subtree rename constraint checks
Matthias Dieter Wallnöfer
mdw at samba.org
Fri Apr 29 12:17:33 MDT 2011
Hi ekacnet,
I've reflected over your problem and re-read the concerning section
3.1.1.5.4.1.2 of MS-ADTS
(http://msdn.microsoft.com/en-us/library/cc223474(PROT.13).aspx). And
obviously you are right: the checks are really performed on the
root/origin object alone.
Your patch proposal however seemed a bit circumstantial to me - hence I
found an easier way:
http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=commitdiff;h=158b062697907edad55336207075991742ebffef.
Are you okay with that?
Cheers,
Matthias
Matthias Dieter Wallnöfer wrote:
> Hi ekacnet,
>
> I'm not confident in this patch. I think that each entry needs the
> constraint checks since it has its own "systemFlags" attribute.
> Probably just my limited move checks are wrong (this code part of the
> subtree_rename LDB module):
>> bool limited_move =
>>         systemFlags & SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE;
>>
>> if (limited_move) {
>>         dn1 = ldb_dn_copy(ac, olddn);
>>         if (dn1 == NULL) return ldb_oom(ldb);
>>         dn2 = ldb_dn_copy(ac, newdn);
>>         if (dn2 == NULL) return ldb_oom(ldb);
>>
>>         limited_move &= ldb_dn_remove_child_components(dn1, 3);
>>         limited_move &= ldb_dn_remove_child_components(dn2, 3);
>>         limited_move &= ldb_dn_compare(dn1, dn2) == 0;
>>
>>         talloc_free(dn1);
>>         talloc_free(dn2);
>> }
>>
>> if (!limited_move) {
>>         ldb_asprintf_errstring(ldb,
>>                 "subtree_rename: Cannot move %s to %s in config partition",
>>                 ldb_dn_get_linearized(olddn), ldb_dn_get_linearized(newdn));
>>         return LDB_ERR_UNWILLING_TO_PERFORM;
>> }
>
> I will try to fix it.
>
> Cheers,
> Matthias
>
>
> Matthieu Patou wrote:
>> On 25/04/2011 18:30, Matthieu Patou wrote:
>>> Hello Matthias,
>>>
>>> I'm asking some questions about the tests related to the
>>> subtree_rename.c module in samdb.
>>>
>>> Have you tested the case when
>>> CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld
>>> is renamed but it has a subentry (i.e. CN=NTDS
>>> Settings,CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld)?
>>>
>>>
>>> After reading MS-ADTS, I still don't have an idea of what is wrong,
>>> but I'm pretty sure that something is wrong, as when I try to move a
>>> server from one site to another in Active Directory Sites and Services
>>> (dssite.msc) I get an error, and the error comes from the DN moves
>>> that are triggered on the subentries while moving
>>> CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld
>>> to CN=A,CN=Servers,CN=Test,CN=Sites,CN=Configuration,DC=domain,DC=tld.
>>>
>>> It's clear that something is wrong as in ADTS in chapter
>>> 7.1.1.2.2.1.2.1 (Server Object) the system flags for it are: {
>>> FLAG_CONFIG_ALLOW_RENAME | FLAG_CONFIG_ALLOW_LIMITED_MOVE |
>>> FLAG_DISALLOW_MOVE_ON_DELETE }
>>>
>>> So the (limited) move of CN=A,CN=Servers, ... is authorized. The
>>> "NTDS Settings" entry is a nTDSDSA Object; its description at
>>> 7.1.1.2.2.1.2.1.1 says systemFlags: {FLAG_DISALLOW_MOVE_ON_DELETE},
>>> so the way the code is done we can never move nor rename a server
>>> object, as its NTDS subentry does not allow anything like this.
>>>
>>> My assumption is that the checks should be done only on the DN that
>>> triggers the subtree rename and not on the subentries, as they are not
>>> really changed and their DNs should be dynamically calculated.
>>>
>> What about a patch like this?
>>> Matthieu.
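The behaviour the thread converges on (run the MS-ADTS 3.1.1.5.4.1.2 checks on the object that triggers the rename only, and re-home its descendants by rewriting their DN suffix) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Samba's subtree_rename module: the DN splitting is a simplified stand-in for ldb's DN handling, the flag bit values are the ones MS-ADTS assigns (the thread only names the flags), and the DNs are the ones quoted above, reused here as constructed sample input.

```python
"""Model of the subtree_rename constraint check discussed in the thread.

Added illustration, not Samba's code. DNs are split on unescaped commas and
compared case-insensitively; enough for the config-partition DNs above,
not a full RFC 4514 parser.
"""

# systemFlags bits with the values MS-ADTS assigns (the thread names them only).
FLAG_DISALLOW_MOVE_ON_DELETE = 0x02000000
FLAG_CONFIG_ALLOW_LIMITED_MOVE = 0x10000000
FLAG_CONFIG_ALLOW_MOVE = 0x20000000
FLAG_CONFIG_ALLOW_RENAME = 0x40000000

# Constructed sample input: the DNs and flag sets quoted in the thread.
SERVER_OLD_DN = "CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld"
SERVER_NEW_DN = "CN=A,CN=Servers,CN=Test,CN=Sites,CN=Configuration,DC=domain,DC=tld"
NTDS_OLD_DN = "CN=NTDS Settings," + SERVER_OLD_DN
SERVER_FLAGS = (FLAG_CONFIG_ALLOW_RENAME | FLAG_CONFIG_ALLOW_LIMITED_MOVE
                | FLAG_DISALLOW_MOVE_ON_DELETE)
NTDS_FLAGS = FLAG_DISALLOW_MOVE_ON_DELETE


def dn_components(dn):
    """Split a DN into RDN components, leaf first, honouring backslash escapes."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def dn_equal(a, b):
    """Case-insensitive DN equality, standing in for ldb_dn_compare() == 0."""
    return [c.lower() for c in dn_components(a)] == [c.lower() for c in dn_components(b)]


def remove_child_components(dn, n):
    """Drop the n leftmost RDNs (like ldb_dn_remove_child_components); None if too short."""
    comps = dn_components(dn)
    return None if len(comps) <= n else ",".join(comps[n:])


def rename_allowed(olddn, newdn, system_flags):
    """Config-partition checks of MS-ADTS 3.1.1.5.4.1.2 for ONE object.

    Returns (allowed, reason). Only this object's own systemFlags are read;
    rename_subtree() never calls this for descendants.
    """
    old_parent = remove_child_components(olddn, 1)
    new_parent = remove_child_components(newdn, 1)
    if old_parent is not None and new_parent is not None and dn_equal(old_parent, new_parent):
        if system_flags & FLAG_CONFIG_ALLOW_RENAME:  # same parent, new RDN: a rename
            return True, "rename permitted by FLAG_CONFIG_ALLOW_RENAME"
        return False, "rename not permitted in config partition"
    if system_flags & FLAG_CONFIG_ALLOW_MOVE:
        return True, "move permitted by FLAG_CONFIG_ALLOW_MOVE"
    if system_flags & FLAG_CONFIG_ALLOW_LIMITED_MOVE:
        # Samba's check from the thread: both DNs must agree once the three
        # leftmost components (CN=<server>,CN=Servers,CN=<site>) are stripped.
        anc_old = remove_child_components(olddn, 3)
        anc_new = remove_child_components(newdn, 3)
        if anc_old is not None and anc_new is not None and dn_equal(anc_old, anc_new):
            return True, "limited move permitted by FLAG_CONFIG_ALLOW_LIMITED_MOVE"
        return False, "limited move: target lies outside the permitted ancestor"
    return False, "move not permitted in config partition"


def rename_subtree(olddn, newdn, subtree):
    """Move/rename a subtree; `subtree` maps DN -> systemFlags, root included.

    The constraint check runs on the root alone; descendants are re-homed by
    rewriting their DN suffix and their own systemFlags are not consulted.
    """
    ok, reason = rename_allowed(olddn, newdn, subtree[olddn])
    if not ok:
        raise PermissionError(f"subtree_rename: Cannot move {olddn} to {newdn}: {reason}")
    old_comps = [c.lower() for c in dn_components(olddn)]
    moved = {}
    for dn in subtree:
        comps = dn_components(dn)
        split = len(comps) - len(old_comps)
        if split < 0 or [c.lower() for c in comps[split:]] != old_comps:
            raise ValueError(f"{dn} is not under {olddn}")
        moved[dn] = ",".join(comps[:split] + [newdn])
    return moved


if __name__ == "__main__":
    tree = {SERVER_OLD_DN: SERVER_FLAGS, NTDS_OLD_DN: NTDS_FLAGS}
    for old, new in rename_subtree(SERVER_OLD_DN, SERVER_NEW_DN, tree).items():
        print(f"{old}\n  -> {new}")
    # Checking the nTDSDSA child on its own, as the old module did, refuses the move:
    print(rename_allowed(NTDS_OLD_DN, "CN=NTDS Settings," + SERVER_NEW_DN, NTDS_FLAGS))
```

Running the module moves both the server object and its CN=NTDS Settings child to CN=Test, while the last line shows why checking the child against its own systemFlags (FLAG_DISALLOW_MOVE_ON_DELETE only) would refuse the same move, which is the failure Matthieu saw from dssite.msc.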