*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
+ * the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
/*
( READ_CONTROL_ACCESS | \
SA_RIGHT_USER_CHANGE_PASSWORD | \
SA_RIGHT_USER_SET_LOC_COM )
+#define SAMR_USR_RIGHTS_CANT_WRITE_PW \
+ ( READ_CONTROL_ACCESS | SA_RIGHT_USER_SET_LOC_COM )
#define DISP_INFO_CACHE_TIMEOUT 10
typedef struct disp_info {
- struct disp_info *next, *prev;
- TALLOC_CTX *mem_ctx;
DOM_SID sid; /* identify which domain this is. */
- BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */
+ bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
struct pdb_search *users; /* querydispinfo 1 and 4 */
struct pdb_search *machines; /* querydispinfo 2 */
struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
uint16 enum_acb_mask;
struct pdb_search *enum_users; /* enumusers with a mask */
-
- smb_event_id_t di_cache_timeout_event; /* cache idle timeout handler. */
+ struct timed_event *cache_timeout_event; /* cache idle timeout
+ * handler. */
} DISP_INFO;
/* We keep a static list of these by SID as modern clients close down
all resources between each request in a complete enumeration. */
-static DISP_INFO *disp_info_list;
-
struct samr_info {
/* for use by the \PIPE\samr policy */
DOM_SID sid;
- BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */
+ bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
uint32 acc_granted;
DISP_INFO *disp_info;
TALLOC_CTX *mem_ctx;
};
-static struct generic_mapping sam_generic_mapping = {
+static const struct generic_mapping sam_generic_mapping = {
GENERIC_RIGHTS_SAM_READ,
GENERIC_RIGHTS_SAM_WRITE,
GENERIC_RIGHTS_SAM_EXECUTE,
GENERIC_RIGHTS_SAM_ALL_ACCESS};
-static struct generic_mapping dom_generic_mapping = {
+static const struct generic_mapping dom_generic_mapping = {
GENERIC_RIGHTS_DOMAIN_READ,
GENERIC_RIGHTS_DOMAIN_WRITE,
GENERIC_RIGHTS_DOMAIN_EXECUTE,
GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
-static struct generic_mapping usr_generic_mapping = {
+static const struct generic_mapping usr_generic_mapping = {
GENERIC_RIGHTS_USER_READ,
GENERIC_RIGHTS_USER_WRITE,
GENERIC_RIGHTS_USER_EXECUTE,
GENERIC_RIGHTS_USER_ALL_ACCESS};
-static struct generic_mapping grp_generic_mapping = {
+static const struct generic_mapping usr_nopwchange_generic_mapping = {
+ GENERIC_RIGHTS_USER_READ,
+ GENERIC_RIGHTS_USER_WRITE,
+ GENERIC_RIGHTS_USER_EXECUTE & ~SA_RIGHT_USER_CHANGE_PASSWORD,
+ GENERIC_RIGHTS_USER_ALL_ACCESS};
+static const struct generic_mapping grp_generic_mapping = {
GENERIC_RIGHTS_GROUP_READ,
GENERIC_RIGHTS_GROUP_WRITE,
GENERIC_RIGHTS_GROUP_EXECUTE,
GENERIC_RIGHTS_GROUP_ALL_ACCESS};
-static struct generic_mapping ali_generic_mapping = {
+static const struct generic_mapping ali_generic_mapping = {
GENERIC_RIGHTS_ALIAS_READ,
GENERIC_RIGHTS_ALIAS_WRITE,
GENERIC_RIGHTS_ALIAS_EXECUTE,
*******************************************************************/
static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
- struct generic_mapping *map,
+ const struct generic_mapping *map,
DOM_SID *sid, uint32 sid_access )
{
DOM_SID domadmin_sid;
Fetch or create a dispinfo struct.
********************************************************************/
-static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid, const char *sid_str)
+static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid)
{
- TALLOC_CTX *mem_ctx;
- DISP_INFO *dpi;
+ /*
+ * We do a static cache for DISP_INFO's here. Explanation can be found
+ * in Jeremy's checkin message to r11793:
+ *
+ * Fix the SAMR cache so it works across completely insane
+ * client behaviour (ie.:
+ * open pipe/open SAMR handle/enumerate 0 - 1024
+ * close SAMR handle, close pipe.
+ * open pipe/open SAMR handle/enumerate 1024 - 2048...
+ * close SAMR handle, close pipe.
+ * And on ad-nausium. Amazing.... probably object-oriented
+ * client side programming in action yet again.
+ * This change should *massively* improve performance when
+ * enumerating users from an LDAP database.
+ * Jeremy.
+ *
+ * "Our" and the builtin domain are the only ones where we ever
+ * enumerate stuff, so just cache 2 entries.
+ */
+
+ static struct disp_info builtin_dispinfo;
+ static struct disp_info domain_dispinfo;
/* There are two cases to consider here:
1) The SID is a domain SID and we look for an equality match, or
2) This is an account SID and so we return the DISP_INFO* for our
domain */
- if ( psid && sid_check_is_in_our_domain( psid ) ) {
- DEBUG(10,("get_samr_dispinfo_by_sid: Replacing %s with our domain SID\n",
- sid_str));
- psid = get_global_sam_sid();
- }
-
- for (dpi = disp_info_list; dpi; dpi = dpi->next) {
- if (sid_equal(psid, &dpi->sid)) {
- return dpi;
- }
- }
-
- /* This struct is never free'd - I'm using talloc so we
- can get a list out of smbd using smbcontrol. There will
- be one of these per SID we're authorative for. JRA. */
-
- mem_ctx = talloc_init("DISP_INFO for domain sid %s", sid_str);
-
- if ((dpi = TALLOC_ZERO_P(mem_ctx, DISP_INFO)) == NULL)
+ if (psid == NULL) {
return NULL;
+ }
- dpi->mem_ctx = mem_ctx;
+ if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
+ /*
+ * Necessary only once, but it does not really hurt.
+ */
+ sid_copy(&builtin_dispinfo.sid, &global_sid_Builtin);
- if (psid) {
- sid_copy( &dpi->sid, psid);
- dpi->builtin_domain = sid_check_is_builtin(psid);
- } else {
- dpi->builtin_domain = False;
+ return &builtin_dispinfo;
}
+
+ if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
+ /*
+ * Necessary only once, but it does not really hurt.
+ */
+ sid_copy(&domain_dispinfo.sid, get_global_sam_sid());
- DLIST_ADD(disp_info_list, dpi);
+ return &domain_dispinfo;
+ }
- return dpi;
+ return NULL;
}
/*******************************************************************
TALLOC_CTX *mem_ctx;
if (psid) {
- sid_to_string(sid_str, psid);
+ sid_to_fstring(sid_str, psid);
} else {
fstrcpy(sid_str,"(NULL)");
}
}
info->mem_ctx = mem_ctx;
- info->disp_info = get_samr_dispinfo_by_sid(psid, sid_str);
-
- if (!info->disp_info) {
- talloc_destroy(mem_ctx);
- return NULL;
- }
+ info->disp_info = get_samr_dispinfo_by_sid(psid);
return info;
}
Function to free the per SID data.
********************************************************************/
-static void free_samr_cache(DISP_INFO *disp_info, const char *sid_str)
+static void free_samr_cache(DISP_INFO *disp_info)
{
- DEBUG(10,("free_samr_cache: deleting cache for SID %s\n", sid_str));
+ DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
+ sid_string_dbg(&disp_info->sid)));
/* We need to become root here because the paged search might have to
* tell the LDAP server we're not interested in the rest anymore. */
/* Only free the dispinfo cache if no one bothered to set up
a timeout. */
- if (info->disp_info && info->disp_info->di_cache_timeout_event == (smb_event_id_t)0) {
- fstring sid_str;
- sid_to_string(sid_str, &info->disp_info->sid);
- free_samr_cache(info->disp_info, sid_str);
+ if (info->disp_info && info->disp_info->cache_timeout_event == NULL) {
+ free_samr_cache(info->disp_info);
}
talloc_destroy(info->mem_ctx);
Idle event handler. Throw away the disp info cache.
********************************************************************/
-static void disp_info_cache_idle_timeout_handler(void **private_data,
- time_t *ev_interval,
- time_t ev_now)
+static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
+ struct timed_event *te,
+ const struct timeval *now,
+ void *private_data)
{
- fstring sid_str;
- DISP_INFO *disp_info = (DISP_INFO *)(*private_data);
-
- sid_to_string(sid_str, &disp_info->sid);
+ DISP_INFO *disp_info = (DISP_INFO *)private_data;
- free_samr_cache(disp_info, sid_str);
+ TALLOC_FREE(disp_info->cache_timeout_event);
- /* Remove the event. */
- smb_unregister_idle_event(disp_info->di_cache_timeout_event);
- disp_info->di_cache_timeout_event = (smb_event_id_t)0;
-
- DEBUG(10,("disp_info_cache_idle_timeout_handler: caching timed out for SID %s at %u\n",
- sid_str, (unsigned int)ev_now));
+ DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
+ "out\n"));
+ free_samr_cache(disp_info);
}
/*******************************************************************
static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
{
- fstring sid_str;
-
- sid_to_string(sid_str, &disp_info->sid);
-
/* Remove any pending timeout and update. */
- if (disp_info->di_cache_timeout_event) {
- smb_unregister_idle_event(disp_info->di_cache_timeout_event);
- disp_info->di_cache_timeout_event = (smb_event_id_t)0;
- }
+ TALLOC_FREE(disp_info->cache_timeout_event);
- DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for SID %s for %u seconds\n",
- sid_str, (unsigned int)secs_fromnow ));
+ DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
+ "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
+ (unsigned int)secs_fromnow ));
- disp_info->di_cache_timeout_event =
- smb_register_idle_event(disp_info_cache_idle_timeout_handler,
- disp_info,
- secs_fromnow);
+ disp_info->cache_timeout_event = event_add_timed(
+ smbd_event_context(), NULL,
+ timeval_current_ofs(secs_fromnow, 0),
+ "disp_info_cache_idle_timeout_handler",
+ disp_info_cache_idle_timeout_handler, (void *)disp_info);
}
/*******************************************************************
static void force_flush_samr_cache(DISP_INFO *disp_info)
{
- if (disp_info) {
- fstring sid_str;
-
- sid_to_string(sid_str, &disp_info->sid);
- if (disp_info->di_cache_timeout_event) {
- smb_unregister_idle_event(disp_info->di_cache_timeout_event);
- disp_info->di_cache_timeout_event = (smb_event_id_t)0;
- DEBUG(10,("force_flush_samr_cache: clearing idle event for SID %s\n",
- sid_str));
- }
- free_samr_cache(disp_info, sid_str);
+ if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
+ return;
}
+
+ DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
+ TALLOC_FREE(disp_info->cache_timeout_event);
+ free_samr_cache(disp_info);
}
/*******************************************************************
return r_u->status;
}
-/*******************************************************************
- _samr_set_sec_obj
- ********************************************************************/
-
-NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u)
-{
- DEBUG(0,("_samr_set_sec_obj: Not yet implemented!\n"));
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
/*******************************************************************
********************************************************************/
-static BOOL get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol,
+static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol,
DOM_SID *sid, uint32 *acc_granted,
DISP_INFO **ppdisp_info)
{
return True;
}
+/*******************************************************************
+ _samr_set_sec_obj
+ ********************************************************************/
+
+NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u)
+{
+ DOM_SID pol_sid;
+ uint32 acc_granted, i;
+ SEC_ACL *dacl;
+ bool ret;
+ struct samu *sampass=NULL;
+ NTSTATUS status;
+
+ r_u->status = NT_STATUS_OK;
+
+ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL))
+ return NT_STATUS_INVALID_HANDLE;
+
+ if (!(sampass = samu_new( p->mem_ctx))) {
+ DEBUG(0,("No memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* get the user record */
+ become_root();
+ ret = pdb_getsampwsid(sampass, &pol_sid);
+ unbecome_root();
+
+ if (!ret) {
+ DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid)));
+ TALLOC_FREE(sampass);
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ dacl = q_u->buf->sd->dacl;
+ for (i=0; i < dacl->num_aces; i++) {
+ if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
+ ret = pdb_set_pass_can_change(sampass,
+ (dacl->aces[i].access_mask &
+ SA_RIGHT_USER_CHANGE_PASSWORD) ?
+ True: False);
+ break;
+ }
+ }
+
+ if (!ret) {
+ TALLOC_FREE(sampass);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj");
+ if (NT_STATUS_IS_OK(status)) {
+ become_root();
+ status = pdb_update_sam_account(sampass);
+ unbecome_root();
+ }
+
+ TALLOC_FREE(sampass);
+
+ return status;
+}
+
+/*******************************************************************
+ build correct perms based on policies and password times for _samr_query_sec_obj
+*******************************************************************/
+static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
+{
+ struct samu *sampass=NULL;
+ bool ret;
+
+ if ( !(sampass = samu_new( mem_ctx )) ) {
+ DEBUG(0,("No memory!\n"));
+ return False;
+ }
+
+ become_root();
+ ret = pdb_getsampwsid(sampass, user_sid);
+ unbecome_root();
+
+ if (ret == False) {
+ DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
+ TALLOC_FREE(sampass);
+ return False;
+ }
+
+ DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
+
+ if (pdb_get_pass_can_change(sampass)) {
+ TALLOC_FREE(sampass);
+ return True;
+ }
+ TALLOC_FREE(sampass);
+ return False;
+}
+
+
/*******************************************************************
_samr_query_sec_obj
********************************************************************/
NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u)
{
DOM_SID pol_sid;
- fstring str_sid;
SEC_DESC * psd = NULL;
uint32 acc_granted;
size_t sd_size;
if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted, NULL))
return NT_STATUS_INVALID_HANDLE;
- DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid)));
+ DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n",
+ sid_string_dbg(&pol_sid)));
/* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
} else if (sid_equal(&pol_sid,get_global_sam_sid())) {
/* check if it is our domain SID */
- DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
+ DEBUG(5,("_samr_query_sec_obj: querying security on Domain "
+ "with SID: %s\n", sid_string_dbg(&pol_sid)));
r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
} else if (sid_equal(&pol_sid,&global_sid_Builtin)) {
/* check if it is the Builtin Domain */
/* TODO: Builtin probably needs a different SD with restricted write access*/
- DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
+ DEBUG(5,("_samr_query_sec_obj: querying security on Builtin "
+ "Domain with SID: %s\n", sid_string_dbg(&pol_sid)));
r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
} else if (sid_check_is_in_our_domain(&pol_sid) ||
sid_check_is_in_builtin(&pol_sid)) {
/* TODO: different SDs have to be generated for aliases groups and users.
Currently all three get a default user SD */
- DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
- r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
+ DEBUG(10,("_samr_query_sec_obj: querying security on Object "
+ "with SID: %s\n", sid_string_dbg(&pol_sid)));
+ if (check_change_pw_access(p->mem_ctx, &pol_sid)) {
+ r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
+ &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
+ } else {
+ r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping,
+ &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
+ }
} else {
return NT_STATUS_OBJECT_TYPE_MISMATCH;
}
uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_entries);
if (sam == NULL || uni_name == NULL) {
- DEBUG(0, ("make_user_sam_entry_list: talloc_zero failed!\n"));
+ DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
return NT_STATUS_NO_MEMORY;
}
if (num_account == 0) {
DEBUG(5, ("_samr_enum_dom_users: enumeration handle over "
"total entries\n"));
+ init_samr_r_enum_dom_users(r_u, q_u->start_idx, 0);
return NT_STATUS_OK;
}
return r_u->status;
DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n",
- sid_string_static(&info->sid)));
+ sid_string_dbg(&info->sid)));
become_root();
DOM_SID sid;
struct acct_info info;
uint32 acc_granted;
- BOOL ret;
+ NTSTATUS status;
r_u->status = NT_STATUS_OK;
}
become_root();
- ret = pdb_get_aliasinfo(&sid, &info);
+ status = pdb_get_aliasinfo(&sid, &info);
unbecome_root();
- if ( !ret )
- return NT_STATUS_NO_SUCH_ALIAS;
+ if ( !NT_STATUS_IS_OK(status))
+ return status;
if ( !(r_u->ctr = TALLOC_ZERO_P( p->mem_ctx, ALIAS_INFO_CTR )) )
return NT_STATUS_NO_MEMORY;
NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u)
{
uint32 rid[MAX_SAM_ENTRIES];
- enum SID_NAME_USE type[MAX_SAM_ENTRIES];
+ enum lsa_SidType type[MAX_SAM_ENTRIES];
int i;
int num_rids = q_u->num_names2;
DOM_SID pol_sid;
- fstring sid_str;
uint32 acc_granted;
r_u->status = NT_STATUS_OK;
DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids));
}
- DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_to_string(sid_str, &pol_sid)));
+ DEBUG(5,("_samr_lookup_names: looking name on SID %s\n",
+ sid_string_dbg(&pol_sid)));
for (i = 0; i < num_rids; i++) {
fstring name;
makes a SAMR_R_LOOKUP_RIDS structure.
********************************************************************/
-static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
+static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
const char **names, UNIHDR **pp_hdr_name,
UNISTR2 **pp_uni_name)
{
NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u)
{
const char **names;
- enum SID_NAME_USE *attrs = NULL;
+ enum lsa_SidType *attrs = NULL;
uint32 *wire_attrs = NULL;
UNIHDR *hdr_name = NULL;
UNISTR2 *uni_name = NULL;
DOM_SID pol_sid;
- int num_rids = q_u->num_rids1;
+ int num_rids = (int)q_u->num_rids1;
uint32 acc_granted;
int i;
return NT_STATUS_UNSUCCESSFUL;
}
- names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
- attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum SID_NAME_USE, num_rids);
- wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
+ if (num_rids) {
+ names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
+ attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
+ wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
- if ((num_rids != 0) && ((names == NULL) || (attrs == NULL) || wire_attrs))
- return NT_STATUS_NO_MEMORY;
+ if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
+ return NT_STATUS_NO_MEMORY;
+ } else {
+ names = NULL;
+ attrs = NULL;
+ wire_attrs = NULL;
+ }
become_root(); /* lookup_sid can require root privs */
r_u->status = pdb_lookup_rids(&pol_sid, num_rids, q_u->rid,
&hdr_name, &uni_name))
return NT_STATUS_NO_MEMORY;
- /* Convert from enum SID_NAME_USE to uint32 for wire format. */
+ /* Convert from enum lsa_SidType to uint32 for wire format. */
for (i = 0; i < num_rids; i++) {
wire_attrs[i] = (uint32)attrs[i];
}
uint32 acc_granted;
uint32 des_access = q_u->access_mask;
size_t sd_size;
- BOOL ret;
+ bool ret;
NTSTATUS nt_status;
SE_PRIV se_rights;
static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_SID *user_sid)
{
struct samu *smbpass=NULL;
- BOOL ret;
+ bool ret;
if ( !(smbpass = samu_new( mem_ctx )) ) {
return NT_STATUS_NO_MEMORY;
unbecome_root();
if ( !ret ) {
- DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
+ DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
return NT_STATUS_NO_SUCH_USER;
}
static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_SID *user_sid)
{
struct samu *smbpass=NULL;
- BOOL ret;
+ bool ret;
if ( !(smbpass = samu_new( mem_ctx )) ) {
return NT_STATUS_NO_MEMORY;
unbecome_root();
if (ret==False) {
- DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
+ DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
return NT_STATUS_NO_SUCH_USER;
}
static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DOM_SID *user_sid)
{
struct samu *smbpass=NULL;
- BOOL ret;
+ bool ret;
if ( !(smbpass = samu_new( mem_ctx )) ) {
return NT_STATUS_NO_MEMORY;
unbecome_root();
if (ret==False) {
- DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
+ DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
return NT_STATUS_NO_SUCH_USER;
}
static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_18 * id18, DOM_SID *user_sid)
{
struct samu *smbpass=NULL;
- BOOL ret;
+ bool ret;
if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
return NT_STATUS_ACCESS_DENIED;
ret = pdb_getsampwsid(smbpass, user_sid);
if (ret == False) {
- DEBUG(4, ("User %s not found\n", sid_string_static(user_sid)));
+ DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
TALLOC_FREE(smbpass);
return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
}
static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid)
{
struct samu *sampass=NULL;
- BOOL ret;
+ bool ret;
if ( !(sampass = samu_new( mem_ctx )) ) {
return NT_STATUS_NO_MEMORY;
unbecome_root();
if (ret == False) {
- DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
+ DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
return NT_STATUS_NO_SUCH_USER;
}
DOM_SID *user_sid, DOM_SID *domain_sid)
{
struct samu *sampass=NULL;
- BOOL ret;
+ bool ret;
NTSTATUS nt_status;
if ( !(sampass = samu_new( mem_ctx )) ) {
unbecome_root();
if (ret == False) {
- DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
+ DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
return NT_STATUS_NO_SUCH_USER;
}
if (!sid_check_is_in_our_domain(&info->sid))
return NT_STATUS_OBJECT_TYPE_MISMATCH;
- DEBUG(5,("_samr_query_userinfo: sid:%s\n", sid_string_static(&info->sid)));
+ DEBUG(5,("_samr_query_userinfo: sid:%s\n",
+ sid_string_dbg(&info->sid)));
ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_USERINFO_CTR);
if (!ctr)
gid_t *unix_gids;
size_t i, num_gids;
uint32 acc_granted;
- BOOL ret;
+ bool ret;
NTSTATUS result;
+ bool success = False;
/*
* from the SID in the request:
if (!ret) {
DEBUG(10, ("pdb_getsampwsid failed for %s\n",
- sid_string_static(&sid)));
+ sid_string_dbg(&sid)));
return NT_STATUS_NO_SUCH_USER;
}
sids = NULL;
+ /* make both calls inside the root block */
become_root();
result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
&sids, &unix_gids, &num_groups);
+ if ( NT_STATUS_IS_OK(result) ) {
+ success = sid_peek_check_rid(get_global_sam_sid(),
+ pdb_get_group_sid(sam_pass),
+ &primary_group_rid);
+ }
unbecome_root();
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
- sid_string_static(&sid)));
+ sid_string_dbg(&sid)));
return result;
}
- gids = NULL;
- num_gids = 0;
-
- dom_gid.attr = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
- SE_GROUP_ENABLED);
-
- if (!sid_peek_check_rid(get_global_sam_sid(),
- pdb_get_group_sid(sam_pass),
- &primary_group_rid)) {
+ if ( !success ) {
DEBUG(5, ("Group sid %s for user %s not in our domain\n",
- sid_string_static(pdb_get_group_sid(sam_pass)),
+ sid_string_dbg(pdb_get_group_sid(sam_pass)),
pdb_get_username(sam_pass)));
TALLOC_FREE(sam_pass);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
- dom_gid.g_rid = primary_group_rid;
+ gids = NULL;
+ num_gids = 0;
+ dom_gid.attr = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
+ SE_GROUP_ENABLED);
+ dom_gid.g_rid = primary_group_rid;
ADD_TO_ARRAY(p->mem_ctx, DOM_GID, dom_gid, &gids, &num_gids);
for (i=0; i<num_groups; i++) {
if (!sid_peek_check_rid(get_global_sam_sid(),
&(sids[i]), &dom_gid.g_rid)) {
DEBUG(10, ("Found sid %s not in our domain\n",
- sid_string_static(&sids[i])));
+ sid_string_dbg(&sids[i])));
continue;
}
static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
{
- enum SID_NAME_USE type;
- BOOL result;
+ enum lsa_SidType type;
+ bool result;
DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
become_root();
- /* Lookup in our local databases (only LOOKUP_NAME_ISOLATED set)
+ /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
* whether the name already exists */
- result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_ISOLATED,
+ result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
NULL, NULL, NULL, &type);
unbecome_root();
size_t sd_size;
/* check this, when giving away 'add computer to domain' privs */
uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
- BOOL can_add_account = False;
+ bool can_add_account = False;
SE_PRIV se_rights;
DISP_INFO *disp_info = NULL;
return NT_STATUS_NO_MEMORY;
}
- strlower_m(account);
-
nt_status = can_create(p->mem_ctx, account);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
}
- DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, sid_string_static(&sid)));
+ DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
+ sid_string_dbg(&sid)));
init_samr_r_lookup_domain(r_u, &sid, r_u->status);
makes a SAMR_R_ENUM_DOMAINS structure.
********************************************************************/
-static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam,
+static bool make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam,
UNISTR2 **pp_uni_name, uint32 num_sam_entries, fstring doms[])
{
uint32 i;
{
/* Check we actually have the requested alias */
- enum SID_NAME_USE type;
- BOOL result;
+ enum lsa_SidType type;
+ bool result;
gid_t gid;
become_root();
set_user_info_16
********************************************************************/
-static BOOL set_user_info_16(const SAM_USER_INFO_16 *id16, struct samu *pwd)
+static bool set_user_info_16(const SAM_USER_INFO_16 *id16, struct samu *pwd)
{
if (id16 == NULL) {
DEBUG(5, ("set_user_info_16: NULL id16\n"));
set_user_info_18
********************************************************************/
-static BOOL set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd)
+static bool set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd)
{
if (id18 == NULL) {
TALLOC_FREE(pwd);
return False;
}
- if (!pdb_set_pass_changed_now (pwd)) {
+ if (!pdb_set_pass_last_set_time (pwd, time(NULL), PDB_CHANGED)) {
TALLOC_FREE(pwd);
return False;
}
set_user_info_20
********************************************************************/
-static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, struct samu *pwd)
+static bool set_user_info_20(SAM_USER_INFO_20 *id20, struct samu *pwd)
{
if (id20 == NULL) {
DEBUG(5, ("set_user_info_20: NULL id20\n"));
static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23,
struct samu *pwd)
{
- pstring plaintext_buf;
- uint32 len;
+ char *plaintext_buf = NULL;
+ uint32 len = 0;
uint16 acct_ctrl;
NTSTATUS status;
-
+
if (id23 == NULL) {
DEBUG(5, ("set_user_info_23: NULL id23\n"));
return NT_STATUS_INVALID_PARAMETER;
}
-
+
DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
pdb_get_username(pwd)));
acct_ctrl = pdb_get_acct_ctrl(pwd);
- if (!decode_pw_buffer(id23->pass, plaintext_buf, 256, &len, STR_UNICODE)) {
+ if (!decode_pw_buffer(mem_ctx,
+ id23->pass,
+ &plaintext_buf,
+ &len,
+ STR_UNICODE)) {
TALLOC_FREE(pwd);
return NT_STATUS_INVALID_PARAMETER;
}
-
+
if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
TALLOC_FREE(pwd);
return NT_STATUS_ACCESS_DENIED;
}
-
+
copy_id23_to_sam_passwd(pwd, id23);
-
+
/* if it's a trust account, don't update /etc/passwd */
if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
- DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
+ DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
} else {
/* update the UNIX password */
if (lp_unix_password_sync() ) {
if ((passwd = Get_Pwnam(pdb_get_username(pwd))) == NULL) {
DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
}
-
+
if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
TALLOC_FREE(pwd);
return NT_STATUS_ACCESS_DENIED;
}
}
}
-
- ZERO_STRUCT(plaintext_buf);
-
+
+ memset(plaintext_buf, '\0', strlen(plaintext_buf));
+
if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) &&
(!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx,
pwd)))) {
TALLOC_FREE(pwd);
return status;
}
-
+
TALLOC_FREE(pwd);
return NT_STATUS_OK;
set_user_info_pw
********************************************************************/
-static BOOL set_user_info_pw(uint8 *pass, struct samu *pwd)
+static bool set_user_info_pw(uint8 *pass, struct samu *pwd)
{
- uint32 len;
- pstring plaintext_buf;
+ uint32 len = 0;
+ char *plaintext_buf = NULL;
uint32 acct_ctrl;
-
+ time_t last_set_time;
+ enum pdb_value_state last_set_state;
+
DEBUG(5, ("Attempting administrator password change for user %s\n",
pdb_get_username(pwd)));
acct_ctrl = pdb_get_acct_ctrl(pwd);
-
- ZERO_STRUCT(plaintext_buf);
-
- if (!decode_pw_buffer(pass, plaintext_buf, 256, &len, STR_UNICODE)) {
+ /* we need to know if it's expired, because this is an admin change, not a
+ user change, so it's still expired when we're done */
+ last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET);
+ last_set_time = pdb_get_pass_last_set_time(pwd);
+
+ if (!decode_pw_buffer(talloc_tos(),
+ pass,
+ &plaintext_buf,
+ &len,
+ STR_UNICODE)) {
TALLOC_FREE(pwd);
return False;
}
TALLOC_FREE(pwd);
return False;
}
-
+
/* if it's a trust account, don't update /etc/passwd */
if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
if ((passwd = Get_Pwnam(pdb_get_username(pwd))) == NULL) {
DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
}
-
+
if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
TALLOC_FREE(pwd);
return False;
}
}
}
-
- ZERO_STRUCT(plaintext_buf);
-
+
+ memset(plaintext_buf, '\0', strlen(plaintext_buf));
+
+ /* restore last set time as this is an admin change, not a user pw change */
+ pdb_set_pass_last_set_time (pwd, last_set_time, last_set_state);
+
DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
-
+
/* update the SAMBA password */
if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
TALLOC_FREE(pwd);
copy_id25_to_sam_passwd(pwd, id25);
+ /* write the change out */
+ if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
+ TALLOC_FREE(pwd);
+ return status;
+ }
+
/*
- * The funny part about the previous two calls is
- * that pwd still has the password hashes from the
- * passdb entry. These have not been updated from
- * id21. I don't know if they need to be set. --jerry
+ * We need to "pdb_update_sam_account" before the unix primary group
+ * is set, because the idealx scripts would also change the
+ * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
+ * the delete explicit / add explicit, which would then fail to find
+ * the previous primaryGroupSid value.
*/
-
+
if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
status = pdb_set_unix_primary_group(mem_ctx, pwd);
if ( !NT_STATUS_IS_OK(status) ) {
}
}
- /* Don't worry about writing out the user account since the
- primary group SID is generated solely from the user's Unix
- primary group. */
-
- /* write the change out */
- if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
- TALLOC_FREE(pwd);
- return status;
- }
-
/* WARNING: No TALLOC_FREE(pwd), we are about to set the password
* hereafter! */
SAM_USERINFO_CTR *ctr = q_u->ctr;
uint32 acc_granted;
uint32 acc_required;
- BOOL ret;
- BOOL has_enough_rights = False;
+ bool ret;
+ bool has_enough_rights = False;
uint32 acb_info;
DISP_INFO *disp_info = NULL;
if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info))
return NT_STATUS_INVALID_HANDLE;
- /* observed when joining an XP client to a Samba domain */
+ /* This is tricky. A WinXP domain join sets
+ (SA_RIGHT_USER_SET_PASSWORD|SA_RIGHT_USER_SET_ATTRIBUTES|SA_RIGHT_USER_ACCT_FLAGS_EXPIRY)
+ The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
+ standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser().
+ This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
+ we'll use the set from the WinXP join as the basis. */
+
+ switch (switch_value) {
+ case 18:
+ case 24:
+ case 25:
+ case 26:
+ acc_required = SA_RIGHT_USER_SET_PASSWORD;
+ break;
+ default:
+ acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
+ break;
+ }
- acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
-
if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) {
return r_u->status;
}
- DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", sid_string_static(&sid), switch_value));
+ DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n",
+ sid_string_dbg(&sid), switch_value));
if (ctr == NULL) {
DEBUG(5, ("_samr_set_userinfo: NULL info level\n"));
}
SamOEMhashBlob(ctr->info.id24->pass, 516, &p->session_key);
- dump_data(100, (char *)ctr->info.id24->pass, 516);
+ dump_data(100, ctr->info.id24->pass, 516);
if (!set_user_info_pw(ctr->info.id24->pass, pwd))
r_u->status = NT_STATUS_ACCESS_DENIED;
}
encode_or_decode_arc4_passwd_buffer(ctr->info.id25->pass, &p->session_key);
- dump_data(100, (char *)ctr->info.id25->pass, 532);
+ dump_data(100, ctr->info.id25->pass, 532);
r_u->status = set_user_info_25(p->mem_ctx,
ctr->info.id25, pwd);
}
encode_or_decode_arc4_passwd_buffer(ctr->info.id26->pass, &p->session_key);
- dump_data(100, (char *)ctr->info.id26->pass, 516);
+ dump_data(100, ctr->info.id26->pass, 516);
if (!set_user_info_pw(ctr->info.id26->pass, pwd))
r_u->status = NT_STATUS_ACCESS_DENIED;
}
SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key);
- dump_data(100, (char *)ctr->info.id23->pass, 516);
+ dump_data(100, ctr->info.id23->pass, 516);
r_u->status = set_user_info_23(p->mem_ctx,
ctr->info.id23, pwd);
uint16 switch_value = q_u->switch_value;
uint32 acc_granted;
uint32 acc_required;
- BOOL ret;
- BOOL has_enough_rights = False;
+ bool ret;
+ bool has_enough_rights = False;
uint32 acb_info;
DISP_INFO *disp_info = NULL;
return r_u->status;
}
- DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", sid_string_static(&sid)));
+ DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n",
+ sid_string_dbg(&sid)));
if (ctr == NULL) {
DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n"));
}
SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key);
- dump_data(100, (char *)ctr->info.id23->pass, 516);
+ dump_data(100, ctr->info.id23->pass, 516);
r_u->status = set_user_info_23(p->mem_ctx,
ctr->info.id23, pwd);
}
encode_or_decode_arc4_passwd_buffer(ctr->info.id26->pass, &p->session_key);
- dump_data(100, (char *)ctr->info.id26->pass, 516);
+ dump_data(100, ctr->info.id26->pass, 516);
if (!set_user_info_pw(ctr->info.id26->pass, pwd))
r_u->status = NT_STATUS_ACCESS_DENIED;
!sid_check_is_builtin(&info->sid))
return NT_STATUS_OBJECT_TYPE_MISMATCH;
- members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, q_u->num_sids1);
+ if (q_u->num_sids1) {
+ members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, q_u->num_sids1);
- if (members == NULL)
- return NT_STATUS_NO_MEMORY;
+ if (members == NULL)
+ return NT_STATUS_NO_MEMORY;
+ } else {
+ members = NULL;
+ }
for (i=0; i<q_u->num_sids1; i++)
sid_copy(&members[i], &q_u->sid[i].sid);
return r_u->status;
}
- DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid)));
+ DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
+ become_root();
status = pdb_enum_aliasmem(&alias_sid, &sids, &num_sids);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_sids);
- if (num_sids!=0 && sid == NULL) {
- SAFE_FREE(sids);
- return NT_STATUS_NO_MEMORY;
+ if (num_sids) {
+ sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_sids);
+ if (sid == NULL) {
+ SAFE_FREE(sids);
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ sid = NULL;
}
for (i = 0; i < num_sids; i++) {
init_samr_r_query_aliasmem(r_u, num_sids, sid, NT_STATUS_OK);
- SAFE_FREE(sids);
+ TALLOC_FREE(sids);
return NT_STATUS_OK;
}
NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u)
{
DOM_SID group_sid;
- fstring group_sid_str;
size_t i, num_members;
uint32 *rid=NULL;
return r_u->status;
}
- sid_to_string(group_sid_str, &group_sid);
- DEBUG(10, ("sid is %s\n", group_sid_str));
+ DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
if (!sid_check_is_in_our_domain(&group_sid)) {
- DEBUG(3, ("sid %s is not in our domain\n", group_sid_str));
+ DEBUG(3, ("sid %s is not in our domain\n",
+ sid_string_dbg(&group_sid)));
return NT_STATUS_NO_SUCH_GROUP;
}
if (!NT_STATUS_IS_OK(result))
return result;
- attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
-
- if ((num_members!=0) && (attr==NULL))
- return NT_STATUS_NO_MEMORY;
+ if (num_members) {
+ attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
+ if (attr == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ attr = NULL;
+ }
for (i=0; i<num_members; i++)
attr[i] = SID_NAME_USER;
DOM_SID alias_sid;
uint32 acc_granted;
SE_PRIV se_rights;
- BOOL can_add_accounts;
+ bool can_add_accounts;
NTSTATUS ret;
DISP_INFO *disp_info = NULL;
return r_u->status;
}
- DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid)));
+ DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
se_priv_copy( &se_rights, &se_add_users );
can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
DOM_SID alias_sid;
uint32 acc_granted;
SE_PRIV se_rights;
- BOOL can_add_accounts;
+ bool can_add_accounts;
NTSTATUS ret;
DISP_INFO *disp_info = NULL;
}
DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
- sid_string_static(&alias_sid)));
+ sid_string_dbg(&alias_sid)));
se_priv_copy( &se_rights, &se_add_users );
can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
uint32 group_rid;
uint32 acc_granted;
SE_PRIV se_rights;
- BOOL can_add_accounts;
+ bool can_add_accounts;
DISP_INFO *disp_info = NULL;
/* Find the policy handle. Open a policy on it. */
return r_u->status;
}
- DEBUG(10, ("sid is %s\n", sid_string_static(&group_sid)));
+ DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
&group_rid)) {
uint32 group_rid;
uint32 acc_granted;
SE_PRIV se_rights;
- BOOL can_add_accounts;
+ bool can_add_accounts;
DISP_INFO *disp_info = NULL;
/*
DOM_SID user_sid;
struct samu *sam_pass=NULL;
uint32 acc_granted;
- BOOL can_add_accounts;
+ bool can_add_accounts;
uint32 acb_info;
DISP_INFO *disp_info = NULL;
+ bool ret;
DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__));
return NT_STATUS_NO_MEMORY;
}
- if(!pdb_getsampwsid(sam_pass, &user_sid)) {
+ become_root();
+ ret = pdb_getsampwsid(sam_pass, &user_sid);
+ unbecome_root();
+
+ if( !ret ) {
DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n",
- sid_string_static(&user_sid)));
+ sid_string_dbg(&user_sid)));
TALLOC_FREE(sam_pass);
return NT_STATUS_NO_SUCH_USER;
}
uint32 group_rid;
uint32 acc_granted;
SE_PRIV se_rights;
- BOOL can_add_accounts;
+ bool can_add_accounts;
DISP_INFO *disp_info = NULL;
DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__));
return r_u->status;
}
- DEBUG(10, ("sid is %s\n", sid_string_static(&group_sid)));
+ DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
&group_rid)) {
if ( !NT_STATUS_IS_OK(r_u->status) ) {
DEBUG(5,("_samr_delete_dom_group: Failed to delete mapping "
"entry for group %s: %s\n",
- sid_string_static(&group_sid),
+ sid_string_dbg(&group_sid),
nt_errstr(r_u->status)));
return r_u->status;
}
DOM_SID alias_sid;
uint32 acc_granted;
SE_PRIV se_rights;
- BOOL can_add_accounts;
- BOOL ret;
+ bool can_add_accounts;
+ NTSTATUS status;
DISP_INFO *disp_info = NULL;
DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__));
return r_u->status;
}
- DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid)));
+ DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
/* Don't let Windows delete builtin groups */
become_root();
/* Have passdb delete the alias */
- ret = pdb_delete_alias(&alias_sid);
+ status = pdb_delete_alias(&alias_sid);
if ( can_add_accounts )
unbecome_root();
/******** END SeAddUsers BLOCK *********/
- if ( !ret )
- return NT_STATUS_ACCESS_DENIED;
+ if ( !NT_STATUS_IS_OK(status))
+ return status;
if (!close_policy_hnd(p, &q_u->alias_pol))
return NT_STATUS_OBJECT_NAME_INVALID;
struct samr_info *info;
uint32 acc_granted;
SE_PRIV se_rights;
- BOOL can_add_accounts;
+ bool can_add_accounts;
DISP_INFO *disp_info = NULL;
/* Find the policy handle. Open a policy on it. */
gid_t gid;
NTSTATUS result;
SE_PRIV se_rights;
- BOOL can_add_accounts;
+ bool can_add_accounts;
DISP_INFO *disp_info = NULL;
/* Find the policy handle. Open a policy on it. */
if (!sid_equal(&dom_sid, get_global_sam_sid()))
return NT_STATUS_ACCESS_DENIED;
- unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
+ unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name));
se_priv_copy( &se_rights, &se_add_users );
can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
GROUP_MAP map;
GROUP_INFO_CTR *ctr;
uint32 acc_granted;
- BOOL ret;
+ bool ret;
if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, NULL))
return NT_STATUS_INVALID_HANDLE;
GROUP_INFO_CTR *ctr;
uint32 acc_granted;
NTSTATUS ret;
- BOOL result;
- BOOL can_mod_accounts;
+ bool result;
+ bool can_mod_accounts;
DISP_INFO *disp_info = NULL;
if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info))
switch (ctr->switch_value1) {
case 1:
- unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment)-1);
+ unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment));
break;
case 4:
- unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1);
+ unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment));
break;
default:
return NT_STATUS_INVALID_INFO_CLASS;
struct acct_info info;
ALIAS_INFO_CTR *ctr;
uint32 acc_granted;
- BOOL ret;
- BOOL can_mod_accounts;
+ bool can_mod_accounts;
+ NTSTATUS status;
DISP_INFO *disp_info = NULL;
if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted, &disp_info))
/* get the current group information */
- if ( !pdb_get_aliasinfo( &group_sid, &info ) ) {
- return NT_STATUS_NO_SUCH_ALIAS;
- }
+ become_root();
+ status = pdb_get_aliasinfo( &group_sid, &info );
+ unbecome_root();
+
+ if ( !NT_STATUS_IS_OK(status))
+ return status;
switch (ctr->level) {
case 2:
{
- fstring group_name;
- NTSTATUS status;
+ fstring group_name, acct_name;
/* We currently do not support renaming groups in the
the BUILTIN domain. Refer to util_builtin.c to understand
return NT_STATUS_SPECIAL_ACCOUNT;
}
- /* There has to be a valid name */
+ /* There has to be a valid name (and it has to be different) */
+
if ( !ctr->alias.info2.name.string )
return NT_STATUS_INVALID_PARAMETER;
- unistr2_to_ascii( info.acct_name, ctr->alias.info2.name.string,
- sizeof(info.acct_name)-1 );
+ unistr2_to_ascii( acct_name, ctr->alias.info2.name.string,
+ sizeof(acct_name));
+
+ /* If the name is the same just reply "ok". Yes this
+ doesn't allow you to change the case of a group name. */
+
+ if ( strequal( acct_name, info.acct_name ) )
+ return NT_STATUS_OK;
+
+ fstrcpy( info.acct_name, acct_name );
/* make sure the name doesn't already exist as a user
or local group */
if ( ctr->alias.info3.description.string ) {
unistr2_to_ascii( info.acct_desc,
ctr->alias.info3.description.string,
- sizeof(info.acct_desc)-1 );
+ sizeof(info.acct_desc));
}
else
fstrcpy( info.acct_desc, "" );
if ( can_mod_accounts )
become_root();
- ret = pdb_set_aliasinfo( &group_sid, &info );
+ status = pdb_set_aliasinfo( &group_sid, &info );
if ( can_mod_accounts )
unbecome_root();
/******** End SeAddUsers BLOCK *********/
- if (ret) {
+ if (NT_STATUS_IS_OK(status))
force_flush_samr_cache(disp_info);
- }
- return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
+ return status;
}
/*********************************************************************
size_t sd_size;
NTSTATUS status;
fstring sid_string;
- BOOL ret;
+ bool ret;
SE_PRIV se_rights;
if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted, NULL))
sid_copy(&info_sid, get_global_sam_sid());
sid_append_rid(&info_sid, q_u->rid_group);
- sid_to_string(sid_string, &info_sid);
+ sid_to_fstring(sid_string, &info_sid);
if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
return NT_STATUS_NO_MEMORY;
DISP_INFO *disp_info = NULL;
sid_copy( &delete_sid, &q_u->sid.sid );
-
+
DEBUG(5,("_samr_remove_sid_foreign_domain: removing SID [%s]\n",
- sid_string_static(&delete_sid)));
-
+ sid_string_dbg(&delete_sid)));
+
/* Find the policy handle. Open a policy on it. */
-
+
if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &domain_sid,
&acc_granted, &disp_info))
return NT_STATUS_INVALID_HANDLE;
if (!NT_STATUS_IS_OK(result))
return result;
- DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n",
- sid_string_static(&domain_sid)));
+ DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n",
+ sid_string_dbg(&domain_sid)));
/* we can only delete a user from a group since we don't have
nested groups anyways. So in the latter case, just say OK */
if (!sid_check_is_builtin(&domain_sid)) {
DEBUG(1,("_samr_remove_sid_foreign_domain: domain_sid = %s, "
"global_sam_sid() = %s\n",
- sid_string_static(&domain_sid),
- sid_string_static(get_global_sam_sid())));
+ sid_string_dbg(&domain_sid),
+ sid_string_dbg(get_global_sam_sid())));
DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
return NT_STATUS_OK;
}