summaryrefslogtreecommitdiff
path: root/source4/dsdb
diff options
context:
space:
mode:
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/common/util.c31
-rw-r--r--source4/dsdb/samdb/cracknames.c2
-rw-r--r--source4/dsdb/samdb/ldb_modules/kludge_acl.c45
-rw-r--r--source4/dsdb/samdb/ldb_modules/normalise.c2
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c20
-rw-r--r--source4/dsdb/samdb/ldb_modules/password_hash.c3
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c4
7 files changed, 51 insertions, 56 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 88c8afd6cc..1220a5c855 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -445,13 +445,12 @@ NTTIME samdb_result_nttime(struct ldb_message *msg, const char *attr, NTTIME def
* Consolidate that logic here to allow clearer logic for account expiry in
* the rest of the code.
*/
-NTTIME samdb_result_account_expires(struct ldb_message *msg,
- NTTIME default_value)
+NTTIME samdb_result_account_expires(struct ldb_message *msg)
{
NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires",
- default_value);
+ 0);
- if (ret == (NTTIME)0)
+ if (ret == 0)
ret = 0x7FFFFFFFFFFFFFFFULL;
return ret;
@@ -1004,7 +1003,13 @@ struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb)
{
TALLOC_CTX *tmp_ctx;
- struct dom_sid *domain_sid;
+ const struct dom_sid *domain_sid;
+ const char *attrs[] = {
+ "objectSid",
+ NULL
+ };
+ struct ldb_result *res;
+ int ret;
/* see if we have a cached copy */
domain_sid = (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
@@ -1017,9 +1022,17 @@ const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb)
goto failed;
}
- /* find the domain_sid */
- domain_sid = samdb_search_dom_sid(ldb, tmp_ctx, ldb_get_default_basedn(ldb),
- "objectSid", "objectClass=domainDNS");
+ ret = ldb_search_exp_fmt(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectSid=*");
+
+ if (ret != LDB_SUCCESS) {
+ goto failed;
+ }
+
+ if (res->count != 1) {
+ goto failed;
+ }
+
+ domain_sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
if (domain_sid == NULL) {
goto failed;
}
@@ -1464,7 +1477,7 @@ int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
while ((sdn = ldb_dn_get_parent(local_ctx, sdn))) {
ret = ldb_search(ldb, sdn, LDB_SCOPE_BASE,
- "(|(objectClass=domain)(objectClass=builtinDomain))", attrs, &res);
+ "(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain))", attrs, &res);
if (ret == LDB_SUCCESS) {
talloc_steal(local_ctx, res);
if (res->count == 1) {
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index 93da46d5bd..b9333e451b 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -329,7 +329,7 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))",
ldb_binary_encode_string(mem_ctx, unparsed_name_short));
- domain_filter = talloc_asprintf(mem_ctx, "(dn=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
+ domain_filter = talloc_asprintf(mem_ctx, "(distinguishedName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
if (!result_filter || !domain_filter) {
free(unparsed_name_short);
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index e3e1f7ac88..e418031271 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -46,42 +46,15 @@
*
*/
-enum user_is {
- ANONYMOUS,
- USER,
- ADMINISTRATOR,
- SYSTEM
-};
-
struct kludge_private_data {
const char **password_attrs;
};
-static enum user_is what_is_user(struct ldb_module *module)
+static enum security_user_level what_is_user(struct ldb_module *module)
{
struct auth_session_info *session_info
= (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo");
- if (!session_info) {
- return ANONYMOUS;
- }
-
- if (security_token_is_system(session_info->security_token)) {
- return SYSTEM;
- }
-
- if (security_token_is_anonymous(session_info->security_token)) {
- return ANONYMOUS;
- }
-
- if (security_token_has_builtin_administrators(session_info->security_token)) {
- return ADMINISTRATOR;
- }
-
- if (security_token_has_nt_authenticated_users(session_info->security_token)) {
- return USER;
- }
-
- return ANONYMOUS;
+ return security_session_user_level(session_info);
}
static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
@@ -104,7 +77,7 @@ struct kludge_acl_context {
void *up_context;
int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
- enum user_is user_type;
+ enum security_user_level user_type;
bool allowedAttributes;
bool allowedAttributesEffective;
bool allowedChildClasses;
@@ -272,8 +245,8 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
if (data && data->password_attrs) /* if we are not initialized just get through */
{
switch (ac->user_type) {
- case SYSTEM:
- case ADMINISTRATOR:
+ case SECURITY_SYSTEM:
+ case SECURITY_ADMINISTRATOR:
if (ac->allowedAttributesEffective) {
ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
if (ret != LDB_SUCCESS) {
@@ -359,7 +332,7 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
so we don't allow a search for 'sambaPassword=penguin',
just as we would not allow that attribute to be returned */
switch (ac->user_type) {
- case SYSTEM:
+ case SECURITY_SYSTEM:
break;
default:
/* remove password attributes */
@@ -391,10 +364,10 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
/* ANY change type */
static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
{
- enum user_is user_type = what_is_user(module);
+ enum security_user_level user_type = what_is_user(module);
switch (user_type) {
- case SYSTEM:
- case ADMINISTRATOR:
+ case SECURITY_SYSTEM:
+ case SECURITY_ADMINISTRATOR:
return ldb_next_request(module, req);
default:
ldb_asprintf_errstring(module->ldb,
diff --git a/source4/dsdb/samdb/ldb_modules/normalise.c b/source4/dsdb/samdb/ldb_modules/normalise.c
index a0eff43534..8de9e33002 100644
--- a/source4/dsdb/samdb/ldb_modules/normalise.c
+++ b/source4/dsdb/samdb/ldb_modules/normalise.c
@@ -117,7 +117,7 @@ static int normalise_search_callback(struct ldb_context *ldb, void *context, str
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
- ret = fix_dn(ares->message->dn);
+ ret = fix_dn(dn);
if (ret != LDB_SUCCESS) {
talloc_free(mem_ctx);
return ret;
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index e63ad4de56..4d4ef585cb 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -257,12 +257,18 @@ static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx,
DATA_BLOB *linear_sd;
struct auth_session_info *session_info
= ldb_get_opaque(module->ldb, "sessionInfo");
- struct security_descriptor *sd
- = sddl_decode(mem_ctx,
- objectclass->defaultSecurityDescriptor,
- samdb_domain_sid(module->ldb));
+ struct security_descriptor *sd;
+ struct dom_sid *domain_sid = samdb_domain_sid(module->ldb);
- if (!session_info || !session_info->security_token) {
+ if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
+ return NULL;
+ }
+
+ sd = sddl_decode(mem_ctx,
+ objectclass->defaultSecurityDescriptor,
+ domain_sid);
+
+ if (!sd || !session_info || !session_info->security_token) {
return NULL;
}
@@ -538,7 +544,9 @@ static int objectclass_do_add(struct ldb_handle *h)
}
if (!ldb_msg_find_element(msg, "nTSecurityDescriptor")) {
DATA_BLOB *sd = get_sd(ac->module, mem_ctx, current->objectclass);
- ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
+ if (sd) {
+ ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
+ }
}
}
}
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index aa64700f2f..1d2bdd988e 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1220,7 +1220,8 @@ static int build_domain_data_request(struct ph_context *ac)
ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb);
ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
- filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(objectClass=domain)(objectClass=builtinDomain)))",
+ filter = talloc_asprintf(ac->dom_req,
+ "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))",
ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid));
if (filter == NULL) {
ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 905cd4a995..5407db9956 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -293,7 +293,7 @@ int samldb_notice_sid(struct ldb_module *module,
/* find the domain DN */
ret = ldb_search_exp_fmt(module->ldb, mem_ctx, &dom_res,
NULL, LDB_SCOPE_SUBTREE, attrs,
- "(&(objectSid=%s)(objectclass=domain))",
+ "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))",
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
if (ret == LDB_SUCCESS) {
if (dom_res->count == 0) {
@@ -369,7 +369,7 @@ static int samldb_generate_samAccountName(struct ldb_module *module, TALLOC_CTX
/* Format: $000000-000000000000 */
do {
- *name = talloc_asprintf(mem_ctx, "$%.6X-%.6X%.6X", (unsigned int)random(), (unsigned int)random(), (unsigned int)random());
+ *name = talloc_asprintf(mem_ctx, "$%.6X-%.6X%.6X", (unsigned int)generate_random(), (unsigned int)generate_random(), (unsigned int)generate_random());
/* TODO: Figure out exactly what this is meant to conflict with */
ret = ldb_search_exp_fmt(module->ldb,
mem_ctx, &res, dom_dn, LDB_SCOPE_SUBTREE, attrs,