The branch, master has been updated
via 8507adb provision: Set the security descriptor while creating
partitions
via b91dd51 s4-dsdb: rework the NC detection for the descriptor
calculation
from 8011375 s3-s4-upgrade: do not add description if it is empty string
or none
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8507adb8d0087e833d44462d3247e819a9e05860
Author: Amitay Isaacs <ami...@gmail.com>
Date: Wed Nov 16 11:18:18 2011 +1100
provision: Set the security descriptor while creating partitions
With Matthieu's patch, the setting of security descriptor on
partition dn at create time works correctly.
Autobuild-User: Amitay Isaacs <ami...@samba.org>
Autobuild-Date: Wed Nov 16 08:54:25 CET 2011 on sn-devel-104
commit b91dd516b5cba8fd3f78256c4d86b304214ab9fc
Author: Matthieu Patou <m...@matws.net>
Date: Wed Nov 16 00:56:28 2011 +0100
s4-dsdb: rework the NC detection for the descriptor calculation
This checks if instanceType attribute is available, and if
INSTANCE_TYPE_IS_NC_HEAD bit is set. If the bit is set, then
the DN is NC root and security descriptor is not inherited
from parent SD.
Signed-off-by: Amitay Isaacs <ami...@gmail.com>
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/samdb/ldb_modules/descriptor.c | 43 ++++++++++++++-----
.../scripting/python/samba/provision/sambadns.py | 14 +-----
source4/setup/provision_dnszones_partitions.ldif | 2 +
3 files changed, 35 insertions(+), 24 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c
b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 9763c8e..409d08d 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -467,6 +467,8 @@ static int descriptor_add(struct ldb_module *module, struct
ldb_request *req)
DATA_BLOB *sd;
const struct dsdb_class *objectclass;
static const char * const parent_attrs[] = { "nTSecurityDescriptor",
NULL };
+ uint32_t instanceType;
+ bool isNC = false;
ldb = ldb_module_get_ctx(module);
dn = req->op.add.message->dn;
@@ -484,22 +486,39 @@ static int descriptor_add(struct ldb_module *module,
struct ldb_request *req)
return ldb_next_request(module, req);
}
- /* if the object has a parent, retrieve its SD to
- * use for calculation. Unfortunately we do not yet have
- * instanceType, so we use dsdb_find_nc_root. */
- parent_dn = ldb_dn_get_parent(req, dn);
- if (parent_dn == NULL) {
- return ldb_oom(ldb);
+ instanceType = ldb_msg_find_attr_as_uint(req->op.add.message,
"instanceType", 0);
+
+ if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
+ isNC = true;
}
- ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
- if (ret != LDB_SUCCESS) {
- ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find
NC root for %s\n",
- ldb_dn_get_linearized(dn));
- return ret;
+ if (!isNC) {
+ ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could
not find NC root for %s\n",
+ ldb_dn_get_linearized(dn));
+ return ret;
+ }
+
+ if (ldb_dn_compare(dn, nc_root) == 0) {
+ DEBUG(0, ("Found DN %s being a NC by the old method\n",
ldb_dn_get_linearized(dn)));
+ isNC = true;
+ }
+ }
+
+ if (isNC) {
+ DEBUG(2, ("DN: %s is a NC\n", ldb_dn_get_linearized(dn)));
}
+ if (!isNC) {
+ /* if the object has a parent, retrieve its SD to
+ * use for calculation. Unfortunately we do not yet have
+ * instanceType, so we use dsdb_find_nc_root. */
+
+ parent_dn = ldb_dn_get_parent(req, dn);
+ if (parent_dn == NULL) {
+ return ldb_oom(ldb);
+ }
- if (ldb_dn_compare(dn, nc_root) != 0) {
/* we aren't any NC */
ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
parent_attrs,
diff --git a/source4/scripting/python/samba/provision/sambadns.py
b/source4/scripting/python/samba/provision/sambadns.py
index c3725f6..37c0dff 100644
--- a/source4/scripting/python/samba/provision/sambadns.py
+++ b/source4/scripting/python/samba/provision/sambadns.py
@@ -49,13 +49,6 @@ def modify_ldif(ldb, ldif_file, subst_vars,
controls=["relax:0"]):
data = read_and_sub_file(ldif_file_path, subst_vars)
ldb.modify_ldif(data, controls)
-def set_security_descriptor(samdb, dn_str, descriptor):
- msg = ldb.Message()
- msg.dn = ldb.Dn(samdb, dn_str)
- msg["nTSecurityDescriptor"] = ldb.MessageElement(descriptor,
- ldb.FLAG_MOD_REPLACE, "nTSecurityDescriptor")
- samdb.modify(msg, controls=["relax:0"])
-
def setup_ldb(ldb, ldif_path, subst_vars):
"""Import a LDIF a file into a LDB handle, optionally substituting
variables.
@@ -224,16 +217,13 @@ class SRVRecord(dnsp.DnssrvRpcRecord):
def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
serverdn):
domainzone_dn = "DC=DomainDnsZones,%s" % domaindn
forestzone_dn = "DC=ForestDnsZones,%s" % forestdn
-
+ descriptor = get_dns_partition_descriptor(domainsid)
add_ldif(samdb, "provision_dnszones_partitions.ldif", {
"DOMAINZONE_DN": domainzone_dn,
"FORESTZONE_DN": forestzone_dn,
+ "SECDESC" : b64encode(descriptor)
})
- descriptor = get_dns_partition_descriptor(domainsid)
- set_security_descriptor(samdb, domainzone_dn, descriptor)
- set_security_descriptor(samdb, forestzone_dn, descriptor)
-
domainzone_guid = get_domainguid(samdb, domainzone_dn)
forestzone_guid = get_domainguid(samdb, forestzone_dn)
diff --git a/source4/setup/provision_dnszones_partitions.ldif
b/source4/setup/provision_dnszones_partitions.ldif
index bb16332..4ab7aed 100644
--- a/source4/setup/provision_dnszones_partitions.ldif
+++ b/source4/setup/provision_dnszones_partitions.ldif
@@ -7,6 +7,7 @@ objectClass: domainDNS
description: Microsoft DNS Directory
msDS-NcType: 0
instanceType: 13
+ntSecurityDescriptor:: ${SECDESC}
dn: ${FORESTZONE_DN}
objectClass: top
@@ -14,3 +15,4 @@ objectClass: domainDNS
description: Microsoft DNS Directory
msDS-NcType: 0
instanceType: 13
+ntSecurityDescriptor:: ${SECDESC}
--
Samba Shared Repository
