svn commit: samba r24263 - in branches/SAMBA_4_0: source/dsdb/samdb/ldb_modules testprogs/ejs

abartlet at samba.org abartlet at samba.org
Tue Aug 7 09:01:09 GMT 2007


Author: abartlet
Date: 2007-08-07 09:01:08 +0000 (Tue, 07 Aug 2007)
New Revision: 24263

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24263

Log:
Fix bug 4846 (unable to copy users in MMC Active Directory Users and
Computers).

We now generate a security descriptor for each object, when it is
created.  This seems to keep MMC happy.  The next step is to honour
it.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/objectclass.c
   branches/SAMBA_4_0/testprogs/ejs/ldap.js


Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/objectclass.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/objectclass.c	2007-08-07 05:58:47 UTC (rev 24262)
+++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/objectclass.c	2007-08-07 09:01:08 UTC (rev 24263)
@@ -35,6 +35,11 @@
 #include "ldb/include/ldb_private.h"
 #include "dsdb/samdb/samdb.h"
 #include "lib/util/dlinklist.h"
+#include "librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
+#include "auth/auth.h"
+
 struct oc_context {
 
 	enum oc_step {OC_DO_REQ, OC_SEARCH_SELF, OC_DO_MOD} step;
@@ -196,6 +201,39 @@
 	return LDB_SUCCESS;
 }
 
+DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx, 
+		  const struct dsdb_class *objectclass) 
+{
+	NTSTATUS status;
+	DATA_BLOB *linear_sd;
+	struct auth_session_info *session_info
+		= ldb_get_opaque(module->ldb, "sessionInfo");
+	struct security_descriptor *sd = sddl_decode(mem_ctx, 
+						     objectclass->defaultSecurityDescriptor,
+						     samdb_domain_sid(module->ldb));
+	if (!session_info || !session_info->security_token) {
+		return NULL;
+	}
+	
+	sd->owner_sid = session_info->security_token->user_sid;
+	sd->group_sid = session_info->security_token->group_sid;
+	
+	linear_sd = talloc(mem_ctx, DATA_BLOB);
+	if (!linear_sd) {
+		return NULL;
+	}
+
+	status = ndr_push_struct_blob(linear_sd, mem_ctx, sd, 
+				      (ndr_push_flags_fn_t)ndr_push_security_descriptor);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		return NULL;
+	}
+	
+	return linear_sd;
+
+}
+
 static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
 {
 	struct ldb_message_element *objectclass_element;
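Review bot: `sd` from `sddl_decode` is dereferenced at `sd->owner_sid = ...` with no NULL check, so a class whose `defaultSecurityDescriptor` is absent or fails to parse crashes the add path instead of returning an error. Add `if (!sd) { return NULL; }` before the owner/group assignment, and move the `sddl_decode` call below the `session_info` check so nothing is decoded for a request that is rejected anyway. `get_sd` is also a file-scope helper that is not declared `static` (`static DATA_BLOB *get_sd(...)`), unlike `objectclass_add` directly below it. objectclass_add's body continues outside the hunk.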
@@ -266,12 +304,18 @@
 			talloc_free(mem_ctx);
 			return ret;
 		}
-		/* Last one */
-		if (schema && !current->next && !ldb_msg_find_element(msg, "objectCategory")) {
+		/* Last one is the critical one */
+		if (schema && !current->next) {
 			const struct dsdb_class *objectclass
 				= dsdb_class_by_lDAPDisplayName(schema, current->objectclass);
 			if (objectclass) {
-				ldb_msg_add_string(msg, "objectCategory", objectclass->defaultObjectCategory);
+				if (!ldb_msg_find_element(msg, "objectCategory")) {
+					ldb_msg_add_string(msg, "objectCategory", objectclass->defaultObjectCategory);
+				}
+				if (!ldb_msg_find_element(msg, "ntSecurityDescriptor")) {
+					DATA_BLOB *sd = get_sd(module, mem_ctx, objectclass);
+					ldb_msg_add_steal_value(msg, "ntSecurityDescriptor", sd);
+				}
 			}
 		}
 	}
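Review bot: The `DATA_BLOB *sd` returned by `get_sd` is handed straight to `ldb_msg_add_steal_value`, but `get_sd` returns NULL when there is no session info, when `talloc` fails or when the NDR push fails, and the return value of `ldb_msg_add_steal_value` is ignored; a NULL here is dereferenced inside ldb, and a failed add silently leaves the object without the descriptor the commit intends every object to carry. Guard it with `if (!sd || ldb_msg_add_steal_value(msg, "ntSecurityDescriptor", sd) != LDB_SUCCESS) { talloc_free(mem_ctx); return LDB_ERR_OPERATIONS_ERROR; }`, matching the `talloc_free(mem_ctx); return ret;` pattern at the top of the hunk. If adds without a session (internal callers) are meant to proceed without a descriptor, skip only the NULL case but still check the add's return. objectclass_add starts and ends outside the hunk.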

Modified: branches/SAMBA_4_0/testprogs/ejs/ldap.js
===================================================================
--- branches/SAMBA_4_0/testprogs/ejs/ldap.js	2007-08-07 05:58:47 UTC (rev 24262)
+++ branches/SAMBA_4_0/testprogs/ejs/ldap.js	2007-08-07 09:01:08 UTC (rev 24263)
@@ -258,7 +258,7 @@
 	assert(res.msgs[0].objectCategory == "cn=Person,cn=Schema,cn=Configuration," + base_dn);
 	assert(res.msgs[0].sAMAccountType == 805306368);
 //	assert(res[0].userAccountControl == 546);
-
+ 
 	println("Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + base_dn + "))");
 	var res2 = ldb.search("(&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + base_dn + "))");
 	if (res2.error != 0 || res2.msgs.length != 1) {
@@ -439,8 +439,9 @@
 //	assert(res.msgs[0].userAccountControl == 4098);
 
 
+        var attrs = new Array("cn", "name", "objectClass", "objectGUID", "whenCreated", "ntSecurityDescriptor");
 	println("Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))");
-	var res = ldb.search("(&(cn=ldaptestUSer2)(objectClass=user))");
+	var res = ldb.search("(&(cn=ldaptestUSer2)(objectClass=user))", base_dn, ldb.SCOPE_SUBTREE, attrs);
 	if (res.error != 0 || res.msgs.length != 1) {
 		println("Could not find (&(cn=ldaptestUSer2)(objectClass=user))");
 		assert(res.error == 0);
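Review bot: The new `var attrs = new Array(...)` line is indented with spaces while every surrounding line uses a tab; it should read `\tvar attrs = new Array("cn", "name", "objectClass", "objectGUID", "whenCreated", "ntSecurityDescriptor");`. The explicit attribute list presumably also narrows what the later assertions in this block can see, so a one-line comment above it saying that any attribute asserted below must be named here would save the next person a puzzling `undefined`. The enclosing test function starts and ends outside the hunk.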
@@ -456,6 +457,7 @@
 	assert(res.msgs[0].objectClass[3] == "user");
 	assert(res.msgs[0].objectGUID != undefined);
 	assert(res.msgs[0].whenCreated != undefined);
+	assert(res.msgs[0].ntSecurityDescriptor != undefined);
 
 	ok = ldb.del(res.msgs[0].dn);
 	if (ok.error != 0) {


