[SCM] Samba Shared Repository - branch master updated

Matthias Dieter Wallnöfer mdw at samba.org
Wed Nov 24 10:24:02 MST 2010


The branch, master has been updated
       via  1352a94 s4:objectclass LDB module - LSA objects - allow them if the SYSTEM control is specified
       via  8c01d6a s4:objectclass LDB module - move one check into the "objectclass derivation loop"
       via  0a6834e s4:objectclass LDB module - some more or less cosmetic return value macro changes
      from  dab4e00 s4-tests: Modified sec_descriptor to use samdb.newgroup instead of locally defined method.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1352a9406f3e3067a8e751ac157eab67796bc0c6
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Tue Nov 23 15:15:09 2010 +0100

    s4:objectclass LDB module - LSA objects - allow them if the SYSTEM control is specified
    
    This fits better than the RELAX one.
    
    Autobuild-User: Matthias Dieter Wallnöfer <mdw at samba.org>
    Autobuild-Date: Wed Nov 24 18:23:01 CET 2010 on sn-devel-104

commit 8c01d6a837718344b52aa117820d0dba7655f295
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Tue Nov 23 15:07:49 2010 +0100

    s4:objectclass LDB module - move one check into the "objectclass derivation loop"
    
    This denies the creation of objects whose classes are possibly derived from
    the prohibited ones.
    
    Also small cosmetic improvements for another check.

commit 0a6834e6305c99b74662c4bea97e2291d8b42cb3
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Wed Nov 24 17:02:35 2010 +0100

    s4:objectclass LDB module - some more or less cosmetic return value macro changes
    
    Sometimes "ldb_module_oom" fits better than "ldb_operr" or "ldb_oom".

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/objectclass.c |   72 ++++++++++++++++----------
 source4/rpc_server/lsa/dcesrv_lsa.c          |    4 +-
 2 files changed, 47 insertions(+), 29 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 7dc3ae2..d69c3f4 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -319,14 +319,18 @@ static int fix_dn(struct ldb_context *ldb,
 	char *upper_rdn_attr;
 	const struct ldb_val *rdn_val;
 
-	/* Fix up the DN to be in the standard form, taking particular care to match the parent DN */
+	/* Fix up the DN to be in the standard form, taking particular care to
+	 * match the parent DN */
 	*fixed_dn = ldb_dn_copy(mem_ctx, parent_dn);
+	if (*fixed_dn == NULL) {
+		return ldb_oom(ldb);
+	}
 
 	/* We need the attribute name in upper case */
 	upper_rdn_attr = strupper_talloc(*fixed_dn, 
 					 ldb_dn_get_rdn_name(newdn));
-	if (!upper_rdn_attr) {
-		return ldb_operr(ldb);
+	if (upper_rdn_attr == NULL) {
+		return ldb_oom(ldb);
 	}
 
 	/* Create a new child */
@@ -397,7 +401,7 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
 			value = talloc_asprintf(req, "ldap://%s/%s", val->data,
 						ldb_dn_get_linearized(req->op.add.message->dn));
 			if (value == NULL) {
-				return ldb_oom(ldb);
+				return ldb_module_oom(module);
 			}
 
 			return ldb_module_send_referral(req, value);
@@ -417,7 +421,7 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
 	/* get copy of parent DN */
 	parent_dn = ldb_dn_get_parent(ac, ac->req->op.add.message->dn);
 	if (parent_dn == NULL) {
-		return ldb_oom(ldb);
+		return ldb_operr(ldb);
 	}
 
 	ret = ldb_build_search_req(&search_req, ldb,
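Review bot: The switch from `ldb_oom` to `ldb_operr` on a NULL `parent_dn` reports an allocation failure as an operations error if `ldb_dn_get_parent` also returns NULL when it cannot allocate the copy, which is how it appears to behave; the no-parent case is presumably the one the commit has in mind. A short comment would make that choice explicit: `/* NULL also on allocation failure; a missing parent is the expected case here */`. objectclass_add continues outside this hunk.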
@@ -459,10 +463,12 @@ static bool check_rodc_ntdsdsa_add(struct oc_context *ac,
 
 static int objectclass_do_add(struct oc_context *ac)
 {
-	struct ldb_context *ldb;
+	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 	struct ldb_request *add_req;
 	struct ldb_message_element *objectclass_element, *el;
 	struct ldb_message *msg;
+	struct ldb_control *as_system = ldb_request_get_control(ac->req,
+								LDB_CONTROL_AS_SYSTEM_OID);
 	TALLOC_CTX *mem_ctx;
 	struct class_list *sorted, *current;
 	const char *rdn_name = NULL;
@@ -474,9 +480,14 @@ static int objectclass_do_add(struct oc_context *ac)
 	bool found;
 	int ret;
 
-	ldb = ldb_module_get_ctx(ac->module);
+	if (as_system != NULL) {
+		as_system->critical = 0;
+	}
 
 	msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
+	if (msg == NULL) {
+		return ldb_module_oom(ac->module);
+	}
 
 	/* Check if we have a valid parent - this check is needed since
 	 * we don't get a LDB_ERR_NO_SUCH_OBJECT error. */
@@ -511,7 +522,7 @@ static int objectclass_do_add(struct oc_context *ac)
 
 	mem_ctx = talloc_new(ac);
 	if (mem_ctx == NULL) {
-		return ldb_oom(ldb);
+		return ldb_module_oom(ac->module);
 	}
 
 	if (ac->schema != NULL) {
@@ -560,10 +571,22 @@ static int objectclass_do_add(struct oc_context *ac)
 
 		/* Move from the linked list back into an ldb msg */
 		for (current = sorted; current; current = current->next) {
-			value = talloc_strdup(msg, current->objectclass->lDAPDisplayName);
+			value = talloc_strdup(msg,
+					      current->objectclass->lDAPDisplayName);
 			if (value == NULL) {
 				talloc_free(mem_ctx);
-				return ldb_oom(ldb);
+				return ldb_module_oom(ac->module);
+			}
+
+			/* LSA-specific objectclasses per default not allowed */
+			if (((strcmp(value, "secret") == 0) ||
+			     (strcmp(value, "trustedDomain") == 0)) &&
+			    !(dsdb_module_am_system(ac->module) || as_system)) {
+				ldb_asprintf_errstring(ldb,
+						       "objectclass: object class '%s' is LSA-specific, rejecting creation of '%s'!",
+						       value,
+						       ldb_dn_get_linearized(msg->dn));
+				return LDB_ERR_UNWILLING_TO_PERFORM;
 			}
 
 			ret = ldb_msg_add_string(msg, "objectClass", value);
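Review bot: The new LSA-class rejection that ends in `return LDB_ERR_UNWILLING_TO_PERFORM` inside the derivation loop leaves `mem_ctx` allocated, while the OOM path a few lines above frees it before returning; `mem_ctx` is a child of `ac`, so the memory is reclaimed later rather than lost, but the two error paths in the same loop should match: add `talloc_free(mem_ctx);` before the return. The bypass condition `dsdb_module_am_system(ac->module) || as_system` honours the AS_SYSTEM control wherever it originated, which presumably relies on the LDAP front end never forwarding a client-supplied control with that OID; a one-line comment stating that assumption next to the check would help the next reader. objectclass_do_add starts and ends outside this hunk.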
@@ -617,16 +640,10 @@ static int objectclass_do_add(struct oc_context *ac)
 		if (objectclass->systemOnly &&
 		    !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) &&
 		    !check_rodc_ntdsdsa_add(ac, objectclass)) {
-			ldb_asprintf_errstring(ldb, "objectClass %s is systemOnly, rejecting creation of %s",
-						objectclass->lDAPDisplayName, ldb_dn_get_linearized(msg->dn));
-			return LDB_ERR_UNWILLING_TO_PERFORM;
-		}
-
-		if (((strcmp(objectclass->lDAPDisplayName, "secret") == 0) ||
-		     (strcmp(objectclass->lDAPDisplayName, "trustedDomain") == 0)) &&
-                    !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
-			ldb_asprintf_errstring(ldb, "objectClass %s is LSA-specific, rejecting creation of %s",
-						objectclass->lDAPDisplayName, ldb_dn_get_linearized(msg->dn));
+			ldb_asprintf_errstring(ldb,
+					       "objectclass: object class '%s' is system-only, rejecting creation of '%s'!",
+					       objectclass->lDAPDisplayName,
+					       ldb_dn_get_linearized(msg->dn));
 			return LDB_ERR_UNWILLING_TO_PERFORM;
 		}
 
@@ -676,7 +693,7 @@ static int objectclass_do_add(struct oc_context *ac)
 						      objectclass->defaultObjectCategory);
 			}
 			if (value == NULL) {
-				return ldb_oom(ldb);
+				return ldb_module_oom(ac->module);
 			}
 
 			ret = ldb_msg_add_string(msg, "objectCategory", value);
@@ -829,7 +846,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
 
 	msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
 	if (msg == NULL) {
-		return ldb_operr(ldb);
+		return ldb_module_oom(ac->module);
 	}
 
 	/* For now change everything except the objectclasses */
@@ -965,14 +982,14 @@ static int objectclass_do_mod(struct oc_context *ac)
 	/* use a new message structure */
 	msg = ldb_msg_new(ac);
 	if (msg == NULL) {
-		return ldb_oom(ldb);
+		return ldb_module_oom(ac->module);
 	}
 
 	msg->dn = ac->req->op.mod.message->dn;
 
 	mem_ctx = talloc_new(ac);
 	if (mem_ctx == NULL) {
-		return ldb_oom(ldb);
+		return ldb_module_oom(ac->module);
 	}
 
 	/* We've to walk over all "objectClass" message elements */
@@ -1006,7 +1023,7 @@ static int objectclass_do_mod(struct oc_context *ac)
 						      oc_el_entry->num_values + 1);
 				if (vals == NULL) {
 					talloc_free(mem_ctx);
-					return ldb_oom(ldb);
+					return ldb_module_oom(ac->module);
 				}
 				oc_el_entry->values = vals;
 				oc_el_entry->values[oc_el_entry->num_values] =
@@ -1053,6 +1070,7 @@ static int objectclass_do_mod(struct oc_context *ac)
 			objectclass = get_last_structural_class(ac->schema,
 								oc_el_entry);
 			if (objectclass == NULL) {
+				/* no structural objectclass? */
 				talloc_free(mem_ctx);
 				return ldb_operr(ldb);
 			}
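Review bot: The added `/* no structural objectclass? */` comment is phrased as a question and does not say why the NULL result is treated as an operations error rather than an allocation failure; from the helper's name it appears that NULL means the entry carries no structural class, so state that: `/* no structural objectclass: the entry is invalid, not an allocation failure */`. objectclass_do_mod continues outside this hunk.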
@@ -1124,7 +1142,7 @@ static int objectclass_do_mod(struct oc_context *ac)
 					LDB_FLAG_MOD_REPLACE, &oc_el_change);
 		if (ret != LDB_SUCCESS) {
 			talloc_free(mem_ctx);
-			return ldb_oom(ldb);
+			return ret;
 		}
 
 		/* Move from the linked list back into an ldb msg */
@@ -1133,7 +1151,7 @@ static int objectclass_do_mod(struct oc_context *ac)
 					      current->objectclass->lDAPDisplayName);
 			if (value == NULL) {
 				talloc_free(mem_ctx);
-				return ldb_oom(ldb);
+				return ldb_module_oom(ac->module);
 			}
 			ret = ldb_msg_add_string(msg, "objectClass", value);
 			if (ret != LDB_SUCCESS) {
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 4014ae0..1b55824 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1056,7 +1056,7 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dc
 	trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msg->dn);
 
 	/* create the trusted_domain */
-	ret = dsdb_add(sam_ldb, msg, DSDB_MODIFY_RELAX);
+	ret = dsdb_add(sam_ldb, msg, DSDB_FLAG_AS_SYSTEM);
 	switch (ret) {
 	case  LDB_SUCCESS:
 		break;
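Review bot: Replacing `DSDB_MODIFY_RELAX` with `DSDB_FLAG_AS_SYSTEM` removes the RELAX control from this add entirely, and RELAX gates more than the LSA-class check: the systemOnly check in objectclass_do_add in this same changeset still keys on `LDB_CONTROL_RELAX_OID`. If `trustedDomain` (or `secret`, for the identical change in dcesrv_lsa_CreateSecret below) is flagged systemOnly in the schema, these RPC paths would now fail with LDB_ERR_UNWILLING_TO_PERFORM, so the narrower flag is worth confirming against the schema. dcesrv_lsa_CreateTrustedDomain_base continues outside this hunk.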
@@ -2949,7 +2949,7 @@ static NTSTATUS dcesrv_lsa_CreateSecret(struct dcesrv_call_state *dce_call, TALL
 	secret_state->secret_dn = talloc_reference(secret_state, msg->dn);
 
 	/* create the secret */
-	ret = dsdb_add(secret_state->sam_ldb, msg, DSDB_MODIFY_RELAX);
+	ret = dsdb_add(secret_state->sam_ldb, msg, DSDB_FLAG_AS_SYSTEM);
 	if (ret != LDB_SUCCESS) {
 		DEBUG(0,("Failed to create secret record %s: %s\n",
 			 ldb_dn_get_linearized(msg->dn), 

