descriptor calculation for NC
Matthieu Patou
mat at samba.org
Tue Nov 15 15:06:07 MST 2011
Hello Nadya and all the SD/NtACLs experts,
I'm debugging what's happening when a Windows DC asks samba to create a
new NC for the DNS zone, and logically it's going in the descriptor
module for the creation of the SD.
I found this code, and at least for my case it didn't work, or more
exactly I think it won't be correct:
	/* if the object has a parent, retrieve its SD to
	 * use for calculation. Unfortunately we do not yet have
	 * instanceType, so we use dsdb_find_nc_root. */
	parent_dn = ldb_dn_get_parent(req, dn);
	if (parent_dn == NULL) {
		return ldb_oom(ldb);
	}
	ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
	if (ret != LDB_SUCCESS) {
		ldb_debug(ldb, LDB_DEBUG_TRACE,
			  "descriptor_add: Could not find NC root for %s\n",
			  ldb_dn_get_linearized(dn));
		return ret;
	}
	if (ldb_dn_compare(dn, nc_root) != 0) {
		/* we aren't any NC */
		ret = dsdb_module_search_dn(module, req, &parent_res,
					    parent_dn,
					    parent_attrs,
					    DSDB_FLAG_NEXT_MODULE,
					    req);
		if (ret != LDB_SUCCESS) {
			ldb_debug(ldb, LDB_DEBUG_TRACE,
				  "descriptor_add: Could not find SD for %s\n",
				  ldb_dn_get_linearized(parent_dn));
			return ret;
		}
		if (parent_res->count != 1) {
			return ldb_operr(ldb);
		}
		parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0],
						 "nTSecurityDescriptor");
	}
So we have dn and nc_root which are not equal, so we fetch the parent's
SD as if we weren't an NC, but we are ...
I've seen other modules (I'm thinking of new_partition.c at least) that
are using the instanceType, and here in my case I have an instanceType
attribute.
So I'm wondering if:
1) the comment is still valid, as when we replicate it seems that we have
the instanceType attribute; the same for the provision, and the same when
the NC is created afterwards (with DRS_addEntry for instance).
2) we could introduce a test to check the presence of instanceType
and the NC_HEAD indicator, and use it in priority.
Matthieu.
--
Matthieu Patou
Samba Team
http://samba.org
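The decision the mail is about matters for access control: an object that is the head of a naming context is the root of its own inheritance chain, so if descriptor_add misclassifies it and pulls the parent's nTSecurityDescriptor in, the new NC starts life with inherited ACEs it should never have had. The following stand-alone C example (added here; it is not Samba code and does not use ldb) models the check proposed in point 2: consult instanceType first, testing the NC head bit (0x1 in MS-ADTS, INSTANCE_TYPE_IS_NC_HEAD in Samba), and only fall back to the dn-versus-nc_root comparison when the attribute is absent. The struct msg/struct attr types, the helper names and the sample DNs are constructed for the example; the message for the new DNS zone mirrors the reported situation, where nc_root resolves to an already existing NC and so differs from dn even though the object is an NC head.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* instanceType bits as documented in MS-ADTS (Samba: INSTANCE_TYPE_IS_NC_HEAD / INSTANCE_TYPE_WRITE). */
#define IT_NC_HEAD 0x00000001u
#define IT_WRITE   0x00000004u

/* Hypothetical stand-in for an ldb message: a flat list of attribute/value pairs. */
struct attr { const char *name; const char *value; };
struct msg  { const char *dn; const struct attr *attrs; size_t n_attrs; };

/* Case-insensitive attribute lookup, like ldb_msg_find_ldb_val(). */
static const char *msg_find(const struct msg *m, const char *name)
{
	for (size_t i = 0; i < m->n_attrs; i++) {
		if (strcasecmp(m->attrs[i].name, name) == 0) {
			return m->attrs[i].value;
		}
	}
	return NULL;
}

/* 1 if instanceType is present and has the NC head bit, 0 if present without it,
 * -1 if the attribute is absent or not a well-formed unsigned integer. */
int nc_head_from_instance_type(const struct msg *m)
{
	const char *v = msg_find(m, "instanceType");
	char *end;
	unsigned long it;

	if (v == NULL) {
		return -1;
	}
	errno = 0;
	it = strtoul(v, &end, 10);
	if (errno != 0 || end == v || *end != '\0') {
		return -1;
	}
	return (it & IT_NC_HEAD) ? 1 : 0;
}

/* The proposed ordering: trust instanceType when the add message carries it,
 * otherwise fall back to "is dn equal to the NC root dsdb_find_nc_root found?". */
bool is_nc_head(const struct msg *m, const char *nc_root)
{
	int r = nc_head_from_instance_type(m);
	if (r >= 0) {
		return r == 1;
	}
	return strcasecmp(m->dn, nc_root) == 0;
}

/* Which SD feeds the calculation: an NC head gets none from a parent. */
const char *sd_source(const struct msg *m, const char *nc_root)
{
	return is_nc_head(m, nc_root) ? "no parent SD (NC head)" : "parent SD";
}

/* Constructed sample messages. */
static const struct attr new_zone_attrs[] = { {"instanceType", "5"}, {"objectClass", "domainDNS"} };
const struct msg new_zone_nc = { "DC=DomainDnsZones,DC=example,DC=com", new_zone_attrs, 2 };

static const struct attr user_attrs[] = { {"instanceType", "4"}, {"objectClass", "user"} };
const struct msg plain_user = { "CN=alice,CN=Users,DC=example,DC=com", user_attrs, 2 };

static const struct attr legacy_attrs[] = { {"objectClass", "domainDNS"} };
const struct msg no_instance_type = { "DC=example,DC=com", legacy_attrs, 1 };

static const struct attr bad_attrs[] = { {"instanceType", "5x"} };
const struct msg malformed_instance_type = { "DC=bad,DC=example,DC=com", bad_attrs, 1 };

int main(void)
{
	/* nc_root is what dsdb_find_nc_root would return before the new NC exists. */
	const char *nc_root = "DC=example,DC=com";

	printf("%-40s -> %s\n", new_zone_nc.dn, sd_source(&new_zone_nc, nc_root));
	printf("%-40s -> %s\n", plain_user.dn, sd_source(&plain_user, nc_root));
	printf("%-40s -> %s\n", no_instance_type.dn, sd_source(&no_instance_type, nc_root));
	printf("%-40s -> %s\n", malformed_instance_type.dn, sd_source(&malformed_instance_type, nc_root));
	return 0;
}
```

With the dn-only comparison that the quoted code uses, the first message would wrongly get the parent SD; with instanceType consulted first it is recognised as an NC head, while an object whose instanceType is missing or unparsable still gets the old behaviour rather than an error.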