Author: abartlet Date: 2007-08-27 02:26:24 +0000 (Mon, 27 Aug 2007) New Revision: 24696
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24696 Log: Fix bug 4918 reported by Matthias Walln?\195?\182fer <[EMAIL PROTECTED]> with a patch from Andrew Kroeger <[EMAIL PROTECTED]>. The changes to samldb_fill_foreignSecurityPrincipal_object() look much larger then they are: We just skip all the objectSid generation if the SID is supplied. By providing a few more objects, standard dialogs on the clients are better behaved, for these 'well known' users. Andrew Bartlett Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/samldb.c branches/SAMBA_4_0/source/setup/provision_users.ldif Changeset: Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/samldb.c =================================================================== --- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/samldb.c 2007-08-27 01:55:03 UTC (rev 24695) +++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/samldb.c 2007-08-27 02:26:24 UTC (rev 24696) @@ -576,7 +576,7 @@ /* build the new msg */ msg2 = ldb_msg_copy(mem_ctx, msg); if (!msg2) { - ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_foreignSecurityPrincpal_object: ldb_msg_copy failed!\n"); + ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_foreignSecurityPrincipal_object: ldb_msg_copy failed!\n"); talloc_free(mem_ctx); return LDB_ERR_OPERATIONS_ERROR; } @@ -601,47 +601,50 @@ return LDB_ERR_CONSTRAINT_VIOLATION; } - /* Slightly different for the foreign sids. We don't want - * domain SIDs ending up there, it would cause all sorts of - * pain */ - - sid = dom_sid_parse_talloc(msg2, (const char *)ldb_dn_get_rdn_val(msg2->dn)->data); + sid = samdb_result_dom_sid(msg2, msg, "objectSid"); if (!sid) { - ldb_set_errstring(module->ldb, "No valid found SID in ForeignSecurityPrincipal CN!"); - talloc_free(mem_ctx); - return LDB_ERR_CONSTRAINT_VIOLATION; - } + /* Slightly different for the foreign sids. We don't want + * domain SIDs ending up there, it would cause all sorts of + * pain */ - if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) { - talloc_free(sid); - return LDB_ERR_OPERATIONS_ERROR; - } + sid = dom_sid_parse_talloc(msg2, (const char *)ldb_dn_get_rdn_val(msg2->dn)->data); + if (!sid) { + ldb_set_errstring(module->ldb, "No valid found SID in ForeignSecurityPrincipal CN!"); + talloc_free(mem_ctx); + return LDB_ERR_CONSTRAINT_VIOLATION; + } - dom_sid = dom_sid_dup(mem_ctx, sid); - if (!dom_sid) { - talloc_free(mem_ctx); - return LDB_ERR_OPERATIONS_ERROR; - } - /* get the domain component part of the provided SID */ - dom_sid->num_auths--; + if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) { + talloc_free(sid); + return LDB_ERR_OPERATIONS_ERROR; + } - /* find the domain DN */ + dom_sid = dom_sid_dup(mem_ctx, sid); + if (!dom_sid) { + talloc_free(mem_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + /* get the domain component part of the provided SID */ + dom_sid->num_auths--; - ret = gendb_search(module->ldb, - mem_ctx, NULL, &dom_msgs, dom_attrs, - "(&(objectSid=%s)(objectclass=domain))", - ldap_encode_ndr_dom_sid(mem_ctx, dom_sid)); - if (ret >= 1) { - /* We don't really like the idea of foreign sids that are not foreign, but it happens */ - const char *name = samdb_result_string(dom_msgs[0], "name", NULL); - ldb_debug(module->ldb, LDB_DEBUG_TRACE, "NOTE (strange but valid): Adding foreign SID record with SID %s, but this domian (%s) is already in the database", - dom_sid_string(mem_ctx, sid), name); - } else if (ret == -1) { - ldb_asprintf_errstring(module->ldb, - "samldb_fill_foreignSecurityPrincipal_object: error searching for a domain with this sid: %s\n", - dom_sid_string(mem_ctx, dom_sid)); - talloc_free(dom_msgs); - return LDB_ERR_OPERATIONS_ERROR; + /* find the domain DN */ + + ret = gendb_search(module->ldb, + mem_ctx, NULL, &dom_msgs, dom_attrs, + "(&(objectSid=%s)(objectclass=domain))", + ldap_encode_ndr_dom_sid(mem_ctx, dom_sid)); + if (ret >= 1) { + /* We don't really like the idea of foreign sids that are not foreign, but it happens */ + const char *name = samdb_result_string(dom_msgs[0], "name", NULL); + ldb_debug(module->ldb, LDB_DEBUG_TRACE, "NOTE (strange but valid): Adding foreign SID record with SID %s, but this domian (%s) is already in the database", + dom_sid_string(mem_ctx, sid), name); + } else if (ret == -1) { + ldb_asprintf_errstring(module->ldb, + "samldb_fill_foreignSecurityPrincipal_object: error searching for a domain with this sid: %s\n", + dom_sid_string(mem_ctx, dom_sid)); + talloc_free(dom_msgs); + return LDB_ERR_OPERATIONS_ERROR; + } } /* This isn't an operation on a domain we know about, so just Modified: branches/SAMBA_4_0/source/setup/provision_users.ldif =================================================================== --- branches/SAMBA_4_0/source/setup/provision_users.ldif 2007-08-27 01:55:03 UTC (rev 24695) +++ branches/SAMBA_4_0/source/setup/provision_users.ldif 2007-08-27 02:26:24 UTC (rev 24696) @@ -347,3 +347,240 @@ isCriticalSystemObject: TRUE privilege: SeInteractiveLogonRight +dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +cn: Pre-Windows 2000 Compatible Access +description: A backward compatibility group which allows read access on all users and groups in the domain +objectSid: S-1-5-32-554 +sAMAccountName: Pre-Windows 2000 Compatible Access +sAMAccountType: 536870912 +systemFlags: 2348810240 +groupType: 2147483653 +isCriticalSystemObject: TRUE +privilege: SeRemoteInteractiveLogonRight +privilege: SeChangeNotifyPrivilege + +dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +cn: Incoming Forest Trust Builders +description: Members of this group can create incoming, one-way trusts to this forest +objectSid: S-1-5-32-557 +sAMAccountName: Incoming Forest Trust Builders +sAMAccountType: 536870912 +systemFlags: 2348810240 +groupType: 2147483653 +isCriticalSystemObject: TRUE + +dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +cn: Windows Authorization Access Group +description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects +objectSid: S-1-5-32-560 +sAMAccountName: Windows Authorization Access Group +sAMAccountType: 536870912 +systemFlags: 2348810240 +groupType: 2147483653 +isCriticalSystemObject: TRUE + +dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +cn: Terminal Server License Servers +description: Terminal Server License Servers +objectSid: S-1-5-32-561 +sAMAccountName: Terminal Server License Servers +sAMAccountType: 536870912 +systemFlags: 2348810240 +groupType: 2147483653 +isCriticalSystemObject: TRUE + +dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +cn: Distributed COM Users +description: Members are allowed to launch, activate and use Distributed COM objects on this machine. +objectSid: S-1-5-32-562 +sAMAccountName: Distributed COM Users +sAMAccountType: 536870912 +systemFlags: 2348810240 +groupType: 2147483653 +isCriticalSystemObject: TRUE + +dn: CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: container +cn: WellKnown Security Principals +systemFlags: 2147483648 +showInAdvancedViewOnly: TRUE + +dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Anonymous Logon +objectSid: S-1-5-7 +showInAdvancedViewOnly: TRUE + +dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Authenticated Users +objectSid: S-1-5-11 +showInAdvancedViewOnly: TRUE + +dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Batch +objectSid: S-1-5-3 +showInAdvancedViewOnly: TRUE + +dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Creator Group +objectSid: S-1-3-1 +showInAdvancedViewOnly: TRUE + +dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Creator Owner +objectSid: S-1-3-0 +showInAdvancedViewOnly: TRUE + +dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Dialup +objectSid: S-1-5-1 +showInAdvancedViewOnly: TRUE + +dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Digest Authentication +objectSid: S-1-5-64-21 +showInAdvancedViewOnly: TRUE + +dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Enterprise Domain Controllers +objectSid: S-1-5-9 +showInAdvancedViewOnly: TRUE + +dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Everyone +objectSid: S-1-1-0 +showInAdvancedViewOnly: TRUE + +dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Interactive +objectSid: S-1-5-4 +showInAdvancedViewOnly: TRUE + +dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Local Service +objectSid: S-1-5-19 +showInAdvancedViewOnly: TRUE + +dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Network +objectSid: S-1-5-2 +showInAdvancedViewOnly: TRUE + +dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Network Service +objectSid: S-1-5-20 +showInAdvancedViewOnly: TRUE + +dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: NTLM Authentication +objectSid: S-1-5-64-10 +showInAdvancedViewOnly: TRUE + +dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Other Organization +objectSid: S-1-5-1000 +showInAdvancedViewOnly: TRUE + +dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Proxy +objectSid: S-1-5-8 +showInAdvancedViewOnly: TRUE + +dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Remote Interactive Logon +objectSid: S-1-5-14 +showInAdvancedViewOnly: TRUE + +dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Restricted +objectSid: S-1-5-12 +showInAdvancedViewOnly: TRUE + +dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: SChannel Authentication +objectSid: S-1-5-64-14 +showInAdvancedViewOnly: TRUE + +dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Self +objectSid: S-1-5-10 +showInAdvancedViewOnly: TRUE + +dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Service +objectSid: S-1-5-6 +showInAdvancedViewOnly: TRUE + +dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Terminal Server User +objectSid: S-1-5-13 +showInAdvancedViewOnly: TRUE + +dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: This Organization +objectSid: S-1-5-15 +showInAdvancedViewOnly: TRUE + +dn: CN=Well-Known-Security-Id-System,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +cn: Well-Known-Security-Id-System +objectSid: S-1-5-18 +showInAdvancedViewOnly: TRUE +
