The branch, master has been updated
       via  3d05128 dsdb: Avoid ldb_dn_validate() call on trusted input when 
not required
       via  8a029b5 selftest: Do not use a central credential cache
       via  f717622 selftest: Fix variable name for krb5.conf
      from  7e9b6c6 s3: tidyup - move struct idle_event to util_event.h

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3d05128da085a1d8873942d205d3ccf843969b98
Author: Andrew Bartlett <[email protected]>
Date:   Thu Sep 1 14:54:25 2016 +1200

    dsdb: Avoid ldb_dn_validate() call on trusted input when not required
    
    This call is very costly, because of the time required
    to strictly check the syntax of the extended DN components.
    
    This allows a 20% decrease in time taken for some link-heavy tests.
    
    Signed-off-by: Andrew Bartlett <[email protected]>
    Reviewed-by: Garming Sam <[email protected]>
    
    Autobuild-User(master): Andrew Bartlett <[email protected]>
    Autobuild-Date(master): Tue Sep 27 20:47:34 CEST 2016 on sn-devel-144

commit 8a029b5d2aa2604c7d79e70d1a372bd029fabd75
Author: Andreas Schneider <[email protected]>
Date:   Thu Sep 22 18:46:28 2016 +0200

    selftest: Do not use a central credential cache
    
    We should use separate caches and set the default_ccache_name
    accordingly.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit f7176228fce3a49e4fa5469b2baa4c27db01259d
Author: Andreas Schneider <[email protected]>
Date:   Fri Sep 23 06:14:45 2016 +0200

    selftest: Fix variable name for krb5.conf
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 selftest/selftest.pl                             |  2 +-
 selftest/target/Samba.pm                         |  7 +++++
 selftest/target/Samba3.pm                        | 10 +++++++
 selftest/target/Samba4.pm                        | 35 ++++++++++++++++++++++--
 source4/dsdb/common/dsdb_dn.c                    | 24 +++++++++++++---
 source4/dsdb/samdb/ldb_modules/extended_dn_out.c | 26 ++++++++++++------
 6 files changed, 87 insertions(+), 17 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index 1284e77..015a684 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -317,7 +317,6 @@ die("using an empty absolute prefix isn't allowed") unless 
$prefix_abs ne "";
 die("using '/' as absolute prefix isn't allowed") unless $prefix_abs ne "/";
 
 $ENV{PREFIX} = $prefix;
-$ENV{KRB5CCNAME} = "$prefix/krb5ticket";
 $ENV{PREFIX_ABS} = $prefix_abs;
 $ENV{SRCDIR} = $srcdir;
 $ENV{SRCDIR_ABS} = $srcdir_abs;
@@ -830,6 +829,7 @@ my @exported_envvars = (
 
        # misc stuff
        "KRB5_CONFIG",
+       "KRB5CCNAME",
        "SELFTEST_WINBINDD_SOCKET_DIR",
        "WINBINDD_PRIV_PIPE_DIR",
        "NMBD_SOCKET_DIR",
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 69b956d..d60358e 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -204,6 +204,13 @@ sub mk_krb5_conf($$)
 
 ";
 
+       if (defined($ctx->{krb5_ccname})) {
+               print KRB5CONF "
+ default_ccache_name = $ctx->{krb5_ccname}
+";
+       }
+
+
         if (defined($ctx->{supported_enctypes})) {
                print KRB5CONF "
  default_etypes = $ctx->{supported_enctypes}
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f68d7de..d0dcdf1 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -406,6 +406,7 @@ sub setup_admember($$$$)
        $ctx->{dnsname} = lc($dcvars->{REALM});
        $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
        $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+       $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
        Samba::mk_krb5_conf($ctx, "");
 
        $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
@@ -497,6 +498,7 @@ sub setup_admember_rfc2307($$$$)
        $ctx->{dnsname} = lc($dcvars->{REALM});
        $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
        $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+       $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
        Samba::mk_krb5_conf($ctx, "");
 
        $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
@@ -784,6 +786,7 @@ sub setup_ktest($$$)
        $ctx->{dnsname} = lc($ctx->{realm});
        $ctx->{kdc_ipv4} = "0.0.0.0";
        $ctx->{kdc_ipv6} = "::";
+       $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
        Samba::mk_krb5_conf($ctx, "");
 
        $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
@@ -920,6 +923,7 @@ sub check_or_start($$$$$) {
                
SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
 
                $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
+               $ENV{KRB5CCNAME} = "$env_vars->{KRB5_CCACHE}.nmbd";
                $ENV{SELFTEST_WINBINDD_SOCKET_DIR} = 
$env_vars->{SELFTEST_WINBINDD_SOCKET_DIR};
                $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
 
@@ -979,6 +983,7 @@ sub check_or_start($$$$$) {
                
SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
 
                $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
+               $ENV{KRB5CCNAME} = "$env_vars->{KRB5_CCACHE}.winbindd";
                $ENV{SELFTEST_WINBINDD_SOCKET_DIR} = 
$env_vars->{SELFTEST_WINBINDD_SOCKET_DIR};
                $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
 
@@ -1043,6 +1048,7 @@ sub check_or_start($$$$$) {
                
SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
 
                $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
+               $ENV{KRB5CCNAME} = "$env_vars->{KRB5_CCACHE}.smbd";
                $ENV{SELFTEST_WINBINDD_SOCKET_DIR} = 
$env_vars->{SELFTEST_WINBINDD_SOCKET_DIR};
                $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
 
@@ -1953,6 +1959,10 @@ force_user:x:$gid_force_user:
        #
        $ret{KRB5_CONFIG} = abs_path($prefix) . "/no_krb5.conf";
 
+       # Define KRB5CCNAME for each environment we set up
+       $ret{KRB5_CCACHE} = abs_path($prefix) . "/krb5ccache";
+       $ENV{KRB5CCNAME} = $ret{KRB5_CCACHE};
+
        return \%ret;
 }
 
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index ed88ac5..176b3c3 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -122,6 +122,7 @@ sub check_or_start($$$)
                
SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
 
                $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
+               $ENV{KRB5CCNAME} = "$env_vars->{KRB5_CCACHE}.samba";
                $ENV{SELFTEST_WINBINDD_SOCKET_DIR} = 
$env_vars->{SELFTEST_WINBINDD_SOCKET_DIR};
                $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
 
@@ -313,7 +314,8 @@ sub setup_namespaces($$:$$)
        } else {
                $cmd_env .= 
"RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" ";
        }
-       $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\"";
+       $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\" ";
+       $cmd_env .= "KRB5CCNAME=\"$localenv->{KRB5_CCACHE}\" ";
 
        my $cmd_config = " $localenv->{CONFIGURATION}";
 
@@ -350,7 +352,8 @@ sub setup_trust($$$$$)
        } else {
                $cmd_env .= 
"RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" ";
        }
-       $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\"";
+       $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\" ";
+       $cmd_env .= "KRB5CCNAME=\"$localenv->{KRB5_CCACHE}\" ";
 
        my $cmd_config = " $localenv->{CONFIGURATION}";
        my $cmd_creds = $cmd_config;
@@ -402,6 +405,7 @@ sub provision_raw_prepare($$$$$$$$$$$)
        $ctx->{password} = $password;
        $ctx->{kdc_ipv4} = $kdc_ipv4;
        $ctx->{kdc_ipv6} = $kdc_ipv6;
+       $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
        if ($functional_level eq "2000") {
                $ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 
des-cbc-crc"
        }
@@ -430,6 +434,7 @@ sub provision_raw_prepare($$$$$$$$$$$)
        $ctx->{piddir} = "$prefix_abs/pid";
        $ctx->{smb_conf} = "$ctx->{etcdir}/smb.conf";
        $ctx->{krb5_conf} = "$ctx->{etcdir}/krb5.conf";
+       $ctx->{krb5_ccache} = "$prefix_abs/krb5_ccache";
        $ctx->{privatedir} = "$prefix_abs/private";
        $ctx->{ncalrpcdir} = "$prefix_abs/ncalrpc";
        $ctx->{lockdir} = "$prefix_abs/lockdir";
@@ -469,7 +474,8 @@ sub provision_raw_prepare($$$$$$$$$$$)
        $ctx->{smb_conf_extra_options} = "";
 
        my @provision_options = ();
-       push (@provision_options, "KRB5_CONFIG=\"$ctx->{krb5_config}\"");
+       push (@provision_options, "KRB5_CONFIG=\"$ctx->{krb5_conf}\"");
+       push (@provision_options, "KRB5_CCACHE=\"$ctx->{krb5_ccache}\"");
        push (@provision_options, 
"NSS_WRAPPER_PASSWD=\"$ctx->{nsswrap_passwd}\"");
        push (@provision_options, 
"NSS_WRAPPER_GROUP=\"$ctx->{nsswrap_group}\"");
        push (@provision_options, 
"NSS_WRAPPER_HOSTS=\"$ctx->{nsswrap_hosts}\"");
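Review bot: The added `push` hands the cache path to the provision command as `KRB5_CCACHE`, while every other command line in this commit sets `KRB5CCNAME`, the variable the Kerberos libraries read. As written, the provision step would appear to ignore the per-environment cache and fall back to whatever `KRB5CCNAME` the harness process carries in `%ENV`, so credentials from different environments could still share one cache file. Suggest `push (@provision_options, "KRB5CCNAME=\"$ctx->{krb5_ccache}\"");`. provision_raw_prepare continues outside the hunk, so how `@provision_options` is consumed is not visible here.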
@@ -667,6 +673,7 @@ nogroup:x:65534:nobody
 
        my $ret = {
                KRB5_CONFIG => $ctx->{krb5_conf},
+               KRB5_CCACHE => $ctx->{krb5_ccache},
                PIDDIR => $ctx->{piddir},
                SERVER => $ctx->{hostname},
                SERVER_IP => $ctx->{ipv4},
@@ -728,6 +735,7 @@ sub provision_raw_step2($$$)
        my $testallowed_account = "testallowed";
        my $samba_tool_cmd = "";
        $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
            . " user create --configfile=$ctx->{smb_conf} $testallowed_account 
$ctx->{password}";
        unless (system($samba_tool_cmd) == 0) {
@@ -737,6 +745,7 @@ sub provision_raw_step2($$$)
 
        my $ldbmodify = "";
        $ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $ldbmodify .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $ldbmodify .= Samba::bindir_path($self, "ldbmodify");
        my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm}));
 
@@ -768,6 +777,7 @@ servicePrincipalName: host/testallowed
 
        $samba_tool_cmd = "";
        $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
            . " user create --configfile=$ctx->{smb_conf} testdenied 
$ctx->{password}";
        unless (system($samba_tool_cmd) == 0) {
@@ -787,6 +797,7 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
 
        $samba_tool_cmd = "";
        $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
            . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC 
Password Replication Group' '$testallowed_account'";
        unless (system($samba_tool_cmd) == 0) {
@@ -998,6 +1009,7 @@ rpc_server:tcpip = no
                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" 
";
        }
        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} 
member";
        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
        $cmd .= " --machinepass=machine$ret->{PASSWORD}";
@@ -1075,6 +1087,7 @@ sub provision_rpc_proxy($$$)
                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" 
";
        }
        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} 
member";
        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
        $cmd .= " --machinepass=machine$ret->{PASSWORD}";
@@ -1088,6 +1101,7 @@ sub provision_rpc_proxy($$$)
        $cmd = "";
        $cmd .= 
"SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
        $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
+       $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $cmd .= "$samba_tool delegation for-any-protocol 
'$ret->{NETBIOSNAME}\$' on";
         $cmd .= " $dcvars->{CONFIGURATION}";
         print $cmd;
@@ -1101,6 +1115,7 @@ sub provision_rpc_proxy($$$)
        $cmd = "";
        $cmd .= 
"SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
        $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
+       $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $cmd .= "$samba_tool delegation add-service '$ret->{NETBIOSNAME}\$' 
cifs/$dcvars->{SERVER}";
         $cmd .= " $dcvars->{CONFIGURATION}";
 
@@ -1171,6 +1186,7 @@ sub provision_promoted_dc($$$)
                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" 
";
        }
        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} 
MEMBER --realm=$dcvars->{REALM}";
        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
        $cmd .= " --machinepass=machine$ret->{PASSWORD}";
@@ -1184,6 +1200,7 @@ sub provision_promoted_dc($$$)
        my $cmd = "";
        $cmd .= 
"SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} 
$dcvars->{REALM} DC --realm=$dcvars->{REALM}";
        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
        $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs 
--dns-backend=BIND9_DLZ";
@@ -1253,6 +1270,7 @@ sub provision_vampire_dc($$$)
                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" 
";
        }
        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} 
DC --realm=$dcvars->{REALM}";
        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} 
--domain-critical-only";
        $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
@@ -1324,6 +1342,7 @@ sub provision_subdom_dc($$$)
                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" 
";
        }
        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{dnsname} 
subdomain ";
        $cmd .= "--parent-domain=$dcvars->{REALM} 
-U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}";
        $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
@@ -1588,6 +1607,7 @@ sub provision_rodc($$$)
                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" 
";
        }
        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} 
RODC";
        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
        $cmd .= " --server=$dcvars->{DC_SERVER} --use-ntvfs";
@@ -1601,6 +1621,7 @@ sub provision_rodc($$$)
         # user password verified on the RODC
        my $testallowed_account = "testallowed account";
        $cmd = "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
        $cmd .= "$samba_tool rodc preload '$testallowed_account' 
$ret->{CONFIGURATION}";
        $cmd .= " --server=$dcvars->{DC_SERVER}";
 
@@ -2147,6 +2168,7 @@ sub setup_vampire_dc($$$)
                        $cmd .= 
"RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" ";
                }
                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+               $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
                $cmd .= " $samba_tool drs kcc -k no $env->{DC_SERVER}";
                $cmd .= " $env->{CONFIGURATION}";
                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
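Review bot: The added `KRB5CCNAME` fragment has no leading space, and the context line before it ends with `\""` and no trailing space, so the shell sees the single word `KRB5_CONFIG="..."KRB5CCNAME="..."`. That assigns a bogus path to `KRB5_CONFIG` and leaves `KRB5CCNAME` unset for the command, which then falls back to the harness-wide cache. Follow the leading-space style these blocks already use: `$cmd .= " KRB5CCNAME=\"$env->{KRB5_CCACHE}\"";`. The same defect is in the second setup_vampire_dc hunk, the three setup_promoted_dc hunks, the two setup_subdom_dc hunks and the setup_rodc hunk. The setup_namespaces and setup_trust hunks avoid it by adding a trailing space to the `KRB5_CONFIG` line.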
@@ -2166,6 +2188,7 @@ sub setup_vampire_dc($$$)
                        $cmd .= 
"RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" ";
                }
                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+               $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
                $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} 
$env->{SERVER}";
                $cmd .= " $dc_vars->{CONFIGURATION}";
                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
@@ -2205,6 +2228,7 @@ sub setup_promoted_dc($$$)
                my $cmd = "";
                $cmd .= 
"SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+               $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
                $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}";
                $cmd .= " $env->{CONFIGURATION}";
                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
@@ -2217,6 +2241,7 @@ sub setup_promoted_dc($$$)
                my $cmd = "";
                $cmd .= 
"SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+               $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
                $cmd .= " $samba_tool drs kcc $env->{SERVER}";
                $cmd .= " $env->{CONFIGURATION}";
                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
@@ -2230,6 +2255,7 @@ sub setup_promoted_dc($$$)
                my $base_dn = "DC=".join(",DC=", split(/\./, 
$dc_vars->{REALM}));
                $cmd = 
"SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+               $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
                $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} 
$env->{SERVER}";
                $cmd .= " $dc_vars->{CONFIGURATION}";
                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
@@ -2269,6 +2295,7 @@ sub setup_subdom_dc($$$)
                my $cmd = "";
                $cmd .= 
"SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+               $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
                $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}";
                $cmd .= " $env->{CONFIGURATION}";
                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD} 
--realm=$dc_vars->{DC_REALM}";
@@ -2283,6 +2310,7 @@ sub setup_subdom_dc($$$)
                my $config_dn = "CN=Configuration,DC=".join(",DC=", split(/\./, 
$dc_vars->{REALM}));
                $cmd = 
"SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+               $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
                $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} 
$env->{SUBDOM_DC_SERVER}";
                $cmd .= " $dc_vars->{CONFIGURATION}";
                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD} 
--realm=$dc_vars->{DC_REALM}";
@@ -2323,6 +2351,7 @@ sub setup_rodc($$$)
        my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
        $cmd = 
"SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
        $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+       $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
        $cmd .= " $samba_tool drs replicate $env->{SERVER} $env->{DC_SERVER}";
        $cmd .= " $dc_vars->{CONFIGURATION}";
        $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
diff --git a/source4/dsdb/common/dsdb_dn.c b/source4/dsdb/common/dsdb_dn.c
index ccfbe36..0c55c0b 100644
--- a/source4/dsdb/common/dsdb_dn.c
+++ b/source4/dsdb/common/dsdb_dn.c
@@ -71,8 +71,8 @@ struct dsdb_dn *dsdb_dn_construct(TALLOC_CTX *mem_ctx, struct 
ldb_dn *dn, DATA_B
        return dsdb_dn_construct_internal(mem_ctx, dn, extra_part, dn_format, 
oid);
 }
 
-struct dsdb_dn *dsdb_dn_parse(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, 
-                             const struct ldb_val *dn_blob, const char *dn_oid)
+struct dsdb_dn *dsdb_dn_parse_trusted(TALLOC_CTX *mem_ctx, struct ldb_context 
*ldb, 
+                                     const struct ldb_val *dn_blob, const char 
*dn_oid)
 {
        struct dsdb_dn *dsdb_dn;
        struct ldb_dn *dn;
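Review bot: `dsdb_dn_parse_trusted()` is introduced without a comment saying what "trusted" means, and the later hunks in this file remove its `ldb_dn_validate()` calls. A future caller that passes a client-supplied value would skip the strict syntax check with nothing at the definition to warn against it. Suggest a header comment such as `/* As dsdb_dn_parse(), but without ldb_dn_validate(): only for values read back from the database. Validate before relying on the extended components. */`. The function body continues outside this hunk.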
@@ -97,7 +97,7 @@ struct dsdb_dn *dsdb_dn_parse(TALLOC_CTX *mem_ctx, struct 
ldb_context *ldb,
        case DSDB_NORMAL_DN:
        {
                dn = ldb_dn_from_ldb_val(mem_ctx, ldb, dn_blob);
-               if (!dn || !ldb_dn_validate(dn)) {
+               if (!dn) {
                        talloc_free(dn);
                        return NULL;
                }
@@ -204,7 +204,7 @@ struct dsdb_dn *dsdb_dn_parse(TALLOC_CTX *mem_ctx, struct 
ldb_context *ldb,
        dval.length = strlen(dn_str);
                
        dn = ldb_dn_from_ldb_val(tmp_ctx, ldb, &dval);
-       if (!dn || !ldb_dn_validate(dn)) {
+       if (!dn) {
                DEBUG(10, (__location__ ": err\n"));
                goto failed;
        }
@@ -219,6 +219,22 @@ failed:
        return NULL;
 }
 
+struct dsdb_dn *dsdb_dn_parse(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, 
+                             const struct ldb_val *dn_blob, const char *dn_oid)
+{
+       struct dsdb_dn *dsdb_dn = dsdb_dn_parse_trusted(mem_ctx, ldb,
+                                                       dn_blob, dn_oid);
+       if (dsdb_dn == NULL) {
+               return NULL;
+       }
+       if (ldb_dn_validate(dsdb_dn->dn) == false) {
+               DEBUG(10, ("could not parse %.*s as a %s DN",
+                          (int)dn_blob->length, dn_blob->data,
+                          dn_oid));
+               return NULL;
+       }
+       return dsdb_dn;
+}
 
 static char *dsdb_dn_get_with_postfix(TALLOC_CTX *mem_ctx, 
                                     struct dsdb_dn *dsdb_dn,
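Review bot: When `ldb_dn_validate()` fails in the new `dsdb_dn_parse()` wrapper, it returns NULL without releasing the `dsdb_dn` that `dsdb_dn_parse_trusted()` allocated on `mem_ctx`. Each rejected DN therefore stays attached to the caller's context until that context is freed, and with a long-lived `mem_ctx` and attacker-chosen input this is a slow leak. Add `talloc_free(dsdb_dn);` before the second `return NULL;`. The `DEBUG(10, ...)` format string also lacks a trailing `\n`, unlike the `": err\n"` message in the function above.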
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c 
b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
index d29a50c..ad4603f 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
@@ -548,9 +548,9 @@ static int extended_callback(struct ldb_request *req, 
struct ldb_reply *ares,
                        }
 
 
-                       dsdb_dn = dsdb_dn_parse(msg, ldb, plain_dn, 
attribute->syntax->ldap_oid);
+                       dsdb_dn = dsdb_dn_parse_trusted(msg, ldb, plain_dn, 
attribute->syntax->ldap_oid);
 
-                       if (!dsdb_dn || !ldb_dn_validate(dsdb_dn->dn)) {
+                       if (!dsdb_dn) {
                                ldb_asprintf_errstring(ldb, 
                                                       "could not parse %.*s in 
%s on %s as a %s DN", 
                                                       (int)plain_dn->length, 
plain_dn->data,
@@ -572,13 +572,6 @@ static int extended_callback(struct ldb_request *req, 
struct ldb_reply *ares,
                                talloc_free(hex_string);
                        }
 
-                       /* don't let users see the internal extended
-                          GUID components */
-                       if (!have_reveal_control) {
-                               const char *accept[] = { "GUID", "SID", NULL };
-                               ldb_dn_extended_filter(dn, accept);
-                       }
-
                        if (p->normalise) {
                                ret = dsdb_fix_dn_rdncase(ldb, dn);
                                if (ret != LDB_SUCCESS) {
@@ -633,6 +626,21 @@ static int extended_callback(struct ldb_request *req, 
struct ldb_reply *ares,
                        }
                        
                        if (make_extended_dn) {
+                               if (!ldb_dn_validate(dsdb_dn->dn)) {
+                                       ldb_asprintf_errstring(ldb, 
+                                                              "could not parse 
%.*s in %s on %s as a %s DN", 
+                                                              
(int)plain_dn->length, plain_dn->data,
+                                                              
msg->elements[i].name, ldb_dn_get_linearized(msg->dn),
+                                                              
attribute->syntax->ldap_oid);
+                                       talloc_free(dsdb_dn);
+                                       return ldb_module_done(ac->req, NULL, 
NULL, LDB_ERR_INVALID_DN_SYNTAX);
+                               }
+                               /* don't let users see the internal extended
+                                  GUID components */
+                               if (!have_reveal_control) {
+                                       const char *accept[] = { "GUID", "SID", 
NULL };
+                                       ldb_dn_extended_filter(dn, accept);
+                               }
                                dn_str = 
dsdb_dn_get_extended_linearized(msg->elements[i].values,
                                                                         
dsdb_dn, ac->extended_type);
                        } else {
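Review bot: The new `ldb_dn_validate()` check sits only in the `make_extended_dn` branch, so the `else` branch and the `dsdb_fix_dn_rdncase(ldb, dn)` call under `p->normalise` now work on a DN that was never strictly validated. If that is safe because these values are read from the database, say so at the check, e.g. `/* values come from the DB; only the extended form needs the costly strict check */`. The `ldb_dn_extended_filter()` call is what hides internal extended components from clients that lack the reveal control, so it must stay ahead of `dsdb_dn_get_extended_linearized()`. Please confirm that the `else` path, which is outside this hunk, cannot emit those components.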


-- 
Samba Shared Repository
