author | Nadezhda Ivanova <nadezhda.ivanova@postpath.com> | 2010-01-13 12:02:31 +0200 |
---|---|---|
committer | Nadezhda Ivanova <nadezhda.ivanova@postpath.com> | 2010-01-13 12:02:31 +0200 |
commit | 9b3871ed293f76e770e572cd6b59f59670f1f6f8 (patch) | |
tree | 2b79286e3a6f7af9e26466393a0b26075a238be8 /source3/passdb | |
parent | 309473f938d18b9993c2c4f120eeff7b4641985a (diff) | |
parent | ca847952054f5bbde1d40ad4260589b6fcc9721d (diff) | |
download | samba-9b3871ed293f76e770e572cd6b59f59670f1f6f8.tar.gz samba-9b3871ed293f76e770e572cd6b59f59670f1f6f8.tar.bz2 samba-9b3871ed293f76e770e572cd6b59f59670f1f6f8.zip |
Merge branch 'master' of git://git.samba.org/samba
Diffstat (limited to 'source3/passdb')
-rw-r--r-- | source3/passdb/lookup_sid.c | 21 | ||||
-rw-r--r-- | source3/passdb/passdb.c | 3 | ||||
-rw-r--r-- | source3/passdb/pdb_compat.c | 10 | ||||
-rw-r--r-- | source3/passdb/pdb_get_set.c | 141 | ||||
-rw-r--r-- | source3/passdb/pdb_interface.c | 3 | ||||
-rw-r--r-- | source3/passdb/pdb_ldap.c | 11 | ||||
-rw-r--r-- | source3/passdb/util_unixsids.c | 26 | ||||
-rw-r--r-- | source3/passdb/util_wellknown.c | 4 |
8 files changed, 112 insertions, 107 deletions
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index a197c51ac8..6149f974ac 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -75,8 +75,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 /* It's our own domain, lookup the name in passdb */
 if (lookup_global_sam_name(name, flags, &rid, &type)) {
- sid_copy(&sid, get_global_sam_sid());
- sid_append_rid(&sid, rid);
+ sid_compose(&sid, get_global_sam_sid(), rid);
 goto ok;
 }
 TALLOC_FREE(tmp_ctx);
@@ -96,8 +95,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 /* Explicit request for a name in BUILTIN */
 if (lookup_builtin_name(name, &rid)) {
- sid_copy(&sid, &global_sid_Builtin);
- sid_append_rid(&sid, rid);
+ sid_compose(&sid, &global_sid_Builtin, rid);
 type = SID_NAME_ALIAS;
 goto ok;
 }
@@ -215,8 +213,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 lookup_builtin_name(name, &rid)) {
 domain = talloc_strdup(tmp_ctx, builtin_domain_name());
- sid_copy(&sid, &global_sid_Builtin);
- sid_append_rid(&sid, rid);
+ sid_compose(&sid, &global_sid_Builtin, rid);
 type = SID_NAME_ALIAS;
 goto ok;
 }
@@ -230,8 +227,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
 lookup_global_sam_name(name, flags, &rid, &type)) {
 domain = talloc_strdup(tmp_ctx, get_global_sam_name());
- sid_copy(&sid, get_global_sam_sid());
- sid_append_rid(&sid, rid);
+ sid_compose(&sid, get_global_sam_sid(), rid);
 goto ok;
 }
@@ -544,8 +540,7 @@ static bool lookup_rids(TALLOC_CTX *mem_ctx, const DOM_SID *domain_sid,
 if (sid_check_is_wellknown_domain(domain_sid, NULL)) {
 for (i=0; i<num_rids; i++) {
 DOM_SID sid;
- sid_copy(&sid, domain_sid);
- sid_append_rid(&sid, rids[i]);
+ sid_compose(&sid, domain_sid, rids[i]);
 if (lookup_wellknown_sid(mem_ctx, &sid, domain_name,
 &(*names)[i])) {
 if ((*names)[i] == NULL) {
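Review bot: `sid_compose(&sid, get_global_sam_sid(), rid);` in the first lookup_name hunk discards the bool that sid_compose returns and then jumps to `ok` with whatever `sid` holds; the same unchecked call appears in the other three lookup_name hunks, in lookup_rids, and in the passdb.c, pdb_get_set.c (@@ -239 and @@ -552), pdb_interface.c and util_wellknown.c hunks. The commit itself checks the result in pdb_compat.c and propagates it in util_unixsids.c, so the two styles now coexist in one change. Since sid_append_rid's result was ignored before as well this is a consistency point rather than a regression, but in lookup_name a failed compose could be turned into a lookup failure cheaply, `if (!sid_compose(&sid, get_global_sam_sid(), rid)) {` followed by the function's existing failure path, which lies outside the hunk. lookup_name and lookup_rids both start and end outside these hunks.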
@@ -1192,9 +1187,8 @@ static void legacy_gid_to_sid(DOM_SID *psid, gid_t gid)
 static bool legacy_sid_to_uid(const DOM_SID *psid, uid_t *puid)
 {
 enum lsa_SidType type;
- uint32 rid;
- if (sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
+ if (sid_check_is_in_our_domain(psid)) {
 union unid_t id;
 bool ret;
@@ -1235,7 +1229,6 @@ done:
 static bool legacy_sid_to_gid(const DOM_SID *psid, gid_t *pgid)
 {
- uint32 rid;
 GROUP_MAP map;
 union unid_t id;
 enum lsa_SidType type;
@@ -1257,7 +1250,7 @@ static bool legacy_sid_to_gid(const DOM_SID *psid, gid_t *pgid)
 return false;
 }
- if (sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
+ if (sid_check_is_in_our_domain(psid)) {
 bool ret;
 become_root();
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index b2c3b948f1..3ced150803 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -216,8 +216,7 @@ static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *p
 return NT_STATUS_ACCESS_DENIED;
 }
- sid_copy( &user_sid, get_global_sam_sid() );
- sid_append_rid( &user_sid, user_rid );
+ sid_compose(&user_sid, get_global_sam_sid(), user_rid);
 if ( !pdb_set_user_sid(user, &user_sid, PDB_SET) ) {
 DEBUG(3, ("pdb_set_user_sid failed\n"));
diff --git a/source3/passdb/pdb_compat.c b/source3/passdb/pdb_compat.c
index 9967eb53ad..b65be70758 100644
--- a/source3/passdb/pdb_compat.c
+++ b/source3/passdb/pdb_compat.c
@@ -60,10 +60,9 @@ bool pdb_set_user_sid_from_rid (struct samu *sampass, uint32 rid, enum pdb_value
 return False;
 }
- sid_copy(&u_sid, global_sam_sid);
-
- if (!sid_append_rid(&u_sid, rid))
+ if (!sid_compose(&u_sid, global_sam_sid, rid)) {
 return False;
+ }
 if (!pdb_set_user_sid(sampass, &u_sid, flag))
 return False;
@@ -87,10 +86,9 @@ bool pdb_set_group_sid_from_rid (struct samu *sampass, uint32 grid, enum pdb_val
 return False;
 }
- sid_copy(&g_sid, global_sam_sid);
-
- if (!sid_append_rid(&g_sid, grid))
+ if (!sid_compose(&g_sid, global_sam_sid, grid)) {
 return False;
+ }
 if (!pdb_set_group_sid(sampass, &g_sid, flag))
 return False;
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index 30775e49fe..d7fc02f807 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -239,8 +239,7 @@ const DOM_SID *pdb_get_group_sid(struct samu *sampass)
 /* Just set it to the 'Domain Users' RID of 512 which will always resolve to a name */
- sid_copy( gsid, get_global_sam_sid() );
- sid_append_rid( gsid, DOMAIN_GROUP_RID_USERS );
+ sid_compose(gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
 sampass->group_sid = gsid;
@@ -552,8 +551,8 @@ bool pdb_set_group_sid(struct samu *sampass, const DOM_SID *g_sid, enum pdb_valu
 if ( sid_to_gid( g_sid, &gid ) ) {
 sid_copy(sampass->group_sid, g_sid);
 } else {
- sid_copy( sampass->group_sid, get_global_sam_sid() );
- sid_append_rid( sampass->group_sid, DOMAIN_GROUP_RID_USERS );
+ sid_compose(sampass->group_sid, get_global_sam_sid(),
+ DOMAIN_GROUP_RID_USERS);
 }
 DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n",
@@ -876,6 +875,7 @@ bool pdb_set_lanman_passwd(struct samu *sampass, const uint8 pwd[LM_HASH_LEN], e
 bool pdb_set_pw_history(struct samu *sampass, const uint8 *pwd, uint32 historyLen, enum pdb_value_state flag)
 {
 if (historyLen && pwd){
+ data_blob_free(&(sampass->nt_pw_his));
 sampass->nt_pw_his = data_blob_talloc(sampass, pwd, historyLen*PW_HISTORY_ENTRY_LEN);
 if (!sampass->nt_pw_his.length) {
@@ -980,6 +980,9 @@ bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext)
 {
 uchar new_lanman_p16[LM_HASH_LEN];
 uchar new_nt_p16[NT_HASH_LEN];
+ uchar *pwhistory;
+ uint32 pwHistLen;
+ uint32 current_history_len;
 if (!plaintext)
 return False;
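Review bot: In the pdb_set_pw_history hunk the added `data_blob_free(&(sampass->nt_pw_his));` runs before `data_blob_talloc(sampass, pwd, ...)` has copied from `pwd`, so a caller that passes in the buffer it got back from pdb_get_pw_history hands this function a source pointer that was just released — and pdb_set_plaintext_passwd in this same commit does exactly that whenever `current_history_len >= pwHistLen`, because it then updates the history in place and passes the same pointer on. Whether pdb_get_pw_history returns nt_pw_his.data is not visible on this page, but the old code never freed before copying, and the leak this line closes can be closed without that ordering: build the new blob first, then free the old one and assign. The rest of pdb_set_pw_history, including its else branch and the flag handling, lies outside the hunk and would need to keep assigning through the same variable.
```c
bool pdb_set_pw_history(struct samu *sampass, const uint8 *pwd, uint32 historyLen, enum pdb_value_state flag)
{
	DATA_BLOB new_his = data_blob_null;

	if (historyLen && pwd){
		/* copy first: pwd may point into the blob released below */
		new_his = data_blob_talloc(sampass, pwd,
					   historyLen*PW_HISTORY_ENTRY_LEN);
		if (!new_his.length) {
			/* … unchanged: DEBUG and return False … */
		}
	}

	/* only now drop the previous history */
	data_blob_free(&(sampass->nt_pw_his));
	sampass->nt_pw_his = new_his;
	/* … unchanged: flag handling and return … */
```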
@@ -1009,68 +1012,80 @@ bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext)
 if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
 return False;
- /* Store the password history. */
- if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) {
- uchar *pwhistory;
- uint32 pwHistLen;
- pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
- if (pwHistLen != 0){
- uint32 current_history_len;
- /* We need to make sure we don't have a race condition here - the
- account policy history length can change between when the pw_history
- was first loaded into the struct samu struct and now.... JRA. */
- pwhistory = (uchar *)pdb_get_pw_history(sampass, ¤t_history_len);
-
- if (current_history_len != pwHistLen) {
- /* After closing and reopening struct samu the history
- values will sync up. We can't do this here. */
-
- /* current_history_len > pwHistLen is not a problem - we
- have more history than we need. */
-
- if (current_history_len < pwHistLen) {
- /* Ensure we have space for the needed history. */
- uchar *new_history = (uchar *)TALLOC(sampass,
- pwHistLen*PW_HISTORY_ENTRY_LEN);
- if (!new_history) {
- return False;
- }
-
- /* And copy it into the new buffer. */
- if (current_history_len) {
- memcpy(new_history, pwhistory,
- current_history_len*PW_HISTORY_ENTRY_LEN);
- }
- /* Clearing out any extra space. */
- memset(&new_history[current_history_len*PW_HISTORY_ENTRY_LEN],
- '\0', (pwHistLen-current_history_len)*PW_HISTORY_ENTRY_LEN);
- /* Finally replace it. */
- pwhistory = new_history;
- }
- }
- if (pwhistory && pwHistLen){
- /* Make room for the new password in the history list. */
- if (pwHistLen > 1) {
- memmove(&pwhistory[PW_HISTORY_ENTRY_LEN],
- pwhistory, (pwHistLen -1)*PW_HISTORY_ENTRY_LEN );
- }
- /* Create the new salt as the first part of the history entry. */
- generate_random_buffer(pwhistory, PW_HISTORY_SALT_LEN);
-
- /* Generate the md5 hash of the salt+new password as the second part of the history entry.
*/
-
- E_md5hash(pwhistory, new_nt_p16, &pwhistory[PW_HISTORY_SALT_LEN]);
- pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED);
- } else {
- DEBUG (10,("pdb_get_set.c: pdb_set_plaintext_passwd: pwhistory was NULL!\n"));
- }
- } else {
- /* Set the history length to zero. */
- pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
+ if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) {
+ /*
+ * No password history for non-user accounts
+ */
+ return true;
+ }
+
+ pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
+
+ if (pwHistLen == 0) {
+ /* Set the history length to zero. */
+ pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
+ return true;
+ }
+
+ /*
+ * We need to make sure we don't have a race condition here -
+ * the account policy history length can change between when
+ * the pw_history was first loaded into the struct samu struct
+ * and now.... JRA.
+ */
+ pwhistory = (uchar *)pdb_get_pw_history(sampass, ¤t_history_len);
+
+ if ((current_history_len != 0) && (pwhistory == NULL)) {
+ DEBUG(1, ("pdb_set_plaintext_passwd: pwhistory == NULL!\n"));
+ return false;
+ }
+
+ if (current_history_len < pwHistLen) {
+ /*
+ * Ensure we have space for the needed history. This
+ * also takes care of an account which did not have
+ * any history at all so far, i.e. pwhistory==NULL
+ */
+ uchar *new_history = talloc_zero_array(
+ sampass, uchar,
+ pwHistLen*PW_HISTORY_ENTRY_LEN);
+
+ if (!new_history) {
+ return False;
 }
+
+ memcpy(new_history, pwhistory,
+ current_history_len*PW_HISTORY_ENTRY_LEN);
+
+ pwhistory = new_history;
 }
+ /*
+ * Make room for the new password in the history list.
+ */
+ if (pwHistLen > 1) {
+ memmove(&pwhistory[PW_HISTORY_ENTRY_LEN], pwhistory,
+ (pwHistLen-1)*PW_HISTORY_ENTRY_LEN );
+ }
+
+ /*
+ * Fill the salt area with 0-s: this indicates that
+ * a plain nt hash is stored in the has area.
+ * The old format was to store a 16 byte salt and
+ * then an md5hash of the nt_hash concatenated with
+ * the salt.
*/
+ memset(pwhistory, 0, PW_HISTORY_SALT_LEN);
+
+ /*
+ * Store the plain nt hash in the second 16 bytes.
+ * The old format was to store the md5 hash of
+ * the salt+newpw.
+ */
+ memcpy(&pwhistory[PW_HISTORY_SALT_LEN], new_nt_p16, SALTED_MD5_HASH_LEN);
+
+ pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED);
 return True;
 }
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index de46254dde..bd85ded138 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -1472,8 +1472,7 @@ static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
 DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n", (unsigned int)rid));
- sid_copy(&sid, get_global_sam_sid());
- sid_append_rid(&sid, rid);
+ sid_compose(&sid, get_global_sam_sid(), rid);
 /* see if the passdb can help us with the name of the user */
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 90ac8e5ffa..30b27d4596 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -915,9 +915,9 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
 pwHistLen = MIN(pwHistLen, MAX_PW_HISTORY_LEN);
- if ((pwhist = TALLOC_ARRAY(ctx, uint8,
- pwHistLen * PW_HISTORY_ENTRY_LEN)) ==
- NULL){
+ pwhist = TALLOC_ARRAY(ctx, uint8,
+ pwHistLen * PW_HISTORY_ENTRY_LEN);
+ if (pwhist == NULL) {
 DEBUG(0, ("init_sam_from_ldap: talloc failed!\n"));
 goto fn_exit;
 }
@@ -6394,9 +6394,8 @@ NTSTATUS pdb_init_ldapsam(struct pdb_methods **pdb_method, const char *location)
 trim_char( uri, '\"', '\"' );
 nt_status = pdb_init_ldapsam_common(pdb_method, uri);
- if (uri) {
- TALLOC_FREE(uri);
- }
+
+ TALLOC_FREE(uri);
 if (!NT_STATUS_IS_OK(nt_status)) {
 return nt_status;
diff --git a/source3/passdb/util_unixsids.c b/source3/passdb/util_unixsids.c
index ad51253058..afda253c70 100644
--- a/source3/passdb/util_unixsids.c
+++ b/source3/passdb/util_unixsids.c
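Review bot: In the pdb_set_plaintext_passwd hunk, `memcpy(new_history, pwhistory, current_history_len*PW_HISTORY_ENTRY_LEN);` inside the `current_history_len < pwHistLen` branch is reached with `pwhistory == NULL` for an account that has no history yet — the comment just above says this branch is meant to cover that case — and memcpy with a null source is undefined behaviour even when the length is zero; the removed code guarded it with `if (current_history_len)` and that guard should come back: `if (current_history_len != 0) { memcpy(new_history, pwhistory, current_history_len*PW_HISTORY_ENTRY_LEN); }`. Separately, when `current_history_len >= pwHistLen` the memmove/memset/memcpy sequence writes the new entry into the buffer returned by pdb_get_pw_history and then passes that same pointer to pdb_set_pw_history, which in this commit frees nt_pw_his before copying from its argument; if pdb_get_pw_history returns nt_pw_his.data (not visible here) that is a read of freed memory, so either copy the history into a fresh talloc buffer unconditionally or fix the ordering in pdb_set_pw_history. The zero-salt format means the history now stores raw NT hashes, which are no more sensitive than nt_pw itself, but every reader of the blob must treat an all-zero salt as the format marker, as the comment describes; in that comment `has area` should read `hash area`. The function begins above this hunk, in the @@ -980 hunk and before it.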
@@ -37,14 +37,12 @@ bool sid_check_is_in_unix_users(const DOM_SID *sid)
 bool uid_to_unix_users_sid(uid_t uid, DOM_SID *sid)
 {
- sid_copy(sid, &global_sid_Unix_Users);
- return sid_append_rid(sid, (uint32_t)uid);
+ return sid_compose(sid, &global_sid_Unix_Users, uid);
 }
 bool gid_to_unix_groups_sid(gid_t gid, DOM_SID *sid)
 {
- sid_copy(sid, &global_sid_Unix_Groups);
- return sid_append_rid(sid, (uint32_t)gid);
+ return sid_compose(sid, &global_sid_Unix_Groups, gid);
 }
 const char *unix_users_domain_name(void)
@@ -55,17 +53,20 @@ const char *unix_users_domain_name(void)
 bool lookup_unix_user_name(const char *name, DOM_SID *sid)
 {
 struct passwd *pwd;
+ bool ret;
 pwd = getpwnam_alloc(talloc_autofree_context(), name);
 if (pwd == NULL) {
 return False;
 }
- sid_copy(sid, &global_sid_Unix_Users);
- sid_append_rid(sid, (uint32_t)pwd->pw_uid); /* For 64-bit uid's we have enough
- * space ... */
+ /*
+ * For 64-bit uid's we have enough space in the whole SID,
+ * should they become necessary
+ */
+ ret = sid_compose(sid, &global_sid_Unix_Users, pwd->pw_uid);
 TALLOC_FREE(pwd);
- return True;
+ return ret;
 }
 bool sid_check_is_unix_groups(const DOM_SID *sid)
@@ -98,8 +99,9 @@ bool lookup_unix_group_name(const char *name, DOM_SID *sid)
 return False;
 }
- sid_copy(sid, &global_sid_Unix_Groups);
- sid_append_rid(sid, (uint32_t)grp->gr_gid); /* For 64-bit uid's we have enough
- * space ... */
+ /*
+ * For 64-bit gid's we have enough space in the whole SID,
+ * should they become necessary
+ */
+ return sid_compose(sid, &global_sid_Unix_Groups, grp->gr_gid);
 }
diff --git a/source3/passdb/util_wellknown.c b/source3/passdb/util_wellknown.c
index 2af68b7e7c..0c45faab46 100644
--- a/source3/passdb/util_wellknown.c
+++ b/source3/passdb/util_wellknown.c
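Review bot: `return sid_compose(sid, &global_sid_Unix_Users, uid);` drops the explicit `(uint32_t)` cast the old sid_append_rid call carried, and the gid variant and the two lookup_unix_*_name hunks do the same; if sid_compose's rid parameter is a 32-bit type (the old cast suggests sid_append_rid's was), a wider uid_t or gid_t is now narrowed implicitly, which `-Wconversion` will report and which the new comment about having "enough space in the whole SID" does not address, since the value still lands in a single 32-bit sub-authority. Keeping the cast makes the narrowing visible to the next reader: `return sid_compose(sid, &global_sid_Unix_Users, (uint32_t)uid);`, and likewise for `gid`, `pwd->pw_uid` and `grp->gr_gid`. On the positive side, lookup_unix_user_name now returns sid_compose's result instead of True unconditionally, and the TALLOC_FREE(pwd) still runs on that path.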
@@ -160,8 +160,8 @@ bool lookup_wellknown_name(TALLOC_CTX *mem_ctx, const char *name,
 for (j=0; users[j].name != NULL; j++) {
 if ( strequal(users[j].name, name) ) {
- sid_copy(sid, special_domains[i].sid);
- sid_append_rid(sid, users[j].rid);
+ sid_compose(sid, special_domains[i].sid,
+ users[j].rid);
 *domain = talloc_strdup( mem_ctx, special_domains[i].name);
 return True; |