[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Oct 24 16:40:02 MDT 2013


The branch, master has been updated
       via  d3aee80 s4-dns: dlz_bind9: Create dns-HOSTNAME account disabled
       via  4cf4ed1 s4-openldap: Fixed a problem with provisioning with OpenLdap
       via  daefca2 s4-dsacl: Fixed incorrect handling of privileges in sec_access_check_ds
      from  2d51424 torture: Add smb2.oplock.levelII501 test

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d3aee80928dc7ccde9441309bf946c2503f7714a
Author: Samuel Cabrero <scabrero at zentyal.com>
Date:   Thu Oct 24 17:37:06 2013 +0200

    s4-dns: dlz_bind9: Create dns-HOSTNAME account disabled
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Oct 25 00:39:21 CEST 2013 on sn-devel-104

commit 4cf4ed1c3e655a8df19c6d1c8004903f6e944ff3
Author: Nadezhda Ivanova <nivanova at symas.com>
Date:   Thu Oct 24 23:30:05 2013 +0300

    s4-openldap: Fixed a problem with provisioning with OpenLdap
    
    Credentials are no longer used, and there were too many arguments to the
    constructor.
    
    Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit daefca2a1aaa9f4e0ca2f17ef4c9a71412c081ea
Author: Nadezhda Ivanova <nivanova at symas.com>
Date:   Tue Oct 15 02:06:38 2013 +0300

    s4-dsacl: Fixed incorrect handling of privileges in sec_access_check_ds
    
    Restore and backup privileges are not relevant to LDAP
    access checks, and the TakeOwnership privilege should
    grant the write_owner right.
    
    Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/access_check.c    |   12 ++++--------
 python/samba/join.py              |   11 +++++++----
 python/samba/provision/backend.py |    2 +-
 source4/dsdb/tests/python/acl.py  |   26 ++++++++++++++++++++++++++
 source4/dsdb/tests/python/ldap.py |    6 +++++-
 5 files changed, 43 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 2425e8a..2be5928 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -436,14 +436,10 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
 		bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
 	}
 
-	/* TODO: remove this, as it is file server specific */
-	if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
-	    security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
-		bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
-	}
-	if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
-	    security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
-		bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
+	/* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER */
+	if ((bits_remaining & (SEC_STD_WRITE_OWNER)) &&
+	    security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+		bits_remaining &= ~(SEC_STD_WRITE_OWNER);
 	}
 
 	/* a NULL dacl allows access */
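Review bot: The new SEC_PRIV_TAKE_OWNERSHIP path is not exercised by any test in this changeset; the acl.py addition (test_rename_u9) covers explicit deny ACEs, not a token holding the privilege gaining SEC_STD_WRITE_OWNER, so a regression in this branch would go unnoticed as far as the files in the diffstat show. Since the bit is cleared from bits_remaining here, before the DACL is walked (the "NULL dacl" check follows), a deny ACE on the object does not appear to override the grant, and the comment would be clearer stating that: `/* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER regardless of the DACL */`. The parentheses around `(SEC_STD_WRITE_OWNER)` on both new lines are redundant; `if ((bits_remaining & SEC_STD_WRITE_OWNER) &&` reads the same. sec_access_check_ds begins and ends outside this hunk.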
diff --git a/python/samba/join.py b/python/samba/join.py
index 9cac8f5..f8ede5d 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -612,15 +612,18 @@ class dc_join(object):
                                                                  "DNSNAME" : ctx.dnshostname}))
             for changetype, msg in recs:
                 assert changetype == ldb.CHANGETYPE_NONE
+                dns_acct_dn = msg["dn"]
                 print "Adding DNS account %s with dns/ SPN" % msg["dn"]
 
                 # Remove dns password (we will set it as a modify, as we can't do clearTextPassword over LDAP)
                 del msg["clearTextPassword"]
                 # Remove isCriticalSystemObject for similar reasons, it cannot be set over LDAP
                 del msg["isCriticalSystemObject"]
+                # Disable account until password is set
+                msg["userAccountControl"] = str(samba.dsdb.UF_NORMAL_ACCOUNT |
+                                                samba.dsdb.UF_ACCOUNTDISABLE)
                 try:
                     ctx.samdb.add(msg)
-                    dns_acct_dn = msg["dn"]
                 except ldb.LdbError, (num, _):
                     if num != ldb.ERR_ENTRY_ALREADY_EXISTS:
                         raise
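Review bot: The account is now added with UF_ACCOUNTDISABLE and the comment says "until password is set", but nothing in this hunk re-enables it after the password is set; the enabling modify is presumably later in dc_join, outside the hunk, and if it is missing the dns-HOSTNAME account stays disabled and cannot be used for DNS updates. A comment naming the step that clears UF_ACCOUNTDISABLE would let a reader verify the pairing, e.g. `# Disable account until password is set; re-enabled below once the password is in place`. Hoisting `dns_acct_dn = msg["dn"]` above the add also sets it on the ERR_ENTRY_ALREADY_EXISTS path, which looks intended; the print on the following line could then use `dns_acct_dn` rather than reading `msg["dn"]` again. The enclosing method starts and ends outside this hunk.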
@@ -630,7 +633,7 @@ class dc_join(object):
             # connections which are hard to set up and otherwise refuse with
             # ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet
             # over SAMR.
-            print "Setting account password for %s" % ctx.samname
+            print "Setting account password for dns-%s" % ctx.myname
             try:
                 ctx.samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))"
                                       % ldb.binary_encode(ctx.myname),
@@ -639,8 +642,8 @@ class dc_join(object):
                                       username=ctx.samname)
             except ldb.LdbError, (num, _):
                 if num != ldb.ERR_UNWILLING_TO_PERFORM:
-                    pass
-                ctx.net.set_password(account_name="dns-" % ctx.myname,
+                    raise
+                ctx.net.set_password(account_name="dns-%s" % ctx.myname,
                                      domain_name=ctx.domain_name,
                                      newpassword=ctx.dnspass)
 
diff --git a/python/samba/provision/backend.py b/python/samba/provision/backend.py
index 1180642..dbea3ea 100644
--- a/python/samba/provision/backend.py
+++ b/python/samba/provision/backend.py
@@ -304,7 +304,7 @@ class LDAPBackend(ProvisionBackend):
             self.slapd.communicate()
 
     def post_setup(self):
-        return LDAPBackendResult(self.credentials, self.slapd_command_escaped,
+        return LDAPBackendResult(self.slapd_command_escaped,
                     self.ldapdir)
 
 
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index ecda3c5..7439be6 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -1250,6 +1250,32 @@ class AclRenameTests(AclTests):
         res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou3_dn)
         self.assertNotEqual(len(res), 0)
 
+    def test_rename_u9(self):
+        """Rename 'User object' cross OU, with explicit deny on sd and dc"""
+        ou1_dn = "OU=test_rename_ou1," + self.base_dn
+        ou2_dn = "OU=test_rename_ou2," + self.base_dn
+        user_dn = "CN=test_rename_user2," + ou1_dn
+        rename_user_dn = "CN=test_rename_user5," + ou2_dn
+        # Create OU structure
+        self.ldb_admin.create_ou(ou1_dn)
+        self.ldb_admin.create_ou(ou2_dn)
+        self.ldb_admin.newuser(self.testuser2, self.user_pass, userou=self.ou1)
+        mod = "(D;;SD;;;DA)"
+        self.sd_utils.dacl_add_ace(user_dn, mod)
+        mod = "(D;;DC;;;DA)"
+        self.sd_utils.dacl_add_ace(ou1_dn, mod)
+        # Rename 'User object' having SD and CC to AU
+        try:
+            self.ldb_admin.rename(user_dn, rename_user_dn)
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+        else:
+            self.fail()
+        #add an allow ace so we can delete this ou
+        mod = "(A;;DC;;;DA)"
+        self.sd_utils.dacl_add_ace(ou1_dn, mod)
+
+
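Review bot: The comment `# Rename 'User object' having SD and CC to AU` does not describe this test: the ACEs added just above are a deny of SD on the user and a deny of DC on ou1, both for DA, so the comment looks copied from a sibling test; `# Rename across OUs with SD denied on the user and DC denied on ou1 (both for DA)` matches what the test does. `self.fail()` carries no message, so if the rename ever succeeds the report is a bare AssertionError; `self.fail("rename succeeded despite explicit deny ACEs")` says what went wrong. The docstring could likewise name the trustee, since the deny is specifically against DA and the test runs as admin.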
 #tests on Control Access Rights
 class AclCARTests(AclTests):
 
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index 63c422a..643830f 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -2649,7 +2649,7 @@ nTSecurityDescriptor:: """ + desc_base64)
         user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
         delete_force(self.ldb, user_dn)
         try:
-            sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+            sddl = "O:DUG:DUD:AI(A;;RPWP;;;AU)S:PAI"
             desc = security.descriptor.from_sddl(sddl, security.dom_sid('S-1-5-21'))
             desc_base64 = base64.b64encode( ndr_pack(desc) )
             self.ldb.add_ldif("""
@@ -2659,6 +2659,10 @@ sAMAccountName: """ + user_name + """
 nTSecurityDescriptor:: """ + desc_base64)
             res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
             self.assertTrue("nTSecurityDescriptor" in res[0])
+            desc = res[0]["nTSecurityDescriptor"][0]
+            desc = ndr_unpack(security.descriptor, desc)
+            desc_sddl = desc.as_sddl(self.domain_sid)
+            self.assertTrue("O:S-1-5-21-513G:S-1-5-21-513D:AI(A;;RPWP;;;AU)" in desc_sddl)
         finally:
             delete_force(self.ldb, user_dn)
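Review bot: `self.assertTrue("..." in desc_sddl)` reports only "False is not true" on failure and hides the SDDL that was actually stored, which is the one thing needed to diagnose a DACL flag mismatch; `self.assertIn("O:S-1-5-21-513G:S-1-5-21-513D:AI(A;;RPWP;;;AU)", desc_sddl)` (if the unittest in use has it) or passing `desc_sddl` as the msg argument would show it. The name `desc` is rebound from the raw attribute value to the unpacked descriptor on consecutive lines, and it already held the descriptor built from the SDDL earlier in the method; `desc_blob = res[0]["nTSecurityDescriptor"][0]` followed by `desc = ndr_unpack(security.descriptor, desc_blob)` keeps the two apart. The enclosing test method begins outside this hunk.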
 

