summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb/ldb_modules/acl.c
AgeCommit message (Collapse)AuthorFilesLines
2012-11-30s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given ↵Stefan Metzmacher1-0/+12
(bug #7711) Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributesStefan Metzmacher1-5/+36
The @KLUDGEACL record might not be uptodate. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)Stefan Metzmacher1-1/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: calculate the correct access_mask when modifying ↵Stefan Metzmacher1-1/+14
nTSecurityDescriptor The access_mask depends on the SD Flags. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" ↵Stefan Metzmacher1-0/+11
is set In that case the acl_read module does the protection. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: remove unused "acl:perform" optionStefan Metzmacher1-3/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-5/+15
The searches are done in order to do access checks and the results are not directly exposed to the client. Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-12s4:dsdb/acl: only give administrators access to attributes marked as ↵Stefan Metzmacher1-0/+87
confidential (bug #8620) The full fix will to implement and use the code of the read_acl module, but this is better than nothing for now. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12s4:dsdb/acl: reorganize the logic flow in the password filtering checksStefan Metzmacher1-54/+92
This avoids some nesting levels and does early returns. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12s4:dsdb/acl: fix search filter cleanup for password attributesStefan Metzmacher1-1/+1
We need to this when we're *not* system. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-04-11s4:dsdb/samdb/ldb_modules/schema.c - move "get_last_structural_class()" into ↵Matthias Dieter Wallnöfer1-2/+1
"util.c" And remove this helper module - it does not have much sense keeping it. Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Apr 11 06:31:51 CEST 2012 on sn-devel-104
2012-04-11s4:dsdb/samdb/ldb_modules/schema.c - inline "get_oc_guid_from_message()" to ↵Matthias Dieter Wallnöfer1-3/+23
its only user Reduce the number of not to be shared functions in "schema.c". Change it to make use of "get_last_structural_class()".
2012-04-11s4:dsdb/samdb/ldb_modules/schema.c - inline "acl_check_access_on_class" to ↵Matthias Dieter Wallnöfer1-0/+47
its only user Reduce the number of not to be shared functions in "schema.c".
2012-04-11s4:acl LDB module - remove set but unused variablesMatthias Dieter Wallnöfer1-5/+0
2012-03-02SEGV in acl_validate_spn_value: dnsHostName NULLArvid Requate1-1/+1
This patch addresses a segfault in acl_validate_spn_value which occurs when the "dnsHostName" attribute is missing. This seems to be the case in domains migrated with samba3upgrade. Looks similar to MS KB 817543. Signed-off-by: Nadezhda Ivanova <nivanova@drizzit.(none)> Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Fri Mar 2 21:26:40 CET 2012 on sn-devel-104
2011-08-26s4-dsdb Return ACL errors as ldb_errstring()Andrew Bartlett1-16/+27
This string is reported to the caller, which makes debugging much easier. Andrew Bartlett
2011-07-13s4-dsdb: fixed modify of ACLs on deleted objectsAndrew Tridgell1-2/+4
this is needed for the dbcheck code Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-07-01s4-dsdb guard principalName parse for invalid inputsAndrew Bartlett1-1/+6
We need to ensure that if this parses name.name_string as just one val, then we don't read uninitialised and possibly unallocated memory. Found by Adam Thorn <alt36@cam.ac.uk> While we are checking that, we need to fix the strncasecmp() check to first check if the string is the expected length, then check for a match against sAMAccountName-without-doller, as otherwise we will permit a string such as machinefoo to match a sAMAccountName of machine. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Fri Jul 1 03:55:00 CEST 2011 on sn-devel-104
2011-07-01s4-dsdb Allow a servicePrincipalName of machine$Andrew Bartlett1-0/+6
This is pointless, but MacOS X (version 10.6.8 was tested) apparently sets machine$ into this field. Andrew Bartlett
2011-02-28Fix some typesJelmer Vernooij1-1/+1
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Mon Feb 28 23:30:06 CET 2011 on sn-devel-104
2011-02-15s4:acl LDB module - interpret "userAccountControl" as "uint32_t"Matthias Dieter Wallnöfer1-3/+3
This is the same way as it is done in the samldb LDB module. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Tue Feb 15 12:08:26 CET 2011 on sn-devel-104
2011-02-14s4-ldb_modules/acl: Use ntds_guid for SPN check only we have a DC objectKamen Mazdrashki1-6/+5
ntds_guid is NULL otherwise as it doesn't make sense for not a DC object Autobuild-User: Kamen Mazdrashki <kamenim@samba.org> Autobuild-Date: Mon Feb 14 13:15:31 CET 2011 on sn-devel-104
2011-02-14s4-ldb_modules/acl: Get correct NTDSDSA objectGUID to check SPN forKamen Mazdrashki1-2/+17
2011-02-14s4/ldb_modules/acl.c: Fix calculation for samAccountName string lenKamen Mazdrashki1-1/+1
2011-01-28s4-acl: Fixed returning uninitialized ldap error in case of some critical ↵Nadezhda Ivanova1-7/+10
errors. Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Fri Jan 28 12:04:01 CET 2011 on sn-devel-104
2011-01-17s4-dsdb: pass parent request to dsdb_module_*() functions Andrew Tridgell1-12/+13
this preserves the request hierarchy for dsdb_module_*() calls inside dsdb ldb modules Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-12-23s4:acl LDB module - "acl_rename" - memory contexts fixupMatthias Dieter Wallnöfer1-5/+19
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Dec 23 22:49:41 CET 2010 on sn-devel-104
2010-12-23s4:acl LDB module - add a missing "talloc_free(tmp_ctx)" in an error pathMatthias Dieter Wallnöfer1-0/+1
Just for consistency. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Dec 23 21:46:38 CET 2010 on sn-devel-104
2010-12-22s4-acl: Implementation of Validated-SPN validated writeNadezhda Ivanova1-0/+215
If this right is granted to a user, they may modify the SPN of an object with some value restrictions serviceName can be set only if the object is a DC, and then only to the default domain and netbios name, or ntds_guid._msdsc_.forest_domain. If the serviceType is GC, only to the forest root domain. If the serviceType is ldap, then to forest_domain or netbiosname. InstanceType can be samAccountName or dnsHostName.
2010-11-20s4:acl LDB module - it's more correct to count the password attributes using ↵Matthias Dieter Wallnöfer1-3/+6
"unsigned int" Since these are derived from a LDB result. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sat Nov 20 11:29:07 CET 2010 on sn-devel-104
2010-11-16s4:acl LDB module - use also here "dsdb_find_nc_root" to implement the ↵Matthias Dieter Wallnöfer1-28/+57
NC-specific checks Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Tue Nov 16 15:12:13 UTC 2010 on sn-devel-104
2010-11-11s4:password_hash and acl LDB modules - handle the "userPassword" attribute ↵Matthias Dieter Wallnöfer1-3/+22
according to the "dSHeuristics"
2010-11-08s4:acl LDB module - define the delete passwords special case a bit betterMatthias Dieter Wallnöfer1-3/+4
2010-11-01s4-ldb: enable version checking in dsdb ldb modulesAndrew Tridgell1-0/+1
2010-11-01s4-dsdb: convert the rest of the ldb modules to the new module typeAndrew Tridgell1-1/+6
2010-10-16s4:dsdb - fix unsigned integer save problems using the "%u" specifierMatthias Dieter Wallnöfer1-2/+2
The issue here is that we have not yet first cast to int32_t explicitly, before we cast to an signed int to printf() into the %d or cast to a int64_t before we then cast to a long long to printf into a %lld. There are *no* unsigned integers in Active Directory LDAP, even the RID allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities. (See the schema, and the syntax definitions in schema_syntax.c). The failure has been detected by Matthieu Patou on the buildfarm host "tridge" due to a malformed "groupType" attribute. The solution is to use the "%d" specifier. Either to use it directly - or better (when possible) use the call "samdb_msg_add_uint" (which encapsulates it). This patch changes such problematic situations.
2010-10-10dsdb/modules: Split up helpers a bit to prevent recursive dependencies.Jelmer Vernooij1-0/+1
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sun Oct 10 23:47:54 UTC 2010 on sn-devel-104
2010-10-03s4:dsdb - substitute the "show_deleted" with the "show_recycled" controlMatthias Dieter Wallnöfer1-1/+1
We intend to see always all objects with the "show_deleted" control specified. To see also recycled objects (beginning with 2008_R2 function level) we need to use the new "show_recycled" control. As far as I see this is only internal code and therefore we don't run into problems if we do substitute it. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-26s4-dsdb: Moved some helper functions to a separate fileNadezhda Ivanova1-220/+0
We need these to be accessible to the aclread module as well.
2010-09-25s4-dsdb: added tagging of requests in dsdb modulesAndrew Tridgell1-0/+1
this allows you to call dsdb_req_chain_debug() in gdb or when writing debug code to see the request chain
2010-08-23s4:security Change struct security_token->sids from struct dom_sid * to ↵Andrew Bartlett1-1/+1
struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-18s4:security Remove use of user_sid and group_sid from struct security_tokenAndrew Bartlett1-1/+3
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-17s4:acl LDB module - support password changes over the ↵Matthias Dieter Wallnöfer1-1/+15
DSDB_CONTROL_PASSWORD_CHANGE_OID control This control is used from the SAMR and "kpasswd" password changes. It is strictly private and means "this is a password change and not a password set".
2010-08-17s4-ldb: use LDB_FLAG_MOD_TYPE() to extract element type from messagesAndrew Tridgell1-3/+3
The flags field of message elements is part of a set of flags. We had LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely being used (only 1 call used it correctly). This adds LDB_FLAG_MOD_MASK() to make it more obvious what is going on. This will allow us to use some of the other flags bits for internal markers on elements Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-04s4-dsdb: Removed kludge_acl as it is no longer necessaryNadezhda Ivanova1-0/+39
Moved the access check on extended operations to acl module and removed kludge_acl
2010-08-01s4:acl LDB module - remove the "forest DN" checkMatthias Dieter Wallnöfer1-6/+3
After some reading I've discovered that this isn't really true. The forest partition does exist on one or more DCs and is there the same as the default base DN (which is already checked by the module). And if we have other DCs which contain child domains then they never contain data of the forest domain beside the schema and the configuration partition (which are checked anyway) since a DC can always contain only one domain! Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5
2010-08-01s4:acl LDB module - remove unused call "is_root_base_dn"Matthias Dieter Wallnöfer1-8/+0
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-1/+1
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-08s4:acl LDB module - password attributes - check also the "dBCSPwd" attributeMatthias Dieter Wallnöfer1-2/+2
It's also a possible password change/set attribute candidate.
2010-07-08s4:acl LDB module - move a "mem_ctx" creation to the place where it is ↵Matthias Dieter Wallnöfer1-1/+2
actually checked Memory allocations and their result checks should be as tight as possible.