summaryrefslogtreecommitdiff
path: root/source3/lib
diff options
context:
space:
mode:
authorLuke Leighton <lkcl@samba.org>1999-11-20 19:43:37 +0000
committerLuke Leighton <lkcl@samba.org>1999-11-20 19:43:37 +0000
commita56bea383b4813f77478f9859dc33c90a564f540 (patch)
treef5849949f0312e8a80e53125571cee3399b1320e /source3/lib
parentef8ced0ca6688f037d74a5e26b52b41afce37682 (diff)
downloadsamba-a56bea383b4813f77478f9859dc33c90a564f540.tar.gz
samba-a56bea383b4813f77478f9859dc33c90a564f540.tar.bz2
samba-a56bea383b4813f77478f9859dc33c90a564f540.zip
doing a code reshuffle. want to add code to establish trust relationships.
(This used to be commit 3ec269b402ba6898d905ea1029c427e1b645faf4)
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/sids.c271
-rw-r--r--source3/lib/util_pwdb.c2
-rw-r--r--source3/lib/util_sid.c296
3 files changed, 317 insertions, 252 deletions
diff --git a/source3/lib/sids.c b/source3/lib/sids.c
index 4d83adc36d..052c05cb01 100644
--- a/source3/lib/sids.c
+++ b/source3/lib/sids.c
@@ -87,39 +87,6 @@ sid_name_map[] =
};
/****************************************************************************
- Read the machine SID from a file.
-****************************************************************************/
-
-static BOOL read_sid_from_file(int fd, char *sid_file)
-{
- fstring fline;
- fstring sid_str;
-
- memset(fline, '\0', sizeof(fline));
-
- if (read(fd, fline, sizeof(fline) -1 ) < 0) {
- DEBUG(0,("unable to read file %s. Error was %s\n",
- sid_file, strerror(errno) ));
- return False;
- }
-
- /*
- * Convert to the machine SID.
- */
-
- fline[sizeof(fline)-1] = '\0';
- if (!string_to_sid( &global_sam_sid, fline)) {
- DEBUG(0,("unable to generate machine SID.\n"));
- return False;
- }
-
- sid_to_string(sid_str, &global_sam_sid);
- DEBUG(5,("read_sid_from_file: sid %s\n", sid_str));
-
- return True;
-}
-
-/****************************************************************************
sets up the name associated with the SAM database for which we are responsible
****************************************************************************/
void get_sam_domain_name(void)
@@ -175,99 +142,6 @@ BOOL get_member_domain_sid(void)
return get_domain_sids(NULL, &global_member_sid, lp_passwordserver());
}
-/****************************************************************************
- obtain the sid from the PDC. do some verification along the way...
-****************************************************************************/
-BOOL get_domain_sids(DOM_SID *sid3, DOM_SID *sid5, char *servers)
-{
- uint16 nt_pipe_fnum;
- POLICY_HND pol;
- fstring srv_name;
- struct cli_state cli;
- BOOL res = True;
- fstring dom3;
- fstring dom5;
-
- if (sid3 == NULL && sid5 == NULL)
- {
- /* don't waste my time... */
- return False;
- }
-
- if (!cli_connect_serverlist(&cli, servers))
- {
- DEBUG(0,("get_domain_sids: unable to initialise client connection.\n"));
- return False;
- }
-
- /*
- * Ok - we have an anonymous connection to the IPC$ share.
- * Now start the NT Domain stuff :-).
- */
-
- fstrcpy(dom3, "");
- fstrcpy(dom5, "");
- if (sid3 != NULL)
- {
- ZERO_STRUCTP(sid3);
- }
- if (sid5 != NULL)
- {
- ZERO_STRUCTP(sid5);
- }
-
- fstrcpy(srv_name, "\\\\");
- fstrcat(srv_name, global_myname);
- strupper(srv_name);
-
- /* open LSARPC session. */
- res = res ? cli_nt_session_open(&cli, PIPE_LSARPC, &nt_pipe_fnum) : False;
-
- /* lookup domain controller; receive a policy handle */
- res = res ? lsa_open_policy(&cli, nt_pipe_fnum, srv_name, &pol, False) : False;
-
- if (sid3 != NULL)
- {
- /* send client info query, level 3. receive domain name and sid */
- res = res ? lsa_query_info_pol(&cli, nt_pipe_fnum, &pol, 3, dom3, sid3) : False;
- }
-
- if (sid5 != NULL)
- {
- /* send client info query, level 5. receive domain name and sid */
- res = res ? lsa_query_info_pol(&cli, nt_pipe_fnum, &pol, 5, dom5, sid5) : False;
- }
-
- /* close policy handle */
- res = res ? lsa_close(&cli, nt_pipe_fnum, &pol) : False;
-
- /* close the session */
- cli_nt_session_close(&cli, nt_pipe_fnum);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
-
- if (res)
- {
- pstring sid;
- DEBUG(2,("LSA Query Info Policy\n"));
- if (sid3 != NULL)
- {
- sid_to_string(sid, sid3);
- DEBUG(2,("Domain Member - Domain: %s SID: %s\n", dom3, sid));
- }
- if (sid5 != NULL)
- {
- sid_to_string(sid, sid5);
- DEBUG(2,("Domain Controller - Domain: %s SID: %s\n", dom5, sid));
- }
- }
- else
- {
- DEBUG(1,("lsa query info failed\n"));
- }
-
- return res;
-}
/****************************************************************************
creates some useful well known sids
@@ -284,17 +158,12 @@ void generate_wellknown_sids(void)
Generate the global machine sid. Look for the DOMAINNAME.SID file first, if
not found then look in smb.conf and use it to create the DOMAINNAME.SID file.
****************************************************************************/
-BOOL generate_sam_sid(char *domain_name)
+BOOL generate_sam_sid(char *domain_name, DOM_SID *sid)
{
- int fd;
- int i;
char *p;
pstring sid_file;
pstring machine_sid_file;
- fstring sid_string;
fstring file_name;
- SMB_STRUCT_STAT st;
- uchar raw_sid_data[12];
pstrcpy(sid_file, lp_smb_passwd_file());
@@ -341,131 +210,30 @@ BOOL generate_sam_sid(char *domain_name)
}
}
- if ((fd = sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) {
- DEBUG(0,("unable to open or create file %s. Error was %s\n",
- sid_file, strerror(errno) ));
- return False;
- }
-
- /*
- * Check if the file contains data.
- */
-
- if (sys_fstat( fd, &st) < 0) {
- DEBUG(0,("unable to stat file %s. Error was %s\n",
- sid_file, strerror(errno) ));
- close(fd);
- return False;
- }
-
- if (st.st_size > 0) {
- /*
- * We have a valid SID - read it.
- */
- if (!read_sid_from_file( fd, sid_file)) {
- DEBUG(0,("unable to read file %s. Error was %s\n",
- sid_file, strerror(errno) ));
- close(fd);
- return False;
- }
- close(fd);
+ /* attempt to read the SID from the file */
+ if (read_sid(domain_name, sid))
+ {
return True;
- }
-
- /*
- * Generate the new sid data & turn it into a string.
- */
- generate_random_buffer( raw_sid_data, 12, True);
-
- fstrcpy( sid_string, "S-1-5-21");
- for( i = 0; i < 3; i++) {
- fstring tmp_string;
- slprintf( tmp_string, sizeof(tmp_string) - 1, "-%u", IVAL(raw_sid_data, i*4));
- fstrcat( sid_string, tmp_string);
}
-
- fstrcat(sid_string, "\n");
-
- /*
- * Ensure our new SID is valid.
- */
-
- if (!string_to_sid( &global_sam_sid, sid_string)) {
- DEBUG(0,("unable to generate machine SID.\n"));
- return False;
- }
- /*
- * Do an exclusive blocking lock on the file.
- */
-
- if (!do_file_lock( fd, 60, F_WRLCK)) {
- DEBUG(0,("unable to lock file %s. Error was %s\n",
- sid_file, strerror(errno) ));
- close(fd);
- return False;
- }
-
- /*
- * At this point we have a blocking lock on the SID
- * file - check if in the meantime someone else wrote
- * SID data into the file. If so - they were here first,
- * use their data.
- */
-
- if (sys_fstat( fd, &st) < 0) {
- DEBUG(0,("unable to stat file %s. Error was %s\n",
- sid_file, strerror(errno) ));
- close(fd);
+ if (!create_new_sid(sid))
+ {
return False;
- }
+ }
+ /* attempt to read the SID from the file */
+ if (!write_sid(domain_name, sid))
+ {
+ return True;
+ }
- if (st.st_size > 0) {
- /*
- * Unlock as soon as possible to reduce
- * contention on the exclusive lock.
- */
- do_file_lock( fd, 60, F_UNLCK);
-
- /*
- * We have a valid SID - read it.
- */
-
- if (!read_sid_from_file( fd, sid_file)) {
- DEBUG(0,("unable to read file %s. Error was %s\n",
- sid_file, strerror(errno) ));
- close(fd);
- return False;
- }
- close(fd);
+ /* during the attempt to write, someone else wrote? */
+
+ /* attempt to read the SID from the file */
+ if (read_sid(domain_name, sid))
+ {
return True;
- }
-
- /*
- * The file is still empty and we have an exlusive lock on it.
- * Write out out SID data into the file.
- */
-
- if (fchmod(fd, 0644) < 0) {
- DEBUG(0,("unable to set correct permissions on file %s. \
-Error was %s\n", sid_file, strerror(errno) ));
- close(fd);
- return False;
- }
-
- if (write( fd, sid_string, strlen(sid_string)) != strlen(sid_string)) {
- DEBUG(0,("unable to write file %s. Error was %s\n",
- sid_file, strerror(errno) ));
- close(fd);
- return False;
- }
-
- /*
- * Unlock & exit.
- */
-
- do_file_lock( fd, 60, F_UNLCK);
- close(fd);
+ }
+
return True;
}
@@ -630,3 +398,4 @@ BOOL enumdomains(char ***doms, uint32 *num_entries)
return True;
}
+
diff --git a/source3/lib/util_pwdb.c b/source3/lib/util_pwdb.c
index 0bf0cd9c4f..f27cce8fba 100644
--- a/source3/lib/util_pwdb.c
+++ b/source3/lib/util_pwdb.c
@@ -616,7 +616,7 @@ BOOL pwdb_initialise(BOOL is_server)
if (is_server)
{
- if (!generate_sam_sid(global_sam_name))
+ if (!generate_sam_sid(global_sam_name, &global_sam_sid))
{
DEBUG(0,("ERROR: Samba cannot create a SAM SID for its domain (%s).\n",
global_sam_name));
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 295fd0efac..b497a1e455 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -245,3 +245,299 @@ DOM_SID *sid_dup(const DOM_SID *src)
return dst;
}
+
+
+/****************************************************************************
+ Read a SID from a file.
+****************************************************************************/
+
+static BOOL read_sid_from_file(int fd, char *sid_file, DOM_SID *sid)
+{
+ fstring fline;
+ fstring sid_str;
+
+ memset(fline, '\0', sizeof(fline));
+
+ if (read(fd, fline, sizeof(fline) -1 ) < 0) {
+ DEBUG(0,("unable to read file %s. Error was %s\n",
+ sid_file, strerror(errno) ));
+ return False;
+ }
+
+ /*
+ * Convert to the machine SID.
+ */
+
+ fline[sizeof(fline)-1] = '\0';
+ if (!string_to_sid(sid, fline)) {
+ DEBUG(0,("unable to generate machine SID.\n"));
+ return False;
+ }
+
+ sid_to_string(sid_str, sid);
+ DEBUG(5,("read_sid_from_file: sid %s\n", sid_str));
+
+ return True;
+}
+
+/****************************************************************************
+ Generate the global machine sid. Look for the DOMAINNAME.SID file first, if
+ not found then look in smb.conf and use it to create the DOMAINNAME.SID file.
+****************************************************************************/
+BOOL read_sid(char *domain_name, DOM_SID *sid)
+{
+ int fd;
+ char *p;
+ pstring sid_file;
+ fstring sid_string;
+ fstring file_name;
+ SMB_STRUCT_STAT st;
+
+ pstrcpy(sid_file, lp_smb_passwd_file());
+ sid_to_string(sid_string, sid);
+
+ DEBUG(10,("read_sid: Domain: %s SID: %s\n", domain_name, sid_string));
+ fstrcat(sid_string, "\n");
+
+ if (sid_file[0] == 0)
+ {
+ DEBUG(0,("cannot find smb passwd file\n"));
+ return False;
+ }
+
+ p = strrchr(sid_file, '/');
+ if (p != NULL)
+ {
+ *++p = '\0';
+ }
+
+ if (!directory_exist(sid_file, NULL))
+ {
+ if (mkdir(sid_file, 0700) != 0)
+ {
+ DEBUG(0,("can't create private directory %s : %s\n",
+ sid_file, strerror(errno)));
+ return False;
+ }
+ }
+
+ slprintf(file_name, sizeof(file_name)-1, "%s.SID", domain_name);
+ strupper(file_name);
+ pstrcat(sid_file, file_name);
+
+ if ((fd = sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) {
+ DEBUG(0,("unable to open or create file %s. Error was %s\n",
+ sid_file, strerror(errno) ));
+ return False;
+ }
+
+ /*
+ * Check if the file contains data.
+ */
+
+ if (sys_fstat(fd, &st) < 0) {
+ DEBUG(0,("unable to stat file %s. Error was %s\n",
+ sid_file, strerror(errno) ));
+ close(fd);
+ return False;
+ }
+
+ if (st.st_size == 0)
+ {
+ close(fd);
+ return False;
+ }
+
+ /*
+ * We have a valid SID - read it.
+ */
+
+ if (!read_sid_from_file(fd, sid_file, sid))
+ {
+ DEBUG(0,("unable to read file %s. Error was %s\n",
+ sid_file, strerror(errno) ));
+ close(fd);
+ return False;
+ }
+ close(fd);
+ return True;
+}
+
+
+/****************************************************************************
+ Generate the global machine sid. Look for the DOMAINNAME.SID file first, if
+ not found then look in smb.conf and use it to create the DOMAINNAME.SID file.
+****************************************************************************/
+BOOL write_sid(char *domain_name, DOM_SID *sid)
+{
+ int fd;
+ char *p;
+ pstring sid_file;
+ fstring sid_string;
+ fstring file_name;
+ SMB_STRUCT_STAT st;
+
+ pstrcpy(sid_file, lp_smb_passwd_file());
+ sid_to_string(sid_string, sid);
+
+ DEBUG(10,("write_sid: Domain: %s SID: %s\n", domain_name, sid_string));
+ fstrcat(sid_string, "\n");
+
+ if (sid_file[0] == 0)
+ {
+ DEBUG(0,("cannot find smb passwd file\n"));
+ return False;
+ }
+
+ p = strrchr(sid_file, '/');
+ if (p != NULL)
+ {
+ *++p = '\0';
+ }
+
+ if (!directory_exist(sid_file, NULL)) {
+ if (mkdir(sid_file, 0700) != 0) {
+ DEBUG(0,("can't create private directory %s : %s\n",
+ sid_file, strerror(errno)));
+ return False;
+ }
+ }
+
+ slprintf(file_name, sizeof(file_name)-1, "%s.SID", domain_name);
+ strupper(file_name);
+ pstrcat(sid_file, file_name);
+
+ if ((fd = sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) {
+ DEBUG(0,("unable to open or create file %s. Error was %s\n",
+ sid_file, strerror(errno) ));
+ return False;
+ }
+
+ /*
+ * Check if the file contains data.
+ */
+
+ if (sys_fstat(fd, &st) < 0) {
+ DEBUG(0,("unable to stat file %s. Error was %s\n",
+ sid_file, strerror(errno) ));
+ close(fd);
+ return False;
+ }
+
+ if (st.st_size > 0)
+ {
+ /*
+ * We have a valid SID already.
+ */
+ close(fd);
+ DEBUG(0,("SID file %s already exists\n", sid_file));
+ return False;
+ }
+
+ if (!do_file_lock(fd, 60, F_WRLCK))
+ {
+ DEBUG(0,("unable to lock file %s. Error was %s\n",
+ sid_file, strerror(errno) ));
+ close(fd);
+ return False;
+ }
+
+ /*
+ * At this point we have a blocking lock on the SID
+ * file - check if in the meantime someone else wrote
+ * SID data into the file. If so - they were here first,
+ * use their data.
+ */
+
+ if (sys_fstat(fd, &st) < 0)
+ {
+ DEBUG(0,("unable to stat file %s. Error was %s\n",
+ sid_file, strerror(errno) ));
+ close(fd);
+ return False;
+ }
+
+ if (st.st_size > 0)
+ {
+ /*
+ * Unlock as soon as possible to reduce
+ * contention on the exclusive lock.
+ */
+ do_file_lock(fd, 60, F_UNLCK);
+
+ /*
+ * We have a valid SID already.
+ */
+
+ DEBUG(0,("SID file %s already exists\n", sid_file));
+ close(fd);
+ return False;
+ }
+
+ /*
+ * The file is still empty and we have an exlusive lock on it.
+ * Write out out SID data into the file.
+ */
+
+ if (fchmod(fd, 0644) < 0)
+ {
+ DEBUG(0,("unable to set correct permissions on file %s. \
+Error was %s\n", sid_file, strerror(errno) ));
+ close(fd);
+ return False;
+ }
+
+ if (write(fd, sid_string, strlen(sid_string)) != strlen(sid_string))
+ {
+ DEBUG(0,("unable to write file %s. Error was %s\n",
+ sid_file, strerror(errno) ));
+ close(fd);
+ return False;
+ }
+
+ /*
+ * Unlock & exit.
+ */
+
+ do_file_lock(fd, 60, F_UNLCK);
+ close(fd);
+ return True;
+}
+
+/****************************************************************************
+create a random SID.
+****************************************************************************/
+BOOL create_new_sid(DOM_SID *sid)
+{
+ uchar raw_sid_data[12];
+ fstring sid_string;
+ int i;
+
+ /*
+ * Generate the new sid data & turn it into a string.
+ */
+ generate_random_buffer(raw_sid_data, 12, True);
+
+ fstrcpy(sid_string, "S-1-5-21");
+ for(i = 0; i < 3; i++)
+ {
+ fstring tmp_string;
+ slprintf(tmp_string, sizeof(tmp_string) - 1, "-%u", IVAL(raw_sid_data, i*4));
+ fstrcat(sid_string, tmp_string);
+ }
+
+ fstrcat(sid_string, "\n");
+
+ /*
+ * Ensure our new SID is valid.
+ */
+
+ if (!string_to_sid(sid, sid_string))
+ {
+ DEBUG(0,("unable to generate machine SID.\n"));
+ return False;
+ }
+
+ return True;
+}
+