[PATCH] Password Settings Object (PSO) support for Samba

Andrew Bartlett abartlet at samba.org
Wed May 23 00:08:05 UTC 2018


On Tue, 2018-05-22 at 17:50 +1200, Tim Beale via samba-technical wrote:
> Hi,
> 
> Attached is the latest patch-set that contains the functional changes
> required to support PSOs. Changes can also be viewed here:
> https://gitlab.com/catalyst-samba/samba/commits/tim-pso
> 
> And proof they run through the CI tests successfully here:
> https://gitlab.com/catalyst-samba/samba/pipelines/22403197
> 
> Note: the domain.py file move work is still waiting for the backup
> changes to go in first (I haven't forgotten about it).

Thanks.  

Reviewed-by: Andrew Bartlett <abartlet at samba.org> 

with small changes (see attached). 

Tim: Can you check the updated branch for me. 

Garming: If Tim is happy, can you review and push?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba



-------------- next part --------------
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 925355368a3..07cfbd06b33 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -68,6 +68,12 @@ const char *server_attrs[] = {
 };
 
 const char *user_attrs[] = {
+	/*
+	 * This ordering (having msDS-ResultantPSO first) is
+	 * important.  By processing this attribute first it is
+	 * available in the operational module for the other PSO
+	 * attribute calcuations to use.
+	 */
 	"msDS-ResultantPSO",
 
 	KRBTGT_ATTRS,
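Review bot: the new comment has a typo ("calcuations" should be "calculations"), and since correctness now depends on the array order rather than on anything the compiler can check, it would help to name the operational-module code path that consumes msDS-ResultantPSO so the dependency is discoverable from both sides; a reader editing user_attrs later has only this comment to stop them moving the entry.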
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index a8f46e51268..fe84b94630b 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -1093,8 +1093,15 @@ static int pso_search_by_sids(struct ldb_module *module, TALLOC_CTX *mem_ctx,
 		return ldb_oom(ldb);
 	}
 
+	/*
+	 * PSO objects must be directly under the Password Settings
+	 * Container.
+	 *
+	 * This avoids a rouge PSO from being linked onto users or
+	 * groups
+	 */
 	ret = dsdb_module_search(module, mem_ctx, result, psc_dn,
-				 LDB_SCOPE_SUBTREE, attrs,
+				 LDB_SCOPE_ONELEVEL, attrs,
 				 DSDB_FLAG_NEXT_MODULE, parent,
 				 "(&(objectClass=msDS-PasswordSettings)(|%s))",
 				 sid_filter);
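Review bot: the comment should read "rogue" rather than "rouge", and it ends without a full stop; more importantly it should state why ONELEVEL is the protection: the filter already requires objectClass=msDS-PasswordSettings, so what the scope change adds is that an object of that class created anywhere below the container other than as a direct child is no longer honoured, which means the guarantee rests on the ACL of the Password Settings Container limiting who can create children there. A test that creates a PSO-shaped object outside the container, links it to a user and asserts it is ignored would lock this behaviour in.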

