[SCM] Samba Shared Repository - branch v4-0-test updated

Karolin Seeger kseeger at samba.org
Mon Nov 12 03:37:07 MST 2012


The branch, v4-0-test has been updated
       via  065083c WHATSNEW: Update changes since rc4.
       via  51e6113 WHATSNEW: Update changes since rc4.
       via  ed87e34 samba-tool: Fix typo in --help output.
       via  88bdfcb lib/krb5_wrap: request enc_types in the correct order (bug #9272)
       via  7c92c87 s3-kerberos: add aes enctypes to generated krb5.conf.
       via  3c7f48e s3-krb5: use and request AES keys in kerberos operations.
       via  4cb7d0d doc: describe samlogon cache caveat for winbindd -n
       via  949df3c Revert "s3-winbindd: make sure we obey the -n switch also for samlogon cache access."
       via  c2bafcf ntp_signd: Only allow group access to the ntp signd directory.
       via  fb3f081 ntp_signd: move socket directory to var/lib not var/run for permissions change
       via  3199aa1 s4:dsdb/acl_read: make sure confidential attributes require CONTROL_ACCESS (bug #8620)
       via  0f2b61b s4:dsdb/acl_read: fix whitespace formatting errors
       via  9139694 s4:dsdb/acl: only give administrators access to attributes marked as confidential (bug #8620)
       via  eb1c561 s4:dsdb/acl: reorganize the logic flow in the password filtering checks
       via  4da07b7 s4:dsdb/acl: fix search filter cleanup for password attributes
      from  2f05e8c WHATSNEW: Update changes since rc4.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit 065083ca5e1c268a57dd635553e8b312ab5fa503
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Nov 12 09:50:35 2012 +0100

    WHATSNEW: Update changes since rc4.
    
    Karolin
    
    Autobuild-User(v4-0-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-0-test): Mon Nov 12 11:36:41 CET 2012 on sn-devel-104

commit 51e61133c6c7a27a764086c436c54cb2b17b70db
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Nov 12 09:19:05 2012 +0100

    WHATSNEW: Update changes since rc4.
    
    Karolin

commit ed87e34a6a71aecb57e175b6092bf04eb634c410
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Nov 9 09:07:38 2012 +0100

    samba-tool: Fix typo in --help output.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    
    Part of a fix for bug #9373 - Output of 'samba-tool' does not look very nice.

commit 88bdfcb85e32bc52bf04ca6611828a65808d9b51
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 22 13:47:48 2012 +0200

    lib/krb5_wrap: request enc_types in the correct order (bug #9272)
    
    aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
    should have a higher priority than arcfour-hmac-md5,
    otherwise the KDC still gives us arcfour-hmac-md5 session keys.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 24f3f87706329e6e280dc6be6d025e997d46c910)
    
    The last 3 patches address bug #9272 - net ads join does not provide AES keys in
    host keytab.

commit 7c92c873dc88f9ae7d1b26328a46509fd6360b09
Author: Günther Deschner <gd at samba.org>
Date:   Mon Dec 19 10:52:58 2011 +0100

    s3-kerberos: add aes enctypes to generated krb5.conf.
    
    Guenther

commit 3c7f48efeba806f0805a1315185ab2151fc429a3
Author: Günther Deschner <gd at samba.org>
Date:   Thu Dec 15 18:12:41 2011 +0100

    s3-krb5: use and request AES keys in kerberos operations.
    
    Guenther

commit 4cb7d0d9121ee8c46a54360e357e798a519f04e4
Author: David Disseldorp <ddiss at samba.org>
Date:   Tue Nov 6 12:49:42 2012 +0100

    doc: describe samlogon cache caveat for winbindd -n
    
    The samlogon cache is never bypassed, even when winbindd is run with the
    -n argument.
    See https://bugzilla.samba.org/show_bug.cgi?id=9125

commit 949df3ca93f1e570a531b51e005206780925bc7e
Author: David Disseldorp <ddiss at samba.org>
Date:   Tue Nov 6 12:29:24 2012 +0100

    Revert "s3-winbindd: make sure we obey the -n switch also for samlogon cache access."
    
    This reverts commit ae6a779bf9f816680e724ede37324b7f5355996b.
    
    Bug 9125 analysis from Volker:
    
    The problem is that there are no network calls possible at all that
    would do what the samlogon cache does for us. There is just no way to
    retrieve the group membership in a complex trusted environment. If you
    have just a single domain with Samba as domain controller it might be
    possible, but even within a single domain it is not possible to
    correctly retrieve all group memberships using LDAP calls due to ACLs on
    directory objects. The call to get that is called NetSamLogon on the
    NETLOGON pipe. But this call requires user credentials and might trigger
    updating counts on the server. So to correctly implement wbinfo -r after
    a user has logged in, you have two alternatives: Save the info3 struct
    or the PAC in the netsamlogon cache. If you insist on doing network
    calls, you need to cache the user credentials somewhere to re-do the
    NetSamLogon call every time the wbinfo -r is requested.

commit c2bafcf2e24eb12afaa9b49b5bbc0b02d67dd8a6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Nov 11 21:32:22 2012 +1100

    ntp_signd: Only allow group access to the ntp signd directory.
    
    Existing installations running ntp as group 'ntp' will need to change
    the permissions on the ntp_signd socket directory (eg
    PREFIX/lib/ntp_signd or /var/lib/samba/ntp_signd)
    
    The reason is that allowing other users on the host access to this
    directory would allow them to potentially spoof time on the network,
    or attack the password database with a chosen plaintext attack.
    
    Permissions should be changed to:
    
    ownership root:ntp (if ntp runs as gid ntp)
    mode 0750 (this is what it will be created as)
    
    If the permissions are not changed, Samba will refuse to start the
    ntp_signd server, and NTP operations will not be signed.  As the error
    is declared fatal, in the future, Samba may totally refuse to start.
    
    Andrew Bartlett
    
    The last 2 patches address bug #9379 - [SECURITY] ntp_signd permissions are too
    broad.
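The directory state this commit message prescribes, checked from a shell. This is an added example, not Samba's code and not part of this mail; it assumes the directory path and the expected owner and group are passed as arguments (the commit names root and ntp), and the fix helper applies exactly the chgrp plus mode 0750 described above:

```shell
#!/bin/sh
# Added example (not Samba's own code). Verifies that an ntp_signd socket
# directory is in the state the commit requires: owner root, group ntp,
# mode 0750. Path, owner and group are arguments; "root"/"ntp" are only
# the names the commit message uses, not something this script assumes.

# ntp_signd_dir_check DIR OWNER GROUP
# Returns 0 when DIR is OWNER:GROUP with mode drwxr-x--- (0750),
# 1 when the mode is not 0750 (the case the new ntp_signd code rejects),
# 2 when the mode is right but owner or group is wrong,
# 3 when DIR does not exist.
ntp_signd_dir_check() {
    dir=$1 want_owner=$2 want_group=$3
    if [ ! -d "$dir" ]; then
        echo "absent: $dir"
        return 3
    fi
    # ls -ld prints "drwxr-x--- 2 root ntp 4096 Nov 12 09:50 /path".
    # The first 10 characters of field 1 are the mode; an 11th '.' or '+'
    # may flag SELinux or ACL extras, so cut to 10. Fields 3 and 4 are the
    # owner and group. set -- inside a function only rebinds its own $1..$n.
    set -- $(ls -ld "$dir")
    mode=$(printf '%s' "$1" | cut -c1-10)
    owner=$3 group=$4
    group_bits=${mode#????}; group_bits=${group_bits%???}   # chars 5-7
    other_bits=${mode#???????}                              # chars 8-10
    if [ "$mode" != "drwxr-x---" ]; then
        # Distinguish "more open than 0750" (others have any access, or the
        # group can write) from a merely unexpected but not broader mode.
        case $other_bits in
        ---) broad=no ;;
        *)   broad=yes ;;
        esac
        case $group_bits in
        *w*) broad=yes ;;
        esac
        if [ "$broad" = yes ]; then
            echo "too broad: $dir is $mode; expected drwxr-x--- (0750)"
        else
            echo "not 0750: $dir is $mode; expected drwxr-x---"
        fi
        return 1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "wrong ownership: $dir is $owner:$group; expected $want_owner:$want_group"
        return 2
    fi
    echo "ok: $dir is $owner:$group $mode"
    return 0
}

# ntp_signd_dir_fix DIR GROUP
# Applies the two steps the commit and WHATSNEW text call for: hand the
# directory to the ntp group and close it to everyone else (0750).
# Ownership by root is left to the installer; chown is not attempted here.
ntp_signd_dir_fix() {
    chgrp "$2" "$1" && chmod 0750 "$1"
}

# Usage (path as in the commit message):
#   ntp_signd_dir_check /usr/local/samba/var/lib/ntp_signd root ntp \
#     || ntp_signd_dir_fix /usr/local/samba/var/lib/ntp_signd ntp
```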

commit fb3f0818f68986fc19324d175626ae8bbf6ed3a7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 12 08:44:02 2012 +1100

    ntp_signd: move socket directory to var/lib not var/run for permissions change
    
    With the next patch, this becomes a socket directory on which we must
    maintain administrator-specified permissions, so we will need to move it
    away from directories that are wiped at boot.
    
    This means the ntp.conf will need to change from (eg)
    
    ntpsigndsocket /usr/local/samba/var/run/ntp_signd/
    
    to
    
    ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
    
    Andrew Bartlett

commit 3199aa17c101e01fb4d835a2bcc56fa8f1983cfc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 9 17:23:53 2012 +0100

    s4:dsdb/acl_read: make sure confidential attributes require CONTROL_ACCESS (bug #8620)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Mon Nov 12 01:25:21 CET 2012 on sn-devel-104
    (cherry picked from commit e0ab14f52a52c8317473b4c4cd3cf50265e1f9e4)
    
    The last 5 patches address bug #8620 - Read ACL are not enabled by default on
    DS.

commit 0f2b61bd24232c53996aca6f7d3ff28992fea063
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 9 17:22:44 2012 +0100

    s4:dsdb/acl_read: fix whitespace formatting errors
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 21dfaefda0e22f7ddaac62bfd8b32e6fb9fc253d)

commit 9139694cb949237d7f1f7065bdb13163b1ced591
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 9 17:05:44 2012 +0100

    s4:dsdb/acl: only give administrators access to attributes marked as confidential (bug #8620)
    
    The full fix will be to implement and use the code of the read_acl module,
    but this is better than nothing for now.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f6fa7243f81891cb7703264da526fd873a9745e4)

commit eb1c56117394dbb36045a2ed9f5638551632d159
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 9 11:23:47 2012 +0100

    s4:dsdb/acl: reorganize the logic flow in the password filtering checks
    
    This avoids some nesting levels and does early returns.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ed8b27516b212b59167bb932de949a7b54dc44cb)

commit 4da07b7884aa4deee61f7228ade753d30f1bb216
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 9 11:25:21 2012 +0100

    s4:dsdb/acl: fix search filter cleanup for password attributes
    
    We need to do this when we're *not* system.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 54ad5c70e3cc731c872913841cbcd2ef29ec0e54)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                      |   28 +++
 docs-xml/manpages/winbindd.8.xml                  |    6 +-
 dynconfig/wscript                                 |    4 +-
 lib/krb5_wrap/krb5_samba.c                        |    6 +
 source3/libads/kerberos.c                         |   28 ++-
 source3/libads/kerberos_keytab.c                  |    8 +-
 source3/winbindd/winbindd_ads.c                   |    2 +-
 source3/winbindd/winbindd_cache.c                 |    4 -
 source3/winbindd/winbindd_creds.c                 |    4 -
 source3/winbindd/winbindd_msrpc.c                 |    6 +-
 source4/dsdb/samdb/ldb_modules/acl.c              |  231 ++++++++++++++-----
 source4/dsdb/samdb/ldb_modules/acl_read.c         |  256 +++++++++++----------
 source4/ntp_signd/ntp_signd.c                     |    2 +-
 source4/scripting/python/samba/netcmd/testparm.py |    2 +-
 14 files changed, 386 insertions(+), 201 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 72b90e9..b1a2b7e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -167,6 +167,22 @@ smb.conf changes
 CHANGES SINCE 4.0.0rc4
 ======================
 
+With this release candidate the location of the socket samba accepts
+connections from NTPd has changed, as has the enforced permissions.
+
+This means the ntp.conf will need to change from (eg)
+
+ntpsigndsocket /usr/local/samba/var/run/ntp_signd/
+
+to
+
+ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
+
+To use the socket with ntp on a system with an ntp user and group, you must
+run:
+
+chgrp ntp /usr/local/samba/var/lib/ntp_signd/
+
 o   Michael Adam <obnox at samba.org>
     * BUG 9321: winbindd:cache: Fix offline logons with cached credentials.
     * BUG 9339: Build and quota fixes.
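Review bot: the new WHATSNEW paragraph tells administrators to run chgrp but leaves out the rest of what commit c2bafcf requires, namely root ownership and mode 0750, and the consequence of not doing it (Samba refuses to start ntp_signd and NTP replies go unsigned); add a line such as `chmod 0750 /usr/local/samba/var/lib/ntp_signd/` next to the chgrp and state the failure mode so the change is not discovered only from a startup error. Also "the location of the socket samba accepts connections from NTPd has changed" reads awkwardly; "the socket on which Samba accepts connections from ntpd" is clearer.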
@@ -188,6 +204,7 @@ o   Andrew Bartlett <abartlet at samba.org>
     * BUG 9352: Fix samba crashes with certain RPC calls.
     * BUG 9355: Set mask values to 0777 and use fileserver.conf.
     * BUG 9357: Don't expose more symbols than specified by abi_match setting.
+    * BUG 9379: ntp_signd permissions are too broad.
 
 
 o   Björn Baumbach <bb at sernet.de>
@@ -203,6 +220,16 @@ o   Ira Cooper <ira at samba.org>
     * BUG 9339: Build and quota fixes.
 
 
+o   Günther Deschner <gd at samba.org>
+    * BUG 9272: 'net ads join' does not provide AES keys in host keytab.
+
+
+o   David Disseldorp <ddiss at samba.org>
+    * BUG 9125: Revert "s3-winbindd: make sure we obey the -n switch
+      also for samlogon cache access" and describe samlogon cache caveat for
+      'winbindd -n'.
+
+
 o   Björn Jacke <bj at sernet.de>
     * BUG 7472: Check for dn_expand also in libinet.
     * BUG 9339: Build and quota fixes.
@@ -215,6 +242,7 @@ o   Volker Lendecke <vl at samba.org>
 
 
 o   Stefan Metzmacher <metze at samba.org>
+    * BUG 8620: Read ACL are not enabled by default on DS.
     * BUG 9175: Add smbXcli_session_set_disconnect_expired().
     * BUG 9341: Fix SMBD_SMB2_NUM_IOV_PER_REQ check for sendfile().
     * BUG 9359: Optimization needed for SMB2 performance sensitive workloads.
diff --git a/docs-xml/manpages/winbindd.8.xml b/docs-xml/manpages/winbindd.8.xml
index acde022..e224620 100644
--- a/docs-xml/manpages/winbindd.8.xml
+++ b/docs-xml/manpages/winbindd.8.xml
@@ -183,12 +183,14 @@ hosts:		files wins
 
 		<varlistentry>
 		<term>-n</term>
-		<listitem><para>Disable caching. This means winbindd will
-		always have to wait for a response from the domain controller
+		<listitem><para>Disable some caching. This means winbindd will
+		often have to wait for a response from the domain controller
 		before it can respond to a client and this thus makes things
 		slower. The results will however be more accurate, since
 		results from the cache might not be up-to-date. This
 		might also temporarily hang winbindd if the DC doesn't respond.
+		This does not disable the samlogon cache, which is required for
+		group membership tracking in trusted environments.
 		</para></listitem>
 		</varlistentry>
 
diff --git a/dynconfig/wscript b/dynconfig/wscript
index 44e8f19..d1c7a00 100755
--- a/dynconfig/wscript
+++ b/dynconfig/wscript
@@ -226,8 +226,8 @@ dynconfig = {
          'DELAY':     True,
     },
     'NTP_SIGND_SOCKET_DIR' : {
-         'STD-PATH':  '${SOCKET_DIR}/ntp_signd',
-         'FHS-PATH':  '${SOCKET_DIR}/ntp_signd',
+         'STD-PATH':  '${PRIVILEGED_SOCKET_DIR}/ntp_signd',
+         'FHS-PATH':  '${PRIVILEGED_SOCKET_DIR}/ntp_signd',
          'DELAY':     True,
     },
     'NCALRPCDIR' : {
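Review bot: `${PRIVILEGED_SOCKET_DIR}` is not defined anywhere in this hunk; confirm it resolves to var/lib under both the STD-PATH and FHS-PATH layouts, because the commit message and the WHATSNEW text both promise `/usr/local/samba/var/lib/ntp_signd/`, and the FHS form of the old `${SOCKET_DIR}` pointed at a run-time directory that is wiped at boot, which is exactly what the move is meant to escape.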
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 1a5a710..f04f6e1 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -685,6 +685,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
 	krb5_ccache ccdef = NULL;
 	krb5_auth_context auth_context = NULL;
 	krb5_enctype enc_types[] = {
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+#endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
 		ENCTYPE_ARCFOUR_HMAC,
 		ENCTYPE_DES_CBC_MD5,
 		ENCTYPE_DES_CBC_CRC,
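Review bot: the order of this array is the preference order offered to the KDC, which is the entire point of bug #9272, so a one-line comment saying the AES entries must stay ahead of ENCTYPE_ARCFOUR_HMAC would stop a later tidy-up from quietly reverting the fix; the kerberos_keytab.c hunk lists the same types in a different order, and without a comment here the contrast looks like a mistake. Note also that ENCTYPE_DES_CBC_MD5 and ENCTYPE_DES_CBC_CRC remain in the list, so a KDC that offers only single DES still gets accepted.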
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 1093d12..3183e26 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -831,6 +831,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 	int fd;
 	char *realm_upper = NULL;
 	bool result = false;
+	char *aes_enctypes = NULL;
 
 	if (!lp_create_krb5_conf()) {
 		return false;
@@ -870,14 +871,33 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 		goto done;
 	}
 
+	aes_enctypes = talloc_strdup(fname, "");
+	if (aes_enctypes == NULL) {
+		goto done;
+	}
+
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+	aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
+	if (aes_enctypes == NULL) {
+		goto done;
+	}
+#endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+	aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
+	if (aes_enctypes == NULL) {
+		goto done;
+	}
+#endif
+
 	file_contents = talloc_asprintf(fname,
 					"[libdefaults]\n\tdefault_realm = %s\n"
-					"\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-					"\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-					"\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
+					"\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+					"\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+					"\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
 					"[realms]\n\t%s = {\n"
 					"\t%s\t}\n",
-					realm_upper, realm_upper, kdc_ip_string);
+					realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
+					realm_upper, kdc_ip_string);
 
 	if (!file_contents) {
 		goto done;
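Review bot: the separator handling is inconsistent: the AES256 literal ends with a space, the AES128 literal does not, and the format strings always emit `%s ` before `RC4-HMAC`, so a build with neither HAVE_ENCTYPE_AES* define writes `default_tgs_enctypes =  RC4-HMAC ...` with a doubled space, and a build with only AES256 gets a doubled space after it. krb5 tolerates the extra whitespace, but appending each name together with its own trailing separator would keep the generated krb5.conf tidy across all three configurations. Visible here but pre-existing: the generated lists still end with DES-CBC-CRC DES-CBC-MD5.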
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index eb2603b..b7df50d 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -263,9 +263,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
 	krb5_keytab keytab = NULL;
 	krb5_data password;
 	krb5_kvno kvno;
-        krb5_enctype enctypes[4] = {
+        krb5_enctype enctypes[6] = {
 		ENCTYPE_DES_CBC_CRC,
 		ENCTYPE_DES_CBC_MD5,
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+#endif
 		ENCTYPE_ARCFOUR_HMAC,
 		0
 	};
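Review bot: `enctypes[6]` hard-codes a size that is exact only when both AES defines are set; with neither set the array holds four entries plus two implicit zeros, which works only because the list is 0-terminated, and adding a seventh type later would overflow silently. Declaring it as `krb5_enctype enctypes[] = {` lets the compiler size it. The declaration line is also indented with spaces while the initializers use tabs.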
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 628fd1c..a33aac2 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -503,7 +503,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 
 	/* try netsamlogon cache first */
 
-	if (winbindd_use_cache() && (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
+	if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL ) 
 	{
 		DEBUG(5,("query_user: Cache lookup succeeded for %s\n", 
 			 sid_string_dbg(sid)));
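Review bot: the restored `if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )` line carries trailing whitespace (it came back with the revert); since the line is being touched anyway, trim it.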
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index c79d3b6..517a302 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -1302,10 +1302,6 @@ NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
 	uint32 rid;
 	fstring tmp;
 
-	if (!winbindd_use_cache()) {
-		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
-	}
-
 	if (!cache->tdb) {
 		return NT_STATUS_INTERNAL_DB_ERROR;
 	}
diff --git a/source3/winbindd/winbindd_creds.c b/source3/winbindd/winbindd_creds.c
index a160f7a..6bbd0ff 100644
--- a/source3/winbindd/winbindd_creds.c
+++ b/source3/winbindd/winbindd_creds.c
@@ -38,10 +38,6 @@ NTSTATUS winbindd_get_creds(struct winbindd_domain *domain,
 	struct netr_SamInfo3 *info;
 	NTSTATUS status;
 
-	if (!winbindd_use_cache()) {
-		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
-	}
-
 	status = wcache_get_creds(domain, mem_ctx, sid, cached_nt_pass, cred_salt);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index 455de3d..39186f8 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -407,7 +407,7 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
 {
 	struct rpc_pipe_client *samr_pipe;
 	struct policy_handle dom_pol;
-	struct netr_SamInfo3 *user = NULL;
+	struct netr_SamInfo3 *user;
 	TALLOC_CTX *tmp_ctx;
 	NTSTATUS status;
 
@@ -425,9 +425,7 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
 	}
 
 	/* try netsamlogon cache first */
-	if (winbindd_use_cache()) {
-		user = netsamlogon_cache_get(tmp_ctx, user_sid);
-	}
+	user = netsamlogon_cache_get(tmp_ctx, user_sid);
 	if (user != NULL) {
 		DEBUG(5,("msrpc_query_user: Cache lookup succeeded for %s\n",
 			sid_string_dbg(user_sid)));
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 843d17e..1a41ee2 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -51,12 +51,19 @@ struct extended_access_check_attribute {
 struct acl_private {
 	bool acl_perform;
 	const char **password_attrs;
+	void *cached_schema_ptr;
+	uint64_t cached_schema_metadata_usn;
+	uint64_t cached_schema_loaded_usn;
+	const char **confidential_attrs;
 };
 
 struct acl_context {
 	struct ldb_module *module;
 	struct ldb_request *req;
 	bool am_system;
+	bool am_administrator;
+	bool modify_search;
+	bool constructed_attrs;
 	bool allowedAttributes;
 	bool allowedAttributesEffective;
 	bool allowedChildClasses;
@@ -88,12 +95,11 @@ static int acl_module_init(struct ldb_module *module)
 		return ldb_operr(ldb);
 	}
 
-	data = talloc(module, struct acl_private);
+	data = talloc_zero(module, struct acl_private);
 	if (data == NULL) {
 		return ldb_oom(ldb);
 	}
 
-	data->password_attrs = NULL;
 	data->acl_perform = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
 					 NULL, "acl", "perform", false);
 	ldb_module_set_private(module, data);
@@ -1376,6 +1382,55 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
 	return ldb_next_request(module, req);
 }
 
+static int acl_search_update_confidential_attrs(struct acl_context *ac,
+						struct acl_private *data)
+{
+	struct dsdb_attribute *a;
+	uint32_t n = 0;
+
+	if ((ac->schema == data->cached_schema_ptr) &&
+	    (ac->schema->loaded_usn == data->cached_schema_loaded_usn) &&
+	    (ac->schema->metadata_usn == data->cached_schema_metadata_usn))
+	{
+		return LDB_SUCCESS;
+	}
+
+	data->cached_schema_ptr = NULL;
+	data->cached_schema_loaded_usn = 0;
+	data->cached_schema_metadata_usn = 0;
+	TALLOC_FREE(data->confidential_attrs);
+
+	if (ac->schema == NULL) {
+		return LDB_SUCCESS;
+	}
+
+	for (a = ac->schema->attributes; a; a = a->next) {
+		const char **attrs = data->confidential_attrs;
+
+		if (!(a->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) {
+			continue;
+		}
+
+		attrs = talloc_realloc(data, attrs, const char *, n + 2);
+		if (attrs == NULL) {
+			TALLOC_FREE(data->confidential_attrs);
+			return ldb_module_oom(ac->module);
+		}
+
+		attrs[n] = a->lDAPDisplayName;
+		attrs[n+1] = NULL;
+		n++;
+
+		data->confidential_attrs = attrs;
+	}
+
+	data->cached_schema_ptr = ac->schema;
+	data->cached_schema_loaded_usn = ac->schema->loaded_usn;
+	data->cached_schema_metadata_usn = ac->schema->metadata_usn;
+
+	return LDB_SUCCESS;
+}
+
 static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares)
 {
 	struct acl_context *ac;
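Review bot: the cache check dereferences `ac->schema` before the NULL test: `data` is now `talloc_zero`'d, so `cached_schema_ptr` starts out NULL, and on a request where `ac->schema` is also NULL the first condition `ac->schema == data->cached_schema_ptr` is true and `ac->schema->loaded_usn` dereferences a NULL pointer. Move the `if (ac->schema == NULL)` block (still clearing the cached fields) ahead of the three-way comparison. A smaller point: `talloc_realloc` runs once per confidential attribute; counting first and allocating once would avoid the repeated reallocation, though this only executes when the schema changes.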
@@ -1403,11 +1458,7 @@ static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares)
 
 	switch (ares->type) {
 	case LDB_REPLY_ENTRY:
-		if (ac->allowedAttributes 
-		    || ac->allowedChildClasses
-		    || ac->allowedChildClassesEffective
-		    || ac->allowedAttributesEffective
-		    || ac->sDRightsEffective) {
+		if (ac->constructed_attrs) {
 			ret = dsdb_module_search_dn(ac->module, ac, &acl_res, ares->message->dn, 
 						    acl_attrs,
 						    DSDB_FLAG_NEXT_MODULE |
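Review bot: `ac->constructed_attrs` replaces the five-flag test, but in the visible hunks acl_search only sets it to `false` (the `@@ -1488` hunk) and nothing sets it to `true`; the changeset is truncated at 500 lines, so confirm the remainder sets it whenever any of allowedAttributes, allowedAttributesEffective, allowedChildClasses, allowedChildClassesEffective or sDRightsEffective is requested, because the blocks that follow pass `acl_res->msgs[0]` to the helpers and `acl_res` is only populated inside this branch.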
@@ -1415,46 +1466,85 @@ static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares)
 			if (ret != LDB_SUCCESS) {
 				return ldb_module_done(ac->req, NULL, NULL, ret);
 			}
-			if (ac->allowedAttributes || ac->allowedAttributesEffective) {
-				ret = acl_allowedAttributes(ac->module, ac->schema, acl_res->msgs[0], ares->message, ac);
-				if (ret != LDB_SUCCESS) {
-					return ldb_module_done(ac->req, NULL, NULL, ret);
-				}
+		}
+
+		if (ac->allowedAttributes || ac->allowedAttributesEffective) {
+			ret = acl_allowedAttributes(ac->module, ac->schema,
+						    acl_res->msgs[0],
+						    ares->message, ac);
+			if (ret != LDB_SUCCESS) {
+				return ldb_module_done(ac->req, NULL, NULL, ret);
 			}
-			if (ac->allowedChildClasses) {
-				ret = acl_childClasses(ac->module, ac->schema, acl_res->msgs[0],
-						       ares->message, "allowedChildClasses");
-				if (ret != LDB_SUCCESS) {
-					return ldb_module_done(ac->req, NULL, NULL, ret);
-				}
+		}
+
+		if (ac->allowedChildClasses) {
+			ret = acl_childClasses(ac->module, ac->schema,
+					       acl_res->msgs[0],
+					       ares->message,
+					       "allowedChildClasses");
+			if (ret != LDB_SUCCESS) {
+				return ldb_module_done(ac->req, NULL, NULL, ret);
 			}
-			if (ac->allowedChildClassesEffective) {
-				ret = acl_childClassesEffective(ac->module, ac->schema,
-								acl_res->msgs[0], ares->message, ac);
-				if (ret != LDB_SUCCESS) {
-					return ldb_module_done(ac->req, NULL, NULL, ret);
-				}
+		}
+
+		if (ac->allowedChildClassesEffective) {
+			ret = acl_childClassesEffective(ac->module, ac->schema,
+							acl_res->msgs[0],
+							ares->message, ac);
+			if (ret != LDB_SUCCESS) {
+				return ldb_module_done(ac->req, NULL, NULL, ret);
 			}
-			if (ac->sDRightsEffective) {
-				ret = acl_sDRightsEffective(ac->module, 
-							    acl_res->msgs[0], ares->message, ac);
-				if (ret != LDB_SUCCESS) {
-					return ldb_module_done(ac->req, NULL, NULL, ret);
-				}
+		}
+
+		if (ac->sDRightsEffective) {
+			ret = acl_sDRightsEffective(ac->module,
+						    acl_res->msgs[0],
+						    ares->message, ac);
+			if (ret != LDB_SUCCESS) {
+				return ldb_module_done(ac->req, NULL, NULL, ret);
 			}
 		}
-		if (data && data->password_attrs) {
-			if (!ac->am_system) {
-				for (i = 0; data->password_attrs[i]; i++) {
-					if ((!ac->userPassword) &&
-					    (ldb_attr_cmp(data->password_attrs[i],
-							  "userPassword") == 0))
-						continue;
 
-					ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
+		if (data == NULL) {
+			return ldb_module_send_entry(ac->req, ares->message,
+						     ares->controls);
+		}
+
+		if (ac->am_system) {
+			return ldb_module_send_entry(ac->req, ares->message,
+						     ares->controls);
+		}
+
+		if (data->password_attrs != NULL) {
+			for (i = 0; data->password_attrs[i]; i++) {
+				if ((!ac->userPassword) &&
+				    (ldb_attr_cmp(data->password_attrs[i],
+						  "userPassword") == 0))
+				{
+						continue;
 				}
+
+				ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
+			}
+		}
+
+		if (ac->am_administrator) {
+			return ldb_module_send_entry(ac->req, ares->message,
+						     ares->controls);
+		}
+
+		ret = acl_search_update_confidential_attrs(ac, data);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+
+		if (data->confidential_attrs != NULL) {
+			for (i = 0; data->confidential_attrs[i]; i++) {
+				ldb_msg_remove_attr(ares->message,
+						    data->confidential_attrs[i]);
 			}
 		}
+
 		return ldb_module_send_entry(ac->req, ares->message, ares->controls);
 
 	case LDB_REPLY_REFERRAL:
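Review bot: when `acl_search_update_confidential_attrs` fails the callback does a bare `return ret;`, while every other error path in this function returns `ldb_module_done(ac->req, NULL, NULL, ret)`; returning an error from an ldb callback without `ldb_module_done` leaves the request without a completion, so use `ldb_module_done` there as well. The new ordering is otherwise sound: password attributes are stripped for everyone who is not system, and confidential attributes additionally for non-administrators, as the commit message describes. Two nits: the `continue;` inside the userPassword check is indented one level too deep, and the early `data == NULL` return skips both filters, which is pre-existing behaviour but deserves a comment because it silently disables the confidential-attribute check.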
@@ -1472,6 +1562,7 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 {
 	struct ldb_context *ldb;
 	struct acl_context *ac;
+	struct ldb_parse_tree *down_tree;
 	struct ldb_request *down_req;
 	struct acl_private *data;
 	int ret;
@@ -1488,6 +1579,9 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 	ac->module = module;
 	ac->req = req;
 	ac->am_system = dsdb_module_am_system(module);
+	ac->am_administrator = dsdb_module_am_administrator(module);
+	ac->constructed_attrs = false;
+	ac->modify_search = true;
 	ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
 	ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
 	ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
@@ -1496,30 +1590,61 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 	ac->userPassword = dsdb_user_password_support(module, ac, req);
 	ac->schema = dsdb_get_schema(ldb, ac);
 
-	/* replace any attributes in the parse tree that are private,
-	   so we don't allow a search for 'userPassword=penguin',
-	   just as we would not allow that attribute to be returned */


-- 
Samba Shared Repository
