r13316: Let the carnage begin....
authorGerald Carter <jerry@samba.org>
Fri, 3 Feb 2006 22:19:41 +0000 (22:19 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 16:06:23 +0000 (11:06 -0500)
Sync with trunk as off r13315

185 files changed:
source/Makefile.in
source/auth/auth.c
source/auth/auth_builtin.c
source/auth/auth_compat.c
source/auth/auth_domain.c
source/auth/auth_ntlmssp.c
source/auth/auth_rhosts.c
source/auth/auth_sam.c
source/auth/auth_script.c
source/auth/auth_server.c
source/auth/auth_unix.c
source/auth/auth_util.c
source/auth/auth_winbind.c
source/configure.in
source/groupdb/mapping.c
source/include/ads.h
source/include/auth.h
source/include/doserr.h
source/include/event.h [new file with mode: 0644]
source/include/gpo.h [new file with mode: 0644]
source/include/idmap.h
source/include/includes.h
source/include/local.h
source/include/messages.h
source/include/nt_status.h
source/include/passdb.h
source/include/rpc_dfs.h
source/include/rpc_lsa.h
source/include/rpc_netlogon.h
source/include/rpc_samr.h
source/include/secrets.h
source/include/smb.h
source/include/smbldap.h
source/intl/lang_tdb.c
source/lib/dummysmbd.c
source/lib/events.c [new file with mode: 0644]
source/lib/genrand.c
source/lib/messages.c
source/lib/pam_errors.c
source/lib/pidfile.c
source/lib/readline.c
source/lib/secdesc.c
source/lib/sharesec.c [new file with mode: 0644]
source/lib/smbldap.c
source/lib/smbldap_util.c
source/lib/system_smbd.c
source/lib/username.c
source/lib/util.c
source/lib/util_file.c
source/lib/util_pw.c
source/lib/util_sid.c
source/lib/util_str.c
source/lib/util_unistr.c
source/libads/gpo.c [new file with mode: 0644]
source/libads/gpo_util.c [new file with mode: 0644]
source/libads/kerberos.c
source/libads/krb5_errs.c [new file with mode: 0644]
source/libads/krb5_setpw.c
source/libads/ldap.c
source/libads/sasl.c
source/libmsrpc/cac_lsarpc.c
source/libsmb/cliconnect.c
source/libsmb/clidfs.c
source/libsmb/clientgen.c
source/libsmb/clikrb5.c
source/libsmb/clilist.c
source/libsmb/clispnego.c
source/libsmb/conncache.c
source/libsmb/errormap.c
source/libsmb/gpo.c [new file with mode: 0644]
source/libsmb/libsmbclient.c
source/libsmb/passchange.c
source/nsswitch/pam_winbind.c
source/nsswitch/pam_winbind.h
source/nsswitch/wb_client.c
source/nsswitch/wbinfo.c
source/nsswitch/winbindd.c
source/nsswitch/winbindd.h
source/nsswitch/winbindd_ads.c
source/nsswitch/winbindd_cache.c
source/nsswitch/winbindd_cm.c
source/nsswitch/winbindd_cred_cache.c [new file with mode: 0644]
source/nsswitch/winbindd_creds.c [new file with mode: 0644]
source/nsswitch/winbindd_dual.c
source/nsswitch/winbindd_group.c
source/nsswitch/winbindd_misc.c
source/nsswitch/winbindd_nss.h
source/nsswitch/winbindd_pam.c
source/nsswitch/winbindd_passdb.c
source/nsswitch/winbindd_reconnect.c
source/nsswitch/winbindd_rpc.c
source/nsswitch/winbindd_sid.c
source/nsswitch/winbindd_user.c
source/nsswitch/winbindd_util.c
source/pam_smbpass/pam_smb_auth.c
source/pam_smbpass/pam_smb_passwd.c
source/pam_smbpass/support.c
source/param/loadparm.c
source/param/params.c
source/passdb/lookup_sid.c
source/passdb/machine_sid.c
source/passdb/passdb.c
source/passdb/pdb_get_set.c
source/passdb/pdb_interface.c
source/passdb/pdb_ldap.c
source/passdb/pdb_nds.c
source/passdb/pdb_smbpasswd.c
source/passdb/pdb_tdb.c
source/passdb/secrets.c
source/passdb/util_builtin.c
source/passdb/util_unixsids.c [new file with mode: 0644]
source/passdb/util_wellknown.c
source/printing/nt_printing.c
source/printing/print_generic.c
source/python/py_lsa.c
source/rpc_client/cli_dfs.c
source/rpc_client/cli_lsarpc.c
source/rpc_client/cli_netlogon.c
source/rpc_client/cli_pipe.c
source/rpc_client/cli_samr.c
source/rpc_parse/parse_dfs.c
source/rpc_parse/parse_lsa.c
source/rpc_parse/parse_net.c
source/rpc_parse/parse_prs.c
source/rpc_parse/parse_rpc.c
source/rpc_parse/parse_samr.c
source/rpc_server/srv_dfs.c
source/rpc_server/srv_dfs_nt.c
source/rpc_server/srv_lsa_nt.c
source/rpc_server/srv_netlog_nt.c
source/rpc_server/srv_pipe.c
source/rpc_server/srv_pipe_hnd.c
source/rpc_server/srv_samr_nt.c
source/rpc_server/srv_spoolss_nt.c
source/rpc_server/srv_srvsvc_nt.c
source/rpcclient/cmd_dfs.c
source/rpcclient/cmd_lsarpc.c
source/rpcclient/cmd_samr.c
source/sam/idmap.c
source/sam/idmap_ad.c
source/sam/idmap_ldap.c
source/sam/idmap_rid.c
source/sam/idmap_smbldap.c
source/sam/idmap_tdb.c
source/sam/idmap_util.c
source/script/installman.sh
source/script/installswat.sh
source/smbd/chgpasswd.c
source/smbd/conn.c
source/smbd/lanman.c
source/smbd/msdfs.c
source/smbd/ntquotas.c
source/smbd/nttrans.c
source/smbd/open.c
source/smbd/password.c
source/smbd/posix_acls.c
source/smbd/process.c
source/smbd/sec_ctx.c
source/smbd/server.c
source/smbd/service.c
source/smbd/sesssetup.c
source/smbd/share_access.c [new file with mode: 0644]
source/smbd/uid.c
source/utils/net.c
source/utils/net.h
source/utils/net_ads_gpo.c [new file with mode: 0644]
source/utils/net_groupmap.c
source/utils/net_help.c
source/utils/net_lookup.c
source/utils/net_rpc.c
source/utils/net_rpc_rights.c
source/utils/net_rpc_samsync.c
source/utils/net_rpc_shell.c [new file with mode: 0644]
source/utils/net_sam.c [new file with mode: 0644]
source/utils/net_usershare.c [new file with mode: 0644]
source/utils/net_util.c [new file with mode: 0644]
source/utils/netlookup.c [new file with mode: 0644]
source/utils/ntlm_auth.c
source/utils/pdbedit.c
source/utils/smbcacls.c
source/utils/smbcontrol.c
source/utils/smbcquotas.c
source/utils/smbpasswd.c
source/web/cgi.c
source/web/swat.c

index 6c182a6e41ac502aa451880bad52f9f26744d6d2..281d58f23d087ddde96053221e58c22579706252 100644 (file)
@@ -134,7 +134,7 @@ BIN_PROGS2 = bin/smbcontrol@EXEEXT@ bin/smbtree@EXEEXT@ bin/tdbbackup@EXEEXT@ \
        bin/tdbtool@EXEEXT@
 BIN_PROGS3 = bin/smbpasswd@EXEEXT@ bin/rpcclient@EXEEXT@ bin/smbcacls@EXEEXT@ \
        bin/profiles@EXEEXT@ bin/ntlm_auth@EXEEXT@ \
-       bin/smbcquotas@EXEEXT@ bin/eventlogadm@EXEEXT@
+       bin/smbcquotas@EXEEXT@ bin/eventlogadm@EXEEXT@ 
 
 TORTURE_PROGS = bin/smbtorture@EXEEXT@ bin/msgtest@EXEEXT@ \
        bin/masktest@EXEEXT@ bin/locktest@EXEEXT@ \
@@ -207,8 +207,9 @@ LIB_OBJ = $(VERSION_OBJ) lib/charcnv.o lib/debug.o lib/fault.o \
          nsswitch/wb_client.o $(WBCOMMON_OBJ) \
          lib/pam_errors.o intl/lang_tdb.o \
          lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \
-         lib/module.o lib/ldap_escape.o @CHARSET_STATIC@ \
-         lib/secdesc.o lib/secace.o lib/secacl.o @SOCKWRAP@
+         lib/module.o lib/events.o lib/ldap_escape.o @CHARSET_STATIC@ \
+         lib/secdesc.o lib/util_seaccess.o lib/secace.o lib/secacl.o @SOCKWRAP@ \
+         libads/krb5_errs.o
 
 LIB_DUMMY_OBJ = lib/dummysmbd.o lib/dummyroot.o
 LIB_NONSMBD_OBJ = $(LIB_OBJ) $(LIB_DUMMY_OBJ)
@@ -219,7 +220,7 @@ READLINE_OBJ = lib/readline.o
 # Be sure to include them into your application
 POPT_LIB_OBJ = lib/popt_common.o 
 
-PARAM_OBJ = dynconfig.o param/loadparm.o param/params.o
+PARAM_OBJ = dynconfig.o param/loadparm.o param/params.o lib/sharesec.o
 
 KRBCLIENT_OBJ = libads/kerberos.o libads/ads_status.o 
 
@@ -244,12 +245,11 @@ LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o libsmb/clifile.o \
             libsmb/clirap.o libsmb/clierror.o libsmb/climessage.o \
             libsmb/clireadwrite.o libsmb/clilist.o libsmb/cliprint.o \
             libsmb/clitrans.o libsmb/clisecdesc.o libsmb/clidgram.o \
-            libsmb/clistr.o lib/util_seaccess.o \
-            libsmb/cliquota.o libsmb/clifsinfo.o libsmb/clidfs.o \
+            libsmb/clistr.o libsmb/cliquota.o libsmb/clifsinfo.o libsmb/clidfs.o \
              libsmb/smberr.o libsmb/credentials.o libsmb/pwd_cache.o \
             libsmb/clioplock.o $(ERRORMAP_OBJ) libsmb/clirap2.o \
             $(DOSERR_OBJ) \
-            $(RPC_PARSE_OBJ1) $(LIBSAMBA_OBJ) $(LIBNMB_OBJ) 
+            $(RPC_PARSE_OBJ1) $(LIBSAMBA_OBJ) $(LIBNMB_OBJ)
 
 LIBMSRPC_OBJ = rpc_client/cli_lsarpc.o rpc_client/cli_samr.o \
               rpc_client/cli_netlogon.o rpc_client/cli_srvsvc.o \
@@ -324,7 +324,7 @@ PASSDB_GET_SET_OBJ = passdb/pdb_get_set.o
 
 PASSDB_OBJ = $(PASSDB_GET_SET_OBJ) passdb/passdb.o passdb/pdb_interface.o \
                passdb/util_wellknown.o passdb/util_builtin.o passdb/pdb_compat.o \
-               passdb/lookup_sid.o \
+               passdb/util_unixsids.o passdb/lookup_sid.o \
                passdb/login_cache.o @PDB_STATIC@ passdb/pdb_sql.o \
                lib/system_smbd.o lib/account_pol.o lib/privileges.o
 
@@ -390,7 +390,8 @@ BUILDOPT_OBJ = smbd/build_options.o
 
 SMBD_OBJ_SRV = smbd/files.o smbd/chgpasswd.o smbd/connection.o \
               smbd/utmp.o smbd/session.o \
-               smbd/dfree.o smbd/dir.o smbd/password.o smbd/conn.o smbd/fileio.o \
+               smbd/dfree.o smbd/dir.o smbd/password.o smbd/conn.o \
+              smbd/share_access.o smbd/fileio.o \
                smbd/ipc.o smbd/lanman.o smbd/negprot.o \
                smbd/message.o smbd/nttrans.o smbd/pipes.o \
                smbd/reply.o smbd/sesssetup.o smbd/trans2.o smbd/uid.o \
@@ -462,12 +463,13 @@ SMBSH_OBJ = smbwrapper/smbsh.o smbwrapper/shared.o \
 
 STATUS_OBJ = utils/status.o $(LOCKING_OBJ) $(PARAM_OBJ) \
              $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
-            $(SECRETS_OBJ) $(LIBSAMBA_OBJ) $(ERRORMAP_OBJ) 
+            $(SECRETS_OBJ) $(LIBSAMBA_OBJ) $(ERRORMAP_OBJ) $(RPC_PARSE_OBJ1) \
+             $(DOSERR_OBJ)
              
 
 SMBCONTROL_OBJ = utils/smbcontrol.o $(LOCKING_OBJ) $(PARAM_OBJ) \
        $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
-       $(SECRETS_OBJ) $(LIBSAMBA_OBJ) \
+       $(SECRETS_OBJ) $(LIBSAMBA_OBJ) $(RPC_PARSE_OBJ1) $(DOSERR_OBJ) \
        $(PRINTBASE_OBJ) $(ERRORMAP_OBJ)
 
 SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
@@ -476,16 +478,16 @@ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
 
 TESTPARM_OBJ = utils/testparm.o \
                $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
-              $(SECRETS_OBJ) $(LIBSAMBA_OBJ)
+              $(SECRETS_OBJ) $(LIBSAMBA_OBJ) $(RPC_PARSE_OBJ1) $(DOSERR_OBJ)
 
 SMBPASSWD_OBJ = utils/smbpasswd.o $(PASSCHANGE_OBJ) $(PARAM_OBJ) $(SECRETS_OBJ) \
                $(LIBSMB_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ)\
-                $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) \
+                $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) \
                $(SMBLDAP_OBJ) $(RPC_PARSE_OBJ) $(LIBMSRPC_OBJ)
 
 PDBEDIT_OBJ = utils/pdbedit.o $(PARAM_OBJ) $(PASSDB_OBJ) $(LIBSAMBA_OBJ) \
                $(LIB_NONSMBD_OBJ) $(GROUPDB_OBJ) $(SECRETS_OBJ) \
-               $(POPT_LIB_OBJ) $(SMBLDAP_OBJ) libsmb/asn1.o
+               $(POPT_LIB_OBJ) $(SMBLDAP_OBJ) libsmb/asn1.o $(RPC_PARSE_OBJ1) $(DOSERR_OBJ)
 
 SMBGET_OBJ = utils/smbget.o $(POPT_LIB_OBJ) $(LIBSMBCLIENT_OBJ)
 
@@ -504,9 +506,12 @@ RPCCLIENT_OBJ = $(RPCCLIENT_OBJ1) \
             $(LIBADS_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) \
             $(SMBLDAP_OBJ) $(DCUTIL_OBJ)
 
-PAM_WINBIND_PICOBJ = nsswitch/pam_winbind.@PICSUFFIX@ \
-       nsswitch/wb_common.@PICSUFFIX@ lib/replace1.@PICSUFFIX@ \
-       lib/snprintf.@PICSUFFIX@
+PAM_WINBIND_OBJ = nsswitch/pam_winbind.o \
+                 $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ1) \
+                 $(LIBSAMBA_OBJ) $(DOSERR_OBJ)
+
+PAM_WINBIND_PICOBJ = $(PAM_WINBIND_OBJ:.o=.@PICSUFFIX@)
+
 
 SMBW_OBJ1 = smbwrapper/smbw.o \
                smbwrapper/smbw_dir.o smbwrapper/smbw_stat.o \
@@ -561,7 +566,9 @@ NET_OBJ1 = utils/net.o utils/net_ads.o utils/net_ads_cldap.o utils/net_help.o \
           utils/net_rpc_join.o utils/net_time.o utils/net_lookup.o \
           utils/net_cache.o utils/net_groupmap.o utils/net_idmap.o \
           utils/net_status.o utils/net_rpc_printer.o utils/net_rpc_rights.o \
-          utils/net_rpc_service.o utils/net_rpc_registry.o 
+          utils/net_rpc_service.o utils/net_rpc_registry.o utils/net_usershare.o \
+          utils/netlookup.o utils/net_sam.o utils/net_rpc_shell.o \
+          utils/net_util.o
 
 NET_OBJ = $(NET_OBJ1) $(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
          $(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
@@ -569,7 +576,7 @@ NET_OBJ = $(NET_OBJ1) $(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
          $(LIBMSRPC_OBJ) $(IDMAP_OBJ) \
          $(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) $(POPT_LIB_OBJ) \
          $(SMBLDAP_OBJ) $(DCUTIL_OBJ) $(SERVER_MUTEX_OBJ) \
-         $(AFS_OBJ) $(AFS_SETTOKEN_OBJ) $(REGFIO_OBJ)
+         $(AFS_OBJ) $(AFS_SETTOKEN_OBJ) $(REGFIO_OBJ) $(READLINE_OBJ)
 
 CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
          $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(SECRETS_OBJ)
@@ -581,8 +588,9 @@ MNT_OBJ = client/smbmnt.o lib/replace.o $(VERSION_OBJ) $(SNPRINTF_OBJ)
 
 UMOUNT_OBJ = client/smbumount.o
 
-NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) \
-               $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) $(LIBSAMBA_OBJ)
+NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) $(RPC_PARSE_OBJ1) $(DOSERR_OBJ) \
+               $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) $(LIBSAMBA_OBJ) \
+               
 
 SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/utable.o \
                torture/denytest.o torture/mangle_test.o 
@@ -625,11 +633,12 @@ SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
 EVTLOGADM_OBJ0 = utils/eventlogadm.o 
 
 EVTLOGADM_OBJ  = $(EVTLOGADM_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(REGOBJS_OBJ) \
-               $(ERRORMAP_OBJ) $(RPC_PARSE_OBJ0) $(LIBSAMBA_OBJ) $(DOSERR_OBJ) \
+               $(ERRORMAP_OBJ) $(RPC_PARSE_OBJ1) $(LIBSAMBA_OBJ) $(DOSERR_OBJ) \
                registry/reg_eventlog.o rpc_server/srv_eventlog_lib.o registry/reg_util.o \
                registry/reg_db.o 
 
-TALLOCTORT_OBJ = lib/talloctort.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) libsmb/nterr.o
+TALLOCTORT_OBJ = lib/talloctort.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
+                 $(RPC_PARSE_OBJ1) $(DOSERR_OBJ) $(LIBSAMBA_OBJ)
 
 RPCTORTURE_OBJ = torture/rpctorture.o \
              rpcclient/display.o \
@@ -699,7 +708,9 @@ WINBINDD_OBJ1 = \
                nsswitch/winbindd_ads.o \
                nsswitch/winbindd_passdb.o \
                nsswitch/winbindd_dual.o \
-               nsswitch/winbindd_async.o
+               nsswitch/winbindd_async.o \
+               nsswitch/winbindd_creds.o \
+               nsswitch/winbindd_cred_cache.o 
 
 WINBINDD_OBJ = \
                $(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
@@ -708,10 +719,11 @@ WINBINDD_OBJ = \
                $(PROFILE_OBJ) $(SLCACHE_OBJ) $(SMBLDAP_OBJ) \
                $(SECRETS_OBJ) $(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) \
                $(DCUTIL_OBJ) $(IDMAP_OBJ) \
-               $(AFS_OBJ) $(AFS_SETTOKEN_OBJ)
+               $(AFS_OBJ) $(AFS_SETTOKEN_OBJ) \
+               $(LIBADS_SERVER_OBJ) $(SERVER_MUTEX_OBJ)
 
 WBINFO_OBJ = nsswitch/wbinfo.o $(LIBSAMBA_OBJ) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
-               $(SECRETS_OBJ) $(POPT_LIB_OBJ) $(AFS_SETTOKEN_OBJ)
+               $(SECRETS_OBJ) $(POPT_LIB_OBJ) $(AFS_SETTOKEN_OBJ) $(RPC_PARSE_OBJ1) $(DOSERR_OBJ)
 
 WINBIND_NSS_OBJ = $(WBCOMMON_OBJ) lib/replace1.o @WINBIND_NSS_EXTRA_OBJS@
 
@@ -731,7 +743,7 @@ NTLM_AUTH_OBJ1 = utils/ntlm_auth.o utils/ntlm_auth_diagnostics.o
 NTLM_AUTH_OBJ = ${NTLM_AUTH_OBJ1} $(LIBSAMBA_OBJ) $(POPT_LIB_OBJ) \
                libsmb/asn1.o libsmb/spnego.o libsmb/clikrb5.o libads/kerberos.o \
                libads/kerberos_verify.o $(SECRETS_OBJ) $(SERVER_MUTEX_OBJ) \
-               libads/authdata.o $(RPC_PARSE_OBJ0) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
+               libads/authdata.o $(RPC_PARSE_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
                $(SMBLDAP_OBJ) $(DOSERR_OBJ) rpc_parse/parse_net.o
 
 ######################################################################
@@ -781,7 +793,7 @@ modules: SHOWFLAGS proto_exists $(MODULES)
 
 cac: SHOWFLAGS bin/libmsrpc.@SHLIBEXT@ bin/libmsrpc.a
 
-everything: all libsmbclient debug2html smbfilter talloctort modules torture eventlogadm \
+everything: all libsmbclient debug2html smbfilter talloctort modules torture \
        $(EVERYTHING_PROGS)
 
 .SUFFIXES:
@@ -908,7 +920,7 @@ bin/smbctool@EXEEXT@: $(TOOL_OBJ) @BUILD_POPT@ bin/.dummy
 
 bin/net@EXEEXT@: $(NET_OBJ) @BUILD_POPT@ bin/.dummy
        @echo Linking $@
-       @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(NET_OBJ) $(DYNEXP) $(LDFLAGS) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAP_LIBS) $(PASSDB_LIBS)
+       @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(NET_OBJ) $(DYNEXP) $(LDFLAGS) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAP_LIBS) $(PASSDB_LIBS) $(TERMLDFLAGS) $(TERMLIBS)
 
 bin/profiles@EXEEXT@: $(PROFILES_OBJ) @BUILD_POPT@ bin/.dummy
        @echo Linking $@
@@ -949,10 +961,10 @@ bin/smbtree@EXEEXT@: $(SMBTREE_OBJ) @BUILD_POPT@ bin/.dummy
        @echo Linking $@
        @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(SMBTREE_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAP_LIBS) 
 
-bin/smbpasswd@EXEEXT@: $(SMBPASSWD_OBJ) bin/.dummy
+bin/smbpasswd@EXEEXT@: $(SMBPASSWD_OBJ) @BUILD_POPT@ bin/.dummy
        @echo Linking $@
        @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(SMBPASSWD_OBJ) $(LDFLAGS) $(PASSDB_LIBS) \
-               $(DYNEXP) $(LIBS) $(KRB5LIBS) $(LDAP_LIBS) 
+               $(DYNEXP) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAP_LIBS) 
 
 bin/pdbedit@EXEEXT@: $(PDBEDIT_OBJ) @BUILD_POPT@ bin/.dummy
        @echo Linking $@
@@ -1180,7 +1192,7 @@ bin/winbindd@EXEEXT@: $(WINBINDD_OBJ) @BUILD_POPT@ bin/.dummy
 nsswitch/pam_winbind.@SHLIBEXT@: $(PAM_WINBIND_PICOBJ) bin/.dummy
        @echo "Linking $@"
        @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_WINBIND_PICOBJ) \
-               @SONAMEFLAG@`basename $@` -lpam
+               @SONAMEFLAG@`basename $@` $(LIBS) -lpam
 
 bin/rhosts.@SHLIBEXT@: $(AUTH_RHOSTS_OBJ:.o=.@PICSUFFIX@)
        @echo "Building plugin $@"
index df7d6fc9c60a638f15d3ad9e83a7b72165daba9f..6dc30383d5d121db0ac79449ab2d238cff33040a 100644 (file)
@@ -216,10 +216,10 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
                return NT_STATUS_LOGON_FAILURE;
 
        DEBUG(3, ("check_ntlm_password:  Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", 
-                 user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str));
+                 user_info->client_domain, user_info->smb_name, user_info->wksta_name));
 
        DEBUG(3, ("check_ntlm_password:  mapped user is: [%s]\\[%s]@[%s]\n", 
-                 user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str));
+                 user_info->domain, user_info->internal_username, user_info->wksta_name));
 
        if (auth_context->challenge.length != 8) {
                DEBUG(0, ("check_ntlm_password:  Invalid challenge stored for this auth context - cannot continue\n"));
@@ -243,14 +243,14 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 #endif
 
        /* This needs to be sorted:  If it doesn't match, what should we do? */
-       if (!check_domain_match(user_info->smb_name.str, user_info->domain.str))
+       if (!check_domain_match(user_info->smb_name, user_info->domain))
                return NT_STATUS_LOGON_FAILURE;
 
        for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
                NTSTATUS result;
                
                mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, 
-                                           user_info->domain.str, user_info->smb_name.str);
+                                           user_info->domain, user_info->smb_name);
 
                result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
 
@@ -265,10 +265,10 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 
                if (NT_STATUS_IS_OK(nt_status)) {
                        DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n", 
-                                 auth_method->name, user_info->smb_name.str));
+                                 auth_method->name, user_info->smb_name));
                } else {
                        DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n", 
-                                 auth_method->name, user_info->smb_name.str, nt_errstr(nt_status)));
+                                 auth_method->name, user_info->smb_name, nt_errstr(nt_status)));
                }
 
                talloc_destroy(mem_ctx);
@@ -302,8 +302,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
                        DEBUG((*server_info)->guest ? 5 : 2, 
                              ("check_ntlm_password:  %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n", 
                               (*server_info)->guest ? "guest " : "", 
-                              user_info->smb_name.str
-                              user_info->internal_username.str
+                              user_info->smb_name, 
+                              user_info->internal_username, 
                               unix_username));
                }
                
@@ -313,8 +313,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
        /* failed authentication; check for guest lapping */
        
        DEBUG(2, ("check_ntlm_password:  Authentication for user [%s] -> [%s] FAILED with error %s\n", 
-       user_info->smb_name.str, user_info->internal_username.str
-       nt_errstr(nt_status)));
+                 user_info->smb_name, user_info->internal_username
+                 nt_errstr(nt_status)));
        ZERO_STRUCTP(server_info); 
        
        return nt_status;
index 96c2221652eef25d6dc7a44787eb84b376256ec7..d4d6d49e40c7d9c4ae290a4b7225f812740affeb 100644 (file)
@@ -41,8 +41,8 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context,
        /* mark this as 'not for me' */
        NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
 
-       if (!(user_info->internal_username.str 
-             && *user_info->internal_username.str)) {
+       if (!(user_info->internal_username 
+             && *user_info->internal_username)) {
                nt_status = make_server_info_guest(server_info);
        }
 
@@ -84,7 +84,7 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_
        NTSTATUS nt_status;
        fstring user;
        long error_num;
-       fstrcpy(user, user_info->smb_name.str);
+       fstrcpy(user, user_info->smb_name);
        
        if (strnequal("NT_STATUS", user, strlen("NT_STATUS"))) {
                strupper_m(user);
index 2ac70d7354663f32f4dab2bc9d989dabd60bcfce..28b9de8d4312060a3c844145c63a1088a8e9d429 100644 (file)
@@ -84,7 +84,7 @@ static NTSTATUS pass_check_smb(const char *smb_name,
        } else {
                nt_status = check_plaintext_password(smb_name, plaintext_password, &server_info);
        }               
-       free_server_info(&server_info);
+       talloc_free(server_info);
        return nt_status;
 }
 
index 266851b22923a235a0a66fbd7612383ceafce798..81ae7c134004f93964d1eacec83565e4550fbded 100644 (file)
@@ -221,9 +221,9 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
                                                      mem_ctx,
                                                      user_info->logon_parameters,/* flags such as 'allow workstation logon' */ 
                                                      dc_name,                    /* server name */
-                                                     user_info->smb_name.str,    /* user name logging on. */
-                                                     user_info->domain.str,      /* domain name */
-                                                     user_info->wksta_name.str,  /* workstation name */
+                                                     user_info->smb_name,        /* user name logging on. */
+                                                     user_info->domain,          /* domain name */
+                                                     user_info->wksta_name,      /* workstation name */
                                                      chal,                       /* 8 byte challenge. */
                                                      user_info->lm_resp,         /* lanman 24 byte response */
                                                      user_info->nt_resp,         /* nt 24 byte response */
@@ -237,8 +237,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
        if (!NT_STATUS_IS_OK(nt_status)) {
                DEBUG(0,("domain_client_validate: unable to validate password "
                          "for user %s in domain %s to Domain controller %s. "
-                         "Error was %s.\n", user_info->smb_name.str,
-                         user_info->domain.str, dc_name, 
+                         "Error was %s.\n", user_info->smb_name,
+                         user_info->domain, dc_name, 
                          nt_errstr(nt_status)));
 
                /* map to something more useful */
@@ -247,13 +247,13 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
                }
        } else {
                nt_status = make_server_info_info3(mem_ctx,
-                                               user_info->internal_username.str
-                                               user_info->smb_name.str,
+                                               user_info->internal_username, 
+                                               user_info->smb_name,
                                                domain,
                                                server_info,
                                                &info3);
 
-               netsamlogon_cache_store( user_info->smb_name.str, &info3 );
+               netsamlogon_cache_store( user_info->smb_name, &info3 );
        }
 
        /* Note - once the cli stream is shutdown the mem_ctx used
@@ -296,7 +296,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
         * password file.
         */
 
-       if(strequal(get_global_sam_name(), user_info->domain.str)) {
+       if(strequal(get_global_sam_name(), user_info->domain)) {
                DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
                return NT_STATUS_NOT_IMPLEMENTED;
        }
@@ -305,7 +305,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
 
        if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) {
                DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n",
-                       user_info->domain.str));
+                       user_info->domain));
                return NT_STATUS_NO_LOGON_SERVERS;
        }
        
@@ -360,9 +360,9 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
         * Check that the requested domain is not our own machine name or domain name.
         */
 
-       if( strequal(get_global_sam_name(), user_info->domain.str)) {
+       if( strequal(get_global_sam_name(), user_info->domain)) {
                DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n",
-                       user_info->domain.str));
+                       user_info->domain));
                return NT_STATUS_NOT_IMPLEMENTED;
        }
 
@@ -371,7 +371,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
           The logic is that if we know nothing about the domain, that
           user is not known to us and does not exist */
        
-       if ( !is_trusted_domain( user_info->domain.str ) )
+       if ( !is_trusted_domain( user_info->domain ) )
                return NT_STATUS_NOT_IMPLEMENTED;
 
        /*
@@ -379,14 +379,17 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
         * No need to become_root() as secrets_init() is done at startup.
         */
 
-       if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password,
+       if (!secrets_fetch_trusted_domain_password(user_info->domain, &trust_password,
                                &sid, &last_change_time)) {
-               DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str));
+               DEBUG(0, ("check_trustdomain_security: could not fetch trust "
+                         "account password for domain %s\n",
+                         user_info->domain));
                return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
        }
 
 #ifdef DEBUG_PASSWORD
-       DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password));
+       DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain,
+                   trust_password));
 #endif
        E_md4hash(trust_password, trust_md4_password);
        SAFE_FREE(trust_password);
@@ -402,15 +405,15 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
        /* use get_dc_name() for consistency even through we know that it will be 
           a netbios name */
           
-       if ( !get_dc_name(user_info->domain.str, NULL, dc_name, &dc_ip) ) {
+       if ( !get_dc_name(user_info->domain, NULL, dc_name, &dc_ip) ) {
                DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n",
-                       user_info->domain.str));
+                       user_info->domain));
                return NT_STATUS_NO_LOGON_SERVERS;
        }
        
        nt_status = domain_client_validate(mem_ctx,
                                        user_info,
-                                       user_info->domain.str,
+                                       user_info->domain,
                                        (uchar *)auth_context->challenge.data,
                                        server_info,
                                        dc_name,
index 2fef8f1e9b56ca686d7ddcc080ced0b387da8187..2bf86860cc1469bec7029c8740d9f208bda89623 100644 (file)
@@ -115,6 +115,14 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
        if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
        }
+
+       nt_status = create_local_token(auth_ntlmssp_state->server_info);
+
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               DEBUG(10, ("create_local_token failed\n"));
+               return nt_status;
+       }
+
        if (auth_ntlmssp_state->server_info->user_session_key.length) {
                DEBUG(10, ("Got NT session key of length %u\n",
                        (unsigned int)auth_ntlmssp_state->server_info->user_session_key.length));
@@ -179,7 +187,7 @@ void auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
                ((*auth_ntlmssp_state)->auth_context->free)(&(*auth_ntlmssp_state)->auth_context);
        }
        if ((*auth_ntlmssp_state)->server_info) {
-               free_server_info(&(*auth_ntlmssp_state)->server_info);
+               talloc_free((*auth_ntlmssp_state)->server_info);
        }
        talloc_destroy(mem_ctx);
        *auth_ntlmssp_state = NULL;
index b561e3d42bee9c4d94b777cfdc34e510beda941d..e310fa80fd5de1f452f04f519b0b624592fe828d 100644 (file)
@@ -60,103 +60,101 @@ static NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account)
 
 static BOOL check_user_equiv(const char *user, const char *remote, const char *equiv_file)
 {
-  int plus_allowed = 1;
-  char *file_host;
-  char *file_user;
-  char **lines = file_lines_load(equiv_file, NULL);
-  int i;
-
-  DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file));
-  if (! lines) return False;
-  for (i=0; lines[i]; i++) {
-    char *buf = lines[i];
-    trim_char(buf,' ',' ');
-
-    if (buf[0] != '#' && buf[0] != '\n') 
-    {
-      BOOL is_group = False;
-      int plus = 1;
-      char *bp = buf;
-      if (strcmp(buf, "NO_PLUS\n") == 0)
-      {
-       DEBUG(6, ("check_user_equiv NO_PLUS\n"));
-       plus_allowed = 0;
-      }
-      else {
-       if (buf[0] == '+') 
-       {
-         bp++;
-         if (*bp == '\n' && plus_allowed) 
-         {
-           /* a bare plus means everbody allowed */
-           DEBUG(6, ("check_user_equiv everybody allowed\n"));
-           file_lines_free(lines);
-           return True;
-         }
-       }
-       else if (buf[0] == '-')
-       {
-         bp++;
-         plus = 0;
-       }
-       if (*bp == '@') 
-       {
-         is_group = True;
-         bp++;
+       int plus_allowed = 1;
+       char *file_host;
+       char *file_user;
+       char **lines = file_lines_load(equiv_file, NULL,0);
+       int i;
+
+       DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file));
+       if (! lines) {
+               return False;
        }
-       file_host = strtok(bp, " \t\n");
-       file_user = strtok(NULL, " \t\n");
-       DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", 
-                 file_user ? file_user : "(null)" ));
-       if (file_host && *file_host) 
-       {
-         BOOL host_ok = False;
+       for (i=0; lines[i]; i++) {
+               char *buf = lines[i];
+               trim_char(buf,' ',' ');
+
+               if (buf[0] != '#' && buf[0] != '\n') {
+                       BOOL is_group = False;
+                       int plus = 1;
+                       char *bp = buf;
+
+                       if (strcmp(buf, "NO_PLUS\n") == 0) {
+                               DEBUG(6, ("check_user_equiv NO_PLUS\n"));
+                               plus_allowed = 0;
+                       } else {
+                               if (buf[0] == '+') {
+                                       bp++;
+                                       if (*bp == '\n' && plus_allowed) {
+                                               /* a bare plus means everbody allowed */
+                                               DEBUG(6, ("check_user_equiv everybody allowed\n"));
+                                               file_lines_free(lines);
+                                               return True;
+                                       }
+                               } else if (buf[0] == '-') {
+                                       bp++;
+                                       plus = 0;
+                               }
+                               if (*bp == '@') {
+                                       is_group = True;
+                                       bp++;
+                               }
+                               file_host = strtok(bp, " \t\n");
+                               file_user = strtok(NULL, " \t\n");
+                               DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", 
+                                       file_user ? file_user : "(null)" ));
+
+                               if (file_host && *file_host) {
+                                       BOOL host_ok = False;
 
 #if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
-         if (is_group)
-           {
-             static char *mydomain = NULL;
-             if (!mydomain)
-               yp_get_default_domain(&mydomain);
-             if (mydomain && innetgr(file_host,remote,user,mydomain))
-               host_ok = True;
-           }
+                                       if (is_group) {
+                                               static char *mydomain = NULL;
+                                               if (!mydomain) {
+                                                       yp_get_default_domain(&mydomain);
+                                               }
+                                               if (mydomain && innetgr(file_host,remote,user,mydomain)) {
+                                                       host_ok = True;
+                                               }
+                                       }
 #else
-         if (is_group)
-           {
-             DEBUG(1,("Netgroups not configured\n"));
-             continue;
-           }
+                                       if (is_group) {
+                                               DEBUG(1,("Netgroups not configured\n"));
+                                               continue;
+                                       }
 #endif
 
-         /* is it this host */
-         /* the fact that remote has come from a call of gethostbyaddr
-          * means that it may have the fully qualified domain name
-          * so we could look up the file version to get it into
-          * a canonical form, but I would rather just type it
-          * in full in the equiv file
-          */
-         if (!host_ok && !is_group && strequal(remote, file_host))
-           host_ok = True;
-
-         if (!host_ok)
-           continue;
-
-         /* is it this user */
-         if (file_user == 0 || strequal(user, file_user)) 
-           {
-             DEBUG(5, ("check_user_equiv matched %s%s %s\n",
-                       (plus ? "+" : "-"), file_host,
-                       (file_user ? file_user : "")));
-             file_lines_free(lines);
-             return (plus ? True : False);
-           }
+                                       /* is it this host */
+                                       /* the fact that remote has come from a call of gethostbyaddr
+                                        * means that it may have the fully qualified domain name
+                                        * so we could look up the file version to get it into
+                                        * a canonical form, but I would rather just type it
+                                        * in full in the equiv file
+                                        */
+
+                                       if (!host_ok && !is_group && strequal(remote, file_host)) {
+                                               host_ok = True;
+                                       }
+
+                                       if (!host_ok) {
+                                               continue;
+                                       }
+
+                                       /* is it this user */
+                                       if (file_user == 0 || strequal(user, file_user)) {
+                                               DEBUG(5, ("check_user_equiv matched %s%s %s\n",
+                                                       (plus ? "+" : "-"), file_host,
+                                                       (file_user ? file_user : "")));
+                                               file_lines_free(lines);
+                                               return (plus ? True : False);
+                                       }
+                               }
+                       }
+               }
        }
-      }
-    }
-  }
-  file_lines_free(lines);
-  return False;
+
+       file_lines_free(lines);
+       return False;
 }
 
 /****************************************************************************
@@ -169,7 +167,7 @@ static BOOL check_hosts_equiv(SAM_ACCOUNT *account)
        char *fname = NULL;
 
        fname = lp_hosts_equiv();
-       if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(account), &uid)))
+       if (!sid_to_uid(pdb_get_user_sid(account), &uid))
                return False;
 
        /* note: don't allow hosts.equiv on root */
@@ -195,7 +193,7 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex
        NTSTATUS nt_status;
        SAM_ACCOUNT *account = NULL;
        if (!NT_STATUS_IS_OK(nt_status = 
-                            auth_get_sam_account(user_info->internal_username.str, 
+                            auth_get_sam_account(user_info->internal_username,
                                                  &account))) {
                if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) 
                        nt_status = NT_STATUS_NOT_IMPLEMENTED;
@@ -204,6 +202,9 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex
 
        if (check_hosts_equiv(account)) {
                nt_status = make_server_info_sam(server_info, account);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       pdb_free_sam(&account);
+               }
        } else {
                pdb_free_sam(&account);
                nt_status = NT_STATUS_NOT_IMPLEMENTED;
@@ -241,7 +242,7 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context,
        const char *home;
        
        if (!NT_STATUS_IS_OK(nt_status = 
-                            auth_get_sam_account(user_info->internal_username.str, 
+                            auth_get_sam_account(user_info->internal_username,
                                                  &account))) {
                if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) 
                        nt_status = NT_STATUS_NOT_IMPLEMENTED;
@@ -255,6 +256,9 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context,
                become_root();
                if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) {
                        nt_status = make_server_info_sam(server_info, account);
+                       if (!NT_STATUS_IS_OK(nt_status)) {
+                               pdb_free_sam(&account);
+                       }
                } else {
                        pdb_free_sam(&account);
                }
index 558c181f704452731324e98515f00a3fee6b9293..fb53941b79fc3146b4a98dc4e03f49b5089c2587 100644 (file)
@@ -62,8 +62,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
                                   &user_info->lm_resp, &user_info->nt_resp, 
                                   &user_info->lm_interactive_pwd, &user_info->nt_interactive_pwd,
                                   username, 
-                                  user_info->smb_name.str, 
-                                  user_info->client_domain.str, 
+                                  user_info->smb_name,
+                                  user_info->client_domain,
                                   lm_pw, nt_pw, user_sess_key, lm_sess_key);
 }
 
@@ -177,22 +177,22 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
                fstring tok;
                const char *s = workstation_list;
 
-               const char *machine_name = talloc_asprintf(mem_ctx, "%s$", user_info->wksta_name.str);
+               const char *machine_name = talloc_asprintf(mem_ctx, "%s$", user_info->wksta_name);
                if (machine_name == NULL)
                        return NT_STATUS_NO_MEMORY;
                        
                        
                while (next_token(&s, tok, ",", sizeof(tok))) {
-                       DEBUG(10,("sam_account_ok: checking for workstation match %s and %s (len=%d)\n",
-                                 tok, user_info->wksta_name.str, user_info->wksta_name.len));
-                       if(strequal(tok, user_info->wksta_name.str)) {
+                       DEBUG(10,("sam_account_ok: checking for workstation match %s and %s\n",
+                                 tok, user_info->wksta_name));
+                       if(strequal(tok, user_info->wksta_name)) {
                                invalid_ws = False;
                                break;
                        }
                        if (tok[0] == '+') {
                                DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n", 
                                        machine_name, tok + 1));
-                               if (user_in_group_list(machine_name, tok + 1, NULL, 0)) {
+                               if (user_in_group(machine_name, tok + 1)) {
                                        invalid_ws = False;
                                        break;
                                }
@@ -257,11 +257,12 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
        /* get the account information */
 
        become_root();
-       ret = pdb_getsampwnam(sampass, user_info->internal_username.str);
+       ret = pdb_getsampwnam(sampass, user_info->internal_username);
        unbecome_root();
 
        if (ret == False) {
-               DEBUG(3,("check_sam_security: Couldn't find user '%s' in passdb.\n", user_info->internal_username.str));
+               DEBUG(3,("check_sam_security: Couldn't find user '%s' in "
+                        "passdb.\n", user_info->internal_username));
                pdb_free_sam(&sampass);
                return NT_STATUS_NO_SUCH_USER;
        }
@@ -294,7 +295,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
                }
                if (updated_autolock || updated_badpw){
                        become_root();
-                       if(!pdb_update_sam_account(sampass))
+                       if(!NT_STATUS_IS_OK(pdb_update_sam_account(sampass)))
                                DEBUG(1, ("Failed to modify entry.\n"));
                        unbecome_root();
                }
@@ -313,7 +314,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
 
        if (updated_autolock || updated_badpw){
                become_root();
-               if(!pdb_update_sam_account(sampass))
+               if(!NT_STATUS_IS_OK(pdb_update_sam_account(sampass)))
                        DEBUG(1, ("Failed to modify entry.\n"));
                unbecome_root();
        }
@@ -329,13 +330,21 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
 
        if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) {         
                DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
+               pdb_free_sam(&sampass);
                data_blob_free(&user_sess_key);
                data_blob_free(&lm_sess_key);
                return nt_status;
        }
 
-       (*server_info)->user_session_key = user_sess_key;
-       (*server_info)->lm_session_key = lm_sess_key;
+       (*server_info)->user_session_key =
+               data_blob_talloc(*server_info, user_sess_key.data,
+                                user_sess_key.length);
+       data_blob_free(&user_sess_key);
+
+       (*server_info)->lm_session_key =
+               data_blob_talloc(*server_info, lm_sess_key.data,
+                                lm_sess_key.length);
+       data_blob_free(&lm_sess_key);
 
        return nt_status;
 }
@@ -369,8 +378,8 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
                return NT_STATUS_LOGON_FAILURE;
        }
 
-       is_local_name = is_myname(user_info->domain.str);
-       is_my_domain  = strequal(user_info->domain.str, lp_workgroup());
+       is_local_name = is_myname(user_info->domain);
+       is_my_domain  = strequal(user_info->domain, lp_workgroup());
 
        /* check whether or not we service this domain/workgroup name */
        
@@ -379,7 +388,7 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
                case ROLE_DOMAIN_MEMBER:
                        if ( !is_local_name ) {
                                DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n",
-                                       user_info->domain.str, (lp_server_role() == ROLE_DOMAIN_MEMBER 
+                                       user_info->domain, (lp_server_role() == ROLE_DOMAIN_MEMBER 
                                        ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
                                return NT_STATUS_NOT_IMPLEMENTED;
                        }
@@ -387,7 +396,7 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
                case ROLE_DOMAIN_BDC:
                        if ( !is_local_name && !is_my_domain ) {
                                DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
-                                       user_info->domain.str));
+                                       user_info->domain));
                                return NT_STATUS_NOT_IMPLEMENTED;
                        }
                default: /* name is ok */
index 1a715fca319e3fc8a8fa3766772e9818b4b30e7c..1bc33ec59e7915ae3c9c107101c211764d5c1a66 100644 (file)
@@ -63,8 +63,8 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co
                return NT_STATUS_INVALID_PARAMETER;
        }               
 
-       secret_str_len = strlen(user_info->domain.str) + 1 +
-                       strlen(user_info->smb_name.str) + 1 +
+       secret_str_len = strlen(user_info->domain) + 1 +
+                       strlen(user_info->smb_name) + 1 +
                        16 + 1 + /* 8 bytes of challenge going to 16 */
                        48 + 1 + /* 24 bytes of challenge going to 48 */
                        48 + 1;
@@ -74,9 +74,9 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co
                return NT_STATUS_NO_MEMORY;
        }
 
-       safe_strcpy( secret_str, user_info->domain.str, secret_str_len - 1);
+       safe_strcpy( secret_str, user_info->domain, secret_str_len - 1);
        safe_strcat( secret_str, "\n", secret_str_len - 1);
-       safe_strcat( secret_str, user_info->smb_name.str, secret_str_len - 1);
+       safe_strcat( secret_str, user_info->smb_name, secret_str_len - 1);
        safe_strcat( secret_str, "\n", secret_str_len - 1);
 
        for (i = 0; i < 8; i++) {
@@ -110,7 +110,7 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co
 
        if (ret) {
                DEBUG(1,("script_check_user_credentials: failed to authenticate %s\\%s\n",
-                       user_info->domain.str, user_info->smb_name.str ));
+                       user_info->domain, user_info->smb_name ));
                /* auth failed. */
                return NT_STATUS_NO_SUCH_USER;
        }
index 7bce32ef2b221d3edd8bb49e7e0d59eca72a3dc7..8eed8bba6a40efd60e4286b0a74efd4f26cb8a7b 100644 (file)
@@ -235,7 +235,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context
         * password file.
         */
 
-       if(is_myname(user_info->domain.str)) {
+       if(is_myname(user_info->domain)) {
                DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n"));
                return nt_status;
        }
@@ -296,7 +296,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context
 
        if ((!tested_password_server) && (lp_paranoid_server_security())) {
                if (cli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass), 
-                                       (char *)badpass, sizeof(badpass), user_info->domain.str)) {
+                                       (char *)badpass, sizeof(badpass), user_info->domain)) {
 
                        /*
                         * We connected to the password server so we
@@ -342,11 +342,11 @@ use this machine as the password server.\n"));
 
        if (!user_info->encrypted) {
                /* Plaintext available */
-               if (!cli_session_setup(cli, user_info->smb_name.str
+               if (!cli_session_setup(cli, user_info->smb_name, 
                                       (char *)user_info->plaintext_password.data, 
                                       user_info->plaintext_password.length, 
                                       NULL, 0,
-                                      user_info->domain.str)) {
+                                      user_info->domain)) {
                        DEBUG(1,("password server %s rejected the password\n", cli->desthost));
                        /* Make this cli_nt_error() when the conversion is in */
                        nt_status = cli_nt_error(cli);
@@ -354,12 +354,12 @@ use this machine as the password server.\n"));
                        nt_status = NT_STATUS_OK;
                }
        } else {
-               if (!cli_session_setup(cli, user_info->smb_name.str
+               if (!cli_session_setup(cli, user_info->smb_name, 
                                       (char *)user_info->lm_resp.data, 
                                       user_info->lm_resp.length, 
                                       (char *)user_info->nt_resp.data, 
                                       user_info->nt_resp.length, 
-                                      user_info->domain.str)) {
+                                      user_info->domain)) {
                        DEBUG(1,("password server %s rejected the password\n", cli->desthost));
                        /* Make this cli_nt_error() when the conversion is in */
                        nt_status = cli_nt_error(cli);
@@ -380,11 +380,11 @@ use this machine as the password server.\n"));
                fstring real_username;
                struct passwd *pass;
 
-               if ( (pass = smb_getpwnam( user_info->internal_username.str
+               if ( (pass = smb_getpwnam( NULL, user_info->internal_username
                        real_username, True )) != NULL ) 
                {
                        nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
-                       passwd_free(&pass);
+                       talloc_free(pass);
                }
                else
                {
index f744cba0c434e53c754eee80a8bfcf304590f8d8..df0703d348b10af25a99a794b35b9a575875d5eb 100644 (file)
@@ -62,7 +62,7 @@ static BOOL update_smbpassword_file(const char *user, const char *password)
        /* Now write it into the file. */
        become_root();
 
-       ret = pdb_update_sam_account (sampass);
+       ret = NT_STATUS_IS_OK(pdb_update_sam_account (sampass));
 
        unbecome_root();
 
@@ -91,13 +91,13 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
        struct passwd *pass = NULL;
 
        become_root();
-       pass = Get_Pwnam(user_info->internal_username.str);
+       pass = Get_Pwnam(user_info->internal_username);
 
        
        /** @todo This call assumes a ASCII password, no charset transformation is 
            done.  We may need to revisit this **/
        nt_status = pass_check(pass,
-                               pass ? pass->pw_name : user_info->internal_username.str
+                               pass ? pass->pw_name : user_info->internal_username, 
                                (char *)user_info->plaintext_password.data,
                                user_info->plaintext_password.length-1,
                                lp_update_encrypted() ? 
index eb15fff7c8da5fc708ececbd8a7f7eb1a63b84c5..27dab9b9aa80f02398b46b76d62d5202328541d9 100644 (file)
@@ -5,6 +5,7 @@
    Copyright (C) Andrew Bartlett 2001
    Copyright (C) Jeremy Allison 2000-2001
    Copyright (C) Rafal Szczesniak 2002
+   Copyright (C) Volker Lendecke 2006
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
+static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
+                                                  const DOM_SID *user_sid,
+                                                  const DOM_SID *group_sid,
+                                                  BOOL is_guest,
+                                                  int num_groupsids,
+                                                  const DOM_SID *groupsids);
 
 /****************************************************************************
  Create a UNIX user on demand.
@@ -78,42 +85,32 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
 
        DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
 
-       (*user_info)->smb_name.str = SMB_STRDUP(smb_name);
-       if ((*user_info)->smb_name.str) { 
-               (*user_info)->smb_name.len = strlen(smb_name);
-       } else {
+       (*user_info)->smb_name = SMB_STRDUP(smb_name);
+       if ((*user_info)->smb_name == NULL) { 
                free_user_info(user_info);
                return NT_STATUS_NO_MEMORY;
        }
        
-       (*user_info)->internal_username.str = SMB_STRDUP(internal_username);
-       if ((*user_info)->internal_username.str) { 
-               (*user_info)->internal_username.len = strlen(internal_username);
-       } else {
+       (*user_info)->internal_username = SMB_STRDUP(internal_username);
+       if ((*user_info)->internal_username == NULL) { 
                free_user_info(user_info);
                return NT_STATUS_NO_MEMORY;
        }
 
-       (*user_info)->domain.str = SMB_STRDUP(domain);
-       if ((*user_info)->domain.str) { 
-               (*user_info)->domain.len = strlen(domain);
-       } else {
+       (*user_info)->domain = SMB_STRDUP(domain);
+       if ((*user_info)->domain == NULL) { 
                free_user_info(user_info);
                return NT_STATUS_NO_MEMORY;
        }
 
-       (*user_info)->client_domain.str = SMB_STRDUP(client_domain);
-       if ((*user_info)->client_domain.str) { 
-               (*user_info)->client_domain.len = strlen(client_domain);
-       } else {
+       (*user_info)->client_domain = SMB_STRDUP(client_domain);
+       if ((*user_info)->client_domain == NULL) { 
                free_user_info(user_info);
                return NT_STATUS_NO_MEMORY;
        }
 
-       (*user_info)->wksta_name.str = SMB_STRDUP(wksta_name);
-       if ((*user_info)->wksta_name.str) { 
-               (*user_info)->wksta_name.len = strlen(wksta_name);
-       } else {
+       (*user_info)->wksta_name = SMB_STRDUP(wksta_name);
+       if ((*user_info)->wksta_name == NULL) { 
                free_user_info(user_info);
                return NT_STATUS_NO_MEMORY;
        }
@@ -196,26 +193,28 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
                                     const char *client_domain, 
                                     const char *wksta_name, 
                                     uint32 logon_parameters,
-                                    const uchar *lm_network_pwd, int lm_pwd_len,
-                                    const uchar *nt_network_pwd, int nt_pwd_len)
+                                    const uchar *lm_network_pwd,
+                                    int lm_pwd_len,
+                                    const uchar *nt_network_pwd,
+                                    int nt_pwd_len)
 {
        BOOL ret;
-       NTSTATUS nt_status;
+       NTSTATUS status;
        DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
        DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
 
-       nt_status = make_user_info_map(user_info,
-                                      smb_name, client_domain, 
-                                      wksta_name, 
-                                      lm_pwd_len ? &lm_blob : NULL, 
-                                      nt_pwd_len ? &nt_blob : NULL,
-                                      NULL, NULL, NULL,
-                                      True);
+       status = make_user_info_map(user_info,
+                                   smb_name, client_domain, 
+                                   wksta_name, 
+                                   lm_pwd_len ? &lm_blob : NULL, 
+                                   nt_pwd_len ? &nt_blob : NULL,
+                                   NULL, NULL, NULL,
+                                   True);
 
-       if (NT_STATUS_IS_OK(nt_status)) {
+       if (NT_STATUS_IS_OK(status)) {
                (*user_info)->logon_parameters = logon_parameters;
        }
-       ret = NT_STATUS_IS_OK(nt_status) ? True : False;
+       ret = NT_STATUS_IS_OK(status) ? True : False;
 
        data_blob_free(&lm_blob);
        data_blob_free(&nt_blob);
@@ -246,8 +245,11 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
        ZERO_STRUCT(key);
        memcpy(key, dc_sess_key, 8);
        
-       if (lm_interactive_pwd) memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
-       if (nt_interactive_pwd) memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
+       if (lm_interactive_pwd)
+               memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
+
+       if (nt_interactive_pwd)
+               memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
        
 #ifdef DEBUG_PASSWORD
        DEBUG(100,("key:"));
@@ -275,10 +277,12 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
 #endif
        
        if (lm_interactive_pwd)
-               SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response);
+               SMBOWFencrypt((const unsigned char *)lm_pwd, chal,
+                             local_lm_response);
 
        if (nt_interactive_pwd)
-               SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response);
+               SMBOWFencrypt((const unsigned char *)nt_pwd, chal,
+                             local_nt_response);
        
        /* Password info paranoia */
        ZERO_STRUCT(key);
@@ -293,26 +297,29 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
                DATA_BLOB nt_interactive_blob;
                
                if (lm_interactive_pwd) {
-                       local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response));
-                       lm_interactive_blob = data_blob(lm_pwd, sizeof(lm_pwd));
+                       local_lm_blob = data_blob(local_lm_response,
+                                                 sizeof(local_lm_response));
+                       lm_interactive_blob = data_blob(lm_pwd,
+                                                       sizeof(lm_pwd));
                        ZERO_STRUCT(lm_pwd);
                }
                
                if (nt_interactive_pwd) {
-                       local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response));
-                       nt_interactive_blob = data_blob(nt_pwd, sizeof(nt_pwd));
+                       local_nt_blob = data_blob(local_nt_response,
+                                                 sizeof(local_nt_response));
+                       nt_interactive_blob = data_blob(nt_pwd,
+                                                       sizeof(nt_pwd));
                        ZERO_STRUCT(nt_pwd);
                }
 
-               nt_status = make_user_info_map(user_info, 
-                                              smb_name, client_domain, 
-                                              wksta_name, 
-                                              lm_interactive_pwd ? &local_lm_blob : NULL,
-                                              nt_interactive_pwd ? &local_nt_blob : NULL,
-                                              lm_interactive_pwd ? &lm_interactive_blob : NULL,
-                                              nt_interactive_pwd ? &nt_interactive_blob : NULL,
-                                              NULL,
-                                              True);
+               nt_status = make_user_info_map(
+                       user_info, 
+                       smb_name, client_domain, wksta_name, 
+                       lm_interactive_pwd ? &local_lm_blob : NULL,
+                       nt_interactive_pwd ? &local_nt_blob : NULL,
+                       lm_interactive_pwd ? &lm_interactive_blob : NULL,
+                       nt_interactive_pwd ? &nt_interactive_blob : NULL,
+                       NULL, True);
 
                if (NT_STATUS_IS_OK(nt_status)) {
                        (*user_info)->logon_parameters = logon_parameters;
@@ -347,17 +354,21 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
         * Not encrypted - do so.
         */
        
-       DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted format.\n"));
+       DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
+                "format.\n"));
        
        if (plaintext_password.data) {
                unsigned char local_lm_response[24];
                
 #ifdef DEBUG_PASSWORD
-               DEBUG(10,("Unencrypted password (len %d):\n",(int)plaintext_password.length));
-               dump_data(100, (const char *)plaintext_password.data, plaintext_password.length);
+               DEBUG(10,("Unencrypted password (len %d):\n",
+                         (int)plaintext_password.length));
+               dump_data(100, (const char *)plaintext_password.data,
+                         plaintext_password.length);
 #endif
 
-               SMBencrypt( (const char *)plaintext_password.data, (const uchar*)chal, local_lm_response);
+               SMBencrypt( (const char *)plaintext_password.data,
+                           (const uchar*)chal, local_lm_response);
                local_lm_blob = data_blob(local_lm_response, 24);
                
                /* We can't do an NT hash here, as the password needs to be
@@ -369,14 +380,14 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
                local_nt_blob = data_blob(NULL, 0); 
        }
        
-       ret = make_user_info_map(user_info, smb_name,
-                                client_domain, 
-                                get_remote_machine_name(),
-                                local_lm_blob.data ? &local_lm_blob : NULL,
-                                local_nt_blob.data ? &local_nt_blob : NULL,
-                                NULL, NULL,
-                                plaintext_password.data ? &plaintext_password : NULL, 
-                                False);
+       ret = make_user_info_map(
+               user_info, smb_name, client_domain, 
+               get_remote_machine_name(),
+               local_lm_blob.data ? &local_lm_blob : NULL,
+               local_nt_blob.data ? &local_nt_blob : NULL,
+               NULL, NULL,
+               plaintext_password.data ? &plaintext_password : NULL, 
+               False);
        
        data_blob_free(&local_lm_blob);
        return NT_STATUS_IS_OK(ret) ? True : False;
@@ -426,7 +437,6 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info)
 
 void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
 {
-       fstring sid_str;
        size_t     i;
        
        if (!token) {
@@ -434,12 +444,15 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
                return;
        }
        
-       DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n",
-                                   sid_to_string(sid_str, &token->user_sids[0]) ));
-       DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids));
+       DEBUGC(dbg_class, dbg_lev,
+              ("NT user token of user %s\n",
+               sid_string_static(&token->user_sids[0]) ));
+       DEBUGADDC(dbg_class, dbg_lev,
+                 ("contains %lu SIDs\n", (unsigned long)token->num_sids));
        for (i = 0; i < token->num_sids; i++)
-               DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, 
-                                              sid_to_string(sid_str, &token->user_sids[i])));
+               DEBUGADDC(dbg_class, dbg_lev,
+                         ("SID[%3lu]: %s\n", (unsigned long)i, 
+                          sid_string_static(&token->user_sids[i])));
 
        dump_se_priv( dbg_class, dbg_lev, &token->privileges );
 }
@@ -448,464 +461,568 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
  prints a UNIX 'token' to debug output.
 ****************************************************************************/
 
-void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, int n_groups, gid_t *groups)
+void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
+                          int n_groups, gid_t *groups)
 {
        int     i;
-       DEBUGC(dbg_class, dbg_lev, ("UNIX token of user %ld\n", (long int)uid));
+       DEBUGC(dbg_class, dbg_lev,
+              ("UNIX token of user %ld\n", (long int)uid));
 
-       DEBUGADDC(dbg_class, dbg_lev, ("Primary group is %ld and contains %i supplementary groups\n", (long int)gid, n_groups));
+       DEBUGADDC(dbg_class, dbg_lev,
+                 ("Primary group is %ld and contains %i supplementary "
+                  "groups\n", (long int)gid, n_groups));
        for (i = 0; i < n_groups; i++)
                DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i, 
                        (long int)groups[i]));
 }
 
-/****************************************************************************
- Create the SID list for this user.
-****************************************************************************/
+/******************************************************************************
+ Create a token for the root user to be used internally by smbd.
+ This is similar to running under the context of the LOCAL_SYSTEM account
+ in Windows.  This is a read-only token.  Do not modify it or free() it.
+ Create a copy if your need to change it.
+******************************************************************************/
 
-static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *group_sid, 
-                                    int n_groupSIDs, DOM_SID *groupSIDs, 
-                                    BOOL is_guest, NT_USER_TOKEN **token)
+NT_USER_TOKEN *get_root_nt_token( void )
 {
-       NTSTATUS       nt_status = NT_STATUS_OK;
-       NT_USER_TOKEN *ptoken;
-       int i;
-       int sid_ndx;
-       DOM_SID domadm;
-       BOOL is_domain_admin = False;
-       BOOL domain_mode = False;
+       static NT_USER_TOKEN *token = NULL;
+       DOM_SID u_sid, g_sid;
+       struct passwd *pw;
        
-       if ((ptoken = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) {
-               DEBUG(0, ("create_nt_user_token: Out of memory allocating token\n"));
-               nt_status = NT_STATUS_NO_MEMORY;
-               return nt_status;
+       if ( token )
+               return token;
+               
+       if ( !(pw = getpwnam( "root" )) ) {
+               DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
+               return NULL;
        }
+       
+       /* get the user and primary group SIDs; although the 
+          BUILTIN\Administrators SId is really the one that matters here */
+          
+       uid_to_sid(&u_sid, pw->pw_uid);
+       gid_to_sid(&g_sid, pw->pw_gid);
 
-       ZERO_STRUCTP(ptoken);
+       token = create_local_nt_token(NULL, &u_sid, &g_sid, False,
+                                     1, &global_sid_Builtin_Administrators);
+       return token;
+}
 
-       ptoken->num_sids = n_groupSIDs + 5;
+static int server_info_dtor(void *p)
+{
+       auth_serversupplied_info *server_info =
+               talloc_get_type_abort(p, auth_serversupplied_info);
 
-       if ((ptoken->user_sids = SMB_MALLOC_ARRAY( DOM_SID, ptoken->num_sids )) == NULL) {
-               DEBUG(0, ("create_nt_user_token: Out of memory allocating SIDs\n"));
-               nt_status = NT_STATUS_NO_MEMORY;
-               return nt_status;
+       if (server_info->sam_account != NULL) {
+               pdb_free_sam(&server_info->sam_account);
        }
-       
-       memset((char*)ptoken->user_sids,0,sizeof(DOM_SID) * ptoken->num_sids);
-       
-       /*
-        * Note - user SID *MUST* be first in token !
-        * se_access_check depends on this.
-        *
-        * Primary group SID is second in token. Convention.
-        */
 
-       sid_copy(&ptoken->user_sids[PRIMARY_USER_SID_INDEX], user_sid);
-       if (group_sid)
-               sid_copy(&ptoken->user_sids[PRIMARY_GROUP_SID_INDEX], group_sid);
+       ZERO_STRUCTP(server_info);
+       return 0;
+}
 
-       /*
-        * Finally add the "standard" SIDs.
-        * The only difference between guest and "anonymous" (which we
-        * don't really support) is the addition of Authenticated_Users.
-        */
+/***************************************************************************
+ Make a server_info struct. Free with talloc_free().
+***************************************************************************/
+
+static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
+{
+       struct auth_serversupplied_info *result;
 
-       sid_copy(&ptoken->user_sids[2], &global_sid_World);
-       sid_copy(&ptoken->user_sids[3], &global_sid_Network);
+       result = TALLOC_ZERO_P(mem_ctx, auth_serversupplied_info);
+       if (result == NULL) {
+               DEBUG(0, ("talloc failed\n"));
+               return NULL;
+       }
 
-       if (is_guest)
-               sid_copy(&ptoken->user_sids[4], &global_sid_Builtin_Guests);
-       else
-               sid_copy(&ptoken->user_sids[4], &global_sid_Authenticated_Users);
-       
-       sid_ndx = 5; /* next available spot */
-
-       /* this is where we construct the domain admins SID if we can
-          so that we can add the BUILTIN\Administrators SID to the token */
-
-       ZERO_STRUCT( domadm );
-       if ( IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER ) {
-               domain_mode = True;
-
-               if ( IS_DC ) 
-                       sid_copy( &domadm, get_global_sam_sid() );
-               else {
-                       /* if we a re a member server and cannot find
-                          out domain SID then reset the domain_mode flag */
-                       if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) )
-                               domain_mode = False;
-               }
+       talloc_set_destructor(result, server_info_dtor);
+
+       /* Initialise the uid and gid values to something non-zero
+          which may save us from giving away root access if there
+          is a bug in allocating these fields. */
+
+       result->uid = -1;
+       result->gid = -1;
+       return result;
+}
 
-               sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS );
+/***************************************************************************
+ Make (and fill) a user_info struct from a SAM_ACCOUNT
+***************************************************************************/
+
+NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, 
+                             SAM_ACCOUNT *sampass)
+{
+       NTSTATUS status;
+       struct passwd *pwd;
+       gid_t *gids;
+       auth_serversupplied_info *result;
+
+       pwd = getpwnam_alloc(NULL, pdb_get_username(sampass));
+       if ( pwd == NULL )  {
+               DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
+                         pdb_get_username(sampass)));
+               return NT_STATUS_NO_SUCH_USER;
        }
-       
-       /* add the group SIDs to teh token */
-       
-       for (i = 0; i < n_groupSIDs; i++) {
-               size_t check_sid_idx;
-               for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) {
-                       if (sid_equal(&ptoken->user_sids[check_sid_idx], 
-                                     &groupSIDs[i])) {
-                               break;
-                       }
-               }
-               
-               if (check_sid_idx >= ptoken->num_sids) /* Not found already */ {
-                       sid_copy(&ptoken->user_sids[sid_ndx++], &groupSIDs[i]);
-               } else {
-                       ptoken->num_sids--;
-               }
-               
-               /* here we check if the user is a domain admin and add the
-                  BUILTIN\Administrators SID to the token the group membership
-                  check succeeds. */
 
-               if ( domain_mode ) {
-                       if ( sid_equal( &domadm, &groupSIDs[i] ) )
-                               is_domain_admin = True;
-               }
-               
+       result = make_server_info(NULL);
+       if (result == NULL) {
+               talloc_free(pwd);
+               return NT_STATUS_NO_MEMORY;
        }
 
-       /* finally realloc the SID array and add the BUILTIN\Administrators 
-          SID if necessary */
+       result->sam_account = sampass;
+       result->unix_name = talloc_strdup(result, pwd->pw_name);
+       result->gid = pwd->pw_gid;
+       result->uid = pwd->pw_uid;
+       
+       talloc_free(pwd);
 
-       if ( is_domain_admin ) {
-               DOM_SID *sids;
+       status = pdb_enum_group_memberships(result, sampass,
+                                           &result->sids, &gids,
+                                           &result->num_sids);
 
-               if ( !(sids = SMB_REALLOC_ARRAY( ptoken->user_sids, DOM_SID, ptoken->num_sids+1 )) ) 
-                       DEBUG(0,("create_nt_user_token: Failed to realloc SID arry of size %d\n", ptoken->num_sids+1));
-               else  {
-                       ptoken->user_sids = sids;
-                       sid_copy( &(ptoken->user_sids)[ptoken->num_sids++], &global_sid_Builtin_Administrators );
-               }
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
+                          nt_errstr(status)));
+               result->sam_account = NULL; /* Don't free on error exit. */
+               talloc_free(result);
+               return status;
        }
 
-       /* add privileges assigned to this user */
+       /* For now we throw away the gids and convert via sid_to_gid
+        * later. This needs fixing, but I'd like to get the code straight and
+        * simple first. */
+       talloc_free(gids);
 
-       get_privileges_for_sids( &ptoken->privileges, ptoken->user_sids, ptoken->num_sids );
-       
-       debug_nt_user_token(DBGC_AUTH, 10, ptoken);
-       
-       if ((lp_log_nt_token_command() != NULL) &&
-           (strlen(lp_log_nt_token_command()) > 0)) {
-               TALLOC_CTX *mem_ctx;
-               char *command;
-               char *group_sidstr;
-
-               mem_ctx = talloc_init("setnttoken");
-               if (mem_ctx == NULL)
-                       return NT_STATUS_NO_MEMORY;
+       DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
+                pdb_get_username(sampass), result->unix_name));
 
-               group_sidstr = talloc_strdup(mem_ctx, "");
-               for (i=1; i<ptoken->num_sids; i++) {
-                       group_sidstr = talloc_asprintf(
-                               mem_ctx, "%s %s", group_sidstr,
-                               sid_string_static(&ptoken->user_sids[i]));
-               }
+       *server_info = result;
 
-               command = talloc_string_sub(
-                       mem_ctx, lp_log_nt_token_command(),
-                       "%s", sid_string_static(&ptoken->user_sids[0]));
-               command = talloc_string_sub(
-                       mem_ctx, command, "%t", group_sidstr);
+       return NT_STATUS_OK;
+}
+
+/*
+ * Add alias SIDs from memberships within the partially created token SID list
+ */
 
-               if (command == NULL) {
-                       talloc_destroy(mem_ctx);
+static NTSTATUS add_aliases(TALLOC_CTX *tmp_ctx, const DOM_SID *domain_sid,
+                           struct nt_user_token *token)
+{
+       uint32 *aliases;
+       size_t i, num_aliases;
+       NTSTATUS status;
+
+       aliases = NULL;
+       num_aliases = 0;
+
+       status = pdb_enum_alias_memberships(tmp_ctx, domain_sid,
+                                           token->user_sids,
+                                           token->num_sids,
+                                           &aliases, &num_aliases);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n",
+                          nt_errstr(status)));
+               return status;
+       }
+
+       for (i=0; i<num_aliases; i++) {
+               DOM_SID alias_sid;
+               sid_compose(&alias_sid, domain_sid, aliases[i]);
+               add_sid_to_array_unique(token, &alias_sid,
+                                       &token->user_sids,
+                                       &token->num_sids);
+               if (token->user_sids == NULL) {
+                       DEBUG(0, ("add_sid_to_array failed\n"));
                        return NT_STATUS_NO_MEMORY;
                }
+       }
 
-               DEBUG(8, ("running command: [%s]\n", command));
-               if (smbrun(command, NULL) != 0) {
-                       DEBUG(0, ("Could not log NT token\n"));
-                       nt_status = NT_STATUS_ACCESS_DENIED;
-               }
-               talloc_destroy(mem_ctx);
+       return NT_STATUS_OK;
+}
+
+static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token)
+{
+       char *command;
+       char *group_sidstr;
+       size_t i;
+
+       if ((lp_log_nt_token_command() == NULL) ||
+           (strlen(lp_log_nt_token_command()) == 0)) {
+               return NT_STATUS_OK;
        }
 
-       *token = ptoken;
+       group_sidstr = talloc_strdup(tmp_ctx, "");
+       for (i=1; i<token->num_sids; i++) {
+               group_sidstr = talloc_asprintf(
+                       tmp_ctx, "%s %s", group_sidstr,
+                       sid_string_static(&token->user_sids[i]));
+       }
 
-       return nt_status;
-}
+       command = talloc_string_sub(
+               tmp_ctx, lp_log_nt_token_command(),
+               "%s", sid_string_static(&token->user_sids[0]));
+       command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr);
 
-/****************************************************************************
- Create the SID list for this user.
-****************************************************************************/
+       if (command == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       DEBUG(8, ("running command: [%s]\n", command));
+       if (smbrun(command, NULL) != 0) {
+               DEBUG(0, ("Could not log NT token\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       return NT_STATUS_OK;
+}
 
-NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest)
+/*
+ * Create a NT token for the user, expanding local aliases
+ */
+
+static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
+                                                  const DOM_SID *user_sid,
+                                                  const DOM_SID *group_sid,
+                                                  BOOL is_guest,
+                                                  int num_groupsids,
+                                                  const DOM_SID *groupsids)
 {
-       DOM_SID user_sid;
-       DOM_SID group_sid;
-       DOM_SID *group_sids;
-       NT_USER_TOKEN *token;
+       TALLOC_CTX *tmp_ctx;
+       struct nt_user_token *result = NULL;
        int i;
+       NTSTATUS status;
 
-       if (!NT_STATUS_IS_OK(uid_to_sid(&user_sid, uid))) {
+       tmp_ctx = talloc_new(mem_ctx);
+       if (tmp_ctx == NULL) {
+               DEBUG(0, ("talloc_new failed\n"));
                return NULL;
        }
-       if (!NT_STATUS_IS_OK(gid_to_sid(&group_sid, gid))) {
-               return NULL;
+
+       result = TALLOC_ZERO_P(tmp_ctx, NT_USER_TOKEN);
+       if (result == NULL) {
+               DEBUG(0, ("talloc failed\n"));
+               goto done;
        }
 
-       group_sids = SMB_MALLOC_ARRAY(DOM_SID, ngroups);
-       if (!group_sids) {
-               DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n"));
-               return NULL;
+       /* First create the default SIDs */
+
+       add_sid_to_array(result, user_sid,
+                        &result->user_sids, &result->num_sids);
+       add_sid_to_array(result, group_sid,
+                        &result->user_sids, &result->num_sids);
+       add_sid_to_array(result, &global_sid_World,
+                        &result->user_sids, &result->num_sids);
+       add_sid_to_array(result, &global_sid_Network,
+                        &result->user_sids, &result->num_sids);
+
+       if (is_guest) {
+               add_sid_to_array(result, &global_sid_Builtin_Guests,
+                                &result->user_sids, &result->num_sids);
+       } else {
+               add_sid_to_array(result, &global_sid_Authenticated_Users,
+                                &result->user_sids, &result->num_sids);
        }
 
-       /* convert the Unix group ids to SIDS */
+       /* Now the SIDs we got from authentication. These are the ones from
+        * the info3 struct or from the pdb_enum_group_memberships, depending
+        * on who authenticated the user. */
 
-       for (i = 0; i < ngroups; i++) {
-               if (!NT_STATUS_IS_OK(gid_to_sid(&(group_sids)[i], (groups)[i]))) {
-                       DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i]));
-                       SAFE_FREE(group_sids);
-                       return NULL;
-               }
+       for (i=0; i<num_groupsids; i++) {
+               add_sid_to_array_unique(result, &groupsids[i],
+                                       &result->user_sids, &result->num_sids);
        }
 
-       if (!NT_STATUS_IS_OK(create_nt_user_token(&user_sid, &group_sid, 
-                                                 ngroups, group_sids, is_guest, &token))) {
-               SAFE_FREE(group_sids);
-               return NULL;
+       if (lp_winbind_nested_groups()) {
+
+               /* Now add the aliases. First the one from our local SAM */
+
+               status = add_aliases(tmp_ctx, get_global_sam_sid(), result);
+
+               if (!NT_STATUS_IS_OK(status)) {
+                       result = NULL;
+                       goto done;
+               }
+
+               /* Finally the builtin ones */
+
+               status = add_aliases(tmp_ctx, &global_sid_Builtin, result);
+
+               if (!NT_STATUS_IS_OK(status)) {
+                       result = NULL;
+                       goto done;
+               }
+       } else {
+
+               /* Play jerry's trick to auto-add local admins if we're a
+                * domain admin. */
+
+               DOM_SID dom_admins;
+               BOOL domain_mode = False;
+
+               if (IS_DC) {
+                       sid_compose(&dom_admins, get_global_sam_sid(),
+                                   DOMAIN_GROUP_RID_ADMINS);
+                       domain_mode = True;
+               }
+               if ((lp_server_role() == ROLE_DOMAIN_MEMBER) &&
+                   (secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))) {
+                       sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS);
+                       domain_mode = True;
+               }
+
+               if (domain_mode) {
+                       for (i=0; i<result->num_sids; i++) {
+                               if (sid_equal(&dom_admins,
+                                             &result->user_sids[i])) {
+                                       add_sid_to_array_unique(
+                                               result,
+                                               &global_sid_Builtin_Administrators,
+                                               &result->user_sids,
+                                               &result->num_sids);
+                                       break;
+                               }
+                       }
+                       
+               }
        }
 
-       SAFE_FREE(group_sids);
+       get_privileges_for_sids(&result->privileges, result->user_sids,
+                               result->num_sids);
 
-       return token;
+       talloc_steal(mem_ctx, result);
+
+ done:
+       talloc_free(tmp_ctx);
+       return result;
 }
 
-/******************************************************************************
- Create a token for the root user to be used internally by smbd.
- This is similar to running under the context of the LOCAL_SYSTEM account
- in Windows.  This is a read-only token.  Do not modify it or free() it.
- Create a copy if your need to change it.
-******************************************************************************/
+/*
+ * Create the token to use from server_info->sam_account and
+ * server_info->sids (the info3/sam groups). Find the unix gids.
+ */
 
-NT_USER_TOKEN *get_root_nt_token( void )
+NTSTATUS create_local_token(auth_serversupplied_info *server_info)
 {
-       static NT_USER_TOKEN *token = NULL;
-       DOM_SID u_sid, g_sid;
-       DOM_SID g_sids[1];
-       struct passwd *pw;
-       NTSTATUS result;
+       TALLOC_CTX *mem_ctx;
+       NTSTATUS status;
+       size_t i;
        
-       if ( token )
-               return token;
-               
-       if ( !(pw = getpwnam( "root" )) ) {
-               DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
-               return NULL;
+
+       mem_ctx = talloc_new(NULL);
+       if (mem_ctx == NULL) {
+               DEBUG(0, ("talloc_new failed\n"));
+               return NT_STATUS_NO_MEMORY;
        }
+
+       server_info->ptok = create_local_nt_token(
+               server_info,
+               pdb_get_user_sid(server_info->sam_account),
+               pdb_get_group_sid(server_info->sam_account),
+               server_info->guest,
+               server_info->num_sids, server_info->sids);
        
-       /* get the user and primary group SIDs; although the 
-          BUILTIN\Administrators SId is really the one that matters here */
-          
-       if ( !NT_STATUS_IS_OK(uid_to_sid(&u_sid, pw->pw_uid)) )
-               return NULL;
-       if ( !NT_STATUS_IS_OK(gid_to_sid(&g_sid, pw->pw_gid)) )
-               return NULL;
-               
-       sid_copy( &g_sids[0], &global_sid_Builtin_Administrators );
-       
-       result = create_nt_user_token( &u_sid, &g_sid, 1, g_sids, False, &token);
+       /* Convert the SIDs to gids. */
+
+       server_info->n_groups = 0;
+       server_info->groups = NULL;
+
+       /* Start at index 1, where the groups start. */
+
+       for (i=1; i<server_info->ptok->num_sids; i++) {
+               gid_t gid;
+               DOM_SID *sid = &server_info->ptok->user_sids[i];
+
+               if (!sid_to_gid(sid, &gid)) {
+                       DEBUG(10, ("Could not convert SID %s to gid, "
+                                  "ignoring it\n", sid_string_static(sid)));
+                       continue;
+               }
+               add_gid_to_array_unique(server_info, gid, &server_info->groups,
+                                       &server_info->n_groups);
+       }
        
-       return NT_STATUS_IS_OK(result) ? token : NULL;
+       debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
+
+       status = log_nt_token(mem_ctx, server_info->ptok);
+
+       talloc_free(mem_ctx);
+       return status;
 }
 
-/******************************************************************************
- * this function returns the groups (SIDs) of the local SAM the user is in.
- * If this samba server is a DC of the domain the user belongs to, it returns 
- * both domain groups and local / builtin groups. If the user is in a trusted
- * domain, or samba is a member server of a domain, then this function returns
- * local and builtin groups the user is a member of.
+/*
+ * Create an artificial NT token given just a username. (Initially indended
+ * for force user)
  *
- * currently this is a hack, as there is no sam implementation that is capable
- * of groups.
+ * We go through lookup_name() to avoid problems we had with 'winbind use
+ * default domain'.
  *
- * NOTE!! This function will fail if you pass in a winbind user without 
- * the domain   --jerry
- ******************************************************************************/
-
-static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid,
-                                size_t *n_groups, DOM_SID **groups, gid_t **unix_groups)
+ * We have 3 cases:
+ *
+ * unmapped unix users: Go directly to nss to find the user's group.
+ *
+ * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
+ *
+ * If the user is provided by winbind, the primary gid is set to "domain
+ * users" of the user's domain. For an explanation why this is necessary, see
+ * the thread starting at
+ * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
+ */
+
+NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
+                                   BOOL is_guest,
+                                   uid_t *uid, gid_t *gid,
+                                   char **found_username,
+                                   struct nt_user_token **token)
 {
-       int             n_unix_groups;
-       int             i;
+       NTSTATUS result = NT_STATUS_NO_SUCH_USER;
+       TALLOC_CTX *tmp_ctx;
+       DOM_SID user_sid;
+       enum SID_NAME_USE type;
+       gid_t *gids;
+       DOM_SID primary_group_sid;
+       DOM_SID *group_sids;
+       size_t num_group_sids;
 
-       *n_groups = 0;
-       *groups   = NULL;
+       tmp_ctx = talloc_new(NULL);
+       if (tmp_ctx == NULL) {
+               DEBUG(0, ("talloc_new failed\n"));
+               return NT_STATUS_NO_MEMORY;
+       }
 
-       if (strchr(username, *lp_winbind_separator()) == NULL) {
-               NTSTATUS result;
+       if (!lookup_name(tmp_ctx, username, LOOKUP_NAME_ALL,
+                        NULL, NULL, &user_sid, &type)) {
+               DEBUG(1, ("lookup_name for %s failed\n", username));
+               goto done;
+       }
 
-               become_root();
-               result = pdb_enum_group_memberships(username, gid, groups,
-                                                   unix_groups, n_groups);
-               unbecome_root();
-               return result;
+       if (type != SID_NAME_USER) {
+               DEBUG(1, ("%s is a %s, not a user\n", username,
+                         sid_type_lookup(type)));
+               goto done;
        }
 
-       /* We have the separator, this must be winbind */
-       
-       n_unix_groups = winbind_getgroups( username, unix_groups );
+       if (!sid_to_uid(&user_sid, uid)) {
+               DEBUG(1, ("sid_to_uid for %s (%s) failed\n",
+                         username, sid_string_static(&user_sid)));
+               goto done;
+       }
 
-       DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n",
-                 username,  n_unix_groups == -1 ? "FAIL" : "SUCCESS"));
-                         
-       if ( n_unix_groups == -1 )
-               return NT_STATUS_NO_SUCH_USER; /* what should this return
-                                               * value be? */  
+       if (sid_check_is_in_unix_users(&user_sid)) {
 
-       debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups);
-       
-       /* now setup the space for storing the SIDS */
-       
-       if (n_unix_groups > 0) {
-       
-               *groups   = SMB_MALLOC_ARRAY(DOM_SID, n_unix_groups);
-               
-               if (!*groups) {
-                       DEBUG(0, ("get_user_group: malloc() failed for DOM_SID list!\n"));
-                       SAFE_FREE(*unix_groups);
-                       return NT_STATUS_NO_MEMORY;
+               /* This is a unix user not in passdb. We need to ask nss
+                * directly, without consulting passdb */
+
+               struct passwd *pass;
+               size_t i;
+
+               pass = getpwuid_alloc(tmp_ctx, *uid);
+               if (pass == NULL) {
+                       DEBUG(1, ("getpwuid(%d) for user %s failed\n",
+                                 *uid, username));
+                       goto done;
                }
-       }
 
-       *n_groups = n_unix_groups;
+               *gid = pass->pw_gid;
+               gid_to_sid(&primary_group_sid, pass->pw_gid);
 
-       for (i = 0; i < *n_groups; i++) {
-               if (!NT_STATUS_IS_OK(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) {
-                       DEBUG(1, ("get_user_groups: failed to convert gid %ld to a sid!\n", 
-                               (long int)(*unix_groups)[i+1]));
-                       SAFE_FREE(*groups);
-                       SAFE_FREE(*unix_groups);
-                       return NT_STATUS_NO_SUCH_USER;
+               if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
+                                        &gids, &num_group_sids)) {
+                       DEBUG(1, ("getgroups_unix_user for user %s failed\n",
+                                 username));
+                       goto done;
                }
-       }
-                    
-       return NT_STATUS_OK;
-}
 
-/***************************************************************************
- Make a user_info struct
-***************************************************************************/
+               group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids);
+               if (group_sids == NULL) {
+                       DEBUG(1, ("talloc_array failed\n"));
+                       result = NT_STATUS_NO_MEMORY;
+                       goto done;
+               }
 
-static NTSTATUS make_server_info(auth_serversupplied_info **server_info)
-{
-       *server_info = SMB_MALLOC_P(auth_serversupplied_info);
-       if (!*server_info) {
-               DEBUG(0,("make_server_info: malloc failed!\n"));
-               return NT_STATUS_NO_MEMORY;
-       }
-       ZERO_STRUCTP(*server_info);
+               for (i=0; i<num_group_sids; i++) {
+                       gid_to_sid(&group_sids[i], gids[i]);
+               }
+               *found_username = talloc_strdup(mem_ctx, pass->pw_name);
 
-       /* Initialise the uid and gid values to something non-zero
-          which may save us from giving away root access if there
-          is a bug in allocating these fields. */
+       } else if (sid_check_is_in_our_domain(&user_sid)) {
 
-       (*server_info)->uid = -1;
-       (*server_info)->gid = -1;
+               /* This is a passdb user, so ask passdb */
 
-       return NT_STATUS_OK;
-}
+               SAM_ACCOUNT *sam_acct = NULL;
 
-/***************************************************************************
-Fill a server_info struct from a SAM_ACCOUNT with their groups
-***************************************************************************/
+               result = pdb_init_sam_talloc(tmp_ctx, &sam_acct);
+               if (!NT_STATUS_IS_OK(result)) {
+                       goto done;
+               }
 
-static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, 
-                               const char * unix_username,
-                               SAM_ACCOUNT *sampass,
-                               uid_t uid, gid_t gid)
-{
-       NTSTATUS nt_status;
-       const DOM_SID *user_sid = pdb_get_user_sid(sampass);
-       const DOM_SID *group_sid = pdb_get_group_sid(sampass);
-       size_t       n_groupSIDs = 0;
-       DOM_SID  *groupSIDs   = NULL;
-       gid_t    *unix_groups = NULL;
-       NT_USER_TOKEN *token;
-       BOOL is_guest;
-       uint32 rid;
+               if (!pdb_getsampwsid(sam_acct, &user_sid)) {
+                       DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n",
+                                 sid_string_static(&user_sid), username));
+                       result = NT_STATUS_NO_SUCH_USER;
+                       goto done;
+               }
 
-       nt_status = get_user_groups(unix_username, uid, gid, 
-               &n_groupSIDs, &groupSIDs, &unix_groups);
-               
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               DEBUG(4,("get_user_groups_from_local_sam failed\n"));
-               free_server_info(server_info);
-               return nt_status;
-       }
-       
-       is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST);
+               sid_copy(&primary_group_sid, pdb_get_group_sid(sam_acct));
 
-       if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid,
-                                                             n_groupSIDs, groupSIDs, is_guest, 
-                                                             &token)))
-       {
-               DEBUG(4,("create_nt_user_token failed\n"));
-               SAFE_FREE(groupSIDs);
-               SAFE_FREE(unix_groups);
-               free_server_info(server_info);
-               return nt_status;
-       }
-       
-       SAFE_FREE(groupSIDs);
+               result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
+                                                   &group_sids, &gids,
+                                                   &num_group_sids);
+               if (!NT_STATUS_IS_OK(result)) {
+                       DEBUG(10, ("enum_group_memberships failed for %s\n",
+                                  username));
+                       goto done;
+               }
 
-       (*server_info)->n_groups = n_groupSIDs;
-       (*server_info)->groups = unix_groups;
-       (*server_info)->ptok = token;
+               *found_username = talloc_strdup(mem_ctx,
+                                               pdb_get_username(sam_acct));
 
-       return nt_status;
-}
+       } else {
 
-/***************************************************************************
- Make (and fill) a user_info struct from a SAM_ACCOUNT
-***************************************************************************/
+               /* This user is from winbind, force the primary gid to the
+                * user's "domain users" group. Under certain circumstances
+                * (user comes from NT4), this might be a loss of
+                * information. But we can not rely on winbind getting the
+                * correct info. AD might prohibit winbind looking up that
+                * information. */
 
-NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, 
-                             SAM_ACCOUNT *sampass)
-{
-       NTSTATUS nt_status;
-       struct passwd *pwd;
+               uint32 dummy;
 
-       if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info)))
-               return nt_status;
+               sid_copy(&primary_group_sid, &user_sid);
+               sid_split_rid(&primary_group_sid, &dummy);
+               sid_append_rid(&primary_group_sid, DOMAIN_GROUP_RID_USERS);
 
-       (*server_info)->sam_account    = sampass;
+               if (!sid_to_gid(&primary_group_sid, gid)) {
+                       DEBUG(1, ("sid_to_gid(%s) failed\n",
+                                 sid_string_static(&primary_group_sid)));
+                       goto done;
+               }
 
-       if ( !(pwd = getpwnam_alloc(pdb_get_username(sampass))) )  {
-               DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
-                         pdb_get_username(sampass)));
-               free_server_info(server_info);
-               return NT_STATUS_NO_SUCH_USER;
-       }
-       (*server_info)->unix_name = smb_xstrdup(pwd->pw_name);
-       (*server_info)->gid = pwd->pw_gid;
-       (*server_info)->uid = pwd->pw_uid;
-       
-       passwd_free(&pwd);
+               num_group_sids = 0;
+               group_sids = NULL;
 
-       if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, pdb_get_username(sampass), 
-                                                        sampass,
-                                                        (*server_info)->uid, 
-                                                        (*server_info)->gid))) 
-       {
-               free_server_info(server_info);
-               return nt_status;
+               *found_username = talloc_strdup(mem_ctx, username);
        }
 
-       (*server_info)->sam_fill_level = SAM_FILL_ALL;
-       DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
-                pdb_get_username(sampass),
-                (*server_info)->unix_name));
+       *token = create_local_nt_token(mem_ctx, &user_sid, &primary_group_sid,
+                                      is_guest, num_group_sids, group_sids);
 
-       return nt_status;
+       if ((*token == NULL) || (*found_username == NULL)) {
+               result = NT_STATUS_NO_MEMORY;
+               goto done;
+       }
+
+       result = NT_STATUS_OK;
+ done:
+       talloc_free(tmp_ctx);
+       return result;
 }
 
 /***************************************************************************
- Make (and fill) a user_info struct from a Kerberos PAC logon_info by conversion 
- to a SAM_ACCOUNT
+ Make (and fill) a user_info struct from a Kerberos PAC logon_info by
conversion to a SAM_ACCOUNT
 ***************************************************************************/
 
 NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, 
@@ -913,16 +1030,22 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info,
                              struct passwd *pwd,
                              PAC_LOGON_INFO *logon_info)
 {
-       NTSTATUS nt_status;
+       NTSTATUS status;
        SAM_ACCOUNT *sampass = NULL;
        DOM_SID user_sid, group_sid;
        fstring dom_name;
+       auth_serversupplied_info *result;
 
-       if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) {             
-               return nt_status;
+       status = pdb_init_sam_pw(&sampass, pwd);
+
+       if (!NT_STATUS_IS_OK(status)) {         
+               return status;
        }
-       if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) {
-               return nt_status;
+
+       result = make_server_info(NULL);
+       if (result == NULL) {
+               pdb_free_sam(&sampass);
+               return NT_STATUS_NO_MEMORY;
        }
 
        /* only copy user_sid, group_sid and domain name out of the PAC for
@@ -941,20 +1064,18 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info,
 
        pdb_set_logon_count(sampass, logon_info->info3.logon_count, PDB_SET);
 
-       (*server_info)->sam_account    = sampass;
+       result->sam_account = sampass;
+       result->unix_name = talloc_strdup(result, unix_username);
+       result->uid = pwd->pw_uid;
+       result->gid = pwd->pw_gid;
 
-       if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, unix_username,
-               sampass, pwd->pw_uid, pwd->pw_gid))) 
-       {
-               return nt_status;
-       }
+       /* TODO: Add groups from pac */
+       result->sids = NULL;
+       result->num_sids = 0;
 
-       (*server_info)->unix_name = smb_xstrdup(unix_username);
+       *server_info = result;
 
-       (*server_info)->sam_fill_level = SAM_FILL_ALL;
-       (*server_info)->uid = pwd->pw_uid;
-       (*server_info)->gid = pwd->pw_gid;
-       return nt_status;
+       return NT_STATUS_OK;
 }
 
 
@@ -967,93 +1088,172 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
                              char *unix_username,
                             struct passwd *pwd)
 {
-       NTSTATUS nt_status;
+       NTSTATUS status;
        SAM_ACCOUNT *sampass = NULL;
-       if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) {             
-               return nt_status;
+       gid_t *gids;
+       auth_serversupplied_info *result;
+       
+       status = pdb_init_sam_pw(&sampass, pwd);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
        }
-       if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) {
-               return nt_status;
+
+       result = make_server_info(NULL);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               pdb_free_sam(&sampass);
+               return status;
        }
 
-       (*server_info)->sam_account    = sampass;
+       result->sam_account = sampass;
+       result->unix_name = talloc_strdup(result, unix_username);
+       result->uid = pwd->pw_uid;
+       result->gid = pwd->pw_gid;
 
-       if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, unix_username,
-               sampass, pwd->pw_uid, pwd->pw_gid))) 
-       {
-               return nt_status;
+       status = pdb_enum_group_memberships(result, sampass,
+                                           &result->sids, &gids,
+                                           &result->num_sids);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
+                          nt_errstr(status)));
+               talloc_free(result);
+               return status;
        }
 
-       (*server_info)->unix_name = smb_xstrdup(unix_username);
+       /* For now we throw away the gids and convert via sid_to_gid
+        * later. This needs fixing, but I'd like to get the code straight and
+        * simple first. */
+       talloc_free(gids);
 
-       (*server_info)->sam_fill_level = SAM_FILL_ALL;
-       (*server_info)->uid = pwd->pw_uid;
-       (*server_info)->gid = pwd->pw_gid;
-       return nt_status;
+       *server_info = result;
+
+       return NT_STATUS_OK;
 }
 
 /***************************************************************************
  Make (and fill) a user_info struct for a guest login.
+ This *must* succeed for smbd to start. If there is no mapping entry for
+ the guest gid, then create one.
 ***************************************************************************/
 
 static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info)
 {
-       NTSTATUS nt_status;
+       NTSTATUS status;
        SAM_ACCOUNT *sampass = NULL;
        DOM_SID guest_sid;
+       BOOL ret;
+       static const char zeros[16];
 
-       if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) {
-               return nt_status;
+       status = pdb_init_sam(&sampass);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
        }
 
        sid_copy(&guest_sid, get_global_sam_sid());
        sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST);
 
        become_root();
-       if (!pdb_getsampwsid(sampass, &guest_sid)) {
-               unbecome_root();
+       ret = pdb_getsampwsid(sampass, &guest_sid);
+       unbecome_root();
+
+       if (!ret) {
+               pdb_free_sam(&sampass);
                return NT_STATUS_NO_SUCH_USER;
        }
-       unbecome_root();
 
-       nt_status = make_server_info_sam(server_info, sampass);
+       status = make_server_info_sam(server_info, sampass);
 
-       if (NT_STATUS_IS_OK(nt_status)) {
-               static const char zeros[16];
-               (*server_info)->guest = True;
-               
-               /* annoying, but the Guest really does have a session key, 
-                  and it is all zeros! */
-               (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
-               (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
+       if (!NT_STATUS_IS_OK(status)) {
+
+               /* If there was no initial group mapping for the nobody user,
+                  create one*/
+
+               if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+                       GROUP_MAP map;
+                       struct passwd *pwd = getpwnam_alloc(NULL, pdb_get_username(sampass));
+
+                       if ( pwd == NULL )  {
+                               DEBUG(1, ("No guest user %s!\n",
+                                         pdb_get_username(sampass)));
+                               pdb_free_sam(&sampass);
+                               return NT_STATUS_NO_SUCH_USER;
+                       }
+
+                       map.gid = pwd->pw_gid;
+                       sid_copy(&map.sid, get_global_sam_sid());
+                       sid_append_rid(&map.sid, DOMAIN_GROUP_RID_GUESTS);
+                       map.sid_name_use = SID_NAME_DOM_GRP;
+                       fstrcpy(map.nt_name, "Domain Guests");
+                       map.comment[0] = '\0';
+
+                       if ( !NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map)) ) {
+                               DEBUG(1, ("Could not update group database for guest user %s\n",
+                                       pdb_get_username(sampass) ));
+                               talloc_free(pwd);
+                               pdb_free_sam(&sampass);
+                               return NT_STATUS_NO_SUCH_USER;
+                       }
+
+                       talloc_free(pwd);
+
+                       /* And try again. */
+                       status = make_server_info_sam(server_info, sampass);
+               }
+
+               if (!NT_STATUS_IS_OK(status)) {
+                       pdb_free_sam(&sampass);
+                       return status;
+               }
        }
+       
+       (*server_info)->guest = True;
 
-       return nt_status;
+       status = create_local_token(*server_info);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(10, ("create_local_token failed: %s\n",
+                          nt_errstr(status)));
+               return status;
+       }
+
+       /* annoying, but the Guest really does have a session key, and it is
+          all zeros! */
+       (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
+       (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
+
+       return NT_STATUS_OK;
 }
 
 static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src)
 {
        auth_serversupplied_info *dst;
 
-       if (!NT_STATUS_IS_OK(make_server_info(&dst)))
+       dst = make_server_info(NULL);
+       if (dst == NULL) {
                return NULL;
+       }
 
        dst->guest = src->guest;
        dst->uid = src->uid;
        dst->gid = src->gid;
        dst->n_groups = src->n_groups;
        if (src->n_groups != 0)
-               dst->groups = memdup(src->groups, sizeof(gid_t)*dst->n_groups);
+               dst->groups = talloc_memdup(dst, src->groups,
+                                           sizeof(gid_t)*dst->n_groups);
        else
                dst->groups = NULL;
-       dst->ptok = dup_nt_token(src->ptok);
-       dst->user_session_key = data_blob(src->user_session_key.data,
-                                         src->user_session_key.length);
-       dst->lm_session_key = data_blob(src->lm_session_key.data,
-                                         src->lm_session_key.length);
+       dst->ptok = dup_nt_token(dst, src->ptok);
+       dst->user_session_key = data_blob_talloc(
+               dst, src->user_session_key.data,
+               src->user_session_key.length);
+       dst->lm_session_key = data_blob_talloc(
+               dst, src->lm_session_key.data,
+               src->lm_session_key.length);
        pdb_copy_sam_account(src->sam_account, &dst->sam_account);
        dst->pam_handle = NULL;
-       dst->unix_name = smb_xstrdup(src->unix_name);
+       dst->unix_name = talloc_strdup(dst, src->unix_name);
 
        return dst;
 }
@@ -1103,7 +1303,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
 
        map_username( dom_user );
 
-       if ( !(passwd = smb_getpwnam( dom_user, real_username, True )) )
+       if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
                return NT_STATUS_NO_SUCH_USER;
 
        *uid = passwd->pw_uid;
@@ -1121,7 +1321,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
                *found_username));
 
        nt_status = pdb_init_sam_pw(sam_account, passwd);
-       passwd_free(&passwd);
+       talloc_free(passwd);
        return nt_status;
 }
 
@@ -1131,7 +1331,8 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
  the username if we fallback to the username only.
  ****************************************************************************/
  
-struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create )
+struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
+                            fstring save_username, BOOL create )
 {
        struct passwd *pw = NULL;
        char *p;
@@ -1154,7 +1355,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create )
        if ( p ) {
                fstring strip_username;
 
-               pw = Get_Pwnam_alloc( domuser );
+               pw = Get_Pwnam_alloc( mem_ctx, domuser );
                if ( pw ) {     
                        /* make sure we get the case of the username correct */
                        /* work around 'winbind use default domain = yes' */
@@ -1185,7 +1386,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create )
        
        /* just lookup a plain username */
        
-       pw = Get_Pwnam_alloc(username);
+       pw = Get_Pwnam_alloc(mem_ctx, username);
                
        /* Create local user if requested. */
        
@@ -1195,7 +1396,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create )
                        return NULL;
 
                smb_create_user(NULL, username, NULL);
-               pw = Get_Pwnam_alloc(username);
+               pw = Get_Pwnam_alloc(mem_ctx, username);
        }
        
        /* one last check for a valid passwd struct */
@@ -1231,15 +1432,10 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
        uid_t uid;
        gid_t gid;
 
-       size_t n_lgroupSIDs;
-       DOM_SID *lgroupSIDs   = NULL;
-
-       gid_t *unix_groups = NULL;
-       NT_USER_TOKEN *token;
-
-       DOM_SID *all_group_SIDs;
        size_t i;
 
+       auth_serversupplied_info *result;
+
        /* 
           Here is where we should check the list of
           trusted domains, and verify that the SID 
@@ -1257,12 +1453,14 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
        }
 
        if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) {
-               /* If the server didn't give us one, just use the one we sent them */
+               /* If the server didn't give us one, just use the one we sent
+                * them */
                nt_username = sent_nt_username;
        }
 
        if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) {
-               /* If the server didn't give us one, just use the one we sent them */
+               /* If the server didn't give us one, just use the one we sent
+                * them */
                nt_domain = domain;
        }
        
@@ -1271,21 +1469,25 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 
           We use the _unmapped_ username here in an attempt to provide
           consistent username mapping behavior between kerberos and NTLM[SSP]
-          authentication in domain mode security.  I.E. Username mapping should
-          be applied to the fully qualified username (e.g. DOMAIN\user) and
-          no just the login name.  Yes this mean swe called map_username()
-          unnecessarily in make_user_info_map() but that is how the current
-          code is designed.  Making the change here is the least disruptive 
-          place.    -- jerry */
+          authentication in domain mode security.  I.E. Username mapping
+          should be applied to the fully qualified username
+          (e.g. DOMAIN\user) and not just the login name.  Yes this means we
+          called map_username() unnecessarily in make_user_info_map() but
+          that is how the current code is designed.  Making the change here
+          is the least disruptive place.  -- jerry */
           
        nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
-               &found_username, &uid, &gid, &sam_account);
+                                    &found_username, &uid, &gid,
+                                    &sam_account);
 
        if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
-               DEBUG(3,("User %s does not exist, trying to add it\n", internal_username));
+               DEBUG(3,("User %s does not exist, trying to add it\n",
+                        internal_username));
                smb_create_user( nt_domain, sent_nt_username, NULL);
-               nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username, 
-                       &found_username, &uid, &gid, &sam_account );
+               nt_status = fill_sam_account( mem_ctx, nt_domain,
+                                             sent_nt_username, 
+                                             &found_username, &uid, &gid,
+                                             &sam_account );
        }
        
        /* if we still don't have a valid unix account check for 
@@ -1326,96 +1528,77 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
                return NT_STATUS_UNSUCCESSFUL;
        }
                
-       if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), 
+       if (!pdb_set_fullname(sam_account,
+                             unistr2_static(&(info3->uni_full_name)), 
                              PDB_CHANGED)) {
                pdb_free_sam(&sam_account);
                return NT_STATUS_NO_MEMORY;
        }
 
-       if (!pdb_set_logon_script(sam_account, unistr2_static(&(info3->uni_logon_script)), PDB_CHANGED)) {
+       if (!pdb_set_logon_script(sam_account,
+                                 unistr2_static(&(info3->uni_logon_script)),
+                                 PDB_CHANGED)) {
                pdb_free_sam(&sam_account);
                return NT_STATUS_NO_MEMORY;
        }
 
-       if (!pdb_set_profile_path(sam_account, unistr2_static(&(info3->uni_profile_path)), PDB_CHANGED)) {
+       if (!pdb_set_profile_path(sam_account,
+                                 unistr2_static(&(info3->uni_profile_path)),
+                                 PDB_CHANGED)) {
                pdb_free_sam(&sam_account);
                return NT_STATUS_NO_MEMORY;
        }
 
-       if (!pdb_set_homedir(sam_account, unistr2_static(&(info3->uni_home_dir)), PDB_CHANGED)) {
+       if (!pdb_set_homedir(sam_account,
+                            unistr2_static(&(info3->uni_home_dir)),
+                            PDB_CHANGED)) {
                pdb_free_sam(&sam_account);
                return NT_STATUS_NO_MEMORY;
        }
 
-       if (!pdb_set_dir_drive(sam_account, unistr2_static(&(info3->uni_dir_drive)), PDB_CHANGED)) {
+       if (!pdb_set_dir_drive(sam_account,
+                              unistr2_static(&(info3->uni_dir_drive)),
+                              PDB_CHANGED)) {
                pdb_free_sam(&sam_account);
                return NT_STATUS_NO_MEMORY;
        }
 
-       if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) {
+       result = make_server_info(NULL);
+       if (result == NULL) {
                DEBUG(4, ("make_server_info failed!\n"));
                pdb_free_sam(&sam_account);
-               return nt_status;
+               return NT_STATUS_NO_MEMORY;
        }
 
        /* save this here to _net_sam_logon() doesn't fail (it assumes a 
           valid SAM_ACCOUNT) */
                   
-       (*server_info)->sam_account = sam_account;
-
-       (*server_info)->unix_name = smb_xstrdup(found_username);
+       result->sam_account = sam_account;
+       result->unix_name = talloc_strdup(result, found_username);
 
        /* Fill in the unix info we found on the way */
 
-       (*server_info)->sam_fill_level = SAM_FILL_ALL;
-       (*server_info)->uid = uid;
-       (*server_info)->gid = gid;
-
-       /* Store the user group information in the server_info 
-          returned to the caller. */
-       
-       nt_status = get_user_groups((*server_info)->unix_name,
-               uid, gid, &n_lgroupSIDs, &lgroupSIDs, &unix_groups);
-               
-       if ( !NT_STATUS_IS_OK(nt_status) ) {
-               DEBUG(4,("get_user_groups failed\n"));
-               return nt_status;
-       }
+       result->uid = uid;
+       result->gid = gid;
 
-       (*server_info)->groups = unix_groups;
-       (*server_info)->n_groups = n_lgroupSIDs;
-       
        /* Create a 'combined' list of all SIDs we might want in the SD */
-       
-       all_group_SIDs = SMB_MALLOC_ARRAY(DOM_SID,info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs);
-       
-       if (!all_group_SIDs) {
-               DEBUG(0, ("malloc() failed for DOM_SID list!\n"));
-               SAFE_FREE(lgroupSIDs);
-               free_server_info(server_info);
-               return NT_STATUS_NO_MEMORY;
-       }
+
+       result->num_sids = 0;
+       result->sids = NULL;
 
        /* and create (by appending rids) the 'domain' sids */
        
        for (i = 0; i < info3->num_groups2; i++) {
-       
-               sid_copy(&all_group_SIDs[i], &(info3->dom_sid.sid));
-               
-               if (!sid_append_rid(&all_group_SIDs[i], info3->gids[i].g_rid)) {
-               
-                       nt_status = NT_STATUS_INVALID_PARAMETER;
-                       
-                       DEBUG(3,("could not append additional group rid 0x%x\n",
-                               info3->gids[i].g_rid));                 
-                               
-                       SAFE_FREE(lgroupSIDs);
-                       SAFE_FREE(all_group_SIDs);
-                       free_server_info(server_info);
-                       
-                       return nt_status;
-                       
+               DOM_SID sid;
+               if (!sid_compose(&sid, &info3->dom_sid.sid,
+                                info3->gids[i].g_rid)) {
+                       DEBUG(3,("could not append additional group rid "
+                                "0x%x\n", info3->gids[i].g_rid));
+                       talloc_free(result);
+                       return NT_STATUS_INVALID_PARAMETER;
                }
+               add_sid_to_array(result, &sid, &result->sids,
+                                &result->num_sids);
        }
 
        /* Copy 'other' sids.  We need to do sid filtering here to
@@ -1425,56 +1608,33 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
          */
 
        for (i = 0; i < info3->num_other_sids; i++) {
-               sid_copy(&all_group_SIDs[info3->num_groups2 + i],
-                        &info3->other_sids[i].sid);
-       }
-
-
-       /* add local alias sids */ 
-
-       for (i = 0; i < n_lgroupSIDs; i++) {
-               sid_copy(&all_group_SIDs[info3->num_groups2 +
-                                        info3->num_other_sids + i],
-                        &lgroupSIDs[i]);
-       }
-       
-       /* Where are the 'global' sids... */
-
-       /* can the user be guest? if yes, where is it stored? */
-       
-       nt_status = create_nt_user_token(&user_sid, &group_sid,
-               info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs,
-               all_group_SIDs, False, &token);
-               
-       if ( !NT_STATUS_IS_OK(nt_status) ) {
-               DEBUG(4,("create_nt_user_token failed\n"));
-               SAFE_FREE(lgroupSIDs);
-               SAFE_FREE(all_group_SIDs);
-               free_server_info(server_info);
-               return nt_status;
+               add_sid_to_array(result, &info3->other_sids[i].sid,
+                                &result->sids,
+                                &result->num_sids);
        }
 
-       (*server_info)->login_server = unistr2_tdup(mem_ctx, 
-                                                   &(info3->uni_logon_srv));
-
-       (*server_info)->ptok = token; 
-
-       SAFE_FREE(lgroupSIDs);
-       SAFE_FREE(all_group_SIDs);
+       result->login_server = unistr2_tdup(result, 
+                                           &(info3->uni_logon_srv));
 
        /* ensure we are never given NULL session keys */
        
        if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) {
-               (*server_info)->user_session_key = data_blob(NULL, 0);
+               result->user_session_key = data_blob(NULL, 0);
        } else {
-               (*server_info)->user_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key));
+               result->user_session_key = data_blob_talloc(
+                       result, info3->user_sess_key,
+                       sizeof(info3->user_sess_key));
        }
 
        if (memcmp(info3->lm_sess_key, zeros, 8) == 0) {
-               (*server_info)->lm_session_key = data_blob(NULL, 0);
+               result->lm_session_key = data_blob(NULL, 0);
        } else {
-               (*server_info)->lm_session_key = data_blob(info3->lm_sess_key, sizeof(info3->lm_sess_key));
-       } 
+               result->lm_session_key = data_blob_talloc(
+                       result, info3->lm_sess_key,
+                       sizeof(info3->lm_sess_key));
+       }
+
+       *server_info = result;
 
        return NT_STATUS_OK;
 }
@@ -1487,14 +1647,15 @@ void free_user_info(auth_usersupplied_info **user_info)
 {
        DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
        if (*user_info != NULL) {
-               if ((*user_info)->smb_name.str) {
-                       DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str));
+               if ((*user_info)->smb_name) {
+                       DEBUG(10,("structure was created for %s\n",
+                                 (*user_info)->smb_name));
                }
-               SAFE_FREE((*user_info)->smb_name.str);
-               SAFE_FREE((*user_info)->internal_username.str);
-               SAFE_FREE((*user_info)->client_domain.str);
-               SAFE_FREE((*user_info)->domain.str);
-               SAFE_FREE((*user_info)->wksta_name.str);
+               SAFE_FREE((*user_info)->smb_name);
+               SAFE_FREE((*user_info)->internal_username);
+               SAFE_FREE((*user_info)->client_domain);
+               SAFE_FREE((*user_info)->domain);
+               SAFE_FREE((*user_info)->wksta_name);
                data_blob_free(&(*user_info)->lm_resp);
                data_blob_free(&(*user_info)->nt_resp);
                data_blob_clear_free(&(*user_info)->lm_interactive_pwd);
@@ -1505,27 +1666,6 @@ void free_user_info(auth_usersupplied_info **user_info)
        SAFE_FREE(*user_info);
 }
 
-/***************************************************************************
- Clear out a server_info struct that has been allocated
-***************************************************************************/
-
-void free_server_info(auth_serversupplied_info **server_info)
-{
-       DEBUG(5,("attempting to free (and zero) a server_info structure\n"));
-       if (*server_info != NULL) {
-               pdb_free_sam(&(*server_info)->sam_account);
-
-               /* call pam_end here, unless we know we are keeping it */
-               delete_nt_token( &(*server_info)->ptok );
-               SAFE_FREE((*server_info)->groups);
-               SAFE_FREE((*server_info)->unix_name);
-               data_blob_free(&(*server_info)->lm_session_key);
-               data_blob_free(&(*server_info)->user_session_key);
-               ZERO_STRUCT(**server_info);
-       }
-       SAFE_FREE(*server_info);
-}
-
 /***************************************************************************
  Make an auth_methods struct
 ***************************************************************************/
@@ -1533,11 +1673,13 @@ void free_server_info(auth_serversupplied_info **server_info)
 BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) 
 {
        if (!auth_context) {
-               smb_panic("no auth_context supplied to make_auth_methods()!\n");
+               smb_panic("no auth_context supplied to "
+                         "make_auth_methods()!\n");
        }
 
        if (!auth_method) {
-               smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n");
+               smb_panic("make_auth_methods: pointer to auth_method pointer "
+                         "is NULL!\n");
        }
 
        *auth_method = TALLOC_P(auth_context->mem_ctx, auth_methods);
@@ -1550,41 +1692,29 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me
        return True;
 }
 
-/****************************************************************************
- Delete a SID token.
-****************************************************************************/
-
-void delete_nt_token(NT_USER_TOKEN **pptoken)
-{
-       if (*pptoken) {
-               NT_USER_TOKEN *ptoken = *pptoken;
-
-               SAFE_FREE( ptoken->user_sids );
-               ZERO_STRUCTP(ptoken);
-       }
-       SAFE_FREE(*pptoken);
-}
-
 /****************************************************************************
  Duplicate a SID token.
 ****************************************************************************/
 
-NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken)
+NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *ptoken)
 {
        NT_USER_TOKEN *token;
 
        if (!ptoken)
                return NULL;
 
-       if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL)
+       token = TALLOC_P(mem_ctx, NT_USER_TOKEN);
+       if (token == NULL) {
+               DEBUG(0, ("talloc failed\n"));
                return NULL;
+       }
 
-       ZERO_STRUCTP(token);
-       
-       token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids );
-       
-       if ( !token ) {
-               SAFE_FREE(token);
+       token->user_sids = talloc_memdup(token, ptoken->user_sids,
+                                        sizeof(DOM_SID) * ptoken->num_sids );
+
+       if ((ptoken->user_sids != NULL) && (token->user_sids == NULL)) {
+               DEBUG(0, ("talloc_memdup failed\n"));
+               talloc_free(token);
                return NULL;
        }
 
@@ -1593,7 +1723,8 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken)
        /* copy the privileges; don't consider failure to be critical here */
        
        if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) {
-               DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!.  Continuing with 0 privileges assigned.\n"));
+               DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!.  "
+                        "Continuing with 0 privileges assigned.\n"));
        }
 
        return token;
@@ -1603,7 +1734,7 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken)
  Check for a SID in an NT_USER_TOKEN
 ****************************************************************************/
 
-static BOOL nt_token_check_sid ( DOM_SID *sid, NT_USER_TOKEN *token )
+BOOL nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token )
 {
        int i;
        
@@ -1626,9 +1757,10 @@ BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid )
           a DC or standalone server, use our own SID */
 
        if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
-               if ( !secrets_fetch_domain_sid( lp_workgroup(), &domain_sid ) ) {
-                       DEBUG(1,("nt_token_check_domain_rid: Cannot lookup SID for domain [%s]\n",
-                               lp_workgroup()));
+               if ( !secrets_fetch_domain_sid( lp_workgroup(),
+                                               &domain_sid ) ) {
+                       DEBUG(1,("nt_token_check_domain_rid: Cannot lookup "
+                                "SID for domain [%s]\n", lp_workgroup()));
                        return False;
                }
        } 
@@ -1662,9 +1794,10 @@ BOOL is_trusted_domain(const char* dom_name)
 
        if ( IS_DC ) {
                become_root();
-               DEBUG (5,("is_trusted_domain: Checking for domain trust with [%s]\n",
-                       dom_name ));
-               ret = secrets_fetch_trusted_domain_password(dom_name, NULL, NULL, NULL);
+               DEBUG (5,("is_trusted_domain: Checking for domain trust with "
+                         "[%s]\n", dom_name ));
+               ret = secrets_fetch_trusted_domain_password(dom_name, NULL,
+                                                           NULL, NULL);
                unbecome_root();
                if (ret)
                        return True;
index ad72bd9a1fd561c4ba8c00de255c2a73d68bcb78..6e2f26a57222d8b81c3e9cb810221bc9f0ba0317 100644 (file)
@@ -71,13 +71,13 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 
        if (!auth_context) {
                DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n", 
-                        user_info->internal_username.str));            
+                        user_info->internal_username));
                return NT_STATUS_INVALID_PARAMETER;
        }               
 
-       if (strequal(user_info->domain.str, get_global_sam_name())) {
+       if (strequal(user_info->domain, get_global_sam_name())) {
                DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n",
-                       user_info->domain.str));
+                       user_info->domain));
                return NT_STATUS_NOT_IMPLEMENTED;
        }
 
@@ -90,12 +90,9 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 
        request.data.auth_crap.logon_parameters = user_info->logon_parameters;
 
-       fstrcpy(request.data.auth_crap.user, 
-                         user_info->smb_name.str);
-       fstrcpy(request.data.auth_crap.domain, 
-                         user_info->domain.str);
-       fstrcpy(request.data.auth_crap.workstation, 
-                         user_info->wksta_name.str);
+       fstrcpy(request.data.auth_crap.user, user_info->smb_name);
+       fstrcpy(request.data.auth_crap.domain, user_info->domain);
+       fstrcpy(request.data.auth_crap.workstation, user_info->wksta_name);
 
        memcpy(request.data.auth_crap.chal, auth_context->challenge.data, sizeof(request.data.auth_crap.chal));
        
@@ -131,8 +128,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
                if (NT_STATUS_IS_OK(nt_status)) {
                        if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) { 
                                nt_status = make_server_info_info3(mem_ctx, 
-                                       user_info->internal_username.str
-                                       user_info->smb_name.str, user_info->domain.str
+                                       user_info->internal_username, 
+                                       user_info->smb_name, user_info->domain
                                        server_info, &info3); 
                        }
                        
index 7079bf7437a7ce13a9036a21dff99d5abb0568c0..e901e065d27cbc838308cf69c2be54d829fdcf93 100644 (file)
@@ -462,7 +462,7 @@ DYNEXP=
 
 dnl Add modules that have to be built by default here
 dnl These have to be built static:
-default_static_modules="pdb_smbpasswd pdb_tdbsam rpc_lsa rpc_samr rpc_reg rpc_lsa_ds rpc_wks rpc_svcctl rpc_ntsvcs rpc_net rpc_dfs rpc_srv rpc_spoolss rpc_eventlog auth_rhosts auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin"
+default_static_modules="pdb_smbpasswd pdb_tdbsam rpc_lsa rpc_samr rpc_reg rpc_lsa_ds rpc_wks rpc_svcctl rpc_ntsvcs rpc_net rpc_netdfs rpc_srv rpc_spoolss rpc_eventlog auth_rhosts auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin"
 
 dnl These are preferably build shared, and static if dlopen() is not available
 default_shared_modules="vfs_recycle vfs_audit vfs_extd_audit vfs_full_audit vfs_netatalk vfs_fake_perms vfs_default_quota vfs_readonly vfs_cap vfs_expand_msdfs vfs_shadow_copy charset_CP850 charset_CP437 auth_script"
@@ -2871,6 +2871,8 @@ if test x"$with_ldap_support" != x"no"; then
   
   AC_DEFINE_UNQUOTED(LDAP_SET_REBIND_PROC_ARGS, $smb_ldap_cv_ldap_set_rebind_proc, [Number of arguments to ldap_set_rebind_proc])
 
+  AC_CHECK_FUNC_EXT(ldap_dn2ad_canonical,$LDAP_LIBS)   
+  
   if test x"$ac_cv_lib_ext_ldap_ldap_init" = x"yes"; then
     AC_DEFINE(HAVE_LDAP,1,[Whether ldap is available])
     CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
@@ -3144,6 +3146,9 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(krb5_principal_compare_any_realm, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_parse_name_norealm, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_princ_size, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_set_pac_request, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_get_renewed_creds, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_get_kdc_cred, $KRB5_LIBS)
 
   LIBS="$KRB5_LIBS $LIBS"
 
@@ -3445,6 +3450,29 @@ if test x"$with_ads_support" != x"no"; then
 LIBS="$ac_save_LIBS"
 fi
 
+#################################################
+# check for KCM support
+
+with_kcm_support=no
+AC_MSG_CHECKING([for KCM support])
+
+AC_ARG_WITH(kcm,
+[  --with-kcm              KCM support (default no)],
+[ case "$withval" in
+    yes)
+       if test x$FOUND_KRB5 = x"no"; then
+               AC_MSG_ERROR(libkrb5 is needed for KCM support)
+       fi
+       with_kcm_support="$withval"
+       AC_DEFINE(WITH_KCM,1,[Whether to include KCM support])
+       ;;
+    *)
+       with_kcm_support="no"
+       AC_DEFINE(WITH_KCM,0,[Whether to include KCM support])
+       ;;
+  esac ])
+
+AC_MSG_RESULT($with_kcm_support)
 ########################################################
 # Compile experimental passdb backends?
 # (pdb_xml, pdb_mysql, pdb_pgsql)
@@ -5177,7 +5205,7 @@ SMB_MODULE(rpc_wks, \$(RPC_WKS_OBJ), "bin/librpc_wkssvc.$SHLIBEXT", RPC)
 SMB_MODULE(rpc_svcctl, \$(RPC_SVCCTL_OBJ), "bin/librpc_svcctl.$SHLIBEXT", RPC)
 SMB_MODULE(rpc_ntsvcs, \$(RPC_NTSVCS_OBJ), "bin/librpc_ntsvcs.$SHLIBEXT", RPC)
 SMB_MODULE(rpc_net, \$(RPC_NETLOG_OBJ), "bin/librpc_NETLOGON.$SHLIBEXT", RPC)
-SMB_MODULE(rpc_dfs, \$(RPC_DFS_OBJ), "bin/librpc_netdfs.$SHLIBEXT", RPC)
+SMB_MODULE(rpc_netdfs, \$(RPC_DFS_OBJ), "bin/librpc_netdfs.$SHLIBEXT", RPC)
 SMB_MODULE(rpc_srv, \$(RPC_SVC_OBJ), "bin/librpc_srvsvc.$SHLIBEXT", RPC)
 SMB_MODULE(rpc_spoolss, \$(RPC_SPOOLSS_OBJ), "bin/librpc_spoolss.$SHLIBEXT", RPC)
 SMB_MODULE(rpc_eventlog, \$(RPC_EVENTLOG_OBJ), "bin/librpc_eventlog.$SHLIBEXT", RPC)
index 7dc0426c4493849e0295cc8cc308936de2e25044..2790d4758770964df2f652bbbd2df205502a6b05 100644 (file)
@@ -176,7 +176,65 @@ BOOL add_initial_entry(gid_t gid, const char *sid, enum SID_NAME_USE sid_name_us
        fstrcpy(map.nt_name, nt_name);
        fstrcpy(map.comment, comment);
 
-       return pdb_add_group_mapping_entry(&map);
+       return NT_STATUS_IS_OK(pdb_add_group_mapping_entry(&map));
+}
+
+/****************************************************************************
+ Map a unix group to a newly created mapping
+****************************************************************************/
+NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap)
+{
+       NTSTATUS status;
+       GROUP_MAP map;
+       const char *grpname, *dom, *name;
+       uint32 rid;
+
+       if (pdb_getgrgid(&map, grp->gr_gid)) {
+               return NT_STATUS_GROUP_EXISTS;
+       }
+
+       map.gid = grp->gr_gid;
+       grpname = grp->gr_name;
+
+       if (lookup_name(tmp_talloc_ctx(), grpname, LOOKUP_NAME_ISOLATED,
+                       &dom, &name, NULL, NULL)) {
+
+               const char *tmp = talloc_asprintf(
+                       tmp_talloc_ctx(), "Unix Group %s", grp->gr_name);
+
+               DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n",
+                         grpname, dom, name, tmp));
+               grpname = tmp;
+       }
+
+       if (lookup_name(tmp_talloc_ctx(), grpname, LOOKUP_NAME_ISOLATED,
+                       NULL, NULL, NULL, NULL)) {
+               DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
+               return NT_STATUS_GROUP_EXISTS;
+       }
+
+       fstrcpy(map.nt_name, grpname);
+
+       if (pdb_rid_algorithm()) {
+               rid = pdb_gid_to_group_rid( grp->gr_gid );
+       } else {
+               if (!pdb_new_rid(&rid)) {
+                       DEBUG(3, ("Could not get a new RID for %s\n",
+                                 grp->gr_name));
+                       return NT_STATUS_ACCESS_DENIED;
+               }
+       }
+
+       sid_compose(&map.sid, get_global_sam_sid(), rid);
+       map.sid_name_use = SID_NAME_DOM_GRP;
+       fstrcpy(map.comment, talloc_asprintf(tmp_talloc_ctx(), "Unix Group %s",
+                                            grp->gr_name));
+
+       status = pdb_add_group_mapping_entry(&map);
+       if (NT_STATUS_IS_OK(status)) {
+               *pmap = map;
+       }
+       return status;
 }
 
 /****************************************************************************
@@ -794,99 +852,6 @@ BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map)
        return True;
 }
 
-
-/* get a local (alias) group from it's SID */
-
-BOOL get_local_group_from_sid(DOM_SID *sid, GROUP_MAP *map)
-{
-       BOOL ret;
-       
-       if(!init_group_mapping()) {
-               DEBUG(0,("failed to initialize group mapping\n"));
-               return(False);
-       }
-
-       /* The group is in the mapping table */
-       become_root();
-       ret = pdb_getgrsid(map, *sid);
-       unbecome_root();
-       
-       if ( !ret )
-               return False;
-               
-       if ( ( (map->sid_name_use != SID_NAME_ALIAS) &&
-              (map->sid_name_use != SID_NAME_WKN_GRP) )
-               || (map->gid == -1)
-               || (getgrgid(map->gid) == NULL) ) 
-       {
-               return False;
-       }               
-                       
-#if 1  /* JERRY */
-       /* local groups only exist in the group mapping DB so this 
-          is not necessary */
-          
-       else {
-               /* the group isn't in the mapping table.
-                * make one based on the unix information */
-               uint32 alias_rid;
-               struct group *grp;
-
-               sid_peek_rid(sid, &alias_rid);
-               map->gid=pdb_group_rid_to_gid(alias_rid);
-               
-               grp = getgrgid(map->gid);
-               if ( !grp ) {
-                       DEBUG(3,("get_local_group_from_sid: No unix group for [%ul]\n", map->gid));
-                       return False;
-               }
-
-               map->sid_name_use=SID_NAME_ALIAS;
-
-               fstrcpy(map->nt_name, grp->gr_name);
-               fstrcpy(map->comment, "Local Unix Group");
-
-               sid_copy(&map->sid, sid);
-       }
-#endif
-
-       return True;
-}
-
-/* get a builtin group from it's SID */
-
-BOOL get_builtin_group_from_sid(DOM_SID *sid, GROUP_MAP *map)
-{
-       BOOL ret;
-       
-
-       if(!init_group_mapping()) {
-               DEBUG(0,("failed to initialize group mapping\n"));
-               return(False);
-       }
-
-       become_root();
-       ret = pdb_getgrsid(map, *sid);
-       unbecome_root();
-       
-       if ( !ret )
-               return False;
-
-       if (map->sid_name_use!=SID_NAME_WKN_GRP) {
-               return False;
-       }
-
-       if (map->gid==-1) {
-               return False;
-       }
-
-       if ( getgrgid(map->gid) == NULL) {
-               return False;
-       }
-
-       return True;
-}
-
 /****************************************************************************
  Create a UNIX group on demand.
 ****************************************************************************/
@@ -1101,9 +1066,12 @@ NTSTATUS pdb_default_create_alias(struct pdb_methods *methods,
        gid_t gid;
        BOOL exists;
        GROUP_MAP map;
+       TALLOC_CTX *mem_ctx;
+       NTSTATUS status;
 
-       TALLOC_CTX *mem_ctx = talloc_new(NULL);
+       DEBUG(10, ("Trying to create alias %s\n", name));
 
+       mem_ctx = talloc_new(NULL);
        if (mem_ctx == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -1116,8 +1084,18 @@ NTSTATUS pdb_default_create_alias(struct pdb_methods *methods,
                return NT_STATUS_ALIAS_EXISTS;
        }
 
-       if (!winbind_allocate_rid_and_gid(&new_rid, &gid))
+       if (!winbind_allocate_gid(&gid)) {
+               DEBUG(3, ("Could not get a gid out of winbind\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       if (!pdb_new_rid(&new_rid)) {
+               DEBUG(0, ("Could not allocate a RID -- wasted a gid :-(\n"));
                return NT_STATUS_ACCESS_DENIED;
+       }
+
+       DEBUG(10, ("Creating alias %s with gid %d and rid %d\n",
+                  name, gid, new_rid));
 
        sid_copy(&sid, get_global_sam_sid());
        sid_append_rid(&sid, new_rid);
@@ -1128,10 +1106,12 @@ NTSTATUS pdb_default_create_alias(struct pdb_methods *methods,
        fstrcpy(map.nt_name, name);
        fstrcpy(map.comment, "");
 
-       if (!pdb_add_group_mapping_entry(&map)) {
-               DEBUG(0, ("Could not add group mapping entry for alias %s\n",
-                         name));
-               return NT_STATUS_ACCESS_DENIED;
+       status = pdb_add_group_mapping_entry(&map);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0, ("Could not add group mapping entry for alias %s "
+                         "(%s)\n", name, nt_errstr(status)));
+               return status;
        }
 
        *rid = new_rid;
@@ -1155,6 +1135,14 @@ NTSTATUS pdb_default_get_aliasinfo(struct pdb_methods *methods,
        if (!pdb_getgrsid(&map, *sid))
                return NT_STATUS_NO_SUCH_ALIAS;
 
+       if ((map.sid_name_use != SID_NAME_ALIAS) &&
+           (map.sid_name_use != SID_NAME_WKN_GRP)) {
+               DEBUG(2, ("%s is a %s, expected an alias\n",
+                         sid_string_static(sid),
+                         sid_type_lookup(map.sid_name_use)));
+               return NT_STATUS_NO_SUCH_ALIAS;
+       }
+
        fstrcpy(info->acct_name, map.nt_name);
        fstrcpy(info->acct_desc, map.comment);
        sid_peek_rid(&map.sid, &info->rid);
@@ -1172,10 +1160,7 @@ NTSTATUS pdb_default_set_aliasinfo(struct pdb_methods *methods,
 
        fstrcpy(map.comment, info->acct_desc);
 
-       if (!pdb_update_group_mapping_entry(&map))
-               return NT_STATUS_ACCESS_DENIED;
-
-       return NT_STATUS_OK;
+       return pdb_update_group_mapping_entry(&map);
 }
 
 NTSTATUS pdb_default_add_aliasmem(struct pdb_methods *methods,
@@ -1315,7 +1300,7 @@ BOOL pdb_set_dom_grp_info(const DOM_SID *sid, const struct acct_info *info)
        fstrcpy(map.nt_name, info->acct_name);
        fstrcpy(map.comment, info->acct_desc);
 
-       return pdb_update_group_mapping_entry(&map);
+       return NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map));
 }
 
 
index decb823ea99a56f4c3f9911a2aa01dfcda742330..ce643666ad9655a5d49b26af95399a2af0b2d192 100644 (file)
@@ -30,6 +30,7 @@ typedef struct {
                unsigned flags;
                int time_offset;
                time_t expire;
+               time_t renewable;
        } auth;
 
        /* info derived from the servers config */
@@ -91,6 +92,7 @@ typedef void **ADS_MODLIST;
 #define ADS_NO_REFERRALS_OID   "1.2.840.113556.1.4.1339"
 #define ADS_SERVER_SORT_OID    "1.2.840.113556.1.4.473"
 #define ADS_PERMIT_MODIFY_OID  "1.2.840.113556.1.4.1413"
+#define ADS_ASQ_OID            "1.2.840.113556.1.4.1504"
 
 /* ldap attribute oids (Services for Unix) */
 #define ADS_ATTR_SFU_UIDNUMBER_OID     "1.2.840.113556.1.6.18.1.310"
index 03206c03c6a894822936f2fa5f7a177e9b814f7b..79fbb93895fb2bd3278876d1503df8e8c8b62d8d 100644 (file)
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */
 
-/* AUTH_STR - string */
-typedef struct normal_string {
-       int len;
-       char *str;
-} AUTH_STR;
-
 typedef struct auth_usersupplied_info {
        DATA_BLOB lm_resp;
        DATA_BLOB nt_resp;
@@ -35,25 +29,24 @@ typedef struct auth_usersupplied_info {
        
        BOOL encrypted;
        
-       AUTH_STR           client_domain;          /* domain name string */
-       AUTH_STR           domain;               /* domain name after mapping */
-       AUTH_STR           internal_username;    /* username after mapping */
-       AUTH_STR           smb_name;        /* username before mapping */
-       AUTH_STR           wksta_name;           /* workstation name (netbios calling name) unicode string */
+       char *client_domain;          /* domain name string */
+       char *domain;                 /* domain name after mapping */
+       char *internal_username;      /* username after mapping */
+       char *smb_name;               /* username before mapping */
+       char *wksta_name;             /* workstation name (netbios calling
+                                      * name) unicode string */
        
        uint32 logon_parameters;
 
 } auth_usersupplied_info;
 
-#define SAM_FILL_NAME  0x01
-#define SAM_FILL_INFO3 0x02
-#define SAM_FILL_SAM   0x04
-#define SAM_FILL_UNIX  0x08
-#define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX)
-
 typedef struct auth_serversupplied_info {
        BOOL guest;
 
+       DOM_SID *sids;  /* These SIDs are preliminary between
+                          check_ntlm_password and the token creation. */
+       size_t num_sids;
+
        uid_t uid;
        gid_t gid;
        
@@ -70,8 +63,6 @@ typedef struct auth_serversupplied_info {
 
         char *login_server; /* which server authorized the login? */
        
-       uint32 sam_fill_level;  /* How far is this structure filled? */
-       
        SAM_ACCOUNT *sam_account;
        
        void *pam_handle;
index 62c1e4fa22d47611796c983af5bbe66763d8762d..8f8ea06696461e89f6bcc6b3fd32a66d92acbcb5 100644 (file)
 #define WERR_SERVICE_NEVER_STARTED W_ERROR(1077)
 #define WERR_MACHINE_LOCKED W_ERROR(1271)
 #define WERR_INVALID_SECURITY_DESCRIPTOR W_ERROR(1338)
+#define WERR_TIME_SKEW W_ERROR(1398)
 #define WERR_EVENTLOG_FILE_CORRUPT W_ERROR(1500)
 #define WERR_SERVER_UNAVAILABLE W_ERROR(1722)
 #define WERR_INVALID_FORM_NAME W_ERROR(1902)
diff --git a/source/include/event.h b/source/include/event.h
new file mode 100644 (file)
index 0000000..fdb9906
--- /dev/null
@@ -0,0 +1,31 @@
+/*
+   Unix SMB/CIFS implementation.
+   event handling
+   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Volker Lendecke 2005
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+struct timed_event {
+       struct timed_event *next, *prev;
+       struct timeval when;
+       const char *event_name;
+       void (*handler)(struct timed_event *te,
+                       const struct timeval *now,
+                       void *private_data);
+       void *private_data;
+};
+
diff --git a/source/include/gpo.h b/source/include/gpo.h
new file mode 100644 (file)
index 0000000..65c96c3
--- /dev/null
@@ -0,0 +1,91 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  Group Policy Object Support
+ *  Copyright (C) Guenther Deschner 2005
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+
+enum GPO_LINK_TYPE {
+       GP_LINK_UNKOWN,
+       GP_LINK_MACHINE,
+       GP_LINK_SITE,
+       GP_LINK_DOMAIN,
+       GP_LINK_OU
+};
+
+/* GPO_OPTIONS */
+#define GPO_FLAG_DISABLE       0x00000001
+#define GPO_FLAG_FORCE         0x00000002
+
+/* GPO_LIST_FLAGS */
+#define GPO_LIST_FLAG_MACHINE  0x00000001
+#define GPO_LIST_FLAG_SITEONLY 0x00000002
+
+struct GROUP_POLICY_OBJECT {
+       uint32 options; /* GPFLAGS_* */ 
+       uint32 version;
+       uint16 version_user;
+       uint16 version_machine;
+       const char *ds_path;
+       const char *file_sys_path;
+       const char *display_name;
+       const char *name;
+       const char *link;
+       uint32 link_type; /* GPO_LINK_TYPE */
+       const char *user_extensions;
+       const char *machine_extensions;
+       struct GROUP_POLICY_OBJECT *next, *prev;
+};
+
+/* the following is seen on the DS (see adssearch.pl for details) */
+
+/* the type field in a 'gPLink', the same as GPO_FLAG ? */
+#define GPO_LINK_OPT_NONE      0x00000000
+#define GPO_LINK_OPT_DISABLED  0x00000001
+#define GPO_LINK_OPT_ENFORCED  0x00000002
+
+/* GPO_LINK_OPT_ENFORCED takes precedence over GPOPTIONS_BLOCK_INHERITANCE */
+
+/* 'gPOptions', maybe a bitmask as well */
+enum GPO_INHERIT {
+       GPOPTIONS_INHERIT,
+       GPOPTIONS_BLOCK_INHERITANCE
+};
+
+/* 'flags' in a 'groupPolicyContainer' object */
+#define GPFLAGS_ALL_ENABLED                    0x00000000
+#define GPFLAGS_USER_SETTINGS_DISABLED         0x00000001
+#define GPFLAGS_MACHINE_SETTINGS_DISABLED      0x00000002
+#define GPFLAGS_ALL_DISABLED (GPFLAGS_USER_SETTINGS_DISABLED | \
+                             GPFLAGS_MACHINE_SETTINGS_DISABLED)
+
+struct GP_LINK {
+       const char *gp_link;    /* raw link name */
+       uint32 gp_opts;         /* inheritance options GPO_INHERIT */
+       uint32 num_links;       /* number of links */
+       char **link_names;      /* array of parsed link names */
+       uint32 *link_opts;      /* array of parsed link opts GPO_LINK_OPT_* */
+};
+
+struct GP_EXT {
+       const char *gp_extension;       /* raw extension name */
+       uint32 num_exts;
+       char **extensions;
+       char **extensions_guid;
+       char **snapins;
+       char **snapins_guid;
+};
index c81b94a718a0cc382b03e77565e0cdb381add8b4..474982f2926eacfa88cbdf0050d13596d54863c4 100644 (file)
@@ -24,6 +24,9 @@
    Boston, MA  02111-1307, USA.   
 */
 
+/* idmap version determines auto-conversion */
+#define IDMAP_VERSION 2
+
 #define SMB_IDMAP_INTERFACE_VERSION    2
 
 
@@ -43,7 +46,6 @@ struct idmap_methods {
        /* Called when backend is first loaded */
        NTSTATUS (*init)( char *params );
 
-       NTSTATUS (*allocate_rid)(uint32 *rid, int rid_type);
        NTSTATUS (*allocate_id)(unid_t *id, int id_type);
        NTSTATUS (*get_sid_from_id)(DOM_SID *sid, unid_t id, int id_type);
        NTSTATUS (*get_id_from_sid)(unid_t *id, int *id_type, const DOM_SID *sid);
index a9b792d5f67b8f25577b0b7582f1983c0cd03575..8aa100324084c9cc78f2b77e548e674cb924e672 100644 (file)
@@ -989,6 +989,8 @@ extern int errno;
 
 #include "rpc_client.h"
 
+#include "event.h"
+
 /*
  * Type for wide character dirent structure.
  * Only d_name is defined by POSIX.
@@ -1018,6 +1020,11 @@ struct functable {
        int (*fn)(int argc, const char **argv);
 };
 
+struct functable2 {
+       const char *funcname;
+       int (*fn)(int argc, const char **argv);
+       const char *helptext;
+};
 
 /* Defines for wisXXX functions. */
 #define UNI_UPPER    0x1
@@ -1508,8 +1515,10 @@ BOOL smb_krb5_principal_compare_any_realm(krb5_context context,
                                          krb5_const_principal princ1, 
                                          krb5_const_principal princ2);
 int cli_krb5_get_ticket(const char *principal, time_t time_offset, 
-                       DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts);
+                       DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, const char *ccname);
 PAC_LOGON_INFO *get_logon_info_from_pac(PAC_DATA *pac_data);
+krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *new_start_time);
+krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code);
 #endif /* HAVE_KRB5 */
 
 
index c9b54ab1a21888595e35397c4652568645792076..916fb6e46d309703f6396ee67a496e9a2a670bfa 100644 (file)
 /* tdb hash size for the open database. */
 #define SMB_OPEN_DATABASE_TDB_HASH_SIZE 1049
 
+/* Characters we disallow in sharenames. */
+#define INVALID_SHARENAME_CHARS "%<>*?|/\\+=;:\","
+
+/* Seconds between connection attempts to a remote server. */
+#define FAILED_CONNECTION_CACHE_TIMEOUT 30
+
+/* Default hash size for the winbindd cache. */
+#define WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE 5000
+
 #endif
index 4b1732d42d17d0f39ff4bde29db900edf49bb33b..dc4f4ca2c032d8b54ca8d64547fa2dab0af76476 100644 (file)
@@ -73,6 +73,8 @@
 /* winbind messages */
 #define MSG_WINBIND_FINISHED     4001
 #define MSG_WINBIND_FORGET_STATE 4002
+#define MSG_WINBIND_ONLINE       4003
+#define MSG_WINBIND_OFFLINE      4004
 
 /* Flags to classify messages - used in message_send_all() */
 /* Sender will filter by flag. */
index ab768258df17fbccf04ad58c4567b9a1a00e2d91..14c83eba4b37036901c2713018875d3cb9edb898 100644 (file)
@@ -61,4 +61,10 @@ typedef uint32 WERROR;
 #define W_ERROR_IS_OK(x) (W_ERROR_V(x) == 0)
 #define W_ERROR_EQUAL(x,y) (W_ERROR_V(x) == W_ERROR_V(y))
 
+#define NT_STATUS_HAVE_NO_MEMORY(x) do { \
+        if (!(x)) {\
+                return NT_STATUS_NO_MEMORY;\
+        }\
+} while (0)
+
 #endif
index f1896710dc930cba134d63c7f6f5fdced0a1dff3..0035fc5b05ed7c2f1d4af6f95f82bc67800b5db0 100644 (file)
@@ -304,9 +304,10 @@ typedef struct pdb_context
                                           size_t *p_num_members);
 
        NTSTATUS (*pdb_enum_group_memberships)(struct pdb_context *context,
-                                              const char *username,
-                                              gid_t primary_gid,
-                                              DOM_SID **pp_sids, gid_t **pp_gids,
+                                              TALLOC_CTX *mem_ctx,
+                                              SAM_ACCOUNT *user,
+                                              DOM_SID **pp_sids,
+                                              gid_t **pp_gids,
                                               size_t *p_num_groups);
 
        NTSTATUS (*pdb_find_alias)(struct pdb_context *context,
@@ -376,6 +377,15 @@ typedef struct pdb_context
        BOOL (*pdb_search_aliases)(struct pdb_context *context,
                                   struct pdb_search *search,
                                   const DOM_SID *sid);
+       BOOL (*pdb_uid_to_rid)(struct pdb_context *context,
+                              uid_t uid, uint32 *rid);
+       BOOL (*pdb_gid_to_sid)(struct pdb_context *context,
+                              uid_t gid, DOM_SID *sid);
+       BOOL (*pdb_sid_to_id)(struct pdb_context *context, const DOM_SID *sid,
+                             union unid_t *id, enum SID_NAME_USE *type);
+
+       BOOL (*pdb_rid_algorithm)(struct pdb_context *context);
+       BOOL (*pdb_new_rid)(struct pdb_context *context, uint32 *rid);
 
        void (*free_fn)(struct pdb_context **);
        
@@ -439,8 +449,8 @@ typedef struct pdb_methods
                                       size_t *p_num_members);
 
        NTSTATUS (*enum_group_memberships)(struct pdb_methods *methods,
-                                          const char *username,
-                                          gid_t primary_gid,
+                                          TALLOC_CTX *mem_ctx,
+                                          SAM_ACCOUNT *user,
                                           DOM_SID **pp_sids, gid_t **pp_gids,
                                           size_t *p_num_groups);
 
@@ -507,6 +517,16 @@ typedef struct pdb_methods
                               struct pdb_search *search,
                               const DOM_SID *sid);
 
+       BOOL (*uid_to_rid)(struct pdb_methods *methods, uid_t uid,
+                          uint32 *rid);
+       BOOL (*gid_to_sid)(struct pdb_methods *methods, gid_t gid,
+                          DOM_SID *sid);
+       BOOL (*sid_to_id)(struct pdb_methods *methods, const DOM_SID *sid,
+                         union unid_t *id, enum SID_NAME_USE *type);
+
+       BOOL (*rid_algorithm)(struct pdb_methods *methods);
+       BOOL (*new_rid)(struct pdb_methods *methods, uint32 *rid);
+
        void *private_data;  /* Private data of some kind */
        
        void (*free_private_data)(void **);
index 7aee208c14b0fa3d8c333b8a3054e0054375ae5f..adf25c9938bc027f828c63afe29e35529520a46e 100644 (file)
-/* 
-   Unix SMB/CIFS implementation.
-   Samba parameters and setup
-   Copyright (C) Andrew Tridgell 1992-2000
-   Copyright (C) Luke Kenneth Casson Leighton 1996 - 2000
-   Copyright (C) Shirish Kalele 2000
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful, 
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#ifndef _RPC_DFS_H
-#define _RPC_DFS_H
-
-/* NETDFS pipe: calls */
-#define DFS_EXIST                0x00
-#define DFS_ADD                  0x01
-#define DFS_REMOVE               0x02
-#define DFS_GET_INFO             0x04
-#define DFS_ENUM                 0x05
-
-/* dfsadd flags */
-#define DFSFLAG_ADD_VOLUME           0x00000001
-#define DFSFLAG_RESTORE_VOLUME       0x00000002
-
-typedef struct dfs_q_dfs_exist {
-       uint32 dummy;
-} DFS_Q_DFS_EXIST;
-
-/* status == 1 if dfs exists. */
-typedef struct dfs_r_dfs_exist {
-       uint32 status;          /* Not a WERROR or NTSTATUS code */
-} DFS_R_DFS_EXIST;
-
-typedef struct dfs_q_dfs_add {
-       uint32 ptr_DfsEntryPath;
-       UNISTR2 DfsEntryPath;
-       uint32 ptr_ServerName;
-       UNISTR2 ServerName;
-       uint32 ptr_ShareName;
-       UNISTR2 ShareName;
-       uint32 ptr_Comment;
-       UNISTR2 Comment;
-       uint32 Flags;
-} DFS_Q_DFS_ADD;
-
-typedef struct dfs_r_dfs_add {
-       WERROR status;
-} DFS_R_DFS_ADD;
-
-/********************************************/
-typedef struct dfs_q_dfs_remove {
-       UNISTR2 DfsEntryPath;
-       uint32 ptr_ServerName;
-       UNISTR2 ServerName;
-       uint32 ptr_ShareName;
-       UNISTR2 ShareName;
-} DFS_Q_DFS_REMOVE;
-
-typedef struct dfs_r_dfs_remove {
-       WERROR status;
-} DFS_R_DFS_REMOVE;
-
-/********************************************/
-typedef struct dfs_info_1 {
-       uint32 ptr_entrypath;
-       UNISTR2 entrypath;
-} DFS_INFO_1;
-
-typedef struct dfs_info_2 {
-       uint32 ptr_entrypath;
-       UNISTR2 entrypath;
-       uint32 ptr_comment;
+/*
+ * Unix SMB/CIFS implementation.
+ * header auto-generated by pidl. DO NOT MODIFY!
+ */
+
+
+#ifndef _RPC_NETDFS_H
+#define _RPC_NETDFS_H
+
+#define DFS_GETMANAGERVERSION 0
+#define DFS_ADD 1
+#define DFS_REMOVE 2
+#define DFS_SETINFO 3
+#define DFS_GETINFO 4
+#define DFS_ENUM 5
+#define DFS_RENAME 6
+#define DFS_MOVE 7
+#define DFS_MANAGERGETCONFIGINFO 8
+#define DFS_MANAGERSENDSITEINFO 9
+#define DFS_ADDFTROOT 10
+#define DFS_REMOVEFTROOT 11
+#define DFS_ADDSTDROOT 12
+#define DFS_REMOVESTDROOT 13
+#define DFS_MANAGERINITIALIZE 14
+#define DFS_ADDSTDROOTFORCED 15
+#define DFS_GETDCADDRESS 16
+#define DFS_SETDCADDRESS 17
+#define DFS_FLUSHFTTABLE 18
+#define DFS_ADD2 19
+#define DFS_REMOVE2 20
+#define DFS_ENUMEX 21
+#define DFS_SETINFO2 22
+
+typedef struct netdfs_dfs_Info0 {
+       uint32 dummy;
+} NETDFS_DFS_INFO0;
+
+typedef struct netdfs_dfs_Info1 {
+       uint32 ptr0_path;
+       UNISTR2 path;
+} NETDFS_DFS_INFO1;
+
+typedef struct netdfs_dfs_Info2 {
+       uint32 ptr0_path;
+       UNISTR2 path;
+       uint32 ptr0_comment;
        UNISTR2 comment;
        uint32 state;
-       uint32 num_storages;
-} DFS_INFO_2;
+       uint32 num_stores;
+} NETDFS_DFS_INFO2;
 
-typedef struct dfs_storage_info {
+typedef struct netdfs_dfs_StorageInfo {
        uint32 state;
-       uint32 ptr_servername;
-       UNISTR2 servername;
-       uint32 ptr_sharename;
-       UNISTR2 sharename;
-} DFS_STORAGE_INFO;
-
-typedef struct dfs_info_3 {
-       uint32 ptr_entrypath;
-       UNISTR2 entrypath;
-       uint32 ptr_comment;
+       uint32 ptr0_server;
+       UNISTR2 server;
+       uint32 ptr0_share;
+       UNISTR2 share;
+} NETDFS_DFS_STORAGEINFO;
+
+typedef struct netdfs_dfs_Info3 {
+       uint32 ptr0_path;
+       UNISTR2 path;
+       uint32 ptr0_comment;
        UNISTR2 comment;
        uint32 state;
-       uint32 num_storages;
-       uint32 ptr_storages;
-       uint32 num_storage_infos;
-       DFS_STORAGE_INFO* storages;
-} DFS_INFO_3;
+       uint32 num_stores;
+       uint32 ptr0_stores;
+       uint32 size_stores;
+       NETDFS_DFS_STORAGEINFO *stores;
+} NETDFS_DFS_INFO3;
+
+typedef struct netdfs_dfs_Info4 {
+       uint32 ptr0_path;
+       UNISTR2 path;
+       uint32 ptr0_comment;
+       UNISTR2 comment;
+       uint32 state;
+       uint32 timeout;
+       struct uuid guid;
+       uint32 num_stores;
+       uint32 ptr0_stores;
+       uint32 size_stores;
+       NETDFS_DFS_STORAGEINFO *stores;
+} NETDFS_DFS_INFO4;
+
+typedef struct netdfs_dfs_Info100 {
+       uint32 ptr0_comment;
+       UNISTR2 comment;
+} NETDFS_DFS_INFO100;
+
+typedef struct netdfs_dfs_Info101 {
+       uint32 state;
+} NETDFS_DFS_INFO101;
 
-typedef struct dfs_info_ctr {
+typedef struct netdfs_dfs_Info102 {
+       uint32 timeout;
+} NETDFS_DFS_INFO102;
+
+typedef struct netdfs_dfs_Info200 {
+       uint32 ptr0_dom_root;
+       UNISTR2 dom_root;
+} NETDFS_DFS_INFO200;
+
+typedef struct netdfs_dfs_Info300 {
+       uint32 flags;
+       uint32 ptr0_dom_root;
+       UNISTR2 dom_root;
+} NETDFS_DFS_INFO300;
+
+typedef struct netdfs_dfs_Info_ctr {
        uint32 switch_value;
-       uint32 num_entries;
-       uint32 ptr_dfs_ctr; /* pointer to dfs info union */
-       union {
-               DFS_INFO_1 *info1;
-               DFS_INFO_2 *info2;
-               DFS_INFO_3 *info3;
-       } dfs;
-} DFS_INFO_CTR;
-
-typedef struct dfs_q_dfs_get_info {
-       UNISTR2 uni_path;
-  
-       uint32 ptr_server;
-       UNISTR2 uni_server;
-
-       uint32 ptr_share;
-       UNISTR2 uni_share;
-  
-       uint32 level;
-} DFS_Q_DFS_GET_INFO;
+       uint32 ptr0;
+       union netdfs_dfs_Info {
+                       NETDFS_DFS_INFO0 info0;
+                       NETDFS_DFS_INFO1 info1;
+                       NETDFS_DFS_INFO2 info2;
+                       NETDFS_DFS_INFO3 info3;
+                       NETDFS_DFS_INFO4 info4;
+                       NETDFS_DFS_INFO100 info100;
+                       NETDFS_DFS_INFO101 info101;
+                       NETDFS_DFS_INFO102 info102;
+       } u;
+} NETDFS_DFS_INFO_CTR;
+
+typedef struct netdfs_dfs_EnumArray1 {
+       uint32 count;
+       uint32 ptr0_s;
+       uint32 size_s;
+       NETDFS_DFS_INFO1 *s;
+} NETDFS_DFS_ENUMARRAY1;
+
+typedef struct netdfs_dfs_EnumArray2 {
+       uint32 count;
+       uint32 ptr0_s;
+       uint32 size_s;
+       NETDFS_DFS_INFO2 *s;
+} NETDFS_DFS_ENUMARRAY2;
+
+typedef struct netdfs_dfs_EnumArray3 {
+       uint32 count;
+       uint32 ptr0_s;
+       uint32 size_s;
+       NETDFS_DFS_INFO3 *s;
+} NETDFS_DFS_ENUMARRAY3;
 
-typedef struct dfs_r_dfs_get_info {
+typedef struct netdfs_dfs_EnumArray4 {
+       uint32 count;
+       uint32 ptr0_s;
+       uint32 size_s;
+       NETDFS_DFS_INFO4 *s;
+} NETDFS_DFS_ENUMARRAY4;
+
+typedef struct netdfs_dfs_EnumArray200 {
+       uint32 count;
+       uint32 ptr0_s;
+       uint32 size_s;
+       NETDFS_DFS_INFO200 *s;
+} NETDFS_DFS_ENUMARRAY200;
+
+typedef struct netdfs_dfs_EnumArray300 {
+       uint32 count;
+       uint32 ptr0_s;
+       uint32 size_s;
+       NETDFS_DFS_INFO300 *s;
+} NETDFS_DFS_ENUMARRAY300;
+
+typedef struct netdfs_dfs_EnumInfo_ctr {
+       uint32 switch_value;
+       uint32 ptr0;
+       union netdfs_dfs_EnumInfo {
+                       NETDFS_DFS_ENUMARRAY1 info1;
+                       NETDFS_DFS_ENUMARRAY2 info2;
+                       NETDFS_DFS_ENUMARRAY3 info3;
+                       NETDFS_DFS_ENUMARRAY4 info4;
+                       NETDFS_DFS_ENUMARRAY200 info200;
+                       NETDFS_DFS_ENUMARRAY300 info300;
+       } u;
+} NETDFS_DFS_ENUMINFO_CTR;
+
+typedef struct netdfs_dfs_EnumStruct {
        uint32 level;
-       uint32 ptr_ctr;
-       DFS_INFO_CTR ctr;
+       NETDFS_DFS_ENUMINFO_CTR e;
+} NETDFS_DFS_ENUMSTRUCT;
+
+typedef struct netdfs_q_dfs_GetManagerVersion {
+       uint32 dummy;
+} NETDFS_Q_DFS_GETMANAGERVERSION;
+
+typedef struct netdfs_r_dfs_GetManagerVersion {
+       uint32 exist_flag;
+} NETDFS_R_DFS_GETMANAGERVERSION;
+
+typedef struct netdfs_q_dfs_Add {
+       UNISTR2 path;
+       UNISTR2 server;
+       uint32 ptr0_share;
+       UNISTR2 share;
+       uint32 ptr0_comment;
+       UNISTR2 comment;
+       uint32 flags;
+} NETDFS_Q_DFS_ADD;
+
+typedef struct netdfs_r_dfs_Add {
+       WERROR status;
+} NETDFS_R_DFS_ADD;
+
+typedef struct netdfs_q_dfs_Remove {
+       UNISTR2 path;
+       uint32 ptr0_server;
+       UNISTR2 server;
+       uint32 ptr0_share;
+       UNISTR2 share;
+} NETDFS_Q_DFS_REMOVE;
+
+typedef struct netdfs_r_dfs_Remove {
        WERROR status;
-} DFS_R_DFS_GET_INFO;
+} NETDFS_R_DFS_REMOVE;
 
-typedef struct dfs_q_dfs_enum {
+typedef struct netdfs_q_dfs_SetInfo {
+       uint32 dummy;
+} NETDFS_Q_DFS_SETINFO;
+
+typedef struct netdfs_r_dfs_SetInfo {
+       WERROR status;
+} NETDFS_R_DFS_SETINFO;
+
+typedef struct netdfs_q_dfs_GetInfo {
+       UNISTR2 path;
+       uint32 ptr0_server;
+       UNISTR2 server;
+       uint32 ptr0_share;
+       UNISTR2 share;
        uint32 level;
-       uint32 maxpreflen;
-       uint32 ptr_buffer;
-       uint32 level2;
-       uint32 ptr_num_entries;
-       uint32 num_entries;
-       uint32 ptr_num_entries2;
-       uint32 num_entries2;
-       ENUM_HND reshnd;
-} DFS_Q_DFS_ENUM;
-
-typedef struct dfs_r_dfs_enum {
-       DFS_INFO_CTR *ctr;
-       uint32 ptr_buffer;
+} NETDFS_Q_DFS_GETINFO;
+
+typedef struct netdfs_r_dfs_GetInfo {
+       NETDFS_DFS_INFO_CTR info;
+       WERROR status;
+} NETDFS_R_DFS_GETINFO;
+
+typedef struct netdfs_q_dfs_Enum {
        uint32 level;
-       uint32 level2;
-       uint32 ptr_num_entries;
-       uint32 num_entries;
-       uint32 ptr_num_entries2;
-       uint32 num_entries2;
-       ENUM_HND reshnd;
-       WERROR status;
-} DFS_R_DFS_ENUM;
-#endif  
+       uint32 bufsize;
+       uint32 ptr0_info;
+       NETDFS_DFS_ENUMSTRUCT info;
+       uint32 ptr0_unknown;
+       uint32 unknown;
+       uint32 ptr0_total;
+       uint32 total;
+} NETDFS_Q_DFS_ENUM;
+
+typedef struct netdfs_r_dfs_Enum {
+       uint32 ptr0_info;
+       NETDFS_DFS_ENUMSTRUCT info;
+       uint32 ptr0_total;
+       uint32 total;
+       WERROR status;
+} NETDFS_R_DFS_ENUM;
+
+typedef struct netdfs_q_dfs_Rename {
+       uint32 dummy;
+} NETDFS_Q_DFS_RENAME;
+
+typedef struct netdfs_r_dfs_Rename {
+       WERROR status;
+} NETDFS_R_DFS_RENAME;
+
+typedef struct netdfs_q_dfs_Move {
+       uint32 dummy;
+} NETDFS_Q_DFS_MOVE;
+
+typedef struct netdfs_r_dfs_Move {
+       WERROR status;
+} NETDFS_R_DFS_MOVE;
+
+typedef struct netdfs_q_dfs_ManagerGetConfigInfo {
+       uint32 dummy;
+} NETDFS_Q_DFS_MANAGERGETCONFIGINFO;
+
+typedef struct netdfs_r_dfs_ManagerGetConfigInfo {
+       WERROR status;
+} NETDFS_R_DFS_MANAGERGETCONFIGINFO;
+
+typedef struct netdfs_q_dfs_ManagerSendSiteInfo {
+       uint32 dummy;
+} NETDFS_Q_DFS_MANAGERSENDSITEINFO;
+
+typedef struct netdfs_r_dfs_ManagerSendSiteInfo {
+       WERROR status;
+} NETDFS_R_DFS_MANAGERSENDSITEINFO;
+
+typedef struct netdfs_q_dfs_AddFtRoot {
+       uint32 dummy;
+} NETDFS_Q_DFS_ADDFTROOT;
+
+typedef struct netdfs_r_dfs_AddFtRoot {
+       WERROR status;
+} NETDFS_R_DFS_ADDFTROOT;
+
+typedef struct netdfs_q_dfs_RemoveFtRoot {
+       uint32 dummy;
+} NETDFS_Q_DFS_REMOVEFTROOT;
+
+typedef struct netdfs_r_dfs_RemoveFtRoot {
+       WERROR status;
+} NETDFS_R_DFS_REMOVEFTROOT;
+
+typedef struct netdfs_q_dfs_AddStdRoot {
+       uint32 dummy;
+} NETDFS_Q_DFS_ADDSTDROOT;
+
+typedef struct netdfs_r_dfs_AddStdRoot {
+       WERROR status;
+} NETDFS_R_DFS_ADDSTDROOT;
+
+typedef struct netdfs_q_dfs_RemoveStdRoot {
+       uint32 dummy;
+} NETDFS_Q_DFS_REMOVESTDROOT;
+
+typedef struct netdfs_r_dfs_RemoveStdRoot {
+       WERROR status;
+} NETDFS_R_DFS_REMOVESTDROOT;
+
+typedef struct netdfs_q_dfs_ManagerInitialize {
+       uint32 dummy;
+} NETDFS_Q_DFS_MANAGERINITIALIZE;
+
+typedef struct netdfs_r_dfs_ManagerInitialize {
+       WERROR status;
+} NETDFS_R_DFS_MANAGERINITIALIZE;
+
+typedef struct netdfs_q_dfs_AddStdRootForced {
+       uint32 dummy;
+} NETDFS_Q_DFS_ADDSTDROOTFORCED;
+
+typedef struct netdfs_r_dfs_AddStdRootForced {
+       WERROR status;
+} NETDFS_R_DFS_ADDSTDROOTFORCED;
+
+typedef struct netdfs_q_dfs_GetDcAddress {
+       uint32 dummy;
+} NETDFS_Q_DFS_GETDCADDRESS;
+
+typedef struct netdfs_r_dfs_GetDcAddress {
+       WERROR status;
+} NETDFS_R_DFS_GETDCADDRESS;
+
+typedef struct netdfs_q_dfs_SetDcAddress {
+       uint32 dummy;
+} NETDFS_Q_DFS_SETDCADDRESS;
+
+typedef struct netdfs_r_dfs_SetDcAddress {
+       WERROR status;
+} NETDFS_R_DFS_SETDCADDRESS;
+
+typedef struct netdfs_q_dfs_FlushFtTable {
+       uint32 dummy;
+} NETDFS_Q_DFS_FLUSHFTTABLE;
+
+typedef struct netdfs_r_dfs_FlushFtTable {
+       WERROR status;
+} NETDFS_R_DFS_FLUSHFTTABLE;
+
+typedef struct netdfs_q_dfs_Add2 {
+       uint32 dummy;
+} NETDFS_Q_DFS_ADD2;
+
+typedef struct netdfs_r_dfs_Add2 {
+       WERROR status;
+} NETDFS_R_DFS_ADD2;
+
+typedef struct netdfs_q_dfs_Remove2 {
+       uint32 dummy;
+} NETDFS_Q_DFS_REMOVE2;
+
+typedef struct netdfs_r_dfs_Remove2 {
+       WERROR status;
+} NETDFS_R_DFS_REMOVE2;
+
+typedef struct netdfs_q_dfs_EnumEx {
+       uint32 dummy;
+} NETDFS_Q_DFS_ENUMEX;
+
+typedef struct netdfs_r_dfs_EnumEx {
+       WERROR status;
+} NETDFS_R_DFS_ENUMEX;
+
+typedef struct netdfs_q_dfs_SetInfo2 {
+       uint32 dummy;
+} NETDFS_Q_DFS_SETINFO2;
+
+typedef struct netdfs_r_dfs_SetInfo2 {
+       WERROR status;
+} NETDFS_R_DFS_SETINFO2;
+
+#endif /* _RPC_NETDFS_H */
index dd255c28d5d5e3b52166db8fe0a5375bb45c7d23..c8d6a210b51eb3e1806849ea1f72d9c47533699a 100644 (file)
@@ -80,6 +80,7 @@
 #define LSA_UNK_GET_CONNUSER   0x2d /* LsaGetConnectedCredentials ? */
 #define LSA_QUERYINFO2         0x2e
 #define LSA_QUERYTRUSTDOMINFOBYNAME 0x30
+#define LSA_QUERYDOMINFOPOL    0x35
 #define LSA_OPENTRUSTDOMBYNAME 0x37
 
 /* XXXX these are here to get a compile! */
@@ -393,7 +394,7 @@ typedef struct lsa_trans_name_info
 } LSA_TRANS_NAME;
 
 /* This number is based on Win2k and later maximum response allowed */
-#define MAX_LOOKUP_SIDS 20480
+#define MAX_LOOKUP_SIDS 20480  /* 0x5000 */
 
 /* LSA_TRANS_NAME_ENUM - LSA Translated Name Enumeration container */
 typedef struct lsa_trans_name_enum_info
@@ -750,6 +751,25 @@ typedef struct {
 
 /*******************************************************/
 
+/* LSA_Q_OPEN_TRUSTED_DOMAIN_BY_NAME - LSA Query Open Trusted Domain by Name*/
+typedef struct lsa_q_open_trusted_domain_by_name
+{
+       POLICY_HND      pol;    /* policy handle */
+       LSA_STRING      name;   /* domain name */
+       uint32  access_mask;    /* access mask */
+       
+} LSA_Q_OPEN_TRUSTED_DOMAIN_BY_NAME;
+
+/* LSA_R_OPEN_TRUSTED_DOMAIN_BY_NAME - response to LSA Query Open Trusted Domain by Name */
+typedef struct {
+       POLICY_HND      handle; /* trustdom policy handle */
+       NTSTATUS        status; /* return code */
+} LSA_R_OPEN_TRUSTED_DOMAIN_BY_NAME;
+
+
+/*******************************************************/
+
+
 typedef struct {
        POLICY_HND      handle; 
        UNISTR4         secretname;
@@ -955,4 +975,38 @@ typedef struct r_lsa_query_trusted_domain_info
        NTSTATUS status;
 } LSA_R_QUERY_TRUSTED_DOMAIN_INFO;
 
+typedef struct dom_info_kerberos {
+       uint32 enforce_restrictions;
+       NTTIME service_tkt_lifetime;
+       NTTIME user_tkt_lifetime;
+       NTTIME user_tkt_renewaltime;
+       NTTIME clock_skew;
+       NTTIME unknown6;
+} LSA_DOM_INFO_POLICY_KERBEROS;
+
+typedef struct dom_info_efs {
+       uint32 blob_len;
+       UNISTR2 efs_blob;
+} LSA_DOM_INFO_POLICY_EFS;
+
+typedef struct lsa_dom_info_union {
+       uint16 info_class;
+       LSA_DOM_INFO_POLICY_EFS efs_policy;
+       LSA_DOM_INFO_POLICY_KERBEROS krb_policy;
+} LSA_DOM_INFO_UNION;
+
+/* LSA_Q_QUERY_DOM_INFO_POLICY - LSA query info */
+typedef struct lsa_q_query_dom_info_policy
+{
+       POLICY_HND pol;    /* policy handle */
+       uint16 info_class; /* info class */
+} LSA_Q_QUERY_DOM_INFO_POLICY;
+
+typedef struct lsa_r_query_dom_info_policy
+{
+       LSA_DOM_INFO_UNION *info;
+       NTSTATUS status;
+} LSA_R_QUERY_DOM_INFO_POLICY;
+
+
 #endif /* _RPC_LSA_H */
index c1d85403448959826c11e2ded4ff9bc5794aebb9..91f85601e3033272f1e1b300dfde4a9e03d1ef87 100644 (file)
 #define NL_CTRL_REPL_IN_PROGRESS 0x0002
 #define NL_CTRL_FULL_SYNC        0x0004
 
-#define LOGON_EXTRA_SIDS             0x0020
-#define LOGON_RESOURCE_GROUPS        0x0200 
+#define LOGON_GUEST                    0x00000001
+#define LOGON_NOENCRYPTION             0x00000002
+#define LOGON_CACHED_ACCOUNT           0x00000004
+#define LOGON_USED_LM_PASSWORD         0x00000008
+#define LOGON_EXTRA_SIDS               0x00000020
+#define LOGON_SUBAUTH_SESSION_KEY      0x00000040
+#define LOGON_SERVER_TRUST_ACCOUNT     0x00000080
+#define LOGON_NTLMV2_ENABLED           0x00000100
+#define LOGON_RESOURCE_GROUPS          0x00000200
+#define LOGON_PROFILE_PATH_RETURNED    0x00000400
+#define LOGON_GRACE_LOGON              0x01000000
 
 #define SE_GROUP_MANDATORY             0x00000001
 #define SE_GROUP_ENABLED_BY_DEFAULT    0x00000002
index 342db37ea574721eced74205661bb2e1d5e726f0..2fae514c3d1f1d9e368f721765f39e68e072f484 100644 (file)
@@ -1843,6 +1843,10 @@ typedef struct q_samr_chgpasswd3
 
 } SAMR_Q_CHGPASSWD3;
 
+#define REJECT_REASON_TOO_SHORT                0x00000001
+#define REJECT_REASON_IN_HISTORY       0x00000002
+#define REJECT_REASON_NOT_COMPLEX      0x00000005
+
 /* SAMR_CHANGE_REJECT */
 typedef struct samr_change_reject
 {
index f2d1afd96b3924eb74448f7a797e4de1d161081d..610a14b52be628f0ff08db940ab2f1492a4d49d2 100644 (file)
@@ -75,10 +75,10 @@ typedef struct trusted_dom_pass {
  * trusted domain entry/entries returned by secrets_get_trusted_domains
  * (used in _lsa_enum_trust_dom call)
  */
-typedef struct trustdom {
-       smb_ucs2_t *name;
+struct trustdom_info {
+       char *name;
        DOM_SID sid;
-} TRUSTDOM;
+};
 
 /*
  * Format of an OpenAFS keyfile
index 3a6f68b9ecc4a113b29c5dbac6c33489bfca1793..b167e4ee126b7099ee84d2ae751a6f4ffb85ca13 100644 (file)
@@ -224,18 +224,26 @@ typedef struct nttime_info {
 
 
 /* Allowable account control bits */
-#define ACB_DISABLED   0x0001  /* 1 = User account disabled */
-#define ACB_HOMDIRREQ  0x0002  /* 1 = Home directory required */
-#define ACB_PWNOTREQ   0x0004  /* 1 = User password not required */
-#define ACB_TEMPDUP    0x0008  /* 1 = Temporary duplicate account */
-#define ACB_NORMAL     0x0010  /* 1 = Normal user account */
-#define ACB_MNS        0x0020  /* 1 = MNS logon user account */
-#define ACB_DOMTRUST   0x0040  /* 1 = Interdomain trust account */
-#define ACB_WSTRUST    0x0080  /* 1 = Workstation trust account */
-#define ACB_SVRTRUST   0x0100  /* 1 = Server trust account (BDC) */
-#define ACB_PWNOEXP    0x0200  /* 1 = User password does not expire */
-#define ACB_AUTOLOCK   0x0400  /* 1 = Account auto locked */
+#define ACB_DISABLED                   0x00000001  /* 1 = User account disabled */
+#define ACB_HOMDIRREQ                  0x00000002  /* 1 = Home directory required */
+#define ACB_PWNOTREQ                   0x00000004  /* 1 = User password not required */
+#define ACB_TEMPDUP                    0x00000008  /* 1 = Temporary duplicate account */
+#define ACB_NORMAL                     0x00000010  /* 1 = Normal user account */
+#define ACB_MNS                                0x00000020  /* 1 = MNS logon user account */
+#define ACB_DOMTRUST                   0x00000040  /* 1 = Interdomain trust account */
+#define ACB_WSTRUST                    0x00000080  /* 1 = Workstation trust account */
+#define ACB_SVRTRUST                   0x00000100  /* 1 = Server trust account (BDC) */
+#define ACB_PWNOEXP                    0x00000200  /* 1 = User password does not expire */
+#define ACB_AUTOLOCK                   0x00000400  /* 1 = Account auto locked */
+
+/* only valid for > Windows 2000 */
+#define ACB_ENC_TXT_PWD_ALLOWED                0x00000800  /* 1 = Text password encryped */
+#define ACB_SMARTCARD_REQUIRED         0x00001000  /* 1 = Smart Card required */
+#define ACB_TRUSTED_FOR_DELEGATION     0x00002000  /* 1 = Trusted for Delegation */
+#define ACB_NOT_DELEGATED              0x00004000  /* 1 = Not delegated */
+#define ACB_USE_DES_KEY_ONLY           0x00008000  /* 1 = Use DES key only */
+#define ACB_DONT_REQUIRE_PREAUTH       0x00010000  /* 1 = Preauth not required */
+
 #define MAX_HOURS_LEN 32
 
 #ifndef MAXSUBAUTHS
@@ -262,6 +270,9 @@ enum SID_NAME_USE {
 #define LOOKUP_NAME_REMOTE   2  /* Ask others */
 #define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE)
 
+#define LOOKUP_NAME_GROUP    4  /* This is a NASTY hack for valid users = @foo
+                                * where foo also exists in as user. */
+
 /**
  * @brief Security Identifier
  *
@@ -280,6 +291,21 @@ typedef struct sid_info {
        uint32 sub_auths[MAXSUBAUTHS];  
 } DOM_SID;
 
+struct lsa_dom_info {
+       BOOL valid;
+       DOM_SID sid;
+       const char *name;
+       int num_idxs;
+       int *idxs;
+};
+
+struct lsa_name_info {
+       uint32 rid;
+       enum SID_NAME_USE type;
+       const char *name;
+       int dom_idx;
+};
+
 /* Some well-known SIDs */
 extern const DOM_SID global_sid_World_Domain;
 extern const DOM_SID global_sid_World;
@@ -302,6 +328,8 @@ extern const DOM_SID global_sid_Builtin_Server_Operators;
 extern const DOM_SID global_sid_Builtin_Print_Operators;
 extern const DOM_SID global_sid_Builtin_Backup_Operators;
 extern const DOM_SID global_sid_Builtin_Replicator;
+extern const DOM_SID global_sid_Unix_Users;
+extern const DOM_SID global_sid_Unix_Groups;
 
 /*
  * The complete list of SIDS belonging to this user.
@@ -316,7 +344,7 @@ extern const DOM_SID global_sid_Builtin_Replicator;
 #define PRIMARY_USER_SID_INDEX 0
 #define PRIMARY_GROUP_SID_INDEX 1
 
-typedef struct _nt_user_token {
+typedef struct nt_user_token {
        size_t num_sids;
        DOM_SID *user_sids;
        SE_PRIV privileges;
@@ -1719,6 +1747,22 @@ typedef struct uuid_flat {
 /* map readonly options */
 enum mapreadonly_options {MAP_READONLY_NO, MAP_READONLY_YES, MAP_READONLY_PERMISSIONS};
 
+/* usershare error codes. */
+enum usershare_err {
+               USERSHARE_OK=0,
+               USERSHARE_MALFORMED_FILE,
+               USERSHARE_BAD_VERSION,
+               USERSHARE_MALFORMED_PATH,
+               USERSHARE_MALFORMED_COMMENT_DEF,
+               USERSHARE_MALFORMED_ACL_DEF,
+               USERSHARE_ACL_ERR,
+               USERSHARE_PATH_NOT_ABSOLUTE,
+               USERSHARE_PATH_IS_DENIED,
+               USERSHARE_PATH_NOT_ALLOWED,
+               USERSHARE_PATH_NOT_DIRECTORY,
+               USERSHARE_POSIX_ERR
+};
+
 /* Different reasons for closing a file. */
 enum file_close_type {NORMAL_CLOSE=0,SHUTDOWN_CLOSE,ERROR_CLOSE};
 
index bea1a6d84a36c54dd3eec4bf6a4aa93009f64dfe..8870205bbbc79c4f99bf96f486da56ce545904ff 100644 (file)
@@ -131,8 +131,7 @@ NTSTATUS smbldap_init(TALLOC_CTX *mem_ctx,
                       struct smbldap_state **smbldap_state);
 
 const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key );
-const char** get_attr_list( ATTRIB_MAP_ENTRY table[] );
-void free_attr_list( const char **list );
+const char** get_attr_list( TALLOC_CTX *mem_ctx, ATTRIB_MAP_ENTRY table[] );
 void smbldap_set_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value);
 void smbldap_make_mod(LDAP *ldap_struct, LDAPMessage *existing,
                      LDAPMod ***mods,
@@ -207,7 +206,17 @@ int ldapsam_search_suffix_by_name(struct ldapsam_privates *ldap_state,
 NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context,
                           PDB_METHODS **pdb_method,
                           const char *location);
-const char** get_userattr_list( int schema_ver );
+const char** get_userattr_list( TALLOC_CTX *mem_ctx, int schema_ver );
+
+char * smbldap_talloc_single_attribute(LDAP *ldap_struct, LDAPMessage *entry,
+                                      const char *attribute,
+                                      TALLOC_CTX *mem_ctx);
+void talloc_autofree_ldapmsg(TALLOC_CTX *mem_ctx, LDAPMessage *result);
+void talloc_autofree_ldapmod(TALLOC_CTX *mem_ctx, LDAPMod **mod);
+const char *smbldap_talloc_dn(TALLOC_CTX *mem_ctx, LDAP *ld,
+                             LDAPMessage *entry);
+
+
 
 #endif         /* HAVE_LDAP */
 
index d3422f0d78ac03d599ac2fc2898455ca083bf1be..d20a15d90e26c7ce74cfb74f6a7ab00d6753d5b8 100644 (file)
@@ -34,7 +34,7 @@ static BOOL load_msg(const char *msg_file)
        char *msgid, *msgstr;
        TDB_DATA key, data;
 
-       lines = file_lines_load(msg_file, &num_lines);
+       lines = file_lines_load(msg_file, &num_lines,0);
 
        if (!lines) {
                return False;
index 1b31dff4995063a8fc37996b03c592737bf4b51a..9b587224e3e8b19624061ed92081ebbedc3e6030 100644 (file)
@@ -29,3 +29,12 @@ void decrement_smbd_process_count( void )
        return;
 }
 
+int find_service(fstring service)
+{
+       return -1;
+}
+
+BOOL conn_snum_used(int snum)
+{
+       return False;
+}
diff --git a/source/lib/events.c b/source/lib/events.c
new file mode 100644 (file)
index 0000000..314f074
--- /dev/null
@@ -0,0 +1,125 @@
+/*
+   Unix SMB/CIFS implementation.
+   Timed event library.
+   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Volker Lendecke 2005
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+static struct timed_event *timed_events;
+
+static int timed_event_destructor(void *p)
+{
+       struct timed_event *te = talloc_get_type_abort(p, struct timed_event);
+       DEBUG(10, ("Destroying timed event %lx \"%s\"\n", (unsigned long)te,
+               te->event_name));
+       DLIST_REMOVE(timed_events, te);
+       return 0;
+}
+
+/****************************************************************************
+ Schedule a function for future calling, cancel with talloc_free().
+ It's the responsibility of the handler to call talloc_free() on the event
+ handed to it.
+****************************************************************************/
+
+struct timed_event *add_timed_event(TALLOC_CTX *mem_ctx,
+                               struct timeval when,
+                               const char *event_name,
+                               void (*handler)(struct timed_event *te,
+                                               const struct timeval *now,
+                                               void *private_data),
+                               void *private_data)
+{
+       struct timed_event *te, *last_te, *cur_te;
+
+       te = TALLOC_P(mem_ctx, struct timed_event);
+       if (te == NULL) {
+               DEBUG(0, ("talloc failed\n"));
+               return NULL;
+       }
+
+       te->when = when;
+       te->event_name = event_name;
+       te->handler = handler;
+       te->private_data = private_data;
+
+       /* keep the list ordered */
+       last_te = NULL;
+       for (cur_te = timed_events; cur_te; cur_te = cur_te->next) {
+               /* if the new event comes before the current one break */
+               if (!timeval_is_zero(&cur_te->when) &&
+                               timeval_compare(&te->when, &cur_te->when) < 0) {
+                       break;
+               }
+               last_te = cur_te;
+       }
+
+       DLIST_ADD_AFTER(timed_events, te, last_te);
+       talloc_set_destructor(te, timed_event_destructor);
+
+       DEBUG(10, ("Added timed event \"%s\": %lx\n", event_name,
+                       (unsigned long)te));
+       return te;
+}
+
+void run_events(void)
+{
+       struct timeval now;
+
+       if (timed_events == NULL) {
+               /* No syscall if there are no events */
+               DEBUG(10, ("run_events: No events\n"));
+               return;
+       }
+
+       GetTimeOfDay(&now);
+
+       if (timeval_compare(&now, &timed_events->when) < 0) {
+               /* Nothing to do yet */
+               DEBUG(10, ("run_events: Nothing to do\n"));
+               return;
+       }
+
+       DEBUG(10, ("Running event \"%s\" %lx\n", timed_events->event_name,
+               (unsigned long)timed_events));
+
+       timed_events->handler(timed_events, &now, timed_events->private_data);
+       return;
+}
+
+struct timeval *get_timed_events_timeout(struct timeval *to_ret, time_t default_to)
+{
+       struct timeval now;
+
+       if (timed_events == NULL) {
+               if (default_to == (time_t)-1) {
+                       return NULL;
+               }
+               *to_ret = timeval_set(default_to, 0);
+               return to_ret;
+       }
+
+       now = timeval_current();
+       *to_ret = timeval_until(&now, &timed_events->when);
+
+       DEBUG(10, ("timed_events_timeout: %d/%d\n", (int)to_ret->tv_sec,
+               (int)to_ret->tv_usec));
+
+       return to_ret;
+}
index f37bbc9c2fd3b310e7971246d80aa2e5801af7c6..5b643bf297ef7503fea19895a1347eaa6be24fb9 100644 (file)
@@ -114,14 +114,14 @@ static int do_reseed(BOOL use_fd, int fd)
         * seriously this will be secret.
         */
 
-       pw = getpwnam_alloc("root");
+       pw = getpwnam_alloc(NULL, "root");
        if (pw && pw->pw_passwd) {
                size_t i;
                unsigned char md4_tmp[16];
                mdfour(md4_tmp, (unsigned char *)pw->pw_passwd, strlen(pw->pw_passwd));
                for (i=0;i<16;i++)
                        seed_inbuf[8+i] ^= md4_tmp[i];
-               passwd_free(&pw);
+               talloc_free(pw);
        }
 
        /*
index 058bbc99b0bcce105609c18af40a633096a95ad0..2d6518aed6a718a429962e487e61702f4a9b2836 100644 (file)
@@ -604,4 +604,19 @@ BOOL message_send_all(TDB_CONTEXT *conn_tdb, int msg_type,
                *n_sent = msg_all.n_sent;
        return True;
 }
+
+/*
+ * Block and unblock receiving of messages. Allows removal of race conditions
+ * when doing a fork and changing message disposition.
+ */
+
+void message_block(void)
+{
+       BlockSignals(True, SIGUSR1);
+}
+
+void message_unblock(void)
+{
+       BlockSignals(False, SIGUSR1);
+}
 /** @} **/
index 212d3831fd588d891898c3b032c791243587f3a2..8a4c41d7df55bf86bebfb8f846f24673e38bd987 100644 (file)
@@ -71,6 +71,7 @@ static const struct {
        {NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
        {NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
        {NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
+       {NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED},
        {NT_STATUS_OK, PAM_SUCCESS}
 };
 
index b041eb7f1b2d5b1e2b300a0cff3b01c3661eb0c5..08e41083b59946f0ef1ac29e33b61544961c997a 100644 (file)
@@ -32,7 +32,8 @@ pid_t pidfile_pid(const char *name)
 {
        int fd;
        char pidstr[20];
-       unsigned ret;
+       pid_t pid;
+       unsigned int ret;
        pstring pidFile;
 
        slprintf(pidFile, sizeof(pidFile)-1, "%s/%s.pid", lp_piddir(), name);
@@ -57,7 +58,8 @@ pid_t pidfile_pid(const char *name)
                goto noproc;
        }
        
-       if (!process_exists_by_pid(ret)) {
+       pid = (pid_t)ret;
+       if (!process_exists_by_pid(pid)) {
                goto noproc;
        }
 
index 78b99fd7fb03168fe78c71d1e4d8feea61e6d1cb..c1f1dc7f4003c872a01b0e29bb48f94d86e76bdf 100644 (file)
@@ -50,7 +50,7 @@
  Display the prompt and wait for input. Call callback() regularly
 ****************************************************************************/
 
-static char *smb_readline_replacement(char *prompt, void (*callback)(void), 
+static char *smb_readline_replacement(const char *prompt, void (*callback)(void), 
                                char **(completion_fn)(const char *text, int start, int end))
 {
        fd_set fds;
@@ -82,7 +82,7 @@ static char *smb_readline_replacement(char *prompt, void (*callback)(void),
  Display the prompt and wait for input. Call callback() regularly.
 ****************************************************************************/
 
-char *smb_readline(char *prompt, void (*callback)(void), 
+char *smb_readline(const char *prompt, void (*callback)(void), 
                   char **(completion_fn)(const char *text, int start, int end))
 {
 #if HAVE_LIBREADLINE
index ace0aee866464e2d0ba8a8169b750d6ccb44ffd8..273bf0f0a3f365fa915ce1ace9adba2fe1c3c595 100644 (file)
 
 #include "includes.h"
 
+/* Map generic permissions to file object specific permissions */
+
+struct generic_mapping file_generic_mapping = {
+       FILE_GENERIC_READ,
+       FILE_GENERIC_WRITE,
+       FILE_GENERIC_EXECUTE,
+       FILE_GENERIC_ALL
+};
+
 /*******************************************************************
  Works out the linearization size of a SEC_DESC.
 ********************************************************************/
@@ -520,3 +529,4 @@ void init_sec_access(SEC_ACCESS *t, uint32 mask)
        t->mask = mask;
 }
 
+
diff --git a/source/lib/sharesec.c b/source/lib/sharesec.c
new file mode 100644 (file)
index 0000000..b98e304
--- /dev/null
@@ -0,0 +1,308 @@
+/* 
+ *  Unix SMB/Netbios implementation.
+ *  SEC_DESC handling functions
+ *  Copyright (C) Jeremy R. Allison            1995-2003.
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+/*******************************************************************
+ Create the share security tdb.
+ ********************************************************************/
+
+static TDB_CONTEXT *share_tdb; /* used for share security descriptors */
+#define SHARE_DATABASE_VERSION_V1 1
+#define SHARE_DATABASE_VERSION_V2 2 /* version id in little endian. */
+
+/* Map generic permissions to file object specific permissions */
+
+static struct generic_mapping file_generic_mapping = {
+        FILE_GENERIC_READ,
+        FILE_GENERIC_WRITE,
+        FILE_GENERIC_EXECUTE,
+        FILE_GENERIC_ALL
+};
+
+
+BOOL share_info_db_init(void)
+{
+       const char *vstring = "INFO/version";
+       int32 vers_id;
+       if (share_tdb) {
+               return True;
+       }
+
+       share_tdb = tdb_open_log(lock_path("share_info.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
+       if (!share_tdb) {
+               DEBUG(0,("Failed to open share info database %s (%s)\n",
+                       lock_path("share_info.tdb"), strerror(errno) ));
+               return False;
+       }
+       /* handle a Samba upgrade */
+       tdb_lock_bystring(share_tdb, vstring, 0);
+
+       /* Cope with byte-reversed older versions of the db. */
+       vers_id = tdb_fetch_int32(share_tdb, vstring);
+       if ((vers_id == SHARE_DATABASE_VERSION_V1) || (IREV(vers_id) == SHARE_DATABASE_VERSION_V1)) {
+               /* Written on a bigendian machine with old fetch_int code. Save as le. */
+               tdb_store_int32(share_tdb, vstring, SHARE_DATABASE_VERSION_V2);
+               vers_id = SHARE_DATABASE_VERSION_V2;
+       }
+
+       if (vers_id != SHARE_DATABASE_VERSION_V2) {
+               tdb_traverse(share_tdb, tdb_traverse_delete_fn, NULL);
+               tdb_store_int32(share_tdb, vstring, SHARE_DATABASE_VERSION_V2);
+       }
+       tdb_unlock_bystring(share_tdb, vstring);
+
+       return True;
+}
+
+/*******************************************************************
+ Fake up a Everyone, default access as a default.
+ def_access is a GENERIC_XXX access mode.
+ ********************************************************************/
+
+SEC_DESC *get_share_security_default( TALLOC_CTX *ctx, size_t *psize, uint32 def_access)
+{
+       SEC_ACCESS sa;
+       SEC_ACE ace;
+       SEC_ACL *psa = NULL;
+       SEC_DESC *psd = NULL;
+       uint32 spec_access = def_access;
+
+       se_map_generic(&spec_access, &file_generic_mapping);
+
+       init_sec_access(&sa, def_access | spec_access );
+       init_sec_ace(&ace, &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0);
+
+       if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 1, &ace)) != NULL) {
+               psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, psize);
+       }
+
+       if (!psd) {
+               DEBUG(0,("get_share_security: Failed to make SEC_DESC.\n"));
+               return NULL;
+       }
+
+       return psd;
+}
+
+/*******************************************************************
+ Pull a security descriptor from the share tdb.
+ ********************************************************************/
+
+SEC_DESC *get_share_security( TALLOC_CTX *ctx, int snum, size_t *psize)
+{
+       prs_struct ps;
+       fstring key;
+       SEC_DESC *psd = NULL;
+
+       if (!share_info_db_init()) {
+               return NULL;
+       }
+
+       *psize = 0;
+
+       /* Fetch security descriptor from tdb */
+       slprintf(key, sizeof(key)-1, "SECDESC/%s", lp_servicename(snum));
+       if (tdb_prs_fetch(share_tdb, key, &ps, ctx)!=0 ||
+               !sec_io_desc("get_share_security", &psd, &ps, 1)) {
+               DEBUG(4,("get_share_security: using default secdesc for %s\n", lp_servicename(snum) ));
+               return get_share_security_default(ctx, psize, GENERIC_ALL_ACCESS);
+       }
+
+       if (psd)
+               *psize = sec_desc_size(psd);
+
+       prs_mem_free(&ps);
+       return psd;
+}
+
+/*******************************************************************
+ Store a security descriptor in the share db.
+ ********************************************************************/
+
+BOOL set_share_security(TALLOC_CTX *ctx, const char *share_name, SEC_DESC *psd)
+{
+       prs_struct ps;
+       TALLOC_CTX *mem_ctx = NULL;
+       fstring key;
+       BOOL ret = False;
+
+       if (!share_info_db_init()) {
+               return False;
+       }
+
+       mem_ctx = talloc_init("set_share_security");
+       if (mem_ctx == NULL)
+               return False;
+
+       prs_init(&ps, (uint32)sec_desc_size(psd), mem_ctx, MARSHALL);
+       if (!sec_io_desc("share_security", &psd, &ps, 1))
+               goto out;
+       slprintf(key, sizeof(key)-1, "SECDESC/%s", share_name);
+       if (tdb_prs_store(share_tdb, key, &ps)==0) {
+               ret = True;
+               DEBUG(5,("set_share_security: stored secdesc for %s\n", share_name ));
+       } else {
+               DEBUG(1,("set_share_security: Failed to store secdesc for %s\n", share_name ));
+       } 
+
+       /* Free malloc'ed memory */
+out:
+       prs_mem_free(&ps);
+       if (mem_ctx)
+               talloc_destroy(mem_ctx);
+       return ret;
+}
+
+/*******************************************************************
+ Delete a security descriptor.
+********************************************************************/
+
+BOOL delete_share_security(int snum)
+{
+       TDB_DATA kbuf;
+       fstring key;
+
+       slprintf(key, sizeof(key)-1, "SECDESC/%s", lp_servicename(snum));
+       kbuf.dptr = key;
+       kbuf.dsize = strlen(key)+1;
+
+       if (tdb_delete(share_tdb, kbuf) != 0) {
+               DEBUG(0,("delete_share_security: Failed to delete entry for share %s\n",
+                               lp_servicename(snum) ));
+               return False;
+       }
+
+       return True;
+}
+
+/***************************************************************************
+ Parse the contents of an acl string from a usershare file.
+***************************************************************************/
+
+BOOL parse_usershare_acl(TALLOC_CTX *ctx, const char *acl_str, SEC_DESC **ppsd)
+{
+       size_t s_size = 0;
+       const char *pacl = acl_str;
+       int num_aces = 0;
+       SEC_ACE *ace_list = NULL;
+       SEC_ACL *psa = NULL;
+       SEC_DESC *psd = NULL;
+       size_t sd_size = 0;
+       int i;
+
+       *ppsd = NULL;
+
+       /* If the acl string is blank return "Everyone:R" */
+       if (!*acl_str) {
+               SEC_DESC *default_psd = get_share_security_default(ctx, &s_size, GENERIC_READ_ACCESS);
+               if (!default_psd) {
+                       return False;
+               }
+               *ppsd = default_psd;
+               return True;
+       }
+
+       num_aces = 1;
+
+       /* Add the number of ',' characters to get the number of aces. */
+       num_aces += count_chars(pacl,',');
+
+       ace_list = TALLOC_ARRAY(ctx, SEC_ACE, num_aces);
+       if (!ace_list) {
+               return False;
+       }
+
+       for (i = 0; i < num_aces; i++) {
+               SEC_ACCESS sa;
+               uint32 g_access;
+               uint32 s_access;
+               DOM_SID sid;
+               fstring sidstr;
+               uint8 type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+
+               if (!next_token(&pacl, sidstr, ":", sizeof(sidstr))) {
+                       DEBUG(0,("parse_usershare_acl: malformed usershare acl looking "
+                               "for ':' in string '%s'\n", pacl));
+                       return False;
+               }
+
+               if (!string_to_sid(&sid, sidstr)) {
+                       DEBUG(0,("parse_usershare_acl: failed to convert %s to sid.\n",
+                               sidstr ));
+                       return False;
+               }
+
+               switch (*pacl) {
+                       case 'F': /* Full Control, ie. R+W */
+                       case 'f': /* Full Control, ie. R+W */
+                               s_access = g_access = GENERIC_ALL_ACCESS;
+                               break;
+                       case 'R': /* Read only. */
+                       case 'r': /* Read only. */
+                               s_access = g_access = GENERIC_READ_ACCESS;
+                               break;
+                       case 'D': /* Deny all to this SID. */
+                       case 'd': /* Deny all to this SID. */
+                               type = SEC_ACE_TYPE_ACCESS_DENIED;
+                               s_access = g_access = GENERIC_ALL_ACCESS;
+                               break;
+                       default:
+                               DEBUG(0,("parse_usershare_acl: unknown acl type at %s.\n",
+                                       pacl ));
+                               return False;
+               }
+
+               pacl++;
+               if (*pacl && *pacl != ',') {
+                       DEBUG(0,("parse_usershare_acl: bad acl string at %s.\n",
+                               pacl ));
+                       return False;
+               }
+               pacl++; /* Go past any ',' */
+
+               se_map_generic(&s_access, &file_generic_mapping);
+               init_sec_access(&sa, g_access | s_access );
+               init_sec_ace(&ace_list[i], &sid, type, sa, 0);
+       }
+
+       if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, num_aces, ace_list)) != NULL) {
+               psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, &sd_size);
+       }
+
+       if (!psd) {
+               DEBUG(0,("parse_usershare_acl: Failed to make SEC_DESC.\n"));
+               return False;
+       }
+
+       *ppsd = psd;
+       return True;
+}
index 609816b877424eda44a88d35a5101d2c3e15285a..c045be51c5f63c817f704adf2fefd10e7d7dfe54 100644 (file)
@@ -230,7 +230,7 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
  Return the list of attribute names from a mapping table
  **********************************************************************/
 
- const char** get_attr_list( ATTRIB_MAP_ENTRY table[] )
+ const char** get_attr_list( TALLOC_CTX *mem_ctx, ATTRIB_MAP_ENTRY table[] )
 {
        const char **names;
        int i = 0;
@@ -239,7 +239,7 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
                i++;
        i++;
 
-       names = SMB_MALLOC_ARRAY( const char*, i );
+       names = TALLOC_ARRAY( mem_ctx, const char*, i );
        if ( !names ) {
                DEBUG(0,("get_attr_list: out of memory\n"));
                return NULL;
@@ -247,7 +247,7 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
 
        i = 0;
        while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
-               names[i] = SMB_STRDUP( table[i].name );
+               names[i] = talloc_strdup( names, table[i].name );
                i++;
        }
        names[i] = NULL;
@@ -255,29 +255,6 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
        return names;
 }
 
-/*********************************************************************
- Cleanup 
- ********************************************************************/
-
- void free_attr_list( const char **list )
-{
-       int i = 0;
-
-       if ( !list )
-               return; 
-
-       while ( list[i] ) {
-               /* SAFE_FREE generates a warning here that can't be gotten rid
-                * of with CONST_DISCARD */
-               if (list[i] != NULL) {
-                       free(CONST_DISCARD(char *, list[i]));
-               }
-               i+=1;
-       }
-
-       SAFE_FREE( list );
-}
-
 /*******************************************************************
  Search an attribute and return the first value found.
 ******************************************************************/
@@ -321,6 +298,88 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
                                            sizeof(pstring));
 }
 
+ char * smbldap_talloc_single_attribute(LDAP *ldap_struct, LDAPMessage *entry,
+                                       const char *attribute,
+                                       TALLOC_CTX *mem_ctx)
+{
+       char **values;
+       char *result;
+
+       if (attribute == NULL) {
+               return NULL;
+       }
+
+       values = ldap_get_values(ldap_struct, entry, attribute);
+
+       if (values == NULL) {
+               DEBUG(10, ("attribute %s does not exist\n", attribute));
+               return NULL;
+       }
+
+       if (ldap_count_values(values) != 1) {
+               DEBUG(10, ("attribute %s has %d values, expected only one\n",
+                          attribute, ldap_count_values(values)));
+               ldap_value_free(values);
+               return NULL;
+       }
+
+       if (pull_utf8_talloc(mem_ctx, &result, values[0]) < 0) {
+               DEBUG(10, ("pull_utf8_talloc failed\n"));
+               ldap_value_free(values);
+               return NULL;
+       }
+
+       ldap_value_free(values);
+
+#ifdef DEBUG_PASSWORDS
+       DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
+                    attribute, result));
+#endif 
+       return result;
+}
+
+ static int ldapmsg_destructor(void *p) {
+       LDAPMessage **result = talloc_get_type_abort(p, LDAPMessage *);
+       ldap_msgfree(*result);
+       return 0;
+}
+
+ void talloc_autofree_ldapmsg(TALLOC_CTX *mem_ctx, LDAPMessage *result)
+{
+       LDAPMessage **handle;
+
+       if (result == NULL) {
+               return;
+       }
+
+       handle = TALLOC_P(mem_ctx, LDAPMessage *);
+       SMB_ASSERT(handle != NULL);
+
+       *handle = result;
+       talloc_set_destructor(handle, ldapmsg_destructor);
+}
+
+ static int ldapmod_destructor(void *p) {
+       LDAPMod ***result = talloc_get_type_abort(p, LDAPMod **);
+       ldap_mods_free(*result, True);
+       return 0;
+}
+
+ void talloc_autofree_ldapmod(TALLOC_CTX *mem_ctx, LDAPMod **mod)
+{
+       LDAPMod ***handle;
+
+       if (mod == NULL) {
+               return;
+       }
+
+       handle = TALLOC_P(mem_ctx, LDAPMod **);
+       SMB_ASSERT(handle != NULL);
+
+       *handle = mod;
+       talloc_set_destructor(handle, ldapmod_destructor);
+}
+
 /************************************************************************
  Routine to manage the LDAPMod structure array
  manage memory used by the array, by each struct, and values
@@ -1041,6 +1100,14 @@ static int another_ldap_try(struct smbldap_state *ldap_state, int *rc,
                        return True;
                }
 
+               if (open_rc == LDAP_INSUFFICIENT_ACCESS) {
+                       /* The fact that we are non-root or any other
+                        * access-denied condition will not change in the next
+                        * round of trying */
+                       *rc = open_rc;
+                       break;
+               }
+
                if (got_alarm) {
                        *rc = LDAP_TIMEOUT;
                        break;
@@ -1123,12 +1190,22 @@ static int smbldap_search_ext(struct smbldap_state *ldap_state,
        alarm(lp_ldap_timeout());
        /* End setup timeout. */
 
-       while (another_ldap_try(ldap_state, &rc, &attempts, endtime))
+       while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
                rc = ldap_search_ext_s(ldap_state->ldap_struct, base, scope, 
                                       utf8_filter,
                                       CONST_DISCARD(char **, attrs),
                                       attrsonly, sctrls, cctrls, &timeout,
                                       sizelimit, res);
+               if (rc != LDAP_SUCCESS) {
+                       char *ld_error = NULL;
+                       ldap_get_option(ldap_state->ldap_struct,
+                                       LDAP_OPT_ERROR_STRING, &ld_error);
+                       DEBUG(10,("Failed search for base: %s, error: %s "
+                                 "(%s)\n", base, ldap_err2string(rc),
+                                 ld_error ? ld_error : "unknown"));
+                       SAFE_FREE(ld_error);
+               }
+       }
 
        SAFE_FREE(utf8_filter);
 
@@ -1257,8 +1334,18 @@ int smbldap_modify(struct smbldap_state *ldap_state, const char *dn, LDAPMod *at
                return LDAP_NO_MEMORY;
        }
 
-       while (another_ldap_try(ldap_state, &rc, &attempts, endtime))
+       while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
                rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
+               if (rc != LDAP_SUCCESS) {
+                       char *ld_error = NULL;
+                       ldap_get_option(ldap_state->ldap_struct,
+                                       LDAP_OPT_ERROR_STRING, &ld_error);
+                       DEBUG(10,("Failed to modify dn: %s, error: %s "
+                                 "(%s)\n", dn, ldap_err2string(rc),
+                                 ld_error ? ld_error : "unknown"));
+                       SAFE_FREE(ld_error);
+               }
+       }
                
        SAFE_FREE(utf8_dn);
        return rc;
@@ -1279,8 +1366,18 @@ int smbldap_add(struct smbldap_state *ldap_state, const char *dn, LDAPMod *attrs
                return LDAP_NO_MEMORY;
        }
 
-       while (another_ldap_try(ldap_state, &rc, &attempts, endtime))
+       while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
                rc = ldap_add_s(ldap_state->ldap_struct, utf8_dn, attrs);
+               if (rc != LDAP_SUCCESS) {
+                       char *ld_error = NULL;
+                       ldap_get_option(ldap_state->ldap_struct,
+                                       LDAP_OPT_ERROR_STRING, &ld_error);
+                       DEBUG(10,("Failed to add dn: %s, error: %s "
+                                 "(%s)\n", dn, ldap_err2string(rc),
+                                 ld_error ? ld_error : "unknown"));
+                       SAFE_FREE(ld_error);
+               }
+       }
        
        SAFE_FREE(utf8_dn);
        return rc;
@@ -1301,8 +1398,18 @@ int smbldap_delete(struct smbldap_state *ldap_state, const char *dn)
                return LDAP_NO_MEMORY;
        }
 
-       while (another_ldap_try(ldap_state, &rc, &attempts, endtime))
+       while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
                rc = ldap_delete_s(ldap_state->ldap_struct, utf8_dn);
+               if (rc != LDAP_SUCCESS) {
+                       char *ld_error = NULL;
+                       ldap_get_option(ldap_state->ldap_struct,
+                                       LDAP_OPT_ERROR_STRING, &ld_error);
+                       DEBUG(10,("Failed to delete dn: %s, error: %s "
+                                 "(%s)\n", dn, ldap_err2string(rc),
+                                 ld_error ? ld_error : "unknown"));
+                       SAFE_FREE(ld_error);
+               }
+       }
        
        SAFE_FREE(utf8_dn);
        return rc;
@@ -1320,34 +1427,33 @@ int smbldap_extended_operation(struct smbldap_state *ldap_state,
        if (!ldap_state)
                return (-1);
 
-       while (another_ldap_try(ldap_state, &rc, &attempts, endtime))
+       while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
                rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid,
                                               reqdata, serverctrls,
                                               clientctrls, retoidp, retdatap);
+               if (rc != LDAP_SUCCESS) {
+                       char *ld_error = NULL;
+                       ldap_get_option(ldap_state->ldap_struct,
+                                       LDAP_OPT_ERROR_STRING, &ld_error);
+                       DEBUG(10,("Extended operation failed with error: %s "
+                                 "(%s)\n", ldap_err2string(rc),
+                                 ld_error ? ld_error : "unknown"));
+                       SAFE_FREE(ld_error);
+               }
+       }
+               
        return rc;
 }
 
 /*******************************************************************
  run the search by name.
 ******************************************************************/
-int smbldap_search_suffix (struct smbldap_state *ldap_state, const char *filter, 
-                          const char **search_attr, LDAPMessage ** result)
+int smbldap_search_suffix (struct smbldap_state *ldap_state,
+                          const char *filter, const char **search_attr,
+                          LDAPMessage ** result)
 {
-       int scope = LDAP_SCOPE_SUBTREE;
-       int rc;
-
-       rc = smbldap_search(ldap_state, lp_ldap_suffix(), scope, filter, search_attr, 0, result);
-
-       if (rc != LDAP_SUCCESS) {
-               char *ld_error = NULL;
-               ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
-                               &ld_error);
-               DEBUG(0,("smbldap_search_suffix: Problem during the LDAP search: %s (%s)\n", 
-                       ld_error?ld_error:"(unknown)", ldap_err2string (rc)));
-               SAFE_FREE(ld_error);
-       }
-       
-       return rc;
+       return smbldap_search(ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE,
+                             filter, search_attr, 0, result);
 }
 
 static void smbldap_idle_fn(void **data, time_t *interval, time_t now)
@@ -1442,6 +1548,25 @@ char *smbldap_get_dn(LDAP *ld, LDAPMessage *entry)
        return unix_dn;
 }
 
+ const char *smbldap_talloc_dn(TALLOC_CTX *mem_ctx, LDAP *ld,
+                              LDAPMessage *entry)
+{
+       char *utf8_dn, *unix_dn;
+
+       utf8_dn = ldap_get_dn(ld, entry);
+       if (!utf8_dn) {
+               DEBUG (5, ("smbldap_get_dn: ldap_get_dn failed\n"));
+               return NULL;
+       }
+       if (pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn) == (size_t)-1) {
+               DEBUG (0, ("smbldap_get_dn: String conversion failure utf8 "
+                          "[%s]\n", utf8_dn));
+               return NULL;
+       }
+       ldap_memfree(utf8_dn);
+       return unix_dn;
+}
+
 /*******************************************************************
  Check if root-dse has a certain Control or Extension
 ********************************************************************/
index 4679b864874a01115d5eb92f257691c5afd9bdc6..7b4cf4d079f8ffa6e636091d533892dc5a16202a 100644 (file)
@@ -99,21 +99,17 @@ static NTSTATUS add_new_domain_info(struct smbldap_state *ldap_state,
        pstring filter, dn;
        LDAPMod **mods = NULL;
        int rc;
-       int ldap_op;
        LDAPMessage *result = NULL;
        int num_result;
        const char **attr_list;
-       uid_t u_low, u_high;
-       gid_t g_low, g_high;
-       uint32 rid_low, rid_high;
 
        slprintf (filter, sizeof (filter) - 1, "(&(%s=%s)(objectclass=%s))", 
                  get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), 
                  domain_name, LDAP_OBJ_DOMINFO);
 
-       attr_list = get_attr_list( dominfo_attr_list );
+       attr_list = get_attr_list( NULL, dominfo_attr_list );
        rc = smbldap_search_suffix(ldap_state, filter, attr_list, &result);
-       free_attr_list( attr_list );
+       talloc_free( attr_list );
 
        if (rc != LDAP_SUCCESS) {
                return NT_STATUS_UNSUCCESSFUL;
@@ -122,80 +118,72 @@ static NTSTATUS add_new_domain_info(struct smbldap_state *ldap_state,
        num_result = ldap_count_entries(ldap_state->ldap_struct, result);
        
        if (num_result > 1) {
-               DEBUG (0, ("More than domain with that name exists: bailing out!\n"));
+               DEBUG (0, ("More than domain with that name exists: bailing "
+                          "out!\n"));
                ldap_msgfree(result);
                return NT_STATUS_UNSUCCESSFUL;
        }
        
        /* Check if we need to add an entry */
        DEBUG(3,("Adding new domain\n"));
-       ldap_op = LDAP_MOD_ADD;
 
-       pstr_sprintf(dn, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
-               domain_name, lp_ldap_suffix());
+       pstr_sprintf(dn, "%s=%s,%s",
+                    get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+                    domain_name, lp_ldap_suffix());
 
        /* Free original search */
        ldap_msgfree(result);
 
-       /* make the changes - the entry *must* not already have samba attributes */
-       smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), 
-               domain_name);
+       /* make the changes - the entry *must* not already have samba
+        * attributes */
 
-       /* If we don't have an entry, then ask secrets.tdb for what it thinks.  
+       smbldap_set_mod(&mods, LDAP_MOD_ADD,
+                       get_attr_key2string(dominfo_attr_list,
+                                           LDAP_ATTR_DOMAIN), 
+                       domain_name);
+
+       /* If we don't have an entry, then ask secrets.tdb for what it thinks.
           It may choose to make it up */
 
        sid_to_string(sid_string, get_global_sam_sid());
-       smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), sid_string);
-
-       slprintf(algorithmic_rid_base_string, sizeof(algorithmic_rid_base_string) - 1, "%i", algorithmic_rid_base());
-       smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_ALGORITHMIC_RID_BASE), 
+       smbldap_set_mod(&mods, LDAP_MOD_ADD,
+                       get_attr_key2string(dominfo_attr_list,
+                                           LDAP_ATTR_DOM_SID),
+                       sid_string);
+
+       slprintf(algorithmic_rid_base_string,
+                sizeof(algorithmic_rid_base_string) - 1, "%i",
+                algorithmic_rid_base());
+       smbldap_set_mod(&mods, LDAP_MOD_ADD,
+                       get_attr_key2string(dominfo_attr_list,
+                                           LDAP_ATTR_ALGORITHMIC_RID_BASE), 
                        algorithmic_rid_base_string);
        smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO);
        
-       /* add the sambaNext[User|Group]Rid attributes if the idmap ranges are set.
-          TODO: fix all the places where the line between idmap and normal operations
-          needed by smbd gets fuzzy   --jerry 2003-08-11                              */
+       /* add the sambaNextUserRid attributes. */
        
-       if ( lp_idmap_uid(&u_low, &u_high) && lp_idmap_gid(&g_low, &g_high)
-               && get_free_rid_range(&rid_low, &rid_high) ) 
        {
+               uint32 rid = BASE_RID;
                fstring rid_str;
                
-               fstr_sprintf( rid_str, "%i", rid_high|USER_RID_TYPE );
+               fstr_sprintf( rid_str, "%i", rid );
                DEBUG(10,("setting next available user rid [%s]\n", rid_str));
                smbldap_set_mod(&mods, LDAP_MOD_ADD, 
-                       get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID), 
-                       rid_str);
-                       
-               fstr_sprintf( rid_str, "%i", rid_high|GROUP_RID_TYPE );
-               DEBUG(10,("setting next available group rid [%s]\n", rid_str));
-               smbldap_set_mod(&mods, LDAP_MOD_ADD, 
-                       get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID), 
+                       get_attr_key2string(dominfo_attr_list,
+                                           LDAP_ATTR_NEXT_USERRID), 
                        rid_str);
-               
         }
 
 
-       switch(ldap_op)
-       {
-       case LDAP_MOD_ADD: 
-               rc = smbldap_add(ldap_state, dn, mods);
-               break;
-       case LDAP_MOD_REPLACE: 
-               rc = smbldap_modify(ldap_state, dn, mods);
-               break;
-       default:        
-               DEBUG(0,("Wrong LDAP operation type: %d!\n", ldap_op));
-               return NT_STATUS_INVALID_PARAMETER;
-       }
-       
+       rc = smbldap_add(ldap_state, dn, mods);
+
        if (rc!=LDAP_SUCCESS) {
                char *ld_error = NULL;
-               ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
-               DEBUG(1,("failed to %s domain dn= %s with: %s\n\t%s\n",
-                      ldap_op == LDAP_MOD_ADD ? "add" : "modify",
-                      dn, ldap_err2string(rc),
-                      ld_error?ld_error:"unknown"));
+               ldap_get_option(ldap_state->ldap_struct,
+                               LDAP_OPT_ERROR_STRING, &ld_error);
+               DEBUG(1,("failed to add domain dn= %s with: %s\n\t%s\n",
+                        dn, ldap_err2string(rc),
+                        ld_error?ld_error:"unknown"));
                SAFE_FREE(ld_error);
 
                ldap_mods_free(mods, True);
@@ -227,9 +215,9 @@ NTSTATUS smbldap_search_domain_info(struct smbldap_state *ldap_state,
 
        DEBUG(2, ("Searching for:[%s]\n", filter));
 
-       attr_list = get_attr_list( dominfo_attr_list );
+       attr_list = get_attr_list( NULL, dominfo_attr_list );
        rc = smbldap_search_suffix(ldap_state, filter, attr_list , result);
-       free_attr_list( attr_list );
+       talloc_free( attr_list );
 
        if (rc != LDAP_SUCCESS) {
                DEBUG(2,("Problem during LDAPsearch: %s\n", ldap_err2string (rc)));
index 6c65f61ad7a0db0493c9074971647c4af2f7c5f3..1d4f88fbb96cd81698ae69faddb677c7e1445d07 100644 (file)
 
 #ifndef HAVE_GETGROUPLIST
 
-static int int_compare( int *a, int *b )
-{
-       if ( *a == *b )
-               return 0;
-       else if ( *a < *b )
-               return -1;
-       else
-               return 1;
-}
-
-void remove_duplicate_gids( int *num_groups, gid_t *groups )
-{
-       int i;
-       int count = *num_groups;
-
-       if ( *num_groups <= 0 || !groups )
-               return;
-
-       DEBUG(8,("remove_duplicate_gids: Enter %d gids\n", *num_groups));
-
-       qsort( groups, *num_groups, sizeof(gid_t), QSORT_CAST int_compare );
-
-       for ( i=1; i<count; ) {
-               if ( groups[i-1] == groups[i] ) {
-                       memmove( &groups[i-1], &groups[i], (count - i + 1)*sizeof(gid_t) );
-
-                       /* decrement the total number of groups and do not increment
-                          the loop counter */
-                       count--;
-                       continue;
-               }
-               i++;
-       }
-
-       *num_groups = count;
-
-       DEBUG(8,("remove_duplicate_gids: Exit %d gids\n", *num_groups));
-
-       return;
-}
-
 /*
   This is a *much* faster way of getting the list of groups for a user
   without changing the current supplementary group list. The old
@@ -79,7 +38,8 @@ void remove_duplicate_gids( int *num_groups, gid_t *groups )
   NOTE!! this function only works if it is called as root!
   */
 
-static int getgrouplist_internals(const char *user, gid_t gid, gid_t *groups, int *grpcnt)
+static int getgrouplist_internals(const char *user, gid_t gid, gid_t *groups,
+                                 int *grpcnt)
 {
        gid_t *gids_saved;
        int ret, ngrp_saved, num_gids;
@@ -140,9 +100,6 @@ static int getgrouplist_internals(const char *user, gid_t gid, gid_t *groups, in
                }
                groups[0] = gid;
                *grpcnt = ret + 1;
-
-               /* remove any duplicates gids in the list */
-               remove_duplicate_gids( grpcnt, groups );
        }
 
        restore_re_gid();
@@ -169,11 +126,11 @@ static int sys_getgrouplist(const char *user, gid_t gid, gid_t *groups, int *grp
        /* see if we should disable winbindd lookups for local users */
        if (strchr(user, *lp_winbind_separator()) == NULL) {
                if ( !winbind_off() )
-                       DEBUG(0,("sys_getgroup_list: Insufficient environment space for %s\n",
-                               WINBINDD_DONT_ENV));
+                       DEBUG(0,("sys_getgroup_list: Insufficient environment space "
+                                "for %s\n", WINBINDD_DONT_ENV));
                else
-                       DEBUG(10,("sys_getgrouplist(): disabled winbindd for group lookup [user == %s]\n",
-                               user));
+                       DEBUG(10,("sys_getgrouplist(): disabled winbindd for group "
+                                 "lookup [user == %s]\n", user));
        }
 
 #ifdef HAVE_GETGROUPLIST
@@ -190,8 +147,9 @@ static int sys_getgrouplist(const char *user, gid_t gid, gid_t *groups, int *grp
        return retval;
 }
 
-static BOOL getgroups_user(const char *user, gid_t primary_gid,
-                          gid_t **ret_groups, size_t *p_ngroups)
+BOOL getgroups_unix_user(TALLOC_CTX *mem_ctx, const char *user,
+                        gid_t primary_gid,
+                        gid_t **ret_groups, size_t *p_ngroups)
 {
        size_t ngrp;
        int max_grp;
@@ -229,10 +187,11 @@ static BOOL getgroups_user(const char *user, gid_t primary_gid,
        groups = NULL;
 
        /* Add in primary group first */
-       add_gid_to_array_unique(NULL, primary_gid, &groups, &ngrp);
+       add_gid_to_array_unique(mem_ctx, primary_gid, &groups, &ngrp);
 
        for (i=0; i<max_grp; i++)
-               add_gid_to_array_unique(NULL, temp_groups[i], &groups, &ngrp);
+               add_gid_to_array_unique(mem_ctx, temp_groups[i],
+                                       &groups, &ngrp);
 
        *p_ngroups = ngrp;
        *ret_groups = groups;
@@ -241,15 +200,22 @@ static BOOL getgroups_user(const char *user, gid_t primary_gid,
 }
 
 NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
-                                           const char *username,
-                                           gid_t primary_gid,
+                                           TALLOC_CTX *mem_ctx,
+                                           SAM_ACCOUNT *user,
                                            DOM_SID **pp_sids,
                                            gid_t **pp_gids,
                                            size_t *p_num_groups)
 {
        size_t i;
+       gid_t gid;
+
+       if (!sid_to_gid(pdb_get_group_sid(user), &gid)) {
+               DEBUG(10, ("sid_to_gid failed\n"));
+               return NT_STATUS_NO_SUCH_USER;
+       }
 
-       if (!getgroups_user(username, primary_gid, pp_gids, p_num_groups)) {
+       if (!getgroups_unix_user(mem_ctx, pdb_get_username(user), gid,
+                                pp_gids, p_num_groups)) {
                return NT_STATUS_NO_SUCH_USER;
        }
 
@@ -257,22 +223,15 @@ NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
                smb_panic("primary group missing");
        }
 
-       *pp_sids = SMB_MALLOC_ARRAY(DOM_SID, *p_num_groups);
+       *pp_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, *p_num_groups);
 
        if (*pp_sids == NULL) {
-               SAFE_FREE(pp_gids);
+               talloc_free(*pp_gids);
                return NT_STATUS_NO_MEMORY;
        }
 
        for (i=0; i<*p_num_groups; i++) {
-               if (!NT_STATUS_IS_OK(gid_to_sid(&(*pp_sids)[i], (*pp_gids)[i]))) {
-                       DEBUG(1, ("get_user_groups: failed to convert "
-                                 "gid %ld to a sid!\n", 
-                                 (long int)(*pp_gids)[i+1]));
-                       SAFE_FREE(*pp_sids);
-                       SAFE_FREE(*pp_gids);
-                       return NT_STATUS_NO_SUCH_USER;
-               }
+               gid_to_sid(&(*pp_sids)[i], (*pp_gids)[i]);
        }
 
        return NT_STATUS_OK;
index 7d66b320adf8d61abd2aefdddd2b056bc1ba8ffe..c04dfd05da10ba05fca94ff264f190b6be1d3234 100644 (file)
 #include "includes.h"
 
 /* internal functions */
-static struct passwd *uname_string_combinations(char *s, struct passwd * (*fn) (const char *), int N);
-static struct passwd *uname_string_combinations2(char *s, int offset, struct passwd * (*fn) (const char *), int N);
+static struct passwd *uname_string_combinations(char *s, TALLOC_CTX *mem_ctx,
+                                               struct passwd * (*fn) (TALLOC_CTX *mem_ctx, const char *),
+                                               int N);
+static struct passwd *uname_string_combinations2(char *s, TALLOC_CTX *mem_ctx, int offset,
+                                                struct passwd * (*fn) (TALLOC_CTX *mem_ctx, const char *),
+                                                int N);
 
 /*****************************************************************
  Check if a user or group name is local (this is a *local* name for
@@ -108,7 +112,7 @@ BOOL map_username(fstring user)
                }
 
                numlines = 0;
-               qlines = fd_lines_load(fd, &numlines);
+               qlines = fd_lines_load(fd, &numlines,0);
                DEBUGADD(10,("Lines returned = [%d]\n", numlines));
                close(fd);
 
@@ -180,7 +184,8 @@ BOOL map_username(fstring user)
                        return False;
                }
 
-               if (strchr_m(dosname,'*') || user_in_list(user, (const char **)dosuserlist, NULL, 0)) {
+               if (strchr_m(dosname,'*') ||
+                   user_in_list(user, (const char **)dosuserlist)) {
                        DEBUG(3,("Mapped user %s to %s\n",user,unixname));
                        mapped_user = True;
                        fstrcpy( last_from,user );
@@ -218,7 +223,8 @@ BOOL map_username(fstring user)
 
 static struct passwd *Get_Pwnam_ret = NULL;
 
-static struct passwd *Get_Pwnam_internals(const char *user, char *user2)
+static struct passwd *Get_Pwnam_internals(TALLOC_CTX *mem_ctx,
+                                         const char *user, char *user2)
 {
        struct passwd *ret = NULL;
 
@@ -232,7 +238,7 @@ static struct passwd *Get_Pwnam_internals(const char *user, char *user2)
           common case on UNIX systems */
        strlower_m(user2);
        DEBUG(5,("Trying _Get_Pwnam(), username as lowercase is %s\n",user2));
-       ret = getpwnam_alloc(user2);
+       ret = getpwnam_alloc(mem_ctx, user2);
        if(ret)
                goto done;
 
@@ -240,7 +246,7 @@ static struct passwd *Get_Pwnam_internals(const char *user, char *user2)
        if(strcmp(user, user2) != 0) {
                DEBUG(5,("Trying _Get_Pwnam(), username as given is %s\n",
                         user));
-               ret = getpwnam_alloc(user);
+               ret = getpwnam_alloc(mem_ctx, user);
                if(ret)
                        goto done;
        }
@@ -250,7 +256,7 @@ static struct passwd *Get_Pwnam_internals(const char *user, char *user2)
        if(strcmp(user, user2) != 0) {
                DEBUG(5,("Trying _Get_Pwnam(), username as uppercase is %s\n",
                         user2));
-               ret = getpwnam_alloc(user2);
+               ret = getpwnam_alloc(mem_ctx, user2);
                if(ret)
                        goto done;
        }
@@ -259,7 +265,7 @@ static struct passwd *Get_Pwnam_internals(const char *user, char *user2)
        strlower_m(user2);
        DEBUG(5,("Checking combinations of %d uppercase letters in %s\n",
                 lp_usernamelevel(), user2));
-       ret = uname_string_combinations(user2, getpwnam_alloc,
+       ret = uname_string_combinations(user2, mem_ctx, getpwnam_alloc,
                                        lp_usernamelevel());
 
 done:
@@ -275,7 +281,7 @@ done:
   This will return an allocated structure
 ****************************************************************************/
 
-struct passwd *Get_Pwnam_alloc(const char *user)
+struct passwd *Get_Pwnam_alloc(TALLOC_CTX *mem_ctx, const char *user)
 {
        fstring user2;
        struct passwd *ret;
@@ -289,7 +295,7 @@ struct passwd *Get_Pwnam_alloc(const char *user)
 
        DEBUG(5,("Finding user %s\n", user));
 
-       ret = Get_Pwnam_internals(user, user2);
+       ret = Get_Pwnam_internals(mem_ctx, user, user2);
        
        return ret;  
 }
@@ -303,7 +309,7 @@ struct passwd *Get_Pwnam(const char *user)
 {
        struct passwd *ret;
 
-       ret = Get_Pwnam_alloc(user);
+       ret = Get_Pwnam_alloc(NULL, user);
        
        /* This call used to just return the 'passwd' static buffer.
           This could then have accidental reuse implications, so 
@@ -320,7 +326,7 @@ struct passwd *Get_Pwnam(const char *user)
        */
 
        if (Get_Pwnam_ret) {
-               passwd_free(&Get_Pwnam_ret);
+               talloc_free(Get_Pwnam_ret);
        }
        
        Get_Pwnam_ret = ret;
@@ -333,7 +339,7 @@ struct passwd *Get_Pwnam(const char *user)
  try lower case.
 ****************************************************************************/
 
-static BOOL user_in_netgroup_list(const char *user, const char *ngname)
+BOOL user_in_netgroup(const char *user, const char *ngname)
 {
 #ifdef HAVE_NETGROUP
        static char *mydomain = NULL;
@@ -351,7 +357,7 @@ static BOOL user_in_netgroup_list(const char *user, const char *ngname)
                user, mydomain, ngname));
 
        if (innetgr(ngname, NULL, user, mydomain)) {
-               DEBUG(5,("user_in_netgroup_list: Found\n"));
+               DEBUG(5,("user_in_netgroup: Found\n"));
                return (True);
        } else {
 
@@ -367,7 +373,7 @@ static BOOL user_in_netgroup_list(const char *user, const char *ngname)
                        lowercase_user, mydomain, ngname));
 
                if (innetgr(ngname, NULL, lowercase_user, mydomain)) {
-                       DEBUG(5,("user_in_netgroup_list: Found\n"));
+                       DEBUG(5,("user_in_netgroup: Found\n"));
                        return (True);
                }
        }
@@ -379,8 +385,8 @@ static BOOL user_in_netgroup_list(const char *user, const char *ngname)
  Check if a user is in a winbind group.
 ****************************************************************************/
   
-static BOOL user_in_winbind_group_list(const char *user, const char *gname,
-                                      BOOL *winbind_answered)
+static BOOL user_in_winbind_group(const char *user, const char *gname,
+                                 BOOL *winbind_answered)
 {
        int i;
        gid_t gid, gid_low, gid_high;
@@ -392,7 +398,7 @@ static BOOL user_in_winbind_group_list(const char *user, const char *gname,
        *winbind_answered = False;
  
        if ((gid = nametogid(gname)) == (gid_t)-1) {
-               DEBUG(0,("user_in_winbind_group_list: nametogid for group %s "
+               DEBUG(0,("user_in_winbind_group: nametogid for group %s "
                         "failed.\n", gname ));
                goto err;
        }
@@ -439,11 +445,11 @@ static BOOL user_in_winbind_group_list(const char *user, const char *gname,
                
        }
        else 
-               DEBUG(10,("user_in_winbind_group_list: using cached user "
+               DEBUG(10,("user_in_winbind_group: using cached user "
                          "groups for [%s]\n", user));
  
        if ( DEBUGLEVEL >= 10 ) {
-               DEBUG(10,("user_in_winbind_group_list: using groups -- "));
+               DEBUG(10,("user_in_winbind_group: using groups -- "));
                for ( i=0; i<num_groups; i++ )
                        DEBUGADD(10,("%lu ", (unsigned long)groups[i]));
                DEBUGADD(10,("\n"));    
@@ -477,13 +483,13 @@ static BOOL user_in_winbind_group_list(const char *user, const char *gname,
  Check if a user is in a UNIX group.
 ****************************************************************************/
 
-BOOL user_in_unix_group_list(const char *user,const char *gname)
+BOOL user_in_unix_group(const char *user,const char *gname)
 {
        struct passwd *pass = Get_Pwnam(user);
        struct sys_userlist *user_list;
        struct sys_userlist *member;
 
-       DEBUG(10,("user_in_unix_group_list: checking user %s in group %s\n",
+       DEBUG(10,("user_in_unix_group: checking user %s in group %s\n",
                  user, gname));
 
        /*
@@ -493,7 +499,7 @@ BOOL user_in_unix_group_list(const char *user,const char *gname)
  
        if (pass) {
                if (strequal(gname,gidtoname(pass->pw_gid))) {
-                       DEBUG(10,("user_in_unix_group_list: group %s is "
+                       DEBUG(10,("user_in_unix_group: group %s is "
                                  "primary group.\n", gname ));
                        return True;
                }
@@ -501,13 +507,13 @@ BOOL user_in_unix_group_list(const char *user,const char *gname)
  
        user_list = get_users_in_group(gname);
        if (user_list == NULL) {
-               DEBUG(10,("user_in_unix_group_list: no such group %s\n",
+               DEBUG(10,("user_in_unix_group: no such group %s\n",
                          gname ));
                return False;
        }
 
        for (member = user_list; member; member = member->next) {
-               DEBUG(10,("user_in_unix_group_list: checking user %s against "
+               DEBUG(10,("user_in_unix_group: checking user %s against "
                          "member %s\n", user, member->unix_name ));
                if (strequal(member->unix_name,user)) {
                        free_userlist(user_list);
@@ -523,35 +529,17 @@ BOOL user_in_unix_group_list(const char *user,const char *gname)
  Check if a user is in a group list. Ask winbind first, then use UNIX.
 ****************************************************************************/
 
-BOOL user_in_group_list(const char *user, const char *gname, gid_t *groups,
-                       size_t n_groups)
+BOOL user_in_group(const char *user, const char *gname)
 {
        BOOL winbind_answered = False;
        BOOL ret;
-       gid_t gid;
-       unsigned i;
 
-       gid = nametogid(gname);
-       if (gid == (gid_t)-1) 
-               return False;
-
-       if (groups && n_groups > 0) {
-               for (i=0; i < n_groups; i++) {
-                       if (groups[i] == gid) {
-                               return True;
-                       }
-               }
-               return False;
-       }
-
-       /* fallback if we don't yet have the group list */
-
-       ret = user_in_winbind_group_list(user, gname, &winbind_answered);
+       ret = user_in_winbind_group(user, gname, &winbind_answered);
        if (!winbind_answered)
-               ret = user_in_unix_group_list(user, gname);
+               ret = user_in_unix_group(user, gname);
 
        if (ret)
-               DEBUG(10,("user_in_group_list: user |%s| is in group |%s|\n",
+               DEBUG(10,("user_in_group: user |%s| is in group |%s|\n",
                          user, gname));
        return ret;
 }
@@ -561,8 +549,7 @@ BOOL user_in_group_list(const char *user, const char *gname, gid_t *groups,
  and netgroup lists.
 ****************************************************************************/
 
-BOOL user_in_list(const char *user,const char **list, gid_t *groups,
-                 size_t n_groups)
+BOOL user_in_list(const char *user,const char **list)
 {
        if (!list || !*list)
                return False;
@@ -590,10 +577,9 @@ BOOL user_in_list(const char *user,const char **list, gid_t *groups,
                         * Old behaviour. Check netgroup list
                         * followed by UNIX list.
                         */
-                       if(user_in_netgroup_list(user, *list +1))
+                       if(user_in_netgroup(user, *list +1))
                                return True;
-                       if(user_in_group_list(user, *list +1, groups,
-                                             n_groups))
+                       if(user_in_group(user, *list +1))
                                return True;
                } else if (**list == '+') {
 
@@ -601,10 +587,9 @@ BOOL user_in_list(const char *user,const char **list, gid_t *groups,
                                /*
                                 * Search UNIX list followed by netgroup.
                                 */
-                               if(user_in_group_list(user, *list +2, groups,
-                                                     n_groups))
+                               if(user_in_group(user, *list +2))
                                        return True;
-                               if(user_in_netgroup_list(user, *list +2))
+                               if(user_in_netgroup(user, *list +2))
                                        return True;
 
                        } else {