[SCM] Samba Shared Repository - branch master updated - 677e0fb9659abe1ad684dd980d61b88caad9f8a2

Stefan Metzmacher metze at samba.org
Thu Dec 4 14:45:58 GMT 2008


The branch, master has been updated
       via  677e0fb9659abe1ad684dd980d61b88caad9f8a2 (commit)
       via  180245fce0f0d73d924ca6a25db3fc78934c40d1 (commit)
      from  0f38bd90722469c6dbf1bcc7f56d3fbf6db3a8e8 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 677e0fb9659abe1ad684dd980d61b88caad9f8a2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 4 15:40:31 2008 +0100

    s4:kludge_acl: allow everybody to read the sequence number
    
    metze

commit 180245fce0f0d73d924ca6a25db3fc78934c40d1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 4 15:09:21 2008 +0100

    s4:kdc: allow a trusted domain to get kerberos tickets
    
    metze

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/auth.h                         |    3 +-
 source4/auth/ntlm/auth_sam.c                |    3 +-
 source4/auth/sam.c                          |   12 ++++++----
 source4/dsdb/samdb/ldb_modules/kludge_acl.c |   28 ++++++++++++++++++++++++++-
 source4/kdc/pac-glue.c                      |    3 +-
 5 files changed, 40 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index af9ed52..360da50 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -204,7 +204,8 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 			    struct ldb_message *msg,
 			    struct ldb_message *msg_domain_ref,
 			    const char *logon_workstation,
-			    const char *name_for_logs);
+			    const char *name_for_logs,
+			    bool allow_domain_trust);
 struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
 NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
 					   const char *netbios_name,
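Review bot: The new `allow_domain_trust` parameter is added to the public prototype without a word on what it permits, and since it relaxes an account-type check the header is where callers will look before passing `true`. The definition in source4/auth/sam.c shows it disables the ACB_DOMTRUST rejection only; the existing server/workstation trust checks remain governed by `logon_parameters`. I would add a comment above the prototype such as `/* allow_domain_trust: when true, interdomain trust accounts (ACB_DOMTRUST) are not rejected; only the KDC path should pass true */`. The prototype's earlier parameters begin outside this hunk.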
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index d1be5b6..384d342 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -262,7 +262,8 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
 				       msgs[0],
 				       msgs_domain_ref[0],
 				       user_info->workstation_name,
-				       user_info->mapped.account_name);
+				       user_info->mapped.account_name,
+				       false);
 
 	return nt_status;
 }
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index f6a998a..4b848cf 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -144,7 +144,8 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 			    struct ldb_message *msg,
 			    struct ldb_message *msg_domain_ref,
 			    const char *logon_workstation,
-			    const char *name_for_logs)
+			    const char *name_for_logs,
+			    bool allow_domain_trust)
 {
 	uint16_t acct_flags;
 	const char *workstation_list;
@@ -231,11 +232,12 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_INVALID_LOGON_HOURS;
 	}
 	
-	if (acct_flags & ACB_DOMTRUST) {
-		DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
-		return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+	if (!allow_domain_trust) {
+		if (acct_flags & ACB_DOMTRUST) {
+			DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
+			return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+		}
 	}
-	
 	if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
 		if (acct_flags & ACB_SVRTRUST) {
 			DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", name_for_logs));
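Review bot: The domain-trust bypass is silent: when `allow_domain_trust` is true and the account has ACB_DOMTRUST set, the new code falls through with no log line, whereas every rejection in this function is logged at level 2, so an operator cannot tell from the logs that a trust account was admitted. The nested `if` pair at the top of the hunk also reads oddly next to the single-condition style used for ACB_SVRTRUST just below it. I would collapse it to `if (!allow_domain_trust && (acct_flags & ACB_DOMTRUST)) {` and, in the allowed case, add an `else if (acct_flags & ACB_DOMTRUST) { DEBUG(2,("sam_account_ok: Domain trust account %s allowed by caller\n", name_for_logs)); }` branch so the relaxed path is visible. The function body continues past the end of this hunk.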
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index 6acbf45..97179a8 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -417,6 +417,32 @@ static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
 	}
 }
 
+static int kludge_acl_extended(struct ldb_module *module, struct ldb_request *req)
+{
+	enum security_user_level user_type;
+
+	/* allow everybody to read the sequence number */
+	if (strcmp(req->op.extended.oid,
+		   LDB_EXTENDED_SEQUENCE_NUMBER) == 0) {
+		return ldb_next_request(module, req);
+	}
+
+	user_type = what_is_user(module);
+
+	switch (user_type) {
+	case SECURITY_SYSTEM:
+	case SECURITY_ADMINISTRATOR:
+		return ldb_next_request(module, req);
+	default:
+		ldb_asprintf_errstring(module->ldb,
+				       "kludge_acl_change: "
+				       "attempted database modify not permitted. "
+				       "User %s is not SYSTEM or an administrator",
+				       user_name(req, module));
+		return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+	}
+}
+
 static int kludge_acl_init(struct ldb_module *module)
 {
 	int ret, i;
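Review bot: The error string in `kludge_acl_extended` still says `"kludge_acl_change: "` and `"attempted database modify not permitted. "`, which was copied from the modify handler and is wrong for an extended operation; an admin reading the ldb error will look in the wrong place. I would change those two literals to `"kludge_acl_extended: "` and `"extended operation not permitted. "`. The `strcmp` on `req->op.extended.oid` at the top also presumably assumes the OID is never NULL — if ldb does not guarantee that for every extended request, a `req->op.extended.oid != NULL &&` guard would avoid undefined behaviour; confirm against the ldb request contract.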
@@ -494,6 +520,6 @@ _PUBLIC_ const struct ldb_module_ops ldb_kludge_acl_module_ops = {
 	.modify            = kludge_acl_change,
 	.del               = kludge_acl_change,
 	.rename            = kludge_acl_change,
-	.extended          = kludge_acl_change,
+	.extended          = kludge_acl_extended,
 	.init_context	   = kludge_acl_init
 };
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 3f1c1fc..74bec85 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -270,13 +270,14 @@ krb5_error_code samba_kdc_check_client_access(void *priv,
 		}
 	}
 
+	/* we allow all kinds of trusts here */
 	nt_status = authsam_account_ok(tmp_ctx, 
 				       private->samdb, 
 				       MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
 				       private->msg,
 				       private->realm_ref_msg,
 				       workstation,
-				       name);
+				       name, true);
 	free(name);
 
 	if (NT_STATUS_IS_OK(nt_status))
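Review bot: The comment `/* we allow all kinds of trusts here */` states what the call does but not why the KDC is the one caller permitted to pass `true`, and that rationale is the security-relevant part of this change. The commit message gives it — a trusted domain must be able to obtain Kerberos tickets — so I would expand the comment to `/* the KDC must issue tickets to interdomain trust accounts, so domain trusts are allowed here; NTLM callers pass false */`. The enclosing `samba_kdc_check_client_access` starts and ends outside this hunk.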

