authorMatthieu Patou <mat@matws.net>2011-11-16 00:56:28 +0100
committerAmitay Isaacs <amitay@gmail.com>2011-11-16 17:16:30 +1100
commitb91dd516b5cba8fd3f78256c4d86b304214ab9fc (patch)
tree90dc6c8ced6a2e127fc46c330db688d5f7e58151 /source4/dsdb/samdb/ldb_modules
parent80113755c40b2ca04ce8a325463160483ec660b9 (diff)
s4-dsdb: rework the NC detection for the descriptor calculation
This checks whether the instanceType attribute is available and whether the INSTANCE_TYPE_IS_NC_HEAD bit is set. If the bit is set, the DN is an NC root and its security descriptor is not inherited from the parent SD. Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules')
-rw-r--r--source4/dsdb/samdb/ldb_modules/descriptor.c43
1 files changed, 31 insertions, 12 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 9763c8ee49..409d08dea9 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -467,6 +467,8 @@ static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
DATA_BLOB *sd;
const struct dsdb_class *objectclass;
static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
+ uint32_t instanceType;
+ bool isNC = false;
ldb = ldb_module_get_ctx(module);
dn = req->op.add.message->dn;
@@ -484,22 +486,39 @@ static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
- /* if the object has a parent, retrieve its SD to
- * use for calculation. Unfortunately we do not yet have
- * instanceType, so we use dsdb_find_nc_root. */
- parent_dn = ldb_dn_get_parent(req, dn);
- if (parent_dn == NULL) {
- return ldb_oom(ldb);
+ instanceType = ldb_msg_find_attr_as_uint(req->op.add.message, "instanceType", 0);
+
+ if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
+ isNC = true;
}
- ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
- if (ret != LDB_SUCCESS) {
- ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
- ldb_dn_get_linearized(dn));
- return ret;
+ if (!isNC) {
+ ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
+ ldb_dn_get_linearized(dn));
+ return ret;
+ }
+
+ if (ldb_dn_compare(dn, nc_root) == 0) {
+ DEBUG(0, ("Found DN %s being a NC by the old method\n", ldb_dn_get_linearized(dn)));
+ isNC = true;
+ }
+ }
+
+ if (isNC) {
+ DEBUG(2, ("DN: %s is a NC\n", ldb_dn_get_linearized(dn)));
}
+ if (!isNC) {
+ /* if the object has a parent, retrieve its SD to
+ * use for calculation. Unfortunately we do not yet have
+ * instanceType, so we use dsdb_find_nc_root. */
+
+ parent_dn = ldb_dn_get_parent(req, dn);
+ if (parent_dn == NULL) {
+ return ldb_oom(ldb);
+ }
- if (ldb_dn_compare(dn, nc_root) != 0) {
/* we aren't any NC */
ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
parent_attrs,
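Review bot: The NC-head decision now rests on `instanceType` read straight from `req->op.add.message`, and a set INSTANCE_TYPE_IS_NC_HEAD bit skips both the `dsdb_find_nc_root` check and the parent SD lookup, so the new object's descriptor would be calculated without the parent's inheritable ACEs. Nothing visible in this hunk shows that the attribute has been validated before it reaches descriptor_add. If an earlier module guarantees that, record it next to the read, for example `/* instanceType has already been validated by <module>; a set NC_HEAD bit is trusted here */`; otherwise the bit should only be honoured when the `ldb_dn_compare(dn, nc_root) == 0` check agrees. The comment moved into the `if (!isNC)` block still says "we do not yet have instanceType, so we use dsdb_find_nc_root", which now contradicts the code, and could become `/* not an NC head: retrieve the parent's SD to use for the calculation */`. descriptor_add starts and ends outside this hunk, so later uses of `parent_dn` and `nc_root` on the NC path could not be checked here.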