The branch, master has been updated via eed665d... s4/net_drs: Fix Connection name printed via bf49ac9... s4/dsdb: dsdb_validate_invocation_id() should validate by objectGUID from 5197d76... s3: Make a debug msg more readable
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit eed665d653828832ec57642126c4040c47dd6e90 Author: Kamen Mazdrashki <kame...@samba.org> Date: Mon Apr 26 15:48:18 2010 +0300 s4/net_drs: Fix Connection name printed commit bf49ac99c94e4d937fd8d0532761b5635e372d84 Author: Kamen Mazdrashki <kame...@samba.org> Date: Mon Apr 26 00:22:53 2010 +0300 s4/dsdb: dsdb_validate_invocation_id() should validate by objectGUID This function is used in DRSUpdateRefs() implementation where we get DSA's objectGUID rather than invocationId ----------------------------------------------------------------------- Summary of changes: source4/dsdb/common/util.c | 36 +++++++++++++++--------------- source4/rpc_server/drsuapi/updaterefs.c | 8 +++--- source4/utils/net/drs/net_drs_showrepl.c | 6 ++-- 3 files changed, 25 insertions(+), 25 deletions(-) Changeset truncated at 500 lines:
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 60bcbe4..42619b9 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -3668,18 +3668,18 @@ const char *samdb_forest_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
 }
 /*
- validate that an invocationID belongs to the specified user sid.
+ validate that an DSA GUID belongs to the specified user sid.
 The user SID must be a domain controller account (either RODC or RWDC)
 */
-int dsdb_validate_invocation_id(struct ldb_context *ldb,
- const struct GUID *invocation_id,
- const struct dom_sid *sid)
+int dsdb_validate_dsa_guid(struct ldb_context *ldb,
+ const struct GUID *dsa_guid,
+ const struct dom_sid *sid)
 {
 /* strategy:
- - find DN of record with the invocationID in the
- configuration partition
- - remote "NTDS Settings" component from DN
+ - find DN of record with the DSA GUID in the
+ configuration partition (objectGUID)
+ - remove "NTDS Settings" component from DN
 - do a base search on that DN for serverReference with
 extended-dn enabled
 - extract objectSID from resulting serverReference
@@ -3699,10 +3699,10 @@ int dsdb_validate_invocation_id(struct ldb_context *ldb,
 config_dn = ldb_get_config_basedn(ldb);
 ret = dsdb_search_one(ldb, tmp_ctx, &msg, config_dn, LDB_SCOPE_SUBTREE,
- attrs1, 0, "(&(invocationID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx, invocation_id));
+ attrs1, 0, "(&(objectGUID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx, dsa_guid));
 if (ret != LDB_SUCCESS) {
- DEBUG(1,(__location__ ": Failed to find invocationID %s for sid %s\n",
- GUID_string(tmp_ctx, invocation_id), dom_sid_string(tmp_ctx, sid)));
+ DEBUG(1,(__location__ ": Failed to find DSA objectGUID %s for sid %s\n",
+ GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
 talloc_free(tmp_ctx);
 return LDB_ERR_OPERATIONS_ERROR;
 }
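Review bot: The new header comment `validate that an DSA GUID belongs to the specified user sid.` should read `a DSA GUID`, and because this function is the authorization check behind DsReplicaUpdateRefs for non-administrator callers, the comment should state the contract and not only the lookup strategy. I would add after that sentence: `Returns LDB_SUCCESS only when the objectSID behind the server's serverReference equals sid; any lookup failure returns LDB_ERR_OPERATIONS_ERROR, so callers must treat every non-success as a refusal.` The SID-mismatch return value is outside this hunk, so confirm it before committing that wording; the function body continues past the end of the hunk.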
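Review bot: A dest_dsa_guid that matches no nTDSDSA object — the input an impersonating client is most likely to send — is logged at DEBUG level 1 and collapsed into LDB_ERR_OPERATIONS_ERROR by the `if (ret != LDB_SUCCESS)` branch after dsdb_search_one, while the SID-mismatch case later in the same function is logged at level 0 as a spoof attempt. Failing closed is the right outcome, but the two cases are indistinguishable in the logs and to the caller. If dsdb_search_one reports no match as LDB_ERR_NO_SUCH_OBJECT (I believe it does; please confirm), I would log that case at level 0 with a message such as `": No nTDSDSA object with objectGUID %s while validating sid %s\n"` and keep the return value unchanged so the caller's refusal path is untouched. `GUID_string(tmp_ctx, dsa_guid)` produces a fixed-format string, so interpolating it into the filter with `%s` is not a filter-injection risk.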
@@ -3717,32 +3717,32 @@ int dsdb_validate_invocation_id(struct ldb_context *ldb,
 attrs2, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=server)");
 if (ret != LDB_SUCCESS) {
- DEBUG(1,(__location__ ": Failed to find server record for invocationID %s, sid %s\n",
- GUID_string(tmp_ctx, invocation_id), dom_sid_string(tmp_ctx, sid)));
+ DEBUG(1,(__location__ ": Failed to find server record for DSA with objectGUID %s, sid %s\n",
+ GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
 talloc_free(tmp_ctx);
 return LDB_ERR_OPERATIONS_ERROR;
 }
 account_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, msg, "serverReference");
 if (account_dn == NULL) {
- DEBUG(1,(__location__ ": Failed to find account_dn for invocationID %s, sid %s\n",
- GUID_string(tmp_ctx, invocation_id), dom_sid_string(tmp_ctx, sid)));
+ DEBUG(1,(__location__ ": Failed to find account_dn for DSA with objectGUID %s, sid %s\n",
+ GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
 talloc_free(tmp_ctx);
 return LDB_ERR_OPERATIONS_ERROR;
 }
 status = dsdb_get_extended_dn_sid(account_dn, &sid2, "SID");
 if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1,(__location__ ": Failed to find SID for invocationID %s, sid %s\n",
- GUID_string(tmp_ctx, invocation_id), dom_sid_string(tmp_ctx, sid)));
+ DEBUG(1,(__location__ ": Failed to find SID for DSA with objectGUID %s, sid %s\n",
+ GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
 talloc_free(tmp_ctx);
 return LDB_ERR_OPERATIONS_ERROR;
 }
 if (!dom_sid_equal(sid, &sid2)) {
 /* someone is trying to spoof another account */
- DEBUG(0,(__location__ ": Bad invocationID invocationID %s for sid %s - expected sid %s\n",
- GUID_string(tmp_ctx, invocation_id),
+ DEBUG(0,(__location__ ": Bad DSA objectGUID %s for sid %s - expected sid %s\n",
+ GUID_string(tmp_ctx, dsa_guid),
 dom_sid_string(tmp_ctx, sid), dom_sid_string(tmp_ctx, &sid2)));
 talloc_free(tmp_ctx);
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index 0403db8..d52a779 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -211,10 +211,10 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
 security_level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
 if (security_level < SECURITY_ADMINISTRATOR) {
- /* check that they are using an invocationId that they own */
- ret = dsdb_validate_invocation_id(b_state->sam_ctx,
- &req->dest_dsa_guid,
- dce_call->conn->auth_state.session_info->security_token->user_sid);
+ /* check that they are using an DSA objectGUID that they own */
+ ret = dsdb_validate_dsa_guid(b_state->sam_ctx,
+ &req->dest_dsa_guid,
+ dce_call->conn->auth_state.session_info->security_token->user_sid);
 if (ret != LDB_SUCCESS) {
 DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n",
 dom_sid_string(mem_ctx,
diff --git a/source4/utils/net/drs/net_drs_showrepl.c b/source4/utils/net/drs/net_drs_showrepl.c
index b3e5ab9..b5d355e 100644
--- a/source4/utils/net/drs/net_drs_showrepl.c
+++ b/source4/utils/net/drs/net_drs_showrepl.c
@@ -358,10 +358,10 @@ static bool net_drs_showrepl_print_connection_objects(struct net_drs_context *dr
 struct ldb_message **conn_msgs;
 struct ldb_dn *dn;
 uint32_t options;
- struct GUID guid;
 const char *dc_dns_name;
 TALLOC_CTX *mem_ctx;
 const char *conn_attr[] = {
+ "name",
 "enabledConnection",
 "fromServer",
 "mS-DS-ReplicatesNCReason",
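Review bot: The new comment `/* check that they are using an DSA objectGUID that they own */` should read `a DSA objectGUID`, and "own" is carrying the whole meaning of the only authorization check that callers below SECURITY_ADMINISTRATOR pass through, so it deserves to be spelled out. I would write: `/* Non-admin callers (a DC account, RODC or RWDC) may only update references for their own DSA: dest_dsa_guid must be the objectGUID of an nTDSDSA object whose server's serverReference resolves to the caller's SID; any failure is refused. */`. The refusal branch `if (ret != LDB_SUCCESS)` begins at the end of this hunk but its return value is outside it, so the fail-closed behaviour is visible here only as far as the log line. dcesrv_drsuapi_DsReplicaUpdateRefs starts before and continues after the hunk.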
@@ -403,8 +403,8 @@ static bool net_drs_showrepl_print_connection_objects(struct net_drs_context *dr
 struct ldb_message *conn_msg = conn_msgs[i];
 d_printf("Connection --\n");
- guid = samdb_result_guid(conn_msg, "name");
- d_printf("\tConnection name : %s\n", GUID_string(mem_ctx, &guid));
+ d_printf("\tConnection name : %s\n",
+ samdb_result_string(conn_msg, "name", NULL));
 d_printf("\tEnabled : %s\n", samdb_result_string(conn_msg, "enabledConnection", "TRUE"));
 d_printf("\tServer DNS name : %s\n", dc_dns_name);
-- Samba Shared Repository
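Review bot: `samdb_result_string(conn_msg, "name", NULL)` can hand a NULL pointer to the `%s` conversion in d_printf, which is undefined behaviour in C (glibc happens to print `(null)`); the adjacent `enabledConnection` line passes a non-NULL default for exactly this reason. The `name` attribute is presumably always present on a fetched connection object, but the default costs nothing: `samdb_result_string(conn_msg, "name", "<unknown>")`. The enclosing loop and net_drs_showrepl_print_connection_objects continue outside the hunk.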