[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8a50509 s4-dsdb: instanceType NC_HEAD is only allowed combined with WRITE for an originating add operation from 22945de doc/msdfs proxy: extend example for multi target config http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8a505090215501324f83dda86d146708b687abcc Author: Nadezhda Ivanova nivan...@symas.com Date: Tue Oct 29 18:17:27 2013 +0200 s4-dsdb: instanceType NC_HEAD is only allowed combined with WRITE for an originating add operation As described in MS-ATDS 3.1.1.5.2.8. Signed-off-by: Nadezhda Ivanova nivan...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Nadezhda Ivanova nivan...@samba.org Autobuild-Date(master): Sun Nov 3 16:17:30 CET 2013 on sn-devel-104 --- Summary of changes: source4/dsdb/samdb/ldb_modules/instancetype.c |3 +-- source4/dsdb/tests/python/ldap.py | 17 ++--- 2 files changed, 15 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/instancetype.c b/source4/dsdb/samdb/ldb_modules/instancetype.c index 7bf95f3..c35f4b6 100644 --- a/source4/dsdb/samdb/ldb_modules/instancetype.c +++ b/source4/dsdb/samdb/ldb_modules/instancetype.c @@ -80,8 +80,7 @@ static int instancetype_add(struct ldb_module *module, struct ldb_request *req) * TYPE_WRITE flag in order to succeed, * unless this NC is not instantiated */ - if (!(instanceType INSTANCE_TYPE_UNINSTANT) - !(instanceType INSTANCE_TYPE_WRITE)) { + if (!(instanceType INSTANCE_TYPE_WRITE)) { ldb_set_errstring(ldb, instancetype: if TYPE_IS_NC_HEAD was set, then also TYPE_WRITE is requested!); return LDB_ERR_UNWILLING_TO_PERFORM; } diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py index 643830f..f6b08e4 100755 --- a/source4/dsdb/tests/python/ldap.py +++ b/source4/dsdb/tests/python/ldap.py 
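Review bot: The comment directly above the changed condition still ends with `* unless this NC is not instantiated */`, but the UNINSTANT exemption is exactly what this hunk deletes, so the comment now contradicts the check it describes. Drop that clause and cite the rule instead, e.g. `* TYPE_WRITE flag in order to succeed (MS-ADTS 3.1.1.5.2.8). */`. It would also help to say in that comment that this applies to originating adds, as the commit message states, because the hunk alone does not show whether replicated adds reach this check; instancetype_add begins before the hunk. The bitwise operators in the condition appear to have been stripped by the mailing-list rendering rather than by the patch.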
@@ -667,7 +667,7 @@ class BasicTests(samba.tests.TestCase): def test_single_valued_attributes(self): Test single-valued attributes -print Test single-valued attributes +print Test single-valued attributes try: self.ldb.add({ @@ -767,7 +767,7 @@ class BasicTests(samba.tests.TestCase): def test_empty_messages(self): Test empty messages -print Test empty messages +print Test empty messages m = Message() m.dn = Dn(ldb, cn=ldaptestgroup,cn=users, + self.base_dn) @@ -788,7 +788,7 @@ class BasicTests(samba.tests.TestCase): def test_empty_attributes(self): Test empty attributes -print Test empty attributes +print Test empty attributes m = Message() m.dn = Dn(ldb, cn=ldaptestgroup,cn=users, + self.base_dn) @@ -900,6 +900,17 @@ class BasicTests(samba.tests.TestCase): delete_force(self.ldb, cn=ldaptestgroup,cn=users, + self.base_dn) +#only write is allowed with NC_HEAD for originating updates +try: +self.ldb.add({ +dn: cn=ldaptestuser2,cn=users, + self.base_dn, +objectclass: user, +instanceType: 3 }) +self.fail() +except LdbError, (num, _): +self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) +delete_force(self.ldb, cn=ldaptestuser2,cn=users, + self.base_dn) + def test_distinguished_name(self): Tests the 'distinguishedName' attribute print Tests the 'distinguishedName' attribute -- Samba Shared Repository
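Review bot: The new test in the `@@ -900` hunk adds an object with `instanceType: 3` and expects ERR_UNWILLING_TO_PERFORM, but nothing says which bits 3 is, so the link to the module change (NC_HEAD without WRITE) is invisible to a reader of the test; add `# instanceType 3 = IS_NC_HEAD | UNINSTANT with WRITE clear: must be refused for an originating add` above the add (bit values as I recall them from the instanceType flag definitions, worth double-checking). The bare `self.fail()` would also be more useful as `self.fail("add with instanceType 3 should have been refused")`. Only the rejection is exercised; if a head-of-NC add with WRITE set can be attempted from this test, asserting it is still accepted would show the check does not simply refuse every NC_HEAD add.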
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 13a10d4 s4-samldb: Do not allow deletion of objects with RID 1000 from 064433f libcli4: Remove an unused variable http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 13a10d43141c29dad61868b451c0c1dca82360de Author: Nadezhda Ivanova nivan...@symas.com Date: Mon Oct 14 12:38:10 2013 +0300 s4-samldb: Do not allow deletion of objects with RID 1000 According to [MS-SAMR] 3.1.5.7 Delete Pattern we should not allow deletion of security objects with RID 1000. This patch will prevent deletion of well-known accounts and groups. Signed-off-by: Nadezhda Ivanova nivan...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Nadezhda Ivanova nivan...@samba.org Autobuild-Date(master): Mon Oct 14 13:31:50 CEST 2013 on sn-devel-104 --- Summary of changes: python/samba/tests/samba3sam.py | 12 +- source4/dsdb/samdb/ldb_modules/samldb.c |5 source4/dsdb/samdb/samdb.h |1 + source4/dsdb/tests/python/sam.py| 37 -- testdata/samba3/samba3.ldif |4 +- 5 files changed, 48 insertions(+), 11 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/samba3sam.py b/python/samba/tests/samba3sam.py index 9c017fb..7cd6566 100644 --- a/python/samba/tests/samba3sam.py +++ b/python/samba/tests/samba3sam.py @@ -172,7 +172,7 @@ class Samba3SamTestCase(MapBaseTestCase): self.assertEquals(str(msg[0].dn), cn=Replicator,ou=Groups,dc=vernstok,dc=nl) self.assertTrue(objectSid in msg[0]) -self.assertSidEquals(S-1-5-21-4231626423-2410014848-2360679739-552, +self.assertSidEquals(S-1-5-21-4231626423-2410014848-2360679739-1052, msg[0][objectSid]) oc = set(msg[0][objectClass]) self.assertEquals(oc, set([group])) @@ -345,7 +345,7 @@ dnsHostName: x nextRid: y lastLogon: x description: x -objectSid: S-1-5-21-4231626423-2410014848-2360679739-552 +objectSid: S-1-5-21-4231626423-2410014848-2360679739-1052 ) self.ldb.add({ 
@@ -380,7 +380,7 @@ objectSid: S-1-5-21-4231626423-2410014848-2360679739-552 sambaBadPasswordCount: x, sambaLogonTime: x, description: x, -sambaSID: S-1-5-21-4231626423-2410014848-2360679739-552, +sambaSID: S-1-5-21-4231626423-2410014848-2360679739-1052, sambaPrimaryGroupSID: S-1-5-21-4231626423-2410014848-2360679739-512}) self.samba3.db.add({ @@ -483,20 +483,20 @@ objectSid: S-1-5-21-4231626423-2410014848-2360679739-552 # TODO: # Using the SID directly in the parse tree leads to conversion # errors, letting the search fail with no results. -#res = self.ldb.search((objectSid=S-1-5-21-4231626423-2410014848-2360679739-552), scope=SCOPE_DEFAULT, attrs) +#res = self.ldb.search((objectSid=S-1-5-21-4231626423-2410014848-2360679739-1052), scope=SCOPE_DEFAULT, attrs) res = self.ldb.search(expression=(objectSid=*), base=None, scope=SCOPE_DEFAULT, attrs=[dnsHostName, lastLogon, objectSid]) self.assertEquals(len(res), 4) res = sorted(res, key=attrgetter('dn')) self.assertEquals(str(res[1].dn), self.samba4.dn(cn=X)) self.assertEquals(str(res[1][dnsHostName]), x) self.assertEquals(str(res[1][lastLogon]), x) -self.assertSidEquals(S-1-5-21-4231626423-2410014848-2360679739-552, +self.assertSidEquals(S-1-5-21-4231626423-2410014848-2360679739-1052, res[1][objectSid]) self.assertTrue(objectSid in res[1]) self.assertEquals(str(res[0].dn), self.samba4.dn(cn=A)) self.assertTrue(not dnsHostName in res[0]) self.assertEquals(str(res[0][lastLogon]), x) -self.assertSidEquals(S-1-5-21-4231626423-2410014848-2360679739-552, +self.assertSidEquals(S-1-5-21-4231626423-2410014848-2360679739-1052, res[0][objectSid]) self.assertTrue(objectSid in res[0]) diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 603370f..b798102 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c 
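Review bot: Every hunk in samba3sam.py moves the fixture SID from RID 552 to 1052 without a comment saying why, so a reader of the test file cannot tell that 1052 was chosen to stay above the floor that the samldb change in this same commit introduces (deletion refused below DSDB_SAMDB_MINIMUM_ALLOWED_RID; the commit title's `RID 1000` has evidently lost a `<` in this rendering). Add `# RID must be >= DSDB_SAMDB_MINIMUM_ALLOWED_RID (1000) so the test objects stay deletable` next to the first assertSidEquals. 552 is also the well-known Replicator alias RID, which is presumably why this fixture tripped over the new rule in the first place, and is worth stating so nobody lowers the value again.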
@@ -2552,6 +2552,11 @@ static int samldb_prim_group_users_check(struct samldb_ctx *ac) /* Special object (security principal?) */ return LDB_SUCCESS; } + /* do not allow deletion of well-known sids */ + if (rid DSDB_SAMDB_MINIMUM_ALLOWED_RID + (ldb_request_get_control(ac-req, LDB_CONTROL_RELAX_OID) == NULL)) { + return LDB_ERR_OTHER; + } /* Deny delete requests
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fc486d8 s4-openldap: Restored openldap-related options to the provision script from 58cb40d build: get rid of vars=locals() in source3/lib/netapi/examples/wscript_build http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fc486d861c4c616407725b7adfa7cec712526c9a Author: Nadezhda Ivanova nivan...@symas.com Date: Tue Sep 24 10:26:05 2013 -0700 s4-openldap: Restored openldap-related options to the provision script At the moment they are only available if TEST_LDAP=yes to avoid accidental use as the openldap backend is still failing some tests Signed-off-by: Nadezhda Ivanova nivan...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Nadezhda Ivanova nivan...@samba.org Autobuild-Date(master): Thu Sep 26 07:31:05 CEST 2013 on sn-devel-104 --- Summary of changes: python/samba/netcmd/domain.py | 38 +++-- python/samba/provision/__init__.py| 12 -- python/samba/provision/backend.py | 10 +++--- source4/setup/tests/blackbox_provision-backend.sh | 12 +++--- 4 files changed, 54 insertions(+), 18 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py index e7269c6..0698928 100644 --- a/python/samba/netcmd/domain.py +++ b/python/samba/netcmd/domain.py 
@@ -214,6 +214,21 @@ class cmd_domain_provision(Command): Option(--use-ntvfs, action=store_true, help=Use NTVFS for the fileserver (default = no)), Option(--use-rfc2307, action=store_true, help=Use AD to store posix attributes (default = no)), ] + +openldap_options = [ +Option(--ldap-dryrun-mode, help=Configure LDAP backend, but do not run any binaries and exit early. Used only for the test environment. DO NOT USE, + action=store_true), +Option(--slapd-path, type=string, metavar=SLAPD-PATH, + help=Path to slapd for LDAP backend [e.g.:'/usr/local/libexec/slapd']. Required for Setup with LDAP-Backend. OpenLDAP Version = 2.4.17 should be used.), +Option(--ldap-backend-extra-port, type=int, metavar=LDAP-BACKEND-EXTRA-PORT, help=Additional TCP port for LDAP backend server (to use for replication)), +Option(--ldap-backend-forced-uri, type=string, metavar=LDAP-BACKEND-FORCED-URI, + help=Force the LDAP backend connection to be to a particular URI. Use this ONLY for 'existing' backends, or when debugging the interaction with the LDAP backend and you need to intercept the LDA), +Option(--ldap-backend-nosync, help=Configure LDAP backend not to call fsync() (for performance in test environments), action=store_true), +] + +if os.getenv('TEST_LDAP', no) == yes: +takes_options.extend(openldap_options) + takes_args = [] def run(self, sambaopts=None, credopts=None, versionopts=None, @@ -246,8 +261,13 @@ class cmd_domain_provision(Command): targetdir=None, ol_mmr_urls=None, use_xattrs=None, +slapd_path=None, use_ntvfs=None, -use_rfc2307=None): +use_rfc2307=None, +ldap_backend_nosync=None, +ldap_backend_extra_port=None, +ldap_backend_forced_uri=None, +ldap_dryrun_mode=None): self.logger = self.get_logger(provision) if quiet: 
@@ -376,6 +396,14 @@ class cmd_domain_provision(Command): if eadb: self.logger.info(not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.) +if ldap_backend_type == existing: +if dap_backend_forced_uri is not None: +logger.warn(You have specified to use an existing LDAP server as the backend, please make sure an LDAP server is running at %s % ldap_backend_forced_uri) +else: +logger.info(You have specified to use an existing LDAP server as the backend, please make sure an LDAP server is running at the default location) +else: +if ldap_backend_forced_uri is not None: +logger.warn(You have specified to use an fixed URI %s for connecting to your LDAP server backend. This is NOT RECOMMENDED, as our default communiation over ldapi:// is more secure and much less) session = system_session() try: @@ -393,9 +421,13 @@ class cmd_domain_provision(Command): users=users, serverrole=server_role, dom_for_fun_level=dom_for_fun_level, backend_type=ldap_backend_type, - ldapadminpass=ldapadminpass
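Review bot: `if dap_backend_forced_uri is not None:` in the `ldap_backend_type == "existing"` branch references a name that does not exist; the parameter added to run() in the earlier hunk is `ldap_backend_forced_uri`, so provisioning against an existing backend raises NameError before any warning is printed. Fix: `if ldap_backend_forced_uri is not None:`. In the same hunk the messages go to a bare `logger`, while the surrounding code (the `if eadb:` context line above and `self.logger = self.get_logger("provision")` in the earlier hunk) uses `self.logger`; unless a module-level `logger` is defined outside this hunk, those four calls fail the same way and `self.logger.warn(...)` / `self.logger.info(...)` is what was meant. run() continues beyond the hunk.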
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5426e57 Fix DN RDN case in partition names via fefdb27 Fix entryCSN format via 7570577 s4-openldap: Remove use of talloc_reference in ldb_map_outbound.c via 5805b7a s4-openldap: Added an -H option to delegation script via aea5b5c Drop paged-search from OpenLDAP stack via 93f3aba Add LDB_MAP_RENDROP option via bc1503a Return a couple more attrs by default via 2a452f2 Cleanup start/stop code from 167e2f2 pidl: Generate wireshark that conforms to the rules of Wireshark project http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5426e57898b2b60b7def1af24050df10b1394c9e Author: Howard Chu h...@symas.com Date: Thu Sep 19 10:41:16 2013 -0700 Fix DN RDN case in partition names Move fix_dn from extended_dn_out.c to util.c Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com Autobuild-User(master): Nadezhda Ivanova nivan...@samba.org Autobuild-Date(master): Tue Sep 24 07:43:39 CEST 2013 on sn-devel-104 commit fefdb27f51ee4b8807314106674f7a3be1941610 Author: Howard Chu h...@symas.com Date: Thu Sep 19 10:41:02 2013 -0700 Fix entryCSN format Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com commit 75705776929d87f1a694582261c07d1724574370 Author: Nadezhda Ivanova nivan...@symas.com Date: Wed Sep 18 15:31:24 2013 -0700 s4-openldap: Remove use of talloc_reference in ldb_map_outbound.c Instead of referencing the values array of the element to the new element, copy them, to avoid use of talloc_reference and remove a warning of talloc_steal with reference. The issue is only relevant when openldap backend is used. 
Signed-off-by: Nadezhda Ivanova nivan...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Jeremy Allison j...@samba.org commit 5805b7abc88d9f16bc927ae5d51c2807e4a939ee Author: Nadezhda Ivanova nivan...@symas.com Date: Sun Sep 22 11:24:57 2013 -0700 s4-openldap: Added an -H option to delegation script Also calling delegation locally without credentials, as this is not really necessary and causes selftest errors against the openldap backend. Signed-off-by: Nadezhda Ivanova nivan...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org commit aea5b5ce338e0d84d93231171c172ec259151a33 Author: Howard Chu h...@symas.com Date: Mon Sep 16 14:12:42 2013 -0700 Drop paged-search from OpenLDAP stack Unnecessary, waste of time Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com commit 93f3aba5e083976a791b982b2064b619800ce110 Author: Howard Chu h...@symas.com Date: Wed Sep 18 16:50:34 2013 -0700 Add LDB_MAP_RENDROP option Like LDB_MAP_RENAME, but drop the attribute if it occurs in an Add request. Used for distinguishedName attribute, is read-only and generated but for some bizarre reason AD allows it in an Add request. Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com commit bc1503a96656f1274aa93ac7cab88401c96cac60 Author: Howard Chu h...@symas.com Date: Wed Sep 18 17:10:07 2013 -0700 Return a couple more attrs by default Seems to want name and distinguishedName to always be returned. Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com commit 2a452f2374d5723c43c5547708e253a1adfaabc4 Author: Howard Chu h...@symas.com Date: Thu Sep 19 05:52:59 2013 -0700 Cleanup start/stop code teardown was bailing out before stopping slapd. Use fork/exec to start slapd, just like samba. 
Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com --- Summary of changes: lib/ldb/ldb_map/ldb_map.c|4 + lib/ldb/ldb_map/ldb_map.h|3 +- lib/ldb/ldb_map/ldb_map_inbound.c| 17 -- lib/ldb/ldb_map/ldb_map_outbound.c | 29 +--- python/samba/netcmd/delegation.py| 74 ++--- selftest/target/Samba4.pm| 76 -- source4/dsdb/samdb/ldb_modules/extended_dn_out.c | 33 +- source4/dsdb/samdb/ldb_modules/partition_init.c |7 ++ source4/dsdb/samdb/ldb_modules/samba_dsdb.c |2 +- source4
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 31ca4fc OpenLDAP provisioning tweaks via 743d4a4 Use SASL/EXTERNAL over ldapi:// via 6bf59b0 Add SASL/EXTERNAL gensec module via b3bb304 Prepare for SASL/EXTERNAL support from 887f4fb Free memory on error http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 31ca4fc67443e0c7a8fec61e91df39fe2535982e Author: Howard Chu h...@symas.com Date: Tue Sep 17 15:38:42 2013 -0700 OpenLDAP provisioning tweaks Remove BerkeleyDB-specific setup. Streamline cn=samba partition initialization - allow any backend type for it. Use back-mdb instead of back-ldif for cn=samba partition Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com Autobuild-User(master): Nadezhda Ivanova nivan...@samba.org Autobuild-Date(master): Wed Sep 18 21:39:51 CEST 2013 on sn-devel-104 commit 743d4a474e1d80783f658fa1001a6d077fcfbede Author: Howard Chu h...@symas.com Date: Tue Sep 17 14:04:06 2013 -0700 Use SASL/EXTERNAL over ldapi:// The provision script will map the uid of the user running the script to the samba-admin LDAP DN. Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com commit 6bf59b03d72b94b71e53fc2404c11e0d237e41b2 Author: Howard Chu h...@symas.com Date: Tue Sep 17 13:09:50 2013 -0700 Add SASL/EXTERNAL gensec module Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com commit b3bb3040364d4b8a497ced3e758fc81f24924db9 Author: Howard Chu h...@symas.com Date: Tue Sep 17 13:09:07 2013 -0700 Prepare for SASL/EXTERNAL support 
Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com --- Summary of changes: auth/credentials/credentials.c |8 ++ auth/gensec/external.c | 82 + auth/gensec/gensec.h|3 +- auth/gensec/wscript_build |7 ++ python/samba/provision/backend.py | 67 ++ source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 128 --- source4/libcli/ldap/ldap_bind.c | 13 +++- source4/setup/cn=replicator.ldif| 12 --- source4/setup/cn=samba-admin.ldif | 12 --- source4/setup/cn=samba.ldif | 19 +++-- source4/setup/slapd.conf|6 +- 11 files changed, 235 insertions(+), 122 deletions(-) create mode 100644 auth/gensec/external.c delete mode 100644 source4/setup/cn=replicator.ldif delete mode 100644 source4/setup/cn=samba-admin.ldif Changeset truncated at 500 lines: diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index e98dfbd..d15cee6 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c @@ -365,6 +365,14 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c return true; } + /* +* If we forced the mech we clearly want authentication. E.g. to use +* SASL/EXTERNAL which has no credentials. +*/ + if (cred-forced_sasl_mech) { + return true; + } + if (cli_credentials_is_anonymous(cred)){ return false; } diff --git a/auth/gensec/external.c b/auth/gensec/external.c new file mode 100644 index 000..a26e435 --- /dev/null +++ b/auth/gensec/external.c 
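Review bot: The new early return fires for any forced mechanism, and its comment only mentions SASL/EXTERNAL; it should also say why the check has to sit above the anonymous test, e.g. `* Must come before the anonymous check: credentials prepared for SASL/EXTERNAL carry no username or password and would otherwise be reported as not requesting authentication.`. Because EXTERNAL delegates identity entirely to the transport (ldapi peer credentials or a TLS client certificate), a caller that acts on this `true` still has to confirm the bind produced a non-anonymous identity; that confirmation is outside this hunk, as is the start of cli_credentials_authentication_requested.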
@@ -0,0 +1,82 @@ +/* + Unix SMB/CIFS implementation. + + SASL/EXTERNAL authentication. + + Copyright (C) Howard Chu h...@symas.com 2013 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. +*/ + +#include includes.h +#include auth/credentials/credentials.h +#include auth/gensec/gensec.h +#include auth/gensec/gensec_internal.h +#include auth/gensec/gensec_proto.h +#include auth/gensec/gensec_toplevel_proto.h + +/* SASL/EXTERNAL is essentially a no-op; it is only usable when
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ff88694 Give slapd a second to startup via 68a4081 Add an OpenLDAP-specific extended_dn_in module from 4879d08 libcli/smb: only check the SMB2 session setup signature if required and valid http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ff886940272354743cd6eb50717891454d8e5500 Author: Howard Chu h...@symas.com Date: Tue Sep 17 08:19:47 2013 -0700 Give slapd a second to startup Moving the sleep to the beginning of the loop avoids most occurrences of the connection failed message Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com Autobuild-User(master): Nadezhda Ivanova nivan...@samba.org Autobuild-Date(master): Wed Sep 18 07:43:09 CEST 2013 on sn-devel-104 commit 68a4081dd47344651cb4dfdf57247ce8e893a96e Author: Howard Chu h...@symas.com Date: Mon Sep 16 19:51:20 2013 -0700 Add an OpenLDAP-specific extended_dn_in module Don't fix plain DNs before sending them to OpenLDAP Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com --- Summary of changes: python/samba/provision/backend.py |2 +- source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 25 ++- source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 17 --- 3 files changed, 38 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/provision/backend.py b/python/samba/provision/backend.py index 58aab98..24d8675 100644 --- a/python/samba/provision/backend.py +++ b/python/samba/provision/backend.py @@ -292,6 +292,7 @@ class LDAPBackend(ProvisionBackend): while self.slapd.poll() is None: # Wait until the socket appears try: +time.sleep(1) ldapi_db = Ldb(self.ldap_uri, lp=self.lp, credentials=self.credentials) ldapi_db.search(base=, scope=SCOPE_BASE, expression=(objectClass=OpenLDAProotDSE)) 
@@ -299,7 +300,6 @@ class LDAPBackend(ProvisionBackend): # the LDAP server! return except LdbError: -time.sleep(1) count = count + 1 if count 15: diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c index 034d22a..df45f75 100644 --- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c @@ -56,6 +56,9 @@ static const char *wkattr[] = { otherWellKnownObjects, NULL }; + +static const struct ldb_module_ops ldb_extended_dn_in_openldap_module_ops; + /* An extra layer of indirection because LDB does not allow the original request to be altered */ static int extended_final_callback(struct ldb_request *req, struct ldb_reply *ares) @@ -376,7 +379,14 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat has_extended_component = (memchr(tree-u.equality.value.data, '', tree-u.equality.value.length) != NULL); - if (!attribute-one_way_link !has_extended_component) { + /* +* Don't turn it into an extended DN if we're talking to OpenLDAP. +* We just check the module_ops pointer instead of adding a private +* pointer and a boolean to tell us the exact same thing. +*/ + if (!has_extended_component) { + if (!attribute-one_way_link || + ldb_module_get_ops(filter_ctx-module) == ldb_extended_dn_in_openldap_module_ops) return LDB_SUCCESS; } 
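Review bot: In the `@@ -376` hunk of extended_dn_in.c the inner `if (!attribute->one_way_link || ldb_module_get_ops(filter_ctx->module) == &ldb_extended_dn_in_openldap_module_ops)` has an unbraced single-statement body, and its continuation line is indented as though it were that body, which makes the nesting hard to read and is at odds with the braced outer `if` added in the same hunk; wrap `return LDB_SUCCESS;` in braces. The comment above it explains how the OpenLDAP variant is detected but not what the branch does: add that plain (non-extended) DN values in filters on one-way-link attributes are passed through untouched when the openldap variant is loaded. extended_dn_filter_callback continues outside the hunk.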
@@ -706,8 +716,21 @@ static const struct ldb_module_ops ldb_extended_dn_in_module_ops = { .rename= extended_dn_in_rename, }; +static const struct ldb_module_ops ldb_extended_dn_in_openldap_module_ops = { + .name = extended_dn_in_openldap, + .search= extended_dn_in_search, + .modify= extended_dn_in_modify, + .del = extended_dn_in_del, + .rename= extended_dn_in_rename, +}; + int ldb_extended_dn_in_module_init(const char *version) { + int ret; LDB_MODULE_CHECK_VERSION(version); + ret = ldb_register_module(ldb_extended_dn_in_openldap_module_ops); + if (ret != LDB_SUCCESS) { + return ret; + } return ldb_register_module(ldb_extended_dn_in_module_ops); } diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c index cde53bc..060a9d7 100644 --- a/source4/dsdb/samdb
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4dacaef dsdb: Use credentials.get_forced_sasl_mech() via 3f464ca auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech() via 68f7cd1 samba-tool domain provision: Make ldap_backend_startup.sh +x and take optional arguments from ef830f7 samba-tool domain join: Set server role correctly to active directory domain controller http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4dacaef2eae46a8d5d4729c8a607b9d928c70c25 Author: Andrew Bartlett abart...@samba.org Date: Mon Sep 16 09:39:12 2013 -0700 dsdb: Use credentials.get_forced_sasl_mech() This will allow us to force the use of only DIGEST-MD5, for example, which is useful to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL. Andrew Bartlett Signed-off-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com Autobuild-User(master): Nadezhda Ivanova nivan...@samba.org Autobuild-Date(master): Tue Sep 17 01:41:41 CEST 2013 on sn-devel-104 commit 3f464ca1f5672491edf5daf15389cf7f2dc68e2b Author: Andrew Bartlett abart...@samba.org Date: Mon Sep 16 09:38:09 2013 -0700 auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech() This will allow us to force the use of only DIGEST-MD5, for example, which is useful to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL. Andrew Bartlett Signed-off-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com commit 68f7cd1724480a9bae36692d19b94e10fb1b9e73 Author: Andrew Bartlett abart...@samba.org Date: Mon Sep 16 09:35:39 2013 -0700 samba-tool domain provision: Make ldap_backend_startup.sh +x and take optional arguments 
Signed-off-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com --- Summary of changes: auth/credentials/credentials.c | 14 ++ auth/credentials/credentials.h |3 +++ auth/credentials/credentials_internal.h |3 +++ auth/credentials/pycredentials.c| 26 ++ auth/gensec/gensec_start.c | 14 ++ python/samba/provision/backend.py |9 +++-- source4/dsdb/samdb/ldb_modules/samba_dsdb.c |1 + 7 files changed, 68 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index 57a7c0b..e98dfbd 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c @@ -112,6 +112,8 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cli_credentials_set_gensec_features(cred, 0); cli_credentials_set_krb_forwardable(cred, CRED_AUTO_KRB_FORWARDABLE); + cred-forced_sasl_mech = NULL; + return cred; } @@ -161,6 +163,13 @@ _PUBLIC_ void cli_credentials_set_kerberos_state(struct cli_credentials *creds, creds-use_kerberos = use_kerberos; } +_PUBLIC_ void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds, + const char *sasl_mech) +{ + TALLOC_FREE(creds-forced_sasl_mech); + creds-forced_sasl_mech = talloc_strdup(creds, sasl_mech); +} + _PUBLIC_ void cli_credentials_set_krb_forwardable(struct cli_credentials *creds, enum credentials_krb_forwardable krb_forwardable) { @@ -172,6 +181,11 @@ _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct return creds-use_kerberos; } +_PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds) +{ + return creds-forced_sasl_mech; +} + _PUBLIC_ enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds) { return creds-krb_forwardable; diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index 766a513..fdd35bb 100644 --- a/auth/credentials/credentials.h 
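Review bot: `cli_credentials_set_forced_sasl_mech()` never checks the result of `talloc_strdup()`, so on allocation failure `forced_sasl_mech` is silently left NULL and a caller that asked to pin EXTERNAL or DIGEST-MD5 falls back to ordinary mechanism negotiation with no indication. Report the outcome the way the other string setters on this struct do (they return bool, as far as I recall): `_PUBLIC_ bool cli_credentials_set_forced_sasl_mech(...)` with `return sasl_mech == NULL || creds->forced_sasl_mech != NULL;` after the strdup, keeping NULL input as an explicit reset, and update the prototype in credentials.h to match. A one-line comment on the setter and getter stating that a non-NULL value restricts GENSEC to exactly that SASL mechanism would also help, since the commit message is currently the only place that says so.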
+++ b/auth/credentials/credentials.h @@ -118,6 +118,8 @@ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, struct loadparm_context *lp_ctx, struct gssapi_creds_container **_gcc, const char **error_string); +void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds, + const char *sasl_mech); void cli_credentials_set_kerberos_state(struct cli_credentials *creds, enum credentials_use_kerberos use_kerberos); void
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6ed5b1c Cleanup map return codes via dcbd4ed Fix OpenLDAP partition configs via f2bcceb lib/ldb-samba/ldb_ildap: Also skip special base DNs from 6ef3c98 docs-xml: document SMB3_02 as available protocol for the client side http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6ed5b1c159867466e54a54a10adcc6c49a0a7837 Author: Howard Chu h...@symas.com Date: Mon Sep 16 19:02:26 2013 -0700 Cleanup map return codes -1 was never a valid LDB return code, just use OPERATIONS_ERROR Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Nadezhda Ivanova nivan...@samba.org Autobuild-Date(master): Tue Sep 17 07:51:45 CEST 2013 on sn-devel-104 commit dcbd4ede2f320df9264a138685a2214bfa1ef6a1 Author: Howard Chu h...@symas.com Date: Mon Sep 16 14:14:10 2013 -0700 Fix OpenLDAP partition configs Update to use LMDB backend, BDB is deprecated Update to support DomainDNSZones and ForestDNSZones partitions. Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org commit f2bccebd913f023e3d99282be4e831d012cd3578 Author: Andrew Bartlett abart...@samba.org Date: Mon Sep 16 14:22:53 2013 -0700 lib/ldb-samba/ldb_ildap: Also skip special base DNs This is so we do not search for @REPLCHANGED against ldap Signed-off-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com --- Summary of changes: lib/ldb-samba/ldb_ildap.c |3 ++ lib/ldb/ldb_map/ldb_map_outbound.c | 35 +++ python/samba/provision/backend.py | 22 +++ source4/setup/slapd.conf | 53 +-- 4 files changed, 92 insertions(+), 21 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/ldb-samba/ldb_ildap.c b/lib/ldb-samba/ldb_ildap.c index 3c28690..18853eb 100644 --- a/lib/ldb-samba/ldb_ildap.c +++ b/lib/ldb-samba/ldb_ildap.c 
@@ -681,6 +681,9 @@ static bool ildb_dn_is_special(struct ldb_request *req) struct ldb_dn *dn = NULL; switch (req-operation) { + case LDB_SEARCH: + dn = req-op.search.base; + break; case LDB_ADD: dn = req-op.add.message-dn; break; diff --git a/lib/ldb/ldb_map/ldb_map_outbound.c b/lib/ldb/ldb_map/ldb_map_outbound.c index 2c517a6..c6c86e3 100644 --- a/lib/ldb/ldb_map/ldb_map_outbound.c +++ b/lib/ldb/ldb_map/ldb_map_outbound.c @@ -195,7 +195,7 @@ static int ldb_msg_replace(struct ldb_message *msg, const struct ldb_message_ele /* no local result, add as new element */ if (old == NULL) { if (ldb_msg_add_empty(msg, el-name, 0, old) != 0) { - return -1; + return LDB_ERR_OPERATIONS_ERROR; } talloc_free(discard_const_p(char, old-name)); } @@ -205,10 +205,10 @@ static int ldb_msg_replace(struct ldb_message *msg, const struct ldb_message_ele /* and make sure we reference the contents */ if (!talloc_reference(msg-elements, el-name)) { - return -1; + return LDB_ERR_OPERATIONS_ERROR; } if (!talloc_reference(msg-elements, el-values)) { - return -1; + return LDB_ERR_OPERATIONS_ERROR; } return 0; @@ -480,7 +480,7 @@ static int map_reply_remote(struct map_context *ac, struct ldb_reply *ares) msg = ldb_msg_new(ares); if (msg == NULL) { map_oom(ac-module); - return -1; + return LDB_ERR_OPERATIONS_ERROR; } /* Merge remote message into new message */ @@ -494,7 +494,7 @@ static int map_reply_remote(struct map_context *ac, struct ldb_reply *ares) dn = ldb_dn_map_rebase_remote(ac-module, msg, ares-message-dn); if (dn == NULL) { talloc_free(msg); - return -1; + return LDB_ERR_OPERATIONS_ERROR; } msg-dn = dn; @@ -581,7 +581,7 @@ static int map_subtree_select_local_not(struct ldb_module *module, void *mem_ctx *new = talloc_memdup(mem_ctx, tree, sizeof(struct ldb_parse_tree)); if (*new == NULL) { map_oom(module); - return -1; + return LDB_ERR_OPERATIONS_ERROR; } /* Generate new subtree */ 
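Review bot: ldb_msg_replace now returns LDB_ERR_OPERATIONS_ERROR on its failure paths but still finishes with the literal `return 0;` visible as context at the end of the `@@ -205` hunk, so the function mixes a raw integer with LDB codes after a change whose stated purpose is to use only valid LDB codes. Make the success path `return LDB_SUCCESS;` so the function reads as returning an LDB code throughout; the same applies to any other `return 0;` in this file that the truncated diff does not show. ldb_msg_replace starts before the `@@ -195` hunk.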
@@ -613,7 +613,7 @@ static int map_subtree_select_local_list(struct ldb_module *module, void *mem_ct *new = talloc_memdup(mem_ctx, tree, sizeof(struct ldb_parse_tree)); if (*new == NULL) { map_oom(module); - return -1; + return
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 403ddac dsdb: When using an LDAP backend, force use of the password from secrets.ldb from 73278cd smbd: Convert br_lck-lock_data to talloc http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 403ddac6c899deeb452b32266e1b2169b1a09abe Author: Andrew Bartlett abart...@samba.org Date: Tue Sep 10 11:38:10 2013 +1200 dsdb: When using an LDAP backend, force use of the password from secrets.ldb This makes testing from the command line much easier, as ldbsearch -H sam.ldb will now just work as well as it did with a tdb-based provision. This code was removed from it's previous location outside the ldb module stack in aabda85a2fc9f6763abd56d61ff819012f2225ad. Andrew Bartlett Signed-off-by: Andrew Bartlett abart...@samba.org Signed-off-by: Nadezhda Ivanova nivan...@symas.com Autobuild-User(master): Nadezhda Ivanova nivan...@samba.org Autobuild-Date(master): Wed Sep 11 21:15:50 CEST 2013 on sn-devel-104 --- Summary of changes: source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 99 +++ 1 files changed, 99 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c index ee7f694..ac993db 100644 --- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c +++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c @@ -37,6 +37,9 @@ #include dsdb/samdb/ldb_modules/util.h #include dsdb/samdb/samdb.h #include librpc/ndr/libndr.h +#include auth/credentials/credentials.h +#include param/secrets.h +#include lib/ldb-samba/ldb_wrap.h static int read_at_rootdse_record(struct ldb_context *ldb, struct ldb_module *module, TALLOC_CTX *mem_ctx, struct ldb_message **msg, struct ldb_request *parent) 
@@ -129,7 +132,94 @@ static int prepare_modules_line(struct ldb_context *ldb, return ret; } +/* + * Force overwrite of the credentials with those + * specified in secrets.ldb, to connect across the + * ldapi socket to an LDAP backend + */ +static int set_ldap_credentials(struct ldb_context *ldb) +{ + const char *secrets_ldb_path, *sam_ldb_path; + char *private_dir, *p, *error_string; + struct ldb_context *secrets_ldb; + struct cli_credentials *cred; + struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, loadparm); + TALLOC_CTX *tmp_ctx = talloc_new(ldb); + + if (!tmp_ctx) { + return ldb_oom(ldb); + } + + cred = cli_credentials_init(ldb); + if (!cred) { + talloc_free(tmp_ctx); + return ldb_oom(ldb); + } + cli_credentials_set_anonymous(cred); + + /* +* We don't want to use krb5 to talk to our samdb - recursion +* here would be bad, and this account isn't in the KDC +* anyway +*/ + cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS); + + /* +* Work out where *our* secrets.ldb is. 
It must be in +* the same directory as sam.ldb +*/ + sam_ldb_path = (const char *)ldb_get_opaque(ldb, ldb_url); + if (!sam_ldb_path) { + talloc_free(tmp_ctx); + return ldb_operr(ldb); + } + if (strncmp(tdb://, sam_ldb_path, 6) == 0) { + sam_ldb_path += 6; + } + private_dir = talloc_strdup(tmp_ctx, sam_ldb_path); + p = strrchr(private_dir, '/'); + if (p) { + *p = '\0'; + } else { + private_dir = talloc_strdup(tmp_ctx, .); + } + + secrets_ldb_path = talloc_asprintf(private_dir, tdb://%s/secrets.ldb, + private_dir); + + if (!secrets_ldb_path) { + talloc_free(tmp_ctx); + return ldb_oom(ldb); + } + + /* +* Now that we have found the location, connect to +* secrets.ldb so we can read the SamDB Credentials +* record +*/ + secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path, + NULL, NULL, 0); + + if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL, +SECRETS_LDAP_FILTER, error_string))) { + ldb_asprintf_errstring(ldb, Failed to read LDAP backend password from %s, secrets_ldb_path); + talloc_free(tmp_ctx); + return LDB_ERR_STRONG_AUTH_REQUIRED; + } + + /* +* Finally overwrite any supplied credentials with +* these ones, as only secrets.ldb contains the magic +* credentials to talk on the ldapi socket +*/ + if (ldb_set_opaque(ldb, credentials
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b1cedbb SEGV in acl_validate_spn_value: dnsHostName NULL from 95976d4 selftest: Rework samba4.blackbox.bogusdomain to use a temporary user http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b1cedbbeea14e67cbce32d6ab152c6c5413ba7d8 Author: Arvid Requate requ...@univention.de Date: Fri Mar 2 13:59:30 2012 +0100 SEGV in acl_validate_spn_value: dnsHostName NULL This patch addresses a segfault in acl_validate_spn_value which occurs when the dnsHostName attribute is missing. This seems to be the case in domains migrated with samba3upgrade. Looks similar to MS KB 817543. Signed-off-by: Nadezhda Ivanova nivanova@drizzit.(none) Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Fri Mar 2 21:26:40 CET 2012 on sn-devel-104 --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index abde85f..6aed682 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -516,7 +516,7 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx, if (strlen(instanceName) == (strlen(samAccountName) - 1) strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) { goto success; - } else if (strcasecmp(instanceName, dnsHostName) == 0) { + } else if (dnsHostName != NULL strcasecmp(instanceName, dnsHostName) == 0) { goto success; } else if (is_dc) { const char *guid_str; -- Samba Shared Repository
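Review bot: The new `dnsHostName != NULL &&` guard fixes the crash but leaves no hint why the attribute can be absent, which the next reader will want before "simplifying" the check away. A short comment above the branch, e.g. `/* dnsHostName can be missing (seen on domains migrated with samba3upgrade); fall through to the remaining checks */`, keeps the reasoning from the commit message next to the code. Behaviourally the change only skips this comparison, so the SPN is still validated by the samAccountName and DC-specific branches and nothing is widened; the remainder of acl_validate_spn_value is outside the hunk.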
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 85e8c86 s4-dsdb: Add more information on why we don't check the SD control via cf4a308 s4-dsdb: If current attribute list is empty use the one from the request from 0e18a59 s3-build: fix the --with-profiling-data build on mac os x. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 85e8c863025db3dd6b895b42c7bf53c5b339b48a Author: Matthieu Patou m...@matws.net Date: Thu Apr 14 23:03:50 2011 +0400 s4-dsdb: Add more information on why we don't check the SD control Signed-off-by: Nadezhda Ivanova nivan...@samba.org Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Fri Apr 15 16:16:27 CEST 2011 on sn-devel-104 commit cf4a3081cbba88b00a3e224ce0ba61eb3d067985 Author: Matthieu Patou m...@matws.net Date: Thu Apr 14 22:02:48 2011 +0400 s4-dsdb: If current attribute list is empty use the one from the request This will avoid overwritting attribute list made by upper modules. Signed-off-by: Nadezhda Ivanova nivan...@samba.org --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl_read.c |7 ++- 1 files changed, 6 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index cde6d11..181619a 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c @@ -287,6 +287,11 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) if (!ac-schema) { return ldb_operr(ldb); } + /* +* In theory we should also check for the SD control but control verification is +* expensive so we'd better had the ntsecuritydescriptor to the list of +* searched attribute and then remove it ! +*/ ac-sd = !(ldb_attr_in_list(req-op.search.attrs, nTSecurityDescriptor)); if (req-op.search.attrs !ldb_attr_in_list(req-op.search.attrs, *)) { if (!ldb_attr_in_list(req-op.search.attrs, instanceType)) { 
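Review bot: The new comment records an intentional gap (the SD control is not verified) but its wording, "we'd better had the ntsecuritydescriptor to the list of searched attribute and then remove it", is hard to parse and miscases the attribute name. Suggest `/* We deliberately do not check for the SD control here: control verification is expensive. Instead nTSecurityDescriptor is added to the requested attributes and stripped from the reply again. */`. It would also help to say that `ac->sd` on the next line records whether the caller asked for the attribute itself, since that is what decides the later stripping. aclread_search continues beyond this hunk.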
@@ -305,7 +310,7 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) /* avoid replacing all attributes with nTSecurityDescriptor * if attribute list is empty */ if (!attrs) { - attrs = ldb_attr_list_copy_add(ac, attrs, *); + attrs = ldb_attr_list_copy_add(ac, req-op.search.attrs, *); } attrs = ldb_attr_list_copy_add(ac, attrs, nTSecurityDescriptor); } -- Samba Shared Repository
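Review bot: The result of the new `ldb_attr_list_copy_add(ac, req->op.search.attrs, "*")` call is not checked before it is fed into the second copy on the following line, whose result is not checked either. If ldb_attr_list_copy_add() returns NULL on allocation failure and treats a NULL input as an empty list, which is how I read it but is outside the hunk, an OOM here would silently turn the search into one for nTSecurityDescriptor only rather than failing. Adding `if (attrs == NULL) { return ldb_oom(ldb); }` after each call closes that; `ldb` is already in scope in this function.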
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0b93902 s4-descriptor: Fixed a typo in a comment and clarified it a bit. via be36596 s4-descriptor: Fixed some missing curly braces. from 85f4f73 s4:torture/rpc/netlogon.c - fix two build warnings by casts http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0b9390234998098a2111dc891f0077bb9cf9d914 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Feb 22 06:30:53 2011 +0200 s4-descriptor: Fixed a typo in a comment and clarified it a bit. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Tue Feb 22 12:39:23 CET 2011 on sn-devel-104 commit be36596f4e98847c91548d8fb80f708a10ebaea1 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Feb 22 06:28:19 2011 +0200 s4-descriptor: Fixed some missing curly braces. --- Summary of changes: source4/dsdb/samdb/ldb_modules/descriptor.c | 27 +++ 1 files changed, 15 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c index 19cea0a..7e92c2b 100644 --- a/source4/dsdb/samdb/ldb_modules/descriptor.c +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c 
@@ -81,28 +81,31 @@ struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx, } if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) { - if (security_token_has_sid(token, sa_sid)) + if (security_token_has_sid(token, sa_sid)) { dag_sid = dom_sid_dup(mem_ctx, sa_sid); - else if (security_token_has_sid(token, ea_sid)) + } else if (security_token_has_sid(token, ea_sid)) { dag_sid = dom_sid_dup(mem_ctx, ea_sid); - else if (security_token_has_sid(token, da_sid)) + } else if (security_token_has_sid(token, da_sid)) { dag_sid = dom_sid_dup(mem_ctx, da_sid); - else + } else { dag_sid = NULL; + } } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) { - if (security_token_has_sid(token, ea_sid)) + if (security_token_has_sid(token, ea_sid)) { dag_sid = dom_sid_dup(mem_ctx, ea_sid); - else if (security_token_has_sid(token, da_sid)) + } else if (security_token_has_sid(token, da_sid)) { dag_sid = dom_sid_dup(mem_ctx, da_sid); - else + } else { dag_sid = NULL; + } } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) { - if (security_token_has_sid(token, da_sid)) + if (security_token_has_sid(token, da_sid)) { dag_sid = dom_sid_dup(mem_ctx, da_sid); - else if (security_token_has_sid(token, ea_sid)) + } else if (security_token_has_sid(token, ea_sid)) { dag_sid = dom_sid_dup(mem_ctx, ea_sid); - else + } else { dag_sid = NULL; + } } else { dag_sid = NULL; } @@ -482,8 +485,8 @@ static int descriptor_add(struct ldb_module *module, struct ldb_request *req) } /* if the object has a parent, retrieve its SD to -* use for calculation. unfortunately we do not yet have -* instanceType*/ +* use for calculation. Unfortunately we do not yet have +* instanceType, so we use dsdb_find_nc_root. */ parent_dn = ldb_dn_get_parent(req, dn); if (parent_dn == NULL) { return ldb_oom(ldb); -- Samba Shared Repository
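Review bot: In the three braced chains a `dom_sid_dup()` failure leaves `dag_sid == NULL`, which is exactly the value the final `else` branches use to mean "the token holds none of the administrative SIDs", so an out-of-memory condition is indistinguishable from a legitimate "no default administrators group" result. Because this value feeds the default owner/group of newly created security descriptors, it is worth separating the two: select into a local `const struct dom_sid *match = NULL;` inside the chains, then after them do the single `dom_sid_dup(mem_ctx, match)` with an explicit NULL check. The brace cleanup itself is fine. get_default_ag begins and ends outside the hunk, so the caller's error convention is not visible here.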
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a69f634 s4-descriptor: Fixed some compiler warnings. via 3b9f375 s4-descriptor: Removed unnecessary descriptor_change function and unused callbacks. via a0a52b3 s4-descriptor: Replaced the async descriptor_change with synchronous descriptor_modify. via 85877c0 s4-descriptor: Replaced the synchronous descriptor_change with the synchronous descriptor_add. from fb45c88 s4-smbtorture: use torture_comment() instead of printf in raw.write test. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a69f634de467733fc7c3238303bf061f47c39ab2 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Feb 21 17:17:12 2011 +0200 s4-descriptor: Fixed some compiler warnings. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Mon Feb 21 18:02:21 CET 2011 on sn-devel-104 commit 3b9f3755b037bf19244781cdaa2de46370d385e9 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Feb 21 17:14:12 2011 +0200 s4-descriptor: Removed unnecessary descriptor_change function and unused callbacks. commit a0a52b3423db0fec82092924772afc1d2289003a Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Feb 21 17:08:44 2011 +0200 s4-descriptor: Replaced the async descriptor_change with synchronous descriptor_modify. The purpose is to make descriptor module synchronous. This will simplify reading and debugging, and also will make the implementation of SD hierarchy recalculation on modify much easier. commit 85877c0bd1279a6c19bb8354f56e9cdbe1901630 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Feb 21 17:04:27 2011 +0200 s4-descriptor: Replaced the synchronous descriptor_change with the synchronous descriptor_add. The purpose is to make descriptor module synchronous. This will simplify reading and debugging, and also will make the implementation of SD hierarchy recalculation on modify much easier. 
--- Summary of changes: source4/dsdb/samdb/ldb_modules/descriptor.c | 516 ++- 1 files changed, 192 insertions(+), 324 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c index dfbfdf6..19cea0a 100644 --- a/source4/dsdb/samdb/ldb_modules/descriptor.c +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c @@ -211,8 +211,8 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module, TALLOC_CTX *mem_ctx, const struct dsdb_class *objectclass, const struct ldb_val *parent, -struct ldb_val *object, -struct ldb_val *old_sd, +const struct ldb_val *object, +const struct ldb_val *old_sd, uint32_t sd_flags) { struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL; @@ -379,106 +379,6 @@ static struct descriptor_context *descriptor_init_context(struct ldb_module *mod return ac; } -static int get_search_callback(struct ldb_request *req, struct ldb_reply *ares) -{ - struct ldb_context *ldb; - struct descriptor_context *ac; - int ret; - - ac = talloc_get_type(req-context, struct descriptor_context); - ldb = ldb_module_get_ctx(ac-module); - - if (!ares) { - return ldb_module_done(ac-req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - if (ares-error != LDB_SUCCESS - ares-error != LDB_ERR_NO_SUCH_OBJECT) { - return ldb_module_done(ac-req, ares-controls, - ares-response, ares-error); - } - - ldb_reset_err_string(ldb); - - switch (ares-type) { - case LDB_REPLY_ENTRY: - if (ac-search_res != NULL) { - ldb_set_errstring(ldb, Too many results); - talloc_free(ares); - return ldb_module_done(ac-req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - - ac-search_res = talloc_steal(ac, ares); - break; - - case LDB_REPLY_REFERRAL: - /* ignore */ - talloc_free(ares); - break; - - case LDB_REPLY_DONE: - talloc_free(ares); - ret = ac-step_fn(ac); - if (ret != LDB_SUCCESS) { - return ldb_module_done(ac-req, NULL, NULL, ret); - } - break; - } - - return LDB_SUCCESS; -} - -static int
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b5a2f95 s4-tests: Some tests that prove behavior for INHERITED user-provided ACEs is different if the P flag is set. via c3f6cc9 security: Fixed some handling of ACEs with INHERITED flag provided by the user from 14edbf7 s4-build: need EXPAND_VARIABLES() for terminal in make test http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b5a2f956c6f9ac8d37a77e0f20e9d3c87ab50f9d Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Feb 10 12:43:35 2011 +0200 s4-tests: Some tests that prove behavior for INHERITED user-provided ACEs is different if the P flag is set. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Feb 10 12:31:34 CET 2011 on sn-devel-104 commit c3f6cc9993f7fd45cff63c6a5fefde084a6cc173 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Feb 10 12:39:22 2011 +0200 security: Fixed some handling of ACEs with INHERITED flag provided by the user Some tests showed that these ACEs are not removed if the DACL_PROTECTED flag is provided at the same time. This is not documented but tests prove it and it has been observerd in deployment. --- Summary of changes: libcli/security/create_descriptor.c | 21 source4/dsdb/tests/python/sec_descriptor.py | 34 +++ 2 files changed, 50 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c index 643c98d..9e348a7 100644 --- a/libcli/security/create_descriptor.c +++ b/libcli/security/create_descriptor.c @@ -210,7 +210,8 @@ static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx, bool is_container, struct dom_sid *owner, struct dom_sid *group, -struct GUID *object_list) +struct GUID *object_list, +bool is_protected) { uint32_t i; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); 
@@ -232,8 +233,16 @@ static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx, for (i=0; i acl-num_aces; i++){ struct security_ace *ace = acl-aces[i]; - if (ace-flags SEC_ACE_FLAG_INHERITED_ACE) - continue; + /* Remove ID flags from user-provided ACEs +* if we break inheritance, ignore them otherwise */ + if (ace-flags SEC_ACE_FLAG_INHERITED_ACE) { + if (is_protected) { + ace-flags = ~SEC_ACE_FLAG_INHERITED_ACE; + } else { + continue; + } + } + if (ace-flags SEC_ACE_FLAG_INHERIT_ONLY !(ace-flags SEC_ACE_FLAG_CONTAINER_INHERIT || ace-flags SEC_ACE_FLAG_OBJECT_INHERIT)) @@ -358,13 +367,15 @@ static bool compute_acl(struct security_descriptor *parent_sd, is_container, new_sd-owner_sid, new_sd-group_sid, -object_list); +object_list, +creator_sd-type SEC_DESC_DACL_PROTECTED); user_sacl = process_user_acl(new_sd, creator_sd-sacl, is_container, new_sd-owner_sid, new_sd-group_sid, -object_list); +object_list, +creator_sd-type SEC_DESC_SACL_PROTECTED); } cr_descr_log_descriptor(parent_sd, __location__parent_sd, level); cr_descr_log_descriptor(creator_sd,__location__ creator_sd, level); diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py index 2db33ae..705bf89 100755 --- a/source4/dsdb/tests/python/sec_descriptor.py +++ b/source4/dsdb/tests/python/sec_descriptor.py @@ -1655,6 +1655,40 @@ class DaclDescriptorTests(DescriptorTests): self.assertTrue((A;CIID;WP;;;DU) in desc_sddl) self.assertFalse((A;CIIOID;WP;;;DU) in desc_sddl) +def test_216(self): + Make sure ID ACES provided by user are ignored + +ou_dn = OU=test_inherit_ou, + self.base_dn +group_dn = CN
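Review bot: `ace->flags &= ~SEC_ACE_FLAG_INHERITED_ACE;` clears the flag in place, and `ace` points into `acl->aces[i]`, i.e. the caller's ACL; the later hunk shows the argument is `creator_sd->dacl` / `creator_sd->sacl`. The function otherwise only builds `tmp_acl`, so this is the one place the input descriptor is mutated, and whether any caller re-reads creator_sd afterwards is not visible here. To keep the input read-only, work on a copy: `struct security_ace ace_copy = acl->aces[i];` followed by `struct security_ace *ace = &ace_copy;`, which leaves the rest of the loop untouched as the function appears to copy `*ace` into tmp_acl by value. The loop body of process_user_acl continues past the hunk.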
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a38d04a s4-tools: Added --sddl option, which allows the user to add an ACE to an object's security descriptor in SDDL format from 6d3625d libwbclient: doxygen: mark wbcSetGidHwm deprecated http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a38d04a7a863d628f23b2bae95ee184eecb502f0 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Feb 10 15:04:23 2011 +0200 s4-tools: Added --sddl option, which allows the user to add an ACE to an object's security descriptor in SDDL format Useful for testing purposes. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Feb 10 15:28:04 CET 2011 on sn-devel-104 --- Summary of changes: source4/scripting/python/samba/netcmd/dsacl.py | 12 1 files changed, 8 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/netcmd/dsacl.py b/source4/scripting/python/samba/netcmd/dsacl.py index 2d74145..58a3552 100644 --- a/source4/scripting/python/samba/netcmd/dsacl.py +++ b/source4/scripting/python/samba/netcmd/dsacl.py @@ -79,6 +79,8 @@ class cmd_ds_acl_set(Command): type=string), Option(--trusteedn, help=DN of the entity that gets access, type=string), +Option(--sddl, help=An ACE or group of ACEs to be added on the object, +type=string), ] def find_trustee_sid(self, samdb, trusteedn): @@ -133,13 +135,13 @@ class cmd_ds_acl_set(Command): print new descriptor for %s: % object_dn print desc_sddl -def run(self, car, action, objectdn, trusteedn, +def run(self, car, action, objectdn, trusteedn, sddl, host=None, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) -if (car is None or action is None or objectdn is None or -trusteedn is None): +if sddl is None and (car is None or action is None + or objectdn is None or trusteedn is None): return self.usage() samdb = SamDB(url=host, session_info=system_session(), 
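Review bot: The relaxed usage check lets `objectdn` be None whenever --sddl is given, yet the object DN is still needed to find the descriptor being changed (`object_dn` is used in the print just above), so `samba-tool dsacl set --sddl=...` without --objectdn now fails later with a less helpful error instead of showing usage. Suggest `if objectdn is None or (sddl is None and (car is None or action is None or trusteedn is None)):` followed by `return self.usage()`. The remainder of run() is outside this hunk.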
@@ -159,7 +161,9 @@ class cmd_ds_acl_set(Command): 'ro-repl-secret-sync' : GUID_DRS_RO_REPL_SECRET_SYNC, } sid = self.find_trustee_sid(samdb, trusteedn) -if action == allow: +if sddl: +new_ace = sddl +elif action == allow: new_ace = (OA;;CR;%s;;%s) % (cars[car], str(sid)) elif action == deny: new_ace = (OD;;CR;%s;;%s) % (cars[car], str(sid)) -- Samba Shared Repository
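Review bot: `sid = self.find_trustee_sid(samdb, trusteedn)` still runs unconditionally before the new `if sddl:` branch, and with --sddl the usage check no longer requires --trusteedn, so `trusteedn` can be None here and the lookup presumably fails before the SDDL path is reached. Move the lookup into the branches that need it, e.g. `elif action == "allow": sid = self.find_trustee_sid(samdb, trusteedn)` before building the `(OA;;CR;...)` string, and the same for deny. A one-line comment that the --sddl string bypasses the car/trustee model and is appended as given (intended for testing, per the commit message) would also help the next reader. The rest of run(), including where `new_ace` is applied, is outside the hunk.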
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 95e644f s4-acl: Fixed returning uninitialized ldap error in case of some critical errors. from 1232fb5 s3-rpc_client: remove some more obsolete cli_X.h header files. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 95e644f4605f91632bf606d5ec36abc187bc98af Author: Nadezhda Ivanova nivan...@samba.org Date: Fri Jan 28 11:58:14 2011 +0200 s4-acl: Fixed returning uninitialized ldap error in case of some critical errors. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Fri Jan 28 12:04:01 CET 2011 on sn-devel-104 --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl.c | 17 ++--- 1 files changed, 10 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 2db4de5..69ff2aa 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -891,8 +891,9 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, acl_res-msgs[0], sd); if (ret != LDB_SUCCESS) { - DEBUG(10, (acl_modify: cannot get descriptor\n)); - goto fail; + talloc_free(tmp_ctx); + return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, +acl_modify: Error retrieving security descriptor.); } /* Theoretically we pass the check if the object has no sd */ if (!sd) { 
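Review bot: A modify on an object that has no nTSecurityDescriptor at all still passes with no access check (`if (!sd)` right after the new return), while one whose descriptor cannot be parsed is now rejected with `LDB_ERR_OPERATIONS_ERROR`; the fail-open half of that asymmetry deserves an explicit comment rather than "Theoretically we pass the check". Suggest replacing that line with `/* NOTE(review): an object without a security descriptor is NOT access-checked here (fail-open). Confirm this matches Windows and that every object is stamped with one on creation. */`. The explicit error return replacing the uninitialised `goto fail` is the right fix. acl_modify and the `if (!sd)` body continue outside the hunk.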
@@ -901,19 +902,21 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) guid = get_oc_guid_from_message(module, schema, acl_res-msgs[0]); if (!guid) { - DEBUG(10, (acl_modify: cannot get guid\n)); - goto fail; + talloc_free(tmp_ctx); + return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, +acl_modify: Error retrieving object class GUID.); } sid = samdb_result_dom_sid(req, acl_res-msgs[0], objectSid); if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP, root, new_node)) { - DEBUG(10, (acl_modify: cannot add to object tree\n)); - goto fail; + talloc_free(tmp_ctx); + return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, +acl_modify: Error adding new node in object tree.); } for (i=0; i req-op.mod.message-num_elements; i++){ const struct dsdb_attribute *attr; attr = dsdb_attribute_by_lDAPDisplayName(schema, - req-op.mod.message-elements[i].name); + req-op.mod.message-elements[i].name); if (ldb_attr_cmp(nTSecurityDescriptor, req-op.mod.message-elements[i].name) == 0) { status = sec_access_check_ds(sd, acl_user_token(module), -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f6077f2 s4-tests: Added a test for correct inheritance of IO flagged ACEs. via fed9250 s4-security: Fixed incorrect inheritance of IO flagged ACES from 757cfc2 release-scripts: add build-htmlman-nogit http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f6077f23b773d521938539fe142cd2675c3978b3 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Jan 18 15:58:18 2011 +0200 s4-tests: Added a test for correct inheritance of IO flagged ACEs. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Tue Jan 18 15:53:46 CET 2011 on sn-devel-104 commit fed925079b988502674c48555e27e3ee9d214b4b Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Jan 18 15:56:19 2011 +0200 s4-security: Fixed incorrect inheritance of IO flagged ACES They should be inherited without the IO flag unless they contain generic information. --- Summary of changes: libcli/security/create_descriptor.c |5 + source4/dsdb/tests/python/sec_descriptor.py | 18 ++ 2 files changed, 23 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c index e5fa9b8..643c98d 100644 --- a/libcli/security/create_descriptor.c +++ b/libcli/security/create_descriptor.c @@ -157,6 +157,11 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, tmp_acl-aces[tmp_acl-num_aces] = *ace; tmp_acl-aces[tmp_acl-num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE; + /* remove IO flag from the child's ace */ + if (ace-flags SEC_ACE_FLAG_INHERIT_ONLY + !desc_ace_has_generic(tmp_ctx, ace)) { + tmp_acl-aces[tmp_acl-num_aces].flags = ~SEC_ACE_FLAG_INHERIT_ONLY; + } if (is_container (ace-flags SEC_ACE_FLAG_OBJECT_INHERIT)) tmp_acl-aces[tmp_acl-num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py index bab0476..de71dae 100755 
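Review bot: The new block clears SEC_ACE_FLAG_INHERIT_ONLY on the inherited copy unless `desc_ace_has_generic()` says so, but the comment only states "remove IO flag", not why generic ACEs are exempt, and the unchanged next line may set IO again for containers with OBJECT_INHERIT, so the order of the two statements is load-bearing. Suggest expanding the comment to `/* An inherit-only ACE becomes effective on the child, so drop IO; ACEs with generic rights keep it (presumably their expanded effective ACE is produced separately - TODO confirm). The container/OI case below re-adds IO on purpose. */`. calculate_inherited_from_parent begins and ends outside the hunk.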
--- a/source4/dsdb/tests/python/sec_descriptor.py +++ b/source4/dsdb/tests/python/sec_descriptor.py @@ -1637,6 +1637,24 @@ class DaclDescriptorTests(DescriptorTests): self.assertTrue((A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU) in desc_sddl) self.assertTrue((A;CIIOID;GA;;;DU) in desc_sddl) +def test_215(self): + Make sure IO flag is removed in child objects + +ou_dn = OU=test_inherit_ou_p, + self.base_dn +ou_dn1 = OU=test_inherit_ou1, + ou_dn +ou_dn5 = OU=test_inherit_ou5, + ou_dn1 +# Create inheritable-free OU +mod = D:P(A;CI;WPRPLCCCDCWDRC;;;DA) +tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid) +self.ldb_admin.create_ou(ou_dn, sd=tmp_desc) +mod = D:(A;CIIO;WP;;;DU) +tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid) +self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc) +self.ldb_admin.create_ou(ou_dn5) +desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5) +self.assertTrue((A;CIID;WP;;;DU) in desc_sddl) +self.assertFalse((A;CIIOID;WP;;;DU) in desc_sddl) + -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 3ecce7f s4-tools: Added a --sort-aces option to ldapcmp from 528bced s3:build: don't use librpc/gen_ndr/cli_echo.[ch] anymore http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3ecce7f2ee243eb1411e4aa8cb0648d118c1c364 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Jan 17 14:22:22 2011 +0200 s4-tools: Added a --sort-aces option to ldapcmp This option sorts the ACE lists during SD comparison in collision view to make it easier to determine of a difference is only in ACE order, and if not, where do differences start. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Mon Jan 17 14:09:09 CET 2011 on sn-devel-104 --- Summary of changes: source4/scripting/python/samba/netcmd/ldapcmp.py | 18 -- 1 files changed, 12 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/netcmd/ldapcmp.py b/source4/scripting/python/samba/netcmd/ldapcmp.py index dff0c1e..d62b554 100755 --- a/source4/scripting/python/samba/netcmd/ldapcmp.py +++ b/source4/scripting/python/samba/netcmd/ldapcmp.py @@ -46,7 +46,7 @@ summary = {} class LDAPBase(object): def __init__(self, host, creds, lp, - two=False, quiet=False, descriptor=False, verbose=False, + two=False, quiet=False, descriptor=False, sort_aces=False, verbose=False, view=section, base=, scope=SUB): ldb_options = [] samdb_url = host @@ -67,6 +67,7 @@ class LDAPBase(object): self.two_domains = two self.quiet = quiet self.descriptor = descriptor +self.sort_aces = sort_aces self.view = view self.verbose = verbose self.host = host @@ -208,6 +209,8 @@ class Descriptor(object): self.dn = dn self.sddl = self.con.get_descriptor_sddl(self.dn) self.dacl_list = self.extract_dacl() +if self.con.sort_aces: +self.dacl_list.sort() def extract_dacl(self): Extracts the DACL as a list of ACE string (with the brakets). 
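Review bot: `self.dacl_list.sort()` orders the ACE strings lexically, which serves the stated purpose but hides a semantic difference: ACE order matters in a DACL (canonical order puts explicit deny ACEs before allow ACEs, and an out-of-order DACL changes access-check results), so under --sort-aces two descriptors that differ only in order compare as equal. Suggest `# NOTE: ACE order affects access evaluation; sorting deliberately hides ordering-only differences` above the sort, and echoing that caveat in the --sort-aces help text. Descriptor.__init__ is shown in full here.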
@@ -781,6 +784,8 @@ class cmd_ldapcmp(Command): help=Print all DN pairs that have been compared), Option(--sd, dest=descriptor, action=store_true, default=False, help=Compare nTSecurityDescriptor attibutes only), +Option(--sort-aces, dest=sort_aces, action=store_true, default=False, +help=Sort ACEs before comparison of nTSecurityDescriptor attribute), Option(--view, dest=view, default=section, help=Display mode for nTSecurityDescriptor results. Possible values: section or collision.), Option(--base, dest=base, default=, @@ -793,9 +798,8 @@ class cmd_ldapcmp(Command): def run(self, URL1, URL2, context1=None, context2=None, context3=None, -two=False, quiet=False, verbose=False, descriptor=False, view=section, -base=, base2=, scope=SUB, -credopts=None, sambaopts=None, versionopts=None): +two=False, quiet=False, verbose=False, descriptor=False, sort_aces=False, view=section, +base=, base2=, scope=SUB, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp, fallback_machine=True) creds2 = credopts.get_credentials2(lp, guess=False) @@ -835,11 +839,13 @@ class cmd_ldapcmp(Command): raise CommandError(Invalid --scope value. Choose from: SUB, ONE, BASE) con1 = LDAPBase(URL1, creds, lp, -two=two, quiet=quiet, descriptor=descriptor, verbose=verbose, view=view, base=base, scope=scope) +two=two, quiet=quiet, descriptor=descriptor, sort_aces=sort_aces, +verbose=verbose,view=view, base=base, scope=scope) assert len(con1.base_dn) 0 con2 = LDAPBase(URL2, creds2, lp, -two=two, quiet=quiet, descriptor=descriptor, verbose=verbose, view=view, base=base2, scope=scope) +two=two, quiet=quiet, descriptor=descriptor, sort_aces=sort_aces, +verbose=verbose, view=view, base=base2, scope=scope) assert len(con2.base_dn) 0 status = 0 -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 622ef6a s4-provision: Fixed owner/group for hard-coded Sites descriptor. via 35d8b80 s4-tools: Fixed a bug in ldapcmp - DACL was not retrieved correctly if the object had no SACL. from 93da0aa s3-rpc_client: Fixed status check of dcerpc_lsa_lookup_sids_noalloc. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 622ef6aed82a2f2f7748c2a88535486af77487de Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Jan 17 17:48:36 2011 +0200 s4-provision: Fixed owner/group for hard-coded Sites descriptor. We must not specify explicitly owner and group. As there is a difference between WIN_2003 and WIN_2008, we should let descriptor module compute the correct default ones. Also removed inherited ACEs, they are ignored during SD creation anyway. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Mon Jan 17 18:23:24 CET 2011 on sn-devel-104 commit 35d8b808005638e9fa33bf7983d449db34dfb761 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Jan 17 17:44:10 2011 +0200 s4-tools: Fixed a bug in ldapcmp - DACL was not retrieved correctly if the object had no SACL. --Pair-Programmed-With: Zahari Zahariev --- Summary of changes: source4/scripting/python/samba/netcmd/ldapcmp.py |5 - .../scripting/python/samba/provision/__init__.py |4 +--- 2 files changed, 5 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/netcmd/ldapcmp.py b/source4/scripting/python/samba/netcmd/ldapcmp.py index d62b554..1cde860 100755 --- a/source4/scripting/python/samba/netcmd/ldapcmp.py +++ b/source4/scripting/python/samba/netcmd/ldapcmp.py 
@@ -216,7 +216,10 @@ class Descriptor(object): Extracts the DACL as a list of ACE string (with the brakets). try: -res = re.search(D:(.*?)(\(.*?\))S:, self.sddl).group(2) +if S: in self.sddl: +res = re.search(D:(.*?)(\(.*?\))S:, self.sddl).group(2) +else: +res = re.search(D:(.*?)(\(.*\)), self.sddl).group(2) except AttributeError: return [] return re.findall((\(.*?\)), res) diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index 3e402b2..e200083 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -106,11 +106,9 @@ def find_setup_dir(): # get_schema_descriptor is located in schema.py def get_sites_descriptor(domain_sid): -sddl = O:EAG:EAD:AI(A;;RPLCLORC;;;AU) \ +sddl = D:(A;;RPLCLORC;;;AU) \ (A;;RPWPCRCCLCLORCWOWDSW;;;EA) \ (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY) \ - (A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA) \ - (A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA) \ S:AI(AU;CISA;CCDCSDDT;;;WD) \ (OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD) \ (OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD) \ -- Samba Shared Repository
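Review bot: In the ldapcmp.py hunk every regex miss in the new branches still falls into the `except AttributeError: return []` below, so a DACL the patterns cannot parse (an SDDL string where `S:` precedes `D:`, or a DACL section with no ACEs at all) is reported as an empty DACL instead of a parse failure, and a comparison tool then treats unparsed descriptors as equal without saying so. A safer shape is to locate the section explicitly — find `"D:"`, find the next `"S:"` after it (or the end of the string), and run the trailing `re.findall("(\(.*?\))", ...)` on that slice only, logging or raising when `"D:"` is absent rather than returning `[]`. Note also that `"S:" in self.sddl` is a substring test over the whole string, not a check that a SACL section follows the DACL. The enclosing method (the DACL extractor whose docstring is visible) starts outside the hunk.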
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 961f503 security: Fixed incorrect indentation in create_descriptor.c from a556896 s3-build: remove RPCCLI_WINREG subsystem. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 961f503f0dd7a03696460b482da4fa7e08daa78d Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Jan 13 15:22:15 2011 +0200 security: Fixed incorrect indentation in create_descriptor.c Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Jan 13 15:53:16 CET 2011 on sn-devel-104 --- Summary of changes: libcli/security/create_descriptor.c | 24 1 files changed, 12 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c index 2228e48..e5fa9b8 100644 --- a/libcli/security/create_descriptor.c +++ b/libcli/security/create_descriptor.c @@ -253,18 +253,18 @@ static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx, owner, group); } else { - /*The original ACE becomes read only */ - tmp_acl-aces[tmp_acl-num_aces-1].flags |= SEC_ACE_FLAG_INHERIT_ONLY; - tmp_acl-aces = talloc_realloc(tmp_acl, tmp_acl-aces, - struct security_ace, - tmp_acl-num_aces+1); - /* add a new ACE with expanded generic info */ - tmp_acl-aces[tmp_acl-num_aces] = *ace; - desc_expand_generic(tmp_ctx, - tmp_acl-aces[tmp_acl-num_aces], - owner, - group); - tmp_acl-num_aces++; + /*The original ACE becomes read only */ + tmp_acl-aces[tmp_acl-num_aces-1].flags |= SEC_ACE_FLAG_INHERIT_ONLY; + tmp_acl-aces = talloc_realloc(tmp_acl, tmp_acl-aces, + struct security_ace, + tmp_acl-num_aces+1); + /* add a new ACE with expanded generic info */ + tmp_acl-aces[tmp_acl-num_aces] = *ace; + desc_expand_generic(tmp_ctx, + tmp_acl-aces[tmp_acl-num_aces], + owner, + group); + tmp_acl-num_aces++; } } } -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via db7e38d s4-tests: Tests for expansion of ACEs containing generic information. via 980f68a security: Fixed bugs in expansion of generic information ACEs from d7c2eb1 abi: force TERM=none in abi generation http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit db7e38d59a88f2d42a816f365719a76dcaee89f1 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Jan 11 12:23:57 2011 +0200 s4-tests: Tests for expansion of ACEs containing generic information. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Tue Jan 11 12:10:25 CET 2011 on sn-devel-104 commit 980f68a6f26070270313a4c7a4c0430f2bb3f078 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Jan 11 12:20:43 2011 +0200 security: Fixed bugs in expansion of generic information ACEs When an ACE gontaining GA, GE, GR, GW, CO or CG is provided by a user or inherited the final SD actually has to have 2 ACEs, one is an effective expanded one, and the original one with IO flag added. --- Summary of changes: libcli/security/create_descriptor.c | 120 ++- source4/dsdb/tests/python/sec_descriptor.py | 61 +- 2 files changed, 141 insertions(+), 40 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c index d5bb21b..2228e48 100644 --- a/libcli/security/create_descriptor.c +++ b/libcli/security/create_descriptor.c @@ -55,12 +55,12 @@ uint32_t map_generic_rights_ds(uint32_t access_mask) { if (access_mask SEC_GENERIC_ALL) { access_mask |= SEC_ADS_GENERIC_ALL; - access_mask = ~SEC_GENERIC_ALL; + access_mask = ~SEC_GENERIC_ALL; } if (access_mask SEC_GENERIC_EXECUTE) { access_mask |= SEC_ADS_GENERIC_EXECUTE; - access_mask = ~SEC_GENERIC_EXECUTE; + access_mask = ~SEC_GENERIC_EXECUTE; } if (access_mask SEC_GENERIC_WRITE) { 
@@ -82,6 +82,45 @@ static bool object_in_list(struct GUID *object_list, struct GUID *object) { return true; } + +/* returns true if the ACE gontains generic information + * that needs to be processed additionally */ + +static bool desc_ace_has_generic(TALLOC_CTX *mem_ctx, +struct security_ace *ace) +{ + struct dom_sid *co, *cg; + co = dom_sid_parse_talloc(mem_ctx, SID_CREATOR_OWNER); + cg = dom_sid_parse_talloc(mem_ctx, SID_CREATOR_GROUP); + if (ace-access_mask SEC_GENERIC_ALL || ace-access_mask SEC_GENERIC_READ || + ace-access_mask SEC_GENERIC_WRITE || ace-access_mask SEC_GENERIC_EXECUTE) { + return true; + } + if (dom_sid_equal(ace-trustee, co) || dom_sid_equal(ace-trustee, cg)) { + return true; + } + return false; +} + +/* creates an ace in which the generic information is expanded */ + +static void desc_expand_generic(TALLOC_CTX *mem_ctx, + struct security_ace *new_ace, + struct dom_sid *owner, + struct dom_sid *group) +{ + struct dom_sid *co, *cg; + co = dom_sid_parse_talloc(mem_ctx, SID_CREATOR_OWNER); + cg = dom_sid_parse_talloc(mem_ctx, SID_CREATOR_GROUP); + new_ace-access_mask = map_generic_rights_ds(new_ace-access_mask); + if (dom_sid_equal(new_ace-trustee, co)) { + new_ace-trustee = *owner; + } + if (dom_sid_equal(new_ace-trustee, cg)) { + new_ace-trustee = *group; + } + new_ace-flags = 0x0; +} static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, struct security_acl *acl, @@ -108,7 +147,8 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, struct security_ace *ace = acl-aces[i]; if ((ace-flags SEC_ACE_FLAG_CONTAINER_INHERIT) || (ace-flags SEC_ACE_FLAG_OBJECT_INHERIT)) { - tmp_acl-aces = talloc_realloc(tmp_acl, tmp_acl-aces, struct security_ace, + tmp_acl-aces = talloc_realloc(tmp_acl, tmp_acl-aces, + struct security_ace, tmp_acl-num_aces+1); if (tmp_acl-aces == NULL) { talloc_free(tmp_ctx); 
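Review bot: desc_ace_has_generic() and desc_expand_generic() each parse SID_CREATOR_OWNER and SID_CREATOR_GROUP with dom_sid_parse_talloc() on every call and never check the results, so an allocation failure is not reported and the two parsed SIDs accumulate on mem_ctx for every ACE processed. Comparing against the constant SIDs removes both issues: `if (dom_sid_equal(&ace->trustee, &global_sid_Creator_Owner) || dom_sid_equal(&ace->trustee, &global_sid_Creator_Group)) {` in desc_ace_has_generic(), and the same two constants in desc_expand_generic(). The four separate `access_mask & SEC_GENERIC_*` tests read better as one mask, `ace->access_mask & (SEC_GENERIC_ALL | SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE)`. `new_ace->flags = 0x0` also clears SEC_ACE_FLAG_INHERITED_ACE on the expanded copy of an inherited ACE; whether the effective ACE is meant to lose its inherited marking is worth confirming against the inheritance rules, and the comment typo `gontains` should read `contains`.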
@@ -128,30 +168,24 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, } } - tmp_acl-aces[tmp_acl-num_aces].access_mask
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 935b985 s4-tests: Tests for Validated-SPN implementation. via 3ba42be s4-acl: Implementation of Validated-SPN validated write via 9aaacee s4-dsdb: Added a helper function to get the default dns domain as string. from 2c657d8 s3:libsmb/namequery.c: don't leak 'pserver' http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 935b985d23f84738259a42cbcd889fa6022d5d65 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Dec 22 12:27:50 2010 +0200 s4-tests: Tests for Validated-SPN implementation. Test setting spn on RWDC, RODC and regular computer object. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Wed Dec 22 12:20:24 CET 2010 on sn-devel-104 commit 3ba42be7c178062c2e865d5197a5f3346f6b9a17 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Dec 22 12:27:15 2010 +0200 s4-acl: Implementation of Validated-SPN validated write If this right is granted to a user, they may modify the SPN of an object with some value restrictions serviceName can be set only if the object is a DC, and then only to the default domain and netbios name, or ntds_guid._msdsc_.forest_domain. If the serviceType is GC, only to the forest root domain. If the serviceType is ldap, then to forest_domain or netbiosname. InstanceType can be samAccountName or dnsHostName. commit 9aaacee6cd19adf615f941771fe9d490b7dae3c4 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Dec 22 12:19:46 2010 +0200 s4-dsdb: Added a helper function to get the default dns domain as string. --- Summary of changes: source4/dsdb/common/util.c | 19 +++ source4/dsdb/samdb/ldb_modules/acl.c | 215 + source4/dsdb/tests/python/acl.py | 288 -- 3 files changed, 508 insertions(+), 14 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 36f6933..b2d4be0 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c 
@@ -3952,6 +3952,25 @@ const char *samdb_forest_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx) return forest_name; } +/* returns back the default domain DNS name */ +const char *samdb_default_domain_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx) +{ + const char *domain_name = ldb_dn_canonical_string(mem_ctx, + ldb_get_default_basedn(ldb)); + char *p; + + if (domain_name == NULL) { + return NULL; + } + + p = strchr(domain_name, '/'); + if (p) { + *p = '\0'; + } + + return domain_name; +} + /* validate that an DSA GUID belongs to the specified user sid. The user SID must be a domain controller account (either RODC or diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 7fc626a..42e08cd 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -41,6 +41,8 @@ #include dsdb/samdb/ldb_modules/util.h #include dsdb/samdb/ldb_modules/schema.h #include lib/util/tsort.h +#include system/kerberos.h +#include auth/kerberos/kerberos.h struct extended_access_check_attribute { const char *oa_name; 
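Review bot: samdb_default_domain_name() declares `domain_name` as `const char *` and then writes through `p`, a pointer obtained from strchr() on that same object; the buffer is this function's own talloc allocation, so `char *domain_name = ldb_dn_canonical_string(mem_ctx, ldb_get_default_basedn(ldb));` states that intent without writing through a pointer derived from a const object. The header comment should also record ownership and the transformation: `/* Returns the DNS name of the default domain: the canonical form of the default base DN with everything from the first '/' removed. Allocated on mem_ctx; NULL on failure. */`. This presumably relies on ldb_dn_canonical_string() producing `dns.name/path` for the base DN, which is worth confirming for a base DN that is not made purely of DC= components.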
@@ -431,6 +433,208 @@ static int acl_sDRightsEffective(struct ldb_module *module, sDRightsEffective, flags); } +static int acl_validate_spn_value(TALLOC_CTX *mem_ctx, + struct ldb_context *ldb, + const char *spn_value, + int userAccountControl, + const char *samAccountName, + const char *dnsHostName, + const char *netbios_name, + const char *ntds_guid) +{ + int ret; + krb5_context krb_ctx; + krb5_error_code kerr; + krb5_principal principal; + char *instanceName; + char *serviceType; + char *serviceName; + const char *realm; + const char *guid_str; + const char *forest_name = samdb_forest_name(ldb, mem_ctx); + const char *base_domain = samdb_default_domain_name(ldb, mem_ctx); + struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, loadparm), + struct loadparm_context); + bool is_dc = (userAccountControl UF_SERVER_TRUST_ACCOUNT) || + (userAccountControl UF_PARTIAL_SECRETS_ACCOUNT); + + kerr = smb_krb5_init_context_basic(mem_ctx, + lp_ctx, + krb_ctx); + if (kerr
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6bb89aa s4-tests: Added a speedtest for LDAP search operations with different accounts. via aab37c3 s4-tests: Added tests for LDAP add/delete/modify using anonymous login. via a53f09b s4-dsdb: Fixed incorrect LDAP return code when anonymous login is used. from b3630b4 Fix bug 7866 - net in v3-6-test broken. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6bb89aaa0d38d59ce4f0d9362822ba1c525eb203 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Dec 15 21:29:53 2010 +0200 s4-tests: Added a speedtest for LDAP search operations with different accounts. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Wed Dec 15 21:32:09 CET 2010 on sn-devel-104 commit aab37c314671f9ad712ab03b1b1c2e6688df772d Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Dec 15 21:28:59 2010 +0200 s4-tests: Added tests for LDAP add/delete/modify using anonymous login. commit a53f09b9312fc08d4cdb2d94ec9119ee29b1bf84 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Dec 15 21:28:12 2010 +0200 s4-dsdb: Fixed incorrect LDAP return code when anonymous login is used. --- Summary of changes: source4/dsdb/samdb/ldb_modules/rootdse.c |2 +- source4/dsdb/tests/python/acl.py | 58 +++--- source4/scripting/devel/speedtest.py | 78 + 3 files changed, 118 insertions(+), 20 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c index e7ea765..2571bc3 100644 --- a/source4/dsdb/samdb/ldb_modules/rootdse.c +++ b/source4/dsdb/samdb/ldb_modules/rootdse.c @@ -641,7 +641,7 @@ static int rootdse_filter_operations(struct ldb_module *module, struct ldb_reque } } ldb_set_errstring(ldb_module_get_ctx(module), Operation unavailable without authentication); - return LDB_ERR_STRONG_AUTH_REQUIRED; + return LDB_ERR_OPERATIONS_ERROR; } static int rootdse_search(struct ldb_module *module, struct ldb_request *req) 
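Review bot: The new return value in the rootdse.c hunk replaces the one LDAP result code that told a client why the operation failed with the generic operationsError, and nothing in the code records why; presumably this matches what a Windows DC returns for an operation that needs a bind, and that reason belongs next to the return so the next reader does not "fix" it back, e.g. `/* Windows returns operationsError (not strongerAuthRequired) for operations that require a bind; the acl.py anonymous tests depend on this */`. The error string set on the line above is now the only hint to the client. rootdse_filter_operations() starts outside the hunk.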
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 85018b0..12f653b 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -6,7 +6,6 @@ import optparse import sys import base64 import re - sys.path.append(bin/python) import samba samba.ensure_external_module(testtools, testtools) @@ -20,7 +19,7 @@ from ldb import ( from ldb import ERR_CONSTRAINT_VIOLATION from ldb import ERR_OPERATIONS_ERROR from ldb import Message, MessageElement, Dn -from ldb import FLAG_MOD_REPLACE, FLAG_MOD_DELETE +from ldb import FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security @@ -67,6 +66,13 @@ class AclTests(samba.tests.TestCase): self.user_pass = samba123@ self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized() self.sd_utils = sd_utils.SDUtils(ldb) +#used for anonymous login +self.creds_tmp = Credentials() +self.creds_tmp.set_username() +self.creds_tmp.set_password() +self.creds_tmp.set_domain(creds.get_domain()) +self.creds_tmp.set_realm(creds.get_realm()) +self.creds_tmp.set_workstation(creds.get_workstation()) print baseDN: %s % self.base_dn def get_user_dn(self, name): @@ -134,6 +140,7 @@ class AclAddTests(AclTests): delete_force(self.ldb_admin, self.get_user_dn(self.usr_admin_owner)) delete_force(self.ldb_admin, self.get_user_dn(self.usr_admin_not_owner)) delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) +delete_force(self.ldb_admin, self.get_user_dn(test_add_anonymous)) # Make sure top OU is deleted (and so everything under it) def assert_top_ou_deleted(self): 
@@ -229,6 +236,16 @@ class AclAddTests(AclTests): expression=(distinguishedName=%s,%s) % (CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1, self.base_dn)) self.assertTrue(len(res) 0) +def test_add_anonymous(self): +Test add operation with anonymous user +anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp) +try: +anonymous.newuser(test_add_anonymous, self.user_pass) +except LdbError, (num, _): +self.assertEquals(num, ERR_OPERATIONS_ERROR) +else: +self.fail() + #tests on ldap modify operations class AclModifyTests(AclTests): @@ -259,6 +276,7 @@ class AclModifyTests(AclTests): delete_force(self.ldb_admin, self.get_user_dn(self.user_with_sm)) delete_force(self.ldb_admin, self.get_user_dn(self.user_with_group_sm)) delete_force(self.ldb_admin
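Review bot: test_add_anonymous() checks only the result code of the rejected add; it never verifies that no object was left behind, so a server that reported the error after creating the entry would still pass, and the `delete_force(..., "test_add_anonymous")` added to the teardown would quietly clean up the evidence. After the except/else block, assert absence with `res = self.ldb_admin.search(self.base_dn, expression="(samAccountName=test_add_anonymous)")` and `self.assertEquals(len(res), 0)`. The AclAddTests class and the `host`/`lp` globals the test uses are outside the hunk.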
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b285d03 s4-tests: Modified sec_descriptor.py to use the sd_utils helpers. via c9264bb s4-tests: Modified acl.py to use the sd_utils helpers. via c5480e6 s4-tests: Moved some commonly redefined security descriptor methods to a utils class from 378295c build: detect if conf.env['CPP'] is an array or not http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b285d0304a58fbacb9fcaa8359271bcd717c16f7 Author: Nadezhda Ivanova nivan...@samba.org Date: Fri Dec 10 10:31:58 2010 +0200 s4-tests: Modified sec_descriptor.py to use the sd_utils helpers. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Fri Dec 10 11:03:28 CET 2010 on sn-devel-104 commit c9264bb04e58c7549e4f21bddae731e9b9dffa38 Author: Nadezhda Ivanova nivan...@samba.org Date: Fri Dec 10 10:31:19 2010 +0200 s4-tests: Modified acl.py to use the sd_utils helpers. commit c5480e659e270852a3e099eb3fafbae19bbb8988 Author: Nadezhda Ivanova nivan...@samba.org Date: Fri Dec 10 10:29:14 2010 +0200 s4-tests: Moved some commonly redefined security descriptor methods to a utils class These methods are used in more than one testsuite now so they are now in a utility class instead of being defined everywhere. --- Summary of changes: source4/dsdb/tests/python/acl.py| 213 ++- source4/dsdb/tests/python/sec_descriptor.py | 379 --- source4/scripting/python/samba/sd_utils.py | 79 ++ 3 files changed, 336 insertions(+), 335 deletions(-) create mode 100644 source4/scripting/python/samba/sd_utils.py Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index c540e7e..d336fa9 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py 
@@ -25,7 +25,7 @@ from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security from samba.auth import system_session -from samba import gensec +from samba import gensec, sd_utils from samba.samdb import SamDB from samba.credentials import Credentials import samba.tests @@ -66,32 +66,12 @@ class AclTests(samba.tests.TestCase): self.domain_sid = security.dom_sid(ldb.get_domain_sid()) self.user_pass = samba123@ self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized() +self.sd_utils = sd_utils.SDUtils(ldb) print baseDN: %s % self.base_dn def get_user_dn(self, name): return CN=%s,CN=Users,%s % (name, self.base_dn) -def modify_desc(self, object_dn, desc): - Modify security descriptor using either SDDL string -or security.descriptor object - -assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) -mod = -dn: + object_dn + -changetype: modify -replace: nTSecurityDescriptor - -if isinstance(desc, str): -mod += nTSecurityDescriptor: %s % desc -elif isinstance(desc, security.descriptor): -mod += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) -self.ldb_admin.modify_ldif(mod) - -def read_desc(self, object_dn): -res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, [nTSecurityDescriptor]) -desc = res[0][nTSecurityDescriptor][0] -return ndr_unpack(security.descriptor, desc) - def get_ldb_connection(self, target_username, target_password): creds_tmp = Credentials() creds_tmp.set_username(target_username) 
@@ -104,27 +84,6 @@ replace: nTSecurityDescriptor ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp) return ldb_target -def get_object_sid(self, object_dn): -res = self.ldb_admin.search(object_dn) -return ndr_unpack(security.dom_sid, res[0][objectSid][0]) - -def dacl_add_ace(self, object_dn, ace): -desc = self.read_desc(object_dn) -desc_sddl = desc.as_sddl(self.domain_sid) -if ace in desc_sddl: -return -if desc_sddl.find(() = 0: -desc_sddl = desc_sddl[:desc_sddl.index(()] + ace + desc_sddl[desc_sddl.index(():] -else: -desc_sddl = desc_sddl + ace -self.modify_desc(object_dn, desc_sddl) - -def get_desc_sddl(self, object_dn): - Return object nTSecutiryDescriptor in SDDL format - -desc = self.read_desc(object_dn) -return desc.as_sddl(self.domain_sid) - # Test if we have any additional groups for users than default ones def assert_user_no_group_member(self, username): res = self.ldb_admin.search(self.base_dn, expression=(distinguishedName=%s) % self.get_user_dn(username)) @@ -189,9 +148,9 @@ class AclAddTests(AclTests): # Change descriptor for top
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2079a6d s4-acl: Changed the mechanism of attribute removal to speed it up. via fe98b9a s4-acl: Added a flag to mark an element as failing an access check. from af3414f ndr: Another try to support the build on non-IPv6 systems http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2079a6d110ae12f12497605a03deae6720434a6c Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Dec 8 12:12:34 2010 +0200 s4-acl: Changed the mechanism of attribute removal to speed it up. Instead of using ldb_msg_remove_attr, now we are flagging the attributes to be removed, and allocating the new elements array to be returned at once. This seems to decrease the overhead by 50 percent. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Wed Dec 8 12:00:27 CET 2010 on sn-devel-104 commit fe98b9aaebd57e3461fa2ac59a2924a6ef6f09fa Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Dec 8 12:03:43 2010 +0200 s4-acl: Added a flag to mark an element as failing an access check. --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl_read.c | 129 - source4/lib/ldb/include/ldb_module.h |3 + 2 files changed, 91 insertions(+), 41 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index 87144f9..c7aaf11 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c 
@@ -53,12 +53,22 @@ struct aclread_private { bool enabled; }; +static void aclread_mark_inaccesslible(struct ldb_message_element *el) { +el-flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE; +} + +static bool aclread_is_inaccessible(struct ldb_message_element *el) { + return el-flags LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE; +} + static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) { struct ldb_context *ldb; struct aclread_context *ac; -int ret; -unsigned int i; +struct ldb_message *ret_msg; +struct ldb_message *msg; +int ret, num_of_attrs = 0; +unsigned int i, k = 0; struct security_descriptor *sd; struct dom_sid *sid = NULL; TALLOC_CTX *tmp_ctx; @@ -76,20 +86,21 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) tmp_ctx = talloc_new(ac); switch (ares-type) { case LDB_REPLY_ENTRY: -ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, ares-message, sd); +msg = ares-message; +ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, sd); if (ret != LDB_SUCCESS) { DEBUG(10, (acl_read: cannot get descriptor\n)); ret = LDB_ERR_OPERATIONS_ERROR; goto fail; } -sid = samdb_result_dom_sid(tmp_ctx, ares-message, objectSid); +sid = samdb_result_dom_sid(tmp_ctx, msg, objectSid); /* get the object instance type */ -instanceType = ldb_msg_find_attr_as_uint(ares-message, +instanceType = ldb_msg_find_attr_as_uint(msg, instanceType, 0); -if (!ldb_dn_is_null(ares-message-dn) !(instanceType INSTANCE_TYPE_IS_NC_HEAD)) +if (!ldb_dn_is_null(msg-dn) !(instanceType INSTANCE_TYPE_IS_NC_HEAD)) { /* the object has a parent, so we have to check for visibility */ - struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, ares-message-dn); + struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, msg-dn); ret = dsdb_module_check_access_on_dn(ac-module, tmp_ctx, parent_dn, 
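Review bot: aclread_mark_inaccesslible() in the first hunk is misspelt and will be hard to grep for; `static void aclread_mark_inaccessible(struct ldb_message_element *el)` (and its call sites) fixes that. Both helpers rely on LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE, defined in ldb_module.h outside this diff, being a single bit disjoint from the other LDB_FLAG_INTERNAL_* values, since aclread_is_inaccessible() tests it with `&`; that precondition deserves a comment at the definition, because an overlapping value would make unrelated internal flags read as "inaccessible" and strip elements the ACL check never denied. The rest of aclread_callback() continues past the second hunk.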
@@ -103,61 +114,97 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) } } /* for every element in the message check RP */ -i = 0; -while (i ares-message-num_elements) { +for (i=0; i msg-num_elements; i++) { const struct dsdb_attribute *attr; +bool is_sd, is_objectsid, is_instancetype; +uint32_t access_mask; attr = dsdb_attribute_by_lDAPDisplayName(ac-schema, - ares-message-elements[i].name
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f85089e s4-acl: Fixed incorrect value of LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE from 735c1cd s4-pkgconfig: add @LIB_RPATH@ to our link flags http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f85089e0153e875636a085d34c3c6ae6cb8462c6 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Dec 8 13:19:27 2010 +0200 s4-acl: Fixed incorrect value of LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Wed Dec 8 13:31:48 CET 2010 on sn-devel-104 --- Summary of changes: source4/lib/ldb/include/ldb_module.h |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/ldb/include/ldb_module.h b/source4/lib/ldb/include/ldb_module.h index a6a4d16..0151468 100644 --- a/source4/lib/ldb/include/ldb_module.h +++ b/source4/lib/ldb/include/ldb_module.h @@ -47,7 +47,7 @@ struct ldb_module; #define LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK 0x20 /* attribute has failed access check and must not be exposed */ -#define LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE 0x30 +#define LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE 0x40 /* -- Samba Shared Repository
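Review bot: The corrected value should carry a comment stating the invariant it must satisfy, since acl_read.c tests the macro with `&` and any overlap with a neighbouring LDB_FLAG_INTERNAL_* value silently misclassifies elements: `/* must be a single bit, disjoint from the other LDB_FLAG_INTERNAL_* values: tested with & in acl_read */`. A build-time check such as `_Static_assert` on the bit being distinct would catch a repeat, but only if this header already accepts C11; otherwise the comment is the practical option.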
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bf7b026 s4-acl: Replaced talloc_reference with talloc_steal, as aclread is the only one using this result message. from 1bd3bd6 Add ncacn_http (RTS) IDL implementation in dcerpc.idl http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bf7b026a9a1a425afa64fb9aa8bdcb1c10d161d7 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Dec 8 14:30:23 2010 +0200 s4-acl: Replaced talloc_reference with talloc_steal, as aclread is the only one using this result message. No need to reference as no one further up the stack uses the result, it is the result of a secondary request sent by aclread. As a result from code review by Kamen Mazdrashki and Anatoliy Atanasov Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Wed Dec 8 15:01:51 CET 2010 on sn-devel-104 --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl_read.c |9 +++-- 1 files changed, 3 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index c7aaf11..27cc1e7 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c @@ -177,8 +177,9 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) } } /*create a new message to return*/ -ret_msg = ldb_msg_new(req); +ret_msg = ldb_msg_new(ac-req); ret_msg-dn = msg-dn; +talloc_steal(ret_msg, msg-dn); ret_msg-num_elements = num_of_attrs; if (num_of_attrs 0) { ret_msg-elements = talloc_array(ret_msg, @@ -191,11 +192,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) bool to_remove = aclread_is_inaccessible(msg-elements[i]); if (!to_remove) { ret_msg-elements[k] = msg-elements[i]; -if (!talloc_reference(ret_msg-elements, - msg-elements[i].values)) { -talloc_free(tmp_ctx); -return ldb_operr(ldb); -} +talloc_steal(ret_msg-elements, msg-elements[i].values); k++; } } -- Samba Shared Repository
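Review bot: `ret_msg = ldb_msg_new(ac->req)` in the first hunk is dereferenced on the next line without a NULL check, so an allocation failure becomes a crash in the read-ACL path rather than an error. Add `if (ret_msg == NULL) { talloc_free(tmp_ctx); return ldb_oom(ldb); }` before `ret_msg->dn = msg->dn;` — the surrounding code already uses `ldb_operr(ldb)` for the same shape of failure. The talloc_steal() of `msg->dn` and of each `values` array also means `ares->message` must not be used after this point; a one-line comment saying the reply is consumed here would help the next reader. aclread_callback() starts and ends outside these hunks.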
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 91bf913 s4-acl: Some optimisation of the aclread module via 3f1b153 s4-acl: Moved aclread module below descriptor and acl. from bd3e580 Revert lib/util:tests/time.c - test_timestring - fix it on Solaris http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 91bf9133a62342e9aa640e30b8f3070eee9ecbc2 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Dec 6 13:58:29 2010 +0200 s4-acl: Some optimisation of the aclread module Modified the aclread module to now insert the attributes needed to perform access checks in the same request, instead of doind a separate search per entry. Also, instanceType is now used to determine id the object has a parent instead of parentGUID, which saves one additional search in operational. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Mon Dec 6 13:50:19 CET 2010 on sn-devel-104 commit 3f1b153132e2ca6ffcd9ca897f8d67eb4fdcf9b9 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Dec 6 13:53:06 2010 +0200 s4-acl: Moved aclread module below descriptor and acl. The aclread needs to be belod descriptor, as it needs to have the full nTsecurityDescriptor to make the checks, and the descriptor module may filter out parts of it if SD_FLAGS_CONTROL is provided. --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl_read.c | 133 +++ source4/dsdb/samdb/ldb_modules/samba_dsdb.c |2 +- 2 files changed, 76 insertions(+), 59 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index 81f9bf6..0e9de9a 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c @@ -44,6 +44,9 @@ struct aclread_context { struct ldb_request *req; const char * const *attrs; const struct dsdb_schema *schema; + bool sd; + bool instance_type; + bool object_sid; }; struct aclread_private { 
@@ -59,7 +62,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) static const char *acl_attrs[] = { nTSecurityDescriptor, objectSid, -parentGUID, +insyanceType, NULL }; int ret; @@ -67,6 +70,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) struct security_descriptor *sd; struct dom_sid *sid = NULL; TALLOC_CTX *tmp_ctx; +uint32_t instanceType; + ac = talloc_get_type(req-context, struct aclread_context); ldb = ldb_module_get_ctx(ac-module); if (!ares) { @@ -79,60 +84,38 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) tmp_ctx = talloc_new(ac); switch (ares-type) { case LDB_REPLY_ENTRY: -ret = dsdb_module_search_dn(ac-module, tmp_ctx, acl_res, ares-message-dn, -acl_attrs, -DSDB_FLAG_NEXT_MODULE | -DSDB_SEARCH_SHOW_DELETED); -if (ret != LDB_SUCCESS) { -goto fail; -} -ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, acl_res-msgs[0], sd); +ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, ares-message, sd); if (ret != LDB_SUCCESS) { DEBUG(10, (acl_read: cannot get descriptor\n)); ret = LDB_ERR_OPERATIONS_ERROR; goto fail; } -sid = samdb_result_dom_sid(tmp_ctx, acl_res-msgs[0], objectSid); -/* get the parent guid */ -parent = ldb_msg_find_element(acl_res-msgs[0], parentGUID); -if (parent) { -/* the object has a parent, so we have to check for visibility */ -struct GUID parent_guid = samdb_result_guid(acl_res-msgs[0], parentGUID); -ret = dsdb_module_check_access_on_guid(ac-module, - tmp_ctx, - parent_guid, - SEC_ADS_LIST, - NULL); -if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { -talloc_free(tmp_ctx); -return LDB_SUCCESS; -} else if (ret != LDB_SUCCESS) { -goto fail
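Review bot: The attribute name added in the first hunk is misspelt: `"insyanceType"` should be `"instanceType"`. The callback reads `instanceType` via ldb_msg_find_attr_as_uint() to decide whether an object has a parent, so if this `acl_attrs` list is what is requested from the lower modules, the wrong spelling would leave that value at its default 0 and even NC heads would be treated as having a parent; the line should read `"instanceType",`. The three `bool` fields added to struct aclread_context in the previous hunk also have no comment saying what they record (presumably whether the caller asked for each of those attributes, so they can be stripped from the reply — confirm). aclread_callback() and the hunk that reworks its LDB_REPLY_ENTRY case continue past the visible lines.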
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ec97c9f s4-acl: Remove unused variables from aclread module. from 15a2eff s4:acl_read LDB module - fix attributes list http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ec97c9f7c72bd1390d3e101c9060d9386602671e Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Dec 6 17:00:56 2010 +0200 s4-acl: Remove unused variables from aclread module. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Mon Dec 6 16:48:35 CET 2010 on sn-devel-104 --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl_read.c |8 1 files changed, 0 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index 5ee7c95..87144f9 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c @@ -57,14 +57,6 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) { struct ldb_context *ldb; struct aclread_context *ac; -struct ldb_result *acl_res; -struct ldb_message_element *parent; -static const char *acl_attrs[] = { -nTSecurityDescriptor, -objectSid, -instanceType, -NULL -}; int ret; unsigned int i; struct security_descriptor *sd; -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via db403ac s4-dsdb: Switched to using a dictionary in create_ou for consistency. via 05b8e07 s4-dsdb: Fixed wrong assignment of name attribute to description atribute in create_ou. from ae61408 s4:lsa RPC server / objectclass LDB module - fix the creation of trusted domain objects http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit db403ac35dde415231498aee41b2306dfbe6a983 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 14:25:28 2010 +0200 s4-dsdb: Switched to using a dictionary in create_ou for consistency. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Nov 25 14:12:52 CET 2010 on sn-devel-104 commit 05b8e078f4649239bda42c66966dfa5567485b6d Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 14:02:51 2010 +0200 s4-dsdb: Fixed wrong assignment of name attribute to description atribute in create_ou. --- Summary of changes: source4/scripting/python/samba/samdb.py |8 +++- 1 files changed, 3 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index a59494f..109e948 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -659,15 +659,13 @@ accountExpires: %u :param sd: security descriptor of the object, can be an SDDL string or security.descriptor type -m = ldb.Message() -m.dn = ldb.Dn(self, ou_dn) -m[ou] = ou_dn.split(,)[0][3:] -m[objectClass] = organizationalUnit +m = {dn: ou_dn, + objectClass: organizationalUnit} if description: m[description] = description if name: - m[description] = name + m[name] = name if sd: assert(isinstance(sd, str) or isinstance(sd, security.descriptor)) -- Samba Shared Repository
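Review bot: The rewritten message no longer sets the `ou` attribute the old code derived from the DN (`m["ou"] = ou_dn.split(",")[0][3:]`), a change the commit message does not mention; presumably the rdn_name module fills it in from the RDN, but if so a comment should say so, and if this dict is ever sent through a connection without that module the OU would be created without its naming attribute. Suggest `# "ou" is derived from the RDN by the server (rdn_name module)` above the dict, or keep the explicit `"ou": ou_dn.split(",")[0][3:]` key. create_ou() starts outside the hunk.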
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 1e9a788 s4-tests: Modified create_ou to only accept security.descriptor type for sd to avoid confusion from db403ac s4-dsdb: Switched to using a dictionary in create_ou for consistency. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1e9a7882bead2a87eedcd5ddfe2b4df6a2b57306 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 19:57:51 2010 +0200 s4-tests: Modified create_ou to only accept security.descriptor type for sd to avoid confusion It used to work with sddl as well, but this is confusing and could lead to errors. It also caused a message about tallocing a security descriptor to appear. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Nov 25 19:46:42 CET 2010 on sn-devel-104 --- Summary of changes: source4/dsdb/tests/python/acl.py| 64 +- source4/scripting/python/samba/samdb.py | 12 + 2 files changed, 31 insertions(+), 45 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 691f358..fb66766 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py 
@@ -736,16 +736,13 @@ class AclSearchTests(AclTests): self.create_clean_ou(OU=ou1, + self.base_dn) mod = (A;;LC;;;%s)(A;;LC;;;%s) % (str(self.user_sid), str(self.group_sid)) self.dacl_add_ace(OU=ou1, + self.base_dn, mod) -self.ldb_admin.create_ou(OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod) -self.ldb_admin.create_ou(OU=ou3,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod) -self.ldb_admin.create_ou(OU=ou4,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod) -self.ldb_admin.create_ou(OU=ou5,OU=ou3,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod) -self.ldb_admin.create_ou(OU=ou6,OU=ou4,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod) +tmp_desc = security.descriptor.from_sddl(D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod, + self.domain_sid) +self.ldb_admin.create_ou(OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou3,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou4,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou5,OU=ou3,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou6,OU=ou4,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) #regular users must see only ou1 and ou2 res = self.ldb_user3.search(OU=ou1, + self.base_dn, expression=(objectClass=*), 
@@ -807,16 +804,13 @@ class AclSearchTests(AclTests): self.create_clean_ou(OU=ou1, + self.base_dn) mod = (A;CI;LC;;;%s)(A;CI;LC;;;%s) % (str(self.user_sid), str(self.group_sid)) self.dacl_add_ace(OU=ou1, + self.base_dn, mod) -self.ldb_admin.create_ou(OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)) -self.ldb_admin.create_ou(OU=ou3,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)) -self.ldb_admin.create_ou(OU=ou4,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)) -self.ldb_admin.create_ou(OU=ou5,OU=ou3,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)) -self.ldb_admin.create_ou(OU=ou6,OU=ou4,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)) +tmp_desc = security.descriptor.from_sddl(D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod, + self.domain_sid) +self.ldb_admin.create_ou(OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou3,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou4,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou5,OU=ou3,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou6,OU=ou4,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) print Testing correct behavior on nonaccessible search base try: @@ -861,16 +855,13 @@ class AclSearchTests(AclTests): self.create_clean_ou(OU=ou1, + self.base_dn) mod = (A;CI;CC;;;%s) % (str
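Review bot: The new `tmp_desc` in this hunk appends `+ mod` to the SDDL, whereas the five removed `create_ou` calls passed `D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)` alone; since `mod` here holds the container-inherit ACEs `(A;CI;LC;;;%s)(A;CI;LC;;;%s)` that `dacl_add_ace` already applied to ou1, granting them explicitly on every child OU means the search results no longer show that the CI ACE on ou1 is inherited. Unless the change in behaviour is intended, drop the `+ mod` here: `tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)", self.domain_sid)`. The sibling `@@ -736` hunk is unaffected, as its old calls did include `+ mod`. The enclosing test method starts before the hunk.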
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fad57d8 s4-tests: Made acl tests to reconnect if dSHeuristics is being manipulated from 1e9a788 s4-tests: Modified create_ou to only accept security.descriptor type for sd to avoid confusion http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fad57d8ad05cf6175c87db33a404aff205adddaf Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 21:01:05 2010 +0200 s4-tests: Made acl tests to reconnect if dSHeuristics is being manipulated Also made password tests set dSHeuristics only once rather that once per test. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Nov 25 20:48:38 CET 2010 on sn-devel-104 --- Summary of changes: source4/dsdb/tests/python/acl.py | 53 ++ 1 files changed, 25 insertions(+), 28 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index fb66766..9a0e754 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -614,8 +614,6 @@ class AclSearchTests(AclTests): self.creds_tmp.set_domain(creds.get_domain()) self.creds_tmp.set_realm(creds.get_realm()) self.creds_tmp.set_workstation(creds.get_workstation()) -self.anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp) -self.dsheuristics = self.ldb_admin.get_dsheuristics() self.ldb_admin.newuser(self.u1, self.user_pass) self.ldb_admin.newuser(self.u2, self.user_pass) self.ldb_admin.newuser(self.u3, self.user_pass) @@ -676,7 +674,8 @@ class AclSearchTests(AclTests): def test_search_anonymous1(self): Verify access of rootDSE with the correct request -res = self.anonymous.search(, expression=(objectClass=*), scope=SCOPE_BASE) +anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp) +res = anonymous.search(, expression=(objectClass=*), scope=SCOPE_BASE) self.assertEquals(len(res), 1) #verify some of the attributes #dont care about values 
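Review bot: With `self.dsheuristics = self.ldb_admin.get_dsheuristics()` removed from setUp, the value that test_search_anonymous3 previously restored at its end (the `@@ -718` hunk, cut off at the bottom of this excerpt, removes that `self.ldb_admin.set_dsheuristics(self.dsheuristics` call) must now be saved and restored inside the test, and this excerpt does not show where that happens. dSHeuristics lives on the Directory Service object in the configuration NC, so it is DC-wide state: if an assertion fails between the `set_dsheuristics(002)` call and the restore, every later test runs against the modified setting. Wrapping the manipulation as `saved = self.ldb_admin.get_dsheuristics()` / `try: ... finally: self.ldb_admin.set_dsheuristics(saved)` makes the restore unconditional. setUp continues past the hunk.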
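Review bot: `anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)` is now spelled out in this hunk and again in the `@@ -691` and `@@ -718` hunks; a small helper, `def anonymous_connection(self): return SamDB(url=host, credentials=self.creds_tmp, lp=lp)`, keeps the three in step when the connection parameters change. Since a fresh connection per test is the point of the commit, the helper should build a new SamDB on every call rather than cache one on `self`.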
@@ -691,20 +690,21 @@ class AclSearchTests(AclTests): def test_search_anonymous2(self): Make sure we cannot access anything else +anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp) try: -res = self.anonymous.search(, expression=(objectClass=*), scope=SCOPE_SUBTREE) +res = anonymous.search(, expression=(objectClass=*), scope=SCOPE_SUBTREE) except LdbError, (num, _): self.assertEquals(num, ERR_OPERATIONS_ERROR) else: self.fail() try: -res = self.anonymous.search(self.base_dn, expression=(objectClass=*), scope=SCOPE_SUBTREE) +res = anonymous.search(self.base_dn, expression=(objectClass=*), scope=SCOPE_SUBTREE) except LdbError, (num, _): self.assertEquals(num, ERR_OPERATIONS_ERROR) else: self.fail() try: -res = self.anonymous.search(CN=Configuration, + self.base_dn, expression=(objectClass=*), +res = anonymous.search(CN=Configuration, + self.base_dn, expression=(objectClass=*), scope=SCOPE_SUBTREE) except LdbError, (num, _): self.assertEquals(num, ERR_OPERATIONS_ERROR) 
@@ -718,18 +718,18 @@ class AclSearchTests(AclTests): mod = (A;CI;LC;;;AN) self.dacl_add_ace(OU=test_search_ou1, + self.base_dn, mod) self.ldb_admin.create_ou(OU=test_search_ou2,OU=test_search_ou1, + self.base_dn) -res = self.anonymous.search(OU=test_search_ou2,OU=test_search_ou1, + self.base_dn, -expression=(objectClass=*), scope=SCOPE_SUBTREE) +anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp) +res = anonymous.search(OU=test_search_ou2,OU=test_search_ou1, + self.base_dn, + expression=(objectClass=*), scope=SCOPE_SUBTREE) self.assertEquals(len(res), 1) self.assertTrue(dn in res[0]) self.assertTrue(res[0][dn] == Dn(self.ldb_admin, OU=test_search_ou2,OU=test_search_ou1, + self.base_dn)) -res = self.anonymous.search(CN=Configuration, + self.base_dn, expression=(objectClass=*), -scope=SCOPE_SUBTREE) +res = anonymous.search(CN=Configuration, + self.base_dn, expression=(objectClass=*), + scope=SCOPE_SUBTREE) self.assertEquals(len(res), 1) self.assertTrue(dn in res[0]) self.assertTrue(res[0][dn] == Dn(self.ldb_admin, self.configuration_dn)) -self.ldb_admin.set_dsheuristics(self.dsheuristics
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fc1da86 s4-tests: Modified speedtest.py to use samba.tests.delete_force via 21aceb1 s4-tests: Modified sec_descriptor.py to use samba.tests.delete_force via 9917525 s4-tests: Modified sam.py to use samba.tests.delete_force via 0d99a5f s4-tests: Modified passwords.py to use samba.tests.delete_force via 71af506 s4-tests: delete_force was unused, removed it. via 5e7d99a s4-tests: Modified ldap_schema.py to use samba.tests.delete_force via d21d3e7 s4-tests: Modified ldap.py to use samba.tests.delete_force via 66aa40b s4-tests: Modified deletetest.py to use samba.tests.delete_force via f42802e s4-tests: Modified bind.py to use samba.tests.delete_force via d7731f6 s4-tests: Modified acly.py to use common delete_force instead of defining its own. via db5bcb7 s4-tests: Added a common definition of delete_force. from 64424bb s4-smbtorture: pick a better printer in RPC-SPOOLSS-ACCESS. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fc1da86d403c654fc96a6b1410147fe93dee0a39 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 01:16:14 2010 +0200 s4-tests: Modified speedtest.py to use samba.tests.delete_force Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Nov 25 01:28:19 CET 2010 on sn-devel-104 commit 21aceb1374329b9738031d9d6143b2cb24c87f52 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 01:15:24 2010 +0200 s4-tests: Modified sec_descriptor.py to use samba.tests.delete_force commit 9917525b96f7fe4b3e4fb310614499f093ed5ca8 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 01:14:58 2010 +0200 s4-tests: Modified sam.py to use samba.tests.delete_force commit 0d99a5f27c13b1160777a570482d8481ae931375 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 01:13:47 2010 +0200 s4-tests: Modified passwords.py to use samba.tests.delete_force commit 71af5069507ef60bd4b73ee3943716d55e833252 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 01:13:24 2010 
+0200 s4-tests: delete_force was unused, removed it. commit 5e7d99a5d84dfc723c9be26cb7617307aaa2fb23 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 01:12:42 2010 +0200 s4-tests: Modified ldap_schema.py to use samba.tests.delete_force commit d21d3e7db8e9b05daa17ca0e84b1b7f82b55a80e Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 01:12:18 2010 +0200 s4-tests: Modified ldap.py to use samba.tests.delete_force commit 66aa40b9d942664722f113f07d6024529da1fb14 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 01:11:57 2010 +0200 s4-tests: Modified deletetest.py to use samba.tests.delete_force commit f42802e22fa0f0a2026036d540cd5f3341870557 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 01:11:29 2010 +0200 s4-tests: Modified bind.py to use samba.tests.delete_force commit d7731f6f39eb4887a4f91a5b5dbc969b1b0596d2 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Nov 24 17:48:56 2010 +0200 s4-tests: Modified acly.py to use common delete_force instead of defining its own. commit db5bcb7115991bb1289cad471190fd73139ea53e Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Nov 24 17:47:27 2010 +0200 s4-tests: Added a common definition of delete_force. --- Summary of changes: source4/auth/credentials/tests/bind.py |9 +- source4/dsdb/tests/python/acl.py | 115 +++--- source4/dsdb/tests/python/deletetest.py | 32 ++-- source4/dsdb/tests/python/ldap.py| 181 +++--- source4/dsdb/tests/python/ldap_schema.py | 11 +- source4/dsdb/tests/python/ldap_syntaxes.py |5 - source4/dsdb/tests/python/passwords.py | 19 +-- source4/dsdb/tests/python/sam.py | 139 - source4/dsdb/tests/python/sec_descriptor.py | 137 - source4/scripting/devel/speedtest.py | 11 +- source4/scripting/python/samba/tests/__init__.py |6 + 11 files changed, 311 insertions(+), 354 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/auth/credentials/tests/bind.py b/source4/auth/credentials/tests/bind.py index c59e714..8c93319 100755 
--- a/source4/auth/credentials/tests/bind.py +++ b/source4/auth/credentials/tests/bind.py @@ -26,6 +26,7 @@ from samba import gensec from samba.samdb import SamDB from samba.credentials import Credentials import samba.tests +from samba.tests import delete_force from subunit.run import SubunitTestRunner import unittest @@ -70,18 +71,12 @@ class BindTests(samba.tests.TestCase): self.password = p...@ssw0rd self.username = BindTestUser_ + time.strftime(%s
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via dab4e00 s4-tests: Modified sec_descriptor to use samdb.newgroup instead of locally defined method. via c89ecfc s4-dsdb: Extended samdb.newgroup to set the group's security descriptor. from 650c967 s3:winbind correct a copypaste error http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit dab4e008a0d133cd1fcbe96cab134fd9b13faac5 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Nov 24 17:18:09 2010 +0200 s4-tests: Modified sec_descriptor to use samdb.newgroup instead of locally defined method. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Wed Nov 24 17:38:28 CET 2010 on sn-devel-104 commit c89ecfc2adee20d8f77af45fe2a45985be0fe3ae Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Nov 24 17:17:15 2010 +0200 s4-dsdb: Extended samdb.newgroup to set the group's security descriptor. --- Summary of changes: source4/dsdb/tests/python/sec_descriptor.py | 98 ++- source4/scripting/python/samba/samdb.py |6 ++- 2 files changed, 55 insertions(+), 49 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py index f74ac17..8b47175 100755 --- a/source4/dsdb/tests/python/sec_descriptor.py +++ b/source4/dsdb/tests/python/sec_descriptor.py 
@@ -85,22 +85,6 @@ replace: nTSecurityDescriptor mod += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) _ldb.modify_ldif(mod, controls) -def create_domain_group(self, _ldb, group_dn, desc=None): -ldif = -dn: + group_dn + -objectClass: group -sAMAccountName: + group_dn.split(,)[0][3:] + -groupType: 4 -url: www.example.com - -if desc: -assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) -if isinstance(desc, str): -ldif += nTSecurityDescriptor: %s % desc -elif isinstance(desc, security.descriptor): -ldif += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) -_ldb.add_ldif(ldif) - def get_unique_schema_class_name(self): while True: class_name = test-class%s % random.randint(1,10) @@ -430,7 +414,7 @@ class OwnerGroupDescriptorTests(DescriptorTests): _ldb = self.get_ldb_connection(user_name, samba123@) object_dn = CN=test_domain_group1,CN=Users, + self.base_dn self.delete_force(self.ldb_admin, object_dn) -self.create_domain_group(_ldb, object_dn) +_ldb.newgroup(test_domain_group1, grouptype=4) desc_sddl = self.get_desc_sddl(object_dn) res = re.search((O:.*G:.*?)D:, desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) @@ -445,7 +429,7 @@ class OwnerGroupDescriptorTests(DescriptorTests): _ldb = self.get_ldb_connection(user_name, samba123@) object_dn = CN=test_domain_group1,CN=Users, + self.base_dn self.delete_force(self.ldb_admin, object_dn) -self.create_domain_group(_ldb, object_dn) +_ldb.newgroup(test_domain_group1, grouptype=4) desc_sddl = self.get_desc_sddl(object_dn) res = re.search((O:.*G:.*?)D:, desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) 
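Review bot: `_ldb.newgroup(test_domain_group1, grouptype=4)` repeats the group name that `object_dn = CN=test_domain_group1,CN=Users, + self.base_dn` two lines above already spells out, and the following `get_desc_sddl(object_dn)` only inspects the right object if newgroup really places the group under CN=Users by default and the two literals stay identical. Deriving both from one name, `group_name = "test_domain_group1"` / `object_dn = "CN=%s,CN=Users,%s" % (group_name, self.base_dn)` / `_ldb.newgroup(group_name, grouptype=4)`, removes that coupling; the same pattern recurs in the `@@ -445`, `@@ -508` and `@@ -523` hunks. Each of these test methods starts before its hunk.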
@@ -508,7 +492,7 @@ class OwnerGroupDescriptorTests(DescriptorTests): _ldb = self.get_ldb_connection(user_name, samba123@) object_dn = CN=test_domain_group1,CN=Users, + self.base_dn self.delete_force(self.ldb_admin, object_dn) -self.create_domain_group(_ldb, object_dn) +_ldb.newgroup(test_domain_group1, grouptype=4) desc_sddl = self.get_desc_sddl(object_dn) res = re.search((O:.*G:.*?)D:, desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) @@ -523,7 +507,7 @@ class OwnerGroupDescriptorTests(DescriptorTests): _ldb = self.get_ldb_connection(user_name, samba123@) object_dn = CN=test_domain_group1,CN=Users, + self.base_dn self.delete_force(self.ldb_admin, object_dn) -self.create_domain_group(_ldb, object_dn) +_ldb.newgroup(test_domain_group1, grouptype=4) desc_sddl = self.get_desc_sddl(object_dn) res = re.search((O:.*G:.*?)D:, desc_sddl).group(1) self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) @@ -538,7 +522,7 @@ class OwnerGroupDescriptorTests(DescriptorTests): _ldb = self.get_ldb_connection(user_name, samba123@) object_dn = CN=test_domain_group1,CN=Users, + self.base_dn self.delete_force(self.ldb_admin, object_dn) -self.create_domain_group(_ldb, object_dn
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 439ff87 s4-tests: Ldap tests now use the get_dsheuristics and set_dsheuristics from SamDB. via c252dac s4-tests: Password tests now use the get_dsheuristics and set_dsheuristics from SamDB. via d6679cb s4-tests: Acl tests now use the get_dsheuristics and set_dsheuristics from SamDB. via eaa9733 s4-dsdb: Added python helpers for getting and seting dSHeuristics to SamDB from 95edbc3 wintest Evolve wintest to handle it's own BIND nameserver http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 439ff8717d41fb641f2a2cf2b14665edf375433d Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Nov 23 11:22:10 2010 +0200 s4-tests: Ldap tests now use the get_dsheuristics and set_dsheuristics from SamDB. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Tue Nov 23 11:08:37 CET 2010 on sn-devel-104 commit c252dac1b3263361ddac87e782c2230679f22589 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Nov 23 11:21:47 2010 +0200 s4-tests: Password tests now use the get_dsheuristics and set_dsheuristics from SamDB. commit d6679cb75a68b85c5dc28b5633bead84cc2deba9 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Nov 23 11:21:22 2010 +0200 s4-tests: Acl tests now use the get_dsheuristics and set_dsheuristics from SamDB. commit eaa9733a83b23da8c54cc2975c4ff3c854bbc30f Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Nov 23 11:20:12 2010 +0200 s4-dsdb: Added python helpers for getting and seting dSHeuristics to SamDB --- Summary of changes: source4/dsdb/tests/python/acl.py| 30 - source4/dsdb/tests/python/ldap.py | 31 +++-- source4/dsdb/tests/python/passwords.py | 53 +- source4/scripting/python/samba/samdb.py | 24 ++ 4 files changed, 46 insertions(+), 92 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 8a1c6a4..2b805d6 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py 
@@ -221,17 +221,6 @@ url: www.example.com self.create_active_user(self.ldb_admin, self.get_user_dn(username)) self.ldb_admin.enable_account((sAMAccountName= + username + )) -def set_dsheuristics(self, dsheuristics): -m = Message() -m.dn = Dn(self.ldb_admin, CN=Directory Service, CN=Windows NT, CN=Services, - + self.configuration_dn) -if dsheuristics is not None: -m[dSHeuristics] = MessageElement(dsheuristics, FLAG_MOD_REPLACE, - dSHeuristics) -else: -m[dSHeuristics] = MessageElement([], FLAG_MOD_DELETE, dsHeuristics) -self.ldb_admin.modify(m) - #tests on ldap add operations class AclAddTests(AclTests): @@ -697,13 +686,8 @@ class AclSearchTests(AclTests): self.creds_tmp.set_domain(creds.get_domain()) self.creds_tmp.set_realm(creds.get_realm()) self.creds_tmp.set_workstation(creds.get_workstation()) -self.anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp); -res = self.ldb_admin.search(CN=Directory Service, CN=Windows NT, CN=Services, - + self.configuration_dn, scope=SCOPE_BASE, attrs=[dSHeuristics]) -if dSHeuristics in res[0]: -self.dsheuristics = res[0][dSHeuristics][0] -else: -self.dsheuristics = None +self.anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp) +self.dsheuristics = self.ldb_admin.get_dsheuristics() self.create_enable_user(self.u1) self.create_enable_user(self.u2) self.create_enable_user(self.u3) @@ -801,7 +785,7 @@ class AclSearchTests(AclTests): def test_search_anonymous3(self): Set dsHeuristics and repeat -self.set_dsheuristics(002) +self.ldb_admin.set_dsheuristics(002) self.create_ou(self.ldb_admin, OU=test_search_ou1, + self.base_dn) mod = (A;CI;LC;;;AN) self.dacl_add_ace(OU=test_search_ou1, + self.base_dn, mod) 
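Review bot: The removed inline lookup yielded `None` when `dSHeuristics` is absent on the Directory Service object, and the `set_dsheuristics` helper deleted in the `@@ -221` hunk relied on exactly that (`None` selects the `FLAG_MOD_DELETE` branch) to restore the original state at the end of test_search_anonymous3 (`@@ -817` hunk). The new `self.ldb_admin.get_dsheuristics()` must keep that contract, which the samdb.py side of this change (not shown in this excerpt) should be checked for; if it returned an empty string or raised instead, the restore would leave a stray `dSHeuristics` value on the DC for later tests. A one-line comment at the assignment, `# None when the attribute is unset; set_dsheuristics(None) removes it again`, would record the expectation. setUp continues past the hunk.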
@@ -817,7 +801,7 @@ class AclSearchTests(AclTests): self.assertEquals(len(res), 1) self.assertTrue(dn in res[0]) self.assertTrue(res[0][dn] == Dn(self.ldb_admin, self.configuration_dn)) -self.set_dsheuristics(self.dsheuristics) +self.ldb_admin.set_dsheuristics(self.dsheuristics) def test_search1(self): Make sure users can see us if given LC to user and group @@ -1338,14 +1322,14 @@ class AclCARTests(AclTests): self.minPwdAge = self.ldb_admin.get_minPwdAge() # Set the dSHeuristics to have the tests run against Windows Server -self.set_dsheuristics
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5d27aee s4-tests: Modified sec_descriptor.py to use SamDB.create_ou() via 868dd26 s4-tests: Modified acl.py to use SamDB.create_ou() via 0c22316 s4-dsdb: Added a python method to SamDB for creating organizationalUnits from f6adad4 wintest: tidyups and new conf variables http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5d27aee10733a7928726c5e052234c19b617f6fd Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Nov 23 14:33:11 2010 +0200 s4-tests: Modified sec_descriptor.py to use SamDB.create_ou() Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Tue Nov 23 14:19:34 CET 2010 on sn-devel-104 commit 868dd26efdca5a44b5e91bc8693638720b8a8e14 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Nov 23 14:32:42 2010 +0200 s4-tests: Modified acl.py to use SamDB.create_ou() commit 0c22316ccfc2e20c39ef2fa3a2c195e931ec1509 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Nov 23 14:31:34 2010 +0200 s4-dsdb: Added a python method to SamDB for creating organizationalUnits --- Summary of changes: source4/dsdb/tests/python/acl.py| 154 --- source4/dsdb/tests/python/sec_descriptor.py | 55 -- source4/scripting/python/samba/samdb.py | 30 +- 3 files changed, 119 insertions(+), 120 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 2b805d6..0ef7cb6 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py 
@@ -96,20 +96,6 @@ replace: nTSecurityDescriptor mod += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) self.ldb_admin.modify_ldif(mod) -def create_ou(self, _ldb, ou_dn, desc=None): -ldif = -dn: + ou_dn + -ou: + ou_dn.split(,)[0][3:] + -objectClass: organizationalUnit -url: www.example.com - -if desc: -assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) -if isinstance(desc, str): -ldif += nTSecurityDescriptor: %s % desc -elif isinstance(desc, security.descriptor): -ldif += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) -_ldb.add_ldif(ldif) def create_active_user(self, _ldb, user_dn): ldif = @@ -267,8 +253,8 @@ class AclAddTests(AclTests): Testing OU with the rights of Doman Admin not creator of the OU self.assert_top_ou_deleted() # Change descriptor for top level OU -self.create_ou(self.ldb_owner, OU=test_add_ou1, + self.base_dn) -self.create_ou(self.ldb_owner, OU=test_add_ou2,OU=test_add_ou1, + self.base_dn) +self.ldb_owner.create_ou(OU=test_add_ou1, + self.base_dn) +self.ldb_owner.create_ou(OU=test_add_ou2,OU=test_add_ou1, + self.base_dn) user_sid = self.get_object_sid(self.get_user_dn(self.usr_admin_not_owner)) mod = (D;CI;WPCC;;;%s) % str(user_sid) self.dacl_add_ace(OU=test_add_ou1, + self.base_dn, mod) @@ -287,8 +273,8 @@ class AclAddTests(AclTests): Testing OU with the regular user that has no rights granted over the OU self.assert_top_ou_deleted() # Create a parent-child OU structure with domain admin credentials -self.create_ou(self.ldb_owner, OU=test_add_ou1, + self.base_dn) -self.create_ou(self.ldb_owner, OU=test_add_ou2,OU=test_add_ou1, + self.base_dn) +self.ldb_owner.create_ou(OU=test_add_ou1, + self.base_dn) +self.ldb_owner.create_ou(OU=test_add_ou2,OU=test_add_ou1, + self.base_dn) # Test user and group creation with regular user credentials try: self.create_test_user(self.ldb_user, CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1, + self.base_dn) 
@@ -307,11 +293,11 @@ class AclAddTests(AclTests): Testing OU with the rights of regular user granted the right 'Create User child objects' self.assert_top_ou_deleted() # Change descriptor for top level OU -self.create_ou(self.ldb_owner, OU=test_add_ou1, + self.base_dn) +self.ldb_owner.create_ou(OU=test_add_ou1, + self.base_dn) user_sid = self.get_object_sid(self.get_user_dn(self.regular_user)) mod = (OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s) % str(user_sid) self.dacl_add_ace(OU=test_add_ou1, + self.base_dn, mod) -self.create_ou(self.ldb_owner, OU=test_add_ou2,OU=test_add_ou1, + self.base_dn) +self.ldb_owner.create_ou(OU=test_add_ou2,OU=test_add_ou1, + self.base_dn) # Test user and group creation with granted user only to one of the objects self.create_test_user(self.ldb_user, CN=test_add_user1,OU=test_add_ou2,OU
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ff82220 s4-tests: Modified sec_descriptor.py to use samdb.newuser instead of custom methods. via 860ad87 s4-tests: Modified acl.py to use samdb.newuser instead of custom methods. via 3001a51 s4-dsdb: Extended samdb.newuser to accept security descriptor for the object and optionally skip password reset from aa54713 s3-docs: Update 3.2 features. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ff822209c158697d7354b91a289b33596b9d33cf Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Nov 23 17:52:55 2010 +0200 s4-tests: Modified sec_descriptor.py to use samdb.newuser instead of custom methods. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Tue Nov 23 17:58:38 CET 2010 on sn-devel-104 commit 860ad87340e9671a281b066a032eea91112fda00 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Nov 23 17:51:40 2010 +0200 s4-tests: Modified acl.py to use samdb.newuser instead of custom methods. commit 3001a514dd034f2ab2ab1b8d688302508b545741 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Nov 23 17:48:53 2010 +0200 s4-dsdb: Extended samdb.newuser to accept security descriptor for the object and optionally skip password reset Sometimes for testing purposes we create users without any permissions on their objects and password reset cannot be performed at that point, and is not necessary. For this purpose we can now optionally skip this step. The default is still to reset the user password. Also, a security.descriptor object can be specified during the user creation to override using the default one. defaultSecurityDescriptor is still used by default. --- Summary of changes: source4/dsdb/tests/python/acl.py| 154 --- source4/dsdb/tests/python/sec_descriptor.py | 69 source4/scripting/python/samba/samdb.py | 12 ++- 3 files changed, 99 insertions(+), 136 deletions(-) Changeset truncated at 500 lines: 
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 0ef7cb6..34c4e55 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -95,33 +95,6 @@ replace: nTSecurityDescriptor elif isinstance(desc, security.descriptor): mod += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) self.ldb_admin.modify_ldif(mod) - - -def create_active_user(self, _ldb, user_dn): -ldif = -dn: + user_dn + -sAMAccountName: + user_dn.split(,)[0][3:] + -objectClass: user -unicodePwd:: + base64.b64encode(\samba...@\.encode('utf-16-le')) + -url: www.example.com - -_ldb.add_ldif(ldif) - -def create_test_user(self, _ldb, user_dn, desc=None): -ldif = -dn: + user_dn + -sAMAccountName: + user_dn.split(,)[0][3:] + -objectClass: user -userPassword: + self.user_pass + -url: www.example.com - -if desc: -assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) -if isinstance(desc, str): -ldif += nTSecurityDescriptor: %s % desc -elif isinstance(desc, security.descriptor): -ldif += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) -_ldb.add_ldif(ldif) def create_group(self, _ldb, group_dn, desc=None): ldif = @@ -202,10 +175,6 @@ url: www.example.com pass else: self.fail() - -def create_enable_user(self, username): -self.create_active_user(self.ldb_admin, self.get_user_dn(username)) -self.ldb_admin.enable_account((sAMAccountName= + username + )) #tests on ldap add operations class AclAddTests(AclTests): 
@@ -218,9 +187,13 @@ class AclAddTests(AclTests): self.usr_admin_not_owner = acl_add_user2 # Regular user self.regular_user = acl_add_user3 -self.create_enable_user(self.usr_admin_owner) -self.create_enable_user(self.usr_admin_not_owner) -self.create_enable_user(self.regular_user) +self.test_user1 = test_add_user1 +self.test_group1 = test_add_group1 +self.ou1 = OU=test_add_ou1 +self.ou2 = OU=test_add_ou2,%s % self.ou1 +self.ldb_admin.newuser(self.usr_admin_owner, self.user_pass) +self.ldb_admin.newuser(self.usr_admin_not_owner, self.user_pass) +self.ldb_admin.newuser(self.regular_user, self.user_pass) # add admins to the Domain Admins group self.ldb_admin.add_remove_group_members(Domain Admins, self.usr_admin_owner, @@ -234,10 +207,12 @@ class AclAddTests(AclTests): def tearDown(self): super(AclAddTests, self).tearDown() -self.delete_force(self.ldb_admin, CN=test_add_user1,OU=test_add_ou2,OU
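Review bot: The three `self.ldb_admin.newuser(..., self.user_pass)` calls replace `create_enable_user`, which, as the `@@ -202` hunk removing it shows, also called `self.ldb_admin.enable_account(...)` after creating the user; nothing in this hunk enables the accounts, so this presumably relies on newuser doing so itself, which the samdb.py part of the change (not shown here) should confirm, since these users are later used to open their own connections. If newuser does not enable the account, the old `self.ldb_admin.enable_account("(sAMAccountName=%s)" % self.usr_admin_owner)` step needs to be kept for each of the three users. setUp continues past the hunk.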
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 91b687d s4-tests: Modified acl.py to use samdb.newgroup instead of custom methods. via e95a350 s4-dsdb: Changed filter to find the account of a user by samAccountName from 5e0130c Fix bug #7785 - atime limit. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 91b687d42b66c53bf81d49bb41b4597ab1a93b30 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Nov 23 21:59:39 2010 +0200 s4-tests: Modified acl.py to use samdb.newgroup instead of custom methods. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Tue Nov 23 21:46:07 CET 2010 on sn-devel-104 commit e95a350682f965780841712527e8e0cac282218d Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Nov 23 21:54:09 2010 +0200 s4-dsdb: Changed filter to find the account of a user by samAccountName In newuser, a filter by dn was given to setpassword to find the account whose password is to be reset. It appears however that if given filter of type (dn=CN=smth) Windows fails to return the entry, and the tests that use newuser fail against it. Changed to use samAccountName instead. --- Summary of changes: source4/dsdb/tests/python/acl.py| 58 --- source4/scripting/python/samba/samdb.py |3 +- 2 files changed, 16 insertions(+), 45 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 34c4e55..c45399a 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py 
@@ -96,38 +96,6 @@ replace: nTSecurityDescriptor mod += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) self.ldb_admin.modify_ldif(mod) -def create_group(self, _ldb, group_dn, desc=None): -ldif = -dn: + group_dn + -objectClass: group -sAMAccountName: + group_dn.split(,)[0][3:] + -groupType: 4 -url: www.example.com - -if desc: -assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) -if isinstance(desc, str): -ldif += nTSecurityDescriptor: %s % desc -elif isinstance(desc, security.descriptor): -ldif += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) -_ldb.add_ldif(ldif) - -def create_security_group(self, _ldb, group_dn, desc=None): -ldif = -dn: + group_dn + -objectClass: group -sAMAccountName: + group_dn.split(,)[0][3:] + -groupType: -2147483646 -url: www.example.com - -if desc: -assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) -if isinstance(desc, str): -ldif += nTSecurityDescriptor: %s % desc -elif isinstance(desc, security.descriptor): -ldif += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) -_ldb.add_ldif(ldif) - def read_desc(self, object_dn): res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, [nTSecurityDescriptor]) desc = res[0][nTSecurityDescriptor][0] @@ -235,7 +203,8 @@ class AclAddTests(AclTests): self.dacl_add_ace(OU=test_add_ou1, + self.base_dn, mod) # Test user and group creation with another domain admin's credentials self.ldb_notowner.newuser(self.test_user1, self.user_pass, userou=self.ou2) -self.create_group(self.ldb_notowner, CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1, + self.base_dn) +self.ldb_notowner.newgroup(test_add_group1, groupou=OU=test_add_ou2,OU=test_add_ou1, + grouptype=4) # Make sure we HAVE created the two objects -- user and group # !!! We should not be able to do that, but however beacuse of ACE ordering our inherited Deny ACE # !!! comes after explicit (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) that comes from somewhere 
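Review bot: `self.ldb_notowner.newgroup(test_add_group1, groupou=OU=test_add_ou2,OU=test_add_ou1, grouptype=4)` re-spells values that setUp already holds as `self.test_group1` and `self.ou2`, while the `newuser` call on the line directly above uses `userou=self.ou2`; the two calls should agree, `self.ldb_notowner.newgroup(self.test_group1, groupou=self.ou2, grouptype=4)`, so the user and the group are guaranteed to land in the same OU that tearDown cleans up. The same applies to the `newgroup` call in the `@@ -253` hunk. Both test methods start before their hunks.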
@@ -253,7 +222,8 @@ class AclAddTests(AclTests): # Test user and group creation with regular user credentials try: self.ldb_user.newuser(self.test_user1, self.user_pass, userou=self.ou2) -self.create_group(self.ldb_user, CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1, + self.base_dn) +self.ldb_user.newgroup(test_add_group1, groupou=OU=test_add_ou2,OU=test_add_ou1, + grouptype=4) except LdbError, (num, _): self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) else: @@ -276,7 +246,8 @@ class AclAddTests(AclTests): # Test user and group creation with granted user only to one of the objects self.ldb_user.newuser(self.test_user1, self.user_pass, userou=self.ou2, setpassword=False) try: -self.create_group(self.ldb_user, CN
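Review bot: The helper removed in this file's first hunk, create_security_group, wrote groupType -2147483646 (a security group), while every replacement call visible here passes grouptype=4 to newgroup, and the AclSearchTests.setUp call that used create_security_group lies past the 500-line truncation, so it cannot be seen whether it kept the security-group type. If it was converted with grouptype=4 as well, group1 would become a distribution group, which is not security-enabled and so would not appear in the member's token, quietly weakening the search-ACL tests that depend on it — worth confirming. A short comment at the grouptype=4 call sites, e.g. `# distribution group (groupType 4); security groups need grouptype=-2147483646`, would keep the distinction visible now that the two named helpers are gone.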
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2c993f0 s4-tests: Adapted passwords.py to use set_minPwdAge from SamDB. via 2c96be1 s4-tests: Adapted acl.py to use set_minPwdAge from SamDB. via c88b90e s4-dsdb: Added a helper to python SamDB for retrieving and setting minPwdAge. from b85dfce s4-test/repl_schema: Remote global ldb connections http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2c993f0d4eb43d39553857641d0686baba444b4b Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Nov 22 18:51:55 2010 +0200 s4-tests: Adapted passwords.py to use set_minPwdAge from SamDB. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Mon Nov 22 18:39:06 CET 2010 on sn-devel-104 commit 2c96be185d7d8222fc7f1aef513ca0e5b0ca2408 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Nov 22 18:50:35 2010 +0200 s4-tests: Adapted acl.py to use set_minPwdAge from SamDB. commit c88b90e9f69554832a4932cbc9e44ea1c3bd2b81 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Nov 22 18:34:18 2010 +0200 s4-dsdb: Added a helper to python SamDB for retrieving and setting minPwdAge. --- Summary of changes: source4/dsdb/tests/python/acl.py| 13 +++-- source4/dsdb/tests/python/passwords.py | 14 +++--- source4/scripting/python/samba/samdb.py | 15 +++ 3 files changed, 21 insertions(+), 21 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 1480005..8a1c6a4 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -232,12 +232,6 @@ url: www.example.com m[dSHeuristics] = MessageElement([], FLAG_MOD_DELETE, dsHeuristics) self.ldb_admin.modify(m) -def set_minPwdAge(self, value): -m = Message() -m.dn = Dn(self.ldb_admin, self.base_dn) -m[minPwdAge] = MessageElement(value, FLAG_MOD_REPLACE, minPwdAge) -self.ldb_admin.modify(m) - #tests on ldap add operations class AclAddTests(AclTests): 
@@ -1341,19 +1335,18 @@ class AclCARTests(AclTests): else: self.dsheuristics = None -res = self.ldb_admin.search(self.base_dn, scope=SCOPE_BASE, attrs=[minPwdAge]) -self.minPwdAge = res[0][minPwdAge][0] +self.minPwdAge = self.ldb_admin.get_minPwdAge() # Set the dSHeuristics to have the tests run against Windows Server self.set_dsheuristics(1) # Set minPwdAge to 0 -self.set_minPwdAge(0) +self.ldb_admin.set_minPwdAge(0) def tearDown(self): super(AclCARTests, self).tearDown() #restore original values self.set_dsheuristics(self.dsheuristics) -self.set_minPwdAge(self.minPwdAge) +self.ldb_admin.set_minPwdAge(self.minPwdAge) self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_wp)) self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_pc)) diff --git a/source4/dsdb/tests/python/passwords.py b/source4/dsdb/tests/python/passwords.py index 461d135..1512346 100755 --- a/source4/dsdb/tests/python/passwords.py +++ b/source4/dsdb/tests/python/passwords.py @@ -948,14 +948,9 @@ m[dSHeuristics] = MessageElement(1, FLAG_MOD_REPLACE, ldb.modify(m) # Get the old minPwdAge -res = ldb.search(base_dn, scope=SCOPE_BASE, attrs=[minPwdAge]) -minPwdAge = res[0][minPwdAge][0] - +minPwdAge = ldb.get_minPwdAge() # Set it temporarely to 0 -m = Message() -m.dn = Dn(ldb, base_dn) -m[minPwdAge] = MessageElement(0, FLAG_MOD_REPLACE, minPwdAge) -ldb.modify(m) +ldb.set_minPwdAge(0) runner = SubunitTestRunner() rc = 0 @@ -974,9 +969,6 @@ else: ldb.modify(m) # Reset the minPwdAge as it was before -m = Message() -m.dn = Dn(ldb, base_dn) -m[minPwdAge] = MessageElement(minPwdAge, FLAG_MOD_REPLACE, minPwdAge) -ldb.modify(m) +ldb.set_minPwdAge(minPwdAge) sys.exit(rc) diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 61d7c3e..460c8b8 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py 
@@ -602,3 +602,18 @@ accountExpires: %u def get_partitions_dn(self): return dsdb._dsdb_get_partitions_dn(self) + +def set_minPwdAge(self, value): +m = ldb.Message() +m.dn = ldb.Dn(self, self.domain_dn()) +m[minPwdAge] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, minPwdAge) +self.modify(m) + +def get_minPwdAge(self): +res = self.search(self.domain_dn(), scope=ldb.SCOPE_BASE, attrs=[minPwdAge]) +if len(res) == 0: +return None +elif not minPwdAge in res[0]: +return None +else: +return res[0][minPwdAge][0] -- Samba Shared Repository
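Review bot: set_minPwdAge has no branch for value None, yet get_minPwdAge returns None when the domain object has no minPwdAge, and AclCARTests.tearDown passes that result straight back (`self.ldb_admin.set_minPwdAge(self.minPwdAge)`), so a restore on such a domain would hand None to ldb.MessageElement instead of removing the attribute. The existing set_dsheuristics in acl.py handles the same situation by issuing a FLAG_MOD_DELETE when the value is None; set_minPwdAge should mirror that, as below. Both new methods are public SamDB API and have no docstring; one line each, e.g. `"""Set minPwdAge on the domain object; None deletes the attribute."""` and `"""Return the current minPwdAge value, or None if it is unset."""`, would do. Minor style: `not minPwdAge in res[0]` reads better as `"minPwdAge" not in res[0]`.
```python
    def set_minPwdAge(self, value):
        # … unchanged: Message and dn setup …
        if value is None:
            m["minPwdAge"] = ldb.MessageElement([], ldb.FLAG_MOD_DELETE, "minPwdAge")
        else:
            m["minPwdAge"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "minPwdAge")
        self.modify(m)
```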
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 47784a1 s4-tests: Descriptor tests should use the existing samdb domain_dn method instead of defining a new one via 763165c s4-tests: Acl tests should use the existing samdb domain_dn method instead of defining a new one from 56512fb ldb:skel.c - don't introduce trailing whitespaces by a module template http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 47784a14708827a0272b638c6ab088d74b392908 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 18 13:17:00 2010 +0200 s4-tests: Descriptor tests should use the existing samdb domain_dn method instead of defining a new one Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Nov 18 12:52:48 UTC 2010 on sn-devel-104 commit 763165c7bcff5d4b2c331a75869a7db82f5ec91a Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 18 13:13:35 2010 +0200 s4-tests: Acl tests should use the existing samdb domain_dn method instead of defining a new one --- Summary of changes: source4/dsdb/tests/python/acl.py|8 +--- source4/dsdb/tests/python/sec_descriptor.py |8 +--- 2 files changed, 2 insertions(+), 14 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 1726c43..b448d65 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -64,12 +64,6 @@ class AclTests(samba.tests.TestCase): except LdbError, (num, _): self.assertEquals(num, ERR_NO_SUCH_OBJECT) -def find_basedn(self, ldb): -res = ldb.search(base=, expression=, scope=SCOPE_BASE, - attrs=[defaultNamingContext]) -self.assertEquals(len(res), 1) -return res[0][defaultNamingContext][0] - def find_domain_sid(self, ldb): res = ldb.search(base=self.base_dn, expression=(objectClass=*), scope=SCOPE_BASE) return ndr_unpack(security.dom_sid,res[0][objectSid][0]) 
@@ -77,7 +71,7 @@ class AclTests(samba.tests.TestCase): def setUp(self): super(AclTests, self).setUp() self.ldb_admin = ldb -self.base_dn = self.find_basedn(self.ldb_admin) +self.base_dn = ldb.domain_dn() self.domain_sid = self.find_domain_sid(self.ldb_admin) self.user_pass = samba123@ res = self.ldb_admin.search(base=, expression=, scope=SCOPE_BASE, diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py index 557d907..5b3bb6a 100755 --- a/source4/dsdb/tests/python/sec_descriptor.py +++ b/source4/dsdb/tests/python/sec_descriptor.py @@ -65,12 +65,6 @@ class DescriptorTests(samba.tests.TestCase): except LdbError, (num, _): self.assertEquals(num, ERR_NO_SUCH_OBJECT) -def find_basedn(self, ldb): -res = ldb.search(base=, expression=, scope=SCOPE_BASE, - attrs=[defaultNamingContext]) -self.assertEquals(len(res), 1) -return res[0][defaultNamingContext][0] - def find_configurationdn(self, ldb): res = ldb.search(base=, expression=, scope=SCOPE_BASE, attrs=[configurationNamingContext]) self.assertEquals(len(res), 1) @@ -276,7 +270,7 @@ member: + self.get_users_domain_dn(username) def setUp(self): super(DescriptorTests, self).setUp() self.ldb_admin = ldb -self.base_dn = self.find_basedn(self.ldb_admin) +self.base_dn = ldb.domain_dn() self.configuration_dn = self.find_configurationdn(self.ldb_admin) self.schema_dn = self.find_schemadn(self.ldb_admin) self.domain_sid = self.find_domain_sid(self.ldb_admin) -- Samba Shared Repository
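Review bot: The new line `self.base_dn = ldb.domain_dn()` reaches for the module-global ldb while the line just above assigns it to self.ldb_admin and the next line uses self.ldb_admin; `self.base_dn = self.ldb_admin.domain_dn()` keeps setUp consistent and lets a fixture substitute the admin connection. The sec_descriptor.py hunk at @@ -276 in this commit has the same shape and would take the same change. The removed find_basedn returned the raw attribute value (a str) and base_dn is concatenated with `+` elsewhere in these files, so this relies on domain_dn() returning a str rather than a Dn object — presumably true, but worth a glance.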
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 469d15e s4-tests: Changed descriptor tests to use existing method in samdb for adding users to a group. via 82335b2 s4-tests: Changed acl tests to use existing method in samdb for adding users to a group. from fa1e866 Revert s4:api.py - DN tests - test a bit more special DNs and merge the comparison tests http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 469d15e2653bceb669f2202c07f6024341f2e99f Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 18 19:13:41 2010 +0200 s4-tests: Changed descriptor tests to use existing method in samdb for adding users to a group. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Nov 18 18:30:55 UTC 2010 on sn-devel-104 commit 82335b25e7c9862d8e1a2294e7f633ed6bed110b Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 18 19:12:36 2010 +0200 s4-tests: Changed acl tests to use existing method in samdb for adding users to a group. --- Summary of changes: source4/dsdb/tests/python/acl.py| 27 - source4/dsdb/tests/python/sec_descriptor.py | 56 +++--- 2 files changed, 32 insertions(+), 51 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index b448d65..2f9cf64 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -97,17 +97,6 @@ replace: nTSecurityDescriptor elif isinstance(desc, security.descriptor): mod += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) self.ldb_admin.modify_ldif(mod) - -def add_group_member(self, _ldb, group_dn, member_dn): - Modify user to ge member of a group -e.g. User to be 'Doamin Admin' group member - -ldif = -dn: + group_dn + -changetype: modify -add: member -member: + member_dn -_ldb.modify_ldif(ldif) def create_ou(self, _ldb, ou_dn, desc=None): ldif = 
@@ -267,10 +256,10 @@ class AclAddTests(AclTests): self.create_enable_user(self.regular_user) # add admins to the Domain Admins group -self.add_group_member(self.ldb_admin, CN=Domain Admins,CN=Users, + self.base_dn, \ -self.get_user_dn(self.usr_admin_owner)) -self.add_group_member(self.ldb_admin, CN=Domain Admins,CN=Users, + self.base_dn, \ -self.get_user_dn(self.usr_admin_not_owner)) +self.ldb_admin.add_remove_group_members(Domain Admins, self.usr_admin_owner, + add_members_operation=True) +self.ldb_admin.add_remove_group_members(Domain Admins, self.usr_admin_not_owner, + add_members_operation=True) self.ldb_owner = self.get_ldb_connection(self.usr_admin_owner, self.user_pass) self.ldb_notowner = self.get_ldb_connection(self.usr_admin_not_owner, self.user_pass) @@ -727,8 +716,8 @@ class AclSearchTests(AclTests): self.create_enable_user(self.u2) self.create_enable_user(self.u3) self.create_security_group(self.ldb_admin, self.get_user_dn(self.group1)) -self.add_group_member(self.ldb_admin, self.get_user_dn(self.group1), \ -self.get_user_dn(self.u2)) +self.ldb_admin.add_remove_group_members(self.group1, self.u2, +add_members_operation=True) self.ldb_user = self.get_ldb_connection(self.u1, self.user_pass) self.ldb_user2 = self.get_ldb_connection(self.u2, self.user_pass) self.ldb_user3 = self.get_ldb_connection(self.u3, self.user_pass) @@ -1639,8 +1628,8 @@ class AclExtendedTests(AclTests): self.create_enable_user(self.u1) self.create_enable_user(self.u2) self.create_enable_user(self.u3) -self.add_group_member(self.ldb_admin, CN=Domain Admins,CN=Users, + self.base_dn, - self.get_user_dn(self.u3)) +self.ldb_admin.add_remove_group_members(Domain Admins, self.u3, +add_members_operation=True) self.ldb_user1 = self.get_ldb_connection(self.u1, self.user_pass) self.ldb_user2 = self.get_ldb_connection(self.u2, self.user_pass) self.ldb_user3 = self.get_ldb_connection(self.u3, self.user_pass) 
diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py index 5b3bb6a..175cc81 100755 --- a/source4/dsdb/tests/python/sec_descriptor.py +++ b/source4/dsdb/tests/python/sec_descriptor.py @@ -221,14 +221,6 @@ url: www.example.com _ldb.add_ldif(ldif) -def add_user_to_group(self, _ldb, username, groupname): -ldif = -dn: + self.get_users_domain_dn(groupname
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f992dbb s4-tests: Modified descriptor tests to use pyldb api to retrieve configuration and schema dn. via b397a13 s4-tests: Modified acl tests to use pyldb api to retrieve configuration dn. from 0f6a4a2 Make 'net rpc printer driver' behave the same as rpcclient enumdrivers when dealing with unsupported architectures. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f992dbb9cade1a5ef6ee03f0ea5c378928be3b64 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 18 20:44:22 2010 +0200 s4-tests: Modified descriptor tests to use pyldb api to retrieve configuration and schema dn. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Nov 18 22:25:07 CET 2010 on sn-devel-104 commit b397a139203781d7df9992a821b1c6c6849c42cf Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 18 20:43:16 2010 +0200 s4-tests: Modified acl tests to use pyldb api to retrieve configuration dn. --- Summary of changes: source4/dsdb/tests/python/acl.py|4 +--- source4/dsdb/tests/python/sec_descriptor.py | 14 ++ 2 files changed, 3 insertions(+), 15 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 2f9cf64..1480005 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -74,9 +74,7 @@ class AclTests(samba.tests.TestCase): self.base_dn = ldb.domain_dn() self.domain_sid = self.find_domain_sid(self.ldb_admin) self.user_pass = samba123@ -res = self.ldb_admin.search(base=, expression=, scope=SCOPE_BASE, - attrs=[configurationNamingContext]) -self.configuration_dn = res[0][configurationNamingContext][0] +self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized() print baseDN: %s % self.base_dn def get_user_dn(self, name): diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py index 175cc81..b61afd3 100755 
--- a/source4/dsdb/tests/python/sec_descriptor.py +++ b/source4/dsdb/tests/python/sec_descriptor.py @@ -65,16 +65,6 @@ class DescriptorTests(samba.tests.TestCase): except LdbError, (num, _): self.assertEquals(num, ERR_NO_SUCH_OBJECT) -def find_configurationdn(self, ldb): -res = ldb.search(base=, expression=, scope=SCOPE_BASE, attrs=[configurationNamingContext]) -self.assertEquals(len(res), 1) -return res[0][configurationNamingContext][0] - -def find_schemadn(self, ldb): -res = ldb.search(base=, expression=, scope=SCOPE_BASE, attrs=[schemaNamingContext]) -self.assertEquals(len(res), 1) -return res[0][schemaNamingContext][0] - def find_domain_sid(self, ldb): res = ldb.search(base=self.base_dn, expression=(objectClass=*), scope=SCOPE_BASE) return ndr_unpack( security.dom_sid,res[0][objectSid][0]) @@ -263,8 +253,8 @@ url: www.example.com super(DescriptorTests, self).setUp() self.ldb_admin = ldb self.base_dn = ldb.domain_dn() -self.configuration_dn = self.find_configurationdn(self.ldb_admin) -self.schema_dn = self.find_schemadn(self.ldb_admin) +self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized() +self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized() self.domain_sid = self.find_domain_sid(self.ldb_admin) print baseDN: %s % self.base_dn -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 3f43809 s4-tests: Tests for the dSHeuristics attribute value restrictions via b6fe5cd s4-dsdb: Implemented value restrictions for the dSHeuristics attribute from 80c3364 s3: Fix a getgrent crash with many groups http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3f4380993e75774c0c5d30171097f701b4227db7 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Nov 3 15:15:02 2010 +0200 s4-tests: Tests for the dSHeuristics attribute value restrictions Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Wed Nov 3 13:58:42 UTC 2010 on sn-devel-104 commit b6fe5cdfdd83319b894cbc2abf40c56c33ba Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Nov 3 15:14:06 2010 +0200 s4-dsdb: Implemented value restrictions for the dSHeuristics attribute --- Summary of changes: source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 28 +- source4/dsdb/tests/python/ldap.py | 41 2 files changed, 68 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c index cb4f7d9..120357c 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c 
@@ -70,6 +70,25 @@ static struct oc_context *oc_init_context(struct ldb_module *module, static int oc_op_callback(struct ldb_request *req, struct ldb_reply *ares); +/* checks correctness of dSHeuristics attribute + * as described in MS-ADTS 7.1.1.2.4.1.2 dSHeuristics */ + +static int oc_validate_dsheuristics(struct ldb_message_element *el) +{ + if (LDB_FLAG_MOD_TYPE(el-flags) == LDB_FLAG_MOD_DELETE || + el-num_values 1) { + return LDB_SUCCESS; + } + if (el-values[0].length DS_HR_LDAP_BYPASS_UPPER_LIMIT_BOUNDS) { + return LDB_ERR_CONSTRAINT_VIOLATION; + } else if (el-values[0].length = DS_HR_TENTH_CHAR + el-values[0].data[DS_HR_TENTH_CHAR-1] != '1') { + return LDB_ERR_CONSTRAINT_VIOLATION; + } else { + return LDB_SUCCESS; + } +} + static int attr_handler(struct oc_context *ac) { struct ldb_context *ldb; @@ -181,7 +200,14 @@ static int attr_handler(struct oc_context *ac) talloc_free(res); } } - +/* dSHeuristics syntax check */ + if ((ac-req-operation == LDB_ADD || ac-req-operation == LDB_MODIFY) + (ldb_attr_cmp(attr-lDAPDisplayName, dSHeuristics) == 0)) { + ret = oc_validate_dsheuristics((msg-elements[i])); + if (ret != LDB_SUCCESS) { + return ret; + } + } /* Substitute the attribute name to match in case */ msg-elements[i].name = attr-lDAPDisplayName; } diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py index d698243..e8bc625 100755 --- a/source4/dsdb/tests/python/ldap.py +++ b/source4/dsdb/tests/python/ldap.py 
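Review bot: oc_validate_dsheuristics enforces only the tenth character, but the MS-ADTS dSHeuristics section the comment cites fixes every tenth position (the twentieth character must be '2', the thirtieth '3', and so on), so if DS_HR_LDAP_BYPASS_UPPER_LIMIT_BOUNDS admits values at or beyond position 20 a wrong twentieth character is still accepted; a branch of the same shape, e.g. `} else if (el->values[0].length >= 20 && el->values[0].data[19] != '2') {`, with a named constant beside DS_HR_TENTH_CHAR, would close that gap. Only values[0] is inspected; if an element arrives with several values, rejecting the extra ones depends on the single-valued handling elsewhere in attr_handler (its body starts outside the hunk), which should be confirmed. This rendering has lost the comparison operators (`el-num_values 1`, `length DS_HR_...`), so the exact early-return condition for an empty element cannot be checked from the page. The detached comment `/* dSHeuristics syntax check */` in the second hunk sits at column 0 inside an indented block and should be indented with the `if` it describes.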
@@ -89,6 +89,17 @@ class BasicTests(unittest.TestCase): res = self.ldb.search(base=self.base_dn, expression=(objectClass=*), scope=SCOPE_BASE) return ndr_unpack( security.dom_sid,res[0][objectSid][0]) +def set_dsheuristics(self, dsheuristics): +m = Message() +m.dn = Dn(self.ldb, CN=Directory Service, CN=Windows NT, CN=Services, + + self.configuration_dn) +if dsheuristics is not None: +m[dSHeuristics] = MessageElement(dsheuristics, FLAG_MOD_REPLACE, + dSHeuristics) +else: +m[dSHeuristics] = MessageElement([], FLAG_MOD_DELETE, dsHeuristics) +self.ldb.modify(m) + def setUp(self): super(BasicTests, self).setUp() self.ldb = ldb @@ -2471,6 +2482,36 @@ nTSecurityDescriptor:: + desc_base64 finally: self.delete_force(self.ldb, user_dn) +def test_dsheuristics(self): +Tests the 'dSHeuristics' attribute +print Tests the 'dSHeuristics' attribute + +# Get the current value to restore it later +res = self.ldb.search(CN=Directory Service, CN=Windows NT, CN=Services, + + self.configuration_dn, scope=SCOPE_BASE, attrs=[dSHeuristics]) +if dSHeuristics in res[0]: +dsheuristics = res[0][dSHeuristics][0] +else: +dsheuristics = None +# Should not be longer than 18 chars? +try: +self.set_dsheuristics(123abc-+!1as...@#^12) +except LdbError, (num
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 3003bd4 s4-ldb: Changes the aclread module to use LDB_HANDLE_FLAG_UNTRUSTED to determine the source of the request from b1f6a2b unit tests: move backend testing to the end http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3003bd40379b669e8b2cef7a40784f0114344f8e Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Oct 27 14:04:03 2010 +0300 s4-ldb: Changes the aclread module to use LDB_HANDLE_FLAG_UNTRUSTED to determine the source of the request The aclread module used to use a control to make sure the request comes from the ldap server, but now the rootdse filters out any unregistered controls comming from ldap, so the control is lost. Using the LDB_HANDLE_FLAG_UNTRUSTED is a much more elegant solution. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Wed Oct 27 11:55:11 UTC 2010 on sn-devel-104 --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl_read.c | 11 +-- source4/dsdb/samdb/samdb.h|3 --- source4/ldap_server/ldap_backend.c|1 - source4/libcli/ldap/ldap_controls.c |2 -- 4 files changed, 5 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index 3b8e60c..78a9e28 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c 
@@ -195,25 +195,24 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) struct aclread_context *ac; struct ldb_request *down_req; struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); - struct ldb_control *apply_access = ldb_request_get_control(req, DSDB_CONTROL_SEARCH_APPLY_ACCESS); struct auth_session_info *session_info; struct ldb_result *res; struct ldb_message_element *parent; struct aclread_private *p; + bool is_untrusted = ldb_req_is_untrusted(req); static const char *acl_attrs[] = { parentGUID, NULL -}; + }; + ldb = ldb_module_get_ctx(module); p = talloc_get_type(ldb_module_get_private(module), struct aclread_private); - if (apply_access != NULL) { - apply_access-critical = 0; - } + /* skip access checks if we are system or system control is supplied * or this is not LDAP server request */ if (!p || !p-enabled || dsdb_module_am_system(module) - || as_system || !apply_access) { + || as_system || !is_untrusted) { return ldb_next_request(module, req); } /* no checks on special dn */ diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h index 4a9edba..a3d8f79 100644 --- a/source4/dsdb/samdb/samdb.h +++ b/source4/dsdb/samdb/samdb.h @@ -192,7 +192,4 @@ struct dsdb_fsmo_extended_op { struct GUID destination_dsa_guid; }; -/* applied access checks on LDAP reads */ -#define DSDB_CONTROL_SEARCH_APPLY_ACCESS 1.3.6.1.4.1.7165.4.3.15 - #endif /* __SAMDB_H__ */ diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c index 671e94a..e45c180 100644 --- a/source4/ldap_server/ldap_backend.c +++ b/source4/ldap_server/ldap_backend.c @@ -594,7 +594,6 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call) } } - ldb_request_add_control(lreq, DSDB_CONTROL_SEARCH_APPLY_ACCESS, false, NULL); ldb_set_timeout(samdb, lreq, req-timelimit); ldb_req_mark_untrusted(lreq); 
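Review bot: The skip condition now fails open on the absence of a flag: any request that did not pass through ldb_req_mark_untrusted bypasses read access checks, so every entry point serving remote clients must set that flag, and only the existing call in ldapsrv_SearchRequest is visible here. A comment on the condition recording that invariant, e.g. `/* requests without LDB_HANDLE_FLAG_UNTRUSTED are internal; every network entry point must call ldb_req_mark_untrusted() or read ACLs are not applied */`, would make the dependency explicit to whoever adds the next front-end. The `as_system` term still honours LDB_CONTROL_AS_SYSTEM_OID regardless of is_untrusted; the commit message says rootdse strips unregistered controls from LDAP, but if AS_SYSTEM is a registered control that rootdse does not reject on untrusted requests, a remote caller could use it to skip these checks — worth confirming, and guarding that term with `&& !is_untrusted` would be a cheap second line of defence. is_untrusted is read once at entry; whether down_req and the later sub-searches inherit the flag is decided outside this hunk.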
diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c index 592635d..6ded87a 100644 --- a/source4/libcli/ldap/ldap_controls.c +++ b/source4/libcli/ldap/ldap_controls.c @@ -1185,8 +1185,6 @@ static const struct ldap_control_handler ldap_known_controls[] = { { LDB_CONTROL_BYPASS_OPERATIONAL_OID, NULL, NULL }, /* DSDB_CONTROL_CHANGEREPLMETADATA_OID is internal only, and has no network representation */ { DSDB_CONTROL_CHANGEREPLMETADATA_OID, NULL, NULL }, -/* DSDB_CONTROL_SEARCH_APPLY_ACCESS is internal only, and has no network representation */ - { DSDB_CONTROL_SEARCH_APPLY_ACCESS, NULL, NULL }, /* LDB_CONTROL_PROVISION_OID is internal only, and has no network representation */ { LDB_CONTROL_PROVISION_OID, NULL, NULL }, /* DSDB_EXTENDED_REPLICATED_OBJECTS_OID is internal only, and has no network representation */ -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5bc2b8f s4-ldb: Added the correct extended check for read access to nTSecurityDescriptor from 3003bd4 s4-ldb: Changes the aclread module to use LDB_HANDLE_FLAG_UNTRUSTED to determine the source of the request http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5bc2b8f0a494511800696d6d411a426463089e8b Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Oct 27 15:20:49 2010 +0300 s4-ldb: Added the correct extended check for read access to nTSecurityDescriptor It does not depend on READ_PROPERTY, but on SECURITY_PRIVILEGE and READ_CONTROL Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Wed Oct 27 13:18:50 UTC 2010 on sn-devel-104 --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl_read.c |2 +- source4/dsdb/tests/python/acl.py | 62 + source4/selftest/knownfail|1 + 3 files changed, 64 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index 78a9e28..bd9e128 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c @@ -146,7 +146,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) tmp_ctx, sd, sid, - SEC_FLAG_SYSTEM_SECURITY, + SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL, attr); } else { ret = acl_check_access_on_attribute(ac-module, diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index ae51044..d4c55a4 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py 
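Review bot: The access mask now requires SEC_FLAG_SYSTEM_SECURITY and SEC_STD_READ_CONTROL together for every nTSecurityDescriptor read, which is the right default when the client has not said which parts of the descriptor it wants, but it does not consult the SD flags control (LDB_CONTROL_SD_FLAGS_OID): a caller asking only for owner, group and DACL needs READ_CONTROL alone and would be denied here unless that case is handled outside the hunk. The test added in acl.py (`#grant RC to u2 - still no access`) pins the combined-bits behaviour without an SD flags control, so a companion case that requests the DACL only would document which behaviour is intended. The call being changed is the tail of a statement that starts outside the hunk, and aclread_callback's body continues beyond it.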
@@ -1621,6 +1621,65 @@ replace: userPassword userPassword: thatsAcomplPASS1 ) +class AclExtendedTests(AclTests): + +def setUp(self): +super(AclExtendedTests, self).setUp() +#regular user, will be the creator +self.u1 = ext_u1 +#regular user +self.u2 = ext_u2 +#admin user +self.u3 = ext_u3 +self.create_enable_user(self.u1) +self.create_enable_user(self.u2) +self.create_enable_user(self.u3) +self.add_group_member(self.ldb_admin, CN=Domain Admins,CN=Users, + self.base_dn, + self.get_user_dn(self.u3)) +self.ldb_user1 = self.get_ldb_connection(self.u1, self.user_pass) +self.ldb_user2 = self.get_ldb_connection(self.u2, self.user_pass) +self.ldb_user3 = self.get_ldb_connection(self.u3, self.user_pass) +self.user_sid1 = self.get_object_sid(self.get_user_dn(self.u1)) +self.user_sid2 = self.get_object_sid(self.get_user_dn(self.u2)) + +def tearDown(self): +super(AclExtendedTests, self).tearDown() +self.delete_force(self.ldb_admin, self.get_user_dn(self.u1)) +self.delete_force(self.ldb_admin, self.get_user_dn(self.u2)) +self.delete_force(self.ldb_admin, self.get_user_dn(self.u3)) +self.delete_force(self.ldb_admin, CN=ext_group1,OU=ext_ou1, + self.base_dn) +self.delete_force(self.ldb_admin, ou=ext_ou1, + self.base_dn) + +def test_ntSecurityDescriptor(self): +#create empty ou +self.create_ou(self.ldb_admin, ou=ext_ou1, + self.base_dn) +#give u1 Create children access +mod = (A;;CC;;;%s) % str(self.user_sid1) +self.dacl_add_ace(OU=ext_ou1, + self.base_dn, mod) +mod = (A;;LC;;;%s) % str(self.user_sid2) +self.dacl_add_ace(OU=ext_ou1, + self.base_dn, mod) +#create a group under that, grant RP to u2 +self.create_group(self.ldb_user1, CN=ext_group1,OU=ext_ou1, + self.base_dn) +mod = (A;;RP;;;%s) % str(self.user_sid2) +self.dacl_add_ace(CN=ext_group1,OU=ext_ou1, + self.base_dn, mod) +#u2 must not read the descriptor +res = self.ldb_user2.search(CN=ext_group1,OU=ext_ou1, + self.base_dn, +SCOPE_BASE, None, [nTSecurityDescriptor]) +self.assertNotEqual(res,[]) 
+self.assertFalse(nTSecurityDescriptor in res[0].keys()) +#grant RC to u2 - still no access +mod = (A;;RC;;;%s) % str(self.user_sid2) +self.dacl_add_ace(CN=ext_group1,OU=ext_ou1, + self.base_dn, mod) +res = self.ldb_user2.search(CN=ext_group1,OU=ext_ou1, + self.base_dn
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 3b0d6fd s4-rodc: RODC should not accept requests for role transfer from cc28860 s4-provision: simplify our generated krb5.conf http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3b0d6fda38749b01d2f8c4ff0ccbfc6ffc7bde49 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Sep 28 19:35:56 2010 -0700 s4-rodc: RODC should not accept requests for role transfer A RODC cannot assume a role, and unwillingToPerform must be returned if such request is sent via LDAP --- Summary of changes: source4/dsdb/samdb/ldb_modules/rootdse.c | 12 1 files changed, 12 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c index 4f0b11b..6c2a1e6 100644 --- a/source4/dsdb/samdb/ldb_modules/rootdse.c +++ b/source4/dsdb/samdb/ldb_modules/rootdse.c @@ -1059,7 +1059,19 @@ static int rootdse_become_master(struct ldb_module *module, struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, loadparm); NTSTATUS status_call; WERROR status_fn; + bool am_rodc; struct dcerpc_binding_handle *irpc_handle; + int ret; + + ret = samdb_rodc(ldb, am_rodc); + if (ret != LDB_SUCCESS) { + return ldb_error(ldb, ret, Could not determine if server is RODC.); + } + + if (am_rodc) { + return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, +RODC cannot become a role master.); + } msg = messaging_client_init(tmp_ctx, lpcfg_messaging_path(tmp_ctx, lp_ctx), ldb_get_event_context(ldb)); -- Samba Shared Repository
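Review bot: Both new early returns leave the function without releasing tmp_ctx, which is already allocated at this point (the context line below passes it to lpcfg_messaging_path); if tmp_ctx is not parented on req (its allocation is outside the hunk), each refused call leaks it, so `talloc_free(tmp_ctx);` before the two `return ldb_error(...)` lines, or routing them through the function's existing cleanup, would be safer. Failing closed when samdb_rodc cannot determine the role is the right choice; a short comment such as `/* an RODC must never take a FSMO role: refuse before contacting the drepl server */` above the check would record why it runs ahead of messaging_client_init. rootdse_become_master continues beyond the hunk.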
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 99ac4e9 s4-ldbmodules: Added new module aclread to handle access checks on LDAP search via 93ba172 s4-tests: Added tests for search checks on attributes via 3e08965 s4-tests: Removed search tests with anonymous credentials as they fail againts Windows via dc9991a s4-dsdb: Added a function to check access on a particular object by its guid via 4d3f528 s4-dsdb: A helper to determine if an attribute is part of the search filter via b77edca s4-dsdb: Moved some helper functions to a separate file via 3d0e36b s4-ldap: Added a control to apply the access checks on read via LDAP from 5ffacff autobuild: use killbysubdir if available http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 99ac4e92ff3205f80ef0fe823cbbd05eed7d2bb6 Author: Nadezhda Ivanova nivan...@samba.org Date: Sun Sep 26 11:47:47 2010 -0700 s4-ldbmodules: Added new module aclread to handle access checks on LDAP search It is currently enabled only if the request comes from the LDAP server, and is disabled by default. Use acl:search=true in smb.conf to enable it. It filters out all objects the user is not allowed to see, and all attributes the user does not have RP on. Extended access not supported yet. commit 93ba17285d8afb0d6e4040bf443e88ca4ad5147e Author: Nadezhda Ivanova nivan...@samba.org Date: Sun Sep 26 11:39:36 2010 -0700 s4-tests: Added tests for search checks on attributes The ACL reach tests are in the knowfail because aclread module is not enabled by default commit 3e08965369c4a03c5c7b939f72a1b3ff0874059f Author: Nadezhda Ivanova nivan...@samba.org Date: Sun Sep 26 11:37:00 2010 -0700 s4-tests: Removed search tests with anonymous credentials as they fail againts Windows These tests will fail in make test as well if the acl_read module is enabled. 
commit dc9991ab0e191fe5b7dadbcf1d9e57b9ecbd7958 Author: Nadezhda Ivanova nivan...@samba.org Date: Sun Sep 26 11:32:22 2010 -0700 s4-dsdb: Added a function to check access on a particular object by its guid Similar to dsdb_check_access_on_dn, only it searches by guid. commit 4d3f528411301d0bc48110921a1ecb4b4f752b1e Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Sep 22 12:50:51 2010 -0700 s4-dsdb: A helper to determine if an attribute is part of the search filter commit b77edca7f8728fbba8d4a3e6fe9f226793dad9cb Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Sep 22 12:41:44 2010 -0700 s4-dsdb: Moved some helper functions to a separate file We need these to be accessible to the aclread module as well. commit 3d0e36bc87bd23e3d1bff7468db2eb99531d8d87 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Sep 14 10:51:14 2010 +0300 s4-ldap: Added a control to apply the access checks on read via LDAP --- Summary of changes: source4/dsdb/common/util.c | 46 source4/dsdb/samdb/ldb_modules/acl.c| 220 source4/dsdb/samdb/ldb_modules/acl_read.c | 307 +++ source4/dsdb/samdb/ldb_modules/acl_util.c | 292 + source4/dsdb/samdb/ldb_modules/config.mk| 14 +- source4/dsdb/samdb/ldb_modules/extended_dn_in.c |2 +- source4/dsdb/samdb/ldb_modules/samba_dsdb.c |1 + source4/dsdb/samdb/ldb_modules/util.h |2 + source4/dsdb/samdb/ldb_modules/wscript_build| 10 +- source4/dsdb/samdb/samdb.h |3 + source4/dsdb/tests/python/acl.py| 105 - source4/ldap_server/ldap_backend.c |1 + source4/libcli/ldap/ldap_controls.c |2 + source4/selftest/knownfail |2 + source4/selftest/tests.sh |6 +- 15 files changed, 782 insertions(+), 231 deletions(-) create mode 100644 source4/dsdb/samdb/ldb_modules/acl_read.c create mode 100644 source4/dsdb/samdb/ldb_modules/acl_util.c Changeset truncated at 500 lines: diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index a5d7cae..7bf2618 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c 
@@ -4075,3 +4075,49 @@ const char *samdb_dn_to_dnshostname(struct ldb_context *ldb, return samdb_result_string(res-msgs[0], dNSHostName, NULL); } + +/* + returns true if an attribute is in the filter, + false otherwise, provided that attribute value is provided with the expression +*/ +bool dsdb_attr_in_parse_tree(struct ldb_parse_tree *tree, +const char *attr) +{ + unsigned int i; + switch (tree-operation) { + case LDB_OP_AND: + case LDB_OP_OR: + for (i=0;itree-u.list.num_elements;i
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 99f0891 s4-dsdb: Fixed a call to the wrong ops function in dsdb_module_search_dn. from 8afb252 s3-waf: fix debug2html. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 99f0891944e8df91b98934b6c57f9c68dfed8722 Author: Nadezhda Ivanova nivan...@samba.org Date: Sat Sep 25 10:19:11 2010 -0700 s4-dsdb: Fixed a call to the wrong ops function in dsdb_module_search_dn. --- Summary of changes: source4/dsdb/samdb/ldb_modules/util.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c index 36f0ae9..a782001 100644 --- a/source4/dsdb/samdb/ldb_modules/util.c +++ b/source4/dsdb/samdb/ldb_modules/util.c @@ -79,7 +79,7 @@ int dsdb_module_search_dn(struct ldb_module *module, } else { const struct ldb_module_ops *ops = ldb_module_get_ops(module); SMB_ASSERT(dsdb_flags DSDB_FLAG_OWN_MODULE); - ret = ops-modify(module, req); + ret = ops-search(module, req); } if (ret == LDB_SUCCESS) { ret = ldb_wait(req-handle, LDB_WAIT_ALL); -- Samba Shared Repository
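Review bot: The removed line shows a search request being dispatched through `ops->modify` on the `DSDB_FLAG_OWN_MODULE` path, and nothing in the change prevents that path from regressing again, since it is only reached when a caller passes that flag. A short why-comment above the assert would help the next reader, e.g. `/* DSDB_FLAG_OWN_MODULE: run the search through this module's own ops rather than forwarding to the next module */`. Consider also adding a dsdb test that exercises a search with `DSDB_FLAG_OWN_MODULE`, since this call apparently went unnoticed until now. The body of dsdb_module_search_dn begins and ends outside the hunk.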
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via aa57fd8 s4-ldap: Fixed a problem with NC's having a parentGUID attribute from 24cac13 s3-waf: remove reg_util_legacy from waf build as well. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit aa57fd8224a09f26a0f6127024fe739b84eadf49 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Sep 21 09:10:54 2010 -0700 s4-ldap: Fixed a problem with NC's having a parentGUID attribute NC's other than default NC had a parentGUID, due to an incorrect check of whether the object has a parent. Fixed by checking object's instanceType instead. --- Summary of changes: source4/dsdb/samdb/ldb_modules/operational.c | 40 + source4/dsdb/tests/python/ldap.py| 22 +- 2 files changed, 48 insertions(+), 14 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index 56fb272..ee987d0 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c 
@@ -197,48 +197,62 @@ static int construct_token_groups(struct ldb_module *module, static int construct_parent_guid(struct ldb_module *module, struct ldb_message *msg, enum ldb_scope scope) { - struct ldb_result *res; + struct ldb_result *res, *parent_res; const struct ldb_val *parent_guid; - const char *attrs[] = { objectGUID, NULL }; + const char *attrs[] = { instanceType, NULL }; + const char *attrs2[] = { objectGUID, NULL }; + uint32_t instanceType; int ret; + struct ldb_dn *parent_dn; struct ldb_val v; - /* TODO: In the future, this needs to honour the partition boundaries */ - struct ldb_dn *parent_dn = ldb_dn_get_parent(msg, msg-dn); + /* determine if the object is NC by instance type */ + ret = dsdb_module_search_dn(module, msg, res, msg-dn, attrs, + DSDB_FLAG_NEXT_MODULE | + DSDB_SEARCH_SHOW_DELETED); + + instanceType = ldb_msg_find_attr_as_uint(res-msgs[0], +instanceType, 0); + talloc_free(res); + if (instanceType INSTANCE_TYPE_IS_NC_HEAD) { + DEBUG(4,(__location__ : Object %s is NC\n, +ldb_dn_get_linearized(msg-dn))); + return LDB_SUCCESS; + } + parent_dn = ldb_dn_get_parent(msg, msg-dn); if (parent_dn == NULL) { DEBUG(4,(__location__ : Failed to find parent for dn %s\n, ldb_dn_get_linearized(msg-dn))); return LDB_SUCCESS; } - - ret = dsdb_module_search_dn(module, msg, res, parent_dn, attrs, + ret = dsdb_module_search_dn(module, msg, parent_res, parent_dn, attrs2, DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED); talloc_free(parent_dn); - /* if there is no parent for this object, then return */ + /* not NC, so the object should have a parent*/ if (ret == LDB_ERR_NO_SUCH_OBJECT) { DEBUG(4,(__location__ : Parent dn for %s does not exist \n, ldb_dn_get_linearized(msg-dn))); - return LDB_SUCCESS; + return ldb_operr(ldb_module_get_ctx(module)); } else if (ret != LDB_SUCCESS) { return ret; } - parent_guid = ldb_msg_find_ldb_val(res-msgs[0], objectGUID); + parent_guid = ldb_msg_find_ldb_val(parent_res-msgs[0], objectGUID); if (!parent_guid) { - 
talloc_free(res); + talloc_free(parent_res); return LDB_SUCCESS; } - v = data_blob_dup_talloc(res, parent_guid); + v = data_blob_dup_talloc(parent_res, parent_guid); if (!v.data) { - talloc_free(res); + talloc_free(parent_res); return ldb_oom(ldb_module_get_ctx(module)); } ret = ldb_msg_add_steal_value(msg, parentGUID, v); - talloc_free(res); + talloc_free(parent_res); return ret; } diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py index e108e38..1bdf6f1 100755 --- a/source4/dsdb/tests/python/ldap.py +++ b/source4/dsdb/tests/python/ldap.py @@ -1038,11 +1038,15 @@ objectClass: container attrs=[objectGUID]); res3 = ldb.search(base=self.base_dn, scope=SCOPE_BASE, attrs=[parentGUID]); +res4 = ldb.search(base=self.configuration_dn, scope=SCOPE_BASE, + attrs=[parentGUID]); +res5
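Review bot: The return value of the first `dsdb_module_search_dn` (the instanceType lookup on `msg->dn`) is stored in `ret` but never checked before `res->msgs[0]` is dereferenced, and `res` is an uninitialized local, so a failed lookup (for example a deleted or missing object, or any backend error) dereferences garbage instead of propagating the error. Add `if (ret != LDB_SUCCESS) { return ret; }` immediately after that call, before reading instanceType. Separately, treating a missing parent of a non-NC object as `ldb_operr` rather than silently succeeding is a reasonable tightening, but it turns a previously tolerated inconsistency into a hard search error, which is worth stating in the comment (`/* not NC, so the object should have a parent */`) so nobody relaxes it back by accident.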
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c679290 s4-dsdb: Fixed a compiler warning. from c9e3640 s3: source/ is long gone :-) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c679290f6e942c44dac7c0bf8105a27d9260d5a8 Author: Nadezhda Ivanova nivan...@samba.org Date: Fri Aug 27 12:34:27 2010 +0300 s4-dsdb: Fixed a compiler warning. --- Summary of changes: source4/dsdb/samdb/ldb_modules/util.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c index f046abf..36f0ae9 100644 --- a/source4/dsdb/samdb/ldb_modules/util.c +++ b/source4/dsdb/samdb/ldb_modules/util.c @@ -1184,7 +1184,6 @@ bool dsdb_block_anonymous_ops(struct ldb_module *module, TALLOC_CTX *mem_ctx) { TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - struct ldb_context *ldb = ldb_module_get_ctx(module); bool result; const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module, tmp_ctx); -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0de7954 Added values for the flags in dSHeuristics from 9cb771a pidl-python: ensure we allocate ref ptrs before use http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0de795414eca3f73386a7bd731ee2d1d6f051db9 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Aug 26 17:08:01 2010 +0300 Added values for the flags in dSHeuristics These specify the character position, while the character value of that character controls behavior --- Summary of changes: libds/common/flags.h | 23 +++ 1 files changed, 23 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/libds/common/flags.h b/libds/common/flags.h index eeb6940..0fc159a 100644 --- a/libds/common/flags.h +++ b/libds/common/flags.h @@ -207,3 +207,26 @@ /* wellknown GUIDs for optional directory features */ #define DS_GUID_FEATURE_RECYCLE_BIN 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a + +/* dsHeurisrics character indexes see MS-ADTS 7.1.1.2.4.1.2 */ + +#define DS_HR_SUPFIRSTLASTANR 0x0001 +#define DS_HR_SUPLASTFIRSTANR 0x0002 +#define DS_HR_DOLISTOBJECT0x0003 +#define DS_HR_DONICKRES 0x0004 +#define DS_HR_LDAP_USEPERMMOD 0x0005 +#define DS_HR_HIDEDSID0x0006 +#define DS_HR_BLOCK_ANONYMOUS_OPS 0x0007 +#define DS_HR_ALLOW_ANON_NSPI 0x0008 +#define DS_HR_USER_PASSWORD_SUPPORT 0x0009 +#define DS_HR_TENTH_CHAR 0x000A +#define DS_HR_SPECIFY_GUID_ON_ADD 0x000B +#define DS_HR_NO_STANDARD_SD 0x000C +#define DS_HR_ALLOW_NONSECURE_PWD_OPS 0x000D +#define DS_HR_NO_PROPAGATE_ON_NOCHANGE0x000E +#define DS_HR_COMPUTE_ANR_STATS 0x000F +#define DS_HR_ADMINSDEXMASK 0x0010 +#define DS_HR_KVNOEMUW2K 0x0011 +#define DS_HR_LDAP_BYPASS_UPPER_LIMIT_BOUNDS 0x0012 + + -- Samba Shared Repository
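Review bot: The header comment introducing these values has a typo (`dsHeurisrics`) and, more importantly, does not say that the constants are 1-based character positions in the dSHeuristics string, not bit flags, so a caller must index the value with `pos - 1` and must also check the string is long enough; the hex notation (`0x0007` for "seventh character") makes a flags reading even more tempting. Suggested comment: `/* dSHeuristics character positions (1-based, see MS-ADTS); the character at position N controls the behaviour, so index the value with (N - 1) after checking its length */`. The MS-ADTS section number quoted in the comment should be checked against the current revision of the document, as its numbering has shifted between editions.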
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a571487 s4-dsdb: Added utility functions for retrieving dSHeuristics from the module stack from 0de7954 Added values for the flags in dSHeuristics http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a571487e6c6774e640abb67f3cefac2dedac9044 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Aug 26 17:18:40 2010 +0300 s4-dsdb: Added utility functions for retrieving dSHeuristics from the module stack Also a function to check dsHeuristics value to determine of anonymous access should be blocked --- Summary of changes: source4/dsdb/samdb/ldb_modules/util.c | 47 + 1 files changed, 47 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c index 23a8da2..86417e6 100644 --- a/source4/dsdb/samdb/ldb_modules/util.c +++ b/source4/dsdb/samdb/ldb_modules/util.c 
@@ -1150,3 +1150,50 @@ int dsdb_module_constrainted_update_uint64(struct ldb_module *module, (const int64_t *)old_val, (const int64_t *)new_val); } + + +const struct ldb_val *dsdb_module_find_dsheuristics(struct ldb_module *module, + TALLOC_CTX *mem_ctx) +{ + int ret; + struct ldb_dn *new_dn; + struct ldb_context *ldb = ldb_module_get_ctx(module); + static const char *attrs[] = { dsHeuristics, NULL }; + struct ldb_result *res; + + new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(ldb)); + if ( !ldb_dn_add_child_fmt(new_dn, + CN=Directory Service,CN=Windows NT,CN=Services)) { + talloc_free(new_dn); + return NULL; + } + ret = dsdb_module_search_dn(module, mem_ctx, res, + new_dn, + attrs, + DSDB_FLAG_NEXT_MODULE); + if (ret == LDB_SUCCESS res-count == 1) { + return ldb_msg_find_ldb_val(res-msgs[0], + dsHeuristics); + } + return NULL; +} + +bool dsdb_block_anonymous_ops(struct ldb_module *module, + TALLOC_CTX *mem_ctx) +{ + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + struct ldb_context *ldb = ldb_module_get_ctx(module); + bool result; + const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module, +tmp_ctx); + if (hr_val == NULL || hr_val-length DS_HR_BLOCK_ANONYMOUS_OPS) { + result = true; + } else if (hr_val-data[DS_HR_BLOCK_ANONYMOUS_OPS -1] == '2') { + result = false; + } else { + result = true; + } + + talloc_free(tmp_ctx); + return result; +} -- Samba Shared Repository
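Review bot: In `dsdb_block_anonymous_ops` the result of `talloc_new(mem_ctx)` is not checked, so on allocation failure every allocation below is parented to NULL and leaked; since the function already fails closed when dsHeuristics is absent, the consistent fix is `if (tmp_ctx == NULL) { return true; }` before the lookup. In `dsdb_module_find_dsheuristics`, `new_dn` from `ldb_dn_copy` is passed to `ldb_dn_add_child_fmt` without a NULL check (ldb appears to tolerate a NULL dn there, but that is worth confirming rather than relying on), and `new_dn` is never freed on the success path, so it lives as long as the caller's `mem_ctx`. The fail-closed default (NULL value, short value, or any character other than '2' all block anonymous operations) is the right security posture and deserves a one-line comment saying so, e.g. `/* anything but an explicit '2' at the fBlockAnonOps position blocks anonymous operations (fail closed) */`.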
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ff20378 s4-dsdb: Removed an unnecessary space in dsdb_module_find_dsheuristics() from a571487 s4-dsdb: Added utility functions for retrieving dSHeuristics from the module stack http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ff2037876f80d5e49bf341bdcd1e8c13adc7b247 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Aug 26 17:37:49 2010 +0300 s4-dsdb: Removed an unnecessary space in dsdb_module_find_dsheuristics() --- Summary of changes: source4/dsdb/samdb/ldb_modules/util.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c index 86417e6..2323085 100644 --- a/source4/dsdb/samdb/ldb_modules/util.c +++ b/source4/dsdb/samdb/ldb_modules/util.c @@ -1162,7 +1162,7 @@ const struct ldb_val *dsdb_module_find_dsheuristics(struct ldb_module *module, struct ldb_result *res; new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(ldb)); - if ( !ldb_dn_add_child_fmt(new_dn, + if (!ldb_dn_add_child_fmt(new_dn, CN=Directory Service,CN=Windows NT,CN=Services)) { talloc_free(new_dn); return NULL; -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 38e4172... s4-tests: Added tests for acl checks on search requests from c360822... s3: Directly call write_data from print_job_write() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 38e41728c5fdf90ec063572b3fae2d1c267f20a6 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Aug 17 17:05:42 2010 +0300 s4-tests: Added tests for acl checks on search requests --- Summary of changes: source4/dsdb/tests/python/acl.py | 218 ++ 1 files changed, 218 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 2e68677..a8cba74 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -173,6 +173,22 @@ url: www.example.com ldif += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) _ldb.add_ldif(ldif) +def create_security_group(self, _ldb, group_dn, desc=None): +ldif = +dn: + group_dn + +objectClass: group +sAMAccountName: + group_dn.split(,)[0][3:] + +groupType: -2147483646 +url: www.example.com + +if desc: +assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) +if isinstance(desc, str): +ldif += nTSecurityDescriptor: %s % desc +elif isinstance(desc, security.descriptor): +ldif += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) +_ldb.add_ldif(ldif) + def read_desc(self, object_dn): res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, [nTSecurityDescriptor]) desc = res[0][nTSecurityDescriptor][0] @@ -697,6 +713,10 @@ class AclSearchTests(AclTests): def setUp(self): super(AclSearchTests, self).setUp() +self.u1 = search_u1 +self.u2 = search_u2 +self.u3 = search_u3 +self.group1 = group1 self.anonymous = SamDB(url=host, session_info=system_session_anonymous(), lp=lp) res = self.ldb_admin.search(CN=Directory Service, CN=Windows NT, CN=Services, 
@@ -705,12 +725,64 @@ class AclSearchTests(AclTests): self.dsheuristics = res[0][dSHeuristics][0] else: self.dsheuristics = None +self.create_enable_user(self.u1) +self.create_enable_user(self.u2) +self.create_enable_user(self.u3) +self.create_security_group(self.ldb_admin, self.get_user_dn(self.group1)) +self.add_group_member(self.ldb_admin, self.get_user_dn(self.group1), \ +self.get_user_dn(self.u2)) +self.ldb_user = self.get_ldb_connection(self.u1, self.user_pass) +self.ldb_user2 = self.get_ldb_connection(self.u2, self.user_pass) +self.ldb_user3 = self.get_ldb_connection(self.u3, self.user_pass) +self.full_list = [Dn(self.ldb_admin, OU=ou2,OU=ou1, + self.base_dn), + Dn(self.ldb_admin, OU=ou1, + self.base_dn), + Dn(self.ldb_admin, OU=ou3,OU=ou2,OU=ou1, + self.base_dn), + Dn(self.ldb_admin, OU=ou4,OU=ou2,OU=ou1, + self.base_dn), + Dn(self.ldb_admin, OU=ou5,OU=ou3,OU=ou2,OU=ou1, + self.base_dn), + Dn(self.ldb_admin, OU=ou6,OU=ou4,OU=ou2,OU=ou1, + self.base_dn)] +self.user_sid = self.get_object_sid(self.get_user_dn(self.u1)) +self.group_sid = self.get_object_sid(self.get_user_dn(self.group1)) + +def create_clean_ou(self, object_dn): + Base repeating setup for unittests to follow +res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \ +expression=distinguishedName=%s % object_dn) +# Make sure top testing OU has been deleted before starting the test +self.assertEqual(res, []) +self.create_ou(self.ldb_admin, object_dn) +desc_sddl = self.get_desc_sddl(object_dn) +# Make sure there are inheritable ACEs initially +self.assertTrue(CI in desc_sddl or OI in desc_sddl) +# Find and remove all inherit ACEs +res = re.findall(\(.*?\), desc_sddl) +res = [x for x in res if (CI in x) or (OI in x)] +for x in res: +desc_sddl = desc_sddl.replace(x, ) +# Add flag 'protected' in both DACL and SACL so no inherit ACEs +# can propagate from above +# remove SACL, we are not interested +desc_sddl = desc_sddl.replace(:AI, :AIP) +self.modify_desc(object_dn, desc_sddl) +# Verify 
all inheritable ACEs are gone +desc_sddl = self.get_desc_sddl(object_dn) +self.assertFalse(CI in desc_sddl) +self.assertFalse(OI in desc_sddl) def tearDown(self
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d50a9e8... s4-dsdb: Removed kludge_acl as it is no longer necessary from f4e60b4... small optimizations for shadowcopy2 module http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d50a9e8d9e706f545862ab1f5b9a8eaa27447844 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Aug 4 15:22:17 2010 +0300 s4-dsdb: Removed kludge_acl as it is no longer necessary Moved the access check on extended operations to acl module and removed kludge_acl --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl.c | 39 ++ source4/dsdb/samdb/ldb_modules/config.mk | 12 source4/dsdb/samdb/ldb_modules/samba_dsdb.c |1 - source4/dsdb/samdb/ldb_modules/util.c|8 + source4/dsdb/samdb/ldb_modules/wscript_build | 10 -- 5 files changed, 47 insertions(+), 23 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 1b85c5d..11fffa4 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c 
@@ -1335,6 +1335,44 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req) return ldb_next_request(module, down_req); } +static const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module) +{ + struct ldb_context *ldb = ldb_module_get_ctx(module); + struct auth_session_info *session_info + = (struct auth_session_info *)ldb_get_opaque(ldb, sessionInfo); + if (!session_info) { + return UNKNOWN (NULL); + } + + return talloc_asprintf(mem_ctx, %s\\%s, + session_info-server_info-domain_name, + session_info-server_info-account_name); +} + +static int acl_extended(struct ldb_module *module, struct ldb_request *req) +{ + struct ldb_context *ldb = ldb_module_get_ctx(module); + struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); + + /* allow everybody to read the sequence number */ + if (strcmp(req-op.extended.oid, + LDB_EXTENDED_SEQUENCE_NUMBER) == 0) { + return ldb_next_request(module, req); + } + + if (dsdb_module_am_system(module) || + dsdb_module_am_administrator(module) || as_system) { + return ldb_next_request(module, req); + } else { + ldb_asprintf_errstring(ldb, + acl_extended: + attempted database modify not permitted. + User %s is not SYSTEM or an administrator, + acl_user_name(req, module)); + return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; + } +} + _PUBLIC_ const struct ldb_module_ops ldb_acl_module_ops = { .name = acl, .search= acl_search, @@ -1342,5 +1380,6 @@ _PUBLIC_ const struct ldb_module_ops ldb_acl_module_ops = { .modify= acl_modify, .del = acl_delete, .rename= acl_rename, + .extended = acl_extended, .init_context = acl_module_init }; diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk index 39e0721..4c968cd 100644 --- a/source4/dsdb/samdb/ldb_modules/config.mk +++ b/source4/dsdb/samdb/ldb_modules/config.mk 
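Review bot: `acl_extended` grants every extended operation when the request carries `LDB_CONTROL_AS_SYSTEM_OID`, which is only safe if that control can never arrive from a network client; that assumption is not stated anywhere in this hunk, so add a comment on the `as_system` line such as `/* AS_SYSTEM is an internal control; the LDAP front end must never accept it from the wire, or this becomes a privilege bypass */`. The deny-by-default shape (only the sequence-number OID is open to everyone, everything else needs SYSTEM or an administrator) is the right one. Two smaller points: the error string says "attempted database modify" although the branch covers any extended operation, and `acl_user_name` dereferences `session_info->server_info` without a NULL check, which may be fine for all current callers but is worth confirming.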
@@ -218,18 +218,6 @@ INIT_FUNCTION = LDB_MODULE(local_password) ldb_local_password_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/local_password.o -# Start MODULE ldb_kludge_acl -[MODULE::ldb_kludge_acl] -PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LIBSECURITY SAMDB -SUBSYSTEM = LIBLDB -INIT_FUNCTION = LDB_MODULE(kludge_acl) - -# End MODULE ldb_kludge_acl - - -ldb_kludge_acl_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/kludge_acl.o - - # Start MODULE ldb_extended_dn_in [MODULE::ldb_extended_dn_in] SUBSYSTEM = LIBLDB diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c index 392e215..82f5ec3 100644 --- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c +++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c @@ -178,7 +178,6 @@ static int samba_dsdb_init(struct ldb_module *module) samldb, password_hash, operational, -kludge_acl, schema_load
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ee56f74... Fixed system_session_anon to actually make an anonymous session from 0d95cee... s3:auth Change auth_ntlmssp_server_info API to return NTSTATUS http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ee56f74cae1d7387465f966dbe751398eaf01f10 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Jul 14 10:30:40 2010 +0300 Fixed system_session_anon to actually make an anonymous session It seems that because the flag is false, this always used the supplied credentials rhather than establish anonymous connection. --- Summary of changes: source4/auth/system_session.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index 8fdf527..31c9bd1 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -225,7 +225,7 @@ _PUBLIC_ struct auth_session_info *system_session_anon(TALLOC_CTX *mem_ctx, stru { NTSTATUS nt_status; struct auth_session_info *session_info = NULL; - nt_status = _auth_system_session_info(mem_ctx, lp_ctx, false, session_info); + nt_status = _auth_system_session_info(mem_ctx, lp_ctx, true, session_info); if (!NT_STATUS_IS_OK(nt_status)) { return NULL; } -- Samba Shared Repository
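Review bot: The fix flips a bare positional boolean in `_auth_system_session_info(mem_ctx, lp_ctx, true, session_info)`, and the commit message itself shows how easily the meaning of that argument was misread, so the call site should say what it selects, e.g. `/* anonymous = */ true` or a named local. If this function really did hand a privileged system session to callers that asked for an anonymous one, as the message says, that is an authorization bug rather than a cosmetic one, and a regression test that builds the session and asserts the resulting token is the anonymous token would keep it from coming back. The enclosing function continues outside the hunk.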
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d35e900... s4: Added acl search tests for anonymous connection. from e30aa45... s3-dcerpc: fix crash bug in error path of process_complete_pdu(). http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d35e9008a78ed8303dad97296455faf6d0302805 Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Jul 14 14:44:46 2010 +0300 s4: Added acl search tests for anonymous connection. The tests make sure that we comply with dsHeuristics setting and restrict anonymous access to rootDSE. They will be enabled when the implementation is pushed. tests are verified against win2k8. --- Summary of changes: source4/dsdb/tests/python/acl.py | 151 +- 1 files changed, 68 insertions(+), 83 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 6387fce..2e68677 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -15,15 +15,17 @@ samba.ensure_external_module(testtools, testtools) import samba.getopt as options from ldb import ( -SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, +SCOPE_BASE, SCOPE_SUBTREE, LdbError, ERR_NO_SUCH_OBJECT, ERR_UNWILLING_TO_PERFORM, ERR_INSUFFICIENT_ACCESS_RIGHTS) from ldb import ERR_CONSTRAINT_VIOLATION +from ldb import ERR_OPERATIONS_ERROR from ldb import Message, MessageElement, Dn from ldb import FLAG_MOD_REPLACE, FLAG_MOD_DELETE from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security from samba.auth import system_session +from samba.auth import system_session_anonymous from samba import gensec from samba.samdb import SamDB from samba.credentials import Credentials 
@@ -694,94 +696,77 @@ Member: CN=test_modify_user2,CN=Users, + self.base_dn class AclSearchTests(AclTests): def setUp(self): -super(AclTests, self).setUp() -self.regular_user = acl_search_user1 -self.create_enable_user(self.regular_user) -self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) +super(AclSearchTests, self).setUp() +self.anonymous = SamDB(url=host, session_info=system_session_anonymous(), + lp=lp) +res = self.ldb_admin.search(CN=Directory Service, CN=Windows NT, CN=Services, + + self.configuration_dn, scope=SCOPE_BASE, attrs=[dSHeuristics]) +if dSHeuristics in res[0]: +self.dsheuristics = res[0][dSHeuristics][0] +else: +self.dsheuristics = None def tearDown(self): super(AclSearchTests, self).tearDown() -self.delete_force(self.ldb_admin, CN=test_search_user1,OU=test_search_ou1, + self.base_dn) +self.set_dsheuristics(self.dsheuristics) +self.delete_force(self.ldb_admin, OU=test_search_ou2,OU=test_search_ou1, + self.base_dn) self.delete_force(self.ldb_admin, OU=test_search_ou1, + self.base_dn) -self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) -def test_search_u1(self): -See if can prohibit user to read another User object -ou_dn = OU=test_search_ou1, + self.base_dn -user_dn = CN=test_search_user1, + ou_dn -# Create clean OU -self.delete_force(self.ldb_admin, ou_dn) -self.create_ou(self.ldb_admin, ou_dn) -desc = self.read_desc(ou_dn) -desc_sddl = desc.as_sddl(self.domain_sid) -# Parse descriptor's SDDL and remove all inherited ACEs reffering -# to 'Registered Users' or 'Authenticated Users' -desc_aces = re.findall(\(.*?\), desc_sddl) -for ace in desc_aces: -if (I in ace) and ((RU in ace) or (AU in ace)): -desc_sddl = desc_sddl.replace(ace, ) -# Add 'P' in the DACL so it breaks further inheritance -desc_sddl = desc_sddl.replace(D:AI(, D:PAI() -# Create a security descriptor object and OU with that descriptor -desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid) -self.delete_force(self.ldb_admin, ou_dn) 
-self.create_ou(self.ldb_admin, ou_dn, desc) -# Create clean user -self.delete_force(self.ldb_admin, user_dn) -self.create_test_user(self.ldb_admin, user_dn) -desc = self.read_desc(user_dn) -desc_sddl = desc.as_sddl(self.domain_sid) -# Parse security descriptor SDDL and remove all 'Read' ACEs -# reffering to AU -desc_aces = re.findall(\(.*?\), desc_sddl) -for ace in desc_aces: -if (AU in ace) and (R in ace): -desc_sddl = desc_sddl.replace(ace, ) -# Create user with the edited descriptor -desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0b2d965... s4: Reorganized dsHeuristics reset so the code can be reused from 0c93b7d... s3-dcerpc: Remove unused functions and headers http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0b2d965e4bd7ccc694ddff2342936c5c7d5dd9e5 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Jul 13 17:15:54 2010 +0300 s4: Reorganized dsHeuristics reset so the code can be reused Moved the setting of dsHeuristics to a method as soon we will have to set other values as well in different tests --- Summary of changes: source4/dsdb/tests/python/acl.py | 91 -- 1 files changed, 38 insertions(+), 53 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 471335f..6387fce 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -79,6 +79,9 @@ class AclTests(samba.tests.TestCase): self.base_dn = self.find_basedn(self.ldb_admin) self.domain_sid = self.find_domain_sid(self.ldb_admin) self.user_pass = samba123@ +res = self.ldb_admin.search(base=, expression=, scope=SCOPE_BASE, + attrs=[configurationNamingContext]) +self.configuration_dn = res[0][configurationNamingContext][0] print baseDN: %s % self.base_dn def get_user_dn(self, name): 
@@ -220,6 +223,23 @@ url: www.example.com self.create_active_user(self.ldb_admin, self.get_user_dn(username)) self.ldb_admin.enable_account((sAMAccountName= + username + )) +def set_dsheuristics(self, dsheuristics): +m = Message() +m.dn = Dn(self.ldb_admin, CN=Directory Service, CN=Windows NT, CN=Services, + + self.configuration_dn) +if dsheuristics is not None: +m[dSHeuristics] = MessageElement(dsheuristics, FLAG_MOD_REPLACE, + dSHeuristics) +else: +m[dSHeuristics] = MessageElement([], FLAG_MOD_DELETE, dsHeuristics) +self.ldb_admin.modify(m) + +def set_minPwdAge(self, value): +m = Message() +m.dn = Dn(self.ldb_admin, self.base_dn) +m[minPwdAge] = MessageElement(value, FLAG_MOD_REPLACE, minPwdAge) +self.ldb_admin.modify(m) + #tests on ldap add operations class AclAddTests(AclTests): @@ -1038,8 +1058,26 @@ class AclCARTests(AclTests): self.ldb_user = self.get_ldb_connection(self.user_with_wp, self.user_pass) self.ldb_user2 = self.get_ldb_connection(self.user_with_pc, self.user_pass) +res = self.ldb_admin.search(CN=Directory Service, CN=Windows NT, CN=Services, + + self.configuration_dn, scope=SCOPE_BASE, attrs=[dSHeuristics]) +if dSHeuristics in res[0]: +self.dsheuristics = res[0][dSHeuristics][0] +else: +self.dsheuristics = None + +res = self.ldb_admin.search(self.base_dn, scope=SCOPE_BASE, attrs=[minPwdAge]) +self.minPwdAge = res[0][minPwdAge][0] + +# Set the dSHeuristics to have the tests run against Windows Server +self.set_dsheuristics(1) +# Set minPwdAge to 0 +self.set_minPwdAge(0) + def tearDown(self): super(AclCARTests, self).tearDown() +#restore original values +self.set_dsheuristics(self.dsheuristics) +self.set_minPwdAge(self.minPwdAge) self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_wp)) self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_pc)) 
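Review bot: `set_dsheuristics(None)` always issues a `FLAG_MOD_DELETE`, so when `tearDown` restores a value that was read as `None` in `setUp` and the test never set the attribute, the restore tries to delete an attribute that does not exist and the teardown error masks the real test outcome; `AclCARTests.setUp` always writes "1" first so it is safe there, but any other class reusing the helper is not. Consider either skipping the modify when the current value already equals the requested one, or catching the no-such-attribute `LdbError` around the delete. Note also that `minPwdAge` is restored to whatever string was read, which is fine, but the helper silently assumes the attribute was present.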
@@ -1294,42 +1332,6 @@ if not :// in host: host = ldap://%s; % host ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp) -# Gets back the configuration basedn -res = ldb.search(base=, expression=, scope=SCOPE_BASE, - attrs=[configurationNamingContext]) -configuration_dn = res[0][configurationNamingContext][0] - -# Gets back the cbasedn -res = ldb.search(base=, expression=, scope=SCOPE_BASE, - attrs=[defaultNamingContext]) -base_dn = res[0][defaultNamingContext][0] - -# Get the old dSHeuristics if it was set -res = ldb.search(CN=Directory Service, CN=Windows NT, CN=Services, - + configuration_dn, scope=SCOPE_BASE, attrs=[dSHeuristics]) -if dSHeuristics in res[0]: - dsheuristics = res[0][dSHeuristics][0] -else: - dsheuristics = None - -# Set the dSHeuristics to have the tests run against Windows Server -m = Message() -m.dn = Dn(ldb, CN=Directory Service, CN=Windows NT, CN=Services, - + configuration_dn) -m[dSHeuristics] = MessageElement(1, FLAG_MOD_REPLACE, - dSHeuristics) -ldb.modify(m) - -# Get the current minPwdAge -res = ldb.search(base_dn, scope=SCOPE_BASE, attrs=[minPwdAge]) -minPwdAge
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 10c60f2... Added a test to prove by default users can change each other's pass if the old is known from 328f3ca... s3: Slightly simplify make_server_info_pw http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 10c60f237223f805566a66293418bd1cf04a8f5e Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Jul 8 15:38:16 2010 +0300 Added a test to prove by default users can change each other's pass if the old is known --- Summary of changes: source4/dsdb/tests/python/acl.py | 25 + 1 files changed, 25 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 31bcd31..471335f 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -1165,6 +1165,31 @@ userPassword: thatsAcomplPASS2 else: self.fail() +def test_change_password7(self): +Try a password change operation without any CARs given +#users have change password by default - remove for negative testing +desc = self.read_desc(self.get_user_dn(self.user_with_wp)) +sddl = desc.as_sddl(self.domain_sid) +self.modify_desc(self.get_user_dn(self.user_with_wp), sddl) +#first change our own password +self.ldb_user2.modify_ldif( +dn: + self.get_user_dn(self.user_with_pc) + +changetype: modify +delete: unicodePwd +unicodePwd:: + base64.b64encode(\samba...@\.encode('utf-16-le')) + +add: unicodePwd +unicodePwd:: + base64.b64encode(\thatsAcomplPASS1\.encode('utf-16-le')) + +) +#then someone else's +self.ldb_user2.modify_ldif( +dn: + self.get_user_dn(self.user_with_wp) + +changetype: modify +delete: unicodePwd +unicodePwd:: + base64.b64encode(\samba...@\.encode('utf-16-le')) + +add: unicodePwd +unicodePwd:: + base64.b64encode(\thatsAcomplPASS2\.encode('utf-16-le')) + +) + def test_reset_password1(self): Try a user password reset operation (unicodePwd) before and after granting CAR try: -- Samba Shared Repository
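Review bot: The comment `#users have change password by default - remove for negative testing` does not match the code beneath it, which reads the descriptor, converts it to SDDL and writes the same SDDL back without removing anything, so either the comment is stale or the intended ACE removal is missing. The test also contains no assertion; it passes as long as both `modify_ldif` calls do not raise, which is a legitimate way to document the behaviour in the commit title, but that should be stated, e.g. `# No assertion: the test passes if both password changes are accepted by the server.` If the negative variant is wanted later, the descriptor edit and an expected `ERR_INSUFFICIENT_ACCESS_RIGHTS` belong in a separate test rather than behind this comment.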
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 81240b1... s4-dsdb: Implementation of User-Change-Password and User-Force-Password-Change from 343e932... s4:subtree_rename LDB module - Cosmetic fixes http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 81240b13b365400e2da903a7fc0af1f501bc1249 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Jul 5 00:17:38 2010 +0300 s4-dsdb: Implementation of User-Change-Password and User-Force-Password-Change These CARs need to be checked on password change and password reset operations. Apparently the password attributes are not influenced by Write Property. Single detele operations and modifications of dBCSPwd are let through to the password_hash module. This is determined experimentally. --- Summary of changes: librpc/idl/security.idl |2 + source4/dsdb/samdb/ldb_modules/acl.c | 241 +++--- source4/dsdb/tests/python/acl.py | 70 +- 3 files changed, 228 insertions(+), 85 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index 6e32b86..369579c 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -519,6 +519,8 @@ interface security const string GUID_DRS_MONITOR_TOPOLOGY= f98340fb-7c5b-4cdb-a00b-2ebdfa115a96; const string GUID_DRS_REPL_SYNCRONIZE = 1131f6ab-9c07-11d1-f79f-00c04fc2dcd2; const string GUID_DRS_RO_REPL_SECRET_SYNC = 1131f6ae-9c07-11d1-f79f-00c04fc2dcd2; + const string GUID_DRS_USER_CHANGE_PASSWORD= ab721a53-1e2f-11d0-9819-00aa0040529b; + const string GUID_DRS_FORCE_CHANGE_PASSWORD = 00299570-246d-11d0-a768-00aa006e0529; /***/ /* validated writes guids */ diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index e823b1e..d0e1c90 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c 
@@ -259,8 +259,10 @@ static int acl_check_access_on_attribute(struct ldb_module *module, else { ret = LDB_SUCCESS; } + talloc_free(tmp_ctx); return ret; fail: + talloc_free(tmp_ctx); return LDB_ERR_OPERATIONS_ERROR; } @@ -655,49 +657,46 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req) } /* checks for validated writes */ -static int acl_check_self_write(struct ldb_request *req, - struct security_descriptor *sd, - struct security_token *token, - const char *self_write, - struct dom_sid *sid) +static int acl_check_extended_right(TALLOC_CTX *mem_ctx, + struct security_descriptor *sd, + struct security_token *token, + const char *ext_right, + uint32_t right_type, + struct dom_sid *sid) { struct GUID right; NTSTATUS status; uint32_t access_granted; struct object_tree *root = NULL; struct object_tree *new_node = NULL; - TALLOC_CTX *tmp_ctx = talloc_new(req); + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - GUID_from_string(self_write, right); + GUID_from_string(ext_right, right); - if (!insert_in_object_tree(tmp_ctx, right, SEC_ADS_SELF_WRITE, + if (!insert_in_object_tree(tmp_ctx, right, right_type, root, new_node)) { - DEBUG(10, (acl_modify: cannot add to object tree\n)); + DEBUG(10, (acl_ext_right: cannot add to object tree\n)); talloc_free(tmp_ctx); return LDB_ERR_OPERATIONS_ERROR; } status = sec_access_check_ds(sd, token, -SEC_ADS_SELF_WRITE, +right_type, access_granted, root, sid); if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, (Object %s has no self membershipself write right\n, - ldb_dn_get_linearized(req-op.mod.message-dn))); - dsdb_acl_debug(sd, token, - req-op.mod.message-dn, - true, - 10); talloc_free(tmp_ctx); return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; } - + talloc_free(tmp_ctx); return LDB_SUCCESS; } + /* ckecks if modifications are allowed on Member attribute
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d300085... Changed passwords.py to use the correct account as acl checks now pass. from 81240b1... s4-dsdb: Implementation of User-Change-Password and User-Force-Password-Change http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d300085868b7ba3f5cd4dd24fbea8e35ad9f87ee Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Jul 5 00:20:37 2010 +0300 Changed passwords.py to use the correct account as acl checks now pass. --- Summary of changes: source4/dsdb/tests/python/passwords.py | 20 ++-- 1 files changed, 6 insertions(+), 14 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/passwords.py b/source4/dsdb/tests/python/passwords.py index c288ed5..de1889f 100755 --- a/source4/dsdb/tests/python/passwords.py +++ b/source4/dsdb/tests/python/passwords.py @@ -93,12 +93,8 @@ class PasswordTests(samba.tests.TestCase): # command line credentials for informations like the domain, the realm # and the workstation. creds2 = Credentials() -# FIXME: Reactivate the user credentials when we have user password -# change support also on the ACL level in s4 -creds2.set_username(creds.get_username()) -creds2.set_password(creds.get_password()) -#creds2.set_username(testuser) -#creds2.set_password(thatsAcomplPASS1) +creds2.set_username(testuser) +creds2.set_password(thatsAcomplPASS1) creds2.set_domain(creds.get_domain()) creds2.set_realm(creds.get_realm()) creds2.set_workstation(creds.get_workstation()) @@ -338,8 +334,7 @@ userPassword: thatsAcomplPASS1 ) self.fail() except LdbError, (num, _): -self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) -#self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) +self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) try: ldb.modify_ldif( 
@@ -425,8 +420,7 @@ userPassword: thatsAcomplPASS2 ) self.fail() except LdbError, (num, _): -self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) -#self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) +self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) try: ldb.modify_ldif( @@ -456,8 +450,7 @@ userPassword: thatsAcomplPASS2 ) self.fail() except LdbError, (num, _): -self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) -#self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) +self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) try: ldb.modify_ldif( @@ -487,8 +480,7 @@ userPassword: thatsAcomplPASS3 ) self.fail() except LdbError, (num, _): -self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) -#self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) +self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) # Reverse order does work self.ldb2.modify_ldif( -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 86cde0a... Tests for user-change-password and force-password-change access rights from 61e9560... s3-net: forgot to set type in winreg getvalue operation. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 86cde0a7dc8388747060a11f101f715645ef0eae Author: Nadezhda Ivanova nivan...@samba.org Date: Fri Jul 2 16:38:05 2010 +0300 Tests for user-change-password and force-password-change access rights --- Summary of changes: source4/dsdb/tests/python/acl.py | 246 +- 1 files changed, 242 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 5bf3ff9..0f8fd0c 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -16,7 +16,9 @@ import samba.getopt as options from ldb import ( SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, ERR_INSUFFICIENT_ACCESS_RIGHTS) - +from ldb import ERR_CONSTRAINT_VIOLATION +from ldb import Message, MessageElement, Dn +from ldb import FLAG_MOD_REPLACE, FLAG_MOD_DELETE from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security @@ -154,7 +156,7 @@ url: www.example.com dn: + group_dn + objectClass: group sAMAccountName: + group_dn.split(,)[0][3:] + -groupType: 2147483650 +groupType: 4 url: www.example.com if desc: @@ -415,7 +417,7 @@ displayName: test_changed res = self.ldb_admin.search(self.base_dn, expression=(distinguishedName=%s) % str(OU=test_modify_ou1, + self.base_dn)) self.assertEqual(res[0][displayName][0], test_changed) -def _test_modify_u2(self): +def test_modify_u2(self): 6 Modify two attributes as you have DS_WRITE_PROPERTY granted only for one of them mod = (OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s) % str(self.user_sid) # First test object -- User 
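Review bot: The `groupType` change from `2147483650` to `4` in the group-creation LDIF appears to turn the helper's groups from security-enabled global groups (0x80000002) into domain-local distribution groups, since 4 lacks the security-enabled bit 0x80000000; a distribution group's SID is not placed in a member's token. Any ACL test in this file that grants a right to a group created by this helper and then connects as a member would then stop exercising the grant; if the intent was only to change scope, a constructed value such as `groupType: 2147483652` (domain-local plus the security-enabled bit) keeps the scope change without losing the bit — please confirm the bits before applying. A one-line comment on why the value was changed would help either way. The enclosing method starts outside the hunk.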
@@ -641,7 +643,7 @@ Member: CN=test_modify_user2,CN=Users, + self.base_dn 13 User with WP modifying Member #a second user is given write property permission user_sid = self.get_object_sid(self.get_user_dn(self.user_with_wp)) -mod = (OA;;WP;;;%s) % str(user_sid) +mod = (A;;WP;;;%s) % str(user_sid) self.dacl_add_ace(CN=test_modify_group2,CN=Users, + self.base_dn, mod) ldif = dn: CN=test_modify_group2,CN=Users, + self.base_dn + 
@@ -1023,12 +1025,230 @@ class AclRenameTests(AclTests): res = self.ldb_admin.search(self.base_dn, expression=(distinguishedName=%s) % ou3_dn) self.assertNotEqual(res, []) +#tests on Control Access Rights +class AclCARTests(AclTests): + +def setUp(self): +super(AclCARTests, self).setUp() +self.user_with_wp = acl_car_user1 +self.user_with_pc = acl_car_user2 +self.create_enable_user(self.user_with_wp) +self.create_enable_user(self.user_with_pc) +self.ldb_user = self.get_ldb_connection(self.user_with_wp, self.user_pass) +self.ldb_user2 = self.get_ldb_connection(self.user_with_pc, self.user_pass) + +def tearDown(self): +super(AclCARTests, self).tearDown() +self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_wp)) +self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_pc)) + +def test_change_password1(self): +Try a password change operation without any CARs given +#users have change password by default - remove for negative testing +desc = self.read_desc(self.get_user_dn(self.user_with_wp)) +sddl = desc.as_sddl(self.domain_sid) +sddl = sddl.replace((OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD), ) +sddl = sddl.replace((OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS), ) +self.modify_desc(self.get_user_dn(self.user_with_wp), sddl) +try: +self.ldb_user.modify_ldif( +dn: + self.get_user_dn(self.user_with_wp) + +changetype: modify +delete: unicodePwd +unicodePwd:: + base64.b64encode(\samba...@\.encode('utf-16-le')) + +add: unicodePwd +unicodePwd:: + base64.b64encode(\thatsAcomplPASS2\.encode('utf-16-le')) + +) +except LdbError, (num, _): +self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) +else: +# for some reason we get constraint violation instead of insufficient access error +self.fail() + +def test_change_password2(self): +Make sure WP has no influence +desc = self.read_desc(self.get_user_dn(self.user_with_wp)) +sddl = desc.as_sddl(self.domain_sid) +sddl = sddl.replace((OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD), ) +sddl = 
sddl.replace((OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS), ) +self.modify_desc(self.get_user_dn(self.user_with_wp
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 845e7a6... Fixed incorrect use of cn instead of lDAPDisplayName from cc7c572... s4:secrets Ensure secrets.ldb uses the same hooks as the rest of Samba http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 845e7a609d23677539d9439b941e0dffb53f6bc9 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Jun 29 11:46:22 2010 +0300 Fixed incorrect use of cn instead of lDAPDisplayName --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index bd788d4..e823b1e 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -724,7 +724,7 @@ static int acl_check_self_membership(struct ldb_module *module, if (ret != LDB_SUCCESS) { return ret; } - member_el = ldb_msg_find_element(req-op.mod.message, Member); + member_el = ldb_msg_find_element(req-op.mod.message, member); if (!member_el) { return LDB_ERR_OPERATIONS_ERROR; } @@ -844,7 +844,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) if (ldb_attr_cmp(nTSecurityDescriptor, req-op.mod.message-elements[i].name) == 0) { modify_sd = true; } - else if (ldb_attr_cmp(Member, req-op.mod.message-elements[i].name) == 0) { + else if (ldb_attr_cmp(member, req-op.mod.message-elements[i].name) == 0) { ret = acl_check_self_membership(module, req, sd, -- Samba Shared Repository
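Review bot: Both hunks change only the case of the attribute name (`Member` to `member`); as far as I recall, `ldb_attr_cmp` and `ldb_msg_find_element` compare attribute names case-insensitively, so this is a naming fix rather than a behaviour change, which the commit message could state explicitly. Because `acl_modify` routes a client-supplied element into the self-membership check purely by attribute name, a one-line comment at the `else if` such as `/* matched case-insensitively; "member" is the lDAPDisplayName */` would keep a later reader from reintroducing the mixed-case form. Both enclosing functions start and end outside their hunks.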
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5a18fc2... Implementation of self membership validated right. from a0bb31d... s4/test: Run DrsDeleteObjectTestCase as part of S4 testing http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5a18fc2b2a520977440e301d816bdf11ac966bc2 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Jun 28 10:34:14 2010 +0300 Implementation of self membership validated right. When this right is granted, the user can add or remove themselves from a group even if they dont have write property right. --- Summary of changes: source4/dsdb/common/util.c | 31 ++ source4/dsdb/samdb/ldb_modules/acl.c | 101 +++- source4/lib/ldb/tests/python/acl.py | 108 -- 3 files changed, 234 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 515d96d..80736b1 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -2514,6 +2514,37 @@ int dsdb_find_sid_by_dn(struct ldb_context *ldb, return LDB_SUCCESS; } +/* + use a SID to find a DN + */ +int dsdb_find_dn_by_sid(struct ldb_context *ldb, + TALLOC_CTX *mem_ctx, + struct dom_sid *sid, struct ldb_dn **dn) +{ + int ret; + struct ldb_result *res; + const char *attrs[] = { NULL }; + char *sid_str = dom_sid_string(mem_ctx, sid); + + if (!sid_str) { + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = dsdb_search(ldb, mem_ctx, res, NULL, LDB_SCOPE_SUBTREE, attrs, + DSDB_SEARCH_SEARCH_ALL_PARTITIONS | + DSDB_SEARCH_SHOW_EXTENDED_DN | + DSDB_SEARCH_ONE_ONLY, + objectSID=%s, sid_str); + talloc_free(sid_str); + if (ret != LDB_SUCCESS) { + return ret; + } + + *dn = talloc_steal(mem_ctx, res-msgs[0]-dn); + talloc_free(res); + + return LDB_SUCCESS; +} /* load a repsFromTo blob list for a given partition GUID diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index ccc7edf..b2aeb2a 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c 
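Review bot: dsdb_find_dn_by_sid hands back a DN whose ownership and form are not documented: `*dn` is talloc_steal'ed onto mem_ctx (so the caller owns it), and because the search passes DSDB_SEARCH_SHOW_EXTENDED_DN the DN carries extended components, so callers should compare it with ldb_dn_compare rather than against a linearized string. Suggest expanding the header comment to `/* use a SID to find a DN; on success *dn is owned by mem_ctx and includes extended (GUID/SID) components */`. Relying on DSDB_SEARCH_ONE_ONLY for `res->msgs[0]` being present is fine but deserves a comment on that line. A blank line is also missing between the closing brace and the following `/* load a repsFromTo ... */` comment.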
@@ -654,6 +654,95 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req) return ldb_next_request(module, req); } +/* checks for validated writes */ +static int acl_check_self_write(struct ldb_request *req, + struct security_descriptor *sd, + struct security_token *token, + const char *self_write, + struct dom_sid *sid) +{ + struct GUID right; + NTSTATUS status; + uint32_t access_granted; + struct object_tree *root = NULL; + struct object_tree *new_node = NULL; + TALLOC_CTX *tmp_ctx = talloc_new(req); + + GUID_from_string(self_write, right); + + if (!insert_in_object_tree(tmp_ctx, right, SEC_ADS_SELF_WRITE, + root, new_node)) { + DEBUG(10, (acl_modify: cannot add to object tree\n)); + talloc_free(tmp_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + status = sec_access_check_ds(sd, token, +SEC_ADS_SELF_WRITE, +access_granted, +root, +sid); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, (Object %s has no self membershipself write right\n, + ldb_dn_get_linearized(req-op.mod.message-dn))); + dsdb_acl_debug(sd, token, + req-op.mod.message-dn, + true, + 10); + talloc_free(tmp_ctx); + return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; + } + + return LDB_SUCCESS; +} + +/* ckecks if modifications are allowed on Member attribute */ +static int acl_check_self_membership(struct ldb_module *module, +struct ldb_request *req, +struct security_descriptor *sd, +struct dom_sid *sid, +const struct GUID *oc_guid, +const struct dsdb_attribute *attr) +{ + int ret, i; + TALLOC_CTX *tmp_ctx = talloc_new(req); + struct ldb_context *ldb = ldb_module_get_ctx(module); + struct ldb_dn *user_dn; + struct ldb_message_element *member_el; + /* if we have
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5ad12f7... s4:Descriptor tests clean-up. from 352fb5c... s4:provision: Make gc._msdcs DNS entries A/ records http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5ad12f70c543005fa5ef5485018150900382b8f0 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon Jun 14 15:12:00 2010 +0300 s4:Descriptor tests clean-up. A bit of refactoring and modified the tests to use encrypted connection so that they pass against Windows unconditionally. --- Summary of changes: source4/lib/ldb/tests/python/sec_descriptor.py | 220 +++ 1 files changed, 67 insertions(+), 153 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py index f26df07..43437fa 100755 --- a/source4/lib/ldb/tests/python/sec_descriptor.py +++ b/source4/lib/ldb/tests/python/sec_descriptor.py @@ -20,6 +20,9 @@ from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security from samba import Ldb +from samba import gensec +from samba.samdb import SamDB +from samba.credentials import Credentials from samba.auth import system_session from samba.dsdb import DS_DOMAIN_FUNCTION_2008 from samba.dcerpc.security import ( @@ -45,6 +48,7 @@ host = args[0] lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) +creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) # # Tests start here 
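Review bot: The added `creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)` line carries no comment saying why sealing is now forced; the commit message gives the reason (the tests must pass against Windows unconditionally), and the hunk further down creates users via `unicodePwd::`, which Active Directory refuses over a clear-text connection. Suggest `# force an encrypted (sealed) connection: setting unicodePwd is refused over a clear-text bind` directly above it. The same line appears in the acl.py change elsewhere on this page and would benefit from the same comment.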
@@ -210,33 +214,34 @@ showInAdvancedViewOnly: TRUE desc = res[0][nTSecurityDescriptor][0] return ndr_unpack(security.descriptor, desc) -def enable_account(self, user_dn): -Enable an account. -:param user_dn: Dn of the account to enable. - -res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, [userAccountControl]) -assert len(res) == 1 -userAccountControl = res[0][userAccountControl][0] -userAccountControl = int(userAccountControl) -if (userAccountControl 0x2): -userAccountControl = userAccountControl ~0x2 # remove disabled bit -if (userAccountControl 0x20): -userAccountControl = userAccountControl ~0x20 # remove 'no password required' bit -mod = +def create_active_user(self, _ldb, user_dn): +ldif = dn: + user_dn + +sAMAccountName: + user_dn.split(,)[0][3:] + +objectClass: user +unicodePwd:: + base64.b64encode(\samba...@\.encode('utf-16-le')) + +url: www.example.com + +_ldb.add_ldif(ldif) + +def add_user_to_group(self, _ldb, username, groupname): +ldif = +dn: + self.get_users_domain_dn(groupname) + changetype: modify -replace: userAccountControl -userAccountControl: %s % userAccountControl -if self.WIN2003: -mod = re.sub(userAccountControl: \d.*, userAccountControl: 544, mod) -self.ldb_admin.modify_ldif(mod) +add: member +member: + self.get_users_domain_dn(username) +_ldb.modify_ldif(ldif) def get_ldb_connection(self, target_username, target_password): -username_save = creds.get_username(); password_save = creds.get_password() -creds.set_username(target_username) -creds.set_password(target_password) -ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp) -creds.set_username(username_save); creds.set_password(password_save) +creds_tmp = Credentials() +creds_tmp.set_username(target_username) +creds_tmp.set_password(target_password) +creds_tmp.set_domain(creds.get_domain()) +creds_tmp.set_realm(creds.get_realm()) +creds_tmp.set_workstation(creds.get_workstation()) +creds_tmp.set_gensec_features(creds_tmp.get_gensec_features() + | 
gensec.FEATURE_SEAL) +ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp) return ldb_target def get_object_sid(self, object_dn): @@ -260,6 +265,11 @@ userAccountControl: %s % userAccountControl desc = self.read_desc(object_dn, controls) return desc.as_sddl(self.domain_sid) +def create_enable_user(self, username): +user_dn = self.get_users_domain_dn(username) +self.create_active_user(self.ldb_admin, user_dn) +self.ldb_admin.enable_account((sAMAccountName= + username + )) + def setUp(self): self.ldb_admin = ldb self.base_dn = self.find_basedn(self.ldb_admin) @@ -267,12 +277,6 @@ userAccountControl: %s % userAccountControl self.schema_dn = self.find_schemadn(self.ldb_admin) self.domain_sid = self.find_domain_sid(self.ldb_admin) print baseDN: %s % self.base_dn -self.SAMBA = False; self.WIN2003 = False -res = self.ldb_admin.search(base
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e3c9594... Adjusted ACL tests to use encripted connection. from 4bb351a... s3-auth: Fix valgrind warning (unitialized var) in samu_to_SamInfo3(). http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e3c95940cd6e1f6976cb249a8b329cdff4c756ee Author: Nadezhda Ivanova nivan...@samba.org Date: Fri Jun 11 17:22:21 2010 +0300 Adjusted ACL tests to use encripted connection. This way we get rid of the conditional if.Samba checks, because users are successfully created and enabled. --- Summary of changes: source4/lib/ldb/tests/python/acl.py | 189 +-- 1 files changed, 69 insertions(+), 120 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/ldb/tests/python/acl.py b/source4/lib/ldb/tests/python/acl.py index 37265ef..8a3f4cb 100755 --- a/source4/lib/ldb/tests/python/acl.py +++ b/source4/lib/ldb/tests/python/acl.py @@ -20,6 +20,9 @@ from samba.dcerpc import security from samba.auth import system_session from samba import Ldb +from samba import gensec +from samba.samdb import SamDB +from samba.credentials import Credentials from subunit.run import SubunitTestRunner import unittest @@ -41,6 +44,7 @@ host = args[0] lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) +creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) # # Tests start here @@ -70,13 +74,6 @@ class AclTests(unittest.TestCase): self.domain_sid = self.find_domain_sid(self.ldb_admin) self.user_pass = samba123@ print baseDN: %s % self.base_dn -self.SAMBA = False; self.WIN = False -res = self.ldb_admin.search(base=,expression=, scope=SCOPE_BASE, -attrs=[vendorName]) -if res and vendorName in res[0].keys() and res[0][vendorName][0].find(Samba Team) != -1: -self.SAMBA = True -else: -self.WIN = True def get_user_dn(self, name): return CN=%s,CN=Users,%s % (name, self.base_dn) 
@@ -96,15 +93,6 @@ replace: nTSecurityDescriptor elif isinstance(desc, security.descriptor): mod += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) self.ldb_admin.modify_ldif(mod) -return -# Everything below is used in case of emergency or -# double modify verification of some sort -assert(isinstance(desc, security.descriptor)) -fn = /tmp/tmpMod -f = open(fn, w); f.write(mod); f.close() -cmd = ldapmodify -x -h %s -D %s -w %s -f %s \ -% (host[7:], self.get_user_dn(creds.get_username()), creds.get_password(), fn) -return os.system( cmd ) == 0 def add_group_member(self, _ldb, group_dn, member_dn): Modify user to ge member of a group @@ -132,7 +120,17 @@ url: www.example.com ldif += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) _ldb.add_ldif(ldif) -def create_user(self, _ldb, user_dn, desc=None): +def create_active_user(self, _ldb, user_dn): +ldif = +dn: + user_dn + +sAMAccountName: + user_dn.split(,)[0][3:] + +objectClass: user +unicodePwd:: + base64.b64encode(\samba...@\.encode('utf-16-le')) + +url: www.example.com + +_ldb.add_ldif(ldif) + +def create_test_user(self, _ldb, user_dn, desc=None): ldif = dn: + user_dn + sAMAccountName: + user_dn.split(,)[0][3:] + 
@@ -169,33 +167,16 @@ url: www.example.com desc = res[0][nTSecurityDescriptor][0] return ndr_unpack( security.descriptor, desc ) -def enable_account(self, user_dn): -Enable an account. -:param user_dn: Dn of the account to enable. - -res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, [userAccountControl]) -assert len(res) == 1 -userAccountControl = res[0][userAccountControl][0] -userAccountControl = int(userAccountControl) -if (userAccountControl 0x2): -userAccountControl = userAccountControl ~0x2 # remove disabled bit -if (userAccountControl 0x20): -userAccountControl = userAccountControl ~0x20 # remove 'no password required' bit -mod = -dn: + user_dn + -changetype: modify -replace: userAccountControl -userAccountControl: %s % userAccountControl -if self.WIN: -mod = re.sub(userAccountControl: \d.*, userAccountControl: 544, mod) -self.ldb_admin.modify_ldif(mod) - -def get_ldb_connection(self, target_username): -username_save = creds.get_username(); password_save = creds.get_password() -creds.set_username(target_username) -creds.set_password(self.user_pass) -ldb_target = Ldb(host, credentials=creds, session_info=system_session
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8823bdc... Added guids for the validated writes. from 1fd15dc... s3: Fix bug 7253 http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8823bdc7e2d141add138420feadd86837ea2257d Author: Nadezhda Ivanova nivan...@samba.org Date: Wed Jun 9 12:03:32 2010 +0300 Added guids for the validated writes. --- Summary of changes: librpc/idl/security.idl |7 +++ 1 files changed, 7 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index 7f9e7db..6e32b86 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -520,6 +520,13 @@ interface security const string GUID_DRS_REPL_SYNCRONIZE = 1131f6ab-9c07-11d1-f79f-00c04fc2dcd2; const string GUID_DRS_RO_REPL_SECRET_SYNC = 1131f6ae-9c07-11d1-f79f-00c04fc2dcd2; + /***/ + /* validated writes guids */ + const string GUID_DRS_VALIDATE_SPN= f3a64788-5306-11d1-a9c5-f80367c1; + const string GUID_DRS_SELF_MEMBERSHIP = bf9679c0-0de6-11d0-a285-00aa003049e2; + const string GUID_DRS_DNS_HOST_NAME = 72e39547-7b18-11d1-adef-00c04fd8d5cd; + const string GUID_DRS_ADD_DNS_HOST_NAME = 80863791-dbe9-4eb8-837e-7f0ab55d9ac7; + const string GUID_DRS_BEHAVIOR_VERSION= d31a8757-2447-4545-8081-3bb610cacbf2; /* A type to describe the mapping of generic access rights to object specific access rights. */ -- Samba Shared Repository
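Review bot: `GUID_DRS_VALIDATE_SPN` is assigned `f3a64788-5306-11d1-a9c5-f80367c1`, whose last group has 8 hex digits instead of 12, so the string is not a well-formed GUID and any later GUID_from_string on it will fail or, worse, never match the Validated-SPN ACE it is meant to represent. MS-ADTS lists the Validated-SPN validated-write GUID as `f3a64788-5306-11d1-a9c5-0000f80367c1`; please verify against the specification and correct the constant. Because the other four constants are spelled out in full, a copy error here is easy to miss; a test that round-trips every `GUID_DRS_*` string through GUID_from_string would catch it.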
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 15b42d6... Added a function to check if an attribute can belong to a filtered replica. from fe1617a... s3-lanman: fix api_DosPrintQEnum(). http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 15b42d6515504862184f33ad8002135ec1e63158 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon May 3 14:50:10 2010 +0200 Added a function to check if an attribute can belong to a filtered replica. --- Summary of changes: source4/dsdb/config.mk|3 +- source4/dsdb/schema/schema_filtered.c | 110 + source4/dsdb/wscript_build|2 +- source4/torture/ldap/schema.c | 17 + 4 files changed, 130 insertions(+), 2 deletions(-) create mode 100644 source4/dsdb/schema/schema_filtered.c Changeset truncated at 500 lines: diff --git a/source4/dsdb/config.mk b/source4/dsdb/config.mk index 4363399..1ab0cb2 100644 --- a/source4/dsdb/config.mk +++ b/source4/dsdb/config.mk @@ -43,7 +43,8 @@ SAMDB_SCHEMA_OBJ_FILES = $(addprefix $(dsdbsrcdir)/schema/, \ schema_convert_to_ol.o \ schema_inferiors.o \ schema_prefixmap.o \ - schema_info_attr.o) + schema_info_attr.o \ + schema_filtered.o) $(eval $(call proto_header_template,$(dsdbsrcdir)/schema/proto.h,$(SAMDB_SCHEMA_OBJ_FILES:.o=.c))) # PUBLIC_HEADERS += dsdb/schema/schema.h diff --git a/source4/dsdb/schema/schema_filtered.c b/source4/dsdb/schema/schema_filtered.c new file mode 100644 index 000..304160d --- /dev/null +++ b/source4/dsdb/schema/schema_filtered.c 
@@ -0,0 +1,110 @@ +/* + Unix SMB/CIFS mplementation. + API for determining af an attribute belongs to the filtered set. + + Copyright (C) Nadezhda Ivanova nivan...@samba.org 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. + +*/ +#include includes.h +#include dsdb/samdb/samdb.h +#include dsdb/common/util.h +#include lib/ldb/include/ldb_errors.h +#include ../lib/util/dlinklist.h +#include param/param.h + +const char *never_in_filtered_attrs[] = { accountExpires, +codePage, +creationTime, +currentValue, +dBCSPwd, +dNSHostName, +displayName, +domainReplica, +fSMORoleOwner, +flatName, +initialAuthIncoming, +initialAuthOutgoing, +isCriticalSystemObject, +lmPwdHistory, +lockOutObservationWindow, +lockoutDuration, +lockoutTime, +logonHours, +maxPwdAge, +minPwdAge, +minPwdLength, +msDS-AdditionalDnsHostName, +msDS-AdditionalSamAccountName, +msDS-AllowedToDelegateTo, +msDS-AuthenticatedAtDC, +msDS-ExecuteScriptPassword, +msDS-KrbTgtLink, +msDS-SPNSuffixes, +msDS-SupportedEncryptionTypes, +msDS-TrustForestTrustInfo, +nETBIOSName, +nTMixedDomain, +notFiltlockoutThreshold, +ntPwdHistory, +operatingSystem, +operatingSystemServicePack, +operatingSystemVersion, +priorValue, +pwdHistoryLength
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 54e68b4... Added a couple of systemFlags, needed for determining filtered attributes. from 15b42d6... Added a function to check if an attribute can belong to a filtered replica. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 54e68b4949b8d7aadefe0eff8ea6b8c949a2ceb8 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon May 3 15:38:46 2010 +0200 Added a couple of systemFlags, needed for determining filtered attributes. --- Summary of changes: libds/common/flags.h |4 1 files changed, 4 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/libds/common/flags.h b/libds/common/flags.h index de3e71c..67811d0 100644 --- a/libds/common/flags.h +++ b/libds/common/flags.h @@ -185,8 +185,12 @@ /* sa-systemFlags on attributes */ #define DS_FLAG_ATTR_NOT_REPLICATED0x0001 +#define DS_FLAG_ATTR_REQ_PARTIAL_SET_MEMBER 0x0002 #define DS_FLAG_ATTR_IS_CONSTRUCTED0x0004 +/* sa-systemFlagsEx on attributes */ +#define DS_FLAG_ATTR_IS_CRITICAL0x0001 + /* 7.1.1.2.2.1.2.1.1 nTDSDSA Object options flags */ #define DS_NTDSDSA_OPT_IS_GC0x0001 #define DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL 0x0002 -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e2e3911... Replaced DS_FLAG_ATTR_IS_CRITICAL with SCHEMA_FLAG_ATTR_IS_CRITICAL. from 9cc10e6... s3-rpcclient: Fix Bug #7277. rpcclient was sending invalid data, causing cupsaddsmb to fail. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e2e39117bcea5264c913383ccc68e23307264c63 Author: Nadezhda Ivanova nivan...@samba.org Date: Mon May 3 16:47:56 2010 +0200 Replaced DS_FLAG_ATTR_IS_CRITICAL with SCHEMA_FLAG_ATTR_IS_CRITICAL. --- Summary of changes: libds/common/flags.h |3 --- source4/dsdb/schema/schema_filtered.c |2 +- 2 files changed, 1 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/libds/common/flags.h b/libds/common/flags.h index 67811d0..6a29b1b 100644 --- a/libds/common/flags.h +++ b/libds/common/flags.h @@ -188,9 +188,6 @@ #define DS_FLAG_ATTR_REQ_PARTIAL_SET_MEMBER 0x0002 #define DS_FLAG_ATTR_IS_CONSTRUCTED0x0004 -/* sa-systemFlagsEx on attributes */ -#define DS_FLAG_ATTR_IS_CRITICAL0x0001 - /* 7.1.1.2.2.1.2.1.1 nTDSDSA Object options flags */ #define DS_NTDSDSA_OPT_IS_GC0x0001 #define DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL 0x0002 diff --git a/source4/dsdb/schema/schema_filtered.c b/source4/dsdb/schema/schema_filtered.c index 304160d..1582aee 100644 --- a/source4/dsdb/schema/schema_filtered.c +++ b/source4/dsdb/schema/schema_filtered.c @@ -88,7 +88,7 @@ bool dsdb_attribute_is_attr_in_filtered_replica(struct dsdb_attribute *attribute { int i, size = sizeof(never_in_filtered_attrs)/sizeof(char *); if (attribute-systemOnly || - attribute-schemaFlagsEx DS_FLAG_ATTR_IS_CRITICAL) { + attribute-schemaFlagsEx SCHEMA_FLAG_ATTR_IS_CRITICAL) { return false; } if (attribute-systemFlags (DS_FLAG_ATTR_NOT_REPLICATED | -- Samba Shared Repository
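Review bot: The table this function scans, `never_in_filtered_attrs` (defined earlier in the file and visible in the original commit on this page), contains the entry `notFiltlockoutThreshold`, which looks like a garbled `lockoutThreshold`; if so, that attribute is never excluded from the filtered set even though the table intends it to be. Independently of that, `int i, size = sizeof(never_in_filtered_attrs)/sizeof(char *)` mixes a signed index with a size_t-valued expression; `size_t i, size = ARRAY_SIZE(never_in_filtered_attrs);` (Samba's util headers provide ARRAY_SIZE) is the idiomatic form. The `||` / `&` mix in the condition is correct under C precedence but reads better with the bitwise test parenthesised. The function's body continues outside the hunk.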
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4fc5908... Removed more excess looping and fixed problem with incorrect IO flag handling. from cea24c4... Remove an unused auto variable. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4fc59089c81b251b4fab17f170e96bd6dac02490 Author: Nadezhda Ivanova nivan...@samba.org Date: Tue Apr 20 00:23:42 2010 +0300 Removed more excess looping and fixed problem with incorrect IO flag handling. --- Summary of changes: source4/lib/ldb/tests/python/sec_descriptor.py | 33 source4/libcli/security/create_descriptor.c| 207 +-- 2 files changed, 114 insertions(+), 126 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py index 609fca8..f26df07 100755 --- a/source4/lib/ldb/tests/python/sec_descriptor.py +++ b/source4/lib/ldb/tests/python/sec_descriptor.py 
@@ -1725,6 +1725,39 @@ class DaclDescriptorTests(DescriptorTests): desc_sddl = self.get_desc_sddl(group_dn) self.assertTrue((D;;WP;;;DA)(D;CIIO;WP;;;CO) in desc_sddl) +def test_212(self): + Provide ACE with IO flag, should be ignored + +ou_dn = OU=test_inherit_ou, + self.base_dn +group_dn = CN=test_inherit_group, + ou_dn +# Create inheritable-free OU +self.create_clean_ou(ou_dn) +# Add some custom 'CI' ACE +mod = D:(D;CIIO;WP;;;CO) +self.create_domain_group(self.ldb_admin, group_dn, mod) +# Make sure created group object contains only the above inherited ACE(s) +# that we've added manually +desc_sddl = self.get_desc_sddl(group_dn) +print desc_sddl +self.assertTrue((D;CIIO;WP;;;CO) in desc_sddl) +self.assertFalse((D;;WP;;;DA) in desc_sddl) +self.assertFalse((D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO) in desc_sddl) + +def test_213(self): + Provide ACE with IO flag, should be ignored + +ou_dn = OU=test_inherit_ou, + self.base_dn +group_dn = CN=test_inherit_group, + ou_dn +# Create inheritable-free OU +self.create_clean_ou(ou_dn) +mod = D:(D;IO;WP;;;DA) +self.create_domain_group(self.ldb_admin, group_dn, mod) +# Make sure created group object contains only the above inherited ACE(s) +# that we've added manually +desc_sddl = self.get_desc_sddl(group_dn) +print desc_sddl +self.assertFalse((D;IO;WP;;;DA) in desc_sddl) + diff --git a/source4/libcli/security/create_descriptor.c b/source4/libcli/security/create_descriptor.c index f4849cf..d64de2f 100644 --- a/source4/libcli/security/create_descriptor.c +++ b/source4/libcli/security/create_descriptor.c 
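Review bot: test_212's docstring `Provide ACE with IO flag, should be ignored` contradicts its assertions: the ACE written is `(D;CIIO;WP;;;CO)` and the test asserts that it is present (and not duplicated), so only test_213, whose ACE is `(D;IO;WP;;;DA)` with IO alone, actually checks the "ignored" case. Suggest `Provide ACE with CI+IO flags: kept as an inherit-only ACE, neither expanded nor duplicated` for test_212. Both tests also leave a bare `print desc_sddl` in place, which adds noise to the subunit output; drop it or move it behind a verbosity check.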
@@ -53,22 +53,22 @@ uint32_t map_generic_rights_ds(uint32_t access_mask) { - if (access_mask SEC_GENERIC_ALL){ + if (access_mask SEC_GENERIC_ALL) { access_mask |= SEC_ADS_GENERIC_ALL; access_mask = ~SEC_GENERIC_ALL; } - if (access_mask SEC_GENERIC_EXECUTE){ + if (access_mask SEC_GENERIC_EXECUTE) { access_mask |= SEC_ADS_GENERIC_EXECUTE; access_mask = ~SEC_GENERIC_EXECUTE; } - if (access_mask SEC_GENERIC_WRITE){ + if (access_mask SEC_GENERIC_WRITE) { access_mask |= SEC_ADS_GENERIC_WRITE; access_mask = ~SEC_GENERIC_WRITE; } - if (access_mask SEC_GENERIC_READ){ + if (access_mask SEC_GENERIC_READ) { access_mask |= SEC_ADS_GENERIC_READ; access_mask = ~SEC_GENERIC_READ; } @@ -83,85 +83,20 @@ static bool object_in_list(struct GUID *object_list, struct GUID *object) return true; } - /* remove any ACEs with inherited flag up - TODO test this! */ -static struct security_acl *clean_user_acl(TALLOC_CTX *mem, struct security_acl *acl) -{ - int i; - struct security_acl *new_acl; - if (!acl) { - return NULL; - } - - new_acl = talloc_zero(mem, struct security_acl); - - for (i=0; i acl-num_aces; i++) { - struct security_ace *ace = acl-aces[i]; - if (!(ace-flags SEC_ACE_FLAG_INHERITED_ACE)){ - new_acl-aces = talloc_realloc(new_acl, new_acl-aces, struct security_ace, - new_acl-num_aces+1); - if (new_acl-aces == NULL) { - talloc_free(new_acl); - return NULL; - } - new_acl-aces[new_acl-num_aces] = *ace; - new_acl-num_aces
The branch, master has been updated via 64f4183... s4:Added a test for correct CO expansion in SD creation. from f4b73f4... s3: Slightly simpify samr_ValidatePassword_Reset http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 64f4183a3549205915354761eb211f031a632708 Author: Nadezhda Ivanova nivan...@samba.org Date: Sat Apr 17 18:16:25 2010 +0300 s4:Added a test for correct CO expansion in SD creation. --- Summary of changes: source4/lib/ldb/tests/python/sec_descriptor.py | 13 + 1 files changed, 13 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py index 4a683f1..609fca8 100755 --- a/source4/lib/ldb/tests/python/sec_descriptor.py +++ b/source4/lib/ldb/tests/python/sec_descriptor.py @@ -1712,6 +1712,19 @@ class DaclDescriptorTests(DescriptorTests): desc_sddl = self.get_desc_sddl(group_dn) self.assertFalse((A;ID;WP;;;AU) in desc_sddl) +def test_211(self): + Provide ACE with CO SID, should be expanded and replaced + +ou_dn = OU=test_inherit_ou, + self.base_dn +group_dn = CN=test_inherit_group, + ou_dn +# Create inheritable-free OU +self.create_clean_ou(ou_dn) +# Add some custom 'CI' ACE +mod = D:(D;CI;WP;;;CO) +self.create_domain_group(self.ldb_admin, group_dn, mod) +desc_sddl = self.get_desc_sddl(group_dn) +self.assertTrue((D;;WP;;;DA)(D;CIIO;WP;;;CO) in desc_sddl) + -- Samba Shared Repository
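Review bot: test_211's expected value `"(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl` hard-codes both the expansion of the CO SID to the `DA` alias and the relative order of the two ACEs, and neither assumption is recorded anywhere. The DA expansion presumably holds only because ldb_admin's default owner is Domain Admins, so a comment such as `# ldb_admin's default owner is Domain Admins, hence CO expands to DA` would make the test readable; checking the two ACEs with separate `assertTrue` calls would remove the dependence on concatenation order unless ordering is itself under test.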
The branch, master has been updated via eef1843... s4:Replaced dsdb_get_dom_sid_from_ldb_message() with samdb_result_dom_sid() from 20fc769... s3-docs: Improve winbind nss info section in man smb.conf. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit eef184301adccb141cc0da4cee960a60ae38b569 Author: Nadezhda Ivanova nivan...@samba.org Date: Fri Apr 16 14:28:09 2010 +0300 s4:Replaced dsdb_get_dom_sid_from_ldb_message() with samdb_result_dom_sid() --- Summary of changes: source4/dsdb/common/dsdb_access.c| 33 ++--- source4/dsdb/samdb/ldb_modules/acl.c | 29 + 2 files changed, 7 insertions(+), 55 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/common/dsdb_access.c b/source4/dsdb/common/dsdb_access.c index 40233f9..7857e1f 100644 --- a/source4/dsdb/common/dsdb_access.c +++ b/source4/dsdb/common/dsdb_access.c @@ -33,6 +33,7 @@ #include libcli/ldap/ldap_ndr.h #include param/param.h #include auth/auth.h +#include dsdb/samdb/samdb.h void dsdb_acl_debug(struct security_descriptor *sd, struct security_token *token, @@ -78,32 +79,6 @@ int dsdb_get_sd_from_ldb_message(TALLOC_CTX *mem_ctx, return LDB_SUCCESS; } -int dsdb_get_dom_sid_from_ldb_message(TALLOC_CTX *mem_ctx, -struct ldb_message *acl_res, -struct dom_sid **sid) -{ - struct ldb_message_element *sid_element; - enum ndr_err_code ndr_err; - - sid_element = ldb_msg_find_element(acl_res, objectSid); - if (!sid_element) { - *sid = NULL; - return LDB_SUCCESS; - } - *sid = talloc(mem_ctx, struct dom_sid); - if(!*sid) { - return LDB_ERR_OPERATIONS_ERROR; - } - ndr_err = ndr_pull_struct_blob(sid_element-values[0], *sid, NULL, *sid, - (ndr_pull_flags_fn_t)ndr_pull_dom_sid); - - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - return LDB_ERR_OPERATIONS_ERROR; - } - - return LDB_SUCCESS; -} - int dsdb_check_access_on_dn_internal(struct ldb_result *acl_res, TALLOC_CTX *mem_ctx, struct security_token *token, 
@@ -127,11 +102,7 @@ int dsdb_check_access_on_dn_internal(struct ldb_result *acl_res, if (!sd) { return LDB_SUCCESS; } - ret = dsdb_get_dom_sid_from_ldb_message(mem_ctx, acl_res-msgs[0], sid); - if (ret != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; - } - + sid = samdb_result_dom_sid(mem_ctx, acl_res-msgs[0], objectSid); if (guid) { if (!insert_in_object_tree(mem_ctx, guid, access, root, new_node)) { return LDB_ERR_OPERATIONS_ERROR; diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 5679e11..35b5663 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -374,11 +374,8 @@ static int acl_allowedAttributes(struct ldb_module *module, if (ret != LDB_SUCCESS) { return ret; } - ret = dsdb_get_dom_sid_from_ldb_message(mem_ctx, sd_msg, sid); - if (ret != LDB_SUCCESS) { - return ret; - } + sid = samdb_result_dom_sid(mem_ctx, sd_msg, objectSid); for (i=0; attr_list attr_list[i]; i++) { const struct dsdb_attribute *attr = dsdb_attribute_by_lDAPDisplayName(schema, attr_list[i]); @@ -495,11 +492,8 @@ static int acl_childClassesEffective(struct ldb_module *module, if (ret != LDB_SUCCESS) { return ret; } - ret = dsdb_get_dom_sid_from_ldb_message(msg, sd_msg, sid); - if (ret != LDB_SUCCESS) { - return ret; - } + sid = samdb_result_dom_sid(msg, sd_msg, objectSid); for (i=0; oc_el i oc_el-num_values; i++) { sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, oc_el-values[i]); if (!sclass) { @@ -573,11 +567,7 @@ static int acl_sDRightsEffective(struct ldb_module *module, if (ret != LDB_SUCCESS) { return ret; } - ret = dsdb_get_dom_sid_from_ldb_message(msg, sd_msg, sid); - - if (ret != LDB_SUCCESS) { - return ret; - } + sid = samdb_result_dom_sid(msg, sd_msg, objectSid); ret = acl_check_access_on_attribute(module
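Review bot: The replacement `sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");` drops the error path the removed dsdb_get_dom_sid_from_ldb_message call had: its only out-of-band signal is a NULL pointer, so a missing objectSid, an allocation failure and a failed NDR pull now all leave sid == NULL and the access check proceeds, where the old code returned LDB_ERR_OPERATIONS_ERROR for the latter two. Whether a NULL sid widens or narrows the decision depends on how sec_access_check_ds treats it, which is outside this hunk, but a malformed objectSid on a stored object should arguably fail closed rather than be treated as absent. The same substitution is made in acl.c in the @@ -374 and @@ -495 hunks of this commit (and in a third hunk that is cut off at the end of the page), so the same consideration applies there. If dropping the distinction is intended, a comment such as `/* NULL both when objectSid is absent and when it cannot be parsed; the check then runs without a self SID */` would document it at the first site.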
The branch, master has been updated via 205c826... A bit of refactoring in the SD creation code. from e9d4f15... s4:torture/rpc/autoidl.c: check for NT_STATUS_RPC_* instead of p-last_fault_code http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 205c8266112d85543c3667854ac58e41c02fed17 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Apr 15 13:54:23 2010 +0300 A bit of refactoring in the SD creation code. --- Summary of changes: source4/libcli/security/create_descriptor.c | 198 ++- 1 files changed, 71 insertions(+), 127 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/libcli/security/create_descriptor.c b/source4/libcli/security/create_descriptor.c index d5bc7cb..f4849cf 100644 --- a/source4/libcli/security/create_descriptor.c +++ b/source4/libcli/security/create_descriptor.c @@ -83,24 +83,8 @@ static bool object_in_list(struct GUID *object_list, struct GUID *object) return true; } - -static bool contains_inheritable_aces(struct security_acl *acl) -{ -int i; - if (!acl) - return false; - - for (i=0; i acl-num_aces; i++) { - struct security_ace *ace = acl-aces[i]; - if ((ace-flags SEC_ACE_FLAG_CONTAINER_INHERIT) || - (ace-flags SEC_ACE_FLAG_OBJECT_INHERIT)) - return true; - } - - return false; -} - -static struct security_acl *preprocess_creator_acl(TALLOC_CTX *mem, struct security_acl *acl) + /* remove any ACEs with inherited flag up - TODO test this! */ +static struct security_acl *clean_user_acl(TALLOC_CTX *mem, struct security_acl *acl) { int i; struct security_acl *new_acl; 
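Review bot: The comment introduced above the renamed function, `/* remove any ACEs with inherited flag up - TODO test this! */`, commits an untested-code marker and says nothing about the function's contract; the body of clean_user_acl continues outside this hunk. Replace it with what callers can rely on, e.g. `/* Return a copy of acl on mem without the ACEs that carry SEC_ACE_FLAG_INHERITED_ACE; NULL if acl is NULL or allocation fails */`, and let the Python descriptor tests cover it (the test_210 added in the next commit on this page exercises the ID-flag case). The leading space before `/*` also puts the comment out of column with the `static` line it describes.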
@@ -129,8 +113,9 @@ static struct security_acl *preprocess_creator_acl(TALLOC_CTX *mem, struct secur return new_acl; } -/* This is not exactly as described in the docs. The original seemed to return - * only a list of the inherited or flagless ones... */ +/* sort according to rules, + * replace generic flags with the mapping + * replace CO and CG with the appropriate owner/group */ static bool postprocess_acl(struct security_acl *acl, struct dom_sid *owner, @@ -151,13 +136,12 @@ static bool postprocess_acl(struct security_acl *acl, continue; if (dom_sid_equal(ace-trustee, co)){ ace-trustee = *owner; - /* perhaps this should be done somewhere else? */ ace-flags = ~SEC_ACE_FLAG_CONTAINER_INHERIT; } if (dom_sid_equal(ace-trustee, cg)){ ace-trustee = *group; ace-flags = ~SEC_ACE_FLAG_CONTAINER_INHERIT; - } + } ace-access_mask = generic_map(ace-access_mask); } @@ -179,6 +163,9 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, if (!tmp_acl || !inh_acl) return NULL; + if (!acl) { + return NULL; + } co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER); cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP); @@ -200,7 +187,7 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, tmp_acl-aces[tmp_acl-num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; if (ace-type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT || - ace-type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT){ + ace-type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) { if (!object_in_list(object_list, ace-object.object.type.type)){ tmp_acl-aces[tmp_acl-num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; } 
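Review bot: The `if (!acl) { return NULL; }` added in the @@ -179 hunk of calculate_inherited_from_parent returns without releasing tmp_ctx, which is used two lines later by dom_sid_parse_talloc and freed on the normal exit shown in the @@ -233 hunk, so the new early return leaks it (the pre-existing `if (!tmp_acl || !inh_acl) return NULL;` just above has the same problem). Since the acl test does not depend on those allocations, either move it above them or write it as `if (!acl) { talloc_free(tmp_ctx); return NULL; }`. The `if (new_acl->num_aces == 0) { return NULL; }` added in the @@ -233 hunk (cut off at the end of this page) shares the leak and additionally dereferences new_acl one line before the existing `if (new_acl)` NULL check. The function's start is outside these hunks, so where tmp_ctx is allocated is inferred from its use, not seen.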
@@ -233,21 +220,21 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, inh_acl-num_aces++; } } - } + } new_acl = security_acl_concatenate(mem_ctx, inh_acl, tmp_acl); + if (new_acl-num_aces == 0) { + return NULL; + } if (new_acl) new_acl-revision = acl-revision; talloc_free(tmp_ctx); return new_acl; } -/* In the docs this looks == calculate_inherited_from_parent. However, - * It shouldn't return the inherited, rather filter them out - */ static struct security_acl *calculate_inherited_from_creator(TALLOC_CTX *mem_ctx, - struct security_acl *acl, - bool is_container
The branch, master has been updated via cec0e86... s4:Added a test to make sure we ignore ACEs with ID flag set. from 205c826... A bit of refactoring in the SD creation code. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit cec0e86ec84a1347a330430337c6b8a643381001 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Apr 15 18:21:55 2010 +0300 s4:Added a test to make sure we ignore ACEs with ID flag set. --- Summary of changes: source4/lib/ldb/tests/python/sec_descriptor.py | 13 + 1 files changed, 13 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py index 30f82e6..4a683f1 100755 --- a/source4/lib/ldb/tests/python/sec_descriptor.py +++ b/source4/lib/ldb/tests/python/sec_descriptor.py @@ -1699,6 +1699,19 @@ class DaclDescriptorTests(DescriptorTests): self.assertTrue((D;ID;WP;;;DA) in desc_sddl) self.assertTrue((D;CIIOID;WP;;;CO) in desc_sddl) +def test_210(self): + OU with protected flag, provide ACEs with ID flag raised. Should be ignored. + +ou_dn = OU=test_inherit_ou, + self.base_dn +group_dn = CN=test_inherit_group, + ou_dn +self.create_clean_ou(ou_dn) +# Add some custom ACE +mod = D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU) +self.create_domain_group(self.ldb_admin, group_dn, mod) +# Make sure created group object does not contain the ID ace +desc_sddl = self.get_desc_sddl(group_dn) +self.assertFalse((A;ID;WP;;;AU) in desc_sddl) + -- Samba Shared Repository
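Review bot: test_210's docstring says "OU with protected flag", but the body only calls `self.create_clean_ou(ou_dn)` and sets no protection flag on the OU, so either the docstring or the setup is out of date (create_clean_ou is not visible here, so this is inferred from the call). The test also asserts only the negative, `self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)`, which would equally pass if the whole supplied descriptor had been rejected; a positive assertion that the other ACE from `mod` (or its expanded form) is present would show that only the ID-flagged entry was dropped.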
The branch, master has been updated via 83312a9... Fixed a problem with provision missing the default_dir/etc directory. from d73a7e7... s3: Little refactoring: Factor out skip_space http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 83312a9e501ebbee15b4fd2353330880496f4add Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Mon Apr 12 16:05:37 2010 +0300 Fixed a problem with provision missing the default_dir/etc directory. --- Summary of changes: source4/scripting/python/samba/provision.py |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 2e4aa34..f200487 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -1170,11 +1170,11 @@ def provision(setup_dir, message, session_info, bind_gid = None if targetdir is not None: -if (not os.path.exists(os.path.join(targetdir, etc))): -os.makedirs(os.path.join(targetdir, etc)) smbconf = os.path.join(targetdir, etc, smb.conf) elif smbconf is None: smbconf = param.default_path() +if not os.path.exists(os.path.dirname(smbconf)): +os.makedirs(os.path.dirname(smbconf)) # only install a new smb.conf if there isn't one there already if os.path.exists(smbconf): -- Samba Shared Repository
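Review bot: The new `os.makedirs(os.path.dirname(smbconf))` fails when smbconf is a bare file name: `os.path.dirname("smb.conf")` is `""`, `os.path.exists("")` is False, and `os.makedirs("")` raises OSError. The old code only created the directory in the targetdir branch, whereas the new placement also runs for an explicitly passed smbconf, so the empty-dirname case is now reachable. A guard such as `conf_dir = os.path.dirname(smbconf)` / `if conf_dir and not os.path.exists(conf_dir):` / `os.makedirs(conf_dir)` covers it; the exists-then-makedirs pair also races with a concurrent provision, which catching the EEXIST OSError from makedirs would close.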
The branch, master has been updated via a212c1d... Added a net acl ds command for modification of ACLs on directory objects from 4379b08... s3-spoolss: be very strict on OpenPrinter{Ex} failures for bad names. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a212c1dedb749b98d17c67db4278d1f1bb66d468 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Tue Mar 16 13:06:08 2010 +0200 Added a net acl ds command for modification of ACLs on directory objects At present the command supports only addition of control access rigts, done so DRS access checks can be tested. It will be expanded to deal with most ways to modify and view a DS ACL. Shifted commands a bit. What used to be net acl is now net acl nt as apposed to this, which is net acl ds ./bin/net acl ds set --help Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn Options: -h, --helpshow this help message and exit --host=HOST LDB URL for database or target server --car=CAR The access control right to allow or deny --action=ACTION Deny or allow access --objectdn=OBJECTDN DN of the object whose SD to modify --trusteedn=TRUSTEEDN DN of the entity that gets access Samba Common Options: -s FILE, --configfile=FILE Configuration file Credentials Options: --simple-bind-dn=DN DN to use for a simple bind --password=PASSWORD Password -U USERNAME, --username=USERNAME Username -W WORKGROUP, --workgroup=WORKGROUP Workgroup -N, --no-pass Don't ask for a password -k KERBEROS, --kerberos=KERBEROS Use Kerberos --- Summary of changes: librpc/idl/security.idl | 19 ++- source4/scripting/python/pyglue.c | 15 ++ source4/scripting/python/samba/__init__.py| 15 ++ source4/scripting/python/samba/netcmd/__init__.py |2 +- source4/scripting/python/samba/netcmd/dsacl.py| 174 + source4/scripting/python/samba/netcmd/netacl.py | 36 + source4/scripting/python/samba/netcmd/ntacl.py|2 +- 7 files changed, 260 insertions(+), 3 deletions(-) create mode 100644 
source4/scripting/python/samba/netcmd/dsacl.py create mode 100644 source4/scripting/python/samba/netcmd/netacl.py Changeset truncated at 500 lines: diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index 186c2bc..e7ae854 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -479,4 +479,21 @@ interface security SEC_OWNER_FROM_PARENT= 0x0008, SEC_GROUP_FROM_PARENT= 0x0010 } security_autoinherit; -} + + /***/ + /* Extended right guids */ + + const string GUID_DRS_ALLOCATE_RIDS = 1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd; + const string GUID_DRS_CHANGE_DOMAIN_MASTER= 014bf69c-7b3b-11d1-85f6-08002be74fab; + const string GUID_DRS_CHANGE_INFR_MASTER = cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd; + const string GUID_DRS_CHANGE_PDC = bae50096-4752-11d1-9052-00c04fc2d4cf; + const string GUID_DRS_CHANGE_RID_MASTER = d58d5f36-0a98-11d1-adbb-00c04fd8d5cd; + const string GUID_DRS_CHANGE_SCHEMA_MASTER= e12b56b6-0a95-11d1-adbb-00c04fd8d5cd; + const string GUID_DRS_GET_CHANGES = 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2; + const string GUID_DRS_GET_ALL_CHANGES = 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2; + const string GUID_DRS_GET_FILTERED_ATTRIBUTES = 89e95b76-444d-4c62-991a-0facbeda640c; + const string GUID_DRS_MANAGE_TOPOLOGY = 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2; + const string GUID_DRS_MONITOR_TOPOLOGY= f98340fb-7c5b-4cdb-a00b-2ebdfa115a96; + const string GUID_DRS_REPL_SYNCRONIZE = 1131f6ab-9c07-11d1-f79f-00c04fc2dcd2; + const string GUID_DRS_RO_REPL_SECRET_SYNC = 1131f6ae-9c07-11d1-f79f-00c04fc2dcd2; +} \ No newline at end of file diff --git a/source4/scripting/python/pyglue.c b/source4/scripting/python/pyglue.c index c64f08e..e28406a 100644 --- a/source4/scripting/python/pyglue.c +++ b/source4/scripting/python/pyglue.c @@ -772,6 +772,21 @@ void initglue(void) PyModule_AddObject(m, SECINFO_DACL, PyInt_FromLong(SECINFO_DACL)); PyModule_AddObject(m, SECINFO_SACL, PyInt_FromLong(SECINFO_SACL)); + /* control access rights guids
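Review bot: The new constant `GUID_DRS_REPL_SYNCRONIZE` misspells "synchronize"; since these names are exported to Python through pyglue.c in the same commit and will be referenced by scripts, the identifier is far easier to correct now than after it has users — `const string GUID_DRS_REPL_SYNCHRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";`. The rewritten closing brace is marked `\ No newline at end of file`, which the previous version of the file did not have; restoring the trailing newline keeps later diffs clean. A one-line comment naming the specification these values are taken from would help reviewers verify them, since the header `/* Extended right guids */` does not say.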
The branch, master has been updated via 222b955... Moved access_check_on_dn from acl module as an utility. from 24a7f8f... s3-winreg: make QueryValue pass RPC-WINREG test again. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 222b955237ed2a0d838738b4bacffc1106af2dc3 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Thu Mar 11 23:10:38 2010 +0200 Moved access_check_on_dn from acl module as an utility. Made this an utility function so it can be used for access checking outside of the acl ldb module, such as checking validated writes and control access rights in other protocols (e. g drs) --- Summary of changes: source4/dsdb/common/dsdb_access.c| 181 ++ source4/dsdb/config.mk |3 +- source4/dsdb/samdb/ldb_modules/acl.c | 175 - 3 files changed, 202 insertions(+), 157 deletions(-) create mode 100644 source4/dsdb/common/dsdb_access.c Changeset truncated at 500 lines: diff --git a/source4/dsdb/common/dsdb_access.c b/source4/dsdb/common/dsdb_access.c new file mode 100644 index 000..1f8b795 --- /dev/null +++ b/source4/dsdb/common/dsdb_access.c 
@@ -0,0 +1,181 @@ +/* + ldb database library + + Copyright (C) Nadezhda Ivanova 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. +*/ + +/* + * Name: dsdb_access + * + * Description: utility functions for access checking on objects + * + * Authors: Nadezhda Ivanova + */ + +#include includes.h +#include events/events.h +#include ldb.h +#include ldb_errors.h +#include ../lib/util/util_ldb.h +#include ../lib/crypto/crypto.h +#include libcli/security/security.h +#include librpc/gen_ndr/ndr_security.h +#include librpc/gen_ndr/ndr_misc.h +#include ../libds/common/flags.h +#include libcli/ldap/ldap_ndr.h +#include param/param.h +#include libcli/auth/libcli_auth.h +#include librpc/gen_ndr/ndr_drsblobs.h +#include system/locale.h +#include auth/auth.h +#include lib/util/tsort.h + +void dsdb_acl_debug(struct security_descriptor *sd, + struct security_token *token, + struct ldb_dn *dn, + bool denied, + int level) +{ + if (denied) { + DEBUG(level, (Access on %s denied, ldb_dn_get_linearized(dn))); + } else { + DEBUG(level, (Access on %s granted, ldb_dn_get_linearized(dn))); + } + + DEBUG(level,(Security context: %s\n, + ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_token,, token))); + DEBUG(level,(Security descriptor: %s\n, + ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,, sd))); +} + +int dsdb_get_sd_from_ldb_message(TALLOC_CTX *mem_ctx, +struct ldb_message 
*acl_res, +struct security_descriptor **sd) +{ + struct ldb_message_element *sd_element; + enum ndr_err_code ndr_err; + + sd_element = ldb_msg_find_element(acl_res, nTSecurityDescriptor); + if (!sd_element) { + *sd = NULL; + return LDB_SUCCESS; + } + *sd = talloc(mem_ctx, struct security_descriptor); + if(!*sd) { + return LDB_ERR_OPERATIONS_ERROR; + } + ndr_err = ndr_pull_struct_blob(sd_element-values[0], *sd, NULL, *sd, + (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return LDB_ERR_OPERATIONS_ERROR; + } + + return LDB_SUCCESS; +} + +int dsdb_get_dom_sid_from_ldb_message(TALLOC_CTX *mem_ctx, +struct ldb_message *acl_res, +struct dom_sid **sid) +{ + struct ldb_message_element *sid_element; + enum ndr_err_code ndr_err; + + sid_element = ldb_msg_find_element(acl_res, objectSid); + if (!sid_element) { + *sid = NULL; + return LDB_SUCCESS; + } + *sid = talloc(mem_ctx, struct dom_sid); + if(!*sid) { + return LDB_ERR_OPERATIONS_ERROR; + } + ndr_err = ndr_pull_struct_blob(sid_element-values[0
The branch, master has been updated via 4b256c6... Fixed ACL module to use dsdb_module_* API. from 8194fc3... s3-netlogon: Fix bug #7237: _netr_SamLogon segfaults for clients sending NULL domain. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4b256c6d8e109d998b8b3a63585cc93596a96bfb Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Fri Mar 12 02:21:16 2010 +0200 Fixed ACL module to use dsdb_module_* API. --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl.c | 18 +- 1 files changed, 9 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 4bc8b82..9280de1 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -118,9 +118,9 @@ static int acl_module_init(struct ldb_module *module) return LDB_ERR_OPERATIONS_ERROR; } - ret = ldb_search(ldb, mem_ctx, res, -ldb_dn_new(mem_ctx, ldb, @KLUDGEACL), -LDB_SCOPE_BASE, attrs, NULL); + ret = dsdb_module_search_dn(module, mem_ctx, res, + ldb_dn_new(mem_ctx, ldb, @KLUDGEACL), + attrs, 0); if (ret != LDB_SUCCESS) { goto done; } @@ -652,8 +652,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) if (ldb_dn_is_special(req-op.mod.message-dn)) { return ldb_next_request(module, req); } - ret = ldb_search(ldb, req, acl_res, req-op.mod.message-dn, -LDB_SCOPE_BASE, acl_attrs, NULL); + ret = dsdb_module_search_dn(module, req, acl_res, req-op.mod.message-dn, + acl_attrs, 0); if (ret != LDB_SUCCESS) { return ret; 
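Review bot: In the @@ -118 hunk the rewritten dsdb_module_search_dn call still passes `ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL")` inline and unchecked; ldb_dn_new returns NULL on allocation failure, and whether dsdb_module_search_dn tolerates a NULL dn is not visible here. Hoisting it, `struct ldb_dn *dn = ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"); if (dn == NULL) { ret = LDB_ERR_OPERATIONS_ERROR; goto done; }`, matches the `goto done` error style the function already uses two lines below. The pre-existing call had the same gap, but the line was being rewritten anyway.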
@@ -845,9 +845,8 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req) } ldb = ldb_module_get_ctx(module); - /* TODO search to include deleted objects */ - ret = ldb_search(ldb, req, acl_res, req-op.rename.olddn, -LDB_SCOPE_BASE, acl_attrs, NULL); + ret = dsdb_module_search_dn(module, req, acl_res, req-op.rename.olddn, + acl_attrs, DSDB_SEARCH_SHOW_DELETED); /* we sould be able to find the parent */ if (ret != LDB_SUCCESS) { DEBUG(10,(acl: failed to find object %s\n, @@ -992,7 +991,8 @@ static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares) || ac-allowedChildClassesEffective || ac-allowedAttributesEffective || ac-sDRightsEffective) { - ret = ldb_search(ldb, ac, acl_res, ares-message-dn, LDB_SCOPE_BASE, acl_attrs, NULL); + ret = dsdb_module_search_dn(ac-module, ac, acl_res, ares-message-dn, + acl_attrs, 0); if (ret != LDB_SUCCESS) { return ldb_module_done(ac-req, NULL, NULL, ret); } -- Samba Shared Repository
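Review bot: The @@ -845 hunk removes the `/* TODO search to include deleted objects */` line and passes DSDB_SEARCH_SHOW_DELETED, but the comment that survives under the new call, `/* we sould be able to find the parent */`, is both misspelled and inaccurate: the search is on req->op.rename.olddn, i.e. the object being renamed, not its parent. Suggest `/* the object being renamed must exist (deleted objects included) */` so the flag's purpose is stated next to its use. acl_rename's body continues outside the hunk.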
The branch, master has been updated via be79f57... Split the dsdb_access_check_on_dn. from 4b256c6... Fixed ACL module to use dsdb_module_* API. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit be79f572ed2a5853917eeede3991c1674ad655a6 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Fri Mar 12 03:13:51 2010 +0200 Split the dsdb_access_check_on_dn. Split the dsdb_access_check_on_dn so it can be reused for checks from both within the module stack and outside it. --- Summary of changes: source4/dsdb/common/dsdb_access.c| 85 +++-- source4/dsdb/samdb/ldb_modules/acl.c | 49 +-- 2 files changed, 93 insertions(+), 41 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/common/dsdb_access.c b/source4/dsdb/common/dsdb_access.c index 1f8b795..40233f9 100644 --- a/source4/dsdb/common/dsdb_access.c +++ b/source4/dsdb/common/dsdb_access.c @@ -26,22 +26,13 @@ */ #include includes.h -#include events/events.h #include ldb.h #include ldb_errors.h -#include ../lib/util/util_ldb.h -#include ../lib/crypto/crypto.h #include libcli/security/security.h #include librpc/gen_ndr/ndr_security.h -#include librpc/gen_ndr/ndr_misc.h -#include ../libds/common/flags.h #include libcli/ldap/ldap_ndr.h #include param/param.h -#include libcli/auth/libcli_auth.h -#include librpc/gen_ndr/ndr_drsblobs.h -#include system/locale.h #include auth/auth.h -#include lib/util/tsort.h void dsdb_acl_debug(struct security_descriptor *sd, struct security_token *token, 
@@ -113,38 +104,20 @@ int dsdb_get_dom_sid_from_ldb_message(TALLOC_CTX *mem_ctx, return LDB_SUCCESS; } -int dsdb_check_access_on_dn(struct ldb_context *ldb, - TALLOC_CTX *mem_ctx, - struct ldb_dn *dn, - uint32_t access, - const struct GUID *guid) +int dsdb_check_access_on_dn_internal(struct ldb_result *acl_res, +TALLOC_CTX *mem_ctx, +struct security_token *token, +struct ldb_dn *dn, +uint32_t access, +const struct GUID *guid) { - int ret; - struct ldb_result *acl_res; struct security_descriptor *sd = NULL; struct dom_sid *sid = NULL; struct object_tree *root = NULL; struct object_tree *new_node = NULL; NTSTATUS status; uint32_t access_granted; - static const char *acl_attrs[] = { - nTSecurityDescriptor, - objectSid, - NULL - }; - - struct auth_session_info *session_info - = (struct auth_session_info *)ldb_get_opaque(ldb, sessionInfo); - if(!session_info) { - return LDB_ERR_OPERATIONS_ERROR; - } - - ret = ldb_search(ldb, mem_ctx, acl_res, dn, LDB_SCOPE_BASE, acl_attrs, NULL); - /* we sould be able to find the parent */ - if (ret != LDB_SUCCESS) { - DEBUG(10,(acl: failed to find object %s\n, ldb_dn_get_linearized(dn))); - return ret; - } + int ret; ret = dsdb_get_sd_from_ldb_message(mem_ctx, acl_res-msgs[0], sd); if (ret != LDB_SUCCESS) { @@ -164,14 +137,14 @@ int dsdb_check_access_on_dn(struct ldb_context *ldb, return LDB_ERR_OPERATIONS_ERROR; } } - status = sec_access_check_ds(sd, session_info-security_token, + status = sec_access_check_ds(sd, token, access, access_granted, root, sid); if (!NT_STATUS_IS_OK(status)) { dsdb_acl_debug(sd, - session_info-security_token, + token, dn, true, 10); 
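Review bot: dsdb_check_access_on_dn_internal, as split out in the @@ -113 hunk, dereferences `acl_res->msgs[0]` without checking that acl_res is non-NULL and holds a result; previously the in-function base search and its LDB_SUCCESS check sat directly above that line, whereas now any caller, including ones outside the module stack that the commit message anticipates, supplies acl_res. A guard at the top, `if (acl_res == NULL || acl_res->count < 1) { return LDB_ERR_OPERATIONS_ERROR; }`, keeps the contract explicit regardless of the caller. A header comment stating that acl_res must be a base search on dn returning nTSecurityDescriptor and objectSid (the attributes the removed acl_attrs list requested) would tell external callers what to fetch.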
@@ -179,3 +152,43 @@ int dsdb_check_access_on_dn(struct ldb_context *ldb, } return LDB_SUCCESS; } + +/* performs an access check from outside the module stack + * given the dn of the object to be checked, the required access + * guid is either the guid of the extended right, or NULL + */ + +int dsdb_check_access_on_dn(struct ldb_context *ldb, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + uint32_t access, + const struct GUID *guid) +{ + int ret; + struct ldb_result *acl_res; + static const char *acl_attrs[] = { + nTSecurityDescriptor
The branch, master has been updated via f742623... Added a check for permissions to modify the RDN attribute on rename. from ec53a0c... s4:dsdb/dns: change callers of samba_runcmd() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f742623b7b8a19ff3230754562deeac7657cd8cd Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Sun Mar 7 21:42:53 2010 +0200 Added a check for permissions to modify the RDN attribute on rename. Necessary because rdn module will be moved lower than acl in the stack. --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl.c | 12 source4/lib/ldb/tests/python/acl.py | 32 2 files changed, 44 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index c10624d..e7665c7 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -958,6 +958,7 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req) TALLOC_CTX *tmp_ctx = talloc_new(req); NTSTATUS status; uint32_t access_granted; + const char *rdn_name; static const char *acl_attrs[] = { nTSecurityDescriptor, objectClass, @@ -1001,6 +1002,17 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req) return LDB_ERR_OPERATIONS_ERROR; }; + rdn_name = ldb_dn_get_rdn_name(req-op.rename.olddn); + if (rdn_name == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + guid = attribute_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb), + rdn_name); + if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP, + new_node, new_node)) { + return LDB_ERR_OPERATIONS_ERROR; + }; + ret = get_sd_from_ldb_message(req, acl_res-msgs[0], sd); if (ret != LDB_SUCCESS) { diff --git a/source4/lib/ldb/tests/python/acl.py b/source4/lib/ldb/tests/python/acl.py index 083c7ae..42c8c7e 100755 --- a/source4/lib/ldb/tests/python/acl.py +++ b/source4/lib/ldb/tests/python/acl.py 
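Review bot: In the @@ -1001 hunk the `guid` returned by `attribute_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb), rdn_name)` goes into insert_in_object_tree without a NULL check, although the rdn_name result one line above is checked; if the RDN attribute is unknown to the schema (whether that lookup can return NULL is not visible here) the access check would proceed with a NULL guid. Checking it, `if (guid == NULL) { return LDB_ERR_OPERATIONS_ERROR; }`, makes that path deliberate and fail-closed. The check covers only the RDN attribute of olddn; if a rename may change the RDN attribute type, the new RDN attribute is not examined here, which deserves a comment either way. The `};` closing the new block (copied from the existing one above it) is a stray empty statement; acl_rename's body continues outside the hunk.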
@@ -785,6 +785,7 @@ class AclRenameTests(AclTests): self.delete_force(self.ldb_admin, CN=test_rename_user1,OU=test_rename_ou1, + self.base_dn) self.delete_force(self.ldb_admin, CN=test_rename_user2,OU=test_rename_ou1, + self.base_dn) self.delete_force(self.ldb_admin, CN=test_rename_user5,OU=test_rename_ou1, + self.base_dn) +self.delete_force(self.ldb_admin, OU=test_rename_ou3,OU=test_rename_ou1, + self.base_dn) self.delete_force(self.ldb_admin, OU=test_rename_ou1, + self.base_dn) if self.SAMBA: self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) 
@@ -939,6 +940,37 @@ class AclRenameTests(AclTests): % rename_user_dn ) self.assertNotEqual( res, [] ) +def test_rename_u8(self): +Test rename on an object with and without modify access on the RDN attribute +ou1_dn = OU=test_rename_ou1, + self.base_dn +ou2_dn = OU=test_rename_ou2, + ou1_dn +ou3_dn = OU=test_rename_ou3, + ou1_dn +# Create OU structure +self.create_ou(self.ldb_admin, ou1_dn) +self.create_ou(self.ldb_admin, ou2_dn) +sid = self.get_object_sid(self.get_user_dn(self.regular_user)) +mod = (OA;;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;%s) % str(sid) +self.dacl_add_ace(ou2_dn, mod) +mod = (OD;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s) % str(sid) +self.dacl_add_ace(ou2_dn, mod) +try: +self.ldb_user.rename(ou2_dn, ou3_dn) +except LdbError, (num, _): +self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) +else: +# This rename operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS +self.fail() +sid = self.get_object_sid(self.get_user_dn(self.regular_user)) +mod = (A;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s) % str(sid) +self.dacl_add_ace(ou2_dn, mod) +self.ldb_user.rename(ou2_dn, ou3_dn) +res = self.ldb_admin.search( self.base_dn, expression=(distinguishedName=%s) \ +% ou2_dn ) +self.assertEqual( res, [] ) +res = self.ldb_admin.search( self.base_dn, expression=(distinguishedName=%s) \ +% ou3_dn ) +self.assertNotEqual( res, [] ) + # Important unit running information if not :// in host: -- Samba Shared Repository
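Review bot: In test_rename_u8 the ACE that is meant to make the second rename succeed, `mod = "(A;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid)`, uses the plain `A` (access-allowed) type with a GUID in the object-type field; as far as the visible code goes a non-object allow ACE grants WP on every property, so this does not exercise a property-specific allow, and the earlier `OD` deny on the same GUID is still in the DACL, which makes the expected success depend on how dacl_add_ace orders the new allow relative to the existing deny. Use `OA` for the allow and either remove the deny first or assert the deny-before-allow outcome explicitly. The same GUID literal appears three times; a named constant with a comment saying which attribute it identifies would make the test readable. The test lives in AclRenameTests whose other methods are outside the hunk.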
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via deebbe7... A helper function to get the Infrastructure DN. from 4b8961bc.. Fixed a bug in acl tests - python error when we create user/group/ou with a descriptor. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit deebbe7cfae309baed9654e6e8354886eb3c568f Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Tue Mar 9 14:56:46 2010 +0200 A helper function to get the Infrastructure DN. --- Summary of changes: source4/dsdb/common/util.c | 12 1 files changed, 12 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index f597c41..9c29509 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -1069,6 +1069,18 @@ struct ldb_dn *samdb_partitions_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ return new_dn; } +struct ldb_dn *samdb_infrastructure_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx) +{ + struct ldb_dn *new_dn; + + new_dn = ldb_dn_copy(mem_ctx, samdb_base_dn(sam_ctx)); + if ( ! ldb_dn_add_child_fmt(new_dn, CN=Infrastructure)) { + talloc_free(new_dn); + return NULL; + } + return new_dn; +} + struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx) { struct ldb_dn *new_dn; -- Samba Shared Repository
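Review bot: samdb_infrastructure_dn does not check the result of `ldb_dn_copy(mem_ctx, samdb_base_dn(sam_ctx))` before handing it to ldb_dn_add_child_fmt, so it relies on that function tolerating a NULL dn on allocation failure or a missing base DN; an explicit `if (new_dn == NULL) { return NULL; }` after the copy makes the failure path obvious. A header comment would also help, e.g. `/* Return the DN of CN=Infrastructure under the domain base DN, allocated on mem_ctx; NULL on failure. */`. The neighbouring samdb_partitions_dn and samdb_sites_dn appear to follow the same pattern, so if the check is added it belongs in all of them for consistency.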
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4b8961bc.. Fixed a bug in acl tests - python error when we create user/group/ou with a descriptor. from f742623... Added a check for permissions to modify the RDN attribute on rename. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4b8961bc6f7aaf2c420d7b2bc2ef6eb07ab42429 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Tue Mar 9 13:53:41 2010 +0200 Fixed a bug in acl tests - python error when we create user/group/ou with a descriptor. --- Summary of changes: source4/lib/ldb/tests/python/acl.py | 46 +- 1 files changed, 23 insertions(+), 23 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/ldb/tests/python/acl.py b/source4/lib/ldb/tests/python/acl.py index 42c8c7e..0613689 100755 --- a/source4/lib/ldb/tests/python/acl.py +++ b/source4/lib/ldb/tests/python/acl.py 
@@ -120,51 +120,51 @@ member: + member_dn _ldb.modify_ldif(ldif) def create_ou(self, _ldb, ou_dn, desc=None): -ou_dict = { -dn : ou_dn, -ou : ou_dn.split(,)[0][3:], -objectClass : organizationalUnit, -url : www.bbc.co.uk, -} +ldif = +dn: + ou_dn + +ou: + ou_dn.split(,)[0][3:] + +objectClass: organizationalUnit +url: www.example.com + if desc: assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) if isinstance(desc, str): ldif += nTSecurityDescriptor: %s % desc elif isinstance(desc, security.descriptor): ldif += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) -_ldb.add(ou_dict) +_ldb.add_ldif(ldif) def create_user(self, _ldb, user_dn, desc=None): -user_dict = { -dn : user_dn, -sAMAccountName : user_dn.split(,)[0][3:], -objectClass : user, -userPassword : self.user_pass, -url : www.bbc.co.uk, -} +ldif = +dn: + user_dn + +sAMAccountName: + user_dn.split(,)[0][3:] + +objectClass: user +userPassword: + self.user_pass + +url: www.example.com + if desc: assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) if isinstance(desc, str): ldif += nTSecurityDescriptor: %s % desc elif isinstance(desc, security.descriptor): ldif += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) -_ldb.add(user_dict) +_ldb.add_ldif(ldif) def create_group(self, _ldb, group_dn, desc=None): -group_dict = { -dn : group_dn, -objectClass : group, -sAMAccountName : group_dn.split(,)[0][3:], -groupType : 4, -url : www.bbc.co.uk, -} +ldif = +dn: + group_dn + +objectClass: group +sAMAccountName: + group_dn.split(,)[0][3:] + +groupType: 4 +url: www.example.com + if desc: assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) if isinstance(desc, str): ldif += nTSecurityDescriptor: %s % desc elif isinstance(desc, security.descriptor): ldif += nTSecurityDescriptor:: %s % base64.b64encode(ndr_pack(desc)) -_ldb.add(group_dict) +_ldb.add_ldif(ldif) def read_desc(self, object_dn): res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, 
[nTSecurityDescriptor]) -- Samba Shared Repository
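Review bot: The nTSecurityDescriptor handling is now copied verbatim into create_ou, create_user and create_group (the `if desc:` block with the assert and the str/descriptor branches); a single helper, e.g. `def _desc_ldif(self, desc)` returning the `nTSecurityDescriptor: ...` line or an empty string, would keep the three in step when the encoding changes. The values are spliced into LDIF by string concatenation, so a DN, password or url containing a leading space, a colon or a newline would need base64 (`::`) encoding to round-trip; that is fine for these fixtures but worth a one-line comment on the helpers. The hunk begins with the tail of an earlier helper whose start is outside it.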
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8cb416a... Refactored ACL python tests from 22d3169... s3:configure: add --enable-as-needed http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8cb416a0b569017e1928a7a1cead723ce64ca314 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Thu Mar 4 15:22:30 2010 +0200 Refactored ACL python tests Made each type into a separate class to be easily run individually, removed code duplication --- Summary of changes: source4/lib/ldb/tests/python/acl.py | 697 +-- 1 files changed, 256 insertions(+), 441 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/ldb/tests/python/acl.py b/source4/lib/ldb/tests/python/acl.py index 05c3510..083c7ae 100755 --- a/source4/lib/ldb/tests/python/acl.py +++ b/source4/lib/ldb/tests/python/acl.py @@ -1,6 +1,6 @@ #!/usr/bin/python # -*- coding: utf-8 -*- -# This is unit with PPD tests +# This is unit with tests for LDAP access checks import getopt import optparse @@ -13,12 +13,10 @@ sys.path.append(bin/python) import samba.getopt as options -# Some error messages that are being tested from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS -# For running the test unit from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security @@ -72,6 +70,7 @@ class AclTests(unittest.TestCase): self.ldb_admin = ldb self.base_dn = self.find_basedn(self.ldb_admin) self.domain_sid = self.find_domain_sid(self.ldb_admin) +self.user_pass = samba123@ print baseDN: %s % self.base_dn self.SAMBA = False; self.WIN = False res = self.ldb_admin.search(base=,expression=, scope=SCOPE_BASE, 
@@ -80,54 +79,6 @@ class AclTests(unittest.TestCase): self.SAMBA = True else: self.WIN = True -if self.WIN: -# Modify acluser1 acluser2 to be excluded from 'Doamin Admin' group -try: -ldif = -dn: CN=Domain Admins,CN=Users, + self.base_dn + -changetype: modify -delete: member -member: + self.get_user_dn(acluser1) -self.ldb_admin.modify_ldif(ldif) -ldif = -dn: CN=Domain Admins,CN=Users, + self.base_dn + -changetype: modify -delete: member -member: + self.get_user_dn(acluser2) -self.ldb_admin.modify_ldif(ldif) -except LdbError, (num, _): -self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) # LDAP_ENTRY_ALREADY_EXISTS - -def tearDown(self): -# Add -self.delete_force(self.ldb_admin, CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1, + self.base_dn) -self.delete_force(self.ldb_admin, CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1, + self.base_dn) -self.delete_force(self.ldb_admin, OU=test_add_ou2,OU=test_add_ou1, + self.base_dn) -self.delete_force(self.ldb_admin, OU=test_add_ou1, + self.base_dn) -# Modify -self.delete_force(self.ldb_admin, self.get_user_dn(test_modify_user1)) -self.delete_force(self.ldb_admin, CN=test_modify_group1,CN=Users, + self.base_dn) -self.delete_force(self.ldb_admin, OU=test_modify_ou1, + self.base_dn) -# Search -self.delete_force(self.ldb_admin, CN=test_search_user1,OU=test_search_ou1, + self.base_dn) -self.delete_force(self.ldb_admin, OU=test_search_ou1, + self.base_dn) -# Delete -self.delete_force(self.ldb_admin, self.get_user_dn(test_delete_user1)) -# Rename OU3 -self.delete_force(self.ldb_admin, CN=test_rename_user1,OU=test_rename_ou3,OU=test_rename_ou2, + self.base_dn) -self.delete_force(self.ldb_admin, CN=test_rename_user2,OU=test_rename_ou3,OU=test_rename_ou2, + self.base_dn) -self.delete_force(self.ldb_admin, CN=test_rename_user5,OU=test_rename_ou3,OU=test_rename_ou2, + self.base_dn) -self.delete_force(self.ldb_admin, OU=test_rename_ou3,OU=test_rename_ou2, + self.base_dn) -# Rename OU2 -self.delete_force(self.ldb_admin, 
CN=test_rename_user1,OU=test_rename_ou2, + self.base_dn) -self.delete_force(self.ldb_admin, CN=test_rename_user2,OU=test_rename_ou2, + self.base_dn) -self.delete_force(self.ldb_admin, CN=test_rename_user5,OU=test_rename_ou2, + self.base_dn) -self.delete_force(self.ldb_admin, OU=test_rename_ou2, + self.base_dn) -# Rename OU1 -self.delete_force(self.ldb_admin, CN=test_rename_user1,OU=test_rename_ou1, + self.base_dn) -self.delete_force(self.ldb_admin, CN=test_rename_user2,OU=test_rename_ou1, + self.base_dn) -self.delete_force(self.ldb_admin, CN
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via adc38b0... Fixed a bug caused by a typo. Infrastructure role didn't work. from 2dc56d6... s4/ldap: Test to expoit ldb_ildap bug in case of nested search requests http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit adc38b00a90897da0ccf0120638b520153d0f4d6 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Fri Jan 29 15:42:46 2010 +0200 Fixed a bug caused by a typo. Infrastructure role didn't work. --- Summary of changes: source4/scripting/python/samba/netcmd/fsmo.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/netcmd/fsmo.py b/source4/scripting/python/samba/netcmd/fsmo.py index 6bfc2ef..171b89a 100644 --- a/source4/scripting/python/samba/netcmd/fsmo.py +++ b/source4/scripting/python/samba/netcmd/fsmo.py @@ -104,7 +104,7 @@ all=all of the above), elif role == naming: m.dn = ldb.Dn(samdb, self.naming_dn) elif role == infrastructure: -m.dn = ldb.Dn(samdb, self.indrastructure_dn) +m.dn = ldb.Dn(samdb, self.infrastructure_dn) elif role == schema: m.dn = ldb.Dn(samdb, self.schema_dn) else: -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via dffb5ad... Implemented net fsmo command for transferring fsmo roles from 0e2d1cf... s4-smbtorture: pick correct last packet while checking backchannel replies in RPC-SPOOLSS-NOTIFY. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit dffb5ad2bf75fc0bcb69dce5cde52c8a1ea9c4f9 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Wed Jan 27 17:57:37 2010 +0200 Implemented net fsmo command for transferring fsmo roles The command allows the user to transfer a fsmo role to the server to which the connection is established. Roles can be transferred or seized. By default a transfer is attempted even if seize option is chosen, as it is dangerous to seize a role if the current owner is still running. example use: net fsmo show --host=hostnameoraddress --username=username --password=password net fsmo transfer --role=role --host=hostnameoraddress --username=username --password=password net fsmo seize --role=role --host=hostnameoraddress --username=username --password=password [--force] Tested against Win2008. Does not work for samba 4 yet as we are missing the GetNCChanges extensions. --- Summary of changes: source4/scripting/python/samba/netcmd/__init__.py |2 + source4/scripting/python/samba/netcmd/fsmo.py | 202 + 2 files changed, 204 insertions(+), 0 deletions(-) create mode 100644 source4/scripting/python/samba/netcmd/fsmo.py Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/netcmd/__init__.py b/source4/scripting/python/samba/netcmd/__init__.py index d6a130c..09c8cc3 100644 --- a/source4/scripting/python/samba/netcmd/__init__.py +++ b/source4/scripting/python/samba/netcmd/__init__.py @@ -145,3 +145,5 @@ from samba.netcmd.newuser import cmd_newuser commands[newuser] = cmd_newuser() from samba.netcmd.ntacl import cmd_acl commands[acl] = cmd_acl() +from samba.netcmd.fsmo import cmd_fsmo +commands[fsmo] = cmd_fsmo() 
diff --git a/source4/scripting/python/samba/netcmd/fsmo.py b/source4/scripting/python/samba/netcmd/fsmo.py new file mode 100644 index 000..6bfc2ef --- /dev/null +++ b/source4/scripting/python/samba/netcmd/fsmo.py 
@@ -0,0 +1,202 @@ +#!/usr/bin/python +# +# Changes a FSMO role owner +# +# Copyright Nadezhda Ivanova 2009 +# Copyright Jelmer Vernooij 2009 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# + +import samba.getopt as options +import ldb +from ldb import LdbError + +from samba.auth import system_session +from samba.netcmd import ( +Command, +CommandError, +Option, +) +from samba.samdb import SamDB + +class cmd_fsmo(Command): +Makes the targer DC transfer or seize a fsmo role + +synopsis = (show | transfer options | seize options) + +takes_optiongroups = { +sambaopts: options.SambaOptions, +credopts: options.CredentialsOptions, +versionopts: options.VersionOptions, +} + +takes_options = [ +Option(--host, help=LDB URL for database or target server, type=str), +Option(--force, help=Force seizing of the role without attempting to transfer first., action=store_true), +Option(--role, type=choice, choices=[rid, pdc, infrastructure,schema,naming,all], + help=The FSMO role to seize or transfer.\n +rid=RidAllocationMasterRole\n +schema=SchemaMasterRole\n +pdc=PdcEmulationMasterRole\n +naming=DomainNamingMasterRole\n +infrastructure=InfrastructureMasterRole\n +all=all of the above), +] + +takes_args = [subcommand] + +def transfer_role(self, role, samdb): +m = ldb.Message() +m.dn = ldb.Dn(samdb, ) +if role == rid: +m[becomeRidMaster]= ldb.MessageElement( +1, ldb.FLAG_MOD_REPLACE, 
+becomeRidMaster) +elif role == pdc: +domain_dn = SamDB.domain_dn(samdb) +res = samdb.search(domain_dn, + scope=ldb.SCOPE_BASE, attrs=[objectSid]) +assert(len(res) == 1) +sid = res[0][objectSid][0] +m[becomePdc]= ldb.MessageElement( +sid, ldb.FLAG_MOD_REPLACE, +becomePdc) +elif
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5d1aa4c... Comparison tool for LDAP servers (using Ldb) via 9b3871e... Merge branch 'master' of git://git.samba.org/samba via 309473f... Merge branch 'master' of git://git.samba.org/samba via fb5383c... Merge branch 'master' of git://git.samba.org/samba via 60d8ab3... Adapted acl module to skip checks if as_system control is provided. from ca84795... Fix bug #7034 - vfs_cap causes signal 11 (SIGSEGV) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5d1aa4c5b796ad5e65f7447414d09c059f060946 Author: Zahari Zahariev zahari.zahar...@postpath.com Date: Wed Jan 13 10:41:56 2010 +0200 Comparison tool for LDAP servers (using Ldb) This tool is integrated with Samba4 Ldb. It provides a useful output where you can find easy differences in objects or attributes within naming context (Domain, Configuration or Schema). Added functionality for two sets of credentials. commit 9b3871ed293f76e770e572cd6b59f59670f1f6f8 Merge: 309473f938d18b9993c2c4f120eeff7b4641985a ca847952054f5bbde1d40ad4260589b6fcc9721d Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Wed Jan 13 12:02:31 2010 +0200 Merge branch 'master' of git://git.samba.org/samba commit 309473f938d18b9993c2c4f120eeff7b4641985a Merge: fb5383c69ee52fb5e6d066a43451dc8c806cc795 71a40d7e2c21bf3ac47be3ec57fb091ff420ba9a Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Thu Jan 7 12:34:06 2010 +0200 Merge branch 'master' of git://git.samba.org/samba commit fb5383c69ee52fb5e6d066a43451dc8c806cc795 Merge: 60d8ab3b7b0bd2c9b633f0380d1fdf5bcf5e2621 a06e5cdb99ddf7abf16486d3837105ec4e0da9ee Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Mon Jan 4 11:24:10 2010 +0200 Merge branch 'master' of git://git.samba.org/samba commit 60d8ab3b7b0bd2c9b633f0380d1fdf5bcf5e2621 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Fri Dec 18 18:00:15 2009 +0200 Adapted acl module to skip checks if as_system control is provided. 
--- Summary of changes: source4/scripting/devel/ldapcmp | 449 ++ source4/scripting/python/samba/getopt.py | 52 2 files changed, 501 insertions(+), 0 deletions(-) create mode 100755 source4/scripting/devel/ldapcmp Changeset truncated at 500 lines: diff --git a/source4/scripting/devel/ldapcmp b/source4/scripting/devel/ldapcmp new file mode 100755 index 000..9258e9c --- /dev/null +++ b/source4/scripting/devel/ldapcmp 
@@ -0,0 +1,449 @@ +#!/usr/bin/python +# +# Unix SMB/CIFS implementation. +# A script to compare differences of objects and attributes between +# two LDAP servers both running at the same time. It generally compares +# one of the three pratitions DOMAIN, CONFIGURATION or SCHEMA. Users +# that have to be provided sheould be able to read objects in any of the +# above partitions. + +# Copyright (C) Zahari Zahariev zahari.zahar...@postpath.com 2009 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# + +import os +import re +import sys +from optparse import OptionParser + +sys.path.insert(0, bin/python) + +import samba +import samba.getopt as options +from samba import Ldb +from samba.ndr import ndr_pack, ndr_unpack +from samba.dcerpc import security +from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, ERR_NO_SUCH_OBJECT, LdbError + +global summary +summary = {} + +class LDAPBase(object): + +def __init__(self, host, creds, lp): +if not :// in host: +self.host = ldap://; + host + :389 +self.ldb = Ldb(self.host, credentials=creds, lp=lp, + options=[modules:paged_searches]) +self.base_dn = self.find_basedn() +self.netbios_name = self.find_netbios() +self.domain_name = re.sub([Dd][Cc]=, , self.base_dn).replace(,, .) 
+self.domain_sid_bin = self.get_object_sid(self.base_dn) + +def find_netbios(self): +res = self.ldb.search(base=CN=Partitions,CN=Configuration,%s % self.base_dn, \ +scope=SCOPE_SUBTREE, attrs=[nETBIOSName]) +assert len(res) 0 +for x in res: +if nETBIOSName in x.keys(): +return x[nETBIOSName][0
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a4eaa11... Fixed a problem with incorrect default SD owner/group. from 026b230... s3: Fix a winbind segfault in trusted_domains http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a4eaa111342bfed4d31b9bffc60a1307e8a0d3c1 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Wed Jan 13 15:16:38 2010 +0200 Fixed a problem with incorrect default SD owner/group. --- Summary of changes: source4/scripting/python/samba/provision.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index a71b561..07de425 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -945,7 +945,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, message(Reopening sam.ldb with new schema); samdb.transaction_commit() -samdb = Ldb(session_info=session_info, +samdb = Ldb(session_info=admin_session_info, credentials=provision_backend.credentials, lp=lp) samdb.connect(path) samdb.transaction_start() -- Samba Shared Repository
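Review bot: The reopen now uses `admin_session_info`, but nothing in the hunk records why this open needs a different session from the `session_info` the surrounding code passes around; add a comment on the line, e.g. `# Reopen as the administrator so objects created from here on get the intended default owner/group in their security descriptor`, which is the motivation the commit title gives. Where admin_session_info is defined, and whether the first open of sam.ldb (outside the hunk) should also use it, is not visible from this change and worth confirming. setup_samdb starts and ends outside the hunk.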
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 39616c0... Added oid for AS_SYSTEM control, used to bypass access checks for system operations. from 72d68ac... s3-docs: mention pam_winbind.conf(5) manpage in pam_winbind(8) manpage. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 39616c0ea2e2268d7b403bdb5d1a1250c7e44653 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Fri Dec 18 15:40:11 2009 +0200 Added oid for AS_SYSTEM control, used to bypass access checks for system operations. --- Summary of changes: source4/lib/ldb/include/ldb.h |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/ldb/include/ldb.h b/source4/lib/ldb/include/ldb.h index 81ec9ee..c8bfa24 100644 --- a/source4/lib/ldb/include/ldb.h +++ b/source4/lib/ldb/include/ldb.h @@ -477,6 +477,12 @@ typedef int (*ldb_qsort_cmp_fn_t) (void *v1, void *v2, void *opaque); */ #define LDB_CONTROL_REVEAL_INTERNALS 1.3.6.1.4.1.7165.4.3.6 +/** + LDB_CONTROL_AS_SYSTEM is used to skip access checks on operations + that are performed by the system, but with a user's credentials, e.g. + updating prefix map +*/ +#define LDB_CONTROL_AS_SYSTEM_OID 1.3.6.1.4.1.7165.4.3.7 /** OID for the paged results control. This control is included in the -- Samba Shared Repository
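Review bot: The comment on the new LDB_CONTROL_AS_SYSTEM_OID says the control skips access checks but not who may attach it, and a control that bypasses ACLs must never be honoured when it arrives from an LDAP client; the comment should state that contract, e.g. `Only in-process callers may add this control; the LDAP server must reject or strip it from requests received over the wire.` Whether ldap_backend.c actually filters it is not visible in this hunk and should be checked alongside this definition. The name also differs from the visible neighbour `LDB_CONTROL_REVEAL_INTERNALS` by carrying an `_OID` suffix; follow whichever convention the rest of the header uses.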
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ea365af... Added freeing a successful req so it doesnt croud the ldb context from 39616c0... Added oid for AS_SYSTEM control, used to bypass access checks for system operations. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ea365af4f597fd1fb596018920040a6af49144ec Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Fri Dec 18 17:57:08 2009 +0200 Added freeing a successful req so it doesnt croud the ldb context --- Summary of changes: source4/ldap_server/ldap_backend.c |6 -- 1 files changed, 4 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c index d983a54..689fd31 100644 --- a/source4/ldap_server/ldap_backend.c +++ b/source4/ldap_server/ldap_backend.c @@ -206,9 +206,11 @@ static int ldb_mod_req_with_controls(struct ldb_context *ldb, } if (ret == LDB_SUCCESS) { - return ldb_transaction_commit(ldb); + ret = ldb_transaction_commit(ldb); + } + else { + ldb_transaction_cancel(ldb); } - ldb_transaction_cancel(ldb); talloc_free(req); return ret; -- Samba Shared Repository
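Review bot: The new `else` branch is written as `}` on one line and `else {` on the next, which does not match the `} else {` brace style used elsewhere in this function; join the two lines into `} else {`. The behavioural change is right: `talloc_free(req)` now runs on both paths and the commit result is captured in `ret` before returning. If `ldb_transaction_commit` can fail, confirm that a failed commit does not also need `ldb_transaction_cancel`, since the hunk does not show ldb's contract for that case. ldb_mod_req_with_controls starts outside the hunk.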
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c0883fb... Fixed incorrect checking of PRINCIPAL_SELF permissions. from 619ad0c... s4-smbtorture: add a samr_GetAliasMembership test to RPC-SAMR. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c0883fb4518570c85bf0a33ea0ce244f23c07c62 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Thu Dec 17 17:25:11 2009 +0200 Fixed incorrect checking of PRINCIPAL_SELF permissions. If an ace has the PRINCIPAL_SELF as trustee, this sid has to be replaced with the onjectSid of the object being checked. PRINCIPAL_SELF is the way to grant rights to an account over itself. --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl.c | 97 source4/lib/ldb/tests/python/acl.py| 43 +- source4/libcli/security/access_check.c | 15 - 3 files changed, 139 insertions(+), 16 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index dcd015b..6cb50b2 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -204,6 +204,33 @@ static const struct GUID *get_oc_guid_from_message(struct ldb_module *module, (char *)oc_el-values[oc_el-num_values-1].data); } +static int get_dom_sid_from_ldb_message(TALLOC_CTX *mem_ctx, + struct ldb_message *acl_res, + struct dom_sid **sid) +{ + struct ldb_message_element *sid_element; + enum ndr_err_code ndr_err; + + sid_element = ldb_msg_find_element(acl_res, objectSid); + if (!sid_element) { + *sid = NULL; + return LDB_SUCCESS; + } + *sid = talloc(mem_ctx, struct dom_sid); + if(!*sid) { + return LDB_ERR_OPERATIONS_ERROR; + } + ndr_err = ndr_pull_struct_blob(sid_element-values[0], *sid, NULL, *sid, + (ndr_pull_flags_fn_t)ndr_pull_dom_sid); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return LDB_ERR_OPERATIONS_ERROR; + } + + return LDB_SUCCESS; +} + + static void acl_debug(struct security_descriptor *sd, struct security_token *token, struct ldb_dn *dn, 
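Review bot: get_dom_sid_from_ldb_message reads `sid_element->values[0]` without checking `sid_element->num_values`, so an objectSid element that is present but empty would read past the values array; extend the guard to `if (!sid_element || sid_element->num_values == 0) { *sid = NULL; return LDB_SUCCESS; }` (or treat num_values != 1 as an error, since objectSid is single-valued). On ndr pull failure the freshly allocated `*sid` is left non-NULL in the caller's out-parameter; setting `*sid = NULL` after a failed pull avoids a half-initialised SID being used by a caller that ignores the return. A one-line comment saying this SID is the PRINCIPAL_SELF substitution for the object being checked, which the commit message explains, would make the helper's purpose clear, and `if(!*sid)` should be `if (!*sid)` to match the surrounding style.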
@@ -232,10 +259,12 @@ static int check_access_on_dn(struct ldb_module *module, struct ldb_context *ldb = ldb_module_get_ctx(module); struct ldb_result *acl_res; struct security_descriptor *sd = NULL; + struct dom_sid *sid = NULL; NTSTATUS status; uint32_t access_granted; static const char *acl_attrs[] = { nTSecurityDescriptor, + objectSid, NULL }; @@ -254,10 +283,16 @@ static int check_access_on_dn(struct ldb_module *module, if (!sd) { return LDB_SUCCESS; } + ret = get_dom_sid_from_ldb_message(mem_ctx, acl_res-msgs[0], sid); + if (ret != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + status = sec_access_check_ds(sd, acl_user_token(module), access, access_granted, -tree); +tree, +sid); if (!NT_STATUS_IS_OK(status)) { acl_debug(sd, acl_user_token(module), @@ -272,16 +307,15 @@ static int check_access_on_dn(struct ldb_module *module, static int acl_check_access_on_attribute(struct ldb_module *module, TALLOC_CTX *mem_ctx, struct security_descriptor *sd, +struct dom_sid *rp_sid, uint32_t access, struct dsdb_attribute *attr) { int ret; - struct ldb_context *ldb = ldb_module_get_ctx(module); NTSTATUS status; uint32_t access_granted; struct object_tree *root = NULL; struct object_tree *new_node = NULL; - const struct dsdb_schema *schema = dsdb_get_schema(ldb); TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); struct security_token *token = acl_user_token(module); if (attr) { @@ -310,7 +344,8 @@ static int acl_check_access_on_attribute(struct ldb_module *module, status = sec_access_check_ds(sd, token, access, access_granted, -root); +root
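Review bot: In the `@@ -254` hunk of check_access_on_dn the SID from get_dom_sid_from_ldb_message may legitimately be NULL for objects without an objectSid (containers, OUs), and it is passed unconditionally as the last argument to `sec_access_check_ds(sd, acl_user_token(module), access, &access_granted, tree, sid)`; the access_check.c change that consumes it is not in this chunk, so confirm that a NULL SID leaves PRINCIPAL_SELF ACEs unmatched rather than being dereferenced. A comment at the call, `/* sid may be NULL; then PRINCIPAL_SELF ACEs cannot match */`, would record that contract for both sides. The `@@ -310` hunk is cut off at the end of the chunk, so the new call in acl_check_access_on_attribute cannot be reviewed here.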
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4deaa84... Fixed a problem with duplicate values of allowedAttributesEffective. from ef5508b... s4: rename res/res2 to something more explicit http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4deaa84ce4a425bfba4b2612d79cc6fa1e00cca5 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Tue Dec 15 12:02:20 2009 +0200 Fixed a problem with duplicate values of allowedAttributesEffective. --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl.c |4 +++- source4/dsdb/schema/schema_query.c | 11 ++- 2 files changed, 13 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 45aa294..dcd015b 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -431,7 +431,9 @@ static int acl_allowedAttributes(struct ldb_module *module, return LDB_ERR_OPERATIONS_ERROR; } /* remove constructed attributes */ - if (attr-systemFlags DS_FLAG_ATTR_IS_CONSTRUCTED) { + if (attr-systemFlags DS_FLAG_ATTR_IS_CONSTRUCTED + || attr-systemOnly + || (attr-linkID != 0 attr-linkID % 2 != 0 )) { continue; } ret = acl_check_access_on_attribute(module, diff --git a/source4/dsdb/schema/schema_query.c b/source4/dsdb/schema/schema_query.c index 0a58f7a..f563f01 100644 --- a/source4/dsdb/schema/schema_query.c +++ b/source4/dsdb/schema/schema_query.c @@ -350,6 +350,14 @@ static const char **dsdb_full_attribute_list_internal_el(TALLOC_CTX *mem_ctx, return attr_list; } +static int qsort_string(const void *v1, + const void *v2) +{ + char * const *s1 = v1; + char * const *s2 = v2; + return strcasecmp(*s1, *s2); +} + /* Helper function to remove duplicates from the attribute list to be returned */ static const char **dedup_attr_list(const char **attr_list) { 
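Review bot: The new qsort_string comparator orders with `strcasecmp` while dedup_attr_list (next hunk) detects duplicates with `ldb_attr_cmp`; adjacent-duplicate removal only works if the sort order and the equality test agree, so the comparator should use the same function, `return ldb_attr_cmp(*s1, *s2);`, instead of a second, locale-dependent notion of case-insensitive equality. With a comparator of the correct `int (const void *, const void *)` type the `(comparison_fn_t)` cast at the qsort call is unnecessary, and `comparison_fn_t` is a glibc-only typedef. In the acl.c hunk, `attr->linkID != 0 && attr->linkID % 2 != 0` is redundant since 0 is even; `attr->linkID % 2 != 0` alone skips back-links, and a comment naming that intent would help.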
@@ -359,13 +367,14 @@ static const char **dedup_attr_list(const char **attr_list) int i; qsort(attr_list, new_len, sizeof(*attr_list), - (comparison_fn_t)strcasecmp); + (comparison_fn_t)qsort_string); for (i=1 ; i new_len; i++) { const char **val1 = attr_list[i-1]; const char **val2 = attr_list[i]; if (ldb_attr_cmp(*val1, *val2) == 0) { memmove(val1, val2, (new_len - i) * sizeof( *attr_list)); + attr_list[new_len-1] = NULL; new_len--; i--; } -- Samba Shared Repository
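Review bot: The duplicate removal in dedup_attr_list shifts the whole tail with `memmove` for every duplicate it finds, which is quadratic in the number of duplicates; a single write-index compaction pass does the same job in one linear sweep, provided `new_len` is only used as the returned count (the rest of the function is outside the hunk). The added `attr_list[new_len-1] = NULL;` is the right fix for the memmove version, since the last slot previously kept a stale pointer; the compaction below clears the vacated tail the same way and also handles an empty list.
```c
	/* … unchanged: qsort call … */
	/* compact in place: keep the first of each run of equal names, NULL the vacated tail */
	{
		int w = (new_len > 0) ? 1 : 0;
		for (i = 1; i < new_len; i++) {
			if (ldb_attr_cmp(attr_list[w-1], attr_list[i]) != 0) {
				attr_list[w++] = attr_list[i];
			}
		}
		for (i = w; i < new_len; i++) {
			attr_list[i] = NULL;
		}
		new_len = w;
	}
```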
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4330efe... Removed ldb_modify_ctrl from ldb, implemented as a static in ldap_backend. from b85f6f6... s4 torture: Add new RAW-SEARCH test to explore strange max count behavior http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4330efe0f22b7318058867a554222c3c0049f644 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Tue Dec 15 20:29:20 2009 +0200 Removed ldb_modify_ctrl from ldb, implemented as a static in ldap_backend. --- Summary of changes: source4/ldap_server/ldap_backend.c | 44 +++- source4/lib/ldb/common/ldb.c | 17 +++-- source4/lib/ldb/include/ldb.h | 18 -- 3 files changed, 47 insertions(+), 32 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c index 5eabda9..d983a54 100644 --- a/source4/ldap_server/ldap_backend.c +++ b/source4/ldap_server/ldap_backend.c @@ -171,6 +171,48 @@ static int map_ldb_error(TALLOC_CTX *mem_ctx, int ldb_err, /* result is 1:1 for now */ return ldb_err; } +/* create and execute a modify request */ +static int ldb_mod_req_with_controls(struct ldb_context *ldb, +const struct ldb_message *message, +struct ldb_control **controls) +{ + struct ldb_request *req; + int ret; + + ret = ldb_msg_sanity_check(ldb, message); + if (ret != LDB_SUCCESS) { + return ret; + } + + ret = ldb_build_mod_req(req, ldb, ldb, + message, + controls, + NULL, + ldb_op_default_callback, + NULL); + + if (ret != LDB_SUCCESS) { + return ret; + } + + ret = ldb_transaction_start(ldb); + if (ret != LDB_SUCCESS) { + return ret; + } + + ret = ldb_request(ldb, req); + if (ret == LDB_SUCCESS) { + ret = ldb_wait(req-handle, LDB_WAIT_ALL); + } + + if (ret == LDB_SUCCESS) { + return ldb_transaction_commit(ldb); + } + ldb_transaction_cancel(ldb); + + talloc_free(req); + return ret; +} /* connect to the sam database 
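Review bot: ldb_mod_req_with_controls frees `req` only on the failure path: the early `return ret;` after a failed `ldb_transaction_start` and the `return ldb_transaction_commit(ldb);` on success both skip `talloc_free(req)`, and because the request is built on the ldb context itself (`ldb_build_mod_req(&req, ldb, ldb, ...)`), every such request stays allocated for the lifetime of the context. Capture the commit result and fall through to a single free, and free on the transaction-start failure as well; whether a failed ldb_build_mod_req leaves anything allocated is not visible in the hunk. The hunk also adds the function without a comment on ownership; `/* req is allocated on ldb and freed here on every path */` would make the intent explicit.
```c
	ret = ldb_transaction_start(ldb);
	if (ret != LDB_SUCCESS) {
		talloc_free(req);
		return ret;
	}

	ret = ldb_request(ldb, req);
	if (ret == LDB_SUCCESS) {
		ret = ldb_wait(req->handle, LDB_WAIT_ALL);
	}

	if (ret == LDB_SUCCESS) {
		ret = ldb_transaction_commit(ldb);
	} else {
		ldb_transaction_cancel(ldb);
	}
	talloc_free(req);
	return ret;
```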
@@ -546,7 +588,7 @@ reply: NT_STATUS_HAVE_NO_MEMORY(modify_reply); if (result == LDAP_SUCCESS) { - ldb_ret = ldb_modify_ctrl(samdb, msg, call-request-controls); + ldb_ret = ldb_mod_req_with_controls(samdb, msg, call-request-controls); result = map_ldb_error(local_ctx, ldb_ret, errstr); } diff --git a/source4/lib/ldb/common/ldb.c b/source4/lib/ldb/common/ldb.c index 94a5fb2..a3472a6 100644 --- a/source4/lib/ldb/common/ldb.c +++ b/source4/lib/ldb/common/ldb.c @@ -1388,11 +1388,10 @@ int ldb_add(struct ldb_context *ldb, } /* - same as ldb_modify, but accepts controls + modify the specified attributes of a record */ -int ldb_modify_ctrl(struct ldb_context *ldb, - const struct ldb_message *message, - struct ldb_control **controls) +int ldb_modify(struct ldb_context *ldb, + const struct ldb_message *message) { struct ldb_request *req; int ret; @@ -1404,7 +1403,7 @@ int ldb_modify_ctrl(struct ldb_context *ldb, ret = ldb_build_mod_req(req, ldb, ldb, message, - controls, + NULL, NULL, ldb_op_default_callback, NULL); @@ -1417,14 +1416,6 @@ int ldb_modify_ctrl(struct ldb_context *ldb, talloc_free(req); return ret; } -/* - modify the specified attributes of a record -*/ -int ldb_modify(struct ldb_context *ldb, - const struct ldb_message *message) -{ - return ldb_modify_ctrl(ldb, message, NULL); -} /* diff --git a/source4/lib/ldb/include/ldb.h b/source4/lib/ldb/include/ldb.h index 2b80e42..cf55f0a 100644 --- a/source4/lib/ldb/include/ldb.h +++ b/source4/lib/ldb/include/ldb.h @@ -1231,24 +1231,6 @@ int ldb_add(struct ldb_context *ldb, ldb_init()) \param message the message containing the changes required. - \param controls ldap controls for the request - - \return result code (LDB_SUCCESS if the record was modified as - requested, otherwise a failure code) -*/ -int ldb_modify_ctrl(struct ldb_context *ldb, - const struct ldb_message *message, - struct ldb_control **controls); - -/** - Modify the specified
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 56b754e... Implementation of sDRightsEffective, allowedAttributesEffective and allowedChildClassesEffective. from 85e79a2... s3:packaging: Fix source dir. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 56b754e09ad5cd926e1dd0747252b7c359294938 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Thu Dec 10 15:49:53 2009 +0200 Implementation of sDRightsEffective, allowedAttributesEffective and allowedChildClassesEffective. Behavior as documented in WSPP and tested. Needs optimisation though. --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl.c | 650 ++-- source4/dsdb/samdb/ldb_modules/kludge_acl.c|5 +- source4/lib/ldb/tests/python/sec_descriptor.py | 127 +- 3 files changed, 738 insertions(+), 44 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 13e71e5..45aa294 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c 
@@ -1,22 +1,22 @@ /* - ldb database library + ldb database library - Copyright (C) Simo Sorce 2006-2008 - Copyright (C) Nadezhda Ivanova 2009 - Copyright (C) Anatoliy Atanasov 2009 + Copyright (C) Simo Sorce 2006-2008 + Copyright (C) Nadezhda Ivanova 2009 + Copyright (C) Anatoliy Atanasov 2009 -This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. - You should have received a copy of the GNU General Public License - along with this program. If not, see http://www.gnu.org/licenses/. + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. */ /* 
@@ -45,8 +45,21 @@ struct extended_access_check_attribute { const uint32_t requires_rights; }; -struct acl_private{ - bool perform_check; +struct acl_private { + bool acl_perform; + const char **password_attrs; +}; + +struct acl_context { + struct ldb_module *module; + struct ldb_request *req; + enum security_user_level user_type; + bool allowedAttributes; + bool allowedAttributesEffective; + bool allowedChildClasses; + bool allowedChildClassesEffective; + bool sDRightsEffective; + const char * const *attrs; }; bool is_root_base_dn(struct ldb_context *ldb, struct ldb_dn *dn_to_check) @@ -80,7 +93,12 @@ static int acl_module_init(struct ldb_module *module) { struct ldb_context *ldb; struct acl_private *data; - int ret; + int ret, i; + TALLOC_CTX *mem_ctx = talloc_new(module); + static const char *attrs[] = { passwordAttribute, NULL }; + struct ldb_result *res; + struct ldb_message *msg; + struct ldb_message_element *password_attributes; ldb = ldb_module_get_ctx(module); @@ -92,22 +110,69 @@ static int acl_module_init(struct ldb_module *module) } data = talloc(module, struct acl_private); - data-perform_check = lp_parm_bool(ldb_get_opaque(ldb, loadparm), - NULL, acl, perform, false); + if (data == NULL) { + ldb_oom(ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + data-password_attrs = NULL; + data-acl_perform = lp_parm_bool(ldb_get_opaque(ldb, loadparm), +NULL, acl, perform, false); ldb_module_set_private(module, data); + if (!mem_ctx) { + ldb_oom(ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_search(ldb, mem_ctx, res, +ldb_dn_new(mem_ctx, ldb, @KLUDGEACL), +LDB_SCOPE_BASE, attrs, NULL); + if (ret != LDB_SUCCESS) { + goto done; + } + if (res
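Review bot: In the @@ -80 hunk `mem_ctx` is allocated in the declaration list (`TALLOC_CTX *mem_ctx = talloc_new(module);`) before any of acl_module_init's error handling, so the `return LDB_ERR_OPERATIONS_ERROR` taken when `data` is NULL in the following hunk leaves that context hanging off `module`, and the NULL check on `mem_ctx` itself only happens several statements after the allocation. Declare it bare and allocate-and-check it right before the `@KLUDGEACL` search: `mem_ctx = talloc_new(module); if (mem_ctx == NULL) { ldb_oom(ldb); return LDB_ERR_OPERATIONS_ERROR; }`. The new `password_attrs` member of `struct acl_private` is filled from the database at init and presumably drives which attributes the module treats as secrets, so a comment on the struct stating where the list comes from and what an empty or missing list means would help the next reader. acl_module_init and the @@ -92 hunk continue beyond this excerpt.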
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 54991cd... Fixed incorrect indentation. from e28545e... s3: Fix some nonempty blank lines http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 54991cd2e15b797360c112c801b98ec24188da9e Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Sun Nov 22 13:36:35 2009 +0200 Fixed incorrect indentation. --- Summary of changes: source4/dsdb/samdb/ldb_modules/descriptor.c | 13 ++--- 1 files changed, 6 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c index c3413e1..f9992e3 100644 --- a/source4/dsdb/samdb/ldb_modules/descriptor.c +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c @@ -537,12 +537,12 @@ static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply } sd_control = ldb_request_get_control(ac-req, LDB_CONTROL_SD_FLAGS_OID); - if (sd_control) { - struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control-data; - sd_flags = sdctr-secinfo_flags; - /* we only care for the last 4 bits */ - sd_flags = sd_flags 0x000F; - } + if (sd_control) { + struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control-data; + sd_flags = sdctr-secinfo_flags; + /* we only care for the last 4 bits */ + sd_flags = sd_flags 0x000F; + } switch (ares-type) { case LDB_REPLY_ENTRY: @@ -572,7 +572,6 @@ static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply break; case LDB_REPLY_DONE: - return ldb_module_done(ac-req, ares-controls, ares-response, ares-error); } -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e00281d... Implemented LDAP_SERVER_SD_FLAGS_OID on search requests. from e406c17... s4:torture/smb2/oplock - Remove unneeded status redeclarations http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e00281d1f15d342bdfe850d30694e67749075a5d Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Sat Nov 21 18:40:51 2009 +0200 Implemented LDAP_SERVER_SD_FLAGS_OID on search requests. --- Summary of changes: source4/dsdb/samdb/ldb_modules/descriptor.c| 167 +++- source4/dsdb/samdb/ldb_modules/kludge_acl.c| 20 --- source4/lib/ldb/tests/python/sec_descriptor.py | 64 +- 3 files changed, 225 insertions(+), 26 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c index 98e54b1..c3413e1 100644 --- a/source4/dsdb/samdb/ldb_modules/descriptor.c +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c @@ -160,7 +160,7 @@ static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx, uint32_t sd_flags) { struct security_descriptor *final_sd; - /* if there is no control or contlol == 0 modify everything */ + /* if there is no control or control == 0 modify everything */ if (!sd_flags) { return new_sd; } 
@@ -325,6 +325,51 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module, return linear_sd; } +static DATA_BLOB *descr_get_descriptor_to_show(struct ldb_module *module, + TALLOC_CTX *mem_ctx, + struct ldb_val *sd, + uint32_t sd_flags) +{ + struct security_descriptor *old_sd, *final_sd; + DATA_BLOB *linear_sd; + enum ndr_err_code ndr_err; + struct ldb_context *ldb = ldb_module_get_ctx(module); + + old_sd = talloc(mem_ctx, struct security_descriptor); + if (!old_sd) { + return NULL; + } + ndr_err = ndr_pull_struct_blob(sd, old_sd, NULL, + old_sd, + (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + talloc_free(old_sd); + return NULL; + } + + final_sd = descr_handle_sd_flags(mem_ctx, old_sd, NULL, sd_flags); + + if (!final_sd) { + return NULL; + } + + linear_sd = talloc(mem_ctx, DATA_BLOB); + if (!linear_sd) { + return NULL; + } + + ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx, + lp_iconv_convenience(ldb_get_opaque(ldb, loadparm)), + final_sd, + (ndr_push_flags_fn_t)ndr_push_security_descriptor); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return NULL; + } + + return linear_sd; +} + static struct descriptor_context *descriptor_init_context(struct ldb_module *module, struct ldb_request *req) { 
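Review bot: Every failure in descr_get_descriptor_to_show collapses to a bare NULL and the pieces already built stay attached to the caller's `mem_ctx`: `old_sd` is only freed when the NDR pull fails, while the `final_sd` and `linear_sd` failures leave `old_sd` (and `final_sd`) behind, and even the success path keeps the parsed `old_sd` alive although only `linear_sd` is returned. Since this runs once per entry returned by a search, build the intermediates under a temporary context and `talloc_free` it after the push, or at least `talloc_free(old_sd)` once `final_sd` has been serialised. The pull passes `NULL` as the iconv convenience while the push uses `lp_iconv_convenience(...)`; the two should match. How the caller treats a NULL result (drop the attribute or fail the entry) decides whether a malformed stored descriptor silently disappears from results, but that is in descriptor_search_callback, outside this hunk.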
@@ -470,6 +515,74 @@ static int descriptor_op_callback(struct ldb_request *req, struct ldb_reply *are ares-response, ares-error); } +static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares) +{ + struct descriptor_context *ac; + struct ldb_control *sd_control; + struct ldb_val *sd_val = NULL; + struct ldb_message_element *sd_el; + DATA_BLOB *show_sd; + int ret; + uint32_t sd_flags = 0; + + ac = talloc_get_type(req-context, struct descriptor_context); + + if (!ares) { + ret = LDB_ERR_OPERATIONS_ERROR; + goto fail; + } + if (ares-error != LDB_SUCCESS) { + return ldb_module_done(ac-req, ares-controls, + ares-response, ares-error); + } + + sd_control = ldb_request_get_control(ac-req, LDB_CONTROL_SD_FLAGS_OID); + if (sd_control) { + struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control-data; + sd_flags = sdctr-secinfo_flags; + /* we only care for the last 4 bits */ + sd_flags = sd_flags 0x000F; + } + + switch (ares-type) { + case LDB_REPLY_ENTRY: + if (sd_flags != 0) { + sd_el = ldb_msg_find_element(ares-message, nTSecurityDescriptor); + if (sd_el
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a760f16... Some changes to allow processing of ldap controls on modify requests. from 07e971f... s4:ntvfs/posix/pvfs_acl - Remove unused variable token http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a760f169f4936d7e2677db9229181e2c5ac23bcd Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Fri Nov 20 13:22:38 2009 +0200 Some changes to allow processing of ldap controls on modify requests. ldap_backend used to filter out ldap controls on modify. Also, modified python binding for ldap_modify to allow writing tests for such controls. --- Summary of changes: source4/ldap_server/ldap_backend.c |2 +- source4/lib/ldb/common/ldb.c | 17 ++-- source4/lib/ldb/include/ldb.h | 18 source4/lib/ldb/pyldb.c| 61 +++- source4/scripting/python/pyglue.c |6 +++ source4/scripting/python/samba/__init__.py | 12 - 6 files changed, 106 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c index 8c6b8f9..5eabda9 100644 --- a/source4/ldap_server/ldap_backend.c +++ b/source4/ldap_server/ldap_backend.c @@ -546,7 +546,7 @@ reply: NT_STATUS_HAVE_NO_MEMORY(modify_reply); if (result == LDAP_SUCCESS) { - ldb_ret = ldb_modify(samdb, msg); + ldb_ret = ldb_modify_ctrl(samdb, msg, call-request-controls); result = map_ldb_error(local_ctx, ldb_ret, errstr); } diff --git a/source4/lib/ldb/common/ldb.c b/source4/lib/ldb/common/ldb.c index 20e3206..3a8023a 100644 --- a/source4/lib/ldb/common/ldb.c +++ b/source4/lib/ldb/common/ldb.c @@ -1378,10 +1378,11 @@ int ldb_add(struct ldb_context *ldb, } /* - modify the specified attributes of a record + same as ldb_modify, but accepts controls */ -int ldb_modify(struct ldb_context *ldb, - const struct ldb_message *message) +int ldb_modify_ctrl(struct ldb_context *ldb, + const struct ldb_message *message, + struct ldb_control **controls) { struct ldb_request *req; int ret; 
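Review bot: Passing `call->request->controls` straight into `ldb_modify_ctrl` means every control a client attaches to a ModifyRequest now reaches the module stack, where the commit message says they were previously dropped; nothing in this hunk rejects a control marked critical that no module understands (RFC 4511 expects unavailableCriticalExtension) or strips controls meant to be internal to the server, and whether the ldb layer does either on the modify path is not visible here. Before the call, confirm which controls are acceptable from the wire or mark the request as coming from an untrusted client so modules can refuse privileged ones; a comment at the call site naming where that filtering happens would also help, e.g. `/* client controls are validated in ... before reaching modules */`. The enclosing function starts before this hunk.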
@@ -1393,7 +1394,7 @@ int ldb_modify(struct ldb_context *ldb, ret = ldb_build_mod_req(req, ldb, ldb, message, - NULL, + controls, NULL, ldb_op_default_callback, NULL); @@ -1406,6 +1407,14 @@ int ldb_modify(struct ldb_context *ldb, talloc_free(req); return ret; } +/* + modify the specified attributes of a record +*/ +int ldb_modify(struct ldb_context *ldb, + const struct ldb_message *message) +{ + return ldb_modify_ctrl(ldb, message, NULL); +} /* diff --git a/source4/lib/ldb/include/ldb.h b/source4/lib/ldb/include/ldb.h index 1d0b533..62cd2b8 100644 --- a/source4/lib/ldb/include/ldb.h +++ b/source4/lib/ldb/include/ldb.h @@ -1217,6 +1217,24 @@ int ldb_add(struct ldb_context *ldb, ldb_init()) \param message the message containing the changes required. + \param controls ldap controls for the request + + \return result code (LDB_SUCCESS if the record was modified as + requested, otherwise a failure code) +*/ +int ldb_modify_ctrl(struct ldb_context *ldb, + const struct ldb_message *message, + struct ldb_control **controls); + +/** + Modify the specified attributes of a record + + This function modifies a record that is in the database. + + \param ldb the context associated with the database (from + ldb_init()) + \param message the message containing the changes required. + \return result code (LDB_SUCCESS if the record was modified as requested, otherwise a failure code) */ diff --git a/source4/lib/ldb/pyldb.c b/source4/lib/ldb/pyldb.c index 1f1dcf8..0d1d2fa 100644 --- a/source4/lib/ldb/pyldb.c +++ b/source4/lib/ldb/pyldb.c 
@@ -641,16 +641,73 @@ static PyObject *py_ldb_connect(PyLdbObject *self, PyObject *args, PyObject *kwa static PyObject *py_ldb_modify(PyLdbObject *self, PyObject *args) { PyObject *py_msg; + PyObject *py_controls = Py_None; + struct ldb_context *ldb_ctx; + struct ldb_request *req; + struct ldb_control **parsed_controls; + struct ldb_message *msg; int ret; - if (!PyArg_ParseTuple(args, O, py_msg)) + if (!PyArg_ParseTuple(args, O|O, py_msg, py_controls)) return NULL; + ldb_ctx = PyLdb_AsLdbContext(self); + + if (py_controls == Py_None) { + parsed_controls = NULL; + } else
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7c8b346... Implementation of LDAP_SERVER_SD_FLAGS_OID on modify requests. from a760f16... Some changes to allow processing of ldap controls on modify requests. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7c8b34657a19c96bbeb2181cd194f323a6827365 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Fri Nov 20 13:25:13 2009 +0200 Implementation of LDAP_SERVER_SD_FLAGS_OID on modify requests. --- Summary of changes: source4/dsdb/samdb/ldb_modules/descriptor.c| 149 +--- source4/lib/ldb/tests/python/sec_descriptor.py | 112 +- 2 files changed, 240 insertions(+), 21 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c index 6a57560..98e54b1 100644 --- a/source4/dsdb/samdb/ldb_modules/descriptor.c +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c 
@@ -154,15 +154,85 @@ static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx, return NULL; } +static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx, +struct security_descriptor *new_sd, +struct security_descriptor *old_sd, +uint32_t sd_flags) +{ + struct security_descriptor *final_sd; + /* if there is no control or contlol == 0 modify everything */ + if (!sd_flags) { + return new_sd; + } + + final_sd = talloc_zero(mem_ctx, struct security_descriptor); + final_sd-revision = SECURITY_DESCRIPTOR_REVISION_1; + final_sd-type = SEC_DESC_SELF_RELATIVE; + + if (sd_flags (SECINFO_OWNER)) { + final_sd-owner_sid = talloc_memdup(mem_ctx, new_sd-owner_sid, sizeof(struct dom_sid)); + final_sd-type |= new_sd-type SEC_DESC_OWNER_DEFAULTED; + } + else if (old_sd) { + final_sd-owner_sid = talloc_memdup(mem_ctx, old_sd-owner_sid, sizeof(struct dom_sid)); + final_sd-type |= old_sd-type SEC_DESC_OWNER_DEFAULTED; + } + + if (sd_flags (SECINFO_GROUP)) { + final_sd-group_sid = talloc_memdup(mem_ctx, new_sd-group_sid, sizeof(struct dom_sid)); + final_sd-type |= new_sd-type SEC_DESC_GROUP_DEFAULTED; + } + else if (old_sd) { + final_sd-group_sid = talloc_memdup(mem_ctx, old_sd-group_sid, sizeof(struct dom_sid)); + final_sd-type |= old_sd-type SEC_DESC_GROUP_DEFAULTED; + } + + if (sd_flags (SECINFO_SACL)) { + final_sd-sacl = security_acl_dup(mem_ctx,new_sd-sacl); + final_sd-type |= new_sd-type (SEC_DESC_SACL_PRESENT | + SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ | + SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED | + SEC_DESC_SERVER_SECURITY); + } + else if (old_sd) { + final_sd-sacl = security_acl_dup(mem_ctx,old_sd-sacl); + final_sd-type |= old_sd-type (SEC_DESC_SACL_PRESENT | + SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ | + SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED | + SEC_DESC_SERVER_SECURITY); + } + + if (sd_flags (SECINFO_DACL)) { + final_sd-dacl = security_acl_dup(mem_ctx,new_sd-dacl); + final_sd-type |= new_sd-type 
(SEC_DESC_DACL_PRESENT | + SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ | + SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED | + SEC_DESC_DACL_TRUSTED); + } + else if (old_sd) { + final_sd-dacl = security_acl_dup(mem_ctx,old_sd-dacl); + final_sd-type |= old_sd-type (SEC_DESC_DACL_PRESENT | + SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ | + SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED | + SEC_DESC_DACL_TRUSTED); + } + /* not so sure about this */ + final_sd-type |= new_sd-type SEC_DESC_RM_CONTROL_VALID; + return final_sd; +} + static DATA_BLOB *get_new_descriptor(struct ldb_module *module, struct ldb_dn *dn, TALLOC_CTX *mem_ctx, const struct dsdb_class *objectclass, const struct ldb_val *parent, -struct ldb_val *object) +struct ldb_val *object
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4abd858... Cosmetic patch - fixed case of attribute name. from aafbe63... s4:min_versions: require ldb 0.9.9 http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4abd85898d5024fd1f19337ce286a133af6638b4 Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Fri Nov 20 14:55:31 2009 +0200 Cosmetic patch - fixed case of attribute name. --- Summary of changes: source4/dsdb/samdb/ldb_modules/operational.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index 4e27157..9ec6d8b 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -184,7 +184,7 @@ static const struct { const char *attr; enum op_remove op; } operational_remove[] = { - { ntSecurityDescriptor, OPERATIONAL_REMOVE_UNASKED }, + { nTSecurityDescriptor, OPERATIONAL_REMOVE_UNASKED }, { parentGUID, OPERATIONAL_REMOVE_ALWAYS }, { replPropertyMetaData, OPERATIONAL_REMOVE_UNASKED }, { ntPwdHistory, OPERATIONAL_REMOVE_UNASKED }, -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6178c17... Added control copying for message types other than ldb_search. from da8aba5... s3/docs: Add max protocol = smb2 to man smb.conf. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6178c17e09a5aed968dac49b16ed0b59750aef1c Author: Nadezhda Ivanova nadezhda.ivan...@postpath.com Date: Wed Nov 18 18:47:29 2009 +0200 Added control copying for message types other than ldb_search. When ildap created a new message to forward, it only copied controls for ldb_search requests. This caused controls for add and modify to be lost in transition and tests for them could not be implemented. --- Summary of changes: source4/lib/ldb/ldb_ildap/ldb_ildap.c |5 - 1 files changed, 4 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/ldb/ldb_ildap/ldb_ildap.c b/source4/lib/ldb/ldb_ildap/ldb_ildap.c index 061238b..53257a1 100644 --- a/source4/lib/ldb/ldb_ildap/ldb_ildap.c +++ b/source4/lib/ldb/ldb_ildap/ldb_ildap.c @@ -513,6 +513,7 @@ static int ildb_add(struct ildb_context *ac) for (i = 0; i n; i++) { msg-r.AddRequest.attributes[i] = mods[i]-attrib; } + msg-controls = req-controls; return ildb_request_send(ac, msg); } @@ -556,7 +557,7 @@ static int ildb_modify(struct ildb_context *ac) for (i = 0; i n; i++) { msg-r.ModifyRequest.mods[i] = *mods[i]; } - + msg-controls = req-controls; return ildb_request_send(ac, msg); } @@ -580,6 +581,7 @@ static int ildb_delete(struct ildb_context *ac) talloc_free(msg); return LDB_ERR_INVALID_DN_SYNTAX; } + msg-controls = req-controls; return ildb_request_send(ac, msg); } @@ -629,6 +631,7 @@ static int ildb_rename(struct ildb_context *ac) } msg-r.ModifyDNRequest.deleteolddn = true; + msg-controls = req-controls; return ildb_request_send(ac, msg); } -- Samba Shared Repository
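Review bot: `msg->controls = req->controls;` in each of the four hunks shares the request's control array with the outgoing message rather than copying it, so `msg` must not outlive `req`; the `talloc_free(msg)` visible in ildb_delete shows the two have separate talloc lifetimes, and whether ildb_request_send retains `msg` after the request completes is not visible here. Either document the aliasing above each assignment, `/* shared with req, not copied: msg must not outlive req */`, or take a `talloc_reference(msg, req->controls)` if the message can be kept. The commit message calls this "control copying", which overstates what the assignment does.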