[SCM] Samba Shared Repository - branch master updated

Matthias Dieter Wallnöfer mdw at samba.org
Mon Nov 8 03:37:02 MST 2010


The branch, master has been updated
       via  4b97e7c s4:objectguid/repl_meta_data LDB module - deny "objectGUID" updates
       via  8caf0ed s4:objectclass LDB module - no idea why we'd need the "objectGUID" here
       via  bb2eef5 s4:objectguid LDB module - make use of "dsdb_next_callback"
       via  e2efb09 s4:drsuapi RPC server - writespn.c - fix indentations
      from  b38a9a8 s4-drs: allow bypass of writespn checking for some SPNs

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4b97e7c8f20b125015417bcf440128f843ac648f
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Mon Nov 8 10:16:45 2010 +0100

    s4:objectguid/repl_meta_data LDB module - deny "objectGUID" updates
    
    Autobuild-User: Matthias Dieter Wallnöfer <mdw at samba.org>
    Autobuild-Date: Mon Nov  8 10:36:50 UTC 2010 on sn-devel-104

commit 8caf0ed90980d4118878f0cda10eba8004a8dd4d
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Mon Nov 8 10:26:02 2010 +0100

    s4:objectclass LDB module - no idea why we'd need the "objectGUID" here

commit bb2eef52950166bd50b7ea403097504faa5f720a
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Mon Nov 8 10:31:49 2010 +0100

    s4:objectguid LDB module - make use of "dsdb_next_callback"

commit e2efb098ab5be25f3546c830313218c3f0b7af6e
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Mon Nov 8 09:58:59 2010 +0100

    s4:drsuapi RPC server - writespn.c - fix indentations

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/objectclass.c    |    2 +-
 source4/dsdb/samdb/ldb_modules/objectguid.c     |   42 +++++++----------------
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c |    9 +++++
 source4/dsdb/samdb/ldb_modules/wscript_build    |    2 +-
 source4/dsdb/tests/python/ldap.py               |   12 ++++++
 source4/rpc_server/drsuapi/writespn.c           |   39 +++++++++++++--------
 6 files changed, 60 insertions(+), 46 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 9483d3e..6702b01 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -364,7 +364,7 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
 	const struct ldb_val *val;
 	char *value;
 	int ret;
-	static const char * const parent_attrs[] = { "objectGUID", "objectClass", NULL };
+	static const char * const parent_attrs[] = { "objectClass", NULL };
 
 	ldb = ldb_module_get_ctx(module);
 
diff --git a/source4/dsdb/samdb/ldb_modules/objectguid.c b/source4/dsdb/samdb/ldb_modules/objectguid.c
index 623185f..bc3260c 100644
--- a/source4/dsdb/samdb/ldb_modules/objectguid.c
+++ b/source4/dsdb/samdb/ldb_modules/objectguid.c
@@ -32,6 +32,7 @@
 #include "includes.h"
 #include "ldb_module.h"
 #include "dsdb/samdb/samdb.h"
+#include "dsdb/samdb/ldb_modules/util.h"
 #include "librpc/gen_ndr/ndr_misc.h"
 #include "param/param.h"
 
@@ -97,32 +98,7 @@ struct og_context {
 	struct ldb_request *req;
 };
 
-static int og_op_callback(struct ldb_request *req, struct ldb_reply *ares)
-{
-	struct og_context *ac;
-
-	ac = talloc_get_type(req->context, struct og_context);
-
-	if (!ares) {
-		return ldb_module_done(ac->req, NULL, NULL,
-					LDB_ERR_OPERATIONS_ERROR);
-	}
-	if (ares->error != LDB_SUCCESS) {
-		return ldb_module_done(ac->req, ares->controls,
-					ares->response, ares->error);
-	}
-
-	if (ares->type != LDB_REPLY_DONE) {
-		talloc_free(ares);
-		return ldb_module_done(ac->req, NULL, NULL,
-					LDB_ERR_OPERATIONS_ERROR);
-	}
-
-	return ldb_module_done(ac->req, ares->controls,
-				ares->response, ares->error);
-}
-
-/* add_record: add objectGUID attribute */
+/* add_record: add objectGUID and timestamp attributes */
 static int objectguid_add(struct ldb_module *module, struct ldb_request *req)
 {
 	struct ldb_context *ldb;
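Review bot: The rewritten header comment still names the function `add_record`, while the definition directly beneath it is `objectguid_add`; suggest `/* objectguid_add: add objectGUID and timestamp attributes */`. With og_op_callback gone, a non-DONE reply from the next module is no longer turned into LDB_ERR_OPERATIONS_ERROR but handed to dsdb_next_callback, which is defined outside this file; for add/modify the layers below only ever answer DONE, so this looks harmless, but it is worth confirming dsdb_next_callback completes the original request on every reply type. The body of objectguid_add continues past this hunk.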
@@ -192,7 +168,7 @@ static int objectguid_add(struct ldb_module *module, struct ldb_request *req)
 	ret = ldb_build_add_req(&down_req, ldb, ac,
 				msg,
 				req->controls,
-				ac, og_op_callback,
+				req, dsdb_next_callback,
 				req);
 	LDB_REQ_SET_LOCATION(down_req);
 	if (ret != LDB_SUCCESS) {
@@ -209,6 +185,7 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
 	struct ldb_context *ldb;
 	struct ldb_request *down_req;
 	struct ldb_message *msg;
+	struct ldb_message_element *el;
 	int ret;
 	time_t t = time(NULL);
 	uint64_t seq_num;
@@ -223,6 +200,13 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
+	el = ldb_msg_find_element(req->op.mod.message, "objectGUID");
+	if (el != NULL) {
+		ldb_set_errstring(ldb,
+				  "objectguid: objectGUID must not be specified!");
+		return LDB_ERR_CONSTRAINT_VIOLATION;
+	}
+
 	ac = talloc(req, struct og_context);
 	if (ac == NULL) {
 		return ldb_oom(ldb);
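Review bot: The new guard in objectguid_modify has no comment stating the rule it enforces; suggest `/* objectGUID is assigned once at add time and must not be added, replaced or deleted afterwards */` above the ldb_msg_find_element call. Looking up the element rather than its first value is the right choice here, since it also rejects a value-less `delete: objectGUID` modification. `el`, declared in the hunk at @@ -209,6 +185,7 @@, is used only for this test, so the lookup could be folded into the condition. objectguid_modify continues outside the hunk.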
@@ -252,7 +236,7 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
 	ret = ldb_build_mod_req(&down_req, ldb, ac,
 				msg,
 				req->controls,
-				ac, og_op_callback,
+				req, dsdb_next_callback,
 				req);
 	LDB_REQ_SET_LOCATION(down_req);
 	if (ret != LDB_SUCCESS) {
@@ -266,7 +250,7 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
 static const struct ldb_module_ops ldb_objectguid_module_ops = {
 	.name          = "objectguid",
 	.add           = objectguid_add,
-	.modify        = objectguid_modify,
+	.modify        = objectguid_modify
 };
 
 int ldb_objectguid_module_init(const char *version)
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 95cd069..7838b65 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -2147,6 +2147,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
 	struct loadparm_context *lp_ctx;
 	char *referral;
 	unsigned int functional_level;
+	const DATA_BLOB *guid_blob;
 
 	/* do not manipulate our control entries */
 	if (ldb_dn_is_special(req->op.mod.message->dn)) {
@@ -2166,6 +2167,14 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
+	guid_blob = ldb_msg_find_ldb_val(req->op.mod.message, "objectGUID");
+	if ( guid_blob != NULL ) {
+		ldb_debug_set(ldb, LDB_DEBUG_ERROR,
+			      "replmd_modify: it's not allowed to change the objectGUID\n");
+		talloc_free(ac);
+		return LDB_ERR_CONSTRAINT_VIOLATION;
+	}
+
 	/* we have to copy the message as the caller might have it as a const */
 	msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
 	if (msg == NULL) {
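Review bot: The guard uses ldb_msg_find_ldb_val, which returns NULL both when the element is absent and when it carries no values, so a modify with `delete: objectGUID` and no value passes this check although it removes the attribute; only the separate check in objectguid_modify catches that case today. For replmd_modify to enforce the rule on its own, test for the element instead: `if (ldb_msg_find_element(req->op.mod.message, "objectGUID") != NULL) {`, and drop the `guid_blob` declaration added in the hunk at @@ -2147,6 +2147,7 @@. The spacing in `if ( guid_blob != NULL )` also differs from the surrounding code. replmd_modify continues beyond the hunk.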
diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build b/source4/dsdb/samdb/ldb_modules/wscript_build
index 360f4a4..50ec9f2 100644
--- a/source4/dsdb/samdb/ldb_modules/wscript_build
+++ b/source4/dsdb/samdb/ldb_modules/wscript_build
@@ -50,7 +50,7 @@ bld.SAMBA_MODULE('ldb_objectguid',
 	init_function='ldb_objectguid_module_init',
 	module_init_name='ldb_init_module',
 	internal_module=False,
-	deps='samdb talloc events ndr'
+	deps='samdb talloc events ndr DSDB_MODULE_HELPERS'
 	)
 
 
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index 26969cc..833e141 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -1324,6 +1324,18 @@ objectGUID: bd3480c9-58af-4cd8-92df-bc4a18b6e44d
         self.assertTrue("whenCreated" in res[0])
         self.assertTrue("whenChanged" in res[0])
 
+        # The objectGUID cannot directly be changed
+        try:
+            self.ldb.modify_ldif("""
+dn: cn=ldaptestcontainer,""" + self.base_dn + """
+changetype: modify
+replace: objectGUID
+objectGUID: bd3480c9-58af-4cd8-92df-bc4a18b6e44d
+""")
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
         self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
 
     def test_parentGUID(self):
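Review bot: The new test only exercises `replace: objectGUID`; a `delete: objectGUID` with no value takes a different path in repl_meta_data (ldb_msg_find_ldb_val returns NULL for a value-less element) and is not covered, so a regression there would go unnoticed. The bare `self.fail()` also gives no explanation when the modify unexpectedly succeeds; `self.fail("objectGUID modify should have been rejected")` would. A second case directly after the existing one would close the gap.
```python
        # A value-less delete is a separate path from replace; it must be refused too
        try:
            self.ldb.modify_ldif("""
dn: cn=ldaptestcontainer,""" + self.base_dn + """
changetype: modify
delete: objectGUID
""")
            self.fail("objectGUID delete should have been rejected")
        except LdbError, (num, _):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
```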
diff --git a/source4/rpc_server/drsuapi/writespn.c b/source4/rpc_server/drsuapi/writespn.c
index d9338f7..23b0626 100644
--- a/source4/rpc_server/drsuapi/writespn.c
+++ b/source4/rpc_server/drsuapi/writespn.c
@@ -44,15 +44,15 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
 			       const char *spn)
 {
 	/*
-	  we only allow SPN updates if:
-
-            1) they are on the clients own account object
-	    2) they are of the form SERVICE/dnshostname
+	 * we only allow SPN updates if:
+	 *
+	 * 1) they are on the clients own account object
+	 * 2) they are of the form SERVICE/dnshostname
 	 */
 	struct dom_sid *user_sid, *sid;
 	TALLOC_CTX *tmp_ctx = talloc_new(dce_call);
 	struct ldb_result *res;
-	const char *attrs[] = { "objectSID", "dnsHostName", NULL };
+	const char *attrs[] = { "objectSID", "dNSHostName", NULL };
 	int ret;
 	krb5_context krb_ctx;
 	krb5_error_code kerr;
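Review bot: The change of `"dnsHostName"` to `"dNSHostName"` in `attrs[]` is a content change in a commit described as indentation fixes; ldb attribute matching is case-insensitive, so it should be behaviour-neutral, but it belongs in the commit message (the same rename appears in the hunk at @@ -77,7 +78,8 @@). Separately, `talloc_new(dce_call)` on the following line is never checked for NULL before `tmp_ctx` is passed on to dsdb_search_dn. writespn_check_spn continues past this hunk.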
@@ -64,7 +64,8 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
 	  check it matches the user_sid in their token
 	 */
 
-	ret = dsdb_search_dn(b_state->sam_ctx, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_ONE_ONLY);
+	ret = dsdb_search_dn(b_state->sam_ctx, tmp_ctx, &res, dn, attrs,
+			     DSDB_SEARCH_ONE_ONLY);
 	if (ret != LDB_SUCCESS) {
 		talloc_free(tmp_ctx);
 		return false;
@@ -77,7 +78,8 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
 		return false;
 	}
 
-	dnsHostName = ldb_msg_find_attr_as_string(res->msgs[0], "dnsHostName", NULL);
+	dnsHostName = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName",
+						  NULL);
 	if (dnsHostName == NULL) {
 		talloc_free(tmp_ctx);
 		return false;
@@ -88,13 +90,16 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
 		return false;
 	}
 
-	kerr = smb_krb5_init_context_basic(tmp_ctx, dce_call->conn->dce_ctx->lp_ctx, &krb_ctx);
+	kerr = smb_krb5_init_context_basic(tmp_ctx,
+					   dce_call->conn->dce_ctx->lp_ctx,
+					   &krb_ctx);
 	if (kerr != 0) {
 		talloc_free(tmp_ctx);
 		return false;
 	}
 
-	ret = krb5_parse_name_flags(krb_ctx, spn, KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
+	ret = krb5_parse_name_flags(krb_ctx, spn, KRB5_PRINCIPAL_PARSE_NO_REALM,
+				    &principal);
 	if (kerr != 0) {
 		krb5_free_context(krb_ctx);
 		talloc_free(tmp_ctx);
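Review bot: The return value of krb5_parse_name_flags is stored in `ret`, but the check on the next line tests `kerr`, which is still 0 from the smb_krb5_init_context_basic call above, so a parse failure is never detected and `principal` is presumably used afterwards without having been set. The reformatting preserves that mismatch; the assignment should read `kerr = krb5_parse_name_flags(krb_ctx, spn, KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);` so the existing `if (kerr != 0)` branch frees the context and returns false. Since this is the SPN validity check, an unparseable SPN should fail closed rather than fall through. writespn_check_spn continues beyond the hunk.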
@@ -164,7 +169,8 @@ WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALL
 				return WERR_NOMEM;
 			}
 
-			msg->dn = ldb_dn_new(msg, b_state->sam_ctx, req->object_dn);
+			msg->dn = ldb_dn_new(msg, b_state->sam_ctx,
+					     req->object_dn);
 			if ( ! ldb_dn_validate(msg->dn)) {
 				r->out.res->res1.status = WERR_OK;
 				return WERR_OK;
@@ -179,7 +185,8 @@ WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALL
 					passed_checks = false;
 				}
 				ret = samdb_msg_add_string(b_state->sam_ctx,
-							   msg, msg, "servicePrincipalName",
+							   msg, msg,
+							   "servicePrincipalName",
 							   req->spn_names[i].str);
 				if (ret != LDB_SUCCESS) {
 					return WERR_NOMEM;
@@ -188,7 +195,8 @@ WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALL
 			}
 
 			if (msg->num_elements == 0) {
-				DEBUG(2,("No SPNs need changing on %s\n", ldb_dn_get_linearized(msg->dn)));
+				DEBUG(2,("No SPNs need changing on %s\n",
+					 ldb_dn_get_linearized(msg->dn)));
 				r->out.res->res1.status = WERR_OK;
 				return WERR_OK;
 			}
@@ -208,15 +216,16 @@ WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALL
 			}
 
 			/* Apply to database */
-			ret = dsdb_modify(passed_checks?b_state->sam_ctx_system:b_state->sam_ctx, msg,
-					  DSDB_MODIFY_PERMISSIVE);
+			ret = dsdb_modify(passed_checks?b_state->sam_ctx_system:b_state->sam_ctx,
+					  msg, DSDB_MODIFY_PERMISSIVE);
 			if (ret != LDB_SUCCESS) {
 				DEBUG(0,("Failed to modify SPNs on %s: %s\n",
 					 ldb_dn_get_linearized(msg->dn),
 					 ldb_errstring(b_state->sam_ctx)));
 				r->out.res->res1.status = WERR_ACCESS_DENIED;
 			} else {
-				DEBUG(2,("Modified %u SPNs on %s\n", spn_count, ldb_dn_get_linearized(msg->dn)));
+				DEBUG(2,("Modified %u SPNs on %s\n", spn_count,
+					 ldb_dn_get_linearized(msg->dn)));
 				r->out.res->res1.status = WERR_OK;
 			}
 


-- 
Samba Shared Repository

