[PATCH 07/22] auth: Create an admin token with the forest SID set correctly
Jelmer Vernooij
jelmer at samba.org
Mon Aug 25 09:43:55 MDT 2014
On Wed, Aug 20, 2014 at 02:06:42PM +1200, abartlet at samba.org wrote:
> From: Andrew Bartlett <abartlet at samba.org>
>
> The forest SID, used for the enterprise admins and schema admins groups, can be different if we
> are joining as a subdomain.
>
> Change-Id: I3b29654a90424551a36d8da9c8b25b16db7d9836
> Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
> Signed-off-by: Garming Sam <garming at catalyst.net.nz>
> Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> ---
> python/samba/provision/__init__.py | 2 +-
> source4/auth/pyauth.c | 21 ++++++++++++++++++---
> source4/auth/session.h | 3 ++-
> source4/auth/system_session.c | 17 ++++++++++++-----
> 4 files changed, 33 insertions(+), 10 deletions(-)
>
> diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
> index 06daa0e..287b633 100644
> --- a/python/samba/provision/__init__.py
> +++ b/python/samba/provision/__init__.py
> @@ -1276,7 +1276,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
> logger.info("Adding DomainDN: %s" % names.domaindn)
>
> # impersonate domain admin
> - admin_session_info = admin_session(lp, str(names.domainsid))
> + admin_session_info = admin_session(lp, str(names.domainsid), str(names.forestsid))
> samdb.set_session_info(admin_session_info)
> if names.domainguid is not None:
> domainguid_line = "objectGUID: %s\n-" % names.domainguid
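Review bot: the new third argument in `admin_session(lp, str(names.domainsid), str(names.forestsid))` is passed unconditionally, so if `names.forestsid` can still be unset at this point, `str(None)` produces the literal string "None" and the C side will reject it as an unparseable SID rather than treating it as "no forest SID given". Either guard the call (`str(names.forestsid) if names.forestsid is not None else None`) or state in the commit message that `forestsid` is always populated before `fill_samdb` runs.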
> diff --git a/source4/auth/pyauth.c b/source4/auth/pyauth.c
> index d79d417..027e99f 100644
> --- a/source4/auth/pyauth.c
> +++ b/source4/auth/pyauth.c
> @@ -81,12 +81,14 @@ static PyObject *py_admin_session(PyObject *module, PyObject *args)
> {
> PyObject *py_lp_ctx;
> PyObject *py_sid;
> + PyObject *py_forest_sid = NULL;
> struct loadparm_context *lp_ctx = NULL;
> struct auth_session_info *session;
> struct dom_sid *domain_sid = NULL;
> + struct dom_sid *forest_sid = NULL;
> TALLOC_CTX *mem_ctx;
>
> - if (!PyArg_ParseTuple(args, "OO", &py_lp_ctx, &py_sid))
> + if (!PyArg_ParseTuple(args, "OO|O", &py_lp_ctx, &py_sid, &py_forest_sid))
> return NULL;
>
> mem_ctx = talloc_new(NULL);
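Review bot: `PyArg_ParseTuple(args, "OO|O", ...)` makes the forest SID optional at the Python level, but nothing in the patch says what an omitted third argument means for the resulting session (the removed `admin_session(NULL, lp_ctx, domain_sid)` call in the next hunk shows the C-level `admin_session()` signature is changing too). Please document the default in the commit message or the Python-visible docstring, so callers know whether leaving it out gives a session whose forest SID equals the domain SID or one without the forest-level groups at all.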
> @@ -103,12 +105,25 @@ static PyObject *py_admin_session(PyObject *module, PyObject *args)
>
> domain_sid = dom_sid_parse_talloc(mem_ctx, PyString_AsString(py_sid));
> if (domain_sid == NULL) {
> - PyErr_Format(PyExc_RuntimeError, "Unable to parse sid %s",
> + PyErr_Format(PyExc_RuntimeError, "Unable to parse domain sid %s",
> PyString_AsString(py_sid));
ValueError would be more accurate. I realize that's already borked,
but since you're changing this line anyway and adding another place
where we use PyExc_RuntimeError...
> talloc_free(mem_ctx);
> return NULL;
> }
> - session = admin_session(NULL, lp_ctx, domain_sid);
> +
> + if (py_forest_sid) {
> + forest_sid = dom_sid_parse_talloc(mem_ctx, PyString_AsString(py_forest_sid));
Please check the return value of PyString_AsString. It may return NULL
IIRC.
> + if (forest_sid == NULL) {
> + PyErr_Format(PyExc_RuntimeError, "Unable to parse forest sid %s",
> + PyString_AsString(py_forest_sid));
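Review bot: `if (py_forest_sid)` only covers the case where the third argument was omitted; with the `OO|O` format a caller that passes `None` explicitly leaves `py_forest_sid` pointing at `Py_None`, and `PyString_AsString(Py_None)` then sets a TypeError and returns NULL, which is handed straight to `dom_sid_parse_talloc` as the string to parse. Treat `Py_None` like the omitted case (`if (py_forest_sid != NULL && py_forest_sid != Py_None)`), and check the `PyString_AsString` result before parsing. The forest-SID block is otherwise a copy of the domain-SID block above it apart from the names; a small helper taking the PyObject and a label would avoid duplicating the error path.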
This should also be PyExc_ValueError.
Jelmer
--
Jelmer Vernooij <jelmer at samba.org> - https://jelmer.uk/