From: Garming Sam
Date: Fri, 3 Mar 2017 03:02:40 +0000 (+1300)
Subject: getncchanges: include object SID in tokenGroups calculation for repl secret
X-Git-Tag: tdb-1.3.13~485
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6b2425343b42b46634bfa8a4421388205e64bbde;p=thirdparty%2Fsamba.git
getncchanges: include object SID in tokenGroups calculation for repl secret
Signed-off-by: Garming Sam
Reviewed-by: Andrew Bartlett
---
diff --git a/selftest/knownfail b/selftest/knownfail
index fe90a4f2def..7c5417b6bc1 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -315,4 +315,3 @@
 ^samba3.smb2.credits.session_setup_credits_granted.*
 ^samba3.smb2.credits.single_req_credits_granted.*
 ^samba3.smb2.credits.skipped_mid.*
-^samba4.drs.repl_rodc.python.*repl_rodc.DrsRodcTestCase.test_msDSRevealedUsers_local_deny_allow
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index d334de7d025..82a176260b1 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -1129,13 +1129,14 @@ static WERROR samdb_result_sid_array_dn(struct ldb_context *sam_ctx,
 /*
   return an array of SIDs from a ldb_message given an attribute name
-  assumes the SIDs are in NDR form
+  assumes the SIDs are in NDR form (with an additional sid at the end)
  */
 static WERROR samdb_result_sid_array_ndr(struct ldb_context *sam_ctx,
                                          struct ldb_message *msg,
                                          TALLOC_CTX *mem_ctx,
                                          const char *attr,
-                                         const struct dom_sid ***sids)
+                                         const struct dom_sid ***sids,
+                                         const struct dom_sid *user_sid)
 {
     struct ldb_message_element *el;
     unsigned int i;
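Review bot: The new parameter is named `user_sid`, but the only caller (the `@@ -1335` hunk) passes `object_sid`, and the enclosing getncchanges_repl_secret already has a distinct `user_sid` meaning the requesting account; a reader of this signature will assume the appended element is the requester's SID rather than the object's own. Renaming the parameter to something neutral such as `extra_sid` (or `object_sid` to match the caller) would remove that ambiguity. The new doc line `assumes the SIDs are in NDR form (with an additional sid at the end)` should also state the contract that the body establishes in the `@@ -1163` hunk: `the SID passed as the last argument, if non-NULL, is appended after the attribute's values; a NULL value simply terminates the array at that slot`. The body of samdb_result_sid_array_ndr continues past this hunk.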
@@ -1146,7 +1147,8 @@ static WERROR samdb_result_sid_array_ndr(struct ldb_context *sam_ctx,
         return WERR_OK;
     }
-    (*sids) = talloc_array(mem_ctx, const struct dom_sid *, el->num_values + 1);
+    /* Make array long enough for NULL and additional SID */
+    (*sids) = talloc_array(mem_ctx, const struct dom_sid *, el->num_values + 2);
     W_ERROR_HAVE_NO_MEMORY(*sids);
     for (i=0; inum_values; i++) {
@@ -1163,7 +1165,8 @@ static WERROR samdb_result_sid_array_ndr(struct ldb_context *sam_ctx,
         }
         (*sids)[i] = sid;
     }
-    (*sids)[i] = NULL;
+    (*sids)[i] = user_sid;
+    (*sids)[i+1] = NULL;
     return WERR_OK;
 }
@@ -1205,6 +1208,7 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
     const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
     struct ldb_result *rodc_res, *obj_res;
     const struct dom_sid **never_reveal_sids, **reveal_sids, **token_sids;
+    const struct dom_sid *object_sid = NULL;
     WERROR werr;
     DEBUG(3,(__location__ ": DRSUAPI_EXOP_REPL_SECRET extended op on %s\n",
@@ -1289,8 +1293,8 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
     if (ret != LDB_SUCCESS || obj_res->count != 1) goto failed;
     /* if the object SID is equal to the user_sid, allow */
-    if (dom_sid_equal(user_sid,
-                      samdb_result_dom_sid(mem_ctx, obj_res->msgs[0], "objectSid"))) {
+    object_sid = samdb_result_dom_sid(mem_ctx, obj_res->msgs[0], "objectSid");
+    if (dom_sid_equal(user_sid, object_sid)) {
         goto allowed;
     }
@@ -1335,7 +1339,7 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
     }
     werr = samdb_result_sid_array_ndr(b_state->sam_ctx_system, obj_res->msgs[0],
-                                      mem_ctx, "tokenGroups", &token_sids);
+                                      mem_ctx, "tokenGroups", &token_sids, object_sid);
     if (!W_ERROR_IS_OK(werr) || token_sids==NULL) {
         goto denied;
     }
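Review bot: The early return at the top of the `@@ -1146` hunk (`return WERR_OK; }`, whose condition lies above the hunk) is not updated, so on that path the appended SID is never stored; if this is the branch taken when the attribute is absent (inferred, the test is outside the hunk), an object without `tokenGroups` yields a result that the caller's `token_sids==NULL` check in the `@@ -1335` hunk routes to `denied`, and the object's own SID never takes part in the reveal/never-reveal matching that this commit sets out to add. That outcome is fail-closed, so it may be acceptable, but it contradicts the new comment's promise of "an additional sid at the end" and should be either handled or documented. At minimum add to the function comment `when the attribute is absent *sids is left as before and the extra SID is not returned`; alternatively the early branch could allocate a two-slot array holding the extra SID and the terminator so the caller sees a uniform shape. The enclosing function starts before this hunk.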
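Review bot: In the `@@ -1289` hunk `object_sid` is assigned from samdb_result_dom_sid() and used without a NULL check, and from the `@@ -1335` hunk it is then handed to samdb_result_sid_array_ndr, where (per the `@@ -1163` hunk) a NULL value lands in the slot that now terminates the array. Whether samdb_result_dom_sid() returns NULL for an object lacking `objectSid` I cannot confirm from this page, and the old code already passed that value to dom_sid_equal(), so the net effect is presumably still fail-closed; nevertheless the intent would be clearer with an explicit guard right after the assignment, e.g. `if (object_sid == NULL) goto failed;` (or `goto denied`, whichever label the function uses for malformed objects), rather than relying on NULL-tolerance in dom_sid_equal() and on the array-terminator coincidence. getncchanges_repl_secret begins and ends outside these hunks.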