[SCM] Samba Shared Repository - branch master updated

Anatoliy Atanasov anatoliy at samba.org
Thu Apr 29 02:06:59 MDT 2010


The branch, master has been updated
       via  dbbbc7d... s4/rodc: RODC FAS initial implementation
      from  5a4ee75... s4/tort: Add simple unit test for dsdb_schema_info object creation

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit dbbbc7d1f8a86bd0535c46f50fae8223c26afd9a
Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
Date:   Mon Apr 26 09:56:59 2010 +0300

    s4/rodc: RODC FAS initial implementation

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/common/util.c                       |   28 ++++++++++++++++++++++
 source4/dsdb/samdb/ldb_modules/extended_dn_out.c |   13 +---------
 source4/dsdb/samdb/ldb_modules/util.c            |   12 +++++++++
 source4/rpc_server/drsuapi/getncchanges.c        |   21 ++++++++--------
 4 files changed, 51 insertions(+), 23 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 42619b9..e4e55fc 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -41,6 +41,7 @@
 #include "lib/util/tsort.h"
 #include "dsdb/common/util.h"
 #include "lib/socket/socket.h"
+#include "dsdb/samdb/ldb_modules/util.h"
 
 /*
   search the sam for the specified attributes in a specific domain, filter on
@@ -3752,3 +3753,30 @@ int dsdb_validate_dsa_guid(struct ldb_context *ldb,
 	talloc_free(tmp_ctx);
 	return LDB_SUCCESS;
 }
+
+const char *rodc_fas_list[] = {"ms-PKI-DPAPIMasterKeys",
+			       "ms-PKI-AccountCredentials",
+			       "ms-PKI-RoamingTimeStamp",
+			       "ms-FVE-KeyPackage",
+			       "ms-FVE-RecoveryGuid",
+			       "ms-FVE-RecoveryInformation",
+			       "ms-FVE-RecoveryPassword",
+			       "ms-FVE-VolumeGuid",
+			       "ms-TPM-OwnerInformation",
+			       NULL};
+/*
+  check if the attribute belongs to the RODC filtered attribute set
+*/
+bool dsdb_attr_in_rodc_fas(uint32_t replica_flags, const struct dsdb_attribute *sa)
+{
+	int rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
+	bool drs_write_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);
+
+	if (drs_write_replica && (sa->searchFlags & rodc_filtered_flags)) {
+		return true;
+	}
+	if (drs_write_replica && is_attr_in_list(rodc_fas_list, sa->cn)) {
+		return true;
+	}
+	return false;
+}
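Review bot: `drs_write_replica` on the second line of `dsdb_attr_in_rodc_fas` is true when `DRSUAPI_DRS_WRIT_REP` is *clear*, i.e. when the recipient is not a writable replica, so the name says the opposite of what the value means and the two `if` branches read as if filtering applied to writable DCs; rename it, e.g. `bool rodc_recipient = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);`, and collapse the checks to `return rodc_recipient && ((sa->searchFlags & rodc_filtered_flags) || is_attr_in_list(rodc_fas_list, sa->cn));`. `rodc_fas_list` is also defined as a non-static array of mutable pointers with external linkage and no declaration visible in this changeset; unless another translation unit needs it, `static const char * const rodc_fas_list[] = {...}` keeps the set of secret-bearing attributes read-only and out of the global namespace. The header comment could state the contract: "Returns true when `sa` must be withheld from the recipient, which is the case only when the recipient lacks DRSUAPI_DRS_WRIT_REP (an RODC) and the attribute is either marked RODC-filtered/confidential in its searchFlags or listed in rodc_fas_list by CN."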
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
index f28ad8e..39af870 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
@@ -40,6 +40,7 @@
 #include "librpc/gen_ndr/ndr_security.h"
 #include "librpc/ndr/libndr.h"
 #include "dsdb/samdb/samdb.h"
+#include "util.h"
 
 struct extended_dn_out_private {
 	bool dereference;
@@ -47,18 +48,6 @@ struct extended_dn_out_private {
 	struct dsdb_openldap_dereference_control *dereference_control;
 };
 
-static bool is_attr_in_list(const char * const * attrs, const char *attr)
-{
-	unsigned int i;
-
-	for (i = 0; attrs[i]; i++) {
-		if (ldb_attr_cmp(attrs[i], attr) == 0)
-			return true;
-	}
-
-	return false;
-}
-
 static char **copy_attrs(void *mem_ctx, const char * const * attrs)
 {
 	char **nattrs;
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 7913ac8..18631c4 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -826,3 +826,15 @@ int dsdb_recyclebin_enabled(struct ldb_module *module, bool *enabled)
 	talloc_free(partitions_dn);
 	return LDB_SUCCESS;
 }
+
+bool is_attr_in_list(const char * const * attrs, const char *attr)
+{
+	unsigned int i;
+
+	for (i = 0; attrs[i]; i++) {
+		if (ldb_attr_cmp(attrs[i], attr) == 0)
+			return true;
+	}
+
+	return false;
+}
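Review bot: `is_attr_in_list` is promoted from a file-local helper to an exported symbol of ldb_modules/util.c but gains no documentation of its contract; add a header comment such as "Return true if `attr` names an entry of the NULL-terminated array `attrs`, comparing with ldb_attr_cmp; `attrs` must not be NULL." Since callers outside this file now depend on it, the unbraced single-statement `if` inside the loop should also be braced to match the surrounding style, `if (ldb_attr_cmp(attrs[i], attr) == 0) { return true; }`.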
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index df8305e..354ebf0 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -105,7 +105,6 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
 	const char *rdn;
 	const struct dsdb_attribute *rdn_sa;
 	unsigned int instanceType;
-	int rodc_filtered_flags;
 
 	instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType", 0);
 	if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
@@ -206,19 +205,19 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
 			continue;
 		}
 
-		/* if the recipient is a RODC, then we should not add any
-		* RODC filtered attribute */
-		/* TODO: This is not strictly correct, as it doesn't allow for administrators
-		   to setup some users to transfer passwords to specific RODCs. To support that
-		   we would instead remove this check and rely on extended ACL checking in the dsdb
-		   acl module. */
-		rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
-		if ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0 &&
-		    (sa->searchFlags & rodc_filtered_flags)) {
+		/*
+		 * If the recipient is a RODC, then we should not add any
+		 * RODC filtered attribute
+		 *
+		 * TODO: This is not strictly correct, as it doesn't allow for administrators
+		 * to setup some users to transfer passwords to specific RODCs. To support that
+		 * we would instead remove this check and rely on extended ACL checking in the dsdb
+		 * acl module.
+		 */
+		if (dsdb_attr_in_rodc_fas(replica_flags, sa)) {
 			continue;
 		}
 
-
 		obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time;
 		obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version;
 		obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id;
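Review bot: The nine-line policy comment kept in front of the new `dsdb_attr_in_rodc_fas(replica_flags, sa)` call describes logic that no longer lives here, so the TODO about per-RODC password transfer and ACL-based checking will drift away from the code it concerns; move that TODO to the helper's definition in dsdb/common/util.c and leave a one-line pointer at this call site, e.g. `/* RODC recipients never receive filtered-attribute-set members; see dsdb_attr_in_rodc_fas() */`. `get_nc_changes_build_object` begins before and continues after this hunk, so I cannot see how `replica_flags` is derived from the request for this call.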

