typedef struct auth_serversupplied_info
{
+ TALLOC_CTX *mem_ctx;
+
BOOL guest;
/* NT group information taken from the info3 structure */
static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
TALLOC_CTX *mem_ctx,
- SAM_ACCOUNT *sampass,
+ const char *username,
+ uint16 acct_flags,
+ const uint8 lm_pw[16], const uint8 nt_pw[16],
const auth_usersupplied_info *user_info,
DATA_BLOB *user_sess_key,
DATA_BLOB *lm_sess_key)
{
- uint16 acct_ctrl;
- const uint8 *lm_pw, *nt_pw;
- const char *username = pdb_get_username(sampass);
-
- acct_ctrl = pdb_get_acct_ctrl(sampass);
- if (acct_ctrl & ACB_PWNOTREQ) {
+ if (acct_flags & ACB_PWNOTREQ) {
if (lp_null_passwords()) {
DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", username));
return NT_STATUS_OK;
}
}
- lm_pw = pdb_get_lanman_passwd(sampass);
- nt_pw = pdb_get_nt_passwd(sampass);
-
return ntlm_password_check(mem_ctx, &auth_context->challenge,
&user_info->lm_resp, &user_info->nt_resp,
&user_info->lm_interactive_pwd, &user_info->nt_interactive_pwd,
****************************************************************************/
static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
- SAM_ACCOUNT *sampass,
+ const char *username,
+ uint16 acct_flags,
+ struct ldb_message **msgs,
const auth_usersupplied_info *user_info)
{
- uint16 acct_ctrl = pdb_get_acct_ctrl(sampass);
char *workstation_list;
time_t kickoff_time;
- DEBUG(4,("sam_account_ok: Checking SMB password for user %s\n",pdb_get_username(sampass)));
+ DEBUG(4,("sam_account_ok: Checking SMB password for user %s\n", username));
/* Quit if the account was disabled. */
- if (acct_ctrl & ACB_DISABLED) {
- DEBUG(1,("sam_account_ok: Account for user '%s' was disabled.\n", pdb_get_username(sampass)));
+ if (acct_flags & ACB_DISABLED) {
+ DEBUG(1,("sam_account_ok: Account for user '%s' was disabled.\n", username));
return NT_STATUS_ACCOUNT_DISABLED;
}
/* Quit if the account was locked out. */
- if (acct_ctrl & ACB_AUTOLOCK) {
- DEBUG(1,("sam_account_ok: Account for user %s was locked out.\n", pdb_get_username(sampass)));
+ if (acct_flags & ACB_AUTOLOCK) {
+ DEBUG(1,("sam_account_ok: Account for user %s was locked out.\n", username));
return NT_STATUS_ACCOUNT_LOCKED_OUT;
}
+#if 0
/* Test account expire time */
kickoff_time = pdb_get_kickoff_time(sampass);
if (kickoff_time != 0 && time(NULL) > kickoff_time) {
- DEBUG(1,("sam_account_ok: Account for user '%s' has expired.\n", pdb_get_username(sampass)));
+ DEBUG(1,("sam_account_ok: Account for user '%s' has expired.\n", username));
DEBUG(3,("sam_account_ok: Account expired at '%ld' unix time.\n", (long)kickoff_time));
return NT_STATUS_ACCOUNT_EXPIRED;
}
- if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP)) {
+ if (!(acct_flags & ACB_PWNOEXP)) {
time_t must_change_time = pdb_get_pass_must_change_time(sampass);
time_t last_set_time = pdb_get_pass_last_set_time(sampass);
/* check for immediate expiry "must change at next logon" */
if (must_change_time == 0 && last_set_time != 0) {
- DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass)));
+ DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", username));
return NT_STATUS_PASSWORD_MUST_CHANGE;
}
/* check for expired password */
if (must_change_time < time(NULL) && must_change_time != 0) {
- DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", pdb_get_username(sampass)));
+ DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", username));
DEBUG(1,("sam_account_ok: Password expired at '%s' (%ld) unix time.\n", timestring(mem_ctx, must_change_time), (long)must_change_time));
return NT_STATUS_PASSWORD_EXPIRED;
}
if (invalid_ws)
return NT_STATUS_INVALID_WORKSTATION;
}
-
- if (acct_ctrl & ACB_DOMTRUST) {
- DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", pdb_get_username(sampass)));
+#endif
+ if (acct_flags & ACB_DOMTRUST) {
+ DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", username));
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
}
- if (acct_ctrl & ACB_SVRTRUST) {
- DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass)));
+ if (acct_flags & ACB_SVRTRUST) {
+ DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", username));
return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
}
- if (acct_ctrl & ACB_WSTRUST) {
- DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
+ if (acct_flags & ACB_WSTRUST) {
+ DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", username));
return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
}
const auth_usersupplied_info *user_info,
auth_serversupplied_info **server_info)
{
- SAM_ACCOUNT *sampass=NULL;
+ struct ldb_message **msgs;
+ void *sam_ctx;
+ uint16 acct_flags;
+ char *username = user_info->internal_username.str;
BOOL ret;
NTSTATUS nt_status;
DATA_BLOB user_sess_key = data_blob(NULL, 0);
DATA_BLOB lm_sess_key = data_blob(NULL, 0);
+ const uint8 *lm_pwd, *nt_pwd;
+ const char *unicodePwd;
+ struct samr_Hash lmPwdHash_u, ntPwdHash_u;
+ struct samr_Hash *lmPwdHash, *ntPwdHash;
+ uint_t num_lm, num_nt;
if (!user_info || !auth_context) {
return NT_STATUS_UNSUCCESSFUL;
}
-
- /* Can't use the talloc version here, because the returned struct gets
- kept on the server_info */
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) {
- return nt_status;
+
+ sam_ctx = samdb_connect();
+ if (sam_ctx == NULL) {
+ return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
-
- /* get the account information */
-
- become_root();
- ret = pdb_getsampwnam(sampass, user_info->internal_username.str);
- unbecome_root();
-
- if (ret == False) {
- DEBUG(3,("check_sam_security: Couldn't find user '%s' in passdb file.\n", user_info->internal_username.str));
- pdb_free_sam(&sampass);
+ /* pull all the user attributes */
+ ret = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, NULL,
+ "(&(sAMAccountName=%s)(objectclass=user))",
+ username);
+
+ if (ret == 0) {
+ DEBUG(3,("check_sam_security: Couldn't find user [%s] in passdb file.\n",
+ username));
return NT_STATUS_NO_SUCH_USER;
}
+ if (ret > 1) {
+ DEBUG(1,("Found %d records matching user [%s]\n", ret, username));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ acct_flags = samdb_result_acct_flags(msgs[0], "sAMAcctFlags");
+
/* Quit if the account was locked out. */
- if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
- DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", pdb_get_username(sampass)));
+ if (acct_flags & ACB_AUTOLOCK) {
+ DEBUG(3,("check_sam_security: Account for user %s was locked out.\n",
+ username));
return NT_STATUS_ACCOUNT_LOCKED_OUT;
}
- nt_status = sam_password_ok(auth_context, mem_ctx, sampass,
+ unicodePwd = samdb_result_string(msgs[0], "unicodePwd", NULL);
+
+ if (unicodePwd) {
+ BOOL lm_hash_ok;
+ /* compute the new nt and lm hashes */
+ lm_hash_ok = E_deshash(unicodePwd, lmPwdHash_u.hash);
+ E_md4hash(unicodePwd, ntPwdHash_u.hash);
+
+ if (lm_hash_ok) {
+ lm_pwd = lmPwdHash_u.hash;
+ } else {
+ lm_pwd = NULL;
+ }
+
+ nt_pwd = ntPwdHash_u.hash;
+
+ } else {
+ num_lm = samdb_result_hashes(mem_ctx, msgs[0], "lmPwdHash", &lmPwdHash);
+ if (num_lm == 0) {
+ lm_pwd = NULL;
+ } else if (num_lm > 1) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ } else {
+ lm_pwd = lmPwdHash[0].hash;
+ }
+
+ num_nt = samdb_result_hashes(mem_ctx, msgs[0], "ntPwdHash", &ntPwdHash);
+ if (num_nt == 0) {
+ nt_pwd = NULL;
+ } else if (num_nt > 1) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ } else {
+ nt_pwd = ntPwdHash[0].hash;
+ }
+ }
+
+ nt_status = sam_password_ok(auth_context, mem_ctx,
+ username, acct_flags,
+ lm_pwd, nt_pwd,
user_info, &user_sess_key, &lm_sess_key);
if (!NT_STATUS_IS_OK(nt_status)) {
- pdb_free_sam(&sampass);
return nt_status;
}
- nt_status = sam_account_ok(mem_ctx, sampass, user_info);
+ nt_status = sam_account_ok(mem_ctx, username, acct_flags, msgs, user_info);
if (!NT_STATUS_IS_OK(nt_status)) {
- pdb_free_sam(&sampass);
return nt_status;
}
- if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) {
+ if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, username))) {
DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
return nt_status;
}
+ {
+ struct ldb_message **group_msgs;
+ char *dn = msgs[0]->dn;
+ int group_ret;
+ const char *group_attrs[3] = { "sAMAccountType", "objectSid", NULL };
+ /* find list of sids */
+ struct dom_sid **groupSIDs = NULL;
+ struct dom_sid *user_sid;
+ struct dom_sid *group_sid;
+ const char *sidstr;
+ int i;
+
+ group_ret = samdb_search(sam_ctx,
+ mem_ctx, NULL, &group_msgs, group_attrs,
+ "(&(member=%s)(sAMAccountType=*))",
+ dn);
+
+ if (!(groupSIDs = talloc_realloc_p((*server_info)->mem_ctx, groupSIDs,
+ struct dom_sid *, group_ret))) {
+ talloc_destroy((*server_info)->mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Need to unroll some nested groups, but not aliases */
+ for (i = 0; i < group_ret; i++) {
+ sidstr = ldb_msg_find_string(group_msgs[i], "objectSid", NULL);
+ groupSIDs[i] = dom_sid_parse_talloc((*server_info)->mem_ctx, sidstr);
+ }
+
+ sidstr = ldb_msg_find_string(msgs[0], "objectSid", NULL);
+ user_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, sidstr);
+ group_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, sidstr);
+ group_sid->sub_auths[group_sid->num_auths-1]
+ = samdb_result_uint(msgs[0], "primaryGroupID", 0);
+
+ if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token((*server_info)->mem_ctx,
+ user_sid, group_sid,
+ group_ret, groupSIDs,
+ False, &(*server_info)->ptok))) {
+ DEBUG(1,("check_sam_security: create_nt_user_token failed with '%s'\n", nt_errstr(nt_status)));
+ free_server_info(server_info);
+ return nt_status;
+ }
+ }
+
+ (*server_info)->guest = False;
+
(*server_info)->user_session_key = user_sess_key;
(*server_info)->lm_session_key = lm_sess_key;
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
-extern DOM_SID global_sid_World;
-extern DOM_SID global_sid_Network;
-extern DOM_SID global_sid_Builtin_Guests;
-extern DOM_SID global_sid_Authenticated_Users;
-
-/****************************************************************************
- Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from
- unix info.
-****************************************************************************/
-
-NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account)
-{
- BOOL pdb_ret;
- NTSTATUS nt_status;
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(account))) {
- return nt_status;
- }
-
- become_root();
- pdb_ret = pdb_getsampwnam(*account, user);
- unbecome_root();
-
- if (!pdb_ret) {
-
- struct passwd *pass = Get_Pwnam(user);
- if (!pass)
- return NT_STATUS_NO_SUCH_USER;
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*account, pass))) {
- return nt_status;
- }
- }
- return NT_STATUS_OK;
-}
+extern struct dom_sid *global_sid_World;
+extern struct dom_sid *global_sid_Anonymous;
+extern struct dom_sid *global_sid_Network;
+extern struct dom_sid *global_sid_Builtin_Guests;
+extern struct dom_sid *global_sid_Authenticated_Users;
/****************************************************************************
Create an auth_usersupplied_data structure
}
DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n",
- sid_to_string(sid_str, &token->user_sids[0]) ));
+ sid_to_string(sid_str, token->user_sids[0]) ));
DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids));
for (i = 0; i < token->num_sids; i++)
DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i,
- sid_to_string(sid_str, &token->user_sids[i])));
+ sid_to_string(sid_str, token->user_sids[i])));
}
/****************************************************************************
Create the SID list for this user.
****************************************************************************/
-static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *group_sid,
- int n_groupSIDs, DOM_SID *groupSIDs,
- BOOL is_guest, NT_USER_TOKEN **token)
+NTSTATUS create_nt_user_token(TALLOC_CTX *mem_ctx,
+ struct dom_sid *user_sid, struct dom_sid *group_sid,
+ int n_groupSIDs, struct dom_sid **groupSIDs,
+ BOOL is_guest, struct nt_user_token **token)
{
NTSTATUS nt_status = NT_STATUS_OK;
- NT_USER_TOKEN *ptoken;
+ struct nt_user_token *ptoken;
int i;
int sid_ndx;
- if ((ptoken = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) {
+ if (!(ptoken = talloc_p(mem_ctx, struct nt_user_token))) {
DEBUG(0, ("create_nt_token: Out of memory allocating token\n"));
nt_status = NT_STATUS_NO_MEMORY;
return nt_status;
}
- ZERO_STRUCTP(ptoken);
-
- ptoken->num_sids = n_groupSIDs + 5;
+ ptoken->num_sids = 0;
- if ((ptoken->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptoken->num_sids )) == NULL) {
+ if (!(ptoken->user_sids = talloc_array_p(mem_ctx, struct dom_sid*, n_groupSIDs + 5))) {
DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n"));
nt_status = NT_STATUS_NO_MEMORY;
return nt_status;
}
- memset((char*)ptoken->user_sids,0,sizeof(DOM_SID) * ptoken->num_sids);
-
/*
* Note - user SID *MUST* be first in token !
* se_access_check depends on this.
* Primary group SID is second in token. Convention.
*/
- sid_copy(&ptoken->user_sids[PRIMARY_USER_SID_INDEX], user_sid);
- if (group_sid)
- sid_copy(&ptoken->user_sids[PRIMARY_GROUP_SID_INDEX], group_sid);
+ ptoken->user_sids[PRIMARY_USER_SID_INDEX] = user_sid;
+ ptoken->num_sids++;
+ ptoken->user_sids[PRIMARY_GROUP_SID_INDEX] = group_sid;
+ ptoken->num_sids++;
/*
* Finally add the "standard" SIDs.
* don't really support) is the addition of Authenticated_Users.
*/
- sid_copy(&ptoken->user_sids[2], &global_sid_World);
- sid_copy(&ptoken->user_sids[3], &global_sid_Network);
+ ptoken->user_sids[2] = global_sid_World;
+ ptoken->user_sids[3] = global_sid_Network;
+
+ if (is_guest) {
+ ptoken->user_sids[4] = global_sid_Builtin_Guests;
+ ptoken->num_sids++;
+ } else {
+ ptoken->user_sids[4] = global_sid_Authenticated_Users;
+ ptoken->num_sids++;
+ }
- if (is_guest)
- sid_copy(&ptoken->user_sids[4], &global_sid_Builtin_Guests);
- else
- sid_copy(&ptoken->user_sids[4], &global_sid_Authenticated_Users);
-
sid_ndx = 5; /* next available spot */
for (i = 0; i < n_groupSIDs; i++) {
size_t check_sid_idx;
for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) {
- if (sid_equal(&ptoken->user_sids[check_sid_idx],
- &groupSIDs[i])) {
+ if (sid_equal(ptoken->user_sids[check_sid_idx],
+ groupSIDs[i])) {
break;
}
}
if (check_sid_idx >= ptoken->num_sids) /* Not found already */ {
- sid_copy(&ptoken->user_sids[sid_ndx++], &groupSIDs[i]);
- } else {
- ptoken->num_sids--;
+ ptoken->user_sids[sid_ndx++] = groupSIDs[i];
+ ptoken->num_sids++;
}
}
Make a user_info struct
***************************************************************************/
-static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass)
+NTSTATUS make_server_info(auth_serversupplied_info **server_info, const char *username)
{
- *server_info = malloc(sizeof(**server_info));
+ TALLOC_CTX *mem_ctx = talloc_init("auth subsystem: server_info for %s", username);
+ *server_info = talloc_p(mem_ctx, auth_serversupplied_info);
if (!*server_info) {
DEBUG(0,("make_server_info: malloc failed!\n"));
+ talloc_destroy(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
- ZERO_STRUCTP(*server_info);
-
- return NT_STATUS_OK;
-}
-
-/***************************************************************************
- Make (and fill) a user_info struct from a SAM_ACCOUNT
-***************************************************************************/
-
-NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
- SAM_ACCOUNT *sampass)
-{
- NTSTATUS nt_status = NT_STATUS_OK;
- const DOM_SID *user_sid = pdb_get_user_sid(sampass);
- const DOM_SID *group_sid = pdb_get_group_sid(sampass);
- NT_USER_TOKEN *token;
- BOOL is_guest;
- uint32 rid;
-
- if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sampass))) {
- return nt_status;
- }
-
- is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST);
-
- if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid,
- 0, NULL, is_guest,
- &token)))
- {
- DEBUG(4,("create_nt_user_token failed\n"));
- free_server_info(server_info);
- return nt_status;
- }
-
- (*server_info)->ptok = token;
+ (*server_info)->mem_ctx = mem_ctx;
- return nt_status;
-}
-
-/***************************************************************************
- Make (and fill) a user_info struct from a 'struct passwd' by conversion
- to a SAM_ACCOUNT
-***************************************************************************/
-
-NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd)
-{
- NTSTATUS nt_status;
- SAM_ACCOUNT *sampass = NULL;
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) {
- return nt_status;
- }
- return make_server_info_sam(server_info, sampass);
+ return NT_STATUS_OK;
}
/***************************************************************************
NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
{
NTSTATUS nt_status;
- SAM_ACCOUNT *sampass = NULL;
- DOM_SID guest_sid;
+ static const char zeros[16];
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) {
- return nt_status;
- }
+ nt_status = make_server_info(server_info, "");
- sid_copy(&guest_sid, get_global_sam_sid());
- sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST);
-
- become_root();
- if (!pdb_getsampwsid(sampass, &guest_sid)) {
- unbecome_root();
- return NT_STATUS_NO_SUCH_USER;
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
- unbecome_root();
-
- nt_status = make_server_info_sam(server_info, sampass);
-
- if (NT_STATUS_IS_OK(nt_status)) {
- static const char zeros[16];
- (*server_info)->guest = True;
-
- /* annoying, but the Guest really does have a session key,
- and it is all zeros! */
- (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
- (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
+
+ (*server_info)->guest = True;
+
+ if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token((*server_info)->mem_ctx,
+ global_sid_Anonymous, global_sid_Builtin_Guests,
+ 0, NULL,
+ True, &(*server_info)->ptok))) {
+ DEBUG(1,("check_sam_security: create_nt_user_token failed with '%s'\n", nt_errstr(nt_status)));
+ free_server_info(server_info);
+ return nt_status;
}
-
+
+ /* annoying, but the Guest really does have a session key,
+ and it is all zeros! */
+ (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
+ (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
return nt_status;
}
void free_server_info(auth_serversupplied_info **server_info)
{
- DEBUG(5,("attempting to free (and zero) a server_info structure\n"));
- if (*server_info != NULL) {
-
- /* call pam_end here, unless we know we are keeping it */
- delete_nt_token( &(*server_info)->ptok );
- ZERO_STRUCT(**server_info);
+ DEBUG(5,("attempting to free a server_info structure\n"));
+ if (!*server_info) {
+ talloc_destroy((*server_info)->mem_ctx);
}
- SAFE_FREE(*server_info);
+ *server_info = NULL;
}
/***************************************************************************
SAFE_FREE(*pptoken);
}
-/****************************************************************************
- Duplicate a SID token.
-****************************************************************************/
-
-struct nt_user_token *dup_nt_token(NT_USER_TOKEN *ptoken)
-{
- NT_USER_TOKEN *token;
-
- if (!ptoken)
- return NULL;
-
- if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL)
- return NULL;
-
- ZERO_STRUCTP(token);
-
- if ((token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids )) == NULL) {
- SAFE_FREE(token);
- return NULL;
- }
-
- token->num_sids = ptoken->num_sids;
-
- return token;
-}
-
/**
* Squash an NT_STATUS in line with security requirements.
* In an attempt to avoid giving the whole game away when users
SMB_MODULE(auth_sam,AUTH,STATIC,[auth/auth_sam.o])
SMB_MODULE(auth_builtin,AUTH,STATIC,[auth/auth_builtin.o])
-SMB_MODULE(auth_unix,AUTH,STATIC,[auth/auth_unix.o])
SMB_SUBSYSTEM(AUTH,auth/auth.o,
[auth/auth_ntlmssp.o
sinclude(smbd/process_model.m4)
sinclude(smb_server/config.m4)
sinclude(auth/config.m4)
-sinclude(passdb/config.m4)
sinclude(ntvfs/config.m4)
sinclude(rpc_server/config.m4)
sinclude(lib/registry/config.m4)
smbd/build_options.o
smbd/rewrite.o],
[],
- [PROCESS_MODEL SMB AUTH PASSDB NTVFS DCERPC LIBBASIC CONFIG LIBCMDLINE LIBSMB REGISTRY])
+ [PROCESS_MODEL SMB AUTH NTVFS DCERPC LIBBASIC CONFIG LIBCMDLINE LIBSMB REGISTRY])
SMB_BINARY(smbclient, [ALL], [BIN],
[client/client.o
#include "libcli/auth/schannel.h"
#include "auth/auth.h"
-#include "passdb/passdb.h"
#include "module.h"
typedef struct nt_user_token {
size_t num_sids;
- DOM_SID *user_sids;
+ struct dom_sid **user_sids;
} NT_USER_TOKEN;
/* 32 bit time (sec) since 01jan1970 - cifs6.txt, section 3.5, page 30 */
struct user_struct *next, *prev;
uint16 vuid; /* Tag for this entry. */
- BOOL guest;
-
- NT_USER_TOKEN *nt_user_token;
-
DATA_BLOB session_key;
char *session_keystr; /* used by utmp and pam session code.
static struct passwd *uname_string_combinations(char *s, struct passwd * (*fn) (const char *), int N);
static struct passwd *uname_string_combinations2(char *s, int offset, struct passwd * (*fn) (const char *), int N);
-/*****************************************************************
- Check if a user or group name is local (this is a *local* name for
- *local* people, there's nothing for you here...).
-*****************************************************************/
-
-static BOOL name_is_local(const char *name)
-{
- return !(strchr_m(name, *lp_winbind_separator()));
-}
-
/*****************************************************************
Splits passed user or group name to domain and user/group name parts
Returns True if name was splitted and False otherwise.
if(user_in_group_list(user, *list +2, groups, n_groups))
return True;
}
- } else if (!name_is_local(*list)) {
- /*
- * If user name did not match and token is not
- * a unix group and the token has a winbind separator in the
- * name then see if it is a Windows group.
- */
-
- DOM_SID g_sid;
- enum SID_NAME_USE name_type;
- BOOL winbind_answered = False;
- BOOL ret;
- fstring groupname, domain;
-
- /* Parse a string of the form DOMAIN/user into a domain and a user */
-
- char *p = strchr(*list,*lp_winbind_separator());
-
- DEBUG(10,("user_in_list: checking if user |%s| is in winbind group |%s|\n", user, *list));
-
- if (p) {
- fstrcpy(groupname, p+1);
- fstrcpy(domain, *list);
- domain[PTR_DIFF(p, *list)] = 0;
-
- /* Check to see if name is a Windows group */
- if (winbind_lookup_name(domain, groupname, &g_sid, &name_type) && name_type == SID_NAME_DOM_GRP) {
-
- /* Check if user name is in the Windows group */
- ret = user_in_winbind_group_list(user, *list, &winbind_answered);
-
- if (winbind_answered && ret == True) {
- DEBUG(10,("user_in_list: user |%s| is in winbind group |%s|\n", user, *list));
- return ret;
- }
- }
- }
}
list++;
{
struct sys_userlist *list_head = NULL;
struct group *gptr;
- fstring domain;
- fstring groupname;
- DOM_SID sid;
- enum SID_NAME_USE name_type;
- /* No point using winbind if we can't split it in the
- first place */
- if (split_domain_and_name(gname, domain, groupname)) {
-
- /*
- * If we're doing this via winbindd, don't do the
- * entire group list enumeration as we know this is
- * pointless (and slow).
- */
-
- if (winbind_lookup_name(domain, groupname, &sid, &name_type)
- && name_type == SID_NAME_DOM_GRP) {
- if ((gptr = (struct group *)getgrnam(gname)) == NULL)
- return NULL;
- return add_members_to_userlist(list_head, gptr);
- }
- }
-
#if !defined(BROKEN_GETGRNAM)
if ((gptr = (struct group *)getgrnam(gname)) == NULL)
return NULL;
* Some useful sids
*/
-DOM_SID global_sid_World_Domain; /* Everyone domain */
-DOM_SID global_sid_World; /* Everyone */
-DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */
-DOM_SID global_sid_NT_Authority; /* NT Authority */
-DOM_SID global_sid_System; /* System */
-DOM_SID global_sid_NULL; /* NULL sid */
-DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */
-DOM_SID global_sid_Network; /* Network rids */
-
-DOM_SID global_sid_Creator_Owner; /* Creator Owner */
-DOM_SID global_sid_Creator_Group; /* Creator Group */
-DOM_SID global_sid_Anonymous; /* Anonymous login */
-
-DOM_SID global_sid_Builtin; /* Local well-known domain */
-DOM_SID global_sid_Builtin_Administrators; /* Builtin administrators */
-DOM_SID global_sid_Builtin_Users; /* Builtin users */
-DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
-DOM_SID global_sid_Builtin_Power_Users; /* Builtin power users */
-DOM_SID global_sid_Builtin_Account_Operators; /* Builtin account operators */
-DOM_SID global_sid_Builtin_Server_Operators; /* Builtin server operators */
-DOM_SID global_sid_Builtin_Print_Operators; /* Builtin print operators */
-DOM_SID global_sid_Builtin_Backup_Operators; /* Builtin backup operators */
-DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */
+struct dom_sid *global_sid_World_Domain; /* Everyone domain */
+struct dom_sid *global_sid_World; /* Everyone */
+struct dom_sid *global_sid_Creator_Owner_Domain; /* Creator Owner domain */
+struct dom_sid *global_sid_NT_Authority; /* NT Authority */
+struct dom_sid *global_sid_System; /* System */
+struct dom_sid *global_sid_NULL; /* NULL sid */
+struct dom_sid *global_sid_Authenticated_Users; /* All authenticated rids */
+struct dom_sid *global_sid_Network; /* Network rids */
+
+struct dom_sid *global_sid_Creator_Owner; /* Creator Owner */
+struct dom_sid *global_sid_Creator_Group; /* Creator Group */
+struct dom_sid *global_sid_Anonymous; /* Anonymous login */
+
+struct dom_sid *global_sid_Builtin; /* Local well-known domain */
+struct dom_sid *global_sid_Builtin_Administrators; /* Builtin administrators */
+struct dom_sid *global_sid_Builtin_Users; /* Builtin users */
+struct dom_sid *global_sid_Builtin_Guests; /* Builtin guest users */
+struct dom_sid *global_sid_Builtin_Power_Users; /* Builtin power users */
+struct dom_sid *global_sid_Builtin_Account_Operators; /* Builtin account operators */
+struct dom_sid *global_sid_Builtin_Server_Operators; /* Builtin server operators */
+struct dom_sid *global_sid_Builtin_Print_Operators; /* Builtin print operators */
+struct dom_sid *global_sid_Builtin_Backup_Operators; /* Builtin backup operators */
+struct dom_sid *global_sid_Builtin_Replicator; /* Builtin replicator */
#define SECURITY_NULL_SID_AUTHORITY 0
#define SECURITY_WORLD_SID_AUTHORITY 1
#define SECURITY_CREATOR_SID_AUTHORITY 3
#define SECURITY_NT_AUTHORITY 5
-/*
- * An NT compatible anonymous token.
- */
-
-static DOM_SID anon_sid_array[3];
-
-NT_USER_TOKEN anonymous_token = {
- 3,
- anon_sid_array
-};
-
-static DOM_SID system_sid_array[4];
-NT_USER_TOKEN system_token = {
- 1,
- system_sid_array
-};
-
/****************************************************************************
Lookup string names for SID types.
****************************************************************************/
void generate_wellknown_sids(void)
{
static BOOL initialised = False;
+ static TALLOC_CTX *mem_ctx;
if (initialised)
return;
+ mem_ctx = talloc_init("Well known groups, global static context");
+ if (!mem_ctx)
+ return;
+
/* SECURITY_NULL_SID_AUTHORITY */
- string_to_sid(&global_sid_NULL, "S-1-0-0");
+ global_sid_NULL = dom_sid_parse_talloc(mem_ctx, "S-1-0-0");
/* SECURITY_WORLD_SID_AUTHORITY */
- string_to_sid(&global_sid_World_Domain, "S-1-1");
- string_to_sid(&global_sid_World, "S-1-1-0");
+ global_sid_World_Domain = dom_sid_parse_talloc(mem_ctx, "S-1-1");
+ global_sid_World = dom_sid_parse_talloc(mem_ctx, "S-1-1-0");
/* SECURITY_CREATOR_SID_AUTHORITY */
- string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3");
- string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
- string_to_sid(&global_sid_Creator_Group, "S-1-3-1");
+ global_sid_Creator_Owner_Domain = dom_sid_parse_talloc(mem_ctx, "S-1-3");
+ global_sid_Creator_Owner = dom_sid_parse_talloc(mem_ctx, "S-1-3-0");
+ global_sid_Creator_Group = dom_sid_parse_talloc(mem_ctx, "S-1-3-1");
/* SECURITY_NT_AUTHORITY */
- string_to_sid(&global_sid_NT_Authority, "S-1-5");
- string_to_sid(&global_sid_Network, "S-1-5-2");
- string_to_sid(&global_sid_Anonymous, "S-1-5-7");
- string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
- string_to_sid(&global_sid_System, "S-1-5-18");
+ global_sid_NT_Authority = dom_sid_parse_talloc(mem_ctx, "S-1-5");
+ global_sid_Network = dom_sid_parse_talloc(mem_ctx, "S-1-5-2");
+ global_sid_Anonymous = dom_sid_parse_talloc(mem_ctx, "S-1-5-7");
+ global_sid_Authenticated_Users = dom_sid_parse_talloc(mem_ctx, "S-1-5-11");
+ global_sid_System = dom_sid_parse_talloc(mem_ctx, "S-1-5-18");
/* SECURITY_BUILTIN_DOMAIN_RID */
- string_to_sid(&global_sid_Builtin, "S-1-5-32");
- string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
- string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
- string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546");
- string_to_sid(&global_sid_Builtin_Power_Users, "S-1-5-32-547");
- string_to_sid(&global_sid_Builtin_Account_Operators, "S-1-5-32-548");
- string_to_sid(&global_sid_Builtin_Server_Operators, "S-1-5-32-549");
- string_to_sid(&global_sid_Builtin_Print_Operators, "S-1-5-32-550");
- string_to_sid(&global_sid_Builtin_Backup_Operators, "S-1-5-32-551");
- string_to_sid(&global_sid_Builtin_Replicator, "S-1-5-32-552");
-
- /* Create the anon token. */
- sid_copy( &anonymous_token.user_sids[0], &global_sid_World);
- sid_copy( &anonymous_token.user_sids[1], &global_sid_Network);
- sid_copy( &anonymous_token.user_sids[2], &global_sid_Anonymous);
-
- /* Create the system token. */
- sid_copy( &system_token.user_sids[0], &global_sid_System);
-
- initialised = True;
-}
+ global_sid_Builtin = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
+ global_sid_Builtin_Administrators = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-544");
+ global_sid_Builtin_Users = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-545");
+ global_sid_Builtin_Guests = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-546");
+ global_sid_Builtin_Power_Users = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-547");
+ global_sid_Builtin_Account_Operators = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-548");
+ global_sid_Builtin_Server_Operators = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-549");
+ global_sid_Builtin_Print_Operators = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-550");
+ global_sid_Builtin_Backup_Operators = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-551");
+ global_sid_Builtin_Replicator = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-552");
-/**************************************************************************
- Create the SYSTEM token.
-***************************************************************************/
-
-NT_USER_TOKEN *get_system_token(void)
-{
- generate_wellknown_sids(); /* The token is initialised here */
- return &system_token;
+ initialised = True;
}
/**************************************************************************
fullname, domain, name));
}
-/****************************************************************************
- Test if a SID is wellknown and resolvable.
-****************************************************************************/
-
-BOOL resolvable_wellknown_sid(DOM_SID *sid)
-{
- uint32 ia = (sid->id_auth[5]) +
- (sid->id_auth[4] << 8 ) +
- (sid->id_auth[3] << 16) +
- (sid->id_auth[2] << 24);
-
- if (sid->sid_rev_num != SEC_DESC_REVISION || sid->num_auths < 1)
- return False;
-
- return (ia == SECURITY_WORLD_SID_AUTHORITY ||
- ia == SECURITY_CREATOR_SID_AUTHORITY);
-}
-
/*****************************************************************
Convert a SID to an ascii string.
*****************************************************************/
-char *sid_to_string(fstring sidstr_out, const DOM_SID *sid)
+char *sid_to_string(fstring sidstr_out, const struct dom_sid *sid)
{
- char subauth[16];
- int i;
- uint32 ia;
-
- if (!sid) {
- fstrcpy(sidstr_out, "(NULL SID)");
- return sidstr_out;
- }
-
- /*
- * BIG NOTE: this function only does SIDS where the identauth is not >= 2^32
- * in a range of 2^48.
- */
- ia = (sid->id_auth[5]) +
- (sid->id_auth[4] << 8 ) +
- (sid->id_auth[3] << 16) +
- (sid->id_auth[2] << 24);
-
- slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia);
-
- for (i = 0; i < sid->num_auths; i++) {
- slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]);
- fstrcat(sidstr_out, subauth);
+ char *tmp_string;
+ TALLOC_CTX *mem_ctx;
+ if (!(mem_ctx = talloc_init("sid_to_string temp context"))) {
+ return NULL;
}
+ tmp_string = dom_sid_string(mem_ctx, sid);
+ if (!tmp_string)
+ return NULL;
+
+ fstrcpy(sidstr_out, tmp_string);
return sidstr_out;
}
-/*****************************************************************
- Useful function for debug lines.
-*****************************************************************/
-
-const char *sid_string_talloc(TALLOC_CTX *mem_ctx, const DOM_SID *sid)
-{
- fstring tempSid;
- sid_to_string(tempSid, sid);
- return talloc_strdup(mem_ctx, tempSid);
-}
-
-/*****************************************************************
- Convert a string to a SID. Returns True on success, False on fail.
-*****************************************************************/
-
-BOOL string_to_sid(DOM_SID *sidout, const char *sidstr)
-{
- pstring tok;
- char *q;
- const char *p;
- /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
- uint32 ia;
-
- if (StrnCaseCmp( sidstr, "S-", 2)) {
- DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr));
- return False;
- }
-
- memset((char *)sidout, '\0', sizeof(DOM_SID));
-
- p = q = strdup(sidstr + 2);
- if (p == NULL) {
- DEBUG(0, ("string_to_sid: out of memory!\n"));
- return False;
- }
-
- if (!next_token(&p, tok, "-", sizeof(tok))) {
- DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
- SAFE_FREE(q);
- return False;
- }
-
- /* Get the revision number. */
- sidout->sid_rev_num = (uint8)strtoul(tok, NULL, 10);
-
- if (!next_token(&p, tok, "-", sizeof(tok))) {
- DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
- SAFE_FREE(q);
- return False;
- }
-
- /* identauth in decimal should be < 2^32 */
- ia = (uint32)strtoul(tok, NULL, 10);
-
- /* NOTE - the ia value is in big-endian format. */
- sidout->id_auth[0] = 0;
- sidout->id_auth[1] = 0;
- sidout->id_auth[2] = (ia & 0xff000000) >> 24;
- sidout->id_auth[3] = (ia & 0x00ff0000) >> 16;
- sidout->id_auth[4] = (ia & 0x0000ff00) >> 8;
- sidout->id_auth[5] = (ia & 0x000000ff);
-
- sidout->num_auths = 0;
-
- while(next_token(&p, tok, "-", sizeof(tok)) &&
- sidout->num_auths < MAXSUBAUTHS) {
- /*
- * NOTE - the subauths are in native machine-endian format. They
- * are converted to little-endian when linearized onto the wire.
- */
- sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10));
- }
-
- SAFE_FREE(q);
- return True;
-}
-
-/*****************************************************************
- Add a rid to the end of a sid
-*****************************************************************/
-
-BOOL sid_append_rid(DOM_SID *sid, uint32 rid)
-{
- if (sid->num_auths < MAXSUBAUTHS) {
- sid->sub_auths[sid->num_auths++] = rid;
- return True;
- }
- return False;
-}
-
/*****************************************************************
Removes the last rid from the end of a sid
*****************************************************************/
-BOOL sid_split_rid(DOM_SID *sid, uint32 *rid)
+BOOL sid_split_rid(struct dom_sid *sid, uint32 *rid)
{
if (sid->num_auths > 0) {
sid->num_auths--;
Return the last rid from the end of a sid
*****************************************************************/
-BOOL sid_peek_rid(const DOM_SID *sid, uint32 *rid)
+BOOL sid_peek_rid(const struct dom_sid *sid, uint32 *rid)
{
if (!sid || !rid)
return False;
and check the sid against the exp_dom_sid
*****************************************************************/
-BOOL sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 *rid)
+BOOL sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct dom_sid *sid, uint32 *rid)
{
if (!exp_dom_sid || !sid || !rid)
return False;
return sid_peek_rid(sid, rid);
}
-/*****************************************************************
- Copies a sid
-*****************************************************************/
-
-void sid_copy(DOM_SID *dst, const DOM_SID *src)
-{
- int i;
-
- ZERO_STRUCTP(dst);
-
- dst->sid_rev_num = src->sid_rev_num;
- dst->num_auths = src->num_auths;
-
- memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth));
-
- for (i = 0; i < src->num_auths; i++)
- dst->sub_auths[i] = src->sub_auths[i];
-}
-
-/*****************************************************************
- Write a sid out into on-the-wire format.
-*****************************************************************/
-
-BOOL sid_linearize(char *outbuf, size_t len, const DOM_SID *sid)
-{
- size_t i;
-
- if (len < sid_size(sid))
- return False;
-
- SCVAL(outbuf,0,sid->sid_rev_num);
- SCVAL(outbuf,1,sid->num_auths);
- memcpy(&outbuf[2], sid->id_auth, 6);
- for(i = 0; i < sid->num_auths; i++)
- SIVAL(outbuf, 8 + (i*4), sid->sub_auths[i]);
-
- return True;
-}
-
-/*****************************************************************
- Parse a on-the-wire SID to a DOM_SID.
-*****************************************************************/
-
-BOOL sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
-{
- int i;
- if (len < 8)
- return False;
-
- ZERO_STRUCTP(sid);
-
- sid->sid_rev_num = CVAL(inbuf, 0);
- sid->num_auths = CVAL(inbuf, 1);
- memcpy(sid->id_auth, inbuf+2, 6);
- if (len < 8 + sid->num_auths*4)
- return False;
- for (i=0;i<sid->num_auths;i++)
- sid->sub_auths[i] = IVAL(inbuf, 8+i*4);
- return True;
-}
-
/*****************************************************************
Compare the auth portion of two sids.
*****************************************************************/
-static int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2)
+static int sid_compare_auth(const struct dom_sid *sid1, const struct dom_sid *sid2)
{
int i;
Compare two sids.
*****************************************************************/
-int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2)
+int sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2)
{
int i;
this just compares the leading sub-auths
*****************************************************************/
-int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2)
+int sid_compare_domain(const struct dom_sid *sid1, const struct dom_sid *sid2)
{
int n, i;
Compare two sids.
*****************************************************************/
-BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2)
+BOOL sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2)
{
return sid_compare(sid1, sid2) == 0;
}
-
/*****************************************************************
- Check if the SID is the builtin SID (S-1-5-32).
+ Write a sid out into on-the-wire format.
*****************************************************************/
-BOOL sid_check_is_builtin(const DOM_SID *sid)
+BOOL sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid)
{
- return sid_equal(sid, &global_sid_Builtin);
-}
+ size_t i;
-/*****************************************************************
- Check if the SID is one of the builtin SIDs (S-1-5-32-a).
-*****************************************************************/
+ if (len < sid_size(sid))
+ return False;
-BOOL sid_check_is_in_builtin(const DOM_SID *sid)
-{
- DOM_SID dom_sid;
- uint32 rid;
+ SCVAL(outbuf,0,sid->sid_rev_num);
+ SCVAL(outbuf,1,sid->num_auths);
+ memcpy(&outbuf[2], sid->id_auth, 6);
+ for(i = 0; i < sid->num_auths; i++)
+ SIVAL(outbuf, 8 + (i*4), sid->sub_auths[i]);
- sid_copy(&dom_sid, sid);
- sid_split_rid(&dom_sid, &rid);
-
- return sid_equal(&dom_sid, &global_sid_Builtin);
+ return True;
}
+
/*****************************************************************
Calculates size of a sid.
*****************************************************************/
-size_t sid_size(const DOM_SID *sid)
+size_t sid_size(const struct dom_sid *sid)
{
if (sid == NULL)
return 0;
return sid->num_auths * sizeof(uint32) + 8;
}
-/*****************************************************************
- Returns true if SID is internal (and non-mappable).
-*****************************************************************/
-
-BOOL non_mappable_sid(DOM_SID *sid)
-{
- DOM_SID dom;
- uint32 rid;
-
- sid_copy(&dom, sid);
- sid_split_rid(&dom, &rid);
-
- if (sid_equal(&dom, &global_sid_Builtin))
- return True;
-
- if (sid_equal(&dom, &global_sid_NT_Authority))
- return True;
-
- return False;
-}
-
/*****************************************************************
Return the binary string representation of a DOM_SID.
Caller must free.
*****************************************************************/
-char *sid_binstring(const DOM_SID *sid)
+char *sid_binstring(const struct dom_sid *sid)
{
char *buf, *s;
int len = sid_size(sid);
struct winbindd_request *request,
struct winbindd_response *response);
-/* Call winbindd to convert a name to a sid */
-
-BOOL winbind_lookup_name(const char *dom_name, const char *name, DOM_SID *sid,
- enum SID_NAME_USE *name_type)
-{
- struct winbindd_request request;
- struct winbindd_response response;
- NSS_STATUS result;
-
- if (!sid || !name_type)
- return False;
-
- /* Send off request */
-
- ZERO_STRUCT(request);
- ZERO_STRUCT(response);
-
- fstrcpy(request.data.name.dom_name, dom_name);
- fstrcpy(request.data.name.name, name);
-
- if ((result = winbindd_request(WINBINDD_LOOKUPNAME, &request,
- &response)) == NSS_STATUS_SUCCESS) {
- if (!string_to_sid(sid, response.data.sid.sid))
- return False;
- *name_type = (enum SID_NAME_USE)response.data.sid.type;
- }
-
- return result == NSS_STATUS_SUCCESS;
-}
-
-/* Call winbindd to convert sid to name */
-
-BOOL winbind_lookup_sid(const DOM_SID *sid,
- fstring dom_name, fstring name,
- enum SID_NAME_USE *name_type)
-{
- struct winbindd_request request;
- struct winbindd_response response;
- NSS_STATUS result;
- fstring sid_str;
-
- /* Initialise request */
-
- ZERO_STRUCT(request);
- ZERO_STRUCT(response);
-
- sid_to_string(sid_str, sid);
- fstrcpy(request.data.sid, sid_str);
-
- /* Make request */
-
- result = winbindd_request(WINBINDD_LOOKUPSID, &request, &response);
-
- /* Copy out result */
-
- if (result == NSS_STATUS_SUCCESS) {
- fstrcpy(dom_name, response.data.name.dom_name);
- fstrcpy(name, response.data.name.name);
- *name_type = (enum SID_NAME_USE)response.data.name.type;
-
- DEBUG(10, ("winbind_lookup_sid: SUCCESS: SID %s -> %s %s\n",
- sid_str, dom_name, name));
- }
-
- return (result == NSS_STATUS_SUCCESS);
-}
-
-/* Call winbindd to convert SID to uid */
-
-BOOL winbind_sid_to_uid(uid_t *puid, const DOM_SID *sid)
-{
- struct winbindd_request request;
- struct winbindd_response response;
- int result;
- fstring sid_str;
-
- if (!puid)
- return False;
-
- /* Initialise request */
-
- ZERO_STRUCT(request);
- ZERO_STRUCT(response);
-
- sid_to_string(sid_str, sid);
- fstrcpy(request.data.sid, sid_str);
-
- /* Make request */
-
- result = winbindd_request(WINBINDD_SID_TO_UID, &request, &response);
-
- /* Copy out result */
-
- if (result == NSS_STATUS_SUCCESS) {
- *puid = response.data.uid;
- }
-
- return (result == NSS_STATUS_SUCCESS);
-}
-
-/* Call winbindd to convert uid to sid */
-
-BOOL winbind_uid_to_sid(DOM_SID *sid, uid_t uid)
-{
- struct winbindd_request request;
- struct winbindd_response response;
- int result;
-
- if (!sid)
- return False;
-
- /* Initialise request */
-
- ZERO_STRUCT(request);
- ZERO_STRUCT(response);
-
- request.data.uid = uid;
-
- /* Make request */
-
- result = winbindd_request(WINBINDD_UID_TO_SID, &request, &response);
-
- /* Copy out result */
-
- if (result == NSS_STATUS_SUCCESS) {
- if (!string_to_sid(sid, response.data.sid.sid))
- return False;
- } else {
- sid_copy(sid, &global_sid_NULL);
- }
-
- return (result == NSS_STATUS_SUCCESS);
-}
-
-/* Call winbindd to convert SID to gid */
-
-BOOL winbind_sid_to_gid(gid_t *pgid, const DOM_SID *sid)
-{
- struct winbindd_request request;
- struct winbindd_response response;
- int result;
- fstring sid_str;
-
- if (!pgid)
- return False;
-
- /* Initialise request */
-
- ZERO_STRUCT(request);
- ZERO_STRUCT(response);
-
- sid_to_string(sid_str, sid);
- fstrcpy(request.data.sid, sid_str);
-
- /* Make request */
-
- result = winbindd_request(WINBINDD_SID_TO_GID, &request, &response);
-
- /* Copy out result */
-
- if (result == NSS_STATUS_SUCCESS) {
- *pgid = response.data.gid;
- }
-
- return (result == NSS_STATUS_SUCCESS);
-}
-
-/* Call winbindd to convert gid to sid */
-
-BOOL winbind_gid_to_sid(DOM_SID *sid, gid_t gid)
-{
- struct winbindd_request request;
- struct winbindd_response response;
- int result;
-
- if (!sid)
- return False;
-
- /* Initialise request */
-
- ZERO_STRUCT(request);
- ZERO_STRUCT(response);
-
- request.data.gid = gid;
-
- /* Make request */
-
- result = winbindd_request(WINBINDD_GID_TO_SID, &request, &response);
-
- /* Copy out result */
-
- if (result == NSS_STATUS_SUCCESS) {
- if (!string_to_sid(sid, response.data.sid.sid))
- return False;
- } else {
- sid_copy(sid, &global_sid_NULL);
- }
-
- return (result == NSS_STATUS_SUCCESS);
-}
-
/* Fetch the list of groups a user is a member of from winbindd. This is
used by winbind_getgroups. */
+++ /dev/null
-dnl # PASSDB Server subsystem
-
-SMB_MODULE(passdb_smbpasswd,PASSDB,STATIC,[passdb/pdb_smbpasswd.o])
-SMB_MODULE(passdb_tdb,PASSDB,NOT,[passdb/pdb_tdb.o])
-SMB_MODULE(passdb_guest,PASSDB,STATIC,[passdb/pdb_guest.o])
-SMB_MODULE(passdb_unix,PASSDB,STATIC,[passdb/pdb_unix.o])
-
-if test x"$with_ldap_support" = x"yes"; then
- SMB_MODULE_DEFAULT(passdb_ldap,STATIC)
-fi
-SMB_MODULE(passdb_ldap,PASSDB,NOT,[passdb/pdb_ldap.o])
-
-SMB_SUBSYSTEM(PASSDB,passdb/pdb_interface.o,
- [passdb/passdb.o
- passdb/machine_sid.o
- passdb/util_sam_sid.o
- passdb/pdb_get_set.o
- passdb/pdb_compat.o])
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- Password and authentication handling
- Copyright (C) Jeremy Allison 1996-2002
- Copyright (C) Andrew Tridgell 2002
- Copyright (C) Gerald (Jerry) Carter 2000
- Copyright (C) Stefan (metze) Metzmacher 2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-/* NOTE! the global_sam_sid is the SID of our local SAM. This is only
- equal to the domain SID when we are a DC, otherwise its our
- workstation SID */
-static DOM_SID *global_sam_sid=NULL;
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_PASSDB
-
-/****************************************************************************
- Read a SID from a file. This is for compatibility with the old MACHINE.SID
- style of SID storage
-****************************************************************************/
-static BOOL read_sid_from_file(const char *fname, DOM_SID *sid)
-{
- char **lines;
- int numlines;
- BOOL ret;
-
- lines = file_lines_load(fname, &numlines);
-
- if (!lines || numlines < 1) {
- if (lines) file_lines_free(lines);
- return False;
- }
-
- ret = string_to_sid(sid, lines[0]);
- file_lines_free(lines);
- return ret;
-}
-
-/*
- generate a random sid - used to build our own sid if we don't have one
-*/
-static void generate_random_sid(DOM_SID *sid)
-{
- int i;
- uchar raw_sid_data[12];
-
- memset((char *)sid, '\0', sizeof(*sid));
- sid->sid_rev_num = 1;
- sid->id_auth[5] = 5;
- sid->num_auths = 0;
- sid->sub_auths[sid->num_auths++] = 21;
-
- generate_random_buffer(raw_sid_data, 12, True);
- for (i = 0; i < 3; i++)
- sid->sub_auths[sid->num_auths++] = IVAL(raw_sid_data, i*4);
-}
-
-/****************************************************************************
- Generate the global machine sid.
-****************************************************************************/
-
-static BOOL pdb_generate_sam_sid(void)
-{
- char *fname = NULL;
- BOOL is_dc = False;
-
- if(global_sam_sid==NULL)
- if(!(global_sam_sid=(DOM_SID *)malloc(sizeof(DOM_SID))))
- return False;
-
- generate_wellknown_sids();
-
- switch (lp_server_role()) {
- case ROLE_DOMAIN_PDC:
- case ROLE_DOMAIN_BDC:
- is_dc = True;
- break;
- default:
- is_dc = False;
- break;
- }
-
- if (secrets_fetch_domain_sid(lp_netbios_name(), global_sam_sid)) {
- DOM_SID domain_sid;
-
- /* We got our sid. If not a pdc/bdc, we're done. */
- if (!is_dc)
- return True;
-
- if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
-
- /* No domain sid and we're a pdc/bdc. Store it */
-
- if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
- DEBUG(0,("pdb_generate_sam_sid: Can't store domain SID as a pdc/bdc.\n"));
- return False;
- }
- return True;
- }
-
- if (!sid_equal(&domain_sid, global_sam_sid)) {
-
- /* Domain name sid doesn't match global sam sid. Re-store global sam sid as domain sid. */
-
- DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n"));
- if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
- DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID as a pdc/bdc.\n"));
- return False;
- }
- return True;
- }
-
- return True;
-
- }
-
- /* check for an old MACHINE.SID file for backwards compatibility */
- asprintf(&fname, "%s/MACHINE.SID", lp_private_dir());
-
- if (read_sid_from_file(fname, global_sam_sid)) {
- /* remember it for future reference and unlink the old MACHINE.SID */
- if (!secrets_store_domain_sid(lp_netbios_name(), global_sam_sid)) {
- DEBUG(0,("pdb_generate_sam_sid: Failed to store SID from file-1.\n"));
- SAFE_FREE(fname);
- return False;
- }
- unlink(fname);
- if (is_dc) {
- if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
- DEBUG(0,("pdb_generate_sam_sid: Failed to store domain SID from file-2.\n"));
- SAFE_FREE(fname);
- return False;
- }
- }
-
- /* Stored the old sid from MACHINE.SID successfully.*/
- SAFE_FREE(fname);
- return True;
- }
-
- SAFE_FREE(fname);
-
- /* we don't have the SID in secrets.tdb, we will need to
- generate one and save it */
- generate_random_sid(global_sam_sid);
-
- if (!secrets_store_domain_sid(lp_netbios_name(), global_sam_sid)) {
- DEBUG(0,("pdb_generate_sam_sid: Failed to store generated machine SID-3, nb name=%s.\n", lp_netbios_name()));
- return False;
- }
- if (is_dc) {
- if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
- DEBUG(0,("pdb_generate_sam_sid: Failed to store generated domain SID-4, wg name=%s.\n", lp_workgroup()));
- return False;
- }
- }
-
- return True;
-}
-
-/* return our global_sam_sid */
-struct sid_info *get_global_sam_sid(void)
-{
- if (global_sam_sid != NULL)
- return global_sam_sid;
-
- /* memory for global_sam_sid is allocated in
- pdb_generate_sam_sid() as needed */
-
- if (!pdb_generate_sam_sid())
- global_sam_sid=NULL;
-
- return global_sam_sid;
-}
-
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- Password and authentication handling
- Copyright (C) Jeremy Allison 1996-2001
- Copyright (C) Luke Kenneth Casson Leighton 1996-1998
- Copyright (C) Gerald (Jerry) Carter 2000-2001
- Copyright (C) Andrew Bartlett 2001-2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_PASSDB
-
-/*
- * This is set on startup - it defines the SID for this
- * machine, and therefore the SAM database for which it is
- * responsible.
- */
-
-/************************************************************
- Fill the SAM_ACCOUNT with default values.
- ***********************************************************/
-
-static void pdb_fill_default_sam(SAM_ACCOUNT *user)
-{
- ZERO_STRUCT(user->private); /* Don't touch the talloc context */
-
- /* no initial methods */
- user->methods = NULL;
-
- /* Don't change these timestamp settings without a good reason.
- They are important for NT member server compatibility. */
-
- user->private.uid = user->private.gid = -1;
-
- user->private.logon_time = (time_t)0;
- user->private.pass_last_set_time = (time_t)0;
- user->private.pass_can_change_time = (time_t)0;
- user->private.logoff_time =
- user->private.kickoff_time =
- user->private.pass_must_change_time = get_time_t_max();
- user->private.unknown_3 = 0x00ffffff; /* don't know */
- user->private.logon_divs = 168; /* hours per week */
- user->private.hours_len = 21; /* 21 times 8 bits = 168 */
- memset(user->private.hours, 0xff, user->private.hours_len); /* available at all hours */
- user->private.unknown_5 = 0x00000000; /* don't know */
- user->private.unknown_6 = 0x000004ec; /* don't know */
-
- /* Some parts of samba strlen their pdb_get...() returns,
- so this keeps the interface unchanged for now. */
-
- user->private.username = "";
- user->private.domain = "";
- user->private.nt_username = "";
- user->private.full_name = "";
- user->private.home_dir = "";
- user->private.logon_script = "";
- user->private.profile_path = "";
- user->private.acct_desc = "";
- user->private.workstations = "";
- user->private.unknown_str = "";
- user->private.munged_dial = "";
-
- user->private.plaintext_pw = NULL;
-
-}
-
-static void destroy_pdb_talloc(SAM_ACCOUNT **user)
-{
- if (*user) {
- data_blob_clear_free(&((*user)->private.lm_pw));
- data_blob_clear_free(&((*user)->private.nt_pw));
-
- if((*user)->private.plaintext_pw!=NULL)
- memset((*user)->private.plaintext_pw,'\0',strlen((*user)->private.plaintext_pw));
- talloc_destroy((*user)->mem_ctx);
- *user = NULL;
- }
-}
-
-
-/**********************************************************************
- Alloc memory and initialises a struct sam_passwd on supplied mem_ctx.
-***********************************************************************/
-
-NTSTATUS pdb_init_sam_talloc(TALLOC_CTX *mem_ctx, SAM_ACCOUNT **user)
-{
- if (*user != NULL) {
- DEBUG(0,("pdb_init_sam_talloc: SAM_ACCOUNT was non NULL\n"));
-#if 0
- smb_panic("non-NULL pointer passed to pdb_init_sam\n");
-#endif
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!mem_ctx) {
- DEBUG(0,("pdb_init_sam_talloc: mem_ctx was NULL!\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- *user=(SAM_ACCOUNT *)talloc(mem_ctx, sizeof(SAM_ACCOUNT));
-
- if (*user==NULL) {
- DEBUG(0,("pdb_init_sam_talloc: error while allocating memory\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- (*user)->mem_ctx = mem_ctx;
-
- (*user)->free_fn = NULL;
-
- pdb_fill_default_sam(*user);
-
- return NT_STATUS_OK;
-}
-
-
-/*************************************************************
- Alloc memory and initialises a struct sam_passwd.
- ************************************************************/
-
-NTSTATUS pdb_init_sam(SAM_ACCOUNT **user)
-{
- TALLOC_CTX *mem_ctx;
- NTSTATUS nt_status;
-
- mem_ctx = talloc_init("passdb internal SAM_ACCOUNT allocation");
-
- if (!mem_ctx) {
- DEBUG(0,("pdb_init_sam: error while doing talloc_init()\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_talloc(mem_ctx, user))) {
- talloc_destroy(mem_ctx);
- return nt_status;
- }
-
- (*user)->free_fn = destroy_pdb_talloc;
-
- return NT_STATUS_OK;
-}
-
-
-/*************************************************************
- Initialises a struct sam_passwd with sane values.
- ************************************************************/
-
-NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
-{
- const char *guest_account = lp_guestaccount();
- if (!(guest_account && *guest_account)) {
- DEBUG(1, ("NULL guest account!?!?\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!pwd) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- pdb_fill_default_sam(sam_account);
-
- pdb_set_username(sam_account, pwd->pw_name, PDB_SET);
- pdb_set_fullname(sam_account, pwd->pw_gecos, PDB_SET);
-
- pdb_set_unix_homedir(sam_account, pwd->pw_dir, PDB_SET);
-
- pdb_set_domain (sam_account, lp_workgroup(), PDB_DEFAULT);
-
- pdb_set_uid(sam_account, pwd->pw_uid, PDB_SET);
- pdb_set_gid(sam_account, pwd->pw_gid, PDB_SET);
-
- /* When we get a proper uid -> SID and SID -> uid allocation
- mechinism, we should call it here.
-
- We can't just set this to 0 or allow it only to be filled
- in when added to the backend, becouse the user's SID
- may already be in security descriptors etc.
-
- -- abartlet 11-May-02
- */
-
-
- /* Ensure this *must* be set right */
- if (strcmp(pwd->pw_name, guest_account) == 0) {
- if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
- if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
- } else {
-
- if (!pdb_set_user_sid_from_rid(sam_account,
- fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) {
- DEBUG(0,("Can't set User SID from RID!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) {
- DEBUG(0,("Can't set Group SID\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
- }
-
- /* check if this is a user account or a machine account */
- if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$')
- {
- pdb_set_profile_path(sam_account,
- talloc_sub_specified((sam_account)->mem_ctx,
- lp_logon_path(),
- pwd->pw_name, lp_netbios_name(),
- pwd->pw_uid, pwd->pw_gid),
- PDB_DEFAULT);
-
- pdb_set_homedir(sam_account,
- talloc_sub_specified((sam_account)->mem_ctx,
- lp_logon_home(),
- pwd->pw_name, lp_netbios_name(),
- pwd->pw_uid, pwd->pw_gid),
- PDB_DEFAULT);
-
- pdb_set_dir_drive(sam_account,
- talloc_sub_specified((sam_account)->mem_ctx,
- lp_logon_drive(),
- pwd->pw_name, lp_netbios_name(),
- pwd->pw_uid, pwd->pw_gid),
- PDB_DEFAULT);
-
- pdb_set_logon_script(sam_account,
- talloc_sub_specified((sam_account)->mem_ctx,
- lp_logon_script(),
- pwd->pw_name, lp_netbios_name(),
- pwd->pw_uid, pwd->pw_gid),
- PDB_DEFAULT);
- if (!pdb_set_acct_ctrl(sam_account, ACB_NORMAL, PDB_DEFAULT)) {
- DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n", pwd->pw_name));
- return NT_STATUS_UNSUCCESSFUL;
- }
- } else {
- if (!pdb_set_acct_ctrl(sam_account, ACB_WSTRUST, PDB_DEFAULT)) {
- DEBUG(1, ("Failed to set 'trusted workstation account' flags for user %s.\n", pwd->pw_name));
- return NT_STATUS_UNSUCCESSFUL;
- }
- }
- return NT_STATUS_OK;
-}
-
-
-/*************************************************************
- Initialises a struct sam_passwd with sane values.
- ************************************************************/
-
-NTSTATUS pdb_init_sam_pw(SAM_ACCOUNT **new_sam_acct, const struct passwd *pwd)
-{
- NTSTATUS nt_status;
-
- if (!pwd) {
- new_sam_acct = NULL;
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(new_sam_acct))) {
- new_sam_acct = NULL;
- return nt_status;
- }
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*new_sam_acct, pwd))) {
- pdb_free_sam(new_sam_acct);
- new_sam_acct = NULL;
- return nt_status;
- }
-
- return NT_STATUS_OK;
-}
-
-
-/**
- * Free the contets of the SAM_ACCOUNT, but not the structure.
- *
- * Also wipes the LM and NT hashes and plaintext password from
- * memory.
- *
- * @param user SAM_ACCOUNT to free members of.
- **/
-
-static void pdb_free_sam_contents(SAM_ACCOUNT *user)
-{
-
- /* Kill off sensitive data. Free()ed by the
- talloc mechinism */
-
- data_blob_clear_free(&(user->private.lm_pw));
- data_blob_clear_free(&(user->private.nt_pw));
- if (user->private.plaintext_pw!=NULL)
- memset(user->private.plaintext_pw,'\0',strlen(user->private.plaintext_pw));
-}
-
-
-/************************************************************
- Reset the SAM_ACCOUNT and free the NT/LM hashes.
- ***********************************************************/
-
-NTSTATUS pdb_reset_sam(SAM_ACCOUNT *user)
-{
- if (user == NULL) {
- DEBUG(0,("pdb_reset_sam: SAM_ACCOUNT was NULL\n"));
-#if 0
- smb_panic("NULL pointer passed to pdb_free_sam\n");
-#endif
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- pdb_free_sam_contents(user);
-
- pdb_fill_default_sam(user);
-
- return NT_STATUS_OK;
-}
-
-
-/************************************************************
- Free the SAM_ACCOUNT and the member pointers.
- ***********************************************************/
-
-NTSTATUS pdb_free_sam(SAM_ACCOUNT **user)
-{
- if (*user == NULL) {
- DEBUG(0,("pdb_free_sam: SAM_ACCOUNT was NULL\n"));
-#if 0
- smb_panic("NULL pointer passed to pdb_free_sam\n");
-#endif
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- pdb_free_sam_contents(*user);
-
- if ((*user)->free_fn) {
- (*user)->free_fn(user);
- }
-
- return NT_STATUS_OK;
-}
-
-
-/**********************************************************
- Encode the account control bits into a string.
- length = length of string to encode into (including terminating
- null). length *MUST BE MORE THAN 2* !
- **********************************************************/
-
-char *pdb_encode_acct_ctrl(uint16 acct_ctrl, size_t length)
-{
- static fstring acct_str;
- size_t i = 0;
-
- acct_str[i++] = '[';
-
- if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
- if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
- if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
- if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
- if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
- if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
- if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
- if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
- if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
- if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
- if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
-
- for ( ; i < length - 2 ; i++ )
- acct_str[i] = ' ';
-
- i = length - 2;
- acct_str[i++] = ']';
- acct_str[i++] = '\0';
-
- return acct_str;
-}
-
-/**********************************************************
- Decode the account control bits from a string.
- **********************************************************/
-
-uint16 pdb_decode_acct_ctrl(const char *p)
-{
- uint16 acct_ctrl = 0;
- BOOL finished = False;
-
- /*
- * Check if the account type bits have been encoded after the
- * NT password (in the form [NDHTUWSLXI]).
- */
-
- if (*p != '[')
- return 0;
-
- for (p++; *p && !finished; p++) {
- switch (*p) {
- case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
- case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
- case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
- case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
- case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
- case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
- case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
- case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
- case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
- case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
- case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
- case ' ': { break; }
- case ':':
- case '\n':
- case '\0':
- case ']':
- default: { finished = True; }
- }
- }
-
- return acct_ctrl;
-}
-
-/*************************************************************
- Routine to set 32 hex password characters from a 16 byte array.
-**************************************************************/
-
-void pdb_sethexpwd(char *p, const unsigned char *pwd, uint16 acct_ctrl)
-{
- if (pwd != NULL) {
- int i;
- for (i = 0; i < 16; i++)
- slprintf(&p[i*2], 3, "%02X", pwd[i]);
- } else {
- if (acct_ctrl & ACB_PWNOTREQ)
- safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
- else
- safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
- }
-}
-
-/*************************************************************
- Routine to get the 32 hex characters and turn them
- into a 16 byte array.
-**************************************************************/
-
-BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
-{
- int i;
- unsigned char lonybble, hinybble;
- const char *hexchars = "0123456789ABCDEF";
- char *p1, *p2;
-
- if (!p)
- return (False);
-
- for (i = 0; i < 32; i += 2) {
- hinybble = toupper(p[i]);
- lonybble = toupper(p[i + 1]);
-
- p1 = strchr(hexchars, hinybble);
- p2 = strchr(hexchars, lonybble);
-
- if (!p1 || !p2)
- return (False);
-
- hinybble = PTR_DIFF(p1, hexchars);
- lonybble = PTR_DIFF(p2, hexchars);
-
- pwd[i / 2] = (hinybble << 4) | lonybble;
- }
- return (True);
-}
-
-/*******************************************************************
- Converts NT user RID to a UNIX uid.
- ********************************************************************/
-
-static int algorithmic_rid_base(void)
-{
- static int rid_offset = 0;
-
- if (rid_offset != 0)
- return rid_offset;
-
- rid_offset = lp_algorithmic_rid_base();
-
- if (rid_offset < BASE_RID) {
- /* Try to prevent admin foot-shooting, we can't put algorithmic
- rids below 1000, that's the 'well known RIDs' on NT */
- DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
- rid_offset = BASE_RID;
- }
- if (rid_offset & 1) {
- DEBUG(0, ("algorithmic rid base must be even\n"));
- rid_offset += 1;
- }
- return rid_offset;
-}
-
-
-uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid)
-{
- int rid_offset = algorithmic_rid_base();
- return (uid_t)(((user_rid & (~USER_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
-}
-
-
-/*******************************************************************
- converts UNIX uid to an NT User RID.
- ********************************************************************/
-
-uint32 fallback_pdb_uid_to_user_rid(uid_t uid)
-{
- int rid_offset = algorithmic_rid_base();
- return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
-}
-
-/*******************************************************************
- Converts NT group RID to a UNIX gid.
- ********************************************************************/
-
-gid_t pdb_group_rid_to_gid(uint32 group_rid)
-{
- int rid_offset = algorithmic_rid_base();
- return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
-}
-
-/*******************************************************************
- converts NT Group RID to a UNIX uid.
-
- warning: you must not call that function only
- you must do a call to the group mapping first.
- there is not anymore a direct link between the gid and the rid.
- ********************************************************************/
-
-uint32 pdb_gid_to_group_rid(gid_t gid)
-{
- int rid_offset = algorithmic_rid_base();
- return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
-}
-
-/*******************************************************************
- Decides if a RID is a well known RID.
- ********************************************************************/
-
-static BOOL pdb_rid_is_well_known(uint32 rid)
-{
- /* Not using rid_offset here, becouse this is the actual
- NT fixed value (1000) */
-
- return (rid < BASE_RID);
-}
-
-/*******************************************************************
- Decides if a RID is a user or group RID.
- ********************************************************************/
-
-BOOL pdb_rid_is_user(uint32 rid)
-{
- /* lkcl i understand that NT attaches an enumeration to a RID
- * such that it can be identified as either a user, group etc
- * type. there are 5 such categories, and they are documented.
- */
- /* However, they are not in the RID, just somthing you can query
- seperatly. Sorry luke :-) */
-
- if(pdb_rid_is_well_known(rid)) {
- /*
- * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
- * and DOMAIN_USER_RID_GUEST.
- */
- if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
- return True;
- } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
- return True;
- }
- return False;
-}
-
-/*******************************************************************
- Convert a rid into a name. Used in the lookup SID rpc.
- ********************************************************************/
-
-BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use)
-{
- uint32 rid;
- SAM_ACCOUNT *sam_account = NULL;
- TALLOC_CTX *mem_ctx;
-
- mem_ctx = talloc_init("local_lookup_sid");
- if (!mem_ctx) {
- DEBUG(0,("local_sid_to_gid: No memory\n"));
- return False;
- }
- if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)){
- return False;
- }
- talloc_destroy(mem_ctx);
- *psid_name_use = SID_NAME_UNKNOWN;
-
- DEBUG(5,("local_lookup_sid: looking up RID %u.\n", (unsigned int)rid));
-
- if (rid == DOMAIN_USER_RID_ADMIN) {
- const char **admin_list = lp_admin_users(-1);
- *psid_name_use = SID_NAME_USER;
- if (admin_list) {
- const char *p = *admin_list;
- if(!next_token(&p, name, NULL, sizeof(fstring)))
- fstrcpy(name, "Administrator");
- } else {
- fstrcpy(name, "Administrator");
- }
- return True;
- }
-
- /*
- * Don't try to convert the rid to a name if
- * running in appliance mode
- */
-
- if (lp_hide_local_users())
- return False;
-
- if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
- return False;
- }
-
- /* This now does the 'generic' mapping in pdb_unix */
- /* 'guest' is also handled there */
- if (pdb_getsampwsid(sam_account, sid)) {
- fstrcpy(name, pdb_get_username(sam_account));
- *psid_name_use = SID_NAME_USER;
-
- pdb_free_sam(&sam_account);
-
- return True;
- }
-
- pdb_free_sam(&sam_account);
-
- if (pdb_rid_is_user(rid)) {
- uid_t uid;
-
- DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid));
-
- uid = fallback_pdb_user_rid_to_uid(rid);
- slprintf(name, sizeof(fstring)-1, "unix_user.%u", (unsigned int)uid);
-
- return False; /* Indicates that this user was 'not mapped' */
- } else {
- gid_t gid;
- struct group *gr;
-
- DEBUG(5, ("assuming RID %u is a group\n", (unsigned)rid));
-
- gid = pdb_group_rid_to_gid(rid);
- gr = getgrgid(gid);
-
- *psid_name_use = SID_NAME_ALIAS;
-
- DEBUG(5,("local_lookup_sid: looking up gid %u %s\n", (unsigned int)gid,
- gr ? "succeeded" : "failed" ));
-
- if(!gr) {
- slprintf(name, sizeof(fstring)-1, "unix_group.%u", (unsigned int)gid);
- return False; /* Indicates that this group was 'not mapped' */
- }
-
- fstrcpy( name, gr->gr_name);
-
- DEBUG(5,("local_lookup_sid: found group %s for rid %u\n", name,
- (unsigned int)rid ));
- return True;
- }
-}
-
-/*******************************************************************
- Convert a name into a SID. Used in the lookup name rpc.
- ********************************************************************/
-
-BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psid_name_use)
-{
- extern DOM_SID global_sid_World_Domain;
- DOM_SID local_sid;
- fstring user;
- SAM_ACCOUNT *sam_account = NULL;
- struct group *grp;
-
- *psid_name_use = SID_NAME_UNKNOWN;
-
- /*
- * user may be quoted a const string, and map_username and
- * friends can modify it. Make a modifiable copy. JRA.
- */
-
- fstrcpy(user, c_user);
-
- sid_copy(&local_sid, get_global_sam_sid());
-
- /*
- * Special case for MACHINE\Everyone. Map to the world_sid.
- */
-
- if(strequal(user, "Everyone")) {
- sid_copy( psid, &global_sid_World_Domain);
- sid_append_rid(psid, 0);
- *psid_name_use = SID_NAME_ALIAS;
- return True;
- }
-
- /*
- * Don't lookup local unix users if running in appliance mode
- */
- if (lp_hide_local_users())
- return False;
-
- if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
- return False;
- }
-
- if (pdb_getsampwnam(sam_account, user)) {
- sid_copy(psid, pdb_get_user_sid(sam_account));
- *psid_name_use = SID_NAME_USER;
-
- pdb_free_sam(&sam_account);
- return True;
- }
-
- pdb_free_sam(&sam_account);
-
- /*
- * Maybe it was a group ?
- */
-
- {
- /* it's not a mapped group */
- grp = getgrnam(user);
- if(!grp)
- return False;
-
- /*
- *check if it's mapped, if it is reply it doesn't exist
- *
- * that's to prevent this case:
- *
- * unix group ug is mapped to nt group ng
- * someone does a lookup on ug
- * we must not reply as it doesn't "exist" anymore
- * for NT. For NT only ng exists.
- * JFM, 30/11/2001
- */
-
- sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
- *psid_name_use = SID_NAME_ALIAS;
- }
-
- sid_copy( psid, &local_sid);
-
- return True;
-}
-
-
-/*************************************************************
- Change a password entry in the local smbpasswd file.
-
-It is currently being called by SWAT and by smbpasswd.
-
- --jerry
- *************************************************************/
-
-BOOL local_password_change(const char *user_name, int local_flags,
- const char *new_passwd,
- char *err_str, size_t err_str_len,
- char *msg_str, size_t msg_str_len)
-{
- struct passwd *pwd = NULL;
- SAM_ACCOUNT *sam_pass=NULL;
- uint16 other_acb;
-
- *err_str = '\0';
- *msg_str = '\0';
-
- /* Get the smb passwd entry for this user */
- pdb_init_sam(&sam_pass);
- if(!pdb_getsampwnam(sam_pass, user_name)) {
- pdb_free_sam(&sam_pass);
-
- if (local_flags & LOCAL_ADD_USER) {
- pwd = getpwnam_alloc(user_name);
- } else if (local_flags & LOCAL_DELETE_USER) {
- /* Might not exist in /etc/passwd */
- } else {
- slprintf(err_str, err_str_len-1,"Failed to find entry for user %s.\n", user_name);
- return False;
- }
-
- if (pwd) {
- /* Local user found, so init from this */
- if (!NT_STATUS_IS_OK(pdb_init_sam_pw(&sam_pass, pwd))){
- slprintf(err_str, err_str_len-1, "Failed initialise SAM_ACCOUNT for user %s.\n", user_name);
- passwd_free(&pwd);
- return False;
- }
-
- passwd_free(&pwd);
- } else {
- if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_pass))){
- slprintf(err_str, err_str_len-1, "Failed initialise SAM_ACCOUNT for user %s.\n", user_name);
- return False;
- }
-
- if (!pdb_set_username(sam_pass, user_name, PDB_CHANGED)) {
- slprintf(err_str, err_str_len - 1, "Failed to set username for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
- }
- } else {
- /* the entry already existed */
- local_flags &= ~LOCAL_ADD_USER;
- }
-
- /* the 'other' acb bits not being changed here */
- other_acb = (pdb_get_acct_ctrl(sam_pass) & (!(ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL)));
- if (local_flags & LOCAL_TRUST_ACCOUNT) {
- if (!pdb_set_acct_ctrl(sam_pass, ACB_WSTRUST | other_acb, PDB_CHANGED) ) {
- slprintf(err_str, err_str_len - 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
- } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
- if (!pdb_set_acct_ctrl(sam_pass, ACB_DOMTRUST | other_acb, PDB_CHANGED)) {
- slprintf(err_str, err_str_len - 1, "Failed to set 'domain trust account' flags for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
- } else {
- if (!pdb_set_acct_ctrl(sam_pass, ACB_NORMAL | other_acb, PDB_CHANGED)) {
- slprintf(err_str, err_str_len - 1, "Failed to set 'normal account' flags for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
- }
-
- /*
- * We are root - just write the new password
- * and the valid last change time.
- */
-
- if (local_flags & LOCAL_DISABLE_USER) {
- if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_DISABLED, PDB_CHANGED)) {
- slprintf(err_str, err_str_len-1, "Failed to set 'disabled' flag for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
- } else if (local_flags & LOCAL_ENABLE_USER) {
- if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
- slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
- }
-
- if (local_flags & LOCAL_SET_NO_PASSWORD) {
- if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_PWNOTREQ, PDB_CHANGED)) {
- slprintf(err_str, err_str_len-1, "Failed to set 'no password required' flag for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
- } else if (local_flags & LOCAL_SET_PASSWORD) {
- /*
- * If we're dealing with setting a completely empty user account
- * ie. One with a password of 'XXXX', but not set disabled (like
- * an account created from scratch) then if the old password was
- * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
- * We remove that as we're giving this user their first password
- * and the decision hasn't really been made to disable them (ie.
- * don't create them disabled). JRA.
- */
- if ((pdb_get_lanman_passwd(sam_pass)==NULL) && (pdb_get_acct_ctrl(sam_pass)&ACB_DISABLED)) {
- if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
- slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
- }
- if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_PWNOTREQ), PDB_CHANGED)) {
- slprintf(err_str, err_str_len-1, "Failed to unset 'no password required' flag for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
-
- if (!pdb_set_plaintext_passwd (sam_pass, new_passwd)) {
- slprintf(err_str, err_str_len-1, "Failed to set password for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
- }
-
- if (local_flags & LOCAL_ADD_USER) {
- if (pdb_add_sam_account(sam_pass)) {
- slprintf(msg_str, msg_str_len-1, "Added user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return True;
- } else {
- slprintf(err_str, err_str_len-1, "Failed to add entry for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
- } else if (local_flags & LOCAL_DELETE_USER) {
- if (!pdb_delete_sam_account(sam_pass)) {
- slprintf(err_str,err_str_len-1, "Failed to delete entry for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
- slprintf(msg_str, msg_str_len-1, "Deleted user %s.\n", user_name);
- } else {
- if(!pdb_update_sam_account(sam_pass)) {
- slprintf(err_str, err_str_len-1, "Failed to modify entry for user %s.\n", user_name);
- pdb_free_sam(&sam_pass);
- return False;
- }
- if(local_flags & LOCAL_DISABLE_USER)
- slprintf(msg_str, msg_str_len-1, "Disabled user %s.\n", user_name);
- else if (local_flags & LOCAL_ENABLE_USER)
- slprintf(msg_str, msg_str_len-1, "Enabled user %s.\n", user_name);
- else if (local_flags & LOCAL_SET_NO_PASSWORD)
- slprintf(msg_str, msg_str_len-1, "User %s password set to none.\n", user_name);
- }
-
- pdb_free_sam(&sam_pass);
- return True;
-}
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- passdb structures and parameters
- Copyright (C) Gerald Carter 2001
- Copyright (C) Luke Kenneth Casson Leighton 1998 - 2000
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#ifndef _SAMBA_PASSDB_H
-#define _SAMBA_PASSDB_H
-
-/*
- * This next constant specifies the version number of the PASSDB interface
- * this SAMBA will load. Increment this with a comment if *ANY* changes are made
- * to the interface and maybe update struct auth_critical_sizes
- */
-/* version 2 - init versioning of the interface - metze */
-/* version 3 - value states of SAM_ACCOUNT entries - metze */
-/* version 4 - add group mapping api - vlendec */
-#define PASSDB_INTERFACE_VERSION 4
-
-typedef struct pdb_context
-{
- struct pdb_methods *pdb_methods;
- struct pdb_methods *pwent_methods;
-
- /* These functions are wrappers for the functions listed above.
- They may do extra things like re-reading a SAM_ACCOUNT on update */
-
- NTSTATUS (*pdb_setsampwent)(struct pdb_context *, BOOL update);
-
- void (*pdb_endsampwent)(struct pdb_context *);
-
- NTSTATUS (*pdb_getsampwent)(struct pdb_context *, SAM_ACCOUNT *user);
-
- NTSTATUS (*pdb_getsampwnam)(struct pdb_context *, SAM_ACCOUNT *sam_acct, const char *username);
-
- NTSTATUS (*pdb_getsampwsid)(struct pdb_context *, SAM_ACCOUNT *sam_acct, const DOM_SID *sid);
-
- NTSTATUS (*pdb_add_sam_account)(struct pdb_context *, SAM_ACCOUNT *sampass);
-
- NTSTATUS (*pdb_update_sam_account)(struct pdb_context *, SAM_ACCOUNT *sampass);
-
- NTSTATUS (*pdb_delete_sam_account)(struct pdb_context *, SAM_ACCOUNT *username);
-
- NTSTATUS (*pdb_delete_group_mapping_entry)(struct pdb_context *context,
- DOM_SID sid);
-
- void (*free_fn)(struct pdb_context **);
-
- TALLOC_CTX *mem_ctx;
-
-} PDB_CONTEXT;
-
-typedef struct pdb_methods
-{
- const char *name; /* What name got this module */
- struct pdb_context *parent;
-
- /* Use macros from dlinklist.h on these two */
- struct pdb_methods *next;
- struct pdb_methods *prev;
-
- NTSTATUS (*setsampwent)(struct pdb_methods *, BOOL update);
-
- void (*endsampwent)(struct pdb_methods *);
-
- NTSTATUS (*getsampwent)(struct pdb_methods *, SAM_ACCOUNT *user);
-
- NTSTATUS (*getsampwnam)(struct pdb_methods *, SAM_ACCOUNT *sam_acct, const char *username);
-
- NTSTATUS (*getsampwsid)(struct pdb_methods *, SAM_ACCOUNT *sam_acct, const DOM_SID *Sid);
-
- NTSTATUS (*add_sam_account)(struct pdb_methods *, SAM_ACCOUNT *sampass);
-
- NTSTATUS (*update_sam_account)(struct pdb_methods *, SAM_ACCOUNT *sampass);
-
- NTSTATUS (*delete_sam_account)(struct pdb_methods *, SAM_ACCOUNT *username);
-
- NTSTATUS (*delete_group_mapping_entry)(struct pdb_methods *methods,
- DOM_SID sid);
-
- void *private_data; /* Private data of some kind */
-
- void (*free_private_data)(void **);
-
-} PDB_METHODS;
-
-struct passdb_ops {
- /* the name of the backend */
- const char *name;
-
- /* Function to create a member of the pdb_methods list */
- NTSTATUS (*init)(struct pdb_context *, struct pdb_methods **, const char *);
-};
-
-/* this structure is used by modules to determine the size of some critical types */
-struct passdb_critical_sizes {
- int interface_version;
- int sizeof_passdb_ops;
- int sizeof_pdb_methods;
- int sizeof_pdb_context;
- int sizeof_SAM_ACCOUNT;
-};
-
-#endif /* _SAMBA_PASSDB_H */
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- SAM_ACCOUNT access routines
- Copyright (C) Jeremy Allison 1996-2001
- Copyright (C) Luke Kenneth Casson Leighton 1996-1998
- Copyright (C) Gerald (Jerry) Carter 2000-2001
- Copyright (C) Andrew Bartlett 2001-2002
- Copyright (C) Stefan (metze) Metzmacher 2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_PASSDB
-
-uint32 pdb_get_user_rid (const SAM_ACCOUNT *sampass)
-{
- uint32 u_rid;
-
- if (sampass)
- if (sid_peek_check_rid(get_global_sam_sid(), pdb_get_user_sid(sampass),&u_rid))
- return u_rid;
-
- return (0);
-}
-
-uint32 pdb_get_group_rid (const SAM_ACCOUNT *sampass)
-{
- uint32 g_rid;
-
- if (sampass)
- if (sid_peek_check_rid(get_global_sam_sid(), pdb_get_group_sid(sampass),&g_rid))
- return g_rid;
- return (0);
-}
-
-BOOL pdb_set_user_sid_from_rid (SAM_ACCOUNT *sampass, uint32 rid, enum pdb_value_state flag)
-{
- DOM_SID u_sid;
- const DOM_SID *global_sam_sid;
- TALLOC_CTX *mem_ctx;
-
- if (!sampass)
- return False;
-
- if (!(global_sam_sid = get_global_sam_sid())) {
- DEBUG(1, ("pdb_set_user_sid_from_rid: Could not read global sam sid!\n"));
- return False;
- }
-
- sid_copy(&u_sid, global_sam_sid);
-
- if (!sid_append_rid(&u_sid, rid))
- return False;
-
- if (!pdb_set_user_sid(sampass, &u_sid, flag))
- return False;
- mem_ctx = talloc_init("pdb_set_user_sid_from_rid");
- if (!mem_ctx) {
- DEBUG(1, ("pdb_set_user_sid_from_rid: No memory\n"));
- return False;
- }
- DEBUG(10, ("pdb_set_user_sid_from_rid:\n\tsetting user sid %s from rid %d\n",
- sid_string_talloc(mem_ctx, &u_sid),rid));
- talloc_destroy(mem_ctx);
- return True;
-}
-
-BOOL pdb_set_group_sid_from_rid (SAM_ACCOUNT *sampass, uint32 grid, enum pdb_value_state flag)
-{
- DOM_SID g_sid;
- const DOM_SID *global_sam_sid;
- TALLOC_CTX *mem_ctx;
-
- if (!sampass)
- return False;
-
- if (!(global_sam_sid = get_global_sam_sid())) {
- DEBUG(1, ("pdb_set_user_sid_from_rid: Could not read global sam sid!\n"));
- return False;
- }
-
- sid_copy(&g_sid, global_sam_sid);
-
- if (!sid_append_rid(&g_sid, grid))
- return False;
-
- if (!pdb_set_group_sid(sampass, &g_sid, flag))
- return False;
-
- mem_ctx = talloc_init("pdb_set_user_sid_from_rid");
- if (!mem_ctx) {
- DEBUG(1, ("pdb_set_user_sid_from_rid: No memory\n"));
- return False;
- }
- DEBUG(10, ("pdb_set_group_sid_from_rid:\n\tsetting group sid %s from rid %d\n",
- sid_string_talloc(mem_ctx, &g_sid), grid));
- talloc_destroy(mem_ctx);
- return True;
-}
-
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- SAM_ACCOUNT access routines
- Copyright (C) Jeremy Allison 1996-2001
- Copyright (C) Luke Kenneth Casson Leighton 1996-1998
- Copyright (C) Gerald (Jerry) Carter 2000-2001
- Copyright (C) Andrew Bartlett 2001-2002
- Copyright (C) Stefan (metze) Metzmacher 2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_PASSDB
-
-/**
- * @todo Redefine this to NULL, but this changes the API becouse
- * much of samba assumes that the pdb_get...() funtions
- * return pstrings. (ie not null-pointers).
- * See also pdb_fill_default_sam().
- */
-
-#define PDB_NOT_QUITE_NULL ""
-
-/*********************************************************************
- Collection of get...() functions for SAM_ACCOUNT.
- ********************************************************************/
-
-uint16 pdb_get_acct_ctrl (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.acct_ctrl);
- else
- return (ACB_DISABLED);
-}
-
-time_t pdb_get_logon_time (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.logon_time);
- else
- return (0);
-}
-
-time_t pdb_get_logoff_time (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.logoff_time);
- else
- return (-1);
-}
-
-time_t pdb_get_kickoff_time (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.kickoff_time);
- else
- return (-1);
-}
-
-time_t pdb_get_pass_last_set_time (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.pass_last_set_time);
- else
- return (-1);
-}
-
-time_t pdb_get_pass_can_change_time (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.pass_can_change_time);
- else
- return (-1);
-}
-
-time_t pdb_get_pass_must_change_time (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.pass_must_change_time);
- else
- return (-1);
-}
-
-uint16 pdb_get_logon_divs (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.logon_divs);
- else
- return (-1);
-}
-
-uint32 pdb_get_hours_len (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.hours_len);
- else
- return (-1);
-}
-
-const uint8* pdb_get_hours (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.hours);
- else
- return (NULL);
-}
-
-const uint8* pdb_get_nt_passwd (const SAM_ACCOUNT *sampass)
-{
- if (sampass) {
- SMB_ASSERT((!sampass->private.nt_pw.data)
- || sampass->private.nt_pw.length == NT_HASH_LEN);
- return ((uint8*)sampass->private.nt_pw.data);
- }
- else
- return (NULL);
-}
-
-const uint8* pdb_get_lanman_passwd (const SAM_ACCOUNT *sampass)
-{
- if (sampass) {
- SMB_ASSERT((!sampass->private.lm_pw.data)
- || sampass->private.lm_pw.length == LM_HASH_LEN);
- return ((uint8*)sampass->private.lm_pw.data);
- }
- else
- return (NULL);
-}
-
-/* Return the plaintext password if known. Most of the time
- it isn't, so don't assume anything magic about this function.
-
- Used to pass the plaintext to passdb backends that might
- want to store more than just the NTLM hashes.
-*/
-const char* pdb_get_plaintext_passwd (const SAM_ACCOUNT *sampass)
-{
- if (sampass) {
- return (sampass->private.plaintext_pw);
- }
- else
- return (NULL);
-}
-const DOM_SID *pdb_get_user_sid(const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return &sampass->private.user_sid;
- else
- return (NULL);
-}
-
-const DOM_SID *pdb_get_group_sid(const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return &sampass->private.group_sid;
- else
- return (NULL);
-}
-
-/**
- * Get flags showing what is initalised in the SAM_ACCOUNT
- * @param sampass the SAM_ACCOUNT in question
- * @return the flags indicating the members initialised in the struct.
- **/
-
-enum pdb_value_state pdb_get_init_flags (const SAM_ACCOUNT *sampass, enum pdb_elements element)
-{
- enum pdb_value_state ret = PDB_DEFAULT;
-
- if (!sampass || !sampass->private.change_flags || !sampass->private.set_flags)
- return ret;
-
- if (bitmap_query(sampass->private.set_flags, element)) {
- DEBUG(10, ("element %d: SET\n", element));
- ret = PDB_SET;
- }
-
- if (bitmap_query(sampass->private.change_flags, element)) {
- DEBUG(10, ("element %d: CHANGED\n", element));
- ret = PDB_CHANGED;
- }
-
- if (ret == PDB_DEFAULT) {
- DEBUG(10, ("element %d: DEFAULT\n", element));
- }
-
- return ret;
-}
-
-uid_t pdb_get_uid (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.uid);
- else
- return (-1);
-}
-
-gid_t pdb_get_gid (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.gid);
- else
- return (-1);
-}
-
-const char* pdb_get_username (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.username);
- else
- return (NULL);
-}
-
-const char* pdb_get_domain (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.domain);
- else
- return (NULL);
-}
-
-const char* pdb_get_nt_username (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.nt_username);
- else
- return (NULL);
-}
-
-const char* pdb_get_fullname (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.full_name);
- else
- return (NULL);
-}
-
-const char* pdb_get_homedir (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.home_dir);
- else
- return (NULL);
-}
-
-const char* pdb_get_unix_homedir (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.unix_home_dir);
- else
- return (NULL);
-}
-
-const char* pdb_get_dir_drive (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.dir_drive);
- else
- return (NULL);
-}
-
-const char* pdb_get_logon_script (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.logon_script);
- else
- return (NULL);
-}
-
-const char* pdb_get_profile_path (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.profile_path);
- else
- return (NULL);
-}
-
-const char* pdb_get_acct_desc (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.acct_desc);
- else
- return (NULL);
-}
-
-const char* pdb_get_workstations (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.workstations);
- else
- return (NULL);
-}
-
-const char* pdb_get_unknown_str (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.unknown_str);
- else
- return (NULL);
-}
-
-const char* pdb_get_munged_dial (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.munged_dial);
- else
- return (NULL);
-}
-
-uint32 pdb_get_unknown_3 (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.unknown_3);
- else
- return (-1);
-}
-
-uint32 pdb_get_unknown_5 (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.unknown_5);
- else
- return (-1);
-}
-
-uint32 pdb_get_unknown_6 (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.unknown_6);
- else
- return (-1);
-}
-
-/*********************************************************************
- Collection of set...() functions for SAM_ACCOUNT.
- ********************************************************************/
-
-BOOL pdb_set_acct_ctrl (SAM_ACCOUNT *sampass, uint16 acct_ctrl, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- sampass->private.acct_ctrl = acct_ctrl;
-
- return pdb_set_init_flags(sampass, PDB_ACCTCTRL, flag);
-}
-
-BOOL pdb_set_logon_time (SAM_ACCOUNT *sampass, time_t mytime, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- sampass->private.logon_time = mytime;
-
- return pdb_set_init_flags(sampass, PDB_LOGONTIME, flag);
-}
-
-BOOL pdb_set_logoff_time (SAM_ACCOUNT *sampass, time_t mytime, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- sampass->private.logoff_time = mytime;
-
- return pdb_set_init_flags(sampass, PDB_LOGOFFTIME, flag);
-}
-
-BOOL pdb_set_kickoff_time (SAM_ACCOUNT *sampass, time_t mytime, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- sampass->private.kickoff_time = mytime;
-
- return pdb_set_init_flags(sampass, PDB_KICKOFFTIME, flag);
-}
-
-BOOL pdb_set_pass_can_change_time (SAM_ACCOUNT *sampass, time_t mytime, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- sampass->private.pass_can_change_time = mytime;
-
- return pdb_set_init_flags(sampass, PDB_CANCHANGETIME, flag);
-}
-
-BOOL pdb_set_pass_must_change_time (SAM_ACCOUNT *sampass, time_t mytime, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- sampass->private.pass_must_change_time = mytime;
-
- return pdb_set_init_flags(sampass, PDB_MUSTCHANGETIME, flag);
-}
-
-BOOL pdb_set_pass_last_set_time (SAM_ACCOUNT *sampass, time_t mytime, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- sampass->private.pass_last_set_time = mytime;
-
- return pdb_set_init_flags(sampass, PDB_PASSLASTSET, flag);
-}
-
-BOOL pdb_set_hours_len (SAM_ACCOUNT *sampass, uint32 len, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- sampass->private.hours_len = len;
-
- return pdb_set_init_flags(sampass, PDB_HOURSLEN, flag);
-}
-
-BOOL pdb_set_logon_divs (SAM_ACCOUNT *sampass, uint16 hours, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- sampass->private.logon_divs = hours;
-
- return pdb_set_init_flags(sampass, PDB_LOGONDIVS, flag);
-}
-
-/**
- * Set flags showing what is initalised in the SAM_ACCOUNT
- * @param sampass the SAM_ACCOUNT in question
- * @param flag The *new* flag to be set. Old flags preserved
- * this flag is only added.
- **/
-
-BOOL pdb_set_init_flags (SAM_ACCOUNT *sampass, enum pdb_elements element, enum pdb_value_state value_flag)
-{
- if (!sampass || !sampass->mem_ctx)
- return False;
-
- if (!sampass->private.set_flags) {
- if ((sampass->private.set_flags =
- bitmap_talloc(sampass->mem_ctx,
- PDB_COUNT))==NULL) {
- DEBUG(0,("bitmap_talloc failed\n"));
- return False;
- }
- }
- if (!sampass->private.change_flags) {
- if ((sampass->private.change_flags =
- bitmap_talloc(sampass->mem_ctx,
- PDB_COUNT))==NULL) {
- DEBUG(0,("bitmap_talloc failed\n"));
- return False;
- }
- }
-
- switch(value_flag) {
- case PDB_CHANGED:
- if (!bitmap_set(sampass->private.change_flags, element)) {
- DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
- return False;
- }
- if (!bitmap_set(sampass->private.set_flags, element)) {
- DEBUG(0,("Can't set flag: %d in set_falgs.\n",element));
- return False;
- }
- DEBUG(10, ("element %d -> now CHANGED\n", element));
- break;
- case PDB_SET:
- if (!bitmap_clear(sampass->private.change_flags, element)) {
- DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
- return False;
- }
- if (!bitmap_set(sampass->private.set_flags, element)) {
- DEBUG(0,("Can't set flag: %d in set_falgs.\n",element));
- return False;
- }
- DEBUG(10, ("element %d -> now SET\n", element));
- break;
- case PDB_DEFAULT:
- default:
- if (!bitmap_clear(sampass->private.change_flags, element)) {
- DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
- return False;
- }
- if (!bitmap_clear(sampass->private.set_flags, element)) {
- DEBUG(0,("Can't set flag: %d in set_falgs.\n",element));
- return False;
- }
- DEBUG(10, ("element %d -> now DEFAULT\n", element));
- break;
- }
-
- return True;
-}
-
-BOOL pdb_set_uid (SAM_ACCOUNT *sampass, const uid_t uid, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- DEBUG(10, ("pdb_set_uid: setting uid %d, was %d\n",
- (int)uid, (int)sampass->private.uid));
-
- sampass->private.uid = uid;
-
- return pdb_set_init_flags(sampass, PDB_UID, flag);
-}
-
-BOOL pdb_set_gid (SAM_ACCOUNT *sampass, const gid_t gid, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- DEBUG(10, ("pdb_set_gid: setting gid %d, was %d\n",
- (int)gid, (int)sampass->private.gid));
-
- sampass->private.gid = gid;
-
- return pdb_set_init_flags(sampass, PDB_GID, flag);
-}
-
-BOOL pdb_set_user_sid (SAM_ACCOUNT *sampass, DOM_SID *u_sid, enum pdb_value_state flag)
-{
- TALLOC_CTX *mem_ctx;
- if (!sampass || !u_sid)
- return False;
-
- sid_copy(&sampass->private.user_sid, u_sid);
-
- mem_ctx = talloc_init("pdb_set_group_sid");
- if (!mem_ctx) return False;
- DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n",
- sid_string_talloc(mem_ctx, &sampass->private.user_sid)));
-
- talloc_destroy(mem_ctx);
- return pdb_set_init_flags(sampass, PDB_USERSID, flag);
-}
-
-BOOL pdb_set_user_sid_from_string (SAM_ACCOUNT *sampass, fstring u_sid, enum pdb_value_state flag)
-{
- DOM_SID new_sid;
-
- if (!sampass || !u_sid)
- return False;
-
- DEBUG(10, ("pdb_set_user_sid_from_string: setting user sid %s\n",
- u_sid));
-
- if (!string_to_sid(&new_sid, u_sid)) {
- DEBUG(1, ("pdb_set_user_sid_from_string: %s isn't a valid SID!\n", u_sid));
- return False;
- }
-
- if (!pdb_set_user_sid(sampass, &new_sid, flag)) {
- DEBUG(1, ("pdb_set_user_sid_from_string: could not set sid %s on SAM_ACCOUNT!\n", u_sid));
- return False;
- }
-
- return True;
-}
-
-BOOL pdb_set_group_sid (SAM_ACCOUNT *sampass, DOM_SID *g_sid, enum pdb_value_state flag)
-{
- TALLOC_CTX *mem_ctx;
- if (!sampass || !g_sid)
- return False;
-
- sid_copy(&sampass->private.group_sid, g_sid);
-
- mem_ctx = talloc_init("pdb_set_group_sid");
- if (!mem_ctx) return False;
- DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n",
- sid_string_talloc(mem_ctx, &sampass->private.group_sid)));
- talloc_destroy(mem_ctx);
- return pdb_set_init_flags(sampass, PDB_GROUPSID, flag);
-}
-
-BOOL pdb_set_group_sid_from_string (SAM_ACCOUNT *sampass, fstring g_sid, enum pdb_value_state flag)
-{
- DOM_SID new_sid;
- if (!sampass || !g_sid)
- return False;
-
- DEBUG(10, ("pdb_set_group_sid_from_string: setting group sid %s\n",
- g_sid));
-
- if (!string_to_sid(&new_sid, g_sid)) {
- DEBUG(1, ("pdb_set_group_sid_from_string: %s isn't a valid SID!\n", g_sid));
- return False;
- }
-
- if (!pdb_set_group_sid(sampass, &new_sid, flag)) {
- DEBUG(1, ("pdb_set_group_sid_from_string: could not set sid %s on SAM_ACCOUNT!\n", g_sid));
- return False;
- }
- return True;
-}
-
-/*********************************************************************
- Set the user's UNIX name.
- ********************************************************************/
-
-BOOL pdb_set_username(SAM_ACCOUNT *sampass, const char *username, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (username) {
- DEBUG(10, ("pdb_set_username: setting username %s, was %s\n", username,
- (sampass->private.username)?(sampass->private.username):"NULL"));
-
- sampass->private.username = talloc_strdup(sampass->mem_ctx, username);
-
- if (!sampass->private.username) {
- DEBUG(0, ("pdb_set_username: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.username = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_USERNAME, flag);
-}
-
-/*********************************************************************
- Set the domain name.
- ********************************************************************/
-
-BOOL pdb_set_domain(SAM_ACCOUNT *sampass, const char *domain, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (domain) {
- DEBUG(10, ("pdb_set_domain: setting domain %s, was %s\n", domain,
- (sampass->private.domain)?(sampass->private.domain):"NULL"));
-
- sampass->private.domain = talloc_strdup(sampass->mem_ctx, domain);
-
- if (!sampass->private.domain) {
- DEBUG(0, ("pdb_set_domain: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.domain = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_DOMAIN, flag);
-}
-
-/*********************************************************************
- Set the user's NT name.
- ********************************************************************/
-
-BOOL pdb_set_nt_username(SAM_ACCOUNT *sampass, const char *nt_username, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (nt_username) {
- DEBUG(10, ("pdb_set_nt_username: setting nt username %s, was %s\n", nt_username,
- (sampass->private.nt_username)?(sampass->private.nt_username):"NULL"));
-
- sampass->private.nt_username = talloc_strdup(sampass->mem_ctx, nt_username);
-
- if (!sampass->private.nt_username) {
- DEBUG(0, ("pdb_set_nt_username: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.nt_username = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_NTUSERNAME, flag);
-}
-
-/*********************************************************************
- Set the user's full name.
- ********************************************************************/
-
-BOOL pdb_set_fullname(SAM_ACCOUNT *sampass, const char *full_name, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (full_name) {
- DEBUG(10, ("pdb_set_full_name: setting full name %s, was %s\n", full_name,
- (sampass->private.full_name)?(sampass->private.full_name):"NULL"));
-
- sampass->private.full_name = talloc_strdup(sampass->mem_ctx, full_name);
-
- if (!sampass->private.full_name) {
- DEBUG(0, ("pdb_set_fullname: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.full_name = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_FULLNAME, flag);
-}
-
-/*********************************************************************
- Set the user's logon script.
- ********************************************************************/
-
-BOOL pdb_set_logon_script(SAM_ACCOUNT *sampass, const char *logon_script, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (logon_script) {
- DEBUG(10, ("pdb_set_logon_script: setting logon script %s, was %s\n", logon_script,
- (sampass->private.logon_script)?(sampass->private.logon_script):"NULL"));
-
- sampass->private.logon_script = talloc_strdup(sampass->mem_ctx, logon_script);
-
- if (!sampass->private.logon_script) {
- DEBUG(0, ("pdb_set_logon_script: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.logon_script = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_LOGONSCRIPT, flag);
-}
-
-/*********************************************************************
- Set the user's profile path.
- ********************************************************************/
-
-BOOL pdb_set_profile_path (SAM_ACCOUNT *sampass, const char *profile_path, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (profile_path) {
- DEBUG(10, ("pdb_set_profile_path: setting profile path %s, was %s\n", profile_path,
- (sampass->private.profile_path)?(sampass->private.profile_path):"NULL"));
-
- sampass->private.profile_path = talloc_strdup(sampass->mem_ctx, profile_path);
-
- if (!sampass->private.profile_path) {
- DEBUG(0, ("pdb_set_profile_path: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.profile_path = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_PROFILE, flag);
-}
-
-/*********************************************************************
- Set the user's directory drive.
- ********************************************************************/
-
-BOOL pdb_set_dir_drive (SAM_ACCOUNT *sampass, const char *dir_drive, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (dir_drive) {
- DEBUG(10, ("pdb_set_dir_drive: setting dir drive %s, was %s\n", dir_drive,
- (sampass->private.dir_drive)?(sampass->private.dir_drive):"NULL"));
-
- sampass->private.dir_drive = talloc_strdup(sampass->mem_ctx, dir_drive);
-
- if (!sampass->private.dir_drive) {
- DEBUG(0, ("pdb_set_dir_drive: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.dir_drive = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_DRIVE, flag);
-}
-
-/*********************************************************************
- Set the user's home directory.
- ********************************************************************/
-
-BOOL pdb_set_homedir (SAM_ACCOUNT *sampass, const char *home_dir, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (home_dir) {
- DEBUG(10, ("pdb_set_homedir: setting home dir %s, was %s\n", home_dir,
- (sampass->private.home_dir)?(sampass->private.home_dir):"NULL"));
-
- sampass->private.home_dir = talloc_strdup(sampass->mem_ctx, home_dir);
-
- if (!sampass->private.home_dir) {
- DEBUG(0, ("pdb_set_home_dir: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.home_dir = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_SMBHOME, flag);
-}
-
-/*********************************************************************
- Set the user's unix home directory.
- ********************************************************************/
-
-BOOL pdb_set_unix_homedir (SAM_ACCOUNT *sampass, const char *unix_home_dir, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (unix_home_dir) {
- DEBUG(10, ("pdb_set_unix_homedir: setting home dir %s, was %s\n", unix_home_dir,
- (sampass->private.unix_home_dir)?(sampass->private.unix_home_dir):"NULL"));
-
- sampass->private.unix_home_dir = talloc_strdup(sampass->mem_ctx,
- unix_home_dir);
-
- if (!sampass->private.unix_home_dir) {
- DEBUG(0, ("pdb_set_unix_home_dir: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.unix_home_dir = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_UNIXHOMEDIR, flag);
-}
-
-/*********************************************************************
- Set the user's account description.
- ********************************************************************/
-
-BOOL pdb_set_acct_desc (SAM_ACCOUNT *sampass, const char *acct_desc, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (acct_desc) {
- sampass->private.acct_desc = talloc_strdup(sampass->mem_ctx, acct_desc);
-
- if (!sampass->private.acct_desc) {
- DEBUG(0, ("pdb_set_acct_desc: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.acct_desc = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_ACCTDESC, flag);
-}
-
-/*********************************************************************
- Set the user's workstation allowed list.
- ********************************************************************/
-
-BOOL pdb_set_workstations (SAM_ACCOUNT *sampass, const char *workstations, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (workstations) {
- DEBUG(10, ("pdb_set_workstations: setting workstations %s, was %s\n", workstations,
- (sampass->private.workstations)?(sampass->private.workstations):"NULL"));
-
- sampass->private.workstations = talloc_strdup(sampass->mem_ctx, workstations);
-
- if (!sampass->private.workstations) {
- DEBUG(0, ("pdb_set_workstations: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.workstations = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_WORKSTATIONS, flag);
-}
-
-/*********************************************************************
- Set the user's 'unknown_str', whatever the heck this actually is...
- ********************************************************************/
-
-BOOL pdb_set_unknown_str (SAM_ACCOUNT *sampass, const char *unknown_str, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (unknown_str) {
- sampass->private.unknown_str = talloc_strdup(sampass->mem_ctx, unknown_str);
-
- if (!sampass->private.unknown_str) {
- DEBUG(0, ("pdb_set_unknown_str: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.unknown_str = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_UNKNOWNSTR, flag);
-}
-
-/*********************************************************************
- Set the user's dial string.
- ********************************************************************/
-
-BOOL pdb_set_munged_dial (SAM_ACCOUNT *sampass, const char *munged_dial, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (munged_dial) {
- sampass->private.munged_dial = talloc_strdup(sampass->mem_ctx, munged_dial);
-
- if (!sampass->private.munged_dial) {
- DEBUG(0, ("pdb_set_munged_dial: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.munged_dial = PDB_NOT_QUITE_NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_MUNGEDDIAL, flag);
-}
-
-/*********************************************************************
- Set the user's NT hash.
- ********************************************************************/
-
-BOOL pdb_set_nt_passwd (SAM_ACCOUNT *sampass, const uint8 pwd[NT_HASH_LEN], enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- data_blob_clear_free(&sampass->private.nt_pw);
-
- sampass->private.nt_pw = data_blob(pwd, NT_HASH_LEN);
-
- return pdb_set_init_flags(sampass, PDB_NTPASSWD, flag);
-}
-
-/*********************************************************************
- Set the user's LM hash.
- ********************************************************************/
-
-BOOL pdb_set_lanman_passwd (SAM_ACCOUNT *sampass, const uint8 pwd[LM_HASH_LEN], enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- data_blob_clear_free(&sampass->private.lm_pw);
-
- sampass->private.lm_pw = data_blob(pwd, LM_HASH_LEN);
-
- return pdb_set_init_flags(sampass, PDB_LMPASSWD, flag);
-}
-
-/*********************************************************************
- Set the user's plaintext password only (base procedure, see helper
- below)
- ********************************************************************/
-
-BOOL pdb_set_plaintext_pw_only (SAM_ACCOUNT *sampass, const char *password, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (password) {
- if (sampass->private.plaintext_pw!=NULL)
- memset(sampass->private.plaintext_pw,'\0',strlen(sampass->private.plaintext_pw)+1);
-
- sampass->private.plaintext_pw = talloc_strdup(sampass->mem_ctx, password);
-
- if (!sampass->private.plaintext_pw) {
- DEBUG(0, ("pdb_set_unknown_str: talloc_strdup() failed!\n"));
- return False;
- }
-
- } else {
- sampass->private.plaintext_pw = NULL;
- }
-
- return pdb_set_init_flags(sampass, PDB_PLAINTEXT_PW, flag);
-}
-
-BOOL pdb_set_unknown_3 (SAM_ACCOUNT *sampass, uint32 unkn, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- sampass->private.unknown_3 = unkn;
-
- return pdb_set_init_flags(sampass, PDB_UNKNOWN3, flag);
-}
-
-BOOL pdb_set_unknown_5 (SAM_ACCOUNT *sampass, uint32 unkn, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- sampass->private.unknown_5 = unkn;
-
- return pdb_set_init_flags(sampass, PDB_UNKNOWN5, flag);
-}
-
-BOOL pdb_set_unknown_6 (SAM_ACCOUNT *sampass, uint32 unkn, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- sampass->private.unknown_6 = unkn;
-
- return pdb_set_init_flags(sampass, PDB_UNKNOWN6, flag);
-}
-
-BOOL pdb_set_hours (SAM_ACCOUNT *sampass, const uint8 *hours, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- if (!hours) {
- memset ((char *)sampass->private.hours, 0, MAX_HOURS_LEN);
- return True;
- }
-
- memcpy (sampass->private.hours, hours, MAX_HOURS_LEN);
-
- return pdb_set_init_flags(sampass, PDB_HOURS, flag);
-}
-
-
-/* Helpful interfaces to the above */
-
-/*********************************************************************
- Sets the last changed times and must change times for a normal
- password change.
- ********************************************************************/
-
-BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass)
-{
- uint32 expire;
-
- if (!sampass)
- return False;
-
- if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
- return False;
-
- if (!account_policy_get(AP_MAX_PASSWORD_AGE, &expire)
- || (expire==(uint32)-1)) {
- if (!pdb_set_pass_must_change_time (sampass, get_time_t_max(), PDB_CHANGED))
- return False;
- } else {
- if (!pdb_set_pass_must_change_time (sampass,
- pdb_get_pass_last_set_time(sampass)
- + expire, PDB_CHANGED))
- return False;
- }
-
- return True;
-}
-
-/*********************************************************************
- Set the user's PLAINTEXT password. Used as an interface to the above.
- Also sets the last change time to NOW.
- ********************************************************************/
-
-BOOL pdb_set_plaintext_passwd (SAM_ACCOUNT *sampass, const char *plaintext)
-{
- uchar new_lanman_p16[16];
- uchar new_nt_p16[16];
-
- if (!sampass || !plaintext)
- return False;
-
- nt_lm_owf_gen (plaintext, new_nt_p16, new_lanman_p16);
-
- if (!pdb_set_nt_passwd (sampass, new_nt_p16, PDB_CHANGED))
- return False;
-
- if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED))
- return False;
-
- if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED))
- return False;
-
- if (!pdb_set_pass_changed_now (sampass))
- return False;
-
- return True;
-}
+++ /dev/null
-/*
- * 'Guest' password backend for samba
- * Copyright (C) Jelmer Vernooij 2002
- * Copyright (C) Andrew Bartlett 2003
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 2 of the License, or (at your option)
- * any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 675
- * Mass Ave, Cambridge, MA 02139, USA.
- */
-
-#include "includes.h"
-
-/******************************************************************
- Lookup a name in the SAM database
- ******************************************************************/
-
-static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user, const char *sname)
-{
- NTSTATUS nt_status;
- struct passwd *pass;
- const char *guest_account = lp_guestaccount();
- if (!(guest_account && *guest_account)) {
- DEBUG(1, ("NULL guest account!?!?\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!methods) {
- DEBUG(0,("invalid methods\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
- if (!sname) {
- DEBUG(0,("invalid name specified"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!strequal(guest_account, sname)) {
- return NT_STATUS_NO_SUCH_USER;
- }
-
- pass = getpwnam_alloc(guest_account);
-
- nt_status = pdb_fill_sam_pw(user, pass);
-
- passwd_free(&pass);
- return nt_status;
-}
-
-
-/***************************************************************************
- Search by rid
- **************************************************************************/
-
-static NTSTATUS guestsam_getsampwrid (struct pdb_methods *methods,
- SAM_ACCOUNT *user, uint32 rid)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct passwd *pass = NULL;
- const char *guest_account = lp_guestaccount();
- if (!(guest_account && *guest_account)) {
- DEBUG(1, ("NULL guest account!?!?\n"));
- return nt_status;
- }
-
- if (!methods) {
- DEBUG(0,("invalid methods\n"));
- return nt_status;
- }
-
- if (rid == DOMAIN_USER_RID_GUEST) {
- pass = getpwnam_alloc(guest_account);
- if (!pass) {
- DEBUG(1, ("guest account %s does not seem to exist...\n", guest_account));
- return NT_STATUS_NO_SUCH_USER;
- }
- } else {
- return NT_STATUS_NO_SUCH_USER;
- }
-
- nt_status = pdb_fill_sam_pw(user, pass);
- passwd_free(&pass);
-
- return nt_status;
-}
-
-static NTSTATUS guestsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
-{
- uint32 rid;
- if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
- return NT_STATUS_NO_SUCH_USER;
- return guestsam_getsampwrid(my_methods, user, rid);
-}
-
-static NTSTATUS pdb_init_guestsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
-
- if (!pdb_context) {
- DEBUG(0, ("invalid pdb_context specified\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "guestsam";
-
- (*pdb_method)->getsampwnam = guestsam_getsampwnam;
- (*pdb_method)->getsampwsid = guestsam_getsampwsid;
-
- /* There's not very much to initialise here */
- return NT_STATUS_OK;
-}
-
-NTSTATUS passdb_guest_init(void)
-{
- NTSTATUS ret;
- struct passdb_ops ops;
-
- ZERO_STRUCT(ops);
-
- /* fill in our name */
- ops.name = "guestsam";
- /* fill in all the operations */
- ops.init = pdb_init_guestsam;
-
- /* register ourselves with the PASSDB subsystem. */
- ret = register_backend("passdb", &ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register '%s' PASSDB backend!\n",
- ops.name));
- return ret;
- }
-
- /* fill in our name */
- ops.name = "guest";
- /* fill in all the operations */
- ops.init = pdb_init_guestsam;
-
- /* register ourselves with the PASSDB subsystem. */
- ret = register_backend("passdb", &ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register '%s' PASSDB backend!\n",
- ops.name));
- return ret;
- }
-
- return ret;
-}
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- Password and authentication handling
- Copyright (C) Andrew Bartlett 2002
- Copyright (C) Jelmer Vernooij 2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_PASSDB
-
-/* the list of currently registered AUTH backends */
-static struct {
- const struct passdb_ops *ops;
-} *backends = NULL;
-static int num_backends;
-
-/*
- register a AUTH backend.
-
- The 'name' can be later used by other backends to find the operations
- structure for this backend.
-*/
-static NTSTATUS passdb_register(void *_ops)
-{
- const struct passdb_ops *ops = _ops;
- struct passdb_ops *new_ops;
-
- if (passdb_backend_byname(ops->name) != NULL) {
- /* its already registered! */
- DEBUG(0,("PASSDB backend '%s' already registered\n",
- ops->name));
- return NT_STATUS_OBJECT_NAME_COLLISION;
- }
-
- backends = Realloc(backends, sizeof(backends[0]) * (num_backends+1));
- if (!backends) {
- smb_panic("out of memory in passdb_register");
- }
-
- new_ops = smb_xmemdup(ops, sizeof(*ops));
- new_ops->name = smb_xstrdup(ops->name);
-
- backends[num_backends].ops = new_ops;
-
- num_backends++;
-
- DEBUG(3,("PASSDB backend '%s' registered\n",
- ops->name));
-
- return NT_STATUS_OK;
-}
-
-/*
- return the operations structure for a named backend of the specified type
-*/
-const struct passdb_ops *passdb_backend_byname(const char *name)
-{
- int i;
-
- for (i=0;i<num_backends;i++) {
- if (strcmp(backends[i].ops->name, name) == 0) {
- return backends[i].ops;
- }
- }
-
- return NULL;
-}
-
-/*
- return the PASSDB interface version, and the size of some critical types
- This can be used by backends to either detect compilation errors, or provide
- multiple implementations for different smbd compilation options in one module
-*/
-const struct passdb_critical_sizes *passdb_interface_version(void)
-{
- static const struct passdb_critical_sizes critical_sizes = {
- PASSDB_INTERFACE_VERSION,
- sizeof(struct passdb_ops),
- sizeof(struct pdb_methods),
- sizeof(struct pdb_context),
- sizeof(SAM_ACCOUNT)
- };
-
- return &critical_sizes;
-}
-
-/*
- initialise the PASSDB subsystem
-*/
-BOOL passdb_init(void)
-{
- NTSTATUS status;
-
- status = register_subsystem("passdb", passdb_register);
- if (!NT_STATUS_IS_OK(status)) {
- return False;
- }
-
- /* FIXME: Perhaps panic if a basic backend, such as SAM, fails to initialise? */
- static_init_passdb;
-
- DEBUG(3,("PASSDB subsystem version %d initialised\n", PASSDB_INTERFACE_VERSION));
- return True;
-}
-
-static NTSTATUS context_setsampwent(struct pdb_context *context, BOOL update)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
- if (!context) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
- }
-
- context->pwent_methods = context->pdb_methods;
-
- if (!context->pwent_methods) {
- /* No passdbs at all */
- return ret;
- }
-
- while (NT_STATUS_IS_ERR(ret = context->pwent_methods->setsampwent(context->pwent_methods, update))) {
- context->pwent_methods = context->pwent_methods->next;
- if (context->pwent_methods == NULL)
- return NT_STATUS_UNSUCCESSFUL;
- }
- return ret;
-}
-
-static void context_endsampwent(struct pdb_context *context)
-{
- if ((!context)){
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return;
- }
-
- if (context->pwent_methods && context->pwent_methods->endsampwent)
- context->pwent_methods->endsampwent(context->pwent_methods);
-
- /* So we won't get strange data when calling getsampwent now */
- context->pwent_methods = NULL;
-}
-
-static NTSTATUS context_getsampwent(struct pdb_context *context, SAM_ACCOUNT *user)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
- if ((!context) || (!context->pwent_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
- }
- /* Loop until we find something useful */
- while (NT_STATUS_IS_ERR(ret = context->pwent_methods->getsampwent(context->pwent_methods, user))) {
-
- context->pwent_methods->endsampwent(context->pwent_methods);
-
- context->pwent_methods = context->pwent_methods->next;
-
- /* All methods are checked now. There are no more entries */
- if (context->pwent_methods == NULL)
- return ret;
-
- context->pwent_methods->setsampwent(context->pwent_methods, False);
- }
- user->methods = context->pwent_methods;
- return ret;
-}
-
-static NTSTATUS context_getsampwnam(struct pdb_context *context, SAM_ACCOUNT *sam_acct, const char *username)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
- struct pdb_methods *curmethods;
- if ((!context)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
- }
- curmethods = context->pdb_methods;
- while (curmethods){
- if (NT_STATUS_IS_OK(ret = curmethods->getsampwnam(curmethods, sam_acct, username))) {
- sam_acct->methods = curmethods;
- return ret;
- }
- curmethods = curmethods->next;
- }
-
- return ret;
-}
-
-static NTSTATUS context_getsampwsid(struct pdb_context *context, SAM_ACCOUNT *sam_acct, const DOM_SID *sid)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
- struct pdb_methods *curmethods;
- if ((!context)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
- }
-
- curmethods = context->pdb_methods;
-
- while (curmethods){
- if (NT_STATUS_IS_OK(ret = curmethods->getsampwsid(curmethods, sam_acct, sid))) {
- sam_acct->methods = curmethods;
- return ret;
- }
- curmethods = curmethods->next;
- }
-
- return ret;
-}
-
-static NTSTATUS context_add_sam_account(struct pdb_context *context, SAM_ACCOUNT *sam_acct)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
- }
-
- /** @todo This is where a 're-read on add' should be done */
- /* We now add a new account to the first database listed.
- * Should we? */
-
- return context->pdb_methods->add_sam_account(context->pdb_methods, sam_acct);
-}
-
-static NTSTATUS context_update_sam_account(struct pdb_context *context, SAM_ACCOUNT *sam_acct)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
- if (!context) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
- }
-
- if (!sam_acct || !sam_acct->methods){
- DEBUG(0, ("invalid sam_acct specified\n"));
- return ret;
- }
-
- /** @todo This is where a 're-read on update' should be done */
-
- return sam_acct->methods->update_sam_account(sam_acct->methods, sam_acct);
-}
-
-static NTSTATUS context_delete_sam_account(struct pdb_context *context, SAM_ACCOUNT *sam_acct)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
- struct pdb_methods *pdb_selected;
- if (!context) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
- }
-
- if (!sam_acct->methods){
- pdb_selected = context->pdb_methods;
- /* There's no passdb backend specified for this account.
- * Try to delete it in every passdb available
- * Needed to delete accounts in smbpasswd that are not
- * in /etc/passwd.
- */
- while (pdb_selected){
- if (NT_STATUS_IS_OK(ret = pdb_selected->delete_sam_account(pdb_selected, sam_acct))) {
- return ret;
- }
- pdb_selected = pdb_selected->next;
- }
- return ret;
- }
-
- if (!sam_acct->methods->delete_sam_account){
- DEBUG(0,("invalid sam_acct->methods->delete_sam_account\n"));
- return ret;
- }
-
- return sam_acct->methods->delete_sam_account(sam_acct->methods, sam_acct);
-}
-
-/******************************************************************
- Free and cleanup a pdb context, any associated data and anything
- that the attached modules might have associated.
- *******************************************************************/
-
-static void free_pdb_context(struct pdb_context **context)
-{
- struct pdb_methods *pdb_selected = (*context)->pdb_methods;
-
- while (pdb_selected){
- if(pdb_selected->free_private_data)
- pdb_selected->free_private_data(&(pdb_selected->private_data));
- pdb_selected = pdb_selected->next;
- }
-
- talloc_destroy((*context)->mem_ctx);
- *context = NULL;
-}
-
-/******************************************************************
- Make a pdb_methods from scratch
- *******************************************************************/
-
-static NTSTATUS make_pdb_methods_name(struct pdb_methods **methods, struct pdb_context *context, const char *selected)
-{
- char *module_name = smb_xstrdup(selected);
- char *module_param = NULL, *p;
- const struct passdb_ops *ops;
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
-
- p = strchr(module_name, ':');
-
- if (p) {
- *p = 0;
- module_param = p+1;
- trim_string(module_param, " ", " ");
- }
-
- trim_string(module_name, " ", " ");
-
-
- DEBUG(5,("Attempting to find an passdb backend to match %s (%s)\n", selected, module_name));
-
- ops = passdb_backend_byname(module_name);
- /* No such backend found */
- if(!ops) {
- SAFE_FREE(module_name);
- return NT_STATUS_INVALID_PARAMETER;
- }
- DEBUG(5,("Found PASSDB backend %s\n", module_name));
- nt_status = ops->init(context, methods, module_param);
- if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5,("PASSDB backend %s has a valid init\n", selected));
- } else {
- DEBUG(0,("PASSDB backend %s did not correctly init (error was %s)\n", selected, nt_errstr(nt_status)));
- }
- SAFE_FREE(module_name);
- return nt_status;
-}
-
-/******************************************************************
- Make a pdb_context from scratch.
- *******************************************************************/
-
-static NTSTATUS make_pdb_context(struct pdb_context **context)
-{
- TALLOC_CTX *mem_ctx;
-
- mem_ctx = talloc_init("pdb_context internal allocation context");
-
- if (!mem_ctx) {
- DEBUG(0, ("make_pdb_context: talloc init failed!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- *context = talloc(mem_ctx, sizeof(**context));
- if (!*context) {
- DEBUG(0, ("make_pdb_context: talloc failed!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- ZERO_STRUCTP(*context);
-
- (*context)->mem_ctx = mem_ctx;
-
- (*context)->pdb_setsampwent = context_setsampwent;
- (*context)->pdb_endsampwent = context_endsampwent;
- (*context)->pdb_getsampwent = context_getsampwent;
- (*context)->pdb_getsampwnam = context_getsampwnam;
- (*context)->pdb_getsampwsid = context_getsampwsid;
- (*context)->pdb_add_sam_account = context_add_sam_account;
- (*context)->pdb_update_sam_account = context_update_sam_account;
- (*context)->pdb_delete_sam_account = context_delete_sam_account;
-
- (*context)->free_fn = free_pdb_context;
-
- return NT_STATUS_OK;
-}
-
-
-/******************************************************************
- Make a pdb_context, given an array of strings
- *******************************************************************/
-
-NTSTATUS make_pdb_context_list(struct pdb_context **context, const char **selected)
-{
- int i = 0;
- struct pdb_methods *curmethods;
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
-
- if (!NT_STATUS_IS_OK(nt_status = make_pdb_context(context))) {
- return nt_status;
- }
-
- while (selected[i]){
- /* Try to initialise pdb */
- DEBUG(5,("Trying to load: %s\n", selected[i]));
- if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods_name(&curmethods, *context, selected[i]))) {
- DEBUG(1, ("Loading %s failed!\n", selected[i]));
- free_pdb_context(context);
- return nt_status;
- }
- curmethods->parent = *context;
- DLIST_ADD_END((*context)->pdb_methods, curmethods, struct pdb_methods *);
- i++;
- }
-
- return NT_STATUS_OK;
-}
-
-/******************************************************************
- Make a pdb_context, given a text string.
- *******************************************************************/
-
-NTSTATUS make_pdb_context_string(struct pdb_context **context, const char *selected)
-{
- NTSTATUS ret;
- char **newsel = str_list_make(selected, NULL);
- ret = make_pdb_context_list(context, (const char **)newsel);
- str_list_free(&newsel);
- return ret;
-}
-
-/******************************************************************
- Return an already initialised pdb_context, to facilitate backward
- compatibility (see functions below).
-*******************************************************************/
-
-static struct pdb_context *pdb_get_static_context(BOOL reload)
-{
- static struct pdb_context *pdb_context = NULL;
-
- if ((pdb_context) && (reload)) {
- pdb_context->free_fn(&pdb_context);
- if (NT_STATUS_IS_ERR(make_pdb_context_list(&pdb_context, lp_passdb_backend()))) {
- return NULL;
- }
- }
-
- if (!pdb_context) {
- if (NT_STATUS_IS_ERR(make_pdb_context_list(&pdb_context, lp_passdb_backend()))) {
- return NULL;
- }
- }
-
- return pdb_context;
-}
-
-/******************************************************************
- Backward compatibility functions for the original passdb interface
-*******************************************************************/
-
-BOOL pdb_setsampwent(BOOL update)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb_context->pdb_setsampwent(pdb_context, update));
-}
-
-void pdb_endsampwent(void)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return;
- }
-
- pdb_context->pdb_endsampwent(pdb_context);
-}
-
-BOOL pdb_getsampwent(SAM_ACCOUNT *user)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb_context->pdb_getsampwent(pdb_context, user));
-}
-
-BOOL pdb_getsampwnam(SAM_ACCOUNT *sam_acct, const char *username)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb_context->pdb_getsampwnam(pdb_context, sam_acct, username));
-}
-
-BOOL pdb_getsampwsid(SAM_ACCOUNT *sam_acct, const DOM_SID *sid)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb_context->pdb_getsampwsid(pdb_context, sam_acct, sid));
-}
-
-BOOL pdb_add_sam_account(SAM_ACCOUNT *sam_acct)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb_context->pdb_add_sam_account(pdb_context, sam_acct));
-}
-
-BOOL pdb_update_sam_account(SAM_ACCOUNT *sam_acct)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb_context->pdb_update_sam_account(pdb_context, sam_acct));
-}
-
-BOOL pdb_delete_sam_account(SAM_ACCOUNT *sam_acct)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb_context->pdb_delete_sam_account(pdb_context, sam_acct));
-}
-
-/***************************************************************
- Initialize the static context (at smbd startup etc).
-
- If uninitialised, context will auto-init on first use.
- ***************************************************************/
-
-BOOL initialize_password_db(BOOL reload)
-{
- return (pdb_get_static_context(reload) != NULL);
-}
-
-
-/***************************************************************************
- Default implementations of some functions.
- ****************************************************************************/
-
-static NTSTATUS pdb_default_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user, const char *sname)
-{
- return NT_STATUS_NO_SUCH_USER;
-}
-
-static NTSTATUS pdb_default_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
-{
- return NT_STATUS_NO_SUCH_USER;
-}
-
-static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, SAM_ACCOUNT *newpwd)
-{
- DEBUG(0,("this backend (%s) should not be listed as the first passdb backend! You can't add users to it.\n", methods->name));
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static NTSTATUS pdb_default_update_sam_account (struct pdb_methods *methods, SAM_ACCOUNT *newpwd)
-{
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static NTSTATUS pdb_default_delete_sam_account (struct pdb_methods *methods, SAM_ACCOUNT *pwd)
-{
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static NTSTATUS pdb_default_setsampwent(struct pdb_methods *methods, BOOL update)
-{
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static NTSTATUS pdb_default_getsampwent(struct pdb_methods *methods, SAM_ACCOUNT *user)
-{
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static void pdb_default_endsampwent(struct pdb_methods *methods)
-{
- return; /* NT_STATUS_NOT_IMPLEMENTED; */
-}
-
-NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods)
-{
- *methods = talloc(mem_ctx, sizeof(struct pdb_methods));
-
- if (!*methods) {
- return NT_STATUS_NO_MEMORY;
- }
-
- ZERO_STRUCTP(*methods);
-
- (*methods)->setsampwent = pdb_default_setsampwent;
- (*methods)->endsampwent = pdb_default_endsampwent;
- (*methods)->getsampwent = pdb_default_getsampwent;
- (*methods)->getsampwnam = pdb_default_getsampwnam;
- (*methods)->getsampwsid = pdb_default_getsampwsid;
- (*methods)->add_sam_account = pdb_default_add_sam_account;
- (*methods)->update_sam_account = pdb_default_update_sam_account;
- (*methods)->delete_sam_account = pdb_default_delete_sam_account;
-
- return NT_STATUS_OK;
-}
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- LDAP protocol helper functions for SAMBA
- Copyright (C) Jean François Micouleau 1998
- Copyright (C) Gerald Carter 2001
- Copyright (C) Shahms King 2001
- Copyright (C) Andrew Bartlett 2002
- Copyright (C) Stefan (metze) Metzmacher 2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-*/
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_PASSDB
-
-/* TODO:
-* persistent connections: if using NSS LDAP, many connections are made
-* however, using only one within Samba would be nice
-*
-* Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
-*
-* Other LDAP based login attributes: accountExpires, etc.
-* (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
-* structures don't have fields for some of these attributes)
-*
-* SSL is done, but can't get the certificate based authentication to work
-* against on my test platform (Linux 2.4, OpenLDAP 2.x)
-*/
-
-/* NOTE: this will NOT work against an Active Directory server
-* due to the fact that the two password fields cannot be retrieved
-* from a server; recommend using security = domain in this situation
-* and/or winbind
-*/
-
-#include <lber.h>
-#include <ldap.h>
-
-#ifndef SAM_ACCOUNT
-#define SAM_ACCOUNT struct sam_passwd
-#endif
-
-struct ldapsam_privates {
-
- /* Former statics */
- LDAP *ldap_struct;
- LDAPMessage *result;
- LDAPMessage *entry;
- int index;
-
- time_t last_ping;
- /* retrive-once info */
- const char *uri;
-
- BOOL permit_non_unix_accounts;
-
- uint32 low_nua_rid;
- uint32 high_nua_rid;
-
- char *bind_dn;
- char *bind_secret;
-};
-
-#define LDAPSAM_DONT_PING_TIME 10 /* ping only all 10 seconds */
-
-static struct ldapsam_privates *static_ldap_state;
-
-static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state);
-
-/*******************************************************************
- find the ldap password
-******************************************************************/
-static BOOL fetch_ldapsam_pw(char **dn, char** pw)
-{
- char *key = NULL;
- size_t size;
-
- *dn = smb_xstrdup(lp_ldap_admin_dn());
-
- if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, *dn) < 0) {
- SAFE_FREE(*dn);
- DEBUG(0, ("fetch_ldapsam_pw: asprintf failed!\n"));
- }
-
- *pw=secrets_fetch(key, &size);
- if (!size) {
- /* Upgrade 2.2 style entry */
- char *p;
- char* old_style_key = strdup(*dn);
- char *data;
- fstring old_style_pw;
-
- if (!old_style_key) {
- DEBUG(0, ("fetch_ldapsam_pw: strdup failed!\n"));
- return False;
- }
-
- for (p=old_style_key; *p; p++)
- if (*p == ',') *p = '/';
-
- data=secrets_fetch(old_style_key, &size);
- if (!size && size < sizeof(old_style_pw)) {
- DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
- SAFE_FREE(old_style_key);
- SAFE_FREE(*dn);
- return False;
- }
-
- strncpy(old_style_pw, data, size);
- old_style_pw[size] = 0;
-
- SAFE_FREE(data);
-
- if (!secrets_store_ldap_pw(*dn, old_style_pw)) {
- DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n"));
- SAFE_FREE(old_style_key);
- SAFE_FREE(*dn);
- return False;
- }
- if (!secrets_delete(old_style_key)) {
- DEBUG(0,("fetch_ldap_pw: old ldap secret could not be deleted!\n"));
- }
-
- SAFE_FREE(old_style_key);
-
- *pw = smb_xstrdup(old_style_pw);
- }
-
- return True;
-}
-
-static const char * const attr[] = {"uid", "pwdLastSet", "logonTime",
- "logoffTime", "kickoffTime", "cn",
- "pwdCanChange", "pwdMustChange",
- "displayName", "homeDrive",
- "smbHome", "scriptPath",
- "profilePath", "description",
- "userWorkstations", "rid",
- "primaryGroupID", "lmPassword",
- "ntPassword", "acctFlags",
- "domain", "objectClass",
- "uidNumber", "gidNumber",
- "homeDirectory", NULL };
-
-/*******************************************************************
- open a connection to the ldap server.
-******************************************************************/
-static int ldapsam_open_connection (struct ldapsam_privates *ldap_state, LDAP ** ldap_struct)
-{
- int rc = LDAP_SUCCESS;
- int version;
- BOOL ldap_v3 = False;
-
-#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
- DEBUG(10, ("ldapsam_open_connection: %s\n", ldap_state->uri));
-
- if ((rc = ldap_initialize(ldap_struct, ldap_state->uri)) != LDAP_SUCCESS) {
- DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
- return rc;
- }
-
-#else
-
- /* Parse the string manually */
-
- {
- int port = 0;
- fstring protocol;
- fstring host;
- const char *p = ldap_state->uri;
- SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
-
- /* skip leading "URL:" (if any) */
- if ( strncasecmp( p, "URL:", 4 ) == 0 ) {
- p += 4;
- }
-
- sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port);
-
- if (port == 0) {
- if (strequal(protocol, "ldap")) {
- port = LDAP_PORT;
- } else if (strequal(protocol, "ldaps")) {
- port = LDAPS_PORT;
- } else {
- DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
- }
- }
-
- if ((*ldap_struct = ldap_init(host, port)) == NULL) {
- DEBUG(0, ("ldap_init failed !\n"));
- return LDAP_OPERATIONS_ERROR;
- }
-
- if (strequal(protocol, "ldaps")) {
-#ifdef LDAP_OPT_X_TLS
- int tls = LDAP_OPT_X_TLS_HARD;
- if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
- {
- DEBUG(0, ("Failed to setup a TLS session\n"));
- }
-
- DEBUG(3,("LDAPS option set...!\n"));
-#else
- DEBUG(0,("ldapsam_open_connection: Secure connection not supported by LDAP client libraries!\n"));
- return LDAP_OPERATIONS_ERROR;
-#endif
- }
- }
-#endif
-
- if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS)
- {
- if (version != LDAP_VERSION3)
- {
- version = LDAP_VERSION3;
- if (ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS) {
- ldap_v3 = True;
- }
- } else {
- ldap_v3 = True;
- }
- }
-
- if (lp_ldap_ssl() == LDAP_SSL_START_TLS) {
-#ifdef LDAP_OPT_X_TLS
- if (ldap_v3) {
- if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS)
- {
- DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
- ldap_err2string(rc)));
- return rc;
- }
- DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
- } else {
-
- DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
- return LDAP_OPERATIONS_ERROR;
- }
-#else
- DEBUG(0,("ldapsam_open_connection: StartTLS not supported by LDAP client libraries!\n"));
- return LDAP_OPERATIONS_ERROR;
-#endif
- }
-
- DEBUG(2, ("ldapsam_open_connection: connection opened\n"));
- return rc;
-}
-
-
-/*******************************************************************
- a rebind function for authenticated referrals
- This version takes a void* that we can shove useful stuff in :-)
-******************************************************************/
-#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
-#else
-static int rebindproc_with_state (LDAP * ld, char **whop, char **credp,
- int *methodp, int freeit, void *arg)
-{
- struct ldapsam_privates *ldap_state = arg;
-
- /** @TODO Should we be doing something to check what servers we rebind to?
- Could we get a referral to a machine that we don't want to give our
- username and password to? */
-
- if (freeit) {
- SAFE_FREE(*whop);
- memset(*credp, '\0', strlen(*credp));
- SAFE_FREE(*credp);
- } else {
- DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n",
- ldap_state->bind_dn));
-
- *whop = strdup(ldap_state->bind_dn);
- if (!*whop) {
- return LDAP_NO_MEMORY;
- }
- *credp = strdup(ldap_state->bind_secret);
- if (!*credp) {
- SAFE_FREE(*whop);
- return LDAP_NO_MEMORY;
- }
- *methodp = LDAP_AUTH_SIMPLE;
- }
- return 0;
-}
-#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
-
-/*******************************************************************
- a rebind function for authenticated referrals
- This version takes a void* that we can shove useful stuff in :-)
- and actually does the connection.
-******************************************************************/
-#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
-static int rebindproc_connect_with_state (LDAP *ldap_struct,
- LDAP_CONST char *url,
- ber_tag_t request,
- ber_int_t msgid, void *arg)
-{
- struct ldapsam_privates *ldap_state = arg;
- int rc;
- DEBUG(5,("rebindproc_connect_with_state: Rebinding as \"%s\"\n",
- ldap_state->bind_dn));
-
- /** @TODO Should we be doing something to check what servers we rebind to?
- Could we get a referral to a machine that we don't want to give our
- username and password to? */
-
- rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
-
- return rc;
-}
-#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
-
-/*******************************************************************
- Add a rebind function for authenticated referrals
-******************************************************************/
-#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
-#else
-# if LDAP_SET_REBIND_PROC_ARGS == 2
-static int rebindproc (LDAP *ldap_struct, char **whop, char **credp,
- int *method, int freeit )
-{
- return rebindproc_with_state(ldap_struct, whop, credp,
- method, freeit, static_ldap_state);
-
-}
-# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
-#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
-
-/*******************************************************************
- a rebind function for authenticated referrals
- this also does the connection, but no void*.
-******************************************************************/
-#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
-# if LDAP_SET_REBIND_PROC_ARGS == 2
-static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
- ber_int_t msgid)
-{
- return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid,
- static_ldap_state);
-}
-# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
-#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
-
-/*******************************************************************
- connect to the ldap server under system privilege.
-******************************************************************/
-static int ldapsam_connect_system(struct ldapsam_privates *ldap_state, LDAP * ldap_struct)
-{
- int rc;
- char *ldap_dn;
- char *ldap_secret;
-
- /* The rebind proc needs this *HACK*. We are not multithreaded, so
- this will work, but it's not nice. */
- static_ldap_state = ldap_state;
-
- /* get the password */
- if (!fetch_ldapsam_pw(&ldap_dn, &ldap_secret))
- {
- DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
- return LDAP_INVALID_CREDENTIALS;
- }
-
- ldap_state->bind_dn = ldap_dn;
- ldap_state->bind_secret = ldap_secret;
-
- /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
- (OpenLDAP) doesnt' seem to support it */
-
- DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
- ldap_state->uri, ldap_dn));
-
-#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
-# if LDAP_SET_REBIND_PROC_ARGS == 2
- ldap_set_rebind_proc(ldap_struct, &rebindproc_connect);
-# endif
-# if LDAP_SET_REBIND_PROC_ARGS == 3
- ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);
-# endif
-#else /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
-# if LDAP_SET_REBIND_PROC_ARGS == 2
- ldap_set_rebind_proc(ldap_struct, &rebindproc);
-# endif
-# if LDAP_SET_REBIND_PROC_ARGS == 3
- ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);
-# endif
-#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
-
- rc = ldap_simple_bind_s(ldap_struct, ldap_dn, ldap_secret);
-
- if (rc != LDAP_SUCCESS) {
- char *ld_error;
- ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
- &ld_error);
- DEBUG(0,
- ("failed to bind to server with dn= %s Error: %s\n\t%s\n",
- ldap_dn, ldap_err2string(rc),
- ld_error));
- free(ld_error);
- return rc;
- }
-
- DEBUG(2, ("ldap_connect_system: succesful connection to the LDAP server\n"));
- return rc;
-}
-
-/**********************************************************************
-Connect to LDAP server
-*********************************************************************/
-static int ldapsam_open(struct ldapsam_privates *ldap_state)
-{
- int rc;
- SMB_ASSERT(ldap_state);
-
-#ifndef NO_LDAP_SECURITY
- if (geteuid() != 0) {
- DEBUG(0, ("ldapsam_open: cannot access LDAP when not root..\n"));
- return LDAP_INSUFFICIENT_ACCESS;
- }
-#endif
-
- if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + LDAPSAM_DONT_PING_TIME) < time(NULL))) {
- struct sockaddr_un addr;
- socklen_t len;
- int sd;
- if (ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd) == 0 &&
- getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
- /* the other end has died. reopen. */
- ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
- ldap_state->ldap_struct = NULL;
- ldap_state->last_ping = (time_t)0;
- } else {
- ldap_state->last_ping = time(NULL);
- }
- }
-
- if (ldap_state->ldap_struct != NULL) {
- DEBUG(5,("ldapsam_open: allready connected to the LDAP server\n"));
- return LDAP_SUCCESS;
- }
-
- if ((rc = ldapsam_open_connection(ldap_state, &ldap_state->ldap_struct))) {
- return rc;
- }
-
- if ((rc = ldapsam_connect_system(ldap_state, ldap_state->ldap_struct))) {
- ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
- ldap_state->ldap_struct = NULL;
- return rc;
- }
-
-
- ldap_state->last_ping = time(NULL);
- DEBUG(4,("The LDAP server is succesful connected\n"));
-
- return LDAP_SUCCESS;
-}
-
-/**********************************************************************
-Disconnect from LDAP server
-*********************************************************************/
-static NTSTATUS ldapsam_close(struct ldapsam_privates *ldap_state)
-{
- if (!ldap_state)
- return NT_STATUS_INVALID_PARAMETER;
-
- if (ldap_state->ldap_struct != NULL) {
- ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
- ldap_state->ldap_struct = NULL;
- }
-
- DEBUG(5,("The connection to the LDAP server was closed\n"));
- /* maybe free the results here --metze */
-
- return NT_STATUS_OK;
-}
-
-static int ldapsam_retry_open(struct ldapsam_privates *ldap_state, int *attempts)
-{
- int rc;
-
- SMB_ASSERT(ldap_state && attempts);
-
- if (*attempts != 0) {
- /* we retry after 0.5, 2, 4.5, 8, 12.5, 18, 24.5 seconds */
- msleep((((*attempts)*(*attempts))/2)*1000);
- }
- (*attempts)++;
-
- if ((rc = ldapsam_open(ldap_state))) {
- DEBUG(0,("Connection to LDAP Server failed for the %d try!\n",*attempts));
- return rc;
- }
-
- return LDAP_SUCCESS;
-}
-
-
-static int ldapsam_search(struct ldapsam_privates *ldap_state,
- const char *base, int scope, const char *filter,
- const char *attrs[], int attrsonly,
- LDAPMessage **res)
-{
- int rc = LDAP_SERVER_DOWN;
- int attempts = 0;
-
- SMB_ASSERT(ldap_state);
-
- while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
-
- if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
- continue;
-
- rc = ldap_search_s(ldap_state->ldap_struct, base, scope,
- filter, attrs, attrsonly, res);
- }
-
- if (rc == LDAP_SERVER_DOWN) {
- DEBUG(0,("ldapsam_seacrh: LDAP server is down!\n"));
- ldapsam_close(ldap_state);
- }
-
- return rc;
-}
-
-static int ldapsam_modify(struct ldapsam_privates *ldap_state, char *dn, LDAPMod *attrs[])
-{
- int rc = LDAP_SERVER_DOWN;
- int attempts = 0;
-
- if (!ldap_state)
- return (-1);
-
- while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
-
- if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
- continue;
-
- rc = ldap_modify_s(ldap_state->ldap_struct, dn, attrs);
- }
-
- if (rc == LDAP_SERVER_DOWN) {
- DEBUG(0,("ldapsam_modify: LDAP server is down!\n"));
- ldapsam_close(ldap_state);
- }
-
- return rc;
-}
-
-static int ldapsam_add(struct ldapsam_privates *ldap_state, const char *dn, LDAPMod *attrs[])
-{
- int rc = LDAP_SERVER_DOWN;
- int attempts = 0;
-
- if (!ldap_state)
- return (-1);
-
- while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
-
- if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
- continue;
-
- rc = ldap_add_s(ldap_state->ldap_struct, dn, attrs);
- }
-
- if (rc == LDAP_SERVER_DOWN) {
- DEBUG(0,("ldapsam_add: LDAP server is down!\n"));
- ldapsam_close(ldap_state);
- }
-
- return rc;
-}
-
-static int ldapsam_delete(struct ldapsam_privates *ldap_state, char *dn)
-{
- int rc = LDAP_SERVER_DOWN;
- int attempts = 0;
-
- if (!ldap_state)
- return (-1);
-
- while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
-
- if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
- continue;
-
- rc = ldap_delete_s(ldap_state->ldap_struct, dn);
- }
-
- if (rc == LDAP_SERVER_DOWN) {
- DEBUG(0,("ldapsam_delete: LDAP server is down!\n"));
- ldapsam_close(ldap_state);
- }
-
- return rc;
-}
-
-static int ldapsam_extended_operation(struct ldapsam_privates *ldap_state, LDAP_CONST char *reqoid, struct berval *reqdata, LDAPControl **serverctrls, LDAPControl **clientctrls, char **retoidp, struct berval **retdatap)
-{
- int rc = LDAP_SERVER_DOWN;
- int attempts = 0;
-
- if (!ldap_state)
- return (-1);
-
- while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
-
- if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
- continue;
-
- rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid, reqdata, serverctrls, clientctrls, retoidp, retdatap);
- }
-
- if (rc == LDAP_SERVER_DOWN) {
- DEBUG(0,("ldapsam_extended_operation: LDAP server is down!\n"));
- ldapsam_close(ldap_state);
- }
-
- return rc;
-}
-
-/*******************************************************************
- run the search by name.
-******************************************************************/
-static int ldapsam_search_one_user (struct ldapsam_privates *ldap_state, const char *filter, LDAPMessage ** result)
-{
- int scope = LDAP_SCOPE_SUBTREE;
- int rc;
-
- DEBUG(2, ("ldapsam_search_one_user: searching for:[%s]\n", filter));
-
- rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope, filter, attr, 0, result);
-
- if (rc != LDAP_SUCCESS) {
- DEBUG(0,("ldapsam_search_one_user: Problem during the LDAP search: %s\n",
- ldap_err2string (rc)));
- DEBUG(3,("ldapsam_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(),
- filter));
- }
-
- return rc;
-}
-
-/*******************************************************************
- run the search by name.
-******************************************************************/
-static int ldapsam_search_one_user_by_name (struct ldapsam_privates *ldap_state, const char *user,
- LDAPMessage ** result)
-{
- pstring filter;
- char *escape_user = escape_ldap_string_alloc(user);
-
- if (!escape_user) {
- return LDAP_NO_MEMORY;
- }
-
- /*
- * in the filter expression, replace %u with the real name
- * so in ldap filter, %u MUST exist :-)
- */
- pstrcpy(filter, lp_ldap_filter());
-
- /*
- * have to use this here because $ is filtered out
- * in pstring_sub
- */
-
-
- all_string_sub(filter, "%u", escape_user, sizeof(pstring));
- SAFE_FREE(escape_user);
-
- return ldapsam_search_one_user(ldap_state, filter, result);
-}
-
-/*******************************************************************
- run the search by uid.
-******************************************************************/
-static int ldapsam_search_one_user_by_uid(struct ldapsam_privates *ldap_state,
- int uid,
- LDAPMessage ** result)
-{
- struct passwd *user;
- pstring filter;
- char *escape_user;
-
- /* Get the username from the system and look that up in the LDAP */
-
- if ((user = getpwuid_alloc(uid)) == NULL) {
- DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid));
- return LDAP_NO_SUCH_OBJECT;
- }
-
- pstrcpy(filter, lp_ldap_filter());
-
- escape_user = escape_ldap_string_alloc(user->pw_name);
- if (!escape_user) {
- passwd_free(&user);
- return LDAP_NO_MEMORY;
- }
-
- all_string_sub(filter, "%u", escape_user, sizeof(pstring));
-
- passwd_free(&user);
- SAFE_FREE(escape_user);
-
- return ldapsam_search_one_user(ldap_state, filter, result);
-}
-
-/*******************************************************************
- run the search by rid.
-******************************************************************/
-static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state,
- uint32 rid,
- LDAPMessage ** result)
-{
- pstring filter;
- int rc;
-
- /* check if the user rid exsists, if not, try searching on the uid */
-
- snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
- rc = ldapsam_search_one_user(ldap_state, filter, result);
-
- if (rc != LDAP_SUCCESS)
- rc = ldapsam_search_one_user_by_uid(ldap_state,
- fallback_pdb_user_rid_to_uid(rid),
- result);
-
- return rc;
-}
-
-/*******************************************************************
-search an attribute and return the first value found.
-******************************************************************/
-static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
- const char *attribute, pstring value)
-{
- char **values;
-
- if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
- value = NULL;
- DEBUG (10, ("get_single_attribute: [%s] = [<does not exist>]\n", attribute));
-
- return False;
- }
-
- pstrcpy(value, values[0]);
- ldap_value_free(values);
-#ifdef DEBUG_PASSWORDS
- DEBUG (100, ("get_single_attribute: [%s] = [%s]\n", attribute, value));
-#endif
- return True;
-}
-
-/************************************************************************
-Routine to manage the LDAPMod structure array
-manage memory used by the array, by each struct, and values
-
-************************************************************************/
-static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
-{
- LDAPMod **mods;
- int i;
- int j;
-
- mods = *modlist;
-
- if (attribute == NULL || *attribute == '\0')
- return;
-
- if (value == NULL || *value == '\0')
- return;
-
- if (mods == NULL)
- {
- mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
- if (mods == NULL)
- {
- DEBUG(0, ("make_a_mod: out of memory!\n"));
- return;
- }
- mods[0] = NULL;
- }
-
- for (i = 0; mods[i] != NULL; ++i) {
- if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
- break;
- }
-
- if (mods[i] == NULL)
- {
- mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *));
- if (mods == NULL)
- {
- DEBUG(0, ("make_a_mod: out of memory!\n"));
- return;
- }
- mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
- if (mods[i] == NULL)
- {
- DEBUG(0, ("make_a_mod: out of memory!\n"));
- return;
- }
- mods[i]->mod_op = modop;
- mods[i]->mod_values = NULL;
- mods[i]->mod_type = strdup(attribute);
- mods[i + 1] = NULL;
- }
-
- if (value != NULL)
- {
- j = 0;
- if (mods[i]->mod_values != NULL) {
- for (; mods[i]->mod_values[j] != NULL; j++);
- }
- mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
- (j + 2) * sizeof (char *));
-
- if (mods[i]->mod_values == NULL) {
- DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
- return;
- }
- mods[i]->mod_values[j] = strdup(value);
- mods[i]->mod_values[j + 1] = NULL;
- }
- *modlist = mods;
-}
-
-/* New Interface is being implemented here */
-
-/**********************************************************************
-Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
-*********************************************************************/
-static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
- SAM_ACCOUNT * sampass,
- LDAPMessage * entry)
-{
- pstring homedir;
- pstring temp;
- uid_t uid;
- gid_t gid;
- char **ldap_values;
- char **values;
-
- if ((ldap_values = ldap_get_values (ldap_state->ldap_struct, entry, "objectClass")) == NULL) {
- DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
- return False;
- }
-
- for (values=ldap_values;*values;values++) {
- if (strcasecmp(*values, "posixAccount") == 0) {
- break;
- }
- }
-
- if (!*values) { /*end of array, no posixAccount */
- DEBUG(10, ("user does not have posixAcccount attributes\n"));
- ldap_value_free(ldap_values);
- return False;
- }
- ldap_value_free(ldap_values);
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir))
- return False;
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
- return False;
-
- uid = (uid_t)atol(temp);
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
- return False;
-
- gid = (gid_t)atol(temp);
-
- pdb_set_unix_homedir(sampass, homedir, PDB_SET);
- pdb_set_uid(sampass, uid, PDB_SET);
- pdb_set_gid(sampass, gid, PDB_SET);
-
- DEBUG(10, ("user has posixAcccount attributes\n"));
- return True;
-}
-
-
-/**********************************************************************
-Initialize SAM_ACCOUNT from an LDAP query
-(Based on init_sam_from_buffer in pdb_tdb.c)
-*********************************************************************/
-static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
- SAM_ACCOUNT * sampass,
- LDAPMessage * entry)
-{
- time_t logon_time,
- logoff_time,
- kickoff_time,
- pass_last_set_time,
- pass_can_change_time,
- pass_must_change_time;
- pstring username,
- domain,
- nt_username,
- fullname,
- homedir,
- dir_drive,
- logon_script,
- profile_path,
- acct_desc,
- munged_dial,
- workstations;
- struct passwd *pw;
- uint32 user_rid,
- group_rid;
- uint8 smblmpwd[LM_HASH_LEN],
- smbntpwd[NT_HASH_LEN];
- uint16 acct_ctrl = 0,
- logon_divs;
- uint32 hours_len;
- uint8 hours[MAX_HOURS_LEN];
- pstring temp;
- uid_t uid = -1;
- gid_t gid = getegid();
-
-
- /*
- * do a little initialization
- */
- username[0] = '\0';
- domain[0] = '\0';
- nt_username[0] = '\0';
- fullname[0] = '\0';
- homedir[0] = '\0';
- dir_drive[0] = '\0';
- logon_script[0] = '\0';
- profile_path[0] = '\0';
- acct_desc[0] = '\0';
- munged_dial[0] = '\0';
- workstations[0] = '\0';
-
-
- if (sampass == NULL || ldap_state == NULL || entry == NULL) {
- DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
- return False;
- }
-
- if (ldap_state->ldap_struct == NULL) {
- DEBUG(0, ("init_sam_from_ldap: ldap_state->ldap_struct is NULL!\n"));
- return False;
- }
-
- get_single_attribute(ldap_state->ldap_struct, entry, "uid", username);
- DEBUG(2, ("Entry found for user: %s\n", username));
-
- pstrcpy(nt_username, username);
-
- pstrcpy(domain, lp_workgroup());
-
- pdb_set_username(sampass, username, PDB_SET);
-
- pdb_set_domain(sampass, domain, PDB_DEFAULT);
- pdb_set_nt_username(sampass, nt_username, PDB_SET);
-
- get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp);
- user_rid = (uint32)atol(temp);
-
- pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
- group_rid = 0;
- } else {
- group_rid = (uint32)atol(temp);
- pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
- }
-
-
- /*
- * If so configured, try and get the values from LDAP
- */
-
- if (!lp_ldap_trust_ids() || (!get_unix_attributes(ldap_state, sampass, entry))) {
-
- /*
- * Otherwise just ask the system getpw() calls.
- */
-
- pw = getpwnam_alloc(username);
- if (pw == NULL) {
- if (! ldap_state->permit_non_unix_accounts) {
- DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
- return False;
- }
- } else {
- uid = pw->pw_uid;
- pdb_set_uid(sampass, uid, PDB_SET);
- gid = pw->pw_gid;
- pdb_set_gid(sampass, gid, PDB_SET);
-
- pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
- passwd_free(&pw);
- }
- }
-
- if (group_rid == 0 && pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT) {
- gid = pdb_get_gid(sampass);
- /* call the mapping code here */
- pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
- }
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdLastSet", temp)) {
- /* leave as default */
- } else {
- pass_last_set_time = (time_t) atol(temp);
- pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
- }
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "logonTime", temp)) {
- /* leave as default */
- } else {
- logon_time = (time_t) atol(temp);
- pdb_set_logon_time(sampass, logon_time, PDB_SET);
- }
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "logoffTime", temp)) {
- /* leave as default */
- } else {
- logoff_time = (time_t) atol(temp);
- pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
- }
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "kickoffTime", temp)) {
- /* leave as default */
- } else {
- kickoff_time = (time_t) atol(temp);
- pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
- }
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdCanChange", temp)) {
- /* leave as default */
- } else {
- pass_can_change_time = (time_t) atol(temp);
- pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
- }
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdMustChange", temp)) {
- /* leave as default */
- } else {
- pass_must_change_time = (time_t) atol(temp);
- pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
- }
-
- /* recommend that 'gecos' and 'displayName' should refer to the same
- * attribute OID. userFullName depreciated, only used by Samba
- * primary rules of LDAP: don't make a new attribute when one is already defined
- * that fits your needs; using cn then displayName rather than 'userFullName'
- */
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "cn", fullname)) {
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "displayName", fullname)) {
- /* leave as default */
- } else {
- pdb_set_fullname(sampass, fullname, PDB_SET);
- }
- } else {
- pdb_set_fullname(sampass, fullname, PDB_SET);
- }
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDrive", dir_drive)) {
- pdb_set_dir_drive(sampass, talloc_sub_specified(sampass->mem_ctx,
- lp_logon_drive(),
- username, domain,
- uid, gid),
- PDB_DEFAULT);
- } else {
- pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
- }
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "smbHome", homedir)) {
- pdb_set_homedir(sampass, talloc_sub_specified(sampass->mem_ctx,
- lp_logon_home(),
- username, domain,
- uid, gid),
- PDB_DEFAULT);
- } else {
- pdb_set_homedir(sampass, homedir, PDB_SET);
- }
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "scriptPath", logon_script)) {
- pdb_set_logon_script(sampass, talloc_sub_specified(sampass->mem_ctx,
- lp_logon_script(),
- username, domain,
- uid, gid),
- PDB_DEFAULT);
- } else {
- pdb_set_logon_script(sampass, logon_script, PDB_SET);
- }
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "profilePath", profile_path)) {
- pdb_set_profile_path(sampass, talloc_sub_specified(sampass->mem_ctx,
- lp_logon_path(),
- username, domain,
- uid, gid),
- PDB_DEFAULT);
- } else {
- pdb_set_profile_path(sampass, profile_path, PDB_SET);
- }
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "description", acct_desc)) {
- /* leave as default */
- } else {
- pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
- }
-
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "userWorkstations", workstations)) {
- /* leave as default */;
- } else {
- pdb_set_workstations(sampass, workstations, PDB_SET);
- }
-
- /* FIXME: hours stuff should be cleaner */
-
- logon_divs = 168;
- hours_len = 21;
- memset(hours, 0xff, hours_len);
-
- if (!get_single_attribute (ldap_state->ldap_struct, entry, "lmPassword", temp)) {
- /* leave as default */
- } else {
- pdb_gethexpwd(temp, smblmpwd);
- memset((char *)temp, '\0', strlen(temp)+1);
- if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
- return False;
- ZERO_STRUCT(smblmpwd);
- }
-
- if (!get_single_attribute (ldap_state->ldap_struct, entry, "ntPassword", temp)) {
- /* leave as default */
- } else {
- pdb_gethexpwd(temp, smbntpwd);
- memset((char *)temp, '\0', strlen(temp)+1);
- if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
- return False;
- ZERO_STRUCT(smbntpwd);
- }
-
- if (!get_single_attribute (ldap_state->ldap_struct, entry, "acctFlags", temp)) {
- acct_ctrl |= ACB_NORMAL;
- } else {
- acct_ctrl = pdb_decode_acct_ctrl(temp);
-
- if (acct_ctrl == 0)
- acct_ctrl |= ACB_NORMAL;
-
- pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
- }
-
- pdb_set_hours_len(sampass, hours_len, PDB_SET);
- pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
-
- pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
-
- /* pdb_set_unknown_3(sampass, unknown3, PDB_SET); */
- /* pdb_set_unknown_5(sampass, unknown5, PDB_SET); */
- /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
-
- pdb_set_hours(sampass, hours, PDB_SET);
-
- return True;
-}
-
-static BOOL need_ldap_mod(BOOL pdb_add, const SAM_ACCOUNT * sampass, enum pdb_elements element) {
- if (pdb_add) {
- return (!IS_SAM_DEFAULT(sampass, element));
- } else {
- return IS_SAM_CHANGED(sampass, element);
- }
-}
-
-/**********************************************************************
-Initialize SAM_ACCOUNT from an LDAP query
-(Based on init_buffer_from_sam in pdb_tdb.c)
-*********************************************************************/
-static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
- LDAPMod *** mods, int ldap_op,
- BOOL pdb_add,
- const SAM_ACCOUNT * sampass)
-{
- pstring temp;
- uint32 rid;
-
- if (mods == NULL || sampass == NULL) {
- DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
- return False;
- }
-
- *mods = NULL;
-
- /*
- * took out adding "objectclass: sambaAccount"
- * do this on a per-mod basis
- */
- if (need_ldap_mod(pdb_add, sampass, PDB_USERNAME)) {
- make_a_mod(mods, ldap_op, "uid", pdb_get_username(sampass));
- DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass)));
- }
-
- if ((rid = pdb_get_user_rid(sampass))!=0 ) {
- if (need_ldap_mod(pdb_add, sampass, PDB_USERSID)) {
- slprintf(temp, sizeof(temp) - 1, "%i", rid);
- make_a_mod(mods, ldap_op, "rid", temp);
- }
- } else if (!IS_SAM_DEFAULT(sampass, PDB_UID)) {
- rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(sampass));
- slprintf(temp, sizeof(temp) - 1, "%i", rid);
- make_a_mod(mods, ldap_op, "rid", temp);
- } else if (ldap_state->permit_non_unix_accounts) {
- rid = ldapsam_get_next_available_nua_rid(ldap_state);
- if (rid == 0) {
- DEBUG(0, ("NO user RID specified on account %s, and findining next available NUA RID failed, cannot store!\n", pdb_get_username(sampass)));
- return False;
- }
- slprintf(temp, sizeof(temp) - 1, "%i", rid);
- make_a_mod(mods, ldap_op, "rid", temp);
- } else {
- DEBUG(0, ("NO user RID specified on account %s, cannot store!\n", pdb_get_username(sampass)));
- return False;
- }
-
-
-
- if ((rid = pdb_get_group_rid(sampass))!=0 ) {
- if (need_ldap_mod(pdb_add, sampass, PDB_GROUPSID)) {
- slprintf(temp, sizeof(temp) - 1, "%i", rid);
- make_a_mod(mods, ldap_op, "primaryGroupID", temp);
- }
- } else if (!IS_SAM_DEFAULT(sampass, PDB_GID)) {
- rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
- slprintf(temp, sizeof(temp) - 1, "%i", rid);
- make_a_mod(mods, ldap_op, "primaryGroupID", temp);
- } else if (ldap_state->permit_non_unix_accounts) {
- rid = DOMAIN_GROUP_RID_USERS;
- slprintf(temp, sizeof(temp) - 1, "%i", rid);
- make_a_mod(mods, ldap_op, "primaryGroupID", temp);
- } else {
- DEBUG(0, ("NO group RID specified on account %s, cannot store!\n", pdb_get_username(sampass)));
- return False;
- }
-
-
- /* displayName, cn, and gecos should all be the same
- * most easily accomplished by giving them the same OID
- * gecos isn't set here b/c it should be handled by the
- * add-user script
- */
- if (need_ldap_mod(pdb_add, sampass, PDB_FULLNAME)) {
- make_a_mod(mods, ldap_op, "displayName", pdb_get_fullname(sampass));
- make_a_mod(mods, ldap_op, "cn", pdb_get_fullname(sampass));
- }
- if (need_ldap_mod(pdb_add, sampass, PDB_ACCTDESC)) {
- make_a_mod(mods, ldap_op, "description", pdb_get_acct_desc(sampass));
- }
- if (need_ldap_mod(pdb_add, sampass, PDB_WORKSTATIONS)) {
- make_a_mod(mods, ldap_op, "userWorkstations", pdb_get_workstations(sampass));
- }
- /*
- * Only updates fields which have been set (not defaults from smb.conf)
- */
-
- if (need_ldap_mod(pdb_add, sampass, PDB_SMBHOME)) {
- make_a_mod(mods, ldap_op, "smbHome", pdb_get_homedir(sampass));
- }
-
- if (need_ldap_mod(pdb_add, sampass, PDB_DRIVE)) {
- make_a_mod(mods, ldap_op, "homeDrive", pdb_get_dir_drive(sampass));
- }
-
- if (need_ldap_mod(pdb_add, sampass, PDB_LOGONSCRIPT)) {
- make_a_mod(mods, ldap_op, "scriptPath", pdb_get_logon_script(sampass));
- }
-
- if (need_ldap_mod(pdb_add, sampass, PDB_PROFILE))
- make_a_mod(mods, ldap_op, "profilePath", pdb_get_profile_path(sampass));
-
- if (need_ldap_mod(pdb_add, sampass, PDB_LOGONTIME)) {
- slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
- make_a_mod(mods, ldap_op, "logonTime", temp);
- }
-
- if (need_ldap_mod(pdb_add, sampass, PDB_LOGOFFTIME)) {
- slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
- make_a_mod(mods, ldap_op, "logoffTime", temp);
- }
-
- if (need_ldap_mod(pdb_add, sampass, PDB_KICKOFFTIME)) {
- slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
- make_a_mod(mods, ldap_op, "kickoffTime", temp);
- }
-
-
- if (need_ldap_mod(pdb_add, sampass, PDB_CANCHANGETIME)) {
- slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
- make_a_mod(mods, ldap_op, "pwdCanChange", temp);
- }
-
- if (need_ldap_mod(pdb_add, sampass, PDB_MUSTCHANGETIME)) {
- slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
- make_a_mod(mods, ldap_op, "pwdMustChange", temp);
- }
-
- if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))||
- (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
-
- if (need_ldap_mod(pdb_add, sampass, PDB_LMPASSWD)) {
- pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass), pdb_get_acct_ctrl(sampass));
- make_a_mod (mods, ldap_op, "lmPassword", temp);
- }
-
- if (need_ldap_mod(pdb_add, sampass, PDB_NTPASSWD)) {
- pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass), pdb_get_acct_ctrl(sampass));
- make_a_mod (mods, ldap_op, "ntPassword", temp);
- }
-
- if (need_ldap_mod(pdb_add, sampass, PDB_PASSLASTSET)) {
- slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
- make_a_mod(mods, ldap_op, "pwdLastSet", temp);
- }
- }
-
- /* FIXME: Hours stuff goes in LDAP */
- if (need_ldap_mod(pdb_add, sampass, PDB_ACCTCTRL)) {
- make_a_mod (mods, ldap_op, "acctFlags", pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass),
- NEW_PW_FORMAT_SPACE_PADDED_LEN));
- }
-
- return True;
-}
-
-
-/**********************************************************************
-Connect to LDAP server and find the next available RID.
-*********************************************************************/
-static uint32 check_nua_rid_is_avail(struct ldapsam_privates *ldap_state, uint32 top_rid)
-{
- LDAPMessage *result;
- uint32 final_rid = (top_rid & (~USER_RID_TYPE)) + RID_MULTIPLIER;
- if (top_rid == 0) {
- return 0;
- }
-
- if (final_rid < ldap_state->low_nua_rid || final_rid > ldap_state->high_nua_rid) {
- return 0;
- }
-
- if (ldapsam_search_one_user_by_rid(ldap_state, final_rid, &result) != LDAP_SUCCESS) {
- DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the confirmation search failed!\n", final_rid, final_rid));
- return 0;
- }
-
- if (ldap_count_entries(ldap_state->ldap_struct, result) != 0) {
- DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the RID is already in use!!\n", final_rid, final_rid));
- ldap_msgfree(result);
- return 0;
- }
-
- DEBUG(5, ("NUA RID %d (0x%x), declared valid\n", final_rid, final_rid));
- ldap_msgfree(result);
- return final_rid;
-}
-
-/**********************************************************************
-Extract the RID from an LDAP entry
-*********************************************************************/
-static uint32 entry_to_user_rid(struct ldapsam_privates *ldap_state, LDAPMessage *entry) {
- uint32 rid;
- SAM_ACCOUNT *user = NULL;
- if (!NT_STATUS_IS_OK(pdb_init_sam(&user))) {
- return 0;
- }
-
- if (init_sam_from_ldap(ldap_state, user, entry)) {
- rid = pdb_get_user_rid(user);
- } else {
- rid =0;
- }
- pdb_free_sam(&user);
- if (rid >= ldap_state->low_nua_rid && rid <= ldap_state->high_nua_rid) {
- return rid;
- }
- return 0;
-}
-
-
-/**********************************************************************
-Connect to LDAP server and find the next available RID.
-*********************************************************************/
-static uint32 search_top_nua_rid(struct ldapsam_privates *ldap_state)
-{
- int rc;
- pstring filter;
- LDAPMessage *result;
- LDAPMessage *entry;
- char *final_filter = NULL;
- uint32 top_rid = 0;
- uint32 count;
- uint32 rid;
-
- pstrcpy(filter, lp_ldap_filter());
- all_string_sub(filter, "%u", "*", sizeof(pstring));
-
-#if 0
- asprintf(&final_filter, "(&(%s)(&(rid>=%d)(rid<=%d)))", filter, ldap_state->low_nua_rid, ldap_state->high_nua_rid);
-#else
- final_filter = strdup(filter);
-#endif
- DEBUG(2, ("ldapsam_get_next_available_nua_rid: searching for:[%s]\n", final_filter));
-
- rc = ldapsam_search(ldap_state, lp_ldap_suffix(),
- LDAP_SCOPE_SUBTREE, final_filter, attr, 0,
- &result);
-
- if (rc != LDAP_SUCCESS) {
- DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc)));
- DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
-
- free(final_filter);
- result = NULL;
- return 0;
- }
-
- count = ldap_count_entries(ldap_state->ldap_struct, result);
- DEBUG(2, ("search_top_nua_rid: %d entries in the base!\n", count));
-
- if (count == 0) {
- DEBUG(3, ("LDAP search returned no records, assuming no non-unix-accounts present!: %s\n", ldap_err2string(rc)));
- DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
- free(final_filter);
- ldap_msgfree(result);
- result = NULL;
- return ldap_state->low_nua_rid;
- }
-
- free(final_filter);
- entry = ldap_first_entry(ldap_state->ldap_struct,result);
-
- top_rid = entry_to_user_rid(ldap_state, entry);
-
- while ((entry = ldap_next_entry(ldap_state->ldap_struct, entry))) {
-
- rid = entry_to_user_rid(ldap_state, entry);
- if (rid > top_rid) {
- top_rid = rid;
- }
- }
-
- ldap_msgfree(result);
-
- if (top_rid < ldap_state->low_nua_rid)
- top_rid = ldap_state->low_nua_rid;
-
- return top_rid;
-}
-
-/**********************************************************************
-Connect to LDAP server and find the next available RID.
-*********************************************************************/
-static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state) {
- uint32 next_nua_rid;
- uint32 top_nua_rid;
-
- top_nua_rid = search_top_nua_rid(ldap_state);
-
- next_nua_rid = check_nua_rid_is_avail(ldap_state,
- top_nua_rid);
-
- return next_nua_rid;
-}
-
-/**********************************************************************
-Connect to LDAP server for password enumeration
-*********************************************************************/
-static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
-{
- struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
- int rc;
- pstring filter;
-
- pstrcpy(filter, lp_ldap_filter());
- all_string_sub(filter, "%u", "*", sizeof(pstring));
-
- rc = ldapsam_search(ldap_state, lp_ldap_suffix(),
- LDAP_SCOPE_SUBTREE, filter, attr, 0,
- &ldap_state->result);
-
- if (rc != LDAP_SUCCESS) {
- DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
- DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
- ldap_msgfree(ldap_state->result);
- ldap_state->result = NULL;
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
- ldap_count_entries(ldap_state->ldap_struct,
- ldap_state->result)));
-
- ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct,
- ldap_state->result);
- ldap_state->index = 0;
-
- return NT_STATUS_OK;
-}
-
-/**********************************************************************
-End enumeration of the LDAP password list
-*********************************************************************/
-static void ldapsam_endsampwent(struct pdb_methods *my_methods)
-{
- struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
- if (ldap_state->result) {
- ldap_msgfree(ldap_state->result);
- ldap_state->result = NULL;
- }
-}
-
-/**********************************************************************
-Get the next entry in the LDAP password database
-*********************************************************************/
-static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
- BOOL bret = False;
-
- /* The rebind proc needs this *HACK*. We are not multithreaded, so
- this will work, but it's not nice. */
- static_ldap_state = ldap_state;
-
- while (!bret) {
- if (!ldap_state->entry)
- return ret;
-
- ldap_state->index++;
- bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
-
- ldap_state->entry = ldap_next_entry(ldap_state->ldap_struct,
- ldap_state->entry);
- }
-
- return NT_STATUS_OK;
-}
-
-/**********************************************************************
-Get SAM_ACCOUNT entry from LDAP by username
-*********************************************************************/
-static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
- LDAPMessage *result;
- LDAPMessage *entry;
- int count;
-
- if (ldapsam_search_one_user_by_name(ldap_state, sname, &result) != LDAP_SUCCESS) {
- return NT_STATUS_NO_SUCH_USER;
- }
-
- count = ldap_count_entries(ldap_state->ldap_struct, result);
-
- if (count < 1) {
- DEBUG(4,
- ("We don't find this user [%s] count=%d\n", sname,
- count));
- return NT_STATUS_NO_SUCH_USER;
- } else if (count > 1) {
- DEBUG(1,
- ("Duplicate entries for this user [%s] Failing. count=%d\n", sname,
- count));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- entry = ldap_first_entry(ldap_state->ldap_struct, result);
- if (entry) {
- if (!init_sam_from_ldap(ldap_state, user, entry)) {
- DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
- ldap_msgfree(result);
- return NT_STATUS_NO_SUCH_USER;
- }
- ldap_msgfree(result);
- ret = NT_STATUS_OK;
- } else {
- ldap_msgfree(result);
- }
- return ret;
-}
-
-/**********************************************************************
-Get SAM_ACCOUNT entry from LDAP by rid
-*********************************************************************/
-static NTSTATUS ldapsam_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT *user, uint32 rid)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct ldapsam_privates *ldap_state =
- (struct ldapsam_privates *)my_methods->private_data;
- LDAPMessage *result;
- LDAPMessage *entry;
- int count;
-
- if (ldapsam_search_one_user_by_rid(ldap_state, rid, &result) != LDAP_SUCCESS) {
- return NT_STATUS_NO_SUCH_USER;
- }
-
- count = ldap_count_entries(ldap_state->ldap_struct, result);
-
- if (count < 1) {
- DEBUG(4,
- ("We don't find this rid [%i] count=%d\n", rid,
- count));
- return NT_STATUS_NO_SUCH_USER;
- } else if (count > 1) {
- DEBUG(1,
- ("More than one user with rid [%i]. Failing. count=%d\n", rid,
- count));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- entry = ldap_first_entry(ldap_state->ldap_struct, result);
- if (entry) {
- if (!init_sam_from_ldap(ldap_state, user, entry)) {
- DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
- ldap_msgfree(result);
- return NT_STATUS_NO_SUCH_USER;
- }
- ldap_msgfree(result);
- ret = NT_STATUS_OK;
- } else {
- ldap_msgfree(result);
- }
- return ret;
-}
-
-static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
-{
- uint32 rid;
- if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
- return NT_STATUS_NO_SUCH_USER;
- return ldapsam_getsampwrid(my_methods, user, rid);
-}
-
-/********************************************************************
-Do the actual modification - also change a plaittext passord if
-it it set.
-**********************************************************************/
-
-static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
- SAM_ACCOUNT *newpwd, char *dn,
- LDAPMod **mods, int ldap_op, BOOL pdb_add)
-{
- struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
- int rc;
-
- if (!my_methods || !newpwd || !dn) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (!mods) {
- DEBUG(5,("mods is empty: nothing to modify\n"));
- /* may be password change below however */
- } else {
- switch(ldap_op)
- {
- case LDAP_MOD_ADD:
- make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "account");
- rc = ldapsam_add(ldap_state, dn, mods);
- break;
- case LDAP_MOD_REPLACE:
- rc = ldapsam_modify(ldap_state, dn ,mods);
- break;
- default:
- DEBUG(0,("Wrong LDAP operation type: %d!\n", ldap_op));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (rc!=LDAP_SUCCESS) {
- char *ld_error;
- ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
- &ld_error);
- DEBUG(1,
- ("failed to %s user dn= %s with: %s\n\t%s\n",
- ldap_op == LDAP_MOD_ADD ? "add" : "modify",
- dn, ldap_err2string(rc),
- ld_error));
- free(ld_error);
- return NT_STATUS_UNSUCCESSFUL;
- }
- }
-
-#ifdef LDAP_EXOP_X_MODIFY_PASSWD
- if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))&&
- (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_OFF)&&
- need_ldap_mod(pdb_add, newpwd, PDB_PLAINTEXT_PW)&&
- (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
- BerElement *ber;
- struct berval *bv;
- char *retoid;
- struct berval *retdata;
-
- if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
- DEBUG(0,("ber_alloc_t returns NULL\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
- ber_printf (ber, "{");
- ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID,dn);
- ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, pdb_get_plaintext_passwd(newpwd));
- ber_printf (ber, "N}");
-
- if ((rc = ber_flatten (ber, &bv))<0) {
- DEBUG(0,("ber_flatten returns a value <0\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- ber_free(ber,1);
-
- if ((rc = ldapsam_extended_operation(ldap_state, LDAP_EXOP_X_MODIFY_PASSWD,
- bv, NULL, NULL, &retoid, &retdata))!=LDAP_SUCCESS) {
- DEBUG(0,("LDAP Password could not be changed for user %s: %s\n",
- pdb_get_username(newpwd),ldap_err2string(rc)));
- } else {
- DEBUG(3,("LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
-
- ber_bvfree(retdata);
- ber_memfree(retoid);
- }
- ber_bvfree(bv);
- }
-#else
- DEBUG(10,("LDAP PASSWORD SYNC is not supported!\n"));
-#endif /* LDAP_EXOP_X_MODIFY_PASSWD */
- return NT_STATUS_OK;
-}
-
-/**********************************************************************
-Delete entry from LDAP for username
-*********************************************************************/
-static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
-{
- struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
- const char *sname;
- int rc;
- char *dn;
- LDAPMessage *entry;
- LDAPMessage *result;
-
- if (!sam_acct) {
- DEBUG(0, ("sam_acct was NULL!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- sname = pdb_get_username(sam_acct);
-
- DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
-
- rc = ldapsam_search_one_user_by_name(ldap_state, sname, &result);
- if (rc != LDAP_SUCCESS) {
- return NT_STATUS_NO_SUCH_USER;
- }
-
- if (ldap_count_entries (ldap_state->ldap_struct, result) == 0) {
- DEBUG (0, ("User doesn't exit!\n"));
- ldap_msgfree (result);
- return NT_STATUS_NO_SUCH_USER;
- }
-
- entry = ldap_first_entry (ldap_state->ldap_struct, result);
- dn = ldap_get_dn (ldap_state->ldap_struct, entry);
- ldap_msgfree(result);
-
- rc = ldapsam_delete(ldap_state, dn);
-
- ldap_memfree (dn);
- if (rc != LDAP_SUCCESS) {
- char *ld_error;
- ldap_get_option (ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
- DEBUG (0,("failed to delete user with uid = %s with: %s\n\t%s\n",
- sname, ldap_err2string (rc), ld_error));
- free (ld_error);
- return NT_STATUS_CANNOT_DELETE;
- }
-
- DEBUG (2,("successfully deleted uid = %s from the LDAP database\n", sname));
- return NT_STATUS_OK;
-}
-
-/**********************************************************************
-Update SAM_ACCOUNT
-*********************************************************************/
-static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
- int rc;
- char *dn;
- LDAPMessage *result;
- LDAPMessage *entry;
- LDAPMod **mods;
-
- if (!init_ldap_from_sam(ldap_state, &mods, LDAP_MOD_REPLACE, False, newpwd)) {
- DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (mods == NULL) {
- DEBUG(4,("mods is empty: nothing to update for user: %s\n",pdb_get_username(newpwd)));
- return NT_STATUS_OK;
- }
-
- rc = ldapsam_search_one_user_by_name(ldap_state, pdb_get_username(newpwd), &result);
- if (rc != LDAP_SUCCESS) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (ldap_count_entries(ldap_state->ldap_struct, result) == 0) {
- DEBUG(0, ("No user to modify!\n"));
- ldap_msgfree(result);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- entry = ldap_first_entry(ldap_state->ldap_struct, result);
- dn = ldap_get_dn(ldap_state->ldap_struct, entry);
- ldap_msgfree(result);
-
- ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, False);
- if (NT_STATUS_IS_ERR(ret)) {
- DEBUG(0,("failed to modify user with uid = %s\n",
- pdb_get_username(newpwd)));
- ldap_mods_free(mods,1);
- return ret;
- }
-
-
- DEBUG(2,
- ("successfully modified uid = %s in the LDAP database\n",
- pdb_get_username(newpwd)));
- ldap_mods_free(mods, 1);
- return NT_STATUS_OK;
-}
-
-/**********************************************************************
-Add SAM_ACCOUNT to LDAP
-*********************************************************************/
-static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
- int rc;
- pstring filter;
- LDAPMessage *result = NULL;
- pstring dn;
- LDAPMod **mods = NULL;
- int ldap_op;
- uint32 num_result;
-
- const char *username = pdb_get_username(newpwd);
- if (!username || !*username) {
- DEBUG(0, ("Cannot add user without a username!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- rc = ldapsam_search_one_user_by_name (ldap_state, username, &result);
- if (rc != LDAP_SUCCESS) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (ldap_count_entries(ldap_state->ldap_struct, result) != 0) {
- DEBUG(0,("User '%s' already in the base, with samba properties\n",
- username));
- ldap_msgfree(result);
- return NT_STATUS_UNSUCCESSFUL;
- }
- ldap_msgfree(result);
-
- slprintf (filter, sizeof (filter) - 1, "uid=%s", username);
- rc = ldapsam_search_one_user(ldap_state, filter, &result);
- if (rc != LDAP_SUCCESS) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- num_result = ldap_count_entries(ldap_state->ldap_struct, result);
-
- if (num_result > 1) {
- DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
- ldap_msgfree(result);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- /* Check if we need to update an existing entry */
- if (num_result == 1) {
- char *tmp;
- LDAPMessage *entry;
-
- DEBUG(3,("User exists without samba properties: adding them\n"));
- ldap_op = LDAP_MOD_REPLACE;
- entry = ldap_first_entry (ldap_state->ldap_struct, result);
- tmp = ldap_get_dn (ldap_state->ldap_struct, entry);
- slprintf (dn, sizeof (dn) - 1, "%s", tmp);
- ldap_memfree (tmp);
- } else {
- /* Check if we need to add an entry */
- DEBUG(3,("Adding new user\n"));
- ldap_op = LDAP_MOD_ADD;
- if (username[strlen(username)-1] == '$') {
- slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
- } else {
- slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
- }
- }
-
- ldap_msgfree(result);
-
- if (!init_ldap_from_sam(ldap_state, &mods, ldap_op, True, newpwd)) {
- DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
- ldap_mods_free(mods, 1);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (mods == NULL) {
- DEBUG(0,("mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
-
- ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, True);
- if (NT_STATUS_IS_ERR(ret)) {
- DEBUG(0,("failed to modify/add user with uid = %s (dn = %s)\n",
- pdb_get_username(newpwd),dn));
- ldap_mods_free(mods,1);
- return ret;
- }
-
- DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd)));
- ldap_mods_free(mods, 1);
- return NT_STATUS_OK;
-}
-
-static void free_private_data(void **vp)
-{
- struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
-
- ldapsam_close(*ldap_state);
-
- if ((*ldap_state)->bind_secret) {
- memset((*ldap_state)->bind_secret, '\0', strlen((*ldap_state)->bind_secret));
- }
-
- ldapsam_close(*ldap_state);
-
- SAFE_FREE((*ldap_state)->bind_dn);
- SAFE_FREE((*ldap_state)->bind_secret);
-
- *ldap_state = NULL;
-
- /* No need to free any further, as it is talloc()ed */
-}
-
-static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
- struct ldapsam_privates *ldap_state;
-
- if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "ldapsam";
-
- (*pdb_method)->setsampwent = ldapsam_setsampwent;
- (*pdb_method)->endsampwent = ldapsam_endsampwent;
- (*pdb_method)->getsampwent = ldapsam_getsampwent;
- (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
- (*pdb_method)->getsampwsid = ldapsam_getsampwsid;
- (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
- (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
- (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
-
- /* TODO: Setup private data and free */
-
- ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct ldapsam_privates));
-
- if (!ldap_state) {
- DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- if (location) {
- ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location);
-#ifdef WITH_LDAP_SAMCONFIG
- } else {
- int ldap_port = lp_ldap_port();
-
- /* remap default port if not using SSL (ie clear or TLS) */
- if ( (lp_ldap_ssl() != LDAP_SSL_ON) && (ldap_port == 636) ) {
- ldap_port = 389;
- }
-
- ldap_state->uri = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON ? "ldaps" : "ldap", lp_ldap_server(), ldap_port);
- if (!ldap_state->uri) {
- return NT_STATUS_NO_MEMORY;
- }
-#else
- } else {
- ldap_state->uri = "ldap://localhost";
-#endif
- }
-
- (*pdb_method)->private_data = ldap_state;
-
- (*pdb_method)->free_private_data = free_private_data;
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
- struct ldapsam_privates *ldap_state;
- uint32 low_nua_uid, high_nua_uid;
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "ldapsam_nua";
-
- ldap_state = (*pdb_method)->private_data;
-
- ldap_state->permit_non_unix_accounts = True;
-
- if (!lp_non_unix_account_range(&low_nua_uid, &high_nua_uid)) {
- DEBUG(0, ("cannot use ldapsam_nua without 'non unix account range' in smb.conf!\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- ldap_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid);
-
- ldap_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid);
-
- return NT_STATUS_OK;
-}
-
-NTSTATUS passdb_ldap_init(void)
-{
- NTSTATUS ret;
- struct passdb_ops ops;
-
- /* fill in our name */
- ops.name = "ldapsam";
- /* fill in all the operations */
- ops.init = pdb_init_ldapsam;
-
- /* register ourselves with the PASSDB subsystem. */
- ret = register_backend("passdb", &ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register '%s' PASSDB backend!\n",
- ops.name));
- return ret;
- }
-
- /* fill in our name */
- ops.name = "ldapsam_nua";
- /* fill in all the operations */
- ops.init = pdb_init_ldapsam_nua;
-
- /* register ourselves with the PASSDB subsystem. */
- ret = register_backend("passdb", &ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register '%s' PASSDB backend!\n",
- ops.name));
- return ret;
- }
-
- return ret;
-}
+++ /dev/null
-/*
- * Unix SMB/CIFS implementation.
- * SMB parameters and setup
- * Copyright (C) Andrew Tridgell 1992-1998
- * Modified by Jeremy Allison 1995.
- * Modified by Gerald (Jerry) Carter 2000-2001
- * Modified by Andrew Bartlett 2002.
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 2 of the License, or (at your option)
- * any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 675
- * Mass Ave, Cambridge, MA 02139, USA.
- */
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_PASSDB
-
-/*
- smb_passwd is analogous to sam_passwd used everywhere
- else. However, smb_passwd is limited to the information
- stored by an smbpasswd entry
- */
-
-struct smb_passwd
-{
- BOOL smb_userid_set; /* this is actually the unix uid_t */
- uint32 smb_userid; /* this is actually the unix uid_t */
- const char *smb_name; /* username string */
-
- const unsigned char *smb_passwd; /* Null if no password */
- const unsigned char *smb_nt_passwd; /* Null if no password */
-
- uint16 acct_ctrl; /* account info (ACB_xxxx bit-mask) */
- time_t pass_last_set_time; /* password last set time */
-};
-
-struct smbpasswd_privates
-{
- /* used for maintain locks on the smbpasswd file */
- int pw_file_lock_depth;
-
- /* Global File pointer */
- FILE *pw_file;
-
- /* formerly static variables */
- struct smb_passwd pw_buf;
- pstring user_name;
- unsigned char smbpwd[16];
- unsigned char smbntpwd[16];
-
- /* retrive-once info */
- const char *smbpasswd_file;
-
- BOOL permit_non_unix_accounts;
-
- uint32 low_nua_userid;
- uint32 high_nua_userid;
-
-};
-
-enum pwf_access_type { PWF_READ, PWF_UPDATE, PWF_CREATE };
-
-/***************************************************************
- Lock an fd. Abandon after waitsecs seconds.
-****************************************************************/
-
-static BOOL pw_file_lock(int fd, int type, int secs, int *plock_depth)
-{
- if (fd < 0)
- return False;
-
- if(*plock_depth == 0) {
- if (!do_file_lock(fd, secs, type)) {
- DEBUG(10,("pw_file_lock: locking file failed, error = %s.\n",
- strerror(errno)));
- return False;
- }
- }
-
- (*plock_depth)++;
-
- return True;
-}
-
-/***************************************************************
- Unlock an fd. Abandon after waitsecs seconds.
-****************************************************************/
-
-static BOOL pw_file_unlock(int fd, int *plock_depth)
-{
- BOOL ret=True;
-
- if (fd == 0 || *plock_depth == 0) {
- return True;
- }
-
- if(*plock_depth == 1)
- ret = do_file_lock(fd, 5, F_UNLCK);
-
- if (*plock_depth > 0)
- (*plock_depth)--;
-
- if(!ret)
- DEBUG(10,("pw_file_unlock: unlocking file failed, error = %s.\n",
- strerror(errno)));
- return ret;
-}
-
-
-/**************************************************************
- Intialize a smb_passwd struct
- *************************************************************/
-
-static void pdb_init_smb(struct smb_passwd *user)
-{
- if (user == NULL)
- return;
- ZERO_STRUCTP (user);
-
- user->pass_last_set_time = (time_t)0;
-}
-
-/***************************************************************
- Internal fn to enumerate the smbpasswd list. Returns a void pointer
- to ensure no modification outside this module. Checks for atomic
- rename of smbpasswd file on update or create once the lock has
- been granted to prevent race conditions. JRA.
-****************************************************************/
-
-static FILE *startsmbfilepwent(const char *pfile, enum pwf_access_type type, int *lock_depth)
-{
- FILE *fp = NULL;
- const char *open_mode = NULL;
- int race_loop = 0;
- int lock_type = F_RDLCK;
-
- if (!*pfile) {
- DEBUG(0, ("startsmbfilepwent: No SMB password file set\n"));
- return (NULL);
- }
-
- switch(type) {
- case PWF_READ:
- open_mode = "rb";
- lock_type = F_RDLCK;
- break;
- case PWF_UPDATE:
- open_mode = "r+b";
- lock_type = F_WRLCK;
- break;
- case PWF_CREATE:
- /*
- * Ensure atomic file creation.
- */
- {
- int i, fd = -1;
-
- for(i = 0; i < 5; i++) {
- if((fd = sys_open(pfile, O_CREAT|O_TRUNC|O_EXCL|O_RDWR, 0600))!=-1)
- break;
- sys_usleep(200); /* Spin, spin... */
- }
- if(fd == -1) {
- DEBUG(0,("startsmbfilepwent_internal: too many race conditions creating file %s\n", pfile));
- return NULL;
- }
- close(fd);
- open_mode = "r+b";
- lock_type = F_WRLCK;
- break;
- }
- }
-
- for(race_loop = 0; race_loop < 5; race_loop++) {
- DEBUG(10, ("startsmbfilepwent_internal: opening file %s\n", pfile));
-
- if((fp = sys_fopen(pfile, open_mode)) == NULL) {
- DEBUG(0, ("startsmbfilepwent_internal: unable to open file %s. Error was %s\n", pfile, strerror(errno) ));
- return NULL;
- }
-
- if (!pw_file_lock(fileno(fp), lock_type, 5, lock_depth)) {
- DEBUG(0, ("startsmbfilepwent_internal: unable to lock file %s. Error was %s\n", pfile, strerror(errno) ));
- fclose(fp);
- return NULL;
- }
-
- /*
- * Only check for replacement races on update or create.
- * For read we don't mind if the data is one record out of date.
- */
-
- if(type == PWF_READ) {
- break;
- } else {
- SMB_STRUCT_STAT sbuf1, sbuf2;
-
- /*
- * Avoid the potential race condition between the open and the lock
- * by doing a stat on the filename and an fstat on the fd. If the
- * two inodes differ then someone did a rename between the open and
- * the lock. Back off and try the open again. Only do this 5 times to
- * prevent infinate loops. JRA.
- */
-
- if (sys_stat(pfile,&sbuf1) != 0) {
- DEBUG(0, ("startsmbfilepwent_internal: unable to stat file %s. Error was %s\n", pfile, strerror(errno)));
- pw_file_unlock(fileno(fp), lock_depth);
- fclose(fp);
- return NULL;
- }
-
- if (sys_fstat(fileno(fp),&sbuf2) != 0) {
- DEBUG(0, ("startsmbfilepwent_internal: unable to fstat file %s. Error was %s\n", pfile, strerror(errno)));
- pw_file_unlock(fileno(fp), lock_depth);
- fclose(fp);
- return NULL;
- }
-
- if( sbuf1.st_ino == sbuf2.st_ino) {
- /* No race. */
- break;
- }
-
- /*
- * Race occurred - back off and try again...
- */
-
- pw_file_unlock(fileno(fp), lock_depth);
- fclose(fp);
- }
- }
-
- if(race_loop == 5) {
- DEBUG(0, ("startsmbfilepwent_internal: too many race conditions opening file %s\n", pfile));
- return NULL;
- }
-
- /* Set a buffer to do more efficient reads */
- setvbuf(fp, (char *)NULL, _IOFBF, 1024);
-
- /* Make sure it is only rw by the owner */
- if(fchmod(fileno(fp), S_IRUSR|S_IWUSR) == -1) {
- DEBUG(0, ("startsmbfilepwent_internal: failed to set 0600 permissions on password file %s. \
-Error was %s\n.", pfile, strerror(errno) ));
- pw_file_unlock(fileno(fp), lock_depth);
- fclose(fp);
- return NULL;
- }
-
- /* We have a lock on the file. */
- return fp;
-}
-
-/***************************************************************
- End enumeration of the smbpasswd list.
-****************************************************************/
-static void endsmbfilepwent(FILE *fp, int *lock_depth)
-{
- if (!fp) {
- return;
- }
-
- pw_file_unlock(fileno(fp), lock_depth);
- fclose(fp);
- DEBUG(7, ("endsmbfilepwent_internal: closed password file.\n"));
-}
-
-/*************************************************************************
- Routine to return the next entry in the smbpasswd list.
- *************************************************************************/
-
-static struct smb_passwd *getsmbfilepwent(struct smbpasswd_privates *smbpasswd_state, FILE *fp)
-{
- /* Static buffers we will return. */
- struct smb_passwd *pw_buf = &smbpasswd_state->pw_buf;
- char *user_name = smbpasswd_state->user_name;
- unsigned char *smbpwd = smbpasswd_state->smbpwd;
- unsigned char *smbntpwd = smbpasswd_state->smbntpwd;
- char linebuf[256];
- unsigned char c;
- unsigned char *p;
- long uidval;
- size_t linebuf_len;
-
- if(fp == NULL) {
- DEBUG(0,("getsmbfilepwent: Bad password file pointer.\n"));
- return NULL;
- }
-
- pdb_init_smb(pw_buf);
-
- pw_buf->acct_ctrl = ACB_NORMAL;
-
- /*
- * Scan the file, a line at a time and check if the name matches.
- */
- while (!feof(fp)) {
- linebuf[0] = '\0';
-
- fgets(linebuf, 256, fp);
- if (ferror(fp)) {
- return NULL;
- }
-
- /*
- * Check if the string is terminated with a newline - if not
- * then we must keep reading and discard until we get one.
- */
- if ((linebuf_len = strlen(linebuf)) == 0)
- continue;
-
- if (linebuf[linebuf_len - 1] != '\n') {
- c = '\0';
- while (!ferror(fp) && !feof(fp)) {
- c = fgetc(fp);
- if (c == '\n')
- break;
- }
- } else
- linebuf[linebuf_len - 1] = '\0';
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100, ("getsmbfilepwent: got line |%s|\n", linebuf));
-#endif
- if ((linebuf[0] == 0) && feof(fp)) {
- DEBUG(4, ("getsmbfilepwent: end of file reached\n"));
- break;
- }
- /*
- * The line we have should be of the form :-
- *
- * username:uid:32hex bytes:[Account type]:LCT-12345678....other flags presently
- * ignored....
- *
- * or,
- *
- * username:uid:32hex bytes:32hex bytes:[Account type]:LCT-12345678....ignored....
- *
- * if Windows NT compatible passwords are also present.
- * [Account type] is an ascii encoding of the type of account.
- * LCT-(8 hex digits) is the time_t value of the last change time.
- */
-
- if (linebuf[0] == '#' || linebuf[0] == '\0') {
- DEBUG(6, ("getsmbfilepwent: skipping comment or blank line\n"));
- continue;
- }
- p = (unsigned char *) strchr_m(linebuf, ':');
- if (p == NULL) {
- DEBUG(0, ("getsmbfilepwent: malformed password entry (no :)\n"));
- continue;
- }
- /*
- * As 256 is shorter than a pstring we don't need to check
- * length here - if this ever changes....
- */
- SMB_ASSERT(sizeof(pstring) > sizeof(linebuf));
-
- strncpy(user_name, linebuf, PTR_DIFF(p, linebuf));
- user_name[PTR_DIFF(p, linebuf)] = '\0';
-
- /* Get smb uid. */
-
- p++; /* Go past ':' */
-
- if(*p == '-') {
- DEBUG(0, ("getsmbfilepwent: uids in the smbpasswd file must not be negative.\n"));
- continue;
- }
-
- if (!isdigit(*p)) {
- DEBUG(0, ("getsmbfilepwent: malformed password entry (uid not number)\n"));
- continue;
- }
-
- uidval = atoi((char *) p);
-
- while (*p && isdigit(*p))
- p++;
-
- if (*p != ':') {
- DEBUG(0, ("getsmbfilepwent: malformed password entry (no : after uid)\n"));
- continue;
- }
-
- pw_buf->smb_name = user_name;
- pw_buf->smb_userid = uidval;
-
- /*
- * Now get the password value - this should be 32 hex digits
- * which are the ascii representations of a 16 byte string.
- * Get two at a time and put them into the password.
- */
-
- /* Skip the ':' */
- p++;
-
- if (linebuf_len < (PTR_DIFF(p, linebuf) + 33)) {
- DEBUG(0, ("getsmbfilepwent: malformed password entry (passwd too short)\n"));
- continue;
- }
-
- if (p[32] != ':') {
- DEBUG(0, ("getsmbfilepwent: malformed password entry (no terminating :)\n"));
- continue;
- }
-
- if (!strncasecmp((char *) p, "NO PASSWORD", 11)) {
- pw_buf->smb_passwd = NULL;
- pw_buf->acct_ctrl |= ACB_PWNOTREQ;
- } else {
- if (*p == '*' || *p == 'X') {
- /* NULL LM password */
- pw_buf->smb_passwd = NULL;
- DEBUG(10, ("getsmbfilepwent: LM password for user %s invalidated\n", user_name));
- } else if (pdb_gethexpwd((char *)p, smbpwd)) {
- pw_buf->smb_passwd = smbpwd;
- } else {
- pw_buf->smb_passwd = NULL;
- DEBUG(0, ("getsmbfilepwent: Malformed Lanman password entry (non hex chars)\n"));
- }
- }
-
- /*
- * Now check if the NT compatible password is
- * available.
- */
- pw_buf->smb_nt_passwd = NULL;
-
- p += 33; /* Move to the first character of the line after
- the lanman password. */
- if ((linebuf_len >= (PTR_DIFF(p, linebuf) + 33)) && (p[32] == ':')) {
- if (*p != '*' && *p != 'X') {
- if(pdb_gethexpwd((char *)p,smbntpwd))
- pw_buf->smb_nt_passwd = smbntpwd;
- }
- p += 33; /* Move to the first character of the line after
- the NT password. */
- }
-
- DEBUG(5,("getsmbfilepwent: returning passwd entry for user %s, uid %ld\n",
- user_name, uidval));
-
- if (*p == '[')
- {
- unsigned char *end_p = (unsigned char *)strchr_m((char *)p, ']');
- pw_buf->acct_ctrl = pdb_decode_acct_ctrl((char*)p);
-
- /* Must have some account type set. */
- if(pw_buf->acct_ctrl == 0)
- pw_buf->acct_ctrl = ACB_NORMAL;
-
- /* Now try and get the last change time. */
- if(end_p)
- p = end_p + 1;
- if(*p == ':') {
- p++;
- if(*p && (StrnCaseCmp((char *)p, "LCT-", 4)==0)) {
- int i;
- p += 4;
- for(i = 0; i < 8; i++) {
- if(p[i] == '\0' || !isxdigit(p[i]))
- break;
- }
- if(i == 8) {
- /*
- * p points at 8 characters of hex digits -
- * read into a time_t as the seconds since
- * 1970 that the password was last changed.
- */
- pw_buf->pass_last_set_time = (time_t)strtol((char *)p, NULL, 16);
- }
- }
- }
- } else {
- /* 'Old' style file. Fake up based on user name. */
- /*
- * Currently trust accounts are kept in the same
- * password file as 'normal accounts'. If this changes
- * we will have to fix this code. JRA.
- */
- if(pw_buf->smb_name[strlen(pw_buf->smb_name) - 1] == '$') {
- pw_buf->acct_ctrl &= ~ACB_NORMAL;
- pw_buf->acct_ctrl |= ACB_WSTRUST;
- }
- }
-
- return pw_buf;
- }
-
- DEBUG(5,("getsmbfilepwent: end of file reached.\n"));
- return NULL;
-}
-
-/************************************************************************
- Create a new smbpasswd entry - malloced space returned.
-*************************************************************************/
-
-static char *format_new_smbpasswd_entry(const struct smb_passwd *newpwd)
-{
- int new_entry_length;
- char *new_entry;
- char *p;
-
- new_entry_length = strlen(newpwd->smb_name) + 1 + 15 + 1 + 32 + 1 + 32 + 1 + NEW_PW_FORMAT_SPACE_PADDED_LEN + 1 + 13 + 2;
-
- if((new_entry = (char *)malloc( new_entry_length )) == NULL) {
- DEBUG(0, ("format_new_smbpasswd_entry: Malloc failed adding entry for user %s.\n", newpwd->smb_name ));
- return NULL;
- }
-
- slprintf(new_entry, new_entry_length - 1, "%s:%u:", newpwd->smb_name, (unsigned)newpwd->smb_userid);
-
- p = new_entry+strlen(new_entry);
-
- pdb_sethexpwd(p, newpwd->smb_passwd, newpwd->acct_ctrl);
-
- p+=strlen(p); *p = ':'; p++;
-
- pdb_sethexpwd(p, newpwd->smb_nt_passwd, newpwd->acct_ctrl);
-
- p+=strlen(p); *p = ':'; p++;
-
- /* Add the account encoding and the last change time. */
- slprintf((char *)p, new_entry_length - 1 - (p - new_entry), "%s:LCT-%08X:\n",
- pdb_encode_acct_ctrl(newpwd->acct_ctrl, NEW_PW_FORMAT_SPACE_PADDED_LEN),
- (uint32)newpwd->pass_last_set_time);
-
- return new_entry;
-}
-
-/************************************************************************
- Routine to add an entry to the smbpasswd file.
-*************************************************************************/
-
-static BOOL add_smbfilepwd_entry(struct smbpasswd_privates *smbpasswd_state, struct smb_passwd *newpwd)
-{
- const char *pfile = smbpasswd_state->smbpasswd_file;
- struct smb_passwd *pwd = NULL;
- FILE *fp = NULL;
- int wr_len;
- int fd;
- size_t new_entry_length;
- char *new_entry;
- SMB_OFF_T offpos;
- uint32 max_found_uid = 0;
-
- /* Open the smbpassword file - for update. */
- fp = startsmbfilepwent(pfile, PWF_UPDATE, &(smbpasswd_state->pw_file_lock_depth));
-
- if (fp == NULL && errno == ENOENT) {
- /* Try again - create. */
- fp = startsmbfilepwent(pfile, PWF_CREATE, &(smbpasswd_state->pw_file_lock_depth));
- }
-
- if (fp == NULL) {
- DEBUG(0, ("add_smbfilepwd_entry: unable to open file.\n"));
- return False;
- }
-
- /*
- * Scan the file, a line at a time and check if the name matches.
- */
-
- while ((pwd = getsmbfilepwent(smbpasswd_state, fp)) != NULL)
- {
- if (strequal(newpwd->smb_name, pwd->smb_name))
- {
- DEBUG(0, ("add_smbfilepwd_entry: entry with name %s already exists\n", pwd->smb_name));
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
- return False;
- }
-
- /* Look for a free uid for use in non-unix accounts */
- if (pwd->smb_userid > max_found_uid) {
- max_found_uid = pwd->smb_userid;
- }
- }
-
- /* Ok - entry doesn't exist. We can add it */
-
- /* Account not in /etc/passwd hack!!! */
- if (!newpwd->smb_userid_set) {
- if (!smbpasswd_state->permit_non_unix_accounts) {
- DEBUG(0, ("add_smbfilepwd_entry: cannot add account %s without unix identity\n", newpwd->smb_name));
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
- return False;
- }
-
- if (max_found_uid < smbpasswd_state->low_nua_userid) {
- newpwd->smb_userid = smbpasswd_state->low_nua_userid;
- newpwd->smb_userid_set = True;
- } else if (max_found_uid >= smbpasswd_state->high_nua_userid) {
- DEBUG(0, ("add_smbfilepwd_entry: cannot add machine %s, no uids are free! \n", newpwd->smb_name));
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
- return False;
- } else {
- newpwd->smb_userid = max_found_uid + 1;
- newpwd->smb_userid_set = True;
- }
- }
-
-
- /* Create a new smb passwd entry and set it to the given password. */
- /*
- * The add user write needs to be atomic - so get the fd from
- * the fp and do a raw write() call.
- */
- fd = fileno(fp);
-
- if((offpos = sys_lseek(fd, 0, SEEK_END)) == -1)
- {
- DEBUG(0, ("add_smbfilepwd_entry(sys_lseek): Failed to add entry for user %s to file %s. \
-Error was %s\n", newpwd->smb_name, pfile, strerror(errno)));
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
- return False;
- }
-
- if((new_entry = format_new_smbpasswd_entry(newpwd)) == NULL)
- {
- DEBUG(0, ("add_smbfilepwd_entry(malloc): Failed to add entry for user %s to file %s. \
-Error was %s\n", newpwd->smb_name, pfile, strerror(errno)));
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
- return False;
- }
-
- new_entry_length = strlen(new_entry);
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100, ("add_smbfilepwd_entry(%d): new_entry_len %d made line |%s|",
- fd, new_entry_length, new_entry));
-#endif
-
- if ((wr_len = write(fd, new_entry, new_entry_length)) != new_entry_length)
- {
- DEBUG(0, ("add_smbfilepwd_entry(write): %d Failed to add entry for user %s to file %s. \
-Error was %s\n", wr_len, newpwd->smb_name, pfile, strerror(errno)));
-
- /* Remove the entry we just wrote. */
- if(sys_ftruncate(fd, offpos) == -1)
- {
- DEBUG(0, ("add_smbfilepwd_entry: ERROR failed to ftruncate file %s. \
-Error was %s. Password file may be corrupt ! Please examine by hand !\n",
- newpwd->smb_name, strerror(errno)));
- }
-
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
- free(new_entry);
- return False;
- }
-
- free(new_entry);
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
- return True;
-}
-
-/************************************************************************
- Routine to search the smbpasswd file for an entry matching the username.
- and then modify its password entry. We can't use the startsmbpwent()/
- getsmbpwent()/endsmbpwent() interfaces here as we depend on looking
- in the actual file to decide how much room we have to write data.
- override = False, normal
- override = True, override XXXXXXXX'd out password or NO PASS
-************************************************************************/
-
-static BOOL mod_smbfilepwd_entry(struct smbpasswd_privates *smbpasswd_state, const struct smb_passwd* pwd)
-{
- /* Static buffers we will return. */
- pstring user_name;
-
- char linebuf[256];
- char readbuf[1024];
- unsigned char c;
- fstring ascii_p16;
- fstring encode_bits;
- unsigned char *p = NULL;
- size_t linebuf_len = 0;
- FILE *fp;
- int lockfd;
- const char *pfile = smbpasswd_state->smbpasswd_file;
- BOOL found_entry = False;
- BOOL got_pass_last_set_time = False;
-
- SMB_OFF_T pwd_seekpos = 0;
-
- int i;
- int wr_len;
- int fd;
-
- if (!*pfile) {
- DEBUG(0, ("No SMB password file set\n"));
- return False;
- }
- DEBUG(10, ("mod_smbfilepwd_entry: opening file %s\n", pfile));
-
- fp = sys_fopen(pfile, "r+");
-
- if (fp == NULL) {
- DEBUG(0, ("mod_smbfilepwd_entry: unable to open file %s\n", pfile));
- return False;
- }
- /* Set a buffer to do more efficient reads */
- setvbuf(fp, readbuf, _IOFBF, sizeof(readbuf));
-
- lockfd = fileno(fp);
-
- if (!pw_file_lock(lockfd, F_WRLCK, 5, &(smbpasswd_state->pw_file_lock_depth))) {
- DEBUG(0, ("mod_smbfilepwd_entry: unable to lock file %s\n", pfile));
- fclose(fp);
- return False;
- }
-
- /* Make sure it is only rw by the owner */
- chmod(pfile, 0600);
-
- /* We have a write lock on the file. */
- /*
- * Scan the file, a line at a time and check if the name matches.
- */
- while (!feof(fp)) {
- pwd_seekpos = sys_ftell(fp);
-
- linebuf[0] = '\0';
-
- fgets(linebuf, sizeof(linebuf), fp);
- if (ferror(fp)) {
- pw_file_unlock(lockfd, &(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return False;
- }
-
- /*
- * Check if the string is terminated with a newline - if not
- * then we must keep reading and discard until we get one.
- */
- linebuf_len = strlen(linebuf);
- if (linebuf[linebuf_len - 1] != '\n') {
- c = '\0';
- while (!ferror(fp) && !feof(fp)) {
- c = fgetc(fp);
- if (c == '\n') {
- break;
- }
- }
- } else {
- linebuf[linebuf_len - 1] = '\0';
- }
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100, ("mod_smbfilepwd_entry: got line |%s|\n", linebuf));
-#endif
-
- if ((linebuf[0] == 0) && feof(fp)) {
- DEBUG(4, ("mod_smbfilepwd_entry: end of file reached\n"));
- break;
- }
-
- /*
- * The line we have should be of the form :-
- *
- * username:uid:[32hex bytes]:....other flags presently
- * ignored....
- *
- * or,
- *
- * username:uid:[32hex bytes]:[32hex bytes]:[attributes]:LCT-XXXXXXXX:...ignored.
- *
- * if Windows NT compatible passwords are also present.
- */
-
- if (linebuf[0] == '#' || linebuf[0] == '\0') {
- DEBUG(6, ("mod_smbfilepwd_entry: skipping comment or blank line\n"));
- continue;
- }
-
- p = (unsigned char *) strchr_m(linebuf, ':');
-
- if (p == NULL) {
- DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (no :)\n"));
- continue;
- }
-
- /*
- * As 256 is shorter than a pstring we don't need to check
- * length here - if this ever changes....
- */
-
- SMB_ASSERT(sizeof(user_name) > sizeof(linebuf));
-
- strncpy(user_name, linebuf, PTR_DIFF(p, linebuf));
- user_name[PTR_DIFF(p, linebuf)] = '\0';
- if (strequal(user_name, pwd->smb_name)) {
- found_entry = True;
- break;
- }
- }
-
- if (!found_entry) {
- pw_file_unlock(lockfd, &(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
-
- DEBUG(2, ("Cannot update entry for user %s, as they don't exist in the smbpasswd file!\n",
- pwd->smb_name));
- return False;
- }
-
- DEBUG(6, ("mod_smbfilepwd_entry: entry exists\n"));
-
- /* User name matches - get uid and password */
- p++; /* Go past ':' */
-
- if (!isdigit(*p)) {
- DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (uid not number)\n"));
- pw_file_unlock(lockfd, &(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return False;
- }
-
- while (*p && isdigit(*p))
- p++;
- if (*p != ':') {
- DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (no : after uid)\n"));
- pw_file_unlock(lockfd, &(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return False;
- }
-
- /*
- * Now get the password value - this should be 32 hex digits
- * which are the ascii representations of a 16 byte string.
- * Get two at a time and put them into the password.
- */
- p++;
-
- /* Record exact password position */
- pwd_seekpos += PTR_DIFF(p, linebuf);
-
- if (linebuf_len < (PTR_DIFF(p, linebuf) + 33)) {
- DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (passwd too short)\n"));
- pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return (False);
- }
-
- if (p[32] != ':') {
- DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (no terminating :)\n"));
- pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return False;
- }
-
- /* Now check if the NT compatible password is
- available. */
- p += 33; /* Move to the first character of the line after
- the lanman password. */
- if (linebuf_len < (PTR_DIFF(p, linebuf) + 33)) {
- DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (passwd too short)\n"));
- pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return (False);
- }
-
- if (p[32] != ':') {
- DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (no terminating :)\n"));
- pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return False;
- }
-
- /*
- * Now check if the account info and the password last
- * change time is available.
- */
- p += 33; /* Move to the first character of the line after
- the NT password. */
-
- if (*p == '[') {
-
- i = 0;
- encode_bits[i++] = *p++;
- while((linebuf_len > PTR_DIFF(p, linebuf)) && (*p != ']'))
- encode_bits[i++] = *p++;
-
- encode_bits[i++] = ']';
- encode_bits[i++] = '\0';
-
- if(i == NEW_PW_FORMAT_SPACE_PADDED_LEN) {
- /*
- * We are using a new format, space padded
- * acct ctrl field. Encode the given acct ctrl
- * bits into it.
- */
- fstrcpy(encode_bits, pdb_encode_acct_ctrl(pwd->acct_ctrl, NEW_PW_FORMAT_SPACE_PADDED_LEN));
- } else {
- DEBUG(0,("mod_smbfilepwd_entry: Using old smbpasswd format. This is no longer supported.!\n"));
- DEBUG(0,("mod_smbfilepwd_entry: No changes made, failing.!\n"));
- return False;
- }
-
- /* Go past the ']' */
- if(linebuf_len > PTR_DIFF(p, linebuf))
- p++;
-
- if((linebuf_len > PTR_DIFF(p, linebuf)) && (*p == ':')) {
- p++;
-
- /* We should be pointing at the LCT entry. */
- if((linebuf_len > (PTR_DIFF(p, linebuf) + 13)) && (StrnCaseCmp((char *)p, "LCT-", 4) == 0)) {
-
- p += 4;
- for(i = 0; i < 8; i++) {
- if(p[i] == '\0' || !isxdigit(p[i]))
- break;
- }
- if(i == 8) {
- /*
- * p points at 8 characters of hex digits -
- * read into a time_t as the seconds since
- * 1970 that the password was last changed.
- */
- got_pass_last_set_time = True;
- } /* i == 8 */
- } /* *p && StrnCaseCmp() */
- } /* p == ':' */
- } /* p == '[' */
-
- /* Entry is correctly formed. */
-
- /* Create the 32 byte representation of the new p16 */
- pdb_sethexpwd(ascii_p16, pwd->smb_passwd, pwd->acct_ctrl);
-
- /* Add on the NT md4 hash */
- ascii_p16[32] = ':';
- wr_len = 66;
- pdb_sethexpwd(ascii_p16+33, pwd->smb_nt_passwd, pwd->acct_ctrl);
- ascii_p16[65] = ':';
- ascii_p16[66] = '\0'; /* null-terminate the string so that strlen works */
-
- /* Add on the account info bits and the time of last
- password change. */
-
- if(got_pass_last_set_time) {
- slprintf(&ascii_p16[strlen(ascii_p16)],
- sizeof(ascii_p16)-(strlen(ascii_p16)+1),
- "%s:LCT-%08X:",
- encode_bits, (uint32)pwd->pass_last_set_time );
- wr_len = strlen(ascii_p16);
- }
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("mod_smbfilepwd_entry: "));
- dump_data(100, ascii_p16, wr_len);
-#endif
-
- if(wr_len > sizeof(linebuf)) {
- DEBUG(0, ("mod_smbfilepwd_entry: line to write (%d) is too long.\n", wr_len+1));
- pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return (False);
- }
-
- /*
- * Do an atomic write into the file at the position defined by
- * seekpos.
- */
-
- /* The mod user write needs to be atomic - so get the fd from
- the fp and do a raw write() call.
- */
-
- fd = fileno(fp);
-
- if (sys_lseek(fd, pwd_seekpos - 1, SEEK_SET) != pwd_seekpos - 1) {
- DEBUG(0, ("mod_smbfilepwd_entry: seek fail on file %s.\n", pfile));
- pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return False;
- }
-
- /* Sanity check - ensure the areas we are writing are framed by ':' */
- if (read(fd, linebuf, wr_len+1) != wr_len+1) {
- DEBUG(0, ("mod_smbfilepwd_entry: read fail on file %s.\n", pfile));
- pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return False;
- }
-
- if ((linebuf[0] != ':') || (linebuf[wr_len] != ':')) {
- DEBUG(0, ("mod_smbfilepwd_entry: check on passwd file %s failed.\n", pfile));
- pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return False;
- }
-
- if (sys_lseek(fd, pwd_seekpos, SEEK_SET) != pwd_seekpos) {
- DEBUG(0, ("mod_smbfilepwd_entry: seek fail on file %s.\n", pfile));
- pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return False;
- }
-
- if (write(fd, ascii_p16, wr_len) != wr_len) {
- DEBUG(0, ("mod_smbfilepwd_entry: write failed in passwd file %s\n", pfile));
- pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return False;
- }
-
- pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
- fclose(fp);
- return True;
-}
-
-/************************************************************************
- Routine to delete an entry in the smbpasswd file by name.
-*************************************************************************/
-
-static BOOL del_smbfilepwd_entry(struct smbpasswd_privates *smbpasswd_state, const char *name)
-{
- const char *pfile = smbpasswd_state->smbpasswd_file;
- pstring pfile2;
- struct smb_passwd *pwd = NULL;
- FILE *fp = NULL;
- FILE *fp_write = NULL;
- int pfile2_lockdepth = 0;
-
- slprintf(pfile2, sizeof(pfile2)-1, "%s.%u", pfile, (unsigned)getpid() );
-
- /*
- * Open the smbpassword file - for update. It needs to be update
- * as we need any other processes to wait until we have replaced
- * it.
- */
-
- if((fp = startsmbfilepwent(pfile, PWF_UPDATE, &(smbpasswd_state->pw_file_lock_depth))) == NULL) {
- DEBUG(0, ("del_smbfilepwd_entry: unable to open file %s.\n", pfile));
- return False;
- }
-
- /*
- * Create the replacement password file.
- */
- if((fp_write = startsmbfilepwent(pfile2, PWF_CREATE, &pfile2_lockdepth)) == NULL) {
- DEBUG(0, ("del_smbfilepwd_entry: unable to open file %s.\n", pfile));
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
- return False;
- }
-
- /*
- * Scan the file, a line at a time and check if the name matches.
- */
-
- while ((pwd = getsmbfilepwent(smbpasswd_state, fp)) != NULL) {
- char *new_entry;
- size_t new_entry_length;
-
- if (strequal(name, pwd->smb_name)) {
- DEBUG(10, ("add_smbfilepwd_entry: found entry with name %s - deleting it.\n", name));
- continue;
- }
-
- /*
- * We need to copy the entry out into the second file.
- */
-
- if((new_entry = format_new_smbpasswd_entry(pwd)) == NULL)
- {
- DEBUG(0, ("del_smbfilepwd_entry(malloc): Failed to copy entry for user %s to file %s. \
-Error was %s\n", pwd->smb_name, pfile2, strerror(errno)));
- unlink(pfile2);
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
- endsmbfilepwent(fp_write, &pfile2_lockdepth);
- return False;
- }
-
- new_entry_length = strlen(new_entry);
-
- if(fwrite(new_entry, 1, new_entry_length, fp_write) != new_entry_length)
- {
- DEBUG(0, ("del_smbfilepwd_entry(write): Failed to copy entry for user %s to file %s. \
-Error was %s\n", pwd->smb_name, pfile2, strerror(errno)));
- unlink(pfile2);
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
- endsmbfilepwent(fp_write, &pfile2_lockdepth);
- free(new_entry);
- return False;
- }
-
- free(new_entry);
- }
-
- /*
- * Ensure pfile2 is flushed before rename.
- */
-
- if(fflush(fp_write) != 0)
- {
- DEBUG(0, ("del_smbfilepwd_entry: Failed to flush file %s. Error was %s\n", pfile2, strerror(errno)));
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
- endsmbfilepwent(fp_write,&pfile2_lockdepth);
- return False;
- }
-
- /*
- * Do an atomic rename - then release the locks.
- */
-
- if(rename(pfile2,pfile) != 0) {
- unlink(pfile2);
- }
-
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
- endsmbfilepwent(fp_write,&pfile2_lockdepth);
- return True;
-}
-
-/*********************************************************************
- Create a smb_passwd struct from a SAM_ACCOUNT.
- We will not allocate any new memory. The smb_passwd struct
- should only stay around as long as the SAM_ACCOUNT does.
- ********************************************************************/
-static BOOL build_smb_pass (struct smb_passwd *smb_pw, const SAM_ACCOUNT *sampass)
-{
- uid_t uid;
-
- if (sampass == NULL)
- return False;
-
- ZERO_STRUCTP(smb_pw);
-
- if (!IS_SAM_UNIX_USER(sampass)) {
- smb_pw->smb_userid_set = False;
- DEBUG(5,("build_smb_pass: storing user without a UNIX uid or gid. \n"));
- } else {
- uint32 rid = pdb_get_user_rid(sampass);
- smb_pw->smb_userid_set = True;
- uid = pdb_get_uid(sampass);
-
- /* If the user specified a RID, make sure its able to be both stored and retreived */
- if (rid && rid != DOMAIN_USER_RID_GUEST && uid != fallback_pdb_user_rid_to_uid(rid)) {
- DEBUG(0,("build_sam_pass: Failing attempt to store user with non-uid based user RID. \n"));
- return False;
- }
-
- smb_pw->smb_userid=uid;
- }
-
- smb_pw->smb_name=(const char*)pdb_get_username(sampass);
-
- smb_pw->smb_passwd=pdb_get_lanman_passwd(sampass);
- smb_pw->smb_nt_passwd=pdb_get_nt_passwd(sampass);
-
- smb_pw->acct_ctrl=pdb_get_acct_ctrl(sampass);
- smb_pw->pass_last_set_time=pdb_get_pass_last_set_time(sampass);
-
-#if 0
- /*
- * ifdef'out by JFM on 11/29/2001.
- * this assertion is no longer valid
- * and I don't understand the goal
- * and doing the same thing with the group mapping code
- * is hairy !
- *
- * We just have the RID, in which SID is it valid ?
- * our domain SID ? well known SID ? local SID ?
- */
-
- if (gid != pdb_group_rid_to_gid(pdb_get_group_rid(sampass))) {
- DEBUG(0,("build_sam_pass: Failing attempt to store user with non-gid based primary group RID. \n"));
- DEBUG(0,("build_sam_pass: %d %d %d. \n", *gid, pdb_group_rid_to_gid(pdb_get_group_rid(sampass)), pdb_get_group_rid(sampass)));
- return False;
- }
-#endif
-
- return True;
-}
-
-/*********************************************************************
- Create a SAM_ACCOUNT from a smb_passwd struct
- ********************************************************************/
-static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state,
- SAM_ACCOUNT *sam_pass, const struct smb_passwd *pw_buf)
-{
- struct passwd *pwfile;
-
- if (sam_pass==NULL) {
- DEBUG(5,("build_sam_account: SAM_ACCOUNT is NULL\n"));
- return False;
- }
-
- pwfile = getpwnam_alloc(pw_buf->smb_name);
- if (pwfile == NULL) {
- if ((smbpasswd_state->permit_non_unix_accounts)
- && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid)
- && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {
-
- pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid), PDB_SET);
-
- /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here.
-
- This was down the bottom for machines, but it looks pretty good as
- a general default for non-unix users. --abartlet 2002-01-08
- */
- pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS, PDB_SET);
- pdb_set_username (sam_pass, pw_buf->smb_name, PDB_SET);
- pdb_set_domain (sam_pass, lp_workgroup(), PDB_DEFAULT);
-
- } else {
- DEBUG(0,("build_sam_account: smbpasswd database is corrupt! username %s with uid %u is not in unix passwd database!\n", pw_buf->smb_name, pw_buf->smb_userid));
- return False;
- }
- } else {
- if (!NT_STATUS_IS_OK(pdb_fill_sam_pw(sam_pass, pwfile))) {
- return False;
- }
-
- passwd_free(&pwfile);
- }
-
- pdb_set_nt_passwd (sam_pass, pw_buf->smb_nt_passwd, PDB_SET);
- pdb_set_lanman_passwd (sam_pass, pw_buf->smb_passwd, PDB_SET);
- pdb_set_acct_ctrl (sam_pass, pw_buf->acct_ctrl, PDB_SET);
- pdb_set_pass_last_set_time (sam_pass, pw_buf->pass_last_set_time, PDB_SET);
- pdb_set_pass_can_change_time (sam_pass, pw_buf->pass_last_set_time, PDB_SET);
-
-#if 0 /* JERRY */
- /* the smbpasswd format doesn't have a must change time field, so
- we can't get this right. The best we can do is to set this to
- some time in the future. 21 days seems as reasonable as any other value :)
- */
- pdb_set_pass_must_change_time (sam_pass, pw_buf->pass_last_set_time + MAX_PASSWORD_AGE, PDB_DEFAULT);
-#endif
- return True;
-}
-
-/*****************************************************************
- Functions to be implemented by the new passdb API
- ****************************************************************/
-static NTSTATUS smbpasswd_setsampwent (struct pdb_methods *my_methods, BOOL update)
-{
- struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
-
- smbpasswd_state->pw_file = startsmbfilepwent(smbpasswd_state->smbpasswd_file,
- update ? PWF_UPDATE : PWF_READ,
- &(smbpasswd_state->pw_file_lock_depth));
-
- /* did we fail? Should we try to create it? */
- if (!smbpasswd_state->pw_file && update && errno == ENOENT)
- {
- FILE *fp;
- /* slprintf(msg_str,msg_str_len-1,
- "smbpasswd file did not exist - attempting to create it.\n"); */
- DEBUG(0,("smbpasswd file did not exist - attempting to create it.\n"));
- fp = sys_fopen(smbpasswd_state->smbpasswd_file, "w");
- if (fp)
- {
- fprintf(fp, "# Samba SMB password file\n");
- fclose(fp);
- }
-
- smbpasswd_state->pw_file = startsmbfilepwent(smbpasswd_state->smbpasswd_file,
- update ? PWF_UPDATE : PWF_READ,
- &(smbpasswd_state->pw_file_lock_depth));
- }
-
- if (smbpasswd_state->pw_file != NULL)
- return NT_STATUS_OK;
- else
- return NT_STATUS_UNSUCCESSFUL;
-}
-
-static void smbpasswd_endsampwent (struct pdb_methods *my_methods)
-{
- struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
- endsmbfilepwent(smbpasswd_state->pw_file, &(smbpasswd_state->pw_file_lock_depth));
-}
-
-/*****************************************************************
- ****************************************************************/
-static NTSTATUS smbpasswd_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
- struct smb_passwd *pw_buf=NULL;
- BOOL done = False;
- DEBUG(5,("pdb_getsampwent\n"));
-
- if (user==NULL) {
- DEBUG(5,("pdb_getsampwent (smbpasswd): user is NULL\n"));
-#if 0
- smb_panic("NULL pointer passed to getsampwent (smbpasswd)\n");
-#endif
- return nt_status;
- }
-
- while (!done)
- {
- /* do we have an entry? */
- pw_buf = getsmbfilepwent(smbpasswd_state, smbpasswd_state->pw_file);
- if (pw_buf == NULL)
- return nt_status;
-
- /* build the SAM_ACCOUNT entry from the smb_passwd struct.
- We loop in case the user in the pdb does not exist in
- the local system password file */
- if (build_sam_account(smbpasswd_state, user, pw_buf))
- done = True;
- }
-
- DEBUG(5,("getsampwent (smbpasswd): done\n"));
-
- /* success */
- return NT_STATUS_OK;
-}
-
-
-/****************************************************************
- Search smbpasswd file by iterating over the entries. Do not
- call getpwnam() for unix account information until we have found
- the correct entry
- ***************************************************************/
-static NTSTATUS smbpasswd_getsampwnam(struct pdb_methods *my_methods,
- SAM_ACCOUNT *sam_acct, const char *username)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
- struct smb_passwd *smb_pw;
- void *fp = NULL;
-
- DEBUG(10, ("getsampwnam (smbpasswd): search by name: %s\n", username));
-
- /* startsmbfilepwent() is used here as we don't want to lookup
- the UNIX account in the local system password file until
- we have a match. */
- fp = startsmbfilepwent(smbpasswd_state->smbpasswd_file, PWF_READ, &(smbpasswd_state->pw_file_lock_depth));
-
- if (fp == NULL) {
- DEBUG(0, ("unable to open passdb database.\n"));
- return nt_status;
- }
-
- while ( ((smb_pw=getsmbfilepwent(smbpasswd_state, fp)) != NULL)&& (!strequal(smb_pw->smb_name, username)) )
- /* do nothing....another loop */ ;
-
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
-
-
- /* did we locate the username in smbpasswd */
- if (smb_pw == NULL)
- return nt_status;
-
- DEBUG(10, ("getsampwnam (smbpasswd): found by name: %s\n", smb_pw->smb_name));
-
- if (!sam_acct) {
- DEBUG(10,("getsampwnam (smbpasswd): SAM_ACCOUNT is NULL\n"));
-#if 0
- smb_panic("NULL pointer passed to pdb_getsampwnam\n");
-#endif
- return nt_status;
- }
-
- /* now build the SAM_ACCOUNT */
- if (!build_sam_account(smbpasswd_state, sam_acct, smb_pw))
- return nt_status;
-
- /* success */
- return NT_STATUS_OK;
-}
-
-static NTSTATUS smbpasswd_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT *sam_acct, const DOM_SID *sid)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
- struct smb_passwd *smb_pw;
- void *fp = NULL;
- fstring sid_str;
- uint32 rid;
-
- DEBUG(10, ("smbpasswd_getsampwrid: search by sid: %s\n", sid_to_string(sid_str, sid)));
-
- if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
- return NT_STATUS_UNSUCCESSFUL;
-
- /* More special case 'guest account' hacks... */
- if (rid == DOMAIN_USER_RID_GUEST) {
- const char *guest_account = lp_guestaccount();
- if (!(guest_account && *guest_account)) {
- DEBUG(1, ("Guest account not specfied!\n"));
- return nt_status;
- }
- return smbpasswd_getsampwnam(my_methods, sam_acct, guest_account);
- }
-
- /* Open the sam password file - not for update. */
- fp = startsmbfilepwent(smbpasswd_state->smbpasswd_file, PWF_READ, &(smbpasswd_state->pw_file_lock_depth));
-
- if (fp == NULL) {
- DEBUG(0, ("unable to open passdb database.\n"));
- return nt_status;
- }
-
- while ( ((smb_pw=getsmbfilepwent(smbpasswd_state, fp)) != NULL) && (fallback_pdb_uid_to_user_rid(smb_pw->smb_userid) != rid) )
- /* do nothing */ ;
-
- endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
-
-
- /* did we locate the username in smbpasswd */
- if (smb_pw == NULL)
- return nt_status;
-
- DEBUG(10, ("getsampwrid (smbpasswd): found by name: %s\n", smb_pw->smb_name));
-
- if (!sam_acct) {
- DEBUG(10,("getsampwrid: (smbpasswd) SAM_ACCOUNT is NULL\n"));
-#if 0
- smb_panic("NULL pointer passed to pdb_getsampwrid\n");
-#endif
- return nt_status;
- }
-
- /* now build the SAM_ACCOUNT */
- if (!build_sam_account (smbpasswd_state, sam_acct, smb_pw))
- return nt_status;
-
- /* build_sam_account might change the SID on us, if the name was for the guest account */
- if (NT_STATUS_IS_OK(nt_status) && !sid_equal(pdb_get_user_sid(sam_acct), sid)) {
- fstring sid_string1, sid_string2;
- DEBUG(1, ("looking for user with sid %s instead returned %s for account %s!?!\n",
- sid_to_string(sid_string1, sid), sid_to_string(sid_string2, pdb_get_user_sid(sam_acct)), pdb_get_username(sam_acct)));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- /* success */
- return NT_STATUS_OK;
-}
-
-static NTSTATUS smbpasswd_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT *sampass)
-{
- struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
- struct smb_passwd smb_pw;
-
- /* convert the SAM_ACCOUNT */
- if (!build_smb_pass(&smb_pw, sampass)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- /* add the entry */
- if(!add_smbfilepwd_entry(smbpasswd_state, &smb_pw)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS smbpasswd_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT *sampass)
-{
- struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
- struct smb_passwd smb_pw;
-
- /* convert the SAM_ACCOUNT */
- if (!build_smb_pass(&smb_pw, sampass)) {
- DEBUG(0, ("smbpasswd_update_sam_account: build_smb_pass failed!\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- /* update the entry */
- if(!mod_smbfilepwd_entry(smbpasswd_state, &smb_pw)) {
- DEBUG(0, ("smbpasswd_update_sam_account: mod_smbfilepwd_entry failed!\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS smbpasswd_delete_sam_account (struct pdb_methods *my_methods, SAM_ACCOUNT *sampass)
-{
- struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
-
- const char *username = pdb_get_username(sampass);
-
- if (del_smbfilepwd_entry(smbpasswd_state, username))
- return NT_STATUS_OK;
-
- return NT_STATUS_UNSUCCESSFUL;
-}
-
-static void free_private_data(void **vp)
-{
- struct smbpasswd_privates **privates = (struct smbpasswd_privates**)vp;
-
- endsmbfilepwent((*privates)->pw_file, &((*privates)->pw_file_lock_depth));
-
- *privates = NULL;
- /* No need to free any further, as it is talloc()ed */
-}
-
-
-static NTSTATUS pdb_init_smbpasswd(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
- struct smbpasswd_privates *privates;
-
- if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "smbpasswd";
-
- (*pdb_method)->setsampwent = smbpasswd_setsampwent;
- (*pdb_method)->endsampwent = smbpasswd_endsampwent;
- (*pdb_method)->getsampwent = smbpasswd_getsampwent;
- (*pdb_method)->getsampwnam = smbpasswd_getsampwnam;
- (*pdb_method)->getsampwsid = smbpasswd_getsampwsid;
- (*pdb_method)->add_sam_account = smbpasswd_add_sam_account;
- (*pdb_method)->update_sam_account = smbpasswd_update_sam_account;
- (*pdb_method)->delete_sam_account = smbpasswd_delete_sam_account;
-
- /* Setup private data and free function */
-
- privates = talloc_zero(pdb_context->mem_ctx, sizeof(struct smbpasswd_privates));
-
- if (!privates) {
- DEBUG(0, ("talloc() failed for smbpasswd private_data!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- /* Store some config details */
-
- if (location) {
- privates->smbpasswd_file = talloc_strdup(pdb_context->mem_ctx, location);
- } else {
- privates->smbpasswd_file = talloc_strdup(pdb_context->mem_ctx, lp_smb_passwd_file());
- }
-
- if (!privates->smbpasswd_file) {
- DEBUG(0, ("talloc_strdp() failed for storing smbpasswd location!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- (*pdb_method)->private_data = privates;
-
- (*pdb_method)->free_private_data = free_private_data;
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS pdb_init_smbpasswd_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
- struct smbpasswd_privates *privates;
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_smbpasswd(pdb_context, pdb_method, location))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "smbpasswd_nua";
-
- privates = (*pdb_method)->private_data;
-
- privates->permit_non_unix_accounts = True;
-
- if (!lp_non_unix_account_range(&privates->low_nua_userid, &privates->high_nua_userid)) {
- DEBUG(0, ("cannot use smbpasswd_nua without 'non unix account range' in smb.conf!\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- return NT_STATUS_OK;
-}
-
-NTSTATUS passdb_smbpasswd_init(void)
-{
- NTSTATUS ret;
- struct passdb_ops ops;
-
- /* fill in our name */
- ops.name = "smbpasswd";
- /* fill in all the operations */
- ops.init = pdb_init_smbpasswd;
-
- /* register ourselves with the PASSDB subsystem. */
- ret = register_backend("passdb", &ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register '%s' PASSDB backend!\n",
- ops.name));
- return ret;
- }
-
- /* fill in our name */
- ops.name = "smbpasswd_nua";
- /* fill in all the operations */
- ops.init = pdb_init_smbpasswd_nua;
-
- /* register ourselves with the PASSDB subsystem. */
- ret = register_backend("passdb", &ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register '%s' PASSDB backend!\n",
- ops.name));
- return ret;
- }
-
- return ret;
-}
+++ /dev/null
-/*
- * Unix SMB/CIFS implementation.
- * SMB parameters and setup
- * Copyright (C) Andrew Tridgell 1992-1998
- * Copyright (C) Simo Sorce 2000-2002
- * Copyright (C) Gerald Carter 2000
- * Copyright (C) Jeremy Allison 2001
- * Copyright (C) Andrew Bartlett 2002
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 2 of the License, or (at your option)
- * any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 675
- * Mass Ave, Cambridge, MA 02139, USA.
- */
-
-#include "includes.h"
-
-#if 0 /* when made a module use this */
-
-static int tdbsam_debug_level = DBGC_ALL;
-#undef DBGC_CLASS
-#define DBGC_CLASS tdbsam_debug_level
-
-#else
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_PASSDB
-
-#endif
-
-#define PDB_VERSION "20010830"
-#define PASSDB_FILE_NAME "passdb.tdb"
-#define TDB_FORMAT_STRING "ddddddBBBBBBBBBBBBddBBwdwdBdd"
-#define USERPREFIX "USER_"
-#define RIDPREFIX "RID_"
-
-struct tdbsam_privates {
- TDB_CONTEXT *passwd_tdb;
- TDB_DATA key;
-
- /* retrive-once info */
- const char *tdbsam_location;
-
- BOOL permit_non_unix_accounts;
-
- BOOL algorithmic_rids;
-
- uint32 low_nua_rid;
- uint32 high_nua_rid;
-};
-
-/**********************************************************************
- Intialize a SAM_ACCOUNT struct from a BYTE buffer of size len
- *********************************************************************/
-
-static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state,
- SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
-{
-
- /* times are stored as 32bit integer
- take care on system with 64bit wide time_t
- --SSS */
- uint32 logon_time,
- logoff_time,
- kickoff_time,
- pass_last_set_time,
- pass_can_change_time,
- pass_must_change_time;
- char *username;
- char *domain;
- char *nt_username;
- char *dir_drive;
- char *unknown_str;
- char *munged_dial;
- char *fullname;
- char *homedir;
- char *logon_script;
- char *profile_path;
- char *acct_desc;
- char *workstations;
- uint32 username_len, domain_len, nt_username_len,
- dir_drive_len, unknown_str_len, munged_dial_len,
- fullname_len, homedir_len, logon_script_len,
- profile_path_len, acct_desc_len, workstations_len;
-
- uint32 user_rid, group_rid, unknown_3, hours_len, unknown_5, unknown_6;
- uint16 acct_ctrl, logon_divs;
- uint8 *hours;
- static uint8 *lm_pw_ptr, *nt_pw_ptr;
- uint32 len = 0;
- uint32 lm_pw_len, nt_pw_len, hourslen;
- BOOL ret = True;
- struct passwd *pw;
- uid_t uid = -1;
- gid_t gid = -1; /* This is what standard sub advanced expects if no gid is known */
-
- if(sampass == NULL || buf == NULL) {
- DEBUG(0, ("init_sam_from_buffer: NULL parameters found!\n"));
- return False;
- }
-
- /* unpack the buffer into variables */
- len = tdb_unpack (buf, buflen, TDB_FORMAT_STRING,
- &logon_time,
- &logoff_time,
- &kickoff_time,
- &pass_last_set_time,
- &pass_can_change_time,
- &pass_must_change_time,
- &username_len, &username,
- &domain_len, &domain,
- &nt_username_len, &nt_username,
- &fullname_len, &fullname,
- &homedir_len, &homedir,
- &dir_drive_len, &dir_drive,
- &logon_script_len, &logon_script,
- &profile_path_len, &profile_path,
- &acct_desc_len, &acct_desc,
- &workstations_len, &workstations,
- &unknown_str_len, &unknown_str,
- &munged_dial_len, &munged_dial,
- &user_rid,
- &group_rid,
- &lm_pw_len, &lm_pw_ptr,
- &nt_pw_len, &nt_pw_ptr,
- &acct_ctrl,
- &unknown_3,
- &logon_divs,
- &hours_len,
- &hourslen, &hours,
- &unknown_5,
- &unknown_6);
-
- if (len == -1) {
- ret = False;
- goto done;
- }
-
- /* validate the account and fill in UNIX uid and gid. Standard
- * getpwnam() is used instead of Get_Pwnam() as we do not need
- * to try case permutations
- */
- if (!username || !(pw = getpwnam_alloc(username))) {
- if (!(tdb_state->permit_non_unix_accounts)) {
- DEBUG(0,("tdbsam: getpwnam_alloc(%s) return NULL. User does not exist!\n", username));
- ret = False;
- goto done;
- }
- }
-
- if (pw) {
- uid = pw->pw_uid;
- gid = pw->pw_gid;
-
- pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
- passwd_free(&pw);
-
- pdb_set_uid(sampass, uid, PDB_SET);
- pdb_set_gid(sampass, gid, PDB_SET);
- }
-
- pdb_set_logon_time(sampass, logon_time, PDB_SET);
- pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
- pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
- pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
- pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
- pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
-
- pdb_set_username (sampass, username, PDB_SET);
- pdb_set_domain (sampass, domain, PDB_SET);
- pdb_set_nt_username (sampass, nt_username, PDB_SET);
- pdb_set_fullname (sampass, fullname, PDB_SET);
-
- if (homedir) {
- pdb_set_homedir(sampass, homedir, PDB_SET);
- }
- else {
- pdb_set_homedir(sampass,
- talloc_sub_specified(sampass->mem_ctx,
- lp_logon_home(),
- username, domain,
- uid, gid),
- PDB_DEFAULT);
- }
-
- if (dir_drive)
- pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
- else {
- pdb_set_dir_drive(sampass,
- talloc_sub_specified(sampass->mem_ctx,
- lp_logon_drive(),
- username, domain,
- uid, gid),
- PDB_DEFAULT);
- }
-
- if (logon_script)
- pdb_set_logon_script(sampass, logon_script, PDB_SET);
- else {
- pdb_set_logon_script(sampass,
- talloc_sub_specified(sampass->mem_ctx,
- lp_logon_script(),
- username, domain,
- uid, gid),
- PDB_DEFAULT);
- }
-
- if (profile_path) {
- pdb_set_profile_path(sampass, profile_path, PDB_SET);
- } else {
- pdb_set_profile_path(sampass,
- talloc_sub_specified(sampass->mem_ctx,
- lp_logon_path(),
- username, domain,
- uid, gid),
- PDB_DEFAULT);
- }
-
- pdb_set_acct_desc (sampass, acct_desc, PDB_SET);
- pdb_set_workstations (sampass, workstations, PDB_SET);
- pdb_set_munged_dial (sampass, munged_dial, PDB_SET);
-
- if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
- if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
- ret = False;
- goto done;
- }
- }
-
- if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
- if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
- ret = False;
- goto done;
- }
- }
-
- pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
- pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
- pdb_set_unknown_3(sampass, unknown_3, PDB_SET);
- pdb_set_hours_len(sampass, hours_len, PDB_SET);
- pdb_set_unknown_5(sampass, unknown_5, PDB_SET);
- pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
- pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
- pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
- pdb_set_hours(sampass, hours, PDB_SET);
-
-done:
-
- SAFE_FREE(username);
- SAFE_FREE(domain);
- SAFE_FREE(nt_username);
- SAFE_FREE(fullname);
- SAFE_FREE(homedir);
- SAFE_FREE(dir_drive);
- SAFE_FREE(logon_script);
- SAFE_FREE(profile_path);
- SAFE_FREE(acct_desc);
- SAFE_FREE(workstations);
- SAFE_FREE(munged_dial);
-
- return ret;
-}
-
-/**********************************************************************
- Intialize a BYTE buffer from a SAM_ACCOUNT struct
- *********************************************************************/
-static uint32 init_buffer_from_sam (struct tdbsam_privates *tdb_state,
- uint8 **buf, const SAM_ACCOUNT *sampass)
-{
- size_t len, buflen;
-
- /* times are stored as 32bit integer
- take care on system with 64bit wide time_t
- --SSS */
- uint32 logon_time,
- logoff_time,
- kickoff_time,
- pass_last_set_time,
- pass_can_change_time,
- pass_must_change_time;
-
- uint32 user_rid, group_rid;
-
- const char *username;
- const char *domain;
- const char *nt_username;
- const char *dir_drive;
- const char *unknown_str;
- const char *munged_dial;
- const char *fullname;
- const char *homedir;
- const char *logon_script;
- const char *profile_path;
- const char *acct_desc;
- const char *workstations;
- uint32 username_len, domain_len, nt_username_len,
- dir_drive_len, unknown_str_len, munged_dial_len,
- fullname_len, homedir_len, logon_script_len,
- profile_path_len, acct_desc_len, workstations_len;
-
- const uint8 *lm_pw;
- const uint8 *nt_pw;
- uint32 lm_pw_len = 16;
- uint32 nt_pw_len = 16;
-
- /* do we have a valid SAM_ACCOUNT pointer? */
- if (sampass == NULL) {
- DEBUG(0, ("init_buffer_from_sam: SAM_ACCOUNT is NULL!\n"));
- return -1;
- }
-
- *buf = NULL;
- buflen = 0;
-
- logon_time = (uint32)pdb_get_logon_time(sampass);
- logoff_time = (uint32)pdb_get_logoff_time(sampass);
- kickoff_time = (uint32)pdb_get_kickoff_time(sampass);
- pass_can_change_time = (uint32)pdb_get_pass_can_change_time(sampass);
- pass_must_change_time = (uint32)pdb_get_pass_must_change_time(sampass);
- pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass);
-
- user_rid = pdb_get_user_rid(sampass);
- group_rid = pdb_get_group_rid(sampass);
-
- username = pdb_get_username(sampass);
- if (username) username_len = strlen(username) +1;
- else username_len = 0;
-
- domain = pdb_get_domain(sampass);
- if (domain) domain_len = strlen(domain) +1;
- else domain_len = 0;
-
- nt_username = pdb_get_nt_username(sampass);
- if (nt_username) nt_username_len = strlen(nt_username) +1;
- else nt_username_len = 0;
-
- fullname = pdb_get_fullname(sampass);
- if (fullname) fullname_len = strlen(fullname) +1;
- else fullname_len = 0;
-
- /*
- * Only updates fields which have been set (not defaults from smb.conf)
- */
-
- if (!IS_SAM_DEFAULT(sampass, PDB_DRIVE))
- dir_drive = pdb_get_dir_drive(sampass);
- else dir_drive = NULL;
- if (dir_drive) dir_drive_len = strlen(dir_drive) +1;
- else dir_drive_len = 0;
-
- if (!IS_SAM_DEFAULT(sampass, PDB_SMBHOME)) homedir = pdb_get_homedir(sampass);
- else homedir = NULL;
- if (homedir) homedir_len = strlen(homedir) +1;
- else homedir_len = 0;
-
- if (!IS_SAM_DEFAULT(sampass, PDB_LOGONSCRIPT)) logon_script = pdb_get_logon_script(sampass);
- else logon_script = NULL;
- if (logon_script) logon_script_len = strlen(logon_script) +1;
- else logon_script_len = 0;
-
- if (!IS_SAM_DEFAULT(sampass, PDB_PROFILE)) profile_path = pdb_get_profile_path(sampass);
- else profile_path = NULL;
- if (profile_path) profile_path_len = strlen(profile_path) +1;
- else profile_path_len = 0;
-
- lm_pw = pdb_get_lanman_passwd(sampass);
- if (!lm_pw) lm_pw_len = 0;
-
- nt_pw = pdb_get_nt_passwd(sampass);
- if (!nt_pw) nt_pw_len = 0;
-
- acct_desc = pdb_get_acct_desc(sampass);
- if (acct_desc) acct_desc_len = strlen(acct_desc) +1;
- else acct_desc_len = 0;
-
- workstations = pdb_get_workstations(sampass);
- if (workstations) workstations_len = strlen(workstations) +1;
- else workstations_len = 0;
-
- unknown_str = NULL;
- unknown_str_len = 0;
-
- munged_dial = pdb_get_munged_dial(sampass);
- if (munged_dial) munged_dial_len = strlen(munged_dial) +1;
- else munged_dial_len = 0;
-
- /* one time to get the size needed */
- len = tdb_pack(NULL, 0, TDB_FORMAT_STRING,
- logon_time,
- logoff_time,
- kickoff_time,
- pass_last_set_time,
- pass_can_change_time,
- pass_must_change_time,
- username_len, username,
- domain_len, domain,
- nt_username_len, nt_username,
- fullname_len, fullname,
- homedir_len, homedir,
- dir_drive_len, dir_drive,
- logon_script_len, logon_script,
- profile_path_len, profile_path,
- acct_desc_len, acct_desc,
- workstations_len, workstations,
- unknown_str_len, unknown_str,
- munged_dial_len, munged_dial,
- user_rid,
- group_rid,
- lm_pw_len, lm_pw,
- nt_pw_len, nt_pw,
- pdb_get_acct_ctrl(sampass),
- pdb_get_unknown_3(sampass),
- pdb_get_logon_divs(sampass),
- pdb_get_hours_len(sampass),
- MAX_HOURS_LEN, pdb_get_hours(sampass),
- pdb_get_unknown_5(sampass),
- pdb_get_unknown_6(sampass));
-
-
- /* malloc the space needed */
- if ( (*buf=(uint8*)malloc(len)) == NULL) {
- DEBUG(0,("init_buffer_from_sam: Unable to malloc() memory for buffer!\n"));
- return (-1);
- }
-
- /* now for the real call to tdb_pack() */
- buflen = tdb_pack(*buf, len, TDB_FORMAT_STRING,
- logon_time,
- logoff_time,
- kickoff_time,
- pass_last_set_time,
- pass_can_change_time,
- pass_must_change_time,
- username_len, username,
- domain_len, domain,
- nt_username_len, nt_username,
- fullname_len, fullname,
- homedir_len, homedir,
- dir_drive_len, dir_drive,
- logon_script_len, logon_script,
- profile_path_len, profile_path,
- acct_desc_len, acct_desc,
- workstations_len, workstations,
- unknown_str_len, unknown_str,
- munged_dial_len, munged_dial,
- user_rid,
- group_rid,
- lm_pw_len, lm_pw,
- nt_pw_len, nt_pw,
- pdb_get_acct_ctrl(sampass),
- pdb_get_unknown_3(sampass),
- pdb_get_logon_divs(sampass),
- pdb_get_hours_len(sampass),
- MAX_HOURS_LEN, pdb_get_hours(sampass),
- pdb_get_unknown_5(sampass),
- pdb_get_unknown_6(sampass));
-
-
- /* check to make sure we got it correct */
- if (buflen != len) {
- DEBUG(0, ("init_buffer_from_sam: somthing odd is going on here: bufflen (%d) != len (%d) in tdb_pack operations!\n",
- buflen, len));
- /* error */
- SAFE_FREE (*buf);
- return (-1);
- }
-
- return (buflen);
-}
-
-/***************************************************************
- Open the TDB passwd database for SAM account enumeration.
-****************************************************************/
-
-static NTSTATUS tdbsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
-{
- struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
-
- /* Open tdb passwd */
- if (!(tdb_state->passwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, update?(O_RDWR|O_CREAT):O_RDONLY, 0600)))
- {
- DEBUG(0, ("Unable to open/create TDB passwd\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- tdb_state->key = tdb_firstkey(tdb_state->passwd_tdb);
-
- return NT_STATUS_OK;
-}
-
-static void close_tdb(struct tdbsam_privates *tdb_state)
-{
- if (tdb_state->passwd_tdb) {
- tdb_close(tdb_state->passwd_tdb);
- tdb_state->passwd_tdb = NULL;
- }
-}
-
-/***************************************************************
- End enumeration of the TDB passwd list.
-****************************************************************/
-
-static void tdbsam_endsampwent(struct pdb_methods *my_methods)
-{
- struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
- close_tdb(tdb_state);
-
- DEBUG(7, ("endtdbpwent: closed sam database.\n"));
-}
-
-/*****************************************************************
- Get one SAM_ACCOUNT from the TDB (next in line)
-*****************************************************************/
-
-static NTSTATUS tdbsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
- TDB_DATA data;
- const char *prefix = USERPREFIX;
- int prefixlen = strlen (prefix);
-
-
- if (user==NULL) {
- DEBUG(0,("pdb_get_sampwent: SAM_ACCOUNT is NULL.\n"));
- return nt_status;
- }
-
- /* skip all non-USER entries (eg. RIDs) */
- while ((tdb_state->key.dsize != 0) && (strncmp(tdb_state->key.dptr, prefix, prefixlen)))
- /* increment to next in line */
- tdb_state->key = tdb_nextkey(tdb_state->passwd_tdb, tdb_state->key);
-
- /* do we have an valid iteration pointer? */
- if(tdb_state->passwd_tdb == NULL) {
- DEBUG(0,("pdb_get_sampwent: Bad TDB Context pointer.\n"));
- return nt_status;
- }
-
- data = tdb_fetch(tdb_state->passwd_tdb, tdb_state->key);
- if (!data.dptr) {
- DEBUG(5,("pdb_getsampwent: database entry not found.\n"));
- return nt_status;
- }
-
- /* unpack the buffer */
- if (!init_sam_from_buffer(tdb_state, user, data.dptr, data.dsize)) {
- DEBUG(0,("pdb_getsampwent: Bad SAM_ACCOUNT entry returned from TDB!\n"));
- SAFE_FREE(data.dptr);
- return nt_status;
- }
- SAFE_FREE(data.dptr);
-
- /* increment to next in line */
- tdb_state->key = tdb_nextkey(tdb_state->passwd_tdb, tdb_state->key);
-
- return NT_STATUS_OK;
-}
-
-/******************************************************************
- Lookup a name in the SAM TDB
-******************************************************************/
-
-static NTSTATUS tdbsam_getsampwnam (struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
- TDB_CONTEXT *pwd_tdb;
- TDB_DATA data, key;
- fstring keystr;
- fstring name;
-
- if (user==NULL) {
- DEBUG(0,("pdb_getsampwnam: SAM_ACCOUNT is NULL.\n"));
- return nt_status;
- }
-
- /* Data is stored in all lower-case */
- unix_strlower(sname, -1, name, sizeof(name));
-
- /* set search key */
- slprintf(keystr, sizeof(keystr)-1, "%s%s", USERPREFIX, name);
- key.dptr = keystr;
- key.dsize = strlen(keystr) + 1;
-
- /* open the accounts TDB */
- if (!(pwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, O_RDONLY, 0600))) {
- DEBUG(0, ("pdb_getsampwnam: Unable to open TDB passwd (%s)!\n", tdb_state->tdbsam_location));
- return nt_status;
- }
-
- /* get the record */
- data = tdb_fetch(pwd_tdb, key);
- if (!data.dptr) {
- DEBUG(5,("pdb_getsampwnam (TDB): error fetching database.\n"));
- DEBUGADD(5, (" Error: %s\n", tdb_errorstr(pwd_tdb)));
- DEBUGADD(5, (" Key: %s\n", keystr));
- tdb_close(pwd_tdb);
- return nt_status;
- }
-
- /* unpack the buffer */
- if (!init_sam_from_buffer(tdb_state, user, data.dptr, data.dsize)) {
- DEBUG(0,("pdb_getsampwent: Bad SAM_ACCOUNT entry returned from TDB!\n"));
- SAFE_FREE(data.dptr);
- tdb_close(pwd_tdb);
- return nt_status;
- }
- SAFE_FREE(data.dptr);
-
- /* no further use for database, close it now */
- tdb_close(pwd_tdb);
-
- return NT_STATUS_OK;
-}
-
-/***************************************************************************
- Search by rid
- **************************************************************************/
-
-static NTSTATUS tdbsam_getsampwrid (struct pdb_methods *my_methods, SAM_ACCOUNT *user, uint32 rid)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
- TDB_CONTEXT *pwd_tdb;
- TDB_DATA data, key;
- fstring keystr;
- fstring name;
-
- if (user==NULL) {
- DEBUG(0,("pdb_getsampwrid: SAM_ACCOUNT is NULL.\n"));
- return nt_status;
- }
-
- /* set search key */
- slprintf(keystr, sizeof(keystr)-1, "%s%.8x", RIDPREFIX, rid);
- key.dptr = keystr;
- key.dsize = strlen (keystr) + 1;
-
- /* open the accounts TDB */
- if (!(pwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, O_RDONLY, 0600))) {
- DEBUG(0, ("pdb_getsampwrid: Unable to open TDB rid database!\n"));
- return nt_status;
- }
-
- /* get the record */
- data = tdb_fetch (pwd_tdb, key);
- if (!data.dptr) {
- DEBUG(5,("pdb_getsampwrid (TDB): error looking up RID %d by key %s.\n", rid, keystr));
- DEBUGADD(5, (" Error: %s\n", tdb_errorstr(pwd_tdb)));
- tdb_close (pwd_tdb);
- return nt_status;
- }
-
- fstrcpy (name, data.dptr);
- SAFE_FREE(data.dptr);
-
- tdb_close (pwd_tdb);
-
- return tdbsam_getsampwnam (my_methods, user, name);
-}
-
-static NTSTATUS tdbsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
-{
- uint32 rid;
- if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
- return NT_STATUS_UNSUCCESSFUL;
- return tdbsam_getsampwrid(my_methods, user, rid);
-}
-
-/***************************************************************************
- Delete a SAM_ACCOUNT
-****************************************************************************/
-
-static NTSTATUS tdbsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT *sam_pass)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
- TDB_CONTEXT *pwd_tdb;
- TDB_DATA key;
- fstring keystr;
- uint32 rid;
- fstring name;
-
- unix_strlower(pdb_get_username(sam_pass), -1, name, sizeof(name));
-
- /* open the TDB */
- if (!(pwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, O_RDWR, 0600))) {
- DEBUG(0, ("Unable to open TDB passwd!"));
- return nt_status;
- }
-
- /* set the search key */
- slprintf(keystr, sizeof(keystr)-1, "%s%s", USERPREFIX, name);
- key.dptr = keystr;
- key.dsize = strlen (keystr) + 1;
-
- rid = pdb_get_user_rid(sam_pass);
-
- /* it's outaa here! 8^) */
- if (tdb_delete(pwd_tdb, key) != TDB_SUCCESS) {
- DEBUG(5, ("Error deleting entry from tdb passwd database!\n"));
- DEBUGADD(5, (" Error: %s\n", tdb_errorstr(pwd_tdb)));
- tdb_close(pwd_tdb);
- return nt_status;
- }
-
- /* delete also the RID key */
-
- /* set the search key */
- slprintf(keystr, sizeof(keystr)-1, "%s%.8x", RIDPREFIX, rid);
- key.dptr = keystr;
- key.dsize = strlen (keystr) + 1;
-
- /* it's outaa here! 8^) */
- if (tdb_delete(pwd_tdb, key) != TDB_SUCCESS) {
- DEBUG(5, ("Error deleting entry from tdb rid database!\n"));
- DEBUGADD(5, (" Error: %s\n", tdb_errorstr(pwd_tdb)));
- tdb_close(pwd_tdb);
- return nt_status;
- }
-
- tdb_close(pwd_tdb);
-
- return NT_STATUS_OK;
-}
-
-/***************************************************************************
- Update the TDB SAM
-****************************************************************************/
-
-static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd, int flag)
-{
- struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
- TDB_CONTEXT *pwd_tdb = NULL;
- TDB_DATA key, data;
- uint8 *buf = NULL;
- fstring keystr;
- fstring name;
- BOOL ret = True;
- uint32 user_rid;
- BOOL tdb_ret;
-
- /* invalidate the existing TDB iterator if it is open */
- if (tdb_state->passwd_tdb) {
- tdb_close(tdb_state->passwd_tdb);
- tdb_state->passwd_tdb = NULL;
- }
-
- /* open the account TDB passwd*/
- pwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0600);
- if (!pwd_tdb)
- {
- DEBUG(0, ("tdb_update_sam: Unable to open TDB passwd (%s)!\n", tdb_state->tdbsam_location));
- return False;
- }
-
- /* if flag == TDB_INSERT then make up a new RID else throw an error. */
- if (!(user_rid = pdb_get_user_rid(newpwd))) {
- if (flag & TDB_INSERT) {
- if (IS_SAM_UNIX_USER(newpwd)) {
- if (tdb_state->algorithmic_rids) {
- user_rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(newpwd));
- } else {
- user_rid = BASE_RID;
- tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &user_rid, RID_MULTIPLIER);
- if (!tdb_ret) {
- ret = False;
- goto done;
- }
- }
- pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED);
- } else {
- user_rid = tdb_state->low_nua_rid;
- tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, RID_MULTIPLIER);
- if (!tdb_ret) {
- ret = False;
- goto done;
- }
- if (user_rid > tdb_state->high_nua_rid) {
- DEBUG(0, ("tdbsam: no NUA rids available, cannot add user %s!\n", pdb_get_username(newpwd)));
- ret = False;
- goto done;
- }
- pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED);
- }
- } else {
- DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd)));
- ret = False;
- goto done;
- }
- }
-
- if (!pdb_get_group_rid(newpwd)) {
- if (flag & TDB_INSERT) {
- if (!tdb_state->permit_non_unix_accounts) {
- DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
- ret = False;
- goto done;
- } else {
- /* This seems like a good default choice for non-unix users */
- pdb_set_group_sid_from_rid(newpwd, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
- }
- } else {
- DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
- ret = False;
- goto done;
- }
- }
-
- /* copy the SAM_ACCOUNT struct into a BYTE buffer for storage */
- if ((data.dsize=init_buffer_from_sam (tdb_state, &buf, newpwd)) == -1) {
- DEBUG(0,("tdb_update_sam: ERROR - Unable to copy SAM_ACCOUNT info BYTE buffer!\n"));
- ret = False;
- goto done;
- }
- data.dptr = buf;
-
- unix_strlower(pdb_get_username(newpwd), -1, name, sizeof(name));
-
- DEBUG(5, ("Storing %saccount %s with RID %d\n", flag == TDB_INSERT ? "(new) " : "", name, user_rid));
-
- /* setup the USER index key */
- slprintf(keystr, sizeof(keystr)-1, "%s%s", USERPREFIX, name);
- key.dptr = keystr;
- key.dsize = strlen (keystr) + 1;
-
- /* add the account */
- if (tdb_store(pwd_tdb, key, data, flag) != TDB_SUCCESS) {
- DEBUG(0, ("Unable to modify passwd TDB!"));
- DEBUGADD(0, (" Error: %s", tdb_errorstr(pwd_tdb)));
- DEBUGADD(0, (" occured while storing the main record (%s)\n", keystr));
- ret = False;
- goto done;
- }
-
- /* setup RID data */
- data.dsize = sizeof(fstring);
- data.dptr = name;
-
- /* setup the RID index key */
- slprintf(keystr, sizeof(keystr)-1, "%s%.8x", RIDPREFIX, user_rid);
- key.dptr = keystr;
- key.dsize = strlen (keystr) + 1;
-
- /* add the reference */
- if (tdb_store(pwd_tdb, key, data, flag) != TDB_SUCCESS) {
- DEBUG(0, ("Unable to modify TDB passwd !"));
- DEBUGADD(0, (" Error: %s\n", tdb_errorstr(pwd_tdb)));
- DEBUGADD(0, (" occured while storing the RID index (%s)\n", keystr));
- ret = False;
- goto done;
- }
-
-done:
- /* cleanup */
- tdb_close (pwd_tdb);
- SAFE_FREE(buf);
-
- return (ret);
-}
-
-/***************************************************************************
- Modifies an existing SAM_ACCOUNT
-****************************************************************************/
-
-static NTSTATUS tdbsam_update_sam_account (struct pdb_methods *my_methods, SAM_ACCOUNT *newpwd)
-{
- if (tdb_update_sam(my_methods, newpwd, TDB_MODIFY))
- return NT_STATUS_OK;
- else
- return NT_STATUS_UNSUCCESSFUL;
-}
-
-/***************************************************************************
- Adds an existing SAM_ACCOUNT
-****************************************************************************/
-
-static NTSTATUS tdbsam_add_sam_account (struct pdb_methods *my_methods, SAM_ACCOUNT *newpwd)
-{
- if (tdb_update_sam(my_methods, newpwd, TDB_INSERT))
- return NT_STATUS_OK;
- else
- return NT_STATUS_UNSUCCESSFUL;
-}
-
-static void free_private_data(void **vp)
-{
- struct tdbsam_privates **tdb_state = (struct tdbsam_privates **)vp;
- close_tdb(*tdb_state);
- *tdb_state = NULL;
-
- /* No need to free any further, as it is talloc()ed */
-}
-
-
-static NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
- struct tdbsam_privates *tdb_state;
-
-#if 0 /* when made a module use this */
- tdbsam_debug_level = debug_add_class("tdbsam");
- if(tdbsam_debug_level == -1) {
- tdbsam_debug_level = DBGC_ALL;
- DEBUG(0, ("tdbsam: Couldn't register custom debugging class!\n"));
- }
-#endif
-
- if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "tdbsam";
-
- (*pdb_method)->setsampwent = tdbsam_setsampwent;
- (*pdb_method)->endsampwent = tdbsam_endsampwent;
- (*pdb_method)->getsampwent = tdbsam_getsampwent;
- (*pdb_method)->getsampwnam = tdbsam_getsampwnam;
- (*pdb_method)->getsampwsid = tdbsam_getsampwsid;
- (*pdb_method)->add_sam_account = tdbsam_add_sam_account;
- (*pdb_method)->update_sam_account = tdbsam_update_sam_account;
- (*pdb_method)->delete_sam_account = tdbsam_delete_sam_account;
-
- tdb_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct tdbsam_privates));
-
- if (!tdb_state) {
- DEBUG(0, ("talloc() failed for tdbsam private_data!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- if (location) {
- tdb_state->tdbsam_location = talloc_strdup(pdb_context->mem_ctx, location);
- } else {
- pstring tdbfile;
- get_private_directory(tdbfile);
- pstrcat(tdbfile, "/");
- pstrcat(tdbfile, PASSDB_FILE_NAME);
- tdb_state->tdbsam_location = talloc_strdup(pdb_context->mem_ctx, tdbfile);
- }
-
- tdb_state->algorithmic_rids = True;
-
- (*pdb_method)->private_data = tdb_state;
-
- (*pdb_method)->free_private_data = free_private_data;
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS pdb_init_tdbsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
- struct tdbsam_privates *tdb_state;
- uint32 low_nua_uid, high_nua_uid;
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_tdbsam(pdb_context, pdb_method, location))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "tdbsam_nua";
-
- tdb_state = (*pdb_method)->private_data;
-
- tdb_state->permit_non_unix_accounts = True;
-
- if (!lp_non_unix_account_range(&low_nua_uid, &high_nua_uid)) {
- DEBUG(0, ("cannot use tdbsam_nua without 'non unix account range' in smb.conf!\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- tdb_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid);
-
- tdb_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid);
-
- return NT_STATUS_OK;
-}
-
-NTSTATUS passdb_tdb_init(void)
-{
- NTSTATUS ret;
- struct passdb_ops ops;
-
- /* fill in our name */
- ops.name = "tdbsam";
- /* fill in all the operations */
- ops.init = pdb_init_tdbsam;
-
- /* register ourselves with the PASSDB subsystem. */
- ret = register_backend("passdb", &ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register '%s' PASSDB backend!\n",
- ops.name));
- return ret;
- }
-
- /* fill in our name */
- ops.name = "tdbsam_nua";
- /* fill in all the operations */
- ops.init = pdb_init_tdbsam_nua;
-
- /* register ourselves with the PASSDB subsystem. */
- ret = register_backend("passdb", &ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register '%s' PASSDB backend!\n",
- ops.name));
- return ret;
- }
-
- return ret;
-}
+++ /dev/null
-/*
- * Unix password backend for samba
- * Copyright (C) Jelmer Vernooij 2002
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 2 of the License, or (at your option)
- * any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 675
- * Mass Ave, Cambridge, MA 02139, USA.
- */
-
-#include "includes.h"
-
-/******************************************************************
- Lookup a name in the SAM database
- ******************************************************************/
-
-static NTSTATUS unixsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user, const char *sname)
-{
- struct passwd *pass;
- if (!methods) {
- DEBUG(0,("invalid methods\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
- if (!sname) {
- DEBUG(0,("invalid name specified"));
- return NT_STATUS_UNSUCCESSFUL;
- }
- pass = Get_Pwnam(sname);
-
- return pdb_fill_sam_pw(user, pass);
-}
-
-
-/***************************************************************************
- Search by rid
- **************************************************************************/
-
-static NTSTATUS unixsam_getsampwrid (struct pdb_methods *methods,
- SAM_ACCOUNT *user, uint32 rid)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct passwd *pass = NULL;
- const char *guest_account = lp_guestaccount();
- if (!(guest_account && *guest_account)) {
- DEBUG(1, ("NULL guest account!?!?\n"));
- return nt_status;
- }
-
- if (!methods) {
- DEBUG(0,("invalid methods\n"));
- return nt_status;
- }
-
- if (rid == DOMAIN_USER_RID_GUEST) {
- pass = getpwnam_alloc(guest_account);
- if (!pass) {
- DEBUG(1, ("guest account %s does not seem to exist...\n", guest_account));
- return nt_status;
- }
- } else if (pdb_rid_is_user(rid)) {
- pass = getpwuid_alloc(fallback_pdb_user_rid_to_uid (rid));
- }
-
- if (pass == NULL) {
- return nt_status;
- }
-
- nt_status = pdb_fill_sam_pw(user, pass);
- passwd_free(&pass);
-
- return nt_status;
-}
-
-static NTSTATUS unixsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
-{
- uint32 rid;
- if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
- return NT_STATUS_UNSUCCESSFUL;
- return unixsam_getsampwrid(my_methods, user, rid);
-}
-
-static NTSTATUS pdb_init_unixsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
-
- if (!pdb_context) {
- DEBUG(0, ("invalid pdb_context specified\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "unixsam";
- (*pdb_method)->getsampwnam = unixsam_getsampwnam;
- (*pdb_method)->getsampwsid = unixsam_getsampwsid;
-
- /* There's not very much to initialise here */
- return NT_STATUS_OK;
-}
-
-NTSTATUS passdb_unix_init(void)
-{
- NTSTATUS ret;
- struct passdb_ops ops;
-
- /* fill in our name */
- ops.name = "unixsam";
- /* fill in all the operations */
- ops.init = pdb_init_unixsam;
-
- /* register ourselves with the PASSDB subsystem. */
- ret = register_backend("passdb", &ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register '%s' PASSDB backend!\n",
- ops.name));
- return ret;
- }
-
- return ret;
-}
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- Samba utility functions
- Copyright (C) Andrew Tridgell 1992-1998
- Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
- Copyright (C) Jeremy Allison 1999
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#define MAX_SID_NAMES 7
-
-typedef struct _known_sid_users {
- uint32 rid;
- enum SID_NAME_USE sid_name_use;
- const char *known_user_name;
-} known_sid_users;
-
-static struct sid_name_map_info
-{
- DOM_SID *sid;
- const char *name;
- const known_sid_users *known_users;
-} sid_name_map[MAX_SID_NAMES];
-
-extern DOM_SID global_sid_Builtin; /* Local well-known domain */
-extern DOM_SID global_sid_World_Domain; /* Everyone domain */
-extern DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */
-extern DOM_SID global_sid_NT_Authority; /* NT Authority */
-
-
-static BOOL sid_name_map_initialized = False;
-/* static known_sid_users no_users[] = {{0, 0, NULL}}; */
-
-static const known_sid_users everyone_users[] = {
- { 0, SID_NAME_WKN_GRP, "Everyone" },
- {0, (enum SID_NAME_USE)0, NULL}};
-
-static const known_sid_users creator_owner_users[] = {
- { 0, SID_NAME_WKN_GRP, "Creator Owner" },
- { 1, SID_NAME_WKN_GRP, "Creator Group" },
- {0, (enum SID_NAME_USE)0, NULL}};
-
-static const known_sid_users nt_authority_users[] = {
- { 1, SID_NAME_ALIAS, "Dialup" },
- { 2, SID_NAME_ALIAS, "Network"},
- { 3, SID_NAME_ALIAS, "Batch"},
- { 4, SID_NAME_ALIAS, "Interactive"},
- { 6, SID_NAME_ALIAS, "Service"},
- { 7, SID_NAME_ALIAS, "AnonymousLogon"},
- { 8, SID_NAME_ALIAS, "Proxy"},
- { 9, SID_NAME_ALIAS, "ServerLogon"},
- { 11, SID_NAME_ALIAS, "Authenticated Users"},
- { 18, SID_NAME_ALIAS, "SYSTEM"},
- { 0, (enum SID_NAME_USE)0, NULL}};
-
-static const known_sid_users builtin_groups[] = {
- { BUILTIN_ALIAS_RID_ADMINS, SID_NAME_ALIAS, "Administrators" },
- { BUILTIN_ALIAS_RID_USERS, SID_NAME_ALIAS, "Users" },
- { BUILTIN_ALIAS_RID_GUESTS, SID_NAME_ALIAS, "Guests" },
- { BUILTIN_ALIAS_RID_ACCOUNT_OPS, SID_NAME_ALIAS, "Account Operators" },
- { BUILTIN_ALIAS_RID_SYSTEM_OPS, SID_NAME_ALIAS, "Server Operators" },
- { BUILTIN_ALIAS_RID_PRINT_OPS, SID_NAME_ALIAS, "Print Operators" },
- { BUILTIN_ALIAS_RID_BACKUP_OPS, SID_NAME_ALIAS, "Backup Operators" },
- { 0, (enum SID_NAME_USE)0, NULL}};
-
-/**************************************************************************
- Quick init function.
-*************************************************************************/
-
-static void init_sid_name_map (void)
-{
- int i = 0;
-
- if (sid_name_map_initialized) return;
-
- generate_wellknown_sids();
-
- if ((lp_security() == SEC_USER) && lp_domain_logons()) {
- sid_name_map[i].sid = get_global_sam_sid();
- /* This is not lp_workgroup() for good reason:
- it must stay around longer than the lp_*()
- strings do */
- sid_name_map[i].name = strdup(lp_workgroup());
- sid_name_map[i].known_users = NULL;
- i++;
- sid_name_map[i].sid = get_global_sam_sid();
- sid_name_map[i].name = strdup(lp_netbios_name());
- sid_name_map[i].known_users = NULL;
- i++;
- } else {
- sid_name_map[i].sid = get_global_sam_sid();
- sid_name_map[i].name = strdup(lp_netbios_name());
- sid_name_map[i].known_users = NULL;
- i++;
- }
-
- sid_name_map[i].sid = &global_sid_Builtin;
- sid_name_map[i].name = "BUILTIN";
- sid_name_map[i].known_users = &builtin_groups[0];
- i++;
-
- sid_name_map[i].sid = &global_sid_World_Domain;
- sid_name_map[i].name = "";
- sid_name_map[i].known_users = &everyone_users[0];
- i++;
-
- sid_name_map[i].sid = &global_sid_Creator_Owner_Domain;
- sid_name_map[i].name = "";
- sid_name_map[i].known_users = &creator_owner_users[0];
- i++;
-
- sid_name_map[i].sid = &global_sid_NT_Authority;
- sid_name_map[i].name = "NT Authority";
- sid_name_map[i].known_users = &nt_authority_users[0];
- i++;
-
- /* End of array. */
- sid_name_map[i].sid = NULL;
- sid_name_map[i].name = NULL;
- sid_name_map[i].known_users = NULL;
-
- sid_name_map_initialized = True;
-
- return;
-}
-
-/**************************************************************************
- Turns a domain SID into a name, returned in the nt_domain argument.
-***************************************************************************/
-
-BOOL map_domain_sid_to_name(DOM_SID *sid, fstring nt_domain)
-{
- fstring sid_str;
- int i = 0;
-
- sid_to_string(sid_str, sid);
-
- if (!sid_name_map_initialized)
- init_sid_name_map();
-
- DEBUG(5,("map_domain_sid_to_name: %s\n", sid_str));
-
- if (nt_domain == NULL)
- return False;
-
- while (sid_name_map[i].sid != NULL) {
- sid_to_string(sid_str, sid_name_map[i].sid);
- DEBUG(5,("map_domain_sid_to_name: compare: %s\n", sid_str));
- if (sid_equal(sid_name_map[i].sid, sid)) {
- fstrcpy(nt_domain, sid_name_map[i].name);
- DEBUG(5,("map_domain_sid_to_name: found '%s'\n", nt_domain));
- return True;
- }
- i++;
- }
-
- DEBUG(5,("map_domain_sid_to_name: mapping for %s not found\n", sid_str));
-
- return False;
-}
-
-/**************************************************************************
- Looks up a known username from one of the known domains.
-***************************************************************************/
-
-BOOL lookup_known_rid(DOM_SID *sid, uint32 rid, char *name, enum SID_NAME_USE *psid_name_use)
-{
- int i = 0;
- struct sid_name_map_info *psnm;
-
- if (!sid_name_map_initialized)
- init_sid_name_map();
-
- for(i = 0; sid_name_map[i].sid != NULL; i++) {
- psnm = &sid_name_map[i];
- if(sid_equal(psnm->sid, sid)) {
- int j;
- for(j = 0; psnm->known_users && psnm->known_users[j].known_user_name != NULL; j++) {
- if(rid == psnm->known_users[j].rid) {
- DEBUG(5,("lookup_builtin_rid: rid = %u, domain = '%s', user = '%s'\n",
- (unsigned int)rid, psnm->name, psnm->known_users[j].known_user_name ));
- fstrcpy( name, psnm->known_users[j].known_user_name);
- *psid_name_use = psnm->known_users[j].sid_name_use;
- return True;
- }
- }
- }
- }
-
- return False;
-}
-
-/**************************************************************************
- Turns a domain name into a SID.
- *** side-effect: if the domain name is NULL, it is set to our domain ***
-***************************************************************************/
-
-BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain)
-{
- int i = 0;
-
- if (nt_domain == NULL) {
- DEBUG(5,("map_domain_name_to_sid: mapping NULL domain to our SID.\n"));
- sid_copy(sid, get_global_sam_sid());
- return True;
- }
-
- if (nt_domain[0] == 0) {
- fstrcpy(nt_domain, lp_netbios_name());
- DEBUG(5,("map_domain_name_to_sid: overriding blank name to %s\n", nt_domain));
- sid_copy(sid, get_global_sam_sid());
- return True;
- }
-
- DEBUG(5,("map_domain_name_to_sid: %s\n", nt_domain));
-
- if (!sid_name_map_initialized)
- init_sid_name_map();
-
- while (sid_name_map[i].name != NULL) {
- DEBUG(5,("map_domain_name_to_sid: compare: %s\n", sid_name_map[i].name));
- if (strequal(sid_name_map[i].name, nt_domain)) {
- fstring sid_str;
- sid_copy(sid, sid_name_map[i].sid);
- sid_to_string(sid_str, sid_name_map[i].sid);
- DEBUG(5,("map_domain_name_to_sid: found %s\n", sid_str));
- return True;
- }
- i++;
- }
-
- DEBUG(0,("map_domain_name_to_sid: mapping to %s not found.\n", nt_domain));
- return False;
-}
-
-/*****************************************************************
- Check if the SID is our domain SID (S-1-5-21-x-y-z).
-*****************************************************************/
-
-BOOL sid_check_is_domain(const DOM_SID *sid)
-{
- return sid_equal(sid, get_global_sam_sid());
-}
-
-/*****************************************************************
- Check if the SID is our domain SID (S-1-5-21-x-y-z).
-*****************************************************************/
-
-BOOL sid_check_is_in_our_domain(const DOM_SID *sid)
-{
- DOM_SID dom_sid;
- uint32 rid;
-
- sid_copy(&dom_sid, sid);
- sid_split_rid(&dom_sid, &rid);
-
- return sid_equal(&dom_sid, get_global_sam_sid());
-}
-
-/**************************************************************************
- Try and map a name to one of the well known SIDs.
-***************************************************************************/
-
-BOOL map_name_to_wellknown_sid(DOM_SID *sid, enum SID_NAME_USE *use, const char *name)
-{
- int i, j;
-
- if (!sid_name_map_initialized)
- init_sid_name_map();
-
- for (i=0; sid_name_map[i].sid != NULL; i++) {
- const known_sid_users *users = sid_name_map[i].known_users;
-
- if (users == NULL)
- continue;
-
- for (j=0; users[j].known_user_name != NULL; j++) {
- if (strequal(users[j].known_user_name, name) == 0) {
- sid_copy(sid, sid_name_map[i].sid);
- sid_append_rid(sid, users[j].rid);
- *use = users[j].sid_name_use;
- return True;
- }
- }
- }
-
- return False;
-}
from the vuid 'owner' of connections */
/* REWRITE: conn_clear_vuid_cache(smb, vuid); */
- delete_nt_token(&vuser->nt_user_token);
SAFE_FREE(vuser);
smb->users.num_validated_vuids--;
}
vuser->vuid = smb->users.next_vuid;
- vuser->guest = server_info->guest;
-
vuser->session_key = *session_key;
- DEBUG(10,("register_vuid: guest=%d\n", vuser->guest ));
-
- if (server_info->ptok) {
- vuser->nt_user_token = dup_nt_token(server_info->ptok);
- } else {
+ if (!server_info->ptok) {
DEBUG(1, ("server_info does not contain a user_token - cannot continue\n"));
free_server_info(&server_info);
void smbd_process_init(void)
{
TALLOC_CTX *mem_ctx;
+
+ generate_wellknown_sids();
mem_ctx = talloc_init("smbd_process_init talloc");
if (!mem_ctx) {
/* possibly reload the services file. */
reload_services(NULL, True);
- if(!get_global_sam_sid()) {
- DEBUG(0,("ERROR: Samba cannot create a SAM SID.\n"));
- exit(1);
- }
-
if (!init_account_policy()) {
DEBUG(0,("Could not open account policy tdb.\n"));
exit(1);
if (!init_change_notify())
exit(1);
- /* Setup the PASSDB subsystem */
- if(!initialize_password_db(False))
- exit(1);
-
talloc_destroy(mem_ctx);
}
if (!auth_init())
exit(1);
- /* Setup the PASSDB subsystem */
- if (!passdb_init())
- exit(1);
-
/* Setup the NTVFS subsystem */
if (!ntvfs_init())
exit(1);
git.samba.org / bbaumbach / samba-autobuild / .git / commitdiff