[SCM] Samba Shared Repository - branch v4-18-test updated
Jule Anger
janger at samba.org
Wed Mar 29 14:39:43 UTC 2023
The branch, v4-18-test has been updated
via 5db0223764d VERSION: Bump version up to Samba 4.18.2...
via 4b145ce26b6 VERSION: Disable GIT_SNAPSHOT for the 4.18.1 release.
via 17b49ffd146 WHATSNEW: Add release notes for Samba 4.18.1.
via bb5aecbd102 CVE-2023-0922 set default ldap client sasl wrapping to seal
via 003f6c16112 CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values
via 016687b3aae CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user
via 12617e0ec48 CVE-2023-0614 ldb: Release LDB 2.7.2
via 0776ce5caed CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
via d564a5c8166 CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes
via afad0829b16 CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests
via 7e69ecbdc3a CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED
via ad4c2204112 CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed
via 7f37b4ce6b5 CVE-2023-0614 ldb: Filter on search base before redacting message
via 358894675d1 CVE-2023-0614 ldb: Centralise checking for inaccessible matches
via b0168c2ed0c CVE-2023-0614 ldb: Use binary search to check whether attribute is secret
via e7065304bd0 CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it
via e54fc56e238 CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
via c1cb8021392 CVE-2023-0614 s4-acl: Split out function to set up access checking variables
via 9c9a03d020a CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()
via db65f5f7628 CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes
via 2603728b14d CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()
via c23689e97a4 CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences
via f20992d7fc9 CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID
via 5c4086d51f5 CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential attributes test
via 5f6e01c029d CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't own
via 7689a2caeb4 CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place()
via 4b956377c66 CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place
via feb7ef495c8 CVE-2023-0614 ldb: Add function to filter message in place
via d2244ec1d3e CVE-2023-0614 ldb: Add function to add distinguishedName to message
via 15723d6ff5e CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb message
via 78a7b155cc2 CVE-2023-0614 ldb: Add function to take ownership of an ldb message
via ba135dceead CVE-2023-0614 ldb:tests: Ensure all tests are accounted for
via 04de06f18fe CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated
via 9222e613f66 CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message elements
via 5a33688dda2 CVE-2023-0614 ldb: Add functions for handling inaccessible message elements
via ce9b66c6642 CVE-2023-0614 s4-acl: Make some parameters const
via 1b1f6dd4887 CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently
via 88b5d9215c6 CVE-2023-0614 libcli/security: Make some parameters const
via 90b5fddb826 CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by matching on large objects
via 64da379aa95 CVE-2023-0614 selftest: Use setUpClass() to reduce "make test TESTS=large_ldap" time
via 680b865f183 CVE-2023-0614 lib/ldb: Avoid allocation and memcpy() for every wildcard match candidate
from 6bd15c87430 VERSION: Bump version up to Samba 4.18.1...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test
- Log -----------------------------------------------------------------
commit 5db0223764d392e17df40a6519ea8516e94a94ad
Author: Jule Anger <janger at samba.org>
Date: Wed Mar 29 16:36:47 2023 +0200
VERSION: Bump version up to Samba 4.18.2...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 71 +-
.../smbdotconf/ldap/clientldapsaslwrapping.xml | 27 +-
lib/ldb-samba/ldb_matching_rules.c | 17 +-
lib/ldb-samba/tests/match_rules.py | 135 +--
lib/ldb-samba/tests/match_rules_remote.py | 104 ++
lib/ldb/ABI/{ldb-2.6.1.sigs => ldb-2.7.2.sigs} | 10 +
...pyldb-util-2.1.0.sigs => pyldb-util-2.7.2.sigs} | 0
lib/ldb/common/ldb_match.c | 111 ++-
lib/ldb/common/ldb_msg.c | 42 +
lib/ldb/common/ldb_pack.c | 105 +-
lib/ldb/common/ldb_parse.c | 25 +
lib/ldb/include/ldb_module.h | 31 +
lib/ldb/include/ldb_private.h | 21 +
lib/ldb/ldb_key_value/ldb_kv.h | 6 +-
lib/ldb/ldb_key_value/ldb_kv_index.c | 59 +-
lib/ldb/ldb_key_value/ldb_kv_search.c | 115 ++-
lib/ldb/tests/ldb_filter_attrs_in_place_test.c | 940 ++++++++++++++++++
lib/ldb/tests/ldb_filter_attrs_test.c | 171 ++--
lib/ldb/wscript | 13 +-
lib/param/loadparm.c | 2 +-
libcli/security/access_check.c | 10 +-
libcli/security/access_check.h | 2 +-
python/samba/tests/auth_log.py | 2 +-
source3/param/loadparm.c | 2 +-
source4/dsdb/common/util.c | 24 +
source4/dsdb/common/util.h | 1 +
source4/dsdb/samdb/ldb_modules/acl.c | 195 +---
source4/dsdb/samdb/ldb_modules/acl_read.c | 1017 +++++++++++++-------
source4/dsdb/samdb/ldb_modules/acl_util.c | 6 +-
source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 50 +-
source4/dsdb/samdb/ldb_modules/linked_attributes.c | 2 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 2 +-
source4/dsdb/samdb/samdb.h | 2 +
source4/dsdb/schema/schema_description.c | 7 +
source4/dsdb/schema/schema_init.c | 11 +-
source4/dsdb/schema/schema_set.c | 9 +-
source4/dsdb/tests/python/acl_modify.py | 236 +++++
source4/dsdb/tests/python/confidential_attr.py | 180 +++-
source4/dsdb/tests/python/large_ldap.py | 85 +-
source4/selftest/tests.py | 2 +
source4/setup/schema_samba4.ldif | 2 +
source4/torture/ldb/ldb.c | 12 +-
43 files changed, 3016 insertions(+), 850 deletions(-)
create mode 100755 lib/ldb-samba/tests/match_rules_remote.py
copy lib/ldb/ABI/{ldb-2.6.1.sigs => ldb-2.7.2.sigs} (97%)
copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.7.2.sigs} (100%)
create mode 100644 lib/ldb/tests/ldb_filter_attrs_in_place_test.c
create mode 100755 source4/dsdb/tests/python/acl_modify.py
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 8ff795fe865..56b27245d41 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=18
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=2
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index edd3c8828b0..1b49d1b5a6a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,72 @@
+ ==============================
+ Release Notes for Samba 4.18.1
+ March 29, 2023
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
+ but otherwise unprivileged users to delete this attribute from
+ any object in the directory.
+ https://www.samba.org/samba/security/CVE-2023-0225.html
+
+o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
+ remote LDAP server, will by default send new or reset
+ passwords over a signed-only connection.
+ https://www.samba.org/samba/security/CVE-2023-0922.html
+
+o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
+ Confidential attribute disclosure via LDAP filters was
+ insufficient and an attacker may be able to obtain
+ confidential BitLocker recovery keys from a Samba AD DC.
+ Installations with such secrets in their Samba AD should
+ assume they have been obtained and need replacing.
+ https://www.samba.org/samba/security/CVE-2023-0614.html
+
+
+Changes since 4.18.0
+--------------------
+
+o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+ * BUG 15276: CVE-2023-0225.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 15270: CVE-2023-0614.
+ * BUG 15331: ldb wildcard matching makes excessive allocations.
+ * BUG 15332: large_ldap test is inefficient.
+
+o Rob van der Linde <rob at catalyst.net.nz>
+ * BUG 15315: CVE-2023-0922.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 15270: CVE-2023-0614.
+ * BUG 15276: CVE-2023-0225.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.18.0
March 08, 2023
@@ -65,7 +134,7 @@ Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.
* samba-tool drs showrepl: default is now 'auto', not 'no'
-
+
* samba-tool visualize: the interactions between --color-scheme,
--color, and --output have changed slightly. When --color-scheme is
set it overrides --color for the purpose of the output diagram, but
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
index 3152f0682dd..21bd2090057 100644
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -18,25 +18,24 @@
</para>
<para>
- This option is needed in the case of Domain Controllers enforcing
- the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher).
- LDAP sign and seal can be controlled with the registry key
- "<literal>HKLM\System\CurrentControlSet\Services\</literal>
- <literal>NTDS\Parameters\LDAPServerIntegrity</literal>"
- on the Windows server side.
- </para>
+ This option is needed firstly to secure the privacy of
+ administrative connections from <command>samba-tool</command>,
+ including in particular new or reset passwords for users. For
+ this reason the default is <emphasis>seal</emphasis>.</para>
- <para>
- Depending on the used KRB5 library (MIT and older Heimdal versions)
- it is possible that the message "integrity only" is not supported.
- In this case, <emphasis>sign</emphasis> is just an alias for
- <emphasis>seal</emphasis>.
+ <para>Additionally, <command>winbindd</command> and the
+ <command>net</command> tool can use LDAP to communicate with
+ Domain Controllers, so this option also controls the level of
+ privacy for those connections. All supported AD DC versions
+ will enforce the usage of at least signed LDAP connections by
+ default, so a value of at least <emphasis>sign</emphasis> is
+ required in practice.
</para>
<para>
- The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+ The default value is <emphasis>seal</emphasis>. That implies synchronizing the time
with the KDC in the case of using <emphasis>Kerberos</emphasis>.
</para>
</description>
-<value type="default">sign</value>
+<value type="default">seal</value>
</samba:parameter>
diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c
index 827f3920ae8..59d1385f4e3 100644
--- a/lib/ldb-samba/ldb_matching_rules.c
+++ b/lib/ldb-samba/ldb_matching_rules.c
@@ -67,7 +67,12 @@ static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx,
* Note also that we don't have the original request
* here, so we can not apply controls or timeouts here.
*/
- ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0);
+ ret = dsdb_search_dn(ldb,
+ tmp_ctx,
+ &res,
+ to_visit->dn,
+ attrs,
+ DSDB_MARK_REQ_UNTRUSTED);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
@@ -370,6 +375,11 @@ static int dsdb_match_for_dns_to_tombstone_time(struct ldb_context *ldb,
return LDB_SUCCESS;
}
+ if (ldb_msg_element_is_inaccessible(el)) {
+ *matched = false;
+ return LDB_SUCCESS;
+ }
+
session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"),
struct auth_session_info);
if (session_info == NULL) {
@@ -489,6 +499,11 @@ static int dsdb_match_for_expunge(struct ldb_context *ldb,
return LDB_SUCCESS;
}
+ if (ldb_msg_element_is_inaccessible(el)) {
+ *matched = false;
+ return LDB_SUCCESS;
+ }
+
session_info
= talloc_get_type(ldb_get_opaque(ldb, DSDB_SESSION_INFO),
struct auth_session_info);
diff --git a/lib/ldb-samba/tests/match_rules.py b/lib/ldb-samba/tests/match_rules.py
index abf485c9eab..2fe6c3e2264 100755
--- a/lib/ldb-samba/tests/match_rules.py
+++ b/lib/ldb-samba/tests/match_rules.py
@@ -20,22 +20,35 @@ from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL
# Windows appear to preserve casing of the RDN and uppercase the other keys.
-class MatchRulesTests(samba.tests.TestCase):
+class MatchRulesTestsBase(samba.tests.TestCase):
def setUp(self):
- super(MatchRulesTests, self).setUp()
- self.lp = lp
- self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp)
+ super().setUp()
+ self.lp = self.sambaopts.get_loadparm()
+ self.creds = self.credopts.get_credentials(self.lp)
+
+ self.ldb = SamDB(self.host, credentials=self.creds,
+ session_info=system_session(self.lp),
+ lp=self.lp)
self.base_dn = self.ldb.domain_dn()
- self.ou = "OU=matchrulestest,%s" % self.base_dn
+ self.ou_rdn = "OU=matchrulestest"
+ self.ou = self.ou_rdn + "," + self.base_dn
self.ou_users = "OU=users,%s" % self.ou
self.ou_groups = "OU=groups,%s" % self.ou
self.ou_computers = "OU=computers,%s" % self.ou
+ try:
+ self.ldb.delete(self.ou, ["tree_delete:1"])
+ except LdbError as e:
+ pass
+
# Add a organizational unit to create objects
self.ldb.add({
"dn": self.ou,
"objectclass": "organizationalUnit"})
+ self.addCleanup(self.ldb.delete, self.ou, controls=['tree_delete:0'])
+
+
# Add the following OU hierarchy and set otherWellKnownObjects,
# which has BinaryDN syntax:
#
@@ -204,6 +217,39 @@ class MatchRulesTests(samba.tests.TestCase):
FLAG_MOD_ADD, "member")
self.ldb.modify(m)
+ # Add a couple of ms-Exch-Configuration-Container to test forward-link
+ # attributes without backward link (addressBookRoots2)
+ # e1
+ # |--> e2
+ # | |--> c1
+ self.ldb.add({
+ "dn": "cn=e1,%s" % self.ou,
+ "objectclass": "msExchConfigurationContainer"})
+ self.ldb.add({
+ "dn": "cn=e2,%s" % self.ou,
+ "objectclass": "msExchConfigurationContainer"})
+
+ m = Message()
+ m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou)
+ m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers,
+ FLAG_MOD_ADD, "addressBookRoots2")
+ self.ldb.modify(m)
+
+ m = Message()
+ m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou)
+ m["e1"] = MessageElement("cn=e2,%s" % self.ou,
+ FLAG_MOD_ADD, "addressBookRoots2")
+ self.ldb.modify(m)
+
+
+
+class MatchRulesTests(MatchRulesTestsBase):
+ def setUp(self):
+ self.sambaopts = sambaopts
+ self.credopts = credopts
+ self.host = host
+ super().setUp()
+
# The msDS-RevealedUsers is owned by system and cannot be modified
# directly. Set the schemaUpgradeInProgress flag as workaround
# and create this hierarchy:
@@ -243,33 +289,6 @@ class MatchRulesTests(samba.tests.TestCase):
m["e1"] = MessageElement("0", FLAG_MOD_REPLACE, "schemaUpgradeInProgress")
self.ldb.modify(m)
- # Add a couple of ms-Exch-Configuration-Container to test forward-link
- # attributes without backward link (addressBookRoots2)
- # e1
- # |--> e2
- # | |--> c1
- self.ldb.add({
- "dn": "cn=e1,%s" % self.ou,
- "objectclass": "msExchConfigurationContainer"})
- self.ldb.add({
- "dn": "cn=e2,%s" % self.ou,
- "objectclass": "msExchConfigurationContainer"})
-
- m = Message()
- m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou)
- m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers,
- FLAG_MOD_ADD, "addressBookRoots2")
- self.ldb.modify(m)
-
- m = Message()
- m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou)
- m["e1"] = MessageElement("cn=e2,%s" % self.ou,
- FLAG_MOD_ADD, "addressBookRoots2")
- self.ldb.modify(m)
-
- def tearDown(self):
- super(MatchRulesTests, self).tearDown()
- self.ldb.delete(self.ou, controls=['tree_delete:0'])
def test_u1_member_of_g4(self):
# Search without transitive match must return 0 results
@@ -945,8 +964,12 @@ class MatchRulesTests(samba.tests.TestCase):
class MatchRuleConditionTests(samba.tests.TestCase):
def setUp(self):
super(MatchRuleConditionTests, self).setUp()
- self.lp = lp
- self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp)
+ self.lp = sambaopts.get_loadparm()
+ self.creds = credopts.get_credentials(self.lp)
+
+ self.ldb = SamDB(host, credentials=self.creds,
+ session_info=system_session(self.lp),
+ lp=self.lp)
self.base_dn = self.ldb.domain_dn()
self.ou = "OU=matchruleconditiontests,%s" % self.base_dn
self.ou_users = "OU=users,%s" % self.ou
@@ -1745,32 +1768,30 @@ class MatchRuleConditionTests(samba.tests.TestCase):
self.ou_groups, self.ou_computers))
self.assertEqual(len(res1), 0)
+if __name__ == "__main__":
-parser = optparse.OptionParser("match_rules.py [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-subunitopts = SubunitOptions(parser)
-parser.add_option_group(subunitopts)
+ parser = optparse.OptionParser("match_rules.py [options] <host>")
+ sambaopts = options.SambaOptions(parser)
+ parser.add_option_group(sambaopts)
+ parser.add_option_group(options.VersionOptions(parser))
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
+ # use command line creds if available
+ credopts = options.CredentialsOptions(parser)
+ parser.add_option_group(credopts)
+ opts, args = parser.parse_args()
+ subunitopts = SubunitOptions(parser)
+ parser.add_option_group(subunitopts)
-host = args[0]
+ if len(args) < 1:
+ parser.print_usage()
+ sys.exit(1)
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
+ host = args[0]
-if "://" not in host:
- if os.path.isfile(host):
- host = "tdb://%s" % host
- else:
- host = "ldap://%s" % host
+ if "://" not in host:
+ if os.path.isfile(host):
+ host = "tdb://%s" % host
+ else:
+ host = "ldap://%s" % host
-TestProgram(module=__name__, opts=subunitopts)
+ TestProgram(module=__name__, opts=subunitopts)
diff --git a/lib/ldb-samba/tests/match_rules_remote.py b/lib/ldb-samba/tests/match_rules_remote.py
new file mode 100755
index 00000000000..122231f2a60
--- /dev/null
+++ b/lib/ldb-samba/tests/match_rules_remote.py
@@ -0,0 +1,104 @@
+#!/usr/bin/env python3
+
+import optparse
+import sys
+import os
+import samba
+import samba.getopt as options
+
+from samba.tests.subunitrun import SubunitOptions, TestProgram
+
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba import sd_utils
+from samba.ndr import ndr_unpack
+from ldb import Message, MessageElement, Dn, LdbError
+from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
+from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL
+
+from match_rules import MatchRulesTestsBase
+
+
+class MatchRulesTestsUser(MatchRulesTestsBase):
+ def setUp(self):
+ self.sambaopts = sambaopts
+ self.credopts = credopts
+ self.host = host
+ super().setUp()
+ self.sd_utils = sd_utils.SDUtils(self.ldb)
+
+ self.user_pass = "samba123@"
+ self.match_test_user = "matchtestuser"
+ self.ldb.newuser(self.match_test_user,
+ self.user_pass,
+ userou=self.ou_rdn)
+ user_creds = self.insta_creds(template=self.creds,
+ username=self.match_test_user,
+ userpass=self.user_pass)
+ self.user_ldb = SamDB(host, credentials=user_creds, lp=self.lp)
+ token_res = self.user_ldb.search(scope=SCOPE_BASE,
+ base="",
+ attrs=["tokenGroups"])
+ self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
+ token_res[0]["tokenGroups"][0])
+
+ self.member_attr_guid = "bf9679c0-0de6-11d0-a285-00aa003049e2"
+
+ def test_with_denied_link(self):
+
+ # add an ACE that denies the user Read Property (RP) access to
+ # the member attr (which is similar to making the attribute
+ # confidential)
+ ace = "(OD;;RP;{0};;{1})".format(self.member_attr_guid,
+ self.user_sid)
+ g2_dn = Dn(self.ldb, "CN=g2,%s" % self.ou_groups)
+
+ # add the ACE that denies access to the attr under test
+ self.sd_utils.dacl_add_ace(g2_dn, ace)
+
+ # Search without transitive match must return 0 results
+ res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
+ scope=SCOPE_BASE,
+ expression="member=cn=u1,%s" % self.ou_users)
+ self.assertEqual(len(res1), 0)
+
+ # Search with transitive match must return 1 results
+ res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
+ scope=SCOPE_BASE,
+ expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
+ self.assertEqual(len(res1), 1)
+ self.assertEqual(str(res1[0].dn).lower(), ("CN=g4,%s" % self.ou_groups).lower())
+
+ # Search as a user match must return 0 results as the intermediate link can't be seen
+ res1 = self.user_ldb.search("cn=g4,%s" % self.ou_groups,
+ scope=SCOPE_BASE,
+ expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
+ self.assertEqual(len(res1), 0)
+
+
+
+parser = optparse.OptionParser("match_rules_remote.py [options] <host>")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+opts, args = parser.parse_args()
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+
+if len(args) < 1:
+ parser.print_usage()
+ sys.exit(1)
+
+host = args[0]
+
+if "://" not in host:
+ if os.path.isfile(host):
+ host = "tdb://%s" % host
+ else:
+ host = "ldap://%s" % host
+
+TestProgram(module=__name__, opts=subunitopts)
diff --git a/lib/ldb/ABI/ldb-2.6.1.sigs b/lib/ldb/ABI/ldb-2.7.2.sigs
similarity index 97%
copy from lib/ldb/ABI/ldb-2.6.1.sigs
copy to lib/ldb/ABI/ldb-2.7.2.sigs
index 40388d9e330..b4c5e20e8c7 100644
--- a/lib/ldb/ABI/ldb-2.6.1.sigs
+++ b/lib/ldb/ABI/ldb-2.7.2.sigs
@@ -86,6 +86,7 @@ ldb_errstring: const char *(struct ldb_context *)
ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **)
ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *)
ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *)
+ldb_filter_attrs_in_place: int (struct ldb_message *, const char * const *)
ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *)
ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *)
ldb_get_create_perms: unsigned int (struct ldb_context *)
@@ -125,6 +126,7 @@ ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const
ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope)
ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *)
--
Samba Shared Repository
More information about the samba-cvs
mailing list