The branch, master has been updated
       via  bdd83c0... s4:ldap.py - add testcase which demonstrates the reset 
of the "primaryGroupID"
       via  d604d49... s4:samldb LDB module - fix up the case when the old and 
new "primaryGroupID" are the same
       via  13ca999... s4:samldb LDB module - don't create multiple "ac" module 
contexts on modify operations
       via  9f95298... s4:dcesrv_samr_Add/DeleteAliasMember - provide better 
NTSTATUS return codes when something didn't work
       via  7374cd0... s4:dcesrv_samr_GetAliasMembership - fix type of counter 
variables
       via  34b43a8... s4:dcesrv_samr_DeleteAliasMember - add more braces to 
fit better the coding styles
       via  305f2c7... s4:dcesrv_samr_AddAliasMembership - Merge the two error 
blocks into one
       via  13b1f7a... s4:dcesrv_samr_Add/DelGroupMember - remove the account 
type check
       via  f95634d... s4:dcesrv_samr_AddGroupMember - also the error code 
"LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS" is allowed
       via  1305c91... s4:samba_dsdb LDB module - move the "objectclass_attrs" 
module back
       via  c1b4ccb... s4:ldap.py - add a test to demonstrate the 
'instanceType' behaviour
       via  0a41b7e... s4:instancetype LDB module - prevent all types of 
"instanceType" manipulation
      from  f66cc82... s3: Fix EnumDomainAliases when no aliases are in LDAP

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit bdd83c0639ad0066a2b0e77611548f2d165bb747
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Thu Jun 10 16:18:41 2010 +0200

    s4:ldap.py - add testcase which demonstrates the reset of the 
"primaryGroupID"

commit d604d499390dea1a10bfdd462b512bfe1845a101
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Thu Jun 10 16:15:10 2010 +0200

    s4:samldb LDB module - fix up the case when the old and new 
"primaryGroupID" are the same

commit 13ca999b3b4660e530ac0b91342c40ff8a3c7a31
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Thu Jun 10 16:08:23 2010 +0200

    s4:samldb LDB module - don't create multiple "ac" module contexts on modify 
operations
    
    Since we do now run sequentially through all checks we don't need multiple 
"ac"
    contexts anymore.

commit 9f9529886499acc80ad7316d5eab590545643b87
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Thu Jun 10 15:47:48 2010 +0200

    s4:dcesrv_samr_Add/DeleteAliasMember - provide better NTSTATUS return codes 
when something didn't work

commit 7374cd035807029d800815f82474ab9c6ed2e861
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Thu Jun 10 12:42:04 2010 +0200

    s4:dcesrv_samr_GetAliasMembership - fix type of counter variables

commit 34b43a8642bd13dfad50a4e2436ccc5814135ce2
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Thu Jun 10 12:19:04 2010 +0200

    s4:dcesrv_samr_DeleteAliasMember - add more braces to fit better the coding 
styles

commit 305f2c70434ecc244c4c7bcad285e2cfae8f3215
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Thu Jun 10 12:17:48 2010 +0200

    s4:dcesrv_samr_AddAliasMembership - Merge the two error blocks into one

commit 13b1f7a2b33b299208abfbb50fbf1e2b982ca326
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Thu Jun 10 11:50:12 2010 +0200

    s4:dcesrv_samr_Add/DelGroupMember - remove the account type check
    
    MS-SAMR 3.1.5.8 speaks of accounts, which are not necessarily only users.

commit f95634dbe0b8afbae8b90323ba98ddb69d9dcf6e
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Thu Jun 10 11:48:33 2010 +0200

    s4:dcesrv_samr_AddGroupMember - also the error code 
"LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS" is allowed
    
    This is returned when the group is the primary group of the specified entry.

commit 1305c9159876f1621710b9888624aaf037046155
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Thu Jun 10 11:05:43 2010 +0200

    s4:samba_dsdb LDB module - move the "objectclass_attrs" module back
    
    I think it should be lower in order to control also the "instanceType" 
module.

commit c1b4ccb23b18c4d729f3fe299a1f03efa497a958
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Thu Jun 10 10:52:31 2010 +0200

    s4:ldap.py - add a test to demonstrate the 'instanceType' behaviour

commit 0a41b7e95b394e410cc0d8d02e9ff5ea1f64cd9c
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Thu Jun 10 10:39:52 2010 +0200

    s4:instancetype LDB module - prevent all types of "instanceType" 
manipulation
    
    Also on Windows Server you aren't able to change it.

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/instancetype.c |   16 ++++++
 source4/dsdb/samdb/ldb_modules/samba_dsdb.c   |    2 +-
 source4/dsdb/samdb/ldb_modules/samldb.c       |   32 +++++-------
 source4/lib/ldb/tests/python/ldap.py          |   46 +++++++++++++++++
 source4/rpc_server/samr/dcesrv_samr.c         |   67 +++++++++++++++----------
 5 files changed, 116 insertions(+), 47 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/instancetype.c 
b/source4/dsdb/samdb/ldb_modules/instancetype.c
index 7828ce1..4ed906f 100644
--- a/source4/dsdb/samdb/ldb_modules/instancetype.c
+++ b/source4/dsdb/samdb/ldb_modules/instancetype.c
@@ -158,7 +158,23 @@ static int instancetype_add(struct ldb_module *module, 
struct ldb_request *req)
        return ldb_next_request(module, down_req);
 }
 
+/* deny instancetype modification */
+static int instancetype_mod(struct ldb_module *module, struct ldb_request *req)
+{
+       struct ldb_context *ldb = ldb_module_get_ctx(module);
+       struct ldb_message_element *el;
+
+       el = ldb_msg_find_element(req->op.mod.message, "instanceType");
+       if (el != NULL) {
+               ldb_set_errstring(ldb, "instancetype: the 'instanceType' 
attribute can never be changed!");
+               return LDB_ERR_CONSTRAINT_VIOLATION;
+       }
+
+       return ldb_next_request(module, req);
+}
+
 _PUBLIC_ const struct ldb_module_ops ldb_instancetype_module_ops = {
        .name          = "instancetype",
        .add           = instancetype_add,
+       .modify        = instancetype_mod
 };
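Review bot: The new `instancetype_mod` carries only the one-line `/* deny instancetype modification */`, which does not say what is actually enforced; since this is a hard constraint on every modify request, the comment should state the contract, e.g. `/* Reject any modify request carrying an "instanceType" element (add, replace or delete), whatever controls the request has; the value is presumably fixed by instancetype_add and must never change afterwards. */`. The check itself is sound: it keys on the element's presence, so an empty replace or a delete is refused the same way as a value change. In the ops table the last initializer `.modify = instancetype_mod` has no trailing comma, so the next field added will have to touch this line; `.modify        = instancetype_mod,` keeps future diffs minimal.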
diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c 
b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
index 08df460..137de73 100644
--- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
+++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
@@ -183,10 +183,10 @@ static int samba_dsdb_init(struct ldb_module *module)
                                             "samldb",
                                             "password_hash",
                                             "operational",
-                                            "objectclass_attrs",
                                             "kludge_acl",
                                             "schema_load",
                                             "instancetype",
+                                            "objectclass_attrs",
                                             NULL };
 
        const char **link_modules;
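Review bot: The reason `objectclass_attrs` now sits below `instancetype` lives only in the commit message ("to control also the instanceType module"); this list presumably decides the order in which the modules see a request, so the ordering constraint is worth an in-code comment next to the moved entry, e.g. `"objectclass_attrs", /* must stay below "instancetype": see commit message of this move */`. I cannot tell from the hunk alone which direction the dependency runs, so the comment should be written by whoever confirmed it. `samba_dsdb_init` begins and ends outside the hunk.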
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c 
b/source4/dsdb/samdb/ldb_modules/samldb.c
index 64a91c8..5d64b6d 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1176,16 +1176,16 @@ static int samldb_prim_group_change(struct samldb_ctx 
*ac)
                return LDB_ERR_UNWILLING_TO_PERFORM;
        }
 
-       el = samdb_find_attribute(ldb, res->msgs[0], "memberOf",
-                                 ldb_dn_get_linearized(new_prim_group_dn));
-       if (el == NULL) {
+       /* Only update the "member" attributes when we really do have a change 
*/
+       if (ldb_dn_compare(new_prim_group_dn, prev_prim_group_dn) != 0) {
                /* We need to be already a normal member of the new primary
                 * group in order to be successful. */
-               return LDB_ERR_UNWILLING_TO_PERFORM;
-       }
+               el = samdb_find_attribute(ldb, res->msgs[0], "memberOf",
+                                         
ldb_dn_get_linearized(new_prim_group_dn));
+               if (el == NULL) {
+                       return LDB_ERR_UNWILLING_TO_PERFORM;
+               }
 
-       /* Only update the "member" attributes when we really do have a change 
*/
-       if (ldb_dn_compare(new_prim_group_dn, prev_prim_group_dn) != 0) {
                /* Remove the "member" attribute on the new primary group */
                msg = talloc_zero(ac, struct ldb_message);
                msg->dn = new_prim_group_dn;
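Review bot: The `talloc_zero` result on the line right after the restructured block is dereferenced immediately (`msg->dn = new_prim_group_dn;`) without a NULL check; it is context rather than new code, but the change reworks exactly this path, so `if (msg == NULL) { ldb_oom(ldb); return LDB_ERR_OPERATIONS_ERROR; }` would be cheap to add here. The new ordering itself looks right: the `memberOf` precondition is only demanded when the primary group really changes, which is what lets a reset to the current group succeed. `samldb_prim_group_change` starts and ends outside the hunk.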
@@ -1395,6 +1395,7 @@ static int samldb_add(struct ldb_module *module, struct 
ldb_request *req)
 static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 {
        struct ldb_context *ldb;
+       struct samldb_ctx *ac;
        struct ldb_message *msg;
        struct ldb_message_element *el, *el2;
        int ret;
@@ -1421,6 +1422,11 @@ static int samldb_modify(struct ldb_module *module, 
struct ldb_request *req)
                }
        }
 
+       ac = samldb_ctx_init(module, req);
+       if (ac == NULL) {
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+
        /* TODO: do not modify original request, create a new one */
 
        el = ldb_msg_find_element(req->op.mod.message, "groupType");
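Review bot: `samldb_ctx_init` is now called for every modify request that reaches this point, including those that touch neither `primaryGroupID` nor `member`, whereas before the context existed only in the branches that used it. If the context is a talloc child of `req` this is just a small per-request allocation; if it hangs off the module or another long-lived parent it becomes a leak on every unrelated modify, so the allocator in `samldb_ctx_init` is worth checking. The two remaining users of `ac` in the hunks at @@ -1447 and @@ -1511 store `ldb_msg_copy_shallow(...)` into both `ac->msg` and `req->op.mod.message` without checking for a NULL copy; a `if (ac->msg == NULL) { return ldb_module_oom(module); }` after each assignment would close that. The declaration hunk at @@ -1395 belongs to the same change. `samldb_modify` continues past the end of this hunk.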
@@ -1447,12 +1453,6 @@ static int samldb_modify(struct ldb_module *module, 
struct ldb_request *req)
 
        el = ldb_msg_find_element(req->op.mod.message, "primaryGroupID");
        if (el && (el->flags == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
-               struct samldb_ctx *ac;
-
-               ac = samldb_ctx_init(module, req);
-               if (ac == NULL)
-                       return LDB_ERR_OPERATIONS_ERROR;
-
                req->op.mod.message = ac->msg = ldb_msg_copy_shallow(req,
                        req->op.mod.message);
 
@@ -1511,12 +1511,6 @@ static int samldb_modify(struct ldb_module *module, 
struct ldb_request *req)
 
        el = ldb_msg_find_element(req->op.mod.message, "member");
        if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && 
el->num_values == 1) {
-               struct samldb_ctx *ac;
-
-               ac = samldb_ctx_init(module, req);
-               if (ac == NULL)
-                       return LDB_ERR_OPERATIONS_ERROR;
-
                req->op.mod.message = ac->msg = ldb_msg_copy_shallow(req,
                        req->op.mod.message);
 
diff --git a/source4/lib/ldb/tests/python/ldap.py 
b/source4/lib/ldb/tests/python/ldap.py
index fa902a0..db69b47 100755
--- a/source4/lib/ldb/tests/python/ldap.py
+++ b/source4/lib/ldb/tests/python/ldap.py
@@ -648,6 +648,45 @@ class BasicTests(unittest.TestCase):
 
         self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + 
self.base_dn)
 
+    def test_instanceType(self):
+        """Tests the 'instanceType' attribute"""
+        print "Tests the 'instanceType' attribute"""
+
+        self.ldb.add({
+             "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+             "objectclass": "group"})
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+        m["instanceType"] = MessageElement("0", FLAG_MOD_REPLACE,
+          "instanceType")
+        try:
+            ldb.modify(m)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+        m["instanceType"] = MessageElement([], FLAG_MOD_REPLACE,
+          "instanceType")
+        try:
+            ldb.modify(m)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+        m["instanceType"] = MessageElement([], FLAG_MOD_DELETE, "instanceType")
+        try:
+            ldb.modify(m)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+        self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + 
self.base_dn)
+
     def test_distinguished_name(self):
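Review bot: The new `test_instanceType` covers REPLACE with a value, REPLACE with an empty list and DELETE, but not `FLAG_MOD_ADD`, although the commit title claims that all types of `instanceType` manipulation are prevented; a fourth block using `MessageElement("4", FLAG_MOD_ADD, "instanceType")` and expecting `ERR_CONSTRAINT_VIOLATION` would pin that. The `print "Tests the 'instanceType' attribute"""` line repeats the stray `""` already present in `test_distinguished_name`, so it is consistent with the file if odd. The group is added through `self.ldb` but modified through the module-level `ldb`; presumably both are the same connection, as in the neighbouring tests, but using `self.ldb` throughout would remove the doubt.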
         """Tests the 'distinguishedName' attribute"""
         print "Tests the 'distinguishedName' attribute"""
@@ -989,6 +1028,13 @@ objectClass: container
             "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
             "objectclass": ["user", "person"]})
 
+        # We should be able to reset our actual primary group
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+        m["primaryGroupID"] = MessageElement("513", FLAG_MOD_REPLACE,
+          "primaryGroupID")
+        ldb.modify(m)
+
         # Try to add invalid primary group
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
diff --git a/source4/rpc_server/samr/dcesrv_samr.c 
b/source4/rpc_server/samr/dcesrv_samr.c
index fafa9d6..2ab5155 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -1513,7 +1513,8 @@ static NTSTATUS dcesrv_samr_GetAliasMembership(struct 
dcesrv_call_state *dce_cal
        struct dcesrv_handle *h;
        struct samr_domain_state *d_state;
        struct ldb_message **res;
-       int i, count = 0;
+       uint32_t i;
+       int count = 0;
 
        DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN);
 
@@ -1948,12 +1949,11 @@ static NTSTATUS dcesrv_samr_AddGroupMember(struct 
dcesrv_call_state *dce_call, T
                return NT_STATUS_NO_MEMORY;
        }
 
-       /* In native mode, AD can also nest domain groups. Not sure yet
-        * whether this is also available via RPC. */
+       /* according to MS-SAMR 3.1.5.8.2 all type of accounts are accepted */
        ret = ldb_search(d_state->sam_ctx, mem_ctx, &res,
-                                d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs,
-                                "(&(objectSid=%s)(objectclass=user))",
-                                ldap_encode_ndr_dom_sid(mem_ctx, membersid));
+                        d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs,
+                        "(objectSid=%s)",
+                        ldap_encode_ndr_dom_sid(mem_ctx, membersid));
 
        if (ret != LDB_SUCCESS) {
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
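Review bot: Dropping `(objectclass=user)` from the filter means this `ldb_search` now returns whatever object in the domain subtree carries the SID (user, computer, group, foreign security principal), so any remaining restriction on what may become a group member must come from the later `ldb_modify` and the samldb module, which are outside this hunk; if that is the intent the comment should say so, e.g. `/* MS-SAMR 3.1.5.8.2: any account type may be added; object-type constraints are left to the samldb module on the modify below */`. The check that exactly one entry matched is not visible here, so I cannot confirm it still follows the `ret != LDB_SUCCESS` test. The same filter change appears in `dcesrv_samr_DeleteGroupMember` in the hunk at @@ -2049, where the added braces are welcome. `dcesrv_samr_AddGroupMember` starts and ends outside the hunk.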
@@ -1990,6 +1990,7 @@ static NTSTATUS dcesrv_samr_AddGroupMember(struct 
dcesrv_call_state *dce_call, T
        case LDB_SUCCESS:
                return NT_STATUS_OK;
        case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
+       case LDB_ERR_ENTRY_ALREADY_EXISTS:
                return NT_STATUS_MEMBER_IN_GROUP;
        case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
                return NT_STATUS_ACCESS_DENIED;
@@ -2049,15 +2050,15 @@ static NTSTATUS dcesrv_samr_DeleteGroupMember(struct 
dcesrv_call_state *dce_call
        d_state = a_state->domain_state;
 
        membersid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
-       if (membersid == NULL)
+       if (membersid == NULL) {
                return NT_STATUS_NO_MEMORY;
+       }
 
-       /* In native mode, AD can also nest domain groups. Not sure yet
-        * whether this is also available via RPC. */
+       /* according to MS-SAMR 3.1.5.8.2 all type of accounts are accepted */
        ret = ldb_search(d_state->sam_ctx, mem_ctx, &res,
-                                d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs,
-                                "(&(objectSid=%s)(objectclass=user))",
-                                ldap_encode_ndr_dom_sid(mem_ctx, membersid));
+                        d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs,
+                        "(objectSid=%s)",
+                        ldap_encode_ndr_dom_sid(mem_ctx, membersid));
 
        if (ret != LDB_SUCCESS) {
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -2420,10 +2421,6 @@ static NTSTATUS dcesrv_samr_AddAliasMember(struct 
dcesrv_call_state *dce_call, T
 
        if (ret == 1) {
                memberdn = msgs[0]->dn;
-       } else  if (ret > 1) {
-               DEBUG(0,("Found %d records matching sid %s\n", 
-                        ret, dom_sid_string(mem_ctx, r->in.sid)));
-               return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else if (ret == 0) {
                status = samdb_create_foreign_security_principal(
                        d_state->sam_ctx, mem_ctx, r->in.sid, &memberdn);
@@ -2431,8 +2428,9 @@ static NTSTATUS dcesrv_samr_AddAliasMember(struct 
dcesrv_call_state *dce_call, T
                        return status;
                }
        } else {
-               DEBUG(0, ("samdb_search returned %d: %s\n", ret,
-                     ldb_errstring(d_state->sam_ctx)));
+               DEBUG(0,("Found %d records matching sid %s\n",
+                        ret, dom_sid_string(mem_ctx, r->in.sid)));
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
        }
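Review bot: Folding the former `ret > 1` branch into the final `else` means a negative return from the search (an ldb error) is now reported as `Found -1 records matching sid ...` and the `ldb_errstring` detail that the removed lines logged is lost. Keep a separate error branch ahead of the duplicate case: `} else if (ret < 0) {` / `DEBUG(0, ("samdb_search returned %d: %s\n", ret, ldb_errstring(d_state->sam_ctx)));` / `return NT_STATUS_INTERNAL_DB_CORRUPTION;`. Returning an error status for the negative case is still an improvement over the old code, which only logged and fell through to the `memberdn == NULL` check. The branch removal in the previous hunk at @@ -2420 is the other half of this change; `dcesrv_samr_AddAliasMember` starts before and ends after this hunk.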
 
        if (memberdn == NULL) {
@@ -2453,11 +2451,18 @@ static NTSTATUS dcesrv_samr_AddAliasMember(struct 
dcesrv_call_state *dce_call, T
                return NT_STATUS_UNSUCCESSFUL;
        }
 
-       if (ldb_modify(a_state->sam_ctx, mod) != LDB_SUCCESS) {
+       ret = ldb_modify(a_state->sam_ctx, mod);
+       switch (ret) {
+       case LDB_SUCCESS:
+               return NT_STATUS_OK;
+       case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
+       case LDB_ERR_ENTRY_ALREADY_EXISTS:
+               return NT_STATUS_MEMBER_IN_GROUP;
+       case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
+               return NT_STATUS_ACCESS_DENIED;
+       default:
                return NT_STATUS_UNSUCCESSFUL;
        }
-
-       return NT_STATUS_OK;
 }
 
 
@@ -2482,9 +2487,9 @@ static NTSTATUS dcesrv_samr_DeleteAliasMember(struct 
dcesrv_call_state *dce_call
        memberdn = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
                                       "distinguishedName", "(objectSid=%s)", 
                                       ldap_encode_ndr_dom_sid(mem_ctx, 
r->in.sid));
-
-       if (memberdn == NULL)
+       if (memberdn == NULL) {
                return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+       }
 
        mod = ldb_msg_new(mem_ctx);
        if (mod == NULL) {
@@ -2495,13 +2500,21 @@ static NTSTATUS dcesrv_samr_DeleteAliasMember(struct 
dcesrv_call_state *dce_call
 
        ret = samdb_msg_add_delval(d_state->sam_ctx, mem_ctx, mod, "member",
                                                                 memberdn);
-       if (ret != LDB_SUCCESS)
+       if (ret != LDB_SUCCESS) {
                return NT_STATUS_UNSUCCESSFUL;
+       }
 
-       if (ldb_modify(a_state->sam_ctx, mod) != LDB_SUCCESS)
+       ret = ldb_modify(a_state->sam_ctx, mod);
+       switch (ret) {
+       case LDB_SUCCESS:
+               return NT_STATUS_OK;
+       case LDB_ERR_NO_SUCH_ATTRIBUTE:
+               return NT_STATUS_MEMBER_NOT_IN_GROUP;
+       case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
+               return NT_STATUS_ACCESS_DENIED;
+       default:
                return NT_STATUS_UNSUCCESSFUL;
-
-       return NT_STATUS_OK;
+       }
 }
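Review bot: The `switch (ret)` mapping ldb results to NTSTATUS is now written out by hand in `dcesrv_samr_DeleteAliasMember`, `dcesrv_samr_AddAliasMember` (hunk at @@ -2453) and `dcesrv_samr_AddGroupMember` (hunk at @@ -1990), and the three tables already differ in which ldb codes they recognise (only this one maps `LDB_ERR_NO_SUCH_ATTRIBUTE` to `NT_STATUS_MEMBER_NOT_IN_GROUP`). A single `static NTSTATUS` helper taking the ldb result and an add/delete flag would keep the mapping in one place and make any future divergence deliberate. At minimum each switch deserves a one-line comment such as `/* map the ldb result to the NTSTATUS MS-SAMR expects for membership changes */`. `dcesrv_samr_DeleteAliasMember` starts outside the hunk.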
 
 


-- 
Samba Shared Repository
