Diffstat (limited to 'source4')
-rw-r--r-- | source4/dsdb/common/dsdb_access.c | 33 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl.c | 29 |
2 files changed, 7 insertions, 55 deletions
diff --git a/source4/dsdb/common/dsdb_access.c b/source4/dsdb/common/dsdb_access.c
index 40233f9379..7857e1fa25 100644
--- a/source4/dsdb/common/dsdb_access.c
+++ b/source4/dsdb/common/dsdb_access.c
@@ -33,6 +33,7 @@
 #include "libcli/ldap/ldap_ndr.h"
 #include "param/param.h"
 #include "auth/auth.h"
+#include "dsdb/samdb/samdb.h"
 
 void dsdb_acl_debug(struct security_descriptor *sd,
 struct security_token *token,
@@ -78,32 +79,6 @@ int dsdb_get_sd_from_ldb_message(TALLOC_CTX *mem_ctx,
 return LDB_SUCCESS;
 }
 
-int dsdb_get_dom_sid_from_ldb_message(TALLOC_CTX *mem_ctx,
- struct ldb_message *acl_res,
- struct dom_sid **sid)
-{
- struct ldb_message_element *sid_element;
- enum ndr_err_code ndr_err;
-
- sid_element = ldb_msg_find_element(acl_res, "objectSid");
- if (!sid_element) {
- *sid = NULL;
- return LDB_SUCCESS;
- }
- *sid = talloc(mem_ctx, struct dom_sid);
- if(!*sid) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
- ndr_err = ndr_pull_struct_blob(&sid_element->values[0], *sid, NULL, *sid,
- (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
-
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
- return LDB_SUCCESS;
-}
-
 int dsdb_check_access_on_dn_internal(struct ldb_result *acl_res,
 TALLOC_CTX *mem_ctx,
 struct security_token *token,
@@ -127,11 +102,7 @@ int dsdb_check_access_on_dn_internal(struct ldb_result *acl_res,
 if (!sd) {
 return LDB_SUCCESS;
 }
- ret = dsdb_get_dom_sid_from_ldb_message(mem_ctx, acl_res->msgs[0], &sid);
- if (ret != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
+ sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");
 if (guid) {
 if (!insert_in_object_tree(mem_ctx, guid, access, &root, &new_node)) {
 return LDB_ERR_OPERATIONS_ERROR;
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 5679e11359..35b5663745 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
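Review bot: The hunk at @@ -78,32 deletes the definition of dsdb_get_dom_sid_from_ldb_message, but the diffstat shows only the two .c files changing, and acl.c in another directory was calling this function, so a declaration of it must exist somewhere that this commit does not touch. That stale prototype (in whatever header dsdb_access.c exports through) should be removed in the same commit, otherwise it keeps advertising a function with no definition and any remaining caller only fails at link time. Worth a grep for the name outside source4/dsdb before merging.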
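Review bot: In dsdb_check_access_on_dn_internal the replacement `sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");` has only a pointer to report with, so a missing objectSid, an allocation failure and an unparseable SID blob all arrive as sid == NULL, whereas the deleted helper returned LDB_ERR_OPERATIONS_ERROR for the last two and this caller bailed out with an error. The access check now proceeds with a NULL sid in those cases; if sec_access_check_ds uses it for Self-ACE matching, a corrupt objectSid silently changes the result of the check instead of failing the request. Either keep an explicit error path for the failure cases or record the decision at the call site, e.g. `/* NULL means no objectSid; alloc/parse failures are folded into the same case and the object is evaluated without a Self SID */`. The same substitution appears in the five acl.c hunks (acl_allowedAttributes, acl_childClassesEffective, acl_sDRightsEffective, acl_modify, acl_rename) and the comment or error handling should be applied there too.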
@@ -374,11 +374,8 @@ static int acl_allowedAttributes(struct ldb_module *module,
 if (ret != LDB_SUCCESS) {
 return ret;
 }
- ret = dsdb_get_dom_sid_from_ldb_message(mem_ctx, sd_msg, &sid);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
+ sid = samdb_result_dom_sid(mem_ctx, sd_msg, "objectSid");
 for (i=0; attr_list && attr_list[i]; i++) {
 const struct dsdb_attribute *attr = dsdb_attribute_by_lDAPDisplayName(schema, attr_list[i]);
@@ -495,11 +492,8 @@ static int acl_childClassesEffective(struct ldb_module *module,
 if (ret != LDB_SUCCESS) {
 return ret;
 }
- ret = dsdb_get_dom_sid_from_ldb_message(msg, sd_msg, &sid);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
+ sid = samdb_result_dom_sid(msg, sd_msg, "objectSid");
 for (i=0; oc_el && i < oc_el->num_values; i++) {
 sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
 if (!sclass) {
@@ -573,11 +567,7 @@ static int acl_sDRightsEffective(struct ldb_module *module,
 if (ret != LDB_SUCCESS) {
 return ret;
 }
- ret = dsdb_get_dom_sid_from_ldb_message(msg, sd_msg, &sid);
-
- if (ret != LDB_SUCCESS) {
- return ret;
- }
+ sid = samdb_result_dom_sid(msg, sd_msg, "objectSid");
 ret = acl_check_access_on_attribute(module,
 msg,
 sd,
@@ -729,12 +719,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 DEBUG(10, ("acl_modify: cannot get guid\n"));
 goto fail;
 }
-
- ret = dsdb_get_dom_sid_from_ldb_message(req, acl_res->msgs[0], &sid);
- if (ret != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
+ sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");
 if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP, &root, &new_node)) {
 DEBUG(10, ("acl_modify: cannot add to object tree\n"));
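Review bot: In the acl_modify hunk (@@ -729,12) the rewritten line `sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");` parents the SID on `req`, while the object tree built on the very next line is allocated under `tmp_ctx`; since the line is being rewritten anyway, `sid = samdb_result_dom_sid(tmp_ctx, acl_res->msgs[0], "objectSid");` would tie the SID's lifetime to the check rather than to the whole request, provided tmp_ctx is only freed after the access check that follows outside this hunk. The earlier code made the same choice of parent, so this is a style point rather than a regression. The acl_rename hunk below uses `req` in the same way and could be aligned at the same time.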
@@ -951,11 +936,7 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
 if (!sd) {
 return LDB_SUCCESS;
 }
- ret = dsdb_get_dom_sid_from_ldb_message(req, acl_res->msgs[0], &sid);
- if (ret != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
+ sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");
 status = sec_access_check_ds(sd, acl_user_token(module), SEC_ADS_WRITE_PROP, &access_granted, |