samba.git/source4/dsdb, branch talloc-2.3.2 Unnamed repository; edit this file 'description' to name the repository. selftest: add test for new "samba-tool user unlock" command 2020-11-04T00:19:25+00:00 Björn Baumbach bb@sernet.de 2020-10-29T11:38:51+00:00 a1b021200e3d068631798942a1f219b26afadca7 Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> Autobuild-Date(master): Wed Nov 4 00:19:25 UTC 2020 on sn-devel-184 
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Nov  4 00:19:25 UTC 2020 on sn-devel-184
dsdb/mod/operational: correct comment arithmetic 2020-11-03T00:33:41+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2020-10-23T03:30:25+00:00 6a9d22f4a91e07b8af0f1fb3a7d0cbab2ca0c76f E + F is not 1F! E + F is 1D! Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
E + F is not 1F! E + F is 1D!

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dsdb:acl_read: Implement "List Object" mode feature 2020-10-21T08:48:01+00:00 Stefan Metzmacher metze@samba.org 2020-10-13T10:43:39+00:00 7223f6453b1b38c933c9480c637ffd06d9f39b97 See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility I tried to avoid any possible overhead for the common cases: - SEC_ADS_LIST (List Children) is already granted by default - fDoListObject is off by default Overhead is only added if the administrator turned on the fDoListObject feature and removed SEC_ADS_LIST (List Children) from a parent object. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Oct 21 08:48:02 UTC 2020 on sn-devel-184 
See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility

I tried to avoid any possible overhead for the common cases:

- SEC_ADS_LIST (List Children) is already granted by default
- fDoListObject is off by default

Overhead is only added if the administrator turned on
the fDoListObject feature and removed SEC_ADS_LIST (List Children)
from a parent object.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 21 08:48:02 UTC 2020 on sn-devel-184
s4:dsdb:util: add dsdb_do_list_object() helper 2020-10-21T07:25:37+00:00 Stefan Metzmacher metze@samba.org 2020-10-06T09:21:34+00:00 ffc0bdc6d49e88da1ee408956365da163ff3e1b2 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
s4:dsdb:acl_read: defer LDB_ERR_NO_SUCH_OBJECT 2020-10-21T07:25:37+00:00 Stefan Metzmacher metze@samba.org 2020-10-12T15:59:34+00:00 e1529bedb2b6c8553e69a42537ac0cffd03af6d6 We may need to return child objects even if the base dn is invisible. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
We may need to return child objects even if the base dn
is invisible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
s4:dsdb:acl_read: make use of aclread_check_object_visible() for the search base 2020-10-21T07:25:37+00:00 Stefan Metzmacher metze@samba.org 2020-10-06T13:10:33+00:00 faff8e6c89777c38443e561235073c336cfb2e9c We should only have one place to do access checks. Use 'git show -w' to see the minimal diff. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
We should only have one place to do access checks.

Use 'git show -w' to see the minimal diff.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
s4:dsdb:acl_read: fully set up 'struct aclread_context' before the search base acl check 2020-10-21T07:25:37+00:00 Stefan Metzmacher metze@samba.org 2020-10-06T13:10:33+00:00 c4a3028de726d6708f57d02f9162a4d62d1b6ae7 This makes further change much easier. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
This makes further change much easier.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
s4:dsdb:acl_read: introduce aclread_check_object_visible() helper 2020-10-21T07:25:37+00:00 Stefan Metzmacher metze@samba.org 2020-10-06T13:07:19+00:00 d2dd7c2a5c1f8ee30f0f3b41f933d082b0c75f7c In future this will do more than aclread_check_parent(), if we implement fDoListObject and SEC_ADS_LIST_OBJECT handling. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
In future this will do more than aclread_check_parent(),
if we implement fDoListObject and SEC_ADS_LIST_OBJECT handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
s4:dsdb:tests: add AclVisibiltyTests 2020-10-21T07:25:37+00:00 Stefan Metzmacher metze@samba.org 2020-10-07T11:21:06+00:00 06d134406739e76b97273db3023855150dbaebbc This tests a sorts of combinations in order to demonstrate the visibility of objects depending on: - with or without fDoListObject - with or without explicit DENY ACEs - A hierachy of objects with 4 levels from the base dn - SEC_ADS_LIST (List Children) - SEC_ADS_LIST_LIST_OBJECT (List Object) - SEC_ADS_READ_PROP - all possible scopes and basedns This demonstrates that NO_SUCH_OBJECT doesn't depend purely on the visibility of the base dn, it's still possible to get children returned und an invisible base dn. It also demonstrates the additional behavior with "List Object" mode. See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
This tests a sorts of combinations in order to
demonstrate the visibility of objects depending on:

- with or without fDoListObject
- with or without explicit DENY ACEs
- A hierachy of objects with 4 levels from the base dn
- SEC_ADS_LIST (List Children)
- SEC_ADS_LIST_LIST_OBJECT (List Object)
- SEC_ADS_READ_PROP
- all possible scopes and basedns

This demonstrates that NO_SUCH_OBJECT doesn't depend purely
on the visibility of the base dn, it's still possible to
get children returned und an invisible base dn.

It also demonstrates the additional behavior with "List Object" mode.
See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
python2 reduction: Merge remaining compat code into common 2020-10-02T14:49:36+00:00 David Mulder dmulder@suse.com 2020-09-11T20:29:46+00:00 a3cd31532125ccb537af6cd9d27c761b7da4b03a The remaining compat code (get_string, get_bytes, cmp) are useful helper routines which we should simply merge into common (especially since there is some duplication here). Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): David Mulder <dmulder@samba.org> Autobuild-Date(master): Fri Oct 2 14:49:36 UTC 2020 on sn-devel-184 
The remaining compat code (get_string, get_bytes,
cmp) are useful helper routines which we should
simply merge into common (especially since there
is some duplication here).

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Fri Oct  2 14:49:36 UTC 2020 on sn-devel-184