r24263: Fix bug 4846 (unable to copy users in MMC Active Directory Users and
Computers).
We now generate a security descriptor for each object, when it is
created. This seems to keep MMC happy. The next step is to honour
it.
Andrew Bartlett
(This used to be commit 72f4ae8246
)
This commit is contained in:
parent
ae7819d715
commit
c4e5fcc349
@ -35,6 +35,11 @@
|
||||
#include "ldb/include/ldb_private.h"
|
||||
#include "dsdb/samdb/samdb.h"
|
||||
#include "lib/util/dlinklist.h"
|
||||
#include "librpc/ndr/libndr.h"
|
||||
#include "librpc/gen_ndr/ndr_security.h"
|
||||
#include "libcli/security/security.h"
|
||||
#include "auth/auth.h"
|
||||
|
||||
struct oc_context {
|
||||
|
||||
enum oc_step {OC_DO_REQ, OC_SEARCH_SELF, OC_DO_MOD} step;
|
||||
@ -196,6 +201,39 @@ static int objectclass_sort(struct ldb_module *module,
|
||||
return LDB_SUCCESS;
|
||||
}
|
||||
|
||||
DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx,
|
||||
const struct dsdb_class *objectclass)
|
||||
{
|
||||
NTSTATUS status;
|
||||
DATA_BLOB *linear_sd;
|
||||
struct auth_session_info *session_info
|
||||
= ldb_get_opaque(module->ldb, "sessionInfo");
|
||||
struct security_descriptor *sd = sddl_decode(mem_ctx,
|
||||
objectclass->defaultSecurityDescriptor,
|
||||
samdb_domain_sid(module->ldb));
|
||||
if (!session_info || !session_info->security_token) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
sd->owner_sid = session_info->security_token->user_sid;
|
||||
sd->group_sid = session_info->security_token->group_sid;
|
||||
|
||||
linear_sd = talloc(mem_ctx, DATA_BLOB);
|
||||
if (!linear_sd) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
status = ndr_push_struct_blob(linear_sd, mem_ctx, sd,
|
||||
(ndr_push_flags_fn_t)ndr_push_security_descriptor);
|
||||
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return linear_sd;
|
||||
|
||||
}
|
||||
|
||||
static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
|
||||
{
|
||||
struct ldb_message_element *objectclass_element;
|
||||
@ -266,12 +304,18 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
|
||||
talloc_free(mem_ctx);
|
||||
return ret;
|
||||
}
|
||||
/* Last one */
|
||||
if (schema && !current->next && !ldb_msg_find_element(msg, "objectCategory")) {
|
||||
/* Last one is the critical one */
|
||||
if (schema && !current->next) {
|
||||
const struct dsdb_class *objectclass
|
||||
= dsdb_class_by_lDAPDisplayName(schema, current->objectclass);
|
||||
if (objectclass) {
|
||||
ldb_msg_add_string(msg, "objectCategory", objectclass->defaultObjectCategory);
|
||||
if (!ldb_msg_find_element(msg, "objectCategory")) {
|
||||
ldb_msg_add_string(msg, "objectCategory", objectclass->defaultObjectCategory);
|
||||
}
|
||||
if (!ldb_msg_find_element(msg, "ntSecurityDescriptor")) {
|
||||
DATA_BLOB *sd = get_sd(module, mem_ctx, objectclass);
|
||||
ldb_msg_add_steal_value(msg, "ntSecurityDescriptor", sd);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
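Review bot: `get_sd` dereferences `sd` in `sd->owner_sid = session_info->security_token->user_sid;` without checking that `sddl_decode` succeeded, so an add of an object class whose `defaultSecurityDescriptor` is absent or unparsable (or a NULL result from `samdb_domain_sid`) would crash the module rather than fail the request. Add `if (!sd) { return NULL; }` directly after the `sddl_decode` call, and consider moving the existing `session_info` check ahead of the decode so nothing is parsed when there is no token. The caller in `objectclass_add` has the same gap: `DATA_BLOB *sd = get_sd(module, mem_ctx, objectclass);` is passed straight to `ldb_msg_add_steal_value` without a NULL check and its return code is ignored, so a failed descriptor generation silently produces an object with no `ntSecurityDescriptor`; the request should be failed (or the add skipped deliberately with a comment) in that case. `get_sd` is also defined without `static` and no prototype is visible in these hunks; if nothing outside this file uses it, it should be `static`.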
@ -258,7 +258,7 @@ objectClass: user
|
||||
assert(res.msgs[0].objectCategory == "cn=Person,cn=Schema,cn=Configuration," + base_dn);
|
||||
assert(res.msgs[0].sAMAccountType == 805306368);
|
||||
// assert(res[0].userAccountControl == 546);
|
||||
|
||||
|
||||
println("Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + base_dn + "))");
|
||||
var res2 = ldb.search("(&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + base_dn + "))");
|
||||
if (res2.error != 0 || res2.msgs.length != 1) {
|
||||
@ -439,8 +439,9 @@ objectClass: user
|
||||
// assert(res.msgs[0].userAccountControl == 4098);
|
||||
|
||||
|
||||
var attrs = new Array("cn", "name", "objectClass", "objectGUID", "whenCreated", "ntSecurityDescriptor");
|
||||
println("Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))");
|
||||
var res = ldb.search("(&(cn=ldaptestUSer2)(objectClass=user))");
|
||||
var res = ldb.search("(&(cn=ldaptestUSer2)(objectClass=user))", base_dn, ldb.SCOPE_SUBTREE, attrs);
|
||||
if (res.error != 0 || res.msgs.length != 1) {
|
||||
println("Could not find (&(cn=ldaptestUSer2)(objectClass=user))");
|
||||
assert(res.error == 0);
|
||||
@ -456,6 +457,7 @@ objectClass: user
|
||||
assert(res.msgs[0].objectClass[3] == "user");
|
||||
assert(res.msgs[0].objectGUID != undefined);
|
||||
assert(res.msgs[0].whenCreated != undefined);
|
||||
assert(res.msgs[0].ntSecurityDescriptor != undefined);
|
||||
|
||||
ok = ldb.del(res.msgs[0].dn);
|
||||
if (ok.error != 0) {
|
||||
|