[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Sun Nov 1 22:37:58 MST 2009
The branch, master has been updated
via a355365... s4:dsdb Fix up after the MAP_ constants became LDB_MAP_
via 371afc4... s4:provision Remove LDB backend files in provision
via 6439bde... s4:provision Split ProvisionBackend out of the main provision script
via aa37db5... s4:provision Inline 'ldap_backend_shutdown' for clarity
via e94bfe5... s4:provision Fix samdb test with new provision code
via 4be253f... s4:provision Move 'Schema' into it's own file
via 76d289b... s4:provision Make 'linked_attributes' and 'dnsyntax_attributes' a property of the Schema
via 350e963... s4:provision Rework provision to always have a ProvisionBackend
via e035433... s4 - SID allocation using FDS DNA plugin
via 40a06c0... s4:dsdb - Removed redundant domain SID filter.
via bf01937... s4:dsdb - Store SID as string in FDS.
via 8097280... s4 - Mapped AD schema to existing FDS schema.
via 1fc19ee... s4:dsdb - Fixed attribute dereferencing for FDS
via 7d38bb4... Remove special case logic in 'samdb_relative_path'.
via 1ac8ef1... s4:dsdb Revert back to using DN:filename in the partitions record
via 7a29013... lib/util Use rfc1738.c from Squid for all our URL encode/decode needs.
via 87195f5... lib/util Add rfc1738 escape/unescape code from Squid
via 609b831... s4:credentials Put the 'secrets.keytab' in the same directory as secrets.ldb
via 0712750... s4: Create a script for updating a running provision with change introduced since the initial provision
via 3caaf6a... s4:torture/raw/samba3misc - Add "discard_const_p" macro before a string
via f1f1bda... s4:ldb Remove debug traces duplicated by the new generic trace code
from 7006352... s3:ldap: don't search when no values where found
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a3553658bfd7898081de90a79afce144c91b39ac
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 30 23:45:21 2009 +1100
s4:dsdb Fix up after the MAP_ constants became LDB_MAP_
commit 371afc47dc744ce4012f5ea00ced29653bd5869a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 30 23:42:03 2009 +1100
s4:provision Remove LDB backend files in provision
Rather than try and remove the records in the LDB files, make the
provision remove the whole file. This also removes the need to try
and carry forward the old ldb filenames.
Andrew Bartlett
commit 6439bdeb3a50aaeb1a9c431b9036c44810d9a5e3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 30 15:18:42 2009 +1100
s4:provision Split ProvisionBackend out of the main provision script
This splits the code, while keeping the original behaviour. The
provision.py file had become just too long.
Andrew Bartlett
commit aa37db5a12fcd8f9d9cba56378953f1c16de6d46
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 30 14:54:21 2009 +1100
s4:provision Inline 'ldap_backend_shutdown' for clarity
commit e94bfe5efbbc61eea8592adce55a998aa6f400d8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 30 14:51:57 2009 +1100
s4:provision Fix samdb test with new provision code
commit 4be253fe2fe7b24f322952f94c973a5d250aec4b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 30 14:31:25 2009 +1100
s4:provision Move 'Schema' into it's own file
commit 76d289bb0e791c7c9fb892a368c767aed2635279
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 30 14:05:21 2009 +1100
s4:provision Make 'linked_attributes' and 'dnsyntax_attributes' a property of the Schema
commit 350e96354543943b5e7249d517596ddfaf29c47e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 30 13:16:10 2009 +1100
s4:provision Rework provision to always have a ProvisionBackend
Rather than treat the LDAP backend as a special case, treat all
backends the same, with different callbacks.
Andrew Bartlett
commit e035433bab87cb5f2f12def900e194da877e6925
Author: Endi S. Dewata <edewata at redhat.com>
Date: Wed Oct 28 15:28:31 2009 -0500
s4 - SID allocation using FDS DNA plugin
commit 40a06c0101bf6426e0752cd695044049a8058f54
Author: Endi S. Dewata <edewata at redhat.com>
Date: Tue Oct 27 14:59:28 2009 -0500
s4:dsdb - Removed redundant domain SID filter.
commit bf01937549cd1ebaf327a709ecb104bfc0e0705c
Author: Endi S. Dewata <edewata at redhat.com>
Date: Fri Oct 23 22:59:48 2009 -0500
s4:dsdb - Store SID as string in FDS.
commit 8097280b468b7bcf26a0e17fdcaaccfb34d06415
Author: Endi S. Dewata <edewata at redhat.com>
Date: Fri Oct 23 20:09:07 2009 -0500
s4 - Mapped AD schema to existing FDS schema.
commit 1fc19ee7d0021e963923911bb440463aa79184fc
Author: Endi S. Dewata <edewata at redhat.com>
Date: Wed Oct 21 16:02:18 2009 -0500
s4:dsdb - Fixed attribute dereferencing for FDS
commit 7d38bb4e93f298a9edb11d5c7d3301029c94c326
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 30 09:03:10 2009 +1100
Remove special case logic in 'samdb_relative_path'.
While this logic (avoiding to prefix a non-filename with a path) is
important in the code this was copied from (private_dir()), none of
the callers of this function need it.
Andrew Bartlett
commit 1ac8ef155f9e41a3c68e8e34ad8a14fb6c6d0365
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 30 09:00:13 2009 +1100
s4:dsdb Revert back to using DN:filename in the partitions record
This allows us to change the escaping function without breaking
existing installs. The new escaping function (used for new databases)
is RFC1738 URI encoding, except for the trivial cases without special
characters.
The new databases are also placed in a subdirectory, sam.ldb.d per an
earlier suggestion by metze.
Andrew Bartlett
commit 7a290130bdeb411625f16451af3f2cfd25eeaf00
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 30 08:58:34 2009 +1100
lib/util Use rfc1738.c from Squid for all our URL encode/decode needs.
Andrew Bartlett
commit 87195f55de771546ea74c0ab06d882f900588099
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 29 17:09:49 2009 +1100
lib/util Add rfc1738 escape/unescape code from Squid
This is intended to replace our rfc1738_unescape(), and give us an
rfc1738_escape implementation (and hopefully is better tested and more
secure).
Andrew Bartlett
commit 609b831462d95bcb24b93453d62481d11e0ff53b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Oct 28 16:49:30 2009 +1100
s4:credentials Put the 'secrets.keytab' in the same directory as secrets.ldb
This avoids trouble when the secrets.ldb is updated with ldbedit but
an smb.conf is not specified.
Andrew Bartlett
commit 071275010ee6a6d39351ab68e2c6770fedfc4328
Author: Matthieu Patou <mat at matws.net>
Date: Tue Oct 27 15:31:40 2009 +0300
s4: Create a script for updating a running provision with change introduced since the initial provision
commit 3caaf6a84c9643aee9aef5f81caf010445d1952a
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date: Sat Oct 17 22:37:24 2009 +0200
s4:torture/raw/samba3misc - Add "discard_const_p" macro before a string
commit f1f1bdada637865fc5d5d1326d1ab64cd8fdaca4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 27 13:56:40 2009 +1100
s4:ldb Remove debug traces duplicated by the new generic trace code
-----------------------------------------------------------------------
Summary of changes:
lib/util/config.mk | 1 +
lib/util/rfc1738.c | 225 +++++
lib/util/util.c | 40 -
lib/util/util.h | 25 +
selftest/target/Samba4.pm | 14 +-
source3/Makefile.in | 2 +-
source4/auth/credentials/credentials_files.c | 4 +-
source4/dsdb/samdb/ldb_modules/config.mk | 4 +-
source4/dsdb/samdb/ldb_modules/extended_dn_out.c | 158 ++++-
source4/dsdb/samdb/ldb_modules/partition.h | 1 +
source4/dsdb/samdb/ldb_modules/partition_init.c | 147 +++-
source4/dsdb/samdb/ldb_modules/password_hash.c | 30 +-
source4/dsdb/samdb/ldb_modules/samldb.c | 29 +-
source4/dsdb/samdb/ldb_modules/simple_ldap_map.c | 187 ++++-
source4/dsdb/samdb/samdb.c | 3 -
source4/dsdb/schema/schema_convert_to_ol.c | 8 +
source4/lib/ldb-samba/ldif_handlers.c | 4 +-
source4/lib/ldb/modules/rdn_name.c | 3 -
source4/param/loadparm.c | 8 +
source4/param/param.h | 6 +
source4/scripting/bin/rebuildextendeddn | 3 +-
source4/scripting/bin/upgradeschema.py | 695 ++++++++++++++++
source4/scripting/python/samba/__init__.py | 29 +
source4/scripting/python/samba/provision.py | 862 +++-----------------
source4/scripting/python/samba/provisionbackend.py | 618 ++++++++++++++
source4/scripting/python/samba/schema.py | 140 ++++
source4/scripting/python/samba/tests/samdb.py | 15 +-
source4/setup/fedorads-dna.ldif | 18 +
source4/setup/fedorads-samba.ldif | 11 +
source4/setup/fedorads.inf | 6 +
source4/setup/provision | 2 +-
source4/setup/provision.smb.conf.dc | 1 +
source4/setup/provision.smb.conf.member | 1 +
source4/setup/provision.smb.conf.standalone | 1 +
source4/setup/schema-map-fedora-ds-1.0 | 65 ++-
source4/torture/raw/samba3misc.c | 2 +-
36 files changed, 2433 insertions(+), 935 deletions(-)
create mode 100644 lib/util/rfc1738.c
create mode 100755 source4/scripting/bin/upgradeschema.py
create mode 100644 source4/scripting/python/samba/provisionbackend.py
create mode 100644 source4/scripting/python/samba/schema.py
create mode 100644 source4/setup/fedorads-dna.ldif
Changeset truncated at 500 lines:
diff --git a/lib/util/config.mk b/lib/util/config.mk
index 9f33b0f..b612556 100644
--- a/lib/util/config.mk
+++ b/lib/util/config.mk
@@ -17,6 +17,7 @@ LIBSAMBA-UTIL_OBJ_FILES = $(addprefix $(libutilsrcdir)/, \
genrand.o \
dprintf.o \
util_str.o \
+ rfc1738.o \
substitute.o \
util_strlist.o \
util_file.o \
diff --git a/lib/util/rfc1738.c b/lib/util/rfc1738.c
new file mode 100644
index 0000000..1de3193
--- /dev/null
+++ b/lib/util/rfc1738.c
@@ -0,0 +1,225 @@
+/*
+ * NOTE:
+ *
+ * This file imported from the Squid project. The licence below is
+ * reproduced intact, but refers to files in Squid's repository, not
+ * in Samba. See COPYING for the GPLv3 notice (being the later
+ * version mentioned below).
+ *
+ * This file has also been modified, in particular to use talloc to
+ * allocate in rfc1738_escape()
+ *
+ * - Andrew Bartlett Oct-2009
+ *
+ */
+
+
+/*
+ * $Id$
+ *
+ * DEBUG:
+ * AUTHOR: Harvest Derived
+ *
+ * SQUID Web Proxy Cache http://www.squid-cache.org/
+ * ----------------------------------------------------------
+ *
+ * Squid is the result of efforts by numerous individuals from
+ * the Internet community; see the CONTRIBUTORS file for full
+ * details. Many organizations have provided support for Squid's
+ * development; see the SPONSORS file for full details. Squid is
+ * Copyrighted (C) 2001 by the Regents of the University of
+ * California; see the COPYRIGHT file for full details. Squid
+ * incorporates software developed and/or copyrighted by other
+ * sources; see the CREDITS file for full details.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
+ *
+ */
+
+#include "includes.h"
+
+#include "util.h"
+
+/*
+ * RFC 1738 defines that these characters should be escaped, as well
+ * any non-US-ASCII character or anything between 0x00 - 0x1F.
+ */
+static char rfc1738_unsafe_chars[] = {
+ (char) 0x3C, /* < */
+ (char) 0x3E, /* > */
+ (char) 0x22, /* " */
+ (char) 0x23, /* # */
+#if 0 /* done in code */
+ (char) 0x25, /* % */
+#endif
+ (char) 0x7B, /* { */
+ (char) 0x7D, /* } */
+ (char) 0x7C, /* | */
+ (char) 0x5C, /* \ */
+ (char) 0x5E, /* ^ */
+ (char) 0x7E, /* ~ */
+ (char) 0x5B, /* [ */
+ (char) 0x5D, /* ] */
+ (char) 0x60, /* ` */
+ (char) 0x27, /* ' */
+ (char) 0x20 /* space */
+};
+
+static char rfc1738_reserved_chars[] = {
+ (char) 0x3b, /* ; */
+ (char) 0x2f, /* / */
+ (char) 0x3f, /* ? */
+ (char) 0x3a, /* : */
+ (char) 0x40, /* @ */
+ (char) 0x3d, /* = */
+ (char) 0x26 /* & */
+};
+
+/*
+ * rfc1738_escape - Returns a static buffer contains the RFC 1738
+ * compliant, escaped version of the given url.
+ *
+ */
+static char *
+rfc1738_do_escape(TALLOC_CTX *mem_ctx, const char *url, int encode_reserved)
+{
+ size_t bufsize = 0;
+ const char *p;
+ char *buf;
+ char *q;
+ unsigned int i, do_escape;
+
+ bufsize = strlen(url) * 3 + 1;
+ buf = talloc_array(mem_ctx, char, bufsize);
+ if (!buf) {
+ return NULL;
+ }
+
+ talloc_set_name_const(buf, buf);
+ buf[0] = '\0';
+
+ for (p = url, q = buf; *p != '\0' && q < (buf + bufsize - 1); p++, q++) {
+ do_escape = 0;
+
+ /* RFC 1738 defines these chars as unsafe */
+ for (i = 0; i < sizeof(rfc1738_unsafe_chars); i++) {
+ if (*p == rfc1738_unsafe_chars[i]) {
+ do_escape = 1;
+ break;
+ }
+ }
+ /* Handle % separately */
+ if (encode_reserved >= 0 && *p == '%')
+ do_escape = 1;
+ /* RFC 1738 defines these chars as reserved */
+ for (i = 0; i < sizeof(rfc1738_reserved_chars) && encode_reserved > 0; i++) {
+ if (*p == rfc1738_reserved_chars[i]) {
+ do_escape = 1;
+ break;
+ }
+ }
+ /* RFC 1738 says any control chars (0x00-0x1F) are encoded */
+ if ((unsigned char) *p <= (unsigned char) 0x1F) {
+ do_escape = 1;
+ }
+ /* RFC 1738 says 0x7f is encoded */
+ if (*p == (char) 0x7F) {
+ do_escape = 1;
+ }
+ /* RFC 1738 says any non-US-ASCII are encoded */
+ if (((unsigned char) *p >= (unsigned char) 0x80)) {
+ do_escape = 1;
+ }
+ /* Do the triplet encoding, or just copy the char */
+ /* note: while we do not need snprintf here as q is appropriately
+ * allocated, Samba does to avoid our macro banning it -- abartlet */
+
+ if (do_escape == 1) {
+ (void) snprintf(q, 4, "%%%02X", (unsigned char) *p);
+ q += sizeof(char) * 2;
+ } else {
+ *q = *p;
+ }
+ }
+ *q = '\0';
+ return (buf);
+}
+
+/*
+ * rfc1738_escape - Returns a static buffer that contains the RFC
+ * 1738 compliant, escaped version of the given url. (escapes unsafe and % characters)
+ */
+char *
+rfc1738_escape(TALLOC_CTX *mem_ctx, const char *url)
+{
+ return rfc1738_do_escape(mem_ctx, url, 0);
+}
+
+/*
+ * rfc1738_escape_unescaped - Returns a static buffer that contains
+ * the RFC 1738 compliant, escaped version of the given url (escapes unsafe chars only)
+ */
+char *
+rfc1738_escape_unescaped(TALLOC_CTX *mem_ctx, const char *url)
+{
+ return rfc1738_do_escape(mem_ctx, url, -1);
+}
+
+/*
+ * rfc1738_escape_part - Returns a static buffer that contains the RFC
+ * 1738 compliant, escaped version of the given url segment. (escapes
+ * unsafe, reserved and % chars) It would mangle the :// in http://,
+ * and mangle paths (because of /).
+ */
+char *
+rfc1738_escape_part(TALLOC_CTX *mem_ctx, const char *url)
+{
+ return rfc1738_do_escape(mem_ctx, url, 1);
+}
+
+/*
+ * rfc1738_unescape() - Converts escaped characters (%xy numbers) in
+ * given the string. %% is a %. %ab is the 8-bit hexadecimal number "ab"
+ */
+_PUBLIC_ void
+rfc1738_unescape(char *s)
+{
+ char hexnum[3];
+ int i, j; /* i is write, j is read */
+ unsigned int x;
+ for (i = j = 0; s[j]; i++, j++) {
+ s[i] = s[j];
+ if (s[i] != '%')
+ continue;
+ if (s[j + 1] == '%') { /* %% case */
+ j++;
+ continue;
+ }
+ if (s[j + 1] && s[j + 2]) {
+ if (s[j + 1] == '0' && s[j + 2] == '0') { /* %00 case */
+ j += 2;
+ continue;
+ }
+ hexnum[0] = s[j + 1];
+ hexnum[1] = s[j + 2];
+ hexnum[2] = '\0';
+ if (1 == sscanf(hexnum, "%x", &x)) {
+ s[i] = (char) (0x0ff & x);
+ j += 2;
+ }
+ }
+ }
+ s[i] = '\0';
+}
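Review bot: rfc1738_unescape() never checks that the two characters after '%' are hex digits before calling sscanf(hexnum, "%x", &x). The %x conversion skips leading whitespace, accepts a sign, and still returns 1 when it stops at the first non-hex character, so sequences such as "%+f", "% f" or "%1g" decode to a byte and both characters are consumed by j += 2. The implementation being removed from lib/util/util.c range-checked each digit and left anything else alone; please keep that strictness, for example by testing s[j + 1] and s[j + 2] with isxdigit() and copying the '%' through unchanged when either fails. The "%00" branch also needs a decision: as written it keeps the '%' in the output and drops the "00", so "%00" becomes a bare "%". If the aim is to refuse embedded NULs, say so in the comment and either keep all three characters or drop all three. In rfc1738_do_escape(), strlen(url) * 3 + 1 is computed without an overflow check; harmless for the short names this is used on, but worth a guard if it becomes a general helper.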
diff --git a/lib/util/util.c b/lib/util/util.c
index fd0e6b8..67b166b 100644
--- a/lib/util/util.c
+++ b/lib/util/util.c
@@ -667,46 +667,6 @@ _PUBLIC_ char *hex_encode_talloc(TALLOC_CTX *mem_ctx, const unsigned char *buff_
}
/**
- Unescape a URL encoded string, in place.
-**/
-
-_PUBLIC_ void rfc1738_unescape(char *buf)
-{
- char *p=buf;
-
- while ((p=strchr(p,'+')))
- *p = ' ';
-
- p = buf;
-
- while (p && *p && (p=strchr(p,'%'))) {
- int c1 = p[1];
- int c2 = p[2];
-
- if (c1 >= '0' && c1 <= '9')
- c1 = c1 - '0';
- else if (c1 >= 'A' && c1 <= 'F')
- c1 = 10 + c1 - 'A';
- else if (c1 >= 'a' && c1 <= 'f')
- c1 = 10 + c1 - 'a';
- else {p++; continue;}
-
- if (c2 >= '0' && c2 <= '9')
- c2 = c2 - '0';
- else if (c2 >= 'A' && c2 <= 'F')
- c2 = 10 + c2 - 'A';
- else if (c2 >= 'a' && c2 <= 'f')
- c2 = 10 + c2 - 'a';
- else {p++; continue;}
-
- *p = (c1<<4) | c2;
-
- memmove(p+1, p+3, strlen(p+3)+1);
- p++;
- }
-}
-
-/**
varient of strcmp() that handles NULL ptrs
**/
_PUBLIC_ int strcmp_safe(const char *s1, const char *s2)
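Review bot: the rfc1738_unescape() removed here translated '+' to ' ' before decoding, and the replacement in lib/util/rfc1738.c does not, so any caller decoding form-style input silently changes behaviour. The two versions also disagree on "%%": the old code skipped the first '%' and carried on scanning from the second, while the new one collapses the pair into a single '%'. Nothing in the visible part of this changeset audits the existing callers or adds a test that pins the new semantics. Please list the callers in the commit message and say which behaviour each expects, or keep a thin wrapper that does the '+' translation for those that need it.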
diff --git a/lib/util/util.h b/lib/util/util.h
index c766e3d..159f812 100644
--- a/lib/util/util.h
+++ b/lib/util/util.h
@@ -307,6 +307,31 @@ _PUBLIC_ void all_string_sub(char *s,const char *pattern,const char *insert, siz
**/
_PUBLIC_ void rfc1738_unescape(char *buf);
+
+/**
+ * rfc1738_escape
+ * Returns a static buffer that contains the RFC
+ * 1738 compliant, escaped version of the given url. (escapes unsafe and % characters)
+ **/
+_PUBLIC_ char *rfc1738_escape(TALLOC_CTX *mem_ctx, const char *url);
+
+/**
+ * rfc1738_escape_unescaped
+ *
+ * Returns a static buffer that contains
+ * the RFC 1738 compliant, escaped version of the given url (escapes unsafe chars only)
+ **/
+_PUBLIC_ char *rfc1738_escape_unescaped(TALLOC_CTX *mem_ctx, const char *url);
+
+/**
+ * rfc1738_escape_part
+ * Returns a static buffer that contains the RFC
+ * 1738 compliant, escaped version of the given url segment. (escapes
+ * unsafe, reserved and % chars) It would mangle the :// in http://,
+ * and mangle paths (because of /).
+ **/
+_PUBLIC_ char *rfc1738_escape_part(TALLOC_CTX *mem_ctx, const char *url);
+
/**
format a string into length-prefixed dotted domain format, as used in NBT
and in some ADS structures
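Review bot: the three new doc comments say "Returns a static buffer", but each prototype takes a TALLOC_CTX and rfc1738_do_escape() returns memory from talloc_array(mem_ctx, ...). Please document that the result is allocated on mem_ctx, that the caller owns it, and that NULL is returned on allocation failure. The same stale wording sits above the function definitions in lib/util/rfc1738.c. The existing rfc1738_unescape() declaration would also benefit from a line describing the new "%%" and "%00" handling, since it now differs from what callers had before.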
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index db2793e..f178849 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -471,6 +471,7 @@ sub provision_raw_prepare($$$$$$$)
$ctx->{realm} = "SAMBA.EXAMPLE.COM";
$ctx->{dnsname} = "samba.example.com";
$ctx->{basedn} = "dc=samba,dc=example,dc=com";
+ $ctx->{sid_generator} = "internal";
my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `whoami`);
chomp $unix_name;
@@ -578,7 +579,14 @@ sub provision_raw_step1($$)
#We don't want to pass our self-tests if the PAC code is wrong
gensec:require_pac = true
log level = $ctx->{server_loglevel}
- lanman auth = Yes
+ lanman auth = Yes";
+
+ if (defined($ctx->{sid_generator}) && $ctx->{sid_generator} ne "internal") {
+ print CONFFILE "
+ sid generator = $ctx->{sid_generator}";
+ }
+
+ print CONFFILE "
# Begin extra options
$ctx->{smb_conf_extra_options}
@@ -778,6 +786,10 @@ sub provision($$$$$$$)
$ldap_uri =~ s|/|%2F|g;
$ldap_uri = "ldapi://$ldap_uri";
$ctx->{ldap_uri} = $ldap_uri;
+
+ if ($self->{ldap} eq "fedora-ds") {
+ $ctx->{sid_generator} = "backend";
+ }
}
my $ret = $self->provision_raw_step1($ctx);
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 74a6c0b..cb10a7c 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -371,7 +371,7 @@ UTIL_OBJ = ../lib/util/rbtree.o ../lib/util/signal.o ../lib/util/time.o \
../lib/util/become_daemon.o ../lib/util/system.o \
../lib/util/tevent_unix.o ../lib/util/tevent_ntstatus.o \
../lib/util/smb_threads.o ../lib/util/util_id.o \
- ../lib/util/blocking.o
+ ../lib/util/blocking.o ../lib/util/rfc1738.o
CRYPTO_OBJ = ../lib/crypto/crc32.o ../lib/crypto/md5.o \
../lib/crypto/hmacmd5.o ../lib/crypto/arcfour.o \
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 42e8ea0..8036e48 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -33,6 +33,8 @@
#include "auth/credentials/credentials_proto.h"
#include "param/param.h"
#include "lib/events/events.h"
+#include "dsdb/samdb/samdb.h"
+
/**
* Read a file descriptor, and parse it for a password (eg from a file or stdin)
@@ -323,7 +325,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
} else {
keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL);
if (keytab) {
- keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, lp_ctx, keytab));
+ keytab = talloc_asprintf(mem_ctx, "FILE:%s", samdb_relative_path(ldb, mem_ctx, keytab));
if (keytab) {
cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED);
}
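Review bot: the result of samdb_relative_path(ldb, mem_ctx, keytab) is passed straight into the "%s" of talloc_asprintf() with no NULL check, so a failure inside it would either produce a keytab name like "FILE:(null)" or be undefined behaviour, depending on the printf implementation. The intermediate string is also left on mem_ctx rather than freed once the "FILE:" name has been built. Suggest assigning it to a local, returning an error if it is NULL, and freeing it after the talloc_asprintf(). Since privateKeytab comes from the secrets record and ends up as a file path, a short comment stating that it is now resolved relative to the secrets.ldb location rather than the private dir would help whoever next edits the record by hand.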
diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk
index c75e4a6..93c248b 100644
--- a/source4/dsdb/samdb/ldb_modules/config.mk
+++ b/source4/dsdb/samdb/ldb_modules/config.mk
@@ -208,9 +208,9 @@ ldb_extended_dn_in_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/extended_dn_in.o
[MODULE::ldb_extended_dn_out]
SUBSYSTEM = LIBLDB
PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LIBNDR LIBSAMBA-UTIL SAMDB
-INIT_FUNCTION = LDB_MODULE(extended_dn_out_ldb),LDB_MODULE(extended_dn_out_dereference)
+INIT_FUNCTION = LDB_MODULE(extended_dn_out_ldb),LDB_MODULE(extended_dn_out_openldap),LDB_MODULE(extended_dn_out_fds)
ENABLE = YES
-ALIASES = extended_dn_out_ldb extended_dn_out_dereference
+ALIASES = extended_dn_out_ldb extended_dn_out_openldap extended_dn_out_fds
# End MODULE ldb_extended_dn_out
################################################
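Review bot: the ALIASES line drops extended_dn_out_dereference without leaving a compatibility alias, so an existing install whose module list still names extended_dn_out_dereference will no longer find that module after upgrading. Either keep the old name as an alias of extended_dn_out_openldap for a release, or state in the commit message that LDAP-backend installs must be re-provisioned or have their module list rewritten.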
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
index bb5e379..cbbf8c6 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
@@ -35,7 +35,9 @@
#include "ldb/include/ldb.h"
#include "ldb/include/ldb_errors.h"
#include "ldb/include/ldb_module.h"
+#include "libcli/security/dom_sid.h"
#include "librpc/gen_ndr/ndr_misc.h"
+#include "librpc/gen_ndr/ndr_security.h"
#include "librpc/ndr/libndr.h"
#include "dsdb/samdb/samdb.h"
@@ -172,7 +174,7 @@ static int inject_extended_dn_out(struct ldb_reply *ares,
return LDB_SUCCESS;
}
-static int handle_dereference(struct ldb_dn *dn,
+static int handle_dereference_openldap(struct ldb_dn *dn,
struct dsdb_openldap_dereference_result **dereference_attrs,
const char *attr, const DATA_BLOB *val)
{
@@ -228,6 +230,81 @@ static int handle_dereference(struct ldb_dn *dn,
return LDB_SUCCESS;
}
+static int handle_dereference_fds(struct ldb_dn *dn,
+ struct dsdb_openldap_dereference_result **dereference_attrs,
+ const char *attr, const DATA_BLOB *val)
+{
+ const struct ldb_val *nsUniqueIdBlob, *sidBlob;
+ struct ldb_message fake_msg; /* easier to use routines that expect an ldb_message */
+ int j;
+
+ fake_msg.num_elements = 0;
+
+ /* Look for this attribute in the returned control */
+ for (j = 0; dereference_attrs && dereference_attrs[j]; j++) {
+ struct ldb_val source_dn = data_blob_string_const(dereference_attrs[j]->dereferenced_dn);
+ if (ldb_attr_cmp(dereference_attrs[j]->source_attribute, attr) == 0
+ && data_blob_cmp(&source_dn, val) == 0) {
+ fake_msg.num_elements = dereference_attrs[j]->num_attributes;
+ fake_msg.elements = dereference_attrs[j]->attributes;
+ break;
+ }
+ }
+ if (!fake_msg.num_elements) {
+ return LDB_SUCCESS;
+ }
+
+ /* Look for the nsUniqueId */
+
+ nsUniqueIdBlob = ldb_msg_find_ldb_val(&fake_msg, "nsUniqueId");
+ if (nsUniqueIdBlob) {
+ NTSTATUS status;
+ enum ndr_err_code ndr_err;
+
+ struct ldb_val guid_blob;
+ struct GUID guid;
+
+ status = NS_GUID_from_string((char *)nsUniqueIdBlob->data, &guid);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+ ndr_err = ndr_push_struct_blob(&guid_blob, NULL, NULL, &guid,
+ (ndr_push_flags_fn_t)ndr_push_GUID);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+
+ ldb_dn_set_extended_component(dn, "GUID", &guid_blob);
+ }
+
+ /* Look for the objectSID */
+
+ sidBlob = ldb_msg_find_ldb_val(&fake_msg, "sambaSID");
+ if (sidBlob) {
+ enum ndr_err_code ndr_err;
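Review bot: in handle_dereference_fds(), ndr_push_struct_blob(&guid_blob, NULL, NULL, &guid, ...) passes NULL where the memory context goes, and the return value of ldb_dn_set_extended_component(dn, "GUID", &guid_blob) is ignored. In the visible part of the hunk nothing frees guid_blob, so each dereferenced value appears to leave an allocation on the NULL context, and a failure to attach the GUID is silently dropped. Suggest allocating on a context tied to dn or the request, checking the return code, and freeing the blob afterwards. Also, NS_GUID_from_string((char *)nsUniqueIdBlob->data, &guid) treats backend-supplied data as a NUL-terminated string and ignores nsUniqueIdBlob->length; please bound the parse by the length. The attribute lookup loop is a copy of the one in handle_dereference_openldap() and could be shared. The changeset is truncated here, so the sambaSID branch is not reviewed.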
--
Samba Shared Repository