authorGerald Carter <jerry@samba.org>2006-02-03 22:19:41 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:06:23 -0500
commit0af1500fc0bafe61019f1b2ab1d9e1d369221240 (patch)
tree653fc2533795458d5f9696402285d9f14e527a21 /source3/libsmb
parent21a30a1346c9f9a25659a0cea0d276d8c2e6ddca (diff)
r13316: Let the carnage begin....
Sync with trunk as of r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
Diffstat (limited to 'source3/libsmb')
-rw-r--r--source3/libsmb/cliconnect.c2
-rw-r--r--source3/libsmb/clidfs.c22
-rw-r--r--source3/libsmb/clientgen.c8
-rw-r--r--source3/libsmb/clikrb5.c171
-rw-r--r--source3/libsmb/clilist.c6
-rw-r--r--source3/libsmb/clispnego.c2
-rw-r--r--source3/libsmb/conncache.c36
-rw-r--r--source3/libsmb/errormap.c15
-rw-r--r--source3/libsmb/gpo.c167
-rw-r--r--source3/libsmb/libsmbclient.c13
-rw-r--r--source3/libsmb/passchange.c40
11 files changed, 418 insertions, 64 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 7c15c8d19f..6f32fb1b5d 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -756,7 +756,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
int ret;
use_in_memory_ccache();
- ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL);
+ ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL, NULL, False, 0);
if (ret){
SAFE_FREE(principal);
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 51f21397f7..c5cf75783b 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -682,12 +682,15 @@ BOOL cli_check_msdfs_proxy( struct cli_state *cli, const char *sharename,
CLIENT_DFS_REFERRAL *refs = NULL;
size_t num_refs;
uint16 consumed;
- struct cli_state *cli_ipc;
pstring fullpath;
+ BOOL res;
+ uint16 cnum;
if ( !cli || !sharename )
return False;
+ cnum = cli->cnum;
+
/* special case. never check for a referral on the IPC$ share */
if ( strequal( sharename, "IPC$" ) )
@@ -699,12 +702,19 @@ BOOL cli_check_msdfs_proxy( struct cli_state *cli, const char *sharename,
/* check for the referral */
- if ( !(cli_ipc = cli_cm_open( cli->desthost, "IPC$", False )) )
+ if (!cli_send_tconX(cli, "IPC$", "IPC", NULL, 0)) {
return False;
-
- if ( !cli_dfs_get_referral(cli_ipc, fullpath, &refs, &num_refs, &consumed)
- || !num_refs )
- {
+ }
+
+ res = cli_dfs_get_referral(cli, fullpath, &refs, &num_refs, &consumed);
+
+ if (!cli_tdis(cli)) {
+ return False;
+ }
+
+ cli->cnum = cnum;
+
+ if (!res || !num_refs ) {
return False;
}
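Review bot: The early `return False` taken when `cli_tdis(cli)` fails skips the `cli->cnum = cnum;` restore that follows it, so the caller's connection would keep whatever tree id the IPC$ `cli_send_tconX` installed (the save/restore around the call implies it overwrites `cli->cnum`). Later requests on `cli` would then address the wrong tree or a dead one. Restore before failing, e.g. `if (!cli_tdis(cli)) { cli->cnum = cnum; return False; }`. cli_check_msdfs_proxy starts and ends outside this hunk, so whether `refs` needs freeing on these paths cannot be judged from here.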
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 2f980adcf8..55addd44a6 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -353,11 +353,14 @@ struct cli_state *cli_initialise(struct cli_state *cli)
/****************************************************************************
External interface.
Close an open named pipe over SMB. Free any authentication data.
+ Returns False if the cli_close call failed.
****************************************************************************/
-void cli_rpc_pipe_close(struct rpc_pipe_client *cli)
+BOOL cli_rpc_pipe_close(struct rpc_pipe_client *cli)
{
- if (!cli_close(cli->cli, cli->fnum)) {
+ BOOL ret = cli_close(cli->cli, cli->fnum);
+
+ if (!ret) {
DEBUG(0,("cli_rpc_pipe_close: cli_close failed on pipe %s, "
"fnum 0x%x "
"to machine %s. Error was %s\n",
@@ -376,6 +379,7 @@ void cli_rpc_pipe_close(struct rpc_pipe_client *cli)
DLIST_REMOVE(cli->cli->pipe_list, cli);
talloc_destroy(cli->mem_ctx);
+ return ret;
}
/****************************************************************************
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index e0dcefeb1d..55a705d7f0 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -409,9 +409,10 @@ static BOOL ads_cleanup_expired_creds(krb5_context context,
krb5_creds *credsp)
{
krb5_error_code retval;
+ const char *cc_type = krb5_cc_get_type(context, ccache);
- DEBUG(3, ("Ticket in ccache[%s] expiration %s\n",
- krb5_cc_default_name(context),
+ DEBUG(3, ("ads_cleanup_expired_creds: Ticket in ccache[%s:%s] expiration %s\n",
+ cc_type, krb5_cc_get_name(context, ccache),
http_timestring(credsp->times.endtime)));
/* we will probably need new tickets if the current ones
@@ -425,11 +426,11 @@ static BOOL ads_cleanup_expired_creds(krb5_context context,
use memory ccaches, and a FILE one probably means that
we're using creds obtained outside of our exectuable
*/
- if (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE") == 0) {
- DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a FILE ccache\n"));
+ if (strequal(cc_type, "KCM") || strequal(cc_type, "FILE")) {
+ DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a %s ccache\n", cc_type));
return False;
}
-
+
retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
if (retval) {
DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
@@ -467,7 +468,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
/* obtain ticket & session key */
ZERO_STRUCT(creds);
if ((retval = krb5_copy_principal(context, server, &creds.server))) {
- DEBUG(1,("krb5_copy_principal failed (%s)\n",
+ DEBUG(1,("ads_krb5_mk_req: krb5_copy_principal failed (%s)\n",
error_message(retval)));
goto cleanup_princ;
}
@@ -502,8 +503,8 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
i++;
}
- DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s) is valid until: (%s - %u)\n",
- principal, krb5_cc_default_name(context),
+ DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s:%s) is valid until: (%s - %u)\n",
+ principal, krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache),
http_timestring((unsigned)credsp->times.endtime),
(unsigned)credsp->times.endtime));
@@ -530,7 +531,8 @@ cleanup_princ:
get a kerberos5 ticket for the given service
*/
int cli_krb5_get_ticket(const char *principal, time_t time_offset,
- DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts)
+ DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
+ uint32 extra_ap_opts, const char *ccname)
{
krb5_error_code retval;
krb5_data packet;
@@ -544,7 +546,7 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset,
ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES_CBC_CRC,
ENCTYPE_NULL};
-
+
initialize_krb5_error_table();
retval = krb5_init_context(&context);
if (retval) {
@@ -557,7 +559,8 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset,
krb5_set_real_time(context, time(NULL) + time_offset, 0);
}
- if ((retval = krb5_cc_default(context, &ccdef))) {
+ if ((retval = krb5_cc_resolve(context, ccname ?
+ ccname : krb5_cc_default_name(context), &ccdef))) {
DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n",
error_message(retval)));
goto failed;
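Review bot: The DEBUG text on this failure path still reads `krb5_cc_default failed` although the call is now `krb5_cc_resolve` on a caller-supplied `ccname`, which will mislead anyone diagnosing a wrong or unreadable cache name. Suggest `DEBUG(1,("cli_krb5_get_ticket: krb5_cc_resolve(%s) failed (%s)\n", ccname ? ccname : "default", error_message(retval)));`. The rest of cli_krb5_get_ticket lies outside the hunk.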
@@ -991,10 +994,154 @@ out:
#endif
}
+ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, /* FILE:/tmp/krb5cc_0 */
+ const char *client_string, /* gd@BER.SUSE.DE */
+ const char *service_string, /* krbtgt/BER.SUSE.DE@BER.SUSE.DE */
+ time_t *new_start_time)
+{
+ krb5_error_code ret;
+ krb5_context context = NULL;
+ krb5_ccache ccache = NULL;
+ krb5_principal client = NULL;
+
+ initialize_krb5_error_table();
+ ret = krb5_init_context(&context);
+ if (ret) {
+ goto done;
+ }
+
+ if (!ccache_string) {
+ ccache_string = krb5_cc_default_name(context);
+ }
+
+ DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
+
+ /* FIXME: we should not fall back to defaults */
+ ret = krb5_cc_resolve(context, CONST_DISCARD(char *, ccache_string), &ccache);
+ if (ret) {
+ goto done;
+ }
+
+#ifdef HAVE_KRB5_GET_RENEWED_CREDS /* MIT */
+ {
+ krb5_creds creds;
+
+ if (client_string) {
+ ret = krb5_parse_name(context, client_string, &client);
+ if (ret) {
+ goto done;
+ }
+ } else {
+ ret = krb5_cc_get_principal(context, ccache, &client);
+ if (ret) {
+ goto done;
+ }
+ }
+
+ ret = krb5_get_renewed_creds(context, &creds, client, ccache, CONST_DISCARD(char *, service_string));
+ if (ret) {
+ DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
+ goto done;
+ }
+
+ /* hm, doesn't that create a new one if the old one wasn't there? - Guenther */
+ ret = krb5_cc_initialize(context, ccache, client);
+ if (ret) {
+ goto done;
+ }
+
+ ret = krb5_cc_store_cred(context, ccache, &creds);
+
+ if (new_start_time) {
+ *new_start_time = (time_t) creds.times.renew_till;
+ }
+
+ krb5_free_cred_contents(context, &creds);
+ }
+#elif defined(HAVE_KRB5_GET_KDC_CRED) /* Heimdal */
+ {
+ krb5_kdc_flags flags;
+ krb5_creds creds_in;
+ krb5_realm *client_realm;
+ krb5_creds *creds;
+
+ memset(&creds_in, 0, sizeof(creds_in));
+
+ if (client_string) {
+ ret = krb5_parse_name(context, client_string, &creds_in.client);
+ if (ret) {
+ goto done;
+ }
+ } else {
+ ret = krb5_cc_get_principal(context, ccache, &creds_in.client);
+ if (ret) {
+ goto done;
+ }
+ }
+
+ if (service_string) {
+ ret = krb5_parse_name(context, service_string, &creds_in.server);
+ if (ret) {
+ goto done;
+ }
+ } else {
+ /* build tgt service by default */
+ client_realm = krb5_princ_realm(context, client);
+ ret = krb5_make_principal(context, &creds_in.server, *client_realm, KRB5_TGS_NAME, *client_realm, NULL);
+ if (ret) {
+ goto done;
+ }
+ }
+
+ flags.i = 0;
+ flags.b.renewable = flags.b.renew = True;
+
+ ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &creds_in, &creds);
+ if (ret) {
+ DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
+ goto done;
+ }
+
+ /* hm, doesn't that create a new one if the old one wasn't there? - Guenther */
+ ret = krb5_cc_initialize(context, ccache, creds_in.client);
+ if (ret) {
+ goto done;
+ }
+
+ ret = krb5_cc_store_cred(context, ccache, creds);
+
+ if (new_start_time) {
+ *new_start_time = (time_t) creds->times.renew_till;
+ }
+
+ krb5_free_cred_contents(context, &creds_in);
+ krb5_free_creds(context, creds);
+ }
+#else
+#error No suitable krb5 ticket renew function available
+#endif
+
+
+done:
+ if (client) {
+ krb5_free_principal(context, client);
+ }
+ if (context) {
+ krb5_free_context(context);
+ }
+ if (ccache) {
+ krb5_cc_close(context, ccache);
+ }
+
+ return ret;
+
+}
+
#else /* HAVE_KRB5 */
/* this saves a few linking headaches */
int cli_krb5_get_ticket(const char *principal, time_t time_offset,
- DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts)
+ DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts,
+ const char *ccname)
{
DEBUG(0,("NO KERBEROS SUPPORT\n"));
return 1;
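Review bot: The `done:` block of smb_krb5_renew_ticket calls `krb5_free_context(context)` before `krb5_cc_close(context, ccache)`, so the cache is closed through a context that has already been freed; the close has to come first. In the Heimdal branch the default-service path calls `krb5_princ_realm(context, client)`, but `client` is never assigned in that branch (the parsed principal lives in `creds_in.client`), so it would be passed NULL. Both branches also jump to `done` when `krb5_cc_initialize` fails without releasing the credentials just obtained, and the MIT debug message names `krb5_get_kdc_cred` for a `krb5_get_renewed_creds` failure. The fence shows only the realm fix and the reordered cleanup.

```c
		} else {
			/* build tgt service by default */
			client_realm = krb5_princ_realm(context, creds_in.client);
			/* … unchanged: krb5_make_principal call and its error check … */
		}

/* … unchanged: renewal request, krb5_cc_initialize, krb5_cc_store_cred … */

done:
	if (client) {
		krb5_free_principal(context, client);
	}
	/* close the ccache while the context it was resolved with still exists */
	if (ccache) {
		krb5_cc_close(context, ccache);
	}
	if (context) {
		krb5_free_context(context);
	}

	return ret;
```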
diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index 48780e28df..252dafcfa8 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -169,7 +169,11 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f
int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute,
void (*fn)(const char *, file_info *, const char *, void *), void *state)
{
- int max_matches = 1366;
+#if 1
+ int max_matches = 1366; /* Match W2k - was 512. */
+#else
+ int max_matches = 512;
+#endif
int info_level;
char *p, *p2;
pstring mask;
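Review bot: The `#if 1` / `#else` pair in cli_list_new keeps a second `max_matches` definition that can never be compiled, which reads as an unfinished experiment rather than a decision. A single line carrying the explanation is enough: `int max_matches = 1366; /* Match W2k - was 512. */`. The body of cli_list_new continues past the end of the hunk.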
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index cc481a066a..13bf1a866c 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -333,7 +333,7 @@ int spnego_gen_negTokenTarg(const char *principal, int time_offset,
/* get a kerberos ticket for the service and extract the session key */
retval = cli_krb5_get_ticket(principal, time_offset,
- &tkt, session_key_krb5, extra_ap_opts);
+ &tkt, session_key_krb5, extra_ap_opts, NULL);
if (retval)
return retval;
diff --git a/source3/libsmb/conncache.c b/source3/libsmb/conncache.c
index 2af4d57b80..49512d7a2e 100644
--- a/source3/libsmb/conncache.c
+++ b/source3/libsmb/conncache.c
@@ -25,8 +25,6 @@
#include "includes.h"
-#define FAILED_CONNECTION_CACHE_TIMEOUT 30 /* Seconds between attempts */
-
#define CONNCACHE_ADDR 1
#define CONNCACHE_NAME 2
@@ -44,10 +42,13 @@ struct failed_connection_cache {
static struct failed_connection_cache *failed_connection_cache;
/**********************************************************************
- Check for a previously failed connection
+ Check for a previously failed connection.
+ failed_cache_timeout is an a absolute number of seconds after which
+ we should time this out. If failed_cache_timeout == 0 then time out
+ immediately. If failed_cache_timeout == -1 then never time out.
**********************************************************************/
-NTSTATUS check_negative_conn_cache( const char *domain, const char *server )
+NTSTATUS check_negative_conn_cache_timeout( const char *domain, const char *server, unsigned int failed_cache_timeout )
{
struct failed_connection_cache *fcc;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
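Review bot: The header comment documents `failed_cache_timeout == -1` as "never time out", but the parameter is `unsigned int`, so a caller has to know to pass `(unsigned int)-1`; a named constant next to the function's declaration would make that sentinel explicit. The same comment has a typo, "is an a absolute number", which should read "is an absolute number". The DEBUG text in the following hunk still names `check_negative_conn_cache` although it now fires from `check_negative_conn_cache_timeout`.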
@@ -59,22 +60,24 @@ NTSTATUS check_negative_conn_cache( const char *domain, const char *server )
for (fcc = failed_connection_cache; fcc; fcc = fcc->next) {
- if ( !(strequal(domain, fcc->domain_name) && strequal(server, fcc->controller)) )
+ if (!(strequal(domain, fcc->domain_name) && strequal(server, fcc->controller))) {
continue; /* no match; check the next entry */
+ }
/* we have a match so see if it is still current */
+ if (failed_cache_timeout != (unsigned int)-1) {
+ if (failed_cache_timeout == 0 ||
+ (time(NULL) - fcc->lookup_time) > (time_t)failed_cache_timeout) {
+ /* Cache entry has expired, delete it */
- if ((time(NULL) - fcc->lookup_time) > FAILED_CONNECTION_CACHE_TIMEOUT)
- {
- /* Cache entry has expired, delete it */
-
- DEBUG(10, ("check_negative_conn_cache: cache entry expired for %s, %s\n",
- domain, server ));
+ DEBUG(10, ("check_negative_conn_cache: cache entry expired for %s, %s\n",
+ domain, server ));
- DLIST_REMOVE(failed_connection_cache, fcc);
- SAFE_FREE(fcc);
+ DLIST_REMOVE(failed_connection_cache, fcc);
+ SAFE_FREE(fcc);
- return NT_STATUS_OK;
+ return NT_STATUS_OK;
+ }
}
/* The timeout hasn't expired yet so return false */
@@ -90,6 +93,11 @@ NTSTATUS check_negative_conn_cache( const char *domain, const char *server )
return NT_STATUS_OK;
}
+NTSTATUS check_negative_conn_cache( const char *domain, const char *server)
+{
+ return check_negative_conn_cache_timeout(domain, server, FAILED_CONNECTION_CACHE_TIMEOUT);
+}
+
/**********************************************************************
Add an entry to the failed conneciton cache (aither a name of dotted
decimal IP
diff --git a/source3/libsmb/errormap.c b/source3/libsmb/errormap.c
index 3c0b13ad6f..f6b5af068a 100644
--- a/source3/libsmb/errormap.c
+++ b/source3/libsmb/errormap.c
@@ -1411,6 +1411,13 @@ static const struct {
{NT_STATUS(0x80000289), W_ERROR(0x48e)},
{NT_STATUS_OK, WERR_OK}};
+static const struct {
+ WERROR werror;
+ NTSTATUS ntstatus;
+} werror_to_ntstatus_map[] = {
+ { W_ERROR(0x5), NT_STATUS_ACCESS_DENIED },
+ { WERR_OK, NT_STATUS_OK }
+};
/*****************************************************************************
convert a dos eclas/ecode to a NT status32 code
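Review bot: `werror_to_ntstatus_map` has no comment saying why it exists alongside `ntstatus_to_werror_map`. The second hunk shows it is searched first in werror_to_ntstatus(), so it presumably overrides the result the reverse search would give for those WERROR values. A comment above the table would record that, for example `/* Explicit WERROR -> NTSTATUS overrides, consulted before the reverse search of ntstatus_to_werror_map. */`.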
@@ -1460,6 +1467,14 @@ NTSTATUS werror_to_ntstatus(WERROR error)
{
int i;
if (W_ERROR_IS_OK(error)) return NT_STATUS_OK;
+
+ for (i=0; !W_ERROR_IS_OK(werror_to_ntstatus_map[i].werror); i++) {
+ if (W_ERROR_V(error) ==
+ W_ERROR_V(werror_to_ntstatus_map[i].werror)) {
+ return werror_to_ntstatus_map[i].ntstatus;
+ }
+ }
+
for (i=0; NT_STATUS_V(ntstatus_to_werror_map[i].ntstatus); i++) {
if (W_ERROR_V(error) ==
W_ERROR_V(ntstatus_to_werror_map[i].werror)) {
diff --git a/source3/libsmb/gpo.c b/source3/libsmb/gpo.c
new file mode 100644
index 0000000000..0257138ece
--- /dev/null
+++ b/source3/libsmb/gpo.c
@@ -0,0 +1,167 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Object Support
+ * Copyright (C) Guenther Deschner 2005
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+#define GPT_INI_SECTION_GENERAL "General"
+#define GPT_INI_PARAMETER_VERSION "Version"
+#define GPT_INI_PARAMETER_DISPLAYNAME "displayName"
+
+struct gpt_ini {
+ uint32 version;
+ const char *display_name;
+};
+
+static uint32 version;
+
+static BOOL do_section(const char *section)
+{
+ DEBUG(10,("do_section: %s\n", section));
+
+ return True;
+}
+
+static BOOL do_parameter(const char *parameter, const char *value)
+{
+ DEBUG(10,("do_parameter: %s, %s\n", parameter, value));
+
+ if (strequal(parameter, GPT_INI_PARAMETER_VERSION)) {
+ version = atoi(value);
+ }
+ return True;
+}
+
+NTSTATUS ads_gpo_get_sysvol_gpt_version(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *filesyspath,
+ uint32 *sysvol_version)
+{
+ NTSTATUS status;
+ const char *path;
+ struct cli_state *cli;
+ int fnum;
+ fstring tok;
+ static int io_bufsize = 64512;
+ int read_size = io_bufsize;
+ char *data = NULL;
+ off_t start = 0;
+ off_t nread = 0;
+ int handle = 0;
+ const char *local_file;
+
+ *sysvol_version = 0;
+
+ next_token(&filesyspath, tok, "\\", sizeof(tok));
+ next_token(&filesyspath, tok, "\\", sizeof(tok));
+
+ path = talloc_asprintf(mem_ctx, "\\%s\\gpt.ini", filesyspath);
+ if (path == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ local_file = talloc_asprintf(mem_ctx, "%s/%s", lock_path("gpo_cache"), "gpt.ini");
+ if (local_file == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* FIXME: walk down the dfs tree instead */
+ status = cli_full_connection(&cli, global_myname(),
+ ads->config.ldap_server_name,
+ NULL, 0,
+ "SYSVOL", "A:",
+ ads->auth.user_name, NULL, ads->auth.password,
+ CLI_FULL_CONNECTION_USE_KERBEROS,
+ Undefined, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ fnum = cli_open(cli, path, O_RDONLY, DENY_NONE);
+ if (fnum == -1) {
+ return NT_STATUS_NO_SUCH_FILE;
+ }
+
+
+ data = (char *)SMB_MALLOC(read_size);
+ if (data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ handle = sys_open(local_file, O_WRONLY|O_CREAT|O_TRUNC, 0644);
+
+ if (handle == -1) {
+ return NT_STATUS_NO_SUCH_FILE;
+ }
+
+ while (1) {
+
+ int n = cli_read(cli, fnum, data, nread + start, read_size);
+
+ if (n <= 0)
+ break;
+
+ if (write(handle, data, n) != n) {
+ break;
+ }
+
+ nread += n;
+ }
+
+ cli_close(cli, fnum);
+
+ if (!pm_process(local_file, do_section, do_parameter)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ *sysvol_version = version;
+
+ SAFE_FREE(data);
+
+ cli_shutdown(cli);
+
+ return NT_STATUS_OK;
+}
+
+/*
+
+perfectly parseable with pm_process() :))
+
+[Unicode]
+Unicode=yes
+[System Access]
+MinimumPasswordAge = 1
+MaximumPasswordAge = 42
+MinimumPasswordLength = 7
+PasswordComplexity = 1
+PasswordHistorySize = 24
+LockoutBadCount = 0
+RequireLogonToChangePassword = 0
+ForceLogoffWhenHourExpire = 0
+ClearTextPassword = 0
+[Kerberos Policy]
+MaxTicketAge = 10
+MaxRenewAge = 7
+MaxServiceAge = 600
+MaxClockSkew = 5
+TicketValidateClient = 1
+[Version]
+signature="$CHICAGO$"
+Revision=1
+*/
diff --git a/source3/libsmb/libsmbclient.c b/source3/libsmb/libsmbclient.c
index 44cb43c285..03dbd71e93 100644
--- a/source3/libsmb/libsmbclient.c
+++ b/source3/libsmb/libsmbclient.c
@@ -3734,7 +3734,7 @@ convert_string_to_sid(struct cli_state *ipc_cli,
}
if (!NT_STATUS_IS_OK(rpccli_lsa_lookup_names(pipe_hnd, ipc_cli->mem_ctx,
- pol, 1, &str, &sids,
+ pol, 1, &str, NULL, &sids,
&types))) {
result = False;
goto done;
@@ -5927,22 +5927,14 @@ smbc_free_context(SMBCCTX *context,
void
smbc_option_set(SMBCCTX *context,
char *option_name,
- ...)
+ void *option_value)
{
- va_list args;
-
- va_start(args, option_name);
-
if (strcmp(option_name, "debug_stderr") == 0) {
/*
* Log to standard error instead of standard output.
- *
- * optional parameters: none (it can't be turned off once on)
*/
context->internal->_debug_stderr = True;
}
-
- va_end(args);
}
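Review bot: `option_value` is accepted by smbc_option_set but never read, and the comment that described the option's arguments was removed, so nothing tells a caller what to pass for `debug_stderr`. Suggest a comment in the `debug_stderr` branch such as `/* option_value is ignored; the option cannot be turned off once set */`. Replacing the variadic parameter with `void *` also changes the calling convention of what looks like an exported libsmbclient function, so callers built against the variadic form would need rebuilding.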
@@ -5991,6 +5983,7 @@ smbc_init_context(SMBCCTX *context)
DEBUGLEVEL = context->debug;
load_case_tables();
+ setup_logging( "libsmbclient", True);
setup_logging("libsmbclient", True);
if (context->internal->_debug_stderr) {
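Review bot: The added `setup_logging( "libsmbclient", True);` sits directly above an existing, identical `setup_logging("libsmbclient", True);`, so smbc_init_context now initialises logging twice; this looks like a merge artefact. Drop the added line and keep the original call. The surrounding function body lies outside the hunk.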
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index 8b811b06ea..673671d28d 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -24,7 +24,7 @@
Change a password on a remote machine using IPC calls.
*************************************************************/
-BOOL remote_password_change(const char *remote_machine, const char *user_name,
+NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
const char *old_passwd, const char *new_passwd,
char *err_str, size_t err_str_len)
{
@@ -41,7 +41,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
if(!resolve_name( remote_machine, &ip, 0x20)) {
slprintf(err_str, err_str_len-1, "unable to find an IP address for machine %s.\n",
remote_machine );
- return False;
+ return NT_STATUS_UNSUCCESSFUL;
}
ZERO_STRUCT(cli);
@@ -49,7 +49,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
if (!cli_initialise(&cli) || !cli_connect(&cli, remote_machine, &ip)) {
slprintf(err_str, err_str_len-1, "unable to connect to SMB server on machine %s. Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
- return False;
+ return NT_STATUS_UNSUCCESSFUL;
}
make_nmb_name(&calling, global_myname() , 0x0);
@@ -59,7 +59,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
slprintf(err_str, err_str_len-1, "machine %s rejected the session setup. Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
cli_shutdown(&cli);
- return False;
+ return NT_STATUS_UNSUCCESSFUL;
}
cli.protocol = PROTOCOL_NT1;
@@ -67,8 +67,9 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
if (!cli_negprot(&cli)) {
slprintf(err_str, err_str_len-1, "machine %s rejected the negotiate protocol. Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
+ result = cli_nt_error(&cli);
cli_shutdown(&cli);
- return False;
+ return result;
}
/* Given things like SMB signing, restrict anonymous and the like,
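Review bot: Now that remote_password_change returns NTSTATUS, each failure path that does `result = cli_nt_error(&cli);` and then `return result;` (here after cli_negprot, and again in the later hunks for the anonymous session setup, the IPC$ tconX and the LANMAN change) relies on cli_nt_error() yielding an error status. If it can yield NT_STATUS_OK, for example when the call failed locally before the server sent an error reply (not checkable from this page), a failed password change would be reported to callers as success. A guard before each of these returns keeps the failure visible: `if (NT_STATUS_IS_OK(result)) result = NT_STATUS_UNSUCCESSFUL;`.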
@@ -90,7 +91,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
"connect to machine %s: %s\n",
remote_machine, cli_errstr(&cli));
cli_shutdown(&cli);
- return False;
+ return result;
}
pass_must_change = True;
@@ -105,8 +106,9 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
slprintf(err_str, err_str_len-1, "machine %s rejected the session setup. Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
+ result = cli_nt_error(&cli);
cli_shutdown(&cli);
- return False;
+ return result;
}
cli_init_creds(&cli, "", "", NULL);
@@ -117,8 +119,9 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
slprintf(err_str, err_str_len-1, "machine %s rejected the tconX on the IPC$ share. Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
+ result = cli_nt_error(&cli);
cli_shutdown(&cli);
- return False;
+ return result;
}
/* Try not to give the password away too easily */
@@ -149,16 +152,18 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
if (!cli_oem_change_password(&cli, user_name, new_passwd, old_passwd)) {
slprintf(err_str, err_str_len-1, "machine %s rejected the password change: Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
+ result = cli_nt_error(&cli);
cli_shutdown(&cli);
- return False;
+ return result;
}
} else {
slprintf(err_str, err_str_len-1,
"SAMR connection to machine %s failed. Error was %s, "
"but LANMAN password changed are disabled\n",
nt_errstr(result), remote_machine);
+ result = cli_nt_error(&cli);
cli_shutdown(&cli);
- return False;
+ return result;
}
}
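Review bot: In the `else` branch the message is formatted from the status held in `result` (apparently the SAMR failure), and the added `result = cli_nt_error(&cli);` then replaces it with whatever the last SMB reply carried, so the caller receives a different error from the one just reported. The parallel branch at the end of the function returns `NT_STATUS_UNSUCCESSFUL` instead; dropping the added assignment here and returning the SAMR status would keep the two consistent. The slprintf arguments on the context lines are also in the wrong order for the format "machine %s failed. Error was %s": `nt_errstr(result), remote_machine` should be `remote_machine, nt_errstr(result)`.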
@@ -166,7 +171,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
new_passwd, old_passwd))) {
/* Great - it all worked! */
cli_shutdown(&cli);
- return True;
+ return NT_STATUS_OK;
} else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
|| NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
@@ -175,7 +180,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
slprintf(err_str, err_str_len-1, "machine %s rejected the password change: Error was : %s.\n",
remote_machine, get_friendly_nt_error_msg(result));
cli_shutdown(&cli);
- return False;
+ return result;
}
/* OK, that failed, so try again... */
@@ -197,7 +202,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
old_passwd)))) {
/* Great - it all worked! */
cli_shutdown(&cli);
- return True;
+ return NT_STATUS_OK;
} else {
if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
|| NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
@@ -207,7 +212,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
"machine %s rejected the (anonymous) password change: Error was : %s.\n",
remote_machine, get_friendly_nt_error_msg(result));
cli_shutdown(&cli);
- return False;
+ return result;
}
/* We have failed to change the user's password, and we think the server
@@ -219,20 +224,21 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
/* SAMR failed, but the old LanMan protocol worked! */
cli_shutdown(&cli);
- return True;
+ return NT_STATUS_OK;
}
slprintf(err_str, err_str_len-1,
"machine %s rejected the password change: Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
+ result = cli_nt_error(&cli);
cli_shutdown(&cli);
- return False;
+ return result;
} else {
slprintf(err_str, err_str_len-1,
"SAMR connection to machine %s failed. Error was %s, "
"but LANMAN password changed are disabled\n",
nt_errstr(result), remote_machine);
cli_shutdown(&cli);
- return False;
+ return NT_STATUS_UNSUCCESSFUL;
}
}
}