diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/passdb/machine_sid.c | 67 | ||||
-rw-r--r-- | source3/passdb/pdb_ldap.c | 9 | ||||
-rw-r--r-- | source3/utils/net.c | 10 | ||||
-rw-r--r-- | source3/utils/smbpasswd.c | 6 |
4 files changed, 61 insertions, 31 deletions
diff --git a/source3/passdb/machine_sid.c b/source3/passdb/machine_sid.c index 21ae95af5b..235187abf0 100644 --- a/source3/passdb/machine_sid.c +++ b/source3/passdb/machine_sid.c @@ -76,15 +76,15 @@ static void generate_random_sid(DOM_SID *sid) Generate the global machine sid. ****************************************************************************/ -static BOOL pdb_generate_sam_sid(void) +static DOM_SID *pdb_generate_sam_sid(void) { DOM_SID domain_sid; char *fname = NULL; BOOL is_dc = False; - - if(global_sam_sid==NULL) - if(!(global_sam_sid=(DOM_SID *)malloc(sizeof(DOM_SID)))) - return False; + DOM_SID *sam_sid; + + if(!(sam_sid=(DOM_SID *)malloc(sizeof(DOM_SID)))) + return NULL; generate_wellknown_sids(); @@ -100,86 +100,93 @@ static BOOL pdb_generate_sam_sid(void) if (is_dc) { if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { - sid_copy(global_sam_sid, &domain_sid); - return True; + sid_copy(sam_sid, &domain_sid); + return sam_sid; } } - if (secrets_fetch_domain_sid(global_myname(), global_sam_sid)) { + if (secrets_fetch_domain_sid(global_myname(), sam_sid)) { /* We got our sid. If not a pdc/bdc, we're done. */ if (!is_dc) - return True; + return sam_sid; if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { /* No domain sid and we're a pdc/bdc. Store it */ - if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) { + if (!secrets_store_domain_sid(lp_workgroup(), sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Can't store domain SID as a pdc/bdc.\n")); - return False; + SAFE_FREE(sam_sid); + return NULL; } - return True; + return sam_sid; } - if (!sid_equal(&domain_sid, global_sam_sid)) { + if (!sid_equal(&domain_sid, sam_sid)) { /* Domain name sid doesn't match global sam sid. Re-store domain sid as 'local' sid. */ DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n")); if (!secrets_store_domain_sid(global_myname(), &domain_sid)) { DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID for local sid as PDC/BDC.\n")); - return False; + SAFE_FREE(sam_sid); + return NULL; } - return True; + return sam_sid; } - return True; + return sam_sid; } /* check for an old MACHINE.SID file for backwards compatibility */ asprintf(&fname, "%s/MACHINE.SID", lp_private_dir()); - if (read_sid_from_file(fname, global_sam_sid)) { + if (read_sid_from_file(fname, sam_sid)) { /* remember it for future reference and unlink the old MACHINE.SID */ - if (!secrets_store_domain_sid(global_myname(), global_sam_sid)) { + if (!secrets_store_domain_sid(global_myname(), sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store SID from file.\n")); SAFE_FREE(fname); - return False; + SAFE_FREE(sam_sid); + return NULL; } unlink(fname); if (is_dc) { - if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) { + if (!secrets_store_domain_sid(lp_workgroup(), sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store domain SID from file.\n")); SAFE_FREE(fname); - return False; + SAFE_FREE(sam_sid); + return NULL; } } /* Stored the old sid from MACHINE.SID successfully.*/ SAFE_FREE(fname); - return True; + SAFE_FREE(sam_sid); + return sam_sid; } SAFE_FREE(fname); /* we don't have the SID in secrets.tdb, we will need to generate one and save it */ - generate_random_sid(global_sam_sid); + generate_random_sid(sam_sid); - if (!secrets_store_domain_sid(global_myname(), global_sam_sid)) { + if (!secrets_store_domain_sid(global_myname(), sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store generated machine SID.\n")); - return False; + SAFE_FREE(sam_sid); + return NULL; } if (is_dc) { - if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) { + if (!secrets_store_domain_sid(lp_workgroup(), sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store generated domain SID.\n")); - return False; + SAFE_FREE(sam_sid); + return NULL; } } - return True; + return sam_sid; } /* return our global_sam_sid */ @@ -191,10 +198,10 @@ DOM_SID *get_global_sam_sid(void) /* memory for global_sam_sid is allocated in pdb_generate_sam_sid() as needed */ - if (!pdb_generate_sam_sid()) { + if (!(global_sam_sid = pdb_generate_sam_sid())) { smb_panic("Could not generate a machine SID\n"); } - + return global_sam_sid; } diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index 3db0702c92..eefd302d42 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -2353,7 +2353,7 @@ static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_met /* Try to setup the Domain Name, Domain SID, algorithmic rid base */ nt_status = smbldap_search_domain_info(ldap_state->smbldap_state, &result, - ldap_state->domain_name, True); + ldap_state->domain_name, True); if ( !NT_STATUS_IS_OK(nt_status) ) { DEBUG(2, ("pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain\n")); @@ -2382,8 +2382,15 @@ and will risk BDCs having inconsistant SIDs\n")); } found_sid = secrets_fetch_domain_sid(ldap_state->domain_name, &secrets_domain_sid); if (!found_sid || !sid_equal(&secrets_domain_sid, &ldap_domain_sid)) { + fstring new_sid_str, old_sid_str; + DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain %s based on pdb_ldap results %s -> %s\n", + ldap_state->domain_name, + sid_to_string(old_sid_str, &secrets_domain_sid), + sid_to_string(new_sid_str, &ldap_domain_sid))); + /* reset secrets.tdb sid */ secrets_store_domain_sid(ldap_state->domain_name, &ldap_domain_sid); + DEBUG(1, ("New global sam SID: %s\n", sid_to_string(new_sid_str, get_global_sam_sid()))); } sid_copy(&ldap_state->domain_sid, &ldap_domain_sid); } diff --git a/source3/utils/net.c b/source3/utils/net.c index b9081c3e31..9026900e81 100644 --- a/source3/utils/net.c +++ b/source3/utils/net.c @@ -418,6 +418,11 @@ static int net_getlocalsid(int argc, const char **argv) name = global_myname(); } + if(!initialize_password_db(False)) { + DEBUG(0, ("WARNING: Could not open passdb - local sid may not reflect passdb\n" + "backend knowlege (such as the sid stored in LDAP)\n")); + } + if (!secrets_fetch_domain_sid(name, &sid)) { DEBUG(0, ("Can't fetch domain SID for name: %s\n", name)); return 1; @@ -452,6 +457,11 @@ static int net_getdomainsid(int argc, const char **argv) DOM_SID domain_sid; fstring sid_str; + if(!initialize_password_db(False)) { + DEBUG(0, ("WARNING: Could not open passdb - domain sid may not reflect passdb\n" + "backend knowlege (such as the sid stored in LDAP)\n")); + } + if (!secrets_fetch_domain_sid(global_myname(), &domain_sid)) { d_printf("Could not fetch local SID\n"); return 1; diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index ea8bf7a472..5507727498 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -348,6 +348,12 @@ static int process_root(int local_flags) goto done; } + /* Ensure passdb startup(). */ + if(!initialize_password_db(False)) { + DEBUG(0, ("Failed to open passdb!\n")); + exit(1); + } + /* Ensure we have a SAM sid. */ get_global_sam_sid(); |