Attachment 7768 Details for Bug 41665 – 0001-s4-samr-Rework-GetGroupsForUser-to-use-memberOf.patch

[patch] 0001-s4-samr-Rework-GetGroupsForUser-to-use-memberOf.patch

0001-s4-samr-Rework-GetGroupsForUser-to-use-memberOf.patch (text/plain), 4.98 KB, created by Arvid Requate on 2016-06-27 13:24:47 CEST

(hide)

Description:

Filename:

MIME Type:

Creator: Arvid Requate

Created: 2016-06-27 13:24:47 CEST

Size: 4.98 KB

patch

obsolete

>From 6b25fde13cba3971ead47164b26d0fa0b4530b63 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Wed, 8 Jun 2016 16:49:01 +1200
>Subject: [PATCH] s4-samr: Rework GetGroupsForUser to use memberOf
>
>By reading the SID values from the memberOf links, we avoid an un-indexed search on
>the member attribute.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> source4/rpc_server/samr/dcesrv_samr.c | 109 +++++++++++++++++++++++++++-------
> 1 file changed, 86 insertions(+), 23 deletions(-)
>
>diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
>index 55efdac..c559042 100644
>--- a/source4/rpc_server/samr/dcesrv_samr.c
>+++ b/source4/rpc_server/samr/dcesrv_samr.c
>@@ -3581,31 +3581,93 @@ static NTSTATUS dcesrv_samr_GetGroupsForUser(struct dcesrv_call_state *dce_call,
> 	struct dcesrv_handle *h;
> 	struct samr_account_state *a_state;
> 	struct samr_domain_state *d_state;
>-	struct ldb_message **res;
>-	const char * const attrs[2] = { "objectSid", NULL };
>+	struct ldb_result *res, *res_memberof;
>+	const char * const attrs[] = { "primaryGroupID",
>+				       "memberOf",
>+				       NULL };
>+	const char * const group_attrs[] = { "objectSid",
>+					     NULL };
>+
> 	struct samr_RidWithAttributeArray *array;
>-	int i, count;
>-	char membersidstr[DOM_SID_STR_BUFLEN];
>+	struct ldb_message_element *memberof_el;
>+	int i, ret, count = 0;
>+	uint32_t primary_group_id;
>+	char *filter;
> 
> 	DCESRV_PULL_HANDLE(h, r->in.user_handle, SAMR_HANDLE_USER);
> 
> 	a_state = h->data;
> 	d_state = a_state->domain_state;
> 
>-	dom_sid_string_buf(a_state->account_sid,
>-			   membersidstr, sizeof(membersidstr)),
>-
>-	count = samdb_search_domain(a_state->sam_ctx, mem_ctx,
>-				    d_state->domain_dn, &res,
>-				    attrs, d_state->domain_sid,
>-				    "(&(member=<SID=%s>)"
>-				     "(|(grouptype=%d)(grouptype=%d))"
>-				     "(objectclass=group))",
>-				    membersidstr,
>-				    GTYPE_SECURITY_UNIVERSAL_GROUP,
>-				    GTYPE_SECURITY_GLOBAL_GROUP);
>-	if (count < 0)
>+	ret = dsdb_search_dn(a_state->sam_ctx, mem_ctx,
>+			     &res,
>+			     a_state->account_dn,
>+			     attrs, DSDB_SEARCH_SHOW_EXTENDED_DN);
>+
>+	if (ret == LDB_ERR_NO_SUCH_OBJECT) {
>+		return NT_STATUS_NO_SUCH_USER;
>+	} else if (ret != LDB_SUCCESS) {
> 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
>+	} else if (res->count != 1) {
>+		return NT_STATUS_NO_SUCH_USER;
>+	}
>+
>+	primary_group_id = ldb_msg_find_attr_as_uint(res->msgs[0], "primaryGroupID",
>+						     0);
>+
>+	filter = talloc_asprintf(mem_ctx,
>+				 "(&(|(grouptype=%d)(grouptype=%d))"
>+				 "(objectclass=group)(|",
>+				 GTYPE_SECURITY_UNIVERSAL_GROUP,
>+				 GTYPE_SECURITY_GLOBAL_GROUP);
>+	if (filter == NULL) {
>+		return NT_STATUS_NO_MEMORY;
>+	}
>+
>+	memberof_el = ldb_msg_find_element(res->msgs[0], "memberOf");
>+	if (memberof_el != NULL) {
>+		for (i = 0; i < memberof_el->num_values; i++) {
>+			const struct ldb_val *memberof_sid_binary;
>+			char *memberof_sid_escaped;
>+			struct ldb_dn *memberof_dn
>+				= ldb_dn_from_ldb_val(mem_ctx,
>+						      a_state->sam_ctx,
>+						      &memberof_el->values[i]);
>+			if (memberof_dn == NULL) {
>+				return NT_STATUS_INTERNAL_DB_CORRUPTION;
>+			}
>+
>+			memberof_sid_binary
>+				= ldb_dn_get_extended_component(memberof_dn,
>+								"SID");
>+			if (memberof_sid_binary == NULL) {
>+				return NT_STATUS_INTERNAL_DB_CORRUPTION;
>+			}
>+
>+			memberof_sid_escaped = ldb_binary_encode(mem_ctx,
>+								 *memberof_sid_binary);
>+			if (memberof_sid_escaped == NULL) {
>+				return NT_STATUS_NO_MEMORY;
>+			}
>+			filter = talloc_asprintf_append(filter, "(objectSID=%s)",
>+							memberof_sid_escaped);
>+			if (filter == NULL) {
>+				return NT_STATUS_NO_MEMORY;
>+			}
>+		}
>+
>+		ret = dsdb_search(a_state->sam_ctx, mem_ctx,
>+				  &res_memberof,
>+				  d_state->domain_dn,
>+				  LDB_SCOPE_SUBTREE,
>+				  group_attrs, 0,
>+				  "%s))", filter);
>+
>+		if (ret != LDB_SUCCESS) {
>+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
>+		}
>+		count = res_memberof->count;
>+	}
> 
> 	array = talloc(mem_ctx, struct samr_RidWithAttributeArray);
> 	if (array == NULL)
>@@ -3615,23 +3677,24 @@ static NTSTATUS dcesrv_samr_GetGroupsForUser(struct dcesrv_call_state *dce_call,
> 	array->rids = NULL;
> 
> 	array->rids = talloc_array(mem_ctx, struct samr_RidWithAttribute,
>-					    count + 1);
>+				   count + 1);
> 	if (array->rids == NULL)
> 		return NT_STATUS_NO_MEMORY;
> 
> 	/* Adds the primary group */
>-	array->rids[0].rid = samdb_search_uint(a_state->sam_ctx, mem_ctx,
>-					       ~0, a_state->account_dn,
>-					       "primaryGroupID", NULL);
>+
>+	array->rids[0].rid = primary_group_id;
> 	array->rids[0].attributes = SE_GROUP_MANDATORY
>-			| SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
>+		| SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
> 	array->count += 1;
> 
> 	/* Adds the additional groups */
> 	for (i = 0; i < count; i++) {
> 		struct dom_sid *group_sid;
> 
>-		group_sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
>+		group_sid = samdb_result_dom_sid(mem_ctx,
>+						 res_memberof->msgs[i],
>+						 "objectSid");
> 		if (group_sid == NULL) {
> 			return NT_STATUS_INTERNAL_DB_CORRUPTION;
> 		}
>-- 
>2.8.0.rc3
>

Actions: View | Diff

Attachments on bug 41665: 7768