The branch, v4-2-test has been updated
       via  77d8786 VERSION: Re-enable git snapshots...
       via  c88a4f4 VERSION: Disable git snapshots for the 4.2.0rc4 release.
       via  8fdb354 WHATSNEW: Add release notes for Samba 4.2.0rc4.
       via  2a699e4 CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl
       via  df1f7ce CVE-2014-8143:dsdb: Allow use of dsdb_autotransaction_request outside util.c
       via  0b97e8b CVE-2014-8143:pydsdb: Pull in UF_USE_AES_KEYS flag
       via  239c0f2 CVE-2014-8143:auth: Force talloc type of session_info pointer to match
      from  923827c vfs_fruit: mmap under FreeBSD needs PROT_READ

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test

- Log -----------------------------------------------------------------
commit 77d8786bf8380de0a3e3c4a17e245e3dc261eabf
Author: Karolin Seeger <ksee...@samba.org>
Date:   Thu Jan 15 16:53:23 2015 +0100

    VERSION: Re-enable git snapshots...

    and bump version up to 4.2.0rc5.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

    Autobuild-User(v4-2-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-2-test): Thu Jan 15 22:37:56 CET 2015 on sn-devel-104

commit c88a4f4923fef8243e7e9dea4ab57f620f3a387a
Author: Karolin Seeger <ksee...@samba.org>
Date:   Thu Jan 15 16:51:50 2015 +0100

    VERSION: Disable git snapshots for the 4.2.0rc4 release.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 8fdb3547416be67366837fdf1e30b6bb6e27551d
Author: Karolin Seeger <ksee...@samba.org>
Date:   Thu Jan 15 16:51:08 2015 +0100

    WHATSNEW: Add release notes for Samba 4.2.0rc4.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 2a699e4e1168c473cf88c40db8efa1eab1bc17a2
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Dec 4 17:23:29 2014 +1300

    CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl

    This requires an additional control to be used in the
    LSA server to add domain trust account objects.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit df1f7ce906a17d916e6faeb495efdab01e2759bf
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Dec 8 14:20:21 2014 +1300

    CVE-2014-8143:dsdb: Allow use of dsdb_autotransaction_request outside util.c

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

    Change-Id: If6bc90305a1e9a5a92562a01ba7e44330de91cc1
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
Signed-off-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 0b97e8b96dad7213fb10bdec976386ded3580a64 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Dec 8 12:19:19 2014 +1300 CVE-2014-8143:pydsdb: Pull in UF_USE_AES_KEYS flag Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Change-Id: I36ad5ebc5d8a4811c41b59af90a3add4ae5fd857 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 239c0f267cc6fd81b15c67c81bda84de65950dfa Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 11 15:23:02 2014 +1300 CVE-2014-8143:auth: Force talloc type of session_info pointer to match This helps us keep things safe in LDB where we put this in a opaque pointer. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Andrew Bartlett Change-Id: I46fe53ba655ca0810c276b72fbca524884cdf22d Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 48 +++++++- librpc/idl/security.idl | 13 ++- source4/auth/session.c | 5 + source4/dsdb/common/util.c | 4 +- source4/dsdb/pydsdb.c | 1 + source4/dsdb/samdb/ldb_modules/samldb.c | 190 +++++++++++++++++++++++++++++++- source4/dsdb/samdb/samdb.h | 6 + source4/rpc_server/lsa/dcesrv_lsa.c | 15 ++- source4/setup/schema_samba4.ldif | 1 + 10 files changed, 276 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index fa38d58..8dd14ce 100644 --- a/VERSION +++ b/VERSION 
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # ######################################################## -SAMBA_VERSION_RC_RELEASE=4 +SAMBA_VERSION_RC_RELEASE=5 ######################################################## # To mark SVN snapshots this should be set to 'yes' # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4e394ad..dc47556 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements ===================== -This is the third release candidate of Samba 4.2. This is *not* +This is the fourth release candidate of Samba 4.2. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. 
@@ -338,6 +338,52 @@ smb.conf changes winbind expand groups Changed default 0 +CHANGES SINCE 4.2.0rc3 +====================== + +o Andrew Bartlett <abart...@samba.org> + * BUG 10993: CVE-2014-8143: dsdb-samldb: Check for extended access + rights before we allow changes to userAccountControl. + + +o Günther Deschner <g...@samba.org> + * BUG 10240: vfs: Add glusterfs manpage. + + +o David Disseldorp <dd...@samba.org> + * BUG 10984: Fix spoolss IDL response marshalling when returning error + without clearing info. + + +o Amitay Isaacs <ami...@gmail.com> + * BUG 11000: ctdb-daemon: Use correct tdb flags when enabling robust mutex + support. + + +o Volker Lendecke <v...@samba.org> + * BUG 11032: tdb_wrap: Make mutexes easier to use. + * BUG 11039: vfs_fruit: Fix base_fsp name conversion. + * BUG 11040: vfs_fruit: mmap under FreeBSD needs PROT_READ. + * BUG 11051: net: Fix sam addgroupmem. + + +o Stefan Metzmacher <me...@samba.org> + * BUG 10940: s3:passdb: fix logic in pdb_set_pw_history(). + * BUG 11004: tdb: version 1.3.4. + + +o Christof Schmitt <c...@samba.org> + * BUG 11034: winbind: Retry after SESSION_EXPIRED error in ping-dc. + + +o Andreas Schneider <a...@samba.org> + * BUG 11008: s3-util: Fix authentication with long hostnames. + * BUG 11026: nss_wrapper: check for nss.h. + * BUG 11033: lib/util: Avoid collision which alread defined consumer DEBUG + macro. + * BUG 11037: s3-libads: Fix a possible segfault in kerberos_fetch_pac(). + + CHANGES SINCE 4.2.0rc2 ====================== diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index eb80a86..78c13c9 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl 
@@ -674,14 +674,21 @@ interface security const string GUID_DRS_CHANGE_RID_MASTER = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd"; const string GUID_DRS_CHANGE_SCHEMA_MASTER = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd"; const string GUID_DRS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"; + const string GUID_DRS_REPL_SYNCRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"; + const string GUID_DRS_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_GET_ALL_CHANGES = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"; + const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c"; - const string GUID_DRS_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_MONITOR_TOPOLOGY = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96"; - const string GUID_DRS_REPL_SYNCRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"; - const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"; const string GUID_DRS_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"; + const string GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT + = "280f369c-67c7-438e-ae98-1d46f3c6f541"; + const string GUID_DRS_UNEXPIRE_PASSWORD = "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501"; + const string GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD + = "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5"; + const string GUID_DRS_DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2"; + /***************************************************************/ /* validated writes guids */ diff --git a/source4/auth/session.c b/source4/auth/session.c index b4b4200..3d8714c 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c 
@@ -233,6 +233,11 @@ struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx, { struct auth_session_info *session_info; session_info = talloc_steal(mem_ctx, session_info_transport->session_info); + /* + * This is to allow us to check the type of this pointer using + * talloc_get_type() + */ + talloc_set_name(session_info, "struct auth_session_info"); #ifdef HAVE_GSS_IMPORT_CRED if (session_info_transport->exported_gssapi_credentials.length) { struct cli_credentials *creds; diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 409191d..7e5e5b8 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -1101,8 +1101,8 @@ int samdb_msg_set_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, /* * Handle ldb_request in transaction */ -static int dsdb_autotransaction_request(struct ldb_context *sam_ldb, - struct ldb_request *req) +int dsdb_autotransaction_request(struct ldb_context *sam_ldb, + struct ldb_request *req) { int ret; diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c index ee02483..0a2b86e 100644 --- a/source4/dsdb/pydsdb.c +++ b/source4/dsdb/pydsdb.c @@ -1152,6 +1152,7 @@ void initdsdb(void) ADD_DSDB_FLAG(UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION); ADD_DSDB_FLAG(UF_NO_AUTH_DATA_REQUIRED); ADD_DSDB_FLAG(UF_PARTIAL_SECRETS_ACCOUNT); + ADD_DSDB_FLAG(UF_USE_AES_KEYS); /* groupType flags */ ADD_DSDB_FLAG(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP); diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 7619bbb..54e2e5e 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -33,6 +33,7 @@ #include "includes.h" #include "libcli/ldap/ldap_ndr.h" #include "ldb_module.h" +#include "auth/auth.h" #include "dsdb/samdb/samdb.h" #include "dsdb/samdb/ldb_modules/util.h" #include "dsdb/samdb/ldb_modules/ridalloc.h" 
@@ -944,6 +945,10 @@ static int samldb_schema_info_update(struct samldb_ctx *ac) } static int samldb_prim_group_tester(struct samldb_ctx *ac, uint32_t rid); +static int samldb_check_user_account_control_acl(struct samldb_ctx *ac, + struct dom_sid *sid, + uint32_t user_account_control, + uint32_t user_account_control_old); /* * "Objectclass" trigger (MS-SAMR 3.1.1.8.1) @@ -1039,7 +1044,6 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) el = ldb_msg_find_element(ac->msg, "userAccountControl"); if (el != NULL) { uint32_t user_account_control, account_type; - /* Step 1.3: "userAccountControl" -> "sAMAccountType" mapping */ user_account_control = ldb_msg_find_attr_as_uint(ac->msg, "userAccountControl", @@ -1155,6 +1159,12 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) return ret; } } + + ret = samldb_check_user_account_control_acl(ac, NULL, + user_account_control, 0); + if (ret != LDB_SUCCESS) { + return ret; + } } break; } 
@@ -1442,6 +1452,172 @@ static int samldb_prim_group_trigger(struct samldb_ctx *ac) return ret; } +/** + * Validate that the restriction in point 5 of MS-SAMR 3.1.1.8.10 userAccountControl is honoured + * + */ +static int samldb_check_user_account_control_acl(struct samldb_ctx *ac, + struct dom_sid *sid, + uint32_t user_account_control, + uint32_t user_account_control_old) +{ + int i, ret = 0; + bool need_acl_check = false; + struct ldb_result *res; + const char * const sd_attrs[] = {"ntSecurityDescriptor", NULL}; + struct security_token *user_token; + struct security_descriptor *domain_sd; + struct ldb_dn *domain_dn = ldb_get_default_basedn(ldb_module_get_ctx(ac->module)); + const struct uac_to_guid { + uint32_t uac; + const char *oid; + const char *guid; + enum sec_privilege privilege; + bool delete_is_privileged; + const char *error_string; + } map[] = { + { + .uac = UF_PASSWD_NOTREQD, + .guid = GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT, + .error_string = "Adding the UF_PASSWD_NOTREQD bit in userAccountControl requires the Update-Password-Not-Required-Bit right that was not given on the Domain object" + }, + { + .uac = UF_DONT_EXPIRE_PASSWD, + .guid = GUID_DRS_UNEXPIRE_PASSWORD, + .error_string = "Adding the UF_DONT_EXPIRE_PASSWD bit in userAccountControl requires the Unexpire-Password right that was not given on the Domain object" + }, + { + .uac = UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED, + .guid = GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD, + .error_string = "Adding the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED bit in userAccountControl requires the Enable-Per-User-Reversibly-Encrypted-Password right that was not given on the Domain object" + }, + { + .uac = UF_SERVER_TRUST_ACCOUNT, + .guid = GUID_DRS_DS_INSTALL_REPLICA, + .error_string = "Adding the UF_SERVER_TRUST_ACCOUNT bit in userAccountControl requires the DS-Install-Replica right that was not given on the Domain object" + }, + { + .uac = UF_PARTIAL_SECRETS_ACCOUNT, + .guid = GUID_DRS_DS_INSTALL_REPLICA, 
+ .error_string = "Adding the UF_PARTIAL_SECRETS_ACCOUNT bit in userAccountControl requires the DS-Install-Replica right that was not given on the Domain object" + }, + { + .uac = UF_INTERDOMAIN_TRUST_ACCOUNT, + .oid = DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID, + .error_string = "Updating the UF_INTERDOMAIN_TRUST_ACCOUNT bit in userAccountControl is not permitted over LDAP. This bit is restricted to the LSA CreateTrustedDomain interface", + .delete_is_privileged = true + }, + { + .uac = UF_TRUSTED_FOR_DELEGATION, + .privilege = SEC_PRIV_ENABLE_DELEGATION, + .delete_is_privileged = true, + .error_string = "Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege" + }, + { + .uac = UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, + .privilege = SEC_PRIV_ENABLE_DELEGATION, + .delete_is_privileged = true, + .error_string = "Updating the UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege" + } + + }; + + if (dsdb_module_am_system(ac->module)) { + return LDB_SUCCESS; + } + + for (i = 0; i < ARRAY_SIZE(map); i++) { + if (user_account_control & map[i].uac) { + need_acl_check = true; + break; + } + } + if (need_acl_check == false) { + return LDB_SUCCESS; + } + + user_token = acl_user_token(ac->module); + if (user_token == NULL) { + return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; + } + + ret = dsdb_module_search_dn(ac->module, ac, &res, + domain_dn, + sd_attrs, + DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED, + ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + if (res->count != 1) { + return ldb_module_operr(ac->module); + } + + ret = dsdb_get_sd_from_ldb_message(ldb_module_get_ctx(ac->module), + ac, res->msgs[0], &domain_sd); + + if (ret != LDB_SUCCESS) { + return ret; + } + + for (i = 0; i < ARRAY_SIZE(map); i++) { + uint32_t this_uac_new = user_account_control & map[i].uac; + uint32_t this_uac_old = user_account_control_old & 
map[i].uac; + if (this_uac_new != this_uac_old) { + if (this_uac_old != 0) { + if (map[i].delete_is_privileged == false) { + continue; + } + } + if (map[i].oid) { + struct ldb_control *control = ldb_request_get_control(ac->req, map[i].oid); + if (control == NULL) { + ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; + } + } else if (map[i].privilege != SEC_PRIV_INVALID) { + bool have_priv = security_token_has_privilege(user_token, + map[i].privilege); + if (have_priv == false) { + ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; + } + } else { + ret = acl_check_extended_right(ac, domain_sd, + user_token, + map[i].guid, + SEC_ADS_CONTROL_ACCESS, + sid); + } + if (ret != LDB_SUCCESS) { + break; + } + } + } + if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { + switch (ac->req->operation) { + case LDB_ADD: + ldb_asprintf_errstring(ldb_module_get_ctx(ac->module), + "Failed to add %s: %s", + ldb_dn_get_linearized(ac->msg->dn), + map[i].error_string); + break; + case LDB_MODIFY: + ldb_asprintf_errstring(ldb_module_get_ctx(ac->module), + "Failed to modify %s: %s", + ldb_dn_get_linearized(ac->msg->dn), + map[i].error_string); + break; + default: + return ldb_module_operr(ac->module); + } + if (map[i].guid) { + dsdb_acl_debug(domain_sd, acl_user_token(ac->module), + domain_dn, + true, + 10); + } + } + return ret; +} /** * This function is called on LDB modify operations. It performs some additions/ @@ -1467,6 +1643,7 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) struct ldb_val *val; struct ldb_val computer_val; struct ldb_message *tmp_msg; + struct dom_sid *sid; int ret; struct ldb_result *res; const char * const attrs[] = { @@ -1475,6 +1652,7 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) "userAccountControl", "msDS-User-Account-Control-Computed", "lockoutTime", + "objectSid", NULL }; bool is_computer = false; 
@@ -1671,6 +1849,16 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) ldb_msg_remove_attr(ac->msg, "userAccountControl"); } + sid = samdb_result_dom_sid(res, res->msgs[0], "objectSid"); + if (sid == NULL) { + return ldb_module_operr(ac->module); + } + + ret = samldb_check_user_account_control_acl(ac, sid, new_uac, old_uac); + if (ret != LDB_SUCCESS) { + return ret; + } + return LDB_SUCCESS; } diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h index 7f77d4e..4f57343 100644 --- a/source4/dsdb/samdb/samdb.h +++ b/source4/dsdb/samdb/samdb.h @@ -135,6 +135,12 @@ struct dsdb_control_password_change { */ #define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID "1.3.6.1.4.1.7165.4.3.21" +/* + * passed when creating a interdomain trust account through LSA + * to relax constraints in the samldb ldb module. + */ +#define DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID "1.3.6.1.4.1.7165.4.3.23" + #define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1" struct dsdb_extended_replicated_object { struct ldb_message *msg; diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 6c09649..53b937e 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -800,6 +800,7 @@ static NTSTATUS add_trust_user(TALLOC_CTX *mem_ctx, struct trustAuthInOutBlob *in, struct ldb_dn **user_dn) { + struct ldb_request *req; struct ldb_message *msg; struct ldb_dn *dn; uint32_t i; 
@@ -860,7 +861,19 @@ static NTSTATUS add_trust_user(TALLOC_CTX *mem_ctx, } /* create the trusted_domain user account */ - ret = ldb_add(sam_ldb, msg); + ret = ldb_build_add_req(&req, sam_ldb, mem_ctx, msg, NULL, NULL, + ldb_op_default_callback, NULL); + if (ret != LDB_SUCCESS) { + return NT_STATUS_NO_MEMORY; + } + + ret = ldb_request_add_control(req, DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID, + false, NULL); + if (ret != LDB_SUCCESS) { + return NT_STATUS_NO_MEMORY; + } + + ret = dsdb_autotransaction_request(sam_ldb, req); if (ret != LDB_SUCCESS) { DEBUG(0,("Failed to create user record %s: %s\n", ldb_dn_get_linearized(msg->dn), diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif index 94aedb0..22f0bc1 100644 --- a/source4/setup/schema_samba4.ldif +++ b/source4/setup/schema_samba4.ldif @@ -197,6 +197,7 @@ #Allocated: DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA 1.3.6.1.4.1.7165.4.3.19.1 #Allocated: DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID 1.3.6.1.4.1.7165.4.3.20 #Allocated: DSDB_CONTROL_SEC_DESC_PROPAGATION_OID 1.3.6.1.4.1.7165.4.3.21 +#Allocated: DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID 1.3.6.1.4.1.7165.4.3.23 # Extended 1.3.6.1.4.1.7165.4.4.x #Allocated: DSDB_EXTENDED_REPLICATED_OBJECTS_OID 1.3.6.1.4.1.7165.4.4.1 -- Samba Shared Repository
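
Review bot: in WHATSNEW.txt, the added BUG 11033 entry has a typo, "Avoid collision which alread defined consumer DEBUG macro". "alread" should be "already", and "which" reads as if "with" was intended. Worth fixing before the release notes are published, since this text is copied into the announcement.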
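
Review bot: in librpc/idl/security.idl, the reordering of existing constants should be split from the addition of the new ones. The hunk moves GUID_DRS_REPL_SYNCRONIZE, GUID_DRS_MANAGE_TOPOLOGY and GUID_DRS_RO_REPL_SECRET_SYNC while also adding GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT, GUID_DRS_UNEXPIRE_PASSWORD, GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD and GUID_DRS_DS_INSTALL_REPLICA, so anyone auditing or backporting the CVE-2014-8143 fix has to confirm by hand that the moved GUID values are unchanged. Keeping only the four additions here, and doing the sort in a separate cosmetic commit, would make the security-relevant part of the diff self-evident.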
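
Review bot: in source4/auth/session.c, auth_session_info_from_transport() ignores the return value of talloc_set_name(session_info, "struct auth_session_info"). talloc_set_name() formats and allocates the name, so it can fail, and a failure here would leave the pointer without the name that the comment says talloc_get_type() will later check for. Because the name is a string literal, talloc_set_name_const() would set it without allocating and removes the failure path; otherwise the result should be checked and the function should fail cleanly.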
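
Review bot: in samldb_check_user_account_control_acl() (source4/dsdb/samdb/ldb_modules/samldb.c), the early-exit scan tests only the new value, "if (user_account_control & map[i].uac)", and returns LDB_SUCCESS when no mapped bit is set in it. A modify that clears a bit marked delete_is_privileged (UF_INTERDOMAIN_TRUST_ACCOUNT, UF_TRUSTED_FOR_DELEGATION, UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) and leaves no other mapped bit set therefore never reaches the per-bit loop, so the delete_is_privileged branch is not evaluated for that request. Scanning on the changed bits, for example "(user_account_control ^ user_account_control_old) & map[i].uac", would make the pre-check agree with the loop below it. Two smaller points in the same function: the entries that set .guid leave .privilege to default initialisation, so the "map[i].privilege != SEC_PRIV_INVALID" test depends on SEC_PRIV_INVALID being zero and would be clearer with an explicit ".privilege = SEC_PRIV_INVALID" in each such entry; and the doc comment has an empty trailing line where it could say that sid is NULL on add and what user_account_control_old means in that case.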
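
Review bot: in add_trust_user() (source4/rpc_server/lsa/dcesrv_lsa.c), both new failure paths return NT_STATUS_NO_MEMORY whatever ldb error ldb_build_add_req() or ldb_request_add_control() reported, and neither logs anything, unlike the dsdb_autotransaction_request() failure just below, which prints the DN and error string. Since this request is the only one that carries DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID, a failure to attach the control is worth a DEBUG line naming the control, and the status should reflect the ldb return code rather than always reporting an allocation failure. It would also help to note in a comment that req is allocated on mem_ctx and is released with it, as there is no explicit talloc_free(req) on any path in this hunk.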