summaryrefslogtreecommitdiff
path: root/source4/dsdb
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2007-08-07 09:01:08 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 15:01:32 -0500
commitc4e5fcc349ae8648e50c5fa893fd3fd47336fed2 (patch)
treeb49fac0f010bf6ecb7de4e92634061d0d535c110 /source4/dsdb
parentae7819d715e80cfbd17c4bec1c93685198febe6a (diff)
downloadsamba-c4e5fcc349ae8648e50c5fa893fd3fd47336fed2.tar.gz
samba-c4e5fcc349ae8648e50c5fa893fd3fd47336fed2.tar.bz2
samba-c4e5fcc349ae8648e50c5fa893fd3fd47336fed2.zip
r24263: Fix bug 4846 (unable to copy users in MMC Active Directory Users and
Computers). We now generate a security descriptor for each object, when it is created. This seems to keep MMC happy. The next step is to honour it. Andrew Bartlett (This used to be commit 72f4ae82463c5c1f9f6b7f18f125c4c8fb56ae4f)
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c50
1 files changed, 47 insertions, 3 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 259b963ce0..a9ef93cab1 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -35,6 +35,11 @@
#include "ldb/include/ldb_private.h"
#include "dsdb/samdb/samdb.h"
#include "lib/util/dlinklist.h"
+#include "librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
+#include "auth/auth.h"
+
struct oc_context {
enum oc_step {OC_DO_REQ, OC_SEARCH_SELF, OC_DO_MOD} step;
@@ -196,6 +201,39 @@ static int objectclass_sort(struct ldb_module *module,
return LDB_SUCCESS;
}
+DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx,
+ const struct dsdb_class *objectclass)
+{
+ NTSTATUS status;
+ DATA_BLOB *linear_sd;
+ struct auth_session_info *session_info
+ = ldb_get_opaque(module->ldb, "sessionInfo");
+ struct security_descriptor *sd = sddl_decode(mem_ctx,
+ objectclass->defaultSecurityDescriptor,
+ samdb_domain_sid(module->ldb));
+ if (!session_info || !session_info->security_token) {
+ return NULL;
+ }
+
+ sd->owner_sid = session_info->security_token->user_sid;
+ sd->group_sid = session_info->security_token->group_sid;
+
+ linear_sd = talloc(mem_ctx, DATA_BLOB);
+ if (!linear_sd) {
+ return NULL;
+ }
+
+ status = ndr_push_struct_blob(linear_sd, mem_ctx, sd,
+ (ndr_push_flags_fn_t)ndr_push_security_descriptor);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return NULL;
+ }
+
+ return linear_sd;
+
+}
+
static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_message_element *objectclass_element;
@@ -266,12 +304,18 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
talloc_free(mem_ctx);
return ret;
}
- /* Last one */
- if (schema && !current->next && !ldb_msg_find_element(msg, "objectCategory")) {
+ /* Last one is the critical one */
+ if (schema && !current->next) {
const struct dsdb_class *objectclass
= dsdb_class_by_lDAPDisplayName(schema, current->objectclass);
if (objectclass) {
- ldb_msg_add_string(msg, "objectCategory", objectclass->defaultObjectCategory);
+ if (!ldb_msg_find_element(msg, "objectCategory")) {
+ ldb_msg_add_string(msg, "objectCategory", objectclass->defaultObjectCategory);
+ }
+ if (!ldb_msg_find_element(msg, "ntSecurityDescriptor")) {
+ DATA_BLOB *sd = get_sd(module, mem_ctx, objectclass);
+ ldb_msg_add_steal_value(msg, "ntSecurityDescriptor", sd);
+ }
}
}
}