summaryrefslogtreecommitdiff
path: root/source4/auth/sam.c
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth/sam.c')
-rw-r--r--source4/auth/sam.c84
1 files changed, 47 insertions, 37 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index c70c02cb3c..68eaacf255 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -28,6 +28,7 @@
#include "libcli/security/security.h"
#include "libcli/ldap/ldap.h"
#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "librpc/gen_ndr/ndr_security.h"
#include "param/param.h"
#include "auth/auth_sam.h"
@@ -66,6 +67,7 @@ const char *user_attrs[] = {
"badPwdCount",
"logonCount",
"primaryGroupID",
+ "memberOf",
NULL,
};
@@ -261,9 +263,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
struct auth_serversupplied_info **_server_info)
{
struct auth_serversupplied_info *server_info;
- struct ldb_message **group_msgs;
- int group_ret;
- const char *group_attrs[3] = { "sAMAccountType", "objectSid", NULL };
+ int group_ret = 0;
/* find list of sids */
struct dom_sid **groupSIDs = NULL;
struct dom_sid *account_sid;
@@ -271,39 +271,48 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
const char *str;
int i;
uint_t rid;
- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-
- group_ret = gendb_search(sam_ctx,
- tmp_ctx, NULL, &group_msgs, group_attrs,
- "(&(member=%s)(sAMAccountType=*))",
- ldb_dn_get_linearized(msg->dn));
- if (group_ret == -1) {
- talloc_free(tmp_ctx);
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct ldb_message_element *el;
- server_info = talloc(mem_ctx, struct auth_serversupplied_info);
- NT_STATUS_HAVE_NO_MEMORY(server_info);
+ server_info = talloc(tmp_ctx, struct auth_serversupplied_info);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info, tmp_ctx);
- if (group_ret > 0) {
+ el = ldb_msg_find_element(msg, "memberOf");
+ if (el != NULL) {
+ group_ret = el->num_values;
groupSIDs = talloc_array(server_info, struct dom_sid *, group_ret);
- NT_STATUS_HAVE_NO_MEMORY(groupSIDs);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
}
- /* Need to unroll some nested groups, but not aliases */
+ /* TODO Note: this is incomplete. We need to unroll some
+ * nested groups, but not aliases */
for (i = 0; i < group_ret; i++) {
- groupSIDs[i] = samdb_result_dom_sid(groupSIDs,
- group_msgs[i], "objectSid");
- NT_STATUS_HAVE_NO_MEMORY(groupSIDs[i]);
+ struct ldb_dn *dn;
+ const struct ldb_val *v;
+ enum ndr_err_code ndr_err;
+
+ dn = ldb_dn_from_ldb_val(tmp_ctx, sam_ctx, &el->values[i]);
+ if (dn == NULL) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ v = ldb_dn_get_extended_component(dn, "SID");
+ groupSIDs[i] = talloc(groupSIDs, struct dom_sid);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs[i], tmp_ctx);
+
+ ndr_err = ndr_pull_struct_blob(v, groupSIDs[i], NULL, groupSIDs[i],
+ (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
}
- talloc_free(tmp_ctx);
-
account_sid = samdb_result_dom_sid(server_info, msg, "objectSid");
- NT_STATUS_HAVE_NO_MEMORY(account_sid);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, tmp_ctx);
primary_group_sid = dom_sid_dup(server_info, account_sid);
- NT_STATUS_HAVE_NO_MEMORY(primary_group_sid);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_sid, tmp_ctx);
rid = samdb_result_uint(msg, "primaryGroupID", ~0);
if (rid == ~0) {
@@ -325,30 +334,30 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
server_info->account_name = talloc_steal(server_info, samdb_result_string(msg, "sAMAccountName", NULL));
server_info->domain_name = talloc_strdup(server_info, domain_name);
- NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_name, tmp_ctx);
str = samdb_result_string(msg, "displayName", "");
server_info->full_name = talloc_strdup(server_info, str);
- NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->full_name, tmp_ctx);
str = samdb_result_string(msg, "scriptPath", "");
server_info->logon_script = talloc_strdup(server_info, str);
- NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_script, tmp_ctx);
str = samdb_result_string(msg, "profilePath", "");
server_info->profile_path = talloc_strdup(server_info, str);
- NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->profile_path, tmp_ctx);
str = samdb_result_string(msg, "homeDirectory", "");
server_info->home_directory = talloc_strdup(server_info, str);
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_directory, tmp_ctx);
str = samdb_result_string(msg, "homeDrive", "");
server_info->home_drive = talloc_strdup(server_info, str);
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_drive, tmp_ctx);
server_info->logon_server = talloc_strdup(server_info, netbios_name);
- NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_server, tmp_ctx);
server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
server_info->last_logoff = samdb_result_nttime(msg, "lastLogoff", 0);
@@ -373,7 +382,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
server_info->authenticated = true;
- *_server_info = server_info;
+ *_server_info = talloc_steal(mem_ctx, server_info);
return NT_STATUS_OK;
}
@@ -381,7 +390,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
TALLOC_CTX *mem_ctx, const char *principal,
struct ldb_dn **domain_dn,
- struct ldb_message ***msgs)
+ struct ldb_message **msg)
{
struct ldb_dn *user_dn;
NTSTATUS nt_status;
@@ -399,12 +408,13 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
}
/* pull the user attributes */
- ret = gendb_search_dn(sam_ctx, tmp_ctx, user_dn, msgs, user_attrs);
- if (ret != 1) {
+ ret = gendb_search_single_extended_dn(sam_ctx, tmp_ctx, user_dn, LDB_SCOPE_BASE,
+ msg, user_attrs, "(objectClass=*)");
+ if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
- talloc_steal(mem_ctx, *msgs);
+ talloc_steal(mem_ctx, *msg);
talloc_steal(mem_ctx, *domain_dn);
talloc_free(tmp_ctx);
generated by cgit (git 2.34.1) at 2024-07-12 10:27:50 +0000