-rw-r--r-- | source3/include/proto.h | 3 | ||||
-rw-r--r-- | source3/include/secrets.h | 3 | ||||
-rw-r--r-- | source3/lib/util_sid.c | 21 | ||||
-rw-r--r-- | source3/passdb/secrets.c | 32 | ||||
-rw-r--r-- | source3/rpc_client/cli_lsarpc.c | 23 | ||||
-rw-r--r-- | source3/rpc_client/cli_netlogon.c | 9 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa.c | 42 |
7 files changed, 103 insertions, 30 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 7a95dd838e..83efdaf0df 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1576,6 +1576,8 @@ BOOL secrets_init(void);
 void *secrets_fetch(char *key, size_t *size);
 BOOL secrets_store(char *key, void *data, size_t size);
 BOOL secrets_delete(char *key);
+BOOL secrets_store_domain_sid(char *domain, DOM_SID *sid);
+BOOL secrets_fetch_domain_sid(char *domain, DOM_SID *sid);
 /*The following definitions come from passdb/smbpass.c */
@@ -1711,6 +1713,7 @@ BOOL do_lsa_query_info_pol(struct cli_state *cli, POLICY_HND *hnd, uint16 info_class, fstring domain_name, DOM_SID *domain_sid);
 BOOL do_lsa_close(struct cli_state *cli, POLICY_HND *hnd);
+BOOL cli_lsa_get_domain_sid(struct cli_state *cli, char *server);
 /*The following definitions come from rpc_client/cli_netlogon.c */
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index a87bdef56b..c16d5c7b30 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -2,7 +2,8 @@
 #define SECRETS_MACHINE_ACCT_PASS "SECRETS/$MACHINE.ACC"
-#define SECRETS_SAM_SID "SAM/SAM_SID"
+#define SECRETS_DOMAIN_SID "SECRETS/SID"
+#define SECRETS_SAM_SID "SAM/SID"
 struct machine_acct_pass {
 uint8 hash[16];
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 3605dfbf27..46904162b1 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
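Review bot: Changing the value of `SECRETS_SAM_SID` from `"SAM/SAM_SID"` to `"SAM/SID"` changes the tdb key under which an existing installation's SAM SID is stored, and nothing in this diff migrates the old record or falls back to the old key. Whatever code fetches `SECRETS_SAM_SID` (not visible here) will therefore see no SID after an upgrade; if it reacts by generating a fresh one, the server's identity changes and every ACL and account referencing the old SID is presumably orphaned. Either keep the old string or add a one-time fallback that reads `"SAM/SAM_SID"` and rewrites the value under the new key. `SECRETS_DOMAIN_SID` is only a prefix — secrets_store_domain_sid appends `/<domain>` — so a comment `/* key prefix; full key is SECRETS/SID/<domain> */` next to the define would help.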
@@ -49,15 +49,18 @@ typedef struct _known_sid_users {
 /* static known_sid_users no_users[] = {{0, 0, NULL}}; */
 static known_sid_users everyone_users[] = {{ 0, SID_NAME_WKN_GRP, "Everyone" }, {0, 0, NULL}};
 static known_sid_users creator_owner_users[] = {{ 0, SID_NAME_ALIAS, "Creator Owner" }, {0, 0, NULL}};
-static known_sid_users nt_authority_users[] = {{ 1, SID_NAME_ALIAS, "Dialup" },
- { 2, SID_NAME_ALIAS, "Network"},
- { 3, SID_NAME_ALIAS, "Batch"},
- { 4, SID_NAME_ALIAS, "Interactive"},
- { 6, SID_NAME_ALIAS, "Service"},
- { 7, SID_NAME_ALIAS, "AnonymousLogon"},
- { 8, SID_NAME_ALIAS, "Proxy"},
- { 9, SID_NAME_ALIAS, "ServerLogon"},
- {0, 0, NULL}};
+static known_sid_users nt_authority_users[] = {
+ { 1, SID_NAME_ALIAS, "Dialup" },
+ { 2, SID_NAME_ALIAS, "Network"},
+ { 3, SID_NAME_ALIAS, "Batch"},
+ { 4, SID_NAME_ALIAS, "Interactive"},
+ { 6, SID_NAME_ALIAS, "Service"},
+ { 7, SID_NAME_ALIAS, "AnonymousLogon"},
+ { 8, SID_NAME_ALIAS, "Proxy"},
+ { 9, SID_NAME_ALIAS, "ServerLogon"},
+ { 11, SID_NAME_ALIAS, "Authenticated Users"},
+ { 18, SID_NAME_ALIAS, "SYSTEM"},
+ { 0, 0, NULL}};
 static struct sid_name_map_info {
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index b0021599cc..459cc6ae36 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -88,3 +88,35 @@ BOOL secrets_delete(char *key)
 kbuf.dsize = strlen(key);
 return tdb_delete(tdb, kbuf) == 0;
 }
+
+BOOL secrets_store_domain_sid(char *domain, DOM_SID *sid)
+{
+ fstring key;
+
+ slprintf(key, sizeof(key), "%s/%s", SECRETS_DOMAIN_SID, domain);
+ return secrets_store(key, sid, sizeof(DOM_SID));
+}
+
+BOOL secrets_fetch_domain_sid(char *domain, DOM_SID *sid)
+{
+ DOM_SID *dyn_sid;
+ fstring key;
+ int size;
+
+ slprintf(key, sizeof(key), "%s/%s", SECRETS_DOMAIN_SID, domain);
+ dyn_sid = (DOM_SID *)secrets_fetch(key, &size);
+
+ if (dyn_sid == NULL)
+ return False;
+
+ if (size != sizeof(DOM_SID))
+ {
+ free(dyn_sid);
+ return False;
+ }
+
+ *sid = *dyn_sid;
+ free(dyn_sid);
+ return True;
+}
+
diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
index 34201ebc16..8362c1d172 100644
--- a/source3/rpc_client/cli_lsarpc.c
+++ b/source3/rpc_client/cli_lsarpc.c
@@ -379,3 +379,26 @@ BOOL do_lsa_close(struct cli_state *cli, POLICY_HND *hnd)
 return True;
 }
+
+/****************************************************************************
+obtain a server's SAM SID and save it in the secrets database
+****************************************************************************/
+
+BOOL cli_lsa_get_domain_sid(struct cli_state *cli, char *server)
+{
+ fstring domain, key;
+ POLICY_HND pol;
+ DOM_SID sid;
+ BOOL res, res2, res3;
+
+ res = cli_nt_session_open(cli, PIPE_LSARPC);
+ res2 = res ? do_lsa_open_policy(cli, server, &pol, 0) : False;
+ res3 = res2 ? do_lsa_query_info_pol(cli, &pol, 5, domain, &sid) : False;
+
+ res3 = res3 ? secrets_store_domain_sid(domain, &sid) : False;
+
+ res2 = res2 ? do_lsa_close(cli, &pol) : False;
+ cli_nt_session_close(cli);
+
+ return res3;
+}
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index ce4468d112..0043a1894e 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
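Review bot: `int size;` in secrets_fetch_domain_sid is passed as `&size` to secrets_fetch, whose prototype in the proto.h hunk of this diff is `void *secrets_fetch(char *key, size_t *size)`; where size_t is wider than int the callee writes past the end of `size` on the stack, and even where it is not, the pointer types do not match. Declare it as `size_t size;`, which also makes the comparison with `sizeof(DOM_SID)` unsigned on both sides. Both new functions would benefit from a header comment stating that the tdb key is `SECRETS/SID/<domain>`, that `domain` is not validated here, and that the fetched buffer is owned and freed by secrets_fetch_domain_sid.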
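Review bot: `fstring domain, key;` in cli_lsa_get_domain_sid declares `key`, which the function never uses; drop it. The value assigned by `res2 = res2 ? do_lsa_close(cli, &pol) : False;` is never read, so a failed handle close is silently ignored — either log it or reduce the line to `if (res2) do_lsa_close(cli, &pol);`. The literal `5` in the do_lsa_query_info_pol call is the info class that the server side of this diff answers under `case 0x05` with its own name and SAM SID; a comment such as `/* info class 5: account domain name and SID */` would record that. The name used as the tdb key comes from the server's reply, whereas srv_lsa.c later fetches with `global_myworkgroup`; if the two differ (for example in case) the lookup presumably fails, which is worth noting in the function's header comment.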
@@ -579,7 +579,14 @@ Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
 * Ok - we have an anonymous connection to the IPC$ share.
 * Now start the NT Domain stuff :-).
 */
-
+
+ if(cli_lsa_get_domain_sid(&cli, remote_machine) == False) {
+ DEBUG(0,("modify_trust_password: unable to obtain domain sid from %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+ return False;
+ }
+
 if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) {
 DEBUG(0,("modify_trust_password: unable to open the domain client session to \
 machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c
index e7d08ff788..71162ac782 100644
--- a/source3/rpc_server/srv_lsa.c
+++ b/source3/rpc_server/srv_lsa.c
@@ -88,24 +88,18 @@ Init dom_query
 static void init_dom_query(DOM_QUERY *d_q, char *dom_name, DOM_SID *dom_sid)
 {
- fstring sid_str;
- int domlen = strlen(dom_name);
-
- *sid_str = '\0';
+ int domlen = (dom_name != NULL) ? strlen(dom_name) : 0;
 d_q->uni_dom_max_len = domlen * 2;
 d_q->uni_dom_str_len = domlen * 2;
- d_q->buffer_dom_name = domlen != 0 ? 1 : 0; /* domain buffer pointer */
- d_q->buffer_dom_sid = dom_sid != NULL ? 1 : 0; /* domain sid pointer */
+ d_q->buffer_dom_name = (dom_name != 0) ? 1 : 0;
+ d_q->buffer_dom_sid = (dom_sid != NULL) ? 1 : 0;
 /* this string is supposed to be character short */
 init_unistr2(&d_q->uni_domain_name, dom_name, domlen);
-
- if(dom_sid) {
- sid_to_string(sid_str, dom_sid);
+ if (dom_sid != NULL)
 init_dom_sid2(&d_q->dom_sid, dom_sid);
- }
 }
 /***************************************************************************
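Review bot: The new DEBUG line after `cli_lsa_get_domain_sid(&cli, remote_machine) == False` reports `cli_errstr(&cli)`, but cli_lsa_get_domain_sid also returns False when the local secrets_store_domain_sid write fails, in which case the cli error string is unrelated to the cause and the log misleads whoever debugs a trust-password failure. Consider wording the message `unable to obtain or store the domain SID for %s` so the local-failure case is covered too. Aborting the trust-password change when the SID cannot be obtained is a new hard dependency on the LSA pipe; if that is intended, a one-line comment such as `/* the domain SID must be known before the trust password is changed */` would record it. modify_trust_password begins and ends outside this hunk.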
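Review bot: `d_q->buffer_dom_name = (dom_name != 0) ? 1 : 0;` compares a pointer with `0` while the adjacent lines compare with `NULL`; write `(dom_name != NULL)` for consistency with the new `domlen` initialiser. The rewrite makes `domlen` tolerate a NULL `dom_name`, but `init_unistr2(&d_q->uni_domain_name, dom_name, domlen)` is still called unconditionally with that NULL; whether init_unistr2 accepts a NULL source is not visible here and should be confirmed, otherwise guard the call the way `init_dom_sid2` is now guarded. The new `if (dom_sid != NULL)` controls a single unbraced statement where the removed code used braces; keep the braces.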
@@ -506,12 +500,11 @@ api_lsa_query_info
 static BOOL api_lsa_query_info(prs_struct *data, prs_struct *rdata)
 {
 LSA_Q_QUERY_INFO q_i;
- fstring name;
+ DOM_SID domain_sid;
+ char *name = NULL;
 DOM_SID *sid = NULL;
 uint32 status_code = 0;
- memset(name, 0, sizeof(name));
-
 ZERO_STRUCT(q_i);
 /* grab the info class and policy handle */
@@ -522,15 +515,26 @@ static BOOL api_lsa_query_info(prs_struct *data, prs_struct *rdata)
 switch (q_i.info_class)
 {
 case 0x03:
- if(lp_domain_logons()) {
- fstrcpy(name, global_myworkgroup);
- sid = &global_sam_sid;
- } else {
- *name = '\0';
+ switch (lp_server_role())
+ {
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ name = global_myworkgroup;
+ sid = &global_sam_sid;
+ break;
+ case ROLE_DOMAIN_MEMBER:
+ if (secrets_fetch_domain_sid(global_myworkgroup,
+ &domain_sid))
+ {
+ name = global_myworkgroup;
+ sid = &domain_sid;
+ }
+ default:
+ break;
 }
 break;
 case 0x05:
- fstrcpy(name, global_myname);
+ name = global_myname;
 sid = &global_sam_sid;
 break;
 default:
|
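Review bot: In the new `case ROLE_DOMAIN_MEMBER:` arm of the `lp_server_role()` switch, control falls through into `default: break;` with no marker; add `/* fall through */` (or an explicit `break;`) after the closing brace so it is not mistaken for an omission. When secrets_fetch_domain_sid fails on a member server, `name` and `sid` stay NULL and the client silently receives an info-class-3 reply with no primary domain; a `DEBUG(0, ...)` line in that branch would make a missing or stale `SECRETS/SID/<workgroup>` record diagnosable. For roles that reach `default:` the removed code sent an empty name (`*name = '\0'`) whereas the new code passes NULL down to init_dom_query, relying on the NULL handling added to that function elsewhere in this commit; a short comment noting that dependency would help.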