The branch, master has been updated via 57300bb s4:rpc_server/lsa: remove msDS-TrustForestTrustInfo if FOREST_TRANSITIVE is cleared via cfe6377 s4:rpc_server/lsa: allow LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE to be changed. from a2670f1 winbind: Retry after SESSION_EXPIRED error in ping-dc
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 57300bbf5e5fcb9cb32bd3462e8ed86400b68920 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Jan 5 16:01:16 2015 +0100 s4:rpc_server/lsa: remove msDS-TrustForestTrustInfo if FOREST_TRANSITIVE is cleared Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Simo Sorce <i...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Tue Jan 6 22:50:23 CET 2015 on sn-devel-104 commit cfe6377173ef093cb90b167000b86e6626568b61 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Jan 5 15:59:31 2015 +0100 s4:rpc_server/lsa: allow LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE to be changed. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Simo Sorce <i...@samba.org> ----------------------------------------------------------------------- Summary of changes: source4/rpc_server/lsa/dcesrv_lsa.c | 45 ++++++++++++++++++++++++++++++++----- 1 file changed, 39 insertions(+), 6 deletions(-) Changeset truncated at 500 lines:
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 020360d..cc2048d 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1366,7 +1366,10 @@ static NTSTATUS get_tdo(struct ldb_context *sam, TALLOC_CTX *mem_ctx,
 "securityIdentifier", "trustDirection", "trustType", "trustAttributes", "trustPosixOffset",
- "msDs-supportedEncryptionTypes", NULL };
+ "msDs-supportedEncryptionTypes",
+ "msDS-TrustForestTrustInfo",
+ NULL
+ };
 char *dns = NULL;
 char *nbn = NULL;
 char *sidstr = NULL;
@@ -1621,6 +1624,7 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 bool add_incoming = false;
 bool del_outgoing = false;
 bool del_incoming = false;
+ bool del_forest_info = false;
 bool in_transaction = false;
 int ret;
 bool am_rodc;
@@ -1766,6 +1770,7 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 if (info_ex) {
 uint32_t origattrs;
+ uint32_t changed_attrs;
 uint32_t origdir;
 int origtype;
@@ -1815,13 +1820,34 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 }
 /* TODO: check forestFunctionality from ldb opaque */
 /* TODO: check what is set makes sense */
- /* for now refuse changes */
- if (origattrs == -1 ||
- origattrs != info_ex->trust_attributes) {
- DEBUG(1, ("Attempted to change trust attributes! "
- "Operation not handled\n"));
+
+ changed_attrs = origattrs ^ info_ex->trust_attributes;
+ if (changed_attrs & ~LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
+ /*
+ * For now we only allow
+ * LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE to be changed.
+ *
+ * TODO: we may need to support more attribute changes
+ */
+ DEBUG(1, ("Attempted to change trust attributes "
+ "(0x%08x != 0x%08x)! "
+ "Operation not handled yet...\n",
+ (unsigned)origattrs,
+ (unsigned)info_ex->trust_attributes));
 return NT_STATUS_INVALID_PARAMETER;
 }
+
+ if (!(info_ex->trust_attributes &
+ LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE))
+ {
+ struct ldb_message_element *orig_forest_el = NULL;
+
+ orig_forest_el = ldb_msg_find_element(dom_msg,
+ "msDS-TrustForestTrustInfo");
+ if (orig_forest_el != NULL) {
+ del_forest_info = true;
+ }
+ }
 }
 if (enc_types) {
@@ -1862,6 +1888,13 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 }
 }
 }
+ if (del_forest_info) {
+ ret = ldb_msg_add_empty(msg, "msDS-TrustForestTrustInfo",
+ LDB_FLAG_MOD_REPLACE, NULL);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
 /* start transaction */
 ret = ldb_transaction_start(p_state->sam_ldb);
-- Samba Shared Repository
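Review bot: In the `@@ -1815,13 +1820,34 @@` hunk the explicit `origattrs == -1` rejection is dropped, so a record whose original trustAttributes could not be read is now filtered only by the XOR mask. Assuming -1 is still the fallback when the attribute is missing from dom_msg (that read is outside the hunk), `changed_attrs` is then computed against the sentinel rather than a real value and the mask test no longer rejects it in every case. Keeping the sentinel in the guard restores the old fail-closed behaviour: `if (origattrs == -1 || (changed_attrs & ~LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)) {`. The context TODO about checking forestFunctionality also stays open, and since this change lets the forest-transitive bit be set as well as cleared, that missing check now gates a real change to the trust boundary. setInfoTrustedDomain_base starts and ends outside the hunk.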
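Review bot: The `del_forest_info` block in the `@@ -1862,6 +1888,13 @@` hunk removes the trust's stored forest trust information with no log line and no comment explaining why a REPLACE is used for a deletion. Anyone later auditing why that attribute vanished from a trusted domain object has nothing to go on, so I would add a comment such as `/* empty REPLACE drops the attribute; FOREST_TRANSITIVE is not set on the new attributes */` and a message such as `DEBUG(3, ("Removing msDS-TrustForestTrustInfo, FOREST_TRANSITIVE not set\n"));` inside the block. The decision is also taken from dom_msg before `ldb_transaction_start()`, which looks harmless for an unconditional empty REPLACE but is worth a one-line remark in that comment. The function continues outside the hunk.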