
r24263: Fix bug 4846 (unable to copy users in MMC Active Directory Users and

Computers).

We now generate a security descriptor for each object, when it is
created.  This seems to keep MMC happy.  The next step is to honour
it.

Andrew Bartlett
(This used to be commit 72f4ae82463c5c1f9f6b7f18f125c4c8fb56ae4f)
This commit is contained in:
Andrew Bartlett 2007-08-07 09:01:08 +00:00 committed by Gerald (Jerry) Carter
parent ae7819d715
commit c4e5fcc349
2 changed files with 51 additions and 5 deletions


@ -35,6 +35,11 @@
#include "ldb/include/ldb_private.h"
#include "dsdb/samdb/samdb.h"
#include "lib/util/dlinklist.h"
#include "librpc/ndr/libndr.h"
#include "librpc/gen_ndr/ndr_security.h"
#include "libcli/security/security.h"
#include "auth/auth.h"
struct oc_context {
enum oc_step {OC_DO_REQ, OC_SEARCH_SELF, OC_DO_MOD} step;
@ -196,6 +201,39 @@ static int objectclass_sort(struct ldb_module *module,
return LDB_SUCCESS;
}
DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx,
const struct dsdb_class *objectclass)
{
NTSTATUS status;
DATA_BLOB *linear_sd;
struct auth_session_info *session_info
= ldb_get_opaque(module->ldb, "sessionInfo");
struct security_descriptor *sd = sddl_decode(mem_ctx,
objectclass->defaultSecurityDescriptor,
samdb_domain_sid(module->ldb));
if (!session_info || !session_info->security_token) {
return NULL;
}
sd->owner_sid = session_info->security_token->user_sid;
sd->group_sid = session_info->security_token->group_sid;
linear_sd = talloc(mem_ctx, DATA_BLOB);
if (!linear_sd) {
return NULL;
}
status = ndr_push_struct_blob(linear_sd, mem_ctx, sd,
(ndr_push_flags_fn_t)ndr_push_security_descriptor);
if (!NT_STATUS_IS_OK(status)) {
return NULL;
}
return linear_sd;
}
static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_message_element *objectclass_element;
@ -266,12 +304,18 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
talloc_free(mem_ctx);
return ret;
}
/* Last one */
if (schema && !current->next && !ldb_msg_find_element(msg, "objectCategory")) {
/* Last one is the critical one */
if (schema && !current->next) {
const struct dsdb_class *objectclass
= dsdb_class_by_lDAPDisplayName(schema, current->objectclass);
if (objectclass) {
ldb_msg_add_string(msg, "objectCategory", objectclass->defaultObjectCategory);
if (!ldb_msg_find_element(msg, "objectCategory")) {
ldb_msg_add_string(msg, "objectCategory", objectclass->defaultObjectCategory);
}
if (!ldb_msg_find_element(msg, "ntSecurityDescriptor")) {
DATA_BLOB *sd = get_sd(module, mem_ctx, objectclass);
ldb_msg_add_steal_value(msg, "ntSecurityDescriptor", sd);
}
}
}
}
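Review bot: `sd` returned by sddl_decode at the top of get_sd is dereferenced (`sd->owner_sid = ...`, `sd->group_sid = ...`) before anything checks it for NULL, so an objectclass whose defaultSecurityDescriptor is absent or does not parse would crash the add path instead of failing it. The caller has the mirror problem: get_sd returns NULL on several paths, and objectclass_add hands that result straight to ldb_msg_add_steal_value, which as far as I can tell reads through the value pointer. I would add `if (!sd) { return NULL; }` directly after the sddl_decode call, and in objectclass_add guard the add as `if (sd) { ldb_msg_add_steal_value(msg, "ntSecurityDescriptor", sd); }` or, better, fail the request so that no object is created without the descriptor this commit intends every object to carry. The return values of ldb_msg_add_string and ldb_msg_add_steal_value in the new block are also ignored, so an allocation failure there goes unnoticed. objectclass_add continues outside the last hunk, and get_sd, a new function with external linkage, could be marked `static` unless another module is meant to call it.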


@ -258,7 +258,7 @@ objectClass: user
assert(res.msgs[0].objectCategory == "cn=Person,cn=Schema,cn=Configuration," + base_dn);
assert(res.msgs[0].sAMAccountType == 805306368);
// assert(res[0].userAccountControl == 546);
println("Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + base_dn + "))");
var res2 = ldb.search("(&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + base_dn + "))");
if (res2.error != 0 || res2.msgs.length != 1) {
@ -439,8 +439,9 @@ objectClass: user
// assert(res.msgs[0].userAccountControl == 4098);
var attrs = new Array("cn", "name", "objectClass", "objectGUID", "whenCreated", "ntSecurityDescriptor");
println("Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))");
var res = ldb.search("(&(cn=ldaptestUSer2)(objectClass=user))");
var res = ldb.search("(&(cn=ldaptestUSer2)(objectClass=user))", base_dn, ldb.SCOPE_SUBTREE, attrs);
if (res.error != 0 || res.msgs.length != 1) {
println("Could not find (&(cn=ldaptestUSer2)(objectClass=user))");
assert(res.error == 0);
@ -456,6 +457,7 @@ objectClass: user
assert(res.msgs[0].objectClass[3] == "user");
assert(res.msgs[0].objectGUID != undefined);
assert(res.msgs[0].whenCreated != undefined);
assert(res.msgs[0].ntSecurityDescriptor != undefined);
ok = ldb.del(res.msgs[0].dn);
if (ok.error != 0) {
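Review bot: The new assertion `assert(res.msgs[0].ntSecurityDescriptor != undefined);` only checks that the attribute is present, not that the stored descriptor carries the owner and group taken from the session token, which is the behaviour the accompanying C change introduces; a regression that stores an empty or default-owner blob would still pass. If the test harness can decode the value, an additional assertion that the owner SID matches the connecting user would pin the intended behaviour. The surrounding test function starts and ends outside the hunks shown here.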