diff options
| author | Jelmer Vernooij <jelmer@samba.org> | 2008-03-28 00:44:14 +0100 |
|---|---|---|
| committer | Jelmer Vernooij <jelmer@samba.org> | 2008-03-28 00:44:14 +0100 |
| commit | 18d80bdf1fc5a281358aef29324230698eb434d4 (patch) | |
| tree | e2515f11577052f42a227bc04541d572d7f2e1ff /source4/dsdb/samdb/ldb_modules | |
| parent | ac604330871504e88e4bcd37433bbf3717d97a88 (diff) | |
| parent | e15b35e3897e63b9e815a04101436439d4aebdef (diff) | |
| download | samba-18d80bdf1fc5a281358aef29324230698eb434d4.tar.gz samba-18d80bdf1fc5a281358aef29324230698eb434d4.tar.bz2 samba-18d80bdf1fc5a281358aef29324230698eb434d4.zip | |
Merge v4.0-test
(This used to be commit 977dbdeaf363c8905ed9fd0570eba4be80582833)
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules')
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/kludge_acl.c | 45 | ||||
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/normalise.c | 2 | ||||
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 20 | ||||
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/password_hash.c | 3 | ||||
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 4 |
5 files changed, 28 insertions, 46 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c index e3e1f7ac88..e418031271 100644 --- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c +++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c @@ -46,42 +46,15 @@ * */ -enum user_is { - ANONYMOUS, - USER, - ADMINISTRATOR, - SYSTEM -}; - struct kludge_private_data { const char **password_attrs; }; -static enum user_is what_is_user(struct ldb_module *module) +static enum security_user_level what_is_user(struct ldb_module *module) { struct auth_session_info *session_info = (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo"); - if (!session_info) { - return ANONYMOUS; - } - - if (security_token_is_system(session_info->security_token)) { - return SYSTEM; - } - - if (security_token_is_anonymous(session_info->security_token)) { - return ANONYMOUS; - } - - if (security_token_has_builtin_administrators(session_info->security_token)) { - return ADMINISTRATOR; - } - - if (security_token_has_nt_authenticated_users(session_info->security_token)) { - return USER; - } - - return ANONYMOUS; + return security_session_user_level(session_info); } static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module) @@ -104,7 +77,7 @@ struct kludge_acl_context { void *up_context; int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *); - enum user_is user_type; + enum security_user_level user_type; bool allowedAttributes; bool allowedAttributesEffective; bool allowedChildClasses; @@ -272,8 +245,8 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld if (data && data->password_attrs) /* if we are not initialized just get through */ { switch (ac->user_type) { - case SYSTEM: - case ADMINISTRATOR: + case SECURITY_SYSTEM: + case SECURITY_ADMINISTRATOR: if (ac->allowedAttributesEffective) { ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective"); if (ret != LDB_SUCCESS) { @@ -359,7 +332,7 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) so we don't allow a search for 'sambaPassword=penguin', just as we would not allow that attribute to be returned */ switch (ac->user_type) { - case SYSTEM: + case SECURITY_SYSTEM: break; default: /* remove password attributes */ @@ -391,10 +364,10 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) /* ANY change type */ static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req) { - enum user_is user_type = what_is_user(module); + enum security_user_level user_type = what_is_user(module); switch (user_type) { - case SYSTEM: - case ADMINISTRATOR: + case SECURITY_SYSTEM: + case SECURITY_ADMINISTRATOR: return ldb_next_request(module, req); default: ldb_asprintf_errstring(module->ldb, diff --git a/source4/dsdb/samdb/ldb_modules/normalise.c b/source4/dsdb/samdb/ldb_modules/normalise.c index a0eff43534..8de9e33002 100644 --- a/source4/dsdb/samdb/ldb_modules/normalise.c +++ b/source4/dsdb/samdb/ldb_modules/normalise.c @@ -117,7 +117,7 @@ static int normalise_search_callback(struct ldb_context *ldb, void *context, str talloc_free(mem_ctx); return LDB_ERR_OPERATIONS_ERROR; } - ret = fix_dn(ares->message->dn); + ret = fix_dn(dn); if (ret != LDB_SUCCESS) { talloc_free(mem_ctx); return ret; diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index e63ad4de56..4d4ef585cb 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -257,12 +257,18 @@ static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, DATA_BLOB *linear_sd; struct auth_session_info *session_info = ldb_get_opaque(module->ldb, "sessionInfo"); - struct security_descriptor *sd - = sddl_decode(mem_ctx, - objectclass->defaultSecurityDescriptor, - samdb_domain_sid(module->ldb)); + struct security_descriptor *sd; + struct dom_sid *domain_sid = samdb_domain_sid(module->ldb); - if (!session_info || !session_info->security_token) { + if (!objectclass->defaultSecurityDescriptor || !domain_sid) { + return NULL; + } + + sd = sddl_decode(mem_ctx, + objectclass->defaultSecurityDescriptor, + domain_sid); + + if (!sd || !session_info || !session_info->security_token) { return NULL; } @@ -538,7 +544,9 @@ static int objectclass_do_add(struct ldb_handle *h) } if (!ldb_msg_find_element(msg, "nTSecurityDescriptor")) { DATA_BLOB *sd = get_sd(ac->module, mem_ctx, current->objectclass); - ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd); + if (sd) { + ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd); + } } } } diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index aa64700f2f..1d2bdd988e 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -1220,7 +1220,8 @@ static int build_domain_data_request(struct ph_context *ac) ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb); ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE; - filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(objectClass=domain)(objectClass=builtinDomain)))", + filter = talloc_asprintf(ac->dom_req, + "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid)); if (filter == NULL) { ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n"); diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 905cd4a995..5407db9956 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -293,7 +293,7 @@ int samldb_notice_sid(struct ldb_module *module, /* find the domain DN */ ret = ldb_search_exp_fmt(module->ldb, mem_ctx, &dom_res, NULL, LDB_SCOPE_SUBTREE, attrs, - "(&(objectSid=%s)(objectclass=domain))", + "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", ldap_encode_ndr_dom_sid(mem_ctx, dom_sid)); if (ret == LDB_SUCCESS) { if (dom_res->count == 0) { @@ -369,7 +369,7 @@ static int samldb_generate_samAccountName(struct ldb_module *module, TALLOC_CTX /* Format: $000000-000000000000 */ do { - *name = talloc_asprintf(mem_ctx, "$%.6X-%.6X%.6X", (unsigned int)random(), (unsigned int)random(), (unsigned int)random()); + *name = talloc_asprintf(mem_ctx, "$%.6X-%.6X%.6X", (unsigned int)generate_random(), (unsigned int)generate_random(), (unsigned int)generate_random()); /* TODO: Figure out exactly what this is meant to conflict with */ ret = ldb_search_exp_fmt(module->ldb, mem_ctx, &res, dom_dn, LDB_SCOPE_SUBTREE, attrs, |