dsdb:samldb: require as_system or provision control to create foreignSecurityPrincipa...

author Stefan Metzmacher <metze@samba.org>

Thu, 22 Feb 2018 21:51:46 +0000 (22:51 +0100)

committer Andreas Schneider <asn@cryptomilk.org>

Mon, 19 Mar 2018 19:30:50 +0000 (20:30 +0100)
author Stefan Metzmacher <metze@samba.org>
Thu, 22 Feb 2018 21:51:46 +0000 (22:51 +0100)
committer Andreas Schneider <asn@cryptomilk.org>
Mon, 19 Mar 2018 19:30:50 +0000 (20:30 +0100)
diff --git a/selftest/knownfail.d/duplicate_objectSIDs b/selftest/knownfail.d/duplicate_objectSIDs

deleted file mode 100644 (file)

index 6e6ddbe..0000000
--- a/selftest/knownfail.d/duplicate_objectSIDs
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.dsdb.*samba.tests.dsdb.DsdbTests.test_duplicate_objectSIDs_allowed_on_foreign_security_principals
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c

index 3e429e1476a2f63b78851f9f49d9de8e4ab7d914..108235a91b4460ab3a61f684ef50554ab4c6b787 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1249,14 +1249,52 @@ static int samldb_fill_object(struct samldb_ctx *ac)
  
  static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac)
  {
-       struct ldb_context *ldb;
-       const struct ldb_val *rdn_value;
-       struct dom_sid *sid;
+       struct ldb_context *ldb = NULL;
+       const struct ldb_val *rdn_value = NULL;
+       struct ldb_message_element *sid_el = NULL;
+       struct dom_sid *sid = NULL;
+       struct ldb_control *as_system = NULL;
+       struct ldb_control *provision = NULL;
+       bool allowed = false;
         int ret;
  
         ldb = ldb_module_get_ctx(ac->module);
  
-       sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid");
+       as_system = ldb_request_get_control(ac->req, LDB_CONTROL_AS_SYSTEM_OID);
+       if (as_system != NULL) {
+               allowed = true;
+       }
+
+       provision = ldb_request_get_control(ac->req, LDB_CONTROL_PROVISION_OID);
+       if (provision != NULL) {
+               allowed = true;
+       }
+
+       sid_el = ldb_msg_find_element(ac->msg, "objectSid");
+
+       if (!allowed && sid_el == NULL) {
+               return dsdb_module_werror(ac->module,
+                               LDB_ERR_OBJECT_CLASS_VIOLATION,
+                               WERR_DS_MISSING_REQUIRED_ATT,
+                               "objectSid missing on foreignSecurityPrincipal");
+       }
+
+       if (!allowed) {
+               return dsdb_module_werror(ac->module,
+                               LDB_ERR_UNWILLING_TO_PERFORM,
+                               WERR_DS_ILLEGAL_MOD_OPERATION,
+                               "foreignSecurityPrincipal object not allowed");
+       }
+
+       if (sid_el != NULL) {
+               sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid");
+               if (sid == NULL) {
+                       ldb_set_errstring(ldb,
+                                         "samldb: invalid objectSid!");
+                       return LDB_ERR_CONSTRAINT_VIOLATION;
+               }
+       }
+
         if (sid == NULL) {
                 rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
                 if (rdn_value == NULL) {
author	Stefan Metzmacher <metze@samba.org>
	Thu, 22 Feb 2018 21:51:46 +0000 (22:51 +0100)
committer	Andreas Schneider <asn@cryptomilk.org>
	Mon, 19 Mar 2018 19:30:50 +0000 (20:30 +0100)
selftest/knownfail.d/duplicate_objectSIDs	[deleted file]	patch \| blob \| history
source4/dsdb/samdb/ldb_modules/samldb.c		patch \| blob \| history