X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=source4%2Fdsdb%2Fsamdb%2Fldb_modules%2Foperational.c;h=ae61089198ff41eb4579056da7eb53851a4b981d;hb=87f31510475c6debd56ff874130f4f5d48bef9a5;hp=8604a27b9f0decdfd702e47b060f5ee826aff409;hpb=cbffc513130733ca9e775d99cea8f9a7402f10d0;p=samba.git
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index 8604a27b9f0..ae61089198f 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -89,7 +89,8 @@ struct operational_data {
 construct a canonical name from a message
 */
 static int construct_canonical_name(struct ldb_module *module,
- struct ldb_message *msg, enum ldb_scope scope)
+ struct ldb_message *msg, enum ldb_scope scope,
+ struct ldb_request *parent)
 {
 char *canonicalName;
 canonicalName = ldb_dn_canonical_string(msg, msg->dn);
@@ -103,7 +104,8 @@ static int construct_canonical_name(struct ldb_module *module,
 construct a primary group token for groups from a message
 */
 static int construct_primary_group_token(struct ldb_module *module,
- struct ldb_message *msg, enum ldb_scope scope)
+ struct ldb_message *msg, enum ldb_scope scope,
+ struct ldb_request *parent)
 {
 struct ldb_context *ldb;
 uint32_t primary_group_token;
@@ -127,7 +129,8 @@ static int construct_primary_group_token(struct ldb_module *module,
 construct the token groups for SAM objects from a message
 */
 static int construct_token_groups(struct ldb_module *module,
- struct ldb_message *msg, enum ldb_scope scope)
+ struct ldb_message *msg, enum ldb_scope scope,
+ struct ldb_request *parent)
 {
 struct ldb_context *ldb = ldb_module_get_ctx(module);;
 TALLOC_CTX *tmp_ctx = talloc_new(msg);
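Review bot: The header comment above construct_canonical_name in the -89,7 hunk still describes only the message, and nothing visible there uses the new `parent` argument; the same holds for construct_primary_group_token (-103,7) and construct_token_groups (-127,7). A line in each header comment such as `parent: the search request being post-processed; hand it to any dsdb_module_*() sub-search` would tell maintainers what the argument is for. The function bodies continue outside these hunks, so whether `parent` is consumed further down cannot be confirmed from here.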
@@ -186,11 +189,9 @@ static int construct_token_groups(struct ldb_module *module,
 return ldb_oom(ldb);
 }
- /* Filter out builtin groups from this token. We will search
- * for builtin groups later, and not include them in the
- * tokenGroups (and therefore the PAC or SamLogon validation
- * info) */
- filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
+ /* only return security groups */
+ filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
+ GROUP_TYPE_SECURITY_ENABLED);
 if (!filter) {
 talloc_free(tmp_ctx);
 return ldb_oom(ldb);
@@ -267,7 +268,8 @@ static int construct_token_groups(struct ldb_module *module,
 construct the parent GUID for an entry from a message
 */
 static int construct_parent_guid(struct ldb_module *module,
- struct ldb_message *msg, enum ldb_scope scope)
+ struct ldb_message *msg, enum ldb_scope scope,
+ struct ldb_request *parent)
 {
 struct ldb_result *res, *parent_res;
 const struct ldb_val *parent_guid;
@@ -281,7 +283,7 @@ static int construct_parent_guid(struct ldb_module *module,
 /* determine if the object is NC by instance type */
 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attrs, DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SHOW_RECYCLED);
+ DSDB_SEARCH_SHOW_RECYCLED, parent);
 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0], "instanceType", 0);
@@ -300,7 +302,7 @@ static int construct_parent_guid(struct ldb_module *module,
 }
 ret = dsdb_module_search_dn(module, msg, &parent_res, parent_dn, attrs2, DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SHOW_RECYCLED);
+ DSDB_SEARCH_SHOW_RECYCLED, parent);
 talloc_free(parent_dn);
 /* not NC, so the object should have a parent*/
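Review bot: The replacement filter in the -186,11 hunk no longer carries the `(!(groupType:1.2.840.113556.1.4.803:=%u))` clause for `GROUP_TYPE_BUILTIN_LOCAL_GROUP`, so builtin local groups now match this search, while the removed comment said they were deliberately kept out of tokenGroups "and therefore the PAC or SamLogon validation info". That is an authorization-relevant change sitting among hunks that otherwise only thread `parent` through, and the new comment `/* only return security groups */` does not record it. I would write `/* only return security groups; builtin local groups are included here, so code that derives PAC or SamLogon group lists from tokenGroups must filter them itself */` and add a test that pins tokenGroups for a member of a builtin group. Whether any consumer still depends on the old exclusion is not visible from this page, and construct_token_groups continues outside the hunk.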
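Review bot: In the -281,7 hunk `res->msgs[0]` is read in the statement immediately after `dsdb_module_search_dn()` with no test of `ret` in between, so a failed search may leave `res` (declared uninitialised in the -267,7 hunk) unset when it is dereferenced. Since the call is being edited anyway, add `if (ret != LDB_SUCCESS) { return ret; }` before the `instanceType` assignment. Whether a successful return guarantees at least one message is not visible here; if it does not, the guard should also check `res->count`. construct_parent_guid starts and ends outside the hunk.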
@@ -332,7 +334,8 @@ static int construct_parent_guid(struct ldb_module *module,
 construct a subSchemaSubEntry
 */
 static int construct_subschema_subentry(struct ldb_module *module,
- struct ldb_message *msg, enum ldb_scope scope)
+ struct ldb_message *msg, enum ldb_scope scope,
+ struct ldb_request *parent)
 {
 struct operational_data *data = talloc_get_type(ldb_module_get_private(module), struct operational_data);
 char *subSchemaSubEntry;
@@ -396,7 +399,8 @@ static int construct_msds_isrodc_with_dn(struct ldb_module *module,
 static int construct_msds_isrodc_with_server_dn(struct ldb_module *module,
 struct ldb_message *msg,
- struct ldb_dn *dn)
+ struct ldb_dn *dn,
+ struct ldb_request *parent)
 {
 struct ldb_dn *server_dn;
 const char *attr_obj_cat[] = { "objectCategory", NULL };
@@ -412,7 +416,7 @@ static int construct_msds_isrodc_with_server_dn(struct ldb_module *module,
 }
 ret = dsdb_module_search_dn(module, msg, &res, server_dn, attr_obj_cat,
- DSDB_FLAG_NEXT_MODULE);
+ DSDB_FLAG_NEXT_MODULE, parent);
 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
 DEBUG(4,(__location__ ": Can't get objectCategory for %s \n", ldb_dn_get_linearized(server_dn)));
@@ -431,7 +435,8 @@ static int construct_msds_isrodc_with_server_dn(struct ldb_module *module,
 }
 static int construct_msds_isrodc_with_computer_dn(struct ldb_module *module,
- struct ldb_message *msg)
+ struct ldb_message *msg,
+ struct ldb_request *parent)
 {
 struct ldb_context *ldb;
 const char *attr[] = { "serverReferenceBL", NULL };
@@ -440,7 +445,7 @@ static int construct_msds_isrodc_with_computer_dn(struct ldb_module *module,
 struct ldb_dn *server_dn;
 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attr,
- DSDB_FLAG_NEXT_MODULE);
+ DSDB_FLAG_NEXT_MODULE, parent);
 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
 DEBUG(4,(__location__ ": Can't get serverReferenceBL for %s \n", ldb_dn_get_linearized(msg->dn)));
@@ -460,14 +465,15 @@ static int construct_msds_isrodc_with_computer_dn(struct ldb_module *module,
 ldb_dn_get_linearized(res->msgs[0]->dn)));
 return LDB_SUCCESS;
 }
- return construct_msds_isrodc_with_server_dn(module, msg, server_dn);
+ return construct_msds_isrodc_with_server_dn(module, msg, server_dn, parent);
 }
 /*
 construct msDS-isRODC attr
 */
 static int construct_msds_isrodc(struct ldb_module *module,
- struct ldb_message *msg, enum ldb_scope scope)
+ struct ldb_message *msg, enum ldb_scope scope,
+ struct ldb_request *parent)
 {
 struct ldb_message_element * object_class;
 struct ldb_message_element * object_category;
@@ -498,13 +504,13 @@ static int construct_msds_isrodc(struct ldb_module *module,
 * the DN of TO. Apply the previous rule for the "TO is an nTDSDSA object" case,
 * substituting TN for TO.
 */
- return construct_msds_isrodc_with_server_dn(module, msg, msg->dn);
+ return construct_msds_isrodc_with_server_dn(module, msg, msg->dn, parent);
 }
 if (strequal((const char*)object_class->values[i].data, "computer")) {
 /* Let TS be the server object named by TO!serverReferenceBL. Apply the previous
 * rule for the "TO is a server object" case, substituting TS for TO.
 */
- return construct_msds_isrodc_with_computer_dn(module, msg);
+ return construct_msds_isrodc_with_computer_dn(module, msg, parent);
 }
 }
@@ -520,7 +526,8 @@ static int construct_msds_isrodc(struct ldb_module *module,
 */
 static int construct_msds_keyversionnumber(struct ldb_module *module,
 struct ldb_message *msg,
- enum ldb_scope scope)
+ enum ldb_scope scope,
+ struct ldb_request *parent)
 {
 uint32_t i;
 enum ndr_err_code ndr_err;
@@ -607,7 +614,7 @@ static const struct {
 const char *attr;
 const char *replace;
 const char *extra_attr;
- int (*constructor)(struct ldb_module *, struct ldb_message *, enum ldb_scope);
+ int (*constructor)(struct ldb_module *, struct ldb_message *, enum ldb_scope, struct ldb_request *);
 } search_sub[] = {
 { "createTimestamp", "whenCreated", NULL , NULL },
 { "modifyTimestamp", "whenChanged", NULL , NULL },
@@ -659,7 +666,8 @@ static int operational_search_post_process(struct ldb_module *module,
 enum ldb_scope scope,
 const char * const *attrs_from_user,
 const char * const *attrs_searched_for,
- struct op_controls_flags* controls_flags)
+ struct op_controls_flags* controls_flags,
+ struct ldb_request *parent)
 {
 struct ldb_context *ldb;
 unsigned int i, a = 0;
@@ -710,7 +718,7 @@ static int operational_search_post_process(struct ldb_module *module,
 constructor or a simple copy */
 constructed_attributes = true;
 if (search_sub[i].constructor != NULL) {
- if (search_sub[i].constructor(module, msg, scope) != LDB_SUCCESS) {
+ if (search_sub[i].constructor(module, msg, scope, parent) != LDB_SUCCESS) {
 goto failed;
 }
 } else if (ldb_msg_copy_attr(msg,
@@ -786,7 +794,7 @@ static int operational_callback(struct ldb_request *req, struct ldb_reply *ares)
 ac->scope,
 ac->attrs,
 req->op.search.attrs,
- ac->controls_flags);
+ ac->controls_flags, req);
 if (ret != 0) {
 return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
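Review bot: The call in the -786,7 hunk passes `req` as the parent while the error path two lines below completes `ac->req`, and nothing in the hunk says which of the two requests the constructors are meant to receive. A one-line comment at the call, for example `/* parent is the request this callback was invoked for, not ac->req */`, would make the choice explicit for anyone touching the sub-search plumbing later. If `ac->req` was the intended parent, this is the line to change; the page does not show enough of operational_callback to tell, as its body starts and ends outside the hunk.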