[SCM] Samba Shared Repository - branch master updated -
677e0fb9659abe1ad684dd980d61b88caad9f8a2
Stefan Metzmacher
metze at samba.org
Thu Dec 4 14:45:58 GMT 2008
The branch, master has been updated
via 677e0fb9659abe1ad684dd980d61b88caad9f8a2 (commit)
via 180245fce0f0d73d924ca6a25db3fc78934c40d1 (commit)
from 0f38bd90722469c6dbf1bcc7f56d3fbf6db3a8e8 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 677e0fb9659abe1ad684dd980d61b88caad9f8a2
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 4 15:40:31 2008 +0100
s4:kludge_acl: allow everybody to read the sequence number
metze
commit 180245fce0f0d73d924ca6a25db3fc78934c40d1
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 4 15:09:21 2008 +0100
s4:kdc: allow a trusted domain to get kerberos tickets
metze
-----------------------------------------------------------------------
Summary of changes:
source4/auth/auth.h | 3 +-
source4/auth/ntlm/auth_sam.c | 3 +-
source4/auth/sam.c | 12 ++++++----
source4/dsdb/samdb/ldb_modules/kludge_acl.c | 28 ++++++++++++++++++++++++++-
source4/kdc/pac-glue.c | 3 +-
5 files changed, 40 insertions(+), 9 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index af9ed52..360da50 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -204,7 +204,8 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
struct ldb_message *msg_domain_ref,
const char *logon_workstation,
- const char *name_for_logs);
+ const char *name_for_logs,
+ bool allow_domain_trust);
struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
const char *netbios_name,
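Review bot: The new `allow_domain_trust` parameter on `authsam_account_ok` carries no comment, yet it switches off a logon denial (the ACB_DOMTRUST rejection in sam.c), which is exactly the kind of argument a future caller should not pass `true` to without knowing the consequence. A short contract note on the declaration would fix that, e.g. `/* allow_domain_trust: when true, interdomain trust accounts (ACB_DOMTRUST) are not refused with NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; in this changeset only the KDC passes true */`. The only call sites visible here are auth_sam.c (false) and pac-glue.c (true), so that is what the comment can truthfully state today.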
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index d1be5b6..384d342 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -262,7 +262,8 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
msgs[0],
msgs_domain_ref[0],
user_info->workstation_name,
- user_info->mapped.account_name);
+ user_info->mapped.account_name,
+ false);
return nt_status;
}
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index f6a998a..4b848cf 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -144,7 +144,8 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
struct ldb_message *msg_domain_ref,
const char *logon_workstation,
- const char *name_for_logs)
+ const char *name_for_logs,
+ bool allow_domain_trust)
{
uint16_t acct_flags;
const char *workstation_list;
@@ -231,11 +232,12 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_LOGON_HOURS;
}
- if (acct_flags & ACB_DOMTRUST) {
- DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
- return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+ if (!allow_domain_trust) {
+ if (acct_flags & ACB_DOMTRUST) {
+ DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
+ return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+ }
}
-
if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
if (acct_flags & ACB_SVRTRUST) {
DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", name_for_logs));
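Review bot: The new `allow_domain_trust` boolean sits next to `logon_parameters`, which already gates the analogous server-trust exemption through `MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT` in the `if` immediately after the change, so a second out-of-band flag is stylistically inconsistent; a bit in `logon_parameters` would keep all trust-account exemptions in one place. If the bool stays, the nested condition can be flattened to `if (!allow_domain_trust && (acct_flags & ACB_DOMTRUST)) {`. Either way the permissive path is silent: the denial logs at DEBUG(2), but an accepted domain trust account leaves no trace, so something like `else if (acct_flags & ACB_DOMTRUST) { DEBUG(5,("sam_account_ok: Domain trust account %s allowed by caller\n", name_for_logs)); }` would preserve an audit trail for interdomain-trust logons. authsam_account_ok continues beyond the hunk.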
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index 6acbf45..97179a8 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -417,6 +417,32 @@ static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
}
}
+static int kludge_acl_extended(struct ldb_module *module, struct ldb_request *req)
+{
+ enum security_user_level user_type;
+
+ /* allow everybody to read the sequence number */
+ if (strcmp(req->op.extended.oid,
+ LDB_EXTENDED_SEQUENCE_NUMBER) == 0) {
+ return ldb_next_request(module, req);
+ }
+
+ user_type = what_is_user(module);
+
+ switch (user_type) {
+ case SECURITY_SYSTEM:
+ case SECURITY_ADMINISTRATOR:
+ return ldb_next_request(module, req);
+ default:
+ ldb_asprintf_errstring(module->ldb,
+ "kludge_acl_change: "
+ "attempted database modify not permitted. "
+ "User %s is not SYSTEM or an administrator",
+ user_name(req, module));
+ return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
+}
+
static int kludge_acl_init(struct ldb_module *module)
{
int ret, i;
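Review bot: The error string in the `default:` branch still reads `kludge_acl_change:` and `attempted database modify not permitted`, but the function is `kludge_acl_extended` rejecting an extended operation, so the message was evidently copied from kludge_acl_change and will mislead whoever reads the log; change the two literals to `"kludge_acl_extended: "` and `"extended operation not permitted. "`. Since `req->op.extended.oid` is the value being gated, appending `" (oid %s)"` with `req->op.extended.oid` as the extra argument would make a refused request attributable. The `strcmp` at the top assumes the oid is never NULL on an extended request — presumably guaranteed by ldb, but worth confirming.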
@@ -494,6 +520,6 @@ _PUBLIC_ const struct ldb_module_ops ldb_kludge_acl_module_ops = {
.modify = kludge_acl_change,
.del = kludge_acl_change,
.rename = kludge_acl_change,
- .extended = kludge_acl_change,
+ .extended = kludge_acl_extended,
.init_context = kludge_acl_init
};
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 3f1c1fc..74bec85 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -270,13 +270,14 @@ krb5_error_code samba_kdc_check_client_access(void *priv,
}
}
+ /* we allow all kinds of trusts here */
nt_status = authsam_account_ok(tmp_ctx,
private->samdb,
MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
private->msg,
private->realm_ref_msg,
workstation,
- name);
+ name, true);
free(name);
if (NT_STATUS_IS_OK(nt_status))
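Review bot: The added comment `/* we allow all kinds of trusts here */` says what the call does but not why, and this is the one place in the changeset that passes `true` for `allow_domain_trust`, so the reason belongs here; the commit message supplies it. Suggest `/* the KDC must accept interdomain trust accounts (ACB_DOMTRUST) so that a trusted domain can obtain tickets; the NTLM path in auth_sam.c still refuses them */`. Because the `true` is unconditional inside samba_kdc_check_client_access, any client principal that is a trust account is accepted by this check, not only cross-realm requests — if that is intended the comment should say so. The enclosing function starts and continues outside the hunk.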