[SCM] Samba Shared Repository - branch v4-10-stable updated

Karolin Seeger kseeger at samba.org
Tue Jan 21 09:10:55 UTC 2020


The branch, v4-10-stable has been updated
       via  06f7473fe56 VERSION: Disable GIT_SNAPSHOT for the 4.10.12 release.
       via  8e1313322ce WHATSNEW: Add release notes for Samba 4.11.5.
       via  ed516929162 CVE-2019-19344 kcc dns scavenging: Fix use after free in dns_tombstone_records_zone
       via  7deeb0c93bb CVE-2019-14907 lib/util: Do not print the failed to convert string into the logs
       via  28e6066e5db CVE-2019-14907 lib/util/charset: clang: Fix Value stored to 'reason' is never read warning
       via  90c1563cb83 CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs
       via  d257c764a7b CVE-2019-14902 repl_meta_data: Set renamed = true (and so do SD inheritance) after any rename
       via  cf95287171e CVE-2019-14902 repl_meta_data: Fix issue where inherited Security Descriptors were not replicated.
       via  efb7ac7efe0 CVE-2019-14902 repl_meta_data: schedule SD propagation to a renamed DN
       via  f3e3e8deb46 CVE-2019-14902 dsdb: Ensure we honour both change->force_self and change->force_children
       via  8092b27908c CVE-2019-14902 dsdb: Add comments explaining why SD propagation needs to be done here
       via  17e6091b99a CVE-2019-14902 dsdb: Explain that descriptor_sd_propagation_recursive() is protected by a transaction
       via  62e098fec23 selftest: Add test to confirm ACL inheritance really happens
       via  9480a26697e CVE-2019-14902 selftest: Add test for a special case around replicated renames
       via  e7eeb725858 CVE-2019-14902 selftest: Add test for replication of inherited security descriptors
       via  a4c62918730 VERSION: Re-enable GIT_SNAPSHOT.
       via  32d2cd1f5b5 VERSION: Bump version up to 4.10.12.
      from  d644dfea6f2 VERSION: Disable GIT_SNAPSHOT for the 4.10.11 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-stable


- Log -----------------------------------------------------------------
commit 06f7473fe565b3e2fd9413cbdcc77439d9907735
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Jan 9 12:51:27 2020 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.10.12 release.
    
    o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
                      Directory not automatic.
    o CVE-2019-14907: Crash after failed character conversion at log level 3 or
                      above.
    o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 8e1313322ce62b1dbd56957faa849e83d7c9ddfe
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Jan 9 12:48:31 2020 +0100

    WHATSNEW: Add release notes for Samba 4.11.5.
    
    o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
                      Directory not automatic.
    o CVE-2019-14907: Crash after failed character conversion at log level 3 or
                      above.
    o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit ed5169291628b663c6d641f3c9e8d89bb84f91ac
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Mon Dec 16 13:57:47 2019 +1300

    CVE-2019-19344 kcc dns scavenging: Fix use after free in dns_tombstone_records_zone
    
    ldb_msg_add_empty reallocates the underlying element array, leaving
    old_el pointing to freed memory.
    
    This patch takes two defensive copies of the ldb message, and performs
    the updates on them rather than the ldb messages in the result.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14050
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
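
The mechanism the commit message describes, as an added example that is not Samba or ldb code: a stand-in message type whose element array is moved to a new allocation when an attribute is added (what ldb_msg_add_empty does to the real message), run once the pre-fix way (old_el taken from the same message that is then grown) and once the fixed way (old_el taken from a defensive copy, the add applied to a second copy). Struct and function names, the integer flag values and the two attribute names are this example's own assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for ldb_message / ldb_message_element (this example's own). */
struct elem { const char *name; int flags; unsigned num_values; };
struct msg  { unsigned num_elements; struct elem *elements; };

static struct elem *msg_find(struct msg *m, const char *name)
{
	for (unsigned i = 0; i < m->num_elements; i++) {
		if (strcmp(m->elements[i].name, name) == 0) {
			return &m->elements[i];
		}
	}
	return NULL;
}

/*
 * Models ldb_msg_add_empty(): the element array is grown by allocating a
 * larger block, copying and freeing the old one, so every pointer taken
 * into the old array (old_el in the scavenger) is left dangling.
 */
static int msg_add_empty(struct msg *m, const char *name, int flags,
			 struct elem **out)
{
	struct elem *grown = malloc((m->num_elements + 1) * sizeof(*grown));
	if (grown == NULL) {
		return -1;
	}
	if (m->num_elements > 0) {
		memcpy(grown, m->elements, m->num_elements * sizeof(*grown));
	}
	free(m->elements);
	m->elements = grown;
	grown[m->num_elements] = (struct elem){ name, flags, 0 };
	*out = &grown[m->num_elements];
	m->num_elements++;
	return 0;
}

/* Models ldb_msg_copy(): a copy with its own element array. */
static int msg_copy(struct msg *dst, const struct msg *src)
{
	dst->elements = calloc(src->num_elements + 1, sizeof(*dst->elements));
	if (dst->elements == NULL) {
		return -1;
	}
	memcpy(dst->elements, src->elements,
	       src->num_elements * sizeof(*dst->elements));
	dst->num_elements = src->num_elements;
	return 0;
}

/* True if p addresses an element of m's current array; never dereferences p. */
static int points_into(const struct msg *m, const struct elem *p)
{
	uintptr_t lo = (uintptr_t)m->elements;
	uintptr_t hi = lo + (uintptr_t)m->num_elements * sizeof(*p);
	return (uintptr_t)p >= lo && (uintptr_t)p < hi;
}

/*
 * One iteration of the scavenge loop. defensive_copies == 0 follows the
 * pre-fix code (old_el taken from the message that is then grown);
 * 1 follows the fix (old_el from old_msg, the add applied to new_msg).
 * Returns 1 if old_el still addresses live memory where the original code
 * went on to read old_el->num_values, 0 if it dangles, -1 on alloc failure.
 */
int old_el_live_after_add(int defensive_copies)
{
	struct msg result = { 0, NULL };              /* stands in for res->msgs[i] */
	struct msg old_msg = { 0, NULL }, new_msg = { 0, NULL }, *target, *owner;
	struct elem *el = NULL, *old_el = NULL;
	int live = -1;

	if (msg_add_empty(&result, "dnsRecord", 0, &el) != 0 ||
	    msg_add_empty(&result, "objectGUID", 0, &el) != 0) {
		goto out;
	}
	if (defensive_copies) {
		if (msg_copy(&old_msg, &result) != 0) {
			goto out;
		}
		old_el = msg_find(&old_msg, "dnsRecord");
		old_el->flags = 1;                    /* LDB_FLAG_MOD_DELETE stand-in */
		if (msg_copy(&new_msg, &old_msg) != 0) {
			goto out;
		}
		target = &new_msg;
		owner = &old_msg;
	} else {
		old_el = msg_find(&result, "dnsRecord");
		old_el->flags = 1;
		target = &result;
		owner = &result;
	}
	/* the ldb_msg_add_empty(..., "dnsRecord", LDB_FLAG_MOD_ADD, &el) step */
	if (msg_add_empty(target, "dnsRecord", 2, &el) == 0) {
		live = points_into(owner, old_el);    /* unfixed: old array is gone */
	}
out:
	free(result.elements);
	free(old_msg.elements);
	free(new_msg.elements);
	return live;
}
```

The unfixed path never dereferences old_el after the add (that would be the use-after-free itself); it only compares addresses, which is enough to show that the pointer no longer lies inside the message's element array. The check is deterministic because the grown array is allocated while the old one is still live, so the two blocks cannot overlap.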

commit 7deeb0c93bb5da014ea3d259ab9dbd63e8be72cb
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Nov 29 20:58:47 2019 +1300

    CVE-2019-14907 lib/util: Do not print the failed to convert string into the logs
    
    The string may be in another charset, or may be sensitive and
    certainly may not be terminated.  It is not safe to just print.
    
    Found by Robert Święcki using a fuzzer he wrote for smbd.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    (adapted from master commit)

commit 28e6066e5db61ca0a375fd8712385c0d1761b257
Author: Noel Power <noel.power at suse.com>
Date:   Fri May 24 13:37:00 2019 +0000

    CVE-2019-14907 lib/util/charset: clang: Fix Value stored to 'reason' is never read warning
    
    Fixes:
    
    lib/util/charset/convert_string.c:301:5: warning: Value stored to 'reason' is never read <--[clang]
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    (cherry picked from commit add47e288bc80c1bf45765d1588a9fa5998ea677)

commit 90c1563cb83a59fb4d9b997fbde76bcec1092c29
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 12 14:44:57 2019 +1300

    CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs
    
    We can not process on the basis of a DN, as the DN may have changed in a rename,
    not only that this module can see, but also from repl_meta_data below.
    
    Therefore remove all the complex tree-based change processing, leaving only
    a tree-based sort of the possible objects to be changed, and a single
    stopped_dn variable containing the DN to stop processing below (after
    a no-op change).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
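
Why keying the deferred work on a GUID matters, as an added example that is not dsdb code: a toy directory with an in-transaction queue of pending SD propagations that can be keyed either by DN or by objectGUID. An object is queued, then renamed by a lower layer before the queue runs, which is the sequence the commit message describes. The struct and function names, the constructed GUID and DNs, and the integer return convention are this example's own assumptions.

```c
#include <string.h>

/* Constructed model of deferred SD propagation, not dsdb code. */
#define MAX_OBJS 4
#define MAX_PENDING 4

struct object {
	char guid[40];            /* immutable identity (objectGUID) */
	char dn[96];              /* name, changed by a rename */
	int sd_recomputed;        /* set once the inherited SD is refreshed */
};

enum key_kind { KEY_BY_DN, KEY_BY_GUID };

struct pending_change {       /* stand-in for struct descriptor_changes */
	enum key_kind kind;
	char key[96];
	int force_self;
};

struct directory {
	struct object objs[MAX_OBJS];
	unsigned num_objs;
	struct pending_change queue[MAX_PENDING];
	unsigned num_pending;
};

static struct object *lookup(struct directory *d, enum key_kind kind,
			     const char *key)
{
	for (unsigned i = 0; i < d->num_objs; i++) {
		const char *have = kind == KEY_BY_DN ? d->objs[i].dn
						     : d->objs[i].guid;
		if (strcmp(have, key) == 0) {
			return &d->objs[i];
		}
	}
	return NULL;
}

/* Models dsdb_module_schedule_sd_propagation(): record work for commit time. */
static int schedule_sd_propagation(struct directory *d, enum key_kind kind,
				   const struct object *o, int include_self)
{
	struct pending_change *c;

	if (d->num_pending == MAX_PENDING) {
		return -1;
	}
	c = &d->queue[d->num_pending++];
	c->kind = kind;
	strcpy(c->key, kind == KEY_BY_DN ? o->dn : o->guid);
	c->force_self = include_self;
	return 0;
}

/* Models the commit-time walk over the queue. Returns how many entries still
 * resolved to a live object and therefore had their SD recomputed. */
static unsigned run_pending(struct directory *d)
{
	unsigned done = 0;

	for (unsigned i = 0; i < d->num_pending; i++) {
		struct object *o = lookup(d, d->queue[i].kind, d->queue[i].key);
		if (o == NULL) {
			continue;         /* a DN-keyed entry now names nothing */
		}
		if (d->queue[i].force_self) {
			o->sd_recomputed = 1;
		}
		done++;
	}
	d->num_pending = 0;
	return done;
}

/*
 * Scenario: propagation is scheduled for an object, then a lower module
 * renames it inside the same transaction, then the queue runs. Returns the
 * number of queued propagations that reached the object (1 if none were lost).
 */
unsigned propagation_survives_rename(enum key_kind kind)
{
	struct directory d;
	struct object *o;

	memset(&d, 0, sizeof(d));
	o = &d.objs[d.num_objs++];
	strcpy(o->guid, "1d8e6b6c-0000-4000-8000-000000000001");   /* constructed */
	strcpy(o->dn, "CN=host1,OU=Servers,DC=example,DC=com");
	if (schedule_sd_propagation(&d, kind, o, 1) != 0) {
		return 0;
	}
	strcpy(o->dn, "CN=host1,OU=Retired,DC=example,DC=com");   /* the rename */
	return run_pending(&d);
}
```

With KEY_BY_DN the queued entry is orphaned by the rename and the object keeps its stale inherited SD; with KEY_BY_GUID the same entry still finds the object under its new name. The same reasoning applies to any deferred-work queue in a directory: key it on the identifier the rename cannot change.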

commit d257c764a7ba2747af2d8202ad4c0b3dbc030aa6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 6 18:26:42 2019 +1300

    CVE-2019-14902 repl_meta_data: Set renamed = true (and so do SD inheritance) after any rename
    
    Previously if there was a conflict, but the incoming object would still
    win, this was not marked as a rename, and so inheritance was not done.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit cf95287171e9ac883105ca036db0c9a9ed45c83f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 26 15:50:35 2019 +1300

    CVE-2019-14902 repl_meta_data: Fix issue where inherited Security Descriptors were not replicated.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit efb7ac7efe08edf92275cad3e30bf2c12a8ae053
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 6 18:05:54 2019 +1300

    CVE-2019-14902 repl_meta_data: schedule SD propagation to a renamed DN
    
    We need to check the SD of the parent if we rename, it is not the same as an incoming SD change.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit f3e3e8deb4604c9c6dd0f929a969676cbb68f8d8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 6 17:54:23 2019 +1300

    CVE-2019-14902 dsdb: Ensure we honour both change->force_self and change->force_children
    
    If we are renaming a DN we can be in a situation where we need to
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 8092b27908cfb1afb70b7daed680c764cb5bd826
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 26 16:17:32 2019 +1300

    CVE-2019-14902 dsdb: Add comments explaining why SD propagation needs to be done here
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 17e6091b99a6ff7688305ee360e8737498b87724
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 26 15:44:32 2019 +1300

    CVE-2019-14902 dsdb: Explain that descriptor_sd_propagation_recursive() is protected by a transaction
    
    This means we can trust the DB did not change between the two search
    requests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 62e098fec23b14c8edc67f359947863eb269ed7e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 16 11:29:27 2019 +1300

    selftest: Add test to confirm ACL inheritance really happens
    
    While we have a separate test (sec_descriptor.py) that confirms inheritance in
    general we want to lock in these specific patterns as this test covers
    rename.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 9480a26697e84f61b33a642c0013fea7aff51f4b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 10 15:16:24 2019 +1300

    CVE-2019-14902 selftest: Add test for a special case around replicated renames
    
    It appears Samba is currently string-name based in the ACL inheritance code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit e7eeb7258586dccfd528b75713ceec57cb82907c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 28 17:16:16 2019 +1300

    CVE-2019-14902 selftest: Add test for replication of inherited security descriptors
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit a4c62918730851ea78705d83dca60b20705f0e12
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Jan 9 12:49:43 2020 +0100

    VERSION: Re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 32d2cd1f5b5a5541e1ca45c2e65fa1221722ff23
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Dec 16 09:03:42 2019 +0100

    VERSION: Bump version up to 4.10.12.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    
    Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-10-test): Mon Dec 16 11:27:12 UTC 2019 on sn-devel-144
    
    (cherry picked from commit bbeb73b40b885364a9ccf9108d4a930eaba0686c)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                         |   2 +-
 WHATSNEW.txt                                    |  76 ++++-
 lib/util/charset/convert_string.c               |  33 +-
 source4/dsdb/kcc/scavenge_dns_records.c         |  51 ++-
 source4/dsdb/samdb/ldb_modules/acl_util.c       |   4 +-
 source4/dsdb/samdb/ldb_modules/descriptor.c     | 291 +++++++++--------
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c |  55 +++-
 source4/dsdb/samdb/samdb.h                      |   2 +-
 source4/selftest/tests.py                       |   6 +
 source4/torture/drs/python/repl_secdesc.py      | 400 ++++++++++++++++++++++++
 10 files changed, 751 insertions(+), 169 deletions(-)
 create mode 100644 source4/torture/drs/python/repl_secdesc.py


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index c5e6d3f40c6..79bbc07fd9d 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=10
-SAMBA_VERSION_RELEASE=11
+SAMBA_VERSION_RELEASE=12
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6b3fbc88d50..82e54d46a79 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,75 @@
+                   ===============================
+                   Release Notes for Samba 4.10.12
+                          January 21, 2020
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
+		  Directory not automatic.
+o CVE-2019-14907: Crash after failed character conversion at log level 3 or
+		  above.
+o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
+
+
+=======
+Details
+=======
+
+o  CVE-2019-14902:
+   The implementation of ACL inheritance in the Samba AD DC was not complete,
+   and so absent a 'full-sync' replication, ACLs could get out of sync between
+   domain controllers.
+
+o  CVE-2019-14907:
+   When processing untrusted string input Samba can read past the end of the
+   allocated buffer when printing a "Conversion error" message to the logs.
+
+o  CVE-2019-19344:
+   During DNS zone scavenging (of expired dynamic entries) there is a read of
+   memory after it has been freed.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.10.11
+----------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 12497: CVE-2019-14902: Replication of ACLs down subtree on AD Directory
+     not automatic.
+   * BUG 14208: CVE-2019-14907: lib/util: Do not print the failed to convert
+     string into the logs.
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 14050: CVE-2019-19344: kcc dns scavenging: Fix use after free in
+     dns_tombstone_records_zone.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    ===============================
                    Release Notes for Samba 4.10.11
                           December 10, 2019
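Review bot: The "Changes since 4.10.11" list credits BUG 14208 / CVE-2019-14907 only to Andrew Bartlett, but this push also carries Noel Power's cherry-pick 28e6066e5db (the clang "Value stored to 'reason' is never read" fix in convert_string.c) under the same CVE tag; either add an entry under his name or drop the CVE prefix from that commit so the release notes and the log agree on what the CVE fix consists of.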
@@ -57,8 +129,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ===============================
                    Release Notes for Samba 4.10.10
diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c
index 196302aacfd..b546e056953 100644
--- a/lib/util/charset/convert_string.c
+++ b/lib/util/charset/convert_string.c
@@ -293,31 +293,31 @@ bool convert_string_handle(struct smb_iconv_handle *ic,
 		switch(errno) {
 			case EINVAL:
 				reason="Incomplete multibyte sequence";
-				DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",
-					 reason, (const char *)src));
+				DBG_NOTICE("Conversion error: %s\n",
+					 reason);
 				break;
 			case E2BIG:
 			{
 				reason="No more room";
 				if (from == CH_UNIX) {
-					DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s'\n",
-						 charset_name(ic, from), charset_name(ic, to),
-						 (unsigned int)srclen, (unsigned int)destlen, (const char *)src));
+					DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
+						   charset_name(ic, from), charset_name(ic, to),
+						   (unsigned int)srclen, (unsigned int)destlen, reason);
 				} else {
-					DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u\n",
-						 charset_name(ic, from), charset_name(ic, to),
-						 (unsigned int)srclen, (unsigned int)destlen));
+					DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
+						   charset_name(ic, from), charset_name(ic, to),
+						   (unsigned int)srclen, (unsigned int)destlen, reason);
 				}
 				break;
 			}
 			case EILSEQ:
 				reason="Illegal multibyte sequence";
-				DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",
-					 reason, (const char *)src));
+				DBG_NOTICE("convert_string_internal: Conversion error: %s\n",
+					   reason);
 				break;
 			default:
-				DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n",
-					 reason, (const char *)src));
+				DBG_ERR("convert_string_internal: Conversion error: %s\n",
+					reason);
 				break;
 		}
 		/* smb_panic(reason); */
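Review bot: After this change the two branches of `if (from == CH_UNIX)` in the E2BIG case emit the identical DBG_NOTICE line (the only difference was the trailing '%s' of src, which is what this CVE fix removes), so the conditional is now dead and the two calls can be collapsed into one. Smaller point: the EINVAL message has lost its "convert_string_internal:" prefix while the EILSEQ and default messages keep it, and per the hunk header this code lives in convert_string_handle, so the prefix names the wrong function anyway; drop it from all three for consistency.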
@@ -427,16 +427,19 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic,
 		switch(errno) {
 			case EINVAL:
 				reason="Incomplete multibyte sequence";
-				DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));
+				DBG_NOTICE("Conversion error: %s\n",
+					   reason);
 				break;
 			case E2BIG:
 				goto convert;
 			case EILSEQ:
 				reason="Illegal multibyte sequence";
-				DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));
+				DBG_NOTICE("Conversion error: %s\n",
+					   reason);
 				break;
 			default:
-				DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf));
+				DBG_ERR("Conversion error: %s\n",
+					reason);
 				break;
 		}
 		/* smb_panic(reason); */
diff --git a/source4/dsdb/kcc/scavenge_dns_records.c b/source4/dsdb/kcc/scavenge_dns_records.c
index 6c0684b3153..8e916cf7b06 100644
--- a/source4/dsdb/kcc/scavenge_dns_records.c
+++ b/source4/dsdb/kcc/scavenge_dns_records.c
@@ -128,6 +128,8 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 	struct ldb_message_element *el = NULL;
 	struct ldb_message_element *tombstone_el = NULL;
 	struct ldb_message_element *old_el = NULL;
+	struct ldb_message *new_msg = NULL;
+	struct ldb_message *old_msg = NULL;
 	int ret;
 	struct GUID guid;
 	struct GUID_txt_buf buf_guid;
@@ -184,12 +186,29 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 	 * change.  This prevents race conditions.
 	 */
 	for (i = 0; i < res->count; i++) {
-		old_el = ldb_msg_find_element(res->msgs[i], "dnsRecord");
+		old_msg = ldb_msg_copy(mem_ctx, res->msgs[i]);
+		if (old_msg == NULL) {
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+
+		old_el = ldb_msg_find_element(old_msg, "dnsRecord");
+		if (old_el == NULL) {
+			TALLOC_FREE(old_msg);
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+
 		old_el->flags = LDB_FLAG_MOD_DELETE;
+		new_msg = ldb_msg_copy(mem_ctx, old_msg);
+		if (new_msg == NULL) {
+			TALLOC_FREE(old_msg);
+			return NT_STATUS_INTERNAL_ERROR;
+		}
 
 		ret = ldb_msg_add_empty(
-		    res->msgs[i], "dnsRecord", LDB_FLAG_MOD_ADD, &el);
+		    new_msg, "dnsRecord", LDB_FLAG_MOD_ADD, &el);
 		if (ret != LDB_SUCCESS) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
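Review bot: The four new early returns in this hunk (ldb_msg_copy of the result failing, "dnsRecord" missing from old_msg, the second ldb_msg_copy failing, ldb_msg_add_empty failing) return NT_STATUS_INTERNAL_ERROR without setting *error_string, whereas the existing failure paths later in this function (missing objectGUID, invalid GUID, ldb_modify failure) all fill it in before returning; the caller will report a scavenge failure with no message. At minimum the `old_el == NULL` case, which is a data condition rather than allocation failure, should set *error_string naming res->msgs[i]->dn.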
@@ -197,12 +216,16 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 		status = copy_current_records(mem_ctx, old_el, el, t);
 
 		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
 		/* If nothing was expired, do nothing. */
 		if (el->num_values == old_el->num_values &&
 		    el->num_values != 0) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			continue;
 		}
 
@@ -213,14 +236,16 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 			el->values = tombstone_blob;
 			el->num_values = 1;
 
-			tombstone_el = ldb_msg_find_element(res->msgs[i],
+			tombstone_el = ldb_msg_find_element(new_msg,
 						  "dnsTombstoned");
 			if (tombstone_el == NULL) {
-				ret = ldb_msg_add_value(res->msgs[i],
+				ret = ldb_msg_add_value(new_msg,
 							"dnsTombstoned",
 							true_struct,
 							&tombstone_el);
 				if (ret != LDB_SUCCESS) {
+					TALLOC_FREE(old_msg);
+					TALLOC_FREE(new_msg);
 					return NT_STATUS_INTERNAL_ERROR;
 				}
 				tombstone_el->flags = LDB_FLAG_MOD_ADD;
@@ -234,13 +259,15 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 			 * Do not change the status of dnsTombstoned
 			 * if we found any live records
 			 */
-			ldb_msg_remove_attr(res->msgs[i],
+			ldb_msg_remove_attr(new_msg,
 					    "dnsTombstoned");
 		}
 
 		/* Set DN to the GUID in case the object was moved. */
-		el = ldb_msg_find_element(res->msgs[i], "objectGUID");
+		el = ldb_msg_find_element(new_msg, "objectGUID");
 		if (el == NULL) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			*error_string =
 			    talloc_asprintf(mem_ctx,
 					    "record has no objectGUID "
@@ -251,20 +278,24 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 
 		status = GUID_from_ndr_blob(el->values, &guid);
 		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			*error_string =
 			    discard_const_p(char, "Error: Invalid GUID.\n");
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
 		GUID_buf_string(&guid, &buf_guid);
-		res->msgs[i]->dn =
+		new_msg->dn =
 		    ldb_dn_new_fmt(mem_ctx, samdb, "<GUID=%s>", buf_guid.buf);
 
 		/* Remove the GUID so we're not trying to modify it. */
-		ldb_msg_remove_attr(res->msgs[i], "objectGUID");
+		ldb_msg_remove_attr(new_msg, "objectGUID");
 
-		ret = ldb_modify(samdb, res->msgs[i]);
+		ret = ldb_modify(samdb, new_msg);
 		if (ret != LDB_SUCCESS) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			*error_string =
 			    talloc_asprintf(mem_ctx,
 					    "Failed to modify dns record "
@@ -273,6 +304,8 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 					    ldb_errstring(samdb));
 			return NT_STATUS_INTERNAL_ERROR;
 		}
+		TALLOC_FREE(old_msg);
+		TALLOC_FREE(new_msg);
 	}
 
 	return NT_STATUS_OK;
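Review bot: `new_msg->dn = ldb_dn_new_fmt(mem_ctx, ...)` still parents the rebuilt DN to the long-lived mem_ctx, but new_msg is now freed at the end of every iteration, so one DN per scavenged record outlives the message it belongs to until mem_ctx goes away; pass new_msg as the talloc parent instead. More generally, the nine TALLOC_FREE(old_msg) / TALLOC_FREE(new_msg) pairs added across this function would reduce to a single free if both copies (and this DN) hung off a per-iteration `tmp_ctx = talloc_new(mem_ctx)` released at each exit of the loop body.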
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 6d645b10fe2..b9931795e19 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -286,7 +286,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
 
 int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
 					struct ldb_dn *nc_root,
-					struct ldb_dn *dn,
+					struct GUID guid,
 					bool include_self)
 {
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
@@ -299,7 +299,7 @@ int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
 	}
 
 	op->nc_root = nc_root;
-	op->dn = dn;
+	op->guid = guid;
 	op->include_self = include_self;
 
 	ret = dsdb_module_extended(module, op, NULL,
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 9018b750ab5..daa08c2ebc7 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -46,9 +46,8 @@
 
 struct descriptor_changes {
 	struct descriptor_changes *prev, *next;
-	struct descriptor_changes *children;
 	struct ldb_dn *nc_root;
-	struct ldb_dn *dn;
+	struct GUID guid;
 	bool force_self;
 	bool force_children;
 	struct ldb_dn *stopped_dn;
@@ -771,7 +770,8 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
 				    current_attrs,
 				    DSDB_FLAG_NEXT_MODULE |
 				    DSDB_FLAG_AS_SYSTEM |
-				    DSDB_SEARCH_SHOW_RECYCLED,
+				    DSDB_SEARCH_SHOW_RECYCLED |
+				    DSDB_SEARCH_SHOW_EXTENDED_DN,
 				    req);
 	if (ret != LDB_SUCCESS) {
 		ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
@@ -832,7 +832,7 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
 		user_sd = old_sd;
 	}
 
-	sd = get_new_descriptor(module, dn, req,
+	sd = get_new_descriptor(module, current_res->msgs[0]->dn, req,
 				objectclass, parent_sd,
 				user_sd, old_sd, sd_flags);
 	if (sd == NULL) {
@@ -869,15 +869,32 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
 			return ldb_oom(ldb);
 		}
 	} else if (cmp_ret != 0) {
+		struct GUID guid;
 		struct ldb_dn *nc_root;
+		NTSTATUS status;
 
-		ret = dsdb_find_nc_root(ldb, msg, dn, &nc_root);
+		ret = dsdb_find_nc_root(ldb,
+					msg,
+					current_res->msgs[0]->dn,
+					&nc_root);
 		if (ret != LDB_SUCCESS) {
 			return ldb_oom(ldb);
 		}
 
-		ret = dsdb_module_schedule_sd_propagation(module, nc_root,
-							  dn, false);
+		status = dsdb_get_extended_dn_guid(current_res->msgs[0]->dn,
+						   &guid,
+						   "GUID");
+		if (!NT_STATUS_IS_OK(status)) {
+			return ldb_operr(ldb);
+		}
+
+		/*
+		 * Force SD propagation on children of this record
+		 */
+		ret = dsdb_module_schedule_sd_propagation(module,
+							  nc_root,
+							  guid,
+							  false);
 		if (ret != LDB_SUCCESS) {
 			return ldb_operr(ldb);
 		}
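Review bot: A dsdb_find_nc_root() failure is still reported as ldb_oom(), and the new dsdb_get_extended_dn_guid() failure as ldb_operr() with no ldb error string, so an object whose extended DN carries no GUID component surfaces as an out-of-memory or generic operations error with nothing in the log to say which DN was being modified. Return ret from dsdb_find_nc_root, and set an error string that includes current_res->msgs[0]->dn before the ldb_operr. The DSDB_SEARCH_SHOW_EXTENDED_DN flag added to the search earlier in this file is what makes the GUID available here, so this path should be hard to reach, which is exactly when the message matters.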
@@ -960,16 +977,31 @@ static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
 
 	if (ldb_dn_compare(olddn, newdn) != 0) {
 		struct ldb_dn *nc_root;
+		struct GUID guid;
 
 		ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
 		if (ret != LDB_SUCCESS) {
 			return ldb_oom(ldb);
 		}
 
-		ret = dsdb_module_schedule_sd_propagation(module, nc_root,
-							  newdn, true);
-		if (ret != LDB_SUCCESS) {
-			return ldb_operr(ldb);
+		ret = dsdb_module_guid_by_dn(module,
+					     olddn,
+					     &guid,
+					     req);
+		if (ret == LDB_SUCCESS) {
+			/*
+			 * Without disturbing any errors if the olddn
+			 * does not exit, force SD propagation on
+			 * this record (get a new inherited SD from
+			 * the potentially new parent
+			 */
+			ret = dsdb_module_schedule_sd_propagation(module,
+								  nc_root,
+								  guid,
+								  true);
+			if (ret != LDB_SUCCESS) {
+				return ldb_operr(ldb);
+			}
 		}
 	}
 
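Review bot: The new `if (ret == LDB_SUCCESS)` around the schedule call swallows every failure from dsdb_module_guid_by_dn(), not only the "olddn does not exist" case the comment describes; a genuine database error during the lookup would silently skip scheduling the propagation, which is the same class of missed inheritance this CVE series is fixing. Suggest tolerating only LDB_ERR_NO_SUCH_OBJECT and returning any other error, e.g. `if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_OBJECT) { return ret; }` before the existing block. Also, the comment should read "does not exist" and needs its closing parenthesis.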
@@ -985,9 +1017,7 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	struct dsdb_extended_sec_desc_propagation_op *op;
 	TALLOC_CTX *parent_mem = NULL;
-	struct descriptor_changes *parent_change = NULL;
 	struct descriptor_changes *c;
-	int ret;
 
 	op = talloc_get_type(req->op.extended.data,
 			     struct dsdb_extended_sec_desc_propagation_op);
@@ -1004,32 +1034,6 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
 
 	parent_mem = descriptor_private->trans_mem;
 
-	for (c = descriptor_private->changes; c; c = c->next) {
-		ret = ldb_dn_compare(c->nc_root, op->nc_root);
-		if (ret != 0) {
-			continue;
-		}
-
-		ret = ldb_dn_compare(c->dn, op->dn);
-		if (ret == 0) {
-			if (op->include_self) {
-				c->force_self = true;
-			} else {
-				c->force_children = true;
-			}
-			return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
-		}
-
-		ret = ldb_dn_compare_base(c->dn, op->dn);
-		if (ret != 0) {
-			continue;
-		}
-
-		parent_mem = c;
-		parent_change = c;
-		break;
-	}
-
 	c = talloc_zero(parent_mem, struct descriptor_changes);
 	if (c == NULL) {
 		return ldb_module_oom(module);
@@ -1038,21 +1042,14 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
 	if (c->nc_root == NULL) {
 		return ldb_module_oom(module);
 	}
-	c->dn = ldb_dn_copy(c, op->dn);
-	if (c->dn == NULL) {
-		return ldb_module_oom(module);
-	}
+	c->guid = op->guid;
 	if (op->include_self) {
 		c->force_self = true;
 	} else {
 		c->force_children = true;
 	}
 
-	if (parent_change != NULL) {
-		DLIST_ADD_END(parent_change->children, c);
-	} else {


-- 
Samba Shared Repository