author | Andrew Bartlett <abartlet@samba.org> | 2007-08-27 02:26:24 +0000 |
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 15:02:48 -0500 |
commit | 4b31fd4409cd9eca29469c09ce4b585c6d5f1a81 (patch) | |
tree | 3b0a5de67ea74da5fdc64316fa7443d95de0d260 /source4 | |
parent | 8794ffbc61c03ba9c5f2e2e61d23d87ed331e9ee (diff) | |
r24696: Fix bug 4918 reported by Matthias Wallnöfer <mwallnoefer@yahoo.de>
with a patch from Andrew Kroeger <andrew@sprocks.gotdns.com>.
The changes to samldb_fill_foreignSecurityPrincipal_object() look much
larger than they are: We just skip all the objectSid generation if the
SID is supplied.
By providing a few more objects, standard dialogs on the clients are
better behaved, for these 'well known' users.
Andrew Bartlett
(This used to be commit 35ee4aee719e69983d650602d1c6422a31600001)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 77 | ||||
-rw-r--r-- | source4/setup/provision_users.ldif | 237 |
2 files changed, 277 insertions, 37 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index d4dc2b3d2b..d448e30b31 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -576,7 +576,7 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct ldb_module *module
 /* build the new msg */
 msg2 = ldb_msg_copy(mem_ctx, msg);
 if (!msg2) {
- ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_foreignSecurityPrincpal_object: ldb_msg_copy failed!\n");
+ ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_foreignSecurityPrincipal_object: ldb_msg_copy failed!\n");
 talloc_free(mem_ctx);
 return LDB_ERR_OPERATIONS_ERROR;
 }
@@ -601,47 +601,50 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct ldb_module *module
 return LDB_ERR_CONSTRAINT_VIOLATION;
 }
 
- /* Slightly different for the foreign sids. We don't want
- * domain SIDs ending up there, it would cause all sorts of
- * pain */
-
- sid = dom_sid_parse_talloc(msg2, (const char *)ldb_dn_get_rdn_val(msg2->dn)->data);
+ sid = samdb_result_dom_sid(msg2, msg, "objectSid");
 if (!sid) {
- ldb_set_errstring(module->ldb, "No valid found SID in ForeignSecurityPrincipal CN!");
- talloc_free(mem_ctx);
- return LDB_ERR_CONSTRAINT_VIOLATION;
- }
+ /* Slightly different for the foreign sids. We don't want
+ * domain SIDs ending up there, it would cause all sorts of
+ * pain */
 
- if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) {
- talloc_free(sid);
- return LDB_ERR_OPERATIONS_ERROR;
- }
+ sid = dom_sid_parse_talloc(msg2, (const char *)ldb_dn_get_rdn_val(msg2->dn)->data);
+ if (!sid) {
+ ldb_set_errstring(module->ldb, "No valid found SID in ForeignSecurityPrincipal CN!");
+ talloc_free(mem_ctx);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
 
- dom_sid = dom_sid_dup(mem_ctx, sid);
- if (!dom_sid) {
- talloc_free(mem_ctx);
- return LDB_ERR_OPERATIONS_ERROR;
- }
- /* get the domain component part of the provided SID */
- dom_sid->num_auths--;
+ if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) {
+ talloc_free(sid);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
 
- /* find the domain DN */
+ dom_sid = dom_sid_dup(mem_ctx, sid);
+ if (!dom_sid) {
+ talloc_free(mem_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ /* get the domain component part of the provided SID */
+ dom_sid->num_auths--;
 
- ret = gendb_search(module->ldb,
- mem_ctx, NULL, &dom_msgs, dom_attrs,
- "(&(objectSid=%s)(objectclass=domain))",
- ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
- if (ret >= 1) {
- /* We don't really like the idea of foreign sids that are not foreign, but it happens */
- const char *name = samdb_result_string(dom_msgs[0], "name", NULL);
- ldb_debug(module->ldb, LDB_DEBUG_TRACE, "NOTE (strange but valid): Adding foreign SID record with SID %s, but this domian (%s) is already in the database",
- dom_sid_string(mem_ctx, sid), name);
- } else if (ret == -1) {
- ldb_asprintf_errstring(module->ldb,
- "samldb_fill_foreignSecurityPrincipal_object: error searching for a domain with this sid: %s\n",
- dom_sid_string(mem_ctx, dom_sid));
- talloc_free(dom_msgs);
- return LDB_ERR_OPERATIONS_ERROR;
+ /* find the domain DN */
+
+ ret = gendb_search(module->ldb,
+ mem_ctx, NULL, &dom_msgs, dom_attrs,
+ "(&(objectSid=%s)(objectclass=domain))",
+ ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
+ if (ret >= 1) {
+ /* We don't really like the idea of foreign sids that are not foreign, but it happens */
+ const char *name = samdb_result_string(dom_msgs[0], "name", NULL);
+ ldb_debug(module->ldb, LDB_DEBUG_TRACE, "NOTE (strange but valid): Adding foreign SID record with SID %s, but this domian (%s) is already in the database",
+ dom_sid_string(mem_ctx, sid), name);
+ } else if (ret == -1) {
+ ldb_asprintf_errstring(module->ldb,
+ "samldb_fill_foreignSecurityPrincipal_object: error searching for a domain with this sid: %s\n",
+ dom_sid_string(mem_ctx, dom_sid));
+ talloc_free(dom_msgs);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
 }
 
 /* This isn't an operation on a domain we know about, so just
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index fa81784f1e..dcb9ef14fa 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
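Review bot: When the add request already carries an objectSid, the new `sid = samdb_result_dom_sid(msg2, msg, "objectSid");` path takes that SID at face value and the whole `if (!sid) { … }` block — including the gendb_search that warns when a "foreign" SID actually belongs to a domain already in the database — is bypassed, so a supplied SID is checked neither against the RDN nor against known domains. Unless an earlier module restricts who may set objectSid on a foreignSecurityPrincipal (not visible here), an add can therefore create an entry whose CN and SID disagree. Closing the `if (!sid)` block right after the `samldb_msg_add_sid()` error check, so that `dom_sid = dom_sid_dup(mem_ctx, sid);` and the domain lookup run on both paths, would keep that check for supplied SIDs; comparing `dom_sid_string(mem_ctx, sid)` with the RDN value whenever the RDN itself parses as a SID would catch the mismatch case. The moved `talloc_free(sid);` on the samldb_msg_add_sid failure path still leaves mem_ctx unfreed, unlike the neighbouring error returns. samldb_fill_foreignSecurityPrincipal_object() begins and ends outside this hunk.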
@@ -347,3 +347,240 @@ groupType: 2147483653
 isCriticalSystemObject: TRUE
 privilege: SeInteractiveLogonRight
 
+dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Pre-Windows 2000 Compatible Access
+description: A backward compatibility group which allows read access on all users and groups in the domain
+objectSid: S-1-5-32-554
+sAMAccountName: Pre-Windows 2000 Compatible Access
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+privilege: SeRemoteInteractiveLogonRight
+privilege: SeChangeNotifyPrivilege
+
+dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Incoming Forest Trust Builders
+description: Members of this group can create incoming, one-way trusts to this forest
+objectSid: S-1-5-32-557
+sAMAccountName: Incoming Forest Trust Builders
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+
+dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Windows Authorization Access Group
+description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
+objectSid: S-1-5-32-560
+sAMAccountName: Windows Authorization Access Group
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+
+dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Terminal Server License Servers
+description: Terminal Server License Servers
+objectSid: S-1-5-32-561
+sAMAccountName: Terminal Server License Servers
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+
+dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Distributed COM Users
+description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
+objectSid: S-1-5-32-562
+sAMAccountName: Distributed COM Users
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+
+dn: CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: container
+cn: WellKnown Security Principals
+systemFlags: 2147483648
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Anonymous Logon
+objectSid: S-1-5-7
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Authenticated Users
+objectSid: S-1-5-11
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Batch
+objectSid: S-1-5-3
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Creator Group
+objectSid: S-1-3-1
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Creator Owner
+objectSid: S-1-3-0
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Dialup
+objectSid: S-1-5-1
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Digest Authentication
+objectSid: S-1-5-64-21
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Enterprise Domain Controllers
+objectSid: S-1-5-9
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Everyone
+objectSid: S-1-1-0
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Interactive
+objectSid: S-1-5-4
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Local Service
+objectSid: S-1-5-19
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Network
+objectSid: S-1-5-2
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Network Service
+objectSid: S-1-5-20
+showInAdvancedViewOnly: TRUE
+
+dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: NTLM Authentication
+objectSid: S-1-5-64-10
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Other Organization
+objectSid: S-1-5-1000
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Proxy
+objectSid: S-1-5-8
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Remote Interactive Logon
+objectSid: S-1-5-14
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Restricted
+objectSid: S-1-5-12
+showInAdvancedViewOnly: TRUE
+
+dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: SChannel Authentication
+objectSid: S-1-5-64-14
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Self
+objectSid: S-1-5-10
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Service
+objectSid: S-1-5-6
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Terminal Server User
+objectSid: S-1-5-13
+showInAdvancedViewOnly: TRUE
+
+dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: This Organization
+objectSid: S-1-5-15
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Well-Known-Security-Id-System,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Well-Known-Security-Id-System
+objectSid: S-1-5-18
+showInAdvancedViewOnly: TRUE
+
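Review bot: The foreignSecurityPrincipal entries under CN=WellKnown Security Principals carry an explicit `objectSid` next to a CN that is a display name rather than a SID string, and nothing in the file records that samldb_fill_foreignSecurityPrincipal_object() only skips its CN-derived SID generation because that attribute is present; a `# objectSid is given explicitly: the CN is a display name, not a SID, so samldb cannot derive it` comment before the CN=Anonymous Logon entry would document that dependency. The new Builtin groups are provisioned without `member` values, which for Pre-Windows 2000 Compatible Access (S-1-5-32-554) is the conservative choice given that its description promises read access to all users and groups; a one-line comment stating that membership is deliberately left empty at provision time would keep a later edit from widening it unknowingly.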