summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/auth/auth_sam.c4
-rw-r--r--source4/auth/auth_util.c115
-rw-r--r--source4/cldap_server/netlogon.c2
-rw-r--r--source4/dsdb/samdb/samdb.c9
-rw-r--r--source4/dsdb/samdb/samdb_privilege.c16
-rw-r--r--source4/kdc/hdb-ldb.c2
-rw-r--r--source4/ldap_server/config.mk3
-rw-r--r--source4/ldap_server/ldap_backend.c16
-rw-r--r--source4/ldap_server/ldap_bind.c23
-rw-r--r--source4/ldap_server/ldap_hacked_ldb.c1038
-rw-r--r--source4/ldap_server/ldap_rootdse.c17
-rw-r--r--source4/ldap_server/ldap_server.c62
-rw-r--r--source4/ldap_server/ldap_server.h9
-rw-r--r--source4/ldap_server/ldap_simple_ldb.c76
-rw-r--r--source4/lib/ldb/tools/cmdline.c5
-rw-r--r--source4/libcli/security/security_token.c25
-rw-r--r--source4/libnet/libnet_join.c2
-rw-r--r--source4/libnet/libnet_samsync_ldb.c4
-rw-r--r--source4/nbt_server/dgram/netlogon.c4
-rw-r--r--source4/ntvfs/common/sidmap.c2
-rw-r--r--source4/rpc_server/drsuapi/dcesrv_drsuapi.c3
-rw-r--r--source4/rpc_server/drsuapi/drsuapi_cracknames.c55
-rw-r--r--source4/rpc_server/dssetup/dcesrv_dssetup.c19
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c40
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c19
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.c5
-rw-r--r--source4/rpc_server/samr/samr_password.c29
27 files changed, 425 insertions, 1179 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 1df2103eb6..de4be9586c 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -521,7 +521,7 @@ NTSTATUS sam_get_server_info(TALLOC_CTX *mem_ctx, const char *account_name, cons
struct ldb_message **domain_msgs;
void *sam_ctx;
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
@@ -558,7 +558,7 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
return NT_STATUS_NOT_IMPLEMENTED;
}
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c
index 19fd63ed2e..da5df9b368 100644
--- a/source4/auth/auth_util.c
+++ b/source4/auth/auth_util.c
@@ -427,6 +427,73 @@ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, struct auth_serversuppl
return NT_STATUS_OK;
}
+NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **_server_info)
+{
+ struct auth_serversupplied_info *server_info;
+ server_info = talloc(mem_ctx, struct auth_serversupplied_info);
+ NT_STATUS_HAVE_NO_MEMORY(server_info);
+
+ server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
+
+ /* is this correct? */
+ server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
+
+ server_info->n_domain_groups = 0;
+ server_info->domain_groups = NULL;
+
+ /* annoying, but the Anonymous really does have a session key,
+ and it is all zeros! */
+ server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
+
+ server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
+
+ data_blob_clear(&server_info->user_session_key);
+ data_blob_clear(&server_info->lm_session_key);
+
+ server_info->account_name = talloc_strdup(server_info, "sYSTEM");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+
+ server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+
+ server_info->full_name = talloc_strdup(server_info, "System");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
+
+ server_info->logon_script = talloc_strdup(server_info, "");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
+
+ server_info->profile_path = talloc_strdup(server_info, "");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
+
+ server_info->home_directory = talloc_strdup(server_info, "");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
+
+ server_info->home_drive = talloc_strdup(server_info, "");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
+
+ server_info->last_logon = 0;
+ server_info->last_logoff = 0;
+ server_info->acct_expiry = 0;
+ server_info->last_password_change = 0;
+ server_info->allow_password_change = 0;
+ server_info->force_password_change = 0;
+
+ server_info->logon_count = 0;
+ server_info->bad_password_count = 0;
+
+ server_info->acct_flags = ACB_NORMAL;
+
+ server_info->authenticated = False;
+
+ *_server_info = server_info;
+
+ return NT_STATUS_OK;
+}
+
NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
struct auth_serversupplied_info *server_info,
struct auth_session_info **_session_info)
@@ -482,6 +549,54 @@ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
return NT_STATUS_OK;
}
+struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx)
+{
+ NTSTATUS nt_status;
+ struct auth_session_info *session_info = NULL;
+ nt_status = auth_anonymous_session_info(mem_ctx, &session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return NULL;
+ }
+ return session_info;
+}
+
+NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
+ struct auth_session_info **_session_info)
+{
+ NTSTATUS nt_status;
+ struct auth_serversupplied_info *server_info = NULL;
+ struct auth_session_info *session_info = NULL;
+ TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
+
+ nt_status = auth_system_server_info(mem_ctx,
+ &server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(mem_ctx);
+ return nt_status;
+ }
+
+ /* references the server_info into the session_info */
+ nt_status = auth_generate_session_info(parent_ctx, server_info, &session_info);
+ talloc_free(mem_ctx);
+
+ NT_STATUS_NOT_OK_RETURN(nt_status);
+
+ *_session_info = session_info;
+
+ return NT_STATUS_OK;
+}
+
+struct auth_session_info *system_session(TALLOC_CTX *mem_ctx)
+{
+ NTSTATUS nt_status;
+ struct auth_session_info *session_info = NULL;
+ nt_status = auth_system_session_info(mem_ctx, &session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return NULL;
+ }
+ return session_info;
+}
+
/****************************************************************************
prints a struct auth_session_info security token to debug output.
****************************************************************************/
diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c
index bfecc3576f..95d0250268 100644
--- a/source4/cldap_server/netlogon.c
+++ b/source4/cldap_server/netlogon.c
@@ -56,7 +56,7 @@ static NTSTATUS cldapd_netlogon_fill(struct cldapd_server *cldapd,
const char *pdc_ip;
if (cldapd->samctx == NULL) {
- cldapd->samctx = samdb_connect(cldapd);
+ cldapd->samctx = samdb_connect(cldapd, anonymous_session(cldapd));
if (cldapd->samctx == NULL) {
DEBUG(2,("Unable to open sam in cldap netlogon reply\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 717b72ded2..93cf6f4b8d 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -32,9 +32,14 @@
connect to the SAM database
return an opaque context pointer on success, or NULL on failure
*/
-struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx)
+struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx, struct auth_session_info *session_info)
{
- return ldb_wrap_connect(mem_ctx, lp_sam_url(), 0, NULL);
+ struct ldb_context *ldb;
+ ldb = ldb_wrap_connect(mem_ctx, lp_sam_url(), 0, NULL);
+ if (ldb_set_opaque(ldb, "sessionInfo", session_info)) {
+ return NULL;
+ }
+ return ldb;
}
/*
diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c
index 059d612225..55dfef04aa 100644
--- a/source4/dsdb/samdb/samdb_privilege.c
+++ b/source4/dsdb/samdb/samdb_privilege.c
@@ -75,11 +75,23 @@ static NTSTATUS samdb_privilege_setup_sid(void *samctx, TALLOC_CTX *mem_ctx,
NTSTATUS samdb_privilege_setup(struct security_token *token)
{
void *samctx;
- TALLOC_CTX *mem_ctx = talloc_new(token);
+ TALLOC_CTX *mem_ctx;
int i;
NTSTATUS status;
- samctx = samdb_connect(mem_ctx);
+ /* Shortcuts to prevent recursion and avoid lookups */
+ if (is_system_token(token)) {
+ token->privilege_mask = ~0;
+ return NT_STATUS_OK;
+ }
+
+ if (is_anonymous_token(token)) {
+ token->privilege_mask = 0;
+ return NT_STATUS_OK;
+ }
+
+ mem_ctx = talloc_new(token);
+ samctx = samdb_connect(mem_ctx, system_session(mem_ctx));
if (samctx == NULL) {
talloc_free(mem_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index ecdda16150..2f97fd6ee8 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -1040,7 +1040,7 @@ krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx,
(*db)->hdb_db = NULL;
/* Setup the link to LDB */
- (*db)->hdb_db = samdb_connect(db);
+ (*db)->hdb_db = samdb_connect(db, system_session(db));
if ((*db)->hdb_db == NULL) {
krb5_warnx(context, "hdb_ldb_create: samdb_connect failed!");
krb5_set_error_string(context, "samdb_connect failed!");
diff --git a/source4/ldap_server/config.mk b/source4/ldap_server/config.mk
index 3d39b397bd..59f1d5c178 100644
--- a/source4/ldap_server/config.mk
+++ b/source4/ldap_server/config.mk
@@ -8,8 +8,7 @@ INIT_OBJ_FILES = \
ldap_server/ldap_backend.o \
ldap_server/ldap_bind.o \
ldap_server/ldap_rootdse.o \
- ldap_server/ldap_simple_ldb.o \
- ldap_server/ldap_hacked_ldb.o
+ ldap_server/ldap_simple_ldb.o
REQUIRED_SUBSYSTEMS = \
LIBCLI_LDAP SAMDB
# End SUBSYSTEM SMB
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 96c9b16f5d..65e6d9d4d4 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -53,10 +53,10 @@ struct ldapsrv_partition *ldapsrv_get_partition(struct ldapsrv_connection *conn,
{
if (scope == LDAP_SEARCH_SCOPE_BASE
&& strcasecmp("", dn) == 0) {
- return conn->service->rootDSE;
+ return conn->rootDSE;
}
- return conn->service->default_partition;
+ return conn->default_partition;
}
NTSTATUS ldapsrv_unwilling(struct ldapsrv_call *call, int error)
@@ -257,15 +257,3 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
}
-/*
- connect to the sam database
-*/
-struct ldb_context *ldapsrv_sam_connect(struct ldapsrv_call *call)
-{
- const char *url;
- url = lp_parm_string(-1, "ldapsrv", "samdb");
- if (url) {
- return ldb_wrap_connect(call, url, 0, NULL);
- }
- return samdb_connect(call);
-}
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 166bd31ede..9c9cca362b 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -32,6 +32,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
DEBUG(10, ("BindSimple dn: %s\n",req->dn));
+ /* When we add authentication here, we also need to handle telling the backends */
+
reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
if (!reply) {
return NT_STATUS_NO_MEMORY;
@@ -102,14 +104,33 @@ reply:
result = LDAP_SASL_BIND_IN_PROGRESS;
errstr = NULL;
} else if (NT_STATUS_IS_OK(status)) {
+ struct ldapsrv_partition *part;
+
result = LDAP_SUCCESS;
errstr = NULL;
if (gensec_have_feature(call->conn->gensec, GENSEC_FEATURE_SEAL) ||
gensec_have_feature(call->conn->gensec, GENSEC_FEATURE_SIGN)) {
call->conn->enable_wrap = True;
}
+ status = gensec_session_info(call->conn->gensec, &call->conn->session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ result = LDAP_OPERATIONS_ERROR;
+ errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to get session info: %s", req->creds.SASL.mechanism, nt_errstr(status));
+ } else {
+ for (part = call->conn->partitions; part; part = part->next) {
+ if (!part->ops->Bind) {
+ continue;
+ }
+ status = part->ops->Bind(part, conn);
+ if (!NT_STATUS_IS_OK(status)) {
+ result = LDAP_OPERATIONS_ERROR;
+ errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to advise partition %s of new credentials: %s", req->creds.SASL.mechanism, part->base_dn, nt_errstr(status));
+ }
+ }
+ }
} else {
- result = 49;
+ status = auth_nt_status_squash(status);
+ result = LDAP_INVALID_CREDENTIALS;
errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status));
}
diff --git a/source4/ldap_server/ldap_hacked_ldb.c b/source4/ldap_server/ldap_hacked_ldb.c
deleted file mode 100644
index 8923bc5a1b..0000000000
--- a/source4/ldap_server/ldap_hacked_ldb.c
+++ /dev/null
@@ -1,1038 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- LDAP server HACKED LDB implementation to hopefully get a DsGetNCChanges() request from a
- w2k3 box
-
- Copyright (C) Stefan Metzmacher 2004-2005
- Copyright (C) Simo Sorce 2004
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-#include "ldap_server/ldap_server.h"
-#include "lib/ldb/include/ldb.h"
-#include "librpc/gen_ndr/ndr_security.h"
-#include "librpc/gen_ndr/ndr_misc.h"
-#include "db_wrap.h"
-
-
-#define VALID_DN_SYNTAX(dn,i) do {\
- if (!(dn)) {\
- return NT_STATUS_NO_MEMORY;\
- } else if ((dn)->comp_num < (i)) {\
- result = LDAP_INVALID_DN_SYNTAX;\
- errstr = "Invalid DN (" #i " components needed for '" #dn "')";\
- goto reply;\
- }\
-} while(0)
-
-#define ATTR_BLOB_CONST(val) data_blob_talloc(mem_ctx, val, sizeof(val)-1)
-
-#define ATTR_SINGLE_NOVAL(ctx, attr, blob, num, nam) do { \
- attr->name = talloc_strdup(ctx, nam);\
- NT_STATUS_HAVE_NO_MEMORY(attr->name);\
- attr->num_values = num; \
- attr->values = blob;\
-} while(0)
-
-
-static NTSTATUS convert_values(TALLOC_CTX *mem_ctx,
- struct ldb_message_element *elem,
- struct ldb_message_element *attrs,
- struct ldb_context *samdb,
- const char **dn,
- struct ldap_SearchRequest *r)
-{
- NTSTATUS status;
- DEBUG(10, ("convert_values for %s\n", attrs[0].name));
-
- attrs->name = talloc_steal(mem_ctx, elem->name);
- attrs->values[0].length = elem->values[0].length;
- attrs->values[0].data = talloc_steal(mem_ctx, elem->values[0].data);
-
- if (strcasecmp(attrs->name, "objectGUID") == 0 ||
- strcasecmp(attrs->name, "invocationID") == 0)
- {
- struct GUID guid;
- DATA_BLOB blob;
-
- status = GUID_from_string((const char *)elem->values[0].data, &guid);
- NT_STATUS_NOT_OK_RETURN(status);
-
- status = ndr_push_struct_blob(&blob, mem_ctx, &guid,
- (ndr_push_flags_fn_t)ndr_push_GUID);
- NT_STATUS_NOT_OK_RETURN(status);
-
- attrs->values[0].length = blob.length;
- attrs->values[0].data = talloc_steal(mem_ctx, blob.data);
- }
-
- if (strcasecmp(attrs->name, "objectSID") == 0)
- {
- struct dom_sid *sid;
- DATA_BLOB blob;
-
- sid = dom_sid_parse_talloc(mem_ctx, (const char *)elem->values[0].data);
- NT_STATUS_HAVE_NO_MEMORY(sid);
-
- status = ndr_push_struct_blob(&blob, mem_ctx, sid,
- (ndr_push_flags_fn_t)ndr_push_dom_sid);
- NT_STATUS_NOT_OK_RETURN(status);
-
- attrs->values[0].length = blob.length;
- attrs->values[0].data = talloc_steal(mem_ctx, blob.data);
- }
-
- if (strcasecmp(attrs->name, "ncname") == 0)
- {
- char *filter = ldb_filter_from_tree(mem_ctx, r->tree);
- struct ldb_message **res = NULL;
- int count;
- const char *dom_dn;
- const char *dom_filter;
-
- const char *dom_sid_str;
- struct dom_sid *dom_sid;
- DATA_BLOB dom_sid_blob;
- const char *dom_sid_hex;
-
- const char *dom_guid_str;
- struct GUID dom_guid;
- DATA_BLOB dom_guid_blob;
- const char *dom_guid_hex;
-
- const char *nc_filter;
- const char *nc_guid_str;
- struct GUID nc_guid;
- DATA_BLOB nc_guid_blob;
- char *nc_guid_hex;
- const char *ncname;
-
- const char *s_attrs[] = {"objectGUID", "objectSid", NULL};
- char *p2;
-
- nc_filter = talloc_asprintf(mem_ctx, "(dn=%s)", *dn);
-DEBUG(0, (__location__": convert_values(ncname): nc dn = '%s'\n", nc_filter));
-
-
- /* first the NC stuff */
- count = ldb_search(samdb, NULL, LDB_SCOPE_BASE, nc_filter, s_attrs, &res);
- if (count != 1) {
- DEBUG(0, (__location__": convert_values(ncname): nc_count: %d \n", count));
- return NT_STATUS_FOOBAR;
- }
-DEBUG(0, (__location__": convert_values(ncname): nc_res '%s'\n", ldb_dn_linearize(mem_ctx, res[0]->dn)));
- nc_guid_str = samdb_result_string(res[0], "objectGUID", NULL);
-
- status = GUID_from_string(nc_guid_str, &nc_guid);
-
- status = ndr_push_struct_blob(&nc_guid_blob, mem_ctx, &nc_guid,
- (ndr_push_flags_fn_t)ndr_push_GUID);
-
- nc_guid_hex = data_blob_hex_string(mem_ctx, &nc_guid_blob);
-
- /* overwrite the dn of the search result */
- *dn = talloc_asprintf(mem_ctx, "<GUID=%s>;%s", nc_guid_hex, *dn);
-DEBUG(0, (__location__": convert_values(ncname): dn='%s'\n",*dn));
- /* now the domain stuff */
-
- dom_dn = strchr(filter, '=');
- dom_dn++;
-
- p2 = strchr(filter, ')');
- *p2 ='\0';
-
- dom_filter = talloc_asprintf(mem_ctx, "(dn=%s)", dom_dn);
-DEBUG(0, (__location__": convert_values(ncname): dom dn = '%s'\n", dom_filter));
- count = ldb_search(samdb, NULL, LDB_SCOPE_BASE, dom_filter, s_attrs, &res);
- if (count != 1) {
- DEBUG(0, (__location__": convert_values(ncname): dom_count: %d \n", count));
- return NT_STATUS_OK;
- }
-
- dom_guid_str = samdb_result_string(res[0], "objectGUID", NULL);
-
- status = GUID_from_string(dom_guid_str, &dom_guid);
-
- status = ndr_push_struct_blob(&dom_guid_blob, mem_ctx, &dom_guid,
- (ndr_push_flags_fn_t)ndr_push_GUID);
-
- dom_guid_hex = data_blob_hex_string(mem_ctx, &dom_guid_blob);
-
- dom_sid_str = samdb_result_string(res[0], "objectSid", NULL);
-
- dom_sid = dom_sid_parse_talloc(mem_ctx, dom_sid_str);
-
- status = ndr_push_struct_blob(&dom_sid_blob, mem_ctx, dom_sid,
- (ndr_push_flags_fn_t)ndr_push_dom_sid);
-
- dom_sid_hex = data_blob_hex_string(mem_ctx, &dom_sid_blob);
-
- ncname = talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
- dom_guid_hex, dom_sid_hex, dom_dn);
-DEBUG(0, (__location__": convert_values(ncname): ncname='%s'\n",ncname));
-
- attrs->values[0].length = strlen(ncname);
- attrs->values[0].data = talloc_steal(mem_ctx, ncname);
-DEBUG(0, (__location__": convert_values(ncname): end ok\n"));
- }
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS hacked_wellknown_Search(struct ldapsrv_partition *partition, struct ldapsrv_call *call,
- struct ldap_SearchRequest *r)
-{
- void *local_ctx;
- struct ldap_SearchResEntry *ent;
- struct ldap_Result *done;
- struct ldapsrv_reply *ent_r, *done_r;
- int count;
- const char *dn_prefix;
- const char *wkdn;
- char *p, *p2;
- enum ldb_scope scope = LDB_SCOPE_DEFAULT;
- char *basedn_str;
-
- local_ctx = talloc_named(call, 0, "hacked_wellknown_Search local memory context");
- NT_STATUS_HAVE_NO_MEMORY(local_ctx);
-
- switch (r->scope) {
- case LDAP_SEARCH_SCOPE_BASE:
- scope = LDB_SCOPE_BASE;
- break;
- default:
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
-#define WKGUID_prefix "<WKGUID="
- if (strncasecmp(WKGUID_prefix, r->basedn, strlen(WKGUID_prefix)) != 0) {
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- basedn_str = talloc_strdup(call, r->basedn);
-
-#define WKGUID_Infrastructure "<WKGUID=2FBAC1870ADE11D297C400C04FD8D5CD,"
-#define WKGUID_Infrastructure_DN "CN=Infrastructure,"
- if (strncasecmp(WKGUID_Infrastructure, r->basedn, strlen(WKGUID_Infrastructure)) == 0) {
- dn_prefix = WKGUID_Infrastructure_DN;
- } else
-#define WKGUID_Domain_Controllers "<WKGUID=A361B2FFFFD211D1AA4B00C04FD7D83A,"
-#define WKGUID_Domain_Controllers_DN "OU=Domain Controllers,"
- if (strncasecmp(WKGUID_Domain_Controllers, r->basedn, strlen(WKGUID_Domain_Controllers)) == 0) {
- dn_prefix = WKGUID_Domain_Controllers_DN;
- } else {
- DEBUG(0,("UKNOWN dn '%s'\n", basedn_str));
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- p = strchr(basedn_str, ',');
- p++;
-
- p2 = strchr(basedn_str, '>');
- *p2 ='\0';
-
- wkdn = talloc_asprintf(call, "%s%s", dn_prefix, p);
-
- count = 1;
- ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultEntry);
- NT_STATUS_HAVE_NO_MEMORY(ent_r);
-
- ent = &ent_r->msg->r.SearchResultEntry;
- ent->dn = talloc_steal(ent_r, wkdn);
- DEBUG(0,("hacked result [0] dn: %s\n", ent->dn));
- ent->num_attributes = 0;
- ent->attributes = NULL;
-
- ldapsrv_queue_reply(call, ent_r);
-
- done_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultDone);
- NT_STATUS_HAVE_NO_MEMORY(done_r);
-
- DEBUG(10,("hacked_Search: results: [%d]\n",count));
-
- done = &done_r->msg->r.SearchResultDone;
- done->dn = NULL;
- done->resultcode = LDAP_SUCCESS;
- done->errormessage = NULL;
- done->referral = NULL;
-
- talloc_free(local_ctx);
-
- ldapsrv_queue_reply(call, done_r);
- return NT_STATUS_OK;
-}
-
-static NTSTATUS hacked_Search(struct ldapsrv_partition *partition, struct ldapsrv_call *call,
- struct ldap_SearchRequest *r, struct ldb_context *samdb)
-{
- NTSTATUS status;
- void *local_ctx;
- struct ldap_SearchResEntry *ent;
- struct ldap_Result *done;
- struct ldb_message **res = NULL;
- int result = LDAP_SUCCESS;
- struct ldapsrv_reply *ent_r, *done_r;
- const char *errstr = NULL;
- int count, j, y, i;
- const char **attrs = NULL;
- enum ldb_scope scope = LDB_SCOPE_DEFAULT;
- struct ldb_dn *basedn;
-
- local_ctx = talloc_named(call, 0, "hacked_Search local memory context");
- NT_STATUS_HAVE_NO_MEMORY(local_ctx);
-
- basedn = ldb_dn_explode(local_ctx, r->basedn);
-
- switch (r->scope) {
- case LDAP_SEARCH_SCOPE_BASE:
- DEBUG(10,("hldb_Search: scope: [BASE]\n"));
- scope = LDB_SCOPE_BASE;
- break;
- case LDAP_SEARCH_SCOPE_SINGLE:
- DEBUG(10,("hldb_Search: scope: [ONE]\n"));
- scope = LDB_SCOPE_ONELEVEL;
- break;
- case LDAP_SEARCH_SCOPE_SUB:
- DEBUG(10,("hldb_Search: scope: [SUB]\n"));
- scope = LDB_SCOPE_SUBTREE;
- break;
- }
-
- if (r->num_attributes >= 1) {
- attrs = talloc_array(samdb, const char *, r->num_attributes+1);
- NT_STATUS_HAVE_NO_MEMORY(attrs);
-
- for (j=0; j < r->num_attributes; j++) {
- DEBUG(10,("hacked_Search: attrs: [%s]\n",r->attributes[j]));
- attrs[j] = r->attributes[j];
- }
- attrs[j] = NULL;
- }
-DEBUG(0,("hacked basedn: %s\n", ldb_dn_linearize(local_ctx, basedn)));
-DEBUGADD(0,("hacked filter: %s\n", ldb_filter_from_tree(r, r->tree)));
- count = ldb_search_bytree(samdb, basedn, scope, r->tree, attrs, &res);
- talloc_steal(samdb, res);
-
- if (count < 1) {
- DEBUG(0,("hacked not found\n"));
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- if (scope == LDAP_SEARCH_SCOPE_BASE) {
- ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultEntry);
- NT_STATUS_HAVE_NO_MEMORY(ent_r);
-
- ent = &ent_r->msg->r.SearchResultEntry;
- ent->dn = ldb_dn_linearize(ent_r, res[0]->dn);
- DEBUG(0,("hacked result [0] dn: %s\n", ent->dn));
- ent->num_attributes = 0;
- ent->attributes = NULL;
- if (res[0]->num_elements == 0) {
- goto queue_reply;
- }
- ent->num_attributes = res[0]->num_elements;
- ent->attributes = talloc_array(ent_r, struct ldb_message_element, ent->num_attributes);
- NT_STATUS_HAVE_NO_MEMORY(ent->attributes);
- for (j=0; j < ent->num_attributes; j++) {
- ent->attributes[j].name = talloc_steal(ent->attributes, res[0]->elements[j].name);
- ent->attributes[j].num_values = 0;
- ent->attributes[j].values = NULL;
- ent->attributes[j].num_values = res[0]->elements[j].num_values;
- if (ent->attributes[j].num_values == 1) {
- ent->attributes[j].values = talloc_array(ent->attributes,
- DATA_BLOB, ent->attributes[j].num_values);
- NT_STATUS_HAVE_NO_MEMORY(ent->attributes[j].values);
- status = convert_values(ent_r,
- &(res[0]->elements[j]),
- &(ent->attributes[j]),
- samdb, &ent->dn, r);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- } else {
- ent->attributes[j].values = talloc_array(ent->attributes,
- DATA_BLOB, ent->attributes[j].num_values);
- NT_STATUS_HAVE_NO_MEMORY(ent->attributes[j].values);
- for (y=0; y < ent->attributes[j].num_values; y++) {
- ent->attributes[j].values[y].length = res[0]->elements[j].values[y].length;
- ent->attributes[j].values[y].data = talloc_steal(ent->attributes[j].values,
- res[0]->elements[j].values[y].data);
- }
- }
- }
-queue_reply:
- ldapsrv_queue_reply(call, ent_r);
- } else {
- for (i=0; i < count; i++) {
- ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultEntry);
- NT_STATUS_HAVE_NO_MEMORY(ent_r);
-
- ent = &ent_r->msg->r.SearchResultEntry;
- ent->dn = ldb_dn_linearize(ent_r, res[i]->dn);
- DEBUG(0,("hacked result [%d] dn: %s\n", i, ent->dn));
- ent->num_attributes = 0;
- ent->attributes = NULL;
- if (res[i]->num_elements == 0) {
- goto queue_reply2;
- }
- ent->num_attributes = res[i]->num_elements;
- ent->attributes = talloc_array(ent_r, struct ldb_message_element, ent->num_attributes);
- NT_STATUS_HAVE_NO_MEMORY(ent->attributes);
- for (j=0; j < ent->num_attributes; j++) {
- ent->attributes[j].name = talloc_steal(ent->attributes, res[i]->elements[j].name);
- ent->attributes[j].num_values = 0;
- ent->attributes[j].values = NULL;
- if (r->attributesonly && (res[i]->elements[j].num_values == 0)) {
- continue;
- }
- ent->attributes[j].num_values = res[i]->elements[j].num_values;
- ent->attributes[j].values = talloc_array(ent->attributes,
- DATA_BLOB, ent->attributes[j].num_values);
- NT_STATUS_HAVE_NO_MEMORY(ent->attributes[j].values);
- if (ent->attributes[j].num_values == 1) {
- status = convert_values(ent_r,
- &(res[0]->elements[j]),
- &(ent->attributes[j]),
- samdb, &ent->dn, r);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- } else {
- for (y=0; y < ent->attributes[j].num_values; y++) {
- ent->attributes[j].values[y].length = res[i]->elements[j].values[y].length;
- ent->attributes[j].values[y].data = talloc_steal(ent->attributes[j].values,
- res[i]->elements[j].values[y].data);
- }
- }
- }
-queue_reply2:
- ldapsrv_queue_reply(call, ent_r);
- }
- }
-
- done_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultDone);
- NT_STATUS_HAVE_NO_MEMORY(done_r);
-
- if (count > 0) {
- DEBUG(10,("hacked_Search: results: [%d]\n",count));
- result = LDAP_SUCCESS;
- errstr = NULL;
- } else if (count == 0) {
- DEBUG(10,("hacked_Search: no results\n"));
- result = LDAP_NO_SUCH_OBJECT;
- errstr = ldb_errstring(samdb);
- } else if (count == -1) {
- DEBUG(10,("hacked_Search: error\n"));
- result = LDAP_OTHER;
- errstr = ldb_errstring(samdb);
- }
-
- done = &done_r->msg->r.SearchResultDone;
- done->dn = NULL;
- done->resultcode = result;
- done->errormessage = (errstr?talloc_strdup(done_r,errstr):NULL);;
- done->referral = NULL;
-
- talloc_free(local_ctx);
-
- ldapsrv_queue_reply(call, done_r);
- return NT_STATUS_OK;
-}
-
-static NTSTATUS hldb_Search(struct ldapsrv_partition *partition, struct ldapsrv_call *call,
- struct ldap_SearchRequest *r)
-{
- NTSTATUS status;
- void *local_ctx;
- struct ldb_context *samdb;
-#if 0
- struct ldap_dn *basedn;
- struct ldap_Result *done;
- struct ldap_SearchResEntry *ent;
- struct ldapsrv_reply *ent_r, *done_r;
- int result = LDAP_SUCCESS;
- struct ldb_message **res = NULL;
- int i, j, y, count = 0;
- enum ldb_scope scope = LDB_SCOPE_DEFAULT;
- const char **attrs = NULL;
- const char *errstr = NULL;
-#endif
- local_ctx = talloc_named(call, 0, "hldb_Search local memory context");
- NT_STATUS_HAVE_NO_MEMORY(local_ctx);
-
- samdb = ldapsrv_sam_connect(call);
- NT_STATUS_HAVE_NO_MEMORY(samdb);
-
- status = hacked_Search(partition, call, r, samdb);
- talloc_free(local_ctx);
- NT_STATUS_IS_OK_RETURN(status);
- status = hacked_wellknown_Search(partition, call, r);
- NT_STATUS_IS_OK_RETURN(status);
- return status;
-#if 0
- basedn = ldap_parse_dn(local_ctx, r->basedn);
- VALID_DN_SYNTAX(basedn,0);
-
- DEBUG(10, ("hldb_Search: basedn: [%s]\n", basedn->dn));
- DEBUG(10, ("hldb_Search: filter: [%s]\n", r->filter));
-
- switch (r->scope) {
- case LDAP_SEARCH_SCOPE_BASE:
- DEBUG(10,("hldb_Search: scope: [BASE]\n"));
- scope = LDB_SCOPE_BASE;
- break;
- case LDAP_SEARCH_SCOPE_SINGLE:
- DEBUG(10,("hldb_Search: scope: [ONE]\n"));
- scope = LDB_SCOPE_ONELEVEL;
- break;
- case LDAP_SEARCH_SCOPE_SUB:
- DEBUG(10,("hldb_Search: scope: [SUB]\n"));
- scope = LDB_SCOPE_SUBTREE;
- break;
- }
-
- if (r->num_attributes >= 1) {
- attrs = talloc_array(samdb, const char *, r->num_attributes+1);
- NT_STATUS_HAVE_NO_MEMORY(attrs);
-
- for (i=0; i < r->num_attributes; i++) {
- DEBUG(10,("hldb_Search: attrs: [%s]\n",r->attributes[i]));
- attrs[i] = r->attributes[i];
- }
- attrs[i] = NULL;
- }
-
- count = ldb_search(samdb, basedn->dn, scope, r->filter, attrs, &res);
- talloc_steal(samdb, res);
-
- if (count < 1) {
- status = hacked_Search(partition, call, r, samdb);
- NT_STATUS_IS_OK_RETURN(status);
- status = hacked_wellknown_Search(partition, call, r);
- NT_STATUS_IS_OK_RETURN(status);
- }
-
- for (i=0; i < count; i++) {
- ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultEntry);
- NT_STATUS_HAVE_NO_MEMORY(ent_r);
-
- ent = &ent_r->msg.r.SearchResultEntry;
- ent->dn = talloc_steal(ent_r, res[i]->dn);
- ent->num_attributes = 0;
- ent->attributes = NULL;
- if (res[i]->num_elements == 0) {
- goto queue_reply;
- }
- ent->num_attributes = res[i]->num_elements;
- ent->attributes = talloc_array(ent_r, struct ldb_message_element, ent->num_attributes);
- NT_STATUS_HAVE_NO_MEMORY(ent->attributes);
- for (j=0; j < ent->num_attributes; j++) {
- ent->attributes[j].name = talloc_steal(ent->attributes, res[i]->elements[j].name);
- ent->attributes[j].num_values = 0;
- ent->attributes[j].values = NULL;
- if (r->attributesonly && (res[i]->elements[j].num_values == 0)) {
- continue;
- }
- ent->attributes[j].num_values = res[i]->elements[j].num_values;
- ent->attributes[j].values = talloc_array(ent->attributes,
- DATA_BLOB, ent->attributes[j].num_values);
- NT_STATUS_HAVE_NO_MEMORY(ent->attributes[j].values);
- for (y=0; y < ent->attributes[j].num_values; y++) {
- ent->attributes[j].values[y].length = res[i]->elements[j].values[y].length;
- ent->attributes[j].values[y].data = talloc_steal(ent->attributes[j].values,
- res[i]->elements[j].values[y].data);
- }
- }
-queue_reply:
- ldapsrv_queue_reply(call, ent_r);
- }
-
-reply:
- done_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultDone);
- NT_STATUS_HAVE_NO_MEMORY(done_r);
-
- if (result == LDAP_SUCCESS) {
- if (count > 0) {
- DEBUG(10,("hldb_Search: results: [%d]\n",count));
- result = LDAP_SUCCESS;
- errstr = NULL;
- } else if (count == 0) {
- DEBUG(10,("hldb_Search: no results\n"));
- result = LDAP_NO_SUCH_OBJECT;
- errstr = ldb_errstring(samdb);
- } else if (count == -1) {
- DEBUG(10,("hldb_Search: error\n"));
- result = LDAP_OTHER;
- errstr = ldb_errstring(samdb);
- }
- }
-
- done = &done_r->msg.r.SearchResultDone;
- done->dn = NULL;
- done->resultcode = result;
- done->errormessage = (errstr?talloc_strdup(done_r,errstr):NULL);
- done->referral = NULL;
-
- talloc_free(local_ctx);
-
- ldapsrv_queue_reply(call, done_r);
- return NT_STATUS_OK;
-#endif
-}
-
-static NTSTATUS hldb_Add(struct ldapsrv_partition *partition, struct ldapsrv_call *call,
- struct ldap_AddRequest *r)
-{
- void *local_ctx;
- struct ldb_dn *dn;
- struct ldap_Result *add_result;
- struct ldapsrv_reply *add_reply;
- int ldb_ret;
- struct ldb_context *samdb;
- struct ldb_message *msg = NULL;
- int result = LDAP_SUCCESS;
- const char *errstr = NULL;
- int i,j;
-
- local_ctx = talloc_named(call, 0, "hldb_Add local memory context");
- NT_STATUS_HAVE_NO_MEMORY(local_ctx);
-
- samdb = ldapsrv_sam_connect(call);
- NT_STATUS_HAVE_NO_MEMORY(samdb);
-
- msg = talloc(local_ctx, struct ldb_message);
- NT_STATUS_HAVE_NO_MEMORY(msg);
-
- msg->dn = ldb_dn_explode(local_ctx, r->dn);
- VALID_DN_SYNTAX(dn, 1);
-
- DEBUG(10, ("hldb_add: dn: [%s]\n", ldb_dn_linearize(local_ctx, dn)));
-
- msg->private_data = NULL;
- msg->num_elements = 0;
- msg->elements = NULL;
-
- if (r->num_attributes > 0) {
- msg->num_elements = r->num_attributes;
- msg->elements = talloc_array(msg, struct ldb_message_element, msg->num_elements);
- NT_STATUS_HAVE_NO_MEMORY(msg->elements);
-
- for (i=0; i < msg->num_elements; i++) {
- msg->elements[i].name = discard_const_p(char, r->attributes[i].name);
- msg->elements[i].flags = 0;
- msg->elements[i].num_values = 0;
- msg->elements[i].values = NULL;
-
- if (r->attributes[i].num_values > 0) {
- msg->elements[i].num_values = r->attributes[i].num_values;
- msg->elements[i].values = talloc_array(msg, struct ldb_val, msg->elements[i].num_values);
- NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
-
- for (j=0; j < msg->elements[i].num_values; j++) {
- if (!(r->attributes[i].values[j].length > 0)) {
- result = LDAP_OTHER;
- errstr = "Empty attribute values are not allowed";
- goto reply;
- }
- msg->elements[i].values[j].length = r->attributes[i].values[j].length;
- msg->elements[i].values[j].data = r->attributes[i].values[j].data;
- }
- } else {
- result = LDAP_OTHER;
- errstr = "No attribute values are not allowed";
- goto reply;
- }
- }
- } else {
- result = LDAP_OTHER;
- errstr = "No attributes are not allowed";
- goto reply;
- }
-
-reply:
- add_reply = ldapsrv_init_reply(call, LDAP_TAG_AddResponse);
- NT_STATUS_HAVE_NO_MEMORY(add_reply);
-
- if (result == LDAP_SUCCESS) {
- ldb_ret = ldb_add(samdb, msg);
- if (ldb_ret == 0) {
- DEBUG(0,("hldb_Add: added: '%s'\n", ldb_dn_linearize(msg, msg->dn)));
- result = LDAP_SUCCESS;
- errstr = NULL;
- } else {
- /* currently we have no way to tell if there was an internal ldb error
- * or if the object was not found, return the most probable error
- */
- result = LDAP_OPERATIONS_ERROR;
- errstr = ldb_errstring(samdb);
- }
- }
-
- add_result = &add_reply->msg->r.AddResponse;
- add_result->dn = NULL;
- add_result->resultcode = result;
- add_result->errormessage = (errstr?talloc_strdup(add_reply,errstr):NULL);
- add_result->referral = NULL;
-
- talloc_free(local_ctx);
-
- ldapsrv_queue_reply(call, add_reply);
- return NT_STATUS_OK;
-}
-
-static NTSTATUS hldb_Del(struct ldapsrv_partition *partition, struct ldapsrv_call *call,
- struct ldap_DelRequest *r)
-{
- void *local_ctx;
- struct ldb_dn *dn;
- struct ldap_Result *del_result;
- struct ldapsrv_reply *del_reply;
- int ldb_ret;
- struct ldb_context *samdb;
- const char *errstr = NULL;
- int result = LDAP_SUCCESS;
-
- local_ctx = talloc_named(call, 0, "hldb_Del local memory context");
- NT_STATUS_HAVE_NO_MEMORY(local_ctx);
-
- samdb = ldapsrv_sam_connect(call);
- NT_STATUS_HAVE_NO_MEMORY(samdb);
-
- dn = ldb_dn_explode(local_ctx, r->dn);
- VALID_DN_SYNTAX(dn,1);
-
- DEBUG(10, ("hldb_Del: dn: [%s]\n", ldb_dn_linearize(local_ctx, dn)));
-
-reply:
- del_reply = ldapsrv_init_reply(call, LDAP_TAG_DelResponse);
- NT_STATUS_HAVE_NO_MEMORY(del_reply);
-
- if (result == LDAP_SUCCESS) {
- ldb_ret = ldb_delete(samdb, dn);
- if (ldb_ret == 0) {
- result = LDAP_SUCCESS;
- errstr = NULL;
- } else {
- /* currently we have no way to tell if there was an internal ldb error
- * or if the object was not found, return the most probable error
- */
- result = LDAP_NO_SUCH_OBJECT;
- errstr = ldb_errstring(samdb);
- }
- }
-
- del_result = &del_reply->msg->r.DelResponse;
- del_result->dn = NULL;
- del_result->resultcode = result;
- del_result->errormessage = (errstr?talloc_strdup(del_reply,errstr):NULL);
- del_result->referral = NULL;
-
- talloc_free(local_ctx);
-
- ldapsrv_queue_reply(call, del_reply);
- return NT_STATUS_OK;
-}
-
-static NTSTATUS hldb_Modify(struct ldapsrv_partition *partition, struct ldapsrv_call *call,
- struct ldap_ModifyRequest *r)
-{
- void *local_ctx;
- struct ldb_dn *dn;
- struct ldap_Result *modify_result;
- struct ldapsrv_reply *modify_reply;
- int ldb_ret;
- struct ldb_context *samdb;
- struct ldb_message *msg = NULL;
- int result = LDAP_SUCCESS;
- const char *errstr = NULL;
- int i,j;
-
- local_ctx = talloc_named(call, 0, "hldb_Modify local memory context");
- NT_STATUS_HAVE_NO_MEMORY(local_ctx);
-
- samdb = ldapsrv_sam_connect(call);
- NT_STATUS_HAVE_NO_MEMORY(samdb);
-
- msg = talloc(local_ctx, struct ldb_message);
- NT_STATUS_HAVE_NO_MEMORY(msg);
-
- msg->dn = ldb_dn_explode(local_ctx, r->dn);
- VALID_DN_SYNTAX(dn,1);
-
- DEBUG(10, ("hldb_modify: dn: [%s]\n", ldb_dn_linearize(local_ctx, dn)));
-
- msg->private_data = NULL;
- msg->num_elements = 0;
- msg->elements = NULL;
-
- if (r->num_mods > 0) {
- msg->num_elements = r->num_mods;
- msg->elements = talloc_array(msg, struct ldb_message_element, r->num_mods);
- NT_STATUS_HAVE_NO_MEMORY(msg->elements);
-
- for (i=0; i < msg->num_elements; i++) {
- msg->elements[i].name = discard_const_p(char, r->mods[i].attrib.name);
- msg->elements[i].num_values = 0;
- msg->elements[i].values = NULL;
-
- switch (r->mods[i].type) {
- default:
- result = LDAP_PROTOCOL_ERROR;
- errstr = "Invalid LDAP_MODIFY_* type";
- goto reply;
- case LDAP_MODIFY_ADD:
- msg->elements[i].flags = LDB_FLAG_MOD_ADD;
- break;
- case LDAP_MODIFY_DELETE:
- msg->elements[i].flags = LDB_FLAG_MOD_DELETE;
- break;
- case LDAP_MODIFY_REPLACE:
- msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
- break;
- }
-
- msg->elements[i].num_values = r->mods[i].attrib.num_values;
- if (msg->elements[i].num_values > 0) {
- msg->elements[i].values = talloc_array(msg, struct ldb_val, msg->elements[i].num_values);
- NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
-
- for (j=0; j < msg->elements[i].num_values; j++) {
- if (!(r->mods[i].attrib.values[j].length > 0)) {
- result = LDAP_OTHER;
- errstr = "Empty attribute values are not allowed";
- goto reply;
- }
- msg->elements[i].values[j].length = r->mods[i].attrib.values[j].length;
- msg->elements[i].values[j].data = r->mods[i].attrib.values[j].data;
- }
- }
- }
- } else {
- result = LDAP_OTHER;
- errstr = "No mods are not allowed";
- goto reply;
- }
-
-reply:
- modify_reply = ldapsrv_init_reply(call, LDAP_TAG_ModifyResponse);
- NT_STATUS_HAVE_NO_MEMORY(modify_reply);
-
- if (result == LDAP_SUCCESS) {
- ldb_ret = ldb_modify(samdb, msg);
- if (ldb_ret == 0) {
- result = LDAP_SUCCESS;
- errstr = NULL;
- } else {
- /* currently we have no way to tell if there was an internal ldb error
- * or if the object was not found, return the most probable error
- */
- result = LDAP_ATTRIBUTE_OR_VALUE_EXISTS;
- result = LDAP_OPERATIONS_ERROR;
- errstr = ldb_errstring(samdb);
- if (strcmp("Type or value exists", errstr) ==0){
- result = LDAP_ATTRIBUTE_OR_VALUE_EXISTS;
- }
- DEBUG(0,("failed to modify: %s - %u - %s\n", ldb_dn_linearize(local_ctx, msg->dn), result, errstr));
- }
- }
-
- modify_result = &modify_reply->msg->r.AddResponse;
- modify_result->dn = NULL;
- modify_result->resultcode = result;
- modify_result->errormessage = (errstr?talloc_strdup(modify_reply,errstr):NULL);
- modify_result->referral = NULL;
-
- talloc_free(local_ctx);
-
- ldapsrv_queue_reply(call, modify_reply);
- return NT_STATUS_OK;
-}
-
-static NTSTATUS hldb_Compare(struct ldapsrv_partition *partition, struct ldapsrv_call *call,
- struct ldap_CompareRequest *r)
-{
- void *local_ctx;
- struct ldb_dn *dn;
- struct ldap_Result *compare;
- struct ldapsrv_reply *compare_r;
- int result = LDAP_SUCCESS;
- struct ldb_context *samdb;
- struct ldb_message **res = NULL;
- const char *attrs[1];
- const char *errstr = NULL;
- const char *filter = NULL;
- int count;
-
- local_ctx = talloc_named(call, 0, "hldb_Compare local_memory_context");
- NT_STATUS_HAVE_NO_MEMORY(local_ctx);
-
- samdb = ldapsrv_sam_connect(call);
- NT_STATUS_HAVE_NO_MEMORY(samdb);
-
- dn = ldb_dn_explode(local_ctx, r->dn);
- VALID_DN_SYNTAX(dn,1);
-
- DEBUG(10, ("hldb_Compare: dn: [%s]\n", ldb_dn_linearize(local_ctx, dn)));
- filter = talloc_asprintf(local_ctx, "(%s=%*s)", r->attribute,
- (int)r->value.length, r->value.data);
- NT_STATUS_HAVE_NO_MEMORY(filter);
-
- DEBUGADD(10, ("hldb_Compare: attribute: [%s]\n", filter));
-
- attrs[0] = NULL;
-
-reply:
- compare_r = ldapsrv_init_reply(call, LDAP_TAG_CompareResponse);
- NT_STATUS_HAVE_NO_MEMORY(compare_r);
-
- if (result == LDAP_SUCCESS) {
- count = ldb_search(samdb, dn, LDB_SCOPE_BASE, filter, attrs, &res);
- talloc_steal(samdb, res);
- if (count == 1) {
- DEBUG(10,("hldb_Compare: matched\n"));
- result = LDAP_COMPARE_TRUE;
- errstr = NULL;
- } else if (count == 0) {
- DEBUG(10,("hldb_Compare: doesn't matched\n"));
- result = LDAP_COMPARE_FALSE;
- errstr = NULL;
- } else if (count > 1) {
- result = LDAP_OTHER;
- errstr = "too many objects match";
- DEBUG(10,("hldb_Compare: %d results: %s\n", count, errstr));
- } else if (count == -1) {
- result = LDAP_OTHER;
- errstr = ldb_errstring(samdb);
- DEBUG(10,("hldb_Compare: error: %s\n", errstr));
- }
- }
-
- compare = &compare_r->msg->r.CompareResponse;
- compare->dn = NULL;
- compare->resultcode = result;
- compare->errormessage = (errstr?talloc_strdup(compare_r,errstr):NULL);
- compare->referral = NULL;
-
- talloc_free(local_ctx);
-
- ldapsrv_queue_reply(call, compare_r);
- return NT_STATUS_OK;
-}
-
-static NTSTATUS hldb_ModifyDN(struct ldapsrv_partition *partition, struct ldapsrv_call *call, struct ldap_ModifyDNRequest *r)
-{
- void *local_ctx;
- struct ldb_dn *olddn, *newrdn, *newsuperior;
- struct ldap_Result *modifydn;
- struct ldapsrv_reply *modifydn_r;
- int ldb_ret;
- struct ldb_context *samdb;
- const char *errstr = NULL;
- int result = LDAP_SUCCESS;
- const struct ldb_dn *newdn = NULL;
- struct ldb_dn *parentdn = NULL;
-
- local_ctx = talloc_named(call, 0, "hldb_ModifyDN local memory context");
- NT_STATUS_HAVE_NO_MEMORY(local_ctx);
-
- samdb = ldapsrv_sam_connect(call);
- NT_STATUS_HAVE_NO_MEMORY(samdb);
-
- olddn = ldb_dn_explode(local_ctx, r->dn);
- VALID_DN_SYNTAX(olddn,2);
-
- newrdn = ldb_dn_explode(local_ctx, r->newrdn);
- VALID_DN_SYNTAX(newrdn,1);
-
- DEBUG(10, ("hldb_ModifyDN: olddn: [%s]\n", ldb_dn_linearize(local_ctx, olddn)));
- DEBUG(10, ("hldb_ModifyDN: newrdn: [%s]\n", ldb_dn_linearize(local_ctx, newrdn)));
-
- /* we can't handle the rename if we should not remove the old dn */
- if (!r->deleteolddn) {
- result = LDAP_UNWILLING_TO_PERFORM;
- errstr = "Old RDN must be deleted";
- goto reply;
- }
-
- if (newrdn->comp_num > 1) {
- result = LDAP_NAMING_VIOLATION;
- errstr = "Error new RDN invalid";
- goto reply;
- }
-
- if (r->newsuperior) {
- newsuperior = ldb_dn_explode(local_ctx, r->newsuperior);
- VALID_DN_SYNTAX(newsuperior,0);
- DEBUG(10, ("hldb_ModifyDN: newsuperior: [%s]\n", ldb_dn_linearize(local_ctx, newsuperior)));
-
- if (newsuperior->comp_num < 1) {
- result = LDAP_AFFECTS_MULTIPLE_DSAS;
- errstr = "Error new Superior DN invalid";
- goto reply;
- }
- parentdn = newsuperior;
- }
-
- if (!parentdn) {
- parentdn = ldb_dn_get_parent(local_ctx, olddn);
- }
- newdn = ldb_dn_make_child(local_ctx, ldb_dn_get_rdn(local_ctx, newrdn), parentdn);
- NT_STATUS_HAVE_NO_MEMORY(newdn);
-
-reply:
- modifydn_r = ldapsrv_init_reply(call, LDAP_TAG_ModifyDNResponse);
- NT_STATUS_HAVE_NO_MEMORY(modifydn_r);
-
- if (result == LDAP_SUCCESS) {
- ldb_ret = ldb_rename(samdb, olddn, newdn);
- if (ldb_ret == 0) {
- result = LDAP_SUCCESS;
- errstr = NULL;
- } else {
- /* currently we have no way to tell if there was an internal ldb error
- * or if the object was not found, return the most probable error
- */
- result = LDAP_NO_SUCH_OBJECT;
- errstr = ldb_errstring(samdb);
- }
- }
-
- modifydn = &modifydn_r->msg->r.ModifyDNResponse;
- modifydn->dn = NULL;
- modifydn->resultcode = result;
- modifydn->errormessage = (errstr?talloc_strdup(modifydn_r,errstr):NULL);
- modifydn->referral = NULL;
-
- talloc_free(local_ctx);
-
- ldapsrv_queue_reply(call, modifydn_r);
- return NT_STATUS_OK;
-}
-
-static const struct ldapsrv_partition_ops hldb_ops = {
- .Search = hldb_Search,
- .Add = hldb_Add,
- .Del = hldb_Del,
- .Modify = hldb_Modify,
- .Compare = hldb_Compare,
- .ModifyDN = hldb_ModifyDN
-};
-
-const struct ldapsrv_partition_ops *ldapsrv_get_hldb_partition_ops(void)
-{
- return &hldb_ops;
-}
diff --git a/source4/ldap_server/ldap_rootdse.c b/source4/ldap_server/ldap_rootdse.c
index 2392f23799..75429b1843 100644
--- a/source4/ldap_server/ldap_rootdse.c
+++ b/source4/ldap_server/ldap_rootdse.c
@@ -52,25 +52,28 @@ static void rootdse_db_debug(void *context, enum ldb_debug_level level, const ch
/*
connect to the SAM database
*/
-static struct ldb_context *rootdse_db_connect(TALLOC_CTX *mem_ctx)
+NTSTATUS rootdse_Init(struct ldapsrv_partition *partition, struct ldapsrv_connection *conn)
{
char *db_path;
struct ldb_context *ldb;
+ TALLOC_CTX *mem_ctx = talloc_new(partition);
db_path = talloc_asprintf(mem_ctx, "tdb://%s",
private_path(mem_ctx, "rootdse.ldb"));
if (db_path == NULL) {
- return NULL;
+ return NT_STATUS_NO_MEMORY;
}
ldb = ldb_wrap_connect(mem_ctx, db_path, 0, NULL);
if (ldb == NULL) {
- return NULL;
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
ldb_set_debug(ldb, rootdse_db_debug, NULL);
- return ldb;
+ talloc_steal(partition, ldb);
+ partition->private = ldb;
+ return NT_STATUS_OK;
}
@@ -258,7 +261,7 @@ static NTSTATUS fill_dynamic_values(void *mem_ctx, struct ldb_message_element *a
}
static NTSTATUS rootdse_Search(struct ldapsrv_partition *partition, struct ldapsrv_call *call,
- struct ldap_SearchRequest *r)
+ struct ldap_SearchRequest *r)
{
NTSTATUS status;
void *local_ctx;
@@ -279,8 +282,7 @@ static NTSTATUS rootdse_Search(struct ldapsrv_partition *partition, struct ldaps
local_ctx = talloc_named(call, 0, "rootdse_Search local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
- ldb = rootdse_db_connect(local_ctx);
- NT_STATUS_HAVE_NO_MEMORY(ldb);
+ ldb = partition->private;
if (r->num_attributes >= 1) {
attrs = talloc_array(ldb, const char *, r->num_attributes+1);
@@ -359,6 +361,7 @@ queue_reply:
}
static const struct ldapsrv_partition_ops rootdse_ops = {
+ .Init = rootdse_Init,
.Search = rootdse_Search
};
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index 83ce059756..dac7feecfb 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -356,6 +356,8 @@ static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
*/
static void ldapsrv_accept(struct stream_connection *c)
{
+ struct ldapsrv_partition *rootDSE_part;
+ struct ldapsrv_partition *part;
struct ldapsrv_service *ldapsrv_service =
talloc_get_type(c->private, struct ldapsrv_service);
struct ldapsrv_connection *conn;
@@ -386,6 +388,42 @@ static void ldapsrv_accept(struct stream_connection *c)
return;
}
+ /* Connections start out anonymous */
+ if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn, &conn->session_info))) {
+ ldapsrv_terminate_connection(conn, "failed to setup anonymous session info");
+ return;
+ }
+
+ rootDSE_part = talloc(conn, struct ldapsrv_partition);
+ if (rootDSE_part == NULL) {
+ ldapsrv_terminate_connection(conn, "talloc failed");
+ return;
+ }
+
+ rootDSE_part->base_dn = ""; /* RootDSE */
+ rootDSE_part->ops = ldapsrv_get_rootdse_partition_ops();
+ if (!NT_STATUS_IS_OK(rootDSE_part->ops->Init(rootDSE_part, conn))) {
+ ldapsrv_terminate_connection(conn, "rootDSE Init failed");
+ }
+
+ conn->rootDSE = rootDSE_part;
+ DLIST_ADD_END(conn->partitions, rootDSE_part, struct ldapsrv_partition *);
+
+ part = talloc(conn, struct ldapsrv_partition);
+ if (part == NULL) {
+ ldapsrv_terminate_connection(conn, "talloc failed");
+ return;
+ }
+
+ part->base_dn = "*"; /* default partition */
+ part->ops = ldapsrv_get_sldb_partition_ops();
+ if (!NT_STATUS_IS_OK(part->ops->Init(part, conn))) {
+ ldapsrv_terminate_connection(conn, "default partition Init failed");
+ }
+
+ conn->default_partition = part;
+ DLIST_ADD_END(conn->partitions, part, struct ldapsrv_partition *);
+
irpc_add_name(c->msg_ctx, "ldap_server");
}
@@ -433,8 +471,6 @@ static NTSTATUS add_socket(struct event_context *event_context,
static void ldapsrv_task_init(struct task_server *task)
{
struct ldapsrv_service *ldap_service;
- struct ldapsrv_partition *rootDSE_part;
- struct ldapsrv_partition *part;
NTSTATUS status;
ldap_service = talloc_zero(task, struct ldapsrv_service);
@@ -443,28 +479,6 @@ static void ldapsrv_task_init(struct task_server *task)
ldap_service->tls_params = tls_initialise(ldap_service);
if (ldap_service->tls_params == NULL) goto failed;
- rootDSE_part = talloc(ldap_service, struct ldapsrv_partition);
- if (rootDSE_part == NULL) goto failed;
-
- rootDSE_part->base_dn = ""; /* RootDSE */
- rootDSE_part->ops = ldapsrv_get_rootdse_partition_ops();
-
- ldap_service->rootDSE = rootDSE_part;
- DLIST_ADD_END(ldap_service->partitions, rootDSE_part, struct ldapsrv_partition *);
-
- part = talloc(ldap_service, struct ldapsrv_partition);
- if (part == NULL) goto failed;
-
- part->base_dn = "*"; /* default partition */
- if (lp_parm_bool(-1, "ldapsrv", "hacked", False)) {
- part->ops = ldapsrv_get_hldb_partition_ops();
- } else {
- part->ops = ldapsrv_get_sldb_partition_ops();
- }
-
- ldap_service->default_partition = part;
- DLIST_ADD_END(ldap_service->partitions, part, struct ldapsrv_partition *);
-
if (lp_interfaces() && lp_bind_interfaces_only()) {
int num_interfaces = iface_count();
int i;
diff --git a/source4/ldap_server/ldap_server.h b/source4/ldap_server/ldap_server.h
index 2aa6530f9f..8eb02a97db 100644
--- a/source4/ldap_server/ldap_server.h
+++ b/source4/ldap_server/ldap_server.h
@@ -27,6 +27,9 @@ struct ldapsrv_connection {
struct auth_session_info *session_info;
struct ldapsrv_service *service;
struct tls_context *tls;
+ struct ldapsrv_partition *rootDSE;
+ struct ldapsrv_partition *default_partition;
+ struct ldapsrv_partition *partitions;
/* partially received request */
DATA_BLOB partial;
@@ -58,6 +61,7 @@ struct ldapsrv_partition;
struct ldapsrv_partition_ops {
const char *name;
NTSTATUS (*Init)(struct ldapsrv_partition *partition, struct ldapsrv_connection *conn);
+ NTSTATUS (*Bind)(struct ldapsrv_partition *partition, struct ldapsrv_connection *conn);
NTSTATUS (*Search)(struct ldapsrv_partition *partition, struct ldapsrv_call *call, struct ldap_SearchRequest *r);
NTSTATUS (*Modify)(struct ldapsrv_partition *partition, struct ldapsrv_call *call, struct ldap_ModifyRequest *r);
NTSTATUS (*Add)(struct ldapsrv_partition *partition, struct ldapsrv_call *call, struct ldap_AddRequest *r);
@@ -71,15 +75,12 @@ struct ldapsrv_partition_ops {
struct ldapsrv_partition {
struct ldapsrv_partition *prev,*next;
- void *private_data;
+ void *private;
const struct ldapsrv_partition_ops *ops;
const char *base_dn;
};
struct ldapsrv_service {
- struct ldapsrv_partition *rootDSE;
- struct ldapsrv_partition *default_partition;
- struct ldapsrv_partition *partitions;
struct tls_params *tls_params;
};
diff --git a/source4/ldap_server/ldap_simple_ldb.c b/source4/ldap_server/ldap_simple_ldb.c
index fbeec2f3ca..8a68004599 100644
--- a/source4/ldap_server/ldap_simple_ldb.c
+++ b/source4/ldap_server/ldap_simple_ldb.c
@@ -22,6 +22,7 @@
#include "includes.h"
#include "ldap_server/ldap_server.h"
#include "lib/ldb/include/ldb.h"
+#include "auth/auth.h"
#include "db_wrap.h"
#define VALID_DN_SYNTAX(dn,i) do {\
@@ -34,8 +35,61 @@
}\
} while(0)
+/*
+ connect to the sam database
+*/
+NTSTATUS sldb_Init(struct ldapsrv_partition *partition, struct ldapsrv_connection *conn)
+{
+ TALLOC_CTX *mem_ctx = talloc_new(partition);
+ struct ldb_context *ldb;
+ const char *url;
+ url = lp_parm_string(-1, "ldapsrv", "samdb");
+ if (url) {
+
+ ldb = ldb_wrap_connect(mem_ctx, url, 0, NULL);
+ if (ldb == NULL) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ if (ldb_set_opaque(ldb, "sessionInfo", conn->session_info)) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ talloc_steal(partition, ldb);
+ partition->private = ldb;
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+ }
+
+ ldb = samdb_connect(mem_ctx, conn->session_info);
+ if (ldb == NULL) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ talloc_steal(partition, ldb);
+ partition->private = ldb;
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
+
+/*
+ Re-connect to the ldb after a bind (this does not handle the bind
+ itself, but just notes the change in credentials)
+*/
+NTSTATUS sldb_Bind(struct ldapsrv_partition *partition, struct ldapsrv_connection *conn)
+{
+ struct ldb_context *samdb = partition->private;
+ NTSTATUS status;
+ status = sldb_Init(partition, conn);
+ if (NT_STATUS_IS_OK(status)) {
+ /* don't leak the old LDB */
+ talloc_free(samdb);
+ }
+ return status;
+}
+
static NTSTATUS sldb_Search(struct ldapsrv_partition *partition, struct ldapsrv_call *call,
- struct ldap_SearchRequest *r)
+ struct ldap_SearchRequest *r)
{
void *local_ctx;
struct ldb_dn *basedn;
@@ -54,8 +108,7 @@ static NTSTATUS sldb_Search(struct ldapsrv_partition *partition, struct ldapsrv_
local_ctx = talloc_named(call, 0, "sldb_Search local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
- samdb = ldapsrv_sam_connect(call);
- NT_STATUS_HAVE_NO_MEMORY(samdb);
+ samdb = partition->private;
basedn = ldb_dn_explode(local_ctx, r->basedn);
VALID_DN_SYNTAX(basedn, 0);
@@ -182,8 +235,7 @@ static NTSTATUS sldb_Add(struct ldapsrv_partition *partition, struct ldapsrv_cal
local_ctx = talloc_named(call, 0, "sldb_Add local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
- samdb = ldapsrv_sam_connect(call);
- NT_STATUS_HAVE_NO_MEMORY(samdb);
+ samdb = partition->private;
dn = ldb_dn_explode(local_ctx, r->dn);
VALID_DN_SYNTAX(dn,1);
@@ -280,8 +332,7 @@ static NTSTATUS sldb_Del(struct ldapsrv_partition *partition, struct ldapsrv_cal
local_ctx = talloc_named(call, 0, "sldb_Del local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
- samdb = ldapsrv_sam_connect(call);
- NT_STATUS_HAVE_NO_MEMORY(samdb);
+ samdb = partition->private;
dn = ldb_dn_explode(local_ctx, r->dn);
VALID_DN_SYNTAX(dn,1);
@@ -335,8 +386,7 @@ static NTSTATUS sldb_Modify(struct ldapsrv_partition *partition, struct ldapsrv_
local_ctx = talloc_named(call, 0, "sldb_Modify local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
- samdb = ldapsrv_sam_connect(call);
- NT_STATUS_HAVE_NO_MEMORY(samdb);
+ samdb = partition->private;
dn = ldb_dn_explode(local_ctx, r->dn);
VALID_DN_SYNTAX(dn, 1);
@@ -447,8 +497,7 @@ static NTSTATUS sldb_Compare(struct ldapsrv_partition *partition, struct ldapsrv
local_ctx = talloc_named(call, 0, "sldb_Compare local_memory_context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
- samdb = ldapsrv_sam_connect(call);
- NT_STATUS_HAVE_NO_MEMORY(samdb);
+ samdb = partition->private;
dn = ldb_dn_explode(local_ctx, r->dn);
VALID_DN_SYNTAX(dn, 1);
@@ -515,8 +564,7 @@ static NTSTATUS sldb_ModifyDN(struct ldapsrv_partition *partition, struct ldapsr
local_ctx = talloc_named(call, 0, "sldb_ModifyDN local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
- samdb = ldapsrv_sam_connect(call);
- NT_STATUS_HAVE_NO_MEMORY(samdb);
+ samdb = partition->private;
olddn = ldb_dn_explode(local_ctx, r->dn);
VALID_DN_SYNTAX(olddn, 2);
@@ -591,6 +639,8 @@ reply:
}
static const struct ldapsrv_partition_ops sldb_ops = {
+ .Init = sldb_Init,
+ .Bind = sldb_Bind,
.Search = sldb_Search,
.Add = sldb_Add,
.Del = sldb_Del,
diff --git a/source4/lib/ldb/tools/cmdline.c b/source4/lib/ldb/tools/cmdline.c
index 7cdecc334f..642ad127d8 100644
--- a/source4/lib/ldb/tools/cmdline.c
+++ b/source4/lib/ldb/tools/cmdline.c
@@ -75,6 +75,11 @@ struct ldb_cmdline *ldb_cmdline_process(struct ldb_context *ldb, int argc, const
if (r != 0) {
goto failed;
}
+
+ if (ldb_set_opaque(ldb, "securityToken", system_session(ldb))) {
+ goto failed;
+ }
+
#endif
ret = talloc_zero(ldb, struct ldb_cmdline);
diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c
index a23aa92bf3..8e52759e70 100644
--- a/source4/libcli/security/security_token.c
+++ b/source4/libcli/security/security_token.c
@@ -165,3 +165,28 @@ void security_token_debug(int dbg_lev, const struct security_token *token)
talloc_free(mem_ctx);
}
+
+/* These really should be cheaper... */
+
+BOOL is_system_token(struct security_token *token)
+{
+ TALLOC_CTX *mem_ctx = talloc_new(token);
+ if (dom_sid_equal(token->user_sid, dom_sid_parse_talloc(mem_ctx, SID_NT_SYSTEM))) {
+ talloc_free(mem_ctx);
+ return True;
+ }
+ talloc_free(mem_ctx);
+ return False;
+}
+
+BOOL is_anonymous_token(struct security_token *token)
+{
+ TALLOC_CTX *mem_ctx = talloc_new(token);
+ if (dom_sid_equal(token->user_sid, dom_sid_parse_talloc(mem_ctx, SID_NT_ANONYMOUS))) {
+ talloc_free(mem_ctx);
+ return True;
+ }
+ talloc_free(mem_ctx);
+ return False;
+}
+
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c
index a580cc6b13..c71fe0c53e 100644
--- a/source4/libnet/libnet_join.c
+++ b/source4/libnet/libnet_join.c
@@ -701,6 +701,8 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru
domain_sid = lsa_query_info.out.info->domain.sid;
domain_name = lsa_query_info.out.info->domain.name.string;
+ DEBUG(0, ("Joining domain %s\n", domain_name));
+
/*
establish a SAMR connection, on the same CIFS transport
*/
diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c
index 837170afac..ca9dc6b089 100644
--- a/source4/libnet/libnet_samsync_ldb.c
+++ b/source4/libnet/libnet_samsync_ldb.c
@@ -1069,9 +1069,7 @@ static NTSTATUS libnet_samsync_ldb_netlogon(struct libnet_context *ctx, TALLOC_C
state->secrets = NULL;
state->trusted_domains = NULL;
- state->sam_ldb = samdb_connect(state);
-
-
+ state->sam_ldb = samdb_connect(state, system_session(state));
r2.error_string = NULL;
r2.delta_fn = libnet_samsync_ldb_fn;
diff --git a/source4/nbt_server/dgram/netlogon.c b/source4/nbt_server/dgram/netlogon.c
index ab2f1cc579..b007ca8114 100644
--- a/source4/nbt_server/dgram/netlogon.c
+++ b/source4/nbt_server/dgram/netlogon.c
@@ -48,7 +48,7 @@ static void nbtd_netlogon_getdc(struct dgram_mailslot_handler *dgmslot,
return;
}
- samctx = samdb_connect(packet);
+ samctx = samdb_connect(packet, anonymous_session(packet));
if (samctx == NULL) {
DEBUG(2,("Unable to open sam in getdc reply\n"));
return;
@@ -108,7 +108,7 @@ static void nbtd_netlogon_getdc2(struct dgram_mailslot_handler *dgmslot,
return;
}
- samctx = samdb_connect(packet);
+ samctx = samdb_connect(packet, anonymous_session(packet));
if (samctx == NULL) {
DEBUG(2,("Unable to open sam in getdc reply\n"));
return;
diff --git a/source4/ntvfs/common/sidmap.c b/source4/ntvfs/common/sidmap.c
index 95d2b756d9..f3ee938d84 100644
--- a/source4/ntvfs/common/sidmap.c
+++ b/source4/ntvfs/common/sidmap.c
@@ -52,7 +52,7 @@ struct sidmap_context *sidmap_open(TALLOC_CTX *mem_ctx)
if (sidmap == NULL) {
return NULL;
}
- sidmap->samctx = samdb_connect(sidmap);
+ sidmap->samctx = samdb_connect(sidmap, system_session(sidmap));
if (sidmap->samctx == NULL) {
talloc_free(sidmap);
return NULL;
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index 94a16d0a09..c8578a7cc1 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -25,6 +25,7 @@
#include "rpc_server/dcerpc_server.h"
#include "rpc_server/common/common.h"
#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "auth/auth.h"
/*
drsuapi_DsBind
@@ -43,7 +44,7 @@ static WERROR drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem
b_state = talloc(dce_call->conn, struct drsuapi_bind_state);
WERR_TALLOC_CHECK(b_state);
- b_state->sam_ctx = samdb_connect(b_state);
+ b_state->sam_ctx = samdb_connect(b_state, dce_call->conn->auth_state.session_info);
if (!b_state->sam_ctx) {
talloc_free(b_state);
return WERR_FOOBAR;
diff --git a/source4/rpc_server/drsuapi/drsuapi_cracknames.c b/source4/rpc_server/drsuapi/drsuapi_cracknames.c
index 866faf49b9..fae84484ee 100644
--- a/source4/rpc_server/drsuapi/drsuapi_cracknames.c
+++ b/source4/rpc_server/drsuapi/drsuapi_cracknames.c
@@ -41,6 +41,11 @@ static WERROR DsCrackNameOneName(struct drsuapi_bind_state *b_state, TALLOC_CTX
uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
const char *name, struct drsuapi_DsNameInfo1 *info1);
+static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
+ uint32_t format_offered, uint32_t format_desired,
+ const struct ldb_dn *name_dn, const char *name,
+ struct drsuapi_DsNameInfo1 *info1);
+
static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(krb5_context context, struct ldb_context *ldb_ctx,
TALLOC_CTX *mem_ctx,
const char *alias_from,
@@ -349,6 +354,14 @@ static WERROR DsCrackNameOneName(struct drsuapi_bind_state *b_state, TALLOC_CTX
WERR_TALLOC_CHECK(result_filter);
break;
}
+ case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
+ domain_filter = NULL;
+
+ result_filter = talloc_asprintf(mem_ctx, "(|(displayName=%s)(samAccountName=%s))",
+ name, name);
+ WERR_TALLOC_CHECK(result_filter);
+ break;
+ }
case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
struct dom_sid *sid = dom_sid_parse_talloc(mem_ctx, name);
@@ -424,6 +437,11 @@ static WERROR DsCrackNameOneName(struct drsuapi_bind_state *b_state, TALLOC_CTX
}
}
+
+ if (format_flags & DRSUAPI_DS_NAME_FLAG_SYNTACTICAL_ONLY) {
+ return DsCrackNameOneSyntactical(mem_ctx, format_offered, format_desired,
+ name_dn, name, info1);
+ }
return DsCrackNameOneFilter(b_state, mem_ctx,
smb_krb5_context,
@@ -433,6 +451,32 @@ static WERROR DsCrackNameOneName(struct drsuapi_bind_state *b_state, TALLOC_CTX
info1);
}
+static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
+ uint32_t format_offered, uint32_t format_desired,
+ const struct ldb_dn *name_dn, const char *name,
+ struct drsuapi_DsNameInfo1 *info1)
+{
+ if (format_offered != DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
+ info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
+ return WERR_OK;
+ }
+
+ switch (format_desired) {
+ case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
+ break;
+ case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
+ break;
+ default:
+ info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
+ return WERR_OK;
+ }
+
+
+
+ return WERR_OK;
+
+}
+
static WERROR DsCrackNameOneFilter(struct drsuapi_bind_state *b_state, TALLOC_CTX *mem_ctx,
struct smb_krb5_context *smb_krb5_context,
uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
@@ -616,6 +660,17 @@ static WERROR DsCrackNameOneFilter(struct drsuapi_bind_state *b_state, TALLOC_CT
info1->status = DRSUAPI_DS_NAME_STATUS_OK;
return WERR_OK;
}
+ case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
+ info1->result_name = samdb_result_string(result_res[0], "displayName", NULL);
+ if (!info1->result_name) {
+ info1->result_name = samdb_result_string(result_res[0], "sAMAccountName", NULL);
+ }
+ if (!info1->result_name) {
+ info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
+ } else {
+ info1->status = DRSUAPI_DS_NAME_STATUS_OK;
+ }
+ }
default:
return WERR_OK;
}
diff --git a/source4/rpc_server/dssetup/dcesrv_dssetup.c b/source4/rpc_server/dssetup/dcesrv_dssetup.c
index fa219343c1..1d391f588f 100644
--- a/source4/rpc_server/dssetup/dcesrv_dssetup.c
+++ b/source4/rpc_server/dssetup/dcesrv_dssetup.c
@@ -25,8 +25,7 @@
#include "librpc/gen_ndr/ndr_samr.h"
#include "librpc/gen_ndr/ndr_dssetup.h"
#include "rpc_server/common/common.h"
-
-
+#include "ldb/include/ldb.h"
/*
dssetup_DsRoleGetPrimaryDomainInformation
*/
@@ -82,13 +81,12 @@ static WERROR dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_call_state
break;
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info);
if (!sam_ctx) {
return WERR_SERVER_UNAVAILABLE;
}
- ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
- "(&(objectClass=domainDNS)(!(objectClass=builtinDomain)))");
+ ret = gendb_search_dn(sam_ctx, mem_ctx, samdb_base_dn(mem_ctx), &res, attrs);
if (ret != 1) {
return WERR_SERVER_UNAVAILABLE;
}
@@ -96,15 +94,18 @@ static WERROR dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_call_state
flags = DS_ROLE_PRIMARY_DS_RUNNING;
if (samdb_result_uint(res[0], "nTMixedDomain", 0) == 1) {
- flags |= DS_ROLE_PRIMARY_DS_MIXED_MODE;
+ flags |= DS_ROLE_PRIMARY_DS_MIXED_MODE;
}
-
- domain = samdb_result_string(res[0], "name", NULL);
+
+ domain = samdb_search_string(sam_ctx, mem_ctx, NULL, "nETBIOSName",
+ "(&(objectclass=crossRef)(ncName=%s))",
+ ldb_dn_linearize(mem_ctx, samdb_base_dn(mem_ctx)));
+
dns_domain = samdb_result_string(res[0], "dnsDomain", NULL);
forest = samdb_result_string(res[0], "dnsDomain", NULL);
- flags |= DS_ROLE_PRIMARY_DOMAIN_GUID_PRESENT;
domain_guid = samdb_result_guid(res[0], "objectGUID");
+ flags |= DS_ROLE_PRIMARY_DOMAIN_GUID_PRESENT;
break;
}
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index ba28462d5e..e4b0e8c8ba 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -27,9 +27,9 @@
#include "rpc_server/dcerpc_server.h"
#include "rpc_server/common/common.h"
#include "lib/ldb/include/ldb.h"
-#include "auth/auth.h"
#include "system/time.h"
#include "db_wrap.h"
+#include "auth/auth.h"
/*
this type allows us to distinguish handle types
@@ -220,9 +220,6 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
struct lsa_policy_state **_state)
{
struct lsa_policy_state *state;
- const char *domain_attrs[] = {"nETBIOSName", "nCName", NULL};
- int ret_domain;
- struct ldb_message **msgs_domain;
state = talloc(mem_ctx, struct lsa_policy_state);
if (!state) {
@@ -230,7 +227,7 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
}
/* make sure the sam database is accessible */
- state->sam_ldb = samdb_connect(state);
+ state->sam_ldb = samdb_connect(state, dce_call->conn->auth_state.session_info);
if (state->sam_ldb == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
@@ -247,16 +244,14 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
return NT_STATUS_NO_MEMORY;
}
- ret_domain = gendb_search(state->sam_ldb, mem_ctx, NULL, &msgs_domain, domain_attrs,
- "(&(objectclass=crossRef)(ncName=%s))", ldb_dn_linearize(mem_ctx, state->domain_dn));
+ state->domain_name
+ = samdb_search_string(state->sam_ldb, mem_ctx, NULL, "nETBIOSName",
+ "(&(objectclass=crossRef)(ncName=%s))", ldb_dn_linearize(mem_ctx, state->domain_dn));
- if (ret_domain == -1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
- if (ret_domain != 1) {
+ if (!state->domain_name) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
+ talloc_steal(state, state->domain_name);
/* work out the builtin_dn - useful for so many calls its worth
fetching here */
@@ -273,23 +268,20 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
return NT_STATUS_NO_SUCH_DOMAIN;
}
- state->domain_sid = talloc_steal(state,
- samdb_search_dom_sid(state->sam_ldb, state,
- state->domain_dn, "objectSid", "dn=%s",
- ldb_dn_linearize(mem_ctx, state->domain_dn)));
+ state->domain_sid = samdb_search_dom_sid(state->sam_ldb, state,
+ state->domain_dn, "objectSid", "dn=%s",
+ ldb_dn_linearize(mem_ctx, state->domain_dn));
if (!state->domain_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
+ talloc_steal(state, state->domain_sid);
+
state->builtin_sid = dom_sid_parse_talloc(state, SID_BUILTIN);
if (!state->builtin_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
- state->domain_name = talloc_strdup(state,
- samdb_result_string(msgs_domain[0], "nETBIOSName",
- lp_workgroup()));
-
*_state = state;
return NT_STATUS_OK;
@@ -2426,14 +2418,6 @@ static NTSTATUS lsa_GetUserName(struct dcesrv_call_state *dce_call, TALLOC_CTX *
return NT_STATUS_INVALID_PARAMETER;
}
- /* TODO: this check should go and we should rely on the calling code that this is valid */
- if (!dce_call->conn->auth_state.session_info ||
- !dce_call->conn->auth_state.session_info->server_info ||
- !dce_call->conn->auth_state.session_info->server_info->account_name ||
- !dce_call->conn->auth_state.session_info->server_info->domain_name) {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
account_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->server_info->account_name);
authority_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->server_info->domain_name);
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index cea645cd02..99701fc4f1 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -26,8 +26,8 @@
#include "rpc_server/dcerpc_server.h"
#include "rpc_server/common/common.h"
#include "librpc/gen_ndr/ndr_dcom.h"
-#include "auth/auth.h"
#include "lib/ldb/include/ldb.h"
+#include "auth/auth.h"
struct server_pipe_state {
struct netr_Credential client_challenge;
@@ -147,7 +147,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
return NT_STATUS_ACCESS_DENIED;
}
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
@@ -159,7 +159,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
if (num_records == 0) {
DEBUG(3,("Couldn't find user [%s] in samdb.\n",
r->in.account_name));
- return NT_STATUS_NO_SUCH_USER;
+ return NT_STATUS_ACCESS_DENIED;
}
if (num_records > 1) {
@@ -322,7 +322,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
NT_STATUS_NOT_OK_RETURN(nt_status);
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
@@ -937,7 +937,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL
return status;
}
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
@@ -1034,7 +1034,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL
nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
NT_STATUS_NOT_OK_RETURN(nt_status);
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
@@ -1167,7 +1167,7 @@ static WERROR netr_DrsGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CT
ZERO_STRUCT(r->out);
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info);
if (sam_ctx == NULL) {
return WERR_DS_SERVICE_UNAVAILABLE;
}
@@ -1256,13 +1256,12 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call,
ZERO_STRUCT(r->out);
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info);
if (sam_ctx == NULL) {
return WERR_GENERAL_FAILURE;
}
- ret = gendb_search(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs,
- "(&(objectClass=domainDNS)(dnsDomain=%s))", lp_realm());
+ ret = gendb_search_dn(sam_ctx, mem_ctx, samdb_base_dn(mem_ctx), &dom_res, dom_attrs);
if (ret == -1) {
return WERR_GENERAL_FAILURE;
}
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 249fb1c8a4..c985187cd9 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -60,12 +60,13 @@ static NTSTATUS samr_Connect(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem
}
/* make sure the sam database is accessible */
- c_state->sam_ctx = samdb_connect(c_state);
+ c_state->sam_ctx = samdb_connect(c_state, dce_call->conn->auth_state.session_info);
if (c_state->sam_ctx == NULL) {
talloc_free(c_state);
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
+
handle = dcesrv_handle_new(dce_call->context, SAMR_HANDLE_CONNECT);
if (!handle) {
talloc_free(c_state);
@@ -3305,7 +3306,7 @@ static NTSTATUS samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX
ZERO_STRUCT(r->out.info);
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index ab99b69458..6fab231619 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -38,6 +38,7 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX
{
struct dcesrv_handle *h;
struct samr_account_state *a_state;
+ struct ldb_context *sam_ctx;
struct ldb_message **res, *msg;
int ret;
struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
@@ -49,8 +50,14 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX
a_state = h->data;
+ /* To change a password we need to open as system */
+ sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
+ if (sam_ctx == NULL) {
+ return NT_STATUS_INVALID_SYSTEM_SERVICE;
+ }
+
/* fetch the old hashes */
- ret = gendb_search_dn(a_state->sam_ctx, mem_ctx,
+ ret = gendb_search_dn(sam_ctx, mem_ctx,
a_state->account_dn, &res, attrs);
if (ret != 1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -113,7 +120,7 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX
return NT_STATUS_NO_MEMORY;
}
- status = samdb_set_password(a_state->sam_ctx, mem_ctx,
+ status = samdb_set_password(sam_ctx, mem_ctx,
a_state->account_dn, a_state->domain_state->domain_dn,
msg, NULL, &new_lmPwdHash, &new_ntPwdHash,
True, /* this is a user password change */
@@ -124,7 +131,7 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX
}
/* modify the samdb record */
- ret = samdb_replace(a_state->sam_ctx, mem_ctx, msg);
+ ret = samdb_replace(sam_ctx, mem_ctx, msg);
if (ret != 0) {
return NT_STATUS_UNSUCCESSFUL;
}
@@ -142,7 +149,7 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
char new_pass[512];
uint32_t new_pass_len;
struct samr_CryptPassword *pwbuf = r->in.password;
- void *sam_ctx;
+ struct ldb_context *sam_ctx;
const struct ldb_dn *user_dn, *domain_dn;
int ret;
struct ldb_message **res, *mod;
@@ -157,9 +164,8 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
return NT_STATUS_WRONG_PASSWORD;
}
- /* this call doesn't take a policy handle, so we need to open
- the sam db from scratch */
- sam_ctx = samdb_connect(mem_ctx);
+ /* To change a password we need to open as system */
+ sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
@@ -260,7 +266,7 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
NTSTATUS status;
char new_pass[512];
uint32_t new_pass_len;
- void *sam_ctx = NULL;
+ struct ldb_context *sam_ctx;
const struct ldb_dn *user_dn, *domain_dn = NULL;
int ret;
struct ldb_message **res, *mod;
@@ -285,11 +291,10 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
goto failed;
}
- /* this call doesn't take a policy handle, so we need to open
- the sam db from scratch */
- sam_ctx = samdb_connect(mem_ctx);
+ /* To change a password we need to open as system */
+ sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
if (sam_ctx == NULL) {
- status = NT_STATUS_INVALID_SYSTEM_SERVICE;
+ return NT_STATUS_INVALID_SYSTEM_SERVICE;
goto failed;
}