diff options
author | Andrew Tridgell <tridge@samba.org> | 2008-12-03 17:47:39 +1100 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2008-12-03 17:47:39 +1100 |
commit | a226d86dcec393b2cd657d5441c3041dfdf5cd8f (patch) | |
tree | 03ef7f3207607a4e5351bf50892b0a39dcf6f219 | |
parent | 30eff4f31b497ac94d8ee02ee2ec24bc8865ce0d (diff) | |
parent | 85b8cccab072bab263061654b677bc84826646c9 (diff) | |
download | samba-a226d86dcec393b2cd657d5441c3041dfdf5cd8f.tar.gz samba-a226d86dcec393b2cd657d5441c3041dfdf5cd8f.tar.bz2 samba-a226d86dcec393b2cd657d5441c3041dfdf5cd8f.zip |
Merge branch 'master' of ssh://git.samba.org/data/git/samba
343 files changed, 14013 insertions, 6548 deletions
diff --git a/docs-xml/manpages-3/net.8.xml b/docs-xml/manpages-3/net.8.xml index 31fe69d8d3..75f85e1c55 100644 --- a/docs-xml/manpages-3/net.8.xml +++ b/docs-xml/manpages-3/net.8.xml @@ -395,7 +395,7 @@ current network.</para> <title>RAP PRINTQ</title> <refsect3> -<title>RAP PRINTQ LIST <replaceable>QUEUE_NAME</replaceable></title> +<title>RAP PRINTQ INFO <replaceable>QUEUE_NAME</replaceable></title> <para>Lists the specified print queue and print jobs on the server. If the <replaceable>QUEUE_NAME</replaceable> is omitted, all diff --git a/docs-xml/manpages-3/wbinfo.1.xml b/docs-xml/manpages-3/wbinfo.1.xml index 72a2380dde..abb1c7f53f 100644 --- a/docs-xml/manpages-3/wbinfo.1.xml +++ b/docs-xml/manpages-3/wbinfo.1.xml @@ -39,10 +39,14 @@ <arg choice="opt">--own-domain</arg> <arg choice="opt">-p</arg> <arg choice="opt">-r user</arg> + <arg choice="opt">--remove-uid-mapping uid,sid</arg> + <arg choice="opt">--remove-gid-mapping gid,sid</arg> <arg choice="opt">-s sid</arg> <arg choice="opt">--separator</arg> <arg choice="opt">--sequence</arg> <arg choice="opt">--set-auth-user user%password</arg> + <arg choice="opt">--set-uid-mapping uid,sid</arg> + <arg choice="opt">--set-gid-mapping gid,sid</arg> <arg choice="opt">-S sid</arg> <arg choice="opt">-t</arg> <arg choice="opt">-u</arg> @@ -333,6 +337,29 @@ the operation will fail. </para></listitem> </varlistentry> + <varlistentry> + <term>--remove-uid-mapping uid,sid</term> + <listitem><para>Remove an existing uid to sid mapping + entry from the IDmap backend.</para></listitem> + </varlistentry> + + <varlistentry> + <term>--remove-gid-mapping gid,sid</term> + <listitem><para>Remove an existing gid to sid + mapping entry from the IDmap backend.</para></listitem> + </varlistentry> + + <varlistentry> + <term>--set-uid-mapping uid,sid</term> + <listitem><para>Create a new or modify an existing uid to sid + mapping in the IDmap backend.</para></listitem> + </varlistentry> + + <varlistentry> + <term>--set-gid-mapping gid,sid</term> + <listitem><para>Create a new or modify an existing gid to sid + mapping in the IDmap backend.</para></listitem> + </varlistentry> &stdarg.version; &stdarg.help; diff --git a/docs-xml/smbdotconf/security/writeable.xml b/docs-xml/smbdotconf/security/writeable.xml index f811c47e5c..99678a9fce 100644 --- a/docs-xml/smbdotconf/security/writeable.xml +++ b/docs-xml/smbdotconf/security/writeable.xml @@ -6,4 +6,6 @@ <description> <para>Inverted synonym for <smbconfoption name="read only"/>.</para> </description> + +<value type="default">no</value> </samba:parameter> diff --git a/lib/README b/lib/README index b994447f4b..acae62c378 100644 --- a/lib/README +++ b/lib/README @@ -8,3 +8,4 @@ socket_wrapper - Wrapper library allowing TCP/IP traffic to be redirected over Unix domain sockets. talloc - Hierarchical pool based memory allocator tdb - Simple but fast key/value database library, supporting multiple writers +torture - Simple unit testing helper library diff --git a/lib/replace/autoconf-2.60.m4 b/lib/replace/autoconf-2.60.m4 index acdcd38efe..2d5dbc1661 100644 --- a/lib/replace/autoconf-2.60.m4 +++ b/lib/replace/autoconf-2.60.m4 @@ -179,6 +179,7 @@ AC_DEFUN([AC_PROG_CC_C99], # ------------------------ # Enable extensions on systems that normally disable them, # typically due to standards-conformance issues. +m4_ifndef([AC_USE_SYSTEM_EXTENSIONS],[ AC_DEFUN([AC_USE_SYSTEM_EXTENSIONS], [ AC_BEFORE([$0], [AC_COMPILE_IFELSE]) @@ -208,3 +209,4 @@ AC_DEFUN([AC_USE_SYSTEM_EXTENSIONS], AC_DEFINE([__EXTENSIONS__]) AC_DEFINE([_POSIX_PTHREAD_SEMANTICS]) ]) +]) diff --git a/source4/lib/torture/config.mk b/lib/torture/config.mk index 8a7f2a3b6b..abd89260f6 100644 --- a/source4/lib/torture/config.mk +++ b/lib/torture/config.mk @@ -4,6 +4,7 @@ PUBLIC_DEPENDENCIES = \ LIBSAMBA-HOSTCONFIG \ LIBSAMBA-UTIL \ LIBTALLOC +CFLAGS = -I$(libtorturesrcdir) -I$(libtorturesrcdir)/../ torture_VERSION = 0.0.1 torture_SOVERSION = 0 diff --git a/source4/lib/torture/subunit.c b/lib/torture/subunit.c index d5ee344596..832f11fafc 100644 --- a/source4/lib/torture/subunit.c +++ b/lib/torture/subunit.c @@ -20,11 +20,6 @@ #include "includes.h" #include "lib/torture/torture.h" -static void subunit_init(struct torture_results *results) -{ - /* FIXME: register segv and bus handler */ -} - static void subunit_suite_start(struct torture_context *ctx, struct torture_suite *suite) { @@ -87,7 +82,6 @@ static void subunit_warning(struct torture_context *test, } const struct torture_ui_ops torture_subunit_ui_ops = { - .init = subunit_init, .comment = subunit_comment, .warning = subunit_warning, .test_start = subunit_test_start, diff --git a/source4/lib/torture/torture.c b/lib/torture/torture.c index e465529f6b..9ad29ba9d0 100644 --- a/source4/lib/torture/torture.c +++ b/lib/torture/torture.c @@ -2,7 +2,7 @@ Unix SMB/CIFS implementation. SMB torture UI functions - Copyright (C) Jelmer Vernooij 2006 + Copyright (C) Jelmer Vernooij 2006-2008 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -18,8 +18,8 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ -#include "includes.h" -#include "torture/torture.h" +#include "source4/include/includes.h" +#include "../torture/torture.h" #include "../lib/util/dlinklist.h" #include "param/param.h" #include "system/filesys.h" @@ -310,7 +310,7 @@ static bool internal_torture_run_test(struct torture_context *context, bool already_setup) { bool success; - char *old_testname; + char *old_testname = NULL; if (tcase == NULL || strcmp(test->name, tcase->name) != 0) { old_testname = context->active_testname; diff --git a/source4/lib/torture/torture.h b/lib/torture/torture.h index f06ffe012b..73ea1eb643 100644 --- a/source4/lib/torture/torture.h +++ b/lib/torture/torture.h @@ -105,8 +105,6 @@ struct torture_results bool quiet; bool returncode; - - }; /* @@ -286,6 +284,21 @@ void torture_result(struct torture_context *test, } \ } while(0) +#define torture_assert_data_blob_equal(torture_ctx,got,expected,cmt)\ + do { const DATA_BLOB __got = (got), __expected = (expected); \ + if (__got.length != __expected.length) { \ + torture_result(torture_ctx, TORTURE_FAIL, \ + __location__": "#got".len %d did not match "#expected" len %d: %s", \ + (int)__got.length, (int)__expected.length, cmt); \ + return false; \ + } \ + if (memcmp(__got.data, __expected.data, __got.length) != 0) { \ + torture_result(torture_ctx, TORTURE_FAIL, \ + __location__": "#got" of len %d did not match"#expected": %s", (int)__got.length, cmt); \ + return false; \ + } \ + } while(0) + #define torture_assert_file_contains_text(torture_ctx,filename,expected,cmt)\ do { \ char *__got; \ diff --git a/source4/lib/torture/torture.pc.in b/lib/torture/torture.pc.in index 6582816cb5..6582816cb5 100644 --- a/source4/lib/torture/torture.pc.in +++ b/lib/torture/torture.pc.in diff --git a/lib/util/fault.m4 b/lib/util/fault.m4 index b24e63641c..da077af31d 100644 --- a/lib/util/fault.m4 +++ b/lib/util/fault.m4 @@ -1,5 +1,15 @@ AC_CHECK_HEADERS(execinfo.h) AC_SEARCH_LIBS_EXT(backtrace, [execinfo], EXECINFO_LIBS) AC_CHECK_FUNC_EXT(backtrace, $EXECINFO_LIBS) -SMB_EXT_LIB(EXECINFO,[${EXECINFO_LIBS}]) -SMB_ENABLE(EXECINFO) + + +if test x"$ac_cv_header_execinfo_h" = x"yes" -a x"$ac_cv_func_ext_backtrace" = x"yes";then + SMB_ENABLE(EXECINFO, YES) + EXECINFO_CFLAGS="$CFLAGS" + EXECINFO_CPPFLAGS="$CPPFLAGS" + EXECINFO_LDFLAGS="$LDFLAGS" +else + SMB_ENABLE(EXECINFO,NO) +fi + +SMB_EXT_LIB(EXECINFO, [${EXECINFO_LIBS}], [${EXECINFO_CFLAGS}], [${EXECINFO_CPPFLAGS}], [${EXECINFO_LDFLAGS}]) diff --git a/lib/util/util.c b/lib/util/util.c index 4e2a5aab09..7548d30b7e 100644 --- a/lib/util/util.c +++ b/lib/util/util.c @@ -701,10 +701,14 @@ _PUBLIC_ char *hex_encode_talloc(TALLOC_CTX *mem_ctx, const unsigned char *buff_ char *hex_buffer; hex_buffer = talloc_array(mem_ctx, char, (len*2)+1); + if (!hex_buffer) { + return NULL; + } for (i = 0; i < len; i++) slprintf(&hex_buffer[i*2], 3, "%02X", buff_in[i]); + talloc_set_name_const(hex_buffer, hex_buffer); return hex_buffer; } diff --git a/lib/util/util.h b/lib/util/util.h index ec1cfef110..dced557acb 100644 --- a/lib/util/util.h +++ b/lib/util/util.h @@ -21,6 +21,8 @@ #ifndef _SAMBA_UTIL_H_ #define _SAMBA_UTIL_H_ +#include <netinet/in.h> + #if _SAMBA_BUILD_ == 4 #include "../lib/util/charset/charset.h" #endif @@ -124,9 +126,6 @@ void CatchChildLeaveStatus(void); /* The following definitions come from lib/util/system.c */ - -struct in_addr; - /************************************************************************** A wrapper for gethostbyname() that tries avoids looking up hostnames in the root domain, which can cause dial-on-demand links to come up for no diff --git a/libcli/nbt/libnbt.h b/libcli/nbt/libnbt.h index e03352d7cf..7d8ca49e9a 100644 --- a/libcli/nbt/libnbt.h +++ b/libcli/nbt/libnbt.h @@ -331,9 +331,9 @@ NTSTATUS nbt_name_reply_send(struct nbt_name_socket *nbtsock, struct nbt_name_packet *request); -NDR_SCALAR_PROTO(wrepl_nbt_name, const struct nbt_name *); -NDR_SCALAR_PROTO(nbt_string, const char *); -NDR_BUFFER_PROTO(nbt_name, struct nbt_name); +NDR_SCALAR_PROTO(wrepl_nbt_name, const struct nbt_name *) +NDR_SCALAR_PROTO(nbt_string, const char *) +NDR_BUFFER_PROTO(nbt_name, struct nbt_name) NTSTATUS nbt_rcode_to_ntstatus(uint8_t rcode); struct composite_context; diff --git a/libcli/util/doserr.c b/libcli/util/doserr.c index 2ab39125df..160e7bc3e0 100644 --- a/libcli/util/doserr.c +++ b/libcli/util/doserr.c @@ -135,6 +135,7 @@ static const struct werror_code_struct dos_errs[] = { "WERR_INVALID_FLAGS", WERR_INVALID_FLAGS }, { "WERR_NOT_FOUND", WERR_NOT_FOUND }, { "WERR_SERVER_UNAVAILABLE", WERR_SERVER_UNAVAILABLE }, + { "WERR_NO_TRUST_SAM_ACCOUNT", WERR_NO_TRUST_SAM_ACCOUNT }, { "WERR_CLASS_NOT_REGISTERED", WERR_CLASS_NOT_REGISTERED }, { "WERR_NO_SHUTDOWN_IN_PROGRESS", WERR_NO_SHUTDOWN_IN_PROGRESS }, { "WERR_SHUTDOWN_ALREADY_IN_PROGRESS", WERR_SHUTDOWN_ALREADY_IN_PROGRESS }, diff --git a/libcli/util/ntstatus.h b/libcli/util/ntstatus.h index fa4553df1e..139562d8c2 100644 --- a/libcli/util/ntstatus.h +++ b/libcli/util/ntstatus.h @@ -592,6 +592,7 @@ typedef uint32_t NTSTATUS; #define NT_STATUS_TOO_MANY_LINKS NT_STATUS(0xC0000000 | 0x0265) #define NT_STATUS_QUOTA_LIST_INCONSISTENT NT_STATUS(0xC0000000 | 0x0266) #define NT_STATUS_FILE_IS_OFFLINE NT_STATUS(0xC0000000 | 0x0267) +#define NT_STATUS_DS_BUSY NT_STATUS(0xC0000000 | 0x02a5) #define NT_STATUS_DS_NO_MORE_RIDS NT_STATUS(0xC0000000 | 0x02a8) #define NT_STATUS_NOT_A_REPARSE_POINT NT_STATUS(0xC0000000 | 0x0275) #define NT_STATUS_CURRENT_DOMAIN_NOT_ALLOWED NT_STATUS(0xC0000000 | 0x02E9) diff --git a/libcli/util/werror.h b/libcli/util/werror.h index fe819fce5e..d22516ae5c 100644 --- a/libcli/util/werror.h +++ b/libcli/util/werror.h @@ -136,6 +136,7 @@ typedef uint32_t WERROR; #define WERR_TIME_SKEW W_ERROR(1398) #define WERR_EVENTLOG_FILE_CORRUPT W_ERROR(1500) #define WERR_SERVER_UNAVAILABLE W_ERROR(1722) +#define WERR_NO_TRUST_SAM_ACCOUNT W_ERROR(1787) #define WERR_INVALID_FORM_NAME W_ERROR(1902) #define WERR_INVALID_FORM_SIZE W_ERROR(1903) #define WERR_PASSWORD_MUST_CHANGE W_ERROR(1907) @@ -180,6 +181,7 @@ typedef uint32_t WERROR; /* Configuration Manager Errors */ /* Basically Win32 errors meanings are specific to the \ntsvcs pipe */ +#define WERR_CM_BUFFER_SMALL W_ERROR(26) #define WERR_CM_NO_MORE_HW_PROFILES W_ERROR(35) #define WERR_CM_NO_SUCH_VALUE W_ERROR(37) diff --git a/librpc/idl/eventlog.idl b/librpc/idl/eventlog.idl index ce25dd65ff..bab4cb90c7 100644 --- a/librpc/idl/eventlog.idl +++ b/librpc/idl/eventlog.idl @@ -11,7 +11,7 @@ import "lsa.idl", "security.idl"; helpstring("Event Logger") ] interface eventlog { - typedef bitmap { + typedef [bitmap32bit] bitmap { EVENTLOG_SEQUENTIAL_READ = 0x0001, EVENTLOG_SEEK_READ = 0x0002, EVENTLOG_FORWARDS_READ = 0x0004, @@ -100,8 +100,8 @@ import "lsa.idl", "security.idl"; [in,unique] eventlog_OpenUnknown0 *unknown0, [in,ref] lsa_String *logname, [in,ref] lsa_String *servername, - [in] uint32 unknown2, - [in] uint32 unknown3, + [in] uint32 major_version, + [in] uint32 minor_version, [out] policy_handle *handle ); @@ -117,7 +117,7 @@ import "lsa.idl", "security.idl"; /* Function: 0x0a */ NTSTATUS eventlog_ReadEventLogW( [in] policy_handle *handle, - [in] uint32 flags, + [in] eventlogReadFlags flags, [in] uint32 offset, [in] [range(0,0x7FFFF)] uint32 number_of_bytes, [out,ref,size_is(number_of_bytes)] uint8 *data, diff --git a/librpc/idl/misc.idl b/librpc/idl/misc.idl index ff548fe804..1907195252 100644 --- a/librpc/idl/misc.idl +++ b/librpc/idl/misc.idl @@ -2,7 +2,6 @@ miscellaneous IDL structures */ - [ pointer_default(unique) ] @@ -36,19 +35,4 @@ interface misc SEC_CHAN_DOMAIN = 4, SEC_CHAN_BDC = 6 } netr_SchannelType; - - /* SAM database types */ - typedef [public,v1_enum] enum { - SAM_DATABASE_DOMAIN = 0, /* Domain users and groups */ - SAM_DATABASE_BUILTIN = 1, /* BUILTIN users and groups */ - SAM_DATABASE_PRIVS = 2 /* Privileges */ - } netr_SamDatabaseID; - - typedef [public,v1_enum] enum { - SAMR_REJECT_OTHER = 0, - SAMR_REJECT_TOO_SHORT = 1, - SAMR_REJECT_IN_HISTORY = 2, - SAMR_REJECT_COMPLEXITY = 5 - } samr_RejectReason; - } diff --git a/librpc/idl/named_pipe_auth.idl b/librpc/idl/named_pipe_auth.idl new file mode 100644 index 0000000000..7d85eba9eb --- /dev/null +++ b/librpc/idl/named_pipe_auth.idl @@ -0,0 +1,44 @@ +#include "idl_types.h" +/* + miscellaneous IDL structures +*/ + +import "netlogon.idl"; + +[ + pointer_default(unique) +] +interface named_pipe_auth +{ + const char *NAMED_PIPE_AUTH_MAGIC = "NPAM"; + + typedef [switch_type(uint32)] union { + [case(0)] ;/* anonymous */ + [case(1)] netr_SamInfo3 info1; + } named_pipe_auth_req_info; + + typedef [public,gensize] struct { + [flag(NDR_BIG_ENDIAN), + value(ndr_size_named_pipe_auth_req(r,ndr->flags)-4)] + uint32 length; + [charset(DOS),value(NAMED_PIPE_AUTH_MAGIC)] uint8 magic[4]; + uint32 level; + [switch_is(level)] named_pipe_auth_req_info info; + } named_pipe_auth_req; + + typedef [switch_type(uint32)] union { + [case(0)] ; + [case(1)] ; + } named_pipe_auth_rep_info; + + typedef [public,gensize] struct { + [flag(NDR_BIG_ENDIAN), + value(ndr_size_named_pipe_auth_rep(r,ndr->flags)-4)] + uint32 length; + [charset(DOS),value(NAMED_PIPE_AUTH_MAGIC)] uint8 magic[4]; + uint32 level; + [switch_is(level)] named_pipe_auth_rep_info info; + NTSTATUS status; + } named_pipe_auth_rep; +} + diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl index 0561f5becd..cf4da7adfa 100644 --- a/librpc/idl/netlogon.idl +++ b/librpc/idl/netlogon.idl @@ -8,10 +8,14 @@ import "misc.idl", "lsa.idl", "samr.idl", "security.idl", "nbt.idl"; #include "idl_types.h" +cpp_quote("#define netr_DeltaEnum8Bit netr_DeltaEnum") +cpp_quote("#define netr_SamDatabaseID8Bit netr_SamDatabaseID") + [ uuid("12345678-1234-abcd-ef00-01234567cffb"), version(1.0), endpoint("ncacn_np:[\\pipe\\netlogon]","ncacn_ip_tcp:","ncalrpc:"), + helper("../librpc/ndr/ndr_netlogon.h"), pointer_default(unique) ] @@ -19,6 +23,8 @@ interface netlogon { typedef bitmap samr_AcctFlags samr_AcctFlags; typedef bitmap samr_GroupAttrs samr_GroupAttrs; + typedef enum netr_DeltaEnum8Bit netr_DeltaEnum8Bit; + typedef enum netr_SamDatabaseID8Bit netr_SamDatabaseID8Bit; /*****************/ /* Function 0x00 */ @@ -432,7 +438,7 @@ interface netlogon boolean8 lm_password_present; boolean8 password_expired; lsa_String comment; - lsa_String parameters; + lsa_BinaryString parameters; uint16 country_code; uint16 code_page; netr_USER_PRIVATE_INFO user_private_info; @@ -958,13 +964,37 @@ interface netlogon /* i'm not at all sure how this call works */ + typedef [bitmap16bit] bitmap { + NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED = 0x0001, + NETR_CHANGELOG_CHANGED_PASSWORD = 0x0002, + NETR_CHANGELOG_SID_INCLUDED = 0x0004, + NETR_CHANGELOG_NAME_INCLUDED = 0x0008, + NETR_CHANGELOG_FIRST_PROMOTION_OBJ = 0x0010 + } netr_ChangeLogFlags; + + typedef [nodiscriminant] union { + [case(NETR_CHANGELOG_SID_INCLUDED)] dom_sid object_sid; + [case(NETR_CHANGELOG_NAME_INCLUDED)] nstring object_name; + [default]; + } netr_ChangeLogObject; + + typedef [public,gensize] struct { + uint32 serial_number1; + uint32 serial_number2; + uint32 object_rid; + netr_ChangeLogFlags flags; + netr_SamDatabaseID8Bit db_index; + netr_DeltaEnum8Bit delta_type; + [switch_is(flags & (NETR_CHANGELOG_SID_INCLUDED|NETR_CHANGELOG_NAME_INCLUDED))] netr_ChangeLogObject object; + } netr_ChangeLogEntry; + NTSTATUS netr_DatabaseRedo( [in] [string,charset(UTF16)] uint16 logon_server[], [in] [string,charset(UTF16)] uint16 computername[], [in] netr_Authenticator *credential, [in,out,ref] netr_Authenticator *return_authenticator, - [in,ref][size_is(change_log_entry_size)] uint8 *change_log_entry, - [in] uint32 change_log_entry_size, + [in] [subcontext(4),subcontext_size(change_log_entry_size)] netr_ChangeLogEntry change_log_entry, + [in] [value(ndr_size_netr_ChangeLogEntry(&change_log_entry, ndr->flags))] uint32 change_log_entry_size, [out,ref] netr_DELTA_ENUM_ARRAY **delta_enum_array ); diff --git a/librpc/idl/ntsvcs.idl b/librpc/idl/ntsvcs.idl index 809ead90c3..be7fcdff13 100644 --- a/librpc/idl/ntsvcs.idl +++ b/librpc/idl/ntsvcs.idl @@ -2,9 +2,12 @@ plug and play services */ +import "winreg.idl"; + [ uuid("8d9f4e40-a03d-11ce-8f69-08003e30051b"), version(1.0), + endpoint("ncacn_np:[\\pipe\\ntsvcs]","ncacn_np:[\\pipe\\plugplay]"), helpstring("Plug and Play services") ] interface ntsvcs @@ -67,7 +70,7 @@ interface ntsvcs /******************/ /* Function: 0x0a */ - [todo] WERROR PNP_GetDeviceList( + WERROR PNP_GetDeviceList( [in,unique] [string,charset(UTF16)] uint16 *filter, [out,ref] [size_is(*length),length_is(*length)] uint16 *buffer, [in,out,ref] uint32 *length, @@ -96,7 +99,7 @@ interface ntsvcs WERROR PNP_GetDeviceRegProp( [in,ref] [string,charset(UTF16)] uint16 *devicepath, [in] uint32 property, - [in,out,ref] uint32 *reg_data_type, + [in,out,ref] winreg_Type *reg_data_type, [out,ref] [size_is(*buffer_size)] [length_is(*buffer_size)] uint8 *buffer, [in,out,ref] uint32 *buffer_size, [in,out,ref] uint32 *needed, @@ -237,31 +240,31 @@ interface ntsvcs /* Function: 0x28 */ WERROR PNP_HwProfFlags( - [in] uint32 unknown1, + [in] uint32 action, [in,ref] [string,charset(UTF16)] uint16 *devicepath, - [in] uint32 unknown2, - [in,out,ref] uint32 *unknown3, - [in,out,unique] uint16 *unknown4, + [in] uint32 config, + [in,out,ref] uint32 *profile_flags, + [in,out,unique] uint16 *veto_type, [in,unique] [string,charset(UTF16)] uint16 *unknown5, [out,unique] [string,charset(UTF16)] uint16 **unknown5a, - [in] uint32 unknown6, - [in] uint32 unknown7 + [in] uint32 name_length, + [in] uint32 flags ); /******************/ /* Function: 0x29 */ typedef struct { - uint32 unknown1; - uint16 unknown2[160]; - uint32 unknown3; + uint32 profile_handle; + uint16 friendly_name[80]; + uint32 flags; } PNP_HwProfInfo; WERROR PNP_GetHwProfInfo( [in] uint32 idx, [in,out,ref] PNP_HwProfInfo *info, - [in] uint32 unknown1, - [in] uint32 unknown2 + [in] uint32 size, + [in] uint32 flags ); /******************/ diff --git a/source3/librpc/idl/samr.idl b/librpc/idl/samr.idl index f47e0994dc..46478ee9e8 100644 --- a/source3/librpc/idl/samr.idl +++ b/librpc/idl/samr.idl @@ -17,6 +17,22 @@ import "misc.idl", "lsa.idl", "security.idl"; { typedef bitmap security_secinfo security_secinfo; + /* SAM database types */ + typedef [public,v1_enum] enum { + SAM_DATABASE_DOMAIN = 0, /* Domain users and groups */ + SAM_DATABASE_BUILTIN = 1, /* BUILTIN users and groups */ + SAM_DATABASE_PRIVS = 2 /* Privileges */ + } netr_SamDatabaseID; + + typedef [public,v1_enum] enum { + SAMR_REJECT_OTHER = 0, + SAMR_REJECT_TOO_SHORT = 1, + SAMR_REJECT_IN_HISTORY = 2, + SAMR_REJECT_COMPLEXITY = 5 + } samr_RejectReason; + + + /* account control (acct_flags) bits */ typedef [public,bitmap32bit] bitmap { ACB_DISABLED = 0x00000001, /* 1 = User account disabled */ @@ -321,6 +337,11 @@ import "misc.idl", "lsa.idl", "security.idl"; DOMAIN_REFUSE_PASSWORD_CHANGE = 0x00000020 } samr_PasswordProperties; + typedef [v1_enum] enum { + DOMAIN_SERVER_ENABLED = 1, + DOMAIN_SERVER_DISABLED = 2 + } samr_DomainServerState; + typedef struct { uint16 min_password_length; uint16 password_history_length; @@ -336,7 +357,7 @@ import "misc.idl", "lsa.idl", "security.idl"; lsa_String domain_name; lsa_String primary; /* PDC name if this is a BDC */ udlong sequence_num; - uint32 unknown2; + samr_DomainServerState domain_server_state; samr_Role role; uint32 unknown3; uint32 num_users; @@ -370,7 +391,7 @@ import "misc.idl", "lsa.idl", "security.idl"; } samr_DomInfo8; typedef struct { - uint32 unknown; /* w2k3 returns 1 */ + samr_DomainServerState domain_server_state; } samr_DomInfo9; typedef struct { @@ -417,7 +438,7 @@ import "misc.idl", "lsa.idl", "security.idl"; /************************/ /* Function 0x09 */ /* - only levels 1, 3, 4, 6, 7, 9, 12 are valid for this + only levels 1, 3, 4, 6, 7, 9, 12 are valid for this call in w2k3 */ NTSTATUS samr_SetDomainInfo( @@ -436,14 +457,10 @@ import "misc.idl", "lsa.idl", "security.idl"; [out,ref] policy_handle *group_handle, [out,ref] uint32 *rid ); - + /************************/ /* Function 0x0b */ - - const int MAX_SAM_ENTRIES_W2K = 0x400; /* 1024 */ - const int MAX_SAM_ENTRIES_W95 = 50; - NTSTATUS samr_EnumDomainGroups( [in] policy_handle *domain_handle, [in,out,ref] uint32 *resume_handle, @@ -853,7 +870,7 @@ import "misc.idl", "lsa.idl", "security.idl"; typedef struct { samr_AcctFlags acct_flags; } samr_UserInfo16; - + typedef struct { NTTIME acct_expiry; } samr_UserInfo17; @@ -959,7 +976,7 @@ import "misc.idl", "lsa.idl", "security.idl"; typedef struct { samr_CryptPassword password; - uint8 pw_len; + uint8 password_expired; } samr_UserInfo24; typedef [flag(NDR_PAHEX)] struct { @@ -973,7 +990,7 @@ import "misc.idl", "lsa.idl", "security.idl"; typedef struct { samr_CryptPasswordEx password; - uint8 pw_len; + uint8 password_expired; } samr_UserInfo26; typedef [switch_type(uint16)] union { @@ -1135,7 +1152,7 @@ import "misc.idl", "lsa.idl", "security.idl"; this seems to be an alphabetic search function. The returned index is the index for samr_QueryDisplayInfo needed to get names occurring after the specified name. The supplied name does not need to exist - in the database (for example you can supply just a first letter for + in the database (for example you can supply just a first letter for searching starting at that letter) The level corresponds to the samr_QueryDisplayInfo level @@ -1330,7 +1347,7 @@ import "misc.idl", "lsa.idl", "security.idl"; /************************/ /* Function 0x3a */ /* - seems to be an exact alias for samr_SetUserInfo() + seems to be an exact alias for samr_SetUserInfo() */ [public] NTSTATUS samr_SetUserInfo2( [in,ref] policy_handle *user_handle, @@ -1434,10 +1451,9 @@ import "misc.idl", "lsa.idl", "security.idl"; NTSTATUS samr_RidToSid( [in,ref] policy_handle *domain_handle, [in] uint32 rid, - [out,ref] dom_sid2 *sid + [out,ref] dom_sid2 **sid ); - /************************/ /* Function 0x42 */ diff --git a/source4/librpc/idl/security.cnf b/librpc/idl/security.cnf index 37da8c7423..37da8c7423 100644 --- a/source4/librpc/idl/security.cnf +++ b/librpc/idl/security.cnf diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index 690f406081..3f70e2c36e 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -5,27 +5,10 @@ */ import "misc.idl"; - -/* - use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really - just a dom sid, but with the sub_auths represented as a conformant - array. As with all in-structure conformant arrays, the array length - is placed before the start of the structure. That's what gives rise - to the extra num_auths elemenent. We don't want the Samba code to - have to bother with such esoteric NDR details, so its easier to just - define it as a dom_sid and use pidl magic to make it all work. It - just means you need to mark a sid as a "dom_sid2" in the IDL when you - know it is of the conformant array variety -*/ -cpp_quote("#define dom_sid2 dom_sid") - -/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */ -cpp_quote("#define dom_sid28 dom_sid") - -/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */ -cpp_quote("#define dom_sid0 dom_sid") +import "dom_sid.idl"; [ + helper("librpc/gen_ndr/ndr_dom_sid.h"), pointer_default(unique) ] interface security @@ -257,7 +240,7 @@ interface security } sec_privilege; - typedef [bitmap8bit] bitmap { + typedef [public,bitmap8bit] bitmap { SEC_ACE_FLAG_OBJECT_INHERIT = 0x01, SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04, @@ -268,7 +251,7 @@ interface security SEC_ACE_FLAG_FAILED_ACCESS = 0x80 } security_ace_flags; - typedef [enum8bit] enum { + typedef [public,enum8bit] enum { SEC_ACE_TYPE_ACCESS_ALLOWED = 0, SEC_ACE_TYPE_ACCESS_DENIED = 1, SEC_ACE_TYPE_SYSTEM_AUDIT = 2, @@ -305,7 +288,7 @@ interface security [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type; } security_ace_object; - typedef [nodiscriminant] union { + typedef [public,nodiscriminant] union { [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object; [case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object; [case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object; @@ -313,7 +296,7 @@ interface security [default]; } security_ace_object_ctr; - typedef [public,gensize,nosize] struct { + typedef [public,nopull,gensize,nosize] struct { security_ace_type type; /* SEC_ACE_TYPE_* */ security_ace_flags flags; /* SEC_ACE_FLAG_* */ [value(ndr_size_security_ace(r,ndr->flags))] uint16 size; diff --git a/librpc/idl/svcctl.idl b/librpc/idl/svcctl.idl index fa8e10988c..4b88f5e5f4 100644 --- a/librpc/idl/svcctl.idl +++ b/librpc/idl/svcctl.idl @@ -89,13 +89,19 @@ import "misc.idl", "security.idl"; /*****************/ /* Function 0x01 */ - typedef enum { - FIXME=1 + /* Service Controls */ + + typedef [v1_enum] enum { + SVCCTL_CONTROL_STOP = 0x00000001, + SVCCTL_CONTROL_PAUSE = 0x00000002, + SVCCTL_CONTROL_CONTINUE = 0x00000003, + SVCCTL_CONTROL_INTERROGATE = 0x00000004, + SVCCTL_CONTROL_SHUTDOWN = 0x00000005 } SERVICE_CONTROL; WERROR svcctl_ControlService( [in,ref] policy_handle *handle, - [in] uint32 control, + [in] SERVICE_CONTROL control, [out,ref] SERVICE_STATUS *service_status ); @@ -218,10 +224,10 @@ import "misc.idl", "security.idl"; [in,ref] policy_handle *handle, [in] uint32 type, [in] uint32 state, - [in] uint32 buf_size, - [out,size_is(buf_size)] uint8 service[*], - [out,ref] uint32 *bytes_needed, - [out,ref] uint32 *services_returned, + [out,ref,size_is(buf_size)] uint8 *service, + [in] [range(0,262144)] uint32 buf_size, + [out,ref] [range(0,262144)] uint32 *bytes_needed, + [out,ref] [range(0,262144)] uint32 *services_returned, [in,out,unique] uint32 *resume_handle ); @@ -535,9 +541,9 @@ import "misc.idl", "security.idl"; WERROR svcctl_QueryServiceConfig2W( [in,ref] policy_handle *handle, [in] uint32 info_level, - [out] uint8 buffer[buf_size], - [in] uint32 buf_size, - [out,ref] uint32 *bytes_needed + [out,ref,size_is(buf_size)] uint8 *buffer, + [in] [range(0,8192)] uint32 buf_size, + [out,ref] [range(0,8192)] uint32 *bytes_needed ); /*****************/ @@ -545,9 +551,9 @@ import "misc.idl", "security.idl"; WERROR svcctl_QueryServiceStatusEx( [in,ref] policy_handle *handle, [in] uint32 info_level, - [out] uint8 buffer[buf_size], - [in] uint32 buf_size, - [out,ref] uint32 *bytes_needed + [out,ref,size_is(buf_size)] uint8 *buffer, + [in] [range(0,8192)] uint32 buf_size, + [out,ref] [range(0,8192)] uint32 *bytes_needed ); /*****************/ @@ -572,12 +578,12 @@ import "misc.idl", "security.idl"; [in] uint32 info_level, [in] uint32 type, [in] uint32 state, - [out] uint8 services[buf_size], - [in] uint32 buf_size, - [out,ref] uint32 *bytes_needed, - [out,ref] uint32 *service_returned, - [in,out,unique] uint32 *resume_handle, - [out,ref] [string,charset(UTF16)] uint16 **group_name + [out,ref,size_is(buf_size)] uint8 *services, + [in] [range(0,262144)] uint32 buf_size, + [out,ref] [range(0,262144)] uint32 *bytes_needed, + [out,ref] [range(0,262144)] uint32 *service_returned, + [in,out,unique] [range(0,262144)] uint32 *resume_handle, + [in,unique] [string,charset(UTF16)] uint16 *group_name ); /*****************/ diff --git a/librpc/idl/xattr.idl b/librpc/idl/xattr.idl index c1af4791ae..4191ea67ce 100644 --- a/librpc/idl/xattr.idl +++ b/librpc/idl/xattr.idl @@ -117,20 +117,20 @@ interface xattr stored in "security.NTACL" Version 1. raw SD stored as Samba4 does it. - Version 2. raw SD + last changed timestamp so we - can discard if this doesn't match the POSIX st_ctime. + Version 2. raw SD + last changed hash so we + can discard if this doesn't match the underlying ACL hash. */ const char *XATTR_NTACL_NAME = "security.NTACL"; typedef [public] struct { security_descriptor *sd; - NTTIME last_changed; - } security_descriptor_timestamp; + uint8 hash[16]; + } security_descriptor_hash; typedef [switch_type(uint16)] union { [case(1)] security_descriptor *sd; - [case(2)] security_descriptor_timestamp *sd_ts; + [case(2)] security_descriptor_hash *sd_hs; } xattr_NTACL_Info; typedef [public] struct { diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h index 127f6734e3..eafaf688af 100644 --- a/librpc/ndr/libndr.h +++ b/librpc/ndr/libndr.h @@ -511,6 +511,7 @@ enum ndr_err_code ndr_push_charset(struct ndr_push *ndr, int ndr_flags, const ch /* GUIDs */ bool GUID_equal(const struct GUID *u1, const struct GUID *u2); +NTSTATUS GUID_from_data_blob(const DATA_BLOB *s, struct GUID *guid); NTSTATUS GUID_from_string(const char *s, struct GUID *guid); NTSTATUS NS_GUID_from_string(const char *s, struct GUID *guid); struct GUID GUID_zero(void); @@ -518,6 +519,7 @@ bool GUID_all_zero(const struct GUID *u); int GUID_compare(const struct GUID *u1, const struct GUID *u2); char *GUID_string(TALLOC_CTX *mem_ctx, const struct GUID *guid); char *GUID_string2(TALLOC_CTX *mem_ctx, const struct GUID *guid); +char *GUID_hexstring(TALLOC_CTX *mem_ctx, const struct GUID *guid); char *NS_GUID_string(TALLOC_CTX *mem_ctx, const struct GUID *guid); struct GUID GUID_random(void); diff --git a/librpc/ndr/ndr_netlogon.c b/librpc/ndr/ndr_netlogon.c new file mode 100644 index 0000000000..411f3b9ba0 --- /dev/null +++ b/librpc/ndr/ndr_netlogon.c @@ -0,0 +1,65 @@ +/* + Unix SMB/CIFS implementation. + + routines for marshalling/unmarshalling special netlogon types + + Copyright (C) Guenther Deschner 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_netlogon.h" +#include "librpc/gen_ndr/ndr_misc.h" +#include "librpc/gen_ndr/ndr_samr.h" + +_PUBLIC_ enum ndr_err_code ndr_push_netr_SamDatabaseID8Bit(struct ndr_push *ndr, int ndr_flags, enum netr_SamDatabaseID8Bit r) +{ + if (r > 0xff) return NDR_ERR_BUFSIZE; + NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r)); + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_netr_SamDatabaseID8Bit(struct ndr_pull *ndr, int ndr_flags, enum netr_SamDatabaseID8Bit *r) +{ + uint8_t v; + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &v)); + *r = v; + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_netr_SamDatabaseID8Bit(struct ndr_print *ndr, const char *name, enum netr_SamDatabaseID8Bit r) +{ + ndr_print_netr_SamDatabaseID(ndr, name, r); +} + +_PUBLIC_ enum ndr_err_code ndr_push_netr_DeltaEnum8Bit(struct ndr_push *ndr, int ndr_flags, enum netr_DeltaEnum8Bit r) +{ + if (r > 0xff) return NDR_ERR_BUFSIZE; + NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r)); + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_netr_DeltaEnum8Bit(struct ndr_pull *ndr, int ndr_flags, enum netr_DeltaEnum8Bit *r) +{ + uint8_t v; + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &v)); + *r = v; + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_netr_DeltaEnum8Bit(struct ndr_print *ndr, const char *name, enum netr_DeltaEnum8Bit r) +{ + ndr_print_netr_DeltaEnum(ndr, name, r); +} diff --git a/librpc/ndr/ndr_netlogon.h b/librpc/ndr/ndr_netlogon.h new file mode 100644 index 0000000000..0e6bd6a410 --- /dev/null +++ b/librpc/ndr/ndr_netlogon.h @@ -0,0 +1,28 @@ +/* + Unix SMB/CIFS implementation. + + routines for marshalling/unmarshalling special netlogon types + + Copyright (C) Guenther Deschner 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +_PUBLIC_ enum ndr_err_code ndr_push_netr_SamDatabaseID8Bit(struct ndr_push *ndr, int ndr_flags, enum netr_SamDatabaseID8Bit r); +_PUBLIC_ enum ndr_err_code ndr_pull_netr_SamDatabaseID8Bit(struct ndr_pull *ndr, int ndr_flags, enum netr_SamDatabaseID8Bit *r); +_PUBLIC_ void ndr_print_netr_SamDatabaseID8Bit(struct ndr_print *ndr, const char *name, enum netr_SamDatabaseID8Bit r); + +_PUBLIC_ enum ndr_err_code ndr_push_netr_DeltaEnum8Bit(struct ndr_push *ndr, int ndr_flags, enum netr_DeltaEnum8Bit r); +_PUBLIC_ enum ndr_err_code ndr_pull_netr_DeltaEnum8Bit(struct ndr_pull *ndr, int ndr_flags, enum netr_DeltaEnum8Bit *r); +_PUBLIC_ void ndr_print_netr_DeltaEnum8Bit(struct ndr_print *ndr, const char *name, enum netr_DeltaEnum8Bit r); diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c new file mode 100644 index 0000000000..4b135505d8 --- /dev/null +++ b/librpc/ndr/ndr_sec_helper.c @@ -0,0 +1,118 @@ +/* + Unix SMB/CIFS implementation. + + fast routines for getting the wire size of security objects + + Copyright (C) Andrew Tridgell 2003 + Copyright (C) Stefan Metzmacher 2006-2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + + +#include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" + +/* + return the wire size of a security_ace +*/ +size_t ndr_size_security_ace(const struct security_ace *ace, int flags) +{ + size_t ret; + + if (!ace) return 0; + + ret = 8 + ndr_size_dom_sid(&ace->trustee, flags); + + switch (ace->type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: + case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: + ret += 4; /* uint32 bitmap ace->object.object.flags */ + if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) { + ret += 16; /* GUID ace->object.object.type.type */ + } + if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) { + ret += 16; /* GUID ace->object.object.inherited_typeinherited_type */ + } + break; + default: + break; + } + + return ret; +} + +enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, int ndr_flags, struct security_ace *r) +{ + if (ndr_flags & NDR_SCALARS) { + uint32_t start_ofs = ndr->offset; + uint32_t size = 0; + uint32_t pad = 0; + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, &r->type)); + NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, &r->flags)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask)); + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type)); + NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, NDR_SCALARS, &r->object)); + NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee)); + size = ndr->offset - start_ofs; + if (r->size < size) { + return ndr_pull_error(ndr, NDR_ERR_BUFSIZE, + "ndr_pull_security_ace: r->size %u < size %u", + (unsigned)r->size, size); + } + pad = r->size - size; + NDR_PULL_NEED_BYTES(ndr, pad); + ndr->offset += pad; + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, NDR_BUFFERS, &r->object)); + } + return NDR_ERR_SUCCESS; +} + +/* + return the wire size of a security_acl +*/ +size_t ndr_size_security_acl(const struct security_acl *acl, int flags) +{ + size_t ret; + int i; + if (!acl) return 0; + ret = 8; + for (i=0;i<acl->num_aces;i++) { + ret += ndr_size_security_ace(&acl->aces[i], flags); + } + return ret; +} + +/* + return the wire size of a security descriptor +*/ +size_t ndr_size_security_descriptor(const struct security_descriptor *sd, int flags) +{ + size_t ret; + if (!sd) return 0; + + ret = 20; + ret += ndr_size_dom_sid(sd->owner_sid, flags); + ret += ndr_size_dom_sid(sd->group_sid, flags); + ret += ndr_size_security_acl(sd->dacl, flags); + ret += ndr_size_security_acl(sd->sacl, flags); + return ret; +} + diff --git a/librpc/ndr/uuid.c b/librpc/ndr/uuid.c index 1e6ee0a3db..aa24ac4494 100644 --- a/librpc/ndr/uuid.c +++ b/librpc/ndr/uuid.c @@ -23,33 +23,66 @@ #include "includes.h" #include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/ndr_misc.h" /** build a GUID from a string */ -_PUBLIC_ NTSTATUS GUID_from_string(const char *s, struct GUID *guid) +_PUBLIC_ NTSTATUS GUID_from_data_blob(const DATA_BLOB *s, struct GUID *guid) { NTSTATUS status = NT_STATUS_INVALID_PARAMETER; uint32_t time_low; uint32_t time_mid, time_hi_and_version; uint32_t clock_seq[2]; uint32_t node[6]; + uint8_t buf16[16]; + DATA_BLOB blob16 = data_blob_const(buf16, sizeof(buf16)); int i; - if (s == NULL) { + if (s->data == NULL) { return NT_STATUS_INVALID_PARAMETER; } - if (11 == sscanf(s, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x", + if (s->length == 36 && + 11 == sscanf((const char *)s->data, + "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x", &time_low, &time_mid, &time_hi_and_version, &clock_seq[0], &clock_seq[1], &node[0], &node[1], &node[2], &node[3], &node[4], &node[5])) { status = NT_STATUS_OK; - } else if (11 == sscanf(s, "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}", - &time_low, &time_mid, &time_hi_and_version, - &clock_seq[0], &clock_seq[1], - &node[0], &node[1], &node[2], &node[3], &node[4], &node[5])) { + } else if (s->length == 38 + && 11 == sscanf((const char *)s->data, + "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}", + &time_low, &time_mid, &time_hi_and_version, + &clock_seq[0], &clock_seq[1], + &node[0], &node[1], &node[2], &node[3], &node[4], &node[5])) { status = NT_STATUS_OK; + } else if (s->length == 32) { + size_t rlen = strhex_to_str((char *)blob16.data, blob16.length, + (const char *)s->data, s->length); + if (rlen == blob16.length) { + /* goto the ndr_pull_struct_blob() path */ + status = NT_STATUS_OK; + s = &blob16; + } + } + + if (s->length == 16) { + enum ndr_err_code ndr_err; + struct GUID guid2; + TALLOC_CTX *mem_ctx; + + mem_ctx = talloc_new(NULL); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + ndr_err = ndr_pull_struct_blob(s, mem_ctx, NULL, &guid2, + (ndr_pull_flags_fn_t)ndr_pull_GUID); + talloc_free(mem_ctx); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return ndr_map_error2ntstatus(ndr_err); + } + *guid = guid2; + return NT_STATUS_OK; } if (!NT_STATUS_IS_OK(status)) { @@ -71,6 +104,16 @@ _PUBLIC_ NTSTATUS GUID_from_string(const char *s, struct GUID *guid) /** build a GUID from a string */ +_PUBLIC_ NTSTATUS GUID_from_string(const char *s, struct GUID *guid) +{ + DATA_BLOB blob = data_blob_string_const(s); + return GUID_from_data_blob(&blob, guid); + return NT_STATUS_OK; +} + +/** + build a GUID from a string +*/ _PUBLIC_ NTSTATUS NS_GUID_from_string(const char *s, struct GUID *guid) { NTSTATUS status = NT_STATUS_INVALID_PARAMETER; @@ -208,6 +251,31 @@ _PUBLIC_ char *GUID_string2(TALLOC_CTX *mem_ctx, const struct GUID *guid) return ret; } +_PUBLIC_ char *GUID_hexstring(TALLOC_CTX *mem_ctx, const struct GUID *guid) +{ + char *ret; + DATA_BLOB guid_blob; + enum ndr_err_code ndr_err; + TALLOC_CTX *tmp_mem; + + tmp_mem = talloc_new(mem_ctx); + if (!tmp_mem) { + return NULL; + } + ndr_err = ndr_push_struct_blob(&guid_blob, tmp_mem, + NULL, + guid, + (ndr_push_flags_fn_t)ndr_push_GUID); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + talloc_free(tmp_mem); + return NULL; + } + + ret = data_blob_hex_string(mem_ctx, &guid_blob); + talloc_free(tmp_mem); + return ret; +} + _PUBLIC_ char *NS_GUID_string(TALLOC_CTX *mem_ctx, const struct GUID *guid) { return talloc_asprintf(mem_ctx, diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c index b755431034..a660989d19 100644 --- a/librpc/rpc/binding.c +++ b/librpc/rpc/binding.c @@ -251,8 +251,8 @@ _PUBLIC_ NTSTATUS dcerpc_parse_binding(TALLOC_CTX *mem_ctx, const char *s, struc if (p && PTR_DIFF(p, s) == 36) { /* 36 is the length of a UUID */ NTSTATUS status; - - status = GUID_from_string(s, &b->object.uuid); + DATA_BLOB blob = data_blob(s, 36); + status = GUID_from_data_blob(&blob, &b->object.uuid); if (NT_STATUS_IS_ERR(status)) { DEBUG(0, ("Failed parsing UUID\n")); diff --git a/pidl/lib/Parse/Pidl/Samba3/ClientNDR.pm b/pidl/lib/Parse/Pidl/Samba3/ClientNDR.pm index 2a23fad4a7..4109ce9962 100644 --- a/pidl/lib/Parse/Pidl/Samba3/ClientNDR.pm +++ b/pidl/lib/Parse/Pidl/Samba3/ClientNDR.pm @@ -215,7 +215,10 @@ sub ParseInterface($$) $self->pidl_hdr("#ifndef __CLI_$uif\__"); $self->pidl_hdr("#define __CLI_$uif\__"); - $self->ParseFunction($if->{NAME}, $_) foreach (@{$if->{FUNCTIONS}}); + foreach (@{$if->{FUNCTIONS}}) { + next if ($_->{PROPERTIES}{noopnum}); + $self->ParseFunction($if->{NAME}, $_); + } $self->pidl_hdr("#endif /* __CLI_$uif\__ */"); } diff --git a/pidl/lib/Parse/Pidl/Samba3/ServerNDR.pm b/pidl/lib/Parse/Pidl/Samba3/ServerNDR.pm index 6034fb6f16..eb3cdf20cb 100644 --- a/pidl/lib/Parse/Pidl/Samba3/ServerNDR.pm +++ b/pidl/lib/Parse/Pidl/Samba3/ServerNDR.pm @@ -142,6 +142,13 @@ sub ParseFunction($$) my @dir = @{$_->{DIRECTION}}; if (grep(/in/, @dir) and grep(/out/, @dir)) { pidl "r->out.$_->{NAME} = r->in.$_->{NAME};"; + } + } + + foreach (@{$fn->{ELEMENTS}}) { + my @dir = @{$_->{DIRECTION}}; + if (grep(/in/, @dir) and grep(/out/, @dir)) { + # noop } elsif (grep(/out/, @dir) and not has_property($_, "represent_as")) { AllocOutVar($_, "r", "r->out.$_->{NAME}", $env); @@ -205,7 +212,11 @@ sub ParseInterface($) pidl_hdr "#ifndef __SRV_$uif\__"; pidl_hdr "#define __SRV_$uif\__"; - ParseFunction($if, $_) foreach (@{$if->{FUNCTIONS}}); + + foreach (@{$if->{FUNCTIONS}}) { + next if ($_->{PROPERTIES}{noopnum}); + ParseFunction($if, $_); + } pidl ""; pidl "/* Tables */"; @@ -214,6 +225,7 @@ sub ParseInterface($) indent; foreach (@{$if->{FUNCTIONS}}) { + next if ($_->{PROPERTIES}{noopnum}); pidl "{\"" . uc($_->{NAME}) . "\", NDR_" . uc($_->{NAME}) . ", api_$_->{NAME}},"; } diff --git a/pidl/lib/Parse/Pidl/Samba4/Python.pm b/pidl/lib/Parse/Pidl/Samba4/Python.pm index 38aee2c9d1..a3107d4672 100644 --- a/pidl/lib/Parse/Pidl/Samba4/Python.pm +++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm @@ -702,7 +702,7 @@ sub Interface($$$) $self->pidl("if (!NT_STATUS_IS_OK(status)) {"); $self->indent; $self->pidl("PyErr_SetNTSTATUS(status);"); - $self->pidl("return;"); + $self->pidl("return NULL;"); $self->deindent; $self->pidl("}"); @@ -1181,7 +1181,6 @@ sub Parse($$$$$) $self->pidl("{"); $self->indent; $self->pidl("PyObject *m;"); - $self->pidl("NTSTATUS status;"); $self->pidl(""); foreach (@{$self->{ready_types}}) { diff --git a/release-scripts/build-docs b/release-scripts/build-docs index fa38d8dd2c..c138149f6c 100755 --- a/release-scripts/build-docs +++ b/release-scripts/build-docs @@ -4,7 +4,7 @@ DOCSRCDIR=`dirname $0`/../docs-xml cd $DOCSRCDIR || exit 1 -git-clean -d -x -f +git clean -d -x -f autoconf && \ ./configure --with-papersize=letter && \ make smbdotconf/parameters.all.xml && \ diff --git a/release-scripts/create-tarball b/release-scripts/create-tarball index 04728d835d..ab27f08222 100755 --- a/release-scripts/create-tarball +++ b/release-scripts/create-tarball @@ -137,7 +137,7 @@ function createReleaseTag return 0 fi - if [ "x`git-tag -l ${OPT_TAG}`" != "x" ]; then + if [ "x`git tag -l ${OPT_TAG}`" != "x" ]; then echo -n "Tag exists. Do you wish to overwrite? (y/N): " read answer @@ -155,7 +155,7 @@ function createReleaseTag fi fi - git-tag -u ${OPT_KEYID} ${OPT_TAG} + git tag -u ${OPT_KEYID} ${OPT_TAG} exitOnError $? "Failed to create tag" return 0 @@ -170,7 +170,7 @@ function main cd $TOPDIR - git-checkout ${OPT_BRANCH} + git checkout ${OPT_BRANCH} exitOnError $? "Invalid branch name \"${OPT_BRANCH}\"" (cd source3 && ./script/mkversion.sh) @@ -188,7 +188,7 @@ function main echo "Creating release tarball for Samba $version" /bin/rm -rf ../samba-${version} - git-archive --format=tar --prefix=samba-${version}/ HEAD | (cd .. && tar xf -) + git archive --format=tar --prefix=samba-${version}/ HEAD | (cd .. && tar xf -) exitOnError $? "Failed to create release directory tree" pushd ../samba-${version} diff --git a/source3/Makefile.in b/source3/Makefile.in index ce24001fd2..83e94a4382 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -17,6 +17,7 @@ localstatedir=@localstatedir@ datarootdir=@datarootdir@ selftest_prefix=@selftest_prefix@ +selftest_shrdir=@selftest_shrdir@ smbtorture4_path=@smbtorture4_path@ LIBS=@LIBS@ @@ -139,6 +140,9 @@ PRIVATE_DIR = $(PRIVATEDIR) # This is where SWAT images and help files go SWATDIR = @swatdir@ +# This is where locale(mo) files go +LOCALEDIR= @localedir@ + # the directory where lock files go LOCKDIR = @lockdir@ @@ -172,7 +176,8 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\"$(SMB_PASSWD_FILE)\" \ -DCONFIGDIR=\"$(CONFIGDIR)\" \ -DCODEPAGEDIR=\"$(CODEPAGEDIR)\" \ -DCACHEDIR=\"$(CACHEDIR)\" \ - -DSTATEDIR=\"$(STATEDIR)\" + -DSTATEDIR=\"$(STATEDIR)\" \ + -DLOCALEDIR=\"$(LOCALEDIR)\" # Note that all executable programs now provide for an optional executable suffix. @@ -224,6 +229,8 @@ MODULES = $(VFS_MODULES) $(PDB_MODULES) $(RPC_MODULES) $(IDMAP_MODULES) \ $(CHARSET_MODULES) $(AUTH_MODULES) $(NSS_INFO_MODULES) \ $(GPEXT_MODULES) +EXTRA_ALL_TARGETS = @EXTRA_ALL_TARGETS@ + ###################################################################### # object file lists ###################################################################### @@ -267,7 +274,7 @@ LIBNDR_OBJ = ../librpc/ndr/ndr_basic.o \ ../librpc/ndr/ndr_misc.o \ librpc/gen_ndr/ndr_misc.o \ librpc/gen_ndr/ndr_security.o \ - librpc/ndr/ndr_sec_helper.o \ + ../librpc/ndr/ndr_sec_helper.o \ librpc/ndr/ndr_string.o \ librpc/ndr/sid.o \ ../librpc/ndr/uuid.o \ @@ -278,7 +285,8 @@ RPCCLIENT_NDR_OBJ = rpc_client/ndr.o LIBNDR_GEN_OBJ0 = librpc/gen_ndr/ndr_samr.o \ librpc/gen_ndr/ndr_lsa.o -LIBNDR_GEN_OBJ1 = librpc/gen_ndr/ndr_netlogon.o +LIBNDR_GEN_OBJ1 = librpc/gen_ndr/ndr_netlogon.o \ + ../librpc/ndr/ndr_netlogon.o LIBNDR_GEN_OBJ = librpc/gen_ndr/ndr_wkssvc.o \ $(LIBNDR_GEN_OBJ0) \ @@ -293,6 +301,7 @@ LIBNDR_GEN_OBJ = librpc/gen_ndr/ndr_wkssvc.o \ librpc/gen_ndr/ndr_notify.o \ librpc/gen_ndr/ndr_xattr.o \ librpc/gen_ndr/ndr_epmapper.o \ + librpc/gen_ndr/ndr_named_pipe_auth.o \ librpc/gen_ndr/ndr_ntsvcs.o RPC_PARSE_OBJ0 = rpc_parse/parse_prs.o rpc_parse/parse_misc.o @@ -639,7 +648,9 @@ VFS_FILEID_OBJ = modules/vfs_fileid.o VFS_AIO_FORK_OBJ = modules/vfs_aio_fork.o VFS_SYNCOPS_OBJ = modules/vfs_syncops.o VFS_ACL_XATTR_OBJ = modules/vfs_acl_xattr.o +VFS_ACL_TDB_OBJ = modules/vfs_acl_tdb.o VFS_SMB_TRAFFIC_ANALYZER_OBJ = modules/vfs_smb_traffic_analyzer.o +VFS_ONEFS_OBJ = modules/vfs_onefs.o modules/onefs_acl.o PLAINTEXT_AUTH_OBJ = auth/pampass.o auth/pass_check.o @@ -797,7 +808,7 @@ RPCCLIENT_OBJ = $(RPCCLIENT_OBJ1) \ $(LIBADS_OBJ) $(POPT_LIB_OBJ) \ $(SMBLDAP_OBJ) $(DCUTIL_OBJ) $(LDB_OBJ) -PAM_WINBIND_OBJ = nsswitch/pam_winbind.o $(WBCOMMON_OBJ) \ +PAM_WINBIND_OBJ = nsswitch/pam_winbind.o localedir.o $(WBCOMMON_OBJ) \ $(LIBREPLACE_OBJ) @BUILD_INIPARSER@ LIBSMBCLIENT_OBJ0 = \ @@ -903,9 +914,9 @@ CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) \ $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) \ $(LIBNDR_GEN_OBJ0) -CIFS_MOUNT_OBJ = client/mount.cifs.o +CIFS_MOUNT_OBJ = client/mount.cifs.o client/mtab.o -CIFS_UMOUNT_OBJ = client/umount.cifs.o +CIFS_UMOUNT_OBJ = client/umount.cifs.o client/mtab.o CIFS_UPCALL_OBJ = client/cifs.upcall.o @@ -921,7 +932,7 @@ SMBTORTURE_OBJ = $(SMBTORTURE_OBJ1) $(PARAM_OBJ) \ MASKTEST_OBJ = torture/masktest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ $(LIB_NONSMBD_OBJ) \ - $(LIBNDR_GEN_OBJ0) $(ZLIB_LIBS) + $(LIBNDR_GEN_OBJ0) MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ $(LIB_NONSMBD_OBJ) \ @@ -929,7 +940,7 @@ MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ LOCKTEST_OBJ = torture/locktest.o $(PARAM_OBJ) $(LOCKING_OBJ) $(KRBCLIENT_OBJ) \ $(LIBSMB_OBJ) $(LIB_NONSMBD_OBJ) \ - $(LIBNDR_GEN_OBJ0) $(ZLIB_LIBS) + $(LIBNDR_GEN_OBJ0) NSSTEST_OBJ = torture/nsstest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ $(LIB_NONSMBD_OBJ) \ @@ -948,7 +959,7 @@ LOG2PCAP_OBJ = utils/log2pcaphex.o LOCKTEST2_OBJ = torture/locktest2.o $(PARAM_OBJ) $(LOCKING_OBJ) $(LIBSMB_OBJ) \ $(KRBCLIENT_OBJ) $(LIB_NONSMBD_OBJ) \ - $(LIBNDR_GEN_OBJ0) $(ZLIB_LIBS) + $(LIBNDR_GEN_OBJ0) SMBCACLS_OBJ = utils/smbcacls.o $(PARAM_OBJ) $(LIBSMB_OBJ) \ $(KRBCLIENT_OBJ) $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) \ @@ -1156,7 +1167,8 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.o \ # now the rules... ###################################################################### all:: SHOWFLAGS basics libs $(SBIN_PROGS) $(BIN_PROGS) $(ROOT_SBIN_PROGS) \ - $(MODULES) $(NSS_MODULES) $(PAM_MODULES) @EXTRA_ALL_TARGETS@ + $(MODULES) $(NSS_MODULES) $(PAM_MODULES) @CIFSUPCALL_PROGS@ \ + $(EXTRA_ALL_TARGETS) basics:: @@ -1219,14 +1231,18 @@ samba3-idl:: ../librpc/idl/initshutdown.idl ../librpc/idl/srvsvc.idl ../librpc/idl/svcctl.idl \ ../librpc/idl/eventlog.idl ../librpc/idl/wkssvc.idl ../librpc/idl/netlogon.idl \ ../librpc/idl/notify.idl ../librpc/idl/epmapper.idl librpc/idl/messaging.idl \ - ../librpc/idl/xattr.idl ../librpc/idl/misc.idl librpc/idl/samr.idl \ + ../librpc/idl/xattr.idl ../librpc/idl/misc.idl ../librpc/idl/samr.idl \ ../librpc/idl/security.idl ../librpc/idl/dssetup.idl ../librpc/idl/krb5pac.idl \ ../librpc/idl/ntsvcs.idl librpc/idl/libnetapi.idl ../librpc/idl/drsuapi.idl \ - ../librpc/idl/drsblobs.idl ../librpc/idl/nbt.idl + ../librpc/idl/drsblobs.idl ../librpc/idl/nbt.idl \ + ../librpc/idl/named_pipe_auth.idl librpc/idl/dom_sid.idl + @$(MAKE) ndr-tables + +NDR_TABLES = librpc/gen_ndr/tables.c -librpc/gen_ndr/tables.c:: librpc/gen_ndr/*.h - @echo "Generating $@" - @$(PERL) ../librpc/tables.pl $^ > $@ +ndr-tables:: librpc/gen_ndr/*.h + @echo "Generating $(NDR_TABLES)" + @$(PERL) ../librpc/tables.pl $^ > $(NDR_TABLES) ##################################################################### @@ -1304,6 +1320,13 @@ dynconfig.o: dynconfig.c Makefile echo "$(COMPILE_CC_PATH)" 1>&2;\ $(COMPILE_CC_PATH) >/dev/null 2>&1 +localedir.o: localedir.c Makefile + @echo Compiling $*.c + @$(COMPILE_CC_PATH) && exit 0;\ + echo "The following command failed:" 1>&2;\ + echo "$(COMPILE_CC_PATH)" 1>&2;\ + $(COMPILE_CC_PATH) >/dev/null 2>&1 + lib/pidfile.o: lib/pidfile.c @echo Compiling $*.c @$(COMPILE_CC_PATH) && exit 0;\ @@ -2453,6 +2476,14 @@ bin/smb_traffic_analyzer.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_SMB_TRAFFIC_ANALYZE @echo "Building plugin $@" @$(SHLD_MODULE) $(VFS_SMB_TRAFFIC_ANALYZER_OBJ) +bin/acl_tdb.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_ACL_TDB_OBJ) + @echo "Building plugin $@" + @$(SHLD_MODULE) $(VFS_ACL_TDB_OBJ) + +bin/onefs.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_ONEFS_OBJ) + @echo "Building plugin $@" + @$(SHLD_MODULE) $(VFS_ONEFS_OBJ) @ONEFS_LIBS@ + bin/registry.@SHLIBEXT@: $(BINARY_PREREQS) libgpo/gpext/registry.o @echo "Building plugin $@" @$(SHLD_MODULE) libgpo/gpext/registry.o @@ -2546,7 +2577,7 @@ bin/test_lp_load@EXEEXT@: $(BINARY_PREREQS) $(TEST_LP_LOAD_OBJ) @BUILD_POPT@ @LI install:: installservers installbin @INSTALL_CIFSMOUNT@ @INSTALL_CIFSUPCALL@ installman \ installscripts installdat installmodules @SWAT_INSTALL_TARGETS@ \ - @INSTALL_PAM_MODULES@ installlibs + @INSTALL_PAM_MODULES@ installlibs installmo install-everything:: install installmodules @@ -2559,7 +2590,7 @@ install-everything:: install installmodules # is not used installdirs:: - @$(SHELL) $(srcdir)/script/installdirs.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(BINDIR) $(SBINDIR) $(LIBDIR) $(VARDIR) $(PRIVATEDIR) $(PIDDIR) $(LOCKDIR) $(MANDIR) $(CODEPAGEDIR) $(MODULESDIR) + @$(SHELL) $(srcdir)/script/installdirs.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(BINDIR) $(SBINDIR) $(LIBDIR) $(VARDIR) $(PRIVATEDIR) $(PIDDIR) $(LOCKDIR) $(MANDIR) $(CODEPAGEDIR) $(MODULESDIR) $(LOCALEDIR) installservers:: all installdirs @$(SHELL) script/installbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(SBINDIR) $(SBIN_PROGS) @@ -2625,6 +2656,9 @@ revert:: installman:: installdirs @$(SHELL) $(srcdir)/script/installman.sh $(DESTDIR)$(MANDIR) $(srcdir) C "@ROFF@" +installmo:: all installdirs + @$(SHELL) $(srcdir)/script/installmo.sh $(DESTDIR) $(LOCALEDIR) $(srcdir) + .PHONY: showlayout showlayout:: @@ -2644,7 +2678,10 @@ showlayout:: @echo " codepagedir: $(CODEPAGEDIR)" -uninstall:: uninstallman uninstallservers uninstallbin @UNINSTALL_CIFSMOUNT@ @UNINSTALL_CIFSUPCALL@ uninstallscripts uninstalldat uninstallswat uninstallmodules uninstalllibs @UNINSTALL_PAM_MODULES@ +uninstall:: uninstallmo uninstallman uninstallservers uninstallbin @UNINSTALL_CIFSMOUNT@ @UNINSTALL_CIFSUPCALL@ uninstallscripts uninstalldat uninstallswat uninstallmodules uninstalllibs @UNINSTALL_PAM_MODULES@ + +uninstallmo:: + @$(SHELL) $(srcdir)/script/uninstallmo.sh $(DESTDIR) $(LOCALEDIR) $(srcdir) uninstallman:: @$(SHELL) $(srcdir)/script/uninstallman.sh $(DESTDIR)$(MANDIR) $(srcdir) C @@ -2689,7 +2726,7 @@ uninstallpammodules:: done # Toplevel clean files -TOPFILES=dynconfig.o +TOPFILES=dynconfig.o localedir.o cleanlibs:: -rm -f ../lib/*/*.o ../lib/*/*/*.o \ @@ -2759,7 +2796,7 @@ etags:: etags --append `find $(srcdir)/../source4/dsdb -name "*.[ch]"` ctags:: - ctags `find $(srcdir)/.. -name "*.[ch]"` + ctags `find $(srcdir)/.. -name "*.[ch]" | grep -v include/proto\.h` realclean:: clean -rm -f config.log bin/.dummy script/findsmb script/gen-8bit-gap.sh @@ -2835,7 +2872,7 @@ test_pam_modules:: pam_modules ## test:: all torture timelimit @echo Running Test suite - @LIB_PATH_VAR=$(LIB_PATH_VAR) PERL="$(PERL)" $(srcdir)/script/tests/selftest.sh ${selftest_prefix} all "${smbtorture4_path}" + @LIB_PATH_VAR=$(LIB_PATH_VAR) PERL="$(PERL)" $(srcdir)/script/tests/selftest.sh ${selftest_prefix} all "${smbtorture4_path}" ${selftest_shrdir} valgrindtest:: all torture timelimit @echo Running Test suite with valgrind diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 7f95656bef..505098c76a 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -469,13 +469,13 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { case SEC_DOMAIN: DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = str_list_make( + auth_method_list = str_list_make_v3( talloc_tos(), "guest sam winbind:ntdomain", NULL); break; case SEC_SERVER: DEBUG(5,("Making default auth method list for security=server\n")); - auth_method_list = str_list_make( + auth_method_list = str_list_make_v3( talloc_tos(), "guest sam smbserver", NULL); break; @@ -483,36 +483,36 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) if (lp_encrypted_passwords()) { if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) { DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n")); - auth_method_list = str_list_make( + auth_method_list = str_list_make_v3( talloc_tos(), "guest sam winbind:trustdomain", NULL); } else { DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n")); - auth_method_list = str_list_make( + auth_method_list = str_list_make_v3( talloc_tos(), "guest sam", NULL); } } else { DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n")); - auth_method_list = str_list_make( + auth_method_list = str_list_make_v3( talloc_tos(), "guest unix", NULL); } break; case SEC_SHARE: if (lp_encrypted_passwords()) { DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n")); - auth_method_list = str_list_make( + auth_method_list = str_list_make_v3( talloc_tos(), "guest sam", NULL); } else { DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n")); - auth_method_list = str_list_make( + auth_method_list = str_list_make_v3( talloc_tos(), "guest unix", NULL); } break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = str_list_make( + auth_method_list = str_list_make_v3( talloc_tos(), "guest sam winbind:ntdomain", NULL); break; diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index e739fdaabe..28d6601b5f 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -77,7 +77,7 @@ bool nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) NT_USER_TOKEN *get_root_nt_token( void ) { - struct nt_user_token *token = NULL; + struct nt_user_token *token, *for_cache; DOM_SID u_sid, g_sid; struct passwd *pw; void *cache_data; @@ -102,14 +102,16 @@ NT_USER_TOKEN *get_root_nt_token( void ) uid_to_sid(&u_sid, pw->pw_uid); gid_to_sid(&g_sid, pw->pw_gid); - token = create_local_nt_token(NULL, &u_sid, False, + token = create_local_nt_token(talloc_autofree_context(), &u_sid, False, 1, &global_sid_Builtin_Administrators); token->privileges = se_disk_operators; + for_cache = token; + memcache_add_talloc( NULL, SINGLETON_CACHE_TALLOC, - data_blob_string_const_null("root_nt_token"), token); + data_blob_string_const_null("root_nt_token"), &for_cache); return token; } diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c index 2a9c2b7304..da2f98bff8 100644 --- a/source3/client/mount.cifs.c +++ b/source3/client/mount.cifs.c @@ -39,9 +39,10 @@ #include <mntent.h> #include <fcntl.h> #include <limits.h> +#include "mount.h" #define MOUNT_CIFS_VERSION_MAJOR "1" -#define MOUNT_CIFS_VERSION_MINOR "11" +#define MOUNT_CIFS_VERSION_MINOR "12" #ifndef MOUNT_CIFS_VENDOR_SUFFIX #ifdef _SAMBA_BUILD_ @@ -79,15 +80,6 @@ #define MOUNT_PASSWD_SIZE 64 #define DOMAIN_SIZE 64 -/* exit status - bits below are ORed */ -#define EX_USAGE 1 /* incorrect invocation or permission */ -#define EX_SYSERR 2 /* out of memory, cannot fork, ... */ -#define EX_SOFTWARE 4 /* internal mount bug or wrong version */ -#define EX_USER 8 /* user interrupt */ -#define EX_FILEIO 16 /* problems writing, locking, ... mtab/fstab */ -#define EX_FAIL 32 /* mount failure */ -#define EX_SOMEOK 64 /* some mount succeeded */ - const char *thisprogram; int verboseflag = 0; static int got_password = 0; @@ -1424,48 +1416,57 @@ mount_retry: printf("Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)\n"); rc = EX_FAIL; } else { + atexit(unlock_mtab); + rc = lock_mtab(); + if (rc) { + printf("cannot lock mtab"); + goto mount_exit; + } pmntfile = setmntent(MOUNTED, "a+"); - if(pmntfile) { - mountent.mnt_fsname = dev_name; - mountent.mnt_dir = mountpoint; - mountent.mnt_type = CONST_DISCARD(char *,"cifs"); - mountent.mnt_opts = (char *)malloc(220); - if(mountent.mnt_opts) { - char * mount_user = getusername(); - memset(mountent.mnt_opts,0,200); - if(flags & MS_RDONLY) - strlcat(mountent.mnt_opts,"ro",220); - else - strlcat(mountent.mnt_opts,"rw",220); - if(flags & MS_MANDLOCK) - strlcat(mountent.mnt_opts,",mand",220); - if(flags & MS_NOEXEC) - strlcat(mountent.mnt_opts,",noexec",220); - if(flags & MS_NOSUID) - strlcat(mountent.mnt_opts,",nosuid",220); - if(flags & MS_NODEV) - strlcat(mountent.mnt_opts,",nodev",220); - if(flags & MS_SYNCHRONOUS) - strlcat(mountent.mnt_opts,",synch",220); - if(mount_user) { - if(getuid() != 0) { - strlcat(mountent.mnt_opts,",user=",220); - strlcat(mountent.mnt_opts,mount_user,220); - } - /* free(mount_user); do not free static mem */ - } - } - mountent.mnt_freq = 0; - mountent.mnt_passno = 0; - rc = addmntent(pmntfile,&mountent); - endmntent(pmntfile); - SAFE_FREE(mountent.mnt_opts); - if (rc) - rc = EX_FILEIO; - } else { + if (!pmntfile) { printf("could not update mount table\n"); + unlock_mtab(); rc = EX_FILEIO; + goto mount_exit; } + mountent.mnt_fsname = dev_name; + mountent.mnt_dir = mountpoint; + mountent.mnt_type = CONST_DISCARD(char *,"cifs"); + mountent.mnt_opts = (char *)malloc(220); + if(mountent.mnt_opts) { + char * mount_user = getusername(); + memset(mountent.mnt_opts,0,200); + if(flags & MS_RDONLY) + strlcat(mountent.mnt_opts,"ro",220); + else + strlcat(mountent.mnt_opts,"rw",220); + if(flags & MS_MANDLOCK) + strlcat(mountent.mnt_opts,",mand",220); + if(flags & MS_NOEXEC) + strlcat(mountent.mnt_opts,",noexec",220); + if(flags & MS_NOSUID) + strlcat(mountent.mnt_opts,",nosuid",220); + if(flags & MS_NODEV) + strlcat(mountent.mnt_opts,",nodev",220); + if(flags & MS_SYNCHRONOUS) + strlcat(mountent.mnt_opts,",sync",220); + if(mount_user) { + if(getuid() != 0) { + strlcat(mountent.mnt_opts, + ",user=", 220); + strlcat(mountent.mnt_opts, + mount_user, 220); + } + } + } + mountent.mnt_freq = 0; + mountent.mnt_passno = 0; + rc = addmntent(pmntfile,&mountent); + endmntent(pmntfile); + unlock_mtab(); + SAFE_FREE(mountent.mnt_opts); + if (rc) + rc = EX_FILEIO; } mount_exit: if(mountpassword) { diff --git a/source3/client/mount.h b/source3/client/mount.h new file mode 100644 index 0000000000..23ea4f0cbd --- /dev/null +++ b/source3/client/mount.h @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2008 Jeff Layton (jlayton@samba.org) + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +/* most of this info was taken from the util-linux-ng sources */ + +#ifndef _MOUNT_H_ +#define _MOUNT_H_ + +/* exit status - bits below are ORed */ +#define EX_USAGE 1 /* incorrect invocation or permission */ +#define EX_SYSERR 2 /* out of memory, cannot fork, ... */ +#define EX_SOFTWARE 4 /* internal mount bug or wrong version */ +#define EX_USER 8 /* user interrupt */ +#define EX_FILEIO 16 /* problems writing, locking, ... mtab/fstab */ +#define EX_FAIL 32 /* mount failure */ +#define EX_SOMEOK 64 /* some mount succeeded */ + +#define _PATH_MOUNTED_LOCK _PATH_MOUNTED "~" +#define _PATH_MOUNTED_TMP _PATH_MOUNTED ".tmp" + +extern int lock_mtab(void); +extern void unlock_mtab(void); + +#endif /* ! _MOUNT_H_ */ diff --git a/source3/client/mtab.c b/source3/client/mtab.c new file mode 100644 index 0000000000..93fbd11359 --- /dev/null +++ b/source3/client/mtab.c @@ -0,0 +1,219 @@ +/* + * mtab locking routines for use with mount.cifs and umount.cifs + * Copyright (C) 2008 Jeff Layton (jlayton@samba.org) + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +/* + * This code was copied from the util-linux-ng sources and modified: + * + * git://git.kernel.org/pub/scm/utils/util-linux-ng/util-linux-ng.git + * + * ...specifically from mount/fstab.c. That file has no explicit license. The + * "default" license for anything in that tree is apparently GPLv2+, so I + * believe we're OK to copy it here. + * + * Jeff Layton <jlayton@samba.org> + */ + +#include <unistd.h> +#include <errno.h> +#include <stdio.h> +#include <sys/time.h> +#include <time.h> +#include <fcntl.h> +#include <mntent.h> +#include <stdlib.h> +#include <signal.h> +#include "mount.h" + + +/* Updating mtab ----------------------------------------------*/ + +/* Flag for already existing lock file. */ +static int we_created_lockfile = 0; +static int lockfile_fd = -1; + +/* Flag to indicate that signals have been set up. */ +static int signals_have_been_setup = 0; + +static void +handler (int sig) { + exit(EX_USER); +} + +static void +setlkw_timeout (int sig) { + /* nothing, fcntl will fail anyway */ +} + +/* Remove lock file. */ +void +unlock_mtab (void) { + if (we_created_lockfile) { + close(lockfile_fd); + lockfile_fd = -1; + unlink (_PATH_MOUNTED_LOCK); + we_created_lockfile = 0; + } +} + +/* Create the lock file. + The lock file will be removed if we catch a signal or when we exit. */ +/* The old code here used flock on a lock file /etc/mtab~ and deleted + this lock file afterwards. However, as rgooch remarks, that has a + race: a second mount may be waiting on the lock and proceed as + soon as the lock file is deleted by the first mount, and immediately + afterwards a third mount comes, creates a new /etc/mtab~, applies + flock to that, and also proceeds, so that the second and third mount + now both are scribbling in /etc/mtab. + The new code uses a link() instead of a creat(), where we proceed + only if it was us that created the lock, and hence we always have + to delete the lock afterwards. Now the use of flock() is in principle + superfluous, but avoids an arbitrary sleep(). */ + +/* Where does the link point to? Obvious choices are mtab and mtab~~. + HJLu points out that the latter leads to races. Right now we use + mtab~.<pid> instead. Use 20 as upper bound for the length of %d. */ +#define MOUNTLOCK_LINKTARGET _PATH_MOUNTED_LOCK "%d" +#define MOUNTLOCK_LINKTARGET_LTH (sizeof(_PATH_MOUNTED_LOCK)+20) + +/* + * The original mount locking code has used sleep(1) between attempts and + * maximal number of attemps has been 5. + * + * There was very small number of attempts and extremely long waiting (1s) + * that is useless on machines with large number of concurret mount processes. + * + * Now we wait few thousand microseconds between attempts and we have global + * time limit (30s) rather than limit for number of attempts. The advantage + * is that this method also counts time which we spend in fcntl(F_SETLKW) and + * number of attempts is not so much restricted. + * + * -- kzak@redhat.com [2007-Mar-2007] + */ + +/* maximum seconds between first and last attempt */ +#define MOUNTLOCK_MAXTIME 30 + +/* sleep time (in microseconds, max=999999) between attempts */ +#define MOUNTLOCK_WAITTIME 5000 + +int +lock_mtab (void) { + int i; + struct timespec waittime; + struct timeval maxtime; + char linktargetfile[MOUNTLOCK_LINKTARGET_LTH]; + + if (!signals_have_been_setup) { + int sig = 0; + struct sigaction sa; + + sa.sa_handler = handler; + sa.sa_flags = 0; + sigfillset (&sa.sa_mask); + + while (sigismember (&sa.sa_mask, ++sig) != -1 + && sig != SIGCHLD) { + if (sig == SIGALRM) + sa.sa_handler = setlkw_timeout; + else + sa.sa_handler = handler; + sigaction (sig, &sa, (struct sigaction *) 0); + } + signals_have_been_setup = 1; + } + + sprintf(linktargetfile, MOUNTLOCK_LINKTARGET, getpid ()); + + i = open (linktargetfile, O_WRONLY|O_CREAT, S_IRUSR|S_IWUSR); + if (i < 0) { + /* linktargetfile does not exist (as a file) + and we cannot create it. Read-only filesystem? + Too many files open in the system? + Filesystem full? */ + return EX_FILEIO; + } + close(i); + + gettimeofday(&maxtime, NULL); + maxtime.tv_sec += MOUNTLOCK_MAXTIME; + + waittime.tv_sec = 0; + waittime.tv_nsec = (1000 * MOUNTLOCK_WAITTIME); + + /* Repeat until it was us who made the link */ + while (!we_created_lockfile) { + struct timeval now; + struct flock flock; + int errsv, j; + + j = link(linktargetfile, _PATH_MOUNTED_LOCK); + errsv = errno; + + if (j == 0) + we_created_lockfile = 1; + + if (j < 0 && errsv != EEXIST) { + (void) unlink(linktargetfile); + return EX_FILEIO; + } + + lockfile_fd = open (_PATH_MOUNTED_LOCK, O_WRONLY); + + if (lockfile_fd < 0) { + /* Strange... Maybe the file was just deleted? */ + gettimeofday(&now, NULL); + if (errno == ENOENT && now.tv_sec < maxtime.tv_sec) { + we_created_lockfile = 0; + continue; + } + (void) unlink(linktargetfile); + return EX_FILEIO; + } + + flock.l_type = F_WRLCK; + flock.l_whence = SEEK_SET; + flock.l_start = 0; + flock.l_len = 0; + + if (j == 0) { + /* We made the link. Now claim the lock. If we can't + * get it, continue anyway + */ + fcntl (lockfile_fd, F_SETLK, &flock); + (void) unlink(linktargetfile); + } else { + /* Someone else made the link. Wait. */ + gettimeofday(&now, NULL); + if (now.tv_sec < maxtime.tv_sec) { + alarm(maxtime.tv_sec - now.tv_sec); + if (fcntl (lockfile_fd, F_SETLKW, &flock) == -1) { + (void) unlink(linktargetfile); + return EX_FILEIO; + } + alarm(0); + nanosleep(&waittime, NULL); + } else { + (void) unlink(linktargetfile); + return EX_FILEIO; + } + close(lockfile_fd); + } + } + return 0; +} + diff --git a/source3/client/umount.cifs.c b/source3/client/umount.cifs.c index 3e2415ad00..aff7cea397 100644 --- a/source3/client/umount.cifs.c +++ b/source3/client/umount.cifs.c @@ -33,9 +33,10 @@ #include <errno.h> #include <string.h> #include <mntent.h> +#include "mount.h" #define UNMOUNT_CIFS_VERSION_MAJOR "0" -#define UNMOUNT_CIFS_VERSION_MINOR "5" +#define UNMOUNT_CIFS_VERSION_MINOR "6" #ifndef UNMOUNT_CIFS_VENDOR_SUFFIX #ifdef _SAMBA_BUILD_ @@ -137,24 +138,6 @@ static int umount_check_perm(char * dir) return rc; } -static int lock_mtab(void) -{ - int rc; - - rc = mknod(MOUNTED_LOCK , 0600, 0); - if(rc == -1) - printf("\ngetting lock file %s failed with %s\n",MOUNTED_LOCK, - strerror(errno)); - - return rc; - -} - -static void unlock_mtab(void) -{ - unlink(MOUNTED_LOCK); -} - static int remove_from_mtab(char * mountpoint) { int rc; @@ -168,6 +151,7 @@ static int remove_from_mtab(char * mountpoint) /* Do we first need to check if it is writable? */ + atexit(unlock_mtab); if (lock_mtab()) { printf("Mount table locked\n"); return -EACCES; diff --git a/source3/configure.in b/source3/configure.in index 0aeefe4180..40e78e89d9 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -399,7 +399,7 @@ dnl These have to be built static: default_static_modules="pdb_smbpasswd pdb_tdbsam rpc_lsarpc rpc_samr rpc_winreg rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl2 rpc_ntsvcs2 rpc_netlogon rpc_netdfs rpc_srvsvc rpc_spoolss rpc_eventlog2 auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin auth_netlogond vfs_default nss_info_template" dnl These are preferably build shared, and static if dlopen() is not available -default_shared_modules="vfs_recycle vfs_audit vfs_extd_audit vfs_full_audit vfs_netatalk vfs_fake_perms vfs_default_quota vfs_readonly vfs_cap vfs_expand_msdfs vfs_shadow_copy vfs_shadow_copy2 charset_CP850 charset_CP437 auth_script vfs_readahead vfs_xattr_tdb vfs_streams_xattr vfs_acl_xattr vfs_smb_traffic_analyzer" +default_shared_modules="vfs_recycle vfs_audit vfs_extd_audit vfs_full_audit vfs_netatalk vfs_fake_perms vfs_default_quota vfs_readonly vfs_cap vfs_expand_msdfs vfs_shadow_copy vfs_shadow_copy2 charset_CP850 charset_CP437 auth_script vfs_readahead vfs_xattr_tdb vfs_streams_xattr vfs_streams_depot vfs_acl_xattr vfs_acl_tdb vfs_smb_traffic_analyzer" if test "x$developer" = xyes; then default_static_modules="$default_static_modules rpc_rpcecho" @@ -654,7 +654,7 @@ AUTH_LIBS="${AUTH_LIBS} ${CRYPT_LIBS}" AC_CHECK_HEADERS(aio.h sys/fcntl.h sys/select.h fcntl.h sys/time.h sys/unistd.h rpc/nettype.h) AC_CHECK_HEADERS(unistd.h grp.h sys/id.h memory.h alloca.h) -AC_CHECK_HEADERS(limits.h float.h pthread.h) +AC_CHECK_HEADERS(limits.h float.h pthread.h libintl.h) AC_CHECK_HEADERS(rpc/rpc.h rpcsvc/nis.h rpcsvc/ypclnt.h) AC_CHECK_HEADERS(sys/param.h ctype.h sys/wait.h sys/resource.h sys/ioctl.h sys/ipc.h sys/prctl.h) AC_CHECK_HEADERS(sys/mman.h sys/filio.h sys/priv.h sys/shm.h string.h strings.h stdlib.h) @@ -1029,9 +1029,12 @@ AC_CHECK_FUNCS(memalign posix_memalign hstrerror) AC_CHECK_HEADERS(sys/mman.h) # setbuffer, shmget, shm_open are needed for smbtorture AC_CHECK_FUNCS(shmget shm_open) +AC_CHECK_FUNCS(gettext dgettext) # Find a method of generating a stack trace AC_CHECK_HEADERS(execinfo.h libexc.h libunwind.h) +# libexecinfo provides backtrace_symbols on FreeBSD +AC_SEARCH_LIBS(backtrace_symbols, [execinfo]) AC_CHECK_FUNCS(backtrace_symbols) AC_CHECK_LIB(exc, trace_back_stack) @@ -1049,6 +1052,24 @@ if test x"$samba_cv_HAVE_GPFS" = x"yes"; then fi LIBS="$save_LIBS" +############################################# +# check if building on Isilon OneFS +printf "%s" "checking for Isilon OneFS... " +save_LIBS="$LIBS" +LIBS="$LIBS -lisi_version" +AC_TRY_LINK([#include <isi_version/isi_version.h>], + [get_isilon_copyright()], + samba_cv_HAVE_ONEFS=yes, + samba_cv_HAVE_ONEFS=no) +echo $samba_cv_HAVE_ONEFS +if test x"$samba_cv_HAVE_ONEFS" = x"yes"; then + AC_DEFINE(HAVE_ONEFS,1,[Whether building on Isilon OneFS]) + default_shared_modules="$default_shared_modules vfs_onefs" + ONEFS_LIBS="-lisi_acl" +fi +AC_SUBST(ONEFS_LIBS) +LIBS="$save_LIBS" + # Note that all the libunwind symbols in the API are defined to internal # platform-specific version, so we must include libunwind.h before checking # any of them. @@ -1433,6 +1454,25 @@ if test x"$samba_cv_stat_st_birthtime" = x"yes" ; then AC_DEFINE(HAVE_STAT_ST_BIRTHTIME, 1, [whether struct stat contains st_birthtime]) fi +AC_CACHE_CHECK([whether there is DOS flags support in the stat struct], samba_cv_stat_dos_flags, + [ + AC_TRY_COMPILE( + [#include <sys/stat.h>], + [ + int a = UF_DOS_ARCHIVE; + int h = UF_DOS_HIDDEN; + int r = UF_DOS_RO; + int s = UF_DOS_SYSTEM; + int i = UF_DOS_NOINDEX; + int f = UF_DOS_FLAGS; + ], + samba_cv_stat_dos_flags=yes, samba_cv_stat_dos_flags=no) + ]) + +if test x"$samba_cv_stat_dos_flags" = x"yes" ; then + AC_DEFINE(HAVE_STAT_DOS_FLAGS, 1, [whether there is DOS flags support in the stat struct]) +fi + ##################################### # needed for SRV lookups AC_CHECK_LIB(resolv, dn_expand) @@ -4347,6 +4387,22 @@ AC_ARG_WITH(syslog, ) ################################################# +# check for custom syslog facility +AC_MSG_CHECKING(whether to use a custom syslog facility) +AC_ARG_WITH(syslog-facility, +[AS_HELP_STRING([--with-syslog-facility], [Use a custom syslog facility (default=none)])], +[ + if test "$withval" = "no" ; then + AC_MSG_ERROR([argument to --with-syslog-facility must be a string]) + else + if test "$withval" != "yes" ; then + syslog_facility="$withval" + AC_DEFINE_UNQUOTED(SYSLOG_FACILITY,$syslog_facility, [syslog facility to log to]) + fi + fi +]) + +################################################# # check for experimental disk-quotas support samba_cv_WITH_QUOTAS=auto @@ -6087,7 +6143,9 @@ SMB_MODULE(vfs_syncops, \$(VFS_SYNCOPS_OBJ), "bin/syncops.$SHLIBEXT", VFS) SMB_MODULE(vfs_zfsacl, \$(VFS_ZFSACL_OBJ), "bin/zfsacl.$SHLIBEXT", VFS) SMB_MODULE(vfs_notify_fam, \$(VFS_NOTIFY_FAM_OBJ), "bin/notify_fam.$SHLIBEXT", VFS) SMB_MODULE(vfs_acl_xattr, \$(VFS_ACL_XATTR_OBJ), "bin/acl_xattr.$SHLIBEXT", VFS) +SMB_MODULE(vfs_acl_tdb, \$(VFS_ACL_TDB_OBJ), "bin/acl_tdb.$SHLIBEXT", VFS) SMB_MODULE(vfs_smb_traffic_analyzer, \$(VFS_SMB_TRAFFIC_ANALYZER_OBJ), "bin/smb_traffic_analyzer.$SHLIBEXT", VFS) +SMB_MODULE(vfs_onefs, \$(VFS_ONEFS), "bin/onefs.$SHLIBEXT", VFS) SMB_SUBSYSTEM(VFS,smbd/vfs.o) @@ -6233,7 +6291,7 @@ AC_ZLIB([ZLIB_OBJS=""], [ do ZLIB_OBJS="$ZLIB_OBJS ../lib/zlib/$o" done - CFLAGS="$CFLAGS -I../lib/zlib" + CFLAGS="-I../lib/zlib $CFLAGS" ]) dnl Remove -L/usr/lib/? from LDFLAGS and LIBS diff --git a/source3/include/eventlog.h b/source3/include/eventlog.h new file mode 100644 index 0000000000..16affe3313 --- /dev/null +++ b/source3/include/eventlog.h @@ -0,0 +1,41 @@ +/* + * Unix SMB/CIFS implementation. + * RPC Pipe client / server routines + * Copyright (C) Marcin Krzysztof Porwit 2005. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +/* Defines for TDB keys */ +#define EVT_OLDEST_ENTRY "INFO/oldest_entry" +#define EVT_NEXT_RECORD "INFO/next_record" +#define EVT_VERSION "INFO/version" +#define EVT_MAXSIZE "INFO/maxsize" +#define EVT_RETENTION "INFO/retention" + +#define ELOG_APPL "Application" +#define ELOG_SYS "System" +#define ELOG_SEC "Security" + +typedef struct elog_tdb { + struct elog_tdb *prev, *next; + char *name; + TDB_CONTEXT *tdb; + int ref_count; +} ELOG_TDB; + +#define ELOG_TDB_CTX(x) ((x)->tdb) + + +#define EVENTLOG_DATABASE_VERSION_V1 1 diff --git a/source3/include/includes.h b/source3/include/includes.h index 4399c734d0..38d6ec06b9 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -654,6 +654,7 @@ struct smb_iconv_convenience *lp_iconv_convenience(void *lp_ctx); #include "async_smb.h" #include "async_sock.h" #include "services.h" +#include "eventlog.h" #include "lib/smbconf/smbconf.h" diff --git a/source3/include/localedir.h b/source3/include/localedir.h new file mode 100644 index 0000000000..2a291d3ceb --- /dev/null +++ b/source3/include/localedir.h @@ -0,0 +1,6 @@ +#ifndef __LOCALEDIR_H__ +#define __LOCALEDIR_H__ + +extern const char *dyn_LOCALEDIR; + +#endif diff --git a/source3/include/nss_info.h b/source3/include/nss_info.h index e756136b76..0224be099f 100644 --- a/source3/include/nss_info.h +++ b/source3/include/nss_info.h @@ -66,10 +66,12 @@ struct nss_info_methods { TALLOC_CTX *ctx, ADS_STRUCT *ads, LDAPMessage *msg, char **homedir, char **shell, char **gecos, gid_t *p_gid); - NTSTATUS (*map_to_alias)( TALLOC_CTX *mem_ctx, const char *domain, - const char *name, char **alias ); - NTSTATUS (*map_from_alias)( TALLOC_CTX *mem_ctx, const char *domain, - const char *alias, char **name ); + NTSTATUS (*map_to_alias)(TALLOC_CTX *mem_ctx, + struct nss_domain_entry *e, + const char *name, char **alias); + NTSTATUS (*map_from_alias)(TALLOC_CTX *mem_ctx, + struct nss_domain_entry *e, + const char *alias, char **name); NTSTATUS (*close_fn)( void ); }; diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h index e6c97c69dc..cc99ad74c2 100644 --- a/source3/include/ntdomain.h +++ b/source3/include/ntdomain.h @@ -5,17 +5,17 @@ Copyright (C) Luke Kenneth Casson Leighton 1996-1997 Copyright (C) Paul Ashton 1997 Copyright (C) Jeremy Allison 2000-2004 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -27,7 +27,7 @@ * A bunch of stuff that was put into smb.h * in the NTDOM branch - it didn't belong there. */ - + typedef struct _prs_struct { bool io; /* parsing in or out of data stream */ /* @@ -138,7 +138,7 @@ struct dcinfo { struct netr_Credential seed_chal; struct netr_Credential clnt_chal; /* Client credential */ struct netr_Credential srv_chal; /* Server credential */ - + unsigned char sess_key[16]; /* Session key - 8 bytes followed by 8 zero bytes */ unsigned char mach_pw[16]; /* md4(machine password) */ @@ -154,13 +154,13 @@ struct dcinfo { typedef struct pipe_rpc_fns { struct pipe_rpc_fns *next, *prev; - + /* RPC function table associated with the current rpc_bind (associated by context) */ - + const struct api_struct *cmds; int n_cmds; uint32 context_id; - + } PIPE_RPC_FNS; /* @@ -217,12 +217,12 @@ typedef struct pipes_struct { fstring name; fstring pipe_srv_name; - + /* linked list of rpc dispatch tables associated with the open rpc contexts */ - + PIPE_RPC_FNS *contexts; - + RPC_HDR hdr; /* Incoming RPC header. */ RPC_HDR_REQ hdr_req; /* Incoming request header. */ @@ -231,21 +231,15 @@ typedef struct pipes_struct { struct dcinfo *dc; /* Keeps the creds data from netlogon. */ /* - * Unix user name and credentials used when a pipe is authenticated. - */ - - struct current_user pipe_user; - - /* * Set to true when an RPC bind has been done on this pipe. */ - + bool pipe_bound; - + /* * Set to true when we should return fault PDU's for everything. */ - + bool fault_state; /* @@ -259,13 +253,13 @@ typedef struct pipes_struct { */ bool rng_fault_state; - + /* * Set to RPC_BIG_ENDIAN when dealing with big-endian PDU's */ - + bool endian; - + /* * Struct to deal with multiple pdu inputs. */ diff --git a/source3/include/ntlmssp.h b/source3/include/ntlmssp.h index b014b2170c..55b9249ea7 100644 --- a/source3/include/ntlmssp.h +++ b/source3/include/ntlmssp.h @@ -77,7 +77,6 @@ enum NTLM_MESSAGE_TYPE typedef struct ntlmssp_state { - TALLOC_CTX *mem_ctx; unsigned int ref_count; enum NTLMSSP_ROLE role; enum server_types server_role; @@ -98,9 +97,9 @@ typedef struct ntlmssp_state DATA_BLOB lm_resp; DATA_BLOB nt_resp; DATA_BLOB session_key; - + uint32 neg_flags; /* the current state of negotiation with the NTLMSSP partner */ - + void *auth_context; /** @@ -171,5 +170,4 @@ typedef struct ntlmssp_state response in at the time we want to process it. Store it here, until we need it */ DATA_BLOB stored_response; - } NTLMSSP_STATE; diff --git a/source3/include/passdb.h b/source3/include/passdb.h index 360a0d0444..744b723c83 100644 --- a/source3/include/passdb.h +++ b/source3/include/passdb.h @@ -23,16 +23,6 @@ #ifndef _PASSDB_H #define _PASSDB_H - -/* - * in samba4 idl - * ACCT_NT_PWD_SET == SAMR_FIELD_PASSWORD and - * ACCT_LM_PWD_SET == SAMR_FIELD_PASSWORD2 - */ - -#define ACCT_NT_PWD_SET 0x01000000 -#define ACCT_LM_PWD_SET 0x02000000 - /* * bit flags representing initialized fields in struct samu */ diff --git a/source3/include/proto.h b/source3/include/proto.h index ac55a67c19..f2bbb07f92 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1251,6 +1251,7 @@ char *procid_str_static(const struct server_id *pid); bool procid_valid(const struct server_id *pid); bool procid_is_local(const struct server_id *pid); int this_is_smp(void); +bool trans_oob(uint32_t bufsize, uint32_t offset, uint32_t length); bool is_offset_safe(const char *buf_base, size_t buf_len, char *ptr, size_t off); char *get_safe_ptr(const char *buf_base, size_t buf_len, char *ptr, size_t off); char *get_safe_str_ptr(const char *buf_base, size_t buf_len, char *ptr, size_t off); @@ -1582,6 +1583,7 @@ bool validate_net_name( const char *name, const char *invalid_chars, int max_len); char *escape_shell_string(const char *src); +char **str_list_make_v3(TALLOC_CTX *mem_ctx, const char *string, const char *sep); /* The following definitions come from lib/util_unistr.c */ @@ -1919,10 +1921,10 @@ ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***ous, size_t *num_ous); -bool ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, - const char *extended_dn, - enum ads_extended_dn_flags flags, - DOM_SID *sid); +ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, + const char *extended_dn, + enum ads_extended_dn_flags flags, + DOM_SID *sid); char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); char* ads_get_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); @@ -4772,10 +4774,12 @@ bool delete_a_form(nt_forms_struct **list, UNISTR2 *del_name, int *count, WERROR void update_a_form(nt_forms_struct **list, const FORM *form, int count); int get_ntdrivers(fstring **list, const char *architecture, uint32 version); const char *get_short_archi(const char *long_archi); -WERROR clean_up_driver_struct(NT_PRINTER_DRIVER_INFO_LEVEL driver_abstract, - uint32 level, struct current_user *user); -WERROR move_driver_to_download_area(NT_PRINTER_DRIVER_INFO_LEVEL driver_abstract, uint32 level, - struct current_user *user, WERROR *perr); +WERROR clean_up_driver_struct(struct pipes_struct *rpc_pipe, + NT_PRINTER_DRIVER_INFO_LEVEL driver_abstract, + uint32 level); +WERROR move_driver_to_download_area(struct pipes_struct *p, + NT_PRINTER_DRIVER_INFO_LEVEL driver_abstract, + uint32 level, WERROR *perr); int pack_devicemode(NT_DEVICEMODE *nt_devmode, uint8 *buf, int buflen); uint32 del_a_printer(const char *sharename); NT_DEVICEMODE *construct_nt_devicemode(const fstring default_devicename); @@ -4818,8 +4822,9 @@ WERROR get_a_printer_driver(NT_PRINTER_DRIVER_INFO_LEVEL *driver, uint32 level, uint32 free_a_printer_driver(NT_PRINTER_DRIVER_INFO_LEVEL driver, uint32 level); bool printer_driver_in_use ( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3 ); bool printer_driver_files_in_use ( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info ); -WERROR delete_printer_driver( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, struct current_user *user, - uint32 version, bool delete_files ); +WERROR delete_printer_driver(struct pipes_struct *rpc_pipe, + NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, + uint32 version, bool delete_files ); WERROR nt_printing_setsec(const char *sharename, SEC_DESC_BUF *secdesc_ctr); bool nt_printing_getsec(TALLOC_CTX *ctx, const char *sharename, SEC_DESC_BUF **secdesc_ctr); void map_printer_permissions(SEC_DESC *sd); @@ -4865,7 +4870,7 @@ bool sysv_cache_reload(void); NTSTATUS print_fsp_open(struct smb_request *req, connection_struct *conn, const char *fname, - uint16_t current_vuid, files_struct **result); + uint16_t current_vuid, files_struct *fsp); void print_fsp_end(files_struct *fsp, enum file_close_type close_type); /* The following definitions come from printing/printing.c */ @@ -5295,7 +5300,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx, NTSTATUS rpccli_winreg_Connect(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, uint32 reg_type, uint32 access_mask, POLICY_HND *reg_hnd); -uint32 reg_init_regval_buffer( REGVAL_BUFFER *buf2, REGISTRY_VALUE *val ); /* The following definitions come from rpc_client/cli_samr.c */ @@ -5549,7 +5553,8 @@ void init_netr_SamInfo3(struct netr_SamInfo3 *r, uint32_t sidcount, struct netr_SidAttr *sids); NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info, - uint8_t pipe_session_key[16], + uint8_t *pipe_session_key, + size_t pipe_session_key_len, struct netr_SamInfo3 *sam3); void init_netr_IdentityInfo(struct netr_IdentityInfo *r, const char *domain_name, @@ -5595,7 +5600,7 @@ void init_samr_DomGeneralInformation(struct samr_DomGeneralInformation *r, const char *domain_name, const char *primary, uint64_t sequence_num, - uint32_t unknown2, + enum samr_DomainServerState domain_server_state, enum samr_Role role, uint32_t unknown3, uint32_t num_users, @@ -5615,7 +5620,7 @@ void init_samr_DomInfo8(struct samr_DomInfo8 *r, uint64_t sequence_num, NTTIME domain_create_time); void init_samr_DomInfo9(struct samr_DomInfo9 *r, - uint32_t unknown); + enum samr_DomainServerState domain_server_state); void init_samr_DomInfo12(struct samr_DomInfo12 *r, uint64_t lockout_duration, uint64_t lockout_window, @@ -5640,6 +5645,25 @@ void init_samr_alias_info1(struct samr_AliasInfoAll *r, const char *description); void init_samr_alias_info3(struct lsa_String *r, const char *description); +void init_samr_user_info5(struct samr_UserInfo5 *r, + const char *account_name, + const char *full_name, + uint32_t rid, + uint32_t primary_gid, + const char *home_directory, + const char *home_drive, + const char *logon_script, + const char *profile_path, + const char *description, + const char *workstations, + NTTIME last_logon, + NTTIME last_logoff, + struct samr_LogonHours logon_hours, + uint16_t bad_password_count, + uint16_t logon_count, + NTTIME last_password_change, + NTTIME acct_expiry, + uint32_t acct_flags); void init_samr_user_info7(struct samr_UserInfo7 *r, const char *account_name); void init_samr_user_info9(struct samr_UserInfo9 *r, @@ -5709,11 +5733,43 @@ void init_samr_user_info23(struct samr_UserInfo23 *r, uint8_t nt_password_set, uint8_t lm_password_set, uint8_t password_expired, - uint8_t data[516], - uint8_t pw_len); + struct samr_CryptPassword *pwd_buf); void init_samr_user_info24(struct samr_UserInfo24 *r, - uint8_t data[516], - uint8_t pw_len); + struct samr_CryptPassword *pwd_buf, + uint8_t password_expired); +void init_samr_user_info25(struct samr_UserInfo25 *r, + NTTIME last_logon, + NTTIME last_logoff, + NTTIME last_password_change, + NTTIME acct_expiry, + NTTIME allow_password_change, + NTTIME force_password_change, + const char *account_name, + const char *full_name, + const char *home_directory, + const char *home_drive, + const char *logon_script, + const char *profile_path, + const char *description, + const char *workstations, + const char *comment, + struct lsa_BinaryString *parameters, + uint32_t rid, + uint32_t primary_gid, + uint32_t acct_flags, + uint32_t fields_present, + struct samr_LogonHours logon_hours, + uint16_t bad_password_count, + uint16_t logon_count, + uint16_t country_code, + uint16_t code_page, + uint8_t nt_password_set, + uint8_t lm_password_set, + uint8_t password_expired, + struct samr_CryptPasswordEx *pwd_buf); +void init_samr_user_info26(struct samr_UserInfo26 *r, + struct samr_CryptPasswordEx *pwd_buf, + uint8_t password_expired); void init_samr_CryptPasswordEx(const char *pwd, DATA_BLOB *session_key, struct samr_CryptPasswordEx *pwd_buf); @@ -5908,8 +5964,6 @@ void init_rpc_blob_str(RPC_DATA_BLOB *str, const char *buf, int len); void init_rpc_blob_hex(RPC_DATA_BLOB *str, const char *buf); void init_rpc_blob_bytes(RPC_DATA_BLOB *str, uint8 *buf, size_t len); bool smb_io_buffer5(const char *desc, BUFFER5 *buf5, prs_struct *ps, int depth); -void init_regval_buffer(REGVAL_BUFFER *str, const uint8 *buf, size_t len); -bool smb_io_regval_buffer(const char *desc, prs_struct *ps, int depth, REGVAL_BUFFER *buf2); void init_buf_unistr2(UNISTR2 *str, uint32 *ptr, const char *buf); void copy_unistr2(UNISTR2 *str, const UNISTR2 *from); void init_string2(STRING2 *str, const char *buf, size_t max_len, size_t str_len); @@ -5972,8 +6026,6 @@ bool policy_handle_is_valid(const POLICY_HND *hnd); bool ntsvcs_io_q_get_device_list(const char *desc, NTSVCS_Q_GET_DEVICE_LIST *q_u, prs_struct *ps, int depth); bool ntsvcs_io_r_get_device_list(const char *desc, NTSVCS_R_GET_DEVICE_LIST *r_u, prs_struct *ps, int depth); -bool ntsvcs_io_q_get_device_reg_property(const char *desc, NTSVCS_Q_GET_DEVICE_REG_PROPERTY *q_u, prs_struct *ps, int depth); -bool ntsvcs_io_r_get_device_reg_property(const char *desc, NTSVCS_R_GET_DEVICE_REG_PROPERTY *r_u, prs_struct *ps, int depth); /* The following definitions come from rpc_parse/parse_prs.c */ @@ -6029,7 +6081,6 @@ bool prs_uint16s(bool charmode, const char *name, prs_struct *ps, int depth, uin bool prs_uint16uni(bool charmode, const char *name, prs_struct *ps, int depth, uint16 *data16s, int len); bool prs_uint32s(bool charmode, const char *name, prs_struct *ps, int depth, uint32 *data32s, int len); bool prs_buffer5(bool charmode, const char *name, prs_struct *ps, int depth, BUFFER5 *str); -bool prs_regval_buffer(bool charmode, const char *name, prs_struct *ps, int depth, REGVAL_BUFFER *buf); bool prs_string2(bool charmode, const char *name, prs_struct *ps, int depth, STRING2 *str); bool prs_unistr2(bool charmode, const char *name, prs_struct *ps, int depth, UNISTR2 *str); bool prs_unistr3(bool charmode, const char *name, UNISTR3 *str, prs_struct *ps, int depth); @@ -6822,7 +6873,6 @@ WERROR _PNP_GetVersion(pipes_struct *p, WERROR _PNP_GetDeviceListSize(pipes_struct *p, struct PNP_GetDeviceListSize *r); WERROR _ntsvcs_get_device_list( pipes_struct *p, NTSVCS_Q_GET_DEVICE_LIST *q_u, NTSVCS_R_GET_DEVICE_LIST *r_u ); -WERROR _ntsvcs_get_device_reg_property( pipes_struct *p, NTSVCS_Q_GET_DEVICE_REG_PROPERTY *q_u, NTSVCS_R_GET_DEVICE_REG_PROPERTY *r_u ); WERROR _PNP_ValidateDeviceInstance(pipes_struct *p, struct PNP_ValidateDeviceInstance *r); WERROR _PNP_GetHwProfInfo(pipes_struct *p, @@ -6968,7 +7018,6 @@ bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p); bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len, NTSTATUS *pstatus); bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len); -struct current_user *get_current_user(struct current_user *user, pipes_struct *p); void free_pipe_rpc_context( PIPE_RPC_FNS *list ); bool api_pipe_request(pipes_struct *p); @@ -6979,8 +7028,8 @@ pipes_struct *get_next_internal_pipe(pipes_struct *p); void init_rpc_pipe_hnd(void); bool fsp_is_np(struct files_struct *fsp); -NTSTATUS np_open(struct smb_request *smb_req, struct connection_struct *conn, - const char *name, struct files_struct **pfsp); +NTSTATUS np_open(struct smb_request *smb_req, const char *name, + struct files_struct **pfsp); NTSTATUS np_write(struct files_struct *fsp, const uint8_t *data, size_t len, ssize_t *nwritten); NTSTATUS np_read(struct files_struct *fsp, uint8_t *data, size_t len, @@ -7865,9 +7914,9 @@ void file_sync_all(connection_struct *conn); void file_free(struct smb_request *req, files_struct *fsp); files_struct *file_fnum(uint16 fnum); files_struct *file_fsp(struct smb_request *req, uint16 fid); -NTSTATUS dup_file_fsp(struct smb_request *req, files_struct *fsp, +void dup_file_fsp(struct smb_request *req, files_struct *from, uint32 access_mask, uint32 share_access, - uint32 create_options, files_struct **result); + uint32 create_options, files_struct *to); /* The following definitions come from smbd/ipc.c */ @@ -7962,7 +8011,8 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx, connection_struct **pconn, int snum, const char *path, - char **poldcwd); + struct auth_serversupplied_info *server_info, + char **poldcwd); /* The following definitions come from smbd/negprot.c */ @@ -7971,11 +8021,11 @@ void reply_negprot(struct smb_request *req); /* The following definitions come from smbd/notify.c */ void change_notify_reply(connection_struct *conn, - const uint8 *request_buf, uint32 max_param, + struct smb_request *req, uint32 max_param, struct notify_change_buf *notify_buf); NTSTATUS change_notify_create(struct files_struct *fsp, uint32 filter, bool recursive); -NTSTATUS change_notify_add_request(const struct smb_request *req, +NTSTATUS change_notify_add_request(struct smb_request *req, uint32 max_param, uint32 filter, bool recursive, struct files_struct *fsp); @@ -8176,6 +8226,7 @@ void reply_pipe_close(connection_struct *conn, struct smb_request *req); /* The following definitions come from smbd/posix_acls.c */ void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid); +bool nt4_compatible_acls(void); NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd); SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl); NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info, @@ -8231,7 +8282,6 @@ void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes); const char *smb_fn_name(int type); void add_to_common_flags2(uint32 v); void remove_from_common_flags2(uint32 v); -void construct_reply_common(const char *inbuf, char *outbuf); void construct_reply_common_req(struct smb_request *req, char *outbuf); void chain_reply(struct smb_request *req); void check_reload(time_t t); @@ -8424,10 +8474,6 @@ bool set_current_service(connection_struct *conn, uint16 flags, bool do_chdir); void load_registry_shares(void); int add_home_service(const char *service, const char *username, const char *homedir); int find_service(fstring service); -connection_struct *make_connection_with_chdir(const char *service_in, - DATA_BLOB password, - const char *dev, uint16 vuid, - NTSTATUS *status); connection_struct *make_connection(const char *service_in, DATA_BLOB password, const char *pdev, uint16 vuid, NTSTATUS *status); @@ -8458,7 +8504,8 @@ bool user_ok_token(const char *username, const char *domain, struct nt_user_token *token, int snum); bool is_share_read_only_for_token(const char *username, const char *domain, - struct nt_user_token *token, int snum); + struct nt_user_token *token, + connection_struct *conn); /* The following definitions come from smbd/srvstr.c */ @@ -8663,6 +8710,7 @@ NTSTATUS idmap_backends_sid_to_unixid(const char *domname, NTSTATUS idmap_new_mapping(const struct dom_sid *psid, enum id_type type, struct unixid *pxid); NTSTATUS idmap_set_mapping(const struct id_map *map); +NTSTATUS idmap_remove_mapping(const struct id_map *map); /* The following definitions come from winbindd/idmap_cache.c */ diff --git a/source3/include/rpc_eventlog.h b/source3/include/rpc_eventlog.h index 3f5d03ed63..f17e448d9e 100644 --- a/source3/include/rpc_eventlog.h +++ b/source3/include/rpc_eventlog.h @@ -35,29 +35,6 @@ /* Event types */ /* defined in librpc/gen_ndr/eventlog.h */ -/* Defines for TDB keys */ -#define EVT_OLDEST_ENTRY "INFO/oldest_entry" -#define EVT_NEXT_RECORD "INFO/next_record" -#define EVT_VERSION "INFO/version" -#define EVT_MAXSIZE "INFO/maxsize" -#define EVT_RETENTION "INFO/retention" - -#define ELOG_APPL "Application" -#define ELOG_SYS "System" -#define ELOG_SEC "Security" - -typedef struct elog_tdb { - struct elog_tdb *prev, *next; - char *name; - TDB_CONTEXT *tdb; - int ref_count; -} ELOG_TDB; - -#define ELOG_TDB_CTX(x) ((x)->tdb) - - -#define EVENTLOG_DATABASE_VERSION_V1 1 - /***********************************/ typedef struct diff --git a/source3/include/rpc_ntsvcs.h b/source3/include/rpc_ntsvcs.h index 0056d16eb9..dc74298cb9 100644 --- a/source3/include/rpc_ntsvcs.h +++ b/source3/include/rpc_ntsvcs.h @@ -47,23 +47,4 @@ typedef struct { WERROR status; } NTSVCS_R_GET_DEVICE_LIST; -/**************************/ - -typedef struct { - UNISTR2 devicepath; - uint32 property; - uint32 unknown2; - uint32 buffer_size1; - uint32 buffer_size2; - uint32 unknown5; -} NTSVCS_Q_GET_DEVICE_REG_PROPERTY; - -typedef struct { - uint32 unknown1; - REGVAL_BUFFER value; - uint32 size; - uint32 needed; - WERROR status; -} NTSVCS_R_GET_DEVICE_REG_PROPERTY; - #endif /* _RPC_NTSVCS_H */ diff --git a/source3/include/rpc_svcctl.h b/source3/include/rpc_svcctl.h index 27858405e7..7dd849d5b4 100644 --- a/source3/include/rpc_svcctl.h +++ b/source3/include/rpc_svcctl.h @@ -103,14 +103,6 @@ #define SVCCTL_DEMAND_START 0x00000003 #define SVCCTL_DISABLED 0x00000004 -/* Service Controls */ - -#define SVCCTL_CONTROL_STOP 0x00000001 -#define SVCCTL_CONTROL_PAUSE 0x00000002 -#define SVCCTL_CONTROL_CONTINUE 0x00000003 -#define SVCCTL_CONTROL_INTERROGATE 0x00000004 -#define SVCCTL_CONTROL_SHUTDOWN 0x00000005 - #define SVC_HANDLE_IS_SCM 0x0000001 #define SVC_HANDLE_IS_SERVICE 0x0000002 #define SVC_HANDLE_IS_DBLOCK 0x0000003 diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h index 46ca236553..119ceeb158 100644 --- a/source3/include/smb_macros.h +++ b/source3/include/smb_macros.h @@ -52,8 +52,8 @@ return ERROR_NT(NT_STATUS_INVALID_HANDLE); \ } while(0) -#define CHECK_READ(fsp,inbuf) (((fsp)->fh->fd != -1) && ((fsp)->can_read || \ - ((SVAL((inbuf),smb_flg2) & FLAGS2_READ_PERMIT_EXECUTE) && \ +#define CHECK_READ(fsp,req) (((fsp)->fh->fd != -1) && ((fsp)->can_read || \ + ((req->flags2 & FLAGS2_READ_PERMIT_EXECUTE) && \ (fsp->access_mask & FILE_EXECUTE)))) #define CHECK_WRITE(fsp) ((fsp)->can_write && ((fsp)->fh->fd != -1)) diff --git a/source3/include/vfs_macros.h b/source3/include/vfs_macros.h index 7b3aeaa2c7..8fbc21b12d 100644 --- a/source3/include/vfs_macros.h +++ b/source3/include/vfs_macros.h @@ -92,7 +92,7 @@ /* POSIX ACL operations. */ #define SMB_VFS_CHMOD_ACL(conn, name, mode) ((conn)->vfs.ops.chmod_acl((conn)->vfs.handles.chmod_acl, (name), (mode))) -#define SMB_VFS_FCHMOD_ACL(fsp, mode) ((fsp)->conn->vfs.ops.fchmod_acl((fsp)->conn->vfs.handles.chmod_acl, (fsp), (mode))) +#define SMB_VFS_FCHMOD_ACL(fsp, mode) ((fsp)->conn->vfs.ops.fchmod_acl((fsp)->conn->vfs.handles.fchmod_acl, (fsp), (mode))) #define SMB_VFS_SYS_ACL_GET_ENTRY(conn, theacl, entry_id, entry_p) ((conn)->vfs.ops.sys_acl_get_entry((conn)->vfs.handles.sys_acl_get_entry, (theacl), (entry_id), (entry_p))) #define SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry_d, tag_type_p) ((conn)->vfs.ops.sys_acl_get_tag_type((conn)->vfs.handles.sys_acl_get_tag_type, (entry_d), (tag_type_p))) @@ -217,7 +217,7 @@ /* POSIX ACL operations. */ #define SMB_VFS_OPAQUE_CHMOD_ACL(conn, name, mode) ((conn)->vfs_opaque.ops.chmod_acl((conn)->vfs_opaque.handles.chmod_acl, (name), (mode))) -#define SMB_VFS_OPAQUE_FCHMOD_ACL(fsp, mode) ((fsp)->conn->vfs_opaque.ops.fchmod_acl((fsp)->conn->vfs_opaque.handles.chmod_acl, (fsp), (mode))) +#define SMB_VFS_OPAQUE_FCHMOD_ACL(fsp, mode) ((fsp)->conn->vfs_opaque.ops.fchmod_acl((fsp)->conn->vfs_opaque.handles.fchmod_acl, (fsp), (mode))) #define SMB_VFS_OPAQUE_SYS_ACL_GET_ENTRY(conn, theacl, entry_id, entry_p) ((conn)->vfs_opaque.ops.sys_acl_get_entry((conn)->vfs_opaque.handles.sys_acl_get_entry, (theacl), (entry_id), (entry_p))) #define SMB_VFS_OPAQUE_SYS_ACL_GET_TAG_TYPE(conn, entry_d, tag_type_p) ((conn)->vfs_opaque.ops.sys_acl_get_tag_type((conn)->vfs_opaque.handles.sys_acl_get_tag_type, (entry_d), (tag_type_p))) @@ -343,7 +343,7 @@ /* POSIX ACL operations. */ #define SMB_VFS_NEXT_CHMOD_ACL(handle, name, mode) ((handle)->vfs_next.ops.chmod_acl((handle)->vfs_next.handles.chmod_acl, (name), (mode))) -#define SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode) ((handle)->vfs_next.ops.fchmod_acl((handle)->vfs_next.handles.chmod_acl, (fsp), (mode))) +#define SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode) ((handle)->vfs_next.ops.fchmod_acl((handle)->vfs_next.handles.fchmod_acl, (fsp), (mode))) #define SMB_VFS_NEXT_SYS_ACL_GET_ENTRY(handle, theacl, entry_id, entry_p) ((handle)->vfs_next.ops.sys_acl_get_entry((handle)->vfs_next.handles.sys_acl_get_entry, (theacl), (entry_id), (entry_p))) #define SMB_VFS_NEXT_SYS_ACL_GET_TAG_TYPE(handle, entry_d, tag_type_p) ((handle)->vfs_next.ops.sys_acl_get_tag_type((handle)->vfs_next.handles.sys_acl_get_tag_type, (entry_d), (tag_type_p))) diff --git a/source3/lib/debug.c b/source3/lib/debug.c index 986dff48d7..d64fcb66d9 100644 --- a/source3/lib/debug.c +++ b/source3/lib/debug.c @@ -472,7 +472,7 @@ bool debug_parse_levels(const char *params_str) if (AllowDebugChange == False) return True; - params = str_list_make(talloc_tos(), params_str, NULL); + params = str_list_make_v3(talloc_tos(), params_str, NULL); if (debug_parse_params(params)) { debug_dump_status(5); diff --git a/source3/lib/memcache.c b/source3/lib/memcache.c index 9c892fedfa..606d72ab5a 100644 --- a/source3/lib/memcache.c +++ b/source3/lib/memcache.c @@ -63,14 +63,6 @@ static int memcache_destructor(struct memcache *cache) { for (e = cache->mru; e != NULL; e = next) { next = e->next; - if (memcache_is_talloc((enum memcache_number)e->n) - && (e->valuelength == sizeof(void *))) { - DATA_BLOB key, value; - void *ptr; - memcache_element_parse(e, &key, &value); - memcpy(&ptr, value.data, sizeof(ptr)); - TALLOC_FREE(ptr); - } SAFE_FREE(e); } return 0; @@ -214,6 +206,16 @@ static void memcache_delete_element(struct memcache *cache, } DLIST_REMOVE(cache->mru, e); + if (memcache_is_talloc(e->n)) { + DATA_BLOB cache_key, cache_value; + void *ptr; + + memcache_element_parse(e, &cache_key, &cache_value); + SMB_ASSERT(cache_value.length == sizeof(ptr)); + memcpy(&ptr, cache_value.data, sizeof(ptr)); + TALLOC_FREE(ptr); + } + cache->size -= memcache_element_size(e->keylength, e->valuelength); SAFE_FREE(e); @@ -276,6 +278,12 @@ void memcache_add(struct memcache *cache, enum memcache_number n, memcache_element_parse(e, &cache_key, &cache_value); if (value.length <= cache_value.length) { + if (memcache_is_talloc(e->n)) { + void *ptr; + SMB_ASSERT(cache_value.length == sizeof(ptr)); + memcpy(&ptr, cache_value.data, sizeof(ptr)); + TALLOC_FREE(ptr); + } /* * We can reuse the existing record */ @@ -332,9 +340,20 @@ void memcache_add(struct memcache *cache, enum memcache_number n, } void memcache_add_talloc(struct memcache *cache, enum memcache_number n, - DATA_BLOB key, void *ptr) + DATA_BLOB key, void *pptr) { - memcache_add(cache, n, key, data_blob_const(&ptr, sizeof(ptr))); + void **ptr = (void **)pptr; + void *p; + + if (cache == NULL) { + cache = global_cache; + } + if (cache == NULL) { + return; + } + + p = talloc_move(cache, ptr); + memcache_add(cache, n, key, data_blob_const(&p, sizeof(p))); } void memcache_flush(struct memcache *cache, enum memcache_number n) diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c index 2987306066..df85336603 100644 --- a/source3/lib/secdesc.c +++ b/source3/lib/secdesc.c @@ -546,6 +546,9 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx, ptrustee = creator; new_flags |= SEC_ACE_FLAG_INHERIT_ONLY; + } else if (container && + !(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) { + ptrustee = &ace->trustee; } init_sec_ace(new_ace, ptrustee, ace->type, @@ -563,19 +566,20 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx, } /* Create child security descriptor to return */ - - new_dacl = make_sec_acl(ctx, + if (new_ace_list_ndx) { + new_dacl = make_sec_acl(ctx, NT4_ACL_REVISION, new_ace_list_ndx, new_ace_list); - if (!new_dacl) { - return NT_STATUS_NO_MEMORY; + if (!new_dacl) { + return NT_STATUS_NO_MEMORY; + } } + *ppsd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1, - SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT| - SEC_DESC_DACL_DEFAULTED, + SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT, owner_sid, group_sid, NULL, diff --git a/source3/lib/util.c b/source3/lib/util.c index 820cf376be..074b523ae0 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c @@ -1497,7 +1497,7 @@ uid_t nametouid(const char *name) char *p; uid_t u; - pass = getpwnam_alloc(NULL, name); + pass = getpwnam_alloc(talloc_autofree_context(), name); if (pass) { u = pass->pw_uid; TALLOC_FREE(pass); @@ -2255,8 +2255,8 @@ char *myhostname(void) static char *ret; if (ret == NULL) { /* This is cached forever so - * use NULL talloc ctx. */ - ret = talloc_get_myname(NULL); + * use talloc_autofree_context() ctx. */ + ret = talloc_get_myname(talloc_autofree_context()); } return ret; } @@ -2879,6 +2879,25 @@ int this_is_smp(void) } /**************************************************************** + Check if offset/length fit into bufsize. Should probably be + merged with is_offset_safe, but this would require a rewrite + of lanman.c. Later :-) +****************************************************************/ + +bool trans_oob(uint32_t bufsize, uint32_t offset, uint32_t length) +{ + if ((offset + length < offset) || (offset + length < length)) { + /* wrap */ + return true; + } + if ((offset > bufsize) || (offset + length > bufsize)) { + /* overflow */ + return true; + } + return false; +} + +/**************************************************************** Check if an offset into a buffer is safe. If this returns True it's safe to indirect into the byte at pointer ptr+off. diff --git a/source3/lib/util_pw.c b/source3/lib/util_pw.c index c0d37f1094..b0baa12c3e 100644 --- a/source3/lib/util_pw.c +++ b/source3/lib/util_pw.c @@ -44,30 +44,28 @@ void flush_pwnam_cache(void) struct passwd *getpwnam_alloc(TALLOC_CTX *mem_ctx, const char *name) { - struct passwd *temp, *cached; + struct passwd *pw, *for_cache; - temp = (struct passwd *)memcache_lookup_talloc( + pw = (struct passwd *)memcache_lookup_talloc( NULL, GETPWNAM_CACHE, data_blob_string_const_null(name)); - if (temp != NULL) { - return tcopy_passwd(mem_ctx, temp); + if (pw != NULL) { + return tcopy_passwd(mem_ctx, pw); } - temp = sys_getpwnam(name); - if (temp == NULL) { + pw = sys_getpwnam(name); + if (pw == NULL) { return NULL; } - cached = tcopy_passwd(NULL, temp); - if (cached == NULL) { - /* - * Just don't add this into the cache, ignore the failure - */ - return temp; + for_cache = tcopy_passwd(talloc_autofree_context(), pw); + if (for_cache == NULL) { + return NULL; } - memcache_add_talloc(NULL, GETPWNAM_CACHE, data_blob_string_const_null(name), - cached); - return tcopy_passwd(mem_ctx, temp); + memcache_add_talloc(NULL, GETPWNAM_CACHE, + data_blob_string_const_null(name), &for_cache); + + return tcopy_passwd(mem_ctx, pw); } struct passwd *getpwuid_alloc(TALLOC_CTX *mem_ctx, uid_t uid) diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c index 046ce61ea3..fde4f825e8 100644 --- a/source3/lib/util_str.c +++ b/source3/lib/util_str.c @@ -2532,3 +2532,19 @@ char *escape_shell_string(const char *src) *dest++ = '\0'; return ret; } + +/*************************************************** + Wrapper for str_list_make() to restore the s3 behavior. + In samba 3.2 passing NULL or an empty string returned NULL. + + In master, it now returns a list of length 1 with the first string set + to NULL (an empty list) +***************************************************/ + +char **str_list_make_v3(TALLOC_CTX *mem_ctx, const char *string, const char *sep) +{ + if (!string || !*string) { + return NULL; + } + return str_list_make(mem_ctx, string, sep); +} diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c index 883f582445..c4e67091dd 100644 --- a/source3/libads/kerberos_keytab.c +++ b/source3/libads/kerberos_keytab.c @@ -725,8 +725,11 @@ int ads_keytab_list(const char *keytab_name) ret = smb_krb5_enctype_to_string(context, enctype, &etype_s); if (ret) { - SAFE_FREE(princ_s); - goto out; + if (asprintf(&etype_s, "UNKNOWN: %d\n", enctype) == -1) + { + SAFE_FREE(princ_s); + goto out; + } } printf("%3d %s\t\t %s\n", kt_entry.vno, etype_s, princ_s); diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 2dcd1fd6ae..932e42e076 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -301,11 +301,11 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads) if ( use_own_domain ) c_realm = lp_workgroup(); } + } - if ( !c_realm || !*c_realm ) { - DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n")); - return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */ - } + if ( !c_realm || !*c_realm ) { + DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n")); + return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */ } realm = c_realm; @@ -3111,60 +3111,66 @@ ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads, /** * pull a DOM_SID from an extended dn string - * @param mem_ctx TALLOC_CTX + * @param mem_ctx TALLOC_CTX * @param extended_dn string * @param flags string type of extended_dn * @param sid pointer to a DOM_SID - * @return boolean inidicating success + * @return NT_STATUS_OK on success, + * NT_INVALID_PARAMETER on error, + * NT_STATUS_NOT_FOUND if no SID present **/ -bool ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, - const char *extended_dn, - enum ads_extended_dn_flags flags, - DOM_SID *sid) +ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, + const char *extended_dn, + enum ads_extended_dn_flags flags, + DOM_SID *sid) { char *p, *q, *dn; if (!extended_dn) { - return False; + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } /* otherwise extended_dn gets stripped off */ if ((dn = talloc_strdup(mem_ctx, extended_dn)) == NULL) { - return False; + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } - /* + /* * ADS_EXTENDED_DN_HEX_STRING: * <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de * * ADS_EXTENDED_DN_STRING (only with w2k3): - <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de + * <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de + * + * Object with no SID, such as an Exchange Public Folder + * <GUID=28907fb4bdf6854993e7f0a10b504e7c>;CN=public,CN=Microsoft Exchange System Objects,DC=sd2k3ms,DC=west,DC=isilon,DC=com */ p = strchr(dn, ';'); if (!p) { - return False; + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } if (strncmp(p, ";<SID=", strlen(";<SID=")) != 0) { - return False; + DEBUG(5,("No SID present in extended dn\n")); + return ADS_ERROR_NT(NT_STATUS_NOT_FOUND); } p += strlen(";<SID="); q = strchr(p, '>'); if (!q) { - return False; + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } - + *q = '\0'; DEBUG(100,("ads_get_sid_from_extended_dn: sid string is %s\n", p)); switch (flags) { - + case ADS_EXTENDED_DN_STRING: if (!string_to_sid(sid, p)) { - return False; + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } break; case ADS_EXTENDED_DN_HEX_STRING: { @@ -3173,21 +3179,21 @@ bool ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, buf_len = strhex_to_str(buf, sizeof(buf), p, strlen(p)); if (buf_len == 0) { - return False; + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } if (!sid_parse(buf, buf_len, sid)) { DEBUG(10,("failed to parse sid\n")); - return False; + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } break; } default: DEBUG(10,("unknown extended dn format\n")); - return False; + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } - return True; + return ADS_ERROR_NT(NT_STATUS_OK); } /** @@ -3200,18 +3206,19 @@ bool ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, * @param sids pointer to sid array to allocate * @return the count of SIDs pulled **/ - int ads_pull_sids_from_extendeddn(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - LDAPMessage *msg, + int ads_pull_sids_from_extendeddn(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + LDAPMessage *msg, const char *field, enum ads_extended_dn_flags flags, DOM_SID **sids) { int i; - size_t dn_count; + ADS_STATUS rc; + size_t dn_count, ret_count = 0; char **dn_strings; - if ((dn_strings = ads_pull_strings(ads, mem_ctx, msg, field, + if ((dn_strings = ads_pull_strings(ads, mem_ctx, msg, field, &dn_count)) == NULL) { return 0; } @@ -3223,18 +3230,25 @@ bool ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, } for (i=0; i<dn_count; i++) { - - if (!ads_get_sid_from_extended_dn(mem_ctx, dn_strings[i], - flags, &(*sids)[i])) { - TALLOC_FREE(*sids); - TALLOC_FREE(dn_strings); - return 0; + rc = ads_get_sid_from_extended_dn(mem_ctx, dn_strings[i], + flags, &(*sids)[i]); + if (!ADS_ERR_OK(rc)) { + if (NT_STATUS_EQUAL(ads_ntstatus(rc), + NT_STATUS_NOT_FOUND)) { + continue; + } + else { + TALLOC_FREE(*sids); + TALLOC_FREE(dn_strings); + return 0; + } } + ret_count++; } TALLOC_FREE(dn_strings); - return dn_count; + return ret_count; } /******************************************************************** diff --git a/source3/libgpo/gpo_ldap.c b/source3/libgpo/gpo_ldap.c index 0e77f0a856..26813864e5 100644 --- a/source3/libgpo/gpo_ldap.c +++ b/source3/libgpo/gpo_ldap.c @@ -44,7 +44,7 @@ bool ads_parse_gp_ext(TALLOC_CTX *mem_ctx, goto parse_error; } - ext_list = str_list_make(mem_ctx, extension_raw, "]"); + ext_list = str_list_make_v3(mem_ctx, extension_raw, "]"); if (!ext_list) { goto parse_error; } @@ -87,7 +87,7 @@ bool ads_parse_gp_ext(TALLOC_CTX *mem_ctx, p++; } - ext_strings = str_list_make(mem_ctx, p, "}"); + ext_strings = str_list_make_v3(mem_ctx, p, "}"); if (ext_strings == NULL) { goto parse_error; } @@ -162,7 +162,7 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx, DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw)); - link_list = str_list_make(mem_ctx, gp_link_raw, "]"); + link_list = str_list_make_v3(mem_ctx, gp_link_raw, "]"); if (!link_list) { goto parse_error; } diff --git a/source3/libnet/libnet_dssync_keytab.c b/source3/libnet/libnet_dssync_keytab.c index 6a3139d6ad..a05bfdcbe2 100644 --- a/source3/libnet/libnet_dssync_keytab.c +++ b/source3/libnet/libnet_dssync_keytab.c @@ -24,39 +24,6 @@ #if defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC) -/** - * Internal helper function to add data to the list - * of keytab entries. It builds the prefix from the input. - */ -static NTSTATUS add_to_keytab_entries(TALLOC_CTX *mem_ctx, - struct libnet_keytab_context *ctx, - uint32_t kvno, - const char *name, - const char *prefix, - const krb5_enctype enctype, - DATA_BLOB blob) -{ - struct libnet_keytab_entry entry; - - entry.kvno = kvno; - entry.name = talloc_strdup(mem_ctx, name); - entry.principal = talloc_asprintf(mem_ctx, "%s%s%s@%s", - prefix ? prefix : "", - prefix ? "/" : "", - name, ctx->dns_domain_name); - entry.enctype = enctype; - entry.password = blob; - NT_STATUS_HAVE_NO_MEMORY(entry.name); - NT_STATUS_HAVE_NO_MEMORY(entry.principal); - NT_STATUS_HAVE_NO_MEMORY(entry.password.data); - - ADD_TO_ARRAY(mem_ctx, struct libnet_keytab_entry, entry, - &ctx->entries, &ctx->count); - NT_STATUS_HAVE_NO_MEMORY(ctx->entries); - - return NT_STATUS_OK; -} - static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx, struct replUpToDateVectorBlob **pold_utdv) { @@ -134,10 +101,10 @@ static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx, goto done; } - status = add_to_keytab_entries(mem_ctx, keytab_ctx, 0, - ctx->nc_dn, "UTDV", - ENCTYPE_NULL, - blob); + status = libnet_keytab_add_to_keytab_entries(mem_ctx, keytab_ctx, 0, + ctx->nc_dn, "UTDV", + ENCTYPE_NULL, + blob); if (!NT_STATUS_IS_OK(status)) { goto done; } @@ -391,11 +358,11 @@ static NTSTATUS parse_object(TALLOC_CTX *mem_ctx, } if (name) { - status = add_to_keytab_entries(mem_ctx, ctx, 0, object_dn, - "SAMACCOUNTNAME", - ENCTYPE_NULL, - data_blob_talloc(mem_ctx, name, - strlen(name) + 1)); + status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, 0, object_dn, + "SAMACCOUNTNAME", + ENCTYPE_NULL, + data_blob_talloc(mem_ctx, name, + strlen(name) + 1)); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -454,9 +421,9 @@ static NTSTATUS parse_object(TALLOC_CTX *mem_ctx, } DEBUGADD(1,("\n")); - status = add_to_keytab_entries(mem_ctx, ctx, kvno, name, NULL, - ENCTYPE_ARCFOUR_HMAC, - data_blob_talloc(mem_ctx, nt_passwd, 16)); + status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno, name, NULL, + ENCTYPE_ARCFOUR_HMAC, + data_blob_talloc(mem_ctx, nt_passwd, 16)); if (!NT_STATUS_IS_OK(status)) { return status; @@ -469,11 +436,11 @@ static NTSTATUS parse_object(TALLOC_CTX *mem_ctx, if (!pkb4->keys[i].value) { continue; } - status = add_to_keytab_entries(mem_ctx, ctx, kvno, - name, - NULL, - pkb4->keys[i].keytype, - *pkb4->keys[i].value); + status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno, + name, + NULL, + pkb4->keys[i].keytype, + *pkb4->keys[i].value); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -482,11 +449,11 @@ static NTSTATUS parse_object(TALLOC_CTX *mem_ctx, if (!pkb4->old_keys[i].value) { continue; } - status = add_to_keytab_entries(mem_ctx, ctx, kvno - 1, - name, - NULL, - pkb4->old_keys[i].keytype, - *pkb4->old_keys[i].value); + status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno - 1, + name, + NULL, + pkb4->old_keys[i].keytype, + *pkb4->old_keys[i].value); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -495,11 +462,11 @@ static NTSTATUS parse_object(TALLOC_CTX *mem_ctx, if (!pkb4->older_keys[i].value) { continue; } - status = add_to_keytab_entries(mem_ctx, ctx, kvno - 2, - name, - NULL, - pkb4->older_keys[i].keytype, - *pkb4->older_keys[i].value); + status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno - 2, + name, + NULL, + pkb4->older_keys[i].keytype, + *pkb4->older_keys[i].value); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -511,10 +478,10 @@ static NTSTATUS parse_object(TALLOC_CTX *mem_ctx, if (!pkb3->keys[i].value) { continue; } - status = add_to_keytab_entries(mem_ctx, ctx, kvno, name, - NULL, - pkb3->keys[i].keytype, - *pkb3->keys[i].value); + status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno, name, + NULL, + pkb3->keys[i].keytype, + *pkb3->keys[i].value); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -523,11 +490,11 @@ static NTSTATUS parse_object(TALLOC_CTX *mem_ctx, if (!pkb3->old_keys[i].value) { continue; } - status = add_to_keytab_entries(mem_ctx, ctx, kvno - 1, - name, - NULL, - pkb3->old_keys[i].keytype, - *pkb3->old_keys[i].value); + status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno - 1, + name, + NULL, + pkb3->old_keys[i].keytype, + *pkb3->old_keys[i].value); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -549,9 +516,9 @@ static NTSTATUS parse_object(TALLOC_CTX *mem_ctx, } for (; i<pwd_history_len; i++) { - status = add_to_keytab_entries(mem_ctx, ctx, kvno--, name, NULL, - ENCTYPE_ARCFOUR_HMAC, - data_blob_talloc(mem_ctx, &pwd_history[i*16], 16)); + status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno--, name, NULL, + ENCTYPE_ARCFOUR_HMAC, + data_blob_talloc(mem_ctx, &pwd_history[i*16], 16)); if (!NT_STATUS_IS_OK(status)) { break; } diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 6935e000dc..908fb78ab4 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -762,7 +762,6 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, struct lsa_String lsa_acct_name; uint32_t user_rid; uint32_t acct_flags = ACB_WSTRUST; - uchar md4_trust_password[16]; struct samr_Ids user_rids; struct samr_Ids name_types; union samr_UserInfo user_info; @@ -898,14 +897,6 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } - /* Create a random machine account password and generate the hash */ - - E_md4hash(r->in.machine_password, md4_trust_password); - - init_samr_CryptPasswordEx(r->in.machine_password, - &cli->user_session_key, - &crypt_pwd_ex); - /* Fill in the additional account flags now */ acct_flags |= ACB_PWNOEXP; @@ -916,23 +907,40 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, ;; } - /* Set password and account flags on machine account */ - - ZERO_STRUCT(user_info.info25); - - user_info.info25.info.fields_present = ACCT_NT_PWD_SET | - ACCT_LM_PWD_SET | - SAMR_FIELD_ACCT_FLAGS; - - user_info.info25.info.acct_flags = acct_flags; - memcpy(&user_info.info25.password.data, crypt_pwd_ex.data, - sizeof(crypt_pwd_ex.data)); + /* Set account flags on machine account */ + ZERO_STRUCT(user_info.info16); + user_info.info16.acct_flags = acct_flags; status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx, &user_pol, - 25, + 16, &user_info); + if (!NT_STATUS_IS_OK(status)) { + + rpccli_samr_DeleteUser(pipe_hnd, mem_ctx, + &user_pol); + + libnet_join_set_error_string(mem_ctx, r, + "Failed to set account flags for machine account (%s)\n", + nt_errstr(status)); + goto done; + } + + /* Set password on machine account - first try level 26 */ + + init_samr_CryptPasswordEx(r->in.machine_password, + &cli->user_session_key, + &crypt_pwd_ex); + + init_samr_user_info26(&user_info.info26, &crypt_pwd_ex, + PASS_DONT_CHANGE_AT_NEXT_LOGON); + + status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx, + &user_pol, + 26, + &user_info); + if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) { /* retry with level 24 */ @@ -941,7 +949,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, &cli->user_session_key, &crypt_pwd); - init_samr_user_info24(&user_info.info24, crypt_pwd.data, 24); + init_samr_user_info24(&user_info.info24, &crypt_pwd, + PASS_DONT_CHANGE_AT_NEXT_LOGON); status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx, &user_pol, @@ -1638,24 +1647,31 @@ WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx, static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx, struct libnet_JoinCtx *r) { + bool valid_security = false; + bool valid_workgroup = false; + bool valid_realm = false; + /* check if configuration is already set correctly */ + valid_workgroup = strequal(lp_workgroup(), r->out.netbios_domain_name); + switch (r->out.domain_is_ad) { case false: - if ((strequal(lp_workgroup(), - r->out.netbios_domain_name)) && - (lp_security() == SEC_DOMAIN)) { + valid_security = (lp_security() == SEC_DOMAIN); + if (valid_workgroup && valid_security) { /* nothing to be done */ return WERR_OK; } break; case true: - if ((strequal(lp_workgroup(), - r->out.netbios_domain_name)) && - (strequal(lp_realm(), - r->out.dns_domain_name)) && - ((lp_security() == SEC_ADS) || - (lp_security() == SEC_DOMAIN))) { + valid_realm = strequal(lp_realm(), r->out.dns_domain_name); + switch (lp_security()) { + case SEC_DOMAIN: + case SEC_ADS: + valid_security = true; + } + + if (valid_workgroup && valid_realm && valid_security) { /* nothing to be done */ return WERR_OK; } @@ -1665,9 +1681,41 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx, /* check if we are supposed to manipulate configuration */ if (!r->in.modify_config) { + + char *wrong_conf = talloc_strdup(mem_ctx, ""); + + if (!valid_workgroup) { + wrong_conf = talloc_asprintf_append(wrong_conf, + "\"workgroup\" set to '%s', should be '%s'", + lp_workgroup(), r->out.netbios_domain_name); + W_ERROR_HAVE_NO_MEMORY(wrong_conf); + } + + if (!valid_realm) { + wrong_conf = talloc_asprintf_append(wrong_conf, + "\"realm\" set to '%s', should be '%s'", + lp_realm(), r->out.dns_domain_name); + W_ERROR_HAVE_NO_MEMORY(wrong_conf); + } + + if (!valid_security) { + const char *sec = NULL; + switch (lp_security()) { + case SEC_SHARE: sec = "share"; break; + case SEC_USER: sec = "user"; break; + case SEC_DOMAIN: sec = "domain"; break; + case SEC_ADS: sec = "ads"; break; + } + wrong_conf = talloc_asprintf_append(wrong_conf, + "\"security\" set to '%s', should be %s", + sec, r->out.domain_is_ad ? + "either 'domain' or 'ads'" : "'domain'"); + W_ERROR_HAVE_NO_MEMORY(wrong_conf); + } + libnet_join_set_error_string(mem_ctx, r, - "Invalid configuration and configuration modification " - "was not requested"); + "Invalid configuration (%s) and configuration modification " + "was not requested", wrong_conf); return WERR_CAN_NOT_COMPLETE; } diff --git a/source3/libnet/libnet_keytab.c b/source3/libnet/libnet_keytab.c index 46c17b219c..990f6f6a63 100644 --- a/source3/libnet/libnet_keytab.c +++ b/source3/libnet/libnet_keytab.c @@ -401,4 +401,37 @@ cont: return entry; } +/** + * Helper function to add data to the list + * of keytab entries. It builds the prefix from the input. + */ +NTSTATUS libnet_keytab_add_to_keytab_entries(TALLOC_CTX *mem_ctx, + struct libnet_keytab_context *ctx, + uint32_t kvno, + const char *name, + const char *prefix, + const krb5_enctype enctype, + DATA_BLOB blob) +{ + struct libnet_keytab_entry entry; + + entry.kvno = kvno; + entry.name = talloc_strdup(mem_ctx, name); + entry.principal = talloc_asprintf(mem_ctx, "%s%s%s@%s", + prefix ? prefix : "", + prefix ? "/" : "", + name, ctx->dns_domain_name); + entry.enctype = enctype; + entry.password = blob; + NT_STATUS_HAVE_NO_MEMORY(entry.name); + NT_STATUS_HAVE_NO_MEMORY(entry.principal); + NT_STATUS_HAVE_NO_MEMORY(entry.password.data); + + ADD_TO_ARRAY(mem_ctx, struct libnet_keytab_entry, entry, + &ctx->entries, &ctx->count); + NT_STATUS_HAVE_NO_MEMORY(ctx->entries); + + return NT_STATUS_OK; +} + #endif /* HAVE_KRB5 */ diff --git a/source3/libnet/libnet_proto.h b/source3/libnet/libnet_proto.h index 69a16c1c7d..9a193b724d 100644 --- a/source3/libnet/libnet_proto.h +++ b/source3/libnet/libnet_proto.h @@ -55,6 +55,13 @@ struct libnet_keytab_entry *libnet_keytab_search(struct libnet_keytab_context *c const char *principal, int kvno, const krb5_enctype enctype, TALLOC_CTX *mem_ctx); +NTSTATUS libnet_keytab_add_to_keytab_entries(TALLOC_CTX *mem_ctx, + struct libnet_keytab_context *ctx, + uint32_t kvno, + const char *name, + const char *prefix, + const krb5_enctype enctype, + DATA_BLOB blob); #endif /* The following definitions come from libnet/libnet_samsync.c */ diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c index 00caf2b8c1..4351810169 100644 --- a/source3/libnet/libnet_samsync.c +++ b/source3/libnet/libnet_samsync.c @@ -282,47 +282,112 @@ static const char *samsync_debug_str(TALLOC_CTX *mem_ctx, * libnet_samsync */ -NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id, - struct samsync_context *ctx) +void libnet_init_netr_ChangeLogEntry(struct samsync_object *o, + struct netr_ChangeLogEntry *e) +{ + ZERO_STRUCTP(e); + + e->db_index = o->database_id; + e->delta_type = o->object_type; + + switch (e->delta_type) { + case NETR_DELTA_DOMAIN: + case NETR_DELTA_DELETE_GROUP: + case NETR_DELTA_RENAME_GROUP: + case NETR_DELTA_DELETE_USER: + case NETR_DELTA_RENAME_USER: + case NETR_DELTA_DELETE_ALIAS: + case NETR_DELTA_RENAME_ALIAS: + case NETR_DELTA_DELETE_TRUST: + case NETR_DELTA_DELETE_ACCOUNT: + case NETR_DELTA_DELETE_SECRET: + case NETR_DELTA_DELETE_GROUP2: + case NETR_DELTA_DELETE_USER2: + case NETR_DELTA_MODIFY_COUNT: + break; + case NETR_DELTA_USER: + case NETR_DELTA_GROUP: + case NETR_DELTA_GROUP_MEMBER: + case NETR_DELTA_ALIAS: + case NETR_DELTA_ALIAS_MEMBER: + e->object_rid = o->object_identifier.rid; + break; + case NETR_DELTA_SECRET: + e->object.object_name = o->object_identifier.name; + e->flags = NETR_CHANGELOG_NAME_INCLUDED; + break; + case NETR_DELTA_TRUSTED_DOMAIN: + case NETR_DELTA_ACCOUNT: + case NETR_DELTA_POLICY: + e->object.object_sid = o->object_identifier.sid; + e->flags = NETR_CHANGELOG_SID_INCLUDED; + break; + default: + break; + } +} + +/** + * libnet_samsync_delta + */ + +static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx, + enum netr_SamDatabaseID database_id, + uint64_t *sequence_num, + struct samsync_context *ctx, + struct netr_ChangeLogEntry *e) { NTSTATUS result; - TALLOC_CTX *mem_ctx; + NTSTATUS callback_status; const char *logon_server = ctx->cli->desthost; const char *computername = global_myname(); struct netr_Authenticator credential; struct netr_Authenticator return_authenticator; uint16_t restart_state = 0; uint32_t sync_context = 0; - const char *debug_str; DATA_BLOB session_key; ZERO_STRUCT(return_authenticator); - if (!(mem_ctx = talloc_init("libnet_samsync"))) { - return NT_STATUS_NO_MEMORY; - } - - debug_str = samsync_debug_str(mem_ctx, ctx->mode, database_id); - if (debug_str) { - d_fprintf(stderr, "%s\n", debug_str); - } - do { struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; - NTSTATUS callback_status; netlogon_creds_client_step(ctx->cli->dc, &credential); - result = rpccli_netr_DatabaseSync2(ctx->cli, mem_ctx, - logon_server, - computername, - &credential, - &return_authenticator, - database_id, - restart_state, - &sync_context, - &delta_enum_array, - 0xffff); + if (ctx->single_object_replication && + !ctx->force_full_replication) { + result = rpccli_netr_DatabaseRedo(ctx->cli, mem_ctx, + logon_server, + computername, + &credential, + &return_authenticator, + *e, + 0, + &delta_enum_array); + } else if (!ctx->force_full_replication && + sequence_num && (*sequence_num > 0)) { + result = rpccli_netr_DatabaseDeltas(ctx->cli, mem_ctx, + logon_server, + computername, + &credential, + &return_authenticator, + database_id, + sequence_num, + &delta_enum_array, + 0xffff); + } else { + result = rpccli_netr_DatabaseSync2(ctx->cli, mem_ctx, + logon_server, + computername, + &credential, + &return_authenticator, + database_id, + restart_state, + &sync_context, + &delta_enum_array, + 0xffff); + } + if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) { return result; } @@ -346,9 +411,10 @@ NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id, delta_enum_array); /* Process results */ - callback_status = ctx->delta_fn(mem_ctx, database_id, - delta_enum_array, - NT_STATUS_IS_OK(result), ctx); + callback_status = ctx->ops->process_objects(mem_ctx, database_id, + delta_enum_array, + sequence_num, + ctx); if (!NT_STATUS_IS_OK(callback_status)) { result = callback_status; goto out; @@ -362,14 +428,86 @@ NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id, } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)); out: - if (NT_STATUS_IS_ERR(result) && !ctx->error_message) { + + return result; +} + +/** + * libnet_samsync + */ + +NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id, + struct samsync_context *ctx) +{ + NTSTATUS status = NT_STATUS_OK; + NTSTATUS callback_status; + TALLOC_CTX *mem_ctx; + const char *debug_str; + uint64_t sequence_num = 0; + int i = 0; + + if (!(mem_ctx = talloc_new(ctx))) { + return NT_STATUS_NO_MEMORY; + } + + if (!ctx->ops) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (ctx->ops->startup) { + status = ctx->ops->startup(mem_ctx, ctx, + database_id, &sequence_num); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + } + + debug_str = samsync_debug_str(mem_ctx, ctx->mode, database_id); + if (debug_str) { + d_fprintf(stderr, "%s\n", debug_str); + } + + if (!ctx->single_object_replication) { + status = libnet_samsync_delta(mem_ctx, database_id, + &sequence_num, ctx, NULL); + goto done; + } + + for (i=0; i<ctx->num_objects; i++) { + + struct netr_ChangeLogEntry e; + + if (ctx->objects[i].database_id != database_id) { + continue; + } + + libnet_init_netr_ChangeLogEntry(&ctx->objects[i], &e); + + status = libnet_samsync_delta(mem_ctx, database_id, + &sequence_num, ctx, &e); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + } + + done: + + if (NT_STATUS_IS_OK(status) && ctx->ops->finish) { + callback_status = ctx->ops->finish(mem_ctx, ctx, + database_id, sequence_num); + if (!NT_STATUS_IS_OK(callback_status)) { + status = callback_status; + } + } + + if (NT_STATUS_IS_ERR(status) && !ctx->error_message) { ctx->error_message = talloc_asprintf(ctx, "Failed to fetch %s database: %s", samsync_database_str(database_id), - nt_errstr(result)); + nt_errstr(status)); - if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) { + if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { ctx->error_message = talloc_asprintf_append(ctx->error_message, @@ -380,7 +518,7 @@ NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id, talloc_destroy(mem_ctx); - return result; + return status; } /** diff --git a/source3/libnet/libnet_samsync.h b/source3/libnet/libnet_samsync.h index 1f10d2c1c0..3a686a7f45 100644 --- a/source3/libnet/libnet_samsync.h +++ b/source3/libnet/libnet_samsync.h @@ -27,11 +27,31 @@ enum net_samsync_mode { struct samsync_context; -typedef NTSTATUS (*samsync_delta_fn_t)(TALLOC_CTX *, - enum netr_SamDatabaseID, - struct netr_DELTA_ENUM_ARRAY *, - bool, - struct samsync_context *); +struct samsync_ops { + NTSTATUS (*startup)(TALLOC_CTX *mem_ctx, + struct samsync_context *ctx, + enum netr_SamDatabaseID id, + uint64_t *sequence_num); + NTSTATUS (*process_objects)(TALLOC_CTX *mem_ctx, + enum netr_SamDatabaseID id, + struct netr_DELTA_ENUM_ARRAY *array, + uint64_t *sequence_num, + struct samsync_context *ctx); + NTSTATUS (*finish)(TALLOC_CTX *mem_ctx, + struct samsync_context *ctx, + enum netr_SamDatabaseID id, + uint64_t sequence_num); +}; + +struct samsync_object { + uint16_t database_id; + uint16_t object_type; + union { + uint32_t rid; + const char *name; + struct dom_sid sid; + } object_identifier; +}; struct samsync_context { enum net_samsync_mode mode; @@ -46,28 +66,21 @@ struct samsync_context { char *result_message; char *error_message; + bool single_object_replication; + bool force_full_replication; + bool clean_old_entries; + + uint32_t num_objects; + struct samsync_object *objects; + struct rpc_pipe_client *cli; - samsync_delta_fn_t delta_fn; + + const struct samsync_ops *ops; + void *private_data; }; -NTSTATUS fetch_sam_entries_ldif(TALLOC_CTX *mem_ctx, - enum netr_SamDatabaseID database_id, - struct netr_DELTA_ENUM_ARRAY *r, - bool last_query, - struct samsync_context *ctx); -NTSTATUS fetch_sam_entries(TALLOC_CTX *mem_ctx, - enum netr_SamDatabaseID database_id, - struct netr_DELTA_ENUM_ARRAY *r, - bool last_query, - struct samsync_context *ctx); -NTSTATUS display_sam_entries(TALLOC_CTX *mem_ctx, - enum netr_SamDatabaseID database_id, - struct netr_DELTA_ENUM_ARRAY *r, - bool last_query, - struct samsync_context *ctx); -NTSTATUS fetch_sam_entries_keytab(TALLOC_CTX *mem_ctx, - enum netr_SamDatabaseID database_id, - struct netr_DELTA_ENUM_ARRAY *r, - bool last_query, - struct samsync_context *ctx); +extern const struct samsync_ops libnet_samsync_ldif_ops; +extern const struct samsync_ops libnet_samsync_keytab_ops; +extern const struct samsync_ops libnet_samsync_display_ops; +extern const struct samsync_ops libnet_samsync_passdb_ops; diff --git a/source3/libnet/libnet_samsync_display.c b/source3/libnet/libnet_samsync_display.c index 1dd9a1add5..c8d9ec6f09 100644 --- a/source3/libnet/libnet_samsync_display.c +++ b/source3/libnet/libnet_samsync_display.c @@ -163,7 +163,6 @@ static void display_rename_alias(uint32_t rid, struct netr_DELTA_RENAME *r) static NTSTATUS display_sam_entry(TALLOC_CTX *mem_ctx, enum netr_SamDatabaseID database_id, struct netr_DELTA_ENUM *r, - bool last_query, struct samsync_context *ctx) { union netr_DELTA_UNION u = r->delta_union; @@ -285,18 +284,22 @@ static NTSTATUS display_sam_entry(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -NTSTATUS display_sam_entries(TALLOC_CTX *mem_ctx, - enum netr_SamDatabaseID database_id, - struct netr_DELTA_ENUM_ARRAY *r, - bool last_query, - struct samsync_context *ctx) +static NTSTATUS display_sam_entries(TALLOC_CTX *mem_ctx, + enum netr_SamDatabaseID database_id, + struct netr_DELTA_ENUM_ARRAY *r, + uint64_t *sequence_num, + struct samsync_context *ctx) { int i; for (i = 0; i < r->num_deltas; i++) { display_sam_entry(mem_ctx, database_id, &r->delta_enum[i], - last_query, ctx); + ctx); } return NT_STATUS_OK; } + +const struct samsync_ops libnet_samsync_display_ops = { + .process_objects = display_sam_entries, +}; diff --git a/source3/libnet/libnet_samsync_keytab.c b/source3/libnet/libnet_samsync_keytab.c index 4b0cc06d94..cdb344604d 100644 --- a/source3/libnet/libnet_samsync_keytab.c +++ b/source3/libnet/libnet_samsync_keytab.c @@ -75,30 +75,28 @@ static NTSTATUS fetch_sam_entry_keytab(TALLOC_CTX *mem_ctx, enum netr_SamDatabaseID database_id, uint32_t rid, struct netr_DELTA_USER *r, - bool last_query, struct libnet_keytab_context *ctx) { - struct libnet_keytab_entry entry; + NTSTATUS status; + uint32_t kvno = 0; + DATA_BLOB blob; if (memcmp(r->ntpassword.hash, ctx->zero_buf, 16) == 0) { return NT_STATUS_OK; } - entry.name = talloc_strdup(mem_ctx, r->account_name.string); - entry.principal = talloc_asprintf(mem_ctx, "%s@%s", - r->account_name.string, - ctx->dns_domain_name); - entry.password = data_blob_talloc(mem_ctx, r->ntpassword.hash, 16); - entry.kvno = ads_get_kvno(ctx->ads, entry.name); - entry.enctype = ENCTYPE_NULL; - - NT_STATUS_HAVE_NO_MEMORY(entry.name); - NT_STATUS_HAVE_NO_MEMORY(entry.principal); - NT_STATUS_HAVE_NO_MEMORY(entry.password.data); - + kvno = ads_get_kvno(ctx->ads, r->account_name.string); + blob = data_blob_const(r->ntpassword.hash, 16); - ADD_TO_ARRAY(mem_ctx, struct libnet_keytab_entry, entry, - &ctx->entries, &ctx->count); + status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, + kvno, + r->account_name.string, + NULL, + ENCTYPE_ARCFOUR_HMAC, + blob); + if (!NT_STATUS_IS_OK(status)) { + return status; + } return NT_STATUS_OK; } @@ -106,72 +104,163 @@ static NTSTATUS fetch_sam_entry_keytab(TALLOC_CTX *mem_ctx, /**************************************************************** ****************************************************************/ -NTSTATUS fetch_sam_entries_keytab(TALLOC_CTX *mem_ctx, - enum netr_SamDatabaseID database_id, - struct netr_DELTA_ENUM_ARRAY *r, - bool last_query, - struct samsync_context *ctx) +static NTSTATUS init_keytab(TALLOC_CTX *mem_ctx, + struct samsync_context *ctx, + enum netr_SamDatabaseID database_id, + uint64_t *sequence_num) { - NTSTATUS status = NT_STATUS_OK; krb5_error_code ret = 0; - static struct libnet_keytab_context *keytab_ctx = NULL; - int i; - - if (!keytab_ctx) { - ret = libnet_keytab_init(mem_ctx, ctx->output_filename, - &keytab_ctx); - if (ret) { - status = krb5_to_nt_status(ret); - goto out; - } + NTSTATUS status; + struct libnet_keytab_context *keytab_ctx; + struct libnet_keytab_entry *entry; + uint64_t old_sequence_num = 0; + const char *principal = NULL; + + ret = libnet_keytab_init(mem_ctx, ctx->output_filename, &keytab_ctx); + if (ret) { + return krb5_to_nt_status(ret); } + keytab_ctx->clean_old_entries = ctx->clean_old_entries; + ctx->private_data = keytab_ctx; + status = keytab_ad_connect(mem_ctx, ctx->domain_name, ctx->username, ctx->password, keytab_ctx); if (!NT_STATUS_IS_OK(status)) { - goto out; + TALLOC_FREE(keytab_ctx); + return status; } + principal = talloc_asprintf(mem_ctx, "SEQUENCE_NUM@%s", + keytab_ctx->dns_domain_name); + NT_STATUS_HAVE_NO_MEMORY(principal); + + entry = libnet_keytab_search(keytab_ctx, principal, 0, ENCTYPE_NULL, + mem_ctx); + if (entry && (entry->password.length == 8)) { + old_sequence_num = BVAL(entry->password.data, 0); + } + + if (sequence_num) { + *sequence_num = old_sequence_num; + } + + return status; +} + +/**************************************************************** +****************************************************************/ + +static NTSTATUS fetch_sam_entries_keytab(TALLOC_CTX *mem_ctx, + enum netr_SamDatabaseID database_id, + struct netr_DELTA_ENUM_ARRAY *r, + uint64_t *sequence_num, + struct samsync_context *ctx) +{ + struct libnet_keytab_context *keytab_ctx = + (struct libnet_keytab_context *)ctx->private_data; + + NTSTATUS status = NT_STATUS_OK; + int i; + for (i = 0; i < r->num_deltas; i++) { - if (r->delta_enum[i].delta_type != NETR_DELTA_USER) { + switch (r->delta_enum[i].delta_type) { + case NETR_DELTA_USER: + break; + case NETR_DELTA_DOMAIN: + if (sequence_num) { + *sequence_num = + r->delta_enum[i].delta_union.domain->sequence_num; + } + continue; + case NETR_DELTA_MODIFY_COUNT: + if (sequence_num) { + *sequence_num = + *r->delta_enum[i].delta_union.modified_count; + } + continue; + default: continue; } status = fetch_sam_entry_keytab(mem_ctx, database_id, r->delta_enum[i].delta_id_union.rid, r->delta_enum[i].delta_union.user, - last_query, keytab_ctx); if (!NT_STATUS_IS_OK(status)) { goto out; } } + out: + return status; +} - if (last_query) { +/**************************************************************** +****************************************************************/ + +static NTSTATUS close_keytab(TALLOC_CTX *mem_ctx, + struct samsync_context *ctx, + enum netr_SamDatabaseID database_id, + uint64_t sequence_num) +{ + struct libnet_keytab_context *keytab_ctx = + (struct libnet_keytab_context *)ctx->private_data; + krb5_error_code ret; + NTSTATUS status; + struct libnet_keytab_entry *entry; + uint64_t old_sequence_num = 0; + const char *principal = NULL; + + principal = talloc_asprintf(mem_ctx, "SEQUENCE_NUM@%s", + keytab_ctx->dns_domain_name); + NT_STATUS_HAVE_NO_MEMORY(principal); + + + entry = libnet_keytab_search(keytab_ctx, principal, 0, ENCTYPE_NULL, + mem_ctx); + if (entry && (entry->password.length == 8)) { + old_sequence_num = BVAL(entry->password.data, 0); + } - ret = libnet_keytab_add(keytab_ctx); - if (ret) { - status = krb5_to_nt_status(ret); - ctx->error_message = talloc_asprintf(mem_ctx, - "Failed to add entries to keytab %s: %s", - keytab_ctx->keytab_name, error_message(ret)); - goto out; - } - ctx->result_message = talloc_asprintf(mem_ctx, - "Vampired %d accounts to keytab %s", - keytab_ctx->count, - keytab_ctx->keytab_name); + if (sequence_num > old_sequence_num) { + DATA_BLOB blob; + blob = data_blob_talloc_zero(mem_ctx, 8); + SBVAL(blob.data, 0, sequence_num); + + status = libnet_keytab_add_to_keytab_entries(mem_ctx, keytab_ctx, + 0, + "SEQUENCE_NUM", + NULL, + ENCTYPE_NULL, + blob); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + } + ret = libnet_keytab_add(keytab_ctx); + if (ret) { + status = krb5_to_nt_status(ret); + ctx->error_message = talloc_asprintf(ctx, + "Failed to add entries to keytab %s: %s", + keytab_ctx->keytab_name, error_message(ret)); TALLOC_FREE(keytab_ctx); + return status; } - return NT_STATUS_OK; - out: + ctx->result_message = talloc_asprintf(ctx, + "Vampired %d accounts to keytab %s", + keytab_ctx->count, + keytab_ctx->keytab_name); + + status = NT_STATUS_OK; + + done: TALLOC_FREE(keytab_ctx); return status; @@ -179,13 +268,35 @@ NTSTATUS fetch_sam_entries_keytab(TALLOC_CTX *mem_ctx, #else -NTSTATUS fetch_sam_entries_keytab(TALLOC_CTX *mem_ctx, - enum netr_SamDatabaseID database_id, - struct netr_DELTA_ENUM_ARRAY *r, - bool last_query, - struct samsync_context *ctx) +static NTSTATUS init_keytab(TALLOC_CTX *mem_ctx, + struct samsync_context *ctx, + enum netr_SamDatabaseID database_id, + uint64_t *sequence_num) +{ + return NT_STATUS_NOT_SUPPORTED; +} + +static NTSTATUS fetch_sam_entries_keytab(TALLOC_CTX *mem_ctx, + enum netr_SamDatabaseID database_id, + struct netr_DELTA_ENUM_ARRAY *r, + uint64_t *sequence_num, + struct samsync_context *ctx) +{ + return NT_STATUS_NOT_SUPPORTED; +} + +static NTSTATUS close_keytab(TALLOC_CTX *mem_ctx, + struct samsync_context *ctx, + enum netr_SamDatabaseID database_id, + uint64_t sequence_num) { return NT_STATUS_NOT_SUPPORTED; } #endif /* defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC) */ + +const struct samsync_ops libnet_samsync_keytab_ops = { + .startup = init_keytab, + .process_objects = fetch_sam_entries_keytab, + .finish = close_keytab +}; diff --git a/source3/libnet/libnet_samsync_ldif.c b/source3/libnet/libnet_samsync_ldif.c index dd5380b6b8..c72eadf03f 100644 --- a/source3/libnet/libnet_samsync_ldif.c +++ b/source3/libnet/libnet_samsync_ldif.c @@ -32,6 +32,10 @@ static uint32 ldif_gid = 999; static uint32 ldif_uid = 999; +/* global counters */ +static uint32_t g_index = 0; +static uint32_t a_index = 0; + /* Structure for mapping accounts to groups */ /* Array element is the group rid */ typedef struct _groupmap { @@ -1046,8 +1050,8 @@ static NTSTATUS fetch_sam_entry_ldif(TALLOC_CTX *mem_ctx, enum netr_SamDatabaseID database_id, struct netr_DELTA_ENUM *r, struct samsync_context *ctx, - uint32_t *a_index, - uint32_t *g_index) + uint32_t *a_index_p, + uint32_t *g_index_p) { union netr_DELTA_UNION u = r->delta_union; union netr_DELTA_ID_UNION id = r->delta_id_union; @@ -1061,34 +1065,34 @@ static NTSTATUS fetch_sam_entry_ldif(TALLOC_CTX *mem_ctx, case NETR_DELTA_GROUP: fetch_group_info_to_ldif(mem_ctx, u.group, - &l->groupmap[*g_index], + &l->groupmap[*g_index_p], l->add_file, ctx->domain_sid_str, l->suffix); - (*g_index)++; + (*g_index_p)++; break; case NETR_DELTA_USER: fetch_account_info_to_ldif(mem_ctx, u.user, l->groupmap, - &l->accountmap[*a_index], + &l->accountmap[*a_index_p], l->add_file, ctx->domain_sid_str, l->suffix, l->num_alloced); - (*a_index)++; + (*a_index_p)++; break; case NETR_DELTA_ALIAS: fetch_alias_info_to_ldif(mem_ctx, u.alias, - &l->groupmap[*g_index], + &l->groupmap[*g_index_p], l->add_file, ctx->domain_sid_str, l->suffix, database_id); - (*g_index)++; + (*g_index_p)++; break; case NETR_DELTA_GROUP_MEMBER: @@ -1156,15 +1160,12 @@ static NTSTATUS ldif_realloc_maps(TALLOC_CTX *mem_ctx, /**************************************************************** ****************************************************************/ -NTSTATUS fetch_sam_entries_ldif(TALLOC_CTX *mem_ctx, - enum netr_SamDatabaseID database_id, - struct netr_DELTA_ENUM_ARRAY *r, - bool last_query, - struct samsync_context *ctx) +static NTSTATUS init_ldif(TALLOC_CTX *mem_ctx, + struct samsync_context *ctx, + enum netr_SamDatabaseID database_id, + uint64_t *sequence_num) { NTSTATUS status; - int i; - uint32_t g_index = 0, a_index = 0; struct samsync_ldif_context *ldif_ctx = (struct samsync_ldif_context *)ctx->private_data; @@ -1174,11 +1175,28 @@ NTSTATUS fetch_sam_entries_ldif(TALLOC_CTX *mem_ctx, ctx->domain_sid_str, &ldif_ctx); if (!NT_STATUS_IS_OK(status)) { - goto failed; + return status; } ctx->private_data = ldif_ctx; + return NT_STATUS_OK; +} + +/**************************************************************** +****************************************************************/ + +static NTSTATUS fetch_sam_entries_ldif(TALLOC_CTX *mem_ctx, + enum netr_SamDatabaseID database_id, + struct netr_DELTA_ENUM_ARRAY *r, + uint64_t *sequence_num, + struct samsync_context *ctx) +{ + NTSTATUS status; + int i; + struct samsync_ldif_context *ldif_ctx = + (struct samsync_ldif_context *)ctx->private_data; + status = ldif_realloc_maps(mem_ctx, ldif_ctx, r->num_deltas); if (!NT_STATUS_IS_OK(status)) { goto failed; @@ -1193,18 +1211,6 @@ NTSTATUS fetch_sam_entries_ldif(TALLOC_CTX *mem_ctx, } } - /* This was the last query */ - if (last_query) { - ldif_write_output(database_id, ldif_ctx); - if (ldif_ctx->ldif_file != stdout) { - ctx->result_message = talloc_asprintf(mem_ctx, - "Vampired %d accounts and %d groups to %s", - a_index, g_index, ctx->output_filename); - } - ldif_free_context(ldif_ctx); - ctx->private_data = NULL; - } - return NT_STATUS_OK; failed: @@ -1214,15 +1220,62 @@ NTSTATUS fetch_sam_entries_ldif(TALLOC_CTX *mem_ctx, return status; } +/**************************************************************** +****************************************************************/ + +static NTSTATUS close_ldif(TALLOC_CTX *mem_ctx, + struct samsync_context *ctx, + enum netr_SamDatabaseID database_id, + uint64_t sequence_num) +{ + struct samsync_ldif_context *ldif_ctx = + (struct samsync_ldif_context *)ctx->private_data; + + /* This was the last query */ + ldif_write_output(database_id, ldif_ctx); + if (ldif_ctx->ldif_file != stdout) { + ctx->result_message = talloc_asprintf(ctx, + "Vampired %d accounts and %d groups to %s", + a_index, g_index, ctx->output_filename); + } + + ldif_free_context(ldif_ctx); + ctx->private_data = NULL; + + return NT_STATUS_OK; +} + #else /* HAVE_LDAP */ -NTSTATUS fetch_sam_entries_ldif(TALLOC_CTX *mem_ctx, - enum netr_SamDatabaseID database_id, - struct netr_DELTA_ENUM_ARRAY *r, - bool last_query, - struct samsync_context *ctx) +static NTSTATUS init_ldif(TALLOC_CTX *mem_ctx, + struct samsync_context *ctx, + enum netr_SamDatabaseID database_id, + uint64_t *sequence_num) +{ + return NT_STATUS_NOT_SUPPORTED; +} + +static NTSTATUS fetch_sam_entries_ldif(TALLOC_CTX *mem_ctx, + enum netr_SamDatabaseID database_id, + struct netr_DELTA_ENUM_ARRAY *r, + uint64_t *sequence_num, + struct samsync_context *ctx) +{ + return NT_STATUS_NOT_SUPPORTED; +} + +static NTSTATUS close_ldif(TALLOC_CTX *mem_ctx, + struct samsync_context *ctx, + enum netr_SamDatabaseID database_id, + uint64_t sequence_num) { return NT_STATUS_NOT_SUPPORTED; } #endif + +const struct samsync_ops libnet_samsync_ldif_ops = { + .startup = init_ldif, + .process_objects = fetch_sam_entries_ldif, + .finish = close_ldif, +}; diff --git a/source3/libnet/libnet_samsync_passdb.c b/source3/libnet/libnet_samsync_passdb.c index 1faef7b3eb..388b10a0fa 100644 --- a/source3/libnet/libnet_samsync_passdb.c +++ b/source3/libnet/libnet_samsync_passdb.c @@ -118,12 +118,12 @@ static NTSTATUS sam_account_from_delta(struct samu *account, pdb_set_profile_path(account, new_string, PDB_CHANGED); } - if (r->parameters.string) { + if (r->parameters.array) { DATA_BLOB mung; char *newstr; old_string = pdb_get_munged_dial(account); - mung.length = r->parameters.length; - mung.data = (uint8 *) r->parameters.string; + mung.length = r->parameters.length * 2; + mung.data = (uint8_t *) r->parameters.array; newstr = (mung.length == 0) ? NULL : base64_encode_data_blob(talloc_tos(), mung); @@ -772,11 +772,11 @@ static NTSTATUS fetch_sam_entry(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -NTSTATUS fetch_sam_entries(TALLOC_CTX *mem_ctx, - enum netr_SamDatabaseID database_id, - struct netr_DELTA_ENUM_ARRAY *r, - bool last_query, - struct samsync_context *ctx) +static NTSTATUS fetch_sam_entries(TALLOC_CTX *mem_ctx, + enum netr_SamDatabaseID database_id, + struct netr_DELTA_ENUM_ARRAY *r, + uint64_t *sequence_num, + struct samsync_context *ctx) { int i; @@ -786,3 +786,7 @@ NTSTATUS fetch_sam_entries(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } + +const struct samsync_ops libnet_samsync_passdb_ops = { + .process_objects = fetch_sam_entries, +}; diff --git a/source3/librpc/gen_ndr/cli_eventlog.c b/source3/librpc/gen_ndr/cli_eventlog.c index 08456fc994..02d8fb2e65 100644 --- a/source3/librpc/gen_ndr/cli_eventlog.c +++ b/source3/librpc/gen_ndr/cli_eventlog.c @@ -278,8 +278,8 @@ NTSTATUS rpccli_eventlog_OpenEventLogW(struct rpc_pipe_client *cli, struct eventlog_OpenUnknown0 *unknown0 /* [in] [unique] */, struct lsa_String *logname /* [in] [ref] */, struct lsa_String *servername /* [in] [ref] */, - uint32_t unknown2 /* [in] */, - uint32_t unknown3 /* [in] */, + uint32_t major_version /* [in] */, + uint32_t minor_version /* [in] */, struct policy_handle *handle /* [out] [ref] */) { struct eventlog_OpenEventLogW r; @@ -289,8 +289,8 @@ NTSTATUS rpccli_eventlog_OpenEventLogW(struct rpc_pipe_client *cli, r.in.unknown0 = unknown0; r.in.logname = logname; r.in.servername = servername; - r.in.unknown2 = unknown2; - r.in.unknown3 = unknown3; + r.in.major_version = major_version; + r.in.minor_version = minor_version; if (DEBUGLEVEL >= 10) { NDR_PRINT_IN_DEBUG(eventlog_OpenEventLogW, &r); diff --git a/source3/librpc/gen_ndr/cli_eventlog.h b/source3/librpc/gen_ndr/cli_eventlog.h index 6945683340..0594a06f59 100644 --- a/source3/librpc/gen_ndr/cli_eventlog.h +++ b/source3/librpc/gen_ndr/cli_eventlog.h @@ -27,8 +27,8 @@ NTSTATUS rpccli_eventlog_OpenEventLogW(struct rpc_pipe_client *cli, struct eventlog_OpenUnknown0 *unknown0 /* [in] [unique] */, struct lsa_String *logname /* [in] [ref] */, struct lsa_String *servername /* [in] [ref] */, - uint32_t unknown2 /* [in] */, - uint32_t unknown3 /* [in] */, + uint32_t major_version /* [in] */, + uint32_t minor_version /* [in] */, struct policy_handle *handle /* [out] [ref] */); NTSTATUS rpccli_eventlog_RegisterEventSourceW(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx); diff --git a/source3/librpc/gen_ndr/cli_netlogon.c b/source3/librpc/gen_ndr/cli_netlogon.c index 275c83a450..1af3249473 100644 --- a/source3/librpc/gen_ndr/cli_netlogon.c +++ b/source3/librpc/gen_ndr/cli_netlogon.c @@ -892,8 +892,8 @@ NTSTATUS rpccli_netr_DatabaseRedo(struct rpc_pipe_client *cli, const char *computername /* [in] [charset(UTF16)] */, struct netr_Authenticator *credential /* [in] [ref] */, struct netr_Authenticator *return_authenticator /* [in,out] [ref] */, - uint8_t *change_log_entry /* [in] [ref,size_is(change_log_entry_size)] */, - uint32_t change_log_entry_size /* [in] */, + struct netr_ChangeLogEntry change_log_entry /* [in] [subcontext_size(change_log_entry_size),subcontext(4)] */, + uint32_t change_log_entry_size /* [in] [value(ndr_size_netr_ChangeLogEntry(&change_log_entry,ndr->flags))] */, struct netr_DELTA_ENUM_ARRAY **delta_enum_array /* [out] [ref] */) { struct netr_DatabaseRedo r; diff --git a/source3/librpc/gen_ndr/cli_netlogon.h b/source3/librpc/gen_ndr/cli_netlogon.h index 5adf8e8cad..9f5eac15b2 100644 --- a/source3/librpc/gen_ndr/cli_netlogon.h +++ b/source3/librpc/gen_ndr/cli_netlogon.h @@ -158,8 +158,8 @@ NTSTATUS rpccli_netr_DatabaseRedo(struct rpc_pipe_client *cli, const char *computername /* [in] [charset(UTF16)] */, struct netr_Authenticator *credential /* [in] [ref] */, struct netr_Authenticator *return_authenticator /* [in,out] [ref] */, - uint8_t *change_log_entry /* [in] [ref,size_is(change_log_entry_size)] */, - uint32_t change_log_entry_size /* [in] */, + struct netr_ChangeLogEntry change_log_entry /* [in] [subcontext_size(change_log_entry_size),subcontext(4)] */, + uint32_t change_log_entry_size /* [in] [value(ndr_size_netr_ChangeLogEntry(&change_log_entry,ndr->flags))] */, struct netr_DELTA_ENUM_ARRAY **delta_enum_array /* [out] [ref] */); NTSTATUS rpccli_netr_LogonControl2Ex(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, diff --git a/source3/librpc/gen_ndr/cli_ntsvcs.c b/source3/librpc/gen_ndr/cli_ntsvcs.c index f8ef7a99ad..0f97970e0b 100644 --- a/source3/librpc/gen_ndr/cli_ntsvcs.c +++ b/source3/librpc/gen_ndr/cli_ntsvcs.c @@ -564,7 +564,7 @@ NTSTATUS rpccli_PNP_GetDeviceRegProp(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, const char *devicepath /* [in] [ref,charset(UTF16)] */, uint32_t property /* [in] */, - uint32_t *reg_data_type /* [in,out] [ref] */, + enum winreg_Type *reg_data_type /* [in,out] [ref] */, uint8_t *buffer /* [out] [ref,length_is(*buffer_size),size_is(*buffer_size)] */, uint32_t *buffer_size /* [in,out] [ref] */, uint32_t *needed /* [in,out] [ref] */, @@ -1686,29 +1686,29 @@ NTSTATUS rpccli_PNP_RequestEjectPC(struct rpc_pipe_client *cli, NTSTATUS rpccli_PNP_HwProfFlags(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - uint32_t unknown1 /* [in] */, + uint32_t action /* [in] */, const char *devicepath /* [in] [ref,charset(UTF16)] */, - uint32_t unknown2 /* [in] */, - uint32_t *unknown3 /* [in,out] [ref] */, - uint16_t *unknown4 /* [in,out] [unique] */, + uint32_t config /* [in] */, + uint32_t *profile_flags /* [in,out] [ref] */, + uint16_t *veto_type /* [in,out] [unique] */, const char *unknown5 /* [in] [unique,charset(UTF16)] */, const char **unknown5a /* [out] [unique,charset(UTF16)] */, - uint32_t unknown6 /* [in] */, - uint32_t unknown7 /* [in] */, + uint32_t name_length /* [in] */, + uint32_t flags /* [in] */, WERROR *werror) { struct PNP_HwProfFlags r; NTSTATUS status; /* In parameters */ - r.in.unknown1 = unknown1; + r.in.action = action; r.in.devicepath = devicepath; - r.in.unknown2 = unknown2; - r.in.unknown3 = unknown3; - r.in.unknown4 = unknown4; + r.in.config = config; + r.in.profile_flags = profile_flags; + r.in.veto_type = veto_type; r.in.unknown5 = unknown5; - r.in.unknown6 = unknown6; - r.in.unknown7 = unknown7; + r.in.name_length = name_length; + r.in.flags = flags; if (DEBUGLEVEL >= 10) { NDR_PRINT_IN_DEBUG(PNP_HwProfFlags, &r); @@ -1733,9 +1733,9 @@ NTSTATUS rpccli_PNP_HwProfFlags(struct rpc_pipe_client *cli, } /* Return variables */ - *unknown3 = *r.out.unknown3; - if (unknown4 && r.out.unknown4) { - *unknown4 = *r.out.unknown4; + *profile_flags = *r.out.profile_flags; + if (veto_type && r.out.veto_type) { + *veto_type = *r.out.veto_type; } if (unknown5a && r.out.unknown5a) { *unknown5a = *r.out.unknown5a; @@ -1753,8 +1753,8 @@ NTSTATUS rpccli_PNP_GetHwProfInfo(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, uint32_t idx /* [in] */, struct PNP_HwProfInfo *info /* [in,out] [ref] */, - uint32_t unknown1 /* [in] */, - uint32_t unknown2 /* [in] */, + uint32_t size /* [in] */, + uint32_t flags /* [in] */, WERROR *werror) { struct PNP_GetHwProfInfo r; @@ -1763,8 +1763,8 @@ NTSTATUS rpccli_PNP_GetHwProfInfo(struct rpc_pipe_client *cli, /* In parameters */ r.in.idx = idx; r.in.info = info; - r.in.unknown1 = unknown1; - r.in.unknown2 = unknown2; + r.in.size = size; + r.in.flags = flags; if (DEBUGLEVEL >= 10) { NDR_PRINT_IN_DEBUG(PNP_GetHwProfInfo, &r); diff --git a/source3/librpc/gen_ndr/cli_ntsvcs.h b/source3/librpc/gen_ndr/cli_ntsvcs.h index 4ed8a401ec..fc4a9f4a71 100644 --- a/source3/librpc/gen_ndr/cli_ntsvcs.h +++ b/source3/librpc/gen_ndr/cli_ntsvcs.h @@ -54,7 +54,7 @@ NTSTATUS rpccli_PNP_GetDeviceRegProp(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, const char *devicepath /* [in] [ref,charset(UTF16)] */, uint32_t property /* [in] */, - uint32_t *reg_data_type /* [in,out] [ref] */, + enum winreg_Type *reg_data_type /* [in,out] [ref] */, uint8_t *buffer /* [out] [ref,length_is(*buffer_size),size_is(*buffer_size)] */, uint32_t *buffer_size /* [in,out] [ref] */, uint32_t *needed /* [in,out] [ref] */, @@ -140,22 +140,22 @@ NTSTATUS rpccli_PNP_RequestEjectPC(struct rpc_pipe_client *cli, WERROR *werror); NTSTATUS rpccli_PNP_HwProfFlags(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - uint32_t unknown1 /* [in] */, + uint32_t action /* [in] */, const char *devicepath /* [in] [ref,charset(UTF16)] */, - uint32_t unknown2 /* [in] */, - uint32_t *unknown3 /* [in,out] [ref] */, - uint16_t *unknown4 /* [in,out] [unique] */, + uint32_t config /* [in] */, + uint32_t *profile_flags /* [in,out] [ref] */, + uint16_t *veto_type /* [in,out] [unique] */, const char *unknown5 /* [in] [unique,charset(UTF16)] */, const char **unknown5a /* [out] [unique,charset(UTF16)] */, - uint32_t unknown6 /* [in] */, - uint32_t unknown7 /* [in] */, + uint32_t name_length /* [in] */, + uint32_t flags /* [in] */, WERROR *werror); NTSTATUS rpccli_PNP_GetHwProfInfo(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, uint32_t idx /* [in] */, struct PNP_HwProfInfo *info /* [in,out] [ref] */, - uint32_t unknown1 /* [in] */, - uint32_t unknown2 /* [in] */, + uint32_t size /* [in] */, + uint32_t flags /* [in] */, WERROR *werror); NTSTATUS rpccli_PNP_AddEmptyLogConf(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, diff --git a/source3/librpc/gen_ndr/cli_samr.c b/source3/librpc/gen_ndr/cli_samr.c index 179bd0007f..7edb790286 100644 --- a/source3/librpc/gen_ndr/cli_samr.c +++ b/source3/librpc/gen_ndr/cli_samr.c @@ -2838,7 +2838,7 @@ NTSTATUS rpccli_samr_RidToSid(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *domain_handle /* [in] [ref] */, uint32_t rid /* [in] */, - struct dom_sid2 *sid /* [out] [ref] */) + struct dom_sid2 **sid /* [out] [ref] */) { struct samr_RidToSid r; NTSTATUS status; diff --git a/source3/librpc/gen_ndr/cli_samr.h b/source3/librpc/gen_ndr/cli_samr.h index 7216d0cf3d..b57d63334e 100644 --- a/source3/librpc/gen_ndr/cli_samr.h +++ b/source3/librpc/gen_ndr/cli_samr.h @@ -375,7 +375,7 @@ NTSTATUS rpccli_samr_RidToSid(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *domain_handle /* [in] [ref] */, uint32_t rid /* [in] */, - struct dom_sid2 *sid /* [out] [ref] */); + struct dom_sid2 **sid /* [out] [ref] */); NTSTATUS rpccli_samr_SetDsrmPassword(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct lsa_String *name /* [in] [unique] */, diff --git a/source3/librpc/gen_ndr/cli_svcctl.c b/source3/librpc/gen_ndr/cli_svcctl.c index e5fd4dac87..9f11a40d7e 100644 --- a/source3/librpc/gen_ndr/cli_svcctl.c +++ b/source3/librpc/gen_ndr/cli_svcctl.c @@ -53,7 +53,7 @@ NTSTATUS rpccli_svcctl_CloseServiceHandle(struct rpc_pipe_client *cli, NTSTATUS rpccli_svcctl_ControlService(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *handle /* [in] [ref] */, - uint32_t control /* [in] */, + enum SERVICE_CONTROL control /* [in] */, struct SERVICE_STATUS *service_status /* [out] [ref] */, WERROR *werror) { @@ -702,10 +702,10 @@ NTSTATUS rpccli_svcctl_EnumServicesStatusW(struct rpc_pipe_client *cli, struct policy_handle *handle /* [in] [ref] */, uint32_t type /* [in] */, uint32_t state /* [in] */, - uint32_t buf_size /* [in] */, - uint8_t *service /* [out] [size_is(buf_size)] */, - uint32_t *bytes_needed /* [out] [ref] */, - uint32_t *services_returned /* [out] [ref] */, + uint8_t *service /* [out] [ref,size_is(buf_size)] */, + uint32_t buf_size /* [in] [range(0,262144)] */, + uint32_t *bytes_needed /* [out] [ref,range(0,262144)] */, + uint32_t *services_returned /* [out] [ref,range(0,262144)] */, uint32_t *resume_handle /* [in,out] [unique] */, WERROR *werror) { @@ -1976,9 +1976,9 @@ NTSTATUS rpccli_svcctl_QueryServiceConfig2W(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *handle /* [in] [ref] */, uint32_t info_level /* [in] */, - uint8_t *buffer /* [out] */, - uint32_t buf_size /* [in] */, - uint32_t *bytes_needed /* [out] [ref] */, + uint8_t *buffer /* [out] [ref,size_is(buf_size)] */, + uint32_t buf_size /* [in] [range(0,8192)] */, + uint32_t *bytes_needed /* [out] [ref,range(0,8192)] */, WERROR *werror) { struct svcctl_QueryServiceConfig2W r; @@ -2027,9 +2027,9 @@ NTSTATUS rpccli_svcctl_QueryServiceStatusEx(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *handle /* [in] [ref] */, uint32_t info_level /* [in] */, - uint8_t *buffer /* [out] */, - uint32_t buf_size /* [in] */, - uint32_t *bytes_needed /* [out] [ref] */, + uint8_t *buffer /* [out] [ref,size_is(buf_size)] */, + uint32_t buf_size /* [in] [range(0,8192)] */, + uint32_t *bytes_needed /* [out] [ref,range(0,8192)] */, WERROR *werror) { struct svcctl_QueryServiceStatusEx r; @@ -2144,12 +2144,12 @@ NTSTATUS rpccli_EnumServicesStatusExW(struct rpc_pipe_client *cli, uint32_t info_level /* [in] */, uint32_t type /* [in] */, uint32_t state /* [in] */, - uint8_t *services /* [out] */, - uint32_t buf_size /* [in] */, - uint32_t *bytes_needed /* [out] [ref] */, - uint32_t *service_returned /* [out] [ref] */, - uint32_t *resume_handle /* [in,out] [unique] */, - const char **group_name /* [out] [ref,charset(UTF16)] */, + uint8_t *services /* [out] [ref,size_is(buf_size)] */, + uint32_t buf_size /* [in] [range(0,262144)] */, + uint32_t *bytes_needed /* [out] [ref,range(0,262144)] */, + uint32_t *service_returned /* [out] [ref,range(0,262144)] */, + uint32_t *resume_handle /* [in,out] [unique,range(0,262144)] */, + const char *group_name /* [in] [unique,charset(UTF16)] */, WERROR *werror) { struct EnumServicesStatusExW r; @@ -2162,6 +2162,7 @@ NTSTATUS rpccli_EnumServicesStatusExW(struct rpc_pipe_client *cli, r.in.state = state; r.in.buf_size = buf_size; r.in.resume_handle = resume_handle; + r.in.group_name = group_name; if (DEBUGLEVEL >= 10) { NDR_PRINT_IN_DEBUG(EnumServicesStatusExW, &r); @@ -2192,7 +2193,6 @@ NTSTATUS rpccli_EnumServicesStatusExW(struct rpc_pipe_client *cli, if (resume_handle && r.out.resume_handle) { *resume_handle = *r.out.resume_handle; } - *group_name = *r.out.group_name; /* Return result */ if (werror) { diff --git a/source3/librpc/gen_ndr/cli_svcctl.h b/source3/librpc/gen_ndr/cli_svcctl.h index 02abbadf1e..78c9bf40d8 100644 --- a/source3/librpc/gen_ndr/cli_svcctl.h +++ b/source3/librpc/gen_ndr/cli_svcctl.h @@ -8,7 +8,7 @@ NTSTATUS rpccli_svcctl_CloseServiceHandle(struct rpc_pipe_client *cli, NTSTATUS rpccli_svcctl_ControlService(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *handle /* [in] [ref] */, - uint32_t control /* [in] */, + enum SERVICE_CONTROL control /* [in] */, struct SERVICE_STATUS *service_status /* [out] [ref] */, WERROR *werror); NTSTATUS rpccli_svcctl_DeleteService(struct rpc_pipe_client *cli, @@ -104,10 +104,10 @@ NTSTATUS rpccli_svcctl_EnumServicesStatusW(struct rpc_pipe_client *cli, struct policy_handle *handle /* [in] [ref] */, uint32_t type /* [in] */, uint32_t state /* [in] */, - uint32_t buf_size /* [in] */, - uint8_t *service /* [out] [size_is(buf_size)] */, - uint32_t *bytes_needed /* [out] [ref] */, - uint32_t *services_returned /* [out] [ref] */, + uint8_t *service /* [out] [ref,size_is(buf_size)] */, + uint32_t buf_size /* [in] [range(0,262144)] */, + uint32_t *bytes_needed /* [out] [ref,range(0,262144)] */, + uint32_t *services_returned /* [out] [ref,range(0,262144)] */, uint32_t *resume_handle /* [in,out] [unique] */, WERROR *werror); NTSTATUS rpccli_svcctl_OpenSCManagerW(struct rpc_pipe_client *cli, @@ -292,17 +292,17 @@ NTSTATUS rpccli_svcctl_QueryServiceConfig2W(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *handle /* [in] [ref] */, uint32_t info_level /* [in] */, - uint8_t *buffer /* [out] */, - uint32_t buf_size /* [in] */, - uint32_t *bytes_needed /* [out] [ref] */, + uint8_t *buffer /* [out] [ref,size_is(buf_size)] */, + uint32_t buf_size /* [in] [range(0,8192)] */, + uint32_t *bytes_needed /* [out] [ref,range(0,8192)] */, WERROR *werror); NTSTATUS rpccli_svcctl_QueryServiceStatusEx(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *handle /* [in] [ref] */, uint32_t info_level /* [in] */, - uint8_t *buffer /* [out] */, - uint32_t buf_size /* [in] */, - uint32_t *bytes_needed /* [out] [ref] */, + uint8_t *buffer /* [out] [ref,size_is(buf_size)] */, + uint32_t buf_size /* [in] [range(0,8192)] */, + uint32_t *bytes_needed /* [out] [ref,range(0,8192)] */, WERROR *werror); NTSTATUS rpccli_EnumServicesStatusExA(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, @@ -323,12 +323,12 @@ NTSTATUS rpccli_EnumServicesStatusExW(struct rpc_pipe_client *cli, uint32_t info_level /* [in] */, uint32_t type /* [in] */, uint32_t state /* [in] */, - uint8_t *services /* [out] */, - uint32_t buf_size /* [in] */, - uint32_t *bytes_needed /* [out] [ref] */, - uint32_t *service_returned /* [out] [ref] */, - uint32_t *resume_handle /* [in,out] [unique] */, - const char **group_name /* [out] [ref,charset(UTF16)] */, + uint8_t *services /* [out] [ref,size_is(buf_size)] */, + uint32_t buf_size /* [in] [range(0,262144)] */, + uint32_t *bytes_needed /* [out] [ref,range(0,262144)] */, + uint32_t *service_returned /* [out] [ref,range(0,262144)] */, + uint32_t *resume_handle /* [in,out] [unique,range(0,262144)] */, + const char *group_name /* [in] [unique,charset(UTF16)] */, WERROR *werror); NTSTATUS rpccli_svcctl_SCSendTSMessage(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, diff --git a/source3/librpc/gen_ndr/dom_sid.h b/source3/librpc/gen_ndr/dom_sid.h new file mode 100644 index 0000000000..57dd16855a --- /dev/null +++ b/source3/librpc/gen_ndr/dom_sid.h @@ -0,0 +1,15 @@ +/* header auto-generated by pidl */ + +#include <stdint.h> + +#define dom_sid2 dom_sid +#define dom_sid28 dom_sid +#define dom_sid0 dom_sid +#ifndef _HEADER_dom_sid +#define _HEADER_dom_sid + +struct _dummy_domsid { + uint8_t dummy; +}; + +#endif /* _HEADER_dom_sid */ diff --git a/source3/librpc/gen_ndr/eventlog.h b/source3/librpc/gen_ndr/eventlog.h index 0fd929dd99..76b9e863bb 100644 --- a/source3/librpc/gen_ndr/eventlog.h +++ b/source3/librpc/gen_ndr/eventlog.h @@ -131,8 +131,8 @@ struct eventlog_OpenEventLogW { struct eventlog_OpenUnknown0 *unknown0;/* [unique] */ struct lsa_String *logname;/* [ref] */ struct lsa_String *servername;/* [ref] */ - uint32_t unknown2; - uint32_t unknown3; + uint32_t major_version; + uint32_t minor_version; } in; struct { diff --git a/source3/librpc/gen_ndr/misc.h b/source3/librpc/gen_ndr/misc.h index b3740faf34..d1cf64e0eb 100644 --- a/source3/librpc/gen_ndr/misc.h +++ b/source3/librpc/gen_ndr/misc.h @@ -42,36 +42,4 @@ enum netr_SchannelType #endif ; -enum netr_SamDatabaseID -#ifndef USE_UINT_ENUMS - { - SAM_DATABASE_DOMAIN=0, - SAM_DATABASE_BUILTIN=1, - SAM_DATABASE_PRIVS=2 -} -#else - { __donnot_use_enum_netr_SamDatabaseID=0x7FFFFFFF} -#define SAM_DATABASE_DOMAIN ( 0 ) -#define SAM_DATABASE_BUILTIN ( 1 ) -#define SAM_DATABASE_PRIVS ( 2 ) -#endif -; - -enum samr_RejectReason -#ifndef USE_UINT_ENUMS - { - SAMR_REJECT_OTHER=0, - SAMR_REJECT_TOO_SHORT=1, - SAMR_REJECT_IN_HISTORY=2, - SAMR_REJECT_COMPLEXITY=5 -} -#else - { __donnot_use_enum_samr_RejectReason=0x7FFFFFFF} -#define SAMR_REJECT_OTHER ( 0 ) -#define SAMR_REJECT_TOO_SHORT ( 1 ) -#define SAMR_REJECT_IN_HISTORY ( 2 ) -#define SAMR_REJECT_COMPLEXITY ( 5 ) -#endif -; - #endif /* _HEADER_misc */ diff --git a/source3/librpc/gen_ndr/named_pipe_auth.h b/source3/librpc/gen_ndr/named_pipe_auth.h new file mode 100644 index 0000000000..5f4ba9afb1 --- /dev/null +++ b/source3/librpc/gen_ndr/named_pipe_auth.h @@ -0,0 +1,32 @@ +/* header auto-generated by pidl */ + +#include <stdint.h> + +#include "librpc/gen_ndr/netlogon.h" +#ifndef _HEADER_named_pipe_auth +#define _HEADER_named_pipe_auth + +#define NAMED_PIPE_AUTH_MAGIC ( "NPAM" ) +union named_pipe_auth_req_info { + struct netr_SamInfo3 info1;/* [case] */ +}/* [switch_type(uint32)] */; + +struct named_pipe_auth_req { + uint32_t length;/* [value(ndr_size_named_pipe_auth_req(r,ndr->flags)-4),flag(LIBNDR_FLAG_BIGENDIAN)] */ + const char *magic;/* [value(NAMED_PIPE_AUTH_MAGIC),charset(DOS)] */ + uint32_t level; + union named_pipe_auth_req_info info;/* [switch_is(level)] */ +}/* [gensize,public] */; + +union named_pipe_auth_rep_info { +}/* [switch_type(uint32)] */; + +struct named_pipe_auth_rep { + uint32_t length;/* [value(ndr_size_named_pipe_auth_rep(r,ndr->flags)-4),flag(LIBNDR_FLAG_BIGENDIAN)] */ + const char *magic;/* [value(NAMED_PIPE_AUTH_MAGIC),charset(DOS)] */ + uint32_t level; + union named_pipe_auth_rep_info info;/* [switch_is(level)] */ + NTSTATUS status; +}/* [gensize,public] */; + +#endif /* _HEADER_named_pipe_auth */ diff --git a/source3/librpc/gen_ndr/ndr_dom_sid.h b/source3/librpc/gen_ndr/ndr_dom_sid.h new file mode 100644 index 0000000000..145ec1db46 --- /dev/null +++ b/source3/librpc/gen_ndr/ndr_dom_sid.h @@ -0,0 +1,10 @@ +/* header auto-generated by pidl */ + +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/dom_sid.h" + +#ifndef _HEADER_NDR_dom_sid +#define _HEADER_NDR_dom_sid + +#define NDR_DOM_SID_CALL_COUNT (0) +#endif /* _HEADER_NDR_dom_sid */ diff --git a/source3/librpc/gen_ndr/ndr_eventlog.c b/source3/librpc/gen_ndr/ndr_eventlog.c index f0c7ee4d61..12fa9fcec4 100644 --- a/source3/librpc/gen_ndr/ndr_eventlog.c +++ b/source3/librpc/gen_ndr/ndr_eventlog.c @@ -5,6 +5,31 @@ #include "librpc/gen_ndr/ndr_lsa.h" #include "librpc/gen_ndr/ndr_security.h" +static enum ndr_err_code ndr_push_eventlogReadFlags(struct ndr_push *ndr, int ndr_flags, uint32_t r) +{ + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r)); + return NDR_ERR_SUCCESS; +} + +static enum ndr_err_code ndr_pull_eventlogReadFlags(struct ndr_pull *ndr, int ndr_flags, uint32_t *r) +{ + uint32_t v; + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &v)); + *r = v; + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_eventlogReadFlags(struct ndr_print *ndr, const char *name, uint32_t r) +{ + ndr_print_uint32(ndr, name, r); + ndr->depth++; + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "EVENTLOG_SEQUENTIAL_READ", EVENTLOG_SEQUENTIAL_READ, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "EVENTLOG_SEEK_READ", EVENTLOG_SEEK_READ, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "EVENTLOG_FORWARDS_READ", EVENTLOG_FORWARDS_READ, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "EVENTLOG_BACKWARDS_READ", EVENTLOG_BACKWARDS_READ, r); + ndr->depth--; +} + static enum ndr_err_code ndr_push_eventlog_OpenUnknown0(struct ndr_push *ndr, int ndr_flags, const struct eventlog_OpenUnknown0 *r) { if (ndr_flags & NDR_SCALARS) { @@ -635,8 +660,8 @@ static enum ndr_err_code ndr_push_eventlog_OpenEventLogW(struct ndr_push *ndr, i return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } NDR_CHECK(ndr_push_lsa_String(ndr, NDR_SCALARS|NDR_BUFFERS, r->in.servername)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.unknown2)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.unknown3)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.major_version)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.minor_version)); } if (flags & NDR_OUT) { if (r->out.handle == NULL) { @@ -684,8 +709,8 @@ static enum ndr_err_code ndr_pull_eventlog_OpenEventLogW(struct ndr_pull *ndr, i NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS|NDR_BUFFERS, r->in.servername)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown2)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown3)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.major_version)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.minor_version)); NDR_PULL_ALLOC(ndr, r->out.handle); ZERO_STRUCTP(r->out.handle); } @@ -726,8 +751,8 @@ _PUBLIC_ void ndr_print_eventlog_OpenEventLogW(struct ndr_print *ndr, const char ndr->depth++; ndr_print_lsa_String(ndr, "servername", r->in.servername); ndr->depth--; - ndr_print_uint32(ndr, "unknown2", r->in.unknown2); - ndr_print_uint32(ndr, "unknown3", r->in.unknown3); + ndr_print_uint32(ndr, "major_version", r->in.major_version); + ndr_print_uint32(ndr, "minor_version", r->in.minor_version); ndr->depth--; } if (flags & NDR_OUT) { @@ -832,7 +857,7 @@ static enum ndr_err_code ndr_push_eventlog_ReadEventLogW(struct ndr_push *ndr, i return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } NDR_CHECK(ndr_push_policy_handle(ndr, NDR_SCALARS, r->in.handle)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.flags)); + NDR_CHECK(ndr_push_eventlogReadFlags(ndr, NDR_SCALARS, r->in.flags)); NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.offset)); NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.number_of_bytes)); } @@ -870,7 +895,7 @@ static enum ndr_err_code ndr_pull_eventlog_ReadEventLogW(struct ndr_pull *ndr, i NDR_PULL_SET_MEM_CTX(ndr, r->in.handle, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_policy_handle(ndr, NDR_SCALARS, r->in.handle)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + NDR_CHECK(ndr_pull_eventlogReadFlags(ndr, NDR_SCALARS, &r->in.flags)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offset)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.number_of_bytes)); if (r->in.number_of_bytes < 0 || r->in.number_of_bytes > 0x7FFFF) { @@ -925,7 +950,7 @@ _PUBLIC_ void ndr_print_eventlog_ReadEventLogW(struct ndr_print *ndr, const char ndr->depth++; ndr_print_policy_handle(ndr, "handle", r->in.handle); ndr->depth--; - ndr_print_uint32(ndr, "flags", r->in.flags); + ndr_print_eventlogReadFlags(ndr, "flags", r->in.flags); ndr_print_uint32(ndr, "offset", r->in.offset); ndr_print_uint32(ndr, "number_of_bytes", r->in.number_of_bytes); ndr->depth--; diff --git a/source3/librpc/gen_ndr/ndr_eventlog.h b/source3/librpc/gen_ndr/ndr_eventlog.h index 6c6e679eca..6002f35a7d 100644 --- a/source3/librpc/gen_ndr/ndr_eventlog.h +++ b/source3/librpc/gen_ndr/ndr_eventlog.h @@ -60,6 +60,7 @@ extern const struct ndr_interface_table ndr_table_eventlog; #define NDR_EVENTLOG_FLUSHEVENTLOG (0x17) #define NDR_EVENTLOG_CALL_COUNT (24) +void ndr_print_eventlogReadFlags(struct ndr_print *ndr, const char *name, uint32_t r); void ndr_print_eventlog_OpenUnknown0(struct ndr_print *ndr, const char *name, const struct eventlog_OpenUnknown0 *r); enum ndr_err_code ndr_push_eventlog_Record(struct ndr_push *ndr, int ndr_flags, const struct eventlog_Record *r); enum ndr_err_code ndr_pull_eventlog_Record(struct ndr_pull *ndr, int ndr_flags, struct eventlog_Record *r); diff --git a/source3/librpc/gen_ndr/ndr_misc.c b/source3/librpc/gen_ndr/ndr_misc.c index 22c416a0d7..971cbdac24 100644 --- a/source3/librpc/gen_ndr/ndr_misc.c +++ b/source3/librpc/gen_ndr/ndr_misc.c @@ -132,56 +132,3 @@ _PUBLIC_ void ndr_print_netr_SchannelType(struct ndr_print *ndr, const char *nam ndr_print_enum(ndr, name, "ENUM", val, r); } -_PUBLIC_ enum ndr_err_code ndr_push_netr_SamDatabaseID(struct ndr_push *ndr, int ndr_flags, enum netr_SamDatabaseID r) -{ - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r)); - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ enum ndr_err_code ndr_pull_netr_SamDatabaseID(struct ndr_pull *ndr, int ndr_flags, enum netr_SamDatabaseID *r) -{ - uint32_t v; - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &v)); - *r = v; - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ void ndr_print_netr_SamDatabaseID(struct ndr_print *ndr, const char *name, enum netr_SamDatabaseID r) -{ - const char *val = NULL; - - switch (r) { - case SAM_DATABASE_DOMAIN: val = "SAM_DATABASE_DOMAIN"; break; - case SAM_DATABASE_BUILTIN: val = "SAM_DATABASE_BUILTIN"; break; - case SAM_DATABASE_PRIVS: val = "SAM_DATABASE_PRIVS"; break; - } - ndr_print_enum(ndr, name, "ENUM", val, r); -} - -_PUBLIC_ enum ndr_err_code ndr_push_samr_RejectReason(struct ndr_push *ndr, int ndr_flags, enum samr_RejectReason r) -{ - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r)); - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ enum ndr_err_code ndr_pull_samr_RejectReason(struct ndr_pull *ndr, int ndr_flags, enum samr_RejectReason *r) -{ - uint32_t v; - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &v)); - *r = v; - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ void ndr_print_samr_RejectReason(struct ndr_print *ndr, const char *name, enum samr_RejectReason r) -{ - const char *val = NULL; - - switch (r) { - case SAMR_REJECT_OTHER: val = "SAMR_REJECT_OTHER"; break; - case SAMR_REJECT_TOO_SHORT: val = "SAMR_REJECT_TOO_SHORT"; break; - case SAMR_REJECT_IN_HISTORY: val = "SAMR_REJECT_IN_HISTORY"; break; - case SAMR_REJECT_COMPLEXITY: val = "SAMR_REJECT_COMPLEXITY"; break; - } - ndr_print_enum(ndr, name, "ENUM", val, r); -} - diff --git a/source3/librpc/gen_ndr/ndr_misc.h b/source3/librpc/gen_ndr/ndr_misc.h index a15a781367..b907af0605 100644 --- a/source3/librpc/gen_ndr/ndr_misc.h +++ b/source3/librpc/gen_ndr/ndr_misc.h @@ -20,10 +20,4 @@ void ndr_print_policy_handle(struct ndr_print *ndr, const char *name, const stru enum ndr_err_code ndr_push_netr_SchannelType(struct ndr_push *ndr, int ndr_flags, enum netr_SchannelType r); enum ndr_err_code ndr_pull_netr_SchannelType(struct ndr_pull *ndr, int ndr_flags, enum netr_SchannelType *r); void ndr_print_netr_SchannelType(struct ndr_print *ndr, const char *name, enum netr_SchannelType r); -enum ndr_err_code ndr_push_netr_SamDatabaseID(struct ndr_push *ndr, int ndr_flags, enum netr_SamDatabaseID r); -enum ndr_err_code ndr_pull_netr_SamDatabaseID(struct ndr_pull *ndr, int ndr_flags, enum netr_SamDatabaseID *r); -void ndr_print_netr_SamDatabaseID(struct ndr_print *ndr, const char *name, enum netr_SamDatabaseID r); -enum ndr_err_code ndr_push_samr_RejectReason(struct ndr_push *ndr, int ndr_flags, enum samr_RejectReason r); -enum ndr_err_code ndr_pull_samr_RejectReason(struct ndr_pull *ndr, int ndr_flags, enum samr_RejectReason *r); -void ndr_print_samr_RejectReason(struct ndr_print *ndr, const char *name, enum samr_RejectReason r); #endif /* _HEADER_NDR_misc */ diff --git a/source3/librpc/gen_ndr/ndr_named_pipe_auth.c b/source3/librpc/gen_ndr/ndr_named_pipe_auth.c new file mode 100644 index 0000000000..69412bf427 --- /dev/null +++ b/source3/librpc/gen_ndr/ndr_named_pipe_auth.c @@ -0,0 +1,302 @@ +/* parser auto-generated by pidl */ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_named_pipe_auth.h" + +#include "librpc/gen_ndr/ndr_netlogon.h" +static enum ndr_err_code ndr_push_named_pipe_auth_req_info(struct ndr_push *ndr, int ndr_flags, const union named_pipe_auth_req_info *r) +{ + if (ndr_flags & NDR_SCALARS) { + int level = ndr_push_get_switch_value(ndr, r); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, level)); + switch (level) { + case 0: { + break; } + + case 1: { + NDR_CHECK(ndr_push_netr_SamInfo3(ndr, NDR_SCALARS, &r->info1)); + break; } + + default: + return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level); + } + } + if (ndr_flags & NDR_BUFFERS) { + int level = ndr_push_get_switch_value(ndr, r); + switch (level) { + case 0: + break; + + case 1: + NDR_CHECK(ndr_push_netr_SamInfo3(ndr, NDR_BUFFERS, &r->info1)); + break; + + default: + return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level); + } + } + return NDR_ERR_SUCCESS; +} + +static enum ndr_err_code ndr_pull_named_pipe_auth_req_info(struct ndr_pull *ndr, int ndr_flags, union named_pipe_auth_req_info *r) +{ + int level; + uint32_t _level; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); + if (_level != level) { + return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u for r", _level); + } + switch (level) { + case 0: { + break; } + + case 1: { + NDR_CHECK(ndr_pull_netr_SamInfo3(ndr, NDR_SCALARS, &r->info1)); + break; } + + default: + return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level); + } + } + if (ndr_flags & NDR_BUFFERS) { + switch (level) { + case 0: + break; + + case 1: + NDR_CHECK(ndr_pull_netr_SamInfo3(ndr, NDR_BUFFERS, &r->info1)); + break; + + default: + return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level); + } + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_named_pipe_auth_req_info(struct ndr_print *ndr, const char *name, const union named_pipe_auth_req_info *r) +{ + int level; + level = ndr_print_get_switch_value(ndr, r); + ndr_print_union(ndr, name, level, "named_pipe_auth_req_info"); + switch (level) { + case 0: + break; + + case 1: + ndr_print_netr_SamInfo3(ndr, "info1", &r->info1); + break; + + default: + ndr_print_bad_level(ndr, name, level); + } +} + +_PUBLIC_ enum ndr_err_code ndr_push_named_pipe_auth_req(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_req *r) +{ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_push_align(ndr, 4)); + { + uint32_t _flags_save_uint32 = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_BIGENDIAN); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_size_named_pipe_auth_req(r, ndr->flags) - 4)); + ndr->flags = _flags_save_uint32; + } + NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, NAMED_PIPE_AUTH_MAGIC, 4, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->level)); + NDR_CHECK(ndr_push_set_switch_value(ndr, &r->info, r->level)); + NDR_CHECK(ndr_push_named_pipe_auth_req_info(ndr, NDR_SCALARS, &r->info)); + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_push_named_pipe_auth_req_info(ndr, NDR_BUFFERS, &r->info)); + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_req(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req *r) +{ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + { + uint32_t _flags_save_uint32 = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_BIGENDIAN); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length)); + ndr->flags = _flags_save_uint32; + } + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, 4, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->level)); + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->info, r->level)); + NDR_CHECK(ndr_pull_named_pipe_auth_req_info(ndr, NDR_SCALARS, &r->info)); + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_pull_named_pipe_auth_req_info(ndr, NDR_BUFFERS, &r->info)); + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_named_pipe_auth_req(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_req *r) +{ + ndr_print_struct(ndr, name, "named_pipe_auth_req"); + ndr->depth++; + ndr_print_uint32(ndr, "length", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?ndr_size_named_pipe_auth_req(r, ndr->flags) - 4:r->length); + ndr_print_string(ndr, "magic", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?NAMED_PIPE_AUTH_MAGIC:r->magic); + ndr_print_uint32(ndr, "level", r->level); + ndr_print_set_switch_value(ndr, &r->info, r->level); + ndr_print_named_pipe_auth_req_info(ndr, "info", &r->info); + ndr->depth--; +} + +_PUBLIC_ size_t ndr_size_named_pipe_auth_req(const struct named_pipe_auth_req *r, int flags) +{ + return ndr_size_struct(r, flags, (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req); +} + +static enum ndr_err_code ndr_push_named_pipe_auth_rep_info(struct ndr_push *ndr, int ndr_flags, const union named_pipe_auth_rep_info *r) +{ + if (ndr_flags & NDR_SCALARS) { + int level = ndr_push_get_switch_value(ndr, r); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, level)); + switch (level) { + case 0: { + break; } + + case 1: { + break; } + + default: + return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level); + } + } + if (ndr_flags & NDR_BUFFERS) { + int level = ndr_push_get_switch_value(ndr, r); + switch (level) { + case 0: + break; + + case 1: + break; + + default: + return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level); + } + } + return NDR_ERR_SUCCESS; +} + +static enum ndr_err_code ndr_pull_named_pipe_auth_rep_info(struct ndr_pull *ndr, int ndr_flags, union named_pipe_auth_rep_info *r) +{ + int level; + uint32_t _level; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); + if (_level != level) { + return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u for r", _level); + } + switch (level) { + case 0: { + break; } + + case 1: { + break; } + + default: + return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level); + } + } + if (ndr_flags & NDR_BUFFERS) { + switch (level) { + case 0: + break; + + case 1: + break; + + default: + return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level); + } + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_named_pipe_auth_rep_info(struct ndr_print *ndr, const char *name, const union named_pipe_auth_rep_info *r) +{ + int level; + level = ndr_print_get_switch_value(ndr, r); + ndr_print_union(ndr, name, level, "named_pipe_auth_rep_info"); + switch (level) { + case 0: + break; + + case 1: + break; + + default: + ndr_print_bad_level(ndr, name, level); + } +} + +_PUBLIC_ enum ndr_err_code ndr_push_named_pipe_auth_rep(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_rep *r) +{ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_push_align(ndr, 4)); + { + uint32_t _flags_save_uint32 = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_BIGENDIAN); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_size_named_pipe_auth_rep(r, ndr->flags) - 4)); + ndr->flags = _flags_save_uint32; + } + NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, NAMED_PIPE_AUTH_MAGIC, 4, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->level)); + NDR_CHECK(ndr_push_set_switch_value(ndr, &r->info, r->level)); + NDR_CHECK(ndr_push_named_pipe_auth_rep_info(ndr, NDR_SCALARS, &r->info)); + NDR_CHECK(ndr_push_NTSTATUS(ndr, NDR_SCALARS, r->status)); + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_push_named_pipe_auth_rep_info(ndr, NDR_BUFFERS, &r->info)); + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_rep(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_rep *r) +{ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + { + uint32_t _flags_save_uint32 = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_BIGENDIAN); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length)); + ndr->flags = _flags_save_uint32; + } + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, 4, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->level)); + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->info, r->level)); + NDR_CHECK(ndr_pull_named_pipe_auth_rep_info(ndr, NDR_SCALARS, &r->info)); + NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->status)); + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_pull_named_pipe_auth_rep_info(ndr, NDR_BUFFERS, &r->info)); + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_named_pipe_auth_rep(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_rep *r) +{ + ndr_print_struct(ndr, name, "named_pipe_auth_rep"); + ndr->depth++; + ndr_print_uint32(ndr, "length", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?ndr_size_named_pipe_auth_rep(r, ndr->flags) - 4:r->length); + ndr_print_string(ndr, "magic", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?NAMED_PIPE_AUTH_MAGIC:r->magic); + ndr_print_uint32(ndr, "level", r->level); + ndr_print_set_switch_value(ndr, &r->info, r->level); + ndr_print_named_pipe_auth_rep_info(ndr, "info", &r->info); + ndr_print_NTSTATUS(ndr, "status", r->status); + ndr->depth--; +} + +_PUBLIC_ size_t ndr_size_named_pipe_auth_rep(const struct named_pipe_auth_rep *r, int flags) +{ + return ndr_size_struct(r, flags, (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_rep); +} + diff --git a/source3/librpc/gen_ndr/ndr_named_pipe_auth.h b/source3/librpc/gen_ndr/ndr_named_pipe_auth.h new file mode 100644 index 0000000000..fbef9d5f1c --- /dev/null +++ b/source3/librpc/gen_ndr/ndr_named_pipe_auth.h @@ -0,0 +1,20 @@ +/* header auto-generated by pidl */ + +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/named_pipe_auth.h" + +#ifndef _HEADER_NDR_named_pipe_auth +#define _HEADER_NDR_named_pipe_auth + +#define NDR_NAMED_PIPE_AUTH_CALL_COUNT (0) +void ndr_print_named_pipe_auth_req_info(struct ndr_print *ndr, const char *name, const union named_pipe_auth_req_info *r); +enum ndr_err_code ndr_push_named_pipe_auth_req(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_req *r); +enum ndr_err_code ndr_pull_named_pipe_auth_req(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req *r); +void ndr_print_named_pipe_auth_req(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_req *r); +size_t ndr_size_named_pipe_auth_req(const struct named_pipe_auth_req *r, int flags); +void ndr_print_named_pipe_auth_rep_info(struct ndr_print *ndr, const char *name, const union named_pipe_auth_rep_info *r); +enum ndr_err_code ndr_push_named_pipe_auth_rep(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_rep *r); +enum ndr_err_code ndr_pull_named_pipe_auth_rep(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_rep *r); +void ndr_print_named_pipe_auth_rep(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_rep *r); +size_t ndr_size_named_pipe_auth_rep(const struct named_pipe_auth_rep *r, int flags); +#endif /* _HEADER_NDR_named_pipe_auth */ diff --git a/source3/librpc/gen_ndr/ndr_netlogon.c b/source3/librpc/gen_ndr/ndr_netlogon.c index 12ab98e610..c4102eba6e 100644 --- a/source3/librpc/gen_ndr/ndr_netlogon.c +++ b/source3/librpc/gen_ndr/ndr_netlogon.c @@ -363,8 +363,6 @@ static enum ndr_err_code ndr_push_netr_PasswordInfo(struct ndr_push *ndr, int nd } if (ndr_flags & NDR_BUFFERS) { NDR_CHECK(ndr_push_netr_IdentityInfo(ndr, NDR_BUFFERS, &r->identity_info)); - NDR_CHECK(ndr_push_samr_Password(ndr, NDR_BUFFERS, &r->lmpassword)); - NDR_CHECK(ndr_push_samr_Password(ndr, NDR_BUFFERS, &r->ntpassword)); } return NDR_ERR_SUCCESS; } @@ -379,8 +377,6 @@ static enum ndr_err_code ndr_pull_netr_PasswordInfo(struct ndr_pull *ndr, int nd } if (ndr_flags & NDR_BUFFERS) { NDR_CHECK(ndr_pull_netr_IdentityInfo(ndr, NDR_BUFFERS, &r->identity_info)); - NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_BUFFERS, &r->lmpassword)); - NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_BUFFERS, &r->ntpassword)); } return NDR_ERR_SUCCESS; } @@ -2212,7 +2208,6 @@ static enum ndr_err_code ndr_push_netr_USER_KEY16(struct ndr_push *ndr, int ndr_ NDR_CHECK(ndr_push_samr_Password(ndr, NDR_SCALARS, &r->pwd)); } if (ndr_flags & NDR_BUFFERS) { - NDR_CHECK(ndr_push_samr_Password(ndr, NDR_BUFFERS, &r->pwd)); } return NDR_ERR_SUCCESS; } @@ -2227,7 +2222,6 @@ static enum ndr_err_code ndr_pull_netr_USER_KEY16(struct ndr_pull *ndr, int ndr_ NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_SCALARS, &r->pwd)); } if (ndr_flags & NDR_BUFFERS) { - NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_BUFFERS, &r->pwd)); } return NDR_ERR_SUCCESS; } @@ -2305,8 +2299,6 @@ static enum ndr_err_code ndr_push_netr_USER_KEYS2(struct ndr_push *ndr, int ndr_ NDR_CHECK(ndr_push_netr_PasswordHistory(ndr, NDR_SCALARS, &r->history)); } if (ndr_flags & NDR_BUFFERS) { - NDR_CHECK(ndr_push_netr_USER_KEY16(ndr, NDR_BUFFERS, &r->lmpassword)); - NDR_CHECK(ndr_push_netr_USER_KEY16(ndr, NDR_BUFFERS, &r->ntpassword)); } return NDR_ERR_SUCCESS; } @@ -2320,8 +2312,6 @@ static enum ndr_err_code ndr_pull_netr_USER_KEYS2(struct ndr_pull *ndr, int ndr_ NDR_CHECK(ndr_pull_netr_PasswordHistory(ndr, NDR_SCALARS, &r->history)); } if (ndr_flags & NDR_BUFFERS) { - NDR_CHECK(ndr_pull_netr_USER_KEY16(ndr, NDR_BUFFERS, &r->lmpassword)); - NDR_CHECK(ndr_pull_netr_USER_KEY16(ndr, NDR_BUFFERS, &r->ntpassword)); } return NDR_ERR_SUCCESS; } @@ -2343,7 +2333,6 @@ static enum ndr_err_code ndr_push_netr_USER_KEY_UNION(struct ndr_push *ndr, int NDR_CHECK(ndr_push_netr_USER_KEYS2(ndr, NDR_SCALARS, &r->keys2)); } if (ndr_flags & NDR_BUFFERS) { - NDR_CHECK(ndr_push_netr_USER_KEYS2(ndr, NDR_BUFFERS, &r->keys2)); } return NDR_ERR_SUCCESS; } @@ -2355,7 +2344,6 @@ static enum ndr_err_code ndr_pull_netr_USER_KEY_UNION(struct ndr_pull *ndr, int NDR_CHECK(ndr_pull_netr_USER_KEYS2(ndr, NDR_SCALARS, &r->keys2)); } if (ndr_flags & NDR_BUFFERS) { - NDR_CHECK(ndr_pull_netr_USER_KEYS2(ndr, NDR_BUFFERS, &r->keys2)); } return NDR_ERR_SUCCESS; } @@ -2376,7 +2364,6 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_USER_KEYS(struct ndr_push *ndr, int ndr NDR_CHECK(ndr_push_netr_USER_KEY_UNION(ndr, NDR_SCALARS, &r->keys)); } if (ndr_flags & NDR_BUFFERS) { - NDR_CHECK(ndr_push_netr_USER_KEY_UNION(ndr, NDR_BUFFERS, &r->keys)); } return NDR_ERR_SUCCESS; } @@ -2389,7 +2376,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_USER_KEYS(struct ndr_pull *ndr, int ndr NDR_CHECK(ndr_pull_netr_USER_KEY_UNION(ndr, NDR_SCALARS, &r->keys)); } if (ndr_flags & NDR_BUFFERS) { - NDR_CHECK(ndr_pull_netr_USER_KEY_UNION(ndr, NDR_BUFFERS, &r->keys)); } return NDR_ERR_SUCCESS; } @@ -2513,7 +2499,7 @@ static enum ndr_err_code ndr_push_netr_DELTA_USER(struct ndr_push *ndr, int ndr_ NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->lm_password_present)); NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->password_expired)); NDR_CHECK(ndr_push_lsa_String(ndr, NDR_SCALARS, &r->comment)); - NDR_CHECK(ndr_push_lsa_String(ndr, NDR_SCALARS, &r->parameters)); + NDR_CHECK(ndr_push_lsa_BinaryString(ndr, NDR_SCALARS, &r->parameters)); NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->country_code)); NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->code_page)); NDR_CHECK(ndr_push_netr_USER_PRIVATE_INFO(ndr, NDR_SCALARS, &r->user_private_info)); @@ -2537,10 +2523,8 @@ static enum ndr_err_code ndr_push_netr_DELTA_USER(struct ndr_push *ndr, int ndr_ NDR_CHECK(ndr_push_lsa_String(ndr, NDR_BUFFERS, &r->description)); NDR_CHECK(ndr_push_lsa_String(ndr, NDR_BUFFERS, &r->workstations)); NDR_CHECK(ndr_push_samr_LogonHours(ndr, NDR_BUFFERS, &r->logon_hours)); - NDR_CHECK(ndr_push_samr_Password(ndr, NDR_BUFFERS, &r->lmpassword)); - NDR_CHECK(ndr_push_samr_Password(ndr, NDR_BUFFERS, &r->ntpassword)); NDR_CHECK(ndr_push_lsa_String(ndr, NDR_BUFFERS, &r->comment)); - NDR_CHECK(ndr_push_lsa_String(ndr, NDR_BUFFERS, &r->parameters)); + NDR_CHECK(ndr_push_lsa_BinaryString(ndr, NDR_BUFFERS, &r->parameters)); NDR_CHECK(ndr_push_netr_USER_PRIVATE_INFO(ndr, NDR_BUFFERS, &r->user_private_info)); NDR_CHECK(ndr_push_sec_desc_buf(ndr, NDR_BUFFERS, &r->sdbuf)); NDR_CHECK(ndr_push_lsa_String(ndr, NDR_BUFFERS, &r->profile_path)); @@ -2578,7 +2562,7 @@ static enum ndr_err_code ndr_pull_netr_DELTA_USER(struct ndr_pull *ndr, int ndr_ NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->lm_password_present)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->password_expired)); NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->comment)); - NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->parameters)); + NDR_CHECK(ndr_pull_lsa_BinaryString(ndr, NDR_SCALARS, &r->parameters)); NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->country_code)); NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->code_page)); NDR_CHECK(ndr_pull_netr_USER_PRIVATE_INFO(ndr, NDR_SCALARS, &r->user_private_info)); @@ -2602,10 +2586,8 @@ static enum ndr_err_code ndr_pull_netr_DELTA_USER(struct ndr_pull *ndr, int ndr_ NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->description)); NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->workstations)); NDR_CHECK(ndr_pull_samr_LogonHours(ndr, NDR_BUFFERS, &r->logon_hours)); - NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_BUFFERS, &r->lmpassword)); - NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_BUFFERS, &r->ntpassword)); NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->comment)); - NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->parameters)); + NDR_CHECK(ndr_pull_lsa_BinaryString(ndr, NDR_BUFFERS, &r->parameters)); NDR_CHECK(ndr_pull_netr_USER_PRIVATE_INFO(ndr, NDR_BUFFERS, &r->user_private_info)); NDR_CHECK(ndr_pull_sec_desc_buf(ndr, NDR_BUFFERS, &r->sdbuf)); NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->profile_path)); @@ -2643,7 +2625,7 @@ _PUBLIC_ void ndr_print_netr_DELTA_USER(struct ndr_print *ndr, const char *name, ndr_print_uint8(ndr, "lm_password_present", r->lm_password_present); ndr_print_uint8(ndr, "password_expired", r->password_expired); ndr_print_lsa_String(ndr, "comment", &r->comment); - ndr_print_lsa_String(ndr, "parameters", &r->parameters); + ndr_print_lsa_BinaryString(ndr, "parameters", &r->parameters); ndr_print_uint16(ndr, "country_code", r->country_code); ndr_print_uint16(ndr, "code_page", r->code_page); ndr_print_netr_USER_PRIVATE_INFO(ndr, "user_private_info", &r->user_private_info); @@ -6232,6 +6214,192 @@ _PUBLIC_ void ndr_print_netr_NegotiateFlags(struct ndr_print *ndr, const char *n ndr->depth--; } +static enum ndr_err_code ndr_push_netr_ChangeLogFlags(struct ndr_push *ndr, int ndr_flags, uint16_t r) +{ + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r)); + return NDR_ERR_SUCCESS; +} + +static enum ndr_err_code ndr_pull_netr_ChangeLogFlags(struct ndr_pull *ndr, int ndr_flags, uint16_t *r) +{ + uint16_t v; + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &v)); + *r = v; + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_netr_ChangeLogFlags(struct ndr_print *ndr, const char *name, uint16_t r) +{ + ndr_print_uint16(ndr, name, r); + ndr->depth++; + ndr_print_bitmap_flag(ndr, sizeof(uint16_t), "NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED", NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED, r); + ndr_print_bitmap_flag(ndr, sizeof(uint16_t), "NETR_CHANGELOG_CHANGED_PASSWORD", NETR_CHANGELOG_CHANGED_PASSWORD, r); + ndr_print_bitmap_flag(ndr, sizeof(uint16_t), "NETR_CHANGELOG_SID_INCLUDED", NETR_CHANGELOG_SID_INCLUDED, r); + ndr_print_bitmap_flag(ndr, sizeof(uint16_t), "NETR_CHANGELOG_NAME_INCLUDED", NETR_CHANGELOG_NAME_INCLUDED, r); + ndr_print_bitmap_flag(ndr, sizeof(uint16_t), "NETR_CHANGELOG_FIRST_PROMOTION_OBJ", NETR_CHANGELOG_FIRST_PROMOTION_OBJ, r); + ndr->depth--; +} + +static enum ndr_err_code ndr_push_netr_ChangeLogObject(struct ndr_push *ndr, int ndr_flags, const union netr_ChangeLogObject *r) +{ + if (ndr_flags & NDR_SCALARS) { + int level = ndr_push_get_switch_value(ndr, r); + switch (level) { + case NETR_CHANGELOG_SID_INCLUDED: { + NDR_CHECK(ndr_push_dom_sid(ndr, NDR_SCALARS, &r->object_sid)); + break; } + + case NETR_CHANGELOG_NAME_INCLUDED: { + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM); + NDR_CHECK(ndr_push_string(ndr, NDR_SCALARS, r->object_name)); + ndr->flags = _flags_save_string; + } + break; } + + default: { + break; } + + } + } + if (ndr_flags & NDR_BUFFERS) { + int level = ndr_push_get_switch_value(ndr, r); + switch (level) { + case NETR_CHANGELOG_SID_INCLUDED: + NDR_CHECK(ndr_push_dom_sid(ndr, NDR_BUFFERS, &r->object_sid)); + break; + + case NETR_CHANGELOG_NAME_INCLUDED: + break; + + default: + break; + + } + } + return NDR_ERR_SUCCESS; +} + +static enum ndr_err_code ndr_pull_netr_ChangeLogObject(struct ndr_pull *ndr, int ndr_flags, union netr_ChangeLogObject *r) +{ + int level; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + switch (level) { + case NETR_CHANGELOG_SID_INCLUDED: { + NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->object_sid)); + break; } + + case NETR_CHANGELOG_NAME_INCLUDED: { + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM); + NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->object_name)); + ndr->flags = _flags_save_string; + } + break; } + + default: { + break; } + + } + } + if (ndr_flags & NDR_BUFFERS) { + switch (level) { + case NETR_CHANGELOG_SID_INCLUDED: + NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_BUFFERS, &r->object_sid)); + break; + + case NETR_CHANGELOG_NAME_INCLUDED: + break; + + default: + break; + + } + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_netr_ChangeLogObject(struct ndr_print *ndr, const char *name, const union netr_ChangeLogObject *r) +{ + int level; + level = ndr_print_get_switch_value(ndr, r); + ndr_print_union(ndr, name, level, "netr_ChangeLogObject"); + switch (level) { + case NETR_CHANGELOG_SID_INCLUDED: + ndr_print_dom_sid(ndr, "object_sid", &r->object_sid); + break; + + case NETR_CHANGELOG_NAME_INCLUDED: + ndr_print_string(ndr, "object_name", r->object_name); + break; + + default: + break; + + } +} + +_PUBLIC_ enum ndr_err_code ndr_push_netr_ChangeLogEntry(struct ndr_push *ndr, int ndr_flags, const struct netr_ChangeLogEntry *r) +{ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_push_align(ndr, 4)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->serial_number1)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->serial_number2)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->object_rid)); + NDR_CHECK(ndr_push_netr_ChangeLogFlags(ndr, NDR_SCALARS, r->flags)); + NDR_CHECK(ndr_push_netr_SamDatabaseID8Bit(ndr, NDR_SCALARS, r->db_index)); + NDR_CHECK(ndr_push_netr_DeltaEnum8Bit(ndr, NDR_SCALARS, r->delta_type)); + NDR_CHECK(ndr_push_set_switch_value(ndr, &r->object, r->flags & (NETR_CHANGELOG_SID_INCLUDED | NETR_CHANGELOG_NAME_INCLUDED))); + NDR_CHECK(ndr_push_netr_ChangeLogObject(ndr, NDR_SCALARS, &r->object)); + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_push_netr_ChangeLogObject(ndr, NDR_BUFFERS, &r->object)); + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_netr_ChangeLogEntry(struct ndr_pull *ndr, int ndr_flags, struct netr_ChangeLogEntry *r) +{ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->serial_number1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->serial_number2)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->object_rid)); + NDR_CHECK(ndr_pull_netr_ChangeLogFlags(ndr, NDR_SCALARS, &r->flags)); + NDR_CHECK(ndr_pull_netr_SamDatabaseID8Bit(ndr, NDR_SCALARS, &r->db_index)); + NDR_CHECK(ndr_pull_netr_DeltaEnum8Bit(ndr, NDR_SCALARS, &r->delta_type)); + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->flags & (NETR_CHANGELOG_SID_INCLUDED | NETR_CHANGELOG_NAME_INCLUDED))); + NDR_CHECK(ndr_pull_netr_ChangeLogObject(ndr, NDR_SCALARS, &r->object)); + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_pull_netr_ChangeLogObject(ndr, NDR_BUFFERS, &r->object)); + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_netr_ChangeLogEntry(struct ndr_print *ndr, const char *name, const struct netr_ChangeLogEntry *r) +{ + ndr_print_struct(ndr, name, "netr_ChangeLogEntry"); + ndr->depth++; + ndr_print_uint32(ndr, "serial_number1", r->serial_number1); + ndr_print_uint32(ndr, "serial_number2", r->serial_number2); + ndr_print_uint32(ndr, "object_rid", r->object_rid); + ndr_print_netr_ChangeLogFlags(ndr, "flags", r->flags); + ndr_print_netr_SamDatabaseID8Bit(ndr, "db_index", r->db_index); + ndr_print_netr_DeltaEnum8Bit(ndr, "delta_type", r->delta_type); + ndr_print_set_switch_value(ndr, &r->object, r->flags & (NETR_CHANGELOG_SID_INCLUDED | NETR_CHANGELOG_NAME_INCLUDED)); + ndr_print_netr_ChangeLogObject(ndr, "object", &r->object); + ndr->depth--; +} + +_PUBLIC_ size_t ndr_size_netr_ChangeLogEntry(const struct netr_ChangeLogEntry *r, int flags) +{ + return ndr_size_struct(r, flags, (ndr_push_flags_fn_t)ndr_push_netr_ChangeLogEntry); +} + static enum ndr_err_code ndr_push_netr_Blob(struct ndr_push *ndr, int ndr_flags, const struct netr_Blob *r) { if (ndr_flags & NDR_SCALARS) { @@ -9422,7 +9590,7 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordSet(struct ndr_push *ndr, i if (r->in.new_password == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } - NDR_CHECK(ndr_push_samr_Password(ndr, NDR_SCALARS|NDR_BUFFERS, r->in.new_password)); + NDR_CHECK(ndr_push_samr_Password(ndr, NDR_SCALARS, r->in.new_password)); } if (flags & NDR_OUT) { if (r->out.return_authenticator == NULL) { @@ -9489,7 +9657,7 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet(struct ndr_pull *ndr, i } _mem_save_new_password_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->in.new_password, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_SCALARS|NDR_BUFFERS, r->in.new_password)); + NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_SCALARS, r->in.new_password)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_new_password_0, LIBNDR_FLAG_REF_ALLOC); NDR_PULL_ALLOC(ndr, r->out.return_authenticator); ZERO_STRUCTP(r->out.return_authenticator); @@ -11307,12 +11475,13 @@ static enum ndr_err_code ndr_push_netr_DatabaseRedo(struct ndr_push *ndr, int fl return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } NDR_CHECK(ndr_push_netr_Authenticator(ndr, NDR_SCALARS, r->in.return_authenticator)); - if (r->in.change_log_entry == NULL) { - return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); + { + struct ndr_push *_ndr_change_log_entry; + NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_change_log_entry, 4, ndr_size_netr_ChangeLogEntry(&r->in.change_log_entry, ndr->flags))); + NDR_CHECK(ndr_push_netr_ChangeLogEntry(_ndr_change_log_entry, NDR_SCALARS|NDR_BUFFERS, &r->in.change_log_entry)); + NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_change_log_entry, 4, ndr_size_netr_ChangeLogEntry(&r->in.change_log_entry, ndr->flags))); } - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.change_log_entry_size)); - NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->in.change_log_entry, r->in.change_log_entry_size)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.change_log_entry_size)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_size_netr_ChangeLogEntry(&r->in.change_log_entry, ndr->flags))); } if (flags & NDR_OUT) { if (r->out.return_authenticator == NULL) { @@ -11369,19 +11538,17 @@ static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int fl NDR_PULL_SET_MEM_CTX(ndr, r->in.return_authenticator, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, r->in.return_authenticator)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_return_authenticator_0, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_array_size(ndr, &r->in.change_log_entry)); - if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { - NDR_PULL_ALLOC_N(ndr, r->in.change_log_entry, ndr_get_array_size(ndr, &r->in.change_log_entry)); + { + struct ndr_pull *_ndr_change_log_entry; + NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_change_log_entry, 4, r->in.change_log_entry_size)); + NDR_CHECK(ndr_pull_netr_ChangeLogEntry(_ndr_change_log_entry, NDR_SCALARS|NDR_BUFFERS, &r->in.change_log_entry)); + NDR_CHECK(ndr_pull_subcontext_end(ndr, _ndr_change_log_entry, 4, r->in.change_log_entry_size)); } - NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.change_log_entry, ndr_get_array_size(ndr, &r->in.change_log_entry))); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.change_log_entry_size)); NDR_PULL_ALLOC(ndr, r->out.return_authenticator); *r->out.return_authenticator = *r->in.return_authenticator; NDR_PULL_ALLOC(ndr, r->out.delta_enum_array); ZERO_STRUCTP(r->out.delta_enum_array); - if (r->in.change_log_entry) { - NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.change_log_entry, r->in.change_log_entry_size)); - } } if (flags & NDR_OUT) { if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { @@ -11434,11 +11601,8 @@ _PUBLIC_ void ndr_print_netr_DatabaseRedo(struct ndr_print *ndr, const char *nam ndr->depth++; ndr_print_netr_Authenticator(ndr, "return_authenticator", r->in.return_authenticator); ndr->depth--; - ndr_print_ptr(ndr, "change_log_entry", r->in.change_log_entry); - ndr->depth++; - ndr_print_array_uint8(ndr, "change_log_entry", r->in.change_log_entry, r->in.change_log_entry_size); - ndr->depth--; - ndr_print_uint32(ndr, "change_log_entry_size", r->in.change_log_entry_size); + ndr_print_netr_ChangeLogEntry(ndr, "change_log_entry", &r->in.change_log_entry); + ndr_print_uint32(ndr, "change_log_entry_size", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?ndr_size_netr_ChangeLogEntry(&r->in.change_log_entry, ndr->flags):r->in.change_log_entry_size); ndr->depth--; } if (flags & NDR_OUT) { @@ -13028,7 +13192,7 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordGet(struct ndr_push *ndr, i if (r->out.password == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } - NDR_CHECK(ndr_push_samr_Password(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.password)); + NDR_CHECK(ndr_push_samr_Password(ndr, NDR_SCALARS, r->out.password)); NDR_CHECK(ndr_push_WERROR(ndr, NDR_SCALARS, r->out.result)); } return NDR_ERR_SUCCESS; @@ -13102,7 +13266,7 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordGet(struct ndr_pull *ndr, i } _mem_save_password_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->out.password, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.password)); + NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_SCALARS, r->out.password)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); } @@ -14522,11 +14686,11 @@ static enum ndr_err_code ndr_push_netr_ServerTrustPasswordsGet(struct ndr_push * if (r->out.password == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } - NDR_CHECK(ndr_push_samr_Password(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.password)); + NDR_CHECK(ndr_push_samr_Password(ndr, NDR_SCALARS, r->out.password)); if (r->out.password2 == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } - NDR_CHECK(ndr_push_samr_Password(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.password2)); + NDR_CHECK(ndr_push_samr_Password(ndr, NDR_SCALARS, r->out.password2)); NDR_CHECK(ndr_push_NTSTATUS(ndr, NDR_SCALARS, r->out.result)); } return NDR_ERR_SUCCESS; @@ -14603,14 +14767,14 @@ static enum ndr_err_code ndr_pull_netr_ServerTrustPasswordsGet(struct ndr_pull * } _mem_save_password_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->out.password, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.password)); + NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_SCALARS, r->out.password)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, LIBNDR_FLAG_REF_ALLOC); if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { NDR_PULL_ALLOC(ndr, r->out.password2); } _mem_save_password2_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->out.password2, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.password2)); + NDR_CHECK(ndr_pull_samr_Password(ndr, NDR_SCALARS, r->out.password2)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password2_0, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->out.result)); } diff --git a/source3/librpc/gen_ndr/ndr_netlogon.h b/source3/librpc/gen_ndr/ndr_netlogon.h index 8561a5b5ca..be20448636 100644 --- a/source3/librpc/gen_ndr/ndr_netlogon.h +++ b/source3/librpc/gen_ndr/ndr_netlogon.h @@ -6,6 +6,7 @@ #ifndef _HEADER_NDR_netlogon #define _HEADER_NDR_netlogon +#include "../librpc/ndr/ndr_netlogon.h" #define NDR_NETLOGON_UUID "12345678-1234-abcd-ef00-01234567cffb" #define NDR_NETLOGON_VERSION 1.0 #define NDR_NETLOGON_NAME "netlogon" @@ -190,6 +191,12 @@ void ndr_print_netr_CONTROL_QUERY_INFORMATION(struct ndr_print *ndr, const char void ndr_print_netr_LogonControlCode(struct ndr_print *ndr, const char *name, enum netr_LogonControlCode r); void ndr_print_netr_CONTROL_DATA_INFORMATION(struct ndr_print *ndr, const char *name, const union netr_CONTROL_DATA_INFORMATION *r); void ndr_print_netr_NegotiateFlags(struct ndr_print *ndr, const char *name, uint32_t r); +void ndr_print_netr_ChangeLogFlags(struct ndr_print *ndr, const char *name, uint16_t r); +void ndr_print_netr_ChangeLogObject(struct ndr_print *ndr, const char *name, const union netr_ChangeLogObject *r); +enum ndr_err_code ndr_push_netr_ChangeLogEntry(struct ndr_push *ndr, int ndr_flags, const struct netr_ChangeLogEntry *r); +enum ndr_err_code ndr_pull_netr_ChangeLogEntry(struct ndr_pull *ndr, int ndr_flags, struct netr_ChangeLogEntry *r); +void ndr_print_netr_ChangeLogEntry(struct ndr_print *ndr, const char *name, const struct netr_ChangeLogEntry *r); +size_t ndr_size_netr_ChangeLogEntry(const struct netr_ChangeLogEntry *r, int flags); void ndr_print_netr_Blob(struct ndr_print *ndr, const char *name, const struct netr_Blob *r); void ndr_print_netr_DsRGetDCName_flags(struct ndr_print *ndr, const char *name, uint32_t r); void ndr_print_netr_DsRGetDCNameInfo_AddressType(struct ndr_print *ndr, const char *name, enum netr_DsRGetDCNameInfo_AddressType r); diff --git a/source3/librpc/gen_ndr/ndr_ntsvcs.c b/source3/librpc/gen_ndr/ndr_ntsvcs.c index 35d02a0dcb..ced6fb7767 100644 --- a/source3/librpc/gen_ndr/ndr_ntsvcs.c +++ b/source3/librpc/gen_ndr/ndr_ntsvcs.c @@ -3,16 +3,17 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_ntsvcs.h" +#include "librpc/gen_ndr/ndr_winreg.h" static enum ndr_err_code ndr_push_PNP_HwProfInfo(struct ndr_push *ndr, int ndr_flags, const struct PNP_HwProfInfo *r) { - uint32_t cntr_unknown2_0; + uint32_t cntr_friendly_name_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_push_align(ndr, 4)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown1)); - for (cntr_unknown2_0 = 0; cntr_unknown2_0 < 160; cntr_unknown2_0++) { - NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->unknown2[cntr_unknown2_0])); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->profile_handle)); + for (cntr_friendly_name_0 = 0; cntr_friendly_name_0 < 80; cntr_friendly_name_0++) { + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->friendly_name[cntr_friendly_name_0])); } - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown3)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->flags)); } if (ndr_flags & NDR_BUFFERS) { } @@ -21,14 +22,14 @@ static enum ndr_err_code ndr_push_PNP_HwProfInfo(struct ndr_push *ndr, int ndr_f static enum ndr_err_code ndr_pull_PNP_HwProfInfo(struct ndr_pull *ndr, int ndr_flags, struct PNP_HwProfInfo *r) { - uint32_t cntr_unknown2_0; + uint32_t cntr_friendly_name_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown1)); - for (cntr_unknown2_0 = 0; cntr_unknown2_0 < 160; cntr_unknown2_0++) { - NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->unknown2[cntr_unknown2_0])); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->profile_handle)); + for (cntr_friendly_name_0 = 0; cntr_friendly_name_0 < 80; cntr_friendly_name_0++) { + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->friendly_name[cntr_friendly_name_0])); } - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown3)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->flags)); } if (ndr_flags & NDR_BUFFERS) { } @@ -37,21 +38,21 @@ static enum ndr_err_code ndr_pull_PNP_HwProfInfo(struct ndr_pull *ndr, int ndr_f _PUBLIC_ void ndr_print_PNP_HwProfInfo(struct ndr_print *ndr, const char *name, const struct PNP_HwProfInfo *r) { - uint32_t cntr_unknown2_0; + uint32_t cntr_friendly_name_0; ndr_print_struct(ndr, name, "PNP_HwProfInfo"); ndr->depth++; - ndr_print_uint32(ndr, "unknown1", r->unknown1); - ndr->print(ndr, "%s: ARRAY(%d)", "unknown2", (int)160); + ndr_print_uint32(ndr, "profile_handle", r->profile_handle); + ndr->print(ndr, "%s: ARRAY(%d)", "friendly_name", (int)80); ndr->depth++; - for (cntr_unknown2_0=0;cntr_unknown2_0<160;cntr_unknown2_0++) { + for (cntr_friendly_name_0=0;cntr_friendly_name_0<80;cntr_friendly_name_0++) { char *idx_0=NULL; - if (asprintf(&idx_0, "[%d]", cntr_unknown2_0) != -1) { - ndr_print_uint16(ndr, "unknown2", r->unknown2[cntr_unknown2_0]); + if (asprintf(&idx_0, "[%d]", cntr_friendly_name_0) != -1) { + ndr_print_uint16(ndr, "friendly_name", r->friendly_name[cntr_friendly_name_0]); free(idx_0); } } ndr->depth--; - ndr_print_uint32(ndr, "unknown3", r->unknown3); + ndr_print_uint32(ndr, "flags", r->flags); ndr->depth--; } @@ -818,7 +819,7 @@ static enum ndr_err_code ndr_push_PNP_GetDeviceRegProp(struct ndr_push *ndr, int if (r->in.reg_data_type == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, *r->in.reg_data_type)); + NDR_CHECK(ndr_push_winreg_Type(ndr, NDR_SCALARS, *r->in.reg_data_type)); if (r->in.buffer_size == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } @@ -833,7 +834,7 @@ static enum ndr_err_code ndr_push_PNP_GetDeviceRegProp(struct ndr_push *ndr, int if (r->out.reg_data_type == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, *r->out.reg_data_type)); + NDR_CHECK(ndr_push_winreg_Type(ndr, NDR_SCALARS, *r->out.reg_data_type)); if (r->out.buffer == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } @@ -875,7 +876,7 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceRegProp(struct ndr_pull *ndr, int } _mem_save_reg_data_type_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->in.reg_data_type, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->in.reg_data_type)); + NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, r->in.reg_data_type)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_reg_data_type_0, LIBNDR_FLAG_REF_ALLOC); if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { NDR_PULL_ALLOC(ndr, r->in.buffer_size); @@ -907,7 +908,7 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceRegProp(struct ndr_pull *ndr, int } _mem_save_reg_data_type_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->out.reg_data_type, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->out.reg_data_type)); + NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, r->out.reg_data_type)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_reg_data_type_0, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); NDR_CHECK(ndr_pull_array_length(ndr, &r->out.buffer)); @@ -960,7 +961,7 @@ _PUBLIC_ void ndr_print_PNP_GetDeviceRegProp(struct ndr_print *ndr, const char * ndr_print_uint32(ndr, "property", r->in.property); ndr_print_ptr(ndr, "reg_data_type", r->in.reg_data_type); ndr->depth++; - ndr_print_uint32(ndr, "reg_data_type", *r->in.reg_data_type); + ndr_print_winreg_Type(ndr, "reg_data_type", *r->in.reg_data_type); ndr->depth--; ndr_print_ptr(ndr, "buffer_size", r->in.buffer_size); ndr->depth++; @@ -978,7 +979,7 @@ _PUBLIC_ void ndr_print_PNP_GetDeviceRegProp(struct ndr_print *ndr, const char * ndr->depth++; ndr_print_ptr(ndr, "reg_data_type", r->out.reg_data_type); ndr->depth++; - ndr_print_uint32(ndr, "reg_data_type", *r->out.reg_data_type); + ndr_print_winreg_Type(ndr, "reg_data_type", *r->out.reg_data_type); ndr->depth--; ndr_print_ptr(ndr, "buffer", r->out.buffer); ndr->depth++; @@ -2067,7 +2068,7 @@ _PUBLIC_ void ndr_print_PNP_RequestEjectPC(struct ndr_print *ndr, const char *na static enum ndr_err_code ndr_push_PNP_HwProfFlags(struct ndr_push *ndr, int flags, const struct PNP_HwProfFlags *r) { if (flags & NDR_IN) { - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.unknown1)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.action)); if (r->in.devicepath == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } @@ -2075,14 +2076,14 @@ static enum ndr_err_code ndr_push_PNP_HwProfFlags(struct ndr_push *ndr, int flag NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0)); NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(r->in.devicepath, CH_UTF16))); NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->in.devicepath, ndr_charset_length(r->in.devicepath, CH_UTF16), sizeof(uint16_t), CH_UTF16)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.unknown2)); - if (r->in.unknown3 == NULL) { + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.config)); + if (r->in.profile_flags == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, *r->in.unknown3)); - NDR_CHECK(ndr_push_unique_ptr(ndr, r->in.unknown4)); - if (r->in.unknown4) { - NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, *r->in.unknown4)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, *r->in.profile_flags)); + NDR_CHECK(ndr_push_unique_ptr(ndr, r->in.veto_type)); + if (r->in.veto_type) { + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, *r->in.veto_type)); } NDR_CHECK(ndr_push_unique_ptr(ndr, r->in.unknown5)); if (r->in.unknown5) { @@ -2091,17 +2092,17 @@ static enum ndr_err_code ndr_push_PNP_HwProfFlags(struct ndr_push *ndr, int flag NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(r->in.unknown5, CH_UTF16))); NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->in.unknown5, ndr_charset_length(r->in.unknown5, CH_UTF16), sizeof(uint16_t), CH_UTF16)); } - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.unknown6)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.unknown7)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.name_length)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.flags)); } if (flags & NDR_OUT) { - if (r->out.unknown3 == NULL) { + if (r->out.profile_flags == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, *r->out.unknown3)); - NDR_CHECK(ndr_push_unique_ptr(ndr, r->out.unknown4)); - if (r->out.unknown4) { - NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, *r->out.unknown4)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, *r->out.profile_flags)); + NDR_CHECK(ndr_push_unique_ptr(ndr, r->out.veto_type)); + if (r->out.veto_type) { + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, *r->out.veto_type)); } NDR_CHECK(ndr_push_unique_ptr(ndr, r->out.unknown5a)); if (r->out.unknown5a) { @@ -2120,18 +2121,18 @@ static enum ndr_err_code ndr_push_PNP_HwProfFlags(struct ndr_push *ndr, int flag static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flags, struct PNP_HwProfFlags *r) { - uint32_t _ptr_unknown4; + uint32_t _ptr_veto_type; uint32_t _ptr_unknown5; uint32_t _ptr_unknown5a; - TALLOC_CTX *_mem_save_unknown3_0; - TALLOC_CTX *_mem_save_unknown4_0; + TALLOC_CTX *_mem_save_profile_flags_0; + TALLOC_CTX *_mem_save_veto_type_0; TALLOC_CTX *_mem_save_unknown5_0; TALLOC_CTX *_mem_save_unknown5a_0; TALLOC_CTX *_mem_save_unknown5a_1; if (flags & NDR_IN) { ZERO_STRUCT(r->out); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.action)); NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath)); NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath)); if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) { @@ -2139,25 +2140,25 @@ static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flag } NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t))); NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown2)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.config)); if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { - NDR_PULL_ALLOC(ndr, r->in.unknown3); - } - _mem_save_unknown3_0 = NDR_PULL_GET_MEM_CTX(ndr); - NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown3, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->in.unknown3)); - NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown3_0, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown4)); - if (_ptr_unknown4) { - NDR_PULL_ALLOC(ndr, r->in.unknown4); + NDR_PULL_ALLOC(ndr, r->in.profile_flags); + } + _mem_save_profile_flags_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.profile_flags, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->in.profile_flags)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_profile_flags_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_veto_type)); + if (_ptr_veto_type) { + NDR_PULL_ALLOC(ndr, r->in.veto_type); } else { - r->in.unknown4 = NULL; + r->in.veto_type = NULL; } - if (r->in.unknown4) { - _mem_save_unknown4_0 = NDR_PULL_GET_MEM_CTX(ndr); - NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown4, 0); - NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, r->in.unknown4)); - NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown4_0, 0); + if (r->in.veto_type) { + _mem_save_veto_type_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.veto_type, 0); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, r->in.veto_type)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_veto_type_0, 0); } NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown5)); if (_ptr_unknown5) { @@ -2177,30 +2178,30 @@ static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flag NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown5, ndr_get_array_length(ndr, &r->in.unknown5), sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5_0, 0); } - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown6)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown7)); - NDR_PULL_ALLOC(ndr, r->out.unknown3); - *r->out.unknown3 = *r->in.unknown3; + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.name_length)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + NDR_PULL_ALLOC(ndr, r->out.profile_flags); + *r->out.profile_flags = *r->in.profile_flags; } if (flags & NDR_OUT) { if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { - NDR_PULL_ALLOC(ndr, r->out.unknown3); - } - _mem_save_unknown3_0 = NDR_PULL_GET_MEM_CTX(ndr); - NDR_PULL_SET_MEM_CTX(ndr, r->out.unknown3, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->out.unknown3)); - NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown3_0, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown4)); - if (_ptr_unknown4) { - NDR_PULL_ALLOC(ndr, r->out.unknown4); + NDR_PULL_ALLOC(ndr, r->out.profile_flags); + } + _mem_save_profile_flags_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.profile_flags, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->out.profile_flags)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_profile_flags_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_veto_type)); + if (_ptr_veto_type) { + NDR_PULL_ALLOC(ndr, r->out.veto_type); } else { - r->out.unknown4 = NULL; + r->out.veto_type = NULL; } - if (r->out.unknown4) { - _mem_save_unknown4_0 = NDR_PULL_GET_MEM_CTX(ndr); - NDR_PULL_SET_MEM_CTX(ndr, r->out.unknown4, 0); - NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, r->out.unknown4)); - NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown4_0, 0); + if (r->out.veto_type) { + _mem_save_veto_type_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.veto_type, 0); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, r->out.veto_type)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_veto_type_0, 0); } NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown5a)); if (_ptr_unknown5a) { @@ -2246,20 +2247,20 @@ _PUBLIC_ void ndr_print_PNP_HwProfFlags(struct ndr_print *ndr, const char *name, if (flags & NDR_IN) { ndr_print_struct(ndr, "in", "PNP_HwProfFlags"); ndr->depth++; - ndr_print_uint32(ndr, "unknown1", r->in.unknown1); + ndr_print_uint32(ndr, "action", r->in.action); ndr_print_ptr(ndr, "devicepath", r->in.devicepath); ndr->depth++; ndr_print_string(ndr, "devicepath", r->in.devicepath); ndr->depth--; - ndr_print_uint32(ndr, "unknown2", r->in.unknown2); - ndr_print_ptr(ndr, "unknown3", r->in.unknown3); + ndr_print_uint32(ndr, "config", r->in.config); + ndr_print_ptr(ndr, "profile_flags", r->in.profile_flags); ndr->depth++; - ndr_print_uint32(ndr, "unknown3", *r->in.unknown3); + ndr_print_uint32(ndr, "profile_flags", *r->in.profile_flags); ndr->depth--; - ndr_print_ptr(ndr, "unknown4", r->in.unknown4); + ndr_print_ptr(ndr, "veto_type", r->in.veto_type); ndr->depth++; - if (r->in.unknown4) { - ndr_print_uint16(ndr, "unknown4", *r->in.unknown4); + if (r->in.veto_type) { + ndr_print_uint16(ndr, "veto_type", *r->in.veto_type); } ndr->depth--; ndr_print_ptr(ndr, "unknown5", r->in.unknown5); @@ -2268,21 +2269,21 @@ _PUBLIC_ void ndr_print_PNP_HwProfFlags(struct ndr_print *ndr, const char *name, ndr_print_string(ndr, "unknown5", r->in.unknown5); } ndr->depth--; - ndr_print_uint32(ndr, "unknown6", r->in.unknown6); - ndr_print_uint32(ndr, "unknown7", r->in.unknown7); + ndr_print_uint32(ndr, "name_length", r->in.name_length); + ndr_print_uint32(ndr, "flags", r->in.flags); ndr->depth--; } if (flags & NDR_OUT) { ndr_print_struct(ndr, "out", "PNP_HwProfFlags"); ndr->depth++; - ndr_print_ptr(ndr, "unknown3", r->out.unknown3); + ndr_print_ptr(ndr, "profile_flags", r->out.profile_flags); ndr->depth++; - ndr_print_uint32(ndr, "unknown3", *r->out.unknown3); + ndr_print_uint32(ndr, "profile_flags", *r->out.profile_flags); ndr->depth--; - ndr_print_ptr(ndr, "unknown4", r->out.unknown4); + ndr_print_ptr(ndr, "veto_type", r->out.veto_type); ndr->depth++; - if (r->out.unknown4) { - ndr_print_uint16(ndr, "unknown4", *r->out.unknown4); + if (r->out.veto_type) { + ndr_print_uint16(ndr, "veto_type", *r->out.veto_type); } ndr->depth--; ndr_print_ptr(ndr, "unknown5a", r->out.unknown5a); @@ -2310,8 +2311,8 @@ static enum ndr_err_code ndr_push_PNP_GetHwProfInfo(struct ndr_push *ndr, int fl return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } NDR_CHECK(ndr_push_PNP_HwProfInfo(ndr, NDR_SCALARS, r->in.info)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.unknown1)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.unknown2)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.size)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.flags)); } if (flags & NDR_OUT) { if (r->out.info == NULL) { @@ -2337,8 +2338,8 @@ static enum ndr_err_code ndr_pull_PNP_GetHwProfInfo(struct ndr_pull *ndr, int fl NDR_PULL_SET_MEM_CTX(ndr, r->in.info, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_PNP_HwProfInfo(ndr, NDR_SCALARS, r->in.info)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown1)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown2)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.size)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); NDR_PULL_ALLOC(ndr, r->out.info); *r->out.info = *r->in.info; } @@ -2370,8 +2371,8 @@ _PUBLIC_ void ndr_print_PNP_GetHwProfInfo(struct ndr_print *ndr, const char *nam ndr->depth++; ndr_print_PNP_HwProfInfo(ndr, "info", r->in.info); ndr->depth--; - ndr_print_uint32(ndr, "unknown1", r->in.unknown1); - ndr_print_uint32(ndr, "unknown2", r->in.unknown2); + ndr_print_uint32(ndr, "size", r->in.size); + ndr_print_uint32(ndr, "flags", r->in.flags); ndr->depth--; } if (flags & NDR_OUT) { @@ -3856,10 +3857,11 @@ static const struct ndr_interface_call ntsvcs_calls[] = { static const char * const ntsvcs_endpoint_strings[] = { "ncacn_np:[\\pipe\\ntsvcs]", + "ncacn_np:[\\pipe\\plugplay]", }; static const struct ndr_interface_string_array ntsvcs_endpoints = { - .count = 1, + .count = 2, .names = ntsvcs_endpoint_strings }; diff --git a/source3/librpc/gen_ndr/ndr_samr.c b/source3/librpc/gen_ndr/ndr_samr.c index f83d0f0875..975bde3340 100644 --- a/source3/librpc/gen_ndr/ndr_samr.c +++ b/source3/librpc/gen_ndr/ndr_samr.c @@ -6,6 +6,59 @@ #include "librpc/gen_ndr/ndr_misc.h" #include "librpc/gen_ndr/ndr_lsa.h" #include "librpc/gen_ndr/ndr_security.h" +_PUBLIC_ enum ndr_err_code ndr_push_netr_SamDatabaseID(struct ndr_push *ndr, int ndr_flags, enum netr_SamDatabaseID r) +{ + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r)); + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_netr_SamDatabaseID(struct ndr_pull *ndr, int ndr_flags, enum netr_SamDatabaseID *r) +{ + uint32_t v; + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &v)); + *r = v; + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_netr_SamDatabaseID(struct ndr_print *ndr, const char *name, enum netr_SamDatabaseID r) +{ + const char *val = NULL; + + switch (r) { + case SAM_DATABASE_DOMAIN: val = "SAM_DATABASE_DOMAIN"; break; + case SAM_DATABASE_BUILTIN: val = "SAM_DATABASE_BUILTIN"; break; + case SAM_DATABASE_PRIVS: val = "SAM_DATABASE_PRIVS"; break; + } + ndr_print_enum(ndr, name, "ENUM", val, r); +} + +_PUBLIC_ enum ndr_err_code ndr_push_samr_RejectReason(struct ndr_push *ndr, int ndr_flags, enum samr_RejectReason r) +{ + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r)); + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_samr_RejectReason(struct ndr_pull *ndr, int ndr_flags, enum samr_RejectReason *r) +{ + uint32_t v; + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &v)); + *r = v; + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_samr_RejectReason(struct ndr_print *ndr, const char *name, enum samr_RejectReason r) +{ + const char *val = NULL; + + switch (r) { + case SAMR_REJECT_OTHER: val = "SAMR_REJECT_OTHER"; break; + case SAMR_REJECT_TOO_SHORT: val = "SAMR_REJECT_TOO_SHORT"; break; + case SAMR_REJECT_IN_HISTORY: val = "SAMR_REJECT_IN_HISTORY"; break; + case SAMR_REJECT_COMPLEXITY: val = "SAMR_REJECT_COMPLEXITY"; break; + } + ndr_print_enum(ndr, name, "ENUM", val, r); +} + _PUBLIC_ enum ndr_err_code ndr_push_samr_AcctFlags(struct ndr_push *ndr, int ndr_flags, uint32_t r) { NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r)); @@ -364,6 +417,31 @@ _PUBLIC_ void ndr_print_samr_PasswordProperties(struct ndr_print *ndr, const cha ndr->depth--; } +static enum ndr_err_code ndr_push_samr_DomainServerState(struct ndr_push *ndr, int ndr_flags, enum samr_DomainServerState r) +{ + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r)); + return NDR_ERR_SUCCESS; +} + +static enum ndr_err_code ndr_pull_samr_DomainServerState(struct ndr_pull *ndr, int ndr_flags, enum samr_DomainServerState *r) +{ + uint32_t v; + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &v)); + *r = v; + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_samr_DomainServerState(struct ndr_print *ndr, const char *name, enum samr_DomainServerState r) +{ + const char *val = NULL; + + switch (r) { + case DOMAIN_SERVER_ENABLED: val = "DOMAIN_SERVER_ENABLED"; break; + case DOMAIN_SERVER_DISABLED: val = "DOMAIN_SERVER_DISABLED"; break; + } + ndr_print_enum(ndr, name, "ENUM", val, r); +} + static enum ndr_err_code ndr_push_samr_DomInfo1(struct ndr_push *ndr, int ndr_flags, const struct samr_DomInfo1 *r) { if (ndr_flags & NDR_SCALARS) { @@ -415,7 +493,7 @@ static enum ndr_err_code ndr_push_samr_DomGeneralInformation(struct ndr_push *nd NDR_CHECK(ndr_push_lsa_String(ndr, NDR_SCALARS, &r->domain_name)); NDR_CHECK(ndr_push_lsa_String(ndr, NDR_SCALARS, &r->primary)); NDR_CHECK(ndr_push_udlong(ndr, NDR_SCALARS, r->sequence_num)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown2)); + NDR_CHECK(ndr_push_samr_DomainServerState(ndr, NDR_SCALARS, r->domain_server_state)); NDR_CHECK(ndr_push_samr_Role(ndr, NDR_SCALARS, r->role)); NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown3)); NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->num_users)); @@ -439,7 +517,7 @@ static enum ndr_err_code ndr_pull_samr_DomGeneralInformation(struct ndr_pull *nd NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->domain_name)); NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->primary)); NDR_CHECK(ndr_pull_udlong(ndr, NDR_SCALARS, &r->sequence_num)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown2)); + NDR_CHECK(ndr_pull_samr_DomainServerState(ndr, NDR_SCALARS, &r->domain_server_state)); NDR_CHECK(ndr_pull_samr_Role(ndr, NDR_SCALARS, &r->role)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown3)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_users)); @@ -463,7 +541,7 @@ _PUBLIC_ void ndr_print_samr_DomGeneralInformation(struct ndr_print *ndr, const ndr_print_lsa_String(ndr, "domain_name", &r->domain_name); ndr_print_lsa_String(ndr, "primary", &r->primary); ndr_print_udlong(ndr, "sequence_num", r->sequence_num); - ndr_print_uint32(ndr, "unknown2", r->unknown2); + ndr_print_samr_DomainServerState(ndr, "domain_server_state", r->domain_server_state); ndr_print_samr_Role(ndr, "role", r->role); ndr_print_uint32(ndr, "unknown3", r->unknown3); ndr_print_uint32(ndr, "num_users", r->num_users); @@ -665,7 +743,7 @@ static enum ndr_err_code ndr_push_samr_DomInfo9(struct ndr_push *ndr, int ndr_fl { if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_push_align(ndr, 4)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown)); + NDR_CHECK(ndr_push_samr_DomainServerState(ndr, NDR_SCALARS, r->domain_server_state)); } if (ndr_flags & NDR_BUFFERS) { } @@ -676,7 +754,7 @@ static enum ndr_err_code ndr_pull_samr_DomInfo9(struct ndr_pull *ndr, int ndr_fl { if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown)); + NDR_CHECK(ndr_pull_samr_DomainServerState(ndr, NDR_SCALARS, &r->domain_server_state)); } if (ndr_flags & NDR_BUFFERS) { } @@ -687,7 +765,7 @@ _PUBLIC_ void ndr_print_samr_DomInfo9(struct ndr_print *ndr, const char *name, c { ndr_print_struct(ndr, name, "samr_DomInfo9"); ndr->depth++; - ndr_print_uint32(ndr, "unknown", r->unknown); + ndr_print_samr_DomainServerState(ndr, "domain_server_state", r->domain_server_state); ndr->depth--; } @@ -2961,7 +3039,7 @@ static enum ndr_err_code ndr_push_samr_UserInfo24(struct ndr_push *ndr, int ndr_ if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_push_align(ndr, 1)); NDR_CHECK(ndr_push_samr_CryptPassword(ndr, NDR_SCALARS, &r->password)); - NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->pw_len)); + NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->password_expired)); } if (ndr_flags & NDR_BUFFERS) { } @@ -2973,7 +3051,7 @@ static enum ndr_err_code ndr_pull_samr_UserInfo24(struct ndr_pull *ndr, int ndr_ if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 1)); NDR_CHECK(ndr_pull_samr_CryptPassword(ndr, NDR_SCALARS, &r->password)); - NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->pw_len)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->password_expired)); } if (ndr_flags & NDR_BUFFERS) { } @@ -2985,7 +3063,7 @@ _PUBLIC_ void ndr_print_samr_UserInfo24(struct ndr_print *ndr, const char *name, ndr_print_struct(ndr, name, "samr_UserInfo24"); ndr->depth++; ndr_print_samr_CryptPassword(ndr, "password", &r->password); - ndr_print_uint8(ndr, "pw_len", r->pw_len); + ndr_print_uint8(ndr, "password_expired", r->password_expired); ndr->depth--; } @@ -3074,7 +3152,7 @@ static enum ndr_err_code ndr_push_samr_UserInfo26(struct ndr_push *ndr, int ndr_ if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_push_align(ndr, 1)); NDR_CHECK(ndr_push_samr_CryptPasswordEx(ndr, NDR_SCALARS, &r->password)); - NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->pw_len)); + NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->password_expired)); } if (ndr_flags & NDR_BUFFERS) { } @@ -3086,7 +3164,7 @@ static enum ndr_err_code ndr_pull_samr_UserInfo26(struct ndr_pull *ndr, int ndr_ if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 1)); NDR_CHECK(ndr_pull_samr_CryptPasswordEx(ndr, NDR_SCALARS, &r->password)); - NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->pw_len)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->password_expired)); } if (ndr_flags & NDR_BUFFERS) { } @@ -3098,7 +3176,7 @@ _PUBLIC_ void ndr_print_samr_UserInfo26(struct ndr_print *ndr, const char *name, ndr_print_struct(ndr, name, "samr_UserInfo26"); ndr->depth++; ndr_print_samr_CryptPasswordEx(ndr, "password", &r->password); - ndr_print_uint8(ndr, "pw_len", r->pw_len); + ndr_print_uint8(ndr, "password_expired", r->password_expired); ndr->depth--; } @@ -11907,7 +11985,10 @@ static enum ndr_err_code ndr_push_samr_RidToSid(struct ndr_push *ndr, int flags, if (r->out.sid == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } - NDR_CHECK(ndr_push_dom_sid2(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.sid)); + NDR_CHECK(ndr_push_unique_ptr(ndr, *r->out.sid)); + if (*r->out.sid) { + NDR_CHECK(ndr_push_dom_sid2(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.sid)); + } NDR_CHECK(ndr_push_NTSTATUS(ndr, NDR_SCALARS, r->out.result)); } return NDR_ERR_SUCCESS; @@ -11915,8 +11996,10 @@ static enum ndr_err_code ndr_push_samr_RidToSid(struct ndr_push *ndr, int flags, static enum ndr_err_code ndr_pull_samr_RidToSid(struct ndr_pull *ndr, int flags, struct samr_RidToSid *r) { + uint32_t _ptr_sid; TALLOC_CTX *_mem_save_domain_handle_0; TALLOC_CTX *_mem_save_sid_0; + TALLOC_CTX *_mem_save_sid_1; if (flags & NDR_IN) { ZERO_STRUCT(r->out); @@ -11937,7 +12020,18 @@ static enum ndr_err_code ndr_pull_samr_RidToSid(struct ndr_pull *ndr, int flags, } _mem_save_sid_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->out.sid, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_dom_sid2(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.sid)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); + if (_ptr_sid) { + NDR_PULL_ALLOC(ndr, *r->out.sid); + } else { + *r->out.sid = NULL; + } + if (*r->out.sid) { + _mem_save_sid_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.sid, 0); + NDR_CHECK(ndr_pull_dom_sid2(ndr, NDR_SCALARS|NDR_BUFFERS, *r->out.sid)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sid_1, 0); + } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sid_0, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->out.result)); } @@ -11966,7 +12060,12 @@ _PUBLIC_ void ndr_print_samr_RidToSid(struct ndr_print *ndr, const char *name, i ndr->depth++; ndr_print_ptr(ndr, "sid", r->out.sid); ndr->depth++; - ndr_print_dom_sid2(ndr, "sid", r->out.sid); + ndr_print_ptr(ndr, "sid", *r->out.sid); + ndr->depth++; + if (*r->out.sid) { + ndr_print_dom_sid2(ndr, "sid", *r->out.sid); + } + ndr->depth--; ndr->depth--; ndr_print_NTSTATUS(ndr, "result", r->out.result); ndr->depth--; diff --git a/source3/librpc/gen_ndr/ndr_samr.h b/source3/librpc/gen_ndr/ndr_samr.h index 1f582061f9..64c60ee704 100644 --- a/source3/librpc/gen_ndr/ndr_samr.h +++ b/source3/librpc/gen_ndr/ndr_samr.h @@ -148,6 +148,12 @@ extern const struct ndr_interface_table ndr_table_samr; #define NDR_SAMR_VALIDATEPASSWORD (0x43) #define NDR_SAMR_CALL_COUNT (68) +enum ndr_err_code ndr_push_netr_SamDatabaseID(struct ndr_push *ndr, int ndr_flags, enum netr_SamDatabaseID r); +enum ndr_err_code ndr_pull_netr_SamDatabaseID(struct ndr_pull *ndr, int ndr_flags, enum netr_SamDatabaseID *r); +void ndr_print_netr_SamDatabaseID(struct ndr_print *ndr, const char *name, enum netr_SamDatabaseID r); +enum ndr_err_code ndr_push_samr_RejectReason(struct ndr_push *ndr, int ndr_flags, enum samr_RejectReason r); +enum ndr_err_code ndr_pull_samr_RejectReason(struct ndr_pull *ndr, int ndr_flags, enum samr_RejectReason *r); +void ndr_print_samr_RejectReason(struct ndr_print *ndr, const char *name, enum samr_RejectReason r); enum ndr_err_code ndr_push_samr_AcctFlags(struct ndr_push *ndr, int ndr_flags, uint32_t r); enum ndr_err_code ndr_pull_samr_AcctFlags(struct ndr_pull *ndr, int ndr_flags, uint32_t *r); void ndr_print_samr_AcctFlags(struct ndr_print *ndr, const char *name, uint32_t r); @@ -162,6 +168,7 @@ void ndr_print_samr_Role(struct ndr_print *ndr, const char *name, enum samr_Role enum ndr_err_code ndr_push_samr_PasswordProperties(struct ndr_push *ndr, int ndr_flags, uint32_t r); enum ndr_err_code ndr_pull_samr_PasswordProperties(struct ndr_pull *ndr, int ndr_flags, uint32_t *r); void ndr_print_samr_PasswordProperties(struct ndr_print *ndr, const char *name, uint32_t r); +void ndr_print_samr_DomainServerState(struct ndr_print *ndr, const char *name, enum samr_DomainServerState r); void ndr_print_samr_DomInfo1(struct ndr_print *ndr, const char *name, const struct samr_DomInfo1 *r); void ndr_print_samr_DomGeneralInformation(struct ndr_print *ndr, const char *name, const struct samr_DomGeneralInformation *r); void ndr_print_samr_DomInfo3(struct ndr_print *ndr, const char *name, const struct samr_DomInfo3 *r); diff --git a/source3/librpc/gen_ndr/ndr_security.c b/source3/librpc/gen_ndr/ndr_security.c index de899241ab..108f2f689c 100644 --- a/source3/librpc/gen_ndr/ndr_security.c +++ b/source3/librpc/gen_ndr/ndr_security.c @@ -4,13 +4,14 @@ #include "librpc/gen_ndr/ndr_security.h" #include "librpc/gen_ndr/ndr_misc.h" -static enum ndr_err_code ndr_push_security_ace_flags(struct ndr_push *ndr, int ndr_flags, uint8_t r) +#include "librpc/gen_ndr/ndr_dom_sid.h" +_PUBLIC_ enum ndr_err_code ndr_push_security_ace_flags(struct ndr_push *ndr, int ndr_flags, uint8_t r) { NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r)); return NDR_ERR_SUCCESS; } -static enum ndr_err_code ndr_pull_security_ace_flags(struct ndr_pull *ndr, int ndr_flags, uint8_t *r) +_PUBLIC_ enum ndr_err_code ndr_pull_security_ace_flags(struct ndr_pull *ndr, int ndr_flags, uint8_t *r) { uint8_t v; NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &v)); @@ -33,13 +34,13 @@ _PUBLIC_ void ndr_print_security_ace_flags(struct ndr_print *ndr, const char *na ndr->depth--; } -static enum ndr_err_code ndr_push_security_ace_type(struct ndr_push *ndr, int ndr_flags, enum security_ace_type r) +_PUBLIC_ enum ndr_err_code ndr_push_security_ace_type(struct ndr_push *ndr, int ndr_flags, enum security_ace_type r) { NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r)); return NDR_ERR_SUCCESS; } -static enum ndr_err_code ndr_pull_security_ace_type(struct ndr_pull *ndr, int ndr_flags, enum security_ace_type *r) +_PUBLIC_ enum ndr_err_code ndr_pull_security_ace_type(struct ndr_pull *ndr, int ndr_flags, enum security_ace_type *r) { uint8_t v; NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &v)); @@ -278,7 +279,7 @@ _PUBLIC_ void ndr_print_security_ace_object(struct ndr_print *ndr, const char *n ndr->depth--; } -static enum ndr_err_code ndr_push_security_ace_object_ctr(struct ndr_push *ndr, int ndr_flags, const union security_ace_object_ctr *r) +_PUBLIC_ enum ndr_err_code ndr_push_security_ace_object_ctr(struct ndr_push *ndr, int ndr_flags, const union security_ace_object_ctr *r) { if (ndr_flags & NDR_SCALARS) { int level = ndr_push_get_switch_value(ndr, r); @@ -331,7 +332,7 @@ static enum ndr_err_code ndr_push_security_ace_object_ctr(struct ndr_push *ndr, return NDR_ERR_SUCCESS; } -static enum ndr_err_code ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, int ndr_flags, union security_ace_object_ctr *r) +_PUBLIC_ enum ndr_err_code ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, int ndr_flags, union security_ace_object_ctr *r) { int level; level = ndr_pull_get_switch_value(ndr, r); @@ -431,25 +432,6 @@ _PUBLIC_ enum ndr_err_code ndr_push_security_ace(struct ndr_push *ndr, int ndr_f return NDR_ERR_SUCCESS; } -_PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, int ndr_flags, struct security_ace *r) -{ - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_align(ndr, 4)); - NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, &r->type)); - NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, &r->flags)); - NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask)); - NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type)); - NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, NDR_SCALARS, &r->object)); - NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee)); - } - if (ndr_flags & NDR_BUFFERS) { - NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, NDR_BUFFERS, &r->object)); - NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_BUFFERS, &r->trustee)); - } - return NDR_ERR_SUCCESS; -} - _PUBLIC_ void ndr_print_security_ace(struct ndr_print *ndr, const char *name, const struct security_ace *r) { ndr_print_struct(ndr, name, "security_ace"); diff --git a/source3/librpc/gen_ndr/ndr_security.h b/source3/librpc/gen_ndr/ndr_security.h index 7a2ff74309..bddf1bd2b7 100644 --- a/source3/librpc/gen_ndr/ndr_security.h +++ b/source3/librpc/gen_ndr/ndr_security.h @@ -6,13 +6,20 @@ #ifndef _HEADER_NDR_security #define _HEADER_NDR_security +#include "librpc/gen_ndr/ndr_dom_sid.h" #define NDR_SECURITY_CALL_COUNT (0) +enum ndr_err_code ndr_push_security_ace_flags(struct ndr_push *ndr, int ndr_flags, uint8_t r); +enum ndr_err_code ndr_pull_security_ace_flags(struct ndr_pull *ndr, int ndr_flags, uint8_t *r); void ndr_print_security_ace_flags(struct ndr_print *ndr, const char *name, uint8_t r); +enum ndr_err_code ndr_push_security_ace_type(struct ndr_push *ndr, int ndr_flags, enum security_ace_type r); +enum ndr_err_code ndr_pull_security_ace_type(struct ndr_pull *ndr, int ndr_flags, enum security_ace_type *r); void ndr_print_security_ace_type(struct ndr_print *ndr, const char *name, enum security_ace_type r); void ndr_print_security_ace_object_flags(struct ndr_print *ndr, const char *name, uint32_t r); void ndr_print_security_ace_object_type(struct ndr_print *ndr, const char *name, const union security_ace_object_type *r); void ndr_print_security_ace_object_inherited_type(struct ndr_print *ndr, const char *name, const union security_ace_object_inherited_type *r); void ndr_print_security_ace_object(struct ndr_print *ndr, const char *name, const struct security_ace_object *r); +enum ndr_err_code ndr_push_security_ace_object_ctr(struct ndr_push *ndr, int ndr_flags, const union security_ace_object_ctr *r); +enum ndr_err_code ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, int ndr_flags, union security_ace_object_ctr *r); void ndr_print_security_ace_object_ctr(struct ndr_print *ndr, const char *name, const union security_ace_object_ctr *r); enum ndr_err_code ndr_push_security_ace(struct ndr_push *ndr, int ndr_flags, const struct security_ace *r); enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, int ndr_flags, struct security_ace *r); diff --git a/source3/librpc/gen_ndr/ndr_svcctl.c b/source3/librpc/gen_ndr/ndr_svcctl.c index d04c89b9a1..2bccde9ba0 100644 --- a/source3/librpc/gen_ndr/ndr_svcctl.c +++ b/source3/librpc/gen_ndr/ndr_svcctl.c @@ -297,6 +297,34 @@ _PUBLIC_ void ndr_print_svcctl_ServerType(struct ndr_print *ndr, const char *nam ndr->depth--; } +static enum ndr_err_code ndr_push_SERVICE_CONTROL(struct ndr_push *ndr, int ndr_flags, enum SERVICE_CONTROL r) +{ + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r)); + return NDR_ERR_SUCCESS; +} + +static enum ndr_err_code ndr_pull_SERVICE_CONTROL(struct ndr_pull *ndr, int ndr_flags, enum SERVICE_CONTROL *r) +{ + uint32_t v; + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &v)); + *r = v; + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_SERVICE_CONTROL(struct ndr_print *ndr, const char *name, enum SERVICE_CONTROL r) +{ + const char *val = NULL; + + switch (r) { + case SVCCTL_CONTROL_STOP: val = "SVCCTL_CONTROL_STOP"; break; + case SVCCTL_CONTROL_PAUSE: val = "SVCCTL_CONTROL_PAUSE"; break; + case SVCCTL_CONTROL_CONTINUE: val = "SVCCTL_CONTROL_CONTINUE"; break; + case SVCCTL_CONTROL_INTERROGATE: val = "SVCCTL_CONTROL_INTERROGATE"; break; + case SVCCTL_CONTROL_SHUTDOWN: val = "SVCCTL_CONTROL_SHUTDOWN"; break; + } + ndr_print_enum(ndr, name, "ENUM", val, r); +} + static enum ndr_err_code ndr_push_svcctl_MgrAccessMask(struct ndr_push *ndr, int ndr_flags, uint32_t r) { NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r)); @@ -646,7 +674,7 @@ static enum ndr_err_code ndr_push_svcctl_ControlService(struct ndr_push *ndr, in return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); } NDR_CHECK(ndr_push_policy_handle(ndr, NDR_SCALARS, r->in.handle)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.control)); + NDR_CHECK(ndr_push_SERVICE_CONTROL(ndr, NDR_SCALARS, r->in.control)); } if (flags & NDR_OUT) { if (r->out.service_status == NULL) { @@ -672,7 +700,7 @@ static enum ndr_err_code ndr_pull_svcctl_ControlService(struct ndr_pull *ndr, in NDR_PULL_SET_MEM_CTX(ndr, r->in.handle, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_policy_handle(ndr, NDR_SCALARS, r->in.handle)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.control)); + NDR_CHECK(ndr_pull_SERVICE_CONTROL(ndr, NDR_SCALARS, &r->in.control)); NDR_PULL_ALLOC(ndr, r->out.service_status); ZERO_STRUCTP(r->out.service_status); } @@ -703,7 +731,7 @@ _PUBLIC_ void ndr_print_svcctl_ControlService(struct ndr_print *ndr, const char ndr->depth++; ndr_print_policy_handle(ndr, "handle", r->in.handle); ndr->depth--; - ndr_print_uint32(ndr, "control", r->in.control); + ndr_print_SERVICE_CONTROL(ndr, "control", r->in.control); ndr->depth--; } if (flags & NDR_OUT) { @@ -2095,6 +2123,9 @@ static enum ndr_err_code ndr_push_svcctl_EnumServicesStatusW(struct ndr_push *nd } } if (flags & NDR_OUT) { + if (r->out.service == NULL) { + return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); + } NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.buf_size)); NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->out.service, r->in.buf_size)); if (r->out.bytes_needed == NULL) { @@ -2134,6 +2165,9 @@ static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusW(struct ndr_pull *nd NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.type)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.state)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.buf_size)); + if (r->in.buf_size < 0 || r->in.buf_size > 262144) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_resume_handle)); if (_ptr_resume_handle) { NDR_PULL_ALLOC(ndr, r->in.resume_handle); @@ -2146,6 +2180,8 @@ static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusW(struct ndr_pull *nd NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->in.resume_handle)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_resume_handle_0, 0); } + NDR_PULL_ALLOC_N(ndr, r->out.service, r->in.buf_size); + memset(r->out.service, 0, (r->in.buf_size) * sizeof(*r->out.service)); NDR_PULL_ALLOC(ndr, r->out.bytes_needed); ZERO_STRUCTP(r->out.bytes_needed); NDR_PULL_ALLOC(ndr, r->out.services_returned); @@ -2153,7 +2189,9 @@ static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusW(struct ndr_pull *nd } if (flags & NDR_OUT) { NDR_CHECK(ndr_pull_array_size(ndr, &r->out.service)); - NDR_PULL_ALLOC_N(ndr, r->out.service, ndr_get_array_size(ndr, &r->out.service)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC_N(ndr, r->out.service, ndr_get_array_size(ndr, &r->out.service)); + } NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service, ndr_get_array_size(ndr, &r->out.service))); if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { NDR_PULL_ALLOC(ndr, r->out.bytes_needed); @@ -2161,6 +2199,9 @@ static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusW(struct ndr_pull *nd _mem_save_bytes_needed_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->out.bytes_needed, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->out.bytes_needed)); + if (*r->out.bytes_needed < 0 || *r->out.bytes_needed > 262144) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_bytes_needed_0, LIBNDR_FLAG_REF_ALLOC); if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { NDR_PULL_ALLOC(ndr, r->out.services_returned); @@ -2168,6 +2209,9 @@ static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusW(struct ndr_pull *nd _mem_save_services_returned_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->out.services_returned, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->out.services_returned)); + if (*r->out.services_returned < 0 || *r->out.services_returned > 262144) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_services_returned_0, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_resume_handle)); if (_ptr_resume_handle) { @@ -2217,7 +2261,10 @@ _PUBLIC_ void ndr_print_svcctl_EnumServicesStatusW(struct ndr_print *ndr, const if (flags & NDR_OUT) { ndr_print_struct(ndr, "out", "svcctl_EnumServicesStatusW"); ndr->depth++; + ndr_print_ptr(ndr, "service", r->out.service); + ndr->depth++; ndr_print_array_uint8(ndr, "service", r->out.service, r->in.buf_size); + ndr->depth--; ndr_print_ptr(ndr, "bytes_needed", r->out.bytes_needed); ndr->depth++; ndr_print_uint32(ndr, "bytes_needed", *r->out.bytes_needed); @@ -5305,6 +5352,10 @@ static enum ndr_err_code ndr_push_svcctl_QueryServiceConfig2W(struct ndr_push *n NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.buf_size)); } if (flags & NDR_OUT) { + if (r->out.buffer == NULL) { + return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); + } + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.buf_size)); NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->out.buffer, r->in.buf_size)); if (r->out.bytes_needed == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); @@ -5331,20 +5382,34 @@ static enum ndr_err_code ndr_pull_svcctl_QueryServiceConfig2W(struct ndr_pull *n NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.info_level)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.buf_size)); + if (r->in.buf_size < 0 || r->in.buf_size > 8192) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_PULL_ALLOC_N(ndr, r->out.buffer, r->in.buf_size); + memset(r->out.buffer, 0, (r->in.buf_size) * sizeof(*r->out.buffer)); NDR_PULL_ALLOC(ndr, r->out.bytes_needed); ZERO_STRUCTP(r->out.bytes_needed); } if (flags & NDR_OUT) { - NDR_PULL_ALLOC_N(ndr, r->out.buffer, r->in.buf_size); - NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, r->in.buf_size)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); + } + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { NDR_PULL_ALLOC(ndr, r->out.bytes_needed); } _mem_save_bytes_needed_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->out.bytes_needed, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->out.bytes_needed)); + if (*r->out.bytes_needed < 0 || *r->out.bytes_needed > 8192) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_bytes_needed_0, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); + if (r->out.buffer) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.buffer, r->in.buf_size)); + } } return NDR_ERR_SUCCESS; } @@ -5370,7 +5435,10 @@ _PUBLIC_ void ndr_print_svcctl_QueryServiceConfig2W(struct ndr_print *ndr, const if (flags & NDR_OUT) { ndr_print_struct(ndr, "out", "svcctl_QueryServiceConfig2W"); ndr->depth++; + ndr_print_ptr(ndr, "buffer", r->out.buffer); + ndr->depth++; ndr_print_array_uint8(ndr, "buffer", r->out.buffer, r->in.buf_size); + ndr->depth--; ndr_print_ptr(ndr, "bytes_needed", r->out.bytes_needed); ndr->depth++; ndr_print_uint32(ndr, "bytes_needed", *r->out.bytes_needed); @@ -5392,6 +5460,10 @@ static enum ndr_err_code ndr_push_svcctl_QueryServiceStatusEx(struct ndr_push *n NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.buf_size)); } if (flags & NDR_OUT) { + if (r->out.buffer == NULL) { + return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); + } + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.buf_size)); NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->out.buffer, r->in.buf_size)); if (r->out.bytes_needed == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); @@ -5418,20 +5490,34 @@ static enum ndr_err_code ndr_pull_svcctl_QueryServiceStatusEx(struct ndr_pull *n NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.info_level)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.buf_size)); + if (r->in.buf_size < 0 || r->in.buf_size > 8192) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_PULL_ALLOC_N(ndr, r->out.buffer, r->in.buf_size); + memset(r->out.buffer, 0, (r->in.buf_size) * sizeof(*r->out.buffer)); NDR_PULL_ALLOC(ndr, r->out.bytes_needed); ZERO_STRUCTP(r->out.bytes_needed); } if (flags & NDR_OUT) { - NDR_PULL_ALLOC_N(ndr, r->out.buffer, r->in.buf_size); - NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, r->in.buf_size)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); + } + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { NDR_PULL_ALLOC(ndr, r->out.bytes_needed); } _mem_save_bytes_needed_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->out.bytes_needed, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->out.bytes_needed)); + if (*r->out.bytes_needed < 0 || *r->out.bytes_needed > 8192) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_bytes_needed_0, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); + if (r->out.buffer) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.buffer, r->in.buf_size)); + } } return NDR_ERR_SUCCESS; } @@ -5457,7 +5543,10 @@ _PUBLIC_ void ndr_print_svcctl_QueryServiceStatusEx(struct ndr_print *ndr, const if (flags & NDR_OUT) { ndr_print_struct(ndr, "out", "svcctl_QueryServiceStatusEx"); ndr->depth++; + ndr_print_ptr(ndr, "buffer", r->out.buffer); + ndr->depth++; ndr_print_array_uint8(ndr, "buffer", r->out.buffer, r->in.buf_size); + ndr->depth--; ndr_print_ptr(ndr, "bytes_needed", r->out.bytes_needed); ndr->depth++; ndr_print_uint32(ndr, "bytes_needed", *r->out.bytes_needed); @@ -5688,8 +5777,19 @@ static enum ndr_err_code ndr_push_EnumServicesStatusExW(struct ndr_push *ndr, in if (r->in.resume_handle) { NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, *r->in.resume_handle)); } + NDR_CHECK(ndr_push_unique_ptr(ndr, r->in.group_name)); + if (r->in.group_name) { + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(r->in.group_name, CH_UTF16))); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(r->in.group_name, CH_UTF16))); + NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->in.group_name, ndr_charset_length(r->in.group_name, CH_UTF16), sizeof(uint16_t), CH_UTF16)); + } } if (flags & NDR_OUT) { + if (r->out.services == NULL) { + return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); + } + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->in.buf_size)); NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->out.services, r->in.buf_size)); if (r->out.bytes_needed == NULL) { return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); @@ -5703,16 +5803,6 @@ static enum ndr_err_code ndr_push_EnumServicesStatusExW(struct ndr_push *ndr, in if (r->out.resume_handle) { NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, *r->out.resume_handle)); } - if (r->out.group_name == NULL) { - return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer"); - } - NDR_CHECK(ndr_push_unique_ptr(ndr, *r->out.group_name)); - if (*r->out.group_name) { - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(*r->out.group_name, CH_UTF16))); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(*r->out.group_name, CH_UTF16))); - NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, *r->out.group_name, ndr_charset_length(*r->out.group_name, CH_UTF16), sizeof(uint16_t), CH_UTF16)); - } NDR_CHECK(ndr_push_WERROR(ndr, NDR_SCALARS, r->out.result)); } return NDR_ERR_SUCCESS; @@ -5727,7 +5817,6 @@ static enum ndr_err_code ndr_pull_EnumServicesStatusExW(struct ndr_pull *ndr, in TALLOC_CTX *_mem_save_service_returned_0; TALLOC_CTX *_mem_save_resume_handle_0; TALLOC_CTX *_mem_save_group_name_0; - TALLOC_CTX *_mem_save_group_name_1; if (flags & NDR_IN) { ZERO_STRUCT(r->out); @@ -5742,6 +5831,9 @@ static enum ndr_err_code ndr_pull_EnumServicesStatusExW(struct ndr_pull *ndr, in NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.type)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.state)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.buf_size)); + if (r->in.buf_size < 0 || r->in.buf_size > 262144) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_resume_handle)); if (_ptr_resume_handle) { NDR_PULL_ALLOC(ndr, r->in.resume_handle); @@ -5752,24 +5844,51 @@ static enum ndr_err_code ndr_pull_EnumServicesStatusExW(struct ndr_pull *ndr, in _mem_save_resume_handle_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->in.resume_handle, 0); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->in.resume_handle)); + if (*r->in.resume_handle < 0 || *r->in.resume_handle > 262144) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_resume_handle_0, 0); } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_name)); + if (_ptr_group_name) { + NDR_PULL_ALLOC(ndr, r->in.group_name); + } else { + r->in.group_name = NULL; + } + if (r->in.group_name) { + _mem_save_group_name_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.group_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.group_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.group_name)); + if (ndr_get_array_length(ndr, &r->in.group_name) > ndr_get_array_size(ndr, &r->in.group_name)) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.group_name), ndr_get_array_length(ndr, &r->in.group_name)); + } + NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.group_name), sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.group_name, ndr_get_array_length(ndr, &r->in.group_name), sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_name_0, 0); + } + NDR_PULL_ALLOC_N(ndr, r->out.services, r->in.buf_size); + memset(r->out.services, 0, (r->in.buf_size) * sizeof(*r->out.services)); NDR_PULL_ALLOC(ndr, r->out.bytes_needed); ZERO_STRUCTP(r->out.bytes_needed); NDR_PULL_ALLOC(ndr, r->out.service_returned); ZERO_STRUCTP(r->out.service_returned); - NDR_PULL_ALLOC(ndr, r->out.group_name); - ZERO_STRUCTP(r->out.group_name); } if (flags & NDR_OUT) { - NDR_PULL_ALLOC_N(ndr, r->out.services, r->in.buf_size); - NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.services, r->in.buf_size)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.services)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC_N(ndr, r->out.services, ndr_get_array_size(ndr, &r->out.services)); + } + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.services, ndr_get_array_size(ndr, &r->out.services))); if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { NDR_PULL_ALLOC(ndr, r->out.bytes_needed); } _mem_save_bytes_needed_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->out.bytes_needed, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->out.bytes_needed)); + if (*r->out.bytes_needed < 0 || *r->out.bytes_needed > 262144) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_bytes_needed_0, LIBNDR_FLAG_REF_ALLOC); if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { NDR_PULL_ALLOC(ndr, r->out.service_returned); @@ -5777,6 +5896,9 @@ static enum ndr_err_code ndr_pull_EnumServicesStatusExW(struct ndr_pull *ndr, in _mem_save_service_returned_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->out.service_returned, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->out.service_returned)); + if (*r->out.service_returned < 0 || *r->out.service_returned > 262144) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_returned_0, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_resume_handle)); if (_ptr_resume_handle) { @@ -5788,33 +5910,15 @@ static enum ndr_err_code ndr_pull_EnumServicesStatusExW(struct ndr_pull *ndr, in _mem_save_resume_handle_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->out.resume_handle, 0); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, r->out.resume_handle)); - NDR_PULL_SET_MEM_CTX(ndr, _mem_save_resume_handle_0, 0); - } - if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { - NDR_PULL_ALLOC(ndr, r->out.group_name); - } - _mem_save_group_name_0 = NDR_PULL_GET_MEM_CTX(ndr); - NDR_PULL_SET_MEM_CTX(ndr, r->out.group_name, LIBNDR_FLAG_REF_ALLOC); - NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_name)); - if (_ptr_group_name) { - NDR_PULL_ALLOC(ndr, *r->out.group_name); - } else { - *r->out.group_name = NULL; - } - if (*r->out.group_name) { - _mem_save_group_name_1 = NDR_PULL_GET_MEM_CTX(ndr); - NDR_PULL_SET_MEM_CTX(ndr, *r->out.group_name, 0); - NDR_CHECK(ndr_pull_array_size(ndr, r->out.group_name)); - NDR_CHECK(ndr_pull_array_length(ndr, r->out.group_name)); - if (ndr_get_array_length(ndr, r->out.group_name) > ndr_get_array_size(ndr, r->out.group_name)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.group_name), ndr_get_array_length(ndr, r->out.group_name)); + if (*r->out.resume_handle < 0 || *r->out.resume_handle > 262144) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.group_name), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.group_name, ndr_get_array_length(ndr, r->out.group_name), sizeof(uint16_t), CH_UTF16)); - NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_name_1, 0); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_resume_handle_0, 0); } - NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_name_0, LIBNDR_FLAG_REF_ALLOC); NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); + if (r->out.services) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.services, r->in.buf_size)); + } } return NDR_ERR_SUCCESS; } @@ -5843,12 +5947,21 @@ _PUBLIC_ void ndr_print_EnumServicesStatusExW(struct ndr_print *ndr, const char ndr_print_uint32(ndr, "resume_handle", *r->in.resume_handle); } ndr->depth--; + ndr_print_ptr(ndr, "group_name", r->in.group_name); + ndr->depth++; + if (r->in.group_name) { + ndr_print_string(ndr, "group_name", r->in.group_name); + } + ndr->depth--; ndr->depth--; } if (flags & NDR_OUT) { ndr_print_struct(ndr, "out", "EnumServicesStatusExW"); ndr->depth++; + ndr_print_ptr(ndr, "services", r->out.services); + ndr->depth++; ndr_print_array_uint8(ndr, "services", r->out.services, r->in.buf_size); + ndr->depth--; ndr_print_ptr(ndr, "bytes_needed", r->out.bytes_needed); ndr->depth++; ndr_print_uint32(ndr, "bytes_needed", *r->out.bytes_needed); @@ -5863,15 +5976,6 @@ _PUBLIC_ void ndr_print_EnumServicesStatusExW(struct ndr_print *ndr, const char ndr_print_uint32(ndr, "resume_handle", *r->out.resume_handle); } ndr->depth--; - ndr_print_ptr(ndr, "group_name", r->out.group_name); - ndr->depth++; - ndr_print_ptr(ndr, "group_name", *r->out.group_name); - ndr->depth++; - if (*r->out.group_name) { - ndr_print_string(ndr, "group_name", *r->out.group_name); - } - ndr->depth--; - ndr->depth--; ndr_print_WERROR(ndr, "result", r->out.result); ndr->depth--; } diff --git a/source3/librpc/gen_ndr/ndr_svcctl.h b/source3/librpc/gen_ndr/ndr_svcctl.h index 0bebd3401a..8d7739a7db 100644 --- a/source3/librpc/gen_ndr/ndr_svcctl.h +++ b/source3/librpc/gen_ndr/ndr_svcctl.h @@ -106,6 +106,7 @@ void ndr_print_ENUM_SERVICE_STATUS(struct ndr_print *ndr, const char *name, cons enum ndr_err_code ndr_push_svcctl_ServerType(struct ndr_push *ndr, int ndr_flags, uint32_t r); enum ndr_err_code ndr_pull_svcctl_ServerType(struct ndr_pull *ndr, int ndr_flags, uint32_t *r); void ndr_print_svcctl_ServerType(struct ndr_print *ndr, const char *name, uint32_t r); +void ndr_print_SERVICE_CONTROL(struct ndr_print *ndr, const char *name, enum SERVICE_CONTROL r); void ndr_print_svcctl_MgrAccessMask(struct ndr_print *ndr, const char *name, uint32_t r); void ndr_print_svcctl_ServiceAccessMask(struct ndr_print *ndr, const char *name, uint32_t r); enum ndr_err_code ndr_push_QUERY_SERVICE_CONFIG(struct ndr_push *ndr, int ndr_flags, const struct QUERY_SERVICE_CONFIG *r); diff --git a/source3/librpc/gen_ndr/ndr_xattr.c b/source3/librpc/gen_ndr/ndr_xattr.c index 0e9dda9f47..75781d763d 100644 --- a/source3/librpc/gen_ndr/ndr_xattr.c +++ b/source3/librpc/gen_ndr/ndr_xattr.c @@ -546,12 +546,12 @@ _PUBLIC_ void ndr_print_xattr_DosStreams(struct ndr_print *ndr, const char *name ndr->depth--; } -_PUBLIC_ enum ndr_err_code ndr_push_security_descriptor_timestamp(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_timestamp *r) +_PUBLIC_ enum ndr_err_code ndr_push_security_descriptor_hash(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_hash *r) { if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_push_align(ndr, 4)); NDR_CHECK(ndr_push_unique_ptr(ndr, r->sd)); - NDR_CHECK(ndr_push_NTTIME(ndr, NDR_SCALARS, r->last_changed)); + NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); } if (ndr_flags & NDR_BUFFERS) { if (r->sd) { @@ -561,7 +561,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_security_descriptor_timestamp(struct ndr_pus return NDR_ERR_SUCCESS; } -_PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_timestamp(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_timestamp *r) +_PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_hash(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_hash *r) { uint32_t _ptr_sd; TALLOC_CTX *_mem_save_sd_0; @@ -573,7 +573,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_timestamp(struct ndr_pul } else { r->sd = NULL; } - NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->last_changed)); + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); } if (ndr_flags & NDR_BUFFERS) { if (r->sd) { @@ -586,9 +586,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_timestamp(struct ndr_pul return NDR_ERR_SUCCESS; } -_PUBLIC_ void ndr_print_security_descriptor_timestamp(struct ndr_print *ndr, const char *name, const struct security_descriptor_timestamp *r) +_PUBLIC_ void ndr_print_security_descriptor_hash(struct ndr_print *ndr, const char *name, const struct security_descriptor_hash *r) { - ndr_print_struct(ndr, name, "security_descriptor_timestamp"); + ndr_print_struct(ndr, name, "security_descriptor_hash"); ndr->depth++; ndr_print_ptr(ndr, "sd", r->sd); ndr->depth++; @@ -596,7 +596,7 @@ _PUBLIC_ void ndr_print_security_descriptor_timestamp(struct ndr_print *ndr, con ndr_print_security_descriptor(ndr, "sd", r->sd); } ndr->depth--; - ndr_print_NTTIME(ndr, "last_changed", r->last_changed); + ndr_print_array_uint8(ndr, "hash", r->hash, 16); ndr->depth--; } @@ -611,7 +611,7 @@ static enum ndr_err_code ndr_push_xattr_NTACL_Info(struct ndr_push *ndr, int ndr break; } case 2: { - NDR_CHECK(ndr_push_unique_ptr(ndr, r->sd_ts)); + NDR_CHECK(ndr_push_unique_ptr(ndr, r->sd_hs)); break; } default: @@ -628,8 +628,8 @@ static enum ndr_err_code ndr_push_xattr_NTACL_Info(struct ndr_push *ndr, int ndr break; case 2: - if (r->sd_ts) { - NDR_CHECK(ndr_push_security_descriptor_timestamp(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_ts)); + if (r->sd_hs) { + NDR_CHECK(ndr_push_security_descriptor_hash(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_hs)); } break; @@ -645,7 +645,7 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr int level; uint16_t _level; TALLOC_CTX *_mem_save_sd_0; - TALLOC_CTX *_mem_save_sd_ts_0; + TALLOC_CTX *_mem_save_sd_hs_0; level = ndr_pull_get_switch_value(ndr, r); if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); @@ -664,12 +664,12 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr break; } case 2: { - uint32_t _ptr_sd_ts; - NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd_ts)); - if (_ptr_sd_ts) { - NDR_PULL_ALLOC(ndr, r->sd_ts); + uint32_t _ptr_sd_hs; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd_hs)); + if (_ptr_sd_hs) { + NDR_PULL_ALLOC(ndr, r->sd_hs); } else { - r->sd_ts = NULL; + r->sd_hs = NULL; } break; } @@ -689,11 +689,11 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr break; case 2: - if (r->sd_ts) { - _mem_save_sd_ts_0 = NDR_PULL_GET_MEM_CTX(ndr); - NDR_PULL_SET_MEM_CTX(ndr, r->sd_ts, 0); - NDR_CHECK(ndr_pull_security_descriptor_timestamp(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_ts)); - NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sd_ts_0, 0); + if (r->sd_hs) { + _mem_save_sd_hs_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sd_hs, 0); + NDR_CHECK(ndr_pull_security_descriptor_hash(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_hs)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sd_hs_0, 0); } break; @@ -720,10 +720,10 @@ _PUBLIC_ void ndr_print_xattr_NTACL_Info(struct ndr_print *ndr, const char *name break; case 2: - ndr_print_ptr(ndr, "sd_ts", r->sd_ts); + ndr_print_ptr(ndr, "sd_hs", r->sd_hs); ndr->depth++; - if (r->sd_ts) { - ndr_print_security_descriptor_timestamp(ndr, "sd_ts", r->sd_ts); + if (r->sd_hs) { + ndr_print_security_descriptor_hash(ndr, "sd_hs", r->sd_hs); } ndr->depth--; break; diff --git a/source3/librpc/gen_ndr/ndr_xattr.h b/source3/librpc/gen_ndr/ndr_xattr.h index 38701b1aca..c565e8513a 100644 --- a/source3/librpc/gen_ndr/ndr_xattr.h +++ b/source3/librpc/gen_ndr/ndr_xattr.h @@ -24,9 +24,9 @@ void ndr_print_xattr_DosStream(struct ndr_print *ndr, const char *name, const st enum ndr_err_code ndr_push_xattr_DosStreams(struct ndr_push *ndr, int ndr_flags, const struct xattr_DosStreams *r); enum ndr_err_code ndr_pull_xattr_DosStreams(struct ndr_pull *ndr, int ndr_flags, struct xattr_DosStreams *r); void ndr_print_xattr_DosStreams(struct ndr_print *ndr, const char *name, const struct xattr_DosStreams *r); -enum ndr_err_code ndr_push_security_descriptor_timestamp(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_timestamp *r); -enum ndr_err_code ndr_pull_security_descriptor_timestamp(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_timestamp *r); -void ndr_print_security_descriptor_timestamp(struct ndr_print *ndr, const char *name, const struct security_descriptor_timestamp *r); +enum ndr_err_code ndr_push_security_descriptor_hash(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_hash *r); +enum ndr_err_code ndr_pull_security_descriptor_hash(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_hash *r); +void ndr_print_security_descriptor_hash(struct ndr_print *ndr, const char *name, const struct security_descriptor_hash *r); void ndr_print_xattr_NTACL_Info(struct ndr_print *ndr, const char *name, const union xattr_NTACL_Info *r); enum ndr_err_code ndr_push_xattr_NTACL(struct ndr_push *ndr, int ndr_flags, const struct xattr_NTACL *r); enum ndr_err_code ndr_pull_xattr_NTACL(struct ndr_pull *ndr, int ndr_flags, struct xattr_NTACL *r); diff --git a/source3/librpc/gen_ndr/netlogon.h b/source3/librpc/gen_ndr/netlogon.h index fd9e08b461..4d9b549e75 100644 --- a/source3/librpc/gen_ndr/netlogon.h +++ b/source3/librpc/gen_ndr/netlogon.h @@ -7,11 +7,17 @@ #include "librpc/gen_ndr/samr.h" #include "librpc/gen_ndr/security.h" #include "librpc/gen_ndr/nbt.h" +#define netr_DeltaEnum8Bit netr_DeltaEnum +#define netr_SamDatabaseID8Bit netr_SamDatabaseID #ifndef _HEADER_netlogon #define _HEADER_netlogon #define DSGETDC_VALID_FLAGS ( (DS_FORCE_REDISCOVERY|DS_DIRECTORY_SERVICE_REQUIRED|DS_DIRECTORY_SERVICE_PREFERRED|DS_GC_SERVER_REQUIRED|DS_PDC_REQUIRED|DS_BACKGROUND_ONLY|DS_IP_REQUIRED|DS_KDC_REQUIRED|DS_TIMESERV_REQUIRED|DS_WRITABLE_REQUIRED|DS_GOOD_TIMESERV_PREFERRED|DS_AVOID_SELF|DS_ONLY_LDAP_NEEDED|DS_IS_FLAT_NAME|DS_IS_DNS_NAME|DS_RETURN_FLAT_NAME|DS_RETURN_DNS_NAME) ) #define DS_GFTI_UPDATE_TDO ( 0x1 ) +enum netr_DeltaEnum8Bit; + +enum netr_SamDatabaseID8Bit; + struct netr_UasInfo { const char *account_name;/* [unique,charset(UTF16)] */ uint32_t priv; @@ -324,7 +330,7 @@ struct netr_DELTA_USER { uint8_t lm_password_present; uint8_t password_expired; struct lsa_String comment; - struct lsa_String parameters; + struct lsa_BinaryString parameters; uint16_t country_code; uint16_t code_page; struct netr_USER_PRIVATE_INFO user_private_info; @@ -712,6 +718,28 @@ union netr_CONTROL_DATA_INFORMATION { #define NETLOGON_NEG_AUTHENTICATED_RPC_LSASS ( 0x20000000 ) #define NETLOGON_NEG_SCHANNEL ( 0x40000000 ) +/* bitmap netr_ChangeLogFlags */ +#define NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED ( 0x0001 ) +#define NETR_CHANGELOG_CHANGED_PASSWORD ( 0x0002 ) +#define NETR_CHANGELOG_SID_INCLUDED ( 0x0004 ) +#define NETR_CHANGELOG_NAME_INCLUDED ( 0x0008 ) +#define NETR_CHANGELOG_FIRST_PROMOTION_OBJ ( 0x0010 ) + +union netr_ChangeLogObject { + struct dom_sid object_sid;/* [case(NETR_CHANGELOG_SID_INCLUDED)] */ + const char * object_name;/* [flag(LIBNDR_FLAG_STR_NULLTERM),case(NETR_CHANGELOG_NAME_INCLUDED)] */ +}/* [nodiscriminant] */; + +struct netr_ChangeLogEntry { + uint32_t serial_number1; + uint32_t serial_number2; + uint32_t object_rid; + uint16_t flags; + enum netr_SamDatabaseID8Bit db_index; + enum netr_DeltaEnum8Bit delta_type; + union netr_ChangeLogObject object;/* [switch_is(flags&(NETR_CHANGELOG_SID_INCLUDED|NETR_CHANGELOG_NAME_INCLUDED))] */ +}/* [gensize,public] */; + struct netr_Blob { uint32_t length; uint8_t *data;/* [unique,size_is(length)] */ @@ -1252,8 +1280,8 @@ struct netr_DatabaseRedo { const char *logon_server;/* [charset(UTF16)] */ const char *computername;/* [charset(UTF16)] */ struct netr_Authenticator *credential;/* [ref] */ - uint8_t *change_log_entry;/* [ref,size_is(change_log_entry_size)] */ - uint32_t change_log_entry_size; + struct netr_ChangeLogEntry change_log_entry;/* [subcontext_size(change_log_entry_size),subcontext(4)] */ + uint32_t change_log_entry_size;/* [value(ndr_size_netr_ChangeLogEntry(&change_log_entry,ndr->flags))] */ struct netr_Authenticator *return_authenticator;/* [ref] */ } in; diff --git a/source3/librpc/gen_ndr/ntsvcs.h b/source3/librpc/gen_ndr/ntsvcs.h index b56b552ae2..5021aa2252 100644 --- a/source3/librpc/gen_ndr/ntsvcs.h +++ b/source3/librpc/gen_ndr/ntsvcs.h @@ -2,14 +2,15 @@ #include <stdint.h> +#include "librpc/gen_ndr/winreg.h" #ifndef _HEADER_ntsvcs #define _HEADER_ntsvcs #define DEV_REGPROP_DESC ( 1 ) struct PNP_HwProfInfo { - uint32_t unknown1; - uint16_t unknown2[160]; - uint32_t unknown3; + uint32_t profile_handle; + uint16_t friendly_name[80]; + uint32_t flags; }; @@ -142,14 +143,14 @@ struct PNP_GetDeviceRegProp { const char *devicepath;/* [ref,charset(UTF16)] */ uint32_t property; uint32_t flags; - uint32_t *reg_data_type;/* [ref] */ + enum winreg_Type *reg_data_type;/* [ref] */ uint32_t *buffer_size;/* [ref] */ uint32_t *needed;/* [ref] */ } in; struct { uint8_t *buffer;/* [ref,length_is(*buffer_size),size_is(*buffer_size)] */ - uint32_t *reg_data_type;/* [ref] */ + enum winreg_Type *reg_data_type;/* [ref] */ uint32_t *buffer_size;/* [ref] */ uint32_t *needed;/* [ref] */ WERROR result; @@ -368,20 +369,20 @@ struct PNP_RequestEjectPC { struct PNP_HwProfFlags { struct { - uint32_t unknown1; + uint32_t action; const char *devicepath;/* [ref,charset(UTF16)] */ - uint32_t unknown2; + uint32_t config; const char *unknown5;/* [unique,charset(UTF16)] */ - uint32_t unknown6; - uint32_t unknown7; - uint32_t *unknown3;/* [ref] */ - uint16_t *unknown4;/* [unique] */ + uint32_t name_length; + uint32_t flags; + uint32_t *profile_flags;/* [ref] */ + uint16_t *veto_type;/* [unique] */ } in; struct { const char **unknown5a;/* [unique,charset(UTF16)] */ - uint32_t *unknown3;/* [ref] */ - uint16_t *unknown4;/* [unique] */ + uint32_t *profile_flags;/* [ref] */ + uint16_t *veto_type;/* [unique] */ WERROR result; } out; @@ -391,8 +392,8 @@ struct PNP_HwProfFlags { struct PNP_GetHwProfInfo { struct { uint32_t idx; - uint32_t unknown1; - uint32_t unknown2; + uint32_t size; + uint32_t flags; struct PNP_HwProfInfo *info;/* [ref] */ } in; diff --git a/source3/librpc/gen_ndr/samr.h b/source3/librpc/gen_ndr/samr.h index 8c8f3f70f9..537f144940 100644 --- a/source3/librpc/gen_ndr/samr.h +++ b/source3/librpc/gen_ndr/samr.h @@ -33,11 +33,41 @@ #define GENERIC_RIGHTS_ALIAS_READ ( (STANDARD_RIGHTS_READ_ACCESS|SAMR_ALIAS_ACCESS_GET_MEMBERS) ) #define GENERIC_RIGHTS_ALIAS_WRITE ( (STANDARD_RIGHTS_WRITE_ACCESS|SAMR_ALIAS_ACCESS_REMOVE_MEMBER|SAMR_ALIAS_ACCESS_ADD_MEMBER|SAMR_ALIAS_ACCESS_SET_INFO) ) #define GENERIC_RIGHTS_ALIAS_EXECUTE ( (STANDARD_RIGHTS_EXECUTE_ACCESS|SAMR_ALIAS_ACCESS_LOOKUP_INFO) ) -#define MAX_SAM_ENTRIES_W2K ( 0x400 ) -#define MAX_SAM_ENTRIES_W95 ( 50 ) #define SAMR_ENUM_USERS_MULTIPLIER ( 54 ) #define PASS_MUST_CHANGE_AT_NEXT_LOGON ( 0x01 ) #define PASS_DONT_CHANGE_AT_NEXT_LOGON ( 0x00 ) +enum netr_SamDatabaseID +#ifndef USE_UINT_ENUMS + { + SAM_DATABASE_DOMAIN=0, + SAM_DATABASE_BUILTIN=1, + SAM_DATABASE_PRIVS=2 +} +#else + { __donnot_use_enum_netr_SamDatabaseID=0x7FFFFFFF} +#define SAM_DATABASE_DOMAIN ( 0 ) +#define SAM_DATABASE_BUILTIN ( 1 ) +#define SAM_DATABASE_PRIVS ( 2 ) +#endif +; + +enum samr_RejectReason +#ifndef USE_UINT_ENUMS + { + SAMR_REJECT_OTHER=0, + SAMR_REJECT_TOO_SHORT=1, + SAMR_REJECT_IN_HISTORY=2, + SAMR_REJECT_COMPLEXITY=5 +} +#else + { __donnot_use_enum_samr_RejectReason=0x7FFFFFFF} +#define SAMR_REJECT_OTHER ( 0 ) +#define SAMR_REJECT_TOO_SHORT ( 1 ) +#define SAMR_REJECT_IN_HISTORY ( 2 ) +#define SAMR_REJECT_COMPLEXITY ( 5 ) +#endif +; + /* bitmap samr_AcctFlags */ #define ACB_DISABLED ( 0x00000001 ) #define ACB_HOMDIRREQ ( 0x00000002 ) @@ -142,6 +172,19 @@ enum samr_Role #define DOMAIN_PASSWORD_STORE_CLEARTEXT ( 0x00000010 ) #define DOMAIN_REFUSE_PASSWORD_CHANGE ( 0x00000020 ) +enum samr_DomainServerState +#ifndef USE_UINT_ENUMS + { + DOMAIN_SERVER_ENABLED=1, + DOMAIN_SERVER_DISABLED=2 +} +#else + { __donnot_use_enum_samr_DomainServerState=0x7FFFFFFF} +#define DOMAIN_SERVER_ENABLED ( 1 ) +#define DOMAIN_SERVER_DISABLED ( 2 ) +#endif +; + struct samr_DomInfo1 { uint16_t min_password_length; uint16_t password_history_length; @@ -156,7 +199,7 @@ struct samr_DomGeneralInformation { struct lsa_String domain_name; struct lsa_String primary; uint64_t sequence_num; - uint32_t unknown2; + enum samr_DomainServerState domain_server_state; enum samr_Role role; uint32_t unknown3; uint32_t num_users; @@ -190,7 +233,7 @@ struct samr_DomInfo8 { }; struct samr_DomInfo9 { - uint32_t unknown; + enum samr_DomainServerState domain_server_state; }; struct samr_DomGeneralInformation2 { @@ -524,7 +567,7 @@ struct samr_UserInfo23 { struct samr_UserInfo24 { struct samr_CryptPassword password; - uint8_t pw_len; + uint8_t password_expired; }; struct samr_CryptPasswordEx { @@ -538,7 +581,7 @@ struct samr_UserInfo25 { struct samr_UserInfo26 { struct samr_CryptPasswordEx password; - uint8_t pw_len; + uint8_t password_expired; }; union samr_UserInfo { @@ -1747,7 +1790,7 @@ struct samr_RidToSid { } in; struct { - struct dom_sid2 *sid;/* [ref] */ + struct dom_sid2 **sid;/* [ref] */ NTSTATUS result; } out; diff --git a/source3/librpc/gen_ndr/security.h b/source3/librpc/gen_ndr/security.h index bb06dc2584..fe23347fdf 100644 --- a/source3/librpc/gen_ndr/security.h +++ b/source3/librpc/gen_ndr/security.h @@ -3,9 +3,7 @@ #include <stdint.h> #include "librpc/gen_ndr/misc.h" -#define dom_sid2 dom_sid -#define dom_sid28 dom_sid -#define dom_sid0 dom_sid +#include "librpc/gen_ndr/dom_sid.h" #ifndef _HEADER_security #define _HEADER_security @@ -245,7 +243,7 @@ struct security_ace_object { union security_ace_object_ctr { struct security_ace_object object;/* [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] */ -}/* [nodiscriminant] */; +}/* [public,nodiscriminant] */; struct security_ace { enum security_ace_type type; @@ -254,7 +252,7 @@ struct security_ace { uint32_t access_mask; union security_ace_object_ctr object;/* [switch_is(type)] */ struct dom_sid trustee; -}/* [gensize,public,nosize] */; +}/* [gensize,public,nopull,nosize] */; enum security_acl_revision #ifndef USE_UINT_ENUMS diff --git a/source3/librpc/gen_ndr/srv_lsa.c b/source3/librpc/gen_ndr/srv_lsa.c index b0893623a8..c30f276800 100644 --- a/source3/librpc/gen_ndr/srv_lsa.c +++ b/source3/librpc/gen_ndr/srv_lsa.c @@ -1128,14 +1128,14 @@ static bool api_lsa_LookupNames(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.sids = r->in.sids; + r->out.count = r->in.count; r->out.domains = talloc_zero(r, struct lsa_RefDomainList *); if (r->out.domains == NULL) { talloc_free(r); return false; } - r->out.sids = r->in.sids; - r->out.count = r->in.count; r->out.result = _lsa_LookupNames(p, r); if (p->rng_fault_state) { @@ -1210,14 +1210,14 @@ static bool api_lsa_LookupSids(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.names = r->in.names; + r->out.count = r->in.count; r->out.domains = talloc_zero(r, struct lsa_RefDomainList *); if (r->out.domains == NULL) { talloc_free(r); return false; } - r->out.names = r->in.names; - r->out.count = r->in.count; r->out.result = _lsa_LookupSids(p, r); if (p->rng_fault_state) { @@ -4444,14 +4444,14 @@ static bool api_lsa_LookupSids2(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.names = r->in.names; + r->out.count = r->in.count; r->out.domains = talloc_zero(r, struct lsa_RefDomainList *); if (r->out.domains == NULL) { talloc_free(r); return false; } - r->out.names = r->in.names; - r->out.count = r->in.count; r->out.result = _lsa_LookupSids2(p, r); if (p->rng_fault_state) { @@ -4526,14 +4526,14 @@ static bool api_lsa_LookupNames2(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.sids = r->in.sids; + r->out.count = r->in.count; r->out.domains = talloc_zero(r, struct lsa_RefDomainList *); if (r->out.domains == NULL) { talloc_free(r); return false; } - r->out.sids = r->in.sids; - r->out.count = r->in.count; r->out.result = _lsa_LookupNames2(p, r); if (p->rng_fault_state) { @@ -5272,14 +5272,14 @@ static bool api_lsa_LookupNames3(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.sids = r->in.sids; + r->out.count = r->in.count; r->out.domains = talloc_zero(r, struct lsa_RefDomainList *); if (r->out.domains == NULL) { talloc_free(r); return false; } - r->out.sids = r->in.sids; - r->out.count = r->in.count; r->out.result = _lsa_LookupNames3(p, r); if (p->rng_fault_state) { @@ -5872,14 +5872,14 @@ static bool api_lsa_LookupSids3(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.names = r->in.names; + r->out.count = r->in.count; r->out.domains = talloc_zero(r, struct lsa_RefDomainList *); if (r->out.domains == NULL) { talloc_free(r); return false; } - r->out.names = r->in.names; - r->out.count = r->in.count; r->out.result = _lsa_LookupSids3(p, r); if (p->rng_fault_state) { @@ -5954,14 +5954,14 @@ static bool api_lsa_LookupNames4(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.sids = r->in.sids; + r->out.count = r->in.count; r->out.domains = talloc_zero(r, struct lsa_RefDomainList *); if (r->out.domains == NULL) { talloc_free(r); return false; } - r->out.sids = r->in.sids; - r->out.count = r->in.count; r->out.result = _lsa_LookupNames4(p, r); if (p->rng_fault_state) { diff --git a/source3/librpc/gen_ndr/srv_netlogon.c b/source3/librpc/gen_ndr/srv_netlogon.c index 9546b2551b..2cb2978af2 100644 --- a/source3/librpc/gen_ndr/srv_netlogon.c +++ b/source3/librpc/gen_ndr/srv_netlogon.c @@ -871,6 +871,7 @@ static bool api_netr_AccountSync(pipes_struct *p) ZERO_STRUCT(r->out); r->out.return_authenticator = r->in.return_authenticator; + r->out.recordid = r->in.recordid; r->out.buffer = talloc_zero(r, struct netr_AccountBuffer); if (r->out.buffer == NULL) { talloc_free(r); @@ -895,7 +896,6 @@ static bool api_netr_AccountSync(pipes_struct *p) return false; } - r->out.recordid = r->in.recordid; r->out.result = _netr_AccountSync(p, r); if (p->rng_fault_state) { @@ -1290,13 +1290,13 @@ static bool api_netr_ServerAuthenticate2(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.negotiate_flags = r->in.negotiate_flags; r->out.return_credentials = talloc_zero(r, struct netr_Credential); if (r->out.return_credentials == NULL) { talloc_free(r); return false; } - r->out.negotiate_flags = r->in.negotiate_flags; r->out.result = _netr_ServerAuthenticate2(p, r); if (p->rng_fault_state) { @@ -2146,13 +2146,13 @@ static bool api_netr_ServerAuthenticate3(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.negotiate_flags = r->in.negotiate_flags; r->out.return_credentials = talloc_zero(r, struct netr_Credential); if (r->out.return_credentials == NULL) { talloc_free(r); return false; } - r->out.negotiate_flags = r->in.negotiate_flags; r->out.rid = talloc_zero(r, uint32_t); if (r->out.rid == NULL) { talloc_free(r); @@ -3186,6 +3186,7 @@ static bool api_netr_LogonSamLogonEx(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.flags = r->in.flags; r->out.validation = talloc_zero(r, union netr_Validation); if (r->out.validation == NULL) { talloc_free(r); @@ -3198,7 +3199,6 @@ static bool api_netr_LogonSamLogonEx(pipes_struct *p) return false; } - r->out.flags = r->in.flags; r->out.result = _netr_LogonSamLogonEx(p, r); if (p->rng_fault_state) { @@ -3685,6 +3685,7 @@ static bool api_netr_LogonSamLogonWithFlags(pipes_struct *p) ZERO_STRUCT(r->out); r->out.return_authenticator = r->in.return_authenticator; + r->out.flags = r->in.flags; r->out.validation = talloc_zero(r, union netr_Validation); if (r->out.validation == NULL) { talloc_free(r); @@ -3697,7 +3698,6 @@ static bool api_netr_LogonSamLogonWithFlags(pipes_struct *p) return false; } - r->out.flags = r->in.flags; r->out.result = _netr_LogonSamLogonWithFlags(p, r); if (p->rng_fault_state) { diff --git a/source3/librpc/gen_ndr/srv_ntsvcs.c b/source3/librpc/gen_ndr/srv_ntsvcs.c index 87f5d51695..288f3ed5d7 100644 --- a/source3/librpc/gen_ndr/srv_ntsvcs.c +++ b/source3/librpc/gen_ndr/srv_ntsvcs.c @@ -782,13 +782,13 @@ static bool api_PNP_GetDeviceList(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.length = r->in.length; r->out.buffer = talloc_zero_array(r, uint16_t, *r->out.length); if (r->out.buffer == NULL) { talloc_free(r); return false; } - r->out.length = r->in.length; r->out.result = _PNP_GetDeviceList(p, r); if (p->rng_fault_state) { @@ -1017,14 +1017,14 @@ static bool api_PNP_GetDeviceRegProp(pipes_struct *p) ZERO_STRUCT(r->out); r->out.reg_data_type = r->in.reg_data_type; + r->out.buffer_size = r->in.buffer_size; + r->out.needed = r->in.needed; r->out.buffer = talloc_zero_array(r, uint8_t, *r->out.buffer_size); if (r->out.buffer == NULL) { talloc_free(r); return false; } - r->out.buffer_size = r->in.buffer_size; - r->out.needed = r->in.needed; r->out.result = _PNP_GetDeviceRegProp(p, r); if (p->rng_fault_state) { @@ -2997,8 +2997,8 @@ static bool api_PNP_HwProfFlags(pipes_struct *p) } ZERO_STRUCT(r->out); - r->out.unknown3 = r->in.unknown3; - r->out.unknown4 = r->in.unknown4; + r->out.profile_flags = r->in.profile_flags; + r->out.veto_type = r->in.veto_type; r->out.unknown5a = talloc_zero(r, const char *); if (r->out.unknown5a == NULL) { talloc_free(r); diff --git a/source3/librpc/gen_ndr/srv_samr.c b/source3/librpc/gen_ndr/srv_samr.c index 3e3a1cc6c1..f4facd2914 100644 --- a/source3/librpc/gen_ndr/srv_samr.c +++ b/source3/librpc/gen_ndr/srv_samr.c @@ -5202,7 +5202,7 @@ static bool api_samr_RidToSid(pipes_struct *p) } ZERO_STRUCT(r->out); - r->out.sid = talloc_zero(r, struct dom_sid2); + r->out.sid = talloc_zero(r, struct dom_sid2 *); if (r->out.sid == NULL) { talloc_free(r); return false; diff --git a/source3/librpc/gen_ndr/srv_srvsvc.c b/source3/librpc/gen_ndr/srv_srvsvc.c index f995930b89..59f51ba774 100644 --- a/source3/librpc/gen_ndr/srv_srvsvc.c +++ b/source3/librpc/gen_ndr/srv_srvsvc.c @@ -46,13 +46,13 @@ static bool api_srvsvc_NetCharDevEnum(pipes_struct *p) ZERO_STRUCT(r->out); r->out.info_ctr = r->in.info_ctr; + r->out.resume_handle = r->in.resume_handle; r->out.totalentries = talloc_zero(r, uint32_t); if (r->out.totalentries == NULL) { talloc_free(r); return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _srvsvc_NetCharDevEnum(p, r); if (p->rng_fault_state) { @@ -281,13 +281,13 @@ static bool api_srvsvc_NetCharDevQEnum(pipes_struct *p) ZERO_STRUCT(r->out); r->out.info_ctr = r->in.info_ctr; + r->out.resume_handle = r->in.resume_handle; r->out.totalentries = talloc_zero(r, uint32_t); if (r->out.totalentries == NULL) { talloc_free(r); return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _srvsvc_NetCharDevQEnum(p, r); if (p->rng_fault_state) { @@ -664,13 +664,13 @@ static bool api_srvsvc_NetConnEnum(pipes_struct *p) ZERO_STRUCT(r->out); r->out.info_ctr = r->in.info_ctr; + r->out.resume_handle = r->in.resume_handle; r->out.totalentries = talloc_zero(r, uint32_t); if (r->out.totalentries == NULL) { talloc_free(r); return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _srvsvc_NetConnEnum(p, r); if (p->rng_fault_state) { @@ -746,13 +746,13 @@ static bool api_srvsvc_NetFileEnum(pipes_struct *p) ZERO_STRUCT(r->out); r->out.info_ctr = r->in.info_ctr; + r->out.resume_handle = r->in.resume_handle; r->out.totalentries = talloc_zero(r, uint32_t); if (r->out.totalentries == NULL) { talloc_free(r); return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _srvsvc_NetFileEnum(p, r); if (p->rng_fault_state) { @@ -981,13 +981,13 @@ static bool api_srvsvc_NetSessEnum(pipes_struct *p) ZERO_STRUCT(r->out); r->out.info_ctr = r->in.info_ctr; + r->out.resume_handle = r->in.resume_handle; r->out.totalentries = talloc_zero(r, uint32_t); if (r->out.totalentries == NULL) { talloc_free(r); return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _srvsvc_NetSessEnum(p, r); if (p->rng_fault_state) { @@ -1211,13 +1211,13 @@ static bool api_srvsvc_NetShareEnumAll(pipes_struct *p) ZERO_STRUCT(r->out); r->out.info_ctr = r->in.info_ctr; + r->out.resume_handle = r->in.resume_handle; r->out.totalentries = talloc_zero(r, uint32_t); if (r->out.totalentries == NULL) { talloc_free(r); return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _srvsvc_NetShareEnumAll(p, r); if (p->rng_fault_state) { @@ -1829,13 +1829,13 @@ static bool api_srvsvc_NetDiskEnum(pipes_struct *p) ZERO_STRUCT(r->out); r->out.info = r->in.info; + r->out.resume_handle = r->in.resume_handle; r->out.totalentries = talloc_zero(r, uint32_t); if (r->out.totalentries == NULL) { talloc_free(r); return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _srvsvc_NetDiskEnum(p, r); if (p->rng_fault_state) { @@ -2064,13 +2064,13 @@ static bool api_srvsvc_NetTransportEnum(pipes_struct *p) ZERO_STRUCT(r->out); r->out.transports = r->in.transports; + r->out.resume_handle = r->in.resume_handle; r->out.totalentries = talloc_zero(r, uint32_t); if (r->out.totalentries == NULL) { talloc_free(r); return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _srvsvc_NetTransportEnum(p, r); if (p->rng_fault_state) { @@ -2451,13 +2451,13 @@ static bool api_srvsvc_NetPathCanonicalize(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.pathtype = r->in.pathtype; r->out.can_path = talloc_zero_array(r, uint8_t, r->in.maxbuf); if (r->out.can_path == NULL) { talloc_free(r); return false; } - r->out.pathtype = r->in.pathtype; r->out.result = _srvsvc_NetPathCanonicalize(p, r); if (p->rng_fault_state) { @@ -2825,13 +2825,13 @@ static bool api_srvsvc_NetShareEnum(pipes_struct *p) ZERO_STRUCT(r->out); r->out.info_ctr = r->in.info_ctr; + r->out.resume_handle = r->in.resume_handle; r->out.totalentries = talloc_zero(r, uint32_t); if (r->out.totalentries == NULL) { talloc_free(r); return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _srvsvc_NetShareEnum(p, r); if (p->rng_fault_state) { diff --git a/source3/librpc/gen_ndr/srv_svcctl.c b/source3/librpc/gen_ndr/srv_svcctl.c index 2349b4fd93..5b30bf00f7 100644 --- a/source3/librpc/gen_ndr/srv_svcctl.c +++ b/source3/librpc/gen_ndr/srv_svcctl.c @@ -1139,6 +1139,7 @@ static bool api_svcctl_EnumServicesStatusW(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.resume_handle = r->in.resume_handle; r->out.service = talloc_zero_array(r, uint8_t, r->in.buf_size); if (r->out.service == NULL) { talloc_free(r); @@ -1157,7 +1158,6 @@ static bool api_svcctl_EnumServicesStatusW(pipes_struct *p) return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _svcctl_EnumServicesStatusW(p, r); if (p->rng_fault_state) { @@ -1637,13 +1637,13 @@ static bool api_svcctl_GetServiceDisplayNameW(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.display_name_length = r->in.display_name_length; r->out.display_name = talloc_zero(r, const char *); if (r->out.display_name == NULL) { talloc_free(r); return false; } - r->out.display_name_length = r->in.display_name_length; r->out.result = _svcctl_GetServiceDisplayNameW(p, r); if (p->rng_fault_state) { @@ -1718,13 +1718,13 @@ static bool api_svcctl_GetServiceKeyNameW(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.display_name_length = r->in.display_name_length; r->out.key_name = talloc_zero(r, const char *); if (r->out.key_name == NULL) { talloc_free(r); return false; } - r->out.display_name_length = r->in.display_name_length; r->out.result = _svcctl_GetServiceKeyNameW(p, r); if (p->rng_fault_state) { @@ -2124,6 +2124,7 @@ static bool api_svcctl_EnumServicesStatusA(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.resume_handle = r->in.resume_handle; r->out.service = talloc_zero_array(r, uint8_t, r->in.buf_size); if (r->out.service == NULL) { talloc_free(r); @@ -2142,7 +2143,6 @@ static bool api_svcctl_EnumServicesStatusA(pipes_struct *p) return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _svcctl_EnumServicesStatusA(p, r); if (p->rng_fault_state) { @@ -2615,13 +2615,13 @@ static bool api_svcctl_GetServiceDisplayNameA(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.display_name_length = r->in.display_name_length; r->out.display_name = talloc_zero(r, const char *); if (r->out.display_name == NULL) { talloc_free(r); return false; } - r->out.display_name_length = r->in.display_name_length; r->out.result = _svcctl_GetServiceDisplayNameA(p, r); if (p->rng_fault_state) { @@ -2696,13 +2696,13 @@ static bool api_svcctl_GetServiceKeyNameA(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.display_name_length = r->in.display_name_length; r->out.key_name = talloc_zero(r, const char *); if (r->out.key_name == NULL) { talloc_free(r); return false; } - r->out.display_name_length = r->in.display_name_length; r->out.result = _svcctl_GetServiceKeyNameA(p, r); if (p->rng_fault_state) { @@ -3327,6 +3327,7 @@ static bool api_EnumServicesStatusExA(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.resume_handle = r->in.resume_handle; r->out.services = talloc_zero_array(r, uint8_t, r->in.buf_size); if (r->out.services == NULL) { talloc_free(r); @@ -3345,7 +3346,6 @@ static bool api_EnumServicesStatusExA(pipes_struct *p) return false; } - r->out.resume_handle = r->in.resume_handle; r->out.group_name = talloc_zero(r, const char *); if (r->out.group_name == NULL) { talloc_free(r); @@ -3426,6 +3426,7 @@ static bool api_EnumServicesStatusExW(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.resume_handle = r->in.resume_handle; r->out.services = talloc_zero_array(r, uint8_t, r->in.buf_size); if (r->out.services == NULL) { talloc_free(r); @@ -3444,13 +3445,6 @@ static bool api_EnumServicesStatusExW(pipes_struct *p) return false; } - r->out.resume_handle = r->in.resume_handle; - r->out.group_name = talloc_zero(r, const char *); - if (r->out.group_name == NULL) { - talloc_free(r); - return false; - } - r->out.result = _EnumServicesStatusExW(p, r); if (p->rng_fault_state) { diff --git a/source3/librpc/gen_ndr/srv_winreg.c b/source3/librpc/gen_ndr/srv_winreg.c index 77b0a1c5d2..ac70b41219 100644 --- a/source3/librpc/gen_ndr/srv_winreg.c +++ b/source3/librpc/gen_ndr/srv_winreg.c @@ -520,13 +520,13 @@ static bool api_winreg_CreateKey(pipes_struct *p) } ZERO_STRUCT(r->out); + r->out.action_taken = r->in.action_taken; r->out.new_handle = talloc_zero(r, struct policy_handle); if (r->out.new_handle == NULL) { talloc_free(r); return false; } - r->out.action_taken = r->in.action_taken; r->out.result = _winreg_CreateKey(p, r); if (p->rng_fault_state) { diff --git a/source3/librpc/gen_ndr/srv_wkssvc.c b/source3/librpc/gen_ndr/srv_wkssvc.c index 9c07fa86ea..61a5be081f 100644 --- a/source3/librpc/gen_ndr/srv_wkssvc.c +++ b/source3/librpc/gen_ndr/srv_wkssvc.c @@ -201,13 +201,13 @@ static bool api_wkssvc_NetWkstaEnumUsers(pipes_struct *p) ZERO_STRUCT(r->out); r->out.info = r->in.info; + r->out.resume_handle = r->in.resume_handle; r->out.entries_read = talloc_zero(r, uint32_t); if (r->out.entries_read == NULL) { talloc_free(r); return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _wkssvc_NetWkstaEnumUsers(p, r); if (p->rng_fault_state) { @@ -438,13 +438,13 @@ static bool api_wkssvc_NetWkstaTransportEnum(pipes_struct *p) ZERO_STRUCT(r->out); r->out.info = r->in.info; + r->out.resume_handle = r->in.resume_handle; r->out.total_entries = talloc_zero(r, uint32_t); if (r->out.total_entries == NULL) { talloc_free(r); return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _wkssvc_NetWkstaTransportEnum(p, r); if (p->rng_fault_state) { @@ -896,13 +896,13 @@ static bool api_wkssvc_NetrUseEnum(pipes_struct *p) ZERO_STRUCT(r->out); r->out.info = r->in.info; + r->out.resume_handle = r->in.resume_handle; r->out.entries_read = talloc_zero(r, uint32_t); if (r->out.entries_read == NULL) { talloc_free(r); return false; } - r->out.resume_handle = r->in.resume_handle; r->out.result = _wkssvc_NetrUseEnum(p, r); if (p->rng_fault_state) { diff --git a/source3/librpc/gen_ndr/svcctl.h b/source3/librpc/gen_ndr/svcctl.h index b098eb1c42..9baa122e56 100644 --- a/source3/librpc/gen_ndr/svcctl.h +++ b/source3/librpc/gen_ndr/svcctl.h @@ -81,11 +81,19 @@ struct ENUM_SERVICE_STATUS { enum SERVICE_CONTROL #ifndef USE_UINT_ENUMS { - FIXME=1 + SVCCTL_CONTROL_STOP=0x00000001, + SVCCTL_CONTROL_PAUSE=0x00000002, + SVCCTL_CONTROL_CONTINUE=0x00000003, + SVCCTL_CONTROL_INTERROGATE=0x00000004, + SVCCTL_CONTROL_SHUTDOWN=0x00000005 } #else { __donnot_use_enum_SERVICE_CONTROL=0x7FFFFFFF} -#define FIXME ( 1 ) +#define SVCCTL_CONTROL_STOP ( 0x00000001 ) +#define SVCCTL_CONTROL_PAUSE ( 0x00000002 ) +#define SVCCTL_CONTROL_CONTINUE ( 0x00000003 ) +#define SVCCTL_CONTROL_INTERROGATE ( 0x00000004 ) +#define SVCCTL_CONTROL_SHUTDOWN ( 0x00000005 ) #endif ; @@ -137,7 +145,7 @@ struct svcctl_CloseServiceHandle { struct svcctl_ControlService { struct { struct policy_handle *handle;/* [ref] */ - uint32_t control; + enum SERVICE_CONTROL control; } in; struct { @@ -333,14 +341,14 @@ struct svcctl_EnumServicesStatusW { struct policy_handle *handle;/* [ref] */ uint32_t type; uint32_t state; - uint32_t buf_size; + uint32_t buf_size;/* [range(0,262144)] */ uint32_t *resume_handle;/* [unique] */ } in; struct { - uint8_t *service;/* [size_is(buf_size)] */ - uint32_t *bytes_needed;/* [ref] */ - uint32_t *services_returned;/* [ref] */ + uint8_t *service;/* [ref,size_is(buf_size)] */ + uint32_t *bytes_needed;/* [ref,range(0,262144)] */ + uint32_t *services_returned;/* [ref,range(0,262144)] */ uint32_t *resume_handle;/* [unique] */ WERROR result; } out; @@ -721,12 +729,12 @@ struct svcctl_QueryServiceConfig2W { struct { struct policy_handle *handle;/* [ref] */ uint32_t info_level; - uint32_t buf_size; + uint32_t buf_size;/* [range(0,8192)] */ } in; struct { - uint8_t *buffer; - uint32_t *bytes_needed;/* [ref] */ + uint8_t *buffer;/* [ref,size_is(buf_size)] */ + uint32_t *bytes_needed;/* [ref,range(0,8192)] */ WERROR result; } out; @@ -737,12 +745,12 @@ struct svcctl_QueryServiceStatusEx { struct { struct policy_handle *handle;/* [ref] */ uint32_t info_level; - uint32_t buf_size; + uint32_t buf_size;/* [range(0,8192)] */ } in; struct { - uint8_t *buffer; - uint32_t *bytes_needed;/* [ref] */ + uint8_t *buffer;/* [ref,size_is(buf_size)] */ + uint32_t *bytes_needed;/* [ref,range(0,8192)] */ WERROR result; } out; @@ -777,16 +785,16 @@ struct EnumServicesStatusExW { uint32_t info_level; uint32_t type; uint32_t state; - uint32_t buf_size; - uint32_t *resume_handle;/* [unique] */ + uint32_t buf_size;/* [range(0,262144)] */ + const char *group_name;/* [unique,charset(UTF16)] */ + uint32_t *resume_handle;/* [unique,range(0,262144)] */ } in; struct { - uint8_t *services; - uint32_t *bytes_needed;/* [ref] */ - uint32_t *service_returned;/* [ref] */ - const char **group_name;/* [ref,charset(UTF16)] */ - uint32_t *resume_handle;/* [unique] */ + uint8_t *services;/* [ref,size_is(buf_size)] */ + uint32_t *bytes_needed;/* [ref,range(0,262144)] */ + uint32_t *service_returned;/* [ref,range(0,262144)] */ + uint32_t *resume_handle;/* [unique,range(0,262144)] */ WERROR result; } out; diff --git a/source3/librpc/gen_ndr/xattr.h b/source3/librpc/gen_ndr/xattr.h index 1d8da3f5e2..1148a0acec 100644 --- a/source3/librpc/gen_ndr/xattr.h +++ b/source3/librpc/gen_ndr/xattr.h @@ -73,14 +73,14 @@ struct xattr_DosStreams { struct xattr_DosStream *streams;/* [unique,size_is(num_streams)] */ }/* [public] */; -struct security_descriptor_timestamp { +struct security_descriptor_hash { struct security_descriptor *sd;/* [unique] */ - NTTIME last_changed; + uint8_t hash[16]; }/* [public] */; union xattr_NTACL_Info { struct security_descriptor *sd;/* [unique,case] */ - struct security_descriptor_timestamp *sd_ts;/* [unique,case(2)] */ + struct security_descriptor_hash *sd_hs;/* [unique,case(2)] */ }/* [switch_type(uint16)] */; struct xattr_NTACL { diff --git a/source3/librpc/idl/dom_sid.idl b/source3/librpc/idl/dom_sid.idl new file mode 100644 index 0000000000..c405c18726 --- /dev/null +++ b/source3/librpc/idl/dom_sid.idl @@ -0,0 +1,29 @@ +/* + use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really + just a dom sid, but with the sub_auths represented as a conformant + array. As with all in-structure conformant arrays, the array length + is placed before the start of the structure. That's what gives rise + to the extra num_auths elemenent. We don't want the Samba code to + have to bother with such esoteric NDR details, so its easier to just + define it as a dom_sid and use pidl magic to make it all work. It + just means you need to mark a sid as a "dom_sid2" in the IDL when you + know it is of the conformant array variety +*/ +cpp_quote("#define dom_sid2 dom_sid") + +/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */ +cpp_quote("#define dom_sid28 dom_sid") + +/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */ +cpp_quote("#define dom_sid0 dom_sid") + +[ + pointer_default(unique) +] +interface dom_sid +{ + struct _dummy_domsid { + uint8 dummy; + }; +} + diff --git a/source3/librpc/ndr/ndr_sec.h b/source3/librpc/ndr/ndr_sec.h deleted file mode 100644 index 8034367223..0000000000 --- a/source3/librpc/ndr/ndr_sec.h +++ /dev/null @@ -1,35 +0,0 @@ -#ifndef __LIBRPC_NDR_NDR_SEC_H__ -#define __LIBRPC_NDR_NDR_SEC_H__ - -#undef _PRINTF_ATTRIBUTE -#define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2) -/* This file was automatically generated by mkproto.pl. DO NOT EDIT */ - -#ifndef _PUBLIC_ -#define _PUBLIC_ -#endif - - -/* The following definitions come from librpc/ndr/ndr_sec_helper.c */ - -size_t ndr_size_dom_sid(const struct dom_sid *sid); -size_t ndr_length_dom_sid(const struct dom_sid *sid); -size_t ndr_size_security_ace(const struct security_ace *ace); -size_t ndr_size_security_acl(const struct security_acl *acl); -size_t ndr_size_security_descriptor(const struct security_descriptor *sd); -void ndr_print_dom_sid(struct ndr_print *ndr, const char *name, const struct dom_sid *sid); -void ndr_print_dom_sid2(struct ndr_print *ndr, const char *name, const struct dom_sid *sid); -void ndr_print_dom_sid28(struct ndr_print *ndr, const char *name, const struct dom_sid *sid); -char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); - -/* The following definitions come from librpc/ndr/ndr_sec.c */ - -enum ndr_err_code ndr_pull_dom_sid2(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *sid); -enum ndr_err_code ndr_push_dom_sid2(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *sid); -enum ndr_err_code ndr_pull_dom_sid28(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *sid); -enum ndr_err_code ndr_push_dom_sid28(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *sid); -#undef _PRINTF_ATTRIBUTE -#define _PRINTF_ATTRIBUTE(a1, a2) - -#endif /* __LIBRPC_NDR_NDR_SEC_H__ */ - diff --git a/source3/librpc/ndr/ndr_sec_helper.c b/source3/librpc/ndr/ndr_sec_helper.c deleted file mode 100644 index 18d343799e..0000000000 --- a/source3/librpc/ndr/ndr_sec_helper.c +++ /dev/null @@ -1,117 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - fast routines for getting the wire size of security objects - - Copyright (C) Andrew Tridgell 2003 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - - -#include "includes.h" - -/* - return the wire size of a dom_sid -*/ -size_t ndr_size_dom_sid(const struct dom_sid *sid, int flags) -{ - if (!sid) return 0; - return 8 + 4*sid->num_auths; -} - -size_t ndr_size_dom_sid28(const struct dom_sid *sid, int flags) -{ - struct dom_sid zero_sid; - - if (!sid) return 0; - - ZERO_STRUCT(zero_sid); - - if (memcmp(&zero_sid, sid, sizeof(zero_sid)) == 0) { - return 0; - } - - return 8 + 4*sid->num_auths; -} - -size_t ndr_size_dom_sid0(const struct dom_sid *sid, int flags) -{ - return ndr_size_dom_sid28(sid, flags); -} - -/* - return the wire size of a security_ace -*/ -size_t ndr_size_security_ace(const struct security_ace *ace, int flags) -{ - if (!ace) return 0; - return 8 + ndr_size_dom_sid(&ace->trustee, flags); -} - - -/* - return the wire size of a security_acl -*/ -size_t ndr_size_security_acl(const struct security_acl *acl, int flags) -{ - size_t ret; - int i; - if (!acl) return 0; - ret = 8; - for (i=0;i<acl->num_aces;i++) { - ret += ndr_size_security_ace(&acl->aces[i], flags); - } - return ret; -} - -/* - return the wire size of a security descriptor -*/ -size_t ndr_size_security_descriptor(const struct security_descriptor *sd, int flags) -{ - size_t ret; - if (!sd) return 0; - - ret = 20; - ret += ndr_size_dom_sid(sd->owner_sid, flags); - ret += ndr_size_dom_sid(sd->group_sid, flags); - ret += ndr_size_security_acl(sd->dacl, flags); - ret += ndr_size_security_acl(sd->sacl, flags); - return ret; -} - -/* - print a dom_sid -*/ -void ndr_print_dom_sid(struct ndr_print *ndr, const char *name, const struct dom_sid *sid) -{ - ndr->print(ndr, "%-25s: %s", name, dom_sid_string(ndr, sid)); -} - -void ndr_print_dom_sid2(struct ndr_print *ndr, const char *name, const struct dom_sid *sid) -{ - ndr_print_dom_sid(ndr, name, sid); -} - -void ndr_print_dom_sid28(struct ndr_print *ndr, const char *name, const struct dom_sid *sid) -{ - ndr_print_dom_sid(ndr, name, sid); -} - -void ndr_print_dom_sid0(struct ndr_print *ndr, const char *name, const struct dom_sid *sid) -{ - ndr_print_dom_sid(ndr, name, sid); -} - diff --git a/source3/librpc/ndr/sid.c b/source3/librpc/ndr/sid.c index ed27375de1..39b7e3cd59 100644 --- a/source3/librpc/ndr/sid.c +++ b/source3/librpc/ndr/sid.c @@ -21,6 +21,35 @@ #include "includes.h" +/* + return the wire size of a dom_sid +*/ +size_t ndr_size_dom_sid(const struct dom_sid *sid, int flags) +{ + if (!sid) return 0; + return 8 + 4*sid->num_auths; +} + +size_t ndr_size_dom_sid28(const struct dom_sid *sid, int flags) +{ + struct dom_sid zero_sid; + + if (!sid) return 0; + + ZERO_STRUCT(zero_sid); + + if (memcmp(&zero_sid, sid, sizeof(zero_sid)) == 0) { + return 0; + } + + return 8 + 4*sid->num_auths; +} + +size_t ndr_size_dom_sid0(const struct dom_sid *sid, int flags) +{ + return ndr_size_dom_sid28(sid, flags); +} + enum ndr_err_code ndr_push_dom_sid(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *r) { uint32_t cntr_sub_auths_0; @@ -228,3 +257,27 @@ enum ndr_err_code ndr_push_dom_sid0(struct ndr_push *ndr, int ndr_flags, const s return ndr_push_dom_sid(ndr, ndr_flags, sid); } + +/* + print a dom_sid +*/ +void ndr_print_dom_sid(struct ndr_print *ndr, const char *name, const struct dom_sid *sid) +{ + ndr->print(ndr, "%-25s: %s", name, dom_sid_string(ndr, sid)); +} + +void ndr_print_dom_sid2(struct ndr_print *ndr, const char *name, const struct dom_sid *sid) +{ + ndr_print_dom_sid(ndr, name, sid); +} + +void ndr_print_dom_sid28(struct ndr_print *ndr, const char *name, const struct dom_sid *sid) +{ + ndr_print_dom_sid(ndr, name, sid); +} + +void ndr_print_dom_sid0(struct ndr_print *ndr, const char *name, const struct dom_sid *sid) +{ + ndr_print_dom_sid(ndr, name, sid); +} + diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 1588ae3efe..8b7ac7d718 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -468,7 +468,7 @@ static bool cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob) SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); - + SCVAL(cli->outbuf,smb_vwv0,0xFF); SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); SSVAL(cli->outbuf,smb_vwv3,2); @@ -504,10 +504,10 @@ static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli) NT_STATUS_MORE_PROCESSING_REQUIRED)) { return blob2; } - + /* use the returned vuid from now on */ cli->vuid = SVAL(cli->inbuf,smb_uid); - + p = smb_buf(cli->inbuf); blob2 = data_blob(p, SVAL(cli->inbuf, smb_vwv3)); @@ -696,14 +696,14 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use /* wrap it in SPNEGO */ msg1 = spnego_gen_auth(blob_out); } - + /* now send that blob on its way */ if (!cli_session_setup_blob_send(cli, msg1)) { DEBUG(3, ("Failed to send NTLMSSP/SPNEGO blob to server!\n")); nt_status = NT_STATUS_UNSUCCESSFUL; } else { blob = cli_session_setup_blob_receive(cli); - + nt_status = cli_nt_error(cli); if (cli_is_error(cli) && NT_STATUS_IS_OK(nt_status)) { if (cli->smb_rw_error == SMB_READ_BAD_SIG) { @@ -715,7 +715,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use } data_blob_free(&msg1); } - + if (!blob.length) { if (NT_STATUS_IS_OK(nt_status)) { nt_status = NT_STATUS_UNSUCCESSFUL; @@ -761,11 +761,11 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use data_blob_free(&key); if (res) { - + /* 'resign' the last message, so we get the right sequence numbers for checking the first reply from the server */ cli_calculate_sign_mac(cli, cli->outbuf); - + if (!cli_check_sign_mac(cli, cli->inbuf)) { nt_status = NT_STATUS_ACCESS_DENIED; } @@ -849,10 +849,10 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, if (pass && *pass) { int ret; - + use_in_memory_ccache(); ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL); - + if (ret){ TALLOC_FREE(principal); DEBUG(0, ("Kinit failed: %s\n", error_message(ret))); @@ -861,7 +861,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, return ADS_ERROR_KRB5(ret); } } - + /* If we get a bad principal, try to guess it if we have a valid host NetBIOS name. */ @@ -1132,7 +1132,7 @@ bool cli_send_tconX(struct cli_state *cli, * Non-encrypted passwords - convert to DOS codepage before using. */ passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE); - + } else { if (passlen) { memcpy(pword, pass, passlen); @@ -1175,7 +1175,7 @@ bool cli_send_tconX(struct cli_state *cli, /* almost certainly win95 - enable bug fixes */ cli->win95 = True; } - + /* Make sure that we have the optional support 16-bit field. WCT > 2 */ /* Avoids issues when connecting to Win9x boxes sharing files */ @@ -1198,11 +1198,11 @@ bool cli_tdis(struct cli_state *cli) SCVAL(cli->outbuf,smb_com,SMBtdis); SSVAL(cli->outbuf,smb_tid,cli->cnum); cli_setup_packet(cli); - + cli_send_smb(cli); if (!cli_receive_smb(cli)) return False; - + if (cli_is_error(cli)) { return False; } @@ -1265,7 +1265,7 @@ bool cli_negprot(struct cli_state *cli) prots[numprots].name && prots[numprots].prot<=cli->protocol; numprots++) plength += strlen(prots[numprots].name)+2; - + cli_set_message(cli->outbuf,0,plength,True); p = smb_buf(cli->outbuf); @@ -1397,9 +1397,13 @@ bool cli_session_request(struct cli_state *cli, char *p; int len = 4; + /* 445 doesn't have session request */ + if (cli->port == 445) + return True; + memcpy(&(cli->calling), calling, sizeof(*calling)); memcpy(&(cli->called ), called , sizeof(*called )); - + /* put in the destination name */ p = cli->outbuf+len; name_mangle(cli->called .name, p, cli->called .name_type); @@ -1410,10 +1414,6 @@ bool cli_session_request(struct cli_state *cli, name_mangle(cli->calling.name, p, cli->calling.name_type); len += name_len(p); - /* 445 doesn't have session request */ - if (cli->port == 445) - return True; - /* send a session request (RFC 1002) */ /* setup the packet length * Remove four bytes from the length count, since the length @@ -1605,11 +1605,11 @@ NTSTATUS cli_start_connection(struct cli_state **output_cli, if (!my_name) my_name = global_myname(); - + if (!(cli = cli_initialise())) { return NT_STATUS_NO_MEMORY; } - + make_nmb_name(&calling, my_name, 0x0); make_nmb_name(&called , dest_host, 0x20); diff --git a/source3/libsmb/clifile.c b/source3/libsmb/clifile.c index 1c525363f7..a9e81082ea 100644 --- a/source3/libsmb/clifile.c +++ b/source3/libsmb/clifile.c @@ -66,7 +66,7 @@ static bool cli_link_internal(struct cli_state *cli, const char *oldname, const -1, 0, /* fid, flags */ &setup, 1, 0, /* setup, length, max */ param, param_len, 2, /* param, length, max */ - (char *)&data, data_len, cli->max_xmit /* data, length, max */ + data, data_len, cli->max_xmit /* data, length, max */ )) { SAFE_FREE(data); SAFE_FREE(param); diff --git a/source3/libsmb/clitrans.c b/source3/libsmb/clitrans.c index c929f0b7a9..bbdfb75fcd 100644 --- a/source3/libsmb/clitrans.c +++ b/source3/libsmb/clitrans.c @@ -978,19 +978,6 @@ static void cli_trans_ship_rest(struct async_req *req, } } -static bool cli_trans_oob(uint32_t bufsize, uint32_t offset, uint32_t length) -{ - if ((offset + length < offset) || (offset + length < length)) { - /* wrap */ - return true; - } - if ((offset > bufsize) || (offset + length > bufsize)) { - /* overflow */ - return true; - } - return false; -} - static NTSTATUS cli_pull_trans(struct async_req *req, struct cli_request *cli_req, uint8_t smb_cmd, bool expect_first_reply, @@ -1072,10 +1059,10 @@ static NTSTATUS cli_pull_trans(struct async_req *req, * length. Likewise for param_ofs/param_disp. */ - if (cli_trans_oob(smb_len(cli_req->inbuf), param_ofs, *pnum_param) - || cli_trans_oob(*ptotal_param, *pparam_disp, *pnum_param) - || cli_trans_oob(smb_len(cli_req->inbuf), data_ofs, *pnum_data) - || cli_trans_oob(*ptotal_data, *pdata_disp, *pnum_data)) { + if (trans_oob(smb_len(cli_req->inbuf), param_ofs, *pnum_param) + || trans_oob(*ptotal_param, *pparam_disp, *pnum_param) + || trans_oob(smb_len(cli_req->inbuf), data_ofs, *pnum_data) + || trans_oob(*ptotal_data, *pdata_disp, *pnum_data)) { return NT_STATUS_INVALID_NETWORK_RESPONSE; } diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c index ff0a8f9808..d8c2b70175 100644 --- a/source3/libsmb/dsgetdcname.c +++ b/source3/libsmb/dsgetdcname.c @@ -1040,6 +1040,8 @@ static NTSTATUS process_dc_netbios(TALLOC_CTX *mem_ctx, r->data.nt4 = logon1; r->ntver = nt_version; + map_netlogon_samlogon_response(r); + namecache_store(tmp_dc_name, NBT_NAME_SERVER, 1, &ip_list); goto make_reply; diff --git a/source3/libsmb/nterr.c b/source3/libsmb/nterr.c index 1ba230cefe..465d88a9b6 100644 --- a/source3/libsmb/nterr.c +++ b/source3/libsmb/nterr.c @@ -532,6 +532,7 @@ static const nt_err_code_struct nt_errs[] = { "NT_STATUS_TOO_MANY_LINKS", NT_STATUS_TOO_MANY_LINKS }, { "NT_STATUS_QUOTA_LIST_INCONSISTENT", NT_STATUS_QUOTA_LIST_INCONSISTENT }, { "NT_STATUS_FILE_IS_OFFLINE", NT_STATUS_FILE_IS_OFFLINE }, + { "NT_STATUS_DS_BUSY", NT_STATUS_DS_BUSY }, { "NT_STATUS_DS_NO_MORE_RIDS", NT_STATUS_DS_NO_MORE_RIDS }, { "NT_STATUS_NOT_A_REPARSE_POINT", NT_STATUS_NOT_A_REPARSE_POINT }, { "NT_STATUS_DOWNGRADE_DETECTED", NT_STATUS_DOWNGRADE_DETECTED }, diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c index a0e54ce769..cc13476935 100644 --- a/source3/libsmb/ntlmssp.c +++ b/source3/libsmb/ntlmssp.c @@ -11,12 +11,12 @@ it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -60,7 +60,7 @@ static const struct ntlmssp_callbacks { void debug_ntlmssp_flags(uint32 neg_flags) { DEBUG(3,("Got NTLMSSP neg_flags=0x%08x\n", neg_flags)); - + if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) DEBUGADD(4, (" NTLMSSP_NEGOTIATE_UNICODE\n")); if (neg_flags & NTLMSSP_NEGOTIATE_OEM) @@ -109,7 +109,7 @@ void debug_ntlmssp_flags(uint32 neg_flags) * Default challenge generation code. * */ - + static const uint8 *get_challenge(const struct ntlmssp_state *ntlmssp_state) { static uchar chal[8]; @@ -122,7 +122,7 @@ static const uint8 *get_challenge(const struct ntlmssp_state *ntlmssp_state) * Default 'we can set the challenge to anything we like' implementation * */ - + static bool may_set_challenge(const struct ntlmssp_state *ntlmssp_state) { return True; @@ -134,7 +134,7 @@ static bool may_set_challenge(const struct ntlmssp_state *ntlmssp_state) * Does not actually do anything, as the value is always in the structure anyway. * */ - + static NTSTATUS set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge) { SMB_ASSERT(challenge->length == 8); @@ -148,7 +148,7 @@ static NTSTATUS set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *ch NTSTATUS ntlmssp_set_username(NTLMSSP_STATE *ntlmssp_state, const char *user) { - ntlmssp_state->user = talloc_strdup(ntlmssp_state->mem_ctx, user ? user : "" ); + ntlmssp_state->user = talloc_strdup(ntlmssp_state, user ? user : "" ); if (!ntlmssp_state->user) { return NT_STATUS_NO_MEMORY; } @@ -164,9 +164,9 @@ NTSTATUS ntlmssp_set_hashes(NTLMSSP_STATE *ntlmssp_state, const unsigned char nt_hash[16]) { ntlmssp_state->lm_hash = (unsigned char *) - TALLOC_MEMDUP(ntlmssp_state->mem_ctx, lm_hash, 16); + TALLOC_MEMDUP(ntlmssp_state, lm_hash, 16); ntlmssp_state->nt_hash = (unsigned char *) - TALLOC_MEMDUP(ntlmssp_state->mem_ctx, nt_hash, 16); + TALLOC_MEMDUP(ntlmssp_state, nt_hash, 16); if (!ntlmssp_state->lm_hash || !ntlmssp_state->nt_hash) { TALLOC_FREE(ntlmssp_state->lm_hash); TALLOC_FREE(ntlmssp_state->nt_hash); @@ -201,7 +201,8 @@ NTSTATUS ntlmssp_set_password(NTLMSSP_STATE *ntlmssp_state, const char *password */ NTSTATUS ntlmssp_set_domain(NTLMSSP_STATE *ntlmssp_state, const char *domain) { - ntlmssp_state->domain = talloc_strdup(ntlmssp_state->mem_ctx, domain ? domain : "" ); + ntlmssp_state->domain = talloc_strdup(ntlmssp_state, + domain ? domain : "" ); if (!ntlmssp_state->domain) { return NT_STATUS_NO_MEMORY; } @@ -214,7 +215,7 @@ NTSTATUS ntlmssp_set_domain(NTLMSSP_STATE *ntlmssp_state, const char *domain) */ NTSTATUS ntlmssp_set_workstation(NTLMSSP_STATE *ntlmssp_state, const char *workstation) { - ntlmssp_state->workstation = talloc_strdup(ntlmssp_state->mem_ctx, workstation); + ntlmssp_state->workstation = talloc_strdup(ntlmssp_state, workstation); if (!ntlmssp_state->workstation) { return NT_STATUS_NO_MEMORY; } @@ -229,8 +230,9 @@ NTSTATUS ntlmssp_set_workstation(NTLMSSP_STATE *ntlmssp_state, const char *works NTSTATUS ntlmssp_store_response(NTLMSSP_STATE *ntlmssp_state, DATA_BLOB response) { - ntlmssp_state->stored_response = data_blob_talloc(ntlmssp_state->mem_ctx, - response.data, response.length); + ntlmssp_state->stored_response = data_blob_talloc(ntlmssp_state, + response.data, + response.length); return NT_STATUS_OK; } @@ -277,7 +279,7 @@ void ntlmssp_want_feature(NTLMSSP_STATE *ntlmssp_state, uint32 feature) ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; } } - + /** * Next state function for the NTLMSSP state machine * @@ -304,7 +306,7 @@ NTSTATUS ntlmssp_update(NTLMSSP_STATE *ntlmssp_state, if (!in.length && ntlmssp_state->stored_response.length) { input = ntlmssp_state->stored_response; - + /* we only want to read the stored response once - overwrite it */ ntlmssp_state->stored_response = data_blob_null; } else { @@ -357,16 +359,13 @@ NTSTATUS ntlmssp_update(NTLMSSP_STATE *ntlmssp_state, void ntlmssp_end(NTLMSSP_STATE **ntlmssp_state) { - TALLOC_CTX *mem_ctx = (*ntlmssp_state)->mem_ctx; - (*ntlmssp_state)->ref_count--; if ((*ntlmssp_state)->ref_count == 0) { data_blob_free(&(*ntlmssp_state)->chal); data_blob_free(&(*ntlmssp_state)->lm_resp); data_blob_free(&(*ntlmssp_state)->nt_resp); - - talloc_destroy(mem_ctx); + TALLOC_FREE(*ntlmssp_state); } *ntlmssp_state = NULL; @@ -562,13 +561,14 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, if (target_name == NULL) return NT_STATUS_INVALID_PARAMETER; - ntlmssp_state->chal = data_blob_talloc(ntlmssp_state->mem_ctx, cryptkey, 8); - ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state->mem_ctx, cryptkey, 8); + ntlmssp_state->chal = data_blob_talloc(ntlmssp_state, cryptkey, 8); + ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state, + cryptkey, 8); /* This should be a 'netbios domain -> DNS domain' mapping */ - dnsdomname = get_mydnsdomname(ntlmssp_state->mem_ctx); + dnsdomname = get_mydnsdomname(ntlmssp_state); if (!dnsdomname) { - dnsdomname = talloc_strdup(ntlmssp_state->mem_ctx, ""); + dnsdomname = talloc_strdup(ntlmssp_state, ""); } if (!dnsdomname) { return NT_STATUS_NO_MEMORY; @@ -685,7 +685,7 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state, SAFE_FREE(workstation); data_blob_free(&encrypted_session_key); auth_flags = 0; - + /* Try again with a shorter string (Win9X truncates this packet) */ if (ntlmssp_state->unicode) { parse_string = "CdBBUUU"; @@ -753,24 +753,25 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state, /* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a client challenge - + However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful. */ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) { struct MD5Context md5_session_nonce_ctx; SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8); - + doing_ntlm2 = True; memcpy(session_nonce, ntlmssp_state->internal_chal.data, 8); memcpy(&session_nonce[8], ntlmssp_state->lm_resp.data, 8); - + MD5Init(&md5_session_nonce_ctx); MD5Update(&md5_session_nonce_ctx, session_nonce, 16); MD5Final(session_nonce_hash, &md5_session_nonce_ctx); - - ntlmssp_state->chal = data_blob_talloc(ntlmssp_state->mem_ctx, session_nonce_hash, 8); + + ntlmssp_state->chal = data_blob_talloc( + ntlmssp_state, session_nonce_hash, 8); /* LM response is no longer useful */ data_blob_free(&ntlmssp_state->lm_resp); @@ -807,12 +808,13 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state, /* Handle the different session key derivation for NTLM2 */ if (doing_ntlm2) { if (user_session_key.data && user_session_key.length == 16) { - session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16); + session_key = data_blob_talloc(ntlmssp_state, + NULL, 16); hmac_md5(user_session_key.data, session_nonce, sizeof(session_nonce), session_key.data); DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n")); dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length); - + } else { DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n")); session_key = data_blob_null; @@ -820,7 +822,8 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state, } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) { if (lm_session_key.data && lm_session_key.length >= 8) { if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) { - session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16); + session_key = data_blob_talloc(ntlmssp_state, + NULL, 16); if (session_key.data == NULL) { return NT_STATUS_NO_MEMORY; } @@ -831,7 +834,7 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state, uint8 zeros[24]; ZERO_STRUCT(zeros); session_key = data_blob_talloc( - ntlmssp_state->mem_ctx, NULL, 16); + ntlmssp_state, NULL, 16); if (session_key.data == NULL) { return NT_STATUS_NO_MEMORY; } @@ -875,9 +878,9 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state, SamOEMhash(encrypted_session_key.data, session_key.data, encrypted_session_key.length); - ntlmssp_state->session_key = data_blob_talloc(ntlmssp_state->mem_ctx, - encrypted_session_key.data, - encrypted_session_key.length); + ntlmssp_state->session_key = data_blob_talloc( + ntlmssp_state, encrypted_session_key.data, + encrypted_session_key.length); dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length); } @@ -892,7 +895,7 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state, } data_blob_free(&encrypted_session_key); - + /* Only one authentication allowed per server state. */ ntlmssp_state->expected_state = NTLMSSP_DONE; @@ -907,20 +910,15 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state, NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state) { - TALLOC_CTX *mem_ctx; - - mem_ctx = talloc_init("NTLMSSP context"); - - *ntlmssp_state = TALLOC_ZERO_P(mem_ctx, NTLMSSP_STATE); + *ntlmssp_state = TALLOC_ZERO_P(NULL, NTLMSSP_STATE); if (!*ntlmssp_state) { DEBUG(0,("ntlmssp_server_start: talloc failed!\n")); - talloc_destroy(mem_ctx); + talloc_destroy(*ntlmssp_state); return NT_STATUS_NO_MEMORY; } (*ntlmssp_state)->role = NTLMSSP_SERVER; - (*ntlmssp_state)->mem_ctx = mem_ctx; (*ntlmssp_state)->get_challenge = get_challenge; (*ntlmssp_state)->set_challenge = set_challenge; (*ntlmssp_state)->may_set_challenge = may_set_challenge; @@ -968,7 +966,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, } else { ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM; } - + if (ntlmssp_state->use_ntlmv2) { ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } @@ -1021,7 +1019,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, return NT_STATUS_INVALID_PARAMETER; } - + data_blob_free(&server_domain_blob); DEBUG(3, ("Got challenge flags:\n")); @@ -1062,7 +1060,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, return NT_STATUS_INVALID_PARAMETER; } - ntlmssp_state->server_domain = talloc_strdup(ntlmssp_state->mem_ctx, + ntlmssp_state->server_domain = talloc_strdup(ntlmssp_state, server_domain); SAFE_FREE(server_domain); @@ -1078,8 +1076,8 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, ZERO_STRUCT(zeros); /* session key is all zeros */ - session_key = data_blob_talloc(ntlmssp_state->mem_ctx, zeros, 16); - + session_key = data_blob_talloc(ntlmssp_state, zeros, 16); + /* not doing NLTM2 without a password */ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; } else if (ntlmssp_state->use_ntlmv2) { @@ -1092,7 +1090,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, /* TODO: if the remote server is standalone, then we should replace 'domain' with the server name as supplied above */ - + if (!SMBNTLMv2encrypt_hash(ntlmssp_state->user, ntlmssp_state->domain, ntlmssp_state->nt_hash, &challenge_blob, @@ -1107,14 +1105,14 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, uchar session_nonce[16]; uchar session_nonce_hash[16]; uchar user_session_key[16]; - - lm_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24); + + lm_response = data_blob_talloc(ntlmssp_state, NULL, 24); generate_random_buffer(lm_response.data, 8); memset(lm_response.data+8, 0, 16); memcpy(session_nonce, challenge_blob.data, 8); memcpy(&session_nonce[8], lm_response.data, 8); - + MD5Init(&md5_session_nonce_ctx); MD5Update(&md5_session_nonce_ctx, challenge_blob.data, 8); MD5Update(&md5_session_nonce_ctx, lm_response.data, 8); @@ -1123,13 +1121,13 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, DEBUG(5, ("NTLMSSP challenge set by NTLM2\n")); DEBUG(5, ("challenge is: \n")); dump_data(5, session_nonce_hash, 8); - - nt_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24); + + nt_response = data_blob_talloc(ntlmssp_state, NULL, 24); SMBNTencrypt_hash(ntlmssp_state->nt_hash, session_nonce_hash, nt_response.data); - session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16); + session_key = data_blob_talloc(ntlmssp_state, NULL, 16); SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, NULL, user_session_key); hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data); @@ -1137,16 +1135,17 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, } else { /* lanman auth is insecure, it may be disabled */ if (lp_client_lanman_auth()) { - lm_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24); + lm_response = data_blob_talloc(ntlmssp_state, + NULL, 24); SMBencrypt_hash(ntlmssp_state->lm_hash,challenge_blob.data, lm_response.data); } - - nt_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24); + + nt_response = data_blob_talloc(ntlmssp_state, NULL, 24); SMBNTencrypt_hash(ntlmssp_state->nt_hash,challenge_blob.data, nt_response.data); - - session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16); + + session_key = data_blob_talloc(ntlmssp_state, NULL, 16); if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && lp_client_lanman_auth()) { SMBsesskeygen_lm_sess_key(ntlmssp_state->lm_hash, lm_response.data, @@ -1174,7 +1173,9 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, /* Mark the new session key as the 'real' session key */ data_blob_free(&session_key); - session_key = data_blob_talloc(ntlmssp_state->mem_ctx, client_session_key, sizeof(client_session_key)); + session_key = data_blob_talloc(ntlmssp_state, + client_session_key, + sizeof(client_session_key)); } /* this generates the actual auth packet */ @@ -1188,7 +1189,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, ntlmssp_state->get_global_myname(), encrypted_session_key.data, encrypted_session_key.length, ntlmssp_state->neg_flags)) { - + return NT_STATUS_NO_MEMORY; } @@ -1213,21 +1214,15 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, NTSTATUS ntlmssp_client_start(NTLMSSP_STATE **ntlmssp_state) { - TALLOC_CTX *mem_ctx; - - mem_ctx = talloc_init("NTLMSSP Client context"); - - *ntlmssp_state = TALLOC_ZERO_P(mem_ctx, NTLMSSP_STATE); + *ntlmssp_state = TALLOC_ZERO_P(NULL, NTLMSSP_STATE); if (!*ntlmssp_state) { DEBUG(0,("ntlmssp_client_start: talloc failed!\n")); - talloc_destroy(mem_ctx); + talloc_destroy(*ntlmssp_state); return NT_STATUS_NO_MEMORY; } (*ntlmssp_state)->role = NTLMSSP_CLIENT; - (*ntlmssp_state)->mem_ctx = mem_ctx; - (*ntlmssp_state)->get_global_myname = global_myname; (*ntlmssp_state)->get_domain = lp_workgroup; diff --git a/source3/locale/pam_winbind/de.po b/source3/locale/pam_winbind/de.po new file mode 100644 index 0000000000..5a7223d63d --- /dev/null +++ b/source3/locale/pam_winbind/de.po @@ -0,0 +1,181 @@ +# pam_winbind message translations (german) +# Copyright (C) 2008 Guenther Deschner <gd@samba.org> +# This file is distributed under the same license as the pam_winbind package. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: @PACKAGE@\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2008-11-17 12:00+0100\n" +"PO-Revision-Date: 2008-11-13 14:29+0100\n" +"Last-Translator: Guenther Deschner <gd@samba.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#: ../../nsswitch/pam_winbind.c:579 +msgid "Success" +msgstr "Erfolgreich" + +#: ../../nsswitch/pam_winbind.c:581 +msgid "No primary Domain Controler available" +msgstr "Kein primärer Domänen-Controller verfügbar" + +#: ../../nsswitch/pam_winbind.c:583 +msgid "No domain controllers found" +msgstr "Keine Domänen-Controller gefunden" + +#: ../../nsswitch/pam_winbind.c:585 +msgid "No logon servers" +msgstr "Keine Anmeldeserver verfügbar" + +#: ../../nsswitch/pam_winbind.c:587 +msgid "Password too short" +msgstr "Passwort ist zu kurz" + +#: ../../nsswitch/pam_winbind.c:589 +msgid "The password of this user is too recent to change" +msgstr "Das Passwort des Benutzers kann noch nicht erneut geändert werden" + +#: ../../nsswitch/pam_winbind.c:591 +msgid "Password is already in password history" +msgstr "Das neue Passwort ist bereits in der Passwort-Historie enthalten" + +#: ../../nsswitch/pam_winbind.c:593 +msgid "Your password has expired" +msgstr "Ihr Passwort ist abgelaufen" + +#: ../../nsswitch/pam_winbind.c:595 +msgid "You need to change your password now" +msgstr "Sie müssen Ihr Passwort unmittelbar ändern" + +#: ../../nsswitch/pam_winbind.c:597 +msgid "You are not allowed to logon from this workstation" +msgstr "Sie können sich nicht von diesem Arbeitsplatz aus anmelden" + +#: ../../nsswitch/pam_winbind.c:599 +msgid "You are not allowed to logon at this time" +msgstr "Sie können sich zum jetzigen Zeitpunkt nicht anmelden" + +#: ../../nsswitch/pam_winbind.c:601 +msgid "Your account has expired. Please contact your System administrator" +msgstr "Ihr Benutzerkonto ist abgelaufen. Bitte kontaktieren Sie ihren System-Administrator" + +#: ../../nsswitch/pam_winbind.c:604 +msgid "Your account is disabled. Please contact your System administrator" +msgstr "Ihr Benutzerkonto ist deaktiviert. Bitte kontaktieren Sie ihren System-Administrator" + +#: ../../nsswitch/pam_winbind.c:607 +msgid "Your account has been locked. Please contact your System administrator" +msgstr "Ihr Benutzerkonto wurde gesperrt. Bitte kontaktieren Sie ihren System-Administrator" + +#: ../../nsswitch/pam_winbind.c:610 ../../nsswitch/pam_winbind.c:612 ../../nsswitch/pam_winbind.c:614 +msgid "Invalid Trust Account" +msgstr "Ungültiges Maschinen-Konto" + +#: ../../nsswitch/pam_winbind.c:616 +msgid "Access is denied" +msgstr "Zugriff verweigert" + +#: ../../nsswitch/pam_winbind.c:854 +msgid "Your password expires today" +msgstr "Ihr Passwort läuft heute ab" + +#: ../../nsswitch/pam_winbind.c:860 +#, c-format +msgid "Your password will expire in %d %s" +msgstr "Ihr Passwort wird in %d %s ungültig" + +#: ../../nsswitch/pam_winbind.c:861 +msgid "days" +msgstr "Tagen" + +#: ../../nsswitch/pam_winbind.c:861 +msgid "day" +msgstr "Tag" + +#: ../../nsswitch/pam_winbind.c:1253 +msgid "Grace login. Please change your password as soon you're online again" +msgstr "Kulanzanmeldung. Bitte ändern sie ihr Passwort sobald sie wieder online sind" + +#: ../../nsswitch/pam_winbind.c:1263 +msgid "Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable" +msgstr "Domänen-Controller unerreichbar. Anmeldung erfolgte mit gespeicherten Anmeldedaten. Netzwerk Ressourcen können momentan nicht verfügbar sein" + +#: ../../nsswitch/pam_winbind.c:1288 +msgid "" +"Failed to establish your Kerberos Ticket cache due time differences\n" +"with the domain controller. Please verify the system time.\n" +msgstr "" +"Anforderung eines Kerberos Tickets aufgrund Zeitunterscheid zum \n" +"Domänen-Controller fehlgeschlagen. Bitte überprüfen Sie die Systemzeit.\n" + +#: ../../nsswitch/pam_winbind.c:1356 +msgid "Your password " +msgstr "Ihr Passwort " + +#: ../../nsswitch/pam_winbind.c:1363 +#, c-format +msgid "must be at least %d characters; " +msgstr "muß mindestens %d Zeichen lang sein; " + +#: ../../nsswitch/pam_winbind.c:1372 +#, c-format +msgid "cannot repeat any of your previous %d passwords; " +msgstr "kann keines der %d vorherigen Passwörter enthalten; " + +#: ../../nsswitch/pam_winbind.c:1382 +msgid "must contain capitals, numerals or punctuation; and cannot contain your account or full name; " +msgstr "muß Großbuchstaben, Ziffern oder Punktzeichen enthalten; kann nicht den Benutzer- oder vollen Namen enthalten; " + +#: ../../nsswitch/pam_winbind.c:1392 +msgid "Please type a different password. Type a password which meets these requirements in both text boxes." +msgstr "Bitte wählen Sie ein anderes Passwort. Geben Sie ein geeignetes Passwort in beide Textfelder ein." + +#: ../../nsswitch/pam_winbind.c:1419 +#, c-format +msgid "Creating directory: %s failed: %s" +msgstr "Anlegen des Verzeichnis: %s fehlgeschlagen: %s" + +#: ../../nsswitch/pam_winbind.c:1877 +msgid "Password does not meet complexity requirements" +msgstr "Passwort genügt nicht den Komplexitätsanforderungen" + +#. +#. * First get the name of a user +#. +#: ../../nsswitch/pam_winbind.c:2336 ../../nsswitch/pam_winbind.c:2883 +msgid "Username: " +msgstr "Benuzername: " + +#: ../../nsswitch/pam_winbind.c:2513 +msgid "Password: " +msgstr "Passwort: " + +#. instruct user what is happening +#: ../../nsswitch/pam_winbind.c:2921 +#, fuzzy +msgid "Changing password for" +msgstr "Ändere Passwort für" + +#: ../../nsswitch/pam_winbind.c:2934 +msgid "(current) NT password: " +msgstr "(aktuelles) NT Passwort: " + +#: ../../nsswitch/pam_winbind.c:3004 +msgid "Enter new NT password: " +msgstr "Neues NT Passwort eingeben: " + +#: ../../nsswitch/pam_winbind.c:3005 +msgid "Retype new NT password: " +msgstr "Neues NT Passwort wiederholen: " + +#. +#. * here is the string to inform the user that the new passwords they +#. * typed were not the same. +#. +#: ../../nsswitch/pam_winbind.h:122 +msgid "Sorry, passwords do not match" +msgstr "Passwörter stimmen leider nicht überein" diff --git a/source3/locale/pam_winbind/genmsg b/source3/locale/pam_winbind/genmsg new file mode 100755 index 0000000000..5aa258aa85 --- /dev/null +++ b/source3/locale/pam_winbind/genmsg @@ -0,0 +1,25 @@ +#!/bin/sh + +FILES="../../nsswitch/pam_winbind.c ../../nsswitch/pam_winbind.h" +LANGS="af ar bg bn bs ca cs cy da de el en_GB en_US es et fi fr gl gu he hi hr hu id it ja ka km ko lo lt mk mr nb nl pa pl pt_BR pt ro ru si sk sl sr sv ta th tr uk vi wa xh zh_CN zh_TW zu" + +XGETTEXT=xgettext +MSGMERGE=msgmerge + +WIDTH=256 + +$XGETTEXT --default-domain="pam_winbind" \ + --add-comments \ + --keyword=_ --keyword=N_ \ + --width=${WIDTH} \ + ${FILES} + +for lang in ${LANGS}; do + echo -n $lang + touch ${lang}.po + mv ${lang}.po ${lang}.po.old + ${MSGMERGE} --width=${WIDTH} ${lang}.po.old pam_winbind.po -o ${lang}.po + rm -fr ${lang}.po.old +done + +rm -fr pam_winbind.po diff --git a/source3/localedir.c b/source3/localedir.c new file mode 100644 index 0000000000..20f69219ed --- /dev/null +++ b/source3/localedir.c @@ -0,0 +1,3 @@ +#include "localedir.h" + +const char *dyn_LOCALEDIR = LOCALEDIR; diff --git a/source3/m4/check_path.m4 b/source3/m4/check_path.m4 index 9c99468084..da6c922233 100644 --- a/source3/m4/check_path.m4 +++ b/source3/m4/check_path.m4 @@ -30,6 +30,7 @@ swatdir="\${prefix}/swat" codepagedir="\${MODULESDIR}" statedir="\${LOCKDIR}" cachedir="\${LOCKDIR}" +localedir="\${prefix}/share/locale" AC_ARG_WITH(fhs, [AS_HELP_STRING([--with-fhs],[Use FHS-compliant paths (default=no)])], @@ -242,6 +243,23 @@ AC_ARG_WITH(mandir, ;; esac]) +################################################ +# set locale directory location +AC_ARG_WITH(localedir, +[ --with-localedir=DIR Where to put po files ($ac_default_prefix/share/locale)], +[ case "$withval" in + yes|no) + # + # Just in case anybody does it + # + AC_MSG_WARN([--with-localedir called without argument - will use default]) + ;; + *) + localedir="$withval" + ;; + esac]) + + AC_SUBST(configdir) AC_SUBST(lockdir) AC_SUBST(piddir) @@ -258,6 +276,7 @@ AC_SUBST(cachedir) AC_SUBST(rootsbindir) AC_SUBST(pammodulesdir) AC_SUBST(modulesdir) +AC_SUBST(localedir) ################################################# # set prefix for 'make test' @@ -276,6 +295,22 @@ AC_ARG_WITH(selftest-prefix, ]) ################################################# +# set shrdir for 'make test' +selftest_shrdir="" +AC_SUBST(selftest_shrdir) +AC_ARG_WITH(selftest-shrdir, +[AS_HELP_STRING([--with-selftest-shrdir=DIR], [The share directory that make test will be run against ($selftest_shrdir)])], +[ case "$withval" in + yes|no) + AC_MSG_WARN([--with-selftest-shrdir called without argument - will use default]) + ;; + * ) + selftest_shrdir="$withval" + ;; + esac +]) + +################################################# # set path of samba4's smbtorture smbtorture4_path="" AC_SUBST(smbtorture4_path) diff --git a/source3/modules/gpfs.c b/source3/modules/gpfs.c index a0d33fa33a..4e76b97ccf 100644 --- a/source3/modules/gpfs.c +++ b/source3/modules/gpfs.c @@ -24,7 +24,6 @@ #include "gpfs_gpl.h" #include "vfs_gpfs.h" -static void *libgpfs_handle = NULL; static bool gpfs_share_modes; static bool gpfs_leases; @@ -135,65 +134,64 @@ int smbd_gpfs_putacl(char *pathname, int flags, void *acl) return gpfs_putacl_fn(pathname, flags, acl); } -void init_gpfs(void) +static bool init_gpfs_function_lib(void *plibhandle_pointer, + const char *libname, + void *pfn_pointer, const char *fn_name) { - if (libgpfs_handle != NULL) { - return; - } - - libgpfs_handle = dlopen("libgpfs_gpl.so", RTLD_LAZY); - - if (libgpfs_handle == NULL) { - DEBUG(10, ("dlopen for libgpfs_gpl failed: %s\n", - strerror(errno))); - return; + bool did_open_here = false; + void **libhandle_pointer = (void **)plibhandle_pointer; + void **fn_pointer = (void **)pfn_pointer; + + if (*libhandle_pointer == NULL) { + *libhandle_pointer = dlopen(libname, RTLD_LAZY); + did_open_here = true; + } + if (*libhandle_pointer == NULL) { + DEBUG(10, ("Could not open lib %s\n", libname)); + return false; + } + + *fn_pointer = dlsym(*libhandle_pointer, fn_name); + if (*fn_pointer == NULL) { + DEBUG(10, ("Did not find symbol %s in lib %s\n", + fn_name, libname)); + if (did_open_here) { + dlclose(*libhandle_pointer); + *libhandle_pointer = NULL; + } + return false; } - DEBUG(10, ("libgpfs_gpl.so loaded\n")); - - gpfs_set_share_fn = dlsym(libgpfs_handle, "gpfs_set_share"); - if (gpfs_set_share_fn == NULL) { - DEBUG(3, ("libgpfs_gpl.so does not contain the symbol " - "'gpfs_set_share'\n")); - goto failed; - } + return true; +} - gpfs_set_lease_fn = dlsym(libgpfs_handle, "gpfs_set_lease"); - if (gpfs_set_lease_fn == NULL) { - DEBUG(3, ("libgpfs_gpl.so does not contain the symbol " - "'gpfs_set_lease'\n")); - dlclose(libgpfs_handle); +static bool init_gpfs_function(void *fn_pointer, const char *fn_name) +{ + static void *libgpfs_handle = NULL; + static void *libgpfs_gpl_handle = NULL; - goto failed; + if (init_gpfs_function_lib(&libgpfs_handle, "libgpfs.so", + fn_pointer, fn_name)) { + return true; } - - gpfs_getacl_fn = dlsym(libgpfs_handle, "gpfs_getacl"); - if (gpfs_getacl_fn == NULL) { - DEBUG(3, ("libgpfs_gpl.so does not contain the symbol " - "'gpfs_getacl'\n")); - goto failed; + if (init_gpfs_function_lib(&libgpfs_gpl_handle, "libgpfs_gpl.so", + fn_pointer, fn_name)) { + return true; } + return false; +} - gpfs_putacl_fn = dlsym(libgpfs_handle, "gpfs_putacl"); - if (gpfs_putacl_fn == NULL) { - DEBUG(3, ("libgpfs_gpl.so does not contain the symbol " - "'gpfs_putacl'\n")); - goto failed; - } +void init_gpfs(void) +{ + init_gpfs_function(&gpfs_set_share_fn, "gpfs_set_share"); + init_gpfs_function(&gpfs_set_lease_fn, "gpfs_set_lease"); + init_gpfs_function(&gpfs_getacl_fn, "gpfs_getacl"); + init_gpfs_function(&gpfs_putacl_fn, "gpfs_putacl"); gpfs_share_modes = lp_parm_bool(-1, "gpfs", "sharemodes", True); gpfs_leases = lp_parm_bool(-1, "gpfs", "leases", True); return; - -failed: - dlclose(libgpfs_handle); - /* leave libgpfs_handle != NULL around, no point - in trying twice */ - gpfs_set_share_fn = NULL; - gpfs_set_lease_fn = NULL; - gpfs_getacl_fn = NULL; - gpfs_putacl_fn = NULL; } #else diff --git a/source3/modules/nfs4_acls.h b/source3/modules/nfs4_acls.h index 0f783aa977..a227c6e0fc 100644 --- a/source3/modules/nfs4_acls.h +++ b/source3/modules/nfs4_acls.h @@ -144,7 +144,7 @@ typedef bool (*set_nfs4acl_native_fn_t)(files_struct *, SMB4ACL_T *); NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, uint32 security_info_sent, - SEC_DESC *psd, + const SEC_DESC *psd, set_nfs4acl_native_fn_t set_nfs4_native); #endif /* __NFS4_ACLS_H__ */ diff --git a/source3/modules/onefs.h b/source3/modules/onefs.h new file mode 100644 index 0000000000..965f39509a --- /dev/null +++ b/source3/modules/onefs.h @@ -0,0 +1,52 @@ +/* + * Unix SMB/CIFS implementation. + * Support for OneFS + * + * Copyright (C) Steven Danneman, 2008 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef _ONEFS_H +#define _ONEFS_H + +/* OneFS Module smb.conf parameters and defaults */ + +/** +* Specifies when ACLs presented to Windows should be canonicalized +* into the ordering which Explorer expects. +*/ +enum onefs_acl_wire_format +{ + ACL_FORMAT_RAW, /**< Never canonicalize */ + ACL_FORMAT_WINDOWS_SD, /**< Only canonicalize synthetic ACLs */ + ACL_FORMAT_ALWAYS /**< Always canonicalize */ +}; + +const struct enum_list enum_onefs_acl_wire_format[] = { + {ACL_FORMAT_RAW, "No Format"}, + {ACL_FORMAT_WINDOWS_SD, "Format Windows SD"}, + {ACL_FORMAT_ALWAYS, "Always Format SD"}, + {-1, NULL} +}; + +#define PARM_ONEFS_TYPE "onefs" +#define PARM_ACL_WIRE_FORMAT "acl wire format" +#define PARM_ACL_WIRE_FORMAT_DEFAULT ACL_FORMAT_WINDOWS_SD +#define PARM_SIMPLE_FILE_SHARING_COMPATIBILITY_MODE "simple file sharing compatibility mode" +#define PARM_SIMPLE_FILE_SHARING_COMPATIBILITY_MODE_DEFAULT false +#define PARM_CREATOR_OWNER_GETS_FULL_CONTROL "creator owner gets full control" +#define PARM_CREATOR_OWNER_GETS_FULL_CONTROL_DEFAULT true + +#endif /* _ONEFS_H */ diff --git a/source3/modules/onefs_acl.c b/source3/modules/onefs_acl.c new file mode 100644 index 0000000000..3a692c95ab --- /dev/null +++ b/source3/modules/onefs_acl.c @@ -0,0 +1,807 @@ +/* + * Unix SMB/CIFS implementation. + * + * Support for OneFS native NTFS ACLs + * + * Copyright (C) Steven Danneman, 2008 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" + +#include <sys/isi_acl.h> +#include <isi_acl/isi_acl_util.h> +#include <sys/isi_oplock.h> +#include <ifs/ifs_syscalls.h> + +#include "onefs.h" + +/** + * Turn SID into UID/GID and setup a struct ifs_identity + */ +static bool +onefs_sid_to_identity(DOM_SID *sid, struct ifs_identity *id, bool is_group) +{ + enum ifs_identity_type type = IFS_ID_TYPE_LAST+1; + uid_t uid = 0; + gid_t gid = 0; + + if (!sid || sid_equal(sid, &global_sid_NULL)) + type = IFS_ID_TYPE_NULL; + else if (sid_equal(sid, &global_sid_World)) + type = IFS_ID_TYPE_EVERYONE; + else if (sid_equal(sid, &global_sid_Creator_Owner)) + type = IFS_ID_TYPE_CREATOR_OWNER; + else if (sid_equal(sid, &global_sid_Creator_Group)) + type = IFS_ID_TYPE_CREATOR_GROUP; + else if (is_group) { + if (!sid_to_gid(sid, &gid)) + return false; + type = IFS_ID_TYPE_GID; + } else { + if (sid_to_uid(sid, &uid)) + type = IFS_ID_TYPE_UID; + else if (sid_to_gid(sid, &gid)) + type = IFS_ID_TYPE_GID; + else + return false; + } + + if (aclu_initialize_identity(id, type, uid, gid, is_group)) { + DEBUG(3, ("Call to aclu_initialize_identity failed! id=%x, " + "type=%d, uid=%u, gid=%u, is_group=%d\n", + (unsigned int)id, type, uid, gid, is_group)); + return false; + } + + return true; +} + +/** + * Turn struct ifs_identity into SID + */ +static bool +onefs_identity_to_sid(struct ifs_identity *id, DOM_SID *sid) +{ + if (!id || !sid) + return false; + + if (id->type >= IFS_ID_TYPE_LAST) + return false; + + switch (id->type) { + case IFS_ID_TYPE_UID: + uid_to_sid(sid, id->id.uid); + break; + case IFS_ID_TYPE_GID: + gid_to_sid(sid, id->id.gid); + break; + case IFS_ID_TYPE_EVERYONE: + sid_copy(sid, &global_sid_World); + break; + case IFS_ID_TYPE_NULL: + sid_copy(sid, &global_sid_NULL); + break; + case IFS_ID_TYPE_CREATOR_OWNER: + sid_copy(sid, &global_sid_Creator_Owner); + break; + case IFS_ID_TYPE_CREATOR_GROUP: + sid_copy(sid, &global_sid_Creator_Group); + break; + default: + DEBUG(0, ("Unknown identity type: %d\n", id->type)); + return false; + } + + return true; +} + +/** + * Convert a SEC_ACL to a struct ifs_security_acl + */ +static bool +onefs_samba_acl_to_acl(SEC_ACL *samba_acl, struct ifs_security_acl **acl) +{ + int num_aces = 0; + struct ifs_ace *aces = NULL; + struct ifs_identity temp; + SEC_ACE *samba_aces; + int i, j; + + if ((!acl) || (!samba_acl)) + return false; + + samba_aces = samba_acl->aces; + + if (samba_acl->num_aces > 0 && samba_aces) { + /* Setup ACES */ + num_aces = samba_acl->num_aces; + aces = SMB_MALLOC_ARRAY(struct ifs_ace, num_aces); + + for (i = 0, j = 0; j < num_aces; i++, j++) { + if (!onefs_sid_to_identity(&samba_aces[j].trustee, + &temp, false)) + goto err_free; + + /* + * XXX Act like we did pre-Thai: Silently fail setting + * ACEs for BUILTIN accounts. + */ + if (temp.id.uid == -1) { + DEBUG(3, ("Silently failing to set ACE " + "because our id was == -1.\n")); + i--; + continue; + } + + if (aclu_initialize_ace(&aces[i], samba_aces[i].type, + samba_aces[i].access_mask, samba_aces[i].flags, + 0, &temp)) + goto err_free; + + if ((aces[i].trustee.type == IFS_ID_TYPE_CREATOR_OWNER || + aces[i].trustee.type == IFS_ID_TYPE_CREATOR_GROUP) && + nt4_compatible_acls()) + aces[i].flags |= IFS_ACE_FLAG_INHERIT_ONLY; + } + num_aces = i; + } + + if (aclu_initialize_acl(acl, aces, num_aces)) + goto err_free; + + /* Currently aclu_initialize_acl should copy the aces over, allowing us + * to immediately free */ + free(aces); + return true; + +err_free: + free(aces); + return false; +} + +/** + * Convert a struct ifs_security_acl to a SEC_ACL + */ +static bool +onefs_acl_to_samba_acl(struct ifs_security_acl *acl, SEC_ACL **samba_acl) +{ + SEC_ACE *samba_aces = NULL; + SEC_ACL *tmp_samba_acl = NULL; + int i, num_aces = 0; + + if (!samba_acl) + return false; + + /* NULL ACL */ + if (!acl) { + *samba_acl = NULL; + return true; + } + + /* Determine number of aces in ACL */ + if (!acl->aces) + num_aces = 0; + else + num_aces = acl->num_aces; + + /* Allocate the ace list. */ + if (num_aces > 0) { + if ((samba_aces = SMB_MALLOC_ARRAY(SEC_ACE, num_aces)) == NULL) + { + DEBUG(0, ("Unable to malloc space for %d aces.\n", + num_aces)); + return false; + } + memset(samba_aces, '\0', (num_aces) * sizeof(SEC_ACE)); + } + + for (i = 0; i < num_aces; i++) { + DOM_SID sid; + + if (!onefs_identity_to_sid(&acl->aces[i].trustee, &sid)) + goto err_free; + + init_sec_ace(&samba_aces[i], &sid, acl->aces[i].type, + acl->aces[i].access_mask, acl->aces[i].flags); + } + + if ((tmp_samba_acl = make_sec_acl(talloc_tos(), acl->revision, num_aces, + samba_aces)) == NULL) { + DEBUG(0, ("Unable to malloc space for acl.\n")); + goto err_free; + } + + *samba_acl = tmp_samba_acl; + SAFE_FREE(samba_aces); + return true; +err_free: + SAFE_FREE(samba_aces); + return false; +} + +/** + * @brief Reorder ACLs into the "correct" order for Windows Explorer. + * + * Windows Explorer expects ACLs to be in a standard order (inherited first, + * then deny, then permit.) When ACLs are composed from POSIX file permissions + * bits, they may not match these expectations, generating an annoying warning + * dialog for the user. This function will, if configured appropriately, + * reorder the ACLs for these "synthetic" (POSIX-derived) descriptors to prevent + * this. The list is changed within the security descriptor passed in. + * + * @param fsp files_struct with service configs; must not be NULL + * @param sd security descriptor being normalized; + * sd->dacl->aces is rewritten in-place, so must not be NULL + * @return true on success, errno will be set on error + * + * @bug Although Windows Explorer likes the reordering, they seem to cause + * problems with Excel and Word sending back the reordered ACLs to us and + * changing policy; see Isilon bug 30165. + */ +static bool +onefs_canon_acl(files_struct *fsp, struct ifs_security_descriptor *sd) +{ + int error = 0; + int cur; + struct ifs_ace *new_aces = NULL; + int new_aces_count = 0; + SMB_STRUCT_STAT sbuf; + + if (sd == NULL || sd->dacl == NULL || sd->dacl->num_aces == 0) + return true; + + /* + * Find out if this is a windows bit, and if the smb policy wants us to + * lie about the sd. + */ + SMB_ASSERT(fsp != NULL); + switch (lp_parm_enum(SNUM(fsp->conn), PARM_ONEFS_TYPE, + PARM_ACL_WIRE_FORMAT, enum_onefs_acl_wire_format, + PARM_ACL_WIRE_FORMAT_DEFAULT)) { + case ACL_FORMAT_RAW: + return true; + + case ACL_FORMAT_WINDOWS_SD: + error = SMB_VFS_FSTAT(fsp, &sbuf); + if (error) + return false; + + if ((sbuf.st_flags & SF_HASNTFSACL) != 0) { + DEBUG(10, ("Did not canonicalize ACLs because a " + "Windows ACL set was found for file %s\n", + fsp->fsp_name)); + return true; + } + break; + + case ACL_FORMAT_ALWAYS: + break; + + default: + SMB_ASSERT(false); + return false; + } + + new_aces = SMB_MALLOC_ARRAY(struct ifs_ace, sd->dacl->num_aces); + if (new_aces == NULL) + return false; + + /* + * By walking down the list 3 separate times, we can avoid the need + * to create multiple temp buffers and extra copies. + */ + for (cur = 0; cur < sd->dacl->num_aces; cur++) { + if (sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE) + new_aces[new_aces_count++] = sd->dacl->aces[cur]; + } + + for (cur = 0; cur < sd->dacl->num_aces; cur++) { + if (!(sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE) && + (sd->dacl->aces[cur].type == IFS_ACE_TYPE_ACCESS_DENIED)) + new_aces[new_aces_count++] = sd->dacl->aces[cur]; + } + + for (cur = 0; cur < sd->dacl->num_aces; cur++) { + if (!(sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE) && + !(sd->dacl->aces[cur].type == IFS_ACE_TYPE_ACCESS_DENIED)) + new_aces[new_aces_count++] = sd->dacl->aces[cur]; + } + + SMB_ASSERT(new_aces_count == sd->dacl->num_aces); + DEBUG(10, ("Performed canonicalization of ACLs for file %s\n", + fsp->fsp_name)); + + /* + * At this point you would think we could just do this: + * SAFE_FREE(sd->dacl->aces); + * sd->dacl->aces = new_aces; + * However, in some cases the existing aces pointer does not point + * to the beginning of an allocated block. So we have to do a more + * expensive memcpy() + */ + memcpy(sd->dacl->aces, new_aces, + sizeof(struct ifs_ace) * new_aces_count); + + SAFE_FREE(new_aces); + return true; +} + + +/** + * This enum is a helper for onefs_fget_nt_acl() to communicate with + * onefs_init_ace(). + */ +enum mode_ident { USR, GRP, OTH }; + +/** + * Initializes an ACE for addition to a synthetic ACL. + */ +static struct ifs_ace onefs_init_ace(struct connection_struct *conn, + mode_t mode, + bool isdir, + enum mode_ident ident) +{ + struct ifs_ace result; + enum ifs_ace_rights r,w,x; + + r = isdir ? UNIX_DIRECTORY_ACCESS_R : UNIX_ACCESS_R; + w = isdir ? UNIX_DIRECTORY_ACCESS_W : UNIX_ACCESS_W; + x = isdir ? UNIX_DIRECTORY_ACCESS_X : UNIX_ACCESS_X; + + result.type = IFS_ACE_TYPE_ACCESS_ALLOWED; + result.ifs_flags = 0; + result.flags = isdir ? IFS_ACE_FLAG_CONTAINER_INHERIT : + IFS_ACE_FLAG_OBJECT_INHERIT; + result.flags |= IFS_ACE_FLAG_INHERIT_ONLY; + + switch (ident) { + case USR: + result.access_mask = + ((mode & S_IRUSR) ? r : 0 ) | + ((mode & S_IWUSR) ? w : 0 ) | + ((mode & S_IXUSR) ? x : 0 ); + if (lp_parm_bool(SNUM(conn), PARM_ONEFS_TYPE, + PARM_CREATOR_OWNER_GETS_FULL_CONTROL, + PARM_CREATOR_OWNER_GETS_FULL_CONTROL_DEFAULT)) + result.access_mask |= GENERIC_ALL_ACCESS; + result.trustee.type = IFS_ID_TYPE_CREATOR_OWNER; + break; + case GRP: + result.access_mask = + ((mode & S_IRGRP) ? r : 0 ) | + ((mode & S_IWGRP) ? w : 0 ) | + ((mode & S_IXGRP) ? x : 0 ); + result.trustee.type = IFS_ID_TYPE_CREATOR_GROUP; + break; + case OTH: + result.access_mask = + ((mode & S_IROTH) ? r : 0 ) | + ((mode & S_IWOTH) ? w : 0 ) | + ((mode & S_IXOTH) ? x : 0 ); + result.trustee.type = IFS_ID_TYPE_EVERYONE; + break; + } + + return result; +} + +/** + * This adds inheritable ACEs to the end of the DACL, with the ACEs + * being derived from the mode bits. This is useful for clients that have the + * MoveSecurityAttributes regkey set to 0 or are in Simple File Sharing Mode. + * + * On these clients, when copying files from one folder to another inside the + * same volume/share, the DACL is explicitely cleared. Without inheritable + * aces on the target folder the mode bits of the copied file are set to 000. + * + * See Isilon Bug 27990 + * + * Note: This function allocates additional memory onto sd->dacl->aces, that + * must be freed by the caller. + */ +static bool add_sfs_aces(files_struct *fsp, struct ifs_security_descriptor *sd) +{ + int error; + SMB_STRUCT_STAT sbuf; + + error = SMB_VFS_FSTAT(fsp, &sbuf); + if (error) { + DEBUG(0, ("Failed to stat %s in simple files sharing " + "compatibility mode. errno=%d\n", + fsp->fsp_name, errno)); + return false; + } + + /* Only continue if this is a synthetic ACL and a directory. */ + if (S_ISDIR(sbuf.st_mode) && (sbuf.st_flags & SF_HASNTFSACL) == 0) { + struct ifs_ace new_aces[6]; + struct ifs_ace *old_aces; + int i, num_aces_to_add = 0; + mode_t file_mode = 0, dir_mode = 0; + + /* Use existing samba logic to derive the mode bits. */ + file_mode = unix_mode(fsp->conn, 0, fsp->fsp_name, false); + dir_mode = unix_mode(fsp->conn, aDIR, fsp->fsp_name, false); + + /* Initialize ACEs. */ + new_aces[0] = onefs_init_ace(fsp->conn, file_mode, false, USR); + new_aces[1] = onefs_init_ace(fsp->conn, file_mode, false, GRP); + new_aces[2] = onefs_init_ace(fsp->conn, file_mode, false, OTH); + new_aces[3] = onefs_init_ace(fsp->conn, dir_mode, true, USR); + new_aces[4] = onefs_init_ace(fsp->conn, dir_mode, true, GRP); + new_aces[5] = onefs_init_ace(fsp->conn, dir_mode, true, OTH); + + for (i = 0; i < 6; i++) + if (new_aces[i].access_mask != 0) + num_aces_to_add++; + + /* Expand the ACEs array */ + if (num_aces_to_add != 0) { + old_aces = sd->dacl->aces; + + sd->dacl->aces = SMB_MALLOC_ARRAY(struct ifs_ace, + sd->dacl->num_aces + num_aces_to_add); + if (!sd->dacl->aces) { + DEBUG(0, ("Unable to malloc space for " + "new_aces: %d.\n", + sd->dacl->num_aces + num_aces_to_add)); + return false; + } + memcpy(sd->dacl->aces, old_aces, + sizeof(struct ifs_ace) * sd->dacl->num_aces); + + /* Add the new ACEs to the DACL. */ + for (i = 0; i < 6; i++) { + if (new_aces[i].access_mask != 0) { + sd->dacl->aces[sd->dacl->num_aces] = + new_aces[i]; + sd->dacl->num_aces++; + } + } + } + } + return true; +} + +/** + * Isilon-specific function for getting an NTFS ACL from an open file. + * + * @param[out] ppdesc SecDesc to allocate and fill in + * + * @return NTSTATUS based off errno on error + */ +NTSTATUS +onefs_fget_nt_acl(vfs_handle_struct *handle, files_struct *fsp, + uint32 security_info, SEC_DESC **ppdesc) +{ + int error; + uint32_t sd_size = 0; + size_t size = 0; + struct ifs_security_descriptor *sd = NULL; + DOM_SID owner_sid, group_sid; + DOM_SID *ownerp, *groupp; + SEC_ACL *dacl, *sacl; + SEC_DESC *pdesc; + bool alloced = false; + bool new_aces_alloced = false; + bool fopened = false; + NTSTATUS status = NT_STATUS_OK; + + *ppdesc = NULL; + + DEBUG(5, ("Getting sd for file %s. security_info=%u\n", + fsp->fsp_name, security_info)); + + if (fsp->fh->fd == -1) { + enum ifs_ace_rights desired_access = 0; + + if (security_info & (OWNER_SECURITY_INFORMATION | + GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION)) + desired_access |= IFS_RTS_STD_READ_CONTROL; + if (security_info & SACL_SECURITY_INFORMATION) + desired_access |= IFS_RTS_SACL_ACCESS; + + if ((fsp->fh->fd = ifs_createfile(-1, + fsp->fsp_name, + desired_access, + 0, 0, + OPLOCK_NONE, + 0, NULL, 0, + NULL, 0, NULL)) == -1) { + DEBUG(0, ("Error opening file %s. errno=%d\n", + fsp->fsp_name, errno)); + status = map_nt_error_from_unix(errno); + goto out; + } + fopened = true; + } + + /* Get security descriptor */ + sd_size = 0; + do { + /* Allocate memory for get_security_descriptor */ + if (sd_size > 0) { + sd = SMB_REALLOC(sd, sd_size); + if (!sd) { + DEBUG(0, ("Unable to malloc %u bytes of space " + "for security descriptor.\n", sd_size)); + status = map_nt_error_from_unix(errno); + goto out; + } + + alloced = true; + } + + error = ifs_get_security_descriptor(fsp->fh->fd, security_info, + &sd_size, sd); + if (error && (errno != EMSGSIZE)) { + DEBUG(0, ("Failed getting size of security descriptor! " + "errno=%d\n", errno)); + status = map_nt_error_from_unix(errno); + goto out; + } + } while (error); + + DEBUG(5, ("Got sd, size=%u:\n", sd_size)); + + if (lp_parm_bool(SNUM(fsp->conn), + PARM_ONEFS_TYPE, + PARM_SIMPLE_FILE_SHARING_COMPATIBILITY_MODE, + PARM_SIMPLE_FILE_SHARING_COMPATIBILITY_MODE_DEFAULT) && + sd->dacl) { + if(!(new_aces_alloced = add_sfs_aces(fsp, sd))) + goto out; + } + + if (!(onefs_canon_acl(fsp, sd))) { + status = map_nt_error_from_unix(errno); + goto out; + } + + DEBUG(5, ("Finished canonicalizing ACL\n")); + + ownerp = NULL; + groupp = NULL; + dacl = NULL; + sacl = NULL; + + /* Copy owner into ppdesc */ + if (security_info & OWNER_SECURITY_INFORMATION) { + if (!onefs_identity_to_sid(sd->owner, &owner_sid)) { + status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + + ownerp = &owner_sid; + } + + /* Copy group into ppdesc */ + if (security_info & GROUP_SECURITY_INFORMATION) { + if (!onefs_identity_to_sid(sd->group, &group_sid)) { + status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + + groupp = &group_sid; + } + + /* Copy DACL into ppdesc */ + if (security_info & DACL_SECURITY_INFORMATION) { + if (!onefs_acl_to_samba_acl(sd->dacl, &dacl)) { + status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + } + + /* Copy SACL into ppdesc */ + if (security_info & SACL_SECURITY_INFORMATION) { + if (!onefs_acl_to_samba_acl(sd->sacl, &sacl)) { + status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + } + + /* AUTO_INHERIT_REQ bits are not returned over the wire so strip them + * off. Eventually we should stop storing these in the kernel + * all together. See Isilon bug 40364 */ + sd->control &= ~(IFS_SD_CTRL_DACL_AUTO_INHERIT_REQ | + IFS_SD_CTRL_SACL_AUTO_INHERIT_REQ); + + pdesc = make_sec_desc(talloc_tos(), sd->revision, sd->control, + ownerp, groupp, sacl, dacl, &size); + + if (!pdesc) { + DEBUG(0, ("Problem with make_sec_desc. Memory?\n")); + status = map_nt_error_from_unix(errno); + goto out; + } + + *ppdesc = pdesc; + + DEBUG(5, ("Finished retrieving/canonicalizing SD!\n")); + /* FALLTHROUGH */ +out: + if (alloced && sd) { + if (new_aces_alloced && sd->dacl->aces) + SAFE_FREE(sd->dacl->aces); + + SAFE_FREE(sd); + } + + if (fopened) { + close(fsp->fh->fd); + fsp->fh->fd = -1; + } + + return status; +} + +/** + * Isilon-specific function for getting an NTFS ACL from a file path. + * + * Since onefs_fget_nt_acl() needs to open a filepath if the fd is invalid, + * we just mock up a files_struct with the path and bad fd and call into it. + * + * @param[out] ppdesc SecDesc to allocate and fill in + * + * @return NTSTATUS based off errno on error + */ +NTSTATUS +onefs_get_nt_acl(vfs_handle_struct *handle, const char* name, + uint32 security_info, SEC_DESC **ppdesc) +{ + files_struct finfo; + struct fd_handle fh; + + ZERO_STRUCT(finfo); + ZERO_STRUCT(fh); + + finfo.fnum = -1; + finfo.conn = handle->conn; + finfo.fh = &fh; + finfo.fh->fd = -1; + finfo.fsp_name = CONST_DISCARD(char *, name); + + return onefs_fget_nt_acl(handle, &finfo, security_info, ppdesc); +} + +/** + * Isilon-specific function for setting an NTFS ACL on an open file. + * + * @return NT_STATUS_UNSUCCESSFUL for userspace errors, NTSTATUS based off + * errno on syscall errors + */ +NTSTATUS +onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, + uint32 security_info_sent, SEC_DESC *psd) +{ + struct ifs_security_descriptor sd = {}; + struct ifs_security_acl dacl, sacl, *daclp, *saclp; + struct ifs_identity owner, group, *ownerp, *groupp; + int fd; + bool fopened = false; + + DEBUG(5,("Setting SD on file %s.\n", fsp->fsp_name )); + + ownerp = NULL; + groupp = NULL; + daclp = NULL; + saclp = NULL; + + /* Setup owner */ + if (security_info_sent & OWNER_SECURITY_INFORMATION) { + if (!onefs_sid_to_identity(psd->owner_sid, &owner, false)) + return NT_STATUS_UNSUCCESSFUL; + + /* + * XXX Act like we did pre-Thai: Silently fail setting the + * owner to a BUILTIN account. + */ + if (owner.id.uid == -1) { + DEBUG(3, ("Silently failing to set owner because our " + "id was == -1.\n")); + security_info_sent &= ~OWNER_SECURITY_INFORMATION; + if (!security_info_sent) + return NT_STATUS_OK; + } + else + ownerp = &owner; + } + + /* Setup group */ + if (security_info_sent & GROUP_SECURITY_INFORMATION) { + if (!onefs_sid_to_identity(psd->group_sid, &group, true)) + return NT_STATUS_UNSUCCESSFUL; + + /* + * XXX Act like we did pre-Thai: Silently fail setting the + * group to a BUILTIN account. + */ + if (group.id.gid == -1) { + DEBUG(3, ("Silently failing to set group because our " + "id was == -1.\n")); + security_info_sent &= ~GROUP_SECURITY_INFORMATION; + if (!security_info_sent) + return NT_STATUS_OK; + } + else + groupp = &group; + } + + /* Setup DACL */ + if ((security_info_sent & DACL_SECURITY_INFORMATION) && (psd->dacl)) { + daclp = &dacl; + + if (!onefs_samba_acl_to_acl(psd->dacl, &daclp)) + return NT_STATUS_UNSUCCESSFUL; + } + + /* Setup SACL */ + if ((security_info_sent & SACL_SECURITY_INFORMATION) && (psd->sacl)) { + saclp = &sacl; + + if (!onefs_samba_acl_to_acl(psd->sacl, &saclp)) + return NT_STATUS_UNSUCCESSFUL; + } + + /* Setup ifs_security_descriptor */ + DEBUG(5,("Setting up SD\n")); + if (aclu_initialize_sd(&sd, psd->type, ownerp, groupp, + (daclp ? &daclp : NULL), (saclp ? &saclp : NULL), false)) + return NT_STATUS_UNSUCCESSFUL; + + fd = fsp->fh->fd; + if (fd == -1) { + enum ifs_ace_rights desired_access = 0; + + if (security_info_sent & + (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION)) + desired_access |= IFS_RTS_STD_WRITE_OWNER; + if (security_info_sent & DACL_SECURITY_INFORMATION) + desired_access |= IFS_RTS_STD_WRITE_DAC; + if (security_info_sent & SACL_SECURITY_INFORMATION) + desired_access |= IFS_RTS_SACL_ACCESS; + + if ((fd = ifs_createfile(-1, + fsp->fsp_name, + desired_access, + 0, 0, + OPLOCK_NONE, + 0, NULL, 0, + NULL, 0, NULL)) == -1) { + DEBUG(0, ("Error opening file %s. errno=%d\n", + fsp->fsp_name, errno)); + return map_nt_error_from_unix(errno); + } + fopened = true; + } + + errno = 0; + if (ifs_set_security_descriptor(fd, security_info_sent, &sd)) { + DEBUG(0, ("Error setting security descriptor = %d\n", errno)); + goto out; + } + + DEBUG(5, ("Security descriptor set correctly!\n")); + + /* FALLTHROUGH */ +out: + if (fopened) + close(fd); + + aclu_free_sd(&sd, false); + return errno ? map_nt_error_from_unix(errno) : NT_STATUS_OK; +} diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c new file mode 100644 index 0000000000..915f73233d --- /dev/null +++ b/source3/modules/vfs_acl_tdb.c @@ -0,0 +1,891 @@ +/* + * Store Windows ACLs in a tdb. + * + * Copyright (C) Volker Lendecke, 2008 + * Copyright (C) Jeremy Allison, 2008 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +/* NOTE: This is an experimental module, not yet finished. JRA. */ + +#include "includes.h" +#include "librpc/gen_ndr/xattr.h" +#include "librpc/gen_ndr/ndr_xattr.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_VFS + +static unsigned int ref_count; +static struct db_context *acl_db; + +/******************************************************************* + Open acl_db if not already open, increment ref count. +*******************************************************************/ + +static bool acl_tdb_init(struct db_context **pp_db) +{ + const char *dbname; + + if (acl_db) { + *pp_db = acl_db; + ref_count++; + return true; + } + + dbname = lock_path("file_ntacls.tdb"); + + if (dbname == NULL) { + errno = ENOSYS; + return false; + } + + become_root(); + *pp_db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); + unbecome_root(); + + if (*pp_db == NULL) { +#if defined(ENOTSUP) + errno = ENOTSUP; +#else + errno = ENOSYS; +#endif + return false; + } + + ref_count++; + return true; +} + +/******************************************************************* + Lower ref count and close acl_db if zero. +*******************************************************************/ + +static void free_acl_tdb_data(void **pptr) +{ + struct db_context **pp_db = (struct db_context **)pptr; + + ref_count--; + if (ref_count == 0) { + TALLOC_FREE(*pp_db); + acl_db = NULL; + } +} + +/******************************************************************* + Fetch_lock the tdb acl record for a file +*******************************************************************/ + +static struct db_record *acl_tdb_lock(TALLOC_CTX *mem_ctx, + struct db_context *db, + const struct file_id *id) +{ + uint8 id_buf[16]; + push_file_id_16((char *)id_buf, id); + return db->fetch_locked(db, + mem_ctx, + make_tdb_data(id_buf, + sizeof(id_buf))); +} + +/******************************************************************* + Delete the tdb acl record for a file +*******************************************************************/ + +static NTSTATUS acl_tdb_delete(vfs_handle_struct *handle, + struct db_context *db, + SMB_STRUCT_STAT *psbuf) +{ + NTSTATUS status; + struct file_id id = vfs_file_id_from_sbuf(handle->conn, psbuf); + struct db_record *rec = acl_tdb_lock(talloc_tos(), db, &id); + + /* + * If rec == NULL there's not much we can do about it + */ + + if (rec == NULL) { + DEBUG(10,("acl_tdb_delete: rec == NULL\n")); + TALLOC_FREE(rec); + return NT_STATUS_OK; + } + + status = rec->delete_rec(rec); + TALLOC_FREE(rec); + return status; +} + +/******************************************************************* + Parse out a struct security_descriptor from a DATA_BLOB. +*******************************************************************/ + +static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob, + uint32 security_info, + struct security_descriptor **ppdesc) +{ + TALLOC_CTX *ctx = talloc_tos(); + struct xattr_NTACL xacl; + enum ndr_err_code ndr_err; + size_t sd_size; + + ndr_err = ndr_pull_struct_blob(pblob, ctx, NULL, &xacl, + (ndr_pull_flags_fn_t)ndr_pull_xattr_NTACL); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n", + ndr_errstr(ndr_err))); + return ndr_map_error2ntstatus(ndr_err);; + } + + if (xacl.version != 2) { + return NT_STATUS_REVISION_MISMATCH; + } + + *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_hs->sd->type | SEC_DESC_SELF_RELATIVE, + (security_info & OWNER_SECURITY_INFORMATION) + ? xacl.info.sd_hs->sd->owner_sid : NULL, + (security_info & GROUP_SECURITY_INFORMATION) + ? xacl.info.sd_hs->sd->group_sid : NULL, + (security_info & SACL_SECURITY_INFORMATION) + ? xacl.info.sd_hs->sd->sacl : NULL, + (security_info & DACL_SECURITY_INFORMATION) + ? xacl.info.sd_hs->sd->dacl : NULL, + &sd_size); + + TALLOC_FREE(xacl.info.sd); + + return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; +} + +/******************************************************************* + Pull a security descriptor into a DATA_BLOB from a tdb store. +*******************************************************************/ + +static NTSTATUS get_acl_blob(TALLOC_CTX *ctx, + vfs_handle_struct *handle, + files_struct *fsp, + const char *name, + DATA_BLOB *pblob) +{ + uint8 id_buf[16]; + TDB_DATA data; + struct file_id id; + struct db_context *db; + SMB_STRUCT_STAT sbuf; + + SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, + return NT_STATUS_INTERNAL_DB_CORRUPTION); + + if (fsp && fsp->fh->fd != -1) { + if (SMB_VFS_FSTAT(fsp, &sbuf) == -1) { + return map_nt_error_from_unix(errno); + } + } else { + if (SMB_VFS_STAT(handle->conn, name, &sbuf) == -1) { + return map_nt_error_from_unix(errno); + } + } + id = vfs_file_id_from_sbuf(handle->conn, &sbuf); + + push_file_id_16((char *)id_buf, &id); + + if (db->fetch(db, + ctx, + make_tdb_data(id_buf, sizeof(id_buf)), + &data) == -1) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + pblob->data = data.dptr; + pblob->length = data.dsize; + + DEBUG(10,("get_acl_blob: returned %u bytes from file %s\n", + (unsigned int)data.dsize, name )); + + if (pblob->length == 0 || pblob->data == NULL) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + return NT_STATUS_OK; +} + +/******************************************************************* + Create a DATA_BLOB from a security descriptor. +*******************************************************************/ + +static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob) +{ + struct xattr_NTACL xacl; + struct security_descriptor_hash sd_hs; + enum ndr_err_code ndr_err; + TALLOC_CTX *ctx = talloc_tos(); + + ZERO_STRUCT(xacl); + ZERO_STRUCT(sd_hs); + + xacl.version = 2; + xacl.info.sd_hs = &sd_hs; + xacl.info.sd_hs->sd = CONST_DISCARD(struct security_descriptor *, psd); + memset(&xacl.info.sd_hs->hash[0], '\0', 16); + + ndr_err = ndr_push_struct_blob( + pblob, ctx, NULL, &xacl, + (ndr_push_flags_fn_t)ndr_push_xattr_NTACL); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n", + ndr_errstr(ndr_err))); + return ndr_map_error2ntstatus(ndr_err);; + } + + return NT_STATUS_OK; +} + +/******************************************************************* + Store a DATA_BLOB into a tdb record given an fsp pointer. +*******************************************************************/ + +static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle, + files_struct *fsp, + DATA_BLOB *pblob) +{ + uint8 id_buf[16]; + struct file_id id; + SMB_STRUCT_STAT sbuf; + TDB_DATA data; + struct db_context *db; + struct db_record *rec; + + DEBUG(10,("store_acl_blob_fsp: storing blob length %u on file %s\n", + (unsigned int)pblob->length, fsp->fsp_name)); + + SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, + return NT_STATUS_INTERNAL_DB_CORRUPTION); + + if (fsp->fh->fd != -1) { + if (SMB_VFS_FSTAT(fsp, &sbuf) == -1) { + return map_nt_error_from_unix(errno); + } + } else { + if (SMB_VFS_STAT(handle->conn, fsp->fsp_name, &sbuf) == -1) { + return map_nt_error_from_unix(errno); + } + } + id = vfs_file_id_from_sbuf(handle->conn, &sbuf); + + push_file_id_16((char *)id_buf, &id); + rec = db->fetch_locked(db, talloc_tos(), + make_tdb_data(id_buf, + sizeof(id_buf))); + if (rec == NULL) { + DEBUG(0, ("store_acl_blob_fsp_tdb: fetch_lock failed\n")); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + data.dptr = pblob->data; + data.dsize = pblob->length; + return rec->store(rec, data, 0); +} + +/******************************************************************* + Store a DATA_BLOB into a tdb record given a pathname. +*******************************************************************/ + +static NTSTATUS store_acl_blob_pathname(vfs_handle_struct *handle, + const char *fname, + DATA_BLOB *pblob) +{ + uint8 id_buf[16]; + struct file_id id; + TDB_DATA data; + SMB_STRUCT_STAT sbuf; + struct db_context *db; + struct db_record *rec; + + DEBUG(10,("store_acl_blob_pathname: storing blob " + "length %u on file %s\n", + (unsigned int)pblob->length, fname)); + + SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, + return NT_STATUS_INTERNAL_DB_CORRUPTION); + + if (SMB_VFS_STAT(handle->conn, fname, &sbuf) == -1) { + return map_nt_error_from_unix(errno); + } + + id = vfs_file_id_from_sbuf(handle->conn, &sbuf); + push_file_id_16((char *)id_buf, &id); + + rec = db->fetch_locked(db, talloc_tos(), + make_tdb_data(id_buf, + sizeof(id_buf))); + if (rec == NULL) { + DEBUG(0, ("store_acl_blob_pathname_tdb: fetch_lock failed\n")); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + data.dptr = pblob->data; + data.dsize = pblob->length; + return rec->store(rec, data, 0); +} + +/******************************************************************* + Store a DATA_BLOB into an tdb given a pathname. +*******************************************************************/ + +static NTSTATUS get_nt_acl_tdb_internal(vfs_handle_struct *handle, + files_struct *fsp, + const char *name, + uint32 security_info, + struct security_descriptor **ppdesc) +{ + TALLOC_CTX *ctx = talloc_tos(); + DATA_BLOB blob; + NTSTATUS status; + + if (fsp && name == NULL) { + name = fsp->fsp_name; + } + + DEBUG(10, ("get_nt_acl_tdb_internal: name=%s\n", name)); + + status = get_acl_blob(ctx, handle, fsp, name, &blob); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("get_acl_blob returned %s\n", nt_errstr(status))); + return status; + } + + status = parse_acl_blob(&blob, security_info, ppdesc); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("parse_acl_blob returned %s\n", + nt_errstr(status))); + return status; + } + + TALLOC_FREE(blob.data); + return status; +} + +/********************************************************************* + Create a default security descriptor for a file in case no inheritance + exists. All permissions to the owner and SYSTEM. +*********************************************************************/ + +static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx, + SMB_STRUCT_STAT *psbuf) +{ + struct dom_sid owner_sid, group_sid; + size_t sd_size; + struct security_ace *pace = NULL; + struct security_acl *pacl = NULL; + + uid_to_sid(&owner_sid, psbuf->st_uid); + gid_to_sid(&group_sid, psbuf->st_gid); + + pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 2); + if (!pace) { + return NULL; + } + + init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, + SEC_RIGHTS_FILE_ALL, 0); + init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED, + SEC_RIGHTS_FILE_ALL, 0); + + pacl = make_sec_acl(mem_ctx, + NT4_ACL_REVISION, + 2, + pace); + if (!pacl) { + return NULL; + } + return make_sec_desc(mem_ctx, + SECURITY_DESCRIPTOR_REVISION_1, + SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT, + &owner_sid, + &group_sid, + NULL, + pacl, + &sd_size); +} + +/********************************************************************* +*********************************************************************/ + +static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, + const char *fname, + files_struct *fsp, + bool container) +{ + TALLOC_CTX *ctx = talloc_tos(); + NTSTATUS status; + struct security_descriptor *parent_desc = NULL; + struct security_descriptor *psd = NULL; + DATA_BLOB blob; + size_t size; + char *parent_name; + + if (!parent_dirname_talloc(ctx, + fname, + &parent_name, + NULL)) { + return NT_STATUS_NO_MEMORY; + } + + DEBUG(10,("inherit_new_acl: check directory %s\n", + parent_name)); + + status = get_nt_acl_tdb_internal(handle, + NULL, + parent_name, + (OWNER_SECURITY_INFORMATION | + GROUP_SECURITY_INFORMATION | + DACL_SECURITY_INFORMATION), + &parent_desc); + if (NT_STATUS_IS_OK(status)) { + /* Create an inherited descriptor from the parent. */ + + if (DEBUGLEVEL >= 10) { + DEBUG(10,("inherit_new_acl: parent acl is:\n")); + NDR_PRINT_DEBUG(security_descriptor, parent_desc); + } + + status = se_create_child_secdesc(ctx, + &psd, + &size, + parent_desc, + &handle->conn->server_info->ptok->user_sids[PRIMARY_USER_SID_INDEX], + &handle->conn->server_info->ptok->user_sids[PRIMARY_GROUP_SID_INDEX], + container); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + if (DEBUGLEVEL >= 10) { + DEBUG(10,("inherit_new_acl: child acl is:\n")); + NDR_PRINT_DEBUG(security_descriptor, psd); + } + + } else { + DEBUG(10,("inherit_new_acl: directory %s failed " + "to get acl %s\n", + parent_name, + nt_errstr(status) )); + } + + if (!psd || psd->dacl == NULL) { + SMB_STRUCT_STAT sbuf; + int ret; + + TALLOC_FREE(psd); + if (fsp && !fsp->is_directory && fsp->fh->fd != -1) { + ret = SMB_VFS_FSTAT(fsp, &sbuf); + } else { + ret = SMB_VFS_STAT(handle->conn,fname, &sbuf); + } + if (ret == -1) { + return map_nt_error_from_unix(errno); + } + psd = default_file_sd(ctx, &sbuf); + if (!psd) { + return NT_STATUS_NO_MEMORY; + } + + if (DEBUGLEVEL >= 10) { + DEBUG(10,("inherit_new_acl: default acl is:\n")); + NDR_PRINT_DEBUG(security_descriptor, psd); + } + } + + status = create_acl_blob(psd, &blob); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + if (fsp) { + return store_acl_blob_fsp(handle, fsp, &blob); + } else { + return store_acl_blob_pathname(handle, fname, &blob); + } +} + +/********************************************************************* + Check ACL on open. For new files inherit from parent directory. +*********************************************************************/ + +static int open_acl_tdb(vfs_handle_struct *handle, + const char *fname, + files_struct *fsp, + int flags, + mode_t mode) +{ + uint32_t access_granted = 0; + struct security_descriptor *pdesc = NULL; + bool file_existed = true; + NTSTATUS status = get_nt_acl_tdb_internal(handle, + NULL, + fname, + (OWNER_SECURITY_INFORMATION | + GROUP_SECURITY_INFORMATION | + DACL_SECURITY_INFORMATION), + &pdesc); + if (NT_STATUS_IS_OK(status)) { + /* See if we can access it. */ + status = smb1_file_se_access_check(pdesc, + handle->conn->server_info->ptok, + fsp->access_mask, + &access_granted); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("open_acl_tdb: file %s open " + "refused with error %s\n", + fname, + nt_errstr(status) )); + errno = map_errno_from_nt_status(status); + return -1; + } + } else if (NT_STATUS_EQUAL(status,NT_STATUS_OBJECT_NAME_NOT_FOUND)) { + file_existed = false; + } + + DEBUG(10,("open_acl_tdb: get_nt_acl_attr_internal for " + "file %s returned %s\n", + fname, + nt_errstr(status) )); + + fsp->fh->fd = SMB_VFS_NEXT_OPEN(handle, fname, fsp, flags, mode); + + if (!file_existed && fsp->fh->fd != -1) { + /* File was created. Inherit from parent directory. */ + string_set(&fsp->fsp_name, fname); + inherit_new_acl(handle, fname, fsp, false); + } + + return fsp->fh->fd; +} + +/********************************************************************* + On unlink we need to delete the tdb record (if using tdb). +*********************************************************************/ + +static int unlink_acl_tdb(vfs_handle_struct *handle, const char *path) +{ + SMB_STRUCT_STAT sbuf; + struct db_context *db; + int ret; + + SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, return -1); + + if (SMB_VFS_STAT(handle->conn, path, &sbuf) == -1) { + return -1; + } + + ret = SMB_VFS_NEXT_UNLINK(handle, path); + + if (ret == -1) { + return -1; + } + + acl_tdb_delete(handle, db, &sbuf); + return 0; +} + +/********************************************************************* + Store an inherited SD on mkdir. +*********************************************************************/ + +static int mkdir_acl_tdb(vfs_handle_struct *handle, const char *path, mode_t mode) +{ + int ret = SMB_VFS_NEXT_MKDIR(handle, path, mode); + + if (ret == -1) { + return ret; + } + /* New directory - inherit from parent. */ + inherit_new_acl(handle, path, NULL, true); + return ret; +} + +/********************************************************************* + On rmdir we need to delete the tdb record (if using tdb). +*********************************************************************/ + +static int rmdir_acl_tdb(vfs_handle_struct *handle, const char *path) +{ + + SMB_STRUCT_STAT sbuf; + struct db_context *db; + int ret; + + SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, return -1); + + if (SMB_VFS_STAT(handle->conn, path, &sbuf) == -1) { + return -1; + } + + ret = SMB_VFS_NEXT_RMDIR(handle, path); + if (ret == -1) { + return -1; + } + + acl_tdb_delete(handle, db, &sbuf); + return 0; +} + +/********************************************************************* + Fetch a security descriptor given an fsp. +*********************************************************************/ + +static NTSTATUS fget_nt_acl_tdb(vfs_handle_struct *handle, files_struct *fsp, + uint32 security_info, struct security_descriptor **ppdesc) +{ + NTSTATUS status = get_nt_acl_tdb_internal(handle, fsp, + NULL, security_info, ppdesc); + if (NT_STATUS_IS_OK(status)) { + if (DEBUGLEVEL >= 10) { + DEBUG(10,("fget_nt_acl_tdb: returning tdb sd for file %s\n", + fsp->fsp_name)); + NDR_PRINT_DEBUG(security_descriptor, *ppdesc); + } + return NT_STATUS_OK; + } + + DEBUG(10,("fget_nt_acl_tdb: failed to get tdb sd for file %s, Error %s\n", + fsp->fsp_name, + nt_errstr(status) )); + + return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp, + security_info, ppdesc); +} + +/********************************************************************* + Fetch a security descriptor given a pathname. +*********************************************************************/ + +static NTSTATUS get_nt_acl_tdb(vfs_handle_struct *handle, + const char *name, uint32 security_info, struct security_descriptor **ppdesc) +{ + NTSTATUS status = get_nt_acl_tdb_internal(handle, NULL, + name, security_info, ppdesc); + if (NT_STATUS_IS_OK(status)) { + if (DEBUGLEVEL >= 10) { + DEBUG(10,("get_nt_acl_tdb: returning tdb sd for file %s\n", + name)); + NDR_PRINT_DEBUG(security_descriptor, *ppdesc); + } + return NT_STATUS_OK; + } + + DEBUG(10,("get_nt_acl_tdb: failed to get tdb sd for file %s, Error %s\n", + name, + nt_errstr(status) )); + + return SMB_VFS_NEXT_GET_NT_ACL(handle, name, + security_info, ppdesc); +} + +/********************************************************************* + Store a security descriptor given an fsp. +*********************************************************************/ + +static NTSTATUS fset_nt_acl_tdb(vfs_handle_struct *handle, files_struct *fsp, + uint32 security_info_sent, const struct security_descriptor *psd) +{ + NTSTATUS status; + DATA_BLOB blob; + + if (DEBUGLEVEL >= 10) { + DEBUG(10,("fset_nt_acl_tdb: incoming sd for file %s\n", + fsp->fsp_name)); + NDR_PRINT_DEBUG(security_descriptor, + CONST_DISCARD(struct security_descriptor *,psd)); + } + + status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + /* Ensure owner and group are set. */ + if (!psd->owner_sid || !psd->group_sid) { + int ret; + SMB_STRUCT_STAT sbuf; + DOM_SID owner_sid, group_sid; + struct security_descriptor *nc_psd = dup_sec_desc(talloc_tos(), psd); + + if (!nc_psd) { + return NT_STATUS_OK; + } + if (fsp->is_directory || fsp->fh->fd == -1) { + ret = SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf); + } else { + ret = SMB_VFS_FSTAT(fsp, &sbuf); + } + if (ret == -1) { + /* Lower level acl set succeeded, + * so still return OK. */ + return NT_STATUS_OK; + } + create_file_sids(&sbuf, &owner_sid, &group_sid); + /* This is safe as nc_psd is discarded at fn exit. */ + nc_psd->owner_sid = &owner_sid; + nc_psd->group_sid = &group_sid; + security_info_sent |= (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION); + psd = nc_psd; + } + + if ((security_info_sent & DACL_SECURITY_INFORMATION) && + psd->dacl != NULL && + (psd->type & (SE_DESC_DACL_AUTO_INHERITED| + SE_DESC_DACL_AUTO_INHERIT_REQ))== + (SE_DESC_DACL_AUTO_INHERITED| + SE_DESC_DACL_AUTO_INHERIT_REQ) ) { + struct security_descriptor *new_psd = NULL; + status = append_parent_acl(fsp, psd, &new_psd); + if (!NT_STATUS_IS_OK(status)) { + /* Lower level acl set succeeded, + * so still return OK. */ + return NT_STATUS_OK; + } + psd = new_psd; + } + + if (DEBUGLEVEL >= 10) { + DEBUG(10,("fset_nt_acl_tdb: storing tdb sd for file %s\n", + fsp->fsp_name)); + NDR_PRINT_DEBUG(security_descriptor, + CONST_DISCARD(struct security_descriptor *,psd)); + } + create_acl_blob(psd, &blob); + store_acl_blob_fsp(handle, fsp, &blob); + + return NT_STATUS_OK; +} + +/******************************************************************* + Handle opening the storage tdb if so configured. +*******************************************************************/ + +static int connect_acl_tdb(struct vfs_handle_struct *handle, + const char *service, + const char *user) +{ + struct db_context *db; + int res; + + res = SMB_VFS_NEXT_CONNECT(handle, service, user); + if (res < 0) { + return res; + } + + if (!acl_tdb_init(&db)) { + SMB_VFS_NEXT_DISCONNECT(handle); + return -1; + } + + SMB_VFS_HANDLE_SET_DATA(handle, db, free_acl_tdb_data, + struct db_context, return -1); + + return 0; +} + +/********************************************************************* + Remove a Windows ACL - we're setting the underlying POSIX ACL. +*********************************************************************/ + +static int sys_acl_set_file_tdb(vfs_handle_struct *handle, + const char *path, + SMB_ACL_TYPE_T type, + SMB_ACL_T theacl) +{ + SMB_STRUCT_STAT sbuf; + struct db_context *db; + int ret; + + SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, return -1); + + if (SMB_VFS_STAT(handle->conn, path, &sbuf) == -1) { + return -1; + } + + ret = SMB_VFS_NEXT_SYS_ACL_SET_FILE(handle, + path, + type, + theacl); + if (ret == -1) { + return -1; + } + + acl_tdb_delete(handle, db, &sbuf); + return 0; +} + +/********************************************************************* + Remove a Windows ACL - we're setting the underlying POSIX ACL. +*********************************************************************/ + +static int sys_acl_set_fd_tdb(vfs_handle_struct *handle, + files_struct *fsp, + SMB_ACL_T theacl) +{ + SMB_STRUCT_STAT sbuf; + struct db_context *db; + int ret; + + SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, return -1); + + if (fsp->is_directory || fsp->fh->fd == -1) { + ret = SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf); + } else { + ret = SMB_VFS_FSTAT(fsp, &sbuf); + } + if (ret == -1) { + return -1; + } + + ret = SMB_VFS_NEXT_SYS_ACL_SET_FD(handle, + fsp, + theacl); + if (ret == -1) { + return -1; + } + + acl_tdb_delete(handle, db, &sbuf); + return 0; +} + +/* VFS operations structure */ + +static vfs_op_tuple skel_op_tuples[] = +{ + {SMB_VFS_OP(connect_acl_tdb), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT}, + + {SMB_VFS_OP(mkdir_acl_tdb), SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(rmdir_acl_tdb), SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_TRANSPARENT}, + + {SMB_VFS_OP(open_acl_tdb), SMB_VFS_OP_OPEN, SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(unlink_acl_tdb), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT}, + + /* NT File ACL operations */ + + {SMB_VFS_OP(fget_nt_acl_tdb),SMB_VFS_OP_FGET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(get_nt_acl_tdb), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(fset_nt_acl_tdb),SMB_VFS_OP_FSET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT}, + + /* POSIX ACL operations. */ + {SMB_VFS_OP(sys_acl_set_file_tdb), SMB_VFS_OP_SYS_ACL_SET_FILE, SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(sys_acl_set_fd_tdb), SMB_VFS_OP_SYS_ACL_SET_FD, SMB_VFS_LAYER_TRANSPARENT}, + + {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP} +}; + +NTSTATUS vfs_acl_tdb_init(void) +{ + return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "acl_tdb", skel_op_tuples); +} diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c index 5dfe43e55b..2edb441741 100644 --- a/source3/modules/vfs_acl_xattr.c +++ b/source3/modules/vfs_acl_xattr.c @@ -27,8 +27,11 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_VFS +/******************************************************************* + Parse out a struct security_descriptor from a DATA_BLOB. +*******************************************************************/ + static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob, - const struct timespec cts, uint32 security_info, struct security_descriptor **ppdesc) { @@ -50,39 +53,15 @@ static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob, return NT_STATUS_REVISION_MISMATCH; } -#if 0 - { - struct timespec ts; - /* Arg. This doesn't work. Too many activities - * change the ctime. May have to roll back to - * version 1. - */ - /* - * Check that the ctime timestamp is ealier - * than the stored timestamp. - */ - - ts = nt_time_to_unix_timespec(&xacl.info.sd_ts->last_changed); - - if (timespec_compare(&cts, &ts) > 0) { - DEBUG(5, ("parse_acl_blob: stored ACL out of date " - "(%s > %s.\n", - timestring(ctx, cts.tv_sec), - timestring(ctx, ts.tv_sec))); - return NT_STATUS_EA_CORRUPT_ERROR; - } - } -#endif - - *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, + *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_hs->sd->type | SEC_DESC_SELF_RELATIVE, (security_info & OWNER_SECURITY_INFORMATION) - ? xacl.info.sd_ts->sd->owner_sid : NULL, + ? xacl.info.sd_hs->sd->owner_sid : NULL, (security_info & GROUP_SECURITY_INFORMATION) - ? xacl.info.sd_ts->sd->group_sid : NULL, + ? xacl.info.sd_hs->sd->group_sid : NULL, (security_info & SACL_SECURITY_INFORMATION) - ? xacl.info.sd_ts->sd->sacl : NULL, + ? xacl.info.sd_hs->sd->sacl : NULL, (security_info & DACL_SECURITY_INFORMATION) - ? xacl.info.sd_ts->sd->dacl : NULL, + ? xacl.info.sd_hs->sd->dacl : NULL, &sd_size); TALLOC_FREE(xacl.info.sd); @@ -90,6 +69,10 @@ static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob, return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; } +/******************************************************************* + Pull a security descriptor into a DATA_BLOB from a xattr. +*******************************************************************/ + static NTSTATUS get_acl_blob(TALLOC_CTX *ctx, vfs_handle_struct *handle, files_struct *fsp, @@ -144,30 +127,24 @@ static NTSTATUS get_acl_blob(TALLOC_CTX *ctx, return NT_STATUS_OK; } +/******************************************************************* + Create a DATA_BLOB from a security descriptor. +*******************************************************************/ + static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob) { struct xattr_NTACL xacl; - struct security_descriptor_timestamp sd_ts; + struct security_descriptor_hash sd_hs; enum ndr_err_code ndr_err; TALLOC_CTX *ctx = talloc_tos(); - struct timespec curr = timespec_current(); ZERO_STRUCT(xacl); - ZERO_STRUCT(sd_ts); - - /* Horrid hack as setting an xattr changes the ctime - * on Linux. This gives a race of 1 second during - * which we would not see a POSIX ACL set. - */ - curr.tv_sec += 1; + ZERO_STRUCT(sd_hs); xacl.version = 2; - xacl.info.sd_ts = &sd_ts; - xacl.info.sd_ts->sd = CONST_DISCARD(struct security_descriptor *, psd); - unix_timespec_to_nt_time(&xacl.info.sd_ts->last_changed, curr); - - DEBUG(10, ("create_acl_blob: timestamp stored as %s\n", - timestring(ctx, curr.tv_sec) )); + xacl.info.sd_hs = &sd_hs; + xacl.info.sd_hs->sd = CONST_DISCARD(struct security_descriptor *, psd); + memset(&xacl.info.sd_hs->hash[0], '\0', 16); ndr_err = ndr_push_struct_blob( pblob, ctx, NULL, &xacl, @@ -182,7 +159,12 @@ static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB return NT_STATUS_OK; } -static NTSTATUS store_acl_blob_fsp(files_struct *fsp, +/******************************************************************* + Store a DATA_BLOB into an xattr given an fsp pointer. +*******************************************************************/ + +static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle, + files_struct *fsp, DATA_BLOB *pblob) { int ret; @@ -215,10 +197,15 @@ static NTSTATUS store_acl_blob_fsp(files_struct *fsp, return NT_STATUS_OK; } -static NTSTATUS store_acl_blob_pathname(connection_struct *conn, +/******************************************************************* + Store a DATA_BLOB into an xattr given a pathname. +*******************************************************************/ + +static NTSTATUS store_acl_blob_pathname(vfs_handle_struct *handle, const char *fname, DATA_BLOB *pblob) { + connection_struct *conn = handle->conn; int ret; int saved_errno = 0; @@ -245,6 +232,9 @@ static NTSTATUS store_acl_blob_pathname(connection_struct *conn, return NT_STATUS_OK; } +/******************************************************************* + Store a DATA_BLOB into an xattr given a pathname. +*******************************************************************/ static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle, files_struct *fsp, @@ -254,7 +244,6 @@ static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle, { TALLOC_CTX *ctx = talloc_tos(); DATA_BLOB blob; - SMB_STRUCT_STAT sbuf; NTSTATUS status; if (fsp && name == NULL) { @@ -269,18 +258,7 @@ static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle, return status; } - if (fsp && fsp->fh->fd != -1) { - if (SMB_VFS_FSTAT(fsp, &sbuf) == -1) { - return map_nt_error_from_unix(errno); - } - } else { - if (SMB_VFS_STAT(handle->conn, name, &sbuf) == -1) { - return map_nt_error_from_unix(errno); - } - } - - status = parse_acl_blob(&blob, get_ctimespec(&sbuf), - security_info, ppdesc); + status = parse_acl_blob(&blob, security_info, ppdesc); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("parse_acl_blob returned %s\n", nt_errstr(status))); @@ -326,8 +304,7 @@ static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx, } return make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1, - SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT| - SEC_DESC_DACL_DEFAULTED, + SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT, &owner_sid, &group_sid, NULL, @@ -364,28 +341,42 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, status = get_nt_acl_xattr_internal(handle, NULL, parent_name, - DACL_SECURITY_INFORMATION, + (OWNER_SECURITY_INFORMATION | + GROUP_SECURITY_INFORMATION | + DACL_SECURITY_INFORMATION), &parent_desc); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("inherit_new_acl: directory %s failed " - "to get acl %s\n", - parent_name, - nt_errstr(status) )); - return status; - } + if (NT_STATUS_IS_OK(status)) { + /* Create an inherited descriptor from the parent. */ + + if (DEBUGLEVEL >= 10) { + DEBUG(10,("inherit_new_acl: parent acl is:\n")); + NDR_PRINT_DEBUG(security_descriptor, parent_desc); + } - /* Create an inherited descriptor from the parent. */ - status = se_create_child_secdesc(ctx, + status = se_create_child_secdesc(ctx, &psd, &size, parent_desc, &handle->conn->server_info->ptok->user_sids[PRIMARY_USER_SID_INDEX], &handle->conn->server_info->ptok->user_sids[PRIMARY_GROUP_SID_INDEX], container); - if (!NT_STATUS_IS_OK(status)) { - return status; + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + if (DEBUGLEVEL >= 10) { + DEBUG(10,("inherit_new_acl: child acl is:\n")); + NDR_PRINT_DEBUG(security_descriptor, psd); + } + + } else { + DEBUG(10,("inherit_new_acl: directory %s failed " + "to get acl %s\n", + parent_name, + nt_errstr(status) )); } - if (psd->dacl == NULL) { + + if (!psd || psd->dacl == NULL) { SMB_STRUCT_STAT sbuf; int ret; @@ -393,7 +384,7 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, if (fsp && !fsp->is_directory && fsp->fh->fd != -1) { ret = SMB_VFS_FSTAT(fsp, &sbuf); } else { - ret = SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf); + ret = SMB_VFS_STAT(handle->conn,fname, &sbuf); } if (ret == -1) { return map_nt_error_from_unix(errno); @@ -402,6 +393,11 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, if (!psd) { return NT_STATUS_NO_MEMORY; } + + if (DEBUGLEVEL >= 10) { + DEBUG(10,("inherit_new_acl: default acl is:\n")); + NDR_PRINT_DEBUG(security_descriptor, psd); + } } status = create_acl_blob(psd, &blob); @@ -409,9 +405,9 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, return status; } if (fsp) { - return store_acl_blob_fsp(fsp, &blob); + return store_acl_blob_fsp(handle, fsp, &blob); } else { - return store_acl_blob_pathname(handle->conn, fname, &blob); + return store_acl_blob_pathname(handle, fname, &blob); } } @@ -481,6 +477,10 @@ static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t m return ret; } +/********************************************************************* + Fetch a security descriptor given an fsp. +*********************************************************************/ + static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info, struct security_descriptor **ppdesc) { @@ -494,10 +494,19 @@ static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp, } return NT_STATUS_OK; } + + DEBUG(10,("fget_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n", + fsp->fsp_name, + nt_errstr(status) )); + return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp, security_info, ppdesc); } +/********************************************************************* + Fetch a security descriptor given a pathname. +*********************************************************************/ + static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle, const char *name, uint32 security_info, struct security_descriptor **ppdesc) { @@ -511,10 +520,19 @@ static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle, } return NT_STATUS_OK; } + + DEBUG(10,("get_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n", + name, + nt_errstr(status) )); + return SMB_VFS_NEXT_GET_NT_ACL(handle, name, security_info, ppdesc); } +/********************************************************************* + Store a security descriptor given an fsp. +*********************************************************************/ + static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, const struct security_descriptor *psd) { @@ -584,11 +602,57 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp, CONST_DISCARD(struct security_descriptor *,psd)); } create_acl_blob(psd, &blob); - store_acl_blob_fsp(fsp, &blob); + store_acl_blob_fsp(handle, fsp, &blob); return NT_STATUS_OK; } +/********************************************************************* + Remove a Windows ACL - we're setting the underlying POSIX ACL. +*********************************************************************/ + +static int sys_acl_set_file_xattr(vfs_handle_struct *handle, + const char *name, + SMB_ACL_TYPE_T type, + SMB_ACL_T theacl) +{ + int ret = SMB_VFS_NEXT_SYS_ACL_SET_FILE(handle, + name, + type, + theacl); + if (ret == -1) { + return -1; + } + + become_root(); + SMB_VFS_REMOVEXATTR(handle->conn, name, XATTR_NTACL_NAME); + unbecome_root(); + + return ret; +} + +/********************************************************************* + Remove a Windows ACL - we're setting the underlying POSIX ACL. +*********************************************************************/ + +static int sys_acl_set_fd_xattr(vfs_handle_struct *handle, + files_struct *fsp, + SMB_ACL_T theacl) +{ + int ret = SMB_VFS_NEXT_SYS_ACL_SET_FD(handle, + fsp, + theacl); + if (ret == -1) { + return -1; + } + + become_root(); + SMB_VFS_FREMOVEXATTR(fsp, XATTR_NTACL_NAME); + unbecome_root(); + + return ret; +} + /* VFS operations structure */ static vfs_op_tuple skel_op_tuples[] = @@ -602,7 +666,11 @@ static vfs_op_tuple skel_op_tuples[] = {SMB_VFS_OP(get_nt_acl_xattr), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT}, {SMB_VFS_OP(fset_nt_acl_xattr),SMB_VFS_OP_FSET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT}, - {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP} + /* POSIX ACL operations. */ + {SMB_VFS_OP(sys_acl_set_file_xattr), SMB_VFS_OP_SYS_ACL_SET_FILE, SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(sys_acl_set_fd_xattr), SMB_VFS_OP_SYS_ACL_SET_FD, SMB_VFS_LAYER_TRANSPARENT}, + + {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP} }; NTSTATUS vfs_acl_xattr_init(void) diff --git a/source3/modules/vfs_onefs.c b/source3/modules/vfs_onefs.c new file mode 100644 index 0000000000..193a986cf6 --- /dev/null +++ b/source3/modules/vfs_onefs.c @@ -0,0 +1,48 @@ +/* + * Support for OneFS + * + * Copyright (C) Tim Prouty, 2008 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_VFS + +NTSTATUS onefs_fget_nt_acl(vfs_handle_struct *handle, files_struct *fsp, + uint32 security_info, SEC_DESC **ppdesc); + +NTSTATUS onefs_get_nt_acl(vfs_handle_struct *handle, const char* name, + uint32 security_info, SEC_DESC **ppdesc); + +NTSTATUS onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, + uint32 security_info_sent, SEC_DESC *psd); + +static vfs_op_tuple onefs_ops[] = { + {SMB_VFS_OP(onefs_fget_nt_acl), SMB_VFS_OP_FGET_NT_ACL, + SMB_VFS_LAYER_OPAQUE}, + {SMB_VFS_OP(onefs_get_nt_acl), SMB_VFS_OP_GET_NT_ACL, + SMB_VFS_LAYER_OPAQUE}, + {SMB_VFS_OP(onefs_fset_nt_acl), SMB_VFS_OP_FSET_NT_ACL, + SMB_VFS_LAYER_OPAQUE}, + {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP} +}; + +NTSTATUS vfs_onefs_init(void) +{ + return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "onefs", + onefs_ops); +} diff --git a/source3/modules/vfs_readonly.c b/source3/modules/vfs_readonly.c index d4ddf32e3a..58c83e5e1b 100644 --- a/source3/modules/vfs_readonly.c +++ b/source3/modules/vfs_readonly.c @@ -64,12 +64,25 @@ static int readonly_connect(vfs_handle_struct *handle, "period", period_def); if (period && period[0] && period[1]) { + int i; time_t current_time = time(NULL); time_t begin_period = get_date(period[0], ¤t_time); time_t end_period = get_date(period[1], ¤t_time); if ((current_time >= begin_period) && (current_time <= end_period)) { + connection_struct *conn = handle->conn; + handle->conn->read_only = True; + + /* Wipe out the VUID cache. */ + for (i=0; i< VUID_CACHE_SIZE; i++) { + struct vuid_cache_entry *ent = ent = &conn->vuid_cache.array[i]; + ent->vuid = UID_FIELD_INVALID; + TALLOC_FREE(ent->server_info); + ent->read_only = false; + ent->admin_user = false; + } + conn->vuid_cache.next_entry = 0; } return SMB_VFS_NEXT_CONNECT(handle, service, user); diff --git a/source3/modules/vfs_streams_depot.c b/source3/modules/vfs_streams_depot.c index d8c476f96f..69d34940fd 100644 --- a/source3/modules/vfs_streams_depot.c +++ b/source3/modules/vfs_streams_depot.c @@ -67,10 +67,15 @@ static uint32_t hash_fn(DATA_BLOB key) #define SAMBA_XATTR_MARKER "user.SAMBA_STREAMS" -static bool file_is_valid(vfs_handle_struct *handle, const char *path) +static bool file_is_valid(vfs_handle_struct *handle, const char *path, + bool check_valid) { char buf; + if (!check_valid) { + return true; + } + DEBUG(10, ("file_is_valid (%s) called\n", path)); if (SMB_VFS_NEXT_GETXATTR(handle, path, SAMBA_XATTR_MARKER, @@ -87,11 +92,16 @@ static bool file_is_valid(vfs_handle_struct *handle, const char *path) return true; } -static bool mark_file_valid(vfs_handle_struct *handle, const char *path) +static bool mark_file_valid(vfs_handle_struct *handle, const char *path, + bool check_valid) { char buf = '1'; int ret; + if (!check_valid) { + return true; + } + DEBUG(10, ("marking file %s as valid\n", path)); ret = SMB_VFS_NEXT_SETXATTR(handle, path, SAMBA_XATTR_MARKER, @@ -116,10 +126,22 @@ static char *stream_dir(vfs_handle_struct *handle, const char *base_path, char *id_hex; struct file_id id; uint8 id_buf[16]; + bool check_valid; + const char *rootdir; + + check_valid = lp_parm_bool(SNUM(handle->conn), + "streams_depot", "check_valid", true); + + tmp = talloc_asprintf(talloc_tos(), "%s/.streams", handle->conn->connectpath); - const char *rootdir = lp_parm_const_string( + if (tmp == NULL) { + errno = ENOMEM; + goto fail; + } + + rootdir = lp_parm_const_string( SNUM(handle->conn), "streams_depot", "directory", - handle->conn->connectpath); + tmp); if (base_sbuf == NULL) { if (SMB_VFS_NEXT_STAT(handle, base_path, &sbuf) == -1) { @@ -141,7 +163,7 @@ static char *stream_dir(vfs_handle_struct *handle, const char *base_path, first = hash & 0xff; second = (hash >> 8) & 0xff; - id_hex = hex_encode(talloc_tos(), id_buf, sizeof(id_buf)); + id_hex = hex_encode_talloc(talloc_tos(), id_buf, sizeof(id_buf)); if (id_hex == NULL) { errno = ENOMEM; @@ -166,7 +188,7 @@ static char *stream_dir(vfs_handle_struct *handle, const char *base_path, goto fail; } - if (file_is_valid(handle, base_path)) { + if (file_is_valid(handle, base_path, check_valid)) { return result; } @@ -236,7 +258,7 @@ static char *stream_dir(vfs_handle_struct *handle, const char *base_path, goto fail; } - if (!mark_file_valid(handle, base_path)) { + if (!mark_file_valid(handle, base_path, check_valid)) { goto fail; } @@ -262,6 +284,11 @@ static char *stream_name(vfs_handle_struct *handle, const char *fname, goto fail; } + /* if it's the ::$DATA stream just return the base file name */ + if (!sname) { + return base; + } + dirname = stream_dir(handle, base, NULL, create_dir); if (dirname == NULL) { @@ -401,6 +428,7 @@ static int streams_depot_open(vfs_handle_struct *handle, const char *fname, { TALLOC_CTX *frame; char *base = NULL; + char *sname = NULL; SMB_STRUCT_STAT base_sbuf; char *stream_fname; int ret = -1; @@ -412,11 +440,16 @@ static int streams_depot_open(vfs_handle_struct *handle, const char *fname, frame = talloc_stackframe(); if (!NT_STATUS_IS_OK(split_ntfs_stream_name(talloc_tos(), fname, - &base, NULL))) { + &base, &sname))) { errno = ENOMEM; goto done; } + if (!sname) { + ret = SMB_VFS_NEXT_OPEN(handle, base, fsp, flags, mode); + goto done; + } + ret = SMB_VFS_NEXT_STAT(handle, base, &base_sbuf); if (ret == -1) { @@ -478,6 +511,78 @@ static int streams_depot_unlink(vfs_handle_struct *handle, const char *fname) return SMB_VFS_NEXT_UNLINK(handle, fname); } +static int streams_depot_rename(vfs_handle_struct *handle, + const char *oldname, + const char *newname) +{ + TALLOC_CTX *frame = NULL; + int ret = -1; + bool old_is_stream; + bool new_is_stream; + char *obase = NULL; + char *osname = NULL; + char *nbase = NULL; + char *nsname = NULL; + char *ostream_fname = NULL; + char *nstream_fname = NULL; + + DEBUG(10, ("streams_depot_rename called for %s => %s\n", + oldname, newname)); + + old_is_stream = is_ntfs_stream_name(oldname); + new_is_stream = is_ntfs_stream_name(newname); + + if (!old_is_stream && !new_is_stream) { + return SMB_VFS_NEXT_RENAME(handle, oldname, newname); + } + + if (!(old_is_stream && new_is_stream)) { + errno = ENOSYS; + return -1; + } + + frame = talloc_stackframe(); + + if (!NT_STATUS_IS_OK(split_ntfs_stream_name(talloc_tos(), oldname, + &obase, &osname))) { + errno = ENOMEM; + goto done; + } + + if (!NT_STATUS_IS_OK(split_ntfs_stream_name(talloc_tos(), oldname, + &nbase, &nsname))) { + errno = ENOMEM; + goto done; + } + + /* for now don't allow renames from or to the default stream */ + if (!osname || !nsname) { + errno = ENOSYS; + goto done; + } + + if (StrCaseCmp(obase, nbase) != 0) { + errno = ENOSYS; + goto done; + } + + ostream_fname = stream_name(handle, oldname, false); + if (ostream_fname == NULL) { + return -1; + } + + nstream_fname = stream_name(handle, newname, false); + if (nstream_fname == NULL) { + return -1; + } + + ret = SMB_VFS_NEXT_RENAME(handle, ostream_fname, nstream_fname); + +done: + TALLOC_FREE(frame); + return ret; +} + static bool add_one_stream(TALLOC_CTX *mem_ctx, unsigned int *num_streams, struct stream_struct **streams, const char *name, SMB_OFF_T size, @@ -628,6 +733,8 @@ static vfs_op_tuple streams_depot_ops[] = { SMB_VFS_LAYER_TRANSPARENT}, {SMB_VFS_OP(streams_depot_unlink), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(streams_depot_rename), SMB_VFS_OP_RENAME, + SMB_VFS_LAYER_TRANSPARENT}, {SMB_VFS_OP(streams_depot_streaminfo), SMB_VFS_OP_STREAMINFO, SMB_VFS_LAYER_OPAQUE}, {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP} diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c index b74c4f7902..ecfc31970d 100644 --- a/source3/modules/vfs_streams_xattr.c +++ b/source3/modules/vfs_streams_xattr.c @@ -29,6 +29,9 @@ struct stream_io { char *base; char *xattr_name; + void *fsp_name_ptr; + files_struct *fsp; + vfs_handle_struct *handle; }; static SMB_INO_T stream_inode(const SMB_STRUCT_STAT *sbuf, const char *sname) @@ -64,14 +67,16 @@ static SMB_INO_T stream_inode(const SMB_STRUCT_STAT *sbuf, const char *sname) return result; } -static ssize_t get_xattr_size(connection_struct *conn, const char *fname, - const char *xattr_name) +static ssize_t get_xattr_size(connection_struct *conn, + files_struct *fsp, + const char *fname, + const char *xattr_name) { NTSTATUS status; struct ea_struct ea; ssize_t result; - status = get_ea_value(talloc_tos(), conn, NULL, fname, + status = get_ea_value(talloc_tos(), conn, fsp, fname, xattr_name, &ea); if (!NT_STATUS_IS_OK(status)) { @@ -83,6 +88,49 @@ static ssize_t get_xattr_size(connection_struct *conn, const char *fname, return result; } +static bool streams_xattr_recheck(struct stream_io *sio) +{ + NTSTATUS status; + char *base = NULL; + char *sname = NULL; + char *xattr_name = NULL; + + if (sio->fsp->fsp_name == sio->fsp_name_ptr) { + return true; + } + + status = split_ntfs_stream_name(talloc_tos(), sio->fsp->fsp_name, + &base, &sname); + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + if (sname == NULL) { + /* how can this happen */ + errno = EINVAL; + return false; + } + + xattr_name = talloc_asprintf(talloc_tos(), "%s%s", + SAMBA_XATTR_DOSSTREAM_PREFIX, sname); + if (xattr_name == NULL) { + return false; + } + + TALLOC_FREE(sio->xattr_name); + TALLOC_FREE(sio->base); + sio->xattr_name = talloc_strdup(VFS_MEMCTX_FSP_EXTENSION(sio->handle, sio->fsp), + xattr_name); + sio->base = talloc_strdup(VFS_MEMCTX_FSP_EXTENSION(sio->handle, sio->fsp), + base); + sio->fsp_name_ptr = sio->fsp->fsp_name; + + if ((sio->xattr_name == NULL) || (sio->base == NULL)) { + return false; + } + + return true; +} static int streams_xattr_fstat(vfs_handle_struct *handle, files_struct *fsp, SMB_STRUCT_STAT *sbuf) @@ -92,15 +140,20 @@ static int streams_xattr_fstat(vfs_handle_struct *handle, files_struct *fsp, DEBUG(10, ("streams_xattr_fstat called for %d\n", fsp->fh->fd)); - if (io == NULL) { + if (io == NULL || fsp->base_fsp == NULL) { return SMB_VFS_NEXT_FSTAT(handle, fsp, sbuf); } - if (SMB_VFS_NEXT_FSTAT(handle, fsp, sbuf) == -1) { + if (!streams_xattr_recheck(io)) { return -1; } - sbuf->st_size = get_xattr_size(handle->conn, io->base, io->xattr_name); + if (SMB_VFS_STAT(handle->conn, io->base, sbuf) == -1) { + return -1; + } + + sbuf->st_size = get_xattr_size(handle->conn, fsp->base_fsp, + io->base, io->xattr_name); if (sbuf->st_size == -1) { return -1; } @@ -133,6 +186,10 @@ static int streams_xattr_stat(vfs_handle_struct *handle, const char *fname, return -1; } + if (sname == NULL){ + return SMB_VFS_NEXT_STAT(handle, base, sbuf); + } + if (SMB_VFS_STAT(handle->conn, base, sbuf) == -1) { goto fail; } @@ -144,7 +201,7 @@ static int streams_xattr_stat(vfs_handle_struct *handle, const char *fname, goto fail; } - sbuf->st_size = get_xattr_size(handle->conn, base, xattr_name); + sbuf->st_size = get_xattr_size(handle->conn, NULL, base, xattr_name); if (sbuf->st_size == -1) { errno = ENOENT; goto fail; @@ -180,6 +237,10 @@ static int streams_xattr_lstat(vfs_handle_struct *handle, const char *fname, goto fail; } + if (sname == NULL){ + return SMB_VFS_NEXT_LSTAT(handle, base, sbuf); + } + if (SMB_VFS_LSTAT(handle->conn, base, sbuf) == -1) { goto fail; } @@ -191,7 +252,7 @@ static int streams_xattr_lstat(vfs_handle_struct *handle, const char *fname, goto fail; } - sbuf->st_size = get_xattr_size(handle->conn, base, xattr_name); + sbuf->st_size = get_xattr_size(handle->conn, NULL, base, xattr_name); if (sbuf->st_size == -1) { errno = ENOENT; goto fail; @@ -236,6 +297,12 @@ static int streams_xattr_open(vfs_handle_struct *handle, const char *fname, goto fail; } + if (sname == NULL) { + hostfd = SMB_VFS_NEXT_OPEN(handle, base, fsp, flags, mode); + talloc_free(frame); + return hostfd; + } + xattr_name = talloc_asprintf(talloc_tos(), "%s%s", SAMBA_XATTR_DOSSTREAM_PREFIX, sname); if (xattr_name == NULL) { @@ -300,22 +367,40 @@ static int streams_xattr_open(vfs_handle_struct *handle, const char *fname, DEBUG(10, ("creating attribute %s on file %s\n", xattr_name, base)); - if (SMB_VFS_SETXATTR( - handle->conn, base, xattr_name, - &null, sizeof(null), - flags & O_EXCL ? XATTR_CREATE : 0) == -1) { - goto fail; + if (fsp->base_fsp->fh->fd != -1) { + if (SMB_VFS_FSETXATTR( + fsp->base_fsp, xattr_name, + &null, sizeof(null), + flags & O_EXCL ? XATTR_CREATE : 0) == -1) { + goto fail; + } + } else { + if (SMB_VFS_SETXATTR( + handle->conn, base, xattr_name, + &null, sizeof(null), + flags & O_EXCL ? XATTR_CREATE : 0) == -1) { + goto fail; + } } } } if (flags & O_TRUNC) { char null = '\0'; - if (SMB_VFS_SETXATTR( - handle->conn, base, xattr_name, - &null, sizeof(null), - flags & O_EXCL ? XATTR_CREATE : 0) == -1) { - goto fail; + if (fsp->base_fsp->fh->fd != -1) { + if (SMB_VFS_FSETXATTR( + fsp->base_fsp, xattr_name, + &null, sizeof(null), + flags & O_EXCL ? XATTR_CREATE : 0) == -1) { + goto fail; + } + } else { + if (SMB_VFS_SETXATTR( + handle->conn, base, xattr_name, + &null, sizeof(null), + flags & O_EXCL ? XATTR_CREATE : 0) == -1) { + goto fail; + } } } @@ -330,6 +415,9 @@ static int streams_xattr_open(vfs_handle_struct *handle, const char *fname, xattr_name); sio->base = talloc_strdup(VFS_MEMCTX_FSP_EXTENSION(handle, fsp), base); + sio->fsp_name_ptr = fsp->fsp_name; + sio->handle = handle; + sio->fsp = fsp; if ((sio->xattr_name == NULL) || (sio->base == NULL)) { errno = ENOMEM; @@ -370,6 +458,10 @@ static int streams_xattr_unlink(vfs_handle_struct *handle, const char *fname) goto fail; } + if (sname == NULL){ + return SMB_VFS_NEXT_UNLINK(handle, base); + } + xattr_name = talloc_asprintf(talloc_tos(), "%s%s", SAMBA_XATTR_DOSSTREAM_PREFIX, sname); if (xattr_name == NULL) { @@ -392,6 +484,127 @@ static int streams_xattr_unlink(vfs_handle_struct *handle, const char *fname) return ret; } +static int streams_xattr_rename(vfs_handle_struct *handle, + const char *oldname, + const char *newname) +{ + NTSTATUS status; + TALLOC_CTX *frame = NULL; + char *obase; + char *ostream; + char *nbase; + char *nstream; + const char *base; + int ret = -1; + char *oxattr_name; + char *nxattr_name; + bool o_is_stream; + bool n_is_stream; + ssize_t oret; + ssize_t nret; + struct ea_struct ea; + + o_is_stream = is_ntfs_stream_name(oldname); + n_is_stream = is_ntfs_stream_name(newname); + + if (!o_is_stream && !n_is_stream) { + return SMB_VFS_NEXT_RENAME(handle, oldname, newname); + } + + if (!(o_is_stream && n_is_stream)) { + errno = ENOSYS; + goto fail; + } + + frame = talloc_stackframe(); + if (!frame) { + goto fail; + } + + status = split_ntfs_stream_name(talloc_tos(), oldname, &obase, &ostream); + if (!NT_STATUS_IS_OK(status)) { + errno = EINVAL; + goto fail; + } + + status = split_ntfs_stream_name(talloc_tos(), newname, &nbase, &nstream); + if (!NT_STATUS_IS_OK(status)) { + errno = EINVAL; + goto fail; + } + + /*TODO: maybe call SMB_VFS_NEXT_RENAME() both streams are NULL (::$DATA) */ + if (ostream == NULL) { + errno = ENOSYS; + goto fail; + } + + if (nstream == NULL) { + errno = ENOSYS; + goto fail; + } + + /* the new base should be empty */ + if (StrCaseCmp(obase, nbase) != 0) { + errno = ENOSYS; + goto fail; + } + + if (StrCaseCmp(ostream, nstream) == 0) { + goto done; + } + + base = obase; + + oxattr_name = talloc_asprintf(talloc_tos(), "%s%s", + SAMBA_XATTR_DOSSTREAM_PREFIX, ostream); + if (oxattr_name == NULL) { + errno = ENOMEM; + goto fail; + } + + nxattr_name = talloc_asprintf(talloc_tos(), "%s%s", + SAMBA_XATTR_DOSSTREAM_PREFIX, nstream); + if (nxattr_name == NULL) { + errno = ENOMEM; + goto fail; + } + + /* read the old stream */ + status = get_ea_value(talloc_tos(), handle->conn, NULL, + base, oxattr_name, &ea); + if (!NT_STATUS_IS_OK(status)) { + errno = ENOENT; + goto fail; + } + + /* (over)write the new stream */ + nret = SMB_VFS_SETXATTR(handle->conn, base, nxattr_name, + ea.value.data, ea.value.length, 0); + if (nret < 0) { + if (errno == ENOATTR) { + errno = ENOENT; + } + goto fail; + } + + /* remove the old stream */ + oret = SMB_VFS_REMOVEXATTR(handle->conn, base, oxattr_name); + if (oret < 0) { + if (errno == ENOATTR) { + errno = ENOENT; + } + goto fail; + } + + done: + errno = 0; + ret = 0; + fail: + TALLOC_FREE(frame); + return ret; +} + static NTSTATUS walk_xattr_streams(connection_struct *conn, files_struct *fsp, const char *fname, bool (*fn)(struct ea_struct *ea, @@ -579,6 +792,10 @@ static ssize_t streams_xattr_pwrite(vfs_handle_struct *handle, return SMB_VFS_NEXT_PWRITE(handle, fsp, data, n, offset); } + if (!streams_xattr_recheck(sio)) { + return -1; + } + status = get_ea_value(talloc_tos(), handle->conn, fsp->base_fsp, sio->base, sio->xattr_name, &ea); if (!NT_STATUS_IS_OK(status)) { @@ -603,10 +820,15 @@ static ssize_t streams_xattr_pwrite(vfs_handle_struct *handle, memcpy(ea.value.data + offset, data, n); - ret = SMB_VFS_SETXATTR(fsp->conn, fsp->base_fsp->fsp_name, + if (fsp->base_fsp->fh->fd != -1) { + ret = SMB_VFS_FSETXATTR(fsp->base_fsp, sio->xattr_name, ea.value.data, ea.value.length, 0); - + } else { + ret = SMB_VFS_SETXATTR(fsp->conn, fsp->base_fsp->fsp_name, + sio->xattr_name, + ea.value.data, ea.value.length, 0); + } TALLOC_FREE(ea.value.data); if (ret == -1) { @@ -624,12 +846,16 @@ static ssize_t streams_xattr_pread(vfs_handle_struct *handle, (struct stream_io *)VFS_FETCH_FSP_EXTENSION(handle, fsp); struct ea_struct ea; NTSTATUS status; - size_t length, overlap; + size_t length, overlap; if (sio == NULL) { return SMB_VFS_NEXT_PREAD(handle, fsp, data, n, offset); } + if (!streams_xattr_recheck(sio)) { + return -1; + } + status = get_ea_value(talloc_tos(), handle->conn, fsp->base_fsp, sio->base, sio->xattr_name, &ea); if (!NT_STATUS_IS_OK(status)) { @@ -651,6 +877,73 @@ static ssize_t streams_xattr_pread(vfs_handle_struct *handle, return overlap; } +static int streams_xattr_ftruncate(struct vfs_handle_struct *handle, + struct files_struct *fsp, + SMB_OFF_T offset) +{ + int ret; + uint8 *tmp; + struct ea_struct ea; + NTSTATUS status; + struct stream_io *sio = + (struct stream_io *)VFS_FETCH_FSP_EXTENSION(handle, fsp); + + DEBUG(10, ("streams_xattr_ftruncate called for file %s offset %.0f\n", + fsp->fsp_name, + (double)offset )); + + if (sio == NULL) { + return SMB_VFS_NEXT_FTRUNCATE(handle, fsp, offset); + } + + if (!streams_xattr_recheck(sio)) { + return -1; + } + + status = get_ea_value(talloc_tos(), handle->conn, fsp->base_fsp, + sio->base, sio->xattr_name, &ea); + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + + tmp = TALLOC_REALLOC_ARRAY(talloc_tos(), ea.value.data, uint8, + offset + 1); + + if (tmp == NULL) { + TALLOC_FREE(ea.value.data); + errno = ENOMEM; + return -1; + } + + /* Did we expand ? */ + if (ea.value.length < offset + 1) { + memset(&tmp[ea.value.length], '\0', + offset + 1 - ea.value.length); + } + + ea.value.data = tmp; + ea.value.length = offset + 1; + ea.value.data[offset] = 0; + + if (fsp->base_fsp->fh->fd != -1) { + ret = SMB_VFS_FSETXATTR(fsp->base_fsp, + sio->xattr_name, + ea.value.data, ea.value.length, 0); + } else { + ret = SMB_VFS_SETXATTR(fsp->conn, fsp->base_fsp->fsp_name, + sio->xattr_name, + ea.value.data, ea.value.length, 0); + } + + TALLOC_FREE(ea.value.data); + + if (ret == -1) { + return -1; + } + + return 0; +} + /* VFS operations structure */ static vfs_op_tuple streams_xattr_ops[] = { @@ -672,6 +965,10 @@ static vfs_op_tuple streams_xattr_ops[] = { SMB_VFS_LAYER_TRANSPARENT}, {SMB_VFS_OP(streams_xattr_unlink), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(streams_xattr_rename), SMB_VFS_OP_RENAME, + SMB_VFS_LAYER_TRANSPARENT}, + {SMB_VFS_OP(streams_xattr_ftruncate), SMB_VFS_OP_FTRUNCATE, + SMB_VFS_LAYER_TRANSPARENT}, {SMB_VFS_OP(streams_xattr_streaminfo), SMB_VFS_OP_STREAMINFO, SMB_VFS_LAYER_OPAQUE}, {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP} diff --git a/source3/modules/vfs_tsmsm.c b/source3/modules/vfs_tsmsm.c index ee958b1be5..6fb1d1d2d4 100644 --- a/source3/modules/vfs_tsmsm.c +++ b/source3/modules/vfs_tsmsm.c @@ -148,7 +148,7 @@ static bool tsmsm_is_offline(struct vfs_handle_struct *handle, dm_attrname_t dmname; int ret, lerrno; bool offline; - char *buf; + char *buf = NULL; size_t buflen; /* if the file has more than FILE_IS_ONLINE_RATIO of blocks available, diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c index 3688b2386e..a5b0490c8d 100644 --- a/source3/modules/vfs_zfsacl.c +++ b/source3/modules/vfs_zfsacl.c @@ -212,9 +212,92 @@ static NTSTATUS zfsacl_fset_nt_acl(vfs_handle_struct *handle, return zfs_set_nt_acl(handle, fsp, security_info_sent, psd); } +/* nils.goroll@hamburg.de 2008-06-16 : + + See also + - https://bugzilla.samba.org/show_bug.cgi?id=5446 + - http://bugs.opensolaris.org/view_bug.do?bug_id=6688240 + + Solaris supports NFSv4 and ZFS ACLs through a common system call, acl(2) + with ACE_SETACL / ACE_GETACL / ACE_GETACLCNT, which is being wrapped for + use by samba in this module. + + As the acl(2) interface is identical for ZFS and for NFS, this module, + vfs_zfsacl, can not only be used for ZFS, but also for sharing NFSv4 + mounts on Solaris. + + But while "traditional" POSIX DRAFT ACLs (using acl(2) with SETACL + / GETACL / GETACLCNT) fail for ZFS, the Solaris NFS client + implemets a compatibility wrapper, which will make calls to + traditional ACL calls though vfs_solarisacl succeed. As the + compatibility wrapper's implementation is (by design) incomplete, + we want to make sure that it is never being called. + + As long as Samba does not support an exiplicit method for a module + to define conflicting vfs methods, we should override all conflicting + methods here. + + For this to work, we need to make sure that this module is initialised + *after* vfs_solarisacl + + Function declarations taken from vfs_solarisacl +*/ + +SMB_ACL_T zfsacl_fail__sys_acl_get_file(vfs_handle_struct *handle, + const char *path_p, + SMB_ACL_TYPE_T type) +{ + return (SMB_ACL_T)NULL; +} +SMB_ACL_T zfsacl_fail__sys_acl_get_fd(vfs_handle_struct *handle, + files_struct *fsp, + int fd) +{ + return (SMB_ACL_T)NULL; +} + +int zfsacl_fail__sys_acl_set_file(vfs_handle_struct *handle, + const char *name, + SMB_ACL_TYPE_T type, + SMB_ACL_T theacl) +{ + return -1; +} + +int zfsacl_fail__sys_acl_set_fd(vfs_handle_struct *handle, + files_struct *fsp, + int fd, SMB_ACL_T theacl) +{ + return -1; +} + +int zfsacl_fail__sys_acl_delete_def_file(vfs_handle_struct *handle, + const char *path) +{ + return -1; +} + /* VFS operations structure */ static vfs_op_tuple zfsacl_ops[] = { + /* invalidate conflicting VFS methods */ + {SMB_VFS_OP(zfsacl_fail__sys_acl_get_file), + SMB_VFS_OP_SYS_ACL_GET_FILE, + SMB_VFS_LAYER_OPAQUE}, + {SMB_VFS_OP(zfsacl_fail__sys_acl_get_fd), + SMB_VFS_OP_SYS_ACL_GET_FD, + SMB_VFS_LAYER_OPAQUE}, + {SMB_VFS_OP(zfsacl_fail__sys_acl_set_file), + SMB_VFS_OP_SYS_ACL_SET_FILE, + SMB_VFS_LAYER_OPAQUE}, + {SMB_VFS_OP(zfsacl_fail__sys_acl_set_fd), + SMB_VFS_OP_SYS_ACL_SET_FD, + SMB_VFS_LAYER_OPAQUE}, + {SMB_VFS_OP(zfsacl_fail__sys_acl_delete_def_file), + SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE, + SMB_VFS_LAYER_OPAQUE}, + + /* actual methods */ {SMB_VFS_OP(zfsacl_fget_nt_acl), SMB_VFS_OP_FGET_NT_ACL, SMB_VFS_LAYER_OPAQUE}, {SMB_VFS_OP(zfsacl_get_nt_acl), SMB_VFS_OP_GET_NT_ACL, diff --git a/source3/nsswitch/libwbclient/wbc_idmap.c b/source3/nsswitch/libwbclient/wbc_idmap.c index 1615fd33ee..81b369c87c 100644 --- a/source3/nsswitch/libwbclient/wbc_idmap.c +++ b/source3/nsswitch/libwbclient/wbc_idmap.c @@ -24,7 +24,7 @@ #include "libwbclient.h" -/** @brief Convert a Windows SID to a Unix uid +/** @brief Convert a Windows SID to a Unix uid, allocating an uid if needed * * @param *sid Pointer to the domain SID to be resolved * @param *puid Pointer to the resolved uid_t value @@ -71,7 +71,22 @@ wbcErr wbcSidToUid(const struct wbcDomainSid *sid, uid_t *puid) return wbc_status; } -/** @brief Convert a Unix uid to a Windows SID +/** @brief Convert a Windows SID to a Unix uid if there already is a mapping + * + * @param *sid Pointer to the domain SID to be resolved + * @param *puid Pointer to the resolved uid_t value + * + * @return #wbcErr + * + **/ + +wbcErr wbcQuerySidToUid(const struct wbcDomainSid *sid, + uid_t *puid) +{ + return WBC_ERR_NOT_IMPLEMENTED; +} + +/** @brief Convert a Unix uid to a Windows SID, allocating a SID if needed * * @param uid Unix uid to be resolved * @param *sid Pointer to the resolved domain SID @@ -112,7 +127,22 @@ done: return wbc_status; } -/** @brief Convert a Windows SID to a Unix gid +/** @brief Convert a Unix uid to a Windows SID if there already is a mapping + * + * @param uid Unix uid to be resolved + * @param *sid Pointer to the resolved domain SID + * + * @return #wbcErr + * + **/ + +wbcErr wbcQueryUidToSid(uid_t uid, + struct wbcDomainSid *sid) +{ + return WBC_ERR_NOT_IMPLEMENTED; +} + +/** @brief Convert a Windows SID to a Unix gid, allocating a gid if needed * * @param *sid Pointer to the domain SID to be resolved * @param *pgid Pointer to the resolved gid_t value @@ -159,7 +189,22 @@ wbcErr wbcSidToGid(const struct wbcDomainSid *sid, gid_t *pgid) return wbc_status; } -/** @brief Convert a Unix uid to a Windows SID +/** @brief Convert a Windows SID to a Unix gid if there already is a mapping + * + * @param *sid Pointer to the domain SID to be resolved + * @param *pgid Pointer to the resolved gid_t value + * + * @return #wbcErr + * + **/ + +wbcErr wbcQuerySidToGid(const struct wbcDomainSid *sid, + gid_t *pgid) +{ + return WBC_ERR_NOT_IMPLEMENTED; +} + +/** @brief Convert a Unix gid to a Windows SID, allocating a SID if needed * * @param gid Unix gid to be resolved * @param *sid Pointer to the resolved domain SID @@ -200,6 +245,21 @@ done: return wbc_status; } +/** @brief Convert a Unix gid to a Windows SID if there already is a mapping + * + * @param gid Unix gid to be resolved + * @param *sid Pointer to the resolved domain SID + * + * @return #wbcErr + * + **/ + +wbcErr wbcQueryGidToSid(gid_t gid, + struct wbcDomainSid *sid) +{ + return WBC_ERR_NOT_IMPLEMENTED; +} + /** @brief Obtain a new uid from Winbind * * @param *puid *pointer to the allocated uid @@ -362,6 +422,92 @@ wbcErr wbcSetGidMapping(gid_t gid, const struct wbcDomainSid *sid) return wbc_status; } +/** @brief Remove a user id mapping + * + * @param uid Uid of the mapping to remove. + * @param *sid Pointer to the sid of the mapping to remove. + * + * @return #wbcErr + **/ +wbcErr wbcRemoveUidMapping(uid_t uid, const struct wbcDomainSid *sid) +{ + struct winbindd_request request; + struct winbindd_response response; + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + char *sid_string = NULL; + + if (!sid) { + return WBC_ERR_INVALID_PARAM; + } + + /* Initialise request */ + + ZERO_STRUCT(request); + ZERO_STRUCT(response); + + /* Make request */ + + request.data.dual_idmapset.id = uid; + request.data.dual_idmapset.type = _ID_TYPE_UID; + + wbc_status = wbcSidToString(sid, &sid_string); + BAIL_ON_WBC_ERROR(wbc_status); + + strncpy(request.data.dual_idmapset.sid, sid_string, + sizeof(request.data.dual_idmapset.sid)-1); + wbcFreeMemory(sid_string); + + wbc_status = wbcRequestResponse(WINBINDD_REMOVE_MAPPING, + &request, &response); + BAIL_ON_WBC_ERROR(wbc_status); + + done: + return wbc_status; +} + +/** @brief Remove a group id mapping + * + * @param gid Gid of the mapping to remove. + * @param *sid Pointer to the sid of the mapping to remove. + * + * @return #wbcErr + **/ +wbcErr wbcRemoveGidMapping(gid_t gid, const struct wbcDomainSid *sid) +{ + struct winbindd_request request; + struct winbindd_response response; + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + char *sid_string = NULL; + + if (!sid) { + return WBC_ERR_INVALID_PARAM; + } + + /* Initialise request */ + + ZERO_STRUCT(request); + ZERO_STRUCT(response); + + /* Make request */ + + request.data.dual_idmapset.id = gid; + request.data.dual_idmapset.type = _ID_TYPE_GID; + + wbc_status = wbcSidToString(sid, &sid_string); + BAIL_ON_WBC_ERROR(wbc_status); + + strncpy(request.data.dual_idmapset.sid, sid_string, + sizeof(request.data.dual_idmapset.sid)-1); + wbcFreeMemory(sid_string); + + wbc_status = wbcRequestResponse(WINBINDD_REMOVE_MAPPING, + &request, &response); + BAIL_ON_WBC_ERROR(wbc_status); + + done: + return wbc_status; +} + /** @brief Set the highwater mark for allocated uids. * * @param uid_hwm The new uid highwater mark value diff --git a/source3/nsswitch/libwbclient/wbc_pam.c b/source3/nsswitch/libwbclient/wbc_pam.c index 713ba2e65b..401d2ad2c3 100644 --- a/source3/nsswitch/libwbclient/wbc_pam.c +++ b/source3/nsswitch/libwbclient/wbc_pam.c @@ -1095,3 +1095,18 @@ done: return wbc_status; } + +/** @brief Authenticate a user with cached credentials + * + * @param *params Pointer to a wbcCredentialCacheParams structure + * @param **info Pointer to a pointer to a wbcCredentialCacheInfo structure + * @param **error Pointer to a pointer to a wbcAuthErrorInfo structure + * + * @return #wbcErr + **/ +wbcErr wbcCredentialCache(struct wbcCredentialCacheParams *params, + struct wbcCredentialCacheInfo **info, + struct wbcAuthErrorInfo **error) +{ + return WBC_ERR_NOT_IMPLEMENTED; +} diff --git a/source3/nsswitch/libwbclient/wbc_pwd.c b/source3/nsswitch/libwbclient/wbc_pwd.c index 0d17b312ef..d54a5af4fc 100644 --- a/source3/nsswitch/libwbclient/wbc_pwd.c +++ b/source3/nsswitch/libwbclient/wbc_pwd.c @@ -24,6 +24,16 @@ #include "libwbclient.h" +/** @brief The maximum number of pwent structs to get from winbindd + * + */ +#define MAX_GETPWENT_USERS 500 + +/** @brief The maximum number of grent structs to get from winbindd + * + */ +#define MAX_GETGRENT_GROUPS 500 + /** * **/ @@ -284,6 +294,21 @@ wbcErr wbcGetgrgid(gid_t gid, struct group **grp) return wbc_status; } +/** @brief Number of cached passwd structs + * + */ +static uint32_t pw_cache_size; + +/** @brief Position of the pwent context + * + */ +static uint32_t pw_cache_idx; + +/** @brief Winbindd response containing the passwd structs + * + */ +static struct winbindd_response pw_response; + /** @brief Reset the passwd iterator * * @return #wbcErr @@ -293,6 +318,15 @@ wbcErr wbcSetpwent(void) { wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + if (pw_cache_size > 0) { + pw_cache_idx = pw_cache_size = 0; + if (pw_response.extra_data.data) { + free(pw_response.extra_data.data); + } + } + + ZERO_STRUCT(pw_response); + wbc_status = wbcRequestResponse(WINBINDD_SETPWENT, NULL, NULL); BAIL_ON_WBC_ERROR(wbc_status); @@ -310,6 +344,13 @@ wbcErr wbcEndpwent(void) { wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + if (pw_cache_size > 0) { + pw_cache_idx = pw_cache_size = 0; + if (pw_response.extra_data.data) { + free(pw_response.extra_data.data); + } + } + wbc_status = wbcRequestResponse(WINBINDD_ENDPWENT, NULL, NULL); BAIL_ON_WBC_ERROR(wbc_status); @@ -320,16 +361,70 @@ wbcErr wbcEndpwent(void) /** @brief Return the next struct passwd* entry from the pwent iterator * - * @param **pwd Pointer to resulting struct group* from the query. + * @param **pwd Pointer to resulting struct passwd* from the query. * * @return #wbcErr **/ wbcErr wbcGetpwent(struct passwd **pwd) { - return WBC_ERR_NOT_IMPLEMENTED; + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + struct winbindd_request request; + struct winbindd_pw *wb_pw; + + /* If there's a cached result, return that. */ + if (pw_cache_idx < pw_cache_size) { + goto return_result; + } + + /* Otherwise, query winbindd for some entries. */ + + pw_cache_idx = 0; + + if (pw_response.extra_data.data) { + free(pw_response.extra_data.data); + ZERO_STRUCT(pw_response); + } + + ZERO_STRUCT(request); + request.data.num_entries = MAX_GETPWENT_USERS; + + wbc_status = wbcRequestResponse(WINBINDD_GETPWENT, &request, + &pw_response); + + BAIL_ON_WBC_ERROR(wbc_status); + + pw_cache_size = pw_response.data.num_entries; + +return_result: + + wb_pw = (struct winbindd_pw *) pw_response.extra_data.data; + + *pwd = copy_passwd_entry(&wb_pw[pw_cache_idx]); + + BAIL_ON_PTR_ERROR(*pwd, wbc_status); + + pw_cache_idx++; + +done: + return wbc_status; } +/** @brief Number of cached group structs + * + */ +static uint32_t gr_cache_size; + +/** @brief Position of the grent context + * + */ +static uint32_t gr_cache_idx; + +/** @brief Winbindd response containing the group structs + * + */ +static struct winbindd_response gr_response; + /** @brief Reset the group iterator * * @return #wbcErr @@ -339,6 +434,15 @@ wbcErr wbcSetgrent(void) { wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + if (gr_cache_size > 0) { + gr_cache_idx = gr_cache_size = 0; + if (gr_response.extra_data.data) { + free(gr_response.extra_data.data); + } + } + + ZERO_STRUCT(gr_response); + wbc_status = wbcRequestResponse(WINBINDD_SETGRENT, NULL, NULL); BAIL_ON_WBC_ERROR(wbc_status); @@ -356,6 +460,13 @@ wbcErr wbcEndgrent(void) { wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + if (gr_cache_size > 0) { + gr_cache_idx = gr_cache_size = 0; + if (gr_response.extra_data.data) { + free(gr_response.extra_data.data); + } + } + wbc_status = wbcRequestResponse(WINBINDD_ENDGRENT, NULL, NULL); BAIL_ON_WBC_ERROR(wbc_status); @@ -364,7 +475,7 @@ wbcErr wbcEndgrent(void) return wbc_status; } -/** @brief Return the next struct passwd* entry from the pwent iterator +/** @brief Return the next struct group* entry from the pwent iterator * * @param **grp Pointer to resulting struct group* from the query. * @@ -373,7 +484,104 @@ wbcErr wbcEndgrent(void) wbcErr wbcGetgrent(struct group **grp) { - return WBC_ERR_NOT_IMPLEMENTED; + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + struct winbindd_request request; + struct winbindd_gr *wb_gr; + uint32_t mem_ofs; + + /* If there's a cached result, return that. */ + if (gr_cache_idx < gr_cache_size) { + goto return_result; + } + + /* Otherwise, query winbindd for some entries. */ + + gr_cache_idx = 0; + + if (gr_response.extra_data.data) { + free(gr_response.extra_data.data); + ZERO_STRUCT(gr_response); + } + + ZERO_STRUCT(request); + request.data.num_entries = MAX_GETGRENT_GROUPS; + + wbc_status = wbcRequestResponse(WINBINDD_GETGRENT, &request, + &gr_response); + + BAIL_ON_WBC_ERROR(wbc_status); + + gr_cache_size = gr_response.data.num_entries; + +return_result: + + wb_gr = (struct winbindd_gr *) gr_response.extra_data.data; + + mem_ofs = wb_gr[gr_cache_idx].gr_mem_ofs + + gr_cache_size * sizeof(struct winbindd_gr); + + *grp = copy_group_entry(&wb_gr[gr_cache_idx], + ((char *)gr_response.extra_data.data)+mem_ofs); + + BAIL_ON_PTR_ERROR(*grp, wbc_status); + + gr_cache_idx++; + +done: + return wbc_status; +} + +/** @brief Return the next struct group* entry from the pwent iterator + * + * This is similar to #wbcGetgrent, just that the member list is empty + * + * @param **grp Pointer to resulting struct group* from the query. + * + * @return #wbcErr + **/ + +wbcErr wbcGetgrlist(struct group **grp) +{ + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + struct winbindd_request request; + struct winbindd_gr *wb_gr; + + /* If there's a cached result, return that. */ + if (gr_cache_idx < gr_cache_size) { + goto return_result; + } + + /* Otherwise, query winbindd for some entries. */ + + gr_cache_idx = 0; + + if (gr_response.extra_data.data) { + free(gr_response.extra_data.data); + ZERO_STRUCT(gr_response); + } + + ZERO_STRUCT(request); + request.data.num_entries = MAX_GETGRENT_GROUPS; + + wbc_status = wbcRequestResponse(WINBINDD_GETGRLST, &request, + &gr_response); + + BAIL_ON_WBC_ERROR(wbc_status); + + gr_cache_size = gr_response.data.num_entries; + +return_result: + + wb_gr = (struct winbindd_gr *) gr_response.extra_data.data; + + *grp = copy_group_entry(&wb_gr[gr_cache_idx], NULL); + + BAIL_ON_PTR_ERROR(*grp, wbc_status); + + gr_cache_idx++; + +done: + return wbc_status; } /** @brief Return the unix group array belonging to the given user diff --git a/source3/nsswitch/libwbclient/wbclient.c b/source3/nsswitch/libwbclient/wbclient.c index bdde562a93..c0b7e0675a 100644 --- a/source3/nsswitch/libwbclient/wbclient.c +++ b/source3/nsswitch/libwbclient/wbclient.c @@ -59,7 +59,7 @@ wbcErr wbcRequestResponse(int cmd, wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; NSS_STATUS nss_status; - /* for some calls the request and/or response cna be NULL */ + /* for some calls the request and/or response can be NULL */ nss_status = winbindd_request_response(cmd, request, response); diff --git a/source3/nsswitch/libwbclient/wbclient.h b/source3/nsswitch/libwbclient/wbclient.h index 662e0cdf8d..cb31360407 100644 --- a/source3/nsswitch/libwbclient/wbclient.h +++ b/source3/nsswitch/libwbclient/wbclient.h @@ -57,9 +57,12 @@ const char *wbcErrorString(wbcErr error); /** * @brief Some useful details about the wbclient library * + * 0.1: Initial version + * 0.2: Added wbcRemoveUidMapping() + * Added wbcRemoveGidMapping() **/ #define WBCLIENT_MAJOR_VERSION 0 -#define WBCLIENT_MINOR_VERSION 1 +#define WBCLIENT_MINOR_VERSION 2 #define WBCLIENT_VENDOR_VERSION "Samba libwbclient" struct wbcLibraryDetails { uint16_t major_version; @@ -358,7 +361,7 @@ struct wbcLogonUserInfo { #define WBC_AUTH_USER_INFO_NOENCRYPTION 0x00000002 #define WBC_AUTH_USER_INFO_CACHED_ACCOUNT 0x00000004 #define WBC_AUTH_USER_INFO_USED_LM_PASSWORD 0x00000008 -#define WBC_AUTH_USER_INFO_EXTRA_SIDS 0x00000020 +#define WBC_AUTH_USER_INFO_EXTRA_SIDS 0x00000020 #define WBC_AUTH_USER_INFO_SUBAUTH_SESSION_KEY 0x00000040 #define WBC_AUTH_USER_INFO_SERVER_TRUST_ACCOUNT 0x00000080 #define WBC_AUTH_USER_INFO_NTLMV2_ENABLED 0x00000100 @@ -385,7 +388,7 @@ struct wbcLogonUserInfo { #define WBC_ACB_NOT_DELEGATED 0x00004000 /* 1 Not delegated */ #define WBC_ACB_USE_DES_KEY_ONLY 0x00008000 /* 1 Use DES key only */ #define WBC_ACB_DONT_REQUIRE_PREAUTH 0x00010000 /* 1 Preauth not required */ -#define WBC_ACB_PW_EXPIRED 0x00020000 /* 1 Password Expired */ +#define WBC_ACB_PW_EXPIRED 0x00020000 /* 1 Password Expired */ #define WBC_ACB_NO_AUTH_DATA_REQD 0x00080000 /* 1 = No authorization data required */ struct wbcAuthErrorInfo { @@ -437,6 +440,30 @@ struct wbcLogoffUserParams { struct wbcNamedBlob *blobs; }; +/** @brief Credential cache log-on parameters + * + */ + +struct wbcCredentialCacheParams { + const char *account_name; + const char *domain_name; + enum wbcCredentialCacheLevel { + WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP = 1 + } level; + size_t num_blobs; + struct wbcNamedBlob *blobs; +}; + + +/** @brief Info returned by credential cache auth + * + */ + +struct wbcCredentialCacheInfo { + size_t num_blobs; + struct wbcNamedBlob *blobs; +}; + /* * DomainControllerInfo struct */ @@ -538,15 +565,27 @@ wbcErr wbcGetDisplayName(const struct wbcDomainSid *sid, wbcErr wbcSidToUid(const struct wbcDomainSid *sid, uid_t *puid); +wbcErr wbcQuerySidToUid(const struct wbcDomainSid *sid, + uid_t *puid); + wbcErr wbcUidToSid(uid_t uid, struct wbcDomainSid *sid); +wbcErr wbcQueryUidToSid(uid_t uid, + struct wbcDomainSid *sid); + wbcErr wbcSidToGid(const struct wbcDomainSid *sid, gid_t *pgid); +wbcErr wbcQuerySidToGid(const struct wbcDomainSid *sid, + gid_t *pgid); + wbcErr wbcGidToSid(gid_t gid, struct wbcDomainSid *sid); +wbcErr wbcQueryGidToSid(gid_t gid, + struct wbcDomainSid *sid); + wbcErr wbcAllocateUid(uid_t *puid); wbcErr wbcAllocateGid(gid_t *pgid); @@ -555,6 +594,10 @@ wbcErr wbcSetUidMapping(uid_t uid, const struct wbcDomainSid *sid); wbcErr wbcSetGidMapping(gid_t gid, const struct wbcDomainSid *sid); +wbcErr wbcRemoveUidMapping(uid_t uid, const struct wbcDomainSid *sid); + +wbcErr wbcRemoveGidMapping(gid_t gid, const struct wbcDomainSid *sid); + wbcErr wbcSetUidHwm(uid_t uid_hwm); wbcErr wbcSetGidHwm(gid_t gid_hwm); @@ -583,6 +626,8 @@ wbcErr wbcEndgrent(void); wbcErr wbcGetgrent(struct group **grp); +wbcErr wbcGetgrlist(struct group **grp); + wbcErr wbcGetGroups(const char *account, uint32_t *num_groups, gid_t **_groups); @@ -662,6 +707,10 @@ wbcErr wbcChangeUserPasswordEx(const struct wbcChangePasswordParams *params, enum wbcPasswordChangeRejectReason *reject_reason, struct wbcUserPasswordPolicyInfo **policy); +wbcErr wbcCredentialCache(struct wbcCredentialCacheParams *params, + struct wbcCredentialCacheInfo **info, + struct wbcAuthErrorInfo **error); + /* * Resolve functions */ diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index 1c927259e5..be22ff3f5e 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -147,6 +147,21 @@ static const char *_pam_error_code_str(int err) #define MAX_PASSWD_TRIES 3 +#ifdef HAVE_GETTEXT +static char initialized = 0; + +static inline void textdomain_init(void); +static inline void textdomain_init(void) +{ + if (!initialized) { + bindtextdomain(MODULE_NAME, dyn_LOCALEDIR); + initialized = 1; + } + return; +} +#endif + + /* * Work around the pam API that has functions with void ** as parameters * These lead to strict aliasing warnings with gcc. @@ -515,6 +530,10 @@ static int _pam_winbind_init_context(pam_handle_t *pamh, { struct pwb_context *r = NULL; +#ifdef HAVE_GETTEXT + textdomain_init(); +#endif + r = TALLOC_ZERO_P(NULL, struct pwb_context); if (!r) { return PAM_BUF_ERR; @@ -557,44 +576,44 @@ static const struct ntstatus_errors { const char *error_string; } ntstatus_errors[] = { {"NT_STATUS_OK", - "Success"}, + N_("Success")}, {"NT_STATUS_BACKUP_CONTROLLER", - "No primary Domain Controler available"}, + N_("No primary Domain Controler available")}, {"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND", - "No domain controllers found"}, + N_("No domain controllers found")}, {"NT_STATUS_NO_LOGON_SERVERS", - "No logon servers"}, + N_("No logon servers")}, {"NT_STATUS_PWD_TOO_SHORT", - "Password too short"}, + N_("Password too short")}, {"NT_STATUS_PWD_TOO_RECENT", - "The password of this user is too recent to change"}, + N_("The password of this user is too recent to change")}, {"NT_STATUS_PWD_HISTORY_CONFLICT", - "Password is already in password history"}, + N_("Password is already in password history")}, {"NT_STATUS_PASSWORD_EXPIRED", - "Your password has expired"}, + N_("Your password has expired")}, {"NT_STATUS_PASSWORD_MUST_CHANGE", - "You need to change your password now"}, + N_("You need to change your password now")}, {"NT_STATUS_INVALID_WORKSTATION", - "You are not allowed to logon from this workstation"}, + N_("You are not allowed to logon from this workstation")}, {"NT_STATUS_INVALID_LOGON_HOURS", - "You are not allowed to logon at this time"}, + N_("You are not allowed to logon at this time")}, {"NT_STATUS_ACCOUNT_EXPIRED", - "Your account has expired. " - "Please contact your System administrator"}, /* SCNR */ + N_("Your account has expired. " + "Please contact your System administrator")}, /* SCNR */ {"NT_STATUS_ACCOUNT_DISABLED", - "Your account is disabled. " - "Please contact your System administrator"}, /* SCNR */ + N_("Your account is disabled. " + "Please contact your System administrator")}, /* SCNR */ {"NT_STATUS_ACCOUNT_LOCKED_OUT", - "Your account has been locked. " - "Please contact your System administrator"}, /* SCNR */ + N_("Your account has been locked. " + "Please contact your System administrator")}, /* SCNR */ {"NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT", - "Invalid Trust Account"}, + N_("Invalid Trust Account")}, {"NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT", - "Invalid Trust Account"}, + N_("Invalid Trust Account")}, {"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT", - "Invalid Trust Account"}, + N_("Invalid Trust Account")}, {"NT_STATUS_ACCESS_DENIED", - "Access is denied"}, + N_("Access is denied")}, {NULL, NULL} }; @@ -604,7 +623,7 @@ static const char *_get_ntstatus_error_string(const char *nt_status_string) for (i=0; ntstatus_errors[i].ntstatus_string != NULL; i++) { if (!strcasecmp(ntstatus_errors[i].ntstatus_string, nt_status_string)) { - return ntstatus_errors[i].error_string; + return _(ntstatus_errors[i].error_string); } } return NULL; @@ -832,14 +851,14 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, if (days == 0) { _make_remark(ctx, PAM_TEXT_INFO, - "Your password expires today"); + _("Your password expires today")); return true; } if (days > 0 && days < warn_pwd_expire) { _make_remark_format(ctx, PAM_TEXT_INFO, - "Your password will expire in %d %s", - days, (days > 1) ? "days":"day"); + _("Your password will expire in %d %s"), + days, (days > 1) ? _("days"):_("day")); return true; } @@ -1231,9 +1250,9 @@ static void _pam_warn_logon_type(struct pwb_context *ctx, if (PAM_WB_GRACE_LOGON(info3_user_flgs)) { _make_remark(ctx, PAM_ERROR_MSG, - "Grace login. " - "Please change your password as soon you're " - "online again"); + _("Grace login. " + "Please change your password as soon you're " + "online again")); _pam_log_debug(ctx, LOG_DEBUG, "User %s logged on using grace logon\n", username); @@ -1241,9 +1260,9 @@ static void _pam_warn_logon_type(struct pwb_context *ctx, } else if (PAM_WB_CACHED_LOGON(info3_user_flgs)) { _make_remark(ctx, PAM_ERROR_MSG, - "Domain Controller unreachable, " - "using cached credentials instead. " - "Network resources may be unavailable"); + _("Domain Controller unreachable, " + "using cached credentials instead. " + "Network resources may be unavailable")); _pam_log_debug(ctx, LOG_DEBUG, "User %s logged on using cached credentials\n", username); @@ -1266,10 +1285,10 @@ static void _pam_warn_krb5_failure(struct pwb_context *ctx, { if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) { _make_remark(ctx, PAM_ERROR_MSG, - "Failed to establish your Kerberos Ticket cache " - "due time differences\n" - "with the domain controller. " - "Please verify the system time.\n"); + _("Failed to establish your Kerberos Ticket cache " + "due time differences\n" + "with the domain controller. " + "Please verify the system time.\n")); _pam_log_debug(ctx, LOG_DEBUG, "User %s: Clock skew when getting Krb5 TGT\n", username); @@ -1334,14 +1353,14 @@ static char *_pam_compose_pwd_restriction_string(struct pwb_context *ctx, goto failed; } - str = talloc_asprintf(ctx, "Your password "); + str = talloc_asprintf(ctx, _("Your password ")); if (!str) { goto failed; } if (i->min_length_password > 0) { str = talloc_asprintf_append(str, - "must be at least %d characters; ", + _("must be at least %d characters; "), i->min_length_password); if (!str) { goto failed; @@ -1350,8 +1369,8 @@ static char *_pam_compose_pwd_restriction_string(struct pwb_context *ctx, if (i->password_history > 0) { str = talloc_asprintf_append(str, - "cannot repeat any of your previous %d " - "passwords; ", + _("cannot repeat any of your previous %d " + "passwords; "), i->password_history); if (!str) { goto failed; @@ -1360,19 +1379,19 @@ static char *_pam_compose_pwd_restriction_string(struct pwb_context *ctx, if (i->password_properties & WBC_DOMAIN_PASSWORD_COMPLEX) { str = talloc_asprintf_append(str, - "must contain capitals, numerals " - "or punctuation; " - "and cannot contain your account " - "or full name; "); + _("must contain capitals, numerals " + "or punctuation; " + "and cannot contain your account " + "or full name; ")); if (!str) { goto failed; } } str = talloc_asprintf_append(str, - "Please type a different password. " - "Type a password which meets these requirements in " - "both text boxes."); + _("Please type a different password. " + "Type a password which meets these requirements in " + "both text boxes.")); if (!str) { goto failed; } @@ -1397,7 +1416,7 @@ static int _pam_create_homedir(struct pwb_context *ctx, if (mkdir(dirname, mode) != 0) { _make_remark_format(ctx, PAM_TEXT_INFO, - "Creating directory: %s failed: %s", + _("Creating directory: %s failed: %s"), dirname, strerror(errno)); _pam_log(ctx, LOG_ERR, "could not create dir: %s (%s)", dirname, strerror(errno)); @@ -1615,14 +1634,16 @@ static int winbind_auth_request(struct pwb_context *ctx, logon.username = user; logon.password = pass; - wbc_status = wbcAddNamedBlob(&logon.num_blobs, - &logon.blobs, - "krb5_cc_type", - 0, - (uint8_t *)cctype, - strlen(cctype)+1); - if (!WBC_ERROR_IS_OK(wbc_status)) { - goto done; + if (cctype) { + wbc_status = wbcAddNamedBlob(&logon.num_blobs, + &logon.blobs, + "krb5_cc_type", + 0, + (uint8_t *)cctype, + strlen(cctype)+1); + if (!WBC_ERROR_IS_OK(wbc_status)) { + goto done; + } } wbc_status = wbcAddNamedBlob(&logon.num_blobs, @@ -1645,14 +1666,16 @@ static int winbind_auth_request(struct pwb_context *ctx, goto done; } - wbc_status = wbcAddNamedBlob(&logon.num_blobs, - &logon.blobs, - "membership_of", - 0, - (uint8_t *)membership_of, - sizeof(membership_of)); - if (!WBC_ERROR_IS_OK(wbc_status)) { - goto done; + if (member) { + wbc_status = wbcAddNamedBlob(&logon.num_blobs, + &logon.blobs, + "membership_of", + 0, + (uint8_t *)membership_of, + sizeof(membership_of)); + if (!WBC_ERROR_IS_OK(wbc_status)) { + goto done; + } } wbc_status = wbcLogonUser(&logon, &info, &error, &policy); @@ -1851,8 +1874,8 @@ static int winbind_chauthtok_request(struct pwb_context *ctx, break; case WBC_PWD_CHANGE_REJECT_COMPLEXITY: _make_remark(ctx, PAM_ERROR_MSG, - "Password does not meet " - "complexity requirements"); + _("Password does not meet " + "complexity requirements")); break; default: _pam_log_debug(ctx, LOG_DEBUG, @@ -2293,7 +2316,7 @@ static int _pam_delete_cred(pam_handle_t *pamh, int flags, struct wbcLogoffUserParams logoff; struct wbcAuthErrorInfo *error = NULL; const char *user; - wbcErr wbc_status; + wbcErr wbc_status = WBC_ERR_SUCCESS; retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx); if (retval) { @@ -2310,7 +2333,7 @@ static int _pam_delete_cred(pam_handle_t *pamh, int flags, const char *ccname = NULL; struct passwd *pwd = NULL; - retval = pam_get_user(pamh, &user, "Username: "); + retval = pam_get_user(pamh, &user, _("Username: ")); if (retval) { _pam_log(ctx, LOG_ERR, "could not identify user"); @@ -2346,14 +2369,16 @@ static int _pam_delete_cred(pam_handle_t *pamh, int flags, logoff.username = user; - wbc_status = wbcAddNamedBlob(&logoff.num_blobs, - &logoff.blobs, - "ccfilename", - 0, - (uint8_t *)ccname, - strlen(ccname)+1); - if (!WBC_ERROR_IS_OK(wbc_status)) { - goto out; + if (ccname) { + wbc_status = wbcAddNamedBlob(&logoff.num_blobs, + &logoff.blobs, + "ccfilename", + 0, + (uint8_t *)ccname, + strlen(ccname)+1); + if (!WBC_ERROR_IS_OK(wbc_status)) { + goto out; + } } wbc_status = wbcAddNamedBlob(&logoff.num_blobs, @@ -2485,7 +2510,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, } retval = _winbind_read_password(ctx, ctx->ctrl, NULL, - "Password: ", NULL, + _("Password: "), NULL, &password); if (retval != PAM_SUCCESS) { @@ -2855,7 +2880,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, /* * First get the name of a user */ - ret = pam_get_user(pamh, &user, "Username: "); + ret = pam_get_user(pamh, &user, _("Username: ")); if (ret) { _pam_log(ctx, LOG_ERR, "password - could not identify user"); @@ -2893,7 +2918,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, /* instruct user what is happening */ -#define greeting "Changing password for" +#define greeting _("Changing password for") Announce = talloc_asprintf(ctx, "%s %s", greeting, user); if (!Announce) { _pam_log(ctx, LOG_CRIT, @@ -2906,7 +2931,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, lctrl = ctx->ctrl | WINBIND__OLD_PASSWORD; ret = _winbind_read_password(ctx, lctrl, Announce, - "(current) NT password: ", + _("(current) NT password: "), NULL, (const char **) &pass_old); TALLOC_FREE(Announce); @@ -2976,8 +3001,8 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, ret = _winbind_read_password(ctx, lctrl, NULL, - "Enter new NT password: ", - "Retype new NT password: ", + _("Enter new NT password: "), + _("Retype new NT password: "), (const char **)&pass_new); if (ret != PAM_SUCCESS) { diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index cb6f450ccb..0656f5972e 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -9,6 +9,7 @@ #include "system/time.h" #include <talloc.h> #include "libwbclient/wbclient.h" +#include "localedir.h" #define MODULE_NAME "pam_winbind" #define PAM_SM_AUTH @@ -22,6 +23,10 @@ #include <iniparser.h> +#ifdef HAVE_LIBINTL_H +#include <libintl.h> +#endif + #ifndef LINUX /* Solaris always uses dynamic pam modules */ @@ -101,12 +106,20 @@ do { \ #define WINBIND_WARN_PWD_EXPIRE 0x00002000 #define WINBIND_MKHOMEDIR 0x00004000 +#if defined(HAVE_GETTEXT) && !defined(__LCLINT__) +#define _(string) dgettext(MODULE_NAME, string) +#else +#define _(string) string +#endif + +#define N_(string) string + /* * here is the string to inform the user that the new passwords they * typed were not the same. */ -#define MISTYPED_PASS "Sorry, passwords do not match" +#define MISTYPED_PASS _("Sorry, passwords do not match") #define on(x, y) (x & y) #define off(x, y) (!(x & y)) diff --git a/source3/nsswitch/wb_common.c b/source3/nsswitch/wb_common.c index 6e6d2bbbf8..a1646215bd 100644 --- a/source3/nsswitch/wb_common.c +++ b/source3/nsswitch/wb_common.c @@ -314,7 +314,7 @@ static int winbind_open_pipe_sock(int recursing, int need_priv) if ((need_priv != 0) && (is_privileged == 0)) { winbind_close_sock(); } - + if (winbindd_fd != -1) { return winbindd_fd; } diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c index 84f01e19ff..d14cfe94b7 100644 --- a/source3/nsswitch/wbinfo.c +++ b/source3/nsswitch/wbinfo.c @@ -75,7 +75,7 @@ static char winbind_separator_int(bool strict) /* HACK: (this module should not call lp_ funtions) */ sep = *lp_winbind_separator(); } - + return sep; } @@ -130,6 +130,31 @@ static bool parse_wbinfo_domain_user(const char *domuser, fstring domain, return true; } +/* Parse string of "uid,sid" or "gid,sid" into separate int and string values. + * Return true if input was valid, false otherwise. */ +static bool parse_mapping_arg(char *arg, int *id, char **sid) +{ + char *tmp, *endptr; + + if (!arg || !*arg) + return false; + + tmp = strtok(arg, ","); + *sid = strtok(NULL, ","); + + if (!tmp || !*tmp || !*sid || !**sid) + return false; + + /* Because atoi() can return 0 on invalid input, which would be a valid + * UID/GID we must use strtol() and do error checking */ + *id = strtol(tmp, &endptr, 10); + + if (endptr[0] != '\0') + return false; + + return true; +} + /* pull pwent info for a given user */ static bool wbinfo_get_userinfo(char *user) @@ -738,6 +763,102 @@ static bool wbinfo_allocate_gid(void) return true; } +static bool wbinfo_set_uid_mapping(uid_t uid, const char *sid_str) +{ + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + struct wbcDomainSid sid; + + /* Send request */ + + wbc_status = wbcStringToSid(sid_str, &sid); + if (!WBC_ERROR_IS_OK(wbc_status)) { + return false; + } + + wbc_status = wbcSetUidMapping(uid, &sid); + if (!WBC_ERROR_IS_OK(wbc_status)) { + return false; + } + + /* Display response */ + + d_printf("uid %d now mapped to sid %s\n", uid, sid_str); + + return true; +} + +static bool wbinfo_set_gid_mapping(gid_t gid, const char *sid_str) +{ + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + struct wbcDomainSid sid; + + /* Send request */ + + wbc_status = wbcStringToSid(sid_str, &sid); + if (!WBC_ERROR_IS_OK(wbc_status)) { + return false; + } + + wbc_status = wbcSetGidMapping(gid, &sid); + if (!WBC_ERROR_IS_OK(wbc_status)) { + return false; + } + + /* Display response */ + + d_printf("gid %d now mapped to sid %s\n", gid, sid_str); + + return true; +} + +static bool wbinfo_remove_uid_mapping(uid_t uid, const char *sid_str) +{ + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + struct wbcDomainSid sid; + + /* Send request */ + + wbc_status = wbcStringToSid(sid_str, &sid); + if (!WBC_ERROR_IS_OK(wbc_status)) { + return false; + } + + wbc_status = wbcRemoveUidMapping(uid, &sid); + if (!WBC_ERROR_IS_OK(wbc_status)) { + return false; + } + + /* Display response */ + + d_printf("Removed uid %d to sid %s mapping\n", uid, sid_str); + + return true; +} + +static bool wbinfo_remove_gid_mapping(gid_t gid, const char *sid_str) +{ + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + struct wbcDomainSid sid; + + /* Send request */ + + wbc_status = wbcStringToSid(sid_str, &sid); + if (!WBC_ERROR_IS_OK(wbc_status)) { + return false; + } + + wbc_status = wbcRemoveGidMapping(gid, &sid); + if (!WBC_ERROR_IS_OK(wbc_status)) { + return false; + } + + /* Display response */ + + d_printf("Removed gid %d to sid %s mapping\n", gid, sid_str); + + return true; +} + /* Convert sid to string */ static bool wbinfo_lookupsid(const char *sid_str) @@ -1414,6 +1535,10 @@ enum { OPT_USERSIDS, OPT_ALLOCATE_UID, OPT_ALLOCATE_GID, + OPT_SET_UID_MAPPING, + OPT_SET_GID_MAPPING, + OPT_REMOVE_UID_MAPPING, + OPT_REMOVE_GID_MAPPING, OPT_SEPARATOR, OPT_LIST_ALL_DOMAINS, OPT_LIST_OWN_DOMAIN, @@ -1431,8 +1556,10 @@ int main(int argc, char **argv, char **envp) TALLOC_CTX *frame = talloc_stackframe(); poptContext pc; static char *string_arg; + char *string_subarg = NULL; static char *opt_domain_name; static int int_arg; + int int_subarg = -1; int result = 1; bool verbose = false; @@ -1459,6 +1586,10 @@ int main(int argc, char **argv, char **envp) "Get a new UID out of idmap" }, { "allocate-gid", 0, POPT_ARG_NONE, 0, OPT_ALLOCATE_GID, "Get a new GID out of idmap" }, + { "set-uid-mapping", 0, POPT_ARG_STRING, &string_arg, OPT_SET_UID_MAPPING, "Create or modify uid to sid mapping in idmap", "UID,SID" }, + { "set-gid-mapping", 0, POPT_ARG_STRING, &string_arg, OPT_SET_GID_MAPPING, "Create or modify gid to sid mapping in idmap", "GID,SID" }, + { "remove-uid-mapping", 0, POPT_ARG_STRING, &string_arg, OPT_REMOVE_UID_MAPPING, "Remove uid to sid mapping in idmap", "UID,SID" }, + { "remove-gid-mapping", 0, POPT_ARG_STRING, &string_arg, OPT_REMOVE_GID_MAPPING, "Remove gid to sid mapping in idmap", "GID,SID" }, { "check-secret", 't', POPT_ARG_NONE, 0, 't', "Check shared secret" }, { "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm', "List trusted domains" }, { "all-domains", 0, POPT_ARG_NONE, 0, OPT_LIST_ALL_DOMAINS, "List all domains (trusted and own domain)" }, @@ -1473,7 +1604,7 @@ int main(int argc, char **argv, char **envp) { "user-domgroups", 0, POPT_ARG_STRING, &string_arg, OPT_USERDOMGROUPS, "Get user domain groups", "SID" }, { "user-sids", 0, POPT_ARG_STRING, &string_arg, OPT_USERSIDS, "Get user group sids for user SID", "SID" }, - { "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a', "authenticate user", "user%password" }, + { "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a', "authenticate user", "user%password" }, { "set-auth-user", 0, POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER, "Store user and password used by winbindd (root only)", "user%password" }, { "getdcname", 0, POPT_ARG_STRING, &string_arg, OPT_GETDCNAME, "Get a DC name for a foreign domain", "domainname" }, @@ -1482,7 +1613,7 @@ int main(int argc, char **argv, char **envp) { "ping", 'p', POPT_ARG_NONE, 0, 'p', "Ping winbindd to see if it is alive" }, { "domain", 0, POPT_ARG_STRING, &opt_domain_name, OPT_DOMAIN_NAME, "Define to the domain to restrict operation", "domain" }, #ifdef WITH_FAKE_KASERVER - { "klog", 'k', POPT_ARG_STRING, &string_arg, 'k', "set an AFS token from winbind", "user%password" }, + { "klog", 'k', POPT_ARG_STRING, &string_arg, 'k', "set an AFS token from winbind", "user%password" }, #endif #ifdef HAVE_KRB5 { "krb5auth", 'K', POPT_ARG_STRING, &string_arg, 'K', "authenticate user using Kerberos", "user%password" }, @@ -1534,7 +1665,7 @@ int main(int argc, char **argv, char **envp) load_interfaces(); - pc = poptGetContext(NULL, argc, (const char **)argv, long_options, + pc = poptGetContext(NULL, argc, (const char **)argv, long_options, POPT_CONTEXT_KEEP_FIRST); while((opt = poptGetNextOpt(pc)) != -1) { @@ -1627,6 +1758,48 @@ int main(int argc, char **argv, char **envp) goto done; } break; + case OPT_SET_UID_MAPPING: + if (!parse_mapping_arg(string_arg, &int_subarg, + &string_subarg) || + !wbinfo_set_uid_mapping(int_subarg, string_subarg)) + { + d_fprintf(stderr, "Could not create or modify " + "uid to sid mapping\n"); + goto done; + } + break; + case OPT_SET_GID_MAPPING: + if (!parse_mapping_arg(string_arg, &int_subarg, + &string_subarg) || + !wbinfo_set_gid_mapping(int_subarg, string_subarg)) + { + d_fprintf(stderr, "Could not create or modify " + "gid to sid mapping\n"); + goto done; + } + break; + case OPT_REMOVE_UID_MAPPING: + if (!parse_mapping_arg(string_arg, &int_subarg, + &string_subarg) || + !wbinfo_remove_uid_mapping(int_subarg, + string_subarg)) + { + d_fprintf(stderr, "Could not remove uid to sid " + "mapping\n"); + goto done; + } + break; + case OPT_REMOVE_GID_MAPPING: + if (!parse_mapping_arg(string_arg, &int_subarg, + &string_subarg) || + !wbinfo_remove_gid_mapping(int_subarg, + string_subarg)) + { + d_fprintf(stderr, "Could not remove gid to sid " + "mapping\n"); + goto done; + } + break; case 't': if (!wbinfo_check_secret()) { d_fprintf(stderr, "Could not check secret\n"); diff --git a/source3/nsswitch/winbind_struct_protocol.h b/source3/nsswitch/winbind_struct_protocol.h index ff52dbddaf..36873f2096 100644 --- a/source3/nsswitch/winbind_struct_protocol.h +++ b/source3/nsswitch/winbind_struct_protocol.h @@ -41,7 +41,9 @@ /* Update this when you change the interface. */ -#define WINBIND_INTERFACE_VERSION 19 +/* Version 20: added WINBINDD_REMOVE_MAPPING command */ + +#define WINBIND_INTERFACE_VERSION 20 /* Have to deal with time_t being 4 or 8 bytes due to structure alignment. On a 64bit Linux box, we have to support a constant structure size @@ -95,7 +97,7 @@ enum winbindd_cmd { /* Lookup functions */ - WINBINDD_SID_TO_UID, + WINBINDD_SID_TO_UID, WINBINDD_SID_TO_GID, WINBINDD_SIDS_TO_XIDS, WINBINDD_UID_TO_SID, @@ -104,6 +106,7 @@ enum winbindd_cmd { WINBINDD_ALLOCATE_UID, WINBINDD_ALLOCATE_GID, WINBINDD_SET_MAPPING, + WINBINDD_REMOVE_MAPPING, WINBINDD_SET_HWM, /* Miscellaneous other stuff */ @@ -150,6 +153,7 @@ enum winbindd_cmd { WINBINDD_DUAL_UID2SID, WINBINDD_DUAL_GID2SID, WINBINDD_DUAL_SET_MAPPING, + WINBINDD_DUAL_REMOVE_MAPPING, WINBINDD_DUAL_SET_HWM, /* Wrapper around possibly blocking unix nss calls */ @@ -202,7 +206,9 @@ typedef struct winbindd_gr { #define WBFLAG_IS_PRIVILEGED 0x00000400 /* not used */ /* Flag to say this is a winbindd internal send - don't recurse. */ #define WBFLAG_RECURSE 0x00000800 - +/* Flag to tell winbind the NTLMv2 blob is too big for the struct and is in the + * extra_data field */ +#define WBFLAG_BIG_NTLMV2_BLOB 0x00010000 #define WINBINDD_MAX_EXTRA_DATA (128*1024) diff --git a/source3/nsswitch/wins.c b/source3/nsswitch/wins.c index 2f82997aaf..e028eb8cf2 100644 --- a/source3/nsswitch/wins.c +++ b/source3/nsswitch/wins.c @@ -24,6 +24,14 @@ #include <ns_daemon.h> #endif +#if HAVE_PTHREAD_H +#include <pthread.h> +#endif + +#if HAVE_PTHREAD +static pthread_mutex_t wins_nss_mutex = PTHREAD_MUTEX_INITIALIZER; +#endif + #ifndef INADDRSZ #define INADDRSZ 4 #endif @@ -320,11 +328,16 @@ NSS_STATUS _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, char *buffer, size_t buflen, int *h_errnop) { + NSS_STATUS nss_status = NSS_STATUS_SUCCESS; struct in_addr *ip_list; int i, count; fstring name; size_t namelen; +#if HAVE_PTHREAD + pthread_mutex_lock(&wins_nss_mutex); +#endif + memset(he, '\0', sizeof(*he)); fstrcpy(name, hostname); @@ -332,8 +345,10 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, ip_list = lookup_byname_backend(name, &count); - if (!ip_list) - return NSS_STATUS_NOTFOUND; + if (!ip_list) { + nss_status = NSS_STATUS_NOTFOUND; + goto out; + } /* Copy h_name */ @@ -341,7 +356,8 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, if ((he->h_name = get_static(&buffer, &buflen, namelen)) == NULL) { free(ip_list); - return NSS_STATUS_TRYAGAIN; + nss_status = NSS_STATUS_TRYAGAIN; + goto out; } memcpy(he->h_name, name, namelen); @@ -353,20 +369,23 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, if (get_static(&buffer, &buflen, i) == NULL) { free(ip_list); - return NSS_STATUS_TRYAGAIN; + nss_status = NSS_STATUS_TRYAGAIN; + goto out; } if ((he->h_addr_list = (char **)get_static( &buffer, &buflen, (count + 1) * sizeof(char *))) == NULL) { free(ip_list); - return NSS_STATUS_TRYAGAIN; + nss_status = NSS_STATUS_TRYAGAIN; + goto out; } for (i = 0; i < count; i++) { if ((he->h_addr_list[i] = get_static(&buffer, &buflen, INADDRSZ)) == NULL) { free(ip_list); - return NSS_STATUS_TRYAGAIN; + nss_status = NSS_STATUS_TRYAGAIN; + goto out; } memcpy(he->h_addr_list[i], &ip_list[i], INADDRSZ); } @@ -385,16 +404,27 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, if ((i = (unsigned long)(buffer) % sizeof(char*)) != 0) i = sizeof(char*) - i; - if (get_static(&buffer, &buflen, i) == NULL) - return NSS_STATUS_TRYAGAIN; + if (get_static(&buffer, &buflen, i) == NULL) { + nss_status = NSS_STATUS_TRYAGAIN; + goto out; + } if ((he->h_aliases = (char **)get_static( - &buffer, &buflen, sizeof(char *))) == NULL) - return NSS_STATUS_TRYAGAIN; + &buffer, &buflen, sizeof(char *))) == NULL) { + nss_status = NSS_STATUS_TRYAGAIN; + goto out; + } he->h_aliases[0] = NULL; - return NSS_STATUS_SUCCESS; + nss_status = NSS_STATUS_SUCCESS; + + out: + +#if HAVE_PTHREAD + pthread_mutex_unlock(&wins_nss_mutex); +#endif + return nss_status; } @@ -402,12 +432,15 @@ NSS_STATUS _nss_wins_gethostbyname2_r(const char *name, int af, struct hostent *he, char *buffer, size_t buflen, int *h_errnop) { + NSS_STATUS nss_status; + if(af!=AF_INET) { *h_errnop = NO_DATA; - return NSS_STATUS_UNAVAIL; + nss_status = NSS_STATUS_UNAVAIL; + } else { + nss_status = _nss_wins_gethostbyname_r( + name, he, buffer, buflen, h_errnop); } - - return _nss_wins_gethostbyname_r( - name, he, buffer, buflen, h_errnop); + return nss_status; } #endif diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 84f6fb907a..217957ab37 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -4899,7 +4899,7 @@ static void init_globals(bool first_time_only) Globals.bWinbindTrustedDomainsOnly = False; Globals.bWinbindNestedGroups = True; Globals.winbind_expand_groups = 1; - Globals.szWinbindNssInfo = str_list_make(NULL, "template", NULL); + Globals.szWinbindNssInfo = str_list_make_v3(talloc_autofree_context(), "template", NULL); Globals.bWinbindRefreshTickets = False; Globals.bWinbindOfflineLogon = False; @@ -5615,7 +5615,7 @@ const char **lp_parm_string_list(int snum, const char *type, const char *option, return (const char **)def; if (data->list==NULL) { - data->list = str_list_make(NULL, data->value, NULL); + data->list = str_list_make_v3(talloc_autofree_context(), data->value, NULL); } return (const char **)data->list; @@ -6859,7 +6859,7 @@ static bool handle_netbios_scope(int snum, const char *pszParmValue, char **ptr) static bool handle_netbios_aliases(int snum, const char *pszParmValue, char **ptr) { TALLOC_FREE(Globals.szNetbiosAliases); - Globals.szNetbiosAliases = str_list_make(NULL, pszParmValue, NULL); + Globals.szNetbiosAliases = str_list_make_v3(talloc_autofree_context(), pszParmValue, NULL); return set_netbios_aliases((const char **)Globals.szNetbiosAliases); } @@ -7261,8 +7261,8 @@ bool lp_do_parameter(int snum, const char *pszParmName, const char *pszParmValue case P_LIST: TALLOC_FREE(*((char ***)parm_ptr)); - *(char ***)parm_ptr = str_list_make( - NULL, pszParmValue, NULL); + *(char ***)parm_ptr = str_list_make_v3( + talloc_autofree_context(), pszParmValue, NULL); break; case P_STRING: diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 60699615f0..8367d6a9ad 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -665,7 +665,7 @@ NTSTATUS local_password_change(const char *user_name, DEBUGLEVEL = 1; } - if ( !(pwd = getpwnam_alloc( NULL, user_name)) ) { + if ( !(pwd = getpwnam_alloc(talloc_autofree_context(), user_name)) ) { return NT_STATUS_NO_SUCH_USER; } diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index 2a1024cc56..5a79f09db0 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -207,28 +207,28 @@ static struct pdb_methods *pdb_get_methods(void) bool pdb_getsampwnam(struct samu *sam_acct, const char *username) { struct pdb_methods *pdb = pdb_get_methods(); - struct samu *cache_copy; + struct samu *for_cache; const struct dom_sid *user_sid; if (!NT_STATUS_IS_OK(pdb->getsampwnam(pdb, sam_acct, username))) { return False; } - cache_copy = samu_new(NULL); - if (cache_copy == NULL) { + for_cache = samu_new(NULL); + if (for_cache == NULL) { return False; } - if (!pdb_copy_sam_account(cache_copy, sam_acct)) { - TALLOC_FREE(cache_copy); + if (!pdb_copy_sam_account(for_cache, sam_acct)) { + TALLOC_FREE(for_cache); return False; } - user_sid = pdb_get_user_sid(cache_copy); + user_sid = pdb_get_user_sid(for_cache); memcache_add_talloc(NULL, PDB_GETPWSID_CACHE, data_blob_const(user_sid, sizeof(*user_sid)), - cache_copy); + &for_cache); return True; } @@ -242,7 +242,7 @@ bool guest_user_info( struct samu *user ) NTSTATUS result; const char *guestname = lp_guestaccount(); - if ( !(pwd = getpwnam_alloc( NULL, guestname ) ) ) { + if ( !(pwd = getpwnam_alloc(talloc_autofree_context(), guestname ) ) ) { DEBUG(0,("guest_user_info: Unable to locate guest account [%s]!\n", guestname)); return False; @@ -1150,7 +1150,9 @@ static NTSTATUS pdb_default_rename_sam_account (struct pdb_methods *methods, str static NTSTATUS pdb_default_update_login_attempts (struct pdb_methods *methods, struct samu *newpwd, bool success) { - return NT_STATUS_NOT_IMPLEMENTED; + /* Only the pdb_nds backend implements this, by + * default just return ok. */ + return NT_STATUS_OK; } static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, int policy_index, uint32 *value) @@ -2014,7 +2016,7 @@ NTSTATUS make_pdb_method( struct pdb_methods **methods ) { /* allocate memory for the structure as its own talloc CTX */ - if ( !(*methods = TALLOC_ZERO_P(NULL, struct pdb_methods) ) ) { + if ( !(*methods = TALLOC_ZERO_P(talloc_autofree_context(), struct pdb_methods) ) ) { return NT_STATUS_NO_MEMORY; } diff --git a/source3/passdb/util_unixsids.c b/source3/passdb/util_unixsids.c index 1b674d02a2..ad4e70256d 100644 --- a/source3/passdb/util_unixsids.c +++ b/source3/passdb/util_unixsids.c @@ -56,7 +56,7 @@ bool lookup_unix_user_name(const char *name, DOM_SID *sid) { struct passwd *pwd; - pwd = getpwnam_alloc(NULL, name); + pwd = getpwnam_alloc(talloc_autofree_context(), name); if (pwd == NULL) { return False; } diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 11370272a2..244b3aee03 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -1454,18 +1454,21 @@ static int file_version_is_newer(connection_struct *conn, fstring new_file, fstr /**************************************************************************** Determine the correct cVersion associated with an architecture and driver ****************************************************************************/ -static uint32 get_correct_cversion(const char *architecture, fstring driverpath_in, - struct current_user *user, WERROR *perr) +static uint32 get_correct_cversion(struct pipes_struct *p, + const char *architecture, + fstring driverpath_in, + WERROR *perr) { int cversion; NTSTATUS nt_status; char *driverpath = NULL; - DATA_BLOB null_pw; - fstring res_type; files_struct *fsp = NULL; SMB_STRUCT_STAT st; - connection_struct *conn; + connection_struct *conn = NULL; NTSTATUS status; + char *oldcwd; + fstring printdollar; + int printdollar_snum; SET_STAT_INVALID(st); @@ -1485,28 +1488,21 @@ static uint32 get_correct_cversion(const char *architecture, fstring driverpath_ return 3; } - /* - * Connect to the print$ share under the same account as the user connected - * to the rpc pipe. Note we must still be root to do this. - */ - - /* Null password is ok - we are already an authenticated user... */ - null_pw = data_blob_null; - fstrcpy(res_type, "A:"); - become_root(); - conn = make_connection_with_chdir("print$", null_pw, res_type, user->vuid, &nt_status); - unbecome_root(); + fstrcpy(printdollar, "print$"); - if (conn == NULL) { - DEBUG(0,("get_correct_cversion: Unable to connect\n")); - *perr = ntstatus_to_werror(nt_status); + printdollar_snum = find_service(printdollar); + if (printdollar_snum == -1) { + *perr = WERR_NO_SUCH_SHARE; return -1; } - /* We are temporarily becoming the connection user. */ - if (!become_user(conn, user->vuid)) { - DEBUG(0,("get_correct_cversion: Can't become user!\n")); - *perr = WERR_ACCESS_DENIED; + nt_status = create_conn_struct(talloc_tos(), &conn, printdollar_snum, + lp_pathname(printdollar_snum), + p->server_info, &oldcwd); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0,("get_correct_cversion: create_conn_struct " + "returned %s\n", nt_errstr(nt_status))); + *perr = ntstatus_to_werror(nt_status); return -1; } @@ -1583,27 +1579,28 @@ static uint32 get_correct_cversion(const char *architecture, fstring driverpath_ DEBUG(10,("get_correct_cversion: Driver file [%s] cversion = %d\n", driverpath, cversion)); - close_file(NULL, fsp, NORMAL_CLOSE); - close_cnum(conn, user->vuid); - unbecome_user(); - *perr = WERR_OK; - return cversion; - - - error_exit: + goto done; - if(fsp) + error_exit: + cversion = -1; + done: + if (fsp != NULL) { close_file(NULL, fsp, NORMAL_CLOSE); - - close_cnum(conn, user->vuid); - unbecome_user(); - return -1; + } + if (conn != NULL) { + vfs_ChDir(conn, oldcwd); + conn_free_internal(conn); + } + if (cversion != -1) { + *perr = WERR_OK; + } + return cversion; } /**************************************************************************** ****************************************************************************/ -static WERROR clean_up_driver_struct_level_3(NT_PRINTER_DRIVER_INFO_LEVEL_3 *driver, - struct current_user *user) +static WERROR clean_up_driver_struct_level_3(struct pipes_struct *rpc_pipe, + NT_PRINTER_DRIVER_INFO_LEVEL_3 *driver) { const char *architecture; fstring new_name; @@ -1661,7 +1658,9 @@ static WERROR clean_up_driver_struct_level_3(NT_PRINTER_DRIVER_INFO_LEVEL_3 *dri * NT 4: cversion=2 * NT2K: cversion=3 */ - if ((driver->cversion = get_correct_cversion( architecture, driver->driverpath, user, &err)) == -1) + if ((driver->cversion = get_correct_cversion(rpc_pipe, architecture, + driver->driverpath, + &err)) == -1) return err; return WERR_OK; @@ -1669,7 +1668,8 @@ static WERROR clean_up_driver_struct_level_3(NT_PRINTER_DRIVER_INFO_LEVEL_3 *dri /**************************************************************************** ****************************************************************************/ -static WERROR clean_up_driver_struct_level_6(NT_PRINTER_DRIVER_INFO_LEVEL_6 *driver, struct current_user *user) +static WERROR clean_up_driver_struct_level_6(struct pipes_struct *rpc_pipe, + NT_PRINTER_DRIVER_INFO_LEVEL_6 *driver) { const char *architecture; fstring new_name; @@ -1728,7 +1728,9 @@ static WERROR clean_up_driver_struct_level_6(NT_PRINTER_DRIVER_INFO_LEVEL_6 *dri * NT2K: cversion=3 */ - if ((driver->version = get_correct_cversion(architecture, driver->driverpath, user, &err)) == -1) + if ((driver->version = get_correct_cversion(rpc_pipe, architecture, + driver->driverpath, + &err)) == -1) return err; return WERR_OK; @@ -1736,21 +1738,24 @@ static WERROR clean_up_driver_struct_level_6(NT_PRINTER_DRIVER_INFO_LEVEL_6 *dri /**************************************************************************** ****************************************************************************/ -WERROR clean_up_driver_struct(NT_PRINTER_DRIVER_INFO_LEVEL driver_abstract, - uint32 level, struct current_user *user) +WERROR clean_up_driver_struct(struct pipes_struct *rpc_pipe, + NT_PRINTER_DRIVER_INFO_LEVEL driver_abstract, + uint32 level) { switch (level) { case 3: { NT_PRINTER_DRIVER_INFO_LEVEL_3 *driver; driver=driver_abstract.info_3; - return clean_up_driver_struct_level_3(driver, user); + return clean_up_driver_struct_level_3(rpc_pipe, + driver); } case 6: { NT_PRINTER_DRIVER_INFO_LEVEL_6 *driver; driver=driver_abstract.info_6; - return clean_up_driver_struct_level_6(driver, user); + return clean_up_driver_struct_level_6(rpc_pipe, + driver); } default: return WERR_INVALID_PARAM; @@ -1796,8 +1801,9 @@ static char* ffmt(unsigned char *c){ /**************************************************************************** ****************************************************************************/ -WERROR move_driver_to_download_area(NT_PRINTER_DRIVER_INFO_LEVEL driver_abstract, uint32 level, - struct current_user *user, WERROR *perr) +WERROR move_driver_to_download_area(struct pipes_struct *p, + NT_PRINTER_DRIVER_INFO_LEVEL driver_abstract, + uint32 level, WERROR *perr) { NT_PRINTER_DRIVER_INFO_LEVEL_3 *driver; NT_PRINTER_DRIVER_INFO_LEVEL_3 converted_driver; @@ -1805,14 +1811,15 @@ WERROR move_driver_to_download_area(NT_PRINTER_DRIVER_INFO_LEVEL driver_abstract char *new_dir = NULL; char *old_name = NULL; char *new_name = NULL; - DATA_BLOB null_pw; - connection_struct *conn; + connection_struct *conn = NULL; NTSTATUS nt_status; - fstring res_type; SMB_STRUCT_STAT st; int i; TALLOC_CTX *ctx = talloc_tos(); int ver = 0; + char *oldcwd; + fstring printdollar; + int printdollar_snum; *perr = WERR_OK; @@ -1831,38 +1838,24 @@ WERROR move_driver_to_download_area(NT_PRINTER_DRIVER_INFO_LEVEL driver_abstract return WERR_UNKNOWN_PRINTER_DRIVER; } - /* - * Connect to the print$ share under the same account as the user connected to the rpc pipe. - * Note we must be root to do this. - */ - - null_pw = data_blob_null; - fstrcpy(res_type, "A:"); - become_root(); - conn = make_connection_with_chdir("print$", null_pw, res_type, user->vuid, &nt_status); - unbecome_root(); + fstrcpy(printdollar, "print$"); - if (conn == NULL) { - DEBUG(0,("move_driver_to_download_area: Unable to connect\n")); - *perr = ntstatus_to_werror(nt_status); + printdollar_snum = find_service(printdollar); + if (printdollar_snum == -1) { + *perr = WERR_NO_SUCH_SHARE; return WERR_NO_SUCH_SHARE; } - /* - * Save who we are - we are temporarily becoming the connection user. - */ - - if (!become_user(conn, conn->vuid)) { - DEBUG(0,("move_driver_to_download_area: Can't become user!\n")); - return WERR_ACCESS_DENIED; + nt_status = create_conn_struct(talloc_tos(), &conn, printdollar_snum, + lp_pathname(printdollar_snum), + p->server_info, &oldcwd); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0,("move_driver_to_download_area: create_conn_struct " + "returned %s\n", nt_errstr(nt_status))); + *perr = ntstatus_to_werror(nt_status); + return *perr; } - /* WE ARE NOW RUNNING AS USER conn->vuid !!!!! */ - - /* - * make the directories version and version\driver_name - * under the architecture directory. - */ DEBUG(5,("Creating first directory\n")); new_dir = talloc_asprintf(ctx, "%s/%d", @@ -2092,8 +2085,10 @@ WERROR move_driver_to_download_area(NT_PRINTER_DRIVER_INFO_LEVEL driver_abstract err_exit: - close_cnum(conn, user->vuid); - unbecome_user(); + if (conn != NULL) { + vfs_ChDir(conn, oldcwd); + conn_free_internal(conn); + } if (W_ERROR_EQUAL(*perr, WERR_OK)) { return WERR_OK; @@ -5201,49 +5196,44 @@ bool printer_driver_files_in_use ( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info ) this. ****************************************************************************/ -static bool delete_driver_files( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, struct current_user *user ) +static bool delete_driver_files(struct pipes_struct *rpc_pipe, + NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3) { int i = 0; char *s; const char *file; connection_struct *conn; - DATA_BLOB null_pw; NTSTATUS nt_status; - fstring res_type; SMB_STRUCT_STAT st; + char *oldcwd; + fstring printdollar; + int printdollar_snum; + bool ret = false; if ( !info_3 ) return False; DEBUG(6,("delete_driver_files: deleting driver [%s] - version [%d]\n", info_3->name, info_3->cversion)); - /* - * Connect to the print$ share under the same account as the - * user connected to the rpc pipe. Note we must be root to - * do this. - */ + fstrcpy(printdollar, "print$"); - null_pw = data_blob_null; - fstrcpy(res_type, "A:"); - become_root(); - conn = make_connection_with_chdir( "print$", null_pw, res_type, user->vuid, &nt_status ); - unbecome_root(); + printdollar_snum = find_service(printdollar); + if (printdollar_snum == -1) { + return false; + } - if ( !conn ) { - DEBUG(0,("delete_driver_files: Unable to connect\n")); - return False; + nt_status = create_conn_struct(talloc_tos(), &conn, printdollar_snum, + lp_pathname(printdollar_snum), + rpc_pipe->server_info, &oldcwd); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0,("delete_driver_files: create_conn_struct " + "returned %s\n", nt_errstr(nt_status))); + return false; } if ( !CAN_WRITE(conn) ) { DEBUG(3,("delete_driver_files: Cannot delete print driver when [print$] is read-only\n")); - return False; - } - - /* Save who we are - we are temporarily becoming the connection user. */ - - if ( !become_user(conn, conn->vuid) ) { - DEBUG(0,("delete_driver_files: Can't become user!\n")); - return False; + goto fail; } /* now delete the files; must strip the '\print$' string from @@ -5304,9 +5294,15 @@ static bool delete_driver_files( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, struct } } - unbecome_user(); - - return true; + goto done; + fail: + ret = false; + done: + if (conn != NULL) { + vfs_ChDir(conn, oldcwd); + conn_free_internal(conn); + } + return ret; } /**************************************************************************** @@ -5314,8 +5310,9 @@ static bool delete_driver_files( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, struct previously looked up. ***************************************************************************/ -WERROR delete_printer_driver( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, struct current_user *user, - uint32 version, bool delete_files ) +WERROR delete_printer_driver(struct pipes_struct *rpc_pipe, + NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, + uint32 version, bool delete_files ) { char *key = NULL; const char *arch; @@ -5365,7 +5362,7 @@ WERROR delete_printer_driver( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, struct cur */ if ( delete_files ) - delete_driver_files( info_3, user ); + delete_driver_files(rpc_pipe, info_3); DEBUG(5,("delete_printer_driver: driver delete successful [%s]\n", key)); SAFE_FREE(key); diff --git a/source3/printing/printfsp.c b/source3/printing/printfsp.c index a247cd8427..5481d95650 100644 --- a/source3/printing/printfsp.c +++ b/source3/printing/printfsp.c @@ -27,19 +27,13 @@ print_job_start(). NTSTATUS print_fsp_open(struct smb_request *req, connection_struct *conn, const char *fname, - uint16_t current_vuid, files_struct **result) + uint16_t current_vuid, files_struct *fsp) { int jobid; SMB_STRUCT_STAT sbuf; - files_struct *fsp; fstring name; NTSTATUS status; - status = file_new(req, conn, &fsp); - if(!NT_STATUS_IS_OK(status)) { - return status; - } - fstrcpy( name, "Remote Downlevel Document"); if (fname) { const char *p = strrchr(fname, '/'); @@ -53,7 +47,6 @@ NTSTATUS print_fsp_open(struct smb_request *req, connection_struct *conn, jobid = print_job_start(conn->server_info, SNUM(conn), name, NULL); if (jobid == -1) { status = map_nt_error_from_unix(errno); - file_free(req, fsp); return status; } @@ -62,7 +55,6 @@ NTSTATUS print_fsp_open(struct smb_request *req, connection_struct *conn, if (fsp->rap_print_jobid == 0) { /* We need to delete the entry in the tdb. */ pjob_delete(lp_const_servicename(SNUM(conn)), jobid); - file_free(req, fsp); return NT_STATUS_ACCESS_DENIED; /* No errno around here */ } @@ -81,14 +73,11 @@ NTSTATUS print_fsp_open(struct smb_request *req, connection_struct *conn, fsp->sent_oplock_break = NO_BREAK_SENT; fsp->is_directory = False; string_set(&fsp->fsp_name,print_job_fname(lp_const_servicename(SNUM(conn)),jobid)); - fsp->wcp = NULL; + fsp->wcp = NULL; SMB_VFS_FSTAT(fsp, &sbuf); fsp->mode = sbuf.st_mode; fsp->file_id = vfs_file_id_from_sbuf(conn, &sbuf); - conn->num_files_open++; - - *result = fsp; return NT_STATUS_OK; } diff --git a/source3/rpc_client/cli_reg.c b/source3/rpc_client/cli_reg.c index ba98e25d63..2ed7119f4b 100644 --- a/source3/rpc_client/cli_reg.c +++ b/source3/rpc_client/cli_reg.c @@ -60,20 +60,3 @@ NTSTATUS rpccli_winreg_Connect(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - -/******************************************************************* - Fill in a REGVAL_BUFFER for the data given a REGISTRY_VALUE - *******************************************************************/ - -uint32 reg_init_regval_buffer( REGVAL_BUFFER *buf2, REGISTRY_VALUE *val ) -{ - uint32 real_size = 0; - - if ( !buf2 || !val ) - return 0; - - real_size = regval_size(val); - init_regval_buffer( buf2, (unsigned char*)regval_data_p(val), real_size ); - - return real_size; -} diff --git a/source3/rpc_client/init_netlogon.c b/source3/rpc_client/init_netlogon.c index e4c39e739e..6f7a541f72 100644 --- a/source3/rpc_client/init_netlogon.c +++ b/source3/rpc_client/init_netlogon.c @@ -172,7 +172,8 @@ static NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx, *****************************************************************************/ NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info, - uint8_t pipe_session_key[16], + uint8_t *pipe_session_key, + size_t pipe_session_key_len, struct netr_SamInfo3 *sam3) { struct samu *sampw; @@ -203,6 +204,13 @@ NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info, user_sid = pdb_get_user_sid(sampw); group_sid = pdb_get_group_sid(sampw); + if (pipe_session_key && pipe_session_key_len != 16) { + DEBUG(0,("serverinfo_to_SamInfo3: invalid " + "pipe_session_key_len[%zu] != 16\n", + pipe_session_key_len)); + return NT_STATUS_INTERNAL_ERROR; + } + if ((user_sid == NULL) || (group_sid == NULL)) { DEBUG(1, ("_netr_LogonSamLogon: User without group or user SID\n")); return NT_STATUS_UNSUCCESSFUL; @@ -248,14 +256,18 @@ NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info, server_info->user_session_key.data, MIN(sizeof(user_session_key.key), server_info->user_session_key.length)); - SamOEMhash(user_session_key.key, pipe_session_key, 16); + if (pipe_session_key) { + SamOEMhash(user_session_key.key, pipe_session_key, 16); + } } if (server_info->lm_session_key.length) { memcpy(lm_session_key.key, server_info->lm_session_key.data, MIN(sizeof(lm_session_key.key), server_info->lm_session_key.length)); - SamOEMhash(lm_session_key.key, pipe_session_key, 8); + if (pipe_session_key) { + SamOEMhash(lm_session_key.key, pipe_session_key, 8); + } } groups.count = num_gids; diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c index 283be0d98b..6a9e6d1682 100644 --- a/source3/rpc_client/init_samr.c +++ b/source3/rpc_client/init_samr.c @@ -47,7 +47,7 @@ void init_samr_DomGeneralInformation(struct samr_DomGeneralInformation *r, const char *domain_name, const char *primary, uint64_t sequence_num, - uint32_t unknown2, + enum samr_DomainServerState domain_server_state, enum samr_Role role, uint32_t unknown3, uint32_t num_users, @@ -59,7 +59,7 @@ void init_samr_DomGeneralInformation(struct samr_DomGeneralInformation *r, init_lsa_String(&r->domain_name, domain_name); init_lsa_String(&r->primary, primary); r->sequence_num = sequence_num; - r->unknown2 = unknown2; + r->domain_server_state = domain_server_state; r->role = role; r->unknown3 = unknown3; r->num_users = num_users; @@ -134,11 +134,12 @@ void init_samr_DomInfo8(struct samr_DomInfo8 *r, ********************************************************************/ void init_samr_DomInfo9(struct samr_DomInfo9 *r, - uint32_t unknown) + enum samr_DomainServerState domain_server_state) { - r->unknown = unknown; + r->domain_server_state = domain_server_state; } + /******************************************************************* inits a structure. ********************************************************************/ @@ -252,6 +253,53 @@ void init_samr_alias_info3(struct lsa_String *r, } /******************************************************************* + inits a samr_UserInfo5 structure. +********************************************************************/ + +void init_samr_user_info5(struct samr_UserInfo5 *r, + const char *account_name, + const char *full_name, + uint32_t rid, + uint32_t primary_gid, + const char *home_directory, + const char *home_drive, + const char *logon_script, + const char *profile_path, + const char *description, + const char *workstations, + NTTIME last_logon, + NTTIME last_logoff, + struct samr_LogonHours logon_hours, + uint16_t bad_password_count, + uint16_t logon_count, + NTTIME last_password_change, + NTTIME acct_expiry, + uint32_t acct_flags) +{ + DEBUG(5, ("init_samr_user_info5\n")); + + init_lsa_String(&r->account_name, account_name); + init_lsa_String(&r->full_name, full_name); + r->rid = rid; + r->primary_gid = primary_gid; + init_lsa_String(&r->home_directory, home_directory); + init_lsa_String(&r->home_drive, home_drive); + init_lsa_String(&r->logon_script, logon_script); + init_lsa_String(&r->profile_path, profile_path); + init_lsa_String(&r->description, description); + init_lsa_String(&r->workstations, workstations); + r->last_logon = last_logon; + r->last_logoff = last_logoff; + r->logon_hours = logon_hours; + r->bad_password_count = bad_password_count; + r->logon_count = logon_count; + r->last_password_change = last_password_change; + r->acct_expiry = acct_expiry; + r->acct_flags = acct_flags; +} + + +/******************************************************************* inits a samr_UserInfo7 structure. ********************************************************************/ @@ -410,8 +458,7 @@ void init_samr_user_info23(struct samr_UserInfo23 *r, uint8_t nt_password_set, uint8_t lm_password_set, uint8_t password_expired, - uint8_t data[516], - uint8_t pw_len) + struct samr_CryptPassword *pwd_buf) { memset(r, '\0', sizeof(*r)); init_samr_user_info21(&r->info, @@ -444,7 +491,7 @@ void init_samr_user_info23(struct samr_UserInfo23 *r, lm_password_set, password_expired); - memcpy(r->password.data, data, sizeof(r->password.data)); + r->password = *pwd_buf; } /************************************************************************* @@ -452,13 +499,98 @@ void init_samr_user_info23(struct samr_UserInfo23 *r, *************************************************************************/ void init_samr_user_info24(struct samr_UserInfo24 *r, - uint8_t data[516], - uint8_t pw_len) + struct samr_CryptPassword *pwd_buf, + uint8_t password_expired) { DEBUG(10, ("init_samr_user_info24:\n")); - memcpy(r->password.data, data, sizeof(r->password.data)); - r->pw_len = pw_len; + r->password = *pwd_buf; + r->password_expired = password_expired; +} + +/************************************************************************* + init_samr_user_info25 + *************************************************************************/ + +void init_samr_user_info25(struct samr_UserInfo25 *r, + NTTIME last_logon, + NTTIME last_logoff, + NTTIME last_password_change, + NTTIME acct_expiry, + NTTIME allow_password_change, + NTTIME force_password_change, + const char *account_name, + const char *full_name, + const char *home_directory, + const char *home_drive, + const char *logon_script, + const char *profile_path, + const char *description, + const char *workstations, + const char *comment, + struct lsa_BinaryString *parameters, + uint32_t rid, + uint32_t primary_gid, + uint32_t acct_flags, + uint32_t fields_present, + struct samr_LogonHours logon_hours, + uint16_t bad_password_count, + uint16_t logon_count, + uint16_t country_code, + uint16_t code_page, + uint8_t nt_password_set, + uint8_t lm_password_set, + uint8_t password_expired, + struct samr_CryptPasswordEx *pwd_buf) +{ + DEBUG(10, ("init_samr_user_info25:\n")); + + memset(r, '\0', sizeof(*r)); + init_samr_user_info21(&r->info, + last_logon, + last_logoff, + last_password_change, + acct_expiry, + allow_password_change, + force_password_change, + account_name, + full_name, + home_directory, + home_drive, + logon_script, + profile_path, + description, + workstations, + comment, + parameters, + rid, + primary_gid, + acct_flags, + fields_present, + logon_hours, + bad_password_count, + logon_count, + country_code, + code_page, + nt_password_set, + lm_password_set, + password_expired); + + r->password = *pwd_buf; +} + +/************************************************************************* + init_samr_user_info26 + *************************************************************************/ + +void init_samr_user_info26(struct samr_UserInfo26 *r, + struct samr_CryptPasswordEx *pwd_buf, + uint8_t password_expired) +{ + DEBUG(10, ("init_samr_user_info26:\n")); + + r->password = *pwd_buf; + r->password_expired = password_expired; } /************************************************************************* diff --git a/source3/rpc_parse/parse_misc.c b/source3/rpc_parse/parse_misc.c index cf989c8b5e..169e5cb560 100644 --- a/source3/rpc_parse/parse_misc.c +++ b/source3/rpc_parse/parse_misc.c @@ -558,60 +558,6 @@ bool smb_io_buffer5(const char *desc, BUFFER5 *buf5, prs_struct *ps, int depth) } /******************************************************************* - Inits a REGVAL_BUFFER structure. -********************************************************************/ - -void init_regval_buffer(REGVAL_BUFFER *str, const uint8 *buf, size_t len) -{ - ZERO_STRUCTP(str); - - /* max buffer size (allocated size) */ - str->buf_max_len = len; - str->offset = 0; - str->buf_len = buf != NULL ? len : 0; - - if (buf != NULL) { - SMB_ASSERT(str->buf_max_len >= str->buf_len); - str->buffer = (uint16 *)TALLOC_ZERO(talloc_tos(), - str->buf_max_len); - if (str->buffer == NULL) - smb_panic("init_regval_buffer: talloc fail"); - memcpy(str->buffer, buf, str->buf_len); - } -} - -/******************************************************************* - Reads or writes a REGVAL_BUFFER structure. - the uni_max_len member tells you how large the buffer is. - the uni_str_len member tells you how much of the buffer is really used. -********************************************************************/ - -bool smb_io_regval_buffer(const char *desc, prs_struct *ps, int depth, REGVAL_BUFFER *buf2) -{ - - prs_debug(ps, depth, desc, "smb_io_regval_buffer"); - depth++; - - if(!prs_align(ps)) - return False; - - if(!prs_uint32("buf_max_len", ps, depth, &buf2->buf_max_len)) - return False; - if(!prs_uint32("offset ", ps, depth, &buf2->offset)) - return False; - if(!prs_uint32("buf_len ", ps, depth, &buf2->buf_len)) - return False; - - /* buffer advanced by indicated length of string - NOT by searching for null-termination */ - - if(!prs_regval_buffer(True, "buffer ", ps, depth, buf2)) - return False; - - return True; -} - -/******************************************************************* creates a UNISTR2 structure: sets up the buffer, too ********************************************************************/ diff --git a/source3/rpc_parse/parse_ntsvcs.c b/source3/rpc_parse/parse_ntsvcs.c index 2b15a45506..17b51fa751 100644 --- a/source3/rpc_parse/parse_ntsvcs.c +++ b/source3/rpc_parse/parse_ntsvcs.c @@ -77,71 +77,3 @@ bool ntsvcs_io_r_get_device_list(const char *desc, NTSVCS_R_GET_DEVICE_LIST *r_u return True; } - -/******************************************************************* -********************************************************************/ - -bool ntsvcs_io_q_get_device_reg_property(const char *desc, NTSVCS_Q_GET_DEVICE_REG_PROPERTY *q_u, prs_struct *ps, int depth) -{ - if (q_u == NULL) - return False; - - prs_debug(ps, depth, desc, "ntsvcs_io_q_get_device_reg_property"); - depth++; - - if(!prs_align(ps)) - return False; - - if ( !prs_io_unistr2("devicepath", ps, depth, &q_u->devicepath) ) - return False; - if( !prs_align(ps) ) - return False; - - if ( !prs_uint32("property", ps, depth, &q_u->property) ) - return False; - if ( !prs_uint32("unknown2", ps, depth, &q_u->unknown2) ) - return False; - if ( !prs_uint32("buffer_size1", ps, depth, &q_u->buffer_size1) ) - return False; - if ( !prs_uint32("buffer_size2", ps, depth, &q_u->buffer_size2) ) - return False; - if ( !prs_uint32("unknown5", ps, depth, &q_u->unknown5) ) - return False; - - return True; - -} - -/******************************************************************* -********************************************************************/ - -bool ntsvcs_io_r_get_device_reg_property(const char *desc, NTSVCS_R_GET_DEVICE_REG_PROPERTY *r_u, prs_struct *ps, int depth) -{ - if ( !r_u ) - return False; - - prs_debug(ps, depth, desc, "ntsvcs_io_r_get_device_reg_property"); - depth++; - - if ( !prs_align(ps) ) - return False; - - if ( !prs_uint32("unknown1", ps, depth, &r_u->unknown1) ) - return False; - - if ( !smb_io_regval_buffer("value", ps, depth, &r_u->value) ) - return False; - if ( !prs_align(ps) ) - return False; - - if ( !prs_uint32("size", ps, depth, &r_u->size) ) - return False; - - if ( !prs_uint32("needed", ps, depth, &r_u->needed) ) - return False; - - if(!prs_werror("status", ps, depth, &r_u->status)) - return False; - - return True; -} diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c index a0d3ed7397..acc0cc88ef 100644 --- a/source3/rpc_parse/parse_prs.c +++ b/source3/rpc_parse/parse_prs.c @@ -1056,39 +1056,6 @@ bool prs_buffer5(bool charmode, const char *name, prs_struct *ps, int depth, BUF } /****************************************************************** - Stream a "not" unicode string, length/buffer specified separately, - in byte chars. String is in little-endian format. - ********************************************************************/ - -bool prs_regval_buffer(bool charmode, const char *name, prs_struct *ps, int depth, REGVAL_BUFFER *buf) -{ - char *p; - char *q = prs_mem_get(ps, buf->buf_len); - if (q == NULL) - return False; - - if (UNMARSHALLING(ps)) { - if (buf->buf_len > buf->buf_max_len) { - return False; - } - if ( buf->buf_max_len ) { - buf->buffer = PRS_ALLOC_MEM(ps, uint16, buf->buf_max_len); - if ( buf->buffer == NULL ) - return False; - } else { - buf->buffer = NULL; - } - } - - p = (char *)buf->buffer; - - dbg_rw_punival(charmode, name, depth, ps, q, p, buf->buf_len/2); - ps->data_offset += buf->buf_len; - - return True; -} - -/****************************************************************** Stream a string, length/buffer specified separately, in uint8 chars. ********************************************************************/ diff --git a/source3/rpc_server/srv_dfs_nt.c b/source3/rpc_server/srv_dfs_nt.c index 661d262dc4..bef8d83103 100644 --- a/source3/rpc_server/srv_dfs_nt.c +++ b/source3/rpc_server/srv_dfs_nt.c @@ -48,7 +48,7 @@ WERROR _dfs_Add(pipes_struct *p, struct dfs_Add *r) NTSTATUS status; TALLOC_CTX *ctx = talloc_tos(); - if (p->pipe_user.ut.uid != sec_initial_uid()) { + if (p->server_info->utok.uid != sec_initial_uid()) { DEBUG(10,("_dfs_add: uid != 0. Access denied.\n")); return WERR_ACCESS_DENIED; } @@ -113,7 +113,7 @@ WERROR _dfs_Remove(pipes_struct *p, struct dfs_Remove *r) TALLOC_CTX *ctx = talloc_tos(); char *altpath = NULL; - if (p->pipe_user.ut.uid != sec_initial_uid()) { + if (p->server_info->utok.uid != sec_initial_uid()) { DEBUG(10,("_dfs_remove: uid != 0. Access denied.\n")); return WERR_ACCESS_DENIED; } diff --git a/source3/rpc_server/srv_eventlog_lib.c b/source3/rpc_server/srv_eventlog_lib.c index 9215a86d3f..c4a7828b6c 100644 --- a/source3/rpc_server/srv_eventlog_lib.c +++ b/source3/rpc_server/srv_eventlog_lib.c @@ -140,13 +140,13 @@ int elog_tdb_size( TDB_CONTEXT * tdb, int *MaxSize, int *Retention ) return True if we made enough room to accommodate needed bytes ********************************************************************/ -static bool make_way_for_eventlogs( TDB_CONTEXT * the_tdb, int32 needed, +static bool make_way_for_eventlogs( TDB_CONTEXT * the_tdb, int32_t needed, bool whack_by_date ) { - int start_record, i, new_start; - int end_record; - int nbytes, reclen, len, Retention, MaxSize; - int tresv1, trecnum, timegen, timewr; + int32_t start_record, i, new_start; + int32_t end_record; + int32_t reclen, tresv1, trecnum, timegen, timewr; + int nbytes, len, Retention, MaxSize; TDB_DATA key, ret; time_t current_time, exp_time; @@ -173,16 +173,17 @@ static bool make_way_for_eventlogs( TDB_CONTEXT * the_tdb, int32 needed, nbytes = 0; DEBUG( 3, - ( "MaxSize [%d] Retention [%d] Current Time [%d] exp_time [%d]\n", - MaxSize, Retention, (uint32)current_time, (uint32)exp_time ) ); + ( "MaxSize [%d] Retention [%d] Current Time [%u] exp_time [%u]\n", + MaxSize, Retention, (unsigned int)current_time, (unsigned int)exp_time ) ); DEBUG( 3, - ( "Start Record [%d] End Record [%d]\n", start_record, - end_record ) ); + ( "Start Record [%u] End Record [%u]\n", + (unsigned int)start_record, + (unsigned int)end_record )); for ( i = start_record; i < end_record; i++ ) { /* read a record, add the amt to nbytes */ - key.dsize = sizeof( int32 ); - key.dptr = ( uint8 * ) ( int32 * ) & i; + key.dsize = sizeof(int32_t); + key.dptr = (unsigned char *)&i; ret = tdb_fetch( the_tdb, key ); if ( ret.dsize == 0 ) { DEBUG( 8, @@ -198,12 +199,13 @@ static bool make_way_for_eventlogs( TDB_CONTEXT * the_tdb, int32 needed, if (len == -1) { DEBUG( 10,("make_way_for_eventlogs: tdb_unpack failed.\n")); tdb_unlock_bystring( the_tdb, EVT_NEXT_RECORD ); + SAFE_FREE( ret.dptr ); return False; } DEBUG( 8, - ( "read record %d, record size is [%d], total so far [%d]\n", - i, reclen, nbytes ) ); + ( "read record %u, record size is [%d], total so far [%d]\n", + (unsigned int)i, reclen, nbytes ) ); SAFE_FREE( ret.dptr ); @@ -220,14 +222,14 @@ static bool make_way_for_eventlogs( TDB_CONTEXT * the_tdb, int32 needed, } DEBUG( 3, - ( "nbytes [%d] needed [%d] start_record is [%d], should be set to [%d]\n", - nbytes, needed, start_record, i ) ); + ( "nbytes [%d] needed [%d] start_record is [%u], should be set to [%u]\n", + nbytes, needed, (unsigned int)start_record, (unsigned int)i ) ); /* todo - remove eventlog entries here and set starting record to start_record... */ new_start = i; if ( start_record != new_start ) { for ( i = start_record; i < new_start; i++ ) { - key.dsize = sizeof( int32 ); - key.dptr = ( uint8 * ) ( int32 * ) & i; + key.dsize = sizeof(int32_t); + key.dptr = (unsigned char *)&i; tdb_delete( the_tdb, key ); } @@ -267,7 +269,7 @@ bool prune_eventlog( TDB_CONTEXT * tdb ) /******************************************************************** ********************************************************************/ -bool can_write_to_eventlog( TDB_CONTEXT * tdb, int32 needed ) +bool can_write_to_eventlog( TDB_CONTEXT * tdb, int32_t needed ) { int calcd_size; int MaxSize, Retention; @@ -313,7 +315,7 @@ bool can_write_to_eventlog( TDB_CONTEXT * tdb, int32 needed ) ELOG_TDB *elog_open_tdb( char *logname, bool force_clear ) { TDB_CONTEXT *tdb = NULL; - uint32 vers_id; + uint32_t vers_id; ELOG_TDB *ptr; char *tdbpath = NULL; ELOG_TDB *tdb_node = NULL; @@ -454,7 +456,7 @@ int write_eventlog_tdb( TDB_CONTEXT * the_tdb, Eventlog_entry * ee ) uint8 *packed_ee; TALLOC_CTX *mem_ctx = NULL; TDB_DATA kbuf, ebuf; - uint32 n_packed; + uint32_t n_packed; if ( !ee ) return 0; diff --git a/source3/rpc_server/srv_eventlog_nt.c b/source3/rpc_server/srv_eventlog_nt.c index 3c7469f3ef..d12b490d21 100644 --- a/source3/rpc_server/srv_eventlog_nt.c +++ b/source3/rpc_server/srv_eventlog_nt.c @@ -1,20 +1,20 @@ -/* +/* * Unix SMB/CIFS implementation. * RPC Pipe client / server routines * Copyright (C) Marcin Krzysztof Porwit 2005, * Copyright (C) Brian Moran 2005, * Copyright (C) Gerald (Jerry) Carter 2005. - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License * along with this program; if not, see <http://www.gnu.org/licenses/>. */ @@ -40,10 +40,10 @@ typedef struct { static void free_eventlog_info( void *ptr ) { EVENTLOG_INFO *elog = (EVENTLOG_INFO *)ptr; - + if ( elog->etdb ) elog_close_tdb( elog->etdb, False ); - + TALLOC_FREE( elog ); } @@ -72,21 +72,21 @@ static bool elog_check_access( EVENTLOG_INFO *info, NT_USER_TOKEN *token ) char *tdbname = elog_tdbname(talloc_tos(), info->logname ); SEC_DESC *sec_desc; NTSTATUS status; - - if ( !tdbname ) + + if ( !tdbname ) return False; - + /* get the security descriptor for the file */ - + sec_desc = get_nt_acl_no_snum( info, tdbname ); - SAFE_FREE( tdbname ); - + TALLOC_FREE( tdbname ); + if ( !sec_desc ) { - DEBUG(5,("elog_check_access: Unable to get NT ACL for %s\n", + DEBUG(5,("elog_check_access: Unable to get NT ACL for %s\n", tdbname)); return False; } - + /* root free pass */ if ( geteuid() == sec_initial_uid() ) { @@ -95,21 +95,21 @@ static bool elog_check_access( EVENTLOG_INFO *info, NT_USER_TOKEN *token ) } /* run the check, try for the max allowed */ - + status = se_access_check( sec_desc, token, MAXIMUM_ALLOWED_ACCESS, &info->access_granted); - + if ( sec_desc ) TALLOC_FREE( sec_desc ); - + if (!NT_STATUS_IS_OK(status)) { DEBUG(8,("elog_check_access: se_access_check() return %s\n", nt_errstr(status))); return False; } - + /* we have to have READ permission for a successful open */ - + return ( info->access_granted & SA_RIGHT_FILE_READ_DATA ); } @@ -120,7 +120,7 @@ static bool elog_validate_logname( const char *name ) { int i; const char **elogs = lp_eventlog_list(); - + if (!elogs) { return False; } @@ -129,7 +129,7 @@ static bool elog_validate_logname( const char *name ) if ( strequal( name, elogs[i] ) ) return True; } - + return False; } @@ -178,19 +178,19 @@ static bool get_oldest_entry_hook( EVENTLOG_INFO * info ) static NTSTATUS elog_open( pipes_struct * p, const char *logname, POLICY_HND *hnd ) { EVENTLOG_INFO *elog; - + /* first thing is to validate the eventlog name */ if ( !elog_validate_logname( logname ) ) return NT_STATUS_OBJECT_PATH_INVALID; - + if ( !(elog = TALLOC_ZERO_P( NULL, EVENTLOG_INFO )) ) return NT_STATUS_NO_MEMORY; - + elog->logname = talloc_strdup( elog, logname ); - + /* Open the tdb first (so that we can create any new tdbs if necessary). - We have to do this as root and then use an internal access check + We have to do this as root and then use an internal access check on the file permissions since you can only have a tdb open once in a single process */ @@ -201,40 +201,40 @@ static NTSTATUS elog_open( pipes_struct * p, const char *logname, POLICY_HND *hn if ( !elog->etdb ) { /* according to MSDN, if the logfile cannot be found, we should default to the "Application" log */ - + if ( !strequal( logname, ELOG_APPL ) ) { - + TALLOC_FREE( elog->logname ); - - elog->logname = talloc_strdup( elog, ELOG_APPL ); + + elog->logname = talloc_strdup( elog, ELOG_APPL ); /* do the access check */ - if ( !elog_check_access( elog, p->pipe_user.nt_user_token ) ) { + if ( !elog_check_access( elog, p->server_info->ptok ) ) { TALLOC_FREE( elog ); return NT_STATUS_ACCESS_DENIED; } - + become_root(); elog->etdb = elog_open_tdb( elog->logname, False ); unbecome_root(); - } - + } + if ( !elog->etdb ) { TALLOC_FREE( elog ); - return NT_STATUS_ACCESS_DENIED; /* ??? */ + return NT_STATUS_ACCESS_DENIED; /* ??? */ } } - + /* now do the access check. Close the tdb if we fail here */ - if ( !elog_check_access( elog, p->pipe_user.nt_user_token ) ) { + if ( !elog_check_access( elog, p->server_info->ptok ) ) { elog_close_tdb( elog->etdb, False ); TALLOC_FREE( elog ); return NT_STATUS_ACCESS_DENIED; } - + /* create the policy handle */ - + if ( !create_policy_hnd ( p, hnd, free_eventlog_info, ( void * ) elog ) ) { free_eventlog_info( elog ); @@ -246,7 +246,7 @@ static NTSTATUS elog_open( pipes_struct * p, const char *logname, POLICY_HND *hn if ( !get_oldest_entry_hook( elog ) ) { DEBUG(3,("elog_open: Successfully opened eventlog but can't " "get any information on internal records!\n")); - } + } elog->current_record = elog->oldest_entry; @@ -283,15 +283,15 @@ static int elog_size( EVENTLOG_INFO *info ) Eventlog_entry. returns NULL if it can't get the record for some reason. ********************************************************************/ -static Eventlog_entry *get_eventlog_record(prs_struct *ps, +static Eventlog_entry *get_eventlog_record(TALLOC_CTX *mem_ctx, TDB_CONTEXT *tdb, int recno) { Eventlog_entry *ee = NULL; TDB_DATA ret, key; - int srecno; - int reclen; + int32_t srecno; + int32_t reclen; int len; char *wpsource = NULL; @@ -300,10 +300,10 @@ static Eventlog_entry *get_eventlog_record(prs_struct *ps, char *wpstrs = NULL; char *puserdata = NULL; - key.dsize = sizeof(int32); + key.dsize = sizeof(int32_t); srecno = recno; - key.dptr = ( uint8 * ) &srecno; + key.dptr = (unsigned char *)&srecno; ret = tdb_fetch( tdb, key ); @@ -321,7 +321,7 @@ static Eventlog_entry *get_eventlog_record(prs_struct *ps, if ( !len ) return NULL; - ee = TALLOC_ARRAY(ps->mem_ctx, Eventlog_entry, 1); + ee = TALLOC_ARRAY(mem_ctx, Eventlog_entry, 1); if (!ee) { return NULL; } @@ -413,7 +413,7 @@ static Eventlog_entry *get_eventlog_record(prs_struct *ps, } /******************************************************************** - note that this can only be called AFTER the table is constructed, + note that this can only be called AFTER the table is constructed, since it uses the table to find the tdb handle ********************************************************************/ @@ -426,28 +426,28 @@ static bool sync_eventlog_params( EVENTLOG_INFO *info ) struct registry_value *value; WERROR wresult; char *elogname = info->logname; - TALLOC_CTX *ctx = talloc_tos(); + TALLOC_CTX *ctx = talloc_stackframe(); bool ret = false; DEBUG( 4, ( "sync_eventlog_params with %s\n", elogname ) ); if ( !info->etdb ) { DEBUG( 4, ( "No open tdb! (%s)\n", info->logname ) ); - return False; + goto done; } /* set resonable defaults. 512Kb on size and 1 week on time */ uiMaxSize = 0x80000; uiRetention = 604800; - /* the general idea is to internally open the registry - key and retrieve the values. That way we can continue - to use the same fetch/store api that we use in + /* the general idea is to internally open the registry + key and retrieve the values. That way we can continue + to use the same fetch/store api that we use in srv_reg_nt.c */ path = talloc_asprintf(ctx, "%s/%s", KEY_EVENTLOG, elogname ); if (!path) { - return false; + goto done; } wresult = reg_open_path(ctx, path, REG_KEY_READ, get_root_nt_token(), @@ -457,14 +457,13 @@ static bool sync_eventlog_params( EVENTLOG_INFO *info ) DEBUG( 4, ( "sync_eventlog_params: Failed to open key [%s] (%s)\n", path, win_errstr( wresult ) ) ); - return false; + goto done; } wresult = reg_queryvalue(key, key, "Retention", &value); if (!W_ERROR_IS_OK(wresult)) { DEBUG(4, ("Failed to query value \"Retention\": %s\n", win_errstr(wresult))); - ret = false; goto done; } uiRetention = value->v.dword; @@ -473,7 +472,6 @@ static bool sync_eventlog_params( EVENTLOG_INFO *info ) if (!W_ERROR_IS_OK(wresult)) { DEBUG(4, ("Failed to query value \"MaxSize\": %s\n", win_errstr(wresult))); - ret = false; goto done; } uiMaxSize = value->v.dword; @@ -491,13 +489,13 @@ done: /******************************************************************** ********************************************************************/ -static Eventlog_entry *read_package_entry( prs_struct * ps, +static Eventlog_entry *read_package_entry( TALLOC_CTX *mem_ctx, Eventlog_entry * entry ) { uint8 *offset; Eventlog_entry *ee_new = NULL; - ee_new = PRS_ALLOC_MEM( ps, Eventlog_entry, 1 ); + ee_new = TALLOC_ZERO_ARRAY(mem_ctx, Eventlog_entry, 1 ); if ( ee_new == NULL ) { return NULL; } @@ -536,10 +534,10 @@ static Eventlog_entry *read_package_entry( prs_struct * ps, DEBUG( 10, ( "entry->record.length is [%d].\n", entry->record.length ) ); entry->data = - PRS_ALLOC_MEM( ps, uint8, - entry->record.length - - sizeof( Eventlog_record ) - - sizeof( entry->record.length ) ); + TALLOC_ZERO_ARRAY(mem_ctx, uint8_t, + entry->record.length - + sizeof( Eventlog_record ) - + sizeof( entry->record.length )); if ( entry->data == NULL ) { return NULL; } @@ -625,13 +623,13 @@ NTSTATUS _eventlog_OpenEventLogW(pipes_struct *p, if (r->in.logname->string) { logname = r->in.logname->string; } - + DEBUG( 10,("_eventlog_open_eventlog: Server [%s], Log [%s]\n", servername, logname )); - + /* according to MSDN, if the logfile cannot be found, we should default to the "Application" log */ - + if ( !NT_STATUS_IS_OK( result = elog_open( p, logname, r->out.handle )) ) return result; @@ -761,7 +759,7 @@ NTSTATUS _eventlog_read_eventlog( pipes_struct * p, /* assume that when the record fetch fails, that we are done */ - entry = get_eventlog_record (ps, ELOG_TDB_CTX(info->etdb), record_number); + entry = get_eventlog_record (ps->mem_ctx, ELOG_TDB_CTX(info->etdb), record_number); if (!entry) { break; } @@ -770,7 +768,7 @@ NTSTATUS _eventlog_read_eventlog( pipes_struct * p, /* Now see if there is enough room to add */ - if ( !(ee_new = read_package_entry( ps, entry )) ) + if ( !(ee_new = read_package_entry( ps->mem_ctx, entry )) ) return NT_STATUS_NO_MEMORY; if ( r_u->num_bytes_in_resp + ee_new->record.length > q_u->max_read_size ) { diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index f4e891ca8c..05452112ca 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -381,9 +381,10 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p, /* get the generic lsa policy SD until we store it */ lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size); - status = se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted); + status = se_access_check(psd, p->server_info->ptok, des_access, + &acc_granted); if (!NT_STATUS_IS_OK(status)) { - if (p->pipe_user.ut.uid != sec_initial_uid()) { + if (p->server_info->utok.uid != sec_initial_uid()) { return status; } DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", @@ -393,7 +394,7 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p, /* This is needed for lsa_open_account and rpcclient .... :-) */ - if (p->pipe_user.ut.uid == sec_initial_uid()) + if (p->server_info->utok.uid == sec_initial_uid()) acc_granted = LSA_POLICY_ALL_ACCESS; /* associate the domain SID with the (unique) handle. */ @@ -432,9 +433,10 @@ NTSTATUS _lsa_OpenPolicy(pipes_struct *p, /* get the generic lsa policy SD until we store it */ lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size); - status = se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted); + status = se_access_check(psd, p->server_info->ptok, des_access, + &acc_granted); if (!NT_STATUS_IS_OK(status)) { - if (p->pipe_user.ut.uid != sec_initial_uid()) { + if (p->server_info->utok.uid != sec_initial_uid()) { return status; } DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", @@ -1539,8 +1541,9 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p, /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->server_info->utok.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS ) ) return NT_STATUS_ACCESS_DENIED; if ( is_privileged_sid( r->in.sid ) ) @@ -1726,8 +1729,9 @@ NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p, /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->server_info->utok.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS ) ) return NT_STATUS_ACCESS_DENIED; if (!pdb_getgrsid(&map, info->sid)) @@ -1755,8 +1759,9 @@ NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p, /* check to see if the pipe_user is root or a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->server_info->utok.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS ) ) { return NT_STATUS_ACCESS_DENIED; } @@ -1795,8 +1800,9 @@ NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p, /* check to see if the pipe_user is root or a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->server_info->utok.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS ) ) { return NT_STATUS_ACCESS_DENIED; } @@ -1952,8 +1958,9 @@ NTSTATUS _lsa_AddAccountRights(pipes_struct *p, /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->server_info->utok.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS ) ) { return NT_STATUS_ACCESS_DENIED; } @@ -2001,8 +2008,9 @@ NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p, /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + if ( p->server_info->utok.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS ) ) { return NT_STATUS_ACCESS_DENIED; } diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 75fc99401e..45acd3ed48 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -981,7 +981,7 @@ NTSTATUS _netr_LogonSamLogon(pipes_struct *p, memcpy(pipe_session_key, p->auth.a_u.schannel_auth->sess_key, 16); } - status = serverinfo_to_SamInfo3(server_info, pipe_session_key, sam3); + status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16, sam3); TALLOC_FREE(server_info); return status; } diff --git a/source3/rpc_server/srv_ntsvcs.c b/source3/rpc_server/srv_ntsvcs.c index 5010990b58..840da3eec4 100644 --- a/source3/rpc_server/srv_ntsvcs.c +++ b/source3/rpc_server/srv_ntsvcs.c @@ -97,23 +97,7 @@ static bool api_ntsvcs_validate_device_instance(pipes_struct *p) static bool api_ntsvcs_get_device_reg_property(pipes_struct *p) { - NTSVCS_Q_GET_DEVICE_REG_PROPERTY q_u; - NTSVCS_R_GET_DEVICE_REG_PROPERTY r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!ntsvcs_io_q_get_device_reg_property("", &q_u, data, 0)) - return False; - - r_u.status = _ntsvcs_get_device_reg_property(p, &q_u, &r_u); - - if(!ntsvcs_io_r_get_device_reg_property("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_ntsvcs_call(p, NDR_PNP_GETDEVICEREGPROP); } /******************************************************************* diff --git a/source3/rpc_server/srv_ntsvcs_nt.c b/source3/rpc_server/srv_ntsvcs_nt.c index 268da52896..f2c85bbd3e 100644 --- a/source3/rpc_server/srv_ntsvcs_nt.c +++ b/source3/rpc_server/srv_ntsvcs_nt.c @@ -93,30 +93,31 @@ WERROR _ntsvcs_get_device_list( pipes_struct *p, NTSVCS_Q_GET_DEVICE_LIST *q_u, } /******************************************************************** +_PNP_GetDeviceRegProp ********************************************************************/ -WERROR _ntsvcs_get_device_reg_property( pipes_struct *p, NTSVCS_Q_GET_DEVICE_REG_PROPERTY *q_u, NTSVCS_R_GET_DEVICE_REG_PROPERTY *r_u ) +WERROR _PNP_GetDeviceRegProp(pipes_struct *p, + struct PNP_GetDeviceRegProp *r) { - fstring devicepath; char *ptr; REGVAL_CTR *values; REGISTRY_VALUE *val; - rpcstr_pull(devicepath, q_u->devicepath.buffer, sizeof(devicepath), q_u->devicepath.uni_str_len*2, 0); - - switch( q_u->property ) { + switch( r->in.property ) { case DEV_REGPROP_DESC: + /* just parse the service name from the device path and then lookup the display name */ - if ( !(ptr = strrchr_m( devicepath, '\\' )) ) + if ( !(ptr = strrchr_m( r->in.devicepath, '\\' )) ) return WERR_GENERAL_FAILURE; *ptr = '\0'; - if ( !(ptr = strrchr_m( devicepath, '_' )) ) + if ( !(ptr = strrchr_m( r->in.devicepath, '_' )) ) return WERR_GENERAL_FAILURE; ptr++; - if ( !(values = svcctl_fetch_regvalues( ptr, p->pipe_user.nt_user_token )) ) + if ( !(values = svcctl_fetch_regvalues( + ptr, p->server_info->ptok))) return WERR_GENERAL_FAILURE; if ( !(val = regval_ctr_getvalue( values, "DisplayName" )) ) { @@ -124,16 +125,27 @@ WERROR _ntsvcs_get_device_reg_property( pipes_struct *p, NTSVCS_Q_GET_DEVICE_REG return WERR_GENERAL_FAILURE; } - r_u->unknown1 = 0x1; /* always 1...tested using a remove device manager connection */ - r_u->size = reg_init_regval_buffer( &r_u->value, val ); - r_u->needed = r_u->size; + if (*r->in.buffer_size < val->size) { + *r->out.needed = val->size; + *r->out.buffer_size = 0; + TALLOC_FREE( values ); + return WERR_CM_BUFFER_SMALL; + } + r->out.buffer = (uint8_t *)talloc_memdup(p->mem_ctx, val->data_p, val->size); TALLOC_FREE(values); + if (!r->out.buffer) { + return WERR_NOMEM; + } + + *r->out.reg_data_type = REG_SZ; /* always 1...tested using a remove device manager connection */ + *r->out.buffer_size = val->size; + *r->out.needed = val->size; break; default: - r_u->unknown1 = 0x00437c98; + *r->out.reg_data_type = 0x00437c98; /* ??? */ return WERR_CM_NO_SUCH_VALUE; } @@ -279,16 +291,6 @@ WERROR _PNP_GetDepth(pipes_struct *p, /**************************************************************** ****************************************************************/ -WERROR _PNP_GetDeviceRegProp(pipes_struct *p, - struct PNP_GetDeviceRegProp *r) -{ - p->rng_fault_state = true; - return WERR_NOT_SUPPORTED; -} - -/**************************************************************** -****************************************************************/ - WERROR _PNP_SetDeviceRegProp(pipes_struct *p, struct PNP_SetDeviceRegProp *r) { diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 2c31d7b3f1..5610e0bf71 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -614,11 +614,6 @@ static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob) ZERO_STRUCT(reply); - /* Set up for non-authenticated user. */ - TALLOC_FREE(p->pipe_user.nt_user_token); - p->pipe_user.ut.ngroups = 0; - SAFE_FREE( p->pipe_user.ut.groups); - /* this has to be done as root in order to verify the password */ become_root(); status = auth_ntlmssp_update(a, *p_resp_blob, &reply); @@ -656,29 +651,8 @@ static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob) "workstation: %s\n", a->ntlmssp_state->user, a->ntlmssp_state->domain, a->ntlmssp_state->workstation)); - /* - * Store the UNIX credential data (uid/gid pair) in the pipe structure. - */ - - p->pipe_user.ut.uid = a->server_info->utok.uid; - p->pipe_user.ut.gid = a->server_info->utok.gid; - - p->pipe_user.ut.ngroups = a->server_info->utok.ngroups; - if (p->pipe_user.ut.ngroups) { - if (!(p->pipe_user.ut.groups = (gid_t *)memdup( - a->server_info->utok.groups, - sizeof(gid_t) * p->pipe_user.ut.ngroups))) { - DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n")); - return False; - } - } - - if (a->server_info->ptok) { - p->pipe_user.nt_user_token = - dup_nt_token(NULL, a->server_info->ptok); - } else { + if (a->server_info->ptok == NULL) { DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n")); - p->pipe_user.nt_user_token = NULL; return False; } @@ -1711,11 +1685,6 @@ bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p) case RPC_ANONYMOUS_AUTH_TYPE: /* Unauthenticated bind request. */ - /* Get the authenticated pipe user from current_user */ - if (!copy_current_user(&p->pipe_user, ¤t_user)) { - DEBUG(10, ("Could not copy current user\n")); - goto err_exit; - } /* We're finished - no more packets. */ p->auth.auth_type = PIPE_AUTH_TYPE_NONE; /* We must set the pipe auth_level here also. */ @@ -2226,23 +2195,6 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss } /**************************************************************************** - Return a user struct for a pipe user. -****************************************************************************/ - -struct current_user *get_current_user(struct current_user *user, pipes_struct *p) -{ - if (p->pipe_bound && - (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP || - (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) { - memcpy(user, &p->pipe_user, sizeof(struct current_user)); - } else { - memcpy(user, ¤t_user, sizeof(struct current_user)); - } - - return user; -} - -/**************************************************************************** Find the set of RPC functions associated with this context_id ****************************************************************************/ diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c index 92f89282cf..1cff95dcab 100644 --- a/source3/rpc_server/srv_pipe_hnd.c +++ b/source3/rpc_server/srv_pipe_hnd.c @@ -20,6 +20,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_named_pipe_auth.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV @@ -161,13 +162,6 @@ static struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx, p->endian = RPC_LITTLE_ENDIAN; - ZERO_STRUCT(p->pipe_user); - - p->pipe_user.vuid = vuid; - p->pipe_user.ut.uid = (uid_t)-1; - p->pipe_user.ut.gid = (gid_t)-1; - p->pipe_user.nt_user_token = dup_nt_token(NULL, server_info->ptok); - /* * Initialize the outgoing RPC data buffer with no memory. */ @@ -899,9 +893,6 @@ static int close_internal_rpc_pipe_hnd(struct pipes_struct *p) /* Free the handles database. */ close_policy_by_pipe(p); - TALLOC_FREE(p->pipe_user.nt_user_token); - SAFE_FREE(p->pipe_user.ut.groups); - DLIST_REMOVE(InternalPipes, p); ZERO_STRUCTP(p); @@ -944,6 +935,17 @@ static struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx, struct np_proxy_state *result; struct sockaddr_un addr; char *socket_path; + const char *socket_dir; + + DATA_BLOB req_blob; + struct netr_SamInfo3 *info3; + struct named_pipe_auth_req req; + DATA_BLOB rep_blob; + uint8 rep_buf[20]; + struct named_pipe_auth_rep rep; + enum ndr_err_code ndr_err; + NTSTATUS status; + ssize_t written; result = talloc(mem_ctx, struct np_proxy_state); if (result == NULL) { @@ -961,8 +963,16 @@ static struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx, ZERO_STRUCT(addr); addr.sun_family = AF_UNIX; - socket_path = talloc_asprintf(talloc_tos(), "%s/%s", - get_dyn_NCALRPCDIR(), "DEFAULT"); + socket_dir = lp_parm_const_string( + GLOBAL_SECTION_SNUM, "external_rpc_pipe", "socket_dir", + get_dyn_NCALRPCDIR()); + if (socket_dir == NULL) { + DEBUG(0, ("externan_rpc_pipe:socket_dir not set\n")); + goto fail; + } + + socket_path = talloc_asprintf(talloc_tos(), "%s/np/%s", + socket_dir, pipe_name); if (socket_path == NULL) { DEBUG(0, ("talloc_asprintf failed\n")); goto fail; @@ -970,11 +980,96 @@ static struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx, strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path)); TALLOC_FREE(socket_path); + become_root(); if (sys_connect(result->fd, (struct sockaddr *)&addr) == -1) { + unbecome_root(); DEBUG(0, ("connect(%s) failed: %s\n", addr.sun_path, strerror(errno))); goto fail; } + unbecome_root(); + + info3 = talloc(talloc_tos(), struct netr_SamInfo3); + if (info3 == NULL) { + DEBUG(0, ("talloc failed\n")); + goto fail; + } + + status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(info3); + DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n", + nt_errstr(status))); + goto fail; + } + + req.level = 1; + req.info.info1 = *info3; + + ndr_err = ndr_push_struct_blob( + &req_blob, talloc_tos(), NULL, &req, + (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(10, ("ndr_push_named_pipe_auth_req failed: %s\n", + ndr_errstr(ndr_err))); + goto fail; + } + + DEBUG(10, ("named_pipe_auth_req(client)[%u]\n", (uint32_t)req_blob.length)); + dump_data(10, req_blob.data, req_blob.length); + + written = write_data(result->fd, (char *)req_blob.data, + req_blob.length); + if (written == -1) { + DEBUG(3, ("Could not write auth req data to RPC server\n")); + goto fail; + } + + status = read_data(result->fd, (char *)rep_buf, sizeof(rep_buf)); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("Could not read auth result\n")); + goto fail; + } + + rep_blob = data_blob_const(rep_buf, sizeof(rep_buf)); + + DEBUG(10,("name_pipe_auth_rep(client)[%u]\n", (uint32_t)rep_blob.length)); + dump_data(10, rep_blob.data, rep_blob.length); + + ndr_err = ndr_pull_struct_blob( + &rep_blob, talloc_tos(), NULL, &rep, + (ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_rep); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(0, ("ndr_pull_named_pipe_auth_rep failed: %s\n", + ndr_errstr(ndr_err))); + goto fail; + } + + if (rep.length != 16) { + DEBUG(0, ("req invalid length: %u != 16\n", + rep.length)); + goto fail; + } + + if (strcmp(NAMED_PIPE_AUTH_MAGIC, rep.magic) != 0) { + DEBUG(0, ("req invalid magic: %s != %s\n", + rep.magic, NAMED_PIPE_AUTH_MAGIC)); + goto fail; + } + + if (!NT_STATUS_IS_OK(rep.status)) { + DEBUG(0, ("req failed: %s\n", + nt_errstr(rep.status))); + goto fail; + } + + if (rep.level != 1) { + DEBUG(0, ("req invalid level: %u != 1\n", + rep.level)); + goto fail; + } return result; @@ -983,9 +1078,10 @@ static struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx, return NULL; } -NTSTATUS np_open(struct smb_request *smb_req, struct connection_struct *conn, - const char *name, struct files_struct **pfsp) +NTSTATUS np_open(struct smb_request *smb_req, const char *name, + struct files_struct **pfsp) { + struct connection_struct *conn = smb_req->conn; NTSTATUS status; struct files_struct *fsp; const char **proxy_list; diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c573173900..cbcd4de60c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -45,6 +45,9 @@ #define DISP_INFO_CACHE_TIMEOUT 10 +#define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */ +#define MAX_SAM_ENTRIES_W95 50 + typedef struct disp_info { DOM_SID sid; /* identify which domain this is. */ bool builtin_domain; /* Quick flag to check if this is the builtin domain. */ @@ -629,7 +632,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, return status; /*check if access can be granted as requested by client. */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 ); se_map_generic( &des_access, &dom_generic_mapping ); @@ -637,7 +640,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, se_priv_copy( &se_rights, &se_machine_account ); se_priv_add( &se_rights, &se_add_users ); - status = access_check_samr_object( psd, p->pipe_user.nt_user_token, + status = access_check_samr_object( psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access, &acc_granted, "_samr_OpenDomain" ); @@ -1009,6 +1012,7 @@ NTSTATUS _samr_EnumDomainUsers(pipes_struct *p, if (!samr_array) { return NT_STATUS_NO_MEMORY; } + *r->out.sam = samr_array; become_root(); @@ -1068,7 +1072,6 @@ NTSTATUS _samr_EnumDomainUsers(pipes_struct *p, samr_array->entries = samr_entries; *r->out.resume_handle = *r->in.resume_handle + num_account; - *r->out.sam = samr_array; *r->out.num_entries = num_account; DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__)); @@ -1481,6 +1484,11 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; + if (info->builtin_domain) { + DEBUG(5,("_samr_QueryDisplayInfo: Nothing in BUILTIN\n")); + return NT_STATUS_OK; + } + status = access_check_samr_function(info->acc_granted, SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, "_samr_QueryDisplayInfo"); @@ -1791,6 +1799,7 @@ NTSTATUS _samr_LookupNames(pipes_struct *p, DOM_SID pol_sid; uint32 acc_granted; struct samr_Ids rids, types; + uint32_t num_mapped = 0; DEBUG(5,("_samr_LookupNames: %d\n", __LINE__)); @@ -1838,10 +1847,18 @@ NTSTATUS _samr_LookupNames(pipes_struct *p, } if (type[i] != SID_NAME_UNKNOWN) { - status = NT_STATUS_OK; + num_mapped++; } } + if (num_mapped == num_rids) { + status = NT_STATUS_OK; + } else if (num_mapped == 0) { + status = NT_STATUS_NONE_MAPPED; + } else { + status = STATUS_SOME_UNMAPPED; + } + rids.count = num_rids; rids.ids = rid; @@ -2163,7 +2180,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, /* check if access can be granted as requested by client. */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); @@ -2171,7 +2188,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, se_priv_copy( &se_rights, &se_machine_account ); se_priv_add( &se_rights, &se_add_users ); - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + nt_status = access_check_samr_object(psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, &acc_granted, "_samr_OpenUser"); @@ -2236,79 +2253,117 @@ static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -/************************************************************************* - get_user_info_7. Safe. Only gives out account_name. - *************************************************************************/ - -static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, - struct samr_UserInfo7 *r, - DOM_SID *user_sid) +static NTSTATUS get_user_info_5(TALLOC_CTX *mem_ctx, + struct samr_UserInfo5 *r, + struct samu *pw, + DOM_SID *domain_sid) { - struct samu *smbpass=NULL; - bool ret; - const char *account_name = NULL; + const DOM_SID *sid_user, *sid_group; + uint32_t rid, primary_gid; + NTTIME last_logon, last_logoff, last_password_change, + acct_expiry; + const char *account_name, *full_name, *home_directory, *home_drive, + *logon_script, *profile_path, *description, + *workstations, *comment; + struct samr_LogonHours logon_hours; ZERO_STRUCTP(r); - if ( !(smbpass = samu_new( mem_ctx )) ) { - return NT_STATUS_NO_MEMORY; + sid_user = pdb_get_user_sid(pw); + + if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) { + DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with " + "the domain sid %s. Failing operation.\n", + pdb_get_username(pw), sid_string_dbg(sid_user), + sid_string_dbg(domain_sid))); + return NT_STATUS_UNSUCCESSFUL; } become_root(); - ret = pdb_getsampwsid(smbpass, user_sid); + sid_group = pdb_get_group_sid(pw); unbecome_root(); - if ( !ret ) { - DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); - return NT_STATUS_NO_SUCH_USER; + if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) { + DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n" + "which conflicts with the domain sid %s. Failing operation.\n", + pdb_get_username(pw), sid_string_dbg(sid_group), + sid_string_dbg(domain_sid))); + return NT_STATUS_UNSUCCESSFUL; } - account_name = talloc_strdup(mem_ctx, pdb_get_username(smbpass)); - if (!account_name) { - TALLOC_FREE(smbpass); - return NT_STATUS_NO_MEMORY; - } - TALLOC_FREE(smbpass); + unix_to_nt_time(&last_logon, pdb_get_logon_time(pw)); + unix_to_nt_time(&last_logoff, pdb_get_logoff_time(pw)); + unix_to_nt_time(&acct_expiry, pdb_get_kickoff_time(pw)); + unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(pw)); + + account_name = talloc_strdup(mem_ctx, pdb_get_username(pw)); + full_name = talloc_strdup(mem_ctx, pdb_get_fullname(pw)); + home_directory = talloc_strdup(mem_ctx, pdb_get_homedir(pw)); + home_drive = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw)); + logon_script = talloc_strdup(mem_ctx, pdb_get_logon_script(pw)); + profile_path = talloc_strdup(mem_ctx, pdb_get_profile_path(pw)); + description = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw)); + workstations = talloc_strdup(mem_ctx, pdb_get_workstations(pw)); + comment = talloc_strdup(mem_ctx, pdb_get_comment(pw)); - DEBUG(3,("User:[%s]\n", account_name)); + logon_hours = get_logon_hours_from_pdb(mem_ctx, pw); - init_samr_user_info7(r, account_name); + init_samr_user_info5(r, + account_name, + full_name, + rid, + primary_gid, + home_directory, + home_drive, + logon_script, + profile_path, + description, + workstations, + last_logon, + last_logoff, + logon_hours, + pdb_get_bad_password_count(pw), + pdb_get_logon_count(pw), + last_password_change, + acct_expiry, + pdb_get_acct_ctrl(pw)); return NT_STATUS_OK; } /************************************************************************* - get_user_info_9. Only gives out primary group SID. + get_user_info_7. Safe. Only gives out account_name. *************************************************************************/ -static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, - struct samr_UserInfo9 *r, - DOM_SID *user_sid) +static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, + struct samr_UserInfo7 *r, + struct samu *smbpass) { - struct samu *smbpass=NULL; - bool ret; + const char *account_name = NULL; ZERO_STRUCTP(r); - if ( !(smbpass = samu_new( mem_ctx )) ) { + account_name = talloc_strdup(mem_ctx, pdb_get_username(smbpass)); + if (!account_name) { return NT_STATUS_NO_MEMORY; } - become_root(); - ret = pdb_getsampwsid(smbpass, user_sid); - unbecome_root(); + init_samr_user_info7(r, account_name); - if (ret==False) { - DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); - TALLOC_FREE(smbpass); - return NT_STATUS_NO_SUCH_USER; - } + return NT_STATUS_OK; +} - DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); +/************************************************************************* + get_user_info_9. Only gives out primary group SID. + *************************************************************************/ - init_samr_user_info9(r, pdb_get_group_rid(smbpass)); +static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, + struct samr_UserInfo9 *r, + struct samu *smbpass) +{ + ZERO_STRUCTP(r); - TALLOC_FREE(smbpass); + init_samr_user_info9(r, pdb_get_group_rid(smbpass)); return NT_STATUS_OK; } @@ -2319,33 +2374,12 @@ static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, struct samr_UserInfo16 *r, - DOM_SID *user_sid) + struct samu *smbpass) { - struct samu *smbpass=NULL; - bool ret; - ZERO_STRUCTP(r); - if ( !(smbpass = samu_new( mem_ctx )) ) { - return NT_STATUS_NO_MEMORY; - } - - become_root(); - ret = pdb_getsampwsid(smbpass, user_sid); - unbecome_root(); - - if (ret==False) { - DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); - TALLOC_FREE(smbpass); - return NT_STATUS_NO_SUCH_USER; - } - - DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); - init_samr_user_info16(r, pdb_get_acct_ctrl(smbpass)); - TALLOC_FREE(smbpass); - return NT_STATUS_OK; } @@ -2410,10 +2444,8 @@ static NTSTATUS get_user_info_18(pipes_struct *p, static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, struct samr_UserInfo20 *r, - DOM_SID *user_sid) + struct samu *sampass) { - struct samu *sampass=NULL; - bool ret; const char *munged_dial = NULL; DATA_BLOB blob; NTSTATUS status; @@ -2421,24 +2453,8 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, ZERO_STRUCTP(r); - if ( !(sampass = samu_new( mem_ctx )) ) { - return NT_STATUS_NO_MEMORY; - } - - become_root(); - ret = pdb_getsampwsid(sampass, user_sid); - unbecome_root(); - - if (ret == False) { - DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); - TALLOC_FREE(sampass); - return NT_STATUS_NO_SUCH_USER; - } - munged_dial = pdb_get_munged_dial(sampass); - samr_clear_sam_passwd(sampass); - DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass), munged_dial, (int)strlen(munged_dial))); @@ -2450,7 +2466,6 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, status = init_samr_parameters_string(mem_ctx, &blob, ¶meters); data_blob_free(&blob); - TALLOC_FREE(sampass); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -2467,12 +2482,10 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, struct samr_UserInfo21 *r, - DOM_SID *user_sid, + struct samu *pw, DOM_SID *domain_sid) { NTSTATUS status; - struct samu *pw = NULL; - bool ret; const DOM_SID *sid_user, *sid_group; uint32_t rid, primary_gid; NTTIME last_logon, last_logoff, last_password_change, @@ -2489,24 +2502,6 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, ZERO_STRUCTP(r); - if (!(pw = samu_new(mem_ctx))) { - return NT_STATUS_NO_MEMORY; - } - - become_root(); - ret = pdb_getsampwsid(pw, user_sid); - unbecome_root(); - - if (ret == False) { - DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); - TALLOC_FREE(pw); - return NT_STATUS_NO_SUCH_USER; - } - - samr_clear_sam_passwd(pw); - - DEBUG(3,("User:[%s]\n", pdb_get_username(pw))); - sid_user = pdb_get_user_sid(pw); if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) { @@ -2514,7 +2509,6 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, "the domain sid %s. Failing operation.\n", pdb_get_username(pw), sid_string_dbg(sid_user), sid_string_dbg(domain_sid))); - TALLOC_FREE(pw); return NT_STATUS_UNSUCCESSFUL; } @@ -2527,7 +2521,6 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, "which conflicts with the domain sid %s. Failing operation.\n", pdb_get_username(pw), sid_string_dbg(sid_group), sid_string_dbg(domain_sid))); - TALLOC_FREE(pw); return NT_STATUS_UNSUCCESSFUL; } @@ -2560,7 +2553,6 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, status = init_samr_parameters_string(mem_ctx, &blob, ¶meters); data_blob_free(&blob); if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(pw); return status; } @@ -2618,7 +2610,6 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, 0, /* nt_password_set */ 0, /* lm_password_set */ password_expired); - TALLOC_FREE(pw); return NT_STATUS_OK; } @@ -2635,6 +2626,8 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p, struct samr_info *info = NULL; DOM_SID domain_sid; uint32 rid; + bool ret = false; + struct samu *pwd = NULL; /* search for the handle */ if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) @@ -2664,52 +2657,54 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p, DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level)); + if (!(pwd = samu_new(p->mem_ctx))) { + return NT_STATUS_NO_MEMORY; + } + + become_root(); + ret = pdb_getsampwsid(pwd, &info->sid); + unbecome_root(); + + if (ret == false) { + DEBUG(4,("User %s not found\n", sid_string_dbg(&info->sid))); + TALLOC_FREE(pwd); + return NT_STATUS_NO_SUCH_USER; + } + + DEBUG(3,("User:[%s]\n", pdb_get_username(pwd))); + + samr_clear_sam_passwd(pwd); + switch (r->in.level) { + case 5: + status = get_user_info_5(p->mem_ctx, &user_info->info5, pwd, &domain_sid); + break; case 7: - status = get_user_info_7(p->mem_ctx, &user_info->info7, &info->sid); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + status = get_user_info_7(p->mem_ctx, &user_info->info7, pwd); break; case 9: - status = get_user_info_9(p->mem_ctx, &user_info->info9, &info->sid); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + status = get_user_info_9(p->mem_ctx, &user_info->info9, pwd); break; case 16: - status = get_user_info_16(p->mem_ctx, &user_info->info16, &info->sid); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + status = get_user_info_16(p->mem_ctx, &user_info->info16, pwd); break; - case 18: + /* level 18 is special */ status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid); - if (!NT_STATUS_IS_OK(status)) { - return status; - } break; - case 20: - status = get_user_info_20(p->mem_ctx, &user_info->info20, &info->sid); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd); break; - case 21: - status = get_user_info_21(p->mem_ctx, &user_info->info21, - &info->sid, &domain_sid); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid); break; - default: - return NT_STATUS_INVALID_INFO_CLASS; + status = NT_STATUS_INVALID_INFO_CLASS; + break; } + TALLOC_FREE(pwd); + *r->out.info = user_info; DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__)); @@ -2717,6 +2712,21 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p, return status; } +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_QueryUserInfo2(pipes_struct *p, + struct samr_QueryUserInfo2 *r) +{ + struct samr_QueryUserInfo u; + + u.in.user_handle = r->in.user_handle; + u.in.level = r->in.level; + u.out.info = r->out.info; + + return _samr_QueryUserInfo(p, &u); +} + /******************************************************************* _samr_GetGroupsForUser ********************************************************************/ @@ -2969,7 +2979,7 @@ NTSTATUS _samr_QueryDomainInfo(pipes_struct *p, lp_workgroup(), global_myname(), seq_num, - 1, + DOMAIN_SERVER_ENABLED, server_role, 1, num_users, @@ -3146,6 +3156,11 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, &disp_info)) return NT_STATUS_INVALID_HANDLE; + if (disp_info->builtin_domain) { + DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n")); + return NT_STATUS_ACCESS_DENIED; + } + nt_status = access_check_samr_function(acc_granted, SAMR_DOMAIN_ACCESS_CREATE_USER, "_samr_CreateUser2"); @@ -3176,7 +3191,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, { se_priv_copy( &se_rights, &se_machine_account ); can_add_account = user_has_privileges( - p->pipe_user.nt_user_token, &se_rights ); + p->server_info->ptok, &se_rights ); } /* usrmgr.exe (and net rpc trustdom grant) creates a normal user account for domain trusts and changes the ACB flags later */ @@ -3185,7 +3200,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, { se_priv_copy( &se_rights, &se_add_users ); can_add_account = user_has_privileges( - p->pipe_user.nt_user_token, &se_rights ); + p->server_info->ptok, &se_rights ); } else /* implicit assumption of a BDC or domain trust account here * (we already check the flags earlier) */ @@ -3194,13 +3209,13 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, /* only Domain Admins can add a BDC or domain trust */ se_priv_copy( &se_rights, &se_priv_none ); can_add_account = nt_token_check_domain_rid( - p->pipe_user.nt_user_token, + p->server_info->ptok, DOMAIN_GROUP_RID_ADMINS ); } } DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n", - uidtoname(p->pipe_user.ut.uid), + uidtoname(p->server_info->utok.uid), can_add_account ? "True":"False" )); /********** BEGIN Admin BLOCK **********/ @@ -3225,13 +3240,13 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, sid_compose(&sid, get_global_sam_sid(), *r->out.rid); - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + nt_status = access_check_samr_object(psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, &acc_granted, "_samr_CreateUser2"); @@ -3261,6 +3276,26 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, return NT_STATUS_OK; } +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_CreateUser(pipes_struct *p, + struct samr_CreateUser *r) +{ + struct samr_CreateUser2 c; + uint32_t access_granted; + + c.in.domain_handle = r->in.domain_handle; + c.in.account_name = r->in.account_name; + c.in.acct_flags = ACB_NORMAL; + c.in.access_mask = r->in.access_mask; + c.out.user_handle = r->out.user_handle; + c.out.access_granted = &access_granted; + c.out.rid = r->out.rid; + + return _samr_CreateUser2(p, &c); +} + /******************************************************************* _samr_Connect ********************************************************************/ @@ -3288,7 +3323,7 @@ NTSTATUS _samr_Connect(pipes_struct *p, was observed from a win98 client trying to enumerate users (when configured user level access control on shares) --jerry */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); se_map_generic( &des_access, &sam_generic_mapping ); info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_OPEN_DOMAIN); @@ -3313,24 +3348,36 @@ NTSTATUS _samr_Connect2(pipes_struct *p, uint32 des_access = r->in.access_mask; NTSTATUS nt_status; size_t sd_size; + const char *fn = "_samr_Connect2"; + switch (p->hdr_req.opnum) { + case NDR_SAMR_CONNECT2: + fn = "_samr_Connect2"; + break; + case NDR_SAMR_CONNECT4: + fn = "_samr_Connect4"; + break; + case NDR_SAMR_CONNECT5: + fn = "_samr_Connect5"; + break; + } - DEBUG(5,("_samr_Connect2: %d\n", __LINE__)); + DEBUG(5,("%s: %d\n", fn, __LINE__)); /* Access check */ if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to _samr_Connect2\n")); + DEBUG(3, ("access denied to %s\n", fn)); return NT_STATUS_ACCESS_DENIED; } - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - NULL, 0, des_access, &acc_granted, "_samr_Connect2"); + nt_status = access_check_samr_object(psd, p->server_info->ptok, + NULL, 0, des_access, &acc_granted, fn); if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; @@ -3346,7 +3393,7 @@ NTSTATUS _samr_Connect2(pipes_struct *p, if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - DEBUG(5,("_samr_Connect2: %d\n", __LINE__)); + DEBUG(5,("%s: %d\n", fn, __LINE__)); return nt_status; } @@ -3358,48 +3405,13 @@ NTSTATUS _samr_Connect2(pipes_struct *p, NTSTATUS _samr_Connect4(pipes_struct *p, struct samr_Connect4 *r) { - struct samr_info *info = NULL; - SEC_DESC *psd = NULL; - uint32 acc_granted; - uint32 des_access = r->in.access_mask; - NTSTATUS nt_status; - size_t sd_size; - - - DEBUG(5,("_samr_Connect4: %d\n", __LINE__)); - - /* Access check */ - - if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to samr_Connect4\n")); - return NT_STATUS_ACCESS_DENIED; - } - - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); - - make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); - se_map_generic(&des_access, &sam_generic_mapping); - - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - NULL, 0, des_access, &acc_granted, "_samr_Connect4"); + struct samr_Connect2 c; - if ( !NT_STATUS_IS_OK(nt_status) ) - return nt_status; - - /* associate the user's SID and access granted with the new handle. */ - if ((info = get_samr_info_by_sid(NULL)) == NULL) - return NT_STATUS_NO_MEMORY; - - info->acc_granted = acc_granted; - info->status = r->in.access_mask; /* ??? */ - - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + c.in.system_name = r->in.system_name; + c.in.access_mask = r->in.access_mask; + c.out.connect_handle = r->out.connect_handle; - DEBUG(5,("_samr_Connect4: %d\n", __LINE__)); - - return NT_STATUS_OK; + return _samr_Connect2(p, &c); } /******************************************************************* @@ -3409,50 +3421,22 @@ NTSTATUS _samr_Connect4(pipes_struct *p, NTSTATUS _samr_Connect5(pipes_struct *p, struct samr_Connect5 *r) { - struct samr_info *info = NULL; - SEC_DESC *psd = NULL; - uint32 acc_granted; - uint32 des_access = r->in.access_mask; - NTSTATUS nt_status; - size_t sd_size; + NTSTATUS status; + struct samr_Connect2 c; struct samr_ConnectInfo1 info1; - DEBUG(5,("_samr_Connect5: %d\n", __LINE__)); + info1.client_version = SAMR_CONNECT_AFTER_W2K; + info1.unknown2 = 0; - /* Access check */ + c.in.system_name = r->in.system_name; + c.in.access_mask = r->in.access_mask; + c.out.connect_handle = r->out.connect_handle; - if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to samr_Connect5\n")); - return NT_STATUS_ACCESS_DENIED; + status = _samr_Connect2(p, &c); + if (!NT_STATUS_IS_OK(status)) { + return status; } - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); - - make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); - se_map_generic(&des_access, &sam_generic_mapping); - - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - NULL, 0, des_access, &acc_granted, "_samr_Connect5"); - - if ( !NT_STATUS_IS_OK(nt_status) ) - return nt_status; - - /* associate the user's SID and access granted with the new handle. */ - if ((info = get_samr_info_by_sid(NULL)) == NULL) - return NT_STATUS_NO_MEMORY; - - info->acc_granted = acc_granted; - info->status = r->in.access_mask; /* ??? */ - - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - - DEBUG(5,("_samr_Connect5: %d\n", __LINE__)); - - info1.client_version = SAMR_CONNECT_AFTER_W2K; - info1.unknown2 = 0; - *r->out.level_out = 1; r->out.info_out->info1 = info1; @@ -3485,6 +3469,9 @@ NTSTATUS _samr_LookupDomain(pipes_struct *p, } domain_name = r->in.domain_name->string; + if (!domain_name) { + return NT_STATUS_INVALID_PARAMETER; + } sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2); if (!sid) { @@ -3595,7 +3582,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, /*check if access can be granted as requested by client. */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0); se_map_generic(&des_access,&ali_generic_mapping); @@ -3603,7 +3590,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, se_priv_copy( &se_rights, &se_add_users ); - status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + status = access_check_samr_object(psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access, &acc_granted, "_samr_OpenAlias"); @@ -3657,13 +3644,11 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, if (id7 == NULL) { DEBUG(5, ("set_user_info_7: NULL id7\n")); - TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; } if (!id7->account_name.string) { DEBUG(5, ("set_user_info_7: failed to get new username\n")); - TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; } @@ -3683,7 +3668,6 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, rc = pdb_rename_sam_account(pwd, id7->account_name.string); - TALLOC_FREE(pwd); return rc; } @@ -3696,23 +3680,18 @@ static bool set_user_info_16(struct samr_UserInfo16 *id16, { if (id16 == NULL) { DEBUG(5, ("set_user_info_16: NULL id16\n")); - TALLOC_FREE(pwd); return False; } /* FIX ME: check if the value is really changed --metze */ if (!pdb_set_acct_ctrl(pwd, id16->acct_flags, PDB_CHANGED)) { - TALLOC_FREE(pwd); return False; } if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { - TALLOC_FREE(pwd); return False; } - TALLOC_FREE(pwd); - return True; } @@ -3725,29 +3704,23 @@ static bool set_user_info_18(struct samr_UserInfo18 *id18, { if (id18 == NULL) { DEBUG(2, ("set_user_info_18: id18 is NULL\n")); - TALLOC_FREE(pwd); return False; } if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd.hash, PDB_CHANGED)) { - TALLOC_FREE(pwd); return False; } if (!pdb_set_nt_passwd (pwd, id18->nt_pwd.hash, PDB_CHANGED)) { - TALLOC_FREE(pwd); return False; } if (!pdb_set_pass_last_set_time (pwd, time(NULL), PDB_CHANGED)) { - TALLOC_FREE(pwd); return False; } if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { - TALLOC_FREE(pwd); return False; } - TALLOC_FREE(pwd); return True; } @@ -3767,12 +3740,9 @@ static bool set_user_info_20(struct samr_UserInfo20 *id20, /* write the change out */ if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { - TALLOC_FREE(pwd); return False; } - TALLOC_FREE(pwd); - return True; } @@ -3791,6 +3761,14 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } + if (id21->fields_present == 0) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (id21->fields_present & SAMR_FIELD_LAST_PWD_CHANGE) { + return NT_STATUS_ACCESS_DENIED; + } + /* we need to separately check for an account rename first */ if (id21->account_name.string && @@ -3816,7 +3794,6 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("set_user_info_21: failed to rename account: %s\n", nt_errstr(status))); - TALLOC_FREE(pwd); return status; } @@ -3847,12 +3824,9 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, /* write the change out */ if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { - TALLOC_FREE(pwd); return status; } - TALLOC_FREE(pwd); - return NT_STATUS_OK; } @@ -3866,7 +3840,7 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, { char *plaintext_buf = NULL; uint32 len = 0; - uint16 acct_ctrl; + uint32_t acct_ctrl; NTSTATUS status; if (id23 == NULL) { @@ -3874,39 +3848,48 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n", - pdb_get_username(pwd))); - - acct_ctrl = pdb_get_acct_ctrl(pwd); - - if (!decode_pw_buffer(mem_ctx, - id23->password.data, - &plaintext_buf, - &len, - STR_UNICODE)) { - TALLOC_FREE(pwd); + if (id23->info.fields_present == 0) { return NT_STATUS_INVALID_PARAMETER; - } + } - if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) { - TALLOC_FREE(pwd); + if (id23->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) { return NT_STATUS_ACCESS_DENIED; } + if ((id23->info.fields_present & SAMR_FIELD_PASSWORD) || + (id23->info.fields_present & SAMR_FIELD_PASSWORD2)) { + + DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n", + pdb_get_username(pwd))); + + if (!decode_pw_buffer(mem_ctx, + id23->password.data, + &plaintext_buf, + &len, + STR_UNICODE)) { + return NT_STATUS_WRONG_PASSWORD; + } + + if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) { + return NT_STATUS_ACCESS_DENIED; + } + } + copy_id23_to_sam_passwd(pwd, id23); + acct_ctrl = pdb_get_acct_ctrl(pwd); + /* if it's a trust account, don't update /etc/passwd */ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n")); - } else { + } else if (plaintext_buf) { /* update the UNIX password */ if (lp_unix_password_sync() ) { struct passwd *passwd; if (pdb_get_username(pwd) == NULL) { DEBUG(1, ("chgpasswd: User without name???\n")); - TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; } @@ -3916,29 +3899,26 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, } if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { - TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; } TALLOC_FREE(passwd); } } - memset(plaintext_buf, '\0', strlen(plaintext_buf)); + if (plaintext_buf) { + memset(plaintext_buf, '\0', strlen(plaintext_buf)); + } if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) && (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx, pwd)))) { - TALLOC_FREE(pwd); return status; } if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { - TALLOC_FREE(pwd); return status; } - TALLOC_FREE(pwd); - return NT_STATUS_OK; } @@ -3969,12 +3949,10 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd, &plaintext_buf, &len, STR_UNICODE)) { - TALLOC_FREE(pwd); return False; } if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) { - TALLOC_FREE(pwd); return False; } @@ -3990,7 +3968,6 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd, if (pdb_get_username(pwd) == NULL) { DEBUG(1, ("chgpasswd: User without name???\n")); - TALLOC_FREE(pwd); return False; } @@ -4000,7 +3977,6 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd, } if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { - TALLOC_FREE(pwd); return False; } TALLOC_FREE(passwd); @@ -4028,12 +4004,9 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd, /* update the SAMBA password */ if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { - TALLOC_FREE(pwd); return False; } - TALLOC_FREE(pwd); - return True; } @@ -4052,11 +4025,18 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } + if (id25->info.fields_present == 0) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (id25->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) { + return NT_STATUS_ACCESS_DENIED; + } + copy_id25_to_sam_passwd(pwd, id25); /* write the change out */ if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { - TALLOC_FREE(pwd); return status; } @@ -4075,9 +4055,6 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, } } - /* WARNING: No TALLOC_FREE(pwd), we are about to set the password - * hereafter! */ - return NT_STATUS_OK; } @@ -4162,20 +4139,20 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, acb_info = pdb_get_acct_ctrl(pwd); if (acb_info & ACB_WSTRUST) - has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token, + has_enough_rights = user_has_privileges(p->server_info->ptok, &se_machine_account); else if (acb_info & ACB_NORMAL) - has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token, + has_enough_rights = user_has_privileges(p->server_info->ptok, &se_add_users); else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) { if (lp_enable_privileges()) { - has_enough_rights = nt_token_check_domain_rid(p->pipe_user.nt_user_token, + has_enough_rights = nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_GROUP_RID_ADMINS); } } DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n", - uidtoname(p->pipe_user.ut.uid), + uidtoname(p->server_info->utok.uid), has_enough_rights ? "" : " not")); /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ @@ -4242,7 +4219,7 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, if (!set_user_info_pw(info->info24.password.data, pwd, switch_value)) { - status = NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_WRONG_PASSWORD; } break; @@ -4263,7 +4240,7 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, } if (!set_user_info_pw(info->info25.password.data, pwd, switch_value)) { - status = NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_WRONG_PASSWORD; } break; @@ -4279,7 +4256,7 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, if (!set_user_info_pw(info->info26.password.data, pwd, switch_value)) { - status = NT_STATUS_ACCESS_DENIED; + status = NT_STATUS_WRONG_PASSWORD; } break; @@ -4289,6 +4266,8 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, done: + TALLOC_FREE(pwd); + if (has_enough_rights) { unbecome_root(); } @@ -4553,7 +4532,7 @@ NTSTATUS _samr_AddAliasMember(pipes_struct *p, DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -4603,7 +4582,7 @@ NTSTATUS _samr_DeleteAliasMember(pipes_struct *p, sid_string_dbg(&alias_sid))); se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -4658,7 +4637,7 @@ NTSTATUS _samr_AddGroupMember(pipes_struct *p, } se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -4716,7 +4695,7 @@ NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, } se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -4787,9 +4766,9 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p, /* For machine accounts it's the SeMachineAccountPrivilege that counts. */ if ( acb_info & ACB_WSTRUST ) { - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_machine_account ); } else { - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_add_users ); } /******** BEGIN SeAddUsers BLOCK *********/ @@ -4861,7 +4840,7 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, } se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -4936,7 +4915,7 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, DEBUG(10, ("lookup on Local SID\n")); se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -5005,7 +4984,7 @@ NTSTATUS _samr_CreateDomainGroup(pipes_struct *p, } se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -5079,7 +5058,7 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p, name = r->in.alias_name->string; se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); result = can_create(p->mem_ctx, name); if (!NT_STATUS_IS_OK(result)) { @@ -5291,7 +5270,7 @@ NTSTATUS _samr_SetGroupInfo(pipes_struct *p, return NT_STATUS_INVALID_INFO_CLASS; } - can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); + can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -5393,7 +5372,7 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p, return NT_STATUS_INVALID_INFO_CLASS; } - can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); + can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users ); /******** BEGIN SeAddUsers BLOCK *********/ @@ -5481,14 +5460,14 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p, return status; /*check if access can be granted as requested by client. */ - map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); + map_max_allowed_access(p->server_info->ptok, &des_access); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0); se_map_generic(&des_access,&grp_generic_mapping); se_priv_copy( &se_rights, &se_add_users ); - status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + status = access_check_samr_object(psd, p->server_info->ptok, &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access, &acc_granted, "_samr_OpenGroup"); @@ -5842,16 +5821,6 @@ NTSTATUS _samr_Shutdown(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_CreateUser(pipes_struct *p, - struct samr_CreateUser *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p, struct samr_SetMemberAttributesOfGroup *r) { @@ -5892,16 +5861,6 @@ NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_QueryUserInfo2(pipes_struct *p, - struct samr_QueryUserInfo2 *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p, struct samr_AddMultipleMembersToAlias *r) { diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c index 577f7f1ded..744de67db4 100644 --- a/source3/rpc_server/srv_spoolss_nt.c +++ b/source3/rpc_server/srv_spoolss_nt.c @@ -388,7 +388,8 @@ static WERROR delete_printer_handle(pipes_struct *p, POLICY_HND *hnd) return WERR_BADFID; } - return delete_printer_hook(p->mem_ctx, p->pipe_user.nt_user_token, Printer->sharename ); + return delete_printer_hook(p->mem_ctx, p->server_info->ptok, + Printer->sharename ); } /**************************************************************************** @@ -1656,13 +1657,13 @@ WERROR _spoolss_open_printer_ex( pipes_struct *p, SPOOL_Q_OPEN_PRINTER_EX *q_u, /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege, and not a printer admin, then fail */ - if ((p->pipe_user.ut.uid != 0) && - !user_has_privileges(p->pipe_user.nt_user_token, + if ((p->server_info->utok.uid != 0) && + !user_has_privileges(p->server_info->ptok, &se_printop ) && !token_contains_name_in_list( - uidtoname(p->pipe_user.ut.uid), + uidtoname(p->server_info->utok.uid), NULL, NULL, - p->pipe_user.nt_user_token, + p->server_info->ptok, lp_printer_admin(snum))) { close_printer_handle(p, handle); return WERR_ACCESS_DENIED; @@ -1715,8 +1716,8 @@ WERROR _spoolss_open_printer_ex( pipes_struct *p, SPOOL_Q_OPEN_PRINTER_EX *q_u, return WERR_ACCESS_DENIED; } - if (!user_ok_token(uidtoname(p->pipe_user.ut.uid), NULL, - p->pipe_user.nt_user_token, snum) || + if (!user_ok_token(uidtoname(p->server_info->utok.uid), NULL, + p->server_info->ptok, snum) || !print_access_check(p->server_info, snum, printer_default->access_required)) { DEBUG(3, ("access DENIED for printer open\n")); @@ -2018,11 +2019,11 @@ WERROR _spoolss_deleteprinterdriver(pipes_struct *p, SPOOL_Q_DELETEPRINTERDRIVER /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege, and not a printer admin, then fail */ - if ( (p->pipe_user.ut.uid != 0) - && !user_has_privileges(p->pipe_user.nt_user_token, &se_printop ) + if ( (p->server_info->utok.uid != 0) + && !user_has_privileges(p->server_info->ptok, &se_printop ) && !token_contains_name_in_list( - uidtoname(p->pipe_user.ut.uid), NULL, - NULL, p->pipe_user.nt_user_token, + uidtoname(p->server_info->utok.uid), NULL, + NULL, p->server_info->ptok, lp_printer_admin(-1)) ) { return WERR_ACCESS_DENIED; @@ -2070,7 +2071,8 @@ WERROR _spoolss_deleteprinterdriver(pipes_struct *p, SPOOL_Q_DELETEPRINTERDRIVER /* if we get to here, we now have 2 driver info structures to remove */ /* remove the Win2k driver first*/ - status_win2k = delete_printer_driver(info_win2k.info_3, &p->pipe_user, 3, False ); + status_win2k = delete_printer_driver( + p, info_win2k.info_3, 3, False ); free_a_printer_driver( info_win2k, 3 ); /* this should not have failed---if it did, report to client */ @@ -2082,7 +2084,7 @@ WERROR _spoolss_deleteprinterdriver(pipes_struct *p, SPOOL_Q_DELETEPRINTERDRIVER } } - status = delete_printer_driver(info.info_3, &p->pipe_user, version, False); + status = delete_printer_driver(p, info.info_3, version, False); /* if at least one of the deletes succeeded return OK */ @@ -2115,11 +2117,11 @@ WERROR _spoolss_deleteprinterdriverex(pipes_struct *p, SPOOL_Q_DELETEPRINTERDRIV /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege, and not a printer admin, then fail */ - if ( (p->pipe_user.ut.uid != 0) - && !user_has_privileges(p->pipe_user.nt_user_token, &se_printop ) + if ( (p->server_info->utok.uid != 0) + && !user_has_privileges(p->server_info->ptok, &se_printop ) && !token_contains_name_in_list( - uidtoname(p->pipe_user.ut.uid), NULL, NULL, - p->pipe_user.nt_user_token, lp_printer_admin(-1)) ) + uidtoname(p->server_info->utok.uid), NULL, NULL, + p->server_info->ptok, lp_printer_admin(-1)) ) { return WERR_ACCESS_DENIED; } @@ -2205,7 +2207,8 @@ WERROR _spoolss_deleteprinterdriverex(pipes_struct *p, SPOOL_Q_DELETEPRINTERDRIV /* if we get to here, we now have 2 driver info structures to remove */ /* remove the Win2k driver first*/ - status_win2k = delete_printer_driver(info_win2k.info_3, &p->pipe_user, 3, delete_files); + status_win2k = delete_printer_driver( + p, info_win2k.info_3, 3, delete_files); free_a_printer_driver( info_win2k, 3 ); /* this should not have failed---if it did, report to client */ @@ -2215,7 +2218,7 @@ WERROR _spoolss_deleteprinterdriverex(pipes_struct *p, SPOOL_Q_DELETEPRINTERDRIV } } - status = delete_printer_driver(info.info_3, &p->pipe_user, version, delete_files); + status = delete_printer_driver(p, info.info_3, version, delete_files); if ( W_ERROR_IS_OK(status) || W_ERROR_IS_OK(status_win2k) ) status = WERR_OK; @@ -6388,7 +6391,8 @@ static WERROR update_printer(pipes_struct *p, POLICY_HND *handle, uint32 level, { /* add_printer_hook() will call reload_services() */ - if ( !add_printer_hook(p->mem_ctx, p->pipe_user.nt_user_token, printer) ) { + if ( !add_printer_hook(p->mem_ctx, p->server_info->ptok, + printer) ) { result = WERR_ACCESS_DENIED; goto done; } @@ -7482,11 +7486,11 @@ WERROR enumports_hook(TALLOC_CTX *ctx, int *count, char ***lines ) /* if no hook then just fill in the default port */ if ( !*cmd ) { - if (!(qlines = SMB_MALLOC_ARRAY( char*, 2 ))) { + if (!(qlines = TALLOC_ARRAY( NULL, char*, 2 ))) { return WERR_NOMEM; } - if (!(qlines[0] = SMB_STRDUP( SAMBA_PRINTER_PORT_NAME ))) { - SAFE_FREE(qlines); + if (!(qlines[0] = talloc_strdup(qlines, SAMBA_PRINTER_PORT_NAME ))) { + TALLOC_FREE(qlines); return WERR_NOMEM; } qlines[1] = NULL; @@ -7728,7 +7732,8 @@ static WERROR spoolss_addprinterex_level_2( pipes_struct *p, const UNISTR2 *uni_ trying to add a printer like this --jerry */ if (*lp_addprinter_cmd() ) { - if ( !add_printer_hook(p->mem_ctx, p->pipe_user.nt_user_token, printer) ) { + if ( !add_printer_hook(p->mem_ctx, p->server_info->ptok, + printer) ) { free_a_printer(&printer,2); return WERR_ACCESS_DENIED; } @@ -7855,12 +7860,13 @@ WERROR _spoolss_addprinterdriver(pipes_struct *p, SPOOL_Q_ADDPRINTERDRIVER *q_u, } DEBUG(5,("Cleaning driver's information\n")); - err = clean_up_driver_struct(driver, level, &p->pipe_user); + err = clean_up_driver_struct(p, driver, level); if (!W_ERROR_IS_OK(err)) goto done; DEBUG(5,("Moving driver to final destination\n")); - if( !W_ERROR_IS_OK(err = move_driver_to_download_area(driver, level, &p->pipe_user, &err)) ) { + if( !W_ERROR_IS_OK(err = move_driver_to_download_area(p, driver, level, + &err)) ) { goto done; } @@ -9935,10 +9941,10 @@ WERROR _spoolss_xcvdataport(pipes_struct *p, SPOOL_Q_XCVDATAPORT *q_u, SPOOL_R_X switch ( Printer->printer_type ) { case SPLHND_PORTMON_TCP: - return process_xcvtcp_command( p->pipe_user.nt_user_token, command, + return process_xcvtcp_command( p->server_info->ptok, command, &q_u->indata, &r_u->outdata, &r_u->needed ); case SPLHND_PORTMON_LOCAL: - return process_xcvlocal_command( p->pipe_user.nt_user_token, command, + return process_xcvlocal_command( p->server_info->ptok, command, &q_u->indata, &r_u->outdata, &r_u->needed ); } diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c index 9d9e9af59b..bf3669022d 100644 --- a/source3/rpc_server/srv_srvsvc_nt.c +++ b/source3/rpc_server/srv_srvsvc_nt.c @@ -262,7 +262,7 @@ static void init_srv_share_info_1(pipes_struct *p, struct srvsvc_NetShareInfo1 * remark = talloc_sub_advanced( p->mem_ctx, lp_servicename(snum), get_current_username(), lp_pathname(snum), - p->pipe_user.ut.uid, get_current_username(), + p->server_info->utok.uid, get_current_username(), "", remark); } @@ -289,7 +289,7 @@ static void init_srv_share_info_2(pipes_struct *p, struct srvsvc_NetShareInfo2 * remark = talloc_sub_advanced( p->mem_ctx, lp_servicename(snum), get_current_username(), lp_pathname(snum), - p->pipe_user.ut.uid, get_current_username(), + p->server_info->utok.uid, get_current_username(), "", remark); } path = talloc_asprintf(p->mem_ctx, @@ -355,7 +355,7 @@ static void init_srv_share_info_501(pipes_struct *p, struct srvsvc_NetShareInfo5 remark = talloc_sub_advanced( p->mem_ctx, lp_servicename(snum), get_current_username(), lp_pathname(snum), - p->pipe_user.ut.uid, get_current_username(), + p->server_info->utok.uid, get_current_username(), "", remark); } @@ -383,7 +383,7 @@ static void init_srv_share_info_502(pipes_struct *p, struct srvsvc_NetShareInfo5 remark = talloc_sub_advanced( p->mem_ctx, lp_servicename(snum), get_current_username(), lp_pathname(snum), - p->pipe_user.ut.uid, get_current_username(), + p->server_info->utok.uid, get_current_username(), "", remark); } path = talloc_asprintf(ctx, "C:%s", lp_pathname(snum)); @@ -422,7 +422,7 @@ static void init_srv_share_info_1004(pipes_struct *p, struct srvsvc_NetShareInfo remark = talloc_sub_advanced( p->mem_ctx, lp_servicename(snum), get_current_username(), lp_pathname(snum), - p->pipe_user.ut.uid, get_current_username(), + p->server_info->utok.uid, get_current_username(), "", remark); } @@ -1225,7 +1225,6 @@ WERROR _srvsvc_NetSessDel(pipes_struct *p, struct srvsvc_NetSessDel *r) { struct sessionid *session_list; - struct current_user user; int num_sessions, snum; const char *username; const char *machine; @@ -1246,12 +1245,11 @@ WERROR _srvsvc_NetSessDel(pipes_struct *p, werr = WERR_ACCESS_DENIED; - get_current_user(&user, p); - /* fail out now if you are not root or not a domain admin */ - if ((user.ut.uid != sec_initial_uid()) && - ( ! nt_token_check_domain_rid(p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS))) { + if ((p->server_info->utok.uid != sec_initial_uid()) && + ( ! nt_token_check_domain_rid(p->server_info->ptok, + DOMAIN_GROUP_RID_ADMINS))) { goto done; } @@ -1263,7 +1261,7 @@ WERROR _srvsvc_NetSessDel(pipes_struct *p, NTSTATUS ntstat; - if (user.ut.uid != sec_initial_uid()) { + if (p->server_info->utok.uid != sec_initial_uid()) { not_root = True; become_root(); } @@ -1466,7 +1464,6 @@ char *valid_share_pathname(TALLOC_CTX *ctx, const char *dos_pathname) WERROR _srvsvc_NetShareSetInfo(pipes_struct *p, struct srvsvc_NetShareSetInfo *r) { - struct current_user user; char *command = NULL; char *share_name = NULL; char *comment = NULL; @@ -1510,13 +1507,11 @@ WERROR _srvsvc_NetShareSetInfo(pipes_struct *p, if (lp_print_ok(snum)) return WERR_ACCESS_DENIED; - get_current_user(&user,p); - - is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop ); + is_disk_op = user_has_privileges( p->server_info->ptok, &se_diskop ); /* fail out now if you are not root and not a disk op */ - if ( user.ut.uid != sec_initial_uid() && !is_disk_op ) + if ( p->server_info->utok.uid != sec_initial_uid() && !is_disk_op ) return WERR_ACCESS_DENIED; switch (r->in.level) { @@ -1683,7 +1678,6 @@ WERROR _srvsvc_NetShareSetInfo(pipes_struct *p, WERROR _srvsvc_NetShareAdd(pipes_struct *p, struct srvsvc_NetShareAdd *r) { - struct current_user user; char *command = NULL; char *share_name = NULL; char *comment = NULL; @@ -1704,11 +1698,9 @@ WERROR _srvsvc_NetShareAdd(pipes_struct *p, *r->out.parm_error = 0; } - get_current_user(&user,p); + is_disk_op = user_has_privileges( p->server_info->ptok, &se_diskop ); - is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop ); - - if (user.ut.uid != sec_initial_uid() && !is_disk_op ) + if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op ) return WERR_ACCESS_DENIED; if (!lp_add_share_cmd() || !*lp_add_share_cmd()) { @@ -1868,7 +1860,6 @@ WERROR _srvsvc_NetShareAdd(pipes_struct *p, WERROR _srvsvc_NetShareDel(pipes_struct *p, struct srvsvc_NetShareDel *r) { - struct current_user user; char *command = NULL; char *share_name = NULL; int ret; @@ -1901,11 +1892,9 @@ WERROR _srvsvc_NetShareDel(pipes_struct *p, if (lp_print_ok(snum)) return WERR_ACCESS_DENIED; - get_current_user(&user,p); - - is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop ); + is_disk_op = user_has_privileges( p->server_info->ptok, &se_diskop ); - if (user.ut.uid != sec_initial_uid() && !is_disk_op ) + if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op ) return WERR_ACCESS_DENIED; if (!lp_delete_share_cmd() || !*lp_delete_share_cmd()) { @@ -2050,7 +2039,8 @@ WERROR _srvsvc_NetGetFileSecurity(pipes_struct *p, } nt_status = create_conn_struct(talloc_tos(), &conn, snum, - lp_pathname(snum), &oldcwd); + lp_pathname(snum), p->server_info, + &oldcwd); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(10, ("create_conn_struct failed: %s\n", nt_errstr(nt_status))); @@ -2058,8 +2048,6 @@ WERROR _srvsvc_NetGetFileSecurity(pipes_struct *p, goto error_exit; } - conn->server_info = p->server_info; - nt_status = create_file( conn, /* conn */ NULL, /* req */ @@ -2165,7 +2153,8 @@ WERROR _srvsvc_NetSetFileSecurity(pipes_struct *p, } nt_status = create_conn_struct(talloc_tos(), &conn, snum, - lp_pathname(snum), &oldcwd); + lp_pathname(snum), p->server_info, + &oldcwd); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(10, ("create_conn_struct failed: %s\n", nt_errstr(nt_status))); @@ -2173,8 +2162,6 @@ WERROR _srvsvc_NetSetFileSecurity(pipes_struct *p, goto error_exit; } - conn->server_info = p->server_info; - nt_status = create_file( conn, /* conn */ NULL, /* req */ @@ -2411,17 +2398,14 @@ static void enum_file_close_fn( const struct share_mode_entry *e, WERROR _srvsvc_NetFileClose(pipes_struct *p, struct srvsvc_NetFileClose *r) { - struct current_user user; SE_PRIV se_diskop = SE_DISK_OPERATOR; bool is_disk_op; DEBUG(5,("_srvsvc_NetFileClose: %d\n", __LINE__)); - get_current_user(&user,p); - - is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop ); + is_disk_op = user_has_privileges( p->server_info->ptok, &se_diskop ); - if (user.ut.uid != sec_initial_uid() && !is_disk_op) { + if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op) { return WERR_ACCESS_DENIED; } diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c index cb6657400f..6692160ba2 100644 --- a/source3/rpc_server/srv_svcctl_nt.c +++ b/source3/rpc_server/srv_svcctl_nt.c @@ -272,7 +272,8 @@ WERROR _svcctl_OpenSCManagerW(pipes_struct *p, return WERR_NOMEM; se_map_generic( &r->in.access_mask, &scm_generic_map ); - status = svcctl_access_check( sec_desc, p->pipe_user.nt_user_token, r->in.access_mask, &access_granted ); + status = svcctl_access_check( sec_desc, p->server_info->ptok, + r->in.access_mask, &access_granted ); if ( !NT_STATUS_IS_OK(status) ) return ntstatus_to_werror( status ); @@ -309,7 +310,8 @@ WERROR _svcctl_OpenServiceW(pipes_struct *p, return WERR_NOMEM; se_map_generic( &r->in.access_mask, &svc_generic_map ); - status = svcctl_access_check( sec_desc, p->pipe_user.nt_user_token, r->in.access_mask, &access_granted ); + status = svcctl_access_check( sec_desc, p->server_info->ptok, + r->in.access_mask, &access_granted ); if ( !NT_STATUS_IS_OK(status) ) return ntstatus_to_werror( status ); @@ -347,7 +349,8 @@ WERROR _svcctl_GetServiceDisplayNameW(pipes_struct *p, service = r->in.service_name; - display_name = svcctl_lookup_dispname(p->mem_ctx, service, p->pipe_user.nt_user_token ); + display_name = svcctl_lookup_dispname(p->mem_ctx, service, + p->server_info->ptok); if (!display_name) { display_name = ""; } @@ -424,7 +427,7 @@ WERROR _svcctl_enum_services_status(pipes_struct *p, SVCCTL_Q_ENUM_SERVICES_STAT size_t buffer_size = 0; WERROR result = WERR_OK; SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); - NT_USER_TOKEN *token = p->pipe_user.nt_user_token; + NT_USER_TOKEN *token = p->server_info->ptok; /* perform access checks */ @@ -517,11 +520,9 @@ WERROR _svcctl_ControlService(pipes_struct *p, return info->ops->service_status( info->name, r->out.service_status ); + default: + return WERR_ACCESS_DENIED; } - - /* default control action */ - - return WERR_ACCESS_DENIED; } /******************************************************************** @@ -682,7 +683,8 @@ WERROR _svcctl_QueryServiceConfigW(pipes_struct *p, *r->out.bytes_needed = r->in.buf_size; - wresult = fill_svc_config( p->mem_ctx, info->name, r->out.query, p->pipe_user.nt_user_token ); + wresult = fill_svc_config( p->mem_ctx, info->name, r->out.query, + p->server_info->ptok); if ( !W_ERROR_IS_OK(wresult) ) return wresult; @@ -690,7 +692,7 @@ WERROR _svcctl_QueryServiceConfigW(pipes_struct *p, *r->out.bytes_needed = (buffer_size > r->in.buf_size) ? buffer_size : r->in.buf_size; if (buffer_size > r->in.buf_size ) { - TALLOC_FREE(r->out.query); + ZERO_STRUCTP(r->out.query); return WERR_INSUFFICIENT_BUFFER; } @@ -725,7 +727,8 @@ WERROR _svcctl_query_service_config2( pipes_struct *p, SVCCTL_Q_QUERY_SERVICE_CO SERVICE_DESCRIPTION desc_buf; const char *description; - description = svcctl_lookup_description(p->mem_ctx, info->name, p->pipe_user.nt_user_token ); + description = svcctl_lookup_description( + p->mem_ctx, info->name, p->server_info->ptok); ZERO_STRUCTP( &desc_buf ); @@ -905,7 +908,8 @@ WERROR _svcctl_SetServiceObjectSecurity(pipes_struct *p, /* store the new SD */ - if ( !svcctl_set_secdesc( p->mem_ctx, info->name, sec_desc, p->pipe_user.nt_user_token ) ) + if ( !svcctl_set_secdesc( p->mem_ctx, info->name, sec_desc, + p->server_info->ptok) ) return WERR_ACCESS_DENIED; return WERR_OK; diff --git a/source3/rpc_server/srv_winreg_nt.c b/source3/rpc_server/srv_winreg_nt.c index 7e842ed54d..1131033b04 100644 --- a/source3/rpc_server/srv_winreg_nt.c +++ b/source3/rpc_server/srv_winreg_nt.c @@ -70,7 +70,7 @@ static WERROR open_registry_key( pipes_struct *p, POLICY_HND *hnd, if (parent == NULL) { result = reg_openhive(NULL, subkeyname, access_desired, - p->pipe_user.nt_user_token, &key); + p->server_info->ptok, &key); } else { result = reg_openkey(NULL, parent, subkeyname, access_desired, @@ -556,7 +556,8 @@ WERROR _winreg_InitiateSystemShutdownEx(pipes_struct *p, struct winreg_InitiateS return WERR_NOMEM; } - can_shutdown = user_has_privileges( p->pipe_user.nt_user_token, &se_remote_shutdown ); + can_shutdown = user_has_privileges( p->server_info->ptok, + &se_remote_shutdown ); /* IF someone has privs, run the shutdown script as root. OTHERWISE run it as not root Take the error return from the script and provide it as the Windows return code. */ @@ -594,7 +595,8 @@ WERROR _winreg_AbortSystemShutdown(pipes_struct *p, struct winreg_AbortSystemShu if (!*abort_shutdown_script) return WERR_ACCESS_DENIED; - can_shutdown = user_has_privileges( p->pipe_user.nt_user_token, &se_remote_shutdown ); + can_shutdown = user_has_privileges( p->server_info->ptok, + &se_remote_shutdown ); /********** BEGIN SeRemoteShutdownPrivilege BLOCK **********/ @@ -682,7 +684,7 @@ WERROR _winreg_RestoreKey(pipes_struct *p, struct winreg_RestoreKey *r) /* user must posses SeRestorePrivilege for this this proceed */ - if ( !user_has_privileges( p->pipe_user.nt_user_token, &se_restore ) ) + if ( !user_has_privileges( p->server_info->ptok, &se_restore ) ) return WERR_ACCESS_DENIED; DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n", diff --git a/source3/rpc_server/srv_wkssvc_nt.c b/source3/rpc_server/srv_wkssvc_nt.c index 0a54b0dd3f..7071b55e7c 100644 --- a/source3/rpc_server/srv_wkssvc_nt.c +++ b/source3/rpc_server/srv_wkssvc_nt.c @@ -293,7 +293,7 @@ WERROR _wkssvc_NetrJoinDomain2(pipes_struct *p, char *admin_domain = NULL; char *admin_account = NULL; WERROR werr; - struct nt_user_token *token = p->pipe_user.nt_user_token; + struct nt_user_token *token = p->server_info->ptok; if (!r->in.domain_name) { return WERR_INVALID_PARAM; @@ -368,7 +368,7 @@ WERROR _wkssvc_NetrUnjoinDomain2(pipes_struct *p, char *admin_domain = NULL; char *admin_account = NULL; WERROR werr; - struct nt_user_token *token = p->pipe_user.nt_user_token; + struct nt_user_token *token = p->server_info->ptok; if (!r->in.account || !r->in.encrypted_password) { return WERR_INVALID_PARAM; diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c index 9e3f35545c..9955d2d3fa 100644 --- a/source3/rpcclient/cmd_netlogon.c +++ b/source3/rpcclient/cmd_netlogon.c @@ -1040,6 +1040,72 @@ static WERROR cmd_netlogon_getdcsitecoverage(struct rpc_pipe_client *cli, return werr; } +static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, int argc, + const char **argv) +{ + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + const char *server_name = cli->desthost; + uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + struct netr_Authenticator clnt_creds, srv_cred; + struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; + unsigned char trust_passwd_hash[16]; + uint32_t sec_channel_type = 0; + struct netr_ChangeLogEntry e; + uint32_t rid = 500; + + if (argc > 2) { + fprintf(stderr, "Usage: %s <user rid>\n", argv[0]); + return NT_STATUS_OK; + } + + if (argc == 2) { + sscanf(argv[1], "%d", &rid); + } + + if (!secrets_fetch_trust_account_password(lp_workgroup(), + trust_passwd_hash, + NULL, &sec_channel_type)) { + return NT_STATUS_UNSUCCESSFUL; + } + + status = rpccli_netlogon_setup_creds(cli, + server_name, /* server name */ + lp_workgroup(), /* domain */ + global_myname(), /* client name */ + global_myname(), /* machine account name */ + trust_passwd_hash, + sec_channel_type, + &neg_flags); + + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + netlogon_creds_client_step(cli->dc, &clnt_creds); + + ZERO_STRUCT(e); + + e.object_rid = rid; + e.db_index = SAM_DATABASE_DOMAIN; + e.delta_type = NETR_DELTA_USER; + + status = rpccli_netr_DatabaseRedo(cli, mem_ctx, + server_name, + global_myname(), + &clnt_creds, + &srv_cred, + e, + 0, /* is calculated automatically */ + &delta_enum_array); + + if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) { + DEBUG(0,("credentials chain check failed\n")); + return NT_STATUS_ACCESS_DENIED; + } + + return status; +} /* List of commands exported by this module */ @@ -1067,6 +1133,7 @@ struct cmd_set netlogon_commands[] = { { "netrenumtrusteddomains", RPC_RTYPE_WERROR, NULL, cmd_netlogon_enumtrusteddomains, &ndr_table_netlogon.syntax_id, NULL, "Enumerate trusted domains", "" }, { "netrenumtrusteddomainsex", RPC_RTYPE_WERROR, NULL, cmd_netlogon_enumtrusteddomainsex, &ndr_table_netlogon.syntax_id, NULL, "Enumerate trusted domains", "" }, { "getdcsitecoverage", RPC_RTYPE_WERROR, NULL, cmd_netlogon_getdcsitecoverage, &ndr_table_netlogon.syntax_id, NULL, "Get the Site-Coverage from a DC", "" }, + { "database_redo", RPC_RTYPE_NTSTATUS, cmd_netlogon_database_redo, NULL, &ndr_table_netlogon.syntax_id, NULL, "Replicate single object from a DC", "" }, { NULL } }; diff --git a/source3/rpcclient/cmd_ntsvcs.c b/source3/rpcclient/cmd_ntsvcs.c index 377a8a2a00..eb620d06b2 100644 --- a/source3/rpcclient/cmd_ntsvcs.c +++ b/source3/rpcclient/cmd_ntsvcs.c @@ -75,44 +75,6 @@ static WERROR cmd_ntsvcs_validate_dev_inst(struct rpc_pipe_client *cli, return werr; } -static WERROR cmd_ntsvcs_get_device_list_size(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - int argc, - const char **argv) -{ - NTSTATUS status; - WERROR werr; - const char *devicename = NULL; - uint32_t flags = 0; - uint32_t size = 0; - - if (argc < 2 || argc > 4) { - printf("usage: %s [devicename] <flags>\n", argv[0]); - return WERR_OK; - } - - devicename = argv[1]; - - if (argc >= 3) { - flags = atoi(argv[2]); - } - - status = rpccli_PNP_GetDeviceListSize(cli, mem_ctx, - devicename, - &size, - flags, - &werr); - if (!NT_STATUS_IS_OK(status)) { - return ntstatus_to_werror(status); - } - - if (W_ERROR_IS_OK(werr)) { - printf("size: %d\n", size); - } - - return werr; -} - static WERROR cmd_ntsvcs_hw_prof_flags(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, @@ -121,8 +83,8 @@ static WERROR cmd_ntsvcs_hw_prof_flags(struct rpc_pipe_client *cli, NTSTATUS status; WERROR werr; const char *devicepath = NULL; - uint32_t unk3 = 0; - uint16_t unk4 = 0; + uint32_t profile_flags = 0; + uint16_t veto_type = 0; const char *unk5 = NULL; const char *unk5a = NULL; @@ -137,8 +99,8 @@ static WERROR cmd_ntsvcs_hw_prof_flags(struct rpc_pipe_client *cli, 0, devicepath, 0, - &unk3, - &unk4, + &profile_flags, + &veto_type, unk5, &unk5a, 0, @@ -160,15 +122,15 @@ static WERROR cmd_ntsvcs_get_hw_prof_info(struct rpc_pipe_client *cli, WERROR werr; uint32_t idx = 0; struct PNP_HwProfInfo info; - uint32_t unknown1 = 0, unknown2 = 0; + uint32_t size = 0, flags = 0; ZERO_STRUCT(info); status = rpccli_PNP_GetHwProfInfo(cli, mem_ctx, idx, &info, - unknown1, - unknown2, + size, + flags, &werr); if (!NT_STATUS_IS_OK(status)) { return ntstatus_to_werror(status); @@ -186,27 +148,35 @@ static WERROR cmd_ntsvcs_get_dev_reg_prop(struct rpc_pipe_client *cli, WERROR werr; const char *devicepath = NULL; uint32_t property = DEV_REGPROP_DESC; - uint32_t unknown1 = 0; - uint8_t buffer; + uint32_t reg_data_type = REG_NONE; + uint8_t *buffer; uint32_t buffer_size = 0; - uint32_t unknown2 = 0; - uint32_t unknown3 = 0; + uint32_t needed = 0; + uint32_t flags = 0; if (argc < 2) { - printf("usage: %s [devicepath]\n", argv[0]); + printf("usage: %s [devicepath] [buffersize]\n", argv[0]); return WERR_OK; } devicepath = argv[1]; + if (argc >= 3) { + buffer_size = atoi(argv[2]); + needed = buffer_size; + } + + buffer = talloc_array(mem_ctx, uint8_t, buffer_size); + W_ERROR_HAVE_NO_MEMORY(buffer); + status = rpccli_PNP_GetDeviceRegProp(cli, mem_ctx, devicepath, property, - &unknown1, - &buffer, + ®_data_type, + buffer, &buffer_size, - &unknown2, - unknown3, + &needed, + flags, &werr); if (!NT_STATUS_IS_OK(status)) { return ntstatus_to_werror(status); @@ -215,15 +185,98 @@ static WERROR cmd_ntsvcs_get_dev_reg_prop(struct rpc_pipe_client *cli, return werr; } +static WERROR cmd_ntsvcs_get_dev_list_size(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + int argc, + const char **argv) +{ + NTSTATUS status; + WERROR werr; + uint32_t size = 0; + uint32_t flags = 0; + const char *filter = NULL; + + if (argc > 3) { + printf("usage: %s [filter] [flags]\n", argv[0]); + return WERR_OK; + } + + if (argc >= 2) { + filter = argv[1]; + } + + if (argc >= 3) { + flags = atoi(argv[2]); + } + + status = rpccli_PNP_GetDeviceListSize(cli, mem_ctx, + filter, + &size, + flags, + &werr); + if (!NT_STATUS_IS_OK(status)) { + return ntstatus_to_werror(status); + } + + printf("size: %d\n", size); + + return werr; +} + +static WERROR cmd_ntsvcs_get_dev_list(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + int argc, + const char **argv) +{ + NTSTATUS status; + WERROR werr; + const char *filter = NULL; + uint16_t *buffer = NULL; + uint32_t length = 0; + uint32_t flags = 0; + + if (argc > 3) { + printf("usage: %s [length] [filter]\n", argv[0]); + return WERR_OK; + } + + if (argc >= 2) { + length = atoi(argv[1]); + } + + if (argc >= 3) { + filter = argv[2]; + } + + buffer = talloc(mem_ctx, uint16_t); + if (!buffer) { + return WERR_NOMEM; + } + + status = rpccli_PNP_GetDeviceList(cli, mem_ctx, + filter, + buffer, + &length, + flags, + &werr); + if (!NT_STATUS_IS_OK(status)) { + return ntstatus_to_werror(status); + } + + printf("devlist needs size: %d\n", length); + + return werr; +} struct cmd_set ntsvcs_commands[] = { { "NTSVCS" }, { "ntsvcs_getversion", RPC_RTYPE_WERROR, NULL, cmd_ntsvcs_get_version, &ndr_table_ntsvcs.syntax_id, NULL, "Query NTSVCS version", "" }, { "ntsvcs_validatedevinst", RPC_RTYPE_WERROR, NULL, cmd_ntsvcs_validate_dev_inst, &ndr_table_ntsvcs.syntax_id, NULL, "Query NTSVCS device instance", "" }, - { "ntsvcs_getdevlistsize", RPC_RTYPE_WERROR, NULL, cmd_ntsvcs_get_device_list_size, &ndr_table_ntsvcs.syntax_id, NULL, "Query NTSVCS get device list", "" }, { "ntsvcs_hwprofflags", RPC_RTYPE_WERROR, NULL, cmd_ntsvcs_hw_prof_flags, &ndr_table_ntsvcs.syntax_id, NULL, "Query NTSVCS HW prof flags", "" }, { "ntsvcs_hwprofinfo", RPC_RTYPE_WERROR, NULL, cmd_ntsvcs_get_hw_prof_info, &ndr_table_ntsvcs.syntax_id, NULL, "Query NTSVCS HW prof info", "" }, { "ntsvcs_getdevregprop", RPC_RTYPE_WERROR, NULL, cmd_ntsvcs_get_dev_reg_prop, &ndr_table_ntsvcs.syntax_id, NULL, "Query NTSVCS device registry property", "" }, + { "ntsvcs_getdevlistsize", RPC_RTYPE_WERROR, NULL, cmd_ntsvcs_get_dev_list_size, &ndr_table_ntsvcs.syntax_id, NULL, "Query NTSVCS device list size", "" }, + { "ntsvcs_getdevlist", RPC_RTYPE_WERROR, NULL, cmd_ntsvcs_get_dev_list, &ndr_table_ntsvcs.syntax_id, NULL, "Query NTSVCS device list", "" }, { NULL } }; diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c index 3494e9123a..eaf5adbfa5 100644 --- a/source3/rpcclient/cmd_samr.c +++ b/source3/rpcclient/cmd_samr.c @@ -161,7 +161,7 @@ static void display_sam_dom_info_2(struct samr_DomGeneralInformation *general) printf("Force Logoff:\t%d\n", (int)nt_time_to_unix_abs(&general->force_logoff_time)); - printf("Unknown 2:\t0x%x\n", general->unknown2); + printf("Domain Server State:\t0x%x\n", general->domain_server_state); printf("Server Role:\t%s\n", server_role_str(general->role)); printf("Unknown 3:\t0x%x\n", general->unknown3); } @@ -201,7 +201,7 @@ static void display_sam_dom_info_8(struct samr_DomInfo8 *info8) static void display_sam_dom_info_9(struct samr_DomInfo9 *info9) { - printf("unknown:\t%d (0x%08x)\n", info9->unknown, info9->unknown); + printf("Domain Server State:\t0x%x\n", info9->domain_server_state); } static void display_sam_dom_info_12(struct samr_DomInfo12 *info12) diff --git a/source3/samba4.m4 b/source3/samba4.m4 index b99deb8870..9ef3d71fd0 100644 --- a/source3/samba4.m4 +++ b/source3/samba4.m4 @@ -47,7 +47,7 @@ SMB_INCLUDE_MK(lib/zlib.mk) AC_CONFIG_FILES(../source4/lib/registry/registry.pc) AC_CONFIG_FILES(../source4/librpc/dcerpc.pc) AC_CONFIG_FILES(../librpc/ndr.pc) -AC_CONFIG_FILES(../source4/lib/torture/torture.pc) +AC_CONFIG_FILES(../lib/torture/torture.pc) AC_CONFIG_FILES(../source4/auth/gensec/gensec.pc) AC_CONFIG_FILES(../source4/param/samba-hostconfig.pc) AC_CONFIG_FILES(../source4/librpc/dcerpc_samr.pc) @@ -131,6 +131,7 @@ builddir="$builddir/../source4" oldsrcdir="$srcdir" srcdir="$srcdir/../source4" AC_SUBST(srcdir) +AC_SUBST(builddir) SMB_WRITE_PERLVARS(../source4/build/smb_build/config.pm) builddir="$oldbuilddir" srcdir="$oldsrcdir" diff --git a/source3/samba4.mk b/source3/samba4.mk index 1743431aa4..032a3d9c35 100644 --- a/source3/samba4.mk +++ b/source3/samba4.mk @@ -88,7 +88,7 @@ libutilsrcdir := $(samba4srcdir)/../lib/util libtdrsrcdir := $(samba4srcdir)/lib/tdr libdbwrapsrcdir := $(samba4srcdir)/lib/dbwrap libcryptosrcdir := $(samba4srcdir)/../lib/crypto -libtorturesrcdir := $(samba4srcdir)/lib/torture +libtorturesrcdir := ../lib/torture libcompressionsrcdir := $(samba4srcdir)/../lib/compression libgencachesrcdir := $(samba4srcdir)/lib paramsrcdir := $(samba4srcdir)/param diff --git a/source3/script/installmo.sh b/source3/script/installmo.sh new file mode 100644 index 0000000000..9c4ab1eefe --- /dev/null +++ b/source3/script/installmo.sh @@ -0,0 +1,87 @@ +#!/bin/sh + +DESTDIR=$1 +LOCALEDIR=`echo $2 | sed 's/\/\//\//g'` +SRCDIR=$3/ +MSGFMT=msgfmt + +case $0 in + *uninstall*) + if test ! -d "$DESTDIR/$LOCALEDIR"; then + echo "Directory $DESTDIR/$LOCALEDIR doesn't exist!" + echo "Do a \"make installmo\" or \"make install\" first." + exit 1 + fi + mode='uninstall' + ;; + *) + mode='install' + ;; +esac + +for dir in $SRCDIR/locale/*; do + MODULE=`basename $dir` + for f in $SRCDIR/locale/$MODULE/*.po; do + BASE=`basename $f` + LANGUAGE=`echo $BASE | sed 's/\.po//g'` + if test "$LANGUAGE" = '*'; then + echo "No .po file exists!" + exit 0 + fi + FNAME="$DESTDIR/$LOCALEDIR/$LANGUAGE/LC_MESSAGES/$MODULE.mo" + if test ! -d "$DESTDIR/$LOCALEDIR/$LANGUAGE/LC_MESSAGES/"; then + mkdir -p "$DESTDIR/$LOCALEDIR/$LANGUAGE/LC_MESSAGES/" + fi + if test "$mode" = 'install'; then + echo "Installing $f as $FNAME" + touch "$FNAME" + $MSGFMT "$f" -f -o "$FNAME" + if test ! -f "$FNAME"; then + echo "Cannot install $FNAME. Does $USER have privileges?" + exit 1 + fi + chmod 0644 "$FNAME" + elif test "$mode" = 'uninstall'; then + echo "removing $FNAME" + rm -f "$FNAME" + if test -f "$FNAME"; then + echo "Cannot remove $FNAME. Does $USER have privileges?" + exit 1 + fi + else + echo "Unknown mode $mode. script called as $0." + exit 1 + fi + done + if test "$mode" = 'install'; then + cat << EOF +============================================================== +MO files for $MODULE are installed. +============================================================== +EOF + else + cat << EOF +============================================================== +MO files for $MODULE are removed. +============================================================== +EOF + fi +done + +if test "$mode" = 'install'; then + cat << EOF +============================================================== +All MO files for Samba are installed. You can use "make uninstall" +or "make uninstallmo" to remove them. +============================================================== +EOF +else + cat << EOF +============================================================== +All MO files for Samba are removed. you can use "make install" +or "make installmo" to install them. +============================================================== +EOF +fi + +exit 0 diff --git a/source3/script/tests/selftest.sh b/source3/script/tests/selftest.sh index 0894b2507d..3b65aaa760 100755 --- a/source3/script/tests/selftest.sh +++ b/source3/script/tests/selftest.sh @@ -1,7 +1,7 @@ #!/bin/sh -if [ $# != 3 ]; then - echo "$0 <directory> <all | quick> <smbtorture4>" +if [ $# != 3 -a $# != 4 ]; then + echo "$0 <directory> <all | quick> <smbtorture4> [<shrdir>]" exit 1 fi @@ -38,7 +38,6 @@ PASSWORD=test SRCDIR="`dirname $0`/../.." BINDIR="`pwd`/bin" SCRIPTDIR=$SRCDIR/script/tests -SHRDIR=$PREFIX_ABS/tmp LIBDIR=$PREFIX_ABS/lib PIDDIR=$PREFIX_ABS/pid CONFFILE=$LIBDIR/client.conf @@ -113,8 +112,23 @@ mkdir -p $PRIVATEDIR $LIBDIR $PIDDIR $LOCKDIR $LOGDIR mkdir -p $SOCKET_WRAPPER_DIR mkdir -p $WINBINDD_SOCKET_DIR chmod 755 $WINBINDD_SOCKET_DIR -mkdir -p $PREFIX_ABS/tmp -chmod 777 $PREFIX_ABS/tmp + +## +## Create an alternate shrdir if one was specified. +## +if [ $# = 4 ]; then + ALT_SHRDIR=`echo $4 | sed s+//+/+` + mkdir -p $ALT_SHRDIR || exit $? + OLD_PWD=`pwd` + cd $ALT_SHRDIR || exit $? + SHRDIR=`pwd` + cd $OLD_PWD + /bin/rm -rf $SHRDIR/* +else + SHRDIR=$PREFIX_ABS/tmp + mkdir -p $SHRDIR +fi +chmod 777 $SHRDIR ## ## Create the common config include file with the basic settings @@ -184,14 +198,14 @@ cat >$SERVERCONFFILE<<EOF # min receivefile size = 4000 [tmp] - path = $PREFIX_ABS/tmp + path = $SHRDIR read only = no smbd:sharedelay = 100000 smbd:writetimeupdatedelay = 500000 map hidden = yes map system = yes create mask = 755 - vfs objects = $BINDIR/xattr_tdb.so $BINDIR/streams_xattr.so + vfs objects = $BINDIR/xattr_tdb.so $BINDIR/streams_depot.so [hideunread] copy = tmp hide unreadable = yes @@ -262,7 +276,7 @@ export SOCKET_WRAPPER_DEFAULT_IFACE TORTURE4_OPTIONS="$SAMBA4CONFIGURATION" TORTURE4_OPTIONS="$TORTURE4_OPTIONS --maximum-runtime=$TORTURE_MAXTIME" TORTURE4_OPTIONS="$TORTURE4_OPTIONS --target=samba3" -TORTURE4_OPTIONS="$TORTURE4_OPTIONS --option=torture:localdir=$PREFIX_ABS/tmp" +TORTURE4_OPTIONS="$TORTURE4_OPTIONS --option=torture:localdir=$SHRDIR" export TORTURE4_OPTIONS if [ x"$RUN_FROM_BUILD_FARM" = x"yes" ];then diff --git a/source3/script/uninstallmo.sh b/source3/script/uninstallmo.sh new file mode 100644 index 0000000000..5b4475f5c2 --- /dev/null +++ b/source3/script/uninstallmo.sh @@ -0,0 +1 @@ +installmo.sh diff --git a/source3/smbd/aio.c b/source3/smbd/aio.c index fd553c3fc4..8beed0744c 100644 --- a/source3/smbd/aio.c +++ b/source3/smbd/aio.c @@ -506,7 +506,7 @@ static int handle_aio_write_complete(struct aio_extra *aio_ex) ERROR_BOTH(map_nt_error_from_unix(ret), ERRHRD, ERRdiskfull); srv_set_message(outbuf,0,0,true); } else { - bool write_through = BITSETW(aio_ex->req->inbuf+smb_vwv7,0); + bool write_through = BITSETW(aio_ex->req->vwv+7,0); NTSTATUS status; SSVAL(outbuf,smb_vwv2,nwritten); diff --git a/source3/smbd/blocking.c b/source3/smbd/blocking.c index 555033b7df..2237a89ace 100644 --- a/source3/smbd/blocking.c +++ b/source3/smbd/blocking.c @@ -505,7 +505,6 @@ static bool process_trans2(blocking_lock_record *blr) /* We finally got the lock, return success. */ - SCVAL(blr->req->inbuf, smb_com, SMBtrans2); SSVAL(params,0,0); /* Fake up max_data_bytes here - we know it fits. */ send_trans2_replies(blr->fsp->conn, blr->req, params, 2, NULL, 0, 0xffff); @@ -666,86 +665,18 @@ static void process_blocking_lock_queue(void) */ for (blr = blocking_lock_queue; blr; blr = next) { - connection_struct *conn = NULL; - uint16 vuid; - files_struct *fsp = NULL; next = blr->next; /* - * Ensure we don't have any old chain_fsp values - * sitting around.... - */ - chain_size = 0; - fsp = blr->fsp; - - conn = conn_find(blr->req->tid); - vuid = (lp_security() == SEC_SHARE) - ? UID_FIELD_INVALID : blr->req->vuid; - - DEBUG(5,("process_blocking_lock_queue: examining pending lock fnum = %d for file %s\n", - fsp->fnum, fsp->fsp_name )); - - if(!change_to_user(conn,vuid)) { - struct byte_range_lock *br_lck = brl_get_locks(talloc_tos(), fsp); - - /* - * Remove the entry and return an error to the client. - */ - - if (br_lck) { - brl_lock_cancel(br_lck, - blr->lock_pid, - procid_self(), - blr->offset, - blr->count, - blr->lock_flav); - TALLOC_FREE(br_lck); - } - - DEBUG(0,("process_blocking_lock_queue: Unable to become user vuid=%d.\n", - vuid )); - blocking_lock_reply_error(blr,NT_STATUS_ACCESS_DENIED); - DLIST_REMOVE(blocking_lock_queue, blr); - TALLOC_FREE(blr); - recalc_timeout = True; - continue; - } - - if(!set_current_service(conn,SVAL(blr->req->inbuf,smb_flg),True)) { - struct byte_range_lock *br_lck = brl_get_locks(talloc_tos(), fsp); - - /* - * Remove the entry and return an error to the client. - */ - - if (br_lck) { - brl_lock_cancel(br_lck, - blr->lock_pid, - procid_self(), - blr->offset, - blr->count, - blr->lock_flav); - TALLOC_FREE(br_lck); - } - - DEBUG(0,("process_blocking_lock_queue: Unable to become service Error was %s.\n", strerror(errno) )); - blocking_lock_reply_error(blr,NT_STATUS_ACCESS_DENIED); - DLIST_REMOVE(blocking_lock_queue, blr); - TALLOC_FREE(blr); - recalc_timeout = True; - change_to_root_user(); - continue; - } - - /* * Go through the remaining locks and try and obtain them. * The call returns True if all locks were obtained successfully * and False if we still need to wait. */ if(blocking_lock_record_process(blr)) { - struct byte_range_lock *br_lck = brl_get_locks(talloc_tos(), fsp); + struct byte_range_lock *br_lck = brl_get_locks( + talloc_tos(), blr->fsp); if (br_lck) { brl_lock_cancel(br_lck, @@ -760,19 +691,17 @@ static void process_blocking_lock_queue(void) DLIST_REMOVE(blocking_lock_queue, blr); TALLOC_FREE(blr); recalc_timeout = True; - change_to_root_user(); continue; } - change_to_root_user(); - /* * We couldn't get the locks for this record on the list. * If the time has expired, return a lock error. */ if (!timeval_is_zero(&blr->expire_time) && timeval_compare(&blr->expire_time, &tv_curr) <= 0) { - struct byte_range_lock *br_lck = brl_get_locks(talloc_tos(), fsp); + struct byte_range_lock *br_lck = brl_get_locks( + talloc_tos(), blr->fsp); /* * Lock expired - throw away all previously @@ -780,8 +709,10 @@ static void process_blocking_lock_queue(void) */ if (br_lck) { - DEBUG(5,("process_blocking_lock_queue: pending lock fnum = %d for file %s timed out.\n", - fsp->fnum, fsp->fsp_name )); + DEBUG(5,("process_blocking_lock_queue: " + "pending lock fnum = %d for file %s " + "timed out.\n", blr->fsp->fnum, + blr->fsp->fsp_name )); brl_lock_cancel(br_lck, blr->lock_pid, diff --git a/source3/smbd/close.c b/source3/smbd/close.c index d4c531ab19..ce918ab6a3 100644 --- a/source3/smbd/close.c +++ b/source3/smbd/close.c @@ -106,8 +106,7 @@ static void check_magic(struct files_struct *fsp) static NTSTATUS close_filestruct(files_struct *fsp) { NTSTATUS status = NT_STATUS_OK; - connection_struct *conn = fsp->conn; - + if (fsp->fh->fd != -1) { if(flush_write_cache(fsp, CLOSE_FLUSH) == -1) { status = map_nt_error_from_unix(errno); @@ -115,9 +114,8 @@ static NTSTATUS close_filestruct(files_struct *fsp) delete_write_cache(fsp); } - conn->num_files_open--; return status; -} +} /**************************************************************************** If any deferred opens are waiting on this close, notify them. @@ -583,7 +581,7 @@ static NTSTATUS close_normal_file(struct smb_request *req, files_struct *fsp, DEBUG(2,("%s closed file %s (numopen=%d) %s\n", conn->server_info->unix_name,fsp->fsp_name, - conn->num_files_open, + conn->num_files_open - 1, nt_errstr(status) )); file_free(req, fsp); diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c index 784b36d9bd..954cd5a4d2 100644 --- a/source3/smbd/dosmode.c +++ b/source3/smbd/dosmode.c @@ -30,6 +30,17 @@ static int set_sparse_flag(const SMB_STRUCT_STAT * const sbuf) return 0; } +static int set_link_read_only_flag(const SMB_STRUCT_STAT *const sbuf) +{ +#ifdef S_ISLNK +#if LINKS_READ_ONLY + if (S_ISLNK(sbuf->st_mode) && S_ISDIR(sbuf->st_mode)) + return aRONLY; +#endif +#endif + return 0; +} + /**************************************************************************** Change a dos mode to a unix mode. Base permission for files: @@ -159,13 +170,7 @@ static uint32 dos_mode_from_sbuf(connection_struct *conn, const char *path, SMB_ result = aDIR | (result & aRONLY); result |= set_sparse_flag(sbuf); - -#ifdef S_ISLNK -#if LINKS_READ_ONLY - if (S_ISLNK(sbuf->st_mode) && S_ISDIR(sbuf->st_mode)) - result |= aRONLY; -#endif -#endif + result |= set_link_read_only_flag(sbuf); DEBUG(8,("dos_mode_from_sbuf returning ")); @@ -343,6 +348,113 @@ uint32 dos_mode_msdfs(connection_struct *conn, const char *path,SMB_STRUCT_STAT return(result); } +#ifdef HAVE_STAT_DOS_FLAGS +/**************************************************************************** + Convert dos attributes (FILE_ATTRIBUTE_*) to dos stat flags (UF_*) +****************************************************************************/ + +static int dos_attributes_to_stat_dos_flags(uint32_t dosmode) +{ + uint32_t dos_stat_flags = 0; + + if (dosmode & aARCH) + dos_stat_flags |= UF_DOS_ARCHIVE; + if (dosmode & aHIDDEN) + dos_stat_flags |= UF_DOS_HIDDEN; + if (dosmode & aRONLY) + dos_stat_flags |= UF_DOS_RO; + if (dosmode & aSYSTEM) + dos_stat_flags |= UF_DOS_SYSTEM; + if (dosmode & FILE_ATTRIBUTE_NONINDEXED) + dos_stat_flags |= UF_DOS_NOINDEX; + + return dos_stat_flags; +} + +/**************************************************************************** + Gets DOS attributes, accessed via st_flags in the stat struct. +****************************************************************************/ + +static bool get_stat_dos_flags(connection_struct *conn, + const char *fname, + const SMB_STRUCT_STAT *sbuf, + uint32_t *dosmode) +{ + SMB_ASSERT(sbuf && VALID_STAT(*sbuf)); + SMB_ASSERT(dosmode); + + if (!lp_store_dos_attributes(SNUM(conn))) { + return false; + } + + DEBUG(5, ("Getting stat dos attributes for %s.\n", fname)); + + if (sbuf->st_flags & UF_DOS_ARCHIVE) + *dosmode |= aARCH; + if (sbuf->st_flags & UF_DOS_HIDDEN) + *dosmode |= aHIDDEN; + if (sbuf->st_flags & UF_DOS_RO) + *dosmode |= aRONLY; + if (sbuf->st_flags & UF_DOS_SYSTEM) + *dosmode |= aSYSTEM; + if (sbuf->st_flags & UF_DOS_NOINDEX) + *dosmode |= FILE_ATTRIBUTE_NONINDEXED; + if (S_ISDIR(sbuf->st_mode)) + *dosmode |= aDIR; + + *dosmode |= set_sparse_flag(sbuf); + *dosmode |= set_link_read_only_flag(sbuf); + + return true; +} + +/**************************************************************************** + Sets DOS attributes, stored in st_flags of the inode. +****************************************************************************/ + +static bool set_stat_dos_flags(connection_struct *conn, + const char *fname, + SMB_STRUCT_STAT *sbuf, + uint32_t dosmode, + bool *attributes_changed) +{ + uint32_t new_flags = 0; + int error = 0; + + SMB_ASSERT(sbuf && VALID_STAT(*sbuf)); + SMB_ASSERT(attributes_changed); + + *attributes_changed = false; + + if (!lp_store_dos_attributes(SNUM(conn))) { + return false; + } + + DEBUG(5, ("Setting stat dos attributes for %s.\n", fname)); + + new_flags = (sbuf->st_flags & ~UF_DOS_FLAGS) | + dos_attributes_to_stat_dos_flags(dosmode); + + /* Return early if no flags changed. */ + if (new_flags == sbuf->st_flags) + return true; + + DEBUG(5, ("Setting stat dos attributes=0x%x, prev=0x%x\n", new_flags, + sbuf->st_flags)); + + /* Set new flags with chflags. */ + error = SMB_VFS_CHFLAGS(conn, fname, new_flags); + if (error) { + DEBUG(0, ("Failed setting new stat dos attributes (0x%x) on " + "file %s! errno=%d\n", new_flags, fname, errno)); + return false; + } + + *attributes_changed = true; + return true; +} +#endif /* HAVE_STAT_DOS_FLAGS */ + /**************************************************************************** Change a unix mode to a dos mode. ****************************************************************************/ @@ -350,7 +462,7 @@ uint32 dos_mode_msdfs(connection_struct *conn, const char *path,SMB_STRUCT_STAT uint32 dos_mode(connection_struct *conn, const char *path,SMB_STRUCT_STAT *sbuf) { uint32 result = 0; - bool offline; + bool offline, used_stat_dos_flags = false; DEBUG(8,("dos_mode: %s\n", path)); @@ -373,11 +485,16 @@ uint32 dos_mode(connection_struct *conn, const char *path,SMB_STRUCT_STAT *sbuf) } } - /* Get the DOS attributes from an EA by preference. */ - if (get_ea_dos_attribute(conn, path, sbuf, &result)) { - result |= set_sparse_flag(sbuf); - } else { - result |= dos_mode_from_sbuf(conn, path, sbuf); +#ifdef HAVE_STAT_DOS_FLAGS + used_stat_dos_flags = get_stat_dos_flags(conn, path, sbuf, &result); +#endif + if (!used_stat_dos_flags) { + /* Get the DOS attributes from an EA by preference. */ + if (get_ea_dos_attribute(conn, path, sbuf, &result)) { + result |= set_sparse_flag(sbuf); + } else { + result |= dos_mode_from_sbuf(conn, path, sbuf); + } } @@ -468,6 +585,23 @@ int file_set_dosmode(connection_struct *conn, const char *fname, return(0); } +#ifdef HAVE_STAT_DOS_FLAGS + { + bool attributes_changed; + + if (set_stat_dos_flags(conn, fname, st, dosmode, + &attributes_changed)) + { + if (!newfile && attributes_changed) { + notify_fname(conn, NOTIFY_ACTION_MODIFIED, + FILE_NOTIFY_CHANGE_ATTRIBUTES, fname); + } + st->st_mode = unixmode; + return 0; + } + } +#endif + /* Store the DOS attributes in an EA by preference. */ if (set_ea_dos_attribute(conn, fname, st, dosmode)) { if (!newfile) { diff --git a/source3/smbd/fake_file.c b/source3/smbd/fake_file.c index 58b09604c4..7feedcc9f9 100644 --- a/source3/smbd/fake_file.c +++ b/source3/smbd/fake_file.c @@ -141,7 +141,6 @@ NTSTATUS open_fake_file(struct smb_request *req, connection_struct *conn, return NT_STATUS_NO_MEMORY; } - conn->num_files_open++; *result = fsp; return NT_STATUS_OK; } diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c index 562f1e8d94..392264bfc0 100644 --- a/source3/smbd/filename.c +++ b/source3/smbd/filename.c @@ -194,25 +194,39 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx, return result; } + if (!(name = talloc_strdup(ctx, orig_path))) { + DEBUG(0, ("talloc_strdup failed\n")); + return NT_STATUS_NO_MEMORY; + } + + /* + * Large directory fix normalization. If we're case sensitive, and + * the case preserving parameters are set to "no", normalize the case of + * the incoming filename from the client WHETHER IT EXISTS OR NOT ! + * This is in conflict with the current (3.0.20) man page, but is + * what people expect from the "large directory howto". I'll update + * the man page. Thanks to jht@samba.org for finding this. JRA. + */ + + if (conn->case_sensitive && !conn->case_preserve && + !conn->short_case_preserve) { + strnorm(name, lp_defaultcase(SNUM(conn))); + } + /* * Ensure saved_last_component is valid even if file exists. */ if(pp_saved_last_component) { - end = strrchr_m(orig_path, '/'); + end = strrchr_m(name, '/'); if (end) { *pp_saved_last_component = talloc_strdup(ctx, end + 1); } else { *pp_saved_last_component = talloc_strdup(ctx, - orig_path); + name); } } - if (!(name = talloc_strdup(ctx, orig_path))) { - DEBUG(0, ("talloc_strdup failed\n")); - return NT_STATUS_NO_MEMORY; - } - if (!lp_posix_pathnames()) { stream = strchr_m(name, ':'); @@ -227,20 +241,6 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx, } } - /* - * Large directory fix normalization. If we're case sensitive, and - * the case preserving parameters are set to "no", normalize the case of - * the incoming filename from the client WHETHER IT EXISTS OR NOT ! - * This is in conflict with the current (3.0.20) man page, but is - * what people expect from the "large directory howto". I'll update - * the man page. Thanks to jht@samba.org for finding this. JRA. - */ - - if (conn->case_sensitive && !conn->case_preserve && - !conn->short_case_preserve) { - strnorm(name, lp_defaultcase(SNUM(conn))); - } - start = name; /* If we're providing case insentive semantics or diff --git a/source3/smbd/files.c b/source3/smbd/files.c index d3bfce7499..1a3a997e59 100644 --- a/source3/smbd/files.c +++ b/source3/smbd/files.c @@ -129,6 +129,8 @@ NTSTATUS file_new(struct smb_request *req, connection_struct *conn, ZERO_STRUCT(fsp_fi_cache); + conn->num_files_open++; + *result = fsp; return NT_STATUS_OK; } @@ -420,9 +422,7 @@ void file_free(struct smb_request *req, files_struct *fsp) DEBUG(5,("freed files structure %d (%d used)\n", fsp->fnum, files_used)); - /* this is paranoia, just in case someone tries to reuse the - information */ - ZERO_STRUCTP(fsp); + fsp->conn->num_files_open--; if ((req != NULL) && (fsp == req->chain_fsp)) { req->chain_fsp = NULL; @@ -438,6 +438,10 @@ void file_free(struct smb_request *req, files_struct *fsp) vfs_remove_fsp_extension(fsp->vfs_extension->owner, fsp); } + /* this is paranoia, just in case someone tries to reuse the + information */ + ZERO_STRUCTP(fsp); + SAFE_FREE(fsp); } @@ -484,46 +488,34 @@ files_struct *file_fsp(struct smb_request *req, uint16 fid) Duplicate the file handle part for a DOS or FCB open. ****************************************************************************/ -NTSTATUS dup_file_fsp(struct smb_request *req, files_struct *fsp, +void dup_file_fsp(struct smb_request *req, files_struct *from, uint32 access_mask, uint32 share_access, - uint32 create_options, files_struct **result) + uint32 create_options, files_struct *to) { - NTSTATUS status; - files_struct *dup_fsp; - - status = file_new(NULL, fsp->conn, &dup_fsp); - - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - SAFE_FREE(dup_fsp->fh); - - dup_fsp->fh = fsp->fh; - dup_fsp->fh->ref_count++; - - dup_fsp->file_id = fsp->file_id; - dup_fsp->initial_allocation_size = fsp->initial_allocation_size; - dup_fsp->mode = fsp->mode; - dup_fsp->file_pid = fsp->file_pid; - dup_fsp->vuid = fsp->vuid; - dup_fsp->open_time = fsp->open_time; - dup_fsp->access_mask = access_mask; - dup_fsp->share_access = share_access; - dup_fsp->oplock_type = fsp->oplock_type; - dup_fsp->can_lock = fsp->can_lock; - dup_fsp->can_read = (access_mask & (FILE_READ_DATA)) ? True : False; - if (!CAN_WRITE(fsp->conn)) { - dup_fsp->can_write = False; + SAFE_FREE(to->fh); + + to->fh = from->fh; + to->fh->ref_count++; + + to->file_id = from->file_id; + to->initial_allocation_size = from->initial_allocation_size; + to->mode = from->mode; + to->file_pid = from->file_pid; + to->vuid = from->vuid; + to->open_time = from->open_time; + to->access_mask = access_mask; + to->share_access = share_access; + to->oplock_type = from->oplock_type; + to->can_lock = from->can_lock; + to->can_read = (access_mask & (FILE_READ_DATA)) ? True : False; + if (!CAN_WRITE(from->conn)) { + to->can_write = False; } else { - dup_fsp->can_write = (access_mask & (FILE_WRITE_DATA | FILE_APPEND_DATA)) ? True : False; + to->can_write = (access_mask & (FILE_WRITE_DATA | FILE_APPEND_DATA)) ? True : False; } - dup_fsp->print_file = fsp->print_file; - dup_fsp->modified = fsp->modified; - dup_fsp->is_directory = fsp->is_directory; - dup_fsp->aio_write_behind = fsp->aio_write_behind; - string_set(&dup_fsp->fsp_name,fsp->fsp_name); - - *result = dup_fsp; - return NT_STATUS_OK; + to->print_file = from->print_file; + to->modified = from->modified; + to->is_directory = from->is_directory; + to->aio_write_behind = from->aio_write_behind; + string_set(&to->fsp_name,from->fsp_name); } diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c index b9460e5211..649ead4682 100644 --- a/source3/smbd/ipc.c +++ b/source3/smbd/ipc.c @@ -91,7 +91,6 @@ void send_trans_reply(connection_struct *conn, int tot_data_sent = 0; int tot_param_sent = 0; int align; - char *outbuf; int ldata = rdata ? rdata_len : 0; int lparam = rparam ? rparam_len : 0; @@ -104,38 +103,43 @@ void send_trans_reply(connection_struct *conn, align = ((this_lparam)%4); - if (!create_outbuf(talloc_tos(), (char *)req->inbuf, &outbuf, - 10, 1+align+this_ldata+this_lparam)) { - smb_panic("could not allocate outbuf"); - } + reply_outbuf(req, 10, 1+align+this_ldata+this_lparam); + + /* + * We might have SMBtranss in req which was transferred to the outbuf, + * fix that. + */ + SCVAL(req->outbuf, smb_com, SMBtrans); - copy_trans_params_and_data(outbuf, align, + copy_trans_params_and_data((char *)req->outbuf, align, rparam, tot_param_sent, this_lparam, rdata, tot_data_sent, this_ldata); - SSVAL(outbuf,smb_vwv0,lparam); - SSVAL(outbuf,smb_vwv1,ldata); - SSVAL(outbuf,smb_vwv3,this_lparam); - SSVAL(outbuf,smb_vwv4,smb_offset(smb_buf(outbuf)+1,outbuf)); - SSVAL(outbuf,smb_vwv5,0); - SSVAL(outbuf,smb_vwv6,this_ldata); - SSVAL(outbuf,smb_vwv7,smb_offset(smb_buf(outbuf)+1+this_lparam+align, - outbuf)); - SSVAL(outbuf,smb_vwv8,0); - SSVAL(outbuf,smb_vwv9,0); + SSVAL(req->outbuf,smb_vwv0,lparam); + SSVAL(req->outbuf,smb_vwv1,ldata); + SSVAL(req->outbuf,smb_vwv3,this_lparam); + SSVAL(req->outbuf,smb_vwv4, + smb_offset(smb_buf(req->outbuf)+1, req->outbuf)); + SSVAL(req->outbuf,smb_vwv5,0); + SSVAL(req->outbuf,smb_vwv6,this_ldata); + SSVAL(req->outbuf,smb_vwv7, + smb_offset(smb_buf(req->outbuf)+1+this_lparam+align, + req->outbuf)); + SSVAL(req->outbuf,smb_vwv8,0); + SSVAL(req->outbuf,smb_vwv9,0); if (buffer_too_large) { - error_packet_set((char *)outbuf, ERRDOS, ERRmoredata, + error_packet_set((char *)req->outbuf, ERRDOS, ERRmoredata, STATUS_BUFFER_OVERFLOW, __LINE__, __FILE__); } - show_msg(outbuf); - if (!srv_send_smb(smbd_server_fd(), (char *)outbuf, + show_msg((char *)req->outbuf); + if (!srv_send_smb(smbd_server_fd(), (char *)req->outbuf, IS_CONN_ENCRYPTED(conn))) { exit_server_cleanly("send_trans_reply: srv_send_smb failed."); } - TALLOC_FREE(outbuf); + TALLOC_FREE(req->outbuf); tot_data_sent = this_ldata; tot_param_sent = this_lparam; @@ -155,39 +159,45 @@ void send_trans_reply(connection_struct *conn, align = (this_lparam%4); - if (!create_outbuf(talloc_tos(), (char *)req->inbuf, &outbuf, - 10, 1+align+this_ldata+this_lparam)) { - smb_panic("could not allocate outbuf"); - } + reply_outbuf(req, 10, 1+align+this_ldata+this_lparam); + + /* + * We might have SMBtranss in req which was transferred to the + * outbuf, fix that. + */ + SCVAL(req->outbuf, smb_com, SMBtrans); - copy_trans_params_and_data(outbuf, align, + copy_trans_params_and_data((char *)req->outbuf, align, rparam, tot_param_sent, this_lparam, rdata, tot_data_sent, this_ldata); - SSVAL(outbuf,smb_vwv3,this_lparam); - SSVAL(outbuf,smb_vwv4,smb_offset(smb_buf(outbuf)+1,outbuf)); - SSVAL(outbuf,smb_vwv5,tot_param_sent); - SSVAL(outbuf,smb_vwv6,this_ldata); - SSVAL(outbuf,smb_vwv7, - smb_offset(smb_buf(outbuf)+1+this_lparam+align, outbuf)); - SSVAL(outbuf,smb_vwv8,tot_data_sent); - SSVAL(outbuf,smb_vwv9,0); + SSVAL(req->outbuf,smb_vwv3,this_lparam); + SSVAL(req->outbuf,smb_vwv4, + smb_offset(smb_buf(req->outbuf)+1,req->outbuf)); + SSVAL(req->outbuf,smb_vwv5,tot_param_sent); + SSVAL(req->outbuf,smb_vwv6,this_ldata); + SSVAL(req->outbuf,smb_vwv7, + smb_offset(smb_buf(req->outbuf)+1+this_lparam+align, + req->outbuf)); + SSVAL(req->outbuf,smb_vwv8,tot_data_sent); + SSVAL(req->outbuf,smb_vwv9,0); if (buffer_too_large) { - error_packet_set(outbuf, ERRDOS, ERRmoredata, + error_packet_set((char *)req->outbuf, + ERRDOS, ERRmoredata, STATUS_BUFFER_OVERFLOW, __LINE__, __FILE__); } - show_msg(outbuf); - if (!srv_send_smb(smbd_server_fd(), outbuf, + show_msg((char *)req->outbuf); + if (!srv_send_smb(smbd_server_fd(), (char *)req->outbuf, IS_CONN_ENCRYPTED(conn))) exit_server_cleanly("send_trans_reply: srv_send_smb " "failed."); tot_data_sent += this_ldata; tot_param_sent += this_lparam; - TALLOC_FREE(outbuf); + TALLOC_FREE(req->outbuf); } } @@ -493,8 +503,6 @@ void reply_trans(struct smb_request *req) unsigned int pscnt; struct trans_state *state; NTSTATUS result; - unsigned int size; - unsigned int av_size; START_PROFILE(SMBtrans); @@ -504,8 +512,6 @@ void reply_trans(struct smb_request *req) return; } - size = smb_len(req->inbuf) + 4; - av_size = smb_len(req->inbuf); dsoff = SVAL(req->vwv+12, 0); dscnt = SVAL(req->vwv+11, 0); psoff = SVAL(req->vwv+10, 0); @@ -551,6 +557,12 @@ void reply_trans(struct smb_request *req) goto bad_param; if (state->total_data) { + + if (trans_oob(state->total_data, 0, dscnt) + || trans_oob(smb_len(req->inbuf), dsoff, dscnt)) { + goto bad_param; + } + /* Can't use talloc here, the core routines do realloc on the * params and data. Out of paranoia, 100 bytes too many. */ state->data = (char *)SMB_MALLOC(state->total_data+100); @@ -565,21 +577,16 @@ void reply_trans(struct smb_request *req) /* null-terminate the slack space */ memset(&state->data[state->total_data], 0, 100); - if (dscnt > state->total_data || - dsoff+dscnt < dsoff) { - goto bad_param; - } - - if (dsoff > av_size || - dscnt > av_size || - dsoff+dscnt > av_size) { - goto bad_param; - } - memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt); } if (state->total_param) { + + if (trans_oob(state->total_param, 0, pscnt) + || trans_oob(smb_len(req->inbuf), psoff, pscnt)) { + goto bad_param; + } + /* Can't use talloc here, the core routines do realloc on the * params and data. Out of paranoia, 100 bytes too many */ state->param = (char *)SMB_MALLOC(state->total_param+100); @@ -595,17 +602,6 @@ void reply_trans(struct smb_request *req) /* null-terminate the slack space */ memset(&state->param[state->total_param], 0, 100); - if (pscnt > state->total_param || - psoff+pscnt < psoff) { - goto bad_param; - } - - if (psoff > av_size || - pscnt > av_size || - psoff+pscnt > av_size) { - goto bad_param; - } - memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt); } @@ -614,6 +610,19 @@ void reply_trans(struct smb_request *req) if (state->setup_count) { unsigned int i; + + /* + * No overflow possible here, state->setup_count is an + * unsigned int, being filled by a single byte from + * CVAL(req->vwv+13, 0) above. The cast in the comparison + * below is not necessary, it's here to clarify things. The + * validity of req->vwv and req->wct has been checked in + * init_smb_request already. + */ + if (state->setup_count + 14 > (unsigned int)req->wct) { + goto bad_param; + } + if((state->setup = TALLOC_ARRAY( state, uint16, state->setup_count)) == NULL) { DEBUG(0,("reply_trans: setup malloc fail for %u " @@ -626,17 +635,10 @@ void reply_trans(struct smb_request *req) END_PROFILE(SMBtrans); return; } - if (req->inbuf+smb_vwv14+(state->setup_count*SIZEOFWORD) > - req->inbuf + size) - goto bad_param; - if ((smb_vwv14+(state->setup_count*SIZEOFWORD) < smb_vwv14) || - (smb_vwv14+(state->setup_count*SIZEOFWORD) < - (state->setup_count*SIZEOFWORD))) - goto bad_param; - for (i=0;i<state->setup_count;i++) - state->setup[i] = SVAL(req->inbuf, - smb_vwv14+i*SIZEOFWORD); + for (i=0;i<state->setup_count;i++) { + state->setup[i] = SVAL(req->vwv + 14 + i, 0); + } } state->received_param = pscnt; @@ -682,7 +684,6 @@ void reply_transs(struct smb_request *req) connection_struct *conn = req->conn; unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp; struct trans_state *state; - unsigned int av_size; START_PROFILE(SMBtranss); @@ -715,8 +716,6 @@ void reply_transs(struct smb_request *req) if (SVAL(req->vwv+1, 0) < state->total_data) state->total_data = SVAL(req->vwv+1, 0); - av_size = smb_len(req->inbuf); - pcnt = SVAL(req->vwv+2, 0); poff = SVAL(req->vwv+3, 0); pdisp = SVAL(req->vwv+4, 0); @@ -733,41 +732,19 @@ void reply_transs(struct smb_request *req) goto bad_param; if (pcnt) { - if (pdisp > state->total_param || - pcnt > state->total_param || - pdisp+pcnt > state->total_param || - pdisp+pcnt < pdisp) { - goto bad_param; - } - - if (poff > av_size || - pcnt > av_size || - poff+pcnt > av_size || - poff+pcnt < poff) { + if (trans_oob(state->total_param, pdisp, pcnt) + || trans_oob(smb_len(req->inbuf), poff, pcnt)) { goto bad_param; } - - memcpy(state->param+pdisp,smb_base(req->inbuf)+poff, - pcnt); + memcpy(state->param+pdisp,smb_base(req->inbuf)+poff,pcnt); } if (dcnt) { - if (ddisp > state->total_data || - dcnt > state->total_data || - ddisp+dcnt > state->total_data || - ddisp+dcnt < ddisp) { + if (trans_oob(state->total_data, ddisp, dcnt) + || trans_oob(smb_len(req->inbuf), doff, dcnt)) { goto bad_param; } - - if (ddisp > av_size || - dcnt > av_size || - ddisp+dcnt > av_size || - ddisp+dcnt < ddisp) { - goto bad_param; - } - - memcpy(state->data+ddisp, smb_base(req->inbuf)+doff, - dcnt); + memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,dcnt); } if ((state->received_param < state->total_param) || @@ -776,12 +753,6 @@ void reply_transs(struct smb_request *req) return; } - /* - * construct_reply_common will copy smb_com from inbuf to - * outbuf. SMBtranss is wrong here. - */ - SCVAL(req->inbuf,smb_com,SMBtrans); - handle_trans(conn, req, state); DLIST_REMOVE(conn->pending_trans, state); diff --git a/source3/smbd/map_username.c b/source3/smbd/map_username.c index a8899dd538..f549f0c9f3 100644 --- a/source3/smbd/map_username.c +++ b/source3/smbd/map_username.c @@ -178,7 +178,7 @@ bool map_username(fstring user) /* skip lines like 'user = ' */ - dosuserlist = str_list_make(talloc_tos(), dosname, NULL); + dosuserlist = str_list_make_v3(talloc_tos(), dosname, NULL); if (!dosuserlist) { DEBUG(0,("Bad username map entry. Unable to build user list. Ignoring.\n")); continue; diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c index 32240ff0d5..d46be64262 100644 --- a/source3/smbd/msdfs.c +++ b/source3/smbd/msdfs.c @@ -219,6 +219,7 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx, connection_struct **pconn, int snum, const char *path, + struct auth_serversupplied_info *server_info, char **poldcwd) { connection_struct *conn; @@ -254,6 +255,15 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx, conn->params->service = snum; + if (server_info != NULL) { + conn->server_info = copy_serverinfo(conn, server_info); + if (conn->server_info == NULL) { + DEBUG(0, ("copy_serverinfo failed\n")); + TALLOC_FREE(conn); + return NT_STATUS_NO_MEMORY; + } + } + set_conn_connectpath(conn, connpath); if (!smbd_vfs_init(conn)) { @@ -881,7 +891,7 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx, } status = create_conn_struct(ctx, &conn, snum, lp_pathname(snum), - &oldpath); + NULL, &oldpath); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(pdp); return status; @@ -923,7 +933,6 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx, static int setup_ver2_dfs_referral(const char *pathname, char **ppdata, struct junction_map *junction, - int consumedcnt, bool self_referral) { char* pdata = *ppdata; @@ -988,7 +997,8 @@ static int setup_ver2_dfs_referral(const char *pathname, memcpy(pdata+uni_reqpathoffset2,uni_requestedpath,requestedpathlen); /* create the header */ - SSVAL(pdata,0,consumedcnt * 2); /* path consumed */ + SSVAL(pdata,0,requestedpathlen - 2); /* UCS2 of path consumed minus + 2 byte null */ /* number of referral in this pkt */ SSVAL(pdata,2,junction->referral_count); if(self_referral) { @@ -1037,7 +1047,6 @@ static int setup_ver2_dfs_referral(const char *pathname, static int setup_ver3_dfs_referral(const char *pathname, char **ppdata, struct junction_map *junction, - int consumedcnt, bool self_referral) { char *pdata = *ppdata; @@ -1084,7 +1093,8 @@ static int setup_ver3_dfs_referral(const char *pathname, *ppdata = pdata; /* create the header */ - SSVAL(pdata,0,consumedcnt * 2); /* path consumed */ + SSVAL(pdata,0,reqpathlen - 2); /* UCS2 of path consumed minus + 2 byte null */ SSVAL(pdata,2,junction->referral_count); /* number of referral */ if(self_referral) { SIVAL(pdata,4,DFSREF_REFERRAL_SERVER | DFSREF_STORAGE_SERVER); @@ -1224,11 +1234,11 @@ int setup_dfs_referral(connection_struct *orig_conn, case 2: reply_size = setup_ver2_dfs_referral(pathnamep, ppdata, junction, - consumedcnt, self_referral); + self_referral); break; case 3: reply_size = setup_ver3_dfs_referral(pathnamep, ppdata, - junction, consumedcnt, self_referral); + junction, self_referral); break; default: DEBUG(0,("setup_dfs_referral: Invalid dfs referral " @@ -1321,7 +1331,7 @@ static bool junction_to_local_path(const struct junction_map *jucn, return False; } status = create_conn_struct(talloc_tos(), conn_out, snum, - lp_pathname(snum), oldpath); + lp_pathname(snum), NULL, oldpath); if (!NT_STATUS_IS_OK(status)) { return False; } @@ -1455,7 +1465,7 @@ static int count_dfs_links(TALLOC_CTX *ctx, int snum) */ status = create_conn_struct(talloc_tos(), &conn, snum, connect_path, - &cwd); + NULL, &cwd); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("create_conn_struct failed: %s\n", nt_errstr(status))); @@ -1523,7 +1533,8 @@ static int form_junctions(TALLOC_CTX *ctx, * Fake up a connection struct for the VFS layer. */ - status = create_conn_struct(ctx, &conn, snum, connect_path, &cwd); + status = create_conn_struct(ctx, &conn, snum, connect_path, NULL, + &cwd); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("create_conn_struct failed: %s\n", nt_errstr(status))); diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c index b2d0f20f89..2d0811bc1c 100644 --- a/source3/smbd/notify.c +++ b/source3/smbd/notify.c @@ -24,7 +24,7 @@ struct notify_change_request { struct notify_change_request *prev, *next; struct files_struct *fsp; /* backpointer for cancel by mid */ - uint8 request_buf[smb_size]; + struct smb_request *req; uint32 filter; uint32 max_param; struct notify_mid_map *mid_map; @@ -133,40 +133,33 @@ static bool notify_marshall_changes(int num_changes, *****************************************************************************/ static void change_notify_reply_packet(connection_struct *conn, - const uint8 *request_buf, + struct smb_request *req, NTSTATUS error_code) { - char outbuf[smb_size+38]; + reply_outbuf(req, 18, 0); - memset(outbuf, '\0', sizeof(outbuf)); - construct_reply_common((char *)request_buf, outbuf); - - ERROR_NT(error_code); - - /* - * Seems NT needs a transact command with an error code - * in it. This is a longer packet than a simple error. - */ - srv_set_message(outbuf,18,0,False); + if (!NT_STATUS_IS_OK(error_code)) { + error_packet_set((char *)req->outbuf, 0, 0, error_code, + __LINE__,__FILE__); + } - show_msg(outbuf); - if (!srv_send_smb(smbd_server_fd(), - outbuf, - IS_CONN_ENCRYPTED(conn))) + show_msg((char *)req->outbuf); + if (!srv_send_smb(smbd_server_fd(), (char *)req->outbuf, + req->encrypted)) { exit_server_cleanly("change_notify_reply_packet: srv_send_smb " "failed."); + } + TALLOC_FREE(req->outbuf); } void change_notify_reply(connection_struct *conn, - const uint8 *request_buf, uint32 max_param, + struct smb_request *req, uint32 max_param, struct notify_change_buf *notify_buf) { prs_struct ps; - struct smb_request *req = NULL; - uint8 tmp_request[smb_size]; if (notify_buf->num_changes == -1) { - change_notify_reply_packet(conn, request_buf, NT_STATUS_OK); + change_notify_reply_packet(conn, req, NT_STATUS_OK); notify_buf->num_changes = 0; return; } @@ -179,32 +172,14 @@ void change_notify_reply(connection_struct *conn, * We exceed what the client is willing to accept. Send * nothing. */ - change_notify_reply_packet(conn, request_buf, NT_STATUS_OK); - goto done; - } - - if (!(req = talloc(talloc_tos(), struct smb_request))) { - change_notify_reply_packet(conn, request_buf, NT_STATUS_NO_MEMORY); + change_notify_reply_packet(conn, req, NT_STATUS_OK); goto done; } - memcpy(tmp_request, request_buf, smb_size); - - /* - * We're only interested in the header fields here - */ - - smb_setlen((char *)tmp_request, smb_size); - SCVAL(tmp_request, smb_wct, 0); - - init_smb_request(req, tmp_request,0, conn->encrypted_tid); - req->inbuf = tmp_request; - send_nt_replies(conn, req, NT_STATUS_OK, prs_data_p(&ps), prs_offset(&ps), NULL, 0); done: - TALLOC_FREE(req); prs_mem_free(&ps); TALLOC_FREE(notify_buf->changes); @@ -252,7 +227,7 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32 filter, return status; } -NTSTATUS change_notify_add_request(const struct smb_request *req, +NTSTATUS change_notify_add_request(struct smb_request *req, uint32 max_param, uint32 filter, bool recursive, struct files_struct *fsp) @@ -263,16 +238,16 @@ NTSTATUS change_notify_add_request(const struct smb_request *req, DEBUG(10, ("change_notify_add_request: Adding request for %s: " "max_param = %d\n", fsp->fsp_name, (int)max_param)); - if (!(request = SMB_MALLOC_P(struct notify_change_request)) - || !(map = SMB_MALLOC_P(struct notify_mid_map))) { - SAFE_FREE(request); + if (!(request = talloc(NULL, struct notify_change_request)) + || !(map = talloc(request, struct notify_mid_map))) { + TALLOC_FREE(request); return NT_STATUS_NO_MEMORY; } request->mid_map = map; map->req = request; - memcpy(request->request_buf, req->inbuf, sizeof(request->request_buf)); + request->req = talloc_move(request, &req); request->max_param = max_param; request->filter = filter; request->fsp = fsp; @@ -281,11 +256,11 @@ NTSTATUS change_notify_add_request(const struct smb_request *req, DLIST_ADD_END(fsp->notify->requests, request, struct notify_change_request *); - map->mid = SVAL(req->inbuf, smb_mid); + map->mid = request->req->mid; DLIST_ADD(notify_changes_by_mid, map); /* Push the MID of this packet on the signing queue. */ - srv_defer_sign_response(SVAL(req->inbuf,smb_mid)); + srv_defer_sign_response(request->req->mid); return NT_STATUS_OK; } @@ -315,9 +290,7 @@ static void change_notify_remove_request(struct notify_change_request *remove_re DLIST_REMOVE(fsp->notify->requests, req); DLIST_REMOVE(notify_changes_by_mid, req->mid_map); - SAFE_FREE(req->mid_map); - TALLOC_FREE(req->backend_data); - SAFE_FREE(req); + TALLOC_FREE(req); } /**************************************************************************** @@ -338,8 +311,8 @@ void remove_pending_change_notify_requests_by_mid(uint16 mid) return; } - change_notify_reply_packet(map->req->fsp->conn, - map->req->request_buf, NT_STATUS_CANCELLED); + change_notify_reply_packet(map->req->fsp->conn, map->req->req, + NT_STATUS_CANCELLED); change_notify_remove_request(map->req); } @@ -355,8 +328,8 @@ void remove_pending_change_notify_requests_by_fid(files_struct *fsp, } while (fsp->notify->requests != NULL) { - change_notify_reply_packet(fsp->conn, - fsp->notify->requests->request_buf, status); + change_notify_reply_packet( + fsp->conn, fsp->notify->requests->req, status); change_notify_remove_request(fsp->notify->requests); } } @@ -366,6 +339,9 @@ void notify_fname(connection_struct *conn, uint32 action, uint32 filter, { char *fullpath; + if (path[0] == '.' && path[1] == '/') { + path += 2; + } if (asprintf(&fullpath, "%s/%s", conn->connectpath, path) == -1) { DEBUG(0, ("asprintf failed\n")); return; @@ -450,7 +426,7 @@ static void notify_fsp(files_struct *fsp, uint32 action, const char *name) */ change_notify_reply(fsp->conn, - fsp->notify->requests->request_buf, + fsp->notify->requests->req, fsp->notify->requests->max_param, fsp->notify); diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index f711b588c5..777073e6ba 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -120,6 +120,11 @@ void send_nt_replies(connection_struct *conn, + data_alignment_offset); /* + * We might have had SMBnttranss in req->inbuf, fix that. + */ + SCVAL(req->outbuf, smb_com, SMBnttrans); + + /* * Set total params and data to be sent. */ @@ -279,7 +284,7 @@ static void nt_open_pipe(char *fname, connection_struct *conn, /* Strip \\ off the name. */ fname++; - status = np_open(req, conn, fname, &fsp); + status = np_open(req, fname, &fsp); if (!NT_STATUS_IS_OK(status)) { if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND, @@ -716,23 +721,22 @@ static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len, return status; } - if (psd->owner_sid==0) { + if (psd->owner_sid == NULL) { security_info_sent &= ~OWNER_SECURITY_INFORMATION; } - if (psd->group_sid==0) { + if (psd->group_sid == NULL) { security_info_sent &= ~GROUP_SECURITY_INFORMATION; } - if (psd->sacl==0) { - security_info_sent &= ~SACL_SECURITY_INFORMATION; - } - if (psd->dacl==0) { - security_info_sent &= ~DACL_SECURITY_INFORMATION; - } /* Convert all the generic bits. */ security_acl_map_generic(psd->dacl, &file_generic_mapping); security_acl_map_generic(psd->sacl, &file_generic_mapping); + if (DEBUGLEVEL >= 10) { + DEBUG(10,("set_sd for file %s\n", fsp->fsp_name )); + NDR_PRINT_DEBUG(security_descriptor, psd); + } + status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, psd); TALLOC_FREE(psd); @@ -1440,7 +1444,8 @@ static void call_nt_transact_notify_change(connection_struct *conn, * here. */ - change_notify_reply(fsp->conn, req->inbuf, max_param_count, fsp->notify); + change_notify_reply(fsp->conn, req, max_param_count, + fsp->notify); /* * change_notify_reply() above has independently sent its @@ -1582,16 +1587,29 @@ static void call_nt_transact_query_security_desc(connection_struct *conn, status = SMB_VFS_FGET_NT_ACL( fsp, security_info_wanted, &psd); } - if (!NT_STATUS_IS_OK(status)) { reply_nterror(req, status); return; } + /* If the SACL/DACL is NULL, but was requested, we mark that it is + * present in the reply to match Windows behavior */ + if (psd->sacl == NULL && + security_info_wanted & SACL_SECURITY_INFORMATION) + psd->type |= SEC_DESC_SACL_PRESENT; + if (psd->dacl == NULL && + security_info_wanted & DACL_SECURITY_INFORMATION) + psd->type |= SEC_DESC_DACL_PRESENT; + sd_size = ndr_size_security_descriptor(psd, 0); DEBUG(3,("call_nt_transact_query_security_desc: sd_size = %lu.\n",(unsigned long)sd_size)); + if (DEBUGLEVEL >= 10) { + DEBUG(10,("call_nt_transact_query_security_desc for file %s\n", fsp->fsp_name)); + NDR_PRINT_DEBUG(security_descriptor, psd); + } + SIVAL(params,0,(uint32)sd_size); if (max_data_count < sd_size) { @@ -2519,8 +2537,6 @@ void reply_nttrans(struct smb_request *req) uint16 function_code; NTSTATUS result; struct trans_state *state; - uint32_t size; - uint32_t av_size; START_PROFILE(SMBnttrans); @@ -2530,8 +2546,6 @@ void reply_nttrans(struct smb_request *req) return; } - size = smb_len(req->inbuf) + 4; - av_size = smb_len(req->inbuf); pscnt = IVAL(req->vwv+9, 1); psoff = IVAL(req->vwv+11, 1); dscnt = IVAL(req->vwv+13, 1); @@ -2608,6 +2622,12 @@ void reply_nttrans(struct smb_request *req) goto bad_param; if (state->total_data) { + + if (trans_oob(state->total_data, 0, dscnt) + || trans_oob(smb_len(req->inbuf), dsoff, dscnt)) { + goto bad_param; + } + /* Can't use talloc here, the core routines do realloc on the * params and data. */ if ((state->data = (char *)SMB_MALLOC(state->total_data)) == NULL) { @@ -2619,21 +2639,16 @@ void reply_nttrans(struct smb_request *req) return; } - if (dscnt > state->total_data || - dsoff+dscnt < dsoff) { - goto bad_param; - } - - if (dsoff > av_size || - dscnt > av_size || - dsoff+dscnt > av_size) { - goto bad_param; - } - memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt); } if (state->total_param) { + + if (trans_oob(state->total_param, 0, pscnt) + || trans_oob(smb_len(req->inbuf), psoff, pscnt)) { + goto bad_param; + } + /* Can't use talloc here, the core routines do realloc on the * params and data. */ if ((state->param = (char *)SMB_MALLOC(state->total_param)) == NULL) { @@ -2646,17 +2661,6 @@ void reply_nttrans(struct smb_request *req) return; } - if (pscnt > state->total_param || - psoff+pscnt < psoff) { - goto bad_param; - } - - if (psoff > av_size || - pscnt > av_size || - psoff+pscnt > av_size) { - goto bad_param; - } - memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt); } @@ -2666,6 +2670,19 @@ void reply_nttrans(struct smb_request *req) if(state->setup_count > 0) { DEBUG(10,("reply_nttrans: state->setup_count = %d\n", state->setup_count)); + + /* + * No overflow possible here, state->setup_count is an + * unsigned int, being filled by a single byte from + * CVAL(req->vwv+13, 0) above. The cast in the comparison + * below is not necessary, it's here to clarify things. The + * validity of req->vwv and req->wct has been checked in + * init_smb_request already. + */ + if ((state->setup_count/2) + 19 > (unsigned int)req->wct) { + goto bad_param; + } + state->setup = (uint16 *)TALLOC(state, state->setup_count); if (state->setup == NULL) { DEBUG(0,("reply_nttrans : Out of memory\n")); @@ -2677,16 +2694,7 @@ void reply_nttrans(struct smb_request *req) return; } - if ((smb_nt_SetupStart + state->setup_count < smb_nt_SetupStart) || - (smb_nt_SetupStart + state->setup_count < state->setup_count)) { - goto bad_param; - } - if (smb_nt_SetupStart + state->setup_count > size) { - goto bad_param; - } - - memcpy( state->setup, &req->inbuf[smb_nt_SetupStart], - state->setup_count); + memcpy(state->setup, req->vwv+19, state->setup_count); dump_data(10, (uint8 *)state->setup, state->setup_count); } @@ -2729,8 +2737,6 @@ void reply_nttranss(struct smb_request *req) connection_struct *conn = req->conn; uint32_t pcnt,poff,dcnt,doff,pdisp,ddisp; struct trans_state *state; - uint32_t av_size; - uint32_t size; START_PROFILE(SMBnttranss); @@ -2764,9 +2770,6 @@ void reply_nttranss(struct smb_request *req) state->total_data = IVAL(req->vwv+3, 1); } - size = smb_len(req->inbuf) + 4; - av_size = smb_len(req->inbuf); - pcnt = IVAL(req->vwv+5, 1); poff = IVAL(req->vwv+7, 1); pdisp = IVAL(req->vwv+9, 1); @@ -2783,41 +2786,19 @@ void reply_nttranss(struct smb_request *req) goto bad_param; if (pcnt) { - if (pdisp > state->total_param || - pcnt > state->total_param || - pdisp+pcnt > state->total_param || - pdisp+pcnt < pdisp) { + if (trans_oob(state->total_param, pdisp, pcnt) + || trans_oob(smb_len(req->inbuf), poff, pcnt)) { goto bad_param; } - - if (poff > av_size || - pcnt > av_size || - poff+pcnt > av_size || - poff+pcnt < poff) { - goto bad_param; - } - - memcpy(state->param+pdisp, smb_base(req->inbuf)+poff, - pcnt); + memcpy(state->param+pdisp, smb_base(req->inbuf)+poff,pcnt); } if (dcnt) { - if (ddisp > state->total_data || - dcnt > state->total_data || - ddisp+dcnt > state->total_data || - ddisp+dcnt < ddisp) { + if (trans_oob(state->total_data, ddisp, dcnt) + || trans_oob(smb_len(req->inbuf), doff, dcnt)) { goto bad_param; } - - if (ddisp > av_size || - dcnt > av_size || - ddisp+dcnt > av_size || - ddisp+dcnt < ddisp) { - goto bad_param; - } - - memcpy(state->data+ddisp, smb_base(req->inbuf)+doff, - dcnt); + memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,dcnt); } if ((state->received_param < state->total_param) || @@ -2826,12 +2807,6 @@ void reply_nttranss(struct smb_request *req) return; } - /* - * construct_reply_common will copy smb_com from inbuf to - * outbuf. SMBnttranss is wrong here. - */ - SCVAL(req->inbuf,smb_com,SMBnttrans); - handle_nttrans(conn, state, req); DLIST_REMOVE(conn->pending_trans, state); diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 480352beda..f98415ee33 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -332,6 +332,7 @@ static NTSTATUS open_file(files_struct *fsp, if ((open_access_mask & (FILE_READ_DATA|FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_EXECUTE)) || (!file_existed && (local_flags & O_CREAT)) || ((local_flags & O_TRUNC) == O_TRUNC) ) { + const char *wild; /* * We can't actually truncate here as the file may be locked. @@ -353,8 +354,17 @@ static NTSTATUS open_file(files_struct *fsp, #endif /* Don't create files with Microsoft wildcard characters. */ + if (fsp->base_fsp) { + /* + * wildcard characters are allowed in stream names + * only test the basefilename + */ + wild = fsp->base_fsp->fsp_name; + } else { + wild = path; + } if ((local_flags & O_CREAT) && !file_existed && - ms_has_wild(path)) { + ms_has_wild(wild)) { return NT_STATUS_OBJECT_NAME_INVALID; } @@ -462,7 +472,7 @@ static NTSTATUS open_file(files_struct *fsp, conn->server_info->unix_name, fsp->fsp_name, BOOLSTR(fsp->can_read), BOOLSTR(fsp->can_write), - conn->num_files_open + 1)); + conn->num_files_open)); errno = 0; return NT_STATUS_OK; @@ -951,9 +961,10 @@ static bool open_match_attributes(connection_struct *conn, Try and find a duplicated file handle. ****************************************************************************/ -static files_struct *fcb_or_dos_open(struct smb_request *req, +static NTSTATUS fcb_or_dos_open(struct smb_request *req, connection_struct *conn, - const char *fname, + files_struct *fsp_to_dup_into, + const char *fname, struct file_id id, uint16 file_pid, uint16 vuid, @@ -962,7 +973,6 @@ static files_struct *fcb_or_dos_open(struct smb_request *req, uint32 create_options) { files_struct *fsp; - files_struct *dup_fsp; DEBUG(5,("fcb_or_dos_open: attempting old open semantics for " "file %s.\n", fname )); @@ -991,23 +1001,21 @@ static files_struct *fcb_or_dos_open(struct smb_request *req, } if (!fsp) { - return NULL; + return NT_STATUS_NOT_FOUND; } /* quite an insane set of semantics ... */ if (is_executable(fname) && (fsp->fh->private_options & NTCREATEX_OPTIONS_PRIVATE_DENY_DOS)) { DEBUG(10,("fcb_or_dos_open: file fail due to is_executable.\n")); - return NULL; + return NT_STATUS_INVALID_PARAMETER; } /* We need to duplicate this fsp. */ - if (!NT_STATUS_IS_OK(dup_file_fsp(req, fsp, access_mask, share_access, - create_options, &dup_fsp))) { - return NULL; - } + dup_file_fsp(req, fsp, access_mask, share_access, + create_options, fsp_to_dup_into); - return dup_fsp; + return NT_STATUS_OK; } /**************************************************************************** @@ -1249,10 +1257,10 @@ static NTSTATUS calculate_access_mask(connection_struct *conn, } /**************************************************************************** - Open a file with a share mode. + Open a file with a share mode. Passed in an already created files_struct *. ****************************************************************************/ -NTSTATUS open_file_ntcreate(connection_struct *conn, +static NTSTATUS open_file_ntcreate_internal(connection_struct *conn, struct smb_request *req, const char *fname, SMB_STRUCT_STAT *psbuf, @@ -1264,7 +1272,7 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, int oplock_request, /* internal Samba oplock codes. */ /* Information (FILE_EXISTS etc.) */ int *pinfo, - files_struct **result) + files_struct *fsp) { int flags=0; int flags2=0; @@ -1274,7 +1282,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, bool new_file_created = False; struct file_id id; NTSTATUS fsp_open = NT_STATUS_ACCESS_DENIED; - files_struct *fsp = NULL; mode_t new_unx_mode = (mode_t)0; mode_t unx_mode = (mode_t)0; int info; @@ -1291,7 +1298,7 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, ZERO_STRUCT(id); if (conn->printer) { - /* + /* * Printers are handled completely differently. * Most of the passed parameters are ignored. */ @@ -1302,7 +1309,7 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, DEBUG(10, ("open_file_ntcreate: printer open fname=%s\n", fname)); - return print_fsp_open(req, conn, fname, req->vuid, result); + return print_fsp_open(req, conn, fname, req->vuid, fsp); } if (!parent_dirname_talloc(talloc_tos(), fname, &parent_dir, @@ -1366,7 +1373,7 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, status = check_name(conn, fname); if (!NT_STATUS_IS_OK(status)) { return status; - } + } if (!posix_open) { new_dos_attributes &= SAMBA_ATTRIBUTES_MASK; @@ -1533,7 +1540,7 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, flags2 |= O_SYNC; } #endif /* O_SYNC */ - + if (posix_open && (access_mask & FILE_APPEND_DATA)) { flags2 |= O_APPEND; } @@ -1560,11 +1567,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, return NT_STATUS_ACCESS_DENIED; } - status = file_new(req, conn, &fsp); - if(!NT_STATUS_IS_OK(status)) { - return status; - } - fsp->file_id = vfs_file_id_from_sbuf(conn, psbuf); fsp->share_access = share_access; fsp->fh->private_options = create_options; @@ -1589,7 +1591,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, fname, &old_write_time); if (lck == NULL) { - file_free(req, fsp); DEBUG(0, ("Could not get share mode lock\n")); return NT_STATUS_SHARING_VIOLATION; } @@ -1600,7 +1601,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, oplock_request)) { schedule_defer_open(lck, request_time, req); TALLOC_FREE(lck); - file_free(req, fsp); return NT_STATUS_SHARING_VIOLATION; } @@ -1620,7 +1620,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, oplock_request)) { schedule_defer_open(lck, request_time, req); TALLOC_FREE(lck); - file_free(req, fsp); return NT_STATUS_SHARING_VIOLATION; } } @@ -1628,7 +1627,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, if (NT_STATUS_EQUAL(status, NT_STATUS_DELETE_PENDING)) { /* DELETE_PENDING is not deferred for a second */ TALLOC_FREE(lck); - file_free(req, fsp); return status; } @@ -1643,33 +1641,31 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, if (create_options & (NTCREATEX_OPTIONS_PRIVATE_DENY_DOS| NTCREATEX_OPTIONS_PRIVATE_DENY_FCB)) { - files_struct *fsp_dup; - if (req == NULL) { DEBUG(0, ("DOS open without an SMB " "request!\n")); TALLOC_FREE(lck); - file_free(req, fsp); return NT_STATUS_INTERNAL_ERROR; } /* Use the client requested access mask here, * not the one we open with. */ - fsp_dup = fcb_or_dos_open(req, conn, fname, id, - req->smbpid, - req->vuid, - access_mask, - share_access, - create_options); - - if (fsp_dup) { + status = fcb_or_dos_open(req, + conn, + fsp, + fname, + id, + req->smbpid, + req->vuid, + access_mask, + share_access, + create_options); + + if (NT_STATUS_IS_OK(status)) { TALLOC_FREE(lck); - file_free(req, fsp); if (pinfo) { *pinfo = FILE_WAS_OPENED; } - conn->num_files_open++; - *result = fsp_dup; return NT_STATUS_OK; } } @@ -1697,7 +1693,7 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, can_access = False; } - /* + /* * If we're returning a share violation, ensure we * cope with the braindead 1 second delay. */ @@ -1750,7 +1746,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, } else { status = NT_STATUS_ACCESS_DENIED; } - file_free(req, fsp); return status; } @@ -1788,7 +1783,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, if (lck != NULL) { TALLOC_FREE(lck); } - file_free(req, fsp); return fsp_open; } @@ -1819,7 +1813,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, DEBUG(0, ("open_file_ntcreate: Could not get share " "mode lock for %s\n", fname)); fd_close(fsp); - file_free(req, fsp); return NT_STATUS_SHARING_VIOLATION; } @@ -1830,7 +1823,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, schedule_defer_open(lck, request_time, req); TALLOC_FREE(lck); fd_close(fsp); - file_free(req, fsp); return NT_STATUS_SHARING_VIOLATION; } @@ -1849,7 +1841,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, schedule_defer_open(lck, request_time, req); TALLOC_FREE(lck); fd_close(fsp); - file_free(req, fsp); return NT_STATUS_SHARING_VIOLATION; } } @@ -1858,7 +1849,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, struct deferred_open_record state; fd_close(fsp); - file_free(req, fsp); state.delayed_for_oplocks = False; state.id = id; @@ -1900,7 +1890,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, TALLOC_FREE(lck); fd_close(fsp); - file_free(req, fsp); return NT_STATUS_SHARING_VIOLATION; } @@ -1926,7 +1915,6 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, status = map_nt_error_from_unix(errno); TALLOC_FREE(lck); fd_close(fsp); - file_free(req, fsp); return status; } } @@ -1958,7 +1946,7 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, *pinfo = info; } - /* + /* * Setup the oplock info in both the shared memory and * file structs. */ @@ -1990,14 +1978,13 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, del_share_mode(lck, fsp); TALLOC_FREE(lck); fd_close(fsp); - file_free(req, fsp); return status; } /* Note that here we set the *inital* delete on close flag, not the regular one. The magic gets handled in close. */ fsp->initial_delete_on_close = True; } - + if (new_file_created) { /* Files should be initially set as archive */ if (lp_map_archive(SNUM(conn)) || @@ -2066,10 +2053,57 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, } TALLOC_FREE(lck); - conn->num_files_open++; + return NT_STATUS_OK; +} + +/**************************************************************************** + Open a file with a share mode. +****************************************************************************/ + +NTSTATUS open_file_ntcreate(connection_struct *conn, + struct smb_request *req, + const char *fname, + SMB_STRUCT_STAT *psbuf, + uint32 access_mask, /* access bits (FILE_READ_DATA etc.) */ + uint32 share_access, /* share constants (FILE_SHARE_READ etc) */ + uint32 create_disposition, /* FILE_OPEN_IF etc. */ + uint32 create_options, /* options such as delete on close. */ + uint32 new_dos_attributes, /* attributes used for new file. */ + int oplock_request, /* internal Samba oplock codes. */ + /* Information (FILE_EXISTS etc.) */ + int *pinfo, + files_struct **result) +{ + NTSTATUS status; + files_struct *fsp = NULL; + + *result = NULL; + + status = file_new(req, conn, &fsp); + if(!NT_STATUS_IS_OK(status)) { + return status; + } + + status = open_file_ntcreate_internal(conn, + req, + fname, + psbuf, + access_mask, + share_access, + create_disposition, + create_options, + new_dos_attributes, + oplock_request, + pinfo, + fsp); + + if(!NT_STATUS_IS_OK(status)) { + file_free(req, fsp); + return status; + } *result = fsp; - return NT_STATUS_OK; + return status; } /**************************************************************************** @@ -2097,10 +2131,9 @@ NTSTATUS open_file_fchmod(struct smb_request *req, connection_struct *conn, status = open_file(fsp, conn, NULL, NULL, NULL, fname, psbuf, O_WRONLY, 0, FILE_WRITE_DATA, FILE_WRITE_DATA); - /* + /* * This is not a user visible file open. - * Don't set a share mode and don't increment - * the conn->num_files_open. + * Don't set a share mode. */ if (!NT_STATUS_IS_OK(status)) { @@ -2431,8 +2464,6 @@ NTSTATUS open_directory(connection_struct *conn, *pinfo = info; } - conn->num_files_open++; - *result = fsp; return NT_STATUS_OK; } @@ -2821,6 +2852,8 @@ NTSTATUS create_file_unixpath(connection_struct *conn, "%s\n", base, nt_errstr(status))); goto fail; } + /* we don't need to low level fd */ + fd_close(base_fsp); } /* @@ -2857,13 +2890,52 @@ NTSTATUS create_file_unixpath(connection_struct *conn, * Ordinary file case. */ - status = open_file_ntcreate( - conn, req, fname, &sbuf, access_mask, share_access, - create_disposition, create_options, file_attributes, - oplock_request, &info, &fsp); + if (base_fsp) { + /* + * We're opening the stream element of a base_fsp + * we already opened. We need to initialize + * the fsp first, and set up the base_fsp pointer. + */ + status = file_new(req, conn, &fsp); + if(!NT_STATUS_IS_OK(status)) { + goto fail; + } + + fsp->base_fsp = base_fsp; + + status = open_file_ntcreate_internal(conn, + req, + fname, + &sbuf, + access_mask, + share_access, + create_disposition, + create_options, + file_attributes, + oplock_request, + &info, + fsp); + + if(!NT_STATUS_IS_OK(status)) { + file_free(req, fsp); + fsp = NULL; + } + } else { + status = open_file_ntcreate( + conn, req, fname, &sbuf, access_mask, share_access, + create_disposition, create_options, file_attributes, + oplock_request, &info, &fsp); + } if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_IS_A_DIRECTORY)) { + /* A stream open never opens a directory */ + + if (base_fsp) { + status = NT_STATUS_FILE_IS_A_DIRECTORY; + goto fail; + } + /* * Fail the open if it was explicitly a non-directory * file. @@ -2887,6 +2959,8 @@ NTSTATUS create_file_unixpath(connection_struct *conn, goto fail; } + fsp->base_fsp = base_fsp; + /* * According to the MS documentation, the only time the security * descriptor is applied to the opened file is iff we *created* the @@ -2923,7 +2997,12 @@ NTSTATUS create_file_unixpath(connection_struct *conn, security_acl_map_generic(sd->dacl, &file_generic_mapping); security_acl_map_generic(sd->sacl, &file_generic_mapping); - status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd); + if (sec_info_sent & (OWNER_SECURITY_INFORMATION| + GROUP_SECURITY_INFORMATION| + DACL_SECURITY_INFORMATION| + SACL_SECURITY_INFORMATION)) { + status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd); + } fsp->access_mask = saved_access_mask; @@ -2968,16 +3047,6 @@ NTSTATUS create_file_unixpath(connection_struct *conn, DEBUG(10, ("create_file_unixpath: info=%d\n", info)); - /* - * Set fsp->base_fsp late enough that we can't "goto fail" anymore. In - * the fail: branch we call close_file(fsp, ERROR_CLOSE) which would - * also close fsp->base_fsp which we have to also do explicitly in - * this routine here, as not in all "goto fail:" we have the fsp set - * up already to be initialized with the base_fsp. - */ - - fsp->base_fsp = base_fsp; - *result = fsp; if (pinfo != NULL) { *pinfo = info; @@ -2996,6 +3065,13 @@ NTSTATUS create_file_unixpath(connection_struct *conn, DEBUG(10, ("create_file_unixpath: %s\n", nt_errstr(status))); if (fsp != NULL) { + if (base_fsp && fsp->base_fsp == base_fsp) { + /* + * The close_file below will close + * fsp->base_fsp. + */ + base_fsp = NULL; + } close_file(req, fsp, ERROR_CLOSE); fsp = NULL; } diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 88e7b766be..84b40f28cc 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -576,7 +576,7 @@ static bool user_ok(const char *user, int snum) TALLOC_FREE(valid); if (ret && lp_onlyuser(snum)) { - char **user_list = str_list_make( + char **user_list = str_list_make_v3( talloc_tos(), lp_username(snum), NULL); if (user_list && str_list_substitute(user_list, "%S", diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c index b52b1b02d0..261f12cb08 100644 --- a/source3/smbd/pipes.c +++ b/source3/smbd/pipes.c @@ -78,7 +78,7 @@ void reply_open_pipe_and_X(connection_struct *conn, struct smb_request *req) } #endif - status = np_open(req, conn, fname, &fsp); + status = np_open(req, fname, &fsp); if (!NT_STATUS_IS_OK(status)) { if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND, diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index cccf3087f7..97fd3b2bbe 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -870,7 +870,7 @@ static void merge_aces( canon_ace **pp_list_head ) Check if we need to return NT4.x compatible ACL entries. ****************************************************************************/ -static bool nt4_compatible_acls(void) +bool nt4_compatible_acls(void) { int compat = lp_acl_compatibility(); @@ -3211,6 +3211,9 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid) return ret; } +#if 0 +/* Disable this - prevents ACL inheritance from the ACL editor. JRA. */ + /**************************************************************************** Take care of parent ACL inheritance. ****************************************************************************/ @@ -3398,6 +3401,7 @@ NTSTATUS append_parent_acl(files_struct *fsp, *pp_new_sd = psd; return status; } +#endif /**************************************************************************** Reply to set a security descriptor on an fsp. security_info_sent is the @@ -3510,8 +3514,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC create_file_sids(&sbuf, &file_owner_sid, &file_grp_sid); +#if 0 + /* Disable this - prevents ACL inheritance from the ACL editor. JRA. */ + /* See here: http://www.codeproject.com/KB/winsdk/accessctrl2.aspx - * for details. JRA. + * for details and also the log trace in bug #4308. JRA. */ if ((security_info_sent & DACL_SECURITY_INFORMATION) && @@ -3527,6 +3534,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC } psd = new_sd; } +#endif acl_perms = unpack_canon_ace( fsp, &sbuf, &file_owner_sid, &file_grp_sid, &file_ace_list, &dir_ace_list, security_info_sent, psd); @@ -4301,7 +4309,7 @@ SEC_DESC *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname) finfo.fh->fd = -1; finfo.fsp_name = CONST_DISCARD(char *,fname); - if (!NT_STATUS_IS_OK(posix_fget_nt_acl( &finfo, DACL_SECURITY_INFORMATION, &psd))) { + if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, DACL_SECURITY_INFORMATION, &psd))) { DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n")); conn_free_internal( conn ); return NULL; diff --git a/source3/smbd/process.c b/source3/smbd/process.c index 7931fbebab..b3cd2f26c8 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -37,6 +37,8 @@ SIG_ATOMIC_T got_sig_term = 0; extern bool global_machine_password_needs_changing; extern int max_send; +static void construct_reply_common(const char *inbuf, char *outbuf); + /* Accessor function for smb_read_error for smbd functions. */ /**************************************************************************** @@ -1590,7 +1592,7 @@ void remove_from_common_flags2(uint32 v) common_flags2 &= ~v; } -void construct_reply_common(const char *inbuf, char *outbuf) +static void construct_reply_common(const char *inbuf, char *outbuf) { srv_set_message(outbuf,0,0,false); diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 377ba4e530..11c713ab4a 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -52,11 +52,45 @@ static NTSTATUS check_path_syntax_internal(char *path, const char *s = path; NTSTATUS ret = NT_STATUS_OK; bool start_of_name_component = True; + bool stream_started = false; *p_last_component_contains_wcard = False; while (*s) { - if (IS_PATH_SEP(*s,posix_path)) { + if (stream_started) { + switch (*s) { + case '/': + case '\\': + return NT_STATUS_OBJECT_NAME_INVALID; + case ':': + if (s[1] == '\0') { + return NT_STATUS_OBJECT_NAME_INVALID; + } + if (strchr_m(&s[1], ':')) { + return NT_STATUS_OBJECT_NAME_INVALID; + } + if (StrCaseCmp(s, ":$DATA") != 0) { + return NT_STATUS_INVALID_PARAMETER; + } + break; + } + } + + if (!stream_started && *s == ':') { + if (*p_last_component_contains_wcard) { + return NT_STATUS_OBJECT_NAME_INVALID; + } + /* stream names allow more characters than file names */ + stream_started = true; + start_of_name_component = false; + posix_path = true; + + if (s[1] == '\0') { + return NT_STATUS_OBJECT_NAME_INVALID; + } + } + + if (!stream_started && IS_PATH_SEP(*s,posix_path)) { /* * Safe to assume is not the second part of a mb char * as this is handled below. @@ -119,7 +153,7 @@ static NTSTATUS check_path_syntax_internal(char *path, if (!(*s & 0x80)) { if (!posix_path) { - if (*s <= 0x1f) { + if (*s <= 0x1f || *s == '|') { return NT_STATUS_OBJECT_NAME_INVALID; } switch (*s) { @@ -2894,7 +2928,7 @@ void reply_lockread(struct smb_request *req) return; } - if (!CHECK_READ(fsp,req->inbuf)) { + if (!CHECK_READ(fsp,req)) { reply_doserror(req, ERRDOS, ERRbadaccess); END_PROFILE(SMBlockread); return; @@ -3002,7 +3036,7 @@ void reply_read(struct smb_request *req) return; } - if (!CHECK_READ(fsp,req->inbuf)) { + if (!CHECK_READ(fsp,req)) { reply_doserror(req, ERRDOS, ERRbadaccess); END_PROFILE(SMBread); return; @@ -3255,7 +3289,7 @@ void reply_read_and_X(struct smb_request *req) return; } - if (!CHECK_READ(fsp,req->inbuf)) { + if (!CHECK_READ(fsp,req)) { reply_doserror(req, ERRDOS,ERRbadaccess); END_PROFILE(SMBreadX); return; @@ -4558,8 +4592,15 @@ void reply_printopen(struct smb_request *req) return; } + status = file_new(req, conn, &fsp); + if(!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBsplopen); + return; + } + /* Open for exclusive use, write only. */ - status = print_fsp_open(req, conn, NULL, req->vuid, &fsp); + status = print_fsp_open(req, conn, NULL, req->vuid, fsp); if (!NT_STATUS_IS_OK(status)) { reply_nterror(req, status); @@ -4989,8 +5030,16 @@ NTSTATUS rmdir_internals(TALLOC_CTX *ctx, } } - /* We only have veto files/directories. Recursive delete. */ + /* We only have veto files/directories. + * Are we allowed to delete them ? */ + if(!lp_recursive_veto_delete(SNUM(conn))) { + TALLOC_FREE(dir_hnd); + errno = ENOTEMPTY; + goto err; + } + + /* Do a recursive delete. */ RewindDir(dir_hnd,&dirpos); while ((dname = ReadDirName(dir_hnd,&dirpos))) { char *fullname = NULL; @@ -5016,9 +5065,8 @@ NTSTATUS rmdir_internals(TALLOC_CTX *ctx, break; } if(st.st_mode & S_IFDIR) { - if(lp_recursive_veto_delete(SNUM(conn))) { - if(!recursive_rmdir(ctx, conn, fullname)) - break; + if(!recursive_rmdir(ctx, conn, fullname)) { + break; } if(SMB_VFS_RMDIR(conn,fullname) != 0) { break; @@ -5448,6 +5496,12 @@ NTSTATUS rename_internals_fsp(connection_struct *conn, return NT_STATUS_OBJECT_NAME_COLLISION; } + if(replace_if_exists && dst_exists) { + if (is_ntfs_stream_name(newname)) { + return NT_STATUS_INVALID_PARAMETER; + } + } + if (dst_exists) { struct file_id fileid = vfs_file_id_from_sbuf(conn, &sbuf1); files_struct *dst_fsp = file_find_di_first(fileid); diff --git a/source3/smbd/server.c b/source3/smbd/server.c index 7583da65a5..fff05a3aac 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -80,7 +80,7 @@ struct event_context *smbd_event_context(void) { static struct event_context *ctx; - if (!ctx && !(ctx = event_context_init(NULL))) { + if (!ctx && !(ctx = event_context_init(talloc_autofree_context()))) { smb_panic("Could not init smbd event context"); } return ctx; @@ -91,7 +91,7 @@ struct messaging_context *smbd_messaging_context(void) static struct messaging_context *ctx; if (ctx == NULL) { - ctx = messaging_init(NULL, server_id_self(), + ctx = messaging_init(talloc_autofree_context(), server_id_self(), smbd_event_context()); } if (ctx == NULL) { @@ -105,7 +105,7 @@ struct memcache *smbd_memcache(void) static struct memcache *cache; if (!cache - && !(cache = memcache_init(NULL, + && !(cache = memcache_init(talloc_autofree_context(), lp_max_stat_cache_size()*1024))) { smb_panic("Could not init smbd memcache"); diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 05197021a3..0dea615fb5 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -1123,38 +1123,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, return NULL; } -/*************************************************************************************** - Simple wrapper function for make_connection() to include a call to - vfs_chdir() - **************************************************************************************/ - -connection_struct *make_connection_with_chdir(const char *service_in, - DATA_BLOB password, - const char *dev, uint16 vuid, - NTSTATUS *status) -{ - connection_struct *conn = NULL; - - conn = make_connection(service_in, password, dev, vuid, status); - - /* - * make_connection() does not change the directory for us any more - * so we have to do it as a separate step --jerry - */ - - if ( conn && vfs_ChDir(conn,conn->connectpath) != 0 ) { - DEBUG(0,("make_connection_with_chdir: Can't change " - "directory to %s for [print$] (%s)\n", - conn->connectpath,strerror(errno))); - yield_connection(conn, lp_servicename(SNUM(conn))); - conn_free(conn); - *status = NT_STATUS_UNSUCCESSFUL; - return NULL; - } - - return conn; -} - /**************************************************************************** Make a connection to a service. * diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index fde6cdc160..24a201013a 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -1171,7 +1171,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) const char *p2; uint16 data_blob_len = SVAL(req->vwv+7, 0); enum remote_arch_types ra_type = get_remote_arch(); - int vuid = SVAL(req->inbuf,smb_uid); + int vuid = req->vuid; user_struct *vuser = NULL; NTSTATUS status = NT_STATUS_OK; uint16 smbpid = req->smbpid; @@ -1203,7 +1203,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) file_save("negotiate.dat", blob1.data, blob1.length); #endif - p2 = (char *)req->inbuf + smb_vwv13 + data_blob_len; + p2 = (char *)req->buf + data_blob_len; p2 += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p2, STR_TERMINATE); diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c index f5f79c86e5..9dbacc2998 100644 --- a/source3/smbd/share_access.c +++ b/source3/smbd/share_access.c @@ -252,9 +252,11 @@ bool user_ok_token(const char *username, const char *domain, bool is_share_read_only_for_token(const char *username, const char *domain, - struct nt_user_token *token, int snum) + struct nt_user_token *token, + connection_struct *conn) { - bool result = lp_readonly(snum); + int snum = SNUM(conn); + bool result = conn->read_only; if (lp_readlist(snum) != NULL) { if (token_contains_name_in_list(username, domain, diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index d0e3a68e8a..7b051d389f 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -768,6 +768,12 @@ void send_trans2_replies(connection_struct *conn, reply_outbuf(req, 10, total_sent_thistime + alignment_offset + data_alignment_offset); + /* + * We might have SMBtrans2s in req which was transferred to + * the outbuf, fix that. + */ + SCVAL(req->outbuf, smb_com, SMBtrans2); + /* Set total params and data to be sent */ SSVAL(req->outbuf,smb_tprcnt,paramsize); SSVAL(req->outbuf,smb_tdrcnt,datasize); @@ -1129,7 +1135,7 @@ static uint32 unix_filetype(mode_t mode) return UNIX_TYPE_SOCKET; #endif - DEBUG(0,("unix_filetype: unknown filetype %u", (unsigned)mode)); + DEBUG(0,("unix_filetype: unknown filetype %u\n", (unsigned)mode)); return UNIX_TYPE_UNKNOWN; } @@ -3993,6 +3999,46 @@ static void call_trans2qfilepathinfo(connection_struct *conn, return; } + if ((conn->fs_capabilities & FILE_NAMED_STREAMS) + && is_ntfs_stream_name(fname)) { + char *base; + SMB_STRUCT_STAT bsbuf; + + status = split_ntfs_stream_name(talloc_tos(), fname, + &base, NULL); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("create_file_unixpath: " + "split_ntfs_stream_name failed: %s\n", + nt_errstr(status))); + reply_nterror(req, status); + return; + } + + SMB_ASSERT(!is_ntfs_stream_name(base)); /* paranoia.. */ + + if (INFO_LEVEL_IS_UNIX(info_level)) { + /* Always do lstat for UNIX calls. */ + if (SMB_VFS_LSTAT(conn,base,&bsbuf)) { + DEBUG(3,("call_trans2qfilepathinfo: SMB_VFS_LSTAT of %s failed (%s)\n",base,strerror(errno))); + reply_unixerror(req,ERRDOS,ERRbadpath); + return; + } + } else { + if (SMB_VFS_STAT(conn,base,&bsbuf) != 0) { + DEBUG(3,("call_trans2qfilepathinfo: fileinfo of %s failed (%s)\n",base,strerror(errno))); + reply_unixerror(req,ERRDOS,ERRbadpath); + return; + } + } + + fileid = vfs_file_id_from_sbuf(conn, &bsbuf); + get_file_infos(fileid, &delete_pending, NULL); + if (delete_pending) { + reply_nterror(req, NT_STATUS_DELETE_PENDING); + return; + } + } + if (INFO_LEVEL_IS_UNIX(info_level)) { /* Always do lstat for UNIX calls. */ if (SMB_VFS_LSTAT(conn,fname,&sbuf)) { @@ -4911,7 +4957,11 @@ NTSTATUS smb_set_file_time(connection_struct *conn, time_to_asc(convert_timespec_to_time_t(ts[1])) )); if (fsp != NULL) { - set_sticky_write_time_fsp(fsp, ts[1]); + if (fsp->base_fsp) { + set_sticky_write_time_fsp(fsp->base_fsp, ts[1]); + } else { + set_sticky_write_time_fsp(fsp, ts[1]); + } } else { set_sticky_write_time_path(conn, fname, vfs_file_id_from_sbuf(conn, psbuf), @@ -4921,6 +4971,10 @@ NTSTATUS smb_set_file_time(connection_struct *conn, DEBUG(10,("smb_set_file_time: setting utimes to modified values.\n")); + if (fsp && fsp->base_fsp) { + fname = fsp->base_fsp->fsp_name; + } + if(file_ntimes(conn, fname, ts)!=0) { return map_nt_error_from_unix(errno); } @@ -5347,26 +5401,42 @@ static NTSTATUS smb_file_rename_information(connection_struct *conn, return NT_STATUS_NOT_SUPPORTED; } - /* Create the base directory. */ - base_name = talloc_strdup(ctx, fname); - if (!base_name) { - return NT_STATUS_NO_MEMORY; - } - p = strrchr_m(base_name, '/'); - if (p) { - p[1] = '\0'; + if (fsp && fsp->base_fsp) { + if (newname[0] != ':') { + return NT_STATUS_NOT_SUPPORTED; + } + base_name = talloc_asprintf(ctx, "%s%s", + fsp->base_fsp->fsp_name, + newname); + if (!base_name) { + return NT_STATUS_NO_MEMORY; + } } else { - base_name = talloc_strdup(ctx, "./"); + if (is_ntfs_stream_name(newname)) { + return NT_STATUS_NOT_SUPPORTED; + } + + /* Create the base directory. */ + base_name = talloc_strdup(ctx, fname); + if (!base_name) { + return NT_STATUS_NO_MEMORY; + } + p = strrchr_m(base_name, '/'); + if (p) { + p[1] = '\0'; + } else { + base_name = talloc_strdup(ctx, "./"); + if (!base_name) { + return NT_STATUS_NO_MEMORY; + } + } + /* Append the new name. */ + base_name = talloc_asprintf_append(base_name, + "%s", + newname); if (!base_name) { return NT_STATUS_NO_MEMORY; } - } - /* Append the new name. */ - base_name = talloc_asprintf_append(base_name, - "%s", - newname); - if (!base_name) { - return NT_STATUS_NO_MEMORY; } if (fsp) { @@ -7263,8 +7333,8 @@ static void call_trans2ioctl(connection_struct *conn, return; } - if ((SVAL(req->inbuf,(smb_setup+4)) == LMCAT_SPL) - && (SVAL(req->inbuf,(smb_setup+6)) == LMFUNC_GETJOBID)) { + if ((SVAL(req->vwv+16, 0) == LMCAT_SPL) + && (SVAL(req->vwv+17, 0) == LMFUNC_GETJOBID)) { *ppdata = (char *)SMB_REALLOC(*ppdata, 32); if (*ppdata == NULL) { reply_nterror(req, NT_STATUS_NO_MEMORY); @@ -7527,8 +7597,6 @@ void reply_trans2(struct smb_request *req) unsigned int psoff; unsigned int pscnt; unsigned int tran_call; - unsigned int size; - unsigned int av_size; struct trans_state *state; NTSTATUS result; @@ -7545,8 +7613,6 @@ void reply_trans2(struct smb_request *req) psoff = SVAL(req->vwv+10, 0); pscnt = SVAL(req->vwv+9, 0); tran_call = SVAL(req->vwv+14, 0); - size = smb_len(req->inbuf) + 4; - av_size = smb_len(req->inbuf); result = allow_new_trans(conn->pending_trans, req->mid); if (!NT_STATUS_IS_OK(result)) { @@ -7611,8 +7677,8 @@ void reply_trans2(struct smb_request *req) */ if ( (state->setup_count == 4) && (tran_call == TRANSACT2_IOCTL) - && (SVAL(req->inbuf,(smb_setup+4)) == LMCAT_SPL) - && (SVAL(req->inbuf,(smb_setup+6)) == LMFUNC_GETJOBID)) { + && (SVAL(req->vwv+16, 0) == LMCAT_SPL) + && (SVAL(req->vwv+17, 0) == LMFUNC_GETJOBID)) { DEBUG(2,("Got Trans2 DevIOctl jobid\n")); } else { DEBUG(2,("Invalid smb_sucnt in trans2 call(%u)\n",state->setup_count)); @@ -7628,6 +7694,12 @@ void reply_trans2(struct smb_request *req) goto bad_param; if (state->total_data) { + + if (trans_oob(state->total_data, 0, dscnt) + || trans_oob(smb_len(req->inbuf), dsoff, dscnt)) { + goto bad_param; + } + /* Can't use talloc here, the core routines do realloc on the * params and data. */ state->data = (char *)SMB_MALLOC(state->total_data); @@ -7640,21 +7712,16 @@ void reply_trans2(struct smb_request *req) return; } - if (dscnt > state->total_data || - dsoff+dscnt < dsoff) { - goto bad_param; - } - - if (dsoff > av_size || - dscnt > av_size || - dsoff+dscnt > av_size) { - goto bad_param; - } - memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt); } if (state->total_param) { + + if (trans_oob(state->total_param, 0, pscnt) + || trans_oob(smb_len(req->inbuf), psoff, pscnt)) { + goto bad_param; + } + /* Can't use talloc here, the core routines do realloc on the * params and data. */ state->param = (char *)SMB_MALLOC(state->total_param); @@ -7668,17 +7735,6 @@ void reply_trans2(struct smb_request *req) return; } - if (pscnt > state->total_param || - psoff+pscnt < psoff) { - goto bad_param; - } - - if (psoff > av_size || - pscnt > av_size || - psoff+pscnt > av_size) { - goto bad_param; - } - memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt); } @@ -7726,8 +7782,6 @@ void reply_transs2(struct smb_request *req) connection_struct *conn = req->conn; unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp; struct trans_state *state; - unsigned int size; - unsigned int av_size; START_PROFILE(SMBtranss2); @@ -7739,9 +7793,6 @@ void reply_transs2(struct smb_request *req) return; } - size = smb_len(req->inbuf)+4; - av_size = smb_len(req->inbuf); - for (state = conn->pending_trans; state != NULL; state = state->next) { if (state->mid == req->mid) { @@ -7779,41 +7830,19 @@ void reply_transs2(struct smb_request *req) goto bad_param; if (pcnt) { - if (pdisp > state->total_param || - pcnt > state->total_param || - pdisp+pcnt > state->total_param || - pdisp+pcnt < pdisp) { - goto bad_param; - } - - if (poff > av_size || - pcnt > av_size || - poff+pcnt > av_size || - poff+pcnt < poff) { + if (trans_oob(state->total_param, pdisp, pcnt) + || trans_oob(smb_len(req->inbuf), poff, pcnt)) { goto bad_param; } - - memcpy(state->param+pdisp,smb_base(req->inbuf)+poff, - pcnt); + memcpy(state->param+pdisp,smb_base(req->inbuf)+poff,pcnt); } if (dcnt) { - if (ddisp > state->total_data || - dcnt > state->total_data || - ddisp+dcnt > state->total_data || - ddisp+dcnt < ddisp) { - goto bad_param; - } - - if (ddisp > av_size || - dcnt > av_size || - ddisp+dcnt > av_size || - ddisp+dcnt < ddisp) { + if (trans_oob(state->total_data, ddisp, dcnt) + || trans_oob(smb_len(req->inbuf), doff, dcnt)) { goto bad_param; } - - memcpy(state->data+ddisp, smb_base(req->inbuf)+doff, - dcnt); + memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,dcnt); } if ((state->received_param < state->total_param) || @@ -7822,12 +7851,6 @@ void reply_transs2(struct smb_request *req) return; } - /* - * construct_reply_common will copy smb_com from inbuf to - * outbuf. SMBtranss2 is wrong here. - */ - SCVAL(req->inbuf,smb_com,SMBtrans2); - handle_trans2(conn, req, state); DLIST_REMOVE(conn->pending_trans, state); diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index 8998f6a371..ca7df264e2 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -32,7 +32,7 @@ bool change_to_guest(void) if (!pass) { /* Don't need to free() this as its stored in a static */ - pass = getpwnam_alloc(NULL, lp_guestaccount()); + pass = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount()); if (!pass) return(False); } @@ -88,7 +88,8 @@ static bool check_user_ok(connection_struct *conn, uint16_t vuid, readonly_share = is_share_read_only_for_token( server_info->unix_name, pdb_get_domain(server_info->sam_account), - server_info->ptok, snum); + server_info->ptok, + conn); if (!readonly_share && !share_access_check(server_info->ptok, lp_servicename(snum), @@ -317,9 +318,9 @@ bool become_authenticated_pipe_user(pipes_struct *p) if (!push_sec_ctx()) return False; - set_sec_ctx(p->pipe_user.ut.uid, p->pipe_user.ut.gid, - p->pipe_user.ut.ngroups, p->pipe_user.ut.groups, - p->pipe_user.nt_user_token); + set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid, + p->server_info->utok.ngroups, p->server_info->utok.groups, + p->server_info->ptok); return True; } diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 904fb5c262..603426b67c 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -5291,6 +5291,11 @@ static bool run_local_memcache(int dummy) DATA_BLOB d1, d2, d3; DATA_BLOB v1, v2, v3; + TALLOC_CTX *mem_ctx; + char *str1, *str2; + size_t size1, size2; + bool ret = false; + cache = memcache_init(NULL, 100); if (cache == NULL) { @@ -5342,7 +5347,33 @@ static bool run_local_memcache(int dummy) } TALLOC_FREE(cache); - return true; + + cache = memcache_init(NULL, 0); + + mem_ctx = talloc_init("foo"); + + str1 = talloc_strdup(mem_ctx, "string1"); + str2 = talloc_strdup(mem_ctx, "string2"); + + memcache_add_talloc(cache, SINGLETON_CACHE_TALLOC, + data_blob_string_const("torture"), &str1); + size1 = talloc_total_size(cache); + + memcache_add_talloc(cache, SINGLETON_CACHE_TALLOC, + data_blob_string_const("torture"), &str2); + size2 = talloc_total_size(cache); + + printf("size1=%d, size2=%d\n", (int)size1, (int)size2); + + if (size2 > size1) { + printf("memcache leaks memory!\n"); + goto fail; + } + + ret = true; + fail: + TALLOC_FREE(cache); + return ret; } static double create_procs(bool (*fn)(int), bool *result) diff --git a/source3/utils/net.h b/source3/utils/net.h index 5dc2b11d4e..2d72756def 100644 --- a/source3/utils/net.h +++ b/source3/utils/net.h @@ -70,6 +70,16 @@ struct net_context { void *private_data; }; +struct net_dc_info { + bool is_dc; + bool is_pdc; + bool is_ad; + bool is_mixed_mode; + const char *netbios_domain_name; + const char *dns_domain_name; + const char *forest_name; +}; + #define NET_TRANSPORT_LOCAL 0x01 #define NET_TRANSPORT_RAP 0x02 #define NET_TRANSPORT_RPC 0x04 diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h index ee4388f157..c058a0166f 100644 --- a/source3/utils/net_proto.h +++ b/source3/utils/net_proto.h @@ -359,6 +359,7 @@ NTSTATUS rpc_vampire_internals(struct net_context *c, TALLOC_CTX *mem_ctx, int argc, const char **argv); +int rpc_vampire_passdb(struct net_context *c, int argc, const char **argv); int rpc_vampire_ldif(struct net_context *c, int argc, const char **argv); NTSTATUS rpc_vampire_ldif_internals(struct net_context *c, const DOM_SID *domain_sid, @@ -473,6 +474,10 @@ void net_display_usage_from_functable(struct functable *table); const char *net_share_type_str(int num_type); +NTSTATUS net_scan_dc(struct net_context *c, + struct cli_state *cli, + struct net_dc_info *dc_info); + /* The following definitions come from utils/netlookup.c */ NTSTATUS net_lookup_name_from_sid(struct net_context *c, diff --git a/source3/utils/net_rap.c b/source3/utils/net_rap.c index 570e951aee..dd757abd1a 100644 --- a/source3/utils/net_rap.c +++ b/source3/utils/net_rap.c @@ -612,7 +612,7 @@ int net_rap_printq_usage(struct net_context *c, int argc, const char **argv) d_printf( "net rap printq [misc. options] [targets]\n" "\tor\n" - "net rap printq list [<queue_name>] [misc. options] [targets]\n" + "net rap printq info [<queue_name>] [misc. options] [targets]\n" "\tlists the specified queue and jobs on the target server.\n" "\tIf the queue name is not specified, all queues are listed.\n\n"); d_printf( @@ -726,9 +726,10 @@ int net_rap_printq(struct net_context *c, int argc, const char **argv) "info", rap_printq_info, NET_TRANSPORT_RAP, - "Display info about print job", - "net rap printq info\n" - " Display info about print job" + "Display info about print queues and jobs", + "net rap printq info [queue]\n" + " Display info about print jobs in queue.\n" + " If queue is not specified, all queues are listed" }, { "delete", diff --git a/source3/utils/net_registry.c b/source3/utils/net_registry.c index 64a0d8ac40..e2f410b9ac 100644 --- a/source3/utils/net_registry.c +++ b/source3/utils/net_registry.c @@ -339,6 +339,10 @@ static int net_registry_setvalue(struct net_context *c, int argc, value.type = REG_SZ; value.v.sz.len = strlen(argv[3])+1; value.v.sz.str = CONST_DISCARD(char *, argv[3]); + } else if (strequal(argv[2], "multi_sz")) { + value.type = REG_MULTI_SZ; + value.v.multi_sz.num_strings = argc - 3; + value.v.multi_sz.strings = (char **)(argv + 3); } else { d_fprintf(stderr, "type \"%s\" not implemented\n", argv[2]); goto done; diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 10f2a324a3..3c8ce0326e 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -5253,7 +5253,7 @@ static NTSTATUS rpc_trustdom_add_internals(struct net_context *c, 0, 0, ACB_DOMTRUST, SAMR_FIELD_ACCT_FLAGS, hours, 0, 0, 0, 0, 0, 0, 0, - crypt_pwd.data, 24); + &crypt_pwd); result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx, &user_pol, @@ -6370,6 +6370,14 @@ static int rpc_vampire(struct net_context *c, int argc, const char **argv) "net rpc vampire keytab\n" " Dump remote SAM database to Kerberos keytab file" }, + { + "passdb", + rpc_vampire_passdb, + NET_TRANSPORT_RPC, + "Dump remote SAM database to passdb", + "net rpc vampire passdb\n" + " Dump remote SAM database to passdb" + }, {NULL, NULL, 0, NULL, NULL} }; diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 2fe464a000..8070a6282b 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -339,7 +339,8 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) &cli->user_session_key, &crypt_pwd); - init_samr_user_info24(&set_info.info24, crypt_pwd.data, 24); + init_samr_user_info24(&set_info.info24, &crypt_pwd, + PASS_DONT_CHANGE_AT_NEXT_LOGON); CHECK_RPC_ERR(rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx, &user_pol, diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c index c0922efe6b..6b23db74cb 100644 --- a/source3/utils/net_rpc_samsync.c +++ b/source3/utils/net_rpc_samsync.c @@ -26,6 +26,81 @@ #include "includes.h" #include "utils/net.h" +static void parse_samsync_partial_replication_objects(TALLOC_CTX *mem_ctx, + int argc, + const char **argv, + bool *do_single_object_replication, + struct samsync_object **objects, + uint32_t *num_objects) +{ + int i; + + if (argc > 0) { + *do_single_object_replication = true; + } + + for (i=0; i<argc; i++) { + + struct samsync_object o; + + ZERO_STRUCT(o); + + if (!StrnCaseCmp(argv[i], "user_rid=", strlen("user_rid="))) { + o.object_identifier.rid = get_int_param(argv[i]); + o.object_type = NETR_DELTA_USER; + o.database_id = SAM_DATABASE_DOMAIN; + } + if (!StrnCaseCmp(argv[i], "group_rid=", strlen("group_rid="))) { + o.object_identifier.rid = get_int_param(argv[i]); + o.object_type = NETR_DELTA_GROUP; + o.database_id = SAM_DATABASE_DOMAIN; + } + if (!StrnCaseCmp(argv[i], "group_member_rid=", strlen("group_member_rid="))) { + o.object_identifier.rid = get_int_param(argv[i]); + o.object_type = NETR_DELTA_GROUP_MEMBER; + o.database_id = SAM_DATABASE_DOMAIN; + } + if (!StrnCaseCmp(argv[i], "alias_rid=", strlen("alias_rid="))) { + o.object_identifier.rid = get_int_param(argv[i]); + o.object_type = NETR_DELTA_ALIAS; + o.database_id = SAM_DATABASE_BUILTIN; + } + if (!StrnCaseCmp(argv[i], "alias_member_rid=", strlen("alias_member_rid="))) { + o.object_identifier.rid = get_int_param(argv[i]); + o.object_type = NETR_DELTA_ALIAS_MEMBER; + o.database_id = SAM_DATABASE_BUILTIN; + } + if (!StrnCaseCmp(argv[i], "account_sid=", strlen("account_sid="))) { + const char *sid_str = get_string_param(argv[i]); + string_to_sid(&o.object_identifier.sid, sid_str); + o.object_type = NETR_DELTA_ACCOUNT; + o.database_id = SAM_DATABASE_PRIVS; + } + if (!StrnCaseCmp(argv[i], "policy_sid=", strlen("policy_sid="))) { + const char *sid_str = get_string_param(argv[i]); + string_to_sid(&o.object_identifier.sid, sid_str); + o.object_type = NETR_DELTA_POLICY; + o.database_id = SAM_DATABASE_PRIVS; + } + if (!StrnCaseCmp(argv[i], "trustdom_sid=", strlen("trustdom_sid="))) { + const char *sid_str = get_string_param(argv[i]); + string_to_sid(&o.object_identifier.sid, sid_str); + o.object_type = NETR_DELTA_TRUSTED_DOMAIN; + o.database_id = SAM_DATABASE_PRIVS; + } + if (!StrnCaseCmp(argv[i], "secret_name=", strlen("secret_name="))) { + o.object_identifier.name = get_string_param(argv[i]); + o.object_type = NETR_DELTA_SECRET; + o.database_id = SAM_DATABASE_PRIVS; + } + + if (o.object_type > 0) { + ADD_TO_ARRAY(mem_ctx, struct samsync_object, o, + objects, num_objects); + } + } +} + /* dump sam database via samsync rpc calls */ NTSTATUS rpc_samdump_internals(struct net_context *c, const DOM_SID *domain_sid, @@ -48,9 +123,17 @@ NTSTATUS rpc_samdump_internals(struct net_context *c, ctx->mode = NET_SAMSYNC_MODE_DUMP; ctx->cli = pipe_hnd; - ctx->delta_fn = display_sam_entries; + ctx->ops = &libnet_samsync_display_ops; ctx->domain_name = domain_name; + ctx->force_full_replication = c->opt_force_full_repl ? true : false; + ctx->clean_old_entries = c->opt_clean_old_entries ? true : false; + + parse_samsync_partial_replication_objects(ctx, argc, argv, + &ctx->single_object_replication, + &ctx->objects, + &ctx->num_objects); + libnet_samsync(SAM_DATABASE_DOMAIN, ctx); libnet_samsync(SAM_DATABASE_BUILTIN, ctx); @@ -123,9 +206,17 @@ NTSTATUS rpc_vampire_internals(struct net_context *c, ctx->mode = NET_SAMSYNC_MODE_FETCH_PASSDB; ctx->cli = pipe_hnd; - ctx->delta_fn = fetch_sam_entries; + ctx->ops = &libnet_samsync_passdb_ops; ctx->domain_name = domain_name; + ctx->force_full_replication = c->opt_force_full_repl ? true : false; + ctx->clean_old_entries = c->opt_clean_old_entries ? true : false; + + parse_samsync_partial_replication_objects(ctx, argc, argv, + &ctx->single_object_replication, + &ctx->objects, + &ctx->num_objects); + /* fetch domain */ result = libnet_samsync(SAM_DATABASE_DOMAIN, ctx); @@ -157,6 +248,19 @@ NTSTATUS rpc_vampire_internals(struct net_context *c, return result; } +int rpc_vampire_passdb(struct net_context *c, int argc, const char **argv) +{ + if (c->display_usage) { + d_printf("Usage:\n" + "net rpc vampire passdb\n" + " Dump remote SAM database to passdb\n"); + return 0; + } + + return run_rpc_command(c, NULL, &ndr_table_netlogon.syntax_id, 0, + rpc_vampire_internals, argc, argv); +} + NTSTATUS rpc_vampire_ldif_internals(struct net_context *c, const DOM_SID *domain_sid, const char *domain_name, @@ -179,12 +283,21 @@ NTSTATUS rpc_vampire_ldif_internals(struct net_context *c, if (argc >= 1) { ctx->output_filename = argv[0]; } + if (argc >= 2) { + parse_samsync_partial_replication_objects(ctx, argc-1, argv+1, + &ctx->single_object_replication, + &ctx->objects, + &ctx->num_objects); + } ctx->mode = NET_SAMSYNC_MODE_FETCH_LDIF; ctx->cli = pipe_hnd; - ctx->delta_fn = fetch_sam_entries_ldif; + ctx->ops = &libnet_samsync_ldif_ops; ctx->domain_name = domain_name; + ctx->force_full_replication = c->opt_force_full_repl ? true : false; + ctx->clean_old_entries = c->opt_clean_old_entries ? true : false; + /* fetch domain */ status = libnet_samsync(SAM_DATABASE_DOMAIN, ctx); @@ -249,17 +362,29 @@ NTSTATUS rpc_vampire_keytab_internals(struct net_context *c, return status; } - if (argc >= 1) { + if (argc < 1) { + /* the caller should ensure that a filename is provided */ + return NT_STATUS_INVALID_PARAMETER; + } else { ctx->output_filename = argv[0]; } + if (argc >= 2) { + parse_samsync_partial_replication_objects(ctx, argc-1, argv+1, + &ctx->single_object_replication, + &ctx->objects, + &ctx->num_objects); + } ctx->mode = NET_SAMSYNC_MODE_FETCH_KEYTAB; ctx->cli = pipe_hnd; - ctx->delta_fn = fetch_sam_entries_keytab; + ctx->ops = &libnet_samsync_keytab_ops; ctx->domain_name = domain_name; ctx->username = c->opt_user_name; ctx->password = c->opt_password; + ctx->force_full_replication = c->opt_force_full_repl ? true : false; + ctx->clean_old_entries = c->opt_clean_old_entries ? true : false; + /* fetch domain */ status = libnet_samsync(SAM_DATABASE_DOMAIN, ctx); @@ -299,9 +424,13 @@ static NTSTATUS rpc_vampire_keytab_ds_internals(struct net_context *c, ctx->force_full_replication = c->opt_force_full_repl ? true : false; ctx->clean_old_entries = c->opt_clean_old_entries ? true : false; - if (argc >= 1) { + if (argc < 1) { + /* the caller should ensure that a filename is provided */ + return NT_STATUS_INVALID_PARAMETER; + } else { ctx->output_filename = argv[0]; } + if (argc >= 2) { ctx->object_dns = &argv[1]; ctx->object_count = argc - 1; @@ -341,22 +470,41 @@ static NTSTATUS rpc_vampire_keytab_ds_internals(struct net_context *c, int rpc_vampire_keytab(struct net_context *c, int argc, const char **argv) { int ret = 0; + NTSTATUS status; + struct cli_state *cli = NULL; + struct net_dc_info dc_info; - if (c->display_usage) { + if (c->display_usage || (argc < 1)) { d_printf("Usage:\n" - "net rpc vampire keytab\n" + "net rpc vampire keytab <keytabfile>\n" " Dump remote SAM database to Kerberos keytab file\n"); return 0; } - ret = run_rpc_command(c, NULL, &ndr_table_drsuapi.syntax_id, - NET_FLAGS_SEAL, - rpc_vampire_keytab_ds_internals, argc, argv); - if (ret == 0) { - return 0; + status = net_make_ipc_connection(c, 0, &cli); + if (!NT_STATUS_IS_OK(status)) { + return -1; } - return run_rpc_command(c, NULL, &ndr_table_netlogon.syntax_id, 0, - rpc_vampire_keytab_internals, - argc, argv); + status = net_scan_dc(c, cli, &dc_info); + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + + if (!dc_info.is_ad) { + printf("DC is not running Active Directory\n"); + return -1; + } + + if (dc_info.is_mixed_mode) { + ret = run_rpc_command(c, cli, &ndr_table_netlogon.syntax_id, + 0, + rpc_vampire_keytab_internals, argc, argv); + } else { + ret = run_rpc_command(c, cli, &ndr_table_drsuapi.syntax_id, + NET_FLAGS_SEAL, + rpc_vampire_keytab_ds_internals, argc, argv); + } + + return ret; } diff --git a/source3/utils/net_sam.c b/source3/utils/net_sam.c index ce132131f7..e8ebb60205 100644 --- a/source3/utils/net_sam.c +++ b/source3/utils/net_sam.c @@ -1735,7 +1735,7 @@ doma_done: d_printf("Checking Guest's group.\n"); - pwd = getpwnam_alloc(NULL, lp_guestaccount()); + pwd = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount()); if (!pwd) { d_fprintf(stderr, "Failed to find just created Guest account!\n" " Is nss properly configured?!\n"); diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c index a9b2bbe621..590a916522 100644 --- a/source3/utils/net_util.c +++ b/source3/utils/net_util.c @@ -607,3 +607,41 @@ const char *net_share_type_str(int num_type) default: return "Unknown"; } } + +NTSTATUS net_scan_dc(struct net_context *c, + struct cli_state *cli, + struct net_dc_info *dc_info) +{ + TALLOC_CTX *mem_ctx = talloc_tos(); + struct rpc_pipe_client *dssetup_pipe = NULL; + union dssetup_DsRoleInfo info; + NTSTATUS status; + + ZERO_STRUCTP(dc_info); + + status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup.syntax_id, + &dssetup_pipe); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = rpccli_dssetup_DsRoleGetPrimaryDomainInformation(dssetup_pipe, mem_ctx, + DS_ROLE_BASIC_INFORMATION, + &info, + NULL); + TALLOC_FREE(dssetup_pipe); + + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + dc_info->is_dc = (info.basic.role & (DS_ROLE_PRIMARY_DC|DS_ROLE_BACKUP_DC)); + dc_info->is_pdc = (info.basic.role & DS_ROLE_PRIMARY_DC); + dc_info->is_ad = (info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING); + dc_info->is_mixed_mode = (info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE); + dc_info->netbios_domain_name = talloc_strdup(mem_ctx, info.basic.domain); + dc_info->dns_domain_name = talloc_strdup(mem_ctx, info.basic.dns_domain); + dc_info->forest_name = talloc_strdup(mem_ctx, info.basic.forest); + + return NT_STATUS_OK; +} diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 0a76761cb2..8aa8e5e0f9 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -380,13 +380,25 @@ NTSTATUS contact_winbind_auth_crap(const char *username, } if (nt_response && nt_response->length) { - memcpy(request.data.auth_crap.nt_resp, - nt_response->data, - MIN(nt_response->length, sizeof(request.data.auth_crap.nt_resp))); + if (nt_response->length > sizeof(request.data.auth_crap.nt_resp)) { + request.flags = request.flags | WBFLAG_BIG_NTLMV2_BLOB; + request.extra_len = nt_response->length; + request.extra_data.data = SMB_MALLOC_ARRAY(char, request.extra_len); + if (request.extra_data.data == NULL) { + return NT_STATUS_NO_MEMORY; + } + memcpy(request.extra_data.data, nt_response->data, + nt_response->length); + + } else { + memcpy(request.data.auth_crap.nt_resp, + nt_response->data, nt_response->length); + } request.data.auth_crap.nt_resp_len = nt_response->length; } result = winbindd_request_response(WINBINDD_PAM_AUTH_CRAP, &request, &response); + SAFE_FREE(request.extra_data.data); /* Display response */ @@ -535,7 +547,8 @@ static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB if (memcmp(user_sess_key, zeros, 16) != 0) { *user_session_key = data_blob(user_sess_key, 16); } - ntlmssp_state->auth_context = talloc_strdup(ntlmssp_state->mem_ctx, unix_name); + ntlmssp_state->auth_context = talloc_strdup(ntlmssp_state, + unix_name); SAFE_FREE(unix_name); } else { DEBUG(NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED) ? 0 : 3, @@ -555,7 +568,7 @@ static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *u nt_lm_owf_gen (opt_password, nt_pw, lm_pw); - nt_status = ntlm_password_check(ntlmssp_state->mem_ctx, + nt_status = ntlm_password_check(ntlmssp_state, &ntlmssp_state->chal, &ntlmssp_state->lm_resp, &ntlmssp_state->nt_resp, @@ -566,7 +579,7 @@ static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *u lm_pw, nt_pw, user_session_key, lm_session_key); if (NT_STATUS_IS_OK(nt_status)) { - ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state->mem_ctx, + ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state, "%s%c%s", ntlmssp_state->domain, *lp_winbind_separator(), ntlmssp_state->user); diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c index fe99b6fc9e..50cbc43d6d 100644 --- a/source3/utils/pdbedit.c +++ b/source3/utils/pdbedit.c @@ -571,7 +571,7 @@ static int new_user (struct pdb_methods *in, const char *username, get_global_sam_sid(); - if ( !(pwd = getpwnam_alloc( NULL, username )) ) { + if ( !(pwd = getpwnam_alloc(talloc_autofree_context(), username )) ) { DEBUG(0,("Cannot locate Unix account for %s\n", username)); return -1; } @@ -675,7 +675,7 @@ static int new_machine (struct pdb_methods *in, const char *machine_in) fstrcpy(machineaccount, machinename); fstrcat(machineaccount, "$"); - if ( !(pwd = getpwnam_alloc( NULL, machineaccount )) ) { + if ( !(pwd = getpwnam_alloc(talloc_autofree_context(), machineaccount )) ) { DEBUG(0,("Cannot locate Unix account for %s\n", machineaccount)); return -1; } diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index 600fe52f0d..d2652ad95a 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -337,7 +337,7 @@ static int process_root(int local_flags) load_interfaces(); } - if (!user_name[0] && (pwd = getpwuid_alloc(NULL, geteuid()))) { + if (!user_name[0] && (pwd = getpwuid_alloc(talloc_autofree_context(), geteuid()))) { fstrcpy(user_name, pwd->pw_name); TALLOC_FREE(pwd); } @@ -498,7 +498,7 @@ static int process_nonroot(int local_flags) } if (!user_name[0]) { - pwd = getpwuid_alloc(NULL, getuid()); + pwd = getpwuid_alloc(talloc_autofree_context(), getuid()); if (pwd) { fstrcpy(user_name,pwd->pw_name); TALLOC_FREE(pwd); diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c index ce2de4d7fe..9fc02bac13 100644 --- a/source3/utils/smbtree.c +++ b/source3/utils/smbtree.c @@ -30,15 +30,15 @@ static enum tree_level level = LEV_SHARE; /* Holds a list of workgroups or servers */ -struct name_list { - struct name_list *prev, *next; +struct smb_name_list { + struct smb_name_list *prev, *next; char *name, *comment; uint32 server_type; }; -static struct name_list *workgroups, *servers, *shares; +static struct smb_name_list *workgroups, *servers, *shares; -static void free_name_list(struct name_list *list) +static void free_name_list(struct smb_name_list *list) { while(list) DLIST_REMOVE(list, list); @@ -47,10 +47,10 @@ static void free_name_list(struct name_list *list) static void add_name(const char *machine_name, uint32 server_type, const char *comment, void *state) { - struct name_list **name_list = (struct name_list **)state; - struct name_list *new_name; + struct smb_name_list **name_list = (struct smb_name_list **)state; + struct smb_name_list *new_name; - new_name = SMB_MALLOC_P(struct name_list); + new_name = SMB_MALLOC_P(struct smb_name_list); if (!new_name) return; @@ -222,7 +222,7 @@ static bool get_shares(char *server_name, struct user_auth_info *user_info) static bool print_tree(struct user_auth_info *user_info) { - struct name_list *wg, *sv, *sh; + struct smb_name_list *wg, *sv, *sh; /* List workgroups */ diff --git a/source3/web/cgi.c b/source3/web/cgi.c index ce36bd9310..49e83717c3 100644 --- a/source3/web/cgi.c +++ b/source3/web/cgi.c @@ -314,7 +314,7 @@ static void cgi_web_auth(void) exit(0); } - pwd = getpwnam_alloc(NULL, user); + pwd = getpwnam_alloc(talloc_autofree_context(), user); if (!pwd) { printf("%sCannot find user %s<br>%s\n", head, user, tail); exit(0); @@ -367,7 +367,7 @@ static bool cgi_handle_authorization(char *line) * Try and get the user from the UNIX password file. */ - pass = getpwnam_alloc(NULL, user); + pass = getpwnam_alloc(talloc_autofree_context(), user); /* * Validate the password they have given. diff --git a/source3/web/neg_lang.c b/source3/web/neg_lang.c index 82411000cd..491ca9eedd 100644 --- a/source3/web/neg_lang.c +++ b/source3/web/neg_lang.c @@ -74,7 +74,7 @@ void web_set_lang(const char *lang_string) int lang_num, i; /* build the lang list */ - lang_list = str_list_make(talloc_tos(), lang_string, ", \t\r\n"); + lang_list = str_list_make_v3(talloc_tos(), lang_string, ", \t\r\n"); if (!lang_list) return; /* sort the list by priority */ diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c index cfc5597f42..aaba7e53ee 100644 --- a/source3/winbindd/idmap.c +++ b/source3/winbindd/idmap.c @@ -461,6 +461,9 @@ static struct idmap_domain *idmap_find_domain(const char *domname) struct idmap_domain *result; int i; + DEBUG(10, ("idmap_find_domain called for domain '%s'\n", + domname?domname:"NULL")); + /* * Always init the default domain, we can't go without one */ @@ -725,6 +728,10 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) struct idmap_domain *dom; struct id_map *maps[2]; + DEBUG(10, ("idmap_backend_unixid_to_sid: domain = '%s', xid = %d " + "(type %d)\n", + domname?domname:"NULL", id->xid.id, id->xid.type)); + maps[0] = id; maps[1] = NULL; @@ -751,6 +758,9 @@ NTSTATUS idmap_backends_sid_to_unixid(const char *domain, struct id_map *id) struct idmap_domain *dom; struct id_map *maps[2]; + DEBUG(10, ("idmap_backend_sid_to_unixid: domain = '%s', sid = [%s]\n", + domain?domain:"NULL", sid_string_dbg(id->sid))); + maps[0] = id; maps[1] = NULL; @@ -788,3 +798,20 @@ NTSTATUS idmap_set_mapping(const struct id_map *map) return dom->methods->set_mapping(dom, map); } + +NTSTATUS idmap_remove_mapping(const struct id_map *map) +{ + struct idmap_domain *dom; + + dom = idmap_find_domain(NULL); + if (dom == NULL) { + DEBUG(3, ("no default domain, no place to write\n")); + return NT_STATUS_ACCESS_DENIED; + } + if (dom->methods->remove_mapping == NULL) { + DEBUG(3, ("default domain not writable\n")); + return NT_STATUS_MEDIA_WRITE_PROTECTED; + } + + return dom->methods->remove_mapping(dom, map); +} diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c index 60a2d8642a..b22e5af94a 100644 --- a/source3/winbindd/idmap_ad.c +++ b/source3/winbindd/idmap_ad.c @@ -9,6 +9,7 @@ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003 * Copyright (C) Gerald (Jerry) Carter 2004-2007 * Copyright (C) Luke Howard 2001-2004 + * Copyright (C) Michael Adam 2008 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -25,6 +26,7 @@ */ #include "includes.h" +#include "winbindd.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_IDMAP @@ -43,31 +45,39 @@ struct idmap_ad_context { uint32_t filter_low_id; uint32_t filter_high_id; + ADS_STRUCT *ads; + struct posix_schema *ad_schema; + enum wb_posix_mapping ad_map_type; /* WB_POSIX_MAP_UNKNOWN */ }; NTSTATUS init_module(void); -static ADS_STRUCT *ad_idmap_ads = NULL; -static struct posix_schema *ad_schema = NULL; -static enum wb_posix_mapping ad_map_type = WB_POSIX_MAP_UNKNOWN; - /************************************************************************ ***********************************************************************/ -static ADS_STRUCT *ad_idmap_cached_connection_internal(void) +static ADS_STATUS ad_idmap_cached_connection_internal(struct idmap_domain *dom) { ADS_STRUCT *ads; ADS_STATUS status; bool local = False; fstring dc_name; struct sockaddr_storage dc_ip; + struct idmap_ad_context *ctx; + char *ldap_server = NULL; + char *realm = NULL; + struct winbindd_domain *wb_dom; + + DEBUG(10, ("ad_idmap_cached_connection: called for domain '%s'\n", + dom->name)); + + ctx = talloc_get_type(dom->private_data, struct idmap_ad_context); - if (ad_idmap_ads != NULL) { + if (ctx->ads != NULL) { time_t expire; time_t now = time(NULL); - ads = ad_idmap_ads; + ads = ctx->ads; expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire); @@ -76,15 +86,15 @@ static ADS_STRUCT *ad_idmap_cached_connection_internal(void) (uint32)expire-(uint32)now, (uint32) expire, (uint32) now)); if ( ads->config.realm && (expire > time(NULL))) { - return ads; + return ADS_SUCCESS; } else { /* we own this ADS_STRUCT so make sure it goes away */ DEBUG(7,("Deleting expired krb5 credential cache\n")); ads->is_mine = True; ads_destroy( &ads ); ads_kdestroy(WINBIND_CCACHE_NAME); - ad_idmap_ads = NULL; - TALLOC_FREE( ad_schema ); + ctx->ads = NULL; + TALLOC_FREE( ctx->ad_schema ); } } @@ -93,9 +103,28 @@ static ADS_STRUCT *ad_idmap_cached_connection_internal(void) setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1); } - if ( (ads = ads_init(lp_realm(), lp_workgroup(), NULL)) == NULL ) { + /* + * At this point we only have the NetBIOS domain name. + * Check if we can get server nam and realm from SAF cache + * and the domain list. + */ + ldap_server = saf_fetch(dom->name); + DEBUG(10, ("ldap_server from saf cache: '%s'\n", ldap_server?ldap_server:"")); + + wb_dom = find_domain_from_name_noinit(dom->name); + if (wb_dom == NULL) { + DEBUG(10, ("find_domain_from_name_noinit did not find domain '%s'\n", + dom->name)); + realm = NULL; + } else { + DEBUG(10, ("find_domain_from_name_noinit found realm '%s' for " + " domain '%s'\n", wb_dom->alt_name, dom->name)); + realm = wb_dom->alt_name; + } + + if ( (ads = ads_init(realm, dom->name, ldap_server)) == NULL ) { DEBUG(1,("ads_init failed\n")); - return NULL; + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } /* the machine acct password might have change - fetch it every time */ @@ -107,54 +136,57 @@ static ADS_STRUCT *ad_idmap_cached_connection_internal(void) /* setup server affinity */ - get_dc_name( NULL, ads->auth.realm, dc_name, &dc_ip ); + get_dc_name(dom->name, realm, dc_name, &dc_ip ); status = ads_connect(ads); if (!ADS_ERR_OK(status)) { DEBUG(1, ("ad_idmap_init: failed to connect to AD\n")); ads_destroy(&ads); - return NULL; + return status; } ads->is_mine = False; - ad_idmap_ads = ads; + ctx->ads = ads; - return ads; + return ADS_SUCCESS; } /************************************************************************ ***********************************************************************/ -static ADS_STRUCT *ad_idmap_cached_connection(void) +static ADS_STATUS ad_idmap_cached_connection(struct idmap_domain *dom) { - ADS_STRUCT *ads = ad_idmap_cached_connection_internal(); - - if ( !ads ) - return NULL; + ADS_STATUS status; + struct idmap_ad_context * ctx; + + status = ad_idmap_cached_connection_internal(dom); + if (!ADS_ERR_OK(status)) { + return status; + } + + ctx = talloc_get_type(dom->private_data, struct idmap_ad_context); /* if we have a valid ADS_STRUCT and the schema model is defined, then we can return here. */ - if ( ad_schema ) - return ads; + if ( ctx->ad_schema ) { + return ADS_SUCCESS; + } /* Otherwise, set the schema model */ - if ( (ad_map_type == WB_POSIX_MAP_SFU) || - (ad_map_type == WB_POSIX_MAP_SFU20) || - (ad_map_type == WB_POSIX_MAP_RFC2307) ) + if ( (ctx->ad_map_type == WB_POSIX_MAP_SFU) || + (ctx->ad_map_type == WB_POSIX_MAP_SFU20) || + (ctx->ad_map_type == WB_POSIX_MAP_RFC2307) ) { - ADS_STATUS schema_status; - - schema_status = ads_check_posix_schema_mapping( NULL, ads, ad_map_type, &ad_schema); - if ( !ADS_ERR_OK(schema_status) ) { + status = ads_check_posix_schema_mapping(NULL, ctx->ads, ctx->ad_map_type, &ctx->ad_schema); + if ( !ADS_ERR_OK(status) ) { DEBUG(2,("ad_idmap_cached_connection: Failed to obtain schema details!\n")); - return NULL; } } - return ads; + return status; } /************************************************************************ @@ -190,17 +222,18 @@ static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom, } } + /* default map type */ + ctx->ad_map_type = WB_POSIX_MAP_RFC2307; + /* schema mode */ - if ( ad_map_type == WB_POSIX_MAP_UNKNOWN ) - ad_map_type = WB_POSIX_MAP_RFC2307; schema_mode = lp_parm_const_string(-1, config_option, "schema_mode", NULL); if ( schema_mode && schema_mode[0] ) { if ( strequal(schema_mode, "sfu") ) - ad_map_type = WB_POSIX_MAP_SFU; + ctx->ad_map_type = WB_POSIX_MAP_SFU; else if ( strequal(schema_mode, "sfu20" ) ) - ad_map_type = WB_POSIX_MAP_SFU20; + ctx->ad_map_type = WB_POSIX_MAP_SFU20; else if ( strequal(schema_mode, "rfc2307" ) ) - ad_map_type = WB_POSIX_MAP_RFC2307; + ctx->ad_map_type = WB_POSIX_MAP_RFC2307; else DEBUG(0,("idmap_ad_initialize: Unknown schema_mode (%s)\n", schema_mode)); @@ -256,7 +289,6 @@ static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom, struct id_map TALLOC_CTX *memctx; struct idmap_ad_context *ctx; ADS_STATUS rc; - ADS_STRUCT *ads; const char *attrs[] = { "sAMAccountType", "objectSid", NULL, /* uidnumber */ @@ -284,14 +316,16 @@ static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom, struct id_map return NT_STATUS_NO_MEMORY; } - if ( (ads = ad_idmap_cached_connection()) == NULL ) { - DEBUG(1, ("ADS uninitialized\n")); + rc = ad_idmap_cached_connection(dom); + if (!ADS_ERR_OK(rc)) { + DEBUG(1, ("ADS uninitialized: %s\n", ads_errstr(rc))); ret = NT_STATUS_UNSUCCESSFUL; + /* ret = ads_ntstatus(rc); */ goto done; } - attrs[2] = ad_schema->posix_uidnumber_attr; - attrs[3] = ad_schema->posix_gidnumber_attr; + attrs[2] = ctx->ad_schema->posix_uidnumber_attr; + attrs[3] = ctx->ad_schema->posix_gidnumber_attr; again: bidx = idx; @@ -308,7 +342,7 @@ again: ATYPE_INTERDOMAIN_TRUST); } u_filter = talloc_asprintf_append_buffer(u_filter, "(%s=%lu)", - ad_schema->posix_uidnumber_attr, + ctx->ad_schema->posix_uidnumber_attr, (unsigned long)ids[idx]->xid.id); CHECK_ALLOC_DONE(u_filter); break; @@ -322,7 +356,7 @@ again: ATYPE_SECURITY_LOCAL_GROUP); } g_filter = talloc_asprintf_append_buffer(g_filter, "(%s=%lu)", - ad_schema->posix_gidnumber_attr, + ctx->ad_schema->posix_gidnumber_attr, (unsigned long)ids[idx]->xid.id); CHECK_ALLOC_DONE(g_filter); break; @@ -348,14 +382,14 @@ again: filter = talloc_asprintf_append_buffer(filter, ")"); CHECK_ALLOC_DONE(filter); - rc = ads_search_retry(ads, &res, filter, attrs); + rc = ads_search_retry(ctx->ads, &res, filter, attrs); if (!ADS_ERR_OK(rc)) { DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc))); ret = NT_STATUS_UNSUCCESSFUL; goto done; } - if ( (count = ads_count_replies(ads, res)) == 0 ) { + if ( (count = ads_count_replies(ctx->ads, res)) == 0 ) { DEBUG(10, ("No IDs found\n")); } @@ -368,9 +402,9 @@ again: uint32_t atype; if (i == 0) { /* first entry */ - entry = ads_first_entry(ads, entry); + entry = ads_first_entry(ctx->ads, entry); } else { /* following ones */ - entry = ads_next_entry(ads, entry); + entry = ads_next_entry(ctx->ads, entry); } if ( !entry ) { @@ -379,13 +413,13 @@ again: } /* first check if the SID is present */ - if (!ads_pull_sid(ads, entry, "objectSid", &sid)) { + if (!ads_pull_sid(ctx->ads, entry, "objectSid", &sid)) { DEBUG(2, ("Could not retrieve SID from entry\n")); continue; } /* get type */ - if (!ads_pull_uint32(ads, entry, "sAMAccountType", &atype)) { + if (!ads_pull_uint32(ctx->ads, entry, "sAMAccountType", &atype)) { DEBUG(1, ("could not get SAM account type\n")); continue; } @@ -405,9 +439,9 @@ again: continue; } - if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ? - ad_schema->posix_uidnumber_attr : - ad_schema->posix_gidnumber_attr, + if (!ads_pull_uint32(ctx->ads, entry, (type==ID_TYPE_UID) ? + ctx->ad_schema->posix_uidnumber_attr : + ctx->ad_schema->posix_gidnumber_attr, &id)) { DEBUG(1, ("Could not get unix ID\n")); @@ -439,7 +473,7 @@ again: } if (res) { - ads_msgfree(ads, res); + ads_msgfree(ctx->ads, res); } if (ids[idx]) { /* still some values to map */ @@ -468,7 +502,6 @@ static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom, struct id_map TALLOC_CTX *memctx; struct idmap_ad_context *ctx; ADS_STATUS rc; - ADS_STRUCT *ads; const char *attrs[] = { "sAMAccountType", "objectSid", NULL, /* attr_uidnumber */ @@ -495,14 +528,22 @@ static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom, struct id_map return NT_STATUS_NO_MEMORY; } - if ( (ads = ad_idmap_cached_connection()) == NULL ) { - DEBUG(1, ("ADS uninitialized\n")); + rc = ad_idmap_cached_connection(dom); + if (!ADS_ERR_OK(rc)) { + DEBUG(1, ("ADS uninitialized: %s\n", ads_errstr(rc))); + ret = NT_STATUS_UNSUCCESSFUL; + /* ret = ads_ntstatus(rc); */ + goto done; + } + + if (ctx->ad_schema == NULL) { + DEBUG(0, ("haven't got ctx->ad_schema ! \n")); ret = NT_STATUS_UNSUCCESSFUL; goto done; } - attrs[2] = ad_schema->posix_uidnumber_attr; - attrs[3] = ad_schema->posix_gidnumber_attr; + attrs[2] = ctx->ad_schema->posix_uidnumber_attr; + attrs[3] = ctx->ad_schema->posix_gidnumber_attr; again: filter = talloc_asprintf(memctx, "(&(|" @@ -529,14 +570,14 @@ again: CHECK_ALLOC_DONE(filter); DEBUG(10, ("Filter: [%s]\n", filter)); - rc = ads_search_retry(ads, &res, filter, attrs); + rc = ads_search_retry(ctx->ads, &res, filter, attrs); if (!ADS_ERR_OK(rc)) { DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc))); ret = NT_STATUS_UNSUCCESSFUL; goto done; } - if ( (count = ads_count_replies(ads, res)) == 0 ) { + if ( (count = ads_count_replies(ctx->ads, res)) == 0 ) { DEBUG(10, ("No IDs found\n")); } @@ -549,9 +590,9 @@ again: uint32_t atype; if (i == 0) { /* first entry */ - entry = ads_first_entry(ads, entry); + entry = ads_first_entry(ctx->ads, entry); } else { /* following ones */ - entry = ads_next_entry(ads, entry); + entry = ads_next_entry(ctx->ads, entry); } if ( !entry ) { @@ -560,7 +601,7 @@ again: } /* first check if the SID is present */ - if (!ads_pull_sid(ads, entry, "objectSid", &sid)) { + if (!ads_pull_sid(ctx->ads, entry, "objectSid", &sid)) { DEBUG(2, ("Could not retrieve SID from entry\n")); continue; } @@ -572,7 +613,7 @@ again: } /* get type */ - if (!ads_pull_uint32(ads, entry, "sAMAccountType", &atype)) { + if (!ads_pull_uint32(ctx->ads, entry, "sAMAccountType", &atype)) { DEBUG(1, ("could not get SAM account type\n")); continue; } @@ -592,9 +633,9 @@ again: continue; } - if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ? - ad_schema->posix_uidnumber_attr : - ad_schema->posix_gidnumber_attr, + if (!ads_pull_uint32(ctx->ads, entry, (type==ID_TYPE_UID) ? + ctx->ad_schema->posix_uidnumber_attr : + ctx->ad_schema->posix_gidnumber_attr, &id)) { DEBUG(1, ("Could not get unix ID\n")); @@ -619,7 +660,7 @@ again: } if (res) { - ads_msgfree(ads, res); + ads_msgfree(ctx->ads, res); } if (ids[idx]) { /* still some values to map */ @@ -644,16 +685,18 @@ done: static NTSTATUS idmap_ad_close(struct idmap_domain *dom) { - ADS_STRUCT *ads = ad_idmap_ads; + struct idmap_ad_context * ctx; + + ctx = talloc_get_type(dom->private_data, struct idmap_ad_context); - if (ads != NULL) { + if (ctx->ads != NULL) { /* we own this ADS_STRUCT so make sure it goes away */ - ads->is_mine = True; - ads_destroy( &ads ); - ad_idmap_ads = NULL; + ctx->ads->is_mine = True; + ads_destroy( &ctx->ads ); + ctx->ads = NULL; } - TALLOC_FREE( ad_schema ); + TALLOC_FREE( ctx->ad_schema ); return NT_STATUS_OK; } @@ -666,66 +709,107 @@ static NTSTATUS idmap_ad_close(struct idmap_domain *dom) Initialize the {sfu,sfu20,rfc2307} state ***********************************************************************/ -static NTSTATUS nss_sfu_init( struct nss_domain_entry *e ) -{ - /* Sanity check if we have previously been called with a - different schema model */ +static const char *wb_posix_map_unknown_string = "WB_POSIX_MAP_UNKNOWN"; +static const char *wb_posix_map_template_string = "WB_POSIX_MAP_TEMPLATE"; +static const char *wb_posix_map_sfu_string = "WB_POSIX_MAP_SFU"; +static const char *wb_posix_map_sfu20_string = "WB_POSIX_MAP_SFU20"; +static const char *wb_posix_map_rfc2307_string = "WB_POSIX_MAP_RFC2307"; +static const char *wb_posix_map_unixinfo_string = "WB_POSIX_MAP_UNIXINFO"; - if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) && - (ad_map_type != WB_POSIX_MAP_SFU) ) - { - DEBUG(0,("nss_sfu_init: Posix Map type has already been set. " - "Mixed schema models not supported!\n")); - return NT_STATUS_NOT_SUPPORTED; +static const char *ad_map_type_string(enum wb_posix_mapping map_type) +{ + switch (map_type) { + case WB_POSIX_MAP_TEMPLATE: + return wb_posix_map_template_string; + case WB_POSIX_MAP_SFU: + return wb_posix_map_sfu_string; + case WB_POSIX_MAP_SFU20: + return wb_posix_map_sfu20_string; + case WB_POSIX_MAP_RFC2307: + return wb_posix_map_rfc2307_string; + case WB_POSIX_MAP_UNIXINFO: + return wb_posix_map_unixinfo_string; + default: + return wb_posix_map_unknown_string; } - - ad_map_type = WB_POSIX_MAP_SFU; - - return NT_STATUS_OK; } -static NTSTATUS nss_sfu20_init( struct nss_domain_entry *e ) +static NTSTATUS nss_ad_generic_init(struct nss_domain_entry *e, + enum wb_posix_mapping new_ad_map_type) { - /* Sanity check if we have previously been called with a - different schema model */ + struct idmap_domain *dom; + struct idmap_ad_context *ctx; + + if (e->state != NULL) { + dom = talloc_get_type(e->state, struct idmap_domain); + } else { + dom = TALLOC_ZERO_P(e, struct idmap_domain); + if (dom == NULL) { + DEBUG(0, ("Out of memory!\n")); + return NT_STATUS_NO_MEMORY; + } + e->state = dom; + } + + if (e->domain != NULL) { + dom->name = talloc_strdup(dom, e->domain); + if (dom->name == NULL) { + DEBUG(0, ("Out of memory!\n")); + return NT_STATUS_NO_MEMORY; + } + } - if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) && - (ad_map_type != WB_POSIX_MAP_SFU20) ) + if (dom->private_data != NULL) { + ctx = talloc_get_type(dom->private_data, + struct idmap_ad_context); + } else { + ctx = TALLOC_ZERO_P(dom, struct idmap_ad_context); + if (ctx == NULL) { + DEBUG(0, ("Out of memory!\n")); + return NT_STATUS_NO_MEMORY; + } + ctx->ad_map_type = WB_POSIX_MAP_RFC2307; + dom->private_data = ctx; + } + + if ((ctx->ad_map_type != WB_POSIX_MAP_UNKNOWN) && + (ctx->ad_map_type != new_ad_map_type)) { - DEBUG(0,("nss_sfu20_init: Posix Map type has already been set. " - "Mixed schema models not supported!\n")); - return NT_STATUS_NOT_SUPPORTED; + DEBUG(2, ("nss_ad_generic_init: " + "Warning: overriding previously set posix map type " + "%s for domain %s with map type %s.\n", + ad_map_type_string(ctx->ad_map_type), + dom->name, + ad_map_type_string(new_ad_map_type))); } - - ad_map_type = WB_POSIX_MAP_SFU20; + + ctx->ad_map_type = new_ad_map_type; return NT_STATUS_OK; } -static NTSTATUS nss_rfc2307_init( struct nss_domain_entry *e ) +static NTSTATUS nss_sfu_init( struct nss_domain_entry *e ) { - /* Sanity check if we have previously been called with a - different schema model */ - - if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) && - (ad_map_type != WB_POSIX_MAP_RFC2307) ) - { - DEBUG(0,("nss_rfc2307_init: Posix Map type has already been set. " - "Mixed schema models not supported!\n")); - return NT_STATUS_NOT_SUPPORTED; - } - - ad_map_type = WB_POSIX_MAP_RFC2307; + return nss_ad_generic_init(e, WB_POSIX_MAP_SFU); +} - return NT_STATUS_OK; +static NTSTATUS nss_sfu20_init( struct nss_domain_entry *e ) +{ + return nss_ad_generic_init(e, WB_POSIX_MAP_SFU20); +} + +static NTSTATUS nss_rfc2307_init( struct nss_domain_entry *e ) +{ + return nss_ad_generic_init(e, WB_POSIX_MAP_RFC2307); } /************************************************************************ ***********************************************************************/ + static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e, const DOM_SID *sid, - TALLOC_CTX *ctx, + TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, LDAPMessage *msg, char **homedir, @@ -733,7 +817,6 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e, char **gecos, uint32 *gid ) { - ADS_STRUCT *ads_internal = NULL; const char *attrs[] = {NULL, /* attr_homedir */ NULL, /* attr_shell */ NULL, /* attr_gecos */ @@ -744,18 +827,27 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e, ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; char *sidstr = NULL; + struct idmap_domain *dom; + struct idmap_ad_context *ctx; + + DEBUG(10, ("nss_ad_get_info called for sid [%s] in domain '%s'\n", + sid_string_dbg(sid), e->domain?e->domain:"NULL")); /* Only do query if we are online */ if (idmap_is_offline()) { return NT_STATUS_FILE_IS_OFFLINE; } - /* We are assuming that the internal ADS_STRUCT is for the - same forest as the incoming *ads pointer */ + dom = talloc_get_type(e->state, struct idmap_domain); + ctx = talloc_get_type(dom->private_data, struct idmap_ad_context); - ads_internal = ad_idmap_cached_connection(); + ads_status = ad_idmap_cached_connection(dom); + if (!ADS_ERR_OK(ads_status)) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } - if ( !ads_internal || !ad_schema ) { + if (!ctx->ad_schema) { + DEBUG(10, ("nss_ad_get_info: no ad_schema configured!\n")); return NT_STATUS_OBJECT_NAME_NOT_FOUND; } @@ -766,12 +858,15 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e, /* See if we can use the ADS connection struct swe were given */ if (ads) { - *homedir = ads_pull_string( ads, ctx, msg, ad_schema->posix_homedir_attr ); - *shell = ads_pull_string( ads, ctx, msg, ad_schema->posix_shell_attr ); - *gecos = ads_pull_string( ads, ctx, msg, ad_schema->posix_gecos_attr ); + DEBUG(10, ("nss_ad_get_info: using given ads connection and " + "LDAP message (%p)\n", msg)); + + *homedir = ads_pull_string( ads, mem_ctx, msg, ctx->ad_schema->posix_homedir_attr ); + *shell = ads_pull_string( ads, mem_ctx, msg, ctx->ad_schema->posix_shell_attr ); + *gecos = ads_pull_string( ads, mem_ctx, msg, ctx->ad_schema->posix_gecos_attr ); if (gid) { - if ( !ads_pull_uint32(ads, msg, ad_schema->posix_gidnumber_attr, gid ) ) + if ( !ads_pull_uint32(ads, msg, ctx->ad_schema->posix_gidnumber_attr, gid ) ) *gid = (uint32)-1; } @@ -781,13 +876,16 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e, /* Have to do our own query */ - attrs[0] = ad_schema->posix_homedir_attr; - attrs[1] = ad_schema->posix_shell_attr; - attrs[2] = ad_schema->posix_gecos_attr; - attrs[3] = ad_schema->posix_gidnumber_attr; + DEBUG(10, ("nss_ad_get_info: no ads connection given, doing our " + "own query\n")); + + attrs[0] = ctx->ad_schema->posix_homedir_attr; + attrs[1] = ctx->ad_schema->posix_shell_attr; + attrs[2] = ctx->ad_schema->posix_gecos_attr; + attrs[3] = ctx->ad_schema->posix_gidnumber_attr; sidstr = sid_binstring(sid); - filter = talloc_asprintf(ctx, "(objectSid=%s)", sidstr); + filter = talloc_asprintf(mem_ctx, "(objectSid=%s)", sidstr); SAFE_FREE(sidstr); if (!filter) { @@ -795,18 +893,18 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e, goto done; } - ads_status = ads_search_retry(ads_internal, &msg_internal, filter, attrs); + ads_status = ads_search_retry(ctx->ads, &msg_internal, filter, attrs); if (!ADS_ERR_OK(ads_status)) { nt_status = ads_ntstatus(ads_status); goto done; } - *homedir = ads_pull_string(ads_internal, ctx, msg_internal, ad_schema->posix_homedir_attr); - *shell = ads_pull_string(ads_internal, ctx, msg_internal, ad_schema->posix_shell_attr); - *gecos = ads_pull_string(ads_internal, ctx, msg_internal, ad_schema->posix_gecos_attr); + *homedir = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_homedir_attr); + *shell = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_shell_attr); + *gecos = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_gecos_attr); if (gid) { - if (!ads_pull_uint32(ads_internal, msg_internal, ad_schema->posix_gidnumber_attr, gid)) + if (!ads_pull_uint32(ctx->ads, msg_internal, ctx->ad_schema->posix_gidnumber_attr, gid)) *gid = (uint32)-1; } @@ -814,7 +912,7 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e, done: if (msg_internal) { - ads_msgfree(ads_internal, msg_internal); + ads_msgfree(ctx->ads, msg_internal); } return nt_status; @@ -824,21 +922,22 @@ done: *********************************************************************/ static NTSTATUS nss_ad_map_to_alias(TALLOC_CTX *mem_ctx, - const char *domain, + struct nss_domain_entry *e, const char *name, char **alias) { - ADS_STRUCT *ads_internal = NULL; const char *attrs[] = {NULL, /* attr_uid */ NULL }; char *filter = NULL; LDAPMessage *msg = NULL; ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; + struct idmap_domain *dom; + struct idmap_ad_context *ctx = NULL; /* Check incoming parameters */ - if ( !domain || !name || !*alias) { + if ( !e || !e->domain || !name || !*alias) { nt_status = NT_STATUS_INVALID_PARAMETER; goto done; } @@ -850,14 +949,20 @@ static NTSTATUS nss_ad_map_to_alias(TALLOC_CTX *mem_ctx, goto done; } - ads_internal = ad_idmap_cached_connection(); + dom = talloc_get_type(e->state, struct idmap_domain); + ctx = talloc_get_type(dom->private_data, struct idmap_ad_context); + + ads_status = ad_idmap_cached_connection(dom); + if (!ADS_ERR_OK(ads_status)) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } - if (!ads_internal || !ad_schema) { + if (!ctx->ad_schema) { nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND; goto done; } - attrs[0] = ad_schema->posix_uid_attr; + attrs[0] = ctx->ad_schema->posix_uid_attr; filter = talloc_asprintf(mem_ctx, "(sAMAccountName=%s)", @@ -867,13 +972,13 @@ static NTSTATUS nss_ad_map_to_alias(TALLOC_CTX *mem_ctx, goto done; } - ads_status = ads_search_retry(ads_internal, &msg, filter, attrs); + ads_status = ads_search_retry(ctx->ads, &msg, filter, attrs); if (!ADS_ERR_OK(ads_status)) { nt_status = ads_ntstatus(ads_status); goto done; } - *alias = ads_pull_string(ads_internal, mem_ctx, msg, ad_schema->posix_uid_attr ); + *alias = ads_pull_string(ctx->ads, mem_ctx, msg, ctx->ad_schema->posix_uid_attr); if (!*alias) { return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -886,7 +991,7 @@ done: talloc_destroy(filter); } if (msg) { - ads_msgfree(ads_internal, msg); + ads_msgfree(ctx->ads, msg); } return nt_status; @@ -896,11 +1001,10 @@ done: *********************************************************************/ static NTSTATUS nss_ad_map_from_alias( TALLOC_CTX *mem_ctx, - const char *domain, + struct nss_domain_entry *e, const char *alias, char **name ) { - ADS_STRUCT *ads_internal = NULL; const char *attrs[] = {"sAMAccountName", NULL }; char *filter = NULL; @@ -908,6 +1012,8 @@ static NTSTATUS nss_ad_map_from_alias( TALLOC_CTX *mem_ctx, ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; char *username; + struct idmap_domain *dom; + struct idmap_ad_context *ctx = NULL; /* Check incoming parameters */ @@ -923,29 +1029,35 @@ static NTSTATUS nss_ad_map_from_alias( TALLOC_CTX *mem_ctx, goto done; } - ads_internal = ad_idmap_cached_connection(); + dom = talloc_get_type(e->state, struct idmap_domain); + ctx = talloc_get_type(dom->private_data, struct idmap_ad_context); + + ads_status = ad_idmap_cached_connection(dom); + if (!ADS_ERR_OK(ads_status)) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } - if (!ads_internal || !ad_schema) { + if (!ctx->ad_schema) { nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND; goto done; } filter = talloc_asprintf(mem_ctx, "(%s=%s)", - ad_schema->posix_uid_attr, + ctx->ad_schema->posix_uid_attr, alias); if (!filter) { nt_status = NT_STATUS_NO_MEMORY; goto done; } - ads_status = ads_search_retry(ads_internal, &msg, filter, attrs); + ads_status = ads_search_retry(ctx->ads, &msg, filter, attrs); if (!ADS_ERR_OK(ads_status)) { nt_status = ads_ntstatus(ads_status); goto done; } - username = ads_pull_string(ads_internal, mem_ctx, msg, + username = ads_pull_string(ctx->ads, mem_ctx, msg, "sAMAccountName"); if (!username) { return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -966,7 +1078,7 @@ done: talloc_destroy(filter); } if (msg) { - ads_msgfree(ads_internal, msg); + ads_msgfree(ctx->ads, msg); } return nt_status; diff --git a/source3/winbindd/idmap_adex/idmap_adex.c b/source3/winbindd/idmap_adex/idmap_adex.c index 7596b1cbd8..7e186ca8a1 100644 --- a/source3/winbindd/idmap_adex/idmap_adex.c +++ b/source3/winbindd/idmap_adex/idmap_adex.c @@ -329,9 +329,9 @@ static NTSTATUS _nss_adex_get_info(struct /********************************************************************** *********************************************************************/ -static NTSTATUS _nss_adex_map_to_alias(TALLOC_CTX * mem_ctx, const char - *domain, const char - *name, char **alias) +static NTSTATUS _nss_adex_map_to_alias(TALLOC_CTX * mem_ctx, + struct nss_domain_entry *e, + const char *name, char **alias) { NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; struct likewise_cell *cell = NULL; @@ -344,7 +344,7 @@ static NTSTATUS _nss_adex_map_to_alias(TALLOC_CTX * mem_ctx, const char BAIL_ON_NTSTATUS_ERROR(nt_status); } - nt_status = cell->provider->map_to_alias(mem_ctx, domain, + nt_status = cell->provider->map_to_alias(mem_ctx, e->domain, name, alias); /* go ahead and allow the cache mgr to mark this in @@ -360,9 +360,9 @@ done: /********************************************************************** *********************************************************************/ -static NTSTATUS _nss_adex_map_from_alias(TALLOC_CTX * mem_ctx, const char - *domain, const char - *alias, char **name) +static NTSTATUS _nss_adex_map_from_alias(TALLOC_CTX * mem_ctx, + struct nss_domain_entry *e, + const char *alias, char **name) { NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; struct likewise_cell *cell = NULL; @@ -376,7 +376,7 @@ static NTSTATUS _nss_adex_map_from_alias(TALLOC_CTX * mem_ctx, const char } - nt_status = cell->provider->map_from_alias(mem_ctx, domain, + nt_status = cell->provider->map_from_alias(mem_ctx, e->domain, alias, name); /* go ahead and allow the cache mgr to mark this in diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c index a050f99bc8..7dd94aede0 100644 --- a/source3/winbindd/idmap_hash/idmap_hash.c +++ b/source3/winbindd/idmap_hash/idmap_hash.c @@ -304,14 +304,14 @@ done: *********************************************************************/ static NTSTATUS nss_hash_map_to_alias(TALLOC_CTX *mem_ctx, - const char *domain, + struct nss_domain_entry *e, const char *name, char **alias) { NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; const char *value; - value = talloc_asprintf(mem_ctx, "%s\\%s", domain, name); + value = talloc_asprintf(mem_ctx, "%s\\%s", e->domain, name); BAIL_ON_PTR_NT_ERROR(value, nt_status); nt_status = mapfile_lookup_key(mem_ctx, value, alias); @@ -325,7 +325,7 @@ done: *********************************************************************/ static NTSTATUS nss_hash_map_from_alias(TALLOC_CTX *mem_ctx, - const char *domain, + struct nss_domain_entry *e, const char *alias, char **name) { diff --git a/source3/winbindd/idmap_tdb.c b/source3/winbindd/idmap_tdb.c index f9d3a9fbff..4c8cceb691 100644 --- a/source3/winbindd/idmap_tdb.c +++ b/source3/winbindd/idmap_tdb.c @@ -820,10 +820,11 @@ done: } /********************************** - set a mapping. + set a mapping. **********************************/ -static NTSTATUS idmap_tdb_set_mapping(struct idmap_domain *dom, const struct id_map *map) +static NTSTATUS idmap_tdb_set_mapping(struct idmap_domain *dom, + const struct id_map *map) { struct idmap_tdb_context *ctx; NTSTATUS ret; @@ -839,17 +840,19 @@ static NTSTATUS idmap_tdb_set_mapping(struct idmap_domain *dom, const struct id_ data.dptr = NULL; /* TODO: should we filter a set_mapping using low/high filters ? */ - + ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context); switch (map->xid.type) { case ID_TYPE_UID: - kidstr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id); + kidstr = talloc_asprintf(ctx, "UID %lu", + (unsigned long)map->xid.id); break; - + case ID_TYPE_GID: - kidstr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id); + kidstr = talloc_asprintf(ctx, "GID %lu", + (unsigned long)map->xid.id); break; default: @@ -875,8 +878,13 @@ static NTSTATUS idmap_tdb_set_mapping(struct idmap_domain *dom, const struct id_ ksid = string_term_tdb_data(ksidstr); /* *DELETE* previous mappings if any. - * This is done both SID and [U|G]ID passed in */ - + * This is done for both the SID and [U|G]ID passed in */ + + /* NOTE: We should lock both the ksid and kid records here, before + * making modifications. However, because tdb_chainlock() is a + * blocking call we could create an unrecoverable deadlock, so for now + * we only lock the ksid record. */ + /* Lock the record for this SID. */ if (tdb_chainlock(ctx->tdb, ksid) != 0) { DEBUG(10,("Failed to lock record %s. Error %s\n", @@ -886,7 +894,8 @@ static NTSTATUS idmap_tdb_set_mapping(struct idmap_domain *dom, const struct id_ data = tdb_fetch(ctx->tdb, ksid); if (data.dptr) { - DEBUG(10, ("Deleting existing mapping %s <-> %s\n", (const char *)data.dptr, ksidstr )); + DEBUG(10, ("Deleting existing mapping %s <-> %s\n", + (const char *)data.dptr, ksidstr )); tdb_delete(ctx->tdb, data); tdb_delete(ctx->tdb, ksid); SAFE_FREE(data.dptr); @@ -894,20 +903,23 @@ static NTSTATUS idmap_tdb_set_mapping(struct idmap_domain *dom, const struct id_ data = tdb_fetch(ctx->tdb, kid); if (data.dptr) { - DEBUG(10,("Deleting existing mapping %s <-> %s\n", (const char *)data.dptr, kidstr )); + DEBUG(10,("Deleting existing mapping %s <-> %s\n", + (const char *)data.dptr, kidstr )); tdb_delete(ctx->tdb, data); tdb_delete(ctx->tdb, kid); SAFE_FREE(data.dptr); } if (tdb_store(ctx->tdb, ksid, kid, TDB_INSERT) == -1) { - DEBUG(0, ("Error storing SID -> ID: %s\n", tdb_errorstr(ctx->tdb))); + DEBUG(0, ("Error storing SID -> ID: %s\n", + tdb_errorstr(ctx->tdb))); tdb_chainunlock(ctx->tdb, ksid); ret = NT_STATUS_UNSUCCESSFUL; goto done; } if (tdb_store(ctx->tdb, kid, ksid, TDB_INSERT) == -1) { - DEBUG(0, ("Error stroing ID -> SID: %s\n", tdb_errorstr(ctx->tdb))); + DEBUG(0, ("Error storing ID -> SID: %s\n", + tdb_errorstr(ctx->tdb))); /* try to remove the previous stored SID -> ID map */ tdb_delete(ctx->tdb, ksid); tdb_chainunlock(ctx->tdb, ksid); @@ -927,10 +939,11 @@ done: } /********************************** - remove a mapping. + remove a mapping. **********************************/ -static NTSTATUS idmap_tdb_remove_mapping(struct idmap_domain *dom, const struct id_map *map) +static NTSTATUS idmap_tdb_remove_mapping(struct idmap_domain *dom, + const struct id_map *map) { struct idmap_tdb_context *ctx; NTSTATUS ret; @@ -946,17 +959,19 @@ static NTSTATUS idmap_tdb_remove_mapping(struct idmap_domain *dom, const struct data.dptr = NULL; /* TODO: should we filter a remove_mapping using low/high filters ? */ - + ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context); switch (map->xid.type) { case ID_TYPE_UID: - kidstr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id); + kidstr = talloc_asprintf(ctx, "UID %lu", + (unsigned long)map->xid.id); break; - + case ID_TYPE_GID: - kidstr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id); + kidstr = talloc_asprintf(ctx, "GID %lu", + (unsigned long)map->xid.id); break; default: @@ -981,6 +996,11 @@ static NTSTATUS idmap_tdb_remove_mapping(struct idmap_domain *dom, const struct ksid = string_term_tdb_data(ksidstr); kid = string_term_tdb_data(kidstr); + /* NOTE: We should lock both the ksid and kid records here, before + * making modifications. However, because tdb_chainlock() is a + * blocking call we could create an unrecoverable deadlock, so for now + * we only lock the ksid record. */ + /* Lock the record for this SID. */ if (tdb_chainlock(ctx->tdb, ksid) != 0) { DEBUG(10,("Failed to lock record %s. Error %s\n", @@ -1001,16 +1021,17 @@ static NTSTATUS idmap_tdb_remove_mapping(struct idmap_domain *dom, const struct if ((data.dsize != kid.dsize) || (memcmp(data.dptr, kid.dptr, data.dsize) != 0)) { DEBUG(10,("Specified SID does not map to specified ID\n")); - DEBUGADD(10,("Actual mapping is %s -> %s\n", ksidstr, (const char *)data.dptr)); + DEBUGADD(10,("Actual mapping is %s -> %s\n", ksidstr, + (const char *)data.dptr)); tdb_chainunlock(ctx->tdb, ksid); ret = NT_STATUS_NONE_MAPPED; goto done; } - + DEBUG(10, ("Removing %s <-> %s map\n", ksidstr, kidstr)); /* Delete previous mappings. */ - + DEBUG(10, ("Deleting existing mapping %s -> %s\n", ksidstr, kidstr )); tdb_delete(ctx->tdb, ksid); diff --git a/source3/winbindd/idmap_util.c b/source3/winbindd/idmap_util.c index 9f876618be..9abf425f3e 100644 --- a/source3/winbindd/idmap_util.c +++ b/source3/winbindd/idmap_util.c @@ -33,7 +33,8 @@ NTSTATUS idmap_uid_to_sid(const char *domname, DOM_SID *sid, uid_t uid) struct id_map map; bool expired; - DEBUG(10,("uid = [%lu]\n", (unsigned long)uid)); + DEBUG(10,("idmap_uid_to_sid: uid = [%lu], domain = '%s'\n", + (unsigned long)uid, domname?domname:"NULL")); if (idmap_cache_find_uid2sid(uid, sid, &expired)) { DEBUG(10, ("idmap_cache_find_uid2sid found %d%s\n", uid, @@ -85,7 +86,8 @@ NTSTATUS idmap_gid_to_sid(const char *domname, DOM_SID *sid, gid_t gid) struct id_map map; bool expired; - DEBUG(10,("gid = [%lu]\n", (unsigned long)gid)); + DEBUG(10,("idmap_gid_to_si: gid = [%lu], domain = '%s'\n", + (unsigned long)gid, domname?domname:"NULL")); if (idmap_cache_find_gid2sid(gid, sid, &expired)) { DEBUG(10, ("idmap_cache_find_gid2sid found %d%s\n", gid, @@ -137,7 +139,8 @@ NTSTATUS idmap_sid_to_uid(const char *dom_name, DOM_SID *sid, uid_t *uid) struct id_map map; bool expired; - DEBUG(10,("idmap_sid_to_uid: sid = [%s]\n", sid_string_dbg(sid))); + DEBUG(10,("idmap_sid_to_uid: sid = [%s], domain = '%s'\n", + sid_string_dbg(sid), dom_name)); if (idmap_cache_find_sid2uid(sid, uid, &expired)) { DEBUG(10, ("idmap_cache_find_sid2uid found %d%s\n", @@ -209,7 +212,8 @@ NTSTATUS idmap_sid_to_gid(const char *domname, DOM_SID *sid, gid_t *gid) struct id_map map; bool expired; - DEBUG(10,("idmap_sid_to_gid: sid = [%s]\n", sid_string_dbg(sid))); + DEBUG(10,("idmap_sid_to_gid: sid = [%s], domain = '%s'\n", + sid_string_dbg(sid), domname)); if (idmap_cache_find_sid2gid(sid, gid, &expired)) { DEBUG(10, ("idmap_cache_find_sid2gid found %d%s\n", diff --git a/source3/winbindd/nss_info.c b/source3/winbindd/nss_info.c index 0e8cb60257..734c009602 100644 --- a/source3/winbindd/nss_info.c +++ b/source3/winbindd/nss_info.c @@ -1,19 +1,20 @@ -/* +/* Unix SMB/CIFS implementation. Idmap NSS headers Copyright (C) Gerald Carter 2006 + Copyright (C) Michael Adam 2008 This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. - + You should have received a copy of the GNU Lesser General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -22,6 +23,7 @@ #include "nss_info.h" static struct nss_function_entry *backends = NULL; +static struct nss_function_entry *default_backend = NULL; static struct nss_domain_entry *nss_domain_list = NULL; /********************************************************************** @@ -48,14 +50,14 @@ static struct nss_function_entry *nss_get_backend(const char *name ) { struct nss_function_entry *entry; - if ((version != SMB_NSS_INFO_INTERFACE_VERSION)) { + if ((version != SMB_NSS_INFO_INTERFACE_VERSION)) { DEBUG(0, ("smb_register_idmap_nss: Failed to register idmap_nss module.\n" - "The module was compiled against SMB_NSS_INFO_INTERFACE_VERSION %d,\n" - "current SMB_NSS_INFO_INTERFACE_VERSION is %d.\n" - "Please recompile against the current version of samba!\n", + "The module was compiled against SMB_NSS_INFO_INTERFACE_VERSION %d,\n" + "current SMB_NSS_INFO_INTERFACE_VERSION is %d.\n" + "Please recompile against the current version of samba!\n", version, SMB_NSS_INFO_INTERFACE_VERSION)); return NT_STATUS_OBJECT_TYPE_MISMATCH; - } + } if (!name || !name[0] || !methods) { DEBUG(0,("smb_register_idmap_nss: called with NULL pointer or empty name!\n")); @@ -89,12 +91,12 @@ static bool parse_nss_parm( const char *config, char **backend, char **domain ) int len; *backend = *domain = NULL; - + if ( !config ) return False; - + p = strchr( config, ':' ); - + /* if no : then the string must be the backend name only */ if ( !p ) { @@ -107,13 +109,13 @@ static bool parse_nss_parm( const char *config, char **backend, char **domain ) if ( strlen(p+1) > 0 ) { *domain = SMB_STRDUP( p+1 ); } - + len = PTR_DIFF(p,config)+1; if ( (q = SMB_MALLOC_ARRAY( char, len )) == NULL ) { SAFE_FREE( *backend ); return False; } - + StrnCpy( q, config, len-1); q[len-1] = '\0'; *backend = q; @@ -121,8 +123,44 @@ static bool parse_nss_parm( const char *config, char **backend, char **domain ) return True; } +static NTSTATUS nss_domain_list_add_domain(const char *domain, + struct nss_function_entry *nss_backend) +{ + struct nss_domain_entry *nss_domain; + + nss_domain = TALLOC_ZERO_P(nss_domain_list, struct nss_domain_entry); + if (!nss_domain) { + DEBUG(0, ("nss_domain_list_add_domain: talloc() failure!\n")); + return NT_STATUS_NO_MEMORY; + } + + nss_domain->backend = nss_backend; + if (domain) { + nss_domain->domain = talloc_strdup(nss_domain, domain); + if (!nss_domain->domain) { + DEBUG(0, ("nss_domain_list_add_domain: talloc() " + "failure!\n")); + TALLOC_FREE(nss_domain); + return NT_STATUS_NO_MEMORY; + } + } + + nss_domain->init_status = nss_domain->backend->methods->init(nss_domain); + if (!NT_STATUS_IS_OK(nss_domain->init_status)) { + DEBUG(0, ("nss_init: Failed to init backend '%s' for domain " + "'%s'!\n", nss_backend->name, nss_domain->domain)); + } + + DLIST_ADD(nss_domain_list, nss_domain); + + DEBUG(10, ("Added domain '%s' with backend '%s' to nss_domain_list.\n", + domain, nss_backend->name)); + + return NT_STATUS_OK; +} + /******************************************************************** - Each nss backend must not store global state, but rather be able + Each nss backend must not store global state, but rather be able to initialize the state on a per domain basis. *******************************************************************/ @@ -133,18 +171,17 @@ static bool parse_nss_parm( const char *config, char **backend, char **domain ) int i; char *backend, *domain; struct nss_function_entry *nss_backend; - struct nss_domain_entry *nss_domain; /* check for previous successful initializations */ if ( NT_STATUS_IS_OK(nss_initialized) ) return NT_STATUS_OK; - + /* The "template" backend should alqays be registered as it is a static module */ if ( (nss_backend = nss_get_backend( "template" )) == NULL ) { - static_init_nss_info; + static_init_nss_info; } /* Create the list of nss_domains (loading any shared plugins @@ -152,12 +189,15 @@ static bool parse_nss_parm( const char *config, char **backend, char **domain ) for ( i=0; nss_list && nss_list[i]; i++ ) { - if ( !parse_nss_parm(nss_list[i], &backend, &domain) ) { + if ( !parse_nss_parm(nss_list[i], &backend, &domain) ) { DEBUG(0,("nss_init: failed to parse \"%s\"!\n", nss_list[i])); - continue; + continue; } + DEBUG(10, ("parsed backend = '%s', domain = '%s'\n", + backend, domain)); + /* validate the backend */ if ( (nss_backend = nss_get_backend( backend )) == NULL ) { @@ -166,41 +206,34 @@ static bool parse_nss_parm( const char *config, char **backend, char **domain ) if ( !NT_STATUS_IS_OK(status) ) { continue; } - + /* try again */ if ( (nss_backend = nss_get_backend( backend )) == NULL ) { DEBUG(0,("nss_init: unregistered backend %s!. Skipping\n", backend)); continue; } - } - /* fill in the nss_domain_entry and add it to the - list of domains */ - - nss_domain = TALLOC_ZERO_P( nss_domain_list, struct nss_domain_entry ); - if ( !nss_domain ) { - DEBUG(0,("nss_init: talloc() failure!\n")); - return NT_STATUS_NO_MEMORY; + /* + * The first config item of the list without an explicit domain + * is treated as the default nss info backend. + */ + if ((domain == NULL) && (default_backend == NULL)) { + DEBUG(10, ("nss_init: using '%s' as default backend.\n", + backend)); + default_backend = nss_backend; } - - nss_domain->backend = nss_backend; - nss_domain->domain = talloc_strdup( nss_domain, domain ); - /* Try to init and ave the result */ - - nss_domain->init_status = nss_domain->backend->methods->init( nss_domain ); - DLIST_ADD( nss_domain_list, nss_domain ); - if ( !NT_STATUS_IS_OK(nss_domain->init_status) ) { - DEBUG(0,("nss_init: Failed to init backend for %s domain!\n", - nss_domain->domain)); + status = nss_domain_list_add_domain(domain, nss_backend); + if (!NT_STATUS_IS_OK(status)) { + return status; } /* cleanup */ SAFE_FREE( backend ); - SAFE_FREE( domain ); + SAFE_FREE( domain ); } if ( !nss_domain_list ) { @@ -210,10 +243,9 @@ static bool parse_nss_parm( const char *config, char **backend, char **domain ) /* we shouild default to use template here */ } - - + nss_initialized = NT_STATUS_OK; - + return NT_STATUS_OK; } @@ -222,7 +254,7 @@ static bool parse_nss_parm( const char *config, char **backend, char **domain ) static struct nss_domain_entry *find_nss_domain( const char *domain ) { - NTSTATUS status; + NTSTATUS status; struct nss_domain_entry *p; status = nss_init( lp_winbind_nss_info() ); @@ -231,20 +263,30 @@ static struct nss_domain_entry *find_nss_domain( const char *domain ) nt_errstr(status))); return NULL; } - + for ( p=nss_domain_list; p; p=p->next ) { if ( strequal( p->domain, domain ) ) break; } - - /* If we didn't find a match, then use the default nss info */ + + /* If we didn't find a match, then use the default nss backend */ if ( !p ) { - if ( !nss_domain_list ) { + if (!default_backend) { + return NULL; + } + + status = nss_domain_list_add_domain(domain, default_backend); + if (!NT_STATUS_IS_OK(status)) { return NULL; } - - p = nss_domain_list; + + /* + * HACK ALERT: + * Here, we use the fact that the new domain was added at + * the beginning of the list... + */ + p = nss_domain_list; } if ( !NT_STATUS_IS_OK( p->init_status ) ) { @@ -266,15 +308,18 @@ static struct nss_domain_entry *find_nss_domain( const char *domain ) struct nss_domain_entry *p; struct nss_info_methods *m; + DEBUG(10, ("nss_get_info called for sid [%s] in domain '%s'\n", + sid_string_dbg(user_sid), domain?domain:"NULL")); + if ( (p = find_nss_domain( domain )) == NULL ) { DEBUG(4,("nss_get_info: Failed to find nss domain pointer for %s\n", domain )); return NT_STATUS_NOT_FOUND; } - + m = p->backend->methods; - return m->get_nss_info( p, user_sid, ctx, ads, msg, + return m->get_nss_info( p, user_sid, ctx, ads, msg, homedir, shell, gecos, p_gid ); } @@ -295,7 +340,7 @@ static struct nss_domain_entry *find_nss_domain( const char *domain ) m = p->backend->methods; - return m->map_to_alias( mem_ctx, domain, name, alias ); + return m->map_to_alias(mem_ctx, p, name, alias); } @@ -316,7 +361,7 @@ static struct nss_domain_entry *find_nss_domain( const char *domain ) m = p->backend->methods; - return m->map_from_alias( mem_ctx, domain, alias, name ); + return m->map_from_alias( mem_ctx, p, alias, name ); } /******************************************************************** diff --git a/source3/winbindd/nss_info_template.c b/source3/winbindd/nss_info_template.c index d8f903ddd0..f44c73f3a6 100644 --- a/source3/winbindd/nss_info_template.c +++ b/source3/winbindd/nss_info_template.c @@ -62,7 +62,7 @@ static NTSTATUS nss_template_get_info( struct nss_domain_entry *e, *********************************************************************/ static NTSTATUS nss_template_map_to_alias( TALLOC_CTX *mem_ctx, - const char *domain, + struct nss_domain_entry *e, const char *name, char **alias ) { @@ -73,7 +73,7 @@ static NTSTATUS nss_template_map_to_alias( TALLOC_CTX *mem_ctx, *********************************************************************/ static NTSTATUS nss_template_map_from_alias( TALLOC_CTX *mem_ctx, - const char *domain, + struct nss_domain_entry *e, const char *alias, char **name ) { diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index ce1a1fe52f..82af55800f 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -343,6 +343,7 @@ static struct winbindd_dispatch_table { { WINBINDD_ALLOCATE_UID, winbindd_allocate_uid, "ALLOCATE_UID" }, { WINBINDD_ALLOCATE_GID, winbindd_allocate_gid, "ALLOCATE_GID" }, { WINBINDD_SET_MAPPING, winbindd_set_mapping, "SET_MAPPING" }, + { WINBINDD_REMOVE_MAPPING, winbindd_remove_mapping, "REMOVE_MAPPING" }, { WINBINDD_SET_HWM, winbindd_set_hwm, "SET_HWMS" }, /* Miscellaneous */ @@ -367,7 +368,7 @@ static struct winbindd_dispatch_table { { WINBINDD_WINS_BYNAME, winbindd_wins_byname, "WINS_BYNAME" }, { WINBINDD_WINS_BYIP, winbindd_wins_byip, "WINS_BYIP" }, - + /* End of list */ { WINBINDD_NUM_CMDS, NULL, "NONE" } diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index 1febddf110..5c7d491849 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c @@ -401,6 +401,47 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain, return NT_STATUS_OK; } +/* convert a single name to a sid in a domain - use rpc methods */ +static NTSTATUS name_to_sid(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + enum winbindd_cmd orig_cmd, + const char *domain_name, + const char *name, + DOM_SID *sid, + enum lsa_SidType *type) +{ + return reconnect_methods.name_to_sid(domain, mem_ctx, orig_cmd, + domain_name, name, + sid, type); +} + +/* convert a domain SID to a user or group name - use rpc methods */ +static NTSTATUS sid_to_name(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const DOM_SID *sid, + char **domain_name, + char **name, + enum lsa_SidType *type) +{ + return reconnect_methods.sid_to_name(domain, mem_ctx, sid, + domain_name, name, type); +} + +/* convert a list of rids to names - use rpc methods */ +static NTSTATUS rids_to_names(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const DOM_SID *sid, + uint32 *rids, + size_t num_rids, + char **domain_name, + char ***names, + enum lsa_SidType **types) +{ + return reconnect_methods.rids_to_names(domain, mem_ctx, sid, + rids, num_rids, + domain_name, names, types); +} + /* If you are looking for "dn_lookup": Yes, it used to be here! * It has gone now since it was a major speed bottleneck in * lookup_groupmem (its only use). It has been replaced by @@ -641,9 +682,10 @@ done: tokenGroups are not available. */ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, - const char *user_dn, + const char *user_dn, DOM_SID *primary_group, - size_t *p_num_groups, DOM_SID **user_sids) + size_t *p_num_groups, + DOM_SID **user_sids) { ADS_STATUS rc; NTSTATUS status = NT_STATUS_UNSUCCESSFUL; @@ -652,15 +694,15 @@ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain, size_t num_groups = 0; DOM_SID *group_sids = NULL; int i; - char **strings; - size_t num_strings = 0; + char **strings = NULL; + size_t num_strings = 0, num_sids = 0; DEBUG(3,("ads: lookup_usergroups_memberof\n")); if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("lookup_usergroups_memberof: No incoming trust for domain %s\n", - domain->name)); + DEBUG(10,("lookup_usergroups_memberof: No incoming trust for " + "domain %s\n", domain->name)); return NT_STATUS_OK; } @@ -668,19 +710,19 @@ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain, if (!ads) { domain->last_status = NT_STATUS_SERVER_DISABLED; - goto done; + return NT_STATUS_UNSUCCESSFUL; } - rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs, - ADS_EXTENDED_DN_HEX_STRING, + rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs, + ADS_EXTENDED_DN_HEX_STRING, &strings, &num_strings); if (!ADS_ERR_OK(rc)) { - DEBUG(1,("lookup_usergroups_memberof ads_search member=%s: %s\n", - user_dn, ads_errstr(rc))); + DEBUG(1,("lookup_usergroups_memberof ads_search " + "member=%s: %s\n", user_dn, ads_errstr(rc))); return ads_ntstatus(rc); } - + *user_sids = NULL; num_groups = 0; @@ -693,21 +735,26 @@ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain, group_sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_strings + 1); if (!group_sids) { - TALLOC_FREE(strings); status = NT_STATUS_NO_MEMORY; goto done; } for (i=0; i<num_strings; i++) { - - if (!ads_get_sid_from_extended_dn(mem_ctx, strings[i], - ADS_EXTENDED_DN_HEX_STRING, - &(group_sids)[i])) { - TALLOC_FREE(group_sids); - TALLOC_FREE(strings); - status = NT_STATUS_NO_MEMORY; - goto done; + rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i], + ADS_EXTENDED_DN_HEX_STRING, + &(group_sids)[i]); + if (!ADS_ERR_OK(rc)) { + /* ignore members without SIDs */ + if (NT_STATUS_EQUAL(ads_ntstatus(rc), + NT_STATUS_NOT_FOUND)) { + continue; + } + else { + status = ads_ntstatus(rc); + goto done; + } } + num_sids++; } if (i == 0) { @@ -716,7 +763,7 @@ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain, goto done; } - for (i=0; i<num_strings; i++) { + for (i=0; i<num_sids; i++) { /* ignore Builtin groups from ADS - Guenther */ if (sid_check_is_in_builtin(&group_sids[i])) { @@ -728,14 +775,17 @@ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain, if (!NT_STATUS_IS_OK(status)) { goto done; } - + } *p_num_groups = num_groups; status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; - DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n", user_dn)); + DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n", + user_dn)); + done: + TALLOC_FREE(strings); TALLOC_FREE(group_sids); return status; @@ -894,13 +944,25 @@ done: return status; } +/* Lookup aliases a user is member of - use rpc methods */ +static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 num_sids, const DOM_SID *sids, + uint32 *num_aliases, uint32 **alias_rids) +{ + return reconnect_methods.lookup_useraliases(domain, mem_ctx, + num_sids, sids, + num_aliases, + alias_rids); +} + /* find the members of a group, given a group rid and domain */ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, - const DOM_SID *group_sid, uint32 *num_names, - DOM_SID **sid_mem, char ***names, + const DOM_SID *group_sid, uint32 *num_names, + DOM_SID **sid_mem, char ***names, uint32 **name_types) { ADS_STATUS rc; @@ -921,7 +983,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, uint32 num_nocache = 0; TALLOC_CTX *tmp_ctx = NULL; - DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name, + DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name, sid_string_dbg(group_sid))); *num_names = 0; @@ -935,12 +997,12 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, if ( !winbindd_can_contact_domain( domain ) ) { DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n", - domain->name)); + domain->name)); return NT_STATUS_OK; } ads = ads_cached_connection(domain); - + if (!ads) { domain->last_status = NT_STATUS_SERVER_DISABLED; goto done; @@ -952,8 +1014,8 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, } /* search for all members of the group */ - if (!(ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", - sidbinstr))) + if (!(ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", + sidbinstr))) { SAFE_FREE(sidbinstr); DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n")); @@ -966,21 +1028,21 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, args.val = ADS_EXTENDED_DN_HEX_STRING; args.critical = True; - rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path, + rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path, ldap_exp, &args, "member", &members, &num_members); if (!ADS_ERR_OK(rc)) { DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc))); status = NT_STATUS_UNSUCCESSFUL; goto done; - } - + } + DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); - + /* Now that we have a list of sids, we need to get the * lists of names and name_types belonging to these sids. - * even though conceptually not quite clean, we use the - * RPC call lsa_lookup_sids for this since it can handle a + * even though conceptually not quite clean, we use the + * RPC call lsa_lookup_sids for this since it can handle a * list of sids. ldap calls can just resolve one sid at a time. * * At this stage, the sids are still hidden in the exetended dn @@ -988,7 +1050,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, * stated above: In extracting the sids from the member strings, * we try to resolve as many sids as possible from the * cache. Only the rest is passed to the lsa_lookup_sids call. */ - + if (num_members) { (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members); (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members); @@ -1015,11 +1077,23 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, char *name, *domain_name; DOM_SID sid; - if (!ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val, &sid)) { - status = NT_STATUS_INVALID_PARAMETER; - goto done; + rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val, + &sid); + if (!ADS_ERR_OK(rc)) { + if (NT_STATUS_EQUAL(ads_ntstatus(rc), + NT_STATUS_NOT_FOUND)) { + /* Group members can be objects, like Exchange + * Public Folders, that don't have a SID. Skip + * them. */ + continue; + } + else { + status = ads_ntstatus(rc); + goto done; + } } - if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name, &name_type)) { + if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name, + &name_type)) { DEBUG(10,("ads: lookup_groupmem: got sid %s from " "cache\n", sid_string_dbg(&sid))); sid_copy(&(*sid_mem)[*num_names], &sid); @@ -1052,23 +1126,46 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, goto done; } - status = rpccli_lsa_lookup_sids(cli, tmp_ctx, + status = rpccli_lsa_lookup_sids(cli, tmp_ctx, &lsa_policy, - num_nocache, - sid_mem_nocache, - &domains_nocache, - &names_nocache, + num_nocache, + sid_mem_nocache, + &domains_nocache, + &names_nocache, &name_types_nocache); + if (!(NT_STATUS_IS_OK(status) || + NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) || + NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED))) + { + DEBUG(1, ("lsa_lookupsids call failed with %s " + "- retrying...\n", nt_errstr(status))); + + status = cm_connect_lsa(domain, tmp_ctx, &cli, + &lsa_policy); + + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + + status = rpccli_lsa_lookup_sids(cli, tmp_ctx, + &lsa_policy, + num_nocache, + sid_mem_nocache, + &domains_nocache, + &names_nocache, + &name_types_nocache); + } + if (NT_STATUS_IS_OK(status) || - NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) + NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) { - /* Copy the entries over from the "_nocache" arrays - * to the result arrays, skipping the gaps the + /* Copy the entries over from the "_nocache" arrays + * to the result arrays, skipping the gaps the * lookup_sids call left. */ for (i=0; i < num_nocache; i++) { - if (((names_nocache)[i] != NULL) && - ((name_types_nocache)[i] != SID_NAME_UNKNOWN)) + if (((names_nocache)[i] != NULL) && + ((name_types_nocache)[i] != SID_NAME_UNKNOWN)) { sid_copy(&(*sid_mem)[*num_names], &sid_mem_nocache[i]); @@ -1150,6 +1247,22 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) return ads_ntstatus(rc); } +/* find the lockout policy of a domain - use rpc methods */ +static NTSTATUS lockout_policy(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct samr_DomInfo12 *policy) +{ + return reconnect_methods.lockout_policy(domain, mem_ctx, policy); +} + +/* find the password policy of a domain - use rpc methods */ +static NTSTATUS password_policy(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct samr_DomInfo1 *policy) +{ + return reconnect_methods.password_policy(domain, mem_ctx, policy); +} + /* get a list of trusted domains */ static NTSTATUS trusted_domains(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, @@ -1340,16 +1453,16 @@ struct winbindd_methods ads_methods = { query_user_list, enum_dom_groups, enum_local_groups, - msrpc_name_to_sid, - msrpc_sid_to_name, - msrpc_rids_to_names, + name_to_sid, + sid_to_name, + rids_to_names, query_user, lookup_usergroups, - msrpc_lookup_useraliases, + lookup_useraliases, lookup_groupmem, sequence_number, - msrpc_lockout_policy, - msrpc_password_policy, + lockout_policy, + password_policy, trusted_domains, }; diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index 360e915bc4..2f4a6ffe56 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -4222,7 +4222,14 @@ do_query: nt_status = nss_get_info( domain->name, user_sid, ctx, ads, msg, homedir, shell, gecos, p_gid ); + DEBUG(10, ("nss_get_info returned %s\n", nt_errstr(nt_status))); + if ( NT_STATUS_IS_OK(nt_status) ) { + DEBUG(10, ("result:\n\thomedir = '%s'\n", *homedir)); + DEBUGADD(10, ("\tshell = '%s'\n", *shell)); + DEBUGADD(10, ("\tgecos = '%s'\n", *gecos)); + DEBUGADD(10, ("\tgid = '%u'\n", *p_gid)); + wcache_save_user_pwinfo( domain, nt_status, user_sid, *homedir, *shell, *gecos, *p_gid ); } diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index 03d1e043bf..9153585c26 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c @@ -1279,6 +1279,7 @@ static bool fork_domain_child(struct winbindd_child *child) } if (child->domain && child->domain->primary && + !lp_use_kerberos_keytab() && lp_server_role() == ROLE_DOMAIN_MEMBER) { struct timeval next_change; diff --git a/source3/winbindd/winbindd_group.c b/source3/winbindd/winbindd_group.c index 8e56138bb5..3422fdba1c 100644 --- a/source3/winbindd/winbindd_group.c +++ b/source3/winbindd/winbindd_group.c @@ -585,7 +585,7 @@ static bool fill_grent_mem(struct winbindd_domain *domain, } /* Real work goes here. Create a list of group names to - expand startign with the initial one. Pass that to + expand starting with the initial one. Pass that to expand_groups() which returns a list of more group names to expand. Do this up to the max search depth. */ @@ -922,7 +922,7 @@ static void getgrsid_lookupsid_recv( void *private_data, bool success, nt_status = normalize_name_unmap(s->state->mem_ctx, raw_name, &mapped_name); - /* basiuc whitespace reversal */ + /* basic whitespace reversal */ if (NT_STATUS_IS_OK(nt_status)) { s->group_name = talloc_asprintf(s->state->mem_ctx, "%s%c%s", diff --git a/source3/winbindd/winbindd_idmap.c b/source3/winbindd/winbindd_idmap.c index d8c67dc21c..94a8c78a85 100644 --- a/source3/winbindd/winbindd_idmap.c +++ b/source3/winbindd/winbindd_idmap.c @@ -111,6 +111,65 @@ enum winbindd_result winbindd_dual_set_mapping(struct winbindd_domain *domain, return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } +static void winbindd_remove_mapping_recv(TALLOC_CTX *mem_ctx, bool success, + struct winbindd_response *response, + void *c, void *private_data) +{ + void (*cont)(void *priv, bool succ) = (void (*)(void *, bool))c; + + if (!success) { + DEBUG(5, ("Could not trigger idmap_remove_mapping\n")); + cont(private_data, False); + return; + } + + if (response->result != WINBINDD_OK) { + DEBUG(5, ("idmap_remove_mapping returned an error\n")); + cont(private_data, False); + return; + } + + cont(private_data, True); +} + +void winbindd_remove_mapping_async(TALLOC_CTX *mem_ctx, + const struct id_map *map, + void (*cont)(void *private_data, bool success), + void *private_data) +{ + struct winbindd_request request; + ZERO_STRUCT(request); + request.cmd = WINBINDD_DUAL_REMOVE_MAPPING; + request.data.dual_idmapset.id = map->xid.id; + request.data.dual_idmapset.type = map->xid.type; + sid_to_fstring(request.data.dual_idmapset.sid, map->sid); + + do_async(mem_ctx, idmap_child(), &request, winbindd_remove_mapping_recv, + (void *)cont, private_data); +} + +enum winbindd_result winbindd_dual_remove_mapping( + struct winbindd_domain *domain, + struct winbindd_cli_state *state) +{ + struct id_map map; + DOM_SID sid; + NTSTATUS result; + + DEBUG(3, ("[%5lu]: dual_idmapremove\n", (unsigned long)state->pid)); + + if (!string_to_sid(&sid, state->request.data.dual_idmapset.sid)) + return WINBINDD_ERROR; + + map.sid = &sid; + map.xid.id = state->request.data.dual_idmapset.id; + map.xid.type = state->request.data.dual_idmapset.type; + map.status = ID_MAPPED; + + result = idmap_remove_mapping(&map); + return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; +} + static void winbindd_set_hwm_recv(TALLOC_CTX *mem_ctx, bool success, struct winbindd_response *response, void *c, void *private_data) @@ -486,6 +545,10 @@ static const struct winbindd_child_dispatch_table idmap_dispatch_table[] = { .struct_cmd = WINBINDD_DUAL_SET_MAPPING, .struct_fn = winbindd_dual_set_mapping, },{ + .name = "DUAL_REMOVE_MAPPING", + .struct_cmd = WINBINDD_DUAL_REMOVE_MAPPING, + .struct_fn = winbindd_dual_remove_mapping, + },{ .name = "DUAL_SET_HWMS", .struct_cmd = WINBINDD_DUAL_SET_HWM, .struct_fn = winbindd_dual_set_hwm, diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 9ff3899661..597d48aad0 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -1854,17 +1854,28 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp) || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) { - DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n", - state->request.data.auth_crap.lm_resp_len, - state->request.data.auth_crap.nt_resp_len)); - result = NT_STATUS_INVALID_PARAMETER; - goto done; + if (!state->request.flags & WBFLAG_BIG_NTLMV2_BLOB || + state->request.extra_len != state->request.data.auth_crap.nt_resp_len) { + DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n", + state->request.data.auth_crap.lm_resp_len, + state->request.data.auth_crap.nt_resp_len)); + result = NT_STATUS_INVALID_PARAMETER; + goto done; + } } lm_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len); - nt_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.nt_resp, - state->request.data.auth_crap.nt_resp_len); + + if (state->request.flags & WBFLAG_BIG_NTLMV2_BLOB) { + nt_resp = data_blob_talloc(state->mem_ctx, + state->request.extra_data.data, + state->request.data.auth_crap.nt_resp_len); + } else { + nt_resp = data_blob_talloc(state->mem_ctx, + state->request.data.auth_crap.nt_resp, + state->request.data.auth_crap.nt_resp_len); + } /* what domain should we contact? */ @@ -2106,9 +2117,15 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact got_info = true; } + /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will + * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just + * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too + * short to comply with the samr_ChangePasswordUser3 idl - gd */ + /* only fallback when the chgpasswd_user3 call is not supported */ if ((NT_STATUS_EQUAL(result, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR))) || (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) || + (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)) || (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED))) { DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n", diff --git a/source3/winbindd/winbindd_passdb.c b/source3/winbindd/winbindd_passdb.c index 5677c01be1..101854ae94 100644 --- a/source3/winbindd/winbindd_passdb.c +++ b/source3/winbindd/winbindd_passdb.c @@ -267,6 +267,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, } if ( !pdb_getsampwsid( user, user_sid ) ) { + TALLOC_FREE( user ); return NT_STATUS_NO_SUCH_USER; } @@ -638,13 +639,13 @@ static NTSTATUS sam_lookup_groupmem(struct winbindd_domain *domain, sid_type_lookup(lsa_names[i].type))); continue; } - if (!((*names)[i] = talloc_strdup((*names), + if (!((*names)[num_mapped] = talloc_strdup((*names), lsa_names[i].name))) { TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; } - (*name_types)[i] = lsa_names[i].type; + (*name_types)[num_mapped] = lsa_names[i].type; num_mapped += 1; } diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 65ad47dd03..9de385e3b3 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -353,6 +353,11 @@ void winbindd_set_mapping_async(TALLOC_CTX *mem_ctx, const struct id_map *map, void *private_data); enum winbindd_result winbindd_dual_set_mapping(struct winbindd_domain *domain, struct winbindd_cli_state *state); +void winbindd_remove_mapping_async(TALLOC_CTX *mem_ctx, const struct id_map *map, + void (*cont)(void *private_data, bool success), + void *private_data); +enum winbindd_result winbindd_dual_remove_mapping(struct winbindd_domain *domain, + struct winbindd_cli_state *state); void winbindd_set_hwm_async(TALLOC_CTX *mem_ctx, const struct unixid *xid, void (*cont)(void *private_data, bool success), void *private_data); @@ -462,40 +467,6 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai /* The following definitions come from winbindd/winbindd_reconnect.c */ -/* The following definitions come from winbindd/winbindd_rpc.c */ - -NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - enum winbindd_cmd original_cmd, - const char *domain_name, - const char *name, - DOM_SID *sid, - enum lsa_SidType *type); -NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - char **domain_name, - char **name, - enum lsa_SidType *type); -NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - uint32 *rids, - size_t num_rids, - char **domain_name, - char ***names, - enum lsa_SidType **types); -NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 num_sids, const DOM_SID *sids, - uint32 *num_aliases, uint32 **alias_rids); -NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - struct samr_DomInfo12 *lockout_policy); -NTSTATUS msrpc_password_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - struct samr_DomInfo1 *password_policy); - /* The following definitions come from winbindd/winbindd_sid.c */ void winbindd_lookupsid(struct winbindd_cli_state *state); @@ -505,6 +476,7 @@ void winbindd_sid_to_uid(struct winbindd_cli_state *state); void winbindd_sid_to_gid(struct winbindd_cli_state *state); void winbindd_sids_to_unixids(struct winbindd_cli_state *state); void winbindd_set_mapping(struct winbindd_cli_state *state); +void winbindd_remove_mapping(struct winbindd_cli_state *state); void winbindd_set_hwm(struct winbindd_cli_state *state); void winbindd_uid_to_sid(struct winbindd_cli_state *state); void winbindd_gid_to_sid(struct winbindd_cli_state *state); diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index d966e50159..0070bde2cc 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c @@ -265,13 +265,13 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain, } /* convert a single name to a sid in a domain */ -NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - enum winbindd_cmd original_cmd, - const char *domain_name, - const char *name, - DOM_SID *sid, - enum lsa_SidType *type) +static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + enum winbindd_cmd original_cmd, + const char *domain_name, + const char *name, + DOM_SID *sid, + enum lsa_SidType *type) { NTSTATUS result; DOM_SID *sids = NULL; @@ -331,12 +331,12 @@ NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain, /* convert a domain SID to a user or group name */ -NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - char **domain_name, - char **name, - enum lsa_SidType *type) +static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const DOM_SID *sid, + char **domain_name, + char **name, + enum lsa_SidType *type) { char **domains; char **names; @@ -384,14 +384,14 @@ NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain, return NT_STATUS_OK; } -NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - uint32 *rids, - size_t num_rids, - char **domain_name, - char ***names, - enum lsa_SidType **types) +static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const DOM_SID *sid, + uint32 *rids, + size_t num_rids, + char **domain_name, + char ***names, + enum lsa_SidType **types) { char **domains; NTSTATUS result; @@ -636,10 +636,13 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, return NT_STATUS_OK; } -NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 num_sids, const DOM_SID *sids, - uint32 *num_aliases, uint32 **alias_rids) +#define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */ + +static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 num_sids, const DOM_SID *sids, + uint32 *num_aliases, + uint32 **alias_rids) { NTSTATUS result = NT_STATUS_UNSUCCESSFUL; POLICY_HND dom_pol; @@ -1102,9 +1105,9 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, } /* find the lockout policy for a domain */ -NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - struct samr_DomInfo12 *lockout_policy) +static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct samr_DomInfo12 *lockout_policy) { NTSTATUS result; struct rpc_pipe_client *cli; @@ -1143,9 +1146,9 @@ NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain, } /* find the password policy for a domain */ -NTSTATUS msrpc_password_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - struct samr_DomInfo1 *password_policy) +static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct samr_DomInfo1 *password_policy) { NTSTATUS result; struct rpc_pipe_client *cli; diff --git a/source3/winbindd/winbindd_sid.c b/source3/winbindd/winbindd_sid.c index 274786fa63..641b18ebbd 100644 --- a/source3/winbindd/winbindd_sid.c +++ b/source3/winbindd/winbindd_sid.c @@ -370,7 +370,8 @@ void winbindd_sid_to_gid(struct winbindd_cli_state *state) range from random SIDs. */ backend: - winbindd_lookupsid_async( state->mem_ctx, &sid, sid2gid_lookupsid_recv, state ); + winbindd_lookupsid_async( state->mem_ctx, &sid, sid2gid_lookupsid_recv, + state ); } static void set_mapping_recv(void *private_data, bool success) @@ -415,6 +416,48 @@ void winbindd_set_mapping(struct winbindd_cli_state *state) set_mapping_recv, state); } +static void remove_mapping_recv(void *private_data, bool success) +{ + struct winbindd_cli_state *state = + talloc_get_type_abort(private_data, struct winbindd_cli_state); + + if (!success) { + DEBUG(5, ("Could not remove sid mapping\n")); + request_error(state); + return; + } + + request_ok(state); +} + +void winbindd_remove_mapping(struct winbindd_cli_state *state) +{ + struct id_map map; + DOM_SID sid; + + DEBUG(3, ("[%5lu]: remove id map\n", (unsigned long)state->pid)); + + if ( ! state->privileged) { + DEBUG(0, ("Only root is allowed to remove mappings!\n")); + request_error(state); + return; + } + + if (!string_to_sid(&sid, state->request.data.dual_idmapset.sid)) { + DEBUG(1, ("Could not get convert sid %s from string\n", + state->request.data.sid)); + request_error(state); + return; + } + + map.sid = &sid; + map.xid.id = state->request.data.dual_idmapset.id; + map.xid.type = state->request.data.dual_idmapset.type; + + winbindd_remove_mapping_async(state->mem_ctx, &map, + remove_mapping_recv, state); +} + static void set_hwm_recv(void *private_data, bool success) { struct winbindd_cli_state *state = diff --git a/source4/Makefile b/source4/Makefile index be41d02a38..38eb0706c9 100644 --- a/source4/Makefile +++ b/source4/Makefile @@ -11,7 +11,7 @@ include mkconfig.mk pidldir := $(srcdir)/../pidl basedir = $(prefix) -torturedir = $(libdir)/torture +torturedir = ../lib/torture swatdir = $(datadir)/swat setupdir = $(datadir)/setup ncalrpcdir = $(localstatedir)/ncalrpc @@ -78,7 +78,7 @@ libutilsrcdir := ../lib/util libtdrsrcdir := lib/tdr libdbwrapsrcdir := lib/dbwrap libcryptosrcdir := ../lib/crypto -libtorturesrcdir := lib/torture +libtorturesrcdir := ../lib/torture smb_serversrcdir := smb_server libcompressionsrcdir := ../lib/compression libgencachesrcdir := lib diff --git a/source4/auth/config.m4 b/source4/auth/config.m4 index 1338b775ec..a271a9f6fe 100644 --- a/source4/auth/config.m4 +++ b/source4/auth/config.m4 @@ -20,11 +20,15 @@ AC_CHECK_FUNCS(crypt16 getauthuid getpwanam) AC_CHECK_HEADERS(sasl/sasl.h) AC_CHECK_LIB_EXT(sasl2, SASL_LIBS, sasl_client_init) -SMB_EXT_LIB(SASL, $SASL_LIBS) if test x"$ac_cv_header_sasl_sasl_h" = x"yes" -a x"$ac_cv_lib_ext_sasl2_sasl_client_init" = x"yes";then SMB_ENABLE(SASL,YES) SMB_ENABLE(cyrus_sasl,YES) + SASL_CFLAGS="$CFLAGS" + SASL_CPPFLAGS="$CPPFLAGS" + SASL_LDFLAGS="$LDFLAGS" else SMB_ENABLE(cyrus_sasl,NO) fi + +SMB_EXT_LIB(SASL, $SASL_LIBS, [${SASL_CFLAGS}], [${SASL_CPPFLAGS}], [${SASL_LDFLAGS}]) diff --git a/source4/build/m4/check_python.m4 b/source4/build/m4/check_python.m4 index 96f93a3d75..7e56af76f7 100644 --- a/source4/build/m4/check_python.m4 +++ b/source4/build/m4/check_python.m4 @@ -71,8 +71,19 @@ AC_DEFUN([AC_SAMBA_PYTHON_DEVEL], if test x$PYTHON != x then - DISTUTILS_CFLAGS=`$PYTHON -c "from distutils import sysconfig; print '-I%s -I%s %s' % (sysconfig.get_python_inc(), sysconfig.get_python_inc(plat_specific=1), sysconfig.get_config_var('CFLAGS'))"` - DISTUTILS_LDFLAGS=`$PYTHON -c "from distutils import sysconfig; print '%s %s -lpython%s -L%s' % (sysconfig.get_config_var('LIBS'), sysconfig.get_config_var('SYSLIBS'), sysconfig.get_config_var('VERSION'), sysconfig.get_config_var('LIBPL'))"` + DISTUTILS_CFLAGS=`$PYTHON -c "from distutils import sysconfig; \ + print '-I%s -I%s %s' % ( \ + sysconfig.get_python_inc(), \ + sysconfig.get_python_inc(plat_specific=1), \ + sysconfig.get_config_var('CFLAGS'))"` + DISTUTILS_LDFLAGS=`$PYTHON -c "from distutils import sysconfig; \ + print '%s %s -lpython%s -L%s %s -L%s' % ( \ + sysconfig.get_config_var('LIBS'), \ + sysconfig.get_config_var('SYSLIBS'), \ + sysconfig.get_config_var('VERSION'), \ + sysconfig.get_config_var('LIBDIR'), \ + sysconfig.get_config_var('LDFLAGS'), \ + sysconfig.get_config_var('LIBPL'))"` TRY_LINK_PYTHON($DISTUTILS_LDFLAGS, $DISTUTILS_CFLAGS) fi diff --git a/source4/build/m4/public.m4 b/source4/build/m4/public.m4 index d61e00b22e..5be4189e06 100644 --- a/source4/build/m4/public.m4 +++ b/source4/build/m4/public.m4 @@ -188,10 +188,17 @@ use strict; use vars qw(%enabled %config); -%config = (AC_FOREACH([AC_Var], m4_defn([_AC_SUBST_VARS]), [ - AC_Var => '$AC_Var',]) -); +%config = ( +CEOF + +for ac_var in $ac_subst_vars +do + eval ac_val=\$$ac_var + echo "$ac_var => '$ac_val'," >> $1 +done +cat >>$1<<CEOF +); $SMB_INFO_ENABLES 1; CEOF diff --git a/source4/build/make/python.mk b/source4/build/make/python.mk index e307ba74bb..67a3e86215 100644 --- a/source4/build/make/python.mk +++ b/source4/build/make/python.mk @@ -46,7 +46,7 @@ swig:: pythonmods .SUFFIXES: _wrap.c .i .py %_wrap.c %.py: %.i - [ "$(SWIG)" == "no" ] || $(SWIG) -O -Wall -python -keyword -I../source4 $< + [ "$(SWIG)" = "no" ] || $(SWIG) -O -Wall -python -keyword -I../source4 $< realdistclean:: @echo "Removing SWIG output files" diff --git a/source4/configure.ac b/source4/configure.ac index cf85b13225..a90ac9e668 100644 --- a/source4/configure.ac +++ b/source4/configure.ac @@ -37,7 +37,7 @@ AC_CONFIG_FILES(lib/registry/registry.pc) AC_CONFIG_FILES(lib/events/events.pc) AC_CONFIG_FILES(librpc/dcerpc.pc) AC_CONFIG_FILES(../librpc/ndr.pc) -AC_CONFIG_FILES(lib/torture/torture.pc) +AC_CONFIG_FILES(../lib/torture/torture.pc) AC_CONFIG_FILES(auth/gensec/gensec.pc) AC_CONFIG_FILES(param/samba-hostconfig.pc) AC_CONFIG_FILES(librpc/dcerpc_samr.pc) diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 69e456274c..2161286e08 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -657,6 +657,28 @@ uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ct return acct_flags; } +struct lsa_BinaryString samdb_result_parameters(TALLOC_CTX *mem_ctx, + struct ldb_message *msg, + const char *attr) +{ + struct lsa_BinaryString s; + const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr); + + ZERO_STRUCT(s); + + if (!val) { + return s; + } + + s.array = talloc_array(mem_ctx, uint16_t, val->length/2); + if (!s.array) { + return s; + } + s.length = s.size = val->length/2; + memcpy(s.array, val->data, val->length); + + return s; +} /* Find an attribute, with a particular value */ @@ -897,6 +919,17 @@ int samdb_msg_add_logon_hours(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, } /* + add a parameters element to a message +*/ +int samdb_msg_add_parameters(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, + const char *attr_name, struct lsa_BinaryString *parameters) +{ + struct ldb_val val; + val.length = parameters->length * 2; + val.data = (uint8_t *)parameters->array; + return ldb_msg_add_value(msg, attr_name, &val, NULL); +} +/* add a general value element to a message */ int samdb_msg_add_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, diff --git a/source4/dsdb/config.mk b/source4/dsdb/config.mk index 8bc8b6e000..bd188192a0 100644 --- a/source4/dsdb/config.mk +++ b/source4/dsdb/config.mk @@ -6,7 +6,7 @@ mkinclude samdb/ldb_modules/config.mk # Start SUBSYSTEM SAMDB [SUBSYSTEM::SAMDB] PUBLIC_DEPENDENCIES = HEIMDAL_KRB5 -PRIVATE_DEPENDENCIES = LIBNDR NDR_MISC NDR_DRSUAPI NDR_DRSBLOBS NSS_WRAPPER \ +PRIVATE_DEPENDENCIES = LIBNDR NDR_DRSUAPI NDR_DRSBLOBS NSS_WRAPPER \ auth_system_session LDAP_ENCODE LIBCLI_AUTH LIBNDR \ SAMDB_SCHEMA LDB_WRAP SAMDB_COMMON diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk index 00e4f1af92..1387066256 100644 --- a/source4/dsdb/samdb/ldb_modules/config.mk +++ b/source4/dsdb/samdb/ldb_modules/config.mk @@ -2,7 +2,7 @@ # Start MODULE ldb_objectguid [MODULE::ldb_objectguid] SUBSYSTEM = LIBLDB -PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LIBNDR NDR_MISC +PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LIBNDR INIT_FUNCTION = LDB_MODULE(objectguid) # End MODULE ldb_objectguid ################################################ @@ -14,7 +14,7 @@ ldb_objectguid_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/objectguid.o [MODULE::ldb_repl_meta_data] SUBSYSTEM = LIBLDB PRIVATE_DEPENDENCIES = SAMDB LIBTALLOC LIBEVENTS \ - LIBNDR NDR_MISC NDR_DRSUAPI \ + LIBNDR NDR_DRSUAPI \ NDR_DRSBLOBS LIBNDR INIT_FUNCTION = LDB_MODULE(repl_meta_data) # End MODULE ldb_repl_meta_data @@ -75,7 +75,7 @@ ldb_pdc_fsmo_OBJ_FILES = \ # Start MODULE ldb_samldb [MODULE::ldb_samldb] SUBSYSTEM = LIBLDB -PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LDAP_ENCODE NDR_MISC SAMDB +PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LDAP_ENCODE SAMDB INIT_FUNCTION = LDB_MODULE(samldb) # # End MODULE ldb_samldb @@ -102,7 +102,7 @@ ldb_samba3sam_OBJ_FILES = \ [MODULE::ldb_simple_ldap_map] SUBSYSTEM = LIBLDB INIT_FUNCTION = LDB_MODULE(entryuuid),LDB_MODULE(nsuniqueid) -PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LIBNDR NDR_MISC +PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LIBNDR ENABLE = YES ALIASES = entryuuid nsuniqueid # End MODULE ldb_entryuuid diff --git a/source4/dsdb/samdb/ldb_modules/linked_attributes.c b/source4/dsdb/samdb/ldb_modules/linked_attributes.c index dd199c0137..f16eb215a6 100644 --- a/source4/dsdb/samdb/ldb_modules/linked_attributes.c +++ b/source4/dsdb/samdb/ldb_modules/linked_attributes.c @@ -249,10 +249,14 @@ static int linked_attributes_add(struct ldb_module *module, struct ldb_request * return ldb_next_request(module, req); } - /* start with the first one */ - return la_do_mod_request(ac); + /* start with the original request */ + return la_down_req(ac); } +/* For a delete or rename, we need to find out what linked attributes + * are currently on this DN, and then deal with them. This is the + * callback to the base search */ + static int la_mod_search_callback(struct ldb_request *req, struct ldb_reply *ares) { const struct dsdb_attribute *schema_attr; @@ -349,8 +353,8 @@ static int la_mod_search_callback(struct ldb_request *req, struct ldb_reply *are talloc_free(ares); - /* All mods set up, start with the first one */ - ret = la_do_mod_request(ac); + /* Start with the original request */ + ret = la_down_req(ac); if (ret != LDB_SUCCESS) { return ldb_module_done(ac->req, NULL, NULL, ret); } @@ -539,8 +543,8 @@ static int linked_attributes_modify(struct ldb_module *module, struct ldb_reques } else { if (ac->ops) { - /* Jump directly to handling the modifies */ - ret = la_do_mod_request(ac); + /* Start with the original request */ + ret = la_down_req(ac); } else { /* nothing to do for this module, proceed */ talloc_free(ac); @@ -732,12 +736,8 @@ static int la_op_search_callback(struct ldb_request *req, talloc_free(ares); - if (ac->ops) { - /* start the mod requests chain */ - ret = la_do_mod_request(ac); - } else { - ret = la_down_req(ac); - } + /* start the mod requests chain */ + ret = la_down_req(ac); if (ret != LDB_SUCCESS) { return ldb_module_done(ac->req, NULL, NULL, ret); } @@ -840,11 +840,13 @@ static int la_mod_callback(struct ldb_request *req, struct ldb_reply *ares) talloc_free(os); } - /* as last op run the original request */ + /* If we still have modifies in the queue, then run them */ if (ac->ops) { ret = la_do_mod_request(ac); } else { - ret = la_down_req(ac); + /* Otherwise, we are done! */ + ret = ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); } if (ret != LDB_SUCCESS) { @@ -898,6 +900,7 @@ static int la_down_req(struct la_context *ac) return ldb_next_request(ac->module, down_req); } +/* Having done the original operation, then try to fix up all the linked attributes */ static int la_down_callback(struct ldb_request *req, struct ldb_reply *ares) { struct la_context *ac; @@ -920,9 +923,13 @@ static int la_down_callback(struct ldb_request *req, struct ldb_reply *ares) return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } - - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); + /* If we have modfies to make, then run them */ + if (ac->ops) { + return la_do_mod_request(ac); + } else { + return ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); + } } _PUBLIC_ const struct ldb_module_ops ldb_linked_attributes_module_ops = { diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 7d00851792..1d240a33fe 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -414,10 +414,10 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req) return ldb_next_request(module, req); } - /* Need to object to this, but cn=rootdse doesn't have an objectClass... */ + /* the objectClass must be specified on add */ if (ldb_msg_find_element(req->op.add.message, "objectClass") == NULL) { - return ldb_next_request(module, req); + return LDB_ERR_OBJECT_CLASS_VIOLATION; } ac = oc_init_context(module, req); diff --git a/source4/dsdb/samdb/ldb_modules/schema_fsmo.c b/source4/dsdb/samdb/ldb_modules/schema_fsmo.c index 0266654811..df409a8ae3 100644 --- a/source4/dsdb/samdb/ldb_modules/schema_fsmo.c +++ b/source4/dsdb/samdb/ldb_modules/schema_fsmo.c @@ -38,6 +38,10 @@ static int generate_attributeTypes(struct ldb_context *ldb, struct ldb_message * const struct dsdb_schema *schema); static int generate_dITContentRules(struct ldb_context *ldb, struct ldb_message *msg, const struct dsdb_schema *schema); +static int generate_extendedAttributeInfo(struct ldb_context *ldb, struct ldb_message *msg, + const struct dsdb_schema *schema); +static int generate_extendedClassInfo(struct ldb_context *ldb, struct ldb_message *msg, + const struct dsdb_schema *schema); static const struct { const char *attr; @@ -54,6 +58,14 @@ static const struct { { .attr = "dITContentRules", .fn = generate_dITContentRules + }, + { + .attr = "extendedAttributeInfo", + .fn = generate_extendedAttributeInfo + }, + { + .attr = "extendedClassInfo", + .fn = generate_extendedClassInfo } }; @@ -322,7 +334,51 @@ static int generate_dITContentRules(struct ldb_context *ldb, struct ldb_message return LDB_SUCCESS; } +static int generate_extendedAttributeInfo(struct ldb_context *ldb, + struct ldb_message *msg, + const struct dsdb_schema *schema) +{ + const struct dsdb_attribute *attribute; + int ret; + + for (attribute = schema->attributes; attribute; attribute = attribute->next) { + char *val = schema_attribute_to_extendedInfo(msg, attribute); + if (!val) { + ldb_oom(ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_msg_add_string(msg, "extendedAttributeInfo", val); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + return LDB_SUCCESS; +} + +static int generate_extendedClassInfo(struct ldb_context *ldb, + struct ldb_message *msg, + const struct dsdb_schema *schema) +{ + const struct dsdb_class *sclass; + int ret; + + for (sclass = schema->classes; sclass; sclass = sclass->next) { + char *val = schema_class_to_extendedInfo(msg, sclass); + if (!val) { + ldb_oom(ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + ret = ldb_msg_add_string(msg, "extendedClassInfo", val); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + return LDB_SUCCESS; +} /* Add objectClasses, attributeTypes and dITContentRules from the schema object (they are not stored in the database) diff --git a/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py b/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py index 1fc531902d..fa1af2ad61 100644 --- a/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py +++ b/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py @@ -27,7 +27,7 @@ import ldb from ldb import SCOPE_DEFAULT, SCOPE_BASE, SCOPE_SUBTREE from samba import Ldb, substitute_var from samba.tests import LdbTestCase, TestCaseInTempDir, cmdline_loadparm -import samba.dcerpc.security +import samba.dcerpc.dom_sid import samba.security import samba.ndr @@ -50,7 +50,7 @@ class MapBaseTestCase(TestCaseInTempDir): "@TO": "sambaDomainName=TESTS," + s3.basedn}) ldb.add({"dn": "@MODULES", - "@LIST": "rootdse,paged_results,server_sort,extended_dn,asq,samldb,password_hash,operational,objectguid,rdn_name,samba3sam,partition"}) + "@LIST": "rootdse,paged_results,server_sort,asq,samldb,password_hash,operational,objectguid,rdn_name,samba3sam,partition"}) ldb.add({"dn": "@PARTITION", "partition": ["%s:%s" % (s4.basedn, s4.url), @@ -116,7 +116,7 @@ class MapBaseTestCase(TestCaseInTempDir): super(MapBaseTestCase, self).tearDown() def assertSidEquals(self, text, ndr_sid): - sid_obj1 = samba.ndr.ndr_unpack(samba.dcerpc.security.dom_sid, + sid_obj1 = samba.ndr.ndr_unpack(samba.dcerpc.dom_sid.dom_sid, str(ndr_sid[0])) sid_obj2 = samba.security.Sid(text) # For now, this is the only way we can compare these since the diff --git a/source4/dsdb/schema/schema.h b/source4/dsdb/schema/schema.h index 68dc8197cb..e8fefb5246 100644 --- a/source4/dsdb/schema/schema.h +++ b/source4/dsdb/schema/schema.h @@ -72,8 +72,8 @@ struct dsdb_attribute { struct ldb_val oMObjectClass; bool isSingleValued; - uint32_t rangeLower; - uint32_t rangeUpper; + uint32_t *rangeLower; + uint32_t *rangeUpper; bool extendedCharsAllowed; uint32_t schemaFlagsEx; diff --git a/source4/dsdb/schema/schema_description.c b/source4/dsdb/schema/schema_description.c index c3c37b4653..9443c04bb0 100644 --- a/source4/dsdb/schema/schema_description.c +++ b/source4/dsdb/schema/schema_description.c @@ -20,6 +20,7 @@ */ #include "includes.h" #include "dsdb/samdb/samdb.h" +#include "librpc/ndr/libndr.h" #define IF_NULL_FAIL_RET(x) do { \ if (!x) { \ @@ -36,7 +37,12 @@ char *schema_attribute_description(TALLOC_CTX *mem_ctx, const char *equality, const char *substring, const char *syntax, - bool single_value, bool operational) + bool single_value, bool operational, + uint32_t *range_lower, + uint32_t *range_upper, + const char *property_guid, + const char *property_set_guid, + bool indexed, bool system_only) { char *schema_entry = talloc_asprintf(mem_ctx, "(%s%s%s", seperator, oid, seperator); @@ -55,11 +61,13 @@ char *schema_attribute_description(TALLOC_CTX *mem_ctx, "SUBSTR %s%s", substring, seperator); IF_NULL_FAIL_RET(schema_entry); } - - schema_entry = talloc_asprintf_append(schema_entry, - "SYNTAX %s%s", syntax, seperator); - IF_NULL_FAIL_RET(schema_entry); - + + if (syntax) { + schema_entry = talloc_asprintf_append(schema_entry, + "SYNTAX %s%s", syntax, seperator); + IF_NULL_FAIL_RET(schema_entry); + } + if (single_value) { schema_entry = talloc_asprintf_append(schema_entry, "SINGLE-VALUE%s", seperator); @@ -71,7 +79,47 @@ char *schema_attribute_description(TALLOC_CTX *mem_ctx, "NO-USER-MODIFICATION%s", seperator); IF_NULL_FAIL_RET(schema_entry); } - + + if (range_lower) { + schema_entry = talloc_asprintf_append(schema_entry, + "RANGE-LOWER '%u'%s", + *range_lower, seperator); + IF_NULL_FAIL_RET(schema_entry); + } + + if (range_upper) { + schema_entry = talloc_asprintf_append(schema_entry, + "RANGE-UPPER '%u'%s", + *range_upper, seperator); + IF_NULL_FAIL_RET(schema_entry); + } + + if (property_guid) { + schema_entry = talloc_asprintf_append(schema_entry, + "PROPERTY-GUID '%s'%s", + property_guid, seperator); + IF_NULL_FAIL_RET(schema_entry); + } + + if (property_set_guid) { + schema_entry = talloc_asprintf_append(schema_entry, + "PROPERTY-SET-GUID '%s'%s", + property_set_guid, seperator); + IF_NULL_FAIL_RET(schema_entry); + } + + if (indexed) { + schema_entry = talloc_asprintf_append(schema_entry, + "INDEXED%s", seperator); + IF_NULL_FAIL_RET(schema_entry); + } + + if (system_only) { + schema_entry = talloc_asprintf_append(schema_entry, + "SYSTEM-ONLY%s", seperator); + IF_NULL_FAIL_RET(schema_entry); + } + schema_entry = talloc_asprintf_append(schema_entry, ")"); return schema_entry; @@ -80,14 +128,12 @@ char *schema_attribute_description(TALLOC_CTX *mem_ctx, char *schema_attribute_to_description(TALLOC_CTX *mem_ctx, const struct dsdb_attribute *attribute) { char *schema_description; - const struct dsdb_syntax *map = find_syntax_map_by_ad_oid(attribute->attributeSyntax_oid); - const char *syntax = map ? map->ldap_oid : attribute->attributeSyntax_oid; + const char *syntax = attribute->syntax->ldap_oid; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return NULL; } - schema_description = schema_attribute_description(mem_ctx, TARGET_AD_SCHEMA_SUBENTRY, @@ -96,6 +142,34 @@ char *schema_attribute_to_description(TALLOC_CTX *mem_ctx, const struct dsdb_att attribute->lDAPDisplayName, NULL, NULL, talloc_asprintf(tmp_ctx, "'%s'", syntax), attribute->isSingleValued, + attribute->systemOnly,/* TODO: is this correct? */ + NULL, NULL, NULL, NULL, + false, false); + talloc_free(tmp_ctx); + return schema_description; +} + +char *schema_attribute_to_extendedInfo(TALLOC_CTX *mem_ctx, const struct dsdb_attribute *attribute) +{ + char *schema_description; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return NULL; + } + + schema_description + = schema_attribute_description(mem_ctx, + TARGET_AD_SCHEMA_SUBENTRY, + " ", + attribute->attributeID_oid, + attribute->lDAPDisplayName, + NULL, NULL, NULL, + false, false, + attribute->rangeLower, + attribute->rangeUpper, + GUID_hexstring(tmp_ctx, &attribute->schemaIDGUID), + GUID_hexstring(tmp_ctx, &attribute->attributeSecurityGUID), + (attribute->searchFlags & SEARCH_FLAG_ATTINDEX), attribute->systemOnly); talloc_free(tmp_ctx); return schema_description; @@ -142,7 +216,8 @@ char *schema_class_description(TALLOC_CTX *mem_ctx, const char *subClassOf, int objectClassCategory, char **must, - char **may) + char **may, + const char *schemaHexGUID) { char *schema_entry = talloc_asprintf(mem_ctx, "(%s%s%s", seperator, oid, seperator); @@ -225,7 +300,14 @@ char *schema_class_description(TALLOC_CTX *mem_ctx, ")%s", seperator); IF_NULL_FAIL_RET(schema_entry); } - + + if (schemaHexGUID) { + schema_entry = talloc_asprintf_append(schema_entry, + "CLASS-GUID '%s'%s", + schemaHexGUID, seperator); + IF_NULL_FAIL_RET(schema_entry); + } + schema_entry = talloc_asprintf_append(schema_entry, ")"); return schema_entry; @@ -251,7 +333,8 @@ char *schema_class_to_description(TALLOC_CTX *mem_ctx, const struct dsdb_class * dsdb_attribute_list(tmp_ctx, class, DSDB_SCHEMA_ALL_MUST), dsdb_attribute_list(tmp_ctx, - class, DSDB_SCHEMA_ALL_MAY)); + class, DSDB_SCHEMA_ALL_MAY), + NULL); talloc_free(tmp_ctx); return schema_description; } @@ -295,7 +378,38 @@ char *schema_class_to_dITContentRule(TALLOC_CTX *mem_ctx, const struct dsdb_clas * ditContentRules * per MS-ADTS * 3.1.1.3.1.1.1 */ - -1, must_attr_list, may_attr_list); + -1, must_attr_list, may_attr_list, + NULL); talloc_free(tmp_ctx); return schema_description; } + +char *schema_class_to_extendedInfo(TALLOC_CTX *mem_ctx, const struct dsdb_class *sclass) +{ + char *schema_description = NULL; + DATA_BLOB guid_blob; + char *guid_hex; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return NULL; + } + + schema_description + = schema_class_description(mem_ctx, + TARGET_AD_SCHEMA_SUBENTRY, + " ", + sclass->governsID_oid, + sclass->lDAPDisplayName, + NULL, + NULL, /* Must not specify a + * SUP (subclass) in + * ditContentRules + * per MS-ADTS + * 3.1.1.3.1.1.1 */ + -1, NULL, NULL, + GUID_hexstring(tmp_ctx, &sclass->schemaIDGUID)); + talloc_free(tmp_ctx); + return schema_description; +} + + diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c index 6561e8ed88..763872cf2b 100644 --- a/source4/dsdb/schema/schema_init.c +++ b/source4/dsdb/schema/schema_init.c @@ -643,6 +643,24 @@ WERROR dsdb_read_prefixes_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, (p)->elem = samdb_result_uint(msg, attr, 0);\ } while (0) +#define GET_UINT32_PTR_LDB(msg, attr, p, elem) do { \ + uint64_t _v = samdb_result_uint64(msg, attr, UINT64_MAX);\ + if (_v == UINT64_MAX) { \ + (p)->elem = NULL; \ + } else if (_v > UINT32_MAX) { \ + d_printf("%s: %s == 0x%llX\n", __location__, \ + attr, (unsigned long long)_v); \ + return WERR_INVALID_PARAM; \ + } else { \ + (p)->elem = talloc(mem_ctx, uint32_t); \ + if (!(p)->elem) { \ + d_printf("%s: talloc failed for %s\n", __location__, attr); \ + return WERR_NOMEM; \ + } \ + *(p)->elem = (uint32_t)_v; \ + } \ +} while (0) + #define GET_GUID_LDB(msg, attr, p, elem) do { \ (p)->elem = samdb_result_guid(msg, attr);\ } while (0) @@ -707,8 +725,8 @@ WERROR dsdb_attribute_from_ldb(const struct dsdb_schema *schema, GET_BLOB_LDB(msg, "oMObjectClass", mem_ctx, attr, oMObjectClass); GET_BOOL_LDB(msg, "isSingleValued", attr, isSingleValued, true); - GET_UINT32_LDB(msg, "rangeLower", attr, rangeLower); - GET_UINT32_LDB(msg, "rangeUpper", attr, rangeUpper); + GET_UINT32_PTR_LDB(msg, "rangeLower", attr, rangeLower); + GET_UINT32_PTR_LDB(msg, "rangeUpper", attr, rangeUpper); GET_BOOL_LDB(msg, "extendedCharsAllowed", attr, extendedCharsAllowed, false); GET_UINT32_LDB(msg, "schemaFlagsEx", attr, schemaFlagsEx); @@ -1260,6 +1278,23 @@ static struct drsuapi_DsReplicaAttribute *dsdb_find_object_attr_name(struct dsdb } \ } while (0) +#define GET_UINT32_PTR_DS(s, r, attr, p, elem) do { \ + struct drsuapi_DsReplicaAttribute *_a; \ + _a = dsdb_find_object_attr_name(s, r, attr, NULL); \ + if (_a && _a->value_ctr.num_values >= 1 \ + && _a->value_ctr.values[0].blob \ + && _a->value_ctr.values[0].blob->length == 4) { \ + (p)->elem = talloc(mem_ctx, uint32_t); \ + if (!(p)->elem) { \ + d_printf("%s: talloc failed for %s\n", __location__, attr); \ + return WERR_NOMEM; \ + } \ + *(p)->elem = IVAL(_a->value_ctr.values[0].blob->data,0);\ + } else { \ + (p)->elem = NULL; \ + } \ +} while (0) + #define GET_GUID_DS(s, r, attr, mem_ctx, p, elem) do { \ struct drsuapi_DsReplicaAttribute *_a; \ _a = dsdb_find_object_attr_name(s, r, attr, NULL); \ @@ -1330,8 +1365,8 @@ WERROR dsdb_attribute_from_drsuapi(struct dsdb_schema *schema, GET_BLOB_DS(schema, r, "oMObjectClass", mem_ctx, attr, oMObjectClass); GET_BOOL_DS(schema, r, "isSingleValued", attr, isSingleValued, true); - GET_UINT32_DS(schema, r, "rangeLower", attr, rangeLower); - GET_UINT32_DS(schema, r, "rangeUpper", attr, rangeUpper); + GET_UINT32_PTR_DS(schema, r, "rangeLower", attr, rangeLower); + GET_UINT32_PTR_DS(schema, r, "rangeUpper", attr, rangeUpper); GET_BOOL_DS(schema, r, "extendedCharsAllowed", attr, extendedCharsAllowed, false); GET_UINT32_DS(schema, r, "schemaFlagsEx", attr, schemaFlagsEx); diff --git a/source4/dsdb/schema/schema_syntax.c b/source4/dsdb/schema/schema_syntax.c index e0e6b3fc77..7aed08605b 100644 --- a/source4/dsdb/schema/schema_syntax.c +++ b/source4/dsdb/schema/schema_syntax.c @@ -1278,9 +1278,9 @@ static const struct dsdb_syntax dsdb_syntaxes[] = { .attributeSyntax_oid = "2.5.5.7", .drsuapi_to_ldb = dsdb_syntax_DN_BINARY_drsuapi_to_ldb, .ldb_to_drsuapi = dsdb_syntax_DN_BINARY_ldb_to_drsuapi, - .equality = "distinguishedNameMatch", + .equality = "octetStringMatch", .comment = "OctetString: Binary+DN", - .ldb_syntax = LDB_SYNTAX_DN, + .ldb_syntax = LDB_SYNTAX_OCTET_STRING, },{ /* not used in w2k3 schema */ .name = "Object(OR-Name)", @@ -1322,9 +1322,6 @@ static const struct dsdb_syntax dsdb_syntaxes[] = { .attributeSyntax_oid = "2.5.5.14", .drsuapi_to_ldb = dsdb_syntax_FOOBAR_drsuapi_to_ldb, .ldb_to_drsuapi = dsdb_syntax_FOOBAR_ldb_to_drsuapi, - .equality = "distinguishedNameMatch", - .comment = "OctetString: String+DN", - .ldb_syntax = LDB_SYNTAX_DN, },{ /* not used in w2k3 schema */ .name = "Object(DN-String)", @@ -1334,6 +1331,8 @@ static const struct dsdb_syntax dsdb_syntaxes[] = { .attributeSyntax_oid = "2.5.5.14", .drsuapi_to_ldb = dsdb_syntax_FOOBAR_drsuapi_to_ldb, .ldb_to_drsuapi = dsdb_syntax_FOOBAR_ldb_to_drsuapi, + .equality = "distinguishedNameMatch", + .comment = "OctetString: String+DN", .ldb_syntax = LDB_SYNTAX_DN, } }; diff --git a/source4/headermap.txt b/source4/headermap.txt index cb5a4fab4c..b6edaac414 100644 --- a/source4/headermap.txt +++ b/source4/headermap.txt @@ -43,6 +43,7 @@ librpc/gen_ndr/samr.h: gen_ndr/samr.h librpc/gen_ndr/ndr_samr.h: gen_ndr/ndr_samr.h librpc/gen_ndr/ndr_samr_c.h: gen_ndr/ndr_samr_c.h librpc/gen_ndr/security.h: gen_ndr/security.h +librpc/gen_ndr/dom_sid.h: gen_ndr/dom_sid.h auth/credentials/credentials.h: credentials.h auth/credentials/credentials_krb5.h: credentials/krb5.h rpc_server/dcerpc_server.h: dcerpc_server.h @@ -50,7 +51,7 @@ rpc_server/common/common.h: dcerpc_server/common.h libcli/auth/credentials.h: domain_credentials.h ../lib/util/charset/charset.h: charset.h libcli/ldap/ldap.h: ldap.h -lib/torture/torture.h: torture.h +../lib/torture/torture.h: torture.h libcli/libcli.h: client.h librpc/gen_ndr/nbt.h: gen_ndr/nbt.h librpc/gen_ndr/ntp_signd.h: gen_ndr/ntp_signd.h diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c index d0417107f1..2adff2a1df 100644 --- a/source4/ldap_server/ldap_backend.c +++ b/source4/ldap_server/ldap_backend.c @@ -29,17 +29,13 @@ #include "lib/ldb/include/ldb_errors.h" #include "lib/ldb_wrap.h" -#define VALID_DN_SYNTAX(dn,i) do {\ +#define VALID_DN_SYNTAX(dn) do {\ if (!(dn)) {\ return NT_STATUS_NO_MEMORY;\ } else if ( ! ldb_dn_validate(dn)) {\ result = LDAP_INVALID_DN_SYNTAX;\ errstr = "Invalid DN format";\ goto reply;\ - } else if (ldb_dn_get_comp_num(dn) < (i)) {\ - result = LDAP_INVALID_DN_SYNTAX;\ - errstr = "Invalid DN (" #i " components needed for '" #dn "')";\ - goto reply;\ }\ } while(0) @@ -179,7 +175,7 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call) NT_STATUS_HAVE_NO_MEMORY(local_ctx); basedn = ldb_dn_new(local_ctx, samdb, req->basedn); - VALID_DN_SYNTAX(basedn, 0); + VALID_DN_SYNTAX(basedn); DEBUG(10, ("SearchRequest: basedn: [%s]\n", req->basedn)); DEBUG(10, ("SearchRequest: filter: [%s]\n", ldb_filter_from_tree(call, req->tree))); @@ -349,7 +345,7 @@ static NTSTATUS ldapsrv_ModifyRequest(struct ldapsrv_call *call) NT_STATUS_HAVE_NO_MEMORY(local_ctx); dn = ldb_dn_new(local_ctx, samdb, req->dn); - VALID_DN_SYNTAX(dn, 0); + VALID_DN_SYNTAX(dn); DEBUG(10, ("ModifyRequest: dn: [%s]\n", req->dn)); @@ -452,7 +448,7 @@ static NTSTATUS ldapsrv_AddRequest(struct ldapsrv_call *call) NT_STATUS_HAVE_NO_MEMORY(local_ctx); dn = ldb_dn_new(local_ctx, samdb, req->dn); - VALID_DN_SYNTAX(dn,1); + VALID_DN_SYNTAX(dn); DEBUG(10, ("AddRequest: dn: [%s]\n", req->dn)); @@ -542,7 +538,7 @@ static NTSTATUS ldapsrv_DelRequest(struct ldapsrv_call *call) NT_STATUS_HAVE_NO_MEMORY(local_ctx); dn = ldb_dn_new(local_ctx, samdb, req->dn); - VALID_DN_SYNTAX(dn,1); + VALID_DN_SYNTAX(dn); DEBUG(10, ("DelRequest: dn: [%s]\n", req->dn)); @@ -588,10 +584,10 @@ static NTSTATUS ldapsrv_ModifyDNRequest(struct ldapsrv_call *call) NT_STATUS_HAVE_NO_MEMORY(local_ctx); olddn = ldb_dn_new(local_ctx, samdb, req->dn); - VALID_DN_SYNTAX(olddn, 2); + VALID_DN_SYNTAX(olddn); newrdn = ldb_dn_new(local_ctx, samdb, req->newrdn); - VALID_DN_SYNTAX(newrdn, 1); + VALID_DN_SYNTAX(newrdn); DEBUG(10, ("ModifyDNRequest: olddn: [%s]\n", req->dn)); DEBUG(10, ("ModifyDNRequest: newrdn: [%s]\n", req->newrdn)); @@ -605,7 +601,7 @@ static NTSTATUS ldapsrv_ModifyDNRequest(struct ldapsrv_call *call) if (req->newsuperior) { parentdn = ldb_dn_new(local_ctx, samdb, req->newsuperior); - VALID_DN_SYNTAX(parentdn, 0); + VALID_DN_SYNTAX(parentdn); DEBUG(10, ("ModifyDNRequest: newsuperior: [%s]\n", req->newsuperior)); if (ldb_dn_get_comp_num(parentdn) < 1) { @@ -672,7 +668,7 @@ static NTSTATUS ldapsrv_CompareRequest(struct ldapsrv_call *call) NT_STATUS_HAVE_NO_MEMORY(local_ctx); dn = ldb_dn_new(local_ctx, samdb, req->dn); - VALID_DN_SYNTAX(dn, 1); + VALID_DN_SYNTAX(dn); DEBUG(10, ("CompareRequest: dn: [%s]\n", req->dn)); filter = talloc_asprintf(local_ctx, "(%s=%*s)", req->attribute, diff --git a/source4/lib/ldb-samba/config.mk b/source4/lib/ldb-samba/config.mk index f84b44dfc7..ceacf277e4 100644 --- a/source4/lib/ldb-samba/config.mk +++ b/source4/lib/ldb-samba/config.mk @@ -2,7 +2,7 @@ # Start SUBSYSTEM LDBSAMBA [SUBSYSTEM::LDBSAMBA] PUBLIC_DEPENDENCIES = LIBLDB -PRIVATE_DEPENDENCIES = LIBSECURITY SAMDB_SCHEMA LIBNDR NDR_MISC NDR_DRSBLOBS +PRIVATE_DEPENDENCIES = LIBSECURITY SAMDB_SCHEMA LIBNDR NDR_DRSBLOBS # End SUBSYSTEM LDBSAMBA ################################################ diff --git a/source4/lib/ldb/common/ldb_ldif.c b/source4/lib/ldb/common/ldb_ldif.c index 538ff8feaa..69490e670b 100644 --- a/source4/lib/ldb/common/ldb_ldif.c +++ b/source4/lib/ldb/common/ldb_ldif.c @@ -328,8 +328,10 @@ int ldb_ldif_write(struct ldb_context *ldb, for (j=0;j<msg->elements[i].num_values;j++) { struct ldb_val v; ret = a->syntax->ldif_write_fn(ldb, mem_ctx, &msg->elements[i].values[j], &v); - CHECK_RET; - if (ldb_should_b64_encode(&v)) { + if (ret != LDB_SUCCESS) { + v = msg->elements[i].values[j]; + } + if (ret != LDB_SUCCESS || ldb_should_b64_encode(&v)) { ret = fprintf_fn(private_data, "%s:: ", msg->elements[i].name); CHECK_RET; diff --git a/source4/lib/ldb/ldb.i b/source4/lib/ldb/ldb.i index 35d443e809..0f05c1fbab 100644 --- a/source4/lib/ldb/ldb.i +++ b/source4/lib/ldb/ldb.i @@ -217,7 +217,7 @@ typedef struct ldb_dn { we do it this way... */ talloc_steal(NULL, ret); - if (ret == NULL) + if (ret == NULL || !ldb_dn_validate(ret)) SWIG_exception(SWIG_ValueError, "unable to parse dn string"); fail: @@ -263,7 +263,6 @@ fail: { char *dn = ldb_dn_get_linearized($self), *ret; asprintf(&ret, "Dn('%s')", dn); - talloc_free(dn); return ret; } diff --git a/source4/lib/ldb/ldb_tdb/ldb_tdb.c b/source4/lib/ldb/ldb_tdb/ldb_tdb.c index 34a4e03965..9e3ad80705 100644 --- a/source4/lib/ldb/ldb_tdb/ldb_tdb.c +++ b/source4/lib/ldb/ldb_tdb/ldb_tdb.c @@ -1076,12 +1076,14 @@ static void ltdb_callback(struct event_context *ev, } if (!ctx->callback_failed) { + /* Once we are done, we do not need timeout events */ + talloc_free(ctx->timeout_event); ltdb_request_done(ctx->req, ret); } } static int ltdb_handle_request(struct ldb_module *module, - struct ldb_request *req) + struct ldb_request *req) { struct event_context *ev; struct ltdb_context *ac; @@ -1115,10 +1117,9 @@ static int ltdb_handle_request(struct ldb_module *module, return LDB_ERR_OPERATIONS_ERROR; } - tv.tv_sec = req->starttime + req->timeout; - te = event_add_timed(ev, ac, tv, ltdb_timeout, ac); - if (NULL == te) { + ac->timeout_event = event_add_timed(ev, ac, tv, ltdb_timeout, ac); + if (NULL == ac->timeout_event) { return LDB_ERR_OPERATIONS_ERROR; } diff --git a/source4/lib/ldb/ldb_tdb/ldb_tdb.h b/source4/lib/ldb/ldb_tdb/ldb_tdb.h index 61e90bccc6..c78a8172c7 100644 --- a/source4/lib/ldb/ldb_tdb/ldb_tdb.h +++ b/source4/lib/ldb/ldb_tdb/ldb_tdb.h @@ -50,6 +50,7 @@ struct ltdb_context { struct ldb_dn *base; enum ldb_scope scope; const char * const *attrs; + struct timed_event *timeout_event; }; /* special record types */ diff --git a/source4/lib/ldb/ldb_wrap.c b/source4/lib/ldb/ldb_wrap.c index 194b562c30..4a34c1c998 100644 --- a/source4/lib/ldb/ldb_wrap.c +++ b/source4/lib/ldb/ldb_wrap.c @@ -2732,7 +2732,6 @@ SWIGINTERN char const *ldb_dn_canonical_ex_str(ldb_dn *self){ SWIGINTERN char *ldb_dn___repr__(ldb_dn *self){ char *dn = ldb_dn_get_linearized(self), *ret; asprintf(&ret, "Dn('%s')", dn); - talloc_free(dn); return ret; } SWIGINTERN ldb_dn *ldb_dn___add__(ldb_dn *self,ldb_dn *other){ diff --git a/source4/lib/registry/config.mk b/source4/lib/registry/config.mk index 2e2b45abe9..9af61f9632 100644 --- a/source4/lib/registry/config.mk +++ b/source4/lib/registry/config.mk @@ -97,7 +97,7 @@ regtree_OBJ_FILES = $(libregistrysrcdir)/tools/regtree.o MANPAGES += $(libregistrysrcdir)/man/regtree.1 [SUBSYSTEM::torture_registry] -PRIVATE_DEPENDENCIES = registry +PRIVATE_DEPENDENCIES = torture registry torture_registry_OBJ_FILES = $(addprefix $(libregistrysrcdir)/tests/, generic.o hive.o diff.o registry.o) diff --git a/source4/lib/wmi/config.mk b/source4/lib/wmi/config.mk index 28f6c73dcd..3bb1690c7b 100644 --- a/source4/lib/wmi/config.mk +++ b/source4/lib/wmi/config.mk @@ -43,7 +43,7 @@ librpc/gen_ndr/dcom_p.c: idl ####################### # Start LIBRARY swig_dcerpc [PYTHON::pywmi] -PUBLIC_DEPENDENCIES = LIBCLI_SMB NDR_MISC LIBSAMBA-UTIL LIBSAMBA-CONFIG WMI +PUBLIC_DEPENDENCIES = LIBCLI_SMB LIBNDR LIBSAMBA-UTIL LIBSAMBA-CONFIG WMI $(eval $(call python_py_module_template,wmi.py,$(wmisrcdir)/wmi.py)) diff --git a/source4/libcli/clideltree.c b/source4/libcli/clideltree.c index 28563d918e..d947ac3547 100644 --- a/source4/libcli/clideltree.c +++ b/source4/libcli/clideltree.c @@ -97,7 +97,8 @@ int smbcli_deltree(struct smbcli_tree *tree, const char *dname) } if (NT_STATUS_EQUAL(smbcli_nt_error(tree), NT_STATUS_OBJECT_NAME_NOT_FOUND) || NT_STATUS_EQUAL(smbcli_nt_error(tree), NT_STATUS_OBJECT_PATH_NOT_FOUND) || - NT_STATUS_EQUAL(smbcli_nt_error(tree), NT_STATUS_NO_SUCH_FILE)) { + NT_STATUS_EQUAL(smbcli_nt_error(tree), NT_STATUS_NO_SUCH_FILE) || + NT_STATUS_EQUAL(smbcli_nt_error(tree), NT_STATUS_DOS(ERRDOS, ERRbadfile))) { return 0; } if (NT_STATUS_EQUAL(status, NT_STATUS_CANNOT_DELETE)) { diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c index a12f7652a5..5e6a5faafa 100644 --- a/source4/libcli/ldap/ldap_bind.c +++ b/source4/libcli/ldap/ldap_bind.c @@ -286,7 +286,7 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, search = &sasl_mechs_msgs[0]->r.SearchResultEntry; if (search->num_attributes != 1) { - DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d\n", + DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d != 1\n", search->num_attributes)); goto failed; } diff --git a/source4/libcli/resolve/host.c b/source4/libcli/resolve/host.c index 1a695432ee..7d779b0678 100644 --- a/source4/libcli/resolve/host.c +++ b/source4/libcli/resolve/host.c @@ -53,10 +53,15 @@ struct host_state { */ static int host_destructor(struct host_state *state) { + int status; + + kill(state->child, SIGTERM); close(state->child_fd); - if (state->child != (pid_t)-1) { - kill(state->child, SIGTERM); + if (waitpid(state->child, &status, WNOHANG) == 0) { + kill(state->child, SIGKILL); + waitpid(state->child, &status, 0); } + return 0; } @@ -90,16 +95,23 @@ static void pipe_handler(struct event_context *ev, struct fd_event *fde, struct host_state *state = talloc_get_type(c->private_data, struct host_state); char address[128]; int ret; + pid_t child = state->child; + int status; /* if we get any event from the child then we know that we won't need to kill it off */ - state->child = (pid_t)-1; + talloc_set_destructor(state, NULL); /* yes, we don't care about EAGAIN or other niceities here. They just can't happen with this parent/child relationship, and even if they did then giving an error is the right thing to do */ ret = read(state->child_fd, address, sizeof(address)-1); + close(state->child_fd); + if (waitpid(state->child, &status, WNOHANG) == 0) { + kill(state->child, SIGKILL); + waitpid(state->child, &status, 0); + } if (ret <= 0) { composite_error(c, NT_STATUS_OBJECT_NAME_NOT_FOUND); return; @@ -164,10 +176,6 @@ struct composite_context *resolve_name_host_send(TALLOC_CTX *mem_ctx, return c; } - /* signal handling in posix really sucks - doing this in a library - affects the whole app, but what else to do?? */ - signal(SIGCHLD, SIG_IGN); - state->child = fork(); if (state->child == (pid_t)-1) { composite_error(c, map_nt_error_from_unix(errno)); diff --git a/source4/libcli/security/config.mk b/source4/libcli/security/config.mk index f2883d1ede..30b1f32935 100644 --- a/source4/libcli/security/config.mk +++ b/source4/libcli/security/config.mk @@ -1,5 +1,5 @@ [SUBSYSTEM::LIBSECURITY] -PUBLIC_DEPENDENCIES = NDR_MISC LIBNDR +PUBLIC_DEPENDENCIES = LIBNDR LIBSECURITY_OBJ_FILES = $(addprefix $(libclisrcdir)/security/, \ security_token.o security_descriptor.o \ diff --git a/source4/libcli/util/nterr.c b/source4/libcli/util/nterr.c index e95f0228c1..e94ed36d39 100644 --- a/source4/libcli/util/nterr.c +++ b/source4/libcli/util/nterr.c @@ -548,6 +548,7 @@ static const nt_err_code_struct nt_errs[] = { "NT_STATUS_CURRENT_DOMAIN_NOT_ALLOWED", NT_STATUS_CURRENT_DOMAIN_NOT_ALLOWED }, { "NT_STATUS_OBJECTID_NOT_FOUND", NT_STATUS_OBJECTID_NOT_FOUND }, { "NT_STATUS_DOWNGRADE_DETECTED", NT_STATUS_DOWNGRADE_DETECTED }, + { "NT_STATUS_DS_BUSY", NT_STATUS_DS_BUSY }, { "STATUS_MORE_ENTRIES", STATUS_MORE_ENTRIES }, { "STATUS_SOME_UNMAPPED", STATUS_SOME_UNMAPPED }, { "STATUS_NOTIFY_CLEANUP", STATUS_NOTIFY_CLEANUP }, diff --git a/source4/libnet/groupinfo.c b/source4/libnet/groupinfo.c index 1da6646702..5c94c34b1d 100644 --- a/source4/libnet/groupinfo.c +++ b/source4/libnet/groupinfo.c @@ -83,8 +83,8 @@ static void continue_groupinfo_lookup(struct rpc_request *req) if (s->monitor_fn) { msg.type = mon_SamrLookupName; msg_lookup = talloc(s, struct msg_rpc_lookup_name); - msg_lookup->rid = s->lookup.out.rids.ids; - msg_lookup->count = s->lookup.out.rids.count; + msg_lookup->rid = s->lookup.out.rids->ids; + msg_lookup->count = s->lookup.out.rids->count; msg.data = (void*)msg_lookup; msg.data_size = sizeof(*msg_lookup); @@ -94,7 +94,7 @@ static void continue_groupinfo_lookup(struct rpc_request *req) /* have we actually got name resolved - we're looking for only one at the moment */ - if (s->lookup.out.rids.count == 0) { + if (s->lookup.out.rids->count == 0) { composite_error(c, NT_STATUS_NO_SUCH_USER); } @@ -103,7 +103,7 @@ static void continue_groupinfo_lookup(struct rpc_request *req) /* prepare parameters for LookupNames */ s->opengroup.in.domain_handle = &s->domain_handle; s->opengroup.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - s->opengroup.in.rid = s->lookup.out.rids.ids[0]; + s->opengroup.in.rid = s->lookup.out.rids->ids[0]; s->opengroup.out.group_handle = &s->group_handle; /* send request */ @@ -152,6 +152,8 @@ static void continue_groupinfo_opengroup(struct rpc_request *req) /* prepare parameters for QueryGroupInfo call */ s->querygroupinfo.in.group_handle = &s->group_handle; s->querygroupinfo.in.level = s->level; + s->querygroupinfo.out.info = talloc(s, union samr_GroupInfo *); + if (composite_nomem(s->querygroupinfo.out.info, c)) return; /* queue rpc call, set event handling and new state */ querygroup_req = dcerpc_samr_QueryGroupInfo_send(s->pipe, c, &s->querygroupinfo); @@ -185,7 +187,7 @@ static void continue_groupinfo_getgroup(struct rpc_request *req) return; } - s->info = talloc_steal(s, s->querygroupinfo.out.info); + s->info = talloc_steal(s, *s->querygroupinfo.out.info); /* issue a monitor message */ if (s->monitor_fn) { @@ -301,7 +303,11 @@ struct composite_context *libnet_rpc_groupinfo_send(struct dcerpc_pipe *p, s->lookup.in.names[0].string = talloc_strdup(s, io->in.groupname); if (composite_nomem(s->lookup.in.names[0].string, c)) return c; - + s->lookup.out.rids = talloc_zero(s, struct samr_Ids); + s->lookup.out.types = talloc_zero(s, struct samr_Ids); + if (composite_nomem(s->lookup.out.rids, c)) return c; + if (composite_nomem(s->lookup.out.types, c)) return c; + /* send request */ lookup_req = dcerpc_samr_LookupNames_send(p, c, &s->lookup); if (composite_nomem(lookup_req, c)) return c; diff --git a/source4/libnet/groupman.c b/source4/libnet/groupman.c index 58d5742336..4dfb2d8aab 100644 --- a/source4/libnet/groupman.c +++ b/source4/libnet/groupman.c @@ -174,6 +174,10 @@ struct composite_context* libnet_rpc_groupdel_send(struct dcerpc_pipe *p, s->lookupname.in.num_names = 1; s->lookupname.in.names = talloc_zero(s, struct lsa_String); s->lookupname.in.names->string = io->in.groupname; + s->lookupname.out.rids = talloc_zero(s, struct samr_Ids); + s->lookupname.out.types = talloc_zero(s, struct samr_Ids); + if (composite_nomem(s->lookupname.out.rids, c)) return c; + if (composite_nomem(s->lookupname.out.types, c)) return c; /* send the request */ lookup_req = dcerpc_samr_LookupNames_send(p, c, &s->lookupname); @@ -205,12 +209,12 @@ static void continue_groupdel_name_found(struct rpc_request *req) /* what to do when there's no group account to delete and what if there's more than one rid resolved */ - if (!s->lookupname.out.rids.count) { + if (!s->lookupname.out.rids->count) { c->status = NT_STATUS_NO_SUCH_GROUP; composite_error(c, c->status); return; - } else if (!s->lookupname.out.rids.count > 1) { + } else if (!s->lookupname.out.rids->count > 1) { c->status = NT_STATUS_INVALID_ACCOUNT_NAME; composite_error(c, c->status); return; @@ -218,7 +222,7 @@ static void continue_groupdel_name_found(struct rpc_request *req) /* prepare the arguments for rpc call */ s->opengroup.in.domain_handle = &s->domain_handle; - s->opengroup.in.rid = s->lookupname.out.rids.ids[0]; + s->opengroup.in.rid = s->lookupname.out.rids->ids[0]; s->opengroup.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; s->opengroup.out.group_handle = &s->group_handle; diff --git a/source4/libnet/libnet_domain.c b/source4/libnet/libnet_domain.c index ccdfdaf134..eb6920d88e 100644 --- a/source4/libnet/libnet_domain.c +++ b/source4/libnet/libnet_domain.c @@ -40,6 +40,7 @@ struct domain_open_samr_state { uint32_t access_mask; struct policy_handle connect_handle; struct policy_handle domain_handle; + struct dom_sid2 *domain_sid; /* information about the progress */ void (*monitor_fn)(struct monitor_msg*); @@ -159,6 +160,8 @@ static void continue_domain_open_connect(struct rpc_request *req) /* prepare for samr_LookupDomain call */ r->in.connect_handle = &s->connect_handle; r->in.domain_name = &s->domain_name; + r->out.sid = talloc(s, struct dom_sid2 *); + if (composite_nomem(r->out.sid, c)) return; lookup_req = dcerpc_samr_LookupDomain_send(s->pipe, c, r); if (composite_nomem(lookup_req, c)) return; @@ -209,7 +212,7 @@ static void continue_domain_open_lookup(struct rpc_request *req) /* prepare for samr_OpenDomain call */ r->in.connect_handle = &s->connect_handle; r->in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - r->in.sid = s->lookup.out.sid; + r->in.sid = *s->lookup.out.sid; r->out.domain_handle = &s->domain_handle; opendom_req = dcerpc_samr_OpenDomain_send(s->pipe, c, r); @@ -361,7 +364,7 @@ NTSTATUS libnet_DomainOpenSamr_recv(struct composite_context *c, struct libnet_c libnet functions */ ctx->samr.connect_handle = s->connect_handle; ctx->samr.handle = s->domain_handle; - ctx->samr.sid = talloc_steal(ctx, s->lookup.out.sid); + ctx->samr.sid = talloc_steal(ctx, *s->lookup.out.sid); ctx->samr.name = talloc_steal(ctx, s->domain_name.string); ctx->samr.access_mask = s->access_mask; } @@ -998,6 +1001,10 @@ static void continue_samr_connect(struct rpc_request *req) s->enumdom.in.resume_handle = &s->resume_handle; s->enumdom.in.buf_size = s->buf_size; s->enumdom.out.resume_handle = &s->resume_handle; + s->enumdom.out.num_entries = talloc(s, uint32_t); + if (composite_nomem(s->enumdom.out.num_entries, c)) return; + s->enumdom.out.sam = talloc(s, struct samr_SamArray *); + if (composite_nomem(s->enumdom.out.sam, c)) return; enumdom_req = dcerpc_samr_EnumDomains_send(s->ctx->samr.pipe, c, &s->enumdom); if (composite_nomem(enumdom_req, c)) return; @@ -1113,16 +1120,16 @@ static struct domainlist* get_domain_list(TALLOC_CTX *mem_ctx, struct domain_lis /* prepare domains array */ if (s->domains == NULL) { s->domains = talloc_array(mem_ctx, struct domainlist, - s->enumdom.out.num_entries); + *s->enumdom.out.num_entries); } else { s->domains = talloc_realloc(mem_ctx, s->domains, struct domainlist, - s->count + s->enumdom.out.num_entries); + s->count + *s->enumdom.out.num_entries); } /* copy domain names returned from samr_EnumDomains call */ - for (i = s->count; i < s->count + s->enumdom.out.num_entries; i++) + for (i = s->count; i < s->count + *s->enumdom.out.num_entries; i++) { - struct lsa_String *domain_name = &s->enumdom.out.sam->entries[i - s->count].name; + struct lsa_String *domain_name = &(*s->enumdom.out.sam)->entries[i - s->count].name; /* strdup name as a child of allocated array to make it follow the array in case of talloc_steal or talloc_free */ @@ -1131,7 +1138,7 @@ static struct domainlist* get_domain_list(TALLOC_CTX *mem_ctx, struct domain_lis } /* number of entries returned (domains enumerated) */ - s->count += s->enumdom.out.num_entries; + s->count += *s->enumdom.out.num_entries; return s->domains; } diff --git a/source4/libnet/libnet_group.c b/source4/libnet/libnet_group.c index eded378511..af5fe4d5d3 100644 --- a/source4/libnet/libnet_group.c +++ b/source4/libnet/libnet_group.c @@ -518,6 +518,10 @@ static void continue_domain_queried(struct rpc_request *req) s->group_list.in.max_size = s->page_size; s->group_list.in.resume_handle = &s->resume_index; s->group_list.out.resume_handle = &s->resume_index; + s->group_list.out.num_entries = talloc(s, uint32_t); + if (composite_nomem(s->group_list.out.num_entries, c)) return; + s->group_list.out.sam = talloc(s, struct samr_SamArray *); + if (composite_nomem(s->group_list.out.sam, c)) return; /* send the request */ enum_req = dcerpc_samr_EnumDomainGroups_send(s->ctx->samr.pipe, c, &s->group_list); @@ -549,6 +553,10 @@ static void continue_samr_domain_opened(struct composite_context *ctx) s->group_list.in.max_size = s->page_size; s->group_list.in.resume_handle = &s->resume_index; s->group_list.out.resume_handle = &s->resume_index; + s->group_list.out.num_entries = talloc(s, uint32_t); + if (composite_nomem(s->group_list.out.num_entries, c)) return; + s->group_list.out.sam = talloc(s, struct samr_SamArray *); + if (composite_nomem(s->group_list.out.sam, c)) return; /* send the request */ enum_req = dcerpc_samr_EnumDomainGroups_send(s->ctx->samr.pipe, c, &s->group_list); @@ -587,15 +595,15 @@ static void continue_groups_enumerated(struct rpc_request *req) /* get enumerated accounts counter and resume handle (the latter allows making subsequent call to continue enumeration) */ s->resume_index = *s->group_list.out.resume_handle; - s->count = s->group_list.out.num_entries; + s->count = *s->group_list.out.num_entries; /* prepare returned group accounts array */ - s->groups = talloc_array(c, struct grouplist, s->group_list.out.sam->count); + s->groups = talloc_array(c, struct grouplist, (*s->group_list.out.sam)->count); if (composite_nomem(s->groups, c)) return; - for (i = 0; i < s->group_list.out.sam->count; i++) { + for (i = 0; i < (*s->group_list.out.sam)->count; i++) { struct dom_sid *group_sid; - struct samr_SamEntry *entry = &s->group_list.out.sam->entries[i]; + struct samr_SamEntry *entry = &(*s->group_list.out.sam)->entries[i]; struct dom_sid *domain_sid = (*s->query_domain.out.info)->domain.sid; /* construct group sid from returned rid and queried domain sid */ diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c index 0ed5e8ae26..70fcb4a894 100644 --- a/source4/libnet/libnet_join.c +++ b/source4/libnet/libnet_join.c @@ -444,13 +444,16 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru struct samr_OpenDomain od; struct policy_handle d_handle; struct samr_LookupNames ln; + struct samr_Ids rids, types; struct samr_OpenUser ou; struct samr_CreateUser2 cu; struct policy_handle *u_handle = NULL; struct samr_QueryUserInfo qui; + union samr_UserInfo *uinfo; struct samr_UserInfo21 u_info21; union libnet_SetPassword r2; struct samr_GetUserPwInfo pwp; + struct samr_PwInfo info; struct lsa_String samr_account_name; uint32_t acct_flags, old_acct_flags; @@ -559,9 +562,11 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru if (!connect_with_info->out.domain_sid) { struct lsa_String name; struct samr_LookupDomain l; + struct dom_sid2 *sid = NULL; name.string = connect_with_info->out.domain_name; l.in.connect_handle = &p_handle; l.in.domain_name = &name; + l.out.sid = &sid; status = dcerpc_samr_LookupDomain(samr_pipe, tmp_ctx, &l); if (!NT_STATUS_IS_OK(status)) { @@ -571,7 +576,7 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru talloc_free(tmp_ctx); return status; } - connect_with_info->out.domain_sid = l.out.sid; + connect_with_info->out.domain_sid = *l.out.sid; } /* prepare samr_OpenDomain */ @@ -611,6 +616,8 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru ln.in.domain_handle = &d_handle; ln.in.num_names = 1; ln.in.names = talloc_array(tmp_ctx, struct lsa_String, 1); + ln.out.rids = &rids; + ln.out.types = &types; if (!ln.in.names) { r->out.error_string = NULL; talloc_free(tmp_ctx); @@ -630,10 +637,10 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru } /* check if we got one RID for the user */ - if (ln.out.rids.count != 1) { + if (ln.out.rids->count != 1) { r->out.error_string = talloc_asprintf(mem_ctx, "samr_LookupNames for [%s] returns %d RIDs", - r->in.account_name, ln.out.rids.count); + r->in.account_name, ln.out.rids->count); talloc_free(tmp_ctx); return NT_STATUS_INVALID_PARAMETER; } @@ -642,7 +649,7 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru ZERO_STRUCTP(u_handle); ou.in.domain_handle = &d_handle; ou.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - ou.in.rid = ln.out.rids.ids[0]; + ou.in.rid = ln.out.rids->ids[0]; rid = ou.in.rid; ou.out.user_handle = u_handle; @@ -694,6 +701,7 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru /* prepare samr_QueryUserInfo (get flags) */ qui.in.user_handle = u_handle; qui.in.level = 16; + qui.out.info = &uinfo; status = dcerpc_samr_QueryUserInfo(samr_pipe, tmp_ctx, &qui); if (!NT_STATUS_IS_OK(status)) { @@ -705,7 +713,7 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru return status; } - if (!qui.out.info) { + if (!uinfo) { status = NT_STATUS_INVALID_PARAMETER; r->out.error_string = talloc_asprintf(mem_ctx, @@ -715,7 +723,7 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru return status; } - old_acct_flags = (qui.out.info->info16.acct_flags & (ACB_WSTRUST | ACB_SVRTRUST | ACB_DOMTRUST)); + old_acct_flags = (uinfo->info16.acct_flags & (ACB_WSTRUST | ACB_SVRTRUST | ACB_DOMTRUST)); /* Possibly bail if the account is of the wrong type */ if (old_acct_flags != r->in.acct_type) { @@ -771,17 +779,18 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru return NT_STATUS_USER_EXISTS; } } else { - acct_flags = qui.out.info->info16.acct_flags; + acct_flags = uinfo->info16.acct_flags; } acct_flags = (acct_flags & ~(ACB_DISABLED|ACB_PWNOTREQ)); /* Find out what password policy this user has */ pwp.in.user_handle = u_handle; + pwp.out.info = &info; status = dcerpc_samr_GetUserPwInfo(samr_pipe, tmp_ctx, &pwp); if (NT_STATUS_IS_OK(status)) { - policy_min_pw_len = pwp.out.info.min_password_length; + policy_min_pw_len = pwp.out.info->min_password_length; } /* Grab a password of that minimum length */ diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c index de2ed01abd..80de6134b5 100644 --- a/source4/libnet/libnet_passwd.c +++ b/source4/libnet/libnet_passwd.c @@ -50,6 +50,8 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT struct samr_Password nt_verifier, lm_verifier; uint8_t old_nt_hash[16], new_nt_hash[16]; uint8_t old_lm_hash[16], new_lm_hash[16]; + struct samr_DomInfo1 *dominfo = NULL; + struct samr_ChangeReject *reject = NULL; /* prepare connect to the SAMR pipe of the users domain PDC */ c.level = LIBNET_RPC_CONNECT_PDC; @@ -92,6 +94,8 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT pw3.in.lm_password = &lm_pass; pw3.in.lm_verifier = &lm_verifier; pw3.in.password3 = NULL; + pw3.out.dominfo = &dominfo; + pw3.out.reject = &reject; /* 2. try samr_ChangePasswordUser3 */ status = dcerpc_samr_ChangePasswordUser3(c.out.dcerpc_pipe, mem_ctx, &pw3); @@ -303,7 +307,7 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA /* prepare samr_SetUserInfo2 level 26 */ ZERO_STRUCT(u_info); encode_pw_buffer(u_info.info26.password.data, r->samr_handle.in.newpassword, STR_UNICODE); - u_info.info26.pw_len = strlen(r->samr_handle.in.newpassword); + u_info.info26.password_expired = 0; status = dcerpc_fetch_session_key(r->samr_handle.in.dcerpc_pipe, &session_key); if (!NT_STATUS_IS_OK(status)) { @@ -406,8 +410,7 @@ static NTSTATUS libnet_SetPassword_samr_handle_24(struct libnet_context *ctx, TA /* prepare samr_SetUserInfo2 level 24 */ ZERO_STRUCT(u_info); encode_pw_buffer(u_info.info24.password.data, r->samr_handle.in.newpassword, STR_UNICODE); - /* w2k3 ignores this length */ - u_info.info24.pw_len = strlen_m(r->samr_handle.in.newpassword)*2; + u_info.info24.password_expired = 0; status = dcerpc_fetch_session_key(r->samr_handle.in.dcerpc_pipe, &session_key); if (!NT_STATUS_IS_OK(status)) { @@ -527,10 +530,12 @@ static NTSTATUS libnet_SetPassword_samr(struct libnet_context *ctx, TALLOC_CTX * struct samr_Connect sc; struct policy_handle p_handle; struct samr_LookupDomain ld; + struct dom_sid2 *sid = NULL; struct lsa_String d_name; struct samr_OpenDomain od; struct policy_handle d_handle; struct samr_LookupNames ln; + struct samr_Ids rids, types; struct samr_OpenUser ou; struct policy_handle u_handle; union libnet_SetPassword r2; @@ -568,6 +573,7 @@ static NTSTATUS libnet_SetPassword_samr(struct libnet_context *ctx, TALLOC_CTX * d_name.string = r->samr.in.domain_name; ld.in.connect_handle = &p_handle; ld.in.domain_name = &d_name; + ld.out.sid = &sid; /* 3. do a samr_LookupDomain to get the domain sid */ status = dcerpc_samr_LookupDomain(c.out.dcerpc_pipe, mem_ctx, &ld); @@ -582,7 +588,7 @@ static NTSTATUS libnet_SetPassword_samr(struct libnet_context *ctx, TALLOC_CTX * ZERO_STRUCT(d_handle); od.in.connect_handle = &p_handle; od.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - od.in.sid = ld.out.sid; + od.in.sid = *ld.out.sid; od.out.domain_handle = &d_handle; /* 4. do a samr_OpenDomain to get a domain handle */ @@ -598,6 +604,8 @@ static NTSTATUS libnet_SetPassword_samr(struct libnet_context *ctx, TALLOC_CTX * ln.in.domain_handle = &d_handle; ln.in.num_names = 1; ln.in.names = talloc_array(mem_ctx, struct lsa_String, 1); + ln.out.rids = &rids; + ln.out.types = &types; if (!ln.in.names) { r->samr.out.error_string = "Out of Memory"; return NT_STATUS_NO_MEMORY; @@ -614,10 +622,10 @@ static NTSTATUS libnet_SetPassword_samr(struct libnet_context *ctx, TALLOC_CTX * } /* check if we got one RID for the user */ - if (ln.out.rids.count != 1) { + if (ln.out.rids->count != 1) { r->samr.out.error_string = talloc_asprintf(mem_ctx, "samr_LookupNames for [%s] returns %d RIDs", - r->samr.in.account_name, ln.out.rids.count); + r->samr.in.account_name, ln.out.rids->count); status = NT_STATUS_INVALID_PARAMETER; goto disconnect; } @@ -626,7 +634,7 @@ static NTSTATUS libnet_SetPassword_samr(struct libnet_context *ctx, TALLOC_CTX * ZERO_STRUCT(u_handle); ou.in.domain_handle = &d_handle; ou.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - ou.in.rid = ln.out.rids.ids[0]; + ou.in.rid = ln.out.rids->ids[0]; ou.out.user_handle = &u_handle; /* 6. do a samr_OpenUser to get a user handle */ diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c index 8b7dd1f598..160b4b3e19 100644 --- a/source4/libnet/libnet_samsync_ldb.c +++ b/source4/libnet/libnet_samsync_ldb.c @@ -384,7 +384,11 @@ static NTSTATUS samsync_ldb_handle_user(TALLOC_CTX *mem_ctx, } ADD_OR_DEL(string, "comment", comment.string); - ADD_OR_DEL(string, "userParameters", parameters.string); + + if (samdb_msg_add_parameters(state->sam_ldb, mem_ctx, msg, "userParameters", &user->parameters) != 0) { + return NT_STATUS_NO_MEMORY; + } + ADD_OR_DEL(uint, "countryCode", country_code); ADD_OR_DEL(uint, "codePage", code_page); diff --git a/source4/libnet/libnet_user.c b/source4/libnet/libnet_user.c index c768319452..8606d0856e 100644 --- a/source4/libnet/libnet_user.c +++ b/source4/libnet/libnet_user.c @@ -1032,6 +1032,10 @@ static void continue_domain_queried(struct rpc_request *req) s->user_list.in.resume_handle = &s->resume_index; s->user_list.in.acct_flags = ACB_NORMAL; s->user_list.out.resume_handle = &s->resume_index; + s->user_list.out.num_entries = talloc(s, uint32_t); + if (composite_nomem(s->user_list.out.num_entries, c)) return; + s->user_list.out.sam = talloc(s, struct samr_SamArray *); + if (composite_nomem(s->user_list.out.sam, c)) return; /* send the request */ enum_req = dcerpc_samr_EnumDomainUsers_send(s->ctx->samr.pipe, c, &s->user_list); @@ -1064,6 +1068,10 @@ static void continue_samr_domain_opened(struct composite_context *ctx) s->user_list.in.resume_handle = &s->resume_index; s->user_list.in.acct_flags = ACB_NORMAL; s->user_list.out.resume_handle = &s->resume_index; + s->user_list.out.sam = talloc(s, struct samr_SamArray *); + if (composite_nomem(s->user_list.out.sam, c)) return; + s->user_list.out.num_entries = talloc(s, uint32_t); + if (composite_nomem(s->user_list.out.num_entries, c)) return; /* send the request */ enum_req = dcerpc_samr_EnumDomainUsers_send(s->ctx->samr.pipe, c, &s->user_list); @@ -1102,15 +1110,15 @@ static void continue_users_enumerated(struct rpc_request *req) /* get enumerated accounts counter and resume handle (the latter allows making subsequent call to continue enumeration) */ s->resume_index = *s->user_list.out.resume_handle; - s->count = s->user_list.out.num_entries; + s->count = *s->user_list.out.num_entries; /* prepare returned user accounts array */ - s->users = talloc_array(c, struct userlist, s->user_list.out.sam->count); + s->users = talloc_array(c, struct userlist, (*s->user_list.out.sam)->count); if (composite_nomem(s->users, c)) return; - for (i = 0; i < s->user_list.out.sam->count; i++) { + for (i = 0; i < (*s->user_list.out.sam)->count; i++) { struct dom_sid *user_sid; - struct samr_SamEntry *entry = &s->user_list.out.sam->entries[i]; + struct samr_SamEntry *entry = &(*s->user_list.out.sam)->entries[i]; struct dom_sid *domain_sid = (*s->query_domain.out.info)->domain.sid; /* construct user sid from returned rid and queried domain sid */ diff --git a/source4/libnet/userinfo.c b/source4/libnet/userinfo.c index e8b6b090c7..710154d41e 100644 --- a/source4/libnet/userinfo.c +++ b/source4/libnet/userinfo.c @@ -82,8 +82,8 @@ static void continue_userinfo_lookup(struct rpc_request *req) if (s->monitor_fn) { msg.type = mon_SamrLookupName; msg_lookup = talloc(s, struct msg_rpc_lookup_name); - msg_lookup->rid = s->lookup.out.rids.ids; - msg_lookup->count = s->lookup.out.rids.count; + msg_lookup->rid = s->lookup.out.rids->ids; + msg_lookup->count = s->lookup.out.rids->count; msg.data = (void*)msg_lookup; msg.data_size = sizeof(*msg_lookup); @@ -93,7 +93,7 @@ static void continue_userinfo_lookup(struct rpc_request *req) /* have we actually got name resolved - we're looking for only one at the moment */ - if (s->lookup.out.rids.count == 0) { + if (s->lookup.out.rids->count == 0) { composite_error(c, NT_STATUS_NO_SUCH_USER); } @@ -102,7 +102,7 @@ static void continue_userinfo_lookup(struct rpc_request *req) /* prepare parameters for LookupNames */ s->openuser.in.domain_handle = &s->domain_handle; s->openuser.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - s->openuser.in.rid = s->lookup.out.rids.ids[0]; + s->openuser.in.rid = s->lookup.out.rids->ids[0]; s->openuser.out.user_handle = &s->user_handle; /* send request */ @@ -151,6 +151,8 @@ static void continue_userinfo_openuser(struct rpc_request *req) /* prepare parameters for QueryUserInfo call */ s->queryuserinfo.in.user_handle = &s->user_handle; s->queryuserinfo.in.level = s->level; + s->queryuserinfo.out.info = talloc(s, union samr_UserInfo *); + if (composite_nomem(s->queryuserinfo.out.info, c)) return; /* queue rpc call, set event handling and new state */ queryuser_req = dcerpc_samr_QueryUserInfo_send(s->pipe, c, &s->queryuserinfo); @@ -184,7 +186,7 @@ static void continue_userinfo_getuser(struct rpc_request *req) return; } - s->info = talloc_steal(s, s->queryuserinfo.out.info); + s->info = talloc_steal(s, *(s->queryuserinfo.out.info)); /* issue a monitor message */ if (s->monitor_fn) { @@ -297,6 +299,10 @@ struct composite_context *libnet_rpc_userinfo_send(struct dcerpc_pipe *p, s->lookup.in.num_names = 1; s->lookup.in.names = talloc_array(s, struct lsa_String, 1); if (composite_nomem(s->lookup.in.names, c)) return c; + s->lookup.out.rids = talloc_zero(s, struct samr_Ids); + s->lookup.out.types = talloc_zero(s, struct samr_Ids); + if (composite_nomem(s->lookup.out.rids, c)) return c; + if (composite_nomem(s->lookup.out.types, c)) return c; s->lookup.in.names[0].string = talloc_strdup(s, io->in.username); if (composite_nomem(s->lookup.in.names[0].string, c)) return c; diff --git a/source4/libnet/userman.c b/source4/libnet/userman.c index 398d9f2cb0..c638d8af32 100644 --- a/source4/libnet/userman.c +++ b/source4/libnet/userman.c @@ -236,12 +236,12 @@ static void continue_userdel_name_found(struct rpc_request *req) /* what to do when there's no user account to delete and what if there's more than one rid resolved */ - if (!s->lookupname.out.rids.count) { + if (!s->lookupname.out.rids->count) { c->status = NT_STATUS_NO_SUCH_USER; composite_error(c, c->status); return; - } else if (!s->lookupname.out.rids.count > 1) { + } else if (!s->lookupname.out.rids->count > 1) { c->status = NT_STATUS_INVALID_ACCOUNT_NAME; composite_error(c, c->status); return; @@ -251,8 +251,8 @@ static void continue_userdel_name_found(struct rpc_request *req) if (s->monitor_fn) { struct msg_rpc_lookup_name msg_lookup; - msg_lookup.rid = s->lookupname.out.rids.ids; - msg_lookup.count = s->lookupname.out.rids.count; + msg_lookup.rid = s->lookupname.out.rids->ids; + msg_lookup.count = s->lookupname.out.rids->count; msg.type = mon_SamrLookupName; msg.data = (void*)&msg_lookup; @@ -262,7 +262,7 @@ static void continue_userdel_name_found(struct rpc_request *req) /* prepare the arguments for rpc call */ s->openuser.in.domain_handle = &s->domain_handle; - s->openuser.in.rid = s->lookupname.out.rids.ids[0]; + s->openuser.in.rid = s->lookupname.out.rids->ids[0]; s->openuser.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; s->openuser.out.user_handle = &s->user_handle; @@ -393,6 +393,10 @@ struct composite_context *libnet_rpc_userdel_send(struct dcerpc_pipe *p, s->lookupname.in.num_names = 1; s->lookupname.in.names = talloc_zero(s, struct lsa_String); s->lookupname.in.names->string = io->in.username; + s->lookupname.out.rids = talloc_zero(s, struct samr_Ids); + s->lookupname.out.types = talloc_zero(s, struct samr_Ids); + if (composite_nomem(s->lookupname.out.rids, c)) return c; + if (composite_nomem(s->lookupname.out.types, c)) return c; /* send the request */ lookup_req = dcerpc_samr_LookupNames_send(p, c, &s->lookupname); @@ -500,12 +504,12 @@ static void continue_usermod_name_found(struct rpc_request *req) /* what to do when there's no user account to delete and what if there's more than one rid resolved */ - if (!s->lookupname.out.rids.count) { + if (!s->lookupname.out.rids->count) { c->status = NT_STATUS_NO_SUCH_USER; composite_error(c, c->status); return; - } else if (!s->lookupname.out.rids.count > 1) { + } else if (!s->lookupname.out.rids->count > 1) { c->status = NT_STATUS_INVALID_ACCOUNT_NAME; composite_error(c, c->status); return; @@ -515,8 +519,8 @@ static void continue_usermod_name_found(struct rpc_request *req) if (s->monitor_fn) { struct msg_rpc_lookup_name msg_lookup; - msg_lookup.rid = s->lookupname.out.rids.ids; - msg_lookup.count = s->lookupname.out.rids.count; + msg_lookup.rid = s->lookupname.out.rids->ids; + msg_lookup.count = s->lookupname.out.rids->count; msg.type = mon_SamrLookupName; msg.data = (void*)&msg_lookup; @@ -526,7 +530,7 @@ static void continue_usermod_name_found(struct rpc_request *req) /* prepare the next rpc call */ s->openuser.in.domain_handle = &s->domain_handle; - s->openuser.in.rid = s->lookupname.out.rids.ids[0]; + s->openuser.in.rid = s->lookupname.out.rids->ids[0]; s->openuser.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; s->openuser.out.user_handle = &s->user_handle; @@ -679,6 +683,9 @@ static NTSTATUS usermod_change(struct composite_context *c, if (!do_set) { s->queryuser.in.user_handle = &s->user_handle; s->queryuser.in.level = level; + s->queryuser.out.info = talloc(s, union samr_UserInfo *); + if (composite_nomem(s->queryuser.out.info, c)) return; + /* send query user info request to retrieve complete data of a particular info level */ @@ -751,7 +758,7 @@ static void continue_usermod_user_queried(struct rpc_request *req) /* get returned user data and make a change (potentially one of many) */ - s->info = *s->queryuser.out.info; + s->info = *(*s->queryuser.out.info); usermod_setfields(s, &level, i, true); @@ -834,6 +841,10 @@ struct composite_context *libnet_rpc_usermod_send(struct dcerpc_pipe *p, s->lookupname.in.num_names = 1; s->lookupname.in.names = talloc_zero(s, struct lsa_String); s->lookupname.in.names->string = io->in.username; + s->lookupname.out.rids = talloc_zero(s, struct samr_Ids); + s->lookupname.out.types = talloc_zero(s, struct samr_Ids); + if (composite_nomem(s->lookupname.out.rids, c)) return c; + if (composite_nomem(s->lookupname.out.types, c)) return c; /* send the rpc request */ lookup_req = dcerpc_samr_LookupNames_send(p, c, &s->lookupname); diff --git a/source4/librpc/config.mk b/source4/librpc/config.mk index b2b9f2e7a7..97da760832 100644 --- a/source4/librpc/config.mk +++ b/source4/librpc/config.mk @@ -8,7 +8,7 @@ dcerpcsrcdir = $(librpcsrcdir)/rpc PUBLIC_DEPENDENCIES = LIBSAMBA-ERRORS LIBTALLOC LIBSAMBA-UTIL CHARSET \ LIBSAMBA-HOSTCONFIG -LIBNDR_OBJ_FILES = $(addprefix $(ndrsrcdir)/, ndr_string.o) ../librpc/ndr/ndr_basic.o ../librpc/ndr/uuid.o ../librpc/ndr/ndr.o +LIBNDR_OBJ_FILES = $(addprefix $(ndrsrcdir)/, ndr_string.o) ../librpc/ndr/ndr_basic.o ../librpc/ndr/uuid.o ../librpc/ndr/ndr.o $(gen_ndrsrcdir)/ndr_misc.o ../librpc/ndr/ndr_misc.o PC_FILES += ../librpc/ndr.pc LIBNDR_VERSION = 0.0.1 @@ -18,6 +18,7 @@ LIBNDR_SOVERSION = 0 ################################################ PUBLIC_HEADERS += ../librpc/ndr/libndr.h +PUBLIC_HEADERS += $(gen_ndrsrcdir)/misc.h $(gen_ndrsrcdir)/ndr_misc.h ################################# # Start BINARY ndrdump @@ -49,17 +50,26 @@ PUBLIC_DEPENDENCIES = LIBSAMBA-ERRORS LIBNDR NDR_COMPRESSION_OBJ_FILES = ../librpc/ndr/ndr_compression.o [SUBSYSTEM::NDR_SECURITY] -PUBLIC_DEPENDENCIES = NDR_MISC LIBSECURITY +PUBLIC_DEPENDENCIES = LIBNDR LIBSECURITY + +NDR_SECURITY_OBJ_FILES = $(gen_ndrsrcdir)/ndr_security.o \ + ../librpc/ndr/ndr_sec_helper.o \ + $(gen_ndrsrcdir)/ndr_dom_sid.o \ + $(ndrsrcdir)/ndr_dom_sid.o -NDR_SECURITY_OBJ_FILES = $(gen_ndrsrcdir)/ndr_security.o $(ndrsrcdir)/ndr_sec_helper.o +PUBLIC_HEADERS += $(addprefix $(gen_ndrsrcdir)/, security.h dom_sid.h) -PUBLIC_HEADERS += $(gen_ndrsrcdir)/security.h [SUBSYSTEM::NDR_AUDIOSRV] PUBLIC_DEPENDENCIES = LIBNDR NDR_AUDIOSRV_OBJ_FILES = $(gen_ndrsrcdir)/ndr_audiosrv.o +[SUBSYSTEM::NDR_NAMED_PIPE_AUTH] +PUBLIC_DEPENDENCIES = LIBNDR + +NDR_NAMED_PIPE_AUTH_OBJ_FILES = $(gen_ndrsrcdir)/ndr_named_pipe_auth.o + [SUBSYSTEM::NDR_DNSSERVER] PUBLIC_DEPENDENCIES = LIBNDR @@ -100,13 +110,6 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_SECURITY NDR_EFS_OBJ_FILES = $(gen_ndrsrcdir)/ndr_efs.o -[SUBSYSTEM::NDR_MISC] -PUBLIC_DEPENDENCIES = LIBNDR - -NDR_MISC_OBJ_FILES = $(gen_ndrsrcdir)/ndr_misc.o ../librpc/ndr/ndr_misc.o - -PUBLIC_HEADERS += $(gen_ndrsrcdir)/misc.h $(gen_ndrsrcdir)/ndr_misc.h - [SUBSYSTEM::NDR_ROT] PUBLIC_DEPENDENCIES = LIBNDR NDR_ORPC @@ -120,7 +123,7 @@ NDR_LSA_OBJ_FILES = $(gen_ndrsrcdir)/ndr_lsa.o PUBLIC_HEADERS += $(gen_ndrsrcdir)/lsa.h [SUBSYSTEM::NDR_DFS] -PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC +PUBLIC_DEPENDENCIES = LIBNDR NDR_DFS_OBJ_FILES = $(gen_ndrsrcdir)/ndr_dfs.o @@ -140,7 +143,7 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_COMPRESSION NDR_SECURITY NDR_SAMR ASN1_UTIL NDR_DRSUAPI_OBJ_FILES = $(gen_ndrsrcdir)/ndr_drsuapi.o ../librpc/ndr/ndr_drsuapi.o [SUBSYSTEM::NDR_DRSBLOBS] -PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC NDR_DRSUAPI +PUBLIC_DEPENDENCIES = LIBNDR NDR_DRSUAPI NDR_DRSBLOBS_OBJ_FILES = $(gen_ndrsrcdir)/ndr_drsblobs.o ../librpc/ndr/ndr_drsblobs.o @@ -160,14 +163,14 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_SECURITY NDR_UNIXINFO_OBJ_FILES = $(gen_ndrsrcdir)/ndr_unixinfo.o [SUBSYSTEM::NDR_SAMR] -PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC NDR_LSA NDR_SECURITY +PUBLIC_DEPENDENCIES = LIBNDR NDR_LSA NDR_SECURITY NDR_SAMR_OBJ_FILES = $(gen_ndrsrcdir)/ndr_samr.o PUBLIC_HEADERS += $(addprefix $(librpcsrcdir)/, gen_ndr/samr.h gen_ndr/ndr_samr.h gen_ndr/ndr_samr_c.h) [SUBSYSTEM::NDR_NFS4ACL] -PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC NDR_SECURITY +PUBLIC_DEPENDENCIES = LIBNDR NDR_SECURITY NDR_NFS4ACL_OBJ_FILES = $(gen_ndrsrcdir)/ndr_nfs4acl.o @@ -183,7 +186,7 @@ NDR_SPOOLSS_BUF_OBJ_FILES = $(ndrsrcdir)/ndr_spoolss_buf.o $(eval $(call proto_header_template,$(ndrsrcdir)/ndr_spoolss_buf.h,$(NDR_SPOOLSS_BUF_OBJ_FILES:.o=.c))) [SUBSYSTEM::NDR_WKSSVC] -PUBLIC_DEPENDENCIES = LIBNDR NDR_SRVSVC NDR_MISC NDR_SECURITY +PUBLIC_DEPENDENCIES = LIBNDR NDR_SRVSVC NDR_SECURITY NDR_WKSSVC_OBJ_FILES = $(gen_ndrsrcdir)/ndr_wkssvc.o @@ -193,7 +196,7 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_SVCCTL NDR_SECURITY NDR_SRVSVC_OBJ_FILES = $(gen_ndrsrcdir)/ndr_srvsvc.o [SUBSYSTEM::NDR_SVCCTL] -PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC +PUBLIC_DEPENDENCIES = LIBNDR NDR_SVCCTL_OBJ_FILES = $(gen_ndrsrcdir)/ndr_svcctl.o @@ -212,7 +215,7 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_LSA NDR_EVENTLOG_OBJ_FILES = $(gen_ndrsrcdir)/ndr_eventlog.o [SUBSYSTEM::NDR_EPMAPPER] -PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC +PUBLIC_DEPENDENCIES = LIBNDR NDR_EPMAPPER_OBJ_FILES = $(gen_ndrsrcdir)/ndr_epmapper.o @@ -222,7 +225,7 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_DBGIDL_OBJ_FILES = $(gen_ndrsrcdir)/ndr_dbgidl.o [SUBSYSTEM::NDR_DSSETUP] -PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC +PUBLIC_DEPENDENCIES = LIBNDR NDR_DSSETUP_OBJ_FILES = $(gen_ndrsrcdir)/ndr_dssetup.o @@ -237,7 +240,7 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_WINS_OBJ_FILES = $(gen_ndrsrcdir)/ndr_wins.o [SUBSYSTEM::NDR_WINREG] -PUBLIC_DEPENDENCIES = LIBNDR NDR_INITSHUTDOWN NDR_SECURITY NDR_MISC +PUBLIC_DEPENDENCIES = LIBNDR NDR_INITSHUTDOWN NDR_SECURITY NDR_WINREG_OBJ_FILES = $(gen_ndrsrcdir)/ndr_winreg.o @@ -262,12 +265,12 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_ORPC_OBJ_FILES = $(gen_ndrsrcdir)/ndr_orpc.o ../librpc/ndr/ndr_orpc.o [SUBSYSTEM::NDR_OXIDRESOLVER] -PUBLIC_DEPENDENCIES = LIBNDR NDR_ORPC NDR_MISC +PUBLIC_DEPENDENCIES = LIBNDR NDR_ORPC NDR_OXIDRESOLVER_OBJ_FILES = $(gen_ndrsrcdir)/ndr_oxidresolver.o [SUBSYSTEM::NDR_REMACT] -PUBLIC_DEPENDENCIES = LIBNDR NDR_ORPC NDR_MISC +PUBLIC_DEPENDENCIES = LIBNDR NDR_ORPC NDR_REMACT_OBJ_FILES = $(gen_ndrsrcdir)/ndr_remact.o @@ -299,7 +302,7 @@ NDR_NTSVCS_OBJ_FILES = $(gen_ndrsrcdir)/ndr_ntsvcs.o [SUBSYSTEM::NDR_NETLOGON] PUBLIC_DEPENDENCIES = LIBNDR NDR_SAMR NDR_LSA NDR_SECURITY -NDR_NETLOGON_OBJ_FILES = $(gen_ndrsrcdir)/ndr_netlogon.o +NDR_NETLOGON_OBJ_FILES = $(gen_ndrsrcdir)/ndr_netlogon.o ../librpc/ndr/ndr_netlogon.o PUBLIC_HEADERS += $(addprefix $(librpcsrcdir)/, gen_ndr/netlogon.h) @@ -339,7 +342,7 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_NBT NDR_SCHANNEL_OBJ_FILES = $(gen_ndrsrcdir)/ndr_schannel.o [SUBSYSTEM::NDR_NBT] -PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC NDR_NBT_BUF NDR_SVCCTL NDR_SECURITY NDR_SAMR LIBCLI_NDR_NETLOGON +PUBLIC_DEPENDENCIES = LIBNDR NDR_NBT_BUF NDR_SVCCTL NDR_SECURITY NDR_SAMR LIBCLI_NDR_NETLOGON NDR_NBT_OBJ_FILES = $(gen_ndrsrcdir)/ndr_nbt.o @@ -362,7 +365,7 @@ NDR_WINBIND_OBJ_FILES = $(gen_ndrsrcdir)/ndr_winbind.o #PUBLIC_HEADERS += $(gen_ndrsrcdir)/winbind.h $(librpcsrcdir)/idl-deps: - $(PERL) $(librpcsrcdir)/idl-deps.pl $(filter-out ../librpc/idl/security.idl,$(wildcard $(librpcsrcdir)/idl/*.idl ../librpc/idl/*.idl)) >$@ + $(PERL) $(librpcsrcdir)/idl-deps.pl $(wildcard $(librpcsrcdir)/idl/*.idl ../librpc/idl/*.idl) >$@ clean:: rm -f $(librpcsrcdir)/idl-deps @@ -377,7 +380,7 @@ $(gen_ndrsrcdir)/tables.c: $(IDL_NDR_PARSE_H_FILES) [SUBSYSTEM::NDR_TABLE] PUBLIC_DEPENDENCIES = \ NDR_AUDIOSRV NDR_ECHO NDR_DCERPC \ - NDR_DSBACKUP NDR_EFS NDR_MISC NDR_LSA NDR_DFS NDR_DRSUAPI \ + NDR_DSBACKUP NDR_EFS NDR_LSA NDR_DFS NDR_DRSUAPI \ NDR_POLICYAGENT NDR_UNIXINFO NDR_SAMR NDR_SPOOLSS NDR_WKSSVC NDR_SRVSVC NDR_ATSVC \ NDR_EVENTLOG NDR_EPMAPPER NDR_DBGIDL NDR_DSSETUP NDR_MSGSVC NDR_WINS \ NDR_WINREG NDR_MGMT NDR_PROTECTED_STORAGE NDR_OXIDRESOLVER \ @@ -386,7 +389,7 @@ PUBLIC_DEPENDENCIES = \ NDR_ROT NDR_DRSBLOBS NDR_SVCCTL NDR_NBT NDR_WINSREPL NDR_SECURITY \ NDR_INITSHUTDOWN NDR_DNSSERVER NDR_WINSTATION NDR_IRPC NDR_OPENDB \ NDR_SASL_HELPERS NDR_NOTIFY NDR_WINBIND NDR_FRSRPC NDR_FRSAPI NDR_NFS4ACL NDR_NTP_SIGND \ - NDR_DCOM NDR_WMI + NDR_DCOM NDR_WMI NDR_NAMED_PIPE_AUTH NDR_TABLE_OBJ_FILES = ../librpc/ndr/ndr_table.o $(gen_ndrsrcdir)/tables.o @@ -588,7 +591,7 @@ PUBLIC_DEPENDENCIES = dcerpc NDR_KEYSVC RPC_NDR_KEYSVC_OBJ_FILES = $(gen_ndrsrcdir)/ndr_keysvc_c.o [SUBSYSTEM::NDR_DCERPC] -PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC +PUBLIC_DEPENDENCIES = LIBNDR NDR_DCERPC_OBJ_FILES = $(gen_ndrsrcdir)/ndr_dcerpc.o @@ -626,7 +629,7 @@ PUBLIC_HEADERS += $(addprefix $(librpcsrcdir)/, rpc/dcerpc.h \ [PYTHON::python_dcerpc] LIBRARY_REALNAME = samba/dcerpc/base.$(SHLIBEXT) -PUBLIC_DEPENDENCIES = LIBCLI_SMB NDR_MISC LIBSAMBA-UTIL LIBSAMBA-HOSTCONFIG dcerpc_samr RPC_NDR_LSA DYNCONFIG swig_credentials param +PUBLIC_DEPENDENCIES = LIBCLI_SMB LIBSAMBA-UTIL LIBSAMBA-HOSTCONFIG dcerpc_samr RPC_NDR_LSA DYNCONFIG swig_credentials param python_dcerpc_OBJ_FILES = $(dcerpcsrcdir)/pyrpc.o @@ -729,9 +732,15 @@ PRIVATE_DEPENDENCIES = RPC_NDR_DRSUAPI PYTALLOC param swig_credentials python_dc python_drsuapi_OBJ_FILES = $(gen_ndrsrcdir)/py_drsuapi.o +[PYTHON::python_dcerpc_dom_sid] +LIBRARY_REALNAME = samba/dcerpc/dom_sid.$(SHLIBEXT) +PRIVATE_DEPENDENCIES = PYTALLOC python_dcerpc_misc python_dcerpc + +python_dcerpc_dom_sid_OBJ_FILES = $(gen_ndrsrcdir)/py_dom_sid.o + [PYTHON::python_dcerpc_security] LIBRARY_REALNAME = samba/dcerpc/security.$(SHLIBEXT) -PRIVATE_DEPENDENCIES = PYTALLOC python_dcerpc_misc python_dcerpc +PRIVATE_DEPENDENCIES = PYTALLOC python_dcerpc_misc python_dcerpc_dom_sid python_dcerpc python_dcerpc_security_OBJ_FILES = $(gen_ndrsrcdir)/py_security.o diff --git a/source4/librpc/idl/dom_sid.idl b/source4/librpc/idl/dom_sid.idl new file mode 100644 index 0000000000..80df11dbfe --- /dev/null +++ b/source4/librpc/idl/dom_sid.idl @@ -0,0 +1,42 @@ +/* + use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really + just a dom sid, but with the sub_auths represented as a conformant + array. As with all in-structure conformant arrays, the array length + is placed before the start of the structure. That's what gives rise + to the extra num_auths elemenent. We don't want the Samba code to + have to bother with such esoteric NDR details, so its easier to just + define it as a dom_sid and use pidl magic to make it all work. It + just means you need to mark a sid as a "dom_sid2" in the IDL when you + know it is of the conformant array variety +*/ +cpp_quote("#define dom_sid2 dom_sid") + +/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */ +cpp_quote("#define dom_sid28 dom_sid") + +/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */ +cpp_quote("#define dom_sid0 dom_sid") + +[ + pointer_default(unique) +] +interface dom_sid +{ + /* a domain SID. Note that unlike Samba3 this contains a pointer, + so you can't copy them using assignment */ + typedef [public,gensize,noprint,noejs,nosize] struct { + uint8 sid_rev_num; /**< SID revision number */ + [range(0,15)] int8 num_auths; /**< Number of sub-authorities */ + uint8 id_auth[6]; /**< Identifier Authority */ + uint32 sub_auths[num_auths]; + } dom_sid; + + /* id used to identify a endpoint, possibly in a cluster */ + typedef [public] struct { + hyper id; + uint32 id2; + uint32 node; + } server_id; + +} + diff --git a/source4/librpc/idl/samr.idl b/source4/librpc/idl/samr.idl deleted file mode 100644 index 47882dfb84..0000000000 --- a/source4/librpc/idl/samr.idl +++ /dev/null @@ -1,1424 +0,0 @@ -#include "idl_types.h" - -/* - samr interface definition -*/ -import "misc.idl", "lsa.idl", "security.idl"; - -/* - Thanks to Todd Sabin for some information from his samr.idl in acltools -*/ - -[ uuid("12345778-1234-abcd-ef00-0123456789ac"), - version(1.0), - endpoint("ncacn_np:[\\pipe\\samr]","ncacn_ip_tcp:", "ncalrpc:"), - pointer_default(unique) -] interface samr -{ - typedef bitmap security_secinfo security_secinfo; - - /* account control (acct_flags) bits */ - typedef [public,bitmap32bit] bitmap { - ACB_DISABLED = 0x00000001, /* 1 = User account disabled */ - ACB_HOMDIRREQ = 0x00000002, /* 1 = Home directory required */ - ACB_PWNOTREQ = 0x00000004, /* 1 = User password not required */ - ACB_TEMPDUP = 0x00000008, /* 1 = Temporary duplicate account */ - ACB_NORMAL = 0x00000010, /* 1 = Normal user account */ - ACB_MNS = 0x00000020, /* 1 = MNS logon user account */ - ACB_DOMTRUST = 0x00000040, /* 1 = Interdomain trust account */ - ACB_WSTRUST = 0x00000080, /* 1 = Workstation trust account */ - ACB_SVRTRUST = 0x00000100, /* 1 = Server trust account */ - ACB_PWNOEXP = 0x00000200, /* 1 = User password does not expire */ - ACB_AUTOLOCK = 0x00000400, /* 1 = Account auto locked */ - ACB_ENC_TXT_PWD_ALLOWED = 0x00000800, /* 1 = Encryped text password is allowed */ - ACB_SMARTCARD_REQUIRED = 0x00001000, /* 1 = Smart Card required */ - ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */ - ACB_NOT_DELEGATED = 0x00004000, /* 1 = Not delegated */ - ACB_USE_DES_KEY_ONLY = 0x00008000, /* 1 = Use DES key only */ - ACB_DONT_REQUIRE_PREAUTH = 0x00010000, /* 1 = Preauth not required */ - ACB_PW_EXPIRED = 0x00020000, /* 1 = Password Expired */ - ACB_NO_AUTH_DATA_REQD = 0x00080000 /* 1 = No authorization data required */ - } samr_AcctFlags; - - typedef [bitmap32bit] bitmap { - SAMR_ACCESS_CONNECT_TO_SERVER = 0x00000001, - SAMR_ACCESS_SHUTDOWN_SERVER = 0x00000002, - SAMR_ACCESS_INITIALIZE_SERVER = 0x00000004, - SAMR_ACCESS_CREATE_DOMAIN = 0x00000008, - SAMR_ACCESS_ENUM_DOMAINS = 0x00000010, - SAMR_ACCESS_OPEN_DOMAIN = 0x00000020 - } samr_ConnectAccessMask; - - typedef [bitmap32bit] bitmap { - SAMR_USER_ACCESS_GET_NAME_ETC = 0x00000001, - SAMR_USER_ACCESS_GET_LOCALE = 0x00000002, - SAMR_USER_ACCESS_SET_LOC_COM = 0x00000004, - SAMR_USER_ACCESS_GET_LOGONINFO = 0x00000008, - SAMR_USER_ACCESS_GET_ATTRIBUTES = 0x00000010, - SAMR_USER_ACCESS_SET_ATTRIBUTES = 0x00000020, - SAMR_USER_ACCESS_CHANGE_PASSWORD = 0x00000040, - SAMR_USER_ACCESS_SET_PASSWORD = 0x00000080, - SAMR_USER_ACCESS_GET_GROUPS = 0x00000100, - SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP = 0x00000200, - SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP = 0x00000400 - } samr_UserAccessMask; - - typedef [bitmap32bit] bitmap { - SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 = 0x00000001, - SAMR_DOMAIN_ACCESS_SET_INFO_1 = 0x00000002, - SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 = 0x00000004, - SAMR_DOMAIN_ACCESS_SET_INFO_2 = 0x00000008, - SAMR_DOMAIN_ACCESS_CREATE_USER = 0x00000010, - SAMR_DOMAIN_ACCESS_CREATE_GROUP = 0x00000020, - SAMR_DOMAIN_ACCESS_CREATE_ALIAS = 0x00000040, - SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS = 0x00000080, - SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS = 0x00000100, - SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT = 0x00000200, - SAMR_DOMAIN_ACCESS_SET_INFO_3 = 0x00000400 - } samr_DomainAccessMask; - - typedef [bitmap32bit] bitmap { - SAMR_GROUP_ACCESS_LOOKUP_INFO = 0x00000001, - SAMR_GROUP_ACCESS_SET_INFO = 0x00000002, - SAMR_GROUP_ACCESS_ADD_MEMBER = 0x00000004, - SAMR_GROUP_ACCESS_REMOVE_MEMBER = 0x00000008, - SAMR_GROUP_ACCESS_GET_MEMBERS = 0x00000010 - } samr_GroupAccessMask; - - typedef [bitmap32bit] bitmap { - SAMR_ALIAS_ACCESS_ADD_MEMBER = 0x00000001, - SAMR_ALIAS_ACCESS_REMOVE_MEMBER = 0x00000002, - SAMR_ALIAS_ACCESS_GET_MEMBERS = 0x00000004, - SAMR_ALIAS_ACCESS_LOOKUP_INFO = 0x00000008, - SAMR_ALIAS_ACCESS_SET_INFO = 0x00000010 - } samr_AliasAccessMask; - - /******************/ - /* Function: 0x00 */ - NTSTATUS samr_Connect ( - /* notice the lack of [string] */ - [in,unique] uint16 *system_name, - [in] samr_ConnectAccessMask access_mask, - [out,ref] policy_handle *connect_handle - ); - - - /******************/ - /* Function: 0x01 */ - [public] NTSTATUS samr_Close ( - [in,out,ref] policy_handle *handle - ); - - /******************/ - /* Function: 0x02 */ - - NTSTATUS samr_SetSecurity ( - [in,ref] policy_handle *handle, - [in] security_secinfo sec_info, - [in,ref] sec_desc_buf *sdbuf - ); - - /******************/ - /* Function: 0x03 */ - - NTSTATUS samr_QuerySecurity ( - [in,ref] policy_handle *handle, - [in] security_secinfo sec_info, - [out,unique] sec_desc_buf *sdbuf - ); - - /******************/ - /* Function: 0x04 */ - - /* - shutdown the SAM - once you call this the SAM will be dead - */ - NTSTATUS samr_Shutdown ( - [in,ref] policy_handle *connect_handle - ); - - /******************/ - /* Function: 0x05 */ - NTSTATUS samr_LookupDomain ( - [in,ref] policy_handle *connect_handle, - [in,ref] lsa_String *domain_name, - [out,unique] dom_sid2 *sid - ); - - - /******************/ - /* Function: 0x06 */ - - typedef struct { - uint32 idx; - lsa_String name; - } samr_SamEntry; - - typedef struct { - uint32 count; - [size_is(count)] samr_SamEntry *entries; - } samr_SamArray; - - NTSTATUS samr_EnumDomains ( - [in,ref] policy_handle *connect_handle, - [in,out,ref] uint32 *resume_handle, - [in] uint32 buf_size, - [out,unique] samr_SamArray *sam, - [out] uint32 num_entries - ); - - - /************************/ - /* Function 0x07 */ - [public] NTSTATUS samr_OpenDomain( - [in,ref] policy_handle *connect_handle, - [in] samr_DomainAccessMask access_mask, - [in,ref] dom_sid2 *sid, - [out,ref] policy_handle *domain_handle - ); - - /************************/ - /* Function 0x08 */ - /* server roles */ - typedef [v1_enum] enum { - SAMR_ROLE_STANDALONE = 0, - SAMR_ROLE_DOMAIN_MEMBER = 1, - SAMR_ROLE_DOMAIN_BDC = 2, - SAMR_ROLE_DOMAIN_PDC = 3 - } samr_Role; - - /* password properties flags */ - typedef [public,bitmap32bit] bitmap { - DOMAIN_PASSWORD_COMPLEX = 0x00000001, - DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x00000002, - DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x00000004, - DOMAIN_PASSWORD_LOCKOUT_ADMINS = 0x00000008, - DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010, - DOMAIN_REFUSE_PASSWORD_CHANGE = 0x00000020 - } samr_PasswordProperties; - - typedef struct { - uint16 min_password_length; - uint16 password_history_length; - samr_PasswordProperties password_properties; - /* yes, these are signed. They are in negative 100ns */ - dlong max_password_age; - dlong min_password_age; - } samr_DomInfo1; - - typedef struct { - NTTIME force_logoff_time; - lsa_String oem_information; /* comment */ - lsa_String domain_name; - lsa_String primary; /* PDC name if this is a BDC */ - udlong sequence_num; - uint32 unknown2; - samr_Role role; - uint32 unknown3; - uint32 num_users; - uint32 num_groups; - uint32 num_aliases; - } samr_DomGeneralInformation; - - typedef struct { - NTTIME force_logoff_time; - } samr_DomInfo3; - - typedef struct { - lsa_String oem_information; /* comment */ - } samr_DomOEMInformation; - - typedef struct { - lsa_String domain_name; - } samr_DomInfo5; - - typedef struct { - lsa_String primary; - } samr_DomInfo6; - - typedef struct { - samr_Role role; - } samr_DomInfo7; - - typedef struct { - hyper sequence_num; - NTTIME domain_create_time; - } samr_DomInfo8; - - typedef struct { - uint32 unknown; /* w2k3 returns 1 */ - } samr_DomInfo9; - - typedef struct { - samr_DomGeneralInformation general; - hyper lockout_duration; - hyper lockout_window; - uint16 lockout_threshold; - } samr_DomGeneralInformation2; - - typedef struct { - hyper lockout_duration; - hyper lockout_window; - uint16 lockout_threshold; - } samr_DomInfo12; - - typedef struct { - hyper sequence_num; - NTTIME domain_create_time; - uint32 unknown1; - uint32 unknown2; - } samr_DomInfo13; - - typedef [switch_type(uint16)] union { - [case(1)] samr_DomInfo1 info1; - [case(2)] samr_DomGeneralInformation general; - [case(3)] samr_DomInfo3 info3; - [case(4)] samr_DomOEMInformation oem; - [case(5)] samr_DomInfo5 info5; - [case(6)] samr_DomInfo6 info6; - [case(7)] samr_DomInfo7 info7; - [case(8)] samr_DomInfo8 info8; - [case(9)] samr_DomInfo9 info9; - [case(11)] samr_DomGeneralInformation2 general2; - [case(12)] samr_DomInfo12 info12; - [case(13)] samr_DomInfo13 info13; - } samr_DomainInfo; - - NTSTATUS samr_QueryDomainInfo( - [in,ref] policy_handle *domain_handle, - [in] uint16 level, - [out,switch_is(level),unique] samr_DomainInfo *info - ); - - /************************/ - /* Function 0x09 */ - /* - only levels 1, 3, 4, 6, 7, 9, 12 are valid for this - call in w2k3 - */ - NTSTATUS samr_SetDomainInfo( - [in,ref] policy_handle *domain_handle, - [in] uint16 level, - [in,switch_is(level),ref] samr_DomainInfo *info - ); - - - /************************/ - /* Function 0x0a */ - NTSTATUS samr_CreateDomainGroup( - [in,ref] policy_handle *domain_handle, - [in,ref] lsa_String *name, - [in] samr_GroupAccessMask access_mask, - [out,ref] policy_handle *group_handle, - [out,ref] uint32 *rid - ); - - - /************************/ - /* Function 0x0b */ - NTSTATUS samr_EnumDomainGroups( - [in,ref] policy_handle *domain_handle, - [in,out,ref] uint32 *resume_handle, - [in] uint32 max_size, - [out,unique] samr_SamArray *sam, - [out] uint32 num_entries - ); - - /************************/ - /* Function 0x0c */ - NTSTATUS samr_CreateUser( - [in,ref] policy_handle *domain_handle, - [in,ref] lsa_String *account_name, - [in] samr_UserAccessMask access_mask, - [out,ref] policy_handle *user_handle, - [out,ref] uint32 *rid - ); - - /************************/ - /* Function 0x0d */ - - - /* w2k3 treats max_size as max_users*54 and sets the - resume_handle as the rid of the last user sent - */ - const int SAMR_ENUM_USERS_MULTIPLIER = 54; - - NTSTATUS samr_EnumDomainUsers( - [in,ref] policy_handle *domain_handle, - [in,out,ref] uint32 *resume_handle, - [in] samr_AcctFlags acct_flags, - [in] uint32 max_size, - [out,unique] samr_SamArray *sam, - [out] uint32 num_entries - ); - - /************************/ - /* Function 0x0e */ - NTSTATUS samr_CreateDomAlias( - [in,ref] policy_handle *domain_handle, - [in,ref] lsa_String *alias_name, - [in] samr_AliasAccessMask access_mask, - [out,ref] policy_handle *alias_handle, - [out,ref] uint32 *rid - ); - - /************************/ - /* Function 0x0f */ - NTSTATUS samr_EnumDomainAliases( - [in,ref] policy_handle *domain_handle, - [in,out,ref] uint32 *resume_handle, - [in] samr_AcctFlags acct_flags, - [out,unique] samr_SamArray *sam, - [out] uint32 num_entries - ); - - /************************/ - /* Function 0x10 */ - - typedef struct { - [range(0,1024)] uint32 count; - [size_is(count)] uint32 *ids; - } samr_Ids; - - NTSTATUS samr_GetAliasMembership( - [in,ref] policy_handle *domain_handle, - [in,ref] lsa_SidArray *sids, - [out,ref] samr_Ids *rids - ); - - /************************/ - /* Function 0x11 */ - - [public] NTSTATUS samr_LookupNames( - [in,ref] policy_handle *domain_handle, - [in,range(0,1000)] uint32 num_names, - [in,size_is(1000),length_is(num_names)] lsa_String names[], - [out] samr_Ids rids, - [out] samr_Ids types - ); - - - /************************/ - /* Function 0x12 */ - NTSTATUS samr_LookupRids( - [in,ref] policy_handle *domain_handle, - [in,range(0,1000)] uint32 num_rids, - [in,size_is(1000),length_is(num_rids)] uint32 rids[], - [out] lsa_Strings names, - [out] samr_Ids types - ); - - /************************/ - /* Function 0x13 */ - NTSTATUS samr_OpenGroup( - [in,ref] policy_handle *domain_handle, - [in] samr_GroupAccessMask access_mask, - [in] uint32 rid, - [out,ref] policy_handle *group_handle - ); - - /* Group attributes */ - typedef [public,bitmap32bit] bitmap { - SE_GROUP_MANDATORY = 0x00000001, - SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002, - SE_GROUP_ENABLED = 0x00000004, - SE_GROUP_OWNER = 0x00000008, - SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010, - SE_GROUP_RESOURCE = 0x20000000, - SE_GROUP_LOGON_ID = 0xC0000000 - } samr_GroupAttrs; - - /************************/ - /* Function 0x14 */ - - typedef struct { - lsa_String name; - samr_GroupAttrs attributes; - uint32 num_members; - lsa_String description; - } samr_GroupInfoAll; - - typedef struct { - samr_GroupAttrs attributes; - } samr_GroupInfoAttributes; - - typedef struct { - lsa_String description; - } samr_GroupInfoDescription; - - typedef enum { - GROUPINFOALL = 1, - GROUPINFONAME = 2, - GROUPINFOATTRIBUTES = 3, - GROUPINFODESCRIPTION = 4, - GROUPINFOALL2 = 5 - } samr_GroupInfoEnum; - - typedef [switch_type(samr_GroupInfoEnum)] union { - [case(GROUPINFOALL)] samr_GroupInfoAll all; - [case(GROUPINFONAME)] lsa_String name; - [case(GROUPINFOATTRIBUTES)] samr_GroupInfoAttributes attributes; - [case(GROUPINFODESCRIPTION)] lsa_String description; - [case(GROUPINFOALL2)] samr_GroupInfoAll all2; - } samr_GroupInfo; - - NTSTATUS samr_QueryGroupInfo( - [in,ref] policy_handle *group_handle, - [in] samr_GroupInfoEnum level, - [out,switch_is(level),unique] samr_GroupInfo *info - ); - - /************************/ - /* Function 0x15 */ - NTSTATUS samr_SetGroupInfo( - [in,ref] policy_handle *group_handle, - [in] samr_GroupInfoEnum level, - [in,switch_is(level),ref] samr_GroupInfo *info - ); - - /************************/ - /* Function 0x16 */ - NTSTATUS samr_AddGroupMember( - [in,ref] policy_handle *group_handle, - [in] uint32 rid, - [in] uint32 flags - ); - - /************************/ - /* Function 0x17 */ - NTSTATUS samr_DeleteDomainGroup( - [in,out,ref] policy_handle *group_handle - ); - - /************************/ - /* Function 0x18 */ - NTSTATUS samr_DeleteGroupMember( - [in,ref] policy_handle *group_handle, - [in] uint32 rid - ); - - - /************************/ - /* Function 0x19 */ - typedef struct { - uint32 count; - [size_is(count)] uint32 *rids; - [size_is(count)] uint32 *types; - } samr_RidTypeArray; - - NTSTATUS samr_QueryGroupMember( - [in,ref] policy_handle *group_handle, - [out,unique] samr_RidTypeArray *rids - ); - - - /************************/ - /* Function 0x1a */ - - /* - win2003 seems to accept any data at all for the two integers - below, and doesn't seem to do anything with them that I can - see. Weird. I really expected the first integer to be a rid - and the second to be the attributes for that rid member. - */ - NTSTATUS samr_SetMemberAttributesOfGroup( - [in,ref] policy_handle *group_handle, - [in] uint32 unknown1, - [in] uint32 unknown2 - ); - - - /************************/ - /* Function 0x1b */ - NTSTATUS samr_OpenAlias ( - [in,ref] policy_handle *domain_handle, - [in] samr_AliasAccessMask access_mask, - [in] uint32 rid, - [out,ref] policy_handle *alias_handle - ); - - - /************************/ - /* Function 0x1c */ - - typedef struct { - lsa_String name; - uint32 num_members; - lsa_String description; - } samr_AliasInfoAll; - - typedef enum { - ALIASINFOALL = 1, - ALIASINFONAME = 2, - ALIASINFODESCRIPTION = 3 - } samr_AliasInfoEnum; - - typedef [switch_type(samr_AliasInfoEnum)] union { - [case(ALIASINFOALL)] samr_AliasInfoAll all; - [case(ALIASINFONAME)] lsa_String name; - [case(ALIASINFODESCRIPTION)] lsa_String description; - } samr_AliasInfo; - - NTSTATUS samr_QueryAliasInfo( - [in,ref] policy_handle *alias_handle, - [in] samr_AliasInfoEnum level, - [out,switch_is(level),unique] samr_AliasInfo *info - ); - - /************************/ - /* Function 0x1d */ - NTSTATUS samr_SetAliasInfo( - [in,ref] policy_handle *alias_handle, - [in] samr_AliasInfoEnum level, - [in,switch_is(level),ref] samr_AliasInfo *info - ); - - /************************/ - /* Function 0x1e */ - NTSTATUS samr_DeleteDomAlias( - [in,out,ref] policy_handle *alias_handle - ); - - /************************/ - /* Function 0x1f */ - NTSTATUS samr_AddAliasMember( - [in,ref] policy_handle *alias_handle, - [in,ref] dom_sid2 *sid - ); - - /************************/ - /* Function 0x20 */ - NTSTATUS samr_DeleteAliasMember( - [in,ref] policy_handle *alias_handle, - [in,ref] dom_sid2 *sid - ); - - /************************/ - /* Function 0x21 */ - NTSTATUS samr_GetMembersInAlias( - [in,ref] policy_handle *alias_handle, - [out,ref] lsa_SidArray *sids - ); - - /************************/ - /* Function 0x22 */ - [public] NTSTATUS samr_OpenUser( - [in,ref] policy_handle *domain_handle, - [in] samr_UserAccessMask access_mask, - [in] uint32 rid, - [out,ref] policy_handle *user_handle - ); - - /************************/ - /* Function 0x23 */ - NTSTATUS samr_DeleteUser( - [in,out,ref] policy_handle *user_handle - ); - - /************************/ - /* Function 0x24 */ - typedef struct { - lsa_String account_name; - lsa_String full_name; - uint32 primary_gid; - lsa_String description; - lsa_String comment; - } samr_UserInfo1; - - typedef struct { - lsa_String comment; - lsa_String unknown; /* settable, but doesn't stick. probably obsolete */ - uint16 country_code; - uint16 code_page; - } samr_UserInfo2; - - /* this is also used in samr and netlogon */ - typedef [public, flag(NDR_PAHEX)] struct { - uint16 units_per_week; - [size_is(1260), length_is(units_per_week/8)] uint8 *bits; - } samr_LogonHours; - - typedef struct { - lsa_String account_name; - lsa_String full_name; - uint32 rid; - uint32 primary_gid; - lsa_String home_directory; - lsa_String home_drive; - lsa_String logon_script; - lsa_String profile_path; - lsa_String workstations; - NTTIME last_logon; - NTTIME last_logoff; - NTTIME last_password_change; - NTTIME allow_password_change; - NTTIME force_password_change; - samr_LogonHours logon_hours; - uint16 bad_password_count; - uint16 logon_count; - samr_AcctFlags acct_flags; - } samr_UserInfo3; - - typedef struct { - samr_LogonHours logon_hours; - } samr_UserInfo4; - - typedef struct { - lsa_String account_name; - lsa_String full_name; - uint32 rid; - uint32 primary_gid; - lsa_String home_directory; - lsa_String home_drive; - lsa_String logon_script; - lsa_String profile_path; - lsa_String description; - lsa_String workstations; - NTTIME last_logon; - NTTIME last_logoff; - samr_LogonHours logon_hours; - uint16 bad_password_count; - uint16 logon_count; - NTTIME last_password_change; - NTTIME acct_expiry; - samr_AcctFlags acct_flags; - } samr_UserInfo5; - - typedef struct { - lsa_String account_name; - lsa_String full_name; - } samr_UserInfo6; - - typedef struct { - lsa_String account_name; - } samr_UserInfo7; - - typedef struct { - lsa_String full_name; - } samr_UserInfo8; - - typedef struct { - uint32 primary_gid; - } samr_UserInfo9; - - typedef struct { - lsa_String home_directory; - lsa_String home_drive; - } samr_UserInfo10; - - typedef struct { - lsa_String logon_script; - } samr_UserInfo11; - - typedef struct { - lsa_String profile_path; - } samr_UserInfo12; - - typedef struct { - lsa_String description; - } samr_UserInfo13; - - typedef struct { - lsa_String workstations; - } samr_UserInfo14; - - typedef struct { - samr_AcctFlags acct_flags; - } samr_UserInfo16; - - typedef struct { - NTTIME acct_expiry; - } samr_UserInfo17; - - typedef [public, flag(NDR_PAHEX)] struct { - uint8 hash[16]; - } samr_Password; - - typedef struct { - samr_Password lm_pwd; - samr_Password nt_pwd; - boolean8 lm_pwd_active; - boolean8 nt_pwd_active; - } samr_UserInfo18; - - typedef struct { - lsa_String parameters; - } samr_UserInfo20; - - /* this defines the bits used for fields_present in info21 */ - typedef [bitmap32bit] bitmap { - SAMR_FIELD_ACCOUNT_NAME = 0x00000001, - SAMR_FIELD_FULL_NAME = 0x00000002, - SAMR_FIELD_RID = 0x00000004, - SAMR_FIELD_PRIMARY_GID = 0x00000008, - SAMR_FIELD_DESCRIPTION = 0x00000010, - SAMR_FIELD_COMMENT = 0x00000020, - SAMR_FIELD_HOME_DIRECTORY = 0x00000040, - SAMR_FIELD_HOME_DRIVE = 0x00000080, - SAMR_FIELD_LOGON_SCRIPT = 0x00000100, - SAMR_FIELD_PROFILE_PATH = 0x00000200, - SAMR_FIELD_WORKSTATIONS = 0x00000400, - SAMR_FIELD_LAST_LOGON = 0x00000800, - SAMR_FIELD_LAST_LOGOFF = 0x00001000, - SAMR_FIELD_LOGON_HOURS = 0x00002000, - SAMR_FIELD_BAD_PWD_COUNT = 0x00004000, - SAMR_FIELD_NUM_LOGONS = 0x00008000, - SAMR_FIELD_ALLOW_PWD_CHANGE = 0x00010000, - SAMR_FIELD_FORCE_PWD_CHANGE = 0x00020000, - SAMR_FIELD_LAST_PWD_CHANGE = 0x00040000, - SAMR_FIELD_ACCT_EXPIRY = 0x00080000, - SAMR_FIELD_ACCT_FLAGS = 0x00100000, - SAMR_FIELD_PARAMETERS = 0x00200000, - SAMR_FIELD_COUNTRY_CODE = 0x00400000, - SAMR_FIELD_CODE_PAGE = 0x00800000, - SAMR_FIELD_PASSWORD = 0x01000000, /* either of these */ - SAMR_FIELD_PASSWORD2 = 0x02000000, /* two bits seems to work */ - SAMR_FIELD_PRIVATE_DATA = 0x04000000, - SAMR_FIELD_EXPIRED_FLAG = 0x08000000, - SAMR_FIELD_SEC_DESC = 0x10000000, - SAMR_FIELD_OWF_PWD = 0x20000000 - } samr_FieldsPresent; - - /* used for 'password_expired' in samr_UserInfo21 */ - const int PASS_MUST_CHANGE_AT_NEXT_LOGON = 0x01; - const int PASS_DONT_CHANGE_AT_NEXT_LOGON = 0x00; - - typedef struct { - NTTIME last_logon; - NTTIME last_logoff; - NTTIME last_password_change; - NTTIME acct_expiry; - NTTIME allow_password_change; - NTTIME force_password_change; - lsa_String account_name; - lsa_String full_name; - lsa_String home_directory; - lsa_String home_drive; - lsa_String logon_script; - lsa_String profile_path; - lsa_String description; - lsa_String workstations; - lsa_String comment; - lsa_String parameters; - lsa_String unknown1; - lsa_String unknown2; - lsa_String unknown3; - uint32 buf_count; - [size_is(buf_count)] uint8 *buffer; - uint32 rid; - uint32 primary_gid; - samr_AcctFlags acct_flags; - samr_FieldsPresent fields_present; - samr_LogonHours logon_hours; - uint16 bad_password_count; - uint16 logon_count; - uint16 country_code; - uint16 code_page; - uint8 nt_password_set; - uint8 lm_password_set; - uint8 password_expired; - uint8 unknown4; - } samr_UserInfo21; - - typedef [public, flag(NDR_PAHEX)] struct { - uint8 data[516]; - } samr_CryptPassword; - - typedef struct { - samr_UserInfo21 info; - samr_CryptPassword password; - } samr_UserInfo23; - - typedef struct { - samr_CryptPassword password; - uint8 pw_len; - } samr_UserInfo24; - - typedef [flag(NDR_PAHEX)] struct { - uint8 data[532]; - } samr_CryptPasswordEx; - - typedef struct { - samr_UserInfo21 info; - samr_CryptPasswordEx password; - } samr_UserInfo25; - - typedef struct { - samr_CryptPasswordEx password; - uint8 pw_len; - } samr_UserInfo26; - - typedef [switch_type(uint16)] union { - [case(1)] samr_UserInfo1 info1; - [case(2)] samr_UserInfo2 info2; - [case(3)] samr_UserInfo3 info3; - [case(4)] samr_UserInfo4 info4; - [case(5)] samr_UserInfo5 info5; - [case(6)] samr_UserInfo6 info6; - [case(7)] samr_UserInfo7 info7; - [case(8)] samr_UserInfo8 info8; - [case(9)] samr_UserInfo9 info9; - [case(10)] samr_UserInfo10 info10; - [case(11)] samr_UserInfo11 info11; - [case(12)] samr_UserInfo12 info12; - [case(13)] samr_UserInfo13 info13; - [case(14)] samr_UserInfo14 info14; - [case(16)] samr_UserInfo16 info16; - [case(17)] samr_UserInfo17 info17; - [case(18)] samr_UserInfo18 info18; - [case(20)] samr_UserInfo20 info20; - [case(21)] samr_UserInfo21 info21; - [case(23)] samr_UserInfo23 info23; - [case(24)] samr_UserInfo24 info24; - [case(25)] samr_UserInfo25 info25; - [case(26)] samr_UserInfo26 info26; - } samr_UserInfo; - - [public] NTSTATUS samr_QueryUserInfo( - [in,ref] policy_handle *user_handle, - [in] uint16 level, - [out,unique,switch_is(level)] samr_UserInfo *info - ); - - - /************************/ - /* Function 0x25 */ - [public] NTSTATUS samr_SetUserInfo( - [in,ref] policy_handle *user_handle, - [in] uint16 level, - [in,ref,switch_is(level)] samr_UserInfo *info - ); - - /************************/ - /* Function 0x26 */ - /* - this is a password change interface that doesn't give - the server the plaintext password. Depricated. - */ - NTSTATUS samr_ChangePasswordUser( - [in,ref] policy_handle *user_handle, - [in] boolean8 lm_present, - [in,unique] samr_Password *old_lm_crypted, - [in,unique] samr_Password *new_lm_crypted, - [in] boolean8 nt_present, - [in,unique] samr_Password *old_nt_crypted, - [in,unique] samr_Password *new_nt_crypted, - [in] boolean8 cross1_present, - [in,unique] samr_Password *nt_cross, - [in] boolean8 cross2_present, - [in,unique] samr_Password *lm_cross - ); - - /************************/ - /* Function 0x27 */ - - typedef [public] struct { - uint32 rid; - samr_GroupAttrs attributes; - } samr_RidWithAttribute; - - typedef [public] struct { - uint32 count; - [size_is(count)] samr_RidWithAttribute *rids; - } samr_RidWithAttributeArray; - - NTSTATUS samr_GetGroupsForUser( - [in,ref] policy_handle *user_handle, - [out,unique] samr_RidWithAttributeArray *rids - ); - - /************************/ - /* Function 0x28 */ - - typedef struct { - uint32 idx; - uint32 rid; - samr_AcctFlags acct_flags; - lsa_String account_name; - lsa_String description; - lsa_String full_name; - } samr_DispEntryGeneral; - - typedef struct { - uint32 count; - [size_is(count)] samr_DispEntryGeneral *entries; - } samr_DispInfoGeneral; - - typedef struct { - uint32 idx; - uint32 rid; - samr_AcctFlags acct_flags; - lsa_String account_name; - lsa_String description; - } samr_DispEntryFull; - - typedef struct { - uint32 count; - [size_is(count)] samr_DispEntryFull *entries; - } samr_DispInfoFull; - - typedef struct { - uint32 idx; - uint32 rid; - samr_GroupAttrs acct_flags; - lsa_String account_name; - lsa_String description; - } samr_DispEntryFullGroup; - - typedef struct { - uint32 count; - [size_is(count)] samr_DispEntryFullGroup *entries; - } samr_DispInfoFullGroups; - - typedef struct { - uint32 idx; - lsa_AsciiStringLarge account_name; - } samr_DispEntryAscii; - - typedef struct { - uint32 count; - [size_is(count)] samr_DispEntryAscii *entries; - } samr_DispInfoAscii; - - typedef [switch_type(uint16)] union { - [case(1)] samr_DispInfoGeneral info1;/* users */ - [case(2)] samr_DispInfoFull info2; /* trust accounts? */ - [case(3)] samr_DispInfoFullGroups info3; /* groups */ - [case(4)] samr_DispInfoAscii info4; /* users */ - [case(5)] samr_DispInfoAscii info5; /* groups */ - } samr_DispInfo; - - NTSTATUS samr_QueryDisplayInfo( - [in,ref] policy_handle *domain_handle, - [in] uint16 level, - [in] uint32 start_idx, - [in] uint32 max_entries, - [in] uint32 buf_size, - [out] uint32 total_size, - [out] uint32 returned_size, - [out,switch_is(level)] samr_DispInfo info - ); - - - /************************/ - /* Function 0x29 */ - - /* - this seems to be an alphabetic search function. The returned index - is the index for samr_QueryDisplayInfo needed to get names occurring - after the specified name. The supplied name does not need to exist - in the database (for example you can supply just a first letter for - searching starting at that letter) - - The level corresponds to the samr_QueryDisplayInfo level - */ - NTSTATUS samr_GetDisplayEnumerationIndex( - [in,ref] policy_handle *domain_handle, - [in] uint16 level, - [in] lsa_String name, - [out] uint32 idx - ); - - - - /************************/ - /* Function 0x2a */ - - /* - w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this - */ - NTSTATUS samr_TestPrivateFunctionsDomain( - [in,ref] policy_handle *domain_handle - ); - - - /************************/ - /* Function 0x2b */ - - /* - w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this - */ - NTSTATUS samr_TestPrivateFunctionsUser( - [in,ref] policy_handle *user_handle - ); - - - /************************/ - /* Function 0x2c */ - - typedef struct { - uint16 min_password_length; - samr_PasswordProperties password_properties; - } samr_PwInfo; - - [public] NTSTATUS samr_GetUserPwInfo( - [in,ref] policy_handle *user_handle, - [out] samr_PwInfo info - ); - - /************************/ - /* Function 0x2d */ - NTSTATUS samr_RemoveMemberFromForeignDomain( - [in,ref] policy_handle *domain_handle, - [in,ref] dom_sid2 *sid - ); - - /************************/ - /* Function 0x2e */ - - /* - how is this different from QueryDomainInfo ?? - */ - NTSTATUS samr_QueryDomainInfo2( - [in,ref] policy_handle *domain_handle, - [in] uint16 level, - [out,unique,switch_is(level)] samr_DomainInfo *info - ); - - /************************/ - /* Function 0x2f */ - - /* - how is this different from QueryUserInfo ?? - */ - NTSTATUS samr_QueryUserInfo2( - [in,ref] policy_handle *user_handle, - [in] uint16 level, - [out,unique,switch_is(level)] samr_UserInfo *info - ); - - /************************/ - /* Function 0x30 */ - - /* - how is this different from QueryDisplayInfo?? - */ - NTSTATUS samr_QueryDisplayInfo2( - [in,ref] policy_handle *domain_handle, - [in] uint16 level, - [in] uint32 start_idx, - [in] uint32 max_entries, - [in] uint32 buf_size, - [out] uint32 total_size, - [out] uint32 returned_size, - [out,switch_is(level)] samr_DispInfo info - ); - - /************************/ - /* Function 0x31 */ - - /* - how is this different from GetDisplayEnumerationIndex ?? - */ - NTSTATUS samr_GetDisplayEnumerationIndex2( - [in,ref] policy_handle *domain_handle, - [in] uint16 level, - [in] lsa_String name, - [out] uint32 idx - ); - - - /************************/ - /* Function 0x32 */ - NTSTATUS samr_CreateUser2( - [in,ref] policy_handle *domain_handle, - [in,ref] lsa_String *account_name, - [in] samr_AcctFlags acct_flags, - [in] samr_UserAccessMask access_mask, - [out,ref] policy_handle *user_handle, - [out,ref] uint32 *access_granted, - [out,ref] uint32 *rid - ); - - - /************************/ - /* Function 0x33 */ - - /* - another duplicate. There must be a reason .... - */ - NTSTATUS samr_QueryDisplayInfo3( - [in,ref] policy_handle *domain_handle, - [in] uint16 level, - [in] uint32 start_idx, - [in] uint32 max_entries, - [in] uint32 buf_size, - [out] uint32 total_size, - [out] uint32 returned_size, - [out,switch_is(level)] samr_DispInfo info - ); - - /************************/ - /* Function 0x34 */ - NTSTATUS samr_AddMultipleMembersToAlias( - [in,ref] policy_handle *alias_handle, - [in,ref] lsa_SidArray *sids - ); - - /************************/ - /* Function 0x35 */ - NTSTATUS samr_RemoveMultipleMembersFromAlias( - [in,ref] policy_handle *alias_handle, - [in,ref] lsa_SidArray *sids - ); - - /************************/ - /* Function 0x36 */ - - NTSTATUS samr_OemChangePasswordUser2( - [in,unique] lsa_AsciiString *server, - [in,ref] lsa_AsciiString *account, - [in,unique] samr_CryptPassword *password, - [in,unique] samr_Password *hash - ); - - /************************/ - /* Function 0x37 */ - NTSTATUS samr_ChangePasswordUser2( - [in,unique] lsa_String *server, - [in,ref] lsa_String *account, - [in,unique] samr_CryptPassword *nt_password, - [in,unique] samr_Password *nt_verifier, - [in] boolean8 lm_change, - [in,unique] samr_CryptPassword *lm_password, - [in,unique] samr_Password *lm_verifier - ); - - /************************/ - /* Function 0x38 */ - NTSTATUS samr_GetDomPwInfo( - [in,unique] lsa_String *domain_name, - [out] samr_PwInfo info - ); - - /************************/ - /* Function 0x39 */ - NTSTATUS samr_Connect2( - [in,unique,string,charset(UTF16)] uint16 *system_name, - [in] samr_ConnectAccessMask access_mask, - [out,ref] policy_handle *connect_handle - ); - - /************************/ - /* Function 0x3a */ - /* - seems to be an exact alias for samr_SetUserInfo() - */ - [public] NTSTATUS samr_SetUserInfo2( - [in,ref] policy_handle *user_handle, - [in] uint16 level, - [in,ref,switch_is(level)] samr_UserInfo *info - ); - - /************************/ - /* Function 0x3b */ - /* - this one is mysterious. I have a few guesses, but nothing working yet - */ - NTSTATUS samr_SetBootKeyInformation( - [in,ref] policy_handle *connect_handle, - [in] uint32 unknown1, - [in] uint32 unknown2, - [in] uint32 unknown3 - ); - - /************************/ - /* Function 0x3c */ - NTSTATUS samr_GetBootKeyInformation( - [in,ref] policy_handle *domain_handle, - [out] uint32 unknown - ); - - /************************/ - /* Function 0x3d */ - NTSTATUS samr_Connect3( - [in,unique,string,charset(UTF16)] uint16 *system_name, - /* this unknown value seems to be completely ignored by w2k3 */ - [in] uint32 unknown, - [in] samr_ConnectAccessMask access_mask, - [out,ref] policy_handle *connect_handle - ); - - /************************/ - /* Function 0x3e */ - - typedef enum { - SAMR_CONNECT_PRE_W2K = 1, - SAMR_CONNECT_W2K = 2, - SAMR_CONNECT_AFTER_W2K = 3 - } samr_ConnectVersion; - - NTSTATUS samr_Connect4( - [in,unique,string,charset(UTF16)] uint16 *system_name, - [in] samr_ConnectVersion client_version, - [in] samr_ConnectAccessMask access_mask, - [out,ref] policy_handle *connect_handle - ); - - /************************/ - /* Function 0x3f */ - - typedef enum samr_RejectReason samr_RejectReason; - - typedef struct { - samr_RejectReason reason; - uint32 unknown1; - uint32 unknown2; - } samr_ChangeReject; - - NTSTATUS samr_ChangePasswordUser3( - [in,unique] lsa_String *server, - [in,ref] lsa_String *account, - [in,unique] samr_CryptPassword *nt_password, - [in,unique] samr_Password *nt_verifier, - [in] boolean8 lm_change, - [in,unique] samr_CryptPassword *lm_password, - [in,unique] samr_Password *lm_verifier, - [in,unique] samr_CryptPassword *password3, - [out,unique] samr_DomInfo1 *dominfo, - [out,unique] samr_ChangeReject *reject - ); - - /************************/ - /* Function 0x40 */ - - typedef struct { - samr_ConnectVersion client_version; /* w2k3 gives 3 */ - uint32 unknown2; /* w2k3 gives 0 */ - } samr_ConnectInfo1; - - typedef union { - [case(1)] samr_ConnectInfo1 info1; - } samr_ConnectInfo; - - [public] NTSTATUS samr_Connect5( - [in,unique,string,charset(UTF16)] uint16 *system_name, - [in] samr_ConnectAccessMask access_mask, - [in,out] uint32 level, - [in,out,switch_is(level),ref] samr_ConnectInfo *info, - [out,ref] policy_handle *connect_handle - ); - - /************************/ - /* Function 0x41 */ - NTSTATUS samr_RidToSid( - [in,ref] policy_handle *domain_handle, - [in] uint32 rid, - [out,unique] dom_sid2 *sid - ); - - - /************************/ - /* Function 0x42 */ - - /* - this should set the DSRM password for the server, which is used - when booting into Directory Services Recovery Mode on a DC. Win2003 - gives me NT_STATUS_NOT_SUPPORTED - */ - - NTSTATUS samr_SetDsrmPassword( - [in,unique] lsa_String *name, - [in] uint32 unknown, - [in,unique] samr_Password *hash - ); - - - /************************/ - /* Function 0x43 */ - /************************/ - typedef [bitmap32bit] bitmap { - SAMR_VALIDATE_FIELD_PASSWORD_LAST_SET = 0x00000001, - SAMR_VALIDATE_FIELD_BAD_PASSWORD_TIME = 0x00000002, - SAMR_VALIDATE_FIELD_LOCKOUT_TIME = 0x00000004, - SAMR_VALIDATE_FIELD_BAD_PASSWORD_COUNT = 0x00000008, - SAMR_VALIDATE_FIELD_PASSWORD_HISTORY_LENGTH = 0x00000010, - SAMR_VALIDATE_FIELD_PASSWORD_HISTORY = 0x00000020 - } samr_ValidateFieldsPresent; - - typedef enum { - NetValidateAuthentication = 1, - NetValidatePasswordChange= 2, - NetValidatePasswordReset = 3 - } samr_ValidatePasswordLevel; - - /* NetApi maps samr_ValidationStatus errors to WERRORs. Haven't - * identified the mapping of - * - NERR_PasswordFilterError - * - NERR_PasswordExpired and - * - NERR_PasswordCantChange - * yet - Guenther - */ - - typedef enum { - SAMR_VALIDATION_STATUS_SUCCESS = 0, - SAMR_VALIDATION_STATUS_PASSWORD_MUST_CHANGE = 1, - SAMR_VALIDATION_STATUS_ACCOUNT_LOCKED_OUT = 2, - SAMR_VALIDATION_STATUS_BAD_PASSWORD = 4, - SAMR_VALIDATION_STATUS_PWD_HISTORY_CONFLICT = 5, - SAMR_VALIDATION_STATUS_PWD_TOO_SHORT = 6, - SAMR_VALIDATION_STATUS_PWD_TOO_LONG = 7, - SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH = 8, - SAMR_VALIDATION_STATUS_PASSWORD_TOO_RECENT = 9 - } samr_ValidationStatus; - - typedef struct { - uint32 length; - [size_is(length)] uint8 *data; - } samr_ValidationBlob; - - typedef struct { - samr_ValidateFieldsPresent fields_present; - NTTIME_hyper last_password_change; - NTTIME_hyper bad_password_time; - NTTIME_hyper lockout_time; - uint32 bad_pwd_count; - uint32 pwd_history_len; - [size_is(pwd_history_len)] samr_ValidationBlob *pwd_history; - } samr_ValidatePasswordInfo; - - typedef struct { - samr_ValidatePasswordInfo info; - samr_ValidationStatus status; - } samr_ValidatePasswordRepCtr; - - typedef [switch_type(uint16)] union { - [case(1)] samr_ValidatePasswordRepCtr ctr1; - [case(2)] samr_ValidatePasswordRepCtr ctr2; - [case(3)] samr_ValidatePasswordRepCtr ctr3; - } samr_ValidatePasswordRep; - - typedef struct { - samr_ValidatePasswordInfo info; - lsa_StringLarge password; - lsa_StringLarge account; - samr_ValidationBlob hash; - boolean8 pwd_must_change_at_next_logon; - boolean8 clear_lockout; - } samr_ValidatePasswordReq3; - - typedef struct { - samr_ValidatePasswordInfo info; - lsa_StringLarge password; - lsa_StringLarge account; - samr_ValidationBlob hash; - boolean8 password_matched; - } samr_ValidatePasswordReq2; - - typedef struct { - samr_ValidatePasswordInfo info; - boolean8 password_matched; - } samr_ValidatePasswordReq1; - - typedef [switch_type(uint16)] union { - [case(1)] samr_ValidatePasswordReq1 req1; - [case(2)] samr_ValidatePasswordReq2 req2; - [case(3)] samr_ValidatePasswordReq3 req3; - } samr_ValidatePasswordReq; - - NTSTATUS samr_ValidatePassword( - [in] samr_ValidatePasswordLevel level, - [in,switch_is(level)] samr_ValidatePasswordReq req, - [out,unique,switch_is(level)] samr_ValidatePasswordRep *rep - ); -} diff --git a/source4/librpc/idl/security.idl b/source4/librpc/idl/security.idl deleted file mode 100644 index 40aa698176..0000000000 --- a/source4/librpc/idl/security.idl +++ /dev/null @@ -1,410 +0,0 @@ -#include "idl_types.h" - -/* - security IDL structures -*/ - -import "misc.idl"; - -/* - use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really - just a dom sid, but with the sub_auths represented as a conformant - array. As with all in-structure conformant arrays, the array length - is placed before the start of the structure. That's what gives rise - to the extra num_auths elemenent. We don't want the Samba code to - have to bother with such esoteric NDR details, so its easier to just - define it as a dom_sid and use pidl magic to make it all work. It - just means you need to mark a sid as a "dom_sid2" in the IDL when you - know it is of the conformant array variety -*/ -cpp_quote("#define dom_sid2 dom_sid") - -/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */ -cpp_quote("#define dom_sid28 dom_sid") - -/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */ -cpp_quote("#define dom_sid0 dom_sid") - -[ - pointer_default(unique) -] -interface security -{ - /* - access masks are divided up like this: - 0xabccdddd - where - a = generic rights bits SEC_GENERIC_ - b = flags SEC_FLAG_ - c = standard rights bits SEC_STD_ - d = object type specific bits SEC_{FILE,DIR,REG,xxx}_ - - common combinations of bits are prefixed with SEC_RIGHTS_ - */ - const int SEC_MASK_GENERIC = 0xF0000000; - const int SEC_MASK_FLAGS = 0x0F000000; - const int SEC_MASK_STANDARD = 0x00FF0000; - const int SEC_MASK_SPECIFIC = 0x0000FFFF; - - /* generic bits */ - const int SEC_GENERIC_ALL = 0x10000000; - const int SEC_GENERIC_EXECUTE = 0x20000000; - const int SEC_GENERIC_WRITE = 0x40000000; - const int SEC_GENERIC_READ = 0x80000000; - - /* flag bits */ - const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000; - const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000; - - /* standard bits */ - const int SEC_STD_DELETE = 0x00010000; - const int SEC_STD_READ_CONTROL = 0x00020000; - const int SEC_STD_WRITE_DAC = 0x00040000; - const int SEC_STD_WRITE_OWNER = 0x00080000; - const int SEC_STD_SYNCHRONIZE = 0x00100000; - const int SEC_STD_REQUIRED = 0x000F0000; - const int SEC_STD_ALL = 0x001F0000; - - /* file specific bits */ - const int SEC_FILE_READ_DATA = 0x00000001; - const int SEC_FILE_WRITE_DATA = 0x00000002; - const int SEC_FILE_APPEND_DATA = 0x00000004; - const int SEC_FILE_READ_EA = 0x00000008; - const int SEC_FILE_WRITE_EA = 0x00000010; - const int SEC_FILE_EXECUTE = 0x00000020; - const int SEC_FILE_READ_ATTRIBUTE = 0x00000080; - const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100; - const int SEC_FILE_ALL = 0x000001ff; - - /* directory specific bits */ - const int SEC_DIR_LIST = 0x00000001; - const int SEC_DIR_ADD_FILE = 0x00000002; - const int SEC_DIR_ADD_SUBDIR = 0x00000004; - const int SEC_DIR_READ_EA = 0x00000008; - const int SEC_DIR_WRITE_EA = 0x00000010; - const int SEC_DIR_TRAVERSE = 0x00000020; - const int SEC_DIR_DELETE_CHILD = 0x00000040; - const int SEC_DIR_READ_ATTRIBUTE = 0x00000080; - const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100; - - /* registry entry specific bits */ - const int SEC_REG_QUERY_VALUE = 0x00000001; - const int SEC_REG_SET_VALUE = 0x00000002; - const int SEC_REG_CREATE_SUBKEY = 0x00000004; - const int SEC_REG_ENUM_SUBKEYS = 0x00000008; - const int SEC_REG_NOTIFY = 0x00000010; - const int SEC_REG_CREATE_LINK = 0x00000020; - - /* ldap specific access bits */ - const int SEC_ADS_CREATE_CHILD = 0x00000001; - const int SEC_ADS_DELETE_CHILD = 0x00000002; - const int SEC_ADS_LIST = 0x00000004; - const int SEC_ADS_SELF_WRITE = 0x00000008; - const int SEC_ADS_READ_PROP = 0x00000010; - const int SEC_ADS_WRITE_PROP = 0x00000020; - const int SEC_ADS_DELETE_TREE = 0x00000040; - const int SEC_ADS_LIST_OBJECT = 0x00000080; - const int SEC_ADS_CONTROL_ACCESS = 0x00000100; - - /* invalid bits */ - const int SEC_MASK_INVALID = 0x0ce0fe00; - - /* generic->specific mappings for files */ - const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL | - SEC_STD_SYNCHRONIZE | - SEC_FILE_READ_DATA | - SEC_FILE_READ_ATTRIBUTE | - SEC_FILE_READ_EA; - - const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL | - SEC_STD_SYNCHRONIZE | - SEC_FILE_WRITE_DATA | - SEC_FILE_WRITE_ATTRIBUTE | - SEC_FILE_WRITE_EA | - SEC_FILE_APPEND_DATA; - - const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE | - SEC_STD_READ_CONTROL | - SEC_FILE_READ_ATTRIBUTE | - SEC_FILE_EXECUTE; - - const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL; - - /* generic->specific mappings for directories (same as files) */ - const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ; - const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE; - const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE; - const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL; - - - /***************************************************************/ - /* WELL KNOWN SIDS */ - - /* a NULL sid */ - const string SID_NULL = "S-1-0-0"; - - /* the world domain */ - const string NAME_WORLD = "WORLD"; - - const string SID_WORLD_DOMAIN = "S-1-1"; - const string SID_WORLD = "S-1-1-0"; - - /* SECURITY_CREATOR_SID_AUTHORITY */ - const string SID_CREATOR_OWNER_DOMAIN = "S-1-3"; - const string SID_CREATOR_OWNER = "S-1-3-0"; - const string SID_CREATOR_GROUP = "S-1-3-1"; - const string SID_OWNER_RIGHTS = "S-1-3-4"; - - /* SECURITY_NT_AUTHORITY */ - const string NAME_NT_AUTHORITY = "NT AUTHORITY"; - - const string SID_NT_AUTHORITY = "S-1-5"; - const string SID_NT_DIALUP = "S-1-5-1"; - const string SID_NT_NETWORK = "S-1-5-2"; - const string SID_NT_BATCH = "S-1-5-3"; - const string SID_NT_INTERACTIVE = "S-1-5-4"; - const string SID_NT_SERVICE = "S-1-5-6"; - const string SID_NT_ANONYMOUS = "S-1-5-7"; - const string SID_NT_PROXY = "S-1-5-8"; - const string SID_NT_ENTERPRISE_DCS = "S-1-5-9"; - const string SID_NT_SELF = "S-1-5-10"; - const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11"; - const string SID_NT_RESTRICTED = "S-1-5-12"; - const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13"; - const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14"; - const string SID_NT_THIS_ORGANISATION = "S-1-5-15"; - const string SID_NT_IUSR = "S-1-5-17"; - const string SID_NT_SYSTEM = "S-1-5-18"; - const string SID_NT_LOCAL_SERVICE = "S-1-5-19"; - const string SID_NT_NETWORK_SERVICE = "S-1-5-20"; - const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21"; - const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10"; - const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14"; - const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000"; - - /* SECURITY_BUILTIN_DOMAIN_RID */ - const string NAME_BUILTIN = "BUILTIN"; - - const string SID_BUILTIN = "S-1-5-32"; - const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544"; - const string SID_BUILTIN_USERS = "S-1-5-32-545"; - const string SID_BUILTIN_GUESTS = "S-1-5-32-546"; - const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547"; - const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548"; - const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549"; - const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550"; - const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551"; - const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552"; - const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553"; - const string SID_BUILTIN_PREW2K = "S-1-5-32-554"; - - /* well-known domain RIDs */ - const int DOMAIN_RID_LOGON = 9; - const int DOMAIN_RID_ADMINISTRATOR = 500; - const int DOMAIN_RID_GUEST = 501; - const int DOMAIN_RID_ADMINS = 512; - const int DOMAIN_RID_USERS = 513; - const int DOMAIN_RID_DOMAIN_MEMBERS = 515; - const int DOMAIN_RID_DCS = 516; - const int DOMAIN_RID_CERT_ADMINS = 517; - const int DOMAIN_RID_SCHEMA_ADMINS = 518; - const int DOMAIN_RID_ENTERPRISE_ADMINS = 519; - - - /* - privilege IDs. Please keep the IDs below 64. If we get more - than 64 then we need to change security_token - */ - typedef enum { - SEC_PRIV_SECURITY = 1, - SEC_PRIV_BACKUP = 2, - SEC_PRIV_RESTORE = 3, - SEC_PRIV_SYSTEMTIME = 4, - SEC_PRIV_SHUTDOWN = 5, - SEC_PRIV_REMOTE_SHUTDOWN = 6, - SEC_PRIV_TAKE_OWNERSHIP = 7, - SEC_PRIV_DEBUG = 8, - SEC_PRIV_SYSTEM_ENVIRONMENT = 9, - SEC_PRIV_SYSTEM_PROFILE = 10, - SEC_PRIV_PROFILE_SINGLE_PROCESS = 11, - SEC_PRIV_INCREASE_BASE_PRIORITY = 12, - SEC_PRIV_LOAD_DRIVER = 13, - SEC_PRIV_CREATE_PAGEFILE = 14, - SEC_PRIV_INCREASE_QUOTA = 15, - SEC_PRIV_CHANGE_NOTIFY = 16, - SEC_PRIV_UNDOCK = 17, - SEC_PRIV_MANAGE_VOLUME = 18, - SEC_PRIV_IMPERSONATE = 19, - SEC_PRIV_CREATE_GLOBAL = 20, - SEC_PRIV_ENABLE_DELEGATION = 21, - SEC_PRIV_INTERACTIVE_LOGON = 22, - SEC_PRIV_NETWORK_LOGON = 23, - SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24 - } sec_privilege; - - - /* a domain SID. Note that unlike Samba3 this contains a pointer, - so you can't copy them using assignment */ - typedef [public,gensize,noprint,noejs,nosize] struct { - uint8 sid_rev_num; /**< SID revision number */ - [range(0,15)] int8 num_auths; /**< Number of sub-authorities */ - uint8 id_auth[6]; /**< Identifier Authority */ - uint32 sub_auths[num_auths]; - } dom_sid; - - /* id used to identify a endpoint, possibly in a cluster */ - typedef [public] struct { - hyper id; - uint32 id2; - uint32 node; - } server_id; - - typedef [bitmap8bit] bitmap { - SEC_ACE_FLAG_OBJECT_INHERIT = 0x01, - SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02, - SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04, - SEC_ACE_FLAG_INHERIT_ONLY = 0x08, - SEC_ACE_FLAG_INHERITED_ACE = 0x10, - SEC_ACE_FLAG_VALID_INHERIT = 0x0f, - SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40, - SEC_ACE_FLAG_FAILED_ACCESS = 0x80 - } security_ace_flags; - - typedef [enum8bit] enum { - SEC_ACE_TYPE_ACCESS_ALLOWED = 0, - SEC_ACE_TYPE_ACCESS_DENIED = 1, - SEC_ACE_TYPE_SYSTEM_AUDIT = 2, - SEC_ACE_TYPE_SYSTEM_ALARM = 3, - SEC_ACE_TYPE_ALLOWED_COMPOUND = 4, - SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5, - SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6, - SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7, - SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8 - } security_ace_type; - - typedef [bitmap32bit] bitmap { - SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001, - SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002 - } security_ace_object_flags; - - typedef [nodiscriminant] union { - /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */ - [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type; - [default]; - } security_ace_object_type; - - typedef [nodiscriminant] union { - /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context - * (of the parent container) - */ - [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type; - [default]; - } security_ace_object_inherited_type; - - typedef struct { - security_ace_object_flags flags; - [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type; - [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type; - } security_ace_object; - - typedef [nodiscriminant] union { - [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object; - [case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object; - [case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object; - [case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object; - [default]; - } security_ace_object_ctr; - - typedef [public,gensize,nosize] struct { - security_ace_type type; /* SEC_ACE_TYPE_* */ - security_ace_flags flags; /* SEC_ACE_FLAG_* */ - [value(ndr_size_security_ace(r,ndr->flags))] uint16 size; - uint32 access_mask; - [switch_is(type)] security_ace_object_ctr object; - dom_sid trustee; - } security_ace; - - typedef enum { - SECURITY_ACL_REVISION_NT4 = 2, - SECURITY_ACL_REVISION_ADS = 4 - } security_acl_revision; - - const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4; - - typedef [public,gensize,nosize] struct { - security_acl_revision revision; - [value(ndr_size_security_acl(r,ndr->flags))] uint16 size; - [range(0,1000)] uint32 num_aces; - security_ace aces[num_aces]; - } security_acl; - - /* default revision for new ACLs */ - typedef [enum8bit] enum { - SECURITY_DESCRIPTOR_REVISION_1 = 1 - } security_descriptor_revision; - - const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1; - - /* security_descriptor->type bits */ - typedef [bitmap16bit] bitmap { - SEC_DESC_OWNER_DEFAULTED = 0x0001, - SEC_DESC_GROUP_DEFAULTED = 0x0002, - SEC_DESC_DACL_PRESENT = 0x0004, - SEC_DESC_DACL_DEFAULTED = 0x0008, - SEC_DESC_SACL_PRESENT = 0x0010, - SEC_DESC_SACL_DEFAULTED = 0x0020, - SEC_DESC_DACL_TRUSTED = 0x0040, - SEC_DESC_SERVER_SECURITY = 0x0080, - SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100, - SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200, - SEC_DESC_DACL_AUTO_INHERITED = 0x0400, - SEC_DESC_SACL_AUTO_INHERITED = 0x0800, - SEC_DESC_DACL_PROTECTED = 0x1000, - SEC_DESC_SACL_PROTECTED = 0x2000, - SEC_DESC_RM_CONTROL_VALID = 0x4000, - SEC_DESC_SELF_RELATIVE = 0x8000 - } security_descriptor_type; - - typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct { - security_descriptor_revision revision; - security_descriptor_type type; /* SEC_DESC_xxxx flags */ - [relative] dom_sid *owner_sid; - [relative] dom_sid *group_sid; - [relative] security_acl *sacl; /* system ACL */ - [relative] security_acl *dacl; /* user (discretionary) ACL */ - } security_descriptor; - - typedef [public] struct { - [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size; - [subcontext(4)] security_descriptor *sd; - } sec_desc_buf; - - typedef [public] struct { - dom_sid *user_sid; - dom_sid *group_sid; - uint32 num_sids; - [size_is(num_sids)] dom_sid *sids[*]; - udlong privilege_mask; - } security_token; - - /* bits that determine which parts of a security descriptor - are being queried/set */ - typedef [public,bitmap32bit] bitmap { - SECINFO_OWNER = 0x00000001, - SECINFO_GROUP = 0x00000002, - SECINFO_DACL = 0x00000004, - SECINFO_SACL = 0x00000008, - SECINFO_UNPROTECTED_SACL = 0x10000000, - SECINFO_UNPROTECTED_DACL = 0x20000000, - SECINFO_PROTECTED_SACL = 0x40000000, - SECINFO_PROTECTED_DACL = 0x80000000 - } security_secinfo; - - typedef [public,bitmap32bit] bitmap { - KERB_ENCTYPE_DES_CBC_CRC = 0x00000001, - KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002, - KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004, - KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008, - KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010 - } kerb_EncTypes; -} diff --git a/source4/librpc/ndr/ndr_sec_helper.c b/source4/librpc/ndr/ndr_dom_sid.c index 1256d7dd2d..b986231b4f 100644 --- a/source4/librpc/ndr/ndr_sec_helper.c +++ b/source4/librpc/ndr/ndr_dom_sid.c @@ -4,6 +4,7 @@ fast routines for getting the wire size of security objects Copyright (C) Andrew Tridgell 2003 + Copyright (C) Stefan Metzmacher 2006-2008 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -54,68 +55,6 @@ size_t ndr_size_dom_sid0(const struct dom_sid *sid, int flags) } /* - return the wire size of a security_ace -*/ -size_t ndr_size_security_ace(const struct security_ace *ace, int flags) -{ - size_t ret; - - if (!ace) return 0; - - ret = 8 + ndr_size_dom_sid(&ace->trustee, flags); - - switch (ace->type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: - case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: - ret += 4; /* uint32 bitmap ace->object.object.flags */ - if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) { - ret += 16; /* GUID ace->object.object.type.type */ - } - if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) { - ret += 16; /* GUID ace->object.object.inherited_typeinherited_type */ - } - break; - default: - break; - } - - return ret; -} - -/* - return the wire size of a security_acl -*/ -size_t ndr_size_security_acl(const struct security_acl *acl, int flags) -{ - size_t ret; - int i; - if (!acl) return 0; - ret = 8; - for (i=0;i<acl->num_aces;i++) { - ret += ndr_size_security_ace(&acl->aces[i], flags); - } - return ret; -} - -/* - return the wire size of a security descriptor -*/ -size_t ndr_size_security_descriptor(const struct security_descriptor *sd, int flags) -{ - size_t ret; - if (!sd) return 0; - - ret = 20; - ret += ndr_size_dom_sid(sd->owner_sid, flags); - ret += ndr_size_dom_sid(sd->group_sid, flags); - ret += ndr_size_security_acl(sd->dacl, flags); - ret += ndr_size_security_acl(sd->sacl, flags); - return ret; -} - -/* print a dom_sid */ void ndr_print_dom_sid(struct ndr_print *ndr, const char *name, const struct dom_sid *sid) diff --git a/source4/main.mk b/source4/main.mk index 278c38454d..0a72487f8a 100644 --- a/source4/main.mk +++ b/source4/main.mk @@ -23,7 +23,7 @@ mkinclude ../lib/util/config.mk mkinclude lib/tdr/config.mk mkinclude lib/dbwrap/config.mk mkinclude ../lib/crypto/config.mk -mkinclude lib/torture/config.mk +mkinclude ../lib/torture/config.mk mkinclude lib/basic.mk mkinclude lib/com/config.mk # WMI fails at the moment diff --git a/source4/ntvfs/posix/pvfs_resolve.c b/source4/ntvfs/posix/pvfs_resolve.c index 1e13474b9e..f08de72a38 100644 --- a/source4/ntvfs/posix/pvfs_resolve.c +++ b/source4/ntvfs/posix/pvfs_resolve.c @@ -186,23 +186,49 @@ static NTSTATUS pvfs_case_search(struct pvfs_state *pvfs, /* parse a alternate data stream name */ -static NTSTATUS parse_stream_name(struct pvfs_filename *name, const char *s) +static NTSTATUS parse_stream_name(struct smb_iconv_convenience *ic, + struct pvfs_filename *name, + const char *s) { char *p; + if (s[1] == '\0') { + return NT_STATUS_OBJECT_NAME_INVALID; + } name->stream_name = talloc_strdup(name, s+1); if (name->stream_name == NULL) { return NT_STATUS_NO_MEMORY; } - p = strchr_m(name->stream_name, ':'); - if (p == NULL) { - name->stream_id = pvfs_name_hash(name->stream_name, - strlen(name->stream_name)); - return NT_STATUS_OK; - } - if (strcasecmp_m(p, ":$DATA") != 0) { - return NT_STATUS_OBJECT_NAME_INVALID; + + p = name->stream_name; + + while (*p) { + size_t c_size; + codepoint_t c = next_codepoint_convenience(ic, p, &c_size); + + switch (c) { + case '/': + case '\\': + return NT_STATUS_OBJECT_NAME_INVALID; + case ':': + *p= 0; + p++; + if (*p == '\0') { + return NT_STATUS_OBJECT_NAME_INVALID; + } + if (strcasecmp_m(p, "$DATA") != 0) { + if (strchr_m(p, ':')) { + return NT_STATUS_OBJECT_NAME_INVALID; + } + return NT_STATUS_INVALID_PARAMETER; + } + c_size = 0; + p--; + break; + } + + p += c_size; } - *p = 0; + if (strcmp(name->stream_name, "") == 0) { /* * we don't set stream_name to NULL, here @@ -233,6 +259,7 @@ static NTSTATUS pvfs_unix_path(struct pvfs_state *pvfs, const char *cifs_name, uint_t flags, struct pvfs_filename *name) { char *ret, *p, *p_start; + struct smb_iconv_convenience *ic = NULL; NTSTATUS status; name->original_name = talloc_strdup(name, cifs_name); @@ -263,15 +290,21 @@ static NTSTATUS pvfs_unix_path(struct pvfs_state *pvfs, const char *cifs_name, for legal characters */ p_start = p; + ic = lp_iconv_convenience(pvfs->ntvfs->ctx->lp_ctx); while (*p) { size_t c_size; - codepoint_t c = next_codepoint_convenience(lp_iconv_convenience(pvfs->ntvfs->ctx->lp_ctx), p, &c_size); + codepoint_t c = next_codepoint_convenience(ic, p, &c_size); + + if (c <= 0x1F) { + return NT_STATUS_OBJECT_NAME_INVALID; + } + switch (c) { case '\\': if (name->has_wildcard) { /* wildcards are only allowed in the last part of a name */ - return NT_STATUS_ILLEGAL_CHARACTER; + return NT_STATUS_OBJECT_NAME_INVALID; } if (p > p_start && (p[1] == '\\' || p[1] == '\0')) { /* see if it is definately a "\\" or @@ -288,12 +321,12 @@ static NTSTATUS pvfs_unix_path(struct pvfs_state *pvfs, const char *cifs_name, break; case ':': if (!(flags & PVFS_RESOLVE_STREAMS)) { - return NT_STATUS_ILLEGAL_CHARACTER; + return NT_STATUS_OBJECT_NAME_INVALID; } if (name->has_wildcard) { - return NT_STATUS_ILLEGAL_CHARACTER; + return NT_STATUS_OBJECT_NAME_INVALID; } - status = parse_stream_name(name, p); + status = parse_stream_name(ic, name, p); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -311,7 +344,7 @@ static NTSTATUS pvfs_unix_path(struct pvfs_state *pvfs, const char *cifs_name, break; case '/': case '|': - return NT_STATUS_ILLEGAL_CHARACTER; + return NT_STATUS_OBJECT_NAME_INVALID; case '.': /* see if it is definately a .. or . component. If it is then fail here, and diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index 6f3f6799e7..6e888e5259 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c @@ -251,8 +251,8 @@ _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx, return NT_STATUS_OK; } -static NTSTATUS dcesrv_inherited_session_key(struct dcesrv_connection *p, - DATA_BLOB *session_key) +NTSTATUS dcesrv_inherited_session_key(struct dcesrv_connection *p, + DATA_BLOB *session_key) { if (p->auth_state.session_info->session_key.length) { *session_key = p->auth_state.session_info->session_key; diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index b3118d772d..e1fb187c52 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c @@ -37,26 +37,28 @@ #include "../lib/util/util_ldb.h" #include "param/param.h" -/* these query macros make samr_Query[User|Group]Info a bit easier to read */ +/* these query macros make samr_Query[User|Group|Alias]Info a bit easier to read */ #define QUERY_STRING(msg, field, attr) \ - r->out.info->field.string = samdb_result_string(msg, attr, ""); + info->field.string = samdb_result_string(msg, attr, ""); #define QUERY_UINT(msg, field, attr) \ - r->out.info->field = samdb_result_uint(msg, attr, 0); + info->field = samdb_result_uint(msg, attr, 0); #define QUERY_RID(msg, field, attr) \ - r->out.info->field = samdb_result_rid_from_sid(mem_ctx, msg, attr, 0); + info->field = samdb_result_rid_from_sid(mem_ctx, msg, attr, 0); #define QUERY_UINT64(msg, field, attr) \ - r->out.info->field = samdb_result_uint64(msg, attr, 0); + info->field = samdb_result_uint64(msg, attr, 0); #define QUERY_APASSC(msg, field, attr) \ - r->out.info->field = samdb_result_allow_password_change(sam_ctx, mem_ctx, \ - a_state->domain_state->domain_dn, msg, attr); + info->field = samdb_result_allow_password_change(sam_ctx, mem_ctx, \ + a_state->domain_state->domain_dn, msg, attr); #define QUERY_FPASSC(msg, field, attr) \ - r->out.info->field = samdb_result_force_password_change(sam_ctx, mem_ctx, \ - a_state->domain_state->domain_dn, msg); + info->field = samdb_result_force_password_change(sam_ctx, mem_ctx, \ + a_state->domain_state->domain_dn, msg); #define QUERY_LHOURS(msg, field, attr) \ - r->out.info->field = samdb_result_logon_hours(mem_ctx, msg, attr); + info->field = samdb_result_logon_hours(mem_ctx, msg, attr); #define QUERY_AFLAGS(msg, field, attr) \ - r->out.info->field = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, a_state->domain_state->domain_dn); + info->field = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, a_state->domain_state->domain_dn); +#define QUERY_PARAMETERS(msg, field, attr) \ + info->field = samdb_result_parameters(mem_ctx, msg, attr); /* these are used to make the Set[User|Group]Info code easier to follow */ @@ -136,6 +138,16 @@ set_el->flags = LDB_FLAG_MOD_REPLACE; \ } while (0) +#define SET_PARAMETERS(msg, field, attr) do { \ + struct ldb_message_element *set_el; \ + if (samdb_msg_add_parameters(sam_ctx, mem_ctx, msg, attr, &r->in.info->field) != 0) { \ + return NT_STATUS_NO_MEMORY; \ + } \ + set_el = ldb_msg_find_element(msg, attr); \ + set_el->flags = LDB_FLAG_MOD_REPLACE; \ +} while (0) + + /* samr_Connect @@ -217,7 +229,7 @@ static NTSTATUS dcesrv_samr_QuerySecurity(struct dcesrv_call_state *dce_call, TA struct dcesrv_handle *h; struct sec_desc_buf *sd; - r->out.sdbuf = NULL; + *r->out.sdbuf = NULL; DCESRV_PULL_HANDLE(h, r->in.handle, DCESRV_HANDLE_ANY); @@ -228,7 +240,7 @@ static NTSTATUS dcesrv_samr_QuerySecurity(struct dcesrv_call_state *dce_call, TA sd->sd = samdb_default_security_descriptor(mem_ctx); - r->out.sdbuf = sd; + *r->out.sdbuf = sd; return NT_STATUS_OK; } @@ -265,7 +277,7 @@ static NTSTATUS dcesrv_samr_LookupDomain(struct dcesrv_call_state *dce_call, TAL int ret; struct ldb_dn *partitions_basedn; - r->out.sid = NULL; + *r->out.sid = NULL; DCESRV_PULL_HANDLE(h, r->in.connect_handle, SAMR_HANDLE_CONNECT); @@ -307,7 +319,7 @@ static NTSTATUS dcesrv_samr_LookupDomain(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_NO_SUCH_DOMAIN; } - r->out.sid = sid; + *r->out.sid = sid; return NT_STATUS_OK; } @@ -332,8 +344,8 @@ static NTSTATUS dcesrv_samr_EnumDomains(struct dcesrv_call_state *dce_call, TALL struct ldb_dn *partitions_basedn; *r->out.resume_handle = 0; - r->out.sam = NULL; - r->out.num_entries = 0; + *r->out.sam = NULL; + *r->out.num_entries = 0; DCESRV_PULL_HANDLE(h, r->in.connect_handle, SAMR_HANDLE_CONNECT); @@ -389,9 +401,9 @@ static NTSTATUS dcesrv_samr_EnumDomains(struct dcesrv_call_state *dce_call, TALL } } - r->out.sam = array; - r->out.num_entries = i; - array->count = r->out.num_entries; + *r->out.sam = array; + *r->out.num_entries = i; + array->count = *r->out.num_entries; return NT_STATUS_OK; } @@ -692,7 +704,7 @@ static NTSTATUS dcesrv_samr_info_DomInfo9(struct samr_domain_state *state, struct ldb_message **dom_msgs, struct samr_DomInfo9 *info) { - info->unknown = 1; + info->domain_server_state = DOMAIN_SERVER_ENABLED; return NT_STATUS_OK; } @@ -765,18 +777,19 @@ static NTSTATUS dcesrv_samr_QueryDomainInfo(struct dcesrv_call_state *dce_call, { struct dcesrv_handle *h; struct samr_domain_state *d_state; + union samr_DomainInfo *info; struct ldb_message **dom_msgs; const char * const *attrs = NULL; - r->out.info = NULL; + *r->out.info = NULL; DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN); d_state = h->data; - r->out.info = talloc(mem_ctx, union samr_DomainInfo); - if (!r->out.info) { + info = talloc(mem_ctx, union samr_DomainInfo); + if (!info) { return NT_STATUS_NO_MEMORY; } @@ -881,47 +894,49 @@ static NTSTATUS dcesrv_samr_QueryDomainInfo(struct dcesrv_call_state *dce_call, } } - ZERO_STRUCTP(r->out.info); + *r->out.info = info; + + ZERO_STRUCTP(info); switch (r->in.level) { case 1: return dcesrv_samr_info_DomInfo1(d_state, mem_ctx, dom_msgs, - &r->out.info->info1); + &info->info1); case 2: return dcesrv_samr_info_DomGeneralInformation(d_state, mem_ctx, dom_msgs, - &r->out.info->general); + &info->general); case 3: return dcesrv_samr_info_DomInfo3(d_state, mem_ctx, dom_msgs, - &r->out.info->info3); + &info->info3); case 4: return dcesrv_samr_info_DomOEMInformation(d_state, mem_ctx, dom_msgs, - &r->out.info->oem); + &info->oem); case 5: return dcesrv_samr_info_DomInfo5(d_state, mem_ctx, dom_msgs, - &r->out.info->info5); + &info->info5); case 6: return dcesrv_samr_info_DomInfo6(d_state, mem_ctx, dom_msgs, - &r->out.info->info6); + &info->info6); case 7: return dcesrv_samr_info_DomInfo7(d_state, mem_ctx, dom_msgs, - &r->out.info->info7); + &info->info7); case 8: return dcesrv_samr_info_DomInfo8(d_state, mem_ctx, dom_msgs, - &r->out.info->info8); + &info->info8); case 9: return dcesrv_samr_info_DomInfo9(d_state, mem_ctx, dom_msgs, - &r->out.info->info9); + &info->info9); case 11: return dcesrv_samr_info_DomGeneralInformation2(d_state, mem_ctx, dom_msgs, - &r->out.info->general2); + &info->general2); case 12: return dcesrv_samr_info_DomInfo12(d_state, mem_ctx, dom_msgs, - &r->out.info->info12); + &info->info12); case 13: return dcesrv_samr_info_DomInfo13(d_state, mem_ctx, dom_msgs, - &r->out.info->info13); + &info->info13); } - + return NT_STATUS_INVALID_INFO_CLASS; } @@ -1135,10 +1150,11 @@ static NTSTATUS dcesrv_samr_EnumDomainGroups(struct dcesrv_call_state *dce_call, int ldb_cnt, count, i, first; struct samr_SamEntry *entries; const char * const attrs[3] = { "objectSid", "sAMAccountName", NULL }; + struct samr_SamArray *sam; *r->out.resume_handle = 0; - r->out.sam = NULL; - r->out.num_entries = 0; + *r->out.sam = NULL; + *r->out.num_entries = 0; DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN); @@ -1189,20 +1205,22 @@ static NTSTATUS dcesrv_samr_EnumDomainGroups(struct dcesrv_call_state *dce_call, /* return the rest, limit by max_size. Note that we use the w2k3 element size value of 54 */ - r->out.num_entries = count - first; - r->out.num_entries = MIN(r->out.num_entries, + *r->out.num_entries = count - first; + *r->out.num_entries = MIN(*r->out.num_entries, 1+(r->in.max_size/SAMR_ENUM_USERS_MULTIPLIER)); - r->out.sam = talloc(mem_ctx, struct samr_SamArray); - if (!r->out.sam) { + sam = talloc(mem_ctx, struct samr_SamArray); + if (!sam) { return NT_STATUS_NO_MEMORY; } - r->out.sam->entries = entries+first; - r->out.sam->count = r->out.num_entries; + sam->entries = entries+first; + sam->count = *r->out.num_entries; + + *r->out.sam = sam; - if (r->out.num_entries < count - first) { - *r->out.resume_handle = entries[first+r->out.num_entries-1].idx; + if (*r->out.num_entries < count - first) { + *r->out.resume_handle = entries[first+*r->out.num_entries-1].idx; return STATUS_MORE_ENTRIES; } @@ -1492,10 +1510,11 @@ static NTSTATUS dcesrv_samr_EnumDomainUsers(struct dcesrv_call_state *dce_call, int ret, num_filtered_entries, i, first; struct samr_SamEntry *entries; const char * const attrs[] = { "objectSid", "sAMAccountName", "userAccountControl", NULL }; + struct samr_SamArray *sam; *r->out.resume_handle = 0; - r->out.sam = NULL; - r->out.num_entries = 0; + *r->out.sam = NULL; + *r->out.num_entries = 0; DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN); @@ -1539,24 +1558,26 @@ static NTSTATUS dcesrv_samr_EnumDomainUsers(struct dcesrv_call_state *dce_call, /* return the rest, limit by max_size. Note that we use the w2k3 element size value of 54 */ - r->out.num_entries = num_filtered_entries - first; - r->out.num_entries = MIN(r->out.num_entries, + *r->out.num_entries = num_filtered_entries - first; + *r->out.num_entries = MIN(*r->out.num_entries, 1+(r->in.max_size/SAMR_ENUM_USERS_MULTIPLIER)); - r->out.sam = talloc(mem_ctx, struct samr_SamArray); - if (!r->out.sam) { + sam = talloc(mem_ctx, struct samr_SamArray); + if (!sam) { return NT_STATUS_NO_MEMORY; } - r->out.sam->entries = entries+first; - r->out.sam->count = r->out.num_entries; + sam->entries = entries+first; + sam->count = *r->out.num_entries; + + *r->out.sam = sam; if (first == num_filtered_entries) { return NT_STATUS_OK; } - if (r->out.num_entries < num_filtered_entries - first) { - *r->out.resume_handle = entries[first+r->out.num_entries-1].idx; + if (*r->out.num_entries < num_filtered_entries - first) { + *r->out.resume_handle = entries[first+*r->out.num_entries-1].idx; return STATUS_MORE_ENTRIES; } @@ -1685,10 +1706,11 @@ static NTSTATUS dcesrv_samr_EnumDomainAliases(struct dcesrv_call_state *dce_call int ldb_cnt, count, i, first; struct samr_SamEntry *entries; const char * const attrs[3] = { "objectSid", "sAMAccountName", NULL }; + struct samr_SamArray *sam; *r->out.resume_handle = 0; - r->out.sam = NULL; - r->out.num_entries = 0; + *r->out.sam = NULL; + *r->out.num_entries = 0; DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN); @@ -1748,20 +1770,22 @@ static NTSTATUS dcesrv_samr_EnumDomainAliases(struct dcesrv_call_state *dce_call return NT_STATUS_OK; } - r->out.num_entries = count - first; - r->out.num_entries = MIN(r->out.num_entries, 1000); + *r->out.num_entries = count - first; + *r->out.num_entries = MIN(*r->out.num_entries, 1000); - r->out.sam = talloc(mem_ctx, struct samr_SamArray); - if (!r->out.sam) { + sam = talloc(mem_ctx, struct samr_SamArray); + if (!sam) { return NT_STATUS_NO_MEMORY; } - r->out.sam->entries = entries+first; - r->out.sam->count = r->out.num_entries; + sam->entries = entries+first; + sam->count = *r->out.num_entries; + + *r->out.sam = sam; - if (r->out.num_entries < count - first) { + if (*r->out.num_entries < count - first) { *r->out.resume_handle = - entries[first+r->out.num_entries-1].idx; + entries[first+*r->out.num_entries-1].idx; return STATUS_MORE_ENTRIES; } @@ -1859,8 +1883,8 @@ static NTSTATUS dcesrv_samr_LookupNames(struct dcesrv_call_state *dce_call, TALL const char * const attrs[] = { "sAMAccountType", "objectSid", NULL }; int count; - ZERO_STRUCT(r->out.rids); - ZERO_STRUCT(r->out.types); + ZERO_STRUCTP(r->out.rids); + ZERO_STRUCTP(r->out.types); DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN); @@ -1870,13 +1894,13 @@ static NTSTATUS dcesrv_samr_LookupNames(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_OK; } - r->out.rids.ids = talloc_array(mem_ctx, uint32_t, r->in.num_names); - r->out.types.ids = talloc_array(mem_ctx, uint32_t, r->in.num_names); - if (!r->out.rids.ids || !r->out.types.ids) { + r->out.rids->ids = talloc_array(mem_ctx, uint32_t, r->in.num_names); + r->out.types->ids = talloc_array(mem_ctx, uint32_t, r->in.num_names); + if (!r->out.rids->ids || !r->out.types->ids) { return NT_STATUS_NO_MEMORY; } - r->out.rids.count = r->in.num_names; - r->out.types.count = r->in.num_names; + r->out.rids->count = r->in.num_names; + r->out.types->count = r->in.num_names; num_mapped = 0; @@ -1885,8 +1909,8 @@ static NTSTATUS dcesrv_samr_LookupNames(struct dcesrv_call_state *dce_call, TALL struct dom_sid *sid; uint32_t atype, rtype; - r->out.rids.ids[i] = 0; - r->out.types.ids[i] = SID_NAME_UNKNOWN; + r->out.rids->ids[i] = 0; + r->out.types->ids[i] = SID_NAME_UNKNOWN; count = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs, "sAMAccountName=%s", @@ -1915,8 +1939,8 @@ static NTSTATUS dcesrv_samr_LookupNames(struct dcesrv_call_state *dce_call, TALL continue; } - r->out.rids.ids[i] = sid->sub_auths[sid->num_auths-1]; - r->out.types.ids[i] = rtype; + r->out.rids->ids[i] = sid->sub_auths[sid->num_auths-1]; + r->out.types->ids[i] = rtype; num_mapped++; } @@ -1940,8 +1964,8 @@ static NTSTATUS dcesrv_samr_LookupRids(struct dcesrv_call_state *dce_call, TALLO struct lsa_String *names; uint32_t *ids; - ZERO_STRUCT(r->out.names); - ZERO_STRUCT(r->out.types); + ZERO_STRUCTP(r->out.names); + ZERO_STRUCTP(r->out.types); DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN); @@ -2002,11 +2026,11 @@ static NTSTATUS dcesrv_samr_LookupRids(struct dcesrv_call_state *dce_call, TALLO } } - r->out.names.names = names; - r->out.names.count = r->in.num_rids; + r->out.names->names = names; + r->out.names->count = r->in.num_rids; - r->out.types.ids = ids; - r->out.types.count = r->in.num_rids; + r->out.types->ids = ids; + r->out.types->count = r->in.num_rids; return status; } @@ -2103,8 +2127,9 @@ static NTSTATUS dcesrv_samr_QueryGroupInfo(struct dcesrv_call_state *dce_call, T const char * const attrs[4] = { "sAMAccountName", "description", "numMembers", NULL }; int ret; + union samr_GroupInfo *info; - r->out.info = NULL; + *r->out.info = NULL; DCESRV_PULL_HANDLE(h, r->in.group_handle, SAMR_HANDLE_GROUP); @@ -2127,17 +2152,16 @@ static NTSTATUS dcesrv_samr_QueryGroupInfo(struct dcesrv_call_state *dce_call, T msg = res->msgs[0]; /* allocate the info structure */ - r->out.info = talloc(mem_ctx, union samr_GroupInfo); - if (r->out.info == NULL) { + info = talloc_zero(mem_ctx, union samr_GroupInfo); + if (info == NULL) { return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP(r->out.info); /* Fill in the level */ switch (r->in.level) { case GROUPINFOALL: QUERY_STRING(msg, all.name, "sAMAccountName"); - r->out.info->all.attributes = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; /* Do like w2k3 */ + info->all.attributes = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; /* Do like w2k3 */ QUERY_UINT (msg, all.num_members, "numMembers") QUERY_STRING(msg, all.description, "description"); break; @@ -2145,22 +2169,24 @@ static NTSTATUS dcesrv_samr_QueryGroupInfo(struct dcesrv_call_state *dce_call, T QUERY_STRING(msg, name, "sAMAccountName"); break; case GROUPINFOATTRIBUTES: - r->out.info->attributes.attributes = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; /* Do like w2k3 */ + info->attributes.attributes = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; /* Do like w2k3 */ break; case GROUPINFODESCRIPTION: QUERY_STRING(msg, description, "description"); break; case GROUPINFOALL2: QUERY_STRING(msg, all2.name, "sAMAccountName"); - r->out.info->all.attributes = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; /* Do like w2k3 */ + info->all.attributes = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; /* Do like w2k3 */ QUERY_UINT (msg, all2.num_members, "numMembers") QUERY_STRING(msg, all2.description, "description"); break; default: - r->out.info = NULL; + talloc_free(info); return NT_STATUS_INVALID_INFO_CLASS; } - + + *r->out.info = info; + return NT_STATUS_OK; } @@ -2467,7 +2493,7 @@ static NTSTATUS dcesrv_samr_QueryGroupMember(struct dcesrv_call_state *dce_call, } } - r->out.rids = array; + *r->out.rids = array; return NT_STATUS_OK; } @@ -2574,8 +2600,9 @@ static NTSTATUS dcesrv_samr_QueryAliasInfo(struct dcesrv_call_state *dce_call, T const char * const attrs[4] = { "sAMAccountName", "description", "numMembers", NULL }; int ret; + union samr_AliasInfo *info; - r->out.info = NULL; + *r->out.info = NULL; DCESRV_PULL_HANDLE(h, r->in.alias_handle, SAMR_HANDLE_ALIAS); @@ -2590,11 +2617,10 @@ static NTSTATUS dcesrv_samr_QueryAliasInfo(struct dcesrv_call_state *dce_call, T msg = res[0]; /* allocate the info structure */ - r->out.info = talloc(mem_ctx, union samr_AliasInfo); - if (r->out.info == NULL) { + info = talloc_zero(mem_ctx, union samr_AliasInfo); + if (info == NULL) { return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP(r->out.info); switch(r->in.level) { case ALIASINFOALL: @@ -2609,10 +2635,12 @@ static NTSTATUS dcesrv_samr_QueryAliasInfo(struct dcesrv_call_state *dce_call, T QUERY_STRING(msg, description, "description"); break; default: - r->out.info = NULL; + talloc_free(info); return NT_STATUS_INVALID_INFO_CLASS; } - + + *r->out.info = info; + return NT_STATUS_OK; } @@ -2989,8 +3017,9 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA struct ldb_context *sam_ctx; const char * const *attrs = NULL; + union samr_UserInfo *info; - r->out.info = NULL; + *r->out.info = NULL; DCESRV_PULL_HANDLE(h, r->in.user_handle, SAMR_HANDLE_USER); @@ -3175,11 +3204,10 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA msg = res[0]; /* allocate the info structure */ - r->out.info = talloc(mem_ctx, union samr_UserInfo); - if (r->out.info == NULL) { + info = talloc_zero(mem_ctx, union samr_UserInfo); + if (info == NULL) { return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP(r->out.info); /* fill in the reply */ switch (r->in.level) { @@ -3290,7 +3318,7 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA break; case 20: - QUERY_STRING(msg, info20.parameters, "userParameters"); + QUERY_PARAMETERS(msg, info20.parameters, "userParameters"); break; case 21: @@ -3309,11 +3337,11 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA QUERY_STRING(msg, info21.description, "description"); QUERY_STRING(msg, info21.workstations, "userWorkstations"); QUERY_STRING(msg, info21.comment, "comment"); - QUERY_STRING(msg, info21.parameters, "userParameters"); + QUERY_PARAMETERS(msg, info21.parameters, "userParameters"); QUERY_RID (msg, info21.rid, "objectSid"); QUERY_UINT (msg, info21.primary_gid, "primaryGroupID"); QUERY_AFLAGS(msg, info21.acct_flags, "userAccountControl"); - r->out.info->info21.fields_present = 0x00FFFFFF; + info->info21.fields_present = 0x00FFFFFF; QUERY_LHOURS(msg, info21.logon_hours, "logonHours"); QUERY_UINT (msg, info21.bad_password_count, "badPwdCount"); QUERY_UINT (msg, info21.logon_count, "logonCount"); @@ -3323,10 +3351,12 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA default: - r->out.info = NULL; + talloc_free(info); return NT_STATUS_INVALID_INFO_CLASS; } - + + *r->out.info = info; + return NT_STATUS_OK; } @@ -3416,7 +3446,7 @@ static NTSTATUS dcesrv_samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALL break; case 20: - SET_STRING(msg, info20.parameters, "userParameters"); + SET_PARAMETERS(msg, info20.parameters, "userParameters"); break; case 21: @@ -3446,7 +3476,7 @@ static NTSTATUS dcesrv_samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALL IFSET(SAMR_FIELD_ACCT_FLAGS) SET_AFLAGS(msg, info21.acct_flags, "userAccountControl"); IFSET(SAMR_FIELD_PARAMETERS) - SET_STRING(msg, info21.parameters, "userParameters"); + SET_PARAMETERS(msg, info21.parameters, "userParameters"); IFSET(SAMR_FIELD_COUNTRY_CODE) SET_UINT (msg, info21.country_code, "countryCode"); IFSET(SAMR_FIELD_CODE_PAGE) @@ -3477,7 +3507,7 @@ static NTSTATUS dcesrv_samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALL IFSET(SAMR_FIELD_ACCT_FLAGS) SET_AFLAGS(msg, info23.info.acct_flags, "userAccountControl"); IFSET(SAMR_FIELD_PARAMETERS) - SET_STRING(msg, info23.info.parameters, "userParameters"); + SET_PARAMETERS(msg, info23.info.parameters, "userParameters"); IFSET(SAMR_FIELD_COUNTRY_CODE) SET_UINT (msg, info23.info.country_code, "countryCode"); IFSET(SAMR_FIELD_CODE_PAGE) @@ -3533,7 +3563,7 @@ static NTSTATUS dcesrv_samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALL IFSET(SAMR_FIELD_ACCT_FLAGS) SET_AFLAGS(msg, info25.info.acct_flags, "userAccountControl"); IFSET(SAMR_FIELD_PARAMETERS) - SET_STRING(msg, info25.info.parameters, "userParameters"); + SET_PARAMETERS(msg, info25.info.parameters, "userParameters"); IFSET(SAMR_FIELD_COUNTRY_CODE) SET_UINT (msg, info25.info.country_code, "countryCode"); IFSET(SAMR_FIELD_CODE_PAGE) @@ -3650,7 +3680,7 @@ static NTSTATUS dcesrv_samr_GetGroupsForUser(struct dcesrv_call_state *dce_call, } } - r->out.rids = array; + *r->out.rids = array; return NT_STATUS_OK; } @@ -3808,65 +3838,65 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, count += 1; } - r->out.total_size = count; + *r->out.total_size = count; if (r->in.start_idx >= count) { - r->out.returned_size = 0; + *r->out.returned_size = 0; switch(r->in.level) { case 1: - r->out.info.info1.count = r->out.returned_size; - r->out.info.info1.entries = NULL; + r->out.info->info1.count = *r->out.returned_size; + r->out.info->info1.entries = NULL; break; case 2: - r->out.info.info2.count = r->out.returned_size; - r->out.info.info2.entries = NULL; + r->out.info->info2.count = *r->out.returned_size; + r->out.info->info2.entries = NULL; break; case 3: - r->out.info.info3.count = r->out.returned_size; - r->out.info.info3.entries = NULL; + r->out.info->info3.count = *r->out.returned_size; + r->out.info->info3.entries = NULL; break; case 4: - r->out.info.info4.count = r->out.returned_size; - r->out.info.info4.entries = NULL; + r->out.info->info4.count = *r->out.returned_size; + r->out.info->info4.entries = NULL; break; case 5: - r->out.info.info5.count = r->out.returned_size; - r->out.info.info5.entries = NULL; + r->out.info->info5.count = *r->out.returned_size; + r->out.info->info5.entries = NULL; break; } } else { - r->out.returned_size = MIN(count - r->in.start_idx, + *r->out.returned_size = MIN(count - r->in.start_idx, r->in.max_entries); switch(r->in.level) { case 1: - r->out.info.info1.count = r->out.returned_size; - r->out.info.info1.entries = + r->out.info->info1.count = *r->out.returned_size; + r->out.info->info1.entries = &(entriesGeneral[r->in.start_idx]); break; case 2: - r->out.info.info2.count = r->out.returned_size; - r->out.info.info2.entries = + r->out.info->info2.count = *r->out.returned_size; + r->out.info->info2.entries = &(entriesFull[r->in.start_idx]); break; case 3: - r->out.info.info3.count = r->out.returned_size; - r->out.info.info3.entries = + r->out.info->info3.count = *r->out.returned_size; + r->out.info->info3.entries = &(entriesFullGroup[r->in.start_idx]); break; case 4: - r->out.info.info4.count = r->out.returned_size; - r->out.info.info4.entries = + r->out.info->info4.count = *r->out.returned_size; + r->out.info->info4.entries = &(entriesAscii[r->in.start_idx]); break; case 5: - r->out.info.info5.count = r->out.returned_size; - r->out.info.info5.entries = + r->out.info->info5.count = *r->out.returned_size; + r->out.info->info5.entries = &(entriesAscii[r->in.start_idx]); break; } } - return (r->out.returned_size < (count - r->in.start_idx)) ? + return (*r->out.returned_size < (count - r->in.start_idx)) ? STATUS_MORE_ENTRIES : NT_STATUS_OK; } @@ -3910,18 +3940,18 @@ static NTSTATUS dcesrv_samr_GetUserPwInfo(struct dcesrv_call_state *dce_call, TA struct dcesrv_handle *h; struct samr_account_state *a_state; - ZERO_STRUCT(r->out.info); + ZERO_STRUCTP(r->out.info); DCESRV_PULL_HANDLE(h, r->in.user_handle, SAMR_HANDLE_USER); a_state = h->data; - r->out.info.min_password_length = samdb_search_uint(a_state->sam_ctx, mem_ctx, 0, - a_state->domain_state->domain_dn, "minPwdLength", - NULL); - r->out.info.password_properties = samdb_search_uint(a_state->sam_ctx, mem_ctx, 0, - a_state->account_dn, - "pwdProperties", NULL); + r->out.info->min_password_length = samdb_search_uint(a_state->sam_ctx, mem_ctx, 0, + a_state->domain_state->domain_dn, "minPwdLength", + NULL); + r->out.info->password_properties = samdb_search_uint(a_state->sam_ctx, mem_ctx, 0, + a_state->account_dn, + "pwdProperties", NULL); return NT_STATUS_OK; } @@ -4008,11 +4038,10 @@ static NTSTATUS dcesrv_samr_QueryDomainInfo2(struct dcesrv_call_state *dce_call, ZERO_STRUCT(r1.out); r1.in.domain_handle = r->in.domain_handle; r1.in.level = r->in.level; - + r1.out.info = r->out.info; + status = dcesrv_samr_QueryDomainInfo(dce_call, mem_ctx, &r1); - r->out.info = r1.out.info; - return status; } @@ -4028,13 +4057,11 @@ static NTSTATUS dcesrv_samr_QueryUserInfo2(struct dcesrv_call_state *dce_call, T struct samr_QueryUserInfo r1; NTSTATUS status; - ZERO_STRUCT(r1.out); r1.in.user_handle = r->in.user_handle; r1.in.level = r->in.level; + r1.out.info = r->out.info; status = dcesrv_samr_QueryUserInfo(dce_call, mem_ctx, &r1); - - r->out.info = r1.out.info; return status; } @@ -4054,14 +4081,12 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo2(struct dcesrv_call_state *dce_call q.in.start_idx = r->in.start_idx; q.in.max_entries = r->in.max_entries; q.in.buf_size = r->in.buf_size; - ZERO_STRUCT(q.out); + q.out.total_size = r->out.total_size; + q.out.returned_size = r->out.returned_size; + q.out.info = r->out.info; result = dcesrv_samr_QueryDisplayInfo(dce_call, mem_ctx, &q); - r->out.total_size = q.out.total_size; - r->out.returned_size = q.out.returned_size; - r->out.info = q.out.info; - return result; } @@ -4090,14 +4115,12 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo3(struct dcesrv_call_state *dce_call q.in.start_idx = r->in.start_idx; q.in.max_entries = r->in.max_entries; q.in.buf_size = r->in.buf_size; - ZERO_STRUCT(q.out); + q.out.total_size = r->out.total_size; + q.out.returned_size = r->out.returned_size; + q.out.info = r->out.info; result = dcesrv_samr_QueryDisplayInfo(dce_call, mem_ctx, &q); - r->out.total_size = q.out.total_size; - r->out.returned_size = q.out.returned_size; - r->out.info = q.out.info; - return result; } @@ -4138,7 +4161,7 @@ static NTSTATUS dcesrv_samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TAL const char * const attrs[] = {"minPwdLength", "pwdProperties", NULL }; struct ldb_context *sam_ctx; - ZERO_STRUCT(r->out.info); + ZERO_STRUCTP(r->out.info); sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { @@ -4156,8 +4179,8 @@ static NTSTATUS dcesrv_samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_INTERNAL_DB_CORRUPTION; } - r->out.info.min_password_length = samdb_result_uint(msgs[0], "minPwdLength", 0); - r->out.info.password_properties = samdb_result_uint(msgs[0], "pwdProperties", 1); + r->out.info->min_password_length = samdb_result_uint(msgs[0], "minPwdLength", 0); + r->out.info->password_properties = samdb_result_uint(msgs[0], "pwdProperties", 1); talloc_free(msgs); @@ -4267,9 +4290,9 @@ static NTSTATUS dcesrv_samr_Connect5(struct dcesrv_call_state *dce_call, TALLOC_ status = dcesrv_samr_Connect(dce_call, mem_ctx, &c); - r->out.info->info1.client_version = SAMR_CONNECT_AFTER_W2K; - r->out.info->info1.unknown2 = 0; - r->out.level = r->in.level; + r->out.info_out->info1.client_version = SAMR_CONNECT_AFTER_W2K; + r->out.info_out->info1.unknown2 = 0; + *r->out.level_out = r->in.level_in; return status; } @@ -4289,8 +4312,8 @@ static NTSTATUS dcesrv_samr_RidToSid(struct dcesrv_call_state *dce_call, TALLOC_ d_state = h->data; /* form the users SID */ - r->out.sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid); - if (!r->out.sid) { + *r->out.sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid); + if (!*r->out.sid) { return NT_STATUS_NO_MEMORY; } diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 1eb6a4f37c..ff8215a673 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -352,7 +352,8 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, uint8_t new_nt_hash[16], new_lm_hash[16]; struct samr_Password nt_verifier, lm_verifier; - ZERO_STRUCT(r->out); + *r->out.dominfo = NULL; + *r->out.reject = NULL; if (r->in.nt_password == NULL || r->in.nt_verifier == NULL) { @@ -495,8 +496,8 @@ failed: talloc_free(sam_ctx); reject = talloc(mem_ctx, struct samr_ChangeReject); - r->out.dominfo = dominfo; - r->out.reject = reject; + *r->out.dominfo = dominfo; + *r->out.reject = reject; if (reject == NULL) { return status; @@ -518,6 +519,8 @@ NTSTATUS dcesrv_samr_ChangePasswordUser2(struct dcesrv_call_state *dce_call, TAL struct samr_ChangePasswordUser2 *r) { struct samr_ChangePasswordUser3 r2; + struct samr_DomInfo1 *dominfo = NULL; + struct samr_ChangeReject *reject = NULL; r2.in.server = r->in.server; r2.in.account = r->in.account; @@ -527,6 +530,8 @@ NTSTATUS dcesrv_samr_ChangePasswordUser2(struct dcesrv_call_state *dce_call, TAL r2.in.lm_password = r->in.lm_password; r2.in.lm_verifier = r->in.lm_verifier; r2.in.password3 = NULL; + r2.out.dominfo = &dominfo; + r2.out.reject = &reject; return dcesrv_samr_ChangePasswordUser3(dce_call, mem_ctx, &r2); } diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c index f168614ad5..bb4d6bdaf2 100644 --- a/source4/rpc_server/service_rpc.c +++ b/source4/rpc_server/service_rpc.c @@ -27,6 +27,7 @@ #include "auth/gensec/gensec.h" #include "../lib/util/dlinklist.h" #include "rpc_server/dcerpc_server.h" +#include "rpc_server/dcerpc_server_proto.h" #include "lib/events/events.h" #include "smbd/service_task.h" #include "smbd/service_stream.h" @@ -139,6 +140,10 @@ static void dcesrv_sock_accept(struct stream_connection *srv_conn) dcesrv_conn->transport.get_my_addr = dcesrv_sock_get_my_addr; dcesrv_conn->transport.get_peer_addr = dcesrv_sock_get_peer_addr; + if (dcesrv_sock->endpoint->ep_description->transport == NCACN_NP) { + dcesrv_conn->auth_state.session_key = dcesrv_inherited_session_key; + } + srv_conn->private = dcesrv_conn; irpc_add_name(srv_conn->msg_ctx, "rpc_server"); @@ -287,12 +292,10 @@ static NTSTATUS dcesrv_add_ep_ncalrpc(struct dcesrv_context *dce_ctx, return status; } - -/* - add a socket address to the list of events, one event per dcerpc endpoint -*/ -static NTSTATUS add_socket_rpc_pipe_iface(struct dcesrv_context *dce_ctx, struct dcesrv_endpoint *e, - struct event_context *event_ctx, const struct model_ops *model_ops) +static NTSTATUS dcesrv_add_ep_np(struct dcesrv_context *dce_ctx, + struct loadparm_context *lp_ctx, + struct dcesrv_endpoint *e, + struct event_context *event_ctx, const struct model_ops *model_ops) { struct dcesrv_socket_context *dcesrv_sock; NTSTATUS status; @@ -309,30 +312,16 @@ static NTSTATUS add_socket_rpc_pipe_iface(struct dcesrv_context *dce_ctx, struct dcesrv_sock->endpoint = e; dcesrv_sock->dcesrv_ctx = talloc_reference(dcesrv_sock, dce_ctx); - status = NT_STATUS_OK; -#if 0 - - status = stream_setup_smb_pipe(event_ctx, model_ops, &dcesrv_stream_ops, - e->ep_description->endpoint, dcesrv_sock); + status = stream_setup_named_pipe(event_ctx, lp_ctx, + model_ops, &dcesrv_stream_ops, + e->ep_description->endpoint, dcesrv_sock); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("service_setup_stream_socket(path=%s) failed - %s\n", + DEBUG(0,("stream_setup_named_pipe(pipe=%s) failed - %s\n", e->ep_description->endpoint, nt_errstr(status))); + return status; } -#endif - return status; -} - -static NTSTATUS dcesrv_add_ep_np(struct dcesrv_context *dce_ctx, - struct loadparm_context *lp_ctx, - struct dcesrv_endpoint *e, - struct event_context *event_ctx, const struct model_ops *model_ops) -{ - NTSTATUS status; - - status = add_socket_rpc_pipe_iface(dce_ctx, e, event_ctx, model_ops); - NT_STATUS_NOT_OK_RETURN(status); - return status; + return NT_STATUS_OK; } /* diff --git a/source4/selftest/knownfail b/source4/selftest/knownfail index f99db4fb1b..9649a1f644 100644 --- a/source4/selftest/knownfail +++ b/source4/selftest/knownfail @@ -35,6 +35,7 @@ rpc.netlogon.*.DsRAddressToSitenamesW rpc.netlogon.*.DsRAddressToSitenamesExW rpc.netlogon.*.GetPassword rpc.netlogon.*.GetTrustPasswords +rpc.netlogon.*.DatabaseRedo base.charset.*.Testing partial surrogate .*net.api.delshare.* # DelShare isn't implemented yet rap.*netservergetinfo diff --git a/source4/selftest/skip b/source4/selftest/skip index e3e2d2d525..f1500ff315 100644 --- a/source4/selftest/skip +++ b/source4/selftest/skip @@ -23,6 +23,7 @@ base.scan.maxfid raw.hold.oplock # Not a test, but a way to block other clients for a test raw.ping.pong # Needs second server to test rpc.samr_accessmask +samba4.rpc.samr.passwords.pwdlastset # Not provided by Samba 4 yet raw.scan.eamax samba4.ntvfs.cifs.raw.qfileinfo.ipc smb2.notify @@ -49,6 +50,7 @@ rpc.initshutdown # Not provided by Samba 4 rpc.svcctl # Not provided by Samba 4 rpc.atsvc # Not provided by Samba 4 rpc.frsapi # Not provided by Samba 4 +rpc.ntsvcs # Not provided by Samba 4 ^samba4.base.samba3.* # Samba3-specific test ^samba4.ntvfs.cifs.base.samba3.* # Samba3-specific test ^samba4.raw.samba3.* # Samba3-specific test diff --git a/source4/setup/schema-map-fedora-ds-1.0 b/source4/setup/schema-map-fedora-ds-1.0 index e55ef0a9e7..74d9e2ac5a 100644 --- a/source4/setup/schema-map-fedora-ds-1.0 +++ b/source4/setup/schema-map-fedora-ds-1.0 @@ -23,9 +23,9 @@ aci 1.2.840.113556.1.4.906:1.3.6.1.4.1.1466.115.121.1.27 #This case insensitive string isn't available 1.2.840.113556.1.4.905:1.3.6.1.4.1.1466.115.121.1.15 -#This type of DN isn't in OpenLDAP -1.2.840.113556.1.4.903:1.3.6.1.4.1.1466.115.121.1.12 #Treat Security Descriptors as binary 1.2.840.113556.1.4.907:1.3.6.1.4.1.1466.115.121.1.40 #NumbericString is not supported in Fedora DS 1.0, map to a directory string 1.3.6.1.4.1.1466.115.121.1.36:1.3.6.1.4.1.1466.115.121.1.15 +#Treat Object(DN-Binary) as a binary blob +1.2.840.113556.1.4.903:1.3.6.1.4.1.1466.115.121.1.40 diff --git a/source4/setup/schema-map-openldap-2.3 b/source4/setup/schema-map-openldap-2.3 index 7de2e67b5e..bff1695c8f 100644 --- a/source4/setup/schema-map-openldap-2.3 +++ b/source4/setup/schema-map-openldap-2.3 @@ -35,10 +35,10 @@ modifyTimeStamp:samba4ModifyTimestamp 1.2.840.113556.1.4.906:1.3.6.1.4.1.1466.115.121.1.27 #This case insensitive string isn't available 1.2.840.113556.1.4.905:1.3.6.1.4.1.1466.115.121.1.44 -#This type of DN isn't in OpenLDAP -1.2.840.113556.1.4.903:1.3.6.1.4.1.1466.115.121.1.12 #Treat Security Descriptors as binary 1.2.840.113556.1.4.907:1.3.6.1.4.1.1466.115.121.1.40 #Treat OIDs as case insensitive strings (as otherwise ldap class and #attribute names, declared at OIDs fail 1.3.6.1.4.1.1466.115.121.1.38:1.3.6.1.4.1.1466.115.121.1.44 +#Treat Object(DN-Binary) as a binary blob +1.2.840.113556.1.4.903:1.3.6.1.4.1.1466.115.121.1.40 diff --git a/source4/smbd/config.mk b/source4/smbd/config.mk index b5babd4d69..63105d368c 100644 --- a/source4/smbd/config.mk +++ b/source4/smbd/config.mk @@ -2,11 +2,12 @@ [SUBSYSTEM::service] PRIVATE_DEPENDENCIES = \ - MESSAGING samba-socket + MESSAGING samba-socket NDR_NAMED_PIPE_AUTH service_OBJ_FILES = $(addprefix $(smbdsrcdir)/, \ service.o \ service_stream.o \ + service_named_pipe.o \ service_task.o) $(eval $(call proto_header_template,$(smbdsrcdir)/service_proto.h,$(service_OBJ_FILES:.o=.c))) diff --git a/source4/smbd/service_named_pipe.c b/source4/smbd/service_named_pipe.c new file mode 100644 index 0000000000..b2b102c01f --- /dev/null +++ b/source4/smbd/service_named_pipe.c @@ -0,0 +1,366 @@ +/* + Unix SMB/CIFS implementation. + + helper functions for NAMED PIPE servers + + Copyright (C) Stefan (metze) Metzmacher 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "lib/socket/socket.h" +#include "smbd/service.h" +#include "param/param.h" +#include "auth/session.h" +#include "lib/stream/packet.h" +#include "librpc/gen_ndr/ndr_named_pipe_auth.h" +#include "system/passwd.h" + +struct named_pipe_socket { + const char *pipe_name; + const char *pipe_path; + const struct stream_server_ops *ops; + void *private_data; +}; + +struct named_pipe_connection { + struct stream_connection *connection; + struct packet_context *packet; + const struct named_pipe_socket *pipe_sock; + NTSTATUS status; +}; + +static void named_pipe_handover_connection(void *private_data) +{ + struct named_pipe_connection *pipe_conn = talloc_get_type( + private_data, struct named_pipe_connection); + struct stream_connection *conn = pipe_conn->connection; + + EVENT_FD_NOT_WRITEABLE(conn->event.fde); + + if (!NT_STATUS_IS_OK(pipe_conn->status)) { + stream_terminate_connection(conn, nt_errstr(pipe_conn->status)); + return; + } + + /* + * remove the named_pipe layer together with its packet layer + */ + conn->ops = pipe_conn->pipe_sock->ops; + conn->private = pipe_conn->pipe_sock->private_data; + talloc_free(pipe_conn); + + /* we're now ready to start receiving events on this stream */ + EVENT_FD_READABLE(conn->event.fde); + + /* + * hand over to the real pipe implementation, + * now that we have setup the transport session_info + */ + conn->ops->accept_connection(conn); + + DEBUG(10,("named_pipe_handover_connection[%s]: succeeded\n", + conn->ops->name)); +} + +static NTSTATUS named_pipe_recv_auth_request(void *private_data, + DATA_BLOB req_blob) +{ + struct named_pipe_connection *pipe_conn = talloc_get_type( + private_data, struct named_pipe_connection); + struct stream_connection *conn = pipe_conn->connection; + enum ndr_err_code ndr_err; + struct named_pipe_auth_req req; + union netr_Validation val; + struct auth_serversupplied_info *server_info; + struct named_pipe_auth_rep rep; + DATA_BLOB rep_blob; + NTSTATUS status; + + /* + * make sure nothing happens on the socket untill the + * real implemenation takes over + */ + packet_recv_disable(pipe_conn->packet); + + /* + * TODO: check it's a root (uid == 0) pipe + */ + + ZERO_STRUCT(rep); + rep.level = 0; + rep.status = NT_STATUS_INTERNAL_ERROR; + + DEBUG(10,("named_pipe_auth: req_blob.length[%u]\n", + (unsigned int)req_blob.length)); + dump_data(10, req_blob.data, req_blob.length); + + /* parse the passed credentials */ + ndr_err = ndr_pull_struct_blob_all( + &req_blob, + pipe_conn, + lp_iconv_convenience(conn->lp_ctx), + &req, + (ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_req); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + rep.status = ndr_map_error2ntstatus(ndr_err); + DEBUG(2, ("Could not unmarshall named_pipe_auth_req: %s\n", + nt_errstr(rep.status))); + goto reply; + } + + if (strcmp(NAMED_PIPE_AUTH_MAGIC, req.magic) != 0) { + DEBUG(2, ("named_pipe_auth_req: invalid magic '%s' != %s\n", + req.magic, NAMED_PIPE_AUTH_MAGIC)); + rep.status = NT_STATUS_INVALID_PARAMETER; + goto reply; + } + + switch (req.level) { + case 0: + /* + * anon connection, we don't create a session info + * and leave it NULL + */ + rep.level = 0; + rep.status = NT_STATUS_OK; + break; + case 1: + val.sam3 = &req.info.info1; + + rep.level = 1; + rep.status = make_server_info_netlogon_validation(pipe_conn, + "TODO", + 3, &val, + &server_info); + if (!NT_STATUS_IS_OK(rep.status)) { + DEBUG(2, ("make_server_info_netlogon_validation returned " + "%s\n", nt_errstr(rep.status))); + goto reply; + } + + /* setup the session_info on the connection */ + rep.status = auth_generate_session_info(conn, + conn->event.ctx, + conn->lp_ctx, + server_info, + &conn->session_info); + if (!NT_STATUS_IS_OK(rep.status)) { + DEBUG(2, ("auth_generate_session_info failed: %s\n", + nt_errstr(rep.status))); + goto reply; + } + + break; + default: + DEBUG(2, ("named_pipe_auth_req: unknown level %u\n", + req.level)); + rep.level = 0; + rep.status = NT_STATUS_INVALID_LEVEL; + goto reply; + } + +reply: + /* create the output */ + ndr_err = ndr_push_struct_blob(&rep_blob, pipe_conn, + lp_iconv_convenience(conn->lp_ctx), + &rep, + (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_rep); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(2, ("Could not marshall named_pipe_auth_rep: %s\n", + nt_errstr(status))); + return status; + } + + pipe_conn->status = rep.status; + + DEBUG(10,("named_pipe_auth reply[%u]\n", rep_blob.length)); + dump_data(10, rep_blob.data, rep_blob.length); + status = packet_send_callback(pipe_conn->packet, rep_blob, + named_pipe_handover_connection, + pipe_conn); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("packet_send_callback returned %s\n", + nt_errstr(status))); + return status; + } + + return NT_STATUS_OK; +} + +/* + called when a pipe socket becomes readable +*/ +static void named_pipe_recv(struct stream_connection *conn, uint16_t flags) +{ + struct named_pipe_connection *pipe_conn = talloc_get_type( + conn->private, struct named_pipe_connection); + + DEBUG(10,("named_pipe_recv\n")); + + packet_recv(pipe_conn->packet); +} + +/* + called when a pipe socket becomes writable +*/ +static void named_pipe_send(struct stream_connection *conn, uint16_t flags) +{ + struct named_pipe_connection *pipe_conn = talloc_get_type( + conn->private, struct named_pipe_connection); + + packet_queue_run(pipe_conn->packet); +} + +/* + handle socket recv errors +*/ +static void named_pipe_recv_error(void *private_data, NTSTATUS status) +{ + struct named_pipe_connection *pipe_conn = talloc_get_type( + private_data, struct named_pipe_connection); + + stream_terminate_connection(pipe_conn->connection, nt_errstr(status)); +} + +static NTSTATUS named_pipe_full_request(void *private, DATA_BLOB blob, size_t *size) +{ + if (blob.length < 8) { + return STATUS_MORE_ENTRIES; + } + + if (memcmp(NAMED_PIPE_AUTH_MAGIC, &blob.data[4], 4) != 0) { + DEBUG(0,("named_pipe_full_request: wrong protocol\n")); + *size = blob.length; + /* the error will be handled in named_pipe_recv_auth_request */ + return NT_STATUS_OK; + } + + *size = 4 + RIVAL(blob.data, 0); + if (*size > blob.length) { + return STATUS_MORE_ENTRIES; + } + + return NT_STATUS_OK; +} + +static void named_pipe_accept(struct stream_connection *conn) +{ + struct named_pipe_socket *pipe_sock = talloc_get_type( + conn->private, struct named_pipe_socket); + struct named_pipe_connection *pipe_conn; + + DEBUG(5,("named_pipe_accept\n")); + + pipe_conn = talloc_zero(conn, struct named_pipe_connection); + if (!pipe_conn) { + stream_terminate_connection(conn, "out of memory"); + return; + } + + pipe_conn->packet = packet_init(pipe_conn); + if (!pipe_conn->packet) { + stream_terminate_connection(conn, "out of memory"); + return; + } + packet_set_private(pipe_conn->packet, pipe_conn); + packet_set_socket(pipe_conn->packet, conn->socket); + packet_set_callback(pipe_conn->packet, named_pipe_recv_auth_request); + packet_set_full_request(pipe_conn->packet, named_pipe_full_request); + packet_set_error_handler(pipe_conn->packet, named_pipe_recv_error); + packet_set_event_context(pipe_conn->packet, conn->event.ctx); + packet_set_fde(pipe_conn->packet, conn->event.fde); + packet_set_serialise(pipe_conn->packet); + packet_set_initial_read(pipe_conn->packet, 8); + + pipe_conn->pipe_sock = pipe_sock; + + pipe_conn->connection = conn; + conn->private = pipe_conn; +} + +static const struct stream_server_ops named_pipe_stream_ops = { + .name = "named_pipe", + .accept_connection = named_pipe_accept, + .recv_handler = named_pipe_recv, + .send_handler = named_pipe_send, +}; + +NTSTATUS stream_setup_named_pipe(struct event_context *event_context, + struct loadparm_context *lp_ctx, + const struct model_ops *model_ops, + const struct stream_server_ops *stream_ops, + const char *pipe_name, + void *private_data) +{ + char *dirname; + struct named_pipe_socket *pipe_sock; + NTSTATUS status = NT_STATUS_NO_MEMORY;; + + pipe_sock = talloc(event_context, struct named_pipe_socket); + if (pipe_sock == NULL) { + goto fail; + } + + /* remember the details about the pipe */ + pipe_sock->pipe_name = talloc_strdup(pipe_sock, pipe_name); + if (pipe_sock->pipe_name == NULL) { + goto fail; + } + + dirname = talloc_asprintf(pipe_sock, "%s/np", lp_ncalrpc_dir(lp_ctx)); + if (dirname == NULL) { + goto fail; + } + + if (!directory_create_or_exist(dirname, geteuid(), 0700)) { + status = map_nt_error_from_unix(errno); + goto fail; + } + + if (strncmp(pipe_name, "\\pipe\\", 6) == 0) { + pipe_name += 6; + } + + pipe_sock->pipe_path = talloc_asprintf(pipe_sock, "%s/%s", dirname, + pipe_name); + if (pipe_sock->pipe_path == NULL) { + goto fail; + } + + talloc_free(dirname); + + pipe_sock->ops = stream_ops; + pipe_sock->private_data = talloc_reference(pipe_sock, private_data); + + status = stream_setup_socket(event_context, + lp_ctx, + model_ops, + &named_pipe_stream_ops, + "unix", + pipe_sock->pipe_path, + NULL, + NULL, + pipe_sock); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + return NT_STATUS_OK; + + fail: + talloc_free(pipe_sock); + return status; +} diff --git a/source4/torture/config.mk b/source4/torture/config.mk index 8b12f36f95..4b4664f101 100644 --- a/source4/torture/config.mk +++ b/source4/torture/config.mk @@ -1,6 +1,6 @@ [SUBSYSTEM::TORTURE_UTIL] PRIVATE_DEPENDENCIES = LIBCLI_RAW -PUBLIC_DEPENDENCIES = POPT_CREDENTIALS +PUBLIC_DEPENDENCIES = torture POPT_CREDENTIALS TORTURE_UTIL_OBJ_FILES = $(addprefix $(torturesrcdir)/, util_smb.o) @@ -89,6 +89,7 @@ mkinclude smb2/config.mk mkinclude winbind/config.mk [SUBSYSTEM::TORTURE_NDR] +PRIVATE_DEPENDENCIES = torture TORTURE_NDR_OBJ_FILES = $(addprefix $(torturesrcdir)/ndr/, ndr.o winreg.o atsvc.o lsa.o epmap.o dfs.o netlogon.o drsuapi.o spoolss.o samr.o) @@ -105,7 +106,7 @@ PRIVATE_DEPENDENCIES = \ RPC_NDR_NETLOGON dcerpc_atsvc dcerpc_mgmt RPC_NDR_DRSUAPI \ RPC_NDR_LSA RPC_NDR_EPMAPPER RPC_NDR_DFS RPC_NDR_FRSAPI RPC_NDR_SPOOLSS \ RPC_NDR_SRVSVC RPC_NDR_WKSSVC RPC_NDR_ROT RPC_NDR_DSSETUP \ - RPC_NDR_REMACT RPC_NDR_OXIDRESOLVER WB_HELPER LIBSAMBA-NET \ + RPC_NDR_REMACT RPC_NDR_OXIDRESOLVER RPC_NDR_NTSVCS WB_HELPER LIBSAMBA-NET \ LIBCLI_AUTH POPT_CREDENTIALS TORTURE_LDAP TORTURE_UTIL TORTURE_RAP \ dcerpc_server service process_model ntvfs SERVICE_SMB @@ -116,7 +117,7 @@ torture_rpc_OBJ_FILES = $(addprefix $(torturesrcdir)/rpc/, \ eventlog.o epmapper.o winreg.o initshutdown.o oxidresolve.o remact.o mgmt.o \ scanner.o autoidl.o countcalls.o testjoin.o schannel.o netlogon.o remote_pac.o samlogon.o \ samsync.o bind.o dssetup.o alter_context.o bench.o samba3rpc.o rpc.o async_bind.o \ - handles.o frsapi.o object_uuid.o) + handles.o frsapi.o object_uuid.o ntsvcs.o) $(eval $(call proto_header_template,$(torturesrcdir)/rpc/proto.h,$(torture_rpc_OBJ_FILES:.o=.c))) @@ -139,7 +140,7 @@ $(eval $(call proto_header_template,$(torturesrcdir)/rap/proto.h,$(TORTURE_RAP_O SUBSYSTEM = smbtorture PRIVATE_DEPENDENCIES = \ LIBCLI_SMB gensec auth KERBEROS \ - POPT_CREDENTIALS SMBPASSWD + POPT_CREDENTIALS SMBPASSWD torture # End SUBSYSTEM TORTURE_AUTH ################################# @@ -181,7 +182,7 @@ $(eval $(call proto_header_template,$(torturesrcdir)/unix/proto.h,$(TORTURE_UNIX SUBSYSTEM = smbtorture INIT_FUNCTION = torture_ldap_init PRIVATE_DEPENDENCIES = \ - LIBCLI_LDAP LIBCLI_CLDAP SAMDB POPT_CREDENTIALS + LIBCLI_LDAP LIBCLI_CLDAP SAMDB POPT_CREDENTIALS torture # End SUBSYSTEM TORTURE_LDAP ################################# diff --git a/source4/torture/libnet/libnet_domain.c b/source4/torture/libnet/libnet_domain.c index 7d5be368c2..3c28d1a019 100644 --- a/source4/torture/libnet/libnet_domain.c +++ b/source4/torture/libnet/libnet_domain.c @@ -35,12 +35,13 @@ static bool test_opendomain_samr(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct policy_handle *handle, struct lsa_String *domname, - uint32_t *access_mask, struct dom_sid **sid) + uint32_t *access_mask, struct dom_sid **sid_p) { NTSTATUS status; struct policy_handle h, domain_handle; struct samr_Connect r1; struct samr_LookupDomain r2; + struct dom_sid2 *sid = NULL; struct samr_OpenDomain r3; printf("connecting\n"); @@ -59,6 +60,7 @@ static bool test_opendomain_samr(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r2.in.connect_handle = &h; r2.in.domain_name = domname; + r2.out.sid = &sid; printf("domain lookup on %s\n", domname->string); @@ -70,7 +72,7 @@ static bool test_opendomain_samr(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r3.in.connect_handle = &h; r3.in.access_mask = *access_mask; - r3.in.sid = *sid = r2.out.sid; + r3.in.sid = *sid_p = *r2.out.sid; r3.out.domain_handle = &domain_handle; printf("opening domain\n"); diff --git a/source4/torture/libnet/libnet_group.c b/source4/torture/libnet/libnet_group.c index 12b8167a86..9c9ecfd525 100644 --- a/source4/torture/libnet/libnet_group.c +++ b/source4/torture/libnet/libnet_group.c @@ -42,12 +42,15 @@ static bool test_cleanup(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct lsa_String names[2]; uint32_t rid; struct policy_handle group_handle; + struct samr_Ids rids, types; names[0].string = groupname; r1.in.domain_handle = domain_handle; r1.in.num_names = 1; r1.in.names = names; + r1.out.rids = &rids; + r1.out.types = &types; printf("group account lookup '%s'\n", groupname); @@ -57,7 +60,7 @@ static bool test_cleanup(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return false; } - rid = r1.out.rids.ids[0]; + rid = r1.out.rids->ids[0]; r2.in.domain_handle = domain_handle; r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; @@ -139,6 +142,7 @@ static bool test_opendomain(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct policy_handle h, domain_handle; struct samr_Connect r1; struct samr_LookupDomain r2; + struct dom_sid2 *sid = NULL; struct samr_OpenDomain r3; printf("connecting\n"); @@ -155,6 +159,7 @@ static bool test_opendomain(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r2.in.connect_handle = &h; r2.in.domain_name = domname; + r2.out.sid = &sid; printf("domain lookup on %s\n", domname->string); @@ -166,7 +171,7 @@ static bool test_opendomain(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r3.in.connect_handle = &h; r3.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - r3.in.sid = r2.out.sid; + r3.in.sid = *r2.out.sid; r3.out.domain_handle = &domain_handle; printf("opening domain\n"); diff --git a/source4/torture/libnet/libnet_user.c b/source4/torture/libnet/libnet_user.c index 6d3e682976..18007dccad 100644 --- a/source4/torture/libnet/libnet_user.c +++ b/source4/torture/libnet/libnet_user.c @@ -40,12 +40,15 @@ static bool test_cleanup(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct lsa_String names[2]; uint32_t rid; struct policy_handle user_handle; + struct samr_Ids rids, types; names[0].string = username; r1.in.domain_handle = domain_handle; r1.in.num_names = 1; r1.in.names = names; + r1.out.rids = &rids; + r1.out.types = &types; printf("user account lookup '%s'\n", username); @@ -55,7 +58,7 @@ static bool test_cleanup(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return false; } - rid = r1.out.rids.ids[0]; + rid = r1.out.rids->ids[0]; r2.in.domain_handle = domain_handle; r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; @@ -92,6 +95,7 @@ static bool test_opendomain(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct policy_handle h, domain_handle; struct samr_Connect r1; struct samr_LookupDomain r2; + struct dom_sid2 *sid = NULL; struct samr_OpenDomain r3; printf("connecting\n"); @@ -108,6 +112,7 @@ static bool test_opendomain(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r2.in.connect_handle = &h; r2.in.domain_name = domname; + r2.out.sid = &sid; printf("domain lookup on %s\n", domname->string); @@ -119,7 +124,7 @@ static bool test_opendomain(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r3.in.connect_handle = &h; r3.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - r3.in.sid = r2.out.sid; + r3.in.sid = *r2.out.sid; r3.out.domain_handle = &domain_handle; printf("opening domain\n"); diff --git a/source4/torture/libnet/utils.c b/source4/torture/libnet/utils.c index 54c5f2c29c..942540c80e 100644 --- a/source4/torture/libnet/utils.c +++ b/source4/torture/libnet/utils.c @@ -32,12 +32,13 @@ bool test_opendomain(struct torture_context *tctx, struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct policy_handle *handle, struct lsa_String *domname, - struct dom_sid2 *sid) + struct dom_sid2 *sid_p) { NTSTATUS status; struct policy_handle h, domain_handle; struct samr_Connect r1; struct samr_LookupDomain r2; + struct dom_sid2 *sid = NULL; struct samr_OpenDomain r3; torture_comment(tctx, "connecting\n"); @@ -51,6 +52,7 @@ bool test_opendomain(struct torture_context *tctx, r2.in.connect_handle = &h; r2.in.domain_name = domname; + r2.out.sid = &sid; torture_comment(tctx, "domain lookup on %s\n", domname->string); @@ -59,7 +61,7 @@ bool test_opendomain(struct torture_context *tctx, r3.in.connect_handle = &h; r3.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - r3.in.sid = r2.out.sid; + r3.in.sid = *r2.out.sid; r3.out.domain_handle = &domain_handle; torture_comment(tctx, "opening domain\n"); @@ -68,7 +70,7 @@ bool test_opendomain(struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, status, "OpenDomain failed"); *handle = domain_handle; - *sid = *r2.out.sid; + *sid_p = **r2.out.sid; return true; } @@ -84,19 +86,22 @@ bool test_user_cleanup(struct torture_context *tctx, struct dcerpc_pipe *p, struct lsa_String names[2]; uint32_t rid; struct policy_handle user_handle; + struct samr_Ids rids, types; names[0].string = name; r1.in.domain_handle = domain_handle; r1.in.num_names = 1; r1.in.names = names; + r1.out.rids = &rids; + r1.out.types = &types; torture_comment(tctx, "user account lookup '%s'\n", name); status = dcerpc_samr_LookupNames(p, mem_ctx, &r1); torture_assert_ntstatus_ok(tctx, status, "LookupNames failed"); - rid = r1.out.rids.ids[0]; + rid = r1.out.rids->ids[0]; r2.in.domain_handle = domain_handle; r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; @@ -174,12 +179,15 @@ bool test_group_cleanup(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct lsa_String names[2]; uint32_t rid; struct policy_handle group_handle; + struct samr_Ids rids, types; names[0].string = name; r1.in.domain_handle = domain_handle; r1.in.num_names = 1; r1.in.names = names; + r1.out.rids = &rids; + r1.out.types = &types; printf("group account lookup '%s'\n", name); @@ -189,7 +197,7 @@ bool test_group_cleanup(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return false; } - rid = r1.out.rids.ids[0]; + rid = r1.out.rids->ids[0]; r2.in.domain_handle = domain_handle; r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c index 862b96ac17..48dec6e561 100644 --- a/source4/torture/raw/acls.c +++ b/source4/torture/raw/acls.c @@ -1410,7 +1410,9 @@ static bool test_inheritance(struct torture_context *tctx, if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) { - printf("Expected default sd at %d - got:\n", i); + printf("Expected default sd:\n"); + NDR_PRINT_DEBUG(security_descriptor, sd_def); + printf("at %d - got:\n", i); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); } goto check_dir; @@ -1455,7 +1457,9 @@ static bool test_inheritance(struct torture_context *tctx, (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT) || (test_flags[i].parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT))) { if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) { - printf("Expected default sd for dir at %d - got:\n", i); + printf("Expected default sd for dir at %d:\n", i); + NDR_PRINT_DEBUG(security_descriptor, sd_def); + printf("got:\n"); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); } continue; @@ -1469,7 +1473,7 @@ static bool test_inheritance(struct torture_context *tctx, !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee, sd_orig->owner_sid) || q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].dir_flags) { - printf("Bad sd in child dir at %d (parent 0x%x)\n", + printf("(CI & NP) Bad sd in child dir at %d (parent 0x%x)\n", i, test_flags[i].parent_flags); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); ret = false; @@ -1487,7 +1491,7 @@ static bool test_inheritance(struct torture_context *tctx, q.query_secdesc.out.sd->dacl->aces[0].flags != 0 || q.query_secdesc.out.sd->dacl->aces[1].flags != (test_flags[i].dir_flags | SEC_ACE_FLAG_INHERIT_ONLY)) { - printf("Bad sd in child dir at %d (parent 0x%x)\n", + printf("(CI) Bad sd in child dir at %d (parent 0x%x)\n", i, test_flags[i].parent_flags); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); ret = false; @@ -1500,8 +1504,8 @@ static bool test_inheritance(struct torture_context *tctx, !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee, creator_owner) || q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].dir_flags) { - printf("Bad sd in child dir at %d (parent 0x%x)\n", - i, test_flags[i].parent_flags); + printf("(0) Bad sd in child dir at %d (parent 0x%x)\n", + i, test_flags[i].parent_flags); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); ret = false; continue; diff --git a/source4/torture/raw/chkpath.c b/source4/torture/raw/chkpath.c index 68ef8e226d..b66839b997 100644 --- a/source4/torture/raw/chkpath.c +++ b/source4/torture/raw/chkpath.c @@ -18,6 +18,7 @@ */ #include "includes.h" +#include "system/locale.h" #include "torture/torture.h" #include "libcli/raw/libcliraw.h" #include "libcli/raw/raw_proto.h" @@ -267,6 +268,85 @@ done: return ret; } +static bool test_chkpath_names(struct smbcli_state *cli, struct torture_context *tctx) +{ + union smb_chkpath io; + union smb_fileinfo finfo; + NTSTATUS status; + bool ret = true; + uint8_t i; + + /* + * we don't test characters >= 0x80 yet, + * as somehow our client libraries can't do that + */ + for (i=0x01; i <= 0x7F; i++) { + /* + * it's important that we test the last character + * because of the error code with ':' 0x3A + * and servers without stream support + */ + char *path = talloc_asprintf(tctx, "%s\\File0x%02X%c", + BASEDIR, i, i); + NTSTATUS expected; + NTSTATUS expected_dos1; + NTSTATUS expected_dos2; + + expected = NT_STATUS_OBJECT_NAME_NOT_FOUND; + expected_dos1 = NT_STATUS_DOS(ERRDOS,ERRbadpath); + expected_dos2 = NT_STATUS_DOS(ERRDOS,ERRbadfile); + + switch (i) { + case '"':/*0x22*/ + case '*':/*0x2A*/ + case '/':/*0x2F*/ + case ':':/*0x3A*/ + case '<':/*0x3C*/ + case '>':/*0x3E*/ + case '?':/*0x3F*/ + case '|':/*0x7C*/ + if (i == '/' && + torture_setting_bool(tctx, "samba3", true)) { + /* samba 3 handles '/' as '\\' */ + break; + } + expected = NT_STATUS_OBJECT_NAME_INVALID; + expected_dos1 = NT_STATUS_DOS(ERRDOS,ERRbadpath); + expected_dos2 = NT_STATUS_DOS(ERRDOS,ERRinvalidname); + break; + default: + if (i <= 0x1F) { + expected = NT_STATUS_OBJECT_NAME_INVALID; + expected_dos1 = NT_STATUS_DOS(ERRDOS,ERRbadpath); + expected_dos2 = NT_STATUS_DOS(ERRDOS,ERRinvalidname); + } + break; + } + + printf("Checking File0x%02X%c%s expected[%s|%s|%s]\n", + i, isprint(i)?(char)i:' ', + isprint(i)?"":"(not printable)", + nt_errstr(expected), + nt_errstr(expected_dos1), + nt_errstr(expected_dos2)); + + io.chkpath.in.path = path; + status = smb_raw_chkpath(cli->tree, &io); + CHECK_STATUS(status, expected, expected_dos1); + + ZERO_STRUCT(finfo); + finfo.generic.level = RAW_FILEINFO_NAME_INFO; + finfo.generic.in.file.path = path; + status = smb_raw_pathinfo(cli->tree, cli, &finfo); + CHECK_STATUS(status, expected, expected_dos2); + + talloc_free(path); + } + +done: + return ret; +} + /* basic testing of chkpath calls */ @@ -303,6 +383,7 @@ bool torture_raw_chkpath(struct torture_context *torture, } ret &= test_chkpath(cli, torture); + ret &= test_chkpath_names(cli, torture); done: diff --git a/source4/torture/raw/streams.c b/source4/torture/raw/streams.c index 8b2d327653..501da2335e 100644 --- a/source4/torture/raw/streams.c +++ b/source4/torture/raw/streams.c @@ -20,6 +20,7 @@ */ #include "includes.h" +#include "system/locale.h" #include "torture/torture.h" #include "libcli/raw/libcliraw.h" #include "system/filesys.h" @@ -43,6 +44,34 @@ ret = false; \ }} while (0) +#define CHECK_NTTIME(v, correct) do { \ + if ((v) != (correct)) { \ + printf("(%s) Incorrect value %s=%llu - should be %llu\n", \ + __location__, #v, (unsigned long long)v, \ + (unsigned long long)correct); \ + ret = false; \ + }} while (0) + +#define CHECK_STR(v, correct) do { \ + bool ok; \ + if ((v) && !(correct)) { \ + ok = false; \ + } else if (!(v) && (correct)) { \ + ok = false; \ + } else if (!(v) && !(correct)) { \ + ok = true; \ + } else if (strcmp((v), (correct)) == 0) { \ + ok = true; \ + } else { \ + ok = false; \ + } \ + if (!ok) { \ + printf("(%s) Incorrect value %s='%s' - should be '%s'\n", \ + __location__, #v, (v)?(v):"NULL", \ + (correct)?(correct):"NULL"); \ + ret = false; \ + }} while (0) + /* check that a stream has the right contents */ @@ -236,11 +265,7 @@ static bool test_stream_dir(struct torture_context *tctx, io.ntcreatex.in.security_flags = 0; io.ntcreatex.in.fname = basedir_data; status = smb_raw_open(cli->tree, mem_ctx, &io); - if (torture_setting_bool(tctx, "samba3", false)) { - CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND); - } else { - CHECK_STATUS(status, NT_STATUS_FILE_IS_A_DIRECTORY); - } + CHECK_STATUS(status, NT_STATUS_FILE_IS_A_DIRECTORY); printf("(%s) list the streams on the basedir\n", __location__); ret &= check_stream_list(cli, BASEDIR, 0, NULL); @@ -565,16 +590,12 @@ static bool test_stream_delete(struct torture_context *tctx, status = smb_raw_pathinfo(cli->tree, mem_ctx, &finfo); CHECK_STATUS(status, NT_STATUS_DELETE_PENDING); - if (!torture_setting_bool(tctx, "samba3", false)) { - - /* - * S3 doesn't do this yet - */ - - finfo.generic.in.file.path = sname1; - status = smb_raw_pathinfo(cli->tree, mem_ctx, &finfo); - CHECK_STATUS(status, NT_STATUS_DELETE_PENDING); - } + /* + * older S3 doesn't do this + */ + finfo.generic.in.file.path = sname1; + status = smb_raw_pathinfo(cli->tree, mem_ctx, &finfo); + CHECK_STATUS(status, NT_STATUS_DELETE_PENDING); /* * fd-based qfileinfo on the stream still works, the stream does not @@ -587,7 +608,9 @@ static bool test_stream_delete(struct torture_context *tctx, status = smb_raw_fileinfo(cli->tree, mem_ctx, &finfo); CHECK_STATUS(status, NT_STATUS_OK); + /* w2k and w2k3 return 0 and w2k8 returns 1 CHECK_VALUE(finfo.all_info.out.delete_pending, 0); + */ smbcli_close(cli->tree, fnum); @@ -620,6 +643,378 @@ done: return ret; } +/* + test stream names +*/ +static bool test_stream_names(struct torture_context *tctx, + struct smbcli_state *cli, + TALLOC_CTX *mem_ctx) +{ + NTSTATUS status; + union smb_open io; + union smb_fileinfo finfo; + union smb_fileinfo stinfo; + union smb_setfileinfo sinfo; + const char *fname = BASEDIR "\\stream_names.txt"; + const char *sname1, *sname1b, *sname1c, *sname1d; + const char *sname2, *snamew, *snamew2; + const char *snamer1, *snamer2; + bool ret = true; + int fnum1 = -1; + int fnum2 = -1; + int fnum3 = -1; + int i; + const char *four[4] = { + "::$DATA", + ":\x05Stream\n One:$DATA", + ":MStream Two:$DATA", + ":?Stream*:$DATA" + }; + const char *five1[5] = { + "::$DATA", + ":\x05Stream\n One:$DATA", + ":BeforeRename:$DATA", + ":MStream Two:$DATA", + ":?Stream*:$DATA" + }; + const char *five2[5] = { + "::$DATA", + ":\x05Stream\n One:$DATA", + ":AfterRename:$DATA", + ":MStream Two:$DATA", + ":?Stream*:$DATA" + }; + + sname1 = talloc_asprintf(mem_ctx, "%s:%s", fname, "\x05Stream\n One"); + sname1b = talloc_asprintf(mem_ctx, "%s:", sname1); + sname1c = talloc_asprintf(mem_ctx, "%s:$FOO", sname1); + sname1d = talloc_asprintf(mem_ctx, "%s:?D*a", sname1); + sname2 = talloc_asprintf(mem_ctx, "%s:%s:$DaTa", fname, "MStream Two"); + snamew = talloc_asprintf(mem_ctx, "%s:%s:$DATA", fname, "?Stream*"); + snamew2 = talloc_asprintf(mem_ctx, "%s\\stream*:%s:$DATA", BASEDIR, "?Stream*"); + snamer1 = talloc_asprintf(mem_ctx, "%s:%s:$DATA", fname, "BeforeRename"); + snamer2 = talloc_asprintf(mem_ctx, "%s:%s:$DATA", fname, "AfterRename"); + + printf("(%s) testing stream names\n", __location__); + io.generic.level = RAW_OPEN_NTCREATEX; + io.ntcreatex.in.root_fid = 0; + io.ntcreatex.in.flags = 0; + io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA; + io.ntcreatex.in.create_options = 0; + io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; + io.ntcreatex.in.share_access = 0; + io.ntcreatex.in.alloc_size = 0; + io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE; + io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS; + io.ntcreatex.in.security_flags = 0; + io.ntcreatex.in.fname = sname1; + + status = smb_raw_open(cli->tree, mem_ctx, &io); + CHECK_STATUS(status, NT_STATUS_OK); + fnum1 = io.ntcreatex.out.file.fnum; + + /* + * A different stream does not give a sharing violation + */ + + io.ntcreatex.in.fname = sname2; + status = smb_raw_open(cli->tree, mem_ctx, &io); + CHECK_STATUS(status, NT_STATUS_OK); + fnum2 = io.ntcreatex.out.file.fnum; + + /* + * ... whereas the same stream does with unchanged access/share_access + * flags + */ + + io.ntcreatex.in.fname = sname1; + io.ntcreatex.in.open_disposition = NTCREATEX_DISP_SUPERSEDE; + status = smb_raw_open(cli->tree, mem_ctx, &io); + CHECK_STATUS(status, NT_STATUS_SHARING_VIOLATION); + + io.ntcreatex.in.fname = sname1b; + status = smb_raw_open(cli->tree, mem_ctx, &io); + CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_INVALID); + + io.ntcreatex.in.fname = sname1c; + status = smb_raw_open(cli->tree, mem_ctx, &io); + if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { + /* w2k returns INVALID_PARAMETER */ + CHECK_STATUS(status, NT_STATUS_INVALID_PARAMETER); + } else { + CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_INVALID); + } + + io.ntcreatex.in.fname = sname1d; + status = smb_raw_open(cli->tree, mem_ctx, &io); + if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { + /* w2k returns INVALID_PARAMETER */ + CHECK_STATUS(status, NT_STATUS_INVALID_PARAMETER); + } else { + CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_INVALID); + } + + io.ntcreatex.in.fname = sname2; + status = smb_raw_open(cli->tree, mem_ctx, &io); + CHECK_STATUS(status, NT_STATUS_SHARING_VIOLATION); + + io.ntcreatex.in.fname = snamew; + status = smb_raw_open(cli->tree, mem_ctx, &io); + CHECK_STATUS(status, NT_STATUS_OK); + fnum3 = io.ntcreatex.out.file.fnum; + + io.ntcreatex.in.fname = snamew2; + status = smb_raw_open(cli->tree, mem_ctx, &io); + CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_INVALID); + + ret &= check_stream_list(cli, fname, 4, four); + + smbcli_close(cli->tree, fnum1); + smbcli_close(cli->tree, fnum2); + smbcli_close(cli->tree, fnum3); + + if (torture_setting_bool(tctx, "samba4", true)) { + goto done; + } + + finfo.generic.level = RAW_FILEINFO_ALL_INFO; + finfo.generic.in.file.path = fname; + status = smb_raw_pathinfo(cli->tree, mem_ctx, &finfo); + CHECK_STATUS(status, NT_STATUS_OK); + + ret &= check_stream_list(cli, fname, 4, four); + + for (i=0; i < 4; i++) { + NTTIME write_time; + uint64_t stream_size; + char *path = talloc_asprintf(tctx, "%s%s", + fname, four[i]); + + char *rpath = talloc_strdup(path, path); + char *p = strrchr(rpath, ':'); + /* eat :$DATA */ + *p = 0; + p--; + if (*p == ':') { + /* eat ::$DATA */ + *p = 0; + } + printf("(%s): i[%u][%s]\n", __location__, i, path); + io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN; + io.ntcreatex.in.access_mask = SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_WRITE_ATTRIBUTE | + SEC_RIGHTS_FILE_ALL; + io.ntcreatex.in.fname = path; + status = smb_raw_open(cli->tree, mem_ctx, &io); + CHECK_STATUS(status, NT_STATUS_OK); + fnum1 = io.ntcreatex.out.file.fnum; + + finfo.generic.level = RAW_FILEINFO_ALL_INFO; + finfo.generic.in.file.path = fname; + status = smb_raw_pathinfo(cli->tree, mem_ctx, &finfo); + CHECK_STATUS(status, NT_STATUS_OK); + + stinfo.generic.level = RAW_FILEINFO_ALL_INFO; + stinfo.generic.in.file.fnum = fnum1; + status = smb_raw_fileinfo(cli->tree, mem_ctx, &stinfo); + CHECK_STATUS(status, NT_STATUS_OK); + if (!torture_setting_bool(tctx, "samba3", false)) { + CHECK_NTTIME(stinfo.all_info.out.create_time, + finfo.all_info.out.create_time); + CHECK_NTTIME(stinfo.all_info.out.access_time, + finfo.all_info.out.access_time); + CHECK_NTTIME(stinfo.all_info.out.write_time, + finfo.all_info.out.write_time); + CHECK_NTTIME(stinfo.all_info.out.change_time, + finfo.all_info.out.change_time); + } + CHECK_VALUE(stinfo.all_info.out.attrib, + finfo.all_info.out.attrib); + CHECK_VALUE(stinfo.all_info.out.size, + finfo.all_info.out.size); + CHECK_VALUE(stinfo.all_info.out.delete_pending, + finfo.all_info.out.delete_pending); + CHECK_VALUE(stinfo.all_info.out.directory, + finfo.all_info.out.directory); + CHECK_VALUE(stinfo.all_info.out.ea_size, + finfo.all_info.out.ea_size); + + stinfo.generic.level = RAW_FILEINFO_NAME_INFO; + stinfo.generic.in.file.fnum = fnum1; + status = smb_raw_fileinfo(cli->tree, mem_ctx, &stinfo); + CHECK_STATUS(status, NT_STATUS_OK); + if (!torture_setting_bool(tctx, "samba3", false)) { + CHECK_STR(rpath, stinfo.name_info.out.fname.s); + } + + write_time = finfo.all_info.out.write_time; + write_time += i*1000000; + write_time /= 1000000; + write_time *= 1000000; + + ZERO_STRUCT(sinfo); + sinfo.basic_info.level = RAW_SFILEINFO_BASIC_INFO; + sinfo.basic_info.in.file.fnum = fnum1; + sinfo.basic_info.in.write_time = write_time; + sinfo.basic_info.in.attrib = stinfo.all_info.out.attrib; + status = smb_raw_setfileinfo(cli->tree, &sinfo); + CHECK_STATUS(status, NT_STATUS_OK); + + stream_size = i*8192; + + ZERO_STRUCT(sinfo); + sinfo.end_of_file_info.level = RAW_SFILEINFO_END_OF_FILE_INFO; + sinfo.end_of_file_info.in.file.fnum = fnum1; + sinfo.end_of_file_info.in.size = stream_size; + status = smb_raw_setfileinfo(cli->tree, &sinfo); + CHECK_STATUS(status, NT_STATUS_OK); + + stinfo.generic.level = RAW_FILEINFO_ALL_INFO; + stinfo.generic.in.file.fnum = fnum1; + status = smb_raw_fileinfo(cli->tree, mem_ctx, &stinfo); + CHECK_STATUS(status, NT_STATUS_OK); + if (!torture_setting_bool(tctx, "samba3", false)) { + CHECK_NTTIME(stinfo.all_info.out.write_time, + write_time); + CHECK_VALUE(stinfo.all_info.out.attrib, + finfo.all_info.out.attrib); + } + CHECK_VALUE(stinfo.all_info.out.size, + stream_size); + CHECK_VALUE(stinfo.all_info.out.delete_pending, + finfo.all_info.out.delete_pending); + CHECK_VALUE(stinfo.all_info.out.directory, + finfo.all_info.out.directory); + CHECK_VALUE(stinfo.all_info.out.ea_size, + finfo.all_info.out.ea_size); + + ret &= check_stream_list(cli, fname, 4, four); + + smbcli_close(cli->tree, fnum1); + talloc_free(path); + } + + printf("(%s): testing stream renames\n", __location__); + io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE; + io.ntcreatex.in.access_mask = SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_WRITE_ATTRIBUTE | + SEC_RIGHTS_FILE_ALL; + io.ntcreatex.in.fname = snamer1; + status = smb_raw_open(cli->tree, mem_ctx, &io); + CHECK_STATUS(status, NT_STATUS_OK); + fnum1 = io.ntcreatex.out.file.fnum; + + ret &= check_stream_list(cli, fname, 5, five1); + + ZERO_STRUCT(sinfo); + sinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION; + sinfo.rename_information.in.file.fnum = fnum1; + sinfo.rename_information.in.overwrite = true; + sinfo.rename_information.in.root_fid = 0; + sinfo.rename_information.in.new_name = ":AfterRename:$DATA"; + status = smb_raw_setfileinfo(cli->tree, &sinfo); + CHECK_STATUS(status, NT_STATUS_OK); + + ret &= check_stream_list(cli, fname, 5, five2); + + ZERO_STRUCT(sinfo); + sinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION; + sinfo.rename_information.in.file.fnum = fnum1; + sinfo.rename_information.in.overwrite = false; + sinfo.rename_information.in.root_fid = 0; + sinfo.rename_information.in.new_name = ":MStream Two:$DATA"; + status = smb_raw_setfileinfo(cli->tree, &sinfo); + CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_COLLISION); + + ret &= check_stream_list(cli, fname, 5, five2); + + ZERO_STRUCT(sinfo); + sinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION; + sinfo.rename_information.in.file.fnum = fnum1; + sinfo.rename_information.in.overwrite = true; + sinfo.rename_information.in.root_fid = 0; + sinfo.rename_information.in.new_name = ":MStream Two:$DATA"; + status = smb_raw_setfileinfo(cli->tree, &sinfo); + CHECK_STATUS(status, NT_STATUS_INVALID_PARAMETER); + + ret &= check_stream_list(cli, fname, 5, five2); + + /* TODO: we need to test more rename combinations */ + +done: + if (fnum1 != -1) smbcli_close(cli->tree, fnum1); + if (fnum2 != -1) smbcli_close(cli->tree, fnum2); + if (fnum3 != -1) smbcli_close(cli->tree, fnum3); + status = smbcli_unlink(cli->tree, fname); + return ret; +} + +/* + test stream names +*/ +static bool test_stream_names2(struct torture_context *tctx, + struct smbcli_state *cli, + TALLOC_CTX *mem_ctx) +{ + NTSTATUS status; + union smb_open io; + const char *fname = BASEDIR "\\stream_names2.txt"; + bool ret = true; + int fnum1 = -1; + uint8_t i; + + printf("(%s) testing stream names\n", __location__); + io.generic.level = RAW_OPEN_NTCREATEX; + io.ntcreatex.in.root_fid = 0; + io.ntcreatex.in.flags = 0; + io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA; + io.ntcreatex.in.create_options = 0; + io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; + io.ntcreatex.in.share_access = 0; + io.ntcreatex.in.alloc_size = 0; + io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE; + io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS; + io.ntcreatex.in.security_flags = 0; + io.ntcreatex.in.fname = fname; + status = smb_raw_open(cli->tree, mem_ctx, &io); + CHECK_STATUS(status, NT_STATUS_OK); + fnum1 = io.ntcreatex.out.file.fnum; + + for (i=0x01; i < 0x7F; i++) { + char *path = talloc_asprintf(tctx, "%s:Stream%c0x%02X:$DATA", + fname, i, i); + NTSTATUS expected; + + switch (i) { + case '/':/*0x2F*/ + case ':':/*0x3A*/ + case '\\':/*0x5C*/ + expected = NT_STATUS_OBJECT_NAME_INVALID; + break; + default: + expected = NT_STATUS_OBJECT_NAME_NOT_FOUND; + break; + } + + printf("(%s) %s:Stream%c0x%02X:$DATA%s => expected[%s]\n", + __location__, fname, isprint(i)?(char)i:' ', i, + isprint(i)?"":" (not printable)", + nt_errstr(expected)); + + io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN; + io.ntcreatex.in.fname = path; + status = smb_raw_open(cli->tree, mem_ctx, &io); + CHECK_STATUS(status, expected); + + talloc_free(path); + } + +done: + if (fnum1 != -1) smbcli_close(cli->tree, fnum1); + status = smbcli_unlink(cli->tree, fname); + return ret; +} + /* basic testing of streams calls */ @@ -638,6 +1033,10 @@ bool torture_raw_streams(struct torture_context *torture, smb_raw_exit(cli->session); ret &= test_stream_sharemodes(torture, cli, torture); smb_raw_exit(cli->session); + ret &= test_stream_names(torture, cli, torture); + smb_raw_exit(cli->session); + ret &= test_stream_names2(torture, cli, torture); + smb_raw_exit(cli->session); if (!torture_setting_bool(torture, "samba4", false)) { ret &= test_stream_delete(torture, cli, torture); } diff --git a/source4/torture/rpc/eventlog.c b/source4/torture/rpc/eventlog.c index d5665ad07d..e89cdd3ea9 100644 --- a/source4/torture/rpc/eventlog.c +++ b/source4/torture/rpc/eventlog.c @@ -46,12 +46,12 @@ static bool get_policy_handle(struct torture_context *tctx, unknown0.unknown1 = 0x0001; r.in.unknown0 = &unknown0; - init_lsa_String(r.in.logname, "dns server"); - init_lsa_String(r.in.servername, NULL); + init_lsa_String(&logname, "dns server"); + init_lsa_String(&servername, NULL); r.in.logname = &logname; r.in.servername = &servername; - r.in.unknown2 = 0x00000001; - r.in.unknown3 = 0x00000001; + r.in.major_version = 0x00000001; + r.in.minor_version = 0x00000001; r.out.handle = handle; torture_assert_ntstatus_ok(tctx, diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 96cab0bf02..953f9d126d 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -32,8 +32,10 @@ #include "../lib/crypto/crypto.h" #include "libcli/auth/libcli_auth.h" #include "librpc/gen_ndr/ndr_netlogon_c.h" +#include "librpc/gen_ndr/ndr_netlogon.h" #include "librpc/gen_ndr/ndr_lsa_c.h" #include "param/param.h" +#include "libcli/security/security.h" #define TEST_MACHINE_NAME "torturetest" @@ -831,6 +833,538 @@ static bool test_DatabaseDeltas(struct torture_context *tctx, return true; } +static bool test_DatabaseRedo(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *machine_credentials) +{ + NTSTATUS status; + struct netr_DatabaseRedo r; + struct creds_CredentialState *creds; + struct netr_Authenticator credential; + struct netr_Authenticator return_authenticator; + struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; + struct netr_ChangeLogEntry e; + struct dom_sid null_sid, *sid; + int i,d; + + ZERO_STRUCT(null_sid); + + sid = dom_sid_parse_talloc(tctx, "S-1-5-21-1111111111-2222222222-333333333-500"); + + { + + struct { + uint32_t rid; + uint16_t flags; + uint8_t db_index; + uint8_t delta_type; + struct dom_sid sid; + const char *name; + NTSTATUS expected_error; + uint32_t expected_num_results; + uint8_t expected_delta_type_1; + uint8_t expected_delta_type_2; + const char *comment; + } changes[] = { + + /* SAM_DATABASE_DOMAIN */ + + { + .rid = 0, + .flags = 0, + .db_index = SAM_DATABASE_DOMAIN, + .delta_type = NETR_DELTA_MODIFY_COUNT, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, + .expected_num_results = 0, + .comment = "NETR_DELTA_MODIFY_COUNT" + }, + { + .rid = 0, + .flags = 0, + .db_index = SAM_DATABASE_DOMAIN, + .delta_type = 0, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DOMAIN, + .comment = "NULL DELTA" + }, + { + .rid = 0, + .flags = 0, + .db_index = SAM_DATABASE_DOMAIN, + .delta_type = NETR_DELTA_DOMAIN, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DOMAIN, + .comment = "NETR_DELTA_DOMAIN" + }, + { + .rid = DOMAIN_RID_ADMINISTRATOR, + .flags = 0, + .db_index = SAM_DATABASE_DOMAIN, + .delta_type = NETR_DELTA_USER, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_USER, + .comment = "NETR_DELTA_USER by rid 500" + }, + { + .rid = DOMAIN_RID_GUEST, + .flags = 0, + .db_index = SAM_DATABASE_DOMAIN, + .delta_type = NETR_DELTA_USER, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_USER, + .comment = "NETR_DELTA_USER by rid 501" + }, + { + .rid = 0, + .flags = NETR_CHANGELOG_SID_INCLUDED, + .db_index = SAM_DATABASE_DOMAIN, + .delta_type = NETR_DELTA_USER, + .sid = *sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DELETE_USER, + .comment = "NETR_DELTA_USER by sid and flags" + }, + { + .rid = 0, + .flags = NETR_CHANGELOG_SID_INCLUDED, + .db_index = SAM_DATABASE_DOMAIN, + .delta_type = NETR_DELTA_USER, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DELETE_USER, + .comment = "NETR_DELTA_USER by null_sid and flags" + }, + { + .rid = 0, + .flags = NETR_CHANGELOG_NAME_INCLUDED, + .db_index = SAM_DATABASE_DOMAIN, + .delta_type = NETR_DELTA_USER, + .sid = null_sid, + .name = "administrator", + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DELETE_USER, + .comment = "NETR_DELTA_USER by name 'administrator'" + }, + { + .rid = DOMAIN_RID_ADMINS, + .flags = 0, + .db_index = SAM_DATABASE_DOMAIN, + .delta_type = NETR_DELTA_GROUP, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 2, + .expected_delta_type_1 = NETR_DELTA_GROUP, + .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER, + .comment = "NETR_DELTA_GROUP by rid 512" + }, + { + .rid = DOMAIN_RID_ADMINS, + .flags = 0, + .db_index = SAM_DATABASE_DOMAIN, + .delta_type = NETR_DELTA_GROUP_MEMBER, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 2, + .expected_delta_type_1 = NETR_DELTA_GROUP, + .expected_delta_type_2 = NETR_DELTA_GROUP_MEMBER, + .comment = "NETR_DELTA_GROUP_MEMBER by rid 512" + }, + + + /* SAM_DATABASE_BUILTIN */ + + { + .rid = 0, + .flags = 0, + .db_index = SAM_DATABASE_BUILTIN, + .delta_type = NETR_DELTA_MODIFY_COUNT, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, + .expected_num_results = 0, + .comment = "NETR_DELTA_MODIFY_COUNT" + }, + { + .rid = 0, + .flags = 0, + .db_index = SAM_DATABASE_BUILTIN, + .delta_type = NETR_DELTA_DOMAIN, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DOMAIN, + .comment = "NETR_DELTA_DOMAIN" + }, + { + .rid = DOMAIN_RID_ADMINISTRATOR, + .flags = 0, + .db_index = SAM_DATABASE_BUILTIN, + .delta_type = NETR_DELTA_USER, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DELETE_USER, + .comment = "NETR_DELTA_USER by rid 500" + }, + { + .rid = 0, + .flags = 0, + .db_index = SAM_DATABASE_BUILTIN, + .delta_type = NETR_DELTA_USER, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DELETE_USER, + .comment = "NETR_DELTA_USER" + }, + { + .rid = 544, + .flags = 0, + .db_index = SAM_DATABASE_BUILTIN, + .delta_type = NETR_DELTA_ALIAS, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 2, + .expected_delta_type_1 = NETR_DELTA_ALIAS, + .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER, + .comment = "NETR_DELTA_ALIAS by rid 544" + }, + { + .rid = 544, + .flags = 0, + .db_index = SAM_DATABASE_BUILTIN, + .delta_type = NETR_DELTA_ALIAS_MEMBER, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 2, + .expected_delta_type_1 = NETR_DELTA_ALIAS, + .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER, + .comment = "NETR_DELTA_ALIAS_MEMBER by rid 544" + }, + { + .rid = 544, + .flags = 0, + .db_index = SAM_DATABASE_BUILTIN, + .delta_type = 0, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DOMAIN, + .comment = "NULL DELTA by rid 544" + }, + { + .rid = 544, + .flags = NETR_CHANGELOG_SID_INCLUDED, + .db_index = SAM_DATABASE_BUILTIN, + .delta_type = 0, + .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"), + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DOMAIN, + .comment = "NULL DELTA by rid 544 sid S-1-5-32-544 and flags" + }, + { + .rid = 544, + .flags = NETR_CHANGELOG_SID_INCLUDED, + .db_index = SAM_DATABASE_BUILTIN, + .delta_type = NETR_DELTA_ALIAS, + .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"), + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 2, + .expected_delta_type_1 = NETR_DELTA_ALIAS, + .expected_delta_type_2 = NETR_DELTA_ALIAS_MEMBER, + .comment = "NETR_DELTA_ALIAS by rid 544 and sid S-1-5-32-544 and flags" + }, + { + .rid = 0, + .flags = NETR_CHANGELOG_SID_INCLUDED, + .db_index = SAM_DATABASE_BUILTIN, + .delta_type = NETR_DELTA_ALIAS, + .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32-544"), + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DELETE_ALIAS, + .comment = "NETR_DELTA_ALIAS by sid S-1-5-32-544 and flags" + }, + + /* SAM_DATABASE_PRIVS */ + + { + .rid = 0, + .flags = 0, + .db_index = SAM_DATABASE_PRIVS, + .delta_type = 0, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_ACCESS_DENIED, + .expected_num_results = 0, + .comment = "NULL DELTA" + }, + { + .rid = 0, + .flags = 0, + .db_index = SAM_DATABASE_PRIVS, + .delta_type = NETR_DELTA_MODIFY_COUNT, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, + .expected_num_results = 0, + .comment = "NETR_DELTA_MODIFY_COUNT" + }, + { + .rid = 0, + .flags = 0, + .db_index = SAM_DATABASE_PRIVS, + .delta_type = NETR_DELTA_POLICY, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_POLICY, + .comment = "NETR_DELTA_POLICY" + }, + { + .rid = 0, + .flags = NETR_CHANGELOG_SID_INCLUDED, + .db_index = SAM_DATABASE_PRIVS, + .delta_type = NETR_DELTA_POLICY, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_POLICY, + .comment = "NETR_DELTA_POLICY by null sid and flags" + }, + { + .rid = 0, + .flags = NETR_CHANGELOG_SID_INCLUDED, + .db_index = SAM_DATABASE_PRIVS, + .delta_type = NETR_DELTA_POLICY, + .sid = *dom_sid_parse_talloc(tctx, "S-1-5-32"), + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_POLICY, + .comment = "NETR_DELTA_POLICY by sid S-1-5-32 and flags" + }, + { + .rid = DOMAIN_RID_ADMINISTRATOR, + .flags = 0, + .db_index = SAM_DATABASE_PRIVS, + .delta_type = NETR_DELTA_ACCOUNT, + .sid = null_sid, + .name = NULL, + .expected_error = NT_STATUS_SYNCHRONIZATION_REQUIRED, /* strange */ + .expected_num_results = 0, + .comment = "NETR_DELTA_ACCOUNT by rid 500" + }, + { + .rid = 0, + .flags = NETR_CHANGELOG_SID_INCLUDED, + .db_index = SAM_DATABASE_PRIVS, + .delta_type = NETR_DELTA_ACCOUNT, + .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"), + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_ACCOUNT, + .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and flags" + }, + { + .rid = 0, + .flags = NETR_CHANGELOG_SID_INCLUDED | + NETR_CHANGELOG_IMMEDIATE_REPL_REQUIRED, + .db_index = SAM_DATABASE_PRIVS, + .delta_type = NETR_DELTA_ACCOUNT, + .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"), + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_ACCOUNT, + .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and 2 flags" + }, + { + .rid = 0, + .flags = NETR_CHANGELOG_SID_INCLUDED | + NETR_CHANGELOG_NAME_INCLUDED, + .db_index = SAM_DATABASE_PRIVS, + .delta_type = NETR_DELTA_ACCOUNT, + .sid = *dom_sid_parse_talloc(tctx, "S-1-1-0"), + .name = NULL, + .expected_error = NT_STATUS_INVALID_PARAMETER, + .expected_num_results = 0, + .comment = "NETR_DELTA_ACCOUNT by sid S-1-1-0 and invalid flags" + }, + { + .rid = DOMAIN_RID_ADMINISTRATOR, + .flags = NETR_CHANGELOG_SID_INCLUDED, + .db_index = SAM_DATABASE_PRIVS, + .delta_type = NETR_DELTA_ACCOUNT, + .sid = *sid, + .name = NULL, + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DELETE_ACCOUNT, + .comment = "NETR_DELTA_ACCOUNT by rid 500, sid and flags" + }, + { + .rid = 0, + .flags = NETR_CHANGELOG_NAME_INCLUDED, + .db_index = SAM_DATABASE_PRIVS, + .delta_type = NETR_DELTA_SECRET, + .sid = null_sid, + .name = "IsurelydontexistIhope", + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_DELETE_SECRET, + .comment = "NETR_DELTA_SECRET by name 'IsurelydontexistIhope' and flags" + }, + { + .rid = 0, + .flags = NETR_CHANGELOG_NAME_INCLUDED, + .db_index = SAM_DATABASE_PRIVS, + .delta_type = NETR_DELTA_SECRET, + .sid = null_sid, + .name = "G$BCKUPKEY_P", + .expected_error = NT_STATUS_OK, + .expected_num_results = 1, + .expected_delta_type_1 = NETR_DELTA_SECRET, + .comment = "NETR_DELTA_SECRET by name 'G$BCKUPKEY_P' and flags" + } + }; + + ZERO_STRUCT(return_authenticator); + + r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); + r.in.computername = TEST_MACHINE_NAME; + r.in.return_authenticator = &return_authenticator; + r.out.return_authenticator = &return_authenticator; + r.out.delta_enum_array = &delta_enum_array; + + for (d=0; d<3; d++) { + + const char *database; + + switch (d) { + case 0: + database = "SAM"; + break; + case 1: + database = "BUILTIN"; + break; + case 2: + database = "LSA"; + break; + default: + break; + } + + torture_comment(tctx, "Testing DatabaseRedo\n"); + + if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) { + return false; + } + + for (i=0;i<ARRAY_SIZE(changes);i++) { + + if (d != changes[i].db_index) { + continue; + } + + creds_client_authenticator(creds, &credential); + + r.in.credential = &credential; + + e.serial_number1 = 0; + e.serial_number2 = 0; + e.object_rid = changes[i].rid; + e.flags = changes[i].flags; + e.db_index = changes[i].db_index; + e.delta_type = changes[i].delta_type; + + switch (changes[i].flags & (NETR_CHANGELOG_NAME_INCLUDED | NETR_CHANGELOG_SID_INCLUDED)) { + case NETR_CHANGELOG_SID_INCLUDED: + e.object.object_sid = changes[i].sid; + break; + case NETR_CHANGELOG_NAME_INCLUDED: + e.object.object_name = changes[i].name; + break; + default: + break; + } + + r.in.change_log_entry = e; + + torture_comment(tctx, "Testing DatabaseRedo with database %s and %s\n", + database, changes[i].comment); + + status = dcerpc_netr_DatabaseRedo(p, tctx, &r); + if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { + return true; + } + + torture_assert_ntstatus_equal(tctx, status, changes[i].expected_error, changes[i].comment); + if (delta_enum_array) { + torture_assert_int_equal(tctx, + delta_enum_array->num_deltas, + changes[i].expected_num_results, + changes[i].comment); + if (delta_enum_array->num_deltas > 0) { + torture_assert_int_equal(tctx, + delta_enum_array->delta_enum[0].delta_type, + changes[i].expected_delta_type_1, + changes[i].comment); + } + if (delta_enum_array->num_deltas > 1) { + torture_assert_int_equal(tctx, + delta_enum_array->delta_enum[1].delta_type, + changes[i].expected_delta_type_2, + changes[i].comment); + } + } + + if (!creds_client_check(creds, &return_authenticator.cred)) { + torture_comment(tctx, "Credential chaining failed\n"); + if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) { + return false; + } + } + } + } + } + + return true; +} /* try a netlogon AccountDeltas @@ -1761,6 +2295,7 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx) torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo); torture_rpc_tcase_add_test_creds(tcase, "DatabaseSync", test_DatabaseSync); torture_rpc_tcase_add_test_creds(tcase, "DatabaseDeltas", test_DatabaseDeltas); + torture_rpc_tcase_add_test_creds(tcase, "DatabaseRedo", test_DatabaseRedo); torture_rpc_tcase_add_test_creds(tcase, "AccountDeltas", test_AccountDeltas); torture_rpc_tcase_add_test_creds(tcase, "AccountSync", test_AccountSync); torture_rpc_tcase_add_test(tcase, "GetDcName", test_GetDcName); diff --git a/source4/torture/rpc/ntsvcs.c b/source4/torture/rpc/ntsvcs.c new file mode 100644 index 0000000000..5453102039 --- /dev/null +++ b/source4/torture/rpc/ntsvcs.c @@ -0,0 +1,169 @@ +/* + Unix SMB/CIFS implementation. + test suite for rpc ntsvcs operations + + Copyright (C) Guenther Deschner 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "lib/torture/torture.h" +#include "torture/rpc/rpc.h" +#include "librpc/gen_ndr/ndr_ntsvcs_c.h" +#include "torture/util.h" +#include "param/param.h" + +static bool test_PNP_GetVersion(struct torture_context *tctx, + struct dcerpc_pipe *p) +{ + NTSTATUS status; + struct PNP_GetVersion r; + uint16_t version = 0; + + r.out.version = &version; + + status = dcerpc_PNP_GetVersion(p, tctx, &r); + + torture_assert_ntstatus_ok(tctx, status, "PNP_GetVersion"); + torture_assert_werr_ok(tctx, r.out.result, "PNP_GetVersion"); + torture_assert_int_equal(tctx, version, 0x400, "invalid version"); + + return true; +} + +static bool test_PNP_GetDeviceListSize(struct torture_context *tctx, + struct dcerpc_pipe *p) +{ + NTSTATUS status; + struct PNP_GetDeviceListSize r; + uint32_t size = 0; + + r.in.devicename = NULL; + r.in.flags = 0; + r.out.size = &size; + + status = dcerpc_PNP_GetDeviceListSize(p, tctx, &r); + + torture_assert_ntstatus_ok(tctx, status, "PNP_GetDeviceListSize"); + torture_assert_werr_ok(tctx, r.out.result, "PNP_GetDeviceListSize"); + + return true; +} + +static bool test_PNP_GetDeviceList(struct torture_context *tctx, + struct dcerpc_pipe *p) +{ + NTSTATUS status; + struct PNP_GetDeviceList r; + uint16_t *buffer = NULL; + uint32_t length = 0; + + buffer = talloc_array(tctx, uint16_t, 0); + + r.in.filter = NULL; + r.in.flags = 0; + r.in.length = &length; + r.out.length = &length; + r.out.buffer = buffer; + + status = dcerpc_PNP_GetDeviceList(p, tctx, &r); + torture_assert_ntstatus_ok(tctx, status, "PNP_GetDeviceList"); + + if (W_ERROR_EQUAL(r.out.result, WERR_CM_BUFFER_SMALL)) { + struct PNP_GetDeviceListSize s; + + s.in.devicename = NULL; + s.in.flags = 0; + s.out.size = &length; + + status = dcerpc_PNP_GetDeviceListSize(p, tctx, &s); + + torture_assert_ntstatus_ok(tctx, status, "PNP_GetDeviceListSize"); + torture_assert_werr_ok(tctx, s.out.result, "PNP_GetDeviceListSize"); + } + + buffer = talloc_array(tctx, uint16_t, length); + + r.in.length = &length; + r.out.length = &length; + r.out.buffer = buffer; + + status = dcerpc_PNP_GetDeviceList(p, tctx, &r); + torture_assert_ntstatus_ok(tctx, status, "PNP_GetDeviceList"); + torture_assert_werr_ok(tctx, r.out.result, "PNP_GetDeviceList"); + + return true; +} + +static bool test_PNP_GetDeviceRegProp(struct torture_context *tctx, + struct dcerpc_pipe *p) +{ + NTSTATUS status; + struct PNP_GetDeviceRegProp r; + + enum winreg_Type reg_data_type = REG_NONE; + uint32_t buffer_size = 0; + uint32_t needed = 0; + uint8_t *buffer; + + buffer = talloc(tctx, uint8_t); + + r.in.devicepath = "ACPI\\ACPI0003\\1"; + r.in.property = DEV_REGPROP_DESC; + r.in.flags = 0; + r.in.reg_data_type = ®_data_type; + r.in.buffer_size = &buffer_size; + r.in.needed = &needed; + r.out.buffer = buffer; + r.out.reg_data_type = ®_data_type; + r.out.buffer_size = &buffer_size; + r.out.needed = &needed; + + status = dcerpc_PNP_GetDeviceRegProp(p, tctx, &r); + torture_assert_ntstatus_ok(tctx, status, "PNP_GetDeviceRegProp"); + + if (W_ERROR_EQUAL(r.out.result, WERR_CM_BUFFER_SMALL)) { + + buffer = talloc_array(tctx, uint8_t, needed); + r.in.buffer_size = &needed; + + status = dcerpc_PNP_GetDeviceRegProp(p, tctx, &r); + torture_assert_ntstatus_ok(tctx, status, "PNP_GetDeviceRegProp"); + } + + return true; +} + +struct torture_suite *torture_rpc_ntsvcs(TALLOC_CTX *mem_ctx) +{ + struct torture_rpc_tcase *tcase; + struct torture_suite *suite = torture_suite_create(mem_ctx, "NTSVCS"); + struct torture_test *test; + + tcase = torture_suite_add_rpc_iface_tcase(suite, "ntsvcs", + &ndr_table_ntsvcs); + + test = torture_rpc_tcase_add_test(tcase, "PNP_GetDeviceRegProp", + test_PNP_GetDeviceRegProp); + test = torture_rpc_tcase_add_test(tcase, "PNP_GetDeviceList", + test_PNP_GetDeviceList); + test = torture_rpc_tcase_add_test(tcase, "PNP_GetDeviceListSize", + test_PNP_GetDeviceListSize); + test = torture_rpc_tcase_add_test(tcase, "PNP_GetVersion", + test_PNP_GetVersion); + + return suite; +} diff --git a/source4/torture/rpc/rpc.c b/source4/torture/rpc/rpc.c index 2fcf700c36..7f6b06d000 100644 --- a/source4/torture/rpc/rpc.c +++ b/source4/torture/rpc/rpc.c @@ -395,6 +395,7 @@ NTSTATUS torture_rpc_init(void) torture_suite_add_simple_test(suite, "SAMR", torture_rpc_samr); torture_suite_add_simple_test(suite, "SAMR-USERS", torture_rpc_samr_users); torture_suite_add_simple_test(suite, "SAMR-PASSWORDS", torture_rpc_samr_passwords); + torture_suite_add_simple_test(suite, "SAMR-PASSWORDS-PWDLASTSET", torture_rpc_samr_passwords_pwdlastset); torture_suite_add_suite(suite, torture_rpc_netlogon(suite)); torture_suite_add_suite(suite, torture_rpc_remote_pac(suite)); torture_suite_add_simple_test(suite, "SAMLOGON", torture_rpc_samlogon); @@ -438,6 +439,7 @@ NTSTATUS torture_rpc_init(void) torture_suite_add_simple_test(suite, "DSSYNC", torture_rpc_dssync); torture_suite_add_simple_test(suite, "BENCH-RPC", torture_bench_rpc); torture_suite_add_simple_test(suite, "ASYNCBIND", torture_async_bind); + torture_suite_add_suite(suite, torture_rpc_ntsvcs(suite)); suite->description = talloc_strdup(suite, "DCE/RPC protocol and interface tests"); diff --git a/source4/torture/rpc/rpc.h b/source4/torture/rpc/rpc.h index 29b1ebee54..9fd64f18b5 100644 --- a/source4/torture/rpc/rpc.h +++ b/source4/torture/rpc/rpc.h @@ -21,14 +21,13 @@ #ifndef __TORTURE_RPC_H__ #define __TORTURE_RPC_H__ -#include "torture/torture.h" +#include "lib/torture/torture.h" #include "auth/credentials/credentials.h" #include "torture/rpc/drsuapi.h" #include "libnet/libnet_join.h" #include "librpc/rpc/dcerpc.h" #include "libcli/raw/libcliraw.h" #include "torture/rpc/proto.h" -#include "torture/torture.h" struct torture_rpc_tcase { struct torture_tcase tcase; diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c index c2b849127f..f1e7e5a367 100644 --- a/source4/torture/rpc/samba3rpc.c +++ b/source4/torture/rpc/samba3rpc.c @@ -355,7 +355,7 @@ static NTSTATUS get_usr_handle(struct smbcli_state *cli, char **domain, struct dcerpc_pipe **result_pipe, struct policy_handle **result_handle, - struct dom_sid **sid) + struct dom_sid **sid_p) { struct dcerpc_pipe *samr_pipe; NTSTATUS status; @@ -365,7 +365,10 @@ static NTSTATUS get_usr_handle(struct smbcli_state *cli, struct samr_Connect2 conn; struct samr_EnumDomains enumdom; uint32_t resume_handle = 0; + uint32_t num_entries = 0; + struct samr_SamArray *sam = NULL; struct samr_LookupDomain l; + struct dom_sid2 *sid = NULL; int dom_idx; struct lsa_String domain_name; struct lsa_String user_name; @@ -423,6 +426,8 @@ static NTSTATUS get_usr_handle(struct smbcli_state *cli, enumdom.in.resume_handle = &resume_handle; enumdom.in.buf_size = (uint32_t)-1; enumdom.out.resume_handle = &resume_handle; + enumdom.out.num_entries = &num_entries; + enumdom.out.sam = &sam; status = dcerpc_samr_EnumDomains(samr_pipe, mem_ctx, &enumdom); if (!NT_STATUS_IS_OK(status)) { @@ -430,20 +435,21 @@ static NTSTATUS get_usr_handle(struct smbcli_state *cli, goto fail; } - if (enumdom.out.num_entries != 2) { + if (*enumdom.out.num_entries != 2) { d_printf("samr_EnumDomains returned %d entries, expected 2\n", - enumdom.out.num_entries); + *enumdom.out.num_entries); status = NT_STATUS_UNSUCCESSFUL; goto fail; } - dom_idx = strequal(enumdom.out.sam->entries[0].name.string, + dom_idx = strequal(sam->entries[0].name.string, "builtin") ? 1:0; l.in.connect_handle = &conn_handle; - domain_name.string = enumdom.out.sam->entries[dom_idx].name.string; + domain_name.string = sam->entries[dom_idx].name.string; *domain = talloc_strdup(mem_ctx, domain_name.string); l.in.domain_name = &domain_name; + l.out.sid = &sid; status = dcerpc_samr_LookupDomain(samr_pipe, mem_ctx, &l); if (!NT_STATUS_IS_OK(status)) { @@ -453,7 +459,7 @@ static NTSTATUS get_usr_handle(struct smbcli_state *cli, o.in.connect_handle = &conn_handle; o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - o.in.sid = l.out.sid; + o.in.sid = *l.out.sid; o.out.domain_handle = &domain_handle; status = dcerpc_samr_OpenDomain(samr_pipe, mem_ctx, &o); @@ -477,10 +483,13 @@ static NTSTATUS get_usr_handle(struct smbcli_state *cli, if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) { struct samr_LookupNames ln; struct samr_OpenUser ou; + struct samr_Ids rids, types; ln.in.domain_handle = &domain_handle; ln.in.num_names = 1; ln.in.names = &user_name; + ln.out.rids = &rids; + ln.out.types = &types; status = dcerpc_samr_LookupNames(samr_pipe, mem_ctx, &ln); if (!NT_STATUS_IS_OK(status)) { @@ -491,7 +500,7 @@ static NTSTATUS get_usr_handle(struct smbcli_state *cli, ou.in.domain_handle = &domain_handle; ou.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - user_rid = ou.in.rid = ln.out.rids.ids[0]; + user_rid = ou.in.rid = ln.out.rids->ids[0]; ou.out.user_handle = user_handle; status = dcerpc_samr_OpenUser(samr_pipe, mem_ctx, &ou); @@ -509,8 +518,8 @@ static NTSTATUS get_usr_handle(struct smbcli_state *cli, *result_pipe = samr_pipe; *result_handle = user_handle; - if (sid != NULL) { - *sid = dom_sid_add_rid(mem_ctx, l.out.sid, user_rid); + if (sid_p != NULL) { + *sid_p = dom_sid_add_rid(mem_ctx, *l.out.sid, user_rid); } return NT_STATUS_OK; @@ -555,6 +564,7 @@ static bool create_user(TALLOC_CTX *mem_ctx, struct smbcli_state *cli, struct samr_SetUserInfo sui; struct samr_QueryUserInfo qui; union samr_UserInfo u_info; + union samr_UserInfo *info; DATA_BLOB session_key; @@ -597,6 +607,7 @@ static bool create_user(TALLOC_CTX *mem_ctx, struct smbcli_state *cli, qui.in.user_handle = wks_handle; qui.in.level = 21; + qui.out.info = &info; status = dcerpc_samr_QueryUserInfo(samr_pipe, tmp_ctx, &qui); if (!NT_STATUS_IS_OK(status)) { @@ -604,14 +615,14 @@ static bool create_user(TALLOC_CTX *mem_ctx, struct smbcli_state *cli, goto done; } - qui.out.info->info21.allow_password_change = 0; - qui.out.info->info21.force_password_change = 0; - qui.out.info->info21.account_name.string = NULL; - qui.out.info->info21.rid = 0; - qui.out.info->info21.acct_expiry = 0; - qui.out.info->info21.fields_present = 0x81827fa; /* copy usrmgr.exe */ + info->info21.allow_password_change = 0; + info->info21.force_password_change = 0; + info->info21.account_name.string = NULL; + info->info21.rid = 0; + info->info21.acct_expiry = 0; + info->info21.fields_present = 0x81827fa; /* copy usrmgr.exe */ - u_info.info21 = qui.out.info->info21; + u_info.info21 = info->info21; sui.in.user_handle = wks_handle; sui.in.info = &u_info; sui.in.level = 21; @@ -721,9 +732,11 @@ static bool join3(struct smbcli_state *cli, { struct samr_QueryUserInfo q; + union samr_UserInfo *info; q.in.user_handle = wks_handle; q.in.level = 21; + q.out.info = &info; status = dcerpc_samr_QueryUserInfo(samr_pipe, mem_ctx, &q); if (!NT_STATUS_IS_OK(status)) { @@ -732,7 +745,7 @@ static bool join3(struct smbcli_state *cli, goto done; } - last_password_change = q.out.info->info21.last_password_change; + last_password_change = info->info21.last_password_change; } cli_credentials_set_domain(wks_creds, dom_name, CRED_SPECIFIED); @@ -755,6 +768,10 @@ static bool join3(struct smbcli_state *cli, i21->acct_flags = ACB_WSTRUST; i21->fields_present = SAMR_FIELD_FULL_NAME | SAMR_FIELD_ACCT_FLAGS | SAMR_FIELD_PASSWORD; + /* this would break the test result expectations + i21->fields_present |= SAMR_FIELD_EXPIRED_FLAG; + i21->password_expired = 1; + */ encode_pw_buffer(u_info.info25.password.data, cli_credentials_get_password(wks_creds), @@ -795,8 +812,8 @@ static bool join3(struct smbcli_state *cli, encode_pw_buffer(u_info.info24.password.data, cli_credentials_get_password(wks_creds), STR_UNICODE); - u_info.info24.pw_len = - strlen_m(cli_credentials_get_password(wks_creds))*2; + /* just to make this test pass */ + u_info.info24.password_expired = 1; status = dcerpc_fetch_session_key(samr_pipe, &session_key); if (!NT_STATUS_IS_OK(status)) { @@ -830,9 +847,11 @@ static bool join3(struct smbcli_state *cli, { struct samr_QueryUserInfo q; + union samr_UserInfo *info; q.in.user_handle = wks_handle; q.in.level = 21; + q.out.info = &info; status = dcerpc_samr_QueryUserInfo(samr_pipe, mem_ctx, &q); if (!NT_STATUS_IS_OK(status)) { @@ -843,7 +862,7 @@ static bool join3(struct smbcli_state *cli, if (use_level25) { if (last_password_change - == q.out.info->info21.last_password_change) { + == info->info21.last_password_change) { d_printf("(%s) last_password_change unchanged " "during join, level25 must change " "it\n", __location__); @@ -852,7 +871,7 @@ static bool join3(struct smbcli_state *cli, } else { if (last_password_change - != q.out.info->info21.last_password_change) { + != info->info21.last_password_change) { d_printf("(%s) last_password_change changed " "during join, level24 doesn't " "change it\n", __location__); diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index 23c288bfcc..01ff01674c 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -29,6 +29,8 @@ #include "libcli/security/security.h" #include "torture/rpc/rpc.h" +#include <unistd.h> + #define TEST_ACCOUNT_NAME "samrtorturetest" #define TEST_ALIASNAME "samrtorturetestalias" #define TEST_GROUPNAME "samrtorturetestgroup" @@ -37,6 +39,7 @@ enum torture_samr_choice { TORTURE_SAMR_PASSWORDS, + TORTURE_SAMR_PASSWORDS_PWDLASTSET, TORTURE_SAMR_USER_ATTRIBUTES, TORTURE_SAMR_OTHER }; @@ -59,6 +62,13 @@ static void init_lsa_String(struct lsa_String *string, const char *s) string->string = s; } +static void init_lsa_BinaryString(struct lsa_BinaryString *string, const char *s, uint32_t length) +{ + string->length = length; + string->size = length; + string->array = (uint16_t *)discard_const(s); +} + bool test_samr_handle_Close(struct dcerpc_pipe *p, struct torture_context *tctx, struct policy_handle *handle) { @@ -131,18 +141,20 @@ static bool test_QuerySecurity(struct dcerpc_pipe *p, NTSTATUS status; struct samr_QuerySecurity r; struct samr_SetSecurity s; + struct sec_desc_buf *sdbuf = NULL; r.in.handle = handle; r.in.sec_info = 7; + r.out.sdbuf = &sdbuf; status = dcerpc_samr_QuerySecurity(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "QuerySecurity"); - torture_assert(tctx, r.out.sdbuf != NULL, "sdbuf is NULL"); + torture_assert(tctx, sdbuf != NULL, "sdbuf is NULL"); s.in.handle = handle; s.in.sec_info = 7; - s.in.sdbuf = r.out.sdbuf; + s.in.sdbuf = sdbuf; if (torture_setting_bool(tctx, "samba4", false)) { torture_skip(tctx, "skipping SetSecurity test against Samba4\n"); @@ -168,6 +180,7 @@ static bool test_SetUserInfo(struct dcerpc_pipe *p, struct torture_context *tctx struct samr_QueryUserInfo q; struct samr_QueryUserInfo q0; union samr_UserInfo u; + union samr_UserInfo *info; bool ret = true; const char *test_account_name; @@ -184,7 +197,7 @@ static bool test_SetUserInfo(struct dcerpc_pipe *p, struct torture_context *tctx s2.in.info = &u; q.in.user_handle = handle; - q.out.info = &u; + q.out.info = &info; q0 = q; #define TESTCALL(call, r) \ @@ -204,6 +217,14 @@ static bool test_SetUserInfo(struct dcerpc_pipe *p, struct torture_context *tctx break; \ } +#define MEM_EQUAL(s1, s2, length, field) \ + if ((s1 && !s2) || (s2 && !s1) || memcmp(s1, s2, length)) { \ + torture_comment(tctx, "Failed to set %s to '%s' (%s)\n", \ + #field, (const char *)s2, __location__); \ + ret = false; \ + break; \ + } + #define INT_EQUAL(i1, i2, field) \ if (i1 != i2) { \ torture_comment(tctx, "Failed to set %s to 0x%llx - got 0x%llx (%s)\n", \ @@ -218,7 +239,7 @@ static bool test_SetUserInfo(struct dcerpc_pipe *p, struct torture_context *tctx TESTCALL(QueryUserInfo, q) \ s.in.level = lvl1; \ s2.in.level = lvl1; \ - u = *q.out.info; \ + u = *info; \ if (lvl1 == 21) { \ ZERO_STRUCT(u.info21); \ u.info21.fields_present = fpval; \ @@ -228,21 +249,45 @@ static bool test_SetUserInfo(struct dcerpc_pipe *p, struct torture_context *tctx TESTCALL(SetUserInfo2, s2) \ init_lsa_String(&u.info ## lvl1.field1, ""); \ TESTCALL(QueryUserInfo, q); \ - u = *q.out.info; \ + u = *info; \ STRING_EQUAL(u.info ## lvl1.field1.string, value, field1); \ q.in.level = lvl2; \ TESTCALL(QueryUserInfo, q) \ - u = *q.out.info; \ + u = *info; \ STRING_EQUAL(u.info ## lvl2.field2.string, value, field2); \ } while (0) +#define TEST_USERINFO_BINARYSTRING(lvl1, field1, lvl2, field2, value, fpval) do { \ + torture_comment(tctx, "field test %d/%s vs %d/%s\n", lvl1, #field1, lvl2, #field2); \ + q.in.level = lvl1; \ + TESTCALL(QueryUserInfo, q) \ + s.in.level = lvl1; \ + s2.in.level = lvl1; \ + u = *info; \ + if (lvl1 == 21) { \ + ZERO_STRUCT(u.info21); \ + u.info21.fields_present = fpval; \ + } \ + init_lsa_BinaryString(&u.info ## lvl1.field1, value, strlen(value)); \ + TESTCALL(SetUserInfo, s) \ + TESTCALL(SetUserInfo2, s2) \ + init_lsa_BinaryString(&u.info ## lvl1.field1, "", 1); \ + TESTCALL(QueryUserInfo, q); \ + u = *info; \ + MEM_EQUAL(u.info ## lvl1.field1.array, value, strlen(value), field1); \ + q.in.level = lvl2; \ + TESTCALL(QueryUserInfo, q) \ + u = *info; \ + MEM_EQUAL(u.info ## lvl2.field2.array, value, strlen(value), field2); \ + } while (0) + #define TEST_USERINFO_INT_EXP(lvl1, field1, lvl2, field2, value, exp_value, fpval) do { \ torture_comment(tctx, "field test %d/%s vs %d/%s\n", lvl1, #field1, lvl2, #field2); \ q.in.level = lvl1; \ TESTCALL(QueryUserInfo, q) \ s.in.level = lvl1; \ s2.in.level = lvl1; \ - u = *q.out.info; \ + u = *info; \ if (lvl1 == 21) { \ uint8_t *bits = u.info21.logon_hours.bits; \ ZERO_STRUCT(u.info21); \ @@ -257,11 +302,11 @@ static bool test_SetUserInfo(struct dcerpc_pipe *p, struct torture_context *tctx TESTCALL(SetUserInfo2, s2) \ u.info ## lvl1.field1 = 0; \ TESTCALL(QueryUserInfo, q); \ - u = *q.out.info; \ + u = *info; \ INT_EQUAL(u.info ## lvl1.field1, exp_value, field1); \ q.in.level = lvl2; \ TESTCALL(QueryUserInfo, q) \ - u = *q.out.info; \ + u = *info; \ INT_EQUAL(u.info ## lvl2.field2, exp_value, field1); \ } while (0) @@ -359,10 +404,10 @@ static bool test_SetUserInfo(struct dcerpc_pipe *p, struct torture_context *tctx TEST_USERINFO_STRING(21, workstations, 14, workstations, "21workstation14", SAMR_FIELD_WORKSTATIONS); - TEST_USERINFO_STRING(20, parameters, 21, parameters, "xx20-21 parameters", 0); - TEST_USERINFO_STRING(21, parameters, 21, parameters, "xx21-21 parameters", + TEST_USERINFO_BINARYSTRING(20, parameters, 21, parameters, "xx20-21 parameters", 0); + TEST_USERINFO_BINARYSTRING(21, parameters, 21, parameters, "xx21-21 parameters", SAMR_FIELD_PARAMETERS); - TEST_USERINFO_STRING(21, parameters, 20, parameters, "xx21-20 parameters", + TEST_USERINFO_BINARYSTRING(21, parameters, 20, parameters, "xx21-20 parameters", SAMR_FIELD_PARAMETERS); TEST_USERINFO_INT(2, country_code, 2, country_code, __LINE__, 0); @@ -466,12 +511,19 @@ static bool test_SetUserInfo(struct dcerpc_pipe *p, struct torture_context *tctx /* generate a random password for password change tests */ -static char *samr_rand_pass(TALLOC_CTX *mem_ctx, int min_len) +static char *samr_rand_pass_silent(TALLOC_CTX *mem_ctx, int min_len) { size_t len = MAX(8, min_len) + (random() % 6); char *s = generate_random_str(mem_ctx, len); + return s; +} + +static char *samr_rand_pass(TALLOC_CTX *mem_ctx, int min_len) +{ + char *s = samr_rand_pass_silent(mem_ctx, min_len); printf("Generated password '%s'\n", s); return s; + } /* @@ -512,12 +564,14 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx DATA_BLOB session_key; char *newpass; struct samr_GetUserPwInfo pwp; + struct samr_PwInfo info; int policy_min_pw_len = 0; pwp.in.user_handle = handle; + pwp.out.info = &info; status = dcerpc_samr_GetUserPwInfo(p, tctx, &pwp); if (NT_STATUS_IS_OK(status)) { - policy_min_pw_len = pwp.out.info.min_password_length; + policy_min_pw_len = pwp.out.info->min_password_length; } newpass = samr_rand_pass(tctx, policy_min_pw_len); @@ -526,8 +580,7 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx s.in.level = 24; encode_pw_buffer(u.info24.password.data, newpass, STR_UNICODE); - /* w2k3 ignores this length */ - u.info24.pw_len = strlen_m(newpass) * 2; + u.info24.password_expired = 0; status = dcerpc_fetch_session_key(p, &session_key); if (!NT_STATUS_IS_OK(status)) { @@ -564,12 +617,14 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t DATA_BLOB session_key; char *newpass; struct samr_GetUserPwInfo pwp; + struct samr_PwInfo info; int policy_min_pw_len = 0; pwp.in.user_handle = handle; + pwp.out.info = &info; status = dcerpc_samr_GetUserPwInfo(p, tctx, &pwp); if (NT_STATUS_IS_OK(status)) { - policy_min_pw_len = pwp.out.info.min_password_length; + policy_min_pw_len = pwp.out.info->min_password_length; } newpass = samr_rand_pass(tctx, policy_min_pw_len); @@ -643,12 +698,14 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc char *newpass; struct MD5Context ctx; struct samr_GetUserPwInfo pwp; + struct samr_PwInfo info; int policy_min_pw_len = 0; pwp.in.user_handle = handle; + pwp.out.info = &info; status = dcerpc_samr_GetUserPwInfo(p, tctx, &pwp); if (NT_STATUS_IS_OK(status)) { - policy_min_pw_len = pwp.out.info.min_password_length; + policy_min_pw_len = pwp.out.info->min_password_length; } if (makeshort && policy_min_pw_len) { newpass = samr_rand_pass_fixed_len(tctx, policy_min_pw_len - 1); @@ -661,7 +718,7 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc s.in.level = 26; encode_pw_buffer(u.info26.password.data, newpass, STR_UNICODE); - u.info26.pw_len = strlen(newpass); + u.info26.password_expired = 0; status = dcerpc_fetch_session_key(p, &session_key); if (!NT_STATUS_IS_OK(status)) { @@ -725,12 +782,14 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t uint8_t confounder[16]; char *newpass; struct samr_GetUserPwInfo pwp; + struct samr_PwInfo info; int policy_min_pw_len = 0; pwp.in.user_handle = handle; + pwp.out.info = &info; status = dcerpc_samr_GetUserPwInfo(p, tctx, &pwp); if (NT_STATUS_IS_OK(status)) { - policy_min_pw_len = pwp.out.info.min_password_length; + policy_min_pw_len = pwp.out.info->min_password_length; } newpass = samr_rand_pass(tctx, policy_min_pw_len); @@ -790,12 +849,161 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t return ret; } +static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, + struct torture_context *tctx, + struct policy_handle *handle, + uint16_t level, + uint32_t fields_present, + char **password, uint8_t password_expired, + bool use_setinfo2, NTSTATUS expected_error) +{ + NTSTATUS status; + struct samr_SetUserInfo s; + struct samr_SetUserInfo2 s2; + union samr_UserInfo u; + bool ret = true; + DATA_BLOB session_key; + DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16); + struct MD5Context ctx; + uint8_t confounder[16]; + char *newpass; + struct samr_GetUserPwInfo pwp; + struct samr_PwInfo info; + int policy_min_pw_len = 0; + const char *comment = NULL; + + pwp.in.user_handle = handle; + pwp.out.info = &info; + + status = dcerpc_samr_GetUserPwInfo(p, tctx, &pwp); + if (NT_STATUS_IS_OK(status)) { + policy_min_pw_len = pwp.out.info->min_password_length; + } + newpass = samr_rand_pass_silent(tctx, policy_min_pw_len); + + if (use_setinfo2) { + s2.in.user_handle = handle; + s2.in.info = &u; + s2.in.level = level; + } else { + s.in.user_handle = handle; + s.in.info = &u; + s.in.level = level; + } + + if (fields_present & SAMR_FIELD_COMMENT) { + comment = talloc_asprintf(tctx, "comment: %d\n", time(NULL)); + } + + ZERO_STRUCT(u); + + switch (level) { + case 21: + u.info21.fields_present = fields_present; + u.info21.password_expired = password_expired; + u.info21.comment.string = comment; + + break; + case 23: + u.info23.info.fields_present = fields_present; + u.info23.info.password_expired = password_expired; + u.info23.info.comment.string = comment; + + encode_pw_buffer(u.info23.password.data, newpass, STR_UNICODE); + + break; + case 24: + u.info24.password_expired = password_expired; + + encode_pw_buffer(u.info24.password.data, newpass, STR_UNICODE); + + break; + case 25: + u.info25.info.fields_present = fields_present; + u.info25.info.password_expired = password_expired; + u.info25.info.comment.string = comment; + + encode_pw_buffer(u.info25.password.data, newpass, STR_UNICODE); + + break; + case 26: + u.info26.password_expired = password_expired; + + encode_pw_buffer(u.info26.password.data, newpass, STR_UNICODE); + + break; + } + + status = dcerpc_fetch_session_key(p, &session_key); + if (!NT_STATUS_IS_OK(status)) { + printf("SetUserInfo level %u - no session key - %s\n", + s.in.level, nt_errstr(status)); + return false; + } + + generate_random_buffer((uint8_t *)confounder, 16); + + MD5Init(&ctx); + MD5Update(&ctx, confounder, 16); + MD5Update(&ctx, session_key.data, session_key.length); + MD5Final(confounded_session_key.data, &ctx); + + switch (level) { + case 23: + arcfour_crypt_blob(u.info23.password.data, 516, &session_key); + break; + case 24: + arcfour_crypt_blob(u.info24.password.data, 516, &session_key); + break; + case 25: + arcfour_crypt_blob(u.info25.password.data, 516, &confounded_session_key); + memcpy(&u.info25.password.data[516], confounder, 16); + break; + case 26: + arcfour_crypt_blob(u.info26.password.data, 516, &confounded_session_key); + memcpy(&u.info26.password.data[516], confounder, 16); + break; + } + + if (use_setinfo2) { + status = dcerpc_samr_SetUserInfo2(p, tctx, &s2); + } else { + status = dcerpc_samr_SetUserInfo(p, tctx, &s); + } + + if (!NT_STATUS_IS_OK(expected_error)) { + if (use_setinfo2) { + torture_assert_ntstatus_equal(tctx, + s2.out.result, + expected_error, "SetUserInfo2 failed"); + } else { + torture_assert_ntstatus_equal(tctx, + s.out.result, + expected_error, "SetUserInfo failed"); + } + return true; + } + + if (!NT_STATUS_IS_OK(status)) { + printf("SetUserInfo%s level %u failed - %s\n", + use_setinfo2 ? "2":"", level, nt_errstr(status)); + ret = false; + } else { + if (level != 21) { + *password = newpass; + } + } + + return ret; +} + static bool test_SetAliasInfo(struct dcerpc_pipe *p, struct torture_context *tctx, struct policy_handle *handle) { NTSTATUS status; struct samr_SetAliasInfo r; struct samr_QueryAliasInfo q; + union samr_AliasInfo *info; uint16_t levels[] = {2, 3}; int i; bool ret = true; @@ -826,6 +1034,7 @@ static bool test_SetAliasInfo(struct dcerpc_pipe *p, struct torture_context *tct q.in.alias_handle = handle; q.in.level = levels[i]; + q.out.info = &info; status = dcerpc_samr_QueryAliasInfo(p, tctx, &q); if (!NT_STATUS_IS_OK(status)) { @@ -842,11 +1051,13 @@ static bool test_GetGroupsForUser(struct dcerpc_pipe *p, struct torture_context struct policy_handle *user_handle) { struct samr_GetGroupsForUser r; + struct samr_RidWithAttributeArray *rids = NULL; NTSTATUS status; torture_comment(tctx, "testing GetGroupsForUser\n"); r.in.user_handle = user_handle; + r.out.rids = &rids; status = dcerpc_samr_GetGroupsForUser(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "GetGroupsForUser"); @@ -860,8 +1071,11 @@ static bool test_GetDomPwInfo(struct dcerpc_pipe *p, struct torture_context *tct { NTSTATUS status; struct samr_GetDomPwInfo r; + struct samr_PwInfo info; r.in.domain_name = domain_name; + r.out.info = &info; + torture_comment(tctx, "Testing GetDomPwInfo with name %s\n", r.in.domain_name->string); status = dcerpc_samr_GetDomPwInfo(p, tctx, &r); @@ -893,10 +1107,12 @@ static bool test_GetUserPwInfo(struct dcerpc_pipe *p, struct torture_context *tc { NTSTATUS status; struct samr_GetUserPwInfo r; + struct samr_PwInfo info; torture_comment(tctx, "Testing GetUserPwInfo\n"); r.in.user_handle = handle; + r.out.info = &info; status = dcerpc_samr_GetUserPwInfo(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "GetUserPwInfo"); @@ -911,15 +1127,18 @@ static NTSTATUS test_LookupName(struct dcerpc_pipe *p, struct torture_context *t NTSTATUS status; struct samr_LookupNames n; struct lsa_String sname[2]; + struct samr_Ids rids, types; init_lsa_String(&sname[0], name); n.in.domain_handle = domain_handle; n.in.num_names = 1; n.in.names = sname; + n.out.rids = &rids; + n.out.types = &types; status = dcerpc_samr_LookupNames(p, tctx, &n); if (NT_STATUS_IS_OK(status)) { - *rid = n.out.rids.ids[0]; + *rid = n.out.rids->ids[0]; } else { return status; } @@ -1071,6 +1290,7 @@ static bool test_ChangePasswordUser(struct dcerpc_pipe *p, struct torture_contex char *newpass; struct samr_GetUserPwInfo pwp; + struct samr_PwInfo info; int policy_min_pw_len = 0; status = test_OpenUser_byname(p, tctx, handle, acct_name, &user_handle); @@ -1078,10 +1298,11 @@ static bool test_ChangePasswordUser(struct dcerpc_pipe *p, struct torture_contex return false; } pwp.in.user_handle = &user_handle; + pwp.out.info = &info; status = dcerpc_samr_GetUserPwInfo(p, tctx, &pwp); if (NT_STATUS_IS_OK(status)) { - policy_min_pw_len = pwp.out.info.min_password_length; + policy_min_pw_len = pwp.out.info->min_password_length; } newpass = samr_rand_pass(tctx, policy_min_pw_len); @@ -1346,12 +1567,14 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co uint8_t old_lm_hash[16], new_lm_hash[16]; struct samr_GetDomPwInfo dom_pw_info; + struct samr_PwInfo info; int policy_min_pw_len = 0; struct lsa_String domain_name; domain_name.string = ""; dom_pw_info.in.domain_name = &domain_name; + dom_pw_info.out.info = &info; torture_comment(tctx, "Testing OemChangePasswordUser2\n"); @@ -1362,7 +1585,7 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co status = dcerpc_samr_GetDomPwInfo(p, tctx, &dom_pw_info); if (NT_STATUS_IS_OK(status)) { - policy_min_pw_len = dom_pw_info.out.info.min_password_length; + policy_min_pw_len = dom_pw_info.out.info->min_password_length; } newpass = samr_rand_pass(tctx, policy_min_pw_len); @@ -1515,11 +1738,13 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte uint8_t old_lm_hash[16], new_lm_hash[16]; struct samr_GetDomPwInfo dom_pw_info; + struct samr_PwInfo info; struct lsa_String domain_name; domain_name.string = ""; dom_pw_info.in.domain_name = &domain_name; + dom_pw_info.out.info = &info; torture_comment(tctx, "Testing ChangePasswordUser2 on %s\n", acct_name); @@ -1531,7 +1756,7 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte int policy_min_pw_len = 0; status = dcerpc_samr_GetDomPwInfo(p, tctx, &dom_pw_info); if (NT_STATUS_IS_OK(status)) { - policy_min_pw_len = dom_pw_info.out.info.min_password_length; + policy_min_pw_len = dom_pw_info.out.info->min_password_length; } newpass = samr_rand_pass(tctx, policy_min_pw_len); @@ -1594,6 +1819,8 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct uint8_t old_nt_hash[16], new_nt_hash[16]; uint8_t old_lm_hash[16], new_lm_hash[16]; NTTIME t; + struct samr_DomInfo1 *dominfo = NULL; + struct samr_ChangeReject *reject = NULL; torture_comment(tctx, "Testing ChangePasswordUser3\n"); @@ -1641,6 +1868,8 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct r.in.lm_password = &lm_pass; r.in.lm_verifier = &lm_verifier; r.in.password3 = NULL; + r.out.dominfo = &dominfo; + r.out.reject = &reject; status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r); if (!NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) && @@ -1670,6 +1899,8 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct r.in.lm_password = &lm_pass; r.in.lm_verifier = &lm_verifier; r.in.password3 = NULL; + r.out.dominfo = &dominfo; + r.out.reject = &reject; status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r); if (!NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) && @@ -1712,21 +1943,23 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct r.in.lm_password = &lm_pass; r.in.lm_verifier = &lm_verifier; r.in.password3 = NULL; + r.out.dominfo = &dominfo; + r.out.reject = &reject; unix_to_nt_time(&t, time(NULL)); status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r); if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) - && r.out.dominfo - && r.out.reject + && dominfo + && reject && handle_reject_reason - && (!null_nttime(last_password_change) || !r.out.dominfo->min_password_age)) { - if (r.out.dominfo->password_properties & DOMAIN_REFUSE_PASSWORD_CHANGE ) { + && (!null_nttime(last_password_change) || !dominfo->min_password_age)) { + if (dominfo->password_properties & DOMAIN_REFUSE_PASSWORD_CHANGE ) { - if (r.out.reject && (r.out.reject->reason != SAMR_REJECT_OTHER)) { + if (reject && (reject->reason != SAMR_REJECT_OTHER)) { printf("expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, r.out.reject->reason); + SAMR_REJECT_OTHER, reject->reason); return false; } } @@ -1740,54 +1973,54 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct Guenther */ - if ((r.out.dominfo->min_password_age > 0) && !null_nttime(last_password_change) && - (last_password_change + r.out.dominfo->min_password_age > t)) { + if ((dominfo->min_password_age > 0) && !null_nttime(last_password_change) && + (last_password_change + dominfo->min_password_age > t)) { - if (r.out.reject->reason != SAMR_REJECT_OTHER) { + if (reject->reason != SAMR_REJECT_OTHER) { printf("expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, r.out.reject->reason); + SAMR_REJECT_OTHER, reject->reason); return false; } - } else if ((r.out.dominfo->min_password_length > 0) && - (strlen(newpass) < r.out.dominfo->min_password_length)) { + } else if ((dominfo->min_password_length > 0) && + (strlen(newpass) < dominfo->min_password_length)) { - if (r.out.reject->reason != SAMR_REJECT_TOO_SHORT) { + if (reject->reason != SAMR_REJECT_TOO_SHORT) { printf("expected SAMR_REJECT_TOO_SHORT (%d), got %d\n", - SAMR_REJECT_TOO_SHORT, r.out.reject->reason); + SAMR_REJECT_TOO_SHORT, reject->reason); return false; } - } else if ((r.out.dominfo->password_history_length > 0) && + } else if ((dominfo->password_history_length > 0) && strequal(oldpass, newpass)) { - if (r.out.reject->reason != SAMR_REJECT_IN_HISTORY) { + if (reject->reason != SAMR_REJECT_IN_HISTORY) { printf("expected SAMR_REJECT_IN_HISTORY (%d), got %d\n", - SAMR_REJECT_IN_HISTORY, r.out.reject->reason); + SAMR_REJECT_IN_HISTORY, reject->reason); return false; } - } else if (r.out.dominfo->password_properties & DOMAIN_PASSWORD_COMPLEX) { + } else if (dominfo->password_properties & DOMAIN_PASSWORD_COMPLEX) { - if (r.out.reject->reason != SAMR_REJECT_COMPLEXITY) { + if (reject->reason != SAMR_REJECT_COMPLEXITY) { printf("expected SAMR_REJECT_COMPLEXITY (%d), got %d\n", - SAMR_REJECT_COMPLEXITY, r.out.reject->reason); + SAMR_REJECT_COMPLEXITY, reject->reason); return false; } } - if (r.out.reject->reason == SAMR_REJECT_TOO_SHORT) { + if (reject->reason == SAMR_REJECT_TOO_SHORT) { /* retry with adjusted size */ return test_ChangePasswordUser3(p, tctx, account_string, - r.out.dominfo->min_password_length, + dominfo->min_password_length, password, NULL, 0, false); } } else if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { - if (r.out.reject && r.out.reject->reason != SAMR_REJECT_OTHER) { + if (reject && reject->reason != SAMR_REJECT_OTHER) { printf("expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, r.out.reject->reason); + SAMR_REJECT_OTHER, reject->reason); return false; } /* Perhaps the server has a 'min password age' set? */ @@ -1823,6 +2056,8 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex char *oldpass; uint8_t old_nt_hash[16], new_nt_hash[16]; NTTIME t; + struct samr_DomInfo1 *dominfo = NULL; + struct samr_ChangeReject *reject = NULL; new_random_pass = samr_very_rand_pass(tctx, 128); @@ -1889,15 +2124,17 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex r.in.lm_password = NULL; r.in.lm_verifier = NULL; r.in.password3 = NULL; + r.out.dominfo = &dominfo; + r.out.reject = &reject; unix_to_nt_time(&t, time(NULL)); status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r); if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { - if (r.out.reject && r.out.reject->reason != SAMR_REJECT_OTHER) { + if (reject && reject->reason != SAMR_REJECT_OTHER) { printf("expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, r.out.reject->reason); + SAMR_REJECT_OTHER, reject->reason); return false; } /* Perhaps the server has a 'min password age' set? */ @@ -1925,15 +2162,17 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex r.in.lm_password = NULL; r.in.lm_verifier = NULL; r.in.password3 = NULL; + r.out.dominfo = &dominfo; + r.out.reject = &reject; unix_to_nt_time(&t, time(NULL)); status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r); if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) { - if (r.out.reject && r.out.reject->reason != SAMR_REJECT_OTHER) { + if (reject && reject->reason != SAMR_REJECT_OTHER) { printf("expected SAMR_REJECT_OTHER (%d), got %d\n", - SAMR_REJECT_OTHER, r.out.reject->reason); + SAMR_REJECT_OTHER, reject->reason); return false; } /* Perhaps the server has a 'min password age' set? */ @@ -2051,6 +2290,486 @@ static bool test_TestPrivateFunctionsUser(struct dcerpc_pipe *p, struct torture_ return true; } +static bool test_QueryUserInfo_pwdlastset(struct dcerpc_pipe *p, + struct torture_context *tctx, + struct policy_handle *handle, + bool use_info2, + NTTIME *pwdlastset) +{ + NTSTATUS status; + uint16_t levels[] = { /* 3, */ 5, 21 }; + int i; + NTTIME pwdlastset3 = 0; + NTTIME pwdlastset5 = 0; + NTTIME pwdlastset21 = 0; + + torture_comment(tctx, "Testing QueryUserInfo%s level 5 and 21 call ", + use_info2 ? "2":""); + + for (i=0; i<ARRAY_SIZE(levels); i++) { + + struct samr_QueryUserInfo r; + struct samr_QueryUserInfo2 r2; + union samr_UserInfo *info; + + if (use_info2) { + r2.in.user_handle = handle; + r2.in.level = levels[i]; + r2.out.info = &info; + status = dcerpc_samr_QueryUserInfo2(p, tctx, &r2); + + } else { + r.in.user_handle = handle; + r.in.level = levels[i]; + r.out.info = &info; + status = dcerpc_samr_QueryUserInfo(p, tctx, &r); + } + + if (!NT_STATUS_IS_OK(status) && + !NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) { + printf("QueryUserInfo%s level %u failed - %s\n", + use_info2 ? "2":"", levels[i], nt_errstr(status)); + return false; + } + + switch (levels[i]) { + case 3: + pwdlastset3 = info->info3.last_password_change; + break; + case 5: + pwdlastset5 = info->info5.last_password_change; + break; + case 21: + pwdlastset21 = info->info21.last_password_change; + break; + default: + return false; + } + } + /* torture_assert_int_equal(tctx, pwdlastset3, pwdlastset5, + "pwdlastset mixup"); */ + torture_assert_int_equal(tctx, pwdlastset5, pwdlastset21, + "pwdlastset mixup"); + + *pwdlastset = pwdlastset21; + + torture_comment(tctx, "(pwdlastset: %lld)\n", *pwdlastset); + + return true; +} + +static bool test_SetPassword_level(struct dcerpc_pipe *p, + struct torture_context *tctx, + struct policy_handle *handle, + uint16_t level, + uint32_t fields_present, + uint8_t password_expired, + NTSTATUS expected_error, + bool use_setinfo2, + char **password, + bool use_queryinfo2, + NTTIME *pwdlastset) +{ + const char *fields = NULL; + bool ret = true; + + switch (level) { + case 21: + case 23: + case 25: + fields = talloc_asprintf(tctx, "(fields_present: 0x%08x)", + fields_present); + break; + default: + break; + } + + torture_comment(tctx, "Testing SetUserInfo%s level %d call " + "(password_expired: %d) %s\n", + use_setinfo2 ? "2":"", level, password_expired, + fields ? fields : ""); + + switch (level) { + case 21: + case 23: + case 24: + case 25: + case 26: + if (!test_SetUserPass_level_ex(p, tctx, handle, level, + fields_present, + password, + password_expired, + use_setinfo2, + expected_error)) { + ret = false; + } + break; + default: + return false; + } + + if (!test_QueryUserInfo_pwdlastset(p, tctx, handle, + use_queryinfo2, + pwdlastset)) { + ret = false; + } + + return ret; +} + +static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p, + struct torture_context *tctx, + uint32_t acct_flags, + struct policy_handle *handle, + char **password) +{ + int i, s = 0, q = 0; + bool ret = true; + int delay = 500000; + bool set_levels[] = { false, true }; + bool query_levels[] = { false, true }; + + struct { + uint16_t level; + uint8_t password_expired_nonzero; + uint32_t fields_present; + bool query_info2; + bool set_info2; + NTSTATUS set_error; + } pwd_tests[] = { + + /* level 21 */ + { + .level = 21, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_EXPIRED_FLAG + },{ + .level = 21, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_LAST_PWD_CHANGE, + .set_error = NT_STATUS_ACCESS_DENIED + },{ + .level = 21, + .password_expired_nonzero = 1, + .fields_present = 0, + .set_error = NT_STATUS_INVALID_PARAMETER + },{ + .level = 21, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_COMMENT, + +#if 0 + /* FIXME */ + },{ + .level = 21, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_PASSWORD | + SAMR_FIELD_PASSWORD2 | + SAMR_FIELD_LAST_PWD_CHANGE, + .query_info2 = false, + .set_error = NT_STATUS_ACCESS_DENIED +#endif + + /* level 23 */ + },{ + .level = 23, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_EXPIRED_FLAG + },{ + .level = 23, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_LAST_PWD_CHANGE, + .set_error = NT_STATUS_ACCESS_DENIED + },{ + .level = 23, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_LAST_PWD_CHANGE | + SAMR_FIELD_PASSWORD | + SAMR_FIELD_PASSWORD2, + .set_error = NT_STATUS_ACCESS_DENIED + },{ + .level = 23, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_LAST_PWD_CHANGE | + SAMR_FIELD_PASSWORD | + SAMR_FIELD_PASSWORD2 | + SAMR_FIELD_EXPIRED_FLAG, + .set_error = NT_STATUS_ACCESS_DENIED + },{ + .level = 23, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_PASSWORD | + SAMR_FIELD_PASSWORD2 | + SAMR_FIELD_EXPIRED_FLAG + },{ + .level = 23, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_PASSWORD | + SAMR_FIELD_PASSWORD2, + },{ + .level = 23, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_COMMENT, + },{ + .level = 23, + .password_expired_nonzero = 1, + .fields_present = 0, + .set_error = NT_STATUS_INVALID_PARAMETER + },{ + + /* level 24 */ + + .level = 24, + .password_expired_nonzero = 1 + },{ + .level = 24, + .password_expired_nonzero = 24 + },{ + + /* level 25 */ + + .level = 25, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_LAST_PWD_CHANGE, + .set_error = NT_STATUS_ACCESS_DENIED + },{ + .level = 25, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_EXPIRED_FLAG, + },{ + .level = 25, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_PASSWORD | + SAMR_FIELD_PASSWORD2 | + SAMR_FIELD_EXPIRED_FLAG + },{ + .level = 25, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_PASSWORD | + SAMR_FIELD_PASSWORD2, + },{ + .level = 25, + .password_expired_nonzero = 1, + .fields_present = SAMR_FIELD_COMMENT, + },{ + + /* level 26 */ + + .level = 26, + .password_expired_nonzero = 1 + },{ + .level = 26, + .password_expired_nonzero = 24 + } + }; + + if (torture_setting_bool(tctx, "samba3", false)) { + delay = 1000000; + printf("Samba3 has second granularity, setting delay to: %d\n", + delay); + } + + /* set to 1 to enable testing for all possible opcode + (SetUserInfo, SetUserInfo2, QueryUserInfo, QueryUserInfo2) + combinations */ +#if 0 +#define TEST_SET_LEVELS 1 +#define TEST_QUERY_LEVELS 1 +#endif + for (i=0; i<ARRAY_SIZE(pwd_tests); i++) { +#ifdef TEST_SET_LEVELS + for (s=0; s<ARRAY_SIZE(set_levels); s++) { +#endif +#ifdef TEST_QUERY_LEVELS + for (q=0; q<ARRAY_SIZE(query_levels); q++) { +#endif + NTTIME pwdlastset_old = 0; + NTTIME pwdlastset_new = 0; + + torture_comment(tctx, "------------------------------\n" + "Testing pwdLastSet attribute for flags: 0x%08x " + "(s: %d (l: %d), q: %d)\n", + acct_flags, s, pwd_tests[i].level, q); + + /* set #1 */ + + /* set a password and force password change (pwdlastset 0) by + * setting the password expired flag to a non-0 value */ + + if (!test_SetPassword_level(p, tctx, handle, + pwd_tests[i].level, + pwd_tests[i].fields_present, + pwd_tests[i].password_expired_nonzero, + pwd_tests[i].set_error, + set_levels[s], + password, + query_levels[q], + &pwdlastset_old)) { + ret = false; + } + + if (!NT_STATUS_IS_OK(pwd_tests[i].set_error)) { + /* skipping on expected failure */ + continue; + } + + /* pwdlastset must be 0 afterwards, except for a level 21, 23 and 25 + * set without the SAMR_FIELD_EXPIRED_FLAG */ + + switch (pwd_tests[i].level) { + case 21: + case 23: + case 25: + if ((pwdlastset_new != 0) && + !(pwd_tests[i].fields_present & SAMR_FIELD_EXPIRED_FLAG)) { + torture_comment(tctx, "not considering a non-0 " + "pwdLastSet as a an error as the " + "SAMR_FIELD_EXPIRED_FLAG has not " + "been set\n"); + break; + } + default: + if (pwdlastset_new != 0) { + torture_warning(tctx, "pwdLastSet test failed: " + "expected pwdLastSet 0 but got %lld\n", + pwdlastset_old); + ret = false; + } + break; + } + + usleep(delay); + + /* set #2 */ + + /* set a password, pwdlastset needs to get updated (increased + * value), password_expired value used here is 0 */ + + if (!test_SetPassword_level(p, tctx, handle, pwd_tests[i].level, + pwd_tests[i].fields_present, + 0, + pwd_tests[i].set_error, + set_levels[s], + password, + query_levels[q], + &pwdlastset_new)) { + + ret = false; + } + + /* when a password has been changed, pwdlastset must not be 0 afterwards + * and must be larger then the old value */ + + switch (pwd_tests[i].level) { + case 21: + case 23: + case 25: + + /* SAMR_FIELD_EXPIRED_FLAG has not been set and no + * password has been changed, old and new pwdlastset + * need to be the same value */ + + if (!(pwd_tests[i].fields_present & SAMR_FIELD_EXPIRED_FLAG) && + !((pwd_tests[i].fields_present & SAMR_FIELD_PASSWORD) || + (pwd_tests[i].fields_present & SAMR_FIELD_PASSWORD2))) + { + torture_assert_int_equal(tctx, pwdlastset_old, + pwdlastset_new, "pwdlastset must be equal"); + break; + } + default: + if (pwdlastset_old >= pwdlastset_new) { + torture_warning(tctx, "pwdLastSet test failed: " + "expected last pwdlastset (%lld) < new pwdlastset (%lld)\n", + pwdlastset_old, pwdlastset_new); + ret = false; + } + if (pwdlastset_new == 0) { + torture_warning(tctx, "pwdLastSet test failed: " + "expected non-0 pwdlastset, got: %lld\n", + pwdlastset_new); + ret = false; + } + } + + pwdlastset_old = pwdlastset_new; + + usleep(delay); + + /* set #3 */ + + /* set a password and force password change (pwdlastset 0) by + * setting the password expired flag to a non-0 value */ + + if (!test_SetPassword_level(p, tctx, handle, pwd_tests[i].level, + pwd_tests[i].fields_present, + pwd_tests[i].password_expired_nonzero, + pwd_tests[i].set_error, + set_levels[s], + password, + query_levels[q], + &pwdlastset_new)) { + ret = false; + } + + /* pwdlastset must be 0 afterwards, except for a level 21, 23 and 25 + * set without the SAMR_FIELD_EXPIRED_FLAG */ + + switch (pwd_tests[i].level) { + case 21: + case 23: + case 25: + if ((pwdlastset_new != 0) && + !(pwd_tests[i].fields_present & SAMR_FIELD_EXPIRED_FLAG)) { + torture_comment(tctx, "not considering a non-0 " + "pwdLastSet as a an error as the " + "SAMR_FIELD_EXPIRED_FLAG has not " + "been set\n"); + break; + } + + /* SAMR_FIELD_EXPIRED_FLAG has not been set and no + * password has been changed, old and new pwdlastset + * need to be the same value */ + + if (!(pwd_tests[i].fields_present & SAMR_FIELD_EXPIRED_FLAG) && + !((pwd_tests[i].fields_present & SAMR_FIELD_PASSWORD) || + (pwd_tests[i].fields_present & SAMR_FIELD_PASSWORD2))) + { + torture_assert_int_equal(tctx, pwdlastset_old, + pwdlastset_new, "pwdlastset must be equal"); + break; + } + default: + + if (pwdlastset_old == pwdlastset_new) { + torture_warning(tctx, "pwdLastSet test failed: " + "expected last pwdlastset (%lld) != new pwdlastset (%lld)\n", + pwdlastset_old, pwdlastset_new); + ret = false; + } + + if (pwdlastset_new != 0) { + torture_warning(tctx, "pwdLastSet test failed: " + "expected pwdLastSet 0, got %lld\n", + pwdlastset_old); + ret = false; + } + break; + } +#ifdef TEST_QUERY_LEVELS + } +#endif +#ifdef TEST_SET_LEVELS + } +#endif + } + +#undef TEST_SET_LEVELS +#undef TEST_QUERY_LEVELS + + return ret; +} static bool test_user_ops(struct dcerpc_pipe *p, struct torture_context *tctx, @@ -2061,6 +2780,7 @@ static bool test_user_ops(struct dcerpc_pipe *p, { char *password = NULL; struct samr_QueryUserInfo q; + union samr_UserInfo *info; NTSTATUS status; bool ret = true; @@ -2143,7 +2863,7 @@ static bool test_user_ops(struct dcerpc_pipe *p, ret = false; } } - + for (i = 0; password_fields[i]; i++) { if (!test_SetUserPass_23(p, tctx, user_handle, password_fields[i], &password)) { ret = false; @@ -2176,6 +2896,7 @@ static bool test_user_ops(struct dcerpc_pipe *p, q.in.user_handle = user_handle; q.in.level = 5; + q.out.info = &info; status = dcerpc_samr_QueryUserInfo(p, tctx, &q); if (!NT_STATUS_IS_OK(status)) { @@ -2184,20 +2905,37 @@ static bool test_user_ops(struct dcerpc_pipe *p, ret = false; } else { uint32_t expected_flags = (base_acct_flags | ACB_PWNOTREQ | ACB_DISABLED); - if ((q.out.info->info5.acct_flags) != expected_flags) { + if ((info->info5.acct_flags) != expected_flags) { printf("QuerUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n", - q.out.info->info5.acct_flags, + info->info5.acct_flags, expected_flags); ret = false; } - if (q.out.info->info5.rid != rid) { + if (info->info5.rid != rid) { printf("QuerUserInfo level 5 failed, it returned %u when we expected rid of %u\n", - q.out.info->info5.rid, rid); + info->info5.rid, rid); } } break; + + case TORTURE_SAMR_PASSWORDS_PWDLASTSET: + + /* test last password change timestamp behaviour */ + if (!test_SetPassword_pwdlastset(p, tctx, base_acct_flags, + user_handle, &password)) { + ret = false; + } + + if (ret == true) { + torture_comment(tctx, "pwdLastSet test succeeded\n"); + } else { + torture_warning(tctx, "pwdLastSet test failed\n"); + } + + break; + case TORTURE_SAMR_OTHER: /* We just need the account to exist */ break; @@ -2481,6 +3219,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, /* set samr_SetDomainInfo level 1 with min_length 5 */ { struct samr_QueryDomainInfo r; + union samr_DomainInfo *info = NULL; struct samr_SetDomainInfo s; uint16_t len_old, len; uint32_t pwd_prop_old; @@ -2491,6 +3230,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.domain_handle = domain_handle; r.in.level = 1; + r.out.info = &info; printf("testing samr_QueryDomainInfo level 1\n"); status = dcerpc_samr_QueryDomainInfo(p, mem_ctx, &r); @@ -2500,7 +3240,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, s.in.domain_handle = domain_handle; s.in.level = 1; - s.in.info = r.out.info; + s.in.info = info; /* remember the old min length, so we can reset it */ len_old = s.in.info->info1.min_password_length; @@ -2540,13 +3280,17 @@ static bool test_ChangePassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, NTSTATUS status; struct samr_OpenUser r; struct samr_QueryUserInfo q; + union samr_UserInfo *info; struct samr_LookupNames n; struct policy_handle user_handle; + struct samr_Ids rids, types; n.in.domain_handle = domain_handle; n.in.num_names = 1; n.in.names = talloc_array(mem_ctx, struct lsa_String, 1); n.in.names[0].string = acct_name; + n.out.rids = &rids; + n.out.types = &types; status = dcerpc_samr_LookupNames(p, mem_ctx, &n); if (!NT_STATUS_IS_OK(status)) { @@ -2556,17 +3300,18 @@ static bool test_ChangePassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.domain_handle = domain_handle; r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - r.in.rid = n.out.rids.ids[0]; + r.in.rid = n.out.rids->ids[0]; r.out.user_handle = &user_handle; status = dcerpc_samr_OpenUser(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { - printf("OpenUser(%u) failed - %s\n", n.out.rids.ids[0], nt_errstr(status)); + printf("OpenUser(%u) failed - %s\n", n.out.rids->ids[0], nt_errstr(status)); return false; } q.in.user_handle = &user_handle; q.in.level = 5; + q.out.info = &info; status = dcerpc_samr_QueryUserInfo(p, mem_ctx, &q); if (!NT_STATUS_IS_OK(status)) { @@ -2577,7 +3322,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, printf("calling test_ChangePasswordUser3 with too early password change\n"); if (!test_ChangePasswordUser3(p, mem_ctx, acct_name, 0, password, NULL, - q.out.info->info5.last_password_change, true)) { + info->info5.last_password_change, true)) { ret = false; } } @@ -2607,6 +3352,7 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx, NTSTATUS status; struct samr_CreateUser r; struct samr_QueryUserInfo q; + union samr_UserInfo *info; struct samr_DeleteUser d; uint32_t rid; @@ -2654,6 +3400,7 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx, } else { q.in.user_handle = &user_handle; q.in.level = 16; + q.out.info = &info; status = dcerpc_samr_QueryUserInfo(p, user_ctx, &q); if (!NT_STATUS_IS_OK(status)) { @@ -2661,9 +3408,9 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx, q.in.level, nt_errstr(status)); ret = false; } else { - if ((q.out.info->info16.acct_flags & acct_flags) != acct_flags) { + if ((info->info16.acct_flags & acct_flags) != acct_flags) { printf("QuerUserInfo level 16 failed, it returned 0x%08x when we expected flags of 0x%08x\n", - q.out.info->info16.acct_flags, + info->info16.acct_flags, acct_flags); ret = false; } @@ -2705,6 +3452,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx NTSTATUS status; struct samr_CreateUser2 r; struct samr_QueryUserInfo q; + union samr_UserInfo *info; struct samr_DeleteUser d; struct policy_handle user_handle; uint32_t rid; @@ -2783,6 +3531,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx if (NT_STATUS_IS_OK(status)) { q.in.user_handle = &user_handle; q.in.level = 5; + q.out.info = &info; status = dcerpc_samr_QueryUserInfo(p, user_ctx, &q); if (!NT_STATUS_IS_OK(status)) { @@ -2794,31 +3543,31 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx if (acct_flags == ACB_NORMAL) { expected_flags |= ACB_PW_EXPIRED; } - if ((q.out.info->info5.acct_flags) != expected_flags) { + if ((info->info5.acct_flags) != expected_flags) { printf("QuerUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n", - q.out.info->info5.acct_flags, + info->info5.acct_flags, expected_flags); ret = false; } switch (acct_flags) { case ACB_SVRTRUST: - if (q.out.info->info5.primary_gid != DOMAIN_RID_DCS) { + if (info->info5.primary_gid != DOMAIN_RID_DCS) { printf("QuerUserInfo level 5: DC should have had Primary Group %d, got %d\n", - DOMAIN_RID_DCS, q.out.info->info5.primary_gid); + DOMAIN_RID_DCS, info->info5.primary_gid); ret = false; } break; case ACB_WSTRUST: - if (q.out.info->info5.primary_gid != DOMAIN_RID_DOMAIN_MEMBERS) { + if (info->info5.primary_gid != DOMAIN_RID_DOMAIN_MEMBERS) { printf("QuerUserInfo level 5: Domain Member should have had Primary Group %d, got %d\n", - DOMAIN_RID_DOMAIN_MEMBERS, q.out.info->info5.primary_gid); + DOMAIN_RID_DOMAIN_MEMBERS, info->info5.primary_gid); ret = false; } break; case ACB_NORMAL: - if (q.out.info->info5.primary_gid != DOMAIN_RID_USERS) { + if (info->info5.primary_gid != DOMAIN_RID_USERS) { printf("QuerUserInfo level 5: Users should have had Primary Group %d, got %d\n", - DOMAIN_RID_USERS, q.out.info->info5.primary_gid); + DOMAIN_RID_USERS, info->info5.primary_gid); ret = false; } break; @@ -2852,6 +3601,7 @@ static bool test_QueryAliasInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, { NTSTATUS status; struct samr_QueryAliasInfo r; + union samr_AliasInfo *info; uint16_t levels[] = {1, 2, 3}; int i; bool ret = true; @@ -2861,6 +3611,7 @@ static bool test_QueryAliasInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.alias_handle = handle; r.in.level = levels[i]; + r.out.info = &info; status = dcerpc_samr_QueryAliasInfo(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -2878,6 +3629,7 @@ static bool test_QueryGroupInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, { NTSTATUS status; struct samr_QueryGroupInfo r; + union samr_GroupInfo *info; uint16_t levels[] = {1, 2, 3, 4, 5}; int i; bool ret = true; @@ -2887,6 +3639,7 @@ static bool test_QueryGroupInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.group_handle = handle; r.in.level = levels[i]; + r.out.info = &info; status = dcerpc_samr_QueryGroupInfo(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -2904,11 +3657,13 @@ static bool test_QueryGroupMember(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, { NTSTATUS status; struct samr_QueryGroupMember r; + struct samr_RidTypeArray *rids = NULL; bool ret = true; printf("Testing QueryGroupMember\n"); r.in.group_handle = handle; + r.out.rids = &rids; status = dcerpc_samr_QueryGroupMember(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -2925,6 +3680,7 @@ static bool test_SetGroupInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, { NTSTATUS status; struct samr_QueryGroupInfo r; + union samr_GroupInfo *info; struct samr_SetGroupInfo s; uint16_t levels[] = {1, 2, 3, 4}; uint16_t set_ok[] = {0, 1, 1, 1}; @@ -2936,6 +3692,7 @@ static bool test_SetGroupInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.group_handle = handle; r.in.level = levels[i]; + r.out.info = &info; status = dcerpc_samr_QueryGroupInfo(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -2948,7 +3705,7 @@ static bool test_SetGroupInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, s.in.group_handle = handle; s.in.level = levels[i]; - s.in.info = r.out.info; + s.in.info = *r.out.info; #if 0 /* disabled this, as it changes the name only from the point of view of samr, @@ -2990,6 +3747,7 @@ static bool test_QueryUserInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, { NTSTATUS status; struct samr_QueryUserInfo r; + union samr_UserInfo *info; uint16_t levels[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 20, 21}; int i; @@ -3000,6 +3758,7 @@ static bool test_QueryUserInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.user_handle = handle; r.in.level = levels[i]; + r.out.info = &info; status = dcerpc_samr_QueryUserInfo(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -3017,6 +3776,7 @@ static bool test_QueryUserInfo2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, { NTSTATUS status; struct samr_QueryUserInfo2 r; + union samr_UserInfo *info; uint16_t levels[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 20, 21}; int i; @@ -3027,6 +3787,7 @@ static bool test_QueryUserInfo2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.user_handle = handle; r.in.level = levels[i]; + r.out.info = &info; status = dcerpc_samr_QueryUserInfo2(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -3174,6 +3935,7 @@ static bool check_mask(struct dcerpc_pipe *p, struct torture_context *tctx, NTSTATUS status; struct samr_OpenUser r; struct samr_QueryUserInfo q; + union samr_UserInfo *info; struct policy_handle user_handle; bool ret = true; @@ -3192,6 +3954,7 @@ static bool check_mask(struct dcerpc_pipe *p, struct torture_context *tctx, q.in.user_handle = &user_handle; q.in.level = 16; + q.out.info = &info; status = dcerpc_samr_QueryUserInfo(p, tctx, &q); if (!NT_STATUS_IS_OK(status)) { @@ -3199,9 +3962,9 @@ static bool check_mask(struct dcerpc_pipe *p, struct torture_context *tctx, nt_errstr(status)); ret = false; } else { - if ((acct_flag_mask & q.out.info->info16.acct_flags) == 0) { + if ((acct_flag_mask & info->info16.acct_flags) == 0) { printf("Server failed to filter for 0x%x, allowed 0x%x (%d) on EnumDomainUsers\n", - acct_flag_mask, q.out.info->info16.acct_flags, rid); + acct_flag_mask, info->info16.acct_flags, rid); ret = false; } } @@ -3223,6 +3986,11 @@ static bool test_EnumDomainUsers(struct dcerpc_pipe *p, struct torture_context * bool ret = true; struct samr_LookupNames n; struct samr_LookupRids lr ; + struct lsa_Strings names; + struct samr_Ids rids, types; + struct samr_SamArray *sam = NULL; + uint32_t num_entries = 0; + uint32_t masks[] = {ACB_NORMAL, ACB_DOMTRUST, ACB_WSTRUST, ACB_DISABLED, ACB_NORMAL | ACB_DISABLED, ACB_SVRTRUST | ACB_DOMTRUST | ACB_WSTRUST, @@ -3236,6 +4004,8 @@ static bool test_EnumDomainUsers(struct dcerpc_pipe *p, struct torture_context * r.in.acct_flags = mask = masks[mask_idx]; r.in.max_size = (uint32_t)-1; r.out.resume_handle = &resume_handle; + r.out.num_entries = &num_entries; + r.out.sam = &sam; status = dcerpc_samr_EnumDomainUsers(p, tctx, &r); if (!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES) && @@ -3244,18 +4014,18 @@ static bool test_EnumDomainUsers(struct dcerpc_pipe *p, struct torture_context * return false; } - torture_assert(tctx, r.out.sam, "EnumDomainUsers failed: r.out.sam unexpectedly NULL"); + torture_assert(tctx, sam, "EnumDomainUsers failed: r.out.sam unexpectedly NULL"); - if (r.out.sam->count == 0) { + if (sam->count == 0) { continue; } - for (i=0;i<r.out.sam->count;i++) { + for (i=0;i<sam->count;i++) { if (mask) { - if (!check_mask(p, tctx, handle, r.out.sam->entries[i].idx, mask)) { + if (!check_mask(p, tctx, handle, sam->entries[i].idx, mask)) { ret = false; } - } else if (!test_OpenUser(p, tctx, handle, r.out.sam->entries[i].idx)) { + } else if (!test_OpenUser(p, tctx, handle, sam->entries[i].idx)) { ret = false; } } @@ -3263,10 +4033,12 @@ static bool test_EnumDomainUsers(struct dcerpc_pipe *p, struct torture_context * printf("Testing LookupNames\n"); n.in.domain_handle = handle; - n.in.num_names = r.out.sam->count; - n.in.names = talloc_array(tctx, struct lsa_String, r.out.sam->count); - for (i=0;i<r.out.sam->count;i++) { - n.in.names[i].string = r.out.sam->entries[i].name.string; + n.in.num_names = sam->count; + n.in.names = talloc_array(tctx, struct lsa_String, sam->count); + n.out.rids = &rids; + n.out.types = &types; + for (i=0;i<sam->count;i++) { + n.in.names[i].string = sam->entries[i].name.string; } status = dcerpc_samr_LookupNames(p, tctx, &n); if (!NT_STATUS_IS_OK(status)) { @@ -3277,10 +4049,12 @@ static bool test_EnumDomainUsers(struct dcerpc_pipe *p, struct torture_context * printf("Testing LookupRids\n"); lr.in.domain_handle = handle; - lr.in.num_rids = r.out.sam->count; - lr.in.rids = talloc_array(tctx, uint32_t, r.out.sam->count); - for (i=0;i<r.out.sam->count;i++) { - lr.in.rids[i] = r.out.sam->entries[i].idx; + lr.in.num_rids = sam->count; + lr.in.rids = talloc_array(tctx, uint32_t, sam->count); + lr.out.names = &names; + lr.out.types = &types; + for (i=0;i<sam->count;i++) { + lr.in.rids[i] = sam->entries[i].idx; } status = dcerpc_samr_LookupRids(p, tctx, &lr); torture_assert_ntstatus_ok(tctx, status, "LookupRids"); @@ -3337,6 +4111,8 @@ static bool test_EnumDomainGroups(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, NTSTATUS status; struct samr_EnumDomainGroups r; uint32_t resume_handle=0; + struct samr_SamArray *sam = NULL; + uint32_t num_entries = 0; int i; bool ret = true; @@ -3346,6 +4122,8 @@ static bool test_EnumDomainGroups(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.resume_handle = &resume_handle; r.in.max_size = (uint32_t)-1; r.out.resume_handle = &resume_handle; + r.out.num_entries = &num_entries; + r.out.sam = &sam; status = dcerpc_samr_EnumDomainGroups(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -3353,12 +4131,12 @@ static bool test_EnumDomainGroups(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return false; } - if (!r.out.sam) { + if (!sam) { return false; } - for (i=0;i<r.out.sam->count;i++) { - if (!test_OpenGroup(p, mem_ctx, handle, r.out.sam->entries[i].idx)) { + for (i=0;i<sam->count;i++) { + if (!test_OpenGroup(p, mem_ctx, handle, sam->entries[i].idx)) { ret = false; } } @@ -3372,6 +4150,8 @@ static bool test_EnumDomainAliases(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, NTSTATUS status; struct samr_EnumDomainAliases r; uint32_t resume_handle=0; + struct samr_SamArray *sam = NULL; + uint32_t num_entries = 0; int i; bool ret = true; @@ -3379,7 +4159,9 @@ static bool test_EnumDomainAliases(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.domain_handle = handle; r.in.resume_handle = &resume_handle; - r.in.acct_flags = (uint32_t)-1; + r.in.max_size = (uint32_t)-1; + r.out.sam = &sam; + r.out.num_entries = &num_entries; r.out.resume_handle = &resume_handle; status = dcerpc_samr_EnumDomainAliases(p, mem_ctx, &r); @@ -3388,12 +4170,12 @@ static bool test_EnumDomainAliases(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return false; } - if (!r.out.sam) { + if (!sam) { return false; } - for (i=0;i<r.out.sam->count;i++) { - if (!test_OpenAlias(p, mem_ctx, handle, r.out.sam->entries[i].idx)) { + for (i=0;i<sam->count;i++) { + if (!test_OpenAlias(p, mem_ctx, handle, sam->entries[i].idx)) { ret = false; } } @@ -3409,14 +4191,19 @@ static bool test_GetDisplayEnumerationIndex(struct dcerpc_pipe *p, TALLOC_CTX *m bool ret = true; uint16_t levels[] = {1, 2, 3, 4, 5}; uint16_t ok_lvl[] = {1, 1, 1, 0, 0}; + struct lsa_String name; + uint32_t idx = 0; int i; for (i=0;i<ARRAY_SIZE(levels);i++) { printf("Testing GetDisplayEnumerationIndex level %u\n", levels[i]); + init_lsa_String(&name, TEST_ACCOUNT_NAME); + r.in.domain_handle = handle; r.in.level = levels[i]; - init_lsa_String(&r.in.name, TEST_ACCOUNT_NAME); + r.in.name = &name; + r.out.idx = &idx; status = dcerpc_samr_GetDisplayEnumerationIndex(p, mem_ctx, &r); @@ -3428,7 +4215,7 @@ static bool test_GetDisplayEnumerationIndex(struct dcerpc_pipe *p, TALLOC_CTX *m ret = false; } - init_lsa_String(&r.in.name, "zzzzzzzz"); + init_lsa_String(&name, "zzzzzzzz"); status = dcerpc_samr_GetDisplayEnumerationIndex(p, mem_ctx, &r); @@ -3450,14 +4237,19 @@ static bool test_GetDisplayEnumerationIndex2(struct dcerpc_pipe *p, TALLOC_CTX * bool ret = true; uint16_t levels[] = {1, 2, 3, 4, 5}; uint16_t ok_lvl[] = {1, 1, 1, 0, 0}; + struct lsa_String name; + uint32_t idx = 0; int i; for (i=0;i<ARRAY_SIZE(levels);i++) { printf("Testing GetDisplayEnumerationIndex2 level %u\n", levels[i]); + init_lsa_String(&name, TEST_ACCOUNT_NAME); + r.in.domain_handle = handle; r.in.level = levels[i]; - init_lsa_String(&r.in.name, TEST_ACCOUNT_NAME); + r.in.name = &name; + r.out.idx = &idx; status = dcerpc_samr_GetDisplayEnumerationIndex2(p, mem_ctx, &r); if (ok_lvl[i] && @@ -3468,7 +4260,7 @@ static bool test_GetDisplayEnumerationIndex2(struct dcerpc_pipe *p, TALLOC_CTX * ret = false; } - init_lsa_String(&r.in.name, "zzzzzzzz"); + init_lsa_String(&name, "zzzzzzzz"); status = dcerpc_samr_GetDisplayEnumerationIndex2(p, mem_ctx, &r); if (ok_lvl[i] && !NT_STATUS_EQUAL(NT_STATUS_NO_MORE_ENTRIES, status)) { @@ -3502,6 +4294,7 @@ static bool test_each_DisplayInfo_user(struct dcerpc_pipe *p, TALLOC_CTX *mem_ct { struct samr_OpenUser r; struct samr_QueryUserInfo q; + union samr_UserInfo *info; struct policy_handle user_handle; int i, ret = true; NTSTATUS status; @@ -3510,16 +4303,16 @@ static bool test_each_DisplayInfo_user(struct dcerpc_pipe *p, TALLOC_CTX *mem_ct for (i = 0; ; i++) { switch (querydisplayinfo->in.level) { case 1: - if (i >= querydisplayinfo->out.info.info1.count) { + if (i >= querydisplayinfo->out.info->info1.count) { return ret; } - r.in.rid = querydisplayinfo->out.info.info1.entries[i].rid; + r.in.rid = querydisplayinfo->out.info->info1.entries[i].rid; break; case 2: - if (i >= querydisplayinfo->out.info.info2.count) { + if (i >= querydisplayinfo->out.info->info2.count) { return ret; } - r.in.rid = querydisplayinfo->out.info.info2.entries[i].rid; + r.in.rid = querydisplayinfo->out.info->info2.entries[i].rid; break; case 3: /* Groups */ @@ -3543,6 +4336,7 @@ static bool test_each_DisplayInfo_user(struct dcerpc_pipe *p, TALLOC_CTX *mem_ct q.in.user_handle = &user_handle; q.in.level = 21; + q.out.info = &info; status = dcerpc_samr_QueryUserInfo(p, mem_ctx, &q); if (!NT_STATUS_IS_OK(status)) { printf("QueryUserInfo(%u) failed - %s\n", r.in.rid, nt_errstr(status)); @@ -3551,41 +4345,41 @@ static bool test_each_DisplayInfo_user(struct dcerpc_pipe *p, TALLOC_CTX *mem_ct switch (querydisplayinfo->in.level) { case 1: - if (seen_testuser && strcmp(q.out.info->info21.account_name.string, TEST_ACCOUNT_NAME) == 0) { + if (seen_testuser && strcmp(info->info21.account_name.string, TEST_ACCOUNT_NAME) == 0) { *seen_testuser = true; } - STRING_EQUAL_QUERY(querydisplayinfo->out.info.info1.entries[i].full_name, - q.out.info->info21.full_name, q.out.info->info21.account_name); - STRING_EQUAL_QUERY(querydisplayinfo->out.info.info1.entries[i].account_name, - q.out.info->info21.account_name, q.out.info->info21.account_name); - STRING_EQUAL_QUERY(querydisplayinfo->out.info.info1.entries[i].description, - q.out.info->info21.description, q.out.info->info21.account_name); - INT_EQUAL_QUERY(querydisplayinfo->out.info.info1.entries[i].rid, - q.out.info->info21.rid, q.out.info->info21.account_name); - INT_EQUAL_QUERY(querydisplayinfo->out.info.info1.entries[i].acct_flags, - q.out.info->info21.acct_flags, q.out.info->info21.account_name); + STRING_EQUAL_QUERY(querydisplayinfo->out.info->info1.entries[i].full_name, + info->info21.full_name, info->info21.account_name); + STRING_EQUAL_QUERY(querydisplayinfo->out.info->info1.entries[i].account_name, + info->info21.account_name, info->info21.account_name); + STRING_EQUAL_QUERY(querydisplayinfo->out.info->info1.entries[i].description, + info->info21.description, info->info21.account_name); + INT_EQUAL_QUERY(querydisplayinfo->out.info->info1.entries[i].rid, + info->info21.rid, info->info21.account_name); + INT_EQUAL_QUERY(querydisplayinfo->out.info->info1.entries[i].acct_flags, + info->info21.acct_flags, info->info21.account_name); break; case 2: - STRING_EQUAL_QUERY(querydisplayinfo->out.info.info2.entries[i].account_name, - q.out.info->info21.account_name, q.out.info->info21.account_name); - STRING_EQUAL_QUERY(querydisplayinfo->out.info.info2.entries[i].description, - q.out.info->info21.description, q.out.info->info21.account_name); - INT_EQUAL_QUERY(querydisplayinfo->out.info.info2.entries[i].rid, - q.out.info->info21.rid, q.out.info->info21.account_name); - INT_EQUAL_QUERY((querydisplayinfo->out.info.info2.entries[i].acct_flags & ~ACB_NORMAL), - q.out.info->info21.acct_flags, q.out.info->info21.account_name); + STRING_EQUAL_QUERY(querydisplayinfo->out.info->info2.entries[i].account_name, + info->info21.account_name, info->info21.account_name); + STRING_EQUAL_QUERY(querydisplayinfo->out.info->info2.entries[i].description, + info->info21.description, info->info21.account_name); + INT_EQUAL_QUERY(querydisplayinfo->out.info->info2.entries[i].rid, + info->info21.rid, info->info21.account_name); + INT_EQUAL_QUERY((querydisplayinfo->out.info->info2.entries[i].acct_flags & ~ACB_NORMAL), + info->info21.acct_flags, info->info21.account_name); - if (!(querydisplayinfo->out.info.info2.entries[i].acct_flags & ACB_NORMAL)) { + if (!(querydisplayinfo->out.info->info2.entries[i].acct_flags & ACB_NORMAL)) { printf("Missing ACB_NORMAL in querydisplayinfo->out.info.info2.entries[i].acct_flags on %s\n", - q.out.info->info21.account_name.string); + info->info21.account_name.string); } - if (!(q.out.info->info21.acct_flags & (ACB_WSTRUST | ACB_SVRTRUST))) { + if (!(info->info21.acct_flags & (ACB_WSTRUST | ACB_SVRTRUST))) { printf("Found non-trust account %s in trust account listing: 0x%x 0x%x\n", - q.out.info->info21.account_name.string, - querydisplayinfo->out.info.info2.entries[i].acct_flags, - q.out.info->info21.acct_flags); + info->info21.account_name.string, + querydisplayinfo->out.info->info2.entries[i].acct_flags, + info->info21.acct_flags); return false; } @@ -3605,10 +4399,15 @@ static bool test_QueryDisplayInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, NTSTATUS status; struct samr_QueryDisplayInfo r; struct samr_QueryDomainInfo dom_info; + union samr_DomainInfo *info = NULL; bool ret = true; uint16_t levels[] = {1, 2, 3, 4, 5}; int i; bool seen_testuser = false; + uint32_t total_size; + uint32_t returned_size; + union samr_DispInfo disp_info; + for (i=0;i<ARRAY_SIZE(levels);i++) { printf("Testing QueryDisplayInfo level %u\n", levels[i]); @@ -3620,6 +4419,9 @@ static bool test_QueryDisplayInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.level = levels[i]; r.in.max_entries = 2; r.in.buf_size = (uint32_t)-1; + r.out.total_size = &total_size; + r.out.returned_size = &returned_size; + r.out.info = &disp_info; status = dcerpc_samr_QueryDisplayInfo(p, mem_ctx, &r); if (!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES) && !NT_STATUS_IS_OK(status)) { @@ -3632,27 +4434,29 @@ static bool test_QueryDisplayInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, if (!test_each_DisplayInfo_user(p, mem_ctx, &r, &seen_testuser)) { ret = false; } - r.in.start_idx += r.out.info.info1.count; + r.in.start_idx += r.out.info->info1.count; break; case 2: if (!test_each_DisplayInfo_user(p, mem_ctx, &r, NULL)) { ret = false; } - r.in.start_idx += r.out.info.info2.count; + r.in.start_idx += r.out.info->info2.count; break; case 3: - r.in.start_idx += r.out.info.info3.count; + r.in.start_idx += r.out.info->info3.count; break; case 4: - r.in.start_idx += r.out.info.info4.count; + r.in.start_idx += r.out.info->info4.count; break; case 5: - r.in.start_idx += r.out.info.info5.count; + r.in.start_idx += r.out.info->info5.count; break; } } dom_info.in.domain_handle = handle; dom_info.in.level = 2; + dom_info.out.info = &info; + /* Check number of users returned is correct */ status = dcerpc_samr_QueryDomainInfo(p, mem_ctx, &dom_info); if (!NT_STATUS_IS_OK(status)) { @@ -3664,17 +4468,17 @@ static bool test_QueryDisplayInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, switch (r.in.level) { case 1: case 4: - if (dom_info.out.info->general.num_users < r.in.start_idx) { + if (info->general.num_users < r.in.start_idx) { printf("QueryDomainInfo indicates that QueryDisplayInfo returned more users (%d/%d) than the domain %s is said to contain!\n", - r.in.start_idx, dom_info.out.info->general.num_groups, - dom_info.out.info->general.domain_name.string); + r.in.start_idx, info->general.num_groups, + info->general.domain_name.string); ret = false; } if (!seen_testuser) { struct policy_handle user_handle; if (NT_STATUS_IS_OK(test_OpenUser_byname(p, mem_ctx, handle, TEST_ACCOUNT_NAME, &user_handle))) { printf("Didn't find test user " TEST_ACCOUNT_NAME " in enumeration of %s\n", - dom_info.out.info->general.domain_name.string); + info->general.domain_name.string); ret = false; test_samr_handle_Close(p, mem_ctx, &user_handle); } @@ -3682,10 +4486,10 @@ static bool test_QueryDisplayInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, break; case 3: case 5: - if (dom_info.out.info->general.num_groups != r.in.start_idx) { + if (info->general.num_groups != r.in.start_idx) { printf("QueryDomainInfo indicates that QueryDisplayInfo didn't return all (%d/%d) the groups in %s\n", - r.in.start_idx, dom_info.out.info->general.num_groups, - dom_info.out.info->general.domain_name.string); + r.in.start_idx, info->general.num_groups, + info->general.domain_name.string); ret = false; } @@ -3705,6 +4509,9 @@ static bool test_QueryDisplayInfo2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, bool ret = true; uint16_t levels[] = {1, 2, 3, 4, 5}; int i; + uint32_t total_size; + uint32_t returned_size; + union samr_DispInfo info; for (i=0;i<ARRAY_SIZE(levels);i++) { printf("Testing QueryDisplayInfo2 level %u\n", levels[i]); @@ -3714,6 +4521,9 @@ static bool test_QueryDisplayInfo2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.start_idx = 0; r.in.max_entries = 1000; r.in.buf_size = (uint32_t)-1; + r.out.total_size = &total_size; + r.out.returned_size = &returned_size; + r.out.info = &info; status = dcerpc_samr_QueryDisplayInfo2(p, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -3734,6 +4544,9 @@ static bool test_QueryDisplayInfo3(struct dcerpc_pipe *p, struct torture_context bool ret = true; uint16_t levels[] = {1, 2, 3, 4, 5}; int i; + uint32_t total_size; + uint32_t returned_size; + union samr_DispInfo info; for (i=0;i<ARRAY_SIZE(levels);i++) { torture_comment(tctx, "Testing QueryDisplayInfo3 level %u\n", levels[i]); @@ -3743,6 +4556,9 @@ static bool test_QueryDisplayInfo3(struct dcerpc_pipe *p, struct torture_context r.in.start_idx = 0; r.in.max_entries = 1000; r.in.buf_size = (uint32_t)-1; + r.out.total_size = &total_size; + r.out.returned_size = &returned_size; + r.out.info = &info; status = dcerpc_samr_QueryDisplayInfo3(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -3762,6 +4578,9 @@ static bool test_QueryDisplayInfo_continue(struct dcerpc_pipe *p, TALLOC_CTX *me NTSTATUS status; struct samr_QueryDisplayInfo r; bool ret = true; + uint32_t total_size; + uint32_t returned_size; + union samr_DispInfo info; printf("Testing QueryDisplayInfo continuation\n"); @@ -3770,14 +4589,17 @@ static bool test_QueryDisplayInfo_continue(struct dcerpc_pipe *p, TALLOC_CTX *me r.in.start_idx = 0; r.in.max_entries = 1; r.in.buf_size = (uint32_t)-1; + r.out.total_size = &total_size; + r.out.returned_size = &returned_size; + r.out.info = &info; do { status = dcerpc_samr_QueryDisplayInfo(p, mem_ctx, &r); - if (NT_STATUS_IS_OK(status) && r.out.returned_size != 0) { - if (r.out.info.info1.entries[0].idx != r.in.start_idx + 1) { + if (NT_STATUS_IS_OK(status) && *r.out.returned_size != 0) { + if (r.out.info->info1.entries[0].idx != r.in.start_idx + 1) { printf("expected idx %d but got %d\n", r.in.start_idx + 1, - r.out.info.info1.entries[0].idx); + r.out.info->info1.entries[0].idx); break; } } @@ -3791,7 +4613,7 @@ static bool test_QueryDisplayInfo_continue(struct dcerpc_pipe *p, TALLOC_CTX *me r.in.start_idx++; } while ((NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES) || NT_STATUS_IS_OK(status)) && - r.out.returned_size != 0); + *r.out.returned_size != 0); return ret; } @@ -3801,6 +4623,7 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p, struct torture_context * { NTSTATUS status; struct samr_QueryDomainInfo r; + union samr_DomainInfo *info = NULL; struct samr_SetDomainInfo s; uint16_t levels[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13}; uint16_t set_ok[] = {1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0}; @@ -3827,6 +4650,7 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p, struct torture_context * r.in.domain_handle = handle; r.in.level = levels[i]; + r.out.info = &info; status = dcerpc_samr_QueryDomainInfo(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -3838,40 +4662,40 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p, struct torture_context * switch (levels[i]) { case 2: - if (strcmp(r.out.info->general.oem_information.string, domain_comment) != 0) { + if (strcmp(info->general.oem_information.string, domain_comment) != 0) { printf("QueryDomainInfo level %u returned different oem_information (comment) (%s, expected %s)\n", - levels[i], r.out.info->general.oem_information.string, domain_comment); + levels[i], info->general.oem_information.string, domain_comment); ret = false; } - if (!r.out.info->general.primary.string) { + if (!info->general.primary.string) { printf("QueryDomainInfo level %u returned no PDC name\n", levels[i]); ret = false; - } else if (r.out.info->general.role == SAMR_ROLE_DOMAIN_PDC) { - if (dcerpc_server_name(p) && strcasecmp_m(dcerpc_server_name(p), r.out.info->general.primary.string) != 0) { + } else if (info->general.role == SAMR_ROLE_DOMAIN_PDC) { + if (dcerpc_server_name(p) && strcasecmp_m(dcerpc_server_name(p), info->general.primary.string) != 0) { printf("QueryDomainInfo level %u returned different PDC name (%s) compared to server name (%s), despite claiming to be the PDC\n", - levels[i], r.out.info->general.primary.string, dcerpc_server_name(p)); + levels[i], info->general.primary.string, dcerpc_server_name(p)); } } break; case 4: - if (strcmp(r.out.info->oem.oem_information.string, domain_comment) != 0) { + if (strcmp(info->oem.oem_information.string, domain_comment) != 0) { printf("QueryDomainInfo level %u returned different oem_information (comment) (%s, expected %s)\n", - levels[i], r.out.info->oem.oem_information.string, domain_comment); + levels[i], info->oem.oem_information.string, domain_comment); ret = false; } break; case 6: - if (!r.out.info->info6.primary.string) { + if (!info->info6.primary.string) { printf("QueryDomainInfo level %u returned no PDC name\n", levels[i]); ret = false; } break; case 11: - if (strcmp(r.out.info->general2.general.oem_information.string, domain_comment) != 0) { + if (strcmp(info->general2.general.oem_information.string, domain_comment) != 0) { printf("QueryDomainInfo level %u returned different comment (%s, expected %s)\n", - levels[i], r.out.info->general2.general.oem_information.string, domain_comment); + levels[i], info->general2.general.oem_information.string, domain_comment); ret = false; } break; @@ -3881,7 +4705,7 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p, struct torture_context * s.in.domain_handle = handle; s.in.level = levels[i]; - s.in.info = r.out.info; + s.in.info = info; status = dcerpc_samr_SetDomainInfo(p, tctx, &s); if (set_ok[i]) { @@ -3918,6 +4742,7 @@ static bool test_QueryDomainInfo2(struct dcerpc_pipe *p, struct torture_context { NTSTATUS status; struct samr_QueryDomainInfo2 r; + union samr_DomainInfo *info = NULL; uint16_t levels[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13}; int i; bool ret = true; @@ -3927,6 +4752,7 @@ static bool test_QueryDomainInfo2(struct dcerpc_pipe *p, struct torture_context r.in.domain_handle = handle; r.in.level = levels[i]; + r.out.info = &info; status = dcerpc_samr_QueryDomainInfo2(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -3949,8 +4775,13 @@ static bool test_GroupList(struct dcerpc_pipe *p, struct torture_context *tctx, struct samr_QueryDisplayInfo q2; NTSTATUS status; uint32_t resume_handle=0; + struct samr_SamArray *sam = NULL; + uint32_t num_entries = 0; int i; bool ret = true; + uint32_t total_size; + uint32_t returned_size; + union samr_DispInfo info; int num_names = 0; const char **names = NULL; @@ -3961,6 +4792,8 @@ static bool test_GroupList(struct dcerpc_pipe *p, struct torture_context *tctx, q1.in.resume_handle = &resume_handle; q1.in.max_size = 5; q1.out.resume_handle = &resume_handle; + q1.out.num_entries = &num_entries; + q1.out.sam = &sam; status = STATUS_MORE_ENTRIES; while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { @@ -3970,22 +4803,25 @@ static bool test_GroupList(struct dcerpc_pipe *p, struct torture_context *tctx, !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) break; - for (i=0; i<q1.out.num_entries; i++) { + for (i=0; i<*q1.out.num_entries; i++) { add_string_to_array(tctx, - q1.out.sam->entries[i].name.string, + sam->entries[i].name.string, &names, &num_names); } } torture_assert_ntstatus_ok(tctx, status, "EnumDomainGroups"); - torture_assert(tctx, q1.out.sam, "EnumDomainGroups failed to return q1.out.sam"); + torture_assert(tctx, sam, "EnumDomainGroups failed to return sam"); q2.in.domain_handle = handle; q2.in.level = 5; q2.in.start_idx = 0; q2.in.max_entries = 5; q2.in.buf_size = (uint32_t)-1; + q2.out.total_size = &total_size; + q2.out.returned_size = &returned_size; + q2.out.info = &info; status = STATUS_MORE_ENTRIES; while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { @@ -3995,9 +4831,9 @@ static bool test_GroupList(struct dcerpc_pipe *p, struct torture_context *tctx, !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) break; - for (i=0; i<q2.out.info.info5.count; i++) { + for (i=0; i<q2.out.info->info5.count; i++) { int j; - const char *name = q2.out.info.info5.entries[i].account_name.string; + const char *name = q2.out.info->info5.entries[i].account_name.string; bool found = false; for (j=0; j<num_names; j++) { if (names[j] == NULL) @@ -4015,7 +4851,7 @@ static bool test_GroupList(struct dcerpc_pipe *p, struct torture_context *tctx, ret = false; } } - q2.in.start_idx += q2.out.info.info5.count; + q2.in.start_idx += q2.out.info->info5.count; } if (!NT_STATUS_IS_OK(status)) { @@ -4076,7 +4912,7 @@ static bool test_RidToSid(struct dcerpc_pipe *p, struct torture_context *tctx, struct samr_RidToSid r; NTSTATUS status; bool ret = true; - struct dom_sid *calc_sid; + struct dom_sid *calc_sid, *out_sid; int rids[] = { 0, 42, 512, 10200 }; int i; @@ -4086,6 +4922,7 @@ static bool test_RidToSid(struct dcerpc_pipe *p, struct torture_context *tctx, calc_sid = dom_sid_dup(tctx, domain_sid); r.in.domain_handle = domain_handle; r.in.rid = rids[i]; + r.out.sid = &out_sid; status = dcerpc_samr_RidToSid(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -4094,9 +4931,9 @@ static bool test_RidToSid(struct dcerpc_pipe *p, struct torture_context *tctx, } else { calc_sid = dom_sid_add_rid(calc_sid, calc_sid, rids[i]); - if (!dom_sid_equal(calc_sid, r.out.sid)) { + if (!dom_sid_equal(calc_sid, out_sid)) { printf("RidToSid for %d failed - got %s, expected %s\n", rids[i], - dom_sid_string(tctx, r.out.sid), + dom_sid_string(tctx, out_sid), dom_sid_string(tctx, calc_sid)); ret = false; } @@ -4112,10 +4949,12 @@ static bool test_GetBootKeyInformation(struct dcerpc_pipe *p, struct torture_con struct samr_GetBootKeyInformation r; NTSTATUS status; bool ret = true; + uint32_t unknown = 0; torture_comment(tctx, "Testing GetBootKeyInformation\n"); r.in.domain_handle = domain_handle; + r.out.unknown = &unknown; status = dcerpc_samr_GetBootKeyInformation(p, tctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -4134,6 +4973,7 @@ static bool test_AddGroupMember(struct dcerpc_pipe *p, struct torture_context *t struct samr_AddGroupMember r; struct samr_DeleteGroupMember d; struct samr_QueryGroupMember q; + struct samr_RidTypeArray *rids = NULL; struct samr_SetMemberAttributesOfGroup s; uint32_t rid; @@ -4173,6 +5013,7 @@ static bool test_AddGroupMember(struct dcerpc_pipe *p, struct torture_context *t } q.in.group_handle = group_handle; + q.out.rids = &rids; status = dcerpc_samr_QueryGroupMember(p, tctx, &q); torture_assert_ntstatus_ok(tctx, status, "QueryGroupMember"); @@ -4312,6 +5153,7 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx, switch (which_ops) { case TORTURE_SAMR_USER_ATTRIBUTES: case TORTURE_SAMR_PASSWORDS: + case TORTURE_SAMR_PASSWORDS_PWDLASTSET: ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops); ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops); /* This test needs 'complex' users to validate */ @@ -4388,6 +5230,7 @@ static bool test_LookupDomain(struct dcerpc_pipe *p, struct torture_context *tct { NTSTATUS status; struct samr_LookupDomain r; + struct dom_sid2 *sid = NULL; struct lsa_String n1; struct lsa_String n2; bool ret = true; @@ -4397,6 +5240,7 @@ static bool test_LookupDomain(struct dcerpc_pipe *p, struct torture_context *tct /* check for correct error codes */ r.in.connect_handle = handle; r.in.domain_name = &n2; + r.out.sid = &sid; n2.string = NULL; status = dcerpc_samr_LookupDomain(p, tctx, &r); @@ -4419,7 +5263,7 @@ static bool test_LookupDomain(struct dcerpc_pipe *p, struct torture_context *tct ret = false; } - if (!test_OpenDomain(p, tctx, handle, r.out.sid, which_ops)) { + if (!test_OpenDomain(p, tctx, handle, *r.out.sid, which_ops)) { ret = false; } @@ -4433,6 +5277,8 @@ static bool test_EnumDomains(struct dcerpc_pipe *p, struct torture_context *tctx NTSTATUS status; struct samr_EnumDomains r; uint32_t resume_handle = 0; + uint32_t num_entries = 0; + struct samr_SamArray *sam = NULL; int i; bool ret = true; @@ -4440,17 +5286,19 @@ static bool test_EnumDomains(struct dcerpc_pipe *p, struct torture_context *tctx r.in.resume_handle = &resume_handle; r.in.buf_size = (uint32_t)-1; r.out.resume_handle = &resume_handle; + r.out.num_entries = &num_entries; + r.out.sam = &sam; status = dcerpc_samr_EnumDomains(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "EnumDomains"); - if (!r.out.sam) { + if (!*r.out.sam) { return false; } - for (i=0;i<r.out.sam->count;i++) { + for (i=0;i<sam->count;i++) { if (!test_LookupDomain(p, tctx, handle, - r.out.sam->entries[i].name.string, which_ops)) { + sam->entries[i].name.string, which_ops)) { ret = false; } } @@ -4473,6 +5321,7 @@ static bool test_Connect(struct dcerpc_pipe *p, struct torture_context *tctx, struct samr_Connect5 r5; union samr_ConnectInfo info; struct policy_handle h; + uint32_t level_out = 0; bool ret = true, got_handle = false; torture_comment(tctx, "testing samr_Connect\n"); @@ -4553,9 +5402,10 @@ static bool test_Connect(struct dcerpc_pipe *p, struct torture_context *tctx, r5.in.system_name = ""; r5.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - r5.in.level = 1; - r5.in.info = &info; - r5.out.info = &info; + r5.in.level_in = 1; + r5.out.level_out = &level_out; + r5.in.info_in = &info; + r5.out.info_out = &info; r5.out.connect_handle = &h; status = dcerpc_samr_Connect5(p, tctx, &r5); @@ -4651,3 +5501,25 @@ bool torture_rpc_samr_passwords(struct torture_context *torture) return ret; } +bool torture_rpc_samr_passwords_pwdlastset(struct torture_context *torture) +{ + NTSTATUS status; + struct dcerpc_pipe *p; + bool ret = true; + struct policy_handle handle; + + status = torture_rpc_connection(torture, &p, &ndr_table_samr); + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + ret &= test_Connect(p, torture, &handle); + + ret &= test_EnumDomains(p, torture, &handle, + TORTURE_SAMR_PASSWORDS_PWDLASTSET); + + ret &= test_samr_handle_Close(p, torture, &handle); + + return ret; +} + diff --git a/source4/torture/rpc/samr_accessmask.c b/source4/torture/rpc/samr_accessmask.c index bfff8c9267..9a8e442019 100644 --- a/source4/torture/rpc/samr_accessmask.c +++ b/source4/torture/rpc/samr_accessmask.c @@ -52,13 +52,15 @@ static NTSTATUS torture_samr_Connect5(struct torture_context *tctx, NTSTATUS status; struct samr_Connect5 r5; union samr_ConnectInfo info; + uint32_t level_out = 0; info.info1.client_version = 0; info.info1.unknown2 = 0; r5.in.system_name = ""; - r5.in.level = 1; - r5.in.info = &info; - r5.out.info = &info; + r5.in.level_in = 1; + r5.in.info_in = &info; + r5.out.info_out = &info; + r5.out.level_out = &level_out; r5.out.connect_handle = h; r5.in.access_mask = mask; @@ -147,6 +149,8 @@ static bool test_samr_accessmask_EnumDomains(struct torture_context *tctx, int i; uint32_t mask; uint32_t resume_handle = 0; + struct samr_SamArray *sam = NULL; + uint32_t num_entries = 0; printf("testing which bits in Connect5 accessmask allows us to EnumDomains\n"); mask = 1; @@ -170,6 +174,8 @@ static bool test_samr_accessmask_EnumDomains(struct torture_context *tctx, ed.in.resume_handle = &resume_handle; ed.in.buf_size = (uint32_t)-1; ed.out.resume_handle = &resume_handle; + ed.out.num_entries = &num_entries; + ed.out.sam = &sam; status = dcerpc_samr_EnumDomains(p, tctx, &ed); if (!NT_STATUS_IS_OK(status)) { @@ -195,6 +201,8 @@ static bool test_samr_accessmask_EnumDomains(struct torture_context *tctx, ed.in.resume_handle = &resume_handle; ed.in.buf_size = (uint32_t)-1; ed.out.resume_handle = &resume_handle; + ed.out.num_entries = &num_entries; + ed.out.sam = &sam; status = dcerpc_samr_EnumDomains(p, tctx, &ed); if(!NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) { @@ -236,7 +244,7 @@ static bool test_samr_connect_user_acl(struct torture_context *tctx, struct samr_SetSecurity ss; struct security_ace ace; struct security_descriptor *sd; - struct sec_desc_buf sdb; + struct sec_desc_buf sdb, *sdbuf = NULL; bool ret = true; int sd_size; struct dcerpc_pipe *test_p; @@ -255,6 +263,7 @@ static bool test_samr_connect_user_acl(struct torture_context *tctx, /* get the current ACL for the SAMR policy handle */ qs.in.handle = &ch; qs.in.sec_info = SECINFO_DACL; + qs.out.sdbuf = &sdbuf; status = dcerpc_samr_QuerySecurity(p, tctx, &qs); if (!NT_STATUS_IS_OK(status)) { printf("QuerySecurity failed - %s\n", nt_errstr(status)); @@ -262,13 +271,13 @@ static bool test_samr_connect_user_acl(struct torture_context *tctx, } /* how big is the security descriptor? */ - sd_size = qs.out.sdbuf->sd_size; + sd_size = sdbuf->sd_size; /* add an ACE to the security descriptor to deny the user the * 'connect to server' right */ - sd = qs.out.sdbuf->sd; + sd = sdbuf->sd; ace.type = SEC_ACE_TYPE_ACCESS_DENIED; ace.flags = 0; ace.access_mask = SAMR_ACCESS_CONNECT_TO_SERVER; @@ -314,7 +323,7 @@ static bool test_samr_connect_user_acl(struct torture_context *tctx, printf("QuerySecurity failed - %s\n", nt_errstr(status)); ret = false; } - if (sd_size != qs.out.sdbuf->sd_size) { + if (sd_size != sdbuf->sd_size) { printf("security descriptor changed\n"); ret = false; } @@ -387,6 +396,7 @@ static bool test_samr_accessmask_LookupDomain(struct torture_context *tctx, { NTSTATUS status; struct samr_LookupDomain ld; + struct dom_sid2 *sid = NULL; struct policy_handle ch; struct lsa_String dn; int i; @@ -412,6 +422,7 @@ static bool test_samr_accessmask_LookupDomain(struct torture_context *tctx, ld.in.connect_handle = &ch; ld.in.domain_name = &dn; + ld.out.sid = &sid; dn.string = lp_workgroup(tctx->lp_ctx); status = dcerpc_samr_LookupDomain(p, tctx, &ld); @@ -471,6 +482,7 @@ static bool test_samr_accessmask_OpenDomain(struct torture_context *tctx, { NTSTATUS status; struct samr_LookupDomain ld; + struct dom_sid2 *sid = NULL; struct samr_OpenDomain od; struct policy_handle ch; struct policy_handle dh; @@ -488,6 +500,7 @@ static bool test_samr_accessmask_OpenDomain(struct torture_context *tctx, ld.in.connect_handle = &ch; ld.in.domain_name = &dn; + ld.out.sid = &sid; dn.string = lp_workgroup(tctx->lp_ctx); status = dcerpc_samr_LookupDomain(p, tctx, &ld); if (!NT_STATUS_IS_OK(status)) { @@ -517,7 +530,7 @@ static bool test_samr_accessmask_OpenDomain(struct torture_context *tctx, od.in.connect_handle = &ch; od.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - od.in.sid = ld.out.sid; + od.in.sid = *ld.out.sid; od.out.domain_handle = &dh; status = dcerpc_samr_OpenDomain(p, tctx, &od); diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c index 12ddc934c9..a3fc6f740f 100644 --- a/source4/torture/rpc/samsync.c +++ b/source4/torture/rpc/samsync.c @@ -151,17 +151,19 @@ struct samsync_trusted_domain { static struct policy_handle *samsync_open_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state, const char *domain, - struct dom_sid **sid) + struct dom_sid **sid_p) { struct lsa_String name; struct samr_OpenDomain o; struct samr_LookupDomain l; + struct dom_sid2 *sid = NULL; struct policy_handle *domain_handle = talloc(mem_ctx, struct policy_handle); NTSTATUS nt_status; name.string = domain; l.in.connect_handle = samsync_state->connect_handle; l.in.domain_name = &name; + l.out.sid = &sid; nt_status = dcerpc_samr_LookupDomain(samsync_state->p_samr, mem_ctx, &l); if (!NT_STATUS_IS_OK(nt_status)) { @@ -171,11 +173,11 @@ static struct policy_handle *samsync_open_domain(TALLOC_CTX *mem_ctx, o.in.connect_handle = samsync_state->connect_handle; o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - o.in.sid = l.out.sid; + o.in.sid = *l.out.sid; o.out.domain_handle = domain_handle; if (sid) { - *sid = l.out.sid; + *sid_p = *l.out.sid; } nt_status = dcerpc_samr_OpenDomain(samsync_state->p_samr, mem_ctx, &o); @@ -192,10 +194,12 @@ static struct sec_desc_buf *samsync_query_samr_sec_desc(TALLOC_CTX *mem_ctx, struct policy_handle *handle) { struct samr_QuerySecurity r; + struct sec_desc_buf *sdbuf = NULL; NTSTATUS status; r.in.handle = handle; r.in.sec_info = 0x7; + r.out.sdbuf = &sdbuf; status = dcerpc_samr_QuerySecurity(samsync_state->p_samr, mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { @@ -203,7 +207,7 @@ static struct sec_desc_buf *samsync_query_samr_sec_desc(TALLOC_CTX *mem_ctx, return NULL; } - return r.out.sdbuf; + return sdbuf; } static struct sec_desc_buf *samsync_query_lsa_sec_desc(TALLOC_CTX *mem_ctx, @@ -260,6 +264,15 @@ static struct sec_desc_buf *samsync_query_lsa_sec_desc(TALLOC_CTX *mem_ctx, } \ } while (0) +#define TEST_BINARY_STRING_EQUAL(s1, s2) do {\ + if (!((!s1.array || s1.array[0]=='\0') && (!s2.array || s2.array[0]=='\0')) \ + && memcmp(s1.array, s2.array, s1.length * 2) != 0) {\ + printf("%s: string mismatch: " #s1 ":%s != " #s2 ": %s\n", \ + __location__, (const char *)s1.array, (const char *)s2.array);\ + ret = false;\ + } \ +} while (0) + #define TEST_SID_EQUAL(s1, s2) do {\ if (!dom_sid_equal(s1, s2)) {\ printf("%s: dom_sid mismatch: " #s1 ":%s != " #s2 ": %s\n", \ @@ -294,6 +307,7 @@ static bool samsync_handle_domain(TALLOC_CTX *mem_ctx, struct samsync_state *sam struct netr_DELTA_DOMAIN *domain = delta->delta_union.domain; struct dom_sid *dom_sid; struct samr_QueryDomainInfo q[14]; /* q[0] will be unused simple for clarity */ + union samr_DomainInfo *info[14]; uint16_t levels[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13}; NTSTATUS nt_status; int i; @@ -341,8 +355,10 @@ static bool samsync_handle_domain(TALLOC_CTX *mem_ctx, struct samsync_state *sam (long long)samsync_state->seq_num[database_id]); for (i=0;i<ARRAY_SIZE(levels);i++) { + q[levels[i]].in.domain_handle = samsync_state->domain_handle[database_id]; q[levels[i]].in.level = levels[i]; + q[levels[i]].out.info = &info[levels[i]]; nt_status = dcerpc_samr_QueryDomainInfo(samsync_state->p_samr, mem_ctx, &q[levels[i]]); @@ -353,23 +369,23 @@ static bool samsync_handle_domain(TALLOC_CTX *mem_ctx, struct samsync_state *sam } } - TEST_STRING_EQUAL(q[5].out.info->info5.domain_name, domain->domain_name); + TEST_STRING_EQUAL(info[5]->info5.domain_name, domain->domain_name); - TEST_STRING_EQUAL(q[2].out.info->general.oem_information, domain->oem_information); - TEST_STRING_EQUAL(q[4].out.info->oem.oem_information, domain->oem_information); - TEST_TIME_EQUAL(q[2].out.info->general.force_logoff_time, domain->force_logoff_time); - TEST_TIME_EQUAL(q[3].out.info->info3.force_logoff_time, domain->force_logoff_time); + TEST_STRING_EQUAL(info[2]->general.oem_information, domain->oem_information); + TEST_STRING_EQUAL(info[4]->oem.oem_information, domain->oem_information); + TEST_TIME_EQUAL(info[2]->general.force_logoff_time, domain->force_logoff_time); + TEST_TIME_EQUAL(info[3]->info3.force_logoff_time, domain->force_logoff_time); - TEST_TIME_EQUAL(q[1].out.info->info1.min_password_length, domain->min_password_length); - TEST_TIME_EQUAL(q[1].out.info->info1.password_history_length, domain->password_history_length); - TEST_TIME_EQUAL(q[1].out.info->info1.max_password_age, domain->max_password_age); - TEST_TIME_EQUAL(q[1].out.info->info1.min_password_age, domain->min_password_age); + TEST_TIME_EQUAL(info[1]->info1.min_password_length, domain->min_password_length); + TEST_TIME_EQUAL(info[1]->info1.password_history_length, domain->password_history_length); + TEST_TIME_EQUAL(info[1]->info1.max_password_age, domain->max_password_age); + TEST_TIME_EQUAL(info[1]->info1.min_password_age, domain->min_password_age); - TEST_UINT64_EQUAL(q[8].out.info->info8.sequence_num, + TEST_UINT64_EQUAL(info[8]->info8.sequence_num, domain->sequence_num); - TEST_TIME_EQUAL(q[8].out.info->info8.domain_create_time, + TEST_TIME_EQUAL(info[8]->info8.domain_create_time, domain->domain_create_time); - TEST_TIME_EQUAL(q[13].out.info->info13.domain_create_time, + TEST_TIME_EQUAL(info[13]->info13.domain_create_time, domain->domain_create_time); TEST_SEC_DESC_EQUAL(domain->sdbuf, samr, samsync_state->domain_handle[database_id]); @@ -425,9 +441,12 @@ static bool samsync_handle_user(struct torture_context *tctx, TALLOC_CTX *mem_ct struct samr_OpenUser r; struct samr_QueryUserInfo q; + union samr_UserInfo *info; struct policy_handle user_handle; struct samr_GetGroupsForUser getgroups; + struct samr_RidWithAttributeArray *rids; + if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) { printf("SamSync needs domain information before the users\n"); return false; @@ -446,6 +465,7 @@ static bool samsync_handle_user(struct torture_context *tctx, TALLOC_CTX *mem_ct q.in.user_handle = &user_handle; q.in.level = 21; + q.out.info = &info; TEST_SEC_DESC_EQUAL(user->sdbuf, samr, &user_handle); @@ -457,6 +477,7 @@ static bool samsync_handle_user(struct torture_context *tctx, TALLOC_CTX *mem_ct } getgroups.in.user_handle = &user_handle; + getgroups.out.rids = &rids; nt_status = dcerpc_samr_GetGroupsForUser(samsync_state->p_samr, mem_ctx, &getgroups); if (!NT_STATUS_IS_OK(nt_status)) { @@ -480,67 +501,67 @@ static bool samsync_handle_user(struct torture_context *tctx, TALLOC_CTX *mem_ct return false; } - TEST_STRING_EQUAL(q.out.info->info21.account_name, user->account_name); - TEST_STRING_EQUAL(q.out.info->info21.full_name, user->full_name); - TEST_INT_EQUAL(q.out.info->info21.rid, user->rid); - TEST_INT_EQUAL(q.out.info->info21.primary_gid, user->primary_gid); - TEST_STRING_EQUAL(q.out.info->info21.home_directory, user->home_directory); - TEST_STRING_EQUAL(q.out.info->info21.home_drive, user->home_drive); - TEST_STRING_EQUAL(q.out.info->info21.logon_script, user->logon_script); - TEST_STRING_EQUAL(q.out.info->info21.description, user->description); - TEST_STRING_EQUAL(q.out.info->info21.workstations, user->workstations); + TEST_STRING_EQUAL(info->info21.account_name, user->account_name); + TEST_STRING_EQUAL(info->info21.full_name, user->full_name); + TEST_INT_EQUAL(info->info21.rid, user->rid); + TEST_INT_EQUAL(info->info21.primary_gid, user->primary_gid); + TEST_STRING_EQUAL(info->info21.home_directory, user->home_directory); + TEST_STRING_EQUAL(info->info21.home_drive, user->home_drive); + TEST_STRING_EQUAL(info->info21.logon_script, user->logon_script); + TEST_STRING_EQUAL(info->info21.description, user->description); + TEST_STRING_EQUAL(info->info21.workstations, user->workstations); - TEST_TIME_EQUAL(q.out.info->info21.last_logon, user->last_logon); - TEST_TIME_EQUAL(q.out.info->info21.last_logoff, user->last_logoff); + TEST_TIME_EQUAL(info->info21.last_logon, user->last_logon); + TEST_TIME_EQUAL(info->info21.last_logoff, user->last_logoff); - TEST_INT_EQUAL(q.out.info->info21.logon_hours.units_per_week, + TEST_INT_EQUAL(info->info21.logon_hours.units_per_week, user->logon_hours.units_per_week); if (ret) { - if (memcmp(q.out.info->info21.logon_hours.bits, user->logon_hours.bits, - q.out.info->info21.logon_hours.units_per_week/8) != 0) { + if (memcmp(info->info21.logon_hours.bits, user->logon_hours.bits, + info->info21.logon_hours.units_per_week/8) != 0) { printf("Logon hours mismatch\n"); ret = false; } } - TEST_INT_EQUAL(q.out.info->info21.bad_password_count, + TEST_INT_EQUAL(info->info21.bad_password_count, user->bad_password_count); - TEST_INT_EQUAL(q.out.info->info21.logon_count, + TEST_INT_EQUAL(info->info21.logon_count, user->logon_count); - TEST_TIME_EQUAL(q.out.info->info21.last_password_change, + TEST_TIME_EQUAL(info->info21.last_password_change, user->last_password_change); - TEST_TIME_EQUAL(q.out.info->info21.acct_expiry, + TEST_TIME_EQUAL(info->info21.acct_expiry, user->acct_expiry); - TEST_INT_EQUAL((q.out.info->info21.acct_flags & ~ACB_PW_EXPIRED), user->acct_flags); + TEST_INT_EQUAL((info->info21.acct_flags & ~ACB_PW_EXPIRED), user->acct_flags); if (user->acct_flags & ACB_PWNOEXP) { - if (q.out.info->info21.acct_flags & ACB_PW_EXPIRED) { + if (info->info21.acct_flags & ACB_PW_EXPIRED) { printf("ACB flags mismatch: both expired and no expiry!\n"); ret = false; } - if (q.out.info->info21.force_password_change != (NTTIME)0x7FFFFFFFFFFFFFFFULL) { + if (info->info21.force_password_change != (NTTIME)0x7FFFFFFFFFFFFFFFULL) { printf("ACB flags mismatch: no password expiry, but force password change 0x%016llx (%lld) != 0x%016llx (%lld)\n", - (unsigned long long)q.out.info->info21.force_password_change, - (unsigned long long)q.out.info->info21.force_password_change, + (unsigned long long)info->info21.force_password_change, + (unsigned long long)info->info21.force_password_change, (unsigned long long)0x7FFFFFFFFFFFFFFFULL, (unsigned long long)0x7FFFFFFFFFFFFFFFULL ); ret = false; } } - TEST_INT_EQUAL(q.out.info->info21.nt_password_set, user->nt_password_present); - TEST_INT_EQUAL(q.out.info->info21.lm_password_set, user->lm_password_present); - TEST_INT_EQUAL(q.out.info->info21.password_expired, user->password_expired); + TEST_INT_EQUAL(info->info21.nt_password_set, user->nt_password_present); + TEST_INT_EQUAL(info->info21.lm_password_set, user->lm_password_present); + TEST_INT_EQUAL(info->info21.password_expired, user->password_expired); - TEST_STRING_EQUAL(q.out.info->info21.comment, user->comment); - TEST_STRING_EQUAL(q.out.info->info21.parameters, user->parameters); + TEST_STRING_EQUAL(info->info21.comment, user->comment); + TEST_BINARY_STRING_EQUAL(info->info21.parameters, user->parameters); - TEST_INT_EQUAL(q.out.info->info21.country_code, user->country_code); - TEST_INT_EQUAL(q.out.info->info21.code_page, user->code_page); + TEST_INT_EQUAL(info->info21.country_code, user->country_code); + TEST_INT_EQUAL(info->info21.code_page, user->code_page); - TEST_STRING_EQUAL(q.out.info->info21.profile_path, user->profile_path); + TEST_STRING_EQUAL(info->info21.profile_path, user->profile_path); if (user->lm_password_present) { sam_rid_crypt(rid, user->lmpassword.hash, lm_hash.hash, 0); @@ -619,7 +640,7 @@ static bool samsync_handle_user(struct torture_context *tctx, TALLOC_CTX *mem_ct return true; } } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED)) { - if (q.out.info->info21.acct_flags & ACB_PW_EXPIRED) { + if (info->info21.acct_flags & ACB_PW_EXPIRED) { return true; } } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { @@ -654,7 +675,7 @@ static bool samsync_handle_user(struct torture_context *tctx, TALLOC_CTX *mem_ct TEST_TIME_EQUAL(user->last_logon, info3->base.last_logon); TEST_TIME_EQUAL(user->acct_expiry, info3->base.acct_expiry); TEST_TIME_EQUAL(user->last_password_change, info3->base.last_password_change); - TEST_TIME_EQUAL(q.out.info->info21.force_password_change, info3->base.force_password_change); + TEST_TIME_EQUAL(info->info21.force_password_change, info3->base.force_password_change); /* Does the concept of a logoff time ever really * exist? (not in any sensible way, according to the @@ -667,28 +688,28 @@ static bool samsync_handle_user(struct torture_context *tctx, TALLOC_CTX *mem_ct TEST_TIME_EQUAL(user->last_logoff, info3->base.last_logoff); } - TEST_INT_EQUAL(getgroups.out.rids->count, info3->base.groups.count); - if (getgroups.out.rids->count == info3->base.groups.count) { + TEST_INT_EQUAL(rids->count, info3->base.groups.count); + if (rids->count == info3->base.groups.count) { int i, j; - int count = getgroups.out.rids->count; - bool *matched = talloc_zero_array(mem_ctx, bool, getgroups.out.rids->count); + int count = rids->count; + bool *matched = talloc_zero_array(mem_ctx, bool, rids->count); for (i = 0; i < count; i++) { for (j = 0; j < count; j++) { - if ((getgroups.out.rids->rids[i].rid == + if ((rids->rids[i].rid == info3->base.groups.rids[j].rid) - && (getgroups.out.rids->rids[i].attributes == + && (rids->rids[i].attributes == info3->base.groups.rids[j].attributes)) { matched[i] = true; } } } - for (i = 0; i < getgroups.out.rids->count; i++) { + for (i = 0; i < rids->count; i++) { if (matched[i] == false) { ret = false; printf("Could not find group RID %u found in getgroups in NETLOGON reply\n", - getgroups.out.rids->rids[i].rid); + rids->rids[i].rid); } } } @@ -711,6 +732,7 @@ static bool samsync_handle_alias(TALLOC_CTX *mem_ctx, struct samsync_state *sams struct samr_OpenAlias r; struct samr_QueryAliasInfo q; + union samr_AliasInfo *info; struct policy_handle alias_handle; if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) { @@ -731,6 +753,7 @@ static bool samsync_handle_alias(TALLOC_CTX *mem_ctx, struct samsync_state *sams q.in.alias_handle = &alias_handle; q.in.level = 1; + q.out.info = &info; TEST_SEC_DESC_EQUAL(alias->sdbuf, samr, &alias_handle); @@ -745,8 +768,8 @@ static bool samsync_handle_alias(TALLOC_CTX *mem_ctx, struct samsync_state *sams return false; } - TEST_STRING_EQUAL(q.out.info->all.name, alias->alias_name); - TEST_STRING_EQUAL(q.out.info->all.description, alias->description); + TEST_STRING_EQUAL(info->all.name, alias->alias_name); + TEST_STRING_EQUAL(info->all.description, alias->description); return ret; } @@ -760,6 +783,7 @@ static bool samsync_handle_group(TALLOC_CTX *mem_ctx, struct samsync_state *sams struct samr_OpenGroup r; struct samr_QueryGroupInfo q; + union samr_GroupInfo *info; struct policy_handle group_handle; if (!samsync_state->domain_name || !samsync_state->domain_handle[database_id]) { @@ -780,6 +804,7 @@ static bool samsync_handle_group(TALLOC_CTX *mem_ctx, struct samsync_state *sams q.in.group_handle = &group_handle; q.in.level = 1; + q.out.info = &info; TEST_SEC_DESC_EQUAL(group->sdbuf, samr, &group_handle); @@ -794,9 +819,9 @@ static bool samsync_handle_group(TALLOC_CTX *mem_ctx, struct samsync_state *sams return false; } - TEST_STRING_EQUAL(q.out.info->all.name, group->group_name); - TEST_INT_EQUAL(q.out.info->all.attributes, group->attributes); - TEST_STRING_EQUAL(q.out.info->all.description, group->description); + TEST_STRING_EQUAL(info->all.name, group->group_name); + TEST_INT_EQUAL(info->all.attributes, group->attributes); + TEST_STRING_EQUAL(info->all.description, group->description); return ret; } diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index ca1655729b..451990a71b 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -128,6 +128,7 @@ static bool test_samr_ops(struct torture_context *tctx, { NTSTATUS status; struct samr_GetDomPwInfo r; + struct samr_PwInfo info; struct samr_Connect connect; struct samr_OpenDomain opendom; int i; @@ -137,6 +138,7 @@ static bool test_samr_ops(struct torture_context *tctx, name.string = lp_workgroup(tctx->lp_ctx); r.in.domain_name = &name; + r.out.info = &info; connect.in.system_name = 0; connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; diff --git a/source4/torture/rpc/svcctl.c b/source4/torture/rpc/svcctl.c index c9006baaf5..8d8f43a0cf 100644 --- a/source4/torture/rpc/svcctl.c +++ b/source4/torture/rpc/svcctl.c @@ -1,19 +1,19 @@ -/* +/* Unix SMB/CIFS implementation. test suite for srvsvc rpc operations Copyright (C) Jelmer Vernooij 2004 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -26,28 +26,141 @@ static bool test_OpenSCManager(struct dcerpc_pipe *p, struct torture_context *tctx, struct policy_handle *h) { struct svcctl_OpenSCManagerW r; - + r.in.MachineName = NULL; r.in.DatabaseName = NULL; r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; r.out.handle = h; - - torture_assert_ntstatus_ok(tctx, - dcerpc_svcctl_OpenSCManagerW(p, tctx, &r), - "OpenSCManager failed!"); - + + torture_assert_ntstatus_ok(tctx, + dcerpc_svcctl_OpenSCManagerW(p, tctx, &r), + "OpenSCManager failed!"); + return true; } static bool test_CloseServiceHandle(struct dcerpc_pipe *p, struct torture_context *tctx, struct policy_handle *h) { - struct svcctl_CloseServiceHandle r; + struct svcctl_CloseServiceHandle r; r.in.handle = h; r.out.handle = h; - torture_assert_ntstatus_ok(tctx, - dcerpc_svcctl_CloseServiceHandle(p, tctx, &r), - "CloseServiceHandle failed"); + torture_assert_ntstatus_ok(tctx, + dcerpc_svcctl_CloseServiceHandle(p, tctx, &r), + "CloseServiceHandle failed"); + + return true; +} + +static bool test_OpenService(struct dcerpc_pipe *p, struct torture_context *tctx, + struct policy_handle *h, const char *name, struct policy_handle *s) +{ + struct svcctl_OpenServiceW r; + + r.in.scmanager_handle = h; + r.in.ServiceName = name; + r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; + r.out.handle = s; + + torture_assert_ntstatus_ok(tctx, + dcerpc_svcctl_OpenServiceW(p, tctx, &r), + "OpenServiceW failed!"); + torture_assert_werr_ok(tctx, r.out.result, "OpenServiceW failed!"); + + return true; + +} + +static bool test_QueryServiceStatusEx(struct torture_context *tctx, struct dcerpc_pipe *p) +{ + struct svcctl_QueryServiceStatusEx r; + struct policy_handle h, s; + NTSTATUS status; + + uint32_t info_level = 0; + uint8_t *buffer; + uint32_t buf_size = 0; + uint32_t bytes_needed = 0; + + if (!test_OpenSCManager(p, tctx, &h)) + return false; + + if (!test_OpenService(p, tctx, &h, "Netlogon", &s)) + return false; + + buffer = talloc(tctx, uint8_t); + + r.in.handle = &s; + r.in.info_level = info_level; + r.in.buf_size = buf_size; + r.out.buffer = buffer; + r.out.bytes_needed = &bytes_needed; + + status = dcerpc_svcctl_QueryServiceStatusEx(p, tctx, &r); + torture_assert_ntstatus_ok(tctx, status, "QueryServiceStatusEx failed!"); + + if (W_ERROR_EQUAL(r.out.result, WERR_INSUFFICIENT_BUFFER)) { + r.in.buf_size = bytes_needed; + buffer = talloc_array(tctx, uint8_t, bytes_needed); + r.out.buffer = buffer; + + status = dcerpc_svcctl_QueryServiceStatusEx(p, tctx, &r); + torture_assert_ntstatus_ok(tctx, status, "QueryServiceStatusEx failed!"); + torture_assert_werr_ok(tctx, r.out.result, "QueryServiceStatusEx failed!"); + } + + if (!test_CloseServiceHandle(p, tctx, &s)) + return false; + + if (!test_CloseServiceHandle(p, tctx, &h)) + return false; + + return true; +} + +static bool test_QueryServiceConfig2W(struct torture_context *tctx, struct dcerpc_pipe *p) +{ + struct svcctl_QueryServiceConfig2W r; + struct policy_handle h, s; + NTSTATUS status; + + uint32_t info_level = 1; + uint8_t *buffer; + uint32_t buf_size = 0; + uint32_t bytes_needed = 0; + + if (!test_OpenSCManager(p, tctx, &h)) + return false; + + if (!test_OpenService(p, tctx, &h, "Netlogon", &s)) + return false; + + buffer = talloc(tctx, uint8_t); + + r.in.handle = &s; + r.in.info_level = info_level; + r.in.buf_size = buf_size; + r.out.buffer = buffer; + r.out.bytes_needed = &bytes_needed; + + status = dcerpc_svcctl_QueryServiceConfig2W(p, tctx, &r); + torture_assert_ntstatus_ok(tctx, status, "QueryServiceConfig2W failed!"); + + if (W_ERROR_EQUAL(r.out.result, WERR_INSUFFICIENT_BUFFER)) { + r.in.buf_size = bytes_needed; + buffer = talloc_array(tctx, uint8_t, bytes_needed); + r.out.buffer = buffer; + + status = dcerpc_svcctl_QueryServiceConfig2W(p, tctx, &r); + torture_assert_ntstatus_ok(tctx, status, "QueryServiceConfig2W failed!"); + torture_assert_werr_ok(tctx, r.out.result, "QueryServiceConfig2W failed!"); + } + + if (!test_CloseServiceHandle(p, tctx, &s)) + return false; + + if (!test_CloseServiceHandle(p, tctx, &h)) + return false; return true; } @@ -59,7 +172,9 @@ static bool test_EnumServicesStatus(struct torture_context *tctx, struct dcerpc_ int i; NTSTATUS status; uint32_t resume_handle = 0; - struct ENUM_SERVICE_STATUS *service = NULL; + struct ENUM_SERVICE_STATUS *service = NULL; + uint32_t bytes_needed = 0; + uint32_t services_returned = 0; if (!test_OpenSCManager(p, tctx, &h)) return false; @@ -71,17 +186,17 @@ static bool test_EnumServicesStatus(struct torture_context *tctx, struct dcerpc_ r.in.resume_handle = &resume_handle; r.out.service = NULL; r.out.resume_handle = &resume_handle; - r.out.services_returned = 0; - r.out.bytes_needed = 0; + r.out.services_returned = &services_returned; + r.out.bytes_needed = &bytes_needed; status = dcerpc_svcctl_EnumServicesStatusW(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "EnumServicesStatus failed!"); if (W_ERROR_EQUAL(r.out.result, WERR_MORE_DATA)) { - r.in.buf_size = *r.out.bytes_needed; - r.out.service = talloc_array(tctx, uint8_t, *r.out.bytes_needed); - + r.in.buf_size = bytes_needed; + r.out.service = talloc_array(tctx, uint8_t, bytes_needed); + status = dcerpc_svcctl_EnumServicesStatusW(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "EnumServicesStatus failed!"); @@ -90,17 +205,17 @@ static bool test_EnumServicesStatus(struct torture_context *tctx, struct dcerpc_ service = (struct ENUM_SERVICE_STATUS *)r.out.service; } - for(i = 0; i < *r.out.services_returned; i++) { + for(i = 0; i < services_returned; i++) { printf("Type: %d, State: %d\n", service[i].status.type, service[i].status.state); } - + if (!test_CloseServiceHandle(p, tctx, &h)) return false; return true; } -static bool test_SCManager(struct torture_context *tctx, +static bool test_SCManager(struct torture_context *tctx, struct dcerpc_pipe *p) { struct policy_handle h; @@ -119,13 +234,16 @@ struct torture_suite *torture_rpc_svcctl(TALLOC_CTX *mem_ctx) struct torture_suite *suite = torture_suite_create(mem_ctx, "SVCCTL"); struct torture_rpc_tcase *tcase; - tcase = torture_suite_add_rpc_iface_tcase(suite, "svcctl", - &ndr_table_svcctl); - - torture_rpc_tcase_add_test(tcase, "SCManager", - test_SCManager); - torture_rpc_tcase_add_test(tcase, "EnumServicesStatus", - test_EnumServicesStatus); + tcase = torture_suite_add_rpc_iface_tcase(suite, "svcctl", &ndr_table_svcctl); + + torture_rpc_tcase_add_test(tcase, "SCManager", + test_SCManager); + torture_rpc_tcase_add_test(tcase, "EnumServicesStatus", + test_EnumServicesStatus); + torture_rpc_tcase_add_test(tcase, "QueryServiceStatusEx", + test_QueryServiceStatusEx); + torture_rpc_tcase_add_test(tcase, "QueryServiceConfig2W", + test_QueryServiceConfig2W); return suite; } diff --git a/source4/torture/rpc/testjoin.c b/source4/torture/rpc/testjoin.c index 3408a1924c..c93358015c 100644 --- a/source4/torture/rpc/testjoin.c +++ b/source4/torture/rpc/testjoin.c @@ -59,6 +59,7 @@ static NTSTATUS DeleteUser_byname(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct policy_handle user_handle; uint32_t rid; struct samr_LookupNames n; + struct samr_Ids rids, types; struct lsa_String sname; struct samr_OpenUser r; @@ -67,10 +68,12 @@ static NTSTATUS DeleteUser_byname(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, n.in.domain_handle = handle; n.in.num_names = 1; n.in.names = &sname; + n.out.rids = &rids; + n.out.types = &types; status = dcerpc_samr_LookupNames(p, mem_ctx, &n); if (NT_STATUS_IS_OK(status)) { - rid = n.out.rids.ids[0]; + rid = n.out.rids->ids[0]; } else { return status; } @@ -113,7 +116,9 @@ struct test_join *torture_create_testuser(struct torture_context *torture, struct samr_CreateUser2 r; struct samr_OpenDomain o; struct samr_LookupDomain l; + struct dom_sid2 *sid = NULL; struct samr_GetUserPwInfo pwp; + struct samr_PwInfo info; struct samr_SetUserInfo s; union samr_UserInfo u; struct policy_handle handle; @@ -172,6 +177,7 @@ struct test_join *torture_create_testuser(struct torture_context *torture, name.string = domain; l.in.connect_handle = &handle; l.in.domain_name = &name; + l.out.sid = &sid; status = dcerpc_samr_LookupDomain(join->p, join, &l); if (!NT_STATUS_IS_OK(status)) { @@ -179,14 +185,14 @@ struct test_join *torture_create_testuser(struct torture_context *torture, goto failed; } - talloc_steal(join, l.out.sid); - join->dom_sid = l.out.sid; + talloc_steal(join, *l.out.sid); + join->dom_sid = *l.out.sid; join->dom_netbios_name = talloc_strdup(join, domain); if (!join->dom_netbios_name) goto failed; o.in.connect_handle = &handle; o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - o.in.sid = l.out.sid; + o.in.sid = *l.out.sid; o.out.domain_handle = &domain_handle; status = dcerpc_samr_OpenDomain(join->p, join, &o); @@ -224,10 +230,11 @@ again: join->user_sid = dom_sid_add_rid(join, join->dom_sid, rid); pwp.in.user_handle = &join->user_handle; + pwp.out.info = &info; status = dcerpc_samr_GetUserPwInfo(join->p, join, &pwp); if (NT_STATUS_IS_OK(status)) { - policy_min_pw_len = pwp.out.info.min_password_length; + policy_min_pw_len = pwp.out.info->min_password_length; } random_pw = generate_random_str(join, MAX(8, policy_min_pw_len)); @@ -240,7 +247,7 @@ again: s.in.level = 24; encode_pw_buffer(u.info24.password.data, random_pw, STR_UNICODE); - u.info24.pw_len = strlen(random_pw); + u.info24.password_expired = 0; status = dcerpc_fetch_session_key(join->p, &session_key); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/torture/smb2/config.mk b/source4/torture/smb2/config.mk index 9785303629..3a1ac5e06c 100644 --- a/source4/torture/smb2/config.mk +++ b/source4/torture/smb2/config.mk @@ -5,7 +5,7 @@ SUBSYSTEM = smbtorture INIT_FUNCTION = torture_smb2_init PRIVATE_DEPENDENCIES = \ - LIBCLI_SMB2 POPT_CREDENTIALS + LIBCLI_SMB2 POPT_CREDENTIALS torture # End SUBSYSTEM TORTURE_SMB2 ################################# diff --git a/source4/torture/smbtorture.h b/source4/torture/smbtorture.h index 3b5a573d83..c1363fd4c1 100644 --- a/source4/torture/smbtorture.h +++ b/source4/torture/smbtorture.h @@ -21,7 +21,7 @@ #ifndef __SMBTORTURE_H__ #define __SMBTORTURE_H__ -#include "torture/torture.h" +#include "../lib/torture/torture.h" struct smbcli_state; diff --git a/source4/torture/util.h b/source4/torture/util.h index f36d54233d..3609cca7d9 100644 --- a/source4/torture/util.h +++ b/source4/torture/util.h @@ -20,7 +20,7 @@ #ifndef _TORTURE_UTIL_H_ #define _TORTURE_UTIL_H_ -#include "torture/torture.h" +#include "lib/torture/torture.h" struct smbcli_state; struct smbcli_tree; diff --git a/source4/torture/winbind/config.mk b/source4/torture/winbind/config.mk index 15bc51daba..9648a7472b 100644 --- a/source4/torture/winbind/config.mk +++ b/source4/torture/winbind/config.mk @@ -5,7 +5,7 @@ SUBSYSTEM = smbtorture INIT_FUNCTION = torture_winbind_init PRIVATE_DEPENDENCIES = \ - LIBWINBIND-CLIENT + LIBWINBIND-CLIENT torture # End SUBSYSTEM TORTURE_WINBIND ################################# diff --git a/source4/utils/ad2oLschema.c b/source4/utils/ad2oLschema.c index c579112b45..2e3139d9c7 100644 --- a/source4/utils/ad2oLschema.c +++ b/source4/utils/ad2oLschema.c @@ -226,7 +226,6 @@ static struct schema_conv process_convert(struct ldb_context *ldb, enum dsdb_sch const char *equality = NULL, *substring = NULL; bool single_value = attribute->isSingleValued; - const struct dsdb_syntax *map = find_syntax_map_by_ad_syntax(attribute->oMSyntax); char *schema_entry = NULL; int j; @@ -244,11 +243,11 @@ static struct schema_conv process_convert(struct ldb_context *ldb, enum dsdb_sch } } - if (map) { + if (attribute->syntax) { /* We might have been asked to remap this oid, * due to a conflict, or lack of * implementation */ - syntax = map->ldap_oid; + syntax = attribute->syntax->ldap_oid; /* We might have been asked to remap this oid, due to a conflict */ for (j=0; syntax && oid_map && oid_map[j].old_oid; j++) { if (strcasecmp(syntax, oid_map[j].old_oid) == 0) { @@ -257,8 +256,8 @@ static struct schema_conv process_convert(struct ldb_context *ldb, enum dsdb_sch } } - equality = map->equality; - substring = map->substring; + equality = attribute->syntax->equality; + substring = attribute->syntax->substring; } /* We might have been asked to remap this name, due to a conflict */ @@ -278,7 +277,10 @@ static struct schema_conv process_convert(struct ldb_context *ldb, enum dsdb_sch substring, syntax, single_value, - false); + false, + NULL, NULL, + NULL, NULL, + false, false); if (schema_entry == NULL) { ret.failures++; @@ -366,7 +368,8 @@ static struct schema_conv process_convert(struct ldb_context *ldb, enum dsdb_sch subClassOf, objectClassCategory, must, - may); + may, + NULL); if (schema_entry == NULL) { ret.failures++; return ret; diff --git a/source4/utils/net/config.mk b/source4/utils/net/config.mk index 93b51e1e28..b2f0fcf6b1 100644 --- a/source4/utils/net/config.mk +++ b/source4/utils/net/config.mk @@ -16,6 +16,7 @@ PRIVATE_DEPENDENCIES = \ net_OBJ_FILES = $(addprefix $(utilssrcdir)/net/, \ net.o \ + net_machinepw.o \ net_password.o \ net_time.o \ net_join.o \ diff --git a/source4/utils/net/net.c b/source4/utils/net/net.c index 81584e4398..4d1b202ccb 100644 --- a/source4/utils/net/net.c +++ b/source4/utils/net/net.c @@ -107,6 +107,8 @@ static const struct net_functable net_functable[] = { {"vampire", "join and syncronise an AD domain onto the local server\n", net_vampire, net_vampire_usage}, {"samsync", "synchronise into the local ldb the sam of an NT4 domain\n", net_samsync_ldb, net_samsync_ldb_usage}, {"user", "manage user accounts\n", net_user, net_user_usage}, + {"machinepw", "Get a machine password out of our SAM", net_machinepw, + net_machinepw_usage}, {NULL, NULL, NULL, NULL} }; diff --git a/source4/utils/net/net_machinepw.c b/source4/utils/net/net_machinepw.c new file mode 100644 index 0000000000..710d889c19 --- /dev/null +++ b/source4/utils/net/net_machinepw.c @@ -0,0 +1,91 @@ +/* + Samba Unix/Linux SMB client library + Distributed SMB/CIFS Server Management Utility + + Copyright (C) 2008 Volker Lendecke + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "utils/net/net.h" +#include "libnet/libnet.h" +#include "libcli/security/security.h" +#include "param/secrets.h" +#include "param/param.h" +#include "lib/events/events.h" +#include "lib/util/util_ldb.h" + +int net_machinepw_usage(struct net_context *ctx, int argc, const char **argv) +{ + d_printf("net machinepw <accountname>\n"); + return -1; +} + +int net_machinepw(struct net_context *ctx, int argc, const char **argv) +{ + struct ldb_context *secrets; + TALLOC_CTX *mem_ctx; + struct event_context *ev; + struct ldb_message **msgs; + int num_records; + const char *attrs[] = { "secret", NULL }; + const char *secret; + + if (argc != 1) { + net_machinepw_usage(ctx, argc, argv); + return -1; + } + + mem_ctx = talloc_new(ctx); + if (mem_ctx == NULL) { + d_fprintf(stderr, "talloc_new failed\n"); + return -1; + } + + ev = event_context_init(mem_ctx); + if (ev == NULL) { + d_fprintf(stderr, "event_context_init failed\n"); + goto fail; + } + + secrets = secrets_db_connect(mem_ctx, ev, ctx->lp_ctx); + if (secrets == NULL) { + d_fprintf(stderr, "secrets_db_connect failed\n"); + goto fail; + } + + num_records = gendb_search(secrets, mem_ctx, NULL, &msgs, attrs, + "(&(objectclass=primaryDomain)" + "(samaccountname=%s))", argv[0]); + if (num_records != 1) { + d_fprintf(stderr, "gendb_search returned %d records, " + "expected 1\n", num_records); + goto fail; + } + + secret = ldb_msg_find_attr_as_string(msgs[0], "secret", NULL); + if (secret == NULL) { + d_fprintf(stderr, "machine account contains no secret\n"); + goto fail; + } + + printf("%s\n", secret); + talloc_free(mem_ctx); + return 0; + + fail: + talloc_free(mem_ctx); + return -1; +} diff --git a/source4/winbind/wb_async_helpers.c b/source4/winbind/wb_async_helpers.c index 48a2a4d882..a50a0fe473 100644 --- a/source4/winbind/wb_async_helpers.c +++ b/source4/winbind/wb_async_helpers.c @@ -325,6 +325,8 @@ struct samr_getuserdomgroups_state { int num_rids; uint32_t *rids; + struct samr_RidWithAttributeArray *rid_array; + struct policy_handle *user_handle; struct samr_OpenUser o; struct samr_GetGroupsForUser g; @@ -386,6 +388,7 @@ static void samr_usergroups_recv_open(struct rpc_request *req) if (!composite_is_ok(state->ctx)) return; state->g.in.user_handle = state->user_handle; + state->g.out.rids = &state->rid_array; req = dcerpc_samr_GetGroupsForUser_send(state->samr_pipe, state, &state->g); @@ -438,7 +441,7 @@ NTSTATUS wb_samr_userdomgroups_recv(struct composite_context *ctx, NTSTATUS status = composite_wait(ctx); if (!NT_STATUS_IS_OK(status)) goto done; - *num_rids = state->g.out.rids->count; + *num_rids = state->rid_array->count; *rids = talloc_array(mem_ctx, uint32_t, *num_rids); if (*rids == NULL) { status = NT_STATUS_NO_MEMORY; @@ -446,7 +449,7 @@ NTSTATUS wb_samr_userdomgroups_recv(struct composite_context *ctx, } for (i=0; i<*num_rids; i++) { - (*rids)[i] = state->g.out.rids->rids[i].rid; + (*rids)[i] = state->rid_array->rids[i].rid; } done: |