diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-05-18 14:19:17 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:16:55 -0500 |
commit | db169af3b71c7b9911a64873a5ec9b7d304acf35 (patch) | |
tree | 5557c4c176d259606b261753183cdd4febc4d5af | |
parent | ab92b82d83db4e6a812d048f02fa4ffffeec8691 (diff) | |
download | samba-db169af3b71c7b9911a64873a5ec9b7d304acf35.tar.gz samba-db169af3b71c7b9911a64873a5ec9b7d304acf35.tar.bz2 samba-db169af3b71c7b9911a64873a5ec9b7d304acf35.zip |
r6883: Move to what simo assures me is the 'correct' way to find the NetBIOS
and long names for a domain.
Add servicePrincipalName mapping table (administrator configurable),
in the same spot as microsoft uses.
Andrew Bartlett
(This used to be commit c25e78b4b34384a3a79a920f50f01be696a048ba)
-rw-r--r-- | source4/auth/auth_sam.c | 47 | ||||
-rw-r--r-- | source4/setup/provision.ldif | 52 |
2 files changed, 81 insertions, 18 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c index 947de1ef8c..24007d1eb7 100644 --- a/source4/auth/auth_sam.c +++ b/source4/auth/auth_sam.c @@ -179,6 +179,7 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, void *sam_ctx, struct ldb_message ***ret_msgs, struct ldb_message ***ret_msgs_domain) { + struct ldb_message **msgs_tmp; struct ldb_message **msgs; struct ldb_message **msgs_domain; @@ -210,12 +211,12 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, void *sam_ctx, NULL, }; - const char *domain_attrs[] = {"flatname", "objectSid"}; + const char *domain_attrs[] = {"nETBIOSName", "nCName"}; if (domain_name) { /* find the domain's DN */ ret_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, - "(|(&(dnsDomain=%s)(objectClass=domainDNS))(&(flatname=%s)(objectclass=domain)))", + "(&(&(|(&(dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*))", domain_name, domain_name); if (ret_domain == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; @@ -233,7 +234,7 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, void *sam_ctx, return NT_STATUS_INTERNAL_DB_CORRUPTION; } - domain_dn = msgs_domain[0]->dn; + domain_dn = samdb_result_string(msgs_domain[0], "nCName", NULL); } /* pull the user attributes */ @@ -264,24 +265,44 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, void *sam_ctx, } /* find the domain's DN */ + ret = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_tmp, NULL, + "(&(objectSid=%s)(objectclass=domain))", + domain_sid); + if (ret == -1) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + if (ret == 0) { + DEBUG(3,("check_sam_security: Couldn't find domain_sid [%s] in passdb file.\n", + domain_sid)); + return NT_STATUS_NO_SUCH_USER; + } + + if (ret > 1) { + DEBUG(0,("Found %d records matching domain_sid [%s]\n", + ret, domain_sid)); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + ret_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, - "(&(objectSid=%s)(objectclass=domain))", - domain_sid); + "(nCName=%s)", msgs_tmp[0]->dn); + if (ret_domain == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } if (ret_domain == 0) { DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", - domain_sid)); + msgs_tmp[0]->dn)); return NT_STATUS_NO_SUCH_USER; } if (ret_domain > 1) { DEBUG(0,("Found %d records matching domain [%s]\n", - ret_domain, domain_sid)); + ret_domain, msgs_tmp[0]->dn)); return NT_STATUS_INTERNAL_DB_CORRUPTION; } + } *ret_msgs = msgs; @@ -304,7 +325,7 @@ static NTSTATUS authsam_authenticate(const struct auth_context *auth_context, NTTIME last_set_time; struct samr_Password *lm_pwd, *nt_pwd; NTSTATUS nt_status; - const char *domain_dn = msgs_domain[0]->dn; + const char *domain_dn = samdb_result_string(msgs_domain[0], "nCName", ""); acct_flags = samdb_result_acct_flags(msgs[0], "sAMAcctFlags"); @@ -355,7 +376,7 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, void *sam_ctx, struct dom_sid **groupSIDs = NULL; struct dom_sid *account_sid; struct dom_sid *primary_group_sid; - const char *str; + const char *str, *ncname; int i; uint_t rid; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); @@ -412,7 +433,7 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, void *sam_ctx, server_info->account_name = talloc_reference(server_info, samdb_result_string(msgs[0], "sAMAccountName", NULL)); - server_info->domain_name = talloc_reference(server_info, samdb_result_string(msgs_domain[0], "flatname", NULL)); + server_info->domain_name = talloc_reference(server_info, samdb_result_string(msgs_domain[0], "nETBIOSName", NULL)); str = samdb_result_string(msgs[0], "displayName", ""); server_info->full_name = talloc_strdup(server_info, str); @@ -439,10 +460,12 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, void *sam_ctx, server_info->acct_expiry = samdb_result_nttime(msgs[0], "accountExpires", 0); server_info->last_password_change = samdb_result_nttime(msgs[0], "pwdLastSet", 0); + ncname = samdb_result_string(msgs_domain[0], "nCName", ""); + server_info->allow_password_change = samdb_result_allow_password_change(sam_ctx, mem_ctx, - msgs_domain[0]->dn, msgs[0], "pwdLastSet"); + ncname, msgs[0], "pwdLastSet"); server_info->force_password_change = samdb_result_force_password_change(sam_ctx, mem_ctx, - msgs_domain[0]->dn, msgs[0], "pwdLastSet"); + ncname, msgs[0], "pwdLastSet"); server_info->logon_count = samdb_result_uint(msgs[0], "logonCount", 0); server_info->bad_password_count = samdb_result_uint(msgs[0], "badPwdCount", 0); diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index ca0c7f9051..bce690c482 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif @@ -9,10 +9,10 @@ dn: @INDEXLIST @IDXATTR: privilege dn: @ATTRIBUTES -realm: CASE_INSENSITIVE userPrincipalName: CASE_INSENSITIVE servicePrincipalName: CASE_INSENSITIVE dnsDomain: CASE_INSENSITIVE +dnsRoot: CASE_INSENSITIVE cn: CASE_INSENSITIVE dc: CASE_INSENSITIVE name: CASE_INSENSITIVE @@ -56,7 +56,6 @@ objectClass: domain objectClass: domainDNS name: ${DOMAIN} flatname: ${DOMAIN} -realm: ${REALM} dnsDomain: ${DNSDOMAIN} dc: ${DOMAIN} objectGUID: ${DOMAINGUID} @@ -614,10 +613,6 @@ isCriticalSystemObject: TRUE unicodePwd: ${JOINPASS} servicePrincipalName: HOST/${DNSNAME} servicePrincipalName: HOST/${NETBIOSNAME} -servicePrincipalName: CIFS/${DNSNAME} -servicePrincipalName: CIFS/${NETBIOSNAME} -servicePrincipalName: LDAP/${DNSNAME} -servicePrincipalName: LDAP/${NETBIOSNAME} dn: CN=krbtgt,CN=Users,${BASEDN} objectClass: top @@ -1229,6 +1224,51 @@ objectGUID: ${INVOCATIONID} invocationId: ${INVOCATIONID} msDS-Behavior-Version: 2 +dn: CN=Services,CN=Configuration,${BASEDN} +objectClass: top +objectClass: container +cn: Services +instanceType: 4 +whenCreated: ${LDAPTIME} +whenChanged: ${LDAPTIME} +uSNCreated: ${USN} +uSNChanged: ${USN} +showInAdvancedViewOnly: TRUE +name: Services +systemFlags: 0x80000000 +objectCategory: CN=Container,CN=Schema,CN=Configuration,${BASEDN} +objectGUID: ${INVOCATIONID} + +dn: CN=Windows NT,CN=Services,CN=Configuration,${BASEDN} +objectClass: top +objectClass: container +cn: Windows NT +instanceType: 4 +whenCreated: ${LDAPTIME} +whenChanged: ${LDAPTIME} +uSNCreated: ${USN} +uSNChanged: ${USN} +showInAdvancedViewOnly: TRUE +name: Windows NT +objectCategory: CN=Container,CN=Schema,CN=Configuration,${BASEDN} +objectGUID: ${INVOCATIONID} + +dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,${BASEDN} +objectClass: top +objectClass: nTDSService +cn: Directory Service +instanceType: 4 +whenCreated: ${LDAPTIME} +whenChanged: ${LDAPTIME} +uSNCreated: ${USN} +uSNChanged: ${USN} +showInAdvancedViewOnly: TRUE +name: Directory Service +objectCategory: CN=NTDS-Service,CN=Schema,CN=Configuration,${BASEDN} +objectGUID: ${INVOCATIONID} +sPNMappings: host=ldap,dns,cifs + + ############################### # Schema Naming Context ############################### |