diff options
author | Andrew Bartlett <abartlet@samba.org> | 2007-08-07 09:01:08 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 15:01:32 -0500 |
commit | c4e5fcc349ae8648e50c5fa893fd3fd47336fed2 (patch) | |
tree | b49fac0f010bf6ecb7de4e92634061d0d535c110 | |
parent | ae7819d715e80cfbd17c4bec1c93685198febe6a (diff) | |
download | samba-c4e5fcc349ae8648e50c5fa893fd3fd47336fed2.tar.gz samba-c4e5fcc349ae8648e50c5fa893fd3fd47336fed2.tar.bz2 samba-c4e5fcc349ae8648e50c5fa893fd3fd47336fed2.zip |
r24263: Fix bug 4846 (unable to copy users in MMC Active Directory Users and
Computers).
We now generate a security descriptor for each object, when it is
created. This seems to keep MMC happy. The next step is to honour
it.
Andrew Bartlett
(This used to be commit 72f4ae82463c5c1f9f6b7f18f125c4c8fb56ae4f)
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 50 | ||||
-rwxr-xr-x | testprogs/ejs/ldap.js | 6 |
2 files changed, 51 insertions, 5 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 259b963ce0..a9ef93cab1 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -35,6 +35,11 @@ #include "ldb/include/ldb_private.h" #include "dsdb/samdb/samdb.h" #include "lib/util/dlinklist.h" +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/ndr_security.h" +#include "libcli/security/security.h" +#include "auth/auth.h" + struct oc_context { enum oc_step {OC_DO_REQ, OC_SEARCH_SELF, OC_DO_MOD} step; @@ -196,6 +201,39 @@ static int objectclass_sort(struct ldb_module *module, return LDB_SUCCESS; } +DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, + const struct dsdb_class *objectclass) +{ + NTSTATUS status; + DATA_BLOB *linear_sd; + struct auth_session_info *session_info + = ldb_get_opaque(module->ldb, "sessionInfo"); + struct security_descriptor *sd = sddl_decode(mem_ctx, + objectclass->defaultSecurityDescriptor, + samdb_domain_sid(module->ldb)); + if (!session_info || !session_info->security_token) { + return NULL; + } + + sd->owner_sid = session_info->security_token->user_sid; + sd->group_sid = session_info->security_token->group_sid; + + linear_sd = talloc(mem_ctx, DATA_BLOB); + if (!linear_sd) { + return NULL; + } + + status = ndr_push_struct_blob(linear_sd, mem_ctx, sd, + (ndr_push_flags_fn_t)ndr_push_security_descriptor); + + if (!NT_STATUS_IS_OK(status)) { + return NULL; + } + + return linear_sd; + +} + static int objectclass_add(struct ldb_module *module, struct ldb_request *req) { struct ldb_message_element *objectclass_element; @@ -266,12 +304,18 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req) talloc_free(mem_ctx); return ret; } - /* Last one */ - if (schema && !current->next && !ldb_msg_find_element(msg, "objectCategory")) { + /* Last one is the critical one */ + if (schema && !current->next) { const struct dsdb_class *objectclass = dsdb_class_by_lDAPDisplayName(schema, current->objectclass); if (objectclass) { - ldb_msg_add_string(msg, "objectCategory", objectclass->defaultObjectCategory); + if (!ldb_msg_find_element(msg, "objectCategory")) { + ldb_msg_add_string(msg, "objectCategory", objectclass->defaultObjectCategory); + } + if (!ldb_msg_find_element(msg, "ntSecurityDescriptor")) { + DATA_BLOB *sd = get_sd(module, mem_ctx, objectclass); + ldb_msg_add_steal_value(msg, "ntSecurityDescriptor", sd); + } } } } diff --git a/testprogs/ejs/ldap.js b/testprogs/ejs/ldap.js index bb7e482ec8..5735b8b391 100755 --- a/testprogs/ejs/ldap.js +++ b/testprogs/ejs/ldap.js @@ -258,7 +258,7 @@ objectClass: user assert(res.msgs[0].objectCategory == "cn=Person,cn=Schema,cn=Configuration," + base_dn); assert(res.msgs[0].sAMAccountType == 805306368); // assert(res[0].userAccountControl == 546); - + println("Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + base_dn + "))"); var res2 = ldb.search("(&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + base_dn + "))"); if (res2.error != 0 || res2.msgs.length != 1) { @@ -439,8 +439,9 @@ objectClass: user // assert(res.msgs[0].userAccountControl == 4098); + var attrs = new Array("cn", "name", "objectClass", "objectGUID", "whenCreated", "ntSecurityDescriptor"); println("Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))"); - var res = ldb.search("(&(cn=ldaptestUSer2)(objectClass=user))"); + var res = ldb.search("(&(cn=ldaptestUSer2)(objectClass=user))", base_dn, ldb.SCOPE_SUBTREE, attrs); if (res.error != 0 || res.msgs.length != 1) { println("Could not find (&(cn=ldaptestUSer2)(objectClass=user))"); assert(res.error == 0); @@ -456,6 +457,7 @@ objectClass: user assert(res.msgs[0].objectClass[3] == "user"); assert(res.msgs[0].objectGUID != undefined); assert(res.msgs[0].whenCreated != undefined); + assert(res.msgs[0].ntSecurityDescriptor != undefined); ok = ldb.del(res.msgs[0].dn); if (ok.error != 0) { |