[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-555-g8fd6ce6
Andrew Tridgell
tridge at samba.org
Sat Sep 19 19:42:52 MDT 2009
The branch, master has been updated
via 8fd6ce613a4c1b35e1c1435bdd99af96de1d6bdf (commit)
via ad53c34b6bf7fe0cc51f687ecc46253ea960a089 (commit)
via 663fe5530fbfc612ddfdb2579f0d49211455009b (commit)
via 0b68967096b77909c2b83e178f7b20396e1e4c1e (commit)
via 6e56261eb7d417b488da2d3b051fb8284abb3fbd (commit)
from 2b5d1dfe6be0ba586d4af54f4b5ccd478ff4db77 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8fd6ce613a4c1b35e1c1435bdd99af96de1d6bdf
Author: Andrew Tridgell <tridge at samba.org>
Date: Sat Sep 19 18:41:22 2009 -0700
s4-ldb: display an error if we can't decode a NDR blob
commit ad53c34b6bf7fe0cc51f687ecc46253ea960a089
Author: Andrew Tridgell <tridge at samba.org>
Date: Sat Sep 19 15:53:22 2009 -0700
s4-repl: need param.h for lp_parm_bool
commit 663fe5530fbfc612ddfdb2579f0d49211455009b
Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
Date: Fri Sep 11 18:57:34 2009 +0300
Handle dsdb_class_by_lDAPDisplayName returned values in schema_inferiors.c
commit 0b68967096b77909c2b83e178f7b20396e1e4c1e
Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
Date: Mon Sep 14 11:46:59 2009 -0700
Move replmd_drsuapi_DsReplicaCursor2_compare to a common place.
commit 6e56261eb7d417b488da2d3b051fb8284abb3fbd
Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
Date: Sat Sep 19 15:08:19 2009 -0700
Add drs_security_level_check for security checks in dcesrv calls
There is also an option to disable the security check
by specifying in the smb.conf file:
drs:disable_sec_check = true
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/common/util.c | 6 ++++++
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 8 +-------
source4/dsdb/schema/schema_inferiors.c | 8 ++++++++
source4/lib/ldb-samba/ldif_handlers.c | 4 +++-
source4/rpc_server/drsuapi/addentry.c | 7 +++----
source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 18 ++++++++++--------
source4/rpc_server/drsuapi/dcesrv_drsuapi.h | 2 ++
source4/rpc_server/drsuapi/drsutil.c | 16 ++++++++++++++++
source4/rpc_server/drsuapi/getncchanges.c | 15 ++++-----------
source4/rpc_server/drsuapi/updaterefs.c | 7 +++----
10 files changed, 56 insertions(+), 35 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 633279e..39fdfe9 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -2411,3 +2411,9 @@ again:
return ret;
}
+
+int drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1,
+ const struct drsuapi_DsReplicaCursor2 *c2)
+{
+ return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
+}
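Review bot: drsuapi_DsReplicaCursor2_compare is defined with struct-typed parameters and then handed to qsort through a `(comparison_fn_t)` cast at both call sites (the repl_meta_data.c and getncchanges.c hunks); calling a function through a pointer of an incompatible type is undefined behaviour in C even where it happens to work on the platform ABI. Now that the helper is shared and non-static, give it the `const void *` signature qsort expects and do the conversion inside, which lets the call sites drop the cast. It also has no header comment; as an exported function it should state that it orders cursors by source_dsa_invocation_id only.
```c
/*
 * qsort() comparator for arrays of struct drsuapi_DsReplicaCursor2.
 * Orders cursors by source_dsa_invocation_id only (GUID_compare order);
 * the remaining cursor fields do not take part in the comparison.
 */
int drsuapi_DsReplicaCursor2_compare(const void *a, const void *b)
{
	const struct drsuapi_DsReplicaCursor2 *c1 = a;
	const struct drsuapi_DsReplicaCursor2 *c2 = b;

	return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
}
```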
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 283bdf7..fa8bd64 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -1543,12 +1543,6 @@ static int replmd_replicated_uptodate_modify_callback(struct ldb_request *req,
return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
}
-static int replmd_drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1,
- const struct drsuapi_DsReplicaCursor2 *c2)
-{
- return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
-}
-
static int replmd_replicated_uptodate_modify(struct replmd_replicated_request *ar)
{
struct ldb_context *ldb;
@@ -1703,7 +1697,7 @@ static int replmd_replicated_uptodate_modify(struct replmd_replicated_request *a
*/
qsort(nuv.ctr.ctr2.cursors, nuv.ctr.ctr2.count,
sizeof(struct drsuapi_DsReplicaCursor2),
- (comparison_fn_t)replmd_drsuapi_DsReplicaCursor2_compare);
+ (comparison_fn_t)drsuapi_DsReplicaCursor2_compare);
/*
* create the change ldb_message
diff --git a/source4/dsdb/schema/schema_inferiors.c b/source4/dsdb/schema/schema_inferiors.c
index 493b425..b02d557 100644
--- a/source4/dsdb/schema/schema_inferiors.c
+++ b/source4/dsdb/schema/schema_inferiors.c
@@ -82,6 +82,10 @@ static char **schema_subclasses(struct dsdb_schema *schema, TALLOC_CTX *mem_ctx,
for (i=0; oclist && oclist[i]; i++) {
struct dsdb_class *schema_class = dsdb_class_by_lDAPDisplayName(schema, oclist[i]);
+ if (!schema_class) {
+ DEBUG(0, ("ERROR: Unable to locate subClass: '%s'\n", oclist[i]));
+ continue;
+ }
list = str_list_append_const(list, schema_class->subclasses);
}
return list;
@@ -104,6 +108,10 @@ static char **schema_posssuperiors(struct dsdb_schema *schema,
list3 = schema_supclasses(schema, schema_class);
for (i=0; list3 && list3[i]; i++) {
struct dsdb_class *class2 = dsdb_class_by_lDAPDisplayName(schema, list3[i]);
+ if (!class2) {
+ DEBUG(0, ("ERROR: Unable to locate supClass: '%s'\n", list3[i]));
+ continue;
+ }
list2 = str_list_append_const(list2, schema_posssuperiors(schema, class2));
}
list2 = str_list_append_const(list2, schema_subclasses(schema, list2, list2));
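Review bot: The new guard in schema_subclasses logs at DEBUG level 0 and then drops the unresolved class from the list, so callers receive a shorter list with no signal that the schema is inconsistent; the same applies to the second hunk in schema_posssuperiors. A one-line comment on each `continue`, such as `/* tolerate a dangling class reference; the returned list is incomplete */`, would make the deliberate skip explicit for the next reader. Both enclosing functions begin outside the hunks, so whether any caller can distinguish an incomplete list from a complete one cannot be confirmed from here.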
diff --git a/source4/lib/ldb-samba/ldif_handlers.c b/source4/lib/ldb-samba/ldif_handlers.c
index 5a60a37..d1bdd95 100644
--- a/source4/lib/ldb-samba/ldif_handlers.c
+++ b/source4/lib/ldb-samba/ldif_handlers.c
@@ -54,7 +54,9 @@ static int ldif_write_NDR(struct ldb_context *ldb, void *mem_ctx,
p, pull_fn);
if (err != NDR_ERR_SUCCESS) {
talloc_free(p);
- return ldb_handler_copy(ldb, mem_ctx, in, out);
+ out->data = (uint8_t *)talloc_strdup(mem_ctx, "<Unable to decode binary data>");
+ out->length = strlen((const char *)out->data);
+ return 0;
}
out->data = (uint8_t *)ndr_print_struct_string(mem_ctx, print_fn, "NDR", p);
talloc_free(p);
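Review bot: The talloc_strdup result assigned to out->data on the new line is passed straight to strlen, so an allocation failure inside this error path dereferences NULL; add `if (out->data == NULL) { return -1; }` before the strlen (ldb handlers appear to use -1 for failure, as ldb_handler_copy does — confirm against the other handlers in this file). Separately, the placeholder replaces the previous raw-copy fallback, so a value that fails NDR decoding is no longer written out verbatim; any path that reads LDIF produced by this handler back in (an edit/reload cycle) would now see the literal marker rather than the original bytes, which deserves a comment on the branch such as `/* not round-trippable: undecodable blobs are rendered as a marker string */`. ldif_write_NDR starts outside the hunk.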
diff --git a/source4/rpc_server/drsuapi/addentry.c b/source4/rpc_server/drsuapi/addentry.c
index 25f2aaa..74de772 100644
--- a/source4/rpc_server/drsuapi/addentry.c
+++ b/source4/rpc_server/drsuapi/addentry.c
@@ -151,10 +151,9 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
b_state = h->data;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsAddEntry refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ status = drs_security_level_check(dce_call, "DsAddEntry");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
switch (r->in.level) {
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index f96c4c0..9903f08 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -228,15 +228,17 @@ static WERROR dcesrv_drsuapi_DsUnbind(struct dcesrv_call_state *dce_call, TALLOC
static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaSync *r)
{
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsReplicaSync refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ WERROR status;
+
+ status = drs_security_level_check(dce_call, "DsReplicaSync");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSREPLICASYNC,
&ndr_table_drsuapi,
"dreplsrv", "DsReplicaSync");
+
return WERR_OK;
}
@@ -453,14 +455,14 @@ static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct dcesrv_call_state *dce_call
struct ldb_dn *ntds_dn;
int ret;
bool ok;
+ WERROR status;
ZERO_STRUCT(r->out.res);
*r->out.level_out = 1;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsRemoveDSServer refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ status = drs_security_level_check(dce_call, "DsRemoveDSServer");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
index 3f69a3f..6852033 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
@@ -56,3 +56,5 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
const char * const *attrs,
const char *format, ...) PRINTF_ATTRIBUTE(7,8);
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
+ const char* call);
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index 305e298..54bcdab 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -24,6 +24,8 @@
#include "dsdb/samdb/samdb.h"
#include "libcli/security/dom_sid.h"
#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "libcli/security/security.h"
+#include "param/param.h"
/*
format a drsuapi_DsReplicaObjectIdentifier naming context as a string
@@ -101,3 +103,17 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
return ret;
}
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call)
+{
+ if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", true)) {
+ return WERR_OK;
+ }
+
+ if (security_session_user_level(dce_call->conn->auth_state.session_info) <
+ SECURITY_DOMAIN_CONTROLLER) {
+ DEBUG(0,("DsReplicaGetInfo refused for security token\n"));
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+
+ return WERR_OK;
+}
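Review bot: The lp_parm_bool default on the disable_sec_check line is `true`, so the SECURITY_DOMAIN_CONTROLLER level check is skipped unless an administrator explicitly sets `drs:disable_sec_check = false`; the commit message presents the option as something set to `true` to disable the check, and every caller converted in this commit (addentry.c, the two dcesrv_drsuapi.c hunks, getncchanges.c, updaterefs.c) now relies on this helper, so the default leaves those DRS calls unprotected out of the box. The default should be `false`: `if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", false)) {`. The refusal message also hard-codes "DsReplicaGetInfo" while the `call` parameter is never used; `DEBUG(0,("%s refused for security token\n", call));` makes the log name the call that was actually denied. A short header comment stating that the helper returns WERR_DS_DRA_ACCESS_DENIED for sessions below SECURITY_DOMAIN_CONTROLLER and that the smb.conf parameter exists only for testing would help the next reader.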
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 52d751b..8538ea8 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -162,12 +162,6 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
return WERR_OK;
}
-static int replmd_drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1,
- const struct drsuapi_DsReplicaCursor2 *c2)
-{
- return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
-}
-
/*
load replUpToDateVector from a DN
*/
@@ -252,7 +246,7 @@ static WERROR get_nc_changes_udv(struct ldb_context *sam_ctx,
qsort(udv->cursors, udv->count,
sizeof(struct drsuapi_DsReplicaCursor2),
- (comparison_fn_t)replmd_drsuapi_DsReplicaCursor2_compare);
+ (comparison_fn_t)drsuapi_DsReplicaCursor2_compare);
return WERR_OK;
}
@@ -301,10 +295,9 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
return WERR_DS_DRA_BAD_NC;
}
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("getncchanges refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ werr = drs_security_level_check(dce_call, "DsGetNCChanges");
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
}
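Review bot: The access check runs after the naming-context validation that returns WERR_DS_DRA_BAD_NC two lines above it, so a caller below SECURITY_DOMAIN_CONTROLLER receives a different error depending on whether the requested NC exists, and request parsing happens before authorization; moving the `werr = drs_security_level_check(dce_call, "DsGetNCChanges");` call ahead of the NC lookup would make the check the first thing the handler does, as the updaterefs.c hunk appears to do for DsReplicaUpdateRefs. dcesrv_drsuapi_DsGetNCChanges starts outside the hunk, so whether earlier code also depends on the caller's level cannot be confirmed from here.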
/*
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index 6e97024..e12be6f 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -105,10 +105,9 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
WERROR werr;
struct ldb_dn *dn;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsReplicaUpdateRefs refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs");
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
}
if (r->in.level != 1) {