summaryrefslogtreecommitdiff
path: root/source4/dsdb
AgeCommit message (Collapse)AuthorFilesLines
2012-12-02s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flagsStefan Metzmacher1-0/+44
A client can send a full security_descriptor while just passing sd_flags of SECINFO_DACL. We need to NULL out elements which will be ignored depending on the sd_flags and may set the old owner/group sids. Otherwise the calculation of the DACL/SACL can replace CREATOR_OWNER with the wrong sid. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/tests: add SdAutoInheritTestsStefan Metzmacher1-1/+83
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Fri Nov 30 18:59:50 CET 2012 on sn-devel-104
2012-11-30s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for ↵Stefan Metzmacher1-2/+70
replicated changes We only do so if the replicated object is not deleted. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)Stefan Metzmacher1-3/+17
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)Stefan Metzmacher1-1/+18
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()Stefan Metzmacher1-0/+29
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OIDStefan Metzmacher1-8/+395
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OIDStefan Metzmacher1-0/+12
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OIDStefan Metzmacher1-5/+67
This can only be triggered by ourself, that's why we expect control->data == module. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modifyStefan Metzmacher1-0/+16
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/repl_meta_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modifyStefan Metzmacher1-0/+16
The propagation of nTSecurityDescriptor doesn't change the replProperyMetaData. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/objectclass_attrs: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modifyStefan Metzmacher1-0/+18
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OIDStefan Metzmacher1-0/+7
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/subtree_delete: delete from the leafs to the root (bug #7711)Stefan Metzmacher1-0/+19
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)Stefan Metzmacher1-3/+11
Now that the acl module checks for SEC_ADS_DELETE_TREE, we can do the recursive delete AS_SYSTEM. We need to pass the TRUSTED flags as we operate from the TOP module. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/subtree_delete: do an early return and avoid some nestingStefan Metzmacher1-24/+28
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/objectclass: do not pass the callers controls on helper searchesStefan Metzmacher1-1/+1
We add AS_SYSTEM and SHOW_RECYCLED to the helper search, don't let the caller specify additional controls. This also fixes a problem when the caller also specified AS_SYSTEM. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given ↵Stefan Metzmacher1-0/+12
(bug #7711) Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/dirsync: remove unused 'deletedattr' variableStefan Metzmacher1-2/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to ↵Stefan Metzmacher1-0/+2
DSDB_SECRET_ATTRIBUTES_EX See [MS-ADTS] 3.1.1.4.4 Extended Access Checks. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributesStefan Metzmacher1-5/+36
The @KLUDGEACL record might not be uptodate. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on ↵Stefan Metzmacher1-0/+3
modify Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on ↵Stefan Metzmacher1-0/+11
nTSecurityDescriptor Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: remove some nesting from descriptor_modifyStefan Metzmacher1-10/+10
If the nTSecurityDescriptor attribute is not specified, we have nothing to do. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: remove some unnecessary nestingStefan Metzmacher1-10/+8
sd == NULL is checked before. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: add some error checks to descriptor_{add,modify}Stefan Metzmacher1-0/+12
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OIDStefan Metzmacher1-26/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: move special dn check to the start of ↵Stefan Metzmacher1-19/+21
descriptor_{add,modify,rename} Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: if the caller specifies no DACL/SACL the objects gets a ↵Stefan Metzmacher1-1/+28
default one Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sidStefan Metzmacher1-0/+6
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)Stefan Metzmacher2-2/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptorStefan Metzmacher1-1/+19
We need to base the access mask on the given SD Flags. Originally, we always checked for SEC_FLAG_SYSTEM_SECURITY, which could lead to INSUFFICIENT_RIGHTS when we should have been allowed to read. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-1/+3
Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: calculate the correct access_mask when modifying ↵Stefan Metzmacher1-1/+14
nTSecurityDescriptor The access_mask depends on the SD Flags. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" ↵Stefan Metzmacher1-0/+11
is set In that case the acl_read module does the protection. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: remove unused "acl:perform" optionStefan Metzmacher1-3/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-5/+15
The searches are done in order to do access checks and the results are not directly exposed to the client. Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: make it clear that the SD Flags are ignored on addStefan Metzmacher1-1/+7
See [MS-ADTS] 6.1.3.2 SD Flags Control: ... When performing an LDAP add operation, the client can supply an SD flags control with the operation; however, it will be ignored by the server. ... Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: make use of dsdb_request_sd_flags()Stefan Metzmacher1-47/+15
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: always use descriptor_search_callback if we return ↵Stefan Metzmacher1-1/+12
nTSecurityDescriptor If the nTSecurityDescriptor is explicitly specified without the SD Flags control we should go through descriptor_search_callback(). This is not strictly needed at the moment, but makes the code clearer and might avoid surprises in the future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with ↵Stefan Metzmacher1-11/+12
SHOW_RECYCLED Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_util: add dsdb_request_sd_flags() helper functionStefan Metzmacher1-0/+37
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_util: do helper searches AS_SYSTEMStefan Metzmacher1-0/+1
The search is done in order to do access checks. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/extended_dn_store: do helper searches AS_SYSTEMStefan Metzmacher1-1/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-12/+13
Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-3/+31
Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/rootdse: do helper searches AS_SYSTEMStefan Metzmacher1-7/+29
As anonymous users can read all rootdse attributes, we should do helper searches with DSDB_FLAG_AS_SYSTEM in order to avoid unnecessary access checks. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/rootdse: remove unused variableStefan Metzmacher1-1/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xFStefan Metzmacher1-2/+2
A value of 0 is mapped to 0xF. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVectorStefan Metzmacher1-3/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>