s4-dsdb Return ACL errors as ldb_errstring()
authorAndrew Bartlett <abartlet@samba.org>
Thu, 25 Aug 2011 09:20:28 +0000 (19:20 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 26 Aug 2011 12:06:07 +0000 (14:06 +0200)
This string is reported to the caller, which makes debugging much easier.

Andrew Bartlett

source4/dsdb/common/dsdb_access.c
source4/dsdb/samdb/ldb_modules/acl.c
source4/dsdb/samdb/ldb_modules/acl_util.c

index 39e67b7793a34484bcfa01719f0ecebe58d815c1..b8784fc62f7bafef83c6ec24254ee3eff54788d1 100644 (file)
@@ -124,6 +124,9 @@ int dsdb_check_access_on_dn_internal(struct ldb_context *ldb,
                               dn,
                               true,
                               10);
                               dn,
                               true,
                               10);
+               ldb_asprintf_errstring(ldb,
+                                      "dsdb_access: Access check failed on %s",
+                                      ldb_dn_get_linearized(dn));
                return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
        }
        return LDB_SUCCESS;
                return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
        }
        return LDB_SUCCESS;
index 12a4028cbe8ad6c11c0dc571af9737872361a62d..abde85f682c65b633b630ce4f3cec90608501af3 100644 (file)
@@ -706,7 +706,9 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req)
 
        oc_el = ldb_msg_find_element(req->op.add.message, "objectClass");
        if (!oc_el || oc_el->num_values == 0) {
 
        oc_el = ldb_msg_find_element(req->op.add.message, "objectClass");
        if (!oc_el || oc_el->num_values == 0) {
-               DEBUG(10,("acl:operation error %s\n", ldb_dn_get_linearized(req->op.add.message->dn)));
+               ldb_asprintf_errstring(ldb_module_get_ctx(module),
+                                      "acl: unable to find objectClass on %s\n",
+                                      ldb_dn_get_linearized(req->op.add.message->dn));
                return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
        }
 
                return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
        }
 
@@ -952,8 +954,9 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
                                             sid);
 
                        if (!NT_STATUS_IS_OK(status)) {
                                             sid);
 
                        if (!NT_STATUS_IS_OK(status)) {
-                               DEBUG(10, ("Object %s has no write dacl access\n",
-                                          ldb_dn_get_linearized(req->op.mod.message->dn)));
+                               ldb_asprintf_errstring(ldb_module_get_ctx(module),
+                                                      "Object %s has no write dacl access\n",
+                                                      ldb_dn_get_linearized(req->op.mod.message->dn));
                                dsdb_acl_debug(sd,
                                               acl_user_token(module),
                                               req->op.mod.message->dn,
                                dsdb_acl_debug(sd,
                                               acl_user_token(module),
                                               req->op.mod.message->dn,
@@ -1022,14 +1025,16 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
                        if (!insert_in_object_tree(tmp_ctx,
                                                   &attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
                                                   &new_node, &new_node)) {
                        if (!insert_in_object_tree(tmp_ctx,
                                                   &attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
                                                   &new_node, &new_node)) {
-                               DEBUG(10, ("acl_modify: cannot add to object tree securityGUID\n"));
+                               ldb_asprintf_errstring(ldb_module_get_ctx(module),
+                                                      "acl_modify: cannot add to object tree securityGUID\n");
                                ret = LDB_ERR_OPERATIONS_ERROR;
                                goto fail;
                        }
 
                        if (!insert_in_object_tree(tmp_ctx,
                                                   &attr->schemaIDGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) {
                                ret = LDB_ERR_OPERATIONS_ERROR;
                                goto fail;
                        }
 
                        if (!insert_in_object_tree(tmp_ctx,
                                                   &attr->schemaIDGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) {
-                               DEBUG(10, ("acl_modify: cannot add to object tree attributeGUID\n"));
+                               ldb_asprintf_errstring(ldb_module_get_ctx(module),
+                                                      "acl_modify: cannot add to object tree attributeGUID\n");
                                ret = LDB_ERR_OPERATIONS_ERROR;
                                goto fail;
                        }
                                ret = LDB_ERR_OPERATIONS_ERROR;
                                goto fail;
                        }
@@ -1044,13 +1049,14 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
                                             sid);
 
                if (!NT_STATUS_IS_OK(status)) {
                                             sid);
 
                if (!NT_STATUS_IS_OK(status)) {
-                       DEBUG(10, ("Object %s has no write property access\n",
-                                  ldb_dn_get_linearized(req->op.mod.message->dn)));
+                       ldb_asprintf_errstring(ldb_module_get_ctx(module),
+                                              "Object %s has no write property access\n",
+                                              ldb_dn_get_linearized(req->op.mod.message->dn));
                        dsdb_acl_debug(sd,
                        dsdb_acl_debug(sd,
-                                 acl_user_token(module),
-                                 req->op.mod.message->dn,
-                                 true,
-                                 10);
+                                      acl_user_token(module),
+                                      req->op.mod.message->dn,
+                                      true,
+                                      10);
                        ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
                        goto fail;
                }
                        ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
                        goto fail;
                }
@@ -1243,8 +1249,9 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
                                     sid);
 
        if (!NT_STATUS_IS_OK(status)) {
                                     sid);
 
        if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(10, ("Object %s has no wp on name\n",
-                          ldb_dn_get_linearized(req->op.rename.olddn)));
+               ldb_asprintf_errstring(ldb_module_get_ctx(module),
+                                      "Object %s has no wp on name\n",
+                                      ldb_dn_get_linearized(req->op.rename.olddn));
                dsdb_acl_debug(sd,
                          acl_user_token(module),
                          req->op.rename.olddn,
                dsdb_acl_debug(sd,
                          acl_user_token(module),
                          req->op.rename.olddn,
@@ -1265,14 +1272,17 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
        new_node = NULL;
        guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
        if (!guid) {
        new_node = NULL;
        guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
        if (!guid) {
-               DEBUG(10,("acl:renamed object has no object class\n"));
+               ldb_asprintf_errstring(ldb_module_get_ctx(module),
+                                      "acl:renamed object has no object class\n");
                talloc_free(tmp_ctx);
                return ldb_module_done(req, NULL, NULL,  LDB_ERR_OPERATIONS_ERROR);
        }
 
        ret = dsdb_module_check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, guid, req);
        if (ret != LDB_SUCCESS) {
                talloc_free(tmp_ctx);
                return ldb_module_done(req, NULL, NULL,  LDB_ERR_OPERATIONS_ERROR);
        }
 
        ret = dsdb_module_check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, guid, req);
        if (ret != LDB_SUCCESS) {
-               DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
+               ldb_asprintf_errstring(ldb_module_get_ctx(module),
+                                      "acl:access_denied renaming %s",
+                                      ldb_dn_get_linearized(req->op.rename.olddn));
                talloc_free(tmp_ctx);
                return ret;
        }
                talloc_free(tmp_ctx);
                return ret;
        }
@@ -1291,7 +1301,8 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
        /* what about delete child on the current parent */
        ret = dsdb_module_check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL, req);
        if (ret != LDB_SUCCESS) {
        /* what about delete child on the current parent */
        ret = dsdb_module_check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL, req);
        if (ret != LDB_SUCCESS) {
-               DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
+               ldb_asprintf_errstring(ldb_module_get_ctx(module),
+                                      "acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn));
                talloc_free(tmp_ctx);
                return ldb_module_done(req, NULL, NULL, ret);
        }
                talloc_free(tmp_ctx);
                return ldb_module_done(req, NULL, NULL, ret);
        }
index cce504dc97713113d309728ccba796fc169d0f3f..50bf88869158e5a1ff9eb649956c2c7edd1f5c23 100644 (file)
@@ -77,7 +77,9 @@ int dsdb_module_check_access_on_dn(struct ldb_module *module,
                                    DSDB_SEARCH_SHOW_RECYCLED,
                                    parent);
        if (ret != LDB_SUCCESS) {
                                    DSDB_SEARCH_SHOW_RECYCLED,
                                    parent);
        if (ret != LDB_SUCCESS) {
-               DEBUG(0,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
+               ldb_asprintf_errstring(ldb_module_get_ctx(module),
+                                      "access_check: failed to find object %s\n",
+                                      ldb_dn_get_linearized(dn));
                return ret;
        }
        return dsdb_check_access_on_dn_internal(ldb, acl_res,
                return ret;
        }
        return dsdb_check_access_on_dn_internal(ldb, acl_res,