summaryrefslogtreecommitdiff
path: root/source4/dsdb
diff options
context:
space:
mode:
authorNadezhda Ivanova <nivanova@symas.com>2013-10-15 02:06:38 +0300
committerAndrew Bartlett <abartlet@samba.org>2013-10-25 09:45:57 +1300
commitdaefca2a1aaa9f4e0ca2f17ef4c9a71412c081ea (patch)
tree85c9087d550b656abf6f2b075baa9234784ac380 /source4/dsdb
parent2d51424569a9fbb60215957bf5c17a1f0a9bb9ca (diff)
downloadsamba-daefca2a1aaa9f4e0ca2f17ef4c9a71412c081ea.tar.gz
samba-daefca2a1aaa9f4e0ca2f17ef4c9a71412c081ea.tar.bz2
samba-daefca2a1aaa9f4e0ca2f17ef4c9a71412c081ea.zip
s4-dsacl: Fixed incorrect handling of privileges in sec_access_check_ds
Restore and backup privileges are not relevant to ldap access checks, and the TakeOwnership privilege should grant write_owner right Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dsdb')
-rwxr-xr-xsource4/dsdb/tests/python/acl.py26
-rwxr-xr-xsource4/dsdb/tests/python/ldap.py6
2 files changed, 31 insertions, 1 deletions
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index ecda3c5db6..7439be68d0 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -1250,6 +1250,32 @@ class AclRenameTests(AclTests):
res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou3_dn)
self.assertNotEqual(len(res), 0)
+ def test_rename_u9(self):
+ """Rename 'User object' cross OU, with explicit deny on sd and dc"""
+ ou1_dn = "OU=test_rename_ou1," + self.base_dn
+ ou2_dn = "OU=test_rename_ou2," + self.base_dn
+ user_dn = "CN=test_rename_user2," + ou1_dn
+ rename_user_dn = "CN=test_rename_user5," + ou2_dn
+ # Create OU structure
+ self.ldb_admin.create_ou(ou1_dn)
+ self.ldb_admin.create_ou(ou2_dn)
+ self.ldb_admin.newuser(self.testuser2, self.user_pass, userou=self.ou1)
+ mod = "(D;;SD;;;DA)"
+ self.sd_utils.dacl_add_ace(user_dn, mod)
+ mod = "(D;;DC;;;DA)"
+ self.sd_utils.dacl_add_ace(ou1_dn, mod)
+ # Rename 'User object' having SD and CC to AU
+ try:
+ self.ldb_admin.rename(user_dn, rename_user_dn)
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+ else:
+ self.fail()
+ #add an allow ace so we can delete this ou
+ mod = "(A;;DC;;;DA)"
+ self.sd_utils.dacl_add_ace(ou1_dn, mod)
+
+
#tests on Control Access Rights
class AclCARTests(AclTests):
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index 63c422a7a2..643830fed7 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -2649,7 +2649,7 @@ nTSecurityDescriptor:: """ + desc_base64)
user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
delete_force(self.ldb, user_dn)
try:
- sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+ sddl = "O:DUG:DUD:AI(A;;RPWP;;;AU)S:PAI"
desc = security.descriptor.from_sddl(sddl, security.dom_sid('S-1-5-21'))
desc_base64 = base64.b64encode( ndr_pack(desc) )
self.ldb.add_ldif("""
@@ -2659,6 +2659,10 @@ sAMAccountName: """ + user_name + """
nTSecurityDescriptor:: """ + desc_base64)
res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
self.assertTrue("nTSecurityDescriptor" in res[0])
+ desc = res[0]["nTSecurityDescriptor"][0]
+ desc = ndr_unpack(security.descriptor, desc)
+ desc_sddl = desc.as_sddl(self.domain_sid)
+ self.assertTrue("O:S-1-5-21-513G:S-1-5-21-513D:AI(A;;RPWP;;;AU)" in desc_sddl)
finally:
delete_force(self.ldb, user_dn)