#---------------------------------------------------------------------------
GENERATE_XML = NO
#---------------------------------------------------------------------------
-# Configuration options related to the preprocessor
+# configuration options related to the preprocessor
#---------------------------------------------------------------------------
ENABLE_PREPROCESSING = NO
MACRO_EXPANSION = NO
EXPAND_AS_DEFINED =
SKIP_FUNCTION_MACROS = YES
#---------------------------------------------------------------------------
-# Configuration::addtions related to external references
+# configuration::additions related to external references
#---------------------------------------------------------------------------
TAGFILES =
GENERATE_TAGFILE =
ALLEXTERNALS = NO
PERL_PATH = /usr/bin/perl
#---------------------------------------------------------------------------
-# Configuration options related to the dot tool
+# configuration options related to the dot tool
#---------------------------------------------------------------------------
HAVE_DOT = YES
CLASS_GRAPH = YES
GENERATE_LEGEND = YES
DOT_CLEANUP = YES
#---------------------------------------------------------------------------
-# Configuration::addtions related to the search engine
+# configuration::additions related to the search engine
#---------------------------------------------------------------------------
SEARCHENGINE = NO
CGI_NAME = search.cgi
LIBADS_OBJ = libads/ldap.o libads/ldap_printer.o libads/sasl.o \
libads/krb5_setpw.o libads/kerberos.o libads/ldap_user.o \
libads/ads_struct.o libads/ads_status.o \
- libads/disp_sec.o libads/ads_utils.o
+ libads/disp_sec.o libads/ads_utils.o libads/ldap_utils.o \
+ libads/ads_ldap.o
LIBADS_SERVER_OBJ = libads/util.o libads/kerberos_verify.o
if (!cli_send_tconX(c, sharename, "?????",
password, strlen(password)+1)) {
- d_printf("tree connect failed: %s\n", cli_errstr(c));
- cli_shutdown(c);
- return NULL;
+ pstring full_share;
+
+ /*
+ * Some servers require \\server\share for the share
+ * while others are happy with share as we gave above
+ * Lets see if we give it the long form if it works
+ */
+ pstrcpy(full_share, "\\\\");
+ pstrcat(full_share, server);
+ pstrcat(full_share, "\\");
+ pstrcat(full_share, sharename);
+ if (!cli_send_tconX(c, full_share, "?????", password,
+ strlen(password) + 1)) {
+
+ d_printf("tree connect failed: %s\n", cli_errstr(c));
+ cli_shutdown(c);
+ return NULL;
+ }
}
DEBUG(4,(" tconx ok\n"));
char *realm;
char *workgroup;
char *ldap_server;
+ char *ldap_uri;
int foreign; /* set to 1 if connecting to a foreign realm */
} server;
/* ads auth control flags */
-#define ADS_AUTH_DISABLE_KERBEROS 1
-#define ADS_AUTH_NO_BIND 2
+#define ADS_AUTH_DISABLE_KERBEROS 0x01
+#define ADS_AUTH_NO_BIND 0x02
+#define ADS_AUTH_ANON_BIND 0x04
+#define ADS_AUTH_SIMPLE_BIND 0x08
*
* @retval The number of bytes occupied by the string in the destination
**/
-int push_utf8_allocate(void **dest, const char *src)
+int push_utf8_allocate(char **dest, const char *src)
{
int src_len = strlen(src)+1;
*dest = NULL;
- return convert_string_allocate(CH_UNIX, CH_UTF8, src, src_len, dest);
+ return convert_string_allocate(CH_UNIX, CH_UTF8, src, src_len, (void **)dest);
}
/****************************************************************************
"Access-Checking" document in MSDN.
*****************************************************************************/
-BOOL se_access_check(SEC_DESC *sd, const NT_USER_TOKEN *token,
+BOOL se_access_check(const SEC_DESC *sd, const NT_USER_TOKEN *token,
uint32 acc_desired, uint32 *acc_granted,
NTSTATUS *status)
{
DOM_SID global_sid_World; /* Everyone */
DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */
DOM_SID global_sid_NT_Authority; /* NT Authority */
+DOM_SID global_sid_System; /* System */
DOM_SID global_sid_NULL; /* NULL sid */
DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */
DOM_SID global_sid_Network; /* Network rids */
anon_sid_array
};
+static DOM_SID system_sid_array[4];
+NT_USER_TOKEN system_token = {
+ 1,
+ system_sid_array
+};
+
/****************************************************************************
Lookup string names for SID types.
****************************************************************************/
void generate_wellknown_sids(void)
{
+ static BOOL initialised = False;
+ if (initialised)
+ return;
+
string_to_sid(&global_sid_Builtin, "S-1-5-32");
string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
string_to_sid(&global_sid_Creator_Group, "S-1-3-1");
string_to_sid(&global_sid_NT_Authority, "S-1-5");
+ string_to_sid(&global_sid_System, "S-1-5-18");
string_to_sid(&global_sid_NULL, "S-1-0-0");
string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
string_to_sid(&global_sid_Network, "S-1-5-2");
sid_copy( &anonymous_token.user_sids[0], &global_sid_World);
sid_copy( &anonymous_token.user_sids[1], &global_sid_Network);
sid_copy( &anonymous_token.user_sids[2], &global_sid_Anonymous);
+
+ /* Create the system token. */
+ sid_copy( &system_token.user_sids[0], &global_sid_System);
+
+ initialised = True;
+}
+
+NT_USER_TOKEN *get_system_token(void)
+{
+ generate_wellknown_sids(); /* The token is initialised here */
+ return &system_token;
}
/**************************************************************************
/*****************************************************************
Write a sid out into on-the-wire format.
*****************************************************************/
-BOOL sid_linearize(char *outbuf, size_t len, DOM_SID *sid)
+BOOL sid_linearize(char *outbuf, size_t len, const DOM_SID *sid)
{
size_t i;
/*****************************************************************
parse a on-the-wire SID to a DOM_SID
*****************************************************************/
-BOOL sid_parse(char *inbuf, size_t len, DOM_SID *sid)
+BOOL sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
{
int i;
if (len < 8) return False;
Calculates size of a sid.
*****************************************************************/
-size_t sid_size(DOM_SID *sid)
+size_t sid_size(const DOM_SID *sid)
{
if (sid == NULL)
return 0;
return the binary string representation of a DOM_SID
caller must free
*/
-char *sid_binstring(DOM_SID *sid)
+char *sid_binstring(const DOM_SID *sid)
{
char *buf, *s;
int len = sid_size(sid);
for(i = 0; i < len; i++) {
int val = (src[i] & 0xff);
- if(isupper(val) || islower(val) || isdigit(val) || strchr_m(other_safe_chars, val))
+ if (isupper(val) || islower(val) || isdigit(val) || strchr_m(other_safe_chars, val))
dest[i] = src[i];
else
dest[i] = '_';
like strncpy but copies up to the character marker. always null terminates.
returns a pointer to the character marker in the source string (src).
****************************************************************************/
-char *strncpyn(char *dest, const char *src,size_t n, char c)
+char *strncpyn(char *dest, const char *src, size_t n, char c)
{
char *p;
size_t str_len;
if (status.error_type == ADS_ERROR_NT){
return status.err.nt_status;
}
+#ifdef HAVE_LDAP
+ if ((status.error_type == ADS_ERROR_LDAP)
+ && (status.err.rc == LDAP_NO_MEMORY)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+#endif
if (ADS_ERR_OK(status)) return NT_STATUS_OK;
return NT_STATUS_UNSUCCESSFUL;
}
SAFE_FREE((*ads)->server.realm);
SAFE_FREE((*ads)->server.workgroup);
SAFE_FREE((*ads)->server.ldap_server);
+ SAFE_FREE((*ads)->server.ldap_uri);
SAFE_FREE((*ads)->auth.realm);
SAFE_FREE((*ads)->auth.password);
ads (active directory) utility library
Copyright (C) Stefan (metze) Metzmacher 2002
-
+ Copyright (C) Andrew Tridgell 2001
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
#include "includes.h"
-#ifdef HAVE_ADS
-
-
/*
translated the ACB_CTRL Flags to UserFlags (userAccountControl)
*/
return atype;
}
-#endif
+/* turn a sAMAccountType into a SID_NAME_USE */
+enum SID_NAME_USE ads_atype_map(uint32 atype)
+{
+ switch (atype & 0xF0000000) {
+ case ATYPE_GLOBAL_GROUP:
+ return SID_NAME_DOM_GRP;
+ case ATYPE_ACCOUNT:
+ return SID_NAME_USER;
+ default:
+ DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
+ }
+ return SID_NAME_UNKNOWN;
+}
#include "includes.h"
-#ifdef HAVE_ADS
-
static struct perm_mask_str {
uint32 mask;
char *str;
printf("-------------- End Of Security Descriptor\n");
}
-#endif
}
+/**
+ * Set the machine account password
+ * @param ads connection to ads server
+ * @param hostname machine whose password is being set
+ * @param password new password
+ * @return status of password change
+ **/
+ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
+ const char *hostname,
+ const char *password)
+{
+ ADS_STATUS status;
+ char *host = strdup(hostname);
+ char *principal;
+
+ strlower(host);
+
+ /*
+ we need to use the '$' form of the name here, as otherwise the
+ server might end up setting the password for a user instead
+ */
+ asprintf(&principal, "%s$@%s", host, ads->auth.realm);
+
+ status = krb5_set_password(ads->auth.kdc_server, principal, password, ads->auth.time_offset);
+
+ free(host);
+ free(principal);
+
+ return status;
+}
+
#endif
#include "includes.h"
-#ifdef HAVE_ADS
+#ifdef HAVE_LDAP
/**
* @file ldap.c
return True;
}
+/*
+ try a connection to a given ldap server, based on URL, returning True if successful
+ */
+static BOOL ads_try_connect_uri(ADS_STRUCT *ads)
+{
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+ DEBUG(5,("ads_try_connect: trying ldap server at URI '%s'\n",
+ ads->server.ldap_uri));
+
+
+ if (ldap_initialize((LDAP**)&(ads->ld), ads->server.ldap_uri) == LDAP_SUCCESS) {
+ return True;
+ }
+ DEBUG(0, ("ldap_initialize: %s\n", strerror(errno)));
+
+#else
+
+ DEBUG(1, ("no URL support in LDAP libs!\n"));
+#endif
+
+ return False;
+}
+
/* used by the IP comparison function */
struct ldap_ip {
struct in_addr ip;
ads->last_attempt = time(NULL);
ads->ld = NULL;
+ /* try with a URL based server */
+
+ if (ads->server.ldap_uri &&
+ ads_try_connect_uri(ads)) {
+ goto got_connection;
+ }
+
/* try with a user specified server */
if (ads->server.ldap_server &&
ads_try_connect(ads, ads->server.ldap_server, LDAP_PORT)) {
return ADS_SUCCESS;
}
+ if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
+ return ADS_ERROR(ldap_simple_bind_s( ads->ld, NULL, NULL));
+ }
+
+ if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) {
+ return ADS_ERROR(ldap_simple_bind_s( ads->ld, ads->auth.user_name, ads->auth.password));
+ }
+
return ads_sasl_bind(ads);
}
/* the easiest way to find a machine account anywhere in the tree
is to look for hostname$ */
- asprintf(&exp, "(samAccountName=%s$)", host);
+ if (asprintf(&exp, "(samAccountName=%s$)", host) == -1) {
+ DEBUG(1, ("asprintf failed!\n"));
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
status = ads_search(ads, res, exp, attrs);
free(exp);
return status;
controls[0] = &PermitModify;
controls[1] = NULL;
- push_utf8_allocate((void **) &utf8_dn, mod_dn);
+ if (push_utf8_allocate(&utf8_dn, mod_dn) == -1) {
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
/* find the end of the list, marked by NULL or -1 */
for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
/* make sure the end of the list is NULL */
mods[i] = NULL;
- ret = ldap_modify_ext_s(ads->ld, utf8_dn ? utf8_dn : mod_dn,
+ ret = ldap_modify_ext_s(ads->ld, utf8_dn,
(LDAPMod **) mods, controls, NULL);
SAFE_FREE(utf8_dn);
return ADS_ERROR(ret);
int ret, i;
char *utf8_dn = NULL;
- push_utf8_allocate((void **) &utf8_dn, new_dn);
+ if (push_utf8_allocate(&utf8_dn, new_dn) == -1) {
+ DEBUG(1, ("ads_gen_add: push_utf8_allocate failed!"));
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
/* find the end of the list, marked by NULL or -1 */
for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
{
int ret;
char *utf8_dn = NULL;
- push_utf8_allocate((void **) &utf8_dn, del_dn);
+ if (push_utf8_allocate(&utf8_dn, del_dn) == -1) {
+ DEBUG(1, ("ads_del_dn: push_utf8_allocate failed!"));
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
ret = ldap_delete(ads->ld, utf8_dn ? utf8_dn : del_dn);
return ADS_ERROR(ret);
}
if (!(host_upn = talloc_asprintf(ctx, "%s@%s", host_spn, ads->config.realm)))
goto done;
ou_str = ads_ou_string(org_unit);
+ if (!ou_str) {
+ DEBUG(1, ("ads_ou_string returned NULL (malloc failure?)\n"));
+ goto done;
+ }
new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", hostname, ou_str,
ads->config.bind_path);
free(ou_str);
const char *attrs[] = {"ntSecurityDescriptor", "objectSid", 0};
char *exp = 0;
size_t sd_size = 0;
- struct berval **bvals = 0;
struct berval bval = {0, NULL};
- prs_struct ps;
prs_struct ps_wire;
LDAPMessage *res = 0;
ret = ADS_ERROR(LDAP_SUCCESS);
- asprintf(&exp, "(samAccountName=%s$)", hostname);
+ if (asprintf(&exp, "(samAccountName=%s$)", hostname) == -1) {
+ DEBUG(1, ("ads_set_machine_sd: asprintf failed!\n"));
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
ret = ads_search(ads, (void *) &res, exp, attrs);
if (!ADS_ERR_OK(ret)) return ret;
msg = ads_first_entry(ads, res);
- bvals = ldap_get_values_len(ads->ld, msg, attrs[0]);
ads_pull_sid(ads, msg, attrs[1], &sid);
- ads_msgfree(ads, res);
-#if 0
- file_save("/tmp/sec_desc.old", bvals[0]->bv_val, bvals[0]->bv_len);
-#endif
- if (!(ctx = talloc_init_named("sec_io_desc")))
- return ADS_ERROR(LDAP_NO_MEMORY);
-
- prs_init(&ps, bvals[0]->bv_len, ctx, UNMARSHALL);
- prs_append_data(&ps, bvals[0]->bv_val, bvals[0]->bv_len);
- ps.data_offset = 0;
- ldap_value_free_len(bvals);
+ if (!(ctx = talloc_init_named("sec_io_desc"))) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto ads_set_sd_error;
+ }
- if (!sec_io_desc("sd", &psd, &ps, 1))
+ if (!ads_pull_sd(ads, ctx, msg, attrs[0], &psd)) {
+ ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
goto ads_set_sd_error;
+ }
status = sec_desc_add_sid(ctx, &psd, &sid, SEC_RIGHTS_FULL_CTRL, &sd_size);
- if (!NT_STATUS_IS_OK(status))
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = ADS_ERROR_NT(status);
goto ads_set_sd_error;
+ }
prs_init(&ps_wire, sd_size, ctx, MARSHALL);
- if (!sec_io_desc("sd_wire", &psd, &ps_wire, 1))
+ if (!sec_io_desc("sd_wire", &psd, &ps_wire, 1)) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
goto ads_set_sd_error;
+ }
#if 0
file_save("/tmp/sec_desc.new", ps_wire.data_p, sd_size);
ads_mod_ber(ctx, &mods, attrs[0], &bval);
ret = ads_gen_mod(ads, dn, mods);
- prs_mem_free(&ps);
- prs_mem_free(&ps_wire);
- talloc_destroy(ctx);
- return ret;
-
ads_set_sd_error:
- prs_mem_free(&ps);
+ ads_msgfree(ads, res);
prs_mem_free(&ps_wire);
talloc_destroy(ctx);
- return ADS_ERROR(LDAP_NO_MEMORY);
-}
-
-/**
- * Set the machine account password
- * @param ads connection to ads server
- * @param hostname machine whose password is being set
- * @param password new password
- * @return status of password change
- **/
-ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
- const char *hostname,
- const char *password)
-{
- ADS_STATUS status;
- char *host = strdup(hostname);
- char *principal;
-
- strlower(host);
-
- /*
- we need to use the '$' form of the name here, as otherwise the
- server might end up setting the password for a user instead
- */
- asprintf(&principal, "%s$@%s", host, ads->auth.realm);
-
- status = krb5_set_password(ads->auth.kdc_server, principal, password, ads->auth.time_offset);
-
- free(host);
- free(principal);
-
- return status;
+ return ret;
}
/**
return count;
}
+/**
+ * pull a SEC_DESC from a ADS result
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX for allocating sid array
+ * @param msg Results of search
+ * @param field Attribute to retrieve
+ * @param sd Pointer to *SEC_DESC to store result (talloc()ed)
+ * @return boolean inidicating success
+*/
+BOOL ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ void *msg, const char *field, SEC_DESC **sd)
+{
+ struct berval **values;
+ prs_struct ps;
+ BOOL ret = False;
+
+ values = ldap_get_values_len(ads->ld, msg, field);
+
+ if (!values) return False;
+
+ if (values[0]) {
+ prs_init(&ps, values[0]->bv_len, mem_ctx, UNMARSHALL);
+ prs_append_data(&ps, values[0]->bv_val, values[0]->bv_len);
+ ps.data_offset = 0;
+
+ ret = sec_io_desc("sd", sd, &ps, 1);
+ }
+
+ ldap_value_free_len(values);
+ return ret;
+}
+
+/*
+ * in order to support usernames longer than 21 characters we need to
+ * use both the sAMAccountName and the userPrincipalName attributes
+ * It seems that not all users have the userPrincipalName attribute set
+ *
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX for allocating sid array
+ * @param msg Results of search
+ * @return the username
+ */
+char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, void *msg)
+{
+ char *ret, *p;
+
+ ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName");
+ if (ret && (p = strchr(ret, '@'))) {
+ *p = 0;
+ return ret;
+ }
+ return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
+}
+
/**
* find the update serial number - this is the core of the ldap cache
ads->config.realm = strdup(p+2);
ads->config.bind_path = ads_build_dn(ads->config.realm);
- DEBUG(3,("got ldap server name %s@%s\n",
- ads->config.ldap_server_name, ads->config.realm));
+ DEBUG(3,("got ldap server name %s@%s, using bind path: %s\n",
+ ads->config.ldap_server_name, ads->config.realm,
+ ads->config.bind_path));
ads->config.current_time = ads_parse_time(timestr);
#include "includes.h"
-#ifdef HAVE_ADS
+#ifdef HAVE_LDAP
/*
perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can
}
DEBUG(3,("got principal=%s\n", principal));
+#ifdef HAVE_KRB5
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
got_kerberos_mechanism && ads_kinit_password(ads) == 0) {
return ads_sasl_spnego_krb5_bind(ads, principal);
}
+#endif
/* lets do NTLMSSP ... this has the big advantage that we don't need
to sync clocks, and we don't rely on special versions of the krb5
static char *primary_realm;
-/*
- a wrapper around ldap_search_s that retries depending on the error code
- this is supposed to catch dropped connections and auto-reconnect
-*/
-ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
- const char *exp,
- const char **attrs, void **res)
-{
- ADS_STATUS status;
- int count = 3;
- char *bp;
-
- if (!ads->ld &&
- time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) {
- return ADS_ERROR(LDAP_SERVER_DOWN);
- }
-
- bp = strdup(bind_path);
-
- while (count--) {
- status = ads_do_search_all(ads, bp, scope, exp, attrs, res);
- if (ADS_ERR_OK(status)) {
- DEBUG(5,("Search for %s gave %d replies\n",
- exp, ads_count_replies(ads, *res)));
- free(bp);
- return status;
- }
-
- if (*res) ads_msgfree(ads, *res);
- *res = NULL;
- DEBUG(3,("Reopening ads connection to realm '%s' after error %s\n",
- ads->config.realm, ads_errstr(status)));
- if (ads->ld) {
- ldap_unbind(ads->ld);
- }
- ads->ld = NULL;
- status = ads_connect(ads);
- if (!ADS_ERR_OK(status)) {
- DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n",
- ads_errstr(status)));
- ads_destroy(&ads);
- free(bp);
- return status;
- }
- }
- free(bp);
-
- DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(status)));
- return status;
-}
-
-
-ADS_STATUS ads_search_retry(ADS_STRUCT *ads, void **res,
- const char *exp,
- const char **attrs)
-{
- return ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
- exp, attrs, res);
-}
-
-ADS_STATUS ads_search_retry_dn(ADS_STRUCT *ads, void **res,
- const char *dn,
- const char **attrs)
-{
- return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE,
- "(objectclass=*)", attrs, res);
-}
-
/*
return our ads connections structure for a domain. We keep the connection
open to make things faster
sid_append_rid(sid, rid);
}
-/* turn a sAMAccountType into a SID_NAME_USE */
-static enum SID_NAME_USE ads_atype_map(uint32 atype)
-{
- switch (atype & 0xF0000000) {
- case ATYPE_GLOBAL_GROUP:
- return SID_NAME_DOM_GRP;
- case ATYPE_ACCOUNT:
- return SID_NAME_USER;
- default:
- DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
- }
- return SID_NAME_UNKNOWN;
-}
-
-/*
- in order to support usernames longer than 21 characters we need to
- use both the sAMAccountName and the userPrincipalName attributes
- It seems that not all users have the userPrincipalName attribute set
-*/
-static char *pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, void *msg)
-{
- char *ret, *p;
-
- ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName");
- if (ret && (p = strchr(ret, '@'))) {
- *p = 0;
- return ret;
- }
- return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
-}
-
/* Query display info for a realm. This is the basic user list fn */
static NTSTATUS query_user_list(struct winbindd_domain *domain,
continue;
}
- name = pull_username(ads, mem_ctx, msg);
+ name = ads_pull_username(ads, mem_ctx, msg);
gecos = ads_pull_string(ads, mem_ctx, msg, "name");
if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
DEBUG(1,("No sid for %s !?\n", name));
&account_type) ||
!(account_type & ATYPE_GLOBAL_GROUP)) continue;
- name = pull_username(ads, mem_ctx, msg);
+ name = ads_pull_username(ads, mem_ctx, msg);
gecos = ads_pull_string(ads, mem_ctx, msg, "name");
if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
DEBUG(1,("No sid for %s !?\n", name));
return status;
}
-
/* convert a single name to a sid in a domain */
static NTSTATUS name_to_sid(struct winbindd_domain *domain,
const char *name,
DOM_SID *sid,
enum SID_NAME_USE *type)
{
- ADS_STRUCT *ads = NULL;
- const char *attrs[] = {"objectSid", "sAMAccountType", NULL};
- int count;
- ADS_STATUS rc;
- void *res = NULL;
- char *exp;
- uint32 t;
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ ADS_STRUCT *ads;
DEBUG(3,("ads: name_to_sid\n"));
ads = ads_cached_connection(domain);
- if (!ads) goto done;
-
- /* accept either the win2000 or the pre-win2000 username */
- asprintf(&exp, "(|(sAMAccountName=%s)(userPrincipalName=%s@%s))",
- name, name, ads->config.realm);
- rc = ads_search_retry(ads, &res, exp, attrs);
- free(exp);
- if (!ADS_ERR_OK(rc)) {
- DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc)));
- goto done;
- }
+ if (!ads)
+ return NT_STATUS_UNSUCCESSFUL;
- count = ads_count_replies(ads, res);
- if (count != 1) {
- DEBUG(1,("name_to_sid: %s not found\n", name));
- goto done;
- }
-
- if (!ads_pull_sid(ads, res, "objectSid", sid)) {
- DEBUG(1,("No sid for %s !?\n", name));
- goto done;
- }
-
- if (!ads_pull_uint32(ads, res, "sAMAccountType", &t)) {
- DEBUG(1,("No sAMAccountType for %s !?\n", name));
- goto done;
- }
-
- *type = ads_atype_map(t);
-
- status = NT_STATUS_OK;
-
- DEBUG(3,("ads name_to_sid mapped %s\n", name));
-
-done:
- if (res) ads_msgfree(ads, res);
-
- return status;
+ return ads_name_to_sid(ads, name, sid, type);
}
/* convert a sid to a user or group name */
enum SID_NAME_USE *type)
{
ADS_STRUCT *ads = NULL;
- const char *attrs[] = {"userPrincipalName",
- "sAMAccountName",
- "sAMAccountType", NULL};
- ADS_STATUS rc;
- void *msg = NULL;
- char *exp;
- char *sidstr;
- uint32 atype;
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
-
DEBUG(3,("ads: sid_to_name\n"));
-
ads = ads_cached_connection(domain);
- if (!ads) goto done;
-
- sidstr = sid_binstring(sid);
- asprintf(&exp, "(objectSid=%s)", sidstr);
- rc = ads_search_retry(ads, &msg, exp, attrs);
- free(exp);
- free(sidstr);
- if (!ADS_ERR_OK(rc)) {
- DEBUG(1,("sid_to_name ads_search: %s\n", ads_errstr(rc)));
- goto done;
- }
-
- if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
- goto done;
- }
-
- *name = pull_username(ads, mem_ctx, msg);
- *type = ads_atype_map(atype);
-
- status = NT_STATUS_OK;
-
- DEBUG(3,("ads sid_to_name mapped %s\n", *name));
-
-done:
- if (msg) ads_msgfree(ads, msg);
+ if (!ads)
+ return NT_STATUS_UNSUCCESSFUL;
- return status;
+ return ads_sid_to_name(ads, mem_ctx, sid, name, type);
}
goto failed;
}
- (*name) = pull_username(ads, mem_ctx, res);
+ (*name) = ads_pull_username(ads, mem_ctx, res);
if (!ads_pull_uint32(ads, res, "sAMAccountType", &atype)) {
goto failed;
goto done;
}
- info->acct_name = pull_username(ads, mem_ctx, msg);
+ info->acct_name = ads_pull_username(ads, mem_ctx, msg);
info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
DEBUG(1,("No sid for %d !?\n", user_rid));
/* well-known aliases */
if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) {
- enum_group_mapping(SID_NAME_ALIAS, &map, (int *)&num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV);
+ enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV);
if (num_entries != 0) {
*d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP));
!sid_check_is_in_builtin(&sid))
return NT_STATUS_OBJECT_TYPE_MISMATCH;
- if (!get_local_group_from_sid(sid, &map, MAPPING_WITHOUT_PRIV))
+ if (!get_group_map_from_sid(sid, &map, MAPPING_WITHOUT_PRIV))
return NT_STATUS_NO_SUCH_ALIAS;
switch (q_u->switch_level) {
return WERR_BADFID;
}
- if (del_a_printer(Printer->dev.handlename) != 0) {
- DEBUG(3,("Error deleting printer %s\n", Printer->dev.handlename));
- return WERR_BADFID;
- }
-
/*
* It turns out that Windows allows delete printer on a handle
* opened by an admin user, then used on a pipe handle created
}
#endif
+ if (del_a_printer(Printer->dev.handlename) != 0) {
+ DEBUG(3,("Error deleting printer %s\n", Printer->dev.handlename));
+ return WERR_BADFID;
+ }
+
if (*lp_deleteprinter_cmd()) {
char *cmd = lp_deleteprinter_cmd();
Copyright (C) Andrew Tridgell 2002
Copyright (C) Tim Potter 2001,2002
+ Modified by Volker Lendecke 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
static NTSTATUS
sam_account_from_delta(SAM_ACCOUNT *account, SAM_ACCOUNT_INFO *delta)
{
- DOM_SID sid;
fstring s;
uchar lm_passwd[16], nt_passwd[16];
/* User and group sid */
- sid_copy(&sid, get_global_sam_sid());
- sid_append_rid(&sid, delta->user_rid);
- pdb_set_user_sid(account, &sid);
-
- sid_copy(&sid, get_global_sam_sid());
- sid_append_rid(&sid, delta->group_rid);
- pdb_set_group_sid(account, &sid);
+ pdb_set_user_sid_from_rid(account, delta->user_rid);
+ pdb_set_group_sid_from_rid(account, delta->group_rid);
/* Logon and password information */
fstring sid_string;
GROUP_MAP map;
int flag = TDB_INSERT;
- gid_t gid;
unistr2_to_ascii(name, &delta->uni_grp_name, sizeof(name)-1);
unistr2_to_ascii(comment, &delta->uni_grp_desc, sizeof(comment)-1);
- if ((grp = getgrnam(name)) == NULL)
- smb_create_group(name, &gid);
-
- if ((grp = getgrgid(gid)) == NULL)
- return NT_STATUS_ACCESS_DENIED;
-
/* add the group to the mapping table */
sid_copy(&group_sid, get_global_sam_sid());
sid_append_rid(&group_sid, rid);
if (grp == NULL)
{
- gid_t new_gid;
+ gid_t gid;
+
/* No group found from mapping, find it from its name. */
if ((grp = getgrnam(name)) == NULL) {
/* No appropriate group found, create one */
d_printf("Creating unix group: '%s'\n", name);
- if (smb_create_group(name, &new_gid) != 0)
+ if (smb_create_group(name, &gid) != 0)
+ return NT_STATUS_ACCESS_DENIED;
+ if ((grp = getgrgid(gid)) == NULL)
return NT_STATUS_ACCESS_DENIED;
}
-
- if ((grp = getgrgid(new_gid)) == NULL)
- return NT_STATUS_ACCESS_DENIED;
}
map.gid = grp->gr_gid;
}
if (grp == NULL) {
- gid_t new_gid;
+ gid_t gid;
+
/* No group found from mapping, find it from its name. */
if ((grp = getgrnam(name)) == NULL) {
/* No appropriate group found, create one */
d_printf("Creating unix group: '%s'\n", name);
- if (smb_create_group(name, &new_gid) != 0)
+ if (smb_create_group(name, &gid) != 0)
+ return NT_STATUS_ACCESS_DENIED;
+ if ((grp = getgrgid(gid)) == NULL)
return NT_STATUS_ACCESS_DENIED;
}
-
- if ((grp = getgrgid(new_gid)) == NULL)
- return NT_STATUS_ACCESS_DENIED;
}
map.gid = grp->gr_gid;
map.sid = alias_sid;
- map.sid_name_use = SID_NAME_ALIAS;
+
+ if (sid_equal(&dom_sid, &global_sid_Builtin))
+ map.sid_name_use = SID_NAME_WKN_GRP;
+ else
+ map.sid_name_use = SID_NAME_ALIAS;
fstrcpy(map.nt_name, name);
fstrcpy(map.comment, comment);
git.samba.org / sfrench / samba-autobuild / .git / commitdiff