[SCM] Samba Shared Repository - branch v4-2-test updated

Stefan Metzmacher metze at samba.org
Fri Jan 23 03:05:08 MST 2015


The branch, v4-2-test has been updated
       via  837c146 s3: auth - tests: Add test for "force user" being a unix-only user, not in passdb.
       via  c789398 s3: auth: Add previously missing allocation fail check.
       via  a9e58a2 s3: auth: Plumb in the SamInfo3_handle_sids() utility function into passwd_to_SamInfo3().
       via  d8b2eee s3: auth: Convert samu_to_SamInfo3() to use the new utility function.
       via  31b2dad s3: auth: Add a utility function - SamInfo3_handle_sids() that factors out the code to handle "Unix Users" and "Unix Groups".
       via  a52c6cb nsswitch: fix soname of linux nss_*.so.2 modules
       via  5de1063 selftest: use shared/libnss_wrapper_winbind.so.2
       via  e9d45f6 wafsamba: add optional keep_underscore=True to SAMBA_LIBRARY()
       via  74ee2f7 dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable
      from  77d8786 VERSION: Re-enable git snapshots...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test


- Log -----------------------------------------------------------------
commit 837c146271ecd96ccde927dbeb389330361fca93
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 13 13:49:58 2015 -0800

    s3: auth - tests: Add test for "force user" being a unix-only user, not in passdb.
    
    https://bugzilla.samba.org/show_bug.cgi?id=11044
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Wed Jan 14 08:46:08 CET 2015 on sn-devel-104
    
    (cherry picked from commit d098b6c877629af0f23070481deaccdf65acd249)
    
    Autobuild-User(v4-2-test): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(v4-2-test): Fri Jan 23 11:04:50 CET 2015 on sn-devel-104

commit c78939859714e09309d8101f1ef962fc12c0c565
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 13 13:49:36 2015 -0800

    s3: auth: Add previously missing allocation fail check.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit 83066ed539658a9fa6deb897b15b20a0624227fe)

commit a9e58a2ef220bbbd868a7c5851a882ec774a4971
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 13 13:45:16 2015 -0800

    s3: auth: Plumb in the SamInfo3_handle_sids() utility function into passwd_to_SamInfo3().
    
    Core fix for:
    
    https://bugzilla.samba.org/show_bug.cgi?id=11044
    
    Based on code from Michael Zeis <mzeis.quantum at gmail.com>
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit 60895e62fe21e41cf4a09ec8a92239b8f015b450)

commit d8b2eee9fc26cbf317fde8b08f559ea3a7bf0e6a
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 13 13:39:21 2015 -0800

    s3: auth: Convert samu_to_SamInfo3() to use the new utility function.
    
    Based on code from Michael Zeis <mzeis.quantum at gmail.com>
    
    https://bugzilla.samba.org/show_bug.cgi?id=11044
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit d20b2d397205c1ab85a43f54bc95360a732265f3)

commit 31b2dadc60217f3658071aa57e1ffc39b9209ae4
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 13 13:35:56 2015 -0800

    s3: auth: Add a utility function - SamInfo3_handle_sids() that factors out the code to handle "Unix Users" and "Unix Groups".
    
    Based on code from Michael Zeis <mzeis.quantum at gmail.com>
    
    https://bugzilla.samba.org/show_bug.cgi?id=11044
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit 9395243890aff5bb2166e18e33492afb28850097)

commit a52c6cbf2e7bcb6f288a44ecb753bb4ff5b2ae60
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 18 10:33:34 2014 +0100

    nsswitch: fix soname of linux nss_*.so.2 modules
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 575b093dac3c509b1bfaab0b4ad29b9b4214e487)

commit 5de1063947db3e749b70275867f8daefe98cb70a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 18 20:13:44 2014 +0100

    selftest: use shared/libnss_wrapper_winbind.so.2
    
    This library is always available in make test.
    nss-wrapper strictly requires the linux nss api.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 4eb24fa545234be506eb1330ccbbfd5c2b9e0d82)

commit e9d45f6cff280857c4d54b0d6b0fa7666b001f7d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 18 10:21:30 2014 +0100

    wafsamba: add optional keep_underscore=True to SAMBA_LIBRARY()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 82e583b04b04e560c121163850d70c52d2fce78d)

commit 74ee2f72abb842074d2e20f86eff74f4c2b16ed5
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Dec 4 11:53:12 2014 +1300

    dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable
    
    This includes additional tests based directly on the docs, rather than
    simply testing our internal implementation in client and server contexts,
    that create a user and groups.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11022
    
    Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
    Signed-off-by: Garming-Sam <garming at catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Mon Dec 22 17:17:02 CET 2014 on sn-devel-104
    
    (similar to commit e4213512d0a967e87a74a1ae816c903fb38dd8b9)

-----------------------------------------------------------------------

Summary of changes:
 buildtools/wafsamba/wafsamba.py              |   6 +-
 nsswitch/wscript_build                       |  24 +-
 selftest/target/Samba.pm                     |   2 +-
 selftest/target/Samba3.pm                    |   4 +
 source3/auth/auth_util.c                     |   3 +-
 source3/auth/proto.h                         |   3 +-
 source3/auth/server_info.c                   | 156 +++++++-----
 source3/script/tests/test_smbclient_auth.sh  |   1 +
 source3/wscript_build                        |   7 -
 source4/dsdb/samdb/ldb_modules/operational.c |  66 ++++-
 source4/dsdb/tests/python/token_group.py     | 351 ++++++++++++++++++++++++++-
 source4/selftest/tests.py                    |   2 +-
 12 files changed, 532 insertions(+), 93 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index f86ac61..e564877 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -110,6 +110,7 @@ def SAMBA_LIBRARY(bld, libname, source,
                   ldflags='',
                   external_library=False,
                   realname=None,
+                  keep_underscore=False,
                   autoproto=None,
                   autoproto_extra_source='',
                   group='main',
@@ -212,7 +213,10 @@ def SAMBA_LIBRARY(bld, libname, source,
                        libname)
 
     if target_type == 'PYTHON' or realname or not private_library:
-        bundled_name = libname.replace('_', '-')
+        if keep_underscore:
+            bundled_name = libname
+        else:
+            bundled_name = libname.replace('_', '-')
     else:
         bundled_name = PRIVATE_NAME(bld, libname, bundled_extension,
             private_library)
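Review bot: keep_underscore is silently ignored on the `else` branch, where private libraries are named via PRIVATE_NAME regardless, so a caller passing keep_underscore=True for a private library gets neither the effect nor a warning; either honour it on both branches or document on SAMBA_LIBRARY that the flag only affects the public/realname naming path, and add it to the function's parameter documentation alongside `realname`.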
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 8ceb9ad..381ff44 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -30,12 +30,24 @@ bld.SAMBA_LIBRARY('nss_wrapper_winbind',
 # the search for .rfind('gnu') covers gnu* and *-gnu is that too broad?
 
 if (Utils.unversioned_sys_platform() == 'linux' or (host_os.rfind('gnu') > -1)):
-	bld.SAMBA_LIBRARY('nss_winbind',
-			  source='winbind_nss_linux.c',
-			  deps='winbind-client',
-			  realname='libnss_winbind.so.2',
-			  soname='libnss_winbind.so',
-			  vnum='2')
+    bld.SAMBA_LIBRARY('nss_winbind',
+              keep_underscore=True,
+              source='winbind_nss_linux.c',
+              deps='winbind-client',
+              public_headers=[],
+              public_headers_install=False,
+              pc_files=[],
+              vnum='2')
+
+    # for nss_wins is linux only
+    bld.SAMBA3_LIBRARY('nss_wins',
+                       keep_underscore=True,
+                       source='wins.c',
+                       deps='''param libsmb LIBTSOCKET''',
+                       public_headers=[],
+                       public_headers_install=False,
+                       pc_files=[],
+                       vnum='2')
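Review bot: the comment `# for nss_wins is linux only` introducing the second stanza does not parse; suggest `# nss_wins is Linux-only`. The added lines are also indented with four spaces while the `elif` branches that follow keep the file's tabs, so this Python build file now mixes both styles inside one if/elif chain; stay with the file's existing indentation. Dropping `realname`/`soname` in favour of `keep_underscore=True` plus `vnum='2'` is what actually fixes the soname, so a one-line comment saying that is the point of the flag would help readers of wscript_build.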
 elif (host_os.rfind('freebsd') > -1):
 	# FreeBSD winbind client is implemented as a wrapper around
 	# the Linux version.
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 2bd90ae..ccc63f3 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -69,7 +69,7 @@ sub nss_wrapper_winbind_so_path($) {
         my ($object) = @_;
 	my $ret = $ENV{NSS_WRAPPER_WINBIND_SO_PATH};
         if (not defined($ret)) {
-	    $ret = bindir_path($object, "default/nsswitch/libnss-winbind.so");
+	    $ret = bindir_path($object, "shared/libnss_wrapper_winbind.so.2");
 	    $ret = abs_path($ret);
 	}
 	return $ret;
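Review bot: the new path hard-codes the `.so.2` suffix, which couples Samba.pm to `vnum='2'` in nsswitch/wscript_build; a short comment pointing at that vnum would save the next person a search when the version is bumped and the selftest starts failing to find the wrapper.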
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index a495685..d8eb58c 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1136,6 +1136,10 @@ sub provision($$$$$$)
 	path = $shrdir
         force user = $unix_name
         guest ok = yes
+[forceuser_unixonly]
+	path = $shrdir
+	force user = pdbtest
+	guest ok = yes
 [forcegroup]
 	path = $shrdir
         force group = nogroup
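Review bot: the [forceuser_unixonly] stanza hard-codes `force user = pdbtest` while the [forceuser] stanza above uses `$unix_name`, and nothing in this hunk shows where pdbtest is created in the nss_wrapper passwd file or kept out of passdb, which is the precondition the commit title ("a unix-only user, not in passdb") depends on; add a comment on the stanza stating that precondition and which provisioning code satisfies it, so a later change to the pdbtest account does not silently turn this into a passdb-user test.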
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 2986fb4..1c2cf80 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -671,7 +671,8 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
 	status = passwd_to_SamInfo3(result,
 				    unix_username,
 				    pwd,
-				    &result->info3);
+				    &result->info3,
+				    &result->extra);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
 	}
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 1da0c44..6a5508b 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -305,7 +305,8 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
 NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
 			    const char *unix_username,
 			    const struct passwd *pwd,
-			    struct netr_SamInfo3 **pinfo3);
+			    struct netr_SamInfo3 **pinfo3,
+			    struct extra_auth_info *extra);
 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
 					 const struct netr_SamInfo3 *orig);
 
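Review bot: the new `extra` parameter on passwd_to_SamInfo3 carries no comment on what it receives; as with samu_to_SamInfo3 directly above, it is only written on the "Unix Users"/"Unix Groups" paths (extra->user_sid, extra->pgid_sid), so callers must pass a zero-initialised struct. A short header comment stating that contract, and whether NULL is accepted, would help the other callers that will need updating for the new signature.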
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 8fd3b0d..b537390 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -330,46 +330,19 @@ NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
-#define RET_NOMEM(ptr) do { \
-	if (!ptr) { \
-		TALLOC_FREE(info3); \
-		return NT_STATUS_NO_MEMORY; \
-	} } while(0)
+/*
+ * Check if this is a "Unix Users" domain user, or a
+ * "Unix Groups" domain group, we need to handle it
+ * in a special way if that's the case.
+ */
 
-NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
-			  struct samu *samu,
-			  const char *login_server,
-			  struct netr_SamInfo3 **_info3,
-			  struct extra_auth_info *extra)
+static NTSTATUS SamInfo3_handle_sids(const char *username,
+			const struct dom_sid *user_sid,
+			const struct dom_sid *group_sid,
+			struct netr_SamInfo3 *info3,
+			struct dom_sid *domain_sid,
+			struct extra_auth_info *extra)
 {
-	struct netr_SamInfo3 *info3;
-	const struct dom_sid *user_sid;
-	const struct dom_sid *group_sid;
-	struct dom_sid domain_sid;
-	struct dom_sid *group_sids;
-	uint32_t num_group_sids = 0;
-	const char *tmp;
-	gid_t *gids;
-	NTSTATUS status;
-	bool ok;
-
-	user_sid = pdb_get_user_sid(samu);
-	group_sid = pdb_get_group_sid(samu);
-
-	if (!user_sid || !group_sid) {
-		DEBUG(1, ("Sam account is missing sids!\n"));
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-
-	info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
-	if (!info3) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	ZERO_STRUCT(domain_sid);
-
-	/* check if this is a "Unix Users" domain user,
-	 * we need to handle it in a special way if that's the case */
 	if (sid_check_is_in_unix_users(user_sid)) {
 		/* in info3 you can only set rids for the user and the
 		 * primary group, and the domain sid must be that of
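Review bot: the comment block above SamInfo3_handle_sids is separated from the function by a blank line and still reads as the old inline "check if" note rather than as a description of the helper; move it directly above the prototype and state the contract: `domain_sid` is an out-parameter the caller must zero beforehand (the later is_null_sid() test depends on that), `info3` gets base.rid and base.primary_gid filled in, and `extra` receives the user/group SIDs that cannot be expressed as RIDs of the domain. Naming which pointers are outputs also explains why `info3`, `domain_sid` and `extra` are non-const while the SIDs are const.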
@@ -382,16 +355,16 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
 		info3->base.rid = (uint32_t)(-1);
 		sid_copy(&extra->user_sid, user_sid);
 
-		DEBUG(10, ("Unix User found in struct samu. Rid marked as "
-			   "special and sid (%s) saved as extra sid\n",
-			   sid_string_dbg(user_sid)));
+		DEBUG(10, ("Unix User found. Rid marked as "
+			"special and sid (%s) saved as extra sid\n",
+			sid_string_dbg(user_sid)));
 	} else {
-		sid_copy(&domain_sid, user_sid);
-		sid_split_rid(&domain_sid, &info3->base.rid);
+		sid_copy(domain_sid, user_sid);
+		sid_split_rid(domain_sid, &info3->base.rid);
 	}
 
-	if (is_null_sid(&domain_sid)) {
-		sid_copy(&domain_sid, get_global_sam_sid());
+	if (is_null_sid(domain_sid)) {
+		sid_copy(domain_sid, get_global_sam_sid());
 	}
 
 	/* check if this is a "Unix Groups" domain group,
@@ -408,24 +381,73 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
 		info3->base.primary_gid = (uint32_t)(-1);
 		sid_copy(&extra->pgid_sid, group_sid);
 
-		DEBUG(10, ("Unix Group found in struct samu. Rid marked as "
-			   "special and sid (%s) saved as extra sid\n",
-			   sid_string_dbg(group_sid)));
-
+		DEBUG(10, ("Unix Group found. Rid marked as "
+			"special and sid (%s) saved as extra sid\n",
+			sid_string_dbg(group_sid)));
 	} else {
-		ok = sid_peek_check_rid(&domain_sid, group_sid,
+		bool ok = sid_peek_check_rid(domain_sid, group_sid,
 					&info3->base.primary_gid);
 		if (!ok) {
 			DEBUG(1, ("The primary group domain sid(%s) does not "
-				  "match the domain sid(%s) for %s(%s)\n",
-				  sid_string_dbg(group_sid),
-				  sid_string_dbg(&domain_sid),
-				  pdb_get_username(samu),
-				  sid_string_dbg(user_sid)));
-			TALLOC_FREE(info3);
-			return NT_STATUS_UNSUCCESSFUL;
+				"match the domain sid(%s) for %s(%s)\n",
+				sid_string_dbg(group_sid),
+				sid_string_dbg(domain_sid),
+				username,
+				sid_string_dbg(user_sid)));
+			return NT_STATUS_INVALID_SID;
 		}
 	}
+	return NT_STATUS_OK;
+}
+
+#define RET_NOMEM(ptr) do { \
+	if (!ptr) { \
+		TALLOC_FREE(info3); \
+		return NT_STATUS_NO_MEMORY; \
+	} } while(0)
+
+NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
+			  struct samu *samu,
+			  const char *login_server,
+			  struct netr_SamInfo3 **_info3,
+			  struct extra_auth_info *extra)
+{
+	struct netr_SamInfo3 *info3;
+	const struct dom_sid *user_sid;
+	const struct dom_sid *group_sid;
+	struct dom_sid domain_sid;
+	struct dom_sid *group_sids;
+	uint32_t num_group_sids = 0;
+	const char *tmp;
+	gid_t *gids;
+	NTSTATUS status;
+
+	user_sid = pdb_get_user_sid(samu);
+	group_sid = pdb_get_group_sid(samu);
+
+	if (!user_sid || !group_sid) {
+		DEBUG(1, ("Sam account is missing sids!\n"));
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+	if (!info3) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ZERO_STRUCT(domain_sid);
+
+	status = SamInfo3_handle_sids(pdb_get_username(samu),
+				user_sid,
+				group_sid,
+				info3,
+				&domain_sid,
+				extra);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(info3);
+		return status;
+	}
 
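Review bot: the primary-group mismatch path now returns NT_STATUS_INVALID_SID where samu_to_SamInfo3 previously returned NT_STATUS_UNSUCCESSFUL; that is a caller-visible status change and should be named in the commit message. The helper no longer frees `info3` on failure, so the `TALLOC_FREE(info3); return status;` in samu_to_SamInfo3 is the right cleanup; the RET_NOMEM macro moved below the helper still depends on a local named `info3` being in scope, which holds here but is worth a comment since the macro is now further from its only user.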
 	unix_to_nt_time(&info3->base.logon_time, pdb_get_logon_time(samu));
 	unix_to_nt_time(&info3->base.logoff_time, get_time_t_max());
@@ -517,7 +539,8 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
 NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
 			    const char *unix_username,
 			    const struct passwd *pwd,
-			    struct netr_SamInfo3 **pinfo3)
+			    struct netr_SamInfo3 **pinfo3,
+			    struct extra_auth_info *extra)
 {
 	struct netr_SamInfo3 *info3;
 	NTSTATUS status;
@@ -613,9 +636,22 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
 
 	ZERO_STRUCT(domain_sid);
 
-	sid_copy(&domain_sid, &user_sid);
-	sid_split_rid(&domain_sid, &info3->base.rid);
+	status = SamInfo3_handle_sids(unix_username,
+				&user_sid,
+				&group_sid,
+				info3,
+				&domain_sid,
+				extra);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
 	info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
+	if (info3->base.domain_sid == NULL) {
+		status = NT_STATUS_NO_MEMORY;
+		goto done;
+	}
 
 	ok = sid_peek_check_rid(&domain_sid, &group_sid,
 				&info3->base.primary_gid);
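Review bot: after SamInfo3_handle_sids has already derived base.primary_gid from `group_sid` (and, for a "Unix Groups" SID, set it to (uint32_t)(-1) and stored the SID in extra->pgid_sid), the unchanged `ok = sid_peek_check_rid(&domain_sid, &group_sid, &info3->base.primary_gid);` below runs the same check a second time; if `group_sid` can be a Unix Groups SID at this point, this second check overwrites the helper's result and fails the domain match the helper deliberately bypassed. Either remove the duplicate check or add a comment explaining why `group_sid` is guaranteed to be in `domain_sid` here.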
diff --git a/source3/script/tests/test_smbclient_auth.sh b/source3/script/tests/test_smbclient_auth.sh
index 3988095..24e98b1 100755
--- a/source3/script/tests/test_smbclient_auth.sh
+++ b/source3/script/tests/test_smbclient_auth.sh
@@ -27,5 +27,6 @@ testit "smbclient //$SERVER/tmpguest" $SMBCLIENT //$SERVER/tmpguest $CONFIGURATI
 testit "smbclient //$SERVER/tmpguest as anon" $SMBCLIENT //$SERVER/tmpguest $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forceuser" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forceuser as anon" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
+testit "smbclient //$SERVER/forceuser_unixonly" $SMBCLIENT //$SERVER/forceuser_unixonly $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forcegroup" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forcegroup as anon" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
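Review bot: only the authenticated run is added for //$SERVER/forceuser_unixonly, although the share is configured with `guest ok = yes` exactly like [forceuser], which gets both an authenticated and an "as anon" (`-U%`) run two lines above; add the anonymous variant so the unix-only force user is exercised on the guest path as well.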
diff --git a/source3/wscript_build b/source3/wscript_build
index e1964a3..eadf832 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -55,13 +55,6 @@ bld.SAMBA3_LIBRARY('netapi',
                     pc_files='libnet/netapi.pc',
                     vnum='0')
 
-bld.SAMBA3_LIBRARY('nss_wins',
-                  source='../nsswitch/wins.c',
-                  deps='''param libsmb LIBTSOCKET''',
-                  realname='libnss_wins.so.2',
-                  soname='libnss_wins.so',
-                  vnum='2')
-
 bld.SAMBA3_LIBRARY('gse',
                    source='librpc/crypto/gse_krb5.c librpc/crypto/gse.c',
                    deps='krb5samba gensec param KRBCLIENT secrets3',
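Review bot: this removal, together with the re-add under the `linux`/`gnu` branch of nsswitch/wscript_build, means nss_wins is no longer built on other platforms, whereas the removed stanza was unconditional; if that is intended, the commit message (which only mentions the soname fix) should say so, and if not, the new stanza belongs outside the platform test.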
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index ad9863e..f77474f 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -84,6 +84,12 @@ struct operational_data {
 	struct ldb_dn *aggregate_dn;
 };
 
+enum search_type {
+	TOKEN_GROUPS,
+	TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL,
+	TOKEN_GROUPS_NO_GC_ACCEPTABLE
+};
+
 /*
   construct a canonical name from a message
 */
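Review bot: `enum search_type` is a very generic name for a module-wide enum that only selects a token-group filter; something like `enum token_groups_search_type` would avoid a clash if another search kind is added to operational.c later. Since the switch that consumes it has no default case, a comment here that every value must be handled in construct_generic_token_groups would be useful.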
@@ -127,9 +133,11 @@ static int construct_primary_group_token(struct ldb_module *module,
 /*
   construct the token groups for SAM objects from a message
 */
-static int construct_token_groups(struct ldb_module *module,
-				  struct ldb_message *msg, enum ldb_scope scope,
-				  struct ldb_request *parent)
+static int construct_generic_token_groups(struct ldb_module *module,
+					  struct ldb_message *msg, enum ldb_scope scope,
+					  struct ldb_request *parent,
+					  const char *attribute_string,
+					  enum search_type type)
 {
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	TALLOC_CTX *tmp_ctx = talloc_new(msg);
@@ -189,8 +197,18 @@ static int construct_token_groups(struct ldb_module *module,
 	}
 
 	/* only return security groups */
-	filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
-				 GROUP_TYPE_SECURITY_ENABLED);
+	switch(type) {
+	case TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL:
+		filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u)(|(groupType:1.2.840.113556.1.4.803:=%u)(groupType:1.2.840.113556.1.4.803:=%u)))",
+					 GROUP_TYPE_SECURITY_ENABLED, GROUP_TYPE_ACCOUNT_GROUP, GROUP_TYPE_UNIVERSAL_GROUP);
+		break;
+	case TOKEN_GROUPS_NO_GC_ACCEPTABLE:
+	case TOKEN_GROUPS:
+		filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
+					 GROUP_TYPE_SECURITY_ENABLED);
+		break;
+	}
+
 	if (!filter) {
 		talloc_free(tmp_ctx);
 		return ldb_oom(ldb);
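Review bot: the switch over `type` has no default case; unless `filter` is initialised to NULL before it (not visible in this hunk), an unhandled enum value leaves `filter` indeterminate and the `if (!filter)` guard below will not catch it. Add `default: talloc_free(tmp_ctx); return LDB_ERR_OPERATIONS_ERROR;` or initialise `filter = NULL` so the existing guard fires. Style: `switch(type)` should be `switch (type)`, and the two very long talloc_asprintf lines should be wrapped to the file's line length.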
@@ -253,7 +271,7 @@ static int construct_token_groups(struct ldb_module *module,
 	}
 
 	for (i=0; i < num_groupSIDs; i++) {
-		ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", &groupSIDs[i]);
+		ret = samdb_msg_add_dom_sid(ldb, msg, msg, attribute_string, &groupSIDs[i]);
 		if (ret) {
 			talloc_free(tmp_ctx);
 			return ret;
@@ -263,6 +281,40 @@ static int construct_token_groups(struct ldb_module *module,
 	return LDB_SUCCESS;
 }
 
+static int construct_token_groups(struct ldb_module *module,
+				  struct ldb_message *msg, enum ldb_scope scope,
+				  struct ldb_request *parent)
+{
+	/**
+	 * TODO: Add in a limiting domain when we start to support
+	 * trusted domains.
+	 */
+	return construct_generic_token_groups(module, msg, scope, parent,
+					      "tokenGroups",
+					      TOKEN_GROUPS);
+}
+
+static int construct_token_groups_no_gc(struct ldb_module *module,
+					struct ldb_message *msg, enum ldb_scope scope,
+					struct ldb_request *parent)
+{
+	/**
+	 * TODO: Add in a limiting domain when we start to support
+	 * trusted domains.
+	 */
+	return construct_generic_token_groups(module, msg, scope, parent,
+					      "tokenGroupsNoGCAcceptable",
+					      TOKEN_GROUPS);
+}
+
+static int construct_global_universal_token_groups(struct ldb_module *module,
+						   struct ldb_message *msg, enum ldb_scope scope,
+						   struct ldb_request *parent)
+{
+	return construct_generic_token_groups(module, msg, scope, parent,
+					      "tokenGroupsGlobalAndUniversal",
+					      TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL);
+}
 /*
   construct the parent GUID for an entry from a message
 */
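Review bot: construct_token_groups_no_gc passes TOKEN_GROUPS instead of TOKEN_GROUPS_NO_GC_ACCEPTABLE, so the enum value added for it is never used and the filter switch can only ever see it via fall-through; either pass the dedicated value (the switch already maps it to the same filter) or drop it. Also, the TODO comment is duplicated verbatim in two functions, and there is no blank line between the closing brace of construct_global_universal_token_groups and the following comment block.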
@@ -870,6 +922,8 @@ static const struct op_attributes_replace search_sub[] = {
 	{ "canonicalName", NULL, NULL , construct_canonical_name },
 	{ "primaryGroupToken", "objectClass", objectSid_attr, construct_primary_group_token },
 	{ "tokenGroups", "primaryGroupID", objectSid_attr, construct_token_groups },
+	{ "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, construct_token_groups_no_gc},
+	{ "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, construct_global_universal_token_groups },
 	{ "parentGUID", NULL, NULL, construct_parent_guid },
 	{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
 	{ "msDS-isRODC", "objectClass", objectCategory_attr, construct_msds_isrodc },
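Review bot: `construct_token_groups_no_gc}` is missing the space before the closing brace that every neighbouring entry has. Reusing "primaryGroupID" and objectSid_attr for both new rows matches the tokenGroups entry and is consistent with the generic helper taking the same inputs.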
diff --git a/source4/dsdb/tests/python/token_group.py b/source4/dsdb/tests/python/token_group.py
index ff9f3ec..cba6480 100755
--- a/source4/dsdb/tests/python/token_group.py
+++ b/source4/dsdb/tests/python/token_group.py
@@ -14,16 +14,18 @@ samba.ensure_external_module("subunit", "subunit/python")
 import samba.getopt as options
 
 from samba.auth import system_session
-from samba import ldb
+from samba import ldb, dsdb
 from samba.samdb import SamDB
 from samba.auth import AuthContext
 from samba.ndr import ndr_unpack
 from samba import gensec
-from samba.credentials import Credentials
+from samba.credentials import Credentials, DONT_USE_KERBEROS
+from samba.dsdb import GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP
 
 from subunit.run import SubunitTestRunner
 import unittest
 import samba.tests
+from samba.tests import delete_force
 
 from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
 
@@ -45,13 +47,22 @@ url = args[0]
 
 lp = sambaopts.get_loadparm()
 creds = credopts.get_credentials(lp)
+creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
 
-class TokenTest(samba.tests.TestCase):
+def closure(vSet, wSet, aSet):
+    for edge in aSet:
+        start, end = edge
+        if start in wSet:
+            if end not in wSet and end in vSet:
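Review bot: `creds.set_gensec_features(... | gensec.FEATURE_SEAL)` is applied at module level, so every test in the file now runs over a sealed connection; a comment saying why would help. The new `closure(vSet, wSet, aSet)` helper has no docstring; from the visible lines it appears to compute the vertices reachable from wSet over the edges in aSet restricted to vSet, and a one-line docstring saying so would make the membership tests that use it readable. The remainder of this hunk is cut off by the 500-line truncation.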


-- 
Samba Shared Repository

