Attachment 8305 Details for Bug 9470 – Patches against samba-4.0.0rc6 (v3)

[patch] Patches against samba-4.0.0rc6 (v3)

tmp40.diff (text/plain), 31.46 KB, created by Stefan Metzmacher on 2012-12-07 21:59:20 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Stefan Metzmacher

Created: 2012-12-07 21:59:20 UTC

Size: 31.46 KB

patch

obsolete

>From 78c4c3f9f831d96cb15c05aee68eb957a4594410 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 23 Nov 2012 11:49:05 +0100
>Subject: [PATCH 01/14] s4:dsdb/password_hash: Honor password complexity
> settings.
>
>Honor password complexity settings when creating new users.
>Without this patch, you could set simple passwords although the complexity
>settings were enabled. This was an issue with 'samba-tool user add' and also
>when adding new users via Windows' "Active Directory Users and Computers"
>MMC Snap-In.
>
>The following scenarios were tested successfully after applying the patch:
>-'samba-tool user add' against s4
>-'samba-tool user add -H' against a Windows DC
>-Adding a new user on a s4 DC using Windows' "Active Directory Users and
> Computers" MMC Snap-In.
>
>Please note that this bug was caused by a mistake in the documentation.
>
>Fix bug #9414 - 'samba-tool user add' ignores password complexity settings.
>
>Pair-programmed-with: Karolin Seeger <kseeger@samba.org>
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Signed-off-by: Karolin Seeger <kseeger@samba.org>
>---
> source4/dsdb/samdb/ldb_modules/password_hash.c |    8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
>index 620de75..0f8920c 100644
>--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
>+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
>@@ -2188,8 +2188,14 @@ static int setup_io(struct ph_context *ac,
> 		& (UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT
> 			| UF_SERVER_TRUST_ACCOUNT));
> 
>-	if ((io->u.userAccountControl & UF_PASSWD_NOTREQD) != 0) {
>+	if (!ldb_req_is_untrusted(ac->req) &&
>+	    (io->u.userAccountControl & UF_PASSWD_NOTREQD))
>+	{
> 		/* see [MS-ADTS] 2.2.15 */
>+		/*
>+		 * This seems to only happen for SAMR
>+		 * and not for LDAP clients
>+		 */
> 		io->u.restrictions = 0;
> 	}
> 
>-- 
>1.7.9.5
>
>
>From bb2f91c678a226f03f0cf89c87c9e769f1f8b08f Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 7 Dec 2012 10:34:58 +0100
>Subject: [PATCH 02/14] s4:dsdb/schema: fix dsdb_schema_set_el_from_ldb_msg()
> (bug #9470)
>
>We should always update the ts_last_change.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit 944b6863a71efc48ccc8cd9ae8ad1a3081bc1805)
>---
> source4/dsdb/schema/schema_set.c |   14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
>diff --git a/source4/dsdb/schema/schema_set.c b/source4/dsdb/schema/schema_set.c
>index e226118..31862a4 100644
>--- a/source4/dsdb/schema/schema_set.c
>+++ b/source4/dsdb/schema/schema_set.c
>@@ -676,13 +676,6 @@ WERROR dsdb_schema_set_el_from_ldb_msg(struct ldb_context *ldb, struct dsdb_sche
> {
> 	const char* tstring;
> 	time_t ts;
>-	if (samdb_find_attribute(ldb, msg,
>-				 "objectclass", "attributeSchema") != NULL) {
>-		return dsdb_set_attribute_from_ldb(ldb, schema, msg);
>-	} else if (samdb_find_attribute(ldb, msg,
>-				 "objectclass", "classSchema") != NULL) {
>-		return dsdb_set_class_from_ldb(schema, msg);
>-	}
> 	tstring = ldb_msg_find_attr_as_string(msg, "whenChanged", NULL);
> 	/* keep a trace of the ts of the most recently changed object */
> 	if (tstring) {
>@@ -691,6 +684,13 @@ WERROR dsdb_schema_set_el_from_ldb_msg(struct ldb_context *ldb, struct dsdb_sche
> 			schema->ts_last_change = ts;
> 		}
> 	}
>+	if (samdb_find_attribute(ldb, msg,
>+				 "objectclass", "attributeSchema") != NULL) {
>+		return dsdb_set_attribute_from_ldb(ldb, schema, msg);
>+	} else if (samdb_find_attribute(ldb, msg,
>+				 "objectclass", "classSchema") != NULL) {
>+		return dsdb_set_class_from_ldb(schema, msg);
>+	}
> 	/* Don't fail on things not classes or attributes */
> 	return WERR_OK;
> }
>-- 
>1.7.9.5
>
>
>From 40c4e3cdf9a7b952ec599495cd99dce7f4261e73 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 7 Dec 2012 10:08:14 +0000
>Subject: [PATCH 03/14] s4:dsdb/schema_data.c: correctly move the CN=Aggregate
> attributes to msg->elements[i].values (bug #9470)
>
>We should keep the talloc hierarchy sane.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit 3535f8effefef6a68d2b686abe2769d797531dd9)
>---
> source4/dsdb/samdb/ldb_modules/schema_data.c |   24 ++++++++++++++++++------
> 1 file changed, 18 insertions(+), 6 deletions(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/schema_data.c b/source4/dsdb/samdb/ldb_modules/schema_data.c
>index bc9488b..3ce7ef9 100644
>--- a/source4/dsdb/samdb/ldb_modules/schema_data.c
>+++ b/source4/dsdb/samdb/ldb_modules/schema_data.c
>@@ -405,7 +405,11 @@ static int generate_objectClasses(struct ldb_context *ldb, struct ldb_message *m
> 	int ret;
> 
> 	for (sclass = schema->classes; sclass; sclass = sclass->next) {
>-		ret = ldb_msg_add_string(msg, "objectClasses", schema_class_to_description(msg, sclass));
>+		char *v = schema_class_to_description(msg, sclass);
>+		if (v == NULL) {
>+			return ldb_oom(ldb);
>+		}
>+		ret = ldb_msg_add_steal_string(msg, "objectClasses", v);
> 		if (ret != LDB_SUCCESS) {
> 			return ret;
> 		}
>@@ -417,9 +421,13 @@ static int generate_attributeTypes(struct ldb_context *ldb, struct ldb_message *
> {
> 	const struct dsdb_attribute *attribute;
> 	int ret;
>-	
>+
> 	for (attribute = schema->attributes; attribute; attribute = attribute->next) {
>-		ret = ldb_msg_add_string(msg, "attributeTypes", schema_attribute_to_description(msg, attribute));
>+		char *v = schema_attribute_to_description(msg, attribute);
>+		if (v == NULL) {
>+			return ldb_oom(ldb);
>+		}
>+		ret = ldb_msg_add_steal_string(msg, "attributeTypes", v);
> 		if (ret != LDB_SUCCESS) {
> 			return ret;
> 		}
>@@ -461,7 +469,7 @@ static int generate_extendedAttributeInfo(struct ldb_context *ldb,
> 			return ldb_oom(ldb);
> 		}
> 
>-		ret = ldb_msg_add_string(msg, "extendedAttributeInfo", val);
>+		ret = ldb_msg_add_steal_string(msg, "extendedAttributeInfo", val);
> 		if (ret != LDB_SUCCESS) {
> 			return ret;
> 		}
>@@ -483,7 +491,7 @@ static int generate_extendedClassInfo(struct ldb_context *ldb,
> 			return ldb_oom(ldb);
> 		}
> 
>-		ret = ldb_msg_add_string(msg, "extendedClassInfo", val);
>+		ret = ldb_msg_add_steal_string(msg, "extendedClassInfo", val);
> 		if (ret != LDB_SUCCESS) {
> 			return ret;
> 		}
>@@ -521,7 +529,11 @@ static int generate_possibleInferiors(struct ldb_context *ldb, struct ldb_messag
> 	}
> 
> 	for (i=0;possibleInferiors[i];i++) {
>-		ret = ldb_msg_add_string(msg, "possibleInferiors", possibleInferiors[i]);
>+		char *v = talloc_strdup(msg, possibleInferiors[i]);
>+		if (v == NULL) {
>+			return ldb_oom(ldb);
>+		}
>+		ret = ldb_msg_add_steal_string(msg, "possibleInferiors", v);
> 		if (ret != LDB_SUCCESS) {
> 			return ret;
> 		}
>-- 
>1.7.9.5
>
>
>From 986e308c92321228e409d270cf18608a2ccb4ad3 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 7 Dec 2012 11:02:49 +0100
>Subject: [PATCH 04/14] s4:dsdb/acl_read: keep the ldb_message of the sub
> search (bug #9470)
>
>Some modules might not allocate values on the correct memory context.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit 14b5b729049d92c30ba518adb82c9396fdddd09f)
>---
> source4/dsdb/samdb/ldb_modules/acl_read.c |    5 +++++
> 1 file changed, 5 insertions(+)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
>index 92744f2..0b0f363 100644
>--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
>+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
>@@ -245,6 +245,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
> 					k++;
> 				}
> 			}
>+			/*
>+			 * This should not be needed, but some modules
>+			 * may allocate values on the wrong context...
>+			 */
>+			talloc_steal(ret_msg->elements, msg);
> 		} else {
> 			ret_msg->elements = NULL;
> 		}
>-- 
>1.7.9.5
>
>
>From 5707885c94626e72489cd6098fb42bb709747e31 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 7 Dec 2012 13:39:31 +0100
>Subject: [PATCH 05/14] s4:dsdb/acl_read: improve debugging for fatal error
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit 802124789513ef207a154ee950dc03e66a80e0b1)
>---
> source4/dsdb/samdb/ldb_modules/acl_read.c |   21 ++++++++++++++++++---
> 1 file changed, 18 insertions(+), 3 deletions(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
>index 0b0f363..2b20f24 100644
>--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
>+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
>@@ -91,7 +91,9 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
> 		msg = ares->message;
> 		ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd);
> 		if (ret != LDB_SUCCESS || sd == NULL ) {
>-			DEBUG(10, ("acl_read: cannot get descriptor\n"));
>+			ldb_debug_set(ldb, LDB_DEBUG_FATAL,
>+				      "acl_read: cannot get descriptor of %s\n",
>+				      ldb_dn_get_linearized(msg->dn));
> 			ret = LDB_ERR_OPERATIONS_ERROR;
> 			goto fail;
> 		}
>@@ -113,6 +115,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
> 				talloc_free(tmp_ctx);
> 				return LDB_SUCCESS;
> 			} else if (ret != LDB_SUCCESS) {
>+				ldb_debug_set(ldb, LDB_DEBUG_FATAL,
>+					      "acl_read: %s check parent %s - %s\n",
>+					      ldb_dn_get_linearized(msg->dn),
>+					      ldb_strerror(ret),
>+					      ldb_errstring(ldb));
> 				goto fail;
> 			}
> 		}
>@@ -124,8 +131,10 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
> 			attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
> 								 msg->elements[i].name);
> 			if (!attr) {
>-				DEBUG(2, ("acl_read: cannot find attribute %s in schema\n",
>-					   msg->elements[i].name));
>+				ldb_debug_set(ldb, LDB_DEBUG_FATAL,
>+					      "acl_read: %s cannot find attr[%s] in of schema\n",
>+					      ldb_dn_get_linearized(msg->dn),
>+					      msg->elements[i].name);
> 				ret = LDB_ERR_OPERATIONS_ERROR;
> 				goto fail;
> 			}
>@@ -216,6 +225,12 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
> 					}
> 				}
> 			} else if (ret != LDB_SUCCESS) {
>+				ldb_debug_set(ldb, LDB_DEBUG_FATAL,
>+					      "acl_read: %s check attr[%s] gives %s - %s\n",
>+					      ldb_dn_get_linearized(msg->dn),
>+					      msg->elements[i].name,
>+					      ldb_strerror(ret),
>+					      ldb_errstring(ldb));
> 				goto fail;
> 			}
> 		}
>-- 
>1.7.9.5
>
>
>From 90ed095a51f2464c7338f54074d9251c8175a16a Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 7 Dec 2012 12:56:21 +0000
>Subject: [PATCH 06/14] s4:dsdb/descriptor: fix replication of NC heads
>
>The sub NC heads maybe replicated with the parent partition,
>if we don't need to recalculate the nTSecurityDescriptor attribute in that
>case, the replication of the of the sub partition should handle that.
>
>This fixes error messages like this:
>descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=s40dom,DC=base not found under DC=s40dom,DC=base
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit 734d14b54834a4d03e67bcaece4f4e3cf1d10925)
>---
> source4/dsdb/samdb/ldb_modules/descriptor.c |    4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
>index 95204b3..192c745 100644
>--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
>+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
>@@ -1192,12 +1192,12 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module,
> 				      msg);
> 
> 		if (msg == NULL) {
>-			ldb_debug_set(ldb, LDB_DEBUG_FATAL,
>+			ldb_debug(ldb, LDB_DEBUG_WARNING,
> 				"descriptor_sd_propagation_recursive: "
> 				"%s not found under %s",
> 				ldb_dn_get_linearized(c->dn),
> 				ldb_dn_get_linearized(change->dn));
>-			return LDB_ERR_OPERATIONS_ERROR;
>+			continue;
> 		}
> 
> 		msg->elements = (struct ldb_message_element *)c;
>-- 
>1.7.9.5
>
>
>From e54e832388819424ff07201bc4d0b74bf42351ca Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 7 Dec 2012 19:02:10 +0100
>Subject: [PATCH 07/14] s4:dsdb/dirsync: fix potential talloc hierachy
> problems (bug #9470)
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source4/dsdb/samdb/ldb_modules/dirsync.c |    6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c
>index f75ec52..e769948 100644
>--- a/source4/dsdb/samdb/ldb_modules/dirsync.c
>+++ b/source4/dsdb/samdb/ldb_modules/dirsync.c
>@@ -240,7 +240,7 @@ static int dirsync_filter_entry(struct ldb_request *req,
> 		talloc_steal(newmsg->elements, el->name);
> 		talloc_steal(newmsg->elements, el->values);
> 
>-		talloc_free(msg);
>+		talloc_steal(newmsg->elements, msg);
> 		return ldb_module_send_entry(dsc->req, msg, controls);
> 	}
> 
>@@ -653,6 +653,7 @@ skip_link:
> 			continue;
> 		}
> 	}
>+	talloc_steal(newmsg->elements, msg);
> 
> 	/*
> 	 * Here we run through the list of attributes returned
>@@ -685,10 +686,9 @@ skip_link:
> 		if (val > dsc->highestUSN) {
> 			dsc->highestUSN = val;
> 		}
>-		talloc_free(msg);
> 		return ldb_module_send_entry(dsc->req, newmsg, controls);
> 	} else {
>-		talloc_free(msg);
>+		talloc_free(newmsg);
> 		return LDB_SUCCESS;
> 	}
> }
>-- 
>1.7.9.5
>
>
>From cd4eb437df3ea5eccfe61188f6ab3ee8d92a37e8 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 7 Dec 2012 18:39:29 +0100
>Subject: [PATCH 08/14] s4:dsdb/acl_read: check the ldb_attr_list_copy_add()
> result
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source4/dsdb/samdb/ldb_modules/acl_read.c |   12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
>index 2b20f24..c42db5f 100644
>--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
>+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
>@@ -375,12 +375,18 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
> 		if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
> 			ac->instance_type = true;
> 			attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "instanceType");
>+			if (attrs == NULL) {
>+				return ldb_oom(ldb);
>+			}
> 		} else {
> 			attrs = req->op.search.attrs;
> 		}
> 		if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
> 			ac->object_sid = true;
> 			attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid");
>+			if (attrs == NULL) {
>+				return ldb_oom(ldb);
>+			}
> 		}
> 	}
> 
>@@ -389,8 +395,14 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
> 		 * if attribute list is empty */
> 		if (!attrs) {
> 			attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "*");
>+			if (attrs == NULL) {
>+				return ldb_oom(ldb);
>+			}
> 		}
> 		attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
>+		if (attrs == NULL) {
>+			return ldb_oom(ldb);
>+		}
> 	}
> 	ac->attrs = req->op.search.attrs;
> 	ret = ldb_build_search_req_ex(&down_req,
>-- 
>1.7.9.5
>
>
>From 952e77bcb5fce48f1dab0c3d56d5f15e8ada0688 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 7 Dec 2012 18:40:25 +0100
>Subject: [PATCH 09/14] s4:dsdb/acl_read: fix the calculation of the attribute
> array for the sub search
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source4/dsdb/samdb/ldb_modules/acl_read.c |   33 +++++++++++++++++------------
> 1 file changed, 19 insertions(+), 14 deletions(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
>index c42db5f..e4adcde 100644
>--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
>+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
>@@ -296,6 +296,8 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
> 	struct ldb_result *res;
> 	struct aclread_private *p;
> 	bool is_untrusted = ldb_req_is_untrusted(req);
>+	static const char * const _all_attrs[] = { "*", NULL };
>+	bool all_attrs = false;
> 	const char * const *attrs = NULL;
> 	uint32_t instanceType;
> 	static const char *acl_attrs[] = {
>@@ -363,6 +365,18 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
> 	if (!ac->schema) {
> 		return ldb_operr(ldb);
> 	}
>+
>+	attrs = req->op.search.attrs;
>+	if (attrs == NULL) {
>+		all_attrs = true;
>+		attrs = _all_attrs;
>+	} else if (attrs[0] == NULL) {
>+		all_attrs = true;
>+		attrs = _all_attrs;
>+	} else if (ldb_attr_in_list(attrs, "*")) {
>+		all_attrs = true;
>+	}
>+
> 	/*
> 	 * In theory we should also check for the SD control but control verification is
> 	 * expensive so we'd better had the ntsecuritydescriptor to the list of
>@@ -370,16 +384,15 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
> 	 */
> 	ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL);
> 
>-	ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
>-	if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
>-		if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
>+	ac->sd = !(ldb_attr_in_list(attrs, "nTSecurityDescriptor"));
>+
>+	if (!all_attrs) {
>+		if (!ldb_attr_in_list(attrs, "instanceType")) {
> 			ac->instance_type = true;
>-			attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "instanceType");
>+			attrs = ldb_attr_list_copy_add(ac, attrs, "instanceType");
> 			if (attrs == NULL) {
> 				return ldb_oom(ldb);
> 			}
>-		} else {
>-			attrs = req->op.search.attrs;
> 		}
> 		if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
> 			ac->object_sid = true;
>@@ -391,14 +404,6 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
> 	}
> 
> 	if (ac->sd) {
>-		/* avoid replacing all attributes with nTSecurityDescriptor
>-		 * if attribute list is empty */
>-		if (!attrs) {
>-			attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "*");
>-			if (attrs == NULL) {
>-				return ldb_oom(ldb);
>-			}
>-		}
> 		attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
> 		if (attrs == NULL) {
> 			return ldb_oom(ldb);
>-- 
>1.7.9.5
>
>
>From 86cafd2b368133f8925762f08c3a06c36018d534 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 6 Dec 2012 12:29:49 +0100
>Subject: [PATCH 10/14] s4:dsdb/acl_read: give some variables a better name
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source4/dsdb/samdb/ldb_modules/acl_read.c |   23 +++++++++++++----------
> 1 file changed, 13 insertions(+), 10 deletions(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
>index e4adcde..787e3ef 100644
>--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
>+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
>@@ -45,9 +45,9 @@ struct aclread_context {
> 	const char * const *attrs;
> 	const struct dsdb_schema *schema;
> 	uint32_t sd_flags;
>-	bool sd;
>-	bool instance_type;
>-	bool object_sid;
>+	bool added_nTSecurityDescriptor;
>+	bool added_instanceType;
>+	bool added_objectSid;
> 	bool indirsync;
> };
> 
>@@ -145,15 +145,15 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
> 			is_instancetype = ldb_attr_cmp("instanceType",
> 						       msg->elements[i].name) == 0;
> 			/* these attributes were added to perform access checks and must be removed */
>-			if (is_objectsid && ac->object_sid) {
>+			if (is_objectsid && ac->added_objectSid) {
> 				aclread_mark_inaccesslible(&msg->elements[i]);
> 				continue;
> 			}
>-			if (is_instancetype && ac->instance_type) {
>+			if (is_instancetype && ac->added_instanceType) {
> 				aclread_mark_inaccesslible(&msg->elements[i]);
> 				continue;
> 			}
>-			if (is_sd && ac->sd) {
>+			if (is_sd && ac->added_nTSecurityDescriptor) {
> 				aclread_mark_inaccesslible(&msg->elements[i]);
> 				continue;
> 			}
>@@ -295,6 +295,7 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
> 	uint32_t flags = ldb_req_get_custom_flags(req);
> 	struct ldb_result *res;
> 	struct aclread_private *p;
>+	bool need_sd = false;
> 	bool is_untrusted = ldb_req_is_untrusted(req);
> 	static const char * const _all_attrs[] = { "*", NULL };
> 	bool all_attrs = false;
>@@ -384,31 +385,33 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
> 	 */
> 	ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL);
> 
>-	ac->sd = !(ldb_attr_in_list(attrs, "nTSecurityDescriptor"));
>+	need_sd = !(ldb_attr_in_list(attrs, "nTSecurityDescriptor"));
> 
> 	if (!all_attrs) {
> 		if (!ldb_attr_in_list(attrs, "instanceType")) {
>-			ac->instance_type = true;
> 			attrs = ldb_attr_list_copy_add(ac, attrs, "instanceType");
> 			if (attrs == NULL) {
> 				return ldb_oom(ldb);
> 			}
>+			ac->added_instanceType = true;
> 		}
> 		if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
>-			ac->object_sid = true;
> 			attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid");
> 			if (attrs == NULL) {
> 				return ldb_oom(ldb);
> 			}
>+			ac->added_objectSid = true;
> 		}
> 	}
> 
>-	if (ac->sd) {
>+	if (need_sd) {
> 		attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
> 		if (attrs == NULL) {
> 			return ldb_oom(ldb);
> 		}
>+		ac->added_nTSecurityDescriptor = true;
> 	}
>+
> 	ac->attrs = req->op.search.attrs;
> 	ret = ldb_build_search_req_ex(&down_req,
> 				      ldb, ac,
>-- 
>1.7.9.5
>
>
>From 8d7086411749a725e92a5c43d2cc751155da5cae Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 6 Dec 2012 12:36:09 +0100
>Subject: [PATCH 11/14] s4:dsdb/acl_read: return the nTSecurityDescriptor attr
> if the sd_flags control is given (bug #9470)
>
>Not returning the nTSecurityDescriptor causes a lot of problems.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source4/dsdb/samdb/ldb_modules/acl_read.c |   11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
>index 787e3ef..9955451 100644
>--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
>+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
>@@ -296,6 +296,7 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
> 	struct ldb_result *res;
> 	struct aclread_private *p;
> 	bool need_sd = false;
>+	bool explicit_sd_flags = false;
> 	bool is_untrusted = ldb_req_is_untrusted(req);
> 	static const char * const _all_attrs[] = { "*", NULL };
> 	bool all_attrs = false;
>@@ -383,9 +384,15 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
> 	 * expensive so we'd better had the ntsecuritydescriptor to the list of
> 	 * searched attribute and then remove it !
> 	 */
>-	ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL);
>+	ac->sd_flags = dsdb_request_sd_flags(ac->req, &explicit_sd_flags);
> 
>-	need_sd = !(ldb_attr_in_list(attrs, "nTSecurityDescriptor"));
>+	if (ldb_attr_in_list(attrs, "nTSecurityDescriptor")) {
>+		need_sd = false;
>+	} else if (explicit_sd_flags && all_attrs) {
>+		need_sd = false;
>+	} else {
>+		need_sd = true;
>+	}
> 
> 	if (!all_attrs) {
> 		if (!ldb_attr_in_list(attrs, "instanceType")) {
>-- 
>1.7.9.5
>
>
>From 458084ac8afbdfba31a37cdf512ad7608a867607 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 6 Dec 2012 15:56:26 +0100
>Subject: [PATCH 12/14] s4:dsdb/operational: fix stripping of the
> nTSecurityDescriptor attribute
>
>If the sd_flags control is specified, we should return nTSecurityDescriptor
>only if the client asked for all attributes.
>
>If there's a list of only explicit attribute names, we should ignore
>the sd_flags control.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>---
> source4/dsdb/samdb/ldb_modules/operational.c |   14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
>index 4ce8b8f..c642ad8 100644
>--- a/source4/dsdb/samdb/ldb_modules/operational.c
>+++ b/source4/dsdb/samdb/ldb_modules/operational.c
>@@ -721,10 +721,20 @@ static int operational_search_post_process(struct ldb_module *module,
> 				continue;
> 			}
> 		case OPERATIONAL_SD_FLAGS:
>-			if (controls_flags->sd ||
>-			    ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) {
>+			if (ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) {
> 				continue;
> 			}
>+			if (controls_flags->sd) {
>+				if (attrs_from_user == NULL) {
>+					continue;
>+				}
>+				if (attrs_from_user[0] == NULL) {
>+					continue;
>+				}
>+				if (ldb_attr_in_list(attrs_from_user, "*")) {
>+					continue;
>+				}
>+			}
> 			ldb_msg_remove_attr(msg, operational_remove[i].attr);
> 			break;
> 		}
>-- 
>1.7.9.5
>
>
>From 294742a5f51c1151845b12645e73a0850e29b6fa Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 6 Dec 2012 14:04:47 +0100
>Subject: [PATCH 13/14] s4:dsdb/tests/sec_descriptor: verify the
> nTSecurityDescriptor and sd_flags interaction
>
>This is a regression test for bug #9470.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>---
> source4/dsdb/tests/python/sec_descriptor.py |  116 +++++++++++++++++++++++++++
> 1 file changed, 116 insertions(+)
>
>diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
>index aff6040..cf213ab 100755
>--- a/source4/dsdb/tests/python/sec_descriptor.py
>+++ b/source4/dsdb/tests/python/sec_descriptor.py
>@@ -1848,6 +1848,122 @@ class SdFlagsDescriptorTests(DescriptorTests):
>         self.assertFalse("S:" in desc_sddl)
>         self.assertFalse("G:" in desc_sddl)
> 
>+    def test_311(self):
>+        sd_flags = (SECINFO_OWNER |
>+                    SECINFO_GROUP |
>+                    SECINFO_DACL |
>+                    SECINFO_SACL)
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
>+                [], controls=None)
>+        self.assertFalse("nTSecurityDescriptor" in res[0])
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
>+                ["name"], controls=None)
>+        self.assertFalse("nTSecurityDescriptor" in res[0])
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
>+                ["name"], controls=["sd_flags:1:%d" % (sd_flags)])
>+        self.assertFalse("nTSecurityDescriptor" in res[0])
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
>+                [], controls=["sd_flags:1:%d" % (sd_flags)])
>+        self.assertTrue("nTSecurityDescriptor" in res[0])
>+        tmp = res[0]["nTSecurityDescriptor"][0]
>+        sd = ndr_unpack(security.descriptor, tmp)
>+        sddl = sd.as_sddl(self.sd_utils.domain_sid)
>+        self.assertTrue("O:" in sddl)
>+        self.assertTrue("G:" in sddl)
>+        self.assertTrue("D:" in sddl)
>+        self.assertTrue("S:" in sddl)
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
>+                ["*"], controls=["sd_flags:1:%d" % (sd_flags)])
>+        self.assertTrue("nTSecurityDescriptor" in res[0])
>+        tmp = res[0]["nTSecurityDescriptor"][0]
>+        sd = ndr_unpack(security.descriptor, tmp)
>+        sddl = sd.as_sddl(self.sd_utils.domain_sid)
>+        self.assertTrue("O:" in sddl)
>+        self.assertTrue("G:" in sddl)
>+        self.assertTrue("D:" in sddl)
>+        self.assertTrue("S:" in sddl)
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
>+                ["nTSecurityDescriptor", "*"], controls=["sd_flags:1:%d" % (sd_flags)])
>+        self.assertTrue("nTSecurityDescriptor" in res[0])
>+        tmp = res[0]["nTSecurityDescriptor"][0]
>+        sd = ndr_unpack(security.descriptor, tmp)
>+        sddl = sd.as_sddl(self.sd_utils.domain_sid)
>+        self.assertTrue("O:" in sddl)
>+        self.assertTrue("G:" in sddl)
>+        self.assertTrue("D:" in sddl)
>+        self.assertTrue("S:" in sddl)
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
>+                ["*", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
>+        self.assertTrue("nTSecurityDescriptor" in res[0])
>+        tmp = res[0]["nTSecurityDescriptor"][0]
>+        sd = ndr_unpack(security.descriptor, tmp)
>+        sddl = sd.as_sddl(self.sd_utils.domain_sid)
>+        self.assertTrue("O:" in sddl)
>+        self.assertTrue("G:" in sddl)
>+        self.assertTrue("D:" in sddl)
>+        self.assertTrue("S:" in sddl)
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
>+                ["nTSecurityDescriptor", "name"], controls=["sd_flags:1:%d" % (sd_flags)])
>+        self.assertTrue("nTSecurityDescriptor" in res[0])
>+        tmp = res[0]["nTSecurityDescriptor"][0]
>+        sd = ndr_unpack(security.descriptor, tmp)
>+        sddl = sd.as_sddl(self.sd_utils.domain_sid)
>+        self.assertTrue("O:" in sddl)
>+        self.assertTrue("G:" in sddl)
>+        self.assertTrue("D:" in sddl)
>+        self.assertTrue("S:" in sddl)
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
>+                ["name", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
>+        self.assertTrue("nTSecurityDescriptor" in res[0])
>+        tmp = res[0]["nTSecurityDescriptor"][0]
>+        sd = ndr_unpack(security.descriptor, tmp)
>+        sddl = sd.as_sddl(self.sd_utils.domain_sid)
>+        self.assertTrue("O:" in sddl)
>+        self.assertTrue("G:" in sddl)
>+        self.assertTrue("D:" in sddl)
>+        self.assertTrue("S:" in sddl)
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
>+                ["nTSecurityDescriptor"], controls=None)
>+        self.assertTrue("nTSecurityDescriptor" in res[0])
>+        tmp = res[0]["nTSecurityDescriptor"][0]
>+        sd = ndr_unpack(security.descriptor, tmp)
>+        sddl = sd.as_sddl(self.sd_utils.domain_sid)
>+        self.assertTrue("O:" in sddl)
>+        self.assertTrue("G:" in sddl)
>+        self.assertTrue("D:" in sddl)
>+        self.assertTrue("S:" in sddl)
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
>+                ["name", "nTSecurityDescriptor"], controls=None)
>+        self.assertTrue("nTSecurityDescriptor" in res[0])
>+        tmp = res[0]["nTSecurityDescriptor"][0]
>+        sd = ndr_unpack(security.descriptor, tmp)
>+        sddl = sd.as_sddl(self.sd_utils.domain_sid)
>+        self.assertTrue("O:" in sddl)
>+        self.assertTrue("G:" in sddl)
>+        self.assertTrue("D:" in sddl)
>+        self.assertTrue("S:" in sddl)
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
>+                ["nTSecurityDescriptor", "name"], controls=None)
>+        self.assertTrue("nTSecurityDescriptor" in res[0])
>+        tmp = res[0]["nTSecurityDescriptor"][0]
>+        sd = ndr_unpack(security.descriptor, tmp)
>+        sddl = sd.as_sddl(self.sd_utils.domain_sid)
>+        self.assertTrue("O:" in sddl)
>+        self.assertTrue("G:" in sddl)
>+        self.assertTrue("D:" in sddl)
>+        self.assertTrue("S:" in sddl)
> 
> class RightsAttributesTests(DescriptorTests):
> 
>-- 
>1.7.9.5
>
>
>From 074014cc5ea85ab17e3ef7e560577114ef04eb97 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 7 Dec 2012 18:58:57 +0100
>Subject: [PATCH 14/14] s4:dsdb/tests/sec_descriptor: verify the search of a
> windows dc join keeps working
>
>This is a regression test for bug #9470.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source4/dsdb/tests/python/sec_descriptor.py |    7 +++++++
> 1 file changed, 7 insertions(+)
>
>diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
>index cf213ab..78cd052 100755
>--- a/source4/dsdb/tests/python/sec_descriptor.py
>+++ b/source4/dsdb/tests/python/sec_descriptor.py
>@@ -1965,6 +1965,13 @@ class SdFlagsDescriptorTests(DescriptorTests):
>         self.assertTrue("D:" in sddl)
>         self.assertTrue("S:" in sddl)
> 
>+    def test_312(self):
>+        """This search is done by the windows dc join..."""
>+
>+        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["1.1"],
>+                controls=["extended_dn:1:0", "sd_flags:1:0", "search_options:1:1"])
>+        self.assertFalse("nTSecurityDescriptor" in res[0])
>+
> class RightsAttributesTests(DescriptorTests):
> 
>     def deleteAll(self):
>-- 
>1.7.9.5
>

Actions: View

Attachments on bug 9470: 8294 | 8300 | 8305 | 8334