diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-04-15 11:58:05 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-05-20 17:39:10 +1000 |
commit | 72ccbcacddd2c3fdc6bfb61b8efb78625368365d (patch) | |
tree | aec687078b41d811d85113d27381c0ae70df3a6b /source4 | |
parent | 4fa9aa30996219821d5d2496d574340f14a4a406 (diff) | |
download | samba-72ccbcacddd2c3fdc6bfb61b8efb78625368365d.tar.gz samba-72ccbcacddd2c3fdc6bfb61b8efb78625368365d.tar.bz2 samba-72ccbcacddd2c3fdc6bfb61b8efb78625368365d.zip |
s4:auth Allow the operational module to get a user's tokenGroups from auth
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.
Andrew Bartlett
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/auth.h | 13 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 1 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 2 | ||||
-rw-r--r-- | source4/auth/ntlm/auth.c | 96 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 60 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/config.mk | 2 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/operational.c | 146 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/wscript_build | 2 | ||||
-rw-r--r-- | source4/utils/ntlm_auth.c | 1 |
9 files changed, 200 insertions, 123 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 3984704928..2678d2ca66 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -127,6 +127,7 @@ struct auth_method_context; struct auth_check_password_request; struct auth_context; struct auth_session_info; +struct ldb_dn; struct auth_operations { const char *name; @@ -153,6 +154,7 @@ struct auth_operations { NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, const char *principal, + struct ldb_dn *user_dn, struct auth_serversupplied_info **server_info); }; @@ -201,9 +203,10 @@ struct auth_context { NTSTATUS (*set_challenge)(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by); NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx, - struct auth_context *auth_context, - const char *principal, - struct auth_serversupplied_info **server_info); + struct auth_context *auth_ctx, + const char *principal, + struct ldb_dn *user_dn, + struct auth_serversupplied_info **server_info); NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, @@ -231,7 +234,6 @@ struct auth_critical_sizes { struct ldb_message; struct ldb_context; -struct ldb_dn; struct gensec_security; NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, uint8_t chal[8]); @@ -265,6 +267,7 @@ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods, struct tevent_context *ev, struct messaging_context *msg, struct loadparm_context *lp_ctx, + struct ldb_context *sam_ctx, struct auth_context **auth_ctx); NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, @@ -272,6 +275,7 @@ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, struct messaging_context *msg, struct loadparm_context *lp_ctx, struct auth_context **auth_ctx); +NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth_context **auth_ctx); NTSTATUS auth_check_password(struct auth_context *auth_ctx, TALLOC_CTX *mem_ctx, @@ -302,6 +306,7 @@ NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx, struct auth_context *auth_ctx, const char *principal, + struct ldb_dn *user_dn, struct auth_serversupplied_info **server_info); NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx, diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 73c12a20ff..4aaae6cdad 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1308,6 +1308,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx, gensec_security->auth_context, principal_string, + NULL, &server_info); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 77b50cb41c..a0d880f5b2 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -653,7 +653,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx, gensec_security->auth_context, principal_string, - &server_info); + NULL, &server_info); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index e9e72fa2a5..b5f3afc86d 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -98,13 +98,16 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, uint8_t chal } /**************************************************************************** - Try to get a challenge out of the various authentication modules. - Returns a const char of length 8 bytes. +Used in the gensec_gssapi and gensec_krb5 server-side code, where the +PAC isn't available, and for tokenGroups in the DSDB stack. + + Supply either a principal or a DN ****************************************************************************/ _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx, - struct auth_context *auth_ctx, - const char *principal, - struct auth_serversupplied_info **server_info) + struct auth_context *auth_ctx, + const char *principal, + struct ldb_dn *user_dn, + struct auth_serversupplied_info **server_info) { NTSTATUS nt_status; struct auth_method_context *method; @@ -114,7 +117,7 @@ _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx, continue; } - nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, server_info); + nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, user_dn, server_info); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) { continue; } @@ -399,13 +402,14 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req, /*************************************************************************** Make a auth_info struct for the auth subsystem - - Allow the caller to specify the methods to use + - Allow the caller to specify the methods to use, including optionally the SAM to use ***************************************************************************/ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods, - struct tevent_context *ev, - struct messaging_context *msg, - struct loadparm_context *lp_ctx, - struct auth_context **auth_ctx) + struct tevent_context *ev, + struct messaging_context *msg, + struct loadparm_context *lp_ctx, + struct ldb_context *sam_ctx, + struct auth_context **auth_ctx) { int i; struct auth_context *ctx; @@ -437,7 +441,11 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char ** ctx->msg_ctx = msg; ctx->lp_ctx = lp_ctx; - ctx->sam_ctx = samdb_connect(ctx, ctx->event_ctx, ctx->lp_ctx, system_session(ctx->lp_ctx)); + if (sam_ctx) { + ctx->sam_ctx = sam_ctx; + } else { + ctx->sam_ctx = samdb_connect(ctx, ctx->event_ctx, ctx->lp_ctx, system_session(ctx->lp_ctx)); + } for (i=0; methods[i] ; i++) { struct auth_method_context *method; @@ -471,15 +479,8 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char ** return NT_STATUS_OK; } -/*************************************************************************** - Make a auth_info struct for the auth subsystem - - Uses default auth_methods, depending on server role and smb.conf settings -***************************************************************************/ -_PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct messaging_context *msg, - struct loadparm_context *lp_ctx, - struct auth_context **auth_ctx) + +static const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) { const char **auth_methods = NULL; switch (lp_server_role(lp_ctx)) { @@ -493,9 +494,60 @@ _PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, auth_methods = lp_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "domain controller", NULL); break; } - return auth_context_create_methods(mem_ctx, auth_methods, ev, msg, lp_ctx, auth_ctx); + return auth_methods; } +/*************************************************************************** + Make a auth_info struct for the auth subsystem + - Uses default auth_methods, depending on server role and smb.conf settings +***************************************************************************/ +_PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct messaging_context *msg, + struct loadparm_context *lp_ctx, + struct auth_context **auth_ctx) +{ + NTSTATUS status; + const char **auth_methods; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + + auth_methods = auth_methods_from_lp(tmp_ctx, lp_ctx); + if (!auth_methods) { + return NT_STATUS_INVALID_PARAMETER; + } + status = auth_context_create_methods(mem_ctx, auth_methods, ev, msg, lp_ctx, NULL, auth_ctx); + talloc_free(tmp_ctx); + return status; +} + +/* Create an auth context from an open LDB. + + This allows us not to re-open the LDB when we need to do a some authentication logic (such as tokenGroups) + + */ +NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth_context **auth_ctx) +{ + NTSTATUS status; + const char **auth_methods; + struct loadparm_context *lp_ctx = talloc_get_type_abort(ldb_get_opaque(ldb, "loadparm"), struct loadparm_context); + struct tevent_context *ev = ldb_get_event_context(ldb); + + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + + auth_methods = auth_methods_from_lp(tmp_ctx, lp_ctx); + if (!auth_methods) { + return NT_STATUS_INVALID_PARAMETER; + } + status = auth_context_create_methods(mem_ctx, auth_methods, ev, NULL, lp_ctx, ldb, auth_ctx); + talloc_free(tmp_ctx); + return status; +} /* the list of currently registered AUTH backends */ static struct auth_backend { diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index e4e56e1219..6d1ed0ea10 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -23,6 +23,8 @@ #include "system/time.h" #include "lib/ldb/include/ldb.h" #include "../lib/util/util_ldb.h" +#include "libcli/ldap/ldap_ndr.h" +#include "libcli/security/security.h" #include "auth/auth.h" #include "../libcli/auth/ntlm_check.h" #include "auth/ntlm/auth_proto.h" @@ -300,10 +302,14 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, } -/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */ +/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack. + + Supply either a principal or a DN +*/ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, const char *principal, + struct ldb_dn *user_dn, struct auth_serversupplied_info **server_info) { NTSTATUS nt_status; @@ -311,7 +317,6 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, DATA_BLOB lm_sess_key = data_blob(NULL, 0); struct ldb_message *msg; - struct ldb_context *sam_ctx; struct ldb_dn *domain_dn; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); @@ -319,21 +324,48 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - sam_ctx = samdb_connect(tmp_ctx, auth_context->event_ctx, auth_context->lp_ctx, - system_session(auth_context->lp_ctx)); - if (sam_ctx == NULL) { - talloc_free(tmp_ctx); - return NT_STATUS_INVALID_SYSTEM_SERVICE; - } + if (principal) { + nt_status = sam_get_results_principal(auth_context->sam_ctx, tmp_ctx, principal, + user_attrs, &domain_dn, &msg); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return nt_status; + } + } else if (user_dn) { + struct dom_sid *user_sid, *domain_sid; + int ret; + /* pull the user attributes */ + ret = dsdb_search_one(auth_context->sam_ctx, tmp_ctx, &msg, user_dn, + LDB_SCOPE_BASE, user_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)"); + if (ret == LDB_ERR_NO_SUCH_OBJECT) { + talloc_free(tmp_ctx); + return NT_STATUS_NO_SUCH_USER; + } else if (ret != LDB_SUCCESS) { + talloc_free(tmp_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } - nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal, - user_attrs, &domain_dn, &msg); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return nt_status; + user_sid = samdb_result_dom_sid(msg, msg, "objectSid"); + + nt_status = dom_sid_split_rid(tmp_ctx, user_sid, &domain_sid, NULL); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + domain_dn = samdb_search_dn(auth_context->sam_ctx, mem_ctx, NULL, + "(&(objectSid=%s)(objectClass=domain))", + ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid)); + if (!domain_dn) { + DEBUG(3, ("authsam_get_server_info_principal: Failed to find domain with: SID %s\n", + dom_sid_string(tmp_ctx, domain_sid))); + return NT_STATUS_NO_SUCH_USER; + } + + } else { + return NT_STATUS_INVALID_PARAMETER; } - nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, + nt_status = authsam_make_server_info(tmp_ctx, auth_context->sam_ctx, lp_netbios_name(auth_context->lp_ctx), lp_workgroup(auth_context->lp_ctx), domain_dn, diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk index 586e937b6c..39e07214d5 100644 --- a/source4/dsdb/samdb/ldb_modules/config.mk +++ b/source4/dsdb/samdb/ldb_modules/config.mk @@ -400,7 +400,7 @@ ldb_instancetype_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/instancetype.o [MODULE::ldb_operational] SUBSYSTEM = LIBLDB CFLAGS = -Ilib/ldb/include -PRIVATE_DEPENDENCIES = LIBTALLOC LIBTEVENT LIBSAMBA-UTIL SAMDB_COMMON DSDB_MODULE_HELPERS auth_sam +PRIVATE_DEPENDENCIES = LIBTALLOC LIBTEVENT LIBSAMBA-UTIL SAMDB_COMMON DSDB_MODULE_HELPERS auth_session auth INIT_FUNCTION = LDB_MODULE(operational) # End MODULE ldb_operational ################################################ diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index 57c7a44e35..e17409e078 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -88,7 +88,7 @@ struct operational_data { construct a canonical name from a message */ static int construct_canonical_name(struct ldb_module *module, - struct ldb_message *msg) + struct ldb_message *msg, enum ldb_scope scope) { char *canonicalName; canonicalName = ldb_dn_canonical_string(msg, msg->dn); @@ -102,7 +102,7 @@ static int construct_canonical_name(struct ldb_module *module, construct a primary group token for groups from a message */ static int construct_primary_group_token(struct ldb_module *module, - struct ldb_message *msg) + struct ldb_message *msg, enum ldb_scope scope) { struct ldb_context *ldb; uint32_t primary_group_token; @@ -126,88 +126,71 @@ static int construct_primary_group_token(struct ldb_module *module, construct the token groups for SAM objects from a message */ static int construct_token_groups(struct ldb_module *module, - struct ldb_message *msg) + struct ldb_message *msg, enum ldb_scope scope) { -#if 0 - struct ldb_context *ldb; - const struct dom_sid *sid; + struct ldb_context *ldb = ldb_module_get_ctx(module);; + struct auth_context *auth_context; + struct auth_serversupplied_info *server_info; + struct auth_session_info *session_info; + TALLOC_CTX *tmp_ctx = talloc_new(msg); + uint32_t i; + int ret; - ldb = ldb_module_get_ctx(module); + NTSTATUS status; - sid = samdb_result_dom_sid(msg, msg, "objectSid"); - if (sid != NULL) { - NTSTATUS status; - uint32_t prim_group_rid; - struct dom_sid **sids = NULL; - unsigned int i, num_sids = 0; - int ret; - - prim_group_rid = samdb_result_uint(msg, "primaryGroupID", 0); - if (prim_group_rid != 0) { - struct dom_sid *prim_group_sid; - - prim_group_sid = dom_sid_add_rid(msg, - samdb_domain_sid(ldb), - prim_group_rid); - if (prim_group_sid == NULL) { - ldb_oom(ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - - /* onlyChilds = false, we want to consider also the - * "primaryGroupID" for membership */ - status = authsam_expand_nested_groups(ldb, - prim_group_sid, - false, msg, - &sids, &num_sids); - if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) { - ldb_oom(ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - if (!NT_STATUS_IS_OK(status)) { - return LDB_ERR_OPERATIONS_ERROR; - } + if (scope != LDB_SCOPE_BASE) { + ldb_set_errstring(ldb, "Cannot provide tokenGroups attribute, this is not a BASE search"); + return LDB_ERR_OPERATIONS_ERROR; + } - for (i = 0; i < num_sids; i++) { - ret = samdb_msg_add_dom_sid(ldb, msg, msg, - "tokenGroups", - sids[i]); - if (ret != LDB_SUCCESS) { - talloc_free(sids); - return ret; - } - } + status = auth_context_create_from_ldb(tmp_ctx, ldb, &auth_context); + if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) { + talloc_free(tmp_ctx); + ldb_module_oom(module); + return LDB_ERR_OPERATIONS_ERROR; + } else if (!NT_STATUS_IS_OK(status)) { + talloc_free(tmp_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } - talloc_free(sids); - } + status = auth_get_server_info_principal(tmp_ctx, auth_context, NULL, msg->dn, &server_info); + if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) { + talloc_free(tmp_ctx); + ldb_module_oom(module); + return LDB_ERR_OPERATIONS_ERROR; + } else if (!NT_STATUS_IS_OK(status)) { + talloc_free(tmp_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } - sids = NULL; - num_sids = 0; + status = auth_generate_session_info(tmp_ctx, auth_context, server_info, &session_info); + if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) { + talloc_free(tmp_ctx); + ldb_module_oom(module); + return LDB_ERR_OPERATIONS_ERROR; + } else if (!NT_STATUS_IS_OK(status)) { + talloc_free(tmp_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } - /* onlyChils = true, we don't want to have the SAM object itself - * in the result */ - status = authsam_expand_nested_groups(ldb, sid, true, msg, - &sids, &num_sids); - if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) { - ldb_oom(ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - if (!NT_STATUS_IS_OK(status)) { - return LDB_ERR_OPERATIONS_ERROR; - } + ret = samdb_msg_add_dom_sid(ldb, msg, msg, + "tokenGroups", + session_info->security_token->group_sid); + if (ret != LDB_SUCCESS) { + talloc_free(tmp_ctx); + return ret; + } - for (i = 0; i < num_sids; i++) { - ret = samdb_msg_add_dom_sid(ldb, msg, msg, - "tokenGroups", sids[i]); - if (ret != LDB_SUCCESS) { - talloc_free(sids); - return ret; - } + for (i = 0; i < session_info->security_token->num_sids; i++) { + ret = samdb_msg_add_dom_sid(ldb, msg, msg, + "tokenGroups", + session_info->security_token->sids[i]); + if (ret != LDB_SUCCESS) { + talloc_free(tmp_ctx); + return ret; } - - talloc_free(sids); } -#endif + return LDB_SUCCESS; } @@ -215,7 +198,7 @@ static int construct_token_groups(struct ldb_module *module, construct the parent GUID for an entry from a message */ static int construct_parent_guid(struct ldb_module *module, - struct ldb_message *msg) + struct ldb_message *msg, enum ldb_scope scope) { struct ldb_result *res; const struct ldb_val *parent_guid; @@ -263,7 +246,7 @@ static int construct_parent_guid(struct ldb_module *module, construct a subSchemaSubEntry */ static int construct_subschema_subentry(struct ldb_module *module, - struct ldb_message *msg) + struct ldb_message *msg, enum ldb_scope scope) { struct operational_data *data = talloc_get_type(ldb_module_get_private(module), struct operational_data); char *subSchemaSubEntry; @@ -514,14 +497,14 @@ static const struct { const char *attr; const char *replace; const char *extra_attr; - int (*constructor)(struct ldb_module *, struct ldb_message *); + int (*constructor)(struct ldb_module *, struct ldb_message *, enum ldb_scope); } search_sub[] = { { "createTimestamp", "whenCreated", NULL , NULL }, { "modifyTimestamp", "whenChanged", NULL , NULL }, { "structuralObjectClass", "objectClass", NULL , NULL }, { "canonicalName", "distinguishedName", NULL , construct_canonical_name }, { "primaryGroupToken", "objectClass", "objectSid", construct_primary_group_token }, - { "tokenGroups", "objectSid", "primaryGroupID", construct_token_groups }, + { "tokenGroups", "objectClass", NULL, construct_token_groups }, { "parentGUID", NULL, NULL, construct_parent_guid }, { "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry }, { "msDS-isRODC", "objectClass", "objectCategory", construct_msds_isrodc }, @@ -565,6 +548,7 @@ static const struct { */ static int operational_search_post_process(struct ldb_module *module, struct ldb_message *msg, + enum ldb_scope scope, const char * const *attrs_from_user, const char * const *attrs_searched_for, bool sd_flags_set) @@ -608,7 +592,7 @@ static int operational_search_post_process(struct ldb_module *module, constructor or a simple copy */ constructed_attributes = true; if (search_sub[i].constructor != NULL) { - if (search_sub[i].constructor(module, msg) != LDB_SUCCESS) { + if (search_sub[i].constructor(module, msg, scope) != LDB_SUCCESS) { goto failed; } } else if (ldb_msg_copy_attr(msg, @@ -655,7 +639,7 @@ failed: struct operational_context { struct ldb_module *module; struct ldb_request *req; - + enum ldb_scope scope; const char * const *attrs; bool sd_flags_set; }; @@ -682,6 +666,7 @@ static int operational_callback(struct ldb_request *req, struct ldb_reply *ares) attributes that have been asked for */ ret = operational_search_post_process(ac->module, ares->message, + ac->scope, ac->attrs, req->op.search.attrs, ac->sd_flags_set); @@ -727,6 +712,7 @@ static int operational_search(struct ldb_module *module, struct ldb_request *req ac->module = module; ac->req = req; + ac->scope = req->op.search.scope; ac->attrs = req->op.search.attrs; /* FIXME: We must copy the tree and keep the original diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build b/source4/dsdb/samdb/ldb_modules/wscript_build index 1f464240a4..370b548eb2 100644 --- a/source4/dsdb/samdb/ldb_modules/wscript_build +++ b/source4/dsdb/samdb/ldb_modules/wscript_build @@ -262,7 +262,7 @@ bld.SAMBA_MODULE('ldb_operational', source='operational.c', subsystem='LIBLDB', init_function='LDB_MODULE(operational)', - deps='talloc tevent LIBSAMBA-UTIL SAMDB_COMMON DSDB_MODULE_HELPERS auth_sam' + deps='talloc tevent LIBSAMBA-UTIL SAMDB_COMMON DSDB_MODULE_HELPERS auth' ) diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index c5d37e82c9..17e724eb6a 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -499,6 +499,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, ev, msg, lp_ctx, + NULL, &auth_context); if (!NT_STATUS_IS_OK(nt_status)) { |