47 files changed, 973 insertions, 1516 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index 492d73d4b7..f1c497663f 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -274,12 +274,14 @@ PASSDB_GET_SET_OBJ = passdb/pdb_get_set.o PASSDB_OBJ = $(PASSDB_GET_SET_OBJ) passdb/passdb.o passdb/pdb_interface.o \ passdb/machine_sid.o passdb/util_sam_sid.o passdb/pdb_compat.o \ - @PDB_STATIC@ + passdb/privileges.o @PDB_STATIC@ XML_OBJ = passdb/pdb_xml.o MYSQL_OBJ = passdb/pdb_mysql.o DEVEL_HELP_OBJ = modules/weird.o +IDMAP_OBJ = sam/idmap.o sam/idmap_util.o sam/idmap_tdb.o + GROUPDB_OBJ = groupdb/mapping.o PROFILE_OBJ = profile/profile.o @@ -340,7 +342,7 @@ SMBD_OBJ_BASE = $(PARAM_OBJ) $(SMBD_OBJ_SRV) $(MSDFS_OBJ) $(LIBSMB_OBJ) \ $(NOTIFY_OBJ) $(GROUPDB_OBJ) $(AUTH_OBJ) \ $(LIBMSRPC_OBJ) $(LIBMSRPC_SERVER_OBJ) \ $(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(LIBADS_SERVER_OBJ) \ - $(LIB_SMBD_OBJ) $(REGISTRY_OBJ) $(POPT_LIB_OBJ) + $(LIB_SMBD_OBJ) $(REGISTRY_OBJ) $(POPT_LIB_OBJ) $(IDMAP_OBJ) PRINTING_OBJ = printing/pcap.o printing/print_svid.o \ printing/print_cups.o printing/print_generic.o \ @@ -378,9 +380,9 @@ SWAT_OBJ1 = web/cgi.o web/diagnose.o web/startstop.o web/statuspage.o \ web/swat.o web/neg_lang.o SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(PRINTING_OBJ) $(LIBSMB_OBJ) \ - $(LOCKING_OBJ) $(PASSDB_OBJ) $(SECRETS_OBJ) $(KRBCLIENT_OBJ) \ + $(LOCKING_OBJ) $(PASSDB_OBJ) $(SECRETS_OBJ) $(KRBCLIENT_OBJ) \ $(UBIQX_OBJ) $(LIB_OBJ) $(GROUPDB_OBJ) $(PLAINTEXT_AUTH_OBJ) \ - $(POPT_LIB_OBJ) + $(POPT_LIB_OBJ) $(IDMAP_OBJ) SMBSH_OBJ = smbwrapper/smbsh.o smbwrapper/shared.o \ $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) 
@@ -404,11 +406,12 @@ TESTPRNS_OBJ = utils/testprns.o $(PARAM_OBJ) $(PRINTING_OBJ) $(UBIQX_OBJ) \ SMBPASSWD_OBJ = utils/smbpasswd.o $(PARAM_OBJ) $(SECRETS_OBJ) \ $(LIBSMB_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ)\ - $(UBIQX_OBJ) $(LIB_OBJ) $(KRBCLIENT_OBJ) + $(UBIQX_OBJ) $(LIB_OBJ) $(KRBCLIENT_OBJ) \ + $(IDMAP_OBJ) PDBEDIT_OBJ = utils/pdbedit.o $(PARAM_OBJ) $(PASSDB_OBJ) $(LIBSAMBA_OBJ) \ $(UBIQX_OBJ) $(LIB_OBJ) $(GROUPDB_OBJ) $(SECRETS_OBJ) \ - $(POPT_LIB_OBJ) + $(POPT_LIB_OBJ) $(IDMAP_OBJ) RPCCLIENT_OBJ1 = rpcclient/rpcclient.o rpcclient/cmd_lsarpc.o \ rpcclient/cmd_samr.o rpcclient/cmd_spoolss.o \ @@ -421,7 +424,8 @@ RPCCLIENT_OBJ = $(RPCCLIENT_OBJ1) \ $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \ $(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(LIBMSRPC_OBJ) \ $(READLINE_OBJ) $(GROUPDB_OBJ) $(KRBCLIENT_OBJ) \ - $(LIBADS_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) + $(LIBADS_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) \ + $(IDMAP_OBJ) PAM_WINBIND_OBJ = nsswitch/pam_winbind.po nsswitch/wb_common.po lib/snprintf.po @@ -468,7 +472,8 @@ NET_OBJ = $(NET_OBJ1) $(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \ $(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \ $(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \ $(LIBMSRPC_OBJ) $(LIBMSRPC_SERVER_OBJ) \ - $(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) $(POPT_LIB_OBJ) + $(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) $(POPT_LIB_OBJ) \ + $(IDMAP_OBJ) CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) \ $(LIB_OBJ) $(KRBCLIENT_OBJ) @@ -547,7 +552,7 @@ PROTO_OBJ = $(SMBD_OBJ_MAIN) \ $(LIB_SMBD_OBJ) $(SAM_OBJ) $(REGISTRY_OBJ) $(POPT_LIB_OBJ) \ $(RPC_LSA_OBJ) $(RPC_NETLOG_OBJ) $(RPC_SAMR_OBJ) $(RPC_REG_OBJ) \ $(RPC_SVC_OBJ) $(RPC_WKS_OBJ) $(RPC_DFS_OBJ) $(RPC_SPOOLSS_OBJ) \ - $(RPC_ECHO_OBJ) + $(IDMAP_OBJ) $(RPC_ECHO_OBJ) NSS_OBJ_0 = nsswitch/wins.o $(PARAM_OBJ) $(UBIQX_OBJ) $(LIBSMB_OBJ) \ $(LIB_OBJ) $(NSSWINS_OBJ) 
@@ -562,7 +567,7 @@ PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \ pam_smbpass/pam_smb_acct.o pam_smbpass/support.o \ libsmb/smbencrypt.o libsmb/smbdes.o libsmb/nterr.o \ $(PARAM_OBJ) $(LIB_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \ - $(SECRETS_OBJ) $(UBIQX_OBJ) + $(SECRETS_OBJ) $(UBIQX_OBJ) $(IDMAP_OBJ) PAM_SMBPASS_PICOOBJ = $(PAM_SMBPASS_OBJ_0:.o=.po) @@ -570,8 +575,6 @@ WINBINDD_OBJ1 = \ nsswitch/winbindd.o \ nsswitch/winbindd_user.o \ nsswitch/winbindd_group.o \ - nsswitch/winbindd_idmap.o \ - nsswitch/winbindd_idmap_tdb.o \ nsswitch/winbindd_util.o \ nsswitch/winbindd_cache.o \ nsswitch/winbindd_pam.o \ @@ -581,13 +584,14 @@ WINBINDD_OBJ1 = \ nsswitch/winbindd_wins.o \ nsswitch/winbindd_rpc.o \ nsswitch/winbindd_ads.o \ - nsswitch/winbindd_dual.o + nsswitch/winbindd_dual.o \ + nsswitch/winbindd_passdb.o WINBINDD_OBJ = \ - $(WINBINDD_OBJ1) $(PASSDB_GET_SET_OBJ) \ + $(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \ $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \ $(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \ - $(PROFILE_OBJ) $(UNIGRP_OBJ) \ + $(PROFILE_OBJ) $(UNIGRP_OBJ) $(IDMAP_OBJ) \ $(SECRETS_OBJ) $(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) WBINFO_OBJ = nsswitch/wbinfo.o $(LIBSAMBA_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \ diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 0875c48280..3411083116 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c 
@@ -135,17 +135,20 @@ check for a possible hosts equiv or rhosts entry for the user static BOOL check_hosts_equiv(SAM_ACCOUNT *account) { - char *fname = NULL; + uid_t uid; + char *fname = NULL; - fname = lp_hosts_equiv(); + fname = lp_hosts_equiv(); + if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(account), &uid))) + return False; - /* note: don't allow hosts.equiv on root */ - if (IS_SAM_UNIX_USER(account) && fname && *fname && (pdb_get_uid(account) != 0)) { - if (check_user_equiv(pdb_get_username(account),client_name(),fname)) - return(True); - } + /* note: don't allow hosts.equiv on root */ + if (fname && *fname && uid != 0) { + if (check_user_equiv(pdb_get_username(account),client_name(),fname)) + return True; + } - return(False); + return False; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a3ca0b226f..e8f2af41f3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -611,21 +611,21 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, NT_USER_TOKEN *token; int i; - if (!uid_to_sid(&user_sid, uid)) { + if (NT_STATUS_IS_ERR(uid_to_sid(&user_sid, uid))) { return NULL; } - if (!gid_to_sid(&group_sid, gid)) { + if (NT_STATUS_IS_ERR(gid_to_sid(&group_sid, gid))) { return NULL; } - group_sids = malloc(sizeof(DOM_SID) * ngroups); + group_sids = malloc(sizeof(DOM_SID) * ngroups); if (!group_sids) { DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n")); return NULL; } for (i = 0; i < ngroups; i++) { - if (!gid_to_sid(&(group_sids)[i], (groups)[i])) { + if (NT_STATUS_IS_ERR(gid_to_sid(&(group_sids)[i], (groups)[i]))) { DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); SAFE_FREE(group_sids); return NULL; 
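Review bot: In check_hosts_equiv `uid` is only written when sid_to_uid() succeeds, but the new guard rejects only results for which NT_STATUS_IS_ERR() is true, so a non-OK status without error severity falls through to the `uid != 0` test with `uid` uninitialized (assuming NT_STATUS_IS_ERR tests the severity bits only, as elsewhere in the tree). Since the guard exists to keep root out of hosts.equiv, it should reject anything that is not success: `if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(account), &uid)))`. The same ERR-rather-than-!OK test is introduced in create_nt_token in the hunk below, and in get_user_groups_from_local_sam and make_server_info further down auth_util.c, whereas the new idmap_get_id_from_sid() call in make_server_info_info3 already tests NT_STATUS_IS_OK, so switching the others would also make the file consistent.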
@@ -648,7 +648,7 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * If this samba server is a DC of the domain the user belongs to, it returns * both domain groups and local / builtin groups. If the user is in a trusted * domain, or samba is a member server of a domain, then this function returns - * local and builtin groups the user is a member of. + * local and builtin groups the user is a member of. * * currently this is a hack, as there is no sam implementation that is capable * of groups. @@ -661,23 +661,18 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, gid_t gid; int n_unix_groups; int i; - struct passwd *usr; *n_groups = 0; *groups = NULL; - if (!IS_SAM_UNIX_USER(sampass)) { - DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass))); - return NT_STATUS_NO_SUCH_USER; + if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid)) || NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sampass), &gid))) { + DEBUG(0, ("get_user_groups_from_local_sam: error fetching uid or gid for user!\n")); + return NT_STATUS_UNSUCCESSFUL; } - - uid = pdb_get_uid(sampass); - gid = pdb_get_gid(sampass); n_unix_groups = groups_max(); if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); - passwd_free(&usr); return NT_STATUS_NO_MEMORY; } @@ -686,7 +681,6 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (!groups_tmp) { SAFE_FREE(*unix_groups); - passwd_free(&usr); return NT_STATUS_NO_MEMORY; } *unix_groups = groups_tmp; 
@@ -694,7 +688,6 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); - passwd_free(&usr); return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ } } @@ -713,7 +706,7 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, *n_groups = n_unix_groups; for (i = 0; i < *n_groups; i++) { - if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) { + if (NT_STATUS_IS_ERR(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) { DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1])); SAFE_FREE(*groups); SAFE_FREE(*unix_groups); @@ -730,6 +723,8 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { + NTSTATUS ret; + *server_info = malloc(sizeof(**server_info)); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); @@ -739,6 +734,10 @@ static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACC (*server_info)->sam_fill_level = SAM_FILL_ALL; (*server_info)->sam_account = sampass; + if (NT_STATUS_IS_ERR(ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) + return ret; + if (NT_STATUS_IS_ERR(ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) + return ret; return NT_STATUS_OK; } @@ -869,8 +868,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct passwd *passwd; - uid_t uid; - gid_t gid; + unid_t u_id, g_id; + int u_type, g_type; int n_lgroupSIDs; DOM_SID *lgroupSIDs = NULL; 
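Review bot: The two early returns added to make_server_info leave `*server_info` pointing at the structure malloc'ed a few lines earlier, so a failed SID-to-id lookup leaks that allocation and hands the caller a non-NULL, half-initialised server_info together with an error status. Free it and reset the out-pointer before returning, and test `!NT_STATUS_IS_OK` rather than `NT_STATUS_IS_ERR` so that no non-success status can leave `uid`/`gid` unset. The `sampass` attached just above is the caller's; whether it should also be released on this path depends on the ownership convention for make_server_info, which lies outside the hunk.
```c
	(*server_info)->sam_account = sampass;

	ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid));
	if (!NT_STATUS_IS_OK(ret)) {
		SAFE_FREE(*server_info);
		return ret;
	}
	ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid));
	if (!NT_STATUS_IS_OK(ret)) {
		SAFE_FREE(*server_info);
		return ret;
	}
	return NT_STATUS_OK;
```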
@@ -907,9 +906,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, domain = domain; } - if (winbind_sid_to_uid(&uid, &user_sid) - && winbind_sid_to_gid(&gid, &group_sid) - && ((passwd = getpwuid_alloc(uid)))) { + u_type = ID_USERID; + g_type = ID_GROUPID; + if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid)) + && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid)) + && ((passwd = getpwuid_alloc(u_id.uid)))) { nt_status = pdb_init_sam_pw(&sam_account, passwd); passwd_free(&passwd); } else { diff --git a/source3/client/client.c b/source3/client/client.c index 36c76cbf15..b498b5b4a8 100644 --- a/source3/client/client.c +++ b/source3/client/client.c 
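Review bot: After the two idmap_get_id_from_sid() calls in make_server_info_info3 return, `u_type` and `g_type` are never examined, yet the `int *id_type` argument (see the idmap_methods signature later in this diff) suggests the backend can report the type it actually mapped; if user_sid resolves to a group id, `u_id.uid` reads the `gid` member of the union and getpwuid_alloc() is called with an id that was never a uid. Confirm the mapped types before touching the union, e.g. extend the condition with `&& u_type == ID_USERID && g_type == ID_GROUPID`. If the interface guarantees the requested type is never altered, a comment at the two `u_type = ID_USERID; g_type = ID_GROUPID;` assignments saying so would spare the next reader the question.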
@@ -2214,40 +2214,181 @@ static int process_command_string(char *cmd) return rc; } -/**************************************************************************** -handle completion of commands for readline -****************************************************************************/ -static char **completion_fn(char *text, int start, int end) -{ #define MAX_COMPLETIONS 100 - char **matches; - int i, count=0; - /* for words not at the start of the line fallback to filename completion */ - if (start) return NULL; +typedef struct { + pstring dirmask; + char **matches; + int count, samelen; + const char *text; + int len; +} completion_remote_t; - matches = (char **)malloc(sizeof(matches[0])*MAX_COMPLETIONS); - if (!matches) return NULL; +static void completion_remote_filter(file_info *f, const char *mask, void *state) +{ + completion_remote_t *info = (completion_remote_t *)state; - matches[count++] = strdup(text); - if (!matches[0]) return NULL; + if ((info->count < MAX_COMPLETIONS - 1) && (strncmp(info->text, f->name, info->len) == 0) && (strcmp(f->name, ".") != 0) && (strcmp(f->name, "..") != 0)) { + if ((info->dirmask[0] == 0) && !(f->mode & aDIR)) + info->matches[info->count] = strdup(f->name); + else { + pstring tmp; - for (i=0;commands[i].fn && count < MAX_COMPLETIONS-1;i++) { - if (strncmp(text, commands[i].name, strlen(text)) == 0) { - matches[count] = strdup(commands[i].name); - if (!matches[count]) return NULL; - count++; + if (info->dirmask[0] != 0) + pstrcpy(tmp, info->dirmask); + else + tmp[0] = 0; + pstrcat(tmp, f->name); + if (f->mode & aDIR) + pstrcat(tmp, "/"); + info->matches[info->count] = strdup(tmp); } + if (info->matches[info->count] == NULL) + return; + if (f->mode & aDIR) + smb_readline_ca_char(0); + + if (info->count == 1) + info->samelen = strlen(info->matches[info->count]); + else + while (strncmp(info->matches[info->count], info->matches[info->count-1], info->samelen) != 0) + info->samelen--; + info->count++; } +} + +static char 
**remote_completion(const char *text, int len) +{ + pstring dirmask; + int i; + completion_remote_t info = { "", NULL, 1, len, text, len }; + + if (len >= PATH_MAX) + return(NULL); + + info.matches = (char **)malloc(sizeof(info.matches[0])*MAX_COMPLETIONS); + if (!info.matches) return NULL; + info.matches[0] = NULL; + + for (i = len-1; i >= 0; i--) + if ((text[i] == '/') || (text[i] == '\\')) + break; + info.text = text+i+1; + info.samelen = info.len = len-i-1; - if (count == 2) { - SAFE_FREE(matches[0]); - matches[0] = strdup(matches[1]); + if (i > 0) { + strncpy(info.dirmask, text, i+1); + info.dirmask[i+1] = 0; + snprintf(dirmask, sizeof(dirmask), "%s%*s*", cur_dir, i-1, text); + } else + snprintf(dirmask, sizeof(dirmask), "%s*", cur_dir); + + if (cli_list(cli, dirmask, aDIR | aSYSTEM | aHIDDEN, completion_remote_filter, &info) < 0) + goto cleanup; + + if (info.count == 2) + info.matches[0] = strdup(info.matches[1]); + else { + info.matches[0] = malloc(info.samelen+1); + if (!info.matches[0]) + goto cleanup; + strncpy(info.matches[0], info.matches[1], info.samelen); + info.matches[0][info.samelen] = 0; } - matches[count] = NULL; - return matches; + info.matches[info.count] = NULL; + return info.matches; + +cleanup: + for (i = 0; i < info.count; i++) + free(info.matches[i]); + free(info.matches); + return NULL; } +static char **completion_fn(const char *text, int start, int end) +{ + smb_readline_ca_char(' '); + + if (start) { + const char *buf, *sp; + int i; + char compl_type; + + buf = smb_readline_get_line_buffer(); + if (buf == NULL) + return NULL; + + sp = strchr(buf, ' '); + if (sp == NULL) + return NULL; + + for (i = 0; commands[i].name; i++) + if ((strncmp(commands[i].name, text, sp - buf) == 0) && (commands[i].name[sp - buf] == 0)) + break; + if (commands[i].name == NULL) + return NULL; + + while (*sp == ' ') + sp++; + + if (sp == (buf + start)) + compl_type = commands[i].compl_args[0]; + else + compl_type = commands[i].compl_args[1]; + + if (compl_type 
== COMPL_REMOTE) + return remote_completion(text, end - start); + else /* fall back to local filename completion */ + return NULL; + } else { + char **matches; + int i, len, samelen, count=1; + + matches = (char **)malloc(sizeof(matches[0])*MAX_COMPLETIONS); + if (!matches) return NULL; + matches[0] = NULL; + + len = strlen(text); + for (i=0;commands[i].fn && count < MAX_COMPLETIONS-1;i++) { + if (strncmp(text, commands[i].name, len) == 0) { + matches[count] = strdup(commands[i].name); + if (!matches[count]) + goto cleanup; + if (count == 1) + samelen = strlen(matches[count]); + else + while (strncmp(matches[count], matches[count-1], samelen) != 0) + samelen--; + count++; + } + } + + switch (count) { + case 0: /* should never happen */ + case 1: + goto cleanup; + case 2: + matches[0] = strdup(matches[1]); + break; + default: + matches[0] = malloc(samelen+1); + if (!matches[0]) + goto cleanup; + strncpy(matches[0], matches[1], samelen); + matches[0][samelen] = 0; + } + matches[count] = NULL; + return matches; + +cleanup: + while (i >= 0) { + free(matches[i]); + i--; + } + free(matches); + return NULL; + } +} /**************************************************************************** make sure we swallow keepalives during idle time diff --git a/source3/configure.in b/source3/configure.in index 529e54c9a1..28b3a3a26b 100644 --- a/source3/configure.in +++ b/source3/configure.in 
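Review bot: The `cleanup:` loop at the end of completion_fn's local branch frees `matches[i]` counting down from `i`, but `i` is the commands[] index, not the number of entries written into `matches`, so on a strdup() failure it passes uninitialised pointers to free(); walk the filled entries instead, `for (i = 0; i < count; i++) free(matches[i]);`, as remote_completion's cleanup already does. In remote_completion, when cli_list() finds nothing `info.count` stays at 1 and the else branch copies from `info.matches[1]`, which was never assigned; add `if (info.count < 2) goto cleanup;` before the `info.count == 2` test (the strdup() in that branch is also unchecked). The `%*s` in the snprintf() building `dirmask` is a minimum field width, so the whole of `text` is appended rather than the `i+1`-byte directory part that the strncpy() just above copies; presumably `%.*s` with `i+1` was intended — please confirm. The `len >= PATH_MAX` bound does not protect `info.dirmask`: if pstring is shorter than PATH_MAX on the platform, `strncpy(info.dirmask, text, i+1)` can overrun it, so the bound should be `sizeof(info.dirmask)`.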
@@ -2497,6 +2497,27 @@ AC_ARG_WITH(ldapsam, AC_MSG_RESULT(no) ) +################################################# +# check for IDMAP + +AC_DEFINE(WITH_IDMAP,1, [Include IDMAP support]) + +AC_MSG_CHECKING(whether to use IDMAP only for [ug]id mapping) +AC_ARG_WITH(idmap, +[ --with-idmap Include experimental IDMAP support (default=yes)], +[ case "$withval" in + yes) + AC_MSG_RESULT(yes) + AC_DEFINE(WITH_IDMAP,1,[Whether to include experimental IDMAP support]) + ;; + no) + AC_MSG_RESULT(no) + AC_DEFINE(WITH_IDMAP,0,[Whether to include experimental IDMAP support]) + ;; + esac ], + AC_MSG_RESULT(yes) +) + ######################################################################################## ## ## END OF TESTS FOR SAM BACKENDS. diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c index b718f42f93..2b7a852688 100644 --- a/source3/groupdb/mapping.c +++ b/source3/groupdb/mapping.c 
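Review bot: `AC_DEFINE(WITH_IDMAP,1,...)` is issued unconditionally just before `AC_ARG_WITH(idmap,...)`, so `--without-idmap` produces two conflicting definitions of WITH_IDMAP (1, then 0) in the generated config header, and a value of 0 still satisfies any `#ifdef WITH_IDMAP` test in the sources. Drop the unconditional define, define the symbol only in the `yes` branch and the default action, and leave it undefined for `no`, so that `#ifdef` and `#if` agree. The AC_MSG_CHECKING text ("whether to use IDMAP only for [ug]id mapping") also does not describe the same decision as the help string ("Include experimental IDMAP support"); one of the two should be reworded.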
@@ -170,17 +170,17 @@ static BOOL default_group_mapping(void) /* Add the Wellknown groups */ - add_initial_entry(-1, "S-1-5-32-544", SID_NAME_ALIAS, "Administrators", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-545", SID_NAME_ALIAS, "Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-546", SID_NAME_ALIAS, "Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK); - add_initial_entry(-1, "S-1-5-32-547", SID_NAME_ALIAS, "Power Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK); + add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-548", SID_NAME_ALIAS, "Account Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-549", SID_NAME_ALIAS, "System Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-550", SID_NAME_ALIAS, "Print Operators", "", privilege_print_op, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-551", SID_NAME_ALIAS, "Backup Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, 
"S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", privilege_print_op, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-552", SID_NAME_ALIAS, "Replicators", "", privilege_none, PR_ACCESS_FROM_NETWORK); + add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", privilege_none, PR_ACCESS_FROM_NETWORK); /* Add the defaults domain groups */ @@ -763,7 +763,7 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue; - + dbuf = tdb_fetch(tdb, kbuf); if (!dbuf.dptr) continue; @@ -803,7 +803,7 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, free_privilege(set); continue; } - + if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) { DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map.nt_name)); free_privilege(set); @@ -838,6 +838,7 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, free_privilege(&(mapt[entries].priv_set)); entries++; + } *num_entries=entries; diff --git a/source3/include/auth.h b/source3/include/auth.h index 626b9f3ba0..eb80e3c5b4 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -75,6 +75,9 @@ typedef struct auth_usersupplied_info typedef struct auth_serversupplied_info { BOOL guest; + + uid_t uid; + gid_t gid; /* This groups info is needed for when we become_user() for this uid */ int n_groups; diff --git a/source3/include/debug.h b/source3/include/debug.h index d4f45539f4..70f9f7706d 100644 --- a/source3/include/debug.h +++ b/source3/include/debug.h @@ -88,6 +88,7 @@ extern int DEBUGLEVEL; #define DBGC_AUTH 10 #define DBGC_WINBIND 11 #define DBGC_VFS 12 +#define DBGC_IDMAP 13 /* So you can define DBGC_CLASS before including debug.h */ #ifndef DBGC_CLASS 
diff --git a/source3/include/idmap.h b/source3/include/idmap.h index 47114f5469..5d8e31a163 100644 --- a/source3/include/idmap.h +++ b/source3/include/idmap.h @@ -32,21 +32,15 @@ #define ID_NOMAP 0x10 #define ID_CACHE 0x20 -typedef union unid_t { - uid_t uid; - gid_t gid; -} unid_t; - -struct DOM_SID; /* Filled out by IDMAP backends */ struct idmap_methods { /* Called when backend is first loaded */ NTSTATUS (*init)(void); - NTSTATUS (*get_sid_from_id)(struct DOM_SID *sid, unid_t id, int id_type); - NTSTATUS (*get_id_from_sid)(unid_t *id, int *id_type, const struct DOM_SID *sid); - NTSTATUS (*set_mapping)(const struct DOM_SID *sid, unid_t id, int id_type); + NTSTATUS (*get_sid_from_id)(DOM_SID *sid, unid_t id, int id_type); + NTSTATUS (*get_id_from_sid)(unid_t *id, int *id_type, const DOM_SID *sid); + NTSTATUS (*set_mapping)(const DOM_SID *sid, unid_t id, int id_type); /* Called when backend is unloaded */ NTSTATUS (*close)(void); diff --git a/source3/include/includes.h b/source3/include/includes.h index c1b84c1d35..8de1395aca 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -767,23 +767,35 @@ extern int errno; #include "debugparse.h" #include "version.h" -#include "idmap.h" + #include "smb.h" -#include "smbw.h" + #include "nameserv.h" #include "secrets.h" #include "byteorder.h" +#include "privileges.h" + +#include "rpc_creds.h" + +#include "mapping.h" + +#include "passdb.h" + #include "ntdomain.h" +#include "rpc_misc.h" + +#include "rpc_secdes.h" + +#include "nt_printing.h" + #include "msdfs.h" #include "smbprofile.h" -#include "mapping.h" - #include "rap.h" #include "md5.h" @@ -793,7 +805,11 @@ extern int errno; #include "auth.h" -#include "passdb.h" +#include "idmap.h" + +#include "client.h" + +#include "smbw.h" #include "session.h" @@ -851,6 +867,8 @@ struct functable { struct printjob; +struct smb_ldap_privates; + /***** automatically generated prototypes *****/ #ifndef NO_PROTO_H #include "proto.h" 
@@ -898,7 +916,7 @@ struct printjob; #define MAP_FILE 0 #endif -#if (!defined(WITH_NISPLUS) && !defined(WITH_LDAP)) +#if (!defined(WITH_NISPLUS) && !defined(WITH_LDAP) && !defined(WITH_TDB_SAM)) #define USE_SMBPASS_DB 1 #endif diff --git a/source3/include/passdb.h b/source3/include/passdb.h index 06409aa34e..e14e250d34 100644 --- a/source3/include/passdb.h +++ b/source3/include/passdb.h @@ -3,6 +3,8 @@ passdb structures and parameters Copyright (C) Gerald Carter 2001 Copyright (C) Luke Kenneth Casson Leighton 1998 - 2000 + Copyright (C) Andrew Bartlett 2002 + Copyright (C) Simo Sorce 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -23,6 +25,149 @@ #define _PASSDB_H +/* + * bit flags representing initialized fields in SAM_ACCOUNT + */ +enum pdb_elements { + PDB_UNINIT, + PDB_SMBHOME, + PDB_PROFILE, + PDB_DRIVE, + PDB_LOGONSCRIPT, + PDB_LOGONTIME, + PDB_LOGOFFTIME, + PDB_KICKOFFTIME, + PDB_CANCHANGETIME, + PDB_MUSTCHANGETIME, + PDB_PLAINTEXT_PW, + PDB_USERNAME, + PDB_FULLNAME, + PDB_DOMAIN, + PDB_NTUSERNAME, + PDB_HOURSLEN, + PDB_LOGONDIVS, + PDB_USERSID, + PDB_GROUPSID, + PDB_ACCTCTRL, + PDB_PASSLASTSET, + PDB_UNIXHOMEDIR, + PDB_ACCTDESC, + PDB_WORKSTATIONS, + PDB_UNKNOWNSTR, + PDB_MUNGEDDIAL, + PDB_HOURS, + PDB_UNKNOWN3, + PDB_UNKNOWN5, + PDB_UNKNOWN6, + PDB_LMPASSWD, + PDB_NTPASSWD, + + /* this must be the last element */ + PDB_COUNT +}; + +enum pdb_group_elements { + PDB_GROUP_NAME, + PDB_GROUP_SID, + PDB_GROUP_SID_NAME_USE, + PDB_GROUP_MEMBERS, + + /* this must be the last element */ + PDB_GROUP_COUNT +}; + + +enum pdb_value_state { + PDB_DEFAULT=0, + PDB_SET, + PDB_CHANGED +}; + +#define IS_SAM_SET(x, flag) (pdb_get_init_flags(x, flag) == PDB_SET) +#define IS_SAM_CHANGED(x, flag) (pdb_get_init_flags(x, flag) == PDB_CHANGED) +#define IS_SAM_DEFAULT(x, flag) (pdb_get_init_flags(x, flag) == PDB_DEFAULT) + +typedef struct sam_passwd +{ + TALLOC_CTX *mem_ctx; + + void (*free_fn)(struct sam_passwd **); + + struct pdb_methods *methods; + + struct user_data { + /* initiailization flags */ + struct bitmap *change_flags; + struct bitmap *set_flags; + + time_t logon_time; /* logon time */ + time_t logoff_time; /* logoff time */ + time_t kickoff_time; /* kickoff time */ + time_t pass_last_set_time; /* password last set time */ + time_t pass_can_change_time; /* password can change time */ + time_t pass_must_change_time; /* password must change time */ + + const char * username; /* UNIX username string */ + const char * domain; /* Windows Domain name */ + const char * nt_username; /* Windows username string */ + const char * full_name; /* user's full name string */ + const char * unix_home_dir; /* 
UNIX home directory string */ + const char * home_dir; /* home directory string */ + const char * dir_drive; /* home directory drive string */ + const char * logon_script; /* logon script string */ + const char * profile_path; /* profile path string */ + const char * acct_desc ; /* user description string */ + const char * workstations; /* login from workstations string */ + const char * unknown_str ; /* don't know what this is, yet. */ + const char * munged_dial ; /* munged path name and dial-back tel number */ + + DOM_SID user_sid; /* Primary User SID */ + DOM_SID group_sid; /* Primary Group SID */ + + DATA_BLOB lm_pw; /* .data is Null if no password */ + DATA_BLOB nt_pw; /* .data is Null if no password */ + char* plaintext_pw; /* is Null if not available */ + + uint16 acct_ctrl; /* account info (ACB_xxxx bit-mask) */ + uint32 unknown_3; /* 0x00ff ffff */ + + uint16 logon_divs; /* 168 - number of hours in a week */ + uint32 hours_len; /* normally 21 bytes */ + uint8 hours[MAX_HOURS_LEN]; + + uint32 unknown_5; /* 0x0002 0000 */ + uint32 unknown_6; /* 0x0000 04ec */ + } private; + + /* Lets see if the remaining code can get the hint that you + are meant to use the pdb_...() functions. */ + +} SAM_ACCOUNT; + +typedef struct sam_group { + TALLOC_CTX *mem_ctx; + + void (*free_fn)(struct sam_group **); + + struct pdb_methods *methods; + + struct group_data { + /* initiailization flags */ + struct bitmap *change_flags; + struct bitmap *set_flags; + + const char *name; /* Windows group name string */ + + DOM_SID sid; /* Group SID */ + enum SID_NAME_USE sid_name_use; /* Group type */ + + uint32 mem_num; /* Number of member SIDs */ + DOM_SID *members; /* SID array */ + } private; + +} SAM_GROUP; + + /***************************************************************** Functions to be implemented by the new (v2) passdb API ****************************************************************/ 
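Review bot: The relocated SAM_ACCOUNT definition and the new SAM_GROUP both carry the comment `/* initiailization flags */`; correct the spelling to `/* initialization flags */` while the block is being moved. SAM_GROUP's `members` has no ownership comment: `/* SID array */` should say whether the array is allocated from `mem_ctx` (and so released with the group) or owned by the caller, and `/* Number of member SIDs */` should be explicit that `mem_num` counts entries, since every pdb_ accessor will depend on that. Removing PDB_UID and PDB_GID from pdb_elements renumbers every later enumerator; whether the values are ever stored outside the process cannot be told from the header, so a note that the enum is in-memory only (or a check that no persisted format uses it) would be prudent.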
@@ -51,7 +196,7 @@ typedef struct pdb_context NTSTATUS (*pdb_getsampwnam)(struct pdb_context *, SAM_ACCOUNT *sam_acct, const char *username); NTSTATUS (*pdb_getsampwsid)(struct pdb_context *, SAM_ACCOUNT *sam_acct, const DOM_SID *sid); - + NTSTATUS (*pdb_add_sam_account)(struct pdb_context *, SAM_ACCOUNT *sampass); NTSTATUS (*pdb_update_sam_account)(struct pdb_context *, SAM_ACCOUNT *sampass); @@ -104,7 +249,7 @@ typedef struct pdb_methods NTSTATUS (*getsampwnam)(struct pdb_methods *, SAM_ACCOUNT *sam_acct, const char *username); - NTSTATUS (*getsampwsid)(struct pdb_methods *, SAM_ACCOUNT *sam_acct, const DOM_SID *Sid); + NTSTATUS (*getsampwsid)(struct pdb_methods *, SAM_ACCOUNT *sam_acct, const DOM_SID *sid); NTSTATUS (*add_sam_account)(struct pdb_methods *, SAM_ACCOUNT *sampass); diff --git a/source3/include/rpc_lsa.h b/source3/include/rpc_lsa.h index 33dde6e3cb..135fd76d6c 100644 --- a/source3/include/rpc_lsa.h +++ b/source3/include/rpc_lsa.h @@ -647,26 +647,6 @@ typedef struct lsa_q_enumprivsaccount POLICY_HND pol; /* policy handle */ } LSA_Q_ENUMPRIVSACCOUNT; - -typedef struct LUID -{ - uint32 low; - uint32 high; -} LUID; - -typedef struct LUID_ATTR -{ - LUID luid; - uint32 attr; -} LUID_ATTR ; - -typedef struct privilege_set -{ - uint32 count; - uint32 control; - LUID_ATTR *set; -} PRIVILEGE_SET; - typedef struct lsa_r_enumprivsaccount { uint32 ptr; diff --git a/source3/include/rpc_misc.h b/source3/include/rpc_misc.h index d04a84d508..a0572a0bfd 100644 --- a/source3/include/rpc_misc.h +++ b/source3/include/rpc_misc.h @@ -227,6 +227,22 @@ typedef struct UNISTR2_ARRAY_EL *strings; } UNISTR2_ARRAY; + +/* an element in a sid array */ +typedef struct +{ + uint32 ref_id; + DOM_SID2 sid; +} SID_ARRAY_EL; + +/* an array of sids */ +typedef struct +{ + uint32 ref_id; + uint32 count; + SID_ARRAY_EL *sids; +} SID_ARRAY; + /* DOM_RID2 - domain RID structure for ntlsa pipe */ typedef struct domrid2_info { 
diff --git a/source3/include/smb.h b/source3/include/smb.h index bba5d5cd52..4dacf79a13 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -155,6 +155,11 @@ typedef int BOOL; #include "doserr.h" +typedef union unid_t { + uid_t uid; + gid_t gid; +} unid_t; + /* * SMB UCS2 (16-bit unicode) internal type. */ @@ -260,7 +265,7 @@ enum SID_NAME_USE * * @sa http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/accctrl_38yn.asp **/ -typedef struct DOM_SID +typedef struct sid_info { uint8 sid_rev_num; /**< SID revision number */ uint8 num_auths; /**< Number of sub-authorities */ 
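Review bot: Renaming the tag from `struct DOM_SID` to `struct sid_info` in smb.h silently turns any remaining `struct DOM_SID` forward declaration or parameter elsewhere in the tree into an unrelated incomplete type, and the compiler reports that only at the point of use, not at the declaration. The `struct DOM_SID;` removed from idmap.h in this commit suggests the other occurrences were searched for, but that is not visible here. A one-line comment at the typedef — `/* tag is sid_info; always refer to this type as DOM_SID, never as struct DOM_SID */` — would record the intent for future headers.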
@@ -582,122 +587,6 @@ typedef struct { #define LM_HASH_LEN 16 /* - * bit flags representing initialized fields in SAM_ACCOUNT - */ -enum pdb_elements { - PDB_UNINIT, - PDB_UID, - PDB_GID, - PDB_SMBHOME, - PDB_PROFILE, - PDB_DRIVE, - PDB_LOGONSCRIPT, - PDB_LOGONTIME, - PDB_LOGOFFTIME, - PDB_KICKOFFTIME, - PDB_CANCHANGETIME, - PDB_MUSTCHANGETIME, - PDB_PLAINTEXT_PW, - PDB_USERNAME, - PDB_FULLNAME, - PDB_DOMAIN, - PDB_NTUSERNAME, - PDB_HOURSLEN, - PDB_LOGONDIVS, - PDB_USERSID, - PDB_GROUPSID, - PDB_ACCTCTRL, - PDB_PASSLASTSET, - PDB_UNIXHOMEDIR, - PDB_ACCTDESC, - PDB_WORKSTATIONS, - PDB_UNKNOWNSTR, - PDB_MUNGEDDIAL, - PDB_HOURS, - PDB_UNKNOWN3, - PDB_UNKNOWN5, - PDB_UNKNOWN6, - PDB_LMPASSWD, - PDB_NTPASSWD, - - /* this must be the last element */ - PDB_COUNT -}; - -enum pdb_value_state { - PDB_DEFAULT=0, - PDB_SET, - PDB_CHANGED -}; - -#define IS_SAM_UNIX_USER(x) \ - (( pdb_get_init_flags(x, PDB_UID) != PDB_DEFAULT ) \ - && ( pdb_get_init_flags(x,PDB_GID) != PDB_DEFAULT )) - -#define IS_SAM_SET(x, flag) (pdb_get_init_flags(x, flag) == PDB_SET) -#define IS_SAM_CHANGED(x, flag) (pdb_get_init_flags(x, flag) == PDB_CHANGED) -#define IS_SAM_DEFAULT(x, flag) (pdb_get_init_flags(x, flag) == PDB_DEFAULT) - -typedef struct sam_passwd -{ - TALLOC_CTX *mem_ctx; - - void (*free_fn)(struct sam_passwd **); - - struct pdb_methods *methods; - - struct user_data { - /* initiailization flags */ - struct bitmap *change_flags; - struct bitmap *set_flags; - - time_t logon_time; /* logon time */ - time_t logoff_time; /* logoff time */ - time_t kickoff_time; /* kickoff time */ - time_t pass_last_set_time; /* password last set time */ - time_t pass_can_change_time; /* password can change time */ - time_t pass_must_change_time; /* password must change time */ - - const char * username; /* UNIX username string */ - const char * domain; /* Windows Domain name */ - const char * nt_username; /* Windows username string */ - const char * full_name; /* user's full name string */ - const char * 
unix_home_dir; /* UNIX home directory string */ - const char * home_dir; /* home directory string */ - const char * dir_drive; /* home directory drive string */ - const char * logon_script; /* logon script string */ - const char * profile_path; /* profile path string */ - const char * acct_desc ; /* user description string */ - const char * workstations; /* login from workstations string */ - const char * unknown_str ; /* don't know what this is, yet. */ - const char * munged_dial ; /* munged path name and dial-back tel number */ - - uid_t uid; /* this is a unix uid_t */ - gid_t gid; /* this is a unix gid_t */ - DOM_SID user_sid; /* Primary User SID */ - DOM_SID group_sid; /* Primary Group SID */ - - DATA_BLOB lm_pw; /* .data is Null if no password */ - DATA_BLOB nt_pw; /* .data is Null if no password */ - char* plaintext_pw; /* is Null if not available */ - - uint16 acct_ctrl; /* account info (ACB_xxxx bit-mask) */ - uint32 unknown_3; /* 0x00ff ffff */ - - uint16 logon_divs; /* 168 - number of hours in a week */ - uint32 hours_len; /* normally 21 bytes */ - uint8 hours[MAX_HOURS_LEN]; - - uint32 unknown_5; /* 0x0002 0000 */ - uint32 unknown_6; /* 0x0000 04ec */ - } private; - - /* Lets see if the remaining code can get the hint that you - are meant to use the pdb_...() functions. */ - -} SAM_ACCOUNT; - -/* * Flags for account policy. */ #define AP_MIN_PASSWORD_LEN 1 @@ -1628,11 +1517,6 @@ struct pwd_info uchar sess_key[16]; }; -#include "rpc_creds.h" -#include "rpc_misc.h" -#include "rpc_secdes.h" -#include "nt_printing.h" - typedef struct user_struct { struct user_struct *next, *prev; @@ -1672,9 +1556,11 @@ struct unix_error_map { NTSTATUS nt_error; }; +/* #include "ntdomain.h" #include "client.h" +*/ /* * Size of new password account encoding string. This is enough space to diff --git a/source3/lib/debug.c b/source3/lib/debug.c index dc675037a0..fdbd54fafb 100644 --- a/source3/lib/debug.c +++ b/source3/lib/debug.c 
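Review bot: The `#include "ntdomain.h"` and `#include "client.h"` lines in the last hunk are wrapped in a block comment instead of being removed, which leaves commented-out code in a central header that every translation unit sees. The hunk just above deletes the `rpc_creds.h`/`rpc_misc.h`/`rpc_secdes.h`/`nt_printing.h` includes outright, so the two styles are inconsistent. If the includes are meant to go, delete the four lines; if they are only being moved, a one-line comment naming where they now live (`/* ntdomain.h and client.h are now included by <place> */`) says more than the commented block does.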
@@ -154,6 +154,7 @@ static const char *default_classname_table[] = { "auth", /* DBGC_AUTH */ "winbind", /* DBGC_WINBIND */ "vfs", /* DBGC_VFS */ + "idmap", /* DBGC_IDMAP */ NULL }; diff --git a/source3/lib/readline.c b/source3/lib/readline.c index 8b90c32c7f..ceb02ef749 100644 --- a/source3/lib/readline.c +++ b/source3/lib/readline.c @@ -116,6 +116,29 @@ char *smb_readline(char *prompt, void (*callback)(void), } /**************************************************************************** + * return line buffer text + ****************************************************************************/ +const char *smb_readline_get_line_buffer(void) +{ +#if defined(HAVE_LIBREADLINE) + return rl_line_buffer; +#else + return NULL; +#endif +} + + +/**************************************************************************** + * set completion append character + ***************************************************************************/ +void smb_readline_ca_char(char c) +{ +#if defined(HAVE_LIBREADLINE) + rl_completion_append_character = c; +#endif +} + +/**************************************************************************** history ****************************************************************************/ int cmd_history(void) @@ -135,3 +158,4 @@ int cmd_history(void) return 0; } + diff --git a/source3/lib/snprintf.c b/source3/lib/snprintf.c index 02cf782520..4aef82c7d8 100644 --- a/source3/lib/snprintf.c +++ b/source3/lib/snprintf.c @@ -83,6 +83,12 @@ * Remove NO_CONFIG_H so that the test case can be built within a source * tree with less trouble. * Remove unnecessary SAFE_FREE() definition. + * + * Martin Pool (mbp@samba.org) May 2003 + * Put in a prototype for dummy_snprintf() to quiet compiler warnings. + * + * Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even + * if the C library has some snprintf functions already. **************************************************************/ #ifndef NO_CONFIG_H 
@@ -123,8 +129,9 @@ /* only include stdio.h if we are not re-defining snprintf or vsnprintf */ #include <stdio.h> /* make the compiler happy with an empty file */ + void dummy_snprintf(void); void dummy_snprintf(void) {} -#else +#endif /* HAVE_SNPRINTF, etc */ #ifdef HAVE_LONG_DOUBLE #define LDOUBLE long double @@ -144,7 +151,6 @@ #else #define VA_COPY(dest, src) (dest) = (src) #endif -#endif static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in); diff --git a/source3/lib/username.c b/source3/lib/username.c index b8f33494ee..d8f4ff80ed 100644 --- a/source3/lib/username.c +++ b/source3/lib/username.c @@ -339,7 +339,7 @@ static BOOL user_in_winbind_group_list(const char *user, const char *gname, BOOL goto err; } - if (!lp_winbind_gid(&gid_low, &gid_high)) { + if (!lp_idmap_gid(&gid_low, &gid_high)) { DEBUG(4, ("winbind gid range not configured, therefore %s cannot be a winbind group\n", gname)); goto err; } diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c index fb6f67625c..c7e45e5429 100644 --- a/source3/nsswitch/winbindd.c +++ b/source3/nsswitch/winbindd.c @@ -128,7 +128,6 @@ static void winbindd_status(void) static void print_winbindd_status(void) { winbindd_status(); - winbindd_idmap_status(); winbindd_cm_status(); } @@ -146,7 +145,7 @@ static void terminate(void) { pstring path; - winbindd_idmap_close(); + idmap_close(); /* Remove socket file */ snprintf(path, sizeof(path), "%s/%s", @@ -834,9 +833,12 @@ int main(int argc, char **argv) /* Winbind daemon initialisation */ - if (!winbindd_idmap_init()) + if (!idmap_init()) return 1; + if (!idmap_init_wellknown_sids()) + exit(1); + /* Unblock all signals we are interested in as they may have been blocked by the parent process. */ diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c index 5eabcfca20..dc40142a77 100644 --- a/source3/nsswitch/winbindd_cache.c +++ b/source3/nsswitch/winbindd_cache.c 
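Review bot: In winbindd's `main`, the new `idmap_init_wellknown_sids()` check calls `exit(1)` with no diagnostic, while the `idmap_init()` check directly above it returns 1; a daemon that dies silently at startup is hard to diagnose, and the two failure paths should not differ in mechanism. Suggest `if (!idmap_init_wellknown_sids()) { DEBUG(0, ("idmap_init_wellknown_sids failed\n")); return 1; }` so the failure is logged and the exit path matches its neighbour. The body of `main` continues outside the hunk, so whether anything between this point and the end relies on `return` rather than `exit` cannot be confirmed from here.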
@@ -100,7 +100,12 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain) ret = smb_xmalloc(sizeof(*ret)); ZERO_STRUCTP(ret); - switch (lp_security()) { + switch (lp_security()) { /* winbind pdc disabled until ready + if (!strcmp(domain->name, lp_workgroup()) && (lp_security() == SEC_USER)) { + extern struct winbindd_methods passdb_methods; + ret->backend = &passdb_methods; + + } else switch (lp_security()) { */ #ifdef HAVE_ADS case SEC_ADS: { extern struct winbindd_methods ads_methods; diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c index b3ded2a2f4..14ebb78466 100644 --- a/source3/nsswitch/winbindd_group.c +++ b/source3/nsswitch/winbindd_group.c @@ -193,8 +193,8 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state) enum SID_NAME_USE name_type; fstring name_domain, name_group; char *tmp, *gr_mem; - gid_t gid; int gr_mem_len; + gid_t gid; /* Ensure null termination */ state->request.data.groupname[sizeof(state->request.data.groupname)-1]='\0'; @@ -210,11 +210,6 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state) if (!parse_domain_user(tmp, name_domain, name_group)) return WINBINDD_ERROR; - /* fail if we are a PDC and this is our domain; should be done by passdb */ - - if ( lp_server_role() == ROLE_DOMAIN_PDC && 0==StrCaseCmp( domain->name, lp_workgroup()) ) - return WINBINDD_ERROR; - /* Get info for the domain */ if ((domain = find_domain_from_name(name_domain)) == NULL) { @@ -238,7 +233,7 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state) return WINBINDD_ERROR; } - if (!winbindd_idmap_get_gid_from_sid(&group_sid, &gid)) { + if (NT_STATUS_IS_ERR(sid_to_gid(&group_sid, &gid))) { DEBUG(1, ("error converting unix gid to sid\n")); return WINBINDD_ERROR; } 
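Review bot: In `get_cache`, the disabled passdb-backend selection is parked as a block comment that opens on the same line as the live `switch (lp_security()) {` and closes five lines later, so the comment text contains an `extern` declaration and an `} else switch` that will drift from the real code while never being compiled. Commented-out code of this shape is easy to misread as active and tends to be reactivated unchanged later. Either drop it or guard it with a real `#if 0 /* winbind pdc disabled until ready */ ... #endif` block placed before the `switch`, so the intent is explicit and the compiler still sees a syntactically complete block when it is enabled.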
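Review bot: `winbindd_getgrnam` now treats `sid_to_gid` as having succeeded whenever `NT_STATUS_IS_ERR` is false; if that macro tests only the error-severity bits, as its name suggests, a non-OK status of warning or informational severity would fall through and `gid` would be used without having been set. The safe idiom is the one already used elsewhere in this series, `if (!NT_STATUS_IS_OK(sid_to_gid(&group_sid, &gid))) {`, which accepts exactly NT_STATUS_OK. The same pattern appears in every converted call site in winbindd_group.c, winbindd_sid.c, winbindd_user.c, pam_smbpass/pam_smb_passwd.c, pam_smbpass/support.c and in `pdb_fill_sam_pw` in passdb.c, so a single decision on the check should be applied across all of them.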
@@ -283,8 +278,7 @@ enum winbindd_result winbindd_getgrgid(struct winbindd_cli_state *state) return WINBINDD_ERROR; /* Get rid from gid */ - - if (!winbindd_idmap_get_sid_from_gid(state->request.data.gid, &group_sid)) { + if (NT_STATUS_IS_ERR(uid_to_sid(&group_sid, state->request.data.gid))) { DEBUG(1, ("could not convert gid %d to rid\n", state->request.data.gid)); return WINBINDD_ERROR; @@ -410,9 +404,6 @@ static BOOL get_sam_group_entries(struct getent_state *ent) if (ent->got_sam_entries) return False; - - if ( lp_server_role() == ROLE_DOMAIN_PDC && 0==StrCaseCmp(lp_workgroup(), ent->domain_name)) - return False; if (!(mem_ctx = talloc_init("get_sam_group_entries(%s)", ent->domain_name))) { @@ -598,9 +589,7 @@ enum winbindd_result winbindd_getgrent(struct winbindd_cli_state *state) sid_copy(&group_sid, &domain->sid); sid_append_rid(&group_sid, name_list[ent->sam_entry_index].rid); - if (!winbindd_idmap_get_gid_from_sid( - &group_sid, - &group_gid)) { + if (NT_STATUS_IS_ERR(sid_to_gid(&group_sid, &group_gid))) { DEBUG(1, ("could not look up gid for group %s\n", name_list[ent->sam_entry_index].acct_name)); @@ -749,11 +738,6 @@ enum winbindd_result winbindd_list_groups(struct winbindd_cli_state *state) for (domain = domain_list(); domain; domain = domain->next) { struct getent_state groups; - - /* fail if we are a PDC and this is our domain; should be done by passdb */ - - if ( lp_server_role() == ROLE_DOMAIN_PDC && 0==StrCaseCmp( domain->name, lp_workgroup()) ) - continue; ZERO_STRUCT(groups); @@ -846,11 +830,6 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state) name_user)) goto done; - /* fail if we are a PDC and this is our domain; should be done by passdb */ - - if ( lp_server_role() == ROLE_DOMAIN_PDC && 0==StrCaseCmp( name_domain, lp_workgroup()) ) - return WINBINDD_ERROR; - /* Get info for the domain */ if ((domain = find_domain_from_name(name_domain)) == NULL) { 
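Review bot: `winbindd_getgrgid` converts `state->request.data.gid` with `uid_to_sid`, so a group id is looked up through the uid mapping; the line it replaces called the gid variant, and `winbindd_gid_to_sid` in winbindd_sid.c uses `gid_to_sid` for the same job. If the uid and gid ranges overlap, this returns the SID of whichever user shares the number rather than the group's SID, which is an authorization-relevant mis-mapping rather than just a lookup failure. The fix is the one-line change `if (NT_STATUS_IS_ERR(gid_to_sid(&group_sid, state->request.data.gid))) {`; the accompanying message still says "convert gid %d to rid" although the call now produces a SID.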
@@ -887,16 +866,16 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state) goto done; for (i = 0; i < num_groups; i++) { - if (!winbindd_idmap_get_gid_from_sid( - user_gids[i], - &gid_list[num_gids])) { + gid_t gid; + + if (NT_STATUS_IS_ERR(sid_to_gid(user_gids[i], &gid))) { fstring sid_string; DEBUG(1, ("unable to convert group sid %s to gid\n", sid_to_string(sid_string, user_gids[i]))); continue; } - + gid_list[num_gids] = gid; num_gids++; } diff --git a/source3/nsswitch/winbindd_sid.c b/source3/nsswitch/winbindd_sid.c index 41bda7e5bc..f5dd904dc1 100644 --- a/source3/nsswitch/winbindd_sid.c +++ b/source3/nsswitch/winbindd_sid.c @@ -98,11 +98,6 @@ enum winbindd_result winbindd_lookupname(struct winbindd_cli_state *state) name_domain = state->request.data.name.dom_name; name_user = state->request.data.name.name; - /* fail if we are a PDC and this is our domain; should be done by passdb */ - - if ( lp_server_role() == ROLE_DOMAIN_PDC && 0==StrCaseCmp( name_domain, lp_workgroup()) ) - return WINBINDD_ERROR; - if ((domain = find_domain_from_name(name_domain)) == NULL) { DEBUG(0, ("could not find domain entry for domain %s\n", name_domain)); @@ -142,7 +137,7 @@ enum winbindd_result winbindd_sid_to_uid(struct winbindd_cli_state *state) } /* Find uid for this sid and return it */ - if (!winbindd_idmap_get_uid_from_sid(&sid, &state->response.data.uid)) { + if (NT_STATUS_IS_ERR(sid_to_uid(&sid, &(state->response.data.uid)))) { DEBUG(1, ("Could not get uid for sid %s\n", state->request.data.sid)); return WINBINDD_ERROR; @@ -171,7 +166,7 @@ enum winbindd_result winbindd_sid_to_gid(struct winbindd_cli_state *state) } /* Find gid for this sid and return it */ - if (!winbindd_idmap_get_gid_from_sid(&sid, &state->response.data.gid)) { + if (NT_STATUS_IS_ERR(sid_to_gid(&sid, &(state->response.data.gid)))) { DEBUG(1, ("Could not get gid for sid %s\n", state->request.data.sid)); return WINBINDD_ERROR; 
@@ -197,7 +192,7 @@ enum winbindd_result winbindd_uid_to_sid(struct winbindd_cli_state *state) state->request.data.uid)); /* Lookup rid for this uid */ - if (!winbindd_idmap_get_sid_from_uid(state->request.data.uid, &sid)) { + if (NT_STATUS_IS_ERR(uid_to_sid(&sid, state->request.data.uid))) { DEBUG(1, ("Could not convert uid %d to rid\n", state->request.data.uid)); return WINBINDD_ERROR; @@ -226,7 +221,7 @@ enum winbindd_result winbindd_gid_to_sid(struct winbindd_cli_state *state) state->request.data.gid)); /* Lookup sid for this uid */ - if (!winbindd_idmap_get_sid_from_gid(state->request.data.gid, &sid)) { + if (NT_STATUS_IS_ERR(gid_to_sid(&sid, state->request.data.gid))) { DEBUG(1, ("Could not convert gid %d to sid\n", state->request.data.gid)); return WINBINDD_ERROR; diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c index d2bd231918..dc07bc42e7 100644 --- a/source3/nsswitch/winbindd_user.c +++ b/source3/nsswitch/winbindd_user.c @@ -41,17 +41,15 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name, return False; /* Resolve the uid number */ - - if (!winbindd_idmap_get_uid_from_sid(user_sid, - &pw->pw_uid)) { + + if (NT_STATUS_IS_ERR(sid_to_uid(user_sid, &(pw->pw_uid)))) { DEBUG(1, ("error getting user id for sid %s\n", sid_to_string(sid_string, user_sid))); return False; } /* Resolve the gid number */ - - if (!winbindd_idmap_get_gid_from_sid(group_sid, - &pw->pw_gid)) { + + if (NT_STATUS_IS_ERR(sid_to_gid(group_sid, &(pw->pw_gid)))) { DEBUG(1, ("error getting group id for sid %s\n", sid_to_string(sid_string, group_sid))); return False; } @@ -178,9 +176,9 @@ enum winbindd_result winbindd_getpwuid(struct winbindd_cli_state *state) fstring user_name; enum SID_NAME_USE name_type; WINBIND_USERINFO user_info; - gid_t gid; TALLOC_CTX *mem_ctx; NTSTATUS status; + gid_t gid; /* Bug out if the uid isn't in the winbind range */ 
@@ -193,8 +191,7 @@ enum winbindd_result winbindd_getpwuid(struct winbindd_cli_state *state) /* Get rid from uid */ - if (!winbindd_idmap_get_sid_from_uid(state->request.data.uid, - &user_sid)) { + if (NT_STATUS_IS_ERR(uid_to_sid(&user_sid, state->request.data.uid))) { DEBUG(1, ("could not convert uid %d to SID\n", state->request.data.uid)); return WINBINDD_ERROR; @@ -236,9 +233,9 @@ enum winbindd_result winbindd_getpwuid(struct winbindd_cli_state *state) return WINBINDD_ERROR; } - /* Resolve gid number */ + /* Check group has a gid number */ - if (!winbindd_idmap_get_gid_from_sid(user_info.group_sid, &gid)) { + if (NT_STATUS_IS_ERR(sid_to_gid(user_info.group_sid, &gid))) { DEBUG(1, ("error getting group id for user %s\n", user_name)); talloc_destroy(mem_ctx); return WINBINDD_ERROR; diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index ef030e2c7b..ac0b317b42 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -126,7 +126,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const /* see if this is a native mode win2k domain, but only for our own domain */ - if ( lp_server_role() != ROLE_DOMAIN_PDC && strequal( lp_workgroup(), domain_name) ) { + if ( strequal( lp_workgroup(), domain_name) ) { domain->native_mode = cm_check_for_native_mode_win2k( domain_name ); DEBUG(3,("add_trusted_domain: %s is a %s mode domain\n", domain_name, domain->native_mode ? "native" : "mixed" )); @@ -211,7 +211,6 @@ BOOL init_domain_list(void) /* Add ourselves as the first entry */ domain = add_trusted_domain(lp_workgroup(), NULL, &cache_methods, NULL); - if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) { DEBUG(1, ("Could not fetch sid for our domain %s\n", domain->name)); @@ -220,7 +219,7 @@ BOOL init_domain_list(void) /* get any alternate name for the primary domain */ cache_methods.alternate_name(domain); - + /* do an initial scan for trusted domains */ rescan_trusted_domains(True); 
@@ -381,12 +380,12 @@ BOOL winbindd_param_init(void) { /* Parse winbind uid and winbind_gid parameters */ - if (!lp_winbind_uid(&server_state.uid_low, &server_state.uid_high)) { + if (!lp_idmap_uid(&server_state.uid_low, &server_state.uid_high)) { DEBUG(0, ("winbind uid range missing or invalid\n")); return False; } - if (!lp_winbind_gid(&server_state.gid_low, &server_state.gid_high)) { + if (!lp_idmap_gid(&server_state.gid_low, &server_state.gid_high)) { DEBUG(0, ("winbind gid range missing or invalid\n")); return False; } diff --git a/source3/pam_smbpass/pam_smb_passwd.c b/source3/pam_smbpass/pam_smb_passwd.c index 9e75efccf4..78b89c60b7 100644 --- a/source3/pam_smbpass/pam_smb_passwd.c +++ b/source3/pam_smbpass/pam_smb_passwd.c @@ -295,14 +295,21 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, retval = smb_update_db(pamh, ctrl, user, pass_new); if (retval == PAM_SUCCESS) { + uid_t uid; + /* password updated */ - _log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)" - , user, pdb_get_uid(sampass), uidtoname( getuid() ) - , getuid() ); - } else { - _log_err( LOG_ERR, "password change failed for user %s" - , user ); - } + if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid))) { + _log_err( LOG_NOTICE, "Unable to get uid for user %s", + pdb_get_username(sampass)); + _log_err( LOG_NOTICE, "password for (%s) changed by (%s/%d)", + user, uidtoname(getuid()), getuid()); + } else { + _log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)", + user, uid, uidtoname(getuid()), getuid()); + } + } else { + _log_err( LOG_ERR, "password change failed for user %s", user); + } pass_old = pass_new = NULL; if (sampass) { diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 11de306d13..62cc866fae 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c 
@@ -308,7 +308,6 @@ void _cleanup_failures( pam_handle_t * pamh, void *fl, int err ) int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, const char *p, unsigned int ctrl ) { - uchar hash_pass[16]; uchar lm_pw[16]; uchar nt_pw[16]; int retval = PAM_AUTH_ERR; @@ -339,11 +338,8 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, const char *service; pam_get_item( pamh, PAM_SERVICE, (const void **)&service ); - _log_err( LOG_NOTICE - , "failed auth request by %s for service %s as %s(%d)" - , uidtoname( getuid() ) - , service ? service : "**unknown**", name - , pdb_get_uid(sampass) ); + _log_err( LOG_NOTICE, "failed auth request by %s for service %s as %s", + uidtoname(getuid()), service ? service : "**unknown**", name); return PAM_AUTH_ERR; } } 
@@ -397,32 +393,34 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, retval = PAM_MAXTRIES; } } else { - _log_err( LOG_NOTICE - , "failed auth request by %s for service %s as %s(%d)" - , uidtoname( getuid() ) - , service ? service : "**unknown**", name - , pdb_get_uid(sampass) ); + _log_err(LOG_NOTICE, + "failed auth request by %s for service %s as %s", + uidtoname(getuid()), + service ? service : "**unknown**", name); new->count = 1; } + if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &(new->id)))) { + _log_err(LOG_NOTICE, + "failed auth request by %s for service %s as %s", + uidtoname(getuid()), + service ? service : "**unknown**", name); + } new->user = smbpXstrDup( name ); - new->id = pdb_get_uid(sampass); new->agent = smbpXstrDup( uidtoname( getuid() ) ); pam_set_data( pamh, data_name, new, _cleanup_failures ); } else { _log_err( LOG_CRIT, "no memory for failure recorder" ); - _log_err( LOG_NOTICE - , "failed auth request by %s for service %s as %s(%d)" - , uidtoname( getuid() ) - , service ? service : "**unknown**", name - , pdb_get_uid(sampass) ); + _log_err(LOG_NOTICE, + "failed auth request by %s for service %s as %s(%d)", + uidtoname(getuid()), + service ? service : "**unknown**", name); } } else { - _log_err( LOG_NOTICE - , "failed auth request by %s for service %s as %s(%d)" - , uidtoname( getuid() ) - , service ? service : "**unknown**", name - , pdb_get_uid(sampass) ); + _log_err(LOG_NOTICE, + "failed auth request by %s for service %s as %s(%d)", + uidtoname(getuid()), + service ? service : "**unknown**", name); retval = PAM_AUTH_ERR; } } diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 45c95d1258..5740ce1b70 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c 
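Review bot: Two of the rewritten `_log_err` calls in `_smb_verify_password` (the "no memory for failure recorder" branch and the final `else`) keep the old format `"failed auth request by %s for service %s as %s(%d)"` but now pass only three arguments, so the `%d` reads a missing vararg; the other two calls in the hunk correctly dropped the `(%d)`. Change both to `"failed auth request by %s for service %s as %s",` to match. Separately, when the new `sid_to_uid(pdb_get_user_sid(sampass), &(new->id))` call fails the code logs the generic "failed auth request" line and carries on with `new->id` untouched; `new` is allocated above the hunk, so whether that field is zeroed cannot be seen here, and a message that actually names the uid lookup failure (e.g. `"no uid for user %s, failure record incomplete"`) would make the log useful.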
@@ -8,6 +8,7 @@ Copyright (C) Simo Sorce 2001 Copyright (C) Alexander Bokovoy 2002 Copyright (C) Stefan (metze) Metzmacher 2002 + Copyright (C) Anthony Liguori 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -163,10 +164,11 @@ typedef struct BOOL bUtmp; #endif char *szSourceEnv; - char *szWinbindUID; - char *szWinbindGID; + char *szIdmapUID; + char *szIdmapGID; + BOOL *bIdmapOnly; char *szNonUnixAccountRange; - BOOL bAlgorithmicRidBase; + int AlgorithmicRidBase; char *szTemplateHomedir; char *szTemplateShell; char *szWinbindSeparator; @@ -174,6 +176,7 @@ typedef struct BOOL bWinbindEnumGroups; BOOL bWinbindUseDefaultDomain; char *szWinbindBackend; + char *szIdmapBackend; char *szAddShareCommand; char *szChangeShareCommand; char *szDeleteShareCommand; @@ -550,8 +553,8 @@ static BOOL handle_include(const char *pszParmValue, char **ptr); static BOOL handle_copy(const char *pszParmValue, char **ptr); static BOOL handle_source_env(const char *pszParmValue, char **ptr); static BOOL handle_netbios_name(const char *pszParmValue, char **ptr); -static BOOL handle_winbind_uid(const char *pszParmValue, char **ptr); -static BOOL handle_winbind_gid(const char *pszParmValue, char **ptr); +static BOOL handle_idmap_uid(const char *pszParmValue, char **ptr); +static BOOL handle_idmap_gid(const char *pszParmValue, char **ptr); static BOOL handle_debug_list( const char *pszParmValue, char **ptr ); static BOOL handle_workgroup( const char *pszParmValue, char **ptr ); static BOOL handle_netbios_aliases( const char *pszParmValue, char **ptr ); 
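Review bot: The new Globals field is declared `BOOL *bIdmapOnly;`, a pointer, but the later hunks register `&Globals.bIdmapOnly` as a `P_BOOL` parameter, assign it `False` in `init_globals`, and expose it through `FN_GLOBAL_BOOL(lp_idmap_only, ...)`; all three treat it as a plain `BOOL`, so a boolean is being stored into and read out of pointer-sized storage. This should be `BOOL bIdmapOnly;`. In the same struct hunk `char *szWinbindBackend;` is kept even though its parm_table entry, default and `lp_winbind_backend` accessor are removed further down, so the field is now dead and could be dropped or noted as such.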
@@ -759,7 +762,7 @@ static struct parm_struct parm_table[] = { {"smb passwd file", P_STRING, P_GLOBAL, &Globals.szSMBPasswdFile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"private dir", P_STRING, P_GLOBAL, &Globals.szPrivateDir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"passdb backend", P_LIST, P_GLOBAL, &Globals.szPassdbBackend, NULL, NULL, FLAG_ADVANCED | FLAG_WIZARD | FLAG_DEVELOPER}, - {"algorithmic rid base", P_INTEGER, P_GLOBAL, &Globals.bAlgorithmicRidBase, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, + {"algorithmic rid base", P_INTEGER, P_GLOBAL, &Globals.AlgorithmicRidBase, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"root directory", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"root dir", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"root", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, FLAG_HIDE | FLAG_DEVELOPER}, 
@@ -1113,8 +1116,12 @@ static struct parm_struct parm_table[] = { {"Winbind options", P_SEP, P_SEPARATOR}, - {"winbind uid", P_STRING, P_GLOBAL, &Globals.szWinbindUID, handle_winbind_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, - {"winbind gid", P_STRING, P_GLOBAL, &Globals.szWinbindGID, handle_winbind_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, + {"idmap only", P_BOOL, P_GLOBAL, &Globals.bIdmapOnly, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, + {"idmap backend", P_STRING, P_GLOBAL, &Globals.szIdmapBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, + {"idmap uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, + {"winbind uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER | FLAG_HIDE}, + {"idmap gid", P_STRING, P_GLOBAL, &Globals.szIdmapGID, handle_idmap_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, + {"winbind gid", P_STRING, P_GLOBAL, &Globals.szIdmapGID, handle_idmap_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER | FLAG_HIDE}, {"template homedir", P_STRING, P_GLOBAL, &Globals.szTemplateHomedir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"template shell", P_STRING, P_GLOBAL, &Globals.szTemplateShell, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"winbind separator", P_STRING, P_GLOBAL, &Globals.szWinbindSeparator, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, @@ -1122,7 +1129,6 @@ static struct parm_struct parm_table[] = { {"winbind enum users", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumUsers, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"winbind enum groups", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumGroups, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"winbind use default domain", P_BOOL, P_GLOBAL, &Globals.bWinbindUseDefaultDomain, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, - {"winbind backend", P_STRING, P_GLOBAL, &Globals.szWinbindBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {NULL, P_BOOL, P_NONE, NULL, NULL, NULL, 0} }; 
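Review bot: The parm_table hunk keeps `"winbind uid"` and `"winbind gid"` as `FLAG_HIDE` aliases of the new idmap storage, but `"winbind backend"` is removed outright in the second hunk with no alias, so an existing smb.conf that sets it will hit whatever path loadparm takes for an unknown parameter (not visible here). If `idmap backend` is the renamed equivalent, a hidden alias in the same style, `{"winbind backend", P_STRING, P_GLOBAL, &Globals.szIdmapBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER | FLAG_HIDE},`, keeps old configurations working; if the semantics differ, a comment on the removal saying so would help the next reader.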
@@ -1311,7 +1317,7 @@ static void init_globals(void) string_set(&Globals.szNameResolveOrder, "lmhosts wins host bcast"); string_set(&Globals.szPasswordServer, "*"); - Globals.bAlgorithmicRidBase = BASE_RID; + Globals.AlgorithmicRidBase = BASE_RID; Globals.bLoadPrinters = True; Globals.mangled_stack = 50; @@ -1458,7 +1464,7 @@ static void init_globals(void) Globals.bWinbindEnumGroups = True; Globals.bWinbindUseDefaultDomain = False; - string_set(&Globals.szWinbindBackend, "tdb"); + Globals.bIdmapOnly = False; Globals.name_cache_timeout = 660; /* In seconds */ @@ -1636,7 +1642,9 @@ FN_GLOBAL_STRING(lp_acl_compatibility, &Globals.szAclCompat) FN_GLOBAL_BOOL(lp_winbind_enum_users, &Globals.bWinbindEnumUsers) FN_GLOBAL_BOOL(lp_winbind_enum_groups, &Globals.bWinbindEnumGroups) FN_GLOBAL_BOOL(lp_winbind_use_default_domain, &Globals.bWinbindUseDefaultDomain) -FN_GLOBAL_STRING(lp_winbind_backend, &Globals.szWinbindBackend) + +FN_GLOBAL_STRING(lp_idmap_backend, &Globals.szIdmapBackend) +FN_GLOBAL_BOOL(lp_idmap_only, &Globals.bIdmapOnly) #ifdef WITH_LDAP_SAMCONFIG FN_GLOBAL_STRING(lp_ldap_server, &Globals.szLdapServer) @@ -1847,7 +1855,7 @@ FN_LOCAL_INTEGER(lp_block_size, iBlock_size) FN_LOCAL_CHAR(lp_magicchar, magic_char) FN_GLOBAL_INTEGER(lp_winbind_cache_time, &Globals.winbind_cache_time) FN_GLOBAL_BOOL(lp_hide_local_users, &Globals.bHideLocalUsers) -FN_GLOBAL_BOOL(lp_algorithmic_rid_base, &Globals.bAlgorithmicRidBase) +FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase) FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout) FN_GLOBAL_BOOL(lp_client_signing, &Globals.client_signing) 
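Review bot: `init_globals` replaces `string_set(&Globals.szWinbindBackend, "tdb")` with `Globals.bIdmapOnly = False;` and sets no default for `szIdmapBackend`, so `lp_idmap_backend()` will return whatever the field holds when nothing is configured (presumably NULL from the zeroed Globals, though that initialisation is outside the hunk). The code that consumes the backend name is not on this page, so whether it copes with an empty value cannot be confirmed; if tdb remains the intended default, `string_set(&Globals.szIdmapBackend, "tdb");` next to the new line preserves the old behaviour. A one-line comment on `bIdmapOnly` stating what "only" restricts would also help, since the name alone does not say.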
@@ -2839,55 +2847,55 @@ static BOOL handle_copy(const char *pszParmValue, char **ptr) } /*************************************************************************** - Handle winbind uid and gid allocation parameters. The format of these + Handle idmap/non unix account uid and gid allocation parameters. The format of these parameters is: [global] - winbind uid = 1000-1999 - winbind gid = 700-899 + idmap uid = 1000-1999 + idmap gid = 700-899 We only do simple parsing checks here. The strings are parsed into useful - structures in the winbind daemon code. + structures in the idmap daemon code. ***************************************************************************/ -/* Some lp_ routines to return winbind [ug]id information */ +/* Some lp_ routines to return idmap [ug]id information */ -static uid_t winbind_uid_low, winbind_uid_high; -static gid_t winbind_gid_low, winbind_gid_high; +static uid_t idmap_uid_low, idmap_uid_high; +static gid_t idmap_gid_low, idmap_gid_high; -BOOL lp_winbind_uid(uid_t *low, uid_t *high) +BOOL lp_idmap_uid(uid_t *low, uid_t *high) { - if (winbind_uid_low == 0 || winbind_uid_high == 0) + if (idmap_uid_low == 0 || idmap_uid_high == 0) return False; if (low) - *low = winbind_uid_low; + *low = idmap_uid_low; if (high) - *high = winbind_uid_high; + *high = idmap_uid_high; return True; } -BOOL lp_winbind_gid(gid_t *low, gid_t *high) +BOOL lp_idmap_gid(gid_t *low, gid_t *high) { - if (winbind_gid_low == 0 || winbind_gid_high == 0) + if (idmap_gid_low == 0 || idmap_gid_high == 0) return False; if (low) - *low = winbind_gid_low; + *low = idmap_gid_low; if (high) - *high = winbind_gid_high; + *high = idmap_gid_high; return True; } -/* Do some simple checks on "winbind [ug]id" parameter values */ +/* Do some simple checks on "idmap [ug]id" parameter values */ -static BOOL handle_winbind_uid(const char *pszParmValue, char **ptr) +static BOOL handle_idmap_uid(const char *pszParmValue, char **ptr) { uint32 low, high; 
@@ -2898,13 +2906,13 @@ static BOOL handle_winbind_uid(const char *pszParmValue, char **ptr) string_set(ptr, pszParmValue); - winbind_uid_low = low; - winbind_uid_high = high; + idmap_uid_low = low; + idmap_uid_high = high; return True; } -static BOOL handle_winbind_gid(const char *pszParmValue, char **ptr) +static BOOL handle_idmap_gid(const char *pszParmValue, char **ptr) { uint32 low, high; @@ -2915,8 +2923,8 @@ static BOOL handle_winbind_gid(const char *pszParmValue, char **ptr) string_set(ptr, pszParmValue); - winbind_gid_low = low; - winbind_gid_high = high; + idmap_gid_low = low; + idmap_gid_high = high; return True; } @@ -3800,7 +3808,18 @@ static void set_server_role(void) DEBUG(0, ("Server's Role (logon server) conflicts with share-level security\n")); break; case SEC_SERVER: + if (lp_domain_logons()) + DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n")); + server_role = ROLE_DOMAIN_MEMBER; + break; case SEC_DOMAIN: + if (lp_domain_logons()) { + DEBUG(1, ("Server's Role (logon server) NOT ADVISED with domain-level security\n")); + server_role = ROLE_DOMAIN_BDC; + break; + } + server_role = ROLE_DOMAIN_MEMBER; + break; case SEC_ADS: if (lp_domain_logons()) { server_role = ROLE_DOMAIN_PDC; diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 3fef3ea745..d3554cdbde 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -5,6 +5,7 @@ Copyright (C) Luke Kenneth Casson Leighton 1996-1998 Copyright (C) Gerald (Jerry) Carter 2000-2001 Copyright (C) Andrew Bartlett 2001-2002 + Copyright (C) Simo Sorce 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
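Review bot: In `set_server_role`, `security = domain` together with `domain logons = yes` now yields `ROLE_DOMAIN_BDC` and is reported only at `DEBUG(1, ...)`, whereas the adjacent `SEC_SERVER` conflict is logged at level 0 and the removed fall-through reached the visible `SEC_ADS` case that assigns `ROLE_DOMAIN_PDC`. The role decides whether this host claims the domain, so a configuration that used to produce a PDC and now silently produces a BDC deserves the same level-0 visibility as its neighbours: `DEBUG(0, ("Server's Role (logon server) NOT ADVISED with domain-level security\n"));`. A short comment above the `SEC_DOMAIN` case explaining why BDC rather than PDC is chosen would document the policy that this hunk changes.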
@@ -34,11 +35,17 @@ const char *get_global_sam_name(void) return global_myname(); } +/* + * This is set on startup - it defines the SID for this + * machine, and therefore the SAM database for which it is + * responsible. + */ + /************************************************************ Fill the SAM_ACCOUNT with default values. ***********************************************************/ -static void pdb_fill_default_sam(SAM_ACCOUNT *user) +void pdb_fill_default_sam(SAM_ACCOUNT *user) { ZERO_STRUCT(user->private); /* Don't touch the talloc context */ @@ -48,8 +55,6 @@ static void pdb_fill_default_sam(SAM_ACCOUNT *user) /* Don't change these timestamp settings without a good reason. They are important for NT member server compatibility. */ - user->private.uid = user->private.gid = -1; - user->private.logon_time = (time_t)0; user->private.pass_last_set_time = (time_t)0; user->private.pass_can_change_time = (time_t)0; @@ -165,13 +170,7 @@ NTSTATUS pdb_init_sam(SAM_ACCOUNT **user) NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) { - GROUP_MAP map; - - const char *guest_account = lp_guestaccount(); - if (!(guest_account && *guest_account)) { - DEBUG(1, ("NULL guest account!?!?\n")); - return NT_STATUS_UNSUCCESSFUL; - } + NTSTATUS ret; if (!pwd) { return NT_STATUS_UNSUCCESSFUL; @@ -184,10 +183,7 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) pdb_set_unix_homedir(sam_account, pwd->pw_dir, PDB_SET); - pdb_set_domain (sam_account, get_global_sam_name(), PDB_DEFAULT); - - pdb_set_uid(sam_account, pwd->pw_uid, PDB_SET); - pdb_set_gid(sam_account, pwd->pw_gid, PDB_SET); + pdb_set_domain (sam_account, lp_workgroup(), PDB_DEFAULT); /* When we get a proper uid -> SID and SID -> uid allocation mechinism, we should call it here. 
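Review bot: The first hunk adds a block comment ("This is set on startup - it defines the SID for this machine ...") that is followed only by a blank line and the `pdb_fill_default_sam` header comment, so it describes nothing; a reader will assume a declaration was lost. Either drop it or attach it to the object it documents. Making `pdb_fill_default_sam` non-static is fine as long as a prototype reaches its new callers; none is visible in this chunk.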
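Review bot: `pdb_fill_sam_pw` now sets the account domain with `pdb_set_domain(sam_account, lp_workgroup(), PDB_DEFAULT)` where it previously used `get_global_sam_name()`, which (per the context at the top of this hunk) returns `global_myname()` in at least one configuration; accounts on such a host will therefore carry the workgroup name rather than the machine name as their domain. If that is intended, it is a behaviour change worth a comment at the call, e.g. `/* domain is the workgroup even on a standalone host; SIDs come from pdb_set_sam_sids() */`; if not, the previous helper should stay. The same `lp_workgroup()` choice is repeated in `pdb_init_sam_new` in the next hunk, so one decision covers both.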
@@ -199,37 +195,8 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) -- abartlet 11-May-02 */ - - /* Ensure this *must* be set right */ - if (strcmp(pwd->pw_name, guest_account) == 0) { - if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST, PDB_SET)) { - return NT_STATUS_UNSUCCESSFUL; - } - if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS, PDB_SET)) { - return NT_STATUS_UNSUCCESSFUL; - } - } else { - - if (!pdb_set_user_sid_from_rid(sam_account, - fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) { - DEBUG(0,("Can't set User SID from RID!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - /* call the mapping code here */ - if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) { - if (!pdb_set_group_sid(sam_account,&map.sid, PDB_SET)){ - DEBUG(0,("Can't set Group SID!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - } - else { - if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) { - DEBUG(0,("Can't set Group SID\n")); - return NT_STATUS_INVALID_PARAMETER; - } - } - } + ret = pdb_set_sam_sids(sam_account, pwd); + if (NT_STATUS_IS_ERR(ret)) return ret; /* check if this is a user account or a machine account */ if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$') @@ -322,6 +289,7 @@ NTSTATUS pdb_init_sam_new(SAM_ACCOUNT **new_sam_acct, const char *username) return nt_status; } } else { + DOM_SID g_sid; if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(new_sam_acct))) { *new_sam_acct = NULL; return nt_status; @@ -330,6 +298,13 @@ NTSTATUS pdb_init_sam_new(SAM_ACCOUNT **new_sam_acct, const char *username) pdb_free_sam(new_sam_acct); return nt_status; } + + pdb_set_domain (*new_sam_acct, lp_workgroup(), PDB_DEFAULT); + + /* set Domain Users by default ! */ + sid_copy(&g_sid, get_global_sam_sid()); + sid_append_rid(&g_sid, DOMAIN_GROUP_RID_USERS); + pdb_set_group_sid(*new_sam_acct, &g_sid, PDB_SET); } return NT_STATUS_OK; } 
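Review bot: `if (NT_STATUS_IS_ERR(ret)) return ret;` after the new `pdb_set_sam_sids` call only rejects error-severity codes, so any warning-class status the helper might return in future would be treated as success; the usual guard is `if (!NT_STATUS_IS_OK(ret)) return ret;`. In `pdb_init_sam_new` the new `pdb_set_group_sid(*new_sam_acct, &g_sid, PDB_SET)` call ignores its BOOL result while the neighbouring calls in this file check theirs. Both enclosing functions continue outside their hunks.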
@@ -402,6 +377,63 @@ NTSTATUS pdb_free_sam(SAM_ACCOUNT **user)
 return NT_STATUS_OK;
 } 
+/**************************************************************************
+ * This function will take care of all the steps needed to correctly
+ * allocate and set the user SID, please do use this function to create new
+ * users, messing with SIDs is not good.
+ *
+ * account_data must be provided initialized, pwd may be null.
+ * SSS
+ ***************************************************************************/
+
+NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd)
+{
+ const char *guest_account = lp_guestaccount();
+ GROUP_MAP map;
+
+ if (!account_data || !pwd) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* this is a hack this thing should not be set
+ this way --SSS */
+ if (!(guest_account && *guest_account)) {
+ DEBUG(1, ("NULL guest account!?!?\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ } else {
+ /* Ensure this *must* be set right */
+ if (strcmp(pwd->pw_name, guest_account) == 0) {
+ if (!pdb_set_user_sid_from_rid(account_data, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ if (!pdb_set_group_sid_from_rid(account_data, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ return NT_STATUS_OK;
+ }
+ }
+
+ if (!pdb_set_user_sid_from_rid(account_data, fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) {
+ DEBUG(0,("Can't set User SID from RID!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* call the mapping code here */
+ if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) {
+ if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){
+ DEBUG(0,("Can't set Group SID!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+ else {
+ if (!pdb_set_group_sid_from_rid(account_data, pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) {
+ DEBUG(0,("Can't set Group SID\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
+ return NT_STATUS_OK;
+} 
/********************************************************** Encode the account control bits into a string. @@ -531,10 +563,6 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd) return (True); } -/******************************************************************* - Converts NT user RID to a UNIX uid. - ********************************************************************/ - static int algorithmic_rid_base(void) { static int rid_offset = 0; @@ -557,14 +585,16 @@ static int algorithmic_rid_base(void) return rid_offset; } +/******************************************************************* + Converts NT user RID to a UNIX uid. + ********************************************************************/ uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid) { int rid_offset = algorithmic_rid_base(); - return (uid_t)(((user_rid & (~USER_RID_TYPE))- rid_offset)/RID_MULTIPLIER); + return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER); } - /******************************************************************* converts UNIX uid to an NT User RID. ********************************************************************/ @@ -615,7 +645,7 @@ static BOOL pdb_rid_is_well_known(uint32 rid) Decides if a RID is a user or group RID. ********************************************************************/ -BOOL pdb_rid_is_user(uint32 rid) +BOOL fallback_pdb_rid_is_user(uint32 rid) { /* lkcl i understand that NT attaches an enumeration to a RID * such that it can be identified as either a user, group etc @@ -648,7 +678,7 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use GROUP_MAP map; if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)){ - DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n", + DEBUG(0,("local_lookup_sid: sid_peek_check_rid return False! SID: %s\n", sid_string_static(&map.sid))); return False; } 
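Review bot: The header comment on `pdb_set_sam_sids` says `pwd may be null`, but the first check in the body is `if (!account_data || !pwd) return NT_STATUS_INVALID_PARAMETER;`, so a NULL pwd is rejected; the comment should read `* account_data must be provided initialized and pwd must not be NULL.` The guest branch sets both SIDs with PDB_DEFAULT while the non-guest path uses PDB_SET; a one-line comment explaining why the guest SIDs are treated as defaults would spare the next reader from guessing. The `/* this is a hack ... */` remark would also help more if it said what the non-hack is meant to be.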
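Review bot: The DEBUG line renamed in the `local_lookup_sid` hunk still formats `sid_string_static(&map.sid)`, but `map` is the `GROUP_MAP` declared just above and nothing has filled it at that point, so the message prints an uninitialised SID rather than the one that failed `sid_peek_check_rid`. Use the function argument instead: `sid_string_static(sid)`. The rest of `local_lookup_sid` lies outside the hunk.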
@@ -705,7 +735,7 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use return True; } - if (pdb_rid_is_user(rid)) { + if (fallback_pdb_rid_is_user(rid)) { uid_t uid; DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid)); 
@@ -838,190 +868,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi return True; } -/**************************************************************************** - Convert a uid to SID - locally. -****************************************************************************/ - -DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid) -{ - struct passwd *pass; - SAM_ACCOUNT *sam_user = NULL; - fstring str; /* sid string buffer */ - - sid_copy(psid, get_global_sam_sid()); - - if((pass = getpwuid_alloc(uid))) { - - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) { - passwd_free(&pass); - return NULL; - } - - if (pdb_getsampwnam(sam_user, pass->pw_name)) { - sid_copy(psid, pdb_get_user_sid(sam_user)); - } else { - sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid)); - } - - DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (%s).\n", - (unsigned)uid, sid_to_string( str, psid), - pass->pw_name )); - - passwd_free(&pass); - pdb_free_sam(&sam_user); - - } else { - sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid)); - - DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (unknown user).\n", - (unsigned)uid, sid_to_string( str, psid))); - } - - return psid; -} - -/**************************************************************************** - Convert a SID to uid - locally. 
-****************************************************************************/ - -BOOL local_sid_to_uid(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE *name_type) -{ - fstring str; - SAM_ACCOUNT *sam_user = NULL; - - *name_type = SID_NAME_UNKNOWN; - - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) - return False; - - if (pdb_getsampwsid(sam_user, psid)) { - - if (!IS_SAM_SET(sam_user,PDB_UID)&&!IS_SAM_CHANGED(sam_user,PDB_UID)) { - pdb_free_sam(&sam_user); - return False; - } - - *puid = pdb_get_uid(sam_user); - - DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_to_string( str, psid), - (unsigned int)*puid, pdb_get_username(sam_user))); - pdb_free_sam(&sam_user); - } else { - - DOM_SID dom_sid; - uint32 rid; - GROUP_MAP map; - - pdb_free_sam(&sam_user); - - if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) { - DEBUG(3, ("local_sid_to_uid: SID '%s' is a group, not a user... \n", sid_to_string(str, psid))); - /* It's a group, not a user... */ - return False; - } - - sid_copy(&dom_sid, psid); - if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) { - DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid))); - return False; - } - - if (!pdb_rid_is_user(rid)) { - DEBUG(3, ("local_sid_to_uid: sid '%s' cannot be mapped to a uid algorithmicly becouse it is a group\n", sid_to_string(str, psid))); - return False; - } - - *puid = fallback_pdb_user_rid_to_uid(rid); - - DEBUG(5,("local_sid_to_uid: SID %s algorithmicly mapped to %ld mapped becouse SID was not found in passdb.\n", - sid_to_string(str, psid), (signed long int)(*puid))); - } - - *name_type = SID_NAME_USER; - - return True; -} - -/**************************************************************************** - Convert a gid to SID - locally. 
-****************************************************************************/ - -DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid) -{ - GROUP_MAP map; - - sid_copy(psid, get_global_sam_sid()); - - if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { - sid_copy(psid, &map.sid); - } - else { - sid_append_rid(psid, pdb_gid_to_group_rid(gid)); - } - - return psid; -} - -/**************************************************************************** - Convert a SID to gid - locally. -****************************************************************************/ - -BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_type) -{ - fstring str; - GROUP_MAP map; - - *name_type = SID_NAME_UNKNOWN; - - /* - * We can only convert to a gid if this is our local - * Domain SID (ie. we are the controling authority). - * - * Or in the Builtin SID too. JFM, 11/30/2001 - */ - - if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) { - - /* the SID is in the mapping table but not mapped */ - if (map.gid==(gid_t)-1) - return False; - - *pgid = map.gid; - *name_type = map.sid_name_use; - DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", - sid_to_string( str, psid), - map.nt_name, (unsigned int)*pgid)); - - } else { - uint32 rid; - SAM_ACCOUNT *sam_user = NULL; - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) - return False; - - if (pdb_getsampwsid(sam_user, psid)) { - return False; - pdb_free_sam(&sam_user); - } - - pdb_free_sam(&sam_user); - - if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) { - DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid))); - return False; - } - - if (pdb_rid_is_user(rid)) - return False; - - *pgid = pdb_group_rid_to_gid(rid); - *name_type = SID_NAME_ALIAS; - DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u).\n", sid_to_string( str, psid), - (unsigned int)*pgid)); - } - - return True; -} - /************************************************************* Change a password entry 
in the local smbpasswd file. diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c index a86d936263..4370dc2c36 100644 --- a/source3/passdb/pdb_get_set.c +++ b/source3/passdb/pdb_get_set.c @@ -202,22 +202,6 @@ enum pdb_value_state pdb_get_init_flags (const SAM_ACCOUNT *sampass, enum pdb_el return ret; } -uid_t pdb_get_uid (const SAM_ACCOUNT *sampass) -{ - if (sampass) - return (sampass->private.uid); - else - return (-1); -} - -gid_t pdb_get_gid (const SAM_ACCOUNT *sampass) -{ - if (sampass) - return (sampass->private.gid); - else - return (-1); -} - const char* pdb_get_username (const SAM_ACCOUNT *sampass) { if (sampass) @@ -509,32 +493,6 @@ BOOL pdb_set_init_flags (SAM_ACCOUNT *sampass, enum pdb_elements element, enum p return True; } -BOOL pdb_set_uid (SAM_ACCOUNT *sampass, const uid_t uid, enum pdb_value_state flag) -{ - if (!sampass) - return False; - - DEBUG(10, ("pdb_set_uid: setting uid %d, was %d\n", - (int)uid, (int)sampass->private.uid)); - - sampass->private.uid = uid; - - return pdb_set_init_flags(sampass, PDB_UID, flag); -} - -BOOL pdb_set_gid (SAM_ACCOUNT *sampass, const gid_t gid, enum pdb_value_state flag) -{ - if (!sampass) - return False; - - DEBUG(10, ("pdb_set_gid: setting gid %d, was %d\n", - (int)gid, (int)sampass->private.gid)); - - sampass->private.gid = gid; - - return pdb_set_init_flags(sampass, PDB_GID, flag); -} - BOOL pdb_set_user_sid (SAM_ACCOUNT *sampass, DOM_SID *u_sid, enum pdb_value_state flag) { if (!sampass || !u_sid) diff --git a/source3/passdb/pdb_guest.c b/source3/passdb/pdb_guest.c index 7ecfa7d4c3..9bcdccc7e7 100644 --- a/source3/passdb/pdb_guest.c +++ b/source3/passdb/pdb_guest.c 
@@ -24,11 +24,16 @@ Lookup a name in the SAM database ******************************************************************/ -static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user, const char *sname) +static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *sam_account, const char *sname) { NTSTATUS nt_status; - struct passwd *pass; const char *guest_account = lp_guestaccount(); + + if (!sam_account || !sname) { + DEBUG(0,("invalid name specified")); + return NT_STATUS_UNSUCCESSFUL; + } + if (!(guest_account && *guest_account)) { DEBUG(1, ("NULL guest account!?!?\n")); return NT_STATUS_UNSUCCESSFUL; @@ -38,21 +43,31 @@ static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT * DEBUG(0,("invalid methods\n")); return NT_STATUS_UNSUCCESSFUL; } - if (!sname) { - DEBUG(0,("invalid name specified")); - return NT_STATUS_UNSUCCESSFUL; - } - if (!strequal(guest_account, sname)) { return NT_STATUS_NO_SUCH_USER; } - pass = getpwnam_alloc(guest_account); - - nt_status = pdb_fill_sam_pw(user, pass); + pdb_fill_default_sam(sam_account); + + if (!pdb_set_username(sam_account, guest_account, PDB_SET)) + return NT_STATUS_UNSUCCESSFUL; + + if (!pdb_set_fullname(sam_account, guest_account, PDB_SET)) + return NT_STATUS_UNSUCCESSFUL; + + if (!pdb_set_domain(sam_account, lp_workgroup(), PDB_DEFAULT)) + return NT_STATUS_UNSUCCESSFUL; + + if (!pdb_set_acct_ctrl(sam_account, ACB_NORMAL, PDB_DEFAULT)) + return NT_STATUS_UNSUCCESSFUL; + + if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) + return NT_STATUS_UNSUCCESSFUL; + + if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) + return NT_STATUS_UNSUCCESSFUL; - passwd_free(&pass); - return nt_status; + return NT_STATUS_OK; } 
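Review bot: The new NULL guard in `guestsam_getsampwnam` reports `invalid name specified` for a NULL `sam_account` as well as a NULL `sname`, and the message lacks a trailing newline unlike the other DEBUG calls here; `DEBUG(0,("guestsam_getsampwnam: NULL sam_account or name\n"));` would be accurate. The `methods` check still runs after the guest-account lookup, so swapping those two blocks would validate all arguments before any work. Since the entry is now built from constants instead of `pdb_fill_sam_pw`, a comment stating that the guest account deliberately carries no unix attributes would document the intent.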
@@ -61,35 +76,17 @@ static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT * **************************************************************************/ static NTSTATUS guestsam_getsampwrid (struct pdb_methods *methods, - SAM_ACCOUNT *user, uint32 rid) + SAM_ACCOUNT *sam_account, uint32 rid) { - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; - struct passwd *pass = NULL; - const char *guest_account = lp_guestaccount(); - if (!(guest_account && *guest_account)) { - DEBUG(1, ("NULL guest account!?!?\n")); - return nt_status; - } - - if (!methods) { - DEBUG(0,("invalid methods\n")); - return nt_status; - } - - if (rid == DOMAIN_USER_RID_GUEST) { - pass = getpwnam_alloc(guest_account); - if (!pass) { - DEBUG(1, ("guest account %s does not seem to exist...\n", guest_account)); - return NT_STATUS_NO_SUCH_USER; - } - } else { + if (rid != DOMAIN_USER_RID_GUEST) { return NT_STATUS_NO_SUCH_USER; } - nt_status = pdb_fill_sam_pw(user, pass); - passwd_free(&pass); + if (!sam_account) { + return NT_STATUS_INVALID_PARAMETER; + } - return nt_status; + return guestsam_getsampwnam (methods, sam_account, lp_guestaccount()); } static NTSTATUS guestsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid) @@ -97,6 +94,7 @@ static NTSTATUS guestsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT uint32 rid; if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) return NT_STATUS_NO_SUCH_USER; + return guestsam_getsampwrid(my_methods, user, rid); } diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index dbc0bdc1c0..da3a163c1e 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c 
@@ -164,7 +164,7 @@ static const char *attr[] = {"uid", "pwdLastSet", "logonTime", "smbHome", "scriptPath", "profilePath", "description", "userWorkstations", "rid", "ntSid", - "primaryGroupID", "primaryGroupSid", "lmPassword", + "primaryGroupID", "lmPassword", "ntPassword", "acctFlags", "domain", "objectClass", "uidNumber", "gidNumber", @@ -519,10 +519,9 @@ static int ldapsam_retry_open(struct ldapsam_privates *ldap_state, int *attempts if (*attempts != 0) { unsigned int sleep_time; - uint8 rand_byte; + uint8 rand_byte = 128; /* a reasonable place to start */ - /* Sleep for a random timeout */ - rand_byte = (char)(sys_random()); + generate_random_buffer(&rand_byte, 1, False); sleep_time = (((*attempts)*(*attempts))/2)*rand_byte*2; /* we retry after (0.5, 1, 2, 3, 4.5, 6) seconds @@ -1534,12 +1533,11 @@ Initialize SAM_ACCOUNT from an LDAP query (unix attributes only) *********************************************************************/ static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state, SAM_ACCOUNT * sampass, - LDAPMessage * entry) + LDAPMessage * entry, + gid_t *gid) { pstring homedir; pstring temp; - uid_t uid; - gid_t gid; char **ldap_values; char **values; @@ -1564,19 +1562,12 @@ static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state, if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir)) return False; - if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp)) - return False; - - uid = (uid_t)atol(temp); - if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp)) return False; gid = (gid_t)atol(temp); pdb_set_unix_homedir(sampass, homedir, PDB_SET); - pdb_set_uid(sampass, uid, PDB_SET); - pdb_set_gid(sampass, gid, PDB_SET); DEBUG(10, ("user has posixAcccount attributes\n")); return True; 
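Review bot: `get_unix_attributes` now takes `gid_t *gid`, but the unchanged line `gid = (gid_t)atol(temp);` assigns the integer to the pointer itself, so the caller's variable is never written (and the compiler will complain about the int-to-pointer conversion); it needs to be `*gid = (gid_t)atol(temp);`. The function's signature is in the previous hunk, which is why the parameter change is not visible next to the assignment.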
@@ -1618,8 +1609,7 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, uint8 hours[MAX_HOURS_LEN]; pstring temp; uid_t uid = -1; - gid_t gid = getegid(); - + gid_t gid = getegid(); /* * do a little initialization @@ -1667,31 +1657,11 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, if (get_single_attribute(ldap_state->ldap_struct, entry, "ntSid", temp)) { pdb_set_user_sid_from_string(sampass, temp, PDB_SET); } - if (get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupSid", temp)) { - pdb_set_group_sid_from_string(sampass, temp, PDB_SET); - } else { - pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT); - } } else { if (get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp)) { user_rid = (uint32)atol(temp); pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET); } - if (get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) { - uint32 group_rid; - group_rid = (uint32)atol(temp); - - if (group_rid > 0) { - /* for some reason, we often have 0 as a primary group RID. - Make sure that we treat this just as a 'default' value - */ - pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET); - } else { - pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT); - } - } else { - pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT); - } } if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) { 
@@ -1699,44 +1669,29 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, return False; } + if (!get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) { + pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT); + } else { + uint32 group_rid; + group_rid = (uint32)atol(temp); + pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET); + } + /* * If so configured, try and get the values from LDAP */ - if (!lp_ldap_trust_ids() || (!get_unix_attributes(ldap_state, sampass, entry))) { + if (!lp_ldap_trust_ids() && (get_unix_attributes(ldap_state, sampass, entry, &gid))) { - /* - * Otherwise just ask the system getpw() calls. - */ - - pw = getpwnam_alloc(username); - if (pw == NULL) { - if (! ldap_state->permit_non_unix_accounts) { - DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username)); - return False; + if (pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT) { + GROUP_MAP map; + /* call the mapping code here */ + if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { + pdb_set_group_sid(sampass, &map.sid, PDB_SET); + } + else { + pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET); } - } else { - uid = pw->pw_uid; - pdb_set_uid(sampass, uid, PDB_SET); - gid = pw->pw_gid; - pdb_set_gid(sampass, gid, PDB_SET); - - pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET); - - passwd_free(&pw); - } - } - - if ((pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT) - && (pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT)) { - GROUP_MAP map; - gid = pdb_get_gid(sampass); - /* call the mapping code here */ - if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { - pdb_set_group_sid(sampass, &map.sid, PDB_SET); - } - else { - pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET); } } 
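Review bot: The new condition `if (!lp_ldap_trust_ids() && (get_unix_attributes(ldap_state, sampass, entry, &gid)))` consults the LDAP posixAccount attributes only when `ldap trust ids` is off, which is the opposite of the removed `if (!lp_ldap_trust_ids() || !get_unix_attributes(...))` fallback; unless the option's meaning has changed elsewhere, `if (lp_ldap_trust_ids() && get_unix_attributes(...))` appears to be what was intended. Separately, the added primaryGroupID handling calls `pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET)` even when the parsed value is 0, whereas the removed code treated 0 as "use Domain Users" because stored zeros are common; wrapping the call in `if (group_rid > 0)` with the DOMAIN_GROUP_RID_USERS default in the else branch would keep that behaviour. `init_sam_from_ldap` continues beyond this hunk.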
@@ -1964,16 +1919,15 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, if (need_update(sampass, PDB_USERSID)) { fstring sid_string; fstring dom_sid_string; - const DOM_SID *user_sid = pdb_get_user_sid(sampass); + const DOM_SID *user_sid; + user_sid = pdb_get_user_sid(sampass); if (ldap_state->use_ntsid) { make_ldap_mod(ldap_state->ldap_struct, existing, mods, "ntSid", sid_to_string(sid_string, user_sid)); } else { if (!sid_peek_check_rid(get_global_sam_sid(), user_sid, &rid)) { - DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", - sid_to_string(sid_string, user_sid), - sid_to_string(dom_sid_string, get_global_sam_sid()))); + DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", sid_to_string(sid_string, user_sid), sid_to_string(dom_sid_string, get_global_sam_sid()))); return False; } slprintf(temp, sizeof(temp) - 1, "%i", rid); 
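Review bot: The `DEBUG(1, ...)` call is refolded from three lines onto one line of roughly 170 columns with no change in content, and `const DOM_SID *user_sid = pdb_get_user_sid(sampass);` is split into a declaration plus a separate assignment for no visible reason; both add churn to the diff without improving the code. Keeping the original three-line DEBUG and the single-line initialiser would leave only the intended changes in this hunk.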
@@ -1987,24 +1941,10 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, 'free' to hang off the unix primary group makes life easier */ if (need_update(sampass, PDB_GROUPSID)) { - fstring sid_string; - fstring dom_sid_string; - const DOM_SID *group_sid = pdb_get_group_sid(sampass); - - if (ldap_state->use_ntsid) { - make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "primaryGroupSid", sid_to_string(sid_string, group_sid)); - } else { - if (!sid_peek_check_rid(get_global_sam_sid(), group_sid, &rid)) { - DEBUG(1, ("User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n", - sid_to_string(sid_string, group_sid), - sid_to_string(dom_sid_string, get_global_sam_sid()))); - return False; - } - slprintf(temp, sizeof(temp) - 1, "%i", rid); - make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "primaryGroupID", temp); - } + rid = pdb_get_group_rid(sampass); + slprintf(temp, sizeof(temp) - 1, "%i", rid); + make_ldap_mod(ldap_state->ldap_struct, existing, mods, + "primaryGroupID", temp); } /* displayName, cn, and gecos should all be the same @@ -2416,8 +2356,7 @@ static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_A { "lmPassword", "ntPassword", "pwdLastSet", "logonTime", "logoffTime", "kickoffTime", "pwdCanChange", "pwdMustChange", "acctFlags", "displayName", "smbHome", "homeDrive", "scriptPath", "profilePath", - "userWorkstations", "primaryGroupID", "primaryGroupSid", "domain", - "rid", "ntSid", NULL }; + "userWorkstations", "primaryGroupID", "domain", "rid", "ntSid", NULL }; if (!sam_acct) { DEBUG(0, ("sam_acct was NULL!\n")); 
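Review bot: The rewritten PDB_GROUPSID block writes `rid = pdb_get_group_rid(sampass);` into primaryGroupID without the removed check that the group SID belongs to this domain, and without checking for 0. If `pdb_get_group_rid` yields 0 for a SID outside the domain (its behaviour is not visible here), a primaryGroupID of 0 would be stored silently, and the reader side of this patch now treats that as a real RID; a guard such as `if (!(rid = pdb_get_group_rid(sampass))) { DEBUG(1, ("group SID not in this domain, cannot add to LDAP\n")); return False; }` would preserve the old failure mode. `init_ldap_from_sam` continues outside the hunk.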
@@ -3130,7 +3069,7 @@ static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods, return NT_STATUS_OK; } -static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) +static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) { NTSTATUS nt_status; struct ldapsam_privates *ldap_state; @@ -3173,7 +3112,7 @@ static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_met ldap_state->uri = "ldap://localhost"; } - ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, get_global_sam_name()); + ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, lp_workgroup()); if (!ldap_state->domain_name) { return NT_STATUS_NO_MEMORY; } @@ -3186,9 +3125,6 @@ static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_met (*pdb_method)->free_private_data = free_private_data; - /* setup random, for our backoffs */ - sys_srandom(sys_getpid() ^ time(NULL)); - return NT_STATUS_OK; } @@ -3197,7 +3133,7 @@ static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS ** NTSTATUS nt_status; struct ldapsam_privates *ldap_state; - if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) { + if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) { return nt_status; } 
@@ -3229,50 +3165,54 @@ static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS ** return NT_STATUS_OK; } -static NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) +static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) { NTSTATUS nt_status; struct ldapsam_privates *ldap_state; - uint32 low_winbind_uid, high_winbind_uid; - uint32 low_winbind_gid, high_winbind_gid; + uint32 low_idmap_uid, high_idmap_uid; + uint32 low_idmap_gid, high_idmap_gid; - if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) { + if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) { return nt_status; } - (*pdb_method)->name = "ldapsam_nua"; + (*pdb_method)->name = "ldapsam"; ldap_state = (*pdb_method)->private_data; ldap_state->permit_non_unix_accounts = True; /* We know these uids can't turn up as allogorithmic RIDs */ - if (!lp_winbind_uid(&low_winbind_uid, &high_winbind_uid)) { - DEBUG(0, ("cannot use ldapsam_nua without 'winbind uid' range in smb.conf!\n")); + if (!lp_idmap_uid(&low_idmap_uid, &high_idmap_uid)) { + DEBUG(0, ("cannot use ldapsam_nua without 'idmap uid' range in smb.conf!\n")); return NT_STATUS_UNSUCCESSFUL; } /* We know these gids can't turn up as allogorithmic RIDs */ - if (!lp_winbind_gid(&low_winbind_gid, &high_winbind_gid)) { - DEBUG(0, ("cannot use ldapsam_nua without 'winbind gid' range in smb.conf!\n")); + if (!lp_idmap_gid(&low_idmap_gid, &high_idmap_gid)) { + DEBUG(0, ("cannot use ldapsam_nua without 'wibnind gid' range in smb.conf!\n")); return NT_STATUS_UNSUCCESSFUL; } - ldap_state->low_allocated_user_rid=fallback_pdb_uid_to_user_rid(low_winbind_uid); + ldap_state->low_allocated_user_rid=fallback_pdb_uid_to_user_rid(low_idmap_uid); - ldap_state->high_allocated_user_rid=fallback_pdb_uid_to_user_rid(high_winbind_uid); + 
ldap_state->high_allocated_user_rid=fallback_pdb_uid_to_user_rid(high_idmap_uid); - ldap_state->low_allocated_group_rid=pdb_gid_to_group_rid(low_winbind_gid); + ldap_state->low_allocated_group_rid=pdb_gid_to_group_rid(low_idmap_gid); - ldap_state->high_allocated_group_rid=pdb_gid_to_group_rid(high_winbind_gid); + ldap_state->high_allocated_group_rid=pdb_gid_to_group_rid(high_idmap_gid); return NT_STATUS_OK; } NTSTATUS pdb_ldap_init(void) { - smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam); - smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat); - smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_nua", pdb_init_ldapsam_nua); + NTSTATUS nt_status; + if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam))) + return nt_status; + + if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat))) + return nt_status; + return NT_STATUS_OK; } diff --git a/source3/passdb/pdb_nisplus.c b/source3/passdb/pdb_nisplus.c index cd9288fed0..4e4aaed02b 100644 --- a/source3/passdb/pdb_nisplus.c +++ b/source3/passdb/pdb_nisplus.c @@ -876,8 +876,6 @@ static BOOL make_sam_from_nisp_object (SAM_ACCOUNT * pw_buf, pdb_set_workstations (pw_buf, ENTRY_VAL (obj, NPF_WORKSTATIONS), PDB_SET); pdb_set_munged_dial (pw_buf, NULL, PDB_DEFAULT); - pdb_set_uid (pw_buf, atoi (ENTRY_VAL (obj, NPF_UID)), PDB_SET); - pdb_set_gid (pw_buf, atoi (ENTRY_VAL (obj, NPF_SMB_GRPID)), PDB_SET); pdb_set_user_sid_from_rid (pw_buf, atoi (ENTRY_VAL (obj, NPF_USER_RID)), PDB_SET); pdb_set_group_sid_from_rid (pw_buf, 
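Review bot: Both failure messages in the renamed `pdb_init_ldapsam` still say `cannot use ldapsam_nua`, although this initializer is now registered as `ldapsam` and `ldapsam_nua` is no longer registered at all; the second one also names the option as `'wibnind gid'` instead of `'idmap gid'`. Suggested: `DEBUG(0, ("cannot use ldapsam without 'idmap uid' range in smb.conf!\n"));` and `DEBUG(0, ("cannot use ldapsam without 'idmap gid' range in smb.conf!\n"));`. Note that the idmap uid/gid ranges are now mandatory for the plain ldapsam backend, and configurations that name `ldapsam_nua` will fail to register, so both changes deserve a mention in the commit message or release notes.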
@@ -949,8 +947,8 @@ static BOOL make_sam_from_nisp_object (SAM_ACCOUNT * pw_buf, if (!(pdb_get_acct_ctrl (pw_buf) & ACB_PWNOTREQ) && strncasecmp (ptr, "NO PASSWORD", 11)) { if (strlen (ptr) != 32 || !pdb_gethexpwd (ptr, smbntpwd)) { - DEBUG (0, ("malformed NT pwd entry:\ - uid = %d.\n", pdb_get_uid (pw_buf))); + DEBUG (0, ("malformed NT pwd entry:\ %s.\n", + pdb_get_username (pw_buf))); return False; } if (!pdb_set_nt_passwd (pw_buf, smbntpwd, PDB_SET)) @@ -1047,6 +1045,8 @@ static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass, BOOL need_to_modify = False; const char *name = pdb_get_username (sampass); /* from SAM */ + uint32 u_rid; + uint32 g_rid; /* these must be static or allocate and free entry columns! */ static fstring uid; /* from SAM */ static fstring user_rid; /* from SAM */ 
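Review bot: As rendered here, the new format string `"malformed NT pwd entry:\ %s.\n"` keeps the backslash from the removed line continuation; if a space rather than a newline follows it in the file, `\ ` is an unknown escape sequence that compilers warn about and silently reduce to a space. `DEBUG (0, ("malformed NT pwd entry: %s.\n", pdb_get_username (pw_buf)));` avoids the question either way.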
@@ -1065,31 +1065,15 @@ static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass, static fstring acct_desc; /* from SAM */ static char empty[1]; /* just an empty string */ - slprintf (uid, sizeof (uid) - 1, "%u", pdb_get_uid (sampass)); - slprintf (user_rid, sizeof (user_rid) - 1, "%u", - pdb_get_user_rid (sampass) ? pdb_get_user_rid (sampass) : - fallback_pdb_uid_to_user_rid (pdb_get_uid (sampass))); - slprintf (gid, sizeof (gid) - 1, "%u", pdb_get_gid (sampass)); - - { - uint32 rid; - GROUP_MAP map; - - rid = pdb_get_group_rid (sampass); - - if (rid == 0) { - if (pdb_getgrgid(&map, pdb_get_gid (sampass), - MAPPING_WITHOUT_PRIV)) { - if (!sid_peek_check_rid - (get_global_sam_sid (), &map.sid, &rid)) - return False; - } else - rid = pdb_gid_to_group_rid (pdb_get_gid - (sampass)); - } + if (!(u_rid = pdb_get_user_rid (sampass))) + return False; + if (!(g_rid = pdb_get_group_rid (sampass))) + return False; - slprintf (group_rid, sizeof (group_rid) - 1, "%u", rid); - } + slprintf (uid, sizeof (uid) - 1, "%u", fallback_pdb_user_rid_to_uid (u_rid)); + slprintf (user_rid, sizeof (user_rid) - 1, "%u", u_rid); + slprintf (gid, sizeof (gid) - 1, "%u", fallback_pdb_group_rid_to_uid (g_rid)); + slprintf (group_rid, sizeof (group_rid) - 1, "%u", g_rid); acb = pdb_encode_acct_ctrl (pdb_get_acct_ctrl (sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN); 
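Review bot: `fallback_pdb_group_rid_to_uid (g_rid)` is used to fill the `gid` column, but its name says it converts a group RID to a uid, and it does not appear anywhere else in this diff; the group-RID-to-gid helper the rest of the patch uses is `pdb_group_rid_to_gid`, so please confirm the right function is being called. The two new early returns on a zero user or group RID are silent, whereas the removed code derived the group RID from the gid; `DEBUG(0, ("init_nisp_from_sam: no RID for account %s\n", name));` before each `return False;` would make the failure diagnosable. `init_nisp_from_sam` continues beyond the hunk.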
@@ -1133,51 +1117,27 @@ static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass,
 /* uid */
- if (pdb_get_uid (sampass) != -1) {
- if (!ENTRY_VAL (old, NPF_UID)
- || strcmp (ENTRY_VAL (old, NPF_UID), uid)) {
+ if (!ENTRY_VAL (old, NPF_UID) || strcmp (ENTRY_VAL (old, NPF_UID), uid)) {
 need_to_modify = True;
- set_single_attribute (obj, NPF_UID, uid,
- strlen (uid),
- EN_MODIFIED);
- }
+ set_single_attribute (obj, NPF_UID, uid, strlen (uid), EN_MODIFIED);
 }
 /* user_rid */
- if (pdb_get_user_rid (sampass)) {
- if (!ENTRY_VAL (old, NPF_USER_RID) ||
- strcmp (ENTRY_VAL (old, NPF_USER_RID),
- user_rid)) {
+ if (!ENTRY_VAL (old, NPF_USER_RID) || strcmp (ENTRY_VAL (old, NPF_USER_RID), user_rid)) {
 need_to_modify = True;
- set_single_attribute (obj, NPF_USER_RID,
- user_rid,
- strlen (user_rid),
- EN_MODIFIED);
- }
+ set_single_attribute (obj, NPF_USER_RID, user_rid, strlen (user_rid), EN_MODIFIED);
 }
 /* smb_grpid */
- if (pdb_get_gid (sampass) != -1) {
- if (!ENTRY_VAL (old, NPF_SMB_GRPID) ||
- strcmp (ENTRY_VAL (old, NPF_SMB_GRPID), gid)) {
+ if (!ENTRY_VAL (old, NPF_SMB_GRPID) || strcmp (ENTRY_VAL (old, NPF_SMB_GRPID), gid)) {
 need_to_modify = True;
- set_single_attribute (obj, NPF_SMB_GRPID, gid,
- strlen (gid),
- EN_MODIFIED);
- }
+ set_single_attribute (obj, NPF_SMB_GRPID, gid, strlen (gid), EN_MODIFIED);
 }
 /* group_rid */
- if (pdb_get_group_rid (sampass)) {
- if (!ENTRY_VAL (old, NPF_GROUP_RID) ||
- strcmp (ENTRY_VAL (old, NPF_GROUP_RID),
- group_rid)) {
+ if (!ENTRY_VAL (old, NPF_GROUP_RID) || strcmp (ENTRY_VAL (old, NPF_GROUP_RID), group_rid)) {
 need_to_modify = True;
- set_single_attribute (obj, NPF_GROUP_RID,
- group_rid,
- strlen (group_rid),
- EN_MODIFIED);
- }
+ set_single_attribute (obj, NPF_GROUP_RID, group_rid, strlen (group_rid), EN_MODIFIED);
 }
 /* acb */
diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c
index cfbb37ce91..91fc7bc8e0 100644
--- a/source3/passdb/pdb_smbpasswd.c
+++ b/source3/passdb/pdb_smbpasswd.c
@@ -1134,28 +1134,23 @@ Error was %s\n", pwd->smb_name, pfile2, strerror(errno)));
 static BOOL build_smb_pass (struct smb_passwd *smb_pw, const SAM_ACCOUNT *sampass)
 {
 uid_t uid;
+ uint32 rid;
 if (sampass == NULL) return False;
- ZERO_STRUCTP(smb_pw);
-
- if (!IS_SAM_UNIX_USER(sampass)) {
- smb_pw->smb_userid_set = False;
- DEBUG(5,("build_smb_pass: storing user without a UNIX uid or gid. \n"));
- } else {
- uint32 rid = pdb_get_user_rid(sampass);
- smb_pw->smb_userid_set = True;
- uid = pdb_get_uid(sampass);
+ rid = pdb_get_user_rid(sampass);
- /* If the user specified a RID, make sure its able to be both stored and retreived */
- if (rid && rid != DOMAIN_USER_RID_GUEST && uid != fallback_pdb_user_rid_to_uid(rid)) {
- DEBUG(0,("build_sam_pass: Failing attempt to store user with non-uid based user RID. \n"));
- return False;
- }
+ /* If the user specified a RID, make sure its able to be both stored and retreived */
+ if (rid && rid != DOMAIN_USER_RID_GUEST && uid != fallback_pdb_user_rid_to_uid(rid)) {
+ DEBUG(0,("build_sam_pass: Failing attempt to store user with non-uid based user RID. \n"));
+ return False;
+ }
- smb_pw->smb_userid=uid;
- }
+ ZERO_STRUCTP(smb_pw);
+
+ smb_pw->smb_userid_set = True;
+ smb_pw->smb_userid=uid;
 smb_pw->smb_name=(const char*)pdb_get_username(sampass);
@@ -1215,7 +1210,7 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state,
 */
 pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS, PDB_SET);
 pdb_set_username (sam_pass, pw_buf->smb_name, PDB_SET);
- pdb_set_domain (sam_pass, get_global_sam_name(), PDB_DEFAULT);
+ pdb_set_domain (sam_pass, lp_workgroup(), PDB_DEFAULT);
 } else {
 DEBUG(0,("build_sam_account: smbpasswd database is corrupt! username %s with uid %u is not in unix passwd database!\n", pw_buf->smb_name, pw_buf->smb_userid));
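Review bot: `uid` is never assigned in the new build_smb_pass: the removed `uid = pdb_get_uid(sampass);` has no replacement, yet the retained check still compares `uid != fallback_pdb_user_rid_to_uid(rid)` and the new tail stores `smb_pw->smb_userid=uid;`, so an indeterminate stack value decides whether the account is rejected and, when it is not, becomes the uid written to the smbpasswd file. Resolve it before the check with the mapping the rest of this commit uses, e.g. `if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid))) return False;`. The function's closing lines are outside the hunk.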
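Review bot: Defaulting every smbpasswd account's domain to `lp_workgroup()` instead of `get_global_sam_name()` is only equivalent when this host is a domain controller; on a domain member the workgroup names the remote domain, so local accounts would be labelled with a domain they do not belong to (I cannot see get_global_sam_name's definition from here, so this is inferred from the names). If the distinction still matters to callers of pdb_get_domain, keep the old helper, otherwise add a comment stating why the workgroup name is now always the right default. build_sam_account continues outside the hunk.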
@@ -1507,7 +1502,6 @@ static void free_private_data(void **vp)
 /* No need to free any further, as it is talloc()ed */
 }
-
 NTSTATUS pdb_init_smbpasswd(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
 {
 NTSTATUS nt_status;
@@ -1554,35 +1548,16 @@ NTSTATUS pdb_init_smbpasswd(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method,
 (*pdb_method)->free_private_data = free_private_data;
- return NT_STATUS_OK;
-}
-
-NTSTATUS pdb_init_smbpasswd_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
- struct smbpasswd_privates *privates;
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_smbpasswd(pdb_context, pdb_method, location))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "smbpasswd_nua";
-
- privates = (*pdb_method)->private_data;
-
- privates->permit_non_unix_accounts = True;
-
- if (!lp_winbind_uid(&privates->low_nua_userid, &privates->high_nua_userid)) {
- DEBUG(0, ("cannot use smbpasswd_nua without 'winbind uid' range in smb.conf!\n"));
- return NT_STATUS_UNSUCCESSFUL;
+ if (lp_idmap_uid(&privates->low_nua_userid, &privates->high_nua_userid)) {
+ DEBUG(0, ("idmap uid range defined, non unix accounts enabled\n"));
+ privates->permit_non_unix_accounts = True;
 }
 return NT_STATUS_OK;
 }
-NTSTATUS pdb_smbpasswd_init(void)
+int pdb_smbpasswd_init(void)
 {
 smb_register_passdb(PASSDB_INTERFACE_VERSION, "smbpasswd", pdb_init_smbpasswd);
- smb_register_passdb(PASSDB_INTERFACE_VERSION, "smbpasswd_nua", pdb_init_smbpasswd_nua);
- return NT_STATUS_OK;
+ return True;
 }
diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
index c3538042ee..74437cba6f 100644
--- a/source3/passdb/pdb_tdb.c
+++ b/source3/passdb/pdb_tdb.c
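Review bot: Non-unix accounts are now switched on implicitly whenever smb.conf defines an `idmap uid` range, where the removed smbpasswd_nua backend required an explicit opt-in, so an administrator who sets the range for winbind alone silently gets `permit_non_unix_accounts = True` in the plain smbpasswd backend. Gate this on an explicit option, or at minimum make the message say what it changes, e.g. `DEBUG(0, ("idmap uid range defined, enabling non unix accounts in the smbpasswd backend\n"));`. Separately, pdb_smbpasswd_init now returns True unconditionally and discards whatever smb_register_passdb reports, so a registration failure is invisible; returning its status (or checking it before `return True;`) keeps that visible. pdb_init_smbpasswd begins outside the hunk.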
@@ -101,7 +101,7 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state,
 BOOL ret = True;
 struct passwd *pw;
 uid_t uid = -1;
- gid_t gid = -1; /* This is what standard sub advanced expects if no gid is known */
+ gid_t gid = -1;
 if(sampass == NULL || buf == NULL) {
 DEBUG(0, ("init_sam_from_buffer: NULL parameters found!\n"));
@@ -145,30 +145,6 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state,
 goto done;
 }
- /* validate the account and fill in UNIX uid and gid. Standard
- * getpwnam() is used instead of Get_Pwnam() as we do not need
- * to try case permutations
- */
- if (!username || !(pw = getpwnam_alloc(username))) {
- if (!(tdb_state->permit_non_unix_accounts)) {
- DEBUG(0,("tdbsam: getpwnam_alloc(%s) return NULL. User does not exist!\n", username));
- ret = False;
- goto done;
- }
- }
-
- if (pw) {
- uid = pw->pw_uid;
- gid = pw->pw_gid;
-
- pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
- passwd_free(&pw);
-
- pdb_set_uid(sampass, uid, PDB_SET);
- pdb_set_gid(sampass, gid, PDB_SET);
- }
-
 pdb_set_logon_time(sampass, logon_time, PDB_SET);
 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
@@ -664,7 +640,7 @@ static NTSTATUS tdbsam_getsampwrid (struct pdb_methods *my_methods, SAM_ACCOUNT
 return nt_status;
 }
- fstrcpy (name, data.dptr);
+ fstrcpy(name, data.dptr);
 SAFE_FREE(data.dptr);
 tdb_close (pwd_tdb);
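Review bot: With the getpwnam_alloc block gone, init_sam_from_buffer no longer refuses a tdbsam record whose user has no unix account when `permit_non_unix_accounts` is off, so that policy must now be enforced wherever the uid is resolved (sid_to_uid in this commit) or a record left in passdb.tdb after the unix user is deleted loads silently. The locals `pw`, `uid` and `gid` kept in the first hunk look unused now (`uid`/`gid` only ever hold -1), and the unix home directory is no longer set from the passwd entry; drop the dead locals and add a comment saying where the home directory and the existence check now come from. The function starts and ends outside the hunk.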
@@ -768,54 +744,40 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
 return False;
 }
+ if (!pdb_get_group_rid(newpwd)) {
+ DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
+ ret = False;
+ goto done;
+ }
+
 /* if flag == TDB_INSERT then make up a new RID else throw an error. */
 if (!(user_rid = pdb_get_user_rid(newpwd))) {
- if (flag & TDB_INSERT) {
- if (IS_SAM_UNIX_USER(newpwd)) {
- if (tdb_state->algorithmic_rids) {
- user_rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(newpwd));
- } else {
- user_rid = BASE_RID;
- tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &user_rid, RID_MULTIPLIER);
- if (!tdb_ret) {
- ret = False;
- goto done;
- }
- }
- pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED);
- } else {
- user_rid = tdb_state->low_nua_rid;
- tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, RID_MULTIPLIER);
- if (!tdb_ret) {
- ret = False;
- goto done;
- }
- if (user_rid > tdb_state->high_nua_rid) {
- DEBUG(0, ("tdbsam: no NUA rids available, cannot add user %s!\n", pdb_get_username(newpwd)));
- ret = False;
- goto done;
- }
- pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED);
+ if ((flag & TDB_INSERT) && tdb_state->permit_non_unix_accounts) {
+ uint32 lowrid, highrid;
+ if (!idmap_get_free_rid_range(&lowrid, &highrid)) {
+ /* should never happen */
+ DEBUG(0, ("tdbsam: something messed up, no high/low rids but nua enabled ?!\n"));
+ ret = False;
+ goto done;
 }
- } else {
- DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd)));
- ret = False;
- goto done;
- }
- }
-
- if (!pdb_get_group_rid(newpwd)) {
- if (flag & TDB_INSERT) {
- if (!tdb_state->permit_non_unix_accounts) {
- DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
+ user_rid = lowrid;
+ tdb_ret =
tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &user_rid, RID_MULTIPLIER);
+ if (!tdb_ret) {
+ ret = False;
+ goto done;
+ }
+ if (user_rid > highrid) {
+ DEBUG(0, ("tdbsam: no NUA rids available, cannot add user %s!\n", pdb_get_username(newpwd)));
+ ret = False;
+ goto done;
+ }
+ if (!pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED)) {
+ DEBUG(0, ("tdbsam: not able to set new allocated user RID into sam account!\n"));
 ret = False;
 goto done;
- } else {
- /* This seems like a good default choice for non-unix users */
- pdb_set_group_sid_from_rid(newpwd, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
 }
 } else {
- DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
+ DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd)));
 ret = False;
 goto done;
 }
@@ -837,7 +799,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
 /* setup the USER index key */
 slprintf(keystr, sizeof(keystr)-1, "%s%s", USERPREFIX, name);
 key.dptr = keystr;
- key.dsize = strlen (keystr) + 1;
+ key.dsize = strlen(keystr) + 1;
 /* add the account */
 if (tdb_store(pwd_tdb, key, data, flag) != TDB_SUCCESS) {
@@ -849,7 +811,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
 }
 /* setup RID data */
- data.dsize = sizeof(fstring);
+ data.dsize = strlen(name) + 1;
 data.dptr = name;
 /* setup the RID index key */
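Review bot: The non-unix-account allocation now bumps the same `"RID_COUNTER"` key that the removed non-algorithmic path seeded at BASE_RID (and that the disabled tdbsam_get_next_sid below also bumps, by 1), and the only range check is `user_rid > highrid`; assuming tdb_change_uint32_atomic keeps an existing counter rather than re-seeding it, a passdb.tdb that already carries a counter below `lowrid` hands a non-unix account a RID inside the algorithmic range, where it can alias the `fallback_pdb_uid_to_user_rid` RID of a real unix user. Keep the dedicated `"NUA_RID_COUNTER"` key the old code used, or at least make the check two-sided: `if (user_rid < lowrid || user_rid > highrid) {`. The enclosing tdb_update_sam starts and ends outside the hunk.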
@@ -874,6 +836,49 @@ done:
 return (ret);
 }
+#if 0
+/***************************************************************************
+ Allocates a new RID and returns it to the caller as a domain sid
+
+ NOTE: Use carefullt, do not waste RIDs they are a limited resource!
+ - SSS
+ ***************************************************************************/
+
+static NTSTATUS tdbsam_get_next_sid (struct pdb_methods *my_methods, DOM_SID *sid)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
+ TDB_CONTEXT *pwd_tdb;
+ uint32 rid;
+
+ if (sid == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ pwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0600);
+ if (!pwd_tdb)
+ {
+ DEBUG(0, ("tdbsam_get_next_sid: Unable to open TDB passwd (%s)!\n", tdb_state->tdbsam_location));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ rid = BASE_RID;
+ if (tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &rid, 1)) {
+
+ sid_copy(sid, get_global_sam_sid());
+ if (!sid_append_rid(sid, rid)) {
+ goto done;
+ }
+
+ ret = NT_STATUS_OK;
+ }
+
+done:
+ tdb_close (pwd_tdb);
+ return ret;
+}
+#endif
+
 /***************************************************************************
 Modifies an existing SAM_ACCOUNT
 ****************************************************************************/
@@ -912,14 +917,7 @@ NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, con
 {
 NTSTATUS nt_status;
 struct tdbsam_privates *tdb_state;
-
-#if 0 /* when made a module use this */
- tdbsam_debug_level = debug_add_class("tdbsam");
- if(tdbsam_debug_level == -1) {
- tdbsam_debug_level = DBGC_ALL;
- DEBUG(0, ("tdbsam: Couldn't register custom debugging class!\n"));
- }
-#endif
+ uint32 low_nua_uid, high_nua_uid;
 if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
 return nt_status;
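Review bot: tdbsam_get_next_sid is added under `#if 0`, so some forty lines of dead code land in the file (with `carefullt` in the banner), and its body already disagrees with the live allocator in tdb_update_sam: it steps `"RID_COUNTER"` by 1 from BASE_RID while tdb_update_sam steps the same key by RID_MULTIPLIER from the idmap range, so enabling it later as written would hand out RIDs that alias algorithmic ones. Either leave it out until it is wired up, or replace the bare `#if 0` with a comment that says why it is kept and that the counter seed and step must be reconciled with tdb_update_sam first.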
@@ -953,47 +951,29 @@ NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, con
 tdb_state->tdbsam_location = talloc_strdup(pdb_context->mem_ctx, tdbfile);
 }
- tdb_state->algorithmic_rids = True;
-
 (*pdb_method)->private_data = tdb_state;
 (*pdb_method)->free_private_data = free_private_data;
- return NT_STATUS_OK;
-}
+ if (lp_idmap_uid(&low_nua_uid, &high_nua_uid)) {
+ DEBUG(0, ("idmap uid range defined, non unix accounts enabled\n"));
-NTSTATUS pdb_init_tdbsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
- struct tdbsam_privates *tdb_state;
- uint32 low_nua_uid, high_nua_uid;
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_tdbsam(pdb_context, pdb_method, location))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "tdbsam_nua";
+ tdb_state->permit_non_unix_accounts = True;
- tdb_state = (*pdb_method)->private_data;
+ tdb_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid);
- tdb_state->permit_non_unix_accounts = True;
+ tdb_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid);
- if (!lp_winbind_uid(&low_nua_uid, &high_nua_uid)) {
- DEBUG(0, ("cannot use tdbsam_nua without 'winbind uid' range in smb.conf!\n"));
- return NT_STATUS_UNSUCCESSFUL;
+ } else {
+ tdb_state->algorithmic_rids = True;
 }
- tdb_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid);
-
- tdb_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid);
-
 return NT_STATUS_OK;
 }
-NTSTATUS pdb_tdbsam_init(void)
+int pdb_tdbsam_init(void)
 {
 smb_register_passdb(PASSDB_INTERFACE_VERSION, "tdbsam", pdb_init_tdbsam);
- smb_register_passdb(PASSDB_INTERFACE_VERSION, "tdbsam_nua", pdb_init_tdbsam_nua);
- return NT_STATUS_OK;
+ return True;
 }
diff --git a/source3/passdb/pdb_xml.c b/source3/passdb/pdb_xml.c
index de2ee4594c..7a5c0e2b53 100644
--- a/source3/passdb/pdb_xml.c
+++ b/source3/passdb/pdb_xml.c
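Review bot: `low_nua_rid` and `high_nua_rid` are still computed here from the `idmap uid` range, but the allocation path in tdb_update_sam in this same commit no longer reads them and asks idmap_get_free_rid_range instead, so these two fields are now dead state that can drift from the range the allocator actually uses. Drop the two assignments or make tdb_update_sam consult them, but not both; and since `permit_non_unix_accounts` and `algorithmic_rids` have become mutually exclusive, say so in a comment such as `/* with an idmap range, RIDs come from the idmap allocator, never from the uid */`. pdb_tdbsam_init also returns True unconditionally now and discards whatever smb_register_passdb reports, so a failed registration goes unnoticed.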
@@ -524,7 +524,7 @@ static NTSTATUS xmlsam_init(PDB_CONTEXT * pdb_context, PDB_METHODS ** pdb_method
 return nt_status;
 }
- (*pdb_method)->name = "xml";
+ (*pdb_method)->name = "xmlsam";
 (*pdb_method)->setsampwent = xmlsam_setsampwent;
 (*pdb_method)->endsampwent = xmlsam_endsampwent;
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 5b9d39ddc7..6a9e591f64 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -472,16 +472,10 @@ failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
 */
- if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
- DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
- free_server_info(&server_info);
- return False;
- }
-
 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
- p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
- p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
+ p->pipe_user.uid = server_info->uid;
+ p->pipe_user.gid = server_info->gid;
 p->pipe_user.ngroups = server_info->n_groups;
 if (p->pipe_user.ngroups) {
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 970756d47c..8c9e22966a 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -6,7 +6,7 @@
 * Copyright (C) Paul Ashton 1997,
 * Copyright (C) Marc Jacobsen 1999,
 * Copyright (C) Jeremy Allison 2001-2002,
- * Copyright (C) Jean François Micouleau 1998-2001,
+ * Copyright (C) Jean François Micouleau 1998-2001,
 * Copyright (C) Anthony Liguori 2002,
 * Copyright (C) Jim McDonough 2002.
 *
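Review bot: Renaming the registered backend from `"xml"` to `"xmlsam"` changes the string administrators presumably match in `passdb backend`, so an existing configuration naming `xml` stops resolving after this change with no deprecation path. If the rename is intended, call it out in the commit message; otherwise register both names, or keep `"xml"` and add a comment explaining the naming.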
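Review bot: The guard that refused an authenticated pipe for a user with no uid/gid is gone, and `p->pipe_user.uid`/`gid` are now copied straight from `server_info->uid`/`gid` with no validation; if the auth code leaves those fields unset or at a sentinel for an account idmap could not map (I cannot see where they are filled from this hunk), the pipe runs under whatever value is there, and 0 would mean root. Reinstate a check before the copy, e.g. `if (server_info->uid == (uid_t)-1) { free_server_info(&server_info); return False; }`, or add a comment naming the place that guarantees a valid uid. The enclosing function continues outside the hunk.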
@@ -920,7 +920,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM
 struct sys_grent *grp;
 struct passwd *pw;
 gid_t winbind_gid_low, winbind_gid_high;
- BOOL winbind_groups_exist = lp_winbind_gid(&winbind_gid_low, &winbind_gid_high);
+ BOOL winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high);
 /* local aliases */
 /* we return the UNIX groups here. This seems to be the right */
@@ -2811,8 +2811,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid)
 copy_id23_to_sam_passwd(pwd, id23);
 /* if it's a trust account, don't update /etc/passwd */
- if ( (!IS_SAM_UNIX_USER(pwd)) ||
- ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
+ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
@@ -2873,8 +2872,7 @@ static BOOL set_user_info_pw(char *pass, DOM_SID *sid)
 }
 /* if it's a trust account, don't update /etc/passwd */
- if ( (!IS_SAM_UNIX_USER(pwd)) ||
- ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
+ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
@@ -3389,9 +3387,9 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD
 pdb_free_sam(&sam_user);
 return NT_STATUS_NO_SUCH_USER;
 }
-
- uid = pdb_get_uid(sam_user);
- if (uid == -1) {
+
+ /* check a real user exist before we run the script to add a user to a group */
+ if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {
 pdb_free_sam(&sam_user);
 return NT_STATUS_NO_SUCH_USER;
 }
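Review bot: Dropping `!IS_SAM_UNIX_USER(pwd)` from the condition in set_user_info_23 means a non-unix account no longer takes the "not updating /etc/passwd" branch and falls through to the unix password update, which with the chgpasswd change elsewhere in this commit now fails for a name absent from the system passwd; yet the retained message still says `non-unix-user password`, so either the text is stale or the fall-through is unintended. Make the intent explicit by updating the comment and message, e.g. `/* trust accounts have no unix password to sync */`, or by skipping the update when sid_to_uid fails for the account. The same applies to the identical change in set_user_info_pw; both functions start and end outside their hunks.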
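Review bot: The new existence check in _samr_add_aliasmem tests `NT_STATUS_IS_ERR(...)`, which only catches error-severity codes; a warning or informational status from sid_to_uid would pass and `uid` would then reach the getpwuid_alloc that follows the hunk uninitialised. The idiom used elsewhere in this commit is `!NT_STATUS_IS_OK(...)`; prefer `if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {`. _samr_add_aliasmem continues outside the hunk.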
@@ -3401,7 +3399,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD
 if ((pwd=getpwuid_alloc(uid)) == NULL) {
 return NT_STATUS_NO_SUCH_USER;
 }
-
+
 if ((grp=getgrgid(map.gid)) == NULL) {
 passwd_free(&pwd);
 return NT_STATUS_NO_SUCH_ALIAS;
@@ -3550,18 +3548,6 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD
 return NT_STATUS_NO_SUCH_USER;
 }
- uid = pdb_get_uid(sam_user);
- if (uid == -1) {
- pdb_free_sam(&sam_user);
- return NT_STATUS_NO_SUCH_USER;
- }
-
- pdb_free_sam(&sam_user);
-
- if ((pwd=getpwuid_alloc(uid)) == NULL) {
- return NT_STATUS_NO_SUCH_USER;
- }
-
 if ((grp=getgrgid(map.gid)) == NULL) {
 passwd_free(&pwd);
 return NT_STATUS_NO_SUCH_GROUP;
diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c
index 4eba9c7d1f..f96ccaef67 100644
--- a/source3/rpc_server/srv_util.c
+++ b/source3/rpc_server/srv_util.c
@@ -112,7 +112,7 @@ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, ui
 *prids=NULL;
 *numgroups=0;
- winbind_groups_exist = lp_winbind_gid(&winbind_gid_low, &winbind_gid_high);
+ winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high);
 DEBUG(10,("get_alias_user_groups: looking if SID %s is a member of groups in the SID domain %s\n",
@@ -129,7 +129,12 @@ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, ui
 fstrcpy(user_name, pdb_get_username(sam_pass));
 grid=pdb_get_group_rid(sam_pass);
- gid=pdb_get_gid(sam_pass);
+ if (NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sam_pass), &gid))) {
+ /* this should never happen */
+ DEBUG(2,("get_alias_user_groups: sid_to_gid failed!\n"));
+ pdb_free_sam(&sam_pass);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
 become_root(); /* on some systems this must run as root */
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index 31c4fa7cc9..3d25f33f45 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
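Review bot: The deletion in _samr_add_groupmem leaves `pwd` unassigned: the `pwd=getpwuid_alloc(uid)` that used to fill it is gone, yet the retained context line `passwd_free(&pwd);` still frees it on the getgrgid failure path, and any later use of `pwd` (the add-user-to-group script, outside the hunk) now sees an indeterminate pointer; the `pdb_free_sam(&sam_user)` that balanced the lookup is gone too, so sam_user leaks on the success path. Either restore the resolution as _samr_add_aliasmem does in this commit, `if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sam_user), &uid)))` followed by `pdb_free_sam(&sam_user);` and `getpwuid_alloc(uid)`, or remove every remaining use of `pwd` and free sam_user. The function starts and ends outside the hunk.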
@@ -478,6 +478,12 @@ BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL
 if (!name) {
 DEBUG(1, ("NULL username specfied to chgpasswd()!\n"));
 }
+
+ pass = Get_Pwnam(name);
+ if (!pass) {
+ DEBUG(1, ("Username does not exist in system passwd!\n"));
+ return False;
+ }
 if (!oldpass) {
 oldpass = "";
@@ -528,8 +534,6 @@ BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL
 }
 }
- pass = Get_Pwnam(name);
-
 #ifdef WITH_PAM
 if (lp_pam_password_change()) {
 BOOL ret;
@@ -983,9 +987,8 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw
 * to touch the unix db unless we have admin permission.
 */
- if(lp_unix_password_sync() && IS_SAM_UNIX_USER(hnd)
- && !chgpasswd(pdb_get_username(hnd),
- old_passwd, new_passwd, False)) {
+ if(lp_unix_password_sync() &&
+ !chgpasswd(pdb_get_username(hnd), old_passwd, new_passwd, False)) {
 return NT_STATUS_ACCESS_DENIED;
 }
diff --git a/source3/smbd/ntquotas.c b/source3/smbd/ntquotas.c
index f34d61541c..a23b480627 100644
--- a/source3/smbd/ntquotas.c
+++ b/source3/smbd/ntquotas.c
@@ -74,7 +74,6 @@ int vfs_get_ntquota(files_struct *fsp, enum SMB_QUOTA_TYPE qtype, DOM_SID *psid,
 int ret;
 SMB_DISK_QUOTA D;
 unid_t id;
- enum SID_NAME_USE sid_use = SID_NAME_USE_NONE;
 ZERO_STRUCT(D);
@@ -85,7 +84,7 @@ int vfs_get_ntquota(files_struct *fsp, enum SMB_QUOTA_TYPE qtype, DOM_SID *psid,
 id.uid = -1;
- if (psid && !sid_to_uid(psid, &id.uid, &sid_use)) {
+ if (psid && NT_STATUS_IS_ERR(sid_to_uid(psid, &id.uid))) {
 DEBUG(0,("sid_to_uid: failed, SID[%s]\n", sid_string_static(psid)));
 }
@@ -113,7 +112,6 @@ int vfs_set_ntquota(files_struct *fsp, enum SMB_QUOTA_TYPE qtype, DOM_SID *psid,
 int ret;
 SMB_DISK_QUOTA D;
 unid_t id;
- enum SID_NAME_USE sid_use = SID_NAME_USE_NONE;
 ZERO_STRUCT(D);
 if (!fsp||!fsp->conn||!qt)
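Review bot: The new `pass = Get_Pwnam(name);` now sits directly after the `if (!name)` block, which only logs and does not return, so a NULL name is passed straight to Get_Pwnam; the old placement had the same gap, but moving the lookup to the top of the function is the moment to close it. Add `return False;` inside the `if (!name)` branch so the NULL case is rejected before any lookup. chgpasswd continues outside the hunk.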
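Review bot: With `IS_SAM_UNIX_USER(hnd)` removed from the condition in change_oem_password, `lp_unix_password_sync()` now calls chgpasswd for every account, and the chgpasswd change in this commit returns False when the name is not in the system passwd, so a SAM password change for a non-unix account is refused with NT_STATUS_ACCESS_DENIED where it previously skipped the unix sync. If that is intended, say so in the comment above the condition; otherwise skip the sync when the account has no unix identity, e.g. `&& NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(hnd), &uid))` before the chgpasswd call. change_oem_password continues outside the hunk.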
@@ -133,7 +131,7 @@ int vfs_set_ntquota(files_struct *fsp, enum SMB_QUOTA_TYPE qtype, DOM_SID *psid,
 D.isoftlimit = limit_blk2inodes(D.softlimit);
 D.ihardlimit = limit_blk2inodes(D.hardlimit);
- if (psid && !sid_to_uid(psid, &id.uid, &sid_use)) {
+ if (psid && NT_STATUS_IS_ERR(sid_to_uid(psid, &id.uid))) {
 DEBUG(0,("sid_to_uid: failed, SID[%s]\n", sid_string_static(psid)));
 }
@@ -187,7 +185,7 @@ int vfs_get_user_ntquota_list(files_struct *fsp, SMB_NTQUOTA_LIST **qt_list)
 continue;
 }
- if (uid_to_sid(&sid,usr->pw_uid)==NULL) {
+ if (NT_STATUS_IS_ERR(uid_to_sid(&sid, usr->pw_uid))) {
 DEBUG(0,("uid_to_sid failed for %d\n",usr->pw_uid));
 continue;
 }
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index e7c834f531..fef176cae1 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1780,7 +1780,6 @@ static int call_nt_transact_ioctl(connection_struct *conn,
 DOM_SID sid;
 uid_t uid;
- enum SID_NAME_USE sid_use = 0;
 size_t sid_len=SID_MAX_SIZE;
 DEBUG(1,("FSCTL_FIND_FILES_BY_SID: fnum=%d control=0x%08x\n",fnum,control));
@@ -1792,10 +1791,9 @@ static int call_nt_transact_ioctl(connection_struct *conn,
 sid_parse(pdata+4,sid_len,&sid);
 DEBUGADD(2,("SID: %s\n",sid_string_static(&sid)));
- if (!sid_to_uid(&sid, &uid, &sid_use)
- ||sid_use!=SID_NAME_USER) {
- DEBUG(0,("sid_to_uid: failed, sid[%s] sid_use: %d\n",
- sid_string_static(&sid),sid_use));
+ if (NT_STATUS_IS_ERR(sid_to_uid(&sid, &uid))) {
+ DEBUG(0,("sid_to_uid: failed, sid[%s]\n",
+ sid_string_static(&sid)));
 uid = (-1);
 }
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 415025f649..81849b709a 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -68,7 +68,6 @@ void invalidate_vuid(uint16 vuid)
 SAFE_FREE(vuser->logon_script);
 session_yield(vuser);
- SAFE_FREE(vuser->session_keystr);
 free_server_info(&vuser->server_info);
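Review bot: The FSCTL_FIND_FILES_BY_SID rewrite drops the `sid_use!=SID_NAME_USER` test, so a client-supplied SID is now accepted as long as sid_to_uid maps it to something; that is only safe if the new sid_to_uid itself refuses non-user SIDs, which this hunk cannot show. Either confirm that and note it, e.g. `/* sid_to_uid only succeeds for user SIDs, so no separate type check */`, or keep a type check in front of the mapping. call_nt_transact_ioctl continues outside the hunk.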
@@ -142,15 +141,9 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name)
 /* the next functions should be done by a SID mapping system (SMS) as
 * the new real sam db won't have reference to unix uids or gids */
- if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
- DEBUG(0,("Attempted session setup with invalid user. No uid/gid in SAM_ACCOUNT\n"));
- free(vuser);
- free_server_info(&server_info);
- return UID_FIELD_INVALID;
- }
- vuser->uid = pdb_get_uid(server_info->sam_account);
- vuser->gid = pdb_get_gid(server_info->sam_account);
+ vuser->uid = server_info->uid;
+ vuser->gid = server_info->gid;
 vuser->n_groups = server_info->n_groups;
 if (vuser->n_groups) {
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 34c33af473..228322dc42 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -443,7 +443,6 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
 {
 DOM_SID owner_sid;
 DOM_SID grp_sid;
- enum SID_NAME_USE sid_type;
 *puser = (uid_t)-1;
 *pgrp = (gid_t)-1;
@@ -469,7 +468,7 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
 if (security_info_sent & OWNER_SECURITY_INFORMATION) {
 sid_copy(&owner_sid, psd->owner_sid);
- if (!sid_to_uid( &owner_sid, puser, &sid_type)) {
+ if (NT_STATUS_IS_ERR(sid_to_uid(&owner_sid, puser))) {
 #if ACL_FORCE_UNMAPPABLE
 /* this allows take ownership to work reasonably */
 extern struct current_user current_user;
@@ -489,7 +488,7 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
 if (security_info_sent & GROUP_SECURITY_INFORMATION) {
 sid_copy(&grp_sid, psd->grp_sid);
- if (!sid_to_gid( &grp_sid, pgrp, &sid_type)) {
+ if (NT_STATUS_IS_ERR(sid_to_gid( &grp_sid, pgrp))) {
 #if ACL_FORCE_UNMAPPABLE
 /* this allows take group ownership to work reasonably */
 extern struct current_user current_user;
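Review bot: The session-setup guard that rejected a user with no uid/gid is removed and `vuser->uid`/`gid` are now taken verbatim from `server_info->uid`/`gid` without validation; if the auth code leaves those at a sentinel for an account idmap could not map (not visible from this hunk), the vuid is registered with that value and every later impersonation of this session inherits it. Keep a check mirroring the old branch, e.g. `if (server_info->uid == (uid_t)-1) { free(vuser); free_server_info(&server_info); return UID_FIELD_INVALID; }`, or replace the stale SMS comment above with one naming where a valid uid is now guaranteed. register_vuid continues outside the hunk.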
@@ -938,7 +937,6 @@ static BOOL create_canon_ace_lists(files_struct *fsp,
 }
 for(i = 0; i < dacl->num_aces; i++) {
- enum SID_NAME_USE sid_type;
 SEC_ACE *psa = &dacl->ace[i];
 /*
@@ -1003,10 +1001,10 @@ static BOOL create_canon_ace_lists(files_struct *fsp,
 if (nt4_compatible_acls())
 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
- } else if (sid_to_gid( ¤t_ace->trustee, ¤t_ace->unix_ug.gid, &sid_type)) {
+ } else if (NT_STATUS_IS_OK(sid_to_gid( ¤t_ace->trustee, ¤t_ace->unix_ug.gid))) {
 current_ace->owner_type = GID_ACE;
 current_ace->type = SMB_ACL_GROUP;
- } else if (sid_to_uid( ¤t_ace->trustee, ¤t_ace->unix_ug.uid, &sid_type)) {
+ } else if (NT_STATUS_IS_OK(sid_to_uid( ¤t_ace->trustee, ¤t_ace->unix_ug.uid))) {
 current_ace->owner_type = UID_ACE;
 current_ace->type = SMB_ACL_USER;
 } else {
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index d46be42eba..edc7b57ba3 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -839,6 +839,12 @@ static BOOL init_structs(void )
 if(!initialize_password_db(False))
 exit(1);
+ if (!idmap_init())
+ exit(1);
+
+ if (!idmap_init_wellknown_sids())
+ exit(1);
+
 static_init_rpc;
 init_modules();
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index b9cf0de3bd..c68d00025c 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -405,10 +405,9 @@ void add_supplementary_nt_login_groups(int *n_groups, gid_t **pp_groups, NT_USER
 memcpy(final_groups, *pp_groups, current_n_groups * sizeof(gid_t));
 for (i = 0; i < ptok->num_sids; i++) {
- enum SID_NAME_USE sid_type;
 gid_t new_grp;
- if (sid_to_gid(&ptok->user_sids[i], &new_grp, &sid_type)) {
+ if (NT_STATUS_IS_OK(sid_to_gid(&ptok->user_sids[i], &new_grp))) {
 /*
 * Don't add the gid_t if it is already in the current group
 * list. Some UNIXen don't like the same group more than once.
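Review bot: Both new startup checks in init_structs call `exit(1)` without logging why, so an idmap failure kills smbd with nothing in the log; the preceding initialize_password_db check does the same, but the idmap layer is new in this commit and its failure modes (missing tdb, bad range) are exactly what an administrator will hit first. Emit a DEBUG before each exit, e.g. `DEBUG(0,("idmap_init failed, unable to continue\n"));` and `DEBUG(0,("idmap_init_wellknown_sids failed, unable to continue\n"));`.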
@@ -530,419 +529,3 @@ BOOL lookup_sid(DOM_SID *sid, fstring dom_name, fstring name, enum SID_NAME_USE
 }
 return True;
 }
-
-/*****************************************************************
- Id mapping cache. This is to avoid Winbind mappings already
- seen by smbd to be queried too frequently, keeping winbindd
- busy, and blocking smbd while winbindd is busy with other
- stuff. Written by Michael Steffens <michael.steffens@hp.com>,
- modified to use linked lists by jra.
-*****************************************************************/
-
-#define MAX_UID_SID_CACHE_SIZE 100
-#define TURNOVER_UID_SID_CACHE_SIZE 10
-#define MAX_GID_SID_CACHE_SIZE 100
-#define TURNOVER_GID_SID_CACHE_SIZE 10
-
-static size_t n_uid_sid_cache = 0;
-static size_t n_gid_sid_cache = 0;
-
-static struct uid_sid_cache {
- struct uid_sid_cache *next, *prev;
- uid_t uid;
- DOM_SID sid;
- enum SID_NAME_USE sidtype;
-} *uid_sid_cache_head;
-
-static struct gid_sid_cache {
- struct gid_sid_cache *next, *prev;
- gid_t gid;
- DOM_SID sid;
- enum SID_NAME_USE sidtype;
-} *gid_sid_cache_head;
-
-/*****************************************************************
- Find a SID given a uid.
-*****************************************************************/
-
-static BOOL fetch_sid_from_uid_cache(DOM_SID *psid, enum SID_NAME_USE *psidtype, uid_t uid)
-{
- struct uid_sid_cache *pc;
-
- for (pc = uid_sid_cache_head; pc; pc = pc->next) {
- if (pc->uid == uid) {
- fstring sid;
- *psid = pc->sid;
- *psidtype = pc->sidtype;
- DEBUG(3,("fetch sid from uid cache %u -> %s\n",
- (unsigned int)uid, sid_to_string(sid, psid)));
- DLIST_PROMOTE(uid_sid_cache_head, pc);
- return True;
- }
- }
- return False;
-}
-
-/*****************************************************************
- Find a uid given a SID.
-*****************************************************************/
-
-static BOOL fetch_uid_from_cache(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE sidtype)
-{
- struct uid_sid_cache *pc;
-
- for (pc = uid_sid_cache_head; pc; pc = pc->next) {
- if (sid_compare(&pc->sid, psid) == 0) {
- fstring sid;
- *puid = pc->uid;
- DEBUG(3,("fetch uid from cache %u -> %s\n",
- (unsigned int)*puid, sid_to_string(sid, psid)));
- DLIST_PROMOTE(uid_sid_cache_head, pc);
- return True;
- }
- }
- return False;
-}
-
-/*****************************************************************
- Store uid to SID mapping in cache.
-*****************************************************************/
-
-static void store_uid_sid_cache(const DOM_SID *psid, const enum SID_NAME_USE sidtype, uid_t uid)
-{
- struct uid_sid_cache *pc;
-
- if (n_uid_sid_cache >= MAX_UID_SID_CACHE_SIZE && n_uid_sid_cache > TURNOVER_UID_SID_CACHE_SIZE) {
- /* Delete the last TURNOVER_UID_SID_CACHE_SIZE entries. */
- struct uid_sid_cache *pc_next;
- size_t i;
-
- for (i = 0, pc = uid_sid_cache_head; i < (n_uid_sid_cache - TURNOVER_UID_SID_CACHE_SIZE); i++, pc = pc->next)
- ;
- for(; pc; pc = pc_next) {
- pc_next = pc->next;
- DLIST_REMOVE(uid_sid_cache_head,pc);
- SAFE_FREE(pc);
- n_uid_sid_cache--;
- }
- }
-
- pc = (struct uid_sid_cache *)malloc(sizeof(struct uid_sid_cache));
- if (!pc)
- return;
- pc->uid = uid;
- sid_copy(&pc->sid, psid);
- pc->sidtype = sidtype;
- DLIST_ADD(uid_sid_cache_head, pc);
- n_uid_sid_cache++;
-}
-
-/*****************************************************************
- Find a SID given a gid.
-*****************************************************************/
-
-static BOOL fetch_sid_from_gid_cache(DOM_SID *psid, enum SID_NAME_USE *psidtype, gid_t gid)
-{
- struct gid_sid_cache *pc;
-
- for (pc = gid_sid_cache_head; pc; pc = pc->next) {
- if (pc->gid == gid) {
- fstring sid;
- *psid = pc->sid;
- *psidtype = pc->sidtype;
- DEBUG(3,("fetch sid from gid cache %u -> %s\n",
- (unsigned int)gid, sid_to_string(sid, psid)));
- DLIST_PROMOTE(gid_sid_cache_head, pc);
- return True;
- }
- }
- return False;
-}
-
-/*****************************************************************
- Find a gid given a SID.
-*****************************************************************/
-
-static BOOL fetch_gid_from_cache(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE sidtype)
-{
- struct gid_sid_cache *pc;
-
- for (pc = gid_sid_cache_head; pc; pc = pc->next) {
- if (sid_compare(&pc->sid, psid) == 0) {
- fstring sid;
- *pgid = pc->gid;
- DEBUG(3,("fetch uid from cache %u -> %s\n",
- (unsigned int)*pgid, sid_to_string(sid, psid)));
- DLIST_PROMOTE(gid_sid_cache_head, pc);
- return True;
- }
- }
- return False;
-}
-
-/*****************************************************************
- Store gid to SID mapping in cache.
-*****************************************************************/
-
-static void store_gid_sid_cache(const DOM_SID *psid, const enum SID_NAME_USE sidtype, gid_t gid)
-{
- struct gid_sid_cache *pc;
-
- if (n_gid_sid_cache >= MAX_GID_SID_CACHE_SIZE && n_gid_sid_cache > TURNOVER_GID_SID_CACHE_SIZE) {
- /* Delete the last TURNOVER_GID_SID_CACHE_SIZE entries.
*/
- struct gid_sid_cache *pc_next;
- size_t i;
-
- for (i = 0, pc = gid_sid_cache_head; i < (n_gid_sid_cache - TURNOVER_GID_SID_CACHE_SIZE); i++, pc = pc->next)
- ;
- for(; pc; pc = pc_next) {
- pc_next = pc->next;
- DLIST_REMOVE(gid_sid_cache_head,pc);
- SAFE_FREE(pc);
- n_gid_sid_cache--;
- }
- }
-
- pc = (struct gid_sid_cache *)malloc(sizeof(struct gid_sid_cache));
- if (!pc)
- return;
- pc->gid = gid;
- sid_copy(&pc->sid, psid);
- pc->sidtype = sidtype;
- DLIST_ADD(gid_sid_cache_head, pc);
- n_gid_sid_cache++;
-}
-
-
-/*****************************************************************
- *THE CANONICAL* convert uid_t to SID function.
- Tries winbind first - then uses local lookup.
- Returns SID pointer.
-*****************************************************************/
-
-DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid)
-{
- uid_t low, high;
- enum SID_NAME_USE sidtype;
- fstring sid;
-
- if (fetch_sid_from_uid_cache(psid, &sidtype, uid))
- return psid;
-
- if (lp_winbind_uid(&low, &high) && uid >= low && uid <= high) {
- if (winbind_uid_to_sid(psid, uid)) {
-
- DEBUG(10,("uid_to_sid: winbindd %u -> %s\n",
- (unsigned int)uid, sid_to_string(sid, psid)));
-
- if (psid)
- store_uid_sid_cache(psid, SID_NAME_USER, uid);
- return psid;
- }
- }
-
- /* Make sure we report failure, (when psid == NULL) */
- become_root();
- psid = local_uid_to_sid(psid, uid);
- unbecome_root();
-
- DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid, sid_to_string(sid, psid)));
- if (psid)
- store_uid_sid_cache(psid, SID_NAME_USER, uid);
-
- return psid;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert gid_t to SID function.
- Tries winbind first - then uses local lookup.
- Returns SID pointer.
-*****************************************************************/
-
-DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid)
-{
- gid_t low, high;
- enum SID_NAME_USE sidtype;
- fstring sid;
-
- if (fetch_sid_from_gid_cache(psid, &sidtype, gid))
- return psid;
-
- if (lp_winbind_gid(&low, &high) && gid >= low && gid <= high) {
- if (winbind_gid_to_sid(psid, gid)) {
-
- DEBUG(10,("gid_to_sid: winbindd %u -> %s\n",
- (unsigned int)gid, sid_to_string(sid, psid)));
-
- if (psid)
- store_gid_sid_cache(psid, SID_NAME_DOM_GRP, gid);
- return psid;
- }
- }
-
- /* Make sure we report failure, (when psid == NULL) */
- become_root();
- psid = local_gid_to_sid(psid, gid);
- unbecome_root();
- DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid, sid_to_string(sid, psid)));
- if (psid)
- store_gid_sid_cache(psid, SID_NAME_DOM_GRP, gid);
-
- return psid;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert SID to uid function.
- Tries winbind first - then uses local lookup.
- Returns True if this name is a user sid and the conversion
- was done correctly, False if not. sidtype is set by this function.
-*****************************************************************/
-
-BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype)
-{
- fstring sid_str;
-
- if (fetch_uid_from_cache(puid, psid, *sidtype))
- return True;
-
- /* if we know its local then don't try winbindd */
- if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
- BOOL result;
- become_root();
- result = local_sid_to_uid(puid, psid, sidtype);
- unbecome_root();
- if (result)
- store_uid_sid_cache(psid, *sidtype, *puid);
- return result;
- }
-
-/* (tridge) I commented out the slab of code below in order to support foreign SIDs
- Do we really need to validate the type of SID we have in this case?
-*/
-#if 0
- fstring dom_name, name;
- enum SID_NAME_USE name_type;
-
- *sidtype = SID_NAME_UNKNOWN;
- /*
- * First we must look up the name and decide if this is a user sid.
- */
-
- if ( (!winbind_lookup_sid(psid, dom_name, name, &name_type)) || (name_type != SID_NAME_USER) ) {
- BOOL result;
- DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed - trying local.\n",
- sid_to_string(sid_str, psid) ));
-
- become_root();
- result = local_sid_to_uid(puid, psid, sidtype);
- unbecome_root();
- return result;
- }
-
- /*
- * Ensure this is a user sid.
- */
-
- if (name_type != SID_NAME_USER) {
- DEBUG(10,("sid_to_uid: winbind lookup succeeded but SID is not a uid (%u)\n",
- (unsigned int)name_type ));
- return False;
- }
-#endif
- *sidtype = SID_NAME_USER;
-
- /*
- * Get the uid for this SID.
- */
-
- if (!winbind_sid_to_uid(puid, psid)) {
- BOOL result;
- DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed.\n",
- sid_to_string(sid_str, psid) ));
- become_root();
- result = local_sid_to_uid(puid, psid, sidtype);
- unbecome_root();
- if (result)
- store_uid_sid_cache(psid, *sidtype, *puid);
- return result;
- }
-
- DEBUG(10,("sid_to_uid: winbindd %s -> %u\n",
- sid_to_string(sid_str, psid),
- (unsigned int)*puid ));
-
- store_uid_sid_cache(psid, *sidtype, *puid);
- return True;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert SID to gid function.
- Tries winbind first - then uses local lookup.
- Returns True if this name is a user sid and the conversion
- was done correctly, False if not.
-*****************************************************************/
-
-BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype)
-{
- fstring dom_name, name, sid_str;
- enum SID_NAME_USE name_type;
-
- *sidtype = SID_NAME_UNKNOWN;
-
- if (fetch_gid_from_cache(pgid, psid, *sidtype))
- return True;
-
- /*
- * First we must look up the name and decide if this is a group sid.
- */
-
- /* if we know its local then don't try winbindd */
- if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
- BOOL result;
- become_root();
- result = local_sid_to_gid(pgid, psid, sidtype);
- unbecome_root();
- if (result)
- store_gid_sid_cache(psid, *sidtype, *pgid);
- return result;
- }
-
- if (!winbind_lookup_sid(psid, dom_name, name, &name_type)) {
- DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed.\n",
- sid_to_string(sid_str, psid) ));
- /* this was probably a foreign sid - assume its a group rid
- and continue */
- name_type = SID_NAME_DOM_GRP;
- }
-
- /*
- * Ensure this is a group sid.
- */
-
- if ((name_type != SID_NAME_DOM_GRP) && (name_type != SID_NAME_ALIAS) && (name_type != SID_NAME_WKN_GRP)) {
- DEBUG(10,("sid_to_gid: winbind lookup succeeded but SID is not a known group (%u)\n",
- (unsigned int)name_type ));
-
- return False;
- }
-
- *sidtype = name_type;
-
- /*
- * Get the gid for this SID.
- */
-
- if (!winbind_sid_to_gid(pgid, psid)) {
- DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed.\n",
- sid_to_string(sid_str, psid) ));
- return False;
- }
-
- DEBUG(10,("sid_to_gid: winbindd %s -> %u\n",
- sid_to_string(sid_str, psid),
- (unsigned int)*pgid ));
-
- store_gid_sid_cache(psid, *sidtype, *pgid);
- return True;
-}
-
diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
index e5df6ab038..13f35e8880 100644
--- a/source3/utils/pdbedit.c
+++ b/source3/utils/pdbedit.c
@@ -122,12 +122,6 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst
 printf ("Unix username: %s\n", pdb_get_username(sam_pwent));
 printf ("NT username: %s\n", pdb_get_nt_username(sam_pwent));
 printf ("Account Flags: %s\n", pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent), NEW_PW_FORMAT_SPACE_PADDED_LEN));
-
- if (IS_SAM_UNIX_USER(sam_pwent)) {
- uid = pdb_get_uid(sam_pwent);
- gid = pdb_get_gid(sam_pwent);
- printf ("User ID/Group ID: %d/%d\n", uid, gid);
- }
 printf ("User SID: %s\n", sid_string_static(pdb_get_user_sid(sam_pwent)));
 printf ("Primary Group SID: %s\n",
@@ -161,35 +155,25 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst
 printf ("Password must change: %s\n", tmp ? http_timestring(tmp) : "0");
 } else if (smbpwdstyle) {
- if (IS_SAM_UNIX_USER(sam_pwent)) {
- char lm_passwd[33];
- char nt_passwd[33];
-
- uid = pdb_get_uid(sam_pwent);
- pdb_sethexpwd(lm_passwd,
- pdb_get_lanman_passwd(sam_pwent),
- pdb_get_acct_ctrl(sam_pwent));
- pdb_sethexpwd(nt_passwd,
- pdb_get_nt_passwd(sam_pwent),
- pdb_get_acct_ctrl(sam_pwent));
+ char lm_passwd[33];
+ char nt_passwd[33];
+
+ uid = -1;
+ sid_to_uid(pdb_get_user_sid(sam_pwent), &uid);
+ pdb_sethexpwd(lm_passwd, pdb_get_lanman_passwd(sam_pwent), pdb_get_acct_ctrl(sam_pwent));
+ pdb_sethexpwd(nt_passwd, pdb_get_nt_passwd(sam_pwent), pdb_get_acct_ctrl(sam_pwent));
- printf("%s:%d:%s:%s:%s:LCT-%08X:\n",
- pdb_get_username(sam_pwent),
- uid,
- lm_passwd,
- nt_passwd,
- pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent),NEW_PW_FORMAT_SPACE_PADDED_LEN),
- (uint32)pdb_get_pass_last_set_time(sam_pwent));
- } else {
- fprintf(stderr, "Can't output in smbpasswd format, no uid on this record.\n");
- }
+ printf("%s:%d:%s:%s:%s:LCT-%08X:\n",
+ pdb_get_username(sam_pwent),
+ uid,
+ lm_passwd,
+ nt_passwd,
+ pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent),NEW_PW_FORMAT_SPACE_PADDED_LEN),
+ (uint32)pdb_get_pass_last_set_time(sam_pwent));
 } else {
- if (IS_SAM_UNIX_USER(sam_pwent)) {
- printf ("%s:%d:%s\n", pdb_get_username(sam_pwent), pdb_get_uid(sam_pwent),
- pdb_get_fullname(sam_pwent));
- } else {
- printf ("%s:(null):%s\n", pdb_get_username(sam_pwent), pdb_get_fullname(sam_pwent));
- }
+ uid = -1;
+ sid_to_uid(pdb_get_user_sid(sam_pwent), &uid);
+ printf ("%s:%d:%s\n", pdb_get_username(sam_pwent), uid, pdb_get_fullname(sam_pwent));
 }
 return 0;
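Review bot: The NTSTATUS returned by `sid_to_uid(pdb_get_user_sid(sam_pwent), &uid);` is discarded in both the smbpasswd-style branch and the short-listing branch, so an account whose SID has no uid mapping is now printed with uid `-1` where the old code emitted the explicit `Can't output in smbpasswd format, no uid on this record.` error (or `(null)` in the short form). A record carrying a bogus uid in smbpasswd format is worse than no record, because that output can be fed back into another smbpasswd file. Check the status and report the failure rather than printing the line, as sketched below; `uid` is declared outside the hunk, so its type and how `-1` renders through `%d` cannot be confirmed here. print_sam_info begins outside this hunk.
```c
		} else if (smbpwdstyle) {
			char lm_passwd[33];
			char nt_passwd[33];

			if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_pwent), &uid))) {
				fprintf(stderr, "Can't output in smbpasswd format, no uid for %s.\n",
					pdb_get_username(sam_pwent));
				return 0;
			}
			/* … unchanged: pdb_sethexpwd calls and the smbpasswd-format printf … */
		} else {
			if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_pwent), &uid))) {
				printf ("%s:(null):%s\n", pdb_get_username(sam_pwent), pdb_get_fullname(sam_pwent));
				return 0;
			}
			printf ("%s:%d:%s\n", pdb_get_username(sam_pwent), uid, pdb_get_fullname(sam_pwent));
```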
@@ -583,8 +567,8 @@ int main (int argc, char **argv)
 {"drive", 'D', POPT_ARG_STRING, &home_drive, 0, "set home drive", NULL},
 {"script", 'S', POPT_ARG_STRING, &logon_script, 0, "set logon script", NULL},
 {"profile", 'p', POPT_ARG_STRING, &profile_path, 0, "set profile path", NULL},
- {"user-SID", 'U', POPT_ARG_STRING, &user_sid, 0, "set user SID or RID", NULL},
- {"group-SID", 'G', POPT_ARG_STRING, &group_sid, 0, "set group SID or RID", NULL},
+ {"user SID", 'U', POPT_ARG_STRING, &user_sid, 0, "set user SID or RID", NULL},
+ {"group SID", 'G', POPT_ARG_STRING, &group_sid, 0, "set group SID or RID", NULL},
 {"create", 'a', POPT_ARG_NONE, &add_user, 0, "create user", NULL},
 {"modify", 'r', POPT_ARG_NONE, &modify_user, 0, "modify user", NULL},
 {"machine", 'm', POPT_ARG_NONE, &machine, 0, "account is a machine account", NULL},
@@ -626,6 +610,12 @@ int main (int argc, char **argv)
 if (!init_names())
 exit(1);
+ if (!idmap_init())
+ exit(1);
+
+ if (!idmap_init_wellknown_sids())
+ exit(1);
+
 setparms = (backend ? BIT_BACKEND : 0) +
 (verbose ? BIT_VERBOSE : 0) +
 (spstyle ? BIT_SPSTYLE : 0) +
diff --git a/source3/utils/profiles.c b/source3/utils/profiles.c
index 7c2d820c81..afaa83f638 100644
--- a/source3/utils/profiles.c
+++ b/source3/utils/profiles.c
@@ -418,10 +418,10 @@ static int my_sid_equal(DOM_SID *s1, DOM_SID *s2)
 * Quick and dirty to read a SID in S-1-5-21-x-y-z-rid format and
 * construct a DOM_SID
 */
-static int get_sid(DOM_SID *sid, char *sid_str)
+static int get_sid(DOM_SID *sid, const unsigned char *sid_str)
 {
 int i = 0, auth;
- char *lstr;
+ const unsigned char *lstr;
 if (strncmp(sid_str, "S-1-5", 5)) {
 fprintf(stderr, "Does not conform to S-1-5...: %s\n", sid_str); |
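Review bot: The long option names on the two changed lines now contain a space, `{"user SID", 'U', ...}` and `{"group SID", 'G', ...}`, which turns the previously usable `--user-SID` and `--group-SID` spellings into options that can only be reached by quoting the space and silently breaks any script that used the old names; the short `-U`/`-G` forms keep working, which will mask the regression. This reads as an accidental edit rather than an intended rename, since the help text is untouched. Restore `"user-SID"` and `"group-SID"` (or another hyphenated spelling) on both lines. The option table and main() extend beyond this hunk.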
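Review bot: Changing the parameter to `const unsigned char *sid_str` makes the unchanged `strncmp(sid_str, "S-1-5", 5)` and the `%s` argument to `fprintf` pass an `unsigned char *` where `const char *` is expected, a pointer-signedness mismatch that C compilers diagnose, and `lstr`, now also `const unsigned char *`, presumably hits the same mismatch in the string code that follows outside the hunk. Either keep the parameter as `const char *sid_str` and cast once at whatever caller holds an `unsigned char` buffer, or cast at each libc call inside get_sid, e.g. `if (strncmp((const char *)sid_str, "S-1-5", 5)) {`. The rest of get_sid is outside this hunk.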