Merge HEAD's winbind into 3.0.

This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code,
the winbind_idmap abstraction (not idmap proper, but the stuff that held up
the winbind LDAP backend in HEAD).

Andrew Bartlett
(This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)

2 files changed, 25 insertions, 136 deletions

diff --git a/source3/libsmb/netlogon_unigrp.c b/source3/libsmb/netlogon_unigrp.c
index fa2fe32f35..466410d800 100644
--- a/source3/libsmb/netlogon_unigrp.c
+++ b/source3/libsmb/netlogon_unigrp.c
@@ -22,6 +22,7 @@
 */
 
 #include "includes.h"
+#define UNIGROUP_PREFIX "UNIGROUP"
 
 /*
     Handle for netlogon_unigrp.tdb database. It is used internally
@@ -50,17 +51,22 @@ BOOL uni_group_cache_init(void)
 BOOL  uni_group_cache_store_netlogon(TALLOC_CTX *mem_ctx, NET_USER_INFO_3 *user)
 {
 	TDB_DATA key,data;
-        fstring keystr;
-        int i;
+        fstring keystr, sid_string;
+	DOM_SID user_sid;
+        unsigned int i;
 
 	if (!uni_group_cache_init()) {
 		DEBUG(0,("uni_group_cache_store_netlogon: cannot open netlogon_unigrp.tdb for write!\n"));
 		return False;
 	}
 
-	/* Prepare key as DOMAIN-SID/USER-RID string */
-	slprintf(keystr, sizeof(keystr), "%s/%d", 
-		 sid_string_static(&user->dom_sid.sid), user->user_rid);
+	sid_copy(&user_sid, &user->dom_sid.sid);
+	sid_append_rid(&user_sid, user->user_rid);
+
+	/* Prepare key as USER-SID string */
+	slprintf(keystr, sizeof(keystr), "%s/%s",
+		 UNIGROUP_PREFIX,
+		 sid_to_string(sid_string, &user_sid));
 	key.dptr = keystr;
 	key.dsize = strlen(keystr) + 1;
 	
@@ -90,14 +96,15 @@ BOOL  uni_group_cache_store_netlogon(TALLOC_CTX *mem_ctx, NET_USER_INFO_3 *user)
     and elements are array[0] ... array[num_elements-1]
     
 */
-uint32* uni_group_cache_fetch(DOM_SID *domain, uint32 user_rid,
+DOM_SID **uni_group_cache_fetch(DOM_SID *domain, DOM_SID *user_sid,
 			      TALLOC_CTX *mem_ctx, uint32 *num_groups)
 {
 	TDB_DATA key,data;
 	fstring keystr;
-	uint32 *groups;
+	DOM_SID **groups;
 	uint32 i;
 	uint32 group_count;
+	fstring sid_string;
 	
 	if (!domain) {
 		DEBUG(1,("uni_group_cache_fetch: expected non-null domain sid\n"));
@@ -123,8 +130,9 @@ uint32* uni_group_cache_fetch(DOM_SID *domain, uint32 user_rid,
 	*num_groups = 0;
 	
 	/* Fetch universal groups */
-	slprintf(keystr, sizeof(keystr), "%s/%d", 
-		 sid_string_static(domain), user_rid);
+	slprintf(keystr, sizeof(keystr), "%s/%s", 
+		 UNIGROUP_PREFIX,
+		 sid_to_string(sid_string, user_sid));
 	key.dptr = keystr;
 	key.dsize = strlen(keystr) + 1;
 	data = tdb_fetch(netlogon_unigrp_tdb, key);
@@ -136,12 +144,17 @@ uint32* uni_group_cache_fetch(DOM_SID *domain, uint32 user_rid,
 	
 	/* Transfer data to receiver's memory context */
 	group_count = IVAL(&((uint32*)data.dptr)[0],0);
-	groups = talloc(mem_ctx, (group_count)*sizeof(uint32));
+	groups = talloc(mem_ctx, (group_count)*sizeof(*groups));
 	if (groups) {
 		for(i=0; i<group_count; i++) {
-			groups[i] = IVAL(&((uint32*)data.dptr)[i+1],0);
+			groups[i] = talloc(mem_ctx, sizeof(**groups));
+			if (!groups[i]) {
+				DEBUG(1,("uni_group_cache_fetch: cannot allocate uni groups in receiver's memory context\n"));
+				return NULL;
+			}
+			sid_copy(groups[i], domain);
+			sid_append_rid(groups[i], IVAL(&((uint32*)data.dptr)[i+1],0));
 		}
-		
 	} else {
 		DEBUG(1,("uni_group_cache_fetch: cannot allocate uni groups in receiver's memory context\n"));
 	}
diff --git a/source3/libsmb/trust_passwd.c b/source3/libsmb/trust_passwd.c
deleted file mode 100644
index 0d015128a6..0000000000
--- a/source3/libsmb/trust_passwd.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* 
- *  Unix SMB/CIFS implementation.
- *  Routines to operate on various trust relationships
- *  Copyright (C) Andrew Bartlett                   2001
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *  
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *  
- *  You should have received a copy of the GNU General Public License
- *  along with this program; if not, write to the Free Software
- *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- */
-
-#include "includes.h"
-
-/*********************************************************
- Change the domain password on the PDC.
-
- Just changes the password betwen the two values specified.
-
- Caller must have the cli connected to the netlogon pipe
- already.
-**********************************************************/
-static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_ctx, 
-					 unsigned char orig_trust_passwd_hash[16],
-					 unsigned char new_trust_passwd_hash[16],
-					 uint32 sec_channel_type)
-{
-	NTSTATUS result;
-	uint32 neg_flags = 0x000001ff;
-
-	result = cli_nt_setup_creds(cli, sec_channel_type, orig_trust_passwd_hash, &neg_flags, 2);
-	
-	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(1,("just_change_the_password: unable to setup creds (%s)!\n",
-			 nt_errstr(result)));
-		return result;
-	}
-
-	result = cli_net_srv_pwset(cli, mem_ctx, global_myname(), new_trust_passwd_hash);
-
-	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(0,("just_change_the_password: unable to change password (%s)!\n",
-			 nt_errstr(result)));
-	}
-	return result;
-}
-
-/*********************************************************
- Change the domain password on the PDC.
- Store the password ourselves, but use the supplied password
- Caller must have already setup the connection to the NETLOGON pipe
-**********************************************************/
-
-NTSTATUS trust_pw_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx, 
-				      const char *domain,
-				      unsigned char orig_trust_passwd_hash[16],
-				      uint32 sec_channel_type)
-{
-	unsigned char new_trust_passwd_hash[16];
-	char *new_trust_passwd;
-	char *str;
-	NTSTATUS nt_status;
-		
-	/* Create a random machine account password */
-	str = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
-	new_trust_passwd = talloc_strdup(mem_ctx, str);
-	
-	E_md4hash(new_trust_passwd, new_trust_passwd_hash);
-
-	nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
-					     new_trust_passwd_hash, sec_channel_type);
-	
-	if (NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n", 
-			 timestring(False)));
-		/*
-		 * Return the result of trying to write the new password
-		 * back into the trust account file.
-		 */
-		if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
-			nt_status = NT_STATUS_UNSUCCESSFUL;
-		}
-	}
-
-	return nt_status;
-}
-
-/*********************************************************
- Change the domain password on the PDC.
- Do most of the legwork ourselfs.  Caller must have
- already setup the connection to the NETLOGON pipe
-**********************************************************/
-
-NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, 
-					   TALLOC_CTX *mem_ctx, 
-					   const char *domain) 
-{
-	unsigned char old_trust_passwd_hash[16];
-	char *up_domain;
-	uint32 sec_channel_type = 0;
-
-	up_domain = talloc_strdup(mem_ctx, domain);
-
-	if (!secrets_fetch_trust_account_password(domain,
-						  old_trust_passwd_hash, 
-						  NULL, &sec_channel_type)) {
-		DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-	
-	return trust_pw_change_and_store_it(cli, mem_ctx, domain,
-					    old_trust_passwd_hash,
-					    sec_channel_type);
-	
-}
-