sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code
83,658 Commits 60 Branches 1,144 Tags 452 MiB
1be4dbc0ca
Commit Graph

83658 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Stefan Metzmacher
1be4dbc0ca s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
7f42a8b7b6 s4:dsdb/repl_meta_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify 
The propagation of nTSecurityDescriptor doesn't change the
replProperyMetaData.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
cb9c7ee79b s4:dsdb/objectclass_attrs: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
60f0e172e3 s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
7f88ad3efc s4:dsdb/subtree_delete: delete from the leafs to the root (bug #7711) 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
5dd4555f39 s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711) 
Now that the acl module checks for SEC_ADS_DELETE_TREE,
we can do the recursive delete AS_SYSTEM.

We need to pass the TRUSTED flags as we operate from
the TOP module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
60192fd100 s4:dsdb/subtree_delete: do an early return and avoid some nesting 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
ff274bafeb s4:dsdb/objectclass: do not pass the callers controls on helper searches 
We add AS_SYSTEM and SHOW_RECYCLED to the helper search,
don't let the caller specify additional controls.

This also fixes a problem when the caller also specified AS_SYSTEM.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
5838637b42 s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug #7711) 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
60c29a51a0 s4:dsdb/dirsync: remove unused 'deletedattr' variable 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
ffaf9bb98b s4:provision: add pekList and msDS-ExecuteScriptPassword to @KLUDGEACL 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
0c2c00e4b9 s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX 
See [MS-ADTS] 3.1.1.4.4 Extended Access Checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
b54d268e20 s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes 
The @KLUDGEACL record might not be uptodate.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
f67f469ce1 s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on modify 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
5aa7dbe546 s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on nTSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
4ef36fda68 s4:dsdb/descriptor: remove some nesting from descriptor_modify 
If the nTSecurityDescriptor attribute is not specified,
we have nothing to do.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
8d60ac19ed s4:dsdb/descriptor: remove some unnecessary nesting 
sd == NULL is checked before.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
813492676c s4:dsdb/descriptor: add some error checks to descriptor_{add,modify} 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
b3486f4e1a s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
74e3f0ea0a s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify,rename} 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
4136d969ca s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd 
The sd_flags:1:15 control together with an empty security_descriptor
has the same effect as the recalculate_sd:0 control (which is samba only).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
118db4ca11 s4:provision: add get_empty_descriptor() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
7a3e4d04c7 s4:dsdb/descriptor: if the caller specifies no DACL/SACL the objects gets a default one 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
c2c715f9c9 s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
990448b499 s4:dsdb/acl_read: enable acl checking on search by default (bug #8620) 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
fa676769e0 s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor 
We need to base the access mask on the given SD Flags.
Originally, we always checked for SEC_FLAG_SYSTEM_SECURITY,
which could lead to INSUFFICIENT_RIGHTS when we should
have been allowed to read.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
ca3c0e28ef s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED 
Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
53b100bb59 s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor 
The access_mask depends on the SD Flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
95b480fd98 s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set 
In that case the acl_read module does the protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
3d57f17db9 s4:dsdb/acl: remove unused "acl:perform" option 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
329afc1a20 s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED 
The searches are done in order to do access checks
and the results are not directly exposed to the client.

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
42898590bb s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add 
See [MS-ADTS] 6.1.3.2 SD Flags Control:
  ...
  When performing an LDAP add operation, the client can supply an SD flags control
  with the operation; however, it will be ignored by the server.
  ...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
f018772e0c s4:dsdb/descriptor: make use of dsdb_request_sd_flags() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
67045fafe8 s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDescriptor 
If the nTSecurityDescriptor is explicitly specified
without the SD Flags control we should go through descriptor_search_callback().

This is not strictly needed at the moment, but makes the code clearer
and might avoid surprises in the future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
690b5e1161 s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED 
Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
2916313f80 s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
1cdecf1234 s4:dsdb/acl_util: do helper searches AS_SYSTEM 
The search is done in order to do access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
8d900d06ff s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
659277a89d s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED 
Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
844b736a1d s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLED 
Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
a882b41d44 s4:dsdb/rootdse: do helper searches AS_SYSTEM 
As anonymous users can read all rootdse attributes,
we should do helper searches with DSDB_FLAG_AS_SYSTEM
in order to avoid unnecessary access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
964d96d2c3 s4:dsdb/rootdse: remove unused variable 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Michael Adam
4970d3cacb s4:tests/samba_tool/gpo.py: fix accidential line break 
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
a581242080 s4:tests/samba_tool/gpo.py: add test_show_as_admin() 
This calls samba-tool gpo show as admin (which should be able to
see the full nTSecurityDescriptor.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
325e921908 s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
67799962b8 s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
6bffad67d2 s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
f843c04b0f s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
8563348a01 s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xF 
A value of 0 is mapped to 0xF.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
6991fb385e s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVector 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00