diff options
-rw-r--r-- | source3/auth/auth_util.c | 407 | ||||
-rw-r--r-- | source3/auth/server_info.c | 277 | ||||
-rw-r--r-- | source3/auth/server_info_sam.c | 9 | ||||
-rw-r--r-- | source3/include/auth.h | 2 | ||||
-rw-r--r-- | source3/modules/vfs_expand_msdfs.c | 2 | ||||
-rw-r--r-- | source3/modules/vfs_full_audit.c | 2 | ||||
-rw-r--r-- | source3/modules/vfs_recycle.c | 2 | ||||
-rw-r--r-- | source3/modules/vfs_smb_traffic_analyzer.c | 6 | ||||
-rw-r--r-- | source3/printing/printing.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 2 | ||||
-rw-r--r-- | source3/smbd/lanman.c | 9 | ||||
-rw-r--r-- | source3/smbd/password.c | 6 | ||||
-rw-r--r-- | source3/smbd/process.c | 3 | ||||
-rw-r--r-- | source3/smbd/service.c | 12 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 6 | ||||
-rw-r--r-- | source3/smbd/smb2_sesssetup.c | 8 | ||||
-rw-r--r-- | source3/smbd/uid.c | 6 |
18 files changed, 158 insertions, 605 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ad454b6df1..d64cb537c7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -455,7 +455,7 @@ static NTSTATUS log_nt_token(NT_USER_TOKEN *token) } /* - * Create the token to use from server_info->sam_account and + * Create the token to use from server_info->info3 and * server_info->sids (the info3/sam groups). Find the unix gids. */ @@ -464,6 +464,7 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info) NTSTATUS status; size_t i; struct dom_sid tmp_sid; + struct dom_sid user_sid; /* * If winbind is not around, we can not make much use of the SIDs the @@ -482,9 +483,13 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info) &server_info->ptok); } else { + sid_compose(&user_sid, + server_info->info3->base.domain_sid, + server_info->info3->base.rid); + server_info->ptok = create_local_nt_token( server_info, - pdb_get_user_sid(server_info->sam_account), + &user_sid, server_info->guest, server_info->num_sids, server_info->sids); status = server_info->ptok ? @@ -592,7 +597,16 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info, return NT_STATUS_NO_MEMORY; } - result->sam_account = sampass; + status = samu_to_SamInfo3(result, sampass, + global_myname(), &result->info3); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("Failed to convert samu to info3: %s\n", + nt_errstr(status))); + TALLOC_FREE(sampass); + TALLOC_FREE(result); + return status; + } + result->unix_name = talloc_strdup(result, unix_username); result->sanitized_username = sanitize_username(result, unix_username); @@ -614,10 +628,13 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info, if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", nt_errstr(status))); + TALLOC_FREE(sampass); TALLOC_FREE(result); return status; } + TALLOC_FREE(sampass); + /* * The SID returned in server_info->sam_account is based * on our SAM sid even though for a pure UNIX account this should @@ -661,6 +678,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info, return NT_STATUS_NO_SUCH_USER; } + /* FIXME: add to info3 too ? */ status = add_sid_to_array_unique(result, &u_sid, &result->sids, &result->num_sids); @@ -812,13 +830,8 @@ struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx, dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data, src->lm_session_key.length); - dst->sam_account = samu_new(NULL); - if (!dst->sam_account) { - TALLOC_FREE(dst); - return NULL; - } - - if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) { + dst->info3 = copy_netr_SamInfo3(dst, src->info3); + if (!dst->info3) { TALLOC_FREE(dst); return NULL; } @@ -901,15 +914,12 @@ bool copy_current_user(struct current_user *dst, struct current_user *src) /*************************************************************************** Purely internal function for make_server_info_info3 - Fill the sam account from getpwnam ***************************************************************************/ -static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, - const char *domain, - const char *username, - char **found_username, - uid_t *uid, gid_t *gid, - struct samu *account, - bool *username_was_mapped) + +static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, + const char *username, char **found_username, + uid_t *uid, gid_t *gid, + bool *username_was_mapped) { struct smbd_server_connection *sconn = smbd_server_conn; NTSTATUS nt_status; @@ -923,7 +933,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(), lower_username); - /* Get the passwd struct. Try to create the account is necessary. */ + /* Get the passwd struct. Try to create the account if necessary. */ *username_was_mapped = map_username(sconn, dom_user); @@ -941,10 +951,6 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, *found_username = talloc_strdup( mem_ctx, real_username ); - DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username)); - - nt_status = samu_set_unix( account, passwd ); - TALLOC_FREE(passwd); return nt_status; @@ -1051,7 +1057,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, char *found_username = NULL; const char *nt_domain; const char *nt_username; - struct samu *sam_account = NULL; struct dom_sid user_sid; struct dom_sid group_sid; bool username_was_mapped; @@ -1090,8 +1095,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, nt_domain = domain; } - /* try to fill the SAM account.. If getpwnam() fails, then try the - add user script (2.2.x behavior). + /* If getpwnam() fails try the add user script (2.2.x behavior). We use the _unmapped_ username here in an attempt to provide consistent username mapping behavior between kerberos and NTLM[SSP] @@ -1102,129 +1106,18 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, that is how the current code is designed. Making the change here is the least disruptive place. -- jerry */ - if ( !(sam_account = samu_new( NULL )) ) { - return NT_STATUS_NO_MEMORY; - } - /* this call will try to create the user if necessary */ - nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username, - &found_username, &uid, &gid, sam_account, + nt_status = check_account(mem_ctx, nt_domain, sent_nt_username, + &found_username, &uid, &gid, &username_was_mapped); - - /* if we still don't have a valid unix account check for - 'map to guest = bad uid' */ - - if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE( sam_account ); - if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { - make_server_info_guest(NULL, server_info); - return NT_STATUS_OK; - } - return nt_status; - } - - if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_UNSUCCESSFUL; - } - - if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_UNSUCCESSFUL; - } - - if (!pdb_set_fullname(sam_account, - info3->base.full_name.string, - PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_logon_script(sam_account, - info3->base.logon_script.string, - PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_profile_path(sam_account, - info3->base.profile_path.string, - PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_homedir(sam_account, - info3->base.home_directory.string, - PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_dir_drive(sam_account, - info3->base.home_drive.string, - PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_acct_ctrl(sam_account, info3->base.acct_flags, PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_pass_last_set_time( - sam_account, - nt_time_to_unix(info3->base.last_password_change), - PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_pass_can_change_time( - sam_account, - nt_time_to_unix(info3->base.allow_password_change), - PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_pass_must_change_time( - sam_account, - nt_time_to_unix(info3->base.force_password_change), - PDB_CHANGED)) { - TALLOC_FREE(sam_account); - return NT_STATUS_NO_MEMORY; - } - result = make_server_info(NULL); if (result == NULL) { DEBUG(4, ("make_server_info failed!\n")); - TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } - /* save this here to _net_sam_logon() doesn't fail (it assumes a - valid struct samu) */ - - result->sam_account = sam_account; result->unix_name = talloc_strdup(result, found_username); result->sanitized_username = sanitize_username(result, @@ -1234,6 +1127,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } + /* copy in the info3 */ + result->info3 = copy_netr_SamInfo3(result, info3); + /* Fill in the unix info we found on the way */ result->utok.uid = uid; @@ -1294,237 +1190,16 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, const struct wbcAuthUserInfo *info, struct auth_serversupplied_info **server_info) { - static const char zeros[16] = {0, }; - - NTSTATUS nt_status = NT_STATUS_OK; - char *found_username = NULL; - const char *nt_domain; - const char *nt_username; - struct samu *sam_account = NULL; - struct dom_sid user_sid; - struct dom_sid group_sid; - bool username_was_mapped; - uint32_t i; - - uid_t uid = (uid_t)-1; - gid_t gid = (gid_t)-1; - - struct auth_serversupplied_info *result; - - result = make_server_info(NULL); - if (result == NULL) { - DEBUG(4, ("make_server_info failed!\n")); - return NT_STATUS_NO_MEMORY; - } - - /* - Here is where we should check the list of - trusted domains, and verify that the SID - matches. - */ - - memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid)); - memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid)); + struct netr_SamInfo3 *info3; - if (info->account_name) { - nt_username = talloc_strdup(result, info->account_name); - } else { - /* If the server didn't give us one, just use the one we sent - * them */ - nt_username = talloc_strdup(result, sent_nt_username); - } - if (!nt_username) { - TALLOC_FREE(result); + info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info); + if (!info3) { return NT_STATUS_NO_MEMORY; } - if (info->domain_name) { - nt_domain = talloc_strdup(result, info->domain_name); - } else { - /* If the server didn't give us one, just use the one we sent - * them */ - nt_domain = talloc_strdup(result, domain); - } - if (!nt_domain) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - /* try to fill the SAM account.. If getpwnam() fails, then try the - add user script (2.2.x behavior). - - We use the _unmapped_ username here in an attempt to provide - consistent username mapping behavior between kerberos and NTLM[SSP] - authentication in domain mode security. I.E. Username mapping - should be applied to the fully qualified username - (e.g. DOMAIN\user) and not just the login name. Yes this means we - called map_username() unnecessarily in make_user_info_map() but - that is how the current code is designed. Making the change here - is the least disruptive place. -- jerry */ - - if ( !(sam_account = samu_new( result )) ) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - /* this call will try to create the user if necessary */ - - nt_status = fill_sam_account(result, nt_domain, sent_nt_username, - &found_username, &uid, &gid, sam_account, - &username_was_mapped); - - /* if we still don't have a valid unix account check for - 'map to guest = bad uid' */ - - if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE( result ); - if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { - make_server_info_guest(NULL, server_info); - return NT_STATUS_OK; - } - return nt_status; - } - - if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_UNSUCCESSFUL; - } - - if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_UNSUCCESSFUL; - } - - if (!pdb_set_fullname(sam_account, info->full_name, PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_logon_script(sam_account, info->logon_script, PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_profile_path(sam_account, info->profile_path, PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_homedir(sam_account, info->home_directory, PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_dir_drive(sam_account, info->home_drive, PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_acct_ctrl(sam_account, info->acct_flags, PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_pass_last_set_time( - sam_account, - nt_time_to_unix(info->pass_last_set_time), - PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_pass_can_change_time( - sam_account, - nt_time_to_unix(info->pass_can_change_time), - PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_set_pass_must_change_time( - sam_account, - nt_time_to_unix(info->pass_must_change_time), - PDB_CHANGED)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - /* save this here to _net_sam_logon() doesn't fail (it assumes a - valid struct samu) */ - - result->sam_account = sam_account; - result->unix_name = talloc_strdup(result, found_username); - - result->sanitized_username = sanitize_username(result, - result->unix_name); - result->login_server = talloc_strdup(result, info->logon_server); - - if ((result->unix_name == NULL) - || (result->sanitized_username == NULL) - || (result->login_server == NULL)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - /* Fill in the unix info we found on the way */ - - result->utok.uid = uid; - result->utok.gid = gid; - - /* Create a 'combined' list of all SIDs we might want in the SD */ - - result->num_sids = info->num_sids - 2; - result->sids = talloc_array(result, struct dom_sid, result->num_sids); - if (result->sids == NULL) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - - for (i=0; i < result->num_sids; i++) { - memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i])); - } - - /* Ensure the primary group sid is at position 0. */ - sort_sid_array_for_smbd(result, &group_sid); - - /* ensure we are never given NULL session keys */ - - if (memcmp(info->user_session_key, zeros, sizeof(zeros)) == 0) { - result->user_session_key = data_blob_null; - } else { - result->user_session_key = data_blob_talloc( - result, info->user_session_key, - sizeof(info->user_session_key)); - } - - if (memcmp(info->lm_session_key, zeros, 8) == 0) { - result->lm_session_key = data_blob_null; - } else { - result->lm_session_key = data_blob_talloc( - result, info->lm_session_key, - sizeof(info->lm_session_key)); - } - - result->nss_token |= username_was_mapped; - - *server_info = result; - - return NT_STATUS_OK; + return make_server_info_info3(mem_ctx, + sent_nt_username, domain, + server_info, info3); } /** diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c index d7ab19c58b..e9ccdb6700 100644 --- a/source3/auth/server_info.c +++ b/source3/auth/server_info.c @@ -23,9 +23,10 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH +/* FIXME: do we really still need this ? */ static int server_info_dtor(struct auth_serversupplied_info *server_info) { - TALLOC_FREE(server_info->sam_account); + TALLOC_FREE(server_info->info3); ZERO_STRUCTP(server_info); return 0; } @@ -55,211 +56,45 @@ struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) return result; } -/******************************************************************* - gets a domain user's groups from their already-calculated NT_USER_TOKEN - ********************************************************************/ - -static NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx, - const struct dom_sid *domain_sid, - size_t num_sids, - const struct dom_sid *sids, - int *numgroups, - struct samr_RidWithAttribute **pgids) -{ - int i; - - *numgroups=0; - *pgids = NULL; - - for (i=0; i<num_sids; i++) { - struct samr_RidWithAttribute gid; - if (!sid_peek_check_rid(domain_sid, &sids[i], &gid.rid)) { - continue; - } - gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT| - SE_GROUP_ENABLED); - ADD_TO_ARRAY(mem_ctx, struct samr_RidWithAttribute, - gid, pgids, numgroups); - if (*pgids == NULL) { - return NT_STATUS_NO_MEMORY; - } - } - return NT_STATUS_OK; -} - /**************************************************************************** - inits a netr_SamBaseInfo structure from an auth_serversupplied_info. + inits a netr_SamInfo2 structure from an auth_serversupplied_info. sam2 must + already be initialized and is used as the talloc parent for its members. *****************************************************************************/ -static NTSTATUS serverinfo_to_SamInfo_base(TALLOC_CTX *mem_ctx, - struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, - struct netr_SamBaseInfo *base) +NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, + uint8_t *pipe_session_key, + size_t pipe_session_key_len, + struct netr_SamInfo2 *sam2) { - struct samu *sampw; - struct samr_RidWithAttribute *gids = NULL; - const struct dom_sid *user_sid = NULL; - const struct dom_sid *group_sid = NULL; - struct dom_sid domain_sid; - uint32 user_rid, group_rid; - NTSTATUS status; - - int num_gids = 0; - const char *my_name; - - struct netr_UserSessionKey user_session_key; - struct netr_LMSessionKey lm_session_key; - - NTTIME last_logon, last_logoff, acct_expiry, last_password_change; - NTTIME allow_password_change, force_password_change; - struct samr_RidWithAttributeArray groups; - int i; - struct dom_sid2 *sid = NULL; - - ZERO_STRUCT(user_session_key); - ZERO_STRUCT(lm_session_key); - - sampw = server_info->sam_account; - - user_sid = pdb_get_user_sid(sampw); - group_sid = pdb_get_group_sid(sampw); - - if (pipe_session_key && pipe_session_key_len != 16) { - DEBUG(0,("serverinfo_to_SamInfo3: invalid " - "pipe_session_key_len[%zu] != 16\n", - pipe_session_key_len)); - return NT_STATUS_INTERNAL_ERROR; - } - - if ((user_sid == NULL) || (group_sid == NULL)) { - DEBUG(1, ("_netr_LogonSamLogon: User without group or user SID\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - sid_copy(&domain_sid, user_sid); - sid_split_rid(&domain_sid, &user_rid); + struct netr_SamInfo3 *info3; - sid = sid_dup_talloc(mem_ctx, &domain_sid); - if (!sid) { + info3 = copy_netr_SamInfo3(sam2, server_info->info3); + if (!info3) { return NT_STATUS_NO_MEMORY; } - if (!sid_peek_check_rid(&domain_sid, group_sid, &group_rid)) { - DEBUG(1, ("_netr_LogonSamLogon: user %s\\%s has user sid " - "%s\n but group sid %s.\n" - "The conflicting domain portions are not " - "supported for NETLOGON calls\n", - pdb_get_domain(sampw), - pdb_get_username(sampw), - sid_string_dbg(user_sid), - sid_string_dbg(group_sid))); - return NT_STATUS_UNSUCCESSFUL; - } - - if(server_info->login_server) { - my_name = server_info->login_server; - } else { - my_name = global_myname(); - } - - status = nt_token_to_group_list(mem_ctx, &domain_sid, - server_info->num_sids, - server_info->sids, - &num_gids, &gids); - - if (!NT_STATUS_IS_OK(status)) { - return status; - } - if (server_info->user_session_key.length) { - memcpy(user_session_key.key, + memcpy(info3->base.key.key, server_info->user_session_key.data, - MIN(sizeof(user_session_key.key), + MIN(sizeof(info3->base.key.key), server_info->user_session_key.length)); if (pipe_session_key) { - arcfour_crypt(user_session_key.key, pipe_session_key, 16); + arcfour_crypt(info3->base.key.key, + pipe_session_key, 16); } } if (server_info->lm_session_key.length) { - memcpy(lm_session_key.key, + memcpy(info3->base.LMSessKey.key, server_info->lm_session_key.data, - MIN(sizeof(lm_session_key.key), + MIN(sizeof(info3->base.LMSessKey.key), server_info->lm_session_key.length)); if (pipe_session_key) { - arcfour_crypt(lm_session_key.key, pipe_session_key, 8); + arcfour_crypt(info3->base.LMSessKey.key, + pipe_session_key, 8); } } - groups.count = num_gids; - groups.rids = TALLOC_ARRAY(mem_ctx, struct samr_RidWithAttribute, groups.count); - if (!groups.rids) { - return NT_STATUS_NO_MEMORY; - } - - for (i=0; i < groups.count; i++) { - groups.rids[i].rid = gids[i].rid; - groups.rids[i].attributes = gids[i].attributes; - } - - unix_to_nt_time(&last_logon, pdb_get_logon_time(sampw)); - unix_to_nt_time(&last_logoff, get_time_t_max()); - unix_to_nt_time(&acct_expiry, get_time_t_max()); - unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(sampw)); - unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(sampw)); - unix_to_nt_time(&force_password_change, pdb_get_pass_must_change_time(sampw)); - - base->last_logon = last_logon; - base->last_logoff = last_logoff; - base->acct_expiry = acct_expiry; - base->last_password_change = last_password_change; - base->allow_password_change = allow_password_change; - base->force_password_change = force_password_change; - base->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(sampw)); - base->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(sampw)); - base->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(sampw)); - base->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(sampw)); - base->home_directory.string = talloc_strdup(mem_ctx, pdb_get_homedir(sampw)); - base->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(sampw)); - base->logon_count = 0; /* ?? */ - base->bad_password_count = 0; /* ?? */ - base->rid = user_rid; - base->primary_gid = group_rid; - base->groups = groups; - base->user_flags = NETLOGON_EXTRA_SIDS; - base->key = user_session_key; - base->logon_server.string = talloc_strdup(mem_ctx, my_name); - base->domain.string = talloc_strdup(mem_ctx, pdb_get_domain(sampw)); - base->domain_sid = sid; - base->LMSessKey = lm_session_key; - base->acct_flags = pdb_get_acct_ctrl(sampw); - - ZERO_STRUCT(user_session_key); - ZERO_STRUCT(lm_session_key); - - return NT_STATUS_OK; -} - -/**************************************************************************** - inits a netr_SamInfo2 structure from an auth_serversupplied_info. sam2 must - already be initialized and is used as the talloc parent for its members. -*****************************************************************************/ - -NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, - struct netr_SamInfo2 *sam2) -{ - NTSTATUS status; - - status = serverinfo_to_SamInfo_base(sam2, - server_info, - pipe_session_key, - pipe_session_key_len, - &sam2->base); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + sam2->base = info3->base; return NT_STATUS_OK; } @@ -274,17 +109,36 @@ NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info, size_t pipe_session_key_len, struct netr_SamInfo3 *sam3) { - NTSTATUS status; + struct netr_SamInfo3 *info3; - status = serverinfo_to_SamInfo_base(sam3, - server_info, - pipe_session_key, - pipe_session_key_len, - &sam3->base); - if (!NT_STATUS_IS_OK(status)) { - return status; + info3 = copy_netr_SamInfo3(sam3, server_info->info3); + if (!info3) { + return NT_STATUS_NO_MEMORY; } + if (server_info->user_session_key.length) { + memcpy(info3->base.key.key, + server_info->user_session_key.data, + MIN(sizeof(info3->base.key.key), + server_info->user_session_key.length)); + if (pipe_session_key) { + arcfour_crypt(info3->base.key.key, + pipe_session_key, 16); + } + } + if (server_info->lm_session_key.length) { + memcpy(info3->base.LMSessKey.key, + server_info->lm_session_key.data, + MIN(sizeof(info3->base.LMSessKey.key), + server_info->lm_session_key.length)); + if (pipe_session_key) { + arcfour_crypt(info3->base.LMSessKey.key, + pipe_session_key, 8); + } + } + + sam3->base = info3->base; + sam3->sidcount = 0; sam3->sids = NULL; @@ -301,8 +155,8 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, size_t pipe_session_key_len, struct netr_SamInfo6 *sam6) { - NTSTATUS status; struct pdb_domain_info *dominfo; + struct netr_SamInfo3 *info3; if ((pdb_capabilities() & PDB_CAP_ADS) == 0) { DEBUG(10,("Not adding validation info level 6 " @@ -315,14 +169,33 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, return NT_STATUS_NO_MEMORY; } - status = serverinfo_to_SamInfo_base(sam6, - server_info, - pipe_session_key, - pipe_session_key_len, - &sam6->base); - if (!NT_STATUS_IS_OK(status)) { - return status; + info3 = copy_netr_SamInfo3(sam6, server_info->info3); + if (!info3) { + return NT_STATUS_NO_MEMORY; + } + + if (server_info->user_session_key.length) { + memcpy(info3->base.key.key, + server_info->user_session_key.data, + MIN(sizeof(info3->base.key.key), + server_info->user_session_key.length)); + if (pipe_session_key) { + arcfour_crypt(info3->base.key.key, + pipe_session_key, 16); + } } + if (server_info->lm_session_key.length) { + memcpy(info3->base.LMSessKey.key, + server_info->lm_session_key.data, + MIN(sizeof(info3->base.LMSessKey.key), + server_info->lm_session_key.length)); + if (pipe_session_key) { + arcfour_crypt(info3->base.LMSessKey.key, + pipe_session_key, 8); + } + } + + sam6->base = info3->base; sam6->sidcount = 0; sam6->sids = NULL; @@ -333,7 +206,7 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, } sam6->principle.string = talloc_asprintf(sam6, "%s@%s", - pdb_get_username(server_info->sam_account), + sam6->base.account_name.string, sam6->dns_domainname.string); if (sam6->principle.string == NULL) { return NT_STATUS_NO_MEMORY; diff --git a/source3/auth/server_info_sam.c b/source3/auth/server_info_sam.c index c6e7522011..4dd3156fe5 100644 --- a/source3/auth/server_info_sam.c +++ b/source3/auth/server_info_sam.c @@ -77,7 +77,13 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info, return NT_STATUS_NO_SUCH_USER; } - result->sam_account = sampass; + status = samu_to_SamInfo3(result, sampass, + global_myname(), &result->info3); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(result); + return status; + } + result->unix_name = pwd->pw_name; /* Ensure that we keep pwd->pw_name, because we will free pwd below */ talloc_steal(result, pwd->pw_name); @@ -128,7 +134,6 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info, if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", nt_errstr(status))); - result->sam_account = NULL; /* Don't free on error exit. */ TALLOC_FREE(result); return status; } diff --git a/source3/include/auth.h b/source3/include/auth.h index 9f49fcc478..7996fafe40 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -58,7 +58,7 @@ struct auth_serversupplied_info { char *login_server; /* which server authorized the login? */ - struct samu *sam_account; + struct netr_SamInfo3 *info3; void *pam_handle; diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c index 0772215a28..d7ae3976bf 100644 --- a/source3/modules/vfs_expand_msdfs.c +++ b/source3/modules/vfs_expand_msdfs.c @@ -147,7 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx, conn->connectpath, conn->server_info->utok.gid, conn->server_info->sanitized_username, - pdb_get_domain(conn->server_info->sam_account), + conn->server_info->info3->base.domain.string, targethost); DEBUG(10, ("Expanded targethost to %s\n", targethost)); diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c index a89b95f05c..9c665c81a0 100644 --- a/source3/modules/vfs_full_audit.c +++ b/source3/modules/vfs_full_audit.c @@ -396,7 +396,7 @@ static char *audit_prefix(TALLOC_CTX *ctx, connection_struct *conn) conn->connectpath, conn->server_info->utok.gid, conn->server_info->sanitized_username, - pdb_get_domain(conn->server_info->sam_account), + conn->server_info->info3->base.domain.string, prefix); TALLOC_FREE(prefix); return result; diff --git a/source3/modules/vfs_recycle.c b/source3/modules/vfs_recycle.c index fb009a148f..3cd1f9dc80 100644 --- a/source3/modules/vfs_recycle.c +++ b/source3/modules/vfs_recycle.c @@ -467,7 +467,7 @@ static int recycle_unlink(vfs_handle_struct *handle, conn->connectpath, conn->server_info->utok.gid, conn->server_info->sanitized_username, - pdb_get_domain(conn->server_info->sam_account), + conn->server_info->info3->base.domain.string, recycle_repository(handle)); ALLOC_CHECK(repository, done); /* shouldn't we allow absolute path names here? --metze */ diff --git a/source3/modules/vfs_smb_traffic_analyzer.c b/source3/modules/vfs_smb_traffic_analyzer.c index 75450c79df..6384c97856 100644 --- a/source3/modules/vfs_smb_traffic_analyzer.c +++ b/source3/modules/vfs_smb_traffic_analyzer.c @@ -356,8 +356,8 @@ static char *smb_traffic_analyzer_create_string( TALLOC_CTX *ctx, (unsigned int) strlen(handle->conn->connectpath), handle->conn->connectpath, (unsigned int) - strlen(pdb_get_domain(handle->conn->server_info->sam_account)), - pdb_get_domain(handle->conn->server_info->sam_account), + strlen(handle->conn->server_info->info3->base.domain.string), + handle->conn->server_info->info3->base.domain.string, (unsigned int) strlen(timestr), timestr); @@ -460,7 +460,7 @@ static void smb_traffic_analyzer_send_data(vfs_handle_struct *handle, "\"%04d-%02d-%02d %02d:%02d:%02d.%03d\"\n", (unsigned int) s_data->len, username, - pdb_get_domain(handle->conn->server_info->sam_account), + handle->conn->server_info->info3->base.domain.string, Write ? 'W' : 'R', handle->conn->connectpath, s_data->filename, diff --git a/source3/printing/printing.c b/source3/printing/printing.c index b0f22c9b6f..05728d1731 100644 --- a/source3/printing/printing.c +++ b/source3/printing/printing.c @@ -2487,7 +2487,7 @@ uint32 print_job_start(struct auth_serversupplied_info *server_info, int snum, standard_sub_advanced(sharename, server_info->sanitized_username, path, server_info->utok.gid, server_info->sanitized_username, - pdb_get_domain(server_info->sam_account), + server_info->info3->base.domain.string, pjob.user, sizeof(pjob.user)-1); /* ensure NULL termination */ pjob.user[sizeof(pjob.user)-1] = '\0'; diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index e3e0dcb4ae..7e00e7aa33 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -1654,7 +1654,7 @@ NTSTATUS _lsa_GetUserName(pipes_struct *p, } } else { username = p->server_info->sanitized_username; - domname = pdb_get_domain(p->server_info->sam_account); + domname = p->server_info->info3->base.domain.string; } account_name = TALLOC_P(p->mem_ctx, struct lsa_String); diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index a039b08869..ec6ade661f 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -194,7 +194,7 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p, return WERR_INVALID_PARAM; } - acct_ctrl = pdb_get_acct_ctrl(p->server_info->sam_account); + acct_ctrl = p->server_info->info3->base.acct_flags; switch (r->in.function_code) { case NETLOGON_CONTROL_TC_VERIFY: diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index 77ed2d422f..c0bc9090b8 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -113,7 +113,7 @@ static int CopyExpanded(connection_struct *conn, conn->connectpath, conn->server_info->utok.gid, conn->server_info->sanitized_username, - pdb_get_domain(conn->server_info->sam_account), + conn->server_info->info3->base.domain.string, buf); if (!buf) { *p_space_remaining = 0; @@ -164,7 +164,7 @@ static int StrlenExpanded(connection_struct *conn, int snum, char *s) conn->connectpath, conn->server_info->utok.gid, conn->server_info->sanitized_username, - pdb_get_domain(conn->server_info->sam_account), + conn->server_info->info3->base.domain.string, buf); if (!buf) { return 0; @@ -4455,8 +4455,9 @@ static bool api_WWkstaUserLogon(connection_struct *conn,uint16 vuid, } PACKS(&desc,"z",lp_workgroup());/* domain */ - PACKS(&desc,"z", vuser ? pdb_get_logon_script( - vuser->server_info->sam_account) : ""); /* script path */ + PACKS(&desc,"z", vuser ? + vuser->server_info->info3->base.logon_script.string + : ""); /* script path */ PACKI(&desc,"D",0x00000000); /* reserved */ } diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 5cf290c158..809a913d6c 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -274,12 +274,12 @@ int register_existing_vuid(struct smbd_server_connection *sconn, (unsigned int)vuser->server_info->utok.gid, vuser->server_info->unix_name, vuser->server_info->sanitized_username, - pdb_get_domain(vuser->server_info->sam_account), + vuser->server_info->info3->base.domain.string, vuser->server_info->guest )); DEBUG(3, ("register_existing_vuid: User name: %s\t" "Real name: %s\n", vuser->server_info->unix_name, - pdb_get_fullname(vuser->server_info->sam_account))); + vuser->server_info->info3->base.full_name.string)); if (!vuser->server_info->ptok) { DEBUG(1, ("register_existing_vuid: server_info does not " @@ -324,7 +324,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn, set_current_user_info( vuser->server_info->sanitized_username, vuser->server_info->unix_name, - pdb_get_domain(vuser->server_info->sam_account)); + vuser->server_info->info3->base.domain.string); return vuser->vuid; diff --git a/source3/smbd/process.c b/source3/smbd/process.c index ed70b9cdd8..c8497577a4 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -1451,8 +1451,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in set_current_user_info( vuser->server_info->sanitized_username, vuser->server_info->unix_name, - pdb_get_domain(vuser->server_info - ->sam_account)); + vuser->server_info->info3->base.domain.string); } } } diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 689f0e2f07..afd9cad27d 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -589,7 +589,7 @@ static NTSTATUS create_connection_server_info(struct smbd_server_connection *sco } } else { if (!user_ok_token(vuid_serverinfo->unix_name, - pdb_get_domain(vuid_serverinfo->sam_account), + vuid_serverinfo->info3->base.domain.string, vuid_serverinfo->ptok, snum)) { DEBUG(2, ("user '%s' (from session setup) not " "permitted to access this share " @@ -788,7 +788,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, conn->connectpath, conn->server_info->utok.gid, conn->server_info->sanitized_username, - pdb_get_domain(conn->server_info->sam_account), + conn->server_info->info3->base.domain.string, lp_pathname(snum)); if (!s) { *pstatus = NT_STATUS_NO_MEMORY; @@ -915,7 +915,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, conn->connectpath, conn->server_info->utok.gid, conn->server_info->sanitized_username, - pdb_get_domain(conn->server_info->sam_account), + conn->server_info->info3->base.domain.string, lp_rootpreexec(snum)); DEBUG(5,("cmd=%s\n",cmd)); ret = smbrun(cmd,NULL); @@ -953,7 +953,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, conn->connectpath, conn->server_info->utok.gid, conn->server_info->sanitized_username, - pdb_get_domain(conn->server_info->sam_account), + conn->server_info->info3->base.domain.string, lp_preexec(snum)); ret = smbrun(cmd,NULL); TALLOC_FREE(cmd); @@ -1257,7 +1257,7 @@ void close_cnum(connection_struct *conn, uint16 vuid) conn->connectpath, conn->server_info->utok.gid, conn->server_info->sanitized_username, - pdb_get_domain(conn->server_info->sam_account), + conn->server_info->info3->base.domain.string, lp_postexec(SNUM(conn))); smbrun(cmd,NULL); TALLOC_FREE(cmd); @@ -1273,7 +1273,7 @@ void close_cnum(connection_struct *conn, uint16 vuid) conn->connectpath, conn->server_info->utok.gid, conn->server_info->sanitized_username, - pdb_get_domain(conn->server_info->sam_account), + conn->server_info->info3->base.domain.string, lp_rootpostexec(SNUM(conn))); smbrun(cmd,NULL); TALLOC_FREE(cmd); diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index df39aed0ed..a561e3a593 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -529,9 +529,9 @@ static void reply_spnego_kerberos(struct smb_request *req, * we end up with the local netbios name in substitutions for * %D. */ - if (server_info->sam_account != NULL) { - pdb_set_domain(server_info->sam_account, - domain, PDB_SET); + if (server_info->info3 != NULL) { + server_info->info3->base.domain.string = + talloc_strdup(server_info->info3, domain); } } diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 92e77a5ff2..7ac003fad6 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -371,9 +371,9 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session, * we end up with the local netbios name in substitutions for * %D. */ - if (session->server_info->sam_account != NULL) { - pdb_set_domain(session->server_info->sam_account, - domain, PDB_SET); + if (session->server_info->info3 != NULL) { + session->server_info->info3->base.domain.string = + talloc_strdup(session->server_info->info3, domain); } } @@ -979,7 +979,7 @@ NTSTATUS smbd_smb2_request_check_session(struct smbd_smb2_request *req) set_current_user_info(session->server_info->sanitized_username, session->server_info->unix_name, - pdb_get_domain(session->server_info->sam_account)); + session->server_info->info3->base.domain.string); req->session = session; diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index 5e61098ecb..f34ec5540a 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -104,13 +104,13 @@ static bool check_user_ok(connection_struct *conn, } if (!user_ok_token(server_info->unix_name, - pdb_get_domain(server_info->sam_account), + server_info->info3->base.domain.string, server_info->ptok, snum)) return(False); readonly_share = is_share_read_only_for_token( server_info->unix_name, - pdb_get_domain(server_info->sam_account), + server_info->info3->base.domain.string, server_info->ptok, conn); @@ -132,7 +132,7 @@ static bool check_user_ok(connection_struct *conn, admin_user = token_contains_name_in_list( server_info->unix_name, - pdb_get_domain(server_info->sam_account), + server_info->info3->base.domain.string, NULL, server_info->ptok, lp_admin_users(snum)); if (valid_vuid) { |