Bug 9142 - Need to check ACLs for TSIG updates
Need to check ACLs for TSIG updates
Product: Samba 4.0
Classification: Unclassified
Component: Other
All All
: P5 normal
: ---
Assigned To: Kai Blin
Depends on:
Blocks: 8622
  Show dependency treegraph
Reported: 2012-09-06 07:43 UTC by Kai Blin
Modified: 2012-09-17 21:52 UTC (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Kai Blin 2012-09-06 07:43:52 UTC
Currently the update check only checks for a valid user, not if the user has permissions to actually create/modify a record.
Comment 1 Michael Adam 2012-09-06 13:16:56 UTC
should be fixed before 4.0 final.
Comment 2 Kai Blin 2012-09-06 22:33:13 UTC
Fixed by 319b239dc4aeb2c6a928a70fc7a7dbad56d273cd
Comment 3 Andrew Bartlett 2012-09-07 01:19:08 UTC

I mislead you a little when I suggested this task is as simple as just
checking the ACL.  As I noticed when I started diving into the
equivalent code in the bind9 dlz code, we need to actually impersonate
the incoming user, or else we won't set owners correctly.  This could then mean that a subsequent ACL check fails. 

Have a look over all the uses of 'session_info' in the dlz code, because
we will need to do the same in your code.  

Then we really, really need tests.  Perhaps added to smbtorture, what we
need to do is create a record using libadds, then verify it's ownership
and the expected ACL AD using LDAP calls. 

(The advantage of an smbtorture test here is that you can run it against
AD, and against bind9_dlz to ensure the test is correct). 


Andrew Bartlett
Comment 4 Kai Blin 2012-09-17 21:52:19 UTC
Should be fixed in RC1