From bad738e6536e983064eee7647229354bc9028183 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 13 Jun 2002 14:06:08 +0000 Subject: Latest patch from metze to move most of samba across to using SIDs instead of RIDs. The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument. The idea here is to prevent mistakes where the SID is implict, but isn't the same one that we have in the struct. Andrew Bartlett (This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901) --- source3/include/smb.h | 4 +- source3/lib/util_sid.c | 31 +++++++++++-- source3/nsswitch/winbindd_ads.c | 10 ++-- source3/nsswitch/winbindd_cache.c | 3 +- source3/nsswitch/winbindd_group.c | 3 +- source3/passdb/passdb.c | 78 ++++++++++++------------------- source3/passdb/pdb_get_set.c | 97 ++++++++++++++++++++++++++++++++------- source3/passdb/pdb_ldap.c | 10 ++-- source3/passdb/pdb_nisplus.c | 12 +++-- source3/passdb/pdb_smbpasswd.c | 7 +-- source3/passdb/pdb_tdb.c | 13 +++--- source3/passdb/pdb_unix.c | 3 +- source3/rpc_server/srv_samr_nt.c | 15 ++---- source3/utils/pdbedit.c | 10 ++-- 14 files changed, 183 insertions(+), 113 deletions(-) diff --git a/source3/include/smb.h b/source3/include/smb.h index c604599180..531f270c3d 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -624,8 +624,8 @@ typedef struct sam_passwd uid_t uid; /* this is a unix uid_t */ gid_t gid; /* this is a unix gid_t */ - uint32 user_rid; /* Primary User ID */ - uint32 group_rid; /* Primary Group ID */ + DOM_SID user_sid; /* Primary User SID */ + DOM_SID group_sid; /* Primary Group SID */ DATA_BLOB lm_pw; /* .data is Null if no password */ DATA_BLOB nt_pw; /* .data is Null if no password */ diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 21ef9e081b..3ad9e909d8 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -1,10 +1,11 @@ /* Unix SMB/CIFS implementation. Samba utility functions - Copyright (C) Andrew Tridgell 1992-1998 - Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 - Copyright (C) Jeremy Allison 1999 - + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 + Copyright (C) Jeremy Allison 1999 + Copyright (C) Stefan (metze) Metzmacher 2002 + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or @@ -253,6 +254,9 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid) { + if (!sid || !rid) + return False; + if (sid->num_auths > 0) { *rid = sid->sub_auths[sid->num_auths - 1]; return True; @@ -260,6 +264,25 @@ BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid) return False; } +/***************************************************************** + Return the last rid from the end of a sid + and check the sid against the exp_dom_sid +*****************************************************************/ + +BOOL sid_peek_check_rid(DOM_SID *exp_dom_sid,DOM_SID *sid, uint32 *rid) +{ + if (!exp_dom_sid || !sid || !rid) + return False; + + + if (sid_compare_domain(exp_dom_sid, sid)!=0){ + *rid=(-1); + return False; + } + + return sid_peek_rid(sid,rid); +} + /***************************************************************** Copies a sid *****************************************************************/ diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c index 545ee411a4..28aeb39730 100644 --- a/source3/nsswitch/winbindd_ads.c +++ b/source3/nsswitch/winbindd_ads.c @@ -273,7 +273,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, continue; } - if (!sid_peek_rid(&sid, &rid)) { + if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) { DEBUG(1,("No rid for %s !?\n", name)); continue; } @@ -356,7 +356,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, continue; } - if (!sid_peek_rid(&sid, &rid)) { + if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) { DEBUG(1,("No rid for %s !?\n", name)); continue; } @@ -584,7 +584,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain, goto done; } - if (!sid_peek_rid(&sid, &info->user_rid)) { + if (!sid_peek_check_rid(&domain->sid,&sid, &info->user_rid)) { DEBUG(1,("No rid for %d !?\n", user_rid)); goto done; } @@ -662,7 +662,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, for (i=1;isid, &sids[i-1], &rid)) continue; (*user_gids)[*num_groups] = rid; (*num_groups)++; } @@ -737,7 +737,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, DEBUG(1,("No sid for %s !?\n", (*names)[*num_names])); continue; } - if (!sid_peek_rid(&sid, &rid)) { + if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) { DEBUG(1,("No rid for %s !?\n", (*names)[*num_names])); continue; } diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c index dcb93fa3b5..d9ed63baf8 100644 --- a/source3/nsswitch/winbindd_cache.c +++ b/source3/nsswitch/winbindd_cache.c @@ -658,7 +658,8 @@ static NTSTATUS sid_to_name(struct winbindd_domain *domain, NTSTATUS status; uint32 rid = 0; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(&domain->sid, sid, &rid)) + return NT_STATUS_INVALID_PARAMETER; if (!cache->tdb) goto do_query; diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c index 4ef57513bb..ab8e1cfd78 100644 --- a/source3/nsswitch/winbindd_group.c +++ b/source3/nsswitch/winbindd_group.c @@ -228,7 +228,8 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state) } /* Fill in group structure */ - sid_peek_rid(&group_sid, &group_rid); + if (!sid_peek_check_rid(&domain->sid, &group_sid, &group_rid)) + return WINBINDD_ERROR; if (!winbindd_idmap_get_gid_from_sid(&group_sid, &gid)) { DEBUG(1, ("error converting unix gid to sid\n")); diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 154963e2a0..31bbf14299 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -156,7 +156,6 @@ NTSTATUS pdb_init_sam(SAM_ACCOUNT **user) NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) { GROUP_MAP map; - uint32 rid; if (!pwd) { return NT_STATUS_UNSUCCESSFUL; @@ -184,18 +183,25 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) -- abartlet 11-May-02 */ - pdb_set_user_rid(sam_account, - fallback_pdb_uid_to_user_rid(pwd->pw_uid)); + if (!pdb_set_user_sid_from_rid(sam_account, + fallback_pdb_uid_to_user_rid(pwd->pw_uid))) { + DEBUG(0,("Can't set User SID from RID!\n")); + return NT_STATUS_INVALID_PARAMETER; + } /* call the mapping code here */ if(get_group_map_from_gid(pwd->pw_gid, &map, MAPPING_WITHOUT_PRIV)) { - sid_peek_rid(&map.sid, &rid); + if (!pdb_set_group_sid(sam_account,&map.sid)){ + DEBUG(0,("Can't set Group SID!\n")); + return NT_STATUS_INVALID_PARAMETER; + } } else { - rid=pdb_gid_to_group_rid(pwd->pw_gid); + if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid))) { + DEBUG(0,("Can't set Group SID\n")); + return NT_STATUS_INVALID_PARAMETER; + } } - - pdb_set_group_rid(sam_account, rid); /* check if this is a user account or a machine account */ if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$') @@ -455,39 +461,6 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd) return (True); } -#if 0 /* seem it is not used by anyone */ -/******************************************************************* - Group and User RID username mapping function - ********************************************************************/ - -BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid) -{ - GROUP_MAP map; - struct passwd *pw = Get_Pwnam(user_name); - - if (u_rid == NULL || g_rid == NULL || user_name == NULL) - return False; - - if (!pw) { - DEBUG(1,("Username %s is invalid on this system\n", user_name)); - return False; - } - - /* turn the unix UID into a Domain RID. this is what the posix - sub-system does (adds 1000 to the uid) */ - *u_rid = fallback_pdb_uid_to_user_rid(pw->pw_uid); - - /* absolutely no idea what to do about the unix GID to Domain RID mapping */ - /* map it ! */ - if (get_group_map_from_gid(pw->pw_gid, &map, MAPPING_WITHOUT_PRIV)) { - sid_peek_rid(&map.sid, g_rid); - } else - *g_rid = pdb_gid_to_group_rid(pw->pw_gid); - - return True; -} -#endif /* seem it is not used by anyone */ - /******************************************************************* Converts NT user RID to a UNIX uid. ********************************************************************/ @@ -578,7 +551,11 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use SAM_ACCOUNT *sam_account = NULL; GROUP_MAP map; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)){ + DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n", + sid_string_static(&map.sid))); + return False; + } *psid_name_use = SID_NAME_UNKNOWN; DEBUG(5,("local_lookup_sid: looking up RID %u.\n", (unsigned int)rid)); @@ -724,10 +701,9 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi } if (pdb_getsampwnam(sam_account, user)) { - sid_append_rid( &local_sid, pdb_get_user_rid(sam_account)); + sid_copy(psid, (DOM_SID *) pdb_get_user_sid(sam_account)); *psid_name_use = SID_NAME_USER; - sid_copy( psid, &local_sid); pdb_free_sam(&sam_account); return True; } @@ -800,7 +776,7 @@ DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid) } if (pdb_getsampwnam(sam_user, pass->pw_name)) { - sid_append_rid(psid, pdb_get_user_rid(sam_user)); + sid_copy(psid, (DOM_SID *) pdb_get_user_sid(sam_user)); } else { sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid)); } @@ -920,7 +896,11 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type) if (map.gid==-1) return False; - sid_peek_rid(&map.sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &rid)){ + DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n", + sid_string_static(&map.sid))); + return False; + } *pgid = map.gid; *name_type = map.sid_name_use; DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", sid_to_string( str, psid), @@ -996,9 +976,9 @@ void copy_id23_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_23 *from) pdb_set_munged_dial(to , pdb_unistr2_convert(&from->uni_munged_dial )); if (from->user_rid) - pdb_set_user_rid(to, from->user_rid); + pdb_set_user_sid_from_rid(to, from->user_rid); if (from->group_rid) - pdb_set_group_rid(to, from->group_rid); + pdb_set_group_sid_from_rid(to, from->group_rid); pdb_set_acct_ctrl(to, from->acb_info); pdb_set_unknown_3(to, from->unknown_3); @@ -1051,9 +1031,9 @@ void copy_id21_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_21 *from) pdb_set_munged_dial(to , pdb_unistr2_convert(&from->uni_munged_dial )); if (from->user_rid) - pdb_set_user_rid(to, from->user_rid); + pdb_set_user_sid_from_rid(to, from->user_rid); if (from->group_rid) - pdb_set_group_rid(to, from->group_rid); + pdb_set_group_sid_from_rid(to, from->group_rid); /* FIXME!! Do we need to copy the passwords here as well? I don't know. Need to figure this out --jerry */ diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c index 5ed54a9857..0b5a1053ae 100644 --- a/source3/passdb/pdb_get_set.c +++ b/source3/passdb/pdb_get_set.c @@ -5,6 +5,7 @@ Copyright (C) Luke Kenneth Casson Leighton 1996-1998 Copyright (C) Gerald (Jerry) Carter 2000-2001 Copyright (C) Andrew Bartlett 2001-2002 + Copyright (C) Stefan (metze) Metzmacher 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -155,21 +156,41 @@ const char* pdb_get_plaintext_passwd (const SAM_ACCOUNT *sampass) else return (NULL); } +const DOM_SID *pdb_get_user_sid(const SAM_ACCOUNT *sampass) +{ + if (sampass) + return &sampass->private.user_sid; + else + return (NULL); +} + +const DOM_SID *pdb_get_group_sid(const SAM_ACCOUNT *sampass) +{ + if (sampass) + return &sampass->private.group_sid; + else + return (NULL); +} uint32 pdb_get_user_rid (const SAM_ACCOUNT *sampass) { + uint32 u_rid; + if (sampass) - return (sampass->private.user_rid); - else - return (-1); + if (sid_peek_check_rid(get_global_sam_sid(), (DOM_SID *) pdb_get_user_sid(sampass),&u_rid)) + return u_rid; + + return (-1); } uint32 pdb_get_group_rid (const SAM_ACCOUNT *sampass) { + uint32 g_rid; + if (sampass) - return (sampass->private.group_rid); - else - return (-1); + if (sid_peek_check_rid(get_global_sam_sid(), (DOM_SID *) pdb_get_group_sid(sampass),&g_rid)) + return g_rid; + return (-1); } /** @@ -487,27 +508,71 @@ BOOL pdb_set_gid (SAM_ACCOUNT *sampass, const gid_t gid) } -BOOL pdb_set_user_rid (SAM_ACCOUNT *sampass, uint32 rid) +BOOL pdb_set_user_sid (SAM_ACCOUNT *sampass, DOM_SID *u_sid) +{ + if (!sampass || !u_sid) + return False; + + sid_copy(&sampass->private.user_sid, u_sid); + + DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n", + sid_string_static(&sampass->private.user_sid))); + + return True; +} + +BOOL pdb_set_group_sid(SAM_ACCOUNT *sampass, DOM_SID *g_sid) { + if (!sampass || !g_sid) + return False; + + sid_copy(&sampass->private.group_sid, g_sid); + + DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n", + sid_string_static(&sampass->private.group_sid))); + + return True; +} + +BOOL pdb_set_user_sid_from_rid (SAM_ACCOUNT *sampass, uint32 rid) +{ + DOM_SID u_sid; + if (!sampass) return False; - DEBUG(10, ("pdb_set_rid: setting user rid %d, was %d\n", - rid, sampass->private.user_rid)); - - sampass->private.user_rid = rid; + sid_copy(&u_sid, get_global_sam_sid()); + + if (!sid_append_rid(&u_sid, rid)) + return False; + + if (!pdb_set_user_sid(sampass, &u_sid)) + return False; + + DEBUG(10, ("pdb_set_user_sid_from_rid:\n\tsetting user sid %s from rid %d\n", + sid_string_static(&u_sid),rid)); + return True; } -BOOL pdb_set_group_rid (SAM_ACCOUNT *sampass, uint32 grid) +BOOL pdb_set_group_sid_from_rid (SAM_ACCOUNT *sampass, uint32 grid) { + DOM_SID g_sid; + if (!sampass) return False; + + sid_copy(&g_sid, get_global_sam_sid()); + + if (!sid_append_rid(&g_sid, grid)) + return False; + + if (!pdb_set_group_sid(sampass, &g_sid)) + return False; + + DEBUG(10, ("pdb_set_group_sid_from_rid:\n\tsetting group sid %s from rid %d\n", + sid_string_static(&g_sid), grid)); - DEBUG(10, ("pdb_set_group_rid: setting group rid %d, was %d\n", - grid, sampass->private.group_rid)); - - sampass->private.group_rid = grid; return True; } diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index 28c08e0f63..7ba8d4a810 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -624,7 +624,8 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, GROUP_MAP map; /* call the mapping code here */ if(get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) { - sid_peek_rid(&map.sid, &group_rid); + if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &group_rid)) + return False; } else { group_rid=pdb_gid_to_group_rid(gid); @@ -780,8 +781,8 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, pdb_set_hours_len(sampass, hours_len); pdb_set_logon_divs(sampass, logon_divs); - pdb_set_user_rid(sampass, user_rid); - pdb_set_group_rid(sampass, group_rid); + pdb_set_user_sid_from_rid(sampass, user_rid); + pdb_set_group_sid_from_rid(sampass, group_rid); pdb_set_username(sampass, username); @@ -1273,7 +1274,8 @@ static BOOL ldapsam_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT * us static BOOL ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid) { uint32 rid; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) + return False; return ldapsam_getsampwrid(my_methods, user, rid); } diff --git a/source3/passdb/pdb_nisplus.c b/source3/passdb/pdb_nisplus.c index 0c4c2c5bb3..80f918d1a6 100644 --- a/source3/passdb/pdb_nisplus.c +++ b/source3/passdb/pdb_nisplus.c @@ -339,8 +339,8 @@ static BOOL make_sam_from_nisp_object(SAM_ACCOUNT *pw_buf, const nis_object *obj pdb_set_uid(pw_buf, atoi(ENTRY_VAL(obj, NPF_UID))); pdb_set_gid(pw_buf, atoi(ENTRY_VAL(obj, NPF_SMB_GRPID))); - pdb_set_user_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_USER_RID))); - pdb_set_group_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_GROUP_RID))); + pdb_set_user_sid_from_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_USER_RID))); + pdb_set_group_sid_from_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_GROUP_RID))); /* values, must exist for user */ if( !(pdb_get_acct_ctrl(pw_buf) & ACB_WSTRUST) ) { @@ -381,7 +381,7 @@ static BOOL make_sam_from_nisp_object(SAM_ACCOUNT *pw_buf, const nis_object *obj else { /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. */ - pdb_set_group_rid (pw_buf, DOMAIN_GROUP_RID_USERS); + pdb_set_group_sid_from_rid (pw_buf, DOMAIN_GROUP_RID_USERS); } /* Check the lanman password column. */ @@ -538,7 +538,8 @@ static BOOL init_nisp_from_sam(nis_object *obj, const SAM_ACCOUNT *sampass, if (rid==0) { if (get_group_map_from_gid(pdb_get_gid(sampass), &map, MAPPING_WITHOUT_PRIV)) { - sid_peek_rid(&map.sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &rid)) + return False; } else rid=pdb_gid_to_group_rid(pdb_get_gid(sampass)); } @@ -1034,7 +1035,8 @@ BOOL pdb_getsampwnam(SAM_ACCOUNT * user, const char *sname) BOOL pdb_getsampwsid(SAM_ACCOUNT * user, DOM_SID *sid) { uint32 rid; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) + return False; return pdb_getsampwrid(user, rid); } diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c index a6bd66eace..25957100d8 100644 --- a/source3/passdb/pdb_smbpasswd.c +++ b/source3/passdb/pdb_smbpasswd.c @@ -1242,14 +1242,14 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state, && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid) && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) { - pdb_set_user_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid)); + pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid)); /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. This was down the bottom for machines, but it looks pretty good as a general default for non-unix users. --abartlet 2002-01-08 */ - pdb_set_group_rid (sam_pass, DOMAIN_GROUP_RID_USERS); + pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS); pdb_set_username (sam_pass, pw_buf->smb_name); pdb_set_domain (sam_pass, lp_workgroup()); } else { @@ -1458,7 +1458,8 @@ static BOOL smbpasswd_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT *s static BOOL smbpasswd_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid) { uint32 rid; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) + return False; return smbpasswd_getsampwrid(my_methods, user, rid); } diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c index 2341210e39..b309f675b3 100644 --- a/source3/passdb/pdb_tdb.c +++ b/source3/passdb/pdb_tdb.c @@ -246,8 +246,8 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state, } } - pdb_set_user_rid(sampass, user_rid); - pdb_set_group_rid(sampass, group_rid); + pdb_set_user_sid_from_rid(sampass, user_rid); + pdb_set_group_sid_from_rid(sampass, group_rid); pdb_set_unknown_3(sampass, unknown_3); pdb_set_hours_len(sampass, hours_len); pdb_set_unknown_5(sampass, unknown_5); @@ -671,7 +671,8 @@ static BOOL tdbsam_getsampwrid (struct pdb_methods *my_methods, SAM_ACCOUNT *use static BOOL tdbsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid) { uint32 rid; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) + return False; return tdbsam_getsampwrid(my_methods, user, rid); } @@ -775,7 +776,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd, goto done; } } - pdb_set_user_rid(newpwd, user_rid); + pdb_set_user_sid_from_rid(newpwd, user_rid); } else { user_rid = tdb_state->low_nua_rid; tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, RID_MULTIPLIER); @@ -788,7 +789,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd, ret = False; goto done; } - pdb_set_user_rid(newpwd, user_rid); + pdb_set_user_sid_from_rid(newpwd, user_rid); } } else { DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd))); @@ -805,7 +806,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd, goto done; } else { /* This seems like a good default choice for non-unix users */ - pdb_set_group_rid(newpwd, DOMAIN_GROUP_RID_USERS); + pdb_set_group_sid_from_rid(newpwd, DOMAIN_GROUP_RID_USERS); } } else { DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd))); diff --git a/source3/passdb/pdb_unix.c b/source3/passdb/pdb_unix.c index 85ff5bd933..b4092b88f8 100644 --- a/source3/passdb/pdb_unix.c +++ b/source3/passdb/pdb_unix.c @@ -68,7 +68,8 @@ static BOOL unixsam_getsampwrid (struct pdb_methods *methods, static BOOL unixsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid) { uint32 rid; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) + return False; return unixsam_getsampwrid(my_methods, user, rid); } diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index daa39b215f..a6f936feca 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2019,18 +2019,9 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ return NT_STATUS_ACCESS_DENIED; } - /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { - pdb_free_sam(&sam_pass); - return NT_STATUS_INVALID_HANDLE; - } - - /* append the user's RID to it */ - if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) { - pdb_free_sam(&sam_pass); - return NT_STATUS_NO_SUCH_USER; - } - + /* Get the user's SID */ + sid_copy(&sid, (DOM_SID *) pdb_get_user_sid(sam_pass)); + /* associate the user's SID with the new handle. */ if ((info = get_samr_info_by_sid(&sid)) == NULL) { pdb_free_sam(&sam_pass); diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c index 51254667c9..ed7f648f2d 100644 --- a/source3/utils/pdbedit.c +++ b/source3/utils/pdbedit.c @@ -81,10 +81,12 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst if (IS_SAM_UNIX_USER(sam_pwent)) { uid = pdb_get_uid(sam_pwent); gid = pdb_get_gid(sam_pwent); - printf ("user ID/Group: %d/%d\n", uid, gid); + printf ("User ID/Group ID: %d/%d\n", uid, gid); } - printf ("user RID/GRID: %u/%u\n", (unsigned int)pdb_get_user_rid(sam_pwent), - (unsigned int)pdb_get_group_rid(sam_pwent)); + printf ("User SID: %s\n", + sid_string_static((DOM_SID *)pdb_get_user_sid(sam_pwent))); + printf ("Primary Group SID: %s\n", + sid_string_static((DOM_SID *)pdb_get_group_sid(sam_pwent))); printf ("Full Name: %s\n", pdb_get_fullname(sam_pwent)); printf ("Home Directory: %s\n", pdb_get_homedir(sam_pwent)); printf ("HomeDir Drive: %s\n", pdb_get_dirdrive(sam_pwent)); @@ -329,7 +331,7 @@ static int new_machine (struct pdb_context *in, char *machinename) pdb_set_acct_ctrl (sam_pwent, ACB_WSTRUST); - pdb_set_group_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS); + pdb_set_group_sid_from_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS); if (in->pdb_add_sam_account (in, sam_pwent)) { print_user_info (in, name, True, False); -- cgit