Diffstat (limited to 'source4')
-rw-r--r--source4/auth/auth_sam.c14
-rw-r--r--source4/auth/auth_util.c14
-rw-r--r--source4/lib/util_sid.c70
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c27
-rw-r--r--source4/torture/rpc/netlogon.c13
5 files changed, 29 insertions, 109 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 3c35031643..1c33b26528 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -183,14 +183,13 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
uint_t ret_domain;
const char *domain_dn;
+ const char *domain_sid;
NTSTATUS nt_status;
DATA_BLOB user_sess_key = data_blob(NULL, 0);
DATA_BLOB lm_sess_key = data_blob(NULL, 0);
uint8 *lm_pwd, *nt_pwd;
- struct dom_sid *domain_sid;
-
const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash",
"userAccountControl",
"pwdLastSet",
@@ -228,28 +227,27 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
- domain_sid = dom_sid_parse_talloc(mem_ctx, samdb_result_string(msgs[0], "objectSid", NULL));
+ domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid");
if (!domain_sid) {
samdb_close(sam_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
- sid_split_rid(domain_sid, NULL);
-
/* find the domain's DN */
ret_domain = samdb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs,
"(&(objectSid=%s)(objectclass=domain))",
- dom_sid_string(mem_ctx, domain_sid));
+ domain_sid);
if (ret_domain == 0) {
DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n",
- dom_sid_string(mem_ctx, domain_sid)));
+ domain_sid));
samdb_close(sam_ctx);
return NT_STATUS_NO_SUCH_USER;
}
if (ret_domain > 1) {
- DEBUG(1,("Found %d records matching domain [%s]\n", ret_domain, dom_sid_string(mem_ctx, domain_sid)));
+ DEBUG(1,("Found %d records matching domain [%s]\n",
+ ret_domain, domain_sid));
samdb_close(sam_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
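Review bot: Dropping the explicit sid_split_rid() call leaves nothing at this site saying that the user's objectSid is being truncated to its domain prefix before the domain lookup; the helper name carries the intent, but a one-line comment above the samdb_result_sid_prefix() call would help: `/* the domain SID is the user's objectSid with its RID stripped */`. The old sequence silently tolerated sid_split_rid() returning False on a SID with no sub-authorities, whereas the new code reports NT_STATUS_INTERNAL_DB_CORRUPTION whenever the helper returns NULL; whether the helper treats a RID-less SID as NULL is not visible here and is worth confirming as the intended outcome. The returned string is interpolated unescaped into the samdb_search filter, which is acceptable only as long as the helper guarantees a canonical S-1-... string and never echoes a malformed objectSid value from the database. check_sam_security begins and ends outside this hunk.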
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c
index e72368132a..17d864b718 100644
--- a/source4/auth/auth_util.c
+++ b/source4/auth/auth_util.c
@@ -390,7 +390,8 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info)
void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
{
- fstring sid_str;
+ TALLOC_CTX *mem_ctx;
+
size_t i;
if (!token) {
@@ -398,12 +399,19 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
return;
}
+ mem_ctx = talloc_init("debug_nt_user_token()");
+ if (!mem_ctx) {
+ return;
+ }
+
DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n",
- sid_to_string(sid_str, token->user_sids[0]) ));
+ dom_sid_string(mem_ctx, token->user_sids[0]) ));
DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids));
for (i = 0; i < token->num_sids; i++)
DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i,
- sid_to_string(sid_str, token->user_sids[i])));
+ dom_sid_string(mem_ctx, token->user_sids[i])));
+
+ talloc_destroy(mem_ctx);
}
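Review bot: The first DEBUGC still dereferences `token->user_sids[0]` before anything has checked `token->num_sids`, so a token with zero SIDs reads past the array; the loop below is safe for that case but the header line is not, and since the line is being rewritten anyway a guard fits naturally after the talloc_init check: `if (token->num_sids == 0) { DEBUGC(dbg_class, dbg_lev, ("NT user token has no SIDs\n")); talloc_destroy(mem_ctx); return; }`. dom_sid_string() can evidently return NULL (the sid_to_string() removed in util_sid.c checks for exactly that), and here the result goes straight into a `%s`, so a NULL from an allocation failure would be formatted as a NULL pointer; a `? : "(null)"` fallback or an early return would avoid that. The talloc context is also created even when dbg_lev is above the current debug level, which is harmless but could be skipped with a level check if this runs on a hot path.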
/****************************************************************************
diff --git a/source4/lib/util_sid.c b/source4/lib/util_sid.c
index 6f63e25c5d..5ce72a6f51 100644
--- a/source4/lib/util_sid.c
+++ b/source4/lib/util_sid.c
@@ -143,76 +143,6 @@ void generate_wellknown_sids(void)
initialised = True;
}
-/**************************************************************************
- Splits a name of format \DOMAIN\name or name into its two components.
- Sets the DOMAIN name to lp_netbios_name() if it has not been specified.
-***************************************************************************/
-
-void split_domain_name(const char *fullname, char *domain, char *name)
-{
- pstring full_name;
- const char *sep;
- char *p;
-
- sep = lp_winbind_separator();
-
- *domain = *name = '\0';
-
- if (fullname[0] == sep[0] || fullname[0] == '\\')
- fullname++;
-
- pstrcpy(full_name, fullname);
- p = strchr_m(full_name+1, '\\');
- if (!p) p = strchr_m(full_name+1, sep[0]);
-
- if (p != NULL) {
- *p = 0;
- fstrcpy(domain, full_name);
- fstrcpy(name, p+1);
- } else {
- fstrcpy(domain, lp_netbios_name());
- fstrcpy(name, full_name);
- }
-
- DEBUG(10,("split_domain_name:name '%s' split into domain :'%s' and user :'%s'\n",
- fullname, domain, name));
-}
-
-/*****************************************************************
- Convert a SID to an ascii string.
-*****************************************************************/
-
-char *sid_to_string(fstring sidstr_out, const struct dom_sid *sid)
-{
- char *tmp_string;
- TALLOC_CTX *mem_ctx;
- if (!(mem_ctx = talloc_init("sid_to_string temp context"))) {
- return NULL;
- }
-
- tmp_string = dom_sid_string(mem_ctx, sid);
- if (!tmp_string)
- return NULL;
-
- fstrcpy(sidstr_out, tmp_string);
- return sidstr_out;
-}
-
-/*****************************************************************
- Removes the last rid from the end of a sid
-*****************************************************************/
-
-BOOL sid_split_rid(struct dom_sid *sid, uint32 *rid)
-{
- if (sid->num_auths > 0) {
- sid->num_auths--;
- if (rid)
- *rid = sid->sub_auths[sid->num_auths];
- return True;
- }
- return False;
-}
-
/*****************************************************************
Return the last rid from the end of a sid
*****************************************************************/
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 853a8b39e9..1dab39ebc1 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -332,14 +332,13 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
int num_records;
int num_records_domain;
int ret;
- int i;
struct ldb_message **msgs;
struct ldb_message **msgs_domain;
NTSTATUS nt_status;
struct samr_Hash newNtHash;
struct ldb_message mod, *msg_set_pw = &mod;
const char *domain_dn;
- struct dom_sid *domain_sid;
+ const char *domain_sid;
const char *attrs[] = {"objectSid", NULL
};
@@ -379,32 +378,28 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
- domain_sid = dom_sid_parse_talloc(mem_ctx,
- samdb_result_string(msgs[0],
- "objectSid",
- NULL));
+ domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid");
if (!domain_sid) {
samdb_close(sam_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
- sid_split_rid(domain_sid, NULL);
-
/* find the domain's DN */
num_records_domain = samdb_search(sam_ctx, mem_ctx, NULL,
&msgs_domain, domain_attrs,
"(&(objectSid=%s)(objectclass=domain))",
- dom_sid_string(mem_ctx, domain_sid));
+ domain_sid);
if (num_records_domain == 0) {
DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n",
- dom_sid_string(mem_ctx, domain_sid)));
+ domain_sid));
samdb_close(sam_ctx);
return NT_STATUS_NO_SUCH_USER;
}
if (num_records_domain > 1) {
- DEBUG(1,("Found %d records matching domain [%s]\n", num_records_domain, dom_sid_string(mem_ctx, domain_sid)));
+ DEBUG(1,("Found %d records matching domain [%s]\n",
+ num_records_domain, domain_sid));
samdb_close(sam_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
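Review bot: The DEBUG(3) in the `num_records_domain == 0` branch still labels itself `check_sam_security:` even though this is netr_ServerPasswordSet, and its text was clearly copied from auth_sam.c; since the line is being reworked, the prefix should name the right function: `DEBUG(3,("netr_ServerPasswordSet: Couldn't find domain [%s] in passdb file.\n", domain_sid));`. Returning NT_STATUS_NO_SUCH_USER to a netlogon client when the domain object itself is missing also looks inconsistent with the neighbouring branches, which report NT_STATUS_INTERNAL_DB_CORRUPTION for a missing or duplicated objectSid; a machine whose domain record cannot be found is a database problem, not an unknown account, and the status code the client sees should say so. netr_ServerPasswordSet starts before this hunk and continues after it.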
@@ -435,15 +430,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
return nt_status;
}
- /* mark all the message elements as LDB_FLAG_MOD_REPLACE,
- unless they are already marked with some other flag */
- for (i=0;i<mod.num_elements;i++) {
- if (mod.elements[i].flags == 0) {
- mod.elements[i].flags = LDB_FLAG_MOD_REPLACE;
- }
- }
-
- ret = samdb_modify(sam_ctx, mem_ctx, msg_set_pw);
+ ret = samdb_replace(sam_ctx, mem_ctx, msg_set_pw);
if (ret != 0) {
/* we really need samdb.c to return NTSTATUS */
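Review bot: The removed loop only set LDB_FLAG_MOD_REPLACE on elements whose flags were still 0 and left any element already carrying another flag untouched; whether samdb_replace() preserves that distinction or forces replace on every element is not visible here, and msg_set_pw is populated by a helper outside this hunk, so this should be checked against samdb_replace()'s definition before assuming the change is behaviour-neutral. If it does force replace on all elements, a comment at the call site would record that assumption: `/* samdb_replace marks every element MOD_REPLACE; none of msg_set_pw's elements carry another flag */`. The `ret != 0` handling and the rest of netr_ServerPasswordSet continue outside the hunk.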
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 50e4dd36d4..524af42e01 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -1050,15 +1050,12 @@ static BOOL test_SetPassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
printf("Credential chaining failed\n");
}
- password = generate_random_str(mem_ctx, 8);
- E_md4hash(password, r.in.new_password.data);
-
- creds_des_encrypt(&creds, &r.in.new_password);
-
- /* by changing the machine password twice we test the credentials
- chaining fully */
+ /* by changing the machine password twice we test the
+ credentials chaining fully, and we verify that the server
+ allows the password to be set to the same value twice in a
+ row (match win2k3) */
printf("Testing a second ServerPasswordSet on machine account\n");
- printf("Changing machine account password to '%s'\n", password);
+ printf("Changing machine account password to '%s' (same as pervsious run)\n", password);
creds_client_authenticator(&creds, &r.in.credential);