From f004d84f683673b7cb167320e3e78a3fcefdfd07 Mon Sep 17 00:00:00 2001 
From: Luke Leighton Date: Mon, 11 May 1998 15:56:01 +0000 Subject: ldap back-end database development Makefile: created PASSBD_OBJ group includes.h: added #ifdef USE_LDAP to #include headers ldap.c: - renamed "_machine" to "_trust" everywhere. - added sam_passwd support routines - removed get_ldappwd_entry function: replaced with get_sampwd_entry - removed getldappwnam/uid: replaced with getsampwnam/uid - other messing about bits which are probably going to annoy the hell out of jean-francois (sorry!) mkproto.awk: - added stuff to wrap ldap.c protos with #ifdef USE_LDAP - added uid_t and gid_t return results to the prototype generation passdb.c: - created getsam21pwent, add_sam21pwd_entry, mod_sam21pwd_entry. - modified getsampwnam/uid and created getsam21pwnam/rid functions to replace the local get_smbpwd_entry() and get_ldappwd_entry() functions, which jeremy didn't like anyway because they were dual-purpose. - added utility routines which are or may be useful to all the password database routines. password.c: - renamed "machine_" to "trust_" everywhere. smbpass.c: - removed get_smbpwd_entry function: replaced it with get_sampwd_entry functions in passdb.c - moved code that decoded acct_ctrl into passdb.c - moved encode_acct_ctrl into passdb.c - removed getsmbpwnam/uid: replaced with getsampwnam/uid - renamed "machine_" to "trust_" everywhere. smbpasswd.c: - renamed "machine_" to "trust_" everywhere. 
util.c: - moved gethexpwd function into passdb.c lib/rpc/server/srv_util.c: - moved user_rid_to_uid, group_rid_to_rid etc etc into passdb.c (This used to be commit 673ab50c4c2c25db355d90efde3a6bfbb4d8369e) --- source3/include/includes.h | 5 + source3/include/proto.h | 65 +++++-- source3/lib/util.c | 26 --- source3/passdb/ldap.c | 334 ++++++++++++++++---------------- source3/passdb/passdb.c | 430 +++++++++++++++++++++++++++++++++++++++--- source3/passdb/smbpass.c | 233 ++++------------------- source3/rpc_server/srv_util.c | 164 ++++------------ source3/script/mkproto.awk | 12 +- source3/smbd/password.c | 12 +- source3/utils/smbpasswd.c | 48 ++--- 10 files changed, 725 insertions(+), 604 deletions(-) diff --git a/source3/include/includes.h b/source3/include/includes.h index 44ed317ae9..d741e07c28 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -1180,6 +1180,11 @@ union semun { #include #endif +#ifdef USE_LDAP +#include +#include +#endif + #ifdef NO_UTIMBUF struct utimbuf { time_t actime; diff --git a/source3/include/proto.h b/source3/include/proto.h index 833794a4fb..1d4f917b70 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h 
@@ -223,6 +223,25 @@ int reply_trans(char *inbuf,char *outbuf, int size, int bufsize);
 void interpret_coding_system(char *str);
 void initialize_multibyte_vectors( int client_codepage);
 
+/*The following definitions come from ldap.c */
+
+#ifdef USE_LDAP
+BOOL ldap_open_connection(LDAP **ldap_struct);
+BOOL ldap_connect_system(LDAP *ldap_struct);
+BOOL ldap_search_one_user_by_name(LDAP *ldap_struct, char *user, LDAPMessage **result);
+BOOL ldap_search_one_user_by_uid(LDAP *ldap_struct, int uid, LDAPMessage **result);
+void get_single_attribute(LDAP *ldap_struct, LDAPMessage *entry, char *attribute, char *value);
+BOOL ldap_check_user(LDAP *ldap_struct, LDAPMessage *entry);
+BOOL ldap_check_trust(LDAP *ldap_struct, LDAPMessage *entry);
+BOOL add_ldappwd_entry(struct smb_passwd *newpwd);
+BOOL mod_ldappwd_entry(struct smb_passwd* pwd, BOOL override);
+void *startldappwent(BOOL update);
+struct smb_passwd *getldappwent(void *vp);
+void endldappwent(void *vp);
+unsigned long getldappwpos(void *vp);
+BOOL setldappwpos(void *vp, unsigned long tok);
+#endif /* USE_LDAP */
+
 /*The following definitions come from lib/rpc/client/cli_login.c */
 
 BOOL cli_nt_setup_creds(struct cli_state *cli, unsigned char mach_pwd[16]);
@@ -899,20 +918,17 @@ BOOL api_srvsvc_rpc(pipes_struct *p, prs_struct *data); /*The following definitions come from lib/rpc/server/srv_util.c */ int make_dom_gids(char *gids_str, DOM_GID *gids); -void get_domain_user_groups(char *domain_groups, char *user); BOOL create_rpc_reply(pipes_struct *p, uint32 data_start, uint32 data_end); BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds, prs_struct *data); +void get_domain_user_groups(char *domain_groups, char *user); uint32 lookup_group_name(uint32 rid, char *group_name, uint32 *type); uint32 lookup_alias_name(uint32 rid, char *alias_name, uint32 *type); uint32 lookup_user_name(uint32 rid, char *user_name, uint32 *type); uint32 lookup_group_rid(char *group_name, uint32 *rid); uint32 lookup_alias_rid(char *alias_name, uint32 *rid); uint32 lookup_user_rid(char *user_name, uint32 *rid); -BOOL name_to_rid(char *user_name, uint32 *u_rid, uint32 *g_rid); -uint32 uid_to_user_rid(uint32 uid); -uint32 gid_to_group_rid(uint32 gid); /*The following definitions come from lib/rpc/server/srv_wkssvc.c */ 
@@ -1560,15 +1576,28 @@ BOOL pm_process( char *FileName, /*The following definitions come from passdb.c */ -struct smb_passwd *getsampwnam(char *name); -struct smb_passwd *getsampwuid(unsigned int uid); void *startsampwent(BOOL update); void endsampwent(void *vp); struct smb_passwd *getsampwent(void *vp); +struct sam_passwd *getsam21pwent(void *vp); unsigned long getsampwpos(void *vp); BOOL setsampwpos(void *vp, unsigned long tok); BOOL add_sampwd_entry(struct smb_passwd *newpwd); +BOOL add_sam21pwd_entry(struct sam_passwd *newpwd); BOOL mod_sampwd_entry(struct smb_passwd* pwd, BOOL override); +BOOL mod_sam21pwd_entry(struct sam_passwd* pwd, BOOL override); +struct smb_passwd *getsampwnam(char *name); +struct sam_passwd *getsam21pwnam(char *name); +struct smb_passwd *getsampwuid(uid_t smb_userid); +struct sam_passwd *getsam21pwrid(uint32 rid); +char *encode_acct_ctrl(uint16 acct_ctrl); +uint16 decode_acct_ctrl(char *p); +int gethexpwd(char *p, char *pwd); +BOOL name_to_rid(char *user_name, uint32 *u_rid, uint32 *g_rid); +uid_t user_rid_to_uid(uint32 u_rid); +uid_t group_rid_to_uid(uint32 u_gid); +uint32 uid_to_user_rid(uint32 uid); +uint32 gid_to_group_rid(uint32 gid); /*The following definitions come from password.c */ @@ -1766,6 +1795,11 @@ struct shmem_ops *smb_shm_open(int ronly); struct shmem_ops *sysv_shm_open(int ronly); +/*The following definitions come from slprintf.c */ + +int vslprintf(char *str, int n, char *format, va_list ap); +int slprintf(char *str, int n, char *format, ...); + /*The following definitions come from smbdes.c */ void E_P16(unsigned char *p14,unsigned char *p16); 
@@ -1795,21 +1829,13 @@ void endsmbpwent(void *vp);
 struct smb_passwd *getsmbpwent(void *vp);
 unsigned long getsmbpwpos(void *vp);
 BOOL setsmbpwpos(void *vp, unsigned long tok);
-struct smb_passwd *getsmbpwnam(char *name);
-struct smb_passwd *getsmbpwuid(unsigned int uid);
-char *encode_acct_ctrl(uint16 acct_ctrl);
 BOOL add_smbpwd_entry(struct smb_passwd *newpwd);
 BOOL mod_smbpwd_entry(struct smb_passwd* pwd, BOOL override);
-BOOL machine_password_lock( char *domain, char *name, BOOL update);
-BOOL machine_password_unlock(void);
-BOOL machine_password_delete( char *domain, char *name );
-BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set_time);
-BOOL set_machine_account_password( unsigned char *md4_new_pwd);
-
-/*The following definitions come from snprintf.c */
-
-int vslprintf(char *str, int n, char *format, va_list ap);
-int slprintf(char *str, int n, char *format, ...);
+BOOL trust_password_lock( char *domain, char *name, BOOL update);
+BOOL trust_password_unlock(void);
+BOOL trust_password_delete( char *domain, char *name );
+BOOL get_trust_account_password( unsigned char *ret_pwd, time_t *pass_last_set_time);
+BOOL set_trust_account_password( unsigned char *md4_new_pwd);
 
 /*The following definitions come from status.c */
 
@@ -2033,7 +2059,6 @@ void print_asc(int level, unsigned char *buf,int len);
 void dump_data(int level,char *buf1,int len);
 char *tab_depth(int depth);
 char *dom_sid_to_string(DOM_SID *sid);
-int gethexpwd(char *p, char *pwd);
 
 /*The following definitions come from web/cgi.c */
 
diff --git a/source3/lib/util.c b/source3/lib/util.c
index ee87d48388..d2600512e2 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -4966,29 +4966,3 @@ char *dom_sid_to_string(DOM_SID *sid) return sidstr; } -/************************************************************* - Routine to get the next 32 hex characters and turn them - into a 16 byte array. -**************************************************************/ -int gethexpwd(char *p, char *pwd) -{ - int i; - unsigned char lonybble, hinybble; - char *hexchars = "0123456789ABCDEF"; - char *p1, *p2; - - for (i = 0; i < 32; i += 2) { - hinybble = toupper(p[i]); - lonybble = toupper(p[i + 1]); - - p1 = strchr(hexchars, hinybble); - p2 = strchr(hexchars, lonybble); - if (!p1 || !p2) - return (False); - hinybble = PTR_DIFF(p1, hexchars); - lonybble = PTR_DIFF(p2, hexchars); - - pwd[i / 2] = (hinybble << 4) | lonybble; - } - return (True); -} diff --git a/source3/passdb/ldap.c b/source3/passdb/ldap.c index e14742a3aa..8547cf45cf 100644 --- a/source3/passdb/ldap.c +++ b/source3/passdb/ldap.c @@ -23,8 +23,6 @@ #ifdef USE_LDAP #include "includes.h" -#include "lber.h" -#include "ldap.h" extern int DEBUGLEVEL; @@ -190,13 +188,13 @@ BOOL ldap_check_user(LDAP *ldap_struct, LDAPMessage *entry) /******************************************************************* check if the returned entry is a sambaMachine objectclass. ******************************************************************/ -BOOL ldap_check_machine(LDAP *ldap_struct, LDAPMessage *entry) +BOOL ldap_check_trust(LDAP *ldap_struct, LDAPMessage *entry) { BOOL sambaMachine=False; char **valeur; int i; - DEBUG(2,("ldap_check_machine: ")); + DEBUG(2,("ldap_check_trust: ")); valeur=ldap_get_values(ldap_struct, entry, "objectclass"); if (valeur!=NULL) { 
@@ -213,188 +211,195 @@ BOOL ldap_check_machine(LDAP *ldap_struct, LDAPMessage *entry) /******************************************************************* retrieve the user's info and contruct a smb_passwd structure. ******************************************************************/ -static void ldap_get_user(LDAP *ldap_struct,LDAPMessage *entry, - struct smb_passwd *ldap_passwd) +static void ldap_get_sam_passwd(LDAP *ldap_struct, LDAPMessage *entry, + struct sam_passwd *user) { static pstring user_name; - static unsigned char ldappwd[16]; - static unsigned char smbntpwd[16]; - char **valeur; + static pstring fullname; + static pstring home_dir; + static pstring dir_drive; + static pstring logon_script; + static pstring profile_path; + static pstring acct_desc; + static pstring workstations; + static pstring temp; + + bzero(user, sizeof(*user)); + + user->logon_time = (time_t)-1; + user->logoff_time = (time_t)-1; + user->kickoff_time = (time_t)-1; + user->pass_last_set_time = (time_t)-1; + user->pass_can_change_time = (time_t)-1; + user->pass_must_change_time = (time_t)-1; + + get_single_attribute(ldap_struct, entry, "logonTime", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); + + get_single_attribute(ldap_struct, entry, "logoffTime", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); + + get_single_attribute(ldap_struct, entry, "kickoffTime", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); + + get_single_attribute(ldap_struct, entry, "pwdLastSet", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); + + get_single_attribute(ldap_struct, entry, "pwdCanChange", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); + + get_single_attribute(ldap_struct, entry, "pwdMustChange", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); get_single_attribute(ldap_struct, entry, "cn", user_name); + user->smb_name = user_name; + + DEBUG(2,("ldap_get_sam_passwd: user: %s\n", 
user_name)); - DEBUG(2,("ldap_get_user: user: %s\n",user_name)); - - if ( (valeur=ldap_get_values(ldap_struct, entry, "uidAccount")) != NULL) - { - ldap_passwd->smb_userid=atoi(valeur[0]); - ldap_value_free(valeur); - } + get_single_attribute(ldap_struct, entry, "userFullName", fullname); + user->full_name = fullname; + + get_single_attribute(ldap_struct, entry, "homeDirectory", home_dir); + user->home_dir = home_dir; + + get_single_attribute(ldap_struct, entry, "homeDrive", dir_drive); + user->dir_drive = dir_drive; + + get_single_attribute(ldap_struct, entry, "scriptPath", logon_script); + user->logon_script = logon_script; + + get_single_attribute(ldap_struct, entry, "profilePath", profile_path); + user->profile_path = profile_path; + + get_single_attribute(ldap_struct, entry, "comment", acct_desc); + user->acct_desc = acct_desc; + + get_single_attribute(ldap_struct, entry, "userWorkstations", workstations); + user->workstations = workstations; + + + user->unknown_str = NULL; /* don't know, yet! 
*/ + user->munged_dial = NULL; /* "munged" dial-back telephone number */ + + get_single_attribute(ldap_struct, entry, "userPassword", temp); + nt_lm_owf_gen(temp, user->smb_nt_passwd, user->smb_passwd); + bzero(temp, sizeof(temp)); /* destroy local copy of the password */ - if ( (valeur=ldap_get_values(ldap_struct, entry, "userPassword")) != NULL) + get_single_attribute(ldap_struct, entry, "rid", temp); + user->user_rid=atoi(temp); + + get_single_attribute(ldap_struct, entry, "primaryGroupID", temp); + user->group_rid=atoi(temp); + + /* the smb (unix) ids are not stored: they are created */ + user->smb_userid = user_rid_to_uid (user->user_rid); + user->smb_grpid = group_rid_to_uid(user->group_rid); + + get_single_attribute(ldap_struct, entry, "userAccountControl", temp); + user->acct_ctrl=atoi(temp); + + user->unknown_3 = 0xffffff; /* don't know */ + user->logon_divs = 168; /* hours per week */ + user->hours_len = 21; /* 21 times 8 bits = 168 */ + memset(user->hours, 0xff, user->hours_len); /* available at all hours */ + user->unknown_5 = 0x00020000; /* don't know */ + user->unknown_5 = 0x000004ec; /* don't know */ + + if (user->acct_ctrl & (ACB_DOMTRUST|ACB_WSTRUST|ACB_SVRTRUST) ) { - memset(smbntpwd, '\0', 16); - E_md4hash((uchar *) valeur[0], smbntpwd); - valeur[0][14] = '\0'; - strupper(valeur[0]); - memset(ldappwd, '\0', 16); - E_P16((uchar *) valeur[0], ldappwd); - ldap_value_free(valeur); + DEBUG(0,("Inconsistency in the LDAP database\n")); } - - if ( (valeur=ldap_get_values(ldap_struct,entry, "userAccountControl") ) != NULL) + + if (!(user->acct_ctrl & ACB_NORMAL)) { - ldap_passwd->acct_ctrl=atoi(valeur[0]); - if (ldap_passwd->acct_ctrl & (ACB_DOMTRUST|ACB_WSTRUST|ACB_SVRTRUST) ) - { - DEBUG(0,("Inconsistency in the LDAP database\n")); - - } - if (ldap_passwd->acct_ctrl & ACB_NORMAL) - { - ldap_passwd->smb_name=user_name; - ldap_passwd->smb_passwd=ldappwd; - ldap_passwd->smb_nt_passwd=smbntpwd; - } - ldap_value_free(valeur); - } - - if ( 
(valeur=ldap_get_values(ldap_struct,entry, "pwdLastSet")) != NULL) - { - ldap_passwd->pass_last_set_time=(time_t)strtol(valeur[0], NULL, 16); - ldap_value_free(valeur); + DEBUG(0,("User's acct_ctrl bits not set to ACT_NORMAL in LDAP database\n")); + return; } + } /******************************************************************* - retrieve the machine's info and contruct a smb_passwd structure. + retrieve the user's info and contruct a smb_passwd structure. ******************************************************************/ -static void ldap_get_machine(LDAP *ldap_struct,LDAPMessage *entry, - struct smb_passwd *ldap_passwd) +static void ldap_get_smb_passwd(LDAP *ldap_struct,LDAPMessage *entry, + struct smb_passwd *user) { - static pstring user_name; + static pstring user_name; + static pstring user_pass; + static pstring temp; + static unsigned char smblmpwd[16]; static unsigned char smbntpwd[16]; - char **valeur; - - /* by default it's a station */ - ldap_passwd->acct_ctrl = ACB_WSTRUST; + + user->smb_name = NULL; + user->smb_passwd = NULL; + user->smb_nt_passwd = NULL; + user->smb_userid = 0; + user->pass_last_set_time = (time_t)-1; get_single_attribute(ldap_struct, entry, "cn", user_name); - DEBUG(2,("ldap_get_machine: machine: %s\n", user_name)); + DEBUG(2,("ldap_get_smb_passwd: user: %s\n",user_name)); - if ( (valeur=ldap_get_values(ldap_struct, entry, "uidAccount")) != NULL) - { - ldap_passwd->smb_userid=atoi(valeur[0]); - ldap_value_free(valeur); - } - - if ( (valeur=ldap_get_values(ldap_struct, entry, "machinePassword")) != NULL) - { - gethexpwd(valeur[0],smbntpwd); - ldap_value_free(valeur); - } + get_single_attribute(ldap_struct, entry, "userPassword", user_pass); + nt_lm_owf_gen(user_pass, smbntpwd, smblmpwd); + bzero(user_pass, sizeof(user_pass)); /* destroy local copy of the password */ - if ( (valeur=ldap_get_values(ldap_struct,entry, "machineRole") ) != NULL) - { - if ( !strcmp(valeur[0],"workstation") ) - ldap_passwd->acct_ctrl=ACB_WSTRUST; - else 
- if ( !strcmp(valeur[0],"server") ) - ldap_passwd->acct_ctrl=ACB_SVRTRUST; - ldap_value_free(valeur); - } + get_single_attribute(ldap_struct, entry, "userAccountControl", temp); + user->acct_ctrl=decode_acct_ctrl(temp); - ldap_passwd->smb_name=user_name; - ldap_passwd->smb_passwd=smbntpwd; - ldap_passwd->smb_nt_passwd=smbntpwd; -} + get_single_attribute(ldap_struct, entry, "pwdLastSet", temp); + user->pass_last_set_time = (time_t)strtol(temp, NULL, 16); -/******************************************************************* - find a user or a machine return a smbpass struct. -******************************************************************/ -static struct smb_passwd *get_ldappwd_entry(char *name, int smb_userid) -{ - LDAP *ldap_struct; - LDAPMessage *result; - LDAPMessage *entry; - BOOL machine=False; - - static struct smb_passwd ldap_passwd; - - bzero(&ldap_passwd, sizeof(ldap_passwd)); - - ldap_passwd.smb_name = NULL; - ldap_passwd.smb_passwd = NULL; - ldap_passwd.smb_nt_passwd = NULL; - - ldap_passwd.smb_userid = -1; - ldap_passwd.acct_ctrl = ACB_DISABLED; - ldap_passwd.pass_last_set_time = (time_t)-1; + get_single_attribute(ldap_struct, entry, "rid", temp); - ldap_struct=NULL; + /* the smb (unix) ids are not stored: they are created */ + user->smb_userid = user_rid_to_uid (atoi(temp)); - if (name != NULL) + if (user->acct_ctrl & (ACB_DOMTRUST|ACB_WSTRUST|ACB_SVRTRUST) ) { - DEBUG(10, ("get_ldappwd_entry: search by name: %s\n", name)); + DEBUG(0,("Inconsistency in the LDAP database\n")); + } - else + if (user->acct_ctrl & ACB_NORMAL) { - DEBUG(10, ("get_ldappwd_entry: search by smb_userid: %x\n", smb_userid)); + user->smb_name = user_name; + user->smb_passwd = smblmpwd; + user->smb_nt_passwd = smbntpwd; } +} - if (!ldap_open_connection(&ldap_struct)) - return (NULL); - if (!ldap_connect_system(ldap_struct)) - return (NULL); - - if (name != NULL) - { - if (!ldap_search_one_user_by_name(ldap_struct, name, &result)) - return (NULL); - } - else - { - if 
(!ldap_search_one_user_by_uid(ldap_struct, smb_userid, &result)) - return (NULL); - } +/******************************************************************* + retrieve the trust's info and contruct a smb_passwd structure. +******************************************************************/ +static void ldap_get_trust(LDAP *ldap_struct,LDAPMessage *entry, + struct smb_passwd *trust) +{ + static pstring user_name; + static unsigned char smbntpwd[16]; + static pstring temp; - if (ldap_count_entries(ldap_struct, result) == 0) - { - DEBUG(2,("%s: Non existant user!\n", timestring() )); - return (NULL); - } + get_single_attribute(ldap_struct, entry, "cn", user_name); + DEBUG(2,("ldap_get_trust: trust: %s\n", user_name)); - if (ldap_count_entries(ldap_struct, result) > 1) - { - DEBUG(2,("%s: Strange %d users in the base!\n", - timestring(), ldap_count_entries(ldap_struct, result) )); - } - /* take the first and unique entry */ - entry=ldap_first_entry(ldap_struct, result); + get_single_attribute(ldap_struct, entry, "trustPassword", temp); + gethexpwd(temp,smbntpwd); + + get_single_attribute(ldap_struct, entry, "rid", temp); - if (name != NULL) - { - DEBUG(0,("get_ldappwd_entry: Found user: %s\n",name)); + /* the smb (unix) ids are not stored: they are created */ + trust->smb_userid = user_rid_to_uid(atoi(temp)); - machine = name[strlen(name)-1] == '$'; - } - - if (!machine) - { - if (ldap_check_user(ldap_struct, entry)) - ldap_get_user(ldap_struct, entry, &ldap_passwd); - } - else + get_single_attribute(ldap_struct, entry, "trustAccountControl", temp); + trust->acct_ctrl=decode_acct_ctrl(temp); + + if (trust->acct_ctrl == 0) { - if (ldap_check_machine(ldap_struct, entry)) - ldap_get_machine(ldap_struct, entry, &ldap_passwd); + /* by default it's a workstation (or stand-alone server) */ + trust->acct_ctrl = ACB_WSTRUST; } - - ldap_msgfree(result); - result=NULL; - ldap_unbind(ldap_struct); - - return(&ldap_passwd); + + trust->smb_name = user_name; + trust->smb_passwd = 
NULL; + trust->smb_nt_passwd = smbntpwd; } /************************************************************************ @@ -424,30 +429,6 @@ BOOL mod_ldappwd_entry(struct smb_passwd* pwd, BOOL override) return False; } -/************************************************************************ - Routine to search ldap passwd by name. - - do not call this function directly. use passdb.c instead. - -*************************************************************************/ - -struct smb_passwd *getldappwnam(char *name) -{ - return get_ldappwd_entry(name, 0); -} - -/************************************************************************ - Routine to search ldap passwd by uid. - - do not call this function directly. use passdb.c instead. - -*************************************************************************/ - -struct smb_passwd *getldappwuid(unsigned int uid) -{ - return get_ldappwd_entry(NULL, uid); -} - /*************************************************************** Start to enumerate the ldap passwd list. Returns a void pointer to ensure no modification outside this module. @@ -526,6 +507,9 @@ struct smb_passwd *getldappwent(void *vp) /*************************************************************** End enumeration of the ldap passwd list. + + do not call this function directly. use passdb.c instead. + ****************************************************************/ void endldappwent(void *vp) { diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 9e5b3ef145..263bbe57cd 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c 
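Review bot: In ldap_get_sam_passwd() all six time attributes (logonTime, logoffTime, kickoffTime, pwdLastSet, pwdCanChange, pwdMustChange) are stored into `user->pass_last_set_time`, so logon_time, logoff_time, kickoff_time, pass_can_change_time and pass_must_change_time keep their (time_t)-1 defaults and pass_last_set_time ends up holding the pwdMustChange value; each assignment should target its own field, as below. A few lines further down `user->unknown_5` is assigned twice in a row (0x00020000, then 0x000004ec), so the first store is dead and one of the two presumably belongs to a different field. Reading `userPassword` and deriving both hashes with `nt_lm_owf_gen()` also means the directory entry holds the clear-text password and that whatever identity ldap_connect_system() binds as must be able to read it; the header comment should state that requirement explicitly, since it is stronger than what the smbpasswd file imposes. The whole of ldap_get_sam_passwd() lies inside this hunk.
```c
	/* … unchanged: bzero() and the (time_t)-1 defaults … */

	get_single_attribute(ldap_struct, entry, "logonTime", temp);
	user->logon_time = (time_t)strtol(temp, NULL, 16);

	get_single_attribute(ldap_struct, entry, "logoffTime", temp);
	user->logoff_time = (time_t)strtol(temp, NULL, 16);

	get_single_attribute(ldap_struct, entry, "kickoffTime", temp);
	user->kickoff_time = (time_t)strtol(temp, NULL, 16);

	get_single_attribute(ldap_struct, entry, "pwdLastSet", temp);
	user->pass_last_set_time = (time_t)strtol(temp, NULL, 16);

	get_single_attribute(ldap_struct, entry, "pwdCanChange", temp);
	user->pass_can_change_time = (time_t)strtol(temp, NULL, 16);

	get_single_attribute(ldap_struct, entry, "pwdMustChange", temp);
	user->pass_must_change_time = (time_t)strtol(temp, NULL, 16);

	/* … unchanged: cn and the remaining attributes … */
```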
@@ -21,40 +21,34 @@ */ #include "includes.h" +#include "nterr.h" extern int DEBUGLEVEL; -/************************************************************************ - Routine to search sam passwd by name. -*************************************************************************/ +/********************************************************** + ********************************************************** -struct smb_passwd *getsampwnam(char *name) -{ -#ifdef USE_LDAP - return getldappwnam(name); -#else - return getsmbpwnam(name); -#endif /* USE_LDAP */ -} + low-level redirection routines: -/************************************************************************ - Routine to search sam passwd by uid. -*************************************************************************/ + startsampwent() + endsampwent() + getsampwent() + getsam21pwent() + getsampwpos() + setsampwpos() -struct smb_passwd *getsampwuid(unsigned int uid) -{ -#ifdef USE_LDAP - return getldappwuid(uid); -#else - return getsmbpwuid(uid); -#endif /* USE_LDAP */ -} + add_sampwd_entry() + mod_sampwd_entry() + add_sam21pwd_entry() + mod_sam21pwd_entry() + + ********************************************************** + **********************************************************/ /*************************************************************** Start to enumerate the sam passwd list. Returns a void pointer to ensure no modification outside this module. ****************************************************************/ - void *startsampwent(BOOL update) { #ifdef USE_LDAP @@ -67,7 +61,6 @@ void *startsampwent(BOOL update) /*************************************************************** End enumeration of the sam passwd list. ****************************************************************/ - void endsampwent(void *vp) { #ifdef USE_LDAP 
@@ -80,7 +73,6 @@ void endsampwent(void *vp) /************************************************************************* Routine to return the next entry in the sam passwd list. *************************************************************************/ - struct smb_passwd *getsampwent(void *vp) { #ifdef USE_LDAP @@ -90,6 +82,23 @@ struct smb_passwd *getsampwent(void *vp) #endif /* USE_LDAP */ } +/************************************************************************* + Routine to return the next entry in the sam passwd list. + *************************************************************************/ +struct sam_passwd *getsam21pwent(void *vp) +{ +#if 0 +#ifdef USE_LDAP + return getldap21pwent(vp); +#else + return getsmb21pwent(vp); +#endif /* USE_LDAP */ +#else + DEBUG(0,("getsam21pwent: under development\n")); + return NULL; +#endif +} + /************************************************************************* Return the current position in the sam passwd list as an unsigned long. This must be treated as an opaque token. @@ -119,7 +128,6 @@ BOOL setsampwpos(void *vp, unsigned long tok) /************************************************************************ Routine to add an entry to the sam passwd file. *************************************************************************/ - BOOL add_sampwd_entry(struct smb_passwd *newpwd) { #ifdef USE_LDAP 
@@ -129,6 +137,23 @@ BOOL add_sampwd_entry(struct smb_passwd *newpwd) #endif /* USE_LDAP */ } +/************************************************************************ + Routine to add an entry to the sam passwd file. +*************************************************************************/ +BOOL add_sam21pwd_entry(struct sam_passwd *newpwd) +{ +#if 0 +#ifdef USE_LDAP + return add_ldappwd_entry(newpwd); +#else + return add_smbpwd_entry(newpwd); +#endif /* USE_LDAP */ +#else + DEBUG(0,("add_sam21pwd_entry() - under development\n")); + return False; +#endif +} + /************************************************************************ Routine to search the sam passwd file for an entry matching the username. and then modify its password entry. We can't use the startsampwent()/ @@ -137,7 +162,6 @@ BOOL add_sampwd_entry(struct smb_passwd *newpwd) override = False, normal override = True, override XXXXXXXX'd out password or NO PASS ************************************************************************/ - BOOL mod_sampwd_entry(struct smb_passwd* pwd, BOOL override) { #ifdef USE_LDAP 
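Review bot: The `#if 0` branch of add_sam21pwd_entry() passes `newpwd`, a `struct sam_passwd *`, to add_ldappwd_entry() and add_smbpwd_entry(), which this commit's proto.h declares as taking `struct smb_passwd *`, so the disabled code would not compile if it were simply switched on; mod_sam21pwd_entry() in the next hunk has the same mismatch. A one-line comment in each would save the next person the surprise, e.g. `/* XXX: needs sam_passwd variants of the ldap/smb add and mod routines before this can be enabled */`. The live branch's `DEBUG(0, ...)` also logs at level 0 on every call, which seems noisier than intended for a path that is known to be unfinished.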
@@ -147,3 +171,355 @@ BOOL mod_sampwd_entry(struct smb_passwd* pwd, BOOL override) #endif /* USE_LDAP */ } +/************************************************************************ + Routine to search the sam passwd file for an entry matching the username. + and then modify its password entry. We can't use the startsampwent()/ + getsampwent()/endsampwent() interfaces here as we depend on looking + in the actual file to decide how much room we have to write data. + override = False, normal + override = True, override XXXXXXXX'd out password or NO PASS +************************************************************************/ +BOOL mod_sam21pwd_entry(struct sam_passwd* pwd, BOOL override) +{ +#if 0 +#ifdef USE_LDAP + return mod_ldappwd_entry(pwd, override); +#else + return mod_smbpwd_entry(pwd, override); +#endif /* USE_LDAP */ +#else + DEBUG(0,("mod_sam21pwd_entry() - under development\n")); + return False; +#endif +} + +/********************************************************** + ********************************************************** + + high-level database routines: + getsampwnam() + getsampwuid() + getsam21pwnam() + getsam21pwuid() + + ********************************************************** + **********************************************************/ + +/************************************************************************ + Routine to search sam passwd by name. +*************************************************************************/ +struct smb_passwd *getsampwnam(char *name) +{ + struct smb_passwd *pwd = NULL; + void *fp = NULL; + + DEBUG(10, ("getsampwnam: search by name: %s\n", name)); + + /* Open the sam password file - not for update. 
*/ + fp = startsampwent(False); + + if (fp == NULL) + { + DEBUG(0, ("getsampwnam: unable to open sam password database.\n")); + return NULL; + } + + while ((pwd = getsampwent(fp)) != NULL && !strequal(pwd->smb_name, name)); + + if (pwd != NULL) + { + DEBUG(10, ("getsampwnam: found by name: %s\n", name)); + } + + endsampwent(fp); + return pwd; +} + +/************************************************************************ + Routine to search sam passwd by name. +*************************************************************************/ +struct sam_passwd *getsam21pwnam(char *name) +{ + struct sam_passwd *pwd = NULL; + void *fp = NULL; + + DEBUG(10, ("getsam21pwnam: search by name: %s\n", name)); + + /* Open the sam password file - not for update. */ + fp = startsampwent(False); + + if (fp == NULL) + { + DEBUG(0, ("getsam21pwnam: unable to open sam password database.\n")); + return NULL; + } + + while ((pwd = getsam21pwent(fp)) != NULL && !strequal(pwd->smb_name, name)); + + if (pwd != NULL) + { + DEBUG(10, ("getsam21pwnam: found by name: %s\n", name)); + } + + endsampwent(fp); + return pwd; +} + +/************************************************************************ + Routine to search sam passwd by uid. +*************************************************************************/ +struct smb_passwd *getsampwuid(uid_t smb_userid) +{ + struct smb_passwd *pwd = NULL; + void *fp = NULL; + + DEBUG(10, ("getsampwuid: search by smb_userid: %x\n", smb_userid)); + + /* Open the sam password file - not for update. 
*/ + fp = startsampwent(False); + + if (fp == NULL) + { + DEBUG(0, ("getsampwuid: unable to open sam password database.\n")); + return NULL; + } + + while ((pwd = getsampwent(fp)) != NULL && pwd->smb_userid != smb_userid); + + if (pwd != NULL) + { + DEBUG(10, ("getsampwuid: found by smb_userid: %x\n", smb_userid)); + } + + endsmbpwent(fp); + return pwd; +} + +/************************************************************************ + Routine to search sam passwd by rid. +*************************************************************************/ +struct sam_passwd *getsam21pwrid(uint32 rid) +{ + struct sam_passwd *pwd = NULL; + void *fp = NULL; + + DEBUG(10, ("getsam21pwrid: search by rid: %x\n", rid)); + + /* Open the sam password file - not for update. */ + fp = startsampwent(False); + + if (fp == NULL) + { + DEBUG(0, ("getsam21pwrid: unable to open sam password database.\n")); + return NULL; + } + + while ((pwd = getsam21pwent(fp)) != NULL && pwd->user_rid != rid); + + if (pwd != NULL) + { + DEBUG(10, ("getsam21pwrid: found by smb_userid: %x\n", rid)); + } + + endsmbpwent(fp); + return pwd; +} + + +/********************************************************** + ********************************************************** + + utility routines which are likely to be useful to all password + databases + + ********************************************************** + **********************************************************/ + +/********************************************************** + Encode the account control bits into a string. 
+ **********************************************************/ +char *encode_acct_ctrl(uint16 acct_ctrl) +{ + static fstring acct_str; + char *p = acct_str; + + *p++ = '['; + + if (acct_ctrl & ACB_HOMDIRREQ) *p++ = 'H'; + if (acct_ctrl & ACB_TEMPDUP ) *p++ = 'T'; + if (acct_ctrl & ACB_NORMAL ) *p++ = 'U'; + if (acct_ctrl & ACB_MNS ) *p++ = 'M'; + if (acct_ctrl & ACB_WSTRUST ) *p++ = 'W'; + if (acct_ctrl & ACB_SVRTRUST ) *p++ = 'S'; + if (acct_ctrl & ACB_AUTOLOCK ) *p++ = 'L'; + if (acct_ctrl & ACB_PWNOEXP ) *p++ = 'X'; + if (acct_ctrl & ACB_DOMTRUST ) *p++ = 'I'; + + *p++ = ']'; + *p = '\0'; + return acct_str; +} + +/********************************************************** + Decode the account control bits from a string. + + this function breaks coding standards minimum line width of 80 chars. + reason: vertical line-up code clarity - all case statements fit into + 15 lines, which is more important. + **********************************************************/ +uint16 decode_acct_ctrl(char *p) +{ + uint16 acct_ctrl = 0; + BOOL finished = False; + + /* + * Check if the account type bits have been encoded after the + * NT password (in the form [NDHTUWSLXI]). + */ + + if (*p != '[') return 0; + + for (p++; *p && !finished; p++) + { + switch (*p) + { +#if 0 + /* + * Hmmm. Don't allow these to be set/read independently + * of the actual password fields. We don't want a mismatch. + * JRA. + */ + case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ } + case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ } +#endif + case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ } + case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ } + case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ } + case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ } + case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. 
*/ } + case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ } + case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ } + case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ } + case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ } + + case ':': + case '\n': + case '\0': + case ']': + default: { finished = True; } + } + } + + return acct_ctrl; +} + +/************************************************************* + Routine to get the next 32 hex characters and turn them + into a 16 byte array. +**************************************************************/ +int gethexpwd(char *p, char *pwd) +{ + int i; + unsigned char lonybble, hinybble; + char *hexchars = "0123456789ABCDEF"; + char *p1, *p2; + + for (i = 0; i < 32; i += 2) { + hinybble = toupper(p[i]); + lonybble = toupper(p[i + 1]); + + p1 = strchr(hexchars, hinybble); + p2 = strchr(hexchars, lonybble); + if (!p1 || !p2) + return (False); + hinybble = PTR_DIFF(p1, hexchars); + lonybble = PTR_DIFF(p2, hexchars); + + pwd[i / 2] = (hinybble << 4) | lonybble; + } + return (True); +} + +/******************************************************************* + Group and User RID username mapping function + ********************************************************************/ +BOOL name_to_rid(char *user_name, uint32 *u_rid, uint32 *g_rid) +{ + struct passwd *pw = Get_Pwnam(user_name, False); + + if (u_rid == NULL || g_rid == NULL || user_name == NULL) + { + return False; + } + + if (!pw) + { + DEBUG(1,("Username %s is invalid on this system\n", user_name)); + return False; + } + + if (user_in_list(user_name, lp_domain_guest_users())) + { + *u_rid = DOMAIN_USER_RID_GUEST; + } + else if (user_in_list(user_name, lp_domain_admin_users())) + { + *u_rid = DOMAIN_USER_RID_ADMIN; + } + else + { + /* turn the unix UID into a Domain RID. 
this is what the posix + sub-system does (adds 1000 to the uid) */ + *u_rid = uid_to_user_rid(pw->pw_uid); + } + + /* absolutely no idea what to do about the unix GID to Domain RID mapping */ + *g_rid = gid_to_group_rid(pw->pw_gid); + + return True; +} + +/******************************************************************* + XXXX THIS FUNCTION SHOULD NOT BE HERE: IT SHOULD BE A STATIC FUNCTION + INSIDE smbpass.c + + converts NT User RID to a UNIX uid. + ********************************************************************/ +uid_t user_rid_to_uid(uint32 u_rid) +{ + return (uid_t)(u_rid - 1000); +} + +/******************************************************************* + XXXX THIS FUNCTION SHOULD NOT BE HERE: IT SHOULD BE A STATIC FUNCTION + INSIDE smbpass.c + + converts NT Group RID to a UNIX uid. + ********************************************************************/ +uid_t group_rid_to_uid(uint32 u_gid) +{ + return (uid_t)(u_gid - 1000); +} + +/******************************************************************* + XXXX THIS FUNCTION SHOULD NOT BE HERE: IT SHOULD BE A STATIC FUNCTION + INSIDE smbpass.c + + converts UNIX uid to an NT User RID. + ********************************************************************/ +uint32 uid_to_user_rid(uint32 uid) +{ + return (uint32)(uid + 1000); +} + +/******************************************************************* + XXXX THIS FUNCTION SHOULD NOT BE HERE: IT SHOULD BE A STATIC FUNCTION + INSIDE smbpass.c + + converts NT Group RID to a UNIX uid. + ********************************************************************/ +uint32 gid_to_group_rid(uint32 gid) +{ + return (uint32)(gid + 1000); +} + diff --git a/source3/passdb/smbpass.c b/source3/passdb/smbpass.c index cb75d62e42..3f6ce8aaef 100644 --- a/source3/passdb/smbpass.c +++ b/source3/passdb/smbpass.c 
@@ -336,78 +336,9 @@ struct smb_passwd *getsmbpwent(void *vp) DEBUG(5, ("getsmbpwent: returning passwd entry for user %s, uid %d\n", user_name, uidval)); - /* - * Check if the account type bits have been encoded after the - * NT password (in the form [NDHTUWSLXI]). - */ - - if (*p == '[') { - BOOL finished = False; - - pw_buf.acct_ctrl = 0; - - for(p++;*p && !finished; p++) { - switch (*p) { -#if 0 - /* - * Hmmm. Don't allow these to be set/read independently - * of the actual password fields. We don't want a mismatch. - * JRA. - */ - case 'N': - /* 'N'o password. */ - pw_buf.acct_ctrl |= ACB_PWNOTREQ; - break; - case 'D': - /* 'D'isabled. */ - pw_buf.acct_ctrl |= ACB_DISABLED; - break; -#endif - case 'H': - /* 'H'omedir required. */ - pw_buf.acct_ctrl |= ACB_HOMDIRREQ; - break; - case 'T': - /* 'T'emp account. */ - pw_buf.acct_ctrl |= ACB_TEMPDUP; - break; - case 'U': - /* 'U'ser account (normal). */ - pw_buf.acct_ctrl |= ACB_NORMAL; - break; - case 'M': - /* 'M'NS logon user account. What is this ? */ - pw_buf.acct_ctrl |= ACB_MNS; - break; - case 'W': - /* 'W'orkstation account. */ - pw_buf.acct_ctrl |= ACB_WSTRUST; - break; - case 'S': - /* 'S'erver account. */ - pw_buf.acct_ctrl |= ACB_SVRTRUST; - break; - case 'L': - /* 'L'ocked account. */ - pw_buf.acct_ctrl |= ACB_AUTOLOCK; - break; - case 'X': - /* No 'X'piry. */ - pw_buf.acct_ctrl |= ACB_PWNOEXP; - break; - case 'I': - /* 'I'nterdomain trust account. */ - pw_buf.acct_ctrl |= ACB_DOMTRUST; - break; - - case ':': - case '\n': - case '\0': - case ']': - default: - finished = True; - } - } + if (*p == '[') + { + pw_buf.acct_ctrl = decode_acct_ctrl(p); /* Must have some account type set. */ if(pw_buf.acct_ctrl == 0) 
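Review bot: After `pw_buf.acct_ctrl = decode_acct_ctrl(p);` the pointer p is still on the opening '[' — the removed loop advanced p past the closing ']' as a side effect, while decode_acct_ctrl receives p by value and cannot move it. If the code after this hunk (getsmbpwent continues outside it) still reads the `:LCT-` last-change-time field from p, that field is no longer parsed and the password age recorded in the entry is silently lost. Advance explicitly, e.g. `char *end_p = strchr(p, ']');` before the decode and `if (end_p) p = end_p + 1;` after it (adjust the casts if p is not a plain `char *`).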
@@ -438,7 +369,7 @@ struct smb_passwd *getsmbpwent(void *vp)
 } else {
 /* 'Old' style file. Fake up based on user name. */
 /*
- * Currently machine accounts are kept in the same
+ * Currently trust accounts are kept in the same
 * password file as 'normal accounts'. If this changes
 * we will have to fix this code. JRA.
 */
@@ -479,107 +410,12 @@ BOOL setsmbpwpos(void *vp, unsigned long tok) return !fseek((FILE *)vp, tok, SEEK_SET); } -/************************************************************************* - Routine to search the smbpasswd file for an entry matching the username - or user id. if the name is NULL, then the smb_uid is used instead. - *************************************************************************/ -static struct smb_passwd *get_smbpwd_entry(char *name, int smb_userid) -{ - struct smb_passwd *pwd = NULL; - FILE *fp = NULL; - - if (name != NULL) { - DEBUG(10, ("get_smbpwd_entry: search by name: %s\n", name)); - } else { - DEBUG(10, ("get_smbpwd_entry: search by smb_userid: %x\n", smb_userid)); - } - - /* Open the smbpassword file - not for update. */ - fp = startsmbpwent(False); - - if (fp == NULL) { - DEBUG(0, ("get_smbpwd_entry: unable to open password file.\n")); - return NULL; - } - - /* - * Scan the file, a line at a time and check if the name - * or uid matches. - */ - - while ((pwd = getsmbpwent(fp)) != NULL) { - if (name != NULL) { - /* Search is by user name */ - if (!strequal(pwd->smb_name, name)) - continue; - DEBUG(10, ("get_smbpwd_entry: found by name: %s\n", name)); - break; - } else { - /* Search is by user id */ - if (pwd->smb_userid != smb_userid) - continue; - DEBUG(10, ("get_smbpwd_entry: found by smb_userid: %x\n", smb_userid)); - break; - } - } - - endsmbpwent(fp); - return pwd; -} - -/************************************************************************ - Routine to search smb passwd by name. -*************************************************************************/ - -struct smb_passwd *getsmbpwnam(char *name) -{ - return get_smbpwd_entry(name, 0); -} - - -/************************************************************************ - Routine to search smb passwd by uid. 
-*************************************************************************/ - -struct smb_passwd *getsmbpwuid(unsigned int uid) -{ - return get_smbpwd_entry(NULL, uid); -} - - -/********************************************************** - Encode the account control bits into a string. -**********************************************************/ - -char *encode_acct_ctrl(uint16 acct_ctrl) -{ - static fstring acct_str; - char *p = acct_str; - - *p++ = '['; - - if (acct_ctrl & ACB_HOMDIRREQ) *p++ = 'H'; - if (acct_ctrl & ACB_TEMPDUP ) *p++ = 'T'; - if (acct_ctrl & ACB_NORMAL ) *p++ = 'U'; - if (acct_ctrl & ACB_MNS ) *p++ = 'M'; - if (acct_ctrl & ACB_WSTRUST ) *p++ = 'W'; - if (acct_ctrl & ACB_SVRTRUST ) *p++ = 'S'; - if (acct_ctrl & ACB_AUTOLOCK ) *p++ = 'L'; - if (acct_ctrl & ACB_PWNOEXP ) *p++ = 'X'; - if (acct_ctrl & ACB_DOMTRUST ) *p++ = 'I'; - - *p++ = ']'; - *p = '\0'; - return acct_str; -} - /************************************************************************ Routine to add an entry to the smbpasswd file. do not call this function directly. use passdb.c instead. *************************************************************************/ - BOOL add_smbpwd_entry(struct smb_passwd *newpwd) { char *pfile = lp_smb_passwd_file(); @@ -713,7 +549,6 @@ Error was %s. Password file may be corrupt ! Please examine by hand !\n", do not call this function directly. use passdb.c instead. ************************************************************************/ - BOOL mod_smbpwd_entry(struct smb_passwd* pwd, BOOL override) { /* Static buffers we will return. */ 
@@ -1060,10 +895,10 @@ static int mach_passwd_lock_depth; static FILE *mach_passwd_fp; /************************************************************************ - Routine to get the name for a machine account file. + Routine to get the name for a trust account file. ************************************************************************/ -static void get_machine_account_file_name( char *domain, char *name, char *mac_file) +static void get_trust_account_file_name( char *domain, char *name, char *mac_file) { unsigned int mac_file_len; char *p; @@ -1077,7 +912,7 @@ static void get_machine_account_file_name( char *domain, char *name, char *mac_f if ((int)(sizeof(pstring) - mac_file_len - strlen(domain) - strlen(name) - 6) < 0) { - DEBUG(0,("machine_password_lock: path %s too long to add machine details.\n", + DEBUG(0,("trust_password_lock: path %s too long to add trust details.\n", mac_file)); return; } @@ -1089,16 +924,16 @@ static void get_machine_account_file_name( char *domain, char *name, char *mac_f } /************************************************************************ - Routine to lock the machine account password file for a domain. + Routine to lock the trust account password file for a domain. ************************************************************************/ -BOOL machine_password_lock( char *domain, char *name, BOOL update) +BOOL trust_password_lock( char *domain, char *name, BOOL update) { pstring mac_file; if(mach_passwd_lock_depth == 0) { - get_machine_account_file_name( domain, name, mac_file); + get_trust_account_file_name( domain, name, mac_file); if((mach_passwd_fp = fopen(mac_file, "r+b")) == NULL) { if(errno == ENOENT && update) { 
@@ -1106,7 +941,7 @@ BOOL machine_password_lock( char *domain, char *name, BOOL update) } if(mach_passwd_fp == NULL) { - DEBUG(0,("machine_password_lock: cannot open file %s - Error was %s.\n", + DEBUG(0,("trust_password_lock: cannot open file %s - Error was %s.\n", mac_file, strerror(errno) )); return False; } @@ -1117,7 +952,7 @@ BOOL machine_password_lock( char *domain, char *name, BOOL update) if(!pw_file_lock(fileno(mach_passwd_fp), (update ? F_WRLCK : F_RDLCK), 60, &mach_passwd_lock_depth)) { - DEBUG(0,("machine_password_lock: cannot lock file %s\n", mac_file)); + DEBUG(0,("trust_password_lock: cannot lock file %s\n", mac_file)); fclose(mach_passwd_fp); return False; } @@ -1128,10 +963,10 @@ BOOL machine_password_lock( char *domain, char *name, BOOL update) } /************************************************************************ - Routine to unlock the machine account password file for a domain. + Routine to unlock the trust account password file for a domain. ************************************************************************/ -BOOL machine_password_unlock(void) +BOOL trust_password_unlock(void) { BOOL ret = pw_file_unlock(fileno(mach_passwd_fp), &mach_passwd_lock_depth); if(mach_passwd_lock_depth == 0) 
@@ -1140,23 +975,23 @@ BOOL machine_password_unlock(void) } /************************************************************************ - Routine to delete the machine account password file for a domain. + Routine to delete the trust account password file for a domain. ************************************************************************/ -BOOL machine_password_delete( char *domain, char *name ) +BOOL trust_password_delete( char *domain, char *name ) { pstring mac_file; - get_machine_account_file_name( domain, name, mac_file); + get_trust_account_file_name( domain, name, mac_file); return (unlink( mac_file ) == 0); } /************************************************************************ - Routine to get the machine account password for a domain. - The user of this function must have locked the machine password file. + Routine to get the trust account password for a domain. + The user of this function must have locked the trust password file. ************************************************************************/ -BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set_time) +BOOL get_trust_account_password( unsigned char *ret_pwd, time_t *pass_last_set_time) { char linebuf[256]; char *p; @@ -1168,14 +1003,14 @@ BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set memset(ret_pwd, '\0', 16); if(fseek( mach_passwd_fp, 0L, SEEK_SET) == -1) { - DEBUG(0,("get_machine_account_password: Failed to seek to start of file. Error was %s.\n", + DEBUG(0,("get_trust_account_password: Failed to seek to start of file. Error was %s.\n", strerror(errno) )); return False; } fgets(linebuf, sizeof(linebuf), mach_passwd_fp); if(ferror(mach_passwd_fp)) { - DEBUG(0,("get_machine_account_password: Failed to read password. Error was %s.\n", + DEBUG(0,("get_trust_account_password: Failed to read password. Error was %s.\n", strerror(errno) )); return False; } 
@@ -1186,9 +1021,9 @@ BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set */ if(strlen(linebuf) != 45) { - DEBUG(0,("get_machine_account_password: Malformed machine password file (wrong length).\n")); + DEBUG(0,("get_trust_account_password: Malformed trust password file (wrong length).\n")); #ifdef DEBUG_PASSWORD - DEBUG(100,("get_machine_account_password: line = |%s|\n", linebuf)); + DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf)); #endif return False; } @@ -1199,9 +1034,9 @@ BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set if (!gethexpwd((char *)linebuf, (char *)ret_pwd) || linebuf[32] != ':' || strncmp(&linebuf[33], "TLC-", 4)) { - DEBUG(0,("get_machine_account_password: Malformed machine password file (incorrect format).\n")); + DEBUG(0,("get_trust_account_password: Malformed trust password file (incorrect format).\n")); #ifdef DEBUG_PASSWORD - DEBUG(100,("get_machine_account_password: line = |%s|\n", linebuf)); + DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf)); #endif return False; } @@ -1213,9 +1048,9 @@ BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set for(i = 0; i < 8; i++) { if(p[i] == '\0' || !isxdigit(p[i])) { - DEBUG(0,("get_machine_account_password: Malformed machine password file (no timestamp).\n")); + DEBUG(0,("get_trust_account_password: Malformed trust password file (no timestamp).\n")); #ifdef DEBUG_PASSWORD - DEBUG(100,("get_machine_account_password: line = |%s|\n", linebuf)); + DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf)); #endif return False; } 
@@ -1233,17 +1068,17 @@ BOOL get_machine_account_password( unsigned char *ret_pwd, time_t *pass_last_set } /************************************************************************ - Routine to get the machine account password for a domain. - The user of this function must have locked the machine password file. + Routine to get the trust account password for a domain. + The user of this function must have locked the trust password file. ************************************************************************/ -BOOL set_machine_account_password( unsigned char *md4_new_pwd) +BOOL set_trust_account_password( unsigned char *md4_new_pwd) { char linebuf[64]; int i; if(fseek( mach_passwd_fp, 0L, SEEK_SET) == -1) { - DEBUG(0,("set_machine_account_password: Failed to seek to start of file. Error was %s.\n", + DEBUG(0,("set_trust_account_password: Failed to seek to start of file. Error was %s.\n", strerror(errno) )); return False; } @@ -1254,8 +1089,8 @@ BOOL set_machine_account_password( unsigned char *md4_new_pwd) sprintf(&linebuf[32], ":TLC-%08X\n", (unsigned)time(NULL)); if(fwrite( linebuf, 1, 45, mach_passwd_fp)!= 45) { - DEBUG(0,("set_machine_account_password: Failed to write file. Warning - the machine \ -machine account is now invalid. Please recreate. Error was %s.\n", strerror(errno) )); + DEBUG(0,("set_trust_account_password: Failed to write file. Warning - the trust \ +account is now invalid. Please recreate. Error was %s.\n", strerror(errno) )); return False; } diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c index a84dbb43ef..210a3f55e2 100644 --- a/source3/rpc_server/srv_util.c +++ b/source3/rpc_server/srv_util.c @@ -79,7 +79,6 @@ rid_name domain_group_rids[] = }; - int make_dom_gids(char *gids_str, DOM_GID *gids) { char *ptr; 
@@ -133,44 +132,6 @@ int make_dom_gids(char *gids_str, DOM_GID *gids) return count; } -/******************************************************************* - gets a domain user's groups - ********************************************************************/ -void get_domain_user_groups(char *domain_groups, char *user) -{ - pstring tmp; - - if (domain_groups == NULL || user == NULL) return; - - /* any additional groups this user is in. e.g power users */ - pstrcpy(domain_groups, lp_domain_groups()); - - /* can only be a user or a guest. cannot be guest _and_ admin */ - if (user_in_list(user, lp_domain_guest_users())) - { - sprintf(tmp, " %ld/7 ", DOMAIN_GROUP_RID_GUESTS); - strcat(domain_groups, tmp); - - DEBUG(3,("domain guest access %s granted\n", tmp)); - } - else - { - sprintf(tmp, " %ld/7 ", DOMAIN_GROUP_RID_USERS); - strcat(domain_groups, tmp); - - DEBUG(3,("domain user access %s granted\n", tmp)); - - if (user_in_list(user, lp_domain_admin_users())) - { - sprintf(tmp, " %ld/7 ", DOMAIN_GROUP_RID_ADMINS); - strcat(domain_groups, tmp); - - DEBUG(3,("domain admin access %s granted\n", tmp)); - } - } -} - - /******************************************************************* turns a DCE/RPC request into a DCE/RPC reply 
@@ -320,7 +281,44 @@ BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds return True; } -extern rid_name domain_group_rids[]; + +/******************************************************************* + gets a domain user's groups + ********************************************************************/ +void get_domain_user_groups(char *domain_groups, char *user) +{ + pstring tmp; + + if (domain_groups == NULL || user == NULL) return; + + /* any additional groups this user is in. e.g power users */ + pstrcpy(domain_groups, lp_domain_groups()); + + /* can only be a user or a guest. cannot be guest _and_ admin */ + if (user_in_list(user, lp_domain_guest_users())) + { + sprintf(tmp, " %ld/7 ", DOMAIN_GROUP_RID_GUESTS); + strcat(domain_groups, tmp); + + DEBUG(3,("domain guest access %s granted\n", tmp)); + } + else + { + sprintf(tmp, " %ld/7 ", DOMAIN_GROUP_RID_USERS); + strcat(domain_groups, tmp); + + DEBUG(3,("domain user access %s granted\n", tmp)); + + if (user_in_list(user, lp_domain_admin_users())) + { + sprintf(tmp, " %ld/7 ", DOMAIN_GROUP_RID_ADMINS); + strcat(domain_groups, tmp); + + DEBUG(3,("domain admin access %s granted\n", tmp)); + } + } +} + /******************************************************************* lookup_group_name @@ -348,8 +346,6 @@ uint32 lookup_group_name(uint32 rid, char *group_name, uint32 *type) return 0xC0000000 | NT_STATUS_NONE_MAPPED; } -extern rid_name domain_alias_rids[]; - /******************************************************************* lookup_alias_name ********************************************************************/ 
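Review bot: The relocated get_domain_user_groups still fills domain_groups with unbounded `sprintf`/`strcat` calls, so it has no knowledge of the caller's buffer size and each appended ` %ld/7 ` entry assumes there is room left after the `lp_domain_groups()` text copied by pstrcpy. The `%ld` conversion also requires a long argument; unless the DOMAIN_GROUP_RID_* constants are defined with type long, the call is undefined behaviour on platforms where int and long differ in width. Since the function is being moved anyway, this is a good moment to either add a length parameter and bound the appends, or at least cast the arguments, e.g. `sprintf(tmp, " %ld/7 ", (long)DOMAIN_GROUP_RID_GUESTS);`. The same applies to the USERS and ADMINS branches in this hunk.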
@@ -480,87 +476,3 @@ uint32 lookup_user_rid(char *user_name, uint32 *rid) return 0xC0000000 | NT_STATUS_NONE_MAPPED; } - -/******************************************************************* - Group and User RID username mapping function - ********************************************************************/ -BOOL name_to_rid(char *user_name, uint32 *u_rid, uint32 *g_rid) -{ - struct passwd *pw = Get_Pwnam(user_name, False); - - if (u_rid == NULL || g_rid == NULL || user_name == NULL) - { - return False; - } - - if (!pw) - { - DEBUG(1,("Username %s is invalid on this system\n", user_name)); - return False; - } - - if (user_in_list(user_name, lp_domain_guest_users())) - { - *u_rid = DOMAIN_USER_RID_GUEST; - } - else if (user_in_list(user_name, lp_domain_admin_users())) - { - *u_rid = DOMAIN_USER_RID_ADMIN; - } - else - { - /* turn the unix UID into a Domain RID. this is what the posix - sub-system does (adds 1000 to the uid) */ - *u_rid = uid_to_user_rid(pw->pw_uid); - } - - /* absolutely no idea what to do about the unix GID to Domain RID mapping */ - *g_rid = gid_to_group_rid(pw->pw_gid); - - return True; -} - -/******************************************************************* - XXXX THIS FUNCTION SHOULD NOT BE HERE: IT SHOULD BE A STATIC FUNCTION - INSIDE smbpass.c - - converts NT User RID to a UNIX uid. - ********************************************************************/ -uid_t user_rid_to_uid(uint32 u_rid) -{ - return (uid_t)(u_rid - 1000); -} - -/******************************************************************* - XXXX THIS FUNCTION SHOULD NOT BE HERE: IT SHOULD BE A STATIC FUNCTION - INSIDE smbpass.c - - converts NT Group RID to a UNIX uid. 
- ********************************************************************/ -uid_t group_rid_to_uid(uint32 u_gid) -{ - return (uid_t)(u_gid - 1000); -} - -/******************************************************************* - XXXX THIS FUNCTION SHOULD NOT BE HERE: IT SHOULD BE A STATIC FUNCTION - INSIDE smbpass.c - - converts UNIX uid to an NT User RID. - ********************************************************************/ -uint32 uid_to_user_rid(uint32 uid) -{ - return (uint32)(uid + 1000); -} - -/******************************************************************* - XXXX THIS FUNCTION SHOULD NOT BE HERE: IT SHOULD BE A STATIC FUNCTION - INSIDE smbpass.c - - converts NT Group RID to a UNIX uid. - ********************************************************************/ -uint32 gid_to_group_rid(uint32 gid) -{ - return (uint32)(gid + 1000); -} - diff --git a/source3/script/mkproto.awk b/source3/script/mkproto.awk index 6e1242b84f..b1c7f79c18 100644 --- a/source3/script/mkproto.awk +++ b/source3/script/mkproto.awk @@ -1,5 +1,6 @@ BEGIN { inheader=0; + use_ldap_define = 0; current_file=""; print "/* This file is automatically generated with \"make proto\". DO NOT EDIT */" print "" @@ -7,10 +8,19 @@ BEGIN { { if (FILENAME!=current_file) { + if (use_ldap_define) + { + print "#endif /* USE_LDAP */" + use_ldap_define = 0; + } print "" print "/*The following definitions come from ",FILENAME," */" print "" current_file=FILENAME + if (current_file=="ldap.c") { + print "#ifdef USE_LDAP" + use_ldap_define = 1; + } } if (inheader) { if (match($0,"[)][ \t]*$")) { @@ -64,7 +74,7 @@ BEGIN { next; } -!/^unsigned|^mode_t|^DIR|^user|^int|^char|^uint|^struct|^BOOL|^void|^time|^smb_shm_offset_t|^shm_offset_t|^enum remote_arch_types|^FILE/ { +!/^uid_t|^gid_t|^unsigned|^mode_t|^DIR|^user|^int|^char|^uint|^struct|^BOOL|^void|^time|^smb_shm_offset_t|^shm_offset_t|^enum remote_arch_types|^FILE/ { next; } 
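Review bot: The closing `#endif /* USE_LDAP */` is only printed when the next input file begins, so if ldap.c is the last file on the awk command line the generated proto.h ends inside an open `#ifdef USE_LDAP` and will not compile. Add an END rule that flushes the guard: `END { if (use_ldap_define) print "#endif /* USE_LDAP */" }`. The check `current_file=="ldap.c"` is also an exact match on FILENAME; if the Makefile passes a path such as passdb/ldap.c (the invocation is not visible here) the guard is never emitted, and a pattern test like `current_file ~ /(^|\/)ldap\.c$/` would be more robust.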
diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 67de0523e8..327bfba371 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -1919,7 +1919,7 @@ BOOL domain_client_validate( char *user, char *domain, unsigned char local_challenge[8]; unsigned char local_lm_response[24]; unsigned char local_nt_reponse[24]; - unsigned char machine_passwd[16]; + unsigned char trust_passwd[16]; time_t lct; fstring remote_machine; char *p; @@ -1977,20 +1977,20 @@ BOOL domain_client_validate( char *user, char *domain, /* * Get the machine account password. */ - if(!machine_password_lock( global_myworkgroup, global_myname, False)) { + if(!trust_password_lock( global_myworkgroup, global_myname, False)) { DEBUG(0,("domain_client_validate: unable to open the machine account password file for \ machine %s in domain %s.\n", global_myname, global_myworkgroup )); return False; } - if(get_machine_account_password( machine_passwd, &lct) == False) { + if(get_trust_account_password( trust_passwd, &lct) == False) { DEBUG(0,("domain_client_validate: unable to read the machine account password for \ machine %s in domain %s.\n", global_myname, global_myworkgroup )); - machine_password_unlock(); + trust_password_unlock(); return False; } - machine_password_unlock(); + trust_password_unlock(); unbecome_root(False); @@ -2115,7 +2115,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); return False; } - if(cli_nt_setup_creds(&cli, machine_passwd) == False) { + if(cli_nt_setup_creds(&cli, trust_passwd) == False) { DEBUG(0,("domain_client_validate: unable to setup the PDC credentials to machine \ %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); cli_nt_session_close(&cli); diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index 77dcfb0d43..d58d6396c1 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c 
@@ -44,8 +44,8 @@ Join a domain. **********************************************************/ static int setup_account( char *domain, char *remote_machine, - unsigned char orig_machine_passwd_hash[16], - unsigned char new_machine_passwd_hash[16]) + unsigned char orig_trust_passwd_hash[16], + unsigned char new_trust_passwd_hash[16]) { struct in_addr dest_ip; struct cli_state cli; @@ -132,7 +132,7 @@ machine %s. Error was : %s.\n", prog_name, remote_machine, cli_errstr(&cli)); return 1; } - if(cli_nt_setup_creds(&cli, orig_machine_passwd_hash) == False) { + if(cli_nt_setup_creds(&cli, orig_trust_passwd_hash) == False) { fprintf(stderr, "%s: unable to setup the PDC credentials to machine \ %s. Error was : %s.\n", prog_name, remote_machine, cli_errstr(&cli)); cli_nt_session_close(&cli); @@ -141,7 +141,7 @@ machine %s. Error was : %s.\n", prog_name, remote_machine, cli_errstr(&cli)); return 1; } - if( cli_nt_srv_pwset( &cli,new_machine_passwd_hash ) == False) { + if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) { fprintf(stderr, "%s: unable to change password for machine %s in domain \ %s to Domain controller %s. Error was %s.\n", prog_name, global_myname, domain, remote_machine, cli_errstr(&cli)); 
@@ -166,17 +166,17 @@ static int join_domain( char *domain, char *remote) { fstring remote_machine; char *p; - fstring machine_passwd; - unsigned char machine_passwd_hash[16]; - unsigned char new_machine_passwd_hash[16]; + fstring trust_passwd; + unsigned char trust_passwd_hash[16]; + unsigned char new_trust_passwd_hash[16]; int ret = 1; fstrcpy(remote_machine, remote ? remote : ""); - fstrcpy(machine_passwd, global_myname); - strlower(machine_passwd); - E_md4hash((uchar *)machine_passwd, machine_passwd_hash); + fstrcpy(trust_passwd, global_myname); + strlower(trust_passwd); + E_md4hash( (uchar *)trust_passwd, trust_passwd_hash); - generate_random_buffer( new_machine_passwd_hash, 16, True); + generate_random_buffer( new_trust_passwd_hash, 16, True); /* Ensure that we are not trying to join a domain if we are locally set up as a domain @@ -195,20 +195,20 @@ for that domain.\n", prog_name, domain); /* * Get the machine account password. */ - if(!machine_password_lock( domain, global_myname, True)) { + if(!trust_password_lock( domain, global_myname, True)) { fprintf(stderr, "%s: unable to open the machine account password file for \ machine %s in domain %s.\n", prog_name, global_myname, domain); return 1; } - if(!set_machine_account_password( new_machine_passwd_hash)) { + if(!set_trust_account_password( new_trust_passwd_hash)) { fprintf(stderr, "%s: unable to read the machine account password for \ machine %s in domain %s.\n", prog_name, global_myname, domain); - machine_password_unlock(); + trust_password_unlock(); return 1; } - machine_password_unlock(); + trust_password_unlock(); /* * If we are given a remote machine assume this is the PDC. 
@@ -216,7 +216,7 @@ machine %s in domain %s.\n", prog_name, global_myname, domain); if(remote != NULL) { strupper(remote_machine); - ret = setup_account( domain, remote_machine, machine_passwd_hash, new_machine_passwd_hash); + ret = setup_account( domain, remote_machine, trust_passwd_hash, new_trust_passwd_hash); if(ret == 0) printf("%s: Joined domain %s.\n", prog_name, domain); } else { @@ -235,7 +235,7 @@ unable to join domain.\n", prog_name); while(p && next_token( &p, remote_machine, LIST_SEP)) { strupper(remote_machine); - if(setup_account( domain, remote_machine, machine_passwd_hash, new_machine_passwd_hash) == 0) { + if(setup_account( domain, remote_machine, trust_passwd_hash, new_trust_passwd_hash) == 0) { printf("%s: Joined domain %s.\n", prog_name, domain); return 0; } @@ -243,7 +243,7 @@ unable to join domain.\n", prog_name); } if(ret) { - machine_password_delete( domain, global_myname); + trust_password_delete( domain, global_myname); fprintf(stderr,"%s: Unable to join domain %s.\n", prog_name, domain); } @@ -275,7 +275,7 @@ int main(int argc, char **argv) char *remote_machine = NULL; BOOL add_user = False; BOOL got_new_pass = False; - BOOL machine_account = False; + BOOL trust_account = False; BOOL disable_user = False; BOOL set_no_password = False; BOOL joining_domain = False; @@ -370,7 +370,7 @@ int main(int argc, char **argv) usage(prog_name, is_root); case 'm': if(is_root) { - machine_account = True; + trust_account = True; } else usage(prog_name, is_root); break; @@ -433,7 +433,7 @@ int main(int argc, char **argv) if(*user_name) { - if(machine_account) { + if(trust_account) { int username_len = strlen(user_name); if(username_len >= sizeof(pstring) - 1) { fprintf(stderr, "%s: machine account name too long.\n", user_name); 
@@ -500,7 +500,7 @@ int main(int argc, char **argv) * the machinename as the password. */ - if(add_user && machine_account) { + if(add_user && trust_account) { got_new_pass = True; strncpy(new_passwd, user_name, sizeof(fstring)); new_passwd[sizeof(fstring)-1] = '\0'; @@ -611,7 +611,7 @@ int main(int argc, char **argv) * Check for a machine account. */ - if(machine_account && !pwd) { + if(trust_account && !pwd) { fprintf(stderr, "%s: User %s does not exist in system password file \ (usually /etc/passwd). Cannot add machine account without a valid system user.\n", prog_name, user_name); @@ -673,7 +673,7 @@ int main(int argc, char **argv) new_smb_pwent.smb_name = pwd->pw_name; new_smb_pwent.smb_passwd = NULL; new_smb_pwent.smb_nt_passwd = NULL; - new_smb_pwent.acct_ctrl = (machine_account ? ACB_WSTRUST : ACB_NORMAL); + new_smb_pwent.acct_ctrl = (trust_account ? ACB_WSTRUST : ACB_NORMAL); if(disable_user) { new_smb_pwent.acct_ctrl |= ACB_DISABLED; -- cgit