From fdf12a607d4da368bcbb8d4379b6ea38cbfdbce6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 7 Jan 2010 10:11:10 +1100 Subject: s4-ldb: improve error handling in indexing code When we get an indexing failure we want a clear error message --- source4/lib/ldb/ldb_tdb/ldb_index.c | 36 ++++++++++++++++++++++++++++++++---- source4/lib/ldb/ldb_tdb/ldb_tdb.c | 3 ++- 2 files changed, 34 insertions(+), 5 deletions(-) (limited to 'source4/lib/ldb') diff --git a/source4/lib/ldb/ldb_tdb/ldb_index.c b/source4/lib/ldb/ldb_tdb/ldb_index.c index 52f9f00c58..01d0d6ce34 100644 --- a/source4/lib/ldb/ldb_tdb/ldb_index.c +++ b/source4/lib/ldb/ldb_tdb/ldb_index.c @@ -1104,6 +1104,8 @@ static int ltdb_index_add1(struct ldb_module *module, const char *dn, if (list->count > 0 && a->flags & LDB_ATTR_FLAG_UNIQUE_INDEX) { talloc_free(list); + ldb_asprintf_errstring(ldb, __location__ ": unique index violation on %s in %s", + el->name, dn); return LDB_ERR_ENTRY_ALREADY_EXISTS; } @@ -1168,6 +1170,10 @@ static int ltdb_index_add_all(struct ldb_module *module, const char *dn, } ret = ltdb_index_add_el(module, dn, &elements[i]); if (ret != LDB_SUCCESS) { + struct ldb_context *ldb = ldb_module_get_ctx(module); + ldb_asprintf_errstring(ldb, + __location__ ": Failed to re-index %s in %s - %s", + elements[i].name, dn, ldb_errstring(ldb)); return ret; } } @@ -1446,13 +1452,19 @@ static int delete_index(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, vo return 0; } +struct ltdb_reindex_context { + struct ldb_module *module; + int error; +}; + /* traversal function that adds @INDEX records during a re index */ static int re_index(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, void *state) { struct ldb_context *ldb; - struct ldb_module *module = (struct ldb_module *)state; + struct ltdb_reindex_context *ctx = (struct ltdb_reindex_context *)state; + struct ldb_module *module = ctx->module; struct ldb_message *msg; const char *dn = NULL; int ret; @@ -1511,9 +1523,13 @@ static int re_index(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, void * ret = ltdb_index_add_all(module, dn, msg->elements, msg->num_elements); - talloc_free(msg); + if (ret != LDB_SUCCESS) { + ctx->error = ret; + talloc_free(msg); + return -1; + } - if (ret != LDB_SUCCESS) return -1; + talloc_free(msg); return 0; } @@ -1525,6 +1541,7 @@ int ltdb_reindex(struct ldb_module *module) { struct ltdb_private *ltdb = talloc_get_type(ldb_module_get_private(module), struct ltdb_private); int ret; + struct ltdb_reindex_context ctx; if (ltdb_cache_reload(module) != 0) { return LDB_ERR_OPERATIONS_ERROR; @@ -1543,11 +1560,22 @@ int ltdb_reindex(struct ldb_module *module) return LDB_SUCCESS; } + ctx.module = module; + ctx.error = 0; + /* now traverse adding any indexes for normal LDB records */ - ret = tdb_traverse(ltdb->tdb, re_index, module); + ret = tdb_traverse(ltdb->tdb, re_index, &ctx); if (ret == -1) { + struct ldb_context *ldb = ldb_module_get_ctx(module); + ldb_asprintf_errstring(ldb, "reindexing traverse failed: %s", ldb_errstring(ldb)); return LDB_ERR_OPERATIONS_ERROR; } + if (ctx.error != LDB_SUCCESS) { + struct ldb_context *ldb = ldb_module_get_ctx(module); + ldb_asprintf_errstring(ldb, "reindexing failed: %s", ldb_errstring(ldb)); + return ctx.error; + } + return LDB_SUCCESS; } diff --git a/source4/lib/ldb/ldb_tdb/ldb_tdb.c b/source4/lib/ldb/ldb_tdb/ldb_tdb.c index a146b96b20..b8b4d399ef 100644 --- a/source4/lib/ldb/ldb_tdb/ldb_tdb.c +++ b/source4/lib/ldb/ldb_tdb/ldb_tdb.c @@ -230,7 +230,8 @@ static int ltdb_modified(struct ldb_module *module, struct ldb_dn *dn) } /* If the modify was to @OPTIONS, reload the cache */ - if (ldb_dn_is_special(dn) && + if (ret == LDB_SUCCESS && + ldb_dn_is_special(dn) && (ldb_dn_check_special(dn, LTDB_OPTIONS)) ) { ret = ltdb_cache_reload(module); } -- cgit From 81c0b01585c93472a14e3027a6da0b6d65a2ed7c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 8 Jan 2010 10:00:35 +1100 Subject: s4-secdesc: fixed the sec_descriptor.py test The test was using a "changetype: add" to try and add a member to a group, where it should use a "changetype: modify" with a "add: member" Also fixed the recovery when the test fails part way through (delete the test users at the start as well as the end) Nadya, please check! --- source4/lib/ldb/tests/python/sec_descriptor.py | 116 ++++++++++++++++--------- 1 file changed, 74 insertions(+), 42 deletions(-) (limited to 'source4/lib/ldb') diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py index e420cec3bd..4589178a42 100755 --- a/source4/lib/ldb/tests/python/sec_descriptor.py +++ b/source4/lib/ldb/tests/python/sec_descriptor.py @@ -285,8 +285,30 @@ userAccountControl: %s""" % userAccountControl class OwnerGroupDescriptorTests(DescriptorTests): + def deleteAll(self): + if self.SAMBA: + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8")) + # DOMAIN + self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1")) + self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn) + # SCHEMA + # CONFIGURATION + self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \ + + self.configuration_dn) + self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn) + def setUp(self): DescriptorTests.setUp(self) + self.deleteAll() if self.SAMBA: ### Create users # User 1 @@ -295,7 +317,8 @@ class OwnerGroupDescriptorTests(DescriptorTests): self.enable_account(user_dn) ldif = """ dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) # User 2 @@ -304,7 +327,8 @@ member: """ + user_dn self.enable_account(user_dn) ldif = """ dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) # User 3 @@ -313,7 +337,8 @@ member: """ + user_dn self.enable_account(user_dn) ldif = """ dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) # User 4 @@ -326,11 +351,13 @@ member: """ + user_dn self.enable_account(user_dn) ldif = """ dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn + """ dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) # User 6 @@ -339,15 +366,18 @@ member: """ + user_dn self.enable_account(user_dn) ldif = """ dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn + """ dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn + """ dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) # User 7 @@ -356,11 +386,13 @@ member: """ + user_dn self.enable_account(user_dn) ldif = """ dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn + """ dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) # User 8 @@ -369,11 +401,13 @@ member: """ + user_dn self.enable_account(user_dn) ldif = """ dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn + """ dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) self.results = { @@ -490,25 +524,7 @@ member: """ + user_dn self.DS_BEHAVIOR = "ds_behavior_win2008" def tearDown(self): - if self.SAMBA: - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8")) - # DOMAIN - self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1")) - self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn) - # SCHEMA - # CONFIGURATION - self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \ - + self.configuration_dn) - self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn) + self.deleteAll() def check_user_belongs(self, user_dn, groups=[]): """ Test wether user is member of the expected group(s) """ @@ -1414,12 +1430,16 @@ member: """ + user_dn class DaclDescriptorTests(DescriptorTests): + def deleteAll(self): + self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn) + def setUp(self): DescriptorTests.setUp(self) + self.deleteAll() def tearDown(self): - self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn) + self.deleteAll() def create_clean_ou(self, object_dn): """ Base repeating setup for unittests to follow """ @@ -1686,12 +1706,16 @@ class DaclDescriptorTests(DescriptorTests): class SdFlagsDescriptorTests(DescriptorTests): + def deleteAll(self): + self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn) + def setUp(self): DescriptorTests.setUp(self) self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)" + self.deleteAll() def tearDown(self): - self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn) + self.deleteAll() def test_301(self): """ Modify a descriptor with OWNER_SECURITY_INFORMATION set. @@ -1841,8 +1865,16 @@ class SdFlagsDescriptorTests(DescriptorTests): class RightsAttributesTests(DescriptorTests): + def deleteAll(self): + if self.SAMBA: + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2")) + + self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn) + def setUp(self): DescriptorTests.setUp(self) + self.deleteAll() if self.SAMBA: ### Create users # User 1 @@ -1855,17 +1887,13 @@ class RightsAttributesTests(DescriptorTests): self.enable_account(user_dn) ldif = """ dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ -changetype: add +changetype: modify +add: member member: """ + user_dn self.ldb_admin.modify_ldif(ldif) def tearDown(self): - - if self.SAMBA: - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2")) - - self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn) + self.deleteAll() def test_sDRightsEffective(self): object_dn = "OU=test_domain_ou1," + self.base_dn @@ -1964,7 +1992,11 @@ member: """ + user_dn self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"]) if not "://" in host: - host = "ldap://%s" % host + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host + ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"]) runner = SubunitTestRunner() -- cgit From 66f161dee13fc027ea0253abdf40dfb7dc4bffa3 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 8 Jan 2010 10:03:51 +1100 Subject: s4-acl: fixed acl.py test to use correct ldif same problem as sec_descriptor.py --- source4/lib/ldb/tests/python/acl.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/lib/ldb') diff --git a/source4/lib/ldb/tests/python/acl.py b/source4/lib/ldb/tests/python/acl.py index 4544f60736..909adc5129 100755 --- a/source4/lib/ldb/tests/python/acl.py +++ b/source4/lib/ldb/tests/python/acl.py @@ -164,7 +164,8 @@ replace: nTSecurityDescriptor """ ldif = """ dn: """ + group_dn + """ -changetype: add +changetype: modify +add: member member: """ + member_dn _ldb.modify_ldif(ldif) -- cgit From 39a4e2a38d0a6767ebca13efaee0ac61297ad45b Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 9 Jan 2010 09:03:08 +1100 Subject: s4-ldb: validate the type of the ldb argument to ldb_dn_new() It has been a common bug to get the first two arguments the wrong way around --- source4/lib/ldb/common/ldb_dn.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source4/lib/ldb') diff --git a/source4/lib/ldb/common/ldb_dn.c b/source4/lib/ldb/common/ldb_dn.c index 79953c6018..252a0c632b 100644 --- a/source4/lib/ldb/common/ldb_dn.c +++ b/source4/lib/ldb/common/ldb_dn.c @@ -103,7 +103,13 @@ struct ldb_dn *ldb_dn_from_ldb_val(void *mem_ctx, dn = talloc_zero(mem_ctx, struct ldb_dn); LDB_DN_NULL_FAILED(dn); - dn->ldb = ldb; + dn->ldb = talloc_get_type(ldb, struct ldb_context); + if (dn->ldb == NULL) { + /* the caller probably got the arguments to + ldb_dn_new() mixed up */ + talloc_free(dn); + return NULL; + } if (strdn->data && strdn->length) { const char *data = (const char *)strdn->data; -- cgit From a3e089db19384221c65996b158b7fa3aaf512792 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 10 Jan 2010 12:53:07 +1100 Subject: s4-ldb: display security descriptors with correct SDL for known SIDs This makes it much easier to compare SDs --- source4/lib/ldb/tools/cmdline.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source4/lib/ldb') diff --git a/source4/lib/ldb/tools/cmdline.c b/source4/lib/ldb/tools/cmdline.c index 39a460763c..44ae23b26c 100644 --- a/source4/lib/ldb/tools/cmdline.c +++ b/source4/lib/ldb/tools/cmdline.c @@ -33,6 +33,7 @@ #include "auth/auth.h" #include "ldb_wrap.h" #include "param/param.h" +#include "dsdb/common/proto.h" #endif static struct ldb_cmdline options; /* needs to be static for older compilers */ @@ -321,6 +322,11 @@ struct ldb_cmdline *ldb_cmdline_process(struct ldb_context *ldb, goto failed; } +#if (_SAMBA_BUILD_ >= 4) + /* get the domain SID into the cache for SDDL processing */ + samdb_domain_sid(ldb); +#endif + return ret; failed: -- cgit