[SCM] Samba Shared Repository - branch v4-11-stable updated

Karolin Seeger kseeger at samba.org
Tue Jan 21 09:09:18 UTC 2020


The branch, v4-11-stable has been updated
       via  01a4dd8ea2b VERSION: Disable GIT_SNAPSHOT for the 4.11.5 release.
       via  16f159bdd2d WHATSNEW: Add release notes for Samba 4.11.5.
       via  a56fb1c0427 CVE-2019-19344 kcc dns scavenging: Fix use after free in dns_tombstone_records_zone
       via  0010822597d CVE-2019-14907 lib/util: Do not print the failed to convert string into the logs
       via  5884a973309 CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs
       via  da1d3a0c03c CVE-2019-14902 repl_meta_data: Set renamed = true (and so do SD inheritance) after any rename
       via  febccb4845e CVE-2019-14902 repl_meta_data: Fix issue where inherited Security Descriptors were not replicated.
       via  2cf368d0023 CVE-2019-14902 repl_meta_data: schedule SD propagation to a renamed DN
       via  dc1b30c8316 CVE-2019-14902 dsdb: Ensure we honour both change->force_self and change->force_children
       via  68a91b11e40 CVE-2019-14902 dsdb: Add comments explaining why SD propagation needs to be done here
       via  971247385a4 CVE-2019-14902 dsdb: Explain that descriptor_sd_propagation_recursive() is protected by a transaction
       via  50498111ac0 selftest: Add test to confirm ACL inheritence really happens
       via  59a7bbe0c15 CVE-2019-14902 selftest: Add test for a special case around replicated renames
       via  6b6a993e6af CVE-2019-14902 selftest: Add test for replication of inherited security descriptors
       via  98761ff1b2e VERSION: Bump version up to 4.11.5...
      from  a3e0dc33741 VERSION: Disable GIT_SNAPSHOT for the 4.11.4 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-stable


- Log -----------------------------------------------------------------
commit 01a4dd8ea2b7503270221beef02d21b0a2bc5ffa
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Jan 8 11:55:21 2020 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.11.5 release.
    
    o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
                      Directory not automatic.
    o CVE-2019-14907: Crash after failed character conversion at log level 3 or
                      above.
    o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 16f159bdd2dc1fadcfa5920f895eb32f2ccdc73c
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Jan 8 11:53:55 2020 +0100

    WHATSNEW: Add release notes for Samba 4.11.5.
    
    o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
                      Directory not automatic.
    o CVE-2019-14907: Crash after failed character conversion at log level 3 or
                      above.
    o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit a56fb1c04278e27381d5eaf52ec1036fceae411f
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Mon Dec 16 13:57:47 2019 +1300

    CVE-2019-19344 kcc dns scavenging: Fix use after free in dns_tombstone_records_zone
    
    ldb_msg_add_empty reallocates the underlying element array, leaving
    old_el pointing to freed memory.
    
    This patch takes two defensive copies of the ldb message, and performs
    the updates on them rather than the ldb messages in the result.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14050
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>

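The mechanism the commit message above describes, as an added illustration that is not Samba's code: a minimal ldb-message look-alike in which appending an element rebuilds the element array and frees the old one (the commit says ldb_msg_add_empty() reallocates the underlying element array), so a pointer obtained beforehand goes stale, alongside the patch's remedy of taking copies and editing those. Every name here (msg_*, FLAG_MOD_*, stale_pointer_demo, tombstone_safe) is this example's own, and the dnsRecord values are constructed readable stand-ins, not real dnsRecord blobs.

```c
/* Added example, not Samba code: an ldb-message look-alike that reproduces the
 * append-reallocates-then-use bug fixed by this commit, and the copy-first fix. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define FLAG_MOD_ADD    1                /* this example's own flags, not ldb's */
#define FLAG_MOD_DELETE 3

struct element { const char *name; int flags; size_t num_values; const char *values[4]; };
struct message { size_t num_elements; struct element *elements; };

struct element *msg_find_element(struct message *m, const char *name)
{
	for (size_t i = 0; i < m->num_elements; i++)
		if (strcmp(m->elements[i].name, name) == 0) return &m->elements[i];
	return NULL;
}

/* Append an empty element.  Like a realloc that moves, the array is rebuilt at a new address and the old one freed. */
int msg_add_empty(struct message *m, const char *name, int flags, struct element **out)
{
	struct element *grown = calloc(m->num_elements + 1, sizeof(*grown));
	if (grown == NULL) return -1;
	memcpy(grown, m->elements, m->num_elements * sizeof(*grown));
	free(m->elements);               /* every pointer from msg_find_element() is now stale */
	m->elements = grown;
	grown[m->num_elements] = (struct element){ .name = name, .flags = flags };
	*out = &grown[m->num_elements++];
	return 0;
}

void msg_free(struct message *m) { if (m) { free(m->elements); free(m); } }
/* Deep copy with its own element array: the role ldb_msg_copy() plays in the patch. */
struct message *msg_copy(const struct message *src)
{
	struct message *dst = calloc(1, sizeof(*dst));
	if (dst == NULL) return NULL;
	dst->elements = calloc(src->num_elements + 1, sizeof(*dst->elements));
	if (dst->elements == NULL) { free(dst); return NULL; }
	memcpy(dst->elements, src->elements, src->num_elements * sizeof(*dst->elements));
	dst->num_elements = src->num_elements;
	return dst;
}

/* Constructed sample: a dnsRecord attribute with three readable "<type> <addr> ts=<time>" stand-ins (not real blobs). */
struct message *sample_record(void)
{
	struct element e = { "dnsRecord", 0, 3, { "A 10.0.0.5 ts=100", "A 10.0.0.6 ts=900", "A 10.0.0.7 ts=700" } };
	struct message tmp = { 1, &e };
	return msg_copy(&tmp);           /* heap-owned; release with msg_free() */
}

/* The bug: hold a pointer across msg_add_empty(), as old_el was held across ldb_msg_add_empty() before
 * the patch.  Returns 1 if the element moved; the old address is kept only as an integer, never dereferenced. */
int stale_pointer_demo(void)
{
	struct message *msg = sample_record();
	struct element *el = NULL;
	uintptr_t before, after;
	if (msg == NULL) return -1;
	before = (uintptr_t)msg_find_element(msg, "dnsRecord");
	if (msg_add_empty(msg, "dnsRecord", FLAG_MOD_ADD, &el) != 0) { msg_free(msg); return -1; }
	after = (uintptr_t)msg_find_element(msg, "dnsRecord");
	msg_free(msg);
	return before != after;
}

/* The fix: copy first, then do the delete/add bookkeeping on the copies; old_el points into old_msg, which
 * msg_add_empty(new_msg, ...) never touches.  *out: element 0 = MOD_DELETE (old values), element 1 = MOD_ADD
 * (values not expired at `now`).  `found` is left untouched.  Returns the count re-added, or -1 on error. */
int tombstone_safe(const struct message *found, unsigned long now, struct message **out)
{
	struct message *old_msg = msg_copy(found), *new_msg = NULL;
	struct element *old_el, *el = NULL;
	if (old_msg == NULL) return -1;
	old_el = msg_find_element(old_msg, "dnsRecord");
	if (old_el == NULL) { msg_free(old_msg); return -1; }
	old_el->flags = FLAG_MOD_DELETE;
	new_msg = msg_copy(old_msg);
	if (new_msg == NULL || msg_add_empty(new_msg, "dnsRecord", FLAG_MOD_ADD, &el) != 0) {
		msg_free(old_msg); msg_free(new_msg); return -1;
	}
	for (size_t i = 0; i < old_el->num_values; i++) {           /* old_el is still valid */
		const char *ts = strstr(old_el->values[i], "ts=");   /* expired when ts < now */
		if (ts == NULL || strtoul(ts + 3, NULL, 10) >= now)
			el->values[el->num_values++] = old_el->values[i];
	}
	msg_free(old_msg); *out = new_msg;
	return (int)el->num_values;
}

/* Runs the fix on the sample at now=500: 2 live values are re-added; -1 if the modify message has the wrong shape. */
int tombstone_safe_demo(void)
{
	struct message *found = sample_record(), *out = NULL;
	int live = found ? tombstone_safe(found, 500, &out) : -1;
	if (live >= 0 && !(found->num_elements == 1 && out->num_elements == 2 &&
			   out->elements[0].flags == FLAG_MOD_DELETE && out->elements[0].num_values == 3 &&
			   out->elements[1].flags == FLAG_MOD_ADD)) live = -1;
	msg_free(found); msg_free(out);
	return live;
}
```

stale_pointer_demo() returns 1 every time because the rebuilt array is allocated while the old one is still live, so the two addresses cannot coincide; a real realloc moves the block only sometimes, which is why this class of bug can pass a small test zone and still crash on a large one. tombstone_safe() mirrors the patched loop: the MOD_DELETE element carries the values read from the copy, the MOD_ADD element the survivors, and the search result itself is never modified.

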
commit 0010822597db4b26858f2a03ea09e070854da782
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Nov 29 20:58:47 2019 +1300

    CVE-2019-14907 lib/util: Do not print the failed to convert string into the logs
    
    The string may be in another charset, or may be sensitive and
    certainly may not be terminated.  It is not safe to just print.
    
    Found by Robert Święcki using a fuzzer he wrote for smbd.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 5884a9733099f5be05e2de5d3452a882b5c35c27
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 12 14:44:57 2019 +1300

    CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs
    
    We cannot process on the basis of a DN, as the DN may have changed in a rename,
    not only that this module can see, but also from repl_meta_data below.
    
    Therefore remove all the complex tree-based change processing, leaving only
    a tree-based sort of the possible objects to be changed, and a single
    stopped_dn variable containing the DN to stop processing below (after
    a no-op change).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit da1d3a0c03c002f6d2ffc6cfc7c0c15a4baa1000
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 6 18:26:42 2019 +1300

    CVE-2019-14902 repl_meta_data: Set renamed = true (and so do SD inheritance) after any rename
    
    Previously if there was a conflict, but the incoming object would still
    win, this was not marked as a rename, and so inheritance was not done.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit febccb4845e75fbf8c382df9f897215835e9d979
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 26 15:50:35 2019 +1300

    CVE-2019-14902 repl_meta_data: Fix issue where inherited Security Descriptors were not replicated.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 2cf368d0023c68dc91f50e4cd73fcc83f77cf234
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 6 18:05:54 2019 +1300

    CVE-2019-14902 repl_meta_data: schedule SD propagation to a renamed DN
    
    We need to check the SD of the parent if we rename; it is not the same as an incoming SD change.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit dc1b30c8316d99415e4968dc98779763102994dd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 6 17:54:23 2019 +1300

    CVE-2019-14902 dsdb: Ensure we honour both change->force_self and change->force_children
    
    If we are renaming a DN we can be in a situation where we need to
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 68a91b11e40c3670a0c45c72067ccd886fdad530
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 26 16:17:32 2019 +1300

    CVE-2019-14902 dsdb: Add comments explaining why SD propagation needs to be done here
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 971247385a4ab30709d2ed1728cce13dc59f4713
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 26 15:44:32 2019 +1300

    CVE-2019-14902 dsdb: Explain that descriptor_sd_propagation_recursive() is protected by a transaction
    
    This means we can trust the DB did not change between the two search
    requests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 50498111ac038e74c58208c604e9f10c90b03688
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 16 11:29:27 2019 +1300

    selftest: Add test to confirm ACL inheritance really happens
    
    While we have a separate test (sec_descriptor.py) that confirms inheritance in
    general, we want to lock in these specific patterns, as this test covers
    rename.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 59a7bbe0c155aa00aec93842cbf29c5e5c816929
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 10 15:16:24 2019 +1300

    CVE-2019-14902 selftest: Add test for a special case around replicated renames
    
    It appears Samba is currently string-name based in the ACL inheritance code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 6b6a993e6afe5b077c53ab2d21a34505fbd13eb5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 28 17:16:16 2019 +1300

    CVE-2019-14902 selftest: Add test for replication of inherited security descriptors
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 98761ff1b2e50a26b9ce39eab0b4cb630649a155
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Dec 16 15:54:00 2019 +0100

    VERSION: Bump version up to 4.11.5...
    
    and re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    (cherry picked from commit 5a75d9814091631001be8d7d8ccec66ea6380cfb)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                         |   2 +-
 WHATSNEW.txt                                    |  76 ++++-
 lib/util/charset/convert_string.c               |  38 +--
 source4/dsdb/kcc/scavenge_dns_records.c         |  51 ++-
 source4/dsdb/samdb/ldb_modules/acl_util.c       |   4 +-
 source4/dsdb/samdb/ldb_modules/descriptor.c     | 291 +++++++++--------
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c |  55 +++-
 source4/dsdb/samdb/samdb.h                      |   2 +-
 source4/selftest/tests.py                       |   5 +
 source4/torture/drs/python/repl_secdesc.py      | 400 ++++++++++++++++++++++++
 10 files changed, 752 insertions(+), 172 deletions(-)
 create mode 100644 source4/torture/drs/python/repl_secdesc.py


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index b53fc3ab1db..27b90031747 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=11
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 830081446ab..99272550643 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,75 @@
+                   ==============================
+                   Release Notes for Samba 4.11.5
+                          January 21, 2020
+		   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
+		  Directory not automatic.        
+o CVE-2019-14907: Crash after failed character conversion at log level 3 or
+		  above.                                               
+o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
+                                                                                
+                                                                                
+=======                                                                         
+Details                                                                         
+=======                                                                         
+                                                                                
+o  CVE-2019-14902:                                                                                
+   The implementation of ACL inheritance in the Samba AD DC was not complete,
+   and so absent a 'full-sync' replication, ACLs could get out of sync between
+   domain controllers. 
+
+o  CVE-2019-14907:
+   When processing untrusted string input Samba can read past the end of the
+   allocated buffer when printing a "Conversion error" message to the logs.
+
+o  CVE-2019-19344:                                                                                
+   During DNS zone scavenging (of expired dynamic entries) there is a read of
+   memory after it has been freed.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.11.4:
+---------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 12497: CVE-2019-14902: Replication of ACLs down subtree on AD Directory
+     not automatic.
+   * BUG 14208: CVE-2019-14907: lib/util: Do not print the failed to convert
+     string into the logs.
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 14050: CVE-2019-19344: kcc dns scavenging: Fix use after free in
+     dns_tombstone_records_zone.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    ==============================
                    Release Notes for Samba 4.11.4
                           December 16, 2019
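Review bot: the added release-notes block has whitespace problems that will ship verbatim in the tarball's WHATSNEW.txt: the underline below `January 21, 2020` is tab-indented while the matching one above `Release Notes for Samba 4.11.5` uses spaces, the continuation lines `Directory not automatic.` and `above.` are tab-indented, and those two lines plus the run from the blank lines after them down to `o  CVE-2019-14902:` end in trailing spaces (as does `o  CVE-2019-19344:`). Normalising to spaces and stripping the trailing whitespace keeps the block consistent with the 4.11.4 notes that follow.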
@@ -76,8 +148,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 4.11.3
diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c
index d274e305a0c..b725b53cb5a 100644
--- a/lib/util/charset/convert_string.c
+++ b/lib/util/charset/convert_string.c
@@ -293,31 +293,31 @@ bool convert_string_handle(struct smb_iconv_handle *ic,
 		switch(errno) {
 			case EINVAL:
 				reason="Incomplete multibyte sequence";
-				DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",
-					 reason, (const char *)src));
+				DBG_NOTICE("Conversion error: %s\n",
+					 reason);
 				break;
 			case E2BIG:
 			{
 				reason="No more room";
 				if (from == CH_UNIX) {
-					DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s' error: %s\n",
-						 charset_name(ic, from), charset_name(ic, to),
-						 (unsigned int)srclen, (unsigned int)destlen, (const char *)src, reason));
+					DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
+						   charset_name(ic, from), charset_name(ic, to),
+						   (unsigned int)srclen, (unsigned int)destlen, reason);
 				} else {
-					DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
-						 charset_name(ic, from), charset_name(ic, to),
-						 (unsigned int)srclen, (unsigned int)destlen, reason));
+					DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
+						   charset_name(ic, from), charset_name(ic, to),
+						   (unsigned int)srclen, (unsigned int)destlen, reason);
 				}
 				break;
 			}
 			case EILSEQ:
 				reason="Illegal multibyte sequence";
-				DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",
-					 reason, (const char *)src));
+				DBG_NOTICE("convert_string_internal: Conversion error: %s\n",
+					   reason);
 				break;
 			default:
-				DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n",
-					 reason, (const char *)src));
+				DBG_ERR("convert_string_internal: Conversion error: %s\n",
+					reason);
 				break;
 		}
 		/* smb_panic(reason); */
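Review bot: the EINVAL branch drops the `convert_string_internal:` prefix while the EILSEQ and default branches keep it, so three messages for the same kind of failure now read differently for no reason; the DBG_NOTICE/DBG_ERR macros already prefix the calling function, so drop the prefix in the other two cases as well. Consider also carrying `srclen=%u destlen=%u` into the EINVAL and EILSEQ messages: the E2BIG case keeps those counts, they are plain integers and safe to log, and they are the one piece of context left for anyone diagnosing a malformed sequence now that the bytes themselves are (rightly) no longer printed.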
@@ -427,20 +427,22 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic,
 		switch(errno) {
 			case EINVAL:
 				reason="Incomplete multibyte sequence";
-				DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));
+				DBG_NOTICE("Conversion error: %s\n",
+					   reason);
 				break;
 			case E2BIG:
 				reason = "output buffer is too small";
-				DBG_NOTICE("convert_string_talloc: "
-					   "Conversion error: %s(%s)\n",
-					   reason, inbuf);
+				DBG_NOTICE("Conversion error: %s\n",
+					   reason);
 				break;
 			case EILSEQ:
 				reason="Illegal multibyte sequence";
-				DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));
+				DBG_NOTICE("Conversion error: %s\n",
+					   reason);
 				break;
 			default:
-				DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf));
+				DBG_ERR("Conversion error: %s\n",
+					reason);
 				break;
 		}
 		/* smb_panic(reason); */
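Review bot: the `default:` branch now logs only `reason`, which this branch does not set (its initial value lies outside the hunk), so the message carries nothing that identifies what went wrong. Log the errno value there, for example `DBG_ERR("Conversion error: %s (errno=%d)\n", reason, errno);` with errno copied to a local before the `switch` so the logging call cannot clobber it; the same applies to the `default:` case in the convert_string_handle() hunk above. Dropping `inbuf` from all four messages is the right call: it is not guaranteed to be NUL-terminated and may hold data that should not reach a log.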
diff --git a/source4/dsdb/kcc/scavenge_dns_records.c b/source4/dsdb/kcc/scavenge_dns_records.c
index 6c0684b3153..8e916cf7b06 100644
--- a/source4/dsdb/kcc/scavenge_dns_records.c
+++ b/source4/dsdb/kcc/scavenge_dns_records.c
@@ -128,6 +128,8 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 	struct ldb_message_element *el = NULL;
 	struct ldb_message_element *tombstone_el = NULL;
 	struct ldb_message_element *old_el = NULL;
+	struct ldb_message *new_msg = NULL;
+	struct ldb_message *old_msg = NULL;
 	int ret;
 	struct GUID guid;
 	struct GUID_txt_buf buf_guid;
@@ -184,12 +186,29 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 	 * change.  This prevents race conditions.
 	 */
 	for (i = 0; i < res->count; i++) {
-		old_el = ldb_msg_find_element(res->msgs[i], "dnsRecord");
+		old_msg = ldb_msg_copy(mem_ctx, res->msgs[i]);
+		if (old_msg == NULL) {
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+
+		old_el = ldb_msg_find_element(old_msg, "dnsRecord");
+		if (old_el == NULL) {
+			TALLOC_FREE(old_msg);
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+
 		old_el->flags = LDB_FLAG_MOD_DELETE;
+		new_msg = ldb_msg_copy(mem_ctx, old_msg);
+		if (new_msg == NULL) {
+			TALLOC_FREE(old_msg);
+			return NT_STATUS_INTERNAL_ERROR;
+		}
 
 		ret = ldb_msg_add_empty(
-		    res->msgs[i], "dnsRecord", LDB_FLAG_MOD_ADD, &el);
+		    new_msg, "dnsRecord", LDB_FLAG_MOD_ADD, &el);
 		if (ret != LDB_SUCCESS) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
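Review bot: the two copies are the right fix, but a comment next to `old_msg = ldb_msg_copy(mem_ctx, res->msgs[i]);` should say why there are two: `old_el` must point into a message whose element array is never reallocated, and `ldb_msg_add_empty(new_msg, ...)` only reallocates `new_msg->elements`, so `old_el` stays valid for the `copy_current_records()` call that follows. Without that explanation the next tidy-up is likely to merge the copies and reintroduce the use after free. The paired `TALLOC_FREE(old_msg); TALLOC_FREE(new_msg);` repeated before every return is also easy to get out of step; allocating both copies under a per-iteration `tmp_ctx = talloc_new(mem_ctx)` and freeing that once on each exit path would remove the repetition.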
@@ -197,12 +216,16 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 		status = copy_current_records(mem_ctx, old_el, el, t);
 
 		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
 		/* If nothing was expired, do nothing. */
 		if (el->num_values == old_el->num_values &&
 		    el->num_values != 0) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			continue;
 		}
 
@@ -213,14 +236,16 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 			el->values = tombstone_blob;
 			el->num_values = 1;
 
-			tombstone_el = ldb_msg_find_element(res->msgs[i],
+			tombstone_el = ldb_msg_find_element(new_msg,
 						  "dnsTombstoned");
 			if (tombstone_el == NULL) {
-				ret = ldb_msg_add_value(res->msgs[i],
+				ret = ldb_msg_add_value(new_msg,
 							"dnsTombstoned",
 							true_struct,
 							&tombstone_el);
 				if (ret != LDB_SUCCESS) {
+					TALLOC_FREE(old_msg);
+					TALLOC_FREE(new_msg);
 					return NT_STATUS_INTERNAL_ERROR;
 				}
 				tombstone_el->flags = LDB_FLAG_MOD_ADD;
@@ -234,13 +259,15 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 			 * Do not change the status of dnsTombstoned
 			 * if we found any live records
 			 */
-			ldb_msg_remove_attr(res->msgs[i],
+			ldb_msg_remove_attr(new_msg,
 					    "dnsTombstoned");
 		}
 
 		/* Set DN to the GUID in case the object was moved. */
-		el = ldb_msg_find_element(res->msgs[i], "objectGUID");
+		el = ldb_msg_find_element(new_msg, "objectGUID");
 		if (el == NULL) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			*error_string =
 			    talloc_asprintf(mem_ctx,
 					    "record has no objectGUID "
@@ -251,20 +278,24 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 
 		status = GUID_from_ndr_blob(el->values, &guid);
 		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			*error_string =
 			    discard_const_p(char, "Error: Invalid GUID.\n");
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
 		GUID_buf_string(&guid, &buf_guid);
-		res->msgs[i]->dn =
+		new_msg->dn =
 		    ldb_dn_new_fmt(mem_ctx, samdb, "<GUID=%s>", buf_guid.buf);
 
 		/* Remove the GUID so we're not trying to modify it. */
-		ldb_msg_remove_attr(res->msgs[i], "objectGUID");
+		ldb_msg_remove_attr(new_msg, "objectGUID");
 
-		ret = ldb_modify(samdb, res->msgs[i]);
+		ret = ldb_modify(samdb, new_msg);
 		if (ret != LDB_SUCCESS) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			*error_string =
 			    talloc_asprintf(mem_ctx,
 					    "Failed to modify dns record "
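Review bot: `new_msg->dn = ldb_dn_new_fmt(mem_ctx, samdb, "<GUID=%s>", buf_guid.buf);` is neither NULL-checked nor parented on `new_msg`. A NULL return reaches `ldb_modify(samdb, new_msg)` with a NULL DN, and on success the DN outlives the `TALLOC_FREE(new_msg)` at the end of the iteration, so a large zone leaks one DN per record until `mem_ctx` goes away; allocate it under `new_msg` and return `NT_STATUS_NO_MEMORY` on NULL. Also, in the `ldb_modify` failure branch both messages are freed before the `talloc_asprintf()` whose argument list is cut off by the hunk; make sure that format references `res->msgs[i]->dn` and not `new_msg->dn`, or move the two frees below it.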
@@ -273,6 +304,8 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 					    ldb_errstring(samdb));
 			return NT_STATUS_INTERNAL_ERROR;
 		}
+		TALLOC_FREE(old_msg);
+		TALLOC_FREE(new_msg);
 	}
 
 	return NT_STATUS_OK;
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 6d645b10fe2..b9931795e19 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -286,7 +286,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
 
 int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
 					struct ldb_dn *nc_root,
-					struct ldb_dn *dn,
+					struct GUID guid,
 					bool include_self)
 {
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
@@ -299,7 +299,7 @@ int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
 	}
 
 	op->nc_root = nc_root;
-	op->dn = dn;
+	op->guid = guid;
 	op->include_self = include_self;
 
 	ret = dsdb_module_extended(module, op, NULL,
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 9018b750ab5..daa08c2ebc7 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -46,9 +46,8 @@
 
 struct descriptor_changes {
 	struct descriptor_changes *prev, *next;
-	struct descriptor_changes *children;
 	struct ldb_dn *nc_root;
-	struct ldb_dn *dn;
+	struct GUID guid;
 	bool force_self;
 	bool force_children;
 	struct ldb_dn *stopped_dn;
@@ -771,7 +770,8 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
 				    current_attrs,
 				    DSDB_FLAG_NEXT_MODULE |
 				    DSDB_FLAG_AS_SYSTEM |
-				    DSDB_SEARCH_SHOW_RECYCLED,
+				    DSDB_SEARCH_SHOW_RECYCLED |
+				    DSDB_SEARCH_SHOW_EXTENDED_DN,
 				    req);
 	if (ret != LDB_SUCCESS) {
 		ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
@@ -832,7 +832,7 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
 		user_sd = old_sd;
 	}
 
-	sd = get_new_descriptor(module, dn, req,
+	sd = get_new_descriptor(module, current_res->msgs[0]->dn, req,
 				objectclass, parent_sd,
 				user_sd, old_sd, sd_flags);
 	if (sd == NULL) {
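Review bot: `get_new_descriptor()` is now handed `current_res->msgs[0]->dn`, which after the `DSDB_SEARCH_SHOW_EXTENDED_DN` added to the search above is the extended form (`<GUID=...>;<SID=...>;CN=...`) rather than the plain `dn` passed before. If anything inside that function linearises or string-compares the DN the result changes; a one-line comment here stating that the extended form is intended, and harmless for what get_new_descriptor() does with it, would save the next reader a trip through that function.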
@@ -869,15 +869,32 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
 			return ldb_oom(ldb);
 		}
 	} else if (cmp_ret != 0) {
+		struct GUID guid;
 		struct ldb_dn *nc_root;
+		NTSTATUS status;
 
-		ret = dsdb_find_nc_root(ldb, msg, dn, &nc_root);
+		ret = dsdb_find_nc_root(ldb,
+					msg,
+					current_res->msgs[0]->dn,
+					&nc_root);
 		if (ret != LDB_SUCCESS) {
 			return ldb_oom(ldb);
 		}
 
-		ret = dsdb_module_schedule_sd_propagation(module, nc_root,
-							  dn, false);
+		status = dsdb_get_extended_dn_guid(current_res->msgs[0]->dn,
+						   &guid,
+						   "GUID");
+		if (!NT_STATUS_IS_OK(status)) {
+			return ldb_operr(ldb);
+		}
+
+		/*
+		 * Force SD propagation on children of this record
+		 */
+		ret = dsdb_module_schedule_sd_propagation(module,
+							  nc_root,
+							  guid,
+							  false);
 		if (ret != LDB_SUCCESS) {
 			return ldb_operr(ldb);
 		}
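Review bot: a failure of `dsdb_find_nc_root()` is still reported with `return ldb_oom(ldb);`, which labels a lookup failure as out of memory; since these lines are being rewritten anyway, `return ldb_operr(ldb);` (as the new `dsdb_get_extended_dn_guid()` error path already does) gives an accurate error. The GUID extraction itself is sound: the search above requests the extended DN, so the `"GUID"` component is present, and keying the deferred propagation on it rather than on `dn` is what survives a rename lower in the module stack.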
@@ -960,16 +977,31 @@ static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
 
 	if (ldb_dn_compare(olddn, newdn) != 0) {
 		struct ldb_dn *nc_root;
+		struct GUID guid;
 
 		ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
 		if (ret != LDB_SUCCESS) {
 			return ldb_oom(ldb);
 		}
 
-		ret = dsdb_module_schedule_sd_propagation(module, nc_root,
-							  newdn, true);
-		if (ret != LDB_SUCCESS) {
-			return ldb_operr(ldb);
+		ret = dsdb_module_guid_by_dn(module,
+					     olddn,
+					     &guid,
+					     req);
+		if (ret == LDB_SUCCESS) {
+			/*
+			 * Without disturbing any errors if the olddn
+			 * does not exit, force SD propagation on
+			 * this record (get a new inherited SD from
+			 * the potentially new parent
+			 */
+			ret = dsdb_module_schedule_sd_propagation(module,
+								  nc_root,
+								  guid,
+								  true);
+			if (ret != LDB_SUCCESS) {
+				return ldb_operr(ldb);
+			}
 		}
 	}
 
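Review bot: `if (ret == LDB_SUCCESS)` treats every failure of `dsdb_module_guid_by_dn()` as "olddn does not exist" and lets the rename continue with no SD propagation scheduled. The comment only intends to tolerate a missing object, so test for `LDB_ERR_NO_SUCH_OBJECT` explicitly and return any other error; otherwise a transient database error silently produces exactly the unsynchronised inherited descriptor this CVE fixes. Two smaller points: the comment's `does not exit` should read `does not exist`, and `ret` still holds the lookup error after the block, so whatever follows must assign it afresh before returning it.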
@@ -985,9 +1017,7 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	struct dsdb_extended_sec_desc_propagation_op *op;
 	TALLOC_CTX *parent_mem = NULL;
-	struct descriptor_changes *parent_change = NULL;
 	struct descriptor_changes *c;
-	int ret;
 
 	op = talloc_get_type(req->op.extended.data,
 			     struct dsdb_extended_sec_desc_propagation_op);
@@ -1004,32 +1034,6 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
 
 	parent_mem = descriptor_private->trans_mem;
 
-	for (c = descriptor_private->changes; c; c = c->next) {
-		ret = ldb_dn_compare(c->nc_root, op->nc_root);
-		if (ret != 0) {
-			continue;
-		}
-
-		ret = ldb_dn_compare(c->dn, op->dn);
-		if (ret == 0) {
-			if (op->include_self) {
-				c->force_self = true;
-			} else {
-				c->force_children = true;
-			}
-			return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
-		}
-
-		ret = ldb_dn_compare_base(c->dn, op->dn);
-		if (ret != 0) {
-			continue;
-		}
-
-		parent_mem = c;
-		parent_change = c;
-		break;
-	}
-
 	c = talloc_zero(parent_mem, struct descriptor_changes);
 	if (c == NULL) {
 		return ldb_module_oom(module);
@@ -1038,21 +1042,14 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
 	if (c->nc_root == NULL) {
 		return ldb_module_oom(module);
 	}
-	c->dn = ldb_dn_copy(c, op->dn);
-	if (c->dn == NULL) {
-		return ldb_module_oom(module);
-	}
+	c->guid = op->guid;
 	if (op->include_self) {
 		c->force_self = true;
 	} else {


-- 
Samba Shared Repository
