From d2dc8370dd1916dffa01257b1681fad00f0d33cf Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Thu, 22 Dec 2022 15:54:14 +1300
Subject: [PATCH] s4/dsdb/samldb: Disallow setting a domain-local group as a primary group

Windows also disallows this.

Note that changing a primary group to a domain-local group is allowed by both Windows and Samba.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 selftest/knownfail.d/domain-local-primary-group | 1 -
 selftest/knownfail_heimdal_kdc | 4 ----
 selftest/knownfail_mit_kdc | 1 -
 source4/dsdb/samdb/ldb_modules/samldb.c | 14 +++++++++++++-
 4 files changed, 13 insertions(+), 7 deletions(-)
 delete mode 100644 selftest/knownfail.d/domain-local-primary-group

diff --git a/selftest/knownfail.d/domain-local-primary-group b/selftest/knownfail.d/domain-local-primary-group
deleted file mode 100644
index 9a92b56d840..00000000000
--- a/selftest/knownfail.d/domain-local-primary-group
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.group.py.user\ setprimarygroup\ domain-local.none
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 9f1a81e883e..99f687e3212 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -142,7 +142,3 @@
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc
-#
-# Group tests
-#
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_set_domain_local_primary_group.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index c372e32149e..4832e831508 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -612,7 +612,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_universal_as_req_to_service.ad_dc
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_user_group_removal_tgs_req_to_krbtgt.ad_dc
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_user_group_removal_tgs_req_to_service.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_set_domain_local_primary_group.ad_dc
 #
 # Encryption type tests
 #
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 3ecbd00e68e..1b4921a6f2e 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -2113,6 +2113,8 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 const char *user_dn_ext_str = NULL;
 int ret;
 const char * const noattrs[] = { NULL };
+ const char * const group_type_attrs[] = { "groupType", NULL };
+ unsigned group_type;
 
 ret = dsdb_get_expected_new_values(ac,
 ac->msg,
@@ -2223,7 +2225,7 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 ret = dsdb_module_search(ac->module, ac, &group_res,
 ldb_get_default_basedn(ldb),
 LDB_SCOPE_SUBTREE,
- noattrs, search_flags,
+ group_type_attrs, search_flags,
 ac->req,
 "(objectSid=%s)",
 ldap_encode_ndr_dom_sid(ac, new_sid));
@@ -2236,6 +2238,16 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 return LDB_ERR_UNWILLING_TO_PERFORM;
 }
 new_prim_group_dn = group_res->msgs[0]->dn;
+
+ /* The new primary group must not be domain-local. */
+ group_type = ldb_msg_find_attr_as_uint(group_res->msgs[0], "groupType", 0);
+ if (group_type & GROUP_TYPE_RESOURCE_GROUP) {
+ return dsdb_module_werror(ac->module,
+ LDB_ERR_UNWILLING_TO_PERFORM,
+ WERR_MEMBER_NOT_IN_GROUP,
+ "may not set resource group as primary group!");
+ }
+
 new_prim_group_dn_ext_str = ldb_dn_get_extended_linearized(ac,
 new_prim_group_dn, 1);
 if (new_prim_group_dn_ext_str == NULL) {
-- 
2.34.1
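Review bot: The new guard fails open when groupType is absent: `ldb_msg_find_attr_as_uint(group_res->msgs[0], "groupType", 0)` yields 0 for a missing attribute, and the search it reads from (previous hunk) matches on `(objectSid=%s)` alone with no objectClass term, so unless the check just above this hunk already guarantees a group object, a non-group object holding that SID slips past the bit test. I would fail closed by rejecting a missing attribute before the test, e.g. `if (ldb_msg_find_ldb_val(group_res->msgs[0], "groupType") == NULL) { return dsdb_module_werror(ac->module, LDB_ERR_UNWILLING_TO_PERFORM, WERR_MEMBER_NOT_IN_GROUP, "primary group has no groupType!"); }`, or add `(objectClass=group)` to the filter if that matches what Windows does for a non-group SID. The comment should also say why, since the condition is self-evident: `/* Windows refuses a domain-local (resource) group as primaryGroupID — presumably because such groups are only meaningful in their own domain and travel separately in the PAC; reject it here too. */`. groupType is stored as a signed value (security-enabled groups carry 0x80000000 and appear negative), so the unsigned bit test relies on ldb_msg_find_attr_as_uint preserving the low bits for negative input; the test dropped from knownfail presumably uses a security-enabled domain-local group, which is worth confirming. samldb_prim_group_change starts before this hunk and continues after it.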