The branch, master has been updated via 6e720ec s4:SID handling - always encode the SID using "ldap_encode_ndr_dom_sid" for LDAP filters via a4b7fac s4:cosmetic - the SID attribute is called objectSid - not objectSID via 0a19290 testdata/samba3/provision_samba3sam.ldif - update also here the maximum domain controller functionality from f1b21be param: Only include param_proto.h for Samba builds, provide those prototypes necessary for external users (OpenChange) manually.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 6e720ecd259742d274d6281088c5052070c955e6
Author: Matthias Dieter Wallnöfer <m...@samba.org>
Date: Mon Sep 13 22:41:06 2010 +0200
s4:SID handling - always encode the SID using "ldap_encode_ndr_dom_sid" for LDAP filters
This makes also lookups through special backends as "samba3sam" work.
commit a4b7fac86d6f348d785409555849449527e22e58
Author: Matthias Dieter Wallnöfer <m...@samba.org>
Date: Mon Sep 13 22:39:50 2010 +0200
s4:cosmetic - the SID attribute is called objectSid - not objectSID
commit 0a19290ca7cb5531d71e65a37fd11276330b2a12
Author: Matthias Dieter Wallnöfer <m...@samba.org>
Date: Mon Sep 13 21:18:13 2010 +0200
testdata/samba3/provision_samba3sam.ldif - update also here the maximum domain controller functionality
And we do support also LDAPv2.
-----------------------------------------------------------------------
Summary of changes:
source4/cldap_server/netlogon.c | 2 +-
source4/dsdb/common/util.c | 10 +++++-----
source4/dsdb/samdb/ldb_modules/extended_dn_out.c | 16 ++++++++--------
source4/dsdb/samdb/ldb_modules/samba3sid.c | 2 +-
source4/dsdb/samdb/ldb_modules/samldb.c | 20 ++++++++++----------
source4/dsdb/schema/schema_init.c | 2 +-
source4/lib/policy/gp_ldap.c | 7 +++++--
source4/ntp_signd/ntp_signd.c | 3 ++-
testdata/samba3/provision_samba3sam.ldif | 3 ++-
9 files changed, 35 insertions(+), 30 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c
index aa5533d..d1fde89 100644
--- a/source4/cldap_server/netlogon.c
+++ b/source4/cldap_server/netlogon.c
@@ -146,7 +146,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
 		ret = ldb_search(sam_ctx, mem_ctx, &dom_res, NULL, LDB_SCOPE_SUBTREE, dom_attrs,
-				 "(&(objectCategory=DomainDNS)(objectSID=%s))",
+				 "(&(objectCategory=DomainDNS)(objectSid=%s))",
 				 ldb_binary_encode(mem_ctx, sid_val));
 	}
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index c409adb..0e37108 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -2525,7 +2525,7 @@ int dsdb_find_sid_by_dn(struct ldb_context *ldb,
 {
 	int ret;
 	struct ldb_result *res;
-	const char *attrs[] = { "objectSID", NULL };
+	const char *attrs[] = { "objectSid", NULL };
 	TALLOC_CTX *tmp_ctx = talloc_new(ldb);
 	struct dom_sid *s;
@@ -2540,7 +2540,7 @@ int dsdb_find_sid_by_dn(struct ldb_context *ldb,
 		talloc_free(tmp_ctx);
 		return LDB_ERR_NO_SUCH_OBJECT;
 	}
-	s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSID");
+	s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
 	if (s == NULL) {
 		talloc_free(tmp_ctx);
 		return LDB_ERR_NO_SUCH_OBJECT;
@@ -2560,7 +2560,7 @@ int dsdb_find_dn_by_sid(struct ldb_context *ldb,
 	int ret;
 	struct ldb_result *res;
 	const char *attrs[] = { NULL };
-	char *sid_str = dom_sid_string(mem_ctx, sid);
+	char *sid_str = ldap_encode_ndr_dom_sid(mem_ctx, sid);
 	if (!sid_str) {
 		return ldb_operr(ldb);
@@ -2570,7 +2570,7 @@ int dsdb_find_dn_by_sid(struct ldb_context *ldb,
 			      DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
 			      DSDB_SEARCH_SHOW_EXTENDED_DN |
 			      DSDB_SEARCH_ONE_ONLY,
-			      "objectSID=%s", sid_str);
+			      "objectSid=%s", sid_str);
 	talloc_free(sid_str);
 	if (ret != LDB_SUCCESS) {
 		return ret;
@@ -3871,7 +3871,7 @@ int dsdb_validate_dsa_guid(struct ldb_context *ldb,
 	 - remove "NTDS Settings" component from DN
 	 - do a base search on that DN for serverReference with extended-dn enabled
-	 - extract objectSID from resulting serverReference
+	 - extract objectSid from resulting serverReference
 	   attribute
 	 - check this sid matches the sid argument
 	*/
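Review bot: The changed filter line in fill_netlogon_samlogon_response still escapes `sid_val` with `ldb_binary_encode()` while the rest of this series moves SID filters to `ldap_encode_ndr_dom_sid()`, and nothing in the hunk says why this site is different. If `sid_val` is the blob taken from the incoming CLDAP request (where it comes from is outside the hunk), that escaping is what keeps request bytes from being read as filter syntax, so the line deserves a comment such as `/* sid_val is the client-supplied blob; ldb_binary_encode() escapes it for the filter */` rather than looking like a missed conversion. fill_netlogon_samlogon_response starts and ends outside the hunk.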
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
index 07c0bff..ad197b8 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
@@ -134,7 +134,7 @@ static int inject_extended_dn_out(struct ldb_reply *ares,
 	const DATA_BLOB *sid_blob;
 	guid_blob = ldb_msg_find_ldb_val(ares->message, "objectGUID");
-	sid_blob = ldb_msg_find_ldb_val(ares->message, "objectSID");
+	sid_blob = ldb_msg_find_ldb_val(ares->message, "objectSid");
 	if (!guid_blob) {
 		ldb_set_errstring(ldb, "Did not find objectGUID to inject into extended DN");
@@ -157,7 +157,7 @@ static int inject_extended_dn_out(struct ldb_reply *ares,
 	}
 	if (sid_blob && remove_sid) {
-		ldb_msg_remove_attr(ares->message, "objectSID");
+		ldb_msg_remove_attr(ares->message, "objectSid");
 	}
 	return LDB_SUCCESS;
@@ -207,9 +207,9 @@ static int handle_dereference_openldap(struct ldb_dn *dn,
 		ldb_dn_set_extended_component(dn, "GUID", &guid_blob);
 	}
-	sid_blob = ldb_msg_find_ldb_val(&fake_msg, "objectSID");
+	sid_blob = ldb_msg_find_ldb_val(&fake_msg, "objectSid");
-	/* Look for the objectSID */
+	/* Look for the objectSid */
 	if (sid_blob) {
 		ldb_dn_set_extended_component(dn, "SID", sid_blob);
 	}
@@ -261,7 +261,7 @@ static int handle_dereference_fds(struct ldb_dn *dn,
 		ldb_dn_set_extended_component(dn, "GUID", &guid_blob);
 	}
-	/* Look for the objectSID */
+	/* Look for the objectSid */
 	sidBlob = ldb_msg_find_ldb_val(&fake_msg, "sambaSID");
 	if (sidBlob) {
@@ -610,7 +610,7 @@ static int extended_dn_out_search(struct ldb_module *module, struct ldb_request
 		if (! is_attr_in_list(req->op.search.attrs, "objectGUID")) {
 			ac->remove_guid = true;
 		}
-		if (! is_attr_in_list(req->op.search.attrs, "objectSID")) {
+		if (! is_attr_in_list(req->op.search.attrs, "objectSid")) {
 			ac->remove_sid = true;
 		}
 		if (ac->remove_guid || ac->remove_sid) {
@@ -624,7 +624,7 @@ static int extended_dn_out_search(struct ldb_module *module, struct ldb_request
 				return ldb_operr(ldb);
 		}
 		if (ac->remove_sid) {
-			if (!add_attrs(ac, &new_attrs, "objectSID"))
+			if (!add_attrs(ac, &new_attrs, "objectSid"))
 				return ldb_operr(ldb);
 		}
 		const_attrs = (const char * const *)new_attrs;
@@ -815,7 +815,7 @@ static int extended_dn_out_openldap_init(struct ldb_module *module)
 {
 	static const char *attrs[] = {
 		"entryUUID",
-		"objectSID",
+		"objectSid",
 		NULL
 	};
diff --git a/source4/dsdb/samdb/ldb_modules/samba3sid.c b/source4/dsdb/samdb/ldb_modules/samba3sid.c
index 9368e0d..ef14200 100644
--- a/source4/dsdb/samdb/ldb_modules/samba3sid.c
+++ b/source4/dsdb/samdb/ldb_modules/samba3sid.c
@@ -19,7 +19,7 @@
 */
 /*
-  add objectSID to users and groups using samba3 nextRid method
+  add objectSid to users and groups using samba3 nextRid method
 */
 #include "includes.h"
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 7562122..dca6ece 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -276,8 +276,8 @@ static int samldb_check_primaryGroupID(struct samldb_ctx *ac)
 		return ldb_operr(ldb);
 	}
-	prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
-					dom_sid_string(ac, sid));
+	prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+					ldap_encode_ndr_dom_sid(ac, sid));
 	if (prim_group_dn == NULL) {
 		ldb_asprintf_errstring(ldb,
 				       "Failed to find primary group with RID %u!",
@@ -799,7 +799,7 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
 	lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
				 struct loadparm_context);
-	/* don't allow objectSID to be specified without the RELAX control */
+	/* don't allow objectSid to be specified without the RELAX control */
 	sid = samdb_result_dom_sid(ac, ac->msg, "objectSid");
 	if (sid && !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) &&
 	    !dsdb_module_am_system(ac->module)) {
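Review bot: In samldb_check_primaryGroupID the new `ldap_encode_ndr_dom_sid(ac, sid)` result goes straight into the `"(objectSid=%s)"` format with no NULL check, so an allocation failure reaches the formatter as a NULL `%s` argument; this same commit guards the equivalent call in gp_ldap.c with `NT_STATUS_HAVE_NO_MEMORY(sid)` and dsdb_find_dn_by_sid tests `if (!sid_str)`. The same unchecked pattern is introduced in samldb_prim_group_change (both lookups), samldb_member_check and ntp_signd_process. A minimal fix keeps the encoded string in a local and tests it before the search: `char *sid_str = ldap_encode_ndr_dom_sid(ac, sid);` / `if (sid_str == NULL) { return ldb_operr(ldb); }` / then pass `sid_str` as the filter argument. samldb_check_primaryGroupID starts and ends outside the hunk.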
@@ -929,8 +929,8 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 		return ldb_operr(ldb);
 	}
-	prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
-					     dom_sid_string(ac, sid));
+	prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+					     ldap_encode_ndr_dom_sid(ac, sid));
 	if (prev_prim_group_dn == NULL) {
 		return ldb_operr(ldb);
 	}
@@ -948,8 +948,8 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 		return ldb_operr(ldb);
 	}
-	new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
-					    dom_sid_string(ac, sid));
+	new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+					    ldap_encode_ndr_dom_sid(ac, sid));
 	if (new_prim_group_dn == NULL) {
 		/* Here we know if the specified new primary group candidate is
 		 * valid or not. */
@@ -1041,8 +1041,8 @@ static int samldb_member_check(struct samldb_ctx *ac)
 		return ldb_operr(ldb);
 	}
-	group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
-				   dom_sid_string(ac, sid));
+	group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+				   ldap_encode_ndr_dom_sid(ac, sid));
 	if (group_dn == NULL) {
 		return ldb_operr(ldb);
 	}
@@ -1282,7 +1282,7 @@ static int samldb_prim_group_users_check(struct samldb_ctx *ac)
 	ldb = ldb_module_get_ctx(ac->module);
 	/* Finds out the SID/RID of the SAM object */
-	sid = samdb_search_dom_sid(ldb, ac, ac->req->op.del.dn, "objectSID",
+	sid = samdb_search_dom_sid(ldb, ac, ac->req->op.del.dn, "objectSid",
 				   NULL);
 	if (sid == NULL) {
 		/* No SID - it might not be a SAM object - therefore ok */
diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c
index 7bcdf85..a95e7ec 100644
--- a/source4/dsdb/schema/schema_init.c
+++ b/source4/dsdb/schema/schema_init.c
@@ -392,7 +392,7 @@ WERROR dsdb_read_prefixes_from_ldb(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
  */
 static bool dsdb_schema_unique_attribute(const char *attr)
 {
-	const char *attrs[] = { "objectGUID", "objectSID" , NULL };
+	const char *attrs[] = { "objectGUID", "objectSid" , NULL };
 	unsigned int i;
 	for (i=0;attrs[i];i++) {
 		if (strcasecmp(attr, attrs[i]) == 0) {
diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c
index 87fde9d..d612cf8 100644
--- a/source4/lib/policy/gp_ldap.c
+++ b/source4/lib/policy/gp_ldap.c
@@ -28,6 +28,7 @@
 #include "../librpc/gen_ndr/ndr_security.h"
 #include "../libcli/security/dom_sid.h"
 #include "libcli/security/security.h"
+#include "libcli/ldap/ldap_ndr.h"
 #include "../lib/talloc/talloc.h"
 #include "lib/policy/policy.h"
@@ -425,7 +426,7 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c
 	TALLOC_CTX *mem_ctx;
 	const char **gpos;
 	struct ldb_result *result;
-	const char *sid;
+	char *sid;
 	struct ldb_dn *dn;
 	struct ldb_message_element *element;
 	bool inherit;
@@ -443,7 +444,9 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c
 	mem_ctx = talloc_new(gp_ctx);
 	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
-	sid = dom_sid_string(mem_ctx, &token->sids[PRIMARY_USER_SID_INDEX]);
+	sid = ldap_encode_ndr_dom_sid(mem_ctx,
+				      &token->sids[PRIMARY_USER_SID_INDEX]);
+	NT_STATUS_HAVE_NO_MEMORY(sid);
 	/* Find the user DN and objectclass via the sid from the security token */
 	rv = ldb_search(gp_ctx->ldb_ctx,
diff --git a/source4/ntp_signd/ntp_signd.c b/source4/ntp_signd/ntp_signd.c
index 029071e..0147c12 100644
--- a/source4/ntp_signd/ntp_signd.c
+++ b/source4/ntp_signd/ntp_signd.c
@@ -34,6 +34,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "auth/auth.h"
 #include "libcli/security/security.h"
+#include "libcli/ldap/ldap_ndr.h"
 #include "lib/ldb/include/ldb.h"
 #include "lib/ldb/include/ldb_errors.h"
 #include "../lib/crypto/md5.h"
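Review bot: The added `NT_STATUS_HAVE_NO_MEMORY(sid)` in gp_list_gpos returns without releasing `mem_ctx`, which the context line just above allocates with `talloc_new(gp_ctx)`; the earlier `NT_STATUS_HAVE_NO_MEMORY(mem_ctx)` is fine because nothing had been allocated yet, but this one leaves the context hanging off gp_ctx for as long as that lives (how the rest of the function cleans up is outside the hunk). An explicit free on the failure path matches the talloc_free-before-return pattern dsdb_find_sid_by_dn uses in this same series: `if (sid == NULL) { talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; }`. gp_list_gpos starts and ends outside the hunk.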
@@ -164,7 +165,7 @@ static NTSTATUS ntp_signd_process(struct ntp_signd_connection *ntp_signd_conn,
 			 LDB_SCOPE_SUBTREE,
 			 attrs,
 			 "(&(objectSid=%s)(objectClass=user))",
-			 dom_sid_string(mem_ctx, sid));
+			 ldap_encode_ndr_dom_sid(mem_ctx, sid));
 	if (ret != LDB_SUCCESS) {
 		DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: "
 			  "%s\n",
diff --git a/testdata/samba3/provision_samba3sam.ldif b/testdata/samba3/provision_samba3sam.ldif
index ddcb093..e196ca6 100644
--- a/testdata/samba3/provision_samba3sam.ldif
+++ b/testdata/samba3/provision_samba3sam.ldif
@@ -65,12 +65,13 @@ rootDomainNamingContext: ${BASEDN}
 configurationNamingContext: CN=Configuration,${BASEDN}
 schemaNamingContext: CN=Schema,CN=Configuration,${BASEDN}
 supportedLDAPVersion: 3
+supportedLDAPVersion: 2
 dnsHostName: ${DNSNAME}
 ldapServiceName: ${DNSDOMAIN}:${netbiosnam...@${realm}
 serverName: CN=${NETBIOSNAME},CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,${BASEDN}
 domainFunctionality: 0
 forestFunctionality: 0
-domainControllerFunctionality: 2
+domainControllerFunctionality: 4
 isSynchronized: TRUE
 vendorName: Samba Team (http://samba.org)
 vendorVersion: ${VERSION}
-- 
Samba Shared Repository