
forest_update: only update SDDL for schema objects

Updates to domainDNS objects are done by the domain updates.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher
2023-03-11 03:35:57 +01:00
committed by Andrew Bartlett
parent 838a36c743
commit f1f79a2e4b


@@ -305,30 +305,6 @@ objectClass: container
if self.add_update_container:
self.update_add(op)
def insert_ace_into_dacl(self, dn, existing_sddl, ace):
"""
Add an ACE to a DACL, checking if it already exists with a simple string search.
:param dn: DN to modify
:param existing_sddl: existing sddl as string
:param ace: string ace to insert
:return: True if modified else False
"""
index = existing_sddl.rfind("S:")
if index != -1:
new_sddl = existing_sddl[:index] + ace + existing_sddl[index:]
else:
# Insert it at the end if no S: section
new_sddl = existing_sddl + ace
if ace in existing_sddl:
return False
self.sd_utils.modify_sd_on_dn(dn, new_sddl,
controls=["sd_flags:1:%d" % SECINFO_DACL])
return True
def insert_ace_into_string(self, dn, ace, attr):
"""
Insert an ACE into a string attribute like defaultSecurityDescriptor.
@@ -391,15 +367,6 @@ objectClass: container
self.insert_ace_into_string(schema_dn, ace,
attr="defaultSecurityDescriptor")
res = self.samdb.search(expression="(objectClass=samDomain)",
attrs=["nTSecurityDescriptor"],
controls=["search_options:1:2"])
for msg in res:
existing_sd = ndr_unpack(security.descriptor, msg["nTSecurityDescriptor"][0])
existing_sddl = existing_sd.as_sddl(self.domain_sid)
self.insert_ace_into_dacl(msg.dn, existing_sddl, ace)
if self.add_update_container:
self.update_add(op)
@@ -420,17 +387,6 @@ objectClass: container
self.insert_ace_into_string(schema_dn, ace,
attr="defaultSecurityDescriptor")
res = self.samdb.search(expression="(objectClass=domainDNS)",
attrs=["nTSecurityDescriptor"],
controls=["search_options:1:2",
"sd_flags:1:%d" % SECINFO_DACL])
for msg in res:
existing_sd = ndr_unpack(security.descriptor, msg["nTSecurityDescriptor"][0])
existing_sddl = existing_sd.as_sddl(self.domain_sid)
self.insert_ace_into_dacl(msg.dn, existing_sddl, ace)
if self.add_update_container:
self.update_add(op)
@@ -461,15 +417,6 @@ objectClass: container
self.insert_ace_into_string(schema_dn, ace,
attr='defaultSecurityDescriptor')
res = self.samdb.search(expression="(objectClass=samDomain)",
attrs=["nTSecurityDescriptor"],
controls=["search_options:1:2"])
for msg in res:
existing_sd = ndr_unpack(security.descriptor, msg["nTSecurityDescriptor"][0])
existing_sddl = existing_sd.as_sddl(self.domain_sid)
self.insert_ace_into_dacl(msg.dn, existing_sddl, ace)
if self.add_update_container:
self.update_add(op)
@@ -485,16 +432,6 @@ objectClass: container
self.insert_ace_into_string(schema_dn, ace,
attr='defaultSecurityDescriptor')
res = self.samdb.search(expression="(objectClass=domainDNS)",
attrs=["nTSecurityDescriptor"],
controls=["search_options:1:2"])
for msg in res:
existing_sd = ndr_unpack(security.descriptor, msg["nTSecurityDescriptor"][0])
existing_sddl = existing_sd.as_sddl(self.domain_sid)
self.insert_ace_into_dacl(msg.dn, existing_sddl, ace)
if self.add_update_container:
self.update_add(op)