The branch, master has been updated
       via  5571ce9619d dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*()
       via  4250d07e4dc dsdb: Use samdb_system_container_dn() in dsdb_trust_*()
       via  9b4f3f3cb4e s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret()
       via  13eed1e0e7d s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret()
       via  a900f6aa5d9 s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array()
       via  4e18066fa24 s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state()
       via  3669caa97f7 dsdb: Use samdb_get_system_container_dn() to get Password Settings Container
       via  97b682e0eb0 dsdb: Use samdb_system_container_dn() in samldb.c
       via  25b0e1102e1 dsdb: Add new function samdb_system_container_dn()
       via  2d461844a20 Bug #9959: Don't search for CN=System
       via  b6e80733c3a For Bug #9959: local talloc frame for next commit
      from  0bf8b25aacd s3/modules: Fix DFS links when widelinks = yes
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5571ce9619d856d3c9545099366f4e0259aee8ef
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jul 27 17:18:45 2023 +1200

    dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*()

    This makes more calls to add children, but avoids the cn=system
    string in the codebase, which makes it easier to audit that this
    is always being built correctly.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Mon Jul 31 07:20:21 UTC 2023 on atb-devel-224

commit 4250d07e4dcd43bf7450b1ae603ff46fdc892d02
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jul 27 17:14:30 2023 +1200

    dsdb: Use samdb_system_container_dn() in dsdb_trust_*()

    This now performs exactly the same actions, but just uses common code to do it.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 9b4f3f3cb4ed17bb233d3b5ccd191be63f01f3f4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jul 27 17:11:39 2023 +1200

    s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret()

    This now performs exactly the same actions, but just uses common code to do it.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 13eed1e0e7d0bdef6b5cdb6b858f124b812adbea
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jul 27 17:09:31 2023 +1200

    s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret()

    This now performs exactly the same actions, but just uses common code to do it.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit a900f6aa5d909d912ee3ca529baa4047c9c4da87
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jul 27 17:00:21 2023 +1200

    s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array()

    This now performs exactly the same actions, but just uses common code to do it.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 4e18066fa243da1c505f782ba87187c3bb1078ee
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jul 27 16:58:13 2023 +1200

    s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state()

    This now performs exactly the same actions, but just uses common code to do it.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3669caa97f76d3e893ac6a1ab88341057929ee6a
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jul 27 16:44:10 2023 +1200

    dsdb: Use samdb_get_system_container_dn() to get Password Settings Container

    By doing this we use the common samdb_get_system_container_dn() routine
    and we avoid doing a linearize and parse step on the main DN, instead
    using the already stored parse of the DN.

    This is more hygienic.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 97b682e0eb0450513dcecb74be672e18e84fe7a2
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jul 27 16:29:34 2023 +1200

    dsdb: Use samdb_system_container_dn() in samldb.c

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 25b0e1102e1a502152d2695aeddf7c65555b16fb
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jul 27 16:12:11 2023 +1200

    dsdb: Add new function samdb_system_container_dn()

    This will replace many calls crafting or searching for this DN
    elsewhere in the code.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 2d461844a201fbca55ebc9a46a15e1d16048055b
Author: Arvid Requate <requ...@univention.de>
Date:   Fri Aug 26 16:20:34 2016 +0200

    Bug #9959: Don't search for CN=System

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

    Signed-off-by: Arvid Requate <requ...@univention.de>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b6e80733c3a589f9d784eec86fc713f1ec9c1049
Author: Arvid Requate <requ...@univention.de>
Date:   Fri Aug 26 16:18:57 2016 +0200

    For Bug #9959: local talloc frame for next commit

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

    Signed-off-by: Arvid Requate <requ...@univention.de>

    [abart...@samba.org Added additional talloc_free() in failure paths]

    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/passdb/pdb_samba_dsdb.c                 | 12 ++++--
 source4/dsdb/common/util.c                      | 19 +++++++++
 source4/dsdb/common/util_trusts.c               | 21 ++-------
 source4/dsdb/samdb/ldb_modules/operational.c    | 22 +++++-----
 source4/dsdb/samdb/ldb_modules/samldb.c         |  7 +---
 source4/rpc_server/backupkey/dcesrv_backupkey.c | 54 ++++++++++---------------
 source4/rpc_server/lsa/lsa_init.c               |  7 ++--
 source4/rpc_server/netlogon/dcerpc_netlogon.c   |  8 ++--
 8 files changed, 71 insertions(+), 79 deletions(-)


Changeset truncated at 500 lines:
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c index 8ed5799ac89..dee40bf2175 100644 --- a/source3/passdb/pdb_samba_dsdb.c +++ b/source3/passdb/pdb_samba_dsdb.c @@ -3317,9 +3317,13 @@ static NTSTATUS pdb_samba_dsdb_set_trusted_domain(struct pdb_methods *methods, goto out; } - msg->dn = ldb_dn_copy(tmp_ctx, base_dn); + msg->dn = samdb_system_container_dn(state->ldb, tmp_ctx); + if (msg->dn == NULL) { + status = NT_STATUS_NO_MEMORY; + goto out; + } - ok = ldb_dn_add_child_fmt(msg->dn, "cn=%s,cn=System", td->domain_name); + ok = ldb_dn_add_child_fmt(msg->dn, "cn=%s", td->domain_name); if (!ok) { status = NT_STATUS_NO_MEMORY; goto out; @@ -3544,13 +3548,13 @@ static NTSTATUS pdb_samba_dsdb_del_trusted_domain(struct pdb_methods *methods, return NT_STATUS_OK; } - tdo_dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->ldb)); + tdo_dn = samdb_system_container_dn(state->ldb, tmp_ctx); if (tdo_dn == NULL) { status = NT_STATUS_NO_MEMORY; goto out; } - ok = ldb_dn_add_child_fmt(tdo_dn, "cn=%s,cn=System", domain); + ok = ldb_dn_add_child_fmt(tdo_dn, "cn=%s", domain); if (!ok) { TALLOC_FREE(tmp_ctx); status = NT_STATUS_NO_MEMORY; diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index fbc8ffe5ce5..5fa9f65e247 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -1276,6 +1276,25 @@ struct ldb_dn *samdb_infrastructure_dn(struct ldb_context *sam_ctx, TALLOC_CTX * return new_dn; } +struct ldb_dn *samdb_system_container_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx) +{ + struct ldb_dn *new_dn = NULL; + bool ok; + + new_dn = ldb_dn_copy(mem_ctx, ldb_get_default_basedn(sam_ctx)); + if (new_dn == NULL) { + return NULL; + } + + ok = ldb_dn_add_child_fmt(new_dn, "CN=System"); + if (!ok) { + TALLOC_FREE(new_dn); + return NULL; + } + + return new_dn; +} + struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx) { struct ldb_dn *new_dn; 
diff --git a/source4/dsdb/common/util_trusts.c b/source4/dsdb/common/util_trusts.c index 0f4d5584192..fd1aa2be4d4 100644 --- a/source4/dsdb/common/util_trusts.c +++ b/source4/dsdb/common/util_trusts.c @@ -2459,17 +2459,12 @@ NTSTATUS dsdb_trust_search_tdo(struct ldb_context *sam_ctx, return NT_STATUS_INVALID_PARAMETER_MIX; } - system_dn = ldb_dn_copy(frame, ldb_get_default_basedn(sam_ctx)); + system_dn = samdb_system_container_dn(sam_ctx, frame); if (system_dn == NULL) { TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } - if (!ldb_dn_add_child_fmt(system_dn, "CN=System")) { - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } - if (netbios != NULL) { netbios_encoded = ldb_binary_encode_string(frame, netbios); if (netbios_encoded == NULL) { @@ -2617,17 +2612,12 @@ NTSTATUS dsdb_trust_search_tdo_by_sid(struct ldb_context *sam_ctx, return NT_STATUS_NO_MEMORY; } - system_dn = ldb_dn_copy(frame, ldb_get_default_basedn(sam_ctx)); + system_dn = samdb_system_container_dn(sam_ctx, frame); if (system_dn == NULL) { TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } - if (!ldb_dn_add_child_fmt(system_dn, "CN=System")) { - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } - filter = talloc_asprintf(frame, "(&" "(objectClass=trustedDomain)" @@ -2794,17 +2784,12 @@ NTSTATUS dsdb_trust_search_tdos(struct ldb_context *sam_ctx, *res = NULL; - system_dn = ldb_dn_copy(frame, ldb_get_default_basedn(sam_ctx)); + system_dn = samdb_system_container_dn(sam_ctx, frame); if (system_dn == NULL) { TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } - if (!ldb_dn_add_child_fmt(system_dn, "CN=System")) { - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } - if (exclude != NULL) { exclude_encoded = ldb_binary_encode_string(frame, exclude); if (exclude_encoded == NULL) { diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index 310f98693c0..8821765a703 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c 
+++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -1009,19 +1009,20 @@ static int get_pso_count(struct ldb_module *module, TALLOC_CTX *mem_ctx, { static const char * const attrs[] = { NULL }; int ret; - struct ldb_dn *domain_dn = NULL; struct ldb_dn *psc_dn = NULL; struct ldb_result *res = NULL; struct ldb_context *ldb = ldb_module_get_ctx(module); + bool psc_ok; *pso_count = 0; - domain_dn = ldb_get_default_basedn(ldb); - psc_dn = ldb_dn_new_fmt(mem_ctx, ldb, - "CN=Password Settings Container,CN=System,%s", - ldb_dn_get_linearized(domain_dn)); + psc_dn = samdb_system_container_dn(ldb, mem_ctx); if (psc_dn == NULL) { return ldb_oom(ldb); } + psc_ok = ldb_dn_add_child_fmt(psc_dn, "CN=Password Settings Container"); + if (psc_ok == false) { + return ldb_oom(ldb); + } /* get the number of PSO children */ ret = dsdb_module_search(module, mem_ctx, &res, psc_dn, @@ -1088,8 +1089,8 @@ static int pso_search_by_sids(struct ldb_module *module, TALLOC_CTX *mem_ctx, int i; struct ldb_context *ldb = ldb_module_get_ctx(module); char *sid_filter = NULL; - struct ldb_dn *domain_dn = NULL; struct ldb_dn *psc_dn = NULL; + bool psc_ok; const char *attrs[] = { "msDS-PasswordSettingsPrecedence", "objectGUID", @@ -1117,13 +1118,14 @@ static int pso_search_by_sids(struct ldb_module *module, TALLOC_CTX *mem_ctx, } /* only PSOs located in the Password Settings Container are valid */ - domain_dn = ldb_get_default_basedn(ldb); - psc_dn = ldb_dn_new_fmt(mem_ctx, ldb, - "CN=Password Settings Container,CN=System,%s", - ldb_dn_get_linearized(domain_dn)); + psc_dn = samdb_system_container_dn(ldb, mem_ctx); if (psc_dn == NULL) { return ldb_oom(ldb); } + psc_ok = ldb_dn_add_child_fmt(psc_dn, "CN=Password Settings Container"); + if (psc_ok == false) { + return ldb_oom(ldb); + } ret = dsdb_module_search(module, mem_ctx, result, psc_dn, LDB_SCOPE_ONELEVEL, attrs, diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 1b4921a6f2e..1edcba7223d 100644 
--- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -5402,14 +5402,9 @@ static int check_rename_constraints(struct ldb_message *msg, /* Objects under CN=System */ - dn1 = ldb_dn_copy(ac, ldb_get_default_basedn(ldb)); + dn1 = samdb_system_container_dn(ldb, ac); if (dn1 == NULL) return ldb_oom(ldb); - if ( ! ldb_dn_add_child_fmt(dn1, "CN=System")) { - talloc_free(dn1); - return LDB_ERR_OPERATIONS_ERROR; - } - if ((ldb_dn_compare_base(dn1, olddn) == 0) && (ldb_dn_compare_base(dn1, newdn) != 0)) { talloc_free(dn1); diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c index b5df40d1e1f..7c4b9de1feb 100644 --- a/source4/rpc_server/backupkey/dcesrv_backupkey.c +++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c @@ -59,10 +59,10 @@ static NTSTATUS set_lsa_secret(TALLOC_CTX *mem_ctx, const char *name, const DATA_BLOB *lsa_secret) { + TALLOC_CTX *frame = talloc_stackframe(); struct ldb_message *msg; struct ldb_result *res; - struct ldb_dn *domain_dn; - struct ldb_dn *system_dn; + struct ldb_dn *system_dn = NULL; struct ldb_val val; int ret; char *name2; @@ -72,13 +72,9 @@ static NTSTATUS set_lsa_secret(TALLOC_CTX *mem_ctx, NULL }; - domain_dn = ldb_get_default_basedn(ldb); - if (!domain_dn) { - return NT_STATUS_INTERNAL_ERROR; - } - - msg = ldb_msg_new(mem_ctx); + msg = ldb_msg_new(frame); if (msg == NULL) { + talloc_free(frame); return NT_STATUS_NO_MEMORY; } 
@@ -92,15 +88,15 @@ static NTSTATUS set_lsa_secret(TALLOC_CTX *mem_ctx, * * taillor the function to the particular needs of backup protocol */ - system_dn = samdb_search_dn(ldb, msg, domain_dn, "(&(objectClass=container)(cn=System))"); + system_dn = samdb_system_container_dn(ldb, frame); if (system_dn == NULL) { - talloc_free(msg); + talloc_free(frame); return NT_STATUS_NO_MEMORY; } name2 = talloc_asprintf(msg, "%s Secret", name); if (name2 == NULL) { - talloc_free(msg); + talloc_free(frame); return NT_STATUS_NO_MEMORY; } @@ -110,7 +106,7 @@ static NTSTATUS set_lsa_secret(TALLOC_CTX *mem_ctx, if (ret != LDB_SUCCESS || res->count != 0 ) { DEBUG(2, ("Secret %s already exists !\n", name2)); - talloc_free(msg); + talloc_free(frame); return NT_STATUS_OBJECT_NAME_COLLISION; } 
@@ -119,41 +115,41 @@ static NTSTATUS set_lsa_secret(TALLOC_CTX *mem_ctx, * here only if the key didn't exists before */ - msg->dn = ldb_dn_copy(mem_ctx, system_dn); + msg->dn = ldb_dn_copy(frame, system_dn); if (msg->dn == NULL) { - talloc_free(msg); + talloc_free(frame); return NT_STATUS_NO_MEMORY; } if (!ldb_dn_add_child_fmt(msg->dn, "cn=%s", name2)) { - talloc_free(msg); + talloc_free(frame); return NT_STATUS_NO_MEMORY; } ret = ldb_msg_add_string(msg, "cn", name2); if (ret != LDB_SUCCESS) { - talloc_free(msg); + talloc_free(frame); return NT_STATUS_NO_MEMORY; } ret = ldb_msg_add_string(msg, "objectClass", "secret"); if (ret != LDB_SUCCESS) { - talloc_free(msg); + talloc_free(frame); return NT_STATUS_NO_MEMORY; } - ret = samdb_msg_add_uint64(ldb, mem_ctx, msg, "priorSetTime", nt_now); + ret = samdb_msg_add_uint64(ldb, frame, msg, "priorSetTime", nt_now); if (ret != LDB_SUCCESS) { - talloc_free(msg); + talloc_free(frame); return NT_STATUS_NO_MEMORY; } val.data = lsa_secret->data; val.length = lsa_secret->length; ret = ldb_msg_add_value(msg, "currentValue", &val, NULL); if (ret != LDB_SUCCESS) { - talloc_free(msg); + talloc_free(frame); return NT_STATUS_NO_MEMORY; } - ret = samdb_msg_add_uint64(ldb, mem_ctx, msg, "lastSetTime", nt_now); + ret = samdb_msg_add_uint64(ldb, frame, msg, "lastSetTime", nt_now); if (ret != LDB_SUCCESS) { - talloc_free(msg); + talloc_free(frame); return NT_STATUS_NO_MEMORY; } @@ -167,11 +163,11 @@ static NTSTATUS set_lsa_secret(TALLOC_CTX *mem_ctx, DEBUG(2,("Failed to create secret record %s: %s\n", ldb_dn_get_linearized(msg->dn), ldb_errstring(ldb))); - talloc_free(msg); + talloc_free(frame); return NT_STATUS_ACCESS_DENIED; } - talloc_free(msg); + talloc_free(frame); return NT_STATUS_OK; } 
@@ -183,8 +179,7 @@ static NTSTATUS get_lsa_secret(TALLOC_CTX *mem_ctx, { TALLOC_CTX *tmp_mem; struct ldb_result *res; - struct ldb_dn *domain_dn; - struct ldb_dn *system_dn; + struct ldb_dn *system_dn = NULL; const struct ldb_val *val; uint8_t *data; const char *attrs[] = { @@ -196,17 +191,12 @@ static NTSTATUS get_lsa_secret(TALLOC_CTX *mem_ctx, lsa_secret->data = NULL; lsa_secret->length = 0; - domain_dn = ldb_get_default_basedn(ldb); - if (!domain_dn) { - return NT_STATUS_INTERNAL_ERROR; - } - tmp_mem = talloc_new(mem_ctx); if (tmp_mem == NULL) { return NT_STATUS_NO_MEMORY; } - system_dn = samdb_search_dn(ldb, tmp_mem, domain_dn, "(&(objectClass=container)(cn=System))"); + system_dn = samdb_system_container_dn(ldb, tmp_mem); if (system_dn == NULL) { talloc_free(tmp_mem); return NT_STATUS_NO_MEMORY; diff --git a/source4/rpc_server/lsa/lsa_init.c b/source4/rpc_server/lsa/lsa_init.c index 689634b9706..1065cc33f4d 100644 --- a/source4/rpc_server/lsa/lsa_init.c +++ b/source4/rpc_server/lsa/lsa_init.c @@ -146,10 +146,9 @@ NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call, /* work out the system_dn - useful for so many calls its worth fetching here */ - state->system_dn = samdb_search_dn(state->sam_ldb, state, - state->domain_dn, "(&(objectClass=container)(cn=System))"); - if (!state->system_dn) { - return NT_STATUS_NO_SUCH_DOMAIN; + state->system_dn = samdb_system_container_dn(state->sam_ldb, state); + if (state->system_dn == NULL) { + return NT_STATUS_NO_MEMORY; } state->builtin_sid = dom_sid_parse_talloc(state, SID_BUILTIN); diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index dc2167f08b2..0b07641f409 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c 
@@ -3941,11 +3941,9 @@ static WERROR fill_trusted_domains_array(TALLOC_CTX *mem_ctx, return WERR_INVALID_FLAGS; } - system_dn = samdb_search_dn(sam_ctx, mem_ctx, - ldb_get_default_basedn(sam_ctx), - "(&(objectClass=container)(cn=System))"); - if (!system_dn) { - return WERR_GEN_FAILURE; + system_dn = samdb_system_container_dn(sam_ctx, mem_ctx); + if (system_dn == NULL) { + return WERR_NOT_ENOUGH_MEMORY; } ret = gendb_search(sam_ctx, mem_ctx, system_dn, -- Samba Shared Repository
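Review bot: in source3/passdb/pdb_samba_dsdb.c, pdb_samba_dsdb_set_trusted_domain(), `td->domain_name` still reaches the DN through `ldb_dn_add_child_fmt(msg->dn, "cn=%s", td->domain_name)` with no escaping, and ldb_dn_add_child_fmt() parses its result as a DN, so a name containing `,`, `+` or `=` turns into extra DN components rather than one RDN value; the same holds for `domain` in the pdb_samba_dsdb_del_trusted_domain() hunk. That is inherited from the `"cn=%s,cn=System"` form being replaced, not introduced here, but since this series is about making CN=System DN construction auditable, escaping the value first (ldb_dn_escape_value()) or adding the child from a struct ldb_val rather than through a format string would close the gap in the same pass. The added `if (msg->dn == NULL)` check is a real fix: the old `msg->dn = ldb_dn_copy(tmp_ctx, base_dn)` line went straight into ldb_dn_add_child_fmt() on a possibly NULL DN.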
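Review bot: in source4/dsdb/common/util.c, samdb_system_container_dn() arrives without a comment, and its single NULL return overloads two conditions: ldb_dn_copy() returns NULL for a NULL source DN, so an ldb context with no default base DN is reported exactly like an allocation failure. Every caller in this series turns that NULL into NT_STATUS_NO_MEMORY or WERR_NOT_ENOUGH_MEMORY, where the code removed from set_lsa_secret() and get_lsa_secret() (`if (!domain_dn) { return NT_STATUS_INTERNAL_ERROR; }`) used to report the missing-base-DN case separately. Suggest a header comment above the function stating that it constructs `CN=System,<default basedn>` without searching, so it does not prove the container exists, plus either an explicit `ldb_get_default_basedn(sam_ctx) == NULL` check that callers can distinguish, or a note that NULL means "generic failure" rather than "out of memory".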
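Review bot: in source4/dsdb/samdb/ldb_modules/operational.c, get_pso_count(), the new branch `if (psc_ok == false) { return ldb_oom(ldb); }` returns with `psc_dn` still allocated on `mem_ctx`; a `talloc_free(psc_dn)` before the return keeps that path leak-free, and the identical branch in pso_search_by_sids() needs the same. Dropping the `ldb_dn_new_fmt(mem_ctx, ldb, "CN=Password Settings Container,CN=System,%s", ldb_dn_get_linearized(domain_dn))` round trip (linearize, then reparse) in favour of the stored parsed DN is the right call. One documentation nit: the shortlog subject for this change names samdb_get_system_container_dn(), while the function actually called in the hunk is samdb_system_container_dn().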
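Review bot: in source4/dsdb/samdb/ldb_modules/samldb.c, check_rename_constraints(), folding the CN=System child into samdb_system_container_dn() changes the error reported when that step fails: the removed `if ( ! ldb_dn_add_child_fmt(dn1, "CN=System"))` branch returned LDB_ERR_OPERATIONS_ERROR, while any NULL from the new helper is reported as ldb_oom(). With a constant RDN the only realistic failure is allocation, so the new mapping is arguably more accurate, but the commit message does not mention it and a sentence there would save the next reader from hunting for the change. The surviving `if (dn1 == NULL) return ldb_oom(ldb);` is the one brace-less if in the visible block, next to removed and retained branches that all use braces, and could pick them up while the lines are being touched.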
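Review bot: in source4/rpc_server/backupkey/dcesrv_backupkey.c, set_lsa_secret(), `TALLOC_CTX *frame = talloc_stackframe();` is initialised at declaration, so every return in the function must now free it; the visible hunks all do, but the diff skips from the `msg = ldb_msg_new(frame)` check (old line 84) to the `system_dn` assignment (old line 92), and a bare `return` in those unshown lines would leak the frame and leave it on the talloc stack for the caller. Please confirm that stretch was audited. Moving `msg`, `msg->dn` (`ldb_dn_copy(frame, system_dn)`) and the two samdb_msg_add_uint64() scratch contexts from `mem_ctx` onto `frame` also removes a per-call leak onto the caller's context that the old code had, since those allocations previously outlived `msg`; if `system_dn` is not used again after the copy, `msg->dn = ldb_dn_copy(msg, system_dn)` would tie its lifetime to the message directly.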
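Review bot: in set_lsa_secret(), the condition `if (ret != LDB_SUCCESS || res->count != 0 )` just above the changed `talloc_free(frame)` logs "Secret %s already exists !" and returns NT_STATUS_OBJECT_NAME_COLLISION even when the search itself failed, so a database error is reported as a name collision; pre-existing, but cheap to split now that the cleanup on that path is being rewritten (search failure to an error built from ldb_errstring(), `res->count != 0` to the collision). The search-then-add sequence is also a check-then-act: a record created between the two steps makes the later add fail, and that failure is mapped unconditionally to NT_STATUS_ACCESS_DENIED in the final hunk of this function, which would misreport a race as a permissions problem. Separately, the comment fragment kept above the changed line, `* taillor the function to the particular needs of backup protocol`, described the samdb_search_dn() lookup that is now gone; re-word it (and fix "taillor") so it matches the constructed DN.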
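Review bot: in source4/rpc_server/lsa/lsa_init.c, dcesrv_lsa_get_policy_state(), the removed samdb_search_dn() call doubled as an existence check for CN=System (its filter required `objectClass=container` and `cn=System`) and returned NT_STATUS_NO_SUCH_DOMAIN when the container was absent; the replacement always succeeds, so a domain without CN=System now fails later, in whichever per-call search first uses state->system_dn. That is the intent of bug 9959 ("Don't search for CN=System") and fine, but it should be spelled out in the commit message. The comment retained above the hunk, "work out the system_dn - useful for so many calls its worth fetching here", now describes a construction rather than a fetch and should be reworded (and "its" should be "it's").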
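Review bot: in source4/rpc_server/netlogon/dcerpc_netlogon.c, fill_trusted_domains_array(), WERR_GEN_FAILURE becomes WERR_NOT_ENOUGH_MEMORY for a NULL `system_dn`; consistent with the other call sites, with the caveat that a NULL default base DN now also lands here as a memory error. A missing CN=System container is no longer detected at this point and will instead surface from the following `gendb_search(sam_ctx, mem_ctx, system_dn, ...)`; since only the head of that call is visible in the diff, please confirm its error return is mapped to a WERROR rather than being treated as "no trusted domains".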