[SCM] Samba Shared Repository - branch v4-2-test updated
Stefan Metzmacher
metze at samba.org
Fri Jan 23 03:05:08 MST 2015
The branch, v4-2-test has been updated
via 837c146 s3: auth - tests: Add test for "force user" being a unix-only user, not in passdb.
via c789398 s3: auth: Add previously missing allocation fail check.
via a9e58a2 s3: auth: Plumb in the SamInfo3_handle_sids() utility function into passwd_to_SamInfo3().
via d8b2eee s3: auth: Convert samu_to_SamInfo3() to use the new utility function.
via 31b2dad s3: auth: Add a utility function - SamInfo3_handle_sids() that factors out the code to handle "Unix Users" and "Unix Groups".
via a52c6cb nsswitch: fix soname of linux nss_*.so.2 modules
via 5de1063 selftest: use shared/libnss_wrapper_winbind.so.2
via e9d45f6 wafsamba: add optional keep_underscore=True to SAMBA_LIBRARY()
via 74ee2f7 dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable
from 77d8786 VERSION: Re-enable git snapshots...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test
- Log -----------------------------------------------------------------
commit 837c146271ecd96ccde927dbeb389330361fca93
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 13 13:49:58 2015 -0800
s3: auth - tests: Add test for "force user" being a unix-only user, not in passdb.
https://bugzilla.samba.org/show_bug.cgi?id=11044
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Jan 14 08:46:08 CET 2015 on sn-devel-104
(cherry picked from commit d098b6c877629af0f23070481deaccdf65acd249)
Autobuild-User(v4-2-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-2-test): Fri Jan 23 11:04:50 CET 2015 on sn-devel-104
commit c78939859714e09309d8101f1ef962fc12c0c565
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 13 13:49:36 2015 -0800
s3: auth: Add previously missing allocation fail check.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 83066ed539658a9fa6deb897b15b20a0624227fe)
commit a9e58a2ef220bbbd868a7c5851a882ec774a4971
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 13 13:45:16 2015 -0800
s3: auth: Plumb in the SamInfo3_handle_sids() utility function into passwd_to_SamInfo3().
Core fix for:
https://bugzilla.samba.org/show_bug.cgi?id=11044
Based on code from Michael Zeis <mzeis.quantum at gmail.com>
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 60895e62fe21e41cf4a09ec8a92239b8f015b450)
commit d8b2eee9fc26cbf317fde8b08f559ea3a7bf0e6a
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 13 13:39:21 2015 -0800
s3: auth: Convert samu_to_SamInfo3() to use the new utility function.
Based on code from Michael Zeis <mzeis.quantum at gmail.com>
https://bugzilla.samba.org/show_bug.cgi?id=11044
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit d20b2d397205c1ab85a43f54bc95360a732265f3)
commit 31b2dadc60217f3658071aa57e1ffc39b9209ae4
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 13 13:35:56 2015 -0800
s3: auth: Add a utility function - SamInfo3_handle_sids() that factors out the code to handle "Unix Users" and "Unix Groups".
Based on code from Michael Zeis <mzeis.quantum at gmail.com>
https://bugzilla.samba.org/show_bug.cgi?id=11044
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 9395243890aff5bb2166e18e33492afb28850097)
commit a52c6cbf2e7bcb6f288a44ecb753bb4ff5b2ae60
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 18 10:33:34 2014 +0100
nsswitch: fix soname of linux nss_*.so.2 modules
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 575b093dac3c509b1bfaab0b4ad29b9b4214e487)
commit 5de1063947db3e749b70275867f8daefe98cb70a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 18 20:13:44 2014 +0100
selftest: use shared/libnss_wrapper_winbind.so.2
This library is always available in make test.
nss-wrapper strictly requires the linux nss api.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4eb24fa545234be506eb1330ccbbfd5c2b9e0d82)
commit e9d45f6cff280857c4d54b0d6b0fa7666b001f7d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 18 10:21:30 2014 +0100
wafsamba: add optional keep_underscore=True to SAMBA_LIBRARY()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 82e583b04b04e560c121163850d70c52d2fce78d)
commit 74ee2f72abb842074d2e20f86eff74f4c2b16ed5
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu Dec 4 11:53:12 2014 +1300
dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable
This includes additional tests based directly on the docs, rather than
simply testing our internal implementation in client and server contexts,
that create a user and groups.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11022
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming-Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Dec 22 17:17:02 CET 2014 on sn-devel-104
(similar to commit e4213512d0a967e87a74a1ae816c903fb38dd8b9)
-----------------------------------------------------------------------
Summary of changes:
buildtools/wafsamba/wafsamba.py | 6 +-
nsswitch/wscript_build | 24 +-
selftest/target/Samba.pm | 2 +-
selftest/target/Samba3.pm | 4 +
source3/auth/auth_util.c | 3 +-
source3/auth/proto.h | 3 +-
source3/auth/server_info.c | 156 +++++++-----
source3/script/tests/test_smbclient_auth.sh | 1 +
source3/wscript_build | 7 -
source4/dsdb/samdb/ldb_modules/operational.c | 66 ++++-
source4/dsdb/tests/python/token_group.py | 351 ++++++++++++++++++++++++++-
source4/selftest/tests.py | 2 +-
12 files changed, 532 insertions(+), 93 deletions(-)
Changeset truncated at 500 lines:
diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index f86ac61..e564877 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -110,6 +110,7 @@ def SAMBA_LIBRARY(bld, libname, source,
ldflags='',
external_library=False,
realname=None,
+ keep_underscore=False,
autoproto=None,
autoproto_extra_source='',
group='main',
@@ -212,7 +213,10 @@ def SAMBA_LIBRARY(bld, libname, source,
libname)
if target_type == 'PYTHON' or realname or not private_library:
- bundled_name = libname.replace('_', '-')
+ if keep_underscore:
+ bundled_name = libname
+ else:
+ bundled_name = libname.replace('_', '-')
else:
bundled_name = PRIVATE_NAME(bld, libname, bundled_extension,
private_library)
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 8ceb9ad..381ff44 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -30,12 +30,24 @@ bld.SAMBA_LIBRARY('nss_wrapper_winbind',
# the search for .rfind('gnu') covers gnu* and *-gnu is that too broad?
if (Utils.unversioned_sys_platform() == 'linux' or (host_os.rfind('gnu') > -1)):
- bld.SAMBA_LIBRARY('nss_winbind',
- source='winbind_nss_linux.c',
- deps='winbind-client',
- realname='libnss_winbind.so.2',
- soname='libnss_winbind.so',
- vnum='2')
+ bld.SAMBA_LIBRARY('nss_winbind',
+ keep_underscore=True,
+ source='winbind_nss_linux.c',
+ deps='winbind-client',
+ public_headers=[],
+ public_headers_install=False,
+ pc_files=[],
+ vnum='2')
+
+ # for nss_wins is linux only
+ bld.SAMBA3_LIBRARY('nss_wins',
+ keep_underscore=True,
+ source='wins.c',
+ deps='''param libsmb LIBTSOCKET''',
+ public_headers=[],
+ public_headers_install=False,
+ pc_files=[],
+ vnum='2')
elif (host_os.rfind('freebsd') > -1):
# FreeBSD winbind client is implemented as a wrapper around
# the Linux version.
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 2bd90ae..ccc63f3 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -69,7 +69,7 @@ sub nss_wrapper_winbind_so_path($) {
my ($object) = @_;
my $ret = $ENV{NSS_WRAPPER_WINBIND_SO_PATH};
if (not defined($ret)) {
- $ret = bindir_path($object, "default/nsswitch/libnss-winbind.so");
+ $ret = bindir_path($object, "shared/libnss_wrapper_winbind.so.2");
$ret = abs_path($ret);
}
return $ret;
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index a495685..d8eb58c 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1136,6 +1136,10 @@ sub provision($$$$$$)
path = $shrdir
force user = $unix_name
guest ok = yes
+[forceuser_unixonly]
+ path = $shrdir
+ force user = pdbtest
+ guest ok = yes
[forcegroup]
path = $shrdir
force group = nogroup
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 2986fb4..1c2cf80 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -671,7 +671,8 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
status = passwd_to_SamInfo3(result,
unix_username,
pwd,
- &result->info3);
+ &result->info3,
+ &result->extra);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 1da0c44..6a5508b 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -305,7 +305,8 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
const char *unix_username,
const struct passwd *pwd,
- struct netr_SamInfo3 **pinfo3);
+ struct netr_SamInfo3 **pinfo3,
+ struct extra_auth_info *extra);
struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
const struct netr_SamInfo3 *orig);
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 8fd3b0d..b537390 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -330,46 +330,19 @@ NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
-#define RET_NOMEM(ptr) do { \
- if (!ptr) { \
- TALLOC_FREE(info3); \
- return NT_STATUS_NO_MEMORY; \
- } } while(0)
+/*
+ * Check if this is a "Unix Users" domain user, or a
+ * "Unix Groups" domain group, we need to handle it
+ * in a special way if that's the case.
+ */
-NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
- struct samu *samu,
- const char *login_server,
- struct netr_SamInfo3 **_info3,
- struct extra_auth_info *extra)
+static NTSTATUS SamInfo3_handle_sids(const char *username,
+ const struct dom_sid *user_sid,
+ const struct dom_sid *group_sid,
+ struct netr_SamInfo3 *info3,
+ struct dom_sid *domain_sid,
+ struct extra_auth_info *extra)
{
- struct netr_SamInfo3 *info3;
- const struct dom_sid *user_sid;
- const struct dom_sid *group_sid;
- struct dom_sid domain_sid;
- struct dom_sid *group_sids;
- uint32_t num_group_sids = 0;
- const char *tmp;
- gid_t *gids;
- NTSTATUS status;
- bool ok;
-
- user_sid = pdb_get_user_sid(samu);
- group_sid = pdb_get_group_sid(samu);
-
- if (!user_sid || !group_sid) {
- DEBUG(1, ("Sam account is missing sids!\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
- if (!info3) {
- return NT_STATUS_NO_MEMORY;
- }
-
- ZERO_STRUCT(domain_sid);
-
- /* check if this is a "Unix Users" domain user,
- * we need to handle it in a special way if that's the case */
if (sid_check_is_in_unix_users(user_sid)) {
/* in info3 you can only set rids for the user and the
* primary group, and the domain sid must be that of
@@ -382,16 +355,16 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
info3->base.rid = (uint32_t)(-1);
sid_copy(&extra->user_sid, user_sid);
- DEBUG(10, ("Unix User found in struct samu. Rid marked as "
- "special and sid (%s) saved as extra sid\n",
- sid_string_dbg(user_sid)));
+ DEBUG(10, ("Unix User found. Rid marked as "
+ "special and sid (%s) saved as extra sid\n",
+ sid_string_dbg(user_sid)));
} else {
- sid_copy(&domain_sid, user_sid);
- sid_split_rid(&domain_sid, &info3->base.rid);
+ sid_copy(domain_sid, user_sid);
+ sid_split_rid(domain_sid, &info3->base.rid);
}
- if (is_null_sid(&domain_sid)) {
- sid_copy(&domain_sid, get_global_sam_sid());
+ if (is_null_sid(domain_sid)) {
+ sid_copy(domain_sid, get_global_sam_sid());
}
/* check if this is a "Unix Groups" domain group,
@@ -408,24 +381,73 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
info3->base.primary_gid = (uint32_t)(-1);
sid_copy(&extra->pgid_sid, group_sid);
- DEBUG(10, ("Unix Group found in struct samu. Rid marked as "
- "special and sid (%s) saved as extra sid\n",
- sid_string_dbg(group_sid)));
-
+ DEBUG(10, ("Unix Group found. Rid marked as "
+ "special and sid (%s) saved as extra sid\n",
+ sid_string_dbg(group_sid)));
} else {
- ok = sid_peek_check_rid(&domain_sid, group_sid,
+ bool ok = sid_peek_check_rid(domain_sid, group_sid,
&info3->base.primary_gid);
if (!ok) {
DEBUG(1, ("The primary group domain sid(%s) does not "
- "match the domain sid(%s) for %s(%s)\n",
- sid_string_dbg(group_sid),
- sid_string_dbg(&domain_sid),
- pdb_get_username(samu),
- sid_string_dbg(user_sid)));
- TALLOC_FREE(info3);
- return NT_STATUS_UNSUCCESSFUL;
+ "match the domain sid(%s) for %s(%s)\n",
+ sid_string_dbg(group_sid),
+ sid_string_dbg(domain_sid),
+ username,
+ sid_string_dbg(user_sid)));
+ return NT_STATUS_INVALID_SID;
}
}
+ return NT_STATUS_OK;
+}
+
+#define RET_NOMEM(ptr) do { \
+ if (!ptr) { \
+ TALLOC_FREE(info3); \
+ return NT_STATUS_NO_MEMORY; \
+ } } while(0)
+
+NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
+ struct samu *samu,
+ const char *login_server,
+ struct netr_SamInfo3 **_info3,
+ struct extra_auth_info *extra)
+{
+ struct netr_SamInfo3 *info3;
+ const struct dom_sid *user_sid;
+ const struct dom_sid *group_sid;
+ struct dom_sid domain_sid;
+ struct dom_sid *group_sids;
+ uint32_t num_group_sids = 0;
+ const char *tmp;
+ gid_t *gids;
+ NTSTATUS status;
+
+ user_sid = pdb_get_user_sid(samu);
+ group_sid = pdb_get_group_sid(samu);
+
+ if (!user_sid || !group_sid) {
+ DEBUG(1, ("Sam account is missing sids!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+ if (!info3) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ZERO_STRUCT(domain_sid);
+
+ status = SamInfo3_handle_sids(pdb_get_username(samu),
+ user_sid,
+ group_sid,
+ info3,
+ &domain_sid,
+ extra);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info3);
+ return status;
+ }
unix_to_nt_time(&info3->base.logon_time, pdb_get_logon_time(samu));
unix_to_nt_time(&info3->base.logoff_time, get_time_t_max());
@@ -517,7 +539,8 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
const char *unix_username,
const struct passwd *pwd,
- struct netr_SamInfo3 **pinfo3)
+ struct netr_SamInfo3 **pinfo3,
+ struct extra_auth_info *extra)
{
struct netr_SamInfo3 *info3;
NTSTATUS status;
@@ -613,9 +636,22 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(domain_sid);
- sid_copy(&domain_sid, &user_sid);
- sid_split_rid(&domain_sid, &info3->base.rid);
+ status = SamInfo3_handle_sids(unix_username,
+ &user_sid,
+ &group_sid,
+ info3,
+ &domain_sid,
+ extra);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
+ if (info3->base.domain_sid == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
ok = sid_peek_check_rid(&domain_sid, &group_sid,
&info3->base.primary_gid);
diff --git a/source3/script/tests/test_smbclient_auth.sh b/source3/script/tests/test_smbclient_auth.sh
index 3988095..24e98b1 100755
--- a/source3/script/tests/test_smbclient_auth.sh
+++ b/source3/script/tests/test_smbclient_auth.sh
@@ -27,5 +27,6 @@ testit "smbclient //$SERVER/tmpguest" $SMBCLIENT //$SERVER/tmpguest $CONFIGURATI
testit "smbclient //$SERVER/tmpguest as anon" $SMBCLIENT //$SERVER/tmpguest $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
testit "smbclient //$SERVER/forceuser" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
testit "smbclient //$SERVER/forceuser as anon" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
+testit "smbclient //$SERVER/forceuser_unixonly" $SMBCLIENT //$SERVER/forceuser_unixonly $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
testit "smbclient //$SERVER/forcegroup" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
testit "smbclient //$SERVER/forcegroup as anon" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
diff --git a/source3/wscript_build b/source3/wscript_build
index e1964a3..eadf832 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -55,13 +55,6 @@ bld.SAMBA3_LIBRARY('netapi',
pc_files='libnet/netapi.pc',
vnum='0')
-bld.SAMBA3_LIBRARY('nss_wins',
- source='../nsswitch/wins.c',
- deps='''param libsmb LIBTSOCKET''',
- realname='libnss_wins.so.2',
- soname='libnss_wins.so',
- vnum='2')
-
bld.SAMBA3_LIBRARY('gse',
source='librpc/crypto/gse_krb5.c librpc/crypto/gse.c',
deps='krb5samba gensec param KRBCLIENT secrets3',
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index ad9863e..f77474f 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -84,6 +84,12 @@ struct operational_data {
struct ldb_dn *aggregate_dn;
};
+enum search_type {
+ TOKEN_GROUPS,
+ TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL,
+ TOKEN_GROUPS_NO_GC_ACCEPTABLE
+};
+
/*
construct a canonical name from a message
*/
@@ -127,9 +133,11 @@ static int construct_primary_group_token(struct ldb_module *module,
/*
construct the token groups for SAM objects from a message
*/
-static int construct_token_groups(struct ldb_module *module,
- struct ldb_message *msg, enum ldb_scope scope,
- struct ldb_request *parent)
+static int construct_generic_token_groups(struct ldb_module *module,
+ struct ldb_message *msg, enum ldb_scope scope,
+ struct ldb_request *parent,
+ const char *attribute_string,
+ enum search_type type)
{
struct ldb_context *ldb = ldb_module_get_ctx(module);
TALLOC_CTX *tmp_ctx = talloc_new(msg);
@@ -189,8 +197,18 @@ static int construct_token_groups(struct ldb_module *module,
}
/* only return security groups */
- filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
- GROUP_TYPE_SECURITY_ENABLED);
+ switch(type) {
+ case TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL:
+ filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u)(|(groupType:1.2.840.113556.1.4.803:=%u)(groupType:1.2.840.113556.1.4.803:=%u)))",
+ GROUP_TYPE_SECURITY_ENABLED, GROUP_TYPE_ACCOUNT_GROUP, GROUP_TYPE_UNIVERSAL_GROUP);
+ break;
+ case TOKEN_GROUPS_NO_GC_ACCEPTABLE:
+ case TOKEN_GROUPS:
+ filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
+ GROUP_TYPE_SECURITY_ENABLED);
+ break;
+ }
+
if (!filter) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
@@ -253,7 +271,7 @@ static int construct_token_groups(struct ldb_module *module,
}
for (i=0; i < num_groupSIDs; i++) {
- ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", &groupSIDs[i]);
+ ret = samdb_msg_add_dom_sid(ldb, msg, msg, attribute_string, &groupSIDs[i]);
if (ret) {
talloc_free(tmp_ctx);
return ret;
@@ -263,6 +281,40 @@ static int construct_token_groups(struct ldb_module *module,
return LDB_SUCCESS;
}
+static int construct_token_groups(struct ldb_module *module,
+ struct ldb_message *msg, enum ldb_scope scope,
+ struct ldb_request *parent)
+{
+ /**
+ * TODO: Add in a limiting domain when we start to support
+ * trusted domains.
+ */
+ return construct_generic_token_groups(module, msg, scope, parent,
+ "tokenGroups",
+ TOKEN_GROUPS);
+}
+
+static int construct_token_groups_no_gc(struct ldb_module *module,
+ struct ldb_message *msg, enum ldb_scope scope,
+ struct ldb_request *parent)
+{
+ /**
+ * TODO: Add in a limiting domain when we start to support
+ * trusted domains.
+ */
+ return construct_generic_token_groups(module, msg, scope, parent,
+ "tokenGroupsNoGCAcceptable",
+ TOKEN_GROUPS);
+}
+
+static int construct_global_universal_token_groups(struct ldb_module *module,
+ struct ldb_message *msg, enum ldb_scope scope,
+ struct ldb_request *parent)
+{
+ return construct_generic_token_groups(module, msg, scope, parent,
+ "tokenGroupsGlobalAndUniversal",
+ TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL);
+}
/*
construct the parent GUID for an entry from a message
*/
@@ -870,6 +922,8 @@ static const struct op_attributes_replace search_sub[] = {
{ "canonicalName", NULL, NULL , construct_canonical_name },
{ "primaryGroupToken", "objectClass", objectSid_attr, construct_primary_group_token },
{ "tokenGroups", "primaryGroupID", objectSid_attr, construct_token_groups },
+ { "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, construct_token_groups_no_gc},
+ { "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, construct_global_universal_token_groups },
{ "parentGUID", NULL, NULL, construct_parent_guid },
{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
{ "msDS-isRODC", "objectClass", objectCategory_attr, construct_msds_isrodc },
diff --git a/source4/dsdb/tests/python/token_group.py b/source4/dsdb/tests/python/token_group.py
index ff9f3ec..cba6480 100755
--- a/source4/dsdb/tests/python/token_group.py
+++ b/source4/dsdb/tests/python/token_group.py
@@ -14,16 +14,18 @@ samba.ensure_external_module("subunit", "subunit/python")
import samba.getopt as options
from samba.auth import system_session
-from samba import ldb
+from samba import ldb, dsdb
from samba.samdb import SamDB
from samba.auth import AuthContext
from samba.ndr import ndr_unpack
from samba import gensec
-from samba.credentials import Credentials
+from samba.credentials import Credentials, DONT_USE_KERBEROS
+from samba.dsdb import GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP
from subunit.run import SubunitTestRunner
import unittest
import samba.tests
+from samba.tests import delete_force
from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
@@ -45,13 +47,22 @@ url = args[0]
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
+creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
-class TokenTest(samba.tests.TestCase):
+def closure(vSet, wSet, aSet):
+ for edge in aSet:
+ start, end = edge
+ if start in wSet:
+ if end not in wSet and end in vSet:
--
Samba Shared Repository
More information about the samba-cvs
mailing list