From 58edd6d17951553cb6b693b37ce88454668b1c50 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 13 Mar 2008 10:27:09 +1100 Subject: Don't segfault on invalid objectClass input. If the objectClass found does not include a defaultSecurityDescriptor, then we should not segfault in the SDDL parser. Andrew Bartlett (This used to be commit 5a92771fb55149fcf24f21f30e4c6a622bef44f8) --- source4/dsdb/samdb/ldb_modules/objectclass.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index e63ad4de56..537a56045d 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -257,12 +257,17 @@ static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, DATA_BLOB *linear_sd; struct auth_session_info *session_info = ldb_get_opaque(module->ldb, "sessionInfo"); - struct security_descriptor *sd - = sddl_decode(mem_ctx, - objectclass->defaultSecurityDescriptor, - samdb_domain_sid(module->ldb)); + struct security_descriptor *sd; - if (!session_info || !session_info->security_token) { + if (!objectclass->defaultSecurityDescriptor) { + return NULL; + } + + sd = sddl_decode(mem_ctx, + objectclass->defaultSecurityDescriptor, + samdb_domain_sid(module->ldb)); + + if (!sd || !session_info || !session_info->security_token) { return NULL; } @@ -538,7 +543,9 @@ static int objectclass_do_add(struct ldb_handle *h) } if (!ldb_msg_find_element(msg, "nTSecurityDescriptor")) { DATA_BLOB *sd = get_sd(ac->module, mem_ctx, current->objectclass); - ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd); + if (sd) { + ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd); + } } } } -- cgit From 0c882402360a10b19a038bce9f87e241051c9ba8 Mon Sep 17 00:00:00 2001 
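Review bot: The new `sd = sddl_decode(...)` call still passes `samdb_domain_sid(module->ldb)` unchecked, so a failed domain-SID lookup hands the SDDL parser a NULL sid — the same class of crash this commit closes for a missing defaultSecurityDescriptor. Hoist the lookup into a local and fold it into the new guard: `const struct dom_sid *domain_sid = samdb_domain_sid(module->ldb);` followed by `if (!objectclass->defaultSecurityDescriptor || !domain_sid) { return NULL; }`, then pass `domain_sid` to sddl_decode. A later commit on this page (4a2ba0c0) makes essentially this change. get_sd's body continues after the hunk.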
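Review bot: The added `if (sd)` guard in objectclass_do_add treats every NULL from get_sd as "no default descriptor", so the object is written with no nTSecurityDescriptor at all, yet get_sd also returns NULL when sddl_decode fails or memory runs out, and those failures are now indistinguishable from an objectClass that legitimately has no default. An object stored without a security descriptor carries no ACL protection, so the silent branch deserves at least an else with a diagnostic, e.g. `ldb_debug(ac->module->ldb, LDB_DEBUG_WARNING, "no default security descriptor available, adding %s without nTSecurityDescriptor\n", ldb_dn_get_linearized(msg->dn));`. Whether such an add should instead be refused is a policy question this commit does not answer, and it is worth a comment either way. objectclass_do_add starts and ends outside the hunk.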
From: Andrew Bartlett Date: Thu, 13 Mar 2008 11:36:58 +1100 Subject: Rework to have member server 'domains' be CN=NETBIOSNAME This reworks quite a few parts of our provision system to use CN=NETBIOSNAME as the domain for member servers. This makes it clear that these domains are not in the DNS structure, while complying with our own schema (found by OpenLDAP's schema validation). Andrew Bartlett (This used to be commit bda6a38b055fed2394e65cdc0b308a1442116402) --- source4/dsdb/common/util.c | 2 +- source4/dsdb/samdb/ldb_modules/password_hash.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 88c8afd6cc..3be60ac452 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -1464,7 +1464,7 @@ int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, while ((sdn = ldb_dn_get_parent(local_ctx, sdn))) { ret = ldb_search(ldb, sdn, LDB_SCOPE_BASE, - "(|(objectClass=domain)(objectClass=builtinDomain))", attrs, &res); + "(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain))", attrs, &res); if (ret == LDB_SUCCESS) { talloc_steal(local_ctx, res); if (res->count == 1) { diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index aa64700f2f..ec19e0d49e 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c 
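Review bot: The new filter literal `(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain))` is written out by hand here in samdb_search_for_parent_domain and again in password_hash.c (build_domain_data_request, this commit) and samldb.c (samldb_notice_sid, commit de9b3af6 on this page), so the copies can drift the next time a 'domain' class is added. The nested OR is also equivalent to the flat `(|(objectClass=domain)(objectClass=builtinDomain)(objectClass=samba4LocalDomain))`, which reads more easily. Consider one shared definition in a dsdb header, e.g. `#define SAMDB_DOMAIN_OBJECTCLASS_FILTER "(|(objectClass=domain)(objectClass=builtinDomain)(objectClass=samba4LocalDomain))"`, and composing the objectSid-qualified filters from it. samdb_search_for_parent_domain continues outside the hunk.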
@@ -1220,7 +1220,7 @@ static int build_domain_data_request(struct ph_context *ac) ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb); ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE; - filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(objectClass=domain)(objectClass=builtinDomain)))", + filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid)); if (filter == NULL) { ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n"); -- cgit From 536d585c4cfb9d34965c26bdb6b6880ef4f6a4f8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 13 Mar 2008 14:11:06 +1100 Subject: Don't search the whole tree for the domains's sid This change removes a dependency on objectclass=domainDNS, and avoids a subtree search when we really know exactly where this record is. Andrew Bartlett (This used to be commit 52947fc0c019e57438a21e54953601b6cc08eb49) --- source4/dsdb/common/util.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 3be60ac452..807c0289f7 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -1004,7 +1004,13 @@ struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx) const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb) { TALLOC_CTX *tmp_ctx; - struct dom_sid *domain_sid; + const struct dom_sid *domain_sid; + const char *attrs[] = { + "objectSid", + NULL + }; + struct ldb_result *res; + int ret; /* see if we have a cached copy */ domain_sid = (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid"); 
@@ -1017,9 +1023,17 @@ const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb) goto failed; } - /* find the domain_sid */ - domain_sid = samdb_search_dom_sid(ldb, tmp_ctx, ldb_get_default_basedn(ldb), - "objectSid", "objectClass=domainDNS"); + ret = ldb_search_exp_fmt(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectSid=*"); + + if (ret != LDB_SUCCESS) { + goto failed; + } + + if (res->count != 1) { + goto failed; + } + + domain_sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid"); if (domain_sid == NULL) { goto failed; } -- cgit From e50d666bf9b2e5f18d19f6e1b9388d1ea7be0ff2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 13 Mar 2008 14:12:18 +1100 Subject: Correctly normalise records against OpenLDAP. Fixing this simple typo allows more of the ldap.js test to pass. Andrew Bartlett (This used to be commit 7c80cd18d5cd9cbf32dac15a4734f5a3c67cd0e7) --- source4/dsdb/samdb/ldb_modules/normalise.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/normalise.c b/source4/dsdb/samdb/ldb_modules/normalise.c index a0eff43534..8de9e33002 100644 --- a/source4/dsdb/samdb/ldb_modules/normalise.c +++ b/source4/dsdb/samdb/ldb_modules/normalise.c @@ -117,7 +117,7 @@ static int normalise_search_callback(struct ldb_context *ldb, void *context, str talloc_free(mem_ctx); return LDB_ERR_OPERATIONS_ERROR; } - ret = fix_dn(ares->message->dn); + ret = fix_dn(dn); if (ret != LDB_SUCCESS) { talloc_free(mem_ctx); return ret; -- cgit From 4a2ba0c047249fa6f7f4c78313b3b221d9a5bcc7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 13 Mar 2008 14:12:50 +1100 Subject: Bail out, rather than segfault on no domain sid. Andrew Bartlett (This used to be commit 7e85f318b571d1a909dffad0ecd661468ed497ca) --- source4/dsdb/samdb/ldb_modules/objectclass.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source4/dsdb') 
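Review bot: The removed `/* find the domain_sid */` comment should be replaced rather than dropped, because the new lookup changes what is trusted: a base-scope search with filter `objectSid=*` takes the SID of whatever object sits at the default base DN with no objectClass check at all, where the removed code required objectClass=domainDNS. Suggest `/* Read the domain SID from the base DN object itself (base scope, any objectSid); no objectClass check is made, so the default base DN must be the domain head. */` above the `ldb_search_exp_fmt` call. The `res->count != 1` test is fine as written, since a base-scope search yields at most one entry and an entry lacking objectSid is filtered out to count 0. The `failed:` label lies outside the hunk, so whether it releases tmp_ctx cannot be confirmed here.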
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 537a56045d..4d4ef585cb 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -258,14 +258,15 @@ static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, struct auth_session_info *session_info = ldb_get_opaque(module->ldb, "sessionInfo"); struct security_descriptor *sd; + struct dom_sid *domain_sid = samdb_domain_sid(module->ldb); - if (!objectclass->defaultSecurityDescriptor) { + if (!objectclass->defaultSecurityDescriptor || !domain_sid) { return NULL; } sd = sddl_decode(mem_ctx, objectclass->defaultSecurityDescriptor, - samdb_domain_sid(module->ldb)); + domain_sid); if (!sd || !session_info || !session_info->security_token) { return NULL; -- cgit From 44628c43eefa48a700293fe25b9a65ec76f1c1b2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 13 Mar 2008 16:35:53 +1100 Subject: Don't use 'dn', this attribute does not exist with the LDAP backend, or in AD. Andrew Bartlett (This used to be commit a3e1f2830679a56366f0080115de504cdb0144f7) --- source4/dsdb/samdb/cracknames.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c index 93da46d5bd..b9333e451b 100644 --- a/source4/dsdb/samdb/cracknames.c +++ b/source4/dsdb/samdb/cracknames.c @@ -329,7 +329,7 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))", ldb_binary_encode_string(mem_ctx, unparsed_name_short)); - domain_filter = talloc_asprintf(mem_ctx, "(dn=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn)); + domain_filter = talloc_asprintf(mem_ctx, "(distinguishedName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn)); if (!result_filter || !domain_filter) { free(unparsed_name_short); -- cgit 
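Review bot: `struct dom_sid *domain_sid = samdb_domain_sid(module->ldb);` discards a qualifier: samdb_domain_sid returns `const struct dom_sid *` (its definition in util.c appears in commit 536d585c on this page), so this initialisation will draw -Wdiscarded-qualifiers. Declare it `const struct dom_sid *domain_sid = samdb_domain_sid(module->ldb);`; sddl_decode previously received the call's result directly, so its parameter presumably already accepts a const pointer — confirm against its prototype. The combined guard `!objectclass->defaultSecurityDescriptor || !domain_sid` is the right shape. get_sd continues past the hunk.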
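Review bot: The new `domain_filter` in DsCrackNameUPN still interpolates `ldb_dn_get_linearized(domain_res->msgs[0]->dn)` into the filter raw, whereas `result_filter` two lines above escapes its value with `ldb_binary_encode_string`. A DN whose RDN contains `(`, `)`, `*` or `\` — all legal in names — would yield a malformed or broader filter, so the same escaping should apply: `domain_filter = talloc_asprintf(mem_ctx, "(distinguishedName=%s)", ldb_binary_encode_string(mem_ctx, ldb_dn_get_linearized(domain_res->msgs[0]->dn)));`. The DN comes from an earlier search result rather than straight from the caller, so the practical exposure depends on how that object was named. DsCrackNameUPN starts and ends outside the hunk.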
From de9b3af624833be8f5c3520d5ac99fba14b8032f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 14 Mar 2008 12:32:07 +1100 Subject: Allow more 'domain' objects when looking for a unqiue SID. Andrew Bartlett (This used to be commit db3b5f16ec8d9b83d8a82a535a4847dce5923663) --- source4/dsdb/samdb/ldb_modules/samldb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 905cd4a995..5407db9956 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -293,7 +293,7 @@ int samldb_notice_sid(struct ldb_module *module, /* find the domain DN */ ret = ldb_search_exp_fmt(module->ldb, mem_ctx, &dom_res, NULL, LDB_SCOPE_SUBTREE, attrs, - "(&(objectSid=%s)(objectclass=domain))", + "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", ldap_encode_ndr_dom_sid(mem_ctx, dom_sid)); if (ret == LDB_SUCCESS) { if (dom_res->count == 0) { @@ -369,7 +369,7 @@ static int samldb_generate_samAccountName(struct ldb_module *module, TALLOC_CTX /* Format: $000000-000000000000 */ do { - *name = talloc_asprintf(mem_ctx, "$%.6X-%.6X%.6X", (unsigned int)random(), (unsigned int)random(), (unsigned int)random()); + *name = talloc_asprintf(mem_ctx, "$%.6X-%.6X%.6X", (unsigned int)generate_random(), (unsigned int)generate_random(), (unsigned int)generate_random()); /* TODO: Figure out exactly what this is meant to conflict with */ ret = ldb_search_exp_fmt(module->ldb, mem_ctx, &res, dom_dn, LDB_SCOPE_SUBTREE, attrs, -- cgit From 79a25a648debf0aba77185a5b2b1ee979210359c Mon Sep 17 00:00:00 2001 
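Review bot: `"$%.6X-%.6X%.6X"` with `(unsigned int)generate_random()` does not produce the `$000000-000000000000` shape the comment above promises: `%.6X` sets a minimum of six hex digits, not a maximum, so any value at or above 0x1000000 prints seven or eight digits and the generated name length varies. Mask each argument to 24 bits, `(unsigned int)(generate_random() & 0xFFFFFF)`, for all three operands. The defect predates the swap from random(), but the rewritten line is the place to fix it; whether generate_random() yields a 32-bit value is not visible here. The do/while loop in samldb_generate_samAccountName continues outside the hunk.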
From: Andrew Bartlett Date: Wed, 19 Mar 2008 12:06:37 +1100 Subject: Indent Andrew Bartlett (This used to be commit d2b5f40d80008ca3269118915409333755b6eac3) --- source4/dsdb/samdb/ldb_modules/password_hash.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index ec19e0d49e..1d2bdd988e 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -1220,7 +1220,8 @@ static int build_domain_data_request(struct ph_context *ac) ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb); ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE; - filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", + filter = talloc_asprintf(ac->dom_req, + "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid)); if (filter == NULL) { ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n"); -- cgit From 9a1bec08013dda77597369387da0193081a7a6e2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Mar 2008 12:12:10 +1100 Subject: More kludge ACLs! Rather than killing off the nasty 'kludge ACLs' stuff, this patch extends it, to ensure that LSA secrets and the registry are also protected. Andrew Bartlett (This used to be commit 2f2b110fb870132099bad1d4c16ed8962affb3ce) --- source4/dsdb/samdb/ldb_modules/kludge_acl.c | 45 ++++++----------------------- 1 file changed, 9 insertions(+), 36 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c index e3e1f7ac88..e418031271 100644 --- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c +++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c 
@@ -46,42 +46,15 @@ * */ -enum user_is { - ANONYMOUS, - USER, - ADMINISTRATOR, - SYSTEM -}; - struct kludge_private_data { const char **password_attrs; }; -static enum user_is what_is_user(struct ldb_module *module) +static enum security_user_level what_is_user(struct ldb_module *module) { struct auth_session_info *session_info = (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo"); - if (!session_info) { - return ANONYMOUS; - } - - if (security_token_is_system(session_info->security_token)) { - return SYSTEM; - } - - if (security_token_is_anonymous(session_info->security_token)) { - return ANONYMOUS; - } - - if (security_token_has_builtin_administrators(session_info->security_token)) { - return ADMINISTRATOR; - } - - if (security_token_has_nt_authenticated_users(session_info->security_token)) { - return USER; - } - - return ANONYMOUS; + return security_session_user_level(session_info); } static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module) @@ -104,7 +77,7 @@ struct kludge_acl_context { void *up_context; int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *); - enum user_is user_type; + enum security_user_level user_type; bool allowedAttributes; bool allowedAttributesEffective; bool allowedChildClasses; @@ -272,8 +245,8 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld if (data && data->password_attrs) /* if we are not initialized just get through */ { switch (ac->user_type) { - case SYSTEM: - case ADMINISTRATOR: + case SECURITY_SYSTEM: + case SECURITY_ADMINISTRATOR: if (ac->allowedAttributesEffective) { ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective"); if (ret != LDB_SUCCESS) { 
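Review bot: The rewritten what_is_user passes session_info to security_session_user_level without the `if (!session_info)` check the old body had, so a NULL "sessionInfo" opaque — the case the removed code mapped to ANONYMOUS — now depends on that helper tolerating NULL. If it does not, this is a crash in the access-control path; keep the guard local with `if (!session_info) { return SECURITY_ANONYMOUS; }` before the return, or add a comment stating that security_session_user_level accepts NULL once that is confirmed. The enum substitutions in the @@ -104 and @@ -272 hunks here and in the @@ -359 and @@ -391 hunks below are mechanical and fine.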
@@ -359,7 +332,7 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) so we don't allow a search for 'sambaPassword=penguin', just as we would not allow that attribute to be returned */ switch (ac->user_type) { - case SYSTEM: + case SECURITY_SYSTEM: break; default: /* remove password attributes */ @@ -391,10 +364,10 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) /* ANY change type */ static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req) { - enum user_is user_type = what_is_user(module); + enum security_user_level user_type = what_is_user(module); switch (user_type) { - case SYSTEM: - case ADMINISTRATOR: + case SECURITY_SYSTEM: + case SECURITY_ADMINISTRATOR: return ldb_next_request(module, req); default: ldb_asprintf_errstring(module->ldb, -- cgit From dc49ae599eacd6c118dc355609bca657b05c5dee Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 25 Mar 2008 15:25:13 +1100 Subject: Remove useless extra argument to samdb_result_account_expires(). Andrew Bartlett (This used to be commit bc607c334ff86624b891886a6f874da2bcff113e) --- source4/dsdb/common/util.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 807c0289f7..8a7a22a641 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -445,11 +445,10 @@ NTTIME samdb_result_nttime(struct ldb_message *msg, const char *attr, NTTIME def * Consolidate that logic here to allow clearer logic for account expiry in * the rest of the code. */ -NTTIME samdb_result_account_expires(struct ldb_message *msg, - NTTIME default_value) +NTTIME samdb_result_account_expires(struct ldb_message *msg) { NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires", - default_value); + 0); if (ret == (NTTIME)0) ret = 0x7FFFFFFFFFFFFFFFULL; -- cgit From 5738491674574cd913dac2ad4f3851f4a0189ef4 Mon Sep 17 00:00:00 2001 
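Review bot: In samdb_result_account_expires the hunk keeps `0x7FFFFFFFFFFFFFFFULL` as a bare magic number, and with default_value gone the function now maps both an absent accountExpires and a stored 0 onto it; that rule is the whole contract of the function, while the header comment above the hunk only says the logic is "consolidated". Name the sentinel, e.g. `#define SAMDB_ACCOUNT_NEVER_EXPIRES 0x7FFFFFFFFFFFFFFFULL`, and extend the comment with `Both a missing accountExpires attribute and a stored value of 0 mean the account never expires and are returned as that sentinel.` The follow-up commit 57384916 on this page touches the same comparison (dropping the cast) and would benefit equally. The function's closing `return ret;` lies outside this hunk.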
From: Andrew Bartlett Date: Tue, 25 Mar 2008 16:36:13 +1100 Subject: Remove pointless cast (This used to be commit 9a1466abbd4115f4a57d794006aca29aa0184ced) --- source4/dsdb/common/util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 8a7a22a641..1220a5c855 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -450,7 +450,7 @@ NTTIME samdb_result_account_expires(struct ldb_message *msg) NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires", 0); - if (ret == (NTTIME)0) + if (ret == 0) ret = 0x7FFFFFFFFFFFFFFFULL; return ret; -- cgit