summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/include/proto.h3
-rw-r--r--source3/include/secrets.h3
-rw-r--r--source3/lib/util_sid.c21
-rw-r--r--source3/passdb/secrets.c32
-rw-r--r--source3/rpc_client/cli_lsarpc.c23
-rw-r--r--source3/rpc_client/cli_netlogon.c9
-rw-r--r--source3/rpc_server/srv_lsa.c42
7 files changed, 103 insertions, 30 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 7a95dd838e..83efdaf0df 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1576,6 +1576,8 @@ BOOL secrets_init(void);
void *secrets_fetch(char *key, size_t *size);
BOOL secrets_store(char *key, void *data, size_t size);
BOOL secrets_delete(char *key);
+BOOL secrets_store_domain_sid(char *domain, DOM_SID *sid);
+BOOL secrets_fetch_domain_sid(char *domain, DOM_SID *sid);
/*The following definitions come from passdb/smbpass.c */
@@ -1711,6 +1713,7 @@ BOOL do_lsa_query_info_pol(struct cli_state *cli,
POLICY_HND *hnd, uint16 info_class,
fstring domain_name, DOM_SID *domain_sid);
BOOL do_lsa_close(struct cli_state *cli, POLICY_HND *hnd);
+BOOL cli_lsa_get_domain_sid(struct cli_state *cli, char *server);
/*The following definitions come from rpc_client/cli_netlogon.c */
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index a87bdef56b..c16d5c7b30 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -2,7 +2,8 @@
#define SECRETS_MACHINE_ACCT_PASS "SECRETS/$MACHINE.ACC"
-#define SECRETS_SAM_SID "SAM/SAM_SID"
+#define SECRETS_DOMAIN_SID "SECRETS/SID"
+#define SECRETS_SAM_SID "SAM/SID"
struct machine_acct_pass {
uint8 hash[16];
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 3605dfbf27..46904162b1 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -49,15 +49,18 @@ typedef struct _known_sid_users {
/* static known_sid_users no_users[] = {{0, 0, NULL}}; */
static known_sid_users everyone_users[] = {{ 0, SID_NAME_WKN_GRP, "Everyone" }, {0, 0, NULL}};
static known_sid_users creator_owner_users[] = {{ 0, SID_NAME_ALIAS, "Creator Owner" }, {0, 0, NULL}};
-static known_sid_users nt_authority_users[] = {{ 1, SID_NAME_ALIAS, "Dialup" },
- { 2, SID_NAME_ALIAS, "Network"},
- { 3, SID_NAME_ALIAS, "Batch"},
- { 4, SID_NAME_ALIAS, "Interactive"},
- { 6, SID_NAME_ALIAS, "Service"},
- { 7, SID_NAME_ALIAS, "AnonymousLogon"},
- { 8, SID_NAME_ALIAS, "Proxy"},
- { 9, SID_NAME_ALIAS, "ServerLogon"},
- {0, 0, NULL}};
+static known_sid_users nt_authority_users[] = {
+ { 1, SID_NAME_ALIAS, "Dialup" },
+ { 2, SID_NAME_ALIAS, "Network"},
+ { 3, SID_NAME_ALIAS, "Batch"},
+ { 4, SID_NAME_ALIAS, "Interactive"},
+ { 6, SID_NAME_ALIAS, "Service"},
+ { 7, SID_NAME_ALIAS, "AnonymousLogon"},
+ { 8, SID_NAME_ALIAS, "Proxy"},
+ { 9, SID_NAME_ALIAS, "ServerLogon"},
+ { 11, SID_NAME_ALIAS, "Authenticated Users"},
+ { 18, SID_NAME_ALIAS, "SYSTEM"},
+ { 0, 0, NULL}};
static struct sid_name_map_info
{
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index b0021599cc..459cc6ae36 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -88,3 +88,35 @@ BOOL secrets_delete(char *key)
kbuf.dsize = strlen(key);
return tdb_delete(tdb, kbuf) == 0;
}
+
+BOOL secrets_store_domain_sid(char *domain, DOM_SID *sid)
+{
+ fstring key;
+
+ slprintf(key, sizeof(key), "%s/%s", SECRETS_DOMAIN_SID, domain);
+ return secrets_store(key, sid, sizeof(DOM_SID));
+}
+
+BOOL secrets_fetch_domain_sid(char *domain, DOM_SID *sid)
+{
+ DOM_SID *dyn_sid;
+ fstring key;
+ int size;
+
+ slprintf(key, sizeof(key), "%s/%s", SECRETS_DOMAIN_SID, domain);
+ dyn_sid = (DOM_SID *)secrets_fetch(key, &size);
+
+ if (dyn_sid == NULL)
+ return False;
+
+ if (size != sizeof(DOM_SID))
+ {
+ free(dyn_sid);
+ return False;
+ }
+
+ *sid = *dyn_sid;
+ free(dyn_sid);
+ return True;
+}
+
diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
index 34201ebc16..8362c1d172 100644
--- a/source3/rpc_client/cli_lsarpc.c
+++ b/source3/rpc_client/cli_lsarpc.c
@@ -379,3 +379,26 @@ BOOL do_lsa_close(struct cli_state *cli, POLICY_HND *hnd)
return True;
}
+
+/****************************************************************************
+obtain a server's SAM SID and save it in the secrets database
+****************************************************************************/
+
+BOOL cli_lsa_get_domain_sid(struct cli_state *cli, char *server)
+{
+ fstring domain, key;
+ POLICY_HND pol;
+ DOM_SID sid;
+ BOOL res, res2, res3;
+
+ res = cli_nt_session_open(cli, PIPE_LSARPC);
+ res2 = res ? do_lsa_open_policy(cli, server, &pol, 0) : False;
+ res3 = res2 ? do_lsa_query_info_pol(cli, &pol, 5, domain, &sid) : False;
+
+ res3 = res3 ? secrets_store_domain_sid(domain, &sid) : False;
+
+ res2 = res2 ? do_lsa_close(cli, &pol) : False;
+ cli_nt_session_close(cli);
+
+ return res3;
+}
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index ce4468d112..0043a1894e 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -579,7 +579,14 @@ Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
* Ok - we have an anonymous connection to the IPC$ share.
* Now start the NT Domain stuff :-).
*/
-
+
+ if(cli_lsa_get_domain_sid(&cli, remote_machine) == False) {
+ DEBUG(0,("modify_trust_password: unable to obtain domain sid from %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+ return False;
+ }
+
if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) {
DEBUG(0,("modify_trust_password: unable to open the domain client session to \
machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c
index e7d08ff788..71162ac782 100644
--- a/source3/rpc_server/srv_lsa.c
+++ b/source3/rpc_server/srv_lsa.c
@@ -88,24 +88,18 @@ Init dom_query
static void init_dom_query(DOM_QUERY *d_q, char *dom_name, DOM_SID *dom_sid)
{
- fstring sid_str;
- int domlen = strlen(dom_name);
-
- *sid_str = '\0';
+ int domlen = (dom_name != NULL) ? strlen(dom_name) : 0;
d_q->uni_dom_max_len = domlen * 2;
d_q->uni_dom_str_len = domlen * 2;
- d_q->buffer_dom_name = domlen != 0 ? 1 : 0; /* domain buffer pointer */
- d_q->buffer_dom_sid = dom_sid != NULL ? 1 : 0; /* domain sid pointer */
+ d_q->buffer_dom_name = (dom_name != 0) ? 1 : 0;
+ d_q->buffer_dom_sid = (dom_sid != NULL) ? 1 : 0;
/* this string is supposed to be character short */
init_unistr2(&d_q->uni_domain_name, dom_name, domlen);
-
- if(dom_sid) {
- sid_to_string(sid_str, dom_sid);
+ if (dom_sid != NULL)
init_dom_sid2(&d_q->dom_sid, dom_sid);
- }
}
/***************************************************************************
@@ -506,12 +500,11 @@ api_lsa_query_info
static BOOL api_lsa_query_info(prs_struct *data, prs_struct *rdata)
{
LSA_Q_QUERY_INFO q_i;
- fstring name;
+ DOM_SID domain_sid;
+ char *name = NULL;
DOM_SID *sid = NULL;
uint32 status_code = 0;
- memset(name, 0, sizeof(name));
-
ZERO_STRUCT(q_i);
/* grab the info class and policy handle */
@@ -522,15 +515,26 @@ static BOOL api_lsa_query_info(prs_struct *data, prs_struct *rdata)
switch (q_i.info_class) {
case 0x03:
- if(lp_domain_logons()) {
- fstrcpy(name, global_myworkgroup);
- sid = &global_sam_sid;
- } else {
- *name = '\0';
+ switch (lp_server_role())
+ {
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ name = global_myworkgroup;
+ sid = &global_sam_sid;
+ break;
+ case ROLE_DOMAIN_MEMBER:
+ if (secrets_fetch_domain_sid(global_myworkgroup,
+ &domain_sid))
+ {
+ name = global_myworkgroup;
+ sid = &domain_sid;
+ }
+ default:
+ break;
}
break;
case 0x05:
- fstrcpy(name, global_myname);
+ name = global_myname;
sid = &global_sam_sid;
break;
default: