summaryrefslogtreecommitdiff
path: root/source4/rpc_server
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2005-06-24 00:18:20 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:18:44 -0500
commitbdee131f30e1bef31498b08bb648ddee35ea4892 (patch)
treec0ad71d994361020334bb280a9a5cbd31f73db5b /source4/rpc_server
parent3022bfef70f4d76d3a12cfb8ee8cbdc72644b58f (diff)
downloadsamba-bdee131f30e1bef31498b08bb648ddee35ea4892.tar.gz
samba-bdee131f30e1bef31498b08bb648ddee35ea4892.tar.bz2
samba-bdee131f30e1bef31498b08bb648ddee35ea4892.zip
r7860: switch our ldb storage format to use a NDR encoded objectSid. This is
quite a large change as we had lots of code that assumed that objectSid was a string in S- format. metze and simo tried to convince me to use NDR format months ago, but I didn't listen, so its fair that I have the pain of fixing all the code now :-) This builds on the ldb_register_samba_handlers() and ldif handlers code I did earlier this week. There are still three parts of this conversion I have not finished: - the ltdb index records need to use the string form of the objectSid (to keep the DNs sane). Until that it done I have disabled indexing on objectSid, which is a big performance hit, but allows us to pass all our tests while I rejig the indexing system to use a externally supplied conversion function - I haven't yet put in place the code that allows client to use the "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3 supports this, presumably by looking for the "S-" prefix to determine what type of objectSid form is being used by the client. I have been working on ways to handle this, but am not happy with them yet so they aren't part of this patch - I need to change pidl to generate push functions that take a "const void *" instead of a "void*" for the data pointer. That will fix the couple of new warnings this code generates. Luckily it many places the conversion to NDR formatted records actually simplified the code, as it means we no longer need as many calls to dom_sid_parse_talloc(). In some places it got more complex, but not many. (This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
Diffstat (limited to 'source4/rpc_server')
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c68
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c17
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.c263
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.h4
-rw-r--r--source4/rpc_server/samr/samr_password.c10
5 files changed, 139 insertions, 223 deletions
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index b3de4e4ba1..726c82364b 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -65,7 +65,6 @@ struct lsa_account_state {
struct lsa_policy_state *policy;
uint32_t access_mask;
struct dom_sid *account_sid;
- const char *account_sid_str;
const char *account_dn;
};
@@ -221,7 +220,6 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
struct lsa_policy_state **_state)
{
struct lsa_policy_state *state;
- const char *sid_str;
state = talloc(mem_ctx, struct lsa_policy_state);
if (!state) {
@@ -266,13 +264,8 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
return NT_STATUS_NO_SUCH_DOMAIN;
}
- sid_str = samdb_search_string(state->sam_ldb, mem_ctx,
- state->domain_dn, "objectSid", NULL);
- if (!sid_str) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- state->domain_sid = dom_sid_parse_talloc(state, sid_str);
+ state->domain_sid = samdb_search_dom_sid(state->sam_ldb, state,
+ state->domain_dn, "objectSid", NULL);
if (!state->domain_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
@@ -519,16 +512,11 @@ static NTSTATUS lsa_EnumAccounts(struct dcesrv_call_state *dce_call, TALLOC_CTX
}
for (i=0;i<count;i++) {
- const char *sidstr;
-
- sidstr = samdb_result_string(res[i + *r->in.resume_handle], "objectSid", NULL);
- if (sidstr == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- r->out.sids->sids[i].sid = dom_sid_parse_talloc(r->out.sids->sids, sidstr);
- if (r->out.sids->sids[i].sid == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ r->out.sids->sids[i].sid =
+ samdb_result_dom_sid(r->out.sids->sids,
+ res[i + *r->in.resume_handle],
+ "objectSid");
+ NT_STATUS_HAVE_NO_MEMORY(r->out.sids->sids[i].sid);
}
r->out.sids->num_sids = count;
@@ -1104,7 +1092,7 @@ static NTSTATUS lsa_lookup_sid(struct lsa_policy_state *state, TALLOC_CTX *mem_c
NTSTATUS status;
ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs,
- "objectSid=%s", sid_str);
+ "objectSid=%s", ldap_encode_ndr_dom_sid(mem_ctx, sid));
if (ret == 1) {
*name = ldb_msg_find_string(res[0], "sAMAccountName", NULL);
if (!*name) {
@@ -1315,17 +1303,13 @@ static NTSTATUS lsa_OpenAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *
return NT_STATUS_NO_MEMORY;
}
- astate->account_sid_str = dom_sid_string(astate, astate->account_sid);
- if (astate->account_sid_str == NULL) {
- talloc_free(astate);
- return NT_STATUS_NO_MEMORY;
- }
-
/* check it really exists */
- astate->account_dn = samdb_search_string(state->sam_ldb, astate,
- NULL, "dn",
- "(&(objectSid=%s)(objectClass=group))",
- astate->account_sid_str);
+ astate->account_dn =
+ samdb_search_string(state->sam_ldb, astate,
+ NULL, "dn",
+ "(&(objectSid=%s)(objectClass=group))",
+ ldap_encode_ndr_dom_sid(mem_ctx,
+ astate->account_sid));
if (astate->account_dn == NULL) {
talloc_free(astate);
return NT_STATUS_NO_SUCH_USER;
@@ -1422,7 +1406,7 @@ static NTSTATUS lsa_EnumAccountRights(struct dcesrv_call_state *dce_call,
state = h->data;
- sidstr = dom_sid_string(mem_ctx, r->in.sid);
+ sidstr = ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid);
if (sidstr == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1471,7 +1455,7 @@ static NTSTATUS lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_call,
const char *dn;
struct lsa_EnumAccountRights r2;
- sidstr = dom_sid_string(mem_ctx, sid);
+ sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
if (sidstr == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -2348,16 +2332,9 @@ static NTSTATUS lsa_EnumAccountsWithUserRight(struct dcesrv_call_state *dce_call
return NT_STATUS_NO_MEMORY;
}
for (i=0;i<ret;i++) {
- const char *sidstr;
- sidstr = samdb_result_string(res[i], "objectSid", NULL);
- if (sidstr == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- r->out.sids->sids[i].sid = dom_sid_parse_talloc(r->out.sids->sids,
- sidstr);
- if (r->out.sids->sids[i].sid == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ r->out.sids->sids[i].sid = samdb_result_dom_sid(r->out.sids->sids,
+ res[i], "objectSid");
+ NT_STATUS_HAVE_NO_MEMORY(r->out.sids->sids[i].sid);
}
r->out.sids->num_sids = ret;
@@ -2540,12 +2517,7 @@ static NTSTATUS lsa_lookup_name(struct lsa_policy_state *state, TALLOC_CTX *mem_
ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs, "sAMAccountName=%s", name);
if (ret == 1) {
- const char *sid_str = ldb_msg_find_string(res[0], "objectSid", NULL);
- if (sid_str == NULL) {
- return NT_STATUS_INVALID_SID;
- }
-
- *sid = dom_sid_parse_talloc(mem_ctx, sid_str);
+ *sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid");
if (*sid == NULL) {
return NT_STATUS_INVALID_SID;
}
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index bd20deedb9..4dd8312df5 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -313,7 +313,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
struct ldb_message **msgs_domain;
NTSTATUS nt_status;
struct ldb_message *mod;
- const char *domain_sid;
+ struct dom_sid *domain_sid;
const char *attrs[] = {"objectSid", NULL };
@@ -356,20 +356,20 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL,
&msgs_domain, domain_attrs,
"(&(objectSid=%s)(objectclass=domain))",
- domain_sid);
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
if (num_records_domain == -1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (num_records_domain == 0) {
DEBUG(3,("Couldn't find domain [%s] in samdb.\n",
- domain_sid));
+ dom_sid_string(mem_ctx, domain_sid)));
return NT_STATUS_NO_SUCH_USER;
}
if (num_records_domain > 1) {
DEBUG(0,("Found %d records matching domain [%s]\n",
- num_records_domain, domain_sid));
+ num_records_domain, dom_sid_string(mem_ctx, domain_sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -1036,7 +1036,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL
struct ldb_message **msgs_domain;
NTSTATUS nt_status;
struct ldb_message *mod;
- const char *domain_sid;
+ struct dom_sid *domain_sid;
char new_pass[512];
uint32_t new_pass_len;
@@ -1083,20 +1083,21 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL
num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL,
&msgs_domain, domain_attrs,
"(&(objectSid=%s)(objectclass=domain))",
- domain_sid);
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
if (num_records_domain == -1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (num_records_domain == 0) {
DEBUG(3,("Couldn't find domain [%s] in samdb.\n",
- domain_sid));
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)));
return NT_STATUS_NO_SUCH_USER;
}
if (num_records_domain > 1) {
DEBUG(0,("Found %d records matching domain [%s]\n",
- num_records_domain, domain_sid));
+ num_records_domain,
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 337c300203..cce446533d 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -160,8 +160,7 @@ static NTSTATUS samr_LookupDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX
{
struct samr_connect_state *c_state;
struct dcesrv_handle *h;
- struct dom_sid2 *sid;
- const char *sidstr;
+ struct dom_sid *sid;
r->out.sid = NULL;
@@ -173,19 +172,12 @@ static NTSTATUS samr_LookupDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX
return NT_STATUS_INVALID_PARAMETER;
}
- sidstr = samdb_search_string(c_state->sam_ctx,
- mem_ctx, NULL, "objectSid",
- "(&(name=%s)(objectclass=domain))",
- r->in.domain_name->string);
- if (sidstr == NULL) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- sid = dom_sid_parse_talloc(mem_ctx, sidstr);
+ sid = samdb_search_dom_sid(c_state->sam_ctx,
+ mem_ctx, NULL, "objectSid",
+ "(&(name=%s)(objectclass=domain))",
+ r->in.domain_name->string);
if (sid == NULL) {
- DEBUG(0,("samdb: Invalid sid '%s' for domain %s\n",
- sidstr, r->in.domain_name->string));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ return NT_STATUS_NO_SUCH_DOMAIN;
}
r->out.sid = sid;
@@ -266,7 +258,7 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *
struct samr_OpenDomain *r)
{
struct dcesrv_handle *h_conn, *h_domain;
- const char *sidstr, *domain_name;
+ const char *domain_name;
struct samr_connect_state *c_state;
struct samr_domain_state *d_state;
const char * const attrs[2] = { "name", NULL};
@@ -283,15 +275,10 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *
return NT_STATUS_INVALID_PARAMETER;
}
- sidstr = dom_sid_string(mem_ctx, r->in.sid);
- if (sidstr == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
ret = gendb_search(c_state->sam_ctx,
mem_ctx, NULL, &msgs, attrs,
"(&(objectSid=%s)(objectclass=domain))",
- sidstr);
+ ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
if (ret != 1) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
@@ -308,7 +295,7 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *
d_state->connect_state = talloc_reference(d_state, c_state);
d_state->sam_ctx = c_state->sam_ctx;
- d_state->domain_sid = talloc_strdup(d_state, sidstr);
+ d_state->domain_sid = dom_sid_dup(d_state, r->in.sid);
d_state->domain_name = talloc_strdup(d_state, domain_name);
d_state->domain_dn = talloc_strdup(d_state, msgs[0]->dn);
if (!d_state->domain_sid || !d_state->domain_name || !d_state->domain_dn) {
@@ -470,7 +457,7 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO
const char *name;
struct ldb_message *msg;
struct dom_sid *sid;
- const char *groupname, *sidstr;
+ const char *groupname;
struct dcesrv_handle *g_handle;
int ret;
@@ -526,10 +513,10 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msg->dn);
- /* retrieve the sidstring for the group just created */
- sidstr = samdb_search_string(d_state->sam_ctx, a_state,
- msg->dn, "objectSid", NULL);
- if (sidstr == NULL) {
+ /* retrieve the sid for the group just created */
+ sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
+ msg->dn, "objectSid", NULL);
+ if (sid == NULL) {
return NT_STATUS_UNSUCCESSFUL;
}
@@ -547,11 +534,6 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO
g_handle->data = talloc_steal(g_handle, a_state);
*r->out.group_handle = g_handle->wire_handle;
-
- sid = dom_sid_parse_talloc(mem_ctx, sidstr);
- if (!sid)
- return NT_STATUS_UNSUCCESSFUL;
-
*r->out.rid = sid->sub_auths[sid->num_auths-1];
return NT_STATUS_OK;
@@ -578,7 +560,6 @@ static NTSTATUS samr_EnumDomainGroups(struct dcesrv_call_state *dce_call, TALLOC
int ldb_cnt, count, i, first;
struct samr_SamEntry *entries;
const char * const attrs[3] = { "objectSid", "sAMAccountName", NULL };
- struct dom_sid *domain_sid;
*r->out.resume_handle = 0;
r->out.sam = NULL;
@@ -588,15 +569,11 @@ static NTSTATUS samr_EnumDomainGroups(struct dcesrv_call_state *dce_call, TALLOC
d_state = h->data;
- domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid);
- if (domain_sid == NULL)
- return NT_STATUS_NO_MEMORY;
-
/* search for all domain groups in this domain. This could possibly be
cached and resumed based on resume_key */
ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx,
d_state->domain_dn, &res, attrs,
- domain_sid,
+ d_state->domain_sid,
"(&(grouptype=%s)(objectclass=group))",
ldb_hexstr(mem_ctx,
GTYPE_SECURITY_GLOBAL_GROUP));
@@ -680,7 +657,7 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
const char *name;
struct ldb_message *msg;
struct dom_sid *sid;
- const char *account_name, *sidstr;
+ const char *account_name;
struct dcesrv_handle *u_handle;
int ret;
const char *container, *class=NULL;
@@ -756,10 +733,10 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msg->dn);
- /* retrieve the sidstring for the group just created */
- sidstr = samdb_search_string(d_state->sam_ctx, a_state,
+ /* retrieve the sid for the group just created */
+ sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
msg->dn, "objectSid", NULL);
- if (sidstr == NULL) {
+ if (sid == NULL) {
return NT_STATUS_UNSUCCESSFUL;
}
@@ -779,10 +756,6 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
*r->out.user_handle = u_handle->wire_handle;
*r->out.access_granted = 0xf07ff; /* TODO: fix access mask calculations */
- sid = dom_sid_parse_talloc(mem_ctx, sidstr);
- if (!sid)
- return NT_STATUS_UNSUCCESSFUL;
-
*r->out.rid = sid->sub_auths[sid->num_auths-1];
return NT_STATUS_OK;
@@ -898,7 +871,7 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
struct samr_domain_state *d_state;
struct samr_account_state *a_state;
struct dcesrv_handle *h;
- const char *alias_name, *name, *sidstr;
+ const char *alias_name, *name;
struct ldb_message *msg;
struct dom_sid *sid;
struct dcesrv_handle *a_handle;
@@ -960,12 +933,9 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msg->dn);
- /* retrieve the sidstring for the group just created */
- sidstr = samdb_search_string(d_state->sam_ctx, a_state,
+ /* retrieve the sid for the alias just created */
+ sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
msg->dn, "objectSid", NULL);
- if (sidstr == NULL) {
- return NT_STATUS_UNSUCCESSFUL;
- }
a_state->account_name = talloc_strdup(a_state, alias_name);
if (!a_state->account_name) {
@@ -981,10 +951,6 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
*r->out.alias_handle = a_handle->wire_handle;
- sid = dom_sid_parse_talloc(mem_ctx, sidstr);
- if (!sid)
- return NT_STATUS_UNSUCCESSFUL;
-
*r->out.rid = sid->sub_auths[sid->num_auths-1];
return NT_STATUS_OK;
@@ -1003,7 +969,6 @@ static NTSTATUS samr_EnumDomainAliases(struct dcesrv_call_state *dce_call, TALLO
int ldb_cnt, count, i, first;
struct samr_SamEntry *entries;
const char * const attrs[3] = { "objectSid", "sAMAccountName", NULL };
- struct dom_sid *domain_sid;
*r->out.resume_handle = 0;
r->out.sam = NULL;
@@ -1013,15 +978,12 @@ static NTSTATUS samr_EnumDomainAliases(struct dcesrv_call_state *dce_call, TALLO
d_state = h->data;
- domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid);
- if (domain_sid == NULL)
- return NT_STATUS_NO_MEMORY;
-
/* search for all domain groups in this domain. This could possibly be
cached and resumed based on resume_key */
ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx,
d_state->domain_dn,
- &res, attrs, domain_sid,
+ &res, attrs,
+ d_state->domain_sid,
"(&(|(grouptype=%s)(grouptype=%s)))"
"(objectclass=group))",
ldb_hexstr(mem_ctx,
@@ -1102,7 +1064,6 @@ static NTSTATUS samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALL
struct dcesrv_handle *h;
struct samr_domain_state *d_state;
struct ldb_message **res;
- struct dom_sid *domain_sid;
int i, count = 0;
DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN);
@@ -1124,17 +1085,14 @@ static NTSTATUS samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALL
return NT_STATUS_NO_MEMORY;
for (i=0; i<r->in.sids->num_sids; i++) {
- const char *sidstr, *memberdn;
+ const char *memberdn;
- sidstr = dom_sid_string(mem_ctx,
- r->in.sids->sids[i].sid);
- if (sidstr == NULL)
- return NT_STATUS_NO_MEMORY;
-
- memberdn = samdb_search_string(d_state->sam_ctx,
- mem_ctx, NULL, "dn",
- "(objectSid=%s)",
- sidstr);
+ memberdn =
+ samdb_search_string(d_state->sam_ctx,
+ mem_ctx, NULL, "dn",
+ "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx,
+ r->in.sids->sids[i].sid));
if (memberdn == NULL)
continue;
@@ -1145,14 +1103,9 @@ static NTSTATUS samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALL
return NT_STATUS_NO_MEMORY;
}
- domain_sid = dom_sid_parse_talloc(mem_ctx,
- d_state->domain_sid);
- if (domain_sid == NULL)
- return NT_STATUS_NO_MEMORY;
-
count = samdb_search_domain(d_state->sam_ctx, mem_ctx,
d_state->domain_dn, &res, attrs,
- domain_sid, "%s))", filter);
+ d_state->domain_sid, "%s))", filter);
if (count < 0)
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -1215,8 +1168,7 @@ static NTSTATUS samr_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX
for (i=0;i<r->in.num_names;i++) {
struct ldb_message **res;
- struct dom_sid2 *sid;
- const char *sidstr;
+ struct dom_sid *sid;
uint32_t atype, rtype;
r->out.rids.ids[i] = 0;
@@ -1229,18 +1181,12 @@ static NTSTATUS samr_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX
continue;
}
- sidstr = samdb_result_string(res[0], "objectSid", NULL);
- if (sidstr == NULL) {
- status = STATUS_SOME_UNMAPPED;
- continue;
- }
-
- sid = dom_sid_parse_talloc(mem_ctx, sidstr);
+ sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid");
if (sid == NULL) {
status = STATUS_SOME_UNMAPPED;
continue;
}
-
+
atype = samdb_result_uint(res[0], "sAMAccountType", 0);
if (atype == 0) {
status = STATUS_SOME_UNMAPPED;
@@ -1300,13 +1246,21 @@ static NTSTATUS samr_LookupRids(struct dcesrv_call_state *dce_call, TALLOC_CTX *
const char * const attrs[] = { "sAMAccountType",
"sAMAccountName", NULL };
uint32_t atype;
+ struct dom_sid *sid;
ids[i] = SID_NAME_UNKNOWN;
+ sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rids[i]);
+ if (sid == NULL) {
+ names[i].string = NULL;
+ status = STATUS_SOME_UNMAPPED;
+ continue;
+ }
+
count = gendb_search(d_state->sam_ctx, mem_ctx,
d_state->domain_dn, &res, attrs,
- "(objectSid=%s-%u)", d_state->domain_sid,
- r->in.rids[i]);
+ "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, sid));
if (count != 1) {
names[i].string = NULL;
status = STATUS_SOME_UNMAPPED;
@@ -1349,7 +1303,8 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
struct samr_domain_state *d_state;
struct samr_account_state *a_state;
struct dcesrv_handle *h;
- const char *groupname, *sidstr;
+ const char *groupname;
+ struct dom_sid *sid;
struct ldb_message **msgs;
struct dcesrv_handle *g_handle;
const char * const attrs[2] = { "sAMAccountName", NULL };
@@ -1362,8 +1317,8 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
d_state = h->data;
/* form the group SID */
- sidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, r->in.rid);
- if (!sidstr) {
+ sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
+ if (!sid) {
return NT_STATUS_NO_MEMORY;
}
@@ -1372,19 +1327,22 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
mem_ctx, d_state->domain_dn, &msgs, attrs,
"(&(objectSid=%s)(objectclass=group)"
"(grouptype=%s))",
- sidstr, ldb_hexstr(mem_ctx,
- GTYPE_SECURITY_GLOBAL_GROUP));
+ ldap_encode_ndr_dom_sid(mem_ctx, sid),
+ ldb_hexstr(mem_ctx,
+ GTYPE_SECURITY_GLOBAL_GROUP));
if (ret == 0) {
return NT_STATUS_NO_SUCH_GROUP;
}
if (ret != 1) {
- DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr));
+ DEBUG(0,("Found %d records matching sid %s\n",
+ ret, dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
groupname = samdb_result_string(msgs[0], "sAMAccountName", NULL);
if (groupname == NULL) {
- DEBUG(0,("sAMAccountName field missing for sid %s\n", sidstr));
+ DEBUG(0,("sAMAccountName field missing for sid %s\n",
+ dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -1396,7 +1354,7 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
a_state->access_mask = r->in.access_mask;
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msgs[0]->dn);
- a_state->account_sid = talloc_steal(a_state, sidstr);
+ a_state->account_sid = talloc_steal(a_state, sid);
a_state->account_name = talloc_strdup(a_state, groupname);
if (!a_state->account_name) {
return NT_STATUS_NO_MEMORY;
@@ -1586,7 +1544,7 @@ static NTSTATUS samr_AddGroupMember(struct dcesrv_call_state *dce_call, TALLOC_C
struct samr_account_state *a_state;
struct samr_domain_state *d_state;
struct ldb_message *mod;
- char *membersidstr;
+ struct dom_sid *membersid;
const char *memberdn;
struct ldb_message **msgs;
const char * const attrs[2] = { "dn", NULL };
@@ -1597,16 +1555,15 @@ static NTSTATUS samr_AddGroupMember(struct dcesrv_call_state *dce_call, TALLOC_C
a_state = h->data;
d_state = a_state->domain_state;
- membersidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid,
- r->in.rid);
- if (membersidstr == NULL)
+ membersid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
+ if (membersid == NULL)
return NT_STATUS_NO_MEMORY;
/* In native mode, AD can also nest domain groups. Not sure yet
* whether this is also available via RPC. */
ret = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn,
&msgs, attrs, "(&(objectSid=%s)(objectclass=user))",
- membersidstr);
+ ldap_encode_ndr_dom_sid(mem_ctx, membersid));
if (ret == 0)
return NT_STATUS_NO_SUCH_USER;
@@ -1674,7 +1631,7 @@ static NTSTATUS samr_DeleteGroupMember(struct dcesrv_call_state *dce_call, TALLO
struct samr_account_state *a_state;
struct samr_domain_state *d_state;
struct ldb_message *mod;
- char *membersidstr;
+ struct dom_sid *membersid;
const char *memberdn;
struct ldb_message **msgs;
const char * const attrs[2] = { "dn", NULL };
@@ -1685,16 +1642,15 @@ static NTSTATUS samr_DeleteGroupMember(struct dcesrv_call_state *dce_call, TALLO
a_state = h->data;
d_state = a_state->domain_state;
- membersidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid,
- r->in.rid);
- if (membersidstr == NULL)
+ membersid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
+ if (membersid == NULL)
return NT_STATUS_NO_MEMORY;
/* In native mode, AD can also nest domain groups. Not sure yet
* whether this is also available via RPC. */
ret = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn,
&msgs, attrs, "(&(objectSid=%s)(objectclass=user))",
- membersidstr);
+ ldap_encode_ndr_dom_sid(mem_ctx, membersid));
if (ret == 0)
return NT_STATUS_NO_SUCH_USER;
@@ -1820,7 +1776,8 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
struct samr_domain_state *d_state;
struct samr_account_state *a_state;
struct dcesrv_handle *h;
- const char *alias_name, *sidstr;
+ const char *alias_name;
+ struct dom_sid *sid;
struct ldb_message **msgs;
struct dcesrv_handle *g_handle;
const char * const attrs[2] = { "sAMAccountName", NULL };
@@ -1833,9 +1790,8 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
d_state = h->data;
/* form the alias SID */
- sidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid,
- r->in.rid);
- if (sidstr == NULL)
+ sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
+ if (sid == NULL)
return NT_STATUS_NO_MEMORY;
/* search for the group record */
@@ -1843,7 +1799,7 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
mem_ctx, d_state->domain_dn, &msgs, attrs,
"(&(objectSid=%s)(objectclass=group)"
"(|(grouptype=%s)(grouptype=%s)))",
- sidstr,
+ ldap_encode_ndr_dom_sid(mem_ctx, sid),
ldb_hexstr(mem_ctx,
GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
ldb_hexstr(mem_ctx,
@@ -1852,13 +1808,15 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
return NT_STATUS_NO_SUCH_ALIAS;
}
if (ret != 1) {
- DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr));
+ DEBUG(0,("Found %d records matching sid %s\n",
+ ret, dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
alias_name = samdb_result_string(msgs[0], "sAMAccountName", NULL);
if (alias_name == NULL) {
- DEBUG(0,("sAMAccountName field missing for sid %s\n", sidstr));
+ DEBUG(0,("sAMAccountName field missing for sid %s\n",
+ dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -1870,7 +1828,7 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
a_state->access_mask = r->in.access_mask;
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msgs[0]->dn);
- a_state->account_sid = talloc_steal(a_state, sidstr);
+ a_state->account_sid = talloc_steal(a_state, sid);
a_state->account_name = talloc_strdup(a_state, alias_name);
if (!a_state->account_name) {
return NT_STATUS_NO_MEMORY;
@@ -2030,7 +1988,6 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C
struct dcesrv_handle *h;
struct samr_account_state *a_state;
struct samr_domain_state *d_state;
- const char *sidstr;
struct ldb_message *mod;
struct ldb_message **msgs;
const char * const attrs[2] = { "dn", NULL };
@@ -2042,28 +1999,27 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C
a_state = h->data;
d_state = a_state->domain_state;
- sidstr = dom_sid_string(mem_ctx, r->in.sid);
- if (sidstr == NULL)
- return NT_STATUS_INVALID_PARAMETER;
-
ret = gendb_search(d_state->sam_ctx, mem_ctx, NULL,
- &msgs, attrs, "(objectsid=%s)", sidstr);
+ &msgs, attrs, "(objectsid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
if (ret == 1) {
memberdn = ldb_msg_find_string(msgs[0], "dn", NULL);
} else if (ret > 1) {
- DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr));
+ DEBUG(0,("Found %d records matching sid %s\n",
+ ret, dom_sid_string(mem_ctx, r->in.sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
struct ldb_message *msg;
struct GUID guid;
- const char *guidstr, *basedn;
+ const char *guidstr, *basedn, *sidstr;
+
+ sidstr = dom_sid_string(mem_ctx, r->in.sid);
+ NT_STATUS_HAVE_NO_MEMORY(sidstr);
/* We might have to create a ForeignSecurityPrincipal, but
* only if it's not our own domain */
- if (dom_sid_in_domain(dom_sid_parse_talloc(mem_ctx,
- d_state->domain_sid),
- r->in.sid))
+ if (dom_sid_in_domain(d_state->domain_sid, r->in.sid))
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
msg = ldb_msg_new(mem_ctx);
@@ -2166,7 +2122,6 @@ static NTSTATUS samr_DeleteAliasMember(struct dcesrv_call_state *dce_call, TALLO
struct dcesrv_handle *h;
struct samr_account_state *a_state;
struct samr_domain_state *d_state;
- const char *sidstr;
struct ldb_message *mod;
const char *memberdn;
@@ -2175,12 +2130,9 @@ static NTSTATUS samr_DeleteAliasMember(struct dcesrv_call_state *dce_call, TALLO
a_state = h->data;
d_state = a_state->domain_state;
- sidstr = dom_sid_string(mem_ctx, r->in.sid);
- if (sidstr == NULL)
- return NT_STATUS_INVALID_PARAMETER;
-
memberdn = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
- "dn", "(objectSid=%s)", sidstr);
+ "dn", "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
if (memberdn == NULL)
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
@@ -2274,7 +2226,8 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me
struct samr_domain_state *d_state;
struct samr_account_state *a_state;
struct dcesrv_handle *h;
- const char *account_name, *sidstr;
+ const char *account_name;
+ struct dom_sid *sid;
struct ldb_message **msgs;
struct dcesrv_handle *u_handle;
const char * const attrs[2] = { "sAMAccountName", NULL };
@@ -2287,8 +2240,8 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me
d_state = h->data;
/* form the users SID */
- sidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, r->in.rid);
- if (!sidstr) {
+ sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
+ if (!sid) {
return NT_STATUS_NO_MEMORY;
}
@@ -2296,18 +2249,20 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me
ret = gendb_search(d_state->sam_ctx,
mem_ctx, d_state->domain_dn, &msgs, attrs,
"(&(objectSid=%s)(objectclass=user))",
- sidstr);
+ ldap_encode_ndr_dom_sid(mem_ctx, sid));
if (ret == 0) {
return NT_STATUS_NO_SUCH_USER;
}
if (ret != 1) {
- DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr));
+ DEBUG(0,("Found %d records matching sid %s\n", ret,
+ dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
account_name = samdb_result_string(msgs[0], "sAMAccountName", NULL);
if (account_name == NULL) {
- DEBUG(0,("sAMAccountName field missing for sid %s\n", sidstr));
+ DEBUG(0,("sAMAccountName field missing for sid %s\n",
+ dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -2319,7 +2274,7 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me
a_state->access_mask = r->in.access_mask;
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msgs[0]->dn);
- a_state->account_sid = talloc_steal(a_state, sidstr);
+ a_state->account_sid = talloc_steal(a_state, sid);
a_state->account_name = talloc_strdup(a_state, account_name);
if (!a_state->account_name) {
return NT_STATUS_NO_MEMORY;
@@ -2801,7 +2756,6 @@ static NTSTATUS samr_GetGroupsForUser(struct dcesrv_call_state *dce_call, TALLOC
struct samr_account_state *a_state;
struct samr_domain_state *d_state;
struct ldb_message **res;
- struct dom_sid *domain_sid;
const char * const attrs[2] = { "objectSid", NULL };
struct samr_RidWithTypeArray *array;
int count;
@@ -2810,12 +2764,9 @@ static NTSTATUS samr_GetGroupsForUser(struct dcesrv_call_state *dce_call, TALLOC
a_state = h->data;
d_state = a_state->domain_state;
- domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid);
- if (domain_sid == NULL)
- return NT_STATUS_NO_MEMORY;
count = samdb_search_domain(a_state->sam_ctx, mem_ctx, NULL, &res,
- attrs, domain_sid,
+ attrs, d_state->domain_sid,
"(&(member=%s)(grouptype=%s)(objectclass=group))",
a_state->account_dn,
ldb_hexstr(mem_ctx,
@@ -2873,7 +2824,6 @@ static NTSTATUS samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, TALLOC
int ldb_cnt, count, i;
const char * const attrs[4] = { "objectSid", "sAMAccountName",
"description", NULL };
- struct dom_sid *domain_sid;
struct samr_DispEntryFull *entriesFull = NULL;
struct samr_DispEntryAscii *entriesAscii = NULL;
struct samr_DispEntryGeneral * entriesGeneral = NULL;
@@ -2907,15 +2857,11 @@ static NTSTATUS samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, TALLOC
return NT_STATUS_INVALID_INFO_CLASS;
}
- domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid);
- if (domain_sid == NULL)
- return NT_STATUS_NO_MEMORY;
-
/* search for all requested objects in this domain. This could
possibly be cached and resumed based on resume_key */
ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx,
d_state->domain_dn, &res, attrs,
- domain_sid, "%s", filter);
+ d_state->domain_sid, "%s", filter);
if (ldb_cnt == -1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -3127,8 +3073,7 @@ static NTSTATUS samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce
{
struct dcesrv_handle *h;
struct samr_domain_state *d_state;
- struct dom_sid *domain_sid;
- const char *membersid, *memberdn;
+ const char *memberdn;
struct ldb_message **res;
const char * const attrs[3] = { "dn", "objectSid", NULL };
int i, count;
@@ -3137,13 +3082,9 @@ static NTSTATUS samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce
d_state = h->data;
- domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid);
- membersid = dom_sid_string(mem_ctx, r->in.sid);
- if ((domain_sid == NULL) || (membersid == NULL))
- return NT_STATUS_NO_MEMORY;
-
memberdn = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
- "dn", "(objectSid=%s)", membersid);
+ "dn", "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
if (memberdn == NULL)
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
@@ -3152,7 +3093,7 @@ static NTSTATUS samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce
count = samdb_search_domain(d_state->sam_ctx, mem_ctx,
d_state->domain_dn, &res, attrs,
- domain_sid,
+ d_state->domain_sid,
"(&(member=%s)(objectClass=group)"
"(|(groupType=%s)(groupType=%s)))",
memberdn,
diff --git a/source4/rpc_server/samr/dcesrv_samr.h b/source4/rpc_server/samr/dcesrv_samr.h
index 9e41937328..51e0869eef 100644
--- a/source4/rpc_server/samr/dcesrv_samr.h
+++ b/source4/rpc_server/samr/dcesrv_samr.h
@@ -47,7 +47,7 @@ struct samr_domain_state {
struct samr_connect_state *connect_state;
void *sam_ctx;
uint32_t access_mask;
- const char *domain_sid;
+ struct dom_sid *domain_sid;
const char *domain_name;
const char *domain_dn;
};
@@ -59,7 +59,7 @@ struct samr_account_state {
struct samr_domain_state *domain_state;
void *sam_ctx;
uint32_t access_mask;
- const char *account_sid;
+ struct dom_sid *account_sid;
const char *account_name;
const char *account_dn;
};
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 8fa261cf35..d251c02eca 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -147,11 +147,11 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
int ret;
struct ldb_message **res, *mod;
const char * const attrs[] = { "objectSid", "lmPwdHash", "unicodePwd", NULL };
- const char *domain_sid;
struct samr_Password *lm_pwd;
DATA_BLOB lm_pwd_blob;
uint8_t new_lm_hash[16];
struct samr_Password lm_verifier;
+ struct dom_sid *domain_sid;
if (pwbuf == NULL) {
return NT_STATUS_WRONG_PASSWORD;
@@ -211,7 +211,8 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
}
domain_dn = samdb_search_string(sam_ctx, mem_ctx, NULL, "dn",
- "(objectSid=%s)", domain_sid);
+ "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
if (!domain_dn) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -267,7 +268,7 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
const char * const dom_attrs[] = { "minPwdLength", "pwdHistoryLength",
"pwdProperties", "minPwdAge", "maxPwdAge",
NULL };
- const char *domain_sid;
+ struct dom_sid *domain_sid;
struct samr_Password *nt_pwd, *lm_pwd;
DATA_BLOB nt_pwd_blob;
struct samr_DomInfo1 *dominfo;
@@ -360,7 +361,8 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
}
domain_dn = samdb_search_string(sam_ctx, mem_ctx, NULL, "dn",
- "(objectSid=%s)", domain_sid);
+ "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
if (!domain_dn) {
status = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto failed;