[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Wed Jul 9 03:08:04 MDT 2014
The branch, master has been updated
via 04e9d02 s4:dsdb/samldb: don't allow 'userParameters' to be modified over LDAP for now
via 9bfbff6 dbcheck: Add check and test for various invalid userParameters values
via d7b4d10 dsdb: Always store and return the userParameters as a array of LE 16-bit values
via 1592eaa dsdb: Set syntax of userParameters to binary string, not unicode string
via d64bc6c s4:dsdb/repl_meta_data: make sure objectGUID can't be deleted
via 9e6349f s4:dsdb/extended_dn_in: don't force DSDB_SEARCH_SHOW_RECYCLED
via fa17727 s4:dsdb/kcc: use SHOW_RECYCLED instead of SHOW_DELETED in when deleting tombstone/deleted objects
via 26fa0b9 s4:dsdb/schema_load: make error message more verbose
from 55fbe36 ctdb-daemon: Support per-node robust mutex feature
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 04e9d020c97c2dcd360b1845907f4c396d5671dc
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 8 16:19:09 2014 +0200
s4:dsdb/samldb: don't allow 'userParameters' to be modified over LDAP for now
For now it's safer to reject setting 'userParameters' via LDAP,
as we'll not provide the same behavior as a Windows Server.
If someone requires that feature please report this in the following
bug reports!
Bug: https://bugzilla.samba.org/show_bug.cgi?id=8077
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10130
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Jul 9 11:07:51 CEST 2014 on sn-devel-104
commit 9bfbff65436a088fab5d564b6c0bb122a76492bc
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 17 16:00:57 2014 +1200
dbcheck: Add check and test for various invalid userParameters values
Bug: https://bugzilla.samba.org/show_bug.cgi?id=8077
Change-Id: I6f2f4169856ce78c62e3a7e74b48520cca9cb9ae
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d7b4d10aba90f4a1acf01d1d5ab62161862f62f7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 17 16:03:22 2014 +1200
dsdb: Always store and return the userParameters as a array of LE 16-bit values
This is not allowed to be odd length, as otherwise we can not send it over the SAMR transport correctly.
Allocating one byte less memory than required causes malloc() heap corruption
and then a crash or lockup of the SAMR server.
Andrew Bartlett
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10130
Change-Id: I5c0c531c1d660141e07f884a4789ebe11c1716f6
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 1592eaa5c781af83aa64bc4e7211339e1d1eafce
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 24 10:12:24 2013 -0700
dsdb: Set syntax of userParameters to binary string, not unicode string
This means we continue to store the values as given on SAMR, assuming
that the SAMR buffer is little endian. The syntax for this specific
object is forced to be a binary blob, so that it is not converted on
DRSUAPI.
This commit does not fix existing databases, nor pdb_samba_dsdb (used
by classicupgrade).
Andrew Bartlett
Bug: https://bugzilla.samba.org/show_bug.cgi?id=8077
Change-Id: I10bb6aaecc381194e3c0ce6b9163f961acbdcee1
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit d64bc6c9af24109e89632db9133070f2ab827c46
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 7 23:51:31 2014 +0200
s4:dsdb/repl_meta_data: make sure objectGUID can't be deleted
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9763
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9e6349f81edb3914d18bc50473d65c0c1f5bc113
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 7 12:00:14 2014 +0200
s4:dsdb/extended_dn_in: don't force DSDB_SEARCH_SHOW_RECYCLED
We should take the controls the caller provided when we search
for existing objects.
A search with a basedn of '<GUID=....>' should result in LDB_ERR_NO_SUCH_OBJECT
if the object has isDeleted=TRUE.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10694
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fa177273b87d980f81f19acb2f1a9154f8c6bfd9
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 7 22:53:19 2014 +0200
s4:dsdb/kcc: use SHOW_RECYCLED instead of SHOW_DELETED in when deleting tombstone/deleted objects
SHOW_RECYCLED implies SHOW_DELETED.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10694
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 26fa0b97d0270456becb86d93723a3c8e5d58585
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 3 16:00:48 2014 +0200
s4:dsdb/schema_load: make error message more verbose
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/dbchecker.py | 90 +++++++++++++
source3/passdb/pdb_samba_dsdb.c | 31 ++++-
source4/dsdb/common/util.c | 59 +++++++--
source4/dsdb/kcc/kcc_deleted.c | 2 +-
source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 37 +++---
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 6 +-
source4/dsdb/samdb/ldb_modules/samldb.c | 18 +++
source4/dsdb/samdb/ldb_modules/schema_load.c | 3 +-
source4/dsdb/schema/schema.h | 1 +
source4/dsdb/schema/schema_syntax.c | 11 ++
source4/rpc_server/samr/dcesrv_samr.c | 17 ++-
testprogs/blackbox/dbcheck-oldrelease.sh | 154 +++++++++++++++++++++++
12 files changed, 384 insertions(+), 45 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index c658610..74e9678 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -20,6 +20,7 @@
import ldb
import samba
import time
+from base64 import b64decode
from samba import dsdb
from samba import common
from samba.dcerpc import misc
@@ -64,6 +65,9 @@ class dbcheck(object):
self.fix_replmetadata_zero_invocationid = False
self.fix_deleted_deleted_objects = False
self.fix_dn = False
+ self.fix_base64_userparameters = False
+ self.fix_utf8_userparameters = False
+ self.fix_doubled_userparameters = False
self.reset_well_known_acls = reset_well_known_acls
self.reset_all_well_known_acls = False
self.in_transaction = in_transaction
@@ -522,6 +526,58 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
"Failed to correct missing instanceType on %s by setting instanceType=%d" % (obj.dn, calculated_instancetype)):
self.report("Corrected instancetype on %s by setting instanceType=%d" % (obj.dn, calculated_instancetype))
+ def err_short_userParameters(self, obj, attrname, value):
+ # This is a truncated userParameters due to a pre 4.1 replication bug
+ self.report("ERROR: incorrect userParameters value on object %s. If you have another working DC that does not give this warning, please run 'samba-tool drs replicate --full-sync --local <destinationDC> <sourceDC> %s'" % (obj.dn, self.samdb.get_nc_root(obj.dn)))
+
+ def err_base64_userParameters(self, obj, attrname, value):
+ '''handle a wrong userParameters'''
+ self.report("ERROR: wrongly formatted userParameters %s on %s, should not be base64-encoded" % (value, obj.dn))
+ if not self.confirm_all('Convert userParameters from base64 encoding on %s?' % (obj.dn), 'fix_base64_userparameters'):
+ self.report('Not changing userParameters from base64 encoding on %s' % (obj.dn))
+ return
+
+ m = ldb.Message()
+ m.dn = obj.dn
+ m['value'] = ldb.MessageElement(b64decode(obj[attrname][0]), ldb.FLAG_MOD_REPLACE, 'userParameters')
+ if self.do_modify(m, [],
+ "Failed to correct base64-encoded userParameters on %s by converting from base64" % (obj.dn)):
+ self.report("Corrected base64-encoded userParameters on %s by converting from base64" % (obj.dn))
+
+ def err_utf8_userParameters(self, obj, attrname, value):
+ '''handle a wrong userParameters'''
+ self.report("ERROR: wrongly formatted userParameters on %s, should not be psudo-UTF8 encoded" % (obj.dn))
+ if not self.confirm_all('Convert userParameters from UTF8 encoding on %s?' % (obj.dn), 'fix_utf8_userparameters'):
+ self.report('Not changing userParameters from UTF8 encoding on %s' % (obj.dn))
+ return
+
+ m = ldb.Message()
+ m.dn = obj.dn
+ m['value'] = ldb.MessageElement(obj[attrname][0].decode('utf8').encode('utf-16-le'),
+ ldb.FLAG_MOD_REPLACE, 'userParameters')
+ if self.do_modify(m, [],
+ "Failed to correct psudo-UTF8 encoded userParameters on %s by converting from UTF8" % (obj.dn)):
+ self.report("Corrected psudo-UTF8 encoded userParameters on %s by converting from UTF8" % (obj.dn))
+
+ def err_doubled_userParameters(self, obj, attrname, value):
+ '''handle a wrong userParameters'''
+ self.report("ERROR: wrongly formatted userParameters on %s, should not be double UTF16 encoded" % (obj.dn))
+ if not self.confirm_all('Convert userParameters from doubled UTF-16 encoding on %s?' % (obj.dn), 'fix_doubled_userparameters'):
+ self.report('Not changing userParameters from doubled UTF-16 encoding on %s' % (obj.dn))
+ return
+
+ m = ldb.Message()
+ m.dn = obj.dn
+ m['value'] = ldb.MessageElement(obj[attrname][0].decode('utf-16-le').decode('utf-16-le').encode('utf-16-le'),
+ ldb.FLAG_MOD_REPLACE, 'userParameters')
+ if self.do_modify(m, [],
+ "Failed to correct doubled-UTF16 encoded userParameters on %s by converting" % (obj.dn)):
+ self.report("Corrected doubled-UTF16 encoded userParameters on %s by converting" % (obj.dn))
+
+ def err_odd_userParameters(self, obj, attrname):
+ # This is a truncated userParameters due to a pre 4.1 replication bug
+ self.report("ERROR: incorrect userParameters value on object %s (odd length). If you have another working DC that does not give this warning, please run 'samba-tool drs replicate --full-sync --local <destinationDC> <sourceDC> %s'" % (obj.dn, self.samdb.get_nc_root(obj.dn)))
+
def find_revealed_link(self, dn, attrname, guid):
'''return a revealed link in an object'''
res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=[attrname],
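Review bot: err_odd_userParameters(self, obj, attrname) at the end of this hunk takes no value argument, but the call added in the next hunk passes three, `self.err_odd_userParameters(obj, attrname, obj[attrname])`, so the odd-length branch would raise TypeError instead of reporting the error. Give it the same (self, obj, attrname, value) signature as err_short_userParameters. Smaller points: "psudo-UTF8" in the report strings should read "pseudo-UTF8", and the comment on err_odd_userParameters repeats the one on err_short_userParameters word for word even though the two cases are detected differently.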
@@ -1164,6 +1220,40 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
error_count += 1
continue
+ if str(attrname).lower() == 'userparameters':
+ if len(obj[attrname][0]) == 1 and obj[attrname][0][0] == '\x20':
+ error_count += 1
+ self.err_short_userParameters(obj, attrname, obj[attrname])
+ continue
+
+ elif obj[attrname][0][:16] == '\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00':
+ # This is the correct, normal prefix
+ continue
+
+ elif obj[attrname][0][:20] == 'IAAgACAAIAAgACAAIAAg':
+ # this is the typical prefix from a windows migration
+ error_count += 1
+ self.err_base64_userParameters(obj, attrname, obj[attrname])
+ continue
+
+ elif obj[attrname][0][1] != '\x00' and obj[attrname][0][3] != '\x00' and obj[attrname][0][5] != '\x00' and obj[attrname][0][7] != '\x00' and obj[attrname][0][9] != '\x00':
+ # This is a prefix that is not in UTF-16 format for the space or munged dialback prefix
+ error_count += 1
+ self.err_utf8_userParameters(obj, attrname, obj[attrname])
+ continue
+
+ elif len(obj[attrname][0]) % 2 != 0:
+ # This is a value that isn't even in length
+ error_count += 1
+ self.err_odd_userParameters(obj, attrname, obj[attrname])
+ continue
+
+ elif obj[attrname][0][1] == '\x00' and obj[attrname][0][2] == '\x00' and obj[attrname][0][3] == '\x00' and obj[attrname][0][4] != '\x00' and obj[attrname][0][5] == '\x00':
+ # This is a prefix that would happen if a SAMR-written value was replicated from a Samba 4.1 server to a working server
+ error_count += 1
+ self.err_doubled_userParameters(obj, attrname, obj[attrname])
+ continue
+
# check for empty attributes
for val in obj[attrname]:
if val == '':
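Review bot: the prefix tests in this elif chain index fixed offsets (`[1]`, `[3]` up to `[9]`) without checking the length first, so a value shorter than ten bytes, other than the single '\x20' caught by the first branch, can raise IndexError instead of being reported. The odd-length test also sits below the pseudo-UTF8 test, so an odd-length value whose odd-offset bytes are non-zero is classified as UTF8 and offered a conversion rather than the re-replication advice. Suggest testing len(...) % 2 and a minimum length before any indexing, and binding obj[attrname][0] to a local so the conditions stay readable.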
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index 7e7468d..b04e7b2 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -259,9 +259,13 @@ static NTSTATUS pdb_samba_dsdb_init_sam_from_priv(struct pdb_methods *m,
pdb_set_workstations(sam, str, PDB_SET);
}
- str = ldb_msg_find_attr_as_string(msg, "userParameters",
- NULL);
- if (str != NULL) {
+ blob = ldb_msg_find_ldb_val(msg, "userParameters");
+ if (blob != NULL) {
+ str = base64_encode_data_blob(frame, *blob);
+ if (str == NULL) {
+ DEBUG(0, ("base64_encode_data_blob() failed\n"));
+ goto fail;
+ }
pdb_set_munged_dial(sam, str, PDB_SET);
}
@@ -555,8 +559,25 @@ static int pdb_samba_dsdb_replace_by_sam(struct pdb_samba_dsdb_state *state,
/* This will need work, it is actually a UTF8 'string' with internal NULLs, to handle TS parameters */
if (need_update(sam, PDB_MUNGEDDIAL)) {
- ret |= ldb_msg_add_string(msg, "userParameters",
- pdb_get_munged_dial(sam));
+ const char *base64_munged_dial = NULL;
+
+ base64_munged_dial = pdb_get_munged_dial(sam);
+ if (base64_munged_dial != NULL && strlen(base64_munged_dial) > 0) {
+ struct ldb_val blob;
+
+ blob = base64_decode_data_blob_talloc(msg,
+ base64_munged_dial);
+ if (blob.data == NULL) {
+ DEBUG(0, ("Failed to decode userParameters from "
+ "munged dialback string[%s] for %s\n",
+ base64_munged_dial,
+ ldb_dn_get_linearized(msg->dn)));
+ talloc_free(frame);
+ return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
+ }
+ ret |= ldb_msg_add_steal_value(msg, "userParameters",
+ &blob);
+ }
}
if (need_update(sam, PDB_COUNTRY_CODE)) {
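Review bot: when pdb_get_munged_dial() returns NULL or an empty string, the new block adds nothing to msg even though need_update(sam, PDB_MUNGEDDIAL) was true, so a cleared munged dial is silently not written to userParameters. If that is intended, say so in a comment; otherwise handle the empty case explicitly. The context comment above the block ("it is actually a UTF8 'string' with internal NULLs") no longer matches code that stores the base64-decoded blob and should be updated in the same change.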
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 2aa6a6c..18f16f6 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -708,27 +708,42 @@ uint32_t samdb_result_acct_flags(struct ldb_message *msg, const char *attr)
return acct_flags;
}
-struct lsa_BinaryString samdb_result_parameters(TALLOC_CTX *mem_ctx,
- struct ldb_message *msg,
- const char *attr)
+NTSTATUS samdb_result_parameters(TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg,
+ const char *attr,
+ struct lsa_BinaryString *s)
{
- struct lsa_BinaryString s;
+ int i;
const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
- ZERO_STRUCT(s);
+ ZERO_STRUCTP(s);
if (!val) {
- return s;
+ return NT_STATUS_OK;
+ }
+
+ if ((val->length % 2) != 0) {
+ /*
+ * If the on-disk data is not even in length, we know
+ * it is corrupt, and can not be safely pushed. We
+ * would either truncate, send either a un-initilaised
+ * byte or send a forced zero byte
+ */
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
- s.array = talloc_array(mem_ctx, uint16_t, val->length/2);
- if (!s.array) {
- return s;
+ s->array = talloc_array(mem_ctx, uint16_t, val->length/2);
+ if (!s->array) {
+ return NT_STATUS_NO_MEMORY;
}
- s.length = s.size = val->length;
- memcpy(s.array, val->data, val->length);
+ s->length = s->size = val->length;
- return s;
+ /* The on-disk format is the 'network' format, being UTF16LE (sort of) */
+ for (i = 0; i < s->length / 2; i++) {
+ s->array[i] = SVAL(val->data, i * 2);
+ }
+
+ return NT_STATUS_OK;
}
/* Find an attribute, with a particular value */
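Review bot: `s->length = s->size = val->length;` assigns the ldb value length to the lsa_BinaryString length fields with no upper bound check, while the array is allocated from val->length / 2 and the copy loop runs to s->length / 2. If the length field is narrower than val->length, an oversized on-disk value would be returned silently truncated; reject it explicitly next to the odd-length check, with the same NT_STATUS_INTERNAL_DB_CORRUPTION. Also, `int i` is compared against an unsigned length in the loop, so an unsigned index would be cleaner, and "un-initilaised" in the new comment should read "uninitialised".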
@@ -1036,10 +1051,26 @@ int samdb_msg_add_logon_hours(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
int samdb_msg_add_parameters(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, struct lsa_BinaryString *parameters)
{
+ int i;
struct ldb_val val;
+ if ((parameters->length % 2) != 0) {
+ return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
+ }
+
+ val.data = talloc_array(mem_ctx, uint8_t, parameters->length);
+ if (val.data == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
val.length = parameters->length;
- val.data = (uint8_t *)parameters->array;
- return ldb_msg_add_value(msg, attr_name, &val, NULL);
+ for (i = 0; i < parameters->length / 2; i++) {
+ /*
+ * The on-disk format needs to be in the 'network'
+ * format, parmeters->array is a uint16_t array of
+ * length parameters->length / 2
+ */
+ SSVAL(val.data, i * 2, parameters->array[i]);
+ }
+ return ldb_msg_add_steal_value(msg, attr_name, &val);
}
/*
diff --git a/source4/dsdb/kcc/kcc_deleted.c b/source4/dsdb/kcc/kcc_deleted.c
index 331d4fb..93d74ca 100644
--- a/source4/dsdb/kcc/kcc_deleted.c
+++ b/source4/dsdb/kcc/kcc_deleted.c
@@ -128,7 +128,7 @@ NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx)
whenChanged = ldb_string_to_time(tstring);
}
if (t - whenChanged > tombstoneLifetime*60*60*24) {
- ret = dsdb_delete(s->samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_DELETED|DSDB_MODIFY_RELAX);
+ ret = dsdb_delete(s->samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_RECYCLED|DSDB_MODIFY_RELAX);
if (ret != LDB_SUCCESS) {
DEBUG(1,(__location__ ": Failed to remove deleted object %s\n",
ldb_dn_get_linearized(res->msgs[i]->dn)));
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
index df45f75..f738bc4 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
@@ -318,6 +318,7 @@ struct extended_dn_filter_ctx {
struct ldb_module *module;
struct ldb_request *req;
struct dsdb_schema *schema;
+ uint32_t dsdb_flags;
};
/*
@@ -421,10 +422,7 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat
return LDB_SUCCESS;
}
- dsdb_flags = DSDB_FLAG_NEXT_MODULE |
- DSDB_FLAG_AS_SYSTEM |
- DSDB_SEARCH_SHOW_RECYCLED |
- DSDB_SEARCH_SHOW_EXTENDED_DN;
+ dsdb_flags = filter_ctx->dsdb_flags | DSDB_FLAG_NEXT_MODULE;
if (guid_val) {
expression = talloc_asprintf(filter_ctx, "objectGUID=%s", ldb_binary_encode(filter_ctx, *guid_val));
@@ -485,7 +483,9 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat
fix the parse tree to change any extended DN components to their
caconical form
*/
-static int extended_dn_fix_filter(struct ldb_module *module, struct ldb_request *req)
+static int extended_dn_fix_filter(struct ldb_module *module,
+ struct ldb_request *req,
+ uint32_t default_dsdb_flags)
{
struct extended_dn_filter_ctx *filter_ctx;
int ret;
@@ -503,6 +503,7 @@ static int extended_dn_fix_filter(struct ldb_module *module, struct ldb_request
filter_ctx->module = module;
filter_ctx->req = req;
filter_ctx->schema = dsdb_get_schema(ldb_module_get_ctx(module), filter_ctx);
+ filter_ctx->dsdb_flags= default_dsdb_flags;
ret = ldb_parse_tree_walk(req->op.search.tree, extended_dn_filter_callback, filter_ctx);
if (ret != LDB_SUCCESS) {
@@ -551,10 +552,20 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req
static const char *no_attr[] = {
NULL
};
- bool all_partitions = false;
+ uint32_t dsdb_flags = DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_EXTENDED_DN;
+
+ if (ldb_request_get_control(req, LDB_CONTROL_SHOW_DELETED_OID)) {
+ dsdb_flags |= DSDB_SEARCH_SHOW_DELETED;
+ }
+ if (ldb_request_get_control(req, LDB_CONTROL_SHOW_RECYCLED_OID)) {
+ dsdb_flags |= DSDB_SEARCH_SHOW_RECYCLED;
+ }
+ if (ldb_request_get_control(req, DSDB_CONTROL_DBCHECK)) {
+ dsdb_flags |= DSDB_SEARCH_SHOW_RECYCLED;
+ }
if (req->operation == LDB_SEARCH) {
- ret = extended_dn_fix_filter(module, req);
+ ret = extended_dn_fix_filter(module, req, dsdb_flags);
if (ret != LDB_SUCCESS) {
return ret;
}
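Review bot: the three ldb_request_get_control() checks added at the top of extended_dn_in_fix() carry no comment, and the DSDB_CONTROL_DBCHECK case in particular maps to DSDB_SEARCH_SHOW_RECYCLED for a reason that is not obvious from the code. A short comment saying that the flags now follow the caller's controls, and why dbcheck still needs recycled objects, would help the next reader. Since this changes which objects a '<GUID=....>' base DN resolves to, and the file summary lists no test touching this module, a test for the LDB_ERR_NO_SUCH_OBJECT case named in the commit message would be worth adding.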
@@ -566,7 +577,6 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req
} else {
/* It looks like we need to map the DN */
const struct ldb_val *sid_val, *guid_val, *wkguid_val;
- uint32_t dsdb_flags = 0;
if (!ldb_dn_match_allowed(dn, req)) {
return ldb_error(ldb_module_get_ctx(module),
@@ -583,7 +593,7 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req
ForeignSecurityPrinciples due to provision errors
*/
if (guid_val) {
- all_partitions = true;
+ dsdb_flags |= DSDB_SEARCH_SEARCH_ALL_PARTITIONS;
base_dn = NULL;
base_dn_filter = talloc_asprintf(req, "(objectGUID=%s)",
ldb_binary_encode(req, *guid_val));
@@ -594,7 +604,7 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req
base_dn_attrs = no_attr;
} else if (sid_val) {
- all_partitions = true;
+ dsdb_flags |= DSDB_SEARCH_SEARCH_ALL_PARTITIONS;
base_dn = NULL;
base_dn_filter = talloc_asprintf(req, "(objectSid=%s)",
ldb_binary_encode(req, *sid_val));
@@ -671,13 +681,6 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req
return ldb_operr(ldb_module_get_ctx(module));
}
- dsdb_flags = DSDB_FLAG_AS_SYSTEM |
- DSDB_SEARCH_SHOW_RECYCLED |
- DSDB_SEARCH_SHOW_EXTENDED_DN;
- if (all_partitions) {
- dsdb_flags |= DSDB_SEARCH_SEARCH_ALL_PARTITIONS;
- }
-
ret = dsdb_request_add_controls(down_req, dsdb_flags);
if (ret != LDB_SUCCESS) {
return ret;
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 30b3012..4c5ced4 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -2474,7 +2474,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
int ret;
bool is_urgent = false, rodc = false;
unsigned int functional_level;
- const DATA_BLOB *guid_blob;
+ const struct ldb_message_element *guid_el = NULL;
struct ldb_control *sd_propagation_control;
struct replmd_private *replmd_private =
talloc_get_type(ldb_module_get_private(module), struct replmd_private);
@@ -2503,8 +2503,8 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_modify\n");
- guid_blob = ldb_msg_find_ldb_val(req->op.mod.message, "objectGUID");
- if ( guid_blob != NULL ) {
+ guid_el = ldb_msg_find_element(req->op.mod.message, "objectGUID");
+ if (guid_el != NULL) {
ldb_set_errstring(ldb,
"replmd_modify: it's not allowed to change the objectGUID!");
return LDB_ERR_CONSTRAINT_VIOLATION;
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index ad3d4da..7619bbb 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -2341,6 +2341,15 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
+ el = ldb_msg_find_element(req->op.add.message, "userParameters");
+ if (el != NULL && ldb_req_is_untrusted(req)) {
+ const char *reason = "samldb_add: "
+ "setting userParameters is not supported over LDAP, "
+ "see https://bugzilla.samba.org/show_bug.cgi?id=8077";
+ ldb_debug(ldb, LDB_DEBUG_WARNING, "%s", reason);
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, reason);
+ }
+
ac = samldb_ctx_init(module, req);
if (ac == NULL) {
return ldb_operr(ldb);
@@ -2480,6 +2489,15 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
}
}
+ el = ldb_msg_find_element(req->op.mod.message, "userParameters");
+ if (el != NULL && ldb_req_is_untrusted(req)) {
+ const char *reason = "samldb: "
+ "setting userParameters is not supported over LDAP, "
+ "see https://bugzilla.samba.org/show_bug.cgi?id=8077";
+ ldb_debug(ldb, LDB_DEBUG_WARNING, "%s", reason);
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, reason);
+ }
+
ac = samldb_ctx_init(module, req);
if (ac == NULL) {
return ldb_operr(ldb);
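Review bot: the reason string in this samldb_modify() hunk is prefixed "samldb: " while the otherwise identical check in samldb_add() uses "samldb_add: "; use "samldb_modify: " here, or move the check into one helper shared by both paths so the two copies cannot drift apart. The test is on the presence of the element only, so a modify that deletes userParameters is rejected with a message that says "setting"; either word the message to cover every modification or note in a comment that deletes are deliberately blocked as well.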
diff --git a/source4/dsdb/samdb/ldb_modules/schema_load.c b/source4/dsdb/samdb/ldb_modules/schema_load.c
index d8bc8c7..4538e89 100644
--- a/source4/dsdb/samdb/ldb_modules/schema_load.c
+++ b/source4/dsdb/samdb/ldb_modules/schema_load.c
@@ -213,7 +213,8 @@ static struct dsdb_schema *dsdb_schema_refresh(struct ldb_module *module, struct
schema->metadata_usn = schema_seq_num;
} else {
/* From an old provision it can happen that the tdb didn't exists yet */
- DEBUG(0, ("Error while searching for the schema usn in the metadata\n"));
+ DEBUG(0, ("Error while searching for the schema usn in the metadata ignoring: %d:%s:%s\n",
+ ret, ldb_strerror(ret), ldb_errstring(ldb)));
schema->metadata_usn = 0;
}
schema->last_refresh = ts;
diff --git a/source4/dsdb/schema/schema.h b/source4/dsdb/schema/schema.h
index cac6f98..457d986 100644
--- a/source4/dsdb/schema/schema.h
+++ b/source4/dsdb/schema/schema.h
@@ -74,6 +74,7 @@ struct dsdb_syntax {
const struct dsdb_attribute *attr,
const struct ldb_message_element *in);
bool auto_normalise;
+ bool userParameters; /* Indicates the syntax userParameters should be forced to */
};
struct dsdb_attribute {
diff --git a/source4/dsdb/schema/schema_syntax.c b/source4/dsdb/schema/schema_syntax.c
index c2e0208..c9ff588 100644
--- a/source4/dsdb/schema/schema_syntax.c
+++ b/source4/dsdb/schema/schema_syntax.c
@@ -2395,6 +2395,7 @@ static const struct dsdb_syntax dsdb_syntaxes[] = {
.validate_ldb = dsdb_syntax_DATA_BLOB_validate_ldb,
.equality = "octetStringMatch",
.comment = "Octet String",
+ .userParameters = true
},{
.name = "String(Sid)",
.ldap_oid = LDB_SYNTAX_OCTET_STRING,
@@ -2665,6 +2666,16 @@ const struct dsdb_syntax *dsdb_syntax_for_attribute(const struct dsdb_attribute
unsigned int i;
for (i=0; i < ARRAY_SIZE(dsdb_syntaxes); i++) {
+ /*
+ * We must pretend that userParamters was declared
+ * binary string, so we can store the 'UTF16' (not
+ * really string) structure as given over SAMR to samba
+ */
+ if (dsdb_syntaxes[i].userParameters &&
+ (strcasecmp(attr->lDAPDisplayName, "userParameters") == 0))
+ {
+ return &dsdb_syntaxes[i];
+ }
if (attr->oMSyntax != dsdb_syntaxes[i].oMSyntax) continue;
if (attr->oMObjectClass.length != dsdb_syntaxes[i].oMObjectClass.length) continue;
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index eacbe7d..c0bec43 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -64,8 +64,6 @@
info->field = samdb_result_logon_hours(mem_ctx, msg, attr);
#define QUERY_AFLAGS(msg, field, attr) \
--
Samba Shared Repository