From 5a2a6f1ba316489d118a8bdd9551b155226de94f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 3 Jul 2002 07:37:54 +0000
Subject: Break up the passdb objects (to allow RPC clients to link without
 brining in *.o) and implment new enum_dom_users code in the SAMR RPC
 subsystem.

Incresingly, we are using the pdb_get_{user,group}_sid() functions, in the
eventual hope that we might one day support muliple domains off a single
passdb.  To extract the RID, we use sid_peek_check_rid(), and supply an
'expected' domain SID.

The id21 -> SAM_ACCOUNT and id23 -> SAM_ACCOUNT code has been moved to
srv_samr_util.c, to ease linking in passdb users.

Compatiblity code that uses 'get_global_sam_sid()' for the 'expected' sid is in
pdb_compat.c

Andrew Bartlett
---
 source/rpc_parse/parse_samr.c | 91 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 80 insertions(+), 11 deletions(-)

(limited to 'source/rpc_parse')

diff --git a/source/rpc_parse/parse_samr.c b/source/rpc_parse/parse_samr.c
index 34aa75f1d02..137883cc7e9 100644
--- a/source/rpc_parse/parse_samr.c
+++ b/source/rpc_parse/parse_samr.c
@@ -1440,7 +1440,8 @@ inits a SAM_DISPINFO_1 structure.
 ********************************************************************/
 
 NTSTATUS init_sam_dispinfo_1(TALLOC_CTX *ctx, SAM_DISPINFO_1 *sam, uint32 num_entries,
-			 uint32 start_idx, DISP_USER_INFO *disp_user_info)
+			     uint32 start_idx, DISP_USER_INFO *disp_user_info,
+			     DOM_SID *domain_sid)
 {
 	uint32 len_sam_name, len_sam_full, len_sam_desc;
 	uint32 i;
@@ -1468,6 +1469,9 @@ NTSTATUS init_sam_dispinfo_1(TALLOC_CTX *ctx, SAM_DISPINFO_1 *sam, uint32 num_en
 		const char *username;
 		const char *fullname;
 		const char *acct_desc;
+		uint32 user_rid;
+		const DOM_SID *user_sid;
+		fstring user_sid_string, domain_sid_string;			
 
 		DEBUG(11, ("init_sam_dispinfo_1: entry: %d\n",i));
 		
@@ -1486,14 +1490,25 @@ NTSTATUS init_sam_dispinfo_1(TALLOC_CTX *ctx, SAM_DISPINFO_1 *sam, uint32 num_en
 		if (!acct_desc) 
 			acct_desc = "";
 
+		user_sid = pdb_get_user_sid(pwd);
+
+		if (!sid_peek_check_rid(domain_sid, user_sid, &user_rid)) {
+			DEBUG(0, ("init_sam_dispinfo_1: User %s has SID %s, which conflicts with "
+				  "the domain sid %s.  Failing operation.\n", 
+				  username, 
+				  sid_to_string(user_sid_string, user_sid),
+				  sid_to_string(domain_sid_string, domain_sid)));
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+			
 		len_sam_name = strlen(username);
 		len_sam_full = strlen(fullname);
 		len_sam_desc = strlen(acct_desc);
 
 		init_sam_entry1(&sam->sam[i], start_idx + i + 1,
 				len_sam_name, len_sam_full, len_sam_desc,
-				pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd));
-
+				user_rid, pdb_get_acct_ctrl(pwd));
+		
 		ZERO_STRUCTP(&sam->str[i].uni_acct_name);
 		ZERO_STRUCTP(&sam->str[i].uni_full_name);
 		ZERO_STRUCTP(&sam->str[i].uni_acct_desc);
@@ -1560,7 +1575,8 @@ inits a SAM_DISPINFO_2 structure.
 ********************************************************************/
 
 NTSTATUS init_sam_dispinfo_2(TALLOC_CTX *ctx, SAM_DISPINFO_2 *sam, uint32 num_entries,
-			 uint32 start_idx, DISP_USER_INFO *disp_user_info)
+			     uint32 start_idx, DISP_USER_INFO *disp_user_info, 
+			     DOM_SID *domain_sid )
 {
 	uint32 len_sam_name, len_sam_desc;
 	uint32 i;
@@ -1583,20 +1599,39 @@ NTSTATUS init_sam_dispinfo_2(TALLOC_CTX *ctx, SAM_DISPINFO_2 *sam, uint32 num_en
 	ZERO_STRUCTP(sam->str);
 
 	for (i = 0; i < num_entries; i++) {
+		uint32 user_rid;
+		const DOM_SID *user_sid;
+		const char *username;
+		const char *acct_desc;
+		fstring user_sid_string, domain_sid_string;			
+
 		DEBUG(11, ("init_sam_dispinfo_2: entry: %d\n",i));
 		pwd=disp_user_info[i+start_idx].sam;
 
-		len_sam_name = strlen(pdb_get_username(pwd));
-		len_sam_desc = strlen(pdb_get_acct_desc(pwd));
+		username = pdb_get_username(pwd);
+		acct_desc = pdb_get_acct_desc(pwd);
+		user_sid = pdb_get_user_sid(pwd);
+
+		if (!sid_peek_check_rid(domain_sid, user_sid, &user_rid)) {
+			DEBUG(0, ("init_sam_dispinfo_2: User %s has SID %s, which conflicts with "
+				  "the domain sid %s.  Failing operation.\n", 
+				  username, 
+				  sid_to_string(user_sid_string, user_sid),
+				  sid_to_string(domain_sid_string, domain_sid)));
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+			
+		len_sam_name = strlen(username);
+		len_sam_desc = strlen(acct_desc);
 	  
 		init_sam_entry2(&sam->sam[i], start_idx + i + 1,
 			  len_sam_name, len_sam_desc,
-			  pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd));
+			  user_rid, pdb_get_acct_ctrl(pwd));
 	  
 		ZERO_STRUCTP(&sam->str[i].uni_srv_name);
 		ZERO_STRUCTP(&sam->str[i].uni_srv_desc);
 
-		init_unistr2(&sam->str[i].uni_srv_name, pdb_get_username(pwd),  len_sam_name);
+		init_unistr2(&sam->str[i].uni_srv_name, username,  len_sam_name);
 		init_unistr2(&sam->str[i].uni_srv_desc, pdb_get_acct_desc(pwd), len_sam_desc);
 	}
 
@@ -5844,7 +5879,7 @@ void init_sam_user_info21W(SAM_USER_INFO_21 * usr,
 
  *************************************************************************/
 
-void init_sam_user_info21A(SAM_USER_INFO_21 *usr, SAM_ACCOUNT *pw)
+NTSTATUS init_sam_user_info21A(SAM_USER_INFO_21 *usr, SAM_ACCOUNT *pw, DOM_SID *domain_sid)
 {
 	NTTIME 		logon_time, logoff_time, kickoff_time,
 			pass_last_set_time, pass_can_change_time,
@@ -5865,6 +5900,12 @@ void init_sam_user_info21A(SAM_USER_INFO_21 *usr, SAM_ACCOUNT *pw)
 	const char*		workstations = pdb_get_workstations(pw);
 	const char*		munged_dial = pdb_get_munged_dial(pw);
 
+	uint32 user_rid;
+	const DOM_SID *user_sid;
+
+	uint32 group_rid;
+	const DOM_SID *group_sid;
+
 	len_user_name    = user_name    != NULL ? strlen(user_name   )+1 : 0;
 	len_full_name    = full_name    != NULL ? strlen(full_name   )+1 : 0;
 	len_home_dir     = home_dir     != NULL ? strlen(home_dir    )+1 : 0;
@@ -5907,8 +5948,34 @@ void init_sam_user_info21A(SAM_USER_INFO_21 *usr, SAM_ACCOUNT *pw)
 	ZERO_STRUCT(usr->nt_pwd);
 	ZERO_STRUCT(usr->lm_pwd);
 
-	usr->user_rid  = pdb_get_user_rid(pw);
-	usr->group_rid = pdb_get_group_rid(pw);
+	user_sid = pdb_get_user_sid(pw);
+	
+	if (!sid_peek_check_rid(domain_sid, user_sid, &user_rid)) {
+		fstring user_sid_string;
+		fstring domain_sid_string;
+		DEBUG(0, ("init_sam_user_info_21A: User %s has SID %s, \nwhich conflicts with "
+			  "the domain sid %s.  Failing operation.\n", 
+			  user_name, 
+			  sid_to_string(user_sid_string, user_sid),
+			  sid_to_string(domain_sid_string, domain_sid)));
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	group_sid = pdb_get_group_sid(pw);
+	
+	if (!sid_peek_check_rid(domain_sid, group_sid, &group_rid)) {
+		fstring group_sid_string;
+		fstring domain_sid_string;
+		DEBUG(0, ("init_sam_user_info_21A: User %s has Primary Group SID %s, \n"
+			  "which conflicts with the domain sid %s.  Failing operation.\n", 
+			  user_name, 
+			  sid_to_string(group_sid_string, group_sid),
+			  sid_to_string(domain_sid_string, domain_sid)));
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	usr->user_rid  = user_rid;
+	usr->group_rid = group_rid;
 	usr->acb_info  = pdb_get_acct_ctrl(pw);
 	usr->unknown_3 = pdb_get_unknown3(pw);
 
@@ -5937,6 +6004,8 @@ void init_sam_user_info21A(SAM_USER_INFO_21 *usr, SAM_ACCOUNT *pw)
 		memcpy(&usr->logon_hrs.hours, pdb_get_hours(pw), MAX_HOURS_LEN);
 	} else
 		memset(&usr->logon_hrs, 0xff, sizeof(usr->logon_hrs));
+
+	return NT_STATUS_OK;
 }
 
 /*******************************************************************
-- 
cgit