authorAndrew Bartlett <abartlet@samba.org>2007-08-07 09:01:08 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 15:01:32 -0500
commitc4e5fcc349ae8648e50c5fa893fd3fd47336fed2 (patch)
treeb49fac0f010bf6ecb7de4e92634061d0d535c110
parentae7819d715e80cfbd17c4bec1c93685198febe6a (diff)
r24263: Fix bug 4846 (unable to copy users in MMC Active Directory Users and
Computers). We now generate a security descriptor for each object, when it is created. This seems to keep MMC happy. The next step is to honour it. Andrew Bartlett (This used to be commit 72f4ae82463c5c1f9f6b7f18f125c4c8fb56ae4f)
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c50
-rwxr-xr-xtestprogs/ejs/ldap.js6
2 files changed, 51 insertions, 5 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 259b963ce0..a9ef93cab1 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -35,6 +35,11 @@
#include "ldb/include/ldb_private.h"
#include "dsdb/samdb/samdb.h"
#include "lib/util/dlinklist.h"
+#include "librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
+#include "auth/auth.h"
+
struct oc_context {
enum oc_step {OC_DO_REQ, OC_SEARCH_SELF, OC_DO_MOD} step;
@@ -196,6 +201,39 @@ static int objectclass_sort(struct ldb_module *module,
return LDB_SUCCESS;
}
+DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx,
+ const struct dsdb_class *objectclass)
+{
+ NTSTATUS status;
+ DATA_BLOB *linear_sd;
+ struct auth_session_info *session_info
+ = ldb_get_opaque(module->ldb, "sessionInfo");
+ struct security_descriptor *sd = sddl_decode(mem_ctx,
+ objectclass->defaultSecurityDescriptor,
+ samdb_domain_sid(module->ldb));
+ if (!session_info || !session_info->security_token) {
+ return NULL;
+ }
+
+ sd->owner_sid = session_info->security_token->user_sid;
+ sd->group_sid = session_info->security_token->group_sid;
+
+ linear_sd = talloc(mem_ctx, DATA_BLOB);
+ if (!linear_sd) {
+ return NULL;
+ }
+
+ status = ndr_push_struct_blob(linear_sd, mem_ctx, sd,
+ (ndr_push_flags_fn_t)ndr_push_security_descriptor);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return NULL;
+ }
+
+ return linear_sd;
+
+}
+
static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_message_element *objectclass_element;
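Review bot: The security_descriptor that sddl_decode returns is dereferenced at `sd->owner_sid = session_info->security_token->user_sid;` without a NULL check, so a class whose defaultSecurityDescriptor is absent or fails to parse would crash the add path instead of returning NULL like the other failure branches of get_sd. The decode also runs before the session_info test, so its work is wasted whenever the token is missing; moving the sddl_decode call below that test and adding `if (!sd) { return NULL; }` covers both. get_sd is only used from this file but is declared without `static` and without a prototype; `static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, const struct dsdb_class *objectclass)` would match the neighbouring helpers in the hunk. All three failure returns collapse to a bare NULL, so the caller cannot tell a missing session from a failed NDR push; a comment above the function along the lines of `/* Returns NULL if there is no session token, allocation fails, or the NDR push fails; callers must treat NULL as an error, not as "no descriptor" */` would at least make that contract explicit.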
@@ -266,12 +304,18 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
talloc_free(mem_ctx);
return ret;
}
- /* Last one */
- if (schema && !current->next && !ldb_msg_find_element(msg, "objectCategory")) {
+ /* Last one is the critical one */
+ if (schema && !current->next) {
const struct dsdb_class *objectclass
= dsdb_class_by_lDAPDisplayName(schema, current->objectclass);
if (objectclass) {
- ldb_msg_add_string(msg, "objectCategory", objectclass->defaultObjectCategory);
+ if (!ldb_msg_find_element(msg, "objectCategory")) {
+ ldb_msg_add_string(msg, "objectCategory", objectclass->defaultObjectCategory);
+ }
+ if (!ldb_msg_find_element(msg, "ntSecurityDescriptor")) {
+ DATA_BLOB *sd = get_sd(module, mem_ctx, objectclass);
+ ldb_msg_add_steal_value(msg, "ntSecurityDescriptor", sd);
+ }
}
}
}
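Review bot: The NULL that get_sd returns on every one of its failure paths is passed straight to `ldb_msg_add_steal_value(msg, "ntSecurityDescriptor", sd);` and that call's own return code is dropped, so an object can be created with no usable ntSecurityDescriptor — the attribute this change introduces to carry the object's access control — without any error reaching the client. Since producing that value is the purpose of the change, failing the add is the safer outcome, and the hunk already shows the cleanup shape to reuse a few lines above (`talloc_free(mem_ctx); return ret;`). objectclass_add begins and ends outside this hunk, so the mem_ctx ownership is inferred from that visible cleanup rather than confirmed.
```c
if (!ldb_msg_find_element(msg, "ntSecurityDescriptor")) {
	DATA_BLOB *sd = get_sd(module, mem_ctx, objectclass);
	if (!sd || ldb_msg_add_steal_value(msg, "ntSecurityDescriptor", sd) != LDB_SUCCESS) {
		talloc_free(mem_ctx);
		return LDB_ERR_OPERATIONS_ERROR;
	}
}
/* … unchanged: closing braces of the objectclass loop … */
```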
diff --git a/testprogs/ejs/ldap.js b/testprogs/ejs/ldap.js
index bb7e482ec8..5735b8b391 100755
--- a/testprogs/ejs/ldap.js
+++ b/testprogs/ejs/ldap.js
@@ -258,7 +258,7 @@ objectClass: user
assert(res.msgs[0].objectCategory == "cn=Person,cn=Schema,cn=Configuration," + base_dn);
assert(res.msgs[0].sAMAccountType == 805306368);
// assert(res[0].userAccountControl == 546);
-
+
println("Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + base_dn + "))");
var res2 = ldb.search("(&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + base_dn + "))");
if (res2.error != 0 || res2.msgs.length != 1) {
@@ -439,8 +439,9 @@ objectClass: user
// assert(res.msgs[0].userAccountControl == 4098);
+ var attrs = new Array("cn", "name", "objectClass", "objectGUID", "whenCreated", "ntSecurityDescriptor");
println("Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))");
- var res = ldb.search("(&(cn=ldaptestUSer2)(objectClass=user))");
+ var res = ldb.search("(&(cn=ldaptestUSer2)(objectClass=user))", base_dn, ldb.SCOPE_SUBTREE, attrs);
if (res.error != 0 || res.msgs.length != 1) {
println("Could not find (&(cn=ldaptestUSer2)(objectClass=user))");
assert(res.error == 0);
@@ -456,6 +457,7 @@ objectClass: user
assert(res.msgs[0].objectClass[3] == "user");
assert(res.msgs[0].objectGUID != undefined);
assert(res.msgs[0].whenCreated != undefined);
+ assert(res.msgs[0].ntSecurityDescriptor != undefined);
ok = ldb.del(res.msgs[0].dn);
if (ok.error != 0) {