diff options
author | Andrew Bartlett <abartlet@samba.org> | 2012-12-29 15:13:54 +1100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2013-01-21 16:12:45 +0100 |
commit | 8f078cdf247476fad511bb6d7e00c8654fd26e85 (patch) | |
tree | 224841e3e6b0531d20de16e336b84a32cdb085e7 /source4/dsdb/common | |
parent | d36c03056fb85dfedbafd3a59497e35db63ade17 (diff) | |
download | samba-8f078cdf247476fad511bb6d7e00c8654fd26e85.tar.gz samba-8f078cdf247476fad511bb6d7e00c8654fd26e85.tar.bz2 samba-8f078cdf247476fad511bb6d7e00c8654fd26e85.zip |
dsdb: Ensure "authenticated users" is processed for group memberships
This change moves the addition of "Authenticated Users" from the very end of the
token processing to the start. The reason is that we need to see if
"Authenticated Users" is a member of other builtin groups, just as we
would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access"
group, which is in turn often used in ACLs on LDAP objects.
Without this change, the eventual token does not contain S-1-5-32-554
and users other than "Administrator" are unable to read uidNumber
(in particular).
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dsdb/common')
-rw-r--r-- | source4/dsdb/common/util_groups.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c index b5aecbafe9..6a96ce89d1 100644 --- a/source4/dsdb/common/util_groups.c +++ b/source4/dsdb/common/util_groups.c @@ -126,6 +126,31 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx, filter); } + /* + * We have the problem with the caller creating a <SID=S-....> + * DN for ForeignSecurityPrincipals as they also have + * duplicate objects with the SAME SID under CN=Configuration. + * This causes a SID= DN to fail with NO_SUCH_OBJECT on Samba + * and on Windows. So, we allow this to fail, and + * double-check if we can find it with a search in the main + * domain partition. + */ + if (ret == LDB_ERR_NO_SUCH_OBJECT && only_childs) { + char *sid_string = dom_sid_string(tmp_ctx, + &sid); + if (!sid_string) { + talloc_free(tmp_ctx); + return NT_STATUS_OK; + } + + ret = dsdb_search(sam_ctx, tmp_ctx, &res, + ldb_get_default_basedn(sam_ctx), + LDB_SCOPE_SUBTREE, + attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, + "(&(objectClass=foreignSecurityPrincipal)(objectSID=%s))", + sid_string); + } + if (ret == LDB_ERR_NO_SUCH_OBJECT) { talloc_free(tmp_ctx); return NT_STATUS_OK; |