[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Sun May 9 05:22:12 MDT 2010
The branch, master has been updated
via 6dfa851... s4:dsdb Provide an intelegent fallback if not CN=Subnets is found
via 23cafd5... buildtools: Add 'make testenv' to Samba4 make targets
via 435ce8e... dsdb/password_hash: remove usage of msDs-KeyVersionNumber
via 7b11ce7... s4:dsdb Use replPropertyMetaData as the basis for msDS-KeyVersionNumber
from f1974fb... librpc:dcerpc_error.c - fix a warning
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 6dfa851ce95b372c6c4bdd7a6c07c1ee183d1f7a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri May 7 22:43:36 2010 +1000
s4:dsdb Provide an intelegent fallback if not CN=Subnets is found
We may as well fall back rather than return NULL (which callers don't
do useful things with).
Andrew Bartlett
commit 23cafd5569729fe15f0c390cf5a276945662d8e8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri May 7 21:09:40 2010 +1000
buildtools: Add 'make testenv' to Samba4 make targets
I'm still too addicted to this as my standard debugging environment, and while I can learn the new command, this helps the muscle-memory.
Andrew Bartlett
commit 435ce8ebd7122a4a2d166acef6a83c21b7bd11a0
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat May 8 00:59:12 2010 +0200
dsdb/password_hash: remove usage of msDs-KeyVersionNumber
metze
commit 7b11ce738dbc94516350e1e64116be6bedd3b001
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri May 7 21:56:15 2010 +1000
s4:dsdb Use replPropertyMetaData as the basis for msDS-KeyVersionNumber
This means that the existing kvno will no longer be valid, all
unix-based domain members may need to be rejoined, and
upgradeprovision run to update the local kvno in
secrets.ldb/secrets.keytab.
This is required to match the algorithm used by Windows DCs, which we
may be replicating with. We also need to find a way to generate a
reasonable kvno with the OpenLDAP backend.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
buildtools/scripts/Makefile.waf | 3 +
source4/dsdb/common/util.c | 10 ++-
source4/dsdb/samdb/ldb_modules/operational.c | 86 +++++++++++++++++++++---
source4/dsdb/samdb/ldb_modules/password_hash.c | 38 +----------
4 files changed, 87 insertions(+), 50 deletions(-)
Changeset truncated at 500 lines:
diff --git a/buildtools/scripts/Makefile.waf b/buildtools/scripts/Makefile.waf
index 5af4fd4..045d241 100644
--- a/buildtools/scripts/Makefile.waf
+++ b/buildtools/scripts/Makefile.waf
@@ -14,6 +14,9 @@ uninstall:
test:
$(WAF) test
+testenv:
+ $(WAF) test --testenv
+
quicktest:
$(WAF) test --quick
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 7064fcf..40f0a7f 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1607,7 +1607,7 @@ const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
const struct ldb_val *val;
const char *site_name = NULL, *l_subnet_name = NULL;
const char *allow_list[2] = { NULL, NULL };
- unsigned int i;
+ unsigned int i, count;
int cnt, ret;
/*
@@ -1632,13 +1632,17 @@ const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
ret = ldb_search(ldb, mem_ctx, &res, subnets_dn, LDB_SCOPE_ONELEVEL,
attrs, NULL);
- if (ret != LDB_SUCCESS) {
+ if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+ count = 0;
+ } else if (ret != LDB_SUCCESS) {
talloc_free(sites_container_dn);
talloc_free(subnets_dn);
return NULL;
+ } else {
+ count = res->count;
}
- for (i = 0; i < res->count; i++) {
+ for (i = 0; i < count; i++) {
l_subnet_name = ldb_msg_find_attr_as_string(res->msgs[i], "cn",
NULL);
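Review bot: In the new LDB_ERR_NO_SUCH_OBJECT branch only `count` is reset, while `res` is left holding whatever ldb_search() wrote on the failure path; if `res` is not initialised at its declaration (above this hunk), any later `talloc_free(res)` or use of `res` after the loop is undefined behaviour. Make the branch self-contained, `count = 0; res = NULL;`, so the fallback path is safe regardless of what the rest of the function does with `res`. samdb_client_site_name() begins before and continues after this hunk, so the actual fallback this commit adds is not visible here.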
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index bc2afa2..34d4257 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -68,6 +68,7 @@
#include "ldb_module.h"
#include "librpc/gen_ndr/ndr_misc.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "param/param.h"
#include "dsdb/samdb/samdb.h"
#include "dsdb/samdb/ldb_modules/util.h"
@@ -437,6 +438,62 @@ static int construct_msds_isrodc(struct ldb_module *module, struct ldb_message *
return LDB_SUCCESS;
}
+
+/*
+ construct msDS-keyVersionNumber attr
+
+ TODO: Make this based on the 'win2k' DS huristics bit...
+
+*/
+static int construct_msds_keyversionnumber(struct ldb_module *module, struct ldb_message *msg)
+{
+ uint32_t i;
+ enum ndr_err_code ndr_err;
+ const struct ldb_val *omd_value;
+ struct replPropertyMetaDataBlob *omd;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+
+ omd_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
+ if (!omd_value) {
+ /* We can't make up a key version number without meta data */
+ return LDB_SUCCESS;
+ }
+ if (!omd_value) {
+ return LDB_SUCCESS;
+ }
+
+ omd = talloc(msg, struct replPropertyMetaDataBlob);
+ if (!omd) {
+ ldb_module_oom(module);
+ return LDB_SUCCESS;
+ }
+
+ ndr_err = ndr_pull_struct_blob(omd_value, omd,
+ lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
+ omd,
+ (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DEBUG(0,(__location__ ": Failed to parse replPropertyMetaData for %s when trying to add msDS-KeyVersionNumber\n",
+ ldb_dn_get_linearized(msg->dn)));
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ if (omd->version != 1) {
+ DEBUG(0,(__location__ ": bad version %u in replPropertyMetaData for %s when trying to add msDS-KeyVersionNumber\n",
+ omd->version, ldb_dn_get_linearized(msg->dn)));
+ talloc_free(omd);
+ return LDB_SUCCESS;
+ }
+ for (i=0; i<omd->ctr.ctr1.count; i++) {
+ if (omd->ctr.ctr1.array[i].attid == DRSUAPI_ATTRIBUTE_unicodePwd) {
+ ldb_msg_add_fmt(msg, "msDS-KeyVersionNumber", "%u", omd->ctr.ctr1.array[i].version);
+ break;
+ }
+ }
+ return LDB_SUCCESS;
+
+}
+
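Review bot: construct_msds_keyversionnumber() tests `omd_value` twice in a row (the second `if (!omd_value)` is dead code), reports an allocation failure but then returns LDB_SUCCESS, frees `omd` on the bad-version path but not on the NDR-failure or success paths (it stays attached to `msg` until the message is freed), and ignores the return of ldb_msg_add_fmt(). I would drop the duplicate check, return the error from ldb_module_oom() (which, as elsewhere in ldb, yields LDB_ERR_OPERATIONS_ERROR), free `omd` on every exit and propagate the add_fmt result through a new `int ret;` local. The rewritten tail follows; the comment on the loop also records where the constructed value actually comes from.
```c
	omd_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
	if (!omd_value) {
		/* We can't make up a key version number without meta data */
		return LDB_SUCCESS;
	}

	omd = talloc(msg, struct replPropertyMetaDataBlob);
	if (!omd) {
		return ldb_module_oom(module);
	}
	/* … unchanged: ndr_pull_struct_blob() call … */
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		DEBUG(0,(__location__ ": Failed to parse replPropertyMetaData for %s when trying to add msDS-KeyVersionNumber\n",
			 ldb_dn_get_linearized(msg->dn)));
		talloc_free(omd);
		return LDB_ERR_OPERATIONS_ERROR;
	}
	/* … unchanged: version != 1 check (already frees omd) … */
	ret = LDB_SUCCESS;
	for (i=0; i<omd->ctr.ctr1.count; i++) {
		if (omd->ctr.ctr1.array[i].attid == DRSUAPI_ATTRIBUTE_unicodePwd) {
			/* the kvno is the replication version of unicodePwd */
			ret = ldb_msg_add_fmt(msg, "msDS-KeyVersionNumber", "%u",
					      omd->ctr.ctr1.array[i].version);
			break;
		}
	}
	talloc_free(omd);
	return ret;
```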
/*
a list of attribute names that should be substituted in the parse
tree before the search is done
@@ -468,7 +525,8 @@ static const struct {
{ "tokenGroups", "objectSid", "primaryGroupID", construct_token_groups },
{ "parentGUID", NULL, NULL, construct_parent_guid },
{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
- { "msDS-isRODC", "objectClass", "objectCategory", construct_msds_isrodc }
+ { "msDS-isRODC", "objectClass", "objectCategory", construct_msds_isrodc },
+ { "msDS-KeyVersionNumber", "replPropertyMetaData", NULL, construct_msds_keyversionnumber }
};
@@ -481,12 +539,15 @@ enum op_remove {
/*
a list of attributes that may need to be removed from the
underlying db return
+
+ Some of these are attributes that were once stored, but are now calculated
*/
static const struct {
const char *attr;
enum op_remove op;
} operational_remove[] = {
{ "nTSecurityDescriptor", OPERATIONAL_SD_FLAGS },
+ { "msDS-KeyVersionNumber", OPERATIONAL_REMOVE_ALWAYS },
{ "parentGUID", OPERATIONAL_REMOVE_ALWAYS },
{ "replPropertyMetaData", OPERATIONAL_REMOVE_UNASKED },
{ "unicodePwd", OPERATIONAL_REMOVE_UNASKED },
@@ -505,7 +566,8 @@ static const struct {
*/
static int operational_search_post_process(struct ldb_module *module,
struct ldb_message *msg,
- const char * const *attrs,
+ const char * const *attrs_from_user,
+ const char * const *attrs_searched_for,
bool sd_flags_set)
{
struct ldb_context *ldb;
@@ -518,7 +580,10 @@ static int operational_search_post_process(struct ldb_module *module,
for (i=0; i<ARRAY_SIZE(operational_remove); i++) {
switch (operational_remove[i].op) {
case OPERATIONAL_REMOVE_UNASKED:
- if (ldb_attr_in_list(attrs, operational_remove[i].attr)) {
+ if (ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) {
+ continue;
+ }
+ if (ldb_attr_in_list(attrs_searched_for, operational_remove[i].attr)) {
continue;
}
case OPERATIONAL_REMOVE_ALWAYS:
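Review bot: The OPERATIONAL_REMOVE_UNASKED case now has two `continue` guards and then drops straight into `case OPERATIONAL_REMOVE_ALWAYS:` without a break; that fall-through is what performs the removal, but it is unmarked and the added guard makes it easier to misread as a bug. Put `/* fall through */` immediately before the REMOVE_ALWAYS label. The new `attrs_searched_for` check also deserves a one-line why-comment: from the callback passing `req->op.search.attrs` I infer it is the list the module actually sent downstream, including helper attributes such as replPropertyMetaData, so those are deliberately not stripped here and are left for the search_sub cleanup further down. operational_search_post_process() starts in the previous hunk and continues beyond this one.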
@@ -526,7 +591,7 @@ static int operational_search_post_process(struct ldb_module *module,
break;
case OPERATIONAL_SD_FLAGS:
if (sd_flags_set ||
- ldb_attr_in_list(attrs, operational_remove[i].attr)) {
+ ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) {
continue;
}
ldb_msg_remove_attr(msg, operational_remove[i].attr);
@@ -534,9 +599,9 @@ static int operational_search_post_process(struct ldb_module *module,
}
}
- for (a=0;attrs && attrs[a];a++) {
+ for (a=0;attrs_from_user && attrs_from_user[a];a++) {
for (i=0;i<ARRAY_SIZE(search_sub);i++) {
- if (ldb_attr_cmp(attrs[a], search_sub[i].attr) != 0) {
+ if (ldb_attr_cmp(attrs_from_user[a], search_sub[i].attr) != 0) {
continue;
}
@@ -559,16 +624,16 @@ static int operational_search_post_process(struct ldb_module *module,
* - we generated constructed attributes and
* - we aren't requesting all attributes
*/
- if ((constructed_attributes) && (!ldb_attr_in_list(attrs, "*"))) {
+ if ((constructed_attributes) && (!ldb_attr_in_list(attrs_from_user, "*"))) {
for (i=0;i<ARRAY_SIZE(search_sub);i++) {
/* remove the added search helper attributes, unless
* they were asked for by the user */
if (search_sub[i].replace != NULL &&
- !ldb_attr_in_list(attrs, search_sub[i].replace)) {
+ !ldb_attr_in_list(attrs_from_user, search_sub[i].replace)) {
ldb_msg_remove_attr(msg, search_sub[i].replace);
}
if (search_sub[i].extra_attr != NULL &&
- !ldb_attr_in_list(attrs, search_sub[i].extra_attr)) {
+ !ldb_attr_in_list(attrs_from_user, search_sub[i].extra_attr)) {
ldb_msg_remove_attr(msg, search_sub[i].extra_attr);
}
}
@@ -579,7 +644,7 @@ static int operational_search_post_process(struct ldb_module *module,
failed:
ldb_debug_set(ldb, LDB_DEBUG_WARNING,
"operational_search_post_process failed for attribute '%s'",
- attrs[a]);
+ attrs_from_user[a]);
return -1;
}
@@ -619,6 +684,7 @@ static int operational_callback(struct ldb_request *req, struct ldb_reply *ares)
ret = operational_search_post_process(ac->module,
ares->message,
ac->attrs,
+ req->op.search.attrs,
ac->sd_flags_set);
if (ret != 0) {
return ldb_module_done(ac->req, NULL, NULL,
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 53b2a47..426e9a1 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -59,11 +59,6 @@
* Once this is done (which could update anything at all), we
* calculate the password hashes.
*
- * This function must not only update the unicodePwd, dBCSPwd and
- * supplementalCredentials fields, it must also atomicly increment the
- * msDS-KeyVersionNumber. We should be in a transaction, so all this
- * should be quite safe...
- *
* Finally, if the administrator has requested that a password history
* be maintained, then this should also be written out.
*
@@ -121,7 +116,6 @@ struct setup_password_fields_io {
struct samr_Password *lm_history;
const struct ldb_val *supplemental;
struct supplementalCredentialsBlob scb;
- uint32_t kvno;
} o;
/* generated credentials */
@@ -139,7 +133,6 @@ struct setup_password_fields_io {
DATA_BLOB des_crc;
struct ldb_val supplemental;
NTTIME last_set;
- uint32_t kvno;
} g;
};
@@ -1291,14 +1284,6 @@ static int setup_last_set_field(struct setup_password_fields_io *io)
return LDB_SUCCESS;
}
-static int setup_kvno_field(struct setup_password_fields_io *io)
-{
- /* increment by one */
- io->g.kvno = io->o.kvno + 1;
-
- return LDB_SUCCESS;
-}
-
static int setup_password_fields(struct setup_password_fields_io *io)
{
struct ldb_context *ldb;
@@ -1421,11 +1406,6 @@ static int setup_password_fields(struct setup_password_fields_io *io)
return ret;
}
- ret = setup_kvno_field(io);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-
return LDB_SUCCESS;
}
@@ -1788,8 +1768,6 @@ static int password_hash_add_do_add(struct ph_context *ac)
ldb_msg_remove_attr(msg, "unicodePwd");
ldb_msg_remove_attr(msg, "dBCSPwd");
ldb_msg_remove_attr(msg, "pwdLastSet");
- io.o.kvno = samdb_result_uint(msg, "msDs-KeyVersionNumber", 1) - 1;
- ldb_msg_remove_attr(msg, "msDs-KeyVersionNumber");
ldb = ldb_module_get_ctx(ac->module);
@@ -1843,12 +1821,6 @@ static int password_hash_add_do_add(struct ph_context *ac)
if (ret != LDB_SUCCESS) {
return ret;
}
- ret = samdb_msg_add_uint(ldb, ac, msg,
- "msDs-KeyVersionNumber",
- io.g.kvno);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
ret = ldb_build_add_req(&down_req, ldb, ac,
msg,
@@ -2070,7 +2042,7 @@ static int password_hash_mod_search_self(struct ph_context *ac)
struct ldb_context *ldb;
static const char * const attrs[] = { "userAccountControl", "lmPwdHistory",
"ntPwdHistory",
- "objectSid", "msDS-KeyVersionNumber",
+ "objectSid",
"objectClass", "userPrincipalName",
"sAMAccountName",
"dBCSPwd", "unicodePwd",
@@ -2129,7 +2101,6 @@ static int password_hash_mod_do_mod(struct ph_context *ac)
searched_msg = ac->search_res->message;
/* Fill in some final details (only relevent once the password has been set) */
- io.o.kvno = samdb_result_uint(searched_msg, "msDs-KeyVersionNumber", 0);
io.o.nt_history_len = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
io.o.lm_history_len = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
io.o.supplemental = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
@@ -2146,7 +2117,6 @@ static int password_hash_mod_do_mod(struct ph_context *ac)
ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
- ret = ldb_msg_add_empty(msg, "msDs-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL);
if (io.g.nt_hash) {
ret = samdb_msg_add_hash(ldb, ac, msg,
@@ -2193,12 +2163,6 @@ static int password_hash_mod_do_mod(struct ph_context *ac)
if (ret != LDB_SUCCESS) {
return ret;
}
- ret = samdb_msg_add_uint(ldb, ac, msg,
- "msDs-KeyVersionNumber",
- io.g.kvno);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
ret = ldb_build_mod_req(&mod_req, ldb, ac,
msg,