s4 dns: Check if signing user is allowed to update records

Andrew Bartlett abartlet at samba.org
Thu Sep 6 17:00:04 MDT 2012


On Fri, 2012-09-07 at 00:32 +0200, Kai Blin wrote:
> The branch, master has been updated
>        via  8ba8020 s4 dns: Make debug output less noisy
>        via  319b239 s4 dns: Check if signing user is allowed to update records
>       from  44fd8e7 fileserver:sysquotas: remove wrong cast
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> 
> 
> - Log -----------------------------------------------------------------
> commit 8ba802058644910741dc80940420781450a924b7
> Author: Kai Blin <kai at samba.org>
> Date:   Thu Sep 6 22:53:32 2012 +0200
> 
>     s4 dns: Make debug output less noisy
>     
>     Autobuild-User(master): Kai Blin <kai at samba.org>
>     Autobuild-Date(master): Fri Sep  7 00:31:56 CEST 2012 on sn-devel-104
> 
> commit 319b239dc4aeb2c6a928a70fc7a7dbad56d273cd
> Author: Kai Blin <kai at samba.org>
> Date:   Thu Sep 6 22:40:56 2012 +0200
> 
>     s4 dns: Check if signing user is allowed to update records
>     
>     This should fix bug #9142

Kai,

I misled you a little when I suggested this task is as simple as just
checking the ACL.  As I noticed when I started diving into the
equivalent code in the bind9 dlz code, we need to actually impersonate
the incoming user, or else we won't set owners correctly.  

Have a look over all the uses of 'session_info' in the dlz code, because
we will need to do the same in your code.  

Then we really, really need tests.  Perhaps added to smbtorture, what we
need to do is create a record using libadds, then verify its ownership
and the expected ACL AD using LDAP calls. 

(The advantage of an smbtorture test here is that you can run it against
AD, and against bind9_dlz to ensure the test is correct). 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



