diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/auth_sam.c | 15 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 51 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 99 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb_privilege.c | 11 | ||||
-rw-r--r-- | source4/lib/db_wrap.c | 9 | ||||
-rw-r--r-- | source4/lib/ldb/config.mk | 4 | ||||
-rw-r--r-- | source4/lib/ldb/samba/ldif_handlers.c | 6 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap_ndr.c | 2 | ||||
-rw-r--r-- | source4/ntvfs/common/sidmap.c | 97 | ||||
-rw-r--r-- | source4/rpc_server/lsa/dcesrv_lsa.c | 68 | ||||
-rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 17 | ||||
-rw-r--r-- | source4/rpc_server/samr/dcesrv_samr.c | 263 | ||||
-rw-r--r-- | source4/rpc_server/samr/dcesrv_samr.h | 4 | ||||
-rw-r--r-- | source4/rpc_server/samr/samr_password.c | 10 | ||||
-rw-r--r-- | source4/setup/provision.ldif | 2 |
15 files changed, 303 insertions, 355 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c index 1ad9087bfe..3318238fda 100644 --- a/source4/auth/auth_sam.c +++ b/source4/auth/auth_sam.c @@ -257,7 +257,7 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context * } if (!domain_name) { - const char *domain_sid; + struct dom_sid *domain_sid; domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); if (!domain_sid) { @@ -267,20 +267,20 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context * /* find the domain's DN */ ret = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_tmp, NULL, "(&(objectSid=%s)(objectclass=domain))", - domain_sid); + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); if (ret == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } if (ret == 0) { DEBUG(3,("check_sam_security: Couldn't find domain_sid [%s] in passdb file.\n", - domain_sid)); + dom_sid_string(mem_ctx, domain_sid))); return NT_STATUS_NO_SUCH_USER; } if (ret > 1) { DEBUG(0,("Found %d records matching domain_sid [%s]\n", - ret, domain_sid)); + ret, dom_sid_string(mem_ctx, domain_sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -400,15 +400,14 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context /* Need to unroll some nested groups, but not aliases */ for (i = 0; i < group_ret; i++) { - str = ldb_msg_find_string(group_msgs[i], "objectSid", NULL); - groupSIDs[i] = dom_sid_parse_talloc(groupSIDs, str); + groupSIDs[i] = samdb_result_dom_sid(groupSIDs, + group_msgs[i], "objectSid"); NT_STATUS_HAVE_NO_MEMORY(groupSIDs[i]); } talloc_free(tmp_ctx); - str = ldb_msg_find_string(msgs[0], "objectSid", NULL); - account_sid = dom_sid_parse_talloc(server_info, str); + account_sid = samdb_result_dom_sid(server_info, msgs[0], "objectSid"); NT_STATUS_HAVE_NO_MEMORY(account_sid); primary_group_sid = dom_sid_dup(server_info, account_sid); diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 5472bed107..b5440c3cd1 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -35,7 +35,8 @@ #include "includes.h" #include "lib/ldb/include/ldb.h" #include "lib/ldb/include/ldb_private.h" -#include <time.h> +#include "system/time.h" +#include "librpc/gen_ndr/ndr_security.h" #define SAM_ACCOUNT_NAME_BASE "$000000-000000000000" @@ -169,14 +170,15 @@ static char *samldb_search_domain(struct ldb_module *module, TALLOC_CTX *mem_ctx allocate a new RID for the domain return the new sid string */ -static char *samldb_get_new_sid(struct ldb_module *module, TALLOC_CTX *mem_ctx, const char *obj_dn) +static struct dom_sid *samldb_get_new_sid(struct ldb_module *module, + TALLOC_CTX *mem_ctx, const char *obj_dn) { const char * const attrs[2] = { "objectSid", NULL }; struct ldb_message **res = NULL; - const char *dom_dn, *dom_sid; - char *obj_sid; + const char *dom_dn; uint32_t rid; int ret, tries = 10; + struct dom_sid *dom_sid, *obj_sid; /* get the domain component part of the provided dn */ @@ -197,11 +199,11 @@ static char *samldb_get_new_sid(struct ldb_module *module, TALLOC_CTX *mem_ctx, ret = ldb_search(module->ldb, dom_dn, LDB_SCOPE_BASE, "objectSid=*", attrs, &res); if (ret != 1) { ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_get_new_sid: error retrieving domain sid!\n"); - if (res) talloc_free(res); + talloc_free(res); return NULL; } - dom_sid = ldb_msg_find_string(res[0], "objectSid", NULL); + dom_sid = samdb_result_dom_sid(res, res[0], "objectSid"); if (dom_sid == NULL) { ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_get_new_sid: error retrieving domain sid!\n"); talloc_free(res); @@ -225,12 +227,10 @@ static char *samldb_get_new_sid(struct ldb_module *module, TALLOC_CTX *mem_ctx, } /* return the new object sid */ - - obj_sid = talloc_asprintf(mem_ctx, "%s-%u", dom_sid, rid); + obj_sid = dom_sid_add_rid(mem_ctx, dom_sid, rid); talloc_free(res); - return obj_sid; } @@ -307,6 +307,18 @@ static BOOL samldb_msg_add_string(struct ldb_module *module, struct ldb_message return True; } +static BOOL samldb_msg_add_sid(struct ldb_module *module, struct ldb_message *msg, const char *name, const struct dom_sid *sid) +{ + struct ldb_val v; + NTSTATUS status; + status = ndr_push_struct_blob(&v, msg, sid, + (ndr_push_flags_fn_t)ndr_push_dom_sid); + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + return (ldb_msg_add_value(module->ldb, msg, name, &v) == 0); +} + static BOOL samldb_find_or_add_attribute(struct ldb_module *module, struct ldb_message *msg, const char *name, const char *value, const char *set_value) { if (samldb_find_attribute(msg, name, value) == NULL) { @@ -367,7 +379,7 @@ static struct ldb_message *samldb_fill_group_object(struct ldb_module *module, c { struct ldb_message *msg2; struct ldb_message_element *attribute; - char *rdn, *basedn, *sidstr; + char *rdn, *basedn; if (samldb_find_attribute(msg, "objectclass", "group") == NULL) { return NULL; @@ -418,15 +430,17 @@ static struct ldb_message *samldb_fill_group_object(struct ldb_module *module, c } if ((attribute = samldb_find_attribute(msg2, "objectSid", NULL)) == NULL ) { - - if ((sidstr = samldb_get_new_sid(module, msg2, msg2->dn)) == NULL) { + struct dom_sid *sid = samldb_get_new_sid(module, msg2, msg2->dn); + if (sid == NULL) { ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_group_object: internal error! Can't generate new sid\n"); return NULL; } - if ( ! samldb_msg_add_string(module, msg2, "objectSid", sidstr)) { + if (!samldb_msg_add_sid(module, msg2, "objectSid", sid)) { + talloc_free(sid); return NULL; } + talloc_free(sid); } if ( ! samldb_find_or_add_attribute(module, msg2, "sAMAccountName", NULL, samldb_generate_samAccountName(msg2))) { @@ -444,7 +458,7 @@ static struct ldb_message *samldb_fill_user_or_computer_object(struct ldb_module { struct ldb_message *msg2; struct ldb_message_element *attribute; - char *rdn, *basedn, *sidstr; + char *rdn, *basedn; if ((samldb_find_attribute(msg, "objectclass", "user") == NULL) && (samldb_find_attribute(msg, "objectclass", "computer") == NULL)) { return NULL; @@ -500,15 +514,18 @@ static struct ldb_message *samldb_fill_user_or_computer_object(struct ldb_module } if ((attribute = samldb_find_attribute(msg2, "objectSid", NULL)) == NULL ) { - - if ((sidstr = samldb_get_new_sid(module, msg2, msg2->dn)) == NULL) { + struct dom_sid *sid; + sid = samldb_get_new_sid(module, msg2, msg2->dn); + if (sid == NULL) { ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_user_or_computer_object: internal error! Can't generate new sid\n"); return NULL; } - if ( ! samldb_msg_add_string(module, msg2, "objectSid", sidstr)) { + if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) { + talloc_free(sid); return NULL; } + talloc_free(sid); } if ( ! samldb_find_or_add_attribute(module, msg2, "sAMAccountName", NULL, samldb_generate_samAccountName(msg2))) { diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 5f9764ce42..e2426738da 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -61,17 +61,17 @@ int samdb_search_domain(struct ldb_context *sam_ldb, while (i<count) { struct dom_sid *entry_sid; - entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], - "objectSid"); + entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], "objectSid"); if ((entry_sid == NULL) || (!dom_sid_in_domain(domain_sid, entry_sid))) { - /* Delete that entry from the result set */ (*res)[i] = (*res)[count-1]; count -= 1; + talloc_free(entry_sid); continue; } + talloc_free(entry_sid); i += 1; } @@ -125,6 +125,37 @@ const char *samdb_search_string(struct ldb_context *sam_ldb, } /* + search the sam for a dom_sid attribute in exactly 1 record +*/ +struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb, + TALLOC_CTX *mem_ctx, + const char *basedn, + const char *attr_name, + const char *format, ...) _PRINTF_ATTRIBUTE(5,6) +{ + va_list ap; + int count; + struct ldb_message **res; + const char * const attrs[2] = { attr_name, NULL }; + struct dom_sid *sid; + + va_start(ap, format); + count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap); + va_end(ap); + if (count > 1) { + DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n", + attr_name, format, count)); + } + if (count != 1) { + talloc_free(res); + return NULL; + } + sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name); + talloc_free(res); + return sid; +} + +/* return the count of the number of records in the sam matching the query */ int samdb_search_count(struct ldb_context *sam_ldb, @@ -274,16 +305,18 @@ const char *samdb_result_string(struct ldb_message *msg, const char *attr, pull a rid from a objectSid in a result set. */ uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg, - const char *attr, uint32_t default_value) + const char *attr, uint32_t default_value) { struct dom_sid *sid; - const char *sidstr = ldb_msg_find_string(msg, attr, NULL); - if (!sidstr) return default_value; - - sid = dom_sid_parse_talloc(mem_ctx, sidstr); - if (!sid) return default_value; + uint32_t rid; - return sid->sub_auths[sid->num_auths-1]; + sid = samdb_result_dom_sid(mem_ctx, msg, attr); + if (sid == NULL) { + return default_value; + } + rid = sid->sub_auths[sid->num_auths-1]; + talloc_free(sid); + return rid; } /* @@ -292,10 +325,24 @@ uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr) { - const char *sidstr = ldb_msg_find_string(msg, attr, NULL); - if (!sidstr) return NULL; - - return dom_sid_parse_talloc(mem_ctx, sidstr); + const struct ldb_val *v; + struct dom_sid *sid; + NTSTATUS status; + v = ldb_msg_find_ldb_val(msg, attr); + if (v == NULL) { + return NULL; + } + sid = talloc(mem_ctx, struct dom_sid); + if (sid == NULL) { + return NULL; + } + status = ndr_pull_struct_blob(v, sid, sid, + (ndr_pull_flags_fn_t)ndr_pull_dom_sid); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(sid); + return NULL; + } + return sid; } /* @@ -324,15 +371,13 @@ struct GUID samdb_result_guid(struct ldb_message *msg, const char *attr) pull a sid prefix from a objectSid in a result set. this is used to find the domain sid for a user */ -const char *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, struct ldb_message *msg, - const char *attr) +struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, struct ldb_message *msg, + const char *attr) { struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr); if (!sid || sid->num_auths < 1) return NULL; - sid->num_auths--; - - return dom_sid_string(mem_ctx, sid); + return sid; } /* @@ -704,6 +749,22 @@ int samdb_msg_add_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struc } /* + add a dom_sid element to a message +*/ +int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, + const char *attr_name, struct dom_sid *sid) +{ + struct ldb_val v; + NTSTATUS status; + status = ndr_push_struct_blob(&v, mem_ctx, sid, + (ndr_push_flags_fn_t)ndr_push_dom_sid); + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + return ldb_msg_add_value(sam_ldb, msg, attr_name, &v); +} + +/* add a delete element operation to a message */ int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c index 77ddcbbdcd..bfd37f6417 100644 --- a/source4/dsdb/samdb/samdb_privilege.c +++ b/source4/dsdb/samdb/samdb_privilege.c @@ -31,29 +31,26 @@ static NTSTATUS samdb_privilege_setup_sid(void *samctx, TALLOC_CTX *mem_ctx, const struct dom_sid *sid, uint64_t *mask) { - char *sidstr; const char * const attrs[] = { "privilege", NULL }; struct ldb_message **res = NULL; struct ldb_message_element *el; int ret, i; + char *sidstr; *mask = 0; - sidstr = dom_sid_string(mem_ctx, sid); - if (sidstr == NULL) { - return NT_STATUS_NO_MEMORY; - } + sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid); + NT_STATUS_HAVE_NO_MEMORY(sidstr); ret = gendb_search(samctx, mem_ctx, NULL, &res, attrs, "objectSid=%s", sidstr); + talloc_free(sidstr); if (ret != 1) { - talloc_free(sidstr); /* not an error to not match */ return NT_STATUS_OK; } el = ldb_msg_find_element(res[0], "privilege"); if (el == NULL) { - talloc_free(sidstr); return NT_STATUS_OK; } diff --git a/source4/lib/db_wrap.c b/source4/lib/db_wrap.c index c277f2d975..b000225bbf 100644 --- a/source4/lib/db_wrap.c +++ b/source4/lib/db_wrap.c @@ -102,6 +102,15 @@ struct ldb_context *ldb_wrap_connect(TALLOC_CTX *mem_ctx, ev = talloc_find_parent_bytype(mem_ctx, struct event_context); if (ev) { ldb_set_opaque(ldb, "EventContext", ev); + } else { + DEBUG(0,("WARNING: event_context not found\n")); + talloc_show_parents(mem_ctx, stdout); + } + + ret = ldb_register_samba_handlers(ldb); + if (ret == -1) { + talloc_free(ldb); + return NULL; } ret = ldb_connect(ldb, url, flags, options); diff --git a/source4/lib/ldb/config.mk b/source4/lib/ldb/config.mk index 00568aeda8..cf3a7fa93d 100644 --- a/source4/lib/ldb/config.mk +++ b/source4/lib/ldb/config.mk @@ -72,7 +72,7 @@ ADD_OBJ_FILES = \ lib/ldb/common/ldb_modules.o \ lib/ldb/common/ldb_explode_dn.o REQUIRED_SUBSYSTEMS = \ - LIBREPLACE LIBTALLOC + LIBREPLACE LIBTALLOC LDBSAMBA NOPROTO = YES # # End SUBSYSTEM LIBLDB @@ -103,7 +103,7 @@ OBJ_FILES = \ [SUBSYSTEM::LIBLDB_CMDLINE] OBJ_FILES= \ lib/ldb/tools/cmdline.o -REQUIRED_SUBSYSTEMS = LIBLDB LIBCMDLINE LIBBASIC LDBSAMBA +REQUIRED_SUBSYSTEMS = LIBLDB LIBCMDLINE LIBBASIC # End SUBSYSTEM LIBLDB_CMDLINE ################################################ diff --git a/source4/lib/ldb/samba/ldif_handlers.c b/source4/lib/ldb/samba/ldif_handlers.c index 7252d081f1..17a45df78d 100644 --- a/source4/lib/ldb/samba/ldif_handlers.c +++ b/source4/lib/ldb/samba/ldif_handlers.c @@ -85,11 +85,5 @@ static const struct ldb_ldif_handler samba_handlers[] = { */ int ldb_register_samba_handlers(struct ldb_context *ldb) { -#if 0 - /* we can't enable this until we fix the sam code to handle - non-string elements */ return ldb_ldif_add_handlers(ldb, samba_handlers, ARRAY_SIZE(samba_handlers)); -#else - return 0; -#endif } diff --git a/source4/libcli/ldap/ldap_ndr.c b/source4/libcli/ldap/ldap_ndr.c index 88ca1ece77..f490b9983d 100644 --- a/source4/libcli/ldap/ldap_ndr.c +++ b/source4/libcli/ldap/ldap_ndr.c @@ -41,7 +41,7 @@ const char *ldap_encode_ndr_uint32(TALLOC_CTX *mem_ctx, uint32_t value) /* encode a NDR dom_sid as a ldap filter element */ -const char *ldap_encode_ndr_dom_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid) +const char *ldap_encode_ndr_dom_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid) { DATA_BLOB blob; NTSTATUS status; diff --git a/source4/ntvfs/common/sidmap.c b/source4/ntvfs/common/sidmap.c index a39ee2f0eb..b29f197b34 100644 --- a/source4/ntvfs/common/sidmap.c +++ b/source4/ntvfs/common/sidmap.c @@ -97,26 +97,18 @@ static NTSTATUS sidmap_primary_domain_sid(struct sidmap_context *sidmap, TALLOC_CTX *mem_ctx, struct dom_sid **sid) { const char *attrs[] = { "objectSid", NULL }; - void *ctx = talloc_new(mem_ctx); - const char *sidstr; int ret; - struct ldb_message **res; + struct ldb_message **res = NULL; - ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs, + ret = gendb_search(sidmap->samctx, mem_ctx, NULL, &res, attrs, "(&(objectClass=domain)(name=%s))", lp_workgroup()); if (ret != 1) { - talloc_free(ctx); + talloc_free(res); return NT_STATUS_NO_SUCH_DOMAIN; } - sidstr = samdb_result_string(res[0], "objectSid", NULL); - if (sidstr == NULL) { - talloc_free(ctx); - return NT_STATUS_NO_SUCH_DOMAIN; - } - - *sid = dom_sid_parse_talloc(mem_ctx, sidstr); - talloc_free(ctx); + *sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid"); + talloc_free(res); if (*sid == NULL) { return NT_STATUS_NO_MEMORY; } @@ -137,26 +129,21 @@ NTSTATUS sidmap_sid_to_unixuid(struct sidmap_context *sidmap, const char *s; void *ctx; struct ldb_message **res; - const char *sidstr; struct dom_sid *domain_sid; NTSTATUS status; ctx = talloc_new(sidmap); - sidstr = dom_sid_string(ctx, sid); - if (sidstr == NULL) { - talloc_free(ctx); - return NT_STATUS_NO_MEMORY; - } ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs, - "objectSid=%s", sidstr); + "objectSid=%s", ldap_encode_ndr_dom_sid(ctx, sid)); if (ret != 1) { goto allocated_sid; } /* make sure its a user, not a group */ if (!is_user_account(res[0])) { - DEBUG(0,("sid_to_unixuid: sid %s is not an account!\n", sidstr)); + DEBUG(0,("sid_to_unixuid: sid %s is not an account!\n", + dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_INVALID_SID; } @@ -174,7 +161,7 @@ NTSTATUS sidmap_sid_to_unixuid(struct sidmap_context *sidmap, if (s != NULL) { struct passwd *pwd = getpwnam(s); if (!pwd) { - DEBUG(0,("unixName %s for sid %s does not exist as a local user\n", s, sidstr)); + DEBUG(0,("unixName %s for sid %s does not exist as a local user\n", s, dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_NO_SUCH_USER; } @@ -188,7 +175,8 @@ NTSTATUS sidmap_sid_to_unixuid(struct sidmap_context *sidmap, if (s != NULL) { struct passwd *pwd = getpwnam(s); if (!pwd) { - DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local user\n", s, sidstr)); + DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local user\n", + s, dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_NO_SUCH_USER; } @@ -217,7 +205,7 @@ allocated_sid: DEBUG(0,("sid_to_unixuid: no unixID, unixName or sAMAccountName for sid %s\n", - sidstr)); + dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_INVALID_SID; @@ -236,26 +224,21 @@ NTSTATUS sidmap_sid_to_unixgid(struct sidmap_context *sidmap, const char *s; void *ctx; struct ldb_message **res; - const char *sidstr; NTSTATUS status; struct dom_sid *domain_sid; ctx = talloc_new(sidmap); - sidstr = dom_sid_string(ctx, sid); - if (sidstr == NULL) { - talloc_free(ctx); - return NT_STATUS_NO_MEMORY; - } ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs, - "objectSid=%s", sidstr); + "objectSid=%s", ldap_encode_ndr_dom_sid(ctx, sid)); if (ret != 1) { goto allocated_sid; } /* make sure its not a user */ if (!is_group_account(res[0])) { - DEBUG(0,("sid_to_unixgid: sid %s is a ATYPE_NORMAL_ACCOUNT\n", sidstr)); + DEBUG(0,("sid_to_unixgid: sid %s is a ATYPE_NORMAL_ACCOUNT\n", + dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_INVALID_SID; } @@ -274,7 +257,7 @@ NTSTATUS sidmap_sid_to_unixgid(struct sidmap_context *sidmap, struct group *grp = getgrnam(s); if (!grp) { DEBUG(0,("unixName '%s' for sid %s does not exist as a local group\n", - s, sidstr)); + s, dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_NO_SUCH_USER; } @@ -288,7 +271,7 @@ NTSTATUS sidmap_sid_to_unixgid(struct sidmap_context *sidmap, if (s != NULL) { struct group *grp = getgrnam(s); if (!grp) { - DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local group\n", s, sidstr)); + DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local group\n", s, dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_NO_SUCH_USER; } @@ -314,7 +297,7 @@ allocated_sid: } DEBUG(0,("sid_to_unixgid: no unixID, unixName or sAMAccountName for sid %s\n", - sidstr)); + dom_sid_string(ctx, sid))); talloc_free(ctx); return NT_STATUS_INVALID_SID; @@ -363,18 +346,11 @@ NTSTATUS sidmap_uid_to_sid(struct sidmap_context *sidmap, ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs, "unixID=%u", (unsigned int)uid); for (i=0;i<ret;i++) { - const char *sidstr; - if (!is_user_account(res[i])) continue; - sidstr = samdb_result_string(res[i], "objectSid", NULL); - if (sidstr == NULL) continue; - - *sid = dom_sid_parse_talloc(mem_ctx, sidstr); + *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid"); talloc_free(ctx); - if (*sid == NULL) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(*sid); return NT_STATUS_OK; } @@ -391,18 +367,11 @@ NTSTATUS sidmap_uid_to_sid(struct sidmap_context *sidmap, "(|(unixName=%s)(sAMAccountName=%s))", pwd->pw_name, pwd->pw_name); for (i=0;i<ret;i++) { - const char *sidstr; - if (!is_user_account(res[i])) continue; - sidstr = samdb_result_string(res[i], "objectSid", NULL); - if (sidstr == NULL) continue; - - *sid = dom_sid_parse_talloc(mem_ctx, sidstr); + *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid"); talloc_free(ctx); - if (*sid == NULL) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(*sid); return NT_STATUS_OK; } @@ -475,18 +444,11 @@ NTSTATUS sidmap_gid_to_sid(struct sidmap_context *sidmap, ret = gendb_search(sidmap->samctx, ctx, NULL, &res, attrs, "unixID=%u", (unsigned int)gid); for (i=0;i<ret;i++) { - const char *sidstr; - if (!is_group_account(res[i])) continue; - sidstr = samdb_result_string(res[i], "objectSid", NULL); - if (sidstr == NULL) continue; - - *sid = dom_sid_parse_talloc(mem_ctx, sidstr); + *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid"); talloc_free(ctx); - if (*sid == NULL) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(*sid); return NT_STATUS_OK; } @@ -503,18 +465,11 @@ NTSTATUS sidmap_gid_to_sid(struct sidmap_context *sidmap, "(|(unixName=%s)(sAMAccountName=%s))", grp->gr_name, grp->gr_name); for (i=0;i<ret;i++) { - const char *sidstr; - if (!is_group_account(res[i])) continue; - sidstr = samdb_result_string(res[i], "objectSid", NULL); - if (sidstr == NULL) continue; - - *sid = dom_sid_parse_talloc(mem_ctx, sidstr); + *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid"); talloc_free(ctx); - if (*sid == NULL) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(*sid); return NT_STATUS_OK; } diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index b3de4e4ba1..726c82364b 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -65,7 +65,6 @@ struct lsa_account_state { struct lsa_policy_state *policy; uint32_t access_mask; struct dom_sid *account_sid; - const char *account_sid_str; const char *account_dn; }; @@ -221,7 +220,6 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_ struct lsa_policy_state **_state) { struct lsa_policy_state *state; - const char *sid_str; state = talloc(mem_ctx, struct lsa_policy_state); if (!state) { @@ -266,13 +264,8 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_ return NT_STATUS_NO_SUCH_DOMAIN; } - sid_str = samdb_search_string(state->sam_ldb, mem_ctx, - state->domain_dn, "objectSid", NULL); - if (!sid_str) { - return NT_STATUS_NO_SUCH_DOMAIN; - } - - state->domain_sid = dom_sid_parse_talloc(state, sid_str); + state->domain_sid = samdb_search_dom_sid(state->sam_ldb, state, + state->domain_dn, "objectSid", NULL); if (!state->domain_sid) { return NT_STATUS_NO_SUCH_DOMAIN; } @@ -519,16 +512,11 @@ static NTSTATUS lsa_EnumAccounts(struct dcesrv_call_state *dce_call, TALLOC_CTX } for (i=0;i<count;i++) { - const char *sidstr; - - sidstr = samdb_result_string(res[i + *r->in.resume_handle], "objectSid", NULL); - if (sidstr == NULL) { - return NT_STATUS_NO_MEMORY; - } - r->out.sids->sids[i].sid = dom_sid_parse_talloc(r->out.sids->sids, sidstr); - if (r->out.sids->sids[i].sid == NULL) { - return NT_STATUS_NO_MEMORY; - } + r->out.sids->sids[i].sid = + samdb_result_dom_sid(r->out.sids->sids, + res[i + *r->in.resume_handle], + "objectSid"); + NT_STATUS_HAVE_NO_MEMORY(r->out.sids->sids[i].sid); } r->out.sids->num_sids = count; @@ -1104,7 +1092,7 @@ static NTSTATUS lsa_lookup_sid(struct lsa_policy_state *state, TALLOC_CTX *mem_c NTSTATUS status; ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs, - "objectSid=%s", sid_str); + "objectSid=%s", ldap_encode_ndr_dom_sid(mem_ctx, sid)); if (ret == 1) { *name = ldb_msg_find_string(res[0], "sAMAccountName", NULL); if (!*name) { @@ -1315,17 +1303,13 @@ static NTSTATUS lsa_OpenAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX * return NT_STATUS_NO_MEMORY; } - astate->account_sid_str = dom_sid_string(astate, astate->account_sid); - if (astate->account_sid_str == NULL) { - talloc_free(astate); - return NT_STATUS_NO_MEMORY; - } - /* check it really exists */ - astate->account_dn = samdb_search_string(state->sam_ldb, astate, - NULL, "dn", - "(&(objectSid=%s)(objectClass=group))", - astate->account_sid_str); + astate->account_dn = + samdb_search_string(state->sam_ldb, astate, + NULL, "dn", + "(&(objectSid=%s)(objectClass=group))", + ldap_encode_ndr_dom_sid(mem_ctx, + astate->account_sid)); if (astate->account_dn == NULL) { talloc_free(astate); return NT_STATUS_NO_SUCH_USER; @@ -1422,7 +1406,7 @@ static NTSTATUS lsa_EnumAccountRights(struct dcesrv_call_state *dce_call, state = h->data; - sidstr = dom_sid_string(mem_ctx, r->in.sid); + sidstr = ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid); if (sidstr == NULL) { return NT_STATUS_NO_MEMORY; } @@ -1471,7 +1455,7 @@ static NTSTATUS lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_call, const char *dn; struct lsa_EnumAccountRights r2; - sidstr = dom_sid_string(mem_ctx, sid); + sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid); if (sidstr == NULL) { return NT_STATUS_NO_MEMORY; } @@ -2348,16 +2332,9 @@ static NTSTATUS lsa_EnumAccountsWithUserRight(struct dcesrv_call_state *dce_call return NT_STATUS_NO_MEMORY; } for (i=0;i<ret;i++) { - const char *sidstr; - sidstr = samdb_result_string(res[i], "objectSid", NULL); - if (sidstr == NULL) { - return NT_STATUS_NO_MEMORY; - } - r->out.sids->sids[i].sid = dom_sid_parse_talloc(r->out.sids->sids, - sidstr); - if (r->out.sids->sids[i].sid == NULL) { - return NT_STATUS_NO_MEMORY; - } + r->out.sids->sids[i].sid = samdb_result_dom_sid(r->out.sids->sids, + res[i], "objectSid"); + NT_STATUS_HAVE_NO_MEMORY(r->out.sids->sids[i].sid); } r->out.sids->num_sids = ret; @@ -2540,12 +2517,7 @@ static NTSTATUS lsa_lookup_name(struct lsa_policy_state *state, TALLOC_CTX *mem_ ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs, "sAMAccountName=%s", name); if (ret == 1) { - const char *sid_str = ldb_msg_find_string(res[0], "objectSid", NULL); - if (sid_str == NULL) { - return NT_STATUS_INVALID_SID; - } - - *sid = dom_sid_parse_talloc(mem_ctx, sid_str); + *sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid"); if (*sid == NULL) { return NT_STATUS_INVALID_SID; } diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index bd20deedb9..4dd8312df5 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -313,7 +313,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO struct ldb_message **msgs_domain; NTSTATUS nt_status; struct ldb_message *mod; - const char *domain_sid; + struct dom_sid *domain_sid; const char *attrs[] = {"objectSid", NULL }; @@ -356,20 +356,20 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, "(&(objectSid=%s)(objectclass=domain))", - domain_sid); + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); if (num_records_domain == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } if (num_records_domain == 0) { DEBUG(3,("Couldn't find domain [%s] in samdb.\n", - domain_sid)); + dom_sid_string(mem_ctx, domain_sid))); return NT_STATUS_NO_SUCH_USER; } if (num_records_domain > 1) { DEBUG(0,("Found %d records matching domain [%s]\n", - num_records_domain, domain_sid)); + num_records_domain, dom_sid_string(mem_ctx, domain_sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1036,7 +1036,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL struct ldb_message **msgs_domain; NTSTATUS nt_status; struct ldb_message *mod; - const char *domain_sid; + struct dom_sid *domain_sid; char new_pass[512]; uint32_t new_pass_len; @@ -1083,20 +1083,21 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, "(&(objectSid=%s)(objectclass=domain))", - domain_sid); + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); if (num_records_domain == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } if (num_records_domain == 0) { DEBUG(3,("Couldn't find domain [%s] in samdb.\n", - domain_sid)); + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid))); return NT_STATUS_NO_SUCH_USER; } if (num_records_domain > 1) { DEBUG(0,("Found %d records matching domain [%s]\n", - num_records_domain, domain_sid)); + num_records_domain, + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index 337c300203..cce446533d 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c @@ -160,8 +160,7 @@ static NTSTATUS samr_LookupDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX { struct samr_connect_state *c_state; struct dcesrv_handle *h; - struct dom_sid2 *sid; - const char *sidstr; + struct dom_sid *sid; r->out.sid = NULL; @@ -173,19 +172,12 @@ static NTSTATUS samr_LookupDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX return NT_STATUS_INVALID_PARAMETER; } - sidstr = samdb_search_string(c_state->sam_ctx, - mem_ctx, NULL, "objectSid", - "(&(name=%s)(objectclass=domain))", - r->in.domain_name->string); - if (sidstr == NULL) { - return NT_STATUS_NO_SUCH_DOMAIN; - } - - sid = dom_sid_parse_talloc(mem_ctx, sidstr); + sid = samdb_search_dom_sid(c_state->sam_ctx, + mem_ctx, NULL, "objectSid", + "(&(name=%s)(objectclass=domain))", + r->in.domain_name->string); if (sid == NULL) { - DEBUG(0,("samdb: Invalid sid '%s' for domain %s\n", - sidstr, r->in.domain_name->string)); - return NT_STATUS_INTERNAL_DB_CORRUPTION; + return NT_STATUS_NO_SUCH_DOMAIN; } r->out.sid = sid; @@ -266,7 +258,7 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX * struct samr_OpenDomain *r) { struct dcesrv_handle *h_conn, *h_domain; - const char *sidstr, *domain_name; + const char *domain_name; struct samr_connect_state *c_state; struct samr_domain_state *d_state; const char * const attrs[2] = { "name", NULL}; @@ -283,15 +275,10 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX * return NT_STATUS_INVALID_PARAMETER; } - sidstr = dom_sid_string(mem_ctx, r->in.sid); - if (sidstr == NULL) { - return NT_STATUS_INVALID_PARAMETER; - } - ret = gendb_search(c_state->sam_ctx, mem_ctx, NULL, &msgs, attrs, "(&(objectSid=%s)(objectclass=domain))", - sidstr); + ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid)); if (ret != 1) { return NT_STATUS_NO_SUCH_DOMAIN; } @@ -308,7 +295,7 @@ static NTSTATUS samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX * d_state->connect_state = talloc_reference(d_state, c_state); d_state->sam_ctx = c_state->sam_ctx; - d_state->domain_sid = talloc_strdup(d_state, sidstr); + d_state->domain_sid = dom_sid_dup(d_state, r->in.sid); d_state->domain_name = talloc_strdup(d_state, domain_name); d_state->domain_dn = talloc_strdup(d_state, msgs[0]->dn); if (!d_state->domain_sid || !d_state->domain_name || !d_state->domain_dn) { @@ -470,7 +457,7 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO const char *name; struct ldb_message *msg; struct dom_sid *sid; - const char *groupname, *sidstr; + const char *groupname; struct dcesrv_handle *g_handle; int ret; @@ -526,10 +513,10 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO a_state->domain_state = talloc_reference(a_state, d_state); a_state->account_dn = talloc_steal(a_state, msg->dn); - /* retrieve the sidstring for the group just created */ - sidstr = samdb_search_string(d_state->sam_ctx, a_state, - msg->dn, "objectSid", NULL); - if (sidstr == NULL) { + /* retrieve the sid for the group just created */ + sid = samdb_search_dom_sid(d_state->sam_ctx, a_state, + msg->dn, "objectSid", NULL); + if (sid == NULL) { return NT_STATUS_UNSUCCESSFUL; } @@ -547,11 +534,6 @@ static NTSTATUS samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLO g_handle->data = talloc_steal(g_handle, a_state); *r->out.group_handle = g_handle->wire_handle; - - sid = dom_sid_parse_talloc(mem_ctx, sidstr); - if (!sid) - return NT_STATUS_UNSUCCESSFUL; - *r->out.rid = sid->sub_auths[sid->num_auths-1]; return NT_STATUS_OK; @@ -578,7 +560,6 @@ static NTSTATUS samr_EnumDomainGroups(struct dcesrv_call_state *dce_call, TALLOC int ldb_cnt, count, i, first; struct samr_SamEntry *entries; const char * const attrs[3] = { "objectSid", "sAMAccountName", NULL }; - struct dom_sid *domain_sid; *r->out.resume_handle = 0; r->out.sam = NULL; @@ -588,15 +569,11 @@ static NTSTATUS samr_EnumDomainGroups(struct dcesrv_call_state *dce_call, TALLOC d_state = h->data; - domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid); - if (domain_sid == NULL) - return NT_STATUS_NO_MEMORY; - /* search for all domain groups in this domain. This could possibly be cached and resumed based on resume_key */ ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs, - domain_sid, + d_state->domain_sid, "(&(grouptype=%s)(objectclass=group))", ldb_hexstr(mem_ctx, GTYPE_SECURITY_GLOBAL_GROUP)); @@ -680,7 +657,7 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX const char *name; struct ldb_message *msg; struct dom_sid *sid; - const char *account_name, *sidstr; + const char *account_name; struct dcesrv_handle *u_handle; int ret; const char *container, *class=NULL; @@ -756,10 +733,10 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX a_state->domain_state = talloc_reference(a_state, d_state); a_state->account_dn = talloc_steal(a_state, msg->dn); - /* retrieve the sidstring for the group just created */ - sidstr = samdb_search_string(d_state->sam_ctx, a_state, + /* retrieve the sid for the group just created */ + sid = samdb_search_dom_sid(d_state->sam_ctx, a_state, msg->dn, "objectSid", NULL); - if (sidstr == NULL) { + if (sid == NULL) { return NT_STATUS_UNSUCCESSFUL; } @@ -779,10 +756,6 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *r->out.user_handle = u_handle->wire_handle; *r->out.access_granted = 0xf07ff; /* TODO: fix access mask calculations */ - sid = dom_sid_parse_talloc(mem_ctx, sidstr); - if (!sid) - return NT_STATUS_UNSUCCESSFUL; - *r->out.rid = sid->sub_auths[sid->num_auths-1]; return NT_STATUS_OK; @@ -898,7 +871,7 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C struct samr_domain_state *d_state; struct samr_account_state *a_state; struct dcesrv_handle *h; - const char *alias_name, *name, *sidstr; + const char *alias_name, *name; struct ldb_message *msg; struct dom_sid *sid; struct dcesrv_handle *a_handle; @@ -960,12 +933,9 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C a_state->domain_state = talloc_reference(a_state, d_state); a_state->account_dn = talloc_steal(a_state, msg->dn); - /* retrieve the sidstring for the group just created */ - sidstr = samdb_search_string(d_state->sam_ctx, a_state, + /* retrieve the sid for the alias just created */ + sid = samdb_search_dom_sid(d_state->sam_ctx, a_state, msg->dn, "objectSid", NULL); - if (sidstr == NULL) { - return NT_STATUS_UNSUCCESSFUL; - } a_state->account_name = talloc_strdup(a_state, alias_name); if (!a_state->account_name) { @@ -981,10 +951,6 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C *r->out.alias_handle = a_handle->wire_handle; - sid = dom_sid_parse_talloc(mem_ctx, sidstr); - if (!sid) - return NT_STATUS_UNSUCCESSFUL; - *r->out.rid = sid->sub_auths[sid->num_auths-1]; return NT_STATUS_OK; @@ -1003,7 +969,6 @@ static NTSTATUS samr_EnumDomainAliases(struct dcesrv_call_state *dce_call, TALLO int ldb_cnt, count, i, first; struct samr_SamEntry *entries; const char * const attrs[3] = { "objectSid", "sAMAccountName", NULL }; - struct dom_sid *domain_sid; *r->out.resume_handle = 0; r->out.sam = NULL; @@ -1013,15 +978,12 @@ static NTSTATUS samr_EnumDomainAliases(struct dcesrv_call_state *dce_call, TALLO d_state = h->data; - domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid); - if (domain_sid == NULL) - return NT_STATUS_NO_MEMORY; - /* search for all domain groups in this domain. This could possibly be cached and resumed based on resume_key */ ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx, d_state->domain_dn, - &res, attrs, domain_sid, + &res, attrs, + d_state->domain_sid, "(&(|(grouptype=%s)(grouptype=%s)))" "(objectclass=group))", ldb_hexstr(mem_ctx, @@ -1102,7 +1064,6 @@ static NTSTATUS samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALL struct dcesrv_handle *h; struct samr_domain_state *d_state; struct ldb_message **res; - struct dom_sid *domain_sid; int i, count = 0; DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN); @@ -1124,17 +1085,14 @@ static NTSTATUS samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_NO_MEMORY; for (i=0; i<r->in.sids->num_sids; i++) { - const char *sidstr, *memberdn; + const char *memberdn; - sidstr = dom_sid_string(mem_ctx, - r->in.sids->sids[i].sid); - if (sidstr == NULL) - return NT_STATUS_NO_MEMORY; - - memberdn = samdb_search_string(d_state->sam_ctx, - mem_ctx, NULL, "dn", - "(objectSid=%s)", - sidstr); + memberdn = + samdb_search_string(d_state->sam_ctx, + mem_ctx, NULL, "dn", + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, + r->in.sids->sids[i].sid)); if (memberdn == NULL) continue; @@ -1145,14 +1103,9 @@ static NTSTATUS samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_NO_MEMORY; } - domain_sid = dom_sid_parse_talloc(mem_ctx, - d_state->domain_sid); - if (domain_sid == NULL) - return NT_STATUS_NO_MEMORY; - count = samdb_search_domain(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs, - domain_sid, "%s))", filter); + d_state->domain_sid, "%s))", filter); if (count < 0) return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1215,8 +1168,7 @@ static NTSTATUS samr_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX for (i=0;i<r->in.num_names;i++) { struct ldb_message **res; - struct dom_sid2 *sid; - const char *sidstr; + struct dom_sid *sid; uint32_t atype, rtype; r->out.rids.ids[i] = 0; @@ -1229,18 +1181,12 @@ static NTSTATUS samr_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX continue; } - sidstr = samdb_result_string(res[0], "objectSid", NULL); - if (sidstr == NULL) { - status = STATUS_SOME_UNMAPPED; - continue; - } - - sid = dom_sid_parse_talloc(mem_ctx, sidstr); + sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid"); if (sid == NULL) { status = STATUS_SOME_UNMAPPED; continue; } - + atype = samdb_result_uint(res[0], "sAMAccountType", 0); if (atype == 0) { status = STATUS_SOME_UNMAPPED; @@ -1300,13 +1246,21 @@ static NTSTATUS samr_LookupRids(struct dcesrv_call_state *dce_call, TALLOC_CTX * const char * const attrs[] = { "sAMAccountType", "sAMAccountName", NULL }; uint32_t atype; + struct dom_sid *sid; ids[i] = SID_NAME_UNKNOWN; + sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rids[i]); + if (sid == NULL) { + names[i].string = NULL; + status = STATUS_SOME_UNMAPPED; + continue; + } + count = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs, - "(objectSid=%s-%u)", d_state->domain_sid, - r->in.rids[i]); + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, sid)); if (count != 1) { names[i].string = NULL; status = STATUS_SOME_UNMAPPED; @@ -1349,7 +1303,8 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m struct samr_domain_state *d_state; struct samr_account_state *a_state; struct dcesrv_handle *h; - const char *groupname, *sidstr; + const char *groupname; + struct dom_sid *sid; struct ldb_message **msgs; struct dcesrv_handle *g_handle; const char * const attrs[2] = { "sAMAccountName", NULL }; @@ -1362,8 +1317,8 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m d_state = h->data; /* form the group SID */ - sidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, r->in.rid); - if (!sidstr) { + sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid); + if (!sid) { return NT_STATUS_NO_MEMORY; } @@ -1372,19 +1327,22 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m mem_ctx, d_state->domain_dn, &msgs, attrs, "(&(objectSid=%s)(objectclass=group)" "(grouptype=%s))", - sidstr, ldb_hexstr(mem_ctx, - GTYPE_SECURITY_GLOBAL_GROUP)); + ldap_encode_ndr_dom_sid(mem_ctx, sid), + ldb_hexstr(mem_ctx, + GTYPE_SECURITY_GLOBAL_GROUP)); if (ret == 0) { return NT_STATUS_NO_SUCH_GROUP; } if (ret != 1) { - DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr)); + DEBUG(0,("Found %d records matching sid %s\n", + ret, dom_sid_string(mem_ctx, sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } groupname = samdb_result_string(msgs[0], "sAMAccountName", NULL); if (groupname == NULL) { - DEBUG(0,("sAMAccountName field missing for sid %s\n", sidstr)); + DEBUG(0,("sAMAccountName field missing for sid %s\n", + dom_sid_string(mem_ctx, sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1396,7 +1354,7 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m a_state->access_mask = r->in.access_mask; a_state->domain_state = talloc_reference(a_state, d_state); a_state->account_dn = talloc_steal(a_state, msgs[0]->dn); - a_state->account_sid = talloc_steal(a_state, sidstr); + a_state->account_sid = talloc_steal(a_state, sid); a_state->account_name = talloc_strdup(a_state, groupname); if (!a_state->account_name) { return NT_STATUS_NO_MEMORY; @@ -1586,7 +1544,7 @@ static NTSTATUS samr_AddGroupMember(struct dcesrv_call_state *dce_call, TALLOC_C struct samr_account_state *a_state; struct samr_domain_state *d_state; struct ldb_message *mod; - char *membersidstr; + struct dom_sid *membersid; const char *memberdn; struct ldb_message **msgs; const char * const attrs[2] = { "dn", NULL }; @@ -1597,16 +1555,15 @@ static NTSTATUS samr_AddGroupMember(struct dcesrv_call_state *dce_call, TALLOC_C a_state = h->data; d_state = a_state->domain_state; - membersidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, - r->in.rid); - if (membersidstr == NULL) + membersid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid); + if (membersid == NULL) return NT_STATUS_NO_MEMORY; /* In native mode, AD can also nest domain groups. Not sure yet * whether this is also available via RPC. */ ret = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &msgs, attrs, "(&(objectSid=%s)(objectclass=user))", - membersidstr); + ldap_encode_ndr_dom_sid(mem_ctx, membersid)); if (ret == 0) return NT_STATUS_NO_SUCH_USER; @@ -1674,7 +1631,7 @@ static NTSTATUS samr_DeleteGroupMember(struct dcesrv_call_state *dce_call, TALLO struct samr_account_state *a_state; struct samr_domain_state *d_state; struct ldb_message *mod; - char *membersidstr; + struct dom_sid *membersid; const char *memberdn; struct ldb_message **msgs; const char * const attrs[2] = { "dn", NULL }; @@ -1685,16 +1642,15 @@ static NTSTATUS samr_DeleteGroupMember(struct dcesrv_call_state *dce_call, TALLO a_state = h->data; d_state = a_state->domain_state; - membersidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, - r->in.rid); - if (membersidstr == NULL) + membersid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid); + if (membersid == NULL) return NT_STATUS_NO_MEMORY; /* In native mode, AD can also nest domain groups. Not sure yet * whether this is also available via RPC. */ ret = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &msgs, attrs, "(&(objectSid=%s)(objectclass=user))", - membersidstr); + ldap_encode_ndr_dom_sid(mem_ctx, membersid)); if (ret == 0) return NT_STATUS_NO_SUCH_USER; @@ -1820,7 +1776,8 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m struct samr_domain_state *d_state; struct samr_account_state *a_state; struct dcesrv_handle *h; - const char *alias_name, *sidstr; + const char *alias_name; + struct dom_sid *sid; struct ldb_message **msgs; struct dcesrv_handle *g_handle; const char * const attrs[2] = { "sAMAccountName", NULL }; @@ -1833,9 +1790,8 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m d_state = h->data; /* form the alias SID */ - sidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, - r->in.rid); - if (sidstr == NULL) + sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid); + if (sid == NULL) return NT_STATUS_NO_MEMORY; /* search for the group record */ @@ -1843,7 +1799,7 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m mem_ctx, d_state->domain_dn, &msgs, attrs, "(&(objectSid=%s)(objectclass=group)" "(|(grouptype=%s)(grouptype=%s)))", - sidstr, + ldap_encode_ndr_dom_sid(mem_ctx, sid), ldb_hexstr(mem_ctx, GTYPE_SECURITY_BUILTIN_LOCAL_GROUP), ldb_hexstr(mem_ctx, @@ -1852,13 +1808,15 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m return NT_STATUS_NO_SUCH_ALIAS; } if (ret != 1) { - DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr)); + DEBUG(0,("Found %d records matching sid %s\n", + ret, dom_sid_string(mem_ctx, sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } alias_name = samdb_result_string(msgs[0], "sAMAccountName", NULL); if (alias_name == NULL) { - DEBUG(0,("sAMAccountName field missing for sid %s\n", sidstr)); + DEBUG(0,("sAMAccountName field missing for sid %s\n", + dom_sid_string(mem_ctx, sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1870,7 +1828,7 @@ static NTSTATUS samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *m a_state->access_mask = r->in.access_mask; a_state->domain_state = talloc_reference(a_state, d_state); a_state->account_dn = talloc_steal(a_state, msgs[0]->dn); - a_state->account_sid = talloc_steal(a_state, sidstr); + a_state->account_sid = talloc_steal(a_state, sid); a_state->account_name = talloc_strdup(a_state, alias_name); if (!a_state->account_name) { return NT_STATUS_NO_MEMORY; @@ -2030,7 +1988,6 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C struct dcesrv_handle *h; struct samr_account_state *a_state; struct samr_domain_state *d_state; - const char *sidstr; struct ldb_message *mod; struct ldb_message **msgs; const char * const attrs[2] = { "dn", NULL }; @@ -2042,28 +1999,27 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C a_state = h->data; d_state = a_state->domain_state; - sidstr = dom_sid_string(mem_ctx, r->in.sid); - if (sidstr == NULL) - return NT_STATUS_INVALID_PARAMETER; - ret = gendb_search(d_state->sam_ctx, mem_ctx, NULL, - &msgs, attrs, "(objectsid=%s)", sidstr); + &msgs, attrs, "(objectsid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid)); if (ret == 1) { memberdn = ldb_msg_find_string(msgs[0], "dn", NULL); } else if (ret > 1) { - DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr)); + DEBUG(0,("Found %d records matching sid %s\n", + ret, dom_sid_string(mem_ctx, r->in.sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } else if (ret == 0) { struct ldb_message *msg; struct GUID guid; - const char *guidstr, *basedn; + const char *guidstr, *basedn, *sidstr; + + sidstr = dom_sid_string(mem_ctx, r->in.sid); + NT_STATUS_HAVE_NO_MEMORY(sidstr); /* We might have to create a ForeignSecurityPrincipal, but * only if it's not our own domain */ - if (dom_sid_in_domain(dom_sid_parse_talloc(mem_ctx, - d_state->domain_sid), - r->in.sid)) + if (dom_sid_in_domain(d_state->domain_sid, r->in.sid)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; msg = ldb_msg_new(mem_ctx); @@ -2166,7 +2122,6 @@ static NTSTATUS samr_DeleteAliasMember(struct dcesrv_call_state *dce_call, TALLO struct dcesrv_handle *h; struct samr_account_state *a_state; struct samr_domain_state *d_state; - const char *sidstr; struct ldb_message *mod; const char *memberdn; @@ -2175,12 +2130,9 @@ static NTSTATUS samr_DeleteAliasMember(struct dcesrv_call_state *dce_call, TALLO a_state = h->data; d_state = a_state->domain_state; - sidstr = dom_sid_string(mem_ctx, r->in.sid); - if (sidstr == NULL) - return NT_STATUS_INVALID_PARAMETER; - memberdn = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL, - "dn", "(objectSid=%s)", sidstr); + "dn", "(objectSid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid)); if (memberdn == NULL) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -2274,7 +2226,8 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me struct samr_domain_state *d_state; struct samr_account_state *a_state; struct dcesrv_handle *h; - const char *account_name, *sidstr; + const char *account_name; + struct dom_sid *sid; struct ldb_message **msgs; struct dcesrv_handle *u_handle; const char * const attrs[2] = { "sAMAccountName", NULL }; @@ -2287,8 +2240,8 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me d_state = h->data; /* form the users SID */ - sidstr = talloc_asprintf(mem_ctx, "%s-%u", d_state->domain_sid, r->in.rid); - if (!sidstr) { + sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid); + if (!sid) { return NT_STATUS_NO_MEMORY; } @@ -2296,18 +2249,20 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me ret = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &msgs, attrs, "(&(objectSid=%s)(objectclass=user))", - sidstr); + ldap_encode_ndr_dom_sid(mem_ctx, sid)); if (ret == 0) { return NT_STATUS_NO_SUCH_USER; } if (ret != 1) { - DEBUG(0,("Found %d records matching sid %s\n", ret, sidstr)); + DEBUG(0,("Found %d records matching sid %s\n", ret, + dom_sid_string(mem_ctx, sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } account_name = samdb_result_string(msgs[0], "sAMAccountName", NULL); if (account_name == NULL) { - DEBUG(0,("sAMAccountName field missing for sid %s\n", sidstr)); + DEBUG(0,("sAMAccountName field missing for sid %s\n", + dom_sid_string(mem_ctx, sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -2319,7 +2274,7 @@ static NTSTATUS samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *me a_state->access_mask = r->in.access_mask; a_state->domain_state = talloc_reference(a_state, d_state); a_state->account_dn = talloc_steal(a_state, msgs[0]->dn); - a_state->account_sid = talloc_steal(a_state, sidstr); + a_state->account_sid = talloc_steal(a_state, sid); a_state->account_name = talloc_strdup(a_state, account_name); if (!a_state->account_name) { return NT_STATUS_NO_MEMORY; @@ -2801,7 +2756,6 @@ static NTSTATUS samr_GetGroupsForUser(struct dcesrv_call_state *dce_call, TALLOC struct samr_account_state *a_state; struct samr_domain_state *d_state; struct ldb_message **res; - struct dom_sid *domain_sid; const char * const attrs[2] = { "objectSid", NULL }; struct samr_RidWithTypeArray *array; int count; @@ -2810,12 +2764,9 @@ static NTSTATUS samr_GetGroupsForUser(struct dcesrv_call_state *dce_call, TALLOC a_state = h->data; d_state = a_state->domain_state; - domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid); - if (domain_sid == NULL) - return NT_STATUS_NO_MEMORY; count = samdb_search_domain(a_state->sam_ctx, mem_ctx, NULL, &res, - attrs, domain_sid, + attrs, d_state->domain_sid, "(&(member=%s)(grouptype=%s)(objectclass=group))", a_state->account_dn, ldb_hexstr(mem_ctx, @@ -2873,7 +2824,6 @@ static NTSTATUS samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, TALLOC int ldb_cnt, count, i; const char * const attrs[4] = { "objectSid", "sAMAccountName", "description", NULL }; - struct dom_sid *domain_sid; struct samr_DispEntryFull *entriesFull = NULL; struct samr_DispEntryAscii *entriesAscii = NULL; struct samr_DispEntryGeneral * entriesGeneral = NULL; @@ -2907,15 +2857,11 @@ static NTSTATUS samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, TALLOC return NT_STATUS_INVALID_INFO_CLASS; } - domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid); - if (domain_sid == NULL) - return NT_STATUS_NO_MEMORY; - /* search for all requested objects in this domain. This could possibly be cached and resumed based on resume_key */ ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs, - domain_sid, "%s", filter); + d_state->domain_sid, "%s", filter); if (ldb_cnt == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -3127,8 +3073,7 @@ static NTSTATUS samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce { struct dcesrv_handle *h; struct samr_domain_state *d_state; - struct dom_sid *domain_sid; - const char *membersid, *memberdn; + const char *memberdn; struct ldb_message **res; const char * const attrs[3] = { "dn", "objectSid", NULL }; int i, count; @@ -3137,13 +3082,9 @@ static NTSTATUS samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce d_state = h->data; - domain_sid = dom_sid_parse_talloc(mem_ctx, d_state->domain_sid); - membersid = dom_sid_string(mem_ctx, r->in.sid); - if ((domain_sid == NULL) || (membersid == NULL)) - return NT_STATUS_NO_MEMORY; - memberdn = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL, - "dn", "(objectSid=%s)", membersid); + "dn", "(objectSid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid)); if (memberdn == NULL) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -3152,7 +3093,7 @@ static NTSTATUS samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce count = samdb_search_domain(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs, - domain_sid, + d_state->domain_sid, "(&(member=%s)(objectClass=group)" "(|(groupType=%s)(groupType=%s)))", memberdn, diff --git a/source4/rpc_server/samr/dcesrv_samr.h b/source4/rpc_server/samr/dcesrv_samr.h index 9e41937328..51e0869eef 100644 --- a/source4/rpc_server/samr/dcesrv_samr.h +++ b/source4/rpc_server/samr/dcesrv_samr.h @@ -47,7 +47,7 @@ struct samr_domain_state { struct samr_connect_state *connect_state; void *sam_ctx; uint32_t access_mask; - const char *domain_sid; + struct dom_sid *domain_sid; const char *domain_name; const char *domain_dn; }; @@ -59,7 +59,7 @@ struct samr_account_state { struct samr_domain_state *domain_state; void *sam_ctx; uint32_t access_mask; - const char *account_sid; + struct dom_sid *account_sid; const char *account_name; const char *account_dn; }; diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 8fa261cf35..d251c02eca 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -147,11 +147,11 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_ int ret; struct ldb_message **res, *mod; const char * const attrs[] = { "objectSid", "lmPwdHash", "unicodePwd", NULL }; - const char *domain_sid; struct samr_Password *lm_pwd; DATA_BLOB lm_pwd_blob; uint8_t new_lm_hash[16]; struct samr_Password lm_verifier; + struct dom_sid *domain_sid; if (pwbuf == NULL) { return NT_STATUS_WRONG_PASSWORD; @@ -211,7 +211,8 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_ } domain_dn = samdb_search_string(sam_ctx, mem_ctx, NULL, "dn", - "(objectSid=%s)", domain_sid); + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); if (!domain_dn) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -267,7 +268,7 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, const char * const dom_attrs[] = { "minPwdLength", "pwdHistoryLength", "pwdProperties", "minPwdAge", "maxPwdAge", NULL }; - const char *domain_sid; + struct dom_sid *domain_sid; struct samr_Password *nt_pwd, *lm_pwd; DATA_BLOB nt_pwd_blob; struct samr_DomInfo1 *dominfo; @@ -360,7 +361,8 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, } domain_dn = samdb_search_string(sam_ctx, mem_ctx, NULL, "dn", - "(objectSid=%s)", domain_sid); + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); if (!domain_dn) { status = NT_STATUS_INTERNAL_DB_CORRUPTION; goto failed; diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index c3968495e4..ce6d349aca 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif @@ -1,7 +1,7 @@ dn: @INDEXLIST @IDXATTR: name @IDXATTR: sAMAccountName -@IDXATTR: objectSid +@IDXATTR: objectSid_DISABLED_BY_TRIDGE @IDXATTR: objectClass @IDXATTR: member @IDXATTR: unixID |