[SCM] Samba Shared Repository - branch master updated
Matthias Dieter Wallnöfer
mdw at samba.org
Mon Nov 8 03:37:02 MST 2010
The branch, master has been updated
via 4b97e7c s4:objectguid/repl_meta_data LDB module - deny "objectGUID" updates
via 8caf0ed s4:objectclass LDB module - no idea why we'd need the "objectGUID" here
via bb2eef5 s4:objectguid LDB module - make use of "dsdb_next_callback"
via e2efb09 s4:drsuapi RPC server - writespn.c - fix indentations
from b38a9a8 s4-drs: allow bypass of writespn checking for some SPNs
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 4b97e7c8f20b125015417bcf440128f843ac648f
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Mon Nov 8 10:16:45 2010 +0100
s4:objectguid/repl_meta_data LDB module - deny "objectGUID" updates
Autobuild-User: Matthias Dieter Wallnöfer <mdw at samba.org>
Autobuild-Date: Mon Nov 8 10:36:50 UTC 2010 on sn-devel-104
commit 8caf0ed90980d4118878f0cda10eba8004a8dd4d
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Mon Nov 8 10:26:02 2010 +0100
s4:objectclass LDB module - no idea why we'd need the "objectGUID" here
commit bb2eef52950166bd50b7ea403097504faa5f720a
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Mon Nov 8 10:31:49 2010 +0100
s4:objectguid LDB module - make use of "dsdb_next_callback"
commit e2efb098ab5be25f3546c830313218c3f0b7af6e
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Mon Nov 8 09:58:59 2010 +0100
s4:drsuapi RPC server - writespn.c - fix indentations
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/samdb/ldb_modules/objectclass.c | 2 +-
source4/dsdb/samdb/ldb_modules/objectguid.c | 42 +++++++----------------
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 9 +++++
source4/dsdb/samdb/ldb_modules/wscript_build | 2 +-
source4/dsdb/tests/python/ldap.py | 12 ++++++
source4/rpc_server/drsuapi/writespn.c | 39 +++++++++++++--------
6 files changed, 60 insertions(+), 46 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 9483d3e..6702b01 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -364,7 +364,7 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
const struct ldb_val *val;
char *value;
int ret;
- static const char * const parent_attrs[] = { "objectGUID", "objectClass", NULL };
+ static const char * const parent_attrs[] = { "objectClass", NULL };
ldb = ldb_module_get_ctx(module);
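Review bot: The narrowed `parent_attrs` on the `+` line carries no explanation, and the commit message itself says the reason objectGUID was fetched is unknown, so the next reader has nothing to go on. If, as the change implies, nothing in objectclass_add reads the parent's objectGUID, record that next to the table: `/* only the parent's objectClass is consulted below; objectGUID is deliberately not fetched */`. objectclass_add's body runs past the hunk, so confirm the claim against the rest of the function before the comment goes in.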
diff --git a/source4/dsdb/samdb/ldb_modules/objectguid.c b/source4/dsdb/samdb/ldb_modules/objectguid.c
index 623185f..bc3260c 100644
--- a/source4/dsdb/samdb/ldb_modules/objectguid.c
+++ b/source4/dsdb/samdb/ldb_modules/objectguid.c
@@ -32,6 +32,7 @@
#include "includes.h"
#include "ldb_module.h"
#include "dsdb/samdb/samdb.h"
+#include "dsdb/samdb/ldb_modules/util.h"
#include "librpc/gen_ndr/ndr_misc.h"
#include "param/param.h"
@@ -97,32 +98,7 @@ struct og_context {
struct ldb_request *req;
};
-static int og_op_callback(struct ldb_request *req, struct ldb_reply *ares)
-{
- struct og_context *ac;
-
- ac = talloc_get_type(req->context, struct og_context);
-
- if (!ares) {
- return ldb_module_done(ac->req, NULL, NULL,
- LDB_ERR_OPERATIONS_ERROR);
- }
- if (ares->error != LDB_SUCCESS) {
- return ldb_module_done(ac->req, ares->controls,
- ares->response, ares->error);
- }
-
- if (ares->type != LDB_REPLY_DONE) {
- talloc_free(ares);
- return ldb_module_done(ac->req, NULL, NULL,
- LDB_ERR_OPERATIONS_ERROR);
- }
-
- return ldb_module_done(ac->req, ares->controls,
- ares->response, ares->error);
-}
-
-/* add_record: add objectGUID attribute */
+/* add_record: add objectGUID and timestamp attributes */
static int objectguid_add(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_context *ldb;
@@ -192,7 +168,7 @@ static int objectguid_add(struct ldb_module *module, struct ldb_request *req)
ret = ldb_build_add_req(&down_req, ldb, ac,
msg,
req->controls,
- ac, og_op_callback,
+ req, dsdb_next_callback,
req);
LDB_REQ_SET_LOCATION(down_req);
if (ret != LDB_SUCCESS) {
@@ -209,6 +185,7 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
struct ldb_context *ldb;
struct ldb_request *down_req;
struct ldb_message *msg;
+ struct ldb_message_element *el;
int ret;
time_t t = time(NULL);
uint64_t seq_num;
@@ -223,6 +200,13 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
+ el = ldb_msg_find_element(req->op.mod.message, "objectGUID");
+ if (el != NULL) {
+ ldb_set_errstring(ldb,
+ "objectguid: objectGUID must not be specified!");
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+
ac = talloc(req, struct og_context);
if (ac == NULL) {
return ldb_oom(ldb);
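Review bot: The new guard at the top of this hunk keys on the element's presence via ldb_msg_find_element, so add, replace and delete of objectGUID are all refused, but nothing says this is intended; a comment would keep a later "fix" from narrowing it to replace only. Suggested text above the lookup: `/* objectGUID is set once by objectguid_add and is immutable afterwards: refuse any add/replace/delete of it (element presence is enough, the flags are irrelevant) */`. The guard sits after the `ldb_next_request` early return on the hunk's first context line, whose condition is outside the hunk, so whatever passes through that path also bypasses this check. Because the check runs before `ac` is allocated, the early return leaks nothing.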
@@ -252,7 +236,7 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
ret = ldb_build_mod_req(&down_req, ldb, ac,
msg,
req->controls,
- ac, og_op_callback,
+ req, dsdb_next_callback,
req);
LDB_REQ_SET_LOCATION(down_req);
if (ret != LDB_SUCCESS) {
@@ -266,7 +250,7 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
static const struct ldb_module_ops ldb_objectguid_module_ops = {
.name = "objectguid",
.add = objectguid_add,
- .modify = objectguid_modify,
+ .modify = objectguid_modify
};
int ldb_objectguid_module_init(const char *version)
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 95cd069..7838b65 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -2147,6 +2147,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
struct loadparm_context *lp_ctx;
char *referral;
unsigned int functional_level;
+ const DATA_BLOB *guid_blob;
/* do not manipulate our control entries */
if (ldb_dn_is_special(req->op.mod.message->dn)) {
@@ -2166,6 +2167,14 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
return LDB_ERR_OPERATIONS_ERROR;
}
+ guid_blob = ldb_msg_find_ldb_val(req->op.mod.message, "objectGUID");
+ if ( guid_blob != NULL ) {
+ ldb_debug_set(ldb, LDB_DEBUG_ERROR,
+ "replmd_modify: it's not allowed to change the objectGUID\n");
+ talloc_free(ac);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+
/* we have to copy the message as the caller might have it as a const */
msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
if (msg == NULL) {
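Review bot: The guard uses ldb_msg_find_ldb_val, which returns NULL when the objectGUID element is present but carries no values, so a modify that deletes the whole attribute (`delete: objectGUID` with no value) passes this check, while the otherwise identical guard in objectguid.c, which uses ldb_msg_find_element, rejects it. Checking for the element is the robust form: `const struct ldb_message_element *guid_el = ldb_msg_find_element(req->op.mod.message, "objectGUID");` followed by `if (guid_el != NULL) {`. If ldb_debug_set installs its text as the ldb error string as well as logging it, the trailing "\n" in the message reaches the client's diagnostic text, whereas the objectguid.c string has no newline. replmd_modify continues outside the hunk.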
diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build b/source4/dsdb/samdb/ldb_modules/wscript_build
index 360f4a4..50ec9f2 100644
--- a/source4/dsdb/samdb/ldb_modules/wscript_build
+++ b/source4/dsdb/samdb/ldb_modules/wscript_build
@@ -50,7 +50,7 @@ bld.SAMBA_MODULE('ldb_objectguid',
init_function='ldb_objectguid_module_init',
module_init_name='ldb_init_module',
internal_module=False,
- deps='samdb talloc events ndr'
+ deps='samdb talloc events ndr DSDB_MODULE_HELPERS'
)
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index 26969cc..833e141 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -1324,6 +1324,18 @@ objectGUID: bd3480c9-58af-4cd8-92df-bc4a18b6e44d
self.assertTrue("whenCreated" in res[0])
self.assertTrue("whenChanged" in res[0])
+ # The objectGUID cannot directly be changed
+ try:
+ self.ldb.modify_ldif("""
+dn: cn=ldaptestcontainer,""" + self.base_dn + """
+changetype: modify
+replace: objectGUID
+objectGUID: bd3480c9-58af-4cd8-92df-bc4a18b6e44d
+""")
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
def test_parentGUID(self):
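Review bot: The new test only exercises `replace: objectGUID`; the guards being added reject on the presence of an objectGUID element, so `add: objectGUID` and a value-less `delete: objectGUID` deserve the same ERR_CONSTRAINT_VIOLATION assertion, the delete form in particular because it carries no value and is the case a value-based check would miss. Three small copies of the same try/except, one per changetype, cover it. The enclosing test method starts outside the hunk.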
diff --git a/source4/rpc_server/drsuapi/writespn.c b/source4/rpc_server/drsuapi/writespn.c
index d9338f7..23b0626 100644
--- a/source4/rpc_server/drsuapi/writespn.c
+++ b/source4/rpc_server/drsuapi/writespn.c
@@ -44,15 +44,15 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
const char *spn)
{
/*
- we only allow SPN updates if:
-
- 1) they are on the clients own account object
- 2) they are of the form SERVICE/dnshostname
+ * we only allow SPN updates if:
+ *
+ * 1) they are on the clients own account object
+ * 2) they are of the form SERVICE/dnshostname
*/
struct dom_sid *user_sid, *sid;
TALLOC_CTX *tmp_ctx = talloc_new(dce_call);
struct ldb_result *res;
- const char *attrs[] = { "objectSID", "dnsHostName", NULL };
+ const char *attrs[] = { "objectSID", "dNSHostName", NULL };
int ret;
krb5_context krb_ctx;
krb5_error_code kerr;
@@ -64,7 +64,8 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
check it matches the user_sid in their token
*/
- ret = dsdb_search_dn(b_state->sam_ctx, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_ONE_ONLY);
+ ret = dsdb_search_dn(b_state->sam_ctx, tmp_ctx, &res, dn, attrs,
+ DSDB_SEARCH_ONE_ONLY);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return false;
@@ -77,7 +78,8 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
return false;
}
- dnsHostName = ldb_msg_find_attr_as_string(res->msgs[0], "dnsHostName", NULL);
+ dnsHostName = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName",
+ NULL);
if (dnsHostName == NULL) {
talloc_free(tmp_ctx);
return false;
@@ -88,13 +90,16 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
return false;
}
- kerr = smb_krb5_init_context_basic(tmp_ctx, dce_call->conn->dce_ctx->lp_ctx, &krb_ctx);
+ kerr = smb_krb5_init_context_basic(tmp_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ &krb_ctx);
if (kerr != 0) {
talloc_free(tmp_ctx);
return false;
}
- ret = krb5_parse_name_flags(krb_ctx, spn, KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
+ ret = krb5_parse_name_flags(krb_ctx, spn, KRB5_PRINCIPAL_PARSE_NO_REALM,
+ &principal);
if (kerr != 0) {
krb5_free_context(krb_ctx);
talloc_free(tmp_ctx);
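Review bot: The krb5_parse_name_flags result is stored in `ret` but the test that follows reads `kerr`, which still holds the zero from smb_krb5_init_context_basic, so a parse failure is never detected and `principal` is presumably used further down without having been set; the reflow keeps that mismatch. Change the assignment to `kerr = krb5_parse_name_flags(krb_ctx, spn, KRB5_PRINCIPAL_PARSE_NO_REALM,` so the existing `if (kerr != 0)` branch actually guards the call. The declaration of `principal` and the rest of writespn_check_spn are outside the hunk, so confirm nothing else rechecks `ret` before the principal is used.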
@@ -164,7 +169,8 @@ WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALL
return WERR_NOMEM;
}
- msg->dn = ldb_dn_new(msg, b_state->sam_ctx, req->object_dn);
+ msg->dn = ldb_dn_new(msg, b_state->sam_ctx,
+ req->object_dn);
if ( ! ldb_dn_validate(msg->dn)) {
r->out.res->res1.status = WERR_OK;
return WERR_OK;
@@ -179,7 +185,8 @@ WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALL
passed_checks = false;
}
ret = samdb_msg_add_string(b_state->sam_ctx,
- msg, msg, "servicePrincipalName",
+ msg, msg,
+ "servicePrincipalName",
req->spn_names[i].str);
if (ret != LDB_SUCCESS) {
return WERR_NOMEM;
@@ -188,7 +195,8 @@ WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALL
}
if (msg->num_elements == 0) {
- DEBUG(2,("No SPNs need changing on %s\n", ldb_dn_get_linearized(msg->dn)));
+ DEBUG(2,("No SPNs need changing on %s\n",
+ ldb_dn_get_linearized(msg->dn)));
r->out.res->res1.status = WERR_OK;
return WERR_OK;
}
@@ -208,15 +216,16 @@ WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALL
}
/* Apply to database */
- ret = dsdb_modify(passed_checks?b_state->sam_ctx_system:b_state->sam_ctx, msg,
- DSDB_MODIFY_PERMISSIVE);
+ ret = dsdb_modify(passed_checks?b_state->sam_ctx_system:b_state->sam_ctx,
+ msg, DSDB_MODIFY_PERMISSIVE);
if (ret != LDB_SUCCESS) {
DEBUG(0,("Failed to modify SPNs on %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(b_state->sam_ctx)));
r->out.res->res1.status = WERR_ACCESS_DENIED;
} else {
- DEBUG(2,("Modified %u SPNs on %s\n", spn_count, ldb_dn_get_linearized(msg->dn)));
+ DEBUG(2,("Modified %u SPNs on %s\n", spn_count,
+ ldb_dn_get_linearized(msg->dn)));
r->out.res->res1.status = WERR_OK;
}