author | Matthieu Patou <mat@matws.net> | 2011-11-16 00:56:28 +0100 |
---|---|---|
committer | Amitay Isaacs <amitay@gmail.com> | 2011-11-16 17:16:30 +1100 |
commit | b91dd516b5cba8fd3f78256c4d86b304214ab9fc (patch) | |
tree | 90dc6c8ced6a2e127fc46c330db688d5f7e58151 | |
parent | 80113755c40b2ca04ce8a325463160483ec660b9 (diff) | |
s4-dsdb: rework the NC detection for the descriptor calculation
This checks whether the instanceType attribute is available and whether
the INSTANCE_TYPE_IS_NC_HEAD bit is set. If the bit is set, then
the DN is an NC root and its security descriptor is not inherited
from the parent SD.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/descriptor.c | 43 |
1 files changed, 31 insertions, 12 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 9763c8ee49..409d08dea9 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -467,6 +467,8 @@ static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
 DATA_BLOB *sd;
 const struct dsdb_class *objectclass;
 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
+ uint32_t instanceType;
+ bool isNC = false;
 ldb = ldb_module_get_ctx(module);
 dn = req->op.add.message->dn;
@@ -484,22 +486,39 @@ static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
 return ldb_next_request(module, req);
 }
- /* if the object has a parent, retrieve its SD to
- * use for calculation. Unfortunately we do not yet have
- * instanceType, so we use dsdb_find_nc_root. */
- parent_dn = ldb_dn_get_parent(req, dn);
- if (parent_dn == NULL) {
- return ldb_oom(ldb);
+ instanceType = ldb_msg_find_attr_as_uint(req->op.add.message, "instanceType", 0);
+
+ if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
+ isNC = true;
 }
- ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
- if (ret != LDB_SUCCESS) {
- ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
- ldb_dn_get_linearized(dn));
- return ret;
+ if (!isNC) {
+ ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
+ ldb_dn_get_linearized(dn));
+ return ret;
+ }
+
+ if (ldb_dn_compare(dn, nc_root) == 0) {
+ DEBUG(0, ("Found DN %s being a NC by the old method\n", ldb_dn_get_linearized(dn)));
+ isNC = true;
+ }
+ }
+
+ if (isNC) {
+ DEBUG(2, ("DN: %s is a NC\n", ldb_dn_get_linearized(dn)));
 }
+ if (!isNC) {
+ /* if the object has a parent, retrieve its SD to
+ * use for calculation. Unfortunately we do not yet have
+ * instanceType, so we use dsdb_find_nc_root. */
+
+ parent_dn = ldb_dn_get_parent(req, dn);
+ if (parent_dn == NULL) {
+ return ldb_oom(ldb);
+ }
- if (ldb_dn_compare(dn, nc_root) != 0) {
 /* we aren't any NC */
 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn, parent_attrs, |
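Review bot: The NC decision now rests on `instanceType` read from `req->op.add.message`, a value carried in the add request itself, and when `INSTANCE_TYPE_IS_NC_HEAD` is set the final `if (!isNC)` block, which looks up the parent for its `nTSecurityDescriptor`, is skipped. Nothing visible in this hunk shows that the flag was validated before this module runs, so please confirm which earlier module rejects an NC-head bit on an ordinary object and record it in a comment, e.g. `/* instanceType was validated by <module>; NC heads do not inherit the parent SD */`. The comment moved into that block is also stale: it still says `we do not yet have instanceType, so we use dsdb_find_nc_root`. `DEBUG(0, ...)` on the fallback path logs at level 0 for every add that takes it, which looks louder than intended. `descriptor_add` starts and ends outside this hunk.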