From 58edd6d17951553cb6b693b37ce88454668b1c50 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 13 Mar 2008 10:27:09 +1100 Subject: Don't segfault on invalid objectClass input. If the objectClass found does not include a defaultSecurityDescriptor, then we should not segfault in the SDDL parser. Andrew Bartlett (This used to be commit 5a92771fb55149fcf24f21f30e4c6a622bef44f8) --- source4/dsdb/samdb/ldb_modules/objectclass.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) (limited to 'source4/dsdb/samdb/ldb_modules') diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index e63ad4de56..537a56045d 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -257,12 +257,17 @@ static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, DATA_BLOB *linear_sd; struct auth_session_info *session_info = ldb_get_opaque(module->ldb, "sessionInfo"); - struct security_descriptor *sd - = sddl_decode(mem_ctx, - objectclass->defaultSecurityDescriptor, - samdb_domain_sid(module->ldb)); + struct security_descriptor *sd; - if (!session_info || !session_info->security_token) { + if (!objectclass->defaultSecurityDescriptor) { + return NULL; + } + + sd = sddl_decode(mem_ctx, + objectclass->defaultSecurityDescriptor, + samdb_domain_sid(module->ldb)); + + if (!sd || !session_info || !session_info->security_token) { return NULL; } @@ -538,7 +543,9 @@ static int objectclass_do_add(struct ldb_handle *h) } if (!ldb_msg_find_element(msg, "nTSecurityDescriptor")) { DATA_BLOB *sd = get_sd(ac->module, mem_ctx, current->objectclass); - ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd); + if (sd) { + ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd); + } } } } -- cgit From 0c882402360a10b19a038bce9f87e241051c9ba8 Mon Sep 17 00:00:00 2001 
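Review bot: In get_sd a NULL from sddl_decode() is now folded into the same `return NULL` as a missing defaultSecurityDescriptor, so a malformed default SDDL string in the schema silently yields an object with no nTSecurityDescriptor instead of an error. The parse failure should at least be visible: ahead of the combined check, `if (!sd) { ldb_debug(module->ldb, LDB_DEBUG_ERROR, "failed to parse defaultSecurityDescriptor"); return NULL; }` — or get_sd could gain an error out-parameter so the caller can fail the add rather than proceed without a descriptor. sddl_decode() also runs before session_info is validated, so the decode is wasted work when there is no session; folding the session_info conditions into the first guard avoids that. get_sd's signature is in the hunk header and its body continues past the hunk.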
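Review bot: The return value of ldb_msg_add_steal_value() inside the new `if (sd)` block in objectclass_do_add is still discarded, so an allocation failure while attaching nTSecurityDescriptor lets the add continue without a security descriptor — the same silent outcome the commit is trying to avoid for a missing default. Since objectclass_do_add returns an int, the call should be checked: `ret = ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd); if (ret != LDB_SUCCESS) { return ret; }`, assuming a `ret` variable and the usual mem_ctx cleanup are available in the part of the function outside this hunk. objectclass_do_add's body begins and ends outside the hunk.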
From: Andrew Bartlett Date: Thu, 13 Mar 2008 11:36:58 +1100 Subject: Rework to have member server 'domains' be CN=NETBIOSNAME This reworks quite a few parts of our provision system to use CN=NETBIOSNAME as the domain for member servers. This makes it clear that these domains are not in the DNS structure, while complying with our own schema (found by OpenLDAP's schema validation). Andrew Bartlett (This used to be commit bda6a38b055fed2394e65cdc0b308a1442116402) --- source4/dsdb/samdb/ldb_modules/password_hash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/dsdb/samdb/ldb_modules') diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index aa64700f2f..ec19e0d49e 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -1220,7 +1220,7 @@ static int build_domain_data_request(struct ph_context *ac) ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb); ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE; - filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(objectClass=domain)(objectClass=builtinDomain)))", + filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid)); if (filter == NULL) { ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n"); -- cgit From e50d666bf9b2e5f18d19f6e1b9388d1ea7be0ff2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 13 Mar 2008 14:12:18 +1100 Subject: Correctly normalise records against OpenLDAP. Fixing this simple typo allows more of the ldap.js test to pass. Andrew Bartlett (This used to be commit 7c80cd18d5cd9cbf32dac15a4734f5a3c67cd0e7) --- source4/dsdb/samdb/ldb_modules/normalise.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/dsdb/samdb/ldb_modules') 
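Review bot: The new filter nests an OR inside an OR, `(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain))`, which suggests the grouping matters when it does not; the flat `(|(objectClass=domain)(objectClass=builtinDomain)(objectClass=samba4LocalDomain))` is equivalent and easier to audit. The same literal is repeated by hand in samldb_notice_sid (samldb.c, later in this series), so the set of classes that count as a domain now lives in two modules and can drift; a shared constant or helper would keep them aligned. The objectSid value is still passed through ldap_encode_ndr_dom_sid(), so the filter change does not affect escaping of the SID. build_domain_data_request's body continues outside the hunk.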
diff --git a/source4/dsdb/samdb/ldb_modules/normalise.c b/source4/dsdb/samdb/ldb_modules/normalise.c index a0eff43534..8de9e33002 100644 --- a/source4/dsdb/samdb/ldb_modules/normalise.c +++ b/source4/dsdb/samdb/ldb_modules/normalise.c @@ -117,7 +117,7 @@ static int normalise_search_callback(struct ldb_context *ldb, void *context, str talloc_free(mem_ctx); return LDB_ERR_OPERATIONS_ERROR; } - ret = fix_dn(ares->message->dn); + ret = fix_dn(dn); if (ret != LDB_SUCCESS) { talloc_free(mem_ctx); return ret; -- cgit From 4a2ba0c047249fa6f7f4c78313b3b221d9a5bcc7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 13 Mar 2008 14:12:50 +1100 Subject: Bail out, rather than segfault on no domain sid. Andrew Bartlett (This used to be commit 7e85f318b571d1a909dffad0ecd661468ed497ca) --- source4/dsdb/samdb/ldb_modules/objectclass.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source4/dsdb/samdb/ldb_modules') diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 537a56045d..4d4ef585cb 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -258,14 +258,15 @@ static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, struct auth_session_info *session_info = ldb_get_opaque(module->ldb, "sessionInfo"); struct security_descriptor *sd; + struct dom_sid *domain_sid = samdb_domain_sid(module->ldb); - if (!objectclass->defaultSecurityDescriptor) { + if (!objectclass->defaultSecurityDescriptor || !domain_sid) { return NULL; } sd = sddl_decode(mem_ctx, objectclass->defaultSecurityDescriptor, - samdb_domain_sid(module->ldb)); + domain_sid); if (!sd || !session_info || !session_info->security_token) { return NULL; -- cgit From de9b3af624833be8f5c3520d5ac99fba14b8032f Mon Sep 17 00:00:00 2001 
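Review bot: The `!session_info || !session_info->security_token` test in get_sd still sits after sddl_decode(), so the descriptor is parsed and allocated on mem_ctx only to be discarded when no session is present. Moving those two conditions into the new early guard — `if (!objectclass->defaultSecurityDescriptor || !domain_sid || !session_info || !session_info->security_token) { return NULL; }` — and leaving `if (!sd) { return NULL; }` after the decode gives the same result with no wasted work. The added domain_sid check is the right fix for the crash; it would be worth a one-line comment that a NULL SID here means the database is not a provisioned domain. get_sd's body continues past the hunk.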
From: Andrew Bartlett Date: Fri, 14 Mar 2008 12:32:07 +1100 Subject: Allow more 'domain' objects when looking for a unqiue SID. Andrew Bartlett (This used to be commit db3b5f16ec8d9b83d8a82a535a4847dce5923663) --- source4/dsdb/samdb/ldb_modules/samldb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/dsdb/samdb/ldb_modules') diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 905cd4a995..5407db9956 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -293,7 +293,7 @@ int samldb_notice_sid(struct ldb_module *module, /* find the domain DN */ ret = ldb_search_exp_fmt(module->ldb, mem_ctx, &dom_res, NULL, LDB_SCOPE_SUBTREE, attrs, - "(&(objectSid=%s)(objectclass=domain))", + "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", ldap_encode_ndr_dom_sid(mem_ctx, dom_sid)); if (ret == LDB_SUCCESS) { if (dom_res->count == 0) { @@ -369,7 +369,7 @@ static int samldb_generate_samAccountName(struct ldb_module *module, TALLOC_CTX /* Format: $000000-000000000000 */ do { - *name = talloc_asprintf(mem_ctx, "$%.6X-%.6X%.6X", (unsigned int)random(), (unsigned int)random(), (unsigned int)random()); + *name = talloc_asprintf(mem_ctx, "$%.6X-%.6X%.6X", (unsigned int)generate_random(), (unsigned int)generate_random(), (unsigned int)generate_random()); /* TODO: Figure out exactly what this is meant to conflict with */ ret = ldb_search_exp_fmt(module->ldb, mem_ctx, &res, dom_dn, LDB_SCOPE_SUBTREE, attrs, -- cgit From 79a25a648debf0aba77185a5b2b1ee979210359c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 19 Mar 2008 12:06:37 +1100 Subject: Indent Andrew Bartlett (This used to be commit d2b5f40d80008ca3269118915409333755b6eac3) --- source4/dsdb/samdb/ldb_modules/password_hash.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/dsdb/samdb/ldb_modules') 
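Review bot: The new generate_random() calls in samldb_generate_samAccountName are formatted with `%.6X`, which is a minimum precision rather than a width limit: generate_random() returns a 32-bit value, so any result above 0xFFFFFF prints seven or eight hex digits and the name no longer matches the `$000000-000000000000` layout stated in the comment directly above. Masking each argument keeps the documented shape: `(unsigned int)(generate_random() & 0xFFFFFF)` for all three. Moving off libc random() for a name that must not be predictable is otherwise the right direction. The function's body runs past the hunk.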
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index ec19e0d49e..1d2bdd988e 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -1220,7 +1220,8 @@ static int build_domain_data_request(struct ph_context *ac) ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb); ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE; - filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", + filter = talloc_asprintf(ac->dom_req, + "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid)); if (filter == NULL) { ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n"); -- cgit From 9a1bec08013dda77597369387da0193081a7a6e2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Mar 2008 12:12:10 +1100 Subject: More kludge ACLs! Rather than killing off the nasty 'kludge ACLs' stuff, this patch extends it, to ensure that LSA secrets and the registry are also protected. Andrew Bartlett (This used to be commit 2f2b110fb870132099bad1d4c16ed8962affb3ce) --- source4/dsdb/samdb/ldb_modules/kludge_acl.c | 45 ++++++----------------------- 1 file changed, 9 insertions(+), 36 deletions(-) (limited to 'source4/dsdb/samdb/ldb_modules') diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c index e3e1f7ac88..e418031271 100644 --- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c +++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c 
@@ -46,42 +46,15 @@ * */ -enum user_is { - ANONYMOUS, - USER, - ADMINISTRATOR, - SYSTEM -}; - struct kludge_private_data { const char **password_attrs; }; -static enum user_is what_is_user(struct ldb_module *module) +static enum security_user_level what_is_user(struct ldb_module *module) { struct auth_session_info *session_info = (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo"); - if (!session_info) { - return ANONYMOUS; - } - - if (security_token_is_system(session_info->security_token)) { - return SYSTEM; - } - - if (security_token_is_anonymous(session_info->security_token)) { - return ANONYMOUS; - } - - if (security_token_has_builtin_administrators(session_info->security_token)) { - return ADMINISTRATOR; - } - - if (security_token_has_nt_authenticated_users(session_info->security_token)) { - return USER; - } - - return ANONYMOUS; + return security_session_user_level(session_info); } static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module) @@ -104,7 +77,7 @@ struct kludge_acl_context { void *up_context; int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *); - enum user_is user_type; + enum security_user_level user_type; bool allowedAttributes; bool allowedAttributesEffective; bool allowedChildClasses; @@ -272,8 +245,8 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld if (data && data->password_attrs) /* if we are not initialized just get through */ { switch (ac->user_type) { - case SYSTEM: - case ADMINISTRATOR: + case SECURITY_SYSTEM: + case SECURITY_ADMINISTRATOR: if (ac->allowedAttributesEffective) { ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective"); if (ret != LDB_SUCCESS) { 
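Review bot: what_is_user() no longer guards against a NULL session_info before calling security_session_user_level(); the removed code returned ANONYMOUS in that case, and ldb_get_opaque() returns NULL when no "sessionInfo" opaque has been registered. If security_session_user_level() does not itself treat a NULL argument as anonymous (its body is not in this diff), a request without session information would dereference NULL on an access-control path; keeping `if (!session_info) { return SECURITY_ANONYMOUS; }` ahead of the call costs nothing and keeps the fail-closed default local to this module. The remaining hunks in this file only rename the enum constants and retain the `default:` deny branches, which is the correct direction for a future level the switch does not list.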
@@ -359,7 +332,7 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) so we don't allow a search for 'sambaPassword=penguin', just as we would not allow that attribute to be returned */ switch (ac->user_type) { - case SYSTEM: + case SECURITY_SYSTEM: break; default: /* remove password attributes */ @@ -391,10 +364,10 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) /* ANY change type */ static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req) { - enum user_is user_type = what_is_user(module); + enum security_user_level user_type = what_is_user(module); switch (user_type) { - case SYSTEM: - case ADMINISTRATOR: + case SECURITY_SYSTEM: + case SECURITY_ADMINISTRATOR: return ldb_next_request(module, req); default: ldb_asprintf_errstring(module->ldb, -- cgit