diff options
author | Andrew Tridgell <tridge@samba.org> | 2005-06-24 00:18:20 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:18:44 -0500 |
commit | bdee131f30e1bef31498b08bb648ddee35ea4892 (patch) | |
tree | c0ad71d994361020334bb280a9a5cbd31f73db5b /source4 | |
parent | 3022bfef70f4d76d3a12cfb8ee8cbdc72644b58f (diff) | |
download | samba-bdee131f30e1bef31498b08bb648ddee35ea4892.tar.gz samba-bdee131f30e1bef31498b08bb648ddee35ea4892.tar.bz2 samba-bdee131f30e1bef31498b08bb648ddee35ea4892.zip |
r7860: switch our ldb storage format to use a NDR encoded objectSid. This is
quite a large change as we had lots of code that assumed that
objectSid was a string in S- format.
metze and simo tried to convince me to use NDR format months ago, but
I didn't listen, so its fair that I have the pain of fixing all the
code now :-)
This builds on the ldb_register_samba_handlers() and ldif handlers
code I did earlier this week. There are still three parts of this
conversion I have not finished:
- the ltdb index records need to use the string form of the objectSid
(to keep the DNs sane). Until that it done I have disabled indexing on
objectSid, which is a big performance hit, but allows us to pass
all our tests while I rejig the indexing system to use a externally
supplied conversion function
- I haven't yet put in place the code that allows client to use the
"S-xxx-yyy" form for objectSid in ldap search expressions. w2k3
supports this, presumably by looking for the "S-" prefix to
determine what type of objectSid form is being used by the client. I
have been working on ways to handle this, but am not happy with
them yet so they aren't part of this patch
- I need to change pidl to generate push functions that take a
"const void *" instead of a "void*" for the data pointer. That will
fix the couple of new warnings this code generates.
Luckily it many places the conversion to NDR formatted records
actually simplified the code, as it means we no longer need as many
calls to dom_sid_parse_talloc(). In some places it got more complex,
but not many.
(This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/auth_sam.c | 15 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 51 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 99 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb_privilege.c | 11 | ||||
-rw-r--r-- | source4/lib/db_wrap.c | 9 | ||||
-rw-r--r-- | source4/lib/ldb/config.mk | 4 | ||||
-rw-r--r-- | source4/lib/ldb/samba/ldif_handlers.c | 6 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap_ndr.c | 2 | ||||
-rw-r--r-- | source4/ntvfs/common/sidmap.c | 97 | ||||
-rw-r--r-- | source4/rpc_server/lsa/dcesrv_lsa.c | 68 | ||||
-rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 17 | ||||
-rw-r--r-- | source4/rpc_server/samr/dcesrv_samr.c | 263 | ||||
-rw-r--r-- | source4/rpc_server/samr/dcesrv_samr.h | 4 | ||||
-rw-r--r-- | source4/rpc_server/samr/samr_password.c | 10 | ||||
-rw-r--r-- | source4/setup/provision.ldif | 2 |
15 files changed, 303 insertions, 355 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c index 1ad9087bfe..3318238fda 100644 --- a/source4/auth/auth_sam.c +++ b/source4/auth/auth_sam.c @@ -257,7 +257,7 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context * } if (!domain_name) { - const char *domain_sid; + struct dom_sid *domain_sid; domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); if (!domain_sid) { @@ -267,20 +267,20 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context * /* find the domain's DN */ ret = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_tmp, NULL, "(&(objectSid=%s)(objectclass=domain))", - domain_sid); + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); if (ret == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } if (ret == 0) { DEBUG(3,("check_sam_security: Couldn't find domain_sid [%s] in passdb file.\n", - domain_sid)); + dom_sid_string(mem_ctx, domain_sid))); return NT_STATUS_NO_SUCH_USER; } if (ret > 1) { DEBUG(0,("Found %d records matching domain_sid [%s]\n", - ret, domain_sid)); + ret, dom_sid_string(mem_ctx, domain_sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -400,15 +400,14 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context /* Need to unroll some nested groups, but not aliases */ for (i = 0; i < group_ret; i++) { - str = ldb_msg_find_string(group_msgs[i], "objectSid", NULL); - groupSIDs[i] = dom_sid_parse_talloc(groupSIDs, str); + groupSIDs[i] = samdb_result_dom_sid(groupSIDs, + group_msgs[i], "objectSid"); NT_STATUS_HAVE_NO_MEMORY(groupSIDs[i]); } talloc_free(tmp_ctx); - str = ldb_msg_find_string(msgs[0], "objectSid", NULL); - account_sid = dom_sid_parse_talloc(server_info, str); + account_sid = samdb_result_dom_sid(server_info, msgs[0], "objectSid"); NT_STATUS_HAVE_NO_MEMORY(account_sid); primary_group_sid = dom_sid_dup(server_info, account_sid); diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 5472bed107..b5440c3cd1 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -35,7 +35,8 @@ #include "includes.h" #include "lib/ldb/include/ldb.h" #include "lib/ldb/include/ldb_private.h" -#include <time.h> +#include "system/time.h" +#include "librpc/gen_ndr/ndr_security.h" #define SAM_ACCOUNT_NAME_BASE "$000000-000000000000" @@ -169,14 +170,15 @@ static char *samldb_search_domain(struct ldb_module *module, TALLOC_CTX *mem_ctx allocate a new RID for the domain return the new sid string */ -static char *samldb_get_new_sid(struct ldb_module *module, TALLOC_CTX *mem_ctx, const char *obj_dn) +static struct dom_sid *samldb_get_new_sid(struct ldb_module *module, + TALLOC_CTX *mem_ctx, const char *obj_dn) { const char * const attrs[2] = { "objectSid", NULL }; struct ldb_message **res = NULL; - const char *dom_dn, *dom_sid; - char *obj_sid; + const char *dom_dn; uint32_t rid; int ret, tries = 10; + struct dom_sid *dom_sid, *obj_sid; /* get the domain component part of the provided dn */ @@ -197,11 +199,11 @@ static char *samldb_get_new_sid(struct ldb_module *module, TALLOC_CTX *mem_ctx, ret = ldb_search(module->ldb, dom_dn, LDB_SCOPE_BASE, "objectSid=*", attrs, &res); if (ret != 1) { ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_get_new_sid: error retrieving domain sid!\n"); - if (res) talloc_free(res); + talloc_free(res); return NULL; } - dom_sid = ldb_msg_find_string(res[0], "objectSid", NULL); + dom_sid = samdb_result_dom_sid(res, res[0], "objectSid"); if (dom_sid == NULL) { ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_get_new_sid: error retrieving domain sid!\n"); talloc_free(res); @@ -225,12 +227,10 @@ static char *samldb_get_new_sid(struct ldb_module *module, TALLOC_CTX *mem_ctx, } /* return the new object sid */ - - obj_sid = talloc_asprintf(mem_ctx, "%s-%u", dom_sid, rid); + obj_sid = dom_sid_add_rid(mem_ctx, dom_sid, rid); talloc_free(res); - return obj_sid; } @@ -307,6 +307,18 @@ static BOOL samldb_msg_add_string(struct ldb_module *module, struct ldb_message return True; } +static BOOL samldb_msg_add_sid(struct ldb_module *module, struct ldb_message *msg, const char *name, const struct dom_sid *sid) +{ + struct ldb_val v; + NTSTATUS status; + status = ndr_push_struct_blob(&v, msg, sid, + (ndr_push_flags_fn_t)ndr_push_dom_sid); + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + return (ldb_msg_add_value(module->ldb, msg, name, &v) == 0); +} + static BOOL samldb_find_or_add_attribute(struct ldb_module *module, struct ldb_message *msg, const char *name, const char *value, const char *set_value) { if (samldb_find_attribute(msg, name, value) == NULL) { @@ -367,7 +379,7 @@ static struct ldb_message *samldb_fill_group_object(struct ldb_module *module, c { struct ldb_message *msg2; struct ldb_message_element *attribute; - char *rdn, *basedn, *sidstr; + char *rdn, *basedn; if (samldb_find_attribute(msg, "objectclass", "group") == NULL) { return NULL; @@ -418,15 +430,17 @@ static struct ldb_message *samldb_fill_group_object(struct ldb_module *module, c } if ((attribute = samldb_find_attribute(msg2, "objectSid", NULL)) == NULL ) { - - if ((sidstr = samldb_get_new_sid(module, msg2, msg2->dn)) == NULL) { + struct dom_sid *sid = samldb_get_new_sid(module, msg2, msg2->dn); + if (sid == NULL) { ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_group_object: internal error! Can't generate new sid\n"); return NULL; } - if ( ! samldb_msg_add_string(module, msg2, "objectSid", sidstr)) { + if (!samldb_msg_add_sid(module, msg2, "objectSid", sid)) { + talloc_free(sid); return NULL; } + talloc_free(sid); } if ( ! samldb_find_or_add_attribute(module, msg2, "sAMAccountName", NULL, samldb_generate_samAccountName(msg2))) { @@ -444,7 +458,7 @@ static struct ldb_message *samldb_fill_user_or_computer_object(struct ldb_module { struct ldb_message *msg2; struct ldb_message_element *attribute; - char *rdn, *basedn, *sidstr; + char *rdn, *basedn; if ((samldb_find_attribute(msg, "objectclass", "user") == NULL) && (samldb_find_attribute(msg, "objectclass", "computer") == NULL)) { return NULL; @@ -500,15 +514,18 @@ static struct ldb_message *samldb_fill_user_or_computer_object(struct ldb_module } if ((attribute = samldb_find_attribute(msg2, "objectSid", NULL)) == NULL ) { - - if ((sidstr = samldb_get_new_sid(module, msg2, msg2->dn)) == NULL) { + struct dom_sid *sid; + sid = samldb_get_new_sid(module, msg2, msg2->dn); + if (sid == NULL) { ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_user_or_computer_object: internal error! Can't generate new sid\n"); return NULL; } - if ( ! samldb_msg_add_string(module, msg2, "objectSid", sidstr)) { + if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) { + talloc_free(sid); return NULL; } + talloc_free(sid); } if ( ! samldb_find_or_add_attribute(module, msg2, "sAMAccountName", NULL, samldb_generate_samAccountName(msg2))) { diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 5f9764ce42..e2426738da 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -61,17 +61,17 @@ int samdb_search_domain(struct ldb_context *sam_ldb, while (i<count) { struct dom_sid *entry_sid; - entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], - "objectSid"); + entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], "objectSid"); if ((entry_sid == NULL) || (!dom_sid_in_domain(domain_sid, entry_sid))) { - /* Delete that entry from the result set */ (*res)[i] = (*res)[count-1]; count -= 1; + talloc_free(entry_sid); continue; } + talloc_free(entry_sid); i += 1; } @@ -125,6 +125,37 @@ const char *samdb_search_string(struct ldb_context *sam_ldb, } /* + search the sam for a dom_sid attribute in exactly 1 record +*/ +struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb, + TALLOC_CTX *mem_ctx, + const char *basedn, + const char *attr_name, + const char *format, ...) _PRINTF_ATTRIBUTE(5,6) +{ + va_list ap; + int count; + struct ldb_message **res; + const char * const attrs[2] = { attr_name, NULL }; + struct dom_sid *sid; + + va_start(ap, format); + count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap); + va_end(ap); + if (count > 1) { + DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n", + attr_name, format, count)); + } + if (count != 1) { + talloc_free(res); + return NULL; + } + sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name); + talloc_free(res); + return sid; +} + +/* return the count of the number of records in the sam matching the query */ int samdb_search_count(struct ldb_context *sam_ldb, @@ -274,16 +305,18 @@ const char *samdb_result_string(struct ldb_message *msg, const char *attr, pull a rid from a objectSid in a result set. */ uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg, - const char *attr, uint32_t default_value) + const char *attr, uint32_t default_value) { struct dom_sid *sid; - const char *sidstr = ldb_msg_find_string(msg, attr, NULL); - if (!sidstr) return default_value; - - sid = dom_sid_parse_talloc(mem_ctx, sidstr); - if (!sid) return default_value; + uint32_t rid; - return sid->sub_auths[sid->num_auths-1]; + sid = samdb_result_dom_sid(mem_ctx, msg, attr); + if (sid == NULL) { + return default_value; + } + rid = sid->sub_auths[sid->num_auths-1]; + talloc_free(sid); + return rid; } /* @@ -292,10 +325,24 @@ uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr) { - const char *sidstr = ldb_msg_find_string(msg, attr, NULL); - if (!sidstr) return NULL; - - return dom_sid_parse_talloc(mem_ctx, sidstr); + const struct ldb_val *v; + struct dom_sid *sid; + NTSTATUS status; + v = ldb_msg_find_ldb_val(msg, attr); + if (v == NULL) { + return NULL; + } + sid = talloc(mem_ctx, struct dom_sid); + if (sid == NULL) { + return NULL; + } + status = ndr_pull_struct_blob(v, sid, sid, + (ndr_pull_flags_fn_t)ndr_pull_dom_sid); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(sid); + return NULL; + } + return sid; } /* @@ -324,15 +371,13 @@ struct GUID samdb_result_guid(struct ldb_message *msg, const char *attr) pull a sid prefix from a objectSid in a result set. this is used to find the domain sid for a user */ -const char *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, struct ldb_message *msg, - const char *attr) +struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, struct ldb_message *msg, + const char *attr) { struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr); if (!sid || sid->num_auths < 1) return NULL; - sid->num_auths--; - - return dom_sid_string(mem_ctx, sid); + return sid; } /* @@ -704,6 +749,22 @@ int samdb_msg_add_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struc } /* + add a dom_sid element to a message +*/ +int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, + const char *attr_name, struct dom_sid *sid) +{ + struct ldb_val v; + NTSTATUS status; + status = ndr_push_struct_blob(&v, mem_ctx, sid, + (ndr_push_flags_fn_t)ndr_push_dom_sid); + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + return ldb_msg_add_value(sam_ldb, msg, attr_name, &v); +} + +/* add a delete element operation to a message */ int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c index 77ddcbbdcd..bfd37f6417 100644 --- a/source4/dsdb/samdb/samdb_privilege.c +++ b/source4/dsdb/samdb/samdb_privilege.c @@ -31,29 +31,26 @@ static NTSTATUS samdb_privilege_setup_sid(void *samctx, TALLOC_CTX *mem_ctx, const struct dom_sid *sid, uint64_t *mask) { - char *sidstr; const char * const attrs[] = { "privilege", NULL }; struct ldb_message **res = NULL; struct ldb_message_element *el; int ret, i; + char *sidstr; *mask = 0; - sidstr = dom_sid_string(mem_ctx, sid); - if (sidstr == NULL) { - return NT_STATUS_NO_MEMORY; - } + sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid); + NT_STATUS_HAVE_NO_MEMORY(sidstr); ret = gendb_search(samctx, mem_ctx, NULL, &res, attrs, "objectSid=%s", sidstr); + talloc_free(sidstr); if (ret != 1) { - talloc_free(sidstr); /* not an error to not match */ return NT_STATUS_OK; } el = ldb_msg_find_element(res[0], "privilege"); if (el == NULL) { - talloc_free(sidstr); return NT_STATUS_OK; } diff --git a/source4/lib/db_wrap.c b/source4/lib/db_wrap.c index c277f2d975..b000225bbf 100644 --- a/source4/lib/db_wrap.c +++ b/source4/lib/db_wrap.c @@ -102,6 +102,15 @@ struct ldb_context *ldb_wrap_connect(TALLOC_CTX *mem_ctx, ev = talloc_find_parent_bytype(mem_ctx, struct event_context); if (ev) { ldb_set_opaque(ldb, "EventContext", ev); + } else { + DEBUG(0,("WARNING: event_context not found\n")); + talloc_show_parents(mem_ctx, stdout); + } + + ret = ldb_register_samba_handlers(ldb); + if (ret == -1) { + talloc_free(ldb); + return NULL; } ret = ldb_connect(ldb, url, flags, options); diff --git a/source4/lib/ldb/config.mk b/source4/lib/ldb/config.mk index 00568aeda8..cf3a7fa93d 100644 --- a/source4/lib/ldb/config.mk +++ b/source4/lib/ldb/config.mk @@ -72,7 +72,7 @@ ADD_OBJ_FILES = \ lib/ldb/common/ldb_modules.o \ lib/ldb/common/ldb_explode_dn.o REQUIRED_SUBSYSTEMS = \ - LIBREPLACE LIBTALLOC + LIBREPLACE LIBTALLOC LDBSAMBA NOPROTO = YES # # End SUBSYSTEM LIBLDB @@ -103,7 +103,7 @@ OBJ_FILES = \ [SUBSYSTEM::LIBLDB_CMDLINE] OBJ_FILES= \ lib/ldb/tools/cmdline.o -REQUIRED_SUBSYSTEMS = LIBLDB LIBCMDLINE LIBBASIC LDBSAMBA +REQUIRED_SUBSYSTEMS = LIBLDB LIBCMDLINE LIBBASIC # End SUBSYSTEM LIBLDB_CMDLINE ################################################ diff --git a/source4/lib/ldb/samba/ldif_handlers.c b/source4/lib/ldb/samba/ldif_handlers.c index 7252d081f1..17a45df78d 100644 --- a/source4/lib/ldb/samba/ldif_handlers.c +++ b/source4/lib/ldb/samba/ldif_handlers.c @@ -85,11 +85,5 @@ static const struct ldb_ldif_handler samba_handlers[] = { */ int ldb_register_samba_handlers(struct ldb_context *ldb) { -#if 0 - /* we can't enable this until we fix the sam code to handle - non-string elements */ return ldb_ldif_add_handlers(ldb, samba_handlers, ARRAY_SIZE(samba_handlers)); -#else - return 0; -#endif } diff --git a/source4/libcli/ldap/ldap_ndr.c b/source4/libcli/ldap/ldap_ndr.c index 88ca1ece77..f490b9983d 100644 --- a/source4/libcli/ldap/ldap_ndr.c +++ b/source4/libcli/ldap/ldap_ndr.c @@ -41,7 +41,7 @@ const char *ldap_encode_ndr_uint32(TALLOC_CTX *mem_ctx, uint32_t value) /* encode a NDR dom_sid as a ldap filter element */ -const char *ldap_encode_ndr_dom_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid) +const char *ldap_encode_ndr_dom_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid) { DATA_BLOB blob; NTSTATUS status; diff --git a/source4/ntvfs/common/sidmap.c b/source4/ntvfs/common/sidmap.c index a39ee2f0eb..b29f197b34 100644 --- a/source4/ntvfs/common/sidmap.c +++ b/source4/ntvfs/common/sidmap.c @@ -97,26 +97,18 @@ static NTSTATUS sidmap_primary_domain_sid(struct sidmap_context *sidmap, TALLOC_CTX *mem_ctx, struct dom_sid **sid) { const char *attrs[] = { "objectSid", NULL }; - void *ctx = talloc_new(mem_ctx); - const char *sidstr; int ret; - struct ldb_message **res; + struct ldb_message **res = NULL; - ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs, + ret = gendb_search(sidmap->samctx, mem_ctx, NULL, &res, attrs, "(&(objectClass=domain)(name=%s))", lp_workgroup()); if (ret != 1) { - talloc_free(ctx); + talloc_free(res); return NT_STATUS_NO_SUCH_DOMAIN; } - sidstr = samdb_result_string(res[0], "objectSid", NULL); - if (sidstr == NULL) { - talloc_free(ctx); - return NT_STATUS_NO_SUCH_DOMAIN; - } - - *sid = dom_sid_parse_talloc(mem_ctx, sidstr); - talloc_free(ctx); + *sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid"); + talloc_free(res); if (*sid == NULL) { return NT_STATUS_NO_MEMORY; } @@ -137,26 +129,21 @@ NTSTATUS sidmap_sid_to_unixuid(struct sidmap_context *sidmap, const char *s; void *ctx; struct ldb_message **res; - const char *sidstr; struct dom_sid *domain_sid; NTSTATUS status; ctx = talloc_new(sidmap); - sidstr = dom_sid_string(ctx, sid); - if (sidstr == NULL) { - talloc_free(ctx); - return NT_STATUS_NO_MEMORY; - } ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs, - "objectSid=%s", sidstr); + "objectSid=%s", ldap_encode_ndr_dom_sid(ctx, sid)); if (ret != 1) { goto allocated_sid; } /* make sure its a user, not a group */ if (!is_user_account(res[0])) { - DEBUG(0,("sid_to_unixuid: sid %s is not an account!\n", sidstr)); + DEBUG(0,("sid_to_unixuid: sid %s is not an account!\n", + dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_INVALID_SID; } @@ -174,7 +161,7 @@ NTSTATUS sidmap_sid_to_unixuid(struct sidmap_context *sidmap, if (s != NULL) { struct passwd *pwd = getpwnam(s); if (!pwd) { - DEBUG(0,("unixName %s for sid %s does not exist as a local user\n", s, sidstr)); + DEBUG(0,("unixName %s for sid %s does not exist as a local user\n", s, dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_NO_SUCH_USER; } @@ -188,7 +175,8 @@ NTSTATUS sidmap_sid_to_unixuid(struct sidmap_context *sidmap, if (s != NULL) { struct passwd *pwd = getpwnam(s); if (!pwd) { - DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local user\n", s, sidstr)); + DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local user\n", + s, dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_NO_SUCH_USER; } @@ -217,7 +205,7 @@ allocated_sid: DEBUG(0,("sid_to_unixuid: no unixID, unixName or sAMAccountName for sid %s\n", - sidstr)); + dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_INVALID_SID; @@ -236,26 +224,21 @@ NTSTATUS sidmap_sid_to_unixgid(struct sidmap_context *sidmap, const char *s; void *ctx; struct ldb_message **res; - const char *sidstr; NTSTATUS status; struct dom_sid *domain_sid; ctx = talloc_new(sidmap); - sidstr = dom_sid_string(ctx, sid); - if (sidstr == NULL) { - talloc_free(ctx); - return NT_STATUS_NO_MEMORY; - } ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs, - "objectSid=%s", sidstr); + "objectSid=%s", ldap_encode_ndr_dom_sid(ctx, sid)); if (ret != 1) { goto allocated_sid; } /* make sure its not a user */ if (!is_group_account(res[0])) { - DEBUG(0,("sid_to_unixgid: sid %s is a ATYPE_NORMAL_ACCOUNT\n", sidstr)); + DEBUG(0,("sid_to_unixgid: sid %s is a ATYPE_NORMAL_ACCOUNT\n", + dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_INVALID_SID; } @@ -274,7 +257,7 @@ NTSTATUS sidmap_sid_to_unixgid(struct sidmap_context *sidmap, struct group *grp = getgrnam(s); if (!grp) { DEBUG(0,("unixName '%s' for sid %s does not exist as a local group\n", - s, sidstr)); + s, dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_NO_SUCH_USER; } @@ -288,7 +271,7 @@ NTSTATUS sidmap_sid_to_unixgid(struct sidmap_context *sidmap, if (s != NULL) { struct group *grp = getgrnam(s); if (!grp) { - DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local group\n", s, sidstr)); + DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local group\n", s, dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_NO_SUCH_USER; } @@ -314,7 +297,7 @@ allocated_sid: } DEBUG(0,("sid_to_unixgid: no unixID, unixName or sAMAccountName for sid %s\n", - sidstr)); + dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_INVALID_SID; @@ -363,18 +346,11 @@ NTSTATUS sidmap_uid_to_sid(struct sidmap_context *sidmap, ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs, "unixID=%u", (unsigned int)uid); for (i=0;i<ret;i++) { - const char *sidstr; - if (!is_user_account(res[i])) continue; - sidstr = samdb_result_string(res[i], "objectSid", NULL); - if (sidstr == NULL) continue; - - *sid = dom_sid_parse_talloc(mem_ctx, sidstr); + *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid"); talloc_free(ctx); - if (*sid == NULL) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(*sid); return NT_STATUS_OK; } @@ -391,18 +367,11 @@ NTSTATUS sidmap_uid_to_sid(struct sidmap_context *sidmap, "(|(unixName=%s)(sAMAccountName=%s))", pwd->pw_name, pwd->pw_name); for (i=0;i<ret;i++) { - const char *sidstr; - if (!is_user_account(res[i])) continue; - sidstr = samdb_result_string(res[i], "objectSid", NULL); - if (sidstr == NULL) continue; - - *sid = dom_sid_parse_talloc(mem_ctx, sidstr); + *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid"); talloc_free(ctx); - if (*sid == NULL) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(*sid); return NT_STATUS_OK; } @@ -475,18 +444,11 @@ NTSTATUS sidmap_gid_to_sid(struct sidmap_context *sidmap, ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs, "unixID=%u", (unsigned int)gid); for (i=0;i<ret;i++) { - const char *sidstr; - if (!is_group_account(res[i])) continue; - sidstr = samdb_result_string(res[i], "objectSid", NULL); - if (sidstr == NULL) continue; - - *sid = dom_sid_parse_talloc(mem_ctx, sidstr); + *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid"); talloc_free(ctx); - if (*sid == NULL) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(*sid); return NT_STATUS_OK; } @@ -503,18 +465,11 @@ NTSTATUS sidmap_gid_to_sid(struct sidmap_context *sidmap, "(|(unixName=%s)(sAMAccountName=%s))", grp->gr_name, grp->gr_name); for (i=0;i<ret;i++) { - const char *sidstr; - if (!is_group_account(res[i])) continue; - sidstr = samdb_result_string(res[i], "objectSid", NULL); - if (sidstr == NULL) continue; - - *sid = dom_sid_parse_talloc(mem_ctx, sidstr); + *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid"); talloc_free(ctx); - if (*sid == NULL) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(*sid); return NT_STATUS_OK; } diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index b3de4e4ba1..726c82364b 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -65,7 +65,6 @@ struct lsa_account_state { struct lsa_policy_state *policy; uint32_t access_mask; struct dom_sid *account_sid; - const char *account_sid_str; const char *account_dn; }; @@ -221,7 +220,6 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_ struct lsa_policy_state **_state) { struct lsa_policy_state *state; - const char *sid_str; state = talloc(mem_ctx, struct lsa_policy_state); if (!state) { @@ -266,13 +264,8 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_ return NT_STATUS_NO_SUCH_DOMAIN; } - sid_str = samdb_search_string(state->sam_ldb, mem_ctx, - state->domain_dn, "objectSid", NULL); - if (!sid_str) { - return NT_STATUS_NO_SUCH_DOMAIN; - } - - state->domain_sid = dom_sid_parse_talloc(state, sid_str); + state->domain_sid = samdb_search_dom_sid(state->sam_ldb, state, + state->domain_dn, "objectSid", NULL); if (!state->domain_sid) { return NT_STATUS_NO_SUCH_DOMAIN; } @@ -519,16 +512,11 @@ static NTSTATUS lsa_EnumAccounts(struct dcesrv_call_state *dce_call, TALLOC_CTX } for (i=0;i<count;i++) { - const char *sidstr; - - sidstr = samdb_result_string(res[i + *r->in.resume_handle], "objectSid", NULL); - if (sidstr == NULL) { - return NT_STATUS_NO_MEMORY; - } - r->out.sids->sids[i].sid = dom_sid_parse_talloc(r->out.sids->sids, sidstr); - if (r->out.sids->sids[i].sid == NULL) { - return NT_STATUS_NO_MEMORY; - } + r->out.sids->sids[i].sid = + samdb_result_dom_sid(r->out.sids->sids, + res[i + *r->in.resume_handle], + "objectSid"); + NT_STATUS_HAVE_NO_MEMORY(r->out.sids->sids[i].sid); } r->out.sids->num_sids = count; @@ -1104,7 +1092,7 @@ static NTSTATUS lsa_lookup_sid(struct lsa_policy_state *state, TALLOC_CTX *mem_c NTSTATUS status; ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs, - "objectSid=%s", sid_str); + "objectSid=%s", ldap_encode_ndr_dom_sid(mem_ctx, sid)); if (ret == 1) { *name = ldb_msg_find_string(res[0], "sAMAccountName", NULL); if (!*name) { @@ -1315,17 +1303,13 @@ static NTSTATUS lsa_OpenAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX * return NT_STATUS_NO_MEMORY; } - astate->account_sid_str = dom_sid_string(astate, astate->account_sid); - if (astate->account_sid_str == NULL) { - talloc_free(astate); - return NT_STATUS_NO_MEMORY; - } - /* check it really exists */ - astate->account_dn = samdb_search_string(state->sam_ldb, astate, - NULL, "dn", - "(&(objectSid=%s)(objectClass=group))", - astate->account_sid_str); + astate->account_dn = + samdb_search_string(state->sam_ldb, astate, + NULL, "dn", + "(&(objectSid=%s)(objectClass=group))", + ldap_encode_ndr_dom_sid(mem_ctx, + astate->account_sid)); if (astate->account_dn == NULL) { talloc_free(astate); return NT_STATUS_NO_SUCH_USER; @@ -1422,7 +1406,7 @@ static NTSTATUS lsa_EnumAccountRights(struct dcesrv_call_state *dce_call, state = h->data; - sidstr = dom_sid_string(mem_ctx, r->in.sid); + sidstr = ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid); if (sidstr == NULL) { return NT_STATUS_NO_MEMORY; } @@ -1471,7 +1455,7 @@ static NTSTATUS lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_call, const char *dn; struct lsa_EnumAccountRights r2; - sidstr = dom_sid_string(mem_ctx, sid); + sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid); if (sidstr == NULL) { return NT_STATUS_NO_MEMORY; } @@ -2348,16 +2332,9 @@ static NTSTATUS lsa_EnumAccountsWithUserRight(struct dcesrv_call_state *dce_call return NT_STATUS_NO_MEMORY; } for (i=0;i<ret;i++) { - const char *sidstr; - sidstr = samdb_result_string(res[i], "objectSid", NULL); - if (sidstr == NULL) { - return NT_STATUS_NO_MEMORY; - } - r->out.sids->sids[i].sid = dom_sid_parse_talloc(r->out.sids->sids, - sidstr); - if (r->out.sids->sids[i].sid == NULL) { - return NT_STATUS_NO_MEMORY; - } + r->out.sids->sids[i].sid = samdb_result_dom_sid(r->out.sids->sids, + res[i], "objectSid"); + NT_STATUS_HAVE_NO_MEMORY(r->out.sids->sids[i].sid); } r->out.sids->num_sids = ret; @@ -2540,12 +2517,7 @@ static NTSTATUS lsa_lookup_name(struct lsa_policy_state *state, TALLOC_CTX *mem_ ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs, "sAMAccountName=%s", name); if (ret == 1) { - const char *sid_str = ldb_msg_find_string(res[0], "objectSid", NULL); - if (sid_str == NULL) { - return NT_STATUS_INVALID_SID; - } - - *sid = dom_sid_parse_talloc(mem_ctx, sid_str); + *sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid"); if (*sid == NULL) { return NT_STATUS_INVALID_SID; } diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index bd20deedb9..4dd8312df5 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -313,7 +313,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO struct ldb_message **msgs_domain; NTSTATUS nt_status; struct ldb_message *mod; - const char *domain_sid; + struct dom_sid *domain_sid; const char *attrs[] = {"objectSid", NULL }; @@ -356,20 +356,20 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, "(&(objectSid=%s)(objectclass=domain))", - domain_sid); + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); if (num_records_domain == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } if (num_records_domain == 0) { DEBUG(3,("Couldn't find domain [%s] in samdb.\n", - domain_sid)); + dom_sid_string(mem_ctx, domain_sid))); return NT_STATUS_NO_SUCH_USER; } if (num_records_domain > 1) { DEBUG(0,("Found %d records matching domain [%s]\n", - num_records_domain, domain_sid)); + num_records_domain, dom_sid_string(mem_ctx, domain_sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1036,7 +1036,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL struct ldb_message **msgs_domain; NTSTATUS nt_status; struct ldb_message *mod; - const char *domain_sid; + struct dom_sid *domain_sid; char new_pass[512]; uint32_t new_pass_len; @@ -1083,20 +1083,21 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, "(&(objectSid=%s)(objectclass=domain))", - domain_sid); + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); if (num_records_domain == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } if (num_records_domain == 0) { DEBUG(3,("Couldn't find domain [%s] in samdb.\n", - domain_sid)); + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid))); return NT_STATUS_NO_SUCH_USER; } if (num_records_domain > 1) { DEBUG(0,("Found %d records matching domain [%s]\n", - num_records_domain, domain_sid)); + num_records_domain, + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index 337c300203..cce446533d 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c @@ -160,8 +160,7 @@ static NTSTATUS samr_LookupDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX { struct samr_connect_state *c_state; struct dcesrv_handle *h; - struct dom_sid2 *sid; - const char *sidstr; + struct dom_sid *sid; r->out.sid = NULL; @@ -173,19 +172,12 @@ static NTSTATUS samr_LookupDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX return NT_STATUS_INVALID_PARAMETER; } - sidstr = samdb_search_string(c_state->sam_ctx, - mem_ctx, NULL, "objectSid", - "(&(name=%s)(objectclass=domain))", - r->in.domain_name->string); - if (sidstr == NULL) { - return NT_STATUS_NO_SUCH_DOMAIN; - } - - sid = dom_sid_parse_talloc(mem_ctx, sidstr); + sid = samdb_search_dom_sid(c_state->sam_ctx, + mem_ctx, NULL, "objectSid", + "(&(name=%s)(objectclass=domain))", + r->in.domain_name->string); if (sid == NULL) { - DEBUG(0,("samdb: Invalid sid '%s' for domain %s\n", - sidstr, r->in.domain_name->string)); - return NT_STATUS_INTERNAL_DB_CORRUPTION; + return NT_STATUS_NO_SUCH_DOMAIN; } r->out.sid = sid; @@ -266,7 +258,7 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX * struct samr_OpenDomain *r) { struct dcesrv_handle *h_conn, *h_domain; - const char *sidstr, *domain_name; + const char *domain_name; struct samr_connect_state *c_state; struct samr_domain_state *d_state; const char * const attrs[2] = { "name", NULL}; @@ -283,15 +275,10 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX * return NT_STATUS_INVALID_PARAMETER; } - sidstr = dom_sid_string(mem_ctx, r->in.sid); - if (sidstr == NULL) { - return NT_STATUS_INVALID_PARAMETER; - } - ret = gendb_search(c_state->sam_ctx, mem_ctx, NULL, &msgs, attrs, "(&(objectSid=%s)(objectclass=domain))", - sidstr); + ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid)); if (ret != 1) { return NT_STATUS_NO_SUCH_DOMAIN; } @@ -308,7 +295,7 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX * d_state->connect_state = talloc_reference(d_state, c_state); d_state->sam_ctx = c_state->sam_ctx; - d_state->domain_sid = talloc_strdup(d_state, sidstr); + d_state->domain_sid = dom_sid_dup(d_state, r->in.sid); d_state->domain_name = talloc_strdup(d_state, domain_name); d_state->domain_dn = talloc_strdup(d_state, msgs[0]->dn); if (!d_state->domain_sid || !d_state->domain_name || !d_state->domain_dn) { @@ -470,7 +457,7 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO const char *name; struct ldb_message *msg; struct dom_sid *sid; - const char *groupname, *sidstr; + const char *groupname; struct dcesrv_handle *g_handle; int ret; @@ -526,10 +513,10 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO a_state->domain_state = talloc_reference(a_state, d_state); a_state->account_dn = talloc_steal(a_state, msg->dn); - /* retrieve the sidstring for the group just created */ - sidstr = samdb_search_string(d_state->sam_ctx, a_state, - msg->dn, "objectSid", NULL); - if (sidstr == NULL) { + /* retrieve the sid for the group just created */ + sid = samdb_search_dom_sid(d_state->sam_ctx, a_state, + msg->dn, "objectSid", NULL); + if (sid == NULL) { return NT_STATUS_UNSUCCESSFUL; } @@ -547,11 +534,6 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO g_handle->data = talloc_steal(g_handle, a_state); *r->out.group_handle = g_handle->wire_handle; - - sid = dom_sid_parse_talloc(mem_ctx, sidstr); - if (!sid) - return NT_STATUS_UNSUCCESSFUL; - *r->out.rid = sid->sub_auths[sid->num_auths-1]; return NT_STATUS_OK; @@ -578,7 +560,6 @@ static NTSTATUS samr_EnumDomainGroups(struct dcesrv_call_state *dce_call, TALLOC int ldb_cnt, count, i, first; struct samr_SamEntry *entries; const char * const attrs[3] = { "objectSid", "sAMAccountName", NULL }; - struct dom_sid *domain_sid; *r->out.resume_handle = 0; r->out.sam = NULL; @@ -588,15 +569,11 @@ static NTSTATUS samr_EnumDomainGroups(struct dcesrv_call_state *dce_call, TALLOC d_state = h->data; - domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid); - if (domain_sid == NULL) - return NT_STATUS_NO_MEMORY; - /* search for all domain groups in this domain. This could possibly be cached and resumed based on resume_key */ ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs, - domain_sid, + d_state->domain_sid, "(&(grouptype=%s)(objectclass=group))", ldb_hexstr(mem_ctx, GTYPE_SECURITY_GLOBAL_GROUP)); @@ -680,7 +657,7 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX const char *name; struct ldb_message *msg; struct dom_sid *sid; - const char *account_name, *sidstr; + const char *account_name; struct dcesrv_handle *u_handle; int ret; const char *container, *class=NULL; @@ -756,10 +733,10 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX a_state->domain_state = talloc_reference(a_state, d_state); a_state->account_dn = talloc_steal(a_state, msg->dn); - /* retrieve the sidstring for the group just created */ - sidstr = samdb_search_string(d_state->sam_ctx, a_state, + /* retrieve the sid for the group just created */ + sid = samdb_search_dom_sid(d_state->sam_ctx, a_state, msg->dn, "objectSid", NULL); - if (sidstr == NULL) { + if (sid == NULL) { return NT_STATUS_UNSUCCESSFUL; } @@ -779,10 +756,6 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *r->out.user_handle = u_handle->wire_handle; *r->out.access_granted = 0xf07ff; /* TODO: fix access mask calculations */ - sid = dom_sid_parse_talloc(mem_ctx, sidstr); - if (!sid) - return NT_STATUS_UNSUCCESSFUL; - *r->out.rid = sid->sub_auths[sid->num_auths-1]; return NT_STATUS_OK; @@ -898,7 +871,7 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C struct samr_domain_state *d_state; struct samr_account_state *a_state; struct dcesrv_handle *h; - const char *alias_name, *name, *sidstr; + const char *alias_name, *name; struct ldb_message *msg; struct dom_sid *sid; struct dcesrv_handle *a_handle; @@ -960,12 +933,9 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C a_state->domain_state = talloc_reference(a_state, d_state); a_state->account_dn = talloc_steal(a_state, msg->dn); - /* retrieve the sidstring for the group just created */ - sidstr = samdb_search_string(d_state->sam_ctx, a_state, + /* retrieve the sid for the alias just created */ + sid = samdb_search_dom_sid(d_state->sam_ctx, a_state, msg->dn, "objectSid", NULL); - if (sidstr == NULL) { - return NT_STATUS_UNSUCCESSFUL; - } a_state->account_name = talloc_strdup(a_state, alias_name); if (!a_state->account_name) { @@ -981,10 +951,6 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C *r->out.alias_handle = a_handle->wire_handle; - sid = dom_sid_parse_talloc(mem_ctx, sidstr); - if (!sid) - return NT_STATUS_UNSUCCESSFUL; - *r->out.rid = sid->sub_auths[sid->num_auths-1]; return NT_STATUS_OK; @@ -1003,7 +969,6 @@ static NTSTATUS samr_EnumDomainAliases(struct dcesrv_call_state *dce_call, TALLO int ldb_cnt, count, i, first; struct samr_SamEntry *entries; const char * const attrs[3] = { "objectSid", "sAMAccountName", NULL }; - struct dom_sid *domain_sid; *r->out.resume_handle = 0; r->out.sam = NULL; @@ -1013,15 +978,12 @@ static NTSTATUS samr_EnumDomainAliases(struct dcesrv_call_state *dce_call, TALLO d_state = h->data; - domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid); - if (domain_sid == NULL) - return NT_STATUS_NO_MEMORY; - /* search for all domain groups in this domain. This could possibly be cached and resumed based on resume_key */ ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx, d_state->domain_dn, - &res, attrs, domain_sid, + &res, attrs, + d_state->domain_sid, "(&(|(grouptype=%s)(grouptype=%s)))" "(objectclass=group))", ldb_hexstr(mem_ctx, @@ -1102,7 +1064,6 @@ static NTSTATUS samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALL struct dcesrv_handle *h; struct samr_domain_state *d_state; struct ldb_message **res; - struct dom_sid *domain_sid; int i, count = 0; DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN); @@ -1124,17 +1085,14 @@ static NTSTATUS samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_NO_MEMORY; for (i=0; i<r->in.sids->num_sids; i++) { - const char *sidstr, *memberdn; + const char *memberdn; - sidstr = dom_sid_string(mem_ctx, - r->in.sids->sids[i].sid); - if (sidstr == NULL) - return NT_STATUS_NO_MEMORY; - - memberdn = samdb_search_string(d_state->sam_ctx, - mem_ctx, NULL, "dn", - "(objectSid=%s)", - sidstr); + memberdn = + samdb_search_string(d_state->sam_ctx, + mem_ctx, NULL, "dn", + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, + r->in.sids->sids[i].sid)); if (memberdn == NULL) continue; @@ -1145,14 +1103,9 @@ static NTSTATUS samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_NO_MEMORY; } - domain_sid = dom_sid_parse_talloc(mem_ctx, - d_state->domain_sid); - if (domain_sid == NULL) - return NT_STATUS_NO_MEMORY; - count = samdb_search_domain(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs, - domain_sid, "%s))", filter); + d_state->domain_sid, "%s))", filter); if (count < 0) return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1215,8 +1168,7 @@ static NTSTATUS samr_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX for (i=0;i<r->in.num_names;i++) { struct ldb_message **res; - struct dom_sid2 *sid; - const char *sidstr; + struct dom_sid *sid; uint32_t atype, rtype; r->out.rids.ids[i] = 0; @@ -1229,18 +1181,12 @@ static NTSTATUS samr_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX continue; } - sidstr = samdb_result_string(res[0], "objectSid", NULL); - if (sidstr == NULL) { - status = STATUS_SOME_UNMAPPED; - continue; - } - - sid = dom_sid_parse_talloc(mem_ctx, sidstr); + sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid"); if (sid == NULL) { status = STATUS_SOME_UNMAPPED; continue; } - + atype = samdb_result_uint(res[0], "sAMAccountType", 0); if (atype == 0) { status = STATUS_SOME_UNMAPPED; @@ -1300,13 +1246,21 @@ static NTSTATUS samr_LookupRids(struct dcesrv_call_state *dce_call, TALLOC_CTX * const char * const attrs[] = { "sAMAccountType", "sAMAccountName", NULL }; uint32_t atype; + struct dom_sid *sid; ids[i] = SID_NAME_UNKNOWN; + sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rids[i]); + if (sid == NULL) { + names[i].string = NULL; + status = STATUS_SOME_UNMAPPED; + continue; + } + count = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs, - "(objectSid=%s-%u)", d_state->domain_sid, - r->in.rids[i]); + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, sid)); if (count != 1) { names[i].string = NULL; status = STATUS_SOME_UNMAPPED; @@ -1349,7 +1303,8 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m struct samr_domain_state *d_state; struct samr_account_state *a_state; struct dcesrv_handle *h; - const char *groupname, *sidstr; + const char *groupname; + struct dom_sid *sid; struct ldb_message **msgs; struct dcesrv_handle *g_handle; const char * const attrs[2] = { "sAMAccountName", NULL }; @@ -1362,8 +1317,8 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m d_state = h->data; /* form the group SID */ - sidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, r->in.rid); - if (!sidstr) { + sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid); + if (!sid) { return NT_STATUS_NO_MEMORY; } @@ -1372,19 +1327,22 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m mem_ctx, d_state->domain_dn, &msgs, attrs, "(&(objectSid=%s)(objectclass=group)" "(grouptype=%s))", - sidstr, ldb_hexstr(mem_ctx, - GTYPE_SECURITY_GLOBAL_GROUP)); + ldap_encode_ndr_dom_sid(mem_ctx, sid), + ldb_hexstr(mem_ctx, + GTYPE_SECURITY_GLOBAL_GROUP)); if (ret == 0) { return NT_STATUS_NO_SUCH_GROUP; } if (ret != 1) { - DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr)); + DEBUG(0,("Found %d records matching sid %s\n", + ret, dom_sid_string(mem_ctx, sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } groupname = samdb_result_string(msgs[0], "sAMAccountName", NULL); if (groupname == NULL) { - DEBUG(0,("sAMAccountName field missing for sid %s\n", sidstr)); + DEBUG(0,("sAMAccountName field missing for sid %s\n", + dom_sid_string(mem_ctx, sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1396,7 +1354,7 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m a_state->access_mask = r->in.access_mask; a_state->domain_state = talloc_reference(a_state, d_state); a_state->account_dn = talloc_steal(a_state, msgs[0]->dn); - a_state->account_sid = talloc_steal(a_state, sidstr); + a_state->account_sid = talloc_steal(a_state, sid); a_state->account_name = talloc_strdup(a_state, groupname); if (!a_state->account_name) { return NT_STATUS_NO_MEMORY; @@ -1586,7 +1544,7 @@ static NTSTATUS samr_AddGroupMember(struct dcesrv_call_state *dce_call, TALLOC_C struct samr_account_state *a_state; struct samr_domain_state *d_state; struct ldb_message *mod; - char *membersidstr; + struct dom_sid *membersid; const char *memberdn; struct ldb_message **msgs; const char * const attrs[2] = { "dn", NULL }; @@ -1597,16 +1555,15 @@ static NTSTATUS samr_AddGroupMember(struct dcesrv_call_state *dce_call, TALLOC_C a_state = h->data; d_state = a_state->domain_state; - membersidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, - r->in.rid); - if (membersidstr == NULL) + membersid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid); + if (membersid == NULL) return NT_STATUS_NO_MEMORY; /* In native mode, AD can also nest domain groups. Not sure yet * whether this is also available via RPC. */ ret = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &msgs, attrs, "(&(objectSid=%s)(objectclass=user))", - membersidstr); + ldap_encode_ndr_dom_sid(mem_ctx, membersid)); if (ret == 0) return NT_STATUS_NO_SUCH_USER; @@ -1674,7 +1631,7 @@ static NTSTATUS samr_DeleteGroupMember(struct dcesrv_call_state *dce_call, TALLO struct samr_account_state *a_state; struct samr_domain_state *d_state; struct ldb_message *mod; - char *membersidstr; + struct dom_sid *membersid; const char *memberdn; struct ldb_message **msgs; const char * const attrs[2] = { "dn", NULL }; @@ -1685,16 +1642,15 @@ static NTSTATUS samr_DeleteGroupMember(struct dcesrv_call_state *dce_call, TALLO a_state = h->data; d_state = a_state->domain_state; - membersidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, - r->in.rid); - if (membersidstr == NULL) + membersid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid); + if (membersid == NULL) return NT_STATUS_NO_MEMORY; /* In native mode, AD can also nest domain groups. Not sure yet * whether this is also available via RPC. */ ret = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &msgs, attrs, "(&(objectSid=%s)(objectclass=user))", - membersidstr); + ldap_encode_ndr_dom_sid(mem_ctx, membersid)); if (ret == 0) return NT_STATUS_NO_SUCH_USER; @@ -1820,7 +1776,8 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m struct samr_domain_state *d_state; struct samr_account_state *a_state; struct dcesrv_handle *h; - const char *alias_name, *sidstr; + const char *alias_name; + struct dom_sid *sid; struct ldb_message **msgs; struct dcesrv_handle *g_handle; const char * const attrs[2] = { "sAMAccountName", NULL }; @@ -1833,9 +1790,8 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m d_state = h->data; /* form the alias SID */ - sidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, - r->in.rid); - if (sidstr == NULL) + sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid); + if (sid == NULL) return NT_STATUS_NO_MEMORY; /* search for the group record */ @@ -1843,7 +1799,7 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m mem_ctx, d_state->domain_dn, &msgs, attrs, "(&(objectSid=%s)(objectclass=group)" "(|(grouptype=%s)(grouptype=%s)))", - sidstr, + ldap_encode_ndr_dom_sid(mem_ctx, sid), ldb_hexstr(mem_ctx, GTYPE_SECURITY_BUILTIN_LOCAL_GROUP), ldb_hexstr(mem_ctx, @@ -1852,13 +1808,15 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m return NT_STATUS_NO_SUCH_ALIAS; } if (ret != 1) { - DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr)); + DEBUG(0,("Found %d records matching sid %s\n", + ret, dom_sid_string(mem_ctx, sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } alias_name = samdb_result_string(msgs[0], "sAMAccountName", NULL); if (alias_name == NULL) { - DEBUG(0,("sAMAccountName field missing for sid %s\n", sidstr)); + DEBUG(0,("sAMAccountName field missing for sid %s\n", + dom_sid_string(mem_ctx, sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1870,7 +1828,7 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m a_state->access_mask = r->in.access_mask; a_state->domain_state = talloc_reference(a_state, d_state); a_state->account_dn = talloc_steal(a_state, msgs[0]->dn); - a_state->account_sid = talloc_steal(a_state, sidstr); + a_state->account_sid = talloc_steal(a_state, sid); a_state->account_name = talloc_strdup(a_state, alias_name); if (!a_state->account_name) { return NT_STATUS_NO_MEMORY; @@ -2030,7 +1988,6 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C struct dcesrv_handle *h; struct samr_account_state *a_state; struct samr_domain_state *d_state; - const char *sidstr; struct ldb_message *mod; struct ldb_message **msgs; const char * const attrs[2] = { "dn", NULL }; @@ -2042,28 +1999,27 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C a_state = h->data; d_state = a_state->domain_state; - sidstr = dom_sid_string(mem_ctx, r->in.sid); - if (sidstr == NULL) - return NT_STATUS_INVALID_PARAMETER; - ret = gendb_search(d_state->sam_ctx, mem_ctx, NULL, - &msgs, attrs, "(objectsid=%s)", sidstr); + &msgs, attrs, "(objectsid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid)); if (ret == 1) { memberdn = ldb_msg_find_string(msgs[0], "dn", NULL); } else if (ret > 1) { - DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr)); + DEBUG(0,("Found %d records matching sid %s\n", + ret, dom_sid_string(mem_ctx, r->in.sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } else if (ret == 0) { struct ldb_message *msg; struct GUID guid; - const char *guidstr, *basedn; + const char *guidstr, *basedn, *sidstr; + + sidstr = dom_sid_string(mem_ctx, r->in.sid); + NT_STATUS_HAVE_NO_MEMORY(sidstr); /* We might have to create a ForeignSecurityPrincipal, but * only if it's not our own domain */ - if (dom_sid_in_domain(dom_sid_parse_talloc(mem_ctx, - d_state->domain_sid), - r->in.sid)) + if (dom_sid_in_domain(d_state->domain_sid, r->in.sid)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; msg = ldb_msg_new(mem_ctx); @@ -2166,7 +2122,6 @@ static NTSTATUS samr_DeleteAliasMember(struct dcesrv_call_state *dce_call, TALLO struct dcesrv_handle *h; struct samr_account_state *a_state; struct samr_domain_state *d_state; - const char *sidstr; struct ldb_message *mod; const char *memberdn; @@ -2175,12 +2130,9 @@ static NTSTATUS samr_DeleteAliasMember(struct dcesrv_call_state *dce_call, TALLO a_state = h->data; d_state = a_state->domain_state; - sidstr = dom_sid_string(mem_ctx, r->in.sid); - if (sidstr == NULL) - return NT_STATUS_INVALID_PARAMETER; - memberdn = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL, - "dn", "(objectSid=%s)", sidstr); + "dn", "(objectSid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid)); if (memberdn == NULL) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -2274,7 +2226,8 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me struct samr_domain_state *d_state; struct samr_account_state *a_state; struct dcesrv_handle *h; - const char *account_name, *sidstr; + const char *account_name; + struct dom_sid *sid; struct ldb_message **msgs; struct dcesrv_handle *u_handle; const char * const attrs[2] = { "sAMAccountName", NULL }; @@ -2287,8 +2240,8 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me d_state = h->data; /* form the users SID */ - sidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, r->in.rid); - if (!sidstr) { + sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid); + if (!sid) { return NT_STATUS_NO_MEMORY; } @@ -2296,18 +2249,20 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me ret = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &msgs, attrs, "(&(objectSid=%s)(objectclass=user))", - sidstr); + ldap_encode_ndr_dom_sid(mem_ctx, sid)); if (ret == 0) { return NT_STATUS_NO_SUCH_USER; } if (ret != 1) { - DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr)); + DEBUG(0,("Found %d records matching sid %s\n", ret, + dom_sid_string(mem_ctx, sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } account_name = samdb_result_string(msgs[0], "sAMAccountName", NULL); if (account_name == NULL) { - DEBUG(0,("sAMAccountName field missing for sid %s\n", sidstr)); + DEBUG(0,("sAMAccountName field missing for sid %s\n", + dom_sid_string(mem_ctx, sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -2319,7 +2274,7 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me a_state->access_mask = r->in.access_mask; a_state->domain_state = talloc_reference(a_state, d_state); a_state->account_dn = talloc_steal(a_state, msgs[0]->dn); - a_state->account_sid = talloc_steal(a_state, sidstr); + a_state->account_sid = talloc_steal(a_state, sid); a_state->account_name = talloc_strdup(a_state, account_name); if (!a_state->account_name) { return NT_STATUS_NO_MEMORY; @@ -2801,7 +2756,6 @@ static NTSTATUS samr_GetGroupsForUser(struct dcesrv_call_state *dce_call, TALLOC struct samr_account_state *a_state; struct samr_domain_state *d_state; struct ldb_message **res; - struct dom_sid *domain_sid; const char * const attrs[2] = { "objectSid", NULL }; struct samr_RidWithTypeArray *array; int count; @@ -2810,12 +2764,9 @@ static NTSTATUS samr_GetGroupsForUser(struct dcesrv_call_state *dce_call, TALLOC a_state = h->data; d_state = a_state->domain_state; - domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid); - if (domain_sid == NULL) - return NT_STATUS_NO_MEMORY; count = samdb_search_domain(a_state->sam_ctx, mem_ctx, NULL, &res, - attrs, domain_sid, + attrs, d_state->domain_sid, "(&(member=%s)(grouptype=%s)(objectclass=group))", a_state->account_dn, ldb_hexstr(mem_ctx, @@ -2873,7 +2824,6 @@ static NTSTATUS samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, TALLOC int ldb_cnt, count, i; const char * const attrs[4] = { "objectSid", "sAMAccountName", "description", NULL }; - struct dom_sid *domain_sid; struct samr_DispEntryFull *entriesFull = NULL; struct samr_DispEntryAscii *entriesAscii = NULL; struct samr_DispEntryGeneral * entriesGeneral = NULL; @@ -2907,15 +2857,11 @@ static NTSTATUS samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, TALLOC return NT_STATUS_INVALID_INFO_CLASS; } - domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid); - if (domain_sid == NULL) - return NT_STATUS_NO_MEMORY; - /* search for all requested objects in this domain. This could possibly be cached and resumed based on resume_key */ ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs, - domain_sid, "%s", filter); + d_state->domain_sid, "%s", filter); if (ldb_cnt == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -3127,8 +3073,7 @@ static NTSTATUS samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce { struct dcesrv_handle *h; struct samr_domain_state *d_state; - struct dom_sid *domain_sid; - const char *membersid, *memberdn; + const char *memberdn; struct ldb_message **res; const char * const attrs[3] = { "dn", "objectSid", NULL }; int i, count; @@ -3137,13 +3082,9 @@ static NTSTATUS samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce d_state = h->data; - domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid); - membersid = dom_sid_string(mem_ctx, r->in.sid); - if ((domain_sid == NULL) || (membersid == NULL)) - return NT_STATUS_NO_MEMORY; - memberdn = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL, - "dn", "(objectSid=%s)", membersid); + "dn", "(objectSid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid)); if (memberdn == NULL) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -3152,7 +3093,7 @@ static NTSTATUS samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce count = samdb_search_domain(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs, - domain_sid, + d_state->domain_sid, "(&(member=%s)(objectClass=group)" "(|(groupType=%s)(groupType=%s)))", memberdn, diff --git a/source4/rpc_server/samr/dcesrv_samr.h b/source4/rpc_server/samr/dcesrv_samr.h index 9e41937328..51e0869eef 100644 --- a/source4/rpc_server/samr/dcesrv_samr.h +++ b/source4/rpc_server/samr/dcesrv_samr.h @@ -47,7 +47,7 @@ struct samr_domain_state { struct samr_connect_state *connect_state; void *sam_ctx; uint32_t access_mask; - const char *domain_sid; + struct dom_sid *domain_sid; const char *domain_name; const char *domain_dn; }; @@ -59,7 +59,7 @@ struct samr_account_state { struct samr_domain_state *domain_state; void *sam_ctx; uint32_t access_mask; - const char *account_sid; + struct dom_sid *account_sid; const char *account_name; const char *account_dn; }; diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 8fa261cf35..d251c02eca 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -147,11 +147,11 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_ int ret; struct ldb_message **res, *mod; const char * const attrs[] = { "objectSid", "lmPwdHash", "unicodePwd", NULL }; - const char *domain_sid; struct samr_Password *lm_pwd; DATA_BLOB lm_pwd_blob; uint8_t new_lm_hash[16]; struct samr_Password lm_verifier; + struct dom_sid *domain_sid; if (pwbuf == NULL) { return NT_STATUS_WRONG_PASSWORD; @@ -211,7 +211,8 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_ } domain_dn = samdb_search_string(sam_ctx, mem_ctx, NULL, "dn", - "(objectSid=%s)", domain_sid); + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); if (!domain_dn) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -267,7 +268,7 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, const char * const dom_attrs[] = { "minPwdLength", "pwdHistoryLength", "pwdProperties", "minPwdAge", "maxPwdAge", NULL }; - const char *domain_sid; + struct dom_sid *domain_sid; struct samr_Password *nt_pwd, *lm_pwd; DATA_BLOB nt_pwd_blob; struct samr_DomInfo1 *dominfo; @@ -360,7 +361,8 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, } domain_dn = samdb_search_string(sam_ctx, mem_ctx, NULL, "dn", - "(objectSid=%s)", domain_sid); + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); if (!domain_dn) { status = NT_STATUS_INTERNAL_DB_CORRUPTION; goto failed; diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index c3968495e4..ce6d349aca 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif @@ -1,7 +1,7 @@ dn: @INDEXLIST @IDXATTR: name @IDXATTR: sAMAccountName -@IDXATTR: objectSid +@IDXATTR: objectSid_DISABLED_BY_TRIDGE @IDXATTR: objectClass @IDXATTR: member @IDXATTR: unixID |