authorMatthias Dieter Wallnöfer <mwallnoefer@yahoo.de>2010-03-04 13:58:16 +0100
committerMatthias Dieter Wallnöfer <mwallnoefer@yahoo.de>2010-03-04 18:16:23 +0100
commitbf94d68df82f3c7085a6e468b4247fa55d4648ba (patch)
tree98398d3665377a6c2d4e6d5703e94bea95c93a99 /source4/dsdb/samdb
parent1f371cdbe5a5c2f02ca82a492530fc00b67960d4 (diff)
downloadsamba-bf94d68df82f3c7085a6e468b4247fa55d4648ba.tar.gz
samba-bf94d68df82f3c7085a6e468b4247fa55d4648ba.tar.bz2
samba-bf94d68df82f3c7085a6e468b4247fa55d4648ba.zip
s4:operational LDB - implement the "tokenGroups" constructed attribute
It contains the transitive SID closure (obtained by expanding the member/memberOf attributes) of a given SAM object. The "tokenGroups" attribute never contains the SID of the object itself. References: http://msdn.microsoft.com/en-us/library/ms680275(VS.85).aspx, http://support.microsoft.com/kb/301916, MS-ADTS 3.1.1.4.5.19.
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/config.mk2
-rw-r--r--source4/dsdb/samdb/ldb_modules/operational.c95
2 files changed, 96 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk
index e13f44af09..586e937b6c 100644
--- a/source4/dsdb/samdb/ldb_modules/config.mk
+++ b/source4/dsdb/samdb/ldb_modules/config.mk
@@ -400,7 +400,7 @@ ldb_instancetype_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/instancetype.o
[MODULE::ldb_operational]
SUBSYSTEM = LIBLDB
CFLAGS = -Ilib/ldb/include
-PRIVATE_DEPENDENCIES = LIBTALLOC LIBTEVENT LIBSAMBA-UTIL SAMDB_COMMON DSDB_MODULE_HELPERS
+PRIVATE_DEPENDENCIES = LIBTALLOC LIBTEVENT LIBSAMBA-UTIL SAMDB_COMMON DSDB_MODULE_HELPERS auth_sam
INIT_FUNCTION = LDB_MODULE(operational)
# End MODULE ldb_operational
################################################
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index 413ea6b528..7bb74689c6 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -72,6 +72,9 @@
#include "dsdb/samdb/samdb.h"
#include "dsdb/samdb/ldb_modules/util.h"
+#include "auth/auth.h"
+#include "libcli/security/dom_sid.h"
+
#ifndef ARRAY_SIZE
#define ARRAY_SIZE(a) (sizeof(a)/sizeof(a[0]))
#endif
@@ -118,6 +121,97 @@ static int construct_primary_group_token(struct ldb_module *module,
}
}
+/*
+ construct the token groups for SAM objects from a message
+*/
+static int construct_token_groups(struct ldb_module *module,
+ struct ldb_message *msg)
+{
+ struct ldb_context *ldb;
+ const struct dom_sid *sid;
+
+ ldb = ldb_module_get_ctx(module);
+
+ sid = samdb_result_dom_sid(msg, msg, "objectSid");
+ if (sid != NULL) {
+ NTSTATUS status;
+ uint32_t prim_group_rid;
+ struct dom_sid **sids = NULL;
+ unsigned int i, num_sids = 0;
+ int ret;
+
+ prim_group_rid = samdb_result_uint(msg, "primaryGroupID", 0);
+ if (prim_group_rid != 0) {
+ struct dom_sid *prim_group_sid;
+
+ prim_group_sid = dom_sid_add_rid(msg,
+ samdb_domain_sid(ldb),
+ prim_group_rid);
+ if (prim_group_sid == NULL) {
+ ldb_oom(ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ /* onlyChilds = false, we want to consider also the
+ * "primaryGroupID" for membership */
+ status = authsam_expand_nested_groups(ldb,
+ prim_group_sid,
+ false, msg,
+ &sids, &num_sids);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
+ ldb_oom(ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ for (i = 0; i < num_sids; i++) {
+ ret = samdb_msg_add_dom_sid(ldb, msg, msg,
+ "tokenGroups",
+ sids[i]);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(sids);
+ return ret;
+ }
+ }
+
+ talloc_free(sids);
+ }
+
+ sids = NULL;
+ num_sids = 0;
+
+ /* onlyChils = true, we don't want to have the SAM object itself
+ * in the result */
+ status = authsam_expand_nested_groups(ldb, sid, true, msg,
+ &sids, &num_sids);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
+ ldb_oom(ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ for (i = 0; i < num_sids; i++) {
+ ret = samdb_msg_add_dom_sid(ldb, msg, msg,
+ "tokenGroups", sids[i]);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(sids);
+ return ret;
+ }
+ }
+
+ talloc_free(sids);
+ }
+
+ return LDB_SUCCESS;
+}
+
+/*
+ construct the parent GUID for an entry from a message
+*/
static int construct_parent_guid(struct ldb_module *module,
struct ldb_message *msg)
{
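Review bot: The two expansions in construct_token_groups are merged without deduplication: the array is reset with `sids = NULL; num_sids = 0;` after the primaryGroupID walk, so a group reached both through the primary group and through memberOf is added to "tokenGroups" twice by the two samdb_msg_add_dom_sid loops, although MS-ADTS defines the attribute as a set and callers use it for authorization decisions. If authsam_expand_nested_groups skips SIDs already present in its in/out `sids`/`num_sids` array (which its parameter shape suggests, but is not visible here), passing the same array to both calls and adding the values in a single loop at the end removes the duplicates; otherwise an explicit dom_sid_equal check before adding is needed. The comments at the two calls also spell the flag inconsistently (`onlyChilds` vs `onlyChils`); it would be clearer to describe the effect, e.g. `/* include the primary group itself in the result */` and `/* do not include the SAM object itself in the result */`.

```c
		/* include the primary group itself in the result */
		status = authsam_expand_nested_groups(ldb, prim_group_sid,
						      false, msg,
						      &sids, &num_sids);
		/* … unchanged: NT_STATUS_NO_MEMORY / !NT_STATUS_IS_OK checks … */
	}

	/* do not include the SAM object itself in the result; the same
	 * sids/num_sids array is reused so SIDs already collected via the
	 * primary group are not added a second time */
	status = authsam_expand_nested_groups(ldb, sid, true, msg,
					      &sids, &num_sids);
	/* … unchanged: NT_STATUS_NO_MEMORY / !NT_STATUS_IS_OK checks … */

	for (i = 0; i < num_sids; i++) {
		ret = samdb_msg_add_dom_sid(ldb, msg, msg,
					    "tokenGroups", sids[i]);
		if (ret != LDB_SUCCESS) {
			talloc_free(sids);
			return ret;
		}
	}

	talloc_free(sids);
```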
@@ -207,6 +301,7 @@ static const struct {
{ "structuralObjectClass", "objectClass", NULL , NULL },
{ "canonicalName", "distinguishedName", NULL , construct_canonical_name },
{ "primaryGroupToken", "objectClass", "objectSid", construct_primary_group_token },
+ { "tokenGroups", "objectSid", "primaryGroupID", construct_token_groups },
{ "parentGUID", NULL, NULL, construct_parent_guid },
{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry }
};