The Samba-Bugzilla – Attachment 18161 Details for
Bug 13595
CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users
[patch]
Patches for v4-18-test
bfixes-tmp418.txt (text/plain), 25.66 KB, created by
Stefan Metzmacher
on 2023-10-17 05:49:03 UTC
Description:
Patches for v4-18-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2023-10-17 05:49:03 UTC
Size:
25.66 KB
>From 7549245a91e9d04381d17af452fcca9b679ae439 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 29 Jan 2016 23:30:59 +0100
>Subject: [PATCH 1/6] CVE-2018-14628: python:descriptor: add
> get_deletedobjects_descriptor()
>
>samba-tool drs clone-dc-database was quite useful to find
>the true value of nTSecurityDescriptor of the CN=Delete Objects
>containers.
>
>Only the auto inherited SACL is available via a ldap search.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 3be190dcf7153e479383f7f3d29ddca43fe121b8)
>---
> python/samba/descriptor.py | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
>diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
>index ac4c7e3273de..08c7518f56ab 100644
>--- a/python/samba/descriptor.py
>+++ b/python/samba/descriptor.py
>@@ -52,6 +52,16 @@ def get_empty_descriptor(domain_sid, name_map={}):
> # "get_schema_descriptor" is located in "schema.py"
>
>
>+def get_deletedobjects_descriptor(domain_sid, name_map=None):
>+ if name_map is None:
>+ name_map = {}
>+
>+ sddl = "O:SYG:SYD:PAI" \
>+ "(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)" \
>+ "(A;;RPLC;;;BA)"
>+ return sddl2binary(sddl, domain_sid, name_map)
>+
>+
> def get_config_descriptor(domain_sid, name_map={}):
> sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
> "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
>--
>2.34.1
>
>
>From e26f0a1b11385d3af189219b9a258d22c6568855 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 29 Jan 2016 23:33:37 +0100
>Subject: [PATCH 2/6] CVE-2018-14628: python:provision: make
> DELETEDOBJECTS_DESCRIPTOR available in the ldif files
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
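Review bot: `get_deletedobjects_descriptor()` is added without a docstring, although its SDDL literal is the security-relevant core of this fix and is hard to audit as written. A one-line docstring would do, for example `"""Return the binary SD for a CN=Deleted Objects container: owner and group SY, protected auto-inherited DACL, RP/WP/CC/DC/LC/RC/WO/WD/SD/SW for SY, RP/LC only for BA."""`. It could also state that no SACL is set here, which fits the commit message's remark that only the auto-inherited SACL is visible over LDAP. The `name_map=None` default avoids the shared mutable `name_map={}` default that the neighbouring `get_empty_descriptor` and `get_config_descriptor` signatures in the context lines still use.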
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 0c329a0fda37d87ed737e4b579b6d04ec907604c)
>---
> python/samba/provision/__init__.py | 5 +++++
> python/samba/provision/sambadns.py | 4 ++++
> 2 files changed, 9 insertions(+)
>
>diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
>index ff9b8fac916a..f7d7468e4faf 100644
>--- a/python/samba/provision/__init__.py
>+++ b/python/samba/provision/__init__.py
>@@ -78,6 +78,7 @@ from samba.provision.backend import (
> LDBBackend,
> )
> from samba.descriptor import (
>+ get_deletedobjects_descriptor,
> get_empty_descriptor,
> get_config_descriptor,
> get_config_partitions_descriptor,
>@@ -1441,6 +1442,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
> msg["subRefs"] = ldb.MessageElement(names.configdn, ldb.FLAG_MOD_ADD,
> "subRefs")
>
>+ deletedobjects_descr = b64encode(get_deletedobjects_descriptor(names.domainsid)).decode('utf8')
>+
> samdb.invocation_id = invocationid
>
> # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
>@@ -1472,6 +1475,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
> "FOREST_FUNCTIONALITY": str(forestFunctionality),
> "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
> "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
>+ "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
> "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
> "SERVICES_DESCRIPTOR": protected1_descr,
> "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
>@@ -1536,6 +1540,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
> "RIDAVAILABLESTART": str(next_rid + 600),
> "POLICYGUID_DC": policyguid_dc,
> "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
>+ "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
> "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc,
> "SYSTEM_DESCRIPTOR": system_desc,
> "BUILTIN_DESCRIPTOR": builtin_desc,
>diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
>index 9184711a7645..d057b7830ada 100644
>--- a/python/samba/provision/sambadns.py
>+++ b/python/samba/provision/sambadns.py
>@@ -42,6 +42,7 @@ from samba.dsdb import (
> DS_GUID_USERS_CONTAINER
> )
> from samba.descriptor import (
>+ get_deletedobjects_descriptor,
> get_domain_descriptor,
> get_domain_delete_protected1_descriptor,
> get_domain_delete_protected2_descriptor,
>@@ -256,6 +257,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
> domainzone_dn = "DC=DomainDnsZones,%s" % domaindn
> forestzone_dn = "DC=ForestDnsZones,%s" % forestdn
> descriptor = get_dns_partition_descriptor(domainsid)
>+ deletedobjects_desc = get_deletedobjects_descriptor(domainsid)
>
> setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), {
> "ZONE_DN": domainzone_dn,
>@@ -278,6 +280,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
> "ZONE_DNS": domainzone_dns,
> "CONFIGDN": configdn,
> "SERVERDN": serverdn,
>+ "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
> "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
> "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
> })
>@@ -297,6 +300,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
> "ZONE_DNS": forestzone_dns,
> "CONFIGDN": configdn,
> "SERVERDN": serverdn,
>+ "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
> "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
> "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
> })
>--
>2.34.1
>
>
>From 54b167ef9da3ba2a9c8258d9ca3a229968516bcd Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 29 Jan 2016 23:34:15 +0100
>Subject: [PATCH 3/6] CVE-2018-14628: s4:setup: set the correct
> nTSecurityDescriptor on the CN=Deleted Objects container
>
>This revealed a bug in our dirsync code, so we mark
>test_search_with_dirsync_deleted_objects as knownfail.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47)
>---
> selftest/knownfail.d/samba4.ldap.confidential_attr | 1 +
> source4/setup/provision.ldif | 1 +
> source4/setup/provision_configuration.ldif | 1 +
> source4/setup/provision_dnszones_add.ldif | 1 +
> 4 files changed, 4 insertions(+)
> create mode 100644 selftest/knownfail.d/samba4.ldap.confidential_attr
>
>diff --git a/selftest/knownfail.d/samba4.ldap.confidential_attr b/selftest/knownfail.d/samba4.ldap.confidential_attr
>new file mode 100644
>index 000000000000..46a75ce928b0
>--- /dev/null
>+++ b/selftest/knownfail.d/samba4.ldap.confidential_attr
>@@ -0,0 +1 @@
>+^samba4.ldap.confidential_attr.python.*.__main__.*.test_search_with_dirsync_deleted_objects
>diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
>index 5d9eba49f86f..7f966fd57f81 100644
>--- a/source4/setup/provision.ldif
>+++ b/source4/setup/provision.ldif
>@@ -34,6 +34,7 @@ isDeleted: TRUE
> isCriticalSystemObject: TRUE
> showInAdvancedViewOnly: TRUE
> systemFlags: -1946157056
>+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
>
> # Computers located in "provision_computers*.ldif"
> # Users/Groups located in "provision_users*.ldif"
>diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
>index 53c9c8536de4..8fcbddbdae48 100644
>--- a/source4/setup/provision_configuration.ldif
>+++ b/source4/setup/provision_configuration.ldif
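Review bot: The new knownfail entry for `test_search_with_dirsync_deleted_objects` silences a confidential-attribute test in the same series that tightens access to deleted objects, and nothing in the new file records why or when the entry can go. Assuming knownfail.d files accept `#` comment lines, a line such as `# dirsync bug exposed by the CN=Deleted Objects SD, see bug 13595` above the pattern would keep the suppression from outliving the dirsync fix. Whether a later change removes the entry cannot be seen from this series.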
>@@ -14,6 +14,7 @@ description: Container for deleted objects
> isDeleted: TRUE
> isCriticalSystemObject: TRUE
> systemFlags: -1946157056
>+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
>
> # Extended rights
>
>diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif
>index 860aa4b72b30..a2d6b6bab8f2 100644
>--- a/source4/setup/provision_dnszones_add.ldif
>+++ b/source4/setup/provision_dnszones_add.ldif
>@@ -8,6 +8,7 @@ description: Deleted objects
> isDeleted: TRUE
> isCriticalSystemObject: TRUE
> systemFlags: -1946157056
>+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
>
> dn: CN=LostAndFound,${ZONE_DN}
> objectClass: top
>--
>2.34.1
>
>
>From 413698d10d1eb5837ea0aff4192278c338201608 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 26 Jun 2023 15:14:24 +0200
>Subject: [PATCH 4/6] CVE-2018-14628: s4:dsdb: remove unused code in
> dirsync_filter_entry()
>
>This makes the next change easier to understand.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 498542be0bbf4f26558573c1f87b77b8e3509371)
>---
> source4/dsdb/samdb/ldb_modules/dirsync.c | 53 +++---------------------
> 1 file changed, 5 insertions(+), 48 deletions(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c
>index fbb75790095b..124cff25e397 100644
>--- a/source4/dsdb/samdb/ldb_modules/dirsync.c
>+++ b/source4/dsdb/samdb/ldb_modules/dirsync.c
>@@ -151,10 +151,6 @@ static int dirsync_filter_entry(struct ldb_request *req,
> * list only the attribute that have been modified since last interogation
> *
> */
>- newmsg = ldb_msg_new(dsc->req);
>- if (newmsg == NULL) {
>- return ldb_oom(ldb);
>- }
> for (i = msg->num_elements - 1; i >= 0; i--) {
> if (ldb_attr_cmp(msg->elements[i].name, "uSNChanged") == 0) {
> int error = 0;
>@@ -201,11 +197,6 @@ static int dirsync_filter_entry(struct ldb_request *req,
> */
> return LDB_SUCCESS;
> }
>- newmsg->dn = ldb_dn_new(newmsg, ldb, "");
>- if (newmsg->dn == NULL) {
>- return ldb_oom(ldb);
>- }
>-
> el = ldb_msg_find_element(msg, "objectGUID");
> if ( el != NULL) {
> guidfound = true;
>@@ -216,48 +207,14 @@ static int dirsync_filter_entry(struct ldb_request *req,
> * well will uncomment the code bellow
> */
> SMB_ASSERT(guidfound == true);
>- /*
>- if (guidfound == false) {
>- struct GUID guid;
>- struct ldb_val *new_val;
>- DATA_BLOB guid_blob;
>-
>- tmp[0] = '\0';
>- txt = strrchr(txt, ':');
>- if (txt == NULL) {
>- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
>- }
>- txt++;
>-
>- status = GUID_from_string(txt, &guid);
>- if (!NT_STATUS_IS_OK(status)) {
>- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
>- }
>-
>- status = GUID_to_ndr_blob(&guid, msg, &guid_blob);
>- if (!NT_STATUS_IS_OK(status)) {
>- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
>- }
>-
>- new_val = talloc(msg, struct ldb_val);
>- if (new_val == NULL) {
>- return ldb_oom(ldb);
>- }
>- new_val->data = talloc_steal(new_val, guid_blob.data);
>- new_val->length = guid_blob.length;
>- if (ldb_msg_add_value(msg, "objectGUID", new_val, NULL) != 0) {
>- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
>- }
>- }
>- */
>- ldb_msg_add(newmsg, el, LDB_FLAG_MOD_ADD);
>- talloc_steal(newmsg->elements, el->name);
>- talloc_steal(newmsg->elements, el->values);
>-
>- talloc_steal(newmsg->elements, msg);
> return ldb_module_send_entry(dsc->req, msg, controls);
> }
>
>+ newmsg = ldb_msg_new(dsc->req);
>+ if (newmsg == NULL) {
>+ return ldb_oom(ldb);
>+ }
>+
> ndr_err = ndr_pull_struct_blob(replMetaData, dsc, &rmd,
> (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
> if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
>--
>2.34.1
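Review bot: The context comment ending in `well will uncomment the code bellow` is left stale by the third hunk, which deletes the commented-out block it refers to. The comment above `SMB_ASSERT(guidfound == true);` should instead say why `objectGUID` is expected to be present, for example `/* objectGUID must be part of every entry we return, see the attribute list built for the search */`, with the reason confirmed against the code outside the hunk. Because `SMB_ASSERT` aborts the process rather than failing the request, it is also worth confirming that no entry reachable by a client can arrive here without `objectGUID`. `dirsync_filter_entry()` starts and ends outside these hunks.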
> > >From 0024a82d75b714a6f9b2bf65ff4f2f0a6461cf02 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 7 Jun 2023 18:18:58 +0200 >Subject: [PATCH 5/6] CVE-2018-14628: dbchecker: use > get_deletedobjects_descriptor for missing deleted objects container > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 70586061128f90afa33f25e104d4570a1cf778db) >--- > python/samba/dbchecker.py | 17 ++++++++++++++--- > 1 file changed, 14 insertions(+), 3 deletions(-) > >diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py >index c9341f6500c2..e52cd7b067d5 100644 >--- a/python/samba/dbchecker.py >+++ b/python/samba/dbchecker.py >@@ -20,7 +20,7 @@ > import ldb > import samba > import time >-from base64 import b64decode >+from base64 import b64decode, b64encode > from samba import dsdb > from samba import common > from samba.dcerpc import misc >@@ -29,7 +29,11 @@ from samba.ndr import ndr_unpack, ndr_pack > from samba.dcerpc import drsblobs > from samba.samdb import dsdb_Dn > from samba.dcerpc import security >-from samba.descriptor import get_wellknown_sds, get_diff_sds >+from samba.descriptor import ( >+ get_wellknown_sds, >+ get_deletedobjects_descriptor, >+ get_diff_sds >+) > from samba.auth import system_session, admin_session > from samba.netcmd import CommandError > from samba.netcmd.fsmo import get_fsmo_roleowner >@@ -351,6 +355,12 @@ class dbcheck(object): > listwko.append('%s:%s' % (wko_prefix, dn)) > guid_suffix = "" > >+ >+ domain_sid = security.dom_sid(self.samdb.get_domain_sid()) >+ sec_desc = get_deletedobjects_descriptor(domain_sid, >+ name_map=self.name_map) >+ sec_desc_b64 = b64encode(sec_desc).decode('utf8') >+ > # Insert a brand new Deleted Objects container > self.samdb.add_ldif("""dn: %s > objectClass: top 
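Review bot: The new lines that compute `sec_desc_b64` carry no comment saying why a re-created container needs an explicit descriptor, which is the whole point of the change in this CVE series. A why-comment above `domain_sid = ...` would help, for example `# Re-create CN=Deleted Objects with its restricted SD instead of whatever default the add would otherwise produce (CVE-2018-14628)`. The value is spliced into the LDIF template in the following hunk by `%` formatting; that is safe for `sec_desc_b64` because it is base64 text, and the comment could say so. The enclosing method starts and ends outside the hunk.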
>@@ -359,7 +369,8 @@ description: Container for deleted objects
> isDeleted: TRUE
> isCriticalSystemObject: TRUE
> showInAdvancedViewOnly: TRUE
>-systemFlags: -1946157056%s""" % (dn, guid_suffix),
>+nTSecurityDescriptor:: %s
>+systemFlags: -1946157056%s""" % (dn, sec_desc_b64, guid_suffix),
> controls=["relax:0", "provision:0"])
>
> delta = ldb.Message()
>--
>2.34.1
>
>
>From d94d7f58fbc6e6df75ad56bd090859b8eba1f044 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 29 Jan 2016 23:35:31 +0100
>Subject: [PATCH 6/6] CVE-2018-14628: python:descriptor: let samba-tool dbcheck
> fix the nTSecurityDescriptor on CN=Deleted Objects containers
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566)
>---
> python/samba/dbchecker.py | 10 ++++++++--
> python/samba/descriptor.py | 15 ++++++++++++++-
> ...ck-link-output-missing-link-sid-corruption.txt | 8 ++++----
> .../expected-links-after-dbcheck.ldif | 2 +-
> .../release-4-5-0-pre1/rootdse-version.final.txt | 2 +-
> testprogs/blackbox/dbcheck-links.sh | 12 ++++++++++++
> 6 files changed, 40 insertions(+), 9 deletions(-)
>
>diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
>index e52cd7b067d5..d5bb8a5a1fc3 100644
>--- a/python/samba/dbchecker.py
>+++ b/python/samba/dbchecker.py
>@@ -2469,7 +2469,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
> error_count += 1
> continue
>
>- if self.reset_well_known_acls:
>+ if dn == deleted_objects_dn or self.reset_well_known_acls:
> try:
> well_known_sd = self.get_wellknown_sd(dn)
> except KeyError:
>@@ -2478,7 +2478,13 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
> current_sd = ndr_unpack(security.descriptor,
> obj[attrname][0])
>
>- diff = get_diff_sds(well_known_sd, current_sd, security.dom_sid(self.samdb.get_domain_sid()))
>+ ignoreAdditionalACEs = False
>+ if not self.reset_well_known_acls:
>+ ignoreAdditionalACEs = True
>+
>+ diff = get_diff_sds(well_known_sd, current_sd,
>+ security.dom_sid(self.samdb.get_domain_sid()),
>+ ignoreAdditionalACEs=ignoreAdditionalACEs)
> if diff != "":
> self.err_wrong_default_sd(dn, well_known_sd, diff)
> error_count += 1
>diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
>index 08c7518f56ab..34877fa4814a 100644
>--- a/python/samba/descriptor.py
>+++ b/python/samba/descriptor.py
>@@ -417,6 +417,7 @@ def get_wellknown_sds(samdb):
> # Then subcontainers
> subcontainers = [
> (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor),
>+ (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.domain_dn())), get_deletedobjects_descriptor),
> (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor),
> (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor),
> (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor),
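Review bot: When `self.reset_well_known_acls` is false, the default check of CN=Deleted Objects now runs with `ignoreAdditionalACEs=True`, so as far as the visible `get_diff_sds` hunk shows, a descriptor that keeps the reference ACEs but has extra allow ACEs added is reported as clean. If tolerating local additions is intended, a comment should say so and note that the stricter comparison only happens when `self.reset_well_known_acls` is set, since an extra read ACE on this container is exactly what the CVE is about. The three-line flag setup can also be written as `ignoreAdditionalACEs = not self.reset_well_known_acls`. The enclosing method starts and ends outside the hunk.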
>@@ -427,6 +428,7 @@ def get_wellknown_sds(samdb):
> (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor),
>
> (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor),
>+ (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.get_config_basedn())), get_deletedobjects_descriptor),
> (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor),
> (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor),
> (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor),
>@@ -451,6 +453,9 @@ def get_wellknown_sds(samdb):
> if ldb.Dn(samdb, nc.decode('utf8')) == dnsforestdn:
> c = (ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor)
> subcontainers.append(c)
>+ c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsforestdn)),
>+ get_deletedobjects_descriptor)
>+ subcontainers.append(c)
> c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)),
> get_domain_delete_protected1_descriptor)
> subcontainers.append(c)
>@@ -466,6 +471,9 @@ def get_wellknown_sds(samdb):
> if ldb.Dn(samdb, nc.decode('utf8')) == dnsdomaindn:
> c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor)
> subcontainers.append(c)
>+ c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsdomaindn)),
>+ get_deletedobjects_descriptor)
>+ subcontainers.append(c)
> c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)),
> get_domain_delete_protected1_descriptor)
> subcontainers.append(c)
>@@ -558,7 +566,8 @@ def get_clean_sd(sd):
> return sd_clean
>
>
>-def get_diff_sds(refsd, cursd, domainsid, checkSacl=True):
>+def get_diff_sds(refsd, cursd, domainsid, checkSacl=True,
>+ ignoreAdditionalACEs=False):
> """Get the difference between 2 sd
>
> This function split the textual representation of ACL into smaller
>@@ -613,6 +622,10 @@ def get_diff_sds(refsd, cursd, domainsid, checkSacl=True):
> h_ref.remove(k)
>
> if len(h_cur) + len(h_ref) > 0:
>+ if txt == "" and len(h_ref) == 0:
>+ if ignoreAdditionalACEs:
>+ return ""
>+
> txt = "%s\tPart %s is different between reference" \
> " and current here is the detail:\n" % (txt, part)
>
>diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt b/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt
>index 34576157f25d..a8b653849108 100644
>--- a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt
>+++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt
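Review bot: The added `return ""` leaves `get_diff_sds()` altogether rather than just the current `part`; the message built right below it uses `part`, which suggests the code sits in a loop over descriptor parts whose header is outside the hunk. If that is the case, a part that only has additional ACEs ends the comparison before any later part is examined, so a real difference there would go unreported. Replacing `return ""` with `continue` would skip only the tolerated part. The docstring of `get_diff_sds` should also describe the new `ignoreAdditionalACEs` parameter, for example `ignoreAdditionalACEs: treat ACEs present only in cursd as no difference`.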
>@@ -1,8 +1,8 @@ >-Change DN to <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3769>;<RMD_ORIGINATING_USN=3769>;<RMD_VERSION=2>;<SID=S-1-5-21-4177067393-1453636373-93818738-771>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES] >-Change DN to <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3768>;<RMD_ORIGINATING_USN=3768>;<RMD_VERSION=1>;<SID=S-1-5-21-4177067393-1453636373-93818738-772>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES] >+Change DN to <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3773>;<RMD_ORIGINATING_USN=3773>;<RMD_VERSION=2>;<SID=S-1-5-21-4177067393-1453636373-93818738-771>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES] >+Change DN to <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3772>;<RMD_ORIGINATING_USN=3772>;<RMD_VERSION=1>;<SID=S-1-5-21-4177067393-1453636373-93818738-772>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? 
[YES] > Checked 231 objects (2 errors) > Checking 231 objects >-ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3769>;<RMD_ORIGINATING_USN=3769>;<RMD_VERSION=2>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp >-ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3768>;<RMD_ORIGINATING_USN=3768>;<RMD_VERSION=1>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp >+ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3773>;<RMD_ORIGINATING_USN=3773>;<RMD_VERSION=2>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp >+ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3772>;<RMD_ORIGINATING_USN=3772>;<RMD_VERSION=1>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp > Fixed missing DN SID on attribute member > Fixed missing DN SID on attribute member 
>diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif b/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif
>index 9ac86fcf1ee3..86ff44ea2247 100644
>--- a/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif
>+++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif
>@@ -1381,7 +1381,7 @@ uSNChanged: 3597
> dn: CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp
> objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,
> DC=samba,DC=corp
>-uSNChanged: 3377
>+uSNChanged: 3750
>
> # record 215
> dn: CN=ForeignSecurityPrincipals,DC=release-4-5-0-pre1,DC=samba,DC=corp
>diff --git a/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt b/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt
>index 0028f9b6e4a7..7ed468b6c0c5 100644
>--- a/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt
>+++ b/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt
>@@ -1 +1 @@
>-highestCommittedUSN: 3746
>+highestCommittedUSN: 3750
>diff --git a/testprogs/blackbox/dbcheck-links.sh b/testprogs/blackbox/dbcheck-links.sh
>index aaf93a8cc487..63ad8dbce44f 100755
>--- a/testprogs/blackbox/dbcheck-links.sh
>+++ b/testprogs/blackbox/dbcheck-links.sh
>@@ -59,6 +59,16 @@ dbcheck()
> fi
> }
>
>+dbcheck_acl_reset()
>+{
>+ $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --fix --yes --attrs=nTSecurityDescriptor
>+}
>+
>+dbcheck_acl_clean()
>+{
>+ $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --attrs=nTSecurityDescriptor
>+}
>+
> dbcheck_dangling()
> {
> dbcheck "" "1" "--selftest-check-expired-tombstones"
>@@ -925,6 +935,8 @@ EOF
> remove_directory $PREFIX_ABS/${RELEASE}
>
> testit $RELEASE undump || failed=$(expr $failed + 1)
>+testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset || failed=$(expr $failed + 1)
>+testit "dbcheck_acl_clean" dbcheck_acl_clean || failed=$(expr $failed + 1)
> testit "add_two_more_users" add_two_more_users || failed=$(expr $failed + 1)
> testit "add_four_more_links" add_four_more_links || failed=$(expr $failed + 1)
> testit "remove_one_link" remove_one_link || failed=$(expr $failed + 1)
>--
>2.34.1
>
Flags:
abartlet
:
review+