authorAndrew Tridgell <tridge@samba.org>2005-06-24 00:18:20 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:18:44 -0500
commitbdee131f30e1bef31498b08bb648ddee35ea4892 (patch)
treec0ad71d994361020334bb280a9a5cbd31f73db5b
parent3022bfef70f4d76d3a12cfb8ee8cbdc72644b58f (diff)
r7860: switch our ldb storage format to use a NDR encoded objectSid. This is
quite a large change as we had lots of code that assumed that objectSid was a string in S- format. metze and simo tried to convince me to use NDR format months ago, but I didn't listen, so it's fair that I have the pain of fixing all the code now :-) This builds on the ldb_register_samba_handlers() and ldif handlers code I did earlier this week. There are still three parts of this conversion I have not finished: - the ltdb index records need to use the string form of the objectSid (to keep the DNs sane). Until that is done I have disabled indexing on objectSid, which is a big performance hit, but allows us to pass all our tests while I rejig the indexing system to use an externally supplied conversion function - I haven't yet put in place the code that allows clients to use the "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3 supports this, presumably by looking for the "S-" prefix to determine what type of objectSid form is being used by the client. I have been working on ways to handle this, but am not happy with them yet so they aren't part of this patch - I need to change pidl to generate push functions that take a "const void *" instead of a "void*" for the data pointer. That will fix the couple of new warnings this code generates. Luckily in many places the conversion to NDR formatted records actually simplified the code, as it means we no longer need as many calls to dom_sid_parse_talloc(). In some places it got more complex, but not many. (This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
-rw-r--r--source4/auth/auth_sam.c15
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c51
-rw-r--r--source4/dsdb/samdb/samdb.c99
-rw-r--r--source4/dsdb/samdb/samdb_privilege.c11
-rw-r--r--source4/lib/db_wrap.c9
-rw-r--r--source4/lib/ldb/config.mk4
-rw-r--r--source4/lib/ldb/samba/ldif_handlers.c6
-rw-r--r--source4/libcli/ldap/ldap_ndr.c2
-rw-r--r--source4/ntvfs/common/sidmap.c97
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c68
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c17
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.c263
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.h4
-rw-r--r--source4/rpc_server/samr/samr_password.c10
-rw-r--r--source4/setup/provision.ldif2
15 files changed, 303 insertions, 355 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 1ad9087bfe..3318238fda 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -257,7 +257,7 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
}
if (!domain_name) {
- const char *domain_sid;
+ struct dom_sid *domain_sid;
domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid");
if (!domain_sid) {
@@ -267,20 +267,20 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
/* find the domain's DN */
ret = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_tmp, NULL,
"(&(objectSid=%s)(objectclass=domain))",
- domain_sid);
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
if (ret == -1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (ret == 0) {
DEBUG(3,("check_sam_security: Couldn't find domain_sid [%s] in passdb file.\n",
- domain_sid));
+ dom_sid_string(mem_ctx, domain_sid)));
return NT_STATUS_NO_SUCH_USER;
}
if (ret > 1) {
DEBUG(0,("Found %d records matching domain_sid [%s]\n",
- ret, domain_sid));
+ ret, dom_sid_string(mem_ctx, domain_sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -400,15 +400,14 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context
/* Need to unroll some nested groups, but not aliases */
for (i = 0; i < group_ret; i++) {
- str = ldb_msg_find_string(group_msgs[i], "objectSid", NULL);
- groupSIDs[i] = dom_sid_parse_talloc(groupSIDs, str);
+ groupSIDs[i] = samdb_result_dom_sid(groupSIDs,
+ group_msgs[i], "objectSid");
NT_STATUS_HAVE_NO_MEMORY(groupSIDs[i]);
}
talloc_free(tmp_ctx);
- str = ldb_msg_find_string(msgs[0], "objectSid", NULL);
- account_sid = dom_sid_parse_talloc(server_info, str);
+ account_sid = samdb_result_dom_sid(server_info, msgs[0], "objectSid");
NT_STATUS_HAVE_NO_MEMORY(account_sid);
primary_group_sid = dom_sid_dup(server_info, account_sid);
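Review bot: The return of `ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)` at the gendb_search call in the second hunk goes straight into the `%s` of the search filter, so a NULL from a failed allocation is handed to the formatter instead of being reported; samdb_privilege.c in this same commit checks the encoded value with `NT_STATUS_HAVE_NO_MEMORY(sidstr);` before searching, and the removed string path never had that gap because `domain_sid` was already a string. Capture it first: `const char *sid_filter = ldap_encode_ndr_dom_sid(mem_ctx, domain_sid); NT_STATUS_HAVE_NO_MEMORY(sid_filter);` and pass `sid_filter` to gendb_search. The same unchecked call feeds a filter in sidmap.c (sidmap_sid_to_unixuid and sidmap_sid_to_unixgid), dcesrv_lsa.c (lsa_lookup_sid and lsa_OpenAccount), dcerpc_netlogon.c (both netr_ServerPasswordSet variants) and dcesrv_samr.c (samr_OpenDomain). authsam_search_account starts before and continues after this hunk.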
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 5472bed107..b5440c3cd1 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -35,7 +35,8 @@
#include "includes.h"
#include "lib/ldb/include/ldb.h"
#include "lib/ldb/include/ldb_private.h"
-#include <time.h>
+#include "system/time.h"
+#include "librpc/gen_ndr/ndr_security.h"
#define SAM_ACCOUNT_NAME_BASE "$000000-000000000000"
@@ -169,14 +170,15 @@ static char *samldb_search_domain(struct ldb_module *module, TALLOC_CTX *mem_ctx
allocate a new RID for the domain
return the new sid string
*/
-static char *samldb_get_new_sid(struct ldb_module *module, TALLOC_CTX *mem_ctx, const char *obj_dn)
+static struct dom_sid *samldb_get_new_sid(struct ldb_module *module,
+ TALLOC_CTX *mem_ctx, const char *obj_dn)
{
const char * const attrs[2] = { "objectSid", NULL };
struct ldb_message **res = NULL;
- const char *dom_dn, *dom_sid;
- char *obj_sid;
+ const char *dom_dn;
uint32_t rid;
int ret, tries = 10;
+ struct dom_sid *dom_sid, *obj_sid;
/* get the domain component part of the provided dn */
@@ -197,11 +199,11 @@ static char *samldb_get_new_sid(struct ldb_module *module, TALLOC_CTX *mem_ctx,
ret = ldb_search(module->ldb, dom_dn, LDB_SCOPE_BASE, "objectSid=*", attrs, &res);
if (ret != 1) {
ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_get_new_sid: error retrieving domain sid!\n");
- if (res) talloc_free(res);
+ talloc_free(res);
return NULL;
}
- dom_sid = ldb_msg_find_string(res[0], "objectSid", NULL);
+ dom_sid = samdb_result_dom_sid(res, res[0], "objectSid");
if (dom_sid == NULL) {
ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_get_new_sid: error retrieving domain sid!\n");
talloc_free(res);
@@ -225,12 +227,10 @@ static char *samldb_get_new_sid(struct ldb_module *module, TALLOC_CTX *mem_ctx,
}
/* return the new object sid */
-
- obj_sid = talloc_asprintf(mem_ctx, "%s-%u", dom_sid, rid);
+ obj_sid = dom_sid_add_rid(mem_ctx, dom_sid, rid);
talloc_free(res);
-
return obj_sid;
}
@@ -307,6 +307,18 @@ static BOOL samldb_msg_add_string(struct ldb_module *module, struct ldb_message
return True;
}
+static BOOL samldb_msg_add_sid(struct ldb_module *module, struct ldb_message *msg, const char *name, const struct dom_sid *sid)
+{
+ struct ldb_val v;
+ NTSTATUS status;
+ status = ndr_push_struct_blob(&v, msg, sid,
+ (ndr_push_flags_fn_t)ndr_push_dom_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return -1;
+ }
+ return (ldb_msg_add_value(module->ldb, msg, name, &v) == 0);
+}
+
static BOOL samldb_find_or_add_attribute(struct ldb_module *module, struct ldb_message *msg, const char *name, const char *value, const char *set_value)
{
if (samldb_find_attribute(msg, name, value) == NULL) {
@@ -367,7 +379,7 @@ static struct ldb_message *samldb_fill_group_object(struct ldb_module *module, c
{
struct ldb_message *msg2;
struct ldb_message_element *attribute;
- char *rdn, *basedn, *sidstr;
+ char *rdn, *basedn;
if (samldb_find_attribute(msg, "objectclass", "group") == NULL) {
return NULL;
@@ -418,15 +430,17 @@ static struct ldb_message *samldb_fill_group_object(struct ldb_module *module, c
}
if ((attribute = samldb_find_attribute(msg2, "objectSid", NULL)) == NULL ) {
-
- if ((sidstr = samldb_get_new_sid(module, msg2, msg2->dn)) == NULL) {
+ struct dom_sid *sid = samldb_get_new_sid(module, msg2, msg2->dn);
+ if (sid == NULL) {
ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_group_object: internal error! Can't generate new sid\n");
return NULL;
}
- if ( ! samldb_msg_add_string(module, msg2, "objectSid", sidstr)) {
+ if (!samldb_msg_add_sid(module, msg2, "objectSid", sid)) {
+ talloc_free(sid);
return NULL;
}
+ talloc_free(sid);
}
if ( ! samldb_find_or_add_attribute(module, msg2, "sAMAccountName", NULL, samldb_generate_samAccountName(msg2))) {
@@ -444,7 +458,7 @@ static struct ldb_message *samldb_fill_user_or_computer_object(struct ldb_module
{
struct ldb_message *msg2;
struct ldb_message_element *attribute;
- char *rdn, *basedn, *sidstr;
+ char *rdn, *basedn;
if ((samldb_find_attribute(msg, "objectclass", "user") == NULL) && (samldb_find_attribute(msg, "objectclass", "computer") == NULL)) {
return NULL;
@@ -500,15 +514,18 @@ static struct ldb_message *samldb_fill_user_or_computer_object(struct ldb_module
}
if ((attribute = samldb_find_attribute(msg2, "objectSid", NULL)) == NULL ) {
-
- if ((sidstr = samldb_get_new_sid(module, msg2, msg2->dn)) == NULL) {
+ struct dom_sid *sid;
+ sid = samldb_get_new_sid(module, msg2, msg2->dn);
+ if (sid == NULL) {
ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_user_or_computer_object: internal error! Can't generate new sid\n");
return NULL;
}
- if ( ! samldb_msg_add_string(module, msg2, "objectSid", sidstr)) {
+ if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) {
+ talloc_free(sid);
return NULL;
}
+ talloc_free(sid);
}
if ( ! samldb_find_or_add_attribute(module, msg2, "sAMAccountName", NULL, samldb_generate_samAccountName(msg2))) {
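Review bot: `samldb_msg_add_sid` is declared to return `BOOL` but its ndr_push failure path does `return -1;`, which is non-zero and therefore reads as success to both callers (`if (!samldb_msg_add_sid(...))` in samldb_fill_group_object and samldb_fill_user_or_computer_object), assuming BOOL is the usual integer typedef where only zero is false. On a push failure the object would then be added without an objectSid while the caller believes one was set. Change the line to `return False;` to match the `return True;` convention of the neighbouring samldb_msg_add_string.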
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 5f9764ce42..e2426738da 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -61,17 +61,17 @@ int samdb_search_domain(struct ldb_context *sam_ldb,
while (i<count) {
struct dom_sid *entry_sid;
- entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i],
- "objectSid");
+ entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], "objectSid");
if ((entry_sid == NULL) ||
(!dom_sid_in_domain(domain_sid, entry_sid))) {
-
/* Delete that entry from the result set */
(*res)[i] = (*res)[count-1];
count -= 1;
+ talloc_free(entry_sid);
continue;
}
+ talloc_free(entry_sid);
i += 1;
}
@@ -125,6 +125,37 @@ const char *samdb_search_string(struct ldb_context *sam_ldb,
}
/*
+ search the sam for a dom_sid attribute in exactly 1 record
+*/
+struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb,
+ TALLOC_CTX *mem_ctx,
+ const char *basedn,
+ const char *attr_name,
+ const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
+{
+ va_list ap;
+ int count;
+ struct ldb_message **res;
+ const char * const attrs[2] = { attr_name, NULL };
+ struct dom_sid *sid;
+
+ va_start(ap, format);
+ count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
+ va_end(ap);
+ if (count > 1) {
+ DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
+ attr_name, format, count));
+ }
+ if (count != 1) {
+ talloc_free(res);
+ return NULL;
+ }
+ sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name);
+ talloc_free(res);
+ return sid;
+}
+
+/*
return the count of the number of records in the sam matching the query
*/
int samdb_search_count(struct ldb_context *sam_ldb,
@@ -274,16 +305,18 @@ const char *samdb_result_string(struct ldb_message *msg, const char *attr,
pull a rid from a objectSid in a result set.
*/
uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr, uint32_t default_value)
+ const char *attr, uint32_t default_value)
{
struct dom_sid *sid;
- const char *sidstr = ldb_msg_find_string(msg, attr, NULL);
- if (!sidstr) return default_value;
-
- sid = dom_sid_parse_talloc(mem_ctx, sidstr);
- if (!sid) return default_value;
+ uint32_t rid;
- return sid->sub_auths[sid->num_auths-1];
+ sid = samdb_result_dom_sid(mem_ctx, msg, attr);
+ if (sid == NULL) {
+ return default_value;
+ }
+ rid = sid->sub_auths[sid->num_auths-1];
+ talloc_free(sid);
+ return rid;
}
/*
@@ -292,10 +325,24 @@ uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr)
{
- const char *sidstr = ldb_msg_find_string(msg, attr, NULL);
- if (!sidstr) return NULL;
-
- return dom_sid_parse_talloc(mem_ctx, sidstr);
+ const struct ldb_val *v;
+ struct dom_sid *sid;
+ NTSTATUS status;
+ v = ldb_msg_find_ldb_val(msg, attr);
+ if (v == NULL) {
+ return NULL;
+ }
+ sid = talloc(mem_ctx, struct dom_sid);
+ if (sid == NULL) {
+ return NULL;
+ }
+ status = ndr_pull_struct_blob(v, sid, sid,
+ (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(sid);
+ return NULL;
+ }
+ return sid;
}
/*
@@ -324,15 +371,13 @@ struct GUID samdb_result_guid(struct ldb_message *msg, const char *attr)
pull a sid prefix from a objectSid in a result set.
this is used to find the domain sid for a user
*/
-const char *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr)
+struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
+ const char *attr)
{
struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr);
if (!sid || sid->num_auths < 1) return NULL;
-
sid->num_auths--;
-
- return dom_sid_string(mem_ctx, sid);
+ return sid;
}
/*
@@ -704,6 +749,22 @@ int samdb_msg_add_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struc
}
/*
+ add a dom_sid element to a message
+*/
+int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
+ const char *attr_name, struct dom_sid *sid)
+{
+ struct ldb_val v;
+ NTSTATUS status;
+ status = ndr_push_struct_blob(&v, mem_ctx, sid,
+ (ndr_push_flags_fn_t)ndr_push_dom_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return -1;
+ }
+ return ldb_msg_add_value(sam_ldb, msg, attr_name, &v);
+}
+
+/*
add a delete element operation to a message
*/
int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
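Review bot: `rid = sid->sub_auths[sid->num_auths-1];` in samdb_result_rid_from_sid indexes with num_auths-1 without checking that num_auths is at least 1, so a stored SID with no sub-authorities reads before the start of `sub_auths`; the value now comes straight from the database blob via ndr_pull, and whether ndr_pull_dom_sid rejects num_auths == 0 is not visible here. samdb_result_sid_prefix in the next hunk already guards with `if (!sid || sid->num_auths < 1) return NULL;`, so the two should agree: `if (sid == NULL || sid->num_auths < 1) { talloc_free(sid); return default_value; }`. Separately, samdb_search_dom_sid prints `format` with `%s` in its count>1 diagnostic, and the new call in dcesrv_lsa.c's lsa_get_policy_state passes `NULL` as the format, so that DEBUG would hand a null pointer to the formatter.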
diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c
index 77ddcbbdcd..bfd37f6417 100644
--- a/source4/dsdb/samdb/samdb_privilege.c
+++ b/source4/dsdb/samdb/samdb_privilege.c
@@ -31,29 +31,26 @@ static NTSTATUS samdb_privilege_setup_sid(void *samctx, TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
uint64_t *mask)
{
- char *sidstr;
const char * const attrs[] = { "privilege", NULL };
struct ldb_message **res = NULL;
struct ldb_message_element *el;
int ret, i;
+ char *sidstr;
*mask = 0;
- sidstr = dom_sid_string(mem_ctx, sid);
- if (sidstr == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
+ NT_STATUS_HAVE_NO_MEMORY(sidstr);
ret = gendb_search(samctx, mem_ctx, NULL, &res, attrs, "objectSid=%s", sidstr);
+ talloc_free(sidstr);
if (ret != 1) {
- talloc_free(sidstr);
/* not an error to not match */
return NT_STATUS_OK;
}
el = ldb_msg_find_element(res[0], "privilege");
if (el == NULL) {
- talloc_free(sidstr);
return NT_STATUS_OK;
}
diff --git a/source4/lib/db_wrap.c b/source4/lib/db_wrap.c
index c277f2d975..b000225bbf 100644
--- a/source4/lib/db_wrap.c
+++ b/source4/lib/db_wrap.c
@@ -102,6 +102,15 @@ struct ldb_context *ldb_wrap_connect(TALLOC_CTX *mem_ctx,
ev = talloc_find_parent_bytype(mem_ctx, struct event_context);
if (ev) {
ldb_set_opaque(ldb, "EventContext", ev);
+ } else {
+ DEBUG(0,("WARNING: event_context not found\n"));
+ talloc_show_parents(mem_ctx, stdout);
+ }
+
+ ret = ldb_register_samba_handlers(ldb);
+ if (ret == -1) {
+ talloc_free(ldb);
+ return NULL;
}
ret = ldb_connect(ldb, url, flags, options);
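Review bot: `talloc_show_parents(mem_ctx, stdout);` in the new else branch writes directly to the process's stdout from library code, bypassing the DEBUG logging used on the line above it; in a daemon stdout may be closed or redirected, so the dump lands wherever that descriptor points rather than in the log. Either remove the dump before merge or send it to the same destination as DEBUG output. The `ret == -1` test on ldb_register_samba_handlers presumably mirrors ldb_ldif_add_handlers' error convention; if that function can report failure with any non-zero value, `if (ret != 0)` would be the safer check. ldb_wrap_connect continues after this hunk.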
diff --git a/source4/lib/ldb/config.mk b/source4/lib/ldb/config.mk
index 00568aeda8..cf3a7fa93d 100644
--- a/source4/lib/ldb/config.mk
+++ b/source4/lib/ldb/config.mk
@@ -72,7 +72,7 @@ ADD_OBJ_FILES = \
lib/ldb/common/ldb_modules.o \
lib/ldb/common/ldb_explode_dn.o
REQUIRED_SUBSYSTEMS = \
- LIBREPLACE LIBTALLOC
+ LIBREPLACE LIBTALLOC LDBSAMBA
NOPROTO = YES
#
# End SUBSYSTEM LIBLDB
@@ -103,7 +103,7 @@ OBJ_FILES = \
[SUBSYSTEM::LIBLDB_CMDLINE]
OBJ_FILES= \
lib/ldb/tools/cmdline.o
-REQUIRED_SUBSYSTEMS = LIBLDB LIBCMDLINE LIBBASIC LDBSAMBA
+REQUIRED_SUBSYSTEMS = LIBLDB LIBCMDLINE LIBBASIC
# End SUBSYSTEM LIBLDB_CMDLINE
################################################
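Review bot: Adding LDBSAMBA to LIBLDB's REQUIRED_SUBSYSTEMS makes the generic ldb library depend on the Samba-specific handler module, while the only new caller of ldb_register_samba_handlers in this commit is db_wrap.c; if LDBSAMBA itself links against LIBLDB (not visible here) this introduces a cycle in the build graph. Consider listing LDBSAMBA on the subsystem that owns db_wrap.c instead, so LIBLDB and the ldb tools stay standalone.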
diff --git a/source4/lib/ldb/samba/ldif_handlers.c b/source4/lib/ldb/samba/ldif_handlers.c
index 7252d081f1..17a45df78d 100644
--- a/source4/lib/ldb/samba/ldif_handlers.c
+++ b/source4/lib/ldb/samba/ldif_handlers.c
@@ -85,11 +85,5 @@ static const struct ldb_ldif_handler samba_handlers[] = {
*/
int ldb_register_samba_handlers(struct ldb_context *ldb)
{
-#if 0
- /* we can't enable this until we fix the sam code to handle
- non-string elements */
return ldb_ldif_add_handlers(ldb, samba_handlers, ARRAY_SIZE(samba_handlers));
-#else
- return 0;
-#endif
}
diff --git a/source4/libcli/ldap/ldap_ndr.c b/source4/libcli/ldap/ldap_ndr.c
index 88ca1ece77..f490b9983d 100644
--- a/source4/libcli/ldap/ldap_ndr.c
+++ b/source4/libcli/ldap/ldap_ndr.c
@@ -41,7 +41,7 @@ const char *ldap_encode_ndr_uint32(TALLOC_CTX *mem_ctx, uint32_t value)
/*
encode a NDR dom_sid as a ldap filter element
*/
-const char *ldap_encode_ndr_dom_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid)
+const char *ldap_encode_ndr_dom_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
{
DATA_BLOB blob;
NTSTATUS status;
diff --git a/source4/ntvfs/common/sidmap.c b/source4/ntvfs/common/sidmap.c
index a39ee2f0eb..b29f197b34 100644
--- a/source4/ntvfs/common/sidmap.c
+++ b/source4/ntvfs/common/sidmap.c
@@ -97,26 +97,18 @@ static NTSTATUS sidmap_primary_domain_sid(struct sidmap_context *sidmap,
TALLOC_CTX *mem_ctx, struct dom_sid **sid)
{
const char *attrs[] = { "objectSid", NULL };
- void *ctx = talloc_new(mem_ctx);
- const char *sidstr;
int ret;
- struct ldb_message **res;
+ struct ldb_message **res = NULL;
- ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs,
+ ret = gendb_search(sidmap->samctx, mem_ctx, NULL, &res, attrs,
"(&(objectClass=domain)(name=%s))", lp_workgroup());
if (ret != 1) {
- talloc_free(ctx);
+ talloc_free(res);
return NT_STATUS_NO_SUCH_DOMAIN;
}
- sidstr = samdb_result_string(res[0], "objectSid", NULL);
- if (sidstr == NULL) {
- talloc_free(ctx);
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- *sid = dom_sid_parse_talloc(mem_ctx, sidstr);
- talloc_free(ctx);
+ *sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid");
+ talloc_free(res);
if (*sid == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -137,26 +129,21 @@ NTSTATUS sidmap_sid_to_unixuid(struct sidmap_context *sidmap,
const char *s;
void *ctx;
struct ldb_message **res;
- const char *sidstr;
struct dom_sid *domain_sid;
NTSTATUS status;
ctx = talloc_new(sidmap);
- sidstr = dom_sid_string(ctx, sid);
- if (sidstr == NULL) {
- talloc_free(ctx);
- return NT_STATUS_NO_MEMORY;
- }
ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs,
- "objectSid=%s", sidstr);
+ "objectSid=%s", ldap_encode_ndr_dom_sid(ctx, sid));
if (ret != 1) {
goto allocated_sid;
}
/* make sure its a user, not a group */
if (!is_user_account(res[0])) {
- DEBUG(0,("sid_to_unixuid: sid %s is not an account!\n", sidstr));
+ DEBUG(0,("sid_to_unixuid: sid %s is not an account!\n",
+ dom_sid_string(ctx, sid)));
talloc_free(ctx);
return NT_STATUS_INVALID_SID;
}
@@ -174,7 +161,7 @@ NTSTATUS sidmap_sid_to_unixuid(struct sidmap_context *sidmap,
if (s != NULL) {
struct passwd *pwd = getpwnam(s);
if (!pwd) {
- DEBUG(0,("unixName %s for sid %s does not exist as a local user\n", s, sidstr));
+ DEBUG(0,("unixName %s for sid %s does not exist as a local user\n", s, dom_sid_string(ctx, sid)));
talloc_free(ctx);
return NT_STATUS_NO_SUCH_USER;
}
@@ -188,7 +175,8 @@ NTSTATUS sidmap_sid_to_unixuid(struct sidmap_context *sidmap,
if (s != NULL) {
struct passwd *pwd = getpwnam(s);
if (!pwd) {
- DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local user\n", s, sidstr));
+ DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local user\n",
+ s, dom_sid_string(ctx, sid)));
talloc_free(ctx);
return NT_STATUS_NO_SUCH_USER;
}
@@ -217,7 +205,7 @@ allocated_sid:
DEBUG(0,("sid_to_unixuid: no unixID, unixName or sAMAccountName for sid %s\n",
- sidstr));
+ dom_sid_string(ctx, sid)));
talloc_free(ctx);
return NT_STATUS_INVALID_SID;
@@ -236,26 +224,21 @@ NTSTATUS sidmap_sid_to_unixgid(struct sidmap_context *sidmap,
const char *s;
void *ctx;
struct ldb_message **res;
- const char *sidstr;
NTSTATUS status;
struct dom_sid *domain_sid;
ctx = talloc_new(sidmap);
- sidstr = dom_sid_string(ctx, sid);
- if (sidstr == NULL) {
- talloc_free(ctx);
- return NT_STATUS_NO_MEMORY;
- }
ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs,
- "objectSid=%s", sidstr);
+ "objectSid=%s", ldap_encode_ndr_dom_sid(ctx, sid));
if (ret != 1) {
goto allocated_sid;
}
/* make sure its not a user */
if (!is_group_account(res[0])) {
- DEBUG(0,("sid_to_unixgid: sid %s is a ATYPE_NORMAL_ACCOUNT\n", sidstr));
+ DEBUG(0,("sid_to_unixgid: sid %s is a ATYPE_NORMAL_ACCOUNT\n",
+ dom_sid_string(ctx, sid)));
talloc_free(ctx);
return NT_STATUS_INVALID_SID;
}
@@ -274,7 +257,7 @@ NTSTATUS sidmap_sid_to_unixgid(struct sidmap_context *sidmap,
struct group *grp = getgrnam(s);
if (!grp) {
DEBUG(0,("unixName '%s' for sid %s does not exist as a local group\n",
- s, sidstr));
+ s, dom_sid_string(ctx, sid)));
talloc_free(ctx);
return NT_STATUS_NO_SUCH_USER;
}
@@ -288,7 +271,7 @@ NTSTATUS sidmap_sid_to_unixgid(struct sidmap_context *sidmap,
if (s != NULL) {
struct group *grp = getgrnam(s);
if (!grp) {
- DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local group\n", s, sidstr));
+ DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local group\n", s, dom_sid_string(ctx, sid)));
talloc_free(ctx);
return NT_STATUS_NO_SUCH_USER;
}
@@ -314,7 +297,7 @@ allocated_sid:
}
DEBUG(0,("sid_to_unixgid: no unixID, unixName or sAMAccountName for sid %s\n",
- sidstr));
+ dom_sid_string(ctx, sid)));
talloc_free(ctx);
return NT_STATUS_INVALID_SID;
@@ -363,18 +346,11 @@ NTSTATUS sidmap_uid_to_sid(struct sidmap_context *sidmap,
ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs,
"unixID=%u", (unsigned int)uid);
for (i=0;i<ret;i++) {
- const char *sidstr;
-
if (!is_user_account(res[i])) continue;
- sidstr = samdb_result_string(res[i], "objectSid", NULL);
- if (sidstr == NULL) continue;
-
- *sid = dom_sid_parse_talloc(mem_ctx, sidstr);
+ *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
talloc_free(ctx);
- if (*sid == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ NT_STATUS_HAVE_NO_MEMORY(*sid);
return NT_STATUS_OK;
}
@@ -391,18 +367,11 @@ NTSTATUS sidmap_uid_to_sid(struct sidmap_context *sidmap,
"(|(unixName=%s)(sAMAccountName=%s))",
pwd->pw_name, pwd->pw_name);
for (i=0;i<ret;i++) {
- const char *sidstr;
-
if (!is_user_account(res[i])) continue;
- sidstr = samdb_result_string(res[i], "objectSid", NULL);
- if (sidstr == NULL) continue;
-
- *sid = dom_sid_parse_talloc(mem_ctx, sidstr);
+ *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
talloc_free(ctx);
- if (*sid == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ NT_STATUS_HAVE_NO_MEMORY(*sid);
return NT_STATUS_OK;
}
@@ -475,18 +444,11 @@ NTSTATUS sidmap_gid_to_sid(struct sidmap_context *sidmap,
ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs,
"unixID=%u", (unsigned int)gid);
for (i=0;i<ret;i++) {
- const char *sidstr;
-
if (!is_group_account(res[i])) continue;
- sidstr = samdb_result_string(res[i], "objectSid", NULL);
- if (sidstr == NULL) continue;
-
- *sid = dom_sid_parse_talloc(mem_ctx, sidstr);
+ *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
talloc_free(ctx);
- if (*sid == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ NT_STATUS_HAVE_NO_MEMORY(*sid);
return NT_STATUS_OK;
}
@@ -503,18 +465,11 @@ NTSTATUS sidmap_gid_to_sid(struct sidmap_context *sidmap,
"(|(unixName=%s)(sAMAccountName=%s))",
grp->gr_name, grp->gr_name);
for (i=0;i<ret;i++) {
- const char *sidstr;
-
if (!is_group_account(res[i])) continue;
- sidstr = samdb_result_string(res[i], "objectSid", NULL);
- if (sidstr == NULL) continue;
-
- *sid = dom_sid_parse_talloc(mem_ctx, sidstr);
+ *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
talloc_free(ctx);
- if (*sid == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ NT_STATUS_HAVE_NO_MEMORY(*sid);
return NT_STATUS_OK;
}
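Review bot: In the four `for (i=0;i<ret;i++)` loops of sidmap_uid_to_sid and sidmap_gid_to_sid the removed code did `continue` when a record had no objectSid, but the new `*sid = samdb_result_dom_sid(...)` followed by `NT_STATUS_HAVE_NO_MEMORY(*sid);` turns a missing attribute, or a blob ndr_pull rejects, into NT_STATUS_NO_MEMORY and aborts the lookup, since samdb_result_dom_sid returns NULL for all three cases. Either keep the skip with `if (*sid == NULL) continue;` placed before the `talloc_free(ctx);`, or return a status that names the database problem rather than an allocation failure. The same NULL-means-OOM reading is used in lsa_EnumAccounts and lsa_EnumAccountsWithUserRight in dcesrv_lsa.c. Both functions start before their hunks.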
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index b3de4e4ba1..726c82364b 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -65,7 +65,6 @@ struct lsa_account_state {
struct lsa_policy_state *policy;
uint32_t access_mask;
struct dom_sid *account_sid;
- const char *account_sid_str;
const char *account_dn;
};
@@ -221,7 +220,6 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
struct lsa_policy_state **_state)
{
struct lsa_policy_state *state;
- const char *sid_str;
state = talloc(mem_ctx, struct lsa_policy_state);
if (!state) {
@@ -266,13 +264,8 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
return NT_STATUS_NO_SUCH_DOMAIN;
}
- sid_str = samdb_search_string(state->sam_ldb, mem_ctx,
- state->domain_dn, "objectSid", NULL);
- if (!sid_str) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- state->domain_sid = dom_sid_parse_talloc(state, sid_str);
+ state->domain_sid = samdb_search_dom_sid(state->sam_ldb, state,
+ state->domain_dn, "objectSid", NULL);
if (!state->domain_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
@@ -519,16 +512,11 @@ static NTSTATUS lsa_EnumAccounts(struct dcesrv_call_state *dce_call, TALLOC_CTX
}
for (i=0;i<count;i++) {
- const char *sidstr;
-
- sidstr = samdb_result_string(res[i + *r->in.resume_handle], "objectSid", NULL);
- if (sidstr == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- r->out.sids->sids[i].sid = dom_sid_parse_talloc(r->out.sids->sids, sidstr);
- if (r->out.sids->sids[i].sid == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ r->out.sids->sids[i].sid =
+ samdb_result_dom_sid(r->out.sids->sids,
+ res[i + *r->in.resume_handle],
+ "objectSid");
+ NT_STATUS_HAVE_NO_MEMORY(r->out.sids->sids[i].sid);
}
r->out.sids->num_sids = count;
@@ -1104,7 +1092,7 @@ static NTSTATUS lsa_lookup_sid(struct lsa_policy_state *state, TALLOC_CTX *mem_c
NTSTATUS status;
ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs,
- "objectSid=%s", sid_str);
+ "objectSid=%s", ldap_encode_ndr_dom_sid(mem_ctx, sid));
if (ret == 1) {
*name = ldb_msg_find_string(res[0], "sAMAccountName", NULL);
if (!*name) {
@@ -1315,17 +1303,13 @@ static NTSTATUS lsa_OpenAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *
return NT_STATUS_NO_MEMORY;
}
- astate->account_sid_str = dom_sid_string(astate, astate->account_sid);
- if (astate->account_sid_str == NULL) {
- talloc_free(astate);
- return NT_STATUS_NO_MEMORY;
- }
-
/* check it really exists */
- astate->account_dn = samdb_search_string(state->sam_ldb, astate,
- NULL, "dn",
- "(&(objectSid=%s)(objectClass=group))",
- astate->account_sid_str);
+ astate->account_dn =
+ samdb_search_string(state->sam_ldb, astate,
+ NULL, "dn",
+ "(&(objectSid=%s)(objectClass=group))",
+ ldap_encode_ndr_dom_sid(mem_ctx,
+ astate->account_sid));
if (astate->account_dn == NULL) {
talloc_free(astate);
return NT_STATUS_NO_SUCH_USER;
@@ -1422,7 +1406,7 @@ static NTSTATUS lsa_EnumAccountRights(struct dcesrv_call_state *dce_call,
state = h->data;
- sidstr = dom_sid_string(mem_ctx, r->in.sid);
+ sidstr = ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid);
if (sidstr == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1471,7 +1455,7 @@ static NTSTATUS lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_call,
const char *dn;
struct lsa_EnumAccountRights r2;
- sidstr = dom_sid_string(mem_ctx, sid);
+ sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
if (sidstr == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -2348,16 +2332,9 @@ static NTSTATUS lsa_EnumAccountsWithUserRight(struct dcesrv_call_state *dce_call
return NT_STATUS_NO_MEMORY;
}
for (i=0;i<ret;i++) {
- const char *sidstr;
- sidstr = samdb_result_string(res[i], "objectSid", NULL);
- if (sidstr == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- r->out.sids->sids[i].sid = dom_sid_parse_talloc(r->out.sids->sids,
- sidstr);
- if (r->out.sids->sids[i].sid == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ r->out.sids->sids[i].sid = samdb_result_dom_sid(r->out.sids->sids,
+ res[i], "objectSid");
+ NT_STATUS_HAVE_NO_MEMORY(r->out.sids->sids[i].sid);
}
r->out.sids->num_sids = ret;
@@ -2540,12 +2517,7 @@ static NTSTATUS lsa_lookup_name(struct lsa_policy_state *state, TALLOC_CTX *mem_
ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs, "sAMAccountName=%s", name);
if (ret == 1) {
- const char *sid_str = ldb_msg_find_string(res[0], "objectSid", NULL);
- if (sid_str == NULL) {
- return NT_STATUS_INVALID_SID;
- }
-
- *sid = dom_sid_parse_talloc(mem_ctx, sid_str);
+ *sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid");
if (*sid == NULL) {
return NT_STATUS_INVALID_SID;
}
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index bd20deedb9..4dd8312df5 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -313,7 +313,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
struct ldb_message **msgs_domain;
NTSTATUS nt_status;
struct ldb_message *mod;
- const char *domain_sid;
+ struct dom_sid *domain_sid;
const char *attrs[] = {"objectSid", NULL };
@@ -356,20 +356,20 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL,
&msgs_domain, domain_attrs,
"(&(objectSid=%s)(objectclass=domain))",
- domain_sid);
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
if (num_records_domain == -1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (num_records_domain == 0) {
DEBUG(3,("Couldn't find domain [%s] in samdb.\n",
- domain_sid));
+ dom_sid_string(mem_ctx, domain_sid)));
return NT_STATUS_NO_SUCH_USER;
}
if (num_records_domain > 1) {
DEBUG(0,("Found %d records matching domain [%s]\n",
- num_records_domain, domain_sid));
+ num_records_domain, dom_sid_string(mem_ctx, domain_sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -1036,7 +1036,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL
struct ldb_message **msgs_domain;
NTSTATUS nt_status;
struct ldb_message *mod;
- const char *domain_sid;
+ struct dom_sid *domain_sid;
char new_pass[512];
uint32_t new_pass_len;
@@ -1083,20 +1083,21 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL
num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL,
&msgs_domain, domain_attrs,
"(&(objectSid=%s)(objectclass=domain))",
- domain_sid);
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
if (num_records_domain == -1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (num_records_domain == 0) {
DEBUG(3,("Couldn't find domain [%s] in samdb.\n",
- domain_sid));
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)));
return NT_STATUS_NO_SUCH_USER;
}
if (num_records_domain > 1) {
DEBUG(0,("Found %d records matching domain [%s]\n",
- num_records_domain, domain_sid));
+ num_records_domain,
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
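Review bot: The two DEBUG calls in netr_ServerPasswordSet2 (the last hunk) format the domain SID with `ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)`, which yields the escaped NDR filter form rather than a readable SID, while the parallel messages in netr_ServerPasswordSet earlier in this section use `dom_sid_string(mem_ctx, domain_sid)`. Logs from the two code paths would show the same domain in two notations, and the filter-encoded one is not what an operator searching the log for an S- form SID will find. Use `dom_sid_string(mem_ctx, domain_sid)` in both messages here, as in the first function.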
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 337c300203..cce446533d 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -160,8 +160,7 @@ static NTSTATUS samr_LookupDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX
{
struct samr_connect_state *c_state;
struct dcesrv_handle *h;
- struct dom_sid2 *sid;
- const char *sidstr;
+ struct dom_sid *sid;
r->out.sid = NULL;
@@ -173,19 +172,12 @@ static NTSTATUS samr_LookupDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX
return NT_STATUS_INVALID_PARAMETER;
}
- sidstr = samdb_search_string(c_state->sam_ctx,
- mem_ctx, NULL, "objectSid",
- "(&(name=%s)(objectclass=domain))",
- r->in.domain_name->string);
- if (sidstr == NULL) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- sid = dom_sid_parse_talloc(mem_ctx, sidstr);
+ sid = samdb_search_dom_sid(c_state->sam_ctx,
+ mem_ctx, NULL, "objectSid",
+ "(&(name=%s)(objectclass=domain))",
+ r->in.domain_name->string);
if (sid == NULL) {
- DEBUG(0,("samdb: Invalid sid '%s' for domain %s\n",
- sidstr, r->in.domain_name->string));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ return NT_STATUS_NO_SUCH_DOMAIN;
}
r->out.sid = sid;
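Review bot: The new error path folds the "objectSid present but not decodable" case into NT_STATUS_NO_SUCH_DOMAIN and drops the DEBUG(0) line, so a corrupt domain record is now indistinguishable in the logs from a domain that simply does not exist (unless samdb_search_dom_sid() logs the NDR pull failure itself, which is not visible here). A one-line `DEBUG(3,("samdb: no sid found for domain %s\n", r->in.domain_name->string));` before the return keeps that visible. Separately, the client-supplied domain name is re-added here as a bare `%s` in the filter; unless samdb_search_dom_sid() escapes its arguments, a name containing filter metacharacters can select a different entry than intended, so it should be escaped or rejected before the search (the pattern predates this commit, but the call is rewritten here).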
@@ -266,7 +258,7 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *
struct samr_OpenDomain *r)
{
struct dcesrv_handle *h_conn, *h_domain;
- const char *sidstr, *domain_name;
+ const char *domain_name;
struct samr_connect_state *c_state;
struct samr_domain_state *d_state;
const char * const attrs[2] = { "name", NULL};
@@ -283,15 +275,10 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *
return NT_STATUS_INVALID_PARAMETER;
}
- sidstr = dom_sid_string(mem_ctx, r->in.sid);
- if (sidstr == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
ret = gendb_search(c_state->sam_ctx,
mem_ctx, NULL, &msgs, attrs,
"(&(objectSid=%s)(objectclass=domain))",
- sidstr);
+ ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
if (ret != 1) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
@@ -308,7 +295,7 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *
d_state->connect_state = talloc_reference(d_state, c_state);
d_state->sam_ctx = c_state->sam_ctx;
- d_state->domain_sid = talloc_strdup(d_state, sidstr);
+ d_state->domain_sid = dom_sid_dup(d_state, r->in.sid);
d_state->domain_name = talloc_strdup(d_state, domain_name);
d_state->domain_dn = talloc_strdup(d_state, msgs[0]->dn);
if (!d_state->domain_sid || !d_state->domain_name || !d_state->domain_dn) {
@@ -470,7 +457,7 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO
const char *name;
struct ldb_message *msg;
struct dom_sid *sid;
- const char *groupname, *sidstr;
+ const char *groupname;
struct dcesrv_handle *g_handle;
int ret;
@@ -526,10 +513,10 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msg->dn);
- /* retrieve the sidstring for the group just created */
- sidstr = samdb_search_string(d_state->sam_ctx, a_state,
- msg->dn, "objectSid", NULL);
- if (sidstr == NULL) {
+ /* retrieve the sid for the group just created */
+ sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
+ msg->dn, "objectSid", NULL);
+ if (sid == NULL) {
return NT_STATUS_UNSUCCESSFUL;
}
@@ -547,11 +534,6 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO
g_handle->data = talloc_steal(g_handle, a_state);
*r->out.group_handle = g_handle->wire_handle;
-
- sid = dom_sid_parse_talloc(mem_ctx, sidstr);
- if (!sid)
- return NT_STATUS_UNSUCCESSFUL;
-
*r->out.rid = sid->sub_auths[sid->num_auths-1];
return NT_STATUS_OK;
@@ -578,7 +560,6 @@ static NTSTATUS samr_EnumDomainGroups(struct dcesrv_call_state *dce_call, TALLOC
int ldb_cnt, count, i, first;
struct samr_SamEntry *entries;
const char * const attrs[3] = { "objectSid", "sAMAccountName", NULL };
- struct dom_sid *domain_sid;
*r->out.resume_handle = 0;
r->out.sam = NULL;
@@ -588,15 +569,11 @@ static NTSTATUS samr_EnumDomainGroups(struct dcesrv_call_state *dce_call, TALLOC
d_state = h->data;
- domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid);
- if (domain_sid == NULL)
- return NT_STATUS_NO_MEMORY;
-
/* search for all domain groups in this domain. This could possibly be
cached and resumed based on resume_key */
ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx,
d_state->domain_dn, &res, attrs,
- domain_sid,
+ d_state->domain_sid,
"(&(grouptype=%s)(objectclass=group))",
ldb_hexstr(mem_ctx,
GTYPE_SECURITY_GLOBAL_GROUP));
@@ -680,7 +657,7 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
const char *name;
struct ldb_message *msg;
struct dom_sid *sid;
- const char *account_name, *sidstr;
+ const char *account_name;
struct dcesrv_handle *u_handle;
int ret;
const char *container, *class=NULL;
@@ -756,10 +733,10 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msg->dn);
- /* retrieve the sidstring for the group just created */
- sidstr = samdb_search_string(d_state->sam_ctx, a_state,
+ /* retrieve the sid for the group just created */
+ sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
msg->dn, "objectSid", NULL);
- if (sidstr == NULL) {
+ if (sid == NULL) {
return NT_STATUS_UNSUCCESSFUL;
}
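Review bot: The rewritten comment at the top of this hunk still says `group just created` although the function is samr_CreateUser2 and the record looked up is the user just added; `/* retrieve the sid for the user just created */` would match the code. The samr_CreateDomAlias hunk further down got the equivalent wording fix ("alias"), so this one looks like a leftover from copying the group version. samr_CreateUser2 starts before this hunk and continues past it.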
@@ -779,10 +756,6 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
*r->out.user_handle = u_handle->wire_handle;
*r->out.access_granted = 0xf07ff; /* TODO: fix access mask calculations */
- sid = dom_sid_parse_talloc(mem_ctx, sidstr);
- if (!sid)
- return NT_STATUS_UNSUCCESSFUL;
-
*r->out.rid = sid->sub_auths[sid->num_auths-1];
return NT_STATUS_OK;
@@ -898,7 +871,7 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
struct samr_domain_state *d_state;
struct samr_account_state *a_state;
struct dcesrv_handle *h;
- const char *alias_name, *name, *sidstr;
+ const char *alias_name, *name;
struct ldb_message *msg;
struct dom_sid *sid;
struct dcesrv_handle *a_handle;
@@ -960,12 +933,9 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msg->dn);
- /* retrieve the sidstring for the group just created */
- sidstr = samdb_search_string(d_state->sam_ctx, a_state,
+ /* retrieve the sid for the alias just created */
+ sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
msg->dn, "objectSid", NULL);
- if (sidstr == NULL) {
- return NT_STATUS_UNSUCCESSFUL;
- }
a_state->account_name = talloc_strdup(a_state, alias_name);
if (!a_state->account_name) {
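Review bot: The NULL check on the lookup result is lost in this hunk: the old `if (sidstr == NULL) return NT_STATUS_UNSUCCESSFUL;` is removed together with the string path, the new `sid = samdb_search_dom_sid(...)` gets no replacement check, and the `@@ -981,10 +951,6 @@` hunk below also deletes the later `if (!sid)` guard, so `*r->out.rid = sid->sub_auths[sid->num_auths-1]` dereferences NULL whenever the freshly added alias cannot be read back. The parallel hunks in samr_CreateDomainGroup and samr_CreateUser2 keep `if (sid == NULL) { return NT_STATUS_UNSUCCESSFUL; }` directly after the search; the same three lines belong after the samdb_search_dom_sid() call here. samr_CreateDomAlias starts before this hunk and its body continues past it.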
@@ -981,10 +951,6 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
*r->out.alias_handle = a_handle->wire_handle;
- sid = dom_sid_parse_talloc(mem_ctx, sidstr);
- if (!sid)
- return NT_STATUS_UNSUCCESSFUL;
-
*r->out.rid = sid->sub_auths[sid->num_auths-1];
return NT_STATUS_OK;
@@ -1003,7 +969,6 @@ static NTSTATUS samr_EnumDomainAliases(struct dcesrv_call_state *dce_call, TALLO
int ldb_cnt, count, i, first;
struct samr_SamEntry *entries;
const char * const attrs[3] = { "objectSid", "sAMAccountName", NULL };
- struct dom_sid *domain_sid;
*r->out.resume_handle = 0;
r->out.sam = NULL;
@@ -1013,15 +978,12 @@ static NTSTATUS samr_EnumDomainAliases(struct dcesrv_call_state *dce_call, TALLO
d_state = h->data;
- domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid);
- if (domain_sid == NULL)
- return NT_STATUS_NO_MEMORY;
-
/* search for all domain groups in this domain. This could possibly be
cached and resumed based on resume_key */
ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx,
d_state->domain_dn,
- &res, attrs, domain_sid,
+ &res, attrs,
+ d_state->domain_sid,
"(&(|(grouptype=%s)(grouptype=%s)))"
"(objectclass=group))",
ldb_hexstr(mem_ctx,
@@ -1102,7 +1064,6 @@ static NTSTATUS samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALL
struct dcesrv_handle *h;
struct samr_domain_state *d_state;
struct ldb_message **res;
- struct dom_sid *domain_sid;
int i, count = 0;
DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN);
@@ -1124,17 +1085,14 @@ static NTSTATUS samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALL
return NT_STATUS_NO_MEMORY;
for (i=0; i<r->in.sids->num_sids; i++) {
- const char *sidstr, *memberdn;
+ const char *memberdn;
- sidstr = dom_sid_string(mem_ctx,
- r->in.sids->sids[i].sid);
- if (sidstr == NULL)
- return NT_STATUS_NO_MEMORY;
-
- memberdn = samdb_search_string(d_state->sam_ctx,
- mem_ctx, NULL, "dn",
- "(objectSid=%s)",
- sidstr);
+ memberdn =
+ samdb_search_string(d_state->sam_ctx,
+ mem_ctx, NULL, "dn",
+ "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx,
+ r->in.sids->sids[i].sid));
if (memberdn == NULL)
continue;
@@ -1145,14 +1103,9 @@ static NTSTATUS samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALL
return NT_STATUS_NO_MEMORY;
}
- domain_sid = dom_sid_parse_talloc(mem_ctx,
- d_state->domain_sid);
- if (domain_sid == NULL)
- return NT_STATUS_NO_MEMORY;
-
count = samdb_search_domain(d_state->sam_ctx, mem_ctx,
d_state->domain_dn, &res, attrs,
- domain_sid, "%s))", filter);
+ d_state->domain_sid, "%s))", filter);
if (count < 0)
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -1215,8 +1168,7 @@ static NTSTATUS samr_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX
for (i=0;i<r->in.num_names;i++) {
struct ldb_message **res;
- struct dom_sid2 *sid;
- const char *sidstr;
+ struct dom_sid *sid;
uint32_t atype, rtype;
r->out.rids.ids[i] = 0;
@@ -1229,18 +1181,12 @@ static NTSTATUS samr_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX
continue;
}
- sidstr = samdb_result_string(res[0], "objectSid", NULL);
- if (sidstr == NULL) {
- status = STATUS_SOME_UNMAPPED;
- continue;
- }
-
- sid = dom_sid_parse_talloc(mem_ctx, sidstr);
+ sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid");
if (sid == NULL) {
status = STATUS_SOME_UNMAPPED;
continue;
}
-
+
atype = samdb_result_uint(res[0], "sAMAccountType", 0);
if (atype == 0) {
status = STATUS_SOME_UNMAPPED;
@@ -1300,13 +1246,21 @@ static NTSTATUS samr_LookupRids(struct dcesrv_call_state *dce_call, TALLOC_CTX *
const char * const attrs[] = { "sAMAccountType",
"sAMAccountName", NULL };
uint32_t atype;
+ struct dom_sid *sid;
ids[i] = SID_NAME_UNKNOWN;
+ sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rids[i]);
+ if (sid == NULL) {
+ names[i].string = NULL;
+ status = STATUS_SOME_UNMAPPED;
+ continue;
+ }
+
count = gendb_search(d_state->sam_ctx, mem_ctx,
d_state->domain_dn, &res, attrs,
- "(objectSid=%s-%u)", d_state->domain_sid,
- r->in.rids[i]);
+ "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, sid));
if (count != 1) {
names[i].string = NULL;
status = STATUS_SOME_UNMAPPED;
@@ -1349,7 +1303,8 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
struct samr_domain_state *d_state;
struct samr_account_state *a_state;
struct dcesrv_handle *h;
- const char *groupname, *sidstr;
+ const char *groupname;
+ struct dom_sid *sid;
struct ldb_message **msgs;
struct dcesrv_handle *g_handle;
const char * const attrs[2] = { "sAMAccountName", NULL };
@@ -1362,8 +1317,8 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
d_state = h->data;
/* form the group SID */
- sidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, r->in.rid);
- if (!sidstr) {
+ sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
+ if (!sid) {
return NT_STATUS_NO_MEMORY;
}
@@ -1372,19 +1327,22 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
mem_ctx, d_state->domain_dn, &msgs, attrs,
"(&(objectSid=%s)(objectclass=group)"
"(grouptype=%s))",
- sidstr, ldb_hexstr(mem_ctx,
- GTYPE_SECURITY_GLOBAL_GROUP));
+ ldap_encode_ndr_dom_sid(mem_ctx, sid),
+ ldb_hexstr(mem_ctx,
+ GTYPE_SECURITY_GLOBAL_GROUP));
if (ret == 0) {
return NT_STATUS_NO_SUCH_GROUP;
}
if (ret != 1) {
- DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr));
+ DEBUG(0,("Found %d records matching sid %s\n",
+ ret, dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
groupname = samdb_result_string(msgs[0], "sAMAccountName", NULL);
if (groupname == NULL) {
- DEBUG(0,("sAMAccountName field missing for sid %s\n", sidstr));
+ DEBUG(0,("sAMAccountName field missing for sid %s\n",
+ dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -1396,7 +1354,7 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
a_state->access_mask = r->in.access_mask;
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msgs[0]->dn);
- a_state->account_sid = talloc_steal(a_state, sidstr);
+ a_state->account_sid = talloc_steal(a_state, sid);
a_state->account_name = talloc_strdup(a_state, groupname);
if (!a_state->account_name) {
return NT_STATUS_NO_MEMORY;
@@ -1586,7 +1544,7 @@ static NTSTATUS samr_AddGroupMember(struct dcesrv_call_state *dce_call, TALLOC_C
struct samr_account_state *a_state;
struct samr_domain_state *d_state;
struct ldb_message *mod;
- char *membersidstr;
+ struct dom_sid *membersid;
const char *memberdn;
struct ldb_message **msgs;
const char * const attrs[2] = { "dn", NULL };
@@ -1597,16 +1555,15 @@ static NTSTATUS samr_AddGroupMember(struct dcesrv_call_state *dce_call, TALLOC_C
a_state = h->data;
d_state = a_state->domain_state;
- membersidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid,
- r->in.rid);
- if (membersidstr == NULL)
+ membersid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
+ if (membersid == NULL)
return NT_STATUS_NO_MEMORY;
/* In native mode, AD can also nest domain groups. Not sure yet
* whether this is also available via RPC. */
ret = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn,
&msgs, attrs, "(&(objectSid=%s)(objectclass=user))",
- membersidstr);
+ ldap_encode_ndr_dom_sid(mem_ctx, membersid));
if (ret == 0)
return NT_STATUS_NO_SUCH_USER;
@@ -1674,7 +1631,7 @@ static NTSTATUS samr_DeleteGroupMember(struct dcesrv_call_state *dce_call, TALLO
struct samr_account_state *a_state;
struct samr_domain_state *d_state;
struct ldb_message *mod;
- char *membersidstr;
+ struct dom_sid *membersid;
const char *memberdn;
struct ldb_message **msgs;
const char * const attrs[2] = { "dn", NULL };
@@ -1685,16 +1642,15 @@ static NTSTATUS samr_DeleteGroupMember(struct dcesrv_call_state *dce_call, TALLO
a_state = h->data;
d_state = a_state->domain_state;
- membersidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid,
- r->in.rid);
- if (membersidstr == NULL)
+ membersid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
+ if (membersid == NULL)
return NT_STATUS_NO_MEMORY;
/* In native mode, AD can also nest domain groups. Not sure yet
* whether this is also available via RPC. */
ret = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn,
&msgs, attrs, "(&(objectSid=%s)(objectclass=user))",
- membersidstr);
+ ldap_encode_ndr_dom_sid(mem_ctx, membersid));
if (ret == 0)
return NT_STATUS_NO_SUCH_USER;
@@ -1820,7 +1776,8 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
struct samr_domain_state *d_state;
struct samr_account_state *a_state;
struct dcesrv_handle *h;
- const char *alias_name, *sidstr;
+ const char *alias_name;
+ struct dom_sid *sid;
struct ldb_message **msgs;
struct dcesrv_handle *g_handle;
const char * const attrs[2] = { "sAMAccountName", NULL };
@@ -1833,9 +1790,8 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
d_state = h->data;
/* form the alias SID */
- sidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid,
- r->in.rid);
- if (sidstr == NULL)
+ sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
+ if (sid == NULL)
return NT_STATUS_NO_MEMORY;
/* search for the group record */
@@ -1843,7 +1799,7 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
mem_ctx, d_state->domain_dn, &msgs, attrs,
"(&(objectSid=%s)(objectclass=group)"
"(|(grouptype=%s)(grouptype=%s)))",
- sidstr,
+ ldap_encode_ndr_dom_sid(mem_ctx, sid),
ldb_hexstr(mem_ctx,
GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
ldb_hexstr(mem_ctx,
@@ -1852,13 +1808,15 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
return NT_STATUS_NO_SUCH_ALIAS;
}
if (ret != 1) {
- DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr));
+ DEBUG(0,("Found %d records matching sid %s\n",
+ ret, dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
alias_name = samdb_result_string(msgs[0], "sAMAccountName", NULL);
if (alias_name == NULL) {
- DEBUG(0,("sAMAccountName field missing for sid %s\n", sidstr));
+ DEBUG(0,("sAMAccountName field missing for sid %s\n",
+ dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -1870,7 +1828,7 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
a_state->access_mask = r->in.access_mask;
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msgs[0]->dn);
- a_state->account_sid = talloc_steal(a_state, sidstr);
+ a_state->account_sid = talloc_steal(a_state, sid);
a_state->account_name = talloc_strdup(a_state, alias_name);
if (!a_state->account_name) {
return NT_STATUS_NO_MEMORY;
@@ -2030,7 +1988,6 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C
struct dcesrv_handle *h;
struct samr_account_state *a_state;
struct samr_domain_state *d_state;
- const char *sidstr;
struct ldb_message *mod;
struct ldb_message **msgs;
const char * const attrs[2] = { "dn", NULL };
@@ -2042,28 +1999,27 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C
a_state = h->data;
d_state = a_state->domain_state;
- sidstr = dom_sid_string(mem_ctx, r->in.sid);
- if (sidstr == NULL)
- return NT_STATUS_INVALID_PARAMETER;
-
ret = gendb_search(d_state->sam_ctx, mem_ctx, NULL,
- &msgs, attrs, "(objectsid=%s)", sidstr);
+ &msgs, attrs, "(objectsid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
if (ret == 1) {
memberdn = ldb_msg_find_string(msgs[0], "dn", NULL);
} else if (ret > 1) {
- DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr));
+ DEBUG(0,("Found %d records matching sid %s\n",
+ ret, dom_sid_string(mem_ctx, r->in.sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
struct ldb_message *msg;
struct GUID guid;
- const char *guidstr, *basedn;
+ const char *guidstr, *basedn, *sidstr;
+
+ sidstr = dom_sid_string(mem_ctx, r->in.sid);
+ NT_STATUS_HAVE_NO_MEMORY(sidstr);
/* We might have to create a ForeignSecurityPrincipal, but
* only if it's not our own domain */
- if (dom_sid_in_domain(dom_sid_parse_talloc(mem_ctx,
- d_state->domain_sid),
- r->in.sid))
+ if (dom_sid_in_domain(d_state->domain_sid, r->in.sid))
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
msg = ldb_msg_new(mem_ctx);
@@ -2166,7 +2122,6 @@ static NTSTATUS samr_DeleteAliasMember(struct dcesrv_call_state *dce_call, TALLO
struct dcesrv_handle *h;
struct samr_account_state *a_state;
struct samr_domain_state *d_state;
- const char *sidstr;
struct ldb_message *mod;
const char *memberdn;
@@ -2175,12 +2130,9 @@ static NTSTATUS samr_DeleteAliasMember(struct dcesrv_call_state *dce_call, TALLO
a_state = h->data;
d_state = a_state->domain_state;
- sidstr = dom_sid_string(mem_ctx, r->in.sid);
- if (sidstr == NULL)
- return NT_STATUS_INVALID_PARAMETER;
-
memberdn = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
- "dn", "(objectSid=%s)", sidstr);
+ "dn", "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
if (memberdn == NULL)
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
@@ -2274,7 +2226,8 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me
struct samr_domain_state *d_state;
struct samr_account_state *a_state;
struct dcesrv_handle *h;
- const char *account_name, *sidstr;
+ const char *account_name;
+ struct dom_sid *sid;
struct ldb_message **msgs;
struct dcesrv_handle *u_handle;
const char * const attrs[2] = { "sAMAccountName", NULL };
@@ -2287,8 +2240,8 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me
d_state = h->data;
/* form the users SID */
- sidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, r->in.rid);
- if (!sidstr) {
+ sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
+ if (!sid) {
return NT_STATUS_NO_MEMORY;
}
@@ -2296,18 +2249,20 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me
ret = gendb_search(d_state->sam_ctx,
mem_ctx, d_state->domain_dn, &msgs, attrs,
"(&(objectSid=%s)(objectclass=user))",
- sidstr);
+ ldap_encode_ndr_dom_sid(mem_ctx, sid));
if (ret == 0) {
return NT_STATUS_NO_SUCH_USER;
}
if (ret != 1) {
- DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr));
+ DEBUG(0,("Found %d records matching sid %s\n", ret,
+ dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
account_name = samdb_result_string(msgs[0], "sAMAccountName", NULL);
if (account_name == NULL) {
- DEBUG(0,("sAMAccountName field missing for sid %s\n", sidstr));
+ DEBUG(0,("sAMAccountName field missing for sid %s\n",
+ dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -2319,7 +2274,7 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me
a_state->access_mask = r->in.access_mask;
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msgs[0]->dn);
- a_state->account_sid = talloc_steal(a_state, sidstr);
+ a_state->account_sid = talloc_steal(a_state, sid);
a_state->account_name = talloc_strdup(a_state, account_name);
if (!a_state->account_name) {
return NT_STATUS_NO_MEMORY;
@@ -2801,7 +2756,6 @@ static NTSTATUS samr_GetGroupsForUser(struct dcesrv_call_state *dce_call, TALLOC
struct samr_account_state *a_state;
struct samr_domain_state *d_state;
struct ldb_message **res;
- struct dom_sid *domain_sid;
const char * const attrs[2] = { "objectSid", NULL };
struct samr_RidWithTypeArray *array;
int count;
@@ -2810,12 +2764,9 @@ static NTSTATUS samr_GetGroupsForUser(struct dcesrv_call_state *dce_call, TALLOC
a_state = h->data;
d_state = a_state->domain_state;
- domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid);
- if (domain_sid == NULL)
- return NT_STATUS_NO_MEMORY;
count = samdb_search_domain(a_state->sam_ctx, mem_ctx, NULL, &res,
- attrs, domain_sid,
+ attrs, d_state->domain_sid,
"(&(member=%s)(grouptype=%s)(objectclass=group))",
a_state->account_dn,
ldb_hexstr(mem_ctx,
@@ -2873,7 +2824,6 @@ static NTSTATUS samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, TALLOC
int ldb_cnt, count, i;
const char * const attrs[4] = { "objectSid", "sAMAccountName",
"description", NULL };
- struct dom_sid *domain_sid;
struct samr_DispEntryFull *entriesFull = NULL;
struct samr_DispEntryAscii *entriesAscii = NULL;
struct samr_DispEntryGeneral * entriesGeneral = NULL;
@@ -2907,15 +2857,11 @@ static NTSTATUS samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, TALLOC
return NT_STATUS_INVALID_INFO_CLASS;
}
- domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid);
- if (domain_sid == NULL)
- return NT_STATUS_NO_MEMORY;
-
/* search for all requested objects in this domain. This could
possibly be cached and resumed based on resume_key */
ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx,
d_state->domain_dn, &res, attrs,
- domain_sid, "%s", filter);
+ d_state->domain_sid, "%s", filter);
if (ldb_cnt == -1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -3127,8 +3073,7 @@ static NTSTATUS samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce
{
struct dcesrv_handle *h;
struct samr_domain_state *d_state;
- struct dom_sid *domain_sid;
- const char *membersid, *memberdn;
+ const char *memberdn;
struct ldb_message **res;
const char * const attrs[3] = { "dn", "objectSid", NULL };
int i, count;
@@ -3137,13 +3082,9 @@ static NTSTATUS samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce
d_state = h->data;
- domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid);
- membersid = dom_sid_string(mem_ctx, r->in.sid);
- if ((domain_sid == NULL) || (membersid == NULL))
- return NT_STATUS_NO_MEMORY;
-
memberdn = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
- "dn", "(objectSid=%s)", membersid);
+ "dn", "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
if (memberdn == NULL)
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
@@ -3152,7 +3093,7 @@ static NTSTATUS samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce
count = samdb_search_domain(d_state->sam_ctx, mem_ctx,
d_state->domain_dn, &res, attrs,
- domain_sid,
+ d_state->domain_sid,
"(&(member=%s)(objectClass=group)"
"(|(groupType=%s)(groupType=%s)))",
memberdn,
diff --git a/source4/rpc_server/samr/dcesrv_samr.h b/source4/rpc_server/samr/dcesrv_samr.h
index 9e41937328..51e0869eef 100644
--- a/source4/rpc_server/samr/dcesrv_samr.h
+++ b/source4/rpc_server/samr/dcesrv_samr.h
@@ -47,7 +47,7 @@ struct samr_domain_state {
struct samr_connect_state *connect_state;
void *sam_ctx;
uint32_t access_mask;
- const char *domain_sid;
+ struct dom_sid *domain_sid;
const char *domain_name;
const char *domain_dn;
};
@@ -59,7 +59,7 @@ struct samr_account_state {
struct samr_domain_state *domain_state;
void *sam_ctx;
uint32_t access_mask;
- const char *account_sid;
+ struct dom_sid *account_sid;
const char *account_name;
const char *account_dn;
};
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 8fa261cf35..d251c02eca 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -147,11 +147,11 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
int ret;
struct ldb_message **res, *mod;
const char * const attrs[] = { "objectSid", "lmPwdHash", "unicodePwd", NULL };
- const char *domain_sid;
struct samr_Password *lm_pwd;
DATA_BLOB lm_pwd_blob;
uint8_t new_lm_hash[16];
struct samr_Password lm_verifier;
+ struct dom_sid *domain_sid;
if (pwbuf == NULL) {
return NT_STATUS_WRONG_PASSWORD;
@@ -211,7 +211,8 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
}
domain_dn = samdb_search_string(sam_ctx, mem_ctx, NULL, "dn",
- "(objectSid=%s)", domain_sid);
+ "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
if (!domain_dn) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
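Review bot: This hunk changes how domain_sid is consumed, but the statement that assigns it lies between the declaration hunk (`struct dom_sid *domain_sid;` at `@@ -147,11 +147,11 @@`) and this one and is not part of the diff, so it is worth confirming that the helper filling it now returns `struct dom_sid *`; with a helper still returning `const char *` the type change would only surface as an incompatible-pointer warning, and ldap_encode_ndr_dom_sid() would then encode a string buffer as if it were a SID. The same applies to the two samr_ChangePasswordUser3 hunks below. A small style point: the new declaration is appended after `lm_verifier` instead of taking the place of the removed `const char *domain_sid;`, which separates it from the attrs list that names objectSid. samr_OemChangePasswordUser2 starts before this hunk.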
@@ -267,7 +268,7 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
const char * const dom_attrs[] = { "minPwdLength", "pwdHistoryLength",
"pwdProperties", "minPwdAge", "maxPwdAge",
NULL };
- const char *domain_sid;
+ struct dom_sid *domain_sid;
struct samr_Password *nt_pwd, *lm_pwd;
DATA_BLOB nt_pwd_blob;
struct samr_DomInfo1 *dominfo;
@@ -360,7 +361,8 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
}
domain_dn = samdb_search_string(sam_ctx, mem_ctx, NULL, "dn",
- "(objectSid=%s)", domain_sid);
+ "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
if (!domain_dn) {
status = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto failed;
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index c3968495e4..ce6d349aca 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -1,7 +1,7 @@
dn: @INDEXLIST
@IDXATTR: name
@IDXATTR: sAMAccountName
-@IDXATTR: objectSid
+@IDXATTR: objectSid_DISABLED_BY_TRIDGE
@IDXATTR: objectClass
@IDXATTR: member
@IDXATTR: unixID
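Review bot: Renaming the attribute to `objectSid_DISABLED_BY_TRIDGE` leaves @INDEXLIST declaring an index on an attribute that no record carries, which reads like a typo to anyone who has not seen the commit message; an LDIF `#` comment line such as `# @IDXATTR: objectSid -- index disabled until the index code can use the string form of the NDR-encoded SID` states the intent and is trivially reversible. Until it is re-enabled, every `(objectSid=...)` filter introduced by this commit runs as an unindexed scan of the SAM, which the commit message acknowledges as a temporary performance cost; a TODO in the file keeps that from being forgotten.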