[SCM] Samba Shared Repository - branch v4-9-stable updated

Karolin Seeger kseeger at samba.org
Tue Jan 21 09:12:29 UTC 2020


The branch, v4-9-stable has been updated
       via  5f8ef2f9eec VERSION: Disable GIT_SNAPSHOT for the 4.9.18 release.
       via  4e6475813f9 WHATSNEW: Add release notes for Samba 4.9.18.
       via  55fb0c2f67e CVE-2019-19344 kcc dns scavenging: Fix use after free in dns_tombstone_records_zone
       via  ad0e68d354a CVE-2019-14907 lib/util: Do not print the failed to convert string into the logs
       via  030fa9e5455 CVE-2019-14907 lib/util/charset: clang: Fix Value stored to 'reason' is never read warning
       via  16b377276ee CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs
       via  7071888d5b5 CVE-2019-14902 repl_meta_data: Set renamed = true (and so do SD inheritance) after any rename
       via  9e6b09e0fd5 CVE-2019-14902 repl_meta_data: Fix issue where inherited Security Descriptors were not replicated.
       via  9ac2b09fa5a CVE-2019-14902 repl_meta_data: schedule SD propagation to a renamed DN
       via  0fa9a362e55 CVE-2019-14902 dsdb: Ensure we honour both change->force_self and change->force_children
       via  589d1e4846b CVE-2019-14902 dsdb: Add comments explaining why SD propagation needs to be done here
       via  17215b36b22 CVE-2019-14902 dsdb: Explain that descriptor_sd_propagation_recursive() is protected by a transaction
       via  4afff32debe selftest: Add test to confirm ACL inheritance really happens
       via  c5a005a4538 CVE-2019-14902 selftest: Add test for a special case around replicated renames
       via  77d55b64af6 CVE-2019-14902 selftest: Add test for replication of inherited security descriptors
       via  052a54a54f7 VERSION: Bump version up to Samba 4.9.18...
      from  631a49647b7 VERSION: Disable GIT_SNAPSHOT for the 4.9.17 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-stable


- Log -----------------------------------------------------------------
commit 5f8ef2f9eecbc6c6c405bdb55ed685ad83008c11
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Jan 10 16:30:15 2020 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.9.18 release.
    
    o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
    		  Directory not automatic.
    o CVE-2019-14907: Crash after failed character conversion at log level 3 or
    		  above.
    o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 4e6475813f9e5a32207244857fd11f330a49a65b
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Jan 10 11:58:31 2020 +0100

    WHATSNEW: Add release notes for Samba 4.9.18.
    
    o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
    		  Directory not automatic.
    o CVE-2019-14907: Crash after failed character conversion at log level 3 or
    		  above.
    o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 55fb0c2f67ef1906c942729c00f9f918dd92a658
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Mon Dec 16 13:57:47 2019 +1300

    CVE-2019-19344 kcc dns scavenging: Fix use after free in dns_tombstone_records_zone
    
    ldb_msg_add_empty reallocates the underlying element array, leaving
    old_el pointing to freed memory.
    
    This patch takes two defensive copies of the ldb message, and performs
    the updates on them rather than the ldb messages in the result.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14050
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
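The dangling-pointer pattern this commit message describes, and the defensive-copy fix it applies, as an added illustration that is not Samba's code: `struct message`, `struct element`, `msg_find_element()`, `msg_add_empty()`, `msg_copy()` and `build_tombstone_update()` are hypothetical stand-ins for `ldb_message`, `ldb_msg_find_element()`, `ldb_msg_add_empty()`, `ldb_msg_copy()` and the loop body in `dns_tombstone_records_zone()`; the sample record is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for ldb's message/element types (not Samba code).
 * A message owns a realloc()-grown element array, so any element pointer
 * taken before the array grows may dangle afterwards. */
enum { FLAG_NONE = 0, FLAG_MOD_ADD = 1, FLAG_MOD_DELETE = 2 };

struct element { char name[32]; int flags; int num_values; };
struct message { struct element *elements; size_t num_elements; };

/* Pointer into msg->elements: valid only until the array next grows. */
static struct element *msg_find_element(struct message *msg, const char *name)
{
	size_t i;
	for (i = 0; i < msg->num_elements; i++) {
		if (strcmp(msg->elements[i].name, name) == 0)
			return &msg->elements[i];
	}
	return NULL;
}

/* Grow the array; like ldb_msg_add_empty() this may move it in memory. */
static int msg_add_empty(struct message *msg, const char *name, int flags,
			 struct element **out)
{
	struct element *e;
	struct element *grown = realloc(msg->elements,
					(msg->num_elements + 1) * sizeof(*grown));
	if (grown == NULL)
		return -1;
	msg->elements = grown;	/* every element pointer taken earlier is now stale */
	e = &msg->elements[msg->num_elements++];
	memset(e, 0, sizeof(*e));
	strncpy(e->name, name, sizeof(e->name) - 1);
	e->flags = flags;
	*out = e;
	return 0;
}

/* Deep copy, mirroring ldb_msg_copy(): the copy owns a separate array. */
static struct message *msg_copy(const struct message *src)
{
	struct message *dst = calloc(1, sizeof(*dst));
	if (dst == NULL)
		return NULL;
	dst->elements = malloc((src->num_elements + 1) * sizeof(*dst->elements));
	if (dst->elements == NULL) {
		free(dst);
		return NULL;
	}
	memcpy(dst->elements, src->elements,
	       src->num_elements * sizeof(*dst->elements));
	dst->num_elements = src->num_elements;
	return dst;
}

static void msg_free(struct message *msg)
{
	if (msg != NULL) {
		free(msg->elements);
		free(msg);
	}
}

/* The corrected pattern: mutate two private copies. old_el points into
 * old_msg, whose array is never grown, so it stays valid while new_msg grows,
 * and the search result itself is left untouched. */
static int build_tombstone_update(const struct message *found,
				  struct message **old_out, struct message **new_out)
{
	struct message *old_msg = msg_copy(found), *new_msg = NULL;
	struct element *old_el, *el = NULL;

	if (old_msg == NULL)
		return -1;
	old_el = msg_find_element(old_msg, "dnsRecord");
	if (old_el == NULL) {
		msg_free(old_msg);
		return -1;
	}
	old_el->flags = FLAG_MOD_DELETE;

	new_msg = msg_copy(old_msg);
	if (new_msg == NULL ||
	    msg_add_empty(new_msg, "dnsRecord", FLAG_MOD_ADD, &el) != 0) {
		msg_free(old_msg);
		msg_free(new_msg);
		return -1;
	}
	/* Safe: old_el was never affected by the realloc() in msg_add_empty(). */
	el->num_values = old_el->num_values;	/* stands in for copy_current_records() */
	*old_out = old_msg;
	*new_out = new_msg;
	return 0;
}

/* Constructed sample search result carrying one dnsRecord element. */
static struct message *make_sample_record(int num_values)
{
	struct message *m = calloc(1, sizeof(*m));
	struct element *e = NULL;
	if (m == NULL || msg_add_empty(m, "dnsRecord", FLAG_NONE, &e) != 0) {
		msg_free(m);
		return NULL;
	}
	e->num_values = num_values;
	return m;
}

int main(void)
{
	struct message *found = make_sample_record(3), *o = NULL, *n = NULL;
	if (found == NULL || build_tombstone_update(found, &o, &n) != 0)
		return 1;
	printf("old: %zu element(s); new: %zu element(s), last flags=%d\n",
	       o->num_elements, n->num_elements, n->elements[n->num_elements - 1].flags);
	msg_free(o); msg_free(n); msg_free(found);
	return 0;
}
```

Re-looking the element up by name after the growing call would also remove the stale pointer, but the copy approach used in the patch has the extra benefit that `res->msgs[i]` is never modified, so a later `continue` or error return leaves the search result exactly as it was found.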

commit ad0e68d354ad33c577dbf146fc4a1b8254857558
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Nov 29 20:58:47 2019 +1300

    CVE-2019-14907 lib/util: Do not print the failed to convert string into the logs
    
    The string may be in another charset, or may be sensitive and
    certainly may not be terminated.  It is not safe to just print.
    
    Found by Robert Święcki using a fuzzer he wrote for smbd.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    (adapted from master commit)
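The patch for this commit simply stops printing the source buffer. If a bounded preview of the offending bytes is ever wanted at a debug level, the safe form never hands the buffer to `%s` at all: the length the caller already holds is the only bound. The helper below is an added illustration, not Samba's code; `format_conversion_error()` and `MAX_DUMP_BYTES` are hypothetical names, and the byte strings in the test are constructed. Because the commit message notes the data may be sensitive, such a preview belongs behind a debug-only level, not in the default log.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DUMP_BYTES 16	/* hypothetical cap on how much input is previewed */

/* Hypothetical helper (not Samba's): describe a failed conversion without
 * treating src as a C string. src need not be NUL-terminated; srclen is the
 * only bound consulted. Returns the formatted length, or -1 if out is too
 * small. */
static int format_conversion_error(char *out, size_t outlen, const char *reason,
				   const unsigned char *src, size_t srclen)
{
	size_t shown = srclen < MAX_DUMP_BYTES ? srclen : MAX_DUMP_BYTES;
	size_t pos, i;
	int n;

	n = snprintf(out, outlen, "Conversion error: %s (%zu bytes", reason, srclen);
	if (n < 0 || (size_t)n >= outlen)
		return -1;
	pos = (size_t)n;

	/* Hex-escape each previewed byte; never a raw %s on the input. */
	for (i = 0; i < shown; i++) {
		n = snprintf(out + pos, outlen - pos, "%s%02x",
			     i == 0 ? ": " : " ", src[i]);
		if (n < 0 || (size_t)n >= outlen - pos)
			return -1;
		pos += (size_t)n;
	}
	n = snprintf(out + pos, outlen - pos, "%s)", shown < srclen ? " ..." : "");
	if (n < 0 || (size_t)n >= outlen - pos)
		return -1;
	return (int)(pos + (size_t)n);
}

int main(void)
{
	/* Constructed sample: an invalid UTF-8 sequence with no terminator. */
	const unsigned char bad[3] = { 0xc3, 0x28, 0xff };
	char line[128];
	if (format_conversion_error(line, sizeof(line),
				    "Illegal multibyte sequence", bad, sizeof(bad)) < 0)
		return 1;
	puts(line);
	return 0;
}
```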

commit 030fa9e5455125e30b71c90be80baadb657d8993
Author: Noel Power <noel.power at suse.com>
Date:   Fri May 24 13:37:00 2019 +0000

    CVE-2019-14907 lib/util/charset: clang: Fix Value stored to 'reason' is never read warning
    
    Fixes:
    
    lib/util/charset/convert_string.c:301:5: warning: Value stored to 'reason' is never read <--[clang]
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Gary Lockyer gary at catalyst.net.nz
    (cherry picked from commit add47e288bc80c1bf45765d1588a9fa5998ea677)

commit 16b377276ee82c04d069666e53deaa95a7633dd4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 12 14:44:57 2019 +1300

    CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs
    
    We can not process on the basis of a DN, as the DN may have changed in a rename,
    not only that this module can see, but also from repl_meta_data below.
    
    Therefore remove all the complex tree-based change processing, leaving only
    a tree-based sort of the possible objects to be changed, and a single
    stopped_dn variable containing the DN to stop processing below (after
    a no-op change).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 7071888d5b556213be79545cac059a8b3f62baee
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 6 18:26:42 2019 +1300

    CVE-2019-14902 repl_meta_data: Set renamed = true (and so do SD inheritance) after any rename
    
    Previously if there was a conflict, but the incoming object would still
    win, this was not marked as a rename, and so inheritance was not done.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 9e6b09e0fd52c664de7f0589074fef872c753fa2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 26 15:50:35 2019 +1300

    CVE-2019-14902 repl_meta_data: Fix issue where inherited Security Descriptors were not replicated.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 9ac2b09fa5a2de44967a0b190918825e7dca8d53
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 6 18:05:54 2019 +1300

    CVE-2019-14902 repl_meta_data: schedule SD propagation to a renamed DN
    
    We need to check the SD of the parent if we rename, it is not the same as an incoming SD change.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 0fa9a362e55abb289cbf0fe24baa09c45af4837e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 6 17:54:23 2019 +1300

    CVE-2019-14902 dsdb: Ensure we honour both change->force_self and change->force_children
    
    If we are renaming a DN we can be in a situation where we need to
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 589d1e4846bbac0e5388af3ef0c6d6c41b5ff991
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 26 16:17:32 2019 +1300

    CVE-2019-14902 dsdb: Add comments explaining why SD propagation needs to be done here
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 17215b36b22d309a58a3b7bd08123f06e89657c9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 26 15:44:32 2019 +1300

    CVE-2019-14902 dsdb: Explain that descriptor_sd_propagation_recursive() is protected by a transaction
    
    This means we can trust the DB did not change between the two search
    requests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 4afff32debe5ea4bf1219f42c3042eb65c3e1d6b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 16 11:29:27 2019 +1300

    selftest: Add test to confirm ACL inheritance really happens
    
    While we have a separate test (sec_descriptor.py) that confirms inheritance in
    general we want to lock in these specific patterns as this test covers
    rename.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit c5a005a45389c8d8fc0eae7137eab1904ea92d42
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 10 15:16:24 2019 +1300

    CVE-2019-14902 selftest: Add test for a special case around replicated renames
    
    It appears Samba is currently string-name based in the ACL inheritance code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 77d55b64af6acd38a08096b89ee051bc4ce72f43
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 28 17:16:16 2019 +1300

    CVE-2019-14902 selftest: Add test for replication of inherited security descriptors
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 052a54a54f7fec6d934c6e0b132b4d1b87a9533e
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Dec 10 10:21:10 2019 +0100

    VERSION: Bump version up to Samba 4.9.18...
    
    and re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    (cherry picked from commit 5d91d4cdbeb0921257c6f6701cc6f963ab629842)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                         |   2 +-
 WHATSNEW.txt                                    |  76 ++++-
 lib/util/charset/convert_string.c               |  33 +-
 source4/dsdb/kcc/scavenge_dns_records.c         |  51 ++-
 source4/dsdb/samdb/ldb_modules/acl_util.c       |   4 +-
 source4/dsdb/samdb/ldb_modules/descriptor.c     | 291 +++++++++--------
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c |  55 +++-
 source4/dsdb/samdb/samdb.h                      |   2 +-
 source4/selftest/tests.py                       |   5 +
 source4/torture/drs/python/repl_secdesc.py      | 400 ++++++++++++++++++++++++
 10 files changed, 750 insertions(+), 169 deletions(-)
 create mode 100644 source4/torture/drs/python/repl_secdesc.py


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index f1a9fd5260e..e377f6034ff 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=9
-SAMBA_VERSION_RELEASE=17
+SAMBA_VERSION_RELEASE=18
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c1f544b2c5c..d9ee3b40646 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,75 @@
+                   ==============================
+                   Release Notes for Samba 4.9.18
+                           January 21, 2020
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
+		  Directory not automatic.        
+o CVE-2019-14907: Crash after failed character conversion at log level 3 or
+		  above.                                               
+o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
+                                                                                
+                                                                                
+=======                                                                         
+Details                                                                         
+=======                                                                         
+                                                                                
+o  CVE-2019-14902:                                                                                
+   The implementation of ACL inheritance in the Samba AD DC was not complete,
+   and so absent a 'full-sync' replication, ACLs could get out of sync between
+   domain controllers. 
+
+o  CVE-2019-14907:
+   When processing untrusted string input Samba can read past the end of the
+   allocated buffer when printing a "Conversion error" message to the logs.
+
+o  CVE-2019-19344:                                                                                
+   During DNS zone scavenging (of expired dynamic entries) there is a read of
+   memory after it has been freed.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.9.17:
+---------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 12497: CVE-2019-14902: Replication of ACLs down subtree on AD Directory
+     not automatic.
+   * BUG 14208: CVE-2019-14907: lib/util: Do not print the failed to convert
+     string into the logs.
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 14050: CVE-2019-19344: kcc dns scavenging: Fix use after free in
+     dns_tombstone_records_zone.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    ==============================
                    Release Notes for Samba 4.9.17
                            December 10, 2019
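Review bot: Several of the added release-note lines carry trailing whitespace (the two "Directory not automatic." and "above." continuation lines, the blank lines and "=======" / "Details" separators before the Details section, and the "o  CVE-2019-14902:" and "o  CVE-2019-19344:" headings). Since WHATSNEW.txt is shipped verbatim, strip the trailing spaces so the file matches the rest of the notes and does not trip whitespace checks.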
@@ -57,8 +129,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 4.9.16
diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c
index 196302aacfd..b546e056953 100644
--- a/lib/util/charset/convert_string.c
+++ b/lib/util/charset/convert_string.c
@@ -293,31 +293,31 @@ bool convert_string_handle(struct smb_iconv_handle *ic,
 		switch(errno) {
 			case EINVAL:
 				reason="Incomplete multibyte sequence";
-				DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",
-					 reason, (const char *)src));
+				DBG_NOTICE("Conversion error: %s\n",
+					 reason);
 				break;
 			case E2BIG:
 			{
 				reason="No more room";
 				if (from == CH_UNIX) {
-					DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s'\n",
-						 charset_name(ic, from), charset_name(ic, to),
-						 (unsigned int)srclen, (unsigned int)destlen, (const char *)src));
+					DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
+						   charset_name(ic, from), charset_name(ic, to),
+						   (unsigned int)srclen, (unsigned int)destlen, reason);
 				} else {
-					DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u\n",
-						 charset_name(ic, from), charset_name(ic, to),
-						 (unsigned int)srclen, (unsigned int)destlen));
+					DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
+						   charset_name(ic, from), charset_name(ic, to),
+						   (unsigned int)srclen, (unsigned int)destlen, reason);
 				}
 				break;
 			}
 			case EILSEQ:
 				reason="Illegal multibyte sequence";
-				DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",
-					 reason, (const char *)src));
+				DBG_NOTICE("convert_string_internal: Conversion error: %s\n",
+					   reason);
 				break;
 			default:
-				DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n",
-					 reason, (const char *)src));
+				DBG_ERR("convert_string_internal: Conversion error: %s\n",
+					reason);
 				break;
 		}
 		/* smb_panic(reason); */
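Review bot: The EINVAL branch now logs "Conversion error: %s" while the EILSEQ and default branches keep the "convert_string_internal: " prefix; keep the prefix on all three so the lines remain attributable to this function. Dropping `src` from every format string is the actual fix here (the old `%s` read an unterminated, possibly sensitive buffer), and DBG_NOTICE/DBG_ERR preserve the previous levels 3 and 0. With `src` gone, the two E2BIG branches emit identical format strings and arguments, so the `if (from == CH_UNIX)` / `else` pair can collapse into a single DBG_NOTICE call.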
@@ -427,16 +427,19 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic,
 		switch(errno) {
 			case EINVAL:
 				reason="Incomplete multibyte sequence";
-				DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));
+				DBG_NOTICE("Conversion error: %s\n",
+					   reason);
 				break;
 			case E2BIG:
 				goto convert;
 			case EILSEQ:
 				reason="Illegal multibyte sequence";
-				DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));
+				DBG_NOTICE("Conversion error: %s\n",
+					   reason);
 				break;
 			default:
-				DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf));
+				DBG_ERR("Conversion error: %s\n",
+					reason);
 				break;
 		}
 		/* smb_panic(reason); */
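Review bot: All three replacement messages in convert_string_talloc_handle() drop the "convert_string_talloc: " prefix the old DEBUG lines carried, so a "Conversion error: Incomplete multibyte sequence" line is now indistinguishable from the one emitted by convert_string_handle() in the previous hunk; suggest keeping the prefix, e.g. `DBG_NOTICE("convert_string_talloc: Conversion error: %s\n", reason);`. Removing `inbuf` from the format strings is correct for the same reason as above: its length is known to the caller but it is not NUL-terminated.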
diff --git a/source4/dsdb/kcc/scavenge_dns_records.c b/source4/dsdb/kcc/scavenge_dns_records.c
index 2f4f482e3da..9c82b1a472d 100644
--- a/source4/dsdb/kcc/scavenge_dns_records.c
+++ b/source4/dsdb/kcc/scavenge_dns_records.c
@@ -128,6 +128,8 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 	struct ldb_message_element *el = NULL;
 	struct ldb_message_element *tombstone_el = NULL;
 	struct ldb_message_element *old_el = NULL;
+	struct ldb_message *new_msg = NULL;
+	struct ldb_message *old_msg = NULL;
 	int ret;
 	struct GUID guid;
 	struct GUID_txt_buf buf_guid;
@@ -184,12 +186,29 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 	 * change.  This prevents race conditions.
 	 */
 	for (i = 0; i < res->count; i++) {
-		old_el = ldb_msg_find_element(res->msgs[i], "dnsRecord");
+		old_msg = ldb_msg_copy(mem_ctx, res->msgs[i]);
+		if (old_msg == NULL) {
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+
+		old_el = ldb_msg_find_element(old_msg, "dnsRecord");
+		if (old_el == NULL) {
+			TALLOC_FREE(old_msg);
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+
 		old_el->flags = LDB_FLAG_MOD_DELETE;
+		new_msg = ldb_msg_copy(mem_ctx, old_msg);
+		if (new_msg == NULL) {
+			TALLOC_FREE(old_msg);
+			return NT_STATUS_INTERNAL_ERROR;
+		}
 
 		ret = ldb_msg_add_empty(
-		    res->msgs[i], "dnsRecord", LDB_FLAG_MOD_ADD, &el);
+		    new_msg, "dnsRecord", LDB_FLAG_MOD_ADD, &el);
 		if (ret != LDB_SUCCESS) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
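Review bot: The pair `TALLOC_FREE(old_msg); TALLOC_FREE(new_msg);` is repeated on every early return and on the `continue` in this and the following hunks; allocating both copies under a per-iteration `tmp_ctx` (`talloc_new(mem_ctx)`) and freeing it once at each exit would remove the duplication and the risk of missing one path. The fix itself is sound: ldb_msg_copy() gives old_msg its own element array, so `old_el` points into memory that ldb_msg_add_empty() on new_msg can no longer reallocate, and `res->msgs[i]` is now never modified. Note that new_msg is copied after `old_el->flags = LDB_FLAG_MOD_DELETE`, so new_msg carries both the MOD_DELETE and the MOD_ADD dnsRecord elements, the same shape the single message had before.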
@@ -197,12 +216,16 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 		status = copy_current_records(mem_ctx, old_el, el, t);
 
 		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
 		/* If nothing was expired, do nothing. */
 		if (el->num_values == old_el->num_values &&
 		    el->num_values != 0) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			continue;
 		}
 
@@ -213,14 +236,16 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 			el->values = tombstone_blob;
 			el->num_values = 1;
 
-			tombstone_el = ldb_msg_find_element(res->msgs[i],
+			tombstone_el = ldb_msg_find_element(new_msg,
 						  "dnsTombstoned");
 			if (tombstone_el == NULL) {
-				ret = ldb_msg_add_value(res->msgs[i],
+				ret = ldb_msg_add_value(new_msg,
 							"dnsTombstoned",
 							true_struct,
 							&tombstone_el);
 				if (ret != LDB_SUCCESS) {
+					TALLOC_FREE(old_msg);
+					TALLOC_FREE(new_msg);
 					return NT_STATUS_INTERNAL_ERROR;
 				}
 				tombstone_el->flags = LDB_FLAG_MOD_ADD;
@@ -234,13 +259,15 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 			 * Do not change the status of dnsTombstoned
 			 * if we found any live records
 			 */
-			ldb_msg_remove_attr(res->msgs[i],
+			ldb_msg_remove_attr(new_msg,
 					    "dnsTombstoned");
 		}
 
 		/* Set DN to the GUID in case the object was moved. */
-		el = ldb_msg_find_element(res->msgs[i], "objectGUID");
+		el = ldb_msg_find_element(new_msg, "objectGUID");
 		if (el == NULL) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			*error_string =
 			    talloc_asprintf(mem_ctx,
 					    "record has no objectGUID "
@@ -251,20 +278,24 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 
 		status = GUID_from_ndr_blob(el->values, &guid);
 		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			*error_string =
 			    discard_const_p(char, "Error: Invalid GUID.\n");
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
 		GUID_buf_string(&guid, &buf_guid);
-		res->msgs[i]->dn =
+		new_msg->dn =
 		    ldb_dn_new_fmt(mem_ctx, samdb, "<GUID=%s>", buf_guid.buf);
 
 		/* Remove the GUID so we're not trying to modify it. */
-		ldb_msg_remove_attr(res->msgs[i], "objectGUID");
+		ldb_msg_remove_attr(new_msg, "objectGUID");
 
-		ret = ldb_modify(samdb, res->msgs[i]);
+		ret = ldb_modify(samdb, new_msg);
 		if (ret != LDB_SUCCESS) {
+			TALLOC_FREE(old_msg);
+			TALLOC_FREE(new_msg);
 			*error_string =
 			    talloc_asprintf(mem_ctx,
 					    "Failed to modify dns record "
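Review bot: `new_msg->dn = ldb_dn_new_fmt(mem_ctx, samdb, "<GUID=%s>", buf_guid.buf);` allocates the replacement DN on `mem_ctx`, not on `new_msg`, so the `TALLOC_FREE(new_msg)` at the end of each iteration does not release it and one DN accumulates on mem_ctx per record scanned; the DN that ldb_msg_copy() produced is simply overwritten. Allocate it on the message (`ldb_dn_new_fmt(new_msg, ...)`) and add the missing NULL check before the ldb_modify() call, since a failed allocation would otherwise be passed on as a NULL dn.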
@@ -273,6 +304,8 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 					    ldb_errstring(samdb));
 			return NT_STATUS_INTERNAL_ERROR;
 		}
+		TALLOC_FREE(old_msg);
+		TALLOC_FREE(new_msg);
 	}
 
 	return NT_STATUS_OK;
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 6d645b10fe2..b9931795e19 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -286,7 +286,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
 
 int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
 					struct ldb_dn *nc_root,
-					struct ldb_dn *dn,
+					struct GUID guid,
 					bool include_self)
 {
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
@@ -299,7 +299,7 @@ int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
 	}
 
 	op->nc_root = nc_root;
-	op->dn = dn;
+	op->guid = guid;
 	op->include_self = include_self;
 
 	ret = dsdb_module_extended(module, op, NULL,
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 9018b750ab5..daa08c2ebc7 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -46,9 +46,8 @@
 
 struct descriptor_changes {
 	struct descriptor_changes *prev, *next;
-	struct descriptor_changes *children;
 	struct ldb_dn *nc_root;
-	struct ldb_dn *dn;
+	struct GUID guid;
 	bool force_self;
 	bool force_children;
 	struct ldb_dn *stopped_dn;
@@ -771,7 +770,8 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
 				    current_attrs,
 				    DSDB_FLAG_NEXT_MODULE |
 				    DSDB_FLAG_AS_SYSTEM |
-				    DSDB_SEARCH_SHOW_RECYCLED,
+				    DSDB_SEARCH_SHOW_RECYCLED |
+				    DSDB_SEARCH_SHOW_EXTENDED_DN,
 				    req);
 	if (ret != LDB_SUCCESS) {
 		ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
@@ -832,7 +832,7 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
 		user_sd = old_sd;
 	}
 
-	sd = get_new_descriptor(module, dn, req,
+	sd = get_new_descriptor(module, current_res->msgs[0]->dn, req,
 				objectclass, parent_sd,
 				user_sd, old_sd, sd_flags);
 	if (sd == NULL) {
@@ -869,15 +869,32 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
 			return ldb_oom(ldb);
 		}
 	} else if (cmp_ret != 0) {
+		struct GUID guid;
 		struct ldb_dn *nc_root;
+		NTSTATUS status;
 
-		ret = dsdb_find_nc_root(ldb, msg, dn, &nc_root);
+		ret = dsdb_find_nc_root(ldb,
+					msg,
+					current_res->msgs[0]->dn,
+					&nc_root);
 		if (ret != LDB_SUCCESS) {
 			return ldb_oom(ldb);
 		}
 
-		ret = dsdb_module_schedule_sd_propagation(module, nc_root,
-							  dn, false);
+		status = dsdb_get_extended_dn_guid(current_res->msgs[0]->dn,
+						   &guid,
+						   "GUID");
+		if (!NT_STATUS_IS_OK(status)) {
+			return ldb_operr(ldb);
+		}
+
+		/*
+		 * Force SD propagation on children of this record
+		 */
+		ret = dsdb_module_schedule_sd_propagation(module,
+							  nc_root,
+							  guid,
+							  false);
 		if (ret != LDB_SUCCESS) {
 			return ldb_operr(ldb);
 		}
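Review bot: A failure of dsdb_find_nc_root() is still reported as `ldb_oom(ldb)`, which labels any error (for example a DN outside every known naming context) as out of memory; returning `ldb_operr(ldb)` or the actual `ret` would make the log honest. The new GUID-based scheduling itself depends on the DSDB_SEARCH_SHOW_EXTENDED_DN flag added to the search earlier in this file; dsdb_get_extended_dn_guid() would return an error without it, so the two changes must be backported together.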
@@ -960,16 +977,31 @@ static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
 
 	if (ldb_dn_compare(olddn, newdn) != 0) {
 		struct ldb_dn *nc_root;
+		struct GUID guid;
 
 		ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
 		if (ret != LDB_SUCCESS) {
 			return ldb_oom(ldb);
 		}
 
-		ret = dsdb_module_schedule_sd_propagation(module, nc_root,
-							  newdn, true);
-		if (ret != LDB_SUCCESS) {
-			return ldb_operr(ldb);
+		ret = dsdb_module_guid_by_dn(module,
+					     olddn,
+					     &guid,
+					     req);
+		if (ret == LDB_SUCCESS) {
+			/*
+			 * Without disturbing any errors if the olddn
+			 * does not exit, force SD propagation on
+			 * this record (get a new inherited SD from
+			 * the potentially new parent
+			 */
+			ret = dsdb_module_schedule_sd_propagation(module,
+								  nc_root,
+								  guid,
+								  true);
+			if (ret != LDB_SUCCESS) {
+				return ldb_operr(ldb);
+			}
 		}
 	}
 
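Review bot: The `if (ret == LDB_SUCCESS)` around the new dsdb_module_guid_by_dn() call silently skips SD propagation on every failure, not only when olddn does not exist; a transient database or transaction error would then leave the renamed object with a stale inherited descriptor, which is the bug class this series fixes. Suggest treating only `LDB_ERR_NO_SUCH_OBJECT` as the benign case and returning `ldb_operr(ldb)` for any other error. The comment also has a typo and an unclosed parenthesis: "does not exit" should read "does not exist", and "(get a new inherited SD from the potentially new parent" needs its closing ")".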
@@ -985,9 +1017,7 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	struct dsdb_extended_sec_desc_propagation_op *op;
 	TALLOC_CTX *parent_mem = NULL;
-	struct descriptor_changes *parent_change = NULL;
 	struct descriptor_changes *c;
-	int ret;
 
 	op = talloc_get_type(req->op.extended.data,
 			     struct dsdb_extended_sec_desc_propagation_op);
@@ -1004,32 +1034,6 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
 
 	parent_mem = descriptor_private->trans_mem;
 
-	for (c = descriptor_private->changes; c; c = c->next) {
-		ret = ldb_dn_compare(c->nc_root, op->nc_root);
-		if (ret != 0) {
-			continue;
-		}
-
-		ret = ldb_dn_compare(c->dn, op->dn);
-		if (ret == 0) {
-			if (op->include_self) {
-				c->force_self = true;
-			} else {
-				c->force_children = true;
-			}
-			return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
-		}
-
-		ret = ldb_dn_compare_base(c->dn, op->dn);
-		if (ret != 0) {
-			continue;
-		}
-
-		parent_mem = c;
-		parent_change = c;
-		break;
-	}
-
 	c = talloc_zero(parent_mem, struct descriptor_changes);
 	if (c == NULL) {
 		return ldb_module_oom(module);
@@ -1038,21 +1042,14 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
 	if (c->nc_root == NULL) {
 		return ldb_module_oom(module);
 	}
-	c->dn = ldb_dn_copy(c, op->dn);
-	if (c->dn == NULL) {
-		return ldb_module_oom(module);
-	}
+	c->guid = op->guid;
 	if (op->include_self) {
 		c->force_self = true;
 	} else {
 		c->force_children = true;
 	}
 
-	if (parent_change != NULL) {
-		DLIST_ADD_END(parent_change->children, c);
-	} else {


-- 
Samba Shared Repository
