(merge from 3.0)

Make more functions static, and remove duplication in the use of functions
in lib/smbpasswd.c that were exact duplicates of functions in passdb/passdb.c

(These should perhaps be pulled back out to smbpasswd.c, but that can occour
later).

This also includes some >14 character password changes, and the start
of a move away from using 'admin user' to determine if the user is
root (as root can login without setting 'admin user').

Andrew Bartlett
(This used to be commit be0704abb919152c359a735023283acbf9be3076)

11 files changed, 30 insertions, 218 deletions

diff --git a/source3/Makefile.in b/source3/Makefile.in
index 1c8341a139..7fa0c14bd0 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -180,7 +180,7 @@ LIB_OBJ = lib/version.o lib/charcnv.o lib/debug.o lib/fault.o \
 	  lib/talloc.o lib/hash.o lib/substitute.o lib/fsusage.o \
 	  lib/ms_fnmatch.o lib/select.o lib/messages.o \
 	  lib/tallocmsg.o lib/dmallocmsg.o libsmb/smb_signing.o \
-	  lib/md5.o lib/hmacmd5.o lib/iconv.o lib/smbpasswd.o \
+	  lib/md5.o lib/hmacmd5.o lib/iconv.o \
 	  nsswitch/wb_client.o nsswitch/wb_common.o \
 	  lib/pam_errors.o intl/lang_tdb.o lib/account_pol.o \
 	  lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \
diff --git a/source3/lib/iconv.c b/source3/lib/iconv.c
index d0d2dcd1c4..7df73192f2 100644
--- a/source3/lib/iconv.c
+++ b/source3/lib/iconv.c
@@ -105,7 +105,7 @@ NTSTATUS smb_register_charset(struct charset_functions *funcs)
 	return NT_STATUS_OK;
 }
 
-void lazy_initialize_iconv(void)
+static void lazy_initialize_iconv(void)
 {
 	static BOOL initialized;
 	int i;
diff --git a/source3/lib/smbpasswd.c b/source3/lib/smbpasswd.c
index 92ae1ffea2..e69de29bb2 100644
--- a/source3/lib/smbpasswd.c
+++ b/source3/lib/smbpasswd.c
@@ -1,200 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-
-   smbpasswd file format routines
-
-   Copyright (C) Andrew Tridgell 1992-1998 
-   Modified by Jeremy Allison 1995.
-   Modified by Gerald (Jerry) Carter 2000-2001
-   Copyright (C) Tim Potter 2001
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-/*! \file lib/smbpasswd.c
-
-   The smbpasswd file is used to store encrypted passwords in a similar
-   fashion to the /etc/passwd file.  The format is colon separated fields
-   with one user per line like so:
-
-   <username>:<uid>:<lanman hash>:<nt hash>:<acb info>:<last change time>
-
-   The username and uid must correspond to an entry in the /etc/passwd
-   file.  The lanman and nt password hashes are 32 hex digits corresponding
-   to the 16-byte lanman and nt hashes respectively.  
-
-   The password last change time is stored as a string of the format
-   LCD-<change time> where the change time is expressed as an 
-
-   'N'    No password
-   'D'    Disabled
-   'H'    Homedir required
-   'T'    Temp account.
-   'U'    User account (normal) 
-   'M'    MNS logon user account - what is this ? 
-   'W'    Workstation account
-   'S'    Server account 
-   'L'    Locked account
-   'X'    No Xpiry on password 
-   'I'    Interdomain trust account
-
-*/
-
-#include "includes.h"
-
-/*! Convert 32 hex characters into a 16 byte array. */
-
-BOOL smbpasswd_gethexpwd(char *p, unsigned char *pwd)
-{
-	int i;
-	unsigned char   lonybble, hinybble;
-	const char      *hexchars = "0123456789ABCDEF";
-	char           *p1, *p2;
-	
-	if (!p) return (False);
-	
-	for (i = 0; i < 32; i += 2)
-	{
-		hinybble = toupper(p[i]);
-		lonybble = toupper(p[i + 1]);
-
-		p1 = strchr_m(hexchars, hinybble);
-		p2 = strchr_m(hexchars, lonybble);
-
-		if (!p1 || !p2)
-		{
-			return (False);
-		}
-
-		hinybble = PTR_DIFF(p1, hexchars);
-		lonybble = PTR_DIFF(p2, hexchars);
-
-		pwd[i / 2] = (hinybble << 4) | lonybble;
-	}
-	return (True);
-}
-
-/*! Convert a 16-byte array into 32 hex characters. */
-
-void smbpasswd_sethexpwd(fstring p, unsigned char *pwd, uint16 acb_info)
-{
-	if (pwd != NULL) {
-		int i;
-		for (i = 0; i < 16; i++)
-			slprintf(&p[i*2], 3, "%02X", pwd[i]);
-	} else {
-		if (acb_info & ACB_PWNOTREQ)
-			safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
-		else
-			safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
-	}
-}
-
-/*! Decode the account control bits (ACB) info from a string. */
-
-uint16 smbpasswd_decode_acb_info(const char *p)
-{
-	uint16 acb_info = 0;
-	BOOL finished = False;
-
-	/*
-	 * Check if the account type bits have been encoded after the
-	 * NT password (in the form [NDHTUWSLXI]).
-	 */
-
-	if (*p != '[') return 0;
-
-	for (p++; *p && !finished; p++)
-	{
-		switch (*p) {
-                case 'N': /* 'N'o password. */
-                        acb_info |= ACB_PWNOTREQ; 
-                        break;
-                case 'D': /* 'D'isabled. */
-                        acb_info |= ACB_DISABLED; 
-                        break; 
-                case 'H': /* 'H'omedir required. */
-                        acb_info |= ACB_HOMDIRREQ; 
-                        break;
-                case 'T': /* 'T'emp account. */
-                        acb_info |= ACB_TEMPDUP; 
-                        break;
-                case 'U': /* 'U'ser account (normal). */
-                        acb_info |= ACB_NORMAL;
-                        break;
-                case 'M': /* 'M'NS logon user account. What is this ? */
-                        acb_info |= ACB_MNS; 
-                        break; 
-                case 'W': /* 'W'orkstation account. */
-                        acb_info |= ACB_WSTRUST; 
-                        break; 
-                case 'S': /* 'S'erver account. */ 
-                        acb_info |= ACB_SVRTRUST; 
-                        break; 
-                case 'L': /* 'L'ocked account. */
-                        acb_info |= ACB_AUTOLOCK; 
-                        break; 
-                case 'X': /* No 'X'piry on password */
-                        acb_info |= ACB_PWNOEXP; 
-                        break; 
-                case 'I': /* 'I'nterdomain trust account. */
-                        acb_info |= ACB_DOMTRUST; 
-                        break; 
-
-                case ' ': 
-                        break;
-                case ':':
-                case '\n':
-                case '\0': 
-                case ']':
-                default:  
-                        finished = True;
-                        break;
-		}
-	}
-
-	return acb_info;
-}
-
-/*! Encode account control bits (ACBs) into a string. */
-
-char *smbpasswd_encode_acb_info(uint16 acb_info)
-{
-	static fstring acct_str;
-	size_t i = 0;
-
-	acct_str[i++] = '[';
-
-	if (acb_info & ACB_PWNOTREQ ) acct_str[i++] = 'N';
-	if (acb_info & ACB_DISABLED ) acct_str[i++] = 'D';
-	if (acb_info & ACB_HOMDIRREQ) acct_str[i++] = 'H';
-	if (acb_info & ACB_TEMPDUP  ) acct_str[i++] = 'T'; 
-	if (acb_info & ACB_NORMAL   ) acct_str[i++] = 'U';
-	if (acb_info & ACB_MNS      ) acct_str[i++] = 'M';
-	if (acb_info & ACB_WSTRUST  ) acct_str[i++] = 'W';
-	if (acb_info & ACB_SVRTRUST ) acct_str[i++] = 'S';
-	if (acb_info & ACB_AUTOLOCK ) acct_str[i++] = 'L';
-	if (acb_info & ACB_PWNOEXP  ) acct_str[i++] = 'X';
-	if (acb_info & ACB_DOMTRUST ) acct_str[i++] = 'I';
-
-	for ( ; i < NEW_PW_FORMAT_SPACE_PADDED_LEN - 2 ; i++ )
-                acct_str[i] = ' ';
-
-	i = NEW_PW_FORMAT_SPACE_PADDED_LEN - 2;
-	acct_str[i++] = ']';
-	acct_str[i++] = '\0';
-
-	return acct_str;
-}     
diff --git a/source3/nsswitch/winbindd_rpc.c b/source3/nsswitch/winbindd_rpc.c
index 21e0c3092e..d4428a2f59 100644
--- a/source3/nsswitch/winbindd_rpc.c
+++ b/source3/nsswitch/winbindd_rpc.c
@@ -792,7 +792,7 @@ static int get_ldap_seq(const char *server, int port, uint32 *seq)
  LDAP queries
 **********************************************************************/
 
-int get_ldap_sequence_number( const char* domain, uint32 *seq)
+static int get_ldap_sequence_number( const char* domain, uint32 *seq)
 {
 	int ret = -1;
 	int i, port = LDAP_PORT;
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index 869165f1dc..be03157636 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -1102,13 +1102,24 @@ BOOL pdb_set_plaintext_passwd (SAM_ACCOUNT *sampass, const char *plaintext)
 	if (!sampass || !plaintext)
 		return False;
 	
-	nt_lm_owf_gen (plaintext, new_nt_p16, new_lanman_p16);
+	/* Calculate the MD4 hash (NT compatible) of the password */
+	E_md4hash(plaintext, new_nt_p16);
 
 	if (!pdb_set_nt_passwd (sampass, new_nt_p16, PDB_CHANGED)) 
 		return False;
 
-	if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED)) 
-		return False;
+	if (!E_deshash(plaintext, new_lanman_p16)) {
+		/* E_deshash returns false for 'long' passwords (> 14
+		   DOS chars).  This allows us to match Win2k, which
+		   does not store a LM hash for these passwords (which
+		   would reduce the effective password length to 14 */
+
+		if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED)) 
+			return False;
+	} else {
+		if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED)) 
+			return False;
+	}
 
 	if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED)) 
 		return False;
diff --git a/source3/rpc_parse/parse_misc.c b/source3/rpc_parse/parse_misc.c
index b34efa6667..cea31c88a8 100644
--- a/source3/rpc_parse/parse_misc.c
+++ b/source3/rpc_parse/parse_misc.c
@@ -32,7 +32,7 @@
 
 static TALLOC_CTX *current_rpc_talloc = NULL;
 
-TALLOC_CTX *get_current_rpc_talloc(void)
+static TALLOC_CTX *get_current_rpc_talloc(void)
 {
     return current_rpc_talloc;
 }
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 25721d99a8..0a2843629e 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -56,7 +56,7 @@ struct generic_mapping file_generic_mapping = {
 	FILE_GENERIC_ALL
 };
 
-char *nttrans_realloc(char **ptr, size_t size)
+static char *nttrans_realloc(char **ptr, size_t size)
 {
 	char *tptr = NULL;
 	if (ptr==NULL)
@@ -2022,11 +2022,12 @@ static int call_nt_transact_get_user_quota(connection_struct *conn, char *inbuf,
 	SMB_NTQUOTA_STRUCT qt;
 	SMB_NTQUOTA_LIST *tmp_list;
 	SMB_NTQUOTA_HANDLE *qt_handle = NULL;
+	extern struct current_user current_user;
 
 	ZERO_STRUCT(qt);
 
 	/* access check */
-	if (conn->admin_user != True) {
+	if (current_user.uid != 0) {
 		DEBUG(1,("set_user_quota: access_denied service [%s] user [%s]\n",
 			lp_servicename(SNUM(conn)),conn->user));
 		return ERROR_DOS(ERRDOS,ERRnoaccess);
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index e7aa41e343..26e4021443 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -145,7 +145,7 @@ static void msg_exit_server(int msg_type, pid_t src, void *buf, size_t len)
  Have we reached the process limit ?
 ****************************************************************************/
 
-BOOL allowable_number_of_smbd_processes(void)
+static BOOL allowable_number_of_smbd_processes(void)
 {
 	int max_processes = lp_max_smbd_processes();
 
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index 6bfeedc8a0..52e295949e 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -42,7 +42,7 @@
  * @return A shell status integer (0 for success)
  *
  **/
-int net_rpc_join_ok(const char *domain)
+static int net_rpc_join_ok(const char *domain)
 {
 	struct cli_state *cli;
 	uchar stored_md4_trust_password[16];
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index e97a362acc..cb395de828 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -62,21 +62,21 @@ static void display_account_info(uint32 rid, SAM_ACCOUNT_INFO *a)
 	
 	if (memcmp(a->pass.buf_lm_pwd, zero_buf, 16) != 0) {
 		sam_pwd_hash(a->user_rid, a->pass.buf_lm_pwd, lm_passwd, 0);
-		smbpasswd_sethexpwd(hex_lm_passwd, lm_passwd, a->acb_info);
+		pdb_sethexpwd(hex_lm_passwd, lm_passwd, a->acb_info);
 	} else {
-		smbpasswd_sethexpwd(hex_lm_passwd, NULL, 0);
+		pdb_sethexpwd(hex_lm_passwd, NULL, 0);
 	}
 
 	if (memcmp(a->pass.buf_nt_pwd, zero_buf, 16) != 0) {
 		sam_pwd_hash(a->user_rid, a->pass.buf_nt_pwd, nt_passwd, 0);
-		smbpasswd_sethexpwd(hex_nt_passwd, nt_passwd, a->acb_info);
+		pdb_sethexpwd(hex_nt_passwd, nt_passwd, a->acb_info);
 	} else {
-		smbpasswd_sethexpwd(hex_nt_passwd, NULL, 0);
+		pdb_sethexpwd(hex_nt_passwd, NULL, 0);
 	}
 	
 	printf("%s:%d:%s:%s:%s:LCT-0\n", unistr2_static(&a->uni_acct_name),
 	       a->user_rid, hex_lm_passwd, hex_nt_passwd,
-	       smbpasswd_encode_acb_info(a->acb_info));
+	       pdb_encode_acct_ctrl(a->acb_info, NEW_PW_FORMAT_SPACE_PADDED_LEN));
 }
 
 static void display_domain_info(SAM_DOMAIN_INFO *a)
@@ -432,7 +432,7 @@ static NTSTATUS fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta)
 			pstrcpy(add_script, lp_addmachine_script());
 		} else {
 			DEBUG(1, ("Unknown user type: %s\n",
-				  smbpasswd_encode_acb_info(delta->acb_info)));
+				  pdb_encode_acct_ctrl(delta->acb_info, NEW_PW_FORMAT_SPACE_PADDED_LEN)));
 			nt_ret = NT_STATUS_UNSUCCESSFUL;
 			goto done;
 		}
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index 8a103fa57f..aac009893c 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -91,7 +91,7 @@ static char *grab_line(FILE *f, int *cl)
  (This was in rfc1738_unescape(), but that broke the squid helper)
 **/
 
-void plus_to_space_unescape(char *buf)
+static void plus_to_space_unescape(char *buf)
 {
 	char *p=buf;