ret = dsdb_module_search_dn(module, mem_ctx, &res,
ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
attrs,
- DSDB_FLAG_NEXT_MODULE);
+ DSDB_FLAG_NEXT_MODULE, NULL);
if (ret != LDB_SUCCESS) {
goto done;
}
static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const char *spn_value,
- int userAccountControl,
+ uint32_t userAccountControl,
const char *samAccountName,
const char *dnsHostName,
const char *netbios_name,
char *serviceType;
char *serviceName;
const char *realm;
- const char *guid_str;
const char *forest_name = samdb_forest_name(ldb, mem_ctx);
const char *base_domain = samdb_default_domain_name(ldb, mem_ctx);
struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
bool is_dc = (userAccountControl & UF_SERVER_TRUST_ACCOUNT) ||
(userAccountControl & UF_PARTIAL_SECRETS_ACCOUNT);
+ if (strcasecmp_m(spn_value, samAccountName) == 0) {
+ /* MacOS X sets this value, and setting an SPN of your
+ * own samAccountName is both pointless and safe */
+ return LDB_SUCCESS;
+ }
+
kerr = smb_krb5_init_context_basic(mem_ctx,
lp_ctx,
&krb_ctx);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
+ if (principal->name.name_string.len < 2) {
+ goto fail;
+ }
+
instanceName = principal->name.name_string.val[1];
serviceType = principal->name.name_string.val[0];
realm = krb5_principal_get_realm(krb_ctx, principal);
- guid_str = talloc_asprintf(mem_ctx,"%s._msdcs.%s",
- ntds_guid,
- forest_name);
if (principal->name.name_string.len == 3) {
serviceName = principal->name.name_string.val[2];
} else {
}
/* instanceName can be samAccountName without $ or dnsHostName
* or "ntds_guid._msdcs.forest_domain for DC objects */
- if (strncasecmp(instanceName, samAccountName, strlen(samAccountName - 1)) == 0) {
+ if (strlen(instanceName) == (strlen(samAccountName) - 1)
+ && strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) {
goto success;
} else if (strcasecmp(instanceName, dnsHostName) == 0) {
goto success;
} else if (is_dc) {
+ const char *guid_str;
+ guid_str = talloc_asprintf(mem_ctx,"%s._msdcs.%s",
+ ntds_guid,
+ forest_name);
if (strcasecmp(instanceName, guid_str) == 0) {
goto success;
}
- } else {
- goto fail;
}
+
fail:
krb5_free_principal(krb_ctx, principal);
krb5_free_context(krb_ctx);
struct ldb_result *netbios_res;
struct ldb_message_element *el;
struct ldb_dn *partitions_dn = samdb_partitions_dn(ldb, tmp_ctx);
- int userAccountControl;
+ uint32_t userAccountControl;
const char *samAccountName;
const char *dnsHostName;
const char *netbios_name;
- const struct GUID *ntds = samdb_ntds_objectGUID(ldb);
- const char *ntds_guid = GUID_string(tmp_ctx, ntds);
+ struct GUID ntds;
+ char *ntds_guid = NULL;
static const char *acl_attrs[] = {
"samAccountName",
"nETBIOSName",
NULL
};
+
/* if we have wp, we can do whatever we like */
if (acl_check_access_on_attribute(module,
tmp_ctx,
&acl_res, req->op.mod.message->dn,
acl_attrs,
DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SHOW_DELETED);
+ DSDB_SEARCH_SHOW_DELETED, req);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
- userAccountControl = ldb_msg_find_attr_as_int(acl_res->msgs[0], "userAccountControl", 0);
+ userAccountControl = ldb_msg_find_attr_as_uint(acl_res->msgs[0], "userAccountControl", 0);
dnsHostName = ldb_msg_find_attr_as_string(acl_res->msgs[0], "dnsHostName", NULL);
samAccountName = ldb_msg_find_attr_as_string(acl_res->msgs[0], "samAccountName", NULL);
LDB_SCOPE_ONELEVEL,
netbios_attrs,
DSDB_FLAG_NEXT_MODULE,
+ req,
"(ncName=%s)",
ldb_dn_get_linearized(ldb_get_default_basedn(ldb)));
el = ldb_msg_find_element(req->op.mod.message, "servicePrincipalName");
if (!el) {
+ talloc_free(tmp_ctx);
return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
"Error finding element for servicePrincipalName.");
}
+ /* NTDSDSA objectGuid of object we are checking SPN for */
+ if (userAccountControl & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
+ ret = dsdb_module_find_ntdsguid_for_computer(module, tmp_ctx,
+ req->op.mod.message->dn, &ntds, req);
+ if (ret != LDB_SUCCESS) {
+ ldb_asprintf_errstring(ldb, "Failed to find NTDSDSA objectGuid for %s: %s",
+ ldb_dn_get_linearized(req->op.mod.message->dn),
+ ldb_strerror(ret));
+ talloc_free(tmp_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ ntds_guid = GUID_string(tmp_ctx, &ntds);
+ }
+
for (i=0; i < el->num_values; i++) {
ret = acl_validate_spn_value(tmp_ctx,
ldb,
oc_el = ldb_msg_find_element(req->op.add.message, "objectClass");
if (!oc_el || oc_el->num_values == 0) {
- DEBUG(10,("acl:operation error %s\n", ldb_dn_get_linearized(req->op.add.message->dn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl: unable to find objectClass on %s\n",
+ ldb_dn_get_linearized(req->op.add.message->dn));
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
guid = class_schemaid_guid_by_lDAPDisplayName(schema,
(char *)oc_el->values[oc_el->num_values-1].data);
- ret = dsdb_module_check_access_on_dn(module, req, parent, SEC_ADS_CREATE_CHILD, guid);
+ ret = dsdb_module_check_access_on_dn(module, req, parent, SEC_ADS_CREATE_CHILD, guid, req);
if (ret != LDB_SUCCESS) {
return ret;
}
struct security_descriptor *sd;
struct dom_sid *sid = NULL;
struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
- bool userPassword = dsdb_user_password_support(module, req);
+ bool userPassword = dsdb_user_password_support(module, req, req);
TALLOC_CTX *tmp_ctx = talloc_new(req);
static const char *acl_attrs[] = {
"nTSecurityDescriptor",
}
ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn,
acl_attrs,
- DSDB_FLAG_NEXT_MODULE);
+ DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED,
+ req);
if (ret != LDB_SUCCESS) {
goto fail;
ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
- DEBUG(10, ("acl_modify: cannot get descriptor\n"));
- goto fail;
+ talloc_free(tmp_ctx);
+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+ "acl_modify: Error retrieving security descriptor.");
}
/* Theoretically we pass the check if the object has no sd */
if (!sd) {
guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
if (!guid) {
- DEBUG(10, ("acl_modify: cannot get guid\n"));
- goto fail;
+ talloc_free(tmp_ctx);
+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+ "acl_modify: Error retrieving object class GUID.");
}
sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&root, &new_node)) {
- DEBUG(10, ("acl_modify: cannot add to object tree\n"));
- goto fail;
+ talloc_free(tmp_ctx);
+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+ "acl_modify: Error adding new node in object tree.");
}
for (i=0; i < req->op.mod.message->num_elements; i++){
const struct dsdb_attribute *attr;
attr = dsdb_attribute_by_lDAPDisplayName(schema,
- req->op.mod.message->elements[i].name);
+ req->op.mod.message->elements[i].name);
if (ldb_attr_cmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) {
status = sec_access_check_ds(sd, acl_user_token(module),
sid);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Object %s has no write dacl access\n",
- ldb_dn_get_linearized(req->op.mod.message->dn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Object %s has no write dacl access\n",
+ ldb_dn_get_linearized(req->op.mod.message->dn));
dsdb_acl_debug(sd,
acl_user_token(module),
req->op.mod.message->dn,
/* This basic attribute existence check with the right errorcode
* is needed since this module is the first one which requests
- * schema attribute informations.
+ * schema attribute information.
* The complete attribute checking is done in the
* "objectclass_attrs" module behind this one.
*/
if (!insert_in_object_tree(tmp_ctx,
&attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
- DEBUG(10, ("acl_modify: cannot add to object tree securityGUID\n"));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl_modify: cannot add to object tree securityGUID\n");
ret = LDB_ERR_OPERATIONS_ERROR;
goto fail;
}
if (!insert_in_object_tree(tmp_ctx,
&attr->schemaIDGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) {
- DEBUG(10, ("acl_modify: cannot add to object tree attributeGUID\n"));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl_modify: cannot add to object tree attributeGUID\n");
ret = LDB_ERR_OPERATIONS_ERROR;
goto fail;
}
sid);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Object %s has no write property access\n",
- ldb_dn_get_linearized(req->op.mod.message->dn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Object %s has no write property access\n",
+ ldb_dn_get_linearized(req->op.mod.message->dn));
dsdb_acl_debug(sd,
- acl_user_token(module),
- req->op.mod.message->dn,
- true,
- 10);
+ acl_user_token(module),
+ req->op.mod.message->dn,
+ true,
+ 10);
ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
goto fail;
}
/* First check if we have delete object right */
ret = dsdb_module_check_access_on_dn(module, req, req->op.del.dn,
- SEC_STD_DELETE, NULL);
+ SEC_STD_DELETE, NULL, req);
if (ret == LDB_SUCCESS) {
return ldb_next_request(module, req);
}
/* Nope, we don't have delete object. Lets check if we have delete
* child on the parent */
ret = dsdb_module_check_access_on_dn(module, req, parent,
- SEC_ADS_DELETE_CHILD, NULL);
+ SEC_ADS_DELETE_CHILD, NULL, req);
if (ret != LDB_SUCCESS) {
return ret;
}
/* Look for the parent */
- ret = dsdb_module_search_dn(module, req, &acl_res, req->op.rename.olddn,
- acl_attrs,
+ ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res,
+ req->op.rename.olddn, acl_attrs,
DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SHOW_RECYCLED);
+ DSDB_SEARCH_SHOW_RECYCLED, req);
/* we sould be able to find the parent */
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl: failed to find object %s\n",
ldb_dn_get_linearized(req->op.rename.olddn)));
+ talloc_free(tmp_ctx);
return ret;
}
schema = dsdb_get_schema(ldb, acl_res);
if (!schema) {
- talloc_free(acl_res);
+ talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&root, &new_node)) {
+ talloc_free(tmp_ctx);
return ldb_operr(ldb);
};
"name");
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
+ talloc_free(tmp_ctx);
return ldb_operr(ldb);
};
rdn_name = ldb_dn_get_rdn_name(req->op.rename.olddn);
if (rdn_name == NULL) {
+ talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
guid = attribute_schemaid_guid_by_lDAPDisplayName(schema,
rdn_name);
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
+ talloc_free(tmp_ctx);
return ldb_operr(ldb);
};
ret = dsdb_get_sd_from_ldb_message(ldb, req, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
/* Theoretically we pass the check if the object has no sd */
if (!sd) {
+ talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");
sid);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Object %s has no wp on name\n",
- ldb_dn_get_linearized(req->op.rename.olddn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Object %s has no wp on name\n",
+ ldb_dn_get_linearized(req->op.rename.olddn));
dsdb_acl_debug(sd,
acl_user_token(module),
req->op.rename.olddn,
true,
10);
+ talloc_free(tmp_ctx);
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
if (ldb_dn_compare(oldparent, newparent) == 0) {
/* regular rename, not move, nothing more to do */
+ talloc_free(tmp_ctx);
return ldb_next_request(module, req);
}
/* new parent should have create child */
- talloc_free(tmp_ctx);
- tmp_ctx = talloc_new(req);
root = NULL;
new_node = NULL;
guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
if (!guid) {
- DEBUG(10,("acl:renamed object has no object class\n"));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl:renamed object has no object class\n");
+ talloc_free(tmp_ctx);
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
- ret = dsdb_module_check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, guid);
+ ret = dsdb_module_check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, guid, req);
if (ret != LDB_SUCCESS) {
- DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl:access_denied renaming %s",
+ ldb_dn_get_linearized(req->op.rename.olddn));
+ talloc_free(tmp_ctx);
return ret;
}
/* do we have delete object on the object? */
sid);
if (NT_STATUS_IS_OK(status)) {
+ talloc_free(tmp_ctx);
return ldb_next_request(module, req);
}
/* what about delete child on the current parent */
- ret = dsdb_module_check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL);
+ ret = dsdb_module_check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL, req);
if (ret != LDB_SUCCESS) {
- DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn));
+ talloc_free(tmp_ctx);
return ldb_module_done(req, NULL, NULL, ret);
}
+
+ talloc_free(tmp_ctx);
+
return ldb_next_request(module, req);
}
|| ac->sDRightsEffective) {
ret = dsdb_module_search_dn(ac->module, ac, &acl_res, ares->message->dn,
acl_attrs,
- DSDB_FLAG_NEXT_MODULE);
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_SEARCH_SHOW_DELETED, req);
if (ret != LDB_SUCCESS) {
return ldb_module_done(ac->req, NULL, NULL, ret);
}
ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs, "sDRightsEffective");
- ac->userPassword = dsdb_user_password_support(module, ac);
+ ac->userPassword = dsdb_user_password_support(module, ac, req);
ac->schema = dsdb_get_schema(ldb, ac);
/* replace any attributes in the parse tree that are private,