author | Gerald Carter <jerry@samba.org> | 2006-08-23 00:24:57 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2006-08-23 00:24:57 +0000 |
commit | 38e37f903f890f5a98ddc924152a3f15b35fac37 (patch) | |
tree | 7feb5339685346d7e5c61175d968d2e51bba9c4e | |
parent | 59a905de8ac6163c44fe5993067c5399043c5b68 (diff) | |
r17727: Start pulling in changes for 3.0.23c
31 files changed, 211 insertions, 218 deletions
diff --git a/packaging/RHEL/samba.spec.tmpl b/packaging/RHEL/samba.spec.tmpl index 1d76bd07c20..5fdc8081080 100644 --- a/packaging/RHEL/samba.spec.tmpl +++ b/packaging/RHEL/samba.spec.tmpl @@ -351,11 +351,6 @@ fi %{_sbindir}/nmbd %{_sbindir}/winbindd -%attr(755,root,root) /%{_lib}/libnss_wins.so* -%attr(755,root,root) /%{_lib}/libnss_winbind.so* -%attr(755,root,root) /%{_lib}/security/pam_winbind.so -%attr(755,root,root) /%{_lib}/security/pam_smbpass.so - %{_bindir}/mksmbpasswd.sh %{_bindir}/smbcontrol %{_bindir}/smbstatus @@ -379,7 +374,6 @@ fi %{_mandir}/man8/nmbd.8* %{_mandir}/man8/pdbedit.8* %{_mandir}/man8/smbd.8* -%{_mandir}/man7/pam_winbind.7* %{_mandir}/man8/tdbbackup.8* %{_mandir}/man8/tdbdump.8* %{_mandir}/man8/winbindd.8* @@ -462,6 +456,11 @@ fi %config(noreplace) %{_sysconfdir}/samba/smb.conf %config(noreplace) %{_sysconfdir}/samba/lmhosts +%attr(755,root,root) /%{_lib}/libnss_wins.so* +%attr(755,root,root) /%{_lib}/libnss_winbind.so* +%attr(755,root,root) /%{_lib}/security/pam_winbind.so +%attr(755,root,root) /%{_lib}/security/pam_smbpass.so + %{_includedir}/libsmbclient.h %{_libdir}/libsmbclient.a %{_libdir}/libsmbclient.so* @@ -483,6 +482,7 @@ fi %{_mandir}/man5/lmhosts.5* %{_mandir}/man8/smbpasswd.8* %{_mandir}/man7/libsmbclient.7* +%{_mandir}/man7/pam_winbind.7* %changelog * Fri Jan 16 2004 Gerald (Jerry) Carter <jerry@samba,org> diff --git a/packaging/RHEL/setup/samba.pamd b/packaging/RHEL/setup/samba.pamd index f88aae628c2..8c529da3a1b 100644 --- a/packaging/RHEL/setup/samba.pamd +++ b/packaging/RHEL/setup/samba.pamd 
@@ -1,4 +1,4 @@ -auth required /lib/security/pam_stack.so service=system-auth -session required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_stack.so service=system-auth -password required /lib/security/pam_stack.so service=system-auth +auth required pam_stack.so service=system-auth +session required pam_stack.so service=system-auth +account required pam_stack.so service=system-auth +password required pam_stack.so service=system-auth diff --git a/source/VERSION b/source/VERSION index 673d82d34d9..e2a79b8b99c 100644 --- a/source/VERSION +++ b/source/VERSION @@ -37,7 +37,7 @@ SAMBA_VERSION_RELEASE=23 # e.g. SAMBA_VERSION_REVISION=a # # -> "2.2.8a" # ######################################################## -SAMBA_VERSION_REVISION=b +SAMBA_VERSION_REVISION=c ######################################################## # For 'pre' releases the version will be # diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c index 36473596eea..aa070805321 100644 --- a/source/auth/auth_util.c +++ b/source/auth/auth_util.c @@ -562,6 +562,10 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, struct passwd *pwd; gid_t *gids; auth_serversupplied_info *result; + int i; + size_t num_gids; + DOM_SID unix_group_sid; + if ( !(pwd = getpwnam_alloc(NULL, pdb_get_username(sampass))) ) { DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", 
@@ -592,10 +596,29 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, TALLOC_FREE(result); return status; } + + /* Add the "Unix Group" SID for each gid to catch mapped groups + and their Unix equivalent. This is to solve the backwards + compatibility problem of 'valid users = +ntadmin' where + ntadmin has been paired with "Domain Admins" in the group + mapping table. Otherwise smb.conf would need to be changed + to 'valid user = "Domain Admins"'. --jerry */ + + num_gids = result->num_sids; + for ( i=0; i<num_gids; i++ ) { + if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) { + DEBUG(1,("make_server_info_sam: Failed to create SID " + "for gid %d!\n", gids[i])); + continue; + } + add_sid_to_array_unique( result, &unix_group_sid, + &result->sids, &result->num_sids ); + } /* For now we throw away the gids and convert via sid_to_gid * later. This needs fixing, but I'd like to get the code straight and * simple first. */ + TALLOC_FREE(gids); DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", @@ -873,7 +896,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, become_root(); status = create_builtin_administrators( ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); /* don't fail, just log the message */ } unbecome_root(); @@ -900,7 +923,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, become_root(); status = create_builtin_users( ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n")); /* don't fail, just log the message */ } unbecome_root(); diff --git a/source/groupdb/mapping.c b/source/groupdb/mapping.c index c701ef165dd..b1c5275bc10 100644 
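Review bot: The new loop bounds `gids[i]` with `num_gids = result->num_sids`, but `gids` and `result->sids` are filled outside the hunk, so the two counts are only equal if nothing was appended to `result->sids` between that fill and this point; if they can diverge, the loop reads past the end of `gids`. Recording the gid count at the moment `gids` is produced (or using the count the enumerating call returns) would make the bound independent of later additions to the SID array. Two smaller points in the same lines: `i` is an `int` compared against a `size_t`, and the DEBUG prints `gids[i]` with `%d` although gid_t is unsigned on most platforms — `"for gid %u!\n", (unsigned int)gids[i]` is the portable form. make_server_info_sam starts and ends outside the hunk.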
--- a/source/groupdb/mapping.c +++ b/source/groupdb/mapping.c @@ -195,7 +195,7 @@ NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap) fstrcpy(map.nt_name, grpname); if (pdb_rid_algorithm()) { - rid = pdb_gid_to_group_rid( grp->gr_gid ); + rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid ); } else { if (!pdb_new_rid(&rid)) { DEBUG(3, ("Could not get a new RID for %s\n", diff --git a/source/include/doserr.h b/source/include/doserr.h index 8f8ea066964..bc381e33515 100644 --- a/source/include/doserr.h +++ b/source/include/doserr.h @@ -44,6 +44,7 @@ #define ERRnomem 8 /* Out of memory */ #define ERRbadmem 9 /* Invalid memory block address */ #define ERRbadenv 10 /* Invalid environment */ +#define ERRbadformat 11 /* Bad Format */ #define ERRbadaccess 12 /* Invalid open mode */ #define ERRbaddata 13 /* Invalid data (only from ioctl call) */ #define ERRres 14 /* reserved */ @@ -60,6 +61,7 @@ #define ERRfilexists 80 /* File in operation already exists */ #define ERRinvalidparam 87 #define ERRcannotopen 110 /* Cannot open the file specified */ +#define ERRbufferoverflow 111 #define ERRinsufficientbuffer 122 #define ERRinvalidname 123 /* Invalid name */ #define ERRunknownlevel 124 diff --git a/source/include/includes.h b/source/include/includes.h index 59e8e5cd0fb..81e772b3a48 100644 --- a/source/include/includes.h +++ b/source/include/includes.h @@ -667,6 +667,14 @@ typedef int socklen_t; #endif /* don't lie. If we don't have it, then don't use it */ #endif +#if !defined(int64) +#if (SIZEOF_LONG == 8) +#define int64 long +#elif (SIZEOF_LONG_LONG == 8) +#define int64 long long +#endif /* don't lie. If we don't have it, then don't use it */ +#endif + /* * Types for devices, inodes and offsets. diff --git a/source/include/msdfs.h b/source/include/msdfs.h index f7aa494cd2c..e9fef5430ed 100644 --- a/source/include/msdfs.h +++ b/source/include/msdfs.h 
@@ -53,6 +53,7 @@ struct referral { struct junction_map { pstring service_name; pstring volume_name; + pstring comment; int referral_count; struct referral* referral_list; }; diff --git a/source/include/rpc_dfs.h b/source/include/rpc_dfs.h index adf25c9938b..9aba123deed 100644 --- a/source/include/rpc_dfs.h +++ b/source/include/rpc_dfs.h @@ -243,8 +243,6 @@ typedef struct netdfs_q_dfs_Enum { uint32 bufsize; uint32 ptr0_info; NETDFS_DFS_ENUMSTRUCT info; - uint32 ptr0_unknown; - uint32 unknown; uint32 ptr0_total; uint32 total; } NETDFS_Q_DFS_ENUM; diff --git a/source/include/smb.h b/source/include/smb.h index e0f2e8483cb..b805f864a04 100644 --- a/source/include/smb.h +++ b/source/include/smb.h @@ -272,7 +272,7 @@ enum SID_NAME_USE { #define LOOKUP_NAME_REMOTE 2 /* Ask others */ #define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE) -#define LOOKUP_NAME_GROUP 4 /* This is a NASTY hack for valid users = @foo +#define LOOKUP_NAME_GROUP 4 /* (unused) This is a NASTY hack for valid users = @foo * where foo also exists in as user. */ /** diff --git a/source/lib/access.c b/source/lib/access.c index fcc795d1f26..303e3ed4c49 100644 --- a/source/lib/access.c +++ b/source/lib/access.c @@ -83,8 +83,7 @@ static BOOL string_match(const char *tok,const char *s, char *invalid_char) yp_get_default_domain(&mydomain); if (!mydomain) { - DEBUG(0,("Unable to get default yp domain.\n")); - return False; + DEBUG(0,("Unable to get default yp domain. Try without it.\n")); } if (!(hostname = SMB_STRDUP(s))) { DEBUG(1,("out of memory for strdup!\n")); @@ -95,7 +94,7 @@ static BOOL string_match(const char *tok,const char *s, char *invalid_char) DEBUG(5,("looking for %s of domain %s in netgroup %s gave %s\n", hostname, - mydomain, + mydomain?mydomain:"(ANY)", tok+1, BOOLSTR(netgroup_ok))); diff --git a/source/libsmb/smb_signing.c b/source/libsmb/smb_signing.c index d7ef0f37214..b638800c0f8 100644 --- a/source/libsmb/smb_signing.c +++ b/source/libsmb/smb_signing.c 
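Review bot: A failure of `yp_get_default_domain` no longer denies the match; string_match now continues with `mydomain == NULL`, which innetgr treats as "any domain", so a `@netgroup` host rule becomes wider exactly when the local NIS domain could not be determined. For an access-control predicate that is the fail-open direction, and user_in_netgroup in source/smbd/password.c (later in this commit) makes the same change. If the relaxed lookup is the intent, the level-0 message should say what it means for the decision, e.g. `DEBUG(0,("Unable to get default yp domain; netgroup membership will be checked without a domain restriction.\n"));`, so an operator can tell from the log that the wider rule applied. string_match starts and ends outside the hunk.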
@@ -108,6 +108,10 @@ static BOOL set_sequence_can_delete_flag(struct outstanding_packet_lookup **list static BOOL cli_set_smb_signing_common(struct cli_state *cli) { + if (!cli->sign_info.allow_smb_signing) { + return False; + } + if (!cli->sign_info.negotiated_smb_signing && !cli->sign_info.mandatory_signing) { return False; diff --git a/source/nmbd/nmbd_sendannounce.c b/source/nmbd/nmbd_sendannounce.c index a74dd99196f..7fcedc557ee 100644 --- a/source/nmbd/nmbd_sendannounce.c +++ b/source/nmbd/nmbd_sendannounce.c @@ -35,7 +35,7 @@ extern BOOL found_lm_clients; void send_browser_reset(int reset_type, const char *to_name, int to_type, struct in_addr to_ip) { - pstring outbuf; + char outbuf[PSTRING_LEN]; char *p; DEBUG(3,("send_browser_reset: sending reset request type %d to %s<%02x> IP %s.\n", @@ -60,7 +60,7 @@ void send_browser_reset(int reset_type, const char *to_name, int to_type, struct void broadcast_announce_request(struct subnet_record *subrec, struct work_record *work) { - pstring outbuf; + char outbuf[PSTRING_LEN]; char *p; work->needannounce = True; @@ -91,7 +91,7 @@ static void send_announcement(struct subnet_record *subrec, int announce_type, time_t announce_interval, const char *server_name, int server_type, const char *server_comment) { - pstring outbuf; + char outbuf[PSTRING_LEN]; unstring upper_server_name; char *p; @@ -116,7 +116,7 @@ static void send_announcement(struct subnet_record *subrec, int announce_type, SSVAL(p,27,BROWSER_ELECTION_VERSION); SSVAL(p,29,BROWSER_CONSTANT); /* Browse signature. */ - p += 31 + push_string(NULL, p+31, server_comment, -1, STR_ASCII|STR_TERMINATE); + p += 31 + push_string(NULL, p+31, server_comment, sizeof(outbuf) - (p + 31 - outbuf), STR_ASCII|STR_TERMINATE); send_mailslot(False,BROWSE_MAILSLOT, outbuf, PTR_DIFF(p,outbuf), from_name, 0x0, to_name, to_type, to_ip, subrec->myip, 
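Review bot: The added guard returns False as soon as `allow_smb_signing` is clear without distinguishing the case where `mandatory_signing` is also set; those two flags contradict each other, and the function reports "no signing" for that combination silently. A DEBUG line in the new branch, e.g. `DEBUG(5, ("cli_set_smb_signing_common: signing not allowed on this connection\n"));`, would make a connection that ends up unsigned despite a required-signing setting visible in the logs. How the caller handles the False return is outside the hunk, so whether it drops the connection when signing was required cannot be checked here.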
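Review bot: The new bound `sizeof(outbuf) - (p + 31 - outbuf)` is an unsigned subtraction, so if `p + 31` were ever past the end of `outbuf` it would wrap to a huge length rather than zero, defeating the limit it is meant to enforce; `p` is positioned outside the hunk, so that cannot be confirmed from here. The offsets written just above (27, 29) suggest the header fits, so this is a robustness point rather than a bug: `SMB_ASSERT(p + 31 <= outbuf + sizeof(outbuf));` before the push_string would document and enforce the assumption. The `sizeof(outbuf) - (p - outbuf)` form in send_lm_announcement (next hunk) has the same shape.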
@@ -132,7 +132,7 @@ static void send_lm_announcement(struct subnet_record *subrec, int announce_type time_t announce_interval, char *server_name, int server_type, char *server_comment) { - pstring outbuf; + char outbuf[PSTRING_LEN]; char *p=outbuf; memset(outbuf,'\0',sizeof(outbuf)); @@ -145,7 +145,7 @@ static void send_lm_announcement(struct subnet_record *subrec, int announce_type p += 10; p += push_string(NULL, p, server_name, 15, STR_ASCII|STR_UPPER|STR_TERMINATE); - p += push_string(NULL, p, server_comment, sizeof(pstring)-15, STR_ASCII|STR_UPPER|STR_TERMINATE); + p += push_string(NULL, p, server_comment, sizeof(outbuf)- (p - outbuf), STR_ASCII|STR_UPPER|STR_TERMINATE); send_mailslot(False,LANMAN_MAILSLOT, outbuf, PTR_DIFF(p,outbuf), from_name, 0x0, to_name, to_type, to_ip, subrec->myip, diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c index 5a9fb4cf595..a81561fc9ab 100644 --- a/source/nsswitch/pam_winbind.c +++ b/source/nsswitch/pam_winbind.c @@ -348,7 +348,7 @@ static int winbind_auth_request(pam_handle_t * pamh, request.data.auth.krb5_cc_type[0] = '\0'; request.data.auth.uid = -1; - request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_GET_PWD_POLICY; + request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM; if (ctrl & WINBIND_KRB5_AUTH) { @@ -546,7 +546,7 @@ static int winbind_chauthtok_request(pam_handle_t * pamh, } if (ctrl & WINBIND_KRB5_AUTH) { - request.flags = WBFLAG_PAM_KRB5; + request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM; } ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_CHAUTHTOK, &request, &response, user); @@ -1132,7 +1132,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags, } request.data.logoff.uid = pwd->pw_uid; - request.flags = WBFLAG_PAM_KRB5; + request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM; retval = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_LOGOFF, &request, &response, user); } 
@@ -1373,7 +1373,7 @@ struct pam_module _pam_winbind_modstruct = { * Copyright (c) Tim Potter <tpot@samba.org> 2000 * Copyright (c) Andrew Bartlettt <abartlet@samba.org> 2002 * Copyright (c) Guenther Deschner <gd@samba.org> 2005-2006 - * Copyright (c) Jan Rêkorajski 1999. + * Copyright (c) Jan Rêkorajski 1999. * Copyright (c) Andrew G. Morgan 1996-8. * Copyright (c) Alex O. Yuriev, 1996. * Copyright (c) Cristian Gafton 1996. diff --git a/source/nsswitch/winbind_nss_config.h b/source/nsswitch/winbind_nss_config.h index 66e38513fd2..f9d38526604 100644 --- a/source/nsswitch/winbind_nss_config.h +++ b/source/nsswitch/winbind_nss_config.h @@ -24,12 +24,12 @@ #ifndef _WINBIND_NSS_CONFIG_H #define _WINBIND_NSS_CONFIG_H -/* shutup the compiler warnings due to krb5.h on i - 64-bit sles9 */ +/* shutup the compiler warnings due to krb5.h on 64-bit sles9 */ #ifdef SIZEOF_LONG #undef SIZEOF_LONG #endif + /* Include header files from data in config.h file */ #ifndef NO_CONFIG_H @@ -137,6 +137,15 @@ typedef int BOOL; #endif /* don't lie. If we don't have it, then don't use it */ #endif +#if !defined(int64) +#if (SIZEOF_LONG == 8) +#define int64 long +#elif (SIZEOF_LONG_LONG == 8) +#define int64 long long +#endif /* don't lie. If we don't have it, then don't use it */ +#endif + + /* zero a structure */ #ifndef ZERO_STRUCT diff --git a/source/nsswitch/winbindd_cache.c b/source/nsswitch/winbindd_cache.c index b267a3f7705..269625ea88b 100644 --- a/source/nsswitch/winbindd_cache.c +++ b/source/nsswitch/winbindd_cache.c 
@@ -269,7 +269,38 @@ static char *centry_string(struct cache_entry *centry, TALLOC_CTX *mem_ctx) return ret; } -/* pull a string from a cache entry, using the supplied +/* pull a hash16 from a cache entry, using the supplied + talloc context +*/ +static char *centry_hash16(struct cache_entry *centry, TALLOC_CTX *mem_ctx) +{ + uint32 len; + char *ret; + + len = centry_uint8(centry); + + if (len != 16) { + DEBUG(0,("centry corruption? hash len (%u) != 16\n", + len )); + smb_panic("centry_hash16"); + } + + if (centry->len - centry->ofs < 16) { + DEBUG(0,("centry corruption? needed 16 bytes, have %d\n", + centry->len - centry->ofs)); + smb_panic("centry_hash16"); + } + + ret = TALLOC_ARRAY(mem_ctx, char, 16); + if (!ret) { + smb_panic("centry_hash out of memory\n"); + } + memcpy(ret,centry->data + centry->ofs, 16); + centry->ofs += 16; + return ret; +} + +/* pull a sid from a cache entry, using the supplied talloc context */ static BOOL centry_sid(struct cache_entry *centry, TALLOC_CTX *mem_ctx, DOM_SID *sid) @@ -629,6 +660,17 @@ static void centry_put_string(struct cache_entry *centry, const char *s) centry->ofs += len; } +/* + push a 16 byte hash into a centry - treat as 16 byte string. + */ +static void centry_put_hash16(struct cache_entry *centry, const uint8 val[16]) +{ + centry_put_uint8(centry, 16); + centry_expand(centry, 16); + memcpy(centry->data + centry->ofs, val, 16); + centry->ofs += 16; +} + static void centry_put_sid(struct cache_entry *centry, const DOM_SID *sid) { fstring sid_string; @@ -864,7 +906,7 @@ NTSTATUS wcache_get_creds(struct winbindd_domain *domain, } t = centry_time(centry); - *cached_nt_pass = (const uint8 *)centry_string(centry, mem_ctx); + *cached_nt_pass = (const uint8 *)centry_hash16(centry, mem_ctx); #if DEBUG_PASSWORD dump_data(100, (const char *)cached_nt_pass, NT_HASH_LEN); 
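Review bot: centry_hash16 calls smb_panic when the stored length is not 16, yet a CRED/ entry written by the previous code went through centry_put_string, whose length byte is strlen() of the hash and so is 16 only by accident; unless the cache file version is bumped elsewhere (not in this diff), an existing winbindd_cache.tdb from the prior release would take winbindd down at the first cached-credential lookup after the upgrade. Treating a bad length as a miss — return NULL here and have wcache_get_creds treat a NULL hash as "not cached" (the call site in the @@ -864 hunk does not check the result today) — is the safer reaction to on-disk data, keeping the panic, if at all, for the `centry->len - centry->ofs < 16` case that cannot arise from a well-formed file. Separately, that DEBUG prints `centry->len - centry->ofs` with `%d`; `%u` matches the uint32 arithmetic used for `len` in this function.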
@@ -905,7 +947,7 @@ NTSTATUS wcache_save_creds(struct winbindd_domain *domain, #endif centry_put_time(centry, time(NULL)); - centry_put_string(centry, (const char *)nt_pass); + centry_put_hash16(centry, nt_pass); centry_end(centry, "CRED/%s", sid_to_string(sid_string, sid)); DEBUG(10,("wcache_save_creds: %s\n", sid_string)); @@ -1240,7 +1282,7 @@ do_query: status = domain->backend->name_to_sid(domain, mem_ctx, domain_name, name, sid, type); /* and save it */ - if (domain->online || !is_null_sid(sid)) { + if (domain->online && !is_null_sid(sid)) { wcache_save_name_to_sid(domain, status, domain_name, name, sid, *type); } diff --git a/source/nsswitch/winbindd_nss.h b/source/nsswitch/winbindd_nss.h index 98349e649f7..0ecfa6ce283 100644 --- a/source/nsswitch/winbindd_nss.h +++ b/source/nsswitch/winbindd_nss.h @@ -42,8 +42,8 @@ between /lib/libnss_winbind.so.2 and /li64/libnss_winbind.so.2. The easiest way to do this is to always use 8byte values for time_t. */ -#if defined(uint64) -# define SMB_TIME_T uint64 +#if defined(int64) +# define SMB_TIME_T int64 #else # define SMB_TIME_T time_t #endif @@ -190,7 +190,7 @@ typedef struct winbindd_gr { #define WBFLAG_PAM_KRB5 0x1000 #define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x2000 #define WBFLAG_PAM_CACHED_LOGIN 0x4000 -#define WBFLAG_PAM_GET_PWD_POLICY 0x8000 +#define WBFLAG_PAM_GET_PWD_POLICY 0x8000 /* not used */ #define WINBINDD_MAX_EXTRA_DATA (128*1024) diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c index 34d23ebf8fa..66b1f620176 100644 --- a/source/nsswitch/winbindd_pam.c +++ b/source/nsswitch/winbindd_pam.c @@ -6,7 +6,7 @@ Copyright (C) Andrew Tridgell 2000 Copyright (C) Tim Potter 2001 Copyright (C) Andrew Bartlett 2001-2002 - Copyright (C) Guenther Deschner 2005-2006 + Copyright (C) Guenther Deschner 2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -222,44 +222,18 @@ static struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state return NULL; } - if (strequal(domain_name, lp_workgroup())) { - return find_our_domain(); - } - -#ifdef HAVE_ADS - - /* when trying to login using krb5 with a trusted domain account, we - * need to make sure that our and the remote domain are AD */ - - if ((state->request.flags & WBFLAG_PAM_KRB5) && - (lp_security() == SEC_ADS)) { - - struct winbindd_domain *our_domain = find_our_domain(); - - if (!our_domain->active_directory) { - DEBUG(3,("find_auth_domain: out domain is not AD\n")); - return NULL; - } - - if ((domain = find_domain_from_name_noinit(domain_name)) == NULL) { - return NULL; - } - - /* do we already know it's AD ? */ - if (domain->active_directory) { + /* we can auth against trusted domains */ + if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) { + domain = find_domain_from_name_noinit(domain_name); + if (domain == NULL) { + DEBUG(3, ("Authentication for domain [%s] skipped " + "as it is not a trusted domain\n", + domain_name)); + } else { return domain; } - - set_dc_type_and_flags(domain); - - if (!domain->active_directory) { - DEBUG(3,("find_auth_domain: remote domain is not AD\n")); - return NULL; } - return domain; - } -#endif return find_our_domain(); } @@ -1286,15 +1260,12 @@ process_result: } - /* this is required to provide password expiry warning */ - if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) { result = fillup_password_policy(domain, state); if (!NT_STATUS_IS_OK(result)) { DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result))); goto done; } - } } diff --git a/source/passdb/lookup_sid.c b/source/passdb/lookup_sid.c index e91db7f8b65..6eeea00416f 100644 --- a/source/passdb/lookup_sid.c +++ b/source/passdb/lookup_sid.c 
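Review bot: The new branch logs that authentication for the domain is "skipped as it is not a trusted domain" and then falls through to `return find_our_domain();`, so the request is actually retried against our own domain rather than skipped; either the message or the control flow is wrong. If the fall-through is intended (it matches what the replaced code did for an unknown name), reword to `"Domain [%s] is not a known trusted domain, authenticating against our own domain\n"`; if not, `return NULL;` in that branch. The removed HAVE_ADS block also dropped the check that both sides are AD before a KRB5 request goes to a trusted domain; whether the krb5 fallback flag covers that case is decided outside this hunk.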
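Review bot: With the `WBFLAG_PAM_GET_PWD_POLICY` condition removed, a failing fillup_password_policy now turns an already-successful authentication into a failure (`goto done` with the policy status in `result`) for every client of this request, not only pam_winbind; whether callers such as ntlm_auth or wbinfo expect that is not visible here. If the policy is advisory for those callers, degrading to the existing DEBUG line and leaving `result` as the authentication status avoids the denial; if fail-closed is intended, a one-line comment at the call saying so would stop the next reader from "fixing" it. The enclosing function starts and ends outside the hunk.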
@@ -43,7 +43,6 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx, DOM_SID sid; enum SID_NAME_USE type; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - struct group *grp; if (tmp_ctx == NULL) { DEBUG(0, ("talloc_new failed\n")); 
@@ -120,63 +119,6 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx, goto failed; } - /* - * Nasty hack necessary for too common scenarios: - * - * For 'valid users = +users' we know "users" is most probably not - * BUILTIN\users but the unix group users. This hack requires the - * admin to explicitly qualify BUILTIN if BUILTIN\users is meant. - * - * Please note that LOOKUP_NAME_GROUP can not be requested via for - * example lsa_lookupnames, it only comes into this routine via - * the expansion of group names coming in from smb.conf - */ - - if ((flags & LOOKUP_NAME_GROUP) && ((grp = getgrnam(name)) != NULL)) { - - GROUP_MAP map; - - if (pdb_getgrgid(&map, grp->gr_gid)) { - /* The hack gets worse. Handle the case where we have - * 'force group = +unixgroup' but "unixgroup" has a - * group mapping */ - - if (sid_check_is_in_builtin(&map.sid)) { - domain = talloc_strdup( - tmp_ctx, builtin_domain_name()); - } else { - domain = talloc_strdup( - tmp_ctx, get_global_sam_name()); - } - - sid_copy(&sid, &map.sid); - type = map.sid_name_use; - goto ok; - } - - /* If we are using the smbpasswd backend, we need to use the - * algorithmic mapping for the unix group we find. This is - * necessary because when creating the NT token from the unix - * gid list we got from initgroups() we use gid_to_sid() that - * uses algorithmic mapping if pdb_rid_algorithm() is true. */ - - if (pdb_rid_algorithm() && - (grp->gr_gid < max_algorithmic_gid())) { - domain = talloc_strdup(tmp_ctx, get_global_sam_name()); - sid_compose(&sid, get_global_sam_sid(), - pdb_gid_to_group_rid(grp->gr_gid)); - type = SID_NAME_DOM_GRP; - goto ok; - } - - if (lookup_unix_group_name(name, &sid)) { - domain = talloc_strdup(tmp_ctx, - unix_groups_domain_name()); - type = SID_NAME_DOM_GRP; - goto ok; - } - } - /* Now the guesswork begins, we haven't been given an explicit * domain. Try the sequence as documented on * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp 
@@ -1138,14 +1080,9 @@ void uid_to_sid(DOM_SID *psid, uid_t uid) goto done; } - if (pdb_rid_algorithm() && (uid < max_algorithmic_uid())) { - sid_copy(psid, get_global_sam_sid()); - sid_append_rid(psid, algorithmic_pdb_uid_to_user_rid(uid)); - goto done; - } else { - uid_to_unix_users_sid(uid, psid); - goto done; - } + /* This is an unmapped user */ + + uid_to_unix_users_sid(uid, psid); done: DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid, @@ -1180,16 +1117,10 @@ void gid_to_sid(DOM_SID *psid, gid_t gid) /* This is a mapped group */ goto done; } + + /* This is an unmapped group */ - if (pdb_rid_algorithm() && (gid < max_algorithmic_gid())) { - sid_copy(psid, get_global_sam_sid()); - sid_append_rid(psid, pdb_gid_to_group_rid(gid)); - goto done; - } else { - sid_copy(psid, &global_sid_Unix_Groups); - sid_append_rid(psid, gid); - goto done; - } + gid_to_unix_groups_sid(gid, psid); done: DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid, @@ -1235,14 +1166,9 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid) *puid = id.uid; goto done; } - if (pdb_rid_algorithm() && - algorithmic_pdb_rid_is_user(rid)) { - *puid = algorithmic_pdb_user_rid_to_uid(rid); - goto done; - } - /* This was ours, but it was neither mapped nor - * algorithmic. Fail */ + /* This was ours, but it was not mapped. Fail */ + return False; } @@ -1323,14 +1249,9 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid) *pgid = id.gid; goto done; } - if (pdb_rid_algorithm() && - !algorithmic_pdb_rid_is_user(rid)) { - /* This must be a group, presented as alias */ - *pgid = pdb_group_rid_to_gid(rid); - goto done; - } - /* This was ours, but it was neither mapped nor - * algorithmic. Fail. */ + + /* This was ours, but it was not mapped. Fail */ + return False; } diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c index cbb30ead023..27176b751e6 100644 --- a/source/passdb/passdb.c +++ b/source/passdb/passdb.c 
@@ -505,7 +505,7 @@ gid_t max_algorithmic_gid(void) there is not anymore a direct link between the gid and the rid. ********************************************************************/ -uint32 pdb_gid_to_group_rid(gid_t gid) +uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid) { int rid_offset = algorithmic_rid_base(); return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE); diff --git a/source/passdb/pdb_interface.c b/source/passdb/pdb_interface.c index 3e47c97b04c..bd06745b3d9 100644 --- a/source/passdb/pdb_interface.c +++ b/source/passdb/pdb_interface.c @@ -595,7 +595,7 @@ static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods, } if (pdb_rid_algorithm()) { - *rid = pdb_gid_to_group_rid( grp->gr_gid ); + *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid ); } else { if (!pdb_new_rid(rid)) { return NT_STATUS_ACCESS_DENIED; diff --git a/source/passdb/pdb_smbpasswd.c b/source/passdb/pdb_smbpasswd.c index ff2afd1a6f0..dc26ff5649d 100644 --- a/source/passdb/pdb_smbpasswd.c +++ b/source/passdb/pdb_smbpasswd.c @@ -1189,7 +1189,6 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state, struct samu *sam_pass, const struct smb_passwd *pw_buf) { struct passwd *pwfile; - fstring unix_username; if ( !sam_pass ) { DEBUG(5,("build_sam_account: struct samu is NULL\n")); @@ -1198,10 +1197,7 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state, /* verify the user account exists */ - fstrcpy( unix_username, pw_buf->smb_name ); - strlower_m( unix_username ); - - if ( !(pwfile = getpwnam_alloc(NULL, unix_username )) ) { + if ( !(pwfile = Get_Pwnam_alloc(NULL, pw_buf->smb_name )) ) { DEBUG(0,("build_sam_account: smbpasswd database is corrupt! username %s with uid " "%u is not in unix passwd database!\n", pw_buf->smb_name, pw_buf->smb_userid)); return False; diff --git a/source/passdb/util_unixsids.c b/source/passdb/util_unixsids.c index d3f0999d6ac..a885d970ae0 100644 --- a/source/passdb/util_unixsids.c 
+++ b/source/passdb/util_unixsids.c @@ -42,6 +42,12 @@ BOOL uid_to_unix_users_sid(uid_t uid, DOM_SID *sid) return sid_append_rid(sid, uid); } +BOOL gid_to_unix_groups_sid(gid_t gid, DOM_SID *sid) +{ + sid_copy(sid, &global_sid_Unix_Groups); + return sid_append_rid(sid, gid); +} + const char *unix_users_domain_name(void) { return "Unix User"; diff --git a/source/rpc_client/cli_dfs.c b/source/rpc_client/cli_dfs.c index 8b94d6ed9d4..f93ce29dbfa 100644 --- a/source/rpc_client/cli_dfs.c +++ b/source/rpc_client/cli_dfs.c @@ -142,7 +142,7 @@ NTSTATUS rpccli_dfs_GetInfo(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, co return werror_to_ntstatus(r.status); } -NTSTATUS rpccli_dfs_Enum(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, uint32 level, uint32 bufsize, NETDFS_DFS_ENUMSTRUCT *info, uint32 *unknown, uint32 *total) +NTSTATUS rpccli_dfs_Enum(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, uint32 level, uint32 bufsize, NETDFS_DFS_ENUMSTRUCT *info, uint32 *total) { prs_struct qbuf, rbuf; NETDFS_Q_DFS_ENUM q; @@ -153,7 +153,7 @@ NTSTATUS rpccli_dfs_Enum(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, uint3 /* Marshall data and send request */ - if (!init_netdfs_q_dfs_Enum(&q, level, bufsize, info, unknown, total)) + if (!init_netdfs_q_dfs_Enum(&q, level, bufsize, info, total)) return NT_STATUS_INVALID_PARAMETER; CLI_DO_RPC(cli, mem_ctx, PI_NETDFS, DFS_ENUM, diff --git a/source/rpc_parse/parse_dfs.c b/source/rpc_parse/parse_dfs.c index f1d07053025..fde3dc6e03a 100644 --- a/source/rpc_parse/parse_dfs.c +++ b/source/rpc_parse/parse_dfs.c @@ -1862,7 +1862,7 @@ BOOL netdfs_io_r_dfs_GetInfo(const char *desc, NETDFS_R_DFS_GETINFO *v, prs_stru return True; } -BOOL init_netdfs_q_dfs_Enum(NETDFS_Q_DFS_ENUM *v, uint32 level, uint32 bufsize, NETDFS_DFS_ENUMSTRUCT *info, uint32 *unknown, uint32 *total) +BOOL init_netdfs_q_dfs_Enum(NETDFS_Q_DFS_ENUM *v, uint32 level, uint32 bufsize, NETDFS_DFS_ENUMSTRUCT *info, uint32 *total) { DEBUG(5,("init_netdfs_q_dfs_Enum\n")); 
@@ -1877,13 +1877,6 @@ BOOL init_netdfs_q_dfs_Enum(NETDFS_Q_DFS_ENUM *v, uint32 level, uint32 bufsize, v->ptr0_info = 0; } - if (unknown) { - v->ptr0_unknown = 1; - v->unknown = *unknown; - } else { - v->ptr0_unknown = 0; - } - if (total) { v->ptr0_total = 1; v->total = *total; @@ -1920,17 +1913,6 @@ BOOL netdfs_io_q_dfs_Enum(const char *desc, NETDFS_Q_DFS_ENUM *v, prs_struct *ps if (!prs_align_custom(ps, 4)) return False; - if (!prs_uint32("ptr0_unknown", ps, depth, &v->ptr0_unknown)) - return False; - - if (v->ptr0_unknown) { - if (!prs_uint32("unknown", ps, depth, &v->unknown)) - return False; - } - - if (!prs_align_custom(ps, 4)) - return False; - if (!prs_uint32("ptr0_total", ps, depth, &v->ptr0_total)) return False; diff --git a/source/rpc_server/srv_dfs_nt.c b/source/rpc_server/srv_dfs_nt.c index 8239584522a..1a2ad38910a 100644 --- a/source/rpc_server/srv_dfs_nt.c +++ b/source/rpc_server/srv_dfs_nt.c @@ -206,6 +206,7 @@ static BOOL init_reply_dfs_info_2(struct junction_map* j, NETDFS_DFS_INFO2* dfs2 j->service_name, j->volume_name); init_unistr2(&dfs2->path, str, UNI_STR_TERMINATE); dfs2->ptr0_comment = 0; + init_unistr2(&dfs2->comment, j->comment, UNI_STR_TERMINATE); dfs2->state = 1; /* set up state of dfs junction as OK */ dfs2->num_stores = j->referral_count; return True; @@ -225,7 +226,7 @@ static BOOL init_reply_dfs_info_3(TALLOC_CTX *ctx, struct junction_map* j, NETDF init_unistr2(&dfs3->path, str, UNI_STR_TERMINATE); dfs3->ptr0_comment = 1; - init_unistr2(&dfs3->comment, "", UNI_STR_TERMINATE); + init_unistr2(&dfs3->comment, j->comment, UNI_STR_TERMINATE); dfs3->state = 1; dfs3->num_stores = dfs3->size_stores = j->referral_count; dfs3->ptr0_stores = 1; 
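Review bot: init_reply_dfs_info_2 now fills `dfs2->comment` from `j->comment` but the line above still sets `dfs2->ptr0_comment = 0`, while the info_3 and info_100 paths set their pointer flag to 1; if the marshaller honours the flag, the level-2 comment is never sent and the new init is dead, and if it does not, a null pointer is emitted with string data behind it. Set `dfs2->ptr0_comment = 1;` alongside the comment as the other levels do, or drop the init_unistr2 call, whichever matches the intended wire format.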
@@ -260,6 +261,14 @@ static BOOL init_reply_dfs_info_3(TALLOC_CTX *ctx, struct junction_map* j, NETDF return True; } +static BOOL init_reply_dfs_info_100(struct junction_map* j, NETDFS_DFS_INFO100* dfs100) +{ + dfs100->ptr0_comment = 1; + init_unistr2(&dfs100->comment, j->comment, UNI_STR_TERMINATE); + return True; +} + + WERROR _dfs_Enum(pipes_struct *p, NETDFS_Q_DFS_ENUM *q_u, NETDFS_R_DFS_ENUM *r_u) { uint32 level = q_u->level; @@ -270,7 +279,7 @@ WERROR _dfs_Enum(pipes_struct *p, NETDFS_Q_DFS_ENUM *q_u, NETDFS_R_DFS_ENUM *r_u num_jn = enum_msdfs_links(p->mem_ctx, jn, ARRAY_SIZE(jn)); vfs_ChDir(p->conn,p->conn->connectpath); - DEBUG(5,("make_reply_dfs_enum: %d junctions found in Dfs, doing level %d\n", num_jn, level)); + DEBUG(5,("_dfs_Enum: %d junctions found in Dfs, doing level %d\n", num_jn, level)); r_u->ptr0_info = q_u->ptr0_info; r_u->ptr0_total = q_u->ptr0_total; @@ -336,7 +345,7 @@ WERROR _dfs_GetInfo(pipes_struct *p, NETDFS_Q_DFS_GETINFO *q_u, uint32 level = q_u->level; int consumedcnt = sizeof(pstring); pstring path; - BOOL ret; + BOOL ret = False; struct junction_map jn; unistr2_to_ascii(path, uni_path, sizeof(path)-1); @@ -358,8 +367,12 @@ WERROR _dfs_GetInfo(pipes_struct *p, NETDFS_Q_DFS_GETINFO *q_u, case 1: ret = init_reply_dfs_info_1(&jn, &r_u->info.u.info1); break; case 2: ret = init_reply_dfs_info_2(&jn, &r_u->info.u.info2); break; case 3: ret = init_reply_dfs_info_3(p->mem_ctx, &jn, &r_u->info.u.info3); break; + case 100: ret = init_reply_dfs_info_100(&jn, &r_u->info.u.info100); break; default: - ret = False; + r_u->info.ptr0 = 1; + r_u->info.switch_value = 0; + r_u->status = WERR_OK; + ret = True; break; } diff --git a/source/rpcclient/cmd_dfs.c b/source/rpcclient/cmd_dfs.c index b4d43bda5ee..75543df267e 100644 --- a/source/rpcclient/cmd_dfs.c +++ b/source/rpcclient/cmd_dfs.c 
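Review bot: The default case of the level switch in _dfs_GetInfo now answers an unsupported info level with `WERR_OK`, `ptr0 = 1` and `switch_value = 0`, so a client asking for an unknown level gets a success status wrapped around an empty union instead of an error. Unless a specific client depends on that reply, the conventional answer is an error status (WERR_UNKNOWN_LEVEL exists for this) with `ret = False`, which also keeps the new `BOOL ret = False` initialiser meaningful. If the success reply is deliberate for a known client, a comment at the `default:` label naming it would save the next reader from reverting it.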
@@ -190,7 +190,7 @@ static NTSTATUS cmd_dfs_enum(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, NETDFS_DFS_ENUMINFO_CTR ctr; NTSTATUS result; uint32 info_level = 1; - uint32 unknown = 0, total = 0; + uint32 total = 0; if (argc > 2) { printf("Usage: %s [info_level]\n", argv[0]); @@ -204,7 +204,7 @@ static NTSTATUS cmd_dfs_enum(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, init_netdfs_dfs_EnumStruct(&str, info_level, ctr); str.e.ptr0 = 1; - result = rpccli_dfs_Enum(cli, mem_ctx, info_level, 0xFFFFFFFF, &str, &unknown, &total); + result = rpccli_dfs_Enum(cli, mem_ctx, info_level, 0xFFFFFFFF, &str, &total); if (NT_STATUS_IS_OK(result)) display_dfs_enumstruct(&str); diff --git a/source/sam/idmap_ad.c b/source/sam/idmap_ad.c index 4d033e8f3e1..5bf039fa1aa 100644 --- a/source/sam/idmap_ad.c +++ b/source/sam/idmap_ad.c @@ -139,12 +139,12 @@ static ADS_STRUCT *ad_idmap_cached_connection(void) } /* no op */ -static NTSTATUS ad_idmap_init(const char *uri) +static NTSTATUS ad_idmap_init(char *uri) { return NT_STATUS_OK; } -static NTSTATUS ad_idmap_get_sid_from_id(DOM_SID *sid, unid_t unid, int id_type, int flags) +static NTSTATUS ad_idmap_get_sid_from_id(DOM_SID *sid, unid_t unid, int id_type) { ADS_STATUS rc; NTSTATUS status = NT_STATUS_NONE_MAPPED; diff --git a/source/smbd/msdfs.c b/source/smbd/msdfs.c index 8dc29728249..1ea19f657bf 100644 --- a/source/smbd/msdfs.c +++ b/source/smbd/msdfs.c @@ -889,6 +889,7 @@ BOOL create_junction(char *pathname, struct junction_map *jucn) pstrcpy(jucn->service_name,dp.servicename); pstrcpy(jucn->volume_name,dp.reqpath); + pstrcpy(jucn->comment, lp_comment(lp_servicenumber(dp.servicename))); return True; } diff --git a/source/smbd/password.c b/source/smbd/password.c index 73b0ebb4b32..814065dd34a 100644 --- a/source/smbd/password.c +++ b/source/smbd/password.c 
@@ -420,12 +420,11 @@ BOOL user_in_netgroup(const char *user, const char *ngname)
 yp_get_default_domain(&mydomain);
 if(mydomain == NULL) {
- DEBUG(5,("Unable to get default yp domain\n"));
- return False;
+ DEBUG(5,("Unable to get default yp domain, let's try without specifying it\n"));
 }
 DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
- user, mydomain, ngname));
+ user, mydomain?mydomain:"(ANY)", ngname));
 if (innetgr(ngname, NULL, user, mydomain)) {
 DEBUG(5,("user_in_netgroup: Found\n"));
@@ -441,7 +440,7 @@ BOOL user_in_netgroup(const char *user, const char *ngname)
 strlower_m(lowercase_user);
 DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
- lowercase_user, mydomain, ngname));
+ lowercase_user, mydomain?mydomain:"(ANY)", ngname));
 if (innetgr(ngname, NULL, lowercase_user, mydomain)) {
 DEBUG(5,("user_in_netgroup: Found\n"));
diff --git a/source/utils/net_groupmap.c b/source/utils/net_groupmap.c
index a96ac526bfc..10a672bc1f0 100644
--- a/source/utils/net_groupmap.c
+++ b/source/utils/net_groupmap.c
@@ -192,7 +192,8 @@ static int net_groupmap_add(int argc, const char **argv)
 uint32 rid = 0;
 gid_t gid;
 int i;
-
+ const char *name_type = "domain group";
+
 /* get the options */
 for ( i=0; i<argc; i++ ) {
 if ( !StrnCaseCmp(argv[i], "rid", strlen("rid")) ) {
@@ -236,15 +237,21 @@ static int net_groupmap_add(int argc, const char **argv)
 case 'b':
 case 'B':
 sid_type = SID_NAME_WKN_GRP;
+ name_type = "wellknown group";
 break;
 case 'd':
 case 'D':
 sid_type = SID_NAME_DOM_GRP;
+ name_type = "domain group";
 break;
 case 'l':
 case 'L':
 sid_type = SID_NAME_ALIAS;
+ name_type = "alias (local) group";
 break;
+ default:
+ d_fprintf(stderr, "unknown group type %s\n", type);
+ return -1;
 }
 } else {
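Review bot: The fallback in `if(mydomain == NULL)` turns a fail-closed check into a wider one: with `mydomain` left NULL, `innetgr(ngname, NULL, user, mydomain)` matches the user against any domain field in the netgroup triples, so a host whose NIS default domain cannot be determined now accepts memberships that the old `return False` rejected. `user_in_netgroup` feeds access decisions, so if this widening is intended it should be documented at the site rather than only in the debug text, e.g. `/* No default NIS domain: match the user in any domain of the netgroup (wider than before). */`. The second hunk of this file only changes the debug rendering and is covered by the same remark; both halves of user_in_netgroup continue outside their hunks.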
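Review bot: `name_type = "domain group";` under `case 'D':` duplicates the initializer given to `name_type` in the declaration hunk above, so one of the two is the real default and the other is dead; the new `default:` that rejects other letters makes the initializer reachable only when no type option is passed at all. Keep the initializer and mark it as the no-option default, `const char *name_type = "domain group"; /* used when no type is given */`, or drop it and let every path through the switch set it. The surrounding option loop in net_groupmap_add continues outside the hunk.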
@@ -275,7 +282,7 @@ static int net_groupmap_add(int argc, const char **argv)
 if ( (rid == 0) && (string_sid[0] == '\0') ) {
 d_printf("No rid or sid specified, choosing a RID\n");
 if (pdb_rid_algorithm()) {
- rid = pdb_gid_to_group_rid(gid);
+ rid = algorithmic_pdb_gid_to_group_rid(gid);
 } else {
 if (!pdb_new_rid(&rid)) {
 d_printf("Could not get new RID\n");
@@ -317,7 +324,8 @@ static int net_groupmap_add(int argc, const char **argv)
 return -1;
 }
- d_printf("Successfully added group %s to the mapping db\n", ntgroup);
+ d_printf("Successfully added group %s to the mapping db as a %s\n",
+ ntgroup, name_type);
 return 0;
 }
@@ -413,14 +421,17 @@ static int net_groupmap_modify(int argc, const char **argv)
 * Allow changing of group type only between domain and local
 * We disallow changing Builtin groups !!! (SID problem)
 */
- if (sid_type != SID_NAME_UNKNOWN) {
- if (map.sid_name_use == SID_NAME_WKN_GRP) {
- d_fprintf(stderr, "You can only change between domain and local groups.\n");
- return -1;
- }
-
- map.sid_name_use=sid_type;
+ if (sid_type == SID_NAME_UNKNOWN) {
+ d_fprintf(stderr, "Can't map to an unknown group type.\n");
+ return -1;
+ }
+
+ if (map.sid_name_use == SID_NAME_WKN_GRP) {
+ d_fprintf(stderr, "You can only change between domain and local groups.\n");
+ return -1;
 }
+
+ map.sid_name_use=sid_type;
 /* Change comment if new one */
 if ( ntcomment[0] )
@@ -555,7 +566,14 @@ static int net_groupmap_set(int argc, const char **argv)
 map.gid = grp->gr_gid;
 if (opt_rid == 0) {
- opt_rid = pdb_gid_to_group_rid(map.gid);
+ if ( pdb_rid_algorithm() )
+ opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid);
+ else {
+ if ( !pdb_new_rid((uint32*)&opt_rid) ) {
+ d_fprintf( stderr, "Could not allocate new RID\n");
+ return -1;
+ }
+ }
 }
 sid_copy(&map.sid, get_global_sam_sid()); |
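Review bot: The rewritten check in net_groupmap_modify now errors out when `sid_type` is `SID_NAME_UNKNOWN`, where the old `if (sid_type != SID_NAME_UNKNOWN)` simply skipped the type change; if `sid_type` still starts out as `SID_NAME_UNKNOWN` when the caller passes no type option (its initialisation is outside this hunk), a modify invoked only to change the comment or NT name now always fails with "Can't map to an unknown group type". Either seed `sid_type` from `map.sid_name_use` before this point or keep the skip for the no-option case. The comment above the check still promises only domain/local changes, yet a well-known type in `sid_type` still reaches `map.sid_name_use=sid_type;` unchallenged, so the comment and the code should be brought into line.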
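Review bot: `pdb_new_rid((uint32*)&opt_rid)` in net_groupmap_set writes through a pointer of a different type than `opt_rid` was declared with (the cast is only needed because it is not a `uint32`), which is an aliasing hazard and silently wrong if the two types ever differ in size; net_groupmap_add in the first hunk of this file does it correctly with a `uint32 rid` local. The `if ( pdb_rid_algorithm() )` branch is also unbraced while its `else` is braced, which this file otherwise avoids. Allocate into a `uint32` temporary and brace both arms:

```c
	if (opt_rid == 0) {
		if ( pdb_rid_algorithm() ) {
			opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid);
		} else {
			uint32 new_rid = 0;
			if ( !pdb_new_rid(&new_rid) ) {
				d_fprintf( stderr, "Could not allocate new RID\n");
				return -1;
			}
			opt_rid = new_rid;
		}
	}
	/* … unchanged: sid_copy and the rest of net_groupmap_set … */
```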
