The branch, master has been updated via 057c56a s4:dsdb/tests: add SdAutoInheritTests via d317426 s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for replicated changes via fb2a41d s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621) via f8c0ad6 s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621) via dae1b0d s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation() via d6962f4 s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID via 2101400 s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID via ddea856 s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OID via 1be4dbc s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify via 7f42a8b s4:dsdb/repl_meta_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify via cb9c7ee s4:dsdb/objectclass_attrs: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify via 60f0e17 s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID via 7f88ad3 s4:dsdb/subtree_delete: delete from the leafs to the root (bug #7711) via 5dd4555 s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711) via 60192fd s4:dsdb/subtree_delete: do an early return and avoid some nesting via ff274ba s4:dsdb/objectclass: do not pass the callers controls on helper searches via 5838637 s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug #7711) via 60c29a5 s4:dsdb/dirsync: remove unused 'deletedattr' variable via ffaf9bb s4:provision: add pekList and msDS-ExecuteScriptPassword to @KLUDGEACL via 0c2c00e s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX via b54d268 s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes via f67f469 s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on modify via 5aa7dbe s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on nTSecurityDescriptor via 4ef36fd 
s4:dsdb/descriptor: remove some nesting from descriptor_modify via 8d60ac1 s4:dsdb/descriptor: remove some unnecessary nesting via 8134926 s4:dsdb/descriptor: add some error checks to descriptor_{add,modify} via b3486f4 s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID via 74e3f0e s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify,rename} via 4136d96 s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd via 118db4c s4:provision: add get_empty_descriptor() via 7a3e4d0 s4:dsdb/descriptor: if the caller specifies no DACL/SACL the objects gets a default one via c2c715f s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid via 990448b s4:dsdb/acl_read: enable acl checking on search by default (bug #8620) via fa67676 s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor via ca3c0e2 s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED via 53b100b s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor via 95b480f s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set via 3d57f17 s4:dsdb/acl: remove unused "acl:perform" option via 329afc1 s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED via 4289859 s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add via f018772 s4:dsdb/descriptor: make use of dsdb_request_sd_flags() via 67045fa s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDescriptor via 690b5e1 s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED via 2916313 s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function via 1cdecf1 s4:dsdb/acl_util: do helper searches AS_SYSTEM via 8d900d0 s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM via 659277a s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED via 844b736 s4:dsdb/objectclass: do helper 
searches AS_SYSTEM and with SHOW_RECYCLED via a882b41 s4:dsdb/rootdse: do helper searches AS_SYSTEM via 964d96d s4:dsdb/rootdse: remove unused variable via 4970d3c s4:tests/samba_tool/gpo.py: fix accidential line break via a581242 s4:tests/samba_tool/gpo.py: add test_show_as_admin() via 325e921 s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor via 6779996 s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor via 6bffad6 s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user via f843c04 s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor via 8563348 s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xF via 6991fb3 s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVector via 7fe1e61 s4:dsdb/dirsync: check result of replUpToDateVector fetch on nc_root via ac9bd1e s4:dsdb/schema_data: fix debug message in schema_data_modify() from 8f3f38e ldb: fix a typo in the comment for ldb_req_is_untrusted()
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 057c56ac2443abffbe169b06a72a93f41096fb67 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 16 12:51:44 2012 +0100 s4:dsdb/tests: add SdAutoInheritTests Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> Autobuild-User(master): Michael Adam <ob...@samba.org> Autobuild-Date(master): Fri Nov 30 18:59:50 CET 2012 on sn-devel-104 commit d31742641fb117e4249dcc317dac662bb5e1a690 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 23 17:10:38 2012 +0100 s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for replicated changes We only do so if the replicated object is not deleted. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit fb2a41d9453d94860104b7b96a75bf8fa96996d6 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 16 12:49:16 2012 +0100 s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621) Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit f8c0ad65ad783b3c82ec8ab120d18ad454fe2665 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 16 12:49:16 2012 +0100 s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621) Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit dae1b0d85207040fed873d4232a45206b0162f53 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 23 16:46:51 2012 +0100 s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit d6962f40caad861c7d240d80bd04070989c85a73 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 23 15:55:24 2012 +0100 s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 2101400af2e5e1b72a5d51e83f005f62bec1f482 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Nov 22 17:42:32 2012 +0100 s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit ddea8564901f5aa1a25cd84713bf86a2ce95bc07 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 23 10:45:02 2012 +0100 s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OID This can only be triggered by ourself, that's why we expect control->data == module. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 1be4dbc0ca732bd2c35b6108331120a3f1a54ada Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 16:12:54 2012 +0100 s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 7f42a8b7b667c6a704ecd7bce1630971eb3f1e8c Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 23 11:18:05 2012 +0100 s4:dsdb/repl_meta_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify The propagation of nTSecurityDescriptor doesn't change the replProperyMetaData. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit cb9c7ee79b2f4e8c875bd15c1fddee90648eec19 Author: Stefan Metzmacher <me...@samba.org> Date: Sat Nov 24 15:25:06 2012 +0100 s4:dsdb/objectclass_attrs: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 60f0e172e3ce182324c4573fc05197ba241def89 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Nov 22 17:42:32 2012 +0100 s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 7f88ad3efce5bc14de49b3d73a5dcb19499e1342 Author: Stefan Metzmacher <me...@samba.org> Date: Sat Nov 24 10:16:45 2012 +0100 s4:dsdb/subtree_delete: delete from the leafs to the root (bug #7711) Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 5dd4555f391d841b276e53e70eedde36f5190cdd Author: Stefan Metzmacher <me...@samba.org> Date: Sat Nov 24 10:14:59 2012 +0100 s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711) Now that the acl module checks for SEC_ADS_DELETE_TREE, we can do the recursive delete AS_SYSTEM. We need to pass the TRUSTED flags as we operate from the TOP module. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 60192fd1004015b50e208b3da6a07bd67f9d7990 Author: Stefan Metzmacher <me...@samba.org> Date: Sat Nov 24 10:04:39 2012 +0100 s4:dsdb/subtree_delete: do an early return and avoid some nesting Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit ff274bafeb223c7440f4d97e2225b954b1031259 Author: Stefan Metzmacher <me...@samba.org> Date: Sat Nov 24 23:21:10 2012 +0100 s4:dsdb/objectclass: do not pass the callers controls on helper searches We add AS_SYSTEM and SHOW_RECYCLED to the helper search, don't let the caller specify additional controls. This also fixes a problem when the caller also specified AS_SYSTEM. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 5838637b4218ecf88e7a650610da3be1a5a518c9 Author: Stefan Metzmacher <me...@samba.org> Date: Sat Nov 24 10:06:13 2012 +0100 s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug #7711) 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 60c29a51a062640bf23c85d0d2f650d35a9ab59c Author: Stefan Metzmacher <me...@samba.org> Date: Sat Nov 24 09:20:37 2012 +0100 s4:dsdb/dirsync: remove unused 'deletedattr' variable Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit ffaf9bb98b5322cca31ef6a43f8c27ca4e5fe42e Author: Stefan Metzmacher <me...@samba.org> Date: Sat Nov 24 09:19:52 2012 +0100 s4:provision: add pekList and msDS-ExecuteScriptPassword to @KLUDGEACL Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 0c2c00e4b9afd72b4f4052e6b19e40096fd1e44c Author: Stefan Metzmacher <me...@samba.org> Date: Sat Nov 24 09:17:27 2012 +0100 s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX See [MS-ADTS] 3.1.1.4.4 Extended Access Checks. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit b54d268e2042f36bc670cf8f4f33cddd957e1d34 Author: Stefan Metzmacher <me...@samba.org> Date: Sat Nov 24 09:15:24 2012 +0100 s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes The @KLUDGEACL record might not be uptodate. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit f67f469ce101e48301de790b5c31f8d4e712e0ea Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 23 10:58:49 2012 +0100 s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on modify Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 5aa7dbe546ff18e521e72c0af713a2509201e00d Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 23 09:55:17 2012 +0100 s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on nTSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 4ef36fda681409bf7050adb98bb4b3d574bc01a9 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 23 09:31:05 2012 +0100 s4:dsdb/descriptor: remove some nesting from descriptor_modify If the nTSecurityDescriptor attribute is not specified, we have nothing to do. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 8d60ac19ed0bc70ec3763614147465c04f28e286 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 23 09:20:50 2012 +0100 s4:dsdb/descriptor: remove some unnecessary nesting sd == NULL is checked before. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 813492676c5b876d309bb2db12c794c513fab5c7 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 23 09:19:11 2012 +0100 s4:dsdb/descriptor: add some error checks to descriptor_{add,modify} Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit b3486f4e1a2108bd3af7ce760c8410a560c5237d Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 23 09:15:25 2012 +0100 s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 74e3f0ea0aa0352bf15e92c70256fa9b4d291cd9 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 23 07:18:35 2012 +0100 s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify,rename} 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 4136d969cab5d4690f00c855bd98dc01253d73d9 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Nov 22 16:22:30 2012 +0100 s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd The sd_flags:1:15 control together with an empty security_descriptor has the same effect as the recalculate_sd:0 control (which is samba only). Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 118db4ca11bec17b8f5955f188c07f154b85c87b Author: Stefan Metzmacher <me...@samba.org> Date: Thu Nov 22 14:09:34 2012 +0100 s4:provision: add get_empty_descriptor() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 7a3e4d04c7e06379eddacb4f025a3c48a0a754a4 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Nov 22 15:53:14 2012 +0100 s4:dsdb/descriptor: if the caller specifies no DACL/SACL the objects gets a default one Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit c2c715f9c9e0d465857ad118d632493131a5f9c5 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Nov 22 14:07:04 2012 +0100 s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 990448b4997d1a2423e5dd4da1e37ad51f99bf3a Author: Stefan Metzmacher <me...@samba.org> Date: Sun Nov 18 18:57:03 2012 +0100 s4:dsdb/acl_read: enable acl checking on search by default (bug #8620) 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit fa676769e0d5d3f161b295f06f643fdacebb82ca Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 14:04:09 2012 +0100 s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor We need to base the access mask on the given SD Flags. Originally, we always checked for SEC_FLAG_SYSTEM_SECURITY, which could lead to INSUFFICIENT_RIGHTS when we should have been allowed to read. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit ca3c0e28ef5d43f0af487e45a56f2929f5f23b4e Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 09:31:25 2012 +0100 s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 53b100bb59dadbc7cfb727a4ad1566302ff6c831 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 14:10:43 2012 +0100 s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor The access_mask depends on the SD Flags. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 95b480fd98d9647c679672abac49c9f4ca5b3219 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 12:12:41 2012 +0100 s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set In that case the acl_read module does the protection. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 3d57f17db94ddb5d5d8021158548ea7aebe16cd1 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 12:15:00 2012 +0100 s4:dsdb/acl: remove unused "acl:perform" option 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 329afc1a203056b1f4a43dd6c98ec2067c64f962 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 07:14:31 2012 +0100 s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED The searches are done in order to do access checks and the results are not directly exposed to the client. Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 42898590bb386a13b4f0d7b0294561a78df7e268 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 14:13:17 2012 +0100 s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add See [MS-ADTS] 6.1.3.2 SD Flags Control: ... When performing an LDAP add operation, the client can supply an SD flags control with the operation; however, it will be ignored by the server. ... Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit f018772e0ca981857036078342456ef17858b966 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 13:05:31 2012 +0100 s4:dsdb/descriptor: make use of dsdb_request_sd_flags() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 67045fafe8a826792a51a504aa85ee6d8e137059 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 15:24:46 2012 +0100 s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDescriptor If the nTSecurityDescriptor is explicitly specified without the SD Flags control we should go through descriptor_search_callback(). This is not strictly needed at the moment, but makes the code clearer and might avoid surprises in the future. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 690b5e11618eb0385272d6a003761db22369e620 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 10:15:58 2012 +0100 s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 2916313f8016720fb36180db341efbf7b91522f6 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 12:33:35 2012 +0100 s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 1cdecf1234bffc37a9898b666371b2dd25ad158d Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 07:14:31 2012 +0100 s4:dsdb/acl_util: do helper searches AS_SYSTEM The search is done in order to do access checks. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 8d900d06ff89136016ef2f139d6c33b306c87e93 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 09:33:53 2012 +0100 s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 659277a89dfd4226db9ea44709010ad7e3768fd6 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Nov 19 06:59:33 2012 +0100 s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 844b736a1dd05159850ccc28eee1b3e625489139 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Nov 19 06:59:33 2012 +0100 s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLED Note that SHOW_RECYCLED implies SHOW_DELETED. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit a882b41d44b20476a0b1549260e07be3398f9752 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Nov 12 14:19:34 2012 +0100 s4:dsdb/rootdse: do helper searches AS_SYSTEM As anonymous users can read all rootdse attributes, we should do helper searches with DSDB_FLAG_AS_SYSTEM in order to avoid unnecessary access checks. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 964d96d2c31211601b8854dd3d532112fd2aaece Author: Stefan Metzmacher <me...@samba.org> Date: Mon Nov 26 13:38:07 2012 +0100 s4:dsdb/rootdse: remove unused variable Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 4970d3cacbd6b9a76e64030cc79628f3dfecce1b Author: Michael Adam <ob...@samba.org> Date: Tue Nov 27 16:43:25 2012 +0100 s4:tests/samba_tool/gpo.py: fix accidential line break Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit a58124208006ba9311588554b147acfb86d4d4eb Author: Stefan Metzmacher <me...@samba.org> Date: Tue Nov 20 15:02:05 2012 +0100 s4:tests/samba_tool/gpo.py: add test_show_as_admin() This calls samba-tool gpo show as admin (which should be able to see the full nTSecurityDescriptor. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 325e92190852ae317c42c26ab86d32818d119381 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Nov 20 14:58:13 2012 +0100 s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 67799962b8e6e16ac18466658a3f9924854e32f7 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Nov 20 14:56:56 2012 +0100 s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 6bffad67d24df2c90b174bbcc9c578899783a834 Author: Stefan Metzmacher <me...@samba.org> Date: Sat Nov 17 07:13:40 2012 +0100 s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit f843c04b0f2314ccedb4759c85721773845eb207 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Nov 20 14:51:46 2012 +0100 s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 8563348a01206874ff215a55d0c542912740e84b Author: Stefan Metzmacher <me...@samba.org> Date: Thu Nov 22 08:59:40 2012 +0100 s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xF A value of 0 is mapped to 0xF. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 6991fb385e3956892d904f871052aaede1137a29 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 09:51:45 2012 +0100 s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVector Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit 7fe1e61ab908264f2ac7b8df666b254ae2af4488 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Nov 27 14:49:11 2012 +0100 s4:dsdb/dirsync: check result of replUpToDateVector fetch on nc_root Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> commit ac9bd1e63a8adfb96eb5c9f996e60c2d99aba5e1 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 21 16:12:22 2012 +0100 s4:dsdb/schema_data: fix debug message in schema_data_modify() 
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Michael Adam <ob...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
selftest/knownfail | 8 -
selftest/target/Samba4.pm | 3 -
source4/dsdb/common/util.h | 2 +
source4/dsdb/samdb/ldb_modules/acl.c | 102 +++-
source4/dsdb/samdb/ldb_modules/acl_read.c | 26 +-
source4/dsdb/samdb/ldb_modules/acl_util.c | 67 ++
source4/dsdb/samdb/ldb_modules/descriptor.c | 738 ++++++++++++++++----
source4/dsdb/samdb/ldb_modules/dirsync.c | 14 +-
source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 25 +-
source4/dsdb/samdb/ldb_modules/extended_dn_store.c | 4 +-
source4/dsdb/samdb/ldb_modules/objectclass.c | 36 +-
source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 18 +
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 88 +++-
source4/dsdb/samdb/ldb_modules/rootdse.c | 37 +-
source4/dsdb/samdb/ldb_modules/schema_data.c | 18 +-
source4/dsdb/samdb/ldb_modules/subtree_delete.c | 79 ++-
source4/dsdb/samdb/samdb.h | 19 +
source4/dsdb/tests/python/sec_descriptor.py | 84 +++-
source4/scripting/bin/samba_upgradeprovision | 21 +-
source4/scripting/python/samba/netcmd/gpo.py | 31 +-
.../scripting/python/samba/provision/__init__.py | 1 +
.../scripting/python/samba/provision/descriptor.py | 5 +
.../scripting/python/samba/tests/samba_tool/gpo.py | 8 +-
source4/setup/provision_init.ldif | 2 +
source4/setup/schema_samba4.ldif | 2 +
25 files changed, 1210 insertions(+), 228 deletions(-)
Changeset truncated at 500 lines:
diff --git a/selftest/knownfail b/selftest/knownfail
index 953056e..e3341e9 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -133,7 +133,6 @@
 ^samba4.smb2.acls.*.generic
 ^samba4.smb2.acls.*.inheritflags
 ^samba4.smb2.acls.*.owner
-^samba4.ldap.acl.*.ntSecurityDescriptor.* # ACL extended checks on search not enabled by default
 ^samba4.ldap.dirsync.python.dc..__main__.ExtendedDirsyncTests.test_dirsync_deleted_items
 #^samba4.ldap.dirsync.python.dc..__main__.ExtendedDirsyncTests.*
 ^samba4.drs.fsmo.python
@@ -158,13 +157,6 @@
 ^samba4.smb2.oplock.stream1 # samba 4 oplocks are a mess
 ^samba4.smb2.getinfo.getinfo # streams on directories does not work
 ^samba4.ntvfs.cifs.krb5.base.createx_access.createx_access\(.*\)$
-^samba4.ldap.acl.*.AclSearchTests.test_search_anonymous3\(.*\)$ # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search1\(.*\)$ # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search2\(.*\)$ # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search3\(.*\)$ # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search4\(.*\)$ # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search5\(.*\)$ # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search6\(.*\)$ # ACL search behaviour not enabled by default
 ^samba4.rpc.lsa.forest.trust #Not fully provided by Samba4
 ^samba4.blackbox.kinit\(.*\).kinit with user password for expired password\(.*\) # We need to work out why this fails only during the pw change
 ^samba4.blackbox.dbcheck\(vampire_dc\).dbcheck\(vampire_dc:local\) # Due to replicating with --domain-critical-only we fail dbcheck on this database
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 20114c9..5988b83 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -559,11 +559,8 @@ sub provision_raw_step1($$)
 warn("can't open $ctx->{smb_conf}$?");
 return undef;
 }
- my $acl = "false";
- $acl = "true" if (defined $ENV{WITH_ACL});
 print CONFFILE "
 [global]
- acl:search = $acl
 netbios name = $ctx->{netbiosname}
 posix:eadb = $ctx->{statedir}/eadb.tdb
 workgroup = $ctx->{domain}
diff --git a/source4/dsdb/common/util.h b/source4/dsdb/common/util.h
index c16ce81..0f9b442 100644
--- a/source4/dsdb/common/util.h
+++ b/source4/dsdb/common/util.h
@@ -46,6 +46,8 @@ bool is_attr_in_list(const char * const * attrs, const char *attr);
 #define DSDB_SECRET_ATTRIBUTES_EX(sep) \
+ "pekList" sep \
+ "msDS-ExecuteScriptPassword" sep \
 "currentValue" sep \
 "dBCSPwd" sep \
 "initialAuthIncoming" sep \
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 1a41ee2..9bf2612 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -49,7 +49,7 @@ struct extended_access_check_attribute {
 };
 struct acl_private {
- bool acl_perform;
+ bool acl_search;
 const char **password_attrs;
 void *cached_schema_ptr;
 uint64_t cached_schema_metadata_usn;
@@ -79,9 +79,12 @@ static int acl_module_init(struct ldb_module *module)
 struct ldb_context *ldb;
 struct acl_private *data;
 int ret;
- unsigned int i;
+ unsigned int i, n, j;
 TALLOC_CTX *mem_ctx;
- static const char *attrs[] = { "passwordAttribute", NULL };
+ static const char * const attrs[] = { "passwordAttribute", NULL };
+ static const char * const secret_attrs[] = {
+ DSDB_SECRET_ATTRIBUTES
+ };
 struct ldb_result *res;
 struct ldb_message *msg;
 struct ldb_message_element *password_attributes;
@@ -100,8 +103,8 @@ static int acl_module_init(struct ldb_module *module)
 return ldb_oom(ldb);
 }
- data->acl_perform = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
- NULL, "acl", "perform", false);
+ data->acl_search = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
+ NULL, "acl", "search", true);
 ldb_module_set_private(module, data);
 mem_ctx = talloc_new(module);
@@ -112,7 +115,9 @@ static int acl_module_init(struct ldb_module *module)
 ret = dsdb_module_search_dn(module, mem_ctx, &res, ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"), attrs,
- DSDB_FLAG_NEXT_MODULE, NULL);
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM,
+ NULL);
 if (ret != LDB_SUCCESS) {
 goto done;
 }
@@ -131,16 +136,44 @@ static int acl_module_init(struct ldb_module *module)
 if (!password_attributes) {
 goto done;
 }
- data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
+ data->password_attrs = talloc_array(data, const char *,
+ password_attributes->num_values +
+ ARRAY_SIZE(secret_attrs) + 1);
 if (!data->password_attrs) {
 talloc_free(mem_ctx);
 return ldb_oom(ldb);
 }
+
+ n = 0;
 for (i=0; i < password_attributes->num_values; i++) {
- data->password_attrs[i] = (const char *)password_attributes->values[i].data;
+ data->password_attrs[n] = (const char *)password_attributes->values[i].data;
 talloc_steal(data->password_attrs, password_attributes->values[i].data);
+ n++;
 }
- data->password_attrs[i] = NULL;
+
+ for (i=0; i < ARRAY_SIZE(secret_attrs); i++) {
+ bool found = false;
+
+ for (j=0; j < n; j++) {
+ if (strcasecmp(data->password_attrs[j], secret_attrs[i]) == 0) {
+ found = true;
+ break;
+ }
+ }
+
+ if (found) {
+ continue;
+ }
+
+ data->password_attrs[n] = talloc_strdup(data->password_attrs,
+ secret_attrs[i]);
+ if (data->password_attrs[n] == NULL) {
+ talloc_free(mem_ctx);
+ return ldb_oom(ldb);
+ }
+ n++;
+ }
+ data->password_attrs[n] = NULL;
 done:
 talloc_free(mem_ctx);
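Review bot: The built-in secret_attrs list in the `@@ -131,16 +136,44 @@` hunk is only merged into data->password_attrs after the `if (!password_attributes) { goto done; }` guard, so when @KLUDGEACL carries no passwordAttribute element the DSDB_SECRET_ATTRIBUTES names (including the pekList and msDS-ExecuteScriptPassword entries this series adds in util.h) are never protected by this module, which is the stale-record case the message of b54d268 sets out to cover. Building the array from secret_attrs regardless of what the record supplies, and only then appending the record's values, keeps the hard-coded floor; whether an empty @KLUDGEACL result is already handled before this hunk is not visible here, and the rest of acl_module_init lies outside it. A smaller point: the new duplicate check uses strcasecmp() while this module compares attribute names with ldb_attr_cmp() elsewhere (see the acl_modify hunk), so `if (ldb_attr_cmp(data->password_attrs[j], secret_attrs[i]) == 0) {` would keep the comparison consistent.
```c
	/* … unchanged: @KLUDGEACL lookup that sets password_attributes (may be NULL) … */
	/* the record is optional; the built-in list is always applied */
	num_values = password_attributes ? password_attributes->num_values : 0;
	data->password_attrs = talloc_array(data, const char *,
					    num_values +
					    ARRAY_SIZE(secret_attrs) + 1);
	if (!data->password_attrs) {
		talloc_free(mem_ctx);
		return ldb_oom(ldb);
	}

	n = 0;
	for (i = 0; i < num_values; i++) {
		/* … unchanged: steal the record's values into the array … */
	}
	/* … unchanged: merge secret_attrs, skipping names already present … */
```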
@@ -652,7 +685,9 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, &acl_res, req->op.mod.message->dn, acl_attrs, DSDB_FLAG_NEXT_MODULE | - DSDB_SEARCH_SHOW_DELETED, req); + DSDB_FLAG_AS_SYSTEM | + DSDB_SEARCH_SHOW_RECYCLED, + req); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; @@ -666,7 +701,8 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, &netbios_res, partitions_dn, LDB_SCOPE_ONELEVEL, netbios_attrs, - DSDB_FLAG_NEXT_MODULE, + DSDB_FLAG_NEXT_MODULE | + DSDB_FLAG_AS_SYSTEM, req, "(ncName=%s)", ldb_dn_get_linearized(ldb_get_default_basedn(ldb))); @@ -974,7 +1010,9 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) } ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn, acl_attrs, - DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED, + DSDB_FLAG_NEXT_MODULE | + DSDB_FLAG_AS_SYSTEM | + DSDB_SEARCH_SHOW_RECYCLED, req); if (ret != LDB_SUCCESS) { @@ -1017,8 +1055,21 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) req->op.mod.message->elements[i].name); if (ldb_attr_cmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) { + uint32_t sd_flags = dsdb_request_sd_flags(req, NULL); + uint32_t access_mask = 0; + + if (sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) { + access_mask |= SEC_STD_WRITE_OWNER; + } + if (sd_flags & SECINFO_DACL) { + access_mask |= SEC_STD_WRITE_DAC; + } + if (sd_flags & SECINFO_SACL) { + access_mask |= SEC_FLAG_SYSTEM_SECURITY; + } + status = sec_access_check_ds(sd, acl_user_token(module), - SEC_STD_WRITE_DAC, + access_mask, &access_granted, NULL, sid); 
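Review bot: The sd_flags to access_mask mapping added in acl_modify (the three `if (sd_flags & ...)` blocks before `sec_access_check_ds`) is duplicated with the read-side rights in aclread_callback in acl_read.c later in this diff; both derive from the same SECINFO bits and would be easier to keep in step as one helper next to dsdb_request_sd_flags in acl_util.c, for example `uint32_t dsdb_sd_flags_to_access_mask(uint32_t sd_flags, bool for_write)` (a proposed name, not an existing symbol). Because dsdb_request_sd_flags() normalises "no bits" to all four, access_mask can never be 0 here, which is worth a comment at the declaration: `/* never 0: dsdb_request_sd_flags() maps an absent or empty control to all four SECINFO bits */`. acl_modify continues outside the hunk.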
@@ -1179,6 +1230,18 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req) } talloc_free(nc_root); + if (ldb_request_get_control(req, LDB_CONTROL_TREE_DELETE_OID)) { + ret = dsdb_module_check_access_on_dn(module, req, + req->op.del.dn, + SEC_ADS_DELETE_TREE, NULL, + req); + if (ret != LDB_SUCCESS) { + return ret; + } + + return ldb_next_request(module, req); + } + /* First check if we have delete object right */ ret = dsdb_module_check_access_on_dn(module, req, req->op.del.dn, SEC_STD_DELETE, NULL, req); @@ -1257,6 +1320,7 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req) ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.rename.olddn, acl_attrs, DSDB_FLAG_NEXT_MODULE | + DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_RECYCLED, req); /* we sould be able to find the parent */ if (ret != LDB_SUCCESS) { @@ -1388,6 +1452,14 @@ static int acl_search_update_confidential_attrs(struct acl_context *ac, struct dsdb_attribute *a; uint32_t n = 0; + if (data->acl_search) { + /* + * If acl:search is activated, the acl_read module + * protects confidential attributes. + */ + return LDB_SUCCESS; + } + if ((ac->schema == data->cached_schema_ptr) && (ac->schema->loaded_usn == data->cached_schema_loaded_usn) && (ac->schema->metadata_usn == data->cached_schema_metadata_usn)) @@ -1462,7 +1534,9 @@ static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares) ret = dsdb_module_search_dn(ac->module, ac, &acl_res, ares->message->dn, acl_attrs, DSDB_FLAG_NEXT_MODULE | - DSDB_SEARCH_SHOW_DELETED, req); + DSDB_FLAG_AS_SYSTEM | + DSDB_SEARCH_SHOW_RECYCLED, + req); if (ret != LDB_SUCCESS) { return ldb_module_done(ac->req, NULL, NULL, ret); } diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index e2a2d4c..92744f2 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c 
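Review bot: The new TREE_DELETE branch in acl_delete returns to ldb_next_request as soon as SEC_ADS_DELETE_TREE is granted on req->op.del.dn, so the SEC_STD_DELETE check right below it, and whatever acl_delete checks after this hunk, are skipped for subtree deletes; that looks intended, but a comment stating the rule would save the next reader from re-deriving it: `/* With TREE_DELETE, DELETE_TREE on the subtree root is the only check done here; the per-object delete rights below do not apply */`. The control is looked up but not marked non-critical in this module; if a lower module is the one that consumes it that is fine, otherwise a critical control would survive to the backend, so a short note on which module owns it would help. acl_delete's body continues outside the hunk.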
@@ -44,6 +44,7 @@ struct aclread_context { struct ldb_request *req; const char * const *attrs; const struct dsdb_schema *schema; + uint32_t sd_flags; bool sd; bool instance_type; bool object_sid; @@ -149,7 +150,17 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) } /* nTSecurityDescriptor is a special case */ if (is_sd) { - access_mask = SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL; + access_mask = 0; + + if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) { + access_mask |= SEC_STD_READ_CONTROL; + } + if (ac->sd_flags & SECINFO_DACL) { + access_mask |= SEC_STD_READ_CONTROL; + } + if (ac->sd_flags & SECINFO_SACL) { + access_mask |= SEC_FLAG_SYSTEM_SECURITY; + } } else { access_mask = SEC_ADS_READ_PROP; } @@ -158,6 +169,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) access_mask |= SEC_ADS_CONTROL_ACCESS; } + if (access_mask == 0) { + aclread_mark_inaccesslible(&msg->elements[i]); + continue; + } + ret = acl_check_access_on_attribute(ac->module, tmp_ctx, sd, @@ -287,7 +303,9 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) ret = dsdb_module_search_dn(module, req, &res, req->op.search.base, acl_attrs, DSDB_FLAG_NEXT_MODULE | - DSDB_SEARCH_SHOW_DELETED, req); + DSDB_FLAG_AS_SYSTEM | + DSDB_SEARCH_SHOW_RECYCLED, + req); if (ret != LDB_SUCCESS) { return ldb_error(ldb, ret, "acl_read: Error retrieving instanceType for base."); @@ -330,6 +348,8 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) * expensive so we'd better had the ntsecuritydescriptor to the list of * searched attribute and then remove it ! */ + ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL); + ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor")); if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) { if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) { 
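Review bot: In aclread_callback a SACL-only request now requires SEC_FLAG_SYSTEM_SECURITY without SEC_STD_READ_CONTROL, and OWNER/GROUP/DACL require only READ_CONTROL, which is correct only if the nTSecurityDescriptor value reaching this callback has already been reduced to the parts named by ac->sd_flags by a lower module; if the full stored descriptor were returned, a caller holding just SYSTEM_SECURITY would see the DACL. That dependency deserves a comment at the `if (is_sd)` block, e.g. `/* the value was already filtered to sd_flags below us; check only the rights for those parts */`. The OWNER|GROUP and DACL branches set the same bit and can be one test, `if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL)) access_mask |= SEC_STD_READ_CONTROL;`. Since dsdb_request_sd_flags() never returns 0, the new `if (access_mask == 0)` guard is only reachable if that helper changes; a comment marking it as defensive would stop a future reader hunting for the path.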
@@ -377,7 +397,7 @@ static int aclread_init(struct ldb_module *module) if (p == NULL) { return ldb_module_oom(module); } - p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", false); + p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", true); ldb_module_set_private(module, p); return ldb_next_init(module); } diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c index 50bf888..fc6a55a 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_util.c +++ b/source4/dsdb/samdb/ldb_modules/acl_util.c @@ -74,6 +74,7 @@ int dsdb_module_check_access_on_dn(struct ldb_module *module, ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn, acl_attrs, DSDB_FLAG_NEXT_MODULE | + DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_RECYCLED, parent); if (ret != LDB_SUCCESS) { 
@@ -201,3 +202,69 @@ const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
 session_info->info->domain_name,
 session_info->info->account_name);
 }
+
+uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
+{
+ struct ldb_control *sd_control;
+ uint32_t sd_flags = 0;
+
+ if (explicit) {
+ *explicit = false;
+ }
+
+ sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
+ if (sd_control) {
+ struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
+
+ sd_flags = sdctr->secinfo_flags;
+
+ if (explicit) {
+ *explicit = true;
+ }
+
+ /* mark it as handled */
+ sd_control->critical = 0;
+ }
+
+ /* we only care for the last 4 bits */
+ sd_flags &= 0x0000000F;
+
+ /*
+ * MS-ADTS 3.1.1.3.4.1.11 says that no bits
+ * equals all 4 bits
+ */
+ if (sd_flags == 0) {
+ sd_flags = 0xF;
+ }
+
+ return sd_flags;
+}
+
+int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
+ struct ldb_dn *nc_root,
+ struct ldb_dn *dn,
+ bool include_self)
+{
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct dsdb_extended_sec_desc_propagation_op *op;
+ int ret;
+
+ op = talloc_zero(module, struct dsdb_extended_sec_desc_propagation_op);
+ if (op == NULL) {
+ return ldb_oom(ldb);
+ }
+
+ op->nc_root = nc_root;
+ op->dn = dn;
+ op->include_self = include_self;
+
+ ret = dsdb_module_extended(module, op, NULL,
+ DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID,
+ op,
+ DSDB_FLAG_TOP_MODULE |
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_FLAG_TRUSTED,
+ NULL);
+ TALLOC_FREE(op);
+ return ret;
+}
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 0a26288..18caa38 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
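Review bot: dsdb_request_sd_flags() has a side effect its name does not suggest: it clears `sd_control->critical` on the request, so every module that calls it (acl.c and acl_read.c in this diff) marks the control handled for everything below it; the declaration should carry a comment stating that, together with the low-four-bits mask and the 0-to-0xF normalisation, e.g. `/* Return the SECINFO_* bits requested via LDB_CONTROL_SD_FLAGS_OID (all four when absent or 0, per MS-ADTS 3.1.1.3.4.1.11); sets *explicit when the control was present and marks the control non-critical */`. The cast of `sd_control->data` is not guarded, so a control built in-process with a NULL data pointer would be dereferenced; `if (sd_control && sd_control->data) {` is the cheap form. In dsdb_module_schedule_sd_propagation the op points at the caller's nc_root and dn without copying them and is freed as soon as dsdb_module_extended() returns, so the extended operation must consume them synchronously; a comment on the function stating that contract would make the ownership explicit.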
@@ -42,9 +42,21 @@ #include "auth/auth.h" #include "param/param.h" #include "dsdb/samdb/ldb_modules/util.h" +#include "lib/util/binsearch.h" + +struct descriptor_changes { + struct descriptor_changes *prev, *next; + struct descriptor_changes *children; + struct ldb_dn *nc_root; + struct ldb_dn *dn; + bool force_self; + bool force_children; + struct ldb_dn *stopped_dn; +}; struct descriptor_data { - int _dummy; + TALLOC_CTX *trans_mem; + struct descriptor_changes *changes; }; struct descriptor_context { @@ -56,6 +68,7 @@ struct descriptor_context { struct ldb_val *parentsd_val; struct ldb_message_element *sd_element; struct ldb_val *sd_val; + uint32_t sd_flags; int (*step_fn)(struct descriptor_context *); }; @@ -86,6 +99,8 @@ static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx, dag_sid = dom_sid_dup(mem_ctx, ea_sid); } else if (security_token_has_sid(token, da_sid)) { dag_sid = dom_sid_dup(mem_ctx, da_sid); + } else if (security_token_is_system(token)) { + dag_sid = dom_sid_dup(mem_ctx, sa_sid); } else { dag_sid = NULL; } @@ -94,6 +109,8 @@ static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx, dag_sid = dom_sid_dup(mem_ctx, ea_sid); } else if (security_token_has_sid(token, da_sid)) { dag_sid = dom_sid_dup(mem_ctx, da_sid); + } else if (security_token_is_system(token)) { + dag_sid = dom_sid_dup(mem_ctx, ea_sid); } else { dag_sid = NULL; } @@ -102,6 +119,8 @@ static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx, dag_sid = dom_sid_dup(mem_ctx, da_sid); } else if (security_token_has_sid(token, ea_sid)) { dag_sid = dom_sid_dup(mem_ctx, ea_sid); + } else if (security_token_is_system(token)) { + dag_sid = dom_sid_dup(mem_ctx, da_sid); } else { dag_sid = NULL; } 
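Review bot: struct descriptor_changes is added without a comment on any field, and from this hunk alone it is not possible to tell what force_self, force_children and stopped_dn mean or who owns the dn pointers; the code that sets them is outside this hunk, so the struct definition is the place for a short per-field comment, filled in by the author, of the form `struct ldb_dn *stopped_dn; /* TODO(author): where propagation stopped and why */`. The same applies to `trans_mem` and `changes` in struct descriptor_data, whose lifetime (presumably per transaction, judging by the name) should be stated. In get_default_ag the new security_token_is_system() branches come after the EA/DA membership tests in each of the three cases, so a system token that also carries those SIDs gets the membership result, and the three cases hand SYSTEM different SIDs (sa_sid, ea_sid, da_sid); a one-line comment per branch naming the forest/domain case being handled would make that deliberate.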
@@ -229,6 +248,11 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module, char *sddl_sd; struct dom_sid *default_owner; struct dom_sid *default_group; + struct security_descriptor *default_descriptor = NULL; + + if (objectclass != NULL) { + default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass); + } if (object) { user_descriptor = talloc(mem_ctx, struct security_descriptor); @@ -244,7 +268,7 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module, return NULL; } } else { - user_descriptor = get_sd_unpacked(module, mem_ctx, objectclass); + user_descriptor = default_descriptor; } if (old_sd) { @@ -277,6 +301,28 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module, } -- Samba Shared Repository
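Review bot: get_sd_unpacked() is now called on every add that has an objectclass, including the case where `object` (a caller-supplied descriptor) is present and the default was previously not computed at all; if the later code only consults default_descriptor to fill a missing DACL/SACL, the unpack could be deferred to that point, and if it is needed regardless a comment at the new call saying why would help. The `objectclass != NULL` guard also means `user_descriptor = default_descriptor` can now be NULL where before get_sd_unpacked() was always called, so the code after this hunk should be checked to tolerate user_descriptor == NULL on that path; get_new_descriptor continues beyond the visible lines. A hedged one-liner at the declaration, `/* default SD derived from the objectclass; NULL when no objectclass is known */`, states what this hunk guarantees without overclaiming its later use.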