diff options
author | Gerald Carter <jerry@samba.org> | 2003-09-09 04:07:32 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2003-09-09 04:07:32 +0000 |
commit | 4093bf7ff8c8861cf7b941945ede53a8ec5bb6c8 (patch) | |
tree | dd0a9f32d9933e1f75d919b5083e007d7453f9c4 /source3/utils | |
parent | 3d7cb49747a9a7f5cdec0ee05c6270ec3604202f (diff) | |
download | samba-4093bf7ff8c8861cf7b941945ede53a8ec5bb6c8.tar.gz samba-4093bf7ff8c8861cf7b941945ede53a8ec5bb6c8.tar.bz2 samba-4093bf7ff8c8861cf7b941945ede53a8ec5bb6c8.zip |
sync 3.0 into HEAD for the last time
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
Diffstat (limited to 'source3/utils')
-rw-r--r-- | source3/utils/log2pcaphex.c | 294 | ||||
-rw-r--r-- | source3/utils/net.c | 111 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 91 | ||||
-rw-r--r-- | source3/utils/net_ads_cldap.c | 28 | ||||
-rw-r--r-- | source3/utils/net_groupmap.c | 17 | ||||
-rw-r--r-- | source3/utils/net_help.c | 10 | ||||
-rw-r--r-- | source3/utils/net_lookup.c | 38 | ||||
-rw-r--r-- | source3/utils/net_rpc.c | 34 | ||||
-rw-r--r-- | source3/utils/net_rpc_samsync.c | 37 | ||||
-rw-r--r-- | source3/utils/nmblookup.c | 2 | ||||
-rw-r--r-- | source3/utils/ntlm_auth.c | 474 | ||||
-rw-r--r-- | source3/utils/profiles.c | 2 | ||||
-rw-r--r-- | source3/utils/smbcacls.c | 4 | ||||
-rw-r--r-- | source3/utils/smbgroupedit.c | 405 | ||||
-rw-r--r-- | source3/utils/status.c | 2 | ||||
-rw-r--r-- | source3/utils/testparm.c | 21 |
16 files changed, 938 insertions, 632 deletions
diff --git a/source3/utils/log2pcaphex.c b/source3/utils/log2pcaphex.c new file mode 100644 index 0000000000..4804b99338 --- /dev/null +++ b/source3/utils/log2pcaphex.c @@ -0,0 +1,294 @@ +/* + Unix SMB/CIFS implementation. + Utility to extract pcap files from samba (log level 10) log files + + Copyright (C) Jelmer Vernooij 2003 + Thanks to Tim Potter for the genial idea + + Portions (from capconvert.c) (C) Andrew Tridgell 1997 + Portions (from text2pcap.c) (C) Ashok Narayanan 2001 + + Example use with -h parameter: + log2pcaphex < samba-log-file | text2pcap -T 139,139 - foo.pcap + + TODO: Have correct IP and TCP checksums. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include <assert.h> + +int quiet = 0; +int hexformat = 0; + +#define itoa(a) ((a) < 0xa?'0'+(a):'A' + (a-0xa)) + +#include <stdlib.h> +#include <unistd.h> +#include <sys/time.h> +#include <stdio.h> +#include <fcntl.h> + +#define TCPDUMP_MAGIC 0xa1b2c3d4 + +/* tcpdump file format */ +struct tcpdump_file_header { + uint32 magic; + uint16 major; + uint16 minor; + int32 zone; + uint32 sigfigs; + uint32 snaplen; + uint32 linktype; +}; + +struct tcpdump_packet { + struct timeval ts; + uint32 caplen; + uint32 len; +}; + +typedef struct { + uint8 ver_hdrlen; + uint8 dscp; + uint16 packet_length; + uint16 identification; + uint8 flags; + uint8 fragment; + uint8 ttl; + uint8 protocol; + uint16 hdr_checksum; + uint32 src_addr; + uint32 dest_addr; +} hdr_ip_t; + +static hdr_ip_t HDR_IP = {0x45, 0, 0, 0x3412, 0, 0, 0xff, 6, 0, 0x01010101, 0x02020202}; + +typedef struct { + uint16 source_port; + uint16 dest_port; + uint32 seq_num; + uint32 ack_num; + uint8 hdr_length; + uint8 flags; + uint16 window; + uint16 checksum; + uint16 urg; +} hdr_tcp_t; + +static hdr_tcp_t HDR_TCP = {139, 139, 0, 0, 0x50, 0, 0, 0, 0}; + +void print_pcap_header(FILE *out) +{ + struct tcpdump_file_header h; + h.magic = TCPDUMP_MAGIC; + h.major = 2; + h.minor = 4; + h.zone = 0; + h.sigfigs = 0; + h.snaplen = 102400; /* As long packets as possible */ + h.linktype = 101; /* Raw IP */ + fwrite(&h, sizeof(struct tcpdump_file_header), 1, out); +} + +void print_pcap_packet(FILE *out, unsigned char *data, long length, long caplen) +{ + static int i = 0; + struct tcpdump_packet p; + i++; + p.ts.tv_usec = 0; + p.ts.tv_sec = 0; + p.caplen = caplen; + p.len = length; + fwrite(&p, sizeof(struct tcpdump_packet), 1, out); + fwrite(data, sizeof(unsigned char), caplen, out); +} + +void print_hex_packet(FILE *out, unsigned char *data, long length) +{ + long i,cur = 0; + while(cur < length) { + fprintf(out, "%06lX ", cur); + for(i = cur; i < length && i < cur + 16; i++) { + fprintf(out, "%02x ", data[i]); + } + + cur = i; + fprintf(out, "\n"); + } +} + +void print_netbios_packet(FILE *out, unsigned char *data, long length, long actual_length) +{ + unsigned char *newdata; long offset = 0; + long newlen; + + newlen = length+sizeof(HDR_IP)+sizeof(HDR_TCP); + newdata = malloc(newlen); + + HDR_IP.packet_length = htons(newlen); + HDR_TCP.window = htons(0x2000); + HDR_TCP.source_port = HDR_TCP.dest_port = htons(139); + + memcpy(newdata+offset, &HDR_IP, sizeof(HDR_IP));offset+=sizeof(HDR_IP); + memcpy(newdata+offset, &HDR_TCP, sizeof(HDR_TCP));offset+=sizeof(HDR_TCP); + memcpy(newdata+offset,data,length); + + print_pcap_packet(out, newdata, newlen, actual_length+offset); + free(newdata); +} + +unsigned char *curpacket = NULL; +long curpacket_len = 0; + +void read_log_msg(FILE *in, unsigned char **_buffer, long *buffersize, long *data_offset, long *data_length) +{ + unsigned char *buffer; + int tmp; long i; + assert(fscanf(in, " size=%ld\n", buffersize)); + *buffersize+=4; /* for netbios */ + buffer = malloc(*buffersize); + memset(buffer, 0, *buffersize); + /* NetBIOS */ + buffer[0] = 0x00; + buffer[1] = 0x00; + memcpy(buffer+2, &buffersize, 2); + buffer[4] = 0xFF; + buffer[5] = 'S'; + buffer[6] = 'M'; + buffer[7] = 'B'; + assert(fscanf(in, " smb_com=0x%x\n", &tmp)); buffer[smb_com] = tmp; + assert(fscanf(in, " smb_rcls=%d\n", &tmp)); buffer[smb_rcls] = tmp; + assert(fscanf(in, " smb_reh=%d\n", &tmp)); buffer[smb_reh] = tmp; + assert(fscanf(in, " smb_err=%d\n", &tmp)); memcpy(buffer+smb_err, &tmp, 2); + assert(fscanf(in, " smb_flg=%d\n", &tmp)); buffer[smb_flg] = tmp; + assert(fscanf(in, " smb_flg2=%d\n", &tmp)); memcpy(buffer+smb_flg2, &tmp, 2); + assert(fscanf(in, " smb_tid=%d\n", &tmp)); memcpy(buffer+smb_tid, &tmp, 2); + assert(fscanf(in, " smb_pid=%d\n", &tmp)); memcpy(buffer+smb_pid, &tmp, 2); + assert(fscanf(in, " smb_uid=%d\n", &tmp)); memcpy(buffer+smb_uid, &tmp, 2); + assert(fscanf(in, " smb_mid=%d\n", &tmp)); memcpy(buffer+smb_mid, &tmp, 2); + assert(fscanf(in, " smt_wct=%d\n", &tmp)); buffer[smb_wct] = tmp; + for(i = 0; i < buffer[smb_wct]; i++) { + assert(fscanf(in, " smb_vwv[%*2d]=%*5d (0x%X)\n", &tmp)); + memcpy(buffer+smb_vwv+i*2, &tmp, 2); + } + + *data_offset = smb_vwv+buffer[smb_wct]*2; + assert(fscanf(in, " smb_bcc=%ld\n", data_length)); buffer[(*data_offset)] = *data_length; + (*data_offset)+=2; + *_buffer = buffer; +} + +long read_log_data(FILE *in, unsigned char *buffer, long data_length) +{ + long i, addr; char real[2][16]; int ret; + unsigned char tmp; + for(i = 0; i < data_length; i++) { + if(i % 16 == 0){ + if(i != 0) { /* Read data after each line */ + assert(fscanf(in, "%8s %8s", real[0], real[1]) == 2); + } + ret = fscanf(in, " [%03lX]", &addr); + if(!ret) { + if(!quiet)fprintf(stderr, "Only first %ld bytes are logged, packet trace will be incomplete\nTry a higher log level\n", i); + return i-1; + } + assert(addr == i); + } + if(!fscanf(in, "%02lX", &tmp)) { + if(!quiet)fprintf(stderr, "Only first %ld bytes are logged, packet trace will be incomplete\nTry a higher log level\n", i-1); + return i-1; + } + buffer[i] = tmp; + } + return data_length; +} + +int main (int argc, char **argv) +{ + const char *infile, *outfile; + FILE *out, *in; + int opt; + poptContext pc; + char buffer[4096]; + long data_offset, data_length; + long data_bytes_read; + int in_packet = 0; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "quiet", 'q', POPT_ARG_NONE, &quiet, 0, "Be quiet, don't output warnings" }, + { "hex", 'h', POPT_ARG_NONE, &hexformat, 0, "Output format readable by text2pcap" }, + POPT_TABLEEND + }; + + pc = poptGetContext(NULL, argc, (const char **) argv, long_options, + POPT_CONTEXT_KEEP_FIRST); + poptSetOtherOptionHelp(pc, "[<infile> [<outfile>]]"); + + + while((opt = poptGetNextOpt(pc)) != -1) { + switch (opt) { + } + } + + poptGetArg(pc); /* Drop argv[0], the program name */ + + infile = poptGetArg(pc); + + if(infile) { + in = fopen(infile, "r"); + if(!in) { + perror("fopen"); + return 1; + } + } else in = stdin; + + outfile = poptGetArg(pc); + + if(outfile) { + out = fopen(outfile, "w+"); + if(!out) { + perror("fopen"); + fprintf(stderr, "Can't find %s, using stdout...\n", outfile); + } + } + + if(!outfile) out = stdout; + + if(!hexformat)print_pcap_header(out); + + while(!feof(in)) { + fgets(buffer, sizeof(buffer), in); + if(buffer[0] == '[') { /* Header */ + if(strstr(buffer, "show_msg")) { + in_packet++; + if(in_packet == 1)continue; + read_log_msg(in, &curpacket, &curpacket_len, &data_offset, &data_length); + } else if(in_packet && strstr(buffer, "dump_data")) { + data_bytes_read = read_log_data(in, curpacket+data_offset, data_length); + } else { + if(in_packet){ + if(hexformat) print_hex_packet(out, curpacket, curpacket_len); + else print_netbios_packet(out, curpacket, curpacket_len, data_bytes_read+data_offset); + free(curpacket); + } + in_packet = 0; + } + } + } + + return 0; +} diff --git a/source3/utils/net.c b/source3/utils/net.c index 8f6b09a3fa..e5c078da29 100644 --- a/source3/utils/net.c +++ b/source3/utils/net.c @@ -181,6 +181,27 @@ NTSTATUS connect_to_ipc_anonymous(struct cli_state **c, } } +/**************************************************************************** + Use the local machine's password for this session +****************************************************************************/ +int net_use_machine_password(void) +{ + char *user_name = NULL; + + if (!secrets_init()) { + d_printf("ERROR: Unable to open secrets database\n"); + exit(1); + } + + user_name = NULL; + opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL); + if (asprintf(&user_name, "%s$@%s", global_myname(), lp_realm()) == -1) { + return -1; + } + opt_user_name = user_name; + return 0; +} + BOOL net_find_server(unsigned flags, struct in_addr *server_ip, char **server_name) { @@ -321,7 +342,7 @@ static int net_join(int argc, const char **argv) if (net_ads_join(argc, argv) == 0) return 0; else - d_printf("ADS join did not work, trying RPC...\n"); + d_printf("ADS join did not work, falling back to RPC...\n"); } return net_rpc_join(argc, argv); } @@ -334,6 +355,31 @@ static int net_changetrustpw(int argc, const char **argv) return net_rpc_changetrustpw(argc, argv); } +static int net_changesecretpw(int argc, const char **argv) +{ + char *trust_pw; + uint32 sec_channel_type = SEC_CHAN_WKSTA; + + if(opt_force) { + trust_pw = getpass("Enter machine password: "); + + if (!secrets_store_machine_password(trust_pw, lp_workgroup(), sec_channel_type)) { + d_printf("Unable to write the machine account password in the secrets database"); + return 1; + } + else { + d_printf("Modified trust account password in secrets database\n"); + } + } + else { + d_printf("Machine account password change requires the -f flag.\n"); + d_printf("Do NOT use this function unless you know what it does!\n"); + d_printf("This function will change the ADS Domain member machine account password in the secrets.tdb file!\n"); + } + + return 0; +} + static int net_share(int argc, const char **argv) { if (net_rpc_check(0)) @@ -416,6 +462,50 @@ static int net_getdomainsid(int argc, const char **argv) return 0; } +#ifdef WITH_FAKE_KASERVER + +int net_afskey_usage(int argc, const char **argv) +{ + d_printf(" net afskey filename\n" + "\tImports a OpenAFS KeyFile into our secrets.tdb\n\n"); + return -1; +} + +static int net_afskey(int argc, const char **argv) +{ + int fd; + struct afs_keyfile keyfile; + + if (argc != 1) { + d_printf("usage: 'net afskey <keyfile>'\n"); + return -1; + } + + if (!secrets_init()) { + d_printf("Could not open secrets.tdb\n"); + return -1; + } + + if ((fd = open(argv[0], O_RDONLY, 0)) < 0) { + d_printf("Could not open %s\n", argv[0]); + return -1; + } + + if (read(fd, &keyfile, sizeof(keyfile)) != sizeof(keyfile)) { + d_printf("Could not read keyfile\n"); + return -1; + } + + if (!secrets_store_afs_keyfile(afs_cell(), &keyfile)) { + d_printf("Could not write keyfile to secrets.tdb\n"); + return -1; + } + + return 0; +} + +#endif /* WITH_FAKE_KASERVER */ + static uint32 get_maxrid(void) { SAM_ACCOUNT *pwd = NULL; @@ -516,6 +606,7 @@ static struct functable net_func[] = { {"SERVICE", net_rap_service}, {"PASSWORD", net_rap_password}, {"CHANGETRUSTPW", net_changetrustpw}, + {"CHANGESECRETPW", net_changesecretpw}, {"TIME", net_time}, {"LOOKUP", net_lookup}, {"JOIN", net_join}, @@ -525,6 +616,9 @@ static struct functable net_func[] = { {"GETDOMAINSID", net_getdomainsid}, {"MAXRID", net_maxrid}, {"IDMAP", net_idmap}, +#ifdef WITH_FAKE_KASERVER + {"AFSKEY", net_afskey}, +#endif {"HELP", net_help}, {NULL, NULL} @@ -649,23 +743,10 @@ static struct functable net_func[] = { sec_init(); if (opt_machine_pass) { - char *user = NULL; /* it is very useful to be able to make ads queries as the machine account for testing purposes and for domain leave */ - if (!secrets_init()) { - d_printf("ERROR: Unable to open secrets database\n"); - exit(1); - } - - opt_password = secrets_fetch_machine_password(opt_workgroup, NULL, NULL); - - asprintf(&user,"%s$", global_myname()); - opt_user_name = user; - if (!opt_password) { - d_printf("ERROR: Unable to fetch machine password\n"); - exit(1); - } + net_use_machine_password(); } if (!opt_password) { diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 631e235127..3b955742d8 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -127,9 +127,14 @@ static ADS_STRUCT *ads_startup(void) ADS_STATUS status; BOOL need_password = False; BOOL second_time = False; - char *cp; + char *cp; - ads = ads_init(NULL, opt_target_workgroup, opt_host); + /* lp_realm() should be handled by a command line param, + However, the join requires that realm be set in smb.conf + and compares our realm with the remote server's so this is + ok until someone needs more flexibility */ + + ads = ads_init(lp_realm(), opt_target_workgroup, opt_host); if (!opt_user_name) { opt_user_name = "administrator"; @@ -579,10 +584,7 @@ static int net_ads_leave(int argc, const char **argv) } if (!opt_password) { - char *user_name; - asprintf(&user_name, "%s$", global_myname()); - opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL); - opt_user_name = user_name; + net_use_machine_password(); } if (!(ads = ads_startup())) { @@ -603,7 +605,6 @@ static int net_ads_leave(int argc, const char **argv) static int net_ads_join_ok(void) { - char *user_name; ADS_STRUCT *ads = NULL; if (!secrets_init()) { @@ -611,9 +612,7 @@ static int net_ads_join_ok(void) return -1; } - asprintf(&user_name, "%s$", global_myname()); - opt_user_name = user_name; - opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL); + net_use_machine_password(); if (!(ads = ads_startup())) { return -1; @@ -648,6 +647,7 @@ int net_ads_join(int argc, const char **argv) ADS_STRUCT *ads; ADS_STATUS rc; char *password; + char *machine_account = NULL; char *tmp_password; const char *org_unit = "Computers"; char *dn; @@ -656,6 +656,8 @@ int net_ads_join(int argc, const char **argv) char *ou_str; uint32 sec_channel_type = SEC_CHAN_WKSTA; uint32 account_type = UF_WORKSTATION_TRUST_ACCOUNT; + char *short_domain_name = NULL; + TALLOC_CTX *ctx = NULL; if (argc > 0) org_unit = argv[0]; @@ -669,6 +671,16 @@ int net_ads_join(int argc, const char **argv) if (!(ads = ads_startup())) return -1; + if (!*lp_realm()) { + d_printf("realm must be set in in smb.conf for ADS join to succeed.\n"); + return -1; + } + + if (strcmp(ads->config.realm, lp_realm()) != 0) { + d_printf("realm of remote server (%s) and realm in smb.conf (%s) DO NOT match. Aborting join\n", ads->config.realm, lp_realm()); + return -1; + } + ou_str = ads_ou_string(org_unit); asprintf(&dn, "%s,%s", ou_str, ads->config.bind_path); free(ou_str); @@ -696,16 +708,47 @@ int net_ads_join(int argc, const char **argv) rc = ads_domain_sid(ads, &dom_sid); if (!ADS_ERR_OK(rc)) { - d_printf("ads_domain_sid: %s\n", ads_errstr(rc)); + d_printf("ads_domain_sid: %s\n", ads_errstr(rc)); + return -1; + } + + if (asprintf(&machine_account, "%s$", global_myname()) == -1) { + d_printf("asprintf failed\n"); return -1; } - rc = ads_set_machine_password(ads, global_myname(), password); + rc = ads_set_machine_password(ads, machine_account, password); if (!ADS_ERR_OK(rc)) { d_printf("ads_set_machine_password: %s\n", ads_errstr(rc)); return -1; } - + + /* make sure we get the right workgroup */ + + if ( !(ctx = talloc_init("net ads join")) ) { + d_printf("talloc_init() failed!\n"); + return -1; + } + + rc = ads_workgroup_name(ads, ctx, &short_domain_name); + if ( ADS_ERR_OK(rc) ) { + if ( !strequal(lp_workgroup(), short_domain_name) ) { + d_printf("The workgroup in smb.conf does not match the short\n"); + d_printf("domain name obtained from the server.\n"); + d_printf("Using the name [%s] from the server.\n", short_domain_name); + d_printf("You should set \"workgroup = %s\" in smb.conf.\n", short_domain_name); + } + } + else + short_domain_name = lp_workgroup(); + + d_printf("Using short domain name -- %s\n", short_domain_name); + + /* HACK ALRET! Store the sid and password under bother the lp_workgroup() + value from smb.conf and the string returned from the server. The former is + neede to bootstrap winbindd's first connection to the DC to get the real + short domain name --jerry */ + if (!secrets_store_domain_sid(lp_workgroup(), &dom_sid)) { DEBUG(1,("Failed to save domain sid\n")); return -1; @@ -716,10 +759,22 @@ int net_ads_join(int argc, const char **argv) return -1; } - d_printf("Joined '%s' to realm '%s'\n", global_myname(), ads->config.realm); + if (!secrets_store_domain_sid(short_domain_name, &dom_sid)) { + DEBUG(1,("Failed to save domain sid\n")); + return -1; + } - free(password); + if (!secrets_store_machine_password(password, short_domain_name, sec_channel_type)) { + DEBUG(1,("Failed to save machine password\n")); + return -1; + } + + d_printf("Joined '%s' to realm '%s'\n", global_myname(), ads->config.realm); + SAFE_FREE(password); + SAFE_FREE(machine_account); + if ( ctx ) + talloc_destroy(ctx); return 0; } @@ -1020,17 +1075,13 @@ int net_ads_changetrustpw(int argc, const char **argv) char *host_principal; char *hostname; ADS_STATUS ret; - char *user_name; if (!secrets_init()) { DEBUG(1,("Failed to initialise secrets database\n")); return -1; } - asprintf(&user_name, "%s$", global_myname()); - opt_user_name = user_name; - - opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL); + net_use_machine_password(); use_in_memory_ccache(); diff --git a/source3/utils/net_ads_cldap.c b/source3/utils/net_ads_cldap.c index e74e4b5a4c..595e6e9434 100644 --- a/source3/utils/net_ads_cldap.c +++ b/source3/utils/net_ads_cldap.c @@ -240,7 +240,7 @@ static int recv_cldap_netlogon(int sock, struct cldap_netlogon_reply *reply) return -1; } - p = os3.data; + p = (char *)os3.data; reply->type = IVAL(p, 0); p += 4; reply->flags = IVAL(p, 0); p += 4; @@ -248,25 +248,25 @@ static int recv_cldap_netlogon(int sock, struct cldap_netlogon_reply *reply) memcpy(&reply->guid.info, p, GUID_SIZE); p += GUID_SIZE; - p += pull_netlogon_string(reply->forest, p, os3.data); - p += pull_netlogon_string(reply->unk0, p, os3.data); - p += pull_netlogon_string(reply->domain, p, os3.data); - p += pull_netlogon_string(reply->hostname, p, os3.data); - p += pull_netlogon_string(reply->netbios_domain, p, os3.data); - p += pull_netlogon_string(reply->unk1, p, os3.data); - p += pull_netlogon_string(reply->netbios_hostname, p, os3.data); - p += pull_netlogon_string(reply->unk2, p, os3.data); + p += pull_netlogon_string(reply->forest, p, (const char *)os3.data); + p += pull_netlogon_string(reply->unk0, p, (const char *)os3.data); + p += pull_netlogon_string(reply->domain, p, (const char *)os3.data); + p += pull_netlogon_string(reply->hostname, p, (const char *)os3.data); + p += pull_netlogon_string(reply->netbios_domain, p, (const char *)os3.data); + p += pull_netlogon_string(reply->unk1, p, (const char *)os3.data); + p += pull_netlogon_string(reply->netbios_hostname, p, (const char *)os3.data); + p += pull_netlogon_string(reply->unk2, p, (const char *)os3.data); if (reply->type == SAMLOGON_AD_R) { - p += pull_netlogon_string(reply->user_name, p, os3.data); + p += pull_netlogon_string(reply->user_name, p, (const char *)os3.data); } else { *reply->user_name = 0; } - p += pull_netlogon_string(reply->unk3, p, os3.data); - p += pull_netlogon_string(reply->site_name, p, os3.data); - p += pull_netlogon_string(reply->unk4, p, os3.data); - p += pull_netlogon_string(reply->site_name_2, p, os3.data); + p += pull_netlogon_string(reply->unk3, p, (const char *)os3.data); + p += pull_netlogon_string(reply->site_name, p, (const char *)os3.data); + p += pull_netlogon_string(reply->unk4, p, (const char *)os3.data); + p += pull_netlogon_string(reply->site_name_2, p, (const char *)os3.data); reply->version = IVAL(p, 0); reply->lmnt_token = SVAL(p, 4); diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c index 8831839e4e..9937145230 100644 --- a/source3/utils/net_groupmap.c +++ b/source3/utils/net_groupmap.c @@ -252,11 +252,21 @@ static int net_groupmap_add(int argc, const char **argv) } } - if ( !unixgrp[0] || (!rid && !string_sid[0]) ) { + if ( !unixgrp[0] ) { d_printf("Usage: net groupmap add {rid=<int>|sid=<string>} unixgroup=<string> [type=<domain|local|builtin>] [ntgroup=<string>] [comment=<string>]\n"); return -1; } + if ( (gid = nametogid(unixgrp)) == (gid_t)-1 ) { + d_printf("Can't lookup UNIX group %s\n", ntgroup); + return -1; + } + + if ( (rid == 0) && (string_sid[0] == '\0') ) { + d_printf("No rid or sid specified, choosing algorithmic mapping\n"); + rid = pdb_gid_to_group_rid(gid); + } + /* append the rid to our own domain/machine SID if we don't have a full SID */ if ( !string_sid[0] ) { sid_copy(&sid, get_global_sam_sid()); @@ -267,11 +277,6 @@ static int net_groupmap_add(int argc, const char **argv) if (ntcomment[0]) fstrcpy(ntcomment, "Local Unix group"); - if ( (gid = nametogid(unixgrp)) == (gid_t)-1 ) { - d_printf("Can't lookup UNIX group %s\n", ntgroup); - return -1; - } - if ( !ntgroup[0] ) fstrcpy( ntgroup, unixgrp ); diff --git a/source3/utils/net_help.c b/source3/utils/net_help.c index 1f3afb1690..95116a4d2a 100644 --- a/source3/utils/net_help.c +++ b/source3/utils/net_help.c @@ -47,7 +47,7 @@ int net_common_flags_usage(int argc, const char **argv) d_printf("\t-U or --user=<name>\t\tuser name\n"); d_printf("\t-s or --configfile=<path>\t\tpathname of smb.conf file\n"); d_printf("\t-l or --long\t\t\tDisplay full information\n"); - d_printf("\t-V or --version\t\tPrint samba version information\n"); + d_printf("\t-V or --version\t\t\tPrint samba version information\n"); d_printf("\t-P or --machine-pass\t\tAuthenticate as machine account\n"); return -1; } @@ -60,7 +60,8 @@ static int help_usage(int argc, const char **argv) "\n"\ "Valid functions are:\n"\ " RPC RAP ADS FILE SHARE SESSION SERVER DOMAIN PRINTQ USER GROUP VALIDATE\n"\ -" GROUPMEMBER ADMIN SERVICE PASSWORD TIME LOOKUP GETLOCALSID SETLOCALSID\n"); +" GROUPMEMBER ADMIN SERVICE PASSWORD TIME LOOKUP GETLOCALSID SETLOCALSID\n"\ +" CHANGESCRETPW\n"); return -1; } @@ -156,6 +157,8 @@ static int net_usage(int argc, const char **argv) " net cache\t\tto operate on cache tdb file\n"\ " net getlocalsid [NAME]\tto get the SID for local name\n"\ " net setlocalsid SID\tto set the local domain SID\n"\ + " net changesecretpw\tto change the machine password in the local secrets database only\n"\ + " \tthis requires the -f flag as a safety barrier\n"\ "\n"\ " net ads <command>\tto run ADS commands\n"\ " net rap <command>\tto run RAP (pre-RPC) commands\n"\ @@ -193,6 +196,9 @@ int net_help(int argc, const char **argv) {"PASSWORD", net_rap_password_usage}, {"TIME", net_time_usage}, {"LOOKUP", net_lookup_usage}, +#ifdef WITH_FAKE_KASERVER + {"AFSKEY", net_afskey_usage}, +#endif {"HELP", help_usage}, {NULL, NULL}}; diff --git a/source3/utils/net_lookup.c b/source3/utils/net_lookup.c index 8456da4e0c..cef0ea5fbe 100644 --- a/source3/utils/net_lookup.c +++ b/source3/utils/net_lookup.c @@ -23,7 +23,7 @@ int net_lookup_usage(int argc, const char **argv) { d_printf( -" net lookup host HOSTNAME <type>\n\tgives IP for a hostname\n\n" +" net lookup [host] HOSTNAME[#<type>]\n\tgives IP for a hostname\n\n" " net lookup ldap [domain]\n\tgives IP of domain's ldap server\n\n" " net lookup kdc [realm]\n\tgives IP of realm's kerberos KDC\n\n" " net lookup dc [domain]\n\tgives IP of domains Domain Controllers\n\n" @@ -37,14 +37,22 @@ static int net_lookup_host(int argc, const char **argv) { struct in_addr ip; int name_type = 0x20; + const char *name = argv[0]; + char *p; - if (argc == 0) return net_lookup_usage(argc, argv); - if (argc > 1) name_type = strtol(argv[1], NULL, 0); + if (argc == 0) + return net_lookup_usage(argc, argv); - if (!resolve_name(argv[0], &ip, name_type)) { + p = strchr_m(name,'#'); + if (p) { + *p = '\0'; + sscanf(++p,"%x",&name_type); + } + + if (!resolve_name(name, &ip, name_type)) { /* we deliberately use DEBUG() here to send it to stderr so scripts aren't mucked up */ - DEBUG(0,("Didn't find %s#%02x\n", argv[0], name_type)); + DEBUG(0,("Didn't find %s#%02x\n", name, name_type)); return -1; } @@ -221,7 +229,9 @@ static int net_lookup_kdc(int argc, const char **argv) /* lookup hosts or IP addresses using internal samba lookup fns */ int net_lookup(int argc, const char **argv) { - struct functable func[] = { + int i; + + struct functable table[] = { {"HOST", net_lookup_host}, {"LDAP", net_lookup_ldap}, {"DC", net_lookup_dc}, @@ -230,5 +240,19 @@ int net_lookup(int argc, const char **argv) {NULL, NULL} }; - return net_run_function(argc, argv, func, net_lookup_usage); + if (argc < 1) { + d_printf("\nUsage: \n"); + return net_lookup_usage(argc, argv); + } + for (i=0; table[i].funcname; i++) { + if (StrCaseCmp(argv[0], table[i].funcname) == 0) + return table[i].fn(argc-1, argv+1); + } + + /* Default to lookup a hostname so 'net lookup foo#1b' can be + used instead of 'net lookup host foo#1b'. The host syntax + is a bit confusing as non #00 names can't really be + considered hosts as such. */ + + return net_lookup_host(argc, argv); } diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 890d4a012b..fefc5af365 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -84,7 +84,14 @@ static DOM_SID *net_get_remote_domain_sid(struct cli_state *cli) result = cli_lsa_query_info_policy(cli, mem_ctx, &pol, info_class, domain_name, domain_sid); if (!NT_STATUS_IS_OK(result)) { - goto error; + error: + fprintf(stderr, "could not obtain sid for domain %s\n", cli->domain); + + if (!NT_STATUS_IS_OK(result)) { + fprintf(stderr, "error: %s\n", nt_errstr(result)); + } + + exit(1); } cli_lsa_close(cli, mem_ctx, &pol); @@ -92,15 +99,6 @@ static DOM_SID *net_get_remote_domain_sid(struct cli_state *cli) talloc_destroy(mem_ctx); return domain_sid; - - error: - fprintf(stderr, "could not obtain sid for domain %s\n", cli->domain); - - if (!NT_STATUS_IS_OK(result)) { - fprintf(stderr, "error: %s\n", nt_errstr(result)); - } - - exit(1); } /** @@ -1709,8 +1707,13 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid, struct cli static int rpc_trustdom_add(int argc, const char **argv) { - return run_rpc_command(NULL, PI_SAMR, 0, rpc_trustdom_add_internals, - argc, argv); + if (argc > 0) { + return run_rpc_command(NULL, PI_SAMR, 0, rpc_trustdom_add_internals, + argc, argv); + } else { + d_printf("Usage: net rpc trustdom add <domain>\n"); + return -1; + } } @@ -1726,6 +1729,7 @@ static int rpc_trustdom_add(int argc, const char **argv) static int rpc_trustdom_del(int argc, const char **argv) { d_printf("Sorry, not yet implemented.\n"); + d_printf("Use 'smbpasswd -x -i' instead.\n"); return -1; } @@ -1782,7 +1786,7 @@ static int rpc_trustdom_establish(int argc, const char **argv) /* find the domain controller */ if (!net_find_pdc(&server_ip, pdc_name, domain_name)) { - DEBUG(0, ("Coulnd find domain controller for domain %s\n", domain_name)); + DEBUG(0, ("Couldn't find domain controller for domain %s\n", domain_name)); return -1; } @@ -1988,8 +1992,8 @@ static int rpc_trustdom_list(int argc, const char **argv) POLICY_HND connect_hnd; /* trusted domains listing variables */ - int enum_ctx = 0; - int num_domains, i, pad_len, col_len = 20; + unsigned int num_domains, enum_ctx = 0; + int i, pad_len, col_len = 20; DOM_SID *domain_sids; char **trusted_dom_names; fstring pdc_name, dummy; diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c index 9eadbbbade..ed69f8a326 100644 --- a/source3/utils/net_rpc_samsync.c +++ b/source3/utils/net_rpc_samsync.c @@ -550,7 +550,11 @@ fetch_group_info(uint32 rid, SAM_GROUP_INFO *delta) map.sid = group_sid; map.sid_name_use = SID_NAME_DOM_GRP; fstrcpy(map.nt_name, name); - fstrcpy(map.comment, comment); + if (delta->hdr_grp_desc.buffer) { + fstrcpy(map.comment, comment); + } else { + fstrcpy(map.comment, ""); + } if (insert) pdb_add_group_mapping_entry(&map); @@ -911,9 +915,40 @@ fetch_sam_entry(SAM_DELTA_HDR *hdr_delta, SAM_DELTA_CTR *delta, fetch_alias_mem(hdr_delta->target_rid, &delta->als_mem_info, dom_sid); break; + /* The following types are recognised but not handled */ case SAM_DELTA_DOMAIN_INFO: d_printf("SAM_DELTA_DOMAIN_INFO not handled\n"); break; + case SAM_DELTA_RENAME_GROUP: + d_printf("SAM_DELTA_RENAME_GROUP not handled\n"); + break; + case SAM_DELTA_RENAME_USER: + d_printf("SAM_DELTA_RENAME_USER not handled\n"); + break; + case SAM_DELTA_RENAME_ALIAS: + d_printf("SAM_DELTA_RENAME_ALIAS not handled\n"); + break; + case SAM_DELTA_POLICY_INFO: + d_printf("SAM_DELTA_POLICY_INFO not handled\n"); + break; + case SAM_DELTA_TRUST_DOMS: + d_printf("SAM_DELTA_TRUST_DOMS not handled\n"); + break; + case SAM_DELTA_PRIVS_INFO: + d_printf("SAM_DELTA_PRIVS_INFO not handled\n"); + break; + case SAM_DELTA_SECRET_INFO: + d_printf("SAM_DELTA_SECRET_INFO not handled\n"); + break; + case SAM_DELTA_DELETE_GROUP: + d_printf("SAM_DELTA_DELETE_GROUP not handled\n"); + break; + case SAM_DELTA_DELETE_USER: + d_printf("SAM_DELTA_DELETE_USER not handled\n"); + break; + case SAM_DELTA_MODIFIED_COUNT: + d_printf("SAM_DELTA_MODIFIED_COUNT not handled\n"); + break; default: d_printf("Unknown delta record type %d\n", hdr_delta->type); break; diff --git a/source3/utils/nmblookup.c b/source3/utils/nmblookup.c index d2c5cbc00e..3c5a22841e 100644 --- a/source3/utils/nmblookup.c +++ b/source3/utils/nmblookup.c @@ -109,7 +109,7 @@ static void do_node_status(int fd, const char *name, int type, struct in_addr ip status = node_status_query(fd,&nname,ip, &count); if (status) { for (i=0;i<count;i++) { - fstrcpy(cleanname, status[i].name); + pull_ascii_fstring(cleanname, status[i].name); for (j=0;cleanname[j];j++) { if (!isprint((int)cleanname[j])) cleanname[j] = '.'; } diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 1d36a7ce52..7cd7e0b087 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -200,10 +200,24 @@ static NTSTATUS contact_winbind_auth_crap(const char *username, request.flags = flags; - fstrcpy(request.data.auth_crap.user, username); + if (push_utf8_fstring(request.data.auth_crap.user, username) == -1) { + *error_string = smb_xstrdup( + "unable to create utf8 string for username"); + return NT_STATUS_UNSUCCESSFUL; + } + + if (push_utf8_fstring(request.data.auth_crap.domain, domain) == -1) { + *error_string = smb_xstrdup( + "unable to create utf8 string for domain"); + return NT_STATUS_UNSUCCESSFUL; + } - fstrcpy(request.data.auth_crap.domain, domain); - fstrcpy(request.data.auth_crap.workstation, workstation); + if (push_utf8_fstring(request.data.auth_crap.workstation, + workstation) == -1) { + *error_string = smb_xstrdup( + "unable to create utf8 string for workstation"); + return NT_STATUS_UNSUCCESSFUL; + } memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8)); @@ -296,7 +310,7 @@ static void manage_squid_ntlmssp_request(enum squid_mode squid_mode, } DEBUG(10, ("got NTLMSSP packet:\n")); - dump_data(10, request.data, request.length); + dump_data(10, (const char *)request.data, request.length); nt_status = ntlmssp_server_update(ntlmssp_state, request, &reply); @@ -347,27 +361,35 @@ static void manage_squid_basic_request(enum squid_mode squid_mode, static void offer_gss_spnego_mechs(void) { DATA_BLOB token; - ASN1_DATA asn1; SPNEGO_DATA spnego; ssize_t len; char *reply_base64; + pstring principal; + pstring myname_lower; + ZERO_STRUCT(spnego); + pstrcpy(myname_lower, global_myname()); + strlower_m(myname_lower); + + pstr_sprintf(principal, "%s$@%s", myname_lower, lp_realm()); + /* Server negTokenInit (mech offerings) */ spnego.type = SPNEGO_NEG_TOKEN_INIT; - spnego.negTokenInit.mechTypes = smb_xmalloc(sizeof(char *) * 2); + spnego.negTokenInit.mechTypes = smb_xmalloc(sizeof(char *) * 3); +#ifdef HAVE_KRB5 + spnego.negTokenInit.mechTypes[0] = smb_xstrdup(OID_KERBEROS5_OLD); + spnego.negTokenInit.mechTypes[1] = smb_xstrdup(OID_NTLMSSP); + spnego.negTokenInit.mechTypes[2] = NULL; +#else spnego.negTokenInit.mechTypes[0] = smb_xstrdup(OID_NTLMSSP); spnego.negTokenInit.mechTypes[1] = NULL; +#endif + - ZERO_STRUCT(asn1); - asn1_push_tag(&asn1, ASN1_SEQUENCE(0)); - asn1_push_tag(&asn1, ASN1_CONTEXT(0)); - asn1_write_GeneralString(&asn1, "NONE"); - asn1_pop_tag(&asn1); - asn1_pop_tag(&asn1); - spnego.negTokenInit.mechListMIC = data_blob(asn1.data, asn1.length); - asn1_free(&asn1); + spnego.negTokenInit.mechListMIC = data_blob(principal, + strlen(principal)); len = write_spnego_data(&token, &spnego); free_spnego_data(&spnego); @@ -391,11 +413,14 @@ static void manage_gss_spnego_request(enum squid_mode squid_mode, char *buf, int length) { static NTLMSSP_STATE *ntlmssp_state = NULL; - SPNEGO_DATA spnego; - DATA_BLOB request, token; + SPNEGO_DATA request, response; + DATA_BLOB token; NTSTATUS status; ssize_t len; + char *user = NULL; + char *domain = NULL; + const char *reply_code; char *reply_base64; pstring reply_argument; @@ -432,9 +457,9 @@ static void manage_gss_spnego_request(enum squid_mode squid_mode, return; } - request = base64_decode_data_blob(buf + 3); - len = read_spnego_data(request, &spnego); - data_blob_free(&request); + token = base64_decode_data_blob(buf + 3); + len = read_spnego_data(token, &request); + data_blob_free(&token); if (len == -1) { DEBUG(1, ("GSS-SPNEGO query [%s] invalid", buf)); @@ -442,100 +467,159 @@ static void manage_gss_spnego_request(enum squid_mode squid_mode, return; } - if (spnego.type == SPNEGO_NEG_TOKEN_INIT) { + if (request.type == SPNEGO_NEG_TOKEN_INIT) { /* Second request from Client. This is where the client offers its mechanism to use. We currently only support NTLMSSP, the decision for Kerberos would be taken here. */ - if ( (spnego.negTokenInit.mechTypes == NULL) || - (spnego.negTokenInit.mechTypes[0] == NULL) ) { + if ( (request.negTokenInit.mechTypes == NULL) || + (request.negTokenInit.mechTypes[0] == NULL) ) { DEBUG(1, ("Client did not offer any mechanism")); x_fprintf(x_stdout, "BH\n"); return; } - if ( strcmp(spnego.negTokenInit.mechTypes[0], OID_NTLMSSP) != 0 ) { - DEBUG(1, ("Client did not choose NTLMSSP but %s\n", - spnego.negTokenInit.mechTypes[0])); - x_fprintf(x_stdout, "BH\n"); - return; - } + if (strcmp(request.negTokenInit.mechTypes[0], OID_NTLMSSP) == 0) { - if ( spnego.negTokenInit.mechToken.data == NULL ) { - DEBUG(1, ("Client did not provide NTLMSSP data\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } + if ( request.negTokenInit.mechToken.data == NULL ) { + DEBUG(1, ("Client did not provide NTLMSSP data\n")); + x_fprintf(x_stdout, "BH\n"); + return; + } - if ( ntlmssp_state != NULL ) { - DEBUG(1, ("Client wants a new NTLMSSP challenge, but " - "already got one\n")); - x_fprintf(x_stdout, "BH\n"); - ntlmssp_server_end(&ntlmssp_state); - return; + if ( ntlmssp_state != NULL ) { + DEBUG(1, ("Client wants a new NTLMSSP challenge, but " + "already got one\n")); + x_fprintf(x_stdout, "BH\n"); + ntlmssp_server_end(&ntlmssp_state); + return; + } + + ntlmssp_server_start(&ntlmssp_state); + ntlmssp_state->check_password = winbind_pw_check; + ntlmssp_state->get_domain = get_winbind_domain; + ntlmssp_state->get_global_myname = get_winbind_netbios_name; + + DEBUG(10, ("got NTLMSSP packet:\n")); + dump_data(10, (const char *)request.negTokenInit.mechToken.data, + request.negTokenInit.mechToken.length); + + response.type = SPNEGO_NEG_TOKEN_TARG; + response.negTokenTarg.supportedMech = strdup(OID_NTLMSSP); + response.negTokenTarg.mechListMIC = data_blob(NULL, 0); + + status = ntlmssp_server_update(ntlmssp_state, + request.negTokenInit.mechToken, + &response.negTokenTarg.responseToken); } - ntlmssp_server_start(&ntlmssp_state); - ntlmssp_state->check_password = winbind_pw_check; - ntlmssp_state->get_domain = get_winbind_domain; - ntlmssp_state->get_global_myname = get_winbind_netbios_name; +#ifdef HAVE_KRB5 + if (strcmp(request.negTokenInit.mechTypes[0], OID_KERBEROS5_OLD) == 0) { - DEBUG(10, ("got NTLMSSP packet:\n")); - dump_data(10, spnego.negTokenInit.mechToken.data, - spnego.negTokenInit.mechToken.length); + char *principal; + DATA_BLOB auth_data; + DATA_BLOB ap_rep; + uint8 session_key[16]; - free_spnego_data(&spnego); + if ( request.negTokenInit.mechToken.data == NULL ) { + DEBUG(1, ("Client did not provide Kerberos data\n")); + x_fprintf(x_stdout, "BH\n"); + return; + } - spnego.type = SPNEGO_NEG_TOKEN_TARG; - spnego.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE; - spnego.negTokenTarg.supportedMech = strdup(OID_NTLMSSP); + response.type = SPNEGO_NEG_TOKEN_TARG; + response.negTokenTarg.supportedMech = strdup(OID_KERBEROS5_OLD); + response.negTokenTarg.mechListMIC = data_blob(NULL, 0); + response.negTokenTarg.responseToken = data_blob(NULL, 0); - status = ntlmssp_server_update(ntlmssp_state, - spnego.negTokenInit.mechToken, - &spnego.negTokenTarg.responseToken); + status = ads_verify_ticket(lp_realm(), + &request.negTokenInit.mechToken, + &principal, &auth_data, &ap_rep, + session_key); - } else { + /* Now in "principal" we have the name we are + authenticated as. */ + + if (NT_STATUS_IS_OK(status)) { + + domain = strchr(principal, '@'); - /* spnego.type == SPNEGO_NEG_TOKEN_TARG */ + if (domain == NULL) { + DEBUG(1, ("Did not get a valid principal " + "from ads_verify_ticket\n")); + x_fprintf(x_stdout, "BH\n"); + return; + } - DATA_BLOB response; + *domain++ = '\0'; + domain = strdup(domain); + user = strdup(principal); - if (spnego.negTokenTarg.responseToken.data == NULL) { - DEBUG(1, ("Got a negTokenArg without a responseToken!\n")); + data_blob_free(&ap_rep); + data_blob_free(&auth_data); + + SAFE_FREE(principal); + } + } +#endif + + } else { + + if ( (request.negTokenTarg.supportedMech == NULL) || + ( strcmp(request.negTokenTarg.supportedMech, OID_NTLMSSP) != 0 ) ) { + /* Kerberos should never send a negTokenTarg, OID_NTLMSSP + is the only one we support that sends this stuff */ + DEBUG(1, ("Got a negTokenTarg for something non-NTLMSSP: %s\n", + request.negTokenTarg.supportedMech)); x_fprintf(x_stdout, "BH\n"); return; } - status = ntlmssp_server_update(ntlmssp_state, - spnego.negTokenTarg.responseToken, - &response); + if (request.negTokenTarg.responseToken.data == NULL) { + DEBUG(1, ("Got a negTokenTarg without a responseToken!\n")); + x_fprintf(x_stdout, "BH\n"); + return; + } - data_blob_free(&spnego.negTokenTarg.responseToken); + status = ntlmssp_server_update(ntlmssp_state, + request.negTokenTarg.responseToken, + &response.negTokenTarg.responseToken); - spnego.negTokenTarg.responseToken = response; + response.type = SPNEGO_NEG_TOKEN_TARG; + response.negTokenTarg.supportedMech = strdup(OID_NTLMSSP); + response.negTokenTarg.mechListMIC = data_blob(NULL, 0); + if (NT_STATUS_IS_OK(status)) { + user = strdup(ntlmssp_state->user); + domain = strdup(ntlmssp_state->domain); + ntlmssp_server_end(&ntlmssp_state); + } } + free_spnego_data(&request); + if (NT_STATUS_IS_OK(status)) { - spnego.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED; + response.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED; reply_code = "AF"; - pstr_sprintf(reply_argument, "%s\\%s", - ntlmssp_state->domain, ntlmssp_state->user); + pstr_sprintf(reply_argument, "%s\\%s", domain, user); } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - spnego.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE; + response.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE; reply_code = "TT"; pstr_sprintf(reply_argument, "*"); } else { - spnego.negTokenTarg.negResult = SPNEGO_REJECT; + response.negTokenTarg.negResult = SPNEGO_REJECT; reply_code = "NA"; pstrcpy(reply_argument, nt_errstr(status)); } - len = write_spnego_data(&token, &spnego); - free_spnego_data(&spnego); + SAFE_FREE(user); + SAFE_FREE(domain); + + len = write_spnego_data(&token, &response); + free_spnego_data(&response); if (len == -1) { DEBUG(1, ("Could not write SPNEGO data blob\n")); @@ -551,16 +635,12 @@ static void manage_gss_spnego_request(enum squid_mode squid_mode, SAFE_FREE(reply_base64); data_blob_free(&token); - if (NT_STATUS_IS_OK(status)) { - ntlmssp_server_end(&ntlmssp_state); - } - return; } static NTLMSSP_CLIENT_STATE *client_ntlmssp_state = NULL; -static void manage_client_ntlmssp_init(SPNEGO_DATA spnego) +static BOOL manage_client_ntlmssp_init(SPNEGO_DATA spnego) { NTSTATUS status; DATA_BLOB null_blob = data_blob(NULL, 0); @@ -573,14 +653,12 @@ static void manage_client_ntlmssp_init(SPNEGO_DATA spnego) if (client_ntlmssp_state != NULL) { DEBUG(1, ("Request for initial SPNEGO request where " "we already have a state\n")); - x_fprintf(x_stdout, "BH\n"); - return; + return False; } if ( (opt_username == NULL) || (opt_domain == NULL) ) { DEBUG(1, ("Need username and domain for NTLMSSP\n")); - x_fprintf(x_stdout, "BH\n"); - return; + return False; } if (opt_password == NULL) { @@ -591,7 +669,7 @@ static void manage_client_ntlmssp_init(SPNEGO_DATA spnego) DEBUG(10, ("Requesting password\n")); x_fprintf(x_stdout, "PW\n"); - return; + return True; } status = ntlmssp_client_start(&client_ntlmssp_state); @@ -599,9 +677,8 @@ static void manage_client_ntlmssp_init(SPNEGO_DATA spnego) if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Could not start NTLMSSP client: %s\n", nt_errstr(status))); - x_fprintf(x_stdout, "BH\n"); ntlmssp_client_end(&client_ntlmssp_state); - return; + return False; } status = ntlmssp_set_username(client_ntlmssp_state, opt_username); @@ -609,9 +686,8 @@ static void manage_client_ntlmssp_init(SPNEGO_DATA spnego) if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Could not set username: %s\n", nt_errstr(status))); - x_fprintf(x_stdout, "BH\n"); ntlmssp_client_end(&client_ntlmssp_state); - return; + return False; } status = ntlmssp_set_domain(client_ntlmssp_state, opt_domain); @@ -619,9 +695,8 @@ static void manage_client_ntlmssp_init(SPNEGO_DATA spnego) if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Could not set domain: %s\n", nt_errstr(status))); - x_fprintf(x_stdout, "BH\n"); ntlmssp_client_end(&client_ntlmssp_state); - return; + return False; } status = ntlmssp_set_password(client_ntlmssp_state, opt_password); @@ -629,9 +704,8 @@ static void manage_client_ntlmssp_init(SPNEGO_DATA spnego) if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Could not set password: %s\n", nt_errstr(status))); - x_fprintf(x_stdout, "BH\n"); ntlmssp_client_end(&client_ntlmssp_state); - return; + return False; } spnego.type = SPNEGO_NEG_TOKEN_INIT; @@ -645,9 +719,8 @@ static void manage_client_ntlmssp_init(SPNEGO_DATA spnego) if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { DEBUG(1, ("Expected MORE_PROCESSING_REQUIRED, got: %s\n", nt_errstr(status))); - x_fprintf(x_stdout, "BH\n"); ntlmssp_client_end(&client_ntlmssp_state); - return; + return False; } write_spnego_data(&to_server, &spnego); @@ -657,7 +730,7 @@ static void manage_client_ntlmssp_init(SPNEGO_DATA spnego) data_blob_free(&to_server); x_fprintf(x_stdout, "KK %s\n", to_server_base64); SAFE_FREE(to_server_base64); - return; + return True; } static void manage_client_ntlmssp_targ(SPNEGO_DATA spnego) @@ -719,21 +792,110 @@ static void manage_client_ntlmssp_targ(SPNEGO_DATA spnego) return; } -static void manage_client_krb5_init(SPNEGO_DATA spnego) +#ifdef HAVE_KRB5 + +static BOOL manage_client_krb5_init(SPNEGO_DATA spnego) { - DEBUG(1, ("to be done ... \n")); - x_fprintf(x_stdout, "BH\n"); - return; + char *principal; + DATA_BLOB tkt, to_server; + unsigned char session_key_krb5[16]; + SPNEGO_DATA reply; + char *reply_base64; + + const char *my_mechs[] = {OID_KERBEROS5_OLD, NULL}; + ssize_t len; + + if ( (spnego.negTokenInit.mechListMIC.data == NULL) || + (spnego.negTokenInit.mechListMIC.length == 0) ) { + DEBUG(1, ("Did not get a principal for krb5\n")); + return False; + } + + principal = malloc(spnego.negTokenInit.mechListMIC.length+1); + + if (principal == NULL) { + DEBUG(1, ("Could not malloc principal\n")); + return False; + } + + memcpy(principal, spnego.negTokenInit.mechListMIC.data, + spnego.negTokenInit.mechListMIC.length); + principal[spnego.negTokenInit.mechListMIC.length] = '\0'; + + tkt = cli_krb5_get_ticket(principal, 0, session_key_krb5); + + if (tkt.data == NULL) { + + pstring user; + + /* Let's try to first get the TGT, for that we need a + password. */ + + if (opt_password == NULL) { + DEBUG(10, ("Requesting password\n")); + x_fprintf(x_stdout, "PW\n"); + return True; + } + + pstr_sprintf(user, "%s@%s", opt_username, opt_domain); + + if (kerberos_kinit_password(user, opt_password, 0) != 0) { + DEBUG(10, ("Requesting TGT failed\n")); + x_fprintf(x_stdout, "NA\n"); + return True; + } + + tkt = cli_krb5_get_ticket(principal, 0, session_key_krb5); + } + + ZERO_STRUCT(reply); + + reply.type = SPNEGO_NEG_TOKEN_INIT; + reply.negTokenInit.mechTypes = my_mechs; + reply.negTokenInit.reqFlags = 0; + reply.negTokenInit.mechToken = tkt; + reply.negTokenInit.mechListMIC = data_blob(NULL, 0); + + len = write_spnego_data(&to_server, &reply); + data_blob_free(&tkt); + + if (len == -1) { + DEBUG(1, ("Could not write SPNEGO data blob\n")); + return False; + } + + reply_base64 = base64_encode_data_blob(to_server); + x_fprintf(x_stdout, "KK %s *\n", reply_base64); + + SAFE_FREE(reply_base64); + data_blob_free(&to_server); + DEBUG(10, ("sent GSS-SPNEGO KERBEROS5 negTokenInit\n")); + return True; } static void manage_client_krb5_targ(SPNEGO_DATA spnego) { - DEBUG(1, ("Got a negTokenTarg with a Kerberos token. This should not " - "happen!\n")); - x_fprintf(x_stdout, "BH\n"); - return; + switch (spnego.negTokenTarg.negResult) { + case SPNEGO_ACCEPT_INCOMPLETE: + DEBUG(1, ("Got a Kerberos negTokenTarg with ACCEPT_INCOMPLETE\n")); + x_fprintf(x_stdout, "BH\n"); + break; + case SPNEGO_ACCEPT_COMPLETED: + DEBUG(10, ("Accept completed\n")); + x_fprintf(x_stdout, "AF\n"); + break; + case SPNEGO_REJECT: + DEBUG(10, ("Rejected\n")); + x_fprintf(x_stdout, "NA\n"); + break; + default: + DEBUG(1, ("Got an invalid negTokenTarg\n")); + x_fprintf(x_stdout, "AF\n"); + } } +#endif + static void manage_gss_spnego_client_request(enum squid_mode squid_mode, char *buf, int length) { @@ -753,7 +915,7 @@ static void manage_gss_spnego_client_request(enum squid_mode squid_mode, /* We asked for a password and obviously got it :-) */ - opt_password = strndup(request.data, request.length); + opt_password = strndup((const char *)request.data, request.length); if (opt_password == NULL) { DEBUG(1, ("Out of memory\n")); @@ -796,14 +958,17 @@ static void manage_gss_spnego_client_request(enum squid_mode squid_mode, while (*mechType != NULL) { - if (strcmp(*mechType, OID_NTLMSSP) == 0) { - manage_client_ntlmssp_init(spnego); - goto out; +#ifdef HAVE_KRB5 + if ( (strcmp(*mechType, OID_KERBEROS5_OLD) == 0) || + (strcmp(*mechType, OID_KERBEROS5) == 0) ) { + if (manage_client_krb5_init(spnego)) + goto out; } +#endif - if (strcmp(*mechType, OID_KERBEROS5_OLD) == 0) { - manage_client_krb5_init(spnego); - goto out; + if (strcmp(*mechType, OID_NTLMSSP) == 0) { + if (manage_client_ntlmssp_init(spnego)) + goto out; } mechType++; @@ -816,17 +981,42 @@ static void manage_gss_spnego_client_request(enum squid_mode squid_mode, if (spnego.type == SPNEGO_NEG_TOKEN_TARG) { + if (spnego.negTokenTarg.supportedMech == NULL) { + /* On accept/reject Windows does not send the + mechanism anymore. Handle that here and + shut down the mechanisms. */ + + switch (spnego.negTokenTarg.negResult) { + case SPNEGO_ACCEPT_COMPLETED: + x_fprintf(x_stdout, "AF\n"); + break; + case SPNEGO_REJECT: + x_fprintf(x_stdout, "NA\n"); + break; + default: + DEBUG(1, ("Got a negTokenTarg with no mech and an " + "unknown negResult: %d\n", + spnego.negTokenTarg.negResult)); + x_fprintf(x_stdout, "BH\n"); + } + + ntlmssp_client_end(&client_ntlmssp_state); + goto out; + } + if (strcmp(spnego.negTokenTarg.supportedMech, OID_NTLMSSP) == 0) { manage_client_ntlmssp_targ(spnego); goto out; } +#if HAVE_KRB5 if (strcmp(spnego.negTokenTarg.supportedMech, OID_KERBEROS5_OLD) == 0) { manage_client_krb5_targ(spnego); goto out; } +#endif } @@ -925,8 +1115,8 @@ static BOOL check_auth_crap(void) &opt_lm_response, &opt_nt_response, flags, - lm_key, - nt_key, + (unsigned char *)lm_key, + (unsigned char *)nt_key, &error_string); if (!NT_STATUS_IS_OK(nt_status)) { @@ -940,7 +1130,7 @@ static BOOL check_auth_crap(void) if (request_lm_key && (memcmp(zeros, lm_key, sizeof(lm_key)) != 0)) { - hex_encode(lm_key, + hex_encode((const unsigned char *)lm_key, sizeof(lm_key), &hex_lm_key); x_fprintf(x_stdout, "LM_KEY: %s\n", hex_lm_key); @@ -949,7 +1139,7 @@ static BOOL check_auth_crap(void) if (request_nt_key && (memcmp(zeros, nt_key, sizeof(nt_key)) != 0)) { - hex_encode(nt_key, + hex_encode((const unsigned char *)nt_key, sizeof(nt_key), &hex_nt_key); x_fprintf(x_stdout, "NT_KEY: %s\n", hex_nt_key); @@ -1023,16 +1213,16 @@ static BOOL test_lm(void) sizeof(lm_key)) != 0) { DEBUG(1, ("LM Key does not match expectations!\n")); DEBUG(1, ("lm_key:\n")); - dump_data(1, lm_key, 8); + dump_data(1, (const char *)lm_key, 8); DEBUG(1, ("expected:\n")); - dump_data(1, lm_hash, 8); + dump_data(1, (const char *)lm_hash, 8); } if (memcmp(lm_hash, nt_key, 8) != 0) { DEBUG(1, ("Session Key (first 8, lm hash) does not match expectations!\n")); DEBUG(1, ("nt_key:\n")); - dump_data(1, nt_key, 8); + dump_data(1, (const char *)nt_key, 8); DEBUG(1, ("expected:\n")); - dump_data(1, lm_hash, 8); + dump_data(1, (const char *)lm_hash, 8); } return True; } @@ -1095,18 +1285,18 @@ static BOOL test_lm_ntlm(void) sizeof(lm_key)) != 0) { DEBUG(1, ("LM Key does not match expectations!\n")); DEBUG(1, ("lm_key:\n")); - dump_data(1, lm_key, 8); + dump_data(1, (const char *)lm_key, 8); DEBUG(1, ("expected:\n")); - dump_data(1, lm_hash, 8); + dump_data(1, (const char *)lm_hash, 8); pass = False; } if (memcmp(session_key.data, nt_key, sizeof(nt_key)) != 0) { DEBUG(1, ("NT Session Key does not match expectations!\n")); DEBUG(1, ("nt_key:\n")); - dump_data(1, nt_key, 16); + dump_data(1, (const char *)nt_key, 16); DEBUG(1, ("expected:\n")); - dump_data(1, session_key.data, session_key.length); + dump_data(1, (const char *)session_key.data, session_key.length); pass = False; } return pass; @@ -1138,10 +1328,10 @@ static BOOL test_ntlm(void) flags |= WBFLAG_PAM_NTKEY; SMBNTencrypt(opt_password,chall.data,nt_response.data); - E_md4hash(opt_password, nt_hash); - SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); + E_md4hash(opt_password, (unsigned char *)nt_hash); + SMBsesskeygen_ntv1((const unsigned char *)nt_hash, NULL, session_key.data); - E_deshash(opt_password, lm_hash); + E_deshash(opt_password, (unsigned char *)lm_hash); nt_status = contact_winbind_auth_crap(opt_username, opt_domain, opt_workstation, @@ -1149,8 +1339,8 @@ static BOOL test_ntlm(void) NULL, &nt_response, flags, - lm_key, - nt_key, + (unsigned char *)lm_key, + (unsigned char *)nt_key, &error_string); data_blob_free(&nt_response); @@ -1178,7 +1368,7 @@ static BOOL test_ntlm(void) DEBUG(1, ("nt_key:\n")); dump_data(1, nt_key, 16); DEBUG(1, ("expected:\n")); - dump_data(1, session_key.data, session_key.length); + dump_data(1, (const char *)session_key.data, session_key.length); pass = False; } return pass; @@ -1234,17 +1424,17 @@ static BOOL test_ntlm_in_lm(void) sizeof(lm_key)) != 0) { DEBUG(1, ("LM Key does not match expectations!\n")); DEBUG(1, ("lm_key:\n")); - dump_data(1, lm_key, 8); + dump_data(1, (const char *)lm_key, 8); DEBUG(1, ("expected:\n")); - dump_data(1, lm_hash, 8); + dump_data(1, (const char *)lm_hash, 8); pass = False; } if (memcmp(lm_hash, nt_key, 8) != 0) { DEBUG(1, ("Session Key (first 8 lm hash) does not match expectations!\n")); DEBUG(1, ("nt_key:\n")); - dump_data(1, nt_key, 16); + dump_data(1, (const char *)nt_key, 16); DEBUG(1, ("expected:\n")); - dump_data(1, lm_hash, 8); + dump_data(1, (const char *)lm_hash, 8); pass = False; } return pass; @@ -1276,10 +1466,10 @@ static BOOL test_ntlm_in_both(void) flags |= WBFLAG_PAM_NTKEY; SMBNTencrypt(opt_password,chall.data,nt_response.data); - E_md4hash(opt_password, nt_hash); - SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); + E_md4hash(opt_password, (unsigned char *)nt_hash); + SMBsesskeygen_ntv1((const unsigned char *)nt_hash, NULL, session_key.data); - E_deshash(opt_password, lm_hash); + E_deshash(opt_password, (unsigned char *)lm_hash); nt_status = contact_winbind_auth_crap(opt_username, opt_domain, opt_workstation, @@ -1287,8 +1477,8 @@ static BOOL test_ntlm_in_both(void) &nt_response, &nt_response, flags, - lm_key, - nt_key, + (unsigned char *)lm_key, + (unsigned char *)nt_key, &error_string); data_blob_free(&nt_response); @@ -1316,7 +1506,7 @@ static BOOL test_ntlm_in_both(void) DEBUG(1, ("nt_key:\n")); dump_data(1, nt_key, 16); DEBUG(1, ("expected:\n")); - dump_data(1, session_key.data, session_key.length); + dump_data(1, (const char *)session_key.data, session_key.length); pass = False; } @@ -1378,9 +1568,9 @@ static BOOL test_ntlmv2(void) sizeof(nt_key)) != 0) { DEBUG(1, ("NT Session Key does not match expectations!\n")); DEBUG(1, ("nt_key:\n")); - dump_data(1, nt_key, 16); + dump_data(1, (const char *)nt_key, 16); DEBUG(1, ("expected:\n")); - dump_data(1, nt_session_key.data, nt_session_key.length); + dump_data(1, (const char *)nt_session_key.data, nt_session_key.length); pass = False; } return pass; @@ -1442,9 +1632,9 @@ static BOOL test_lmv2_ntlmv2(void) sizeof(nt_key)) != 0) { DEBUG(1, ("NT Session Key does not match expectations!\n")); DEBUG(1, ("nt_key:\n")); - dump_data(1, nt_key, 16); + dump_data(1, (const char *)nt_key, 16); DEBUG(1, ("expected:\n")); - dump_data(1, nt_session_key.data, nt_session_key.length); + dump_data(1, (const char *)nt_session_key.data, nt_session_key.length); pass = False; } return pass; @@ -1557,18 +1747,18 @@ static BOOL test_ntlm_broken(BOOL break_lm) sizeof(lm_key)) != 0) { DEBUG(1, ("LM Key does not match expectations!\n")); DEBUG(1, ("lm_key:\n")); - dump_data(1, lm_key, 8); + dump_data(1, (const char *)lm_key, 8); DEBUG(1, ("expected:\n")); - dump_data(1, lm_hash, 8); + dump_data(1, (const char *)lm_hash, 8); pass = False; } if (memcmp(session_key.data, nt_key, sizeof(nt_key)) != 0) { DEBUG(1, ("NT Session Key does not match expectations!\n")); DEBUG(1, ("nt_key:\n")); - dump_data(1, nt_key, 16); + dump_data(1, (const char *)nt_key, 16); DEBUG(1, ("expected:\n")); - dump_data(1, session_key.data, session_key.length); + dump_data(1, (const char *)session_key.data, session_key.length); pass = False; } return pass; diff --git a/source3/utils/profiles.c b/source3/utils/profiles.c index 23df26d150..3230eb21fc 100644 --- a/source3/utils/profiles.c +++ b/source3/utils/profiles.c @@ -448,7 +448,7 @@ static int get_sid(DOM_SID *sid, const unsigned char *sid_str) SIVAL(&sid->sub_auths[i], 0, auth); i++; - lstr = strchr(lstr + 1, '-'); + lstr = (const unsigned char *)strchr(lstr + 1, '-'); } return 1; diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c index c90c042106..58ee57b5dd 100644 --- a/source3/utils/smbcacls.c +++ b/source3/utils/smbcacls.c @@ -751,7 +751,7 @@ static struct cli_state *connect_one(const char *share) POPT_AUTOHELP { "delete", 'D', POPT_ARG_STRING, NULL, 'D', "Delete an acl", "ACL" }, { "modify", 'M', POPT_ARG_STRING, NULL, 'M', "Modify an acl", "ACL" }, - { "add", 'A', POPT_ARG_STRING, NULL, 'A', "Add an acl", "ACL" }, + { "add", 'a', POPT_ARG_STRING, NULL, 'a', "Add an acl", "ACL" }, { "set", 'S', POPT_ARG_STRING, NULL, 'S', "Set acls", "ACLS" }, { "chown", 'C', POPT_ARG_STRING, NULL, 'C', "Change ownership of a file", "USERNAME" }, { "chgrp", 'G', POPT_ARG_STRING, NULL, 'G', "Change group ownership of a file", "GROUPNAME" }, @@ -796,7 +796,7 @@ static struct cli_state *connect_one(const char *share) mode = SMB_ACL_MODIFY; break; - case 'A': + case 'a': the_acl = smb_xstrdup(poptGetOptArg(pc)); mode = SMB_ACL_ADD; break; diff --git a/source3/utils/smbgroupedit.c b/source3/utils/smbgroupedit.c deleted file mode 100644 index 0faa0513ed..0000000000 --- a/source3/utils/smbgroupedit.c +++ /dev/null @@ -1,405 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * RPC Pipe client / server routines - * Copyright (C) Andrew Tridgell 1992-2000, - * Copyright (C) Jean Fran�ois Micouleau 1998-2001. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "includes.h" - -/* - * Next two lines needed for SunOS and don't - * hurt anything else... - */ -extern char *optarg; -extern int optind; - -/********************************************************* - Print command usage on stderr and die. -**********************************************************/ -static void usage(void) -{ - if (getuid() == 0) { - printf("smbgroupedit options\n"); - } else { - printf("You need to be root to use this tool!\n"); - } - printf("options:\n"); - printf(" -a group create new group\n"); - printf(" -n group NT group name\n"); - printf(" -p privilege only local\n"); - printf(" -d description group description\n"); - printf(" -v list groups\n"); - printf(" -l long list (include details)\n"); - printf(" -s short list (default)\n"); - printf(" -c SID change group\n"); - printf(" -u unix group\n"); - printf(" -d description group description\n"); - printf(" -r rid RID of new group\n"); - printf(" -x group delete this group\n"); - printf("\n"); - printf(" -t[b|d|l] type: builtin, domain, local \n"); - exit(1); -} - -/********************************************************* - Figure out if the input was an NT group or a SID string. - Return the SID. -**********************************************************/ -static BOOL get_sid_from_input(DOM_SID *sid, char *input) -{ - GROUP_MAP map; - - if (StrnCaseCmp( input, "S-", 2)) { - /* Perhaps its the NT group name? */ - if (!pdb_getgrnam(&map, input, MAPPING_WITHOUT_PRIV)) { - printf("NT Group %s doesn't exist in mapping DB\n", input); - return False; - } else { - *sid = map.sid; - } - } else { - if (!string_to_sid(sid, input)) { - printf("converting sid %s from a string failed!\n", input); - return False; - } - } - return True; -} - -/********************************************************* - add a group. -**********************************************************/ -static int addgroup(gid_t gid, enum SID_NAME_USE sid_type, char *ntgroup, char *ntcomment, char *privilege, uint32 rid) -{ - PRIVILEGE_SET se_priv; - DOM_SID sid; - fstring string_sid; - fstring comment; - - sid_copy(&sid, get_global_sam_sid()); - sid_append_rid(&sid, rid); - - sid_to_string(string_sid, &sid); - - if (ntcomment==NULL) - fstrcpy(comment, "Local Unix group"); - else - fstrcpy(comment, ntcomment); - - init_privilege(&se_priv); - if (privilege!=NULL) - convert_priv_from_text(&se_priv, privilege); - - if(!add_initial_entry(gid, string_sid, sid_type, ntgroup, - comment, se_priv, PR_ACCESS_FROM_NETWORK)) { - printf("adding entry for group %s failed!\n", ntgroup); - free_privilege(&se_priv); - return -1; - } - - free_privilege(&se_priv); - return 0; -} - -/********************************************************* - Change a group. -**********************************************************/ -static int changegroup(char *sid_string, char *group, enum SID_NAME_USE sid_type, char *ntgroup, char *groupdesc, char *privilege) -{ - DOM_SID sid; - GROUP_MAP map; - gid_t gid; - - if (!get_sid_from_input(&sid, sid_string)) { - return -1; - } - - /* Get the current mapping from the database */ - if(!pdb_getgrsid(&map, sid, MAPPING_WITH_PRIV)) { - printf("This SID does not exist in the database\n"); - return -1; - } - - /* If a new Unix group is specified, check and change */ - if (group!=NULL) { - gid=nametogid(group); - if (gid==-1) { - printf("The UNIX group does not exist\n"); - return -1; - } else - map.gid=gid; - } - - /* - * Allow changing of group type only between domain and local - * We disallow changing Builtin groups !!! (SID problem) - */ - if (sid_type==SID_NAME_ALIAS - || sid_type==SID_NAME_DOM_GRP - || sid_type==SID_NAME_UNKNOWN) { - if (map.sid_name_use==SID_NAME_ALIAS - || map.sid_name_use==SID_NAME_DOM_GRP - || map.sid_name_use==SID_NAME_UNKNOWN) { - map.sid_name_use=sid_type; - } else { - printf("cannot change group type to builtin\n"); - }; - } else { - printf("cannot change group type from builtin\n"); - } - - if (ntgroup!=NULL) - fstrcpy(map.nt_name, ntgroup); - - /* Change comment if new one */ - if (groupdesc!=NULL) - fstrcpy(map.comment, groupdesc); - - /* Change the privilege if new one */ - if (privilege!=NULL) - convert_priv_from_text(&map.priv_set, privilege); - - if (!pdb_update_group_mapping_entry(&map)) { - printf("Could not update group database\n"); - free_privilege(&map.priv_set); - return -1; - } - - free_privilege(&map.priv_set); - return 0; -} - -/********************************************************* - Delete the group. -**********************************************************/ -static int deletegroup(char *group) -{ - DOM_SID sid; - - if (!get_sid_from_input(&sid, group)) { - return -1; - } - - if(!pdb_delete_group_mapping_entry(sid)) { - printf("removing group %s from the mapping db failed!\n", group); - return -1; - } - - return 0; -} - -/********************************************************* - List the groups. -**********************************************************/ -static int listgroup(enum SID_NAME_USE sid_type, BOOL long_list) -{ - int entries,i; - GROUP_MAP *map=NULL; - fstring string_sid; - fstring group_type; - fstring priv_text; - - if (!long_list) - printf("NT group (SID) -> Unix group\n"); - - if (!pdb_enum_group_mapping(sid_type, &map, &entries, ENUM_ALL_MAPPED, MAPPING_WITH_PRIV)) - return -1; - - for (i=0; i<entries; i++) { - decode_sid_name_use(group_type, (map[i]).sid_name_use); - sid_to_string(string_sid, &map[i].sid); - convert_priv_to_text(&(map[i].priv_set), priv_text); - free_privilege(&(map[i].priv_set)); - - if (!long_list) - printf("%s (%s) -> %s\n", map[i].nt_name, string_sid, gidtoname(map[i].gid)); - else { - printf("%s\n", map[i].nt_name); - printf("\tSID : %s\n", string_sid); - printf("\tUnix group: %s\n", gidtoname(map[i].gid)); - printf("\tGroup type: %s\n", group_type); - printf("\tComment : %s\n", map[i].comment); - printf("\tPrivilege : %s\n\n", priv_text); - } - } - - return 0; -} - -/********************************************************* - Start here. -**********************************************************/ -int main (int argc, char **argv) -{ - int ch; - BOOL add_group = False; - BOOL view_group = False; - BOOL change_group = False; - BOOL delete_group = False; - BOOL nt_group = False; - BOOL priv = False; - BOOL group_type = False; - BOOL long_list = False; - - char *group = NULL; - char *sid = NULL; - char *ntgroup = NULL; - char *privilege = NULL; - char *groupt = NULL; - char *group_desc = NULL; - - enum SID_NAME_USE sid_type; - uint32 rid = -1; - - setup_logging("groupedit", True); - - if (argc < 2) { - usage(); - return 0; - } - - if (!lp_load(dyn_CONFIGFILE,True,False,False)) { - fprintf(stderr, "Can't load %s - run testparm to debug it\n", - dyn_CONFIGFILE); - exit(1); - } - - if (!init_names()) - exit(1); - - if(!initialize_password_db(True)) { - fprintf(stderr, "Can't setup password database vectors.\n"); - exit(1); - } - - if(get_global_sam_sid()==False) { - fprintf(stderr, "Can not read machine SID\n"); - return 0; - } - - while ((ch = getopt(argc, argv, "a:c:d:ln:p:r:st:u:vx:")) != EOF) { - switch(ch) { - case 'a': - add_group = True; - group=optarg; - break; - case 'c': - change_group = True; - sid=optarg; - break; - case 'd': - group_desc=optarg; - break; - case 'l': - long_list = True; - break; - case 'n': - nt_group = True; - ntgroup=optarg; - break; - case 'p': - priv = True; - privilege=optarg; - break; - case 'r': - rid = atoi(optarg); - break; - case 's': - long_list = False; - break; - case 't': - group_type = True; - groupt=optarg; - break; - case 'u': - group=optarg; - break; - case 'v': - view_group = True; - break; - case 'x': - delete_group = True; - group=optarg; - break; - /*default: - usage();*/ - } - } - - - if (((add_group?1:0) + (view_group?1:0) + (change_group?1:0) + (delete_group?1:0)) > 1) { - fprintf (stderr, "Incompatible options on command line!\n"); - usage(); - exit(1); - } - - /* no option on command line -> list groups */ - if (((add_group?1:0) + (view_group?1:0) + (change_group?1:0) + (delete_group?1:0)) == 0) - view_group = True; - - - if (group_type==False) - sid_type=SID_NAME_UNKNOWN; - else { - switch (groupt[0]) { - case 'l': - case 'L': - sid_type=SID_NAME_ALIAS; - break; - case 'd': - case 'D': - sid_type=SID_NAME_DOM_GRP; - break; - case 'b': - case 'B': - sid_type=SID_NAME_WKN_GRP; - break; - default: - sid_type=SID_NAME_UNKNOWN; - break; - } - } - - if (add_group) { - gid_t gid=nametogid(group); - if (gid==-1) { - printf("unix group %s doesn't exist!\n", group); - return -1; - } - - if (rid == -1) { - rid = pdb_gid_to_group_rid(gid); - } - return addgroup(gid, sid_type, ntgroup?ntgroup:group, - group_desc, privilege, rid); - } - - if (view_group) - return listgroup(sid_type, long_list); - - if (delete_group) - return deletegroup(group); - - if (change_group) { - return changegroup(sid, group, sid_type, ntgroup, group_desc, privilege); - } - - usage(); - - return 0; -} diff --git a/source3/utils/status.c b/source3/utils/status.c index 8bf67fc4d6..c17e080b6b 100644 --- a/source3/utils/status.c +++ b/source3/utils/status.c @@ -597,7 +597,7 @@ static int traverse_sessionid(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, vo } else { if (locks_only) goto locks; - d_printf("\nSamba version %s\n",VERSION); + d_printf("\nSamba version %s\n",SAMBA_VERSION_STRING); d_printf("PID Username Group Machine \n"); d_printf("-------------------------------------------------------------------\n"); diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c index 16918ecd4a..0a87b4bc1e 100644 --- a/source3/utils/testparm.c +++ b/source3/utils/testparm.c @@ -287,6 +287,27 @@ via the %%o substitution. With encrypted passwords this is not possible.\n", lp_ Level II oplocks can only be set if oplocks are also set.\n", lp_servicename(s) ); } + + if (lp_map_hidden(s) && !(lp_create_mask(s) & S_IXOTH)) { + printf("Invalid combination of parameters for service %s. \ + Map hidden can only work if create mask includes octal 01 (S_IXOTH).\n", + lp_servicename(s) ); + } + if (lp_map_hidden(s) && (lp_force_create_mode(s) & S_IXOTH)) { + printf("Invalid combination of parameters for service %s. \ + Map hidden can only work if force create mode excludes octal 01 (S_IXOTH).\n", + lp_servicename(s) ); + } + if (lp_map_system(s) && !(lp_create_mask(s) & S_IXGRP)) { + printf("Invalid combination of parameters for service %s. \ + Map system can only work if create mask includes octal 010 (S_IXGRP).\n", + lp_servicename(s) ); + } + if (lp_map_system(s) && (lp_force_create_mode(s) & S_IXGRP)) { + printf("Invalid combination of parameters for service %s. \ + Map system can only work if force create mode excludes octal 010 (S_IXGRP).\n", + lp_servicename(s) ); + } } } |