The Samba-Bugzilla – Attachment 8305 Details for
Bug 9470
MMC crashes
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patches against samba-4.0.0rc6 (v3)
tmp40.diff (text/plain), 31.46 KB, created by
Stefan Metzmacher
on 2012-12-07 21:59:20 UTC
(
hide
)
Description:
Patches against samba-4.0.0rc6 (v3)
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2012-12-07 21:59:20 UTC
Size:
31.46 KB
patch
obsolete
>From 78c4c3f9f831d96cb15c05aee68eb957a4594410 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 23 Nov 2012 11:49:05 +0100 >Subject: [PATCH 01/14] s4:dsdb/password_hash: Honor password complexity > settings. > >Honor password complexity settings when creating new users. >Without this patch, you could set simple passwords although the complexity >settings were enabled. This was an issue with 'samba-tool user add' and also >when adding new users via Windows' "Active Directory Users and Computers" >MMC Snap-In. > >The following scenarios were tested successfully after applying the patch: >-'samba-tool user add' against s4 >-'samba-tool user add -H' against a Windows DC >-Adding a new user on a s4 DC using Windows' "Active Directory Users and > Computers" MMC Snap-In. > >Please note that this bug was caused by a mistake in the documentation. > >Fix bug #9414 - 'samba-tool user add' ignores password complexity settings. > >Pair-programmed-with: Karolin Seeger <kseeger@samba.org> > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Signed-off-by: Karolin Seeger <kseeger@samba.org> >--- > source4/dsdb/samdb/ldb_modules/password_hash.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c >index 620de75..0f8920c 100644 >--- a/source4/dsdb/samdb/ldb_modules/password_hash.c >+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c >@@ -2188,8 +2188,14 @@ static int setup_io(struct ph_context *ac, > & (UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT > | UF_SERVER_TRUST_ACCOUNT)); > >- if ((io->u.userAccountControl & UF_PASSWD_NOTREQD) != 0) { >+ if (!ldb_req_is_untrusted(ac->req) && >+ (io->u.userAccountControl & UF_PASSWD_NOTREQD)) >+ { > /* see [MS-ADTS] 2.2.15 */ >+ /* >+ * This seems to only happen for SAMR >+ * and not for LDAP clients >+ */ > io->u.restrictions = 0; > } > >-- >1.7.9.5 > > >From bb2f91c678a226f03f0cf89c87c9e769f1f8b08f Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 7 Dec 2012 10:34:58 +0100 >Subject: [PATCH 02/14] s4:dsdb/schema: fix dsdb_schema_set_el_from_ldb_msg() > (bug #9470) > >We should always update the ts_last_change. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >(cherry picked from commit 944b6863a71efc48ccc8cd9ae8ad1a3081bc1805) >--- > source4/dsdb/schema/schema_set.c | 14 +++++++------- > 1 file changed, 7 insertions(+), 7 deletions(-) > >diff --git a/source4/dsdb/schema/schema_set.c b/source4/dsdb/schema/schema_set.c >index e226118..31862a4 100644 >--- a/source4/dsdb/schema/schema_set.c >+++ b/source4/dsdb/schema/schema_set.c >@@ -676,13 +676,6 @@ WERROR dsdb_schema_set_el_from_ldb_msg(struct ldb_context *ldb, struct dsdb_sche > { > const char* tstring; > time_t ts; >- if (samdb_find_attribute(ldb, msg, >- "objectclass", "attributeSchema") != NULL) { >- return dsdb_set_attribute_from_ldb(ldb, schema, msg); >- } else if (samdb_find_attribute(ldb, msg, >- "objectclass", "classSchema") != NULL) { >- return dsdb_set_class_from_ldb(schema, msg); >- } > tstring = ldb_msg_find_attr_as_string(msg, "whenChanged", NULL); > /* keep a trace of the ts of the most recently changed object */ > if (tstring) { >@@ -691,6 +684,13 @@ WERROR dsdb_schema_set_el_from_ldb_msg(struct ldb_context *ldb, struct dsdb_sche > schema->ts_last_change = ts; > } > } >+ if (samdb_find_attribute(ldb, msg, >+ "objectclass", "attributeSchema") != NULL) { >+ return dsdb_set_attribute_from_ldb(ldb, schema, msg); >+ } else if (samdb_find_attribute(ldb, msg, >+ "objectclass", "classSchema") != NULL) { >+ return dsdb_set_class_from_ldb(schema, msg); >+ } > /* Don't fail on things not classes or attributes */ > return WERR_OK; > } >-- >1.7.9.5 > > >From 40c4e3cdf9a7b952ec599495cd99dce7f4261e73 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 7 Dec 2012 10:08:14 +0000 >Subject: [PATCH 03/14] s4:dsdb/schema_data.c: correctly move the CN=Aggregate > attributes to msg->elements[i].values (bug #9470) > >We should keep the talloc hierarchy sane. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >(cherry picked from commit 3535f8effefef6a68d2b686abe2769d797531dd9) >--- > source4/dsdb/samdb/ldb_modules/schema_data.c | 24 ++++++++++++++++++------ > 1 file changed, 18 insertions(+), 6 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/schema_data.c b/source4/dsdb/samdb/ldb_modules/schema_data.c >index bc9488b..3ce7ef9 100644 >--- a/source4/dsdb/samdb/ldb_modules/schema_data.c >+++ b/source4/dsdb/samdb/ldb_modules/schema_data.c >@@ -405,7 +405,11 @@ static int generate_objectClasses(struct ldb_context *ldb, struct ldb_message *m > int ret; > > for (sclass = schema->classes; sclass; sclass = sclass->next) { >- ret = ldb_msg_add_string(msg, "objectClasses", schema_class_to_description(msg, sclass)); >+ char *v = schema_class_to_description(msg, sclass); >+ if (v == NULL) { >+ return ldb_oom(ldb); >+ } >+ ret = ldb_msg_add_steal_string(msg, "objectClasses", v); > if (ret != LDB_SUCCESS) { > return ret; > } >@@ -417,9 +421,13 @@ static int generate_attributeTypes(struct ldb_context *ldb, struct ldb_message * > { > const struct dsdb_attribute *attribute; > int ret; >- >+ > for (attribute = schema->attributes; attribute; attribute = attribute->next) { >- ret = ldb_msg_add_string(msg, "attributeTypes", schema_attribute_to_description(msg, attribute)); >+ char *v = schema_attribute_to_description(msg, attribute); >+ if (v == NULL) { >+ return ldb_oom(ldb); >+ } >+ ret = ldb_msg_add_steal_string(msg, "attributeTypes", v); > if (ret != LDB_SUCCESS) { > return ret; > } >@@ -461,7 +469,7 @@ static int generate_extendedAttributeInfo(struct ldb_context *ldb, > return ldb_oom(ldb); > } > >- ret = ldb_msg_add_string(msg, "extendedAttributeInfo", val); >+ ret = ldb_msg_add_steal_string(msg, "extendedAttributeInfo", val); > if (ret != LDB_SUCCESS) { > return ret; > } >@@ -483,7 +491,7 @@ static int generate_extendedClassInfo(struct ldb_context *ldb, > return ldb_oom(ldb); > } > >- ret = ldb_msg_add_string(msg, "extendedClassInfo", val); >+ ret = ldb_msg_add_steal_string(msg, "extendedClassInfo", val); > if (ret != LDB_SUCCESS) { > return ret; > } >@@ -521,7 +529,11 @@ static int generate_possibleInferiors(struct ldb_context *ldb, struct ldb_messag > } > > for (i=0;possibleInferiors[i];i++) { >- ret = ldb_msg_add_string(msg, "possibleInferiors", possibleInferiors[i]); >+ char *v = talloc_strdup(msg, possibleInferiors[i]); >+ if (v == NULL) { >+ return ldb_oom(ldb); >+ } >+ ret = ldb_msg_add_steal_string(msg, "possibleInferiors", v); > if (ret != LDB_SUCCESS) { > return ret; > } >-- >1.7.9.5 > > >From 986e308c92321228e409d270cf18608a2ccb4ad3 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 7 Dec 2012 11:02:49 +0100 >Subject: [PATCH 04/14] s4:dsdb/acl_read: keep the ldb_message of the sub > search (bug #9470) > >Some modules might not allocate values on the correct memory context. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >(cherry picked from commit 14b5b729049d92c30ba518adb82c9396fdddd09f) >--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index 92744f2..0b0f363 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -245,6 +245,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > k++; > } > } >+ /* >+ * This should not be needed, but some modules >+ * may allocate values on the wrong context... >+ */ >+ talloc_steal(ret_msg->elements, msg); > } else { > ret_msg->elements = NULL; > } >-- >1.7.9.5 > > >From 5707885c94626e72489cd6098fb42bb709747e31 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 7 Dec 2012 13:39:31 +0100 >Subject: [PATCH 05/14] s4:dsdb/acl_read: improve debugging for fatal error > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >(cherry picked from commit 802124789513ef207a154ee950dc03e66a80e0b1) >--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 21 ++++++++++++++++++--- > 1 file changed, 18 insertions(+), 3 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index 0b0f363..2b20f24 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -91,7 +91,9 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > msg = ares->message; > ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd); > if (ret != LDB_SUCCESS || sd == NULL ) { >- DEBUG(10, ("acl_read: cannot get descriptor\n")); >+ ldb_debug_set(ldb, LDB_DEBUG_FATAL, >+ "acl_read: cannot get descriptor of %s\n", >+ ldb_dn_get_linearized(msg->dn)); > ret = LDB_ERR_OPERATIONS_ERROR; > goto fail; > } >@@ -113,6 +115,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > talloc_free(tmp_ctx); > return LDB_SUCCESS; > } else if (ret != LDB_SUCCESS) { >+ ldb_debug_set(ldb, LDB_DEBUG_FATAL, >+ "acl_read: %s check parent %s - %s\n", >+ ldb_dn_get_linearized(msg->dn), >+ ldb_strerror(ret), >+ ldb_errstring(ldb)); > goto fail; > } > } >@@ -124,8 +131,10 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, > msg->elements[i].name); > if (!attr) { >- DEBUG(2, ("acl_read: cannot find attribute %s in schema\n", >- msg->elements[i].name)); >+ ldb_debug_set(ldb, LDB_DEBUG_FATAL, >+ "acl_read: %s cannot find attr[%s] in of schema\n", >+ ldb_dn_get_linearized(msg->dn), >+ msg->elements[i].name); > ret = LDB_ERR_OPERATIONS_ERROR; > goto fail; > } >@@ -216,6 +225,12 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > } > } > } else if (ret != LDB_SUCCESS) { >+ ldb_debug_set(ldb, LDB_DEBUG_FATAL, >+ "acl_read: %s check attr[%s] gives %s - %s\n", >+ ldb_dn_get_linearized(msg->dn), >+ msg->elements[i].name, >+ ldb_strerror(ret), >+ ldb_errstring(ldb)); > goto fail; > } > } >-- >1.7.9.5 > > >From 90ed095a51f2464c7338f54074d9251c8175a16a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 7 Dec 2012 12:56:21 +0000 >Subject: [PATCH 06/14] s4:dsdb/descriptor: fix replication of NC heads > >The sub NC heads maybe replicated with the parent partition, >if we don't need to recalculate the nTSecurityDescriptor attribute in that >case, the replication of the of the sub partition should handle that. > >This fixes error messages like this: >descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=s40dom,DC=base not found under DC=s40dom,DC=base > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >(cherry picked from commit 734d14b54834a4d03e67bcaece4f4e3cf1d10925) >--- > source4/dsdb/samdb/ldb_modules/descriptor.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c >index 95204b3..192c745 100644 >--- a/source4/dsdb/samdb/ldb_modules/descriptor.c >+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c >@@ -1192,12 +1192,12 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module, > msg); > > if (msg == NULL) { >- ldb_debug_set(ldb, LDB_DEBUG_FATAL, >+ ldb_debug(ldb, LDB_DEBUG_WARNING, > "descriptor_sd_propagation_recursive: " > "%s not found under %s", > ldb_dn_get_linearized(c->dn), > ldb_dn_get_linearized(change->dn)); >- return LDB_ERR_OPERATIONS_ERROR; >+ continue; > } > > msg->elements = (struct ldb_message_element *)c; >-- >1.7.9.5 > > >From e54e832388819424ff07201bc4d0b74bf42351ca Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 7 Dec 2012 19:02:10 +0100 >Subject: [PATCH 07/14] s4:dsdb/dirsync: fix potential talloc hierachy > problems (bug #9470) > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/dsdb/samdb/ldb_modules/dirsync.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c >index f75ec52..e769948 100644 >--- a/source4/dsdb/samdb/ldb_modules/dirsync.c >+++ b/source4/dsdb/samdb/ldb_modules/dirsync.c >@@ -240,7 +240,7 @@ static int dirsync_filter_entry(struct ldb_request *req, > talloc_steal(newmsg->elements, el->name); > talloc_steal(newmsg->elements, el->values); > >- talloc_free(msg); >+ talloc_steal(newmsg->elements, msg); > return ldb_module_send_entry(dsc->req, msg, controls); > } > >@@ -653,6 +653,7 @@ skip_link: > continue; > } > } >+ talloc_steal(newmsg->elements, msg); > > /* > * Here we run through the list of attributes returned >@@ -685,10 +686,9 @@ skip_link: > if (val > dsc->highestUSN) { > dsc->highestUSN = val; > } >- talloc_free(msg); > return ldb_module_send_entry(dsc->req, newmsg, controls); > } else { >- talloc_free(msg); >+ talloc_free(newmsg); > return LDB_SUCCESS; > } > } >-- >1.7.9.5 > > >From cd4eb437df3ea5eccfe61188f6ab3ee8d92a37e8 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 7 Dec 2012 18:39:29 +0100 >Subject: [PATCH 08/14] s4:dsdb/acl_read: check the ldb_attr_list_copy_add() > result > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index 2b20f24..c42db5f 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -375,12 +375,18 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) { > ac->instance_type = true; > attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "instanceType"); >+ if (attrs == NULL) { >+ return ldb_oom(ldb); >+ } > } else { > attrs = req->op.search.attrs; > } > if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) { > ac->object_sid = true; > attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid"); >+ if (attrs == NULL) { >+ return ldb_oom(ldb); >+ } > } > } > >@@ -389,8 +395,14 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > * if attribute list is empty */ > if (!attrs) { > attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "*"); >+ if (attrs == NULL) { >+ return ldb_oom(ldb); >+ } > } > attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor"); >+ if (attrs == NULL) { >+ return ldb_oom(ldb); >+ } > } > ac->attrs = req->op.search.attrs; > ret = ldb_build_search_req_ex(&down_req, >-- >1.7.9.5 > > >From 952e77bcb5fce48f1dab0c3d56d5f15e8ada0688 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 7 Dec 2012 18:40:25 +0100 >Subject: [PATCH 09/14] s4:dsdb/acl_read: fix the calculation of the attribute > array for the sub search > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 33 +++++++++++++++++------------ > 1 file changed, 19 insertions(+), 14 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index c42db5f..e4adcde 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -296,6 +296,8 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > struct ldb_result *res; > struct aclread_private *p; > bool is_untrusted = ldb_req_is_untrusted(req); >+ static const char * const _all_attrs[] = { "*", NULL }; >+ bool all_attrs = false; > const char * const *attrs = NULL; > uint32_t instanceType; > static const char *acl_attrs[] = { >@@ -363,6 +365,18 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > if (!ac->schema) { > return ldb_operr(ldb); > } >+ >+ attrs = req->op.search.attrs; >+ if (attrs == NULL) { >+ all_attrs = true; >+ attrs = _all_attrs; >+ } else if (attrs[0] == NULL) { >+ all_attrs = true; >+ attrs = _all_attrs; >+ } else if (ldb_attr_in_list(attrs, "*")) { >+ all_attrs = true; >+ } >+ > /* > * In theory we should also check for the SD control but control verification is > * expensive so we'd better had the ntsecuritydescriptor to the list of >@@ -370,16 +384,15 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > */ > ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL); > >- ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor")); >- if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) { >- if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) { >+ ac->sd = !(ldb_attr_in_list(attrs, "nTSecurityDescriptor")); >+ >+ if (!all_attrs) { >+ if (!ldb_attr_in_list(attrs, "instanceType")) { > ac->instance_type = true; >- attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "instanceType"); >+ attrs = ldb_attr_list_copy_add(ac, attrs, "instanceType"); > if (attrs == NULL) { > return ldb_oom(ldb); > } >- } else { >- attrs = req->op.search.attrs; > } > if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) { > ac->object_sid = true; >@@ -391,14 +404,6 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > } > > if (ac->sd) { >- /* avoid replacing all attributes with nTSecurityDescriptor >- * if attribute list is empty */ >- if (!attrs) { >- attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "*"); >- if (attrs == NULL) { >- return ldb_oom(ldb); >- } >- } > attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor"); > if (attrs == NULL) { > return ldb_oom(ldb); >-- >1.7.9.5 > > >From 86cafd2b368133f8925762f08c3a06c36018d534 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 6 Dec 2012 12:29:49 +0100 >Subject: [PATCH 10/14] s4:dsdb/acl_read: give some variables a better name > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 23 +++++++++++++---------- > 1 file changed, 13 insertions(+), 10 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index e4adcde..787e3ef 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -45,9 +45,9 @@ struct aclread_context { > const char * const *attrs; > const struct dsdb_schema *schema; > uint32_t sd_flags; >- bool sd; >- bool instance_type; >- bool object_sid; >+ bool added_nTSecurityDescriptor; >+ bool added_instanceType; >+ bool added_objectSid; > bool indirsync; > }; > >@@ -145,15 +145,15 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) > is_instancetype = ldb_attr_cmp("instanceType", > msg->elements[i].name) == 0; > /* these attributes were added to perform access checks and must be removed */ >- if (is_objectsid && ac->object_sid) { >+ if (is_objectsid && ac->added_objectSid) { > aclread_mark_inaccesslible(&msg->elements[i]); > continue; > } >- if (is_instancetype && ac->instance_type) { >+ if (is_instancetype && ac->added_instanceType) { > aclread_mark_inaccesslible(&msg->elements[i]); > continue; > } >- if (is_sd && ac->sd) { >+ if (is_sd && ac->added_nTSecurityDescriptor) { > aclread_mark_inaccesslible(&msg->elements[i]); > continue; > } >@@ -295,6 +295,7 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > uint32_t flags = ldb_req_get_custom_flags(req); > struct ldb_result *res; > struct aclread_private *p; >+ bool need_sd = false; > bool is_untrusted = ldb_req_is_untrusted(req); > static const char * const _all_attrs[] = { "*", NULL }; > bool all_attrs = false; >@@ -384,31 +385,33 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > */ > ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL); > >- ac->sd = !(ldb_attr_in_list(attrs, "nTSecurityDescriptor")); >+ need_sd = !(ldb_attr_in_list(attrs, "nTSecurityDescriptor")); > > if (!all_attrs) { > if (!ldb_attr_in_list(attrs, "instanceType")) { >- ac->instance_type = true; > attrs = ldb_attr_list_copy_add(ac, attrs, "instanceType"); > if (attrs == NULL) { > return ldb_oom(ldb); > } >+ ac->added_instanceType = true; > } > if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) { >- ac->object_sid = true; > attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid"); > if (attrs == NULL) { > return ldb_oom(ldb); > } >+ ac->added_objectSid = true; > } > } > >- if (ac->sd) { >+ if (need_sd) { > attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor"); > if (attrs == NULL) { > return ldb_oom(ldb); > } >+ ac->added_nTSecurityDescriptor = true; > } >+ > ac->attrs = req->op.search.attrs; > ret = ldb_build_search_req_ex(&down_req, > ldb, ac, >-- >1.7.9.5 > > >From 8d7086411749a725e92a5c43d2cc751155da5cae Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 6 Dec 2012 12:36:09 +0100 >Subject: [PATCH 11/14] s4:dsdb/acl_read: return the nTSecurityDescriptor attr > if the sd_flags control is given (bug #9470) > >Not returning the nTSecurityDescriptor causes a lot of problems. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/dsdb/samdb/ldb_modules/acl_read.c | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c >index 787e3ef..9955451 100644 >--- a/source4/dsdb/samdb/ldb_modules/acl_read.c >+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c >@@ -296,6 +296,7 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > struct ldb_result *res; > struct aclread_private *p; > bool need_sd = false; >+ bool explicit_sd_flags = false; > bool is_untrusted = ldb_req_is_untrusted(req); > static const char * const _all_attrs[] = { "*", NULL }; > bool all_attrs = false; >@@ -383,9 +384,15 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) > * expensive so we'd better had the ntsecuritydescriptor to the list of > * searched attribute and then remove it ! > */ >- ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL); >+ ac->sd_flags = dsdb_request_sd_flags(ac->req, &explicit_sd_flags); > >- need_sd = !(ldb_attr_in_list(attrs, "nTSecurityDescriptor")); >+ if (ldb_attr_in_list(attrs, "nTSecurityDescriptor")) { >+ need_sd = false; >+ } else if (explicit_sd_flags && all_attrs) { >+ need_sd = false; >+ } else { >+ need_sd = true; >+ } > > if (!all_attrs) { > if (!ldb_attr_in_list(attrs, "instanceType")) { >-- >1.7.9.5 > > >From 458084ac8afbdfba31a37cdf512ad7608a867607 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 6 Dec 2012 15:56:26 +0100 >Subject: [PATCH 12/14] s4:dsdb/operational: fix stripping of the > nTSecurityDescriptor attribute > >If the sd_flags control is specified, we should return nTSecurityDescriptor >only if the client asked for all attributes. > >If there's a list of only explicit attribute names, we should ignore >the sd_flags control. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >--- > source4/dsdb/samdb/ldb_modules/operational.c | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c >index 4ce8b8f..c642ad8 100644 >--- a/source4/dsdb/samdb/ldb_modules/operational.c >+++ b/source4/dsdb/samdb/ldb_modules/operational.c >@@ -721,10 +721,20 @@ static int operational_search_post_process(struct ldb_module *module, > continue; > } > case OPERATIONAL_SD_FLAGS: >- if (controls_flags->sd || >- ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) { >+ if (ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) { > continue; > } >+ if (controls_flags->sd) { >+ if (attrs_from_user == NULL) { >+ continue; >+ } >+ if (attrs_from_user[0] == NULL) { >+ continue; >+ } >+ if (ldb_attr_in_list(attrs_from_user, "*")) { >+ continue; >+ } >+ } > ldb_msg_remove_attr(msg, operational_remove[i].attr); > break; > } >-- >1.7.9.5 > > >From 294742a5f51c1151845b12645e73a0850e29b6fa Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 6 Dec 2012 14:04:47 +0100 >Subject: [PATCH 13/14] s4:dsdb/tests/sec_descriptor: verify the > nTSecurityDescriptor and sd_flags interaction > >This is a regression test for bug #9470. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >--- > source4/dsdb/tests/python/sec_descriptor.py | 116 +++++++++++++++++++++++++++ > 1 file changed, 116 insertions(+) > >diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py >index aff6040..cf213ab 100755 >--- a/source4/dsdb/tests/python/sec_descriptor.py >+++ b/source4/dsdb/tests/python/sec_descriptor.py >@@ -1848,6 +1848,122 @@ class SdFlagsDescriptorTests(DescriptorTests): > self.assertFalse("S:" in desc_sddl) > self.assertFalse("G:" in desc_sddl) > >+ def test_311(self): >+ sd_flags = (SECINFO_OWNER | >+ SECINFO_GROUP | >+ SECINFO_DACL | >+ SECINFO_SACL) >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, >+ [], controls=None) >+ self.assertFalse("nTSecurityDescriptor" in res[0]) >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, >+ ["name"], controls=None) >+ self.assertFalse("nTSecurityDescriptor" in res[0]) >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, >+ ["name"], controls=["sd_flags:1:%d" % (sd_flags)]) >+ self.assertFalse("nTSecurityDescriptor" in res[0]) >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, >+ [], controls=["sd_flags:1:%d" % (sd_flags)]) >+ self.assertTrue("nTSecurityDescriptor" in res[0]) >+ tmp = res[0]["nTSecurityDescriptor"][0] >+ sd = ndr_unpack(security.descriptor, tmp) >+ sddl = sd.as_sddl(self.sd_utils.domain_sid) >+ self.assertTrue("O:" in sddl) >+ self.assertTrue("G:" in sddl) >+ self.assertTrue("D:" in sddl) >+ self.assertTrue("S:" in sddl) >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, >+ ["*"], controls=["sd_flags:1:%d" % (sd_flags)]) >+ self.assertTrue("nTSecurityDescriptor" in res[0]) >+ tmp = res[0]["nTSecurityDescriptor"][0] >+ sd = ndr_unpack(security.descriptor, tmp) >+ sddl = sd.as_sddl(self.sd_utils.domain_sid) >+ self.assertTrue("O:" in sddl) >+ self.assertTrue("G:" in sddl) >+ self.assertTrue("D:" in sddl) >+ self.assertTrue("S:" in sddl) >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, >+ ["nTSecurityDescriptor", "*"], controls=["sd_flags:1:%d" % (sd_flags)]) >+ self.assertTrue("nTSecurityDescriptor" in res[0]) >+ tmp = res[0]["nTSecurityDescriptor"][0] >+ sd = ndr_unpack(security.descriptor, tmp) >+ sddl = sd.as_sddl(self.sd_utils.domain_sid) >+ self.assertTrue("O:" in sddl) >+ self.assertTrue("G:" in sddl) >+ self.assertTrue("D:" in sddl) >+ self.assertTrue("S:" in sddl) >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, >+ ["*", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)]) >+ self.assertTrue("nTSecurityDescriptor" in res[0]) >+ tmp = res[0]["nTSecurityDescriptor"][0] >+ sd = ndr_unpack(security.descriptor, tmp) >+ sddl = sd.as_sddl(self.sd_utils.domain_sid) >+ self.assertTrue("O:" in sddl) >+ self.assertTrue("G:" in sddl) >+ self.assertTrue("D:" in sddl) >+ self.assertTrue("S:" in sddl) >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, >+ ["nTSecurityDescriptor", "name"], controls=["sd_flags:1:%d" % (sd_flags)]) >+ self.assertTrue("nTSecurityDescriptor" in res[0]) >+ tmp = res[0]["nTSecurityDescriptor"][0] >+ sd = ndr_unpack(security.descriptor, tmp) >+ sddl = sd.as_sddl(self.sd_utils.domain_sid) >+ self.assertTrue("O:" in sddl) >+ self.assertTrue("G:" in sddl) >+ self.assertTrue("D:" in sddl) >+ self.assertTrue("S:" in sddl) >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, >+ ["name", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)]) >+ self.assertTrue("nTSecurityDescriptor" in res[0]) >+ tmp = res[0]["nTSecurityDescriptor"][0] >+ sd = ndr_unpack(security.descriptor, tmp) >+ sddl = sd.as_sddl(self.sd_utils.domain_sid) >+ self.assertTrue("O:" in sddl) >+ self.assertTrue("G:" in sddl) >+ self.assertTrue("D:" in sddl) >+ self.assertTrue("S:" in sddl) >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, >+ ["nTSecurityDescriptor"], controls=None) >+ self.assertTrue("nTSecurityDescriptor" in res[0]) >+ tmp = res[0]["nTSecurityDescriptor"][0] >+ sd = ndr_unpack(security.descriptor, tmp) >+ sddl = sd.as_sddl(self.sd_utils.domain_sid) >+ self.assertTrue("O:" in sddl) >+ self.assertTrue("G:" in sddl) >+ self.assertTrue("D:" in sddl) >+ self.assertTrue("S:" in sddl) >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, >+ ["name", "nTSecurityDescriptor"], controls=None) >+ self.assertTrue("nTSecurityDescriptor" in res[0]) >+ tmp = res[0]["nTSecurityDescriptor"][0] >+ sd = ndr_unpack(security.descriptor, tmp) >+ sddl = sd.as_sddl(self.sd_utils.domain_sid) >+ self.assertTrue("O:" in sddl) >+ self.assertTrue("G:" in sddl) >+ self.assertTrue("D:" in sddl) >+ self.assertTrue("S:" in sddl) >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, >+ ["nTSecurityDescriptor", "name"], controls=None) >+ self.assertTrue("nTSecurityDescriptor" in res[0]) >+ tmp = res[0]["nTSecurityDescriptor"][0] >+ sd = ndr_unpack(security.descriptor, tmp) >+ sddl = sd.as_sddl(self.sd_utils.domain_sid) >+ self.assertTrue("O:" in sddl) >+ self.assertTrue("G:" in sddl) >+ self.assertTrue("D:" in sddl) >+ self.assertTrue("S:" in sddl) > > class RightsAttributesTests(DescriptorTests): > >-- >1.7.9.5 > > >From 074014cc5ea85ab17e3ef7e560577114ef04eb97 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 7 Dec 2012 18:58:57 +0100 >Subject: [PATCH 14/14] s4:dsdb/tests/sec_descriptor: verify the search of a > windows dc join keeps working > >This is a regression test for bug #9470. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/dsdb/tests/python/sec_descriptor.py | 7 +++++++ > 1 file changed, 7 insertions(+) > >diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py >index cf213ab..78cd052 100755 >--- a/source4/dsdb/tests/python/sec_descriptor.py >+++ b/source4/dsdb/tests/python/sec_descriptor.py >@@ -1965,6 +1965,13 @@ class SdFlagsDescriptorTests(DescriptorTests): > self.assertTrue("D:" in sddl) > self.assertTrue("S:" in sddl) > >+ def test_312(self): >+ """This search is done by the windows dc join...""" >+ >+ res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["1.1"], >+ controls=["extended_dn:1:0", "sd_flags:1:0", "search_options:1:1"]) >+ self.assertFalse("nTSecurityDescriptor" in res[0]) >+ > class RightsAttributesTests(DescriptorTests): > > def deleteAll(self): >-- >1.7.9.5 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 9470
:
8294
|
8300
|
8305
|
8334