Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/auth_sam.c | 14 | ||||
-rw-r--r-- | source4/auth/auth_util.c | 14 | ||||
-rw-r--r-- | source4/lib/util_sid.c | 70 | ||||
-rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 27 | ||||
-rw-r--r-- | source4/torture/rpc/netlogon.c | 13 |
5 files changed, 29 insertions, 109 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c index 3c35031643..1c33b26528 100644 --- a/source4/auth/auth_sam.c +++ b/source4/auth/auth_sam.c @@ -183,14 +183,13 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, uint_t ret_domain; const char *domain_dn; + const char *domain_sid; NTSTATUS nt_status; DATA_BLOB user_sess_key = data_blob(NULL, 0); DATA_BLOB lm_sess_key = data_blob(NULL, 0); uint8 *lm_pwd, *nt_pwd; - struct dom_sid *domain_sid; - const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", "userAccountControl", "pwdLastSet", @@ -228,28 +227,27 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_INTERNAL_DB_CORRUPTION; } - domain_sid = dom_sid_parse_talloc(mem_ctx, samdb_result_string(msgs[0], "objectSid", NULL)); + domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); if (!domain_sid) { samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } - sid_split_rid(domain_sid, NULL); - /* find the domain's DN */ ret_domain = samdb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, "(&(objectSid=%s)(objectclass=domain))", - dom_sid_string(mem_ctx, domain_sid)); + domain_sid); if (ret_domain == 0) { DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", - dom_sid_string(mem_ctx, domain_sid))); + domain_sid)); samdb_close(sam_ctx); return NT_STATUS_NO_SUCH_USER; } if (ret_domain > 1) { - DEBUG(1,("Found %d records matching domain [%s]\n", ret_domain, dom_sid_string(mem_ctx, domain_sid))); + DEBUG(1,("Found %d records matching domain [%s]\n", + ret_domain, domain_sid)); samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c index e72368132a..17d864b718 100644 --- a/source4/auth/auth_util.c +++ b/source4/auth/auth_util.c 
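Review bot: In the second hunk of `check_sam_security`, `domain_sid` is now a plain string substituted directly into the filter `(&(objectSid=%s)(objectclass=domain))`, so the syntax check that `dom_sid_parse_talloc` applied before re-serialising survives only if `samdb_result_sid_prefix` performs it. That helper is not visible here; if it only truncates the stored attribute at the last `-`, a malformed `objectSid` value would reach the filter unvalidated. I would confirm the helper rejects anything that is not a well-formed SID and record it at the call site, e.g. `/* samdb_result_sid_prefix() returns NULL unless objectSid parses as a SID */`. The same pattern is introduced in the `netr_ServerPasswordSet` hunk at -379 in dcerpc_netlogon.c; both functions continue outside their hunks.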
@@ -390,7 +390,8 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) { - fstring sid_str; + TALLOC_CTX *mem_ctx; + size_t i; if (!token) { @@ -398,12 +399,19 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) return; } + mem_ctx = talloc_init("debug_nt_user_token()"); + if (!mem_ctx) { + return; + } + DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", - sid_to_string(sid_str, token->user_sids[0]) )); + dom_sid_string(mem_ctx, token->user_sids[0]) )); DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids)); for (i = 0; i < token->num_sids; i++) DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, - sid_to_string(sid_str, token->user_sids[i]))); + dom_sid_string(mem_ctx, token->user_sids[i]))); + + talloc_destroy(mem_ctx); } /**************************************************************************** diff --git a/source4/lib/util_sid.c b/source4/lib/util_sid.c index 6f63e25c5d..5ce72a6f51 100644 --- a/source4/lib/util_sid.c +++ b/source4/lib/util_sid.c 
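Review bot: Both new `dom_sid_string(mem_ctx, ...)` calls in `debug_nt_user_token` pass their result straight to a `%s` conversion, yet the removed `sid_to_string` wrapper in util_sid.c shows that `dom_sid_string` can return NULL. Passing NULL to `%s` is undefined behaviour on some platforms, so I would hold the result in a local and print a fallback, e.g. `const char *s = dom_sid_string(mem_ctx, token->user_sids[i]);` then `s ? s : "(invalid SID)"`. Separately, `token->user_sids[0]` is read before anything looks at `token->num_sids`; a guard such as `if (token->num_sids == 0)` ahead of the first DEBUGC would avoid relying on callers never passing an empty token.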
@@ -143,76 +143,6 @@ void generate_wellknown_sids(void) initialised = True; } -/************************************************************************** - Splits a name of format \DOMAIN\name or name into its two components. - Sets the DOMAIN name to lp_netbios_name() if it has not been specified. -***************************************************************************/ - -void split_domain_name(const char *fullname, char *domain, char *name) -{ - pstring full_name; - const char *sep; - char *p; - - sep = lp_winbind_separator(); - - *domain = *name = '\0'; - - if (fullname[0] == sep[0] || fullname[0] == '\\') - fullname++; - - pstrcpy(full_name, fullname); - p = strchr_m(full_name+1, '\\'); - if (!p) p = strchr_m(full_name+1, sep[0]); - - if (p != NULL) { - *p = 0; - fstrcpy(domain, full_name); - fstrcpy(name, p+1); - } else { - fstrcpy(domain, lp_netbios_name()); - fstrcpy(name, full_name); - } - - DEBUG(10,("split_domain_name:name '%s' split into domain :'%s' and user :'%s'\n", - fullname, domain, name)); -} - -/***************************************************************** - Convert a SID to an ascii string. 
-*****************************************************************/ - -char *sid_to_string(fstring sidstr_out, const struct dom_sid *sid) -{ - char *tmp_string; - TALLOC_CTX *mem_ctx; - if (!(mem_ctx = talloc_init("sid_to_string temp context"))) { - return NULL; - } - - tmp_string = dom_sid_string(mem_ctx, sid); - if (!tmp_string) - return NULL; - - fstrcpy(sidstr_out, tmp_string); - return sidstr_out; -} - -/***************************************************************** - Removes the last rid from the end of a sid -*****************************************************************/ - -BOOL sid_split_rid(struct dom_sid *sid, uint32 *rid) -{ - if (sid->num_auths > 0) { - sid->num_auths--; - if (rid) - *rid = sid->sub_auths[sid->num_auths]; - return True; - } - return False; -} - /***************************************************************** Return the last rid from the end of a sid *****************************************************************/ diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 853a8b39e9..1dab39ebc1 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -332,14 +332,13 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO int num_records; int num_records_domain; int ret; - int i; struct ldb_message **msgs; struct ldb_message **msgs_domain; NTSTATUS nt_status; struct samr_Hash newNtHash; struct ldb_message mod, *msg_set_pw = &mod; const char *domain_dn; - struct dom_sid *domain_sid; + const char *domain_sid; const char *attrs[] = {"objectSid", NULL }; 
@@ -379,32 +378,28 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO return NT_STATUS_INTERNAL_DB_CORRUPTION; } - domain_sid = dom_sid_parse_talloc(mem_ctx, - samdb_result_string(msgs[0], - "objectSid", - NULL)); + domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); if (!domain_sid) { samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } - sid_split_rid(domain_sid, NULL); - /* find the domain's DN */ num_records_domain = samdb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, "(&(objectSid=%s)(objectclass=domain))", - dom_sid_string(mem_ctx, domain_sid)); + domain_sid); if (num_records_domain == 0) { DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", - dom_sid_string(mem_ctx, domain_sid))); + domain_sid)); samdb_close(sam_ctx); return NT_STATUS_NO_SUCH_USER; } if (num_records_domain > 1) { - DEBUG(1,("Found %d records matching domain [%s]\n", num_records_domain, dom_sid_string(mem_ctx, domain_sid))); + DEBUG(1,("Found %d records matching domain [%s]\n", + num_records_domain, domain_sid)); samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -435,15 +430,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO return nt_status; } - /* mark all the message elements as LDB_FLAG_MOD_REPLACE, - unless they are already marked with some other flag */ - for (i=0;i<mod.num_elements;i++) { - if (mod.elements[i].flags == 0) { - mod.elements[i].flags = LDB_FLAG_MOD_REPLACE; - } - } - - ret = samdb_modify(sam_ctx, mem_ctx, msg_set_pw); + ret = samdb_replace(sam_ctx, mem_ctx, msg_set_pw); if (ret != 0) { /* we really need samdb.c to return NTSTATUS */ diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 50e4dd36d4..524af42e01 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c 
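Review bot: The `DEBUG(3, ...)` message in this `netr_ServerPasswordSet` hunk still begins with `check_sam_security:`, so a failed domain lookup during a machine password change is logged as if it came from the authentication path. Since the argument line is being touched anyway, the prefix should name the real caller: `DEBUG(3,("netr_ServerPasswordSet: Couldn't find domain [%s] in passdb file.\n",`. That keeps log-based triage of password-set failures from pointing at the wrong code.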
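Review bot: The removed loop set `LDB_FLAG_MOD_REPLACE` only on elements whose `flags` were still 0, and this hunk (at -435) does not show whether `samdb_replace()` keeps that exception. If it overwrites flags unconditionally, any element that the earlier password-setting code marked with a different flag would silently become a replace on the account record. Once confirmed, a short comment at the call would preserve the intent, e.g. `/* samdb_replace() marks only unflagged elements as LDB_FLAG_MOD_REPLACE */`. The handling of `ret != 0` continues outside the hunk.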
@@ -1050,15 +1050,12 @@ static BOOL test_SetPassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) printf("Credential chaining failed\n"); } - password = generate_random_str(mem_ctx, 8); - E_md4hash(password, r.in.new_password.data); - - creds_des_encrypt(&creds, &r.in.new_password); - - /* by changing the machine password twice we test the credentials - chaining fully */ + /* by changing the machine password twice we test the + credentials chaining fully, and we verify that the server + allows the password to be set to the same value twice in a + row (match win2k3) */ printf("Testing a second ServerPasswordSet on machine account\n"); - printf("Changing machine account password to '%s'\n", password); + printf("Changing machine account password to '%s' (same as pervsious run)\n", password); creds_client_authenticator(&creds, &r.in.credential); |
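Review bot: The new `printf` in `test_SetPassword` misspells "previous" as `pervsious`; the line should read `printf("Changing machine account password to '%s' (same as previous run)\n", password);`. With the regeneration removed, the second call appears to rely on `password` and the already-encrypted `r.in.new_password` being left intact by the first `ServerPasswordSet` round trip. That assumption is worth stating in the comment, e.g. `/* r.in.new_password is reused unchanged from the first call */`, so a later change to the marshalling code does not silently alter what this test sends.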