summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2010-05-27 03:41:56 -0400
committerGünther Deschner <gd@samba.org>2010-05-28 00:55:53 +0200
commitd9cffc01be58184312a6a7b55bd523cf8daefa78 (patch)
treea7037d21510273479d752c9c7964264ac12524a1
parent6713f3d945f09a732e620641771d9ff403aca9ef (diff)
downloadsamba-d9cffc01be58184312a6a7b55bd523cf8daefa78.tar.gz
samba-d9cffc01be58184312a6a7b55bd523cf8daefa78.tar.bz2
samba-d9cffc01be58184312a6a7b55bd523cf8daefa78.zip
s3:auth use info3 in auth_serversupplied_info
Signed-off-by: Günther Deschner <gd@samba.org>
-rw-r--r--source3/auth/auth_util.c407
-rw-r--r--source3/auth/server_info.c277
-rw-r--r--source3/auth/server_info_sam.c9
-rw-r--r--source3/include/auth.h2
-rw-r--r--source3/modules/vfs_expand_msdfs.c2
-rw-r--r--source3/modules/vfs_full_audit.c2
-rw-r--r--source3/modules/vfs_recycle.c2
-rw-r--r--source3/modules/vfs_smb_traffic_analyzer.c6
-rw-r--r--source3/printing/printing.c2
-rw-r--r--source3/rpc_server/srv_lsa_nt.c2
-rw-r--r--source3/rpc_server/srv_netlog_nt.c2
-rw-r--r--source3/smbd/lanman.c9
-rw-r--r--source3/smbd/password.c6
-rw-r--r--source3/smbd/process.c3
-rw-r--r--source3/smbd/service.c12
-rw-r--r--source3/smbd/sesssetup.c6
-rw-r--r--source3/smbd/smb2_sesssetup.c8
-rw-r--r--source3/smbd/uid.c6
18 files changed, 158 insertions, 605 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index ad454b6df1..d64cb537c7 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -455,7 +455,7 @@ static NTSTATUS log_nt_token(NT_USER_TOKEN *token)
}
/*
- * Create the token to use from server_info->sam_account and
+ * Create the token to use from server_info->info3 and
* server_info->sids (the info3/sam groups). Find the unix gids.
*/
@@ -464,6 +464,7 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
NTSTATUS status;
size_t i;
struct dom_sid tmp_sid;
+ struct dom_sid user_sid;
/*
* If winbind is not around, we can not make much use of the SIDs the
@@ -482,9 +483,13 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
&server_info->ptok);
} else {
+ sid_compose(&user_sid,
+ server_info->info3->base.domain_sid,
+ server_info->info3->base.rid);
+
server_info->ptok = create_local_nt_token(
server_info,
- pdb_get_user_sid(server_info->sam_account),
+ &user_sid,
server_info->guest,
server_info->num_sids, server_info->sids);
status = server_info->ptok ?
@@ -592,7 +597,16 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
return NT_STATUS_NO_MEMORY;
}
- result->sam_account = sampass;
+ status = samu_to_SamInfo3(result, sampass,
+ global_myname(), &result->info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("Failed to convert samu to info3: %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(sampass);
+ TALLOC_FREE(result);
+ return status;
+ }
+
result->unix_name = talloc_strdup(result, unix_username);
result->sanitized_username = sanitize_username(result, unix_username);
@@ -614,10 +628,13 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
nt_errstr(status)));
+ TALLOC_FREE(sampass);
TALLOC_FREE(result);
return status;
}
+ TALLOC_FREE(sampass);
+
/*
* The SID returned in server_info->sam_account is based
* on our SAM sid even though for a pure UNIX account this should
@@ -661,6 +678,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
return NT_STATUS_NO_SUCH_USER;
}
+ /* FIXME: add to info3 too ? */
status = add_sid_to_array_unique(result, &u_sid,
&result->sids,
&result->num_sids);
@@ -812,13 +830,8 @@ struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
src->lm_session_key.length);
- dst->sam_account = samu_new(NULL);
- if (!dst->sam_account) {
- TALLOC_FREE(dst);
- return NULL;
- }
-
- if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) {
+ dst->info3 = copy_netr_SamInfo3(dst, src->info3);
+ if (!dst->info3) {
TALLOC_FREE(dst);
return NULL;
}
@@ -901,15 +914,12 @@ bool copy_current_user(struct current_user *dst, struct current_user *src)
/***************************************************************************
Purely internal function for make_server_info_info3
- Fill the sam account from getpwnam
***************************************************************************/
-static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
- const char *domain,
- const char *username,
- char **found_username,
- uid_t *uid, gid_t *gid,
- struct samu *account,
- bool *username_was_mapped)
+
+static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
+ const char *username, char **found_username,
+ uid_t *uid, gid_t *gid,
+ bool *username_was_mapped)
{
struct smbd_server_connection *sconn = smbd_server_conn;
NTSTATUS nt_status;
@@ -923,7 +933,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
lower_username);
- /* Get the passwd struct. Try to create the account is necessary. */
+ /* Get the passwd struct. Try to create the account if necessary. */
*username_was_mapped = map_username(sconn, dom_user);
@@ -941,10 +951,6 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
*found_username = talloc_strdup( mem_ctx, real_username );
- DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username));
-
- nt_status = samu_set_unix( account, passwd );
-
TALLOC_FREE(passwd);
return nt_status;
@@ -1051,7 +1057,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
char *found_username = NULL;
const char *nt_domain;
const char *nt_username;
- struct samu *sam_account = NULL;
struct dom_sid user_sid;
struct dom_sid group_sid;
bool username_was_mapped;
@@ -1090,8 +1095,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
nt_domain = domain;
}
- /* try to fill the SAM account.. If getpwnam() fails, then try the
- add user script (2.2.x behavior).
+ /* If getpwnam() fails try the add user script (2.2.x behavior).
We use the _unmapped_ username here in an attempt to provide
consistent username mapping behavior between kerberos and NTLM[SSP]
@@ -1102,129 +1106,18 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
that is how the current code is designed. Making the change here
is the least disruptive place. -- jerry */
- if ( !(sam_account = samu_new( NULL )) ) {
- return NT_STATUS_NO_MEMORY;
- }
-
/* this call will try to create the user if necessary */
- nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
- &found_username, &uid, &gid, sam_account,
+ nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
+ &found_username, &uid, &gid,
&username_was_mapped);
-
- /* if we still don't have a valid unix account check for
- 'map to guest = bad uid' */
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- TALLOC_FREE( sam_account );
- if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
- make_server_info_guest(NULL, server_info);
- return NT_STATUS_OK;
- }
- return nt_status;
- }
-
- if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!pdb_set_fullname(sam_account,
- info3->base.full_name.string,
- PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_logon_script(sam_account,
- info3->base.logon_script.string,
- PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_profile_path(sam_account,
- info3->base.profile_path.string,
- PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_homedir(sam_account,
- info3->base.home_directory.string,
- PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_dir_drive(sam_account,
- info3->base.home_drive.string,
- PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_acct_ctrl(sam_account, info3->base.acct_flags, PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_pass_last_set_time(
- sam_account,
- nt_time_to_unix(info3->base.last_password_change),
- PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_pass_can_change_time(
- sam_account,
- nt_time_to_unix(info3->base.allow_password_change),
- PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_pass_must_change_time(
- sam_account,
- nt_time_to_unix(info3->base.force_password_change),
- PDB_CHANGED)) {
- TALLOC_FREE(sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
result = make_server_info(NULL);
if (result == NULL) {
DEBUG(4, ("make_server_info failed!\n"));
- TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
- /* save this here to _net_sam_logon() doesn't fail (it assumes a
- valid struct samu) */
-
- result->sam_account = sam_account;
result->unix_name = talloc_strdup(result, found_username);
result->sanitized_username = sanitize_username(result,
@@ -1234,6 +1127,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
+ /* copy in the info3 */
+ result->info3 = copy_netr_SamInfo3(result, info3);
+
/* Fill in the unix info we found on the way */
result->utok.uid = uid;
@@ -1294,237 +1190,16 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
const struct wbcAuthUserInfo *info,
struct auth_serversupplied_info **server_info)
{
- static const char zeros[16] = {0, };
-
- NTSTATUS nt_status = NT_STATUS_OK;
- char *found_username = NULL;
- const char *nt_domain;
- const char *nt_username;
- struct samu *sam_account = NULL;
- struct dom_sid user_sid;
- struct dom_sid group_sid;
- bool username_was_mapped;
- uint32_t i;
-
- uid_t uid = (uid_t)-1;
- gid_t gid = (gid_t)-1;
-
- struct auth_serversupplied_info *result;
-
- result = make_server_info(NULL);
- if (result == NULL) {
- DEBUG(4, ("make_server_info failed!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- /*
- Here is where we should check the list of
- trusted domains, and verify that the SID
- matches.
- */
-
- memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid));
- memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid));
+ struct netr_SamInfo3 *info3;
- if (info->account_name) {
- nt_username = talloc_strdup(result, info->account_name);
- } else {
- /* If the server didn't give us one, just use the one we sent
- * them */
- nt_username = talloc_strdup(result, sent_nt_username);
- }
- if (!nt_username) {
- TALLOC_FREE(result);
+ info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info);
+ if (!info3) {
return NT_STATUS_NO_MEMORY;
}
- if (info->domain_name) {
- nt_domain = talloc_strdup(result, info->domain_name);
- } else {
- /* If the server didn't give us one, just use the one we sent
- * them */
- nt_domain = talloc_strdup(result, domain);
- }
- if (!nt_domain) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- /* try to fill the SAM account.. If getpwnam() fails, then try the
- add user script (2.2.x behavior).
-
- We use the _unmapped_ username here in an attempt to provide
- consistent username mapping behavior between kerberos and NTLM[SSP]
- authentication in domain mode security. I.E. Username mapping
- should be applied to the fully qualified username
- (e.g. DOMAIN\user) and not just the login name. Yes this means we
- called map_username() unnecessarily in make_user_info_map() but
- that is how the current code is designed. Making the change here
- is the least disruptive place. -- jerry */
-
- if ( !(sam_account = samu_new( result )) ) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- /* this call will try to create the user if necessary */
-
- nt_status = fill_sam_account(result, nt_domain, sent_nt_username,
- &found_username, &uid, &gid, sam_account,
- &username_was_mapped);
-
- /* if we still don't have a valid unix account check for
- 'map to guest = bad uid' */
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- TALLOC_FREE( result );
- if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
- make_server_info_guest(NULL, server_info);
- return NT_STATUS_OK;
- }
- return nt_status;
- }
-
- if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!pdb_set_fullname(sam_account, info->full_name, PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_logon_script(sam_account, info->logon_script, PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_profile_path(sam_account, info->profile_path, PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_homedir(sam_account, info->home_directory, PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_dir_drive(sam_account, info->home_drive, PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_acct_ctrl(sam_account, info->acct_flags, PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_pass_last_set_time(
- sam_account,
- nt_time_to_unix(info->pass_last_set_time),
- PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_pass_can_change_time(
- sam_account,
- nt_time_to_unix(info->pass_can_change_time),
- PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_set_pass_must_change_time(
- sam_account,
- nt_time_to_unix(info->pass_must_change_time),
- PDB_CHANGED)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- /* save this here to _net_sam_logon() doesn't fail (it assumes a
- valid struct samu) */
-
- result->sam_account = sam_account;
- result->unix_name = talloc_strdup(result, found_username);
-
- result->sanitized_username = sanitize_username(result,
- result->unix_name);
- result->login_server = talloc_strdup(result, info->logon_server);
-
- if ((result->unix_name == NULL)
- || (result->sanitized_username == NULL)
- || (result->login_server == NULL)) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- /* Fill in the unix info we found on the way */
-
- result->utok.uid = uid;
- result->utok.gid = gid;
-
- /* Create a 'combined' list of all SIDs we might want in the SD */
-
- result->num_sids = info->num_sids - 2;
- result->sids = talloc_array(result, struct dom_sid, result->num_sids);
- if (result->sids == NULL) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- for (i=0; i < result->num_sids; i++) {
- memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i]));
- }
-
- /* Ensure the primary group sid is at position 0. */
- sort_sid_array_for_smbd(result, &group_sid);
-
- /* ensure we are never given NULL session keys */
-
- if (memcmp(info->user_session_key, zeros, sizeof(zeros)) == 0) {
- result->user_session_key = data_blob_null;
- } else {
- result->user_session_key = data_blob_talloc(
- result, info->user_session_key,
- sizeof(info->user_session_key));
- }
-
- if (memcmp(info->lm_session_key, zeros, 8) == 0) {
- result->lm_session_key = data_blob_null;
- } else {
- result->lm_session_key = data_blob_talloc(
- result, info->lm_session_key,
- sizeof(info->lm_session_key));
- }
-
- result->nss_token |= username_was_mapped;
-
- *server_info = result;
-
- return NT_STATUS_OK;
+ return make_server_info_info3(mem_ctx,
+ sent_nt_username, domain,
+ server_info, info3);
}
/**
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index d7ab19c58b..e9ccdb6700 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -23,9 +23,10 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
+/* FIXME: do we really still need this ? */
static int server_info_dtor(struct auth_serversupplied_info *server_info)
{
- TALLOC_FREE(server_info->sam_account);
+ TALLOC_FREE(server_info->info3);
ZERO_STRUCTP(server_info);
return 0;
}
@@ -55,211 +56,45 @@ struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
return result;
}
-/*******************************************************************
- gets a domain user's groups from their already-calculated NT_USER_TOKEN
- ********************************************************************/
-
-static NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx,
- const struct dom_sid *domain_sid,
- size_t num_sids,
- const struct dom_sid *sids,
- int *numgroups,
- struct samr_RidWithAttribute **pgids)
-{
- int i;
-
- *numgroups=0;
- *pgids = NULL;
-
- for (i=0; i<num_sids; i++) {
- struct samr_RidWithAttribute gid;
- if (!sid_peek_check_rid(domain_sid, &sids[i], &gid.rid)) {
- continue;
- }
- gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
- SE_GROUP_ENABLED);
- ADD_TO_ARRAY(mem_ctx, struct samr_RidWithAttribute,
- gid, pgids, numgroups);
- if (*pgids == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- }
- return NT_STATUS_OK;
-}
-
/****************************************************************************
- inits a netr_SamBaseInfo structure from an auth_serversupplied_info.
+ inits a netr_SamInfo2 structure from an auth_serversupplied_info. sam2 must
+ already be initialized and is used as the talloc parent for its members.
*****************************************************************************/
-static NTSTATUS serverinfo_to_SamInfo_base(TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
- struct netr_SamBaseInfo *base)
+NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
+ uint8_t *pipe_session_key,
+ size_t pipe_session_key_len,
+ struct netr_SamInfo2 *sam2)
{
- struct samu *sampw;
- struct samr_RidWithAttribute *gids = NULL;
- const struct dom_sid *user_sid = NULL;
- const struct dom_sid *group_sid = NULL;
- struct dom_sid domain_sid;
- uint32 user_rid, group_rid;
- NTSTATUS status;
-
- int num_gids = 0;
- const char *my_name;
-
- struct netr_UserSessionKey user_session_key;
- struct netr_LMSessionKey lm_session_key;
-
- NTTIME last_logon, last_logoff, acct_expiry, last_password_change;
- NTTIME allow_password_change, force_password_change;
- struct samr_RidWithAttributeArray groups;
- int i;
- struct dom_sid2 *sid = NULL;
-
- ZERO_STRUCT(user_session_key);
- ZERO_STRUCT(lm_session_key);
-
- sampw = server_info->sam_account;
-
- user_sid = pdb_get_user_sid(sampw);
- group_sid = pdb_get_group_sid(sampw);
-
- if (pipe_session_key && pipe_session_key_len != 16) {
- DEBUG(0,("serverinfo_to_SamInfo3: invalid "
- "pipe_session_key_len[%zu] != 16\n",
- pipe_session_key_len));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- if ((user_sid == NULL) || (group_sid == NULL)) {
- DEBUG(1, ("_netr_LogonSamLogon: User without group or user SID\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- sid_copy(&domain_sid, user_sid);
- sid_split_rid(&domain_sid, &user_rid);
+ struct netr_SamInfo3 *info3;
- sid = sid_dup_talloc(mem_ctx, &domain_sid);
- if (!sid) {
+ info3 = copy_netr_SamInfo3(sam2, server_info->info3);
+ if (!info3) {
return NT_STATUS_NO_MEMORY;
}
- if (!sid_peek_check_rid(&domain_sid, group_sid, &group_rid)) {
- DEBUG(1, ("_netr_LogonSamLogon: user %s\\%s has user sid "
- "%s\n but group sid %s.\n"
- "The conflicting domain portions are not "
- "supported for NETLOGON calls\n",
- pdb_get_domain(sampw),
- pdb_get_username(sampw),
- sid_string_dbg(user_sid),
- sid_string_dbg(group_sid)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if(server_info->login_server) {
- my_name = server_info->login_server;
- } else {
- my_name = global_myname();
- }
-
- status = nt_token_to_group_list(mem_ctx, &domain_sid,
- server_info->num_sids,
- server_info->sids,
- &num_gids, &gids);
-
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
if (server_info->user_session_key.length) {
- memcpy(user_session_key.key,
+ memcpy(info3->base.key.key,
server_info->user_session_key.data,
- MIN(sizeof(user_session_key.key),
+ MIN(sizeof(info3->base.key.key),
server_info->user_session_key.length));
if (pipe_session_key) {
- arcfour_crypt(user_session_key.key, pipe_session_key, 16);
+ arcfour_crypt(info3->base.key.key,
+ pipe_session_key, 16);
}
}
if (server_info->lm_session_key.length) {
- memcpy(lm_session_key.key,
+ memcpy(info3->base.LMSessKey.key,
server_info->lm_session_key.data,
- MIN(sizeof(lm_session_key.key),
+ MIN(sizeof(info3->base.LMSessKey.key),
server_info->lm_session_key.length));
if (pipe_session_key) {
- arcfour_crypt(lm_session_key.key, pipe_session_key, 8);
+ arcfour_crypt(info3->base.LMSessKey.key,
+ pipe_session_key, 8);
}
}
- groups.count = num_gids;
- groups.rids = TALLOC_ARRAY(mem_ctx, struct samr_RidWithAttribute, groups.count);
- if (!groups.rids) {
- return NT_STATUS_NO_MEMORY;
- }
-
- for (i=0; i < groups.count; i++) {
- groups.rids[i].rid = gids[i].rid;
- groups.rids[i].attributes = gids[i].attributes;
- }
-
- unix_to_nt_time(&last_logon, pdb_get_logon_time(sampw));
- unix_to_nt_time(&last_logoff, get_time_t_max());
- unix_to_nt_time(&acct_expiry, get_time_t_max());
- unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(sampw));
- unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(sampw));
- unix_to_nt_time(&force_password_change, pdb_get_pass_must_change_time(sampw));
-
- base->last_logon = last_logon;
- base->last_logoff = last_logoff;
- base->acct_expiry = acct_expiry;
- base->last_password_change = last_password_change;
- base->allow_password_change = allow_password_change;
- base->force_password_change = force_password_change;
- base->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(sampw));
- base->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(sampw));
- base->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(sampw));
- base->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(sampw));
- base->home_directory.string = talloc_strdup(mem_ctx, pdb_get_homedir(sampw));
- base->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(sampw));
- base->logon_count = 0; /* ?? */
- base->bad_password_count = 0; /* ?? */
- base->rid = user_rid;
- base->primary_gid = group_rid;
- base->groups = groups;
- base->user_flags = NETLOGON_EXTRA_SIDS;
- base->key = user_session_key;
- base->logon_server.string = talloc_strdup(mem_ctx, my_name);
- base->domain.string = talloc_strdup(mem_ctx, pdb_get_domain(sampw));
- base->domain_sid = sid;
- base->LMSessKey = lm_session_key;
- base->acct_flags = pdb_get_acct_ctrl(sampw);
-
- ZERO_STRUCT(user_session_key);
- ZERO_STRUCT(lm_session_key);
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************************
- inits a netr_SamInfo2 structure from an auth_serversupplied_info. sam2 must
- already be initialized and is used as the talloc parent for its members.
-*****************************************************************************/
-
-NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
- uint8_t *pipe_session_key,
- size_t pipe_session_key_len,
- struct netr_SamInfo2 *sam2)
-{
- NTSTATUS status;
-
- status = serverinfo_to_SamInfo_base(sam2,
- server_info,
- pipe_session_key,
- pipe_session_key_len,
- &sam2->base);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ sam2->base = info3->base;
return NT_STATUS_OK;
}
@@ -274,17 +109,36 @@ NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info,
size_t pipe_session_key_len,
struct netr_SamInfo3 *sam3)
{
- NTSTATUS status;
+ struct netr_SamInfo3 *info3;
- status = serverinfo_to_SamInfo_base(sam3,
- server_info,
- pipe_session_key,
- pipe_session_key_len,
- &sam3->base);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ info3 = copy_netr_SamInfo3(sam3, server_info->info3);
+ if (!info3) {
+ return NT_STATUS_NO_MEMORY;
}
+ if (server_info->user_session_key.length) {
+ memcpy(info3->base.key.key,
+ server_info->user_session_key.data,
+ MIN(sizeof(info3->base.key.key),
+ server_info->user_session_key.length));
+ if (pipe_session_key) {
+ arcfour_crypt(info3->base.key.key,
+ pipe_session_key, 16);
+ }
+ }
+ if (server_info->lm_session_key.length) {
+ memcpy(info3->base.LMSessKey.key,
+ server_info->lm_session_key.data,
+ MIN(sizeof(info3->base.LMSessKey.key),
+ server_info->lm_session_key.length));
+ if (pipe_session_key) {
+ arcfour_crypt(info3->base.LMSessKey.key,
+ pipe_session_key, 8);
+ }
+ }
+
+ sam3->base = info3->base;
+
sam3->sidcount = 0;
sam3->sids = NULL;
@@ -301,8 +155,8 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
size_t pipe_session_key_len,
struct netr_SamInfo6 *sam6)
{
- NTSTATUS status;
struct pdb_domain_info *dominfo;
+ struct netr_SamInfo3 *info3;
if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
DEBUG(10,("Not adding validation info level 6 "
@@ -315,14 +169,33 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
return NT_STATUS_NO_MEMORY;
}
- status = serverinfo_to_SamInfo_base(sam6,
- server_info,
- pipe_session_key,
- pipe_session_key_len,
- &sam6->base);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ info3 = copy_netr_SamInfo3(sam6, server_info->info3);
+ if (!info3) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (server_info->user_session_key.length) {
+ memcpy(info3->base.key.key,
+ server_info->user_session_key.data,
+ MIN(sizeof(info3->base.key.key),
+ server_info->user_session_key.length));
+ if (pipe_session_key) {
+ arcfour_crypt(info3->base.key.key,
+ pipe_session_key, 16);
+ }
}
+ if (server_info->lm_session_key.length) {
+ memcpy(info3->base.LMSessKey.key,
+ server_info->lm_session_key.data,
+ MIN(sizeof(info3->base.LMSessKey.key),
+ server_info->lm_session_key.length));
+ if (pipe_session_key) {
+ arcfour_crypt(info3->base.LMSessKey.key,
+ pipe_session_key, 8);
+ }
+ }
+
+ sam6->base = info3->base;
sam6->sidcount = 0;
sam6->sids = NULL;
@@ -333,7 +206,7 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
}
sam6->principle.string = talloc_asprintf(sam6, "%s@%s",
- pdb_get_username(server_info->sam_account),
+ sam6->base.account_name.string,
sam6->dns_domainname.string);
if (sam6->principle.string == NULL) {
return NT_STATUS_NO_MEMORY;
diff --git a/source3/auth/server_info_sam.c b/source3/auth/server_info_sam.c
index c6e7522011..4dd3156fe5 100644
--- a/source3/auth/server_info_sam.c
+++ b/source3/auth/server_info_sam.c
@@ -77,7 +77,13 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
return NT_STATUS_NO_SUCH_USER;
}
- result->sam_account = sampass;
+ status = samu_to_SamInfo3(result, sampass,
+ global_myname(), &result->info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(result);
+ return status;
+ }
+
result->unix_name = pwd->pw_name;
/* Ensure that we keep pwd->pw_name, because we will free pwd below */
talloc_steal(result, pwd->pw_name);
@@ -128,7 +134,6 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
nt_errstr(status)));
- result->sam_account = NULL; /* Don't free on error exit. */
TALLOC_FREE(result);
return status;
}
diff --git a/source3/include/auth.h b/source3/include/auth.h
index 9f49fcc478..7996fafe40 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -58,7 +58,7 @@ struct auth_serversupplied_info {
char *login_server; /* which server authorized the login? */
- struct samu *sam_account;
+ struct netr_SamInfo3 *info3;
void *pam_handle;
diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c
index 0772215a28..d7ae3976bf 100644
--- a/source3/modules/vfs_expand_msdfs.c
+++ b/source3/modules/vfs_expand_msdfs.c
@@ -147,7 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
- pdb_get_domain(conn->server_info->sam_account),
+ conn->server_info->info3->base.domain.string,
targethost);
DEBUG(10, ("Expanded targethost to %s\n", targethost));
diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index a89b95f05c..9c665c81a0 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -396,7 +396,7 @@ static char *audit_prefix(TALLOC_CTX *ctx, connection_struct *conn)
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
- pdb_get_domain(conn->server_info->sam_account),
+ conn->server_info->info3->base.domain.string,
prefix);
TALLOC_FREE(prefix);
return result;
diff --git a/source3/modules/vfs_recycle.c b/source3/modules/vfs_recycle.c
index fb009a148f..3cd1f9dc80 100644
--- a/source3/modules/vfs_recycle.c
+++ b/source3/modules/vfs_recycle.c
@@ -467,7 +467,7 @@ static int recycle_unlink(vfs_handle_struct *handle,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
- pdb_get_domain(conn->server_info->sam_account),
+ conn->server_info->info3->base.domain.string,
recycle_repository(handle));
ALLOC_CHECK(repository, done);
/* shouldn't we allow absolute path names here? --metze */
diff --git a/source3/modules/vfs_smb_traffic_analyzer.c b/source3/modules/vfs_smb_traffic_analyzer.c
index 75450c79df..6384c97856 100644
--- a/source3/modules/vfs_smb_traffic_analyzer.c
+++ b/source3/modules/vfs_smb_traffic_analyzer.c
@@ -356,8 +356,8 @@ static char *smb_traffic_analyzer_create_string( TALLOC_CTX *ctx,
(unsigned int) strlen(handle->conn->connectpath),
handle->conn->connectpath,
(unsigned int)
- strlen(pdb_get_domain(handle->conn->server_info->sam_account)),
- pdb_get_domain(handle->conn->server_info->sam_account),
+ strlen(handle->conn->server_info->info3->base.domain.string),
+ handle->conn->server_info->info3->base.domain.string,
(unsigned int) strlen(timestr),
timestr);
@@ -460,7 +460,7 @@ static void smb_traffic_analyzer_send_data(vfs_handle_struct *handle,
"\"%04d-%02d-%02d %02d:%02d:%02d.%03d\"\n",
(unsigned int) s_data->len,
username,
- pdb_get_domain(handle->conn->server_info->sam_account),
+ handle->conn->server_info->info3->base.domain.string,
Write ? 'W' : 'R',
handle->conn->connectpath,
s_data->filename,
diff --git a/source3/printing/printing.c b/source3/printing/printing.c
index b0f22c9b6f..05728d1731 100644
--- a/source3/printing/printing.c
+++ b/source3/printing/printing.c
@@ -2487,7 +2487,7 @@ uint32 print_job_start(struct auth_serversupplied_info *server_info, int snum,
standard_sub_advanced(sharename, server_info->sanitized_username,
path, server_info->utok.gid,
server_info->sanitized_username,
- pdb_get_domain(server_info->sam_account),
+ server_info->info3->base.domain.string,
pjob.user, sizeof(pjob.user)-1);
/* ensure NULL termination */
pjob.user[sizeof(pjob.user)-1] = '\0';
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index e3e0dcb4ae..7e00e7aa33 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -1654,7 +1654,7 @@ NTSTATUS _lsa_GetUserName(pipes_struct *p,
}
} else {
username = p->server_info->sanitized_username;
- domname = pdb_get_domain(p->server_info->sam_account);
+ domname = p->server_info->info3->base.domain.string;
}
account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index a039b08869..ec6ade661f 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -194,7 +194,7 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
return WERR_INVALID_PARAM;
}
- acct_ctrl = pdb_get_acct_ctrl(p->server_info->sam_account);
+ acct_ctrl = p->server_info->info3->base.acct_flags;
switch (r->in.function_code) {
case NETLOGON_CONTROL_TC_VERIFY:
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index 77ed2d422f..c0bc9090b8 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -113,7 +113,7 @@ static int CopyExpanded(connection_struct *conn,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
- pdb_get_domain(conn->server_info->sam_account),
+ conn->server_info->info3->base.domain.string,
buf);
if (!buf) {
*p_space_remaining = 0;
@@ -164,7 +164,7 @@ static int StrlenExpanded(connection_struct *conn, int snum, char *s)
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
- pdb_get_domain(conn->server_info->sam_account),
+ conn->server_info->info3->base.domain.string,
buf);
if (!buf) {
return 0;
@@ -4455,8 +4455,9 @@ static bool api_WWkstaUserLogon(connection_struct *conn,uint16 vuid,
}
PACKS(&desc,"z",lp_workgroup());/* domain */
- PACKS(&desc,"z", vuser ? pdb_get_logon_script(
- vuser->server_info->sam_account) : ""); /* script path */
+ PACKS(&desc,"z", vuser ?
+ vuser->server_info->info3->base.logon_script.string
+ : ""); /* script path */
PACKI(&desc,"D",0x00000000); /* reserved */
}
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 5cf290c158..809a913d6c 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -274,12 +274,12 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
(unsigned int)vuser->server_info->utok.gid,
vuser->server_info->unix_name,
vuser->server_info->sanitized_username,
- pdb_get_domain(vuser->server_info->sam_account),
+ vuser->server_info->info3->base.domain.string,
vuser->server_info->guest ));
DEBUG(3, ("register_existing_vuid: User name: %s\t"
"Real name: %s\n", vuser->server_info->unix_name,
- pdb_get_fullname(vuser->server_info->sam_account)));
+ vuser->server_info->info3->base.full_name.string));
if (!vuser->server_info->ptok) {
DEBUG(1, ("register_existing_vuid: server_info does not "
@@ -324,7 +324,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
set_current_user_info(
vuser->server_info->sanitized_username,
vuser->server_info->unix_name,
- pdb_get_domain(vuser->server_info->sam_account));
+ vuser->server_info->info3->base.domain.string);
return vuser->vuid;
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index ed70b9cdd8..c8497577a4 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1451,8 +1451,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
set_current_user_info(
vuser->server_info->sanitized_username,
vuser->server_info->unix_name,
- pdb_get_domain(vuser->server_info
- ->sam_account));
+ vuser->server_info->info3->base.domain.string);
}
}
}
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 689f0e2f07..afd9cad27d 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -589,7 +589,7 @@ static NTSTATUS create_connection_server_info(struct smbd_server_connection *sco
}
} else {
if (!user_ok_token(vuid_serverinfo->unix_name,
- pdb_get_domain(vuid_serverinfo->sam_account),
+ vuid_serverinfo->info3->base.domain.string,
vuid_serverinfo->ptok, snum)) {
DEBUG(2, ("user '%s' (from session setup) not "
"permitted to access this share "
@@ -788,7 +788,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
- pdb_get_domain(conn->server_info->sam_account),
+ conn->server_info->info3->base.domain.string,
lp_pathname(snum));
if (!s) {
*pstatus = NT_STATUS_NO_MEMORY;
@@ -915,7 +915,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
- pdb_get_domain(conn->server_info->sam_account),
+ conn->server_info->info3->base.domain.string,
lp_rootpreexec(snum));
DEBUG(5,("cmd=%s\n",cmd));
ret = smbrun(cmd,NULL);
@@ -953,7 +953,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
- pdb_get_domain(conn->server_info->sam_account),
+ conn->server_info->info3->base.domain.string,
lp_preexec(snum));
ret = smbrun(cmd,NULL);
TALLOC_FREE(cmd);
@@ -1257,7 +1257,7 @@ void close_cnum(connection_struct *conn, uint16 vuid)
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
- pdb_get_domain(conn->server_info->sam_account),
+ conn->server_info->info3->base.domain.string,
lp_postexec(SNUM(conn)));
smbrun(cmd,NULL);
TALLOC_FREE(cmd);
@@ -1273,7 +1273,7 @@ void close_cnum(connection_struct *conn, uint16 vuid)
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
- pdb_get_domain(conn->server_info->sam_account),
+ conn->server_info->info3->base.domain.string,
lp_rootpostexec(SNUM(conn)));
smbrun(cmd,NULL);
TALLOC_FREE(cmd);
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index df39aed0ed..a561e3a593 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -529,9 +529,9 @@ static void reply_spnego_kerberos(struct smb_request *req,
* we end up with the local netbios name in substitutions for
* %D. */
- if (server_info->sam_account != NULL) {
- pdb_set_domain(server_info->sam_account,
- domain, PDB_SET);
+ if (server_info->info3 != NULL) {
+ server_info->info3->base.domain.string =
+ talloc_strdup(server_info->info3, domain);
}
}
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 92e77a5ff2..7ac003fad6 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -371,9 +371,9 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
* we end up with the local netbios name in substitutions for
* %D. */
- if (session->server_info->sam_account != NULL) {
- pdb_set_domain(session->server_info->sam_account,
- domain, PDB_SET);
+ if (session->server_info->info3 != NULL) {
+ session->server_info->info3->base.domain.string =
+ talloc_strdup(session->server_info->info3, domain);
}
}
@@ -979,7 +979,7 @@ NTSTATUS smbd_smb2_request_check_session(struct smbd_smb2_request *req)
set_current_user_info(session->server_info->sanitized_username,
session->server_info->unix_name,
- pdb_get_domain(session->server_info->sam_account));
+ session->server_info->info3->base.domain.string);
req->session = session;
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 5e61098ecb..f34ec5540a 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -104,13 +104,13 @@ static bool check_user_ok(connection_struct *conn,
}
if (!user_ok_token(server_info->unix_name,
- pdb_get_domain(server_info->sam_account),
+ server_info->info3->base.domain.string,
server_info->ptok, snum))
return(False);
readonly_share = is_share_read_only_for_token(
server_info->unix_name,
- pdb_get_domain(server_info->sam_account),
+ server_info->info3->base.domain.string,
server_info->ptok,
conn);
@@ -132,7 +132,7 @@ static bool check_user_ok(connection_struct *conn,
admin_user = token_contains_name_in_list(
server_info->unix_name,
- pdb_get_domain(server_info->sam_account),
+ server_info->info3->base.domain.string,
NULL, server_info->ptok, lp_admin_users(snum));
if (valid_vuid) {