From f35157f39293f9fa240a28642c41708b55d301c8 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Fri, 4 May 2001 15:44:27 +0000 Subject: Big cleanup of passdb and backends. I did some basic tests but I have probably broken something. Notably the password changing. So don't cry ;-) J.F. (This used to be commit a4a4c02b12f030a3b9e6225b999c90689dfc4719) --- source3/Makefile.in | 12 +- source3/groupdb/mapping.c | 37 +- source3/include/mapping.h | 4 + source3/include/proto.h | 37 +- source3/include/smb.h | 41 +- source3/passdb/passdb.c | 733 ++++++++++++---------------------- source3/passdb/pdb_smbpasswd.c | 222 ++++++----- source3/passdb/pdb_tdb.c | 97 +++-- source3/rpc_server/srv_netlog_nt.c | 90 +++-- source3/rpc_server/srv_pipe.c | 29 +- source3/rpc_server/srv_samr.c | 129 +++--- source3/rpc_server/srv_samr_nt.c | 782 ++++++++++++++++++++++--------------- source3/rpc_server/srv_util.c | 29 +- source3/smbd/chgpasswd.c | 98 +++-- source3/smbd/lanman.c | 8 +- source3/smbd/password.c | 24 +- source3/smbd/reply.c | 14 +- source3/utils/pdbedit.c | 93 +++-- source3/utils/smbgroupedit.c | 9 +- source3/utils/smbpasswd.c | 21 +- 20 files changed, 1271 insertions(+), 1238 deletions(-) diff --git a/source3/Makefile.in b/source3/Makefile.in index a62886246a..2b31ace4c3 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -156,7 +156,7 @@ LOCKING_OBJ = locking/locking.o locking/brlock.o locking/posix.o PASSDB_OBJ = passdb/passdb.o passdb/secrets.o \ passdb/pass_check.o passdb/smbpassfile.o \ passdb/machine_sid.o passdb/pdb_smbpasswd.o \ - passdb/pdb_tdb.o passdb/pampass.o + passdb/pampass.o passdb/pdb_tdb.o GROUPDB_OBJ = groupdb/mapping.o @@ -214,7 +214,7 @@ NMBD_OBJ = $(NMBD_OBJ1) $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) \ SWAT_OBJ = web/cgi.o web/diagnose.o web/startstop.o web/statuspage.o \ web/swat.o $(PRINTING_OBJ) $(LIBSMB_OBJ) $(LOCKING_OBJ) \ $(PARAM_OBJ) $(PASSDB_OBJ) $(RPC_CLIENT_OBJ) $(RPC_PARSE_OBJ) \ - $(UBIQX_OBJ) $(LIB_OBJ) + $(UBIQX_OBJ) $(LIB_OBJ) $(GROUPDB_OBJ) SMBSH_OBJ = smbwrapper/smbsh.o smbwrapper/shared.o \ $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) @@ -241,11 +241,11 @@ TESTPRNS_OBJ = utils/testprns.o $(PARAM_OBJ) $(PRINTING_OBJ) $(UBIQX_OBJ) \ $(LIB_OBJ) SMBPASSWD_OBJ = utils/smbpasswd.o $(PARAM_OBJ) \ - $(LIBSMB_OBJ) $(PASSDB_OBJ) \ + $(LIBSMB_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ)\ $(UBIQX_OBJ) $(RPC_CLIENT_OBJ) $(RPC_PARSE_OBJ) $(LIB_OBJ) PDBEDIT_OBJ = utils/pdbedit.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(PASSDB_OBJ) \ - $(UBIQX_OBJ) $(LIB_OBJ) + $(UBIQX_OBJ) $(LIB_OBJ) $(GROUPDB_OBJ) SMBGROUPEDIT_OBJ = utils/smbgroupedit.o $(GROUPDB_OBJ) $(PARAM_OBJ) \ $(LIBSMB_OBJ) $(PASSDB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) @@ -256,7 +256,7 @@ RPCCLIENT_OBJ1 = rpcclient/rpcclient.o rpcclient/cmd_lsarpc.o \ RPCCLIENT_OBJ = $(RPCCLIENT_OBJ1) \ $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \ $(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(LIBMSRPC_OBJ) \ - $(READLINE_OBJ) + $(READLINE_OBJ) $(GROUPDB_OBJ) PAM_WINBIND_OBJ = nsswitch/pam_winbind.po nsswitch/wb_common.po @@ -304,7 +304,7 @@ LOCKTEST_OBJ = utils/locktest.o $(LOCKING_OBJ) $(LIBSMB_OBJ) $(PARAM_OBJ) \ SMBCACLS_OBJ = utils/smbcacls.o $(LOCKING_OBJ) $(LIBSMB_OBJ) $(PARAM_OBJ) \ $(UBIQX_OBJ) $(LIB_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_OBJ) \ - $(LIBMSRPC_OBJ) + $(LIBMSRPC_OBJ) $(GROUPDB_OBJ) LOCKTEST2_OBJ = utils/locktest2.o $(LOCKING_OBJ) $(LIBSMB_OBJ) $(PARAM_OBJ) \ diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c index 435d315518..bc5ac3e9eb 100644 --- a/source3/groupdb/mapping.c +++ b/source3/groupdb/mapping.c @@ -388,7 +388,8 @@ BOOL group_map_remove(DOM_SID sid) /**************************************************************************** enumerate the group mapping ****************************************************************************/ -BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, int *num_entries) +BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, + int *num_entries, BOOL unix_only) { TDB_DATA kbuf, dbuf, newkey; fstring string_sid; @@ -405,10 +406,12 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, int *n kbuf.dptr; newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) { - if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue; + if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) + continue; dbuf = tdb_fetch(tdb, kbuf); - if (!dbuf.dptr) continue; + if (!dbuf.dptr) + continue; fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX)); @@ -416,10 +419,15 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, int *n &map.gid, &map.sid_name_use, &map.nt_name, &map.comment, &map.privilege); safe_free(dbuf.dptr); - if (ret != dbuf.dsize) continue; + if (ret != dbuf.dsize) + continue; /* list only the type or everything if UNKNOWN */ - if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use) continue; + if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use) + continue; + + if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) + continue; string_to_sid(&map.sid, string_sid); @@ -513,19 +521,29 @@ BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map) { struct group *grp; + DEBUG(10, ("get_domain_group_from_sid\n")); + /* if the group is NOT in the database, it CAN NOT be a domain group */ if(!get_group_map_from_sid(sid, map)) return False; + DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n")); + /* if it's not a domain group, continue */ if (map->sid_name_use!=SID_NAME_DOM_GRP) return False; + + DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n")); if (map->gid==-1) return False; + DEBUG(10, ("get_domain_group_from_sid: SID is mapped to gid:%d\n",map->gid)); + if ( (grp=getgrgid(map->gid)) == NULL) - return False; + return False; + + DEBUG(10, ("get_domain_group_from_sid: gid exists in UNIX security\n")); return True; } @@ -599,8 +617,6 @@ Returns a GROUP_MAP struct based on the gid. BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map) { struct group *grp; - DOM_SID sid; - uint32 rid; if ( (grp=getgrgid(gid)) == NULL) return False; @@ -613,9 +629,8 @@ BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map) map->sid_name_use=SID_NAME_ALIAS; map->privilege=SE_PRIV_NONE; - rid=pdb_gid_to_group_rid(gid); - sid_copy(&sid, &global_sam_sid); - sid_append_rid(&sid, rid); + sid_copy(&map->sid, &global_sam_sid); + sid_append_rid(&map->sid, pdb_gid_to_group_rid(gid)); fstrcpy(map->nt_name, grp->gr_name); fstrcpy(map->comment, "Local Unix Group"); diff --git a/source3/include/mapping.h b/source3/include/mapping.h index 2543f6e42a..f3e0be6e4a 100644 --- a/source3/include/mapping.h +++ b/source3/include/mapping.h @@ -42,3 +42,7 @@ typedef struct _PRIVS { #define SE_PRIV_ALL 0xffff #define PRIV_ALL_INDEX 4 + + +#define ENUM_ONLY_MAPPED True +#define ENUM_ALL_MAPPED False diff --git a/source3/include/proto.h b/source3/include/proto.h index 98922a06f9..daa393e0e1 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -29,7 +29,8 @@ BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map); BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map); BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map); BOOL group_map_remove(DOM_SID sid); -BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, int *num_entries); +BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, + int *num_entries, BOOL unix_only); void convert_priv_from_text(uint32 *se_priv, char *privilege); void convert_priv_to_text(uint32 se_priv, char *privilege); BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map); @@ -2051,8 +2052,8 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, /*The following definitions come from passdb/passdb.c */ BOOL initialize_password_db(BOOL reload); -void pdb_init_sam(SAM_ACCOUNT *user); -void pdb_clear_sam(SAM_ACCOUNT *user); +BOOL pdb_init_sam(SAM_ACCOUNT **user); +BOOL pdb_clear_sam(SAM_ACCOUNT *user); struct sam_disp_info *pdb_sam_to_dispinfo(SAM_ACCOUNT *user); char *pdb_encode_acct_ctrl(uint16 acct_ctrl, size_t length); uint16 pdb_decode_acct_ctrl(const char *p); @@ -2120,11 +2121,11 @@ BOOL pdb_set_uid (SAM_ACCOUNT *sampass, uid_t uid); BOOL pdb_set_gid (SAM_ACCOUNT *sampass, gid_t gid); BOOL pdb_set_user_rid (SAM_ACCOUNT *sampass, uint32 rid); BOOL pdb_set_group_rid (SAM_ACCOUNT *sampass, uint32 grid); -BOOL pdb_set_username (SAM_ACCOUNT *sampass, char *username); -BOOL pdb_set_domain (SAM_ACCOUNT *sampass, char *domain); -BOOL pdb_set_nt_username (SAM_ACCOUNT *sampass, char *nt_username); -BOOL pdb_set_fullname (SAM_ACCOUNT *sampass, char *fullname); -BOOL pdb_set_logon_script (SAM_ACCOUNT *sampass, char *logon_script); +BOOL pdb_set_username(SAM_ACCOUNT *sampass, char *username); +BOOL pdb_set_domain(SAM_ACCOUNT *sampass, char *domain); +BOOL pdb_set_nt_username(SAM_ACCOUNT *sampass, char *nt_username); +BOOL pdb_set_fullname(SAM_ACCOUNT *sampass, char *fullname); +BOOL pdb_set_logon_script(SAM_ACCOUNT *sampass, char *logon_script); BOOL pdb_set_profile_path (SAM_ACCOUNT *sampass, char *profile_path); BOOL pdb_set_dir_drive (SAM_ACCOUNT *sampass, char *dir_drive); BOOL pdb_set_homedir (SAM_ACCOUNT *sampass, char *homedir); @@ -2142,22 +2143,22 @@ BOOL pdb_set_hours (SAM_ACCOUNT *sampass, uint8 *hours); BOOL pdb_setsampwent (BOOL update); void pdb_endsampwent (void); -SAM_ACCOUNT* pdb_getsampwent (void); -SAM_ACCOUNT* pdb_getsampwnam (char *username); -SAM_ACCOUNT* pdb_getsampwuid (uid_t uid); -SAM_ACCOUNT* pdb_getsampwrid (uint32 rid); -BOOL pdb_add_sam_account (SAM_ACCOUNT *sampass); -BOOL pdb_update_sam_account (SAM_ACCOUNT *sampass, BOOL override); +BOOL pdb_getsampwent(SAM_ACCOUNT *user); +BOOL pdb_getsampwnam(SAM_ACCOUNT *sam_acct, char *username); +BOOL pdb_getsampwuid (SAM_ACCOUNT *sam_acct, uid_t uid); +BOOL pdb_getsampwrid(SAM_ACCOUNT *sam_acct,uint32 rid); +BOOL pdb_add_sam_account(SAM_ACCOUNT *sampass); +BOOL pdb_update_sam_account(SAM_ACCOUNT *sampass, BOOL override); BOOL pdb_delete_sam_account (char* username); /*The following definitions come from passdb/pdb_tdb.c */ BOOL pdb_setsampwent(BOOL update); void pdb_endsampwent(void); -SAM_ACCOUNT* pdb_getsampwent(void); -SAM_ACCOUNT* pdb_getsampwnam (char *sname); -SAM_ACCOUNT* pdb_getsampwuid (uid_t uid); -SAM_ACCOUNT* pdb_getsampwrid (uint32 rid); +BOOL pdb_getsampwent(SAM_ACCOUNT *user); +BOOL pdb_getsampwnam (SAM_ACCOUNT *user, char *sname); +BOOL pdb_getsampwuid (SAM_ACCOUNT* user, uid_t uid); +BOOL pdb_getsampwrid (SAM_ACCOUNT *user, uint32 rid); BOOL pdb_delete_sam_account(char *sname); BOOL pdb_update_sam_account (SAM_ACCOUNT *newpwd, BOOL override); BOOL pdb_add_sam_account (SAM_ACCOUNT *newpwd); diff --git a/source3/include/smb.h b/source3/include/smb.h index 7f4825b501..0993d349a2 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -644,28 +644,25 @@ typedef struct typedef struct sam_passwd { - TALLOC_CTX *mem_ctx; /* used for all dynamically allocated - memory in this struct*/ - - time_t logon_time; /* logon time */ - time_t logoff_time; /* logoff time */ - time_t kickoff_time; /* kickoff time */ - time_t pass_last_set_time; /* password last set time */ - time_t pass_can_change_time; /* password can change time */ - time_t pass_must_change_time; /* password must change time */ - - char *username; /* UNIX username string */ - char *domain; /* Windows Domain name */ - char *nt_username; /* Windows username string */ - char *full_name; /* user's full name string */ - char *home_dir; /* home directory string */ - char *dir_drive; /* home directory drive string */ - char *logon_script; /* logon script string */ - char *profile_path; /* profile path string */ - char *acct_desc ; /* user description string */ - char *workstations; /* login from workstations string */ - char *unknown_str ; /* don't know what this is, yet. */ - char *munged_dial ; /* munged path name and dial-back tel number */ + time_t logon_time; /* logon time */ + time_t logoff_time; /* logoff time */ + time_t kickoff_time; /* kickoff time */ + time_t pass_last_set_time; /* password last set time */ + time_t pass_can_change_time; /* password can change time */ + time_t pass_must_change_time; /* password must change time */ + + pstring username; /* UNIX username string */ + pstring domain; /* Windows Domain name */ + pstring nt_username; /* Windows username string */ + pstring full_name; /* user's full name string */ + pstring home_dir; /* home directory string */ + pstring dir_drive; /* home directory drive string */ + pstring logon_script; /* logon script string */ + pstring profile_path; /* profile path string */ + pstring acct_desc ; /* user description string */ + pstring workstations; /* login from workstations string */ + pstring unknown_str ; /* don't know what this is, yet. */ + pstring munged_dial ; /* munged path name and dial-back tel number */ uid_t uid; /* this is actually the unix uid_t */ gid_t gid; /* this is actually the unix gid_t */ diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 50bf5e73f3..3df58b2e7a 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -98,49 +98,66 @@ static void pdb_init_dispinfo(struct sam_disp_info *user) } /************************************************************* - initialises a struct sam_passwd. + alloc memory and initialises a struct sam_passwd. ************************************************************/ -void pdb_init_sam(SAM_ACCOUNT *user) +BOOL pdb_init_sam(SAM_ACCOUNT **user) { - if (user == NULL) - return; + if (*user != NULL) { + DEBUG(0,("pdb_init_sam: SAM_ACCOUNT was non NULL\n")); +#if 0 + smb_panic("NULL pointer passed to pdb_init_sam\n"); +#endif + return False; + } - ZERO_STRUCTP(user); - - user->mem_ctx = talloc_init(); - DEBUG(10, ("pdb_init_sam: obtained a talloc context of 0x%x\n", - (unsigned)user->mem_ctx)); - - user->logon_time = (time_t)0; - user->logoff_time = (time_t)-1; - user->kickoff_time = (time_t)-1; - user->pass_last_set_time = (time_t)-1; - user->pass_can_change_time = (time_t)-1; - user->pass_must_change_time = (time_t)-1; - - user->unknown_3 = 0x00ffffff; /* don't know */ - user->logon_divs = 168; /* hours per week */ - user->hours_len = 21; /* 21 times 8 bits = 168 */ - memset(user->hours, 0xff, user->hours_len); /* available at all hours */ - user->unknown_5 = 0x00000000; /* don't know */ - user->unknown_6 = 0x000004ec; /* don't know */ + *user=(SAM_ACCOUNT *)malloc(sizeof(SAM_ACCOUNT)); + + if (*user==NULL) { + DEBUG(0,("pdb_init_sam: error while allocating memory\n")); + return False; + } + + ZERO_STRUCTP(*user); + + (*user)->logon_time = (time_t)0; + (*user)->logoff_time = (time_t)-1; + (*user)->kickoff_time = (time_t)-1; + (*user)->pass_last_set_time = (time_t)-1; + (*user)->pass_can_change_time = (time_t)-1; + (*user)->pass_must_change_time = (time_t)-1; + + (*user)->unknown_3 = 0x00ffffff; /* don't know */ + (*user)->logon_divs = 168; /* hours per week */ + (*user)->hours_len = 21; /* 21 times 8 bits = 168 */ + memset((*user)->hours, 0xff, (*user)->hours_len); /* available at all hours */ + (*user)->unknown_5 = 0x00000000; /* don't know */ + (*user)->unknown_6 = 0x000004ec; /* don't know */ + + return True; } /************************************************************ - free all pointer members and then reinit the SAM_ACCOUNT + free the SAM_ACCOUNT and the NT/LM hashes. ***********************************************************/ -void pdb_clear_sam(SAM_ACCOUNT *user) +BOOL pdb_clear_sam(SAM_ACCOUNT *user) { - if (user == NULL) - return; + if (user == NULL) { + DEBUG(0,("pdb_clear_sam: SAM_ACCOUNT was NULL\n")); +#if 0 + smb_panic("NULL pointer passed to pdb_clear_sam\n"); +#endif + return False; + } - /* free upany memory used */ - DEBUG(10, ("pdb_clear_sam: releasing memory. talloc context is 0x%x\n",(unsigned)user->mem_ctx)); - talloc_destroy (user->mem_ctx); - - /* now initialize */ - pdb_init_sam(user); + if (user->nt_pw) + free(user->nt_pw); + + if (user->lm_pw) + free(user->lm_pw); + + free(user); + return True; } @@ -455,9 +472,10 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) } } else { - gid_t gid; + gid_t gid=-1; struct group *gr; - + GROUP_MAP map; + DOM_SID sid; /* * Don't try to convert the rid to a name if running * in appliance mode @@ -466,11 +484,30 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) if (lp_hide_local_users()) return False; - gid = pdb_user_rid_to_gid(rid); - gr = getgrgid(gid); + /* + * First try the TDB. If the RID exists and is mapped to a unix group, + * return the NT name and the type. + */ + + sid_copy(&sid, &global_sam_sid); + sid_append_rid(&sid, rid); + if (get_group_map_from_sid(sid, &map) && map.gid!=-1) { + *psid_name_use = map.sid_name_use; + fstrcpy(name, map.nt_name); - *psid_name_use = SID_NAME_ALIAS; + DEBUG(5,("local_lookup_rid: found NT group %s mapped to Unix gid %u for rid %u\n", + name, (unsigned int)map.gid, (unsigned int)rid )); + if(!getgrgid(gid)) + return False; + else + return True; + } + + *psid_name_use = SID_NAME_ALIAS; + gid = pdb_user_rid_to_gid(rid); + + gr = getgrgid(gid); DEBUG(5,("local_local_rid: looking up gid %u %s\n", (unsigned int)gid, gr ? "succeeded" : "failed" )); @@ -481,8 +518,7 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) fstrcpy( name, gr->gr_name); - DEBUG(5,("local_lookup_rid: found group %s for rid %u\n", name, - (unsigned int)rid )); + DEBUG(5,("local_lookup_rid: found group %s for rid %u\n", name, (unsigned int)rid )); } return True; @@ -529,21 +565,34 @@ BOOL local_lookup_name(const char *c_domain, const char *c_user, DOM_SID *psid, (void)map_username(user); - if(!(pass = Get_Pwnam(user, True))) { + if((pass = Get_Pwnam(user, True))) { + sid_append_rid( &local_sid, pdb_uid_to_user_rid(pass->pw_uid)); + *psid_name_use = SID_NAME_USER; + } else { /* * Maybe it was a group ? */ - struct group *grp = getgrnam(user); + GROUP_MAP map; + struct group *grp = NULL; - if(!grp) - return False; + /* It can be a mapped group */ + if (get_group_map_from_ntname(user, &map) && map.gid!=-1) { - sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid)); - *psid_name_use = SID_NAME_ALIAS; - } else { + grp=getgrgid(map.gid); + if (!grp) + return False; - sid_append_rid( &local_sid, pdb_uid_to_user_rid(pass->pw_uid)); - *psid_name_use = SID_NAME_USER; + sid_copy(&local_sid, &map.sid); + *psid_name_use = map.sid_name_use; + } else { + /* It wasn't mapped, it can be a Unix group */ + grp=getgrnam(user); + if(!grp) + return False; + + sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid)); + *psid_name_use = SID_NAME_ALIAS; + } } sid_copy( psid, &local_sid); @@ -661,13 +710,10 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type) return True; } -static void select_name(fstring *string, char **name, const UNISTR2 *from) +static void select_name(pstring string, const UNISTR2 *from) { if (from->buffer != 0) - { - unistr2_to_ascii(*string, from, sizeof(*string)); - *name = *string; - } + unistr2_to_ascii(string, from, sizeof(*string)); } /************************************************************* @@ -675,16 +721,6 @@ static void select_name(fstring *string, char **name, const UNISTR2 *from) **************************************************************/ void copy_id23_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_23 *from) { - static fstring smb_name; - static fstring full_name; - static fstring home_dir; - static fstring dir_drive; - static fstring logon_script; - static fstring profile_path; - static fstring acct_desc; - static fstring workstations; - static fstring unknown_str; - static fstring munged_dial; if (from == NULL || to == NULL) return; @@ -696,16 +732,16 @@ void copy_id23_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_23 *from) to->pass_can_change_time = nt_time_to_unix(&from->pass_can_change_time); to->pass_must_change_time = nt_time_to_unix(&from->pass_must_change_time); - select_name(&smb_name , &to->username , &from->uni_user_name ); - select_name(&full_name , &to->full_name , &from->uni_full_name ); - select_name(&home_dir , &to->home_dir , &from->uni_home_dir ); - select_name(&dir_drive , &to->dir_drive , &from->uni_dir_drive ); - select_name(&logon_script, &to->logon_script, &from->uni_logon_script); - select_name(&profile_path, &to->profile_path, &from->uni_profile_path); - select_name(&acct_desc , &to->acct_desc , &from->uni_acct_desc ); - select_name(&workstations, &to->workstations, &from->uni_workstations); - select_name(&unknown_str , &to->unknown_str , &from->uni_unknown_str ); - select_name(&munged_dial , &to->munged_dial , &from->uni_munged_dial ); + select_name(to->username , &from->uni_user_name ); + select_name(to->full_name , &from->uni_full_name ); + select_name(to->home_dir , &from->uni_home_dir ); + select_name(to->dir_drive , &from->uni_dir_drive ); + select_name(to->logon_script, &from->uni_logon_script); + select_name(to->profile_path, &from->uni_profile_path); + select_name(to->acct_desc , &from->uni_acct_desc ); + select_name(to->workstations, &from->uni_workstations); + select_name(to->unknown_str , &from->uni_unknown_str ); + select_name(to->munged_dial , &from->uni_munged_dial ); to->user_rid = from->user_rid; to->group_rid = from->group_rid; @@ -726,17 +762,6 @@ void copy_id23_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_23 *from) **************************************************************/ void copy_id21_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_21 *from) { - static fstring smb_name; - static fstring full_name; - static fstring home_dir; - static fstring dir_drive; - static fstring logon_script; - static fstring profile_path; - static fstring acct_desc; - static fstring workstations; - static fstring unknown_str; - static fstring munged_dial; - if (from == NULL || to == NULL) return; @@ -747,16 +772,16 @@ void copy_id21_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_21 *from) to->pass_can_change_time = nt_time_to_unix(&from->pass_can_change_time); to->pass_must_change_time = nt_time_to_unix(&from->pass_must_change_time); - select_name(&smb_name , &to->username , &from->uni_user_name ); - select_name(&full_name , &to->full_name , &from->uni_full_name ); - select_name(&home_dir , &to->home_dir , &from->uni_home_dir ); - select_name(&dir_drive , &to->dir_drive , &from->uni_dir_drive ); - select_name(&logon_script, &to->logon_script, &from->uni_logon_script); - select_name(&profile_path, &to->profile_path, &from->uni_profile_path); - select_name(&acct_desc , &to->acct_desc , &from->uni_acct_desc ); - select_name(&workstations, &to->workstations, &from->uni_workstations); - select_name(&unknown_str , &to->unknown_str , &from->uni_unknown_str ); - select_name(&munged_dial , &to->munged_dial , &from->uni_munged_dial ); + select_name(to->username , &from->uni_user_name ); + select_name(to->full_name , &from->uni_full_name ); + select_name(to->home_dir , &from->uni_home_dir ); + select_name(to->dir_drive , &from->uni_dir_drive ); + select_name(to->logon_script, &from->uni_logon_script); + select_name(to->profile_path, &from->uni_profile_path); + select_name(to->acct_desc , &from->uni_acct_desc ); + select_name(to->workstations, &from->uni_workstations); + select_name(to->unknown_str , &from->uni_unknown_str ); + select_name(to->munged_dial , &from->uni_munged_dial ); to->user_rid = from->user_rid; to->group_rid = from->group_rid; @@ -781,93 +806,9 @@ void copy_id21_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_21 *from) **************************************************************/ void copy_sam_passwd(SAM_ACCOUNT *to, const SAM_ACCOUNT *from) { - int len; - if (!from || !to) return; - pdb_clear_sam (to); - - /* copy all non-pointers */ - memcpy(to, from, sizeof(*from)); - - if (from->username) { - len=strlen(from->username)+1; - to->username = talloc(to->mem_ctx, len); - StrnCpy (to->username, from->username, len-1); - } - - if (from->full_name) { - len=strlen(from->full_name)+1; - to->full_name = talloc(to->mem_ctx, len); - StrnCpy (to->full_name, from->full_name, len-1); - } - - if (from->nt_username) { - len=strlen(from->nt_username)+1; - to->nt_username = talloc(to->mem_ctx, len); - StrnCpy (to->nt_username, from->nt_username, len-1); - } - - if (from->profile_path) { - len=strlen(from->profile_path)+1; - to->profile_path = talloc(to->mem_ctx, len); - StrnCpy (to->profile_path, from->profile_path, len-1); - } - - if (from->logon_script) { - len=strlen(from->logon_script)+1; - to->logon_script = talloc(to->mem_ctx, len); - StrnCpy (to->logon_script, from->logon_script, len-1); - } - - if (from->home_dir) { - len=strlen(from->home_dir)+1; - to->home_dir = talloc(to->mem_ctx, len); - StrnCpy (to->home_dir, from->home_dir, len-1); - } - - if (from->dir_drive) { - len=strlen(from->dir_drive)+1; - to->dir_drive = talloc(to->mem_ctx, len); - StrnCpy (to->dir_drive, from->dir_drive, len-1); - } - - if (from->workstations) { - len=strlen(from->workstations)+1; - to->workstations = talloc(to->mem_ctx, len); - StrnCpy (to->workstations, from->workstations, len-1); - } - - if (from->acct_desc) { - len=strlen(from->acct_desc)+1; - to->acct_desc = talloc(to->mem_ctx, len); - StrnCpy (to->acct_desc, from->acct_desc, len-1); - } - - if (from->munged_dial) { - len=strlen(from->munged_dial)+1; - to->munged_dial = talloc(to->mem_ctx, len); - StrnCpy (to->munged_dial, from->munged_dial, len); - } - - if (from->unknown_str) { - len=strlen(from->unknown_str)+1; - to->unknown_str = talloc(to->mem_ctx, len); - StrnCpy (to->unknown_str, from->unknown_str, len-1); - } - - - if (from->nt_pw) { - to->nt_pw = talloc(to->mem_ctx, 16); - memcpy (to->nt_pw, from->nt_pw, 16); - } - - if (from->lm_pw) { - to->lm_pw = talloc(to->mem_ctx, 16); - memcpy (to->lm_pw, from->lm_pw, 16); - } - - return; + memcpy(to, from, sizeof(SAM_ACCOUNT)); } /************************************************************* @@ -886,8 +827,8 @@ BOOL local_password_change(char *user_name, int local_flags, char *msg_str, size_t msg_str_len) { struct passwd *pwd = NULL; - SAM_ACCOUNT *sam_pass; - SAM_ACCOUNT new_sam_acct; + SAM_ACCOUNT *sam_pass=NULL; + SAM_ACCOUNT *new_sam_acct=NULL; uchar new_p16[16]; uchar new_nt_p16[16]; @@ -912,62 +853,60 @@ account without a valid local system user.\n", user_name); nt_lm_owf_gen(new_passwd, new_nt_p16, new_p16); /* Get the smb passwd entry for this user */ - sam_pass = pdb_getsampwnam(user_name); - if (sam_pass == NULL) - { - if(!(local_flags & LOCAL_ADD_USER)) - { + pdb_init_sam(&sam_pass); + if(!pdb_getsampwnam(sam_pass, user_name)) { + pdb_clear_sam(sam_pass); + return False; + } + + if (sam_pass == NULL) { + if(!(local_flags & LOCAL_ADD_USER)) { slprintf(err_str, err_str_len-1,"Failed to find entry for user %s.\n", user_name); + pdb_clear_sam(sam_pass); return False; } /* create the SAM_ACCOUNT struct and call pdb_add_sam_account. Because the new_sam_pwd only exists in the scope of this function we will not allocate memory for members */ - pdb_init_sam (&new_sam_acct); - pdb_set_username (&new_sam_acct, user_name); - pdb_set_fullname (&new_sam_acct, pwd->pw_gecos); - pdb_set_uid (&new_sam_acct, pwd->pw_uid); - pdb_set_gid (&new_sam_acct, pwd->pw_gid); - pdb_set_pass_last_set_time(&new_sam_acct, time(NULL)); - pdb_set_profile_path (&new_sam_acct, lp_logon_path()); - pdb_set_homedir (&new_sam_acct, lp_logon_home()); - pdb_set_dir_drive (&new_sam_acct, lp_logon_drive()); - pdb_set_logon_script (&new_sam_acct, lp_logon_script()); + pdb_init_sam(&new_sam_acct); + pdb_set_username(new_sam_acct, user_name); + pdb_set_fullname(new_sam_acct, pwd->pw_gecos); + pdb_set_uid(new_sam_acct, pwd->pw_uid); + pdb_set_gid(new_sam_acct, pwd->pw_gid); + pdb_set_pass_last_set_time(new_sam_acct, time(NULL)); + pdb_set_profile_path(new_sam_acct, lp_logon_path()); + pdb_set_homedir(new_sam_acct, lp_logon_home()); + pdb_set_dir_drive(new_sam_acct, lp_logon_drive()); + pdb_set_logon_script(new_sam_acct, lp_logon_script()); /* set account flags */ - pdb_set_acct_ctrl(&new_sam_acct,((local_flags & LOCAL_TRUST_ACCOUNT) ? ACB_WSTRUST : ACB_NORMAL) ); + pdb_set_acct_ctrl(new_sam_acct,((local_flags & LOCAL_TRUST_ACCOUNT) ? ACB_WSTRUST : ACB_NORMAL) ); + if (local_flags & LOCAL_DISABLE_USER) - { - pdb_set_acct_ctrl (&new_sam_acct, pdb_get_acct_ctrl(&new_sam_acct)|ACB_DISABLED); - } + pdb_set_acct_ctrl (new_sam_acct, pdb_get_acct_ctrl(new_sam_acct)|ACB_DISABLED); + if (local_flags & LOCAL_SET_NO_PASSWORD) - { - pdb_set_acct_ctrl (&new_sam_acct, pdb_get_acct_ctrl(&new_sam_acct)|ACB_PWNOTREQ); - } - else - { + pdb_set_acct_ctrl (new_sam_acct, pdb_get_acct_ctrl(new_sam_acct)|ACB_PWNOTREQ); + else { /* set the passwords here. if we get to here it means we have a valid, active account */ - pdb_set_lanman_passwd (&new_sam_acct, new_p16); - pdb_set_nt_passwd (&new_sam_acct, new_nt_p16); + pdb_set_lanman_passwd (new_sam_acct, new_p16); + pdb_set_nt_passwd (new_sam_acct, new_nt_p16); } - - - if (pdb_add_sam_account(&new_sam_acct)) - { + + pdb_clear_sam(sam_pass); + + if (pdb_add_sam_account(new_sam_acct)) { slprintf(msg_str, msg_str_len-1, "Added user %s.\n", user_name); - pdb_clear_sam (&new_sam_acct); + pdb_clear_sam(new_sam_acct); return True; - } - else - { + } else { slprintf(err_str, err_str_len-1, "Failed to add entry for user %s.\n", user_name); + pdb_clear_sam(new_sam_acct); return False; } - } - else - { + } else { /* the entry already existed */ local_flags &= ~LOCAL_ADD_USER; } @@ -978,25 +917,21 @@ account without a valid local system user.\n", user_name); */ if(local_flags & LOCAL_DISABLE_USER) - { pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_DISABLED); - } else if (local_flags & LOCAL_ENABLE_USER) - { - if(pdb_get_lanman_passwd(sam_pass) == NULL) { + if(pdb_get_lanman_passwd(sam_pass) == NULL) { pdb_set_lanman_passwd (sam_pass, new_p16); pdb_set_nt_passwd (sam_pass, new_nt_p16); } pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED)); - } else if (local_flags & LOCAL_SET_NO_PASSWORD) - { + } else if (local_flags & LOCAL_SET_NO_PASSWORD) { pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_PWNOTREQ); /* This is needed to preserve ACB_PWNOTREQ in mod_smbfilepwd_entry */ pdb_set_lanman_passwd (sam_pass, NULL); pdb_set_nt_passwd (sam_pass, NULL); - } + } else { /* @@ -1015,20 +950,19 @@ account without a valid local system user.\n", user_name); pdb_set_nt_passwd (sam_pass, new_nt_p16); } - if(local_flags & LOCAL_DELETE_USER) - { - if (!pdb_delete_sam_account(user_name)) - { + if(local_flags & LOCAL_DELETE_USER) { + if (!pdb_delete_sam_account(user_name)) { slprintf(err_str,err_str_len-1, "Failed to delete entry for user %s.\n", user_name); + pdb_clear_sam(sam_pass); return False; } slprintf(msg_str, msg_str_len-1, "Deleted user %s.\n", user_name); } else { - if(!pdb_update_sam_account(sam_pass, True)) - { + if(!pdb_update_sam_account(sam_pass, True)) { slprintf(err_str, err_str_len-1, "Failed to modify entry for user %s.\n", user_name); + pdb_clear_sam(sam_pass); return False; } if(local_flags & LOCAL_DISABLE_USER) @@ -1039,6 +973,7 @@ account without a valid local system user.\n", user_name); slprintf(msg_str, msg_str_len-1, "User %s password set to none.\n", user_name); } + pdb_clear_sam(sam_pass); return True; } @@ -1412,333 +1347,182 @@ BOOL pdb_set_group_rid (SAM_ACCOUNT *sampass, uint32 grid) return True; } -BOOL pdb_set_username (SAM_ACCOUNT *sampass, char *username) -{ - int len; - - if (!sampass || !sampass->mem_ctx) return False; - - if (!username) - { - sampass->username = NULL; - return True; - } - - len = strlen(username)+1; - sampass->username = (char*)talloc(sampass->mem_ctx, len); - - if (sampass->username == NULL ) - { - DEBUG (0,("pdb_set_username: ERROR - Unable to talloc memory for [%s]\n", username)); +/********************************************************************* + set the user's UNIX name + ********************************************************************/ +BOOL pdb_set_username(SAM_ACCOUNT *sampass, char *username) +{ + if (!sampass || !username) return False; - } - - StrnCpy (sampass->username, username, len-1); + + StrnCpy (sampass->username, username, strlen(username)); return True; } -BOOL pdb_set_domain (SAM_ACCOUNT *sampass, char *domain) -{ - int len; - - if (!sampass || !sampass->mem_ctx) return False; - - if (!domain) - { - sampass->domain = NULL; - return True; - } - - len = strlen(domain)+1; - sampass->domain = talloc (sampass->mem_ctx, len); - - if (sampass->domain == NULL ) - { - DEBUG (0,("pdb_set_domain: ERROR - Unable to talloc memory for [%s]\n", domain)); +/********************************************************************* + set the domain name + ********************************************************************/ +BOOL pdb_set_domain(SAM_ACCOUNT *sampass, char *domain) +{ + if (!sampass || !domain) return False; - } - - StrnCpy (sampass->domain, domain, len-1); + + StrnCpy (sampass->domain, domain, strlen(domain)); return True; } -BOOL pdb_set_nt_username (SAM_ACCOUNT *sampass, char *nt_username) +/********************************************************************* + set the user's NT name + ********************************************************************/ +BOOL pdb_set_nt_username(SAM_ACCOUNT *sampass, char *nt_username) { - int len; - - if (!sampass || !sampass->mem_ctx) return False; - - if (!nt_username) - { - sampass->nt_username = NULL; - return True; - } - - len = strlen(nt_username)+1; - sampass->nt_username = talloc (sampass->mem_ctx, len); - - if (sampass->nt_username == NULL ) - { - DEBUG (0,("pdb_set_nt_username: ERROR - Unable to talloc memory for [%s]\n", nt_username)); + if (!sampass || !nt_username) return False; - } - - StrnCpy (sampass->nt_username, nt_username, len-1); + + StrnCpy (sampass->nt_username, nt_username, strlen(nt_username)); return True; } -BOOL pdb_set_fullname (SAM_ACCOUNT *sampass, char *fullname) +/********************************************************************* + set the user's full name + ********************************************************************/ +BOOL pdb_set_fullname(SAM_ACCOUNT *sampass, char *fullname) { - int len; - - if (!sampass || !sampass->mem_ctx) return False; - - if (!fullname) - { - sampass->full_name = NULL; - return True; - } - - len = strlen(fullname)+1; - sampass->full_name = talloc (sampass->mem_ctx, len); - - if (sampass->full_name == NULL ) - { - DEBUG (0,("pdb_set_fullname: ERROR - Unable to talloc memory for [%s]\n", fullname)); + if (!sampass || !fullname) return False; - } - - StrnCpy (sampass->full_name, fullname, len-1); + + StrnCpy (sampass->full_name, fullname, strlen(fullname)); return True; } -BOOL pdb_set_logon_script (SAM_ACCOUNT *sampass, char *logon_script) +/********************************************************************* + set the user's logon script + ********************************************************************/ +BOOL pdb_set_logon_script(SAM_ACCOUNT *sampass, char *logon_script) { - int len; - - if (!sampass || !sampass->mem_ctx) return False; - - if (!logon_script) - { - sampass->logon_script = NULL; - return True; - } - - len = strlen(logon_script)+1; - sampass->logon_script = talloc (sampass->mem_ctx, len); - - if (sampass->logon_script == NULL ) - { - DEBUG (0,("pdb_set_logon_script: ERROR - Unable to talloc memory for [%s]\n", logon_script)); + if (!sampass || !logon_script) return False; - } - - StrnCpy (sampass->logon_script, logon_script, len-1); + + StrnCpy (sampass->logon_script, logon_script, strlen(logon_script)); return True; } +/********************************************************************* + set the user's profile path + ********************************************************************/ BOOL pdb_set_profile_path (SAM_ACCOUNT *sampass, char *profile_path) { - int len; - - if (!sampass || !sampass->mem_ctx) return False; - - if (!profile_path) - { - sampass->profile_path = NULL; - return True; - } - - len = strlen(profile_path)+1; - sampass->profile_path = talloc (sampass->mem_ctx, len); - - if (!sampass->profile_path) - { - DEBUG (0,("pdb_set_profile_path: ERROR - Unable to talloc memory for [%s]\n", profile_path)); + if (!sampass || !profile_path) return False; - } - StrnCpy (sampass->profile_path, profile_path, len-1); + StrnCpy (sampass->profile_path, profile_path, strlen(profile_path)); return True; } +/********************************************************************* + set the user's directory drive + ********************************************************************/ BOOL pdb_set_dir_drive (SAM_ACCOUNT *sampass, char *dir_drive) { - int len; - - if (!sampass || !sampass->mem_ctx) return False; - - if (!dir_drive) - { - sampass->dir_drive = NULL; - return True; - } - - len = strlen(dir_drive)+1; - sampass->dir_drive = talloc (sampass->mem_ctx, len); - - if (sampass->dir_drive == NULL ) - { - DEBUG (0,("pdb_set_dir_drive: ERROR - Unable to talloc memory for [%s]\n", dir_drive)); + if (!sampass || !dir_drive) return False; - } - - StrnCpy (sampass->dir_drive, dir_drive, len-1); + + StrnCpy (sampass->dir_drive, dir_drive, strlen(dir_drive)); return True; } +/********************************************************************* + set the user's home directory + ********************************************************************/ BOOL pdb_set_homedir (SAM_ACCOUNT *sampass, char *homedir) { - int len; - - if (!sampass || !sampass->mem_ctx) return False; - - if (!homedir) - { - sampass->home_dir = NULL; - return True; - } - - len = strlen(homedir)+1; - sampass->home_dir = talloc (sampass->mem_ctx, len); - - if (sampass->home_dir == NULL ) - { - DEBUG (0,("pdb_set_homedir: ERROR - Unable to talloc memory for [%s]\n", homedir)); + if (!sampass || !homedir) return False; - } - StrnCpy (sampass->home_dir, homedir, len-1); + StrnCpy (sampass->home_dir, homedir, strlen(homedir)); return True; } +/********************************************************************* + set the user's account description + ********************************************************************/ BOOL pdb_set_acct_desc (SAM_ACCOUNT *sampass, char *acct_desc) { - int len; - - if (!sampass || !sampass->mem_ctx) return False; - - if (!acct_desc) - { - sampass->acct_desc = NULL; - return True; - } - - len = strlen(acct_desc)+1; - sampass->acct_desc = talloc (sampass->mem_ctx, len); - - if (sampass->acct_desc == NULL ) - { - DEBUG (0,("pdb_set_acct_desc: ERROR - Unable to talloc memory for [%s]\n", acct_desc)); + if (!sampass || !acct_desc) return False; - } - StrnCpy (sampass->acct_desc, acct_desc, len-1); + StrnCpy (sampass->acct_desc, acct_desc, strlen(acct_desc)); return True; } +/********************************************************************* + set the user's workstation allowed list + ********************************************************************/ BOOL pdb_set_workstations (SAM_ACCOUNT *sampass, char *workstations) { - int len; - - if (!sampass || !sampass->mem_ctx) return False; + if (!sampass || !workstations) return False; - if (!workstations) - { - sampass->workstations = NULL; - return True; - } - - len = strlen(workstations)+1; - sampass->workstations = talloc (sampass->mem_ctx, len); - - if (sampass->workstations == NULL ) - { - DEBUG (0,("pdb_set_workstations: ERROR - Unable to talloc memory for [%s]\n", workstations)); - return False; - } - - StrnCpy (sampass->workstations, workstations, len-1); + StrnCpy (sampass->workstations, workstations, strlen(workstations)); return True; } +/********************************************************************* + set the user's dial string + ********************************************************************/ BOOL pdb_set_munged_dial (SAM_ACCOUNT *sampass, char *munged_dial) { - int len; - - if (!sampass || !sampass->mem_ctx) return False; + if (!sampass || !munged_dial) return False; - if (!munged_dial) - { - sampass->munged_dial = NULL; - return True; - } - - len = strlen(munged_dial)+1; - sampass->munged_dial = talloc (sampass->mem_ctx, len); - - if (sampass->munged_dial == NULL ) - { - DEBUG (0,("pdb_set_munged_dial: ERROR - Unable to talloc memory for [%s]\n", munged_dial)); - return False; - } - - StrnCpy (sampass->munged_dial, munged_dial, len-1); + StrnCpy (sampass->munged_dial, munged_dial, strlen(munged_dial)); return True; } +/********************************************************************* + set the user's NT hash + ********************************************************************/ BOOL pdb_set_nt_passwd (SAM_ACCOUNT *sampass, uint8 *pwd) { - if (!sampass || !sampass->mem_ctx) return False; - - if (!pwd) - { - sampass->nt_pw = NULL; - return True; - } + if (!sampass || !pwd) return False; - sampass->nt_pw = talloc (sampass->mem_ctx, 16); - - if (sampass->nt_pw == NULL ) - { - DEBUG (0,("pdb_set_nt_passwd: ERROR - Unable to talloc memory for [%s]\n", pwd)); - return False; - } + if (sampass->nt_pw!=NULL) + DEBUG(0,("pdb_set_nt_passwd: NT hash non NULL overwritting ?\n")); + else + sampass->nt_pw=(unsigned char *)malloc(sizeof(unsigned char)*16); + if (sampass->nt_pw==NULL) + return False; + memcpy (sampass->nt_pw, pwd, 16); return True; } +/********************************************************************* + set the user's LM hash + ********************************************************************/ BOOL pdb_set_lanman_passwd (SAM_ACCOUNT *sampass, uint8 *pwd) { - if (!sampass || !sampass->mem_ctx) return False; + if (!sampass || !*pwd) return False; - if (!pwd) - { - sampass->lm_pw = NULL; - return True; - } - - sampass->lm_pw = talloc (sampass->mem_ctx, 16); - - if (sampass->lm_pw == NULL ) - { - DEBUG (0,("pdb_set_lanman_passwd: ERROR - Unable to talloc memory for [%s]\n", pwd)); - return False; - } + if (sampass->lm_pw!=NULL) + DEBUG(0,("pdb_set_nt_passwd: LM hash non NULL overwritting ?\n")); + else + sampass->lm_pw=(unsigned char *)malloc(sizeof(unsigned char)*16); + if (sampass->lm_pw==NULL) + return False; + memcpy (sampass->lm_pw, pwd, 16); return True; @@ -1773,7 +1557,7 @@ BOOL pdb_set_unknown_6 (SAM_ACCOUNT *sampass, uint32 unkn) BOOL pdb_set_hours (SAM_ACCOUNT *sampass, uint8 *hours) { - if (!sampass || !sampass->mem_ctx) return False; + if (!sampass) return False; if (!hours) { @@ -1785,4 +1569,3 @@ BOOL pdb_set_hours (SAM_ACCOUNT *sampass, uint8 *hours) return True; } - diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c index 57253d9b78..3679bd1319 100644 --- a/source3/passdb/pdb_smbpasswd.c +++ b/source3/passdb/pdb_smbpasswd.c @@ -56,7 +56,7 @@ static void *global_vp; /* static memory area used by all passdb search functions in this module */ -static SAM_ACCOUNT global_sam_pass; +/*static SAM_ACCOUNT global_sam_pass;*/ enum pwf_access_type { PWF_READ, PWF_UPDATE, PWF_CREATE }; @@ -1163,16 +1163,16 @@ static BOOL build_smb_pass (struct smb_passwd *smb_pw, SAM_ACCOUNT *sampass) if (sampass == NULL) return False; - ZERO_STRUCTP (smb_pw); + ZERO_STRUCTP(smb_pw); - smb_pw->smb_userid = pdb_get_uid(sampass); - smb_pw->smb_name = pdb_get_username(sampass); + smb_pw->smb_userid=pdb_get_uid(sampass); + smb_pw->smb_name=pdb_get_username(sampass); - smb_pw->smb_passwd = pdb_get_lanman_passwd(sampass); - smb_pw->smb_nt_passwd = pdb_get_nt_passwd(sampass); + smb_pw->smb_passwd=pdb_get_lanman_passwd(sampass); + smb_pw->smb_nt_passwd=pdb_get_nt_passwd(sampass); - smb_pw->acct_ctrl = pdb_get_acct_ctrl(sampass); - smb_pw->pass_last_set_time = pdb_get_pass_last_set_time(sampass); + smb_pw->acct_ctrl=pdb_get_acct_ctrl(sampass); + smb_pw->pass_last_set_time=pdb_get_pass_last_set_time(sampass); return True; @@ -1181,23 +1181,21 @@ static BOOL build_smb_pass (struct smb_passwd *smb_pw, SAM_ACCOUNT *sampass) /********************************************************************* Create a SAM_ACCOUNT from a smb_passwd struct ********************************************************************/ -static BOOL build_sam_account (SAM_ACCOUNT *sam_pass, - struct smb_passwd *pw_buf) +static BOOL build_sam_account(SAM_ACCOUNT *sam_pass, struct smb_passwd *pw_buf) { - struct passwd *pwfile; + struct passwd *pwfile; - if (!sam_pass) - return (False); - - pdb_clear_sam (sam_pass); + if (sam_pass==NULL) { + DEBUG(5,("build_sam_account: SAM_ACCOUNT is NULL\n")); + return False; + } /* Verify in system password file... FIXME!!! This is where we should look up an internal mapping of allocated uid for machine accounts as well --jerry */ pwfile = sys_getpwnam(pw_buf->smb_name); - if (pwfile == NULL) - { + if (pwfile == NULL) { DEBUG(0,("build_sam_account: smbpasswd database is corrupt! username %s not in unix passwd database!\n", pw_buf->smb_name)); return False; } @@ -1206,17 +1204,25 @@ static BOOL build_sam_account (SAM_ACCOUNT *sam_pass, --jerry */ pstrcpy(samlogon_user, pw_buf->smb_name); - pdb_set_uid (sam_pass, pwfile->pw_uid); - pdb_set_gid (sam_pass, pwfile->pw_gid); - pdb_set_user_rid (sam_pass, pdb_uid_to_user_rid (pdb_get_uid(sam_pass)) ); - pdb_set_username (sam_pass, pw_buf->smb_name); - pdb_set_nt_passwd (sam_pass, pw_buf->smb_nt_passwd); + pdb_set_uid (sam_pass, pwfile->pw_uid); + pdb_set_gid (sam_pass, pwfile->pw_gid); + pdb_set_fullname(sam_pass, pwfile->pw_gecos); + + pdb_set_user_rid(sam_pass, pdb_uid_to_user_rid (pwfile->pw_uid)); + + /* should check the group mapping here instead of static mappig. JFM */ + pdb_set_group_rid(sam_pass, pdb_gid_to_group_rid(pwfile->pw_gid)); + + pdb_set_username (sam_pass, pw_buf->smb_name); + pdb_set_nt_passwd (sam_pass, pw_buf->smb_nt_passwd); pdb_set_lanman_passwd (sam_pass, pw_buf->smb_passwd); - pdb_set_acct_ctrl (sam_pass, pw_buf->acct_ctrl); + pdb_set_acct_ctrl (sam_pass, pw_buf->acct_ctrl); pdb_set_pass_last_set_time (sam_pass, pw_buf->pass_last_set_time); pdb_set_pass_can_change_time (sam_pass, pw_buf->pass_last_set_time); - pdb_set_domain (sam_pass, lp_workgroup()); + pdb_set_domain (sam_pass, lp_workgroup()); + pdb_set_dir_drive (sam_pass, lp_logon_drive()); + /* FIXME!! What should this be set to? New smb.conf parameter maybe? max password age? For now, we'll use the current time + 21 days. --jerry */ @@ -1241,17 +1247,9 @@ static BOOL build_sam_account (SAM_ACCOUNT *sam_pass, pstrcpy(str, lp_logon_home()); standard_sub_advanced(-1, pw_buf->smb_name, "", gid, str); pdb_set_homedir(sam_pass, str); - - pdb_set_fullname(sam_pass, pwfile->pw_gecos); - - /* set other user information that we have */ - pdb_set_group_rid (sam_pass, pdb_gid_to_group_rid(pdb_get_gid(&global_sam_pass)) ); - pdb_set_dir_drive (sam_pass, lp_logon_drive()); - + sam_logon_in_ssb = False; - } - else - { + } else { /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. */ pdb_set_group_rid (sam_pass, DOMAIN_GROUP_RID_USERS); } @@ -1295,31 +1293,34 @@ void pdb_endsampwent (void) } /***************************************************************** - pdb_getsampwent() uses a static memory ares (returning a pointer - to this) for all instances. This is identical behavior to the - getpwnam() call. If the caller wishes to save the SAM_ACCOUNT - struct, it should make a copy immediately after calling this - function. ****************************************************************/ -SAM_ACCOUNT* pdb_getsampwent (void) +BOOL pdb_getsampwent(SAM_ACCOUNT *user) { - struct smb_passwd *pw_buf; - - + struct smb_passwd *pw_buf=NULL; + DEBUG(5,("pdb_getsampwent\n")); + if (user==NULL) { + DEBUG(5,("pdb_getsampwent: user is NULL\n")); +#if 0 + smb_panic("NULL pointer passed to pdb_getsampwent\n"); +#endif + return False; + } + /* do we have an entry? */ pw_buf = getsmbfilepwent(global_vp); if (pw_buf == NULL) - return NULL; + return False; - /* build the SAM_ACCOUNT entry from the smb_passwd struct. - This will also clear out the previous SAM_ACCOUNT fields */ - if (!build_sam_account (&global_sam_pass, pw_buf)) - return NULL; + /* build the SAM_ACCOUNT entry from the smb_passwd struct. */ + if (!build_sam_account(user, pw_buf)) + return False; + + DEBUG(5,("pdb_getsampwent:done\n")); /* success */ - return &global_sam_pass; + return True; } @@ -1328,13 +1329,13 @@ SAM_ACCOUNT* pdb_getsampwent (void) call getpwnam() for unix account information until we have found the correct entry ***************************************************************/ -SAM_ACCOUNT* pdb_getsampwnam (char *username) +BOOL pdb_getsampwnam(SAM_ACCOUNT *sam_acct, char *username) { - struct smb_passwd *smb_pw; - void *fp = NULL; - char *domain = NULL; - char *user = NULL; - fstring name; + struct smb_passwd *smb_pw; + void *fp = NULL; + char *domain = NULL; + char *user = NULL; + fstring name; DEBUG(10, ("pdb_getsampwnam: search by name: %s\n", username)); @@ -1345,8 +1346,7 @@ SAM_ACCOUNT* pdb_getsampwnam (char *username) /* break the username from the domain if we have been given a string in the form 'DOMAIN\user' */ fstrcpy (name, username); - if ((user=strchr(name, '\\')) != NULL) - { + if ((user=strchr(name, '\\')) != NULL) { domain = name; *user = '\0'; user++; @@ -1354,18 +1354,17 @@ SAM_ACCOUNT* pdb_getsampwnam (char *username) /* if a domain was specified and it wasn't ours then there is no chance of matching */ - if ( (domain) && (!StrCaseCmp(domain, lp_workgroup())) ) - return (NULL); + if ( domain && !StrCaseCmp(domain, lp_workgroup()) ) + return False; /* startsmbfilepwent() is used here as we don't want to lookup the UNIX account in the local system password file until we have a match. */ fp = startsmbfilepwent(lp_smb_passwd_file(), PWF_READ, &pw_file_lock_depth); - if (fp == NULL) - { + if (fp == NULL) { DEBUG(0, ("unable to open passdb database.\n")); - return NULL; + return False; } /* if we have a domain name, then we should map it to a UNIX @@ -1381,35 +1380,40 @@ SAM_ACCOUNT* pdb_getsampwnam (char *username) /* did we locate the username in smbpasswd */ if (smb_pw == NULL) - { - return (NULL); - } + return False; DEBUG(10, ("pdb_getsampwnam: found by name: %s\n", smb_pw->smb_name)); + + if (!sam_acct) { + DEBUG(10,("pdb_getsampwnam:SAM_ACCOUNT is NULL\n")); +#if 0 + smb_panic("NULL pointer passed to pdb_getsampwnam\n"); +#endif + return False; + } /* now build the SAM_ACCOUNT */ - if (!build_sam_account (&global_sam_pass, smb_pw)) - return NULL; + if (!build_sam_account(sam_acct, smb_pw)) + return False; /* success */ - return (&global_sam_pass); + return True; } -SAM_ACCOUNT* pdb_getsampwuid (uid_t uid) +BOOL pdb_getsampwuid (SAM_ACCOUNT *sam_acct, uid_t uid) { - struct smb_passwd *smb_pw; - void *fp = NULL; + struct smb_passwd *smb_pw; + void *fp = NULL; DEBUG(10, ("pdb_getsampwuid: search by uid: %d\n", uid)); /* Open the sam password file - not for update. */ fp = startsmbfilepwent(lp_smb_passwd_file(), PWF_READ, &pw_file_lock_depth); - if (fp == NULL) - { + if (fp == NULL) { DEBUG(0, ("unable to open passdb database.\n")); - return NULL; + return False; } while ( ((smb_pw=getsmbfilepwent(fp)) != NULL) && (smb_pw->smb_userid != uid) ) @@ -1417,37 +1421,41 @@ SAM_ACCOUNT* pdb_getsampwuid (uid_t uid) endsmbfilepwent(fp, &pw_file_lock_depth); - /* did we locate the username in smbpasswd */ if (smb_pw == NULL) - { - return (NULL); - } + return False; DEBUG(10, ("pdb_getsampwuid: found by name: %s\n", smb_pw->smb_name)); + if (!sam_acct) { + DEBUG(10,("pdb_getsampwuid:SAM_ACCOUNT is NULL\n")); +#if 0 + smb_panic("NULL pointer passed to pdb_getsampwuid\n"); +#endif + return False; + } + /* now build the SAM_ACCOUNT */ - if (!build_sam_account (&global_sam_pass, smb_pw)) - return NULL; + if (!build_sam_account(sam_acct, smb_pw)) + return False; /* success */ - return (&global_sam_pass); + return True; } -SAM_ACCOUNT* pdb_getsampwrid (uint32 rid) +BOOL pdb_getsampwrid(SAM_ACCOUNT *sam_acct,uint32 rid) { - struct smb_passwd *smb_pw; - void *fp = NULL; + struct smb_passwd *smb_pw; + void *fp = NULL; DEBUG(10, ("pdb_getsampwrid: search by rid: %d\n", rid)); /* Open the sam password file - not for update. */ fp = startsmbfilepwent(lp_smb_passwd_file(), PWF_READ, &pw_file_lock_depth); - if (fp == NULL) - { + if (fp == NULL) { DEBUG(0, ("unable to open passdb database.\n")); - return NULL; + return False; } while ( ((smb_pw=getsmbfilepwent(fp)) != NULL) && (pdb_uid_to_user_rid(smb_pw->smb_userid) != rid) ) @@ -1458,51 +1466,57 @@ SAM_ACCOUNT* pdb_getsampwrid (uint32 rid) /* did we locate the username in smbpasswd */ if (smb_pw == NULL) - { - return (NULL); - } + return False; DEBUG(10, ("pdb_getsampwrid: found by name: %s\n", smb_pw->smb_name)); + if (!sam_acct) { + DEBUG(10,("pdb_getsampwrid:SAM_ACCOUNT is NULL\n")); +#if 0 + smb_panic("NULL pointer passed to pdb_getsampwrid\n"); +#endif + return False; + } + /* now build the SAM_ACCOUNT */ - if (!build_sam_account (&global_sam_pass, smb_pw)) - return NULL; + if (!build_sam_account (sam_acct, smb_pw)) + return False; /* success */ - return (&global_sam_pass); + return True; } -BOOL pdb_add_sam_account (SAM_ACCOUNT *sampass) +BOOL pdb_add_sam_account(SAM_ACCOUNT *sampass) { - struct smb_passwd smb_pw; - BOOL ret; + struct smb_passwd smb_pw; /* convert the SAM_ACCOUNT */ build_smb_pass(&smb_pw, sampass); /* add the entry */ - ret = add_smbfilepwd_entry(&smb_pw); + if(!add_smbfilepwd_entry(&smb_pw)) + return False; - return (ret); + return True; } -BOOL pdb_update_sam_account (SAM_ACCOUNT *sampass, BOOL override) +BOOL pdb_update_sam_account(SAM_ACCOUNT *sampass, BOOL override) { - struct smb_passwd smb_pw; - BOOL ret; + struct smb_passwd smb_pw; /* convert the SAM_ACCOUNT */ build_smb_pass(&smb_pw, sampass); /* update the entry */ - ret = mod_smbfilepwd_entry(&smb_pw, override); + if(!mod_smbfilepwd_entry(&smb_pw, override)) + return False; - return (ret); + return True; } BOOL pdb_delete_sam_account (char* username) { - return ( del_smbfilepwd_entry(username) ); + return del_smbfilepwd_entry(username); } #else diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c index 8db8b2e60d..0bf8ca2da5 100644 --- a/source3/passdb/pdb_tdb.c +++ b/source3/passdb/pdb_tdb.c @@ -40,7 +40,7 @@ struct tdb_enum_info }; static struct tdb_enum_info global_tdb_ent; -static SAM_ACCOUNT global_sam_pass; +/*static SAM_ACCOUNT global_sam_pass;*/ /********************************************************************** Intialize a SAM_ACCOUNT struct from a BYTE buffer of size len @@ -79,7 +79,6 @@ static BOOL init_sam_from_buffer (SAM_ACCOUNT *sampass, uint8 *buf, *nt_pw_ptr; uint32 len = 0; uint32 lmpwlen, ntpwlen, hourslen; - /* unpack the buffer into variables */ len = tdb_unpack (buf, buflen, TDB_FORMAT_STRING, @@ -376,7 +375,7 @@ void pdb_endsampwent(void) /***************************************************************** Get one SAM_ACCOUNT from the TDB (next in line) *****************************************************************/ -SAM_ACCOUNT* pdb_getsampwent(void) +BOOL pdb_getsampwent(SAM_ACCOUNT *user) { TDB_DATA data; struct passwd *pw; @@ -385,6 +384,11 @@ SAM_ACCOUNT* pdb_getsampwent(void) char *prefix = USERPREFIX; int prefixlen = strlen (prefix); + if (user==NULL) { + DEBUG(0,("pdb_get_sampwent: SAM_ACCOUNT is NULL.\n")); + return False; + } + /* skip all RID entries */ while ((global_tdb_ent.key.dsize != 0) && (strncmp (global_tdb_ent.key.dptr, prefix, prefixlen))) /* increment to next in line */ @@ -394,56 +398,55 @@ SAM_ACCOUNT* pdb_getsampwent(void) if(global_tdb_ent.passwd_tdb == NULL) { DEBUG(0,("pdb_get_sampwent: Bad TDB Context pointer.\n")); - return NULL; + return False; } data = tdb_fetch (global_tdb_ent.passwd_tdb, global_tdb_ent.key); if (!data.dptr) { DEBUG(5,("pdb_getsampwent: database entry not found.\n")); - return NULL; + return False; } /* unpack the buffer */ - pdb_clear_sam (&global_sam_pass); - if (!init_sam_from_buffer (&global_sam_pass, data.dptr, data.dsize)) + if (!init_sam_from_buffer (user, data.dptr, data.dsize)) { DEBUG(0,("pdb_getsampwent: Bad SAM_ACCOUNT entry returned from TDB!\n")); - return NULL; + return False; } /* validate the account and fill in UNIX uid and gid. sys_getpwnam() is used instaed of Get_Pwnam() as we do not need to try case permutations */ - if ((pw=sys_getpwnam(pdb_get_username(&global_sam_pass))) == NULL) + if ((pw=sys_getpwnam(pdb_get_username(user))) == NULL) { DEBUG(0,("pdb_getsampwent: getpwnam(%s) return NULL. User does not exist!\n", - pdb_get_username(&global_sam_pass))); - return NULL; + pdb_get_username(user))); + return False; } uid = pw->pw_uid; gid = pw->pw_gid; - pdb_set_uid (&global_sam_pass, uid); - pdb_set_gid (&global_sam_pass, gid); + pdb_set_uid (user, uid); + pdb_set_gid (user, gid); /* 21 days from present */ - pdb_set_pass_must_change_time(&global_sam_pass, time(NULL)+1814400); + pdb_set_pass_must_change_time(user, time(NULL)+1814400); - standard_sub_advanced(-1, pdb_get_username(&global_sam_pass), "", gid, pdb_get_logon_script(&global_sam_pass)); - standard_sub_advanced(-1, pdb_get_username(&global_sam_pass), "", gid, pdb_get_profile_path(&global_sam_pass)); - standard_sub_advanced(-1, pdb_get_username(&global_sam_pass), "", gid, pdb_get_homedir(&global_sam_pass)); + standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_logon_script(user)); + standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_profile_path(user)); + standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_homedir(user)); /* increment to next in line */ global_tdb_ent.key = tdb_nextkey (global_tdb_ent.passwd_tdb, global_tdb_ent.key); - return (&global_sam_pass); + return True; } /****************************************************************** Lookup a name in the SAM TDB ******************************************************************/ -SAM_ACCOUNT* pdb_getsampwnam (char *sname) +BOOL pdb_getsampwnam (SAM_ACCOUNT *user, char *sname) { TDB_CONTEXT *pwd_tdb; TDB_DATA data, key; @@ -453,7 +456,13 @@ SAM_ACCOUNT* pdb_getsampwnam (char *sname) fstring name; uid_t uid; gid_t gid; - + + + if (user==NULL) { + DEBUG(0,("pdb_getsampwnam: SAM_ACCOUNT is NULL.\n")); + return False; + } + fstrcpy (name, sname); strlower (name); pstrcpy (tdbfile, lp_private_dir()); @@ -478,53 +487,58 @@ SAM_ACCOUNT* pdb_getsampwnam (char *sname) DEBUG(5,("pdb_getsampwnam (TDB): error fetching database.\n")); DEBUGADD(5, (" Error: %s\n", tdb_errorstr(pwd_tdb))); tdb_close (pwd_tdb); - return NULL; + return False; } /* unpack the buffer */ - pdb_clear_sam (&global_sam_pass); - if (!init_sam_from_buffer (&global_sam_pass, data.dptr, data.dsize)) + /*pdb_clear_sam (&global_sam_pass);*/ + if (!init_sam_from_buffer (user, data.dptr, data.dsize)) { DEBUG(0,("pdb_getsampwent: Bad SAM_ACCOUNT entry returned from TDB!\n")); - return NULL; + return False; } /* validate the account and fill in UNIX uid and gid. sys_getpwnam() is used instaed of Get_Pwnam() as we do not need to try case permutations */ - if ((pw=sys_getpwnam(pdb_get_username(&global_sam_pass))) == NULL) + if ((pw=sys_getpwnam(pdb_get_username(user))) == NULL) { DEBUG(0,("pdb_getsampwent: getpwnam(%s) return NULL. User does not exist!\n", - pdb_get_username(&global_sam_pass))); - return NULL; + pdb_get_username(user))); + return False; } uid = pw->pw_uid; gid = pw->pw_gid; - pdb_set_uid (&global_sam_pass, uid); - pdb_set_gid (&global_sam_pass, gid); + pdb_set_uid (user, uid); + pdb_set_gid (user, gid); /* 21 days from present */ - pdb_set_pass_must_change_time(&global_sam_pass, time(NULL)+1814400); + pdb_set_pass_must_change_time(user, time(NULL)+1814400); - standard_sub_advanced(-1, pdb_get_username(&global_sam_pass), "", gid, pdb_get_logon_script(&global_sam_pass)); - standard_sub_advanced(-1, pdb_get_username(&global_sam_pass), "", gid, pdb_get_profile_path(&global_sam_pass)); - standard_sub_advanced(-1, pdb_get_username(&global_sam_pass), "", gid, pdb_get_homedir(&global_sam_pass)); + standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_logon_script(user)); + standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_profile_path(user)); + standard_sub_advanced(-1, pdb_get_username(user), "", gid, pdb_get_homedir(user)); /* cleanup */ tdb_close (pwd_tdb); - return (&global_sam_pass); + return True; } /*************************************************************************** Search by uid **************************************************************************/ -SAM_ACCOUNT* pdb_getsampwuid (uid_t uid) +BOOL pdb_getsampwuid (SAM_ACCOUNT* user, uid_t uid) { struct passwd *pw; fstring name; + if (user==NULL) { + DEBUG(0,("pdb_getsampwuid: SAM_ACCOUNT is NULL.\n")); + return False; + } + pw = sys_getpwuid(uid); if (pw == NULL) { @@ -533,14 +547,14 @@ SAM_ACCOUNT* pdb_getsampwuid (uid_t uid) } fstrcpy (name, pw->pw_name); - return pdb_getsampwnam (name); + return pdb_getsampwnam (user, name); } /*************************************************************************** Search by rid **************************************************************************/ -SAM_ACCOUNT* pdb_getsampwrid (uint32 rid) +BOOL pdb_getsampwrid (SAM_ACCOUNT *user, uint32 rid) { TDB_CONTEXT *pwd_tdb; TDB_DATA data, key; @@ -548,6 +562,11 @@ SAM_ACCOUNT* pdb_getsampwrid (uint32 rid) pstring tdbfile; fstring name; + if (user==NULL) { + DEBUG(0,("pdb_getsampwrid: SAM_ACCOUNT is NULL.\n")); + return False; + } + pstrcpy (tdbfile, lp_private_dir()); pstrcat (tdbfile, PASSDB_FILE_NAME); @@ -570,14 +589,14 @@ SAM_ACCOUNT* pdb_getsampwrid (uint32 rid) DEBUG(5,("pdb_getsampwrid (TDB): error fetching database.\n")); DEBUGADD(5, (" Error: %s\n", tdb_errorstr(pwd_tdb))); tdb_close (pwd_tdb); - return NULL; + return False; } fstrcpy (name, data.dptr); tdb_close (pwd_tdb); - return pdb_getsampwnam (name); + return pdb_getsampwnam (user, name); } diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 6b1fe64ddc..2047aaf255 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -119,6 +119,7 @@ static BOOL get_md4pw(char *md4pw, char *mach_acct) { SAM_ACCOUNT *sampass = NULL; uint8 *pass; + BOOL ret; #if 0 /* @@ -138,23 +139,31 @@ static BOOL get_md4pw(char *md4pw, char *mach_acct) } #endif /* 0 */ - /* JRA. This is ok as it is only used for generating the challenge. */ + if(!pdb_init_sam(&sampass)) + return False; + /* JRA. This is ok as it is only used for generating the challenge. */ become_root(); - sampass = pdb_getsampwnam(mach_acct); + ret=pdb_getsampwnam(sampass, mach_acct); unbecome_root(); - if ((sampass) != NULL && !(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) && - ((pass=pdb_get_nt_passwd(sampass)) != NULL)) - { + if (ret==False) { + DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct)); + pdb_clear_sam(sampass); + return False; + } + + if (!(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) && ((pass=pdb_get_nt_passwd(sampass)) != NULL)) { memcpy(md4pw, pass, 16); dump_data(5, md4pw, 16); - + pdb_clear_sam(sampass); return True; } - + DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct)); + pdb_clear_sam(sampass); return False; + } /************************************************************************* @@ -308,7 +317,7 @@ uint32 _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *r_ uint32 status = NT_STATUS_WRONG_PASSWORD; DOM_CRED srv_cred; pstring mach_acct; - SAM_ACCOUNT *sampass; + SAM_ACCOUNT *sampass=NULL; BOOL ret = False; unsigned char pwd[16]; int i; @@ -328,15 +337,19 @@ uint32 _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *r_ q_u->clnt_id.login.uni_acct_name.uni_str_len)); DEBUG(3,("Server Password Set Wksta:[%s]\n", mach_acct)); + + pdb_init_sam(&sampass); become_root(); - sampass = pdb_getsampwnam(mach_acct); + ret=pdb_getsampwnam(sampass, mach_acct); unbecome_root(); /* Ensure the account exists and is a machine account. */ - if (sampass == NULL || !(pdb_get_acct_ctrl(sampass) & ACB_WSTRUST)) + if (ret==False || !(pdb_get_acct_ctrl(sampass) & ACB_WSTRUST)) { + pdb_clear_sam(sampass); return NT_STATUS_NO_SUCH_USER; + } /* * Check the machine account name we're changing is the same @@ -344,8 +357,10 @@ uint32 _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *r_ * machines changing other machine account passwords. */ - if (!strequal(mach_acct, p->dc.mach_acct)) + if (!strequal(mach_acct, p->dc.mach_acct)) { + pdb_clear_sam(sampass); return NT_STATUS_ACCESS_DENIED; + } DEBUG(100,("Server password set : new given value was :\n")); @@ -370,6 +385,7 @@ uint32 _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *r_ /* set up the LSA Server Password Set response */ init_net_r_srv_pwset(r_u, &srv_cred, status); + pdb_clear_sam(sampass); return r_u->status; } @@ -500,26 +516,28 @@ static uint32 net_login_network(NET_ID_INFO_2 *id2, SAM_ACCOUNT *sampass) uint32 _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *r_u) { uint32 status = NT_STATUS_NOPROBLEMO; - NET_USER_INFO_3 *usr_info = NULL; - DOM_CRED srv_cred; - SAM_ACCOUNT *sampass = NULL; + NET_USER_INFO_3 *usr_info = NULL; + DOM_CRED srv_cred; + SAM_ACCOUNT *sampass = NULL; uint16 acct_ctrl; - UNISTR2 *uni_samlogon_user = NULL; - fstring nt_username; + UNISTR2 *uni_samlogon_user = NULL; + fstring nt_username; + BOOL ret; usr_info = (NET_USER_INFO_3 *)talloc(p->mem_ctx, sizeof(NET_USER_INFO_3)); if (!usr_info) return NT_STATUS_NO_MEMORY; + ZERO_STRUCTP(usr_info); - if (!get_valid_user_struct(p->vuid)) - return NT_STATUS_NO_SUCH_USER; + if (!get_valid_user_struct(p->vuid)) + return NT_STATUS_NO_SUCH_USER; - /* checks and updates credentials. creates reply credentials */ - if (!deal_with_creds(p->dc.sess_key, &p->dc.clnt_cred, &q_u->sam_id.client.cred, &srv_cred)) - return NT_STATUS_INVALID_HANDLE; - else - memcpy(&p->dc.srv_cred, &p->dc.clnt_cred, sizeof(p->dc.clnt_cred)); + /* checks and updates credentials. creates reply credentials */ + if (!deal_with_creds(p->dc.sess_key, &p->dc.clnt_cred, &q_u->sam_id.client.cred, &srv_cred)) + return NT_STATUS_INVALID_HANDLE; + else + memcpy(&p->dc.srv_cred, &p->dc.clnt_cred, sizeof(p->dc.clnt_cred)); r_u->buffer_creds = 1; /* yes, we have valid server credentials */ memcpy(&r_u->srv_creds, &srv_cred, sizeof(r_u->srv_creds)); @@ -530,7 +548,7 @@ uint32 _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *r_ r_u->auth_resp = 1; /* authoritative response */ r_u->switch_value = 3; /* indicates type of validation user info */ - /* find the username */ + /* find the username */ switch (q_u->sam_id.logon_level) { case INTERACTIVE_LOGON_TYPE: @@ -560,18 +578,24 @@ uint32 _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *r_ map_username(nt_username); + pdb_init_sam(&sampass); + /* get the account information */ become_root(); - sampass = pdb_getsampwnam(nt_username); + ret = pdb_getsampwnam(sampass, nt_username); unbecome_root(); - if (sampass == NULL) + if (ret == False){ + pdb_clear_sam(sampass); return NT_STATUS_NO_SUCH_USER; + } acct_ctrl = pdb_get_acct_ctrl(sampass); - if (acct_ctrl & ACB_DISABLED) + if (acct_ctrl & ACB_DISABLED) { + pdb_clear_sam(sampass); return NT_STATUS_ACCOUNT_DISABLED; + } /* Validate password - if required. */ @@ -588,8 +612,10 @@ uint32 _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *r_ } } - if (status != NT_STATUS_NOPROBLEMO) + if (status != NT_STATUS_NOPROBLEMO) { + pdb_clear_sam(sampass); return status; + } /* lkclXXXX this is the point at which, if the login was successful, that the SAM Local Security Authority should @@ -633,7 +659,7 @@ uint32 _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *r_ sam_logon_in_ssb = False; - init_net_user_info3(p->mem_ctx, usr_info, sampass, + init_net_user_info3(p->mem_ctx, usr_info, sampass, 0, /* logon_count */ 0, /* bad_pw_count */ num_gids, /* uint32 num_groups */ @@ -644,7 +670,7 @@ uint32 _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *r_ my_workgroup, /* char *logon_dom */ &global_sam_sid, /* DOM_SID *dom_sid */ NULL); /* char *other_sids */ - } - - return status; + } + pdb_clear_sam(sampass); + return status; } diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 0654f24493..7060979ce4 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -370,27 +370,32 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name return False; } - if(!(sampass = pdb_getsampwnam(pipe_user_name))) { + pdb_init_sam(&sampass); + + if(!pdb_getsampwnam(sampass, pipe_user_name)) { DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n", pipe_user_name)); + pdb_clear_sam(sampass); unbecome_root(); return False; } unbecome_root(); - /* Quit if the account was disabled. */ - if((pdb_get_acct_ctrl(sampass) & ACB_DISABLED) || !pdb_get_lanman_passwd(sampass)) { - DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name)); - return(False); - } + /* Quit if the account was disabled. */ + if((pdb_get_acct_ctrl(sampass) & ACB_DISABLED) || !pdb_get_lanman_passwd(sampass)) { + DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name)); + pdb_clear_sam(sampass); + return False; + } - if(!pdb_get_nt_passwd(sampass)) { - DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name)); - return(False); - } + if(!pdb_get_nt_passwd(sampass)) { + DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name)); + pdb_clear_sam(sampass); + return False; + } - smb_passwd_ptr = pdb_get_lanman_passwd(sampass); + smb_passwd_ptr = pdb_get_lanman_passwd(sampass); } /* @@ -454,6 +459,8 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name guest_user); p->ntlmssp_auth_validated = True; + + pdb_clear_sam(sampass); return True; } diff --git a/source3/rpc_server/srv_samr.c b/source3/rpc_server/srv_samr.c index ca7be9831a..5012f0c483 100644 --- a/source3/rpc_server/srv_samr.c +++ b/source3/rpc_server/srv_samr.c @@ -1284,86 +1284,55 @@ static BOOL api_samr_unknown_2d(pipes_struct *p) static struct api_struct api_samr_cmds [] = { - {"SAMR_CLOSE_HND", SAMR_CLOSE_HND, api_samr_close_hnd}, - {"SAMR_CONNECT", SAMR_CONNECT, api_samr_connect}, - {"SAMR_CONNECT_ANON", SAMR_CONNECT_ANON, api_samr_connect_anon}, - {"SAMR_ENUM_DOMAINS", SAMR_ENUM_DOMAINS, api_samr_enum_domains}, - {"SAMR_ENUM_DOM_USERS", SAMR_ENUM_DOM_USERS, api_samr_enum_dom_users}, - - {"SAMR_ENUM_DOM_GROUPS", SAMR_ENUM_DOM_GROUPS, api_samr_enum_dom_groups}, - {"SAMR_ENUM_DOM_ALIASES", SAMR_ENUM_DOM_ALIASES, api_samr_enum_dom_aliases}, - {"SAMR_QUERY_USERALIASES", SAMR_QUERY_USERALIASES, api_samr_query_useraliases}, - {"SAMR_QUERY_ALIASMEM", SAMR_QUERY_ALIASMEM, api_samr_query_aliasmem}, - {"SAMR_QUERY_GROUPMEM", SAMR_QUERY_GROUPMEM, api_samr_query_groupmem}, - {"SAMR_ADD_ALIASMEM", SAMR_ADD_ALIASMEM, api_samr_add_aliasmem}, - {"SAMR_DEL_ALIASMEM", SAMR_DEL_ALIASMEM, api_samr_del_aliasmem}, - {"SAMR_ADD_GROUPMEM", SAMR_ADD_GROUPMEM, api_samr_add_groupmem}, - {"SAMR_DEL_GROUPMEM", SAMR_DEL_GROUPMEM, api_samr_del_groupmem}, - - {"SAMR_DELETE_DOM_USER", SAMR_DELETE_DOM_USER, api_samr_delete_dom_user}, - {"SAMR_DELETE_DOM_GROUP", SAMR_DELETE_DOM_GROUP, api_samr_delete_dom_group}, - {"SAMR_DELETE_DOM_ALIAS", SAMR_DELETE_DOM_ALIAS, api_samr_delete_dom_alias}, - {"SAMR_CREATE_DOM_GROUP", SAMR_CREATE_DOM_GROUP, api_samr_create_dom_group}, - {"SAMR_CREATE_DOM_ALIAS", SAMR_CREATE_DOM_ALIAS, api_samr_create_dom_alias}, - {"SAMR_LOOKUP_NAMES", SAMR_LOOKUP_NAMES, api_samr_lookup_names}, - {"SAMR_OPEN_USER", SAMR_OPEN_USER, api_samr_open_user}, - {"SAMR_QUERY_USERINFO", SAMR_QUERY_USERINFO, api_samr_query_userinfo}, - {"SAMR_SET_USERINFO", SAMR_SET_USERINFO, api_samr_set_userinfo}, - {"SAMR_SET_USERINFO2", SAMR_SET_USERINFO2, api_samr_set_userinfo2}, - - {"SAMR_QUERY_DOMAIN_INFO", SAMR_QUERY_DOMAIN_INFO, api_samr_query_dom_info}, - {"SAMR_QUERY_USERGROUPS", SAMR_QUERY_USERGROUPS, api_samr_query_usergroups}, - {"SAMR_QUERY_DISPINFO", SAMR_QUERY_DISPINFO, api_samr_query_dispinfo}, - {"SAMR_QUERY_DISPINFO3", SAMR_QUERY_DISPINFO3, api_samr_query_dispinfo}, - {"SAMR_QUERY_DISPINFO4", SAMR_QUERY_DISPINFO4, api_samr_query_dispinfo}, - - {"SAMR_QUERY_ALIASINFO", SAMR_QUERY_ALIASINFO, api_samr_query_aliasinfo}, - {"SAMR_QUERY_GROUPINFO", SAMR_QUERY_GROUPINFO, api_samr_query_groupinfo}, - {"SAMR_SET_GROUPINFO", SAMR_SET_GROUPINFO, api_samr_set_groupinfo}, - {"SAMR_CREATE_USER", SAMR_CREATE_USER, api_samr_create_user}, - {"SAMR_LOOKUP_RIDS", SAMR_LOOKUP_RIDS, api_samr_lookup_rids}, - {"SAMR_GET_DOM_PWINFO", SAMR_GET_DOM_PWINFO, api_samr_get_dom_pwinfo}, - {"SAMR_CHGPASSWD_USER", SAMR_CHGPASSWD_USER, api_samr_chgpasswd_user}, - {"SAMR_OPEN_ALIAS", SAMR_OPEN_ALIAS, api_samr_open_alias}, - {"SAMR_OPEN_GROUP", SAMR_OPEN_GROUP, api_samr_open_group}, - {"SAMR_OPEN_DOMAIN", SAMR_OPEN_DOMAIN, api_samr_open_domain}, - {"SAMR_UNKNOWN_2D", SAMR_UNKNOWN_2D, api_samr_unknown_2d}, - {"SAMR_LOOKUP_DOMAIN", SAMR_LOOKUP_DOMAIN, api_samr_lookup_domain}, - - {"SAMR_QUERY_SEC_OBJECT", SAMR_QUERY_SEC_OBJECT, api_samr_query_sec_obj}, - {"SAMR_GET_USRDOM_PWINFO", SAMR_GET_USRDOM_PWINFO, api_samr_get_usrdom_pwinfo}, - {NULL, 0, NULL} - -#if 0 - - { "SAMR_CLOSE_HND" , SAMR_CLOSE_HND , api_samr_close_hnd }, - { "SAMR_CONNECT" , SAMR_CONNECT , api_samr_connect }, - { "SAMR_CONNECT_ANON" , SAMR_CONNECT_ANON , api_samr_connect_anon }, - { "SAMR_ENUM_DOM_USERS" , SAMR_ENUM_DOM_USERS , api_samr_enum_dom_users }, - { "SAMR_ENUM_DOM_GROUPS" , SAMR_ENUM_DOM_GROUPS , api_samr_enum_dom_groups }, - { "SAMR_ENUM_DOM_ALIASES" , SAMR_ENUM_DOM_ALIASES , api_samr_enum_dom_aliases }, - { "SAMR_LOOKUP_IDS" , SAMR_LOOKUP_IDS , api_samr_lookup_ids }, - { "SAMR_LOOKUP_NAMES" , SAMR_LOOKUP_NAMES , api_samr_lookup_names }, - { "SAMR_OPEN_USER" , SAMR_OPEN_USER , api_samr_open_user }, - { "SAMR_QUERY_USERINFO" , SAMR_QUERY_USERINFO , api_samr_query_userinfo }, - { "SAMR_QUERY_DOMAIN_INFO", SAMR_QUERY_DOMAIN_INFO, api_samr_query_dom_info }, - { "SAMR_QUERY_USERGROUPS" , SAMR_QUERY_USERGROUPS , api_samr_query_usergroups }, - { "SAMR_QUERY_DISPINFO" , SAMR_QUERY_DISPINFO , api_samr_query_dispinfo }, - { "SAMR_QUERY_ALIASINFO" , SAMR_QUERY_ALIASINFO , api_samr_query_aliasinfo }, - { "SAMR_CREATE_USER" , SAMR_CREATE_USER , api_samr_create_user }, - { "SAMR_LOOKUP_RIDS" , SAMR_LOOKUP_RIDS , api_samr_lookup_rids }, - { "SAMR_UNKNOWN_38" , SAMR_UNKNOWN_38 , api_samr_unknown_38 }, - { "SAMR_CHGPASSWD_USER" , SAMR_CHGPASSWD_USER , api_samr_chgpasswd_user }, - { "SAMR_OPEN_ALIAS" , SAMR_OPEN_ALIAS , api_samr_open_alias }, - { "SAMR_OPEN_DOMAIN" , SAMR_OPEN_DOMAIN , api_samr_open_domain }, - { "SAMR_QUERY_SEC_OBJECT" , SAMR_QUERY_SEC_OBJECT , api_samr_query_sec_obj }, - { "SAMR_GET_USRDOM_PWINFO", SAMR_GET_USRDOM_PWINFO, api_samr_get_usrdom_pwinfo}, - { "SAMR_LOOKUP_DOMAIN" , SAMR_LOOKUP_DOMAIN , api_samr_lookup_domain }, - { "SAMR_ENUM_DOMAINS" , SAMR_ENUM_DOMAINS , api_samr_enum_domains }, - { "SAMR_SET_USERINFO" , SAMR_SET_USERINFO , api_samr_set_userinfo }, - { "SAMR_SET_USERINFO2" , SAMR_SET_USERINFO2 , api_samr_set_userinfo2 }, - { NULL , 0 , NULL } -#endif + {"SAMR_CLOSE_HND" , SAMR_CLOSE_HND , api_samr_close_hnd }, + {"SAMR_CONNECT" , SAMR_CONNECT , api_samr_connect }, + {"SAMR_CONNECT_ANON" , SAMR_CONNECT_ANON , api_samr_connect_anon }, + {"SAMR_ENUM_DOMAINS" , SAMR_ENUM_DOMAINS , api_samr_enum_domains }, + {"SAMR_ENUM_DOM_USERS" , SAMR_ENUM_DOM_USERS , api_samr_enum_dom_users }, + + {"SAMR_ENUM_DOM_GROUPS" , SAMR_ENUM_DOM_GROUPS , api_samr_enum_dom_groups }, + {"SAMR_ENUM_DOM_ALIASES" , SAMR_ENUM_DOM_ALIASES , api_samr_enum_dom_aliases }, + {"SAMR_QUERY_USERALIASES" , SAMR_QUERY_USERALIASES, api_samr_query_useraliases}, + {"SAMR_QUERY_ALIASMEM" , SAMR_QUERY_ALIASMEM , api_samr_query_aliasmem }, + {"SAMR_QUERY_GROUPMEM" , SAMR_QUERY_GROUPMEM , api_samr_query_groupmem }, + {"SAMR_ADD_ALIASMEM" , SAMR_ADD_ALIASMEM , api_samr_add_aliasmem }, + {"SAMR_DEL_ALIASMEM" , SAMR_DEL_ALIASMEM , api_samr_del_aliasmem }, + {"SAMR_ADD_GROUPMEM" , SAMR_ADD_GROUPMEM , api_samr_add_groupmem }, + {"SAMR_DEL_GROUPMEM" , SAMR_DEL_GROUPMEM , api_samr_del_groupmem }, + + {"SAMR_DELETE_DOM_USER" , SAMR_DELETE_DOM_USER , api_samr_delete_dom_user }, + {"SAMR_DELETE_DOM_GROUP" , SAMR_DELETE_DOM_GROUP , api_samr_delete_dom_group }, + {"SAMR_DELETE_DOM_ALIAS" , SAMR_DELETE_DOM_ALIAS , api_samr_delete_dom_alias }, + {"SAMR_CREATE_DOM_GROUP" , SAMR_CREATE_DOM_GROUP , api_samr_create_dom_group }, + {"SAMR_CREATE_DOM_ALIAS" , SAMR_CREATE_DOM_ALIAS , api_samr_create_dom_alias }, + {"SAMR_LOOKUP_NAMES" , SAMR_LOOKUP_NAMES , api_samr_lookup_names }, + {"SAMR_OPEN_USER" , SAMR_OPEN_USER , api_samr_open_user }, + {"SAMR_QUERY_USERINFO" , SAMR_QUERY_USERINFO , api_samr_query_userinfo }, + {"SAMR_SET_USERINFO" , SAMR_SET_USERINFO , api_samr_set_userinfo }, + {"SAMR_SET_USERINFO2" , SAMR_SET_USERINFO2 , api_samr_set_userinfo2 }, + + {"SAMR_QUERY_DOMAIN_INFO" , SAMR_QUERY_DOMAIN_INFO, api_samr_query_dom_info }, + {"SAMR_QUERY_USERGROUPS" , SAMR_QUERY_USERGROUPS , api_samr_query_usergroups }, + {"SAMR_QUERY_DISPINFO" , SAMR_QUERY_DISPINFO , api_samr_query_dispinfo }, + {"SAMR_QUERY_DISPINFO3" , SAMR_QUERY_DISPINFO3 , api_samr_query_dispinfo }, + {"SAMR_QUERY_DISPINFO4" , SAMR_QUERY_DISPINFO4 , api_samr_query_dispinfo }, + + {"SAMR_QUERY_ALIASINFO" , SAMR_QUERY_ALIASINFO , api_samr_query_aliasinfo }, + {"SAMR_QUERY_GROUPINFO" , SAMR_QUERY_GROUPINFO , api_samr_query_groupinfo }, + {"SAMR_SET_GROUPINFO" , SAMR_SET_GROUPINFO , api_samr_set_groupinfo }, + {"SAMR_CREATE_USER" , SAMR_CREATE_USER , api_samr_create_user }, + {"SAMR_LOOKUP_RIDS" , SAMR_LOOKUP_RIDS , api_samr_lookup_rids }, + {"SAMR_GET_DOM_PWINFO" , SAMR_GET_DOM_PWINFO , api_samr_get_dom_pwinfo }, + {"SAMR_CHGPASSWD_USER" , SAMR_CHGPASSWD_USER , api_samr_chgpasswd_user }, + {"SAMR_OPEN_ALIAS" , SAMR_OPEN_ALIAS , api_samr_open_alias }, + {"SAMR_OPEN_GROUP" , SAMR_OPEN_GROUP , api_samr_open_group }, + {"SAMR_OPEN_DOMAIN" , SAMR_OPEN_DOMAIN , api_samr_open_domain }, + {"SAMR_UNKNOWN_2D" , SAMR_UNKNOWN_2D , api_samr_unknown_2d }, + {"SAMR_LOOKUP_DOMAIN" , SAMR_LOOKUP_DOMAIN , api_samr_lookup_domain }, + + {"SAMR_QUERY_SEC_OBJECT" , SAMR_QUERY_SEC_OBJECT , api_samr_query_sec_obj }, + {"SAMR_GET_USRDOM_PWINFO" , SAMR_GET_USRDOM_PWINFO, api_samr_get_usrdom_pwinfo}, + {NULL , 0 , NULL } }; /******************************************************************* diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7054f85ff9..38b4bbd0a9 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -74,15 +74,13 @@ static void samr_clear_passwd_fields( SAM_USER_INFO_21 *pass, int num_entries) } } -static void samr_clear_sam_passwd( SAM_ACCOUNT *sam_pass) +static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) { if (!sam_pass) return; - if (sam_pass->lm_pw) - memset(sam_pass->lm_pw, '\0', 16); - if (sam_pass->nt_pw) - memset(sam_pass->nt_pw, '\0', 16); + memset(sam_pass->lm_pw, '\0', 16); + memset(sam_pass->nt_pw, '\0', 16); } /******************************************************************* @@ -94,20 +92,24 @@ static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, int *total_entries, int *num_entries, int max_num_entries, uint16 acb_mask) { - SAM_ACCOUNT *pwd = NULL; + SAM_ACCOUNT *pwd = NULL; + BOOL ret; + + (*num_entries) = 0; + (*total_entries) = 0; - (*num_entries) = 0; - (*total_entries) = 0; + if (pw_buf == NULL) + return False; - if (pw_buf == NULL) - return False; + pdb_init_sam(&pwd); if (!pdb_setsampwent(False)) { - DEBUG(0, ("get_sampwd_entries: Unable to open passdb.\n")); - return False; - } + DEBUG(0, ("get_sampwd_entries: Unable to open passdb.\n")); + pdb_clear_sam(pwd); + return False; + } - while (((pwd = pdb_getsampwent()) != NULL) && (*num_entries) < max_num_entries) { + while (((ret = pdb_getsampwent(pwd)) != False) && (*num_entries) < max_num_entries) { int user_name_len; if (start_idx > 0) { @@ -143,29 +145,35 @@ static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, (*total_entries)++; } - pdb_endsampwent(); + pdb_endsampwent(); + pdb_clear_sam(pwd); - return (*num_entries) > 0; + return (*num_entries) > 0; } static BOOL jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, int *total_entries, uint32 *num_entries, int max_num_entries, uint16 acb_mask) { - SAM_ACCOUNT *pwd = NULL; + SAM_ACCOUNT *pwd = NULL; *num_entries = 0; *total_entries = 0; if (pw_buf == NULL) return False; + + DEBUG(10,("jf_get_sampwd_entries: start index:%d, max entries:%d, mask:%d\n", + start_idx, max_num_entries, acb_mask)); if (!pdb_setsampwent(False)) { - DEBUG(0, ("jf_get_sampwd_entries: Unable to open passdb.\n")); - return False; - } + DEBUG(0, ("jf_get_sampwd_entries: Unable to open passdb.\n")); + return False; + } + + pdb_init_sam(&pwd); - while (((pwd = pdb_getsampwent()) != NULL) && (*num_entries) < max_num_entries) { + while ((pdb_getsampwent(pwd) != False) && (*num_entries) < max_num_entries) { int user_name_len; int full_name_len; @@ -194,19 +202,23 @@ static BOOL jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); /* Now check if the NT compatible password is available. */ - if (pdb_get_nt_passwd(pwd)) - memcpy( pw_buf[(*num_entries)].nt_pwd , pdb_get_nt_passwd(pwd), 16); + if (pdb_get_nt_passwd(pwd)) + memcpy( pw_buf[(*num_entries)].nt_pwd , pdb_get_nt_passwd(pwd), 16); pw_buf[(*num_entries)].acb_info = pdb_get_acct_ctrl(pwd); DEBUG(5, ("entry idx: %d user %s, rid 0x%x, acb %x\n", (*num_entries), pdb_get_username(pwd), pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd) )); + (*num_entries)++; } - pdb_endsampwent(); + pdb_endsampwent(); *total_entries = *num_entries; + + pdb_clear_sam(pwd); + return True; } @@ -756,35 +768,42 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNIST Get the group entries - similar to get_sampwd_entries(). ********************************************************************/ -static BOOL get_group_alias_entries(DOMAIN_GRP *d_grp, DOM_SID *sid, uint32 start_idx, +static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, uint32 *p_num_entries, uint32 max_entries) { fstring sid_str; - fstring sam_sid_str; uint32 num_entries = 0; + int i; + GROUP_MAP smap; + GROUP_MAP *map; sid_to_string(sid_str, sid); - sid_to_string(sam_sid_str, &global_sam_sid); + DEBUG(5, ("get_group_alias_entries: enumerating aliases on SID: %s\n", sid_str)); *p_num_entries = 0; /* well-known aliases */ - if (strequal(sid_str, "S-1-5-32")) { - char *name; - while (!lp_hide_local_users() && - num_entries < max_entries && - ((name = builtin_alias_rids[num_entries].name) != NULL)) { - - fstrcpy(d_grp[num_entries].name, name); - d_grp[num_entries].rid = builtin_alias_rids[num_entries].rid; + if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { + + enum_group_mapping(SID_NAME_WKN_GRP, &map, &num_entries, ENUM_ONLY_MAPPED); + + *d_grp=(DOMAIN_GRP *)malloc(num_entries*sizeof(DOMAIN_GRP)); + if (*d_grp==NULL) + return NT_STATUS_NO_MEMORY; + + for(i=0; igr_name; + + if(!get_group_from_gid(grp->gr_gid, &smap)) + continue; + + if (smap.sid_name_use!=SID_NAME_ALIAS) + continue; - DEBUG(10,("get_group_alias_entries: got group %s\n", name )); + sid_split_rid(&smap.sid, &trid); /* Don't return winbind groups as they are not local! */ - - if (strchr(name, *sep) != NULL) { - DEBUG(10,("get_group_alias_entries: not returing %s, not local.\n", name )); + if (strchr(smap.nt_name, *sep) != NULL) { + DEBUG(10,("get_group_alias_entries: not returing %s, not local.\n", smap.nt_name )); continue; } /* Don't return user private groups... */ - if (Get_Pwnam(name, False) != 0) { - DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", name )); - continue; + if (Get_Pwnam(smap.nt_name, False) != 0) { + DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", smap.nt_name )); + continue; } - trid = pdb_gid_to_group_rid(grp->gr_gid); for( i = 0; i < num_entries; i++) - if ( d_grp[i].rid == trid ) break; + if ( (*d_grp)[i].rid == trid ) break; if ( i < num_entries ) continue; /* rid was there, dup! */ @@ -830,8 +852,12 @@ static BOOL get_group_alias_entries(DOMAIN_GRP *d_grp, DOM_SID *sid, uint32 star continue; } - fstrcpy(d_grp[num_entries].name, name); - d_grp[num_entries].rid = trid; + *d_grp=Realloc(*d_grp, (num_entries+1)*sizeof(DOMAIN_GRP)); + if (*d_grp==NULL) + return NT_STATUS_NO_MEMORY; + + fstrcpy((*d_grp)[num_entries].name, smap.nt_name); + (*d_grp)[num_entries].rid = trid; num_entries++; } @@ -847,31 +873,29 @@ static BOOL get_group_alias_entries(DOMAIN_GRP *d_grp, DOM_SID *sid, uint32 star Get the group entries - similar to get_sampwd_entries(). ********************************************************************/ -static BOOL get_group_domain_entries(DOMAIN_GRP *d_grp, DOM_SID *sid, uint32 start_idx, +static BOOL get_group_domain_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, uint32 *p_num_entries, uint32 max_entries) { - fstring sid_str; - fstring sam_sid_str; + GROUP_MAP *map=NULL; + int i; uint32 num_entries = 0; - fstring name="Domain Admins"; - fstring comment="Just to make it work !"; - - sid_to_string(sid_str, sid); - sid_to_string(sam_sid_str, &global_sam_sid); *p_num_entries = 0; - fstrcpy(d_grp[0].name, name); - fstrcpy(d_grp[0].comment, comment); - d_grp[0].rid = DOMAIN_GROUP_RID_ADMINS; - d_grp[0].attr=SID_NAME_DOM_GRP; + enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED); - fstrcpy(d_grp[1].name, "Domain Users"); - fstrcpy(d_grp[1].comment, "Just to make it work !"); - d_grp[1].rid = DOMAIN_GROUP_RID_USERS; - d_grp[1].attr=SID_NAME_DOM_GRP; + *d_grp=(DOMAIN_GRP *)malloc(num_entries*sizeof(DOMAIN_GRP)); + if (*d_grp==NULL) + return False; + + for (i=0; istart_idx, &num_entries, MAX_SAM_ENTRIES); + /* the domain group array is being allocated in the function below */ + get_group_domain_entries(&grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); + safe_free(grp); + init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_entries); DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__)); @@ -915,7 +942,7 @@ uint32 _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_ uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u) { - DOMAIN_GRP grp[MAX_SAM_ENTRIES]; + DOMAIN_GRP *grp=NULL; uint32 num_entries = 0; fstring sid_str; DOM_SID sid; @@ -928,11 +955,13 @@ uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAM sid_to_string(sid_str, &sid); DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str)); - if (!get_group_alias_entries(grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)) + if (!get_group_alias_entries(&grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)) return NT_STATUS_ACCESS_DENIED; make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); + safe_free(grp); + init_samr_r_enum_dom_aliases(r_u, q_u->start_idx, num_entries); DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__)); @@ -947,12 +976,12 @@ uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAM uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_QUERY_DISPINFO *r_u) { SAM_USER_INFO_21 pass[MAX_SAM_ENTRIES]; - DOMAIN_GRP grps[MAX_SAM_ENTRIES]; + DOMAIN_GRP *grps=NULL; uint16 acb_mask = ACB_NORMAL; - uint32 num_entries = 0; - int orig_num_entries = 0; - int total_entries = 0; - uint32 data_size = 0; + uint32 num_entries = 0; + int orig_num_entries = 0; + int total_entries = 0; + uint32 data_size = 0; DOM_SID sid; BOOL ret; SAM_DISPINFO_CTR *ctr; @@ -1001,7 +1030,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ break; case 0x3: case 0x5: - ret = get_group_domain_entries(grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); + ret = get_group_domain_entries(&grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); if (!ret) return NT_STATUS_ACCESS_DENIED; break; @@ -1040,6 +1069,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ case 0x3: ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_3)); init_sam_dispinfo_3(ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); + safe_free(grps); break; case 0x4: ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_4)); @@ -1048,6 +1078,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ case 0x5: ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_5)); init_sam_dispinfo_5(ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); + safe_free(grps); break; default: ctr->sam.info = NULL; @@ -1368,49 +1399,53 @@ uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u) { - SAM_ACCOUNT *sampass; - DOM_SID sid; - POLICY_HND domain_pol = q_u->domain_pol; - uint32 user_rid = q_u->user_rid; - POLICY_HND *user_pol = &r_u->user_pol; + SAM_ACCOUNT *sampass=NULL; + DOM_SID sid; + POLICY_HND domain_pol = q_u->domain_pol; + uint32 user_rid = q_u->user_rid; + POLICY_HND *user_pol = &r_u->user_pol; struct samr_info *info = NULL; + BOOL ret; - r_u->status = NT_STATUS_NO_PROBLEMO; + r_u->status = NT_STATUS_NO_PROBLEMO; - /* find the domain policy handle. */ - if (!find_policy_by_hnd(p, &domain_pol, NULL)) - return NT_STATUS_INVALID_HANDLE; + /* find the domain policy handle. */ + if (!find_policy_by_hnd(p, &domain_pol, NULL)) + return NT_STATUS_INVALID_HANDLE; - become_root(); - sampass = pdb_getsampwrid(user_rid); - unbecome_root(); + become_root(); + ret=pdb_getsampwrid(sampass, user_rid); + unbecome_root(); - /* check that the RID exists in our domain. */ - if (sampass == NULL) - return NT_STATUS_NO_SUCH_USER; + /* check that the RID exists in our domain. */ + if (ret == False) { + pdb_clear_sam(sampass); + return NT_STATUS_NO_SUCH_USER; + } samr_clear_sam_passwd(sampass); + pdb_clear_sam(sampass); - /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(p, &domain_pol, &sid)) - return NT_STATUS_INVALID_HANDLE; + /* Get the domain SID stored in the domain policy */ + if(!get_lsa_policy_samr_sid(p, &domain_pol, &sid)) + return NT_STATUS_INVALID_HANDLE; - /* append the user's RID to it */ - if(!sid_append_rid(&sid, user_rid)) - return NT_STATUS_NO_SUCH_USER; + /* append the user's RID to it */ + if(!sid_append_rid(&sid, user_rid)) + return NT_STATUS_NO_SUCH_USER; - /* associate the user's SID with the new handle. */ - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) - return NT_STATUS_NO_MEMORY; + /* associate the user's SID with the new handle. */ + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(info); - info->sid = sid; + ZERO_STRUCTP(info); + info->sid = sid; - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) + return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return r_u->status; + return r_u->status; } /************************************************************************* @@ -1419,27 +1454,34 @@ uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_U static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) { - SAM_ACCOUNT *smbpass; + SAM_ACCOUNT *smbpass=NULL; + BOOL ret; - if (!pdb_rid_is_user(user_rid)) { - DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); - return False; - } + if (!pdb_rid_is_user(user_rid)) { + DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); + return False; + } - become_root(); - smbpass = pdb_getsampwrid(user_rid); - unbecome_root(); + pdb_init_sam(&smbpass); - if (smbpass == NULL) { - DEBUG(4,("User 0x%x not found\n", user_rid)); - return False; - } + become_root(); + ret = pdb_getsampwrid(smbpass, user_rid); + unbecome_root(); + + if (ret==False) { + DEBUG(4,("User 0x%x not found\n", user_rid)); + pdb_clear_sam(smbpass); + return False; + } + + DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); - DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); + init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) ); - init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) ); + samr_clear_sam_passwd(smbpass); + pdb_clear_sam(smbpass); - return True; + return True; } /************************************************************************* @@ -1450,7 +1492,8 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) static uint32 get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 user_rid) { - SAM_ACCOUNT *smbpass; + SAM_ACCOUNT *smbpass=NULL; + BOOL ret; if (!p->ntlmssp_auth_validated) return NT_STATUS_ACCESS_DENIED; @@ -1461,20 +1504,26 @@ static uint32 get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 /* * Do *NOT* do become_root()/unbecome_root() here ! JRA. */ + pdb_init_sam(&smbpass); - smbpass = pdb_getsampwrid(user_rid); + ret = pdb_getsampwrid(smbpass, user_rid); - if (smbpass == NULL) { + if (ret == False) { DEBUG(4, ("User 0x%x not found\n", user_rid)); + pdb_clear_sam(smbpass); return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED; } - DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) )); + DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) )); - if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) - return NT_STATUS_ACCOUNT_DISABLED; + if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) { + pdb_clear_sam(smbpass); + return NT_STATUS_ACCOUNT_DISABLED; + } init_sam_user_info12(id12, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); + + pdb_clear_sam(smbpass); return NT_STATUS_NOPROBLEMO; } @@ -1485,29 +1534,33 @@ static uint32 get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) { - SAM_ACCOUNT *sampass; + SAM_ACCOUNT *sampass=NULL; + BOOL ret; - if (!pdb_rid_is_user(user_rid)) { - DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); - return False; - } + if (!pdb_rid_is_user(user_rid)) { + DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); + return False; + } - become_root(); - sampass = pdb_getsampwrid(user_rid); - unbecome_root(); + become_root(); + ret = pdb_getsampwrid(sampass, user_rid); + unbecome_root(); - if (sampass == NULL) { - DEBUG(4,("User 0x%x not found\n", user_rid)); - return False; - } + if (ret == False) { + DEBUG(4,("User 0x%x not found\n", user_rid)); + pdb_clear_sam(sampass); + return False; + } samr_clear_sam_passwd(sampass); - DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); + DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); init_sam_user_info21A(id21, sampass); + + pdb_clear_sam(sampass); - return True; + return True; } /******************************************************************* @@ -1610,44 +1663,49 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ uint32 _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u) { - struct sam_passwd *sam_pass; - DOM_GID *gids = NULL; - int num_groups = 0; - pstring groups; - uint32 rid; + struct sam_passwd *sam_pass=NULL; + DOM_GID *gids = NULL; + int num_groups = 0; + pstring groups; + uint32 rid; struct samr_info *info = NULL; + BOOL ret; - r_u->status = NT_STATUS_NO_PROBLEMO; + r_u->status = NT_STATUS_NO_PROBLEMO; - DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); + DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) - return NT_STATUS_INVALID_HANDLE; + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + return NT_STATUS_INVALID_HANDLE; - /* find the user's rid */ - if ((rid = get_lsa_policy_samr_rid(info)) == 0xffffffff) - return NT_STATUS_OBJECT_TYPE_MISMATCH; + /* find the user's rid */ + if ((rid = get_lsa_policy_samr_rid(info)) == 0xffffffff) + return NT_STATUS_OBJECT_TYPE_MISMATCH; - become_root(); - sam_pass = pdb_getsampwrid(rid); - unbecome_root(); + pdb_init_sam(&sam_pass); - if (sam_pass == NULL) - return NT_STATUS_NO_SUCH_USER; + become_root(); + ret = pdb_getsampwrid(sam_pass, rid); + unbecome_root(); - samr_clear_sam_passwd(sam_pass); + if (ret == False) { + samr_clear_sam_passwd(sam_pass); + return NT_STATUS_NO_SUCH_USER; + } - get_domain_user_groups(groups, pdb_get_username(sam_pass)); - gids = NULL; - num_groups = make_dom_gids(p->mem_ctx, groups, &gids); + get_domain_user_groups(groups, pdb_get_username(sam_pass)); + gids = NULL; + num_groups = make_dom_gids(p->mem_ctx, groups, &gids); - /* construct the response. lkclXXXX: gids are not copied! */ - init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status); + /* construct the response. lkclXXXX: gids are not copied! */ + init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status); - DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); + DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); + + samr_clear_sam_passwd(sam_pass); - return r_u->status; + return r_u->status; } /******************************************************************* @@ -1708,111 +1766,124 @@ uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u) { - SAM_ACCOUNT *sam_pass; - fstring mach_acct; - pstring err_str; - pstring msg_str; - int local_flags=0; - DOM_SID sid; - pstring add_script; - POLICY_HND dom_pol = q_u->domain_pol; - UNISTR2 user_account = q_u->uni_name; - uint16 acb_info = q_u->acb_info; - POLICY_HND *user_pol = &r_u->user_pol; + SAM_ACCOUNT *sam_pass=NULL; + fstring mach_acct; + pstring err_str; + pstring msg_str; + int local_flags=0; + DOM_SID sid; + pstring add_script; + POLICY_HND dom_pol = q_u->domain_pol; + UNISTR2 user_account = q_u->uni_name; + uint16 acb_info = q_u->acb_info; + POLICY_HND *user_pol = &r_u->user_pol; struct samr_info *info = NULL; + BOOL ret; - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &dom_pol, NULL)) - return NT_STATUS_INVALID_HANDLE; + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &dom_pol, NULL)) + return NT_STATUS_INVALID_HANDLE; - /* find the machine account: tell the caller if it exists. - lkclXXXX i have *no* idea if this is a problem or not - or even if you are supposed to construct a different - reply if the account already exists... - */ - - fstrcpy(mach_acct, dos_unistrn2(user_account.buffer, user_account.uni_str_len)); - strlower(mach_acct); - - become_root(); - sam_pass = pdb_getsampwnam(mach_acct); - unbecome_root(); - if (sam_pass != NULL) { - /* machine account exists: say so */ - return NT_STATUS_USER_EXISTS; - } + /* find the machine account: tell the caller if it exists. + lkclXXXX i have *no* idea if this is a problem or not + or even if you are supposed to construct a different + reply if the account already exists... + */ - local_flags=LOCAL_ADD_USER|LOCAL_DISABLE_USER|LOCAL_SET_NO_PASSWORD; - local_flags|= (acb_info & ACB_WSTRUST) ? LOCAL_TRUST_ACCOUNT:0; - - /* - * NB. VERY IMPORTANT ! This call must be done as the current pipe user, - * *NOT* surrounded by a become_root()/unbecome_root() call. This ensures - * that only people with write access to the smbpasswd file will be able - * to create a user. JRA. - */ - - /* - * add the user in the /etc/passwd file or the unix authority system. - * We don't check if the smb_create_user() function succed or not for 2 reasons: - * a) local_password_change() checks for us if the /etc/passwd account really exists - * b) smb_create_user() would return an error if the account already exists - * and as it could return an error also if it can't create the account, it would be tricky. - * - * So we go the easy way, only check after if the account exists. - * JFM (2/3/2001), to clear any possible bad understanding (-: - */ - - pstrcpy(add_script, lp_adduser_script()); - - if(*add_script) - smb_create_user(mach_acct, NULL); - - /* add the user in the smbpasswd file or the Samba authority database */ - if (!local_password_change(mach_acct, local_flags, NULL, err_str, - sizeof(err_str), msg_str, sizeof(msg_str))) - { - DEBUG(0, ("%s\n", err_str)); - close_policy_hnd(p, user_pol); - return NT_STATUS_ACCESS_DENIED; - } + fstrcpy(mach_acct, dos_unistrn2(user_account.buffer, user_account.uni_str_len)); + strlower(mach_acct); - become_root(); - sam_pass = pdb_getsampwnam(mach_acct); - unbecome_root(); - if (sam_pass == NULL) { - /* account doesn't exist: say so */ - close_policy_hnd(p, user_pol); - return NT_STATUS_ACCESS_DENIED; - } + pdb_init_sam(&sam_pass); - /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { - close_policy_hnd(p, user_pol); - return NT_STATUS_INVALID_HANDLE; - } + become_root(); + ret = pdb_getsampwnam(sam_pass, mach_acct); + unbecome_root(); + if (ret == True) { + /* machine account exists: say so */ + pdb_clear_sam(sam_pass); + return NT_STATUS_USER_EXISTS; + } - /* append the user's RID to it */ - if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) { - close_policy_hnd(p, user_pol); - return NT_STATUS_NO_SUCH_USER; - } + local_flags=LOCAL_ADD_USER|LOCAL_DISABLE_USER|LOCAL_SET_NO_PASSWORD; + local_flags|= (acb_info & ACB_WSTRUST) ? LOCAL_TRUST_ACCOUNT:0; - /* associate the user's SID with the new handle. */ - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) - return NT_STATUS_NO_MEMORY; + /* + * NB. VERY IMPORTANT ! This call must be done as the current pipe user, + * *NOT* surrounded by a become_root()/unbecome_root() call. This ensures + * that only people with write access to the smbpasswd file will be able + * to create a user. JRA. + */ - ZERO_STRUCTP(info); - info->sid = sid; + /* + * add the user in the /etc/passwd file or the unix authority system. + * We don't check if the smb_create_user() function succed or not for 2 reasons: + * a) local_password_change() checks for us if the /etc/passwd account really exists + * b) smb_create_user() would return an error if the account already exists + * and as it could return an error also if it can't create the account, it would be tricky. + * + * So we go the easy way, only check after if the account exists. + * JFM (2/3/2001), to clear any possible bad understanding (-: + */ - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + pstrcpy(add_script, lp_adduser_script()); + + if(*add_script) + smb_create_user(mach_acct, NULL); + + /* add the user in the smbpasswd file or the Samba authority database */ + if (!local_password_change(mach_acct, local_flags, NULL, err_str, + sizeof(err_str), msg_str, sizeof(msg_str))) { + DEBUG(0, ("%s\n", err_str)); + close_policy_hnd(p, user_pol); + pdb_clear_sam(sam_pass); + return NT_STATUS_ACCESS_DENIED; + } + + become_root(); + ret = pdb_getsampwnam(sam_pass, mach_acct); + unbecome_root(); + if (ret == False) { + /* account doesn't exist: say so */ + close_policy_hnd(p, user_pol); + pdb_clear_sam(sam_pass); + return NT_STATUS_ACCESS_DENIED; + } + + /* Get the domain SID stored in the domain policy */ + if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { + close_policy_hnd(p, user_pol); + pdb_clear_sam(sam_pass); + return NT_STATUS_INVALID_HANDLE; + } + + /* append the user's RID to it */ + if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) { + close_policy_hnd(p, user_pol); + pdb_clear_sam(sam_pass); + return NT_STATUS_NO_SUCH_USER; + } + + /* associate the user's SID with the new handle. */ + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) { + pdb_clear_sam(sam_pass); + return NT_STATUS_NO_MEMORY; + } + + ZERO_STRUCTP(info); + info->sid = sid; + + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) { + pdb_clear_sam(sam_pass); + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } - r_u->user_rid=sam_pass->user_rid; - r_u->unknown_0 = 0x000703ff; + r_u->user_rid=sam_pass->user_rid; + r_u->unknown_0 = 0x000703ff; - return NT_STATUS_NO_PROBLEMO; + pdb_clear_sam(sam_pass); + + return NT_STATUS_NO_PROBLEMO; } /******************************************************************* @@ -1998,21 +2069,32 @@ uint32 _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid) { - SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); + SAM_ACCOUNT *pwd =NULL; + BOOL ret; + + pdb_init_sam(&pwd); + + ret = pdb_getsampwrid(pwd, rid); + + if(ret==False) { + pdb_clear_sam(pwd); + return False; + } if (id10 == NULL) { DEBUG(5, ("set_user_info_10: NULL id10\n")); + pdb_clear_sam(pwd); return False; } - pwd = pdb_getsampwrid(rid); - if (!pwd) - return False; - pdb_set_acct_ctrl(pwd, id10->acb_info); - if(!pdb_update_sam_account(pwd, True)) + if(!pdb_update_sam_account(pwd, True)) { + pdb_clear_sam(pwd); return False; + } + + pdb_clear_sam(pwd); return True; } @@ -2023,22 +2105,31 @@ static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid) static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) { - SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); - - if (pwd == NULL) + SAM_ACCOUNT *pwd = NULL; + BOOL ret; + + pdb_init_sam(&pwd); + + if(!pdb_getsampwrid(pwd, rid)) { + pdb_clear_sam(pwd); return False; - + } + if (id12 == NULL) { DEBUG(2, ("set_user_info_12: id12 is NULL\n")); + pdb_clear_sam(pwd); return False; } pdb_set_lanman_passwd (pwd, id12->lm_pwd); pdb_set_nt_passwd (pwd, id12->nt_pwd); - if(!pdb_update_sam_account(pwd, True)) + if(!pdb_update_sam_account(pwd, True)) { + pdb_clear_sam(pwd); return False; - + } + + pdb_clear_sam(pwd); return True; } @@ -2048,21 +2139,26 @@ static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) { - SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); - SAM_ACCOUNT new_pwd; + SAM_ACCOUNT *pwd = NULL; + SAM_ACCOUNT *new_pwd = NULL; if (id21 == NULL) { DEBUG(5, ("set_user_info_21: NULL id21\n")); return False; } - if (pwd == NULL) + pdb_init_sam(&pwd); + pdb_init_sam(&new_pwd); + + if (!pdb_getsampwrid(pwd, rid)) { + pdb_clear_sam(pwd); + pdb_clear_sam(new_pwd); return False; + } /* we make a copy so that we can modify stuff */ - ZERO_STRUCT(new_pwd); - copy_sam_passwd(&new_pwd, pwd); - copy_id21_to_sam_passwd(&new_pwd, id21); + copy_sam_passwd(new_pwd, pwd); + copy_id21_to_sam_passwd(new_pwd, id21); /* * The funny part about the previous two calls is @@ -2072,9 +2168,15 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) */ /* write the change out */ - if(!pdb_update_sam_account(&new_pwd, True)) + if(!pdb_update_sam_account(new_pwd, True)) { + pdb_clear_sam(pwd); + pdb_clear_sam(new_pwd); return False; - + } + + pdb_clear_sam(pwd); + pdb_clear_sam(new_pwd); + return True; } @@ -2084,33 +2186,42 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) { - SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); - SAM_ACCOUNT new_pwd; - uint8 nt_hash[16]; - uint8 lm_hash[16]; - pstring buf; - uint32 len; + SAM_ACCOUNT *pwd = NULL; + SAM_ACCOUNT *new_pwd = NULL; + uint8 nt_hash[16]; + uint8 lm_hash[16]; + pstring buf; + uint32 len; uint16 acct_ctrl; - if (id23 == NULL) { - DEBUG(5, ("set_user_info_23: NULL id23\n")); - return False; - } + if (id23 == NULL) { + DEBUG(5, ("set_user_info_23: NULL id23\n")); + return False; + } - if (pwd == NULL) - return False; + pdb_init_sam(&pwd); + pdb_init_sam(&new_pwd); - acct_ctrl = pdb_get_acct_ctrl(pwd); + if (pdb_getsampwrid(pwd, rid)) { + pdb_clear_sam(pwd); + pdb_clear_sam(new_pwd); + return False; + } - ZERO_STRUCT (new_pwd); - copy_sam_passwd(&new_pwd, pwd); - copy_id23_to_sam_passwd(&new_pwd, id23); + acct_ctrl = pdb_get_acct_ctrl(pwd); + + copy_sam_passwd(new_pwd, pwd); + pdb_clear_sam(pwd); + + copy_id23_to_sam_passwd(new_pwd, id23); - if (!decode_pw_buffer((char*)id23->pass, buf, 256, &len, nt_hash, lm_hash)) - return False; + if (!decode_pw_buffer((char*)id23->pass, buf, 256, &len, nt_hash, lm_hash)) { + pdb_clear_sam(new_pwd); + return False; + } - pdb_set_lanman_passwd (&new_pwd, lm_hash); - pdb_set_nt_passwd (&new_pwd, nt_hash); + pdb_set_lanman_passwd (new_pwd, lm_hash); + pdb_set_nt_passwd (new_pwd, nt_hash); /* if it's a trust account, don't update /etc/passwd */ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || @@ -2118,19 +2229,24 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { DEBUG(5, ("Changing trust account password, not updating /etc/passwd\n")); } else { - /* update the UNIX password */ /* update the UNIX password */ if (lp_unix_password_sync() ) - if(!chgpasswd(pdb_get_username(&new_pwd), "", buf, True)) + if(!chgpasswd(pdb_get_username(new_pwd), "", buf, True)) { + pdb_clear_sam(new_pwd); return False; + } } - memset(buf, 0, sizeof(buf)); + memset(buf, 0, sizeof(buf)); - if(!pdb_update_sam_account(&new_pwd, True)) - return False; + if(!pdb_update_sam_account(new_pwd, True)) { + pdb_clear_sam(new_pwd); + return False; + } - return True; + pdb_clear_sam(new_pwd); + + return True; } /******************************************************************* @@ -2139,23 +2255,29 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) { - SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); + SAM_ACCOUNT *pwd = NULL; uchar nt_hash[16]; uchar lm_hash[16]; uint32 len; pstring buf; uint16 acct_ctrl; - if (pwd == NULL) - return False; + pdb_init_sam(&pwd); + if (!pdb_getsampwrid(pwd, rid)) { + pdb_clear_sam(pwd); + return False; + } + acct_ctrl = pdb_get_acct_ctrl(pwd); memset(buf, 0, sizeof(buf)); - if (!decode_pw_buffer((char*)id24->pass, buf, 256, &len, nt_hash, lm_hash)) + if (!decode_pw_buffer((char*)id24->pass, buf, 256, &len, nt_hash, lm_hash)) { + pdb_clear_sam(pwd); return False; - + } + pdb_set_lanman_passwd (pwd, lm_hash); pdb_set_nt_passwd (pwd, nt_hash); @@ -2167,19 +2289,25 @@ static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) } else { /* update the UNIX password */ if (lp_unix_password_sync()) - if(!chgpasswd(pdb_get_username(pwd), "", buf, True)) + if(!chgpasswd(pdb_get_username(pwd), "", buf, True)) { + pdb_clear_sam(pwd); return False; + } } - memset(buf, 0, sizeof(buf)); - - DEBUG(0,("set_user_info_24: pdb_update_sam_account()\n")); + memset(buf, 0, sizeof(buf)); - /* update the SAMBA password */ - if(!pdb_update_sam_account(pwd, True)) - return False; + DEBUG(0,("set_user_info_24: pdb_update_sam_account()\n")); - return True; + /* update the SAMBA password */ + if(!pdb_update_sam_account(pwd, True)) { + pdb_clear_sam(pwd); + return False; + } + + pdb_clear_sam(pwd); + + return True; } /******************************************************************* @@ -2191,11 +2319,12 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ uint32 rid = 0x0; DOM_SID sid; struct current_user user; - SAM_ACCOUNT *sam_pass; + SAM_ACCOUNT *sam_pass=NULL; unsigned char sess_key[16]; POLICY_HND *pol = &q_u->pol; uint16 switch_value = q_u->switch_value; SAM_USERINFO_CTR *ctr = q_u->ctr; + BOOL ret; DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); @@ -2222,6 +2351,8 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ } + pdb_init_sam(&sam_pass); + /* * We need the NT hash of the user who is changing the user's password. * This NT hash is used to generate a "user session key" @@ -2229,16 +2360,19 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ */ become_root(); - sam_pass = pdb_getsampwuid(user.uid); + ret = pdb_getsampwuid(sam_pass, user.uid); unbecome_root(); - if(sam_pass == NULL) { + if(ret == False) { DEBUG(0,("_samr_set_userinfo: Unable to get smbpasswd entry for uid %u\n", (unsigned int)user.uid )); + pdb_clear_sam(sam_pass); return NT_STATUS_ACCESS_DENIED; } memset(sess_key, '\0', 16); mdfour(sess_key, pdb_get_nt_passwd(sam_pass), 16); + pdb_clear_sam(sam_pass); + /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { case 0x12: diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c index 82125a7085..b4472671fc 100644 --- a/source3/rpc_server/srv_util.c +++ b/source3/rpc_server/srv_util.c @@ -247,8 +247,10 @@ uint32 local_lookup_alias_name(uint32 rid, char *alias_name, uint32 *type) ********************************************************************/ uint32 local_lookup_user_name(uint32 rid, char *user_name, uint32 *type) { - SAM_ACCOUNT *sampwd; + SAM_ACCOUNT *sampwd=NULL; int i = 0; + BOOL ret; + (*type) = SID_NAME_USER; DEBUG(5,("lookup_user_name: rid: %d", rid)); @@ -259,26 +261,28 @@ uint32 local_lookup_user_name(uint32 rid, char *user_name, uint32 *type) i++; } - if (domain_user_rids[i].rid != 0) - { + if (domain_user_rids[i].rid != 0) { fstrcpy(user_name, domain_user_rids[i].name); DEBUG(5,(" = %s\n", user_name)); return 0x0; } + pdb_init_sam(&sampwd); + /* ok, it's a user. find the user account */ become_root(); - sampwd = pdb_getsampwrid(rid); + ret = pdb_getsampwrid(sampwd, rid); unbecome_root(); - if (sampwd != NULL) - { + if (ret == True) { fstrcpy(user_name, pdb_get_username(sampwd) ); DEBUG(5,(" = %s\n", user_name)); + pdb_clear_sam(sampwd); return 0x0; } DEBUG(5,(" none mapped\n")); + pdb_clear_sam(sampwd); return NT_STATUS_NONE_MAPPED; } @@ -325,19 +329,24 @@ uint32 local_lookup_alias_rid(char *alias_name, uint32 *rid) ********************************************************************/ uint32 local_lookup_user_rid(char *user_name, uint32 *rid) { - SAM_ACCOUNT *sampass; + SAM_ACCOUNT *sampass=NULL; + BOOL ret; + (*rid) = 0; + pdb_init_sam(&sampass); + /* find the user account */ become_root(); - sampass = pdb_getsampwnam(user_name); + ret = pdb_getsampwnam(sampass, user_name); unbecome_root(); - if (sampass != NULL) - { + if (ret == True) { (*rid) = pdb_get_user_rid(sampass); + pdb_clear_sam(sampass); return 0x0; } + pdb_clear_sam(sampass); return NT_STATUS_NONE_MAPPED; } diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index d503e65897..2b4676eb33 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -557,37 +557,36 @@ BOOL check_lanman_password(char *user, uchar * pass1, SAM_ACCOUNT *sampass = NULL; uint16 acct_ctrl; uint8 *lanman_pw; - + BOOL ret; + become_root(); - sampass = pdb_getsampwnam(user); + ret = pdb_getsampwnam(sampass, user); unbecome_root(); - if (sampass == NULL) - { + if (ret == False) { DEBUG(0,("check_lanman_password: getsampwnam returned NULL\n")); + pdb_clear_sam(sampass); return False; } acct_ctrl = pdb_get_acct_ctrl (sampass); lanman_pw = pdb_get_lanman_passwd (sampass); - if (acct_ctrl & ACB_DISABLED) - { - DEBUG(0,("check_lanman_password: account %s disabled.\n", - user)); + if (acct_ctrl & ACB_DISABLED) { + DEBUG(0,("check_lanman_password: account %s disabled.\n", user)); + pdb_clear_sam(sampass); return False; } - if ((lanman_pw == NULL) && (acct_ctrl & ACB_PWNOTREQ)) - { + if ((lanman_pw == NULL) && (acct_ctrl & ACB_PWNOTREQ)) { uchar no_pw[14]; memset(no_pw, '\0', 14); E_P16(no_pw, null_pw); pdb_set_lanman_passwd (sampass, null_pw); } - else if (lanman_pw == NULL) - { + else if (lanman_pw == NULL) { DEBUG(0, ("check_lanman_password: no lanman password !\n")); + pdb_clear_sam(sampass); return False; } @@ -598,9 +597,9 @@ BOOL check_lanman_password(char *user, uchar * pass1, D_P16(unenc_new_pw, pass1, unenc_old_pw); /* Check that the two old passwords match. */ - if (memcmp(lanman_pw, unenc_old_pw, 16)) - { + if (memcmp(lanman_pw, unenc_old_pw, 16)) { DEBUG(0,("check_lanman_password: old password doesn't match.\n")); + pdb_clear_sam(sampass); return False; } @@ -625,30 +624,27 @@ BOOL change_lanman_password(SAM_ACCOUNT *sampass, uchar * pass1, uint16 acct_ctrl; uint8 *pwd; - if (sampass == NULL) - { + if (sampass == NULL) { DEBUG(0,("change_lanman_password: no smb password entry.\n")); return False; } + acct_ctrl = pdb_get_acct_ctrl(sampass); pwd = pdb_get_lanman_passwd(sampass); - if (acct_ctrl & ACB_DISABLED) - { + if (acct_ctrl & ACB_DISABLED) { DEBUG(0,("change_lanman_password: account %s disabled.\n", pdb_get_username(sampass))); return False; } - if ((pwd == NULL) && (acct_ctrl & ACB_PWNOTREQ)) - { + if ((pwd == NULL) && (acct_ctrl & ACB_PWNOTREQ)) { uchar no_pw[14]; memset(no_pw, '\0', 14); E_P16(no_pw, null_pw); pdb_set_lanman_passwd(sampass, null_pw); } - else if (pwd == NULL) - { + else if (pwd == NULL) { DEBUG(0,("change_lanman_password: no lanman password !\n")); return False; } @@ -689,17 +685,15 @@ BOOL pass_oem_change(char *user, */ if (ret && lp_unix_password_sync()) - { ret = chgpasswd(user, "", new_passwd, True); - } if (ret) - { ret = change_oem_password(sampass, new_passwd, False); - } memset(new_passwd, 0, sizeof(new_passwd)); + pdb_clear_sam(sampass); + return ret; } @@ -727,22 +721,26 @@ BOOL check_oem_password(char *user, uchar new_p16[16]; uchar unenc_old_pw[16]; char no_pw[2]; + BOOL ret; BOOL nt_pass_set = (ntdata != NULL && nthash != NULL); + pdb_init_sam(&sampass); + become_root(); - *hnd = sampass = pdb_getsampwnam(user); + ret = pdb_getsampwnam(sampass, user); unbecome_root(); - if (sampass == NULL) - { + if (ret == False) { DEBUG(0, ("check_oem_password: getsmbpwnam returned NULL\n")); return False; } + + *hnd = sampass; + acct_ctrl = pdb_get_acct_ctrl(sampass); - if (acct_ctrl & ACB_DISABLED) - { + if (acct_ctrl & ACB_DISABLED) { DEBUG(0,("check_lanman_password: account %s disabled.\n", user)); return False; } @@ -757,27 +755,19 @@ BOOL check_oem_password(char *user, nt_pw = pdb_get_nt_passwd (sampass); /* check for null passwords */ - if (lanman_pw == NULL) - { + if (lanman_pw == NULL) { if (acct_ctrl & ACB_PWNOTREQ) - { pdb_set_lanman_passwd(sampass, null_pw); - } - else - { + else { DEBUG(0,("check_oem_password: no lanman password !\n")); return False; } } - if (pdb_get_nt_passwd(sampass) == NULL && nt_pass_set) - { + if (pdb_get_nt_passwd(sampass) == NULL && nt_pass_set) { if (acct_ctrl & ACB_PWNOTREQ) - { pdb_set_nt_passwd(sampass, null_pw); - } - else - { + else { DEBUG(0,("check_oem_password: no ntlm password !\n")); return False; } @@ -794,15 +784,12 @@ BOOL check_oem_password(char *user, */ new_pw_len = IVAL(lmdata, 512); - if (new_pw_len < 0 || new_pw_len > new_passwd_size - 1) - { - DEBUG(0,("check_oem_password: incorrect password length (%d).\n", - new_pw_len)); + if (new_pw_len < 0 || new_pw_len > new_passwd_size - 1) { + DEBUG(0,("check_oem_password: incorrect password length (%d).\n", new_pw_len)); return False; } - if (nt_pass_set) - { + if (nt_pass_set) { /* * nt passwords are in unicode */ @@ -811,9 +798,7 @@ BOOL check_oem_password(char *user, new_pw_len /= 2; pw = dos_unistrn2((uint16 *)(&lmdata[512 - uni_pw_len]),new_pw_len); memcpy(new_passwd, pw, new_pw_len + 1); - } - else - { + } else { memcpy(new_passwd, &lmdata[512 - new_pw_len], new_pw_len); new_passwd[new_pw_len] = '\0'; } @@ -908,12 +893,17 @@ BOOL check_plaintext_password(char *user, char *old_passwd, { SAM_ACCOUNT *sampass = NULL; uchar old_pw[16], old_ntpw[16]; + BOOL ret; + + pdb_init_sam(&sampass); become_root(); - *hnd = sampass = pdb_getsampwnam(user); + ret = pdb_getsampwnam(sampass, user); unbecome_root(); - if (sampass == NULL) + *hnd = sampass; + + if (ret == False) { DEBUG(0,("check_plaintext_password: getsmbpwnam returned NULL\n")); return False; diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index 8dc3d8308a..d5dd876670 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -1765,7 +1765,7 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param { fstring saved_pass2; - SAM_ACCOUNT *sampass; + SAM_ACCOUNT *sampass=NULL; /* * Save the new password as change_oem_password overwrites it @@ -1788,7 +1788,9 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param if(lp_unix_password_sync() && !chgpasswd(user,pass1,saved_pass2,False)) SSVAL(*rparam,0,NERR_badpass); } - } + pdb_clear_sam(sampass); + } + /* * If the above failed, attempt the plaintext password change. @@ -1823,8 +1825,10 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param { SSVAL(*rparam,0,NERR_Success); } + pdb_clear_sam(hnd); } + memset((char *)pass1,'\0',sizeof(fstring)); memset((char *)pass2,'\0',sizeof(fstring)); diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 5820afacc8..f42451dceb 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -368,12 +368,15 @@ static BOOL update_smbpassword_file(char *user, char *password) SAM_ACCOUNT *sampass = NULL; BOOL ret; + pdb_init_sam(&sampass); + become_root(); - sampass = pdb_getsampwnam(user); + ret = pdb_getsampwnam(sampass, user); unbecome_root(); - if(sampass == NULL) { + if(ret == False) { DEBUG(0,("pdb_getsampwnam returned NULL\n")); + pdb_clear_sam(sampass); return False; } @@ -390,6 +393,7 @@ static BOOL update_smbpassword_file(char *user, char *password) DEBUG(3,("change_oem_password returned False\n")); } + pdb_clear_sam(sampass); return ret; } @@ -519,7 +523,8 @@ BOOL pass_check_smb(char *user, char *domain, uchar *chal, uchar *lm_pwd, uchar *nt_pwd, struct passwd *pwd) { struct passwd *pass; - SAM_ACCOUNT *sampass; + SAM_ACCOUNT *sampass=NULL; + BOOL ret; if (!lm_pwd || !nt_pwd) { @@ -546,17 +551,21 @@ BOOL pass_check_smb(char *user, char *domain, uchar *chal, return(False); } + pdb_init_sam(&sampass); + /* get the account information */ - sampass = pdb_getsampwnam(user); - if (sampass == NULL) + ret = pdb_getsampwnam(sampass, user); + if (ret == False) { DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user)); + pdb_clear_sam(sampass); return(False); } /* Quit if the account was disabled. */ if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { DEBUG(1,("Account for user '%s' was disabled.\n", user)); + pdb_clear_sam(sampass); return(False); } @@ -566,6 +575,7 @@ BOOL pass_check_smb(char *user, char *domain, uchar *chal, if (smb_pass->smb_userid != pass->pw_uid) { DEBUG(0,("Error : UNIX and SMB uids in password files do not match for user '%s'!\n", user)); + pdb_clear_sam(sampass); return(False); } #endif @@ -575,21 +585,25 @@ BOOL pass_check_smb(char *user, char *domain, uchar *chal, if (lp_null_passwords()) { DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user)); + pdb_clear_sam(sampass); return(True); } else { DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user)); + pdb_clear_sam(sampass); return(False); } } if (smb_password_ok(sampass, chal, lm_pwd, nt_pwd)) { + pdb_clear_sam(sampass); return(True); } DEBUG(2,("pass_check_smb failed - invalid password for user [%s]\n", user)); + pdb_clear_sam(sampass); return False; } diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 61b9390d08..c9ef881b59 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -427,34 +427,42 @@ static int session_trust_account(connection_struct *conn, char *inbuf, char *out /* check if trust account exists */ SAM_ACCOUNT *sam_trust_acct = NULL; uint16 acct_ctrl; + BOOL ret; + + pdb_init_sam(&sam_trust_acct); if (lp_security() == SEC_USER) { - sam_trust_acct = pdb_getsampwnam(user); + ret = pdb_getsampwnam(sam_trust_acct, user); } else { DEBUG(0,("session_trust_account: Trust account %s only supported with security = user\n", user)); SSVAL(outbuf, smb_flg2, SVAL(outbuf, smb_flg2) | FLAGS2_32_BIT_ERROR_CODES); + pdb_clear_sam(sam_trust_acct); return(ERROR(0, NT_STATUS_LOGON_FAILURE)); } - if (sam_trust_acct == NULL) { + if (ret == False) { /* lkclXXXX: workstation entry doesn't exist */ DEBUG(0,("session_trust_account: Trust account %s user doesn't exist\n",user)); SSVAL(outbuf, smb_flg2, SVAL(outbuf, smb_flg2) | FLAGS2_32_BIT_ERROR_CODES); + pdb_clear_sam(sam_trust_acct); return(ERROR(0, NT_STATUS_NO_SUCH_USER)); } else { if ((smb_passlen != 24) || (smb_nt_passlen != 24)) { DEBUG(0,("session_trust_account: Trust account %s - password length wrong.\n", user)); SSVAL(outbuf, smb_flg2, SVAL(outbuf, smb_flg2) | FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, NT_STATUS_LOGON_FAILURE)); + pdb_clear_sam(sam_trust_acct); + return(ERROR(0, NT_STATUS_LOGON_FAILURE)); } if (!smb_password_ok(sam_trust_acct, NULL, (unsigned char *)smb_passwd, (unsigned char *)smb_nt_passwd)) { DEBUG(0,("session_trust_account: Trust Account %s - password failed\n", user)); SSVAL(outbuf, smb_flg2, SVAL(outbuf, smb_flg2) | FLAGS2_32_BIT_ERROR_CODES); + pdb_clear_sam(sam_trust_acct); return(ERROR(0, NT_STATUS_LOGON_FAILURE)); } acct_ctrl = pdb_get_acct_ctrl(sam_trust_acct); + pdb_clear_sam(sam_trust_acct); if (acct_ctrl & ACB_DOMTRUST) { DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n",user)); SSVAL(outbuf, smb_flg2, SVAL(outbuf, smb_flg2) | FLAGS2_32_BIT_ERROR_CODES); diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c index 6022f9aef2..9a545fbb45 100644 --- a/source3/utils/pdbedit.c +++ b/source3/utils/pdbedit.c @@ -113,12 +113,23 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst **********************************************************/ static int print_user_info (char *username, BOOL verbosity, BOOL smbpwdstyle) { - SAM_ACCOUNT *sam_pwent; + SAM_ACCOUNT *sam_pwent=NULL; + BOOL ret; + + pdb_init_sam(&sam_pwent); - sam_pwent = pdb_getsampwnam (username); - if (sam_pwent) return print_sam_info (sam_pwent, verbosity, smbpwdstyle); - else fprintf (stderr, "Username not found!\n"); - return -1; + ret = pdb_getsampwnam (sam_pwent, username); + + if (ret==False) { + fprintf (stderr, "Username not found!\n"); + pdb_clear_sam(sam_pwent); + return -1; + } + + ret=print_sam_info (sam_pwent, verbosity, smbpwdstyle); + pdb_clear_sam(sam_pwent); + + return ret; } /********************************************************* @@ -126,22 +137,26 @@ static int print_user_info (char *username, BOOL verbosity, BOOL smbpwdstyle) **********************************************************/ static int print_users_list (BOOL verbosity, BOOL smbpwdstyle) { - SAM_ACCOUNT *sam_pwent; + SAM_ACCOUNT *sam_pwent=NULL; BOOL ret; + pdb_init_sam(&sam_pwent); + ret = pdb_setsampwent(False); if (ret && errno == ENOENT) { fprintf (stderr,"Password database not found!\n"); + pdb_clear_sam(sam_pwent); exit(1); } - while ((sam_pwent = pdb_getsampwent ())) + while ((ret = pdb_getsampwent (sam_pwent))) { if (verbosity) printf ("---------------\n"); print_sam_info (sam_pwent, verbosity, smbpwdstyle); } pdb_endsampwent (); + pdb_clear_sam(sam_pwent); return 0; } @@ -150,27 +165,33 @@ static int print_users_list (BOOL verbosity, BOOL smbpwdstyle) **********************************************************/ static int set_user_info (char *username, char *fullname, char *homedir, char *drive, char *script, char *profile) { - SAM_ACCOUNT *sam_pwent; + SAM_ACCOUNT *sam_pwent=NULL; + BOOL ret; + + pdb_init_sam(&sam_pwent); - sam_pwent = pdb_getsampwnam (username); - if (!sam_pwent) + ret = pdb_getsampwnam (sam_pwent, username); + if (ret==False) { fprintf (stderr, "Username not found!\n"); + pdb_clear_sam(sam_pwent); return -1; } - if (fullname) sam_pwent->full_name = fullname; - if (homedir) sam_pwent->home_dir = homedir; - if (drive) sam_pwent->dir_drive = drive; - if (script) sam_pwent->logon_script = script; - if (profile) sam_pwent->profile_path = profile; + if (fullname) pdb_set_fullname(sam_pwent, fullname); + if (homedir) pdb_set_homedir(sam_pwent, homedir); + if (drive) pdb_set_dir_drive(sam_pwent,drive); + if (script) pdb_set_logon_script(sam_pwent, script); + if (profile) pdb_set_profile_path (sam_pwent, profile); if (pdb_update_sam_account (sam_pwent, TRUE)) print_user_info (username, TRUE, FALSE); else { fprintf (stderr, "Unable to modify entry!\n"); + pdb_clear_sam(sam_pwent); return -1; } + pdb_clear_sam(sam_pwent); return 0; } @@ -180,6 +201,7 @@ static int set_user_info (char *username, char *fullname, char *homedir, char *d static int new_user (char *username, char *fullname, char *homedir, char *drive, char *script, char *profile) { SAM_ACCOUNT sam_pwent; + BOOL ret; struct passwd *pwd = NULL; uchar new_p16[16]; uchar new_nt_p16[16]; @@ -187,7 +209,7 @@ static int new_user (char *username, char *fullname, char *homedir, char *drive, ZERO_STRUCT(sam_pwent); - if (pdb_getsampwnam (username)) + if (pdb_getsampwnam (&sam_pwent, username)) { fprintf (stderr, "Username already exist in database!\n"); return -1; @@ -208,12 +230,12 @@ static int new_user (char *username, char *fullname, char *homedir, char *drive, } nt_lm_owf_gen (password1, new_nt_p16, new_p16); - sam_pwent.username = username; - if (fullname) sam_pwent.full_name = fullname; - if (homedir) sam_pwent.home_dir = homedir; - if (drive) sam_pwent.dir_drive = drive; - if (script) sam_pwent.logon_script = script; - if (profile) sam_pwent.profile_path = profile; + pdb_set_username(&sam_pwent, username); + if (fullname) pdb_set_fullname(&sam_pwent, fullname); + if (homedir) pdb_set_homedir (&sam_pwent, homedir); + if (drive) pdb_set_dir_drive (&sam_pwent, drive); + if (script) pdb_set_logon_script(&sam_pwent, script); + if (profile) pdb_set_profile_path (&sam_pwent, profile); /* TODO: Check uid not being in MACHINE UID range!! */ sam_pwent.uid = pwd->pw_uid; @@ -239,6 +261,7 @@ static int new_user (char *username, char *fullname, char *homedir, char *drive, static int new_machine (char *machinename) { SAM_ACCOUNT sam_pwent; + SAM_ACCOUNT sam_trust; uchar new_p16[16]; uchar new_nt_p16[16]; char name[16]; @@ -254,14 +277,17 @@ static int new_machine (char *machinename) strlower(password); nt_lm_owf_gen (password, new_nt_p16, new_p16); - sam_pwent.username = name; + pdb_set_username(&sam_pwent, name); + + for (uid=BASE_MACHINE_UID; uid<=MAX_MACHINE_UID; uid++) + if (!(pdb_getsampwuid (&sam_trust, uid))) + break; - for (uid=BASE_MACHINE_UID; uid<=MAX_MACHINE_UID; uid++) if (!(pdb_getsampwuid (uid))) break; - if (uid>MAX_MACHINE_UID) - { + if (uid>MAX_MACHINE_UID) { fprintf (stderr, "No more free UIDs available to Machine accounts!\n"); return -1; } + sam_pwent.uid = uid; sam_pwent.gid = BASE_MACHINE_UID; /* TODO: set there more appropriate value!! */ sam_pwent.user_rid = pdb_uid_to_user_rid (uid); @@ -270,9 +296,9 @@ static int new_machine (char *machinename) sam_pwent.nt_pw = new_nt_p16; sam_pwent.acct_ctrl = ACB_WSTRUST; - if (pdb_add_sam_account (&sam_pwent)) print_user_info (name, TRUE, FALSE); - else - { + if (pdb_add_sam_account (&sam_pwent)) + print_user_info (name, TRUE, FALSE); + else { fprintf (stderr, "Unable to add machine!\n"); return -1; } @@ -309,6 +335,7 @@ static int import_users (char *filename) { FILE *fp = NULL; SAM_ACCOUNT sam_pwent; + SAM_ACCOUNT sam_test; static pstring user_name; static unsigned char smbpwd[16]; static unsigned char smbntpwd[16]; @@ -360,7 +387,7 @@ static int import_users (char *filename) line++; if (linebuf[0] == '#' || linebuf[0] == '\0') continue; - pdb_init_sam (&sam_pwent); + /*pdb_init_sam (&sam_pwent);*/ sam_pwent.acct_ctrl = ACB_NORMAL; /* Get user name */ @@ -393,8 +420,8 @@ static int import_users (char *filename) continue; } - sam_pwent.username = user_name; - sam_pwent.uid = uidval; + pdb_set_username(&sam_pwent, user_name); + pdb_set_uid (&sam_pwent, uidval); /* Get passwords */ p++; @@ -503,7 +530,7 @@ static int import_users (char *filename) { struct passwd *pwd = NULL; - if (pdb_getsampwnam (user_name)) + if (pdb_getsampwnam (&sam_test,user_name)) { fprintf (stderr, "Error: Username already exist in database!\n"); continue; diff --git a/source3/utils/smbgroupedit.c b/source3/utils/smbgroupedit.c index 01ae7091b3..76624312d5 100644 --- a/source3/utils/smbgroupedit.c +++ b/source3/utils/smbgroupedit.c @@ -48,7 +48,8 @@ static void usage(void) printf(" -n group NT group name\n"); printf(" -p privilege only local\n"); printf(" -v list groups\n"); - printf(" -c SID change group\n"); + printf(" -c SID change group\n"); + printf(" -u unix group\n"); printf(" -x group delete this group\n"); printf("\n"); printf(" -t[b|d|l] type: builtin, domain, local \n"); @@ -68,7 +69,7 @@ int addgroup(char *group, enum SID_NAME_USE sid_type, char *ntgroup, char *ntcom /* convert_priv_from_text(&se_priv, privilege);*/ - se_priv=0xff; + se_priv=0x0; gid=nametogid(group); if (gid==-1) @@ -87,7 +88,7 @@ int addgroup(char *group, enum SID_NAME_USE sid_type, char *ntgroup, char *ntcom else fstrcpy(comment, ntcomment); - if(!add_initial_entry(gid, string_sid, sid_type, group, comment, se_priv)) + if(!add_initial_entry(gid, string_sid, sid_type, name, comment, se_priv)) return -1; return 0; @@ -176,7 +177,7 @@ int listgroup(enum SID_NAME_USE sid_type) printf("Unix\tSID\ttype\tnt name\tnt comment\tprivilege\n"); - if (!enum_group_mapping(sid_type, &map, &entries)) + if (!enum_group_mapping(sid_type, &map, &entries, ENUM_ALL_MAPPED)) return -1; for (i=0; i