summaryrefslogtreecommitdiff
path: root/source3/utils
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-07-16 05:34:56 +0000
committerGerald Carter <jerry@samba.org>2003-07-16 05:34:56 +0000
commit4a090ba06a54f5da179ac02bb307cc03d08831bf (patch)
treeed652ef36be7f16682c358816334f969a22f1c27 /source3/utils
parent95fe82670032a3a43571b46d7bbf2c26bc8cdcd9 (diff)
downloadsamba-4a090ba06a54f5da179ac02bb307cc03d08831bf.tar.gz
samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.tar.bz2
samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.zip
trying to get HEAD building again. If you want the code
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
Diffstat (limited to 'source3/utils')
-rw-r--r--source3/utils/editreg.c30
-rw-r--r--source3/utils/net.c56
-rw-r--r--source3/utils/net_ads.c140
-rw-r--r--source3/utils/net_ads_cldap.c242
-rw-r--r--source3/utils/net_cache.c2
-rw-r--r--source3/utils/net_groupmap.c91
-rw-r--r--source3/utils/net_help.c20
-rw-r--r--source3/utils/net_lookup.c8
-rw-r--r--source3/utils/net_rpc.c222
-rw-r--r--source3/utils/net_rpc_join.c47
-rw-r--r--source3/utils/net_rpc_samsync.c165
-rw-r--r--source3/utils/ntlm_auth.c587
-rw-r--r--source3/utils/pdbedit.c36
-rw-r--r--source3/utils/profiles.c4
-rw-r--r--source3/utils/smbcacls.c13
-rw-r--r--source3/utils/smbcontrol.c60
-rw-r--r--source3/utils/smbpasswd.c21
-rw-r--r--source3/utils/testparm.c4
18 files changed, 1278 insertions, 470 deletions
diff --git a/source3/utils/editreg.c b/source3/utils/editreg.c
index 54148fdcf8..a0cfa2bb07 100644
--- a/source3/utils/editreg.c
+++ b/source3/utils/editreg.c
@@ -1099,7 +1099,7 @@ VAL_KEY *nt_add_reg_value(REG_KEY *key, char *name, int type, char *value)
tmp = (VAL_KEY *)malloc(sizeof(VAL_KEY));
if (!tmp) goto error;
- bzero(tmp, sizeof(VAL_KEY));
+ memset(tmp, 0, sizeof(VAL_KEY));
tmp->name = strdup(name);
tmp->has_name = True;
if (!tmp->name) goto error;
@@ -1181,7 +1181,7 @@ int sid_string_to_sid(sid_t **sid, const char *sid_str)
*sid = (sid_t *)malloc(sizeof(sid_t));
if (!*sid) return 0;
- bzero(*sid, sizeof(sid_t));
+ memset(*sid, 0, sizeof(sid_t));
if (strncmp(sid_str, "S-1-5", 5)) {
fprintf(stderr, "Does not conform to S-1-5...: %s\n", sid_str);
@@ -1402,7 +1402,7 @@ REG_KEY *nt_add_reg_key_list(REGF *regf, REG_KEY *key, char * name, int create)
tmp = (REG_KEY *)malloc(sizeof(REG_KEY));
- bzero(tmp, sizeof(REG_KEY));
+ memset(tmp, 0, sizeof(REG_KEY));
tmp->name = strdup(c1);
if (!tmp->name) goto error;
@@ -1466,7 +1466,7 @@ REG_KEY *nt_add_reg_key(REGF *regf, char *name, int create)
tmp = (REG_KEY *)malloc(sizeof(REG_KEY));
if (!tmp) goto error;
- bzero(tmp, sizeof(REG_KEY));
+ memset(tmp, 0, sizeof(REG_KEY));
tmp->name = strdup(c1);
if (!tmp->name) goto error;
tmp->security = nt_create_init_sec(regf);
@@ -1654,7 +1654,7 @@ REGF *nt_create_regf(void)
{
REGF *tmp = (REGF *)malloc(sizeof(REGF));
if (!tmp) return tmp;
- bzero(tmp, sizeof(REGF));
+ memset(tmp, 0, sizeof(REGF));
tmp->owner_sid_str = def_owner_sid_str;
return tmp;
}
@@ -1815,7 +1815,7 @@ KEY_SEC_DESC *lookup_create_sec_key(REGF *regf, SK_MAP *sk_map, int sk_off)
if (!tmp) {
return NULL;
}
- bzero(tmp, sizeof(KEY_SEC_DESC)); /* Neatly sets offset to 0 */
+ memset(tmp, 0, sizeof(KEY_SEC_DESC)); /* Neatly sets offset to 0 */
tmp->state = SEC_DESC_RES;
if (!alloc_sk_map_entry(regf, tmp, sk_off)) {
return NULL;
@@ -1991,7 +1991,7 @@ KEY_SEC_DESC *process_sk(REGF *regf, SK_HDR *sk_hdr, int sk_off, int size)
if (!tmp) {
tmp = (KEY_SEC_DESC *)malloc(sizeof(KEY_SEC_DESC));
if (!tmp) return NULL;
- bzero(tmp, sizeof(KEY_SEC_DESC));
+ memset(tmp, 0, sizeof(KEY_SEC_DESC));
/*
* Allocate an entry in the SK_MAP ...
@@ -2059,7 +2059,7 @@ VAL_KEY *process_vk(REGF *regf, VK_HDR *vk_hdr, int size)
if (!tmp) {
goto error;
}
- bzero(tmp, sizeof(VAL_KEY));
+ memset(tmp, 0, sizeof(VAL_KEY));
tmp->has_name = flag;
tmp->data_type = dat_type;
@@ -2268,7 +2268,7 @@ REG_KEY *nt_get_key_tree(REGF *regf, NK_HDR *nk_hdr, int size, REG_KEY *parent)
/* Allocate the key struct now */
tmp = (REG_KEY *)malloc(sizeof(REG_KEY));
if (!tmp) return tmp;
- bzero(tmp, sizeof(REG_KEY));
+ memset(tmp, 0, sizeof(REG_KEY));
tmp->type = (SVAL(&nk_hdr->type)==0x2C?REG_ROOT_KEY:REG_SUB_KEY);
@@ -2295,7 +2295,7 @@ REG_KEY *nt_get_key_tree(REGF *regf, NK_HDR *nk_hdr, int size, REG_KEY *parent)
clsnamep = LOCN(regf->base, clsnam_off);
if (verbose) fprintf(stdout, "Class Name Offset: %0X\n", clsnam_off);
- bzero(cls_name, clsname_len);
+ memset(cls_name, 0, clsname_len);
uni_to_ascii(clsnamep, cls_name, sizeof(cls_name), clsname_len);
/*
@@ -2494,12 +2494,12 @@ HBIN_BLK *nt_create_hbin_blk(REGF *regf, int size)
size = (size + (REGF_HDR_BLKSIZ - 1)) & ~(REGF_HDR_BLKSIZ - 1);
tmp = (HBIN_BLK *)malloc(sizeof(HBIN_BLK));
- bzero(tmp, sizeof(HBIN_BLK));
+ memset(tmp, 0, sizeof(HBIN_BLK));
tmp->data = malloc(size);
if (!tmp->data) goto error;
- bzero(tmp->data, size); /* Make it pristine */
+ memset(tmp->data, 0, size); /* Make it pristine */
tmp->size = size;
tmp->file_offset = regf->blk_tail->file_offset + regf->blk_tail->size;
@@ -2986,13 +2986,13 @@ REGF_HDR *nt_get_reg_header(REGF *regf)
tmp = (HBIN_BLK *)malloc(sizeof(HBIN_BLK));
if (!tmp) return 0;
- bzero(tmp, sizeof(HBIN_BLK));
+ memset(tmp, 0, sizeof(HBIN_BLK));
tmp->type = REG_OUTBLK_HDR;
tmp->size = REGF_HDR_BLKSIZ;
tmp->data = malloc(REGF_HDR_BLKSIZ);
if (!tmp->data) goto error;
- bzero(tmp->data, REGF_HDR_BLKSIZ); /* Make it pristine, unlike Windows */
+ memset(tmp->data, 0, REGF_HDR_BLKSIZ); /* Make it pristine, unlike Windows */
regf->blk_head = regf->blk_tail = tmp;
return (REGF_HDR *)tmp->data;
@@ -3921,7 +3921,7 @@ int print_val(const char *path, char *val_name, int val_type, int data_len,
{
char data_asc[1024];
- bzero(data_asc, sizeof(data_asc));
+ memset(data_asc, 0, sizeof(data_asc));
if (!terminal && first)
fprintf(stdout, "%s\n", path);
data_to_ascii((unsigned char *)data_blk, data_len, val_type, data_asc,
diff --git a/source3/utils/net.c b/source3/utils/net.c
index aa245a920a..e643a3d10d 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -77,6 +77,21 @@ static int opt_machine_pass = 0;
BOOL opt_have_ip = False;
struct in_addr opt_dest_ip;
+/*****************************************************************************
+ stubb functions
+****************************************************************************/
+
+void become_root( void )
+{
+ return;
+}
+
+void unbecome_root( void )
+{
+ return;
+}
+
+
uint32 get_sec_channel_type(const char *param)
{
if (!(param && *param)) {
@@ -206,7 +221,7 @@ BOOL net_find_server(unsigned flags, struct in_addr *server_ip, char **server_na
if (is_zero_ip(pdc_ip))
return False;
- if (!lookup_dc_name(global_myname(), opt_target_workgroup, &pdc_ip, dc_name))
+ if ( !name_status_find(opt_target_workgroup, 0x1b, 0x20, pdc_ip, dc_name) )
return False;
*server_name = strdup(dc_name);
@@ -248,20 +263,18 @@ BOOL net_find_server(unsigned flags, struct in_addr *server_ip, char **server_na
}
-BOOL net_find_dc(struct in_addr *server_ip, fstring server_name, const char *domain_name)
+BOOL net_find_pdc(struct in_addr *server_ip, fstring server_name, const char *domain_name)
{
if (get_pdc_ip(domain_name, server_ip)) {
- fstring dc_name;
-
if (is_zero_ip(*server_ip))
return False;
- if (!lookup_dc_name(global_myname(), domain_name, server_ip, dc_name))
+ if (!name_status_find(domain_name, 0x1b, 0x20, *server_ip, server_name))
return False;
- fstrcpy(server_name, dc_name);
- return True;
- } else
+ return True;
+ }
+ else
return False;
}
@@ -348,26 +361,6 @@ static int net_file(int argc, const char **argv)
return net_rap_file(argc, argv);
}
-/***********************************************************
- migrated functionality from smbgroupedit
- **********************************************************/
-static int net_groupmap(int argc, const char **argv)
-{
- if ( 0 == argc )
- return net_help_groupmap( argc, argv );
-
- if ( !StrCaseCmp( argv[0], "add" ) )
- return net_groupmap_add(argc-1, argv+1);
- else if ( !StrCaseCmp( argv[0], "modify" ) )
- return net_groupmap_modify(argc-1, argv+1);
- else if ( !StrCaseCmp( argv[0], "delete" ) )
- return net_groupmap_delete(argc-1, argv+1);
- else if ( !StrCaseCmp( argv[0], "list" ) )
- return net_groupmap_list(argc-1, argv+1);
-
- return net_help_groupmap( argc, argv );
-}
-
/*
Retrieve our local SID or the SID for the specified name
*/
@@ -471,7 +464,7 @@ static uint32 get_maxrid(void)
pdb_free_sam(&pwd);
if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries,
- ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV))
+ ENUM_ONLY_MAPPED))
return max_rid;
for (i = 0; i < num_entries; i++) {
@@ -544,6 +537,7 @@ static struct functable net_func[] = {
{"SETLOCALSID", net_setlocalsid},
{"GETDOMAINSID", net_getdomainsid},
{"MAXRID", net_maxrid},
+ {"IDMAP", net_idmap},
{"HELP", net_help},
{NULL, NULL}
@@ -655,6 +649,10 @@ static struct functable net_func[] = {
exit(1);
load_interfaces();
+
+ /* this makes sure that when we do things like call scripts,
+ that it won't assert becouse we are not root */
+ sec_init();
if (opt_machine_pass) {
char *user = NULL;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 203d849786..69d282420d 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -109,6 +109,9 @@ static int net_ads_info(int argc, const char **argv)
d_printf("LDAP port: %d\n", ads->ldap_port);
d_printf("Server time: %s\n", http_timestring(ads->config.current_time));
+ d_printf("KDC server: %s\n", ads->auth.kdc_server );
+ d_printf("Server time offset: %d\n", ads->auth.time_offset );
+
return 0;
}
@@ -124,7 +127,7 @@ static ADS_STRUCT *ads_startup(void)
ADS_STATUS status;
BOOL need_password = False;
BOOL second_time = False;
- char *realm;
+ char *cp;
ads = ads_init(NULL, NULL, opt_host);
@@ -146,22 +149,24 @@ retry:
if (opt_password) {
use_in_memory_ccache();
- ads->auth.password = strdup(opt_password);
+ ads->auth.password = smb_xstrdup(opt_password);
}
- ads->auth.user_name = strdup(opt_user_name);
+ ads->auth.user_name = smb_xstrdup(opt_user_name);
- /*
- * If the username is of the form "name@realm",
- * extract the realm and convert to upper case.
- */
- if ((realm = strchr(ads->auth.user_name, '@'))) {
- *realm++ = '\0';
- ads->auth.realm = strdup(realm);
- strupper(ads->auth.realm);
- }
+ /*
+ * If the username is of the form "name@realm",
+ * extract the realm and convert to upper case.
+ * This is only used to establish the connection.
+ */
+ if ((cp = strchr(ads->auth.user_name, '@'))!=0) {
+ *cp++ = '\0';
+ ads->auth.realm = smb_xstrdup(cp);
+ strupper_m(ads->auth.realm);
+ }
status = ads_connect(ads);
+
if (!ADS_ERR_OK(status)) {
if (!need_password && !second_time) {
need_password = True;
@@ -230,7 +235,7 @@ static BOOL usergrp_display(char *field, void **values, void *data_area)
if (!field) { /* must be end of record */
if (!strchr_m(disp_fields[0], '$')) {
if (disp_fields[1])
- d_printf("%-21.21s %-50.50s\n",
+ d_printf("%-21.21s %s\n",
disp_fields[0], disp_fields[1]);
else
d_printf("%s\n", disp_fields[0]);
@@ -295,7 +300,8 @@ static int ads_user_add(int argc, const char **argv)
/* try setting the password */
asprintf(&upn, "%s@%s", argv[0], ads->config.realm);
- status = krb5_set_password(ads->auth.kdc_server, upn, argv[1], ads->auth.time_offset);
+ status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
+ ads->auth.time_offset);
safe_free(upn);
if (ADS_ERR_OK(status)) {
d_printf("User %s added\n", argv[0]);
@@ -720,6 +726,8 @@ int net_ads_join(int argc, const char **argv)
int net_ads_printer_usage(int argc, const char **argv)
{
d_printf(
+"\nnet ads printer search <printer>"
+"\n\tsearch for a printer in the directory"
"\nnet ads printer info <printer> <server>"
"\n\tlookup info in directory for printer on server"
"\n\t(note: printer defaults to \"*\", server defaults to local)\n"
@@ -732,6 +740,35 @@ int net_ads_printer_usage(int argc, const char **argv)
return -1;
}
+static int net_ads_printer_search(int argc, const char **argv)
+{
+ ADS_STRUCT *ads;
+ ADS_STATUS rc;
+ void *res = NULL;
+
+ if (!(ads = ads_startup()))
+ return -1;
+
+ rc = ads_find_printers(ads, &res);
+
+ if (!ADS_ERR_OK(rc)) {
+ d_printf("ads_find_printer: %s\n", ads_errstr(rc));
+ ads_msgfree(ads, res);
+ return -1;
+ }
+
+ if (ads_count_replies(ads, res) == 0) {
+ d_printf("No results found\n");
+ ads_msgfree(ads, res);
+ return -1;
+ }
+
+ ads_dump(ads, res);
+ ads_msgfree(ads, res);
+
+ return 0;
+}
+
static int net_ads_printer_info(int argc, const char **argv)
{
ADS_STRUCT *ads;
@@ -780,7 +817,7 @@ static int net_ads_printer_publish(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
- const char *servername;
+ const char *servername, *printername;
struct cli_state *cli;
struct in_addr server_ip;
NTSTATUS nt_status;
@@ -794,15 +831,14 @@ static int net_ads_printer_publish(int argc, const char **argv)
if (argc < 1)
return net_ads_printer_usage(argc, argv);
+ printername = argv[0];
+
if (argc == 2)
servername = argv[1];
else
servername = global_myname();
- ads_find_machine_acct(ads, &res, servername);
- srv_dn = ldap_get_dn(ads->ld, res);
- srv_cn = ldap_explode_dn(srv_dn, 1);
- asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn[0], argv[0], srv_dn);
+ /* Get printer data from SPOOLSS */
resolve_name(servername, &server_ip, 0x20);
@@ -814,8 +850,29 @@ static int net_ads_printer_publish(int argc, const char **argv)
CLI_FULL_CONNECTION_USE_KERBEROS,
NULL);
+ if (NT_STATUS_IS_ERR(nt_status)) {
+ d_printf("Unable to open a connnection to %s to obtain data "
+ "for %s\n", servername, printername);
+ return -1;
+ }
+
+ /* Publish on AD server */
+
+ ads_find_machine_acct(ads, &res, servername);
+
+ if (ads_count_replies(ads, res) == 0) {
+ d_printf("Could not find machine account for server %s\n",
+ servername);
+ return -1;
+ }
+
+ srv_dn = ldap_get_dn(ads->ld, res);
+ srv_cn = ldap_explode_dn(srv_dn, 1);
+
+ asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn[0], printername, srv_dn);
+
cli_nt_session_open(cli, PI_SPOOLSS);
- get_remote_printer_publishing_data(cli, mem_ctx, &mods, argv[0]);
+ get_remote_printer_publishing_data(cli, mem_ctx, &mods, printername);
rc = ads_add_printer_entry(ads, prt_dn, mem_ctx, &mods);
if (!ADS_ERR_OK(rc)) {
@@ -876,6 +933,7 @@ static int net_ads_printer_remove(int argc, const char **argv)
static int net_ads_printer(int argc, const char **argv)
{
struct functable func[] = {
+ {"SEARCH", net_ads_printer_search},
{"INFO", net_ads_printer_info},
{"PUBLISH", net_ads_printer_publish},
{"REMOVE", net_ads_printer_remove},
@@ -893,20 +951,34 @@ static int net_ads_password(int argc, const char **argv)
const char *auth_password = opt_password;
char *realm = NULL;
char *new_password = NULL;
- char *c;
- char *prompt;
+ char *c, *prompt;
+ const char *user;
ADS_STATUS ret;
+ if (opt_user_name == NULL || opt_password == NULL) {
+ d_printf("You must supply an administrator username/password\n");
+ return -1;
+ }
+
- if ((argc != 1) || (opt_user_name == NULL) ||
- (opt_password == NULL) || (strchr(opt_user_name, '@') == NULL) ||
- (strchr(argv[0], '@') == NULL)) {
- return net_ads_usage(argc, argv);
+ if (argc != 1) {
+ d_printf("ERROR: You must say which username to change password for\n");
+ return -1;
+ }
+
+ user = argv[0];
+ if (!strchr(user, '@')) {
+ asprintf(&c, "%s@%s", argv[0], lp_realm());
+ user = c;
}
use_in_memory_ccache();
c = strchr(auth_principal, '@');
- realm = ++c;
+ if (c) {
+ realm = ++c;
+ } else {
+ realm = lp_realm();
+ }
/* use the realm so we can eventually change passwords for users
in realms other than default */
@@ -921,12 +993,12 @@ static int net_ads_password(int argc, const char **argv)
return -1;
}
- asprintf(&prompt, "Enter new password for %s:", argv[0]);
+ asprintf(&prompt, "Enter new password for %s:", user);
new_password = getpass(prompt);
ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
- auth_password, argv[0], new_password, ads->auth.time_offset);
+ auth_password, user, new_password, ads->auth.time_offset);
if (!ADS_ERR_OK(ret)) {
d_printf("Password change failed :-( ...\n");
ads_destroy(&ads);
@@ -934,7 +1006,7 @@ static int net_ads_password(int argc, const char **argv)
return -1;
}
- d_printf("Password change for %s completed.\n", argv[0]);
+ d_printf("Password change for %s completed.\n", user);
ads_destroy(&ads);
free(prompt);
@@ -967,7 +1039,7 @@ int net_ads_changetrustpw(int argc, const char **argv)
}
hostname = strdup(global_myname());
- strlower(hostname);
+ strlower_m(hostname);
asprintf(&host_principal, "%s@%s", hostname, ads->config.realm);
SAFE_FREE(hostname);
d_printf("Changing password for principal: HOST/%s\n", host_principal);
@@ -1012,7 +1084,7 @@ static int net_ads_search(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
- const char *exp;
+ const char *ldap_exp;
const char **attrs;
void *res = NULL;
@@ -1024,12 +1096,12 @@ static int net_ads_search(int argc, const char **argv)
return -1;
}
- exp = argv[0];
+ ldap_exp = argv[0];
attrs = (argv + 1);
rc = ads_do_search_all(ads, ads->config.bind_path,
LDAP_SCOPE_SUBTREE,
- exp, attrs, &res);
+ ldap_exp, attrs, &res);
if (!ADS_ERR_OK(rc)) {
d_printf("search failed: %s\n", ads_errstr(rc));
return -1;
diff --git a/source3/utils/net_ads_cldap.c b/source3/utils/net_ads_cldap.c
index 86d5abea4b..e74e4b5a4c 100644
--- a/source3/utils/net_ads_cldap.c
+++ b/source3/utils/net_ads_cldap.c
@@ -24,28 +24,28 @@
#ifdef HAVE_ADS
-struct netlogon_string {
- uint32 comp_len;
- char **component;
- uint8 extra_flag;
-};
+#define MAX_DNS_LABEL 255 + 1
struct cldap_netlogon_reply {
uint32 type;
uint32 flags;
GUID guid;
- struct netlogon_string forest;
- struct netlogon_string domain;
- struct netlogon_string hostname;
-
- struct netlogon_string netbios_domain;
- struct netlogon_string netbios_hostname;
+ char forest[MAX_DNS_LABEL];
+ char unk0[MAX_DNS_LABEL];
+ char domain[MAX_DNS_LABEL];
+ char hostname[MAX_DNS_LABEL];
- struct netlogon_string user_name;
- struct netlogon_string site_name;
+ char netbios_domain[MAX_DNS_LABEL];
+ char unk1[MAX_DNS_LABEL];
+ char netbios_hostname[MAX_DNS_LABEL];
- struct netlogon_string unk0;
+ char unk2[MAX_DNS_LABEL];
+ char user_name[MAX_DNS_LABEL];
+ char unk3[MAX_DNS_LABEL];
+ char site_name[MAX_DNS_LABEL];
+ char unk4[MAX_DNS_LABEL];
+ char site_name_2[MAX_DNS_LABEL];
uint32 version;
uint16 lmnt_token;
@@ -53,38 +53,69 @@ struct cldap_netlogon_reply {
};
/*
- These strings are rather interesting... They are composed of a series of
- length encoded strings, terminated by either 1) a zero length string or 2)
- a 0xc0 byte with what appears to be a one byte flags immediately following.
+ These seem to be strings as described in RFC1035 4.1.4 and can be:
+
+ - a sequence of labels ending in a zero octet
+ - a pointer
+ - a sequence of labels ending with a pointer
+
+ A label is a byte where the first two bits must be zero and the remaining
+ bits represent the length of the label followed by the label itself.
+ Therefore, the length of a label is at max 64 bytes. Under RFC1035, a
+ sequence of labels cannot exceed 255 bytes.
+
+ A pointer consists of a 14 bit offset from the beginning of the data.
+
+ struct ptr {
+ unsigned ident:2; // must be 11
+ unsigned offset:14; // from the beginning of data
+ };
+
+ This is used as a method to compress the packet by eliminated duplicate
+ domain components. Since a UDP packet should probably be < 512 bytes and a
+ DNS name can be up to 255 bytes, this actually makes a lot of sense.
*/
-static unsigned pull_netlogon_string(struct netlogon_string *ret,const char *d)
+static unsigned pull_netlogon_string(char *ret, const char *ptr,
+ const char *data)
{
- const char *p = (const char *)d;
-
- ZERO_STRUCTP(ret);
+ char *pret = ret;
+ int followed_ptr = 0;
+ unsigned ret_len = 0;
+ memset(pret, 0, MAX_DNS_LABEL);
do {
- unsigned len = (unsigned char)*p;
- p++;
-
- if (len > 0 && len != 0xc0) {
- ret->component = realloc(ret->component,
- ++ret->comp_len *
- sizeof(char *));
-
- ret->component[ret->comp_len - 1] =
- smb_xstrndup(p, len);
- p += len;
- } else {
- if (len == 0xc0) {
- ret->extra_flag = *p;
- p++;
- };
- break;
+ if ((*ptr & 0xc0) == 0xc0) {
+ uint16 len;
+
+ if (!followed_ptr) {
+ ret_len += 2;
+ followed_ptr = 1;
+ }
+ len = ((ptr[0] & 0x3f) << 8) | ptr[1];
+ ptr = data + len;
+ } else if (*ptr) {
+ uint8 len = (uint8)*(ptr++);
+
+ if ((pret - ret + len + 1) >= MAX_DNS_LABEL) {
+ d_printf("DC returning too long DNS name\n");
+ return 0;
+ }
+
+ if (pret != ret) {
+ *pret = '.';
+ pret++;
+ }
+ memcpy(pret, ptr, len);
+ pret += len;
+ ptr += len;
+
+ if (!followed_ptr) {
+ ret_len += (len + 1);
+ }
}
- } while (1);
+ } while (*ptr);
- return (p - d);
+ return ret_len ? ret_len : 1;
}
/*
@@ -95,7 +126,11 @@ static int send_cldap_netlogon(int sock, const char *domain,
{
ASN1_DATA data;
char ntver[4];
+#ifdef CLDAP_USER_QUERY
+ char aac[4];
+ SIVAL(aac, 0, 0x00000180);
+#endif
SIVAL(ntver, 0, ntversion);
memset(&data, 0, sizeof(data));
@@ -121,6 +156,18 @@ static int send_cldap_netlogon(int sock, const char *domain,
asn1_write_OctetString(&data, hostname, strlen(hostname));
asn1_pop_tag(&data);
+#ifdef CLDAP_USER_QUERY
+ asn1_push_tag(&data, ASN1_CONTEXT(3));
+ asn1_write_OctetString(&data, "User", 4);
+ asn1_write_OctetString(&data, "SAMBA$", 6);
+ asn1_pop_tag(&data);
+
+ asn1_push_tag(&data, ASN1_CONTEXT(3));
+ asn1_write_OctetString(&data, "AAC", 4);
+ asn1_write_OctetString(&data, aac, 4);
+ asn1_pop_tag(&data);
+#endif
+
asn1_push_tag(&data, ASN1_CONTEXT(3));
asn1_write_OctetString(&data, "NtVer", 5);
asn1_write_OctetString(&data, ntver, 4);
@@ -144,7 +191,6 @@ static int send_cldap_netlogon(int sock, const char *domain,
d_printf("failed to send cldap query (%s)\n", strerror(errno));
}
- file_save("cldap_query.dat", data.data, data.length);
asn1_free(&data);
return 0;
@@ -173,8 +219,6 @@ static int recv_cldap_netlogon(int sock, struct cldap_netlogon_reply *reply)
}
blob.length = ret;
- file_save("cldap_reply.dat", blob.data, blob.length);
-
asn1_load(&data, blob);
asn1_start_tag(&data, ASN1_SEQUENCE(0));
asn1_read_Integer(&data, &i1);
@@ -196,8 +240,6 @@ static int recv_cldap_netlogon(int sock, struct cldap_netlogon_reply *reply)
return -1;
}
- file_save("cldap_reply_core.dat", os3.data, os3.length);
-
p = os3.data;
reply->type = IVAL(p, 0); p += 4;
@@ -206,15 +248,25 @@ static int recv_cldap_netlogon(int sock, struct cldap_netlogon_reply *reply)
memcpy(&reply->guid.info, p, GUID_SIZE);
p += GUID_SIZE;
- p += pull_netlogon_string(&reply->forest, p);
- p += pull_netlogon_string(&reply->domain, p);
- p += pull_netlogon_string(&reply->hostname, p);
- p += pull_netlogon_string(&reply->netbios_domain, p);
- p += pull_netlogon_string(&reply->netbios_hostname, p);
- p += pull_netlogon_string(&reply->user_name, p);
- p += pull_netlogon_string(&reply->site_name, p);
+ p += pull_netlogon_string(reply->forest, p, os3.data);
+ p += pull_netlogon_string(reply->unk0, p, os3.data);
+ p += pull_netlogon_string(reply->domain, p, os3.data);
+ p += pull_netlogon_string(reply->hostname, p, os3.data);
+ p += pull_netlogon_string(reply->netbios_domain, p, os3.data);
+ p += pull_netlogon_string(reply->unk1, p, os3.data);
+ p += pull_netlogon_string(reply->netbios_hostname, p, os3.data);
+ p += pull_netlogon_string(reply->unk2, p, os3.data);
+
+ if (reply->type == SAMLOGON_AD_R) {
+ p += pull_netlogon_string(reply->user_name, p, os3.data);
+ } else {
+ *reply->user_name = 0;
+ }
- p += pull_netlogon_string(&reply->unk0, p);
+ p += pull_netlogon_string(reply->unk3, p, os3.data);
+ p += pull_netlogon_string(reply->site_name, p, os3.data);
+ p += pull_netlogon_string(reply->unk4, p, os3.data);
+ p += pull_netlogon_string(reply->site_name_2, p, os3.data);
reply->version = IVAL(p, 0);
reply->lmnt_token = SVAL(p, 4);
@@ -229,52 +281,6 @@ static int recv_cldap_netlogon(int sock, struct cldap_netlogon_reply *reply)
}
/*
- free a netlogon string
-*/
-static void netlogon_string_free(struct netlogon_string *str)
-{
- unsigned int i;
-
- for (i = 0; i < str->comp_len; ++i) {
- SAFE_FREE(str->component[i]);
- }
- SAFE_FREE(str->component);
-}
-
-/*
- free a cldap reply packet
-*/
-static void cldap_reply_free(struct cldap_netlogon_reply *reply)
-{
- netlogon_string_free(&reply->forest);
- netlogon_string_free(&reply->domain);
- netlogon_string_free(&reply->hostname);
- netlogon_string_free(&reply->netbios_domain);
- netlogon_string_free(&reply->netbios_hostname);
- netlogon_string_free(&reply->user_name);
- netlogon_string_free(&reply->site_name);
- netlogon_string_free(&reply->unk0);
-}
-
-static void d_print_netlogon_string(const char *label,
- struct netlogon_string *str)
-{
- unsigned int i;
-
- if (str->comp_len) {
- d_printf("%s", label);
- if (str->extra_flag) {
- d_printf("[%d]", str->extra_flag);
- }
- d_printf(": ");
- for (i = 0; i < str->comp_len; ++i) {
- d_printf("%s%s", (i ? "." : ""), str->component[i]);
- }
- d_printf("\n");
- }
-}
-
-/*
do a cldap netlogon query
*/
int ads_cldap_netlogon(ADS_STRUCT *ads)
@@ -289,6 +295,7 @@ int ads_cldap_netlogon(ADS_STRUCT *ads)
inet_ntoa(ads->ldap_ip),
ads->ldap_port);
return -1;
+
}
ret = send_cldap_netlogon(sock, ads->config.realm, global_myname(), 6);
@@ -305,7 +312,18 @@ int ads_cldap_netlogon(ADS_STRUCT *ads)
d_printf("Information for Domain Controller: %s\n\n",
ads->config.ldap_server_name);
- d_printf("Response Type: 0x%x\n", reply.type);
+ d_printf("Response Type: ");
+ switch (reply.type) {
+ case SAMLOGON_AD_UNK_R:
+ d_printf("SAMLOGON\n");
+ break;
+ case SAMLOGON_AD_R:
+ d_printf("SAMLOGON_USER\n");
+ break;
+ default:
+ d_printf("0x%x\n", reply.type);
+ break;
+ }
d_printf("GUID: ");
print_guid(&reply.guid);
d_printf("Flags:\n"
@@ -330,23 +348,27 @@ int ads_cldap_netlogon(ADS_STRUCT *ads)
(reply.flags & ADS_GOOD_TIMESERV) ? "yes" : "no",
(reply.flags & ADS_NDNC) ? "yes" : "no");
- d_print_netlogon_string("Forest", &reply.forest);
- d_print_netlogon_string("Domain", &reply.domain);
- d_print_netlogon_string("Hostname", &reply.hostname);
+ printf("Forest:\t\t\t%s\n", reply.forest);
+ if (*reply.unk0) printf("Unk0:\t\t\t%s\n", reply.unk0);
+ printf("Domain:\t\t\t%s\n", reply.domain);
+ printf("Domain Controller:\t%s\n", reply.hostname);
- d_print_netlogon_string("Pre-Win2k Domain", &reply.netbios_domain);
- d_print_netlogon_string("Pre-Win2k Hostname", &reply.netbios_hostname);
+ printf("Pre-Win2k Domain:\t%s\n", reply.netbios_domain);
+ if (*reply.unk1) printf("Unk1:\t\t\t%s\n", reply.unk1);
+ printf("Pre-Win2k Hostname:\t%s\n", reply.netbios_hostname);
- d_print_netlogon_string("User name", &reply.user_name);
- d_print_netlogon_string("Site Name", &reply.site_name);
- d_print_netlogon_string("Unknown Field", &reply.unk0);
+ if (*reply.unk2) printf("Unk2:\t\t\t%s\n", reply.unk2);
+ if (*reply.user_name) printf("User name:\t%s\n", reply.user_name);
+
+ if (*reply.unk3) printf("Unk3:\t\t\t%s\n", reply.unk3);
+ printf("Site Name:\t\t%s\n", reply.site_name);
+ if (*reply.unk4) printf("Unk4:\t\t\t%s\n", reply.unk4);
+ printf("Site Name (2):\t\t%s\n", reply.site_name_2);
d_printf("NT Version: %d\n", reply.version);
d_printf("LMNT Token: %.2x\n", reply.lmnt_token);
d_printf("LM20 Token: %.2x\n", reply.lm20_token);
- cldap_reply_free(&reply);
-
return ret;
}
diff --git a/source3/utils/net_cache.c b/source3/utils/net_cache.c
index 93c4f1aa1d..8dd9db599d 100644
--- a/source3/utils/net_cache.c
+++ b/source3/utils/net_cache.c
@@ -64,7 +64,7 @@ static void delete_cache_entry(const char* keystr, const char* datastr,
const time_t timeout, void* dptr)
{
if (!gencache_del(keystr))
- d_printf("Couldn't delete entry! key = %s", keystr);
+ d_printf("Couldn't delete entry! key = %s\n", keystr);
}
diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c
index 905fdf6287..8831839e4e 100644
--- a/source3/utils/net_groupmap.c
+++ b/source3/utils/net_groupmap.c
@@ -65,7 +65,7 @@ static BOOL get_sid_from_input(DOM_SID *sid, char *input)
if (StrnCaseCmp( input, "S-", 2)) {
/* Perhaps its the NT group name? */
- if (!pdb_getgrnam(&map, input, MAPPING_WITHOUT_PRIV)) {
+ if (!pdb_getgrnam(&map, input)) {
printf("NT Group %s doesn't exist in mapping DB\n", input);
return False;
} else {
@@ -88,11 +88,9 @@ static void print_map_entry ( GROUP_MAP map, BOOL long_list )
{
fstring string_sid;
fstring group_type;
- fstring priv_text;
decode_sid_name_use(group_type, map.sid_name_use);
sid_to_string(string_sid, &map.sid);
- convert_priv_to_text(&(map.priv_set), priv_text);
if (!long_list)
d_printf("%s (%s) -> %s\n", map.nt_name, string_sid, gidtoname(map.gid));
@@ -102,14 +100,13 @@ static void print_map_entry ( GROUP_MAP map, BOOL long_list )
d_printf("\tUnix group: %s\n", gidtoname(map.gid));
d_printf("\tGroup type: %s\n", group_type);
d_printf("\tComment : %s\n", map.comment);
- d_printf("\tPrivilege : %s\n\n", priv_text);
}
}
/*********************************************************
List the groups.
**********************************************************/
-int net_groupmap_list(int argc, const char **argv)
+static int net_groupmap_list(int argc, const char **argv)
{
int entries;
BOOL long_list = False;
@@ -155,24 +152,24 @@ int net_groupmap_list(int argc, const char **argv)
}
/* Get the current mapping from the database */
- if(!pdb_getgrsid(&map, sid, MAPPING_WITH_PRIV)) {
+ if(!pdb_getgrsid(&map, sid)) {
d_printf("Failure to local group SID in the database\n");
return -1;
}
print_map_entry( map, long_list );
- free_privilege(&(map.priv_set));
}
else {
GROUP_MAP *map=NULL;
/* enumerate all group mappings */
- if ( !pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED, MAPPING_WITH_PRIV) )
+ if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
return -1;
for (i=0; i<entries; i++) {
print_map_entry( map[i], long_list );
- free_privilege(&(map[i].priv_set));
}
+
+ SAFE_FREE(map);
}
return 0;
@@ -182,9 +179,8 @@ int net_groupmap_list(int argc, const char **argv)
Add a new group mapping entry
**********************************************************/
-int net_groupmap_add(int argc, const char **argv)
+static int net_groupmap_add(int argc, const char **argv)
{
- PRIVILEGE_SET se_priv;
DOM_SID sid;
fstring ntgroup = "";
fstring unixgrp = "";
@@ -280,25 +276,16 @@ int net_groupmap_add(int argc, const char **argv)
fstrcpy( ntgroup, unixgrp );
- init_privilege(&se_priv);
-#if 0
- if (privilege!=NULL)
- convert_priv_from_text(&se_priv, privilege);
-#endif
-
- if (!add_initial_entry(gid, string_sid, sid_type, ntgroup,
- ntcomment, se_priv, PR_ACCESS_FROM_NETWORK) ) {
+ if (!add_initial_entry(gid, string_sid, sid_type, ntgroup, ntcomment)) {
d_printf("adding entry for group %s failed!\n", ntgroup);
return -1;
}
- free_privilege(&se_priv);
-
d_printf("Successully added group %s to the mapping db\n", ntgroup);
return 0;
}
-int net_groupmap_modify(int argc, const char **argv)
+static int net_groupmap_modify(int argc, const char **argv)
{
DOM_SID sid;
GROUP_MAP map;
@@ -381,7 +368,7 @@ int net_groupmap_modify(int argc, const char **argv)
}
/* Get the current mapping from the database */
- if(!pdb_getgrsid(&map, sid, MAPPING_WITH_PRIV)) {
+ if(!pdb_getgrsid(&map, sid)) {
d_printf("Failure to local group SID in the database\n");
return -1;
}
@@ -390,9 +377,8 @@ int net_groupmap_modify(int argc, const char **argv)
* Allow changing of group type only between domain and local
* We disallow changing Builtin groups !!! (SID problem)
*/
- if ( sid_type != SID_NAME_UNKNOWN )
- {
- if ( map.sid_name_use == SID_NAME_WKN_GRP ) {
+ if (sid_type != SID_NAME_UNKNOWN) {
+ if (map.sid_name_use == SID_NAME_WKN_GRP) {
d_printf("You can only change between domain and local groups.\n");
return -1;
}
@@ -418,26 +404,17 @@ int net_groupmap_modify(int argc, const char **argv)
map.gid = gid;
}
-#if 0
- /* Change the privilege if new one */
- if (privilege!=NULL)
- convert_priv_from_text(&map.priv_set, privilege);
-#endif
-
if ( !pdb_update_group_mapping_entry(&map) ) {
d_printf("Could not update group database\n");
- free_privilege(&map.priv_set);
return -1;
}
- free_privilege(&map.priv_set);
-
d_printf("Updated mapping entry for %s\n", ntgroup);
return 0;
}
-int net_groupmap_delete(int argc, const char **argv)
+static int net_groupmap_delete(int argc, const char **argv)
{
DOM_SID sid;
fstring ntgroup = "";
@@ -491,3 +468,45 @@ int net_groupmap_delete(int argc, const char **argv)
return 0;
}
+int net_help_groupmap(int argc, const char **argv)
+{
+ d_printf("net groupmap add"\
+ "\n Create a new group mapping\n");
+ d_printf("net groupmap modify"\
+ "\n Update a group mapping\n");
+ d_printf("net groupmap delete"\
+ "\n Remove a group mapping\n");
+ d_printf("net groupmap list"\
+ "\n List current group map\n");
+
+ return -1;
+}
+
+
+/***********************************************************
+ migrated functionality from smbgroupedit
+ **********************************************************/
+int net_groupmap(int argc, const char **argv)
+{
+ struct functable func[] = {
+ {"add", net_groupmap_add},
+ {"modify", net_groupmap_modify},
+ {"delete", net_groupmap_delete},
+ {"list", net_groupmap_list},
+ {"help", net_help_groupmap},
+ {NULL, NULL}
+ };
+
+ /* we shouldn't have silly checks like this */
+ if (getuid() != 0) {
+ d_printf("You must be root to edit group mappings.\nExiting...\n");
+ return -1;
+ }
+
+ return net_run_function(argc, argv, func, net_help_groupmap);
+ if ( 0 == argc )
+ return net_help_groupmap( argc, argv );
+
+ return net_help_groupmap( argc, argv );
+}
+
diff --git a/source3/utils/net_help.c b/source3/utils/net_help.c
index f24367f246..1f3afb1690 100644
--- a/source3/utils/net_help.c
+++ b/source3/utils/net_help.c
@@ -99,26 +99,6 @@ int net_help_group(int argc, const char **argv)
return -1;
}
-int net_help_groupmap(int argc, const char **argv)
-{
- if (getuid() != 0) {
- d_printf("You must be root to edit group mappings.\nExiting...\n");
- return -1;
- }
-
- d_printf("net groupmap add"\
- "\n Create a new group mapping\n");
- d_printf("net groupmap modify"\
- "\n Update a group mapping\n");
- d_printf("net groupmap delete"\
- "\n Remove a group mapping\n");
- d_printf("net groupmap list"\
- "\n List current group map\n");
-
- return -1;
-}
-
-
int net_help_join(int argc, const char **argv)
{
d_printf("\nnet [<method>] join [misc. options]\n"
diff --git a/source3/utils/net_lookup.c b/source3/utils/net_lookup.c
index 271094480c..8456da4e0c 100644
--- a/source3/utils/net_lookup.c
+++ b/source3/utils/net_lookup.c
@@ -124,11 +124,11 @@ static int net_lookup_ldap(int argc, const char **argv)
static int net_lookup_dc(int argc, const char **argv)
{
- struct in_addr *ip_list, addr;
+ struct ip_service *ip_list;
+ struct in_addr addr;
char *pdc_str = NULL;
const char *domain=opt_target_workgroup;
int count, i;
- BOOL list_ordered;
if (argc > 0)
domain=argv[0];
@@ -140,12 +140,12 @@ static int net_lookup_dc(int argc, const char **argv)
asprintf(&pdc_str, "%s", inet_ntoa(addr));
d_printf("%s\n", pdc_str);
- if (!get_dc_list(domain, &ip_list, &count, &list_ordered)) {
+ if (!get_sorted_dc_list(domain, &ip_list, &count, False)) {
SAFE_FREE(pdc_str);
return 0;
}
for (i=0;i<count;i++) {
- char *dc_str = inet_ntoa(ip_list[i]);
+ char *dc_str = inet_ntoa(ip_list[i].ip);
if (!strequal(pdc_str, dc_str))
d_printf("%s\n", dc_str);
}
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 3f5a339948..890d4a012b 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -74,7 +74,7 @@ static DOM_SID *net_get_remote_domain_sid(struct cli_state *cli)
goto error;
}
- result = cli_lsa_open_policy(cli, mem_ctx, True,
+ result = cli_lsa_open_policy(cli, mem_ctx, False,
SEC_RIGHTS_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result)) {
@@ -235,16 +235,27 @@ int net_rpc_changetrustpw(int argc, const char **argv)
* @return Normal NTSTATUS return.
**/
-static NTSTATUS rpc_join_oldstyle_internals(const DOM_SID *domain_sid, struct cli_state *cli,
+static NTSTATUS rpc_oldjoin_internals(const DOM_SID *domain_sid, struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, const char **argv) {
fstring trust_passwd;
unsigned char orig_trust_passwd_hash[16];
NTSTATUS result;
+ uint32 sec_channel_type;
+ /*
+ check what type of join - if the user want's to join as
+ a BDC, the server must agree that we are a BDC.
+ */
+ if (argc >= 0) {
+ sec_channel_type = get_sec_channel_type(argv[0]);
+ } else {
+ sec_channel_type = get_sec_channel_type(NULL);
+ }
+
fstrcpy(trust_passwd, global_myname());
- strlower(trust_passwd);
+ strlower_m(trust_passwd);
/*
* Machine names can be 15 characters, but the max length on
@@ -257,11 +268,7 @@ static NTSTATUS rpc_join_oldstyle_internals(const DOM_SID *domain_sid, struct cl
result = trust_pw_change_and_store_it(cli, mem_ctx, opt_target_workgroup,
orig_trust_passwd_hash,
- SEC_CHAN_WKSTA);
-
- /* SEC_CHAN_WKSTA specified specifically, as you cannot use this
- to join a BDC to the domain (MS won't allow it, and is *really*
- insecure) */
+ sec_channel_type);
if (NT_STATUS_IS_OK(result))
printf("Joined domain %s.\n",opt_target_workgroup);
@@ -285,40 +292,11 @@ static NTSTATUS rpc_join_oldstyle_internals(const DOM_SID *domain_sid, struct cl
* @return A shell status integer (0 for success)
**/
-static int net_rpc_join_oldstyle(int argc, const char **argv)
-{
- uint32 sec_channel_type;
- /* check what type of join */
- if (argc >= 0) {
- sec_channel_type = get_sec_channel_type(argv[0]);
- } else {
- sec_channel_type = get_sec_channel_type(NULL);
- }
-
- if (sec_channel_type != SEC_CHAN_WKSTA)
- return 1;
-
- return run_rpc_command(NULL, PI_NETLOGON,
- NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
- rpc_join_oldstyle_internals,
- argc, argv);
-}
-
-/**
- * Join a domain, the old way.
- *
- * @param argc Standard main() style argc
- * @param argc Standard main() style argv. Initial components are already
- * stripped
- *
- * @return A shell status integer (0 for success)
- **/
-
static int net_rpc_oldjoin(int argc, const char **argv)
{
return run_rpc_command(NULL, PI_NETLOGON,
NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
- rpc_join_oldstyle_internals,
+ rpc_oldjoin_internals,
argc, argv);
}
@@ -351,13 +329,13 @@ static int rpc_join_usage(int argc, const char **argv)
*
* Main 'net_rpc_join()' (where the admain username/password is used) is
* in net_rpc_join.c
- * Assume if a -U is specified, it's the new style, otherwise it's the
- * old style. If 'oldstyle' is specfied explicity, do it and don't prompt.
+ * Try to just change the password, but if that doesn't work, use/prompt
+ * for a username/password.
**/
int net_rpc_join(int argc, const char **argv)
{
- if ((net_rpc_join_oldstyle(argc, argv) == 0))
+ if ((net_rpc_oldjoin(argc, argv) == 0))
return 0;
return net_rpc_join_newstyle(argc, argv);
@@ -862,11 +840,11 @@ rpc_user_list_internals(const DOM_SID *domain_sid, struct cli_state *cli,
unistr2_to_ascii(desc, &(&ctr.sam.info1->str[i])->uni_acct_desc, sizeof(desc)-1);
if (opt_long_list_entries)
- printf("%-21.21s %-50.50s\n", user, desc);
+ printf("%-21.21s %s\n", user, desc);
else
printf("%s\n", user);
}
- } while (!NT_STATUS_IS_OK(result));
+ } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
done:
return result;
@@ -937,7 +915,7 @@ rpc_group_list_internals(const DOM_SID *domain_sid, struct cli_state *cli,
{
POLICY_HND connect_pol, domain_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- uint32 start_idx=0, max_entries=250, num_entries, i;
+ uint32 start_idx=0, max_entries=250, num_entries, i, loop_count = 0;
struct acct_info *groups;
DOM_SID global_sid_Builtin;
@@ -965,34 +943,75 @@ rpc_group_list_internals(const DOM_SID *domain_sid, struct cli_state *cli,
d_printf("\nGroup name Comment"\
"\n-----------------------------\n");
do {
- result = cli_samr_enum_dom_groups(cli, mem_ctx, &domain_pol,
- &start_idx, max_entries,
- &groups, &num_entries);
+ SAM_DISPINFO_CTR ctr;
+ SAM_DISPINFO_3 info3;
+ uint32 max_size;
+
+ ZERO_STRUCT(ctr);
+ ZERO_STRUCT(info3);
+ ctr.sam.info3 = &info3;
+
+ get_query_dispinfo_params(
+ loop_count, &max_entries, &max_size);
+
+ result = cli_samr_query_dispinfo(cli, mem_ctx, &domain_pol,
+ &start_idx, 3, &num_entries,
+ max_entries, max_size, &ctr);
for (i = 0; i < num_entries; i++) {
+
+ fstring group, desc;
+
+ unistr2_to_ascii(group, &(&ctr.sam.info3->str[i])->uni_grp_name, sizeof(group)-1);
+ unistr2_to_ascii(desc, &(&ctr.sam.info3->str[i])->uni_grp_desc, sizeof(desc)-1);
+
if (opt_long_list_entries)
- printf("%-21.21s %-50.50s\n",
- groups[i].acct_name,
- groups[i].acct_desc);
+ printf("%-21.21s %-50.50s\n",
+ group, desc);
else
- printf("%-21.21s\n", groups[i].acct_name);
+ printf("%-21.21s\n", group);
}
- } while (NT_STATUS_V(result) == NT_STATUS_V(STATUS_MORE_ENTRIES));
+ } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
/* query domain aliases */
+ start_idx = 0;
do {
result = cli_samr_enum_als_groups(cli, mem_ctx, &domain_pol,
&start_idx, max_entries,
&groups, &num_entries);
-
+
for (i = 0; i < num_entries; i++) {
- if (opt_long_list_entries)
+
+ char *description = NULL;
+
+ if (opt_long_list_entries) {
+
+ POLICY_HND alias_pol;
+ ALIAS_INFO_CTR ctr;
+
+ if ((NT_STATUS_IS_OK(cli_samr_open_alias(cli, mem_ctx,
+ &domain_pol,
+ 0x8,
+ groups[i].rid,
+ &alias_pol))) &&
+ (NT_STATUS_IS_OK(cli_samr_query_alias_info(cli, mem_ctx,
+ &alias_pol, 3,
+ &ctr))) &&
+ (NT_STATUS_IS_OK(cli_samr_close(cli, mem_ctx,
+ &alias_pol)))) {
+ description = unistr2_tdup(mem_ctx,
+ &ctr.alias.info3.uni_acct_desc);
+ }
+ }
+
+ if (description != NULL) {
printf("%-21.21s %-50.50s\n",
groups[i].acct_name,
- groups[i].acct_desc);
- else
+ description);
+ } else {
printf("%-21.21s\n", groups[i].acct_name);
+ }
}
- } while (NT_STATUS_V(result) == NT_STATUS_V(STATUS_MORE_ENTRIES));
+ } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
cli_samr_close(cli, mem_ctx, &domain_pol);
/* Get builtin policy handle */
@@ -1003,20 +1022,45 @@ rpc_group_list_internals(const DOM_SID *domain_sid, struct cli_state *cli,
goto done;
}
/* query builtin aliases */
+ start_idx = 0;
do {
result = cli_samr_enum_als_groups(cli, mem_ctx, &domain_pol,
&start_idx, max_entries,
&groups, &num_entries);
for (i = 0; i < num_entries; i++) {
- if (opt_long_list_entries)
+
+ char *description = NULL;
+
+ if (opt_long_list_entries) {
+
+ POLICY_HND alias_pol;
+ ALIAS_INFO_CTR ctr;
+
+ if ((NT_STATUS_IS_OK(cli_samr_open_alias(cli, mem_ctx,
+ &domain_pol,
+ 0x8,
+ groups[i].rid,
+ &alias_pol))) &&
+ (NT_STATUS_IS_OK(cli_samr_query_alias_info(cli, mem_ctx,
+ &alias_pol, 3,
+ &ctr))) &&
+ (NT_STATUS_IS_OK(cli_samr_close(cli, mem_ctx,
+ &alias_pol)))) {
+ description = unistr2_tdup(mem_ctx,
+ &ctr.alias.info3.uni_acct_desc);
+ }
+ }
+
+ if (description != NULL) {
printf("%-21.21s %-50.50s\n",
groups[i].acct_name,
- groups[i].acct_desc);
- else
- printf("%s\n", groups[i].acct_name);
+ description);
+ } else {
+ printf("%-21.21s\n", groups[i].acct_name);
+ }
}
- } while (NT_STATUS_V(result) == NT_STATUS_V(STATUS_MORE_ENTRIES));
+ } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
done:
return result;
@@ -1576,8 +1620,8 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid, struct cli
uint16 acb_info;
uint32 unknown, user_rid;
- if (argc != 1) {
- d_printf("Usage: net rpc trustdom add <domain_name>\n");
+ if (argc != 2) {
+ d_printf("Usage: net rpc trustdom add <domain_name> <pw>\n");
return NT_STATUS_INVALID_PARAMETER;
}
@@ -1589,7 +1633,7 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid, struct cli
return NT_STATUS_NO_MEMORY;
}
- strupper(acct_name);
+ strupper_m(acct_name);
/* Get samr policy handle */
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
@@ -1608,7 +1652,7 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid, struct cli
/* Create trusting domain's account */
acb_info = ACB_DOMTRUST;
- unknown = 0xe005000b; /* No idea what this is - a permission mask?
+ unknown = 0xe00500b0; /* No idea what this is - a permission mask?
mimir: yes, most probably it is */
result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol,
@@ -1618,6 +1662,37 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid, struct cli
goto done;
}
+ {
+ SAM_USERINFO_CTR ctr;
+ SAM_USER_INFO_24 p24;
+ fstring ucs2_trust_password;
+ int ucs2_pw_len;
+ uchar pwbuf[516];
+
+ ucs2_pw_len = push_ucs2(NULL, ucs2_trust_password, argv[1],
+ sizeof(ucs2_trust_password), 0);
+
+ encode_pw_buffer((char *)pwbuf, ucs2_trust_password,
+ ucs2_pw_len);
+
+ ZERO_STRUCT(ctr);
+ ZERO_STRUCT(p24);
+
+ init_sam_user_info24(&p24, (char *)pwbuf, 24);
+
+ ctr.switch_value = 24;
+ ctr.info.id24 = &p24;
+
+ result = cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24,
+ cli->user_session_key, &ctr);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("Could not set trust account password: %s\n",
+ nt_errstr(result)));
+ goto done;
+ }
+ }
+
done:
SAFE_FREE(acct_name);
return result;
@@ -1689,11 +1764,11 @@ static int rpc_trustdom_establish(int argc, const char **argv)
}
domain_name = smb_xstrdup(argv[0]);
- strupper(domain_name);
+ strupper_m(domain_name);
/* account name used at first is our domain's name with '$' */
asprintf(&acct_name, "%s$", lp_workgroup());
- strupper(acct_name);
+ strupper_m(acct_name);
/*
* opt_workgroup will be used by connection functions further,
@@ -1706,7 +1781,7 @@ static int rpc_trustdom_establish(int argc, const char **argv)
opt_user_name = acct_name;
/* find the domain controller */
- if (!net_find_dc(&server_ip, pdc_name, domain_name)) {
+ if (!net_find_pdc(&server_ip, pdc_name, domain_name)) {
DEBUG(0, ("Coulnd find domain controller for domain %s\n", domain_name));
return -1;
}
@@ -1785,7 +1860,7 @@ static int rpc_trustdom_establish(int argc, const char **argv)
return -1;
}
- nt_status = cli_lsa_open_policy2(cli, mem_ctx, False, SEC_RIGHTS_QUERY_VALUE,
+ nt_status = cli_lsa_open_policy2(cli, mem_ctx, True, SEC_RIGHTS_QUERY_VALUE,
&connect_hnd);
if (NT_STATUS_IS_ERR(nt_status)) {
DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
@@ -1804,6 +1879,9 @@ static int rpc_trustdom_establish(int argc, const char **argv)
return -1;
}
+
+
+
/* There should be actually query info level 3 (following nt serv behaviour),
but I still don't know if it's _really_ necessary */
@@ -1855,7 +1933,7 @@ static int rpc_trustdom_revoke(int argc, const char **argv)
/* generate upper cased domain name */
domain_name = smb_xstrdup(argv[0]);
- strupper(domain_name);
+ strupper_m(domain_name);
/* delete password of the trust */
if (!trusted_domain_password_delete(domain_name)) {
@@ -2089,7 +2167,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
do padding[--pad_len] = ' '; while (pad_len);
/* set opt_* variables to remote domain */
- strupper(trusting_dom_names[i]);
+ strupper_m(trusting_dom_names[i]);
opt_workgroup = talloc_strdup(mem_ctx, trusting_dom_names[i]);
opt_target_workgroup = opt_workgroup;
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index e389cf8ef8..22ed49c74f 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -49,7 +49,6 @@ int net_rpc_join_ok(const char *domain)
int retval = 1;
uint32 channel;
NTSTATUS result;
- uint32 neg_flags = 0x000001ff;
/* Connect to remote machine */
if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) {
@@ -68,10 +67,12 @@ int net_rpc_join_ok(const char *domain)
goto done;
}
- CHECK_RPC_ERR(cli_nt_setup_creds(cli,
- channel,
- stored_md4_trust_password, &neg_flags, 2),
- "error in domain join verification");
+ /* ensure that schannel uses the right domain */
+ fstrcpy(cli->domain, domain);
+ if (! NT_STATUS_IS_OK(result = cli_nt_establish_netlogon(cli, channel, stored_md4_trust_password))) {
+ DEBUG(0,("Error in domain join verfication\n"));
+ goto done;
+ }
retval = 0; /* Success! */
@@ -131,7 +132,6 @@ int net_rpc_join_newstyle(int argc, const char **argv)
uint32 flags = 0x3e8;
char *acct_name;
const char *const_acct_name;
- uint32 neg_flags = 0x000001ff;
/* check what type of join */
if (argc >= 0) {
@@ -167,7 +167,7 @@ int net_rpc_join_newstyle(int argc, const char **argv)
/* Fetch domain sid */
if (!cli_nt_session_open(cli, PI_LSARPC)) {
- DEBUG(0, ("Error connecting to SAM pipe\n"));
+ DEBUG(0, ("Error connecting to LSA pipe\n"));
goto done;
}
@@ -204,7 +204,7 @@ int net_rpc_join_newstyle(int argc, const char **argv)
/* Create domain user */
acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname());
- strlower(acct_name);
+ strlower_m(acct_name);
const_acct_name = acct_name;
result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol,
@@ -240,7 +240,7 @@ int net_rpc_join_newstyle(int argc, const char **argv)
acct_name, nt_errstr(result)));
if (name_types[0] != SID_NAME_USER) {
- DEBUG(0, ("%s is not a user account\n", acct_name));
+ DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types[0]));
goto done;
}
@@ -315,14 +315,29 @@ int net_rpc_join_newstyle(int argc, const char **argv)
goto done;
}
- CHECK_RPC_ERR(cli_nt_setup_creds(cli,
- sec_channel_type,
- md4_trust_password, &neg_flags, 2),
- "error in domain join verification");
-
+ /* ensure that schannel uses the right domain */
+ fstrcpy(cli->domain, domain);
+
+ result = cli_nt_establish_netlogon(cli, sec_channel_type,
+ md4_trust_password);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0, ("Error domain join verification: %s\n\n",
+ nt_errstr(result)));
+
+ if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) &&
+ (sec_channel_type == SEC_CHAN_BDC) ) {
+ d_printf("Please make sure that no computer account\n"
+ "named like this machine (%s) exists in the domain\n",
+ global_myname());
+ }
+
+ goto done;
+ }
+
/* Now store the secret in the secrets database */
- strupper(domain);
+ strupper_m(domain);
if (!secrets_store_domain_sid(domain, &domain_sid)) {
DEBUG(0, ("error storing domain sid for %s\n", domain));
@@ -366,7 +381,7 @@ done:
**/
int net_rpc_testjoin(int argc, const char **argv)
{
- char *domain = smb_xstrdup(lp_workgroup());
+ char *domain = smb_xstrdup(opt_target_workgroup);
/* Display success or failure */
if (net_rpc_join_ok(domain) != 0) {
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index 42bb480844..e5e9a68b2e 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -209,6 +209,11 @@ int rpc_samdump(int argc, const char **argv)
fstrcpy(cli->domain, lp_workgroup());
+ if (!cli_nt_session_open(cli, PI_NETLOGON)) {
+ DEBUG(0,("Could not open connection to NETLOGON pipe\n"));
+ goto fail;
+ }
+
if (!secrets_fetch_trust_account_password(lp_workgroup(),
trust_password,
NULL, &sec_channel)) {
@@ -216,7 +221,8 @@ int rpc_samdump(int argc, const char **argv)
goto fail;
}
- if (!cli_nt_open_netlogon(cli, trust_password, sec_channel)) {
+ if (!NT_STATUS_IS_OK(cli_nt_establish_netlogon(cli, sec_channel,
+ trust_password))) {
DEBUG(0,("Error connecting to NETLOGON pipe\n"));
goto fail;
}
@@ -403,8 +409,10 @@ fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta)
SAM_ACCOUNT *sam_account=NULL;
GROUP_MAP map;
struct group *grp;
- DOM_SID sid;
- BOOL try_add = False;
+ DOM_SID user_sid;
+ DOM_SID group_sid;
+ struct passwd *passwd;
+ fstring sid_string;
fstrcpy(account, unistr2_static(&delta->uni_acct_name));
d_printf("Creating account: %s\n", account);
@@ -412,7 +420,7 @@ fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta)
if (!NT_STATUS_IS_OK(nt_ret = pdb_init_sam(&sam_account)))
return nt_ret;
- if (!pdb_getsampwnam(sam_account, account)) {
+ if (!(passwd = Get_Pwnam(account))) {
/* Create appropriate user */
if (delta->acb_info & ACB_NORMAL) {
pstrcpy(add_script, lp_adduser_script());
@@ -423,8 +431,6 @@ fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta)
} else {
DEBUG(1, ("Unknown user type: %s\n",
smbpasswd_encode_acb_info(delta->acb_info)));
- pdb_free_sam(&sam_account);
- return NT_STATUS_NO_SUCH_USER;
}
if (*add_script) {
int add_ret;
@@ -434,44 +440,68 @@ fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta)
DEBUG(1,("fetch_account: Running the command `%s' "
"gave %d\n", add_script, add_ret));
}
-
- try_add = True;
+ else {
+ DEBUG(8,("fetch_account_info: no add user/machine script. Asking winbindd\n"));
+
+ /* don't need a RID allocated since the user already has a SID */
+ if ( !winbind_create_user( account, NULL ) )
+ DEBUG(4,("fetch_account_info: winbind_create_user() failed\n"));
+ }
+
+ /* try and find the possible unix account again */
+ if ( !(passwd = Get_Pwnam(account)) )
+ return NT_STATUS_NO_SUCH_USER;
+
}
-
- sam_account_from_delta(sam_account, delta);
-
- if (try_add) {
+
+ sid_copy(&user_sid, get_global_sam_sid());
+ sid_append_rid(&user_sid, delta->user_rid);
+
+ DEBUG(3, ("Attempting to find SID %s for user %s in the passdb\n", sid_to_string(sid_string, &user_sid), account));
+ if (!pdb_getsampwsid(sam_account, &user_sid)) {
+ sam_account_from_delta(sam_account, delta);
+ DEBUG(3, ("Attempting to add user SID %s for user %s in the passdb\n",
+ sid_to_string(sid_string, &user_sid), pdb_get_username(sam_account)));
if (!pdb_add_sam_account(sam_account)) {
DEBUG(1, ("SAM Account for %s failed to be added to the passdb!\n",
account));
+ return NT_STATUS_ACCESS_DENIED;
}
} else {
+ sam_account_from_delta(sam_account, delta);
+ DEBUG(3, ("Attempting to update user SID %s for user %s in the passdb\n",
+ sid_to_string(sid_string, &user_sid), pdb_get_username(sam_account)));
if (!pdb_update_sam_account(sam_account)) {
DEBUG(1, ("SAM Account for %s failed to be updated in the passdb!\n",
account));
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_ACCESS_DENIED;
}
}
- sid = *pdb_get_group_sid(sam_account);
+ group_sid = *pdb_get_group_sid(sam_account);
- if (!pdb_getgrsid(&map, sid, False)) {
+ if (!pdb_getgrsid(&map, group_sid)) {
DEBUG(0, ("Primary group of %s has no mapping!\n",
pdb_get_username(sam_account)));
- pdb_free_sam(&sam_account);
- return NT_STATUS_NO_SUCH_GROUP;
- }
+ } else {
+ if (map.gid != passwd->pw_gid) {
+ if (!(grp = getgrgid(map.gid))) {
+ DEBUG(0, ("Could not find unix group %d for user %s (group SID=%s)\n",
+ map.gid, pdb_get_username(sam_account), sid_string_static(&group_sid)));
+ } else {
+ smb_set_primary_group(grp->gr_name, pdb_get_username(sam_account));
+ }
+ }
+ }
- if (!(grp = getgrgid(map.gid))) {
- DEBUG(0, ("Could not find unix group %d for user %s (group SID=%s)\n",
- map.gid, pdb_get_username(sam_account), sid_string_static(&sid)));
- pdb_free_sam(&sam_account);
- return NT_STATUS_NO_SUCH_GROUP;
+ if ( !passwd ) {
+ DEBUG(1, ("No unix user for this account (%s), cannot adjust mappings\n",
+ pdb_get_username(sam_account)));
}
- smb_set_primary_group(grp->gr_name, pdb_get_username(sam_account));
-
pdb_free_sam(&sam_account);
- return NT_STATUS_OK;
+ return nt_ret;
}
static NTSTATUS
@@ -493,22 +523,26 @@ fetch_group_info(uint32 rid, SAM_GROUP_INFO *delta)
sid_append_rid(&group_sid, rid);
sid_to_string(sid_string, &group_sid);
- if (pdb_getgrsid(&map, group_sid, False)) {
- grp = getgrgid(map.gid);
+ if (pdb_getgrsid(&map, group_sid)) {
+ if ( map.gid != -1 )
+ grp = getgrgid(map.gid);
insert = False;
}
- if (grp == NULL)
- {
+ if (grp == NULL) {
gid_t gid;
/* No group found from mapping, find it from its name. */
if ((grp = getgrnam(name)) == NULL) {
+
/* No appropriate group found, create one */
+
d_printf("Creating unix group: '%s'\n", name);
+
if (smb_create_group(name, &gid) != 0)
return NT_STATUS_ACCESS_DENIED;
- if ((grp = getgrgid(gid)) == NULL)
+
+ if ((grp = getgrnam(name)) == NULL)
return NT_STATUS_ACCESS_DENIED;
}
}
@@ -519,9 +553,6 @@ fetch_group_info(uint32 rid, SAM_GROUP_INFO *delta)
fstrcpy(map.nt_name, name);
fstrcpy(map.comment, comment);
- map.priv_set.count = 0;
- map.priv_set.set = NULL;
-
if (insert)
pdb_add_group_mapping_entry(&map);
else
@@ -548,7 +579,7 @@ fetch_group_mem_info(uint32 rid, SAM_GROUP_MEM_INFO *delta)
sid_copy(&group_sid, get_global_sam_sid());
sid_append_rid(&group_sid, rid);
- if (!get_domain_group_from_sid(group_sid, &map, False)) {
+ if (!get_domain_group_from_sid(group_sid, &map)) {
DEBUG(0, ("Could not find global group %d\n", rid));
return NT_STATUS_NO_SUCH_GROUP;
}
@@ -673,7 +704,7 @@ static NTSTATUS fetch_alias_info(uint32 rid, SAM_ALIAS_INFO *delta,
sid_append_rid(&alias_sid, rid);
sid_to_string(sid_string, &alias_sid);
- if (pdb_getgrsid(&map, alias_sid, False)) {
+ if (pdb_getgrsid(&map, alias_sid)) {
grp = getgrgid(map.gid);
insert = False;
}
@@ -703,9 +734,6 @@ static NTSTATUS fetch_alias_info(uint32 rid, SAM_ALIAS_INFO *delta,
fstrcpy(map.nt_name, name);
fstrcpy(map.comment, comment);
- map.priv_set.count = 0;
- map.priv_set.set = NULL;
-
if (insert)
pdb_add_group_mapping_entry(&map);
else
@@ -885,7 +913,7 @@ fetch_sam_entry(SAM_DELTA_HDR *hdr_delta, SAM_DELTA_CTR *delta,
&delta->als_mem_info, dom_sid);
break;
case SAM_DELTA_DOMAIN_INFO:
- d_printf("SAMBA_DELTA_DOMAIN_INFO not handled\n");
+ d_printf("SAM_DELTA_DOMAIN_INFO not handled\n");
break;
default:
d_printf("Unknown delta record type %d\n", hdr_delta->type);
@@ -893,7 +921,7 @@ fetch_sam_entry(SAM_DELTA_HDR *hdr_delta, SAM_DELTA_CTR *delta,
}
}
-static void
+static NTSTATUS
fetch_database(struct cli_state *cli, unsigned db_type, DOM_CRED *ret_creds,
DOM_SID dom_sid)
{
@@ -905,9 +933,8 @@ fetch_database(struct cli_state *cli, unsigned db_type, DOM_CRED *ret_creds,
SAM_DELTA_CTR *deltas;
uint32 num_deltas;
- if (!(mem_ctx = talloc_init("fetch_database"))) {
- return;
- }
+ if (!(mem_ctx = talloc_init("fetch_database")))
+ return NT_STATUS_NO_MEMORY;
switch( db_type ) {
case SAM_DATABASE_DOMAIN:
@@ -929,15 +956,25 @@ fetch_database(struct cli_state *cli, unsigned db_type, DOM_CRED *ret_creds,
db_type, sync_context,
&num_deltas,
&hdr_deltas, &deltas);
- clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred),
- ret_creds);
- for (i = 0; i < num_deltas; i++) {
- fetch_sam_entry(&hdr_deltas[i], &deltas[i], dom_sid);
- }
+
+ if (NT_STATUS_IS_OK(result) ||
+ NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
+
+ clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred),
+ ret_creds);
+
+ for (i = 0; i < num_deltas; i++) {
+ fetch_sam_entry(&hdr_deltas[i], &deltas[i], dom_sid);
+ }
+ } else
+ return result;
+
sync_context += 1;
} while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
talloc_destroy(mem_ctx);
+
+ return result;
}
/* dump sam database via samsync rpc calls */
@@ -947,7 +984,6 @@ int rpc_vampire(int argc, const char **argv)
struct cli_state *cli = NULL;
uchar trust_password[16];
DOM_CRED ret_creds;
- uint32 neg_flags = 0x000001ff;
DOM_SID dom_sid;
uint32 sec_channel;
@@ -971,18 +1007,35 @@ int rpc_vampire(int argc, const char **argv)
goto fail;
}
- result = cli_nt_setup_creds(cli, sec_channel, trust_password,
- &neg_flags, 2);
+ result = cli_nt_establish_netlogon(cli, sec_channel, trust_password);
+
if (!NT_STATUS_IS_OK(result)) {
d_printf("Failed to setup BDC creds\n");
goto fail;
}
- dom_sid = *get_global_sam_sid();
- fetch_database(cli, SAM_DATABASE_DOMAIN, &ret_creds, dom_sid);
+ sid_copy( &dom_sid, get_global_sam_sid() );
+ result = fetch_database(cli, SAM_DATABASE_DOMAIN, &ret_creds, dom_sid);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ d_printf("Failed to fetch domain database: %s\n",
+ nt_errstr(result));
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED))
+ d_printf("Perhaps %s is a Windows 2000 native mode "
+ "domain?\n", lp_workgroup());
+ goto fail;
+ }
sid_copy(&dom_sid, &global_sid_Builtin);
- fetch_database(cli, SAM_DATABASE_BUILTIN, &ret_creds, dom_sid);
+
+ result = fetch_database(cli, SAM_DATABASE_BUILTIN, &ret_creds,
+ dom_sid);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ d_printf("Failed to fetch builtin database: %s\n",
+ nt_errstr(result));
+ goto fail;
+ }
/* Currently we crash on PRIVS somewhere in unmarshalling */
/* Dump_database(cli, SAM_DATABASE_PRIVS, &ret_creds); */
@@ -992,8 +1045,8 @@ int rpc_vampire(int argc, const char **argv)
return 0;
fail:
- if (cli) {
+ if (cli)
cli_nt_session_close(cli);
- }
+
return -1;
}
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 42490190f3..3dfa157bda 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -38,7 +38,6 @@ enum squid_mode {
extern int winbindd_fd;
-static const char *helper_protocol;
static const char *opt_username;
static const char *opt_domain;
static const char *opt_workstation;
@@ -48,7 +47,6 @@ static DATA_BLOB opt_lm_response;
static DATA_BLOB opt_nt_response;
static int request_lm_key;
static int request_nt_key;
-static int diagnostics;
static char winbind_separator(void)
@@ -184,7 +182,7 @@ static NTSTATUS contact_winbind_auth_crap(const char *username,
const DATA_BLOB *lm_response,
const DATA_BLOB *nt_response,
uint32 flags,
- uint8 lm_key[16],
+ uint8 lm_key[8],
uint8 nt_key[16],
char **error_string)
{
@@ -198,7 +196,7 @@ static NTSTATUS contact_winbind_auth_crap(const char *username,
ZERO_STRUCT(request);
ZERO_STRUCT(response);
- request.data.auth_crap.flags = flags;
+ request.flags = flags;
fstrcpy(request.data.auth_crap.user, username);
@@ -235,13 +233,13 @@ static NTSTATUS contact_winbind_auth_crap(const char *username,
return nt_status;
}
- if ((flags & WINBIND_PAM_LMKEY) && lm_key
+ if ((flags & WBFLAG_PAM_LMKEY) && lm_key
&& (memcmp(zeros, response.data.auth.first_8_lm_hash,
sizeof(response.data.auth.first_8_lm_hash)) != 0)) {
memcpy(lm_key, response.data.auth.first_8_lm_hash,
sizeof(response.data.auth.first_8_lm_hash));
}
- if ((flags & WINBIND_PAM_NTKEY) && nt_key
+ if ((flags & WBFLAG_PAM_NTKEY) && nt_key
&& (memcmp(zeros, response.data.auth.nt_session_key,
sizeof(response.data.auth.nt_session_key)) != 0)) {
memcpy(nt_key, response.data.auth.nt_session_key,
@@ -410,14 +408,15 @@ static BOOL check_auth_crap(void)
char *hex_lm_key;
char *hex_nt_key;
char *error_string;
-
static uint8 zeros[16];
+ x_setbuf(x_stdout, NULL);
+
if (request_lm_key)
- flags |= WINBIND_PAM_LMKEY;
+ flags |= WBFLAG_PAM_LMKEY;
if (request_nt_key)
- flags |= WINBIND_PAM_NTKEY;
+ flags |= WBFLAG_PAM_NTKEY;
nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
opt_workstation,
@@ -430,9 +429,9 @@ static BOOL check_auth_crap(void)
&error_string);
if (!NT_STATUS_IS_OK(nt_status)) {
- d_printf("%s (0x%x)\n",
- error_string,
- NT_STATUS_V(nt_status));
+ x_fprintf(x_stdout, "%s (0x%x)\n",
+ error_string,
+ NT_STATUS_V(nt_status));
SAFE_FREE(error_string);
return False;
}
@@ -443,7 +442,7 @@ static BOOL check_auth_crap(void)
hex_encode(lm_key,
sizeof(lm_key),
&hex_lm_key);
- d_printf("LM_KEY: %s\n", hex_lm_key);
+ x_fprintf(x_stdout, "LM_KEY: %s\n", hex_lm_key);
SAFE_FREE(hex_lm_key);
}
if (request_nt_key
@@ -452,7 +451,7 @@ static BOOL check_auth_crap(void)
hex_encode(nt_key,
sizeof(nt_key),
&hex_nt_key);
- d_printf("NT_KEY: %s\n", hex_nt_key);
+ x_fprintf(x_stdout, "NT_KEY: %s\n", hex_nt_key);
SAFE_FREE(hex_nt_key);
}
@@ -476,6 +475,10 @@ static DATA_BLOB get_challenge(void)
return chal;
}
+/*
+ * Test LM authentication, no NT response supplied
+ */
+
static BOOL test_lm(void)
{
NTSTATUS nt_status;
@@ -483,13 +486,18 @@ static BOOL test_lm(void)
DATA_BLOB lm_response = data_blob(NULL, 24);
uchar lm_key[8];
+ uchar nt_key[16];
uchar lm_hash[16];
DATA_BLOB chall = get_challenge();
char *error_string;
- flags |= WINBIND_PAM_LMKEY;
+ ZERO_STRUCT(lm_key);
+ ZERO_STRUCT(nt_key);
- SMBencrypt(opt_password,chall.data,lm_response.data);
+ flags |= WBFLAG_PAM_LMKEY;
+ flags |= WBFLAG_PAM_NTKEY;
+
+ SMBencrypt(opt_password, chall.data, lm_response.data);
E_deshash(opt_password, lm_hash);
nt_status = contact_winbind_auth_crap(opt_username, opt_domain, opt_workstation,
@@ -498,7 +506,7 @@ static BOOL test_lm(void)
NULL,
flags,
lm_key,
- NULL,
+ nt_key,
&error_string);
data_blob_free(&lm_response);
@@ -518,9 +526,20 @@ static BOOL test_lm(void)
DEBUG(1, ("expected:\n"));
dump_data(1, lm_hash, 8);
}
+ if (memcmp(lm_hash, nt_key, 8) != 0) {
+ DEBUG(1, ("Session Key (first 8, lm hash) does not match expectations!\n"));
+ DEBUG(1, ("nt_key:\n"));
+ dump_data(1, nt_key, 8);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, lm_hash, 8);
+ }
return True;
}
+/*
+ * Test the normal 'LM and NTLM' combination
+ */
+
static BOOL test_lm_ntlm(void)
{
BOOL pass = True;
@@ -537,8 +556,11 @@ static BOOL test_lm_ntlm(void)
DATA_BLOB chall = get_challenge();
char *error_string;
- flags |= WINBIND_PAM_LMKEY;
- flags |= WINBIND_PAM_NTKEY;
+ ZERO_STRUCT(lm_key);
+ ZERO_STRUCT(nt_key);
+
+ flags |= WBFLAG_PAM_LMKEY;
+ flags |= WBFLAG_PAM_NTKEY;
SMBencrypt(opt_password,chall.data,lm_response.data);
E_deshash(opt_password, lm_hash);
@@ -589,6 +611,10 @@ static BOOL test_lm_ntlm(void)
return pass;
}
+/*
+ * Test the NTLM response only, no LM.
+ */
+
static BOOL test_ntlm(void)
{
BOOL pass = True;
@@ -597,24 +623,99 @@ static BOOL test_ntlm(void)
DATA_BLOB nt_response = data_blob(NULL, 24);
DATA_BLOB session_key = data_blob(NULL, 16);
+ char lm_key[8];
char nt_key[16];
+ char lm_hash[16];
char nt_hash[16];
DATA_BLOB chall = get_challenge();
char *error_string;
- flags |= WINBIND_PAM_NTKEY;
+ ZERO_STRUCT(lm_key);
+ ZERO_STRUCT(nt_key);
+
+ flags |= WBFLAG_PAM_LMKEY;
+ flags |= WBFLAG_PAM_NTKEY;
SMBNTencrypt(opt_password,chall.data,nt_response.data);
E_md4hash(opt_password, nt_hash);
SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
+ E_deshash(opt_password, lm_hash);
+
nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
opt_workstation,
&chall,
NULL,
&nt_response,
flags,
+ lm_key,
+ nt_key,
+ &error_string);
+
+ data_blob_free(&nt_response);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ d_printf("%s (0x%x)\n",
+ error_string,
+ NT_STATUS_V(nt_status));
+ SAFE_FREE(error_string);
+ return False;
+ }
+
+ if (memcmp(lm_hash, lm_key,
+ sizeof(lm_key)) != 0) {
+ DEBUG(1, ("LM Key does not match expectations!\n"));
+ DEBUG(1, ("lm_key:\n"));
+ dump_data(1, lm_key, 8);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, lm_hash, 8);
+ pass = False;
+ }
+ if (memcmp(session_key.data, nt_key,
+ sizeof(nt_key)) != 0) {
+ DEBUG(1, ("NT Session Key does not match expectations!\n"));
+ DEBUG(1, ("nt_key:\n"));
+ dump_data(1, nt_key, 16);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, session_key.data, session_key.length);
+ pass = False;
+ }
+ return pass;
+}
+
+/*
+ * Test the NTLM response only, but in the LM field.
+ */
+
+static BOOL test_ntlm_in_lm(void)
+{
+ BOOL pass = True;
+ NTSTATUS nt_status;
+ uint32 flags = 0;
+ DATA_BLOB nt_response = data_blob(NULL, 24);
+
+ uchar lm_key[8];
+ uchar lm_hash[16];
+ uchar nt_key[16];
+ DATA_BLOB chall = get_challenge();
+ char *error_string;
+
+ ZERO_STRUCT(nt_key);
+
+ flags |= WBFLAG_PAM_LMKEY;
+ flags |= WBFLAG_PAM_NTKEY;
+
+ SMBNTencrypt(opt_password,chall.data,nt_response.data);
+
+ E_deshash(opt_password, lm_hash);
+
+ nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
+ opt_workstation,
+ &chall,
+ &nt_response,
NULL,
+ flags,
+ lm_key,
nt_key,
&error_string);
@@ -628,6 +729,86 @@ static BOOL test_ntlm(void)
return False;
}
+ if (memcmp(lm_hash, lm_key,
+ sizeof(lm_key)) != 0) {
+ DEBUG(1, ("LM Key does not match expectations!\n"));
+ DEBUG(1, ("lm_key:\n"));
+ dump_data(1, lm_key, 8);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, lm_hash, 8);
+ pass = False;
+ }
+ if (memcmp(lm_hash, nt_key, 8) != 0) {
+ DEBUG(1, ("Session Key (first 8 lm hash) does not match expectations!\n"));
+ DEBUG(1, ("nt_key:\n"));
+ dump_data(1, nt_key, 16);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, lm_hash, 8);
+ pass = False;
+ }
+ return pass;
+}
+
+/*
+ * Test the NTLM response only, but in the both the NT and LM fields.
+ */
+
+static BOOL test_ntlm_in_both(void)
+{
+ BOOL pass = True;
+ NTSTATUS nt_status;
+ uint32 flags = 0;
+ DATA_BLOB nt_response = data_blob(NULL, 24);
+ DATA_BLOB session_key = data_blob(NULL, 16);
+
+ char lm_key[8];
+ char lm_hash[16];
+ char nt_key[16];
+ char nt_hash[16];
+ DATA_BLOB chall = get_challenge();
+ char *error_string;
+
+ ZERO_STRUCT(lm_key);
+ ZERO_STRUCT(nt_key);
+
+ flags |= WBFLAG_PAM_LMKEY;
+ flags |= WBFLAG_PAM_NTKEY;
+
+ SMBNTencrypt(opt_password,chall.data,nt_response.data);
+ E_md4hash(opt_password, nt_hash);
+ SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
+
+ E_deshash(opt_password, lm_hash);
+
+ nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
+ opt_workstation,
+ &chall,
+ &nt_response,
+ &nt_response,
+ flags,
+ lm_key,
+ nt_key,
+ &error_string);
+
+ data_blob_free(&nt_response);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ d_printf("%s (0x%x)\n",
+ error_string,
+ NT_STATUS_V(nt_status));
+ SAFE_FREE(error_string);
+ return False;
+ }
+
+ if (memcmp(lm_hash, lm_key,
+ sizeof(lm_key)) != 0) {
+ DEBUG(1, ("LM Key does not match expectations!\n"));
+ DEBUG(1, ("lm_key:\n"));
+ dump_data(1, lm_key, 8);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, lm_hash, 8);
+ pass = False;
+ }
if (memcmp(session_key.data, nt_key,
sizeof(nt_key)) != 0) {
DEBUG(1, ("NT Session Key does not match expectations!\n"));
@@ -637,15 +818,347 @@ static BOOL test_ntlm(void)
dump_data(1, session_key.data, session_key.length);
pass = False;
}
+
+
return pass;
}
/*
+ * Test the NTLMv2 response only
+ */
+
+static BOOL test_ntlmv2(void)
+{
+ BOOL pass = True;
+ NTSTATUS nt_status;
+ uint32 flags = 0;
+ DATA_BLOB ntlmv2_response = data_blob(NULL, 0);
+ DATA_BLOB nt_session_key = data_blob(NULL, 0);
+ DATA_BLOB names_blob = NTLMv2_generate_names_blob(get_winbind_netbios_name(), get_winbind_domain());
+
+ uchar nt_key[16];
+ DATA_BLOB chall = get_challenge();
+ char *error_string;
+
+ ZERO_STRUCT(nt_key);
+
+ flags |= WBFLAG_PAM_NTKEY;
+
+ if (!SMBNTLMv2encrypt(opt_username, opt_domain, opt_password, &chall,
+ &names_blob,
+ NULL, &ntlmv2_response,
+ &nt_session_key)) {
+ data_blob_free(&names_blob);
+ return False;
+ }
+ data_blob_free(&names_blob);
+
+ nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
+ opt_workstation,
+ &chall,
+ NULL,
+ &ntlmv2_response,
+ flags,
+ NULL,
+ nt_key,
+ &error_string);
+
+ data_blob_free(&ntlmv2_response);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ d_printf("%s (0x%x)\n",
+ error_string,
+ NT_STATUS_V(nt_status));
+ SAFE_FREE(error_string);
+ return False;
+ }
+
+ if (memcmp(nt_session_key.data, nt_key,
+ sizeof(nt_key)) != 0) {
+ DEBUG(1, ("NT Session Key does not match expectations!\n"));
+ DEBUG(1, ("nt_key:\n"));
+ dump_data(1, nt_key, 16);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, nt_session_key.data, nt_session_key.length);
+ pass = False;
+ }
+ return pass;
+}
+
+/*
+ * Test the NTLMv2 and LMv2 responses
+ */
+
+static BOOL test_lmv2_ntlmv2(void)
+{
+ BOOL pass = True;
+ NTSTATUS nt_status;
+ uint32 flags = 0;
+ DATA_BLOB ntlmv2_response = data_blob(NULL, 0);
+ DATA_BLOB lmv2_response = data_blob(NULL, 0);
+ DATA_BLOB nt_session_key = data_blob(NULL, 0);
+ DATA_BLOB names_blob = NTLMv2_generate_names_blob(get_winbind_netbios_name(), get_winbind_domain());
+
+ uchar nt_key[16];
+ DATA_BLOB chall = get_challenge();
+ char *error_string;
+
+ ZERO_STRUCT(nt_key);
+
+ flags |= WBFLAG_PAM_NTKEY;
+
+ if (!SMBNTLMv2encrypt(opt_username, opt_domain, opt_password, &chall,
+ &names_blob,
+ &lmv2_response, &ntlmv2_response,
+ &nt_session_key)) {
+ data_blob_free(&names_blob);
+ return False;
+ }
+ data_blob_free(&names_blob);
+
+ nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
+ opt_workstation,
+ &chall,
+ &lmv2_response,
+ &ntlmv2_response,
+ flags,
+ NULL,
+ nt_key,
+ &error_string);
+
+ data_blob_free(&lmv2_response);
+ data_blob_free(&ntlmv2_response);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ d_printf("%s (0x%x)\n",
+ error_string,
+ NT_STATUS_V(nt_status));
+ SAFE_FREE(error_string);
+ return False;
+ }
+
+ if (memcmp(nt_session_key.data, nt_key,
+ sizeof(nt_key)) != 0) {
+ DEBUG(1, ("NT Session Key does not match expectations!\n"));
+ DEBUG(1, ("nt_key:\n"));
+ dump_data(1, nt_key, 16);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, nt_session_key.data, nt_session_key.length);
+ pass = False;
+ }
+ return pass;
+}
+
+/*
+ * Test the LMv2 response only
+ */
+
+static BOOL test_lmv2(void)
+{
+ BOOL pass = True;
+ NTSTATUS nt_status;
+ uint32 flags = 0;
+ DATA_BLOB lmv2_response = data_blob(NULL, 0);
+
+ DATA_BLOB chall = get_challenge();
+ char *error_string;
+
+ if (!SMBNTLMv2encrypt(opt_username, opt_domain, opt_password, &chall,
+ NULL,
+ &lmv2_response, NULL,
+ NULL)) {
+ return False;
+ }
+
+ nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
+ opt_workstation,
+ &chall,
+ &lmv2_response,
+ NULL,
+ flags,
+ NULL,
+ NULL,
+ &error_string);
+
+ data_blob_free(&lmv2_response);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ d_printf("%s (0x%x)\n",
+ error_string,
+ NT_STATUS_V(nt_status));
+ SAFE_FREE(error_string);
+ return False;
+ }
+
+ return pass;
+}
+
+/*
+ * Test the normal 'LM and NTLM' combination but deliberately break one
+ */
+
+static BOOL test_ntlm_broken(BOOL break_lm)
+{
+ BOOL pass = True;
+ NTSTATUS nt_status;
+ uint32 flags = 0;
+ DATA_BLOB lm_response = data_blob(NULL, 24);
+ DATA_BLOB nt_response = data_blob(NULL, 24);
+ DATA_BLOB session_key = data_blob(NULL, 16);
+
+ uchar lm_key[8];
+ uchar nt_key[16];
+ uchar lm_hash[16];
+ uchar nt_hash[16];
+ DATA_BLOB chall = get_challenge();
+ char *error_string;
+
+ ZERO_STRUCT(lm_key);
+ ZERO_STRUCT(nt_key);
+
+ flags |= WBFLAG_PAM_LMKEY;
+ flags |= WBFLAG_PAM_NTKEY;
+
+ SMBencrypt(opt_password,chall.data,lm_response.data);
+ E_deshash(opt_password, lm_hash);
+
+ SMBNTencrypt(opt_password,chall.data,nt_response.data);
+
+ E_md4hash(opt_password, nt_hash);
+ SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
+
+ if (break_lm)
+ lm_response.data[0]++;
+ else
+ nt_response.data[0]++;
+
+ nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
+ opt_workstation,
+ &chall,
+ &lm_response,
+ &nt_response,
+ flags,
+ lm_key,
+ nt_key,
+ &error_string);
+
+ data_blob_free(&lm_response);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ d_printf("%s (0x%x)\n",
+ error_string,
+ NT_STATUS_V(nt_status));
+ SAFE_FREE(error_string);
+ return False;
+ }
+
+ if (memcmp(lm_hash, lm_key,
+ sizeof(lm_key)) != 0) {
+ DEBUG(1, ("LM Key does not match expectations!\n"));
+ DEBUG(1, ("lm_key:\n"));
+ dump_data(1, lm_key, 8);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, lm_hash, 8);
+ pass = False;
+ }
+ if (memcmp(session_key.data, nt_key,
+ sizeof(nt_key)) != 0) {
+ DEBUG(1, ("NT Session Key does not match expectations!\n"));
+ DEBUG(1, ("nt_key:\n"));
+ dump_data(1, nt_key, 16);
+ DEBUG(1, ("expected:\n"));
+ dump_data(1, session_key.data, session_key.length);
+ pass = False;
+ }
+ return pass;
+}
+
+static BOOL test_ntlm_lm_broken(void)
+{
+ return test_ntlm_broken(True);
+}
+
+static BOOL test_ntlm_ntlm_broken(void)
+{
+ return test_ntlm_broken(False);
+}
+
+static BOOL test_ntlmv2_broken(BOOL break_lmv2)
+{
+ BOOL pass = True;
+ NTSTATUS nt_status;
+ uint32 flags = 0;
+ DATA_BLOB ntlmv2_response = data_blob(NULL, 0);
+ DATA_BLOB lmv2_response = data_blob(NULL, 0);
+ DATA_BLOB nt_session_key = data_blob(NULL, 0);
+ DATA_BLOB names_blob = NTLMv2_generate_names_blob(get_winbind_netbios_name(), get_winbind_domain());
+
+ uchar nt_key[16];
+ DATA_BLOB chall = get_challenge();
+ char *error_string;
+
+ ZERO_STRUCT(nt_key);
+
+ flags |= WBFLAG_PAM_NTKEY;
+
+ if (!SMBNTLMv2encrypt(opt_username, opt_domain, opt_password, &chall,
+ &names_blob,
+ &lmv2_response, &ntlmv2_response,
+ &nt_session_key)) {
+ data_blob_free(&names_blob);
+ return False;
+ }
+ data_blob_free(&names_blob);
+
+ /* Heh - this should break the appropriate password hash nicely! */
+
+ if (break_lmv2)
+ lmv2_response.data[0]++;
+ else
+ ntlmv2_response.data[0]++;
+
+ nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
+ opt_workstation,
+ &chall,
+ &lmv2_response,
+ &ntlmv2_response,
+ flags,
+ NULL,
+ nt_key,
+ &error_string);
+
+ data_blob_free(&lmv2_response);
+ data_blob_free(&ntlmv2_response);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ d_printf("%s (0x%x)\n",
+ error_string,
+ NT_STATUS_V(nt_status));
+ SAFE_FREE(error_string);
+ return False;
+ }
+
+ return pass;
+}
+
+static BOOL test_ntlmv2_lmv2_broken(void)
+{
+ return test_ntlmv2_broken(True);
+}
+
+static BOOL test_ntlmv2_ntlmv2_broken(void)
+{
+ return test_ntlmv2_broken(False);
+}
+
+/*
Tests:
- LM only
- NT and LM
- NT
+ - NT in LM field
+ - NT in both fields
- NTLMv2
- NTLMv2 and LMv2
- LMv2
@@ -659,12 +1172,18 @@ struct ntlm_tests {
BOOL (*fn)(void);
const char *name;
} test_table[] = {
- {test_lm, "test LM"},
- {test_lm_ntlm, "test LM and NTLM"},
- {test_ntlm, "test NTLM"}
-/* {test_lm_ntlmv2, "test NTLMv2"}, */
-/* {test_lm_ntlmv2, "test NTLMv2 and LMv2"}, */
-/* {test_lm_ntlmv2, "test LMv2"} */
+ {test_lm, "LM"},
+ {test_lm_ntlm, "LM and NTLM"},
+ {test_ntlm, "NTLM"},
+ {test_ntlm_in_lm, "NTLM in LM"},
+ {test_ntlm_in_both, "NTLM in both"},
+ {test_ntlmv2, "NTLMv2"},
+ {test_lmv2_ntlmv2, "NTLMv2 and LMv2"},
+ {test_lmv2, "LMv2"},
+ {test_ntlmv2_lmv2_broken, "NTLMv2 and LMv2, LMv2 broken"},
+ {test_ntlmv2_ntlmv2_broken, "NTLMv2 and LMv2, NTLMv2 broken"},
+ {test_ntlm_lm_broken, "NTLM and LM, LM broken"},
+ {test_ntlm_ntlm_broken, "NTLM and LM, NTLM broken"}
};
static BOOL diagnose_ntlm_auth(void)
@@ -701,6 +1220,8 @@ enum {
int main(int argc, const char **argv)
{
int opt;
+ static const char *helper_protocol;
+ static int diagnostics;
static const char *hex_challenge;
static const char *hex_lm_response;
@@ -743,6 +1264,14 @@ enum {
dbf = x_stderr;
+ /* Samba client initialisation */
+
+ if (!lp_load(dyn_CONFIGFILE, True, False, False)) {
+ d_fprintf(stderr, "wbinfo: error opening config file %s. Error was %s\n",
+ dyn_CONFIGFILE, strerror(errno));
+ exit(1);
+ }
+
/* Parse options */
pc = poptGetContext("ntlm_auth", argc, argv, long_options, 0);
@@ -760,7 +1289,7 @@ enum {
while((opt = poptGetNextOpt(pc)) != -1) {
switch (opt) {
case OPT_CHALLENGE:
- challenge = smb_xmalloc((strlen(hex_challenge)+1)/2);
+ challenge = smb_xmalloc((strlen(hex_challenge))/2+1);
if ((challenge_len = strhex_to_str(challenge,
strlen(hex_challenge),
hex_challenge)) != 8) {
@@ -772,7 +1301,7 @@ enum {
SAFE_FREE(challenge);
break;
case OPT_LM:
- lm_response = smb_xmalloc((strlen(hex_lm_response)+1)/2);
+ lm_response = smb_xmalloc((strlen(hex_lm_response))/2+1);
lm_response_len = strhex_to_str(lm_response,
strlen(hex_lm_response),
hex_lm_response);
@@ -784,7 +1313,7 @@ enum {
SAFE_FREE(lm_response);
break;
case OPT_NT:
- nt_response = smb_xmalloc((strlen(hex_nt_response)+1)/2);
+ nt_response = smb_xmalloc((strlen(hex_nt_response)+2)/2+1);
nt_response_len = strhex_to_str(nt_response,
strlen(hex_nt_response),
hex_nt_response);
diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
index d540bf42de..96d0d3c057 100644
--- a/source3/utils/pdbedit.c
+++ b/source3/utils/pdbedit.c
@@ -51,6 +51,21 @@
#define MASK_ALWAYS_GOOD 0x0000001F
#define MASK_USER_GOOD 0x00401F00
+/*****************************************************************************
+ stubb functions
+****************************************************************************/
+
+void become_root( void )
+{
+ return;
+}
+
+void unbecome_root( void )
+{
+ return;
+}
+
+
/*********************************************************
Add all currently available users to another db
********************************************************/
@@ -91,7 +106,7 @@ static int export_groups (struct pdb_context *in, struct pdb_context *out) {
if (NT_STATUS_IS_ERR(in->pdb_enum_group_mapping(in, SID_NAME_UNKNOWN,
&maps, &entries,
- False, False))) {
+ False))) {
fprintf(stderr, "Can't get group mappings!\n");
return 1;
}
@@ -157,8 +172,7 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst
char lm_passwd[33];
char nt_passwd[33];
- uid = -1;
- sid_to_uid(pdb_get_user_sid(sam_pwent), &uid);
+ uid = nametouid(pdb_get_username(sam_pwent));
pdb_sethexpwd(lm_passwd, pdb_get_lanman_passwd(sam_pwent), pdb_get_acct_ctrl(sam_pwent));
pdb_sethexpwd(nt_passwd, pdb_get_nt_passwd(sam_pwent), pdb_get_acct_ctrl(sam_pwent));
@@ -170,8 +184,7 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst
pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent),NEW_PW_FORMAT_SPACE_PADDED_LEN),
(uint32)pdb_get_pass_last_set_time(sam_pwent));
} else {
- uid = -1;
- sid_to_uid(pdb_get_user_sid(sam_pwent), &uid);
+ uid = nametouid(pdb_get_username(sam_pwent));
printf ("%s:%d:%s\n", pdb_get_username(sam_pwent), uid, pdb_get_fullname(sam_pwent));
}
@@ -337,7 +350,7 @@ static int new_user (struct pdb_context *in, const char *username,
NTSTATUS nt_status;
char *password1, *password2, *staticpass;
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pwent, username))) {
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pwent, username, 0))) {
DEBUG(0, ("could not create account to add new user %s\n", username));
return -1;
}
@@ -485,7 +498,7 @@ static int delete_user_entry (struct pdb_context *in, const char *username)
return -1;
}
- if (NT_STATUS_IS_ERR(in->pdb_getsampwnam(in, samaccount, username))) {
+ if (!NT_STATUS_IS_OK(in->pdb_getsampwnam(in, samaccount, username))) {
fprintf (stderr, "user %s does not exist in the passdb\n", username);
return -1;
}
@@ -511,7 +524,7 @@ static int delete_machine_entry (struct pdb_context *in, const char *machinename
return -1;
}
- if (NT_STATUS_IS_ERR(in->pdb_getsampwnam(in, samaccount, name))) {
+ if (!NT_STATUS_IS_OK(in->pdb_getsampwnam(in, samaccount, name))) {
fprintf (stderr, "machine %s does not exist in the passdb\n", name);
return -1;
}
@@ -606,13 +619,10 @@ int main (int argc, char **argv)
exit(1);
}
- if (!init_names())
- exit(1);
-
- if (!idmap_init())
+ if(!initialize_password_db(False))
exit(1);
- if (!idmap_init_wellknown_sids())
+ if (!init_names())
exit(1);
setparms = (backend ? BIT_BACKEND : 0) +
diff --git a/source3/utils/profiles.c b/source3/utils/profiles.c
index afaa83f638..23df26d150 100644
--- a/source3/utils/profiles.c
+++ b/source3/utils/profiles.c
@@ -454,6 +454,8 @@ static int get_sid(DOM_SID *sid, const unsigned char *sid_str)
return 1;
}
+#if 0
+
/*
* Replace SID1, component by component with SID2
* Assumes will never be called with unequal length SIDS
@@ -470,6 +472,8 @@ static void change_sid(DOM_SID *s1, DOM_SID *s2)
}
}
+#endif
+
static void print_sid(DOM_SID *sid)
{
int i, comps = sid->num_auths;
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
index 9d8a657726..69dc2dd47a 100644
--- a/source3/utils/smbcacls.c
+++ b/source3/utils/smbcacls.c
@@ -30,7 +30,6 @@ static int test_args = False;
static TALLOC_CTX *ctx;
#define CREATE_ACCESS_READ READ_CONTROL_ACCESS
-#define CREATE_ACCESS_WRITE (WRITE_DAC_ACCESS | WRITE_OWNER_ACCESS)
/* numeric is set when the user wants numeric SIDs and ACEs rather
than going via LSA calls to resolve them */
@@ -506,11 +505,11 @@ static int owner_set(struct cli_state *cli, enum chown_mode change_mode,
}
sd = make_sec_desc(ctx,old->revision,
- (change_mode == REQUEST_CHOWN) ? &sid : old->owner_sid,
- (change_mode == REQUEST_CHGRP) ? &sid : old->grp_sid,
- NULL, old->dacl, &sd_size);
+ (change_mode == REQUEST_CHOWN) ? &sid : NULL,
+ (change_mode == REQUEST_CHGRP) ? &sid : NULL,
+ NULL, NULL, &sd_size);
- fnum = cli_nt_create(cli, filename, CREATE_ACCESS_WRITE);
+ fnum = cli_nt_create(cli, filename, WRITE_OWNER_ACCESS);
if (fnum == -1) {
printf("Failed to open %s: %s\n", filename, cli_errstr(cli));
@@ -680,10 +679,10 @@ static int cacl_set(struct cli_state *cli, char *filename,
sort_acl(old->dacl);
/* Create new security descriptor and set it */
- sd = make_sec_desc(ctx,old->revision, old->owner_sid, old->grp_sid,
+ sd = make_sec_desc(ctx,old->revision, NULL, NULL,
NULL, old->dacl, &sd_size);
- fnum = cli_nt_create(cli, filename, CREATE_ACCESS_WRITE);
+ fnum = cli_nt_create(cli, filename, WRITE_DAC_ACCESS);
if (fnum == -1) {
printf("cacl_set failed to open %s: %s\n", filename, cli_errstr(cli));
diff --git a/source3/utils/smbcontrol.c b/source3/utils/smbcontrol.c
index 06add6af22..b7333f2317 100644
--- a/source3/utils/smbcontrol.c
+++ b/source3/utils/smbcontrol.c
@@ -34,7 +34,7 @@ static int num_replies; /* Used by message callback fns */
/* Send a message to a destination pid. Zero means broadcast smbd. */
-static BOOL send_message(pid_t pid, int msg_type, void *buf, int len,
+static BOOL send_message(pid_t pid, int msg_type, const void *buf, int len,
BOOL duplicates)
{
TDB_CONTEXT *tdb;
@@ -92,7 +92,7 @@ static void print_string_cb(int msg_type, pid_t pid, void *buf, size_t len)
/* Send no message. Useful for testing. */
-static BOOL do_noop(const pid_t pid, const int argc, char **argv)
+static BOOL do_noop(const pid_t pid, const int argc, const char **argv)
{
if (argc != 1) {
fprintf(stderr, "Usage: smbcontrol <dest> noop\n");
@@ -106,7 +106,7 @@ static BOOL do_noop(const pid_t pid, const int argc, char **argv)
/* Send a debug string */
-static BOOL do_debug(const pid_t pid, const int argc, char **argv)
+static BOOL do_debug(const pid_t pid, const int argc, const char **argv)
{
if (argc != 2) {
fprintf(stderr, "Usage: smbcontrol <dest> debug "
@@ -120,7 +120,7 @@ static BOOL do_debug(const pid_t pid, const int argc, char **argv)
/* Force a browser election */
-static BOOL do_election(const pid_t pid, const int argc, char **argv)
+static BOOL do_election(const pid_t pid, const int argc, const char **argv)
{
if (argc != 1) {
fprintf(stderr, "Usage: smbcontrol <dest> force-election\n");
@@ -139,7 +139,7 @@ static void pong_cb(int msg_type, pid_t pid, void *buf, size_t len)
num_replies++;
}
-static BOOL do_ping(const pid_t pid, const int argc, char **argv)
+static BOOL do_ping(const pid_t pid, const int argc, const char **argv)
{
if (argc != 1) {
fprintf(stderr, "Usage: smbcontrol <dest> ping\n");
@@ -167,7 +167,7 @@ static BOOL do_ping(const pid_t pid, const int argc, char **argv)
/* Set profiling options */
-static BOOL do_profile(const pid_t pid, const int argc, char **argv)
+static BOOL do_profile(const pid_t pid, const int argc, const char **argv)
{
int v;
@@ -239,7 +239,7 @@ static void profilelevel_rqst(int msg_type, pid_t pid, void *buf, size_t len)
send_message(pid, MSG_PROFILELEVEL, &v, sizeof(int), False);
}
-static BOOL do_profilelevel(const pid_t pid, const int argc, char **argv)
+static BOOL do_profilelevel(const pid_t pid, const int argc, const char **argv)
{
if (argc != 1) {
fprintf(stderr, "Usage: smbcontrol <dest> profilelevel\n");
@@ -268,7 +268,7 @@ static BOOL do_profilelevel(const pid_t pid, const int argc, char **argv)
/* Display debug level settings */
-static BOOL do_debuglevel(const pid_t pid, const int argc, char **argv)
+static BOOL do_debuglevel(const pid_t pid, const int argc, const char **argv)
{
if (argc != 1) {
fprintf(stderr, "Usage: smbcontrol <dest> debuglevel\n");
@@ -296,9 +296,9 @@ static BOOL do_debuglevel(const pid_t pid, const int argc, char **argv)
/* Send a print notify message */
-static BOOL do_printnotify(const pid_t pid, const int argc, char **argv)
+static BOOL do_printnotify(const pid_t pid, const int argc, const char **argv)
{
- char *cmd;
+ const char *cmd;
/* Check for subcommand */
@@ -434,7 +434,7 @@ send:
/* Close a share */
-static BOOL do_closeshare(const pid_t pid, const int argc, char **argv)
+static BOOL do_closeshare(const pid_t pid, const int argc, const char **argv)
{
if (argc != 2) {
fprintf(stderr, "Usage: smbcontrol <dest> close-share "
@@ -448,7 +448,7 @@ static BOOL do_closeshare(const pid_t pid, const int argc, char **argv)
/* Force a SAM synchronisation */
-static BOOL do_samsync(const pid_t pid, const int argc, char **argv)
+static BOOL do_samsync(const pid_t pid, const int argc, const char **argv)
{
if (argc != 1) {
fprintf(stderr, "Usage: smbcontrol <dest> samsync\n");
@@ -461,7 +461,7 @@ static BOOL do_samsync(const pid_t pid, const int argc, char **argv)
/* Force a SAM replication */
-static BOOL do_samrepl(const pid_t pid, const int argc, char **argv)
+static BOOL do_samrepl(const pid_t pid, const int argc, const char **argv)
{
if (argc != 1) {
fprintf(stderr, "Usage: smbcontrol <dest> samrepl\n");
@@ -474,7 +474,7 @@ static BOOL do_samrepl(const pid_t pid, const int argc, char **argv)
/* Display talloc pool usage */
-static BOOL do_poolusage(const pid_t pid, const int argc, char **argv)
+static BOOL do_poolusage(const pid_t pid, const int argc, const char **argv)
{
if (argc != 1) {
fprintf(stderr, "Usage: smbcontrol <dest> pool-usage\n");
@@ -502,7 +502,7 @@ static BOOL do_poolusage(const pid_t pid, const int argc, char **argv)
/* Perform a dmalloc mark */
-static BOOL do_dmalloc_mark(const pid_t pid, const int argc, char **argv)
+static BOOL do_dmalloc_mark(const pid_t pid, const int argc, const char **argv)
{
if (argc != 1) {
fprintf(stderr, "Usage: smbcontrol <dest> dmalloc-mark\n");
@@ -515,8 +515,7 @@ static BOOL do_dmalloc_mark(const pid_t pid, const int argc, char **argv)
/* Perform a dmalloc changed */
-static BOOL do_dmalloc_changed(const pid_t pid, const int argc,
- char **argv)
+static BOOL do_dmalloc_changed(const pid_t pid, const int argc, const char **argv)
{
if (argc != 1) {
fprintf(stderr, "Usage: smbcontrol <dest> "
@@ -530,7 +529,7 @@ static BOOL do_dmalloc_changed(const pid_t pid, const int argc,
/* Shutdown a server process */
-static BOOL do_shutdown(const pid_t pid, const int argc, char **argv)
+static BOOL do_shutdown(const pid_t pid, const int argc, const char **argv)
{
if (argc != 1) {
fprintf(stderr, "Usage: smbcontrol <dest> shutdown\n");
@@ -542,7 +541,7 @@ static BOOL do_shutdown(const pid_t pid, const int argc, char **argv)
/* Notify a driver upgrade */
-static BOOL do_drvupgrade(const pid_t pid, const int argc, char **argv)
+static BOOL do_drvupgrade(const pid_t pid, const int argc, const char **argv)
{
if (argc != 2) {
fprintf(stderr, "Usage: smbcontrol <dest> drvupgrade "
@@ -554,11 +553,21 @@ static BOOL do_drvupgrade(const pid_t pid, const int argc, char **argv)
pid, MSG_DEBUG, argv[1], strlen(argv[1]) + 1, False);
}
+static BOOL do_reload_config(const pid_t pid, const int argc, const char **argv)
+{
+ if (argc != 1) {
+ fprintf(stderr, "Usage: smbcontrol <dest> reload-config\n");
+ return False;
+ }
+
+ return send_message(pid, MSG_SMB_CONF_UPDATED, NULL, 0, False);
+}
+
/* A list of message type supported */
static const struct {
const char *name; /* Option name */
- BOOL (*fn)(const pid_t pid, const int argc, char **argv);
+ BOOL (*fn)(const pid_t pid, const int argc, const char **argv);
const char *help; /* Short help text */
} msg_types[] = {
{ "debug", do_debug, "Set debuglevel" },
@@ -577,6 +586,7 @@ static const struct {
{ "dmalloc-log-changed", do_dmalloc_changed, "" },
{ "shutdown", do_shutdown, "Shut down daemon" },
{ "drvupgrade", do_drvupgrade, "Notify a printer driver has changed" },
+ { "reload-config", do_reload_config, "Force smbd or winbindd to reload config file"},
{ "noop", do_noop, "Do nothing" },
{ NULL }
};
@@ -613,7 +623,7 @@ static void usage(poptContext *pc)
/* Return the pid number for a string destination */
-static pid_t parse_dest(char *dest)
+static pid_t parse_dest(const char *dest)
{
pid_t pid;
@@ -644,9 +654,9 @@ static pid_t parse_dest(char *dest)
/* Execute smbcontrol command */
-static BOOL do_command(int argc, char **argv)
+static BOOL do_command(int argc, const char **argv)
{
- char *dest = argv[0], *command = argv[1];
+ const char *dest = argv[0], *command = argv[1];
pid_t pid;
int i;
@@ -669,7 +679,7 @@ static BOOL do_command(int argc, char **argv)
/* Main program */
-int main(int argc, char **argv)
+int main(int argc, const char **argv)
{
poptContext pc;
int opt;
@@ -726,7 +736,7 @@ int main(int argc, char **argv)
argv. The argc parameter should have been decremented to the
correct value in the above switch statement. */
- argv = (char **)poptGetArgs(pc);
+ argv = (const char **)poptGetArgs(pc);
argc--; /* Don't forget about argv[0] */
if (argc == 1)
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 577e467fbd..eade5331af 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -37,6 +37,21 @@ static const char *remote_machine = NULL;
static fstring ldap_secret;
+/*****************************************************************************
+ stubb functions
+****************************************************************************/
+
+void become_root( void )
+{
+ return;
+}
+
+void unbecome_root( void )
+{
+ return;
+}
+
+
/*********************************************************
Print command usage on stderr and die.
**********************************************************/
@@ -392,7 +407,7 @@ static int process_root(int local_flags)
if (local_flags & LOCAL_ADD_USER) {
SAFE_FREE(new_passwd);
new_passwd = smb_xstrdup(user_name);
- strlower(new_passwd);
+ strlower_m(new_passwd);
}
/*
@@ -405,7 +420,7 @@ static int process_root(int local_flags)
} else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
static fstring buf;
- if (local_flags & LOCAL_ADD_USER) {
+ if ((local_flags & LOCAL_ADD_USER) && (new_passwd == NULL)) {
/*
* Prompt for trusting domain's account password
*/
@@ -450,7 +465,7 @@ static int process_root(int local_flags)
}
}
- if(local_flags & LOCAL_SET_PASSWORD) {
+ if((local_flags & LOCAL_SET_PASSWORD) && (new_passwd == NULL)) {
new_passwd = prompt_for_new_password(stdin_passwd_get);
if(!new_passwd) {
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index e3d6ce0274..16918ecd4a 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -183,6 +183,10 @@ via the %%o substitution. With encrypted passwords this is not possible.\n", lp_
}
#endif
+ if (!lp_passdb_backend()) {
+ printf("ERROR: passdb backend must have a value or be left out\n");
+ }
+
return ret;
}