- group database API. oops and oh dear, the threat has been carried out:

  the pre-alpha "domain group" etc parameters have disappeared.

- interactive debug detection

- re-added mem_man (andrew's memory management, detects memory corruption)

- american spellings of "initialise" replaced with english spelling of
  "initialise".

- started on "lookup_name()" and "lookup_sid()" functions.  proper ones.

- moved lots of functions around.  created some modules of commonly used
  code.  e.g the password file locking code, which is used in groupfile.c
  and aliasfile.c and smbpass.c

- moved RID_TYPE_MASK up another bit.  this is really unfortunate, but
  there is no other "fast" way to identify users from groups from aliases.
  i do not believe that this code saves us anything (the multipliers)
  and puts us at a disadvantage (reduces the useable rid space).
  the designers of NT aren't silly: if they can get away with a user-
  interface-speed LsaLookupNames / LsaLookupSids, then so can we.  i
  spoke with isaac at the cifs conference, the only time for example that
  they do a security context check is on file create.  certainly not on
  individual file reads / writes, which would drastically hit their
  performance and ours, too.

- renamed myworkgroup to global_sam_name, amongst other things, when used
  in the rpc code.  there is also a global_member_name, as we are always
  responsible for a SAM database, the scope of which is limited by the role
  of the machine (e.g if a member of a workgroup, your SAM is for _local_
  logins only, and its name is the name of your server.  you even still
  have a SID.  see LsaQueryInfoPolicy, levels 3 and 5).

- updated functionality of groupname.c to be able to cope with names
  like DOMAIN\group and SERVER\alias.  used this code to be able to
  do aliases as well as groups.  this code may actually be better
  off being used in username mapping, too.

- created a connect to serverlist function in clientgen.c and used it
  in password.c

- initialisation in server.c depends on the role of the server.  well,
  it does now.

- rpctorture.  smbtorture.  EXERCISE EXTREME CAUTION.
(This used to be commit 0d21e1e6090b933f396c764af535ca3388a562db)

1 files changed, 8 insertions, 106 deletions

diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index fb5acf156f..0c8eb124ff 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -153,7 +153,7 @@ char *validated_username(uint16 vuid)
 /****************************************************************************
 Setup the groups a user belongs to.
 ****************************************************************************/
-int setup_groups(char *user, uid_t uid, gid_t gid, int *p_ngroups, gid_t **p_groups)
+int get_unixgroups(char *user, uid_t uid, gid_t gid, int *p_ngroups, gid_t **p_groups)
 {
 	int i,ngroups;
 	gid_t grp = 0;
@@ -180,7 +180,7 @@ int setup_groups(char *user, uid_t uid, gid_t gid, int *p_ngroups, gid_t **p_gro
 
 	if((groups = (gid_t *)malloc(sizeof(gid_t)*ngroups)) == NULL)
 	{
-		DEBUG(0,("setup_groups malloc fail !\n"));
+		DEBUG(0,("get_unixgroups malloc fail !\n"));
 		return -1;
 	}
 
@@ -263,7 +263,7 @@ uint16 register_vuid(uid_t uid,gid_t gid, char *unix_name, char *requested_name,
 
   /* Find all the groups this uid is in and store them. 
      Used by become_user() */
-  setup_groups(unix_name,uid,gid,
+  get_unixgroups(unix_name,uid,gid,
 	       &vuser->n_groups,
 	       &vuser->groups);
 
@@ -1142,15 +1142,10 @@ BOOL domain_client_validate( char *user, char *domain,
   unsigned char local_lm_response[24];
   unsigned char local_nt_reponse[24];
   unsigned char trust_passwd[16];
-  fstring remote_machine;
-  char *p;
-  struct in_addr dest_ip;
   NET_ID_INFO_CTR ctr;
   NET_USER_INFO_3 info3;
   struct cli_state cli;
   uint32 smb_uid_low;
-  BOOL connected_ok = False;
-  struct nmb_name calling, called;
 
   /* 
    * Check that the requested domain is not our own machine name.
@@ -1211,102 +1206,9 @@ BOOL domain_client_validate( char *user, char *domain,
    * see if they were valid.
    */
 
-  ZERO_STRUCT(cli);
-
-  if(cli_initialise(&cli) == False) {
-    DEBUG(0,("domain_client_validate: unable to initialize client connection.\n"));
-    return False;
-  }
-
-  /*
-   * Treat each name in the 'password server =' line as a potential
-   * PDC/BDC. Contact each in turn and try and authenticate.
-   */
-
-  p = lp_passwordserver();
-  while(p && next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) {
-
-    standard_sub_basic(remote_machine);
-    strupper(remote_machine);
- 
-    if(!resolve_name( remote_machine, &dest_ip, 0x20)) {
-      DEBUG(1,("domain_client_validate: Can't resolve address for %s\n", remote_machine));
-      continue;
-    }   
-    
-    if (ismyip(dest_ip)) {
-      DEBUG(1,("domain_client_validate: Password server loop - not using password server %s\n",remote_machine));
-      continue;
-    }
-      
-    if (!cli_connect(&cli, remote_machine, &dest_ip)) {
-      DEBUG(0,("domain_client_validate: unable to connect to SMB server on \
-machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
-      continue;
-    }
-    
-	make_nmb_name(&calling, global_myname , 0x0 , scope);
-	make_nmb_name(&called , remote_machine, 0x20, scope);
-
-	if (!cli_session_request(&cli, &calling, &called))
+	if (!cli_connect_serverlist(&cli, lp_passwordserver()))
 	{
-      DEBUG(0,("domain_client_validate: machine %s rejected the session setup. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
-      cli_shutdown(&cli);
-      continue;
-    }
-    
-    cli.protocol = PROTOCOL_NT1;
-
-    if (!cli_negprot(&cli)) {
-      DEBUG(0,("domain_client_validate: machine %s rejected the negotiate protocol. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
-      cli_shutdown(&cli);
-      continue;
-    }
-    
-    if (cli.protocol != PROTOCOL_NT1) {
-      DEBUG(0,("domain_client_validate: machine %s didn't negotiate NT protocol.\n",
-                     remote_machine));
-      cli_shutdown(&cli);
-      continue;
-    }
-
-    /* 
-     * Do an anonymous session setup.
-     */
-
-    if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
-      DEBUG(0,("domain_client_validate: machine %s rejected the session setup. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
-      cli_shutdown(&cli);
-      continue;
-    }      
-
-    if (!(cli.sec_mode & 1)) {
-      DEBUG(1,("domain_client_validate: machine %s isn't in user level security mode\n",
-                 remote_machine));
-      cli_shutdown(&cli);
-      continue;
-    }
-
-    if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
-      DEBUG(0,("domain_client_validate: machine %s rejected the tconX on the IPC$ share. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
-      cli_shutdown(&cli);
-      continue;
-    }
-
-    /*
-     * We have an anonymous connection to IPC$.
-     */
-    connected_ok = True;
-    break;
-  }
-
-  if (!connected_ok) {
     DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
-    cli_shutdown(&cli);
     return False;
   }
 
@@ -1317,7 +1219,7 @@ Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
 
   if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) {
     DEBUG(0,("domain_client_validate: unable to open the domain client session to \
-machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
+machine %s. Error was : %s.\n", cli.desthost, cli_errstr(&cli)));
     cli_nt_session_close(&cli);
     cli_ulogoff(&cli);
     cli_shutdown(&cli);
@@ -1326,7 +1228,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
 
   if(cli_nt_setup_creds(&cli, trust_passwd) == False) {
     DEBUG(0,("domain_client_validate: unable to setup the PDC credentials to machine \
-%s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
+%s. Error was : %s.\n", cli.desthost, cli_errstr(&cli)));
     cli_nt_session_close(&cli);
     cli_ulogoff(&cli);
     cli_shutdown(&cli);
@@ -1341,7 +1243,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
                           ((smb_ntpasslen != 0) ? smb_ntpasswd : NULL),
                           &ctr, &info3) == False) {
     DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \
-%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));
+%s to Domain controller %s. Error was %s.\n", user, domain, cli.desthost, cli_errstr(&cli)));
     cli_nt_session_close(&cli);
     cli_ulogoff(&cli);
     cli_shutdown(&cli);
@@ -1361,7 +1263,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
 
   if(cli_nt_logoff(&cli, &ctr) == False) {
     DEBUG(0,("domain_client_validate: unable to log off user %s in domain \
-%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));        
+%s to Domain controller %s. Error was %s.\n", user, domain, cli.desthost, cli_errstr(&cli)));        
     cli_nt_session_close(&cli);
     cli_ulogoff(&cli);
     cli_shutdown(&cli);