The branch, master has been updated
via eed665d... s4/net_drs: Fix Connection name printed
via bf49ac9... s4/dsdb: dsdb_validate_invocation_id() should validate
by objectGUID
from 5197d76... s3: Make a debug msg more readable
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit eed665d653828832ec57642126c4040c47dd6e90
Author: Kamen Mazdrashki <kame...@samba.org>
Date: Mon Apr 26 15:48:18 2010 +0300
s4/net_drs: Fix Connection name printed
commit bf49ac99c94e4d937fd8d0532761b5635e372d84
Author: Kamen Mazdrashki <kame...@samba.org>
Date: Mon Apr 26 00:22:53 2010 +0300
s4/dsdb: dsdb_validate_invocation_id() should validate by objectGUID
This function is used in DRSUpdateRefs() implementation where we
get DSA's objectGUID rather than invocationId
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/common/util.c | 36 +++++++++++++++---------------
source4/rpc_server/drsuapi/updaterefs.c | 8 +++---
source4/utils/net/drs/net_drs_showrepl.c | 6 ++--
3 files changed, 25 insertions(+), 25 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 60bcbe4..42619b9 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -3668,18 +3668,18 @@ const char *samdb_forest_name(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx)
}
/*
- validate that an invocationID belongs to the specified user sid.
+ validate that an DSA GUID belongs to the specified user sid.
The user SID must be a domain controller account (either RODC or
RWDC)
*/
-int dsdb_validate_invocation_id(struct ldb_context *ldb,
- const struct GUID *invocation_id,
- const struct dom_sid *sid)
+int dsdb_validate_dsa_guid(struct ldb_context *ldb,
+ const struct GUID *dsa_guid,
+ const struct dom_sid *sid)
{
/* strategy:
- - find DN of record with the invocationID in the
- configuration partition
- - remote "NTDS Settings" component from DN
+ - find DN of record with the DSA GUID in the
+ configuration partition (objectGUID)
+ - remove "NTDS Settings" component from DN
- do a base search on that DN for serverReference with
extended-dn enabled
- extract objectSID from resulting serverReference
@@ -3699,10 +3699,10 @@ int dsdb_validate_invocation_id(struct ldb_context *ldb,
config_dn = ldb_get_config_basedn(ldb);
ret = dsdb_search_one(ldb, tmp_ctx, &msg, config_dn, LDB_SCOPE_SUBTREE,
- attrs1, 0,
"(&(invocationID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx,
invocation_id));
+ attrs1, 0,
"(&(objectGUID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx, dsa_guid));
if (ret != LDB_SUCCESS) {
- DEBUG(1,(__location__ ": Failed to find invocationID %s for sid
%s\n",
- GUID_string(tmp_ctx, invocation_id),
dom_sid_string(tmp_ctx, sid)));
+ DEBUG(1,(__location__ ": Failed to find DSA objectGUID %s for
sid %s\n",
+ GUID_string(tmp_ctx, dsa_guid),
dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
@@ -3717,32 +3717,32 @@ int dsdb_validate_invocation_id(struct ldb_context *ldb,
attrs2, DSDB_SEARCH_SHOW_EXTENDED_DN,
"(objectClass=server)");
if (ret != LDB_SUCCESS) {
- DEBUG(1,(__location__ ": Failed to find server record for
invocationID %s, sid %s\n",
- GUID_string(tmp_ctx, invocation_id),
dom_sid_string(tmp_ctx, sid)));
+ DEBUG(1,(__location__ ": Failed to find server record for DSA
with objectGUID %s, sid %s\n",
+ GUID_string(tmp_ctx, dsa_guid),
dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
account_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, msg,
"serverReference");
if (account_dn == NULL) {
- DEBUG(1,(__location__ ": Failed to find account_dn for
invocationID %s, sid %s\n",
- GUID_string(tmp_ctx, invocation_id),
dom_sid_string(tmp_ctx, sid)));
+ DEBUG(1,(__location__ ": Failed to find account_dn for DSA with
objectGUID %s, sid %s\n",
+ GUID_string(tmp_ctx, dsa_guid),
dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
status = dsdb_get_extended_dn_sid(account_dn, &sid2, "SID");
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1,(__location__ ": Failed to find SID for invocationID
%s, sid %s\n",
- GUID_string(tmp_ctx, invocation_id),
dom_sid_string(tmp_ctx, sid)));
+ DEBUG(1,(__location__ ": Failed to find SID for DSA with
objectGUID %s, sid %s\n",
+ GUID_string(tmp_ctx, dsa_guid),
dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
if (!dom_sid_equal(sid, &sid2)) {
/* someone is trying to spoof another account */
- DEBUG(0,(__location__ ": Bad invocationID invocationID %s for
sid %s - expected sid %s\n",
- GUID_string(tmp_ctx, invocation_id),
+ DEBUG(0,(__location__ ": Bad DSA objectGUID %s for sid %s -
expected sid %s\n",
+ GUID_string(tmp_ctx, dsa_guid),
dom_sid_string(tmp_ctx, sid),
dom_sid_string(tmp_ctx, &sid2)));
talloc_free(tmp_ctx);
diff --git a/source4/rpc_server/drsuapi/updaterefs.c
b/source4/rpc_server/drsuapi/updaterefs.c
index 0403db8..d52a779 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -211,10 +211,10 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct
dcesrv_call_state *dce_call, TA
security_level =
security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
if (security_level < SECURITY_ADMINISTRATOR) {
- /* check that they are using an invocationId that they own */
- ret = dsdb_validate_invocation_id(b_state->sam_ctx,
- &req->dest_dsa_guid,
-
dce_call->conn->auth_state.session_info->security_token->user_sid);
+ /* check that they are using an DSA objectGUID that they own */
+ ret = dsdb_validate_dsa_guid(b_state->sam_ctx,
+ &req->dest_dsa_guid,
+
dce_call->conn->auth_state.session_info->security_token->user_sid);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs
for sid %s with GUID %s\n",
dom_sid_string(mem_ctx,
diff --git a/source4/utils/net/drs/net_drs_showrepl.c
b/source4/utils/net/drs/net_drs_showrepl.c
index b3e5ab9..b5d355e 100644
--- a/source4/utils/net/drs/net_drs_showrepl.c
+++ b/source4/utils/net/drs/net_drs_showrepl.c
@@ -358,10 +358,10 @@ static bool
net_drs_showrepl_print_connection_objects(struct net_drs_context *dr
struct ldb_message **conn_msgs;
struct ldb_dn *dn;
uint32_t options;
- struct GUID guid;
const char *dc_dns_name;
TALLOC_CTX *mem_ctx;
const char *conn_attr[] = {
+ "name",
"enabledConnection",
"fromServer",
"mS-DS-ReplicatesNCReason",
@@ -403,8 +403,8 @@ static bool
net_drs_showrepl_print_connection_objects(struct net_drs_context *dr
struct ldb_message *conn_msg = conn_msgs[i];
d_printf("Connection --\n");
- guid = samdb_result_guid(conn_msg, "name");
- d_printf("\tConnection name : %s\n", GUID_string(mem_ctx,
&guid));
+ d_printf("\tConnection name : %s\n",
+ samdb_result_string(conn_msg, "name", NULL));
d_printf("\tEnabled : %s\n",
samdb_result_string(conn_msg, "enabledConnection",
"TRUE"));
d_printf("\tServer DNS name : %s\n", dc_dns_name);
--
Samba Shared Repository
