The branch, master has been updated
       via  6e720ec s4:SID handling - always encode the SID using 
"ldap_encode_ndr_dom_sid" for LDAP filters
       via  a4b7fac s4:cosmetic - the SID attribute is called objectSid - not 
objectSID
       via  0a19290 testdata/samba3/provision_samba3sam.ldif - update also here 
the maximum domain controller functionality
      from  f1b21be param: Only include param_proto.h for Samba builds, provide 
those prototypes necessary for external users (OpenChange) manually.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6e720ecd259742d274d6281088c5052070c955e6
Author: Matthias Dieter Wallnöfer <m...@samba.org>
Date:   Mon Sep 13 22:41:06 2010 +0200

    s4:SID handling - always encode the SID using "ldap_encode_ndr_dom_sid" for 
LDAP filters
    
    This makes also lookups through special backends as "samba3sam" work.

commit a4b7fac86d6f348d785409555849449527e22e58
Author: Matthias Dieter Wallnöfer <m...@samba.org>
Date:   Mon Sep 13 22:39:50 2010 +0200

    s4:cosmetic - the SID attribute is called objectSid - not objectSID

commit 0a19290ca7cb5531d71e65a37fd11276330b2a12
Author: Matthias Dieter Wallnöfer <m...@samba.org>
Date:   Mon Sep 13 21:18:13 2010 +0200

    testdata/samba3/provision_samba3sam.ldif - update also here the maximum 
domain controller functionality
    
    And we do support also LDAPv2.

-----------------------------------------------------------------------

Summary of changes:
 source4/cldap_server/netlogon.c                  |    2 +-
 source4/dsdb/common/util.c                       |   10 +++++-----
 source4/dsdb/samdb/ldb_modules/extended_dn_out.c |   16 ++++++++--------
 source4/dsdb/samdb/ldb_modules/samba3sid.c       |    2 +-
 source4/dsdb/samdb/ldb_modules/samldb.c          |   20 ++++++++++----------
 source4/dsdb/schema/schema_init.c                |    2 +-
 source4/lib/policy/gp_ldap.c                     |    7 +++++--
 source4/ntp_signd/ntp_signd.c                    |    3 ++-
 testdata/samba3/provision_samba3sam.ldif         |    3 ++-
 9 files changed, 35 insertions(+), 30 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c
index aa5533d..d1fde89 100644
--- a/source4/cldap_server/netlogon.c
+++ b/source4/cldap_server/netlogon.c
@@ -146,7 +146,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context 
*sam_ctx,
                        ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
                                                 NULL, LDB_SCOPE_SUBTREE, 
                                                 dom_attrs, 
-                                                
"(&(objectCategory=DomainDNS)(objectSID=%s))", 
+                                                
"(&(objectCategory=DomainDNS)(objectSid=%s))",
                                                 ldb_binary_encode(mem_ctx, 
sid_val));
                }
                
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index c409adb..0e37108 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -2525,7 +2525,7 @@ int dsdb_find_sid_by_dn(struct ldb_context *ldb,
 {
        int ret;
        struct ldb_result *res;
-       const char *attrs[] = { "objectSID", NULL };
+       const char *attrs[] = { "objectSid", NULL };
        TALLOC_CTX *tmp_ctx = talloc_new(ldb);
        struct dom_sid *s;
 
@@ -2540,7 +2540,7 @@ int dsdb_find_sid_by_dn(struct ldb_context *ldb,
                talloc_free(tmp_ctx);
                return LDB_ERR_NO_SUCH_OBJECT;
        }
-       s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSID");
+       s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
        if (s == NULL) {
                talloc_free(tmp_ctx);
                return LDB_ERR_NO_SUCH_OBJECT;
@@ -2560,7 +2560,7 @@ int dsdb_find_dn_by_sid(struct ldb_context *ldb,
        int ret;
        struct ldb_result *res;
        const char *attrs[] = { NULL };
-       char *sid_str = dom_sid_string(mem_ctx, sid);
+       char *sid_str = ldap_encode_ndr_dom_sid(mem_ctx, sid);
 
        if (!sid_str) {
                return ldb_operr(ldb);
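Review bot: The local in dsdb_find_dn_by_sid is still named `sid_str`, but after this change it holds the value returned by ldap_encode_ndr_dom_sid(), the NDR encoding prepared for a filter, not the readable S-1-… string. A name such as `encoded_sid` would stop a later maintainer from logging it or comparing it against string-form SIDs. The rename would also touch `"objectSid=%s", sid_str` and `talloc_free(sid_str)` in the following hunk. The function body starts and ends outside this hunk.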
@@ -2570,7 +2570,7 @@ int dsdb_find_dn_by_sid(struct ldb_context *ldb,
                          DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
                          DSDB_SEARCH_SHOW_EXTENDED_DN |
                          DSDB_SEARCH_ONE_ONLY,
-                         "objectSID=%s", sid_str);
+                         "objectSid=%s", sid_str);
        talloc_free(sid_str);
        if (ret != LDB_SUCCESS) {
                return ret;
@@ -3871,7 +3871,7 @@ int dsdb_validate_dsa_guid(struct ldb_context *ldb,
             - remove "NTDS Settings" component from DN
            - do a base search on that DN for serverReference with
              extended-dn enabled
-            - extract objectSID from resulting serverReference
+            - extract objectSid from resulting serverReference
               attribute
            - check this sid matches the sid argument
        */
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c 
b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
index 07c0bff..ad197b8 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
@@ -134,7 +134,7 @@ static int inject_extended_dn_out(struct ldb_reply *ares,
        const DATA_BLOB *sid_blob;
 
        guid_blob = ldb_msg_find_ldb_val(ares->message, "objectGUID");
-       sid_blob = ldb_msg_find_ldb_val(ares->message, "objectSID");
+       sid_blob = ldb_msg_find_ldb_val(ares->message, "objectSid");
 
        if (!guid_blob) {
                ldb_set_errstring(ldb, "Did not find objectGUID to inject into 
extended DN");
@@ -157,7 +157,7 @@ static int inject_extended_dn_out(struct ldb_reply *ares,
        }
 
        if (sid_blob && remove_sid) {
-               ldb_msg_remove_attr(ares->message, "objectSID");
+               ldb_msg_remove_attr(ares->message, "objectSid");
        }
 
        return LDB_SUCCESS;
@@ -207,9 +207,9 @@ static int handle_dereference_openldap(struct ldb_dn *dn,
                ldb_dn_set_extended_component(dn, "GUID", &guid_blob);
        }
        
-       sid_blob = ldb_msg_find_ldb_val(&fake_msg, "objectSID");
+       sid_blob = ldb_msg_find_ldb_val(&fake_msg, "objectSid");
        
-       /* Look for the objectSID */
+       /* Look for the objectSid */
        if (sid_blob) {
                ldb_dn_set_extended_component(dn, "SID", sid_blob);
        }
@@ -261,7 +261,7 @@ static int handle_dereference_fds(struct ldb_dn *dn,
                ldb_dn_set_extended_component(dn, "GUID", &guid_blob);
        }
        
-       /* Look for the objectSID */
+       /* Look for the objectSid */
 
        sidBlob = ldb_msg_find_ldb_val(&fake_msg, "sambaSID");
        if (sidBlob) {
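Review bot: The reworded comment in handle_dereference_fds still names an attribute the code does not read: the lookup directly below it fetches `sambaSID` from fake_msg, not objectSid. I would write `/* Look for the sambaSID */` so the comment matches the call. The body of the `if (sidBlob)` branch lies outside the visible lines.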
@@ -610,7 +610,7 @@ static int extended_dn_out_search(struct ldb_module 
*module, struct ldb_request
                        if (! is_attr_in_list(req->op.search.attrs, 
"objectGUID")) {
                                ac->remove_guid = true;
                        }
-                       if (! is_attr_in_list(req->op.search.attrs, 
"objectSID")) {
+                       if (! is_attr_in_list(req->op.search.attrs, 
"objectSid")) {
                                ac->remove_sid = true;
                        }
                        if (ac->remove_guid || ac->remove_sid) {
@@ -624,7 +624,7 @@ static int extended_dn_out_search(struct ldb_module 
*module, struct ldb_request
                                                return ldb_operr(ldb);
                                }
                                if (ac->remove_sid) {
-                                       if (!add_attrs(ac, &new_attrs, 
"objectSID"))
+                                       if (!add_attrs(ac, &new_attrs, 
"objectSid"))
                                                return ldb_operr(ldb);
                                }
                                const_attrs = (const char * const *)new_attrs;
@@ -815,7 +815,7 @@ static int extended_dn_out_openldap_init(struct ldb_module 
*module)
 {
        static const char *attrs[] = {
                "entryUUID",
-               "objectSID",
+               "objectSid",
                NULL
        };
 
diff --git a/source4/dsdb/samdb/ldb_modules/samba3sid.c 
b/source4/dsdb/samdb/ldb_modules/samba3sid.c
index 9368e0d..ef14200 100644
--- a/source4/dsdb/samdb/ldb_modules/samba3sid.c
+++ b/source4/dsdb/samdb/ldb_modules/samba3sid.c
@@ -19,7 +19,7 @@
 */
 
 /*
-  add objectSID to users and groups using samba3 nextRid method
+  add objectSid to users and groups using samba3 nextRid method
  */
 
 #include "includes.h"
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c 
b/source4/dsdb/samdb/ldb_modules/samldb.c
index 7562122..dca6ece 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -276,8 +276,8 @@ static int samldb_check_primaryGroupID(struct samldb_ctx 
*ac)
                return ldb_operr(ldb);
        }
 
-       prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
-                                       dom_sid_string(ac, sid));
+       prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+                                       ldap_encode_ndr_dom_sid(ac, sid));
        if (prim_group_dn == NULL) {
                ldb_asprintf_errstring(ldb,
                                       "Failed to find primary group with RID 
%u!",
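Review bot: The result of `ldap_encode_ndr_dom_sid(ac, sid)` goes straight into the `"(objectSid=%s)"` format in samldb_check_primaryGroupID without a NULL check, unlike dsdb_find_dn_by_sid (`if (!sid_str)`) and gp_list_gpos (`NT_STATUS_HAVE_NO_MEMORY(sid)`) in this same change. If the encoder can fail, as those checks imply, a NULL reaches `%s` and the failure surfaces as "Failed to find primary group" instead of the real cause. The same pattern appears in both searches in samldb_prim_group_change, in samldb_member_check, and in the ntp_signd_process filter. Store the result in a local first and bail out with `if (encoded_sid == NULL) return ldb_operr(ldb);`, then free it after the search, since it is otherwise left allocated on `ac`. All of these functions extend beyond their hunks.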
@@ -799,7 +799,7 @@ static int samldb_fill_object(struct samldb_ctx *ac, const 
char *type)
        lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
                 struct loadparm_context);
 
-       /* don't allow objectSID to be specified without the RELAX control */
+       /* don't allow objectSid to be specified without the RELAX control */
        sid = samdb_result_dom_sid(ac, ac->msg, "objectSid");
        if (sid && !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) &&
            !dsdb_module_am_system(ac->module)) {
@@ -929,8 +929,8 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
                return ldb_operr(ldb);
        }
 
-       prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
-                                            dom_sid_string(ac, sid));
+       prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+                                            ldap_encode_ndr_dom_sid(ac, sid));
        if (prev_prim_group_dn == NULL) {
                return ldb_operr(ldb);
        }
@@ -948,8 +948,8 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
                return ldb_operr(ldb);
        }
 
-       new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
-                                           dom_sid_string(ac, sid));
+       new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+                                           ldap_encode_ndr_dom_sid(ac, sid));
        if (new_prim_group_dn == NULL) {
                /* Here we know if the specified new primary group candidate is
                 * valid or not. */
@@ -1041,8 +1041,8 @@ static int samldb_member_check(struct samldb_ctx *ac)
                        return ldb_operr(ldb);
                }
 
-               group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)",
-                                          dom_sid_string(ac, sid));
+               group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+                                          ldap_encode_ndr_dom_sid(ac, sid));
                if (group_dn == NULL) {
                        return ldb_operr(ldb);
                }
@@ -1282,7 +1282,7 @@ static int samldb_prim_group_users_check(struct 
samldb_ctx *ac)
        ldb = ldb_module_get_ctx(ac->module);
 
        /* Finds out the SID/RID of the SAM object */
-       sid = samdb_search_dom_sid(ldb, ac, ac->req->op.del.dn, "objectSID",
+       sid = samdb_search_dom_sid(ldb, ac, ac->req->op.del.dn, "objectSid",
                                   NULL);
        if (sid == NULL) {
                /* No SID - it might not be a SAM object - therefore ok */
diff --git a/source4/dsdb/schema/schema_init.c 
b/source4/dsdb/schema/schema_init.c
index 7bcdf85..a95e7ec 100644
--- a/source4/dsdb/schema/schema_init.c
+++ b/source4/dsdb/schema/schema_init.c
@@ -392,7 +392,7 @@ WERROR dsdb_read_prefixes_from_ldb(struct ldb_context *ldb, 
TALLOC_CTX *mem_ctx,
  */
 static bool dsdb_schema_unique_attribute(const char *attr)
 {
-       const char *attrs[] = { "objectGUID", "objectSID" , NULL };
+       const char *attrs[] = { "objectGUID", "objectSid" , NULL };
        unsigned int i;
        for (i=0;attrs[i];i++) {
                if (strcasecmp(attr, attrs[i]) == 0) {
diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c
index 87fde9d..d612cf8 100644
--- a/source4/lib/policy/gp_ldap.c
+++ b/source4/lib/policy/gp_ldap.c
@@ -28,6 +28,7 @@
 #include "../librpc/gen_ndr/ndr_security.h"
 #include "../libcli/security/dom_sid.h"
 #include "libcli/security/security.h"
+#include "libcli/ldap/ldap_ndr.h"
 #include "../lib/talloc/talloc.h"
 #include "lib/policy/policy.h"
 
@@ -425,7 +426,7 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct 
security_token *token, c
        TALLOC_CTX *mem_ctx;
        const char **gpos;
        struct ldb_result *result;
-       const char *sid;
+       char *sid;
        struct ldb_dn *dn;
        struct ldb_message_element *element;
        bool inherit;
@@ -443,7 +444,9 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct 
security_token *token, c
        mem_ctx = talloc_new(gp_ctx);
        NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
 
-       sid = dom_sid_string(mem_ctx, &token->sids[PRIMARY_USER_SID_INDEX]);
+       sid = ldap_encode_ndr_dom_sid(mem_ctx,
+                                     &token->sids[PRIMARY_USER_SID_INDEX]);
+       NT_STATUS_HAVE_NO_MEMORY(sid);
 
        /* Find the user DN and objectclass via the sid from the security token 
*/
        rv = ldb_search(gp_ctx->ldb_ctx,
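Review bot: The added `NT_STATUS_HAVE_NO_MEMORY(sid);` in gp_list_gpos leaves on failure without releasing `mem_ctx`, which was created just above with `talloc_new(gp_ctx)`, so the temporary context stays attached to gp_ctx until that is freed. Assuming the macro returns immediately (its use on `mem_ctx` directly above implies this), replace it with `if (sid == NULL) { talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; }`. The rest of the function, including its other exit paths, is outside this hunk.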
diff --git a/source4/ntp_signd/ntp_signd.c b/source4/ntp_signd/ntp_signd.c
index 029071e..0147c12 100644
--- a/source4/ntp_signd/ntp_signd.c
+++ b/source4/ntp_signd/ntp_signd.c
@@ -34,6 +34,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "auth/auth.h"
 #include "libcli/security/security.h"
+#include "libcli/ldap/ldap_ndr.h"
 #include "lib/ldb/include/ldb.h"
 #include "lib/ldb/include/ldb_errors.h"
 #include "../lib/crypto/md5.h"
@@ -164,7 +165,7 @@ static NTSTATUS ntp_signd_process(struct 
ntp_signd_connection *ntp_signd_conn,
                                 LDB_SCOPE_SUBTREE,
                                 attrs,
                                 "(&(objectSid=%s)(objectClass=user))",
-                                dom_sid_string(mem_ctx, sid));
+                                ldap_encode_ndr_dom_sid(mem_ctx, sid));
        if (ret != LDB_SUCCESS) {
                DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: "
                          "%s\n",
diff --git a/testdata/samba3/provision_samba3sam.ldif 
b/testdata/samba3/provision_samba3sam.ldif
index ddcb093..e196ca6 100644
--- a/testdata/samba3/provision_samba3sam.ldif
+++ b/testdata/samba3/provision_samba3sam.ldif
@@ -65,12 +65,13 @@ rootDomainNamingContext: ${BASEDN}
 configurationNamingContext: CN=Configuration,${BASEDN}
 schemaNamingContext: CN=Schema,CN=Configuration,${BASEDN}
 supportedLDAPVersion: 3
+supportedLDAPVersion: 2
 dnsHostName: ${DNSNAME}
 ldapServiceName: ${DNSDOMAIN}:${netbiosnam...@${realm}
 serverName: 
CN=${NETBIOSNAME},CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,${BASEDN}
 domainFunctionality: 0
 forestFunctionality: 0
-domainControllerFunctionality: 2
+domainControllerFunctionality: 4
 isSynchronized: TRUE
 vendorName: Samba Team (http://samba.org)
 vendorVersion: ${VERSION}


-- 
Samba Shared Repository
