The branch, master has been updated
       via  5064876 s4-cracknames: fixed cracknames to use more specific search
       via  843de63 s4-cldap: fixed cldap search based on dom_sid
       via  3fbdd3f ndr: range check on push of dom_sid blob
       via  ef3d860 s4-ldb: allow decoding of trustAuthIncoming and trustAuthOutgoing
       via  b5c7eb9 heimdal: Try to handle the PAC checking when we are in a cross-realm environment
       via  17fa96b s4-samdb: added a few function comments for pydoc
       via  957e1ed s4-provision: these substitutions are not used any more
       via  7d94c8a drsblobs: fixed alignment of drs blobs authentication information
       via  cd8dcf6 s4-torture: enable password comparison in drsblobs test
       via  bee8daf s4-torture: fixed a ndr string error
       via  5422db8 s4-s3-upgrade Fix error handling in add_users_to_group
       via  1afeb4e s4-schema consolidate schema handling
      from  ad37341 s3-spoolssd: Remove stale printers only on a valid pcap update.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 50648760e786c0f1c7236344c31592ab586773dd
Author: Andrew Tridgell <[email protected]>
Date:   Mon Sep 5 16:46:35 2011 +1000

    s4-cracknames: fixed cracknames to use more specific search
    
    this uses the bitwise comparison ldap operators to ensure we only get
    NC roots
    
    Pair-Programmed-With: Andrew Bartlett <[email protected]>
    
    Autobuild-User: Andrew Bartlett <[email protected]>
    Autobuild-Date: Mon Sep  5 12:48:39 CEST 2011 on sn-devel-104

commit 843de63fa547601bc7ab0f4b3a57022720c83c61
Author: Andrew Tridgell <[email protected]>
Date:   Mon Sep 5 16:42:09 2011 +1000

    s4-cldap: fixed cldap search based on dom_sid
    
    we were not filling in the sid pointer correctly for the ldb_search
    
    Pair-Programmed-With: Andrew Bartlett <[email protected]>

commit 3fbdd3fa0164814b74409a11e67b3b708bb2a458
Author: Andrew Tridgell <[email protected]>
Date:   Mon Sep 5 16:41:21 2011 +1000

    ndr: range check on push of dom_sid blob
    
    this ensures we get an error if we try to push a dom_sid with too many
    sub_auths
    
    Pair-Programmed-With: Andrew Bartlett <[email protected]>

commit ef3d860b2e8afa9895f0b3a954807c6b9b059262
Author: Andrew Tridgell <[email protected]>
Date:   Mon Sep 5 16:40:19 2011 +1000

    s4-ldb: allow decoding of trustAuthIncoming and trustAuthOutgoing
    
    this allows --show-binary to display trustAuthOutgoing and
    trustAuthIncoming NDR blobs. Useful for debugging trust issues
    
    Pair-Programmed-With: Andrew Bartlett <[email protected]>

commit b5c7eb909f21efd8abe212202236388ad6e8e7f9
Author: Andrew Bartlett <[email protected]>
Date:   Mon Sep 5 12:17:11 2011 +1000

    heimdal: Try to handle the PAC checking when we are in a cross-realm environment

commit 17fa96b64a2aa55a204209c031d6e5e514e17a7c
Author: Andrew Tridgell <[email protected]>
Date:   Fri Sep 2 14:42:50 2011 +1000

    s4-samdb: added a few function comments for pydoc
    
    Pair-Programmed-With: Andrew Bartlett <[email protected]>

commit 957e1ed2a7c484339cd1eec5523336fd7b629897
Author: Andrew Tridgell <[email protected]>
Date:   Fri Sep 2 12:02:19 2011 +1000

    s4-provision: these substitutions are not used any more
    
    we now create partitions dynamically
    
    Pair-Programmed-With: Amitay Isaacs <[email protected]>

commit 7d94c8ae198e3342d039d6e5dd8c6cdaa2622ebf
Author: Andrew Tridgell <[email protected]>
Date:   Fri Sep 2 12:01:19 2011 +1000

    drsblobs: fixed alignment of drs blobs authentication information
    
    the two types of ndr flags were being mixed up, so NDR_BUFFERS was
    being interpreted as LIBNDR_FLAG_NOALIGN
    
    Pair-Programmed-With: Andrew Bartlett <[email protected]>

commit cd8dcf6d61a554ddac1a632f5bea855c4af1d558
Author: Andrew Tridgell <[email protected]>
Date:   Fri Sep 2 11:58:59 2011 +1000

    s4-torture: enable password comparison in drsblobs test
    
    I'm not sure why this was commented out, as it does pass
    
    Pair-Programmed-With: Andrew Bartlett <[email protected]>

commit bee8daf9a8fbffc2c71697fa2020dbbe1226b5a8
Author: Andrew Tridgell <[email protected]>
Date:   Fri Sep 2 11:58:27 2011 +1000

    s4-torture: fixed a ndr string error
    
    the dos charset global changes with the new loadparm context
    
    Pair-Programmed-With: Andrew Bartlett <[email protected]>

commit 5422db82e3c250add94357a4371c3db31b220be4
Author: Andrew Bartlett <[email protected]>
Date:   Mon Sep 5 18:10:37 2011 +1000

    s4-s3-upgrade Fix error handling in add_users_to_group

commit 1afeb4e391c99fa3513d460d3a8f08d9609f5a7e
Author: Andrew Bartlett <[email protected]>
Date:   Thu Aug 25 11:39:03 2011 +1000

    s4-schema consolidate schema handling
    
    It also creates a single routine dsdb_load_ldb_results_into_schema()
    to handle cases where the schema is in the form of an ldb_result.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb-samba/ldif_handlers.c                      |   22 ++++++++
 lib/ldb-samba/ldif_handlers.h                      |    1 +
 librpc/ndr/ndr_drsblobs.c                          |   10 ++--
 librpc/ndr/ndr_sec_helper.c                        |    5 ++-
 source4/cldap_server/netlogon.c                    |   19 ++-----
 source4/dsdb/samdb/cracknames.c                    |   25 ++++-----
 source4/dsdb/samdb/ldb_modules/schema_load.c       |   26 ++-------
 source4/dsdb/schema/schema_init.c                  |   56 +++++++++++--------
 source4/heimdal/kdc/krb5tgs.c                      |   11 ++++-
 .../scripting/python/samba/provision/__init__.py   |    5 +--
 source4/scripting/python/samba/samdb.py            |    3 +
 source4/scripting/python/samba/upgrade.py          |    7 ++-
 source4/torture/drs/drs_util.c                     |   46 ++++------------
 source4/torture/ndr/drsblobs.c                     |    4 +-
 source4/torture/ndr/string.c                       |    2 +-
 15 files changed, 118 insertions(+), 124 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb-samba/ldif_handlers.c b/lib/ldb-samba/ldif_handlers.c
index 6ca419b..37e6966 100644
--- a/lib/ldb-samba/ldif_handlers.c
+++ b/lib/ldb-samba/ldif_handlers.c
@@ -927,6 +927,19 @@ static int ldif_write_supplementalCredentialsBlob(struct 
ldb_context *ldb, void
                              true);
 }
 
+/*
+  convert a NDR formatted blob to a ldif formatted trustAuthInOutBlob
+*/
+static int ldif_write_trustAuthInOutBlob(struct ldb_context *ldb, void 
*mem_ctx,
+                                          const struct ldb_val *in, struct 
ldb_val *out)
+{
+       return ldif_write_NDR(ldb, mem_ctx, in, out,
+                             sizeof(struct trustAuthInOutBlob),
+                             (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob,
+                             (ndr_print_fn_t)ndr_print_trustAuthInOutBlob,
+                             true);
+}
+
 
 static int extended_dn_write_hex(struct ldb_context *ldb, void *mem_ctx,
                                 const struct ldb_val *in, struct ldb_val *out)
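Review bot: the attribute this handler decodes carries the trust AuthenticationInformation (the same blob ndr_drsblobs.c pushes further down in this changeset), so its pretty-printed form is as sensitive as the supplementalCredentials output from the handler directly above it; a one-line comment stating that the decoded form is meant for --show-binary debugging only, not for normal ldif export or logs, would make that explicit. Style: the added `+` blank line after the closing brace plus the existing empty line leaves two blank lines before extended_dn_write_hex().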
@@ -1280,6 +1293,13 @@ static const struct ldb_schema_syntax samba_syntaxes[] = 
{
                .comparison_fn    = ldb_comparison_binary,
                .operator_fn      = samba_syntax_operator_fn
        },{
+               .name             = LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB,
+               .ldif_read_fn     = ldb_handler_copy,
+               .ldif_write_fn    = ldif_write_trustAuthInOutBlob,
+               .canonicalise_fn  = ldb_handler_copy,
+               .comparison_fn    = ldb_comparison_binary,
+               .operator_fn      = samba_syntax_operator_fn
+       },{
                .name             = DSDB_SYNTAX_BINARY_DN,
                .ldif_read_fn     = ldb_handler_copy,
                .ldif_write_fn    = ldb_handler_copy,
@@ -1395,6 +1415,8 @@ static const struct {
        { "repsTo",                     LDB_SYNTAX_SAMBA_REPSFROMTO },
        { "replPropertyMetaData",       LDB_SYNTAX_SAMBA_REPLPROPERTYMETADATA },
        { "replUpToDateVector",         LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR },
+       { "trustAuthIncoming",          LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB },
+       { "trustAuthOutgoing",          LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB },
        { "rIDAllocationPool",          LDB_SYNTAX_SAMBA_RANGE64 },
        { "rIDPreviousAllocationPool",  LDB_SYNTAX_SAMBA_RANGE64 },
        { "rIDAvailablePool",           LDB_SYNTAX_SAMBA_RANGE64 },
diff --git a/lib/ldb-samba/ldif_handlers.h b/lib/ldb-samba/ldif_handlers.h
index 75ae7bd..e9669ab 100644
--- a/lib/ldb-samba/ldif_handlers.h
+++ b/lib/ldb-samba/ldif_handlers.h
@@ -15,6 +15,7 @@
 #define LDB_SYNTAX_SAMBA_DNSRECORD             "LDB_SYNTAX_SAMBA_DNSRECORD"
 #define LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS 
"LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS"
 #define LDB_SYNTAX_SAMBA_SDDL_SECURITY_DESCRIPTOR "LDB_SYNTAX_SAMBA_SDDL"
+#define LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB     
"LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB"
 #include "lib/ldb-samba/ldif_handlers_proto.h"
 
 #undef _PRINTF_ATTRIBUTE
diff --git a/librpc/ndr/ndr_drsblobs.c b/librpc/ndr/ndr_drsblobs.c
index 32176a7..1392b98 100644
--- a/librpc/ndr/ndr_drsblobs.c
+++ b/librpc/ndr/ndr_drsblobs.c
@@ -32,7 +32,7 @@ _PUBLIC_ enum ndr_err_code 
ndr_push_AuthenticationInformationArray(struct ndr_pu
                for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) 
{
                        NDR_CHECK(ndr_push_AuthenticationInformation(ndr, 
NDR_SCALARS, &r->array[cntr_array_0]));
                }
-               NDR_CHECK(ndr_push_trailer_align(ndr, 4));
+               NDR_CHECK(ndr_push_align(ndr, 4));
        }
        if (ndr_flags & NDR_BUFFERS) {
        }
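Review bot: ndr_push_trailer_align() and ndr_push_align() are different alignment primitives, and this function is hand-maintained pidl-style code, so the swap here (and the matching one in ndr_pull_AuthenticationInformationArray below) needs a comment explaining why plain alignment is wanted at the end of the array; without it the next regeneration from the IDL will silently reintroduce the trailer_align call.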
@@ -51,7 +51,7 @@ _PUBLIC_ enum ndr_err_code 
ndr_pull_AuthenticationInformationArray(struct ndr_pu
                        NDR_CHECK(ndr_pull_AuthenticationInformation(ndr, 
NDR_SCALARS, &r->array[r->count]));
                        r->count++;
                }
-               NDR_CHECK(ndr_pull_trailer_align(ndr, 4));
+               NDR_CHECK(ndr_pull_align(ndr, 4));
        }
        if (ndr_flags & NDR_BUFFERS) {
        }
@@ -64,12 +64,12 @@ _PUBLIC_ enum ndr_err_code 
ndr_push_trustAuthInOutBlob(struct ndr_push *ndr, int
                NDR_CHECK(ndr_push_align(ndr, 4));
                NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->count));
                NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, (r->count > 
0)?12:0));
-               NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, (r->count > 0)?12 + 
ndr_size_AuthenticationInformationArray(&r->current, ndr_flags):0));
+               NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, (r->count > 0)?12 + 
ndr_size_AuthenticationInformationArray(&r->current, 0):0));
                {
                        struct ndr_push *_ndr_current;
-                       NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_current, 
0, ((r->count > 0)?12 + ndr_size_AuthenticationInformationArray(&r->current, 
ndr_flags):0) - ((r->count > 0)?12:0)));
+                       NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_current, 
0, ((r->count > 0)?12 + ndr_size_AuthenticationInformationArray(&r->current, 
0):0) - ((r->count > 0)?12:0)));
                        
NDR_CHECK(ndr_push_AuthenticationInformationArray(_ndr_current, NDR_SCALARS, 
&r->current));
-                       NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_current, 0, 
((r->count > 0)?12 + ndr_size_AuthenticationInformationArray(&r->current, 
ndr_flags):0) - ((r->count > 0)?12:0)));
+                       NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_current, 0, 
((r->count > 0)?12 + ndr_size_AuthenticationInformationArray(&r->current, 0):0) 
- ((r->count > 0)?12:0)));
                }
                {
                        uint32_t _flags_save_AuthenticationInformationArray = 
ndr->flags;
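Review bot: the corrected size expression `(r->count > 0)?12 + ndr_size_AuthenticationInformationArray(&r->current, 0):0` is now repeated three times (size field, subcontext start, subcontext end); computing it once into a local such as `uint32_t current_size` removes the copy-paste surface that let `ndr_flags` be passed as a libndr flags argument in the first place. A short comment on why 0 rather than ndr->flags is passed would also help, since pidl-generated code passes ndr->flags to ndr_size_*() at that position.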
diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c
index ff8588d..984b6bd 100644
--- a/librpc/ndr/ndr_sec_helper.c
+++ b/librpc/ndr/ndr_sec_helper.c
@@ -314,6 +314,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_dom_sid(struct ndr_push 
*ndr, int ndr_flags,
                NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->sid_rev_num));
                NDR_CHECK(ndr_push_int8(ndr, NDR_SCALARS, r->num_auths));
                NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->id_auth, 
6));
+               if (r->num_auths < 0 || r->num_auths > 
ARRAY_SIZE(r->sub_auths)) {
+                       return ndr_push_error(ndr, NDR_ERR_RANGE, "value out of 
range");
+               }
                for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < r->num_auths; 
cntr_sub_auths_0++) {
                        NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 
r->sub_auths[cntr_sub_auths_0]));
                }
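Review bot: the new bound stops the loop below from reading past r->sub_auths[] when a caller hands in a dom_sid with an oversized num_auths, but `r->num_auths > ARRAY_SIZE(r->sub_auths)` compares a signed int8 with an unsigned size_t and may trip -Wsign-compare; casting after the `< 0` test, `(size_t)r->num_auths > ARRAY_SIZE(r->sub_auths)`, avoids that. Consider also moving the check ahead of the first NDR_CHECK push so a rejected SID writes nothing into the buffer.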
@@ -328,7 +331,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dom_sid(struct ndr_pull 
*ndr, int ndr_flags,
                NDR_CHECK(ndr_pull_align(ndr, 4));
                NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sid_rev_num));
                NDR_CHECK(ndr_pull_int8(ndr, NDR_SCALARS, &r->num_auths));
-               if (r->num_auths < 0 || r->num_auths > 15) {
+               if (r->num_auths < 0 || r->num_auths > 
ARRAY_SIZE(r->sub_auths)) {
                        return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of 
range");
                }
                NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, 
6));
diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c
index 77f50ff..c9c92f6 100644
--- a/source4/cldap_server/netlogon.c
+++ b/source4/cldap_server/netlogon.c
@@ -134,22 +134,11 @@ NTSTATUS fill_netlogon_samlogon_response(struct 
ldb_context *sam_ctx,
                                                 
"(&(objectCategory=DomainDNS)(objectGUID=%s))", 
                                                 ldb_binary_encode(mem_ctx, 
guid_val));
                } else { /* domain_sid case */
-                       struct dom_sid *sid;
-                       struct ldb_val sid_val;
-                       enum ndr_err_code ndr_err;
-                       
-                       /* Rather than go via the string, just push into the 
NDR form */
-                       ndr_err = ndr_push_struct_blob(&sid_val, mem_ctx, &sid,
-                                                      
(ndr_push_flags_fn_t)ndr_push_dom_sid);
-                       if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-                               return NT_STATUS_INVALID_PARAMETER;
-                       }
-
                        ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
-                                                NULL, LDB_SCOPE_SUBTREE, 
-                                                dom_attrs, 
-                                                
"(&(objectCategory=DomainDNS)(objectSid=%s))",
-                                                ldb_binary_encode(mem_ctx, 
sid_val));
+                                        NULL, LDB_SCOPE_SUBTREE,
+                                        dom_attrs,
+                                        
"(&(objectCategory=DomainDNS)(objectSid=%s))",
+                                        dom_sid_string(mem_ctx, domain_sid));
                }
                
                if (ret != LDB_SUCCESS) {
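Review bot: dom_sid_string(mem_ctx, domain_sid) can return NULL on allocation failure and its result goes straight into the filter via %s; the removed branch returned NT_STATUS_INVALID_PARAMETER on its failure path, so add a NULL check (NT_STATUS_NO_MEMORY) before the ldb_search to keep an error path here. Passing the string form without ldb_binary_encode() is fine since a SID string contains only digits and dashes, and it does away with the uninitialised `sid` pointer the old ndr_push_struct_blob() call was pushing.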
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index 1e70a77..105de56 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -299,12 +299,14 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, 
TALLOC_CTX *mem_ctx,
                                         principal);
 
        ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
-                                    samdb_partitions_dn(sam_ctx, mem_ctx), 
-                                    LDB_SCOPE_ONELEVEL,
-                                    domain_attrs,
-                                    
"(&(&(|(&(dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*))",
-                                    ldb_binary_encode_string(mem_ctx, realm), 
-                                    ldb_binary_encode_string(mem_ctx, realm));
+                            samdb_partitions_dn(sam_ctx, mem_ctx),
+                            LDB_SCOPE_ONELEVEL,
+                            domain_attrs,
+                            
"(&(objectClass=crossRef)(|(dnsRoot=%s)(netbiosName=%s))(systemFlags:%s:=%u))",
+                            ldb_binary_encode_string(mem_ctx, realm),
+                            ldb_binary_encode_string(mem_ctx, realm),
+                            LDB_OID_COMPARATOR_AND,
+                            SYSTEM_FLAG_CR_NTDS_DOMAIN);
 
        if (ldb_ret != LDB_SUCCESS) {
                DEBUG(2, ("DsCrackNameUPN domain ref search failed: %s\n", 
ldb_errstring(sam_ctx)));
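Review bot: the filter `(&(objectClass=crossRef)(|(dnsRoot=%s)(netbiosName=%s))(systemFlags:%s:=%u))` with LDB_OID_COMPARATOR_AND and SYSTEM_FLAG_CR_NTDS_DOMAIN is built again verbatim in the DsCrackNameOneName hunk below; a single shared helper or #define would keep the two search paths identical when the flag or comparator changes. The attribute casing also moved from nETBIOSName to netbiosName; LDAP matching is case-insensitive so it works, but the rest of the file uses the schema's casing.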
@@ -464,7 +466,6 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, 
TALLOC_CTX *mem_ctx,
        case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
                char *p;
                char *domain;
-               struct ldb_dn *dn_domain;
                const char *account = NULL;
 
                domain = talloc_strdup(mem_ctx, name);
@@ -482,14 +483,12 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, 
TALLOC_CTX *mem_ctx,
                        account = &p[1];
                }
 
-               /* it could be in DNS domain form */
-               dn_domain = samdb_dns_domain_to_dn(sam_ctx, mem_ctx, domain);
-               W_ERROR_HAVE_NO_MEMORY(dn_domain);
-
                domain_filter = talloc_asprintf(mem_ctx, 
-                                               
"(&(&(|(nETBIOSName=%s)(nCName=%s))(objectclass=crossRef))(ncName=*))",
+                                               
"(&(objectClass=crossRef)(|(dnsRoot=%s)(netbiosName=%s))(systemFlags:%s:=%u))",
+                                               
ldb_binary_encode_string(mem_ctx, domain),
                                                
ldb_binary_encode_string(mem_ctx, domain),
-                                               
ldb_dn_get_linearized(dn_domain));
+                                               LDB_OID_COMPARATOR_AND,
+                                               SYSTEM_FLAG_CR_NTDS_DOMAIN);
                W_ERROR_HAVE_NO_MEMORY(domain_filter);
                if (account) {
                        result_filter = talloc_asprintf(mem_ctx, 
"(sAMAccountName=%s)",
diff --git a/source4/dsdb/samdb/ldb_modules/schema_load.c 
b/source4/dsdb/samdb/ldb_modules/schema_load.c
index b7b5f6b..ec574b3 100644
--- a/source4/dsdb/samdb/ldb_modules/schema_load.c
+++ b/source4/dsdb/samdb/ldb_modules/schema_load.c
@@ -150,8 +150,7 @@ static int dsdb_schema_from_db(struct ldb_module *module, 
struct ldb_dn *schema_
        char *error_string;
        int ret;
        struct ldb_result *schema_res;
-       struct ldb_result *a_res;
-       struct ldb_result *c_res;
+       struct ldb_result *res;
        static const char *schema_attrs[] = {
                "prefixMap",
                "schemaInfo",
@@ -190,36 +189,21 @@ static int dsdb_schema_from_db(struct ldb_module *module, 
struct ldb_dn *schema_
        /*
         * load the attribute definitions
         */
-       ret = dsdb_module_search(module, tmp_ctx, &a_res,
-                                schema_dn, LDB_SCOPE_ONELEVEL, NULL,
-                                DSDB_FLAG_NEXT_MODULE,
-                                NULL,
-                                "(objectClass=attributeSchema)");
-       if (ret != LDB_SUCCESS) {
-               ldb_asprintf_errstring(ldb, 
-                                      "dsdb_schema: failed to search 
attributeSchema objects: %s",
-                                      ldb_errstring(ldb));
-               goto failed;
-       }
-
-       /*
-        * load the objectClass definitions
-        */
-       ret = dsdb_module_search(module, tmp_ctx, &c_res,
+       ret = dsdb_module_search(module, tmp_ctx, &res,
                                 schema_dn, LDB_SCOPE_ONELEVEL, NULL,
                                 DSDB_FLAG_NEXT_MODULE |
                                 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT,
                                 NULL,
-                                "(objectClass=classSchema)");
+                                
"(|(objectClass=attributeSchema)(objectClass=classSchema))");
        if (ret != LDB_SUCCESS) {
                ldb_asprintf_errstring(ldb, 
-                                      "dsdb_schema: failed to search 
classSchema objects: %s",
+                                      "dsdb_schema: failed to search 
attributeSchema and classSchema objects: %s",
                                       ldb_errstring(ldb));
                goto failed;
        }
 
        ret = dsdb_schema_from_ldb_results(tmp_ctx, ldb,
-                                          schema_res, a_res, c_res, schema, 
&error_string);
+                                          schema_res, res, schema, 
&error_string);
        if (ret != LDB_SUCCESS) {
                ldb_asprintf_errstring(ldb, 
                                       "dsdb_schema load failed: %s",
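Review bot: merging the two searches changes the flags under which attributeSchema objects are fetched: the removed attribute search used DSDB_FLAG_NEXT_MODULE only, while the combined search also passes DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT, which previously applied to classSchema only. If storage-format DNs are intended for attribute definitions too, say so in the commit message; otherwise the attribute loader now sees DNs in a different form than before.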
diff --git a/source4/dsdb/schema/schema_init.c 
b/source4/dsdb/schema/schema_init.c
index 70d177c..0a9dedf 100644
--- a/source4/dsdb/schema/schema_init.c
+++ b/source4/dsdb/schema/schema_init.c
@@ -775,6 +775,33 @@ WERROR dsdb_class_from_ldb(struct dsdb_schema *schema,
 #define dsdb_oom(error_string, mem_ctx) *error_string = 
talloc_asprintf(mem_ctx, "dsdb out of memory at %s:%d\n", __FILE__, __LINE__)
 
 /* 
+ Fill a DSDB schema from the ldb results provided.  This is called
+ directly when a schema must be created with a pre-initialised prefixMap
+*/
+
+int dsdb_load_ldb_results_into_schema(TALLOC_CTX *mem_ctx, struct ldb_context 
*ldb,
+                                     struct dsdb_schema *schema,
+                                     struct ldb_result *attrs_class_res,
+                                     char **error_string)
+{
+       unsigned int i;
+
+       for (i=0; i < attrs_class_res->count; i++) {
+               WERROR status = dsdb_schema_set_el_from_ldb_msg(ldb, schema, 
attrs_class_res->msgs[i]);
+               if (!W_ERROR_IS_OK(status)) {
+                       *error_string = talloc_asprintf(mem_ctx,
+                                     "dsdb_load_ldb_results_into_schema: 
failed to load attribute or class definition: %s:%s",
+                                     
ldb_dn_get_linearized(attrs_class_res->msgs[i]->dn),
+                                     win_errstr(status));
+                       DEBUG(0,(__location__ ": %s\n", *error_string));
+                       return LDB_ERR_CONSTRAINT_VIOLATION;
+               }
+       }
+
+       return LDB_SUCCESS;
+}
+
+/*
  Create a DSDB schema from the ldb results provided.  This is called
  directly when the schema is provisioned from an on-disk LDIF file, or
  from dsdb_schema_from_schema_dn in schema_fsmo
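Review bot: dsdb_load_ldb_results_into_schema() becomes a public entry point (the torture code later in this changeset calls it with its own ldb_result), so the header comment should state that `mem_ctx` is used only for *error_string and that the result set must contain only attributeSchema and classSchema messages, since dsdb_schema_set_el_from_ldb_msg() is the only dispatch and any other object aborts the whole load with LDB_ERR_CONSTRAINT_VIOLATION. The error text now names the right function instead of the old "schema_fsmo_init:" prefix, which is an improvement.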
@@ -782,16 +809,16 @@ WERROR dsdb_class_from_ldb(struct dsdb_schema *schema,
 
 int dsdb_schema_from_ldb_results(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
                                 struct ldb_result *schema_res,
-                                struct ldb_result *attrs_res, struct 
ldb_result *objectclass_res, 
+                                struct ldb_result *attrs_class_res,
                                 struct dsdb_schema **schema_out,
                                 char **error_string)
 {
        WERROR status;
-       unsigned int i;
        const struct ldb_val *prefix_val;
        const struct ldb_val *info_val;
        struct ldb_val info_val_default;
        struct dsdb_schema *schema;
+       int ret;
 
        schema = dsdb_new_schema(mem_ctx);
        if (!schema) {
@@ -830,28 +857,9 @@ int dsdb_schema_from_ldb_results(TALLOC_CTX *mem_ctx, 
struct ldb_context *ldb,
                return LDB_ERR_CONSTRAINT_VIOLATION;
        }
 
-       for (i=0; i < attrs_res->count; i++) {
-               status = dsdb_attribute_from_ldb(ldb, schema, 
attrs_res->msgs[i]);
-               if (!W_ERROR_IS_OK(status)) {
-                       *error_string = talloc_asprintf(mem_ctx, 
-                                     "schema_fsmo_init: failed to load 
attribute definition: %s:%s",
-                                     
ldb_dn_get_linearized(attrs_res->msgs[i]->dn),
-                                     win_errstr(status));
-                       DEBUG(0,(__location__ ": %s\n", *error_string));
-                       return LDB_ERR_CONSTRAINT_VIOLATION;
-               }
-       }
-
-       for (i=0; i < objectclass_res->count; i++) {
-               status = dsdb_class_from_ldb(schema, objectclass_res->msgs[i]);
-               if (!W_ERROR_IS_OK(status)) {
-                       *error_string = talloc_asprintf(mem_ctx, 
-                                     "schema_fsmo_init: failed to load class 
definition: %s:%s",
-                                     
ldb_dn_get_linearized(objectclass_res->msgs[i]->dn),
-                                     win_errstr(status));
-                       DEBUG(0,(__location__ ": %s\n", *error_string));
-                       return LDB_ERR_CONSTRAINT_VIOLATION;
-               }
+       ret = dsdb_load_ldb_results_into_schema(mem_ctx, ldb, schema, 
attrs_class_res, error_string);
+       if (ret != LDB_SUCCESS) {
+               return ret;
        }
 
        schema->fsmo.master_dn = ldb_msg_find_attr_as_dn(ldb, schema, 
schema_res->msgs[0], "fSMORoleOwner");
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 6aad65d..7955876 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1508,6 +1508,7 @@ tgs_build_reply(krb5_context context,
 
     Key *tkey_check;
     Key *tkey_sign;
+    Key *tkey_krbtgt_check = NULL;
     int flags = HDB_F_FOR_TGS_REQ;
 
     memset(&sessionkey, 0, sizeof(sessionkey));
@@ -1781,6 +1782,13 @@ server_lookup:
        goto out;
     }
 
+    /* Check if we would know the krbtgt key for the PAC.  We would
+     * only know this if the krbtgt principal was the same (ie, in our
+     * realm, regardless of KVNO) */
+    if (krb5_principal_compare(context, krbtgt_out->entry.principal, 
krbtgt->entry.principal)) {
+       tkey_krbtgt_check = tkey_check;
+    }
+
     ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
                        NULL, &clientdb, &client);
     if(ret == HDB_ERR_NOT_FOUND_HERE) {
@@ -1813,7 +1821,8 @@ server_lookup:
 
     ret = check_PAC(context, config, cp, NULL,
                    client, server, krbtgt,
-                   &tkey_check->key, &tkey_check->key,
+                   &tkey_check->key,
+                   tkey_krbtgt_check ? &tkey_krbtgt_check->key : NULL,
                    ekey, &tkey_sign->key,
                    tgt, &rspac, &signedpath);
     if (ret) {
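Review bot: passing NULL as the krbtgt key whenever the TGT's krbtgt principal is not ours means check_PAC() can only verify the server checksum with tkey_check for a cross-realm TGT, so check_PAC() must treat a NULL second key as "skip the KDC-signature check" and nothing more; a comment at this call site saying so, and a test exercising a foreign-realm TGT, would make the reduced verification visible to the next reader. As the comment in the previous hunk notes, the principal comparison deliberately ignores the kvno, so tkey_check is reused unchanged in the same-realm case.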
diff --git a/source4/scripting/python/samba/provision/__init__.py 
b/source4/scripting/python/samba/provision/__init__.py
index 1799663..61d016c 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -816,10 +816,7 @@ def setup_samdb_partitions(samdb_path, logger, lp, 
session_info,
     try:
         logger.info("Setting up sam.ldb partitions and settings")
         setup_add_ldif(samdb, setup_path("provision_partitions.ldif"), {
-                "SCHEMADN": ldb.Dn(schema.ldb, names.schemadn).get_casefold(),
-                "CONFIGDN": ldb.Dn(schema.ldb, names.configdn).get_casefold(),
-                "DOMAINDN": ldb.Dn(schema.ldb, names.domaindn).get_casefold(),
-                "LDAP_BACKEND_LINE": ldap_backend_line,
+                "LDAP_BACKEND_LINE": ldap_backend_line
         })
 
 
diff --git a/source4/scripting/python/samba/samdb.py 
b/source4/scripting/python/samba/samdb.py
index 794479f..5cceb06 100644
--- a/source4/scripting/python/samba/samdb.py
+++ b/source4/scripting/python/samba/samdb.py
@@ -63,6 +63,7 @@ class SamDB(samba.Ldb):
             dsdb._dsdb_set_am_rodc(self, am_rodc)
 
     def connect(self, url=None, flags=0, options=None):
+        '''connect to the database'''
         if self.lp is not None and not os.path.exists(url):
             url = self.lp.private_path(url)
         self.url = url
@@ -71,9 +72,11 @@ class SamDB(samba.Ldb):
                 options=options)
 
     def am_rodc(self):
+        '''return True if we are an RODC'''
         return dsdb._am_rodc(self)
 
     def domain_dn(self):
+        '''return the domain DN'''
         return str(self.get_default_basedn())
 
     def enable_account(self, search_filter):
diff --git a/source4/scripting/python/samba/upgrade.py 
b/source4/scripting/python/samba/upgrade.py
index 58be991..7b0c062 100644
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -207,8 +207,11 @@ def add_users_to_group(samdb, group, members, logger):
 
         try:
             samdb.modify(m)
-        except ldb.LdbError, e:
-            logger.warn("Could not add member to group '%s'", groupmap.nt_name)
+        except ldb.LdbError, (ecode, emsg):
+            if ecode == ldb.ERR_NO_SUCH_OBJECT:
+                logger.warn("Could not add member '%s' to group '%s' as either 
group or user record doesn't exist: %s", member_sid, group.sid, emsg)
+            else:
+                logger.warn("Could not add member '%s' to group '%s': %s", 
member_sid, group.sid, emsg)
 
 
 def import_wins(samba4_winsdb, samba3_winsdb):
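Review bot: the removed handler logged `groupmap.nt_name`, which is not among add_users_to_group()'s parameters (samdb, group, members, logger), so unless it is a module-level name the except path itself raised NameError; the new code fixes that, but `except ldb.LdbError, (ecode, emsg):` is Python 2-only tuple-unpacking syntax, and `except ldb.LdbError as e:` followed by `(ecode, emsg) = e.args` works on both Python 2.6+ and 3.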
diff --git a/source4/torture/drs/drs_util.c b/source4/torture/drs/drs_util.c
index 8773745..9a07150 100644
--- a/source4/torture/drs/drs_util.c
+++ b/source4/torture/drs/drs_util.c
@@ -112,11 +112,10 @@ bool drs_util_dsdb_schema_load_ldb(struct torture_context 
*tctx,
                                   const struct drsuapi_DsReplicaOIDMapping_Ctr 
*mapping_ctr,
                                   bool reload_schema)
 {
-       int i, ret;
+       int ret;
        WERROR werr;
-       const char *err_msg;
-       struct ldb_result *a_res;
-       struct ldb_result *c_res;
+       char *err_msg;
+       struct ldb_result *res;
        struct ldb_dn *schema_dn;
        struct dsdb_schema *ldap_schema;
 
@@ -137,50 +136,27 @@ bool drs_util_dsdb_schema_load_ldb(struct torture_context 
*tctx,
                               "Failed to construct prefixMap from drsuapi 
data");
 
        /*
-        * load the attribute definitions
+        * load the attribute and objectClass definitions
         */
-       ret = ldb_search(ldb, ldap_schema, &a_res,
+       ret = ldb_search(ldb, ldap_schema, &res,
                         schema_dn, LDB_SCOPE_ONELEVEL, NULL,
-                        "(objectClass=attributeSchema)");
+                        
"(|(objectClass=attributeSchema)(objectClass=classSchema))");
        if (ret != LDB_SUCCESS) {
                err_msg = talloc_asprintf(tctx,
-                                         "failed to search attributeSchema 
objects: %s",
+                                         "failed to search attributeSchema or 
classSchema objects: %s",
                                          ldb_errstring(ldb));
                torture_fail(tctx, err_msg);
        }
 
-       /*
-        * load the objectClass definitions
-        */
-       ret = ldb_search(ldb, ldap_schema, &c_res,
-                        schema_dn, LDB_SCOPE_ONELEVEL, NULL,
-                        "(objectClass=classSchema)");
+       ret = dsdb_load_ldb_results_into_schema(tctx, ldb, ldap_schema, res, 
&err_msg);
        if (ret != LDB_SUCCESS) {
                err_msg = talloc_asprintf(tctx,
-                                         "failed to search classSchema 
objects: %s",
-                                         ldb_errstring(ldb));
+                                         "dsdb_load_ldb_results_into_schema 
failed: %s",
+                                         err_msg);
                torture_fail(tctx, err_msg);
        }
 
-       /* Build schema */
-       for (i=0; i < a_res->count; i++) {
-               werr = dsdb_attribute_from_ldb(ldb, ldap_schema, 
a_res->msgs[i]);
-               torture_assert_werr_ok(tctx, werr,


-- 
Samba Shared Repository
