summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/include/smb.h4
-rw-r--r--source3/lib/util_sid.c31
-rw-r--r--source3/nsswitch/winbindd_ads.c10
-rw-r--r--source3/nsswitch/winbindd_cache.c3
-rw-r--r--source3/nsswitch/winbindd_group.c3
-rw-r--r--source3/passdb/passdb.c78
-rw-r--r--source3/passdb/pdb_get_set.c97
-rw-r--r--source3/passdb/pdb_ldap.c10
-rw-r--r--source3/passdb/pdb_nisplus.c12
-rw-r--r--source3/passdb/pdb_smbpasswd.c7
-rw-r--r--source3/passdb/pdb_tdb.c13
-rw-r--r--source3/passdb/pdb_unix.c3
-rw-r--r--source3/rpc_server/srv_samr_nt.c15
-rw-r--r--source3/utils/pdbedit.c10
14 files changed, 183 insertions, 113 deletions
diff --git a/source3/include/smb.h b/source3/include/smb.h
index c604599180..531f270c3d 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -624,8 +624,8 @@ typedef struct sam_passwd
uid_t uid; /* this is a unix uid_t */
gid_t gid; /* this is a unix gid_t */
- uint32 user_rid; /* Primary User ID */
- uint32 group_rid; /* Primary Group ID */
+ DOM_SID user_sid; /* Primary User SID */
+ DOM_SID group_sid; /* Primary Group SID */
DATA_BLOB lm_pw; /* .data is Null if no password */
DATA_BLOB nt_pw; /* .data is Null if no password */
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 21ef9e081b..3ad9e909d8 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -1,10 +1,11 @@
/*
Unix SMB/CIFS implementation.
Samba utility functions
- Copyright (C) Andrew Tridgell 1992-1998
- Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
- Copyright (C) Jeremy Allison 1999
-
+ Copyright (C) Andrew Tridgell 1992-1998
+ Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
+ Copyright (C) Jeremy Allison 1999
+ Copyright (C) Stefan (metze) Metzmacher 2002
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
@@ -253,6 +254,9 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid)
BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid)
{
+ if (!sid || !rid)
+ return False;
+
if (sid->num_auths > 0) {
*rid = sid->sub_auths[sid->num_auths - 1];
return True;
@@ -261,6 +265,25 @@ BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid)
}
/*****************************************************************
+ Return the last rid from the end of a sid
+ and check the sid against the exp_dom_sid
+*****************************************************************/
+
+BOOL sid_peek_check_rid(DOM_SID *exp_dom_sid,DOM_SID *sid, uint32 *rid)
+{
+ if (!exp_dom_sid || !sid || !rid)
+ return False;
+
+
+ if (sid_compare_domain(exp_dom_sid, sid)!=0){
+ *rid=(-1);
+ return False;
+ }
+
+ return sid_peek_rid(sid,rid);
+}
+
+/*****************************************************************
Copies a sid
*****************************************************************/
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 545ee411a4..28aeb39730 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -273,7 +273,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
continue;
}
- if (!sid_peek_rid(&sid, &rid)) {
+ if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
DEBUG(1,("No rid for %s !?\n", name));
continue;
}
@@ -356,7 +356,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
continue;
}
- if (!sid_peek_rid(&sid, &rid)) {
+ if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
DEBUG(1,("No rid for %s !?\n", name));
continue;
}
@@ -584,7 +584,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
goto done;
}
- if (!sid_peek_rid(&sid, &info->user_rid)) {
+ if (!sid_peek_check_rid(&domain->sid,&sid, &info->user_rid)) {
DEBUG(1,("No rid for %d !?\n", user_rid));
goto done;
}
@@ -662,7 +662,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
for (i=1;i<count;i++) {
uint32 rid;
- if (!sid_peek_rid(&sids[i-1], &rid)) continue;
+ if (!sid_peek_check_rid(&domain->sid, &sids[i-1], &rid)) continue;
(*user_gids)[*num_groups] = rid;
(*num_groups)++;
}
@@ -737,7 +737,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
DEBUG(1,("No sid for %s !?\n", (*names)[*num_names]));
continue;
}
- if (!sid_peek_rid(&sid, &rid)) {
+ if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
DEBUG(1,("No rid for %s !?\n", (*names)[*num_names]));
continue;
}
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c
index dcb93fa3b5..d9ed63baf8 100644
--- a/source3/nsswitch/winbindd_cache.c
+++ b/source3/nsswitch/winbindd_cache.c
@@ -658,7 +658,8 @@ static NTSTATUS sid_to_name(struct winbindd_domain *domain,
NTSTATUS status;
uint32 rid = 0;
- sid_peek_rid(sid, &rid);
+ if (!sid_peek_check_rid(&domain->sid, sid, &rid))
+ return NT_STATUS_INVALID_PARAMETER;
if (!cache->tdb) goto do_query;
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index 4ef57513bb..ab8e1cfd78 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -228,7 +228,8 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
}
/* Fill in group structure */
- sid_peek_rid(&group_sid, &group_rid);
+ if (!sid_peek_check_rid(&domain->sid, &group_sid, &group_rid))
+ return WINBINDD_ERROR;
if (!winbindd_idmap_get_gid_from_sid(&group_sid, &gid)) {
DEBUG(1, ("error converting unix gid to sid\n"));
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 154963e2a0..31bbf14299 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -156,7 +156,6 @@ NTSTATUS pdb_init_sam(SAM_ACCOUNT **user)
NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
{
GROUP_MAP map;
- uint32 rid;
if (!pwd) {
return NT_STATUS_UNSUCCESSFUL;
@@ -184,18 +183,25 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
-- abartlet 11-May-02
*/
- pdb_set_user_rid(sam_account,
- fallback_pdb_uid_to_user_rid(pwd->pw_uid));
+ if (!pdb_set_user_sid_from_rid(sam_account,
+ fallback_pdb_uid_to_user_rid(pwd->pw_uid))) {
+ DEBUG(0,("Can't set User SID from RID!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
/* call the mapping code here */
if(get_group_map_from_gid(pwd->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
- sid_peek_rid(&map.sid, &rid);
+ if (!pdb_set_group_sid(sam_account,&map.sid)){
+ DEBUG(0,("Can't set Group SID!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
}
else {
- rid=pdb_gid_to_group_rid(pwd->pw_gid);
+ if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid))) {
+ DEBUG(0,("Can't set Group SID\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
}
-
- pdb_set_group_rid(sam_account, rid);
/* check if this is a user account or a machine account */
if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$')
@@ -455,39 +461,6 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
return (True);
}
-#if 0 /* seem it is not used by anyone */
-/*******************************************************************
- Group and User RID username mapping function
- ********************************************************************/
-
-BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid)
-{
- GROUP_MAP map;
- struct passwd *pw = Get_Pwnam(user_name);
-
- if (u_rid == NULL || g_rid == NULL || user_name == NULL)
- return False;
-
- if (!pw) {
- DEBUG(1,("Username %s is invalid on this system\n", user_name));
- return False;
- }
-
- /* turn the unix UID into a Domain RID. this is what the posix
- sub-system does (adds 1000 to the uid) */
- *u_rid = fallback_pdb_uid_to_user_rid(pw->pw_uid);
-
- /* absolutely no idea what to do about the unix GID to Domain RID mapping */
- /* map it ! */
- if (get_group_map_from_gid(pw->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
- sid_peek_rid(&map.sid, g_rid);
- } else
- *g_rid = pdb_gid_to_group_rid(pw->pw_gid);
-
- return True;
-}
-#endif /* seem it is not used by anyone */
-
/*******************************************************************
Converts NT user RID to a UNIX uid.
********************************************************************/
@@ -578,7 +551,11 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
SAM_ACCOUNT *sam_account = NULL;
GROUP_MAP map;
- sid_peek_rid(sid, &rid);
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)){
+ DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n",
+ sid_string_static(&map.sid)));
+ return False;
+ }
*psid_name_use = SID_NAME_UNKNOWN;
DEBUG(5,("local_lookup_sid: looking up RID %u.\n", (unsigned int)rid));
@@ -724,10 +701,9 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
}
if (pdb_getsampwnam(sam_account, user)) {
- sid_append_rid( &local_sid, pdb_get_user_rid(sam_account));
+ sid_copy(psid, (DOM_SID *) pdb_get_user_sid(sam_account));
*psid_name_use = SID_NAME_USER;
- sid_copy( psid, &local_sid);
pdb_free_sam(&sam_account);
return True;
}
@@ -800,7 +776,7 @@ DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
}
if (pdb_getsampwnam(sam_user, pass->pw_name)) {
- sid_append_rid(psid, pdb_get_user_rid(sam_user));
+ sid_copy(psid, (DOM_SID *) pdb_get_user_sid(sam_user));
} else {
sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
}
@@ -920,7 +896,11 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
if (map.gid==-1)
return False;
- sid_peek_rid(&map.sid, &rid);
+ if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &rid)){
+ DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n",
+ sid_string_static(&map.sid)));
+ return False;
+ }
*pgid = map.gid;
*name_type = map.sid_name_use;
DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", sid_to_string( str, psid),
@@ -996,9 +976,9 @@ void copy_id23_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_23 *from)
pdb_set_munged_dial(to , pdb_unistr2_convert(&from->uni_munged_dial ));
if (from->user_rid)
- pdb_set_user_rid(to, from->user_rid);
+ pdb_set_user_sid_from_rid(to, from->user_rid);
if (from->group_rid)
- pdb_set_group_rid(to, from->group_rid);
+ pdb_set_group_sid_from_rid(to, from->group_rid);
pdb_set_acct_ctrl(to, from->acb_info);
pdb_set_unknown_3(to, from->unknown_3);
@@ -1051,9 +1031,9 @@ void copy_id21_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_21 *from)
pdb_set_munged_dial(to , pdb_unistr2_convert(&from->uni_munged_dial ));
if (from->user_rid)
- pdb_set_user_rid(to, from->user_rid);
+ pdb_set_user_sid_from_rid(to, from->user_rid);
if (from->group_rid)
- pdb_set_group_rid(to, from->group_rid);
+ pdb_set_group_sid_from_rid(to, from->group_rid);
/* FIXME!! Do we need to copy the passwords here as well?
I don't know. Need to figure this out --jerry */
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index 5ed54a9857..0b5a1053ae 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -5,6 +5,7 @@
Copyright (C) Luke Kenneth Casson Leighton 1996-1998
Copyright (C) Gerald (Jerry) Carter 2000-2001
Copyright (C) Andrew Bartlett 2001-2002
+ Copyright (C) Stefan (metze) Metzmacher 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -155,21 +156,41 @@ const char* pdb_get_plaintext_passwd (const SAM_ACCOUNT *sampass)
else
return (NULL);
}
+const DOM_SID *pdb_get_user_sid(const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return &sampass->private.user_sid;
+ else
+ return (NULL);
+}
+
+const DOM_SID *pdb_get_group_sid(const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return &sampass->private.group_sid;
+ else
+ return (NULL);
+}
uint32 pdb_get_user_rid (const SAM_ACCOUNT *sampass)
{
+ uint32 u_rid;
+
if (sampass)
- return (sampass->private.user_rid);
- else
- return (-1);
+ if (sid_peek_check_rid(get_global_sam_sid(), (DOM_SID *) pdb_get_user_sid(sampass),&u_rid))
+ return u_rid;
+
+ return (-1);
}
uint32 pdb_get_group_rid (const SAM_ACCOUNT *sampass)
{
+ uint32 g_rid;
+
if (sampass)
- return (sampass->private.group_rid);
- else
- return (-1);
+ if (sid_peek_check_rid(get_global_sam_sid(), (DOM_SID *) pdb_get_group_sid(sampass),&g_rid))
+ return g_rid;
+ return (-1);
}
/**
@@ -487,27 +508,71 @@ BOOL pdb_set_gid (SAM_ACCOUNT *sampass, const gid_t gid)
}
-BOOL pdb_set_user_rid (SAM_ACCOUNT *sampass, uint32 rid)
+BOOL pdb_set_user_sid (SAM_ACCOUNT *sampass, DOM_SID *u_sid)
+{
+ if (!sampass || !u_sid)
+ return False;
+
+ sid_copy(&sampass->private.user_sid, u_sid);
+
+ DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n",
+ sid_string_static(&sampass->private.user_sid)));
+
+ return True;
+}
+
+BOOL pdb_set_group_sid(SAM_ACCOUNT *sampass, DOM_SID *g_sid)
{
+ if (!sampass || !g_sid)
+ return False;
+
+ sid_copy(&sampass->private.group_sid, g_sid);
+
+ DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n",
+ sid_string_static(&sampass->private.group_sid)));
+
+ return True;
+}
+
+BOOL pdb_set_user_sid_from_rid (SAM_ACCOUNT *sampass, uint32 rid)
+{
+ DOM_SID u_sid;
+
if (!sampass)
return False;
- DEBUG(10, ("pdb_set_rid: setting user rid %d, was %d\n",
- rid, sampass->private.user_rid));
-
- sampass->private.user_rid = rid;
+ sid_copy(&u_sid, get_global_sam_sid());
+
+ if (!sid_append_rid(&u_sid, rid))
+ return False;
+
+ if (!pdb_set_user_sid(sampass, &u_sid))
+ return False;
+
+ DEBUG(10, ("pdb_set_user_sid_from_rid:\n\tsetting user sid %s from rid %d\n",
+ sid_string_static(&u_sid),rid));
+
return True;
}
-BOOL pdb_set_group_rid (SAM_ACCOUNT *sampass, uint32 grid)
+BOOL pdb_set_group_sid_from_rid (SAM_ACCOUNT *sampass, uint32 grid)
{
+ DOM_SID g_sid;
+
if (!sampass)
return False;
+
+ sid_copy(&g_sid, get_global_sam_sid());
+
+ if (!sid_append_rid(&g_sid, grid))
+ return False;
+
+ if (!pdb_set_group_sid(sampass, &g_sid))
+ return False;
+
+ DEBUG(10, ("pdb_set_group_sid_from_rid:\n\tsetting group sid %s from rid %d\n",
+ sid_string_static(&g_sid), grid));
- DEBUG(10, ("pdb_set_group_rid: setting group rid %d, was %d\n",
- grid, sampass->private.group_rid));
-
- sampass->private.group_rid = grid;
return True;
}
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 28c08e0f63..7ba8d4a810 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -624,7 +624,8 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
GROUP_MAP map;
/* call the mapping code here */
if(get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
- sid_peek_rid(&map.sid, &group_rid);
+ if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &group_rid))
+ return False;
}
else {
group_rid=pdb_gid_to_group_rid(gid);
@@ -780,8 +781,8 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
pdb_set_hours_len(sampass, hours_len);
pdb_set_logon_divs(sampass, logon_divs);
- pdb_set_user_rid(sampass, user_rid);
- pdb_set_group_rid(sampass, group_rid);
+ pdb_set_user_sid_from_rid(sampass, user_rid);
+ pdb_set_group_sid_from_rid(sampass, group_rid);
pdb_set_username(sampass, username);
@@ -1273,7 +1274,8 @@ static BOOL ldapsam_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT * us
static BOOL ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid)
{
uint32 rid;
- sid_peek_rid(sid, &rid);
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+ return False;
return ldapsam_getsampwrid(my_methods, user, rid);
}
diff --git a/source3/passdb/pdb_nisplus.c b/source3/passdb/pdb_nisplus.c
index 0c4c2c5bb3..80f918d1a6 100644
--- a/source3/passdb/pdb_nisplus.c
+++ b/source3/passdb/pdb_nisplus.c
@@ -339,8 +339,8 @@ static BOOL make_sam_from_nisp_object(SAM_ACCOUNT *pw_buf, const nis_object *obj
pdb_set_uid(pw_buf, atoi(ENTRY_VAL(obj, NPF_UID)));
pdb_set_gid(pw_buf, atoi(ENTRY_VAL(obj, NPF_SMB_GRPID)));
- pdb_set_user_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_USER_RID)));
- pdb_set_group_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_GROUP_RID)));
+ pdb_set_user_sid_from_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_USER_RID)));
+ pdb_set_group_sid_from_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_GROUP_RID)));
/* values, must exist for user */
if( !(pdb_get_acct_ctrl(pw_buf) & ACB_WSTRUST) ) {
@@ -381,7 +381,7 @@ static BOOL make_sam_from_nisp_object(SAM_ACCOUNT *pw_buf, const nis_object *obj
else
{
/* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. */
- pdb_set_group_rid (pw_buf, DOMAIN_GROUP_RID_USERS);
+ pdb_set_group_sid_from_rid (pw_buf, DOMAIN_GROUP_RID_USERS);
}
/* Check the lanman password column. */
@@ -538,7 +538,8 @@ static BOOL init_nisp_from_sam(nis_object *obj, const SAM_ACCOUNT *sampass,
if (rid==0) {
if (get_group_map_from_gid(pdb_get_gid(sampass), &map, MAPPING_WITHOUT_PRIV)) {
- sid_peek_rid(&map.sid, &rid);
+ if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &rid))
+ return False;
} else
rid=pdb_gid_to_group_rid(pdb_get_gid(sampass));
}
@@ -1034,7 +1035,8 @@ BOOL pdb_getsampwnam(SAM_ACCOUNT * user, const char *sname)
BOOL pdb_getsampwsid(SAM_ACCOUNT * user, DOM_SID *sid)
{
uint32 rid;
- sid_peek_rid(sid, &rid);
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+ return False;
return pdb_getsampwrid(user, rid);
}
diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c
index a6bd66eace..25957100d8 100644
--- a/source3/passdb/pdb_smbpasswd.c
+++ b/source3/passdb/pdb_smbpasswd.c
@@ -1242,14 +1242,14 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state,
&& (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid)
&& (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {
- pdb_set_user_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid));
+ pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid));
/* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here.
This was down the bottom for machines, but it looks pretty good as
a general default for non-unix users. --abartlet 2002-01-08
*/
- pdb_set_group_rid (sam_pass, DOMAIN_GROUP_RID_USERS);
+ pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS);
pdb_set_username (sam_pass, pw_buf->smb_name);
pdb_set_domain (sam_pass, lp_workgroup());
} else {
@@ -1458,7 +1458,8 @@ static BOOL smbpasswd_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT *s
static BOOL smbpasswd_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid)
{
uint32 rid;
- sid_peek_rid(sid, &rid);
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+ return False;
return smbpasswd_getsampwrid(my_methods, user, rid);
}
diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
index 2341210e39..b309f675b3 100644
--- a/source3/passdb/pdb_tdb.c
+++ b/source3/passdb/pdb_tdb.c
@@ -246,8 +246,8 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state,
}
}
- pdb_set_user_rid(sampass, user_rid);
- pdb_set_group_rid(sampass, group_rid);
+ pdb_set_user_sid_from_rid(sampass, user_rid);
+ pdb_set_group_sid_from_rid(sampass, group_rid);
pdb_set_unknown_3(sampass, unknown_3);
pdb_set_hours_len(sampass, hours_len);
pdb_set_unknown_5(sampass, unknown_5);
@@ -671,7 +671,8 @@ static BOOL tdbsam_getsampwrid (struct pdb_methods *my_methods, SAM_ACCOUNT *use
static BOOL tdbsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid)
{
uint32 rid;
- sid_peek_rid(sid, &rid);
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+ return False;
return tdbsam_getsampwrid(my_methods, user, rid);
}
@@ -775,7 +776,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
goto done;
}
}
- pdb_set_user_rid(newpwd, user_rid);
+ pdb_set_user_sid_from_rid(newpwd, user_rid);
} else {
user_rid = tdb_state->low_nua_rid;
tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, RID_MULTIPLIER);
@@ -788,7 +789,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
ret = False;
goto done;
}
- pdb_set_user_rid(newpwd, user_rid);
+ pdb_set_user_sid_from_rid(newpwd, user_rid);
}
} else {
DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd)));
@@ -805,7 +806,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
goto done;
} else {
/* This seems like a good default choice for non-unix users */
- pdb_set_group_rid(newpwd, DOMAIN_GROUP_RID_USERS);
+ pdb_set_group_sid_from_rid(newpwd, DOMAIN_GROUP_RID_USERS);
}
} else {
DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
diff --git a/source3/passdb/pdb_unix.c b/source3/passdb/pdb_unix.c
index 85ff5bd933..b4092b88f8 100644
--- a/source3/passdb/pdb_unix.c
+++ b/source3/passdb/pdb_unix.c
@@ -68,7 +68,8 @@ static BOOL unixsam_getsampwrid (struct pdb_methods *methods,
static BOOL unixsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid)
{
uint32 rid;
- sid_peek_rid(sid, &rid);
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+ return False;
return unixsam_getsampwrid(my_methods, user, rid);
}
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index daa39b215f..a6f936feca 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2019,18 +2019,9 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_
return NT_STATUS_ACCESS_DENIED;
}
- /* Get the domain SID stored in the domain policy */
- if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) {
- pdb_free_sam(&sam_pass);
- return NT_STATUS_INVALID_HANDLE;
- }
-
- /* append the user's RID to it */
- if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) {
- pdb_free_sam(&sam_pass);
- return NT_STATUS_NO_SUCH_USER;
- }
-
+ /* Get the user's SID */
+ sid_copy(&sid, (DOM_SID *) pdb_get_user_sid(sam_pass));
+
/* associate the user's SID with the new handle. */
if ((info = get_samr_info_by_sid(&sid)) == NULL) {
pdb_free_sam(&sam_pass);
diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
index 51254667c9..ed7f648f2d 100644
--- a/source3/utils/pdbedit.c
+++ b/source3/utils/pdbedit.c
@@ -81,10 +81,12 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst
if (IS_SAM_UNIX_USER(sam_pwent)) {
uid = pdb_get_uid(sam_pwent);
gid = pdb_get_gid(sam_pwent);
- printf ("user ID/Group: %d/%d\n", uid, gid);
+ printf ("User ID/Group ID: %d/%d\n", uid, gid);
}
- printf ("user RID/GRID: %u/%u\n", (unsigned int)pdb_get_user_rid(sam_pwent),
- (unsigned int)pdb_get_group_rid(sam_pwent));
+ printf ("User SID: %s\n",
+ sid_string_static((DOM_SID *)pdb_get_user_sid(sam_pwent)));
+ printf ("Primary Group SID: %s\n",
+ sid_string_static((DOM_SID *)pdb_get_group_sid(sam_pwent)));
printf ("Full Name: %s\n", pdb_get_fullname(sam_pwent));
printf ("Home Directory: %s\n", pdb_get_homedir(sam_pwent));
printf ("HomeDir Drive: %s\n", pdb_get_dirdrive(sam_pwent));
@@ -329,7 +331,7 @@ static int new_machine (struct pdb_context *in, char *machinename)
pdb_set_acct_ctrl (sam_pwent, ACB_WSTRUST);
- pdb_set_group_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS);
+ pdb_set_group_sid_from_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS);
if (in->pdb_add_sam_account (in, sam_pwent)) {
print_user_info (in, name, True, False);