The branch, master has been updated
       via  057c56a s4:dsdb/tests: add SdAutoInheritTests
       via  d317426 s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for replicated changes
       via  fb2a41d s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)
       via  f8c0ad6 s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)
       via  dae1b0d s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()
       via  d6962f4 s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID
       via  2101400 s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID
       via  ddea856 s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OID
       via  1be4dbc s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify
       via  7f42a8b s4:dsdb/repl_meta_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify
       via  cb9c7ee s4:dsdb/objectclass_attrs: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify
       via  60f0e17 s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID
       via  7f88ad3 s4:dsdb/subtree_delete: delete from the leaves to the root (bug #7711)
       via  5dd4555 s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)
       via  60192fd s4:dsdb/subtree_delete: do an early return and avoid some nesting
       via  ff274ba s4:dsdb/objectclass: do not pass the caller's controls on helper searches
       via  5838637 s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug #7711)
       via  60c29a5 s4:dsdb/dirsync: remove unused 'deletedattr' variable
       via  ffaf9bb s4:provision: add pekList and msDS-ExecuteScriptPassword to @KLUDGEACL
       via  0c2c00e s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX
       via  b54d268 s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes
       via  f67f469 s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on modify
       via  5aa7dbe s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on nTSecurityDescriptor
       via  4ef36fd s4:dsdb/descriptor: remove some nesting from descriptor_modify
       via  8d60ac1 s4:dsdb/descriptor: remove some unnecessary nesting
       via  8134926 s4:dsdb/descriptor: add some error checks to descriptor_{add,modify}
       via  b3486f4 s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID
       via  74e3f0e s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify,rename}
       via  4136d96 s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd
       via  118db4c s4:provision: add get_empty_descriptor()
       via  7a3e4d0 s4:dsdb/descriptor: if the caller specifies no DACL/SACL the object gets a default one
       via  c2c715f s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid
       via  990448b s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)
       via  fa67676 s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor
       via  ca3c0e2 s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED
       via  53b100b s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor
       via  95b480f s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set
       via  3d57f17 s4:dsdb/acl: remove unused "acl:perform" option
       via  329afc1 s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED
       via  4289859 s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add
       via  f018772 s4:dsdb/descriptor: make use of dsdb_request_sd_flags()
       via  67045fa s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDescriptor
       via  690b5e1 s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED
       via  2916313 s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function
       via  1cdecf1 s4:dsdb/acl_util: do helper searches AS_SYSTEM
       via  8d900d0 s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM
       via  659277a s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED
       via  844b736 s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLED
       via  a882b41 s4:dsdb/rootdse: do helper searches AS_SYSTEM
       via  964d96d s4:dsdb/rootdse: remove unused variable
       via  4970d3c s4:tests/samba_tool/gpo.py: fix accidental line break
       via  a581242 s4:tests/samba_tool/gpo.py: add test_show_as_admin()
       via  325e921 s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor
       via  6779996 s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor
       via  6bffad6 s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user
       via  f843c04 s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor
       via  8563348 s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xF
       via  6991fb3 s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVector
       via  7fe1e61 s4:dsdb/dirsync: check result of replUpToDateVector fetch on nc_root
       via  ac9bd1e s4:dsdb/schema_data: fix debug message in schema_data_modify()
      from  8f3f38e ldb: fix a typo in the comment for ldb_req_is_untrusted()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 057c56ac2443abffbe169b06a72a93f41096fb67
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 16 12:51:44 2012 +0100

    s4:dsdb/tests: add SdAutoInheritTests
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>
    
    Autobuild-User(master): Michael Adam <ob...@samba.org>
    Autobuild-Date(master): Fri Nov 30 18:59:50 CET 2012 on sn-devel-104

commit d31742641fb117e4249dcc317dac662bb5e1a690
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 23 17:10:38 2012 +0100

    s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for replicated changes
    
    We only do so if the replicated object is not deleted.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit fb2a41d9453d94860104b7b96a75bf8fa96996d6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 16 12:49:16 2012 +0100

    s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit f8c0ad65ad783b3c82ec8ab120d18ad454fe2665
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 16 12:49:16 2012 +0100

    s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit dae1b0d85207040fed873d4232a45206b0162f53
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 23 16:46:51 2012 +0100

    s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit d6962f40caad861c7d240d80bd04070989c85a73
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 23 15:55:24 2012 +0100

    s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 2101400af2e5e1b72a5d51e83f005f62bec1f482
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 22 17:42:32 2012 +0100

    s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit ddea8564901f5aa1a25cd84713bf86a2ce95bc07
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 23 10:45:02 2012 +0100

    s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OID
    
    This can only be triggered by ourselves, that's why we expect
    control->data == module.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 1be4dbc0ca732bd2c35b6108331120a3f1a54ada
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 16:12:54 2012 +0100

    s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 7f42a8b7b667c6a704ecd7bce1630971eb3f1e8c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 23 11:18:05 2012 +0100

    s4:dsdb/repl_meta_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify
    
    The propagation of nTSecurityDescriptor doesn't change the
    replPropertyMetaData.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit cb9c7ee79b2f4e8c875bd15c1fddee90648eec19
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 24 15:25:06 2012 +0100

    s4:dsdb/objectclass_attrs: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 60f0e172e3ce182324c4573fc05197ba241def89
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 22 17:42:32 2012 +0100

    s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 7f88ad3efce5bc14de49b3d73a5dcb19499e1342
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 24 10:16:45 2012 +0100

    s4:dsdb/subtree_delete: delete from the leaves to the root (bug #7711)
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 5dd4555f391d841b276e53e70eedde36f5190cdd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 24 10:14:59 2012 +0100

    s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)
    
    Now that the acl module checks for SEC_ADS_DELETE_TREE,
    we can do the recursive delete AS_SYSTEM.
    
    We need to pass the TRUSTED flags as we operate from
    the TOP module.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 60192fd1004015b50e208b3da6a07bd67f9d7990
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 24 10:04:39 2012 +0100

    s4:dsdb/subtree_delete: do an early return and avoid some nesting
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit ff274bafeb223c7440f4d97e2225b954b1031259
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 24 23:21:10 2012 +0100

    s4:dsdb/objectclass: do not pass the caller's controls on helper searches
    
    We add AS_SYSTEM and SHOW_RECYCLED to the helper search,
    don't let the caller specify additional controls.
    
    This also fixes a problem when the caller also specified AS_SYSTEM.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 5838637b4218ecf88e7a650610da3be1a5a518c9
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 24 10:06:13 2012 +0100

    s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug #7711)
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 60c29a51a062640bf23c85d0d2f650d35a9ab59c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 24 09:20:37 2012 +0100

    s4:dsdb/dirsync: remove unused 'deletedattr' variable
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit ffaf9bb98b5322cca31ef6a43f8c27ca4e5fe42e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 24 09:19:52 2012 +0100

    s4:provision: add pekList and msDS-ExecuteScriptPassword to @KLUDGEACL
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 0c2c00e4b9afd72b4f4052e6b19e40096fd1e44c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 24 09:17:27 2012 +0100

    s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX
    
    See [MS-ADTS] 3.1.1.4.4 Extended Access Checks.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit b54d268e2042f36bc670cf8f4f33cddd957e1d34
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 24 09:15:24 2012 +0100

    s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes
    
    The @KLUDGEACL record might not be up to date.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit f67f469ce101e48301de790b5c31f8d4e712e0ea
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 23 10:58:49 2012 +0100

    s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on modify
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 5aa7dbe546ff18e521e72c0af713a2509201e00d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 23 09:55:17 2012 +0100

    s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on nTSecurityDescriptor
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 4ef36fda681409bf7050adb98bb4b3d574bc01a9
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 23 09:31:05 2012 +0100

    s4:dsdb/descriptor: remove some nesting from descriptor_modify
    
    If the nTSecurityDescriptor attribute is not specified,
    we have nothing to do.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 8d60ac19ed0bc70ec3763614147465c04f28e286
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 23 09:20:50 2012 +0100

    s4:dsdb/descriptor: remove some unnecessary nesting
    
    sd == NULL is checked before.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 813492676c5b876d309bb2db12c794c513fab5c7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 23 09:19:11 2012 +0100

    s4:dsdb/descriptor: add some error checks to descriptor_{add,modify}
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit b3486f4e1a2108bd3af7ce760c8410a560c5237d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 23 09:15:25 2012 +0100

    s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 74e3f0ea0aa0352bf15e92c70256fa9b4d291cd9
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 23 07:18:35 2012 +0100

    s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify,rename}
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 4136d969cab5d4690f00c855bd98dc01253d73d9
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 22 16:22:30 2012 +0100

    s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd
    
    The sd_flags:1:15 control together with an empty security_descriptor
    has the same effect as the recalculate_sd:0 control (which is samba only).
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 118db4ca11bec17b8f5955f188c07f154b85c87b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 22 14:09:34 2012 +0100

    s4:provision: add get_empty_descriptor()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 7a3e4d04c7e06379eddacb4f025a3c48a0a754a4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 22 15:53:14 2012 +0100

    s4:dsdb/descriptor: if the caller specifies no DACL/SACL the object gets a default one
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit c2c715f9c9e0d465857ad118d632493131a5f9c5
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 22 14:07:04 2012 +0100

    s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 990448b4997d1a2423e5dd4da1e37ad51f99bf3a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sun Nov 18 18:57:03 2012 +0100

    s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit fa676769e0d5d3f161b295f06f643fdacebb82ca
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 14:04:09 2012 +0100

    s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor
    
    We need to base the access mask on the given SD Flags.
    Originally, we always checked for SEC_FLAG_SYSTEM_SECURITY,
    which could lead to INSUFFICIENT_RIGHTS when we should
    have been allowed to read.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit ca3c0e28ef5d43f0af487e45a56f2929f5f23b4e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 09:31:25 2012 +0100

    s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED
    
    Note that SHOW_RECYCLED implies SHOW_DELETED.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 53b100bb59dadbc7cfb727a4ad1566302ff6c831
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 14:10:43 2012 +0100

    s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor
    
    The access_mask depends on the SD Flags.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>
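
As an added illustration (my own code, not from the Samba tree): the access-mask derivation that fa67676 (acl_read) and 53b100b (acl) describe, with an SD Flags value of 0 treated as 0xF as the dirsync commit 8563348 below notes. Function names are this example's own; the constant values are the standard Windows SECURITY_INFORMATION and access-mask bits, and the "sd_flags:1:7" request is a constructed stand-in for asking only for OWNER/GROUP/DACL, as the gpo.py change does.

```python
# Added illustration, not code from the Samba tree: how the access mask a caller
# must hold on an object depends on which parts of nTSecurityDescriptor the
# SD Flags control asks for (commits fa67676 for search, 53b100b for modify).
# Constant values are the standard Windows SECURITY_INFORMATION and access-mask
# bits; the function names are this example's own.

# SD Flags control values (SECURITY_INFORMATION bits); 0xF selects everything.
SECINFO_OWNER = 0x1
SECINFO_GROUP = 0x2
SECINFO_DACL = 0x4
SECINFO_SACL = 0x8
SECINFO_ALL = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL

# Object access-mask bits.
SEC_STD_READ_CONTROL = 0x00020000
SEC_STD_WRITE_DAC = 0x00040000
SEC_STD_WRITE_OWNER = 0x00080000
SEC_FLAG_SYSTEM_SECURITY = 0x01000000


def effective_sd_flags(sd_flags):
    """Keep only the four defined bits; a value of 0 means 'all' (mapped to 0xF)."""
    sd_flags &= SECINFO_ALL
    return sd_flags if sd_flags else SECINFO_ALL


def parse_sd_flags_control(control):
    """Parse an ldb control string such as 'sd_flags:1:15' (name:criticality:flags)."""
    name, _criticality, value = control.split(":")
    if name != "sd_flags":
        raise ValueError("not an sd_flags control: %r" % control)
    return effective_sd_flags(int(value))


def required_access_for_read(sd_flags):
    """Rights a reader needs to be shown the requested parts of the descriptor."""
    sd_flags = effective_sd_flags(sd_flags)
    mask = 0
    if sd_flags & (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL):
        mask |= SEC_STD_READ_CONTROL
    if sd_flags & SECINFO_SACL:
        mask |= SEC_FLAG_SYSTEM_SECURITY
    return mask


def legacy_required_access_for_read(sd_flags):
    """Pre-fix behaviour described in fa67676: SEC_FLAG_SYSTEM_SECURITY was
    always demanded, whatever parts the caller actually asked for."""
    return required_access_for_read(sd_flags) | SEC_FLAG_SYSTEM_SECURITY


def required_access_for_modify(sd_flags):
    """Rights a writer needs to replace the requested parts of the descriptor."""
    sd_flags = effective_sd_flags(sd_flags)
    mask = 0
    if sd_flags & (SECINFO_OWNER | SECINFO_GROUP):
        mask |= SEC_STD_WRITE_OWNER
    if sd_flags & SECINFO_DACL:
        mask |= SEC_STD_WRITE_DAC
    if sd_flags & SECINFO_SACL:
        mask |= SEC_FLAG_SYSTEM_SECURITY
    return mask


def access_granted(granted_mask, required_mask):
    """True when every required bit is present in the rights granted to the caller."""
    return (granted_mask & required_mask) == required_mask


if __name__ == "__main__":
    # Constructed scenario: an ordinary reader holding only READ_CONTROL asks for
    # OWNER/GROUP/DACL, the subset the gpo.py change restricts its request to.
    reader_rights = SEC_STD_READ_CONTROL
    flags = parse_sd_flags_control("sd_flags:1:7")
    print("fixed :", access_granted(reader_rights, required_access_for_read(flags)))   # True
    print("legacy:", access_granted(reader_rights, legacy_required_access_for_read(flags)))  # False
```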

commit 95b480fd98d9647c679672abac49c9f4ca5b3219
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 12:12:41 2012 +0100

    s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set
    
    In that case the acl_read module does the protection.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 3d57f17db94ddb5d5d8021158548ea7aebe16cd1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 12:15:00 2012 +0100

    s4:dsdb/acl: remove unused "acl:perform" option
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 329afc1a203056b1f4a43dd6c98ec2067c64f962
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 07:14:31 2012 +0100

    s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED
    
    The searches are done in order to do access checks
    and the results are not directly exposed to the client.
    
    Note that SHOW_RECYCLED implies SHOW_DELETED.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 42898590bb386a13b4f0d7b0294561a78df7e268
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 14:13:17 2012 +0100

    s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add
    
    See [MS-ADTS] 6.1.3.2 SD Flags Control:
      ...
      When performing an LDAP add operation, the client can supply an SD flags control
      with the operation; however, it will be ignored by the server.
      ...
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit f018772e0ca981857036078342456ef17858b966
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 13:05:31 2012 +0100

    s4:dsdb/descriptor: make use of dsdb_request_sd_flags()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 67045fafe8a826792a51a504aa85ee6d8e137059
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 15:24:46 2012 +0100

    s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDescriptor
    
    If the nTSecurityDescriptor is explicitly specified
    without the SD Flags control we should go through descriptor_search_callback().
    
    This is not strictly needed at the moment, but makes the code clearer
    and might avoid surprises in the future.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 690b5e11618eb0385272d6a003761db22369e620
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 10:15:58 2012 +0100

    s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED
    
    Note that SHOW_RECYCLED implies SHOW_DELETED.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 2916313f8016720fb36180db341efbf7b91522f6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 12:33:35 2012 +0100

    s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 1cdecf1234bffc37a9898b666371b2dd25ad158d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 07:14:31 2012 +0100

    s4:dsdb/acl_util: do helper searches AS_SYSTEM
    
    The search is done in order to do access checks.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 8d900d06ff89136016ef2f139d6c33b306c87e93
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 09:33:53 2012 +0100

    s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 659277a89dfd4226db9ea44709010ad7e3768fd6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Nov 19 06:59:33 2012 +0100

    s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED
    
    Note that SHOW_RECYCLED implies SHOW_DELETED.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 844b736a1dd05159850ccc28eee1b3e625489139
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Nov 19 06:59:33 2012 +0100

    s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLED
    
    Note that SHOW_RECYCLED implies SHOW_DELETED.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit a882b41d44b20476a0b1549260e07be3398f9752
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Nov 12 14:19:34 2012 +0100

    s4:dsdb/rootdse: do helper searches AS_SYSTEM
    
    As anonymous users can read all rootdse attributes,
    we should do helper searches with DSDB_FLAG_AS_SYSTEM
    in order to avoid unnecessary access checks.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 964d96d2c31211601b8854dd3d532112fd2aaece
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Nov 26 13:38:07 2012 +0100

    s4:dsdb/rootdse: remove unused variable
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 4970d3cacbd6b9a76e64030cc79628f3dfecce1b
Author: Michael Adam <ob...@samba.org>
Date:   Tue Nov 27 16:43:25 2012 +0100

    s4:tests/samba_tool/gpo.py: fix accidental line break
    
    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit a58124208006ba9311588554b147acfb86d4d4eb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 20 15:02:05 2012 +0100

    s4:tests/samba_tool/gpo.py: add test_show_as_admin()
    
    This calls samba-tool gpo show as admin (which should be able to
    see the full nTSecurityDescriptor).
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 325e92190852ae317c42c26ab86d32818d119381
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 20 14:58:13 2012 +0100

    s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 67799962b8e6e16ac18466658a3f9924854e32f7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 20 14:56:56 2012 +0100

    s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 6bffad67d24df2c90b174bbcc9c578899783a834
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 17 07:13:40 2012 +0100

    s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit f843c04b0f2314ccedb4759c85721773845eb207
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 20 14:51:46 2012 +0100

    s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 8563348a01206874ff215a55d0c542912740e84b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 22 08:59:40 2012 +0100

    s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xF
    
    A value of 0 is mapped to 0xF.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 6991fb385e3956892d904f871052aaede1137a29
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 09:51:45 2012 +0100

    s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVector
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit 7fe1e61ab908264f2ac7b8df666b254ae2af4488
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 27 14:49:11 2012 +0100

    s4:dsdb/dirsync: check result of replUpToDateVector fetch on nc_root
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

commit ac9bd1e63a8adfb96eb5c9f996e60c2d99aba5e1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 21 16:12:22 2012 +0100

    s4:dsdb/schema_data: fix debug message in schema_data_modify()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail                                 |    8 -
 selftest/target/Samba4.pm                          |    3 -
 source4/dsdb/common/util.h                         |    2 +
 source4/dsdb/samdb/ldb_modules/acl.c               |  102 +++-
 source4/dsdb/samdb/ldb_modules/acl_read.c          |   26 +-
 source4/dsdb/samdb/ldb_modules/acl_util.c          |   67 ++
 source4/dsdb/samdb/ldb_modules/descriptor.c        |  738 ++++++++++++++++----
 source4/dsdb/samdb/ldb_modules/dirsync.c           |   14 +-
 source4/dsdb/samdb/ldb_modules/extended_dn_in.c    |   25 +-
 source4/dsdb/samdb/ldb_modules/extended_dn_store.c |    4 +-
 source4/dsdb/samdb/ldb_modules/objectclass.c       |   36 +-
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c |   18 +
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c    |   88 +++-
 source4/dsdb/samdb/ldb_modules/rootdse.c           |   37 +-
 source4/dsdb/samdb/ldb_modules/schema_data.c       |   18 +-
 source4/dsdb/samdb/ldb_modules/subtree_delete.c    |   79 ++-
 source4/dsdb/samdb/samdb.h                         |   19 +
 source4/dsdb/tests/python/sec_descriptor.py        |   84 +++-
 source4/scripting/bin/samba_upgradeprovision       |   21 +-
 source4/scripting/python/samba/netcmd/gpo.py       |   31 +-
 .../scripting/python/samba/provision/__init__.py   |    1 +
 .../scripting/python/samba/provision/descriptor.py |    5 +
 .../scripting/python/samba/tests/samba_tool/gpo.py |    8 +-
 source4/setup/provision_init.ldif                  |    2 +
 source4/setup/schema_samba4.ldif                   |    2 +
 25 files changed, 1210 insertions(+), 228 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail b/selftest/knownfail
index 953056e..e3341e9 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -133,7 +133,6 @@
 ^samba4.smb2.acls.*.generic
 ^samba4.smb2.acls.*.inheritflags
 ^samba4.smb2.acls.*.owner
-^samba4.ldap.acl.*.ntSecurityDescriptor.* # ACL extended checks on search not 
enabled by default
 
^samba4.ldap.dirsync.python.dc..__main__.ExtendedDirsyncTests.test_dirsync_deleted_items
 #^samba4.ldap.dirsync.python.dc..__main__.ExtendedDirsyncTests.*
 ^samba4.drs.fsmo.python
@@ -158,13 +157,6 @@
 ^samba4.smb2.oplock.stream1 # samba 4 oplocks are a mess
 ^samba4.smb2.getinfo.getinfo # streams on directories does not work
 ^samba4.ntvfs.cifs.krb5.base.createx_access.createx_access\(.*\)$
-^samba4.ldap.acl.*.AclSearchTests.test_search_anonymous3\(.*\)$  # ACL search 
behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search1\(.*\)$  # ACL search behaviour 
not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search2\(.*\)$  # ACL search behaviour 
not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search3\(.*\)$  # ACL search behaviour 
not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search4\(.*\)$  # ACL search behaviour 
not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search5\(.*\)$  # ACL search behaviour 
not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search6\(.*\)$  # ACL search behaviour 
not enabled by default
 ^samba4.rpc.lsa.forest.trust #Not fully provided by Samba4
 ^samba4.blackbox.kinit\(.*\).kinit with user password for expired 
password\(.*\) # We need to work out why this fails only during the pw change
 ^samba4.blackbox.dbcheck\(vampire_dc\).dbcheck\(vampire_dc:local\) # Due to 
replicating with --domain-critical-only we fail dbcheck on this database
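
Review bot: the seven AclSearchTests entries dropped here, together with the ntSecurityDescriptor entry removed in the hunk above, are only safe to remove because the acl module now defaults "acl:search" to true (see the acl.c hunk below), so the whole ldap.acl search suite becomes a hard requirement on every selftest DC; please confirm it is green on all targets (including vampire_dc) before this lands, since there is no longer a per-environment way to filter these tests back out.
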
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 20114c9..5988b83 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -559,11 +559,8 @@ sub provision_raw_step1($$)
                warn("can't open $ctx->{smb_conf}$?");
                return undef;
        }
-       my $acl = "false";
-       $acl = "true" if (defined $ENV{WITH_ACL});
        print CONFFILE "
 [global]
-       acl:search = $acl
        netbios name = $ctx->{netbiosname}
        posix:eadb = $ctx->{statedir}/eadb.tdb
        workgroup = $ctx->{domain}
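
Review bot: removing `acl:search = $acl` and the WITH_ACL switch means selftest can no longer provision a DC with ACL search checks disabled, which is the right call if the intent is to always test the shipped default, but it should be stated in the commit message; if any remaining test still depends on unchecked reads, it needs to be either fixed or given an explicit `acl:search = no` in its own provisioning block rather than relying on this now-removed environment hook.
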
diff --git a/source4/dsdb/common/util.h b/source4/dsdb/common/util.h
index c16ce81..0f9b442 100644
--- a/source4/dsdb/common/util.h
+++ b/source4/dsdb/common/util.h
@@ -46,6 +46,8 @@
 bool is_attr_in_list(const char * const * attrs, const char *attr);
 
 #define DSDB_SECRET_ATTRIBUTES_EX(sep) \
+       "pekList" sep \
+       "msDS-ExecuteScriptPassword" sep \
        "currentValue" sep \
        "dBCSPwd" sep \
        "initialAuthIncoming" sep \
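
Review bot: adding "pekList" and "msDS-ExecuteScriptPassword" to DSDB_SECRET_ATTRIBUTES_EX changes every consumer of the macro at once (the acl module's password_attrs built from DSDB_SECRET_ATTRIBUTES in the acl.c hunk below, and the @KLUDGEACL list the provision commit updates), so these two attributes are now never returned to a non-SYSTEM caller; a small test that reads both as an unprivileged user and expects them to be absent would pin the [MS-ADTS] 3.1.1.4.4 behaviour the commit message cites.
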
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c 
b/source4/dsdb/samdb/ldb_modules/acl.c
index 1a41ee2..9bf2612 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -49,7 +49,7 @@ struct extended_access_check_attribute {
 };
 
 struct acl_private {
-       bool acl_perform;
+       bool acl_search;
        const char **password_attrs;
        void *cached_schema_ptr;
        uint64_t cached_schema_metadata_usn;
@@ -79,9 +79,12 @@ static int acl_module_init(struct ldb_module *module)
        struct ldb_context *ldb;
        struct acl_private *data;
        int ret;
-       unsigned int i;
+       unsigned int i, n, j;
        TALLOC_CTX *mem_ctx;
-       static const char *attrs[] = { "passwordAttribute", NULL };
+       static const char * const attrs[] = { "passwordAttribute", NULL };
+       static const char * const secret_attrs[] = {
+               DSDB_SECRET_ATTRIBUTES
+       };
        struct ldb_result *res;
        struct ldb_message *msg;
        struct ldb_message_element *password_attributes;
@@ -100,8 +103,8 @@ static int acl_module_init(struct ldb_module *module)
                return ldb_oom(ldb);
        }
 
-       data->acl_perform = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
-                                        NULL, "acl", "perform", false);
+       data->acl_search = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
+                                       NULL, "acl", "search", true);
        ldb_module_set_private(module, data);
 
        mem_ctx = talloc_new(module);
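Review bot: the default for `acl:search` flips from false to true here and again in aclread_init below, and the parameter is renamed from "acl", "perform" to "acl", "search", so an existing smb.conf that sets `acl:perform` silently stops having any effect; both the new default and the dropped parameter name need a line in the release notes and the smb.conf documentation.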
@@ -112,7 +115,9 @@ static int acl_module_init(struct ldb_module *module)
        ret = dsdb_module_search_dn(module, mem_ctx, &res,
                                    ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
                                    attrs,
-                                   DSDB_FLAG_NEXT_MODULE, NULL);
+                                   DSDB_FLAG_NEXT_MODULE |
+                                   DSDB_FLAG_AS_SYSTEM,
+                                   NULL);
        if (ret != LDB_SUCCESS) {
                goto done;
        }
@@ -131,16 +136,44 @@ static int acl_module_init(struct ldb_module *module)
        if (!password_attributes) {
                goto done;
        }
-       data->password_attrs = talloc_array(data, const char *, 
password_attributes->num_values + 1);
+       data->password_attrs = talloc_array(data, const char *,
+                       password_attributes->num_values +
+                       ARRAY_SIZE(secret_attrs) + 1);
        if (!data->password_attrs) {
                talloc_free(mem_ctx);
                return ldb_oom(ldb);
        }
+
+       n = 0;
        for (i=0; i < password_attributes->num_values; i++) {
-               data->password_attrs[i] = (const char 
*)password_attributes->values[i].data;
+               data->password_attrs[n] = (const char 
*)password_attributes->values[i].data;
                talloc_steal(data->password_attrs, 
password_attributes->values[i].data);
+               n++;
        }
-       data->password_attrs[i] = NULL;
+
+       for (i=0; i < ARRAY_SIZE(secret_attrs); i++) {
+               bool found = false;
+
+               for (j=0; j < n; j++) {
+                       if (strcasecmp(data->password_attrs[j], 
secret_attrs[i]) == 0) {
+                               found = true;
+                               break;
+                       }
+               }
+
+               if (found) {
+                       continue;
+               }
+
+               data->password_attrs[n] = talloc_strdup(data->password_attrs,
+                                                       secret_attrs[i]);
+               if (data->password_attrs[n] == NULL) {
+                       talloc_free(mem_ctx);
+                       return ldb_oom(ldb);
+               }
+               n++;
+       }
+       data->password_attrs[n] = NULL;
 
 done:
        talloc_free(mem_ctx);
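Review bot: the hard-coded secret attributes are only merged when @KLUDGEACL carries passwordAttribute: the unchanged `if (!password_attributes) { goto done; }` above leaves data->password_attrs NULL in that case, so on a database whose @KLUDGEACL has no passwordAttribute values the DSDB_SECRET_ATTRIBUTES list is not applied either. Consider allocating password_attrs and running the secret_attrs loop even when password_attributes is NULL (treating num_values as 0). Separately, the duplicate check calls strcasecmp on the raw ldb_val data cast to const char *, which relies on ldb's trailing-NUL convention for stored values; a comment saying so would help.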
@@ -652,7 +685,9 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
                                    &acl_res, req->op.mod.message->dn,
                                    acl_attrs,
                                    DSDB_FLAG_NEXT_MODULE |
-                                   DSDB_SEARCH_SHOW_DELETED, req);
+                                   DSDB_FLAG_AS_SYSTEM |
+                                   DSDB_SEARCH_SHOW_RECYCLED,
+                                   req);
        if (ret != LDB_SUCCESS) {
                talloc_free(tmp_ctx);
                return ret;
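Review bot: besides adding DSDB_FLAG_AS_SYSTEM, this hunk swaps DSDB_SEARCH_SHOW_DELETED for DSDB_SEARCH_SHOW_RECYCLED, so the ACL lookup now also finds recycled objects; the same swap repeats in acl_modify, acl_search_callback and aclread_search. That is a behaviour change separate from running the lookup as system and deserves its own sentence in the commit message explaining why these lookups must see recycled objects.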
@@ -666,7 +701,8 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
                                 &netbios_res, partitions_dn,
                                 LDB_SCOPE_ONELEVEL,
                                 netbios_attrs,
-                                DSDB_FLAG_NEXT_MODULE,
+                                DSDB_FLAG_NEXT_MODULE |
+                                DSDB_FLAG_AS_SYSTEM,
                                 req,
                                 "(ncName=%s)",
                                 
ldb_dn_get_linearized(ldb_get_default_basedn(ldb)));
@@ -974,7 +1010,9 @@ static int acl_modify(struct ldb_module *module, struct 
ldb_request *req)
        }
        ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, 
req->op.mod.message->dn,
                                    acl_attrs,
-                                   DSDB_FLAG_NEXT_MODULE | 
DSDB_SEARCH_SHOW_DELETED,
+                                   DSDB_FLAG_NEXT_MODULE |
+                                   DSDB_FLAG_AS_SYSTEM |
+                                   DSDB_SEARCH_SHOW_RECYCLED,
                                    req);
 
        if (ret != LDB_SUCCESS) {
@@ -1017,8 +1055,21 @@ static int acl_modify(struct ldb_module *module, struct 
ldb_request *req)
                                                         
req->op.mod.message->elements[i].name);
 
                if (ldb_attr_cmp("nTSecurityDescriptor", 
req->op.mod.message->elements[i].name) == 0) {
+                       uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
+                       uint32_t access_mask = 0;
+
+                       if (sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
+                               access_mask |= SEC_STD_WRITE_OWNER;
+                       }
+                       if (sd_flags & SECINFO_DACL) {
+                               access_mask |= SEC_STD_WRITE_DAC;
+                       }
+                       if (sd_flags & SECINFO_SACL) {
+                               access_mask |= SEC_FLAG_SYSTEM_SECURITY;
+                       }
+
                        status = sec_access_check_ds(sd, acl_user_token(module),
-                                            SEC_STD_WRITE_DAC,
+                                            access_mask,
                                             &access_granted,
                                             NULL,
                                             sid);
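Review bot: the required access mask now follows the SD_FLAGS control, so a modify of nTSecurityDescriptor with only SECINFO_OWNER|SECINFO_GROUP set is checked for SEC_STD_WRITE_OWNER alone. That is only safe if the descriptor module, which gains an sd_flags field in this same patch, really limits the applied change to the parts named in sd_flags; the code doing that is not in the hunks shown, so please point to it in the commit message, because otherwise a caller could replace the DACL while being checked only for WRITE_OWNER. Since dsdb_request_sd_flags() maps no bits to all four, access_mask can never be 0 here, which is the right outcome.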
@@ -1179,6 +1230,18 @@ static int acl_delete(struct ldb_module *module, struct 
ldb_request *req)
        }
        talloc_free(nc_root);
 
+       if (ldb_request_get_control(req, LDB_CONTROL_TREE_DELETE_OID)) {
+               ret = dsdb_module_check_access_on_dn(module, req,
+                                                    req->op.del.dn,
+                                                    SEC_ADS_DELETE_TREE, NULL,
+                                                    req);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+
+               return ldb_next_request(module, req);
+       }
+
        /* First check if we have delete object right */
        ret = dsdb_module_check_access_on_dn(module, req, req->op.del.dn,
                                             SEC_STD_DELETE, NULL, req);
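Review bot: with LDB_CONTROL_TREE_DELETE_OID present the function now returns after checking SEC_ADS_DELETE_TREE on req->op.del.dn and skips the SEC_STD_DELETE check and everything after it; a comment stating that DELETE_TREE on the root is deliberately sufficient for the whole subtree, and where (if anywhere) the individual child deletes are expected to be access-checked, would stop a later reader from "fixing" this by adding the delete-object check back.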
@@ -1257,6 +1320,7 @@ static int acl_rename(struct ldb_module *module, struct 
ldb_request *req)
        ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res,
                                    req->op.rename.olddn, acl_attrs,
                                    DSDB_FLAG_NEXT_MODULE |
+                                   DSDB_FLAG_AS_SYSTEM |
                                    DSDB_SEARCH_SHOW_RECYCLED, req);
        /* we sould be able to find the parent */
        if (ret != LDB_SUCCESS) {
@@ -1388,6 +1452,14 @@ static int acl_search_update_confidential_attrs(struct 
acl_context *ac,
        struct dsdb_attribute *a;
        uint32_t n = 0;
 
+       if (data->acl_search) {
+               /*
+                * If acl:search is activated, the acl_read module
+                * protects confidential attributes.
+                */
+               return LDB_SUCCESS;
+       }
+
        if ((ac->schema == data->cached_schema_ptr) &&
            (ac->schema->loaded_usn == data->cached_schema_loaded_usn) &&
            (ac->schema->metadata_usn == data->cached_schema_metadata_usn))
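Review bot: the early return makes confidential-attribute filtering in acl_search_update_confidential_attrs depend entirely on the acl_read module being present in the stack and reading the same `acl:search` value; if the module list omits acl_read while acl:search is true, confidential attributes are hidden by neither module. Worth a one-line comment here or a check at init time that the two settings agree.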
@@ -1462,7 +1534,9 @@ static int acl_search_callback(struct ldb_request *req, 
struct ldb_reply *ares)
                        ret = dsdb_module_search_dn(ac->module, ac, &acl_res, 
ares->message->dn, 
                                                    acl_attrs,
                                                    DSDB_FLAG_NEXT_MODULE |
-                                                   DSDB_SEARCH_SHOW_DELETED, 
req);
+                                                   DSDB_FLAG_AS_SYSTEM |
+                                                   DSDB_SEARCH_SHOW_RECYCLED,
+                                                   req);
                        if (ret != LDB_SUCCESS) {
                                return ldb_module_done(ac->req, NULL, NULL, 
ret);
                        }
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c 
b/source4/dsdb/samdb/ldb_modules/acl_read.c
index e2a2d4c..92744f2 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -44,6 +44,7 @@ struct aclread_context {
        struct ldb_request *req;
        const char * const *attrs;
        const struct dsdb_schema *schema;
+       uint32_t sd_flags;
        bool sd;
        bool instance_type;
        bool object_sid;
@@ -149,7 +150,17 @@ static int aclread_callback(struct ldb_request *req, 
struct ldb_reply *ares)
                        }
                        /* nTSecurityDescriptor is a special case */
                        if (is_sd) {
-                               access_mask = 
SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL;
+                               access_mask = 0;
+
+                               if (ac->sd_flags & 
(SECINFO_OWNER|SECINFO_GROUP)) {
+                                       access_mask |= SEC_STD_READ_CONTROL;
+                               }
+                               if (ac->sd_flags & SECINFO_DACL) {
+                                       access_mask |= SEC_STD_READ_CONTROL;
+                               }
+                               if (ac->sd_flags & SECINFO_SACL) {
+                                       access_mask |= SEC_FLAG_SYSTEM_SECURITY;
+                               }
                        } else {
                                access_mask = SEC_ADS_READ_PROP;
                        }
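Review bot: the SECINFO_OWNER|SECINFO_GROUP and SECINFO_DACL branches both just OR in SEC_STD_READ_CONTROL; fold them into one `if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL))` unless the split is meant to leave room for different masks later, in which case a comment saying so is better than two identical bodies.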
@@ -158,6 +169,11 @@ static int aclread_callback(struct ldb_request *req, 
struct ldb_reply *ares)
                                access_mask |= SEC_ADS_CONTROL_ACCESS;
                        }
 
+                       if (access_mask == 0) {
+                               aclread_mark_inaccesslible(&msg->elements[i]);
+                               continue;
+                       }
+
                        ret = acl_check_access_on_attribute(ac->module,
                                                            tmp_ctx,
                                                            sd,
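Review bot: the `access_mask == 0` branch is unreachable as written: for nTSecurityDescriptor dsdb_request_sd_flags() never returns 0 (no bits means all four), and every other attribute gets SEC_ADS_READ_PROP; keep it as a defensive check but say so in a comment. The helper it calls, aclread_mark_inaccesslible(), has a misspelt name; a follow-up rename would be welcome.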
@@ -287,7 +303,9 @@ static int aclread_search(struct ldb_module *module, struct 
ldb_request *req)
                ret = dsdb_module_search_dn(module, req, &res, 
req->op.search.base,
                                            acl_attrs,
                                            DSDB_FLAG_NEXT_MODULE |
-                                           DSDB_SEARCH_SHOW_DELETED, req);
+                                           DSDB_FLAG_AS_SYSTEM |
+                                           DSDB_SEARCH_SHOW_RECYCLED,
+                                           req);
                if (ret != LDB_SUCCESS) {
                        return ldb_error(ldb, ret,
                                        "acl_read: Error retrieving 
instanceType for base.");
@@ -330,6 +348,8 @@ static int aclread_search(struct ldb_module *module, struct 
ldb_request *req)
         * expensive so we'd better had the ntsecuritydescriptor to the list of
         * searched attribute and then remove it !
         */
+       ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL);
+
        ac->sd = !(ldb_attr_in_list(req->op.search.attrs, 
"nTSecurityDescriptor"));
        if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, 
"*")) {
                if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
@@ -377,7 +397,7 @@ static int aclread_init(struct ldb_module *module)
        if (p == NULL) {
                return ldb_module_oom(module);
        }
-       p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, 
"acl", "search", false);
+       p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, 
"acl", "search", true);
        ldb_module_set_private(module, p);
        return ldb_next_init(module);
 }
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c 
b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 50bf888..fc6a55a 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -74,6 +74,7 @@ int dsdb_module_check_access_on_dn(struct ldb_module *module,
        ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
                                    acl_attrs,
                                    DSDB_FLAG_NEXT_MODULE |
+                                   DSDB_FLAG_AS_SYSTEM |
                                    DSDB_SEARCH_SHOW_RECYCLED,
                                    parent);
        if (ret != LDB_SUCCESS) {
@@ -201,3 +202,69 @@ const char *acl_user_name(TALLOC_CTX *mem_ctx, struct 
ldb_module *module)
                               session_info->info->domain_name,
                               session_info->info->account_name);
 }
+
+uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
+{
+       struct ldb_control *sd_control;
+       uint32_t sd_flags = 0;
+
+       if (explicit) {
+               *explicit = false;
+       }
+
+       sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
+       if (sd_control) {
+               struct ldb_sd_flags_control *sdctr = (struct 
ldb_sd_flags_control *)sd_control->data;
+
+               sd_flags = sdctr->secinfo_flags;
+
+               if (explicit) {
+                       *explicit = true;
+               }
+
+               /* mark it as handled */
+               sd_control->critical = 0;
+       }
+
+       /* we only care for the last 4 bits */
+       sd_flags &= 0x0000000F;
+
+       /*
+        * MS-ADTS 3.1.1.3.4.1.11 says that no bits
+        * equals all 4 bits
+        */
+       if (sd_flags == 0) {
+               sd_flags = 0xF;
+       }
+
+       return sd_flags;
+}
+
+int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
+                                       struct ldb_dn *nc_root,
+                                       struct ldb_dn *dn,
+                                       bool include_self)
+{
+       struct ldb_context *ldb = ldb_module_get_ctx(module);
+       struct dsdb_extended_sec_desc_propagation_op *op;
+       int ret;
+
+       op = talloc_zero(module, struct dsdb_extended_sec_desc_propagation_op);
+       if (op == NULL) {
+               return ldb_oom(ldb);
+       }
+
+       op->nc_root = nc_root;
+       op->dn = dn;
+       op->include_self = include_self;
+
+       ret = dsdb_module_extended(module, op, NULL,
+                                  DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID,
+                                  op,
+                                  DSDB_FLAG_TOP_MODULE |
+                                  DSDB_FLAG_AS_SYSTEM |
+                                  DSDB_FLAG_TRUSTED,
+                                  NULL);
+       TALLOC_FREE(op);
+       return ret;
+}
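Review bot: dsdb_module_schedule_sd_propagation() stores the caller's nc_root and dn pointers in `op` and then TALLOC_FREE()s `op` right after dsdb_module_extended() returns, so the extended-operation handler must copy the DNs (for instance onto descriptor_data->trans_mem) rather than keep the pointers if the propagation is deferred; please confirm that on the descriptor.c side or document the contract above the function. Smaller points in dsdb_request_sd_flags(): the parameter name `explicit` is a C++ keyword, so avoid it in case the prototype ever lands in a header included from C++; `sd_flags &= 0x0000000F` reads better as `SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL`; and clearing sd_control->critical is a side effect worth stating in a function comment, because callers such as aclread_search and acl_modify use the function as a plain getter.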
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c 
b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 0a26288..18caa38 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -42,9 +42,21 @@
 #include "auth/auth.h"
 #include "param/param.h"
 #include "dsdb/samdb/ldb_modules/util.h"
+#include "lib/util/binsearch.h"
+
+struct descriptor_changes {
+       struct descriptor_changes *prev, *next;
+       struct descriptor_changes *children;
+       struct ldb_dn *nc_root;
+       struct ldb_dn *dn;
+       bool force_self;
+       bool force_children;
+       struct ldb_dn *stopped_dn;
+};
 
 struct descriptor_data {
-       int _dummy;
+       TALLOC_CTX *trans_mem;
+       struct descriptor_changes *changes;
 };
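Review bot: the new descriptor_changes struct has no field comments; prev/next/children give it a tree shape, but what force_self, force_children and stopped_dn mean, and whether nc_root and dn are owned by the struct (allocated under descriptor_data->trans_mem) or borrowed from the request, is not stated. Since dsdb_module_schedule_sd_propagation() frees its op right after the call, ownership here matters; a short comment per field would settle it.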
 
 struct descriptor_context {
@@ -56,6 +68,7 @@ struct descriptor_context {
        struct ldb_val *parentsd_val;
        struct ldb_message_element *sd_element;
        struct ldb_val *sd_val;
+       uint32_t sd_flags;
        int (*step_fn)(struct descriptor_context *);
 };
 
@@ -86,6 +99,8 @@ static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
                        dag_sid = dom_sid_dup(mem_ctx, ea_sid);
                } else if (security_token_has_sid(token, da_sid)) {
                        dag_sid = dom_sid_dup(mem_ctx, da_sid);
+               } else if (security_token_is_system(token)) {
+                       dag_sid = dom_sid_dup(mem_ctx, sa_sid);
                } else {
                        dag_sid = NULL;
                }
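Review bot: the three new `security_token_is_system()` branches in get_default_ag() pick different default groups (sa_sid here, ea_sid in the next hunk, da_sid in the one after) and the hunks carry no comment on which naming context each block handles, so the differences look accidental; add a comment per block naming the context and why a system token maps to that SID there.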
@@ -94,6 +109,8 @@ static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
                        dag_sid = dom_sid_dup(mem_ctx, ea_sid);
                } else if (security_token_has_sid(token, da_sid)) {
                        dag_sid = dom_sid_dup(mem_ctx, da_sid);
+               } else if (security_token_is_system(token)) {
+                       dag_sid = dom_sid_dup(mem_ctx, ea_sid);
                } else {
                        dag_sid = NULL;
                }
@@ -102,6 +119,8 @@ static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
                        dag_sid = dom_sid_dup(mem_ctx, da_sid);
                } else if (security_token_has_sid(token, ea_sid)) {
                                dag_sid = dom_sid_dup(mem_ctx, ea_sid);
+               } else if (security_token_is_system(token)) {
+                       dag_sid = dom_sid_dup(mem_ctx, da_sid);
                } else {
                        dag_sid = NULL;
                }
@@ -229,6 +248,11 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module 
*module,
        char *sddl_sd;
        struct dom_sid *default_owner;
        struct dom_sid *default_group;
+       struct security_descriptor *default_descriptor = NULL;
+
+       if (objectclass != NULL) {
+               default_descriptor = get_sd_unpacked(module, mem_ctx, 
objectclass);
+       }
 
        if (object) {
                user_descriptor = talloc(mem_ctx, struct security_descriptor);
@@ -244,7 +268,7 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module 
*module,
                        return NULL;
                }
        } else {
-               user_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
+               user_descriptor = default_descriptor;
        }
 
        if (old_sd) {
@@ -277,6 +301,28 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module 
*module,
                }


-- 
Samba Shared Repository