diff options
author | Kamen Mazdrashki <kamenim@samba.org> | 2011-02-14 11:35:48 +0200 |
---|---|---|
committer | Kamen Mazdrashki <kamenim@samba.org> | 2011-02-14 12:32:22 +0100 |
commit | 313489507593c7798d41f8cace48e7cc59228a0d (patch) | |
tree | cb7c1c20be458bc1e4d4ca8f6837081d6cf2a3dc /source4/dsdb/samdb | |
parent | 73972072d7c02ea8eaadd99be4361d7ee0e04d4a (diff) | |
download | samba-313489507593c7798d41f8cace48e7cc59228a0d.tar.gz samba-313489507593c7798d41f8cace48e7cc59228a0d.tar.bz2 samba-313489507593c7798d41f8cace48e7cc59228a0d.zip |
s4-ldb_modules/acl: Get correct NTDSDSA objectGUID to check SPN for
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl.c | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 21843ad6e0..af13955771 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -549,8 +549,8 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, const char *samAccountName; const char *dnsHostName; const char *netbios_name; - const struct GUID *ntds = samdb_ntds_objectGUID(ldb); - const char *ntds_guid = GUID_string(tmp_ctx, ntds); + struct GUID ntds; + char *ntds_guid = NULL; static const char *acl_attrs[] = { "samAccountName", @@ -562,6 +562,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, "nETBIOSName", NULL }; + /* if we have wp, we can do whatever we like */ if (acl_check_access_on_attribute(module, tmp_ctx, @@ -619,6 +620,20 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, "Error finding element for servicePrincipalName."); } + /* NTDSDSA objectGuid of object we are checking SPN for */ + if (userAccountControl & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { + ret = dsdb_module_find_ntdsguid_for_computer(module, tmp_ctx, + req->op.mod.message->dn, &ntds, req); + if (ret != LDB_SUCCESS) { + ldb_asprintf_errstring(ldb, "Failed to find NTDSDSA objectGuid for %s: %s", + ldb_dn_get_linearized(req->op.mod.message->dn), + ldb_strerror(ret)); + talloc_free(tmp_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + ntds_guid = GUID_string(tmp_ctx, &ntds); + } + for (i=0; i < el->num_values; i++) { ret = acl_validate_spn_value(tmp_ctx, ldb, |