summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/change_trust_pw.c95
-rw-r--r--source3/smbd/oplock.c2
-rw-r--r--source3/smbd/process.c6
-rw-r--r--source3/smbd/reply.c19
-rw-r--r--source3/smbd/server.c8
-rw-r--r--source3/smbd/sesssetup.c6
-rw-r--r--source3/smbd/uid.c122
7 files changed, 82 insertions, 176 deletions
diff --git a/source3/smbd/change_trust_pw.c b/source3/smbd/change_trust_pw.c
index 8aff96d0d6..a140978733 100644
--- a/source3/smbd/change_trust_pw.c
+++ b/source3/smbd/change_trust_pw.c
@@ -24,36 +24,26 @@
#include "includes.h"
-/************************************************************************
- Change the trust account password for a domain.
-************************************************************************/
+/*********************************************************
+ Change the domain password on the PDC.
+**********************************************************/
-NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine)
+static NTSTATUS modify_trust_password( const char *domain, const char *remote_machine,
+ unsigned char orig_trust_passwd_hash[16])
{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct in_addr pdc_ip;
- fstring dc_name;
struct cli_state *cli;
+ DOM_SID domain_sid;
+ NTSTATUS nt_status;
- if (remote_machine == NULL || !strcmp(remote_machine, "*")) {
- /* Use the PDC *only* for this */
-
- if ( !get_pdc_ip(domain, &pdc_ip) ) {
- DEBUG(0,("Can't get IP for PDC for domain %s\n", domain));
- goto failed;
- }
+ /*
+ * Ensure we have the domain SID for this domain.
+ */
- if ( !lookup_dc_name(global_myname(), domain, &pdc_ip, dc_name) )
- goto failed;
- }
- /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
- else {
- fstrcpy( dc_name, remote_machine );
+ if (!secrets_fetch_domain_sid(domain, &domain_sid)) {
+ DEBUG(0, ("modify_trust_password: unable to fetch domain sid.\n"));
+ return NT_STATUS_UNSUCCESSFUL;
}
-
- /* if this next call fails, then give up. We can't do
- password changes on BDC's --jerry */
-
+
if (!NT_STATUS_IS_OK(cli_full_connection(&cli, global_myname(), remote_machine,
NULL, 0,
"IPC$", "IPC",
@@ -61,8 +51,7 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
"", 0, NULL)))
{
DEBUG(0,("modify_trust_password: Connection to %s failed!\n", remote_machine));
- nt_status = NT_STATUS_UNSUCCESSFUL;
- goto failed;
+ return NT_STATUS_UNSUCCESSFUL;
}
/*
@@ -76,22 +65,64 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
cli_nt_session_close(cli);
cli_ulogoff(cli);
cli_shutdown(cli);
- nt_status = NT_STATUS_UNSUCCESSFUL;
- goto failed;
+ return NT_STATUS_UNSUCCESSFUL;
}
- nt_status = trust_pw_find_change_and_store_it(cli, cli->mem_ctx,
- domain);
+ nt_status = trust_pw_change_and_store_it(cli, cli->mem_ctx,
+ orig_trust_passwd_hash);
cli_nt_session_close(cli);
cli_ulogoff(cli);
cli_shutdown(cli);
+ return nt_status;
+}
+
+/************************************************************************
+ Change the trust account password for a domain.
+************************************************************************/
+
+NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine)
+{
+ unsigned char old_trust_passwd_hash[16];
+ time_t lct;
+ NTSTATUS res = NT_STATUS_UNSUCCESSFUL;
+ struct in_addr pdc_ip;
+ fstring dc_name;
+
+
+ if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) {
+ DEBUG(0,("change_trust_account_password: unable to read the machine account password for domain %s.\n",
+ domain));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (remote_machine == NULL || !strcmp(remote_machine, "*")) {
+ /* Use the PDC *only* for this */
+
+ if ( !get_pdc_ip(domain, &pdc_ip) ) {
+ DEBUG(0,("Can't get IP for PDC for domain %s\n", domain));
+ goto failed;
+ }
+
+ if ( !lookup_dc_name(global_myname(), domain, &pdc_ip, dc_name) )
+ goto failed;
+ }
+ /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
+ else {
+ fstrcpy( dc_name, remote_machine );
+ }
+
+ /* if this next call fails, then give up. We can't do
+ password changes on BDC's --jerry */
+
+ res = modify_trust_password(domain, dc_name, old_trust_passwd_hash);
+
failed:
- if (!NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_IS_OK(res)) {
DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n",
timestring(False), domain));
}
- return nt_status;
+ return res;
}
diff --git a/source3/smbd/oplock.c b/source3/smbd/oplock.c
index d6c44893d6..f5c19bcf62 100644
--- a/source3/smbd/oplock.c
+++ b/source3/smbd/oplock.c
@@ -391,7 +391,7 @@ pid %d, port %d, dev = %x, inode = %.0f, file_id = %lu\n",
/*
* Keep this as a debug case - eventually we can remove it.
*/
- case (CMD_REPLY | KERNEL_OPLOCK_BREAK_CMD):
+ case 0x8001:
DEBUG(0,("process_local_message: Received unsolicited break \
reply - dumping info.\n"));
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 54fd4a90d9..de1bea493f 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1179,11 +1179,9 @@ machine %s in domain %s.\n", global_myname(), lp_workgroup() ));
return True;
}
- if(!secrets_fetch_trust_account_password(lp_workgroup(),
- trust_passwd_hash,
- &lct, NULL)) {
+ if(!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd_hash, &lct)) {
DEBUG(0,("process: unable to read the machine account password for \
-machine %s in domain %s.\n", global_myname(), lp_workgroup()));
+machine %s in domain %s.\n", global_myname(), lp_workgroup() ));
secrets_lock_trust_account_password(lp_workgroup(), False);
return True;
}
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index b2dab2fea2..d655184042 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -148,7 +148,7 @@ int reply_tcon(connection_struct *conn,
const char *service;
pstring service_buf;
pstring password;
- fstring dev;
+ pstring dev;
int outsize = 0;
uint16 vuid = SVAL(inbuf,smb_uid);
int pwlen=0;
@@ -204,7 +204,7 @@ int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
{
fstring service;
DATA_BLOB password;
-
+
/* what the cleint thinks the device is */
fstring client_devicetype;
/* what the server tells the client the share represents */
@@ -286,12 +286,13 @@ int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
const char *fsname = IS_IPC(conn) ? "" : lp_fstype(SNUM(conn));
set_message(outbuf,3,0,True);
-
- p = smb_buf(outbuf);
+
+ p = smb_buf(outbuf);
p += srvstr_push(outbuf, p, server_devicetype, -1,
- STR_TERMINATE|STR_ASCII);
- p += srvstr_push(outbuf, p, fsname, -1,
- STR_TERMINATE);
+ STR_TERMINATE|STR_ASCII);
+ p += srvstr_push(outbuf, p, fsname, -1,
+ STR_TERMINATE);
+
set_message_end(outbuf,p);
/* what does setting this bit do? It is set by NT4 and
@@ -1463,6 +1464,7 @@ void send_file_readbraw(connection_struct *conn, files_struct *fsp, SMB_OFF_T st
int reply_readbraw(connection_struct *conn, char *inbuf, char *outbuf, int dum_size, int dum_buffsize)
{
+ extern struct current_user current_user;
ssize_t maxcount,mincount;
size_t nread = 0;
SMB_OFF_T startpos;
@@ -2360,6 +2362,7 @@ int reply_exit(connection_struct *conn,
int reply_close(connection_struct *conn, char *inbuf,char *outbuf, int size,
int dum_buffsize)
{
+ extern struct current_user current_user;
int outsize = 0;
time_t mtime;
int32 eclass = 0, err = 0;
@@ -2380,7 +2383,7 @@ int reply_close(connection_struct *conn, char *inbuf,char *outbuf, int size,
* We can only use CHECK_FSP if we know it's not a directory.
*/
- if(!fsp || (fsp->conn != conn)) {
+ if(!fsp || (fsp->conn != conn) || (fsp->vuid != current_user.vuid)) {
END_PROFILE(SMBclose);
return ERROR_DOS(ERRDOS,ERRbadfid);
}
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 8ce20c87a4..5c59dce4df 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -833,9 +833,6 @@ static BOOL init_structs(void )
if (!init_registry())
exit(1);
- if (!idmap_init(lp_idmap_backend()))
- exit(1);
-
if(!initialize_password_db(False))
exit(1);
@@ -871,10 +868,6 @@ static BOOL init_structs(void )
if (!init_change_notify())
exit(1);
- /* Setup privileges database */
- if (!privilege_init())
- exit(1);
-
/* re-initialise the timezone */
TimeInit();
@@ -884,7 +877,6 @@ static BOOL init_structs(void )
smbd_process();
uni_group_cache_shutdown();
- namecache_shutdown();
exit_server("normal exit");
return(0);
}
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 25f9d424ab..e36760c148 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -77,6 +77,9 @@ static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
set_message(outbuf,4,0,True);
+ /* we set NT_STATUS_MORE_PROCESSING_REQUIRED to tell the other end
+ that we aren't finished yet */
+
nt_status = nt_status_squash(nt_status);
SIVAL(outbuf, smb_rcls, NT_STATUS_V(nt_status));
SSVAL(outbuf, smb_vwv0, 0xFF); /* no chaining possible */
@@ -306,9 +309,6 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
ret = reply_sesssetup_blob(conn, outbuf, response, nt_status);
data_blob_free(&response);
- /* NT_STATUS_MORE_PROCESSING_REQUIRED from our NTLMSSP code tells us,
- and the other end, that we are not finished yet. */
-
if (!ret || !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
auth_ntlmssp_end(auth_ntlmssp_state);
}
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 0fa65f47ca..b9cf0de3bd 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -722,33 +722,6 @@ static void store_gid_sid_cache(const DOM_SID *psid, const enum SID_NAME_USE sid
DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid)
{
-#ifdef WITH_IDMAP
- unid_t id;
-
- DEBUG(10,("uid_to_sid: uid = [%d]\n", uid));
-
- id.uid = uid;
- if (NT_STATUS_IS_OK(idmap_get_sid_from_id(psid, id, ID_USERID))) {
- DEBUG(10, ("uid_to_sid: sid = [%s]\n", sid_string_static(psid)));
- return psid;
- }
-
- /* If mapping is not found in idmap try with traditional method,
- then stores the result in idmap.
- We may add a switch in future to allow smooth migrations to
- idmap-only db ---Simo */
-
- become_root();
- psid = local_uid_to_sid(psid, uid);
- unbecome_root();
-
- DEBUG(10,("uid_to_sid: algorithmic %u -> %s\n", (unsigned int)uid, sid_string_static(psid)));
- if (psid)
- idmap_set_mapping(psid, id, ID_USERID);
-
- return psid;
-
-#else
uid_t low, high;
enum SID_NAME_USE sidtype;
fstring sid;
@@ -756,7 +729,7 @@ DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid)
if (fetch_sid_from_uid_cache(psid, &sidtype, uid))
return psid;
- if (lp_idmap_uid(&low, &high) && uid >= low && uid <= high) {
+ if (lp_winbind_uid(&low, &high) && uid >= low && uid <= high) {
if (winbind_uid_to_sid(psid, uid)) {
DEBUG(10,("uid_to_sid: winbindd %u -> %s\n",
@@ -778,7 +751,6 @@ DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid)
store_uid_sid_cache(psid, SID_NAME_USER, uid);
return psid;
-#endif
}
/*****************************************************************
@@ -789,33 +761,6 @@ DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid)
DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid)
{
-#ifdef WITH_IDMAP
- unid_t id;
-
- DEBUG(10,("gid_to_sid: gid = [%d]\n", gid));
-
- id.gid = gid;
- if (NT_STATUS_IS_OK(idmap_get_sid_from_id(psid, id, ID_GROUPID))) {
- DEBUG(10, ("gid_to_sid: sid = [%s]\n", sid_string_static(psid)));
- return psid;
- }
-
- /* If mapping is not found in idmap try with traditional method,
- then stores the result in idmap.
- We may add a switch in future to allow smooth migrations to
- idmap-only db ---Simo */
-
- become_root();
- psid = local_gid_to_sid(psid, gid);
- unbecome_root();
-
- DEBUG(10,("gid_to_sid: algorithmic %u -> %s\n", (unsigned int)gid, sid_string_static(psid)));
- if (psid)
- idmap_set_mapping(psid, id, ID_GROUPID);
-
- return psid;
-
-#else
gid_t low, high;
enum SID_NAME_USE sidtype;
fstring sid;
@@ -823,7 +768,7 @@ DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid)
if (fetch_sid_from_gid_cache(psid, &sidtype, gid))
return psid;
- if (lp_idmap_gid(&low, &high) && gid >= low && gid <= high) {
+ if (lp_winbind_gid(&low, &high) && gid >= low && gid <= high) {
if (winbind_gid_to_sid(psid, gid)) {
DEBUG(10,("gid_to_sid: winbindd %u -> %s\n",
@@ -844,7 +789,6 @@ DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid)
store_gid_sid_cache(psid, SID_NAME_DOM_GRP, gid);
return psid;
-#endif
}
/*****************************************************************
@@ -856,35 +800,6 @@ DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid)
BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype)
{
-#ifdef WITH_IDMAP
- unid_t id;
- int type;
-
- DEBUG(10,("sid_to_uid: sid = [%s]\n", sid_string_static(psid)));
-
- *sidtype = SID_NAME_USER;
-
- type = ID_USERID;
- if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &type, psid))) {
- DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid));
- *puid = id.uid;
- return True;
- }
-
- if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
- BOOL result;
- become_root();
- result = local_sid_to_uid(puid, psid, sidtype);
- unbecome_root();
- if (result) {
- id.uid = *puid;
- DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid));
- idmap_set_mapping(psid, id, ID_USERID);
- return True;
- }
- }
- return False;
-#else
fstring sid_str;
if (fetch_uid_from_cache(puid, psid, *sidtype))
@@ -958,7 +873,6 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype)
store_uid_sid_cache(psid, *sidtype, *puid);
return True;
-#endif
}
/*****************************************************************
@@ -970,37 +884,6 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype)
BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype)
{
-#ifdef WITH_IDMAP
- unid_t id;
- int type;
-
- DEBUG(10,("sid_to_gid: sid = [%s]\n", sid_string_static(psid)));
-
- *sidtype = SID_NAME_ALIAS;
-
- type = ID_GROUPID;
- if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &type, psid))) {
- DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid));
- *pgid = id.gid;
- return True;
- }
-
- if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
- BOOL result;
- become_root();
- result = local_sid_to_gid(pgid, psid, sidtype);
- unbecome_root();
- if (result) {
- id.gid = *pgid;
- DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid));
- idmap_set_mapping(psid, id, ID_GROUPID);
- return True;
- }
- }
-
- return False;
-
-#else
fstring dom_name, name, sid_str;
enum SID_NAME_USE name_type;
@@ -1061,6 +944,5 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype)
store_gid_sid_cache(psid, *sidtype, *pgid);
return True;
-#endif
}
generated by cgit (git 2.34.1) at 2024-12-12 11:06:14 +0000