author | Stefan Metzmacher <metze@samba.org> | 2018-02-22 22:51:46 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-03-19 20:30:50 +0100 |
commit | a0813b2a9fe8004e4552a952e3587150f832993e (patch) | |
tree | 2b4e789511bd3ca245fba0587aad66a0690ce616 /source4 | |
parent | 856504ca26d1769b5db8fe2e220414960349afe9 (diff) | |
download | samba-a0813b2a9fe8004e4552a952e3587150f832993e.tar.gz |
dsdb:samldb: require as_system or provision control to create foreignSecurityPrincipal objects
Windows rejects creating foreignSecurityPrincipal objects directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 46 |
1 files changed, 42 insertions, 4 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 3e429e1476a..108235a91b4 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1249,14 +1249,52 @@ static int samldb_fill_object(struct samldb_ctx *ac)
 static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac)
 {
-	struct ldb_context *ldb;
-	const struct ldb_val *rdn_value;
-	struct dom_sid *sid;
+	struct ldb_context *ldb = NULL;
+	const struct ldb_val *rdn_value = NULL;
+	struct ldb_message_element *sid_el = NULL;
+	struct dom_sid *sid = NULL;
+	struct ldb_control *as_system = NULL;
+	struct ldb_control *provision = NULL;
+	bool allowed = false;
 	int ret;
 	ldb = ldb_module_get_ctx(ac->module);
-	sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid");
+	as_system = ldb_request_get_control(ac->req, LDB_CONTROL_AS_SYSTEM_OID);
+	if (as_system != NULL) {
+		allowed = true;
+	}
+
+	provision = ldb_request_get_control(ac->req, LDB_CONTROL_PROVISION_OID);
+	if (provision != NULL) {
+		allowed = true;
+	}
+
+	sid_el = ldb_msg_find_element(ac->msg, "objectSid");
+
+	if (!allowed && sid_el == NULL) {
+		return dsdb_module_werror(ac->module,
+					  LDB_ERR_OBJECT_CLASS_VIOLATION,
+					  WERR_DS_MISSING_REQUIRED_ATT,
+					  "objectSid missing on foreignSecurityPrincipal");
+	}
+
+	if (!allowed) {
+		return dsdb_module_werror(ac->module,
+					  LDB_ERR_UNWILLING_TO_PERFORM,
+					  WERR_DS_ILLEGAL_MOD_OPERATION,
+					  "foreignSecurityPrincipal object not allowed");
+	}
+
+	if (sid_el != NULL) {
+		sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid");
+		if (sid == NULL) {
+			ldb_set_errstring(ldb,
+					  "samldb: invalid objectSid!");
+			return LDB_ERR_CONSTRAINT_VIOLATION;
+		}
+	}
+
 	if (sid == NULL) {
 		rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
 		if (rdn_value == NULL) {
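Review bot: The new gate at the top of samldb_fill_foreignSecurityPrincipal_object treats the mere presence of LDB_CONTROL_AS_SYSTEM_OID or LDB_CONTROL_PROVISION_OID as sufficient authorisation, so its strength rests entirely on those controls being stripped or refused for requests from unprivileged (network) callers before they reach this module; nothing in the hunk states that, and the hunk never marks either control as consumed. A comment above the two ldb_request_get_control() calls would make the trust assumption explicit for the next reader, e.g. `/* Windows rejects direct creation of FSPs; only the DC itself (as_system) or provisioning may add them. Both controls are assumed to be unreachable from remote LDAP clients. */`. As a minor style point the two `if` blocks that set `allowed` collapse into one line, `allowed = (as_system != NULL || provision != NULL);`. The function body continues past the end of the hunk.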