The branch, master has been updated
       via  850bf67 s4-ldb_modules/acl: Use ntds_guid for SPN check only we 
have a DC object
       via  3134895 s4-ldb_modules/acl: Get correct NTDSDSA objectGUID to check 
SPN for
       via  7397207 s4-ldb_modules/util: Implement 
dsdb_module_find_ntdsguid_for_computer()
       via  6110887 s4/ldb_modules/acl.c: Fix calculation for samAccountName 
string len
      from  b3ea56a s3-librpc: no need to globally include endpointmapper 
headers.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 850bf67c452bcb8570e2fb0af77296754bec98cc
Author: Kamen Mazdrashki <[email protected]>
Date:   Mon Feb 14 11:41:19 2011 +0200

    s4-ldb_modules/acl: Use ntds_guid for SPN check only when we have a DC object
    
    ntds_guid is NULL otherwise, as it does not make sense for
    an object that is not a DC
    
    Autobuild-User: Kamen Mazdrashki <[email protected]>
    Autobuild-Date: Mon Feb 14 13:15:31 CET 2011 on sn-devel-104

commit 313489507593c7798d41f8cace48e7cc59228a0d
Author: Kamen Mazdrashki <[email protected]>
Date:   Mon Feb 14 11:35:48 2011 +0200

    s4-ldb_modules/acl: Get correct NTDSDSA objectGUID to check SPN for

commit 73972072d7c02ea8eaadd99be4361d7ee0e04d4a
Author: Kamen Mazdrashki <[email protected]>
Date:   Mon Feb 14 11:34:32 2011 +0200

    s4-ldb_modules/util: Implement dsdb_module_find_ntdsguid_for_computer()
    
    as a counterpart for samdb_find_ntdsguid_for_computer()
    to be used in LDB modules

commit 6110887802e8912b2a1d17f0bde9d77c8f12ea87
Author: Kamen Mazdrashki <[email protected]>
Date:   Fri Feb 11 05:42:28 2011 +0200

    s4/ldb_modules/acl.c: Fix calculation for samAccountName string len

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/acl.c  |   32 +++++++++++++++++++++++---------
 source4/dsdb/samdb/ldb_modules/util.c |   30 ++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c 
b/source4/dsdb/samdb/ldb_modules/acl.c
index 69ff2aa..a96ea37 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -450,7 +450,6 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
        char *serviceType;
        char *serviceName;
        const char *realm;
-       const char *guid_str;
        const char *forest_name = samdb_forest_name(ldb, mem_ctx);
        const char *base_domain = samdb_default_domain_name(ldb, mem_ctx);
        struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, 
"loadparm"),
@@ -475,9 +474,6 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
        instanceName = principal->name.name_string.val[1];
        serviceType = principal->name.name_string.val[0];
        realm = krb5_principal_get_realm(krb_ctx, principal);
-       guid_str = talloc_asprintf(mem_ctx,"%s._msdcs.%s",
-                                  ntds_guid,
-                                  forest_name);
        if (principal->name.name_string.len == 3) {
                serviceName = principal->name.name_string.val[2];
        } else {
@@ -507,17 +503,20 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
        }
        /* instanceName can be samAccountName without $ or dnsHostName
         * or "ntds_guid._msdcs.forest_domain for DC objects */
-       if (strncasecmp(instanceName, samAccountName, strlen(samAccountName - 
1)) == 0) {
+       if (strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 
1) == 0) {
                goto success;
        } else if (strcasecmp(instanceName, dnsHostName) == 0) {
                goto success;
        } else if (is_dc) {
+               const char *guid_str;
+               guid_str = talloc_asprintf(mem_ctx,"%s._msdcs.%s",
+                                          ntds_guid,
+                                          forest_name);
                if (strcasecmp(instanceName, guid_str) == 0) {
                        goto success;
                }
-       } else {
-               goto fail;
        }
+
 fail:
        krb5_free_principal(krb_ctx, principal);
        krb5_free_context(krb_ctx);
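Review bot: The corrected `strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1)` still only tests that instanceName begins with samAccountName minus its last character, so an instanceName carrying extra trailing characters also reaches `goto success`, and an empty samAccountName would make the length operand wrap to SIZE_MAX. If the intent is an exact match against the account name without its trailing `$`, compare the length too, e.g. `size_t sam_len = strlen(samAccountName); if (sam_len > 0 && strlen(instanceName) == sam_len - 1 && strncasecmp(instanceName, samAccountName, sam_len - 1) == 0) { goto success; }`. In the new `is_dc` branch, `guid_str` from `talloc_asprintf` goes straight into `strcasecmp` with no NULL check, and `ntds_guid` is presumably NULL whenever the caller did not resolve an NTDSDSA object, so a guard such as `if (ntds_guid == NULL || guid_str == NULL) goto fail;` before the comparison would avoid formatting or comparing a NULL pointer. acl_validate_spn_value starts and ends outside this hunk.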
@@ -549,8 +548,8 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
        const char *samAccountName;
        const char *dnsHostName;
        const char *netbios_name;
-       const struct GUID *ntds = samdb_ntds_objectGUID(ldb);
-       const char *ntds_guid = GUID_string(tmp_ctx, ntds);
+       struct GUID ntds;
+       char *ntds_guid = NULL;
 
        static const char *acl_attrs[] = {
                "samAccountName",
@@ -562,6 +561,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
                "nETBIOSName",
                NULL
        };
+
        /* if we have wp, we can do whatever we like */
        if (acl_check_access_on_attribute(module,
                                          tmp_ctx,
@@ -619,6 +619,20 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
                                         "Error finding element for 
servicePrincipalName.");
        }
 
+       /* NTDSDSA objectGuid of object we are checking SPN for */
+       if (userAccountControl & (UF_SERVER_TRUST_ACCOUNT | 
UF_PARTIAL_SECRETS_ACCOUNT)) {
+               ret = dsdb_module_find_ntdsguid_for_computer(module, tmp_ctx,
+                                                            
req->op.mod.message->dn, &ntds, req);
+               if (ret != LDB_SUCCESS) {
+                       ldb_asprintf_errstring(ldb, "Failed to find NTDSDSA 
objectGuid for %s: %s",
+                                              
ldb_dn_get_linearized(req->op.mod.message->dn),
+                                              ldb_strerror(ret));
+                       talloc_free(tmp_ctx);
+                       return LDB_ERR_OPERATIONS_ERROR;
+               }
+               ntds_guid = GUID_string(tmp_ctx, &ntds);
+       }
+
        for (i=0; i < el->num_values; i++) {
                ret = acl_validate_spn_value(tmp_ctx,
                                             ldb,
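Review bot: `ntds_guid = GUID_string(tmp_ctx, &ntds);` is not checked for NULL before it is passed to acl_validate_spn_value, which formats it with `%s`; add `if (ntds_guid == NULL) { talloc_free(tmp_ctx); return ldb_oom(ldb); }` after the assignment. The error path also replaces `ret` with `LDB_ERR_OPERATIONS_ERROR`, so a `LDB_ERR_NO_SUCH_OBJECT` from a DC-flagged account whose serverReferenceBL or NTDS Settings object does not exist yet is reported as a generic failure and every SPN modification on that account is refused; if that state is legitimate (for example during promotion), consider propagating `ret` or treating no-such-object as "no DC GUID available" and leaving `ntds_guid` NULL. acl_check_spn continues past the end of this hunk.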
diff --git a/source4/dsdb/samdb/ldb_modules/util.c 
b/source4/dsdb/samdb/ldb_modules/util.c
index e3e908f..37ab470 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -607,6 +607,36 @@ int dsdb_check_optional_feature(struct ldb_module *module, 
struct ldb_dn *scope,
 }
 
 /*
+  find the NTDS GUID from a computers DN record
+ */
+int dsdb_module_find_ntdsguid_for_computer(struct ldb_module *module,
+                                          TALLOC_CTX *mem_ctx,
+                                          struct ldb_dn *computer_dn,
+                                          struct GUID *ntds_guid,
+                                          struct ldb_request *parent)
+{
+       int ret;
+       struct ldb_dn *dn;
+
+       *ntds_guid = GUID_zero();
+
+       ret = dsdb_module_reference_dn(module, mem_ctx, computer_dn,
+                                      "serverReferenceBL", &dn, parent);
+       if (ret != LDB_SUCCESS) {
+               return ret;
+       }
+
+       if (!ldb_dn_add_child_fmt(dn, "CN=NTDS Settings")) {
+               talloc_free(dn);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+
+       ret = dsdb_module_guid_by_dn(module, dn, ntds_guid, parent);
+       talloc_free(dn);
+       return ret;
+}
+
+/*
   find a 'reference' DN that points at another object
   (eg. serverReference, rIDManagerReference etc)
  */
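Review bot: The new non-static `dsdb_module_find_ntdsguid_for_computer` is documented only by `find the NTDS GUID from a computers DN record`; its header comment should state the contract a caller needs: that `*ntds_guid` is set to `GUID_zero()` before any lookup so a failing call leaves a zero GUID, that the result is the objectGUID of the `CN=NTDS Settings` child of the object named by `computer_dn`'s `serverReferenceBL`, that `mem_ctx` only holds temporaries freed before return, and that the return value is `LDB_SUCCESS` or the ldb error from the reference or GUID lookup. The diffstat lists only acl.c and util.c, so the prototype acl.c now relies on must come from a generated header; worth confirming that is the case. A minor wording point: `computers` should read `computer's`.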


-- 
Samba Shared Repository
