diff options
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl.c | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 21843ad6e0..af13955771 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -549,8 +549,8 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, const char *samAccountName; const char *dnsHostName; const char *netbios_name; - const struct GUID *ntds = samdb_ntds_objectGUID(ldb); - const char *ntds_guid = GUID_string(tmp_ctx, ntds); + struct GUID ntds; + char *ntds_guid = NULL; static const char *acl_attrs[] = { "samAccountName", @@ -562,6 +562,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, "nETBIOSName", NULL }; + /* if we have wp, we can do whatever we like */ if (acl_check_access_on_attribute(module, tmp_ctx, @@ -619,6 +620,20 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, "Error finding element for servicePrincipalName."); } + /* NTDSDSA objectGuid of object we are checking SPN for */ + if (userAccountControl & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { + ret = dsdb_module_find_ntdsguid_for_computer(module, tmp_ctx, + req->op.mod.message->dn, &ntds, req); + if (ret != LDB_SUCCESS) { + ldb_asprintf_errstring(ldb, "Failed to find NTDSDSA objectGuid for %s: %s", + ldb_dn_get_linearized(req->op.mod.message->dn), + ldb_strerror(ret)); + talloc_free(tmp_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + ntds_guid = GUID_string(tmp_ctx, &ntds); + } + for (i=0; i < el->num_values; i++) { ret = acl_validate_spn_value(tmp_ctx, ldb, |