[SCM] Samba Shared Repository - branch master updated

Matthias Dieter Wallnöfer mdw at samba.org
Sun Oct 3 11:31:01 MDT 2010


The branch, master has been updated
       via  7d0d6d4 s4:kdc/db-glue.c - remove unused variable
       via  24282ad s4:ldap.py - test allowed system flags restriction
       via  ca08cde s4:objectclass LDB module - introduce allowed system flags restriction
       via  4e8206e s4:urgent_replication.py - fix up the system flags handling
      from  79a4be4 s3: Remove smbd_server_conn from msg_force_tdis

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7d0d6d4d23fd010cf78736d33bd710710758b167
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Sun Oct 3 18:49:56 2010 +0200

    s4:kdc/db-glue.c - remove unused variable
    
    Autobuild-User: Matthias Dieter Wallnöfer <mdw at samba.org>
    Autobuild-Date: Sun Oct  3 17:30:34 UTC 2010 on sn-devel-104

commit 24282adb9a0db872ba45e878fdbe019c6bc2602e
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Wed Sep 29 19:49:57 2010 +0200

    s4:ldap.py - test allowed system flags restriction
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit ca08cde15029b6d8efdc562daf35d49f4fdbd4de
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Wed Sep 29 18:18:55 2010 +0200

    s4:objectclass LDB module - introduce allowed system flags restriction
    
    Distinguish real use from provision by means of the RELAX flag
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 4e8206eb4c74de05aa0657fc36ad1569b96a8900
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Sun Oct 3 18:40:05 2010 +0200

    s4:urgent_replication.py - fix up the system flags handling
    
    And relax some more object creations due to the enforced system flags rules.

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/objectclass.c    |   17 +++++++++++------
 source4/dsdb/tests/python/ldap.py               |   17 ++++++++++++++++-
 source4/dsdb/tests/python/urgent_replication.py |    7 +++----
 source4/kdc/db-glue.c                           |    1 -
 4 files changed, 30 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 82c4144..fa95626 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -696,13 +696,18 @@ static int objectclass_do_add(struct oc_context *ac)
 
 		ldb_msg_remove_attr(msg, "systemFlags");
 
-		/* Only these flags may be set by a client, but we can't tell
-		 * between a client and our provision at this point
-		 * systemFlags &= ( SYSTEM_FLAG_CONFIG_ALLOW_RENAME | SYSTEM_FLAG_CONFIG_ALLOW_MOVE | SYSTEM_FLAG_CONFIG_LIMITED_MOVE);
-		 */
+		/* Only the following flags may be set by a client */
+		if (ldb_request_get_control(ac->req,
+					    LDB_CONTROL_RELAX_OID) == NULL) {
+			systemFlags &= ( SYSTEM_FLAG_CONFIG_ALLOW_RENAME
+				       | SYSTEM_FLAG_CONFIG_ALLOW_MOVE
+				       | SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE
+				       | SYSTEM_FLAG_ATTR_IS_RDN );
+		}
 
-		/* This flag is only allowed on attributeSchema objects */
-		if (ldb_attr_cmp(objectclass->lDAPDisplayName, "attributeSchema") == 0) {
+		/* But the last one ("ATTR_IS_RDN") is only allowed on
+		 * "attributeSchema" objects. So truncate if it does not fit. */
+		if (ldb_attr_cmp(objectclass->lDAPDisplayName, "attributeSchema") != 0) {
 			systemFlags &= ~SYSTEM_FLAG_ATTR_IS_RDN;
 		}
 
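Review bot: The exemption from the client mask depends only on `LDB_CONTROL_RELAX_OID` being present on `ac->req`, so the restriction is only as strong as whatever decides who may attach that control. Nothing in this hunk shows that decision, so it presumably lives elsewhere and is worth confirming for requests that arrive over LDAP. The new comment should record this, for example `/* Without the RELAX control only these flags survive; all others are silently cleared, not rejected. RELAX is the trust boundary here. */`. Silent clearing also means a client gets a success result for an object whose stored systemFlags differ from what it sent; if that is intended, the comment should say so. objectclass_do_add starts and ends outside the hunk.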
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index 8af9b11..2b75bd6 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -31,7 +31,9 @@ from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_INTERDOMAIN_TRUST_ACCOUNT,
     UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
     UF_PARTIAL_SECRETS_ACCOUNT,
     UF_PASSWD_NOTREQD, UF_ACCOUNTDISABLE, ATYPE_NORMAL_ACCOUNT,
-    ATYPE_WORKSTATION_TRUST, SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE)
+    ATYPE_WORKSTATION_TRUST, SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE,
+    SYSTEM_FLAG_CONFIG_ALLOW_RENAME, SYSTEM_FLAG_CONFIG_ALLOW_MOVE,
+    SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE)
 from samba.dcerpc.security import (DOMAIN_RID_USERS, DOMAIN_RID_DOMAIN_MEMBERS,
     DOMAIN_RID_DCS, DOMAIN_RID_READONLY_DCS)
 
@@ -173,6 +175,19 @@ class BasicTests(unittest.TestCase):
         except LdbError, (num, _):
             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
 
+        # Test allowed system flags
+        self.ldb.add({
+             "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+             "objectClass": "person",
+             "systemFlags": str(~(SYSTEM_FLAG_CONFIG_ALLOW_RENAME | SYSTEM_FLAG_CONFIG_ALLOW_MOVE | SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE)) })
+
+        res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["systemFlags"])
+        self.assertTrue(len(res) == 1)
+        self.assertEquals(res[0]["systemFlags"][0], "0")
+
+        self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+
         self.ldb.add({
              "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
              "objectClass": "person" })
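Review bot: The added test covers only the negative case: it sends the complement of the three allowed flags and expects `"0"`, so a regression that cleared every flag would still pass. A second add that sets only an allowed flag, e.g. `"systemFlags": str(SYSTEM_FLAG_CONFIG_ALLOW_RENAME)`, and asserts the value is kept would pin the mask itself, assuming nothing else rewrites the attribute for this object class. The search also goes through `ldb.search` while the add and delete use `self.ldb`; unless a module-level `ldb` is intended, `res = self.ldb.search(...)` keeps the test on one connection. The enclosing test method starts and ends outside the hunk.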
diff --git a/source4/dsdb/tests/python/urgent_replication.py b/source4/dsdb/tests/python/urgent_replication.py
index 3c35af6..47d43dd 100755
--- a/source4/dsdb/tests/python/urgent_replication.py
+++ b/source4/dsdb/tests/python/urgent_replication.py
@@ -96,7 +96,7 @@ class UrgentReplicationTests(samba.tests.TestCase):
             "objectclass":"server",
             "cn":"test server",
             "name":"test server",
-            "systemFlags":"50000000"});
+            "systemFlags":"50000000", ["relax:0"]});
 
         self.ldb.add_ldif(
             """dn: cn=NTDS Settings test,cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,%s""" % (self.base_dn) + """
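Review bot: The changed line `"systemFlags":"50000000", ["relax:0"]});` puts the controls list inside the dict literal, which is not valid Python because every dict entry needs `key: value`, so the file would fail to parse. The control presumably belongs after the closing brace as a separate argument, `"systemFlags":"50000000"}, ["relax:0"]);`, the same way the add_ldif call visible in the next hunk header passes it. The same applies to `"systemFlags": "1", ["relax:0"]});` in the following hunk. Until this is fixed, these object creations do not exercise the relaxed path the commit message describes. The add call starts outside the hunk.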
@@ -139,7 +139,7 @@ systemFlags: 33554432""", ["relax:0"]);
                       "nCName": self.base_dn,
                       "showInAdvancedViewOnly": "TRUE",
                       "name": "test crossRef",
-                      "systemFlags": "1"});
+                      "systemFlags": "1", ["relax:0"]});
 
         # urgent replication should be enabled when creating
         res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn)
@@ -182,8 +182,7 @@ oMSyntax: 64
 systemOnly: FALSE
 searchFlags: 8
 lDAPDisplayName: test attributeSchema
-name: test attributeSchema
-systemFlags: 0""");
+name: test attributeSchema""");
 
             # urgent replication should be enabled when creating
             res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 0451634..3e918cf 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1634,7 +1634,6 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
 NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
 				struct samba_kdc_db_context **kdc_db_ctx_out)
 {
-	NTSTATUS nt_status;
 	int ldb_ret;
 	struct ldb_message *msg;
 	struct auth_session_info *session_info;


-- 
Samba Shared Repository

