-/*
+/*
Unix SMB/CIFS implementation.
LDAP protocol helper functions for SAMBA
Copyright (C) Jean François Micouleau 1998
/* TODO:
* persistent connections: if using NSS LDAP, many connections are made
* however, using only one within Samba would be nice
-*
+*
* Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
*
* Other LDAP based login attributes: accountExpires, etc.
#include "librpc/gen_ndr/idmap.h"
#include "lib/param/loadparm.h"
#include "lib/util_sid_passdb.h"
+#include "lib/util/smb_strtox.h"
+#include "lib/util/string_wrappers.h"
+#include "source3/lib/substitute.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
/**********************************************************************
Get the attribute name given a user schame version.
**********************************************************************/
-
+
static const char* get_userattr_key2string( int schema_ver, int key )
{
switch ( schema_ver ) {
/*******************************************************************
- Generate the LDAP search filter for the objectclass based on the
+ Generate the LDAP search filter for the objectclass based on the
version of the schema we are using.
******************************************************************/
if (!smbldap_has_naming_context(
smbldap_get_ldap(ldap_state->smbldap_state),
- lp_ldap_suffix(talloc_tos()))) {
+ lp_ldap_suffix())) {
DEBUG(3,("ldapsam_get_seq_num: DIT not configured to hold %s "
- "as top-level namingContext\n", lp_ldap_suffix(talloc_tos())));
+ "as top-level namingContext\n", lp_ldap_suffix()));
return ntstatus;
}
attrs[0] = talloc_strdup(mem_ctx, "syncreplCookie");
attrs[1] = NULL;
suffix = talloc_asprintf(mem_ctx,
- "cn=syncrepl%d,%s", rid, lp_ldap_suffix(talloc_tos()));
+ "cn=syncrepl%d,%s", rid, lp_ldap_suffix());
if (!suffix) {
ntstatus = NT_STATUS_NO_MEMORY;
goto done;
attrs[0] = talloc_strdup(mem_ctx, "contextCSN");
attrs[1] = NULL;
suffix = talloc_asprintf(mem_ctx,
- "cn=ldapsync,%s", lp_ldap_suffix(talloc_tos()));
+ "cn=ldapsync,%s", lp_ldap_suffix());
if (!suffix) {
ntstatus = NT_STATUS_NO_MEMORY;
/* very basic sanity check */
if (*seq_num <= 0) {
- DEBUG(3,("ldapsam_get_seq_num: invalid sequence number: %d\n",
+ DEBUG(3,("ldapsam_get_seq_num: invalid sequence number: %d\n",
(int)*seq_num));
goto done;
}
uint8_t smblmpwd[LM_HASH_LEN],
smbntpwd[NT_HASH_LEN];
bool use_samba_attrs = True;
- uint32_t acct_ctrl = 0;
uint16_t logon_divs;
uint16_t bad_password_count = 0,
logon_count = 0;
}
if (IS_SAM_DEFAULT(sampass, PDB_USERSID)) {
- DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
+ DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_USER_SID),
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_ACB_INFO),
ctx);
if (temp) {
+ uint32_t acct_ctrl = 0;
acct_ctrl = pdb_decode_acct_ctrl(temp);
if (acct_ctrl == 0) {
}
pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
- } else {
- acct_ctrl |= ACB_NORMAL;
}
pdb_set_hours_len(sampass, hours_len, PDB_SET);
struct dom_sid mapped_gsid;
const struct dom_sid *primary_gsid;
struct unixid id;
+ int error = 0;
ZERO_STRUCT(unix_pw);
ctx);
if (temp) {
/* We've got a uid, feed the cache */
- unix_pw.pw_uid = strtoul(temp, NULL, 10);
+ unix_pw.pw_uid = smb_strtoul(temp,
+ NULL,
+ 10,
+ &error,
+ SMB_STR_STANDARD);
+ if (error != 0) {
+ DBG_ERR("Failed to convert UID\n");
+ goto fn_exit;
+ }
have_uid = true;
}
temp = smbldap_talloc_single_attribute(
ctx);
if (temp) {
/* We've got a uid, feed the cache */
- unix_pw.pw_gid = strtoul(temp, NULL, 10);
+ unix_pw.pw_gid = smb_strtoul(temp,
+ NULL,
+ 10,
+ &error,
+ SMB_STR_STANDARD);
+ if (error != 0) {
+ DBG_ERR("Failed to convert GID\n");
+ goto fn_exit;
+ }
have_gid = true;
}
unix_pw.pw_gecos = smbldap_talloc_single_attribute(
smbldap_get_ldap(
ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
dom_sid_str_buf(user_sid, &sid_str));
break;
smbldap_get_ldap(
ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver,
+ get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_PRIMARY_GROUP_SID),
dom_sid_str_buf(group_sid, &sid_str));
break;
if (need_update(sampass, PDB_FULLNAME))
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
pdb_get_fullname(sampass));
if (need_update(sampass, PDB_ACCTDESC))
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
pdb_get_acct_desc(sampass));
if (need_update(sampass, PDB_WORKSTATIONS))
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
pdb_get_workstations(sampass));
if (need_update(sampass, PDB_MUNGEDDIAL))
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL),
pdb_get_munged_dial(sampass));
if (need_update(sampass, PDB_SMBHOME))
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
pdb_get_homedir(sampass));
if (need_update(sampass, PDB_DRIVE))
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
pdb_get_dir_drive(sampass));
if (need_update(sampass, PDB_LOGONSCRIPT))
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
pdb_get_logon_script(sampass));
if (need_update(sampass, PDB_PROFILE))
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
pdb_get_profile_path(sampass));
if (asprintf(&temp, "%li", (long int)pdb_get_logon_time(sampass)) < 0) {
smbldap_get_ldap(
ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
pwstr);
} else {
smbldap_make_mod(
smbldap_get_ldap(
ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
NULL);
}
}
smbldap_get_ldap(
ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
pwstr);
} else {
smbldap_make_mod(
smbldap_get_ldap(
ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
NULL);
}
}
smbldap_make_mod(
smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY),
pwstr);
SAFE_FREE(pwstr);
}
smbldap_make_mod(
smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
temp);
SAFE_FREE(temp);
}
smbldap_make_mod(
smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
- get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
+ get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
/* password lockout cache:
attr_list);
TALLOC_FREE( attr_list );
- if ( rc != LDAP_SUCCESS )
+ if ( rc != LDAP_SUCCESS )
return NT_STATUS_NO_SUCH_USER;
count = ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
return ret;
}
-static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
+static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
const struct dom_sid *sid, LDAPMessage **result)
{
int rc = -1;
result, attr_list);
TALLOC_FREE(tmp_ctx);
- if ( rc != LDAP_SUCCESS )
+ if ( rc != LDAP_SUCCESS )
return rc;
break;
}
int count;
int rc;
- rc = ldapsam_get_ldap_user_by_sid(ldap_state,
- sid, &result);
+ rc = ldapsam_get_ldap_user_by_sid(ldap_state,
+ sid, &result);
if (rc != LDAP_SUCCESS)
return NT_STATUS_NO_SUCH_USER;
result);
if (count < 1) {
+ struct dom_sid_buf buf;
DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] "
- "count=%d\n", sid_string_dbg(sid), count));
+ "count=%d\n",
+ dom_sid_str_buf(sid, &buf),
+ count));
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_USER;
} else if (count > 1) {
+ struct dom_sid_buf buf;
DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID "
- "[%s]. Failing. count=%d\n", sid_string_dbg(sid),
+ "[%s]. Failing. count=%d\n",
+ dom_sid_str_buf(sid, &buf),
count));
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_USER;
my_methods, PDB_CHANGED);
smbldap_talloc_autofree_ldapmsg(user, result);
return NT_STATUS_OK;
-}
+}
/********************************************************************
- Do the actual modification - also change a plaintext passord if
+ Do the actual modification - also change a plaintext passord if
it it set.
**********************************************************************/
-static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
+static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
struct samu *newpwd, char *dn,
- LDAPMod **mods, int ldap_op,
+ LDAPMod **mods, int ldap_op,
bool (*need_update)(const struct samu *, enum pdb_elements))
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
ber_free(ber, 1);
if (!ldap_state->is_nds_ldap) {
- rc = smbldap_extended_operation(ldap_state->smbldap_state,
+ rc = smbldap_extended_operation(ldap_state->smbldap_state,
LDAP_EXOP_MODIFY_PASSWD,
- bv, NULL, NULL, &retoid,
+ bv, NULL, NULL, &retoid,
&retdata);
} else {
rc = pdb_nds_set_password(ldap_state->smbldap_state, dn,
DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
#ifdef DEBUG_PASSWORD
DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
-#endif
+#endif
if (retdata)
ber_bvfree(retdata);
if (retoid)
static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS ret;
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
int rc = 0;
char *dn;
struct samu *old_acct,
const char *newname)
{
+ const struct loadparm_substitution *lp_sub =
+ loadparm_s3_global_substitution();
const char *oldname;
int rc;
char *rename_script = NULL;
oldname = pdb_get_username(old_acct);
/* rename the posix user */
- rename_script = lp_rename_user_script(talloc_tos());
+ rename_script = lp_rename_user_script(talloc_tos(), lp_sub);
if (rename_script == NULL) {
return NT_STATUS_NO_MEMORY;
}
static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
int rc;
LDAPMessage *result = NULL;
if (ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
result) != 0) {
- DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
+ DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
username));
goto fn_exit;
}
smbldap_get_ldap(
ldap_state->smbldap_state),
result) != 0) {
+ struct dom_sid_buf buf;
DEBUG(0,("ldapsam_add_sam_account: SID '%s' "
"already in the base, with samba "
- "attributes\n", sid_string_dbg(sid)));
+ "attributes\n",
+ dom_sid_str_buf(sid, &buf)));
goto fn_exit;
}
ldap_msgfree(result);
break;
}
- ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, pdb_element_is_set_or_changed);
- if (!NT_STATUS_IS_OK(ret)) {
+ status = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, pdb_element_is_set_or_changed);
+ if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
pdb_get_username(newpwd),dn));
ldap_mods_free(mods, true);
attr_list = get_attr_list(NULL, groupmap_attr_list);
rc = smbldap_search(ldap_state->smbldap_state,
- lp_ldap_suffix (talloc_tos()), scope,
+ lp_ldap_suffix(), scope,
filter, attr_list, 0, result);
TALLOC_FREE(attr_list);
LDAP_ATTR_GIDNUMBER),
ctx);
if (!temp) {
- DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
+ DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
TALLOC_FREE(ctx);
return false;
}
if (dom_sid_compare_domain(&sid, domain_sid) != 0) {
+ struct dom_sid_buf buf;
DEBUG(10, ("SID %s is not in expected domain %s\n",
- str, sid_string_dbg(domain_sid)));
+ str,
+ dom_sid_str_buf(domain_sid, &buf)));
return False;
}
*p_num_members = 0;
filter = talloc_asprintf(mem_ctx,
- "(&(objectClass=%s)"
- "(objectClass=%s)"
+ "(&(objectClass="LDAP_OBJ_POSIXGROUP")"
+ "(objectClass="LDAP_OBJ_GROUPMAP")"
"(sambaSID=%s))",
- LDAP_OBJ_POSIXGROUP,
- LDAP_OBJ_GROUPMAP,
dom_sid_str_buf(group, &buf));
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
- rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
+ rc = smbldap_search(conn, lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, filter, id_attrs, 0,
&result);
if (count > 1) {
DEBUG(1, ("Found more than one groupmap entry for %s\n",
- sid_string_dbg(group)));
+ dom_sid_str_buf(group, &buf)));
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
if ((values != NULL) && (values[0] != NULL)) {
- filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(|", LDAP_OBJ_SAMBASAMACCOUNT);
- if (filter == NULL) {
- ret = NT_STATUS_NO_MEMORY;
- goto done;
- }
+ filter = talloc_strdup(mem_ctx, "(&(objectClass="LDAP_OBJ_SAMBASAMACCOUNT")(|");
for (memberuid = values; *memberuid != NULL; memberuid += 1) {
char *escape_memberuid;
goto done;
}
- rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
+ rc = smbldap_search(conn, lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
&result);
LDAP_OBJ_SAMBASAMACCOUNT,
gidstr);
- rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
+ rc = smbldap_search(conn, lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
&result);
uint32_t num_gids;
char *gidstr;
gid_t primary_gid = -1;
+ int error = 0;
*pp_sids = NULL;
num_sids = 0;
} else {
/* retrieve the users primary gid */
filter = talloc_asprintf(mem_ctx,
- "(&(objectClass=%s)(uid=%s))",
- LDAP_OBJ_SAMBASAMACCOUNT,
+ "(&(objectClass="LDAP_OBJ_SAMBASAMACCOUNT")(uid=%s))",
escape_name);
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
- rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
+ rc = smbldap_search(conn, lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
if (rc != LDAP_SUCCESS)
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
- primary_gid = strtoul(gidstr, NULL, 10);
+ primary_gid = smb_strtoul(gidstr,
+ NULL,
+ 10,
+ &error,
+ SMB_STR_STANDARD);
+ if (error != 0) {
+ DBG_ERR("Failed to convert GID\n");
+ goto done;
+ }
break;
default:
DEBUG(1, ("found more than one account with the same user name ?!\n"));
}
filter = talloc_asprintf(mem_ctx,
- "(&(objectClass=%s)(|(memberUid=%s)(gidNumber=%u)))",
- LDAP_OBJ_POSIXGROUP, escape_name, (unsigned int)primary_gid);
+ "(&(objectClass="LDAP_OBJ_POSIXGROUP")(|(memberUid=%s)(gidNumber=%u)))",
+ escape_name, (unsigned int)primary_gid);
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
- rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
+ rc = smbldap_search(conn, lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
if (rc != LDAP_SUCCESS)
fstring str;
struct dom_sid sid;
gid_t gid;
- char *end;
if (!smbldap_get_single_attribute(smbldap_get_ldap(conn),
entry, "sambaSID",
str, sizeof(str)-1))
continue;
- gid = strtoul(str, &end, 10);
+ gid = smb_strtoul(str, NULL, 10, &error, SMB_STR_FULL_STR_CONV);
- if (PTR_DIFF(end, str) != strlen(str))
+ if (error != 0) {
goto done;
+ }
if (gid == primary_gid) {
sid_copy(&(*pp_sids)[0], &sid);
int rc;
filter = talloc_asprintf(mem_ctx,
- "(&(objectClass=%s)(gidNumber=%u))",
- LDAP_OBJ_POSIXGROUP, (unsigned int)map->gid);
+ "(&(objectClass="LDAP_OBJ_POSIXGROUP")(gidNumber=%u))",
+ (unsigned int)map->gid);
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
goto done;
}
- rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(talloc_tos()),
+ rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, filter, attrs, True, &msg);
smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
msg) > 0)) {
DEBUG(3, ("SID %s already present in LDAP, refusing to add "
- "group mapping entry\n", sid_string_dbg(&map->sid)));
+ "group mapping entry\n",
+ dom_sid_str_buf(&map->sid, &buf)));
result = NT_STATUS_GROUP_EXISTS;
goto done;
}
break;
case SID_NAME_ALIAS:
- if (!sid_check_is_in_our_sam(&map->sid)
- && !sid_check_is_in_builtin(&map->sid) )
+ if (!sid_check_is_in_our_sam(&map->sid)
+ && !sid_check_is_in_builtin(&map->sid) )
{
DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n",
- sid_string_dbg(&map->sid)));
+ dom_sid_str_buf(&map->sid, &buf)));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
}
if (pdb_id_to_sid(&id, &sid)) {
DEBUG(3, ("Gid %u is already mapped to SID %s, refusing to "
- "add\n", (unsigned int)map->gid, sid_string_dbg(&sid)));
+ "add\n",
+ (unsigned int)map->gid,
+ dom_sid_str_buf(&sid, &buf)));
result = NT_STATUS_GROUP_EXISTS;
goto done;
}
/* Make 100% sure that sid, gid and type are not changed by looking up
* exactly the values we're given in LDAP. */
- filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)"
+ filter = talloc_asprintf(mem_ctx, "(&(objectClass="LDAP_OBJ_GROUPMAP")"
"(sambaSid=%s)(gidNumber=%u)"
"(sambaGroupType=%d))",
- LDAP_OBJ_GROUPMAP,
dom_sid_str_buf(&map->sid, &buf),
(unsigned int)map->gid, map->sid_name_use);
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
- filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%s))",
- LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID,
+ filter = talloc_asprintf(mem_ctx, "(&(objectClass="LDAP_OBJ_GROUPMAP")("LDAP_ATTRIBUTE_SID"=%s))",
dom_sid_str_buf(&sid, &buf));
if (filter == NULL) {
result = NT_STATUS_NO_MEMORY;
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)my_methods->private_data;
- char *filter = NULL;
+ const char *filter = NULL;
int rc;
const char **attr_list;
- filter = talloc_asprintf(NULL, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
- if (!filter) {
- return NT_STATUS_NO_MEMORY;
- }
+ filter = "(objectclass="LDAP_OBJ_GROUPMAP")";
attr_list = get_attr_list( NULL, groupmap_attr_list );
- rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(talloc_tos()),
+ rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, filter,
attr_list, 0, &ldap_state->result);
TALLOC_FREE(attr_list);
DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n",
ldap_err2string(rc)));
DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n",
- lp_ldap_suffix(talloc_tos()), filter));
+ lp_ldap_suffix(), filter));
ldap_msgfree(ldap_state->result);
ldap_state->result = NULL;
- TALLOC_FREE(filter);
return NT_STATUS_UNSUCCESSFUL;
}
- TALLOC_FREE(filter);
-
DEBUG(2, ("ldapsam_setsamgrent: %d entries in the base!\n",
ldap_count_entries(
smbldap_get_ldap(ldap_state->smbldap_state),
}
if (type == SID_NAME_USE_NONE) {
+ struct dom_sid_buf buf;
DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
- sid_string_dbg(alias)));
+ dom_sid_str_buf(alias, &buf)));
return NT_STATUS_NO_SUCH_ALIAS;
}
if (type == SID_NAME_USE_NONE) {
DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
- sid_string_dbg(alias)));
+ dom_sid_str_buf(alias, &tmp)));
return NT_STATUS_NO_SUCH_ALIAS;
}
}
if (type == SID_NAME_USE_NONE) {
+ struct dom_sid_buf buf;
DEBUG(5, ("SID %s is neither builtin nor domain!\n",
- sid_string_dbg(domain_sid)));
+ dom_sid_str_buf(domain_sid, &buf)));
return NT_STATUS_UNSUCCESSFUL;
}
}
filter = talloc_asprintf(mem_ctx,
- "(&(objectclass=%s)(sambaGroupType=%d)(|",
- LDAP_OBJ_GROUPMAP, type);
+ "(&(objectclass="LDAP_OBJ_GROUPMAP")(sambaGroupType=%d)(|",
+ type);
for (i=0; i<num_members; i++) {
struct dom_sid_buf buf;
result = ldap_state->search_cache.result;
ldap_state->search_cache.result = NULL;
} else {
- rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(talloc_tos()),
+ rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
int count;
int rc;
char **vals = NULL;
- char *filter;
+ const char *filter;
const char *policy_attr = NULL;
struct ldapsam_privates *ldap_state =
attrs[0] = policy_attr;
attrs[1] = NULL;
- filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)", LDAP_OBJ_DOMINFO);
- if (filter == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ filter = "(objectClass="LDAP_OBJ_DOMINFO")";
rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn,
LDAP_SCOPE_BASE, filter, attrs, 0,
&result);
- TALLOC_FREE(filter);
if (rc != LDAP_SUCCESS) {
return ntstatus;
}
return ntstatus;
}
-/* wrapper around ldapsam_get_account_policy_from_ldap(), handles tdb as cache
+/* wrapper around ldapsam_get_account_policy_from_ldap(), handles tdb as cache
- if user hasn't decided to use account policies inside LDAP just reuse the
old tdb values
- if there is a valid cache entry, return that
- - if there is an LDAP entry, update cache and return
+ - if there is an LDAP entry, update cache and return
- otherwise set to default, update cache and return
Guenther
enum pdb_policy_type type,
uint32_t *value)
{
- NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS ntstatus;
if (cache_account_policy_get(type, value)) {
DEBUG(11,("ldapsam_get_account_policy: got valid value from "
const char *ldap_attrs[] = { "uid", "sambaSid", NULL };
filter = talloc_asprintf(
- mem_ctx, ("(&(objectClass=%s)(|%s))"),
- LDAP_OBJ_SAMBASAMACCOUNT, allsids);
+ mem_ctx, ("(&(objectClass="LDAP_OBJ_SAMBASAMACCOUNT")(|%s))"),
+ allsids);
if (filter == NULL) {
goto done;
"sambaGroupType", NULL };
filter = talloc_asprintf(
- mem_ctx, "(&(objectClass=%s)(|%s))",
- LDAP_OBJ_GROUPMAP, allsids);
+ mem_ctx, "(&(objectClass="LDAP_OBJ_GROUPMAP")(|%s))",
+ allsids);
if (filter == NULL) {
goto done;
}
rc = smbldap_search(ldap_state->smbldap_state,
- lp_ldap_suffix(talloc_tos()),
+ lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
&msg);
smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
if ((state->acct_flags != 0) &&
((state->acct_flags & acct_flags) == 0))
- return False;
+ return False;
result->acct_flags = acct_flags;
result->account_name = "";
ldap_value_free(vals);
if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) {
+ struct dom_sid_buf buf;
DEBUG(0, ("sid %s does not belong to our domain\n",
- sid_string_dbg(&sid)));
+ dom_sid_str_buf(&sid, &buf)));
return False;
}
((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))
state->base = lp_ldap_machine_suffix(talloc_tos());
else
- state->base = lp_ldap_suffix(talloc_tos());
+ state->base = lp_ldap_suffix();
state->acct_flags = acct_flags;
state->base = talloc_strdup(search, state->base);
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
- if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
- && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid))
+ if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
+ && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid))
{
+ struct dom_sid_buf buf;
DEBUG(0, ("%s is not in our domain\n",
- sid_string_dbg(&sid)));
+ dom_sid_str_buf(&sid, &buf)));
return False;
}
break;
state->connection = ldap_state->smbldap_state;
- state->base = lp_ldap_suffix(search);
+ state->base = lp_ldap_suffix();
state->connection = ldap_state->smbldap_state;
state->scope = LDAP_SCOPE_SUBTREE;
- state->filter = talloc_asprintf(search, "(&(objectclass=%s)"
+ state->filter = talloc_asprintf(search, "(&(objectclass="LDAP_OBJ_GROUPMAP")"
"(sambaGroupType=%d)(sambaSID=%s*))",
- LDAP_OBJ_GROUPMAP,
type,
dom_sid_str_buf(sid, &tmp));
state->attrs = talloc_attrs(search, "cn", "sambaSid",
int rc;
uint32_t nextRid = 0;
const char *dn;
+ uint32_t tmp;
+ int error = 0;
TALLOC_CTX *mem_ctx;
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaNextRid", mem_ctx);
if (value != NULL) {
- uint32_t tmp = (uint32_t)strtoul(value, NULL, 10);
+ tmp = (uint32_t)smb_strtoul(value,
+ NULL,
+ 10,
+ &error,
+ SMB_STR_STANDARD);
+ if (error != 0) {
+ goto done;
+ }
+
nextRid = MAX(nextRid, tmp);
}
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaNextUserRid", mem_ctx);
if (value != NULL) {
- uint32_t tmp = (uint32_t)strtoul(value, NULL, 10);
+ tmp = (uint32_t)smb_strtoul(value,
+ NULL,
+ 10,
+ &error,
+ SMB_STR_STANDARD);
+ if (error != 0) {
+ goto done;
+ }
+
nextRid = MAX(nextRid, tmp);
}
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaNextGroupRid", mem_ctx);
if (value != NULL) {
- uint32_t tmp = (uint32_t)strtoul(value, NULL, 10);
+ tmp = (uint32_t)smb_strtoul(value,
+ NULL,
+ 10,
+ &error,
+ SMB_STR_STANDARD);
+ if (error != 0) {
+ goto done;
+ }
+
nextRid = MAX(nextRid, tmp);
}
struct ldapsam_privates *priv =
(struct ldapsam_privates *)methods->private_data;
char *filter;
+ int error = 0;
struct dom_sid_buf buf;
const char *attrs[] = { "sambaGroupType", "gidNumber", "uidNumber",
NULL };
filter = talloc_asprintf(mem_ctx,
"(&(sambaSid=%s)"
- "(|(objectClass=%s)(objectClass=%s)))",
- dom_sid_str_buf(sid, &buf),
- LDAP_OBJ_GROUPMAP, LDAP_OBJ_SAMBASAMACCOUNT);
+ "(|(objectClass="LDAP_OBJ_GROUPMAP")(objectClass="LDAP_OBJ_SAMBASAMACCOUNT")))",
+ dom_sid_str_buf(sid, &buf));
if (filter == NULL) {
DEBUG(5, ("talloc_asprintf failed\n"));
goto done;
goto done;
}
- id->id = strtoul(gid_str, NULL, 10);
+ id->id = smb_strtoul(gid_str,
+ NULL,
+ 10,
+ &error,
+ SMB_STR_STANDARD);
+ if (error != 0) {
+ goto done;
+ }
+
id->type = ID_TYPE_GID;
ret = True;
goto done;
goto done;
}
- id->id = strtoul(value, NULL, 10);
- id->type = ID_TYPE_UID;
+ id->id = smb_strtoul(value, NULL, 10, &error, SMB_STR_STANDARD);
+ if (error != 0) {
+ goto done;
+ }
+ id->type = ID_TYPE_UID;
ret = True;
done:
TALLOC_FREE(mem_ctx);
filter = talloc_asprintf(tmp_ctx,
"(&(uidNumber=%u)"
- "(objectClass=%s)"
- "(objectClass=%s))",
- (unsigned int)uid,
- LDAP_OBJ_POSIXACCOUNT,
- LDAP_OBJ_SAMBASAMACCOUNT);
+ "(objectClass="LDAP_OBJ_POSIXACCOUNT")"
+ "(objectClass="LDAP_OBJ_SAMBASAMACCOUNT"))",
+ (unsigned int)uid);
if (filter == NULL) {
DEBUG(3, ("talloc_asprintf failed\n"));
goto done;
filter = talloc_asprintf(tmp_ctx,
"(&(gidNumber=%u)"
- "(objectClass=%s))",
- (unsigned int)gid,
- LDAP_OBJ_GROUPMAP);
+ "(objectClass="LDAP_OBJ_GROUPMAP"))",
+ (unsigned int)gid);
if (filter == NULL) {
DEBUG(3, ("talloc_asprintf failed\n"));
goto done;
}
username = escape_ldap_string(talloc_tos(), name);
- filter = talloc_asprintf(tmp_ctx, "(&(uid=%s)(objectClass=%s))",
- username, LDAP_OBJ_POSIXACCOUNT);
+ filter = talloc_asprintf(tmp_ctx, "(&(uid=%s)(objectClass="LDAP_OBJ_POSIXACCOUNT"))",
+ username);
TALLOC_FREE(username);
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
} else {
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
- }
+ }
ldap_mods_free(mods, true);
filter = talloc_asprintf(tmp_ctx,
"(&(uid=%s)"
- "(objectClass=%s)"
- "(objectClass=%s))",
- pdb_get_username(sam_acct),
- LDAP_OBJ_POSIXACCOUNT,
- LDAP_OBJ_SAMBASAMACCOUNT);
+ "(objectClass="LDAP_OBJ_POSIXACCOUNT")"
+ "(objectClass="LDAP_OBJ_SAMBASAMACCOUNT"))",
+ pdb_get_username(sam_acct));
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
LDAPMod **mods = NULL;
char *filter;
char *groupname;
- char *grouptype;
+ const char *grouptype;
char *gidstr;
const char *dn = NULL;
struct dom_sid group_sid;
struct dom_sid_buf buf;
gid_t gid = -1;
int rc;
+ int error = 0;
groupname = escape_ldap_string(talloc_tos(), name);
- filter = talloc_asprintf(tmp_ctx, "(&(cn=%s)(objectClass=%s))",
- groupname, LDAP_OBJ_POSIXGROUP);
+ filter = talloc_asprintf(tmp_ctx, "(&(cn=%s)(objectClass="LDAP_OBJ_POSIXGROUP"))",
+ groupname);
TALLOC_FREE(groupname);
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
- gid = strtoul(tmp, NULL, 10);
+ gid = smb_strtoul(tmp, NULL, 10, &error, SMB_STR_STANDARD);
+ if (error != 0) {
+ DBG_ERR("Failed to convert gidNumber\n");
+ return NT_STATUS_UNSUCCESSFUL;
+ }
dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
if (!dn) {
smbldap_talloc_autofree_ldapmod(tmp_ctx, mods);
- if (is_new_entry) {
+ if (is_new_entry) {
rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
#if 0
if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
#endif
} else {
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
- }
+ }
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_create_group: failed to create a new group [%s] (dn = %s)\n", name ,dn));
filter = talloc_asprintf(tmp_ctx,
"(&(sambaSID=%s)"
- "(objectClass=%s)"
- "(objectClass=%s))",
- dom_sid_str_buf(&group_sid, &buf),
- LDAP_OBJ_POSIXGROUP,
- LDAP_OBJ_GROUPMAP);
+ "(objectClass="LDAP_OBJ_POSIXGROUP")"
+ "(objectClass="LDAP_OBJ_GROUPMAP"))",
+ dom_sid_str_buf(&group_sid, &buf));
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
/* check no user have this group marked as primary group */
filter = talloc_asprintf(tmp_ctx,
"(&(gidNumber=%s)"
- "(objectClass=%s)"
- "(objectClass=%s))",
- gidstr,
- LDAP_OBJ_POSIXACCOUNT,
- LDAP_OBJ_SAMBASAMACCOUNT);
+ "(objectClass="LDAP_OBJ_POSIXACCOUNT")"
+ "(objectClass="LDAP_OBJ_SAMBASAMACCOUNT"))",
+ gidstr);
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
struct dom_sid member_sid;
struct dom_sid_buf buf;
int rc;
+ int error = 0;
switch (modop) {
case LDAP_MOD_ADD:
filter = talloc_asprintf(tmp_ctx,
"(&(sambaSID=%s)"
- "(objectClass=%s)"
- "(objectClass=%s))",
- dom_sid_str_buf(&member_sid, &buf),
- LDAP_OBJ_POSIXACCOUNT,
- LDAP_OBJ_SAMBASAMACCOUNT);
+ "(objectClass="LDAP_OBJ_POSIXACCOUNT")"
+ "(objectClass="LDAP_OBJ_SAMBASAMACCOUNT"))",
+ dom_sid_str_buf(&member_sid, &buf));
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
- user_gid = strtoul(gidstr, NULL, 10);
+ user_gid = smb_strtoul(gidstr, NULL, 10, &error, SMB_STR_STANDARD);
+ if (error != 0) {
+ DBG_ERR("Failed to convert user gid\n");
+ return NT_STATUS_UNSUCCESSFUL;
+ }
if (!sid_to_gid(&group_sid, &group_gid)) {
DEBUG (0, ("ldapsam_change_groupmem: Unable to get group gid from SID!\n"));
filter = talloc_asprintf(tmp_ctx,
"(&(sambaSID=%s)"
- "(objectClass=%s)"
- "(objectClass=%s))",
- dom_sid_str_buf(&group_sid, &buf),
- LDAP_OBJ_POSIXGROUP,
- LDAP_OBJ_GROUPMAP);
+ "(objectClass="LDAP_OBJ_POSIXGROUP")"
+ "(objectClass="LDAP_OBJ_GROUPMAP"))",
+ dom_sid_str_buf(&group_sid, &buf));
/* get the group */
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
filter = talloc_asprintf(mem_ctx,
"(&(uid=%s)"
- "(objectClass=%s)"
- "(objectClass=%s))",
- escape_username,
- LDAP_OBJ_POSIXACCOUNT,
- LDAP_OBJ_SAMBASAMACCOUNT);
+ "(objectClass="LDAP_OBJ_POSIXACCOUNT")"
+ "(objectClass="LDAP_OBJ_SAMBASAMACCOUNT"))",
+ escape_username);
TALLOC_FREE(escape_username);
uint32_t num_result;
filter = talloc_asprintf(talloc_tos(),
- "(&(objectClass=%s)(sambaDomainName=%s))",
- LDAP_OBJ_TRUSTDOM_PASSWORD, domain);
+ "(&(objectClass="LDAP_OBJ_TRUSTDOM_PASSWORD")(sambaDomainName=%s))",
+ domain);
trusted_dn = trusteddom_dn(ldap_state, domain);
if (trusted_dn == NULL) {
LDAPMod **mods = NULL;
char *prev_pwd = NULL;
char *trusted_dn = NULL;
+ struct dom_sid_buf buf;
int rc;
DEBUG(10, ("ldapsam_set_trusteddom_pw called for domain %s\n", domain));
smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaDomainName",
domain);
smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaSID",
- sid_string_tos(sid));
+ dom_sid_str_buf(sid, &buf));
smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaPwdLastSet",
talloc_asprintf(talloc_tos(), "%li", (long int)time(NULL)));
smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
int rc;
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
- char *filter;
+ const char *filter;
int scope = LDAP_SCOPE_SUBTREE;
const char *attrs[] = { "sambaDomainName", "sambaSID", NULL };
int attrsonly = 0; /* 0: return values too */
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
- filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
- LDAP_OBJ_TRUSTDOM_PASSWORD);
+ filter = "(objectClass="LDAP_OBJ_TRUSTDOM_PASSWORD")";
rc = smbldap_search(ldap_state->smbldap_state,
ldap_state->domain_dn,
Housekeeping
*********************************************************************/
-static void free_private_data(void **vp)
+static void free_private_data(void **vp)
{
struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
}
/*********************************************************************
- Intitalise the parts of the pdb_methods structure that are common to
+ Intitalise the parts of the pdb_methods structure that are common to
all pdb_ldap modes
*********************************************************************/
nt_status = smbldap_init(*pdb_method, pdb_get_tevent_context(),
location, false, bind_dn, bind_secret,
&ldap_state->smbldap_state);
- memset(bind_secret, '\0', strlen(bind_secret));
- SAFE_FREE(bind_secret);
+ BURN_FREE_STR(bind_secret);
SAFE_FREE(bind_dn);
if ( !NT_STATUS_IS_OK(nt_status) ) {
return nt_status;
&secrets_domain_sid);
if (!found_sid || !dom_sid_equal(&secrets_domain_sid,
&ldap_domain_sid)) {
+ struct dom_sid_buf buf1, buf2;
DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain "
"%s based on pdb_ldap results %s -> %s\n",
ldap_state->domain_name,
- sid_string_dbg(&secrets_domain_sid),
- sid_string_dbg(&ldap_domain_sid)));
+ dom_sid_str_buf(&secrets_domain_sid, &buf1),
+ dom_sid_str_buf(&ldap_domain_sid, &buf2)));
/* reset secrets.tdb sid */
PDB_secrets_store_domain_sid(ldap_state->domain_name,
&ldap_domain_sid);
DEBUG(1, ("New global sam SID: %s\n",
- sid_string_dbg(get_global_sam_sid())));
+ dom_sid_str_buf(get_global_sam_sid(),
+ &buf1)));
}
sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
TALLOC_FREE(domain_sid_string);