dsdb: Check for userPassword support after loading the databases
authorAndrew Bartlett <abartlet@samba.org>
Wed, 11 Apr 2018 10:49:31 +0000 (22:49 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 12 Apr 2018 03:15:16 +0000 (05:15 +0200)
The net result of this bug is only that userPassword values (which were
world readable when set) would remain visible after dSHeuristics was
changed so that userPassword started setting the main DB password.

In AD, those values become hidden once the dSHeuristics bit is set,
but Samba lost that when fixing a performance issue with
f26a2845bd42e580ddeaf0eecc9b46b823a0c6bc

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13378

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
selftest/knownfail.d/dsheuristics_userPassword [new file with mode: 0644]
source4/dsdb/samdb/ldb_modules/acl.c

diff --git a/selftest/knownfail.d/dsheuristics_userPassword b/selftest/knownfail.d/dsheuristics_userPassword
new file mode 100644 (file)
index 0000000..6981255
--- /dev/null
@@ -0,0 +1 @@
+^samba4.ldap.passwords.python\(.*\).__main__.PasswordTests.test_modify_dsheuristics_userPassword
index d750362c47fe7ebe6c2ba06b1a37ba49fdc05159..8b1dcbeed51429401e478489ad09302050054adf 100644 (file)
@@ -108,8 +108,6 @@ static int acl_module_init(struct ldb_module *module)
                                        NULL, "acl", "search", true);
        ldb_module_set_private(module, data);
 
-       data->userPassword_support = dsdb_user_password_support(module, module, NULL);
-       
        mem_ctx = talloc_new(module);
        if (!mem_ctx) {
                return ldb_oom(ldb);
@@ -180,7 +178,21 @@ static int acl_module_init(struct ldb_module *module)
 
 done:
        talloc_free(mem_ctx);
-       return ldb_next_init(module);
+       ret = ldb_next_init(module);
+
+       if (ret != LDB_SUCCESS) {
+               return ret;
+       }
+
+       /*
+        * Check this after the modules have be initalised so we
+        * can actually read the backend DB.
+        */
+       data->userPassword_support
+               = dsdb_user_password_support(module,
+                                            module,
+                                            NULL);
+       return ret;
 }
 
 static int acl_allowedAttributes(struct ldb_module *module,
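Review bot: The new comment above the `dsdb_user_password_support()` call explains only why the call moved, not that the result is computed once and cached in `data->userPassword_support` for the module's lifetime, so a later change to dSHeuristics is not seen until the module is re-initialised; the knownfail entry for `test_modify_dsheuristics_userPassword` added in this same commit appears to acknowledge exactly that. I would replace the comment with `/* Read after ldb_next_init() so the backend DB is reachable. The value is cached for the module lifetime: a later change to dSHeuristics takes effect only on re-init. */` (which also fixes "have be initalised"). It is also worth confirming whether the helper returns false both when the dSHeuristics bit is clear and when the backend read fails; if so, a read failure silently leaves userPassword values world readable, which is the disclosure this commit sets out to fix, and at least a log line on that path would help an operator notice. The declaration of `ret` and the rest of acl_module_init lie before this hunk.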