authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-11-25 09:33:47 +0100
committerMatthias Dieter Wallnöfer <mdw@samba.org>2010-11-25 13:05:56 +0100
commitae61408e2f198ada294a826e375f0f4a1e7da3d6 (patch)
tree967703ee0348db38c1ac7b22aed0481330697b10
parentfc1da86d403c654fc96a6b1410147fe93dee0a39 (diff)
s4:lsa RPC server / objectclass LDB module - fix the creation of trusted domain objects
Tridge pointed out that it is too dangerous to allow them to be created with SYSTEM permissions. The solution using the "untrusted" flag should be much more viable. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Nov 25 13:05:56 CET 2010 on sn-devel-104
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c8
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c4
2 files changed, 3 insertions, 9 deletions
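--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -467,8 +467,6 @@ static int objectclass_do_add(struct oc_context *ac)
 struct ldb_request *add_req;
 struct ldb_message_element *objectclass_element, *el;
 struct ldb_message *msg;
-struct ldb_control *as_system = ldb_request_get_control(ac->req,
-LDB_CONTROL_AS_SYSTEM_OID);
 TALLOC_CTX *mem_ctx;
 struct class_list *sorted, *current;
 const char *rdn_name = NULL;
@@ -480,10 +478,6 @@ static int objectclass_do_add(struct oc_context *ac)
 bool found;
 int ret;
-if (as_system != NULL) {
-as_system->critical = 0;
-}
-
 msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
 if (msg == NULL) {
 return ldb_module_oom(ac->module);
@@ -581,7 +575,7 @@ static int objectclass_do_add(struct oc_context *ac)
 /* LSA-specific objectclasses per default not allowed */
 if (((strcmp(value, "secret") == 0) ||
 (strcmp(value, "trustedDomain") == 0)) &&
-!(dsdb_module_am_system(ac->module) || as_system)) {
+ldb_req_is_untrusted(ac->req)) {
 ldb_asprintf_errstring(ldb,
 "objectclass: object class '%s' is LSA-specific, rejecting creation of '%s'!",
 value,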
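Review bot: The comment `/* LSA-specific objectclasses per default not allowed */` above the condition in the third hunk no longer describes the rule, which after this change is "reject only when the request carries the untrusted flag"; I would reword it to `/* LSA-specific objectclasses: only trusted (internal, e.g. RPC server) requests may create them; requests marked untrusted (LDAP clients) are rejected */`. The first two hunks drop the `as_system` lookup together with the `as_system->critical = 0` reset, so this module no longer marks LDB_CONTROL_AS_SYSTEM_OID as handled; that is only safe if another module in the chain still clears the critical flag on that control, which I cannot see from here and which should be confirmed, since ldb core rejects critical controls nobody handled. objectclass_do_add starts and ends outside these hunks.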
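--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1056,7 +1056,7 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dc
 trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msg->dn);
 /* create the trusted_domain */
-ret = dsdb_add(sam_ldb, msg, DSDB_FLAG_AS_SYSTEM);
+ret = ldb_add(sam_ldb, msg);
 switch (ret) {
 case LDB_SUCCESS:
 break;
@@ -2949,7 +2949,7 @@ static NTSTATUS dcesrv_lsa_CreateSecret(struct dcesrv_call_state *dce_call, TALL
 secret_state->secret_dn = talloc_reference(secret_state, msg->dn);
 /* create the secret */
-ret = dsdb_add(secret_state->sam_ldb, msg, DSDB_FLAG_AS_SYSTEM);
+ret = ldb_add(secret_state->sam_ldb, msg);
 if (ret != LDB_SUCCESS) {
 DEBUG(0,("Failed to create secret record %s: %s\n",
 ldb_dn_get_linearized(msg->dn),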
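Review bot: Replacing `dsdb_add(sam_ldb, msg, DSDB_FLAG_AS_SYSTEM)` with `ldb_add(sam_ldb, msg)` in the first hunk means the add now runs under whatever session sam_ldb was opened with, so creating the trustedDomain object depends on the ACL module granting that session create rights in the target container; nothing in the hunk records this, and a comment such as `/* deliberately no AS_SYSTEM: the objectclass module only admits trusted (non-LDAP) requests and the ACL module still checks the caller's create rights */` would keep a later maintainer from reintroducing the flag. The `switch (ret)` that follows is only partly visible, so I cannot tell whether LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS is mapped to NT_STATUS_ACCESS_DENIED; if it falls into a generic default, an unprivileged caller now receives a misleading status where the previous SYSTEM add could not fail that way. The same question applies to the second hunk in dcesrv_lsa_CreateSecret, where only the `ret != LDB_SUCCESS` branch with its DEBUG line is visible. Both enclosing functions start and end outside these hunks.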