-rw-r--r--source3/Makefile.in34
-rw-r--r--source3/auth/auth_rhosts.c19
-rw-r--r--source3/auth/auth_util.c43
-rw-r--r--source3/client/client.c187
-rw-r--r--source3/configure.in21
-rw-r--r--source3/groupdb/mapping.c23
-rw-r--r--source3/include/auth.h3
-rw-r--r--source3/include/debug.h1
-rw-r--r--source3/include/idmap.h12
-rw-r--r--source3/include/includes.h30
-rw-r--r--source3/include/passdb.h149
-rw-r--r--source3/include/rpc_lsa.h20
-rw-r--r--source3/include/rpc_misc.h16
-rw-r--r--source3/include/smb.h130
-rw-r--r--source3/lib/debug.c1
-rw-r--r--source3/lib/readline.c24
-rw-r--r--source3/lib/snprintf.c10
-rw-r--r--source3/lib/username.c2
-rw-r--r--source3/nsswitch/winbindd.c8
-rw-r--r--source3/nsswitch/winbindd_cache.c7
-rw-r--r--source3/nsswitch/winbindd_group.c37
-rw-r--r--source3/nsswitch/winbindd_sid.c13
-rw-r--r--source3/nsswitch/winbindd_user.c19
-rw-r--r--source3/nsswitch/winbindd_util.c9
-rw-r--r--source3/pam_smbpass/pam_smb_passwd.c21
-rw-r--r--source3/pam_smbpass/support.c42
-rw-r--r--source3/param/loadparm.c89
-rw-r--r--source3/passdb/passdb.c322
-rw-r--r--source3/passdb/pdb_get_set.c42
-rw-r--r--source3/passdb/pdb_guest.c70
-rw-r--r--source3/passdb/pdb_ldap.c168
-rw-r--r--source3/passdb/pdb_nisplus.c80
-rw-r--r--source3/passdb/pdb_smbpasswd.c59
-rw-r--r--source3/passdb/pdb_tdb.c188
-rw-r--r--source3/passdb/pdb_xml.c2
-rw-r--r--source3/rpc_server/srv_pipe.c10
-rw-r--r--source3/rpc_server/srv_samr_nt.c30
-rw-r--r--source3/rpc_server/srv_util.c9
-rw-r--r--source3/smbd/chgpasswd.c13
-rw-r--r--source3/smbd/ntquotas.c8
-rw-r--r--source3/smbd/nttrans.c8
-rw-r--r--source3/smbd/password.c11
-rw-r--r--source3/smbd/posix_acls.c10
-rw-r--r--source3/smbd/server.c6
-rw-r--r--source3/smbd/uid.c419
-rw-r--r--source3/utils/pdbedit.c60
-rw-r--r--source3/utils/profiles.c4
47 files changed, 973 insertions, 1516 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 492d73d4b7..f1c497663f 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -274,12 +274,14 @@ PASSDB_GET_SET_OBJ = passdb/pdb_get_set.o
PASSDB_OBJ = $(PASSDB_GET_SET_OBJ) passdb/passdb.o passdb/pdb_interface.o \
passdb/machine_sid.o passdb/util_sam_sid.o passdb/pdb_compat.o \
- @PDB_STATIC@
+ passdb/privileges.o @PDB_STATIC@
XML_OBJ = passdb/pdb_xml.o
MYSQL_OBJ = passdb/pdb_mysql.o
DEVEL_HELP_OBJ = modules/weird.o
+IDMAP_OBJ = sam/idmap.o sam/idmap_util.o sam/idmap_tdb.o
+
GROUPDB_OBJ = groupdb/mapping.o
PROFILE_OBJ = profile/profile.o
@@ -340,7 +342,7 @@ SMBD_OBJ_BASE = $(PARAM_OBJ) $(SMBD_OBJ_SRV) $(MSDFS_OBJ) $(LIBSMB_OBJ) \
$(NOTIFY_OBJ) $(GROUPDB_OBJ) $(AUTH_OBJ) \
$(LIBMSRPC_OBJ) $(LIBMSRPC_SERVER_OBJ) \
$(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(LIBADS_SERVER_OBJ) \
- $(LIB_SMBD_OBJ) $(REGISTRY_OBJ) $(POPT_LIB_OBJ)
+ $(LIB_SMBD_OBJ) $(REGISTRY_OBJ) $(POPT_LIB_OBJ) $(IDMAP_OBJ)
PRINTING_OBJ = printing/pcap.o printing/print_svid.o \
printing/print_cups.o printing/print_generic.o \
@@ -378,9 +380,9 @@ SWAT_OBJ1 = web/cgi.o web/diagnose.o web/startstop.o web/statuspage.o \
web/swat.o web/neg_lang.o
SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(PRINTING_OBJ) $(LIBSMB_OBJ) \
- $(LOCKING_OBJ) $(PASSDB_OBJ) $(SECRETS_OBJ) $(KRBCLIENT_OBJ) \
+ $(LOCKING_OBJ) $(PASSDB_OBJ) $(SECRETS_OBJ) $(KRBCLIENT_OBJ) \
$(UBIQX_OBJ) $(LIB_OBJ) $(GROUPDB_OBJ) $(PLAINTEXT_AUTH_OBJ) \
- $(POPT_LIB_OBJ)
+ $(POPT_LIB_OBJ) $(IDMAP_OBJ)
SMBSH_OBJ = smbwrapper/smbsh.o smbwrapper/shared.o \
$(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ)
@@ -404,11 +406,12 @@ TESTPRNS_OBJ = utils/testprns.o $(PARAM_OBJ) $(PRINTING_OBJ) $(UBIQX_OBJ) \
SMBPASSWD_OBJ = utils/smbpasswd.o $(PARAM_OBJ) $(SECRETS_OBJ) \
$(LIBSMB_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ)\
- $(UBIQX_OBJ) $(LIB_OBJ) $(KRBCLIENT_OBJ)
+ $(UBIQX_OBJ) $(LIB_OBJ) $(KRBCLIENT_OBJ) \
+ $(IDMAP_OBJ)
PDBEDIT_OBJ = utils/pdbedit.o $(PARAM_OBJ) $(PASSDB_OBJ) $(LIBSAMBA_OBJ) \
$(UBIQX_OBJ) $(LIB_OBJ) $(GROUPDB_OBJ) $(SECRETS_OBJ) \
- $(POPT_LIB_OBJ)
+ $(POPT_LIB_OBJ) $(IDMAP_OBJ)
RPCCLIENT_OBJ1 = rpcclient/rpcclient.o rpcclient/cmd_lsarpc.o \
rpcclient/cmd_samr.o rpcclient/cmd_spoolss.o \
@@ -421,7 +424,8 @@ RPCCLIENT_OBJ = $(RPCCLIENT_OBJ1) \
$(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \
$(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(LIBMSRPC_OBJ) \
$(READLINE_OBJ) $(GROUPDB_OBJ) $(KRBCLIENT_OBJ) \
- $(LIBADS_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ)
+ $(LIBADS_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) \
+ $(IDMAP_OBJ)
PAM_WINBIND_OBJ = nsswitch/pam_winbind.po nsswitch/wb_common.po lib/snprintf.po
@@ -468,7 +472,8 @@ NET_OBJ = $(NET_OBJ1) $(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
$(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
$(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \
$(LIBMSRPC_OBJ) $(LIBMSRPC_SERVER_OBJ) \
- $(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) $(POPT_LIB_OBJ)
+ $(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) $(POPT_LIB_OBJ) \
+ $(IDMAP_OBJ)
CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) \
$(LIB_OBJ) $(KRBCLIENT_OBJ)
@@ -547,7 +552,7 @@ PROTO_OBJ = $(SMBD_OBJ_MAIN) \
$(LIB_SMBD_OBJ) $(SAM_OBJ) $(REGISTRY_OBJ) $(POPT_LIB_OBJ) \
$(RPC_LSA_OBJ) $(RPC_NETLOG_OBJ) $(RPC_SAMR_OBJ) $(RPC_REG_OBJ) \
$(RPC_SVC_OBJ) $(RPC_WKS_OBJ) $(RPC_DFS_OBJ) $(RPC_SPOOLSS_OBJ) \
- $(RPC_ECHO_OBJ)
+ $(IDMAP_OBJ) $(RPC_ECHO_OBJ)
NSS_OBJ_0 = nsswitch/wins.o $(PARAM_OBJ) $(UBIQX_OBJ) $(LIBSMB_OBJ) \
$(LIB_OBJ) $(NSSWINS_OBJ)
@@ -562,7 +567,7 @@ PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
pam_smbpass/pam_smb_acct.o pam_smbpass/support.o \
libsmb/smbencrypt.o libsmb/smbdes.o libsmb/nterr.o \
$(PARAM_OBJ) $(LIB_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
- $(SECRETS_OBJ) $(UBIQX_OBJ)
+ $(SECRETS_OBJ) $(UBIQX_OBJ) $(IDMAP_OBJ)
PAM_SMBPASS_PICOOBJ = $(PAM_SMBPASS_OBJ_0:.o=.po)
@@ -570,8 +575,6 @@ WINBINDD_OBJ1 = \
nsswitch/winbindd.o \
nsswitch/winbindd_user.o \
nsswitch/winbindd_group.o \
- nsswitch/winbindd_idmap.o \
- nsswitch/winbindd_idmap_tdb.o \
nsswitch/winbindd_util.o \
nsswitch/winbindd_cache.o \
nsswitch/winbindd_pam.o \
@@ -581,13 +584,14 @@ WINBINDD_OBJ1 = \
nsswitch/winbindd_wins.o \
nsswitch/winbindd_rpc.o \
nsswitch/winbindd_ads.o \
- nsswitch/winbindd_dual.o
+ nsswitch/winbindd_dual.o \
+ nsswitch/winbindd_passdb.o
WINBINDD_OBJ = \
- $(WINBINDD_OBJ1) $(PASSDB_GET_SET_OBJ) \
+ $(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
$(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \
$(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \
- $(PROFILE_OBJ) $(UNIGRP_OBJ) \
+ $(PROFILE_OBJ) $(UNIGRP_OBJ) $(IDMAP_OBJ) \
$(SECRETS_OBJ) $(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ)
WBINFO_OBJ = nsswitch/wbinfo.o $(LIBSAMBA_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \
diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c
index 0875c48280..3411083116 100644
--- a/source3/auth/auth_rhosts.c
+++ b/source3/auth/auth_rhosts.c
@@ -135,17 +135,20 @@ check for a possible hosts equiv or rhosts entry for the user
static BOOL check_hosts_equiv(SAM_ACCOUNT *account)
{
- char *fname = NULL;
+ uid_t uid;
+ char *fname = NULL;
- fname = lp_hosts_equiv();
+ fname = lp_hosts_equiv();
+ if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(account), &uid)))
+ return False;
- /* note: don't allow hosts.equiv on root */
- if (IS_SAM_UNIX_USER(account) && fname && *fname && (pdb_get_uid(account) != 0)) {
- if (check_user_equiv(pdb_get_username(account),client_name(),fname))
- return(True);
- }
+ /* note: don't allow hosts.equiv on root */
+ if (fname && *fname && uid != 0) {
+ if (check_user_equiv(pdb_get_username(account),client_name(),fname))
+ return True;
+ }
- return(False);
+ return False;
}
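Review bot: The new guard `if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(account), &uid)))` only rejects error-severity statuses; if sid_to_uid ever returns a non-OK status that is not error-severity, `uid` is left uninitialized and the `uid != 0` root exclusion below runs on garbage. Since the intent is "no unix mapping, no hosts.equiv", testing for success is the fail-closed form: `if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(account), &uid))) return False;`. The same NT_STATUS_IS_ERR pattern is used for every idmap call in this commit, so the choice is presumably deliberate, but for a check that can bypass password authentication the stricter test is worth the one-line change.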
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index a3ca0b226f..e8f2af41f3 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -611,21 +611,21 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups,
NT_USER_TOKEN *token;
int i;
- if (!uid_to_sid(&user_sid, uid)) {
+ if (NT_STATUS_IS_ERR(uid_to_sid(&user_sid, uid))) {
return NULL;
}
- if (!gid_to_sid(&group_sid, gid)) {
+ if (NT_STATUS_IS_ERR(gid_to_sid(&group_sid, gid))) {
return NULL;
}
- group_sids = malloc(sizeof(DOM_SID) * ngroups);
+ group_sids = malloc(sizeof(DOM_SID) * ngroups);
if (!group_sids) {
DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n"));
return NULL;
}
for (i = 0; i < ngroups; i++) {
- if (!gid_to_sid(&(group_sids)[i], (groups)[i])) {
+ if (NT_STATUS_IS_ERR(gid_to_sid(&(group_sids)[i], (groups)[i]))) {
DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i]));
SAFE_FREE(group_sids);
return NULL;
@@ -648,7 +648,7 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups,
* If this samba server is a DC of the domain the user belongs to, it returns
* both domain groups and local / builtin groups. If the user is in a trusted
* domain, or samba is a member server of a domain, then this function returns
- * local and builtin groups the user is a member of.
+ * local and builtin groups the user is a member of.
*
* currently this is a hack, as there is no sam implementation that is capable
* of groups.
@@ -661,23 +661,18 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
gid_t gid;
int n_unix_groups;
int i;
- struct passwd *usr;
*n_groups = 0;
*groups = NULL;
- if (!IS_SAM_UNIX_USER(sampass)) {
- DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass)));
- return NT_STATUS_NO_SUCH_USER;
+ if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid)) || NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sampass), &gid))) {
+ DEBUG(0, ("get_user_groups_from_local_sam: error fetching uid or gid for user!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
}
-
- uid = pdb_get_uid(sampass);
- gid = pdb_get_gid(sampass);
n_unix_groups = groups_max();
if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) {
DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n"));
- passwd_free(&usr);
return NT_STATUS_NO_MEMORY;
}
@@ -686,7 +681,6 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups);
if (!groups_tmp) {
SAFE_FREE(*unix_groups);
- passwd_free(&usr);
return NT_STATUS_NO_MEMORY;
}
*unix_groups = groups_tmp;
@@ -694,7 +688,6 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n"));
SAFE_FREE(*unix_groups);
- passwd_free(&usr);
return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
}
}
@@ -713,7 +706,7 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
*n_groups = n_unix_groups;
for (i = 0; i < *n_groups; i++) {
- if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) {
+ if (NT_STATUS_IS_ERR(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) {
DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1]));
SAFE_FREE(*groups);
SAFE_FREE(*unix_groups);
@@ -730,6 +723,8 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass)
{
+ NTSTATUS ret;
+
*server_info = malloc(sizeof(**server_info));
if (!*server_info) {
DEBUG(0,("make_server_info: malloc failed!\n"));
@@ -739,6 +734,10 @@ static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACC
(*server_info)->sam_fill_level = SAM_FILL_ALL;
(*server_info)->sam_account = sampass;
+ if (NT_STATUS_IS_ERR(ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid))))
+ return ret;
+ if (NT_STATUS_IS_ERR(ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid))))
+ return ret;
return NT_STATUS_OK;
}
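Review bot: The two early `return ret;` lines added after `(*server_info)->sam_account = sampass;` leak the `*server_info` that the function malloc'ed in the previous hunk and hand the caller a non-NULL, half-initialized structure whose uid/gid were never set; a caller that frees only on success, or that does not check the status, will act on uninitialized credentials. Free and NULL the structure before returning, and test for success rather than error severity so a non-error-severity status cannot slip through with `uid`/`gid` unset (sampass appears to remain owned by the caller, so it is not released here). make_server_info's opening lines are in the preceding hunk.
```c
	(*server_info)->sam_account = sampass;

	/* Derive the unix identity from the account's SIDs; on failure do not
	 * hand back a half-initialised structure. */
	ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid));
	if (!NT_STATUS_IS_OK(ret)) {
		SAFE_FREE(*server_info);
		return ret;
	}
	ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid));
	if (!NT_STATUS_IS_OK(ret)) {
		SAFE_FREE(*server_info);
		return ret;
	}
	return NT_STATUS_OK;
```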
@@ -869,8 +868,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
struct passwd *passwd;
- uid_t uid;
- gid_t gid;
+ unid_t u_id, g_id;
+ int u_type, g_type;
int n_lgroupSIDs;
DOM_SID *lgroupSIDs = NULL;
@@ -907,9 +906,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
domain = domain;
}
- if (winbind_sid_to_uid(&uid, &user_sid)
- && winbind_sid_to_gid(&gid, &group_sid)
- && ((passwd = getpwuid_alloc(uid)))) {
+ u_type = ID_USERID;
+ g_type = ID_GROUPID;
+ if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid))
+ && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid))
+ && ((passwd = getpwuid_alloc(u_id.uid)))) {
nt_status = pdb_init_sam_pw(&sam_account, passwd);
passwd_free(&passwd);
} else {
diff --git a/source3/client/client.c b/source3/client/client.c
index 36c76cbf15..b498b5b4a8 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -2214,40 +2214,181 @@ static int process_command_string(char *cmd)
return rc;
}
-/****************************************************************************
-handle completion of commands for readline
-****************************************************************************/
-static char **completion_fn(char *text, int start, int end)
-{
#define MAX_COMPLETIONS 100
- char **matches;
- int i, count=0;
- /* for words not at the start of the line fallback to filename completion */
- if (start) return NULL;
+typedef struct {
+ pstring dirmask;
+ char **matches;
+ int count, samelen;
+ const char *text;
+ int len;
+} completion_remote_t;
- matches = (char **)malloc(sizeof(matches[0])*MAX_COMPLETIONS);
- if (!matches) return NULL;
+static void completion_remote_filter(file_info *f, const char *mask, void *state)
+{
+ completion_remote_t *info = (completion_remote_t *)state;
- matches[count++] = strdup(text);
- if (!matches[0]) return NULL;
+ if ((info->count < MAX_COMPLETIONS - 1) && (strncmp(info->text, f->name, info->len) == 0) && (strcmp(f->name, ".") != 0) && (strcmp(f->name, "..") != 0)) {
+ if ((info->dirmask[0] == 0) && !(f->mode & aDIR))
+ info->matches[info->count] = strdup(f->name);
+ else {
+ pstring tmp;
- for (i=0;commands[i].fn && count < MAX_COMPLETIONS-1;i++) {
- if (strncmp(text, commands[i].name, strlen(text)) == 0) {
- matches[count] = strdup(commands[i].name);
- if (!matches[count]) return NULL;
- count++;
+ if (info->dirmask[0] != 0)
+ pstrcpy(tmp, info->dirmask);
+ else
+ tmp[0] = 0;
+ pstrcat(tmp, f->name);
+ if (f->mode & aDIR)
+ pstrcat(tmp, "/");
+ info->matches[info->count] = strdup(tmp);
}
+ if (info->matches[info->count] == NULL)
+ return;
+ if (f->mode & aDIR)
+ smb_readline_ca_char(0);
+
+ if (info->count == 1)
+ info->samelen = strlen(info->matches[info->count]);
+ else
+ while (strncmp(info->matches[info->count], info->matches[info->count-1], info->samelen) != 0)
+ info->samelen--;
+ info->count++;
}
+}
+
+static char **remote_completion(const char *text, int len)
+{
+ pstring dirmask;
+ int i;
+ completion_remote_t info = { "", NULL, 1, len, text, len };
+
+ if (len >= PATH_MAX)
+ return(NULL);
+
+ info.matches = (char **)malloc(sizeof(info.matches[0])*MAX_COMPLETIONS);
+ if (!info.matches) return NULL;
+ info.matches[0] = NULL;
+
+ for (i = len-1; i >= 0; i--)
+ if ((text[i] == '/') || (text[i] == '\\'))
+ break;
+ info.text = text+i+1;
+ info.samelen = info.len = len-i-1;
- if (count == 2) {
- SAFE_FREE(matches[0]);
- matches[0] = strdup(matches[1]);
+ if (i > 0) {
+ strncpy(info.dirmask, text, i+1);
+ info.dirmask[i+1] = 0;
+ snprintf(dirmask, sizeof(dirmask), "%s%*s*", cur_dir, i-1, text);
+ } else
+ snprintf(dirmask, sizeof(dirmask), "%s*", cur_dir);
+
+ if (cli_list(cli, dirmask, aDIR | aSYSTEM | aHIDDEN, completion_remote_filter, &info) < 0)
+ goto cleanup;
+
+ if (info.count == 2)
+ info.matches[0] = strdup(info.matches[1]);
+ else {
+ info.matches[0] = malloc(info.samelen+1);
+ if (!info.matches[0])
+ goto cleanup;
+ strncpy(info.matches[0], info.matches[1], info.samelen);
+ info.matches[0][info.samelen] = 0;
}
- matches[count] = NULL;
- return matches;
+ info.matches[info.count] = NULL;
+ return info.matches;
+
+cleanup:
+ for (i = 0; i < info.count; i++)
+ free(info.matches[i]);
+ free(info.matches);
+ return NULL;
}
+static char **completion_fn(const char *text, int start, int end)
+{
+ smb_readline_ca_char(' ');
+
+ if (start) {
+ const char *buf, *sp;
+ int i;
+ char compl_type;
+
+ buf = smb_readline_get_line_buffer();
+ if (buf == NULL)
+ return NULL;
+
+ sp = strchr(buf, ' ');
+ if (sp == NULL)
+ return NULL;
+
+ for (i = 0; commands[i].name; i++)
+ if ((strncmp(commands[i].name, text, sp - buf) == 0) && (commands[i].name[sp - buf] == 0))
+ break;
+ if (commands[i].name == NULL)
+ return NULL;
+
+ while (*sp == ' ')
+ sp++;
+
+ if (sp == (buf + start))
+ compl_type = commands[i].compl_args[0];
+ else
+ compl_type = commands[i].compl_args[1];
+
+ if (compl_type == COMPL_REMOTE)
+ return remote_completion(text, end - start);
+ else /* fall back to local filename completion */
+ return NULL;
+ } else {
+ char **matches;
+ int i, len, samelen, count=1;
+
+ matches = (char **)malloc(sizeof(matches[0])*MAX_COMPLETIONS);
+ if (!matches) return NULL;
+ matches[0] = NULL;
+
+ len = strlen(text);
+ for (i=0;commands[i].fn && count < MAX_COMPLETIONS-1;i++) {
+ if (strncmp(text, commands[i].name, len) == 0) {
+ matches[count] = strdup(commands[i].name);
+ if (!matches[count])
+ goto cleanup;
+ if (count == 1)
+ samelen = strlen(matches[count]);
+ else
+ while (strncmp(matches[count], matches[count-1], samelen) != 0)
+ samelen--;
+ count++;
+ }
+ }
+
+ switch (count) {
+ case 0: /* should never happen */
+ case 1:
+ goto cleanup;
+ case 2:
+ matches[0] = strdup(matches[1]);
+ break;
+ default:
+ matches[0] = malloc(samelen+1);
+ if (!matches[0])
+ goto cleanup;
+ strncpy(matches[0], matches[1], samelen);
+ matches[0][samelen] = 0;
+ }
+ matches[count] = NULL;
+ return matches;
+
+cleanup:
+ while (i >= 0) {
+ free(matches[i]);
+ i--;
+ }
+ free(matches);
+ return NULL;
+ }
+}
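Review bot: `remote_completion` reads an uninitialized pointer when nothing matches: `info.count` starts at 1, and if `completion_remote_filter` never adds an entry the `else` branch does `strncpy(info.matches[0], info.matches[1], info.samelen)` on a slot that was never written (only `matches[0]` was set to NULL). Add `if (info.count == 1) goto cleanup;` before the `if (info.count == 2)` test, mirroring the `case 1: goto cleanup;` in the local `completion_fn`. The `cleanup:` loop in `completion_fn` has the inverse problem: `i` is the index into `commands[]`, not into `matches`, so `free(matches[i])` walks past the `count` slots that were actually allocated; `for (i = 0; i < count; i++) free(matches[i]);` is what is meant. Also `snprintf(dirmask, sizeof(dirmask), "%s%*s*", cur_dir, i-1, text)` uses `*` as a minimum field width, so the whole of `text` is appended rather than its first `i` characters; `"%s%.*s*"` with precision `i` looks like the intent, though I have not traced cli_list's mask handling to confirm. Finally, the `len >= PATH_MAX` guard does not bound `strncpy(info.dirmask, text, i+1)` if `PATH_MAX` exceeds the pstring size, so comparing against `sizeof(info.dirmask)` is the safer limit.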
/****************************************************************************
make sure we swallow keepalives during idle time
diff --git a/source3/configure.in b/source3/configure.in
index 529e54c9a1..28b3a3a26b 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -2497,6 +2497,27 @@ AC_ARG_WITH(ldapsam,
AC_MSG_RESULT(no)
)
+#################################################
+# check for IDMAP
+
+AC_DEFINE(WITH_IDMAP,1, [Include IDMAP support])
+
+AC_MSG_CHECKING(whether to use IDMAP only for [ug]id mapping)
+AC_ARG_WITH(idmap,
+[ --with-idmap Include experimental IDMAP support (default=yes)],
+[ case "$withval" in
+ yes)
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(WITH_IDMAP,1,[Whether to include experimental IDMAP support])
+ ;;
+ no)
+ AC_MSG_RESULT(no)
+ AC_DEFINE(WITH_IDMAP,0,[Whether to include experimental IDMAP support])
+ ;;
+ esac ],
+ AC_MSG_RESULT(yes)
+)
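Review bot: The unconditional `AC_DEFINE(WITH_IDMAP,1, [Include IDMAP support])` placed before `AC_ARG_WITH(idmap, ...)` makes the option ineffective: `--without-idmap` then emits both `#define WITH_IDMAP 1` and `#define WITH_IDMAP 0`, and any `#ifdef WITH_IDMAP` test in the C sources stays true either way. Drop the unconditional define and let only the `yes` branch define the symbol, or define it to 1/0 in both branches and make sure the sources test it with `#if WITH_IDMAP` rather than `#ifdef`. The AC_MSG_CHECKING text `whether to use IDMAP only for [ug]id mapping` also does not describe what the option controls; `whether to include experimental IDMAP support` would match the help string.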
+
########################################################################################
##
## END OF TESTS FOR SAM BACKENDS.
diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c
index b718f42f93..2b7a852688 100644
--- a/source3/groupdb/mapping.c
+++ b/source3/groupdb/mapping.c
@@ -170,17 +170,17 @@ static BOOL default_group_mapping(void)
/* Add the Wellknown groups */
- add_initial_entry(-1, "S-1-5-32-544", SID_NAME_ALIAS, "Administrators", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
- add_initial_entry(-1, "S-1-5-32-545", SID_NAME_ALIAS, "Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
- add_initial_entry(-1, "S-1-5-32-546", SID_NAME_ALIAS, "Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK);
- add_initial_entry(-1, "S-1-5-32-547", SID_NAME_ALIAS, "Power Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
+ add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
+ add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
+ add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK);
+ add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
- add_initial_entry(-1, "S-1-5-32-548", SID_NAME_ALIAS, "Account Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
- add_initial_entry(-1, "S-1-5-32-549", SID_NAME_ALIAS, "System Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
- add_initial_entry(-1, "S-1-5-32-550", SID_NAME_ALIAS, "Print Operators", "", privilege_print_op, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
- add_initial_entry(-1, "S-1-5-32-551", SID_NAME_ALIAS, "Backup Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
+ add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
+ add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
+ add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", privilege_print_op, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
+ add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
- add_initial_entry(-1, "S-1-5-32-552", SID_NAME_ALIAS, "Replicators", "", privilege_none, PR_ACCESS_FROM_NETWORK);
+ add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", privilege_none, PR_ACCESS_FROM_NETWORK);
/* Add the defaults domain groups */
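Review bot: Switching the BUILTIN entries from `SID_NAME_ALIAS` to `SID_NAME_WKN_GRP` changes what `enum_group_mapping(enum SID_NAME_USE sid_name_use, ...)` returns to callers that enumerate aliases, so any consumer that still asks for `SID_NAME_ALIAS` to find Administrators (S-1-5-32-544) and its privilege_all grant will no longer see these rows; I cannot see those callers here, so please confirm they were updated in the same change. A one-line comment above the block, `/* BUILTIN aliases are stored as SID_NAME_WKN_GRP; lookups by SID_NAME_ALIAS will not match them */`, would save the next reader the same question. default_group_mapping continues outside this hunk.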
@@ -763,7 +763,7 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0)
continue;
-
+
dbuf = tdb_fetch(tdb, kbuf);
if (!dbuf.dptr)
continue;
@@ -803,7 +803,7 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
free_privilege(set);
continue;
}
-
+
if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map.nt_name));
free_privilege(set);
@@ -838,6 +838,7 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
free_privilege(&(mapt[entries].priv_set));
entries++;
+
}
*num_entries=entries;
diff --git a/source3/include/auth.h b/source3/include/auth.h
index 626b9f3ba0..eb80e3c5b4 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -75,6 +75,9 @@ typedef struct auth_usersupplied_info
typedef struct auth_serversupplied_info
{
BOOL guest;
+
+ uid_t uid;
+ gid_t gid;
/* This groups info is needed for when we become_user() for this uid */
int n_groups;
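Review bot: The new `uid`/`gid` members are added without a comment, unlike the `n_groups` field right below them; since they are filled by `sid_to_uid`/`sid_to_gid` in make_server_info and are only meaningful when that call succeeded, a comment such as `/* unix identity derived from sam_account's user/group SIDs via idmap; only valid if make_server_info returned NT_STATUS_OK */` would tell become_user() callers what they may rely on. The struct continues outside this hunk.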
diff --git a/source3/include/debug.h b/source3/include/debug.h
index d4f45539f4..70f9f7706d 100644
--- a/source3/include/debug.h
+++ b/source3/include/debug.h
@@ -88,6 +88,7 @@ extern int DEBUGLEVEL;
#define DBGC_AUTH 10
#define DBGC_WINBIND 11
#define DBGC_VFS 12
+#define DBGC_IDMAP 13
/* So you can define DBGC_CLASS before including debug.h */
#ifndef DBGC_CLASS
diff --git a/source3/include/idmap.h b/source3/include/idmap.h
index 47114f5469..5d8e31a163 100644
--- a/source3/include/idmap.h
+++ b/source3/include/idmap.h
@@ -32,21 +32,15 @@
#define ID_NOMAP 0x10
#define ID_CACHE 0x20
-typedef union unid_t {
- uid_t uid;
- gid_t gid;
-} unid_t;
-
-struct DOM_SID;
/* Filled out by IDMAP backends */
struct idmap_methods {
/* Called when backend is first loaded */
NTSTATUS (*init)(void);
- NTSTATUS (*get_sid_from_id)(struct DOM_SID *sid, unid_t id, int id_type);
- NTSTATUS (*get_id_from_sid)(unid_t *id, int *id_type, const struct DOM_SID *sid);
- NTSTATUS (*set_mapping)(const struct DOM_SID *sid, unid_t id, int id_type);
+ NTSTATUS (*get_sid_from_id)(DOM_SID *sid, unid_t id, int id_type);
+ NTSTATUS (*get_id_from_sid)(unid_t *id, int *id_type, const DOM_SID *sid);
+ NTSTATUS (*set_mapping)(const DOM_SID *sid, unid_t id, int id_type);
/* Called when backend is unloaded */
NTSTATUS (*close)(void);
diff --git a/source3/include/includes.h b/source3/include/includes.h
index c1b84c1d35..8de1395aca 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -767,23 +767,35 @@ extern int errno;
#include "debugparse.h"
#include "version.h"
-#include "idmap.h"
+
#include "smb.h"
-#include "smbw.h"
+
#include "nameserv.h"
#include "secrets.h"
#include "byteorder.h"
+#include "privileges.h"
+
+#include "rpc_creds.h"
+
+#include "mapping.h"
+
+#include "passdb.h"
+
#include "ntdomain.h"
+#include "rpc_misc.h"
+
+#include "rpc_secdes.h"
+
+#include "nt_printing.h"
+
#include "msdfs.h"
#include "smbprofile.h"
-#include "mapping.h"
-
#include "rap.h"
#include "md5.h"
@@ -793,7 +805,11 @@ extern int errno;
#include "auth.h"
-#include "passdb.h"
+#include "idmap.h"
+
+#include "client.h"
+
+#include "smbw.h"
#include "session.h"
@@ -851,6 +867,8 @@ struct functable {
struct printjob;
+struct smb_ldap_privates;
+
/***** automatically generated prototypes *****/
#ifndef NO_PROTO_H
#include "proto.h"
@@ -898,7 +916,7 @@ struct printjob;
#define MAP_FILE 0
#endif
-#if (!defined(WITH_NISPLUS) && !defined(WITH_LDAP))
+#if (!defined(WITH_NISPLUS) && !defined(WITH_LDAP) && !defined(WITH_TDB_SAM))
#define USE_SMBPASS_DB 1
#endif
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index 06409aa34e..e14e250d34 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -3,6 +3,8 @@
passdb structures and parameters
Copyright (C) Gerald Carter 2001
Copyright (C) Luke Kenneth Casson Leighton 1998 - 2000
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Simo Sorce 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -23,6 +25,149 @@
#define _PASSDB_H
+/*
+ * bit flags representing initialized fields in SAM_ACCOUNT
+ */
+enum pdb_elements {
+ PDB_UNINIT,
+ PDB_SMBHOME,
+ PDB_PROFILE,
+ PDB_DRIVE,
+ PDB_LOGONSCRIPT,
+ PDB_LOGONTIME,
+ PDB_LOGOFFTIME,
+ PDB_KICKOFFTIME,
+ PDB_CANCHANGETIME,
+ PDB_MUSTCHANGETIME,
+ PDB_PLAINTEXT_PW,
+ PDB_USERNAME,
+ PDB_FULLNAME,
+ PDB_DOMAIN,
+ PDB_NTUSERNAME,
+ PDB_HOURSLEN,
+ PDB_LOGONDIVS,
+ PDB_USERSID,
+ PDB_GROUPSID,
+ PDB_ACCTCTRL,
+ PDB_PASSLASTSET,
+ PDB_UNIXHOMEDIR,
+ PDB_ACCTDESC,
+ PDB_WORKSTATIONS,
+ PDB_UNKNOWNSTR,
+ PDB_MUNGEDDIAL,
+ PDB_HOURS,
+ PDB_UNKNOWN3,
+ PDB_UNKNOWN5,
+ PDB_UNKNOWN6,
+ PDB_LMPASSWD,
+ PDB_NTPASSWD,
+
+ /* this must be the last element */
+ PDB_COUNT
+};
+
+enum pdb_group_elements {
+ PDB_GROUP_NAME,
+ PDB_GROUP_SID,
+ PDB_GROUP_SID_NAME_USE,
+ PDB_GROUP_MEMBERS,
+
+ /* this must be the last element */
+ PDB_GROUP_COUNT
+};
+
+
+enum pdb_value_state {
+ PDB_DEFAULT=0,
+ PDB_SET,
+ PDB_CHANGED
+};
+
+#define IS_SAM_SET(x, flag) (pdb_get_init_flags(x, flag) == PDB_SET)
+#define IS_SAM_CHANGED(x, flag) (pdb_get_init_flags(x, flag) == PDB_CHANGED)
+#define IS_SAM_DEFAULT(x, flag) (pdb_get_init_flags(x, flag) == PDB_DEFAULT)
+
+typedef struct sam_passwd
+{
+ TALLOC_CTX *mem_ctx;
+
+ void (*free_fn)(struct sam_passwd **);
+
+ struct pdb_methods *methods;
+
+ struct user_data {
+ /* initiailization flags */
+ struct bitmap *change_flags;
+ struct bitmap *set_flags;
+
+ time_t logon_time; /* logon time */
+ time_t logoff_time; /* logoff time */
+ time_t kickoff_time; /* kickoff time */
+ time_t pass_last_set_time; /* password last set time */
+ time_t pass_can_change_time; /* password can change time */
+ time_t pass_must_change_time; /* password must change time */
+
+ const char * username; /* UNIX username string */
+ const char * domain; /* Windows Domain name */
+ const char * nt_username; /* Windows username string */
+ const char * full_name; /* user's full name string */
+ const char * unix_home_dir; /* UNIX home directory string */
+ const char * home_dir; /* home directory string */
+ const char * dir_drive; /* home directory drive string */
+ const char * logon_script; /* logon script string */
+ const char * profile_path; /* profile path string */
+ const char * acct_desc ; /* user description string */
+ const char * workstations; /* login from workstations string */
+ const char * unknown_str ; /* don't know what this is, yet. */
+ const char * munged_dial ; /* munged path name and dial-back tel number */
+
+ DOM_SID user_sid; /* Primary User SID */
+ DOM_SID group_sid; /* Primary Group SID */
+
+ DATA_BLOB lm_pw; /* .data is Null if no password */
+ DATA_BLOB nt_pw; /* .data is Null if no password */
+ char* plaintext_pw; /* is Null if not available */
+
+ uint16 acct_ctrl; /* account info (ACB_xxxx bit-mask) */
+ uint32 unknown_3; /* 0x00ff ffff */
+
+ uint16 logon_divs; /* 168 - number of hours in a week */
+ uint32 hours_len; /* normally 21 bytes */
+ uint8 hours[MAX_HOURS_LEN];
+
+ uint32 unknown_5; /* 0x0002 0000 */
+ uint32 unknown_6; /* 0x0000 04ec */
+ } private;
+
+ /* Lets see if the remaining code can get the hint that you
+ are meant to use the pdb_...() functions. */
+
+} SAM_ACCOUNT;
+
+typedef struct sam_group {
+ TALLOC_CTX *mem_ctx;
+
+ void (*free_fn)(struct sam_group **);
+
+ struct pdb_methods *methods;
+
+ struct group_data {
+ /* initiailization flags */
+ struct bitmap *change_flags;
+ struct bitmap *set_flags;
+
+ const char *name; /* Windows group name string */
+
+ DOM_SID sid; /* Group SID */
+ enum SID_NAME_USE sid_name_use; /* Group type */
+
+ uint32 mem_num; /* Number of member SIDs */
+ DOM_SID *members; /* SID array */
+ } private;
+
+} SAM_GROUP;
+
+
/*****************************************************************
Functions to be implemented by the new (v2) passdb API
****************************************************************/
@@ -51,7 +196,7 @@ typedef struct pdb_context
NTSTATUS (*pdb_getsampwnam)(struct pdb_context *, SAM_ACCOUNT *sam_acct, const char *username);
NTSTATUS (*pdb_getsampwsid)(struct pdb_context *, SAM_ACCOUNT *sam_acct, const DOM_SID *sid);
-
+
NTSTATUS (*pdb_add_sam_account)(struct pdb_context *, SAM_ACCOUNT *sampass);
NTSTATUS (*pdb_update_sam_account)(struct pdb_context *, SAM_ACCOUNT *sampass);
@@ -104,7 +249,7 @@ typedef struct pdb_methods
NTSTATUS (*getsampwnam)(struct pdb_methods *, SAM_ACCOUNT *sam_acct, const char *username);
- NTSTATUS (*getsampwsid)(struct pdb_methods *, SAM_ACCOUNT *sam_acct, const DOM_SID *Sid);
+ NTSTATUS (*getsampwsid)(struct pdb_methods *, SAM_ACCOUNT *sam_acct, const DOM_SID *sid);
NTSTATUS (*add_sam_account)(struct pdb_methods *, SAM_ACCOUNT *sampass);
diff --git a/source3/include/rpc_lsa.h b/source3/include/rpc_lsa.h
index 33dde6e3cb..135fd76d6c 100644
--- a/source3/include/rpc_lsa.h
+++ b/source3/include/rpc_lsa.h
@@ -647,26 +647,6 @@ typedef struct lsa_q_enumprivsaccount
POLICY_HND pol; /* policy handle */
} LSA_Q_ENUMPRIVSACCOUNT;
-
-typedef struct LUID
-{
- uint32 low;
- uint32 high;
-} LUID;
-
-typedef struct LUID_ATTR
-{
- LUID luid;
- uint32 attr;
-} LUID_ATTR ;
-
-typedef struct privilege_set
-{
- uint32 count;
- uint32 control;
- LUID_ATTR *set;
-} PRIVILEGE_SET;
-
typedef struct lsa_r_enumprivsaccount
{
uint32 ptr;
diff --git a/source3/include/rpc_misc.h b/source3/include/rpc_misc.h
index d04a84d508..a0572a0bfd 100644
--- a/source3/include/rpc_misc.h
+++ b/source3/include/rpc_misc.h
@@ -227,6 +227,22 @@ typedef struct
UNISTR2_ARRAY_EL *strings;
} UNISTR2_ARRAY;
+
+/* an element in a sid array */
+typedef struct
+{
+ uint32 ref_id;
+ DOM_SID2 sid;
+} SID_ARRAY_EL;
+
+/* an array of sids */
+typedef struct
+{
+ uint32 ref_id;
+ uint32 count;
+ SID_ARRAY_EL *sids;
+} SID_ARRAY;
+
/* DOM_RID2 - domain RID structure for ntlsa pipe */
typedef struct domrid2_info
{
diff --git a/source3/include/smb.h b/source3/include/smb.h
index bba5d5cd52..4dacf79a13 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -155,6 +155,11 @@ typedef int BOOL;
#include "doserr.h"
+typedef union unid_t {
+ uid_t uid;
+ gid_t gid;
+} unid_t;
+
/*
* SMB UCS2 (16-bit unicode) internal type.
*/
@@ -260,7 +265,7 @@ enum SID_NAME_USE
*
* @sa http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/accctrl_38yn.asp
**/
-typedef struct DOM_SID
+typedef struct sid_info
{
uint8 sid_rev_num; /**< SID revision number */
uint8 num_auths; /**< Number of sub-authorities */
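Review bot: Renaming the struct tag from `DOM_SID` to `sid_info` silently breaks every forward declaration `struct DOM_SID;` elsewhere in the tree; this commit removes the one in idmap.h and rewrites its prototypes to use the typedef, but any other header that still forward-declares the tag will now name an unrelated incomplete type and fail only at the first dereference. A grep for `struct DOM_SID` before merging is cheap, and a comment on the typedef, `/* tag renamed from DOM_SID; use the DOM_SID typedef, never the struct tag */`, would prevent the pattern from coming back. The typedef continues outside this hunk.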
@@ -582,122 +587,6 @@ typedef struct {
#define LM_HASH_LEN 16
/*
- * bit flags representing initialized fields in SAM_ACCOUNT
- */
-enum pdb_elements {
- PDB_UNINIT,
- PDB_UID,
- PDB_GID,
- PDB_SMBHOME,
- PDB_PROFILE,
- PDB_DRIVE,
- PDB_LOGONSCRIPT,
- PDB_LOGONTIME,
- PDB_LOGOFFTIME,
- PDB_KICKOFFTIME,
- PDB_CANCHANGETIME,
- PDB_MUSTCHANGETIME,
- PDB_PLAINTEXT_PW,
- PDB_USERNAME,
- PDB_FULLNAME,
- PDB_DOMAIN,
- PDB_NTUSERNAME,
- PDB_HOURSLEN,
- PDB_LOGONDIVS,
- PDB_USERSID,
- PDB_GROUPSID,
- PDB_ACCTCTRL,
- PDB_PASSLASTSET,
- PDB_UNIXHOMEDIR,
- PDB_ACCTDESC,
- PDB_WORKSTATIONS,
- PDB_UNKNOWNSTR,
- PDB_MUNGEDDIAL,
- PDB_HOURS,
- PDB_UNKNOWN3,
- PDB_UNKNOWN5,
- PDB_UNKNOWN6,
- PDB_LMPASSWD,
- PDB_NTPASSWD,
-
- /* this must be the last element */
- PDB_COUNT
-};
-
-enum pdb_value_state {
- PDB_DEFAULT=0,
- PDB_SET,
- PDB_CHANGED
-};
-
-#define IS_SAM_UNIX_USER(x) \
- (( pdb_get_init_flags(x, PDB_UID) != PDB_DEFAULT ) \
- && ( pdb_get_init_flags(x,PDB_GID) != PDB_DEFAULT ))
-
-#define IS_SAM_SET(x, flag) (pdb_get_init_flags(x, flag) == PDB_SET)
-#define IS_SAM_CHANGED(x, flag) (pdb_get_init_flags(x, flag) == PDB_CHANGED)
-#define IS_SAM_DEFAULT(x, flag) (pdb_get_init_flags(x, flag) == PDB_DEFAULT)
-
-typedef struct sam_passwd
-{
- TALLOC_CTX *mem_ctx;
-
- void (*free_fn)(struct sam_passwd **);
-
- struct pdb_methods *methods;
-
- struct user_data {
- /* initiailization flags */
- struct bitmap *change_flags;
- struct bitmap *set_flags;
-
- time_t logon_time; /* logon time */
- time_t logoff_time; /* logoff time */
- time_t kickoff_time; /* kickoff time */
- time_t pass_last_set_time; /* password last set time */
- time_t pass_can_change_time; /* password can change time */
- time_t pass_must_change_time; /* password must change time */
-
- const char * username; /* UNIX username string */
- const char * domain; /* Windows Domain name */
- const char * nt_username; /* Windows username string */
- const char * full_name; /* user's full name string */
- const char * unix_home_dir; /* UNIX home directory string */
- const char * home_dir; /* home directory string */
- const char * dir_drive; /* home directory drive string */
- const char * logon_script; /* logon script string */
- const char * profile_path; /* profile path string */
- const char * acct_desc ; /* user description string */
- const char * workstations; /* login from workstations string */
- const char * unknown_str ; /* don't know what this is, yet. */
- const char * munged_dial ; /* munged path name and dial-back tel number */
-
- uid_t uid; /* this is a unix uid_t */
- gid_t gid; /* this is a unix gid_t */
- DOM_SID user_sid; /* Primary User SID */
- DOM_SID group_sid; /* Primary Group SID */
-
- DATA_BLOB lm_pw; /* .data is Null if no password */
- DATA_BLOB nt_pw; /* .data is Null if no password */
- char* plaintext_pw; /* is Null if not available */
-
- uint16 acct_ctrl; /* account info (ACB_xxxx bit-mask) */
- uint32 unknown_3; /* 0x00ff ffff */
-
- uint16 logon_divs; /* 168 - number of hours in a week */
- uint32 hours_len; /* normally 21 bytes */
- uint8 hours[MAX_HOURS_LEN];
-
- uint32 unknown_5; /* 0x0002 0000 */
- uint32 unknown_6; /* 0x0000 04ec */
- } private;
-
- /* Lets see if the remaining code can get the hint that you
- are meant to use the pdb_...() functions. */
-
-} SAM_ACCOUNT;
-
-/*
* Flags for account policy.
*/
#define AP_MIN_PASSWORD_LEN 1
@@ -1628,11 +1517,6 @@ struct pwd_info
uchar sess_key[16];
};
-#include "rpc_creds.h"
-#include "rpc_misc.h"
-#include "rpc_secdes.h"
-#include "nt_printing.h"
-
typedef struct user_struct
{
struct user_struct *next, *prev;
@@ -1672,9 +1556,11 @@ struct unix_error_map {
NTSTATUS nt_error;
};
+/*
#include "ntdomain.h"
#include "client.h"
+*/
/*
* Size of new password account encoding string. This is enough space to
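Review bot: The `#include "ntdomain.h"` and `#include "client.h"` lines are wrapped in a `/* ... */` block rather than deleted, leaving commented-out code in a central header. The previous hunk in this file removes the rpc_creds.h, rpc_misc.h, rpc_secdes.h and nt_printing.h includes outright; the same treatment here keeps smb.h consistent, and if these are expected to return, an `#if 0` with a one-line reason reads better than a bare comment.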
diff --git a/source3/lib/debug.c b/source3/lib/debug.c
index dc675037a0..fdbd54fafb 100644
--- a/source3/lib/debug.c
+++ b/source3/lib/debug.c
@@ -154,6 +154,7 @@ static const char *default_classname_table[] = {
"auth", /* DBGC_AUTH */
"winbind", /* DBGC_WINBIND */
"vfs", /* DBGC_VFS */
+ "idmap", /* DBGC_IDMAP */
NULL
};
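Review bot: `default_classname_table` is indexed positionally by the DBGC_* enum, so the new `"idmap"` entry is correct only if DBGC_IDMAP was added directly after DBGC_VFS in include/debug.h; that change is not in this hunk (the diffstat shows a one-line change to debug.h). Worth confirming the positions match, since a mismatch mislabels debug classes silently instead of failing to compile.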
diff --git a/source3/lib/readline.c b/source3/lib/readline.c
index 8b90c32c7f..ceb02ef749 100644
--- a/source3/lib/readline.c
+++ b/source3/lib/readline.c
@@ -116,6 +116,29 @@ char *smb_readline(char *prompt, void (*callback)(void),
}
/****************************************************************************
+ * return line buffer text
+ ****************************************************************************/
+const char *smb_readline_get_line_buffer(void)
+{
+#if defined(HAVE_LIBREADLINE)
+ return rl_line_buffer;
+#else
+ return NULL;
+#endif
+}
+
+
+/****************************************************************************
+ * set completion append character
+ ***************************************************************************/
+void smb_readline_ca_char(char c)
+{
+#if defined(HAVE_LIBREADLINE)
+ rl_completion_append_character = c;
+#endif
+}
+
+/****************************************************************************
history
****************************************************************************/
int cmd_history(void)
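Review bot: `smb_readline_get_line_buffer()` returns NULL whenever HAVE_LIBREADLINE is not defined and `smb_readline_ca_char()` becomes a silent no-op, but the header comments say only "return line buffer text" and "set completion append character". Callers need the NULL case spelled out; `/* returns NULL when built without libreadline */` on the first and `/* no-op when built without libreadline */` on the second would document the contract where it is defined.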
@@ -135,3 +158,4 @@ int cmd_history(void)
return 0;
}
+
diff --git a/source3/lib/snprintf.c b/source3/lib/snprintf.c
index 02cf782520..4aef82c7d8 100644
--- a/source3/lib/snprintf.c
+++ b/source3/lib/snprintf.c
@@ -83,6 +83,12 @@
* Remove NO_CONFIG_H so that the test case can be built within a source
* tree with less trouble.
* Remove unnecessary SAFE_FREE() definition.
+ *
+ * Martin Pool (mbp@samba.org) May 2003
+ * Put in a prototype for dummy_snprintf() to quiet compiler warnings.
+ *
+ * Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
+ * if the C library has some snprintf functions already.
**************************************************************/
#ifndef NO_CONFIG_H
@@ -123,8 +129,9 @@
/* only include stdio.h if we are not re-defining snprintf or vsnprintf */
#include <stdio.h>
/* make the compiler happy with an empty file */
+ void dummy_snprintf(void);
void dummy_snprintf(void) {}
-#else
+#endif /* HAVE_SNPRINTF, etc */
#ifdef HAVE_LONG_DOUBLE
#define LDOUBLE long double
@@ -144,7 +151,6 @@
#else
#define VA_COPY(dest, src) (dest) = (src)
#endif
-#endif
static size_t dopr(char *buffer, size_t maxlen, const char *format,
va_list args_in);
diff --git a/source3/lib/username.c b/source3/lib/username.c
index b8f33494ee..d8f4ff80ed 100644
--- a/source3/lib/username.c
+++ b/source3/lib/username.c
@@ -339,7 +339,7 @@ static BOOL user_in_winbind_group_list(const char *user, const char *gname, BOOL
goto err;
}
- if (!lp_winbind_gid(&gid_low, &gid_high)) {
+ if (!lp_idmap_gid(&gid_low, &gid_high)) {
DEBUG(4, ("winbind gid range not configured, therefore %s cannot be a winbind group\n", gname));
goto err;
}
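Review bot: The call is renamed to `lp_idmap_gid()` but the DEBUG text on the following line still says "winbind gid range not configured", so the log now points administrators at a parameter name this commit turns into a hidden alias. The same stale wording remains in winbindd_util.c (winbindd_param_init, "winbind uid range missing or invalid" and "winbind gid range missing or invalid"). Suggest `DEBUG(4, ("idmap gid range not configured, therefore %s cannot be a winbind group\n", gname));` here and matching wording there. user_in_winbind_group_list continues outside the hunk.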
diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c
index fb6f67625c..c7e45e5429 100644
--- a/source3/nsswitch/winbindd.c
+++ b/source3/nsswitch/winbindd.c
@@ -128,7 +128,6 @@ static void winbindd_status(void)
static void print_winbindd_status(void)
{
winbindd_status();
- winbindd_idmap_status();
winbindd_cm_status();
}
@@ -146,7 +145,7 @@ static void terminate(void)
{
pstring path;
- winbindd_idmap_close();
+ idmap_close();
/* Remove socket file */
snprintf(path, sizeof(path), "%s/%s",
@@ -834,9 +833,12 @@ int main(int argc, char **argv)
/* Winbind daemon initialisation */
- if (!winbindd_idmap_init())
+ if (!idmap_init())
return 1;
+ if (!idmap_init_wellknown_sids())
+ exit(1);
+
/* Unblock all signals we are interested in as they may have been
blocked by the parent process. */
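Review bot: The two initialisation checks fail differently: `idmap_init()` failure does `return 1` while `idmap_init_wellknown_sids()` failure calls `exit(1)`, and neither logs why winbindd stopped. Whether exit() and return behave the same at this point depends on code outside the hunk, but a uniform `if (!idmap_init_wellknown_sids()) { DEBUG(0, ("idmap_init_wellknown_sids failed\n")); return 1; }` keeps the startup path consistent and leaves an explanation in the log.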
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c
index 5eabcfca20..dc40142a77 100644
--- a/source3/nsswitch/winbindd_cache.c
+++ b/source3/nsswitch/winbindd_cache.c
@@ -100,7 +100,12 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain)
ret = smb_xmalloc(sizeof(*ret));
ZERO_STRUCTP(ret);
- switch (lp_security()) {
+ switch (lp_security()) { /* winbind pdc disabled until ready
+ if (!strcmp(domain->name, lp_workgroup()) && (lp_security() == SEC_USER)) {
+ extern struct winbindd_methods passdb_methods;
+ ret->backend = &passdb_methods;
+
+ } else switch (lp_security()) { */
#ifdef HAVE_ADS
case SEC_ADS: {
extern struct winbindd_methods ads_methods;
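Review bot: The `/* winbind pdc disabled until ready ... */` comment opens on the `switch` line itself and carries a commented-out code path selecting `passdb_methods`, which is dead code embedded in a live statement and easy to misread as active. If the passdb backend selection is to stay parked, an `#if 0 ... #endif` on its own lines with the reason, or a TODO naming what "ready" means, is clearer. This matters because the same commit removes the "fail if we are a PDC and this is our domain" guards in winbindd_group.c and winbindd_sid.c and drops the `lp_server_role() != ROLE_DOMAIN_PDC` condition in winbindd_util.c's add_trusted_domain, so on a PDC own-domain requests now fall through to the cache/RPC backend rather than passdb; confirm that is the intended interim behaviour.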
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index b3ded2a2f4..14ebb78466 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -193,8 +193,8 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
enum SID_NAME_USE name_type;
fstring name_domain, name_group;
char *tmp, *gr_mem;
- gid_t gid;
int gr_mem_len;
+ gid_t gid;
/* Ensure null termination */
state->request.data.groupname[sizeof(state->request.data.groupname)-1]='\0';
@@ -210,11 +210,6 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
if (!parse_domain_user(tmp, name_domain, name_group))
return WINBINDD_ERROR;
- /* fail if we are a PDC and this is our domain; should be done by passdb */
-
- if ( lp_server_role() == ROLE_DOMAIN_PDC && 0==StrCaseCmp( domain->name, lp_workgroup()) )
- return WINBINDD_ERROR;
-
/* Get info for the domain */
if ((domain = find_domain_from_name(name_domain)) == NULL) {
@@ -238,7 +233,7 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
return WINBINDD_ERROR;
}
- if (!winbindd_idmap_get_gid_from_sid(&group_sid, &gid)) {
+ if (NT_STATUS_IS_ERR(sid_to_gid(&group_sid, &gid))) {
DEBUG(1, ("error converting unix gid to sid\n"));
return WINBINDD_ERROR;
}
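Review bot: `NT_STATUS_IS_ERR()` is the test used for every converted idmap call in this commit, but if it is the severity-bit check (true only for error-class codes) that Samba defines it as, a warning- or informational-severity status from `sid_to_gid()` counts as success here while `gid` is left unset. The conventional form in this codebase is `if (!NT_STATUS_IS_OK(sid_to_gid(&group_sid, &gid))) {`, which fails on anything other than success. The same applies to the other converted sites: winbindd_getgrgid, winbindd_getgrent and winbindd_getgroups below, and the calls in winbindd_sid.c, winbindd_user.c, pam_smbpass/pam_smb_passwd.c and pam_smbpass/support.c. winbindd_getgrnam continues outside the hunk.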
@@ -283,8 +278,7 @@ enum winbindd_result winbindd_getgrgid(struct winbindd_cli_state *state)
return WINBINDD_ERROR;
/* Get rid from gid */
-
- if (!winbindd_idmap_get_sid_from_gid(state->request.data.gid, &group_sid)) {
+ if (NT_STATUS_IS_ERR(uid_to_sid(&group_sid, state->request.data.gid))) {
DEBUG(1, ("could not convert gid %d to rid\n",
state->request.data.gid));
return WINBINDD_ERROR;
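Review bot: `uid_to_sid(&group_sid, state->request.data.gid)` pushes a gid through the uid converter; the replaced call was `winbindd_idmap_get_sid_from_gid`, and the parallel change in winbindd_sid.c's winbindd_gid_to_sid uses `gid_to_sid`. As written, a getgrgid lookup would return whatever SID the idmap holds for the same numeric value in the uid space, potentially a user's SID handed back as a group, so this should read `if (NT_STATUS_IS_ERR(gid_to_sid(&group_sid, state->request.data.gid))) {`. winbindd_getgrgid continues outside the hunk.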
@@ -410,9 +404,6 @@ static BOOL get_sam_group_entries(struct getent_state *ent)
if (ent->got_sam_entries)
return False;
-
- if ( lp_server_role() == ROLE_DOMAIN_PDC && 0==StrCaseCmp(lp_workgroup(), ent->domain_name))
- return False;
if (!(mem_ctx = talloc_init("get_sam_group_entries(%s)",
ent->domain_name))) {
@@ -598,9 +589,7 @@ enum winbindd_result winbindd_getgrent(struct winbindd_cli_state *state)
sid_copy(&group_sid, &domain->sid);
sid_append_rid(&group_sid, name_list[ent->sam_entry_index].rid);
- if (!winbindd_idmap_get_gid_from_sid(
- &group_sid,
- &group_gid)) {
+ if (NT_STATUS_IS_ERR(sid_to_gid(&group_sid, &group_gid))) {
DEBUG(1, ("could not look up gid for group %s\n",
name_list[ent->sam_entry_index].acct_name));
@@ -749,11 +738,6 @@ enum winbindd_result winbindd_list_groups(struct winbindd_cli_state *state)
for (domain = domain_list(); domain; domain = domain->next) {
struct getent_state groups;
-
- /* fail if we are a PDC and this is our domain; should be done by passdb */
-
- if ( lp_server_role() == ROLE_DOMAIN_PDC && 0==StrCaseCmp( domain->name, lp_workgroup()) )
- continue;
ZERO_STRUCT(groups);
@@ -846,11 +830,6 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
name_user))
goto done;
- /* fail if we are a PDC and this is our domain; should be done by passdb */
-
- if ( lp_server_role() == ROLE_DOMAIN_PDC && 0==StrCaseCmp( name_domain, lp_workgroup()) )
- return WINBINDD_ERROR;
-
/* Get info for the domain */
if ((domain = find_domain_from_name(name_domain)) == NULL) {
@@ -887,16 +866,16 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
goto done;
for (i = 0; i < num_groups; i++) {
- if (!winbindd_idmap_get_gid_from_sid(
- user_gids[i],
- &gid_list[num_gids])) {
+ gid_t gid;
+
+ if (NT_STATUS_IS_ERR(sid_to_gid(user_gids[i], &gid))) {
fstring sid_string;
DEBUG(1, ("unable to convert group sid %s to gid\n",
sid_to_string(sid_string, user_gids[i])));
continue;
}
-
+ gid_list[num_gids] = gid;
num_gids++;
}
diff --git a/source3/nsswitch/winbindd_sid.c b/source3/nsswitch/winbindd_sid.c
index 41bda7e5bc..f5dd904dc1 100644
--- a/source3/nsswitch/winbindd_sid.c
+++ b/source3/nsswitch/winbindd_sid.c
@@ -98,11 +98,6 @@ enum winbindd_result winbindd_lookupname(struct winbindd_cli_state *state)
name_domain = state->request.data.name.dom_name;
name_user = state->request.data.name.name;
- /* fail if we are a PDC and this is our domain; should be done by passdb */
-
- if ( lp_server_role() == ROLE_DOMAIN_PDC && 0==StrCaseCmp( name_domain, lp_workgroup()) )
- return WINBINDD_ERROR;
-
if ((domain = find_domain_from_name(name_domain)) == NULL) {
DEBUG(0, ("could not find domain entry for domain %s\n",
name_domain));
@@ -142,7 +137,7 @@ enum winbindd_result winbindd_sid_to_uid(struct winbindd_cli_state *state)
}
/* Find uid for this sid and return it */
- if (!winbindd_idmap_get_uid_from_sid(&sid, &state->response.data.uid)) {
+ if (NT_STATUS_IS_ERR(sid_to_uid(&sid, &(state->response.data.uid)))) {
DEBUG(1, ("Could not get uid for sid %s\n",
state->request.data.sid));
return WINBINDD_ERROR;
@@ -171,7 +166,7 @@ enum winbindd_result winbindd_sid_to_gid(struct winbindd_cli_state *state)
}
/* Find gid for this sid and return it */
- if (!winbindd_idmap_get_gid_from_sid(&sid, &state->response.data.gid)) {
+ if (NT_STATUS_IS_ERR(sid_to_gid(&sid, &(state->response.data.gid)))) {
DEBUG(1, ("Could not get gid for sid %s\n",
state->request.data.sid));
return WINBINDD_ERROR;
@@ -197,7 +192,7 @@ enum winbindd_result winbindd_uid_to_sid(struct winbindd_cli_state *state)
state->request.data.uid));
/* Lookup rid for this uid */
- if (!winbindd_idmap_get_sid_from_uid(state->request.data.uid, &sid)) {
+ if (NT_STATUS_IS_ERR(uid_to_sid(&sid, state->request.data.uid))) {
DEBUG(1, ("Could not convert uid %d to rid\n",
state->request.data.uid));
return WINBINDD_ERROR;
@@ -226,7 +221,7 @@ enum winbindd_result winbindd_gid_to_sid(struct winbindd_cli_state *state)
state->request.data.gid));
/* Lookup sid for this uid */
- if (!winbindd_idmap_get_sid_from_gid(state->request.data.gid, &sid)) {
+ if (NT_STATUS_IS_ERR(gid_to_sid(&sid, state->request.data.gid))) {
DEBUG(1, ("Could not convert gid %d to sid\n",
state->request.data.gid));
return WINBINDD_ERROR;
diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c
index d2bd231918..dc07bc42e7 100644
--- a/source3/nsswitch/winbindd_user.c
+++ b/source3/nsswitch/winbindd_user.c
@@ -41,17 +41,15 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name,
return False;
/* Resolve the uid number */
-
- if (!winbindd_idmap_get_uid_from_sid(user_sid,
- &pw->pw_uid)) {
+
+ if (NT_STATUS_IS_ERR(sid_to_uid(user_sid, &(pw->pw_uid)))) {
DEBUG(1, ("error getting user id for sid %s\n", sid_to_string(sid_string, user_sid)));
return False;
}
/* Resolve the gid number */
-
- if (!winbindd_idmap_get_gid_from_sid(group_sid,
- &pw->pw_gid)) {
+
+ if (NT_STATUS_IS_ERR(sid_to_gid(group_sid, &(pw->pw_gid)))) {
DEBUG(1, ("error getting group id for sid %s\n", sid_to_string(sid_string, group_sid)));
return False;
}
@@ -178,9 +176,9 @@ enum winbindd_result winbindd_getpwuid(struct winbindd_cli_state *state)
fstring user_name;
enum SID_NAME_USE name_type;
WINBIND_USERINFO user_info;
- gid_t gid;
TALLOC_CTX *mem_ctx;
NTSTATUS status;
+ gid_t gid;
/* Bug out if the uid isn't in the winbind range */
@@ -193,8 +191,7 @@ enum winbindd_result winbindd_getpwuid(struct winbindd_cli_state *state)
/* Get rid from uid */
- if (!winbindd_idmap_get_sid_from_uid(state->request.data.uid,
- &user_sid)) {
+ if (NT_STATUS_IS_ERR(uid_to_sid(&user_sid, state->request.data.uid))) {
DEBUG(1, ("could not convert uid %d to SID\n",
state->request.data.uid));
return WINBINDD_ERROR;
@@ -236,9 +233,9 @@ enum winbindd_result winbindd_getpwuid(struct winbindd_cli_state *state)
return WINBINDD_ERROR;
}
- /* Resolve gid number */
+ /* Check group has a gid number */
- if (!winbindd_idmap_get_gid_from_sid(user_info.group_sid, &gid)) {
+ if (NT_STATUS_IS_ERR(sid_to_gid(user_info.group_sid, &gid))) {
DEBUG(1, ("error getting group id for user %s\n", user_name));
talloc_destroy(mem_ctx);
return WINBINDD_ERROR;
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index ef030e2c7b..ac0b317b42 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -126,7 +126,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
/* see if this is a native mode win2k domain, but only for our own domain */
- if ( lp_server_role() != ROLE_DOMAIN_PDC && strequal( lp_workgroup(), domain_name) ) {
+ if ( strequal( lp_workgroup(), domain_name) ) {
domain->native_mode = cm_check_for_native_mode_win2k( domain_name );
DEBUG(3,("add_trusted_domain: %s is a %s mode domain\n", domain_name,
domain->native_mode ? "native" : "mixed" ));
@@ -211,7 +211,6 @@ BOOL init_domain_list(void)
/* Add ourselves as the first entry */
domain = add_trusted_domain(lp_workgroup(), NULL, &cache_methods, NULL);
-
if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) {
DEBUG(1, ("Could not fetch sid for our domain %s\n",
domain->name));
@@ -220,7 +219,7 @@ BOOL init_domain_list(void)
/* get any alternate name for the primary domain */
cache_methods.alternate_name(domain);
-
+
/* do an initial scan for trusted domains */
rescan_trusted_domains(True);
@@ -381,12 +380,12 @@ BOOL winbindd_param_init(void)
{
/* Parse winbind uid and winbind_gid parameters */
- if (!lp_winbind_uid(&server_state.uid_low, &server_state.uid_high)) {
+ if (!lp_idmap_uid(&server_state.uid_low, &server_state.uid_high)) {
DEBUG(0, ("winbind uid range missing or invalid\n"));
return False;
}
- if (!lp_winbind_gid(&server_state.gid_low, &server_state.gid_high)) {
+ if (!lp_idmap_gid(&server_state.gid_low, &server_state.gid_high)) {
DEBUG(0, ("winbind gid range missing or invalid\n"));
return False;
}
diff --git a/source3/pam_smbpass/pam_smb_passwd.c b/source3/pam_smbpass/pam_smb_passwd.c
index 9e75efccf4..78b89c60b7 100644
--- a/source3/pam_smbpass/pam_smb_passwd.c
+++ b/source3/pam_smbpass/pam_smb_passwd.c
@@ -295,14 +295,21 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
retval = smb_update_db(pamh, ctrl, user, pass_new);
if (retval == PAM_SUCCESS) {
+ uid_t uid;
+
/* password updated */
- _log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)"
- , user, pdb_get_uid(sampass), uidtoname( getuid() )
- , getuid() );
- } else {
- _log_err( LOG_ERR, "password change failed for user %s"
- , user );
- }
+ if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid))) {
+ _log_err( LOG_NOTICE, "Unable to get uid for user %s",
+ pdb_get_username(sampass));
+ _log_err( LOG_NOTICE, "password for (%s) changed by (%s/%d)",
+ user, uidtoname(getuid()), getuid());
+ } else {
+ _log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)",
+ user, uid, uidtoname(getuid()), getuid());
+ }
+ } else {
+ _log_err( LOG_ERR, "password change failed for user %s", user);
+ }
pass_old = pass_new = NULL;
if (sampass) {
diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c
index 11de306d13..62cc866fae 100644
--- a/source3/pam_smbpass/support.c
+++ b/source3/pam_smbpass/support.c
@@ -308,7 +308,6 @@ void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass,
const char *p, unsigned int ctrl )
{
- uchar hash_pass[16];
uchar lm_pw[16];
uchar nt_pw[16];
int retval = PAM_AUTH_ERR;
@@ -339,11 +338,8 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass,
const char *service;
pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , pdb_get_uid(sampass) );
+ _log_err( LOG_NOTICE, "failed auth request by %s for service %s as %s",
+ uidtoname(getuid()), service ? service : "**unknown**", name);
return PAM_AUTH_ERR;
}
}
@@ -397,32 +393,34 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass,
retval = PAM_MAXTRIES;
}
} else {
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , pdb_get_uid(sampass) );
+ _log_err(LOG_NOTICE,
+ "failed auth request by %s for service %s as %s",
+ uidtoname(getuid()),
+ service ? service : "**unknown**", name);
new->count = 1;
}
+ if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &(new->id)))) {
+ _log_err(LOG_NOTICE,
+ "failed auth request by %s for service %s as %s",
+ uidtoname(getuid()),
+ service ? service : "**unknown**", name);
+ }
new->user = smbpXstrDup( name );
- new->id = pdb_get_uid(sampass);
new->agent = smbpXstrDup( uidtoname( getuid() ) );
pam_set_data( pamh, data_name, new, _cleanup_failures );
} else {
_log_err( LOG_CRIT, "no memory for failure recorder" );
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , pdb_get_uid(sampass) );
+ _log_err(LOG_NOTICE,
+ "failed auth request by %s for service %s as %s(%d)",
+ uidtoname(getuid()),
+ service ? service : "**unknown**", name);
}
} else {
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , pdb_get_uid(sampass) );
+ _log_err(LOG_NOTICE,
+ "failed auth request by %s for service %s as %s(%d)",
+ uidtoname(getuid()),
+ service ? service : "**unknown**", name);
retval = PAM_AUTH_ERR;
}
}
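Review bot: Two of the rewritten `_log_err` calls still carry `(%d)` in the format string after the `pdb_get_uid(sampass)` argument was dropped — the one following "no memory for failure recorder" and the one in the final `else` branch — so syslog will consume a vararg that was never passed. The first two rewritten sites in this hunk already dropped it; these two should match them: `"failed auth request by %s for service %s as %s",`. Separately, when `sid_to_uid()` fails `new->id` is now left unassigned (the old code set it unconditionally from `pdb_get_uid`) and the message logged is the generic "failed auth request" line rather than one saying the SID could not be mapped; setting `new->id = (uid_t)-1;` in that branch and logging the mapping failure keeps the failure record well-defined. _smb_verify_password continues outside the hunk.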
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 45c95d1258..5740ce1b70 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -8,6 +8,7 @@
Copyright (C) Simo Sorce 2001
Copyright (C) Alexander Bokovoy 2002
Copyright (C) Stefan (metze) Metzmacher 2002
+ Copyright (C) Anthony Liguori 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -163,10 +164,11 @@ typedef struct
BOOL bUtmp;
#endif
char *szSourceEnv;
- char *szWinbindUID;
- char *szWinbindGID;
+ char *szIdmapUID;
+ char *szIdmapGID;
+ BOOL *bIdmapOnly;
char *szNonUnixAccountRange;
- BOOL bAlgorithmicRidBase;
+ int AlgorithmicRidBase;
char *szTemplateHomedir;
char *szTemplateShell;
char *szWinbindSeparator;
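Review bot: `BOOL *bIdmapOnly;` declares a pointer, but every other use in this commit treats it as a plain flag: the parm_table entry is `P_BOOL` with `&Globals.bIdmapOnly`, init_globals assigns `Globals.bIdmapOnly = False;`, and `FN_GLOBAL_BOOL(lp_idmap_only, ...)` returns it as a BOOL. The parameter loader will write a BOOL into the first bytes of a pointer-sized slot and lp_idmap_only() will report part of the pointer's value, so the field should be `BOOL bIdmapOnly;`.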
@@ -174,6 +176,7 @@ typedef struct
BOOL bWinbindEnumGroups;
BOOL bWinbindUseDefaultDomain;
char *szWinbindBackend;
+ char *szIdmapBackend;
char *szAddShareCommand;
char *szChangeShareCommand;
char *szDeleteShareCommand;
@@ -550,8 +553,8 @@ static BOOL handle_include(const char *pszParmValue, char **ptr);
static BOOL handle_copy(const char *pszParmValue, char **ptr);
static BOOL handle_source_env(const char *pszParmValue, char **ptr);
static BOOL handle_netbios_name(const char *pszParmValue, char **ptr);
-static BOOL handle_winbind_uid(const char *pszParmValue, char **ptr);
-static BOOL handle_winbind_gid(const char *pszParmValue, char **ptr);
+static BOOL handle_idmap_uid(const char *pszParmValue, char **ptr);
+static BOOL handle_idmap_gid(const char *pszParmValue, char **ptr);
static BOOL handle_debug_list( const char *pszParmValue, char **ptr );
static BOOL handle_workgroup( const char *pszParmValue, char **ptr );
static BOOL handle_netbios_aliases( const char *pszParmValue, char **ptr );
@@ -759,7 +762,7 @@ static struct parm_struct parm_table[] = {
{"smb passwd file", P_STRING, P_GLOBAL, &Globals.szSMBPasswdFile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"private dir", P_STRING, P_GLOBAL, &Globals.szPrivateDir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"passdb backend", P_LIST, P_GLOBAL, &Globals.szPassdbBackend, NULL, NULL, FLAG_ADVANCED | FLAG_WIZARD | FLAG_DEVELOPER},
- {"algorithmic rid base", P_INTEGER, P_GLOBAL, &Globals.bAlgorithmicRidBase, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"algorithmic rid base", P_INTEGER, P_GLOBAL, &Globals.AlgorithmicRidBase, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"root directory", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"root dir", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"root", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, FLAG_HIDE | FLAG_DEVELOPER},
@@ -1113,8 +1116,12 @@ static struct parm_struct parm_table[] = {
{"Winbind options", P_SEP, P_SEPARATOR},
- {"winbind uid", P_STRING, P_GLOBAL, &Globals.szWinbindUID, handle_winbind_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
- {"winbind gid", P_STRING, P_GLOBAL, &Globals.szWinbindGID, handle_winbind_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"idmap only", P_BOOL, P_GLOBAL, &Globals.bIdmapOnly, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"idmap backend", P_STRING, P_GLOBAL, &Globals.szIdmapBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"idmap uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"winbind uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER | FLAG_HIDE},
+ {"idmap gid", P_STRING, P_GLOBAL, &Globals.szIdmapGID, handle_idmap_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"winbind gid", P_STRING, P_GLOBAL, &Globals.szIdmapGID, handle_idmap_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER | FLAG_HIDE},
{"template homedir", P_STRING, P_GLOBAL, &Globals.szTemplateHomedir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"template shell", P_STRING, P_GLOBAL, &Globals.szTemplateShell, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"winbind separator", P_STRING, P_GLOBAL, &Globals.szWinbindSeparator, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
@@ -1122,7 +1129,6 @@ static struct parm_struct parm_table[] = {
{"winbind enum users", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumUsers, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"winbind enum groups", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumGroups, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"winbind use default domain", P_BOOL, P_GLOBAL, &Globals.bWinbindUseDefaultDomain, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
- {"winbind backend", P_STRING, P_GLOBAL, &Globals.szWinbindBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{NULL, P_BOOL, P_NONE, NULL, NULL, NULL, 0}
};
@@ -1311,7 +1317,7 @@ static void init_globals(void)
string_set(&Globals.szNameResolveOrder, "lmhosts wins host bcast");
string_set(&Globals.szPasswordServer, "*");
- Globals.bAlgorithmicRidBase = BASE_RID;
+ Globals.AlgorithmicRidBase = BASE_RID;
Globals.bLoadPrinters = True;
Globals.mangled_stack = 50;
@@ -1458,7 +1464,7 @@ static void init_globals(void)
Globals.bWinbindEnumGroups = True;
Globals.bWinbindUseDefaultDomain = False;
- string_set(&Globals.szWinbindBackend, "tdb");
+ Globals.bIdmapOnly = False;
Globals.name_cache_timeout = 660; /* In seconds */
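Review bot: The `string_set(&Globals.szWinbindBackend, "tdb")` default is replaced by `Globals.bIdmapOnly = False;`, so the new `szIdmapBackend` receives no default in init_globals and `lp_idmap_backend()` returns an unset value until smb.conf names an "idmap backend". If idmap_init() (not in this chunk) does not provide its own fallback, `string_set(&Globals.szIdmapBackend, "tdb");` here preserves the previous default. init_globals continues outside the hunk.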
@@ -1636,7 +1642,9 @@ FN_GLOBAL_STRING(lp_acl_compatibility, &Globals.szAclCompat)
FN_GLOBAL_BOOL(lp_winbind_enum_users, &Globals.bWinbindEnumUsers)
FN_GLOBAL_BOOL(lp_winbind_enum_groups, &Globals.bWinbindEnumGroups)
FN_GLOBAL_BOOL(lp_winbind_use_default_domain, &Globals.bWinbindUseDefaultDomain)
-FN_GLOBAL_STRING(lp_winbind_backend, &Globals.szWinbindBackend)
+
+FN_GLOBAL_STRING(lp_idmap_backend, &Globals.szIdmapBackend)
+FN_GLOBAL_BOOL(lp_idmap_only, &Globals.bIdmapOnly)
#ifdef WITH_LDAP_SAMCONFIG
FN_GLOBAL_STRING(lp_ldap_server, &Globals.szLdapServer)
@@ -1847,7 +1855,7 @@ FN_LOCAL_INTEGER(lp_block_size, iBlock_size)
FN_LOCAL_CHAR(lp_magicchar, magic_char)
FN_GLOBAL_INTEGER(lp_winbind_cache_time, &Globals.winbind_cache_time)
FN_GLOBAL_BOOL(lp_hide_local_users, &Globals.bHideLocalUsers)
-FN_GLOBAL_BOOL(lp_algorithmic_rid_base, &Globals.bAlgorithmicRidBase)
+FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
FN_GLOBAL_BOOL(lp_client_signing, &Globals.client_signing)
@@ -2839,55 +2847,55 @@ static BOOL handle_copy(const char *pszParmValue, char **ptr)
}
/***************************************************************************
- Handle winbind uid and gid allocation parameters. The format of these
+ Handle idmap/non unix account uid and gid allocation parameters. The format of these
parameters is:
[global]
- winbind uid = 1000-1999
- winbind gid = 700-899
+ idmap uid = 1000-1999
+ idmap gid = 700-899
We only do simple parsing checks here. The strings are parsed into useful
- structures in the winbind daemon code.
+ structures in the idmap daemon code.
***************************************************************************/
-/* Some lp_ routines to return winbind [ug]id information */
+/* Some lp_ routines to return idmap [ug]id information */
-static uid_t winbind_uid_low, winbind_uid_high;
-static gid_t winbind_gid_low, winbind_gid_high;
+static uid_t idmap_uid_low, idmap_uid_high;
+static gid_t idmap_gid_low, idmap_gid_high;
-BOOL lp_winbind_uid(uid_t *low, uid_t *high)
+BOOL lp_idmap_uid(uid_t *low, uid_t *high)
{
- if (winbind_uid_low == 0 || winbind_uid_high == 0)
+ if (idmap_uid_low == 0 || idmap_uid_high == 0)
return False;
if (low)
- *low = winbind_uid_low;
+ *low = idmap_uid_low;
if (high)
- *high = winbind_uid_high;
+ *high = idmap_uid_high;
return True;
}
-BOOL lp_winbind_gid(gid_t *low, gid_t *high)
+BOOL lp_idmap_gid(gid_t *low, gid_t *high)
{
- if (winbind_gid_low == 0 || winbind_gid_high == 0)
+ if (idmap_gid_low == 0 || idmap_gid_high == 0)
return False;
if (low)
- *low = winbind_gid_low;
+ *low = idmap_gid_low;
if (high)
- *high = winbind_gid_high;
+ *high = idmap_gid_high;
return True;
}
-/* Do some simple checks on "winbind [ug]id" parameter values */
+/* Do some simple checks on "idmap [ug]id" parameter values */
-static BOOL handle_winbind_uid(const char *pszParmValue, char **ptr)
+static BOOL handle_idmap_uid(const char *pszParmValue, char **ptr)
{
uint32 low, high;
@@ -2898,13 +2906,13 @@ static BOOL handle_winbind_uid(const char *pszParmValue, char **ptr)
string_set(ptr, pszParmValue);
- winbind_uid_low = low;
- winbind_uid_high = high;
+ idmap_uid_low = low;
+ idmap_uid_high = high;
return True;
}
-static BOOL handle_winbind_gid(const char *pszParmValue, char **ptr)
+static BOOL handle_idmap_gid(const char *pszParmValue, char **ptr)
{
uint32 low, high;
@@ -2915,8 +2923,8 @@ static BOOL handle_winbind_gid(const char *pszParmValue, char **ptr)
string_set(ptr, pszParmValue);
- winbind_gid_low = low;
- winbind_gid_high = high;
+ idmap_gid_low = low;
+ idmap_gid_high = high;
return True;
}
@@ -3800,7 +3808,18 @@ static void set_server_role(void)
DEBUG(0, ("Server's Role (logon server) conflicts with share-level security\n"));
break;
case SEC_SERVER:
+ if (lp_domain_logons())
+ DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n"));
+ server_role = ROLE_DOMAIN_MEMBER;
+ break;
case SEC_DOMAIN:
+ if (lp_domain_logons()) {
+ DEBUG(1, ("Server's Role (logon server) NOT ADVISED with domain-level security\n"));
+ server_role = ROLE_DOMAIN_BDC;
+ break;
+ }
+ server_role = ROLE_DOMAIN_MEMBER;
+ break;
case SEC_ADS:
if (lp_domain_logons()) {
server_role = ROLE_DOMAIN_PDC;
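Review bot: The two new branches treat the same condition (domain logons enabled) inconsistently: SEC_SERVER logs a level-0 "conflicts" message and still demotes to ROLE_DOMAIN_MEMBER, while SEC_DOMAIN logs at level 1 and promotes to ROLE_DOMAIN_BDC. Before this change both cases fell through to the SEC_ADS logic, so a `security = domain` plus `domain logons = yes` server now ends up with a different role; a comment in each branch saying why a BDC is chosen under domain-level security but not server-level would make the intent visible, and the two log levels should agree. set_server_role continues outside the hunk.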
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 3fef3ea745..d3554cdbde 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -5,6 +5,7 @@
Copyright (C) Luke Kenneth Casson Leighton 1996-1998
Copyright (C) Gerald (Jerry) Carter 2000-2001
Copyright (C) Andrew Bartlett 2001-2002
+ Copyright (C) Simo Sorce 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -34,11 +35,17 @@ const char *get_global_sam_name(void)
return global_myname();
}
+/*
+ * This is set on startup - it defines the SID for this
+ * machine, and therefore the SAM database for which it is
+ * responsible.
+ */
+
/************************************************************
Fill the SAM_ACCOUNT with default values.
***********************************************************/
-static void pdb_fill_default_sam(SAM_ACCOUNT *user)
+void pdb_fill_default_sam(SAM_ACCOUNT *user)
{
ZERO_STRUCT(user->private); /* Don't touch the talloc context */
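Review bot: The new block comment "This is set on startup - it defines the SID for this machine..." is followed by a blank line and then the existing header of pdb_fill_default_sam; no declaration it could describe is visible, so it reads as orphaned, perhaps left behind by a variable that moved elsewhere. Either attach it to what it describes or drop it. Also, `pdb_fill_default_sam` loses its `static` here; if it is now meant for other translation units, a note in its header comment saying who calls it and that it does not touch the talloc context would help.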
@@ -48,8 +55,6 @@ static void pdb_fill_default_sam(SAM_ACCOUNT *user)
/* Don't change these timestamp settings without a good reason.
They are important for NT member server compatibility. */
- user->private.uid = user->private.gid = -1;
-
user->private.logon_time = (time_t)0;
user->private.pass_last_set_time = (time_t)0;
user->private.pass_can_change_time = (time_t)0;
@@ -165,13 +170,7 @@ NTSTATUS pdb_init_sam(SAM_ACCOUNT **user)
NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
{
- GROUP_MAP map;
-
- const char *guest_account = lp_guestaccount();
- if (!(guest_account && *guest_account)) {
- DEBUG(1, ("NULL guest account!?!?\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
+ NTSTATUS ret;
if (!pwd) {
return NT_STATUS_UNSUCCESSFUL;
@@ -184,10 +183,7 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
pdb_set_unix_homedir(sam_account, pwd->pw_dir, PDB_SET);
- pdb_set_domain (sam_account, get_global_sam_name(), PDB_DEFAULT);
-
- pdb_set_uid(sam_account, pwd->pw_uid, PDB_SET);
- pdb_set_gid(sam_account, pwd->pw_gid, PDB_SET);
+ pdb_set_domain (sam_account, lp_workgroup(), PDB_DEFAULT);
/* When we get a proper uid -> SID and SID -> uid allocation
mechinism, we should call it here.
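Review bot: The account domain in pdb_fill_sam_pw is now taken from lp_workgroup() instead of get_global_sam_name(), and the context at the top of this file shows get_global_sam_name() returning global_myname() in at least one path, so on a standalone server the stored domain may no longer match the SAM that issued the SIDs. If that is the intended new meaning of the domain field, a one-line comment would spare the next reader the same question, e.g. `/* domain is the workgroup name, not the SAM name; consistent with pdb_init_sam_new and the guest backend */`. The function continues outside the hunk.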
@@ -199,37 +195,8 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
-- abartlet 11-May-02
*/
-
- /* Ensure this *must* be set right */
- if (strcmp(pwd->pw_name, guest_account) == 0) {
- if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST, PDB_SET)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
- if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS, PDB_SET)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
- } else {
-
- if (!pdb_set_user_sid_from_rid(sam_account,
- fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) {
- DEBUG(0,("Can't set User SID from RID!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* call the mapping code here */
- if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) {
- if (!pdb_set_group_sid(sam_account,&map.sid, PDB_SET)){
- DEBUG(0,("Can't set Group SID!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
- }
- else {
- if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) {
- DEBUG(0,("Can't set Group SID\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
- }
- }
+ ret = pdb_set_sam_sids(sam_account, pwd);
+ if (NT_STATUS_IS_ERR(ret)) return ret;
/* check if this is a user account or a machine account */
if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$')
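Review bot: The new status check `if (NT_STATUS_IS_ERR(ret)) return ret;` only rejects codes with error severity, whereas the rest of this file (pdb_init_sam_new, a few hunks below) gates on `!NT_STATUS_IS_OK(...)`; a warning or informational status from pdb_set_sam_sids would be treated as success and the account returned with unset SIDs. For consistency and safety use `if (!NT_STATUS_IS_OK(ret)) return ret;`. pdb_fill_sam_pw's body continues outside the hunk.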
@@ -322,6 +289,7 @@ NTSTATUS pdb_init_sam_new(SAM_ACCOUNT **new_sam_acct, const char *username)
return nt_status;
}
} else {
+ DOM_SID g_sid;
if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(new_sam_acct))) {
*new_sam_acct = NULL;
return nt_status;
@@ -330,6 +298,13 @@ NTSTATUS pdb_init_sam_new(SAM_ACCOUNT **new_sam_acct, const char *username)
pdb_free_sam(new_sam_acct);
return nt_status;
}
+
+ pdb_set_domain (*new_sam_acct, lp_workgroup(), PDB_DEFAULT);
+
+ /* set Domain Users by default ! */
+ sid_copy(&g_sid, get_global_sam_sid());
+ sid_append_rid(&g_sid, DOMAIN_GROUP_RID_USERS);
+ pdb_set_group_sid(*new_sam_acct, &g_sid, PDB_SET);
}
return NT_STATUS_OK;
}
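Review bot: The return values of the pdb_set_domain() and pdb_set_group_sid() calls added at the end of pdb_init_sam_new are ignored, while every other initialisation step in this function is checked and the half-built account freed on failure. Mirror that handling so a failed group-SID assignment cannot yield an account whose primary group is unset: `if (!pdb_set_group_sid(*new_sam_acct, &g_sid, PDB_SET)) { pdb_free_sam(new_sam_acct); return NT_STATUS_UNSUCCESSFUL; }`. The function starts outside the hunk.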
@@ -402,6 +377,63 @@ NTSTATUS pdb_free_sam(SAM_ACCOUNT **user)
return NT_STATUS_OK;
}
+/**************************************************************************
+ * This function will take care of all the steps needed to correctly
+ * allocate and set the user SID, please do use this function to create new
+ * users, messing with SIDs is not good.
+ *
+ * account_data must be provided initialized, pwd may be null.
+ * SSS
+ ***************************************************************************/
+
+NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd)
+{
+ const char *guest_account = lp_guestaccount();
+ GROUP_MAP map;
+
+ if (!account_data || !pwd) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* this is a hack this thing should not be set
+ this way --SSS */
+ if (!(guest_account && *guest_account)) {
+ DEBUG(1, ("NULL guest account!?!?\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ } else {
+ /* Ensure this *must* be set right */
+ if (strcmp(pwd->pw_name, guest_account) == 0) {
+ if (!pdb_set_user_sid_from_rid(account_data, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ if (!pdb_set_group_sid_from_rid(account_data, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ return NT_STATUS_OK;
+ }
+ }
+
+ if (!pdb_set_user_sid_from_rid(account_data, fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) {
+ DEBUG(0,("Can't set User SID from RID!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* call the mapping code here */
+ if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) {
+ if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){
+ DEBUG(0,("Can't set Group SID!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+ else {
+ if (!pdb_set_group_sid_from_rid(account_data, pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) {
+ DEBUG(0,("Can't set Group SID\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
/**********************************************************
Encode the account control bits into a string.
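Review bot: The header comment of pdb_set_sam_sids says `pwd may be null`, but the first statement returns NT_STATUS_INVALID_PARAMETER when pwd is NULL, so the documented contract is wrong; change it to `pwd must be non-NULL: the SIDs are derived from pw_name, pw_uid and pw_gid`. Separately, the guest branch assigns the user and group SIDs with PDB_DEFAULT while the ordinary branch uses PDB_SET, so callers that test the init flags (e.g. the `PDB_GROUPSID == PDB_DEFAULT` check in pdb_ldap.c) will treat a guest's SIDs as not really set; if that asymmetry is deliberate it needs a comment, otherwise both should be PDB_SET. The `else` wrapping the guest comparison is also redundant, since the preceding `if` returns.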
@@ -531,10 +563,6 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
return (True);
}
-/*******************************************************************
- Converts NT user RID to a UNIX uid.
- ********************************************************************/
-
static int algorithmic_rid_base(void)
{
static int rid_offset = 0;
@@ -557,14 +585,16 @@ static int algorithmic_rid_base(void)
return rid_offset;
}
+/*******************************************************************
+ Converts NT user RID to a UNIX uid.
+ ********************************************************************/
uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid)
{
int rid_offset = algorithmic_rid_base();
- return (uid_t)(((user_rid & (~USER_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
+ return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
}
-
/*******************************************************************
converts UNIX uid to an NT User RID.
********************************************************************/
@@ -615,7 +645,7 @@ static BOOL pdb_rid_is_well_known(uint32 rid)
Decides if a RID is a user or group RID.
********************************************************************/
-BOOL pdb_rid_is_user(uint32 rid)
+BOOL fallback_pdb_rid_is_user(uint32 rid)
{
/* lkcl i understand that NT attaches an enumeration to a RID
* such that it can be identified as either a user, group etc
@@ -648,7 +678,7 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
GROUP_MAP map;
if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)){
- DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n",
+ DEBUG(0,("local_lookup_sid: sid_peek_check_rid return False! SID: %s\n",
sid_string_static(&map.sid)));
return False;
}
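Review bot: The DEBUG in local_lookup_sid now names the right function, but its argument on the following line still prints `map.sid`, which has not been initialised at that point, instead of the SID that failed sid_peek_check_rid(); it should be `sid_string_static(sid)`. As written the log line shows garbage rather than the offending SID, which defeats the purpose of the message. local_lookup_sid's body continues outside the hunk.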
@@ -705,7 +735,7 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
return True;
}
- if (pdb_rid_is_user(rid)) {
+ if (fallback_pdb_rid_is_user(rid)) {
uid_t uid;
DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid));
@@ -838,190 +868,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
return True;
}
-/****************************************************************************
- Convert a uid to SID - locally.
-****************************************************************************/
-
-DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
-{
- struct passwd *pass;
- SAM_ACCOUNT *sam_user = NULL;
- fstring str; /* sid string buffer */
-
- sid_copy(psid, get_global_sam_sid());
-
- if((pass = getpwuid_alloc(uid))) {
-
- if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) {
- passwd_free(&pass);
- return NULL;
- }
-
- if (pdb_getsampwnam(sam_user, pass->pw_name)) {
- sid_copy(psid, pdb_get_user_sid(sam_user));
- } else {
- sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
- }
-
- DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (%s).\n",
- (unsigned)uid, sid_to_string( str, psid),
- pass->pw_name ));
-
- passwd_free(&pass);
- pdb_free_sam(&sam_user);
-
- } else {
- sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
-
- DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (unknown user).\n",
- (unsigned)uid, sid_to_string( str, psid)));
- }
-
- return psid;
-}
-
-/****************************************************************************
- Convert a SID to uid - locally.
-****************************************************************************/
-
-BOOL local_sid_to_uid(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
-{
- fstring str;
- SAM_ACCOUNT *sam_user = NULL;
-
- *name_type = SID_NAME_UNKNOWN;
-
- if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user)))
- return False;
-
- if (pdb_getsampwsid(sam_user, psid)) {
-
- if (!IS_SAM_SET(sam_user,PDB_UID)&&!IS_SAM_CHANGED(sam_user,PDB_UID)) {
- pdb_free_sam(&sam_user);
- return False;
- }
-
- *puid = pdb_get_uid(sam_user);
-
- DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_to_string( str, psid),
- (unsigned int)*puid, pdb_get_username(sam_user)));
- pdb_free_sam(&sam_user);
- } else {
-
- DOM_SID dom_sid;
- uint32 rid;
- GROUP_MAP map;
-
- pdb_free_sam(&sam_user);
-
- if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) {
- DEBUG(3, ("local_sid_to_uid: SID '%s' is a group, not a user... \n", sid_to_string(str, psid)));
- /* It's a group, not a user... */
- return False;
- }
-
- sid_copy(&dom_sid, psid);
- if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
- DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid)));
- return False;
- }
-
- if (!pdb_rid_is_user(rid)) {
- DEBUG(3, ("local_sid_to_uid: sid '%s' cannot be mapped to a uid algorithmicly becouse it is a group\n", sid_to_string(str, psid)));
- return False;
- }
-
- *puid = fallback_pdb_user_rid_to_uid(rid);
-
- DEBUG(5,("local_sid_to_uid: SID %s algorithmicly mapped to %ld mapped becouse SID was not found in passdb.\n",
- sid_to_string(str, psid), (signed long int)(*puid)));
- }
-
- *name_type = SID_NAME_USER;
-
- return True;
-}
-
-/****************************************************************************
- Convert a gid to SID - locally.
-****************************************************************************/
-
-DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
-{
- GROUP_MAP map;
-
- sid_copy(psid, get_global_sam_sid());
-
- if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
- sid_copy(psid, &map.sid);
- }
- else {
- sid_append_rid(psid, pdb_gid_to_group_rid(gid));
- }
-
- return psid;
-}
-
-/****************************************************************************
- Convert a SID to gid - locally.
-****************************************************************************/
-
-BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
-{
- fstring str;
- GROUP_MAP map;
-
- *name_type = SID_NAME_UNKNOWN;
-
- /*
- * We can only convert to a gid if this is our local
- * Domain SID (ie. we are the controling authority).
- *
- * Or in the Builtin SID too. JFM, 11/30/2001
- */
-
- if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) {
-
- /* the SID is in the mapping table but not mapped */
- if (map.gid==(gid_t)-1)
- return False;
-
- *pgid = map.gid;
- *name_type = map.sid_name_use;
- DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n",
- sid_to_string( str, psid),
- map.nt_name, (unsigned int)*pgid));
-
- } else {
- uint32 rid;
- SAM_ACCOUNT *sam_user = NULL;
- if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user)))
- return False;
-
- if (pdb_getsampwsid(sam_user, psid)) {
- return False;
- pdb_free_sam(&sam_user);
- }
-
- pdb_free_sam(&sam_user);
-
- if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
- DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid)));
- return False;
- }
-
- if (pdb_rid_is_user(rid))
- return False;
-
- *pgid = pdb_group_rid_to_gid(rid);
- *name_type = SID_NAME_ALIAS;
- DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u).\n", sid_to_string( str, psid),
- (unsigned int)*pgid));
- }
-
- return True;
-}
-
/*************************************************************
Change a password entry in the local smbpasswd file.
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index a86d936263..4370dc2c36 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -202,22 +202,6 @@ enum pdb_value_state pdb_get_init_flags (const SAM_ACCOUNT *sampass, enum pdb_el
return ret;
}
-uid_t pdb_get_uid (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.uid);
- else
- return (-1);
-}
-
-gid_t pdb_get_gid (const SAM_ACCOUNT *sampass)
-{
- if (sampass)
- return (sampass->private.gid);
- else
- return (-1);
-}
-
const char* pdb_get_username (const SAM_ACCOUNT *sampass)
{
if (sampass)
@@ -509,32 +493,6 @@ BOOL pdb_set_init_flags (SAM_ACCOUNT *sampass, enum pdb_elements element, enum p
return True;
}
-BOOL pdb_set_uid (SAM_ACCOUNT *sampass, const uid_t uid, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- DEBUG(10, ("pdb_set_uid: setting uid %d, was %d\n",
- (int)uid, (int)sampass->private.uid));
-
- sampass->private.uid = uid;
-
- return pdb_set_init_flags(sampass, PDB_UID, flag);
-}
-
-BOOL pdb_set_gid (SAM_ACCOUNT *sampass, const gid_t gid, enum pdb_value_state flag)
-{
- if (!sampass)
- return False;
-
- DEBUG(10, ("pdb_set_gid: setting gid %d, was %d\n",
- (int)gid, (int)sampass->private.gid));
-
- sampass->private.gid = gid;
-
- return pdb_set_init_flags(sampass, PDB_GID, flag);
-}
-
BOOL pdb_set_user_sid (SAM_ACCOUNT *sampass, DOM_SID *u_sid, enum pdb_value_state flag)
{
if (!sampass || !u_sid)
diff --git a/source3/passdb/pdb_guest.c b/source3/passdb/pdb_guest.c
index 7ecfa7d4c3..9bcdccc7e7 100644
--- a/source3/passdb/pdb_guest.c
+++ b/source3/passdb/pdb_guest.c
@@ -24,11 +24,16 @@
Lookup a name in the SAM database
******************************************************************/
-static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user, const char *sname)
+static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *sam_account, const char *sname)
{
NTSTATUS nt_status;
- struct passwd *pass;
const char *guest_account = lp_guestaccount();
+
+ if (!sam_account || !sname) {
+ DEBUG(0,("invalid name specified"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
if (!(guest_account && *guest_account)) {
DEBUG(1, ("NULL guest account!?!?\n"));
return NT_STATUS_UNSUCCESSFUL;
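Review bot: The merged NULL check at the top of guestsam_getsampwnam logs "invalid name specified" even when it was `sam_account` that was NULL, and the message lacks the trailing newline that every other DEBUG in this function has. Consider `DEBUG(0,("guestsam_getsampwnam: NULL sam_account or name\n"));`. The function continues past the hunk.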
@@ -38,21 +43,31 @@ static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *
DEBUG(0,("invalid methods\n"));
return NT_STATUS_UNSUCCESSFUL;
}
- if (!sname) {
- DEBUG(0,("invalid name specified"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
if (!strequal(guest_account, sname)) {
return NT_STATUS_NO_SUCH_USER;
}
- pass = getpwnam_alloc(guest_account);
-
- nt_status = pdb_fill_sam_pw(user, pass);
+ pdb_fill_default_sam(sam_account);
+
+ if (!pdb_set_username(sam_account, guest_account, PDB_SET))
+ return NT_STATUS_UNSUCCESSFUL;
+
+ if (!pdb_set_fullname(sam_account, guest_account, PDB_SET))
+ return NT_STATUS_UNSUCCESSFUL;
+
+ if (!pdb_set_domain(sam_account, lp_workgroup(), PDB_DEFAULT))
+ return NT_STATUS_UNSUCCESSFUL;
+
+ if (!pdb_set_acct_ctrl(sam_account, ACB_NORMAL, PDB_DEFAULT))
+ return NT_STATUS_UNSUCCESSFUL;
+
+ if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST, PDB_DEFAULT))
+ return NT_STATUS_UNSUCCESSFUL;
+
+ if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT))
+ return NT_STATUS_UNSUCCESSFUL;
- passwd_free(&pass);
- return nt_status;
+ return NT_STATUS_OK;
}
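Review bot: Dropping the getpwnam_alloc() lookup means the guest SAM_ACCOUNT is now synthesised even when `guest account` names a unix user that does not exist; the old getsampwrid path (removed in the next hunk) returned NT_STATUS_NO_SUCH_USER in that case. If that existence check is still wanted, keep `struct passwd *pass = getpwnam_alloc(guest_account); if (!pass) return NT_STATUS_NO_SUCH_USER; passwd_free(&pass);` before filling the account; otherwise the function header should state that the guest entry is purely synthetic and does not depend on the system password database.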
@@ -61,35 +76,17 @@ static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *
**************************************************************************/
static NTSTATUS guestsam_getsampwrid (struct pdb_methods *methods,
- SAM_ACCOUNT *user, uint32 rid)
+ SAM_ACCOUNT *sam_account, uint32 rid)
{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct passwd *pass = NULL;
- const char *guest_account = lp_guestaccount();
- if (!(guest_account && *guest_account)) {
- DEBUG(1, ("NULL guest account!?!?\n"));
- return nt_status;
- }
-
- if (!methods) {
- DEBUG(0,("invalid methods\n"));
- return nt_status;
- }
-
- if (rid == DOMAIN_USER_RID_GUEST) {
- pass = getpwnam_alloc(guest_account);
- if (!pass) {
- DEBUG(1, ("guest account %s does not seem to exist...\n", guest_account));
- return NT_STATUS_NO_SUCH_USER;
- }
- } else {
+ if (rid != DOMAIN_USER_RID_GUEST) {
return NT_STATUS_NO_SUCH_USER;
}
- nt_status = pdb_fill_sam_pw(user, pass);
- passwd_free(&pass);
+ if (!sam_account) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- return nt_status;
+ return guestsam_getsampwnam (methods, sam_account, lp_guestaccount());
}
static NTSTATUS guestsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
@@ -97,6 +94,7 @@ static NTSTATUS guestsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT
uint32 rid;
if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
return NT_STATUS_NO_SUCH_USER;
+
return guestsam_getsampwrid(my_methods, user, rid);
}
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index dbc0bdc1c0..da3a163c1e 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -164,7 +164,7 @@ static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
"smbHome", "scriptPath",
"profilePath", "description",
"userWorkstations", "rid", "ntSid",
- "primaryGroupID", "primaryGroupSid", "lmPassword",
+ "primaryGroupID", "lmPassword",
"ntPassword", "acctFlags",
"domain", "objectClass",
"uidNumber", "gidNumber",
@@ -519,10 +519,9 @@ static int ldapsam_retry_open(struct ldapsam_privates *ldap_state, int *attempts
if (*attempts != 0) {
unsigned int sleep_time;
- uint8 rand_byte;
+ uint8 rand_byte = 128; /* a reasonable place to start */
- /* Sleep for a random timeout */
- rand_byte = (char)(sys_random());
+ generate_random_buffer(&rand_byte, 1, False);
sleep_time = (((*attempts)*(*attempts))/2)*rand_byte*2;
/* we retry after (0.5, 1, 2, 3, 4.5, 6) seconds
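Review bot: The initialiser `rand_byte = 128` is dead code, because generate_random_buffer() overwrites it unconditionally, and a random byte of 0 makes `sleep_time` 0, so a retry can happen with no backoff at all. If a floor is wanted, apply it after the call, `if (rand_byte == 0) rand_byte = 1;`, and drop the misleading "a reasonable place to start" comment. ldapsam_retry_open starts and ends outside the hunk.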
@@ -1534,12 +1533,11 @@ Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
*********************************************************************/
static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
SAM_ACCOUNT * sampass,
- LDAPMessage * entry)
+ LDAPMessage * entry,
+ gid_t *gid)
{
pstring homedir;
pstring temp;
- uid_t uid;
- gid_t gid;
char **ldap_values;
char **values;
@@ -1564,19 +1562,12 @@ static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir))
return False;
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
- return False;
-
- uid = (uid_t)atol(temp);
-
if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
return False;
gid = (gid_t)atol(temp);
pdb_set_unix_homedir(sampass, homedir, PDB_SET);
- pdb_set_uid(sampass, uid, PDB_SET);
- pdb_set_gid(sampass, gid, PDB_SET);
DEBUG(10, ("user has posixAcccount attributes\n"));
return True;
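Review bot: `gid` is now a `gid_t *` parameter of get_unix_attributes, but the unchanged line `gid = (gid_t)atol(temp);` still assigns the integer to the pointer itself, so the caller's gid is never written (and the compiler will warn about an integer-to-pointer conversion). It must be `*gid = (gid_t)atol(temp);`. The function's header and the end of the context line run outside the hunk.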
@@ -1618,8 +1609,7 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
uint8 hours[MAX_HOURS_LEN];
pstring temp;
uid_t uid = -1;
- gid_t gid = getegid();
-
+ gid_t gid = getegid();
/*
* do a little initialization
@@ -1667,31 +1657,11 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
if (get_single_attribute(ldap_state->ldap_struct, entry, "ntSid", temp)) {
pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
}
- if (get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupSid", temp)) {
- pdb_set_group_sid_from_string(sampass, temp, PDB_SET);
- } else {
- pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
- }
} else {
if (get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp)) {
user_rid = (uint32)atol(temp);
pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
}
- if (get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
- uint32 group_rid;
- group_rid = (uint32)atol(temp);
-
- if (group_rid > 0) {
- /* for some reason, we often have 0 as a primary group RID.
- Make sure that we treat this just as a 'default' value
- */
- pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
- } else {
- pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
- }
- } else {
- pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
- }
}
if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
@@ -1699,44 +1669,29 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
return False;
}
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
+ pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+ } else {
+ uint32 group_rid;
+ group_rid = (uint32)atol(temp);
+ pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
+ }
+
/*
* If so configured, try and get the values from LDAP
*/
- if (!lp_ldap_trust_ids() || (!get_unix_attributes(ldap_state, sampass, entry))) {
+ if (!lp_ldap_trust_ids() && (get_unix_attributes(ldap_state, sampass, entry, &gid))) {
- /*
- * Otherwise just ask the system getpw() calls.
- */
-
- pw = getpwnam_alloc(username);
- if (pw == NULL) {
- if (! ldap_state->permit_non_unix_accounts) {
- DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
- return False;
+ if (pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT) {
+ GROUP_MAP map;
+ /* call the mapping code here */
+ if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
+ pdb_set_group_sid(sampass, &map.sid, PDB_SET);
+ }
+ else {
+ pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
}
- } else {
- uid = pw->pw_uid;
- pdb_set_uid(sampass, uid, PDB_SET);
- gid = pw->pw_gid;
- pdb_set_gid(sampass, gid, PDB_SET);
-
- pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
- passwd_free(&pw);
- }
- }
-
- if ((pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT)
- && (pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT)) {
- GROUP_MAP map;
- gid = pdb_get_gid(sampass);
- /* call the mapping code here */
- if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
- pdb_set_group_sid(sampass, &map.sid, PDB_SET);
- }
- else {
- pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
}
}
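Review bot: The new condition `if (!lp_ldap_trust_ids() && (get_unix_attributes(...)))` reads the posixAccount attributes only when "ldap trust ids" is off, which contradicts the comment directly above it ("If so configured, try and get the values from LDAP") and the removed code, which consulted LDAP when the option was on; it looks like a dropped negation and should be `if (lp_ldap_trust_ids() && get_unix_attributes(ldap_state, sampass, entry, &gid))`. Separately, the primaryGroupID handling added above now applies PDB_SET to any value including 0, whereas the removed code treated 0 as a default, and since the gid-based mapping below only runs while the group SID is still PDB_DEFAULT, an entry with primaryGroupID 0 ends up with RID 0 as its primary group. Restore the guard: `if (group_rid > 0) pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET); else pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);`. init_sam_from_ldap continues outside the hunk.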
@@ -1964,16 +1919,15 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
if (need_update(sampass, PDB_USERSID)) {
fstring sid_string;
fstring dom_sid_string;
- const DOM_SID *user_sid = pdb_get_user_sid(sampass);
+ const DOM_SID *user_sid;
+ user_sid = pdb_get_user_sid(sampass);
if (ldap_state->use_ntsid) {
make_ldap_mod(ldap_state->ldap_struct, existing, mods,
"ntSid", sid_to_string(sid_string, user_sid));
} else {
if (!sid_peek_check_rid(get_global_sam_sid(), user_sid, &rid)) {
- DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
- sid_to_string(sid_string, user_sid),
- sid_to_string(dom_sid_string, get_global_sam_sid())));
+ DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", sid_to_string(sid_string, user_sid), sid_to_string(dom_sid_string, get_global_sam_sid())));
return False;
}
slprintf(temp, sizeof(temp) - 1, "%i", rid);
@@ -1987,24 +1941,10 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
'free' to hang off the unix primary group makes life easier */
if (need_update(sampass, PDB_GROUPSID)) {
- fstring sid_string;
- fstring dom_sid_string;
- const DOM_SID *group_sid = pdb_get_group_sid(sampass);
-
- if (ldap_state->use_ntsid) {
- make_ldap_mod(ldap_state->ldap_struct, existing, mods,
- "primaryGroupSid", sid_to_string(sid_string, group_sid));
- } else {
- if (!sid_peek_check_rid(get_global_sam_sid(), group_sid, &rid)) {
- DEBUG(1, ("User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
- sid_to_string(sid_string, group_sid),
- sid_to_string(dom_sid_string, get_global_sam_sid())));
- return False;
- }
- slprintf(temp, sizeof(temp) - 1, "%i", rid);
- make_ldap_mod(ldap_state->ldap_struct, existing, mods,
- "primaryGroupID", temp);
- }
+ rid = pdb_get_group_rid(sampass);
+ slprintf(temp, sizeof(temp) - 1, "%i", rid);
+ make_ldap_mod(ldap_state->ldap_struct, existing, mods,
+ "primaryGroupID", temp);
}
/* displayName, cn, and gecos should all be the same
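Review bot: The rewritten primaryGroupID update stores `pdb_get_group_rid(sampass)` without the domain check the removed code performed, so a primary group SID from a foreign domain is silently reduced to a bare RID that will later be re-attached to the local SAM SID. Keep the check: `if (!sid_peek_check_rid(get_global_sam_sid(), pdb_get_group_sid(sampass), &rid)) { DEBUG(1, ("User's Primary Group SID is not for this domain, cannot add to LDAP!\n")); return False; }`. `%i` with a uint32 rid is also a mismatch; `%u` is what the nisplus backend uses for the same value. init_ldap_from_sam continues outside the hunk.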
@@ -2416,8 +2356,7 @@ static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_A
{ "lmPassword", "ntPassword", "pwdLastSet", "logonTime", "logoffTime",
"kickoffTime", "pwdCanChange", "pwdMustChange", "acctFlags",
"displayName", "smbHome", "homeDrive", "scriptPath", "profilePath",
- "userWorkstations", "primaryGroupID", "primaryGroupSid", "domain",
- "rid", "ntSid", NULL };
+ "userWorkstations", "primaryGroupID", "domain", "rid", "ntSid", NULL };
if (!sam_acct) {
DEBUG(0, ("sam_acct was NULL!\n"));
@@ -3130,7 +3069,7 @@ static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
return NT_STATUS_OK;
}
-static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
{
NTSTATUS nt_status;
struct ldapsam_privates *ldap_state;
@@ -3173,7 +3112,7 @@ static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_met
ldap_state->uri = "ldap://localhost";
}
- ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, get_global_sam_name());
+ ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, lp_workgroup());
if (!ldap_state->domain_name) {
return NT_STATUS_NO_MEMORY;
}
@@ -3186,9 +3125,6 @@ static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_met
(*pdb_method)->free_private_data = free_private_data;
- /* setup random, for our backoffs */
- sys_srandom(sys_getpid() ^ time(NULL));
-
return NT_STATUS_OK;
}
@@ -3197,7 +3133,7 @@ static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **
NTSTATUS nt_status;
struct ldapsam_privates *ldap_state;
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) {
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
return nt_status;
}
@@ -3229,50 +3165,54 @@ static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **
return NT_STATUS_OK;
}
-static NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
{
NTSTATUS nt_status;
struct ldapsam_privates *ldap_state;
- uint32 low_winbind_uid, high_winbind_uid;
- uint32 low_winbind_gid, high_winbind_gid;
+ uint32 low_idmap_uid, high_idmap_uid;
+ uint32 low_idmap_gid, high_idmap_gid;
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) {
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
return nt_status;
}
- (*pdb_method)->name = "ldapsam_nua";
+ (*pdb_method)->name = "ldapsam";
ldap_state = (*pdb_method)->private_data;
ldap_state->permit_non_unix_accounts = True;
/* We know these uids can't turn up as allogorithmic RIDs */
- if (!lp_winbind_uid(&low_winbind_uid, &high_winbind_uid)) {
- DEBUG(0, ("cannot use ldapsam_nua without 'winbind uid' range in smb.conf!\n"));
+ if (!lp_idmap_uid(&low_idmap_uid, &high_idmap_uid)) {
+ DEBUG(0, ("cannot use ldapsam_nua without 'idmap uid' range in smb.conf!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
/* We know these gids can't turn up as allogorithmic RIDs */
- if (!lp_winbind_gid(&low_winbind_gid, &high_winbind_gid)) {
- DEBUG(0, ("cannot use ldapsam_nua without 'winbind gid' range in smb.conf!\n"));
+ if (!lp_idmap_gid(&low_idmap_gid, &high_idmap_gid)) {
+ DEBUG(0, ("cannot use ldapsam_nua without 'wibnind gid' range in smb.conf!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
- ldap_state->low_allocated_user_rid=fallback_pdb_uid_to_user_rid(low_winbind_uid);
+ ldap_state->low_allocated_user_rid=fallback_pdb_uid_to_user_rid(low_idmap_uid);
- ldap_state->high_allocated_user_rid=fallback_pdb_uid_to_user_rid(high_winbind_uid);
+ ldap_state->high_allocated_user_rid=fallback_pdb_uid_to_user_rid(high_idmap_uid);
- ldap_state->low_allocated_group_rid=pdb_gid_to_group_rid(low_winbind_gid);
+ ldap_state->low_allocated_group_rid=pdb_gid_to_group_rid(low_idmap_gid);
- ldap_state->high_allocated_group_rid=pdb_gid_to_group_rid(high_winbind_gid);
+ ldap_state->high_allocated_group_rid=pdb_gid_to_group_rid(high_idmap_gid);
return NT_STATUS_OK;
}
NTSTATUS pdb_ldap_init(void)
{
- smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam);
- smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat);
- smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_nua", pdb_init_ldapsam_nua);
+ NTSTATUS nt_status;
+ if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam)))
+ return nt_status;
+
+ if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat)))
+ return nt_status;
+
return NT_STATUS_OK;
}
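Review bot: The error messages in the renamed pdb_init_ldapsam still say "cannot use ldapsam_nua", a backend name this commit stops registering, and the gid message says `'wibnind gid'` rather than the option the code actually reads, `idmap gid`. Change them to `DEBUG(0, ("cannot use ldapsam without 'idmap uid' range in smb.conf!\n"));` and `DEBUG(0, ("cannot use ldapsam without 'idmap gid' range in smb.conf!\n"));`. Note also that plain "ldapsam" now unconditionally sets `permit_non_unix_accounts = True` and requires the idmap ranges, i.e. it inherits the old _nua semantics; that is a behaviour change for existing ldapsam configurations which deserves a comment at the top of the function.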
diff --git a/source3/passdb/pdb_nisplus.c b/source3/passdb/pdb_nisplus.c
index cd9288fed0..4e4aaed02b 100644
--- a/source3/passdb/pdb_nisplus.c
+++ b/source3/passdb/pdb_nisplus.c
@@ -876,8 +876,6 @@ static BOOL make_sam_from_nisp_object (SAM_ACCOUNT * pw_buf,
pdb_set_workstations (pw_buf, ENTRY_VAL (obj, NPF_WORKSTATIONS), PDB_SET);
pdb_set_munged_dial (pw_buf, NULL, PDB_DEFAULT);
- pdb_set_uid (pw_buf, atoi (ENTRY_VAL (obj, NPF_UID)), PDB_SET);
- pdb_set_gid (pw_buf, atoi (ENTRY_VAL (obj, NPF_SMB_GRPID)), PDB_SET);
pdb_set_user_sid_from_rid (pw_buf,
atoi (ENTRY_VAL (obj, NPF_USER_RID)), PDB_SET);
pdb_set_group_sid_from_rid (pw_buf,
@@ -949,8 +947,8 @@ static BOOL make_sam_from_nisp_object (SAM_ACCOUNT * pw_buf,
if (!(pdb_get_acct_ctrl (pw_buf) & ACB_PWNOTREQ) &&
strncasecmp (ptr, "NO PASSWORD", 11)) {
if (strlen (ptr) != 32 || !pdb_gethexpwd (ptr, smbntpwd)) {
- DEBUG (0, ("malformed NT pwd entry:\
- uid = %d.\n", pdb_get_uid (pw_buf)));
+ DEBUG (0, ("malformed NT pwd entry:\ %s.\n",
+ pdb_get_username (pw_buf)));
return False;
}
if (!pdb_set_nt_passwd (pw_buf, smbntpwd, PDB_SET))
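Review bot: The reformatted DEBUG format string `"malformed NT pwd entry:\ %s.\n"` keeps a stray backslash-space left over from the old line continuation; `\ ` is not a valid C escape sequence, so compilers warn and the resulting character is unspecified. Write `DEBUG (0, ("malformed NT pwd entry: %s.\n", pdb_get_username (pw_buf)));`. make_sam_from_nisp_object continues outside the hunk.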
@@ -1047,6 +1045,8 @@ static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass,
BOOL need_to_modify = False;
const char *name = pdb_get_username (sampass); /* from SAM */
+ uint32 u_rid;
+ uint32 g_rid;
/* these must be static or allocate and free entry columns! */
static fstring uid; /* from SAM */
static fstring user_rid; /* from SAM */
@@ -1065,31 +1065,15 @@ static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass,
static fstring acct_desc; /* from SAM */
static char empty[1]; /* just an empty string */
- slprintf (uid, sizeof (uid) - 1, "%u", pdb_get_uid (sampass));
- slprintf (user_rid, sizeof (user_rid) - 1, "%u",
- pdb_get_user_rid (sampass) ? pdb_get_user_rid (sampass) :
- fallback_pdb_uid_to_user_rid (pdb_get_uid (sampass)));
- slprintf (gid, sizeof (gid) - 1, "%u", pdb_get_gid (sampass));
-
- {
- uint32 rid;
- GROUP_MAP map;
-
- rid = pdb_get_group_rid (sampass);
-
- if (rid == 0) {
- if (pdb_getgrgid(&map, pdb_get_gid (sampass),
- MAPPING_WITHOUT_PRIV)) {
- if (!sid_peek_check_rid
- (get_global_sam_sid (), &map.sid, &rid))
- return False;
- } else
- rid = pdb_gid_to_group_rid (pdb_get_gid
- (sampass));
- }
+ if (!(u_rid = pdb_get_user_rid (sampass)))
+ return False;
+ if (!(g_rid = pdb_get_group_rid (sampass)))
+ return False;
- slprintf (group_rid, sizeof (group_rid) - 1, "%u", rid);
- }
+ slprintf (uid, sizeof (uid) - 1, "%u", fallback_pdb_user_rid_to_uid (u_rid));
+ slprintf (user_rid, sizeof (user_rid) - 1, "%u", u_rid);
+ slprintf (gid, sizeof (gid) - 1, "%u", fallback_pdb_group_rid_to_uid (g_rid));
+ slprintf (group_rid, sizeof (group_rid) - 1, "%u", g_rid);
acb = pdb_encode_acct_ctrl (pdb_get_acct_ctrl (sampass),
NEW_PW_FORMAT_SPACE_PADDED_LEN);
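Review bot: `fallback_pdb_group_rid_to_uid (g_rid)` is used to fill the gid column, but its name says it maps a group RID to a uid, and no function by that name appears anywhere in this diff; the removed code and passdb.c's local_sid_to_gid used `pdb_group_rid_to_gid()` for exactly this conversion, so this looks like a mistyped call. Use `slprintf (gid, sizeof (gid) - 1, "%u", pdb_group_rid_to_gid (g_rid));`. Note also that the uid and gid stored in NIS+ are now always the algorithmic fallback of the RIDs, regardless of the account's real unix ids; a comment stating that assumption would help readers. init_nisp_from_sam continues outside the hunk.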
@@ -1133,51 +1117,27 @@ static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass,
/* uid */
- if (pdb_get_uid (sampass) != -1) {
- if (!ENTRY_VAL (old, NPF_UID)
- || strcmp (ENTRY_VAL (old, NPF_UID), uid)) {
+ if (!ENTRY_VAL (old, NPF_UID) || strcmp (ENTRY_VAL (old, NPF_UID), uid)) {
need_to_modify = True;
- set_single_attribute (obj, NPF_UID, uid,
- strlen (uid),
- EN_MODIFIED);
- }
+ set_single_attribute (obj, NPF_UID, uid, strlen (uid), EN_MODIFIED);
}
/* user_rid */
- if (pdb_get_user_rid (sampass)) {
- if (!ENTRY_VAL (old, NPF_USER_RID) ||
- strcmp (ENTRY_VAL (old, NPF_USER_RID),
- user_rid)) {
+ if (!ENTRY_VAL (old, NPF_USER_RID) || strcmp (ENTRY_VAL (old, NPF_USER_RID), user_rid)) {
need_to_modify = True;
- set_single_attribute (obj, NPF_USER_RID,
- user_rid,
- strlen (user_rid),
- EN_MODIFIED);
- }
+ set_single_attribute (obj, NPF_USER_RID, user_rid, strlen (user_rid), EN_MODIFIED);
}
/* smb_grpid */
- if (pdb_get_gid (sampass) != -1) {
- if (!ENTRY_VAL (old, NPF_SMB_GRPID) ||
- strcmp (ENTRY_VAL (old, NPF_SMB_GRPID), gid)) {
+ if (!ENTRY_VAL (old, NPF_SMB_GRPID) || strcmp (ENTRY_VAL (old, NPF_SMB_GRPID), gid)) {
need_to_modify = True;
- set_single_attribute (obj, NPF_SMB_GRPID, gid,
- strlen (gid),
- EN_MODIFIED);
- }
+ set_single_attribute (obj, NPF_SMB_GRPID, gid, strlen (gid), EN_MODIFIED);
}
/* group_rid */
- if (pdb_get_group_rid (sampass)) {
- if (!ENTRY_VAL (old, NPF_GROUP_RID) ||
- strcmp (ENTRY_VAL (old, NPF_GROUP_RID),
- group_rid)) {
+ if (!ENTRY_VAL (old, NPF_GROUP_RID) || strcmp (ENTRY_VAL (old, NPF_GROUP_RID), group_rid)) {
need_to_modify = True;
- set_single_attribute (obj, NPF_GROUP_RID,
- group_rid,
- strlen (group_rid),
- EN_MODIFIED);
- }
+ set_single_attribute (obj, NPF_GROUP_RID, group_rid, strlen (group_rid), EN_MODIFIED);
}
/* acb */
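Review bot: The collapsed conditions on L2707, L2720, L2733 and L2746 and the one-line `set_single_attribute` calls below them run well past 80 columns in a file that otherwise wraps at that width, so the hunk reads as a formatting change rather than the logic change it is. Wrapping after `||` and after the third argument, as the removed lines did, keeps the file's style while preserving the simplified structure. init_nisp_from_sam continues outside the hunk.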
diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c
index cfbb37ce91..91fc7bc8e0 100644
--- a/source3/passdb/pdb_smbpasswd.c
+++ b/source3/passdb/pdb_smbpasswd.c
@@ -1134,28 +1134,23 @@ Error was %s\n", pwd->smb_name, pfile2, strerror(errno)));
static BOOL build_smb_pass (struct smb_passwd *smb_pw, const SAM_ACCOUNT *sampass)
{
uid_t uid;
+ uint32 rid;
if (sampass == NULL)
return False;
- ZERO_STRUCTP(smb_pw);
-
- if (!IS_SAM_UNIX_USER(sampass)) {
- smb_pw->smb_userid_set = False;
- DEBUG(5,("build_smb_pass: storing user without a UNIX uid or gid. \n"));
- } else {
- uint32 rid = pdb_get_user_rid(sampass);
- smb_pw->smb_userid_set = True;
- uid = pdb_get_uid(sampass);
+ rid = pdb_get_user_rid(sampass);
- /* If the user specified a RID, make sure its able to be both stored and retreived */
- if (rid && rid != DOMAIN_USER_RID_GUEST && uid != fallback_pdb_user_rid_to_uid(rid)) {
- DEBUG(0,("build_sam_pass: Failing attempt to store user with non-uid based user RID. \n"));
- return False;
- }
+ /* If the user specified a RID, make sure its able to be both stored and retreived */
+ if (rid && rid != DOMAIN_USER_RID_GUEST && uid != fallback_pdb_user_rid_to_uid(rid)) {
+ DEBUG(0,("build_sam_pass: Failing attempt to store user with non-uid based user RID. \n"));
+ return False;
+ }
- smb_pw->smb_userid=uid;
- }
+ ZERO_STRUCTP(smb_pw);
+
+ smb_pw->smb_userid_set = True;
+ smb_pw->smb_userid=uid;
smb_pw->smb_name=(const char*)pdb_get_username(sampass);
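Review bot: `uid` is never assigned on the new side: the removed `uid = pdb_get_uid(sampass);` got no replacement, yet L2783 compares it against `fallback_pdb_user_rid_to_uid(rid)` and L2792 stores it in `smb_pw->smb_userid`, so the smbpasswd entry receives an indeterminate uid and the RID sanity check compares against garbage. The rest of this commit resolves Unix ids through the SID, so the straightforward fix is to derive it the same way before the check, e.g. `if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sampass), &uid))) return False;` placed right after `rid = pdb_get_user_rid(sampass);`. That placement also covers the `rid == 0` path, which otherwise stores the unset value as well. build_smb_pass continues past the end of the hunk.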
@@ -1215,7 +1210,7 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state,
*/
pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS, PDB_SET);
pdb_set_username (sam_pass, pw_buf->smb_name, PDB_SET);
- pdb_set_domain (sam_pass, get_global_sam_name(), PDB_DEFAULT);
+ pdb_set_domain (sam_pass, lp_workgroup(), PDB_DEFAULT);
} else {
DEBUG(0,("build_sam_account: smbpasswd database is corrupt! username %s with uid %u is not in unix passwd database!\n", pw_buf->smb_name, pw_buf->smb_userid));
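Review bot: Replacing `get_global_sam_name()` with `lp_workgroup()` on L2799 changes the stored domain for any server role where the SAM name is not the workgroup (a standalone server's SAM is, as far as I recall, named after the host rather than its workgroup). If that difference is intended, a comment saying so would save the next reader a detour, e.g. `/* the account's domain is the workgroup even when the SAM is named after the host */`; otherwise the previous call looks like the right one. build_sam_account starts outside the hunk.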
@@ -1507,7 +1502,6 @@ static void free_private_data(void **vp)
/* No need to free any further, as it is talloc()ed */
}
-
NTSTATUS pdb_init_smbpasswd(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
{
NTSTATUS nt_status;
@@ -1554,35 +1548,16 @@ NTSTATUS pdb_init_smbpasswd(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method,
(*pdb_method)->free_private_data = free_private_data;
- return NT_STATUS_OK;
-}
-
-NTSTATUS pdb_init_smbpasswd_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
- struct smbpasswd_privates *privates;
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_smbpasswd(pdb_context, pdb_method, location))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "smbpasswd_nua";
-
- privates = (*pdb_method)->private_data;
-
- privates->permit_non_unix_accounts = True;
-
- if (!lp_winbind_uid(&privates->low_nua_userid, &privates->high_nua_userid)) {
- DEBUG(0, ("cannot use smbpasswd_nua without 'winbind uid' range in smb.conf!\n"));
- return NT_STATUS_UNSUCCESSFUL;
+ if (lp_idmap_uid(&privates->low_nua_userid, &privates->high_nua_userid)) {
+ DEBUG(0, ("idmap uid range defined, non unix accounts enabled\n"));
+ privates->permit_non_unix_accounts = True;
}
return NT_STATUS_OK;
}
-NTSTATUS pdb_smbpasswd_init(void)
+int pdb_smbpasswd_init(void)
{
smb_register_passdb(PASSDB_INTERFACE_VERSION, "smbpasswd", pdb_init_smbpasswd);
- smb_register_passdb(PASSDB_INTERFACE_VERSION, "smbpasswd_nua", pdb_init_smbpasswd_nua);
- return NT_STATUS_OK;
+ return True;
}
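Review bot: The `smbpasswd_nua` backend name is dropped from registration (L2842) with no alias, so an existing `passdb backend = smbpasswd_nua` line stops resolving; the same happens for `tdbsam_nua` at L3098 and for the `xml` → `xmlsam` rename at L3110. Registering the old names as aliases of the merged initialisers, or failing with an error that names the new setting, would keep those configurations working. Separately, non-Unix accounts are now switched on implicitly whenever an `idmap uid` range is set (L2832–L2834 here, L3064–L3077 for tdbsam), which widens what the backend will store compared with the old opt-in backend name, and the line announcing it is logged at the error level; a configuration notice usually sits at 2 or 3, e.g. `DEBUG(3, ("idmap uid range defined, non unix accounts enabled\n"));`.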
diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
index c3538042ee..74437cba6f 100644
--- a/source3/passdb/pdb_tdb.c
+++ b/source3/passdb/pdb_tdb.c
@@ -101,7 +101,7 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state,
BOOL ret = True;
struct passwd *pw;
uid_t uid = -1;
- gid_t gid = -1; /* This is what standard sub advanced expects if no gid is known */
+ gid_t gid = -1;
if(sampass == NULL || buf == NULL) {
DEBUG(0, ("init_sam_from_buffer: NULL parameters found!\n"));
@@ -145,30 +145,6 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state,
goto done;
}
- /* validate the account and fill in UNIX uid and gid. Standard
- * getpwnam() is used instead of Get_Pwnam() as we do not need
- * to try case permutations
- */
- if (!username || !(pw = getpwnam_alloc(username))) {
- if (!(tdb_state->permit_non_unix_accounts)) {
- DEBUG(0,("tdbsam: getpwnam_alloc(%s) return NULL. User does not exist!\n", username));
- ret = False;
- goto done;
- }
- }
-
- if (pw) {
- uid = pw->pw_uid;
- gid = pw->pw_gid;
-
- pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
- passwd_free(&pw);
-
- pdb_set_uid(sampass, uid, PDB_SET);
- pdb_set_gid(sampass, gid, PDB_SET);
- }
-
pdb_set_logon_time(sampass, logon_time, PDB_SET);
pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
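Review bot: With the getpwnam block removed, `pw`, `uid` and `gid` declared at L2852–L2855 appear to have no remaining use in init_sam_from_buffer (the hunk shows no other reference and the function continues outside it), which will draw unused-variable warnings; if nothing else in the function reads them, drop the three declarations together with this block. This was also the point at which a tdbsam entry for a user missing from the Unix passwd database was refused, so if `username` was only validated here, check that a missing Unix account is now rejected somewhere else on the path.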
@@ -664,7 +640,7 @@ static NTSTATUS tdbsam_getsampwrid (struct pdb_methods *my_methods, SAM_ACCOUNT
return nt_status;
}
- fstrcpy (name, data.dptr);
+ fstrcpy(name, data.dptr);
SAFE_FREE(data.dptr);
tdb_close (pwd_tdb);
@@ -768,54 +744,40 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
return False;
}
+ if (!pdb_get_group_rid(newpwd)) {
+ DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
+ ret = False;
+ goto done;
+ }
+
/* if flag == TDB_INSERT then make up a new RID else throw an error. */
if (!(user_rid = pdb_get_user_rid(newpwd))) {
- if (flag & TDB_INSERT) {
- if (IS_SAM_UNIX_USER(newpwd)) {
- if (tdb_state->algorithmic_rids) {
- user_rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(newpwd));
- } else {
- user_rid = BASE_RID;
- tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &user_rid, RID_MULTIPLIER);
- if (!tdb_ret) {
- ret = False;
- goto done;
- }
- }
- pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED);
- } else {
- user_rid = tdb_state->low_nua_rid;
- tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, RID_MULTIPLIER);
- if (!tdb_ret) {
- ret = False;
- goto done;
- }
- if (user_rid > tdb_state->high_nua_rid) {
- DEBUG(0, ("tdbsam: no NUA rids available, cannot add user %s!\n", pdb_get_username(newpwd)));
- ret = False;
- goto done;
- }
- pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED);
+ if ((flag & TDB_INSERT) && tdb_state->permit_non_unix_accounts) {
+ uint32 lowrid, highrid;
+ if (!idmap_get_free_rid_range(&lowrid, &highrid)) {
+ /* should never happen */
+ DEBUG(0, ("tdbsam: something messed up, no high/low rids but nua enabled ?!\n"));
+ ret = False;
+ goto done;
}
- } else {
- DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd)));
- ret = False;
- goto done;
- }
- }
-
- if (!pdb_get_group_rid(newpwd)) {
- if (flag & TDB_INSERT) {
- if (!tdb_state->permit_non_unix_accounts) {
- DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
+ user_rid = lowrid;
+ tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &user_rid, RID_MULTIPLIER);
+ if (!tdb_ret) {
+ ret = False;
+ goto done;
+ }
+ if (user_rid > highrid) {
+ DEBUG(0, ("tdbsam: no NUA rids available, cannot add user %s!\n", pdb_get_username(newpwd)));
+ ret = False;
+ goto done;
+ }
+ if (!pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED)) {
+ DEBUG(0, ("tdbsam: not able to set new allocated user RID into sam account!\n"));
ret = False;
goto done;
- } else {
- /* This seems like a good default choice for non-unix users */
- pdb_set_group_sid_from_rid(newpwd, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
}
} else {
- DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
+ DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd)));
ret = False;
goto done;
}
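Review bot: The allocated RID is only bounded above (`user_rid > highrid`, L2957) while the counter is read from the `"RID_COUNTER"` key, which the removed code also used for the non-NUA path seeded at `BASE_RID`; an existing tdbsam whose counter sits below `lowrid` would therefore hand out RIDs outside the idmap-derived range, possibly colliding with algorithmic uid-based ones, and a database that used the old `"NUA_RID_COUNTER"` key silently restarts from `lowrid`. Bounding both ends, `if (user_rid < lowrid || user_rid > highrid) {`, with the same failure message closes the first gap (assuming `tdb_change_uint32_atomic` takes the passed value only when the key is absent — please confirm). `tdb_state->algorithmic_rids` is still set at L3086 but no longer consulted here, so either the field is dead or callers are expected to set the user RID before this point; a comment above `if (!(user_rid = pdb_get_user_rid(newpwd)))` stating which would help. The earlier group-RID check at L2898 also drops the former `DOMAIN_GROUP_RID_USERS` default for NUA accounts, so any caller that relied on it now fails with the new message.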
@@ -837,7 +799,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
/* setup the USER index key */
slprintf(keystr, sizeof(keystr)-1, "%s%s", USERPREFIX, name);
key.dptr = keystr;
- key.dsize = strlen (keystr) + 1;
+ key.dsize = strlen(keystr) + 1;
/* add the account */
if (tdb_store(pwd_tdb, key, data, flag) != TDB_SUCCESS) {
@@ -849,7 +811,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
}
/* setup RID data */
- data.dsize = sizeof(fstring);
+ data.dsize = strlen(name) + 1;
data.dptr = name;
/* setup the RID index key */
@@ -874,6 +836,49 @@ done:
return (ret);
}
+#if 0
+/***************************************************************************
+ Allocates a new RID and returns it to the caller as a domain sid
+
+ NOTE: Use carefullt, do not waste RIDs they are a limited resource!
+ - SSS
+ ***************************************************************************/
+
+static NTSTATUS tdbsam_get_next_sid (struct pdb_methods *my_methods, DOM_SID *sid)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
+ TDB_CONTEXT *pwd_tdb;
+ uint32 rid;
+
+ if (sid == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ pwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0600);
+ if (!pwd_tdb)
+ {
+ DEBUG(0, ("tdbsam_get_next_sid: Unable to open TDB passwd (%s)!\n", tdb_state->tdbsam_location));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ rid = BASE_RID;
+ if (tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &rid, 1)) {
+
+ sid_copy(sid, get_global_sam_sid());
+ if (!sid_append_rid(sid, rid)) {
+ goto done;
+ }
+
+ ret = NT_STATUS_OK;
+ }
+
+done:
+ tdb_close (pwd_tdb);
+ return ret;
+}
+#endif
+
/***************************************************************************
Modifies an existing SAM_ACCOUNT
****************************************************************************/
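Review bot: The new `tdbsam_get_next_sid` is added entirely inside `#if 0` (L2994–L3035), which is dead code the compiler never checks and that will drift from the live allocator; it also steps `"RID_COUNTER"` by 1 (L3021) where tdb_update_sam steps the same key by `RID_MULTIPLIER`, so if it is ever enabled the two allocators will disagree about the counter. Either wire it up behind a real condition or keep it out of the tree until it has a caller. The header comment's `carefullt` should read `carefully`.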
@@ -912,14 +917,7 @@ NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, con
{
NTSTATUS nt_status;
struct tdbsam_privates *tdb_state;
-
-#if 0 /* when made a module use this */
- tdbsam_debug_level = debug_add_class("tdbsam");
- if(tdbsam_debug_level == -1) {
- tdbsam_debug_level = DBGC_ALL;
- DEBUG(0, ("tdbsam: Couldn't register custom debugging class!\n"));
- }
-#endif
+ uint32 low_nua_uid, high_nua_uid;
if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
return nt_status;
@@ -953,47 +951,29 @@ NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, con
tdb_state->tdbsam_location = talloc_strdup(pdb_context->mem_ctx, tdbfile);
}
- tdb_state->algorithmic_rids = True;
-
(*pdb_method)->private_data = tdb_state;
(*pdb_method)->free_private_data = free_private_data;
- return NT_STATUS_OK;
-}
+ if (lp_idmap_uid(&low_nua_uid, &high_nua_uid)) {
+ DEBUG(0, ("idmap uid range defined, non unix accounts enabled\n"));
-NTSTATUS pdb_init_tdbsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
- struct tdbsam_privates *tdb_state;
- uint32 low_nua_uid, high_nua_uid;
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_tdbsam(pdb_context, pdb_method, location))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "tdbsam_nua";
+ tdb_state->permit_non_unix_accounts = True;
- tdb_state = (*pdb_method)->private_data;
+ tdb_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid);
- tdb_state->permit_non_unix_accounts = True;
+ tdb_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid);
- if (!lp_winbind_uid(&low_nua_uid, &high_nua_uid)) {
- DEBUG(0, ("cannot use tdbsam_nua without 'winbind uid' range in smb.conf!\n"));
- return NT_STATUS_UNSUCCESSFUL;
+ } else {
+ tdb_state->algorithmic_rids = True;
}
- tdb_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid);
-
- tdb_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid);
-
return NT_STATUS_OK;
}
-NTSTATUS pdb_tdbsam_init(void)
+int pdb_tdbsam_init(void)
{
smb_register_passdb(PASSDB_INTERFACE_VERSION, "tdbsam", pdb_init_tdbsam);
- smb_register_passdb(PASSDB_INTERFACE_VERSION, "tdbsam_nua", pdb_init_tdbsam_nua);
- return NT_STATUS_OK;
+ return True;
}
diff --git a/source3/passdb/pdb_xml.c b/source3/passdb/pdb_xml.c
index de2ee4594c..7a5c0e2b53 100644
--- a/source3/passdb/pdb_xml.c
+++ b/source3/passdb/pdb_xml.c
@@ -524,7 +524,7 @@ static NTSTATUS xmlsam_init(PDB_CONTEXT * pdb_context, PDB_METHODS ** pdb_method
return nt_status;
}
- (*pdb_method)->name = "xml";
+ (*pdb_method)->name = "xmlsam";
(*pdb_method)->setsampwent = xmlsam_setsampwent;
(*pdb_method)->endsampwent = xmlsam_endsampwent;
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 5b9d39ddc7..6a9e591f64 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -472,16 +472,10 @@ failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
* Store the UNIX credential data (uid/gid pair) in the pipe structure.
*/
- if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
- DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
- free_server_info(&server_info);
- return False;
- }
-
memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
- p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
- p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
+ p->pipe_user.uid = server_info->uid;
+ p->pipe_user.gid = server_info->gid;
p->pipe_user.ngroups = server_info->n_groups;
if (p->pipe_user.ngroups) {
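Review bot: The removed `IS_SAM_UNIX_USER` check was the last guard before Unix credentials are attached to the pipe; the pipe now takes `server_info->uid`/`gid` (L3129–L3130) on trust, so correctness depends on the auth path always having populated them — if the struct is allocated zeroed and some path leaves them unset, the pipe would run as uid/gid 0. A cheap defensive check here, and at the identical site in register_vuid (L3351–L3352), keeps the previous fail-closed behaviour, e.g. `if (server_info->uid == (uid_t)-1 || server_info->gid == (gid_t)-1) { free_server_info(&server_info); return False; }` with the auth code initialising both fields to -1. Whatever sentinel the auth changes actually use (not visible here), the point is that the pipe should not proceed on an unset id. The enclosing function continues outside the hunk.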
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 970756d47c..8c9e22966a 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -6,7 +6,7 @@
* Copyright (C) Paul Ashton 1997,
* Copyright (C) Marc Jacobsen 1999,
* Copyright (C) Jeremy Allison 2001-2002,
- * Copyright (C) Jean François Micouleau 1998-2001,
+ * Copyright (C) Jean François Micouleau 1998-2001,
* Copyright (C) Anthony Liguori 2002,
* Copyright (C) Jim McDonough 2002.
*
@@ -920,7 +920,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM
struct sys_grent *grp;
struct passwd *pw;
gid_t winbind_gid_low, winbind_gid_high;
- BOOL winbind_groups_exist = lp_winbind_gid(&winbind_gid_low, &winbind_gid_high);
+ BOOL winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high);
/* local aliases */
/* we return the UNIX groups here. This seems to be the right */
@@ -2811,8 +2811,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid)
copy_id23_to_sam_passwd(pwd, id23);
/* if it's a trust account, don't update /etc/passwd */
- if ( (!IS_SAM_UNIX_USER(pwd)) ||
- ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
+ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
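Review bot: The condition no longer tests `IS_SAM_UNIX_USER`, but the message on L3162 still says "Changing trust account or non-unix-user password", so the log now names a case the code cannot take; the same pair appears in set_user_info_pw at L3168–L3171. Trim it to `DEBUG(5, ("Changing trust account password, not updating /etc/passwd\n"));` in both places. Both functions continue outside their hunks.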
@@ -2873,8 +2872,7 @@ static BOOL set_user_info_pw(char *pass, DOM_SID *sid)
}
/* if it's a trust account, don't update /etc/passwd */
- if ( (!IS_SAM_UNIX_USER(pwd)) ||
- ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
+ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
@@ -3389,9 +3387,9 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD
pdb_free_sam(&sam_user);
return NT_STATUS_NO_SUCH_USER;
}
-
- uid = pdb_get_uid(sam_user);
- if (uid == -1) {
+
+ /* check a real user exist before we run the script to add a user to a group */
+ if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {
pdb_free_sam(&sam_user);
return NT_STATUS_NO_SUCH_USER;
}
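Review bot: The failure test here is `NT_STATUS_IS_ERR` (L3181), which only matches codes of error severity, so a non-OK status of warning or informational severity would fall through and use an unset `uid`; the patch uses `NT_STATUS_IS_OK` for the same calls at L3392, L3396 and L3425, while the `IS_ERR` form recurs at L3226, L3281, L3296, L3304, L3325, L3370 and L3378. Writing `if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {` uniformly is the fail-closed spelling and removes the inconsistency. Whether sid_to_uid can return such a status is not visible here, but the check should not depend on it. _samr_add_aliasmem continues outside the hunk.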
@@ -3401,7 +3399,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD
if ((pwd=getpwuid_alloc(uid)) == NULL) {
return NT_STATUS_NO_SUCH_USER;
}
-
+
if ((grp=getgrgid(map.gid)) == NULL) {
passwd_free(&pwd);
return NT_STATUS_NO_SUCH_ALIAS;
@@ -3550,18 +3548,6 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD
return NT_STATUS_NO_SUCH_USER;
}
- uid = pdb_get_uid(sam_user);
- if (uid == -1) {
- pdb_free_sam(&sam_user);
- return NT_STATUS_NO_SUCH_USER;
- }
-
- pdb_free_sam(&sam_user);
-
- if ((pwd=getpwuid_alloc(uid)) == NULL) {
- return NT_STATUS_NO_SUCH_USER;
- }
-
if ((grp=getgrgid(map.gid)) == NULL) {
passwd_free(&pwd);
return NT_STATUS_NO_SUCH_GROUP;
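Review bot: Removing the uid lookup also removed the only assignment to `pwd` and the `pdb_free_sam(&sam_user)` call, but `passwd_free(&pwd)` on L3210 (and, presumably, the later use of `pwd` in the group-add path outside the hunk) remains, so _samr_add_groupmem now frees an uninitialised pointer and leaks `sam_user`. The sibling change in _samr_add_aliasmem (L3180–L3184) kept the lookup and converted it to a SID-based one; this function needs the same treatment rather than a plain deletion, as below. The function continues outside the hunk.
```c
	/* check a real user exist before we run the script to add a user to a group */
	if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {
		pdb_free_sam(&sam_user);
		return NT_STATUS_NO_SUCH_USER;
	}

	pdb_free_sam(&sam_user);

	if ((pwd=getpwuid_alloc(uid)) == NULL) {
		return NT_STATUS_NO_SUCH_USER;
	}

	/* … unchanged: getgrgid(map.gid) lookup and the rest of the function … */
```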
diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c
index 4eba9c7d1f..f96ccaef67 100644
--- a/source3/rpc_server/srv_util.c
+++ b/source3/rpc_server/srv_util.c
@@ -112,7 +112,7 @@ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, ui
*prids=NULL;
*numgroups=0;
- winbind_groups_exist = lp_winbind_gid(&winbind_gid_low, &winbind_gid_high);
+ winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high);
DEBUG(10,("get_alias_user_groups: looking if SID %s is a member of groups in the SID domain %s\n",
@@ -129,7 +129,12 @@ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, ui
fstrcpy(user_name, pdb_get_username(sam_pass));
grid=pdb_get_group_rid(sam_pass);
- gid=pdb_get_gid(sam_pass);
+ if (NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sam_pass), &gid))) {
+ /* this should never happen */
+ DEBUG(2,("get_alias_user_groups: sid_to_gid failed!\n"));
+ pdb_free_sam(&sam_pass);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
become_root();
/* on some systems this must run as root */
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index 31c4fa7cc9..3d25f33f45 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -478,6 +478,12 @@ BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL
if (!name) {
DEBUG(1, ("NULL username specfied to chgpasswd()!\n"));
}
+
+ pass = Get_Pwnam(name);
+ if (!pass) {
+ DEBUG(1, ("Username does not exist in system passwd!\n"));
+ return False;
+ }
if (!oldpass) {
oldpass = "";
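Review bot: The `if (!name)` branch just above the moved lookup logs and carries on, so `Get_Pwnam(name)` on L3243 is now reached with a NULL name as the very next statement; that was latent before, when the lookup sat further down, but the move makes it immediate. Add `return False;` inside the `if (!name)` block so chgpasswd fails closed on a NULL username. chgpasswd continues outside the hunk.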
@@ -528,8 +534,6 @@ BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL
}
}
- pass = Get_Pwnam(name);
-
#ifdef WITH_PAM
if (lp_pam_password_change()) {
BOOL ret;
@@ -983,9 +987,8 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw
* to touch the unix db unless we have admin permission.
*/
- if(lp_unix_password_sync() && IS_SAM_UNIX_USER(hnd)
- && !chgpasswd(pdb_get_username(hnd),
- old_passwd, new_passwd, False)) {
+ if(lp_unix_password_sync() &&
+ !chgpasswd(pdb_get_username(hnd), old_passwd, new_passwd, False)) {
return NT_STATUS_ACCESS_DENIED;
}
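Review bot: Dropping `IS_SAM_UNIX_USER` from the condition means that with `unix password sync` on, an account that has no Unix counterpart — which this commit now lets the tdbsam and smbpasswd backends store whenever an `idmap uid` range exists — fails `chgpasswd()` and gets NT_STATUS_ACCESS_DENIED, where before the Unix sync was simply skipped for it. If such accounts are meant to change passwords, the sync should be gated on the SID resolving to a real uid, e.g. a preceding `sid_to_uid(pdb_get_user_sid(hnd), &uid)` check; if they are not, a comment stating that unix password sync requires every SAM account to have a Unix user would make the new rule explicit. change_oem_password continues outside the hunk.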
diff --git a/source3/smbd/ntquotas.c b/source3/smbd/ntquotas.c
index f34d61541c..a23b480627 100644
--- a/source3/smbd/ntquotas.c
+++ b/source3/smbd/ntquotas.c
@@ -74,7 +74,6 @@ int vfs_get_ntquota(files_struct *fsp, enum SMB_QUOTA_TYPE qtype, DOM_SID *psid,
int ret;
SMB_DISK_QUOTA D;
unid_t id;
- enum SID_NAME_USE sid_use = SID_NAME_USE_NONE;
ZERO_STRUCT(D);
@@ -85,7 +84,7 @@ int vfs_get_ntquota(files_struct *fsp, enum SMB_QUOTA_TYPE qtype, DOM_SID *psid,
id.uid = -1;
- if (psid && !sid_to_uid(psid, &id.uid, &sid_use)) {
+ if (psid && NT_STATUS_IS_ERR(sid_to_uid(psid, &id.uid))) {
DEBUG(0,("sid_to_uid: failed, SID[%s]\n",
sid_string_static(psid)));
}
@@ -113,7 +112,6 @@ int vfs_set_ntquota(files_struct *fsp, enum SMB_QUOTA_TYPE qtype, DOM_SID *psid,
int ret;
SMB_DISK_QUOTA D;
unid_t id;
- enum SID_NAME_USE sid_use = SID_NAME_USE_NONE;
ZERO_STRUCT(D);
if (!fsp||!fsp->conn||!qt)
@@ -133,7 +131,7 @@ int vfs_set_ntquota(files_struct *fsp, enum SMB_QUOTA_TYPE qtype, DOM_SID *psid,
D.isoftlimit = limit_blk2inodes(D.softlimit);
D.ihardlimit = limit_blk2inodes(D.hardlimit);
- if (psid && !sid_to_uid(psid, &id.uid, &sid_use)) {
+ if (psid && NT_STATUS_IS_ERR(sid_to_uid(psid, &id.uid))) {
DEBUG(0,("sid_to_uid: failed, SID[%s]\n",
sid_string_static(psid)));
}
@@ -187,7 +185,7 @@ int vfs_get_user_ntquota_list(files_struct *fsp, SMB_NTQUOTA_LIST **qt_list)
continue;
}
- if (uid_to_sid(&sid,usr->pw_uid)==NULL) {
+ if (NT_STATUS_IS_ERR(uid_to_sid(&sid, usr->pw_uid))) {
DEBUG(0,("uid_to_sid failed for %d\n",usr->pw_uid));
continue;
}
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index e7c834f531..fef176cae1 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1780,7 +1780,6 @@ static int call_nt_transact_ioctl(connection_struct *conn,
DOM_SID sid;
uid_t uid;
- enum SID_NAME_USE sid_use = 0;
size_t sid_len=SID_MAX_SIZE;
DEBUG(1,("FSCTL_FIND_FILES_BY_SID: fnum=%d control=0x%08x\n",fnum,control));
@@ -1792,10 +1791,9 @@ static int call_nt_transact_ioctl(connection_struct *conn,
sid_parse(pdata+4,sid_len,&sid);
DEBUGADD(2,("SID: %s\n",sid_string_static(&sid)));
- if (!sid_to_uid(&sid, &uid, &sid_use)
- ||sid_use!=SID_NAME_USER) {
- DEBUG(0,("sid_to_uid: failed, sid[%s] sid_use: %d\n",
- sid_string_static(&sid),sid_use));
+ if (NT_STATUS_IS_ERR(sid_to_uid(&sid, &uid))) {
+ DEBUG(0,("sid_to_uid: failed, sid[%s]\n",
+ sid_string_static(&sid)));
uid = (-1);
}
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 415025f649..81849b709a 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -68,7 +68,6 @@ void invalidate_vuid(uint16 vuid)
SAFE_FREE(vuser->logon_script);
session_yield(vuser);
- SAFE_FREE(vuser->session_keystr);
free_server_info(&vuser->server_info);
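Review bot: `SAFE_FREE(vuser->session_keystr)` is removed from invalidate_vuid with no visible change to where that field is allocated; if `session_keystr` is still a member of the vuser struct (smb.h is touched by this commit but not shown here) this leaks it on every vuid invalidation. If the field was removed from the struct in the same commit, this is fine. invalidate_vuid continues outside the hunk.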
@@ -142,15 +141,9 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name)
/* the next functions should be done by a SID mapping system (SMS) as
* the new real sam db won't have reference to unix uids or gids
*/
- if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
- DEBUG(0,("Attempted session setup with invalid user. No uid/gid in SAM_ACCOUNT\n"));
- free(vuser);
- free_server_info(&server_info);
- return UID_FIELD_INVALID;
- }
- vuser->uid = pdb_get_uid(server_info->sam_account);
- vuser->gid = pdb_get_gid(server_info->sam_account);
+ vuser->uid = server_info->uid;
+ vuser->gid = server_info->gid;
vuser->n_groups = server_info->n_groups;
if (vuser->n_groups) {
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 34c33af473..228322dc42 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -443,7 +443,6 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
{
DOM_SID owner_sid;
DOM_SID grp_sid;
- enum SID_NAME_USE sid_type;
*puser = (uid_t)-1;
*pgrp = (gid_t)-1;
@@ -469,7 +468,7 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
if (security_info_sent & OWNER_SECURITY_INFORMATION) {
sid_copy(&owner_sid, psd->owner_sid);
- if (!sid_to_uid( &owner_sid, puser, &sid_type)) {
+ if (NT_STATUS_IS_ERR(sid_to_uid(&owner_sid, puser))) {
#if ACL_FORCE_UNMAPPABLE
/* this allows take ownership to work reasonably */
extern struct current_user current_user;
@@ -489,7 +488,7 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
if (security_info_sent & GROUP_SECURITY_INFORMATION) {
sid_copy(&grp_sid, psd->grp_sid);
- if (!sid_to_gid( &grp_sid, pgrp, &sid_type)) {
+ if (NT_STATUS_IS_ERR(sid_to_gid( &grp_sid, pgrp))) {
#if ACL_FORCE_UNMAPPABLE
/* this allows take group ownership to work reasonably */
extern struct current_user current_user;
@@ -938,7 +937,6 @@ static BOOL create_canon_ace_lists(files_struct *fsp,
}
for(i = 0; i < dacl->num_aces; i++) {
- enum SID_NAME_USE sid_type;
SEC_ACE *psa = &dacl->ace[i];
/*
@@ -1003,10 +1001,10 @@ static BOOL create_canon_ace_lists(files_struct *fsp,
if (nt4_compatible_acls())
psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
- } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid, &sid_type)) {
+ } else if (NT_STATUS_IS_OK(sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid))) {
current_ace->owner_type = GID_ACE;
current_ace->type = SMB_ACL_GROUP;
- } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid, &sid_type)) {
+ } else if (NT_STATUS_IS_OK(sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid))) {
current_ace->owner_type = UID_ACE;
current_ace->type = SMB_ACL_USER;
} else {
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index d46be42eba..edc7b57ba3 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -839,6 +839,12 @@ static BOOL init_structs(void )
if(!initialize_password_db(False))
exit(1);
+ if (!idmap_init())
+ exit(1);
+
+ if (!idmap_init_wellknown_sids())
+ exit(1);
+
static_init_rpc;
init_modules();
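Review bot: Both new `exit(1)` calls (L3407–L3411) leave without saying which initialisation failed, so unless `idmap_init()` and `idmap_init_wellknown_sids()` log for themselves (not visible here) a misconfigured idmap ends the daemon with no trace in the log. A `DEBUG(0, ("idmap_init failed\n"));` before the first exit, and a matching line for the well-known SIDs before the second, makes the failure diagnosable. init_structs continues outside the hunk.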
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index b9cf0de3bd..c68d00025c 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -405,10 +405,9 @@ void add_supplementary_nt_login_groups(int *n_groups, gid_t **pp_groups, NT_USER
memcpy(final_groups, *pp_groups, current_n_groups * sizeof(gid_t));
for (i = 0; i < ptok->num_sids; i++) {
- enum SID_NAME_USE sid_type;
gid_t new_grp;
- if (sid_to_gid(&ptok->user_sids[i], &new_grp, &sid_type)) {
+ if (NT_STATUS_IS_OK(sid_to_gid(&ptok->user_sids[i], &new_grp))) {
/*
* Don't add the gid_t if it is already in the current group
* list. Some UNIXen don't like the same group more than once.
@@ -530,419 +529,3 @@ BOOL lookup_sid(DOM_SID *sid, fstring dom_name, fstring name, enum SID_NAME_USE
}
return True;
}
-
-/*****************************************************************
- Id mapping cache. This is to avoid Winbind mappings already
- seen by smbd to be queried too frequently, keeping winbindd
- busy, and blocking smbd while winbindd is busy with other
- stuff. Written by Michael Steffens <michael.steffens@hp.com>,
- modified to use linked lists by jra.
-*****************************************************************/
-
-#define MAX_UID_SID_CACHE_SIZE 100
-#define TURNOVER_UID_SID_CACHE_SIZE 10
-#define MAX_GID_SID_CACHE_SIZE 100
-#define TURNOVER_GID_SID_CACHE_SIZE 10
-
-static size_t n_uid_sid_cache = 0;
-static size_t n_gid_sid_cache = 0;
-
-static struct uid_sid_cache {
- struct uid_sid_cache *next, *prev;
- uid_t uid;
- DOM_SID sid;
- enum SID_NAME_USE sidtype;
-} *uid_sid_cache_head;
-
-static struct gid_sid_cache {
- struct gid_sid_cache *next, *prev;
- gid_t gid;
- DOM_SID sid;
- enum SID_NAME_USE sidtype;
-} *gid_sid_cache_head;
-
-/*****************************************************************
- Find a SID given a uid.
-*****************************************************************/
-
-static BOOL fetch_sid_from_uid_cache(DOM_SID *psid, enum SID_NAME_USE *psidtype, uid_t uid)
-{
- struct uid_sid_cache *pc;
-
- for (pc = uid_sid_cache_head; pc; pc = pc->next) {
- if (pc->uid == uid) {
- fstring sid;
- *psid = pc->sid;
- *psidtype = pc->sidtype;
- DEBUG(3,("fetch sid from uid cache %u -> %s\n",
- (unsigned int)uid, sid_to_string(sid, psid)));
- DLIST_PROMOTE(uid_sid_cache_head, pc);
- return True;
- }
- }
- return False;
-}
-
-/*****************************************************************
- Find a uid given a SID.
-*****************************************************************/
-
-static BOOL fetch_uid_from_cache(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE sidtype)
-{
- struct uid_sid_cache *pc;
-
- for (pc = uid_sid_cache_head; pc; pc = pc->next) {
- if (sid_compare(&pc->sid, psid) == 0) {
- fstring sid;
- *puid = pc->uid;
- DEBUG(3,("fetch uid from cache %u -> %s\n",
- (unsigned int)*puid, sid_to_string(sid, psid)));
- DLIST_PROMOTE(uid_sid_cache_head, pc);
- return True;
- }
- }
- return False;
-}
-
-/*****************************************************************
- Store uid to SID mapping in cache.
-*****************************************************************/
-
-static void store_uid_sid_cache(const DOM_SID *psid, const enum SID_NAME_USE sidtype, uid_t uid)
-{
- struct uid_sid_cache *pc;
-
- if (n_uid_sid_cache >= MAX_UID_SID_CACHE_SIZE && n_uid_sid_cache > TURNOVER_UID_SID_CACHE_SIZE) {
- /* Delete the last TURNOVER_UID_SID_CACHE_SIZE entries. */
- struct uid_sid_cache *pc_next;
- size_t i;
-
- for (i = 0, pc = uid_sid_cache_head; i < (n_uid_sid_cache - TURNOVER_UID_SID_CACHE_SIZE); i++, pc = pc->next)
- ;
- for(; pc; pc = pc_next) {
- pc_next = pc->next;
- DLIST_REMOVE(uid_sid_cache_head,pc);
- SAFE_FREE(pc);
- n_uid_sid_cache--;
- }
- }
-
- pc = (struct uid_sid_cache *)malloc(sizeof(struct uid_sid_cache));
- if (!pc)
- return;
- pc->uid = uid;
- sid_copy(&pc->sid, psid);
- pc->sidtype = sidtype;
- DLIST_ADD(uid_sid_cache_head, pc);
- n_uid_sid_cache++;
-}
-
-/*****************************************************************
- Find a SID given a gid.
-*****************************************************************/
-
-static BOOL fetch_sid_from_gid_cache(DOM_SID *psid, enum SID_NAME_USE *psidtype, gid_t gid)
-{
- struct gid_sid_cache *pc;
-
- for (pc = gid_sid_cache_head; pc; pc = pc->next) {
- if (pc->gid == gid) {
- fstring sid;
- *psid = pc->sid;
- *psidtype = pc->sidtype;
- DEBUG(3,("fetch sid from gid cache %u -> %s\n",
- (unsigned int)gid, sid_to_string(sid, psid)));
- DLIST_PROMOTE(gid_sid_cache_head, pc);
- return True;
- }
- }
- return False;
-}
-
-/*****************************************************************
- Find a gid given a SID.
-*****************************************************************/
-
-static BOOL fetch_gid_from_cache(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE sidtype)
-{
- struct gid_sid_cache *pc;
-
- for (pc = gid_sid_cache_head; pc; pc = pc->next) {
- if (sid_compare(&pc->sid, psid) == 0) {
- fstring sid;
- *pgid = pc->gid;
- DEBUG(3,("fetch uid from cache %u -> %s\n",
- (unsigned int)*pgid, sid_to_string(sid, psid)));
- DLIST_PROMOTE(gid_sid_cache_head, pc);
- return True;
- }
- }
- return False;
-}
-
-/*****************************************************************
- Store gid to SID mapping in cache.
-*****************************************************************/
-
-static void store_gid_sid_cache(const DOM_SID *psid, const enum SID_NAME_USE sidtype, gid_t gid)
-{
- struct gid_sid_cache *pc;
-
- if (n_gid_sid_cache >= MAX_GID_SID_CACHE_SIZE && n_gid_sid_cache > TURNOVER_GID_SID_CACHE_SIZE) {
- /* Delete the last TURNOVER_GID_SID_CACHE_SIZE entries. */
- struct gid_sid_cache *pc_next;
- size_t i;
-
- for (i = 0, pc = gid_sid_cache_head; i < (n_gid_sid_cache - TURNOVER_GID_SID_CACHE_SIZE); i++, pc = pc->next)
- ;
- for(; pc; pc = pc_next) {
- pc_next = pc->next;
- DLIST_REMOVE(gid_sid_cache_head,pc);
- SAFE_FREE(pc);
- n_gid_sid_cache--;
- }
- }
-
- pc = (struct gid_sid_cache *)malloc(sizeof(struct gid_sid_cache));
- if (!pc)
- return;
- pc->gid = gid;
- sid_copy(&pc->sid, psid);
- pc->sidtype = sidtype;
- DLIST_ADD(gid_sid_cache_head, pc);
- n_gid_sid_cache++;
-}
-
-
-/*****************************************************************
- *THE CANONICAL* convert uid_t to SID function.
- Tries winbind first - then uses local lookup.
- Returns SID pointer.
-*****************************************************************/
-
-DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid)
-{
- uid_t low, high;
- enum SID_NAME_USE sidtype;
- fstring sid;
-
- if (fetch_sid_from_uid_cache(psid, &sidtype, uid))
- return psid;
-
- if (lp_winbind_uid(&low, &high) && uid >= low && uid <= high) {
- if (winbind_uid_to_sid(psid, uid)) {
-
- DEBUG(10,("uid_to_sid: winbindd %u -> %s\n",
- (unsigned int)uid, sid_to_string(sid, psid)));
-
- if (psid)
- store_uid_sid_cache(psid, SID_NAME_USER, uid);
- return psid;
- }
- }
-
- /* Make sure we report failure, (when psid == NULL) */
- become_root();
- psid = local_uid_to_sid(psid, uid);
- unbecome_root();
-
- DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid, sid_to_string(sid, psid)));
- if (psid)
- store_uid_sid_cache(psid, SID_NAME_USER, uid);
-
- return psid;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert gid_t to SID function.
- Tries winbind first - then uses local lookup.
- Returns SID pointer.
-*****************************************************************/
-
-DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid)
-{
- gid_t low, high;
- enum SID_NAME_USE sidtype;
- fstring sid;
-
- if (fetch_sid_from_gid_cache(psid, &sidtype, gid))
- return psid;
-
- if (lp_winbind_gid(&low, &high) && gid >= low && gid <= high) {
- if (winbind_gid_to_sid(psid, gid)) {
-
- DEBUG(10,("gid_to_sid: winbindd %u -> %s\n",
- (unsigned int)gid, sid_to_string(sid, psid)));
-
- if (psid)
- store_gid_sid_cache(psid, SID_NAME_DOM_GRP, gid);
- return psid;
- }
- }
-
- /* Make sure we report failure, (when psid == NULL) */
- become_root();
- psid = local_gid_to_sid(psid, gid);
- unbecome_root();
- DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid, sid_to_string(sid, psid)));
- if (psid)
- store_gid_sid_cache(psid, SID_NAME_DOM_GRP, gid);
-
- return psid;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert SID to uid function.
- Tries winbind first - then uses local lookup.
- Returns True if this name is a user sid and the conversion
- was done correctly, False if not. sidtype is set by this function.
-*****************************************************************/
-
-BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype)
-{
- fstring sid_str;
-
- if (fetch_uid_from_cache(puid, psid, *sidtype))
- return True;
-
- /* if we know its local then don't try winbindd */
- if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
- BOOL result;
- become_root();
- result = local_sid_to_uid(puid, psid, sidtype);
- unbecome_root();
- if (result)
- store_uid_sid_cache(psid, *sidtype, *puid);
- return result;
- }
-
-/* (tridge) I commented out the slab of code below in order to support foreign SIDs
- Do we really need to validate the type of SID we have in this case?
-*/
-#if 0
- fstring dom_name, name;
- enum SID_NAME_USE name_type;
-
- *sidtype = SID_NAME_UNKNOWN;
- /*
- * First we must look up the name and decide if this is a user sid.
- */
-
- if ( (!winbind_lookup_sid(psid, dom_name, name, &name_type)) || (name_type != SID_NAME_USER) ) {
- BOOL result;
- DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed - trying local.\n",
- sid_to_string(sid_str, psid) ));
-
- become_root();
- result = local_sid_to_uid(puid, psid, sidtype);
- unbecome_root();
- return result;
- }
-
- /*
- * Ensure this is a user sid.
- */
-
- if (name_type != SID_NAME_USER) {
- DEBUG(10,("sid_to_uid: winbind lookup succeeded but SID is not a uid (%u)\n",
- (unsigned int)name_type ));
- return False;
- }
-#endif
- *sidtype = SID_NAME_USER;
-
- /*
- * Get the uid for this SID.
- */
-
- if (!winbind_sid_to_uid(puid, psid)) {
- BOOL result;
- DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed.\n",
- sid_to_string(sid_str, psid) ));
- become_root();
- result = local_sid_to_uid(puid, psid, sidtype);
- unbecome_root();
- if (result)
- store_uid_sid_cache(psid, *sidtype, *puid);
- return result;
- }
-
- DEBUG(10,("sid_to_uid: winbindd %s -> %u\n",
- sid_to_string(sid_str, psid),
- (unsigned int)*puid ));
-
- store_uid_sid_cache(psid, *sidtype, *puid);
- return True;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert SID to gid function.
- Tries winbind first - then uses local lookup.
- Returns True if this name is a user sid and the conversion
- was done correctly, False if not.
-*****************************************************************/
-
-BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype)
-{
- fstring dom_name, name, sid_str;
- enum SID_NAME_USE name_type;
-
- *sidtype = SID_NAME_UNKNOWN;
-
- if (fetch_gid_from_cache(pgid, psid, *sidtype))
- return True;
-
- /*
- * First we must look up the name and decide if this is a group sid.
- */
-
- /* if we know its local then don't try winbindd */
- if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
- BOOL result;
- become_root();
- result = local_sid_to_gid(pgid, psid, sidtype);
- unbecome_root();
- if (result)
- store_gid_sid_cache(psid, *sidtype, *pgid);
- return result;
- }
-
- if (!winbind_lookup_sid(psid, dom_name, name, &name_type)) {
- DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed.\n",
- sid_to_string(sid_str, psid) ));
- /* this was probably a foreign sid - assume its a group rid
- and continue */
- name_type = SID_NAME_DOM_GRP;
- }
-
- /*
- * Ensure this is a group sid.
- */
-
- if ((name_type != SID_NAME_DOM_GRP) && (name_type != SID_NAME_ALIAS) && (name_type != SID_NAME_WKN_GRP)) {
- DEBUG(10,("sid_to_gid: winbind lookup succeeded but SID is not a known group (%u)\n",
- (unsigned int)name_type ));
-
- return False;
- }
-
- *sidtype = name_type;
-
- /*
- * Get the gid for this SID.
- */
-
- if (!winbind_sid_to_gid(pgid, psid)) {
- DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed.\n",
- sid_to_string(sid_str, psid) ));
- return False;
- }
-
- DEBUG(10,("sid_to_gid: winbindd %s -> %u\n",
- sid_to_string(sid_str, psid),
- (unsigned int)*pgid ));
-
- store_gid_sid_cache(psid, *sidtype, *pgid);
- return True;
-}
-
diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
index e5df6ab038..13f35e8880 100644
--- a/source3/utils/pdbedit.c
+++ b/source3/utils/pdbedit.c
@@ -122,12 +122,6 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst
printf ("Unix username: %s\n", pdb_get_username(sam_pwent));
printf ("NT username: %s\n", pdb_get_nt_username(sam_pwent));
printf ("Account Flags: %s\n", pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent), NEW_PW_FORMAT_SPACE_PADDED_LEN));
-
- if (IS_SAM_UNIX_USER(sam_pwent)) {
- uid = pdb_get_uid(sam_pwent);
- gid = pdb_get_gid(sam_pwent);
- printf ("User ID/Group ID: %d/%d\n", uid, gid);
- }
printf ("User SID: %s\n",
sid_string_static(pdb_get_user_sid(sam_pwent)));
printf ("Primary Group SID: %s\n",
@@ -161,35 +155,25 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst
printf ("Password must change: %s\n", tmp ? http_timestring(tmp) : "0");
} else if (smbpwdstyle) {
- if (IS_SAM_UNIX_USER(sam_pwent)) {
- char lm_passwd[33];
- char nt_passwd[33];
-
- uid = pdb_get_uid(sam_pwent);
- pdb_sethexpwd(lm_passwd,
- pdb_get_lanman_passwd(sam_pwent),
- pdb_get_acct_ctrl(sam_pwent));
- pdb_sethexpwd(nt_passwd,
- pdb_get_nt_passwd(sam_pwent),
- pdb_get_acct_ctrl(sam_pwent));
+ char lm_passwd[33];
+ char nt_passwd[33];
+
+ uid = -1;
+ sid_to_uid(pdb_get_user_sid(sam_pwent), &uid);
+ pdb_sethexpwd(lm_passwd, pdb_get_lanman_passwd(sam_pwent), pdb_get_acct_ctrl(sam_pwent));
+ pdb_sethexpwd(nt_passwd, pdb_get_nt_passwd(sam_pwent), pdb_get_acct_ctrl(sam_pwent));
- printf("%s:%d:%s:%s:%s:LCT-%08X:\n",
- pdb_get_username(sam_pwent),
- uid,
- lm_passwd,
- nt_passwd,
- pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent),NEW_PW_FORMAT_SPACE_PADDED_LEN),
- (uint32)pdb_get_pass_last_set_time(sam_pwent));
- } else {
- fprintf(stderr, "Can't output in smbpasswd format, no uid on this record.\n");
- }
+ printf("%s:%d:%s:%s:%s:LCT-%08X:\n",
+ pdb_get_username(sam_pwent),
+ uid,
+ lm_passwd,
+ nt_passwd,
+ pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent),NEW_PW_FORMAT_SPACE_PADDED_LEN),
+ (uint32)pdb_get_pass_last_set_time(sam_pwent));
} else {
- if (IS_SAM_UNIX_USER(sam_pwent)) {
- printf ("%s:%d:%s\n", pdb_get_username(sam_pwent), pdb_get_uid(sam_pwent),
- pdb_get_fullname(sam_pwent));
- } else {
- printf ("%s:(null):%s\n", pdb_get_username(sam_pwent), pdb_get_fullname(sam_pwent));
- }
+ uid = -1;
+ sid_to_uid(pdb_get_user_sid(sam_pwent), &uid);
+ printf ("%s:%d:%s\n", pdb_get_username(sam_pwent), uid, pdb_get_fullname(sam_pwent));
}
return 0;
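Review bot: The return value of `sid_to_uid(pdb_get_user_sid(sam_pwent), &uid);` is discarded on both added call sites, so when the SID has no uid mapping the smbpasswd-style and short outputs silently print `-1` as the uid, whereas the removed branches reported "Can't output in smbpasswd format, no uid on this record." for exactly that case. Every other call site in this commit checks the result with NT_STATUS_IS_OK, so do the same here: `if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_pwent), &uid))) fprintf(stderr, "No uid mapping for this record.\n");` before each printf. The `%d` conversion applied to uid is inherited, but uid is declared outside the hunk so its type cannot be checked here; print_sam_info starts outside the hunk.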
@@ -583,8 +567,8 @@ int main (int argc, char **argv)
{"drive", 'D', POPT_ARG_STRING, &home_drive, 0, "set home drive", NULL},
{"script", 'S', POPT_ARG_STRING, &logon_script, 0, "set logon script", NULL},
{"profile", 'p', POPT_ARG_STRING, &profile_path, 0, "set profile path", NULL},
- {"user-SID", 'U', POPT_ARG_STRING, &user_sid, 0, "set user SID or RID", NULL},
- {"group-SID", 'G', POPT_ARG_STRING, &group_sid, 0, "set group SID or RID", NULL},
+ {"user SID", 'U', POPT_ARG_STRING, &user_sid, 0, "set user SID or RID", NULL},
+ {"group SID", 'G', POPT_ARG_STRING, &group_sid, 0, "set group SID or RID", NULL},
{"create", 'a', POPT_ARG_NONE, &add_user, 0, "create user", NULL},
{"modify", 'r', POPT_ARG_NONE, &modify_user, 0, "modify user", NULL},
{"machine", 'm', POPT_ARG_NONE, &machine, 0, "account is a machine account", NULL},
@@ -626,6 +610,12 @@ int main (int argc, char **argv)
if (!init_names())
exit(1);
+ if (!idmap_init())
+ exit(1);
+
+ if (!idmap_init_wellknown_sids())
+ exit(1);
+
setparms = (backend ? BIT_BACKEND : 0) +
(verbose ? BIT_VERBOSE : 0) +
(spstyle ? BIT_SPSTYLE : 0) +
diff --git a/source3/utils/profiles.c b/source3/utils/profiles.c
index 7c2d820c81..afaa83f638 100644
--- a/source3/utils/profiles.c
+++ b/source3/utils/profiles.c
@@ -418,10 +418,10 @@ static int my_sid_equal(DOM_SID *s1, DOM_SID *s2)
* Quick and dirty to read a SID in S-1-5-21-x-y-z-rid format and
* construct a DOM_SID
*/
-static int get_sid(DOM_SID *sid, char *sid_str)
+static int get_sid(DOM_SID *sid, const unsigned char *sid_str)
{
int i = 0, auth;
- char *lstr;
+ const unsigned char *lstr;
if (strncmp(sid_str, "S-1-5", 5)) {
fprintf(stderr, "Does not conform to S-1-5...: %s\n", sid_str);