sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-24 13:57:43 +03:00
Code

python/samdb: fix group member removal by SID

Browse Source 
Otherwise the removal of groupmembers by SID fails silently, because the
DN does not match the the DN in group member list.

Pair-programmed-with: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>
This commit is contained in:
Björn Baumbach 2024-11-26 15:46:02 +01:00
parent a74bc62779
commit c9d8e96d2b
1 changed files with 28 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
python/samba/samdb.py
View File

@ -387,8 +387,11 @@ lockoutTime: 0
self.transaction_start() self.transaction_start()
try: try:
targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE, targetgroup = self.search(base=self.domain_dn(),
expression=groupfilter, attrs=['member']) scope=ldb.SCOPE_SUBTREE,
expression=groupfilter,
controls=["extended_dn:1:1"],
attrs=['member'])
if len(targetgroup) == 0: if len(targetgroup) == 0:
raise Exception('Unable to find group "%s"' % groupname) raise Exception('Unable to find group "%s"' % groupname)
assert(len(targetgroup) == 1) assert(len(targetgroup) == 1)
@ -405,6 +408,7 @@ changetype: modify
if member_base_dn is None: if member_base_dn is None:
member_base_dn = self.domain_dn() member_base_dn = self.domain_dn()
membersid = None
try: try:
membersid = security.dom_sid(member) membersid = security.dom_sid(member)
targetmember_dn = "<SID=%s>" % str(membersid) targetmember_dn = "<SID=%s>" % str(membersid)
@ -439,13 +443,33 @@ changetype: modify
raise Exception('Unable to find "%s". Operation cancelled.' % member) raise Exception('Unable to find "%s". Operation cancelled.' % member)
targetmember_dn = targetmember[0].dn.extended_str(1) targetmember_dn = targetmember[0].dn.extended_str(1)
if add_members_operation is True and (targetgroup[0].get('member') is None or get_bytes(targetmember_dn) not in targetgroup[0]['member']): def _is_member(samdb, group, member_dn, member_sid):
if group.get('member') is None:
return False
for m in group.get('member'):
m_ext_dn = ldb.Dn(samdb, str(m))
m_binary_sid = m_ext_dn.get_extended_component("SID")
if m_binary_sid:
m_sid = ndr_unpack(security.dom_sid, m_binary_sid)
if member_sid == m_sid:
return True
if member_dn == str(m_ext_dn):
return True
return False
is_member = _is_member(self,
targetgroup[0],
targetmember_dn,
membersid)
if add_members_operation is True and not is_member:
modified = True modified = True
addtargettogroup += """add: member addtargettogroup += """add: member
member: %s member: %s
""" % (str(targetmember_dn)) """ % (str(targetmember_dn))
elif add_members_operation is False and (targetgroup[0].get('member') is not None and get_bytes(targetmember_dn) in targetgroup[0]['member']): elif add_members_operation is False and is_member:
modified = True modified = True
addtargettogroup += """delete: member addtargettogroup += """delete: member
member: %s member: %s