Diffstat (limited to 'source3/passdb')
-rw-r--r-- | source3/passdb/ldap.c | 334 | ||||
-rw-r--r-- | source3/passdb/passdb.c | 430 | ||||
-rw-r--r-- | source3/passdb/smbpass.c | 233 |
3 files changed, 596 insertions, 401 deletions
diff --git a/source3/passdb/ldap.c b/source3/passdb/ldap.c index e14742a3aa..8547cf45cf 100644 --- a/source3/passdb/ldap.c +++ b/source3/passdb/ldap.c @@ -23,8 +23,6 @@ #ifdef USE_LDAP #include "includes.h" -#include "lber.h" -#include "ldap.h" extern int DEBUGLEVEL; @@ -190,13 +188,13 @@ BOOL ldap_check_user(LDAP *ldap_struct, LDAPMessage *entry) /******************************************************************* check if the returned entry is a sambaMachine objectclass. ******************************************************************/ -BOOL ldap_check_machine(LDAP *ldap_struct, LDAPMessage *entry) +BOOL ldap_check_trust(LDAP *ldap_struct, LDAPMessage *entry) { BOOL sambaMachine=False; char **valeur; int i; - DEBUG(2,("ldap_check_machine: ")); + DEBUG(2,("ldap_check_trust: ")); valeur=ldap_get_values(ldap_struct, entry, "objectclass"); if (valeur!=NULL) { 
@@ -213,188 +211,195 @@ BOOL ldap_check_machine(LDAP *ldap_struct, LDAPMessage *entry) /******************************************************************* retrieve the user's info and contruct a smb_passwd structure. ******************************************************************/ -static void ldap_get_user(LDAP *ldap_struct,LDAPMessage *entry, - struct smb_passwd *ldap_passwd) +static void ldap_get_sam_passwd(LDAP *ldap_struct, LDAPMessage *entry, + struct sam_passwd *user) { static pstring user_name; - static unsigned char ldappwd[16]; - static unsigned char smbntpwd[16]; - char **valeur; + static pstring fullname; + static pstring home_dir; + static pstring dir_drive; + static pstring logon_script; + static pstring profile_path; + static pstring acct_desc; + static pstring workstations; + static pstring temp; + + bzero(user, sizeof(*user)); + + user->logon_time = (time_t)-1; + user->logoff_time = (time_t)-1; + user->kickoff_time = (time_t)-1; + user->pass_last_set_time = (time_t)-1; + user->pass_can_change_time = (time_t)-1; + user->pass_must_change_time = (time_t)-1; + + get_single_attribute(ldap_struct, entry, "logonTime", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); + + get_single_attribute(ldap_struct, entry, "logoffTime", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); + + get_single_attribute(ldap_struct, entry, "kickoffTime", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); + + get_single_attribute(ldap_struct, entry, "pwdLastSet", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); + + get_single_attribute(ldap_struct, entry, "pwdCanChange", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); + + get_single_attribute(ldap_struct, entry, "pwdMustChange", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); get_single_attribute(ldap_struct, entry, "cn", user_name); + user->smb_name = user_name; + + DEBUG(2,("ldap_get_sam_passwd: user: %s\n", 
user_name)); - DEBUG(2,("ldap_get_user: user: %s\n",user_name)); - - if ( (valeur=ldap_get_values(ldap_struct, entry, "uidAccount")) != NULL) - { - ldap_passwd->smb_userid=atoi(valeur[0]); - ldap_value_free(valeur); - } + get_single_attribute(ldap_struct, entry, "userFullName", fullname); + user->full_name = fullname; + + get_single_attribute(ldap_struct, entry, "homeDirectory", home_dir); + user->home_dir = home_dir; + + get_single_attribute(ldap_struct, entry, "homeDrive", dir_drive); + user->dir_drive = dir_drive; + + get_single_attribute(ldap_struct, entry, "scriptPath", logon_script); + user->logon_script = logon_script; + + get_single_attribute(ldap_struct, entry, "profilePath", profile_path); + user->profile_path = profile_path; + + get_single_attribute(ldap_struct, entry, "comment", acct_desc); + user->acct_desc = acct_desc; + + get_single_attribute(ldap_struct, entry, "userWorkstations", workstations); + user->workstations = workstations; + + + user->unknown_str = NULL; /* don't know, yet! 
*/ + user->munged_dial = NULL; /* "munged" dial-back telephone number */ + + get_single_attribute(ldap_struct, entry, "userPassword", temp); + nt_lm_owf_gen(temp, user->smb_nt_passwd, user->smb_passwd); + bzero(temp, sizeof(temp)); /* destroy local copy of the password */ - if ( (valeur=ldap_get_values(ldap_struct, entry, "userPassword")) != NULL) + get_single_attribute(ldap_struct, entry, "rid", temp); + user->user_rid=atoi(temp); + + get_single_attribute(ldap_struct, entry, "primaryGroupID", temp); + user->group_rid=atoi(temp); + + /* the smb (unix) ids are not stored: they are created */ + user->smb_userid = user_rid_to_uid (user->user_rid); + user->smb_grpid = group_rid_to_uid(user->group_rid); + + get_single_attribute(ldap_struct, entry, "userAccountControl", temp); + user->acct_ctrl=atoi(temp); + + user->unknown_3 = 0xffffff; /* don't know */ + user->logon_divs = 168; /* hours per week */ + user->hours_len = 21; /* 21 times 8 bits = 168 */ + memset(user->hours, 0xff, user->hours_len); /* available at all hours */ + user->unknown_5 = 0x00020000; /* don't know */ + user->unknown_5 = 0x000004ec; /* don't know */ + + if (user->acct_ctrl & (ACB_DOMTRUST|ACB_WSTRUST|ACB_SVRTRUST) ) { - memset(smbntpwd, '\0', 16); - E_md4hash((uchar *) valeur[0], smbntpwd); - valeur[0][14] = '\0'; - strupper(valeur[0]); - memset(ldappwd, '\0', 16); - E_P16((uchar *) valeur[0], ldappwd); - ldap_value_free(valeur); + DEBUG(0,("Inconsistency in the LDAP database\n")); } - - if ( (valeur=ldap_get_values(ldap_struct,entry, "userAccountControl") ) != NULL) + + if (!(user->acct_ctrl & ACB_NORMAL)) { - ldap_passwd->acct_ctrl=atoi(valeur[0]); - if (ldap_passwd->acct_ctrl & (ACB_DOMTRUST|ACB_WSTRUST|ACB_SVRTRUST) ) - { - DEBUG(0,("Inconsistency in the LDAP database\n")); - - } - if (ldap_passwd->acct_ctrl & ACB_NORMAL) - { - ldap_passwd->smb_name=user_name; - ldap_passwd->smb_passwd=ldappwd; - ldap_passwd->smb_nt_passwd=smbntpwd; - } - ldap_value_free(valeur); - } - - if ( 
(valeur=ldap_get_values(ldap_struct,entry, "pwdLastSet")) != NULL) - { - ldap_passwd->pass_last_set_time=(time_t)strtol(valeur[0], NULL, 16); - ldap_value_free(valeur); + DEBUG(0,("User's acct_ctrl bits not set to ACT_NORMAL in LDAP database\n")); + return; } + } /******************************************************************* - retrieve the machine's info and contruct a smb_passwd structure. + retrieve the user's info and contruct a smb_passwd structure. ******************************************************************/ -static void ldap_get_machine(LDAP *ldap_struct,LDAPMessage *entry, - struct smb_passwd *ldap_passwd) +static void ldap_get_smb_passwd(LDAP *ldap_struct,LDAPMessage *entry, + struct smb_passwd *user) { - static pstring user_name; + static pstring user_name; + static pstring user_pass; + static pstring temp; + static unsigned char smblmpwd[16]; static unsigned char smbntpwd[16]; - char **valeur; - - /* by default it's a station */ - ldap_passwd->acct_ctrl = ACB_WSTRUST; + + user->smb_name = NULL; + user->smb_passwd = NULL; + user->smb_nt_passwd = NULL; + user->smb_userid = 0; + user->pass_last_set_time = (time_t)-1; get_single_attribute(ldap_struct, entry, "cn", user_name); - DEBUG(2,("ldap_get_machine: machine: %s\n", user_name)); + DEBUG(2,("ldap_get_smb_passwd: user: %s\n",user_name)); - if ( (valeur=ldap_get_values(ldap_struct, entry, "uidAccount")) != NULL) - { - ldap_passwd->smb_userid=atoi(valeur[0]); - ldap_value_free(valeur); - } - - if ( (valeur=ldap_get_values(ldap_struct, entry, "machinePassword")) != NULL) - { - gethexpwd(valeur[0],smbntpwd); - ldap_value_free(valeur); - } + get_single_attribute(ldap_struct, entry, "userPassword", user_pass); + nt_lm_owf_gen(user_pass, smbntpwd, smblmpwd); + bzero(user_pass, sizeof(user_pass)); /* destroy local copy of the password */ - if ( (valeur=ldap_get_values(ldap_struct,entry, "machineRole") ) != NULL) - { - if ( !strcmp(valeur[0],"workstation") ) - ldap_passwd->acct_ctrl=ACB_WSTRUST; - else 
- if ( !strcmp(valeur[0],"server") ) - ldap_passwd->acct_ctrl=ACB_SVRTRUST; - ldap_value_free(valeur); - } + get_single_attribute(ldap_struct, entry, "userAccountControl", temp); + user->acct_ctrl=decode_acct_ctrl(temp); - ldap_passwd->smb_name=user_name; - ldap_passwd->smb_passwd=smbntpwd; - ldap_passwd->smb_nt_passwd=smbntpwd; -} + get_single_attribute(ldap_struct, entry, "pwdLastSet", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); -/******************************************************************* - find a user or a machine return a smbpass struct. -******************************************************************/ -static struct smb_passwd *get_ldappwd_entry(char *name, int smb_userid) -{ - LDAP *ldap_struct; - LDAPMessage *result; - LDAPMessage *entry; - BOOL machine=False; - - static struct smb_passwd ldap_passwd; - - bzero(&ldap_passwd, sizeof(ldap_passwd)); - - ldap_passwd.smb_name = NULL; - ldap_passwd.smb_passwd = NULL; - ldap_passwd.smb_nt_passwd = NULL; - - ldap_passwd.smb_userid = -1; - ldap_passwd.acct_ctrl = ACB_DISABLED; - ldap_passwd.pass_last_set_time = (time_t)-1; + get_single_attribute(ldap_struct, entry, "rid", temp); - ldap_struct=NULL; + /* the smb (unix) ids are not stored: they are created */ + user->smb_userid = user_rid_to_uid (atoi(temp)); - if (name != NULL) + if (user->acct_ctrl & (ACB_DOMTRUST|ACB_WSTRUST|ACB_SVRTRUST) ) { - DEBUG(10, ("get_ldappwd_entry: search by name: %s\n", name)); + DEBUG(0,("Inconsistency in the LDAP database\n")); + } - else + if (user->acct_ctrl & ACB_NORMAL) { - DEBUG(10, ("get_ldappwd_entry: search by smb_userid: %x\n", smb_userid)); + user->smb_name = user_name; + user->smb_passwd = smblmpwd; + user->smb_nt_passwd = smbntpwd; } +} - if (!ldap_open_connection(&ldap_struct)) - return (NULL); - if (!ldap_connect_system(ldap_struct)) - return (NULL); - - if (name != NULL) - { - if (!ldap_search_one_user_by_name(ldap_struct, name, &result)) - return (NULL); - } - else - { - if 
(!ldap_search_one_user_by_uid(ldap_struct, smb_userid, &result)) - return (NULL); - } +/******************************************************************* + retrieve the trust's info and contruct a smb_passwd structure. +******************************************************************/ +static void ldap_get_trust(LDAP *ldap_struct,LDAPMessage *entry, + struct smb_passwd *trust) +{ + static pstring user_name; + static unsigned char smbntpwd[16]; + static pstring temp; - if (ldap_count_entries(ldap_struct, result) == 0) - { - DEBUG(2,("%s: Non existant user!\n", timestring() )); - return (NULL); - } + get_single_attribute(ldap_struct, entry, "cn", user_name); + DEBUG(2,("ldap_get_trust: trust: %s\n", user_name)); - if (ldap_count_entries(ldap_struct, result) > 1) - { - DEBUG(2,("%s: Strange %d users in the base!\n", - timestring(), ldap_count_entries(ldap_struct, result) )); - } - /* take the first and unique entry */ - entry=ldap_first_entry(ldap_struct, result); + get_single_attribute(ldap_struct, entry, "trustPassword", temp); + gethexpwd(temp,smbntpwd); + + get_single_attribute(ldap_struct, entry, "rid", temp); - if (name != NULL) - { - DEBUG(0,("get_ldappwd_entry: Found user: %s\n",name)); + /* the smb (unix) ids are not stored: they are created */ + trust->smb_userid = user_rid_to_uid(atoi(temp)); - machine = name[strlen(name)-1] == '$'; - } - - if (!machine) - { - if (ldap_check_user(ldap_struct, entry)) - ldap_get_user(ldap_struct, entry, &ldap_passwd); - } - else + get_single_attribute(ldap_struct, entry, "trustAccountControl", temp); + trust->acct_ctrl=decode_acct_ctrl(temp); + + if (trust->acct_ctrl == 0) { - if (ldap_check_machine(ldap_struct, entry)) - ldap_get_machine(ldap_struct, entry, &ldap_passwd); + /* by default it's a workstation (or stand-alone server) */ + trust->acct_ctrl = ACB_WSTRUST; } - - ldap_msgfree(result); - result=NULL; - ldap_unbind(ldap_struct); - - return(&ldap_passwd); + + trust->smb_name = user_name; + trust->smb_passwd = 
NULL; + trust->smb_nt_passwd = smbntpwd; } /************************************************************************ @@ -424,30 +429,6 @@ BOOL mod_ldappwd_entry(struct smb_passwd* pwd, BOOL override) return False; } -/************************************************************************ - Routine to search ldap passwd by name. - - do not call this function directly. use passdb.c instead. - -*************************************************************************/ - -struct smb_passwd *getldappwnam(char *name) -{ - return get_ldappwd_entry(name, 0); -} - -/************************************************************************ - Routine to search ldap passwd by uid. - - do not call this function directly. use passdb.c instead. - -*************************************************************************/ - -struct smb_passwd *getldappwuid(unsigned int uid) -{ - return get_ldappwd_entry(NULL, uid); -} - /*************************************************************** Start to enumerate the ldap passwd list. Returns a void pointer to ensure no modification outside this module. @@ -526,6 +507,9 @@ struct smb_passwd *getldappwent(void *vp) /*************************************************************** End enumeration of the ldap passwd list. + + do not call this function directly. use passdb.c instead. + ****************************************************************/ void endldappwent(void *vp) { diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 9e5b3ef145..263bbe57cd 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c 
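Review bot: In ldap_get_sam_passwd all six time attributes read at the top of the function (logonTime, logoffTime, kickoffTime, pwdLastSet, pwdCanChange, pwdMustChange) are stored into `user->pass_last_set_time`, so logon_time, logoff_time, kickoff_time, pass_can_change_time and pass_must_change_time keep their `(time_t)-1` defaults and the last strtol result wins; each assignment after its `get_single_attribute` should target the field named by that attribute. A little further down `nt_lm_owf_gen(temp, user->smb_nt_passwd, user->smb_passwd)` runs right after `bzero(user, sizeof(*user))`; if sam_passwd's password members are pointers, as smb_passwd's are (ldap_get_smb_passwd in this hunk points them at static buffers), this writes through NULL, so give the function two static 16-byte buffers the way ldap_get_smb_passwd does. `user->unknown_5` is assigned twice in a row, so the first value (0x00020000) is dead. The rid, primaryGroupID and userAccountControl reads go through plain `atoi(temp)`; unless get_single_attribute clears its buffer when the attribute is absent, a missing attribute silently reuses whatever the previous lookup left in `temp`, which is worth confirming against that helper.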
@@ -21,40 +21,34 @@ */ #include "includes.h" +#include "nterr.h" extern int DEBUGLEVEL; -/************************************************************************ - Routine to search sam passwd by name. -*************************************************************************/ +/********************************************************** + ********************************************************** -struct smb_passwd *getsampwnam(char *name) -{ -#ifdef USE_LDAP - return getldappwnam(name); -#else - return getsmbpwnam(name); -#endif /* USE_LDAP */ -} + low-level redirection routines: -/************************************************************************ - Routine to search sam passwd by uid. -*************************************************************************/ + startsampwent() + endsampwent() + getsampwent() + getsam21pwent() + getsampwpos() + setsampwpos() -struct smb_passwd *getsampwuid(unsigned int uid) -{ -#ifdef USE_LDAP - return getldappwuid(uid); -#else - return getsmbpwuid(uid); -#endif /* USE_LDAP */ -} + add_sampwd_entry() + mod_sampwd_entry() + add_sam21pwd_entry() + mod_sam21pwd_entry() + + ********************************************************** + **********************************************************/ /*************************************************************** Start to enumerate the sam passwd list. Returns a void pointer to ensure no modification outside this module. ****************************************************************/ - void *startsampwent(BOOL update) { #ifdef USE_LDAP @@ -67,7 +61,6 @@ void *startsampwent(BOOL update) /*************************************************************** End enumeration of the sam passwd list. ****************************************************************/ - void endsampwent(void *vp) { #ifdef USE_LDAP 
@@ -80,7 +73,6 @@ void endsampwent(void *vp) /************************************************************************* Routine to return the next entry in the sam passwd list. *************************************************************************/ - struct smb_passwd *getsampwent(void *vp) { #ifdef USE_LDAP @@ -91,6 +83,23 @@ struct smb_passwd *getsampwent(void *vp) } /************************************************************************* + Routine to return the next entry in the sam passwd list. + *************************************************************************/ +struct sam_passwd *getsam21pwent(void *vp) +{ +#if 0 +#ifdef USE_LDAP + return getldap21pwent(vp); +#else + return getsmb21pwent(vp); +#endif /* USE_LDAP */ +#else + DEBUG(0,("getsam21pwent: under development\n")); + return NULL; +#endif +} + +/************************************************************************* Return the current position in the sam passwd list as an unsigned long. This must be treated as an opaque token. *************************************************************************/ @@ -119,7 +128,6 @@ BOOL setsampwpos(void *vp, unsigned long tok) /************************************************************************ Routine to add an entry to the sam passwd file. *************************************************************************/ - BOOL add_sampwd_entry(struct smb_passwd *newpwd) { #ifdef USE_LDAP 
@@ -130,6 +138,23 @@ BOOL add_sampwd_entry(struct smb_passwd *newpwd) } /************************************************************************ + Routine to add an entry to the sam passwd file. +*************************************************************************/ +BOOL add_sam21pwd_entry(struct sam_passwd *newpwd) +{ +#if 0 +#ifdef USE_LDAP + return add_ldappwd_entry(newpwd); +#else + return add_smbpwd_entry(newpwd); +#endif /* USE_LDAP */ +#else + DEBUG(0,("add_sam21pwd_entry() - under development\n")); + return False; +#endif +} + +/************************************************************************ Routine to search the sam passwd file for an entry matching the username. and then modify its password entry. We can't use the startsampwent()/ getsampwent()/endsampwent() interfaces here as we depend on looking @@ -137,7 +162,6 @@ BOOL add_sampwd_entry(struct smb_passwd *newpwd) override = False, normal override = True, override XXXXXXXX'd out password or NO PASS ************************************************************************/ - BOOL mod_sampwd_entry(struct smb_passwd* pwd, BOOL override) { #ifdef USE_LDAP 
@@ -147,3 +171,355 @@ BOOL mod_sampwd_entry(struct smb_passwd* pwd, BOOL override) #endif /* USE_LDAP */ } +/************************************************************************ + Routine to search the sam passwd file for an entry matching the username. + and then modify its password entry. We can't use the startsampwent()/ + getsampwent()/endsampwent() interfaces here as we depend on looking + in the actual file to decide how much room we have to write data. + override = False, normal + override = True, override XXXXXXXX'd out password or NO PASS +************************************************************************/ +BOOL mod_sam21pwd_entry(struct sam_passwd* pwd, BOOL override) +{ +#if 0 +#ifdef USE_LDAP + return mod_ldappwd_entry(pwd, override); +#else + return mod_smbpwd_entry(pwd, override); +#endif /* USE_LDAP */ +#else + DEBUG(0,("mod_sam21pwd_entry() - under development\n")); + return False; +#endif +} + +/********************************************************** + ********************************************************** + + high-level database routines: + getsampwnam() + getsampwuid() + getsam21pwnam() + getsam21pwuid() + + ********************************************************** + **********************************************************/ + +/************************************************************************ + Routine to search sam passwd by name. +*************************************************************************/ +struct smb_passwd *getsampwnam(char *name) +{ + struct smb_passwd *pwd = NULL; + void *fp = NULL; + + DEBUG(10, ("getsampwnam: search by name: %s\n", name)); + + /* Open the sam password file - not for update. 
*/ + fp = startsampwent(False); + + if (fp == NULL) + { + DEBUG(0, ("getsampwnam: unable to open sam password database.\n")); + return NULL; + } + + while ((pwd = getsampwent(fp)) != NULL && !strequal(pwd->smb_name, name)); + + if (pwd != NULL) + { + DEBUG(10, ("getsampwnam: found by name: %s\n", name)); + } + + endsampwent(fp); + return pwd; +} + +/************************************************************************ + Routine to search sam passwd by name. +*************************************************************************/ +struct sam_passwd *getsam21pwnam(char *name) +{ + struct sam_passwd *pwd = NULL; + void *fp = NULL; + + DEBUG(10, ("getsam21pwnam: search by name: %s\n", name)); + + /* Open the sam password file - not for update. */ + fp = startsampwent(False); + + if (fp == NULL) + { + DEBUG(0, ("getsam21pwnam: unable to open sam password database.\n")); + return NULL; + } + + while ((pwd = getsam21pwent(fp)) != NULL && !strequal(pwd->smb_name, name)); + + if (pwd != NULL) + { + DEBUG(10, ("getsam21pwnam: found by name: %s\n", name)); + } + + endsampwent(fp); + return pwd; +} + +/************************************************************************ + Routine to search sam passwd by uid. +*************************************************************************/ +struct smb_passwd *getsampwuid(uid_t smb_userid) +{ + struct smb_passwd *pwd = NULL; + void *fp = NULL; + + DEBUG(10, ("getsampwuid: search by smb_userid: %x\n", smb_userid)); + + /* Open the sam password file - not for update. 
*/ + fp = startsampwent(False); + + if (fp == NULL) + { + DEBUG(0, ("getsampwuid: unable to open sam password database.\n")); + return NULL; + } + + while ((pwd = getsampwent(fp)) != NULL && pwd->smb_userid != smb_userid); + + if (pwd != NULL) + { + DEBUG(10, ("getsampwuid: found by smb_userid: %x\n", smb_userid)); + } + + endsmbpwent(fp); + return pwd; +} + +/************************************************************************ + Routine to search sam passwd by rid. +*************************************************************************/ +struct sam_passwd *getsam21pwrid(uint32 rid) +{ + struct sam_passwd *pwd = NULL; + void *fp = NULL; + + DEBUG(10, ("getsam21pwrid: search by rid: %x\n", rid)); + + /* Open the sam password file - not for update. */ + fp = startsampwent(False); + + if (fp == NULL) + { + DEBUG(0, ("getsam21pwrid: unable to open sam password database.\n")); + return NULL; + } + + while ((pwd = getsam21pwent(fp)) != NULL && pwd->user_rid != rid); + + if (pwd != NULL) + { + DEBUG(10, ("getsam21pwrid: found by smb_userid: %x\n", rid)); + } + + endsmbpwent(fp); + return pwd; +} + + +/********************************************************** + ********************************************************** + + utility routines which are likely to be useful to all password + databases + + ********************************************************** + **********************************************************/ + +/********************************************************** + Encode the account control bits into a string. 
+ **********************************************************/ +char *encode_acct_ctrl(uint16 acct_ctrl) +{ + static fstring acct_str; + char *p = acct_str; + + *p++ = '['; + + if (acct_ctrl & ACB_HOMDIRREQ) *p++ = 'H'; + if (acct_ctrl & ACB_TEMPDUP ) *p++ = 'T'; + if (acct_ctrl & ACB_NORMAL ) *p++ = 'U'; + if (acct_ctrl & ACB_MNS ) *p++ = 'M'; + if (acct_ctrl & ACB_WSTRUST ) *p++ = 'W'; + if (acct_ctrl & ACB_SVRTRUST ) *p++ = 'S'; + if (acct_ctrl & ACB_AUTOLOCK ) *p++ = 'L'; + if (acct_ctrl & ACB_PWNOEXP ) *p++ = 'X'; + if (acct_ctrl & ACB_DOMTRUST ) *p++ = 'I'; + + *p++ = ']'; + *p = '\0'; + return acct_str; +} + +/********************************************************** + Decode the account control bits from a string. + + this function breaks coding standards minimum line width of 80 chars. + reason: vertical line-up code clarity - all case statements fit into + 15 lines, which is more important. + **********************************************************/ +uint16 decode_acct_ctrl(char *p) +{ + uint16 acct_ctrl = 0; + BOOL finished = False; + + /* + * Check if the account type bits have been encoded after the + * NT password (in the form [NDHTUWSLXI]). + */ + + if (*p != '[') return 0; + + for (p++; *p && !finished; p++) + { + switch (*p) + { +#if 0 + /* + * Hmmm. Don't allow these to be set/read independently + * of the actual password fields. We don't want a mismatch. + * JRA. + */ + case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ } + case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ } +#endif + case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ } + case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ } + case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ } + case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ } + case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. 
*/ } + case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ } + case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ } + case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ } + case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ } + + case ':': + case '\n': + case '\0': + case ']': + default: { finished = True; } + } + } + + return acct_ctrl; +} + +/************************************************************* + Routine to get the next 32 hex characters and turn them + into a 16 byte array. +**************************************************************/ +int gethexpwd(char *p, char *pwd) +{ + int i; + unsigned char lonybble, hinybble; + char *hexchars = "0123456789ABCDEF"; + char *p1, *p2; + + for (i = 0; i < 32; i += 2) { + hinybble = toupper(p[i]); + lonybble = toupper(p[i + 1]); + + p1 = strchr(hexchars, hinybble); + p2 = strchr(hexchars, lonybble); + if (!p1 || !p2) + return (False); + hinybble = PTR_DIFF(p1, hexchars); + lonybble = PTR_DIFF(p2, hexchars); + + pwd[i / 2] = (hinybble << 4) | lonybble; + } + return (True); +} + +/******************************************************************* + Group and User RID username mapping function + ********************************************************************/ +BOOL name_to_rid(char *user_name, uint32 *u_rid, uint32 *g_rid) +{ + struct passwd *pw = Get_Pwnam(user_name, False); + + if (u_rid == NULL || g_rid == NULL || user_name == NULL) + { + return False; + } + + if (!pw) + { + DEBUG(1,("Username %s is invalid on this system\n", user_name)); + return False; + } + + if (user_in_list(user_name, lp_domain_guest_users())) + { + *u_rid = DOMAIN_USER_RID_GUEST; + } + else if (user_in_list(user_name, lp_domain_admin_users())) + { + *u_rid = DOMAIN_USER_RID_ADMIN; + } + else + { + /* turn the unix UID into a Domain RID. 
this is what the posix + sub-system does (adds 1000 to the uid) */ + *u_rid = uid_to_user_rid(pw->pw_uid); + } + + /* absolutely no idea what to do about the unix GID to Domain RID mapping */ + *g_rid = gid_to_group_rid(pw->pw_gid); + + return True; +} + +/******************************************************************* + XXXX THIS FUNCTION SHOULD NOT BE HERE: IT SHOULD BE A STATIC FUNCTION + INSIDE smbpass.c + + converts NT User RID to a UNIX uid. + ********************************************************************/ +uid_t user_rid_to_uid(uint32 u_rid) +{ + return (uid_t)(u_rid - 1000); +} + +/******************************************************************* + XXXX THIS FUNCTION SHOULD NOT BE HERE: IT SHOULD BE A STATIC FUNCTION + INSIDE smbpass.c + + converts NT Group RID to a UNIX uid. + ********************************************************************/ +uid_t group_rid_to_uid(uint32 u_gid) +{ + return (uid_t)(u_gid - 1000); +} + +/******************************************************************* + XXXX THIS FUNCTION SHOULD NOT BE HERE: IT SHOULD BE A STATIC FUNCTION + INSIDE smbpass.c + + converts UNIX uid to an NT User RID. + ********************************************************************/ +uint32 uid_to_user_rid(uint32 uid) +{ + return (uint32)(uid + 1000); +} + +/******************************************************************* + XXXX THIS FUNCTION SHOULD NOT BE HERE: IT SHOULD BE A STATIC FUNCTION + INSIDE smbpass.c + + converts NT Group RID to a UNIX uid. + ********************************************************************/ +uint32 gid_to_group_rid(uint32 gid) +{ + return (uint32)(gid + 1000); +} + diff --git a/source3/passdb/smbpass.c b/source3/passdb/smbpass.c index cb75d62e42..3f6ce8aaef 100644 --- a/source3/passdb/smbpass.c +++ b/source3/passdb/smbpass.c 
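Review bot: getsampwuid and getsam21pwrid close the database with `endsmbpwent(fp)` although the handle came from `startsampwent(False)`; under USE_LDAP that handle is the ldap enumeration context, so both should call `endsampwent(fp)` as getsampwnam and getsam21pwnam in the same hunk do. In name_to_rid the initializer `Get_Pwnam(user_name, False)` runs before the `user_name == NULL` guard, so the guard never protects the lookup; move the call below the check. gethexpwd does not reject input shorter than 32 characters: `strchr(hexchars, '\0')` returns a pointer to the terminator rather than NULL, so a NUL decodes as nybble 16 and the next iteration reads past the string's end, and `toupper(p[i])` on a plain `char` is undefined for negative values — cast to `unsigned char` and fail on `'\0'` explicitly. user_rid_to_uid and group_rid_to_uid subtract 1000 with no lower bound, while name_to_rid hands out DOMAIN_USER_RID_GUEST/ADMIN; if those well-known RIDs are below 1000, the ldap.c callers turn them into a wrapped-around uid instead of an error, so a `u_rid < 1000` check with a documented failure value is needed here or at the callers.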
@@ -336,78 +336,9 @@ struct smb_passwd *getsmbpwent(void *vp) DEBUG(5, ("getsmbpwent: returning passwd entry for user %s, uid %d\n", user_name, uidval)); - /* - * Check if the account type bits have been encoded after the - * NT password (in the form [NDHTUWSLXI]). - */ - - if (*p == '[') { - BOOL finished = False; - - pw_buf.acct_ctrl = 0; - - for(p++;*p && !finished; p++) { - switch (*p) { -#if 0 - /* - * Hmmm. Don't allow these to be set/read independently - * of the actual password fields. We don't want a mismatch. - * JRA. - */ - case 'N': - /* 'N'o password. */ - pw_buf.acct_ctrl |= ACB_PWNOTREQ; - break; - case 'D': - /* 'D'isabled. */ - pw_buf.acct_ctrl |= ACB_DISABLED; - break; -#endif - case 'H': - /* 'H'omedir required. */ - pw_buf.acct_ctrl |= ACB_HOMDIRREQ; - break; - case 'T': - /* 'T'emp account. */ - pw_buf.acct_ctrl |= ACB_TEMPDUP; - break; - case 'U': - /* 'U'ser account (normal). */ - pw_buf.acct_ctrl |= ACB_NORMAL; - break; - case 'M': - /* 'M'NS logon user account. What is this ? */ - pw_buf.acct_ctrl |= ACB_MNS; - break; - case 'W': - /* 'W'orkstation account. */ - pw_buf.acct_ctrl |= ACB_WSTRUST; - break; - case 'S': - /* 'S'erver account. */ - pw_buf.acct_ctrl |= ACB_SVRTRUST; - break; - case 'L': - /* 'L'ocked account. */ - pw_buf.acct_ctrl |= ACB_AUTOLOCK; - break; - case 'X': - /* No 'X'piry. */ - pw_buf.acct_ctrl |= ACB_PWNOEXP; - break; - case 'I': - /* 'I'nterdomain trust account. */ - pw_buf.acct_ctrl |= ACB_DOMTRUST; - break; - - case ':': - case '\n': - case '\0': - case ']': - default: - finished = True; - } - } + if (*p == '[') + { + pw_buf.acct_ctrl = decode_acct_ctrl(p); /* Must have some account type set. */ if(pw_buf.acct_ctrl == 0) 
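Review bot: The removed loop advanced `p` itself and left it just past the closing `]`, but `decode_acct_ctrl(p)` receives a copy, so after the call `p` still points at the `[`. getsmbpwent continues beyond the hunk; if the code that follows uses `p` to locate the field after the account-control block (the last-change-time field), it now starts on `[` and will not recognise it, silently losing that value. Step past the block after the call, e.g. `while (*p && *p != ']') p++; if (*p == ']') p++;`, which keeps decode_acct_ctrl's by-value signature that the two ldap.c callers in this commit rely on.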
@@ -438,7 +369,7 @@ struct smb_passwd *getsmbpwent(void *vp)
 } else {
 /* 'Old' style file. Fake up based on user name. */
 /*
- * Currently machine accounts are kept in the same
+ * Currently trust accounts are kept in the same
 * password file as 'normal accounts'. If this changes
 * we will have to fix this code. JRA.
 */
@@ -479,107 +410,12 @@ BOOL setsmbpwpos(void *vp, unsigned long tok)
 return !fseek((FILE *)vp, tok, SEEK_SET);
 }
-/*************************************************************************
- Routine to search the smbpasswd file for an entry matching the username
- or user id. if the name is NULL, then the smb_uid is used instead.
- *************************************************************************/
-static struct smb_passwd *get_smbpwd_entry(char *name, int smb_userid)
-{
- struct smb_passwd *pwd = NULL;
- FILE *fp = NULL;
-
- if (name != NULL) {
- DEBUG(10, ("get_smbpwd_entry: search by name: %s\n", name));
- } else {
- DEBUG(10, ("get_smbpwd_entry: search by smb_userid: %x\n", smb_userid));
- }
-
- /* Open the smbpassword file - not for update. */
- fp = startsmbpwent(False);
-
- if (fp == NULL) {
- DEBUG(0, ("get_smbpwd_entry: unable to open password file.\n"));
- return NULL;
- }
-
- /*
- * Scan the file, a line at a time and check if the name
- * or uid matches.
- */
-
- while ((pwd = getsmbpwent(fp)) != NULL) {
- if (name != NULL) {
- /* Search is by user name */
- if (!strequal(pwd->smb_name, name))
- continue;
- DEBUG(10, ("get_smbpwd_entry: found by name: %s\n", name));
- break;
- } else {
- /* Search is by user id */
- if (pwd->smb_userid != smb_userid)
- continue;
- DEBUG(10, ("get_smbpwd_entry: found by smb_userid: %x\n", smb_userid));
- break;
- }
- }
-
- endsmbpwent(fp);
- return pwd;
-}
-
-/************************************************************************
- Routine to search smb passwd by name.
-*************************************************************************/
-
-struct smb_passwd *getsmbpwnam(char *name)
-{
- return get_smbpwd_entry(name, 0);
-}
-
-
-/************************************************************************
- Routine to search smb passwd by uid.
-*************************************************************************/
-
-struct smb_passwd *getsmbpwuid(unsigned int uid)
-{
- return get_smbpwd_entry(NULL, uid);
-}
-
-
-/**********************************************************
- Encode the account control bits into a string.
-**********************************************************/
-
-char *encode_acct_ctrl(uint16 acct_ctrl)
-{
- static fstring acct_str;
- char *p = acct_str;
-
- *p++ = '[';
-
- if (acct_ctrl & ACB_HOMDIRREQ) *p++ = 'H';
- if (acct_ctrl & ACB_TEMPDUP ) *p++ = 'T';
- if (acct_ctrl & ACB_NORMAL ) *p++ = 'U';
- if (acct_ctrl & ACB_MNS ) *p++ = 'M';
- if (acct_ctrl & ACB_WSTRUST ) *p++ = 'W';
- if (acct_ctrl & ACB_SVRTRUST ) *p++ = 'S';
- if (acct_ctrl & ACB_AUTOLOCK ) *p++ = 'L';
- if (acct_ctrl & ACB_PWNOEXP ) *p++ = 'X';
- if (acct_ctrl & ACB_DOMTRUST ) *p++ = 'I';
-
- *p++ = ']';
- *p = '\0';
- return acct_str;
-}
-
 /************************************************************************
 Routine to add an entry to the smbpasswd file.
 do not call this function directly. use passdb.c instead.
 *************************************************************************/
-
 BOOL add_smbpwd_entry(struct smb_passwd *newpwd)
 {
 char *pfile = lp_smb_passwd_file();
@@ -713,7 +549,6 @@ Error was %s. Password file may be corrupt ! Please examine by hand !\n",
 do not call this function directly. use passdb.c instead.
 ************************************************************************/
-
 BOOL mod_smbpwd_entry(struct smb_passwd* pwd, BOOL override)
 {
 /* Static buffers we will return. */
@@ -1060,10 +895,10 @@ static int mach_passwd_lock_depth;
 static FILE *mach_passwd_fp;
 /************************************************************************
- Routine to get the name for a machine account file.
+ Routine to get the name for a trust account file.
 ************************************************************************/
-static void get_machine_account_file_name( char *domain, char *name, char *mac_file)
+static void get_trust_account_file_name( char *domain, char *name, char *mac_file)
 {
 unsigned int mac_file_len;
 char *p;
@@ -1077,7 +912,7 @@ static void get_machine_account_file_name( char *domain, char *name, char *mac_f
 if ((int)(sizeof(pstring) - mac_file_len - strlen(domain) - strlen(name) - 6) < 0) {
- DEBUG(0,("machine_password_lock: path %s too long to add machine details.\n",
+ DEBUG(0,("trust_password_lock: path %s too long to add trust details.\n",
 mac_file));
 return;
 }
@@ -1089,16 +924,16 @@ static void get_machine_account_file_name( char *domain, char *name, char *mac_f
 }
 /************************************************************************
- Routine to lock the machine account password file for a domain.
+ Routine to lock the trust account password file for a domain.
 ************************************************************************/
-BOOL machine_password_lock( char *domain, char *name, BOOL update)
+BOOL trust_password_lock( char *domain, char *name, BOOL update)
 {
 pstring mac_file;
 if(mach_passwd_lock_depth == 0) {
- get_machine_account_file_name( domain, name, mac_file);
+ get_trust_account_file_name( domain, name, mac_file);
 if((mach_passwd_fp = fopen(mac_file, "r+b")) == NULL) {
 if(errno == ENOENT && update) {
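Review bot: trust_password_lock() cannot learn that get_trust_account_file_name() failed: the helper is void, and in the preceding hunk its length check only logs and returns, apparently leaving mac_file holding whatever prefix was already measured as mac_file_len (the lines that build it are not shown), so the fopen() right after the call opens that partial path instead of failing. Because this file holds the domain trust secret, the caller should stop on that error rather than proceed. Make the helper return BOOL (False at the too-long return, True at its end) and change the call here to `if (!get_trust_account_file_name(domain, name, mac_file)) return False;`; trust_password_delete() in a later hunk calls the helper the same unchecked way and would benefit from the same treatment. The remainder of trust_password_lock, including the ENOENT branch, lies outside this hunk.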
@@ -1106,7 +941,7 @@ BOOL machine_password_lock( char *domain, char *name, BOOL update)
 }
 if(mach_passwd_fp == NULL) {
- DEBUG(0,("machine_password_lock: cannot open file %s - Error was %s.\n",
+ DEBUG(0,("trust_password_lock: cannot open file %s - Error was %s.\n",
 mac_file, strerror(errno) ));
 return False;
 }
@@ -1117,7 +952,7 @@ BOOL machine_password_lock( char *domain, char *name, BOOL update)
 if(!pw_file_lock(fileno(mach_passwd_fp), (update ? F_WRLCK : F_RDLCK), 60, &mach_passwd_lock_depth)) {
- DEBUG(0,("machine_password_lock: cannot lock file %s\n", mac_file));
+ DEBUG(0,("trust_password_lock: cannot lock file %s\n", mac_file));
 fclose(mach_passwd_fp);
 return False;
 }
@@ -1128,10 +963,10 @@ BOOL machine_password_lock( char *domain, char *name, BOOL update)
 }
 /************************************************************************
- Routine to unlock the machine account password file for a domain.
+ Routine to unlock the trust account password file for a domain.
 ************************************************************************/
-BOOL machine_password_unlock(void)
+BOOL trust_password_unlock(void)
 {
 BOOL ret = pw_file_unlock(fileno(mach_passwd_fp), &mach_passwd_lock_depth);
 if(mach_passwd_lock_depth == 0)
@@ -1140,23 +975,23 @@ BOOL machine_password_unlock(void)
 }
 /************************************************************************
- Routine to delete the machine account password file for a domain.
+ Routine to delete the trust account password file for a domain.
 ************************************************************************/
-BOOL machine_password_delete( char *domain, char *name )
+BOOL trust_password_delete( char *domain, char *name )
 {
 pstring mac_file;
- get_machine_account_file_name( domain, name, mac_file);
+ get_trust_account_file_name( domain, name, mac_file);
 return (unlink( mac_file ) == 0);
 }
 /************************************************************************
- Routine to get the machine account password for a domain.
- The user of this function must have locked the machine password file.
+ Routine to get the trust account password for a domain.
+ The user of this function must have locked the trust password file.
 ************************************************************************/
-BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set_time)
+BOOL get_trust_account_password( unsigned char *ret_pwd, time_t *pass_last_set_time)
 {
 char linebuf[256];
 char *p;
@@ -1168,14 +1003,14 @@ BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set
 memset(ret_pwd, '\0', 16);
 if(fseek( mach_passwd_fp, 0L, SEEK_SET) == -1) {
- DEBUG(0,("get_machine_account_password: Failed to seek to start of file. Error was %s.\n",
+ DEBUG(0,("get_trust_account_password: Failed to seek to start of file. Error was %s.\n",
 strerror(errno) ));
 return False;
 }
 fgets(linebuf, sizeof(linebuf), mach_passwd_fp);
 if(ferror(mach_passwd_fp)) {
- DEBUG(0,("get_machine_account_password: Failed to read password. Error was %s.\n",
+ DEBUG(0,("get_trust_account_password: Failed to read password. Error was %s.\n",
 strerror(errno) ));
 return False;
 }
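Review bot: The result of `fgets(linebuf, sizeof(linebuf), mach_passwd_fp);` is discarded and only ferror() is consulted, so an empty or truncated trust password file (fgets returning NULL at EOF with no stream error) passes this check and the strlen()/format tests in the following hunk run on whatever the uninitialised `char linebuf[256]` from the previous hunk happens to contain. Replace the two statements with `if (fgets(linebuf, sizeof(linebuf), mach_passwd_fp) == NULL) {`, keeping the existing DEBUG and `return False;`, which covers both the error and the EOF case in one place. I cannot see the lines between `char *p;` and `memset(...)`, so if linebuf is zeroed there the outcome is merely a wrong-length rejection instead of a read of indeterminate bytes, but the read should still be checked. get_trust_account_password continues past this hunk.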
@@ -1186,9 +1021,9 @@ BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set
 */
 if(strlen(linebuf) != 45) {
- DEBUG(0,("get_machine_account_password: Malformed machine password file (wrong length).\n"));
+ DEBUG(0,("get_trust_account_password: Malformed trust password file (wrong length).\n"));
 #ifdef DEBUG_PASSWORD
- DEBUG(100,("get_machine_account_password: line = |%s|\n", linebuf));
+ DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf));
 #endif
 return False;
 }
@@ -1199,9 +1034,9 @@ BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set
 if (!gethexpwd((char *)linebuf, (char *)ret_pwd) || linebuf[32] != ':' || strncmp(&linebuf[33], "TLC-", 4)) {
- DEBUG(0,("get_machine_account_password: Malformed machine password file (incorrect format).\n"));
+ DEBUG(0,("get_trust_account_password: Malformed trust password file (incorrect format).\n"));
 #ifdef DEBUG_PASSWORD
- DEBUG(100,("get_machine_account_password: line = |%s|\n", linebuf));
+ DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf));
 #endif
 return False;
 }
@@ -1213,9 +1048,9 @@ BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set
 for(i = 0; i < 8; i++) {
 if(p[i] == '\0' || !isxdigit(p[i])) {
- DEBUG(0,("get_machine_account_password: Malformed machine password file (no timestamp).\n"));
+ DEBUG(0,("get_trust_account_password: Malformed trust password file (no timestamp).\n"));
 #ifdef DEBUG_PASSWORD
- DEBUG(100,("get_machine_account_password: line = |%s|\n", linebuf));
+ DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf));
 #endif
 return False;
 }
@@ -1233,17 +1068,17 @@ BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set
 }
 /************************************************************************
- Routine to get the machine account password for a domain.
- The user of this function must have locked the machine password file.
+ Routine to get the trust account password for a domain.
+ The user of this function must have locked the trust password file.
 ************************************************************************/
-BOOL set_machine_account_password( unsigned char *md4_new_pwd)
+BOOL set_trust_account_password( unsigned char *md4_new_pwd)
 {
 char linebuf[64];
 int i;
 if(fseek( mach_passwd_fp, 0L, SEEK_SET) == -1) {
- DEBUG(0,("set_machine_account_password: Failed to seek to start of file. Error was %s.\n",
+ DEBUG(0,("set_trust_account_password: Failed to seek to start of file. Error was %s.\n",
 strerror(errno) ));
 return False;
 }
@@ -1254,8 +1089,8 @@ BOOL set_machine_account_password( unsigned char *md4_new_pwd)
 sprintf(&linebuf[32], ":TLC-%08X\n", (unsigned)time(NULL));
 if(fwrite( linebuf, 1, 45, mach_passwd_fp)!= 45) {
- DEBUG(0,("set_machine_account_password: Failed to write file. Warning - the machine \
-machine account is now invalid. Please recreate. Error was %s.\n", strerror(errno) ));
+ DEBUG(0,("set_trust_account_password: Failed to write file. Warning - the trust \
+account is now invalid. Please recreate. Error was %s.\n", strerror(errno) ));
 return False;
 } |
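Review bot: The header comment on set_trust_account_password() still reads `Routine to get the trust account password for a domain.`; it was wrong before the rename and the commit carries the error over, so it should become `Routine to set the trust account password for a domain.` with the locking sentence kept as is. While there, the comment could say that the file is rewritten in place from offset 0 (the fseek here and the fixed 45-byte fwrite in the next hunk show this) and that md4_new_pwd is presumably the 16-byte hash that fills the 32 hex characters before the `:TLC-` suffix, which the lines between the two hunks would confirm. The rest of the function lies outside this hunk.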