The Samba-Bugzilla – Bug 9142
Need to check ACLs for TSIG updates
Last modified: 2012-09-17 21:52:19 UTC
Currently the update check only checks for a valid user, not if the user has permissions to actually create/modify a record.
Should be fixed before 4.0 final.
Fixed by 319b239dc4aeb2c6a928a70fc7a7dbad56d273cd
I misled you a little when I suggested this task is as simple as just
checking the ACL. As I noticed when I started diving into the
equivalent code in the bind9 dlz code, we need to actually impersonate
the incoming user, or else we won't set owners correctly. This could then mean that a subsequent ACL check fails.
Have a look over all the uses of 'session_info' in the dlz code, because
we will need to do the same in your code.
Then we really, really need tests. Perhaps added to smbtorture, what we
need to do is create a record using libadds, then verify its ownership
and the expected ACL AD using LDAP calls.
(The advantage of an smbtorture test here is that you can run it against
AD, and against bind9_dlz to ensure the test is correct).
Should be fixed in RC1
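
The failure mode discussed in this bug, as an added toy model (not Samba or bind9_dlz code): it compares an update path that only authenticates the signer, one that checks the ACL but writes as the service, and one that impersonates the user. The `Zone` store, the `SERVICE` identity and the "only the owner may modify" rule are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

SERVICE = "dns-service"  # hypothetical identity the DNS server itself runs as

@dataclass
class Record:
    owner: str
    data: str

@dataclass
class Zone:
    creators: set                      # principals allowed to create records
    records: dict = field(default_factory=dict)

    def allowed(self, who, name):
        rec = self.records.get(name)
        if rec is None:
            return who in self.creators    # create right on the zone
        return who == rec.owner            # model assumption: owner-only modify

    def write(self, acting_as, name, data):
        # The store stamps the owner from the identity performing the write.
        rec = self.records.get(name)
        if rec is None:
            self.records[name] = Record(owner=acting_as, data=data)
        else:
            rec.data = data

def update_auth_only(zone, user, name, data):
    """Reported behaviour: any validly authenticated user is accepted."""
    zone.write(SERVICE, name, data)
    return True

def update_acl_no_impersonation(zone, user, name, data):
    """ACL is checked, but the write still runs as the service identity."""
    if not zone.allowed(user, name):
        return False
    zone.write(SERVICE, name, data)    # owner becomes SERVICE, not the user
    return True

def update_impersonated(zone, user, name, data):
    """ACL is checked and the write is performed as the authenticated user."""
    if not zone.allowed(user, name):
        return False
    zone.write(user, name, data)       # owner is the user who created it
    return True
```

In the second variant the user's own follow-up update is refused because the record ended up owned by the service, which is the subsequent ACL failure the comment warns about.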