The branch, v4-2-test has been updated
       via  837c146 s3: auth - tests: Add test for "force user" being a unix-only user, not in passdb.
       via  c789398 s3: auth: Add previously missing allocation fail check.
       via  a9e58a2 s3: auth: Plumb in the SamInfo3_handle_sids() utility function into passwd_to_SamInfo3().
       via  d8b2eee s3: auth: Convert samu_to_SamInfo3() to use the new utility function.
       via  31b2dad s3: auth: Add a utility function - SamInfo3_handle_sids() that factors out the code to handle "Unix Users" and "Unix Groups".
       via  a52c6cb nsswitch: fix soname of linux nss_*.so.2 modules
       via  5de1063 selftest: use shared/libnss_wrapper_winbind.so.2
       via  e9d45f6 wafsamba: add optional keep_underscore=True to SAMBA_LIBRARY()
       via  74ee2f7 dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable
      from  77d8786 VERSION: Re-enable git snapshots...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test


- Log -----------------------------------------------------------------


commit 837c146271ecd96ccde927dbeb389330361fca93
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Jan 13 13:49:58 2015 -0800

    s3: auth - tests: Add test for "force user" being a unix-only user, not in passdb.

    https://bugzilla.samba.org/show_bug.cgi?id=11044

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Wed Jan 14 08:46:08 CET 2015 on sn-devel-104

    (cherry picked from commit d098b6c877629af0f23070481deaccdf65acd249)

    Autobuild-User(v4-2-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-2-test): Fri Jan 23 11:04:50 CET 2015 on sn-devel-104

commit c78939859714e09309d8101f1ef962fc12c0c565
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Jan 13 13:49:36 2015 -0800

    s3: auth: Add previously missing allocation fail check.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>
    (cherry picked from commit 83066ed539658a9fa6deb897b15b20a0624227fe)

commit a9e58a2ef220bbbd868a7c5851a882ec774a4971
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Jan 13 13:45:16 2015 -0800

    s3: auth: Plumb in the SamInfo3_handle_sids() utility function into passwd_to_SamInfo3().

    Core fix for:

    https://bugzilla.samba.org/show_bug.cgi?id=11044

    Based on code from Michael Zeis <mzeis.quan...@gmail.com>

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>
    (cherry picked from commit 60895e62fe21e41cf4a09ec8a92239b8f015b450)

commit d8b2eee9fc26cbf317fde8b08f559ea3a7bf0e6a
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Jan 13 13:39:21 2015 -0800

    s3: auth: Convert samu_to_SamInfo3() to use the new utility function.

    Based on code from Michael Zeis <mzeis.quan...@gmail.com>

    https://bugzilla.samba.org/show_bug.cgi?id=11044
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>
    (cherry picked from commit d20b2d397205c1ab85a43f54bc95360a732265f3)

commit 31b2dadc60217f3658071aa57e1ffc39b9209ae4
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Jan 13 13:35:56 2015 -0800

    s3: auth: Add a utility function - SamInfo3_handle_sids() that factors out the code to handle "Unix Users" and "Unix Groups".

    Based on code from Michael Zeis <mzeis.quan...@gmail.com>

    https://bugzilla.samba.org/show_bug.cgi?id=11044

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>
    (cherry picked from commit 9395243890aff5bb2166e18e33492afb28850097)

commit a52c6cbf2e7bcb6f288a44ecb753bb4ff5b2ae60
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 18 10:33:34 2014 +0100

    nsswitch: fix soname of linux nss_*.so.2 modules

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 575b093dac3c509b1bfaab0b4ad29b9b4214e487)

commit 5de1063947db3e749b70275867f8daefe98cb70a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 18 20:13:44 2014 +0100

    selftest: use shared/libnss_wrapper_winbind.so.2

    This library is always available in make test.
    nss-wrapper strictly requires the linux nss api.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 4eb24fa545234be506eb1330ccbbfd5c2b9e0d82)

commit e9d45f6cff280857c4d54b0d6b0fa7666b001f7d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 18 10:21:30 2014 +0100

    wafsamba: add optional keep_underscore=True to SAMBA_LIBRARY()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 82e583b04b04e560c121163850d70c52d2fce78d)

commit 74ee2f72abb842074d2e20f86eff74f4c2b16ed5
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Thu Dec 4 11:53:12 2014 +1300

    dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable

    This includes additional tests based directly on the docs, rather than
    simply testing our internal implementation in client and server
    contexts, that create a user and groups.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11022

    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming-Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Mon Dec 22 17:17:02 CET 2014 on sn-devel-104
    (similar to commit e4213512d0a967e87a74a1ae816c903fb38dd8b9)

-----------------------------------------------------------------------

Summary of changes:
 buildtools/wafsamba/wafsamba.py              |   6 +-
 nsswitch/wscript_build                       |  24 +-
 selftest/target/Samba.pm                     |   2 +-
 selftest/target/Samba3.pm                    |   4 +
 source3/auth/auth_util.c                     |   3 +-
 source3/auth/proto.h                         |   3 +-
 source3/auth/server_info.c                   | 156 +++++++-----
 source3/script/tests/test_smbclient_auth.sh  |   1 +
 source3/wscript_build                        |   7 -
 source4/dsdb/samdb/ldb_modules/operational.c |  66 ++++-
 source4/dsdb/tests/python/token_group.py     | 351 ++++++++++++++++++++++++++-
 source4/selftest/tests.py                    |   2 +-
 12 files changed, 532 insertions(+), 93 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index f86ac61..e564877 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -110,6 +110,7 @@ def SAMBA_LIBRARY(bld, libname, source, ldflags='', external_library=False, realname=None, + keep_underscore=False, autoproto=None, autoproto_extra_source='', group='main', @@ -212,7 +213,10 @@ def SAMBA_LIBRARY(bld, libname, source, libname) if target_type == 'PYTHON' or realname or not private_library: - bundled_name = libname.replace('_', '-') + if keep_underscore: + bundled_name = libname + else: + bundled_name = libname.replace('_', '-') else: bundled_name = PRIVATE_NAME(bld, libname, bundled_extension, private_library) diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build index 8ceb9ad..381ff44 100644 --- a/nsswitch/wscript_build +++ b/nsswitch/wscript_build @@ -30,12 +30,24 @@ bld.SAMBA_LIBRARY('nss_wrapper_winbind', # the search for .rfind('gnu') covers gnu* and *-gnu is that too broad? if (Utils.unversioned_sys_platform() == 'linux' or (host_os.rfind('gnu') > -1)): - bld.SAMBA_LIBRARY('nss_winbind', - source='winbind_nss_linux.c', - deps='winbind-client', - realname='libnss_winbind.so.2', - soname='libnss_winbind.so', - vnum='2') + bld.SAMBA_LIBRARY('nss_winbind', + keep_underscore=True, + source='winbind_nss_linux.c', + deps='winbind-client', + public_headers=[], + public_headers_install=False, + pc_files=[], + vnum='2') + + # for nss_wins is linux only + bld.SAMBA3_LIBRARY('nss_wins', + keep_underscore=True, + source='wins.c', + deps='''param libsmb LIBTSOCKET''', + public_headers=[], + public_headers_install=False, + pc_files=[], + vnum='2') elif (host_os.rfind('freebsd') > -1): # FreeBSD winbind client is implemented as a wrapper around # the Linux version. diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index 2bd90ae..ccc63f3 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm 
@@ -69,7 +69,7 @@ sub nss_wrapper_winbind_so_path($) { my ($object) = @_; my $ret = $ENV{NSS_WRAPPER_WINBIND_SO_PATH}; if (not defined($ret)) { - $ret = bindir_path($object, "default/nsswitch/libnss-winbind.so"); + $ret = bindir_path($object, "shared/libnss_wrapper_winbind.so.2"); $ret = abs_path($ret); } return $ret; diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index a495685..d8eb58c 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1136,6 +1136,10 @@ sub provision($$$$$$) path = $shrdir force user = $unix_name guest ok = yes +[forceuser_unixonly] + path = $shrdir + force user = pdbtest + guest ok = yes [forcegroup] path = $shrdir force group = nogroup diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2986fb4..1c2cf80 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -671,7 +671,8 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx, status = passwd_to_SamInfo3(result, unix_username, pwd, - &result->info3); + &result->info3, + &result->extra); if (!NT_STATUS_IS_OK(status)) { goto done; } diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 1da0c44..6a5508b 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -305,7 +305,8 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, const char *unix_username, const struct passwd *pwd, - struct netr_SamInfo3 **pinfo3); + struct netr_SamInfo3 **pinfo3, + struct extra_auth_info *extra); struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, const struct netr_SamInfo3 *orig); diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c index 8fd3b0d..b537390 100644 --- a/source3/auth/server_info.c +++ b/source3/auth/server_info.c 
@@ -330,46 +330,19 @@ NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -#define RET_NOMEM(ptr) do { \ - if (!ptr) { \ - TALLOC_FREE(info3); \ - return NT_STATUS_NO_MEMORY; \ - } } while(0) +/* + * Check if this is a "Unix Users" domain user, or a + * "Unix Groups" domain group, we need to handle it + * in a special way if that's the case. + */ -NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, - struct samu *samu, - const char *login_server, - struct netr_SamInfo3 **_info3, - struct extra_auth_info *extra) +static NTSTATUS SamInfo3_handle_sids(const char *username, + const struct dom_sid *user_sid, + const struct dom_sid *group_sid, + struct netr_SamInfo3 *info3, + struct dom_sid *domain_sid, + struct extra_auth_info *extra) { - struct netr_SamInfo3 *info3; - const struct dom_sid *user_sid; - const struct dom_sid *group_sid; - struct dom_sid domain_sid; - struct dom_sid *group_sids; - uint32_t num_group_sids = 0; - const char *tmp; - gid_t *gids; - NTSTATUS status; - bool ok; - - user_sid = pdb_get_user_sid(samu); - group_sid = pdb_get_group_sid(samu); - - if (!user_sid || !group_sid) { - DEBUG(1, ("Sam account is missing sids!\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - info3 = talloc_zero(mem_ctx, struct netr_SamInfo3); - if (!info3) { - return NT_STATUS_NO_MEMORY; - } - - ZERO_STRUCT(domain_sid); - - /* check if this is a "Unix Users" domain user, - * we need to handle it in a special way if that's the case */ if (sid_check_is_in_unix_users(user_sid)) { /* in info3 you can only set rids for the user and the * primary group, and the domain sid must be that of 
@@ -382,16 +355,16 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, info3->base.rid = (uint32_t)(-1); sid_copy(&extra->user_sid, user_sid); - DEBUG(10, ("Unix User found in struct samu. Rid marked as " - "special and sid (%s) saved as extra sid\n", - sid_string_dbg(user_sid))); + DEBUG(10, ("Unix User found. Rid marked as " + "special and sid (%s) saved as extra sid\n", + sid_string_dbg(user_sid))); } else { - sid_copy(&domain_sid, user_sid); - sid_split_rid(&domain_sid, &info3->base.rid); + sid_copy(domain_sid, user_sid); + sid_split_rid(domain_sid, &info3->base.rid); } - if (is_null_sid(&domain_sid)) { - sid_copy(&domain_sid, get_global_sam_sid()); + if (is_null_sid(domain_sid)) { + sid_copy(domain_sid, get_global_sam_sid()); } /* check if this is a "Unix Groups" domain group, 
@@ -408,24 +381,73 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, info3->base.primary_gid = (uint32_t)(-1); sid_copy(&extra->pgid_sid, group_sid); - DEBUG(10, ("Unix Group found in struct samu. Rid marked as " - "special and sid (%s) saved as extra sid\n", - sid_string_dbg(group_sid))); - + DEBUG(10, ("Unix Group found. Rid marked as " + "special and sid (%s) saved as extra sid\n", + sid_string_dbg(group_sid))); } else { - ok = sid_peek_check_rid(&domain_sid, group_sid, + bool ok = sid_peek_check_rid(domain_sid, group_sid, &info3->base.primary_gid); if (!ok) { DEBUG(1, ("The primary group domain sid(%s) does not " - "match the domain sid(%s) for %s(%s)\n", - sid_string_dbg(group_sid), - sid_string_dbg(&domain_sid), - pdb_get_username(samu), - sid_string_dbg(user_sid))); - TALLOC_FREE(info3); - return NT_STATUS_UNSUCCESSFUL; + "match the domain sid(%s) for %s(%s)\n", + sid_string_dbg(group_sid), + sid_string_dbg(domain_sid), + username, + sid_string_dbg(user_sid))); + return NT_STATUS_INVALID_SID; } } + return NT_STATUS_OK; +} + +#define RET_NOMEM(ptr) do { \ + if (!ptr) { \ + TALLOC_FREE(info3); \ + return NT_STATUS_NO_MEMORY; \ + } } while(0) + +NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, + struct samu *samu, + const char *login_server, + struct netr_SamInfo3 **_info3, + struct extra_auth_info *extra) +{ + struct netr_SamInfo3 *info3; + const struct dom_sid *user_sid; + const struct dom_sid *group_sid; + struct dom_sid domain_sid; + struct dom_sid *group_sids; + uint32_t num_group_sids = 0; + const char *tmp; + gid_t *gids; + NTSTATUS status; + + user_sid = pdb_get_user_sid(samu); + group_sid = pdb_get_group_sid(samu); + + if (!user_sid || !group_sid) { + DEBUG(1, ("Sam account is missing sids!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + info3 = talloc_zero(mem_ctx, struct netr_SamInfo3); + if (!info3) { + return NT_STATUS_NO_MEMORY; + } + + ZERO_STRUCT(domain_sid); + + status = SamInfo3_handle_sids(pdb_get_username(samu), + user_sid, + group_sid, + 
info3, + &domain_sid, + extra); + + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(info3); + return status; + } unix_to_nt_time(&info3->base.logon_time, pdb_get_logon_time(samu)); unix_to_nt_time(&info3->base.logoff_time, get_time_t_max()); @@ -517,7 +539,8 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, const char *unix_username, const struct passwd *pwd, - struct netr_SamInfo3 **pinfo3) + struct netr_SamInfo3 **pinfo3, + struct extra_auth_info *extra) { struct netr_SamInfo3 *info3; NTSTATUS status; @@ -613,9 +636,22 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, ZERO_STRUCT(domain_sid); - sid_copy(&domain_sid, &user_sid); - sid_split_rid(&domain_sid, &info3->base.rid); + status = SamInfo3_handle_sids(unix_username, + &user_sid, + &group_sid, + info3, + &domain_sid, + extra); + + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + info3->base.domain_sid = dom_sid_dup(info3, &domain_sid); + if (info3->base.domain_sid == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } ok = sid_peek_check_rid(&domain_sid, &group_sid, &info3->base.primary_gid); diff --git a/source3/script/tests/test_smbclient_auth.sh b/source3/script/tests/test_smbclient_auth.sh index 3988095..24e98b1 100755 --- a/source3/script/tests/test_smbclient_auth.sh +++ b/source3/script/tests/test_smbclient_auth.sh 
@@ -27,5 +27,6 @@ testit "smbclient //$SERVER/tmpguest" $SMBCLIENT //$SERVER/tmpguest $CONFIGURATI testit "smbclient //$SERVER/tmpguest as anon" $SMBCLIENT //$SERVER/tmpguest $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS testit "smbclient //$SERVER/forceuser" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS testit "smbclient //$SERVER/forceuser as anon" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS +testit "smbclient //$SERVER/forceuser_unixonly" $SMBCLIENT //$SERVER/forceuser_unixonly $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS testit "smbclient //$SERVER/forcegroup" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS testit "smbclient //$SERVER/forcegroup as anon" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS diff --git a/source3/wscript_build b/source3/wscript_build index e1964a3..eadf832 100755 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -55,13 +55,6 @@ bld.SAMBA3_LIBRARY('netapi', pc_files='libnet/netapi.pc', vnum='0') -bld.SAMBA3_LIBRARY('nss_wins', - source='../nsswitch/wins.c', - deps='''param libsmb LIBTSOCKET''', - realname='libnss_wins.so.2', - soname='libnss_wins.so', - vnum='2') - bld.SAMBA3_LIBRARY('gse', source='librpc/crypto/gse_krb5.c librpc/crypto/gse.c', deps='krb5samba gensec param KRBCLIENT secrets3', diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index ad9863e..f77474f 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -84,6 +84,12 @@ struct operational_data { struct ldb_dn *aggregate_dn; }; +enum search_type { + TOKEN_GROUPS, + TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL, + TOKEN_GROUPS_NO_GC_ACCEPTABLE +}; + /* construct a canonical name from a message */ 
@@ -127,9 +133,11 @@ static int construct_primary_group_token(struct ldb_module *module, /* construct the token groups for SAM objects from a message */ -static int construct_token_groups(struct ldb_module *module, - struct ldb_message *msg, enum ldb_scope scope, - struct ldb_request *parent) +static int construct_generic_token_groups(struct ldb_module *module, + struct ldb_message *msg, enum ldb_scope scope, + struct ldb_request *parent, + const char *attribute_string, + enum search_type type) { struct ldb_context *ldb = ldb_module_get_ctx(module); TALLOC_CTX *tmp_ctx = talloc_new(msg); @@ -189,8 +197,18 @@ static int construct_token_groups(struct ldb_module *module, } /* only return security groups */ - filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))", - GROUP_TYPE_SECURITY_ENABLED); + switch(type) { + case TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL: + filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u)(|(groupType:1.2.840.113556.1.4.803:=%u)(groupType:1.2.840.113556.1.4.803:=%u)))", + GROUP_TYPE_SECURITY_ENABLED, GROUP_TYPE_ACCOUNT_GROUP, GROUP_TYPE_UNIVERSAL_GROUP); + break; + case TOKEN_GROUPS_NO_GC_ACCEPTABLE: + case TOKEN_GROUPS: + filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))", + GROUP_TYPE_SECURITY_ENABLED); + break; + } + if (!filter) { talloc_free(tmp_ctx); return ldb_oom(ldb); @@ -253,7 +271,7 @@ static int construct_token_groups(struct ldb_module *module, } for (i=0; i < num_groupSIDs; i++) { - ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", &groupSIDs[i]); + ret = samdb_msg_add_dom_sid(ldb, msg, msg, attribute_string, &groupSIDs[i]); if (ret) { talloc_free(tmp_ctx); return ret; 
@@ -263,6 +281,40 @@ static int construct_token_groups(struct ldb_module *module, return LDB_SUCCESS; } +static int construct_token_groups(struct ldb_module *module, + struct ldb_message *msg, enum ldb_scope scope, + struct ldb_request *parent) +{ + /** + * TODO: Add in a limiting domain when we start to support + * trusted domains. + */ + return construct_generic_token_groups(module, msg, scope, parent, + "tokenGroups", + TOKEN_GROUPS); +} + +static int construct_token_groups_no_gc(struct ldb_module *module, + struct ldb_message *msg, enum ldb_scope scope, + struct ldb_request *parent) +{ + /** + * TODO: Add in a limiting domain when we start to support + * trusted domains. + */ + return construct_generic_token_groups(module, msg, scope, parent, + "tokenGroupsNoGCAcceptable", + TOKEN_GROUPS); +} + +static int construct_global_universal_token_groups(struct ldb_module *module, + struct ldb_message *msg, enum ldb_scope scope, + struct ldb_request *parent) +{ + return construct_generic_token_groups(module, msg, scope, parent, + "tokenGroupsGlobalAndUniversal", + TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL); +} /* construct the parent GUID for an entry from a message */ @@ -870,6 +922,8 @@ static const struct op_attributes_replace search_sub[] = { { "canonicalName", NULL, NULL , construct_canonical_name }, { "primaryGroupToken", "objectClass", objectSid_attr, construct_primary_group_token }, { "tokenGroups", "primaryGroupID", objectSid_attr, construct_token_groups }, + { "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, construct_token_groups_no_gc}, + { "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, construct_global_universal_token_groups }, { "parentGUID", NULL, NULL, construct_parent_guid }, { "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry }, { "msDS-isRODC", "objectClass", objectCategory_attr, construct_msds_isrodc }, 
diff --git a/source4/dsdb/tests/python/token_group.py b/source4/dsdb/tests/python/token_group.py index ff9f3ec..cba6480 100755 --- a/source4/dsdb/tests/python/token_group.py +++ b/source4/dsdb/tests/python/token_group.py @@ -14,16 +14,18 @@ samba.ensure_external_module("subunit", "subunit/python") import samba.getopt as options from samba.auth import system_session -from samba import ldb +from samba import ldb, dsdb from samba.samdb import SamDB from samba.auth import AuthContext from samba.ndr import ndr_unpack from samba import gensec -from samba.credentials import Credentials +from samba.credentials import Credentials, DONT_USE_KERBEROS +from samba.dsdb import GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP from subunit.run import SubunitTestRunner import unittest import samba.tests +from samba.tests import delete_force from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES @@ -45,13 +47,22 @@ url = args[0] lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) +creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) -class TokenTest(samba.tests.TestCase): +def closure(vSet, wSet, aSet): + for edge in aSet: + start, end = edge + if start in wSet: + if end not in wSet and end in vSet: -- Samba Shared Repository
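Review bot: in the SAMBA_LIBRARY() hunk in buildtools/wafsamba/wafsamba.py, `keep_underscore` is only honoured inside the `if target_type == 'PYTHON' or realname or not private_library:` branch; a private library that passes `keep_underscore=True` still falls into the `else:` and gets `PRIVATE_NAME(bld, libname, bundled_extension, private_library)`, so the flag is silently ignored there. Either apply the flag in both branches or state next to the new parameter that it only affects public/realname libraries, so the next caller does not assume it is universal.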
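Review bot: the comment `# for nss_wins is linux only` in the nsswitch/wscript_build hunk reads as a half-edited sentence; `# nss_wins is linux only` is what is meant. Since the explicit `realname='libnss_winbind.so.2'` / `soname='libnss_winbind.so'` lines are removed and the installed name of both modules now comes solely from `keep_underscore=True` plus `vnum='2'`, a one-line comment stating the expected result (`libnss_winbind.so.2`, `libnss_wins.so.2`) next to these two calls would document the dependency on the new wafsamba option, which is the whole point of bug 9299.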
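Review bot: the new `[forceuser_unixonly]` share in selftest/target/Samba3.pm sets `guest ok = yes`, but the source3/script/tests/test_smbclient_auth.sh hunk only adds the authenticated `-U$USERNAME%$PASSWORD` case, whereas the neighbouring `forceuser` and `forcegroup` shares are each tested both authenticated and `as anon` (`-U%`). Add the matching `testit "smbclient //$SERVER/forceuser_unixonly as anon" ... -U% ...` line so the anonymous path with a unix-only force user is exercised as well.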
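Review bot: SamInfo3_handle_sids() dereferences `extra` unconditionally (`sid_copy(&extra->user_sid, user_sid);` and `sid_copy(&extra->pgid_sid, group_sid);`), and passwd_to_SamInfo3() now passes its new `struct extra_auth_info *extra` argument straight through. The only caller updated in this changeset is make_server_info_pw() in source3/auth/auth_util.c, which passes `&result->extra`; any caller that hands in NULL will crash on the first "Unix Users" or "Unix Groups" SID. Either add a NULL check at the top of SamInfo3_handle_sids() or note in the source3/auth/proto.h prototype that `extra` must be non-NULL. Minor: the new comment "Check if this is a "Unix Users" domain user, or a "Unix Groups" domain group, we need to handle it in a special way if that's the case." is a comma splice; split it into two sentences.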
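Review bot: in the factored-out primary-group check (the `@@ -408,24 +381,73 @@` hunk of source3/auth/server_info.c), the mismatch path now returns `NT_STATUS_INVALID_SID` where samu_to_SamInfo3() previously returned `NT_STATUS_UNSUCCESSFUL`. That is a change in the status a client can observe and it is not mentioned in the 31b2dad commit message; either keep `NT_STATUS_UNSUCCESSFUL` on the v4-2-test branch to preserve behaviour, or call the change out explicitly in the message.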
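Review bot: in the passwd_to_SamInfo3() hunk `@@ -613,9 +636,22 @@`, the pre-existing `ok = sid_peek_check_rid(&domain_sid, &group_sid, &info3->base.primary_gid);` is still executed after SamInfo3_handle_sids() has already resolved `primary_gid`. In the "Unix Groups" case SamInfo3_handle_sids() sets `primary_gid` to `(uint32_t)(-1)` and stashes the SID in `extra->pgid_sid` precisely because the group SID is not under `domain_sid`, so this leftover peek cannot succeed there, and whatever consumes `ok` afterwards (not shown in the truncated changeset) either fails the logon or has to special-case the sentinel, undermining the fix for bug 11044. samu_to_SamInfo3() has no such trailing check after the call; drop it here as well.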
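Review bot: in source4/dsdb/samdb/ldb_modules/operational.c the new enumerator `TOKEN_GROUPS_NO_GC_ACCEPTABLE` is never passed: construct_token_groups_no_gc() calls construct_generic_token_groups() with `TOKEN_GROUPS`, and the `switch(type)` only lists `TOKEN_GROUPS_NO_GC_ACCEPTABLE` as a fall-through to the same filter as `TOKEN_GROUPS`. Either pass the dedicated enumerator from construct_token_groups_no_gc() so the intent is visible at the call site, or remove it together with its `case` label. The `switch` also has no `default:`, so `filter` stays uninitialised for any future enumerator and the `if (!filter)` check below would read garbage; add a default that returns an error. Style nit in the `search_sub[]` table: `construct_token_groups_no_gc}` is missing the space before `}` that the surrounding entries have.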