authorAndrew Bartlett <abartlet@samba.org>2007-08-27 02:26:24 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 15:02:48 -0500
commit4b31fd4409cd9eca29469c09ce4b585c6d5f1a81 (patch)
tree3b0a5de67ea74da5fdc64316fa7443d95de0d260
parent8794ffbc61c03ba9c5f2e2e61d23d87ed331e9ee (diff)
r24696: Fix bug 4918 reported by Matthias Wallnöfer <mwallnoefer@yahoo.de>
with a patch from Andrew Kroeger <andrew@sprocks.gotdns.com>. The changes to samldb_fill_foreignSecurityPrincipal_object() look much larger than they are: We just skip all the objectSid generation if the SID is supplied. By providing a few more objects, standard dialogs on the clients are better behaved, for these 'well known' users. Andrew Bartlett (This used to be commit 35ee4aee719e69983d650602d1c6422a31600001)
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c77
-rw-r--r--source4/setup/provision_users.ldif237
2 files changed, 277 insertions, 37 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index d4dc2b3d2b..d448e30b31 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -576,7 +576,7 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct ldb_module *module
/* build the new msg */
msg2 = ldb_msg_copy(mem_ctx, msg);
if (!msg2) {
- ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_foreignSecurityPrincpal_object: ldb_msg_copy failed!\n");
+ ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_foreignSecurityPrincipal_object: ldb_msg_copy failed!\n");
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
@@ -601,47 +601,50 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct ldb_module *module
return LDB_ERR_CONSTRAINT_VIOLATION;
}
- /* Slightly different for the foreign sids. We don't want
- * domain SIDs ending up there, it would cause all sorts of
- * pain */
-
- sid = dom_sid_parse_talloc(msg2, (const char *)ldb_dn_get_rdn_val(msg2->dn)->data);
+ sid = samdb_result_dom_sid(msg2, msg, "objectSid");
if (!sid) {
- ldb_set_errstring(module->ldb, "No valid found SID in ForeignSecurityPrincipal CN!");
- talloc_free(mem_ctx);
- return LDB_ERR_CONSTRAINT_VIOLATION;
- }
+ /* Slightly different for the foreign sids. We don't want
+ * domain SIDs ending up there, it would cause all sorts of
+ * pain */
- if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) {
- talloc_free(sid);
- return LDB_ERR_OPERATIONS_ERROR;
- }
+ sid = dom_sid_parse_talloc(msg2, (const char *)ldb_dn_get_rdn_val(msg2->dn)->data);
+ if (!sid) {
+ ldb_set_errstring(module->ldb, "No valid found SID in ForeignSecurityPrincipal CN!");
+ talloc_free(mem_ctx);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
- dom_sid = dom_sid_dup(mem_ctx, sid);
- if (!dom_sid) {
- talloc_free(mem_ctx);
- return LDB_ERR_OPERATIONS_ERROR;
- }
- /* get the domain component part of the provided SID */
- dom_sid->num_auths--;
+ if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) {
+ talloc_free(sid);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
- /* find the domain DN */
+ dom_sid = dom_sid_dup(mem_ctx, sid);
+ if (!dom_sid) {
+ talloc_free(mem_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ /* get the domain component part of the provided SID */
+ dom_sid->num_auths--;
- ret = gendb_search(module->ldb,
- mem_ctx, NULL, &dom_msgs, dom_attrs,
- "(&(objectSid=%s)(objectclass=domain))",
- ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
- if (ret >= 1) {
- /* We don't really like the idea of foreign sids that are not foreign, but it happens */
- const char *name = samdb_result_string(dom_msgs[0], "name", NULL);
- ldb_debug(module->ldb, LDB_DEBUG_TRACE, "NOTE (strange but valid): Adding foreign SID record with SID %s, but this domian (%s) is already in the database",
- dom_sid_string(mem_ctx, sid), name);
- } else if (ret == -1) {
- ldb_asprintf_errstring(module->ldb,
- "samldb_fill_foreignSecurityPrincipal_object: error searching for a domain with this sid: %s\n",
- dom_sid_string(mem_ctx, dom_sid));
- talloc_free(dom_msgs);
- return LDB_ERR_OPERATIONS_ERROR;
+ /* find the domain DN */
+
+ ret = gendb_search(module->ldb,
+ mem_ctx, NULL, &dom_msgs, dom_attrs,
+ "(&(objectSid=%s)(objectclass=domain))",
+ ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
+ if (ret >= 1) {
+ /* We don't really like the idea of foreign sids that are not foreign, but it happens */
+ const char *name = samdb_result_string(dom_msgs[0], "name", NULL);
+ ldb_debug(module->ldb, LDB_DEBUG_TRACE, "NOTE (strange but valid): Adding foreign SID record with SID %s, but this domian (%s) is already in the database",
+ dom_sid_string(mem_ctx, sid), name);
+ } else if (ret == -1) {
+ ldb_asprintf_errstring(module->ldb,
+ "samldb_fill_foreignSecurityPrincipal_object: error searching for a domain with this sid: %s\n",
+ dom_sid_string(mem_ctx, dom_sid));
+ talloc_free(dom_msgs);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
}
/* This isn't an operation on a domain we know about, so just
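Review bot: A caller-supplied `objectSid` now bypasses every check in this block: once `samdb_result_dom_sid()` returns non-NULL the whole `if (!sid)` body is skipped, so the value is never compared with the SID in the RDN, and the `gendb_search` that would at least log a SID belonging to a domain already in the database never runs. The moved comment about not wanting domain SIDs here now sits inside the fallback branch only; I would add a comment above the `samdb_result_dom_sid()` call such as `/* objectSid supplied by the caller (e.g. provisioning of well-known principals): accepted as-is, no RDN or domain check */` and confirm outside this hunk that only trusted callers can supply the attribute on an add. Separately, the re-indented `samldb_msg_add_sid` failure path frees `sid` but not `mem_ctx`, unlike the neighbouring error returns, so `talloc_free(mem_ctx);` there would match them. The function body starts before and continues after the hunk, so what happens to `sid` afterwards is not visible here.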
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index fa81784f1e..dcb9ef14fa 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -347,3 +347,240 @@ groupType: 2147483653
isCriticalSystemObject: TRUE
privilege: SeInteractiveLogonRight
+dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Pre-Windows 2000 Compatible Access
+description: A backward compatibility group which allows read access on all users and groups in the domain
+objectSid: S-1-5-32-554
+sAMAccountName: Pre-Windows 2000 Compatible Access
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+privilege: SeRemoteInteractiveLogonRight
+privilege: SeChangeNotifyPrivilege
+
+dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Incoming Forest Trust Builders
+description: Members of this group can create incoming, one-way trusts to this forest
+objectSid: S-1-5-32-557
+sAMAccountName: Incoming Forest Trust Builders
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+
+dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Windows Authorization Access Group
+description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
+objectSid: S-1-5-32-560
+sAMAccountName: Windows Authorization Access Group
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+
+dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Terminal Server License Servers
+description: Terminal Server License Servers
+objectSid: S-1-5-32-561
+sAMAccountName: Terminal Server License Servers
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+
+dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Distributed COM Users
+description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
+objectSid: S-1-5-32-562
+sAMAccountName: Distributed COM Users
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+
+dn: CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: container
+cn: WellKnown Security Principals
+systemFlags: 2147483648
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Anonymous Logon
+objectSid: S-1-5-7
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Authenticated Users
+objectSid: S-1-5-11
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Batch
+objectSid: S-1-5-3
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Creator Group
+objectSid: S-1-3-1
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Creator Owner
+objectSid: S-1-3-0
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Dialup
+objectSid: S-1-5-1
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Digest Authentication
+objectSid: S-1-5-64-21
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Enterprise Domain Controllers
+objectSid: S-1-5-9
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Everyone
+objectSid: S-1-1-0
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Interactive
+objectSid: S-1-5-4
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Local Service
+objectSid: S-1-5-19
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Network
+objectSid: S-1-5-2
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Network Service
+objectSid: S-1-5-20
+showInAdvancedViewOnly: TRUE
+
+dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: NTLM Authentication
+objectSid: S-1-5-64-10
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Other Organization
+objectSid: S-1-5-1000
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Proxy
+objectSid: S-1-5-8
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Remote Interactive Logon
+objectSid: S-1-5-14
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Restricted
+objectSid: S-1-5-12
+showInAdvancedViewOnly: TRUE
+
+dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: SChannel Authentication
+objectSid: S-1-5-64-14
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Self
+objectSid: S-1-5-10
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Service
+objectSid: S-1-5-6
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Terminal Server User
+objectSid: S-1-5-13
+showInAdvancedViewOnly: TRUE
+
+dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: This Organization
+objectSid: S-1-5-15
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Well-Known-Security-Id-System,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Well-Known-Security-Id-System
+objectSid: S-1-5-18
+showInAdvancedViewOnly: TRUE
+
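Review bot: `privilege: SeRemoteInteractiveLogonRight` on the new `Pre-Windows 2000 Compatible Access` entry looks unintended: that right permits logon through terminal services, whereas on a Windows domain controller this group by default holds the network logon right together with `SeChangeNotifyPrivilege`. The hunk defines no members for the group, but it is typically populated very broadly, so a logon right granted here is worth double-checking; if the intent was to mirror the Windows defaults the line would be `privilege: SeNetworkLogonRight`. A short `#` comment above the `WellKnown Security Principals` entries, noting that they carry an explicit `objectSid` because their CN is a name rather than a SID string, would also help readers connect them to the samldb.c change in this commit.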