-rw-r--r--source4/dsdb/samdb/ldb_modules/acl.c6
-rw-r--r--source4/dsdb/samdb/ldb_modules/descriptor.c6
2 files changed, 12 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index e02270631f..5679e11359 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -634,8 +634,10 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req)
ldb = ldb_module_get_ctx(module);
/* Creating an NC. There is probably something we should do here,
* but we will establish that later */
+ /* FIXME: this has to be made dynamic at some point */
if ((ldb_dn_compare(req->op.add.message->dn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.add.message->dn, (ldb_get_config_basedn(ldb))) == 0) ||
+ (ldb_dn_compare(req->op.add.message->dn, (ldb_get_default_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.add.message->dn, (ldb_get_root_basedn(ldb))) == 0)) {
return ldb_next_request(module, req);
}
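Review bot: In acl_add the naming-context test returns `ldb_next_request(module, req)` without any access check, and the added `ldb_get_default_basedn` line extends that pass-through to the domain DN, yet neither the existing comment nor the new FIXME says why skipping the check is safe. A comment such as `/* NC roots have no parent to check create-child on; this path is only expected while provisioning */` would record the assumption, if that is indeed the intent. acl_add begins outside this hunk, so an earlier privilege test may already limit who reaches this line. The same four-DN list is repeated in the acl_delete and acl_rename hunks and in descriptor_do_add in descriptor.c; a copy that falls out of step would leave the modules disagreeing about what counts as an NC root, so one shared predicate would be safer than four hand-maintained conditions.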
@@ -847,8 +849,10 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
/* Nope, we don't have delete object. Lets check if we have delete child on the parent */
/* No parent, so check fails */
+ /* FIXME: this has to be made dynamic at some point */
if ((ldb_dn_compare(req->op.del.dn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.del.dn, (ldb_get_config_basedn(ldb))) == 0) ||
+ (ldb_dn_compare(req->op.del.dn, (ldb_get_default_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.del.dn, (ldb_get_root_basedn(ldb))) == 0)) {
DEBUG(10,("acl:deleting an NC\n"));
return ldb_module_done(req, NULL, NULL, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS);
@@ -975,8 +979,10 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
}
/* What exactly to do in this case? It would fail anyway.. */
+ /* FIXME: this has to be made dynamic at some point */
if ((ldb_dn_compare(req->op.rename.newdn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.rename.newdn, (ldb_get_config_basedn(ldb))) == 0) ||
+ (ldb_dn_compare(req->op.rename.newdn, (ldb_get_default_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.rename.newdn, (ldb_get_root_basedn(ldb))) == 0)) {
DEBUG(10,("acl:moving as an NC\n"));
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
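Review bot: The naming-context test in acl_rename looks only at `req->op.rename.newdn`, so a rename whose source DN is the domain NC root is not rejected by this condition. If that case is not caught elsewhere, the condition could also compare the old DN against the same base DNs, for example `(ldb_dn_compare(req->op.rename.olddn, ldb_get_default_basedn(ldb)) == 0) ||`. The function continues on both sides of the hunk, so the old DN may already be handled outside the visible lines.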
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index efd331b054..cdfab3c354 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -64,6 +64,7 @@ struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_dn *root_base_dn = ldb_get_root_basedn(ldb);
+ struct ldb_dn *default_base_dn = ldb_get_default_basedn(ldb);
struct ldb_dn *schema_base_dn = ldb_get_schema_basedn(ldb);
struct ldb_dn *config_base_dn = ldb_get_config_basedn(ldb);
const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
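Review bot: `default_base_dn` is declared here but nothing in the visible hunks of get_default_ag reads it; the next hunk only adds a FIXME ahead of the `schema_base_dn` comparison. If no later branch uses it, the build gains an unused-variable warning and the default owner/group choice still treats the forest root DN as the domain DN, which the FIXME itself says is not always true. Either add the branch that tests `dn` against `default_base_dn`, or leave the declaration out until that fix lands. The rest of the function lies outside the hunk, so this is inferred from the visible lines only.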
@@ -72,6 +73,9 @@ struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
struct dom_sid *dag_sid;
+ /* FIXME: this has to be fixed regarding the forest DN (root DN) and
+ * the domain DN (default DN) - they aren't always the same. */
+
if (ldb_dn_compare_base(schema_base_dn, dn) == 0){
if (security_token_has_sid(token, sa_sid))
dag_sid = dom_sid_dup(mem_ctx, sa_sid);
@@ -697,8 +701,10 @@ static int descriptor_do_add(struct descriptor_context *ac)
ac->sd_val = talloc_memdup(ac, &sd_element->values[0], sizeof(struct ldb_val));
}
/* NC's have no parent */
+ /* FIXME: this has to be made dynamic at some point */
if ((ldb_dn_compare(msg->dn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(msg->dn, (ldb_get_config_basedn(ldb))) == 0) ||
+ (ldb_dn_compare(msg->dn, (ldb_get_default_basedn(ldb))) == 0) ||
(ldb_dn_compare(msg->dn, (ldb_get_root_basedn(ldb))) == 0)) {
ac->parentsd_val = NULL;
} else if (ac->search_res != NULL) {