[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Mon Feb 2 23:31:04 MST 2015
The branch, master has been updated
via 7fd2401 s4-samdb/tests: Assert on expected set of attributes for new User object
via 72998ac s4-dsdb/tests: Assert on expected set of attributes for restored objects
via 3c06666 s4-dsdb: Refactor user objects defaults setter to use attribute/value map
via ed60811 dsdb: Do not use _ prefix in tombstone_reanimate module
via 3fdda87 s4-dsdb: common helper to determine "primaryGroupID" attribute value
via b37f7e6 s4-dsdb: Common helper for setting "sAMAccountType" on User objects
via c9b0945 s4-dsdb: Move User object default attribute values in separate helper
via de42cdd s4-tests: Add tombstone_reanimation test case to s4 test suite
via 459a7c7 s4-dsdb/tests: Do not pre-create LoadParm - connect_samdb_env() will handle it
via 2ad50f8 s4-dsdb-test: Use common base method for restoring Deleted objects
via db993c0 s4-dsdb/samldb: Don't allow rename requests on Deleted object
via b4ccfbc s4-dsdb/test: Delete any leftover objects in the beginning of Cross-NC test
via ac29316 s4-dsdb/samldb: Relax a bit restrictions in Config partition while restoring deleted object
via e30be9a s4-dsdb/samdb: Don't relax contraint checking during rename for Deleted objects
via 84b897a s4-dsdb-test/reanimate: Fix whitespaces according to PEP8
via a72e628 s4-dsdb-tests: Move base tests for Tombstone reanimation in tombstone_reanimation module
via 9875044 s4-dsdb-test: Fix duplicated key in a dictionary in sam.py
via add32d8 s4-dsdb/objectclass: remove duplicated declaration for objectclass_do_add
via e80bba7 s4-dsdb-test: remove trailing ';' in ldap.py
via 70c03fa s4-dsdb/reanimate: Group objects reanimation implementation
via d5fc8b0 s4-dsdb/reanimate: Swap rename->modify operations to modify->rename sequence
via 72c5598 s4-dsdb/reanimate: Use 'show deleted' control in modify operations too
via 4c5c7d3 s4-dsdb/samldb: Skip 'sAMAccountType' and 'primaryGroupID' during Tombstone reanimate
via afd4b23 s4-dsdb/samldb: Fix type "omputer" -> "computer"
via 4acd225 s4-dsdb/reanimate: Implement attribute_restore function
via 8e10c10 s4-dsdb-util: Mark attributes with ADD flag in samdb_find_or_add_attribute()
via 4944e73 s4-dsdb-test: Fix Undelete tests after subunit upgrade work
via 647c0ea s4-dsdb-test: Use case insensitive comparison for DNs in undelete test
via ea47868 s4-dsdb-test: Initial implementation for Tombstone restore test suite
via 599187e s4-dsdb-test: Implement samdb_connect_env() to rely solely on environment
via 2aa2e9a s4-dsdb: Some minor fixes in tombstone_reanimate, to make it work with acl
via d633492 s4-dsdb: Implementation of access checks on a undelete operation
via ac8b8e5 s4-dsdb: Tests for security checks on undelete operation
via def9d26 s4-dsdb: Mark request during Tombstone reanimation with custom LDAP control
via 78f8484 s4-dsdb: Implement rename/modify requests as local for the module
via 2eef8e9 s4-dsdb: Add documentation link for Tombstone Reanimation
via e33c549 s4-tests: Print out what the error is in delete_force()
via 039646b s4-dsdb: Define internal dsdb control to mark Tombstone reanimation requests
via 4e44a08 s4-dsdb: Make use dsdb_make_object_category() for objectCategory
via 1154075 s4-dsdb: Make most specific objectCategory for an object
via 5921bb8 s4-dsdb: Initialize module context only we are to handle Tombstone request
via ffdc834 s4-dsdb: Return error codes as windows does for Tombstone reanimation
via f84e198 s4-dsdb-tests: Fix whitespace in deletetest.py
via 1afd50f s4-dsdb-tests: Make unique object names to test with in deletetest
via bb13371 s4-dsdb-tests: Remove unused method get_ldap_connection()
via 7d22479 s4-dsdb-tests: Remove trailing ';' in deletetest.py
via 5aaa336 s4-dsdb: Insert tombstone_reanimate module in ldb modules chain after objectclass
via 886a352 s4-dsdb: Initial implementation for Tombstone reanimation module
via b881da6 s4-dsdb-tests: Some tests for deleted objects undelete operation
from bba753b selftest: fix check for RODC and RID Set allocation
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7fd2401b7d08a0c74f34fb117c81c5b23ddae571
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Jan 25 21:39:17 2015 +0200
s4-samdb/tests: Assert on expected set of attributes for new User object
Change-Id: I225b64ff7492b41852fecb914f464a6c8d504a2c
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Feb 3 07:30:17 CET 2015 on sn-devel-104
commit 72998acc451a8722f19b901a9948774de089921a
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Jan 25 18:16:58 2015 +0200
s4-dsdb/tests: Assert on expected set of attributes for restored objects
Change-Id: I788406d9c3839d108cea508cf2a59488d495f141
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3c066661e826bed16869a6c0d52c4e083ea6bae0
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Wed Jan 28 01:43:10 2015 +0200
s4-dsdb: Refactor user objects defaults setter to use attribute/value map
Change-Id: Iaa32af4225219a4c5c42c663022e8be429b8a1d2
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit ed60811893e1362c0067001113a5bf267ae2c52e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jan 22 17:22:52 2015 +1300
dsdb: Do not use _ prefix in tombstone_reanimate module
This should only be used by the C library.
Andrew Bartlett
Change-Id: I00da64de1443a7c6b21aafae79e126180eb1a3d4
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
commit 3fdda87120abfd296af5efbb79e22095609f62fe
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Jan 18 23:58:13 2015 +0200
s4-dsdb: common helper to determine "primaryGroupID" attribute value
At the moment current implementation does not check if group RID
is existing group RID - this responsibility is left to the caller.
Change-Id: I8c58dd23a7185d63fa2117be0617884eb78d13c1
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit b37f7e619048593e267271f1b30af3f915fc422b
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Mon Jan 12 04:46:38 2015 +0200
s4-dsdb: Common helper for setting "sAMAccountType" on User objects
Change-Id: I4480e7d1ed0c754e960028e0be9a90ee56935e94
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit c9b0945199080b72ad454d49b310be0b66410124
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Mon Jan 12 03:30:17 2015 +0200
s4-dsdb: Move User object default attribute values in separate helper
Change-Id: I1e291bcf0a5c9b2fca11323dc7f8be29f5145d42
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit de42cdd305c68a7389525d245a01205469d3cf9b
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Wed Jan 21 01:03:13 2015 +0200
s4-tests: Add tombstone_reanimation test case to s4 test suite
DC, USERNAME and PASSWORD are passed as environment variables
prefixed with TEST_
Change-Id: I84ff628496bfa3e0538011400328585d080f21b8
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 459a7c7de6eeb536684d801b79e3022fc20bdd4a
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Dec 28 04:23:33 2014 +0200
s4-dsdb/tests: Do not pre-create LoadParm - connect_samdb_env() will handle it
Change-Id: I3483c5aa50de2f7aca19e4d7cc4fa49bbe5f889d
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 2ad50f8842c33fb90570e469dfb54df2bff1195c
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Thu Nov 27 17:49:15 2014 +0100
s4-dsdb-test: Use common base method for restoring Deleted objects
Change-Id: I266b58ced814cf7ea3616862506df5b55f4f1d8c
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit db993c0de4eeb391b68288b5d4909080dac23b26
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Thu Nov 27 06:20:33 2014 +0100
s4-dsdb/samldb: Don't allow rename requests on Deleted object
Windows behavior in case of renaming Deleted object is:
* return ERR_NO_SUCH_OBJECT in case client is not providing
SHOW_DELETED control
* ERR_UNWILLING_TO_PERFORM otherwise
Renaming of Deleted objects is allowed only through special
Tombstone reanimation modify request
Change-Id: I1eb33fc294a5de44917f6037988ea6362e6e21fc
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit b4ccfbc214a52b2d8d3747614e445bccfac9a63b
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Thu Nov 27 05:20:22 2014 +0100
s4-dsdb/test: Delete any leftover objects in the beginning of Cross-NC test
This way we ensure that samdb is clean before we make the test
Change-Id: I3c6fc94763807394e52b6df41548e9aba8b452c1
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit ac2931628cb79543b8ed96b4522bff8958541bd5
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Thu Nov 27 05:15:58 2014 +0100
s4-dsdb/samldb: Relax a bit restrictions in Config partition while restoring deleted object
Change-Id: Iead460d24058b160b46cf3ddedaf4d84b844da4d
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit e30be9a948241c7c42a7d0f8f4610489910987da
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Wed Nov 26 21:53:53 2014 +0100
s4-dsdb/samdb: Don't relax contraint checking during rename for Deleted objects
Now we have a module to handle Tombstone reanimation
and it is better we do all the check here as usual
Change-Id: Ia5d28d64e99f7a961cfe8b9aa7cc96e4ca56192e
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 84b897aec40af3c33b0d1dac16060ddc4a8dbee0
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Wed Nov 26 06:59:09 2014 +0100
s4-dsdb-test/reanimate: Fix whitespaces according to PEP8
Change-Id: I7b46992c80178d40a0531b5afd71a7783068a9dd
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit a72e6287e5bc7cc48f8d8ea13333271fe8e28494
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Wed Nov 26 06:23:51 2014 +0100
s4-dsdb-tests: Move base tests for Tombstone reanimation in tombstone_reanimation module
So we have them all in one place.
While moving, I have:
* inherited from the base class for Tombstone reanimations
* replace self.ldb with self.samdb
Change-Id: Id3e4f02cc2e0877d736da812c14c91e2311203d2
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 98750442a396368df262218d343c439afdda01e2
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Fri Nov 21 19:31:25 2014 +0100
s4-dsdb-test: Fix duplicated key in a dictionary in sam.py
Change-Id: Ie33d92bd308262d9bfda553d6d5e2cfd98f6d7b3
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit add32d85750700aa6e4766a3a3067d7f3a6a02a2
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Nov 16 03:35:01 2014 +0100
s4-dsdb/objectclass: remove duplicated declaration for objectclass_do_add
Change-Id: Ib88a45cea64fb661a41ca3b4a3df9dabf509fc6c
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit e80bba721fcff03ec8f2740c82ab5d88b473aae1
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Nov 16 03:34:22 2014 +0100
s4-dsdb-test: remove trailing ';' in ldap.py
Change-Id: I5edc6e017b576791c1575f71a625c49ccc88fe8f
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 70c03fa7a86be3653e936e259c7850bcd522d22a
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Thu Nov 13 04:11:08 2014 +0100
s4-dsdb/reanimate: Group objects reanimation implementation
Change-Id: Iea92924ff6b33fa3723b104d5dfff1ce5a7a09b0
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit d5fc8b080fe47bf6f93de136788d56d51c526cb4
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Fri Nov 7 07:11:59 2014 +0100
s4-dsdb/reanimate: Swap rename->modify operations to modify->rename sequence
This way it is more visible that we work on 'deleted object' during modify
and also will help us to handle 'stop rename for deleted objects'
properly in future
[MS-ADTS]: 3.1.1.5.3.7.3 Undelete Processing Specifics
Change-Id: I9bb644e099a4a2afcb261ad22515c9c4ce4875bb
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 72c55980e3adf1f47cf973c8c1a3f87e98121276
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Fri Nov 7 07:08:29 2014 +0100
s4-dsdb/reanimate: Use 'show deleted' control in modify operations too
Before committing changes, object is still deleted - isDeleted = true
Change-Id: Ie1ab53dc594d1bfaf5b9e06316e7a1fc0dd4b8cb
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 4c5c7d3c1c09835729404c13961572a9cb4be16c
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Fri Nov 7 07:07:07 2014 +0100
s4-dsdb/samldb: Skip 'sAMAccountType' and 'primaryGroupID' during Tombstone reanimate
tombstone_reanimate.c module is going to restore those attributes
and it needs a way to propagate them to DB
Change-Id: I36f30b33fa204fd28329eab01044a125f7a3f08e
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit afd4b23dc938cf5c9f1f0b7e1c642852fbe68ef6
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Fri Nov 7 07:05:56 2014 +0100
s4-dsdb/samldb: Fix type "omputer" -> "computer"
Change-Id: Ic56c6945528b7f60becc4f0b318429f4c22c3d2e
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 4acd22508d0b066eee67b778153d82ba4f90be6e
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Fri Nov 7 07:04:30 2014 +0100
s4-dsdb/reanimate: Implement attribute_restore function
At the moment it works for objects with objectClass user + a common
case of removing isRecycled attribute
Change-Id: I70b0ef0ef65c13d3def82ca53ace52a85a078a37
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 8e10c10bd6e601df47a2815c638482e486646f59
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Fri Nov 7 07:02:51 2014 +0100
s4-dsdb-util: Mark attributes with ADD flag in samdb_find_or_add_attribute()
At the moment no flags are set and it works fine, since this function
is solely used in samldb during ADD requests handling.
Pre-setting a flag makes it useful for other modules and request
handlers too
Change-Id: I7e43dcbe2a8f34e3b0ec16ae2db80ef436df8bfe
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 4944e73d537199208e9895e818ff3233223da5d7
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Thu Nov 6 04:10:42 2014 +0100
s4-dsdb-test: Fix Undelete tests after subunit upgrade work
Change-Id: I4712a2a2163a57fde037511afcc1cb7bee05f12e
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 647c0ea0177703563c485efd67da6a8bebbea418
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Thu Nov 6 03:01:54 2014 +0100
s4-dsdb-test: Use case insensitive comparison for DNs in undelete test
Change-Id: I4a009bb7ed58ab857ac74a235bb5f580911f0d92
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit ea4786875d90d1865c9e45324319865f513d02aa
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Wed Jan 21 00:58:56 2015 +0200
s4-dsdb-test: Initial implementation for Tombstone restore test suite
Change-Id: Ib35ff930b6e7cee14317328b6fe25b59eec5262c
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 599187ead61340d8d3bd3e9db7eab034175bfd7b
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Wed Nov 5 06:26:25 2014 +0100
s4-dsdb-test: Implement samdb_connect_env() to rely solely on environment
this is to help me port Python tests to be more Unit test alike
and remove all global handling
Starting from a new test suite - tombstone_reanimation.py
Andrew Bartlett raised his concerns that passing parameters
through environment may make tests hard to trace for
failures. However, passing parameters on command line
is not Unit test alike either. After discussing this with him
offline, we agreed to continue this approach, but prefix
environment variables with "TEST_". So that an env var
should not be used by coincidence.
Change-Id: I29445c42cdcafede3897c8dd1f1529222a74afc9
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 2aa2e9afa2fa77480abe43ce51f818c5885c08ff
Author: Nadezhda Ivanova <nivanova at symas.com>
Date: Tue Nov 4 20:24:11 2014 +0200
s4-dsdb: Some minor fixes in tombstone_reanimate, to make it work with acl
Change-Id: Idad221c7ecf778fd24f6017bb4c6eacac541086a
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit d6334925ab6687bff464fd1a4d4d792a8d37c3a4
Author: Nadezhda Ivanova <nivanova at symas.com>
Date: Tue Nov 4 20:21:57 2014 +0200
s4-dsdb: Implementation of access checks on a undelete operation
Special Reanimate-Tombstone access right is required, as well as most of
the checks on a standard rename.
Change-Id: Idae5101a5df4cd0d54fe4ab2f7e5ad7fc1c23648
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit ac8b8e5539b79407292a5ef19bdd2aaf86b92884
Author: Nadezhda Ivanova <nivanova at symas.com>
Date: Tue Nov 4 20:08:58 2014 +0200
s4-dsdb: Tests for security checks on undelete operation
Implemented according to MS-ADTS 3.1.1.5.3.7.1. Unfortunately it appears
LC is also necessary, and it is not granted by default to anyone but
System and Administrator, so tests had to be done negatively
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Change-Id: Ic03b8fc4e222e7842ec8a9645a1bb33e7df9c438
commit def9d268681625c2431e53d842f22a01af72c95c
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Tue Nov 4 04:17:35 2014 +0100
s4-dsdb: Mark request during Tombstone reanimation with custom LDAP control
We are going to need this so that underlying modules (acl.c)
can treat those requests properly
Change-Id: I6c12069aa6e7e01197dddda6c610d930d3fd9cb0
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 78f848419d80fe3184abfc6c06e13934d4d5a97c
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Tue Nov 4 04:10:16 2014 +0100
s4-dsdb: Implement rename/modify requests as local for the module
The aim is for us to be able to fine tune the implementation
and also add custom LDAP controls to mark all requests as
being part of Reanimation procedure
Change-Id: I9f1c04cd21bf032146eb2626d6495711fcadf10c
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 2eef8e95a1d781456f6c5d6a49e21f88c113dc03
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Mon Nov 3 04:58:20 2014 +0100
s4-dsdb: Add documentation link for Tombstone Reanimation
Change-Id: Ib779c8b0839889371f25ad5751c9cda1a510eb54
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit e33c54914306ae0fc726d8e066456346aac6ca6c
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Nov 2 17:11:20 2014 +0100
s4-tests: Print out what the error is in delete_force()
Change-Id: Iaa631179dc79fa756416be8eaf8c55e3b0c1a29f
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 039646b3cb9a5ff244a4fd8928b0edcffaf6255b
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Tue Oct 28 15:03:59 2014 +0100
s4-dsdb: Define internal dsdb control to mark Tombstone reanimation requests
Tombstone reanimation requires some special handling which is going
to affect several modules. Most notably:
- a bit different access checks in acl.c
- restore certain attributes during modify requests in samldb.c
Control added also to schema_samba4.ldif by Andrew Bartlett
hence the "pair programmed with" tag.
Change-Id: Ief4f7dabbbdc2570924fae48c30ac9c531a701f4
Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 4e44a0883e1ac5db84e9318b539322f10e35cf59
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Tue Oct 28 06:11:31 2014 +0100
s4-dsdb: Make use dsdb_make_object_category() for objectCategory
Change-Id: If65c54a653ad7078ca7a535b5c247db2746b5be7
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 1154075220da592e160ab357f2669eb4e1266217
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Tue Oct 28 06:10:56 2014 +0100
s4-dsdb: Make most specific objectCategory for an object
This is lightweight implementation and should be used on objects
with already verified objectClass attribute value - eg. valid classes,
sorted properly, etc.
Checkout objectclass.c module for heavy weight implementation.
Change-Id: Ifa7880d26246f67e2f982496fcc6c77e6648d56f
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 5921bb84ab54123d68691e63154f22ed124f6be4
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Mon Oct 27 05:31:54 2014 +0100
s4-dsdb: Initialize module context only we are to handle Tombstone request
Change-Id: I73bd2043e96907e3d1a669bdbd943ddee1df8c0a
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit ffdc834bd1433aa100ba57ae9e47fa09e591b8f7
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Oct 26 04:31:41 2014 +0100
s4-dsdb: Return error codes as windows does for Tombstone reanimation
Tested against Windows Server 2008 R2
In case we try to restore to already existing object, windows
returns: LDB_ERR_ENTRY_ALREADY_EXISTS
Otherwise it is: LDB_ERR_OPERATIONS_ERROR
Change-Id: I6b5fea1e327416ccf5069d97a4a378a527a25f80
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit f84e1989b452738f8cb5c1930e50bd13499c9de6
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Oct 26 04:29:49 2014 +0100
s4-dsdb-tests: Fix whitespace in deletetest.py
Change-Id: Ic2924b0aa9cffd29fe0c857317ccb65ba53a1c21
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 1afd50fed016841bd4ffedba3674447d08184fa6
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Oct 26 04:29:16 2014 +0100
s4-dsdb-tests: Make unique object names to test with in deletetest
This way we can re-run the test again and again
Change-Id: I29bd878b77073d94a279c38bd0afc2f0befa6f9d
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit bb1337170c1059a8dce02d9c3d8f3bad647890dd
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Oct 26 03:43:29 2014 +0100
s4-dsdb-tests: Remove unused method get_ldap_connection()
Change-Id: Ie50f77dbba724dbd3c2822de5c2cfff41016fac6
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 7d2247939cf0c4026480f35301eab648681948ac
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sun Oct 26 03:42:45 2014 +0100
s4-dsdb-tests: Remove trailing ';' in deletetest.py
Change-Id: Ic1ad6bbda55be56cbf7ae78a8ad988b8e479a40c
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 5aaa33694aa12ba61f608db55950d38d5a50a36c
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Thu Oct 23 08:15:23 2014 +0200
s4-dsdb: Insert tombstone_reanimate module in ldb modules chain after objectclass
Change-Id: Id9748f36f0aefe40b1894ecd2e5071e3b9c8a6d6
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 886a352bf70b7ad3cdaceea90703c4f912397b8d
Author: Kamen Mazdrashki <kamenim at samba.org>
Date: Sat Dec 27 21:14:25 2014 +0200
s4-dsdb: Initial implementation for Tombstone reanimation module
At the moment it works for basic scenario:
- add user
- delete user
- restore deleted user
TODO:
- security checks
- flags verification
- cross-NC checks
- asynchronous implementation (may not be needed, but anyway)
Change-Id: If396a6dfc766c224acfeb7e93ca75703e08c26e6
Signed-off-by: Kamen Mazdrashki <kamenim at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit b881da6584333e63737baaa8f90b518f0e0f639d
Author: Nadezhda Ivanova <nivanova at symas.com>
Date: Tue Oct 21 16:35:30 2014 +0300
s4-dsdb-tests: Some tests for deleted objects undelete operation
Based on MS-ADTS 3.1.1.5.3.7.2
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Change-Id: I650b315601fce574f9302435f812d1dd4b177e68
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/security.idl | 1 +
python/samba/sd_utils.py | 8 +-
python/samba/tests/__init__.py | 25 +-
source4/dsdb/common/util.c | 139 +++++-
source4/dsdb/samdb/ldb_modules/acl.c | 97 +++-
source4/dsdb/samdb/ldb_modules/objectclass.c | 2 -
source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 1 +
source4/dsdb/samdb/ldb_modules/samldb.c | 105 ++--
.../dsdb/samdb/ldb_modules/tombstone_reanimate.c | 430 ++++++++++++++++
source4/dsdb/samdb/ldb_modules/util.c | 67 +++
.../dsdb/samdb/ldb_modules/wscript_build_server | 11 +-
source4/dsdb/samdb/samdb.h | 8 +
source4/dsdb/tests/python/acl.py | 132 ++++-
source4/dsdb/tests/python/deletetest.py | 45 +-
source4/dsdb/tests/python/ldap.py | 64 +--
source4/dsdb/tests/python/sam.py | 64 ++-
source4/dsdb/tests/python/tombstone_reanimation.py | 548 +++++++++++++++++++++
source4/selftest/tests.py | 5 +
source4/setup/schema_samba4.ldif | 1 +
19 files changed, 1614 insertions(+), 139 deletions(-)
create mode 100644 source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c
create mode 100644 source4/dsdb/tests/python/tombstone_reanimation.py
Changeset truncated at 500 lines:
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 78c13c9..1f5390a 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -688,6 +688,7 @@ interface security
const string GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD
= "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5";
const string GUID_DRS_DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2";
+ const string GUID_DRS_REANIMATE_TOMBSTONE = "45ec5156-db7e-47bb-b53f-dbeb2d03c40f";
/***************************************************************/
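Review bot: The added GUID_DRS_REANIMATE_TOMBSTONE constant has no comment saying which right it identifies. A one-line comment naming the Reanimate-Tombstone access right that the undelete access checks in this series require would help readers of security.idl, since the neighbouring constants give no hint about where each GUID is consumed.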
diff --git a/python/samba/sd_utils.py b/python/samba/sd_utils.py
index ded9bfc..7592a29 100644
--- a/python/samba/sd_utils.py
+++ b/python/samba/sd_utils.py
@@ -62,7 +62,7 @@ class SDUtils(object):
def dacl_add_ace(self, object_dn, ace):
"""Add an ACE to an objects security descriptor
"""
- desc = self.read_sd_on_dn(object_dn)
+ desc = self.read_sd_on_dn(object_dn,["show_deleted:1"])
desc_sddl = desc.as_sddl(self.domain_sid)
if ace in desc_sddl:
return
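Review bot: In dacl_add_ace the call read_sd_on_dn(object_dn,["show_deleted:1"]) now sends the show_deleted control for every caller, so a helper that used to fail on a deleted object will now read its security descriptor without the caller asking for that. Consider giving dacl_add_ace an optional controls argument and letting the tombstone tests pass show_deleted:1 explicitly. There is also a missing space after the comma in the argument list.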
@@ -71,10 +71,10 @@ class SDUtils(object):
desc_sddl[desc_sddl.index("("):])
else:
desc_sddl = desc_sddl + ace
- self.modify_sd_on_dn(object_dn, desc_sddl)
+ self.modify_sd_on_dn(object_dn, desc_sddl, ["show_deleted:1"])
- def get_sd_as_sddl(self, object_dn, controls=None):
+ def get_sd_as_sddl(self, object_dn, controls=[]):
"""Return object nTSecutiryDescriptor in SDDL format
"""
- desc = self.read_sd_on_dn(object_dn, controls=controls)
+ desc = self.read_sd_on_dn(object_dn, controls + ["show_deleted:1"])
return desc.as_sddl(self.domain_sid)
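Review bot: get_sd_as_sddl changes its default from controls=None to controls=[] and then evaluates controls + ["show_deleted:1"], so a caller that still passes controls=None explicitly now fails with a TypeError, and a caller that already passes show_deleted:1 sends the control twice. Keeping controls=None, building the list inside the function and appending show_deleted:1 only when it is absent avoids both problems and the mutable default argument. In the same hunk modify_sd_on_dn in dacl_add_ace always sends show_deleted:1; making that opt-in would keep ACL edits on deleted objects an explicit choice by the caller.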
diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py
index bda4adf..5b45865 100644
--- a/python/samba/tests/__init__.py
+++ b/python/samba/tests/__init__.py
@@ -23,6 +23,7 @@ import samba
import samba.auth
from samba import param
from samba.samdb import SamDB
+from samba import credentials
import subprocess
import tempfile
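Review bot: The new module-level import "from samba import credentials" shares its name with the credentials=None parameter of connect_samdb_ex visible in the next hunk header, so inside any function with that parameter the name refers to the argument and not the module. Importing the class directly (from samba.credentials import Credentials) or under an alias removes the shadowing and makes the later credentials.Credentials() call unambiguous.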
@@ -234,8 +235,28 @@ def connect_samdb_ex(samdb_url, lp=None, session_info=None, credentials=None,
return (sam_db, res[0])
+def connect_samdb_env(env_url, env_username, env_password, lp=None):
+ """Connect to SamDB by getting URL and Credentials from environment
+
+ :param env_url: Environment variable name to get lsb url from
+ :param env_username: Username environment variable
+ :param env_password: Password environment variable
+ :return: sam_db_connection
+ """
+ samdb_url = env_get_var_value(env_url)
+ creds = credentials.Credentials()
+ if lp is None:
+ # guess Credentials parameters here. Otherwise workstation
+ # and domain fields are NULL and gencache code segfalts
+ lp = param.LoadParm()
+ creds.guess(lp)
+ creds.set_username(env_get_var_value(env_username))
+ creds.set_password(env_get_var_value(env_password))
+ return connect_samdb(samdb_url, credentials=creds, lp=lp)
+
+
def delete_force(samdb, dn):
try:
samdb.delete(dn)
- except ldb.LdbError, (num, _):
- assert(num == ldb.ERR_NO_SUCH_OBJECT)
+ except ldb.LdbError, (num, errstr):
+ assert num == ldb.ERR_NO_SUCH_OBJECT, "ldb.delete() failed: %s" % errstr
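Review bot: delete_force() still uses `assert` as its error handling, so when Python runs with -O the check is stripped and any LdbError other than ERR_NO_SUCH_OBJECT is silently swallowed. An explicit `if num != ldb.ERR_NO_SUCH_OBJECT: raise` keeps the failure visible in every mode. In the connect_samdb_env() docstring and comment, "lsb url" and "segfalts" look like typos for "ldb url" and "segfaults".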
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 504afd8..7b948f2 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -774,6 +774,7 @@ struct ldb_message_element *samdb_find_attribute(struct ldb_context *ldb,
int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value)
{
+ int ret;
struct ldb_message_element *el;
el = ldb_msg_find_element(msg, name);
@@ -781,7 +782,12 @@ int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message *msg
return LDB_SUCCESS;
}
- return ldb_msg_add_string(msg, name, set_value);
+ ret = ldb_msg_add_string(msg, name, set_value);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ msg->elements[msg->num_elements - 1].flags = LDB_FLAG_MOD_ADD;
+ return LDB_SUCCESS;
}
/*
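Review bot: `msg->elements[msg->num_elements - 1].flags = LDB_FLAG_MOD_ADD;` relies on ldb_msg_add_string() having appended a new element as the last entry, and it changes what every existing caller of samdb_find_or_add_attribute() receives. Please document both points in the function's comment (the element is now flagged LDB_FLAG_MOD_ADD when it was added here, and left untouched when it already existed), so that callers building modify messages know which flag to expect.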
@@ -4838,3 +4844,134 @@ NTSTATUS dsdb_update_bad_pwd_count(TALLOC_CTX *mem_ctx,
*_mod_msg = mod_msg;
return NT_STATUS_OK;
}
+
+/**
+ * Sets defaults for a User object
+ * List of default attributes set:
+ * accountExpires, badPasswordTime, badPwdCount,
+ * codePage, countryCode, lastLogoff, lastLogon
+ * logonCount, pwdLastSet
+ */
+int dsdb_user_obj_set_defaults(struct ldb_context *ldb, struct ldb_message *usr_obj)
+{
+ int i, ret;
+ const struct attribute_values {
+ const char *name;
+ const char *value;
+ } map[] = {
+ {
+ .name = "accountExpires",
+ .value = "9223372036854775807"
+ },
+ {
+ .name = "badPasswordTime",
+ .value = "0"
+ },
+ {
+ .name = "badPwdCount",
+ .value = "0"
+ },
+ {
+ .name = "codePage",
+ .value = "0"
+ },
+ {
+ .name = "countryCode",
+ .value = "0"
+ },
+ {
+ .name = "lastLogoff",
+ .value = "0"
+ },
+ {
+ .name = "lastLogon",
+ .value = "0"
+ },
+ {
+ .name = "logonCount",
+ .value = "0"
+ },
+ {
+ .name = "pwdLastSet",
+ .value = "0"
+ }
+ };
+
+ for (i = 0; i < ARRAY_SIZE(map); i++) {
+ ret = samdb_find_or_add_attribute(ldb, usr_obj,
+ map[i].name, map[i].value);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+ return LDB_SUCCESS;
+}
+
+/**
+ * Sets 'sAMAccountType on user object based on userAccountControl
+ * @param ldb Current ldb_context
+ * @param usr_obj ldb_message representing User object
+ * @param user_account_control Value for userAccountControl flags
+ * @param account_type_p Optional pointer to account_type to return
+ * @return LDB_SUCCESS or LDB_ERR* code on failure
+ */
+int dsdb_user_obj_set_account_type(struct ldb_context *ldb, struct ldb_message *usr_obj,
+ uint32_t user_account_control, uint32_t *account_type_p)
+{
+ int ret;
+ uint32_t account_type;
+ struct ldb_message_element *el;
+
+ account_type = ds_uf2atype(user_account_control);
+ if (account_type == 0) {
+ ldb_set_errstring(ldb, "dsdb: Unrecognized account type!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ ret = samdb_msg_add_uint(ldb, usr_obj, usr_obj,
+ "sAMAccountType",
+ account_type);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ el = ldb_msg_find_element(usr_obj, "sAMAccountType");
+ el->flags = LDB_FLAG_MOD_REPLACE;
+
+ if (account_type_p) {
+ *account_type_p = account_type;
+ }
+
+ return LDB_SUCCESS;
+}
+
+/**
+ * Determine and set primaryGroupID based on userAccountControl value
+ * @param ldb Current ldb_context
+ * @param usr_obj ldb_message representing User object
+ * @param user_account_control Value for userAccountControl flags
+ * @param group_rid_p Optional pointer to group RID to return
+ * @return LDB_SUCCESS or LDB_ERR* code on failure
+ */
+int dsdb_user_obj_set_primary_group_id(struct ldb_context *ldb, struct ldb_message *usr_obj,
+ uint32_t user_account_control, uint32_t *group_rid_p)
+{
+ int ret;
+ uint32_t rid;
+ struct ldb_message_element *el;
+
+ rid = ds_uf2prim_group_rid(user_account_control);
+
+ ret = samdb_msg_add_uint(ldb, usr_obj, usr_obj,
+ "primaryGroupID", rid);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ el = ldb_msg_find_element(usr_obj, "primaryGroupID");
+ el->flags = LDB_FLAG_MOD_REPLACE;
+
+ if (group_rid_p) {
+ *group_rid_p = rid;
+ }
+
+ return LDB_SUCCESS;
+}
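Review bot: in both dsdb_user_obj_set_account_type() and dsdb_user_obj_set_primary_group_id() the result of ldb_msg_find_element() is dereferenced at `el->flags = LDB_FLAG_MOD_REPLACE;` with no NULL check. Now that these are shared helpers rather than inline code, a defensive check that returns an operations error would be cheap. Two smaller points: in dsdb_user_obj_set_defaults() `int i` is compared against ARRAY_SIZE(map), which is unsigned, so `size_t i` or `unsigned int i` avoids a signed/unsigned comparison warning; and that function's doc comment has no @param/@return lines, unlike the two helpers that follow, while the next comment has an unbalanced quote in `'sAMAccountType`.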
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index e75fb2a..78e6461 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -1028,6 +1028,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
struct security_descriptor *sd;
struct dom_sid *sid = NULL;
struct ldb_control *as_system;
+ struct ldb_control *is_undelete;
bool userPassword;
TALLOC_CTX *tmp_ctx;
const struct ldb_message *msg = req->op.mod.message;
@@ -1047,6 +1048,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
as_system->critical = 0;
}
+ is_undelete = ldb_request_get_control(req, DSDB_CONTROL_RESTORE_TOMBSTONE_OID);
+
/* Don't print this debug statement if elements[0].name is going to be NULL */
if (msg->num_elements > 0) {
DEBUG(10, ("ldb:acl_modify: %s\n", msg->elements[0].name));
@@ -1193,6 +1196,14 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
if (ret != LDB_SUCCESS) {
goto fail;
}
+ } else if (is_undelete != NULL && (ldb_attr_cmp("isDeleted", el->name) == 0)) {
+ /*
+ * in case of undelete op permissions on
+ * isDeleted are irrelevant and
+ * distinguishedName is removed by the
+ * tombstone_reanimate module
+ */
+ continue;
} else {
ret = acl_check_access_on_attribute(module,
tmp_ctx,
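Review bot: the new `else if (is_undelete != NULL && ...)` branch in acl_modify() skips the access check on isDeleted purely because the restore-tombstone control is present on the request, and nothing in this function verifies the Reanimate-Tombstones right; that check is only added in acl_rename(). Please either confirm in the comment that DSDB_CONTROL_RESTORE_TOMBSTONE_OID can only be attached internally by the tombstone_reanimate module and never by a client, or call acl_check_reanimate_tombstone() on the modify path as well, since the modify is what actually clears isDeleted. The comment also mentions distinguishedName, but the condition only tests "isDeleted", so one of the two should be adjusted.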
@@ -1346,6 +1357,42 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
+static int acl_check_reanimate_tombstone(TALLOC_CTX *mem_ctx,
+ struct ldb_module *module,
+ struct ldb_request *req,
+ struct ldb_dn *nc_root)
+{
+ int ret;
+ struct ldb_result *acl_res;
+ struct security_descriptor *sd = NULL;
+ struct dom_sid *sid = NULL;
+ static const char *acl_attrs[] = {
+ "nTSecurityDescriptor",
+ "objectClass",
+ "objectSid",
+ NULL
+ };
+
+ ret = dsdb_module_search_dn(module, mem_ctx, &acl_res,
+ nc_root, acl_attrs,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_SEARCH_SHOW_RECYCLED, req);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(10,("acl: failed to find object %s\n",
+ ldb_dn_get_linearized(nc_root)));
+ return ret;
+ }
+
+ ret = dsdb_get_sd_from_ldb_message(mem_ctx, req, acl_res->msgs[0], &sd);
+ sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");
+ if (ret != LDB_SUCCESS || !sd) {
+ return ldb_operr(ldb_module_get_ctx(module));
+ }
+ return acl_check_extended_right(mem_ctx, sd, acl_user_token(module),
+ GUID_DRS_REANIMATE_TOMBSTONE,
+ SEC_ADS_CONTROL_ACCESS, sid);
+}
static int acl_rename(struct ldb_module *module, struct ldb_request *req)
{
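Review bot: in acl_check_reanimate_tombstone() the objectSid is read with samdb_result_dom_sid() before the return value of dsdb_get_sd_from_ldb_message() is tested; moving the `if (ret != LDB_SUCCESS || !sd)` check directly after the call keeps the error path from doing extra work and reads more clearly. The search failure is only logged at DEBUG(10) and no ldb error string is set, so a denied or failed undelete gives the client nothing to go on. There is also no blank line between the closing brace of this function and acl_rename().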
@@ -1361,6 +1408,7 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
struct ldb_result *acl_res;
struct ldb_dn *nc_root;
struct ldb_control *as_system;
+ struct ldb_control *is_undelete;
TALLOC_CTX *tmp_ctx;
const char *rdn_name;
static const char *acl_attrs[] = {
@@ -1413,6 +1461,17 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
return ldb_module_done(req, NULL, NULL,
LDB_ERR_UNWILLING_TO_PERFORM);
}
+
+ /* special check for undelete operation */
+ is_undelete = ldb_request_get_control(req, DSDB_CONTROL_RESTORE_TOMBSTONE_OID);
+ if (is_undelete != NULL) {
+ is_undelete->critical = 0;
+ ret = acl_check_reanimate_tombstone(tmp_ctx, module, req, nc_root);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+ }
talloc_free(nc_root);
/* Look for the parent */
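Review bot: when acl_check_reanimate_tombstone() fails in acl_rename(), the code returns `ret` directly without setting an error string, while the denial path later in this function reports "acl:access_denied renaming %s" and finishes through ldb_module_done(). Using the same pattern here would make a refused undelete diagnosable. Also, `is_undelete->critical = 0;` is cleared before the right has been verified; doing it after the check succeeds keeps the control marked critical on the failure path.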
@@ -1526,25 +1585,27 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
}
/* do we have delete object on the object? */
- ret = acl_check_access_on_objectclass(module, tmp_ctx, sd, sid,
- SEC_STD_DELETE,
- objectclass);
- if (ret == LDB_SUCCESS) {
- talloc_free(tmp_ctx);
- return ldb_next_request(module, req);
- }
- /* what about delete child on the current parent */
- ret = dsdb_module_check_access_on_dn(module, req, oldparent,
- SEC_ADS_DELETE_CHILD,
- &objectclass->schemaIDGUID,
- req);
- if (ret != LDB_SUCCESS) {
- ldb_asprintf_errstring(ldb_module_get_ctx(module),
- "acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn));
- talloc_free(tmp_ctx);
- return ldb_module_done(req, NULL, NULL, ret);
+ /* this access is not necessary for undelete ops */
+ if (is_undelete == NULL) {
+ ret = acl_check_access_on_objectclass(module, tmp_ctx, sd, sid,
+ SEC_STD_DELETE,
+ objectclass);
+ if (ret == LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ldb_next_request(module, req);
+ }
+ /* what about delete child on the current parent */
+ ret = dsdb_module_check_access_on_dn(module, req, oldparent,
+ SEC_ADS_DELETE_CHILD,
+ &objectclass->schemaIDGUID,
+ req);
+ if (ret != LDB_SUCCESS) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn));
+ talloc_free(tmp_ctx);
+ return ldb_module_done(req, NULL, NULL, ret);
+ }
}
-
talloc_free(tmp_ctx);
return ldb_next_request(module, req);
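Review bot: the comment `/* this access is not necessary for undelete ops */` does not say why both the SEC_STD_DELETE check on the object and the SEC_ADS_DELETE_CHILD check on the old parent can be skipped. Since this removes two access checks from the rename path, please spell out that the Reanimate-Tombstones extended right checked earlier in acl_rename() stands in for them. The blank line that separated this block from `talloc_free(tmp_ctx);` was also dropped and would be worth restoring.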
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 8c361e9..bceeda9 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -246,8 +246,6 @@ static int fix_dn(struct ldb_context *ldb,
}
-static int objectclass_do_add(struct oc_context *ac);
-
static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_context *ldb;
diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
index 26c583e..75553ad 100644
--- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
+++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
@@ -273,6 +273,7 @@ static int samba_dsdb_init(struct ldb_module *module)
NULL };
/* extended_dn_in or extended_dn_in_openldap goes here */
static const char *modules_list1a[] = {"objectclass",
+ "tombstone_reanimate",
"descriptor",
"acl",
"aclread",
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index ade7c9a..664ace0 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -999,32 +999,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
bool uac_generated = false, uac_add_flags = false;
/* Step 1.2: Default values */
- ret = samdb_find_or_add_attribute(ldb, ac->msg,
- "accountExpires", "9223372036854775807");
- if (ret != LDB_SUCCESS) return ret;
- ret = samdb_find_or_add_attribute(ldb, ac->msg,
- "badPasswordTime", "0");
- if (ret != LDB_SUCCESS) return ret;
- ret = samdb_find_or_add_attribute(ldb, ac->msg,
- "badPwdCount", "0");
- if (ret != LDB_SUCCESS) return ret;
- ret = samdb_find_or_add_attribute(ldb, ac->msg,
- "codePage", "0");
- if (ret != LDB_SUCCESS) return ret;
- ret = samdb_find_or_add_attribute(ldb, ac->msg,
- "countryCode", "0");
- if (ret != LDB_SUCCESS) return ret;
- ret = samdb_find_or_add_attribute(ldb, ac->msg,
- "lastLogoff", "0");
- if (ret != LDB_SUCCESS) return ret;
- ret = samdb_find_or_add_attribute(ldb, ac->msg,
- "lastLogon", "0");
- if (ret != LDB_SUCCESS) return ret;
- ret = samdb_find_or_add_attribute(ldb, ac->msg,
- "logonCount", "0");
- if (ret != LDB_SUCCESS) return ret;
- ret = samdb_find_or_add_attribute(ldb, ac->msg,
- "pwdLastSet", "0");
+ ret = dsdb_user_obj_set_defaults(ldb, ac->msg);
if (ret != LDB_SUCCESS) return ret;
/* On add operations we might need to generate a
@@ -1043,7 +1018,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
el = ldb_msg_find_element(ac->msg, "userAccountControl");
if (el != NULL) {
- uint32_t user_account_control, account_type;
+ uint32_t user_account_control;
/* Step 1.3: "userAccountControl" -> "sAMAccountType" mapping */
user_account_control = ldb_msg_find_attr_as_uint(ac->msg,
"userAccountControl",
@@ -1086,19 +1061,11 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
return LDB_ERR_OBJECT_CLASS_VIOLATION;
}
- account_type = ds_uf2atype(user_account_control);
- if (account_type == 0) {
- ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
- ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
- "sAMAccountType",
- account_type);
+ /* add "sAMAccountType" attribute */
+ ret = dsdb_user_obj_set_account_type(ldb, ac->msg, user_account_control, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
- el2 = ldb_msg_find_element(ac->msg, "sAMAccountType");
- el2->flags = LDB_FLAG_MOD_REPLACE;
/* "isCriticalSystemObject" might be set */
if (user_account_control &
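Review bot: with the `el2 = ldb_msg_find_element(ac->msg, "sAMAccountType");` lines removed, please check whether `el2` is still used elsewhere in samldb_objectclass_trigger() and drop the declaration if not, to avoid an unused-variable warning. Note also that the error string for an unrecognised account type changes from the "samldb:" prefix to "dsdb:" through the new helper, which matters to anything matching on that message.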
@@ -1124,8 +1091,12 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
/* Step 1.4: "userAccountControl" -> "primaryGroupID" mapping */
if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) {
- uint32_t rid = ds_uf2prim_group_rid(user_account_control);
+ uint32_t rid;
+ ret = dsdb_user_obj_set_primary_group_id(ldb, ac->msg, user_account_control, &rid);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
/*
--
Samba Shared Repository