The branch, v4-11-stable has been updated
       via  01a4dd8ea2b VERSION: Disable GIT_SNAPSHOT for the 4.11.5 release.
       via  16f159bdd2d WHATSNEW: Add release notes for Samba 4.11.5.
       via  a56fb1c0427 CVE-2019-19344 kcc dns scavenging: Fix use after free in dns_tombstone_records_zone
       via  0010822597d CVE-2019-14907 lib/util: Do not print the failed to convert string into the logs
       via  5884a973309 CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs
       via  da1d3a0c03c CVE-2019-14902 repl_meta_data: Set renamed = true (and so do SD inheritance) after any rename
       via  febccb4845e CVE-2019-14902 repl_meta_data: Fix issue where inherited Security Descriptors were not replicated.
       via  2cf368d0023 CVE-2019-14902 repl_meta_data: schedule SD propagation to a renamed DN
       via  dc1b30c8316 CVE-2019-14902 dsdb: Ensure we honour both change->force_self and change->force_children
       via  68a91b11e40 CVE-2019-14902 dsdb: Add comments explaining why SD propagation needs to be done here
       via  971247385a4 CVE-2019-14902 dsdb: Explain that descriptor_sd_propagation_recursive() is protected by a transaction
       via  50498111ac0 selftest: Add test to confirm ACL inheritance really happens
       via  59a7bbe0c15 CVE-2019-14902 selftest: Add test for a special case around replicated renames
       via  6b6a993e6af CVE-2019-14902 selftest: Add test for replication of inherited security descriptors
       via  98761ff1b2e VERSION: Bump version up to 4.11.5...
      from  a3e0dc33741 VERSION: Disable GIT_SNAPSHOT for the 4.11.4 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-stable


- Log -----------------------------------------------------------------
commit 01a4dd8ea2b7503270221beef02d21b0a2bc5ffa
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Jan 8 11:55:21 2020 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.11.5 release.

    o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
      Directory not automatic.
    o CVE-2019-14907: Crash after failed character conversion at log level 3 or
      above.
    o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 16f159bdd2dc1fadcfa5920f895eb32f2ccdc73c
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Jan 8 11:53:55 2020 +0100

    WHATSNEW: Add release notes for Samba 4.11.5.

    o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
      Directory not automatic.
    o CVE-2019-14907: Crash after failed character conversion at log level 3 or
      above.
    o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit a56fb1c04278e27381d5eaf52ec1036fceae411f
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Mon Dec 16 13:57:47 2019 +1300

    CVE-2019-19344 kcc dns scavenging: Fix use after free in dns_tombstone_records_zone

    ldb_msg_add_empty reallocates the underlying element array, leaving old_el
    pointing to freed memory.

    This patch takes two defensive copies of the ldb message, and performs the
    updates on them rather than the ldb messages in the result.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14050

    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>

commit 0010822597db4b26858f2a03ea09e070854da782
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Nov 29 20:58:47 2019 +1300

    CVE-2019-14907 lib/util: Do not print the failed to convert string into the logs

    The string may be in another charset, or may be sensitive and certainly
    may not be terminated. It is not safe to just print.

    Found by Robert Święcki using a fuzzer he wrote for smbd.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 5884a9733099f5be05e2de5d3452a882b5c35c27
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Dec 12 14:44:57 2019 +1300

    CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs

    We can not process on the basis of a DN, as the DN may have changed in a
    rename, not only that this module can see, but also from repl_meta_data
    below.

    Therefore remove all the complex tree-based change processing, leaving only
    a tree-based sort of the possible objects to be changed, and a single
    stopped_dn variable containing the DN to stop processing below (after a
    no-op change).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit da1d3a0c03c002f6d2ffc6cfc7c0c15a4baa1000
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Dec 6 18:26:42 2019 +1300

    CVE-2019-14902 repl_meta_data: Set renamed = true (and so do SD inheritance) after any rename

    Previously if there was a conflict, but the incoming object would still
    win, this was not marked as a rename, and so inheritance was not done.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit febccb4845e75fbf8c382df9f897215835e9d979
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 26 15:50:35 2019 +1300

    CVE-2019-14902 repl_meta_data: Fix issue where inherited Security Descriptors were not replicated.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 2cf368d0023c68dc91f50e4cd73fcc83f77cf234
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Dec 6 18:05:54 2019 +1300

    CVE-2019-14902 repl_meta_data: schedule SD propagation to a renamed DN

    We need to check the SD of the parent if we rename, it is not the same as
    an incoming SD change.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit dc1b30c8316d99415e4968dc98779763102994dd
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Dec 6 17:54:23 2019 +1300

    CVE-2019-14902 dsdb: Ensure we honour both change->force_self and change->force_children

    If we are renaming a DN we can be in a situation where we need to

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 68a91b11e40c3670a0c45c72067ccd886fdad530
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 26 16:17:32 2019 +1300

    CVE-2019-14902 dsdb: Add comments explaining why SD propagation needs to be done here

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 971247385a4ab30709d2ed1728cce13dc59f4713
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 26 15:44:32 2019 +1300

    CVE-2019-14902 dsdb: Explain that descriptor_sd_propagation_recursive() is protected by a transaction

    This means we can trust the DB did not change between the two search
    requests.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 50498111ac038e74c58208c604e9f10c90b03688
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Dec 16 11:29:27 2019 +1300

    selftest: Add test to confirm ACL inheritance really happens

    While we have a separate test (sec_descriptor.py) that confirms
    inheritance in general we want to lock in these specific patterns as this
    test covers rename.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 59a7bbe0c155aa00aec93842cbf29c5e5c816929
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Dec 10 15:16:24 2019 +1300

    CVE-2019-14902 selftest: Add test for a special case around replicated renames

    It appears Samba is currently string-name based in the ACL inheritance
    code.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 6b6a993e6afe5b077c53ab2d21a34505fbd13eb5
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Nov 28 17:16:16 2019 +1300

    CVE-2019-14902 selftest: Add test for replication of inherited security descriptors

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 98761ff1b2e50a26b9ce39eab0b4cb630649a155
Author: Karolin Seeger <ksee...@samba.org>
Date:   Mon Dec 16 15:54:00 2019 +0100

    VERSION: Bump version up to 4.11.5...

    and re-enable GIT_SNAPSHOT.
    Signed-off-by: Karolin Seeger <ksee...@samba.org>
    (cherry picked from commit 5a75d9814091631001be8d7d8ccec66ea6380cfb)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                         |   2 +-
 WHATSNEW.txt                                    |  76 ++++-
 lib/util/charset/convert_string.c               |  38 +--
 source4/dsdb/kcc/scavenge_dns_records.c         |  51 ++-
 source4/dsdb/samdb/ldb_modules/acl_util.c       |   4 +-
 source4/dsdb/samdb/ldb_modules/descriptor.c     | 291 +++++++++--------
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c |  55 +++-
 source4/dsdb/samdb/samdb.h                      |   2 +-
 source4/selftest/tests.py                       |   5 +
 source4/torture/drs/python/repl_secdesc.py      | 400 ++++++++++++++++++++++++
 10 files changed, 752 insertions(+), 172 deletions(-)
 create mode 100644 source4/torture/drs/python/repl_secdesc.py


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION index b53fc3ab1db..27b90031747 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=11 -SAMBA_VERSION_RELEASE=4 +SAMBA_VERSION_RELEASE=5 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 830081446ab..99272550643 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,75 @@ + ============================== + Release Notes for Samba 4.11.5 + January 21, 2020 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD + Directory not automatic. +o CVE-2019-14907: Crash after failed character conversion at log level 3 or + above. +o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC. + + +======= +Details +======= + +o CVE-2019-14902: + The implementation of ACL inheritance in the Samba AD DC was not complete, + and so absent a 'full-sync' replication, ACLs could get out of sync between + domain controllers. + +o CVE-2019-14907: + When processing untrusted string input Samba can read past the end of the + allocated buffer when printing a "Conversion error" message to the logs. + +o CVE-2019-19344: + During DNS zone scavenging (of expired dynamic entries) there is a read of + memory after it has been freed. + +For more details and workarounds, please refer to the security advisories. + + +Changes since 4.11.4: +--------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 12497: CVE-2019-14902: Replication of ACLs down subtree on AD Directory + not automatic. + * BUG 14208: CVE-2019-14907: lib/util: Do not print the failed to convert + string into the logs. + +o Gary Lockyer <g...@catalyst.net.nz> + * BUG 14050: CVE-2019-19344: kcc dns scavenging: Fix use after free in + dns_tombstone_records_zone. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. 
All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + ============================== Release Notes for Samba 4.11.4 December 16, 2019 @@ -76,8 +148,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================== Release Notes for Samba 4.11.3 diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c index d274e305a0c..b725b53cb5a 100644 --- a/lib/util/charset/convert_string.c +++ b/lib/util/charset/convert_string.c 
@@ -293,31 +293,31 @@ bool convert_string_handle(struct smb_iconv_handle *ic, switch(errno) { case EINVAL: reason="Incomplete multibyte sequence"; - DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n", - reason, (const char *)src)); + DBG_NOTICE("Conversion error: %s\n", + reason); break; case E2BIG: { reason="No more room"; if (from == CH_UNIX) { - DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s' error: %s\n", - charset_name(ic, from), charset_name(ic, to), - (unsigned int)srclen, (unsigned int)destlen, (const char *)src, reason)); + DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n", + charset_name(ic, from), charset_name(ic, to), + (unsigned int)srclen, (unsigned int)destlen, reason); } else { - DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n", - charset_name(ic, from), charset_name(ic, to), - (unsigned int)srclen, (unsigned int)destlen, reason)); + DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n", + charset_name(ic, from), charset_name(ic, to), + (unsigned int)srclen, (unsigned int)destlen, reason); } break; } case EILSEQ: reason="Illegal multibyte sequence"; - DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n", - reason, (const char *)src)); + DBG_NOTICE("convert_string_internal: Conversion error: %s\n", + reason); break; default: - DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n", - reason, (const char *)src)); + DBG_ERR("convert_string_internal: Conversion error: %s\n", + reason); break; } /* smb_panic(reason); */ 
@@ -427,20 +427,22 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic, switch(errno) { case EINVAL: reason="Incomplete multibyte sequence"; - DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf)); + DBG_NOTICE("Conversion error: %s\n", + reason); break; case E2BIG: reason = "output buffer is too small"; - DBG_NOTICE("convert_string_talloc: " - "Conversion error: %s(%s)\n", - reason, inbuf); + DBG_NOTICE("Conversion error: %s\n", + reason); break; case EILSEQ: reason="Illegal multibyte sequence"; - DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf)); + DBG_NOTICE("Conversion error: %s\n", + reason); break; default: - DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf)); + DBG_ERR("Conversion error: %s\n", + reason); break; } /* smb_panic(reason); */ diff --git a/source4/dsdb/kcc/scavenge_dns_records.c b/source4/dsdb/kcc/scavenge_dns_records.c index 6c0684b3153..8e916cf7b06 100644 --- a/source4/dsdb/kcc/scavenge_dns_records.c +++ b/source4/dsdb/kcc/scavenge_dns_records.c @@ -128,6 +128,8 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx, struct ldb_message_element *el = NULL; struct ldb_message_element *tombstone_el = NULL; struct ldb_message_element *old_el = NULL; + struct ldb_message *new_msg = NULL; + struct ldb_message *old_msg = NULL; int ret; struct GUID guid; struct GUID_txt_buf buf_guid; 
@@ -184,12 +186,29 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx, * change. This prevents race conditions. */ for (i = 0; i < res->count; i++) { - old_el = ldb_msg_find_element(res->msgs[i], "dnsRecord"); + old_msg = ldb_msg_copy(mem_ctx, res->msgs[i]); + if (old_msg == NULL) { + return NT_STATUS_INTERNAL_ERROR; + } + + old_el = ldb_msg_find_element(old_msg, "dnsRecord"); + if (old_el == NULL) { + TALLOC_FREE(old_msg); + return NT_STATUS_INTERNAL_ERROR; + } + old_el->flags = LDB_FLAG_MOD_DELETE; + new_msg = ldb_msg_copy(mem_ctx, old_msg); + if (new_msg == NULL) { + TALLOC_FREE(old_msg); + return NT_STATUS_INTERNAL_ERROR; + } ret = ldb_msg_add_empty( - res->msgs[i], "dnsRecord", LDB_FLAG_MOD_ADD, &el); + new_msg, "dnsRecord", LDB_FLAG_MOD_ADD, &el); if (ret != LDB_SUCCESS) { + TALLOC_FREE(old_msg); + TALLOC_FREE(new_msg); return NT_STATUS_INTERNAL_ERROR; } @@ -197,12 +216,16 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx, status = copy_current_records(mem_ctx, old_el, el, t); if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(old_msg); + TALLOC_FREE(new_msg); return NT_STATUS_INTERNAL_ERROR; } /* If nothing was expired, do nothing. */ if (el->num_values == old_el->num_values && el->num_values != 0) { + TALLOC_FREE(old_msg); + TALLOC_FREE(new_msg); continue; } @@ -213,14 +236,16 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx, el->values = tombstone_blob; el->num_values = 1; - tombstone_el = ldb_msg_find_element(res->msgs[i], + tombstone_el = ldb_msg_find_element(new_msg, "dnsTombstoned"); if (tombstone_el == NULL) { - ret = ldb_msg_add_value(res->msgs[i], + ret = ldb_msg_add_value(new_msg, "dnsTombstoned", true_struct, &tombstone_el); if (ret != LDB_SUCCESS) { + TALLOC_FREE(old_msg); + TALLOC_FREE(new_msg); return NT_STATUS_INTERNAL_ERROR; } tombstone_el->flags = LDB_FLAG_MOD_ADD; 
@@ -234,13 +259,15 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx, * Do not change the status of dnsTombstoned * if we found any live records */ - ldb_msg_remove_attr(res->msgs[i], + ldb_msg_remove_attr(new_msg, "dnsTombstoned"); } /* Set DN to the GUID in case the object was moved. */ - el = ldb_msg_find_element(res->msgs[i], "objectGUID"); + el = ldb_msg_find_element(new_msg, "objectGUID"); if (el == NULL) { + TALLOC_FREE(old_msg); + TALLOC_FREE(new_msg); *error_string = talloc_asprintf(mem_ctx, "record has no objectGUID " @@ -251,20 +278,24 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx, status = GUID_from_ndr_blob(el->values, &guid); if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(old_msg); + TALLOC_FREE(new_msg); *error_string = discard_const_p(char, "Error: Invalid GUID.\n"); return NT_STATUS_INTERNAL_ERROR; } GUID_buf_string(&guid, &buf_guid); - res->msgs[i]->dn = + new_msg->dn = ldb_dn_new_fmt(mem_ctx, samdb, "<GUID=%s>", buf_guid.buf); /* Remove the GUID so we're not trying to modify it. */ - ldb_msg_remove_attr(res->msgs[i], "objectGUID"); + ldb_msg_remove_attr(new_msg, "objectGUID"); - ret = ldb_modify(samdb, res->msgs[i]); + ret = ldb_modify(samdb, new_msg); if (ret != LDB_SUCCESS) { + TALLOC_FREE(old_msg); + TALLOC_FREE(new_msg); *error_string = talloc_asprintf(mem_ctx, "Failed to modify dns record " @@ -273,6 +304,8 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx, ldb_errstring(samdb)); return NT_STATUS_INTERNAL_ERROR; } + TALLOC_FREE(old_msg); + TALLOC_FREE(new_msg); } return NT_STATUS_OK; diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c index 6d645b10fe2..b9931795e19 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_util.c +++ b/source4/dsdb/samdb/ldb_modules/acl_util.c 
@@ -286,7 +286,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit) int dsdb_module_schedule_sd_propagation(struct ldb_module *module, struct ldb_dn *nc_root, - struct ldb_dn *dn, + struct GUID guid, bool include_self) { struct ldb_context *ldb = ldb_module_get_ctx(module); @@ -299,7 +299,7 @@ int dsdb_module_schedule_sd_propagation(struct ldb_module *module, } op->nc_root = nc_root; - op->dn = dn; + op->guid = guid; op->include_self = include_self; ret = dsdb_module_extended(module, op, NULL, diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c index 9018b750ab5..daa08c2ebc7 100644 --- a/source4/dsdb/samdb/ldb_modules/descriptor.c +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c @@ -46,9 +46,8 @@ struct descriptor_changes { struct descriptor_changes *prev, *next; - struct descriptor_changes *children; struct ldb_dn *nc_root; - struct ldb_dn *dn; + struct GUID guid; bool force_self; bool force_children; struct ldb_dn *stopped_dn; @@ -771,7 +770,8 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req) current_attrs, DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_AS_SYSTEM | - DSDB_SEARCH_SHOW_RECYCLED, + DSDB_SEARCH_SHOW_RECYCLED | + DSDB_SEARCH_SHOW_EXTENDED_DN, req); if (ret != LDB_SUCCESS) { ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n", @@ -832,7 +832,7 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req) user_sd = old_sd; } - sd = get_new_descriptor(module, dn, req, + sd = get_new_descriptor(module, current_res->msgs[0]->dn, req, objectclass, parent_sd, user_sd, old_sd, sd_flags); if (sd == NULL) { 
@@ -869,15 +869,32 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req) return ldb_oom(ldb); } } else if (cmp_ret != 0) { + struct GUID guid; struct ldb_dn *nc_root; + NTSTATUS status; - ret = dsdb_find_nc_root(ldb, msg, dn, &nc_root); + ret = dsdb_find_nc_root(ldb, + msg, + current_res->msgs[0]->dn, + &nc_root); if (ret != LDB_SUCCESS) { return ldb_oom(ldb); } - ret = dsdb_module_schedule_sd_propagation(module, nc_root, - dn, false); + status = dsdb_get_extended_dn_guid(current_res->msgs[0]->dn, + &guid, + "GUID"); + if (!NT_STATUS_IS_OK(status)) { + return ldb_operr(ldb); + } + + /* + * Force SD propagation on children of this record + */ + ret = dsdb_module_schedule_sd_propagation(module, + nc_root, + guid, + false); if (ret != LDB_SUCCESS) { return ldb_operr(ldb); } @@ -960,16 +977,31 @@ static int descriptor_rename(struct ldb_module *module, struct ldb_request *req) if (ldb_dn_compare(olddn, newdn) != 0) { struct ldb_dn *nc_root; + struct GUID guid; ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root); if (ret != LDB_SUCCESS) { return ldb_oom(ldb); } - ret = dsdb_module_schedule_sd_propagation(module, nc_root, - newdn, true); - if (ret != LDB_SUCCESS) { - return ldb_operr(ldb); + ret = dsdb_module_guid_by_dn(module, + olddn, + &guid, + req); + if (ret == LDB_SUCCESS) { + /* + * Without disturbing any errors if the olddn + * does not exit, force SD propagation on + * this record (get a new inherited SD from + * the potentially new parent + */ + ret = dsdb_module_schedule_sd_propagation(module, + nc_root, + guid, + true); + if (ret != LDB_SUCCESS) { + return ldb_operr(ldb); + } } } 
@@ -985,9 +1017,7 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module, struct ldb_context *ldb = ldb_module_get_ctx(module); struct dsdb_extended_sec_desc_propagation_op *op; TALLOC_CTX *parent_mem = NULL; - struct descriptor_changes *parent_change = NULL; struct descriptor_changes *c; - int ret; op = talloc_get_type(req->op.extended.data, struct dsdb_extended_sec_desc_propagation_op); @@ -1004,32 +1034,6 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module, parent_mem = descriptor_private->trans_mem; - for (c = descriptor_private->changes; c; c = c->next) { - ret = ldb_dn_compare(c->nc_root, op->nc_root); - if (ret != 0) { - continue; - } - - ret = ldb_dn_compare(c->dn, op->dn); - if (ret == 0) { - if (op->include_self) { - c->force_self = true; - } else { - c->force_children = true; - } - return ldb_module_done(req, NULL, NULL, LDB_SUCCESS); - } - - ret = ldb_dn_compare_base(c->dn, op->dn); - if (ret != 0) { - continue; - } - - parent_mem = c; - parent_change = c; - break; - } - c = talloc_zero(parent_mem, struct descriptor_changes); if (c == NULL) { return ldb_module_oom(module); @@ -1038,21 +1042,14 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module, if (c->nc_root == NULL) { return ldb_module_oom(module); } - c->dn = ldb_dn_copy(c, op->dn); - if (c->dn == NULL) { - return ldb_module_oom(module); - } + c->guid = op->guid; if (op->include_self) { c->force_self = true; } else { -- Samba Shared Repository
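Review bot: in the convert_string_handle hunk (@@ -293,31 +293,31 @@) the EINVAL branch drops the function prefix ("DBG_NOTICE("Conversion error: %s\n"") while the EILSEQ and default branches keep "convert_string_internal: Conversion error: %s\n", so the three error cases now log in two different shapes; pick one format for all of them. In the same hunk, once the `(const char *)src` argument is gone the two E2BIG branches emit exactly the same DBG_NOTICE, so the `if (from == CH_UNIX)` split no longer does anything and can be collapsed into a single call.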
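Review bot: in the scavenge_dns_records.c hunk (@@ -251,20 +278,24 @@) the line `new_msg->dn = ldb_dn_new_fmt(mem_ctx, samdb, "<GUID=%s>", buf_guid.buf);` still parents the new DN on mem_ctx, so the TALLOC_FREE(old_msg)/TALLOC_FREE(new_msg) pair added at the end of each iteration does not release it and one DN per record stays allocated on mem_ctx until the whole scavenging run finishes; parenting the DN on new_msg would make the per-iteration cleanup complete. Separately, that same pair of TALLOC_FREE calls is now repeated on every exit path of the loop body; a per-iteration talloc context freed at one point (or a single cleanup label) would make it much harder to miss a path in a later change.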
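Review bot: in the descriptor_rename hunk (@@ -960,16 +977,31 @@) the comment says a failure of dsdb_module_guid_by_dn() is to be ignored, but `ret` still holds that failure value after the `if (ret == LDB_SUCCESS)` block ends; unless the lines following the hunk reassign ret before it is tested or returned, the rename would fail with the lookup's error after all. Either confirm that, or reset `ret = LDB_SUCCESS` in an explicit else branch so the intent is visible in the code. The comment also reads "does not exit" where "does not exist" is meant, and its closing parenthesis after "the potentially new parent" is missing.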
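Review bot: in the descriptor_extended_sec_desc_propagation hunk (@@ -1004,32 +1034,6 @@) removing the loop that folded a repeated request for the same object into an existing descriptor_changes entry (setting force_self or force_children on it) means every dsdb_module_schedule_sd_propagation() call now allocates a fresh entry via talloc_zero, so the same GUID can be queued several times in one transaction and the force_self/force_children flags for one object end up split across entries. The commit message says the remaining tree-based sort plus stopped_dn is what keeps the repeat processing cheap; a short comment at this point stating that duplicates are expected and where they are collapsed would help the next reader, and a GUID-equality check over the existing changes before the talloc_zero would avoid the duplicates altogether.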