From 613860a3aa3523642b01b8eaa62db7e08612a584 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Thu, 5 Nov 1998 16:51:34 +0000 Subject: util_file.c: split some routines out of various places (e.g smbpass.c) because they now get used in more than one location. util_sid.c: need sid_copy, compare, split rid, append rid etc etc... (This used to be commit 71dfaa307ec954041c09ed157594a46503fb6db8) --- source3/lib/util_sid.c | 178 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 source3/lib/util_sid.c (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c new file mode 100644 index 0000000000..17af94a79c --- /dev/null +++ b/source3/lib/util_sid.c 
@@ -0,0 +1,178 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Samba utility functions + Copyright (C) Andrew Tridgell 1992-1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + + +extern int DEBUGLEVEL; + + +/***************************************************************** + Convert a SID to an ascii string. +*****************************************************************/ + +char *sid_to_string(pstring sidstr_out, DOM_SID *sid) +{ + char subauth[16]; + int i; + /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ + uint32 ia = (sid->id_auth[5]) + + (sid->id_auth[4] << 8 ) + + (sid->id_auth[3] << 16) + + (sid->id_auth[2] << 24); + + slprintf(sidstr_out, sizeof(pstring) - 1, "S-%d-%d", sid->sid_rev_num, ia); + + for (i = 0; i < sid->num_auths; i++) + { + slprintf(subauth, sizeof(subauth)-1, "-%d", sid->sub_auths[i]); + pstrcat(sidstr_out, subauth); + } + + DEBUG(7,("sid_to_string returning %s\n", sidstr_out)); + return sidstr_out; +} + +/***************************************************************** + Convert a string to a SID. Returns True on success, False on fail. 
+*****************************************************************/ + +BOOL string_to_sid(DOM_SID *sidout, char *sidstr) +{ + pstring tok; + char *p = sidstr; + /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ + uint32 ia; + + memset((char *)sidout, '\0', sizeof(DOM_SID)); + + if (StrnCaseCmp( sidstr, "S-", 2)) { + DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); + return False; + } + + p += 2; + if (!next_token(&p, tok, "-", sizeof(tok))) { + DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); + return False; + } + + /* Get the revision number. */ + sidout->sid_rev_num = atoi(tok); + + if (!next_token(&p, tok, "-", sizeof(tok))) { + DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); + return False; + } + + /* identauth in decimal should be < 2^32 */ + ia = atoi(tok); + + /* NOTE - the ia value is in big-endian format. */ + sidout->id_auth[0] = 0; + sidout->id_auth[1] = 0; + sidout->id_auth[2] = (ia & 0xff000000) >> 24; + sidout->id_auth[3] = (ia & 0x00ff0000) >> 16; + sidout->id_auth[4] = (ia & 0x0000ff00) >> 8; + sidout->id_auth[5] = (ia & 0x000000ff); + + sidout->num_auths = 0; + + while(next_token(&p, tok, "-", sizeof(tok)) && + sidout->num_auths < MAXSUBAUTHS) + { + /* + * NOTE - the subauths are in native machine-endian format. They + * are converted to little-endian when linearized onto the wire. 
+ */ + sid_append_rid(sidout, atoi(tok)); + } + + DEBUG(7,("string_to_sid: converted SID %s ok\n", sidstr)); + + return True; +} + +/***************************************************************** + add a rid to the end of a sid +*****************************************************************/ +BOOL sid_append_rid(DOM_SID *sid, uint32 rid) +{ + if (sid->num_auths < MAXSUBAUTHS) + { + sid->sub_auths[sid->num_auths++] = rid; + return True; + } + return False; +} + +/***************************************************************** + removes the last rid from the end of a sid +*****************************************************************/ +BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) +{ + if (sid->num_auths > 0) + { + sid->num_auths--; + (*rid) = sid->sub_auths[sid->num_auths]; + return True; + } + return False; +} + +/***************************************************************** + copies a sid +*****************************************************************/ +void sid_copy(DOM_SID *sid1, DOM_SID *sid2) +{ + int i; + + for (i = 0; i < sid2->num_auths; i++) + { + sid1->sub_auths[i] = sid2->sub_auths[i]; + } + + sid1->num_auths = sid2->num_auths; + sid1->sid_rev_num = sid2->sid_rev_num; +} +/***************************************************************** + compare two sids +*****************************************************************/ +BOOL sid_equal(DOM_SID *sid1, DOM_SID *sid2) +{ + int i; + + /* compare most likely different rids, first: i.e start at end */ + for (i = sid1->num_auths-1; i >= 0; --i) + { + if (sid1->sub_auths[i] != sid2->sub_auths[i]) return False; + } + + if (sid1->num_auths != sid2->num_auths ) return False; + if (sid1->sid_rev_num != sid2->sid_rev_num) return False; + + for (i = 0; i < 6; i++) + { + if (sid1->id_auth[i] != sid2->id_auth[i]) return False; + } + + return True; +} -- cgit From 2c7f6da1fa95ff77d6c60fcd109205847519434f Mon Sep 17 00:00:00 2001 
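Review bot: string_to_sid accepts a SID string with more than MAXSUBAUTHS components and still returns True with the tail silently dropped, because `while(next_token(&p, tok, "-", sizeof(tok)) && sidout->num_auths < MAXSUBAUTHS)` stops on the bound instead of failing, so an over-long string parses to a different, shorter SID, which matters for a value that ends up in access decisions. The same loop discards sid_append_rid's return value, and `atoi(tok)` turns any non-numeric component into 0 without reporting an error. I would make an over-long string a hard failure: `while (next_token(&p, tok, "-", sizeof(tok))) { if (!sid_append_rid(sidout, atoi(tok))) return False; }`. In sid_equal, the `if (sid1->num_auths != sid2->num_auths ) return False;` check belongs before the sub_auths loop, since the loop currently compares against sid2 entries beyond sid2's own count (presumably still inside a MAXSUBAUTHS-sized array, so not out of bounds, but stale data is consulted before the length mismatch is noticed).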
From: Luke Leighton Date: Thu, 12 Nov 1998 23:35:05 +0000 Subject: security descriptors. kanji const char* warnings. (This used to be commit 06abdfd68e1d7fa8741afc3f56ec7a13b5fa4ccc) --- source3/lib/util_sid.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 17af94a79c..9ca3a59ad4 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -176,3 +176,16 @@ BOOL sid_equal(DOM_SID *sid1, DOM_SID *sid2) return True; } + + +/***************************************************************** + calculates size of a sid +*****************************************************************/ +int sid_size(DOM_SID *sid) +{ + if (sid == NULL) + { + return 0; + } + return sid->num_auths * sizeof(uint32) + 8; +} -- cgit From 4cee58780cb15fe5889b9dd0dc34459512d75062 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Mon, 23 Nov 1998 21:51:05 +0000 Subject: unix instance of group database API (This used to be commit e76f593b3572ac881f1aa1fb3326d8b7169b0078) --- source3/lib/util_sid.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 9ca3a59ad4..cce360f4c1 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -43,7 +43,7 @@ char *sid_to_string(pstring sidstr_out, DOM_SID *sid) for (i = 0; i < sid->num_auths; i++) { - slprintf(subauth, sizeof(subauth)-1, "-%d", sid->sub_auths[i]); + slprintf(subauth, sizeof(subauth)-1, "-%u", sid->sub_auths[i]); pstrcat(sidstr_out, subauth); } 
@@ -103,7 +103,9 @@ BOOL string_to_sid(DOM_SID *sidout, char *sidstr) * NOTE - the subauths are in native machine-endian format. They * are converted to little-endian when linearized onto the wire. */ - sid_append_rid(sidout, atoi(tok)); + uint32 rid = (uint32)strtoul(tok, NULL, 10); + DEBUG(50,("string_to_sid: tok: %s rid 0x%x\n", tok, rid)); + sid_append_rid(sidout, rid); } DEBUG(7,("string_to_sid: converted SID %s ok\n", sidstr)); @@ -145,6 +147,11 @@ void sid_copy(DOM_SID *sid1, DOM_SID *sid2) { int i; + for (i = 0; i < 6; i++) + { + sid1->id_auth[i] = sid2->id_auth[i]; + } + for (i = 0; i < sid2->num_auths; i++) { sid1->sub_auths[i] = sid2->sub_auths[i]; -- cgit From ced486c8415c7ece457edecb3246f7277a57d60b Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Tue, 24 Nov 1998 16:47:49 +0000 Subject: sorting out difference between aliases and groups in the cases where unix groups are not explicitly mapped. i.e as a PDC or BDC you can have domain groups, as a member of a domain you cannot. as a member of a domain, unmapped unix groups are assumed to be aliases, and as a PDC or BDC, unmapped unix groups are assumed to be unix groups. there is _one_ other check needed with aliases to be added: unmapped unix groups that have the same name as an NT group on the PDC (for which i will need to write an LsaLookupNames call) should be assumed to be domain groups on the PDC. (This used to be commit 53b49b44e13a4ca9818ebc947372b1374831b568) --- source3/lib/util_sid.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index cce360f4c1..a483f85b84 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -134,7 +134,10 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) if (sid->num_auths > 0) { sid->num_auths--; - (*rid) = sid->sub_auths[sid->num_auths]; + if (rid != NULL) + { + (*rid) = sid->sub_auths[sid->num_auths]; + } return True; } return False; -- cgit 
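Review bot: `uint32 rid = (uint32)strtoul(tok, NULL, 10);` throws away the end pointer, so a component such as `abc` or `21x` is accepted as RID 0 or 21 instead of failing the parse, and the result of `sid_append_rid(sidout, rid)` on the next line is still ignored. Converting with an end pointer and rejecting leftover characters keeps malformed text out of the SID: `char *end; uint32 rid = (uint32)strtoul(tok, &end, 10); if (end == tok || *end != '\0') return False;`. The while loop that contains these lines starts before the hunk, inside string_to_sid.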
From bfc38ff872446e0ad365c22327c779e72a81bef9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 25 Nov 1998 21:17:20 +0000 Subject: Makefile.in: Added maintainer mode fixes. aclocal.m4: Added AC_LIBTESTFUNC. configure.in: Fixed -lsecurity -lsec problems. client.c: dos_ fixes. groupdb/aliasunix.c: Dead code removal. include/includes.h: Added default PRINTCAP_NAME. lib/genrand.c: dos_ fixes. lib/replace.c: Added strtoul. lib/system.c: dos_ fixes. lib/util.c: dos_ fixes. lib/util_sid.c: Signed/unsigned fixes. lib/util_str.c: removed bad const. locking/locking_slow.c: dos_ fixes. printing/printing.c: dos_ fixes. rpc_server/srv_samr.c: Dead code removal. rpc_server/srv_sid.c: global_myworkgroup defined with wrong size AGAIN ! smbd/dir.c: dos_ fixes. smbd/open.c: dos_ fixes. smbd/oplock.c: dos_ fixes. smbd/reply.c smbd/server.c smbd/service.c smbd/uid.c: dos_ fixes. Jeremy. (This used to be commit 6acb4b68f68d516e2ac3c47e500f5600d653435e) --- source3/lib/util_sid.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index a483f85b84..8741479067 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -39,11 +39,11 @@ char *sid_to_string(pstring sidstr_out, DOM_SID *sid) (sid->id_auth[3] << 16) + (sid->id_auth[2] << 24); - slprintf(sidstr_out, sizeof(pstring) - 1, "S-%d-%d", sid->sid_rev_num, ia); + slprintf(sidstr_out, sizeof(pstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia); for (i = 0; i < sid->num_auths; i++) { - slprintf(subauth, sizeof(subauth)-1, "-%u", sid->sub_auths[i]); + slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]); pstrcat(sidstr_out, subauth); } 
@@ -76,7 +76,7 @@ BOOL string_to_sid(DOM_SID *sidout, char *sidstr) } /* Get the revision number. */ - sidout->sid_rev_num = atoi(tok); + sidout->sid_rev_num = (uint8)strtoul(tok,NULL,10); if (!next_token(&p, tok, "-", sizeof(tok))) { DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); @@ -84,7 +84,7 @@ BOOL string_to_sid(DOM_SID *sidout, char *sidstr) } /* identauth in decimal should be < 2^32 */ - ia = atoi(tok); + ia = (uint32)strtoul(tok,NULL,10); /* NOTE - the ia value is in big-endian format. */ sidout->id_auth[0] = 0; @@ -104,7 +104,7 @@ BOOL string_to_sid(DOM_SID *sidout, char *sidstr) * are converted to little-endian when linearized onto the wire. */ uint32 rid = (uint32)strtoul(tok, NULL, 10); - DEBUG(50,("string_to_sid: tok: %s rid 0x%x\n", tok, rid)); + DEBUG(50,("string_to_sid: tok: %s rid 0x%lx\n", tok, (unsigned long)rid)); sid_append_rid(sidout, rid); } -- cgit From 30038de4623bc827ee8019c569faf00583d1fe58 Mon Sep 17 00:00:00 2001 
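Review bot: `sidout->sid_rev_num = (uint8)strtoul(tok,NULL,10);` truncates to eight bits with no range check, so a revision of 257 is stored as 1 and the string is accepted, and the NULL end pointer here and on the identauth line `ia = (uint32)strtoul(tok,NULL,10);` means non-numeric text is accepted as 0. A bounded conversion keeps the parser strict on both lines: `unsigned long v = strtoul(tok, &end, 10); if (end == tok || *end != '\0' || v > 0xff) return False;` for the revision, with `v > 0xffffffffUL` as the bound for the identauth (the latter only catches anything where unsigned long is wider than 32 bits; checking errno for ERANGE covers the rest). These lines are inside string_to_sid, whose body starts before this hunk.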
From: Luke Leighton Date: Sun, 29 Nov 1998 20:03:33 +0000 Subject: weekend work. user / group database API. - split sam_passwd and smb_passwd into separate higher-order function tables - renamed struct smb_passwd's "smb_user" to "unix_user". added "nt_user" plus user_rid, and added a "wrap" function in both sam_passwd and smb_passwd password databases to fill in the blank entries that are not obtained from whatever password database API instance is being used. NOTE: whenever a struct smb_passwd or struct sam_passwd is used, it MUST be initialised with pwdb_sam_init() or pwd_smb_init(), see chgpasswd.c for the only example outside of the password database APIs i could find. - added query_useraliases code to rpcclient. - dealt with some nasty interdependencies involving non-smbd programs and the password database API. this is still not satisfactorily resolved completelely, but it's the best i can do for now. - #ifdef'd out some password database options so that people don't mistakenly set them unless they recompile to _use_ those options. lots of debugging done, it's still not finished. the unix/NT uid/gid and user-rid/group-rid issues are better, but not perfect. the "BUILTIN" domain is still missing: users cannot be added to "BUILTIN" groups yet, as we only have an "alias" db API and a "group" db API but not "builtin-alias" db API... (This used to be commit 5d5d7e4de7d1514ab87b07ede629de8aa00519a1) --- source3/lib/util_sid.c | 37 +++++++++++++++++++++++++++++++------ 1 file changed, 31 insertions(+), 6 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 8741479067..48c092ecf7 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -29,7 +29,7 @@ extern int DEBUGLEVEL; Convert a SID to an ascii string. *****************************************************************/ -char *sid_to_string(pstring sidstr_out, DOM_SID *sid) +char *sid_to_string(pstring sidstr_out, const DOM_SID *sid) { char subauth[16]; int i; @@ -55,10 +55,10 @@ char *sid_to_string(pstring sidstr_out, DOM_SID *sid) Convert a string to a SID. Returns True on success, False on fail. *****************************************************************/ -BOOL string_to_sid(DOM_SID *sidout, char *sidstr) +BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) { pstring tok; - char *p = sidstr; + const char *p = sidstr; /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ uint32 ia; @@ -146,7 +146,7 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) /***************************************************************** copies a sid *****************************************************************/ -void sid_copy(DOM_SID *sid1, DOM_SID *sid2) +void sid_copy(DOM_SID *sid1, const DOM_SID *sid2) { int i; 
@@ -163,10 +163,35 @@ void sid_copy(DOM_SID *sid1, DOM_SID *sid2) sid1->num_auths = sid2->num_auths; sid1->sid_rev_num = sid2->sid_rev_num; } + +/***************************************************************** + compare two sids up to the auths of the first sid +*****************************************************************/ +BOOL sid_front_equal(const DOM_SID *sid1, const DOM_SID *sid2) +{ + int i; + + /* compare most likely different rids, first: i.e start at end */ + for (i = sid1->num_auths-1; i >= 0; --i) + { + if (sid1->sub_auths[i] != sid2->sub_auths[i]) return False; + } + + if (sid1->num_auths > sid2->num_auths ) return False; + if (sid1->sid_rev_num != sid2->sid_rev_num) return False; + + for (i = 0; i < 6; i++) + { + if (sid1->id_auth[i] != sid2->id_auth[i]) return False; + } + + return True; +} + /***************************************************************** compare two sids *****************************************************************/ -BOOL sid_equal(DOM_SID *sid1, DOM_SID *sid2) +BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2) { int i; @@ -191,7 +216,7 @@ BOOL sid_equal(DOM_SID *sid1, DOM_SID *sid2) /***************************************************************** calculates size of a sid *****************************************************************/ -int sid_size(DOM_SID *sid) +int sid_size(const DOM_SID *sid) { if (sid == NULL) { -- cgit From 137f9c7042678bbc4b4a351364eb3819677183bd Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Wed, 2 Dec 1998 16:01:40 +0000 Subject: string_to_sid was using next_token() this is bad as it stops you from being able to use next_token() outside of string_to_sid calls. use strchr instead (This used to be commit 1c478ca1723558cc5dde693b4abacb56bd98cd43) --- source3/lib/util_sid.c | 87 +++++++++++++++++++++++++------------------------- 1 file changed, 44 insertions(+), 43 deletions(-) (limited to 'source3/lib/util_sid.c') 
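Review bot: sid_front_equal compares `sid1->sub_auths[i]` with `sid2->sub_auths[i]` for every i below sid1->num_auths before it checks `sid1->num_auths > sid2->num_auths`, so when sid1 is the longer SID the loop reads sid2 entries past sid2's own count (presumably inside the fixed array, so not out of bounds, but stale data decides the outcome before the length check rejects it). Moving `if (sid1->num_auths > sid2->num_auths ) return False;` above the loop makes the prefix comparison depend only on live entries and rejects the common mismatch earlier. The header comment could also state the contract: `/* True if sid1 is a prefix of sid2: same revision and identifier authority, and sid1's sub_auths equal the first num_auths of sid2's. */`.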
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 48c092ecf7..dce398f36f 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -57,60 +57,61 @@ char *sid_to_string(pstring sidstr_out, const DOM_SID *sid) BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) { - pstring tok; - const char *p = sidstr; - /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ - uint32 ia; + const char *p = sidstr; + /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ + uint32 ia; - memset((char *)sidout, '\0', sizeof(DOM_SID)); + memset((char *)sidout, '\0', sizeof(DOM_SID)); - if (StrnCaseCmp( sidstr, "S-", 2)) { - DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); - return False; - } + if (StrnCaseCmp( sidstr, "S-", 2)) + { + DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); + return False; + } - p += 2; - if (!next_token(&p, tok, "-", sizeof(tok))) { - DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); - return False; - } + if ((p = strchr(p, '-')) == NULL) + { + DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); + return False; + } - /* Get the revision number. */ - sidout->sid_rev_num = (uint8)strtoul(tok,NULL,10); + p++; - if (!next_token(&p, tok, "-", sizeof(tok))) { - DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); - return False; - } + /* Get the revision number. */ + sidout->sid_rev_num = (uint8)strtoul(p,NULL,10); - /* identauth in decimal should be < 2^32 */ - ia = (uint32)strtoul(tok,NULL,10); + if ((p = strchr(p, '-')) == NULL) + { + DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); + return False; + } - /* NOTE - the ia value is in big-endian format. 
*/ - sidout->id_auth[0] = 0; - sidout->id_auth[1] = 0; - sidout->id_auth[2] = (ia & 0xff000000) >> 24; - sidout->id_auth[3] = (ia & 0x00ff0000) >> 16; - sidout->id_auth[4] = (ia & 0x0000ff00) >> 8; - sidout->id_auth[5] = (ia & 0x000000ff); + p++; - sidout->num_auths = 0; + /* identauth in decimal should be < 2^32 */ + ia = (uint32)strtoul(p,NULL,10); - while(next_token(&p, tok, "-", sizeof(tok)) && - sidout->num_auths < MAXSUBAUTHS) - { - /* - * NOTE - the subauths are in native machine-endian format. They - * are converted to little-endian when linearized onto the wire. - */ - uint32 rid = (uint32)strtoul(tok, NULL, 10); - DEBUG(50,("string_to_sid: tok: %s rid 0x%lx\n", tok, (unsigned long)rid)); - sid_append_rid(sidout, rid); - } + /* NOTE - the ia value is in big-endian format. */ + sidout->id_auth[0] = 0; + sidout->id_auth[1] = 0; + sidout->id_auth[2] = (ia & 0xff000000) >> 24; + sidout->id_auth[3] = (ia & 0x00ff0000) >> 16; + sidout->id_auth[4] = (ia & 0x0000ff00) >> 8; + sidout->id_auth[5] = (ia & 0x000000ff); - DEBUG(7,("string_to_sid: converted SID %s ok\n", sidstr)); + sidout->num_auths = 0; - return True; + while (((p = strchr(p, '-')) != NULL) && sidout->num_auths < MAXSUBAUTHS) + { + p++; + /* + * NOTE - the subauths are in native machine-endian format. They + * are converted to little-endian when linearized onto the wire. + */ + sid_append_rid(sidout, (uint32)strtoul(p, NULL, 10)); + } + + return True; } /***************************************************************** -- cgit From 1e71ecdcb21f24e70ee5edbbc05de0284fa588f4 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Tue, 23 Feb 1999 22:39:54 +0000 Subject: added jeremy's new c++-like code for parsing of security descriptors. (This used to be commit ec1b7000fd88c5a08e438c7033f60e49b9ec44a8) --- source3/lib/util_sid.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'source3/lib/util_sid.c') 
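Review bot: the new loop appends a sub-authority of 0 for a trailing or empty component, because `p++` followed by `sid_append_rid(sidout, (uint32)strtoul(p, NULL, 10));` never looks at where the conversion stopped, so `S-1-5-21-` now yields S-1-5-21-0 where next_token used to stop; the same missing end pointer lets `S-1x-5-21` pass as S-1-5-21 on the revision line, and a string with more than MAXSUBAUTHS components is still accepted with its tail dropped because the loop bound stands in for a failure. A SID that parses as a nearby but different SID is worse than a parse error for a value used in authorization, so I would make each of these a hard False. The rewritten loop below converts with an end pointer, requires each component to end at `-`, a newline (later commits on this page hand in a line read from a file) or the terminator, and lets sid_append_rid's False reject overflow; the revision and identauth lines want the same `end == p || *end != '-'` test.
```c
	/* … unchanged: "S-" check, revision and identauth parsing … */
	sidout->num_auths = 0;

	for (;;)
	{
		char *end;
		unsigned long v;

		if ((p = strchr(p, '-')) == NULL)
			break;
		p++;
		v = strtoul(p, &end, 10);
		/* reject an empty component or trailing text other than '-' or a newline */
		if (end == p || (*end != '\0' && *end != '-' && *end != '\n'))
			return False;
		/* more components than a SID can hold is an error, not a truncation */
		if (!sid_append_rid(sidout, (uint32)v))
			return False;
		if (*end != '-')
			break;
		p = end;
	}

	return True;
```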
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index dce398f36f..77997df1e6 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -225,3 +225,23 @@ int sid_size(const DOM_SID *sid) } return sid->num_auths * sizeof(uint32) + 8; } + + +/***************************************************************** + Duplicates a sid - mallocs the target. +*****************************************************************/ + +DOM_SID *sid_dup(DOM_SID *src) +{ + DOM_SID *dst; + + if(!src) + return NULL; + + if((dst = malloc(sizeof(DOM_SID))) != NULL) { + memset(dst, '\0', sizeof(DOM_SID)); + sid_copy( dst, src); + } + + return dst; +} -- cgit From 8598bf2a7f0f71ae7a023aac054c4df42b969ce6 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Tue, 3 Aug 1999 20:30:25 +0000 Subject: reverted jeremy's c++-like security descriptor modifications as the simplest method to get rpcclient's reggetsec command working. the buffers passed as arguments in do_reg_get_key_sec() do need to be locally allocated not dynamically allocated, as two calls to reg_get_key_sec() are needed. on the first, the server fills in the size of the security descriptor buffer needed. on the second, the server fills in the security descriptor buffer. (This used to be commit b2d9cbef6f65bb696df8d8f49aa0c240e0bb1f50) --- source3/lib/util_sid.c | 20 -------------------- 1 file changed, 20 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 77997df1e6..dce398f36f 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -225,23 +225,3 @@ int sid_size(const DOM_SID *sid) } return sid->num_auths * sizeof(uint32) + 8; } - - -/***************************************************************** - Duplicates a sid - mallocs the target. -*****************************************************************/ - -DOM_SID *sid_dup(DOM_SID *src) -{ - DOM_SID *dst; - - if(!src) - return NULL; - - if((dst = malloc(sizeof(DOM_SID))) != NULL) { - memset(dst, '\0', sizeof(DOM_SID)); - sid_copy( dst, src); - } - - return dst; -} -- cgit From 56128244261f8e4c6e1144da66c736fbc2104665 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Mon, 25 Oct 1999 19:03:27 +0000 Subject: - typecast malloc / Realloc issues. - signed / unsigned issues. (This used to be commit c8fd555179314baf1672a23db34dc8ad9f2d02bf) --- source3/lib/util_sid.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index dce398f36f..3be81ce811 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -225,3 +225,23 @@ int sid_size(const DOM_SID *sid) } return sid->num_auths * sizeof(uint32) + 8; } + + +/***************************************************************** + Duplicates a sid - mallocs the target. +*****************************************************************/ + +DOM_SID *sid_dup(DOM_SID *src) +{ + DOM_SID *dst; + + if(!src) + return NULL; + + if((dst = (DOM_SID*)malloc(sizeof(DOM_SID))) != NULL) { + memset(dst, '\0', sizeof(DOM_SID)); + sid_copy( dst, src); + } + + return dst; +} -- cgit From de573ca8916bbe5d67bc1f38cf23c98f43ad0aaa Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Mon, 1 Nov 1999 21:09:24 +0000 Subject: rewrote rpcclient enumaliases command. (This used to be commit 492fdaaf2009e7d7e840323357a333fdf9c4d2e1) --- source3/lib/util_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') 
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 3be81ce811..295fd0efac 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -231,7 +231,7 @@ int sid_size(const DOM_SID *sid) Duplicates a sid - mallocs the target. *****************************************************************/ -DOM_SID *sid_dup(DOM_SID *src) +DOM_SID *sid_dup(const DOM_SID *src) { DOM_SID *dst; -- cgit From a56bea383b4813f77478f9859dc33c90a564f540 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Sat, 20 Nov 1999 19:43:37 +0000 Subject: doing a code reshuffle. want to add code to establish trust relationships. (This used to be commit 3ec269b402ba6898d905ea1029c427e1b645faf4) --- source3/lib/util_sid.c | 296 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 296 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 295fd0efac..b497a1e455 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -245,3 +245,299 @@ DOM_SID *sid_dup(const DOM_SID *src) return dst; } + + +/**************************************************************************** + Read a SID from a file. +****************************************************************************/ + +static BOOL read_sid_from_file(int fd, char *sid_file, DOM_SID *sid) +{ + fstring fline; + fstring sid_str; + + memset(fline, '\0', sizeof(fline)); + + if (read(fd, fline, sizeof(fline) -1 ) < 0) { + DEBUG(0,("unable to read file %s. Error was %s\n", + sid_file, strerror(errno) )); + return False; + } + + /* + * Convert to the machine SID. + */ + + fline[sizeof(fline)-1] = '\0'; + if (!string_to_sid(sid, fline)) { + DEBUG(0,("unable to generate machine SID.\n")); + return False; + } + + sid_to_string(sid_str, sid); + DEBUG(5,("read_sid_from_file: sid %s\n", sid_str)); + + return True; +} + +/**************************************************************************** + Generate the global machine sid. Look for the DOMAINNAME.SID file first, if + not found then look in smb.conf and use it to create the DOMAINNAME.SID file. 
+****************************************************************************/ +BOOL read_sid(char *domain_name, DOM_SID *sid) +{ + int fd; + char *p; + pstring sid_file; + fstring sid_string; + fstring file_name; + SMB_STRUCT_STAT st; + + pstrcpy(sid_file, lp_smb_passwd_file()); + sid_to_string(sid_string, sid); + + DEBUG(10,("read_sid: Domain: %s SID: %s\n", domain_name, sid_string)); + fstrcat(sid_string, "\n"); + + if (sid_file[0] == 0) + { + DEBUG(0,("cannot find smb passwd file\n")); + return False; + } + + p = strrchr(sid_file, '/'); + if (p != NULL) + { + *++p = '\0'; + } + + if (!directory_exist(sid_file, NULL)) + { + if (mkdir(sid_file, 0700) != 0) + { + DEBUG(0,("can't create private directory %s : %s\n", + sid_file, strerror(errno))); + return False; + } + } + + slprintf(file_name, sizeof(file_name)-1, "%s.SID", domain_name); + strupper(file_name); + pstrcat(sid_file, file_name); + + if ((fd = sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) { + DEBUG(0,("unable to open or create file %s. Error was %s\n", + sid_file, strerror(errno) )); + return False; + } + + /* + * Check if the file contains data. + */ + + if (sys_fstat(fd, &st) < 0) { + DEBUG(0,("unable to stat file %s. Error was %s\n", + sid_file, strerror(errno) )); + close(fd); + return False; + } + + if (st.st_size == 0) + { + close(fd); + return False; + } + + /* + * We have a valid SID - read it. + */ + + if (!read_sid_from_file(fd, sid_file, sid)) + { + DEBUG(0,("unable to read file %s. Error was %s\n", + sid_file, strerror(errno) )); + close(fd); + return False; + } + close(fd); + return True; +} + + +/**************************************************************************** + Generate the global machine sid. Look for the DOMAINNAME.SID file first, if + not found then look in smb.conf and use it to create the DOMAINNAME.SID file. 
+****************************************************************************/ +BOOL write_sid(char *domain_name, DOM_SID *sid) +{ + int fd; + char *p; + pstring sid_file; + fstring sid_string; + fstring file_name; + SMB_STRUCT_STAT st; + + pstrcpy(sid_file, lp_smb_passwd_file()); + sid_to_string(sid_string, sid); + + DEBUG(10,("write_sid: Domain: %s SID: %s\n", domain_name, sid_string)); + fstrcat(sid_string, "\n"); + + if (sid_file[0] == 0) + { + DEBUG(0,("cannot find smb passwd file\n")); + return False; + } + + p = strrchr(sid_file, '/'); + if (p != NULL) + { + *++p = '\0'; + } + + if (!directory_exist(sid_file, NULL)) { + if (mkdir(sid_file, 0700) != 0) { + DEBUG(0,("can't create private directory %s : %s\n", + sid_file, strerror(errno))); + return False; + } + } + + slprintf(file_name, sizeof(file_name)-1, "%s.SID", domain_name); + strupper(file_name); + pstrcat(sid_file, file_name); + + if ((fd = sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) { + DEBUG(0,("unable to open or create file %s. Error was %s\n", + sid_file, strerror(errno) )); + return False; + } + + /* + * Check if the file contains data. + */ + + if (sys_fstat(fd, &st) < 0) { + DEBUG(0,("unable to stat file %s. Error was %s\n", + sid_file, strerror(errno) )); + close(fd); + return False; + } + + if (st.st_size > 0) + { + /* + * We have a valid SID already. + */ + close(fd); + DEBUG(0,("SID file %s already exists\n", sid_file)); + return False; + } + + if (!do_file_lock(fd, 60, F_WRLCK)) + { + DEBUG(0,("unable to lock file %s. Error was %s\n", + sid_file, strerror(errno) )); + close(fd); + return False; + } + + /* + * At this point we have a blocking lock on the SID + * file - check if in the meantime someone else wrote + * SID data into the file. If so - they were here first, + * use their data. + */ + + if (sys_fstat(fd, &st) < 0) + { + DEBUG(0,("unable to stat file %s. 
Error was %s\n", + sid_file, strerror(errno) )); + close(fd); + return False; + } + + if (st.st_size > 0) + { + /* + * Unlock as soon as possible to reduce + * contention on the exclusive lock. + */ + do_file_lock(fd, 60, F_UNLCK); + + /* + * We have a valid SID already. + */ + + DEBUG(0,("SID file %s already exists\n", sid_file)); + close(fd); + return False; + } + + /* + * The file is still empty and we have an exlusive lock on it. + * Write out out SID data into the file. + */ + + if (fchmod(fd, 0644) < 0) + { + DEBUG(0,("unable to set correct permissions on file %s. \ +Error was %s\n", sid_file, strerror(errno) )); + close(fd); + return False; + } + + if (write(fd, sid_string, strlen(sid_string)) != strlen(sid_string)) + { + DEBUG(0,("unable to write file %s. Error was %s\n", + sid_file, strerror(errno) )); + close(fd); + return False; + } + + /* + * Unlock & exit. + */ + + do_file_lock(fd, 60, F_UNLCK); + close(fd); + return True; +} + +/**************************************************************************** +create a random SID. +****************************************************************************/ +BOOL create_new_sid(DOM_SID *sid) +{ + uchar raw_sid_data[12]; + fstring sid_string; + int i; + + /* + * Generate the new sid data & turn it into a string. + */ + generate_random_buffer(raw_sid_data, 12, True); + + fstrcpy(sid_string, "S-1-5-21"); + for(i = 0; i < 3; i++) + { + fstring tmp_string; + slprintf(tmp_string, sizeof(tmp_string) - 1, "-%u", IVAL(raw_sid_data, i*4)); + fstrcat(sid_string, tmp_string); + } + + fstrcat(sid_string, "\n"); + + /* + * Ensure our new SID is valid. + */ + + if (!string_to_sid(sid, sid_string)) + { + DEBUG(0,("unable to generate machine SID.\n")); + return False; + } + + return True; +} + -- cgit From e9b8c7743a45b4d045892f9039075fb8cfbd84e5 Mon Sep 17 00:00:00 2001 
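Review bot: read_sid and write_sid build the SID file name from the caller's domain_name with `slprintf(file_name, sizeof(file_name)-1, "%s.SID", domain_name)` and `pstrcat(sid_file, file_name)` without checking it for path separators, so if a name such as `../x` can reach these functions (the later trusted-domain commit on this page suggests names from smb.conf do), the file is created or read outside the private directory; a guard `if (strchr(domain_name, '/') != NULL) return False;` before the slprintf closes that. read_sid also opens with `O_RDWR | O_CREAT, 0644`, creating an empty world-readable SID file as a side effect of a lookup that then fails on `st.st_size == 0`; `O_RDONLY` without `O_CREAT` is the honest mode for a read, and read_sid_from_file's single `read()` should additionally treat a zero or short return as a failure rather than parsing whatever arrived. The two functions share about forty identical lines of path construction and directory creation that a static helper would remove. Finally, the header comment on both ("Generate the global machine sid. Look for the DOMAINNAME.SID file first, if not found then look in smb.conf…") describes neither function; read_sid should say `/* Read the SID for domain_name from <private dir>/DOMAINNAME.SID; False if the file is missing, empty or unparsable. */` and write_sid `/* Create <private dir>/DOMAINNAME.SID holding sid; fails if the file already has content. */`.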
From: Luke Leighton Date: Thu, 2 Dec 1999 16:31:24 +0000 Subject: default SID map now reads in "trusted domains" from smb.conf. (This used to be commit f0946d1ccafeb5f541935b41f2d54bcbc06797ed) --- source3/lib/util_sid.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index b497a1e455..a966484484 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -270,7 +270,7 @@ static BOOL read_sid_from_file(int fd, char *sid_file, DOM_SID *sid) fline[sizeof(fline)-1] = '\0'; if (!string_to_sid(sid, fline)) { - DEBUG(0,("unable to generate machine SID.\n")); + DEBUG(0,("unable to read sid.\n")); return False; } @@ -289,15 +289,12 @@ BOOL read_sid(char *domain_name, DOM_SID *sid) int fd; char *p; pstring sid_file; - fstring sid_string; fstring file_name; SMB_STRUCT_STAT st; pstrcpy(sid_file, lp_smb_passwd_file()); - sid_to_string(sid_string, sid); - DEBUG(10,("read_sid: Domain: %s SID: %s\n", domain_name, sid_string)); - fstrcat(sid_string, "\n"); + DEBUG(10,("read_sid: Domain: %s\n", domain_name)); if (sid_file[0] == 0) { -- cgit From 3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 13 Dec 1999 13:27:58 +0000 Subject: first pass at updating head branch to be to be the same as the SAMBA_2_0 branch (This used to be commit 453a822a76780063dff23526c35408866d0c0154) --- source3/lib/util_sid.c | 708 +++++++++++++++++++++---------------------------- 1 file changed, 297 insertions(+), 411 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index a966484484..9e5154d259 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -3,6 +3,8 @@ Version 1.9. Samba utility functions Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 + Copyright (C) Jeremy Allison 1999 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -23,13 +25,206 @@ extern int DEBUGLEVEL; +DOM_SID global_sam_sid; +extern pstring global_myname; +extern fstring global_myworkgroup; + +/* + * Some useful sids + */ + +DOM_SID global_sid_S_1_5_0x20; /* local well-known domain */ +DOM_SID global_sid_World_Domain; /* everyone */ +DOM_SID global_sid_World; /* everyone */ +DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner */ +DOM_SID global_sid_Creator_Owner; /* Creator Owner */ +DOM_SID global_sid_NT_Authority; /* NT Authority */ + +typedef struct _known_sid_users { + uint32 rid; + uint8 sid_name_use; + char *known_user_name; +} known_sid_users; + +/* static known_sid_users no_users[] = {{0, 0, NULL}}; */ +static known_sid_users everyone_users[] = {{ 0, SID_NAME_WKN_GRP, "Everyone" }, {0, 0, NULL}}; +static known_sid_users creator_owner_users[] = {{ 0, SID_NAME_ALIAS, "Creator Owner" }, {0, 0, NULL}}; +static known_sid_users nt_authority_users[] = {{ 1, SID_NAME_ALIAS, "Dialup" }, + { 2, SID_NAME_ALIAS, "Network"}, + { 3, SID_NAME_ALIAS, "Batch"}, + { 4, SID_NAME_ALIAS, "Interactive"}, + { 6, SID_NAME_ALIAS, "Service"}, + { 7, SID_NAME_ALIAS, "AnonymousLogon"}, + { 8, SID_NAME_ALIAS, "Proxy"}, + { 9, SID_NAME_ALIAS, "ServerLogon"}, + {0, 0, NULL}}; + +static struct sid_name_map_info +{ + DOM_SID *sid; + char *name; + known_sid_users *known_users; +} +sid_name_map[] = +{ + { &global_sam_sid, global_myname, NULL}, + { &global_sam_sid, global_myworkgroup, NULL}, + { &global_sid_S_1_5_0x20, "BUILTIN", NULL}, + { &global_sid_World_Domain, "", &everyone_users[0] }, + { &global_sid_Creator_Owner_Domain, "", &creator_owner_users[0] }, + { &global_sid_NT_Authority, "NT Authority", &nt_authority_users[0] }, + { NULL, NULL, NULL} +}; + +/**************************************************************************** + Creates some useful well known sids +****************************************************************************/ + +void generate_wellknown_sids(void) +{ + string_to_sid(&global_sid_S_1_5_0x20, 
"S-1-5-32"); + string_to_sid(&global_sid_World_Domain, "S-1-1"); + string_to_sid(&global_sid_World, "S-1-1-0"); + string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3"); + string_to_sid(&global_sid_Creator_Owner, "S-1-3-0"); + string_to_sid(&global_sid_NT_Authority, "S-1-5"); +} + +/************************************************************************** + Turns a domain SID into a name, returned in the nt_domain argument. +***************************************************************************/ + +BOOL map_domain_sid_to_name(DOM_SID *sid, char *nt_domain) +{ + fstring sid_str; + int i = 0; + sid_to_string(sid_str, sid); + + DEBUG(5,("map_domain_sid_to_name: %s\n", sid_str)); + + if (nt_domain == NULL) + return False; + + while (sid_name_map[i].sid != NULL) { + sid_to_string(sid_str, sid_name_map[i].sid); + DEBUG(5,("map_domain_sid_to_name: compare: %s\n", sid_str)); + if (sid_equal(sid_name_map[i].sid, sid)) { + fstrcpy(nt_domain, sid_name_map[i].name); + DEBUG(5,("map_domain_sid_to_name: found '%s'\n", nt_domain)); + return True; + } + i++; + } + + DEBUG(5,("map_domain_sid_to_name: mapping for %s not found\n", sid_str)); + + return False; +} + +/************************************************************************** + Looks up a known username from one of the known domains. 
+***************************************************************************/ + +BOOL lookup_known_rid(DOM_SID *sid, uint32 rid, char *name, uint8 *psid_name_use) +{ + int i = 0; + struct sid_name_map_info *psnm; + + for(i = 0; sid_name_map[i].sid != NULL; i++) { + psnm = &sid_name_map[i]; + if(sid_equal(psnm->sid, sid)) { + int j; + for(j = 0; psnm->known_users && psnm->known_users[j].known_user_name != NULL; j++) { + if(rid == psnm->known_users[j].rid) { + DEBUG(5,("lookup_builtin_rid: rid = %u, domain = '%s', user = '%s'\n", + (unsigned int)rid, psnm->name, psnm->known_users[j].known_user_name )); + fstrcpy( name, psnm->known_users[j].known_user_name); + *psid_name_use = psnm->known_users[j].sid_name_use; + return True; + } + } + } + } + + return False; +} + +/************************************************************************** + Turns a domain name into a SID. + *** side-effect: if the domain name is NULL, it is set to our domain *** +***************************************************************************/ + +BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain) +{ + int i = 0; + + if (nt_domain == NULL) { + DEBUG(5,("map_domain_name_to_sid: mapping NULL domain to our SID.\n")); + sid_copy(sid, &global_sam_sid); + return True; + } + + if (nt_domain[0] == 0) { + fstrcpy(nt_domain, global_myname); + DEBUG(5,("map_domain_name_to_sid: overriding blank name to %s\n", nt_domain)); + sid_copy(sid, &global_sam_sid); + return True; + } + + DEBUG(5,("map_domain_name_to_sid: %s\n", nt_domain)); + + while (sid_name_map[i].name != NULL) { + DEBUG(5,("map_domain_name_to_sid: compare: %s\n", sid_name_map[i].name)); + if (strequal(sid_name_map[i].name, nt_domain)) { + fstring sid_str; + sid_copy(sid, sid_name_map[i].sid); + sid_to_string(sid_str, sid_name_map[i].sid); + DEBUG(5,("map_domain_name_to_sid: found %s\n", sid_str)); + return True; + } + i++; + } + + DEBUG(0,("map_domain_name_to_sid: mapping to %s not found.\n", nt_domain)); + return False; +} + 
+/************************************************************************** + Splits a name of format \DOMAIN\name or name into its two components. + Sets the DOMAIN name to global_myname if it has not been specified. +***************************************************************************/ + +void split_domain_name(const char *fullname, char *domain, char *name) +{ + pstring full_name; + char *p; + + *domain = *name = '\0'; + if (fullname[0] == '\\') + fullname++; + + pstrcpy(full_name, fullname); + p = strchr(full_name+1, '\\'); + + if (p != NULL) { + *p = 0; + fstrcpy(domain, full_name); + fstrcpy(name, p+1); + } else { + fstrcpy(domain, global_myname); + fstrcpy(name, full_name); + } + + DEBUG(10,("split_domain_name:name '%s' split into domain :'%s' and user :'%s'\n", + fullname, domain, name)); +} /***************************************************************** Convert a SID to an ascii string. *****************************************************************/ -char *sid_to_string(pstring sidstr_out, const DOM_SID *sid) +char *sid_to_string(fstring sidstr_out, DOM_SID *sid) { char subauth[16]; int i; @@ -39,12 +234,11 @@ char *sid_to_string(pstring sidstr_out, const DOM_SID *sid) (sid->id_auth[3] << 16) + (sid->id_auth[2] << 24); - slprintf(sidstr_out, sizeof(pstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia); + slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia); - for (i = 0; i < sid->num_auths; i++) - { + for (i = 0; i < sid->num_auths; i++) { slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]); - pstrcat(sidstr_out, subauth); + fstrcat(sidstr_out, subauth); } DEBUG(7,("sid_to_string returning %s\n", sidstr_out)); 
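Review bot: In split_domain_name, `p = strchr(full_name+1, '\\');` starts the search one byte past the start of the copied string, so an empty `fullname` (or a lone `\`) makes strchr scan from `full_name[1]`, a byte pstrcpy presumably never wrote, until it happens to hit a NUL; guarding with `if (full_name[0] != '\0')` or searching from `full_name` keeps the read inside the string. The DEBUG line in lookup_known_rid labels itself `lookup_builtin_rid`, so grepping logs for the real symbol misses it; `DEBUG(5,("lookup_known_rid: rid = %u, domain = '%s', user = '%s'\n",` matches the function. The new sid_to_string prototype also drops the `const` on `sid` and shrinks the output from pstring to fstring; fstrcat presumably truncates rather than overflows, but if fstring cannot hold MAXSUBAUTHS ten-digit sub-authorities the returned string no longer identifies the SID for callers that compare or store it, which deserves either a size check or a comment stating the assumed bound.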
@@ -55,72 +249,68 @@ char *sid_to_string(pstring sidstr_out, const DOM_SID *sid) Convert a string to a SID. Returns True on success, False on fail. *****************************************************************/ -BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) +BOOL string_to_sid(DOM_SID *sidout, char *sidstr) { - const char *p = sidstr; - /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ - uint32 ia; + pstring tok; + char *p = sidstr; + /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ + uint32 ia; - memset((char *)sidout, '\0', sizeof(DOM_SID)); + memset((char *)sidout, '\0', sizeof(DOM_SID)); - if (StrnCaseCmp( sidstr, "S-", 2)) - { - DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); - return False; - } + if (StrnCaseCmp( sidstr, "S-", 2)) { + DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); + return False; + } - if ((p = strchr(p, '-')) == NULL) - { - DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); - return False; - } + p += 2; + if (!next_token(&p, tok, "-", sizeof(tok))) { + DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); + return False; + } - p++; + /* Get the revision number. */ + sidout->sid_rev_num = (uint8)strtoul(tok, NULL, 10); - /* Get the revision number. */ - sidout->sid_rev_num = (uint8)strtoul(p,NULL,10); + if (!next_token(&p, tok, "-", sizeof(tok))) { + DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); + return False; + } - if ((p = strchr(p, '-')) == NULL) - { - DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); - return False; - } + /* identauth in decimal should be < 2^32 */ + ia = (uint32)strtoul(tok, NULL, 10); + + /* NOTE - the ia value is in big-endian format. 
*/ + sidout->id_auth[0] = 0; + sidout->id_auth[1] = 0; + sidout->id_auth[2] = (ia & 0xff000000) >> 24; + sidout->id_auth[3] = (ia & 0x00ff0000) >> 16; + sidout->id_auth[4] = (ia & 0x0000ff00) >> 8; + sidout->id_auth[5] = (ia & 0x000000ff); + + sidout->num_auths = 0; + + while(next_token(&p, tok, "-", sizeof(tok)) && + sidout->num_auths < MAXSUBAUTHS) { + /* + * NOTE - the subauths are in native machine-endian format. They + * are converted to little-endian when linearized onto the wire. + */ + sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10)); + } - p++; - - /* identauth in decimal should be < 2^32 */ - ia = (uint32)strtoul(p,NULL,10); - - /* NOTE - the ia value is in big-endian format. */ - sidout->id_auth[0] = 0; - sidout->id_auth[1] = 0; - sidout->id_auth[2] = (ia & 0xff000000) >> 24; - sidout->id_auth[3] = (ia & 0x00ff0000) >> 16; - sidout->id_auth[4] = (ia & 0x0000ff00) >> 8; - sidout->id_auth[5] = (ia & 0x000000ff); - - sidout->num_auths = 0; - - while (((p = strchr(p, '-')) != NULL) && sidout->num_auths < MAXSUBAUTHS) - { - p++; - /* - * NOTE - the subauths are in native machine-endian format. They - * are converted to little-endian when linearized onto the wire. - */ - sid_append_rid(sidout, (uint32)strtoul(p, NULL, 10)); - } + DEBUG(7,("string_to_sid: converted SID %s ok\n", sidstr)); - return True; + return True; } /***************************************************************** - add a rid to the end of a sid + Add a rid to the end of a sid *****************************************************************/ + BOOL sid_append_rid(DOM_SID *sid, uint32 rid) { - if (sid->num_auths < MAXSUBAUTHS) - { + if (sid->num_auths < MAXSUBAUTHS) { sid->sub_auths[sid->num_auths++] = rid; return True; } 
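Review bot: string_to_sid accepts any text that merely starts with `S-`: every component goes through `strtoul(tok, NULL, 10)` with no end-pointer or range check, so `S-1-abc-5` parses as revision 1, authority 0 and one sub-authority of 5, an identifier authority of 2^32 or more is silently truncated by the `(uint32)` cast, and the revision likewise by `(uint8)`. The loop condition also calls next_token before comparing `num_auths` with MAXSUBAUTHS, so a string with more than MAXSUBAUTHS sub-authorities is truncated and still reported as valid. Callers elsewhere presumably feed this parser strings read from files or from peers, so unparseable or out-of-range components should be rejected rather than mapped to zero; the helper below validates one token, each `strtoul(tok, NULL, 10)` becomes `if (!parse_sid_component(tok, &v)) return False;` followed by the existing assignment, and the loop should stop on the count check before consuming another token so leftover input can be reported.
```c
/* Parse one decimal SID component; reject empty tokens, trailing junk and values above 32 bits. */
static BOOL parse_sid_component(const char *tok, uint32 *out)
{
	char *end;
	unsigned long v;

	errno = 0;
	v = strtoul(tok, &end, 10);
	if (end == tok || *end != '\0' || errno != 0 || v > 0xffffffffUL)
		return False;
	*out = (uint32)v;
	return True;
}
/* … unchanged: string_to_sid, with each strtoul(tok, NULL, 10) replaced by a parse_sid_component call … */
```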
@@ -128,413 +318,109 @@ BOOL sid_append_rid(DOM_SID *sid, uint32 rid) } /***************************************************************** - removes the last rid from the end of a sid + Removes the last rid from the end of a sid *****************************************************************/ + BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) { - if (sid->num_auths > 0) - { + if (sid->num_auths > 0) { sid->num_auths--; - if (rid != NULL) - { - (*rid) = sid->sub_auths[sid->num_auths]; - } + *rid = sid->sub_auths[sid->num_auths]; return True; } return False; } /***************************************************************** - copies a sid + Copies a sid *****************************************************************/ -void sid_copy(DOM_SID *sid1, const DOM_SID *sid2) -{ - int i; - - for (i = 0; i < 6; i++) - { - sid1->id_auth[i] = sid2->id_auth[i]; - } - - for (i = 0; i < sid2->num_auths; i++) - { - sid1->sub_auths[i] = sid2->sub_auths[i]; - } - sid1->num_auths = sid2->num_auths; - sid1->sid_rev_num = sid2->sid_rev_num; -} - -/***************************************************************** - compare two sids up to the auths of the first sid -*****************************************************************/ -BOOL sid_front_equal(const DOM_SID *sid1, const DOM_SID *sid2) +void sid_copy(DOM_SID *dst, DOM_SID *src) { int i; - /* compare most likely different rids, first: i.e start at end */ - for (i = sid1->num_auths-1; i >= 0; --i) - { - if (sid1->sub_auths[i] != sid2->sub_auths[i]) return False; - } - - if (sid1->num_auths > sid2->num_auths ) return False; - if (sid1->sid_rev_num != sid2->sid_rev_num) return False; + dst->sid_rev_num = src->sid_rev_num; + dst->num_auths = src->num_auths; - for (i = 0; i < 6; i++) - { - if (sid1->id_auth[i] != sid2->id_auth[i]) return False; - } + memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth)); - return True; + for (i = 0; i < src->num_auths; i++) + dst->sub_auths[i] = src->sub_auths[i]; } 
-/***************************************************************** - compare two sids -*****************************************************************/ -BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2) -{ - int i; - - /* compare most likely different rids, first: i.e start at end */ - for (i = sid1->num_auths-1; i >= 0; --i) - { - if (sid1->sub_auths[i] != sid2->sub_auths[i]) return False; - } - - if (sid1->num_auths != sid2->num_auths ) return False; - if (sid1->sid_rev_num != sid2->sid_rev_num) return False; - - for (i = 0; i < 6; i++) - { - if (sid1->id_auth[i] != sid2->id_auth[i]) return False; - } - - return True; -} - - -/***************************************************************** - calculates size of a sid -*****************************************************************/ -int sid_size(const DOM_SID *sid) -{ - if (sid == NULL) - { - return 0; - } - return sid->num_auths * sizeof(uint32) + 8; -} - - /***************************************************************** Duplicates a sid - mallocs the target. *****************************************************************/ -DOM_SID *sid_dup(const DOM_SID *src) +DOM_SID *sid_dup(DOM_SID *src) { DOM_SID *dst; if(!src) return NULL; - if((dst = (DOM_SID*)malloc(sizeof(DOM_SID))) != NULL) { - memset(dst, '\0', sizeof(DOM_SID)); - sid_copy( dst, src); + if((dst = malloc(sizeof(DOM_SID))) != NULL) { + memset(dst, '\0', sizeof(DOM_SID)); + sid_copy( dst, src); } return dst; } +/***************************************************************** + Write a sid out into on-the-wire format. +*****************************************************************/ -/**************************************************************************** - Read a SID from a file. 
-****************************************************************************/ - -static BOOL read_sid_from_file(int fd, char *sid_file, DOM_SID *sid) -{ - fstring fline; - fstring sid_str; - - memset(fline, '\0', sizeof(fline)); - - if (read(fd, fline, sizeof(fline) -1 ) < 0) { - DEBUG(0,("unable to read file %s. Error was %s\n", - sid_file, strerror(errno) )); - return False; - } - - /* - * Convert to the machine SID. - */ - - fline[sizeof(fline)-1] = '\0'; - if (!string_to_sid(sid, fline)) { - DEBUG(0,("unable to read sid.\n")); - return False; - } - - sid_to_string(sid_str, sid); - DEBUG(5,("read_sid_from_file: sid %s\n", sid_str)); - - return True; -} - -/**************************************************************************** - Generate the global machine sid. Look for the DOMAINNAME.SID file first, if - not found then look in smb.conf and use it to create the DOMAINNAME.SID file. -****************************************************************************/ -BOOL read_sid(char *domain_name, DOM_SID *sid) +BOOL sid_linearize(char *outbuf, size_t len, DOM_SID *sid) { - int fd; - char *p; - pstring sid_file; - fstring file_name; - SMB_STRUCT_STAT st; - - pstrcpy(sid_file, lp_smb_passwd_file()); - - DEBUG(10,("read_sid: Domain: %s\n", domain_name)); + size_t i; - if (sid_file[0] == 0) - { - DEBUG(0,("cannot find smb passwd file\n")); + if(len < sid_size(sid)) return False; - } - - p = strrchr(sid_file, '/'); - if (p != NULL) - { - *++p = '\0'; - } - if (!directory_exist(sid_file, NULL)) - { - if (mkdir(sid_file, 0700) != 0) - { - DEBUG(0,("can't create private directory %s : %s\n", - sid_file, strerror(errno))); - return False; - } - } + SCVAL(outbuf,0,sid->sid_rev_num); + SCVAL(outbuf,1,sid->num_auths); + memcpy(&outbuf[2], sid->id_auth, 6); + for(i = 0; i < sid->num_auths; i++) + SIVAL(outbuf, 8 + (i*4), sid->sub_auths[i]); - slprintf(file_name, sizeof(file_name)-1, "%s.SID", domain_name); - strupper(file_name); - pstrcat(sid_file, file_name); - - if ((fd 
= sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) { - DEBUG(0,("unable to open or create file %s. Error was %s\n", - sid_file, strerror(errno) )); - return False; - } - - /* - * Check if the file contains data. - */ - - if (sys_fstat(fd, &st) < 0) { - DEBUG(0,("unable to stat file %s. Error was %s\n", - sid_file, strerror(errno) )); - close(fd); - return False; - } - - if (st.st_size == 0) - { - close(fd); - return False; - } - - /* - * We have a valid SID - read it. - */ - - if (!read_sid_from_file(fd, sid_file, sid)) - { - DEBUG(0,("unable to read file %s. Error was %s\n", - sid_file, strerror(errno) )); - close(fd); - return False; - } - close(fd); return True; -} +} +/***************************************************************** + Compare two sids. +*****************************************************************/ -/**************************************************************************** - Generate the global machine sid. Look for the DOMAINNAME.SID file first, if - not found then look in smb.conf and use it to create the DOMAINNAME.SID file. 
-****************************************************************************/ -BOOL write_sid(char *domain_name, DOM_SID *sid) +BOOL sid_equal(DOM_SID *sid1, DOM_SID *sid2) { - int fd; - char *p; - pstring sid_file; - fstring sid_string; - fstring file_name; - SMB_STRUCT_STAT st; - - pstrcpy(sid_file, lp_smb_passwd_file()); - sid_to_string(sid_string, sid); + int i; - DEBUG(10,("write_sid: Domain: %s SID: %s\n", domain_name, sid_string)); - fstrcat(sid_string, "\n"); + /* compare most likely different rids, first: i.e start at end */ + for (i = sid1->num_auths-1; i >= 0; --i) + if (sid1->sub_auths[i] != sid2->sub_auths[i]) + return False; - if (sid_file[0] == 0) - { - DEBUG(0,("cannot find smb passwd file\n")); + if (sid1->num_auths != sid2->num_auths) + return False; + if (sid1->sid_rev_num != sid2->sid_rev_num) return False; - } - - p = strrchr(sid_file, '/'); - if (p != NULL) - { - *++p = '\0'; - } - if (!directory_exist(sid_file, NULL)) { - if (mkdir(sid_file, 0700) != 0) { - DEBUG(0,("can't create private directory %s : %s\n", - sid_file, strerror(errno))); + for (i = 0; i < 6; i++) + if (sid1->id_auth[i] != sid2->id_auth[i]) return False; - } - } - slprintf(file_name, sizeof(file_name)-1, "%s.SID", domain_name); - strupper(file_name); - pstrcat(sid_file, file_name); - - if ((fd = sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) { - DEBUG(0,("unable to open or create file %s. Error was %s\n", - sid_file, strerror(errno) )); - return False; - } - - /* - * Check if the file contains data. - */ - - if (sys_fstat(fd, &st) < 0) { - DEBUG(0,("unable to stat file %s. Error was %s\n", - sid_file, strerror(errno) )); - close(fd); - return False; - } - - if (st.st_size > 0) - { - /* - * We have a valid SID already. - */ - close(fd); - DEBUG(0,("SID file %s already exists\n", sid_file)); - return False; - } - - if (!do_file_lock(fd, 60, F_WRLCK)) - { - DEBUG(0,("unable to lock file %s. 
Error was %s\n", - sid_file, strerror(errno) )); - close(fd); - return False; - } - - /* - * At this point we have a blocking lock on the SID - * file - check if in the meantime someone else wrote - * SID data into the file. If so - they were here first, - * use their data. - */ - - if (sys_fstat(fd, &st) < 0) - { - DEBUG(0,("unable to stat file %s. Error was %s\n", - sid_file, strerror(errno) )); - close(fd); - return False; - } - - if (st.st_size > 0) - { - /* - * Unlock as soon as possible to reduce - * contention on the exclusive lock. - */ - do_file_lock(fd, 60, F_UNLCK); - - /* - * We have a valid SID already. - */ - - DEBUG(0,("SID file %s already exists\n", sid_file)); - close(fd); - return False; - } - - /* - * The file is still empty and we have an exlusive lock on it. - * Write out out SID data into the file. - */ - - if (fchmod(fd, 0644) < 0) - { - DEBUG(0,("unable to set correct permissions on file %s. \ -Error was %s\n", sid_file, strerror(errno) )); - close(fd); - return False; - } - - if (write(fd, sid_string, strlen(sid_string)) != strlen(sid_string)) - { - DEBUG(0,("unable to write file %s. Error was %s\n", - sid_file, strerror(errno) )); - close(fd); - return False; - } - - /* - * Unlock & exit. - */ - - do_file_lock(fd, 60, F_UNLCK); - close(fd); return True; -} +} -/**************************************************************************** -create a random SID. -****************************************************************************/ -BOOL create_new_sid(DOM_SID *sid) -{ - uchar raw_sid_data[12]; - fstring sid_string; - int i; - /* - * Generate the new sid data & turn it into a string. - */ - generate_random_buffer(raw_sid_data, 12, True); - - fstrcpy(sid_string, "S-1-5-21"); - for(i = 0; i < 3; i++) - { - fstring tmp_string; - slprintf(tmp_string, sizeof(tmp_string) - 1, "-%u", IVAL(raw_sid_data, i*4)); - fstrcat(sid_string, tmp_string); - } - - fstrcat(sid_string, "\n"); - - /* - * Ensure our new SID is valid. 
- */ - - if (!string_to_sid(sid, sid_string)) - { - DEBUG(0,("unable to generate machine SID.\n")); - return False; - } +/***************************************************************** + Calculates size of a sid. +*****************************************************************/ - return True; +size_t sid_size(DOM_SID *sid) +{ + if (sid == NULL) + return 0; + + return sid->num_auths * sizeof(uint32) + 8; } - -- cgit From fbd17c8dafeefac788f4bc1c41045726825f513f Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Mon, 3 Jan 2000 19:19:48 +0000 Subject: simple mods to add msrpc pipe redirection. default behaviour: fall back to using internal msrpc code in smbd. (This used to be commit 8976e26d46cb991710bc77463f7f928ac00dd4d8) --- source3/lib/util_sid.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 289 insertions(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 9e5154d259..f2f7b3c8ae 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -335,7 +335,7 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) Copies a sid *****************************************************************/ -void sid_copy(DOM_SID *dst, DOM_SID *src) +void sid_copy(DOM_SID *dst, const DOM_SID *src) { int i; 
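Review bot: sid_split_rid now writes `*rid` unconditionally; the guard removed just above it allowed a NULL `rid`, so any caller that passes NULL to discard the split-off rid now dereferences NULL. Keeping `if (rid != NULL) *rid = sid->sub_auths[sid->num_auths];` preserves the old contract at no cost. In sid_equal the sub-authority loop runs over `sid1->num_auths` entries before the two counts are compared, so when sid1 has more sub-authorities than sid2 the loop reads `sid2->sub_auths` beyond the entries sid2 ever set (inside the fixed array, but possibly stale); moving the `num_auths` comparison ahead of the loop makes the result depend only on data both sides initialised. This hunk also drops `const` from the sid_copy, sid_dup, sid_equal and sid_size parameters, and the following commit on this page restores it only for sid_copy.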
@@ -424,3 +424,291 @@ size_t sid_size(DOM_SID *sid) return sid->num_auths * sizeof(uint32) + 8; } + +static BOOL read_sid_from_file(int fd, char *sid_file, DOM_SID *sid) +{ + fstring fline; + fstring sid_str; + + memset(fline, '\0', sizeof(fline)); + + if (read(fd, fline, sizeof(fline) -1 ) < 0) { + DEBUG(0,("unable to read file %s. Error was %s\n", + sid_file, strerror(errno) )); + return False; + } + + /* + * Convert to the machine SID. + */ + + fline[sizeof(fline)-1] = '\0'; + if (!string_to_sid(sid, fline)) { + DEBUG(0,("unable to read sid.\n")); + return False; + } + + sid_to_string(sid_str, sid); + DEBUG(5,("read_sid_from_file: sid %s\n", sid_str)); + + return True; +} + +/**************************************************************************** + Generate the global machine sid. Look for the DOMAINNAME.SID file first, if + not found then look in smb.conf and use it to create the DOMAINNAME.SID file. +****************************************************************************/ +BOOL read_sid(char *sam_name, DOM_SID *sid) +{ + int fd; + char *p; + pstring sid_file; + fstring file_name; + SMB_STRUCT_STAT st; + + pstrcpy(sid_file, lp_smb_passwd_file()); + + DEBUG(10,("read_sid: Domain: %s\n", sam_name)); + + if (sid_file[0] == 0) + { + DEBUG(0,("cannot find smb passwd file\n")); + return False; + } + + p = strrchr(sid_file, '/'); + if (p != NULL) + { + *++p = '\0'; + } + + if (!directory_exist(sid_file, NULL)) + { + if (mkdir(sid_file, 0700) != 0) + { + DEBUG(0,("can't create private directory %s : %s\n", + sid_file, strerror(errno))); + return False; + } + } + + slprintf(file_name, sizeof(file_name)-1, "%s.SID", sam_name); + strupper(file_name); + pstrcat(sid_file, file_name); + + if ((fd = sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) { + DEBUG(0,("unable to open or create file %s. Error was %s\n", + sid_file, strerror(errno) )); + return False; + } + + /* + * Check if the file contains data. 
+ */ + + if (sys_fstat(fd, &st) < 0) { + DEBUG(0,("unable to stat file %s. Error was %s\n", + sid_file, strerror(errno) )); + close(fd); + return False; + } + + if (st.st_size == 0) + { + close(fd); + return False; + } + + /* + * We have a valid SID - read it. + */ + + if (!read_sid_from_file(fd, sid_file, sid)) + { + DEBUG(0,("unable to read file %s. Error was %s\n", + sid_file, strerror(errno) )); + close(fd); + return False; + } + close(fd); + return True; +} + + +/**************************************************************************** + Generate the global machine sid. Look for the DOMAINNAME.SID file first, if + not found then look in smb.conf and use it to create the DOMAINNAME.SID file. +****************************************************************************/ +BOOL write_sid(char *sam_name, DOM_SID *sid) +{ + int fd; + char *p; + pstring sid_file; + fstring sid_string; + fstring file_name; + SMB_STRUCT_STAT st; + + pstrcpy(sid_file, lp_smb_passwd_file()); + sid_to_string(sid_string, sid); + + DEBUG(10,("write_sid: Domain: %s SID: %s\n", sam_name, sid_string)); + fstrcat(sid_string, "\n"); + + if (sid_file[0] == 0) + { + DEBUG(0,("cannot find smb passwd file\n")); + return False; + } + + p = strrchr(sid_file, '/'); + if (p != NULL) + { + *++p = '\0'; + } + + if (!directory_exist(sid_file, NULL)) { + if (mkdir(sid_file, 0700) != 0) { + DEBUG(0,("can't create private directory %s : %s\n", + sid_file, strerror(errno))); + return False; + } + } + + slprintf(file_name, sizeof(file_name)-1, "%s.SID", sam_name); + strupper(file_name); + pstrcat(sid_file, file_name); + + if ((fd = sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) { + DEBUG(0,("unable to open or create file %s. Error was %s\n", + sid_file, strerror(errno) )); + return False; + } + + /* + * Check if the file contains data. + */ + + if (sys_fstat(fd, &st) < 0) { + DEBUG(0,("unable to stat file %s. 
Error was %s\n", + sid_file, strerror(errno) )); + close(fd); + return False; + } + + if (st.st_size > 0) + { + /* + * We have a valid SID already. + */ + close(fd); + DEBUG(0,("SID file %s already exists\n", sid_file)); + return False; + } + + if (!do_file_lock(fd, 60, F_WRLCK)) + { + DEBUG(0,("unable to lock file %s. Error was %s\n", + sid_file, strerror(errno) )); + close(fd); + return False; + } + + /* + * At this point we have a blocking lock on the SID + * file - check if in the meantime someone else wrote + * SID data into the file. If so - they were here first, + * use their data. + */ + + if (sys_fstat(fd, &st) < 0) + { + DEBUG(0,("unable to stat file %s. Error was %s\n", + sid_file, strerror(errno) )); + close(fd); + return False; + } + + if (st.st_size > 0) + { + /* + * Unlock as soon as possible to reduce + * contention on the exclusive lock. + */ + do_file_lock(fd, 60, F_UNLCK); + + /* + * We have a valid SID already. + */ + + DEBUG(0,("SID file %s already exists\n", sid_file)); + close(fd); + return False; + } + + /* + * The file is still empty and we have an exlusive lock on it. + * Write out out SID data into the file. + */ + + if (fchmod(fd, 0644) < 0) + { + DEBUG(0,("unable to set correct permissions on file %s. \ +Error was %s\n", sid_file, strerror(errno) )); + close(fd); + return False; + } + + if (write(fd, sid_string, strlen(sid_string)) != strlen(sid_string)) + { + DEBUG(0,("unable to write file %s. Error was %s\n", + sid_file, strerror(errno) )); + close(fd); + return False; + } + + /* + * Unlock & exit. + */ + + do_file_lock(fd, 60, F_UNLCK); + close(fd); + return True; +} + +/**************************************************************************** +create a random SID. +****************************************************************************/ +BOOL create_new_sid(DOM_SID *sid) +{ + uchar raw_sid_data[12]; + fstring sid_string; + int i; + + /* + * Generate the new sid data & turn it into a string. 
+ */ + generate_random_buffer(raw_sid_data, 12, True); + + fstrcpy(sid_string, "S-1-5-21"); + for(i = 0; i < 3; i++) + { + fstring tmp_string; + slprintf(tmp_string, sizeof(tmp_string) - 1, "-%u", IVAL(raw_sid_data, i*4)); + fstrcat(sid_string, tmp_string); + } + + fstrcat(sid_string, "\n"); + + /* + * Ensure our new SID is valid. + */ + + if (!string_to_sid(sid, sid_string)) + { + DEBUG(0,("unable to generate machine SID.\n")); + return False; + } + + return True; +} + -- cgit From e1083ea7df16323e63efb6f752a6d5c6f0c4910e Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 12 Apr 2000 00:37:08 +0000 Subject: Roll back to using static MACHINE.SID after consultation with Andrew. This code will be removed soon and a SID auto-generated from (probably) primary hostname and never stored in a file will replace it. Jeremy. (This used to be commit fbfe94a799cda7f728bc920d4f0655d4f537e3b6) --- source3/lib/util_sid.c | 288 ------------------------------------------------- 1 file changed, 288 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index f2f7b3c8ae..65bc2fe85d 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
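Review bot: create_new_sid appends `"\n"` to sid_string before handing it to string_to_sid, so the last sub-authority reaches strtoul as `digits\n` and parses only because the trailing character is ignored; the newline serves no purpose here (write_sid adds its own when persisting), and the self-check would fail the moment the parser becomes strict, so drop the `fstrcat(sid_string, "\n");` line in this function. In read_sid, the failure branch after read_sid_from_file reports `strerror(errno)`, but that helper also fails on a parse error (`unable to read sid.`) without touching errno, so the message then shows a stale or unrelated error; log the parse failure without errno, or let the helper distinguish the two cases.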
@@ -424,291 +424,3 @@ size_t sid_size(DOM_SID *sid) return sid->num_auths * sizeof(uint32) + 8; } - -static BOOL read_sid_from_file(int fd, char *sid_file, DOM_SID *sid) -{ - fstring fline; - fstring sid_str; - - memset(fline, '\0', sizeof(fline)); - - if (read(fd, fline, sizeof(fline) -1 ) < 0) { - DEBUG(0,("unable to read file %s. Error was %s\n", - sid_file, strerror(errno) )); - return False; - } - - /* - * Convert to the machine SID. - */ - - fline[sizeof(fline)-1] = '\0'; - if (!string_to_sid(sid, fline)) { - DEBUG(0,("unable to read sid.\n")); - return False; - } - - sid_to_string(sid_str, sid); - DEBUG(5,("read_sid_from_file: sid %s\n", sid_str)); - - return True; -} - -/**************************************************************************** - Generate the global machine sid. Look for the DOMAINNAME.SID file first, if - not found then look in smb.conf and use it to create the DOMAINNAME.SID file. -****************************************************************************/ -BOOL read_sid(char *sam_name, DOM_SID *sid) -{ - int fd; - char *p; - pstring sid_file; - fstring file_name; - SMB_STRUCT_STAT st; - - pstrcpy(sid_file, lp_smb_passwd_file()); - - DEBUG(10,("read_sid: Domain: %s\n", sam_name)); - - if (sid_file[0] == 0) - { - DEBUG(0,("cannot find smb passwd file\n")); - return False; - } - - p = strrchr(sid_file, '/'); - if (p != NULL) - { - *++p = '\0'; - } - - if (!directory_exist(sid_file, NULL)) - { - if (mkdir(sid_file, 0700) != 0) - { - DEBUG(0,("can't create private directory %s : %s\n", - sid_file, strerror(errno))); - return False; - } - } - - slprintf(file_name, sizeof(file_name)-1, "%s.SID", sam_name); - strupper(file_name); - pstrcat(sid_file, file_name); - - if ((fd = sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) { - DEBUG(0,("unable to open or create file %s. Error was %s\n", - sid_file, strerror(errno) )); - return False; - } - - /* - * Check if the file contains data. 
- */ - - if (sys_fstat(fd, &st) < 0) { - DEBUG(0,("unable to stat file %s. Error was %s\n", - sid_file, strerror(errno) )); - close(fd); - return False; - } - - if (st.st_size == 0) - { - close(fd); - return False; - } - - /* - * We have a valid SID - read it. - */ - - if (!read_sid_from_file(fd, sid_file, sid)) - { - DEBUG(0,("unable to read file %s. Error was %s\n", - sid_file, strerror(errno) )); - close(fd); - return False; - } - close(fd); - return True; -} - - -/**************************************************************************** - Generate the global machine sid. Look for the DOMAINNAME.SID file first, if - not found then look in smb.conf and use it to create the DOMAINNAME.SID file. -****************************************************************************/ -BOOL write_sid(char *sam_name, DOM_SID *sid) -{ - int fd; - char *p; - pstring sid_file; - fstring sid_string; - fstring file_name; - SMB_STRUCT_STAT st; - - pstrcpy(sid_file, lp_smb_passwd_file()); - sid_to_string(sid_string, sid); - - DEBUG(10,("write_sid: Domain: %s SID: %s\n", sam_name, sid_string)); - fstrcat(sid_string, "\n"); - - if (sid_file[0] == 0) - { - DEBUG(0,("cannot find smb passwd file\n")); - return False; - } - - p = strrchr(sid_file, '/'); - if (p != NULL) - { - *++p = '\0'; - } - - if (!directory_exist(sid_file, NULL)) { - if (mkdir(sid_file, 0700) != 0) { - DEBUG(0,("can't create private directory %s : %s\n", - sid_file, strerror(errno))); - return False; - } - } - - slprintf(file_name, sizeof(file_name)-1, "%s.SID", sam_name); - strupper(file_name); - pstrcat(sid_file, file_name); - - if ((fd = sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) { - DEBUG(0,("unable to open or create file %s. Error was %s\n", - sid_file, strerror(errno) )); - return False; - } - - /* - * Check if the file contains data. - */ - - if (sys_fstat(fd, &st) < 0) { - DEBUG(0,("unable to stat file %s. 
Error was %s\n", - sid_file, strerror(errno) )); - close(fd); - return False; - } - - if (st.st_size > 0) - { - /* - * We have a valid SID already. - */ - close(fd); - DEBUG(0,("SID file %s already exists\n", sid_file)); - return False; - } - - if (!do_file_lock(fd, 60, F_WRLCK)) - { - DEBUG(0,("unable to lock file %s. Error was %s\n", - sid_file, strerror(errno) )); - close(fd); - return False; - } - - /* - * At this point we have a blocking lock on the SID - * file - check if in the meantime someone else wrote - * SID data into the file. If so - they were here first, - * use their data. - */ - - if (sys_fstat(fd, &st) < 0) - { - DEBUG(0,("unable to stat file %s. Error was %s\n", - sid_file, strerror(errno) )); - close(fd); - return False; - } - - if (st.st_size > 0) - { - /* - * Unlock as soon as possible to reduce - * contention on the exclusive lock. - */ - do_file_lock(fd, 60, F_UNLCK); - - /* - * We have a valid SID already. - */ - - DEBUG(0,("SID file %s already exists\n", sid_file)); - close(fd); - return False; - } - - /* - * The file is still empty and we have an exlusive lock on it. - * Write out out SID data into the file. - */ - - if (fchmod(fd, 0644) < 0) - { - DEBUG(0,("unable to set correct permissions on file %s. \ -Error was %s\n", sid_file, strerror(errno) )); - close(fd); - return False; - } - - if (write(fd, sid_string, strlen(sid_string)) != strlen(sid_string)) - { - DEBUG(0,("unable to write file %s. Error was %s\n", - sid_file, strerror(errno) )); - close(fd); - return False; - } - - /* - * Unlock & exit. - */ - - do_file_lock(fd, 60, F_UNLCK); - close(fd); - return True; -} - -/**************************************************************************** -create a random SID. -****************************************************************************/ -BOOL create_new_sid(DOM_SID *sid) -{ - uchar raw_sid_data[12]; - fstring sid_string; - int i; - - /* - * Generate the new sid data & turn it into a string. 
- */ - generate_random_buffer(raw_sid_data, 12, True); - - fstrcpy(sid_string, "S-1-5-21"); - for(i = 0; i < 3; i++) - { - fstring tmp_string; - slprintf(tmp_string, sizeof(tmp_string) - 1, "-%u", IVAL(raw_sid_data, i*4)); - fstrcat(sid_string, tmp_string); - } - - fstrcat(sid_string, "\n"); - - /* - * Ensure our new SID is valid. - */ - - if (!string_to_sid(sid, sid_string)) - { - DEBUG(0,("unable to generate machine SID.\n")); - return False; - } - - return True; -} - -- cgit From 54695647ef52558e5f83744898b7c5c95c9fed5a Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Sat, 27 May 2000 01:56:26 +0000 Subject: fixed nttrans.c (This used to be commit 06cd46b0ec10b32af54edd8256d2fdbec45e1371) --- source3/lib/util_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 65bc2fe85d..3605dfbf27 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -391,7 +391,7 @@ BOOL sid_linearize(char *outbuf, size_t len, DOM_SID *sid) Compare two sids. *****************************************************************/ -BOOL sid_equal(DOM_SID *sid1, DOM_SID *sid2) +BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2) { int i; -- cgit From badb7fc0d21267110e39287c897c0f956f43bb16 Mon Sep 17 00:00:00 2001 From: Matthew Chapman Date: Mon, 29 May 2000 01:23:48 +0000 Subject: Fixed LsaQueryInformationPolicy level 3 to return primary domain info. Domain SID is saved in secrets.tdb upon joining domain. Added "Authenticated Users" and "SYSTEM" well-known SIDs (under NT Authority). (This used to be commit 7710b4f48d3e8532df5e37f99a779758f750efdb) --- source3/lib/util_sid.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 3605dfbf27..46904162b1 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -49,15 +49,18 @@ typedef struct _known_sid_users { /* static known_sid_users no_users[] = {{0, 0, NULL}}; */ static known_sid_users everyone_users[] = {{ 0, SID_NAME_WKN_GRP, "Everyone" }, {0, 0, NULL}}; static known_sid_users creator_owner_users[] = {{ 0, SID_NAME_ALIAS, "Creator Owner" }, {0, 0, NULL}}; -static known_sid_users nt_authority_users[] = {{ 1, SID_NAME_ALIAS, "Dialup" }, - { 2, SID_NAME_ALIAS, "Network"}, - { 3, SID_NAME_ALIAS, "Batch"}, - { 4, SID_NAME_ALIAS, "Interactive"}, - { 6, SID_NAME_ALIAS, "Service"}, - { 7, SID_NAME_ALIAS, "AnonymousLogon"}, - { 8, SID_NAME_ALIAS, "Proxy"}, - { 9, SID_NAME_ALIAS, "ServerLogon"}, - {0, 0, NULL}}; +static known_sid_users nt_authority_users[] = { + { 1, SID_NAME_ALIAS, "Dialup" }, + { 2, SID_NAME_ALIAS, "Network"}, + { 3, SID_NAME_ALIAS, "Batch"}, + { 4, SID_NAME_ALIAS, "Interactive"}, + { 6, SID_NAME_ALIAS, "Service"}, + { 7, SID_NAME_ALIAS, "AnonymousLogon"}, + { 8, SID_NAME_ALIAS, "Proxy"}, + { 9, SID_NAME_ALIAS, "ServerLogon"}, + { 11, SID_NAME_ALIAS, "Authenticated Users"}, + { 18, SID_NAME_ALIAS, "SYSTEM"}, + { 0, 0, NULL}}; static struct sid_name_map_info { -- cgit From 1bdbb4e6012307b366c064554361c59f27b1ae7e Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Thu, 8 Jun 2000 08:41:28 +0000 Subject: added se_access_check. (This used to be commit 6de329f6bf9c26e132869cf43d4976d4881e285c) --- source3/lib/util_sid.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 46904162b1..add2494346 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -40,6 +40,8 @@ DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner */ DOM_SID global_sid_Creator_Owner; /* Creator Owner */ DOM_SID global_sid_NT_Authority; /* NT Authority */ +const DOM_SID *global_sid_everyone = &global_sid_World; + typedef struct _known_sid_users { uint32 rid; uint8 sid_name_use; -- cgit 
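Review bot: The two new rows are tagged `SID_NAME_ALIAS` like the rest of the NT Authority table, while the `Everyone` row a few lines up uses `SID_NAME_WKN_GRP`; "Authenticated Users" (S-1-5-11) is the same kind of well-known group as Everyone, so `{ 11, SID_NAME_WKN_GRP, "Authenticated Users"},` would be the consistent tag, and as far as I recall Windows reports SYSTEM the same way. If `SID_NAME_ALIAS` is deliberate for everything under NT Authority, a one-line comment on the table saying so would keep the next reader from "fixing" it.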
From ec1c58fcc0dc19138fe04533484b8acffef2cf0f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 24 Jun 2000 00:15:08 +0000 Subject: lib/util_sid.c: Uninitialized memory read. rpc_parse/parse_spoolss.c: Added note about prs_align when marshalling a SEC_DESC... rpc_server/srv_lsa.c: Tim - your changes broke the display of the 'everyone' group when doing file access with no winbindd running. This is a partial fix - more when I have analysed this more. rpc_server/srv_spoolss_nt.c: Fix for the 'change driver' problem ! Hurrah ! Jeremy. (This used to be commit 151b131ee01ef916c072bcdaa9943a2e984a0f45) --- source3/lib/util_sid.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/lib/util_sid.c')
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index add2494346..43fd7ecc59 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -344,6 +344,8 @@ void sid_copy(DOM_SID *dst, const DOM_SID *src)
 {
 int i;
+ memset((char *)dst, '\0', sizeof(DOM_SID));
+
 dst->sid_rev_num = src->sid_rev_num;
 dst->num_auths = src->num_auths;
-- cgit From 084af3c5be2d7cd6ab68431f4f2b12113e246528 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 6 Jul 2000 06:48:54 +0000 Subject: Added global_sid_NULL S-1-0-0 to list of global sids. (This used to be commit f49905e74c6e3891b5816b136fd1d0d77c392e2f) --- source3/lib/util_sid.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/lib/util_sid.c')
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 43fd7ecc59..42fdfb15fe 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -39,6 +39,7 @@ DOM_SID global_sid_World; /* everyone */
 DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner */
 DOM_SID global_sid_Creator_Owner; /* Creator Owner */
 DOM_SID global_sid_NT_Authority; /* NT Authority */
+DOM_SID global_sid_NULL; /* NULL sid */
 const DOM_SID *global_sid_everyone = &global_sid_World;
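Review bot: The added `memset` runs before any field of `src` is read, so a call where `dst` and `src` alias (`sid_copy(s, s)`) now zeroes the source and copies back an empty SID, whereas the previous body was alias-safe. Guard it with `if (dst == src) return;` ahead of the memset, or document that aliasing is not supported. The `(char *)` cast is unnecessary and `sizeof(*dst)` ties the length to the pointee: `memset(dst, '\0', sizeof(*dst));`. sid_copy's body continues outside the hunk.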
@@ -93,6 +94,7 @@ void generate_wellknown_sids(void)
 string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3");
 string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
 string_to_sid(&global_sid_NT_Authority, "S-1-5");
+ string_to_sid(&global_sid_NULL, "S-1-0-0");
 }
 /**************************************************************************
-- cgit From 5a98f9cb35835efdfe384b82e31e319276496ef4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 25 Jul 2000 20:26:50 +0000 Subject: if the sids are not the same pointer and either of the sids are NULL then the two sids are not equal (This used to be commit 9ccf3b1dc5baf0e00d032d8b932ab0fb5b1e11b1) --- source3/lib/util_sid.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/lib/util_sid.c')
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 42fdfb15fe..3572f2c775 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -404,6 +404,9 @@ BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2)
 {
 int i;
+ if (sid1 == sid2) return True;
+ if (!sid1 || !sid2) return False;
+
 /* compare most likely different rids, first: i.e start at end */
 for (i = sid1->num_auths-1; i >= 0; --i)
 if (sid1->sub_auths[i] != sid2->sub_auths[i])
-- cgit From f87399915b009f88c41cb75a583c2972fe3daf30 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Aug 2000 22:38:43 +0000 Subject: Added an NT_USER_TOKEN structure that is copied/passed around associated with the current user. This will allow se_access_check() to quickly do a SD check without having to translate uid/gid's to SIDs. Still needs work on pipe calls. Jeremy. (This used to be commit e28d01b744b3dbd33e0e54af4e7f426fa8c082b8) --- source3/lib/util_sid.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/lib/util_sid.c')
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 3572f2c775..52e9f63039 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
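Review bot: The loop after the new NULL checks still reads `sid2->sub_auths[i]` for every `i` below `sid1->num_auths` before the two counts are compared, so when `sid2` has fewer sub-authorities its unused trailing slots are read (presumably the uninitialized read that the sid_copy memset in the commit above was added to paper over). Hoisting `if (sid1->num_auths != sid2->num_auths) return False;` above the loop removes that read and is also the cheapest rejection. The remainder of sid_equal is outside the hunk.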
@@ -33,13 +33,14 @@ extern fstring global_myworkgroup; * Some useful sids */ -DOM_SID global_sid_S_1_5_0x20; /* local well-known domain */ +DOM_SID global_sid_Builtin; /* local well-known domain */ DOM_SID global_sid_World_Domain; /* everyone */ DOM_SID global_sid_World; /* everyone */ DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner */ DOM_SID global_sid_Creator_Owner; /* Creator Owner */ DOM_SID global_sid_NT_Authority; /* NT Authority */ DOM_SID global_sid_NULL; /* NULL sid */ +DOM_SID global_sid_Builtin_Guests; const DOM_SID *global_sid_everyone = &global_sid_World; @@ -75,7 +76,7 @@ sid_name_map[] = { { &global_sam_sid, global_myname, NULL}, { &global_sam_sid, global_myworkgroup, NULL}, - { &global_sid_S_1_5_0x20, "BUILTIN", NULL}, + { &global_sid_Builtin, "BUILTIN", NULL}, { &global_sid_World_Domain, "", &everyone_users[0] }, { &global_sid_Creator_Owner_Domain, "", &creator_owner_users[0] }, { &global_sid_NT_Authority, "NT Authority", &nt_authority_users[0] }, @@ -88,7 +89,8 @@ sid_name_map[] = void generate_wellknown_sids(void) { - string_to_sid(&global_sid_S_1_5_0x20, "S-1-5-32"); + string_to_sid(&global_sid_Builtin, "S-1-5-32"); + string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546"); string_to_sid(&global_sid_World_Domain, "S-1-1"); string_to_sid(&global_sid_World, "S-1-1-0"); string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3"); -- cgit From 641d9e85ea6a134be1d3359b41b8872f6ef65872 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 23 Aug 2000 00:45:40 +0000 Subject: Added code to do SID to uid/gid conversion. Needed for ACL support. Jeremy. (This used to be commit 81c5380f91839b6416c8a42739dadf00e7388528) --- source3/lib/util_sid.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 52e9f63039..439bb74a83 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
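Review bot: `DOM_SID global_sid_Builtin_Guests;` is the only declaration in the block without the trailing comment its siblings carry; `DOM_SID global_sid_Builtin_Guests; /* BUILTIN\Guests, S-1-5-32-546 */` keeps the list self-describing (the value is the one assigned in the generate_wellknown_sids hunk below). The rename to `global_sid_Builtin` is applied consistently across the three hunks.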
@@ -46,7 +46,7 @@ const DOM_SID *global_sid_everyone = &global_sid_World; typedef struct _known_sid_users { uint32 rid; - uint8 sid_name_use; + enum SID_NAME_USE sid_name_use; char *known_user_name; } known_sid_users; @@ -134,7 +134,7 @@ BOOL map_domain_sid_to_name(DOM_SID *sid, char *nt_domain) Looks up a known username from one of the known domains. ***************************************************************************/ -BOOL lookup_known_rid(DOM_SID *sid, uint32 rid, char *name, uint8 *psid_name_use) +BOOL lookup_known_rid(DOM_SID *sid, uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) { int i = 0; struct sid_name_map_info *psnm; -- cgit From 1ef79dbcabbe58c1338040eaea9fbcfe3b7ea105 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 28 Sep 2000 00:07:19 +0000 Subject: Removed annoying unecessary debug message. (This used to be commit b1a893b74114ee4ab6a295ac0cb0e8fdccda3f53) --- source3/lib/util_sid.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 439bb74a83..b4b88c9d88 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -250,7 +250,6 @@ char *sid_to_string(fstring sidstr_out, DOM_SID *sid) fstrcat(sidstr_out, subauth); } - DEBUG(7,("sid_to_string returning %s\n", sidstr_out)); return sidstr_out; } -- cgit From 23f78fd7b91878176c518471cdca84cad826cba9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 4 Oct 2000 01:03:23 +0000 Subject: Adding Herb's compile warning fixes to HEAD. Jeremy. (This used to be commit d131ad1ce3f6e72e295f865a463f8dcbfa6f8d42) --- source3/lib/util_sid.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index b4b88c9d88..80254318c4 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -51,8 +51,12 @@ typedef struct _known_sid_users { } known_sid_users; /* static known_sid_users no_users[] = {{0, 0, NULL}}; */ -static known_sid_users everyone_users[] = {{ 0, SID_NAME_WKN_GRP, "Everyone" }, {0, 0, NULL}}; -static known_sid_users creator_owner_users[] = {{ 0, SID_NAME_ALIAS, "Creator Owner" }, {0, 0, NULL}}; +static known_sid_users everyone_users[] = { + { 0, SID_NAME_WKN_GRP, "Everyone" }, + {0, (enum SID_NAME_USE)0, NULL}}; +static known_sid_users creator_owner_users[] = { + { 0, SID_NAME_ALIAS, "Creator Owner" }, + {0, (enum SID_NAME_USE)0, NULL}}; static known_sid_users nt_authority_users[] = { { 1, SID_NAME_ALIAS, "Dialup" }, { 2, SID_NAME_ALIAS, "Network"}, @@ -64,7 +68,7 @@ static known_sid_users nt_authority_users[] = { { 9, SID_NAME_ALIAS, "ServerLogon"}, { 11, SID_NAME_ALIAS, "Authenticated Users"}, { 18, SID_NAME_ALIAS, "SYSTEM"}, - { 0, 0, NULL}}; + { 0, (enum SID_NAME_USE)0, NULL}}; static struct sid_name_map_info { -- cgit From 276364e2a4cee00f4521845347a0b0a371f6b0e6 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Dec 2000 02:36:14 +0000 Subject: Removed the special casing of SIDs in se_access_check. This is now done (correctly) when the NT_USER_TOKEN is *created*. Jeremy. (This used to be commit 27d72ed1cf8ece2bede812341279ba5a7262ace4) --- source3/lib/util_sid.c | 53 ++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 43 insertions(+), 10 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 80254318c4..94144bbbd1 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -33,14 +33,17 @@ extern fstring global_myworkgroup; * Some useful sids */ -DOM_SID global_sid_Builtin; /* local well-known domain */ -DOM_SID global_sid_World_Domain; /* everyone */ -DOM_SID global_sid_World; /* everyone */ -DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner */ -DOM_SID global_sid_Creator_Owner; /* Creator Owner */ -DOM_SID global_sid_NT_Authority; /* NT Authority */ -DOM_SID global_sid_NULL; /* NULL sid */ -DOM_SID global_sid_Builtin_Guests; +DOM_SID global_sid_Builtin; /* Local well-known domain */ +DOM_SID global_sid_World_Domain; /* Everyone domain */ +DOM_SID global_sid_World; /* Everyone */ +DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */ +DOM_SID global_sid_Creator_Owner; /* Creator Owner */ +DOM_SID global_sid_NT_Authority; /* NT Authority */ +DOM_SID global_sid_NULL; /* NULL sid */ +DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ +DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */ +DOM_SID global_sid_Network; /* Network rids */ +DOM_SID global_sid_Anonymous; /* Anonymous login */ const DOM_SID *global_sid_everyone = &global_sid_World; @@ -51,12 +54,15 @@ typedef struct _known_sid_users { } known_sid_users; /* static known_sid_users no_users[] = {{0, 0, NULL}}; */ + static known_sid_users everyone_users[] = { { 0, SID_NAME_WKN_GRP, "Everyone" }, {0, (enum SID_NAME_USE)0, NULL}}; + static known_sid_users creator_owner_users[] = { { 0, SID_NAME_ALIAS, "Creator Owner" }, {0, (enum SID_NAME_USE)0, NULL}}; + static known_sid_users nt_authority_users[] = { { 1, SID_NAME_ALIAS, "Dialup" }, { 2, SID_NAME_ALIAS, "Network"}, @@ -70,6 +76,10 @@ static known_sid_users nt_authority_users[] = { { 18, SID_NAME_ALIAS, "SYSTEM"}, { 0, (enum SID_NAME_USE)0, NULL}}; +static known_sid_users builtin_users[] = { + { DOMAIN_USER_RID_ADMIN, SID_NAME_USER, "Administrator" }, + { 0, (enum SID_NAME_USE)0, NULL}}; + static struct sid_name_map_info { DOM_SID *sid; 
@@ -81,12 +91,24 @@ sid_name_map[] = { &global_sam_sid, global_myname, NULL}, { &global_sam_sid, global_myworkgroup, NULL}, { &global_sid_Builtin, "BUILTIN", NULL}, + { &global_sid_Builtin, "", &builtin_users[0]}, { &global_sid_World_Domain, "", &everyone_users[0] }, { &global_sid_Creator_Owner_Domain, "", &creator_owner_users[0] }, { &global_sid_NT_Authority, "NT Authority", &nt_authority_users[0] }, { NULL, NULL, NULL} }; +/* + * An NT compatible anonymous token. + */ + +static DOM_SID anon_sid_array[3]; + +NT_USER_TOKEN anonymous_token = { + 3, + anon_sid_array +}; + /**************************************************************************** Creates some useful well known sids ****************************************************************************/ @@ -101,6 +123,14 @@ void generate_wellknown_sids(void) string_to_sid(&global_sid_Creator_Owner, "S-1-3-0"); string_to_sid(&global_sid_NT_Authority, "S-1-5"); string_to_sid(&global_sid_NULL, "S-1-0-0"); + string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11"); + string_to_sid(&global_sid_Network, "S-1-5-2"); + string_to_sid(&global_sid_Anonymous, "S-1-5-7"); + + /* Create the anon token. */ + sid_copy( &anonymous_token.user_sids[0], &global_sid_World); + sid_copy( &anonymous_token.user_sids[1], &global_sid_Network); + sid_copy( &anonymous_token.user_sids[2], &global_sid_Anonymous); } /************************************************************************** @@ -210,15 +240,18 @@ BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain) void split_domain_name(const char *fullname, char *domain, char *name) { pstring full_name; - char *p; + char *p, *sep; + + sep = lp_winbind_separator(); *domain = *name = '\0'; - if (fullname[0] == '\\') + if (fullname[0] == sep[0] || fullname[0] == '\\') fullname++; pstrcpy(full_name, fullname); p = strchr(full_name+1, '\\'); + if (!p) p = strchr(full_name+1, sep[0]); if (p != NULL) { *p = 0; -- cgit From 27922c0430bf28dca910d2a2903cf410a4187643 Mon Sep 17 00:00:00 2001 
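Review bot: `NT_USER_TOKEN anonymous_token = { 3, anon_sid_array };` repeats the count that `anon_sid_array[3]` already fixes, and the three `sid_copy` calls in the `@@ -101` hunk below are a third copy of the same number, so the three can drift apart silently; derive it once, `sizeof(anon_sid_array) / sizeof(anon_sid_array[0])`, and put a comment on the array: `/* World, Network, Anonymous; filled in by generate_wellknown_sids(), unusable before that runs */`. The new `{ &global_sid_Builtin, "", &builtin_users[0]}` entry shares its SID key with the `"BUILTIN"` entry just above it, and map_domain_sid_to_name (visible further down the page) returns on the first SID match, so the empty-name entry presumably only ever serves lookup_known_rid; a comment on why the domain is listed twice would save the next reader that analysis.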
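Review bot: The new separator handling in split_domain_name checks the literal backslash alongside `sep[0]` for the leading strip and searches for `'\\'` before `sep[0]`, so with a non-backslash winbind separator configured a backslash in the name still takes precedence; if accepting both forms is intended, say so in a comment: `/* accept either '\\' or the configured winbind separator as the DOMAIN/name delimiter */`. `sep` is dereferenced without a NULL check, and whether lp_winbind_separator() can return NULL is not visible here. The function's body continues past the hunk.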
From: David O'Neill Date: Mon, 15 Jan 2001 18:36:50 +0000 Subject: Changes from APPLIANCE_HEAD: source/rpc_parse/parse_lsa.c - off by one unistr length bug in init_lsa_trans_name() source/lib/util_sid.c - resolve more BUILTIN sid values to names. source/nsswitch/wb_client.c - fix typo in debug message - set errno on error so we don't get bogus value from last failure. source/rpc_server/srv_spoolss_nt.c - add debug to track number of open printer handles for ease of tracking handle leaks in the future. source/rpc_server/srv_lsa.c - fix off-by-one string bug. This was preventing NT from displaying names for well-know SIDs in printer permissions dialog. (This used to be commit 59229b9025cff54cbdd05e374616ffbf9c6fee33) --- source3/lib/util_sid.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 94144bbbd1..98d4e77712 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -76,8 +76,14 @@ static known_sid_users nt_authority_users[] = { { 18, SID_NAME_ALIAS, "SYSTEM"}, { 0, (enum SID_NAME_USE)0, NULL}}; -static known_sid_users builtin_users[] = { - { DOMAIN_USER_RID_ADMIN, SID_NAME_USER, "Administrator" }, +static known_sid_users builtin_groups[] = { + { BUILTIN_ALIAS_RID_ADMINS, SID_NAME_ALIAS, "Administrators" }, + { BUILTIN_ALIAS_RID_USERS, SID_NAME_ALIAS, "Users" }, + { BUILTIN_ALIAS_RID_GUESTS, SID_NAME_ALIAS, "Guests" }, + { BUILTIN_ALIAS_RID_ACCOUNT_OPS, SID_NAME_ALIAS, "Account Operators" }, + { BUILTIN_ALIAS_RID_SYSTEM_OPS, SID_NAME_ALIAS, "Server Operators" }, + { BUILTIN_ALIAS_RID_PRINT_OPS, SID_NAME_ALIAS, "Print Operators" }, + { BUILTIN_ALIAS_RID_BACKUP_OPS, SID_NAME_ALIAS, "Backup Operators" }, { 0, (enum SID_NAME_USE)0, NULL}}; static struct sid_name_map_info 
@@ -90,8 +96,7 @@ sid_name_map[] = { { &global_sam_sid, global_myname, NULL}, { &global_sam_sid, global_myworkgroup, NULL}, - { &global_sid_Builtin, "BUILTIN", NULL}, - { &global_sid_Builtin, "", &builtin_users[0]}, + { &global_sid_Builtin, "BUILTIN", &builtin_groups[0]}, { &global_sid_World_Domain, "", &everyone_users[0] }, { &global_sid_Creator_Owner_Domain, "", &creator_owner_users[0] }, { &global_sid_NT_Authority, "NT Authority", &nt_authority_users[0] }, -- cgit From 8d070c60fc99e27d7e58f6d45aa64657c462b875 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 23 Feb 2001 07:20:11 +0000 Subject: - fixed the sort_acl bug, sorting now works right - don't allow setting of duplicate ACEs - fixed a ACE delete bug (This used to be commit 61293979ce2aded58a5ef2a54b3b05d1d278f7cf) --- source3/lib/util_sid.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 98d4e77712..e888c1cbcb 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -442,29 +442,40 @@ BOOL sid_linearize(char *outbuf, size_t len, DOM_SID *sid)
 /*****************************************************************
 Compare two sids.
 *****************************************************************/
-
-BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2)
+int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2)
 {
 int i;
- if (sid1 == sid2) return True;
- if (!sid1 || !sid2) return False;
+ if (sid1 == sid2) return 0;
+ if (!sid1) return -1;
+ if (!sid2) return 1;
 /* compare most likely different rids, first: i.e start at end */
 for (i = sid1->num_auths-1; i >= 0; --i)
 if (sid1->sub_auths[i] != sid2->sub_auths[i])
- return False;
+ return sid1->sub_auths[i] - sid2->sub_auths[i];
 if (sid1->num_auths != sid2->num_auths)
- return False;
+ return sid1->num_auths - sid2->num_auths;
+
 if (sid1->sid_rev_num != sid2->sid_rev_num)
- return False;
+ return sid1->sid_rev_num - sid2->sid_rev_num;
 for (i = 0; i < 6; i++)
 if (sid1->id_auth[i] != sid2->id_auth[i])
- return False;
+ return sid1->id_auth[i] - sid2->id_auth[i];
- return True;
+ return 0;
+}
+
+
+/*****************************************************************
+ Compare two sids.
+*****************************************************************/
+
+BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2)
+{
+ return sid_compare(sid1, sid2) == 0;
 }
-- cgit From c6e8e75a64e9cebd0bc5ac31fcb2181d6b5bb287 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 May 2001 02:50:11 +0000 Subject: Merging Gerald's PDC SAM name fix. Jeremy. (This used to be commit d31799850440c6c2267a4edb217d447df75aab5a) --- source3/lib/util_sid.c | 89 ++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 76 insertions(+), 13 deletions(-) (limited to 'source3/lib/util_sid.c')
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index e888c1cbcb..de86b956c3 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
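Review bot: `return sid1->sub_auths[i] - sid2->sub_auths[i];` subtracts two values the rest of the file treats as `uint32` (sid_split_rid's `uint32 *rid`, sid_size's `sizeof(uint32)`), so the unsigned difference converted to `int` does not carry the sign of the comparison once it exceeds INT_MAX: a sub-authority of 0x80000000 against 0 compares as "less", which undermines the sorting this commit sets out to fix. Return an explicit sign instead, `return sid1->sub_auths[i] > sid2->sub_auths[i] ? 1 : -1;`, and do the same for the `num_auths`, `sid_rev_num` and `id_auth` returns, whose field types are not visible here. The loop also still indexes `sid2->sub_auths[]` by `sid1->num_auths` before the counts are compared; moving the `num_auths` test above the loop avoids reading past sid2's valid entries. The second header comment reads `Compare two sids.` for sid_equal as well; `Test two sids for equality.` tells the two apart.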
@@ -86,22 +86,16 @@ static known_sid_users builtin_groups[] = { { BUILTIN_ALIAS_RID_BACKUP_OPS, SID_NAME_ALIAS, "Backup Operators" }, { 0, (enum SID_NAME_USE)0, NULL}}; +#define MAX_SID_NAMES 7 + static struct sid_name_map_info { DOM_SID *sid; char *name; known_sid_users *known_users; -} -sid_name_map[] = -{ - { &global_sam_sid, global_myname, NULL}, - { &global_sam_sid, global_myworkgroup, NULL}, - { &global_sid_Builtin, "BUILTIN", &builtin_groups[0]}, - { &global_sid_World_Domain, "", &everyone_users[0] }, - { &global_sid_Creator_Owner_Domain, "", &creator_owner_users[0] }, - { &global_sid_NT_Authority, "NT Authority", &nt_authority_users[0] }, - { NULL, NULL, NULL} -}; +} sid_name_map[MAX_SID_NAMES]; + +static BOOL sid_name_map_initialized = False; /* * An NT compatible anonymous token. 
@@ -114,6 +108,65 @@ NT_USER_TOKEN anonymous_token = { anon_sid_array }; +/************************************************************************** + quick init function + *************************************************************************/ +static void init_sid_name_map (void) +{ + int i = 0; + + if (sid_name_map_initialized) return; + + + if ((lp_security() == SEC_USER) && lp_domain_logons()) { + sid_name_map[i].sid = &global_sam_sid; + sid_name_map[i].name = global_myworkgroup; + sid_name_map[i].known_users = NULL; + i++; + sid_name_map[i].sid = &global_sam_sid; + sid_name_map[i].name = global_myname; + sid_name_map[i].known_users = NULL; + i++; + } + else { + sid_name_map[i].sid = &global_sam_sid; + sid_name_map[i].name = global_myname; + sid_name_map[i].known_users = NULL; + i++; + } + + sid_name_map[i].sid = &global_sid_Builtin; + sid_name_map[i].name = "BUILTIN"; + sid_name_map[i].known_users = &builtin_groups[0]; + i++; + + sid_name_map[i].sid = &global_sid_World_Domain; + sid_name_map[i].name = ""; + sid_name_map[i].known_users = &everyone_users[0]; + i++; + + sid_name_map[i].sid = &global_sid_Creator_Owner_Domain; + sid_name_map[i].name = ""; + sid_name_map[i].known_users = &creator_owner_users[0]; + i++; + + sid_name_map[i].sid = &global_sid_NT_Authority; + sid_name_map[i].name = "NT Authority"; + sid_name_map[i].known_users = &nt_authority_users[0]; + i++; + + + /* end of array */ + sid_name_map[i].sid = NULL; + sid_name_map[i].name = NULL; + sid_name_map[i].known_users = NULL; + + sid_name_map_initialized = True; + + return; + +} + /**************************************************************************** Creates some useful well known sids ****************************************************************************/ 
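Review bot: init_sid_name_map stores into `sid_name_map[]` with no bound check, and the `lp_security() == SEC_USER && lp_domain_logons()` branch writes exactly seven entries including the NULL terminator, so `MAX_SID_NAMES 7` from the previous hunk has no slack: the next entry added here overflows the static array silently. Bounds-check `i` against `MAX_SID_NAMES` before each store and log at level 0 on overflow, or at minimum tie the define to this function with `/* MAX_SID_NAMES must cover every entry init_sid_name_map() stores, plus the NULL terminator */`. The function also snapshots `lp_security()`/`lp_domain_logons()` at the first lookup and `sid_name_map_initialized` is never cleared, so a later smb.conf reload presumably leaves a stale table; worth a comment if that is acceptable. The trailing `return;` in a void function is noise.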
@@ -146,8 +199,12 @@ BOOL map_domain_sid_to_name(DOM_SID *sid, char *nt_domain) { fstring sid_str; int i = 0; + sid_to_string(sid_str, sid); + if (!sid_name_map_initialized) + init_sid_name_map(); + DEBUG(5,("map_domain_sid_to_name: %s\n", sid_str)); if (nt_domain == NULL) @@ -156,7 +213,7 @@ BOOL map_domain_sid_to_name(DOM_SID *sid, char *nt_domain) while (sid_name_map[i].sid != NULL) { sid_to_string(sid_str, sid_name_map[i].sid); DEBUG(5,("map_domain_sid_to_name: compare: %s\n", sid_str)); - if (sid_equal(sid_name_map[i].sid, sid)) { + if (sid_equal(sid_name_map[i].sid, sid)) { fstrcpy(nt_domain, sid_name_map[i].name); DEBUG(5,("map_domain_sid_to_name: found '%s'\n", nt_domain)); return True; @@ -178,6 +235,9 @@ BOOL lookup_known_rid(DOM_SID *sid, uint32 rid, char *name, enum SID_NAME_USE *p int i = 0; struct sid_name_map_info *psnm; + if (!sid_name_map_initialized) + init_sid_name_map(); + for(i = 0; sid_name_map[i].sid != NULL; i++) { psnm = &sid_name_map[i]; if(sid_equal(psnm->sid, sid)) { @@ -217,10 +277,13 @@ BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain) DEBUG(5,("map_domain_name_to_sid: overriding blank name to %s\n", nt_domain)); sid_copy(sid, &global_sam_sid); return True; - } + } DEBUG(5,("map_domain_name_to_sid: %s\n", nt_domain)); + if (!sid_name_map_initialized) + init_sid_name_map(); + while (sid_name_map[i].name != NULL) { DEBUG(5,("map_domain_name_to_sid: compare: %s\n", sid_name_map[i].name)); if (strequal(sid_name_map[i].name, nt_domain)) { -- cgit From 281629ac063d431cc8a9b7975520ee7fa65a5568 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 10 May 2001 00:48:06 +0000 Subject: Added sid_peek_rid() function to return the rid of a sid. Saves mucking around with copying a sid to a temporary variable and using sid_split_rid(). (This used to be commit 9ee43d61be1284b72fd04054c44545847c73120f) --- source3/lib/util_sid.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'source3/lib/util_sid.c') 
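Review bot: The three new `if (!sid_name_map_initialized) init_sid_name_map();` guards repeat a check that init_sid_name_map already makes on entry (`if (sid_name_map_initialized) return;`), so each call site now depends on the flag as well as on the function. Calling `init_sid_name_map();` unconditionally keeps the flag private to the initializer and cannot drift from it. In map_domain_sid_to_name the guard also sits after the first `sid_to_string(sid_str, sid)`, which is harmless but would read more naturally as the first statement. All three function bodies continue past the hunks.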
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index de86b956c3..70341507cb 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -444,6 +444,19 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) return False; } +/***************************************************************** + Return the last rid from the end of a sid +*****************************************************************/ + +BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid) +{ + if (sid->num_auths > 0) { + *rid = sid->sub_auths[sid->num_auths - 1]; + return True; + } + return False; +} + /***************************************************************** Copies a sid *****************************************************************/ -- cgit From 527e824293ee934ca5da0ef5424efe5ab7757248 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 4 Jul 2001 07:36:09 +0000 Subject: strchr and strrchr are macros when compiling with optimisation in gcc, so we can't redefine them. damn. (This used to be commit c41fc06376d1a2b83690612304e85010b5e5f3cf) --- source3/lib/util_sid.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 70341507cb..c89c7c70d9 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -318,8 +318,8 @@ void split_domain_name(const char *fullname, char *domain, char *name) fullname++; pstrcpy(full_name, fullname); - p = strchr(full_name+1, '\\'); - if (!p) p = strchr(full_name+1, sep[0]); + p = strchr_m(full_name+1, '\\'); + if (!p) p = strchr_m(full_name+1, sep[0]); if (p != NULL) { *p = 0; -- cgit From 0492effcf36bc1229d0d2e9250b6c6c36af0b117 Mon Sep 17 00:00:00 2001 
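Review bot: sid_peek_rid only reads its argument but declares it `DOM_SID *sid`, so callers holding a const SID would have to cast; `BOOL sid_peek_rid(const DOM_SID *sid, uint32 *rid)` costs nothing here. The header comment could also state the failure contract the body implements: `Return the last rid from the end of a sid. Returns False and leaves *rid untouched when the sid has no sub-authorities.` The sid_split_rid body whose tail opens the hunk starts outside it.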
From: Jeremy Allison Date: Sat, 22 Sep 2001 06:45:24 +0000 Subject: Ignore unmappable (NT Authority, BUILTIN etc.) SIDs in an ACL set. Jeremy. (This used to be commit bc7963bd643422cce081b6284e3bdd49ae3a02ab) --- source3/lib/util_sid.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index c89c7c70d9..10813a4605 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -566,3 +566,27 @@ size_t sid_size(DOM_SID *sid) return sid->num_auths * sizeof(uint32) + 8; } + +/***************************************************************** + Returns true if SID is internal (and non-mappable). +*****************************************************************/ + +BOOL non_mappable_sid(DOM_SID *sid) +{ + DOM_SID dom; + uint32 rid; + + sid_copy(&dom, sid); + sid_split_rid(&dom, &rid); + + if (sid_equal(&dom, &global_sid_Builtin)) + return True; + + if (sid_equal(&dom, &global_sid_Creator_Owner_Domain)) + return True; + + if (sid_equal(&dom, &global_sid_NT_Authority)) + return True; + + return False; +} -- cgit From dc1fc3ee8ec2199bc73bb5d7ec711c6800f61d65 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 2 Oct 2001 04:29:50 +0000 Subject: Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header. (This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e) --- source3/lib/util_sid.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 10813a4605..8903bb1465 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -23,8 +23,6 @@ #include "includes.h" - -extern int DEBUGLEVEL; DOM_SID global_sam_sid; extern pstring global_myname; extern fstring global_myworkgroup; -- cgit From ade911c1c6ae51f0535beaf1c222de77fd860036 Mon Sep 17 00:00:00 2001 
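Review bot: non_mappable_sid discards the result of `sid_split_rid(&dom, &rid)` and never uses `rid`, so a SID with no sub-authorities is compared unsplit against the three domain SIDs; that looks like it gives the right answer for S-1-5 and S-1-3 themselves, but a reader cannot tell whether it is intended. Either check the return and say what a split failure means, or document it: `/* a sid with no sub-auths fails sid_split_rid and is compared as-is */`. The parameter is also read-only and could be `const DOM_SID *sid`. The sid_size body that opens the hunk starts outside it.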
From: Tim Potter Date: Mon, 5 Nov 2001 22:57:14 +0000 Subject: Removed totally annoying verbose debug in sid_to_string() (This used to be commit 4f21ddb8737d3f72a84465d3384351ccd2b07d15) --- source3/lib/util_sid.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 8903bb1465..06ff9510b7 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -410,8 +410,6 @@ BOOL string_to_sid(DOM_SID *sidout, char *sidstr) sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10)); } - DEBUG(7,("string_to_sid: converted SID %s ok\n", sidstr)); - return True; } -- cgit From 2285b99cb1047ea85589ef23d4ca73278a15ee08 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 3 Dec 2001 06:04:18 +0000 Subject: added a basic ADS backend to winbind. More work needed, but at least basic operations work (This used to be commit 88241cab983b2c7db7d477c6c4654694a7a56cd3) --- source3/lib/util_sid.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 06ff9510b7..0f1b22ca27 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -494,7 +494,6 @@ DOM_SID *sid_dup(DOM_SID *src) /***************************************************************** Write a sid out into on-the-wire format. *****************************************************************/ - BOOL sid_linearize(char *outbuf, size_t len, DOM_SID *sid) { size_t i; 
@@ -511,6 +510,23 @@ BOOL sid_linearize(char *outbuf, size_t len, DOM_SID *sid) return True; } +/***************************************************************** + parse a on-the-wire SID to a DOM_SID +*****************************************************************/ +BOOL sid_parse(char *inbuf, size_t len, DOM_SID *sid) +{ + int i; + if (len < 8) return False; + sid->sid_rev_num = CVAL(inbuf, 0); + sid->num_auths = CVAL(inbuf, 1); + memcpy(sid->id_auth, inbuf+2, 6); + if (len < 8 + sid->num_auths*4) return False; + for (i=0;inum_auths;i++) { + sid->sub_auths[i] = IVAL(inbuf, 8+i*4); + } + return True; +} + /***************************************************************** Compare two sids. *****************************************************************/ -- cgit From 6f907af4e73b53c3ddab934ba954788a2134b913 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 3 Dec 2001 11:11:14 +0000 Subject: put sid_to_name behind the winbindd backend interface I spent quite a while trying to work out how to make this call via ldap and failed. I then found that MS servers seem use rpc for sid_to_name, and it works even when in native mode, I ended up just implementing it via rpc (This used to be commit 789833b44e342c0b5de463ed8f9b5f7474a99f27) --- source3/lib/util_sid.c | 38 ++++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 0f1b22ca27..7e9299b053 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -498,7 +498,7 @@ BOOL sid_linearize(char *outbuf, size_t len, DOM_SID *sid) { size_t i; - if(len < sid_size(sid)) + if (len < sid_size(sid)) return False; SCVAL(outbuf,0,sid->sid_rev_num); 
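Review bot: sid_parse copies `num_auths` straight from the wire (`sid->num_auths = CVAL(inbuf, 1)`) and only checks it against the input length, never against the capacity of `sid->sub_auths`, so a peer sending a SID with more sub-authorities than the structure holds drives the loop past the end of the array. Add a bound before the loop, e.g. `if (sid->num_auths > sizeof(sid->sub_auths)/sizeof(sid->sub_auths[0])) return False;` (or the constant that sizes `sub_auths` in the DOM_SID definition, which is not visible here). The loop header as rendered reads `for (i=0;inum_auths;i++)`, presumably `i < sid->num_auths` lost in extraction. `inbuf` is only read and could be `const char *`.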
@@ -527,10 +527,11 @@ BOOL sid_parse(char *inbuf, size_t len, DOM_SID *sid) return True; } + /***************************************************************** - Compare two sids. + Compare the domain portion of two sids. *****************************************************************/ -int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2) +int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2) { int i; @@ -538,14 +539,6 @@ int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2) if (!sid1) return -1; if (!sid2) return 1; - /* compare most likely different rids, first: i.e start at end */ - for (i = sid1->num_auths-1; i >= 0; --i) - if (sid1->sub_auths[i] != sid2->sub_auths[i]) - return sid1->sub_auths[i] - sid2->sub_auths[i]; - - if (sid1->num_auths != sid2->num_auths) - return sid1->num_auths - sid2->num_auths; - if (sid1->sid_rev_num != sid2->sid_rev_num) return sid1->sid_rev_num - sid2->sid_rev_num; @@ -556,11 +549,32 @@ int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2) return 0; } - /***************************************************************** Compare two sids. *****************************************************************/ +int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2) +{ + int i; + if (sid1 == sid2) return 0; + if (!sid1) return -1; + if (!sid2) return 1; + + /* compare most likely different rids, first: i.e start at end */ + if (sid1->num_auths != sid2->num_auths) + return sid1->num_auths - sid2->num_auths; + + for (i = sid1->num_auths-1; i >= 0; --i) + if (sid1->sub_auths[i] != sid2->sub_auths[i]) + return sid1->sub_auths[i] - sid2->sub_auths[i]; + + return sid_compare_domain(sid1, sid2); +} + + +/***************************************************************** + Compare two sids. +*****************************************************************/ BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2) { return sid_compare(sid1, sid2) == 0; -- cgit 
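Review bot: The new sid_compare returns `sid1->sub_auths[i] - sid2->sub_auths[i]`, an unsigned 32-bit difference converted to int, so the sign depends on wraparound and the function is not a consistent ordering (two values differing by more than 2^31 sort the wrong way); equality through sid_equal is unaffected, but any caller that sorts or searches on the sign is. Use explicit comparisons: `if (sid1->sub_auths[i] != sid2->sub_auths[i]) return sid1->sub_auths[i] < sid2->sub_auths[i] ? -1 : 1;`. The header comment on sid_equal still says only "Compare two sids." and could say it returns True when sid_compare reports equality.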
From 922eb763d7365716fd3c20aa069746fc9bfb8ab3 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Tue, 4 Dec 2001 21:53:47 +0000 Subject: added a boolean to the group mapping functions to specify if we need or not the privileges. Usually we don't need them, so the memory is free early. lib/util_sid.c: added some helper functions to check an SID. passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass an RID all the way. If the group doesn't exist on the domain SID, don't return a faked one as it can collide with a builtin one. Some rpc structures have been badly designed, they return only rids and force the client to do subsequent lsa_lookup_sid() on the domain sid and the builtin sid ! rpc_server/srv_util.c: wrote a new version of get_domain_user_groups(). Only the samr code uses it atm. It uses the group mapping code instead of a bloody hard coded crap. The netlogon code will use it too, but I have to do some test first. J.F. (This used to be commit 6c87e96149101995b7d049657d5c26eefef37d8c) --- source3/lib/util_sid.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 7e9299b053..923037f479 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -581,6 +581,53 @@ BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2) } +/***************************************************************** + Check if the SID is our domain SID (S-1-5-21-x-y-z). +*****************************************************************/ +BOOL sid_check_is_domain(const DOM_SID *sid) +{ + return sid_equal(sid, &global_sam_sid); +} + + +/***************************************************************** + Check if the SID is the builtin SID (S-1-5-32). +*****************************************************************/ +BOOL sid_check_is_builtin(const DOM_SID *sid) +{ + return sid_equal(sid, &global_sid_Builtin); +} + + +/***************************************************************** + Check if the SID is our domain SID (S-1-5-21-x-y-z). +*****************************************************************/ +BOOL sid_check_is_in_our_domain(const DOM_SID *sid) +{ + DOM_SID dom_sid; + uint32 rid; + + sid_copy(&dom_sid, sid); + sid_split_rid(&dom_sid, &rid); + + return sid_equal(&dom_sid, &global_sam_sid); +} + +/***************************************************************** + Check if the SID is our domain SID (S-1-5-21-x-y-z). +*****************************************************************/ +BOOL sid_check_is_in_builtin(const DOM_SID *sid) +{ + DOM_SID dom_sid; + uint32 rid; + + sid_copy(&dom_sid, sid); + sid_split_rid(&dom_sid, &rid); + + return sid_equal(&dom_sid, &global_sid_Builtin); +} + + /***************************************************************** Calculates size of a sid. *****************************************************************/ @@ -608,7 +655,7 @@ BOOL non_mappable_sid(DOM_SID *sid) if (sid_equal(&dom, &global_sid_Builtin)) return True; - if (sid_equal(&dom, &global_sid_Creator_Owner_Domain)) + if (sid_equal(&dom, &global_sid_Creator_Owner_Domain)) return True; if (sid_equal(&dom, &global_sid_NT_Authority)) -- cgit From e051c2c430f706835f250b10cc63e5621054b5ec Mon Sep 17 00:00:00 2001 
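Review bot: The header comment on sid_check_is_in_builtin is a copy of the one above it and says "Check if the SID is our domain SID (S-1-5-21-x-y-z)", while the body compares the SID's domain part with `global_sid_Builtin`; it should read `Check if the SID is in the builtin domain (S-1-5-32-rid).` Likewise sid_check_is_in_our_domain is documented as checking "is our domain SID" but strips a RID first, so `Check if the SID is in our domain (S-1-5-21-x-y-z-rid).` describes what it does. Both helpers also ignore the return of sid_split_rid and the `rid` they read, which is fine for a membership test but worth a word, since a SID with no sub-authorities is then compared unsplit.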
From: Andrew Tridgell Date: Mon, 10 Dec 2001 00:39:01 +0000 Subject: make sid_binstring available without HAVE_ADS (This used to be commit 4a6d29768665f71b72cf48ee34ee9a9c451232f6) --- source3/lib/util_sid.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 923037f479..72365f5e46 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -663,3 +663,20 @@ BOOL non_mappable_sid(DOM_SID *sid) return False; } + +/* + return the binary string representation of a DOM_SID + caller must free +*/ +char *sid_binstring(DOM_SID *sid) +{ + char *buf, *s; + int len = sid_size(sid); + buf = malloc(len); + if (!buf) return NULL; + sid_linearize(buf, len, sid); + s = binary_string(buf, len); + free(buf); + return s; +} + -- cgit From dccc1ed3f8344968129c73104c1bdf8ab8b2a1e5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 18 Dec 2001 19:44:14 +0000 Subject: Fixup JF's weird SID return :-). Jeremy (This used to be commit 7b8fb8d85c406b8755f60cf14dc2377bc59eda53) --- source3/lib/util_sid.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 72365f5e46..1e0feac049 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -42,6 +42,7 @@ DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */ DOM_SID global_sid_Network; /* Network rids */ DOM_SID global_sid_Anonymous; /* Anonymous login */ +DOM_SID global_sid_nonexistent; /* S-0-0. Used in Lsa level 3. */ const DOM_SID *global_sid_everyone = &global_sid_World; 
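Review bot: sid_binstring ignores the return of `sid_linearize(buf, len, sid)` and hands `buf` to binary_string regardless, so on the failure path the caller would get the rendering of an uninitialised malloc block; check it: `if (!sid_linearize(buf, len, sid)) { free(buf); return NULL; }`. With `len` taken from `sid_size(sid)` the length check inside sid_linearize cannot fail as far as this hunk shows, so this is a robustness fix rather than a live bug. `len` also narrows `sid_size`'s `size_t` result to `int`; `size_t len` would match the callee.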
@@ -182,6 +183,7 @@ void generate_wellknown_sids(void) string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11"); string_to_sid(&global_sid_Network, "S-1-5-2"); string_to_sid(&global_sid_Anonymous, "S-1-5-7"); + string_to_sid(&global_sid_nonexistent, "S-0-0"); /* Used in Lsa level 3. */ /* Create the anon token. */ sid_copy( &anonymous_token.user_sids[0], &global_sid_World); @@ -360,10 +362,10 @@ char *sid_to_string(fstring sidstr_out, DOM_SID *sid) Convert a string to a SID. Returns True on success, False on fail. *****************************************************************/ -BOOL string_to_sid(DOM_SID *sidout, char *sidstr) +BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) { pstring tok; - char *p = sidstr; + const char *p = sidstr; /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ uint32 ia; -- cgit From 279276c9ca0106e4191e170a442b871543c034ac Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 19 Dec 2001 08:37:03 +0000 Subject: fixed sid_compare_domain() (This used to be commit c11c27b2812ceb06a52afbb7662f82a8676b1707) --- source3/lib/util_sid.c | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 1e0feac049..009cc7742a 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -358,6 +358,16 @@ char *sid_to_string(fstring sidstr_out, DOM_SID *sid) return sidstr_out; } +/* + useful function for debug lines +*/ +const char *sid_string_static(DOM_SID *sid) +{ + static fstring sid_str; + sid_to_string(sid_str, sid); + return sid_str; +} + /***************************************************************** Convert a string to a SID. Returns True on success, False on fail. *****************************************************************/ 
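Review bot: sid_string_static returns a pointer into a single `static fstring sid_str`, so every call overwrites the previous result; two uses in one DEBUG argument list print the same SID twice, and the helper is unsafe if this code is ever run on more than one thread. The comment should say so: `/* useful for debug lines; returns a static buffer that is overwritten by the next call, so use at most once per expression */`. The `const char *` return is right for that contract but cannot stop a caller holding the pointer across another call.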
@@ -531,9 +541,9 @@ BOOL sid_parse(char *inbuf, size_t len, DOM_SID *sid) /***************************************************************** - Compare the domain portion of two sids. + Compare the auth portion of two sids. *****************************************************************/ -int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2) +int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2) { int i; @@ -570,9 +580,25 @@ int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2) if (sid1->sub_auths[i] != sid2->sub_auths[i]) return sid1->sub_auths[i] - sid2->sub_auths[i]; - return sid_compare_domain(sid1, sid2); + return sid_compare_auth(sid1, sid2); } +/***************************************************************** +see if 2 SIDs are in the same domain +this just compares the leading sub-auths +*****************************************************************/ +int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2) +{ + int n, i; + + n = MIN(sid1->num_auths, sid2->num_auths); + + for (i = n-1; i >= 0; --i) + if (sid1->sub_auths[i] != sid2->sub_auths[i]) + return sid1->sub_auths[i] - sid2->sub_auths[i]; + + return sid_compare_auth(sid1, sid2); +} /***************************************************************** Compare two sids. -- cgit From 0608a60390db336bf179564aefdf16c43f1793ad Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 30 Dec 2001 19:21:25 +0000 Subject: util_sid.c - respect a const variabile (addedd strdup) cli_reg.c - indentation pdb_ldap.c - some checks on init fns parameters pdb_tdb.c - some checks on init fns parameters + make sure we close the db on failure (This used to be commit 49f5cb7a3df6d673f86e6769319aa657e30d8380) --- source3/lib/util_sid.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 009cc7742a..d35e8a8ac9 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
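Review bot: The new sid_compare_domain compares the trailing `MIN(sid1->num_auths, sid2->num_auths)` sub-authorities, so when both SIDs have the same number of sub-authorities — two account SIDs from the same domain, say — it compares their RIDs too and reports different domains; the comment "see if 2 SIDs are in the same domain" only holds when one argument is the bare domain SID. If that is the intended calling convention it should be stated, e.g. `one of the two sids must be the domain sid itself; two full account sids never compare equal here`; otherwise the comparison should stop one short when both carry a RID. The function also has no NULL checks, unlike sid_compare above it. The sid_compare_auth body that opens the line starts outside this hunk.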
@@ -375,20 +375,26 @@ const char *sid_string_static(DOM_SID *sid) BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) { pstring tok; - const char *p = sidstr; + char *p; /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ uint32 ia; + + if (StrnCaseCmp( sidstr, "S-", 2)) { + DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); + return False; + } memset((char *)sidout, '\0', sizeof(DOM_SID)); - if (StrnCaseCmp( sidstr, "S-", 2)) { - DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); + p = strdup(sidstr + 2); + if (p == NULL) { + DEBUG(0, ("string_to_sid: out of memory!\n")); return False; } - p += 2; if (!next_token(&p, tok, "-", sizeof(tok))) { DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); + SAFE_FREE(p); return False; } @@ -397,6 +403,7 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) if (!next_token(&p, tok, "-", sizeof(tok))) { DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); + SAFE_FREE(p); return False; } @@ -422,6 +429,7 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10)); } + SAFE_FREE(p); return True; } -- cgit From 78528b4ec6cb675bfb81a1b8c1b7e62ae19db8ef Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 30 Dec 2001 22:55:04 +0000 Subject: freeing the wrong pointer, sorry my mistake. (This used to be commit ce7e89949ae1755f9faa008784a5b1a9b137945e) --- source3/lib/util_sid.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index d35e8a8ac9..1a19d55830 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -375,7 +375,7 @@ const char *sid_string_static(DOM_SID *sid) BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) { pstring tok; - char *p; + char *p, *q; /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ uint32 ia; @@ -386,7 +386,7 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) memset((char *)sidout, '\0', sizeof(DOM_SID)); - p = strdup(sidstr + 2); + q = p = strdup(sidstr + 2); if (p == NULL) { DEBUG(0, ("string_to_sid: out of memory!\n")); return False; @@ -394,7 +394,7 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) if (!next_token(&p, tok, "-", sizeof(tok))) { DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); - SAFE_FREE(p); + SAFE_FREE(q); return False; } @@ -403,7 +403,7 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) if (!next_token(&p, tok, "-", sizeof(tok))) { DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); - SAFE_FREE(p); + SAFE_FREE(q); return False; } @@ -429,7 +429,7 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10)); } - SAFE_FREE(p); + SAFE_FREE(q); return True; } -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/lib/util_sid.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 1a19d55830..d4f8abb089 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 1.9. + Unix SMB/CIFS implementation. Samba utility functions Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 -- cgit 
From b48750fba603f9e04b08e346744bcc9c6a49a1af Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 31 Jan 2002 09:37:26 +0000 Subject: this fixes the problem of not being able to add a SD to a file on a non-domain Samba server from a NT4 client. Note that this exactly reverses a change by Jeremy on the 18th of December 2001, reverting the code back to what JF originally wrote. I have looked carefully with a sniffer and JFs original NULL sid is correct (ie. it matches what NT4 does) and also fixes the problem. Sending a blank sid (which is what jeremy's patch did) causes NT4 to give a classic "parameter is incorrect error" and prevents the addition of new ACLs. (This used to be commit 9930cf97330dd93985c5558cec6b24406e90c228) --- source3/lib/util_sid.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index d4f8abb089..436f045e97 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -41,7 +41,6 @@ DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */ DOM_SID global_sid_Network; /* Network rids */ DOM_SID global_sid_Anonymous; /* Anonymous login */ -DOM_SID global_sid_nonexistent; /* S-0-0. Used in Lsa level 3. */ const DOM_SID *global_sid_everyone = &global_sid_World; @@ -182,7 +181,6 @@ void generate_wellknown_sids(void) string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11"); string_to_sid(&global_sid_Network, "S-1-5-2"); string_to_sid(&global_sid_Anonymous, "S-1-5-7"); - string_to_sid(&global_sid_nonexistent, "S-0-0"); /* Used in Lsa level 3. */ /* Create the anon token. */ sid_copy( &anonymous_token.user_sids[0], &global_sid_World); -- cgit From 683ba419ff2aeca94971a3bba9d7a1ee45374045 Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Sun, 10 Mar 2002 01:51:15 +0000 Subject: add a note about the meaning of global_sam_sid (This used to be commit 3db97530b62ac12d334d0244ea52db8750cebf2e) --- source3/lib/util_sid.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 436f045e97..8bd19bb46b 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -22,6 +22,9 @@ #include "includes.h" +/* NOTE! the global_sam_sid is the SID of our local SAM. This is only + equal to the domain SID when we are a DC, otherwise its our + workstation SID */ DOM_SID global_sam_sid; extern pstring global_myname; extern fstring global_myworkgroup; -- cgit From dac047366a534994e40952ddfcdb491c2fd4d1e5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 13 Mar 2002 01:29:30 +0000 Subject: Add "Creator Group" - was in 2.2.x and I'm syncing up the two. Jeremy. (This used to be commit bcf38961a7786c5cf1eb7568b87c19712c3ea9cc) --- source3/lib/util_sid.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 8bd19bb46b..cd7b64bb70 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -38,6 +38,7 @@ DOM_SID global_sid_World_Domain; /* Everyone domain */ DOM_SID global_sid_World; /* Everyone */ DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */ DOM_SID global_sid_Creator_Owner; /* Creator Owner */ +DOM_SID global_sid_Creator_Group; /* Creator Group */ DOM_SID global_sid_NT_Authority; /* NT Authority */ DOM_SID global_sid_NULL; /* NULL sid */ DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ 
@@ -179,6 +180,7 @@ void generate_wellknown_sids(void) string_to_sid(&global_sid_World, "S-1-1-0"); string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3"); string_to_sid(&global_sid_Creator_Owner, "S-1-3-0"); + string_to_sid(&global_sid_Creator_Group, "S-1-3-1"); string_to_sid(&global_sid_NT_Authority, "S-1-5"); string_to_sid(&global_sid_NULL, "S-1-0-0"); string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11"); -- cgit From e90b65284812aaa5ff9e9935ce9bbad7791cbbcd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 15 Jul 2002 10:35:28 +0000 Subject: updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce) --- source3/lib/util_sid.c | 344 +++++++++++-------------------------------------- 1 file changed, 74 insertions(+), 270 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index cd7b64bb70..5dd1d75c70 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -1,10 +1,11 @@ /* Unix SMB/CIFS implementation. Samba utility functions - Copyright (C) Andrew Tridgell 1992-1998 - Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 - Copyright (C) Jeremy Allison 1999 - + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 + Copyright (C) Jeremy Allison 1999 + Copyright (C) Stefan (metze) Metzmacher 2002 + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or @@ -22,10 +23,6 @@ #include "includes.h" -/* NOTE! the global_sam_sid is the SID of our local SAM. This is only - equal to the domain SID when we are a DC, otherwise its our - workstation SID */ -DOM_SID global_sam_sid; extern pstring global_myname; extern fstring global_myworkgroup; 
@@ -37,66 +34,15 @@ DOM_SID global_sid_Builtin; /* Local well-known domain */ DOM_SID global_sid_World_Domain; /* Everyone domain */ DOM_SID global_sid_World; /* Everyone */ DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */ -DOM_SID global_sid_Creator_Owner; /* Creator Owner */ -DOM_SID global_sid_Creator_Group; /* Creator Group */ DOM_SID global_sid_NT_Authority; /* NT Authority */ DOM_SID global_sid_NULL; /* NULL sid */ DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */ DOM_SID global_sid_Network; /* Network rids */ -DOM_SID global_sid_Anonymous; /* Anonymous login */ - -const DOM_SID *global_sid_everyone = &global_sid_World; -typedef struct _known_sid_users { - uint32 rid; - enum SID_NAME_USE sid_name_use; - char *known_user_name; -} known_sid_users; - -/* static known_sid_users no_users[] = {{0, 0, NULL}}; */ - -static known_sid_users everyone_users[] = { - { 0, SID_NAME_WKN_GRP, "Everyone" }, - {0, (enum SID_NAME_USE)0, NULL}}; - -static known_sid_users creator_owner_users[] = { - { 0, SID_NAME_ALIAS, "Creator Owner" }, - {0, (enum SID_NAME_USE)0, NULL}}; - -static known_sid_users nt_authority_users[] = { - { 1, SID_NAME_ALIAS, "Dialup" }, - { 2, SID_NAME_ALIAS, "Network"}, - { 3, SID_NAME_ALIAS, "Batch"}, - { 4, SID_NAME_ALIAS, "Interactive"}, - { 6, SID_NAME_ALIAS, "Service"}, - { 7, SID_NAME_ALIAS, "AnonymousLogon"}, - { 8, SID_NAME_ALIAS, "Proxy"}, - { 9, SID_NAME_ALIAS, "ServerLogon"}, - { 11, SID_NAME_ALIAS, "Authenticated Users"}, - { 18, SID_NAME_ALIAS, "SYSTEM"}, - { 0, (enum SID_NAME_USE)0, NULL}}; - -static known_sid_users builtin_groups[] = { - { BUILTIN_ALIAS_RID_ADMINS, SID_NAME_ALIAS, "Administrators" }, - { BUILTIN_ALIAS_RID_USERS, SID_NAME_ALIAS, "Users" }, - { BUILTIN_ALIAS_RID_GUESTS, SID_NAME_ALIAS, "Guests" }, - { BUILTIN_ALIAS_RID_ACCOUNT_OPS, SID_NAME_ALIAS, "Account Operators" }, - { BUILTIN_ALIAS_RID_SYSTEM_OPS, SID_NAME_ALIAS, "Server 
Operators" }, - { BUILTIN_ALIAS_RID_PRINT_OPS, SID_NAME_ALIAS, "Print Operators" }, - { BUILTIN_ALIAS_RID_BACKUP_OPS, SID_NAME_ALIAS, "Backup Operators" }, - { 0, (enum SID_NAME_USE)0, NULL}}; - -#define MAX_SID_NAMES 7 - -static struct sid_name_map_info -{ - DOM_SID *sid; - char *name; - known_sid_users *known_users; -} sid_name_map[MAX_SID_NAMES]; - -static BOOL sid_name_map_initialized = False; +static DOM_SID global_sid_Creator_Owner; /* Creator Owner */ +static DOM_SID global_sid_Creator_Group; /* Creator Group */ +static DOM_SID global_sid_Anonymous; /* Anonymous login */ /* * An NT compatible anonymous token. 
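Review bot: The three declarations added at the end of the hunk keep the `global_sid_` prefix while being made `static`, so `global_sid_Creator_Owner`, `global_sid_Creator_Group` and `global_sid_Anonymous` now read as exported symbols but are file-private. Either drop the prefix or add a short comment marking the scope on purpose: `/* file-local; not part of the exported well-known SID set */`. The sid_name_map machinery removed here has its replacement in a later hunk that runs past the visible source.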
@@ -109,65 +55,43 @@ NT_USER_TOKEN anonymous_token = { anon_sid_array }; -/************************************************************************** - quick init function - *************************************************************************/ -static void init_sid_name_map (void) +/**************************************************************************** + Lookup string names for SID types. +****************************************************************************/ + +const static struct { + enum SID_NAME_USE sid_type; + char *string; +} sid_name_type[] = { + {SID_NAME_USER, "user"}, + {SID_NAME_DOM_GRP, "domain group"}, + {SID_NAME_DOMAIN, "domain"}, + {SID_NAME_ALIAS, "local group"}, + {SID_NAME_WKN_GRP, "well-known group"}, + {SID_NAME_DELETED, "deleted account"}, + {SID_NAME_INVALID, "invalid account"}, + {SID_NAME_UNKNOWN, "UNKNOWN"}, + + {SID_NAME_USE_NONE, NULL} +}; + +const char *sid_type_lookup(uint32 sid_type) { int i = 0; - - if (sid_name_map_initialized) return; - - if ((lp_security() == SEC_USER) && lp_domain_logons()) { - sid_name_map[i].sid = &global_sam_sid; - sid_name_map[i].name = global_myworkgroup; - sid_name_map[i].known_users = NULL; - i++; - sid_name_map[i].sid = &global_sam_sid; - sid_name_map[i].name = global_myname; - sid_name_map[i].known_users = NULL; - i++; - } - else { - sid_name_map[i].sid = &global_sam_sid; - sid_name_map[i].name = global_myname; - sid_name_map[i].known_users = NULL; + /* Look through list */ + while(sid_name_type[i].sid_type != 0) { + if (sid_name_type[i].sid_type == sid_type) + return sid_name_type[i].string; i++; } - sid_name_map[i].sid = &global_sid_Builtin; - sid_name_map[i].name = "BUILTIN"; - sid_name_map[i].known_users = &builtin_groups[0]; - i++; + /* Default return */ + return "SID *TYPE* is INVALID"; - sid_name_map[i].sid = &global_sid_World_Domain; - sid_name_map[i].name = ""; - sid_name_map[i].known_users = &everyone_users[0]; - i++; - - sid_name_map[i].sid = &global_sid_Creator_Owner_Domain; 
- sid_name_map[i].name = ""; - sid_name_map[i].known_users = &creator_owner_users[0]; - i++; - - sid_name_map[i].sid = &global_sid_NT_Authority; - sid_name_map[i].name = "NT Authority"; - sid_name_map[i].known_users = &nt_authority_users[0]; - i++; - - - /* end of array */ - sid_name_map[i].sid = NULL; - sid_name_map[i].name = NULL; - sid_name_map[i].known_users = NULL; - - sid_name_map_initialized = True; - - return; - } + /**************************************************************************** Creates some useful well known sids ****************************************************************************/ 
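Review bot: `sid_type_lookup` walks the table until `sid_type != 0` fails, so it depends on `SID_NAME_USE_NONE` being 0 and on no real entry ever having that value; if the enum is renumbered the loop runs off the end of `sid_name_type`. Terminate on the explicit sentinel the table already carries instead: `while (sid_name_type[i].string != NULL)`. The table's `char *string` should be `const char *` to match the function's `const char *` return, and `const static` is conventionally written `static const`. The function also takes `uint32 sid_type` while the table stores `enum SID_NAME_USE`; taking the enum would let the compiler catch mismatched callers.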
@@ -193,115 +117,6 @@ void generate_wellknown_sids(void) sid_copy( &anonymous_token.user_sids[2], &global_sid_Anonymous); } -/************************************************************************** - Turns a domain SID into a name, returned in the nt_domain argument. -***************************************************************************/ - -BOOL map_domain_sid_to_name(DOM_SID *sid, char *nt_domain) -{ - fstring sid_str; - int i = 0; - - sid_to_string(sid_str, sid); - - if (!sid_name_map_initialized) - init_sid_name_map(); - - DEBUG(5,("map_domain_sid_to_name: %s\n", sid_str)); - - if (nt_domain == NULL) - return False; - - while (sid_name_map[i].sid != NULL) { - sid_to_string(sid_str, sid_name_map[i].sid); - DEBUG(5,("map_domain_sid_to_name: compare: %s\n", sid_str)); - if (sid_equal(sid_name_map[i].sid, sid)) { - fstrcpy(nt_domain, sid_name_map[i].name); - DEBUG(5,("map_domain_sid_to_name: found '%s'\n", nt_domain)); - return True; - } - i++; - } - - DEBUG(5,("map_domain_sid_to_name: mapping for %s not found\n", sid_str)); - - return False; -} - -/************************************************************************** - Looks up a known username from one of the known domains. 
-***************************************************************************/ - -BOOL lookup_known_rid(DOM_SID *sid, uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) -{ - int i = 0; - struct sid_name_map_info *psnm; - - if (!sid_name_map_initialized) - init_sid_name_map(); - - for(i = 0; sid_name_map[i].sid != NULL; i++) { - psnm = &sid_name_map[i]; - if(sid_equal(psnm->sid, sid)) { - int j; - for(j = 0; psnm->known_users && psnm->known_users[j].known_user_name != NULL; j++) { - if(rid == psnm->known_users[j].rid) { - DEBUG(5,("lookup_builtin_rid: rid = %u, domain = '%s', user = '%s'\n", - (unsigned int)rid, psnm->name, psnm->known_users[j].known_user_name )); - fstrcpy( name, psnm->known_users[j].known_user_name); - *psid_name_use = psnm->known_users[j].sid_name_use; - return True; - } - } - } - } - - return False; -} - -/************************************************************************** - Turns a domain name into a SID. - *** side-effect: if the domain name is NULL, it is set to our domain *** -***************************************************************************/ - -BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain) -{ - int i = 0; - - if (nt_domain == NULL) { - DEBUG(5,("map_domain_name_to_sid: mapping NULL domain to our SID.\n")); - sid_copy(sid, &global_sam_sid); - return True; - } - - if (nt_domain[0] == 0) { - fstrcpy(nt_domain, global_myname); - DEBUG(5,("map_domain_name_to_sid: overriding blank name to %s\n", nt_domain)); - sid_copy(sid, &global_sam_sid); - return True; - } - - DEBUG(5,("map_domain_name_to_sid: %s\n", nt_domain)); - - if (!sid_name_map_initialized) - init_sid_name_map(); - - while (sid_name_map[i].name != NULL) { - DEBUG(5,("map_domain_name_to_sid: compare: %s\n", sid_name_map[i].name)); - if (strequal(sid_name_map[i].name, nt_domain)) { - fstring sid_str; - sid_copy(sid, sid_name_map[i].sid); - sid_to_string(sid_str, sid_name_map[i].sid); - DEBUG(5,("map_domain_name_to_sid: found %s\n", sid_str)); - return 
True; - } - i++; - } - - DEBUG(0,("map_domain_name_to_sid: mapping to %s not found.\n", nt_domain)); - return False; -} - /************************************************************************** Splits a name of format \DOMAIN\name or name into its two components. Sets the DOMAIN name to global_myname if it has not been specified. @@ -340,15 +155,22 @@ void split_domain_name(const char *fullname, char *domain, char *name) Convert a SID to an ascii string. *****************************************************************/ -char *sid_to_string(fstring sidstr_out, DOM_SID *sid) +char *sid_to_string(fstring sidstr_out, const DOM_SID *sid) { char subauth[16]; int i; + uint32 ia; + + if (!sid) { + fstrcpy(sidstr_out, "(NULL SID)"); + return sidstr_out; + } + /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ - uint32 ia = (sid->id_auth[5]) + - (sid->id_auth[4] << 8 ) + - (sid->id_auth[3] << 16) + - (sid->id_auth[2] << 24); + ia = (sid->id_auth[5]) + + (sid->id_auth[4] << 8 ) + + (sid->id_auth[3] << 16) + + (sid->id_auth[2] << 24); slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia); @@ -363,7 +185,7 @@ char *sid_to_string(fstring sidstr_out, DOM_SID *sid) /* useful function for debug lines */ -const char *sid_string_static(DOM_SID *sid) +const char *sid_string_static(const DOM_SID *sid) { static fstring sid_str; sid_to_string(sid_str, sid); @@ -466,8 +288,11 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) Return the last rid from the end of a sid *****************************************************************/ -BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid) +BOOL sid_peek_rid(const DOM_SID *sid, uint32 *rid) { + if (!sid || !rid) + return False; + if (sid->num_auths > 0) { *rid = sid->sub_auths[sid->num_auths - 1]; return True; 
@@ -475,6 +300,25 @@ BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid) return False; } +/***************************************************************** + Return the last rid from the end of a sid + and check the sid against the exp_dom_sid +*****************************************************************/ + +BOOL sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 *rid) +{ + if (!exp_dom_sid || !sid || !rid) + return False; + + + if (sid_compare_domain(exp_dom_sid, sid)!=0){ + *rid=(-1); + return False; + } + + return sid_peek_rid(sid, rid); +} + /***************************************************************** Copies a sid *****************************************************************/ @@ -483,7 +327,7 @@ void sid_copy(DOM_SID *dst, const DOM_SID *src) { int i; - memset((char *)dst, '\0', sizeof(DOM_SID)); + ZERO_STRUCTP(dst); dst->sid_rev_num = src->sid_rev_num; dst->num_auths = src->num_auths; @@ -494,24 +338,6 @@ void sid_copy(DOM_SID *dst, const DOM_SID *src) dst->sub_auths[i] = src->sub_auths[i]; } -/***************************************************************** - Duplicates a sid - mallocs the target. -*****************************************************************/ - -DOM_SID *sid_dup(DOM_SID *src) -{ - DOM_SID *dst; - - if(!src) - return NULL; - - if((dst = malloc(sizeof(DOM_SID))) != NULL) { - memset(dst, '\0', sizeof(DOM_SID)); - sid_copy( dst, src); - } - - return dst; -} /***************************************************************** Write a sid out into on-the-wire format. @@ -553,7 +379,7 @@ BOOL sid_parse(char *inbuf, size_t len, DOM_SID *sid) /***************************************************************** Compare the auth portion of two sids. *****************************************************************/ -int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2) +static int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2) { int i; 
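Review bot: `sid_peek_check_rid` only establishes that `sid` shares `exp_dom_sid`'s leading sub-auths, and the header comment on `sid_compare_domain` elsewhere on this page says that is all it compares, so a `sid` equal to the domain SID itself, or one with extra sub-auths below the RID, passes and the returned `rid` is the domain's last sub-auth or a nested value rather than a RID in that domain. Add `if (sid->num_auths != exp_dom_sid->num_auths + 1) return False;` before calling `sid_peek_rid`. The `*rid=(-1)` sentinel is written only on the domain-mismatch path and not when an argument is NULL, so callers cannot rely on it; set it on every failure path or drop it. `sid_compare_domain`'s body is not visible in this hunk, so its exact comparison should be confirmed there.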
@@ -619,14 +445,6 @@ BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2) } -/***************************************************************** - Check if the SID is our domain SID (S-1-5-21-x-y-z). -*****************************************************************/ -BOOL sid_check_is_domain(const DOM_SID *sid) -{ - return sid_equal(sid, &global_sam_sid); -} - /***************************************************************** Check if the SID is the builtin SID (S-1-5-32). @@ -637,20 +455,6 @@ BOOL sid_check_is_builtin(const DOM_SID *sid) } -/***************************************************************** - Check if the SID is our domain SID (S-1-5-21-x-y-z). -*****************************************************************/ -BOOL sid_check_is_in_our_domain(const DOM_SID *sid) -{ - DOM_SID dom_sid; - uint32 rid; - - sid_copy(&dom_sid, sid); - sid_split_rid(&dom_sid, &rid); - - return sid_equal(&dom_sid, &global_sam_sid); -} - /***************************************************************** Check if the SID is our domain SID (S-1-5-21-x-y-z). *****************************************************************/ -- cgit From b2edf254eda92f775e7d3d9b6793b4d77f9000b6 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 17 Aug 2002 17:00:51 +0000 Subject: sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290) --- source3/lib/util_sid.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 5dd1d75c70..ad09f91234 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -365,6 +365,9 @@ BOOL sid_parse(char *inbuf, size_t len, DOM_SID *sid) { int i; if (len < 8) return False; + + ZERO_STRUCTP(sid); + sid->sid_rev_num = CVAL(inbuf, 0); sid->num_auths = CVAL(inbuf, 1); memcpy(sid->id_auth, inbuf+2, 6); -- cgit From a834a73e341059be154426390304a42e4a011f72 Mon Sep 17 00:00:00 2001 
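Review bot: In the `sid_parse` hunk `sid->num_auths` is taken straight from a wire byte and nothing in the hunk bounds it against the size of `sid->sub_auths`; the length test further down is outside the hunk and, from what is visible, only bounds the input buffer, not the destination array. A peer sending `num_auths` above `MAXSUBAUTHS` with a matching `len` would make the copy loop write past the end of the struct, so add `if (sid->num_auths > MAXSUBAUTHS) return False;` directly after the `CVAL(inbuf, 1)` read. Zeroing the struct first is a good change, but it happens after the `len < 8` return, so that failure leaves the caller's `*sid` untouched while a later failure leaves it half-filled; moving `ZERO_STRUCTP(sid)` above the first check makes the failure state uniform.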
From: Gerald Carter Date: Wed, 25 Sep 2002 15:19:00 +0000 Subject: sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139) --- source3/lib/util_sid.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index ad09f91234..e9635fc7f8 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -30,13 +30,11 @@ extern fstring global_myworkgroup; * Some useful sids */ -DOM_SID global_sid_Builtin; /* Local well-known domain */ DOM_SID global_sid_World_Domain; /* Everyone domain */ DOM_SID global_sid_World; /* Everyone */ DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */ DOM_SID global_sid_NT_Authority; /* NT Authority */ DOM_SID global_sid_NULL; /* NULL sid */ -DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */ DOM_SID global_sid_Network; /* Network rids */ @@ -44,6 +42,11 @@ static DOM_SID global_sid_Creator_Owner; /* Creator Owner */ static DOM_SID global_sid_Creator_Group; /* Creator Group */ static DOM_SID global_sid_Anonymous; /* Anonymous login */ +DOM_SID global_sid_Builtin; /* Local well-known domain */ +DOM_SID global_sid_Builtin_Administrators; +DOM_SID global_sid_Builtin_Users; +DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ + /* * An NT compatible anonymous token. */ @@ -99,6 +102,8 @@ const char *sid_type_lookup(uint32 sid_type) void generate_wellknown_sids(void) { string_to_sid(&global_sid_Builtin, "S-1-5-32"); + string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544"); + string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545"); string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546"); string_to_sid(&global_sid_World_Domain, "S-1-1"); string_to_sid(&global_sid_World, "S-1-1-0"); 
@@ -525,3 +530,18 @@ char *sid_binstring(DOM_SID *sid) return s; } + +/* + print a GUID structure for debugging +*/ +void print_guid(GUID *guid) +{ + int i; + + d_printf("%08x-%04x-%04x", + IVAL(guid->info, 0), SVAL(guid->info, 4), SVAL(guid->info, 6)); + d_printf("-%02x%02x-", guid->info[8], guid->info[9]); + for (i=10;iinfo[i]); + d_printf("\n"); +} -- cgit From f2d1f19a66ebaf9b88d23c0faa2412536cc74cda Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 1 Oct 2002 18:26:00 +0000 Subject: syncing up with HEAD. Seems to be a lot of differences creeping in (i ignored the new SAMBA stuff, but the rest of this looks like it should have been merged already). (This used to be commit 3de09e5cf1f667e410ee8b9516a956860ce7290f) --- source3/lib/util_sid.c | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index e9635fc7f8..1439471f64 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -34,6 +34,7 @@ DOM_SID global_sid_World_Domain; /* Everyone domain */ DOM_SID global_sid_World; /* Everyone */ DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */ DOM_SID global_sid_NT_Authority; /* NT Authority */ +DOM_SID global_sid_System; /* System */ DOM_SID global_sid_NULL; /* NULL sid */ DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */ DOM_SID global_sid_Network; /* Network rids */ @@ -58,6 +59,12 @@ NT_USER_TOKEN anonymous_token = { anon_sid_array }; +static DOM_SID system_sid_array[4]; +NT_USER_TOKEN system_token = { + 1, + system_sid_array +}; + /**************************************************************************** Lookup string names for SID types. ****************************************************************************/ 
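Review bot: `print_guid` takes a writable `GUID *` and dereferences it with no NULL check, while the rest of this file is moving to `const` pointer parameters with NULL guards (`sid_to_string`, `sid_peek_rid`); declare it `void print_guid(const GUID *guid)` and return early on NULL. The byte loop renders here as `for (i=10;iinfo[i]);`, which looks like a `<`…`>` sequence lost in extraction rather than the committed text, so the real bound (presumably 16) should be checked against `sizeof(guid->info)`. A one-line header such as `/* Print a GUID as xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx on the debug channel. */` would spare the next reader reconstructing the format from three `d_printf` calls.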
@@ -101,6 +108,10 @@ const char *sid_type_lookup(uint32 sid_type)
 void generate_wellknown_sids(void)
 {
+ static BOOL initialised = False;
+ if (initialised)
+ return;
+
 string_to_sid(&global_sid_Builtin, "S-1-5-32");
 string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
 string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
@@ -111,6 +122,7 @@ void generate_wellknown_sids(void)
 string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
 string_to_sid(&global_sid_Creator_Group, "S-1-3-1");
 string_to_sid(&global_sid_NT_Authority, "S-1-5");
+ string_to_sid(&global_sid_System, "S-1-5-18");
 string_to_sid(&global_sid_NULL, "S-1-0-0");
 string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
 string_to_sid(&global_sid_Network, "S-1-5-2");
@@ -120,6 +132,17 @@ void generate_wellknown_sids(void)
 sid_copy( &anonymous_token.user_sids[0], &global_sid_World);
 sid_copy( &anonymous_token.user_sids[1], &global_sid_Network);
 sid_copy( &anonymous_token.user_sids[2], &global_sid_Anonymous);
+
+ /* Create the system token. */
+ sid_copy( &system_token.user_sids[0], &global_sid_System);
+
+ initialised = True;
+}
+
+NT_USER_TOKEN *get_system_token(void)
+{
+ generate_wellknown_sids(); /* The token is initialised here */
+ return &system_token;
 }
 /**************************************************************************
@@ -347,7 +370,7 @@ void sid_copy(DOM_SID *dst, const DOM_SID *src)
 /*****************************************************************
 Write a sid out into on-the-wire format.
 *****************************************************************/
-BOOL sid_linearize(char *outbuf, size_t len, DOM_SID *sid)
+BOOL sid_linearize(char *outbuf, size_t len, const DOM_SID *sid)
 {
 size_t i;
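Review bot: `get_system_token` hands every caller the same writable `NT_USER_TOKEN system_token`, so any code path that adds a SID to the token it was given silently changes the process-wide SYSTEM token; return `const NT_USER_TOKEN *` or state in a comment that callers must copy before modifying. `system_sid_array[4]` reserves four slots but the token is initialised with `num_sids` 1 and only slot 0 is ever filled, so either size it 1 or comment why the spare room exists. The `initialised` flag is a plain static, which is fine for a forking server but not if this is ever reached from threads; a short comment recording that assumption would help.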
@@ -366,7 +389,7 @@ BOOL sid_linearize(char *outbuf, size_t len, DOM_SID *sid) /***************************************************************** parse a on-the-wire SID to a DOM_SID *****************************************************************/ -BOOL sid_parse(char *inbuf, size_t len, DOM_SID *sid) +BOOL sid_parse(const char *inbuf, size_t len, DOM_SID *sid) { int i; if (len < 8) return False; @@ -482,7 +505,7 @@ BOOL sid_check_is_in_builtin(const DOM_SID *sid) Calculates size of a sid. *****************************************************************/ -size_t sid_size(DOM_SID *sid) +size_t sid_size(const DOM_SID *sid) { if (sid == NULL) return 0; @@ -518,7 +541,7 @@ BOOL non_mappable_sid(DOM_SID *sid) return the binary string representation of a DOM_SID caller must free */ -char *sid_binstring(DOM_SID *sid) +char *sid_binstring(const DOM_SID *sid) { char *buf, *s; int len = sid_size(sid); -- cgit From e9cc37b0bb26a67e80868cf53d2db08361d182dd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 18 Oct 2002 19:46:32 +0000 Subject: Start to merge the new ACL mapping code from Andreas Gruenbacher . Jeremy. (This used to be commit 597c4610090d711fd30c1ffacc97212cf399a264) --- source3/lib/util_sid.c | 148 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 97 insertions(+), 51 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 1439471f64..f01479f1cc 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -5,6 +5,7 @@ Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 Copyright (C) Jeremy Allison 1999 Copyright (C) Stefan (metze) Metzmacher 2002 + Copyright (C) Simo Sorce 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -37,16 +38,28 @@ DOM_SID global_sid_NT_Authority; /* NT Authority */ DOM_SID global_sid_System; /* System */ DOM_SID global_sid_NULL; /* NULL sid */ DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */ -DOM_SID global_sid_Network; /* Network rids */ - -static DOM_SID global_sid_Creator_Owner; /* Creator Owner */ -static DOM_SID global_sid_Creator_Group; /* Creator Group */ -static DOM_SID global_sid_Anonymous; /* Anonymous login */ - -DOM_SID global_sid_Builtin; /* Local well-known domain */ -DOM_SID global_sid_Builtin_Administrators; -DOM_SID global_sid_Builtin_Users; -DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ +DOM_SID global_sid_Network; /* Network rids */ + +static DOM_SID global_sid_Creator_Owner; /* Creator Owner */ +static DOM_SID global_sid_Creator_Group; /* Creator Group */ +static DOM_SID global_sid_Anonymous; /* Anonymous login */ + +DOM_SID global_sid_Builtin; /* Local well-known domain */ +DOM_SID global_sid_Builtin_Administrators; /* Builtin administrators */ +DOM_SID global_sid_Builtin_Users; /* Builtin users */ +DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ +DOM_SID global_sid_Builtin_Power_Users; /* Builtin power users */ +DOM_SID global_sid_Builtin_Account_Operators; /* Builtin account operators */ +DOM_SID global_sid_Builtin_Server_Operators; /* Builtin server operators */ +DOM_SID global_sid_Builtin_Print_Operators; /* Builtin print operators */ +DOM_SID global_sid_Builtin_Backup_Operators; /* Builtin backup operators */ +DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */ + +#define SECURITY_NULL_SID_AUTHORITY 0 +#define SECURITY_WORLD_SID_AUTHORITY 1 +#define SECURITY_LOCAL_SID_AUTHORITY 2 +#define SECURITY_CREATOR_SID_AUTHORITY 3 +#define SECURITY_NT_AUTHORITY 5 /* * An NT compatible anonymous token. 
@@ -55,14 +68,14 @@ DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ static DOM_SID anon_sid_array[3]; NT_USER_TOKEN anonymous_token = { - 3, - anon_sid_array + 3, + anon_sid_array }; static DOM_SID system_sid_array[4]; NT_USER_TOKEN system_token = { - 1, - system_sid_array + 1, + system_sid_array }; /**************************************************************************** @@ -73,13 +86,13 @@ const static struct { enum SID_NAME_USE sid_type; char *string; } sid_name_type[] = { - {SID_NAME_USER, "user"}, - {SID_NAME_DOM_GRP, "domain group"}, - {SID_NAME_DOMAIN, "domain"}, - {SID_NAME_ALIAS, "local group"}, - {SID_NAME_WKN_GRP, "well-known group"}, - {SID_NAME_DELETED, "deleted account"}, - {SID_NAME_INVALID, "invalid account"}, + {SID_NAME_USER, "User"}, + {SID_NAME_DOM_GRP, "Domain Group"}, + {SID_NAME_DOMAIN, "Domain"}, + {SID_NAME_ALIAS, "Local Group"}, + {SID_NAME_WKN_GRP, "Well-known Group"}, + {SID_NAME_DELETED, "Deleted Account"}, + {SID_NAME_INVALID, "Invalid Account"}, {SID_NAME_UNKNOWN, "UNKNOWN"}, {SID_NAME_USE_NONE, NULL} @@ -98,10 +111,8 @@ const char *sid_type_lookup(uint32 sid_type) /* Default return */ return "SID *TYPE* is INVALID"; - } - /**************************************************************************** Creates some useful well known sids ****************************************************************************/ 
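Review bot: The `sid_name_type` hunk changes the strings `sid_type_lookup` returns (`"user"` becomes `"User"`, `"domain group"` becomes `"Domain Group"`, and so on), which is user-visible output; anything that matched the old lower-case spellings will break, and the commit message does not mention the change. If the capitalised forms are intentional, a comment such as `/* Display strings for SID types; keep stable, tools may match on them. */` above the table would record that. The other hunks here are indentation only.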
@@ -109,24 +120,40 @@ const char *sid_type_lookup(uint32 sid_type) void generate_wellknown_sids(void) { static BOOL initialised = False; + if (initialised) return; - string_to_sid(&global_sid_Builtin, "S-1-5-32"); - string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544"); - string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545"); - string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546"); + /* SECURITY_NULL_SID_AUTHORITY */ + string_to_sid(&global_sid_NULL, "S-1-0-0"); + + /* SECURITY_WORLD_SID_AUTHORITY */ string_to_sid(&global_sid_World_Domain, "S-1-1"); string_to_sid(&global_sid_World, "S-1-1-0"); + + /* SECURITY_CREATOR_SID_AUTHORITY */ string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3"); string_to_sid(&global_sid_Creator_Owner, "S-1-3-0"); string_to_sid(&global_sid_Creator_Group, "S-1-3-1"); + + /* SECURITY_NT_AUTHORITY */ string_to_sid(&global_sid_NT_Authority, "S-1-5"); - string_to_sid(&global_sid_System, "S-1-5-18"); - string_to_sid(&global_sid_NULL, "S-1-0-0"); - string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11"); string_to_sid(&global_sid_Network, "S-1-5-2"); string_to_sid(&global_sid_Anonymous, "S-1-5-7"); + string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11"); + string_to_sid(&global_sid_System, "S-1-5-18"); + + /* SECURITY_BUILTIN_DOMAIN_RID */ + string_to_sid(&global_sid_Builtin, "S-1-5-32"); + string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544"); + string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545"); + string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546"); + string_to_sid(&global_sid_Builtin_Power_Users, "S-1-5-32-547"); + string_to_sid(&global_sid_Builtin_Account_Operators, "S-1-5-32-548"); + string_to_sid(&global_sid_Builtin_Server_Operators, "S-1-5-32-549"); + string_to_sid(&global_sid_Builtin_Print_Operators, "S-1-5-32-550"); + string_to_sid(&global_sid_Builtin_Backup_Operators, "S-1-5-32-551"); + string_to_sid(&global_sid_Builtin_Replicator, "S-1-5-32-552"); /* Create the anon token. 
*/ sid_copy( &anonymous_token.user_sids[0], &global_sid_World); 
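Review bot: `generate_wellknown_sids` ignores the `BOOL` from every `string_to_sid` call, and that function can return False (it `strdup`s its input and bails on out-of-memory), leaving the global zero-filled; the `initialised = True` that follows, outside this hunk, then prevents any retry, and an all-zero `global_sid_Builtin` would compare equal to any other zeroed SID in `sid_check_is_builtin`. Check each return and, on failure, log with `DEBUG(0, ...)` and return before `initialised` is set so the next caller retries. The `/* SECURITY_BUILTIN_DOMAIN_RID */` label is also a little misleading next to the authority labels above it: S-1-5-32 is a RID under `SECURITY_NT_AUTHORITY`, not a separate authority.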
@@ -179,40 +206,59 @@ void split_domain_name(const char *fullname, char *domain, char *name) fullname, domain, name)); } +/**************************************************************************** + Test if a SID is wellknown and resolvable. +****************************************************************************/ + +BOOL resolvable_wellknown_sid(DOM_SID *sid) +{ + uint32 ia = (sid->id_auth[5]) + + (sid->id_auth[4] << 8 ) + + (sid->id_auth[3] << 16) + + (sid->id_auth[2] << 24); + + if (sid->sid_rev_num != SEC_DESC_REVISION || sid->num_auths < 1) + return False; + + return (ia == SECURITY_WORLD_SID_AUTHORITY || + ia == SECURITY_CREATOR_SID_AUTHORITY); +} + /***************************************************************** Convert a SID to an ascii string. *****************************************************************/ char *sid_to_string(fstring sidstr_out, const DOM_SID *sid) { - char subauth[16]; - int i; - uint32 ia; + char subauth[16]; + int i; + uint32 ia; - if (!sid) { - fstrcpy(sidstr_out, "(NULL SID)"); - return sidstr_out; - } + if (!sid) { + fstrcpy(sidstr_out, "(NULL SID)"); + return sidstr_out; + } - /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ - ia = (sid->id_auth[5]) + - (sid->id_auth[4] << 8 ) + - (sid->id_auth[3] << 16) + - (sid->id_auth[2] << 24); + /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ + ia = (sid->id_auth[5]) + + (sid->id_auth[4] << 8 ) + + (sid->id_auth[3] << 16) + + (sid->id_auth[2] << 24); - slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia); + slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia); - for (i = 0; i < sid->num_auths; i++) { - slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]); - fstrcat(sidstr_out, subauth); - } + for (i = 0; i < sid->num_auths; i++) { + slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned 
long)sid->sub_auths[i]); + fstrcat(sidstr_out, subauth); + } - return sidstr_out; + return sidstr_out; } -/* - useful function for debug lines -*/ +/***************************************************************** + Useful function for debug lines. +*****************************************************************/ + const char *sid_string_static(const DOM_SID *sid) { static fstring sid_str; -- cgit From f735551b9edef66b152261cf6eb2f29b7b69d65b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 23 Oct 2002 01:22:32 +0000 Subject: First cut of new ACL mapping code from Andreas Gruenbacher . This is not 100% the same as what SuSE shipped in their Samba, there is a crash bug fix, a race condition fix, and a few logic changes I'd like to discuss with Andreas. Added Andreas to (C) notices for posix_acls.c Jeremy. (This used to be commit 40eafb9dde113af9f7f1808fda22908953f7e8c3) --- source3/lib/util_sid.c | 200 ++++++++++++++++++++++++++----------------------- 1 file changed, 108 insertions(+), 92 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index f01479f1cc..f0daf9787e 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -40,9 +40,9 @@ DOM_SID global_sid_NULL; /* NULL sid */ DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */ DOM_SID global_sid_Network; /* Network rids */ -static DOM_SID global_sid_Creator_Owner; /* Creator Owner */ -static DOM_SID global_sid_Creator_Group; /* Creator Group */ -static DOM_SID global_sid_Anonymous; /* Anonymous login */ +DOM_SID global_sid_Creator_Owner; /* Creator Owner */ +DOM_SID global_sid_Creator_Group; /* Creator Group */ +DOM_SID global_sid_Anonymous; /* Anonymous login */ DOM_SID global_sid_Builtin; /* Local well-known domain */ DOM_SID global_sid_Builtin_Administrators; /* Builtin administrators */ 
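Review bot: `resolvable_wellknown_sid` reads `sid->id_auth[]` to build `ia` before it checks anything about `sid`, so a NULL argument crashes instead of returning False, and the `id_auth[2] << 24` term is an `int` shift that is undefined behaviour for byte values 0x80 and above (the same pattern `sid_to_string` carries). Put the guard first and widen the shift: `if (!sid || sid->sid_rev_num != SEC_DESC_REVISION || sid->num_auths < 1) return False;` followed by `ia = ((uint32)sid->id_auth[2] << 24) | (sid->id_auth[3] << 16) | (sid->id_auth[4] << 8) | sid->id_auth[5];`. The revision test uses `SEC_DESC_REVISION`, which names the security-descriptor revision; if a SID-revision constant exists it belongs here, since the two values only happen to coincide. The parameter can also be `const DOM_SID *`, matching the `sid_to_string` signature in the same hunk.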
@@ -166,6 +166,10 @@ void generate_wellknown_sids(void)
 initialised = True;
 }
+/**************************************************************************
+ Create the SYSTEM token.
+***************************************************************************/
+
 NT_USER_TOKEN *get_system_token(void)
 {
 generate_wellknown_sids(); /* The token is initialised here */
@@ -239,7 +243,10 @@ char *sid_to_string(fstring sidstr_out, const DOM_SID *sid)
 return sidstr_out;
 }
- /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
+ /*
+ * BIG NOTE: this function only does SIDS where the identauth is not >= 2^32
+ * in a range of 2^48.
+ */
 ia = (sid->id_auth[5]) +
 (sid->id_auth[4] << 8 ) +
 (sid->id_auth[3] << 16) +
@@ -272,63 +279,63 @@ const char *sid_string_static(const DOM_SID *sid) BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) { - pstring tok; - char *p, *q; - /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ - uint32 ia; + pstring tok; + char *p, *q; + /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ + uint32 ia; - if (StrnCaseCmp( sidstr, "S-", 2)) { - DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); - return False; - } - - memset((char *)sidout, '\0', sizeof(DOM_SID)); - - q = p = strdup(sidstr + 2); - if (p == NULL) { - DEBUG(0, ("string_to_sid: out of memory!\n")); - return False; - } - - if (!next_token(&p, tok, "-", sizeof(tok))) { - DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); - SAFE_FREE(q); - return False; - } - - /* Get the revision number. */ - sidout->sid_rev_num = (uint8)strtoul(tok, NULL, 10); - - if (!next_token(&p, tok, "-", sizeof(tok))) { - DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); - SAFE_FREE(q); - return False; - } - - /* identauth in decimal should be < 2^32 */ - ia = (uint32)strtoul(tok, NULL, 10); - - /* NOTE - the ia value is in big-endian format. */ - sidout->id_auth[0] = 0; - sidout->id_auth[1] = 0; - sidout->id_auth[2] = (ia & 0xff000000) >> 24; - sidout->id_auth[3] = (ia & 0x00ff0000) >> 16; - sidout->id_auth[4] = (ia & 0x0000ff00) >> 8; - sidout->id_auth[5] = (ia & 0x000000ff); - - sidout->num_auths = 0; - - while(next_token(&p, tok, "-", sizeof(tok)) && - sidout->num_auths < MAXSUBAUTHS) { - /* - * NOTE - the subauths are in native machine-endian format. They - * are converted to little-endian when linearized onto the wire. 
- */ - sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10)); - } - - SAFE_FREE(q); - return True; + if (StrnCaseCmp( sidstr, "S-", 2)) { + DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); + return False; + } + + memset((char *)sidout, '\0', sizeof(DOM_SID)); + + q = p = strdup(sidstr + 2); + if (p == NULL) { + DEBUG(0, ("string_to_sid: out of memory!\n")); + return False; + } + + if (!next_token(&p, tok, "-", sizeof(tok))) { + DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); + SAFE_FREE(q); + return False; + } + + /* Get the revision number. */ + sidout->sid_rev_num = (uint8)strtoul(tok, NULL, 10); + + if (!next_token(&p, tok, "-", sizeof(tok))) { + DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); + SAFE_FREE(q); + return False; + } + + /* identauth in decimal should be < 2^32 */ + ia = (uint32)strtoul(tok, NULL, 10); + + /* NOTE - the ia value is in big-endian format. */ + sidout->id_auth[0] = 0; + sidout->id_auth[1] = 0; + sidout->id_auth[2] = (ia & 0xff000000) >> 24; + sidout->id_auth[3] = (ia & 0x00ff0000) >> 16; + sidout->id_auth[4] = (ia & 0x0000ff00) >> 8; + sidout->id_auth[5] = (ia & 0x000000ff); + + sidout->num_auths = 0; + + while(next_token(&p, tok, "-", sizeof(tok)) && + sidout->num_auths < MAXSUBAUTHS) { + /* + * NOTE - the subauths are in native machine-endian format. They + * are converted to little-endian when linearized onto the wire. + */ + sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10)); + } + + SAFE_FREE(q); + return True; } /***************************************************************** @@ -412,10 +419,10 @@ void sid_copy(DOM_SID *dst, const DOM_SID *src) dst->sub_auths[i] = src->sub_auths[i]; } - /***************************************************************** Write a sid out into on-the-wire format. *****************************************************************/ + BOOL sid_linearize(char *outbuf, size_t len, const DOM_SID *sid) { size_t i; 
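Review bot: `string_to_sid` stops its sub-auth loop once `num_auths` reaches `MAXSUBAUTHS` and still returns True, so a string with more components than fit is accepted silently truncated rather than rejected; after the loop, `if (sidout->num_auths == MAXSUBAUTHS && next_token(&p, tok, "-", sizeof(tok))) { SAFE_FREE(q); return False; }` would catch it. Every component goes through `strtoul(tok, NULL, 10)`, which accepts `S-1-5-abc` as sub-auth 0 and silently wraps values above 2^32 on 64-bit hosts; pass an end pointer and require it to consume the whole token. The revision is likewise narrowed through `(uint8)` with no range check. The hunk only re-indents, but it now shows the whole body, so this is the natural place to tighten the parser.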
@@ -433,36 +440,41 @@ BOOL sid_linearize(char *outbuf, size_t len, const DOM_SID *sid) } /***************************************************************** - parse a on-the-wire SID to a DOM_SID + Parse a on-the-wire SID to a DOM_SID. *****************************************************************/ + BOOL sid_parse(const char *inbuf, size_t len, DOM_SID *sid) { int i; - if (len < 8) return False; + if (len < 8) + return False; ZERO_STRUCTP(sid); sid->sid_rev_num = CVAL(inbuf, 0); sid->num_auths = CVAL(inbuf, 1); memcpy(sid->id_auth, inbuf+2, 6); - if (len < 8 + sid->num_auths*4) return False; - for (i=0;inum_auths;i++) { + if (len < 8 + sid->num_auths*4) + return False; + for (i=0;inum_auths;i++) sid->sub_auths[i] = IVAL(inbuf, 8+i*4); - } return True; } - /***************************************************************** Compare the auth portion of two sids. *****************************************************************/ + static int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2) { int i; - if (sid1 == sid2) return 0; - if (!sid1) return -1; - if (!sid2) return 1; + if (sid1 == sid2) + return 0; + if (!sid1) + return -1; + if (!sid2) + return 1; if (sid1->sid_rev_num != sid2->sid_rev_num) return sid1->sid_rev_num - sid2->sid_rev_num; @@ -477,15 +489,19 @@ static int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2) /***************************************************************** Compare two sids. *****************************************************************/ + int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2) { int i; - if (sid1 == sid2) return 0; - if (!sid1) return -1; - if (!sid2) return 1; + if (sid1 == sid2) + return 0; + if (!sid1) + return -1; + if (!sid2) + return 1; - /* compare most likely different rids, first: i.e start at end */ + /* Compare most likely different rids, first: i.e start at end */ if (sid1->num_auths != sid2->num_auths) return sid1->num_auths - sid2->num_auths; 
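Review bot: sid_parse takes `num_auths` straight from the wire byte at `CVAL(inbuf, 1)`, and the only bound on it, `len < 8 + sid->num_auths*4`, protects the read from inbuf but not the write into `sid->sub_auths`, whose capacity is MAXSUBAUTHS (string_to_sid stops at that limit in the first hunk of this commit). A num_auths above MAXSUBAUTHS in a buffer received from a peer would make the loop write past the end of the struct, so add `if (sid->num_auths > MAXSUBAUTHS) return False;` directly after the num_auths assignment. Dropping the braces from the `for` body on the same lines also departs from the bracing the rest of the file uses. sid_compare_auth, in the second half of the hunk, continues past it.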
@@ -497,9 +513,10 @@ int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2) } /***************************************************************** -see if 2 SIDs are in the same domain -this just compares the leading sub-auths + See if 2 SIDs are in the same domain + this just compares the leading sub-auths *****************************************************************/ + int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2) { int n, i; @@ -516,25 +533,25 @@ int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2) /***************************************************************** Compare two sids. *****************************************************************/ + BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2) { return sid_compare(sid1, sid2) == 0; } - - /***************************************************************** Check if the SID is the builtin SID (S-1-5-32). *****************************************************************/ + BOOL sid_check_is_builtin(const DOM_SID *sid) { return sid_equal(sid, &global_sid_Builtin); } - /***************************************************************** - Check if the SID is our domain SID (S-1-5-21-x-y-z). + Check if the SID is one of the builtin SIDs (S-1-5-32-a). *****************************************************************/ + BOOL sid_check_is_in_builtin(const DOM_SID *sid) { DOM_SID dom_sid; @@ -546,7 +563,6 @@ BOOL sid_check_is_in_builtin(const DOM_SID *sid) return sid_equal(&dom_sid, &global_sid_Builtin); } - /***************************************************************** Calculates size of a sid. *****************************************************************/ 
@@ -574,25 +590,24 @@ BOOL non_mappable_sid(DOM_SID *sid) if (sid_equal(&dom, &global_sid_Builtin)) return True; - if (sid_equal(&dom, &global_sid_Creator_Owner_Domain)) - return True; - if (sid_equal(&dom, &global_sid_NT_Authority)) return True; return False; } -/* - return the binary string representation of a DOM_SID - caller must free -*/ +/***************************************************************** + Return the binary string representation of a DOM_SID. + Caller must free. +*****************************************************************/ + char *sid_binstring(const DOM_SID *sid) { char *buf, *s; int len = sid_size(sid); buf = malloc(len); - if (!buf) return NULL; + if (!buf) + return NULL; sid_linearize(buf, len, sid); s = binary_string(buf, len); free(buf); @@ -600,9 +615,10 @@ char *sid_binstring(const DOM_SID *sid) } -/* - print a GUID structure for debugging -*/ +/***************************************************************** + Print a GUID structure for debugging. +*****************************************************************/ + void print_guid(GUID *guid) { int i; -- cgit From 2f194322d419350f35a48dff750066894d68eccf Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Nov 2002 23:20:50 +0000 Subject: Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89) --- source3/lib/util_sid.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index f0daf9787e..edd59ae109 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -24,9 +24,6 @@ #include "includes.h" -extern pstring global_myname; -extern fstring global_myworkgroup; - /* * Some useful sids */ 
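Review bot: sid_binstring discards the BOOL from `sid_linearize(buf, len, sid)` and passes `buf` to binary_string regardless, so a False return would encode an uninitialised malloc buffer; guard it with `if (!sid_linearize(buf, len, sid)) { free(buf); return NULL; }`. With `len` taken from sid_size(sid) the call should not fail today, but the check keeps that assumption explicit, and `len` would better be `size_t` since that is what sid_linearize takes. non_mappable_sid, whose trailing lines open the hunk, starts outside it.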
@@ -178,7 +175,7 @@ NT_USER_TOKEN *get_system_token(void) /************************************************************************** Splits a name of format \DOMAIN\name or name into its two components. - Sets the DOMAIN name to global_myname if it has not been specified. + Sets the DOMAIN name to global_myname() if it has not been specified. ***************************************************************************/ void split_domain_name(const char *fullname, char *domain, char *name) @@ -202,7 +199,7 @@ void split_domain_name(const char *fullname, char *domain, char *name) fstrcpy(domain, full_name); fstrcpy(name, p+1); } else { - fstrcpy(domain, global_myname); + fstrcpy(domain, global_myname()); fstrcpy(name, full_name); } @@ -280,7 +277,8 @@ const char *sid_string_static(const DOM_SID *sid) BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) { pstring tok; - char *p, *q; + char *q; + const char *p; /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ uint32 ia; @@ -291,7 +289,7 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) memset((char *)sidout, '\0', sizeof(DOM_SID)); - q = p = strdup(sidstr + 2); + p = q = strdup(sidstr + 2); if (p == NULL) { DEBUG(0, ("string_to_sid: out of memory!\n")); return False; -- cgit From 634c54310c92c48dd4eceec602e230a021bdcfc5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 3 Jan 2003 08:28:12 +0000 Subject: Merge from HEAD - make Samba compile with -Wwrite-strings without additional warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c) --- source3/lib/util_sid.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index edd59ae109..824987f189 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -79,9 +79,9 @@ NT_USER_TOKEN system_token = { Lookup string names for SID types. ****************************************************************************/ -const static struct { +static const struct { enum SID_NAME_USE sid_type; - char *string; + const char *string; } sid_name_type[] = { {SID_NAME_USER, "User"}, {SID_NAME_DOM_GRP, "Domain Group"}, @@ -181,7 +181,8 @@ NT_USER_TOKEN *get_system_token(void) void split_domain_name(const char *fullname, char *domain, char *name) { pstring full_name; - char *p, *sep; + const char *sep; + char *p; sep = lp_winbind_separator(); -- cgit From 886d4e6fe2b4fc4a2c06014abdc2d796936bbcac Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 14 Apr 2003 02:26:41 +0000 Subject: Merge of new sid type (SID_NAME_COMPUTER) and tidyup. (This used to be commit c91cf2b38df9f51dd6cb46f0742e1c57bb36b508) --- source3/lib/util_sid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 824987f189..9e5ae6b441 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -91,8 +91,9 @@ static const struct { {SID_NAME_DELETED, "Deleted Account"}, {SID_NAME_INVALID, "Invalid Account"}, {SID_NAME_UNKNOWN, "UNKNOWN"}, + {SID_NAME_COMPUTER, "Computer"}, - {SID_NAME_USE_NONE, NULL} + {0, NULL} }; const char *sid_type_lookup(uint32 sid_type) -- cgit From 1a9394195d0c53c23b9377ce122f399fa914f58c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 23 Apr 2003 11:54:56 +0000 Subject: Merge HEAD's winbind into 3.0. This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code, the winbind_idmap abstraction (not idmap proper, but the stuff that held up the winbind LDAP backend in HEAD). Andrew Bartlett (This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666) --- source3/lib/util_sid.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'source3/lib/util_sid.c') 
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 9e5ae6b441..e239ef56c7 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -630,3 +630,21 @@ void print_guid(GUID *guid) d_printf("%02x", guid->info[i]); d_printf("\n"); } + +/******************************************************************* + Tallocs a duplicate SID. +********************************************************************/ + +DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, DOM_SID *src) +{ + DOM_SID *dst; + + if(!src) + return NULL; + + if((dst = talloc_zero(ctx, sizeof(DOM_SID))) != NULL) { + sid_copy( dst, src); + } + + return dst; +} -- cgit From cfe8b79c779f313c45c213621f8c5fc48148fc7d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 9 May 2003 09:33:51 +0000 Subject: When checking if a SID is in a domain, make sure that indeed the user RID is one element longer than the domain sid. Andrew Bartlett (This used to be commit c61e5e38776d2de53d120b592a6685158e79ebb8) --- source3/lib/util_sid.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index e239ef56c7..00f14d7d26 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -391,6 +391,9 @@ BOOL sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 * if (!exp_dom_sid || !sid || !rid) return False; + if (sid->num_auths != (exp_dom_sid->num_auths+1)) { + return False; + } if (sid_compare_domain(exp_dom_sid, sid)!=0){ *rid=(-1); -- cgit From 937041e3fdb41f9b6735564f26de60ba2f124e08 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Fri, 15 Aug 2003 02:28:13 +0000 Subject: get rid of compiler warnings (This used to be commit ae25e7746e87409aae554d390753c7a3e3717052) --- source3/lib/util_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 00f14d7d26..fbb393770d 100644 
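Review bot: sid_dup_talloc returns NULL both when `src` is NULL and when the allocation fails, and nothing tells the caller which happened; the header `Tallocs a duplicate SID.` should say so, e.g. `Returns NULL if src is NULL or the allocation fails; the copy is owned by ctx.` Whether the talloc_zero before sid_copy is needed depends on sid_copy filling every field, which is not visible here.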
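Review bot: The new length check returns False without touching `*rid`, while the sid_compare_domain failure immediately below writes `*rid=(-1)` before returning, so a caller that reads *rid after a False result now gets an indeterminate value on one path and -1 on the other. Either add `*rid=(-1);` inside the new block as well, or document that *rid is only meaningful on True. The check itself is sound: a SID with more sub-authorities than the domain plus one must not be treated as belonging to exp_dom_sid. sid_peek_check_rid starts and ends outside the hunk.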
--- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -93,7 +93,7 @@ static const struct { {SID_NAME_UNKNOWN, "UNKNOWN"}, {SID_NAME_COMPUTER, "Computer"}, - {0, NULL} + {(enum SID_NAME_USE)0, NULL} }; const char *sid_type_lookup(uint32 sid_type) -- cgit From b1f610ebb1ba1e6ae0f0e9fbbc703f6a4af68b67 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 6 Oct 2003 01:38:46 +0000 Subject: split some security related functions in their own files. (no need to include all of smbd files to use some basic sec functions) also minor compile fixes couldn't compile to test these due to some kerberos problems wirh 3.0, but on HEAD they're working well, so I suppose it's ok to commit (This used to be commit c78f2d0bd15ecd2ba643bb141cc35a3405787aa1) --- source3/lib/util_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index fbb393770d..50bbb4c72c 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -638,7 +638,7 @@ void print_guid(GUID *guid) Tallocs a duplicate SID. ********************************************************************/ -DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, DOM_SID *src) +DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src) { DOM_SID *dst; -- cgit From ddc0716fa88bcef0dfe2396ad4b93a5904629d71 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Tue, 6 Apr 2004 22:02:47 +0000 Subject: r91: Fix lsalookupnames. Previously we'd fail if we didn't find the name, but we never checked if it was a domain user and didn't find a local one. (This used to be commit 68022f5ebc55d1f3403dee5198d364cff300baf5) --- source3/lib/util_sid.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 50bbb4c72c..e317f8f84e 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -201,6 +201,13 @@ void split_domain_name(const char *fullname, char *domain, char *name) fstrcpy(domain, full_name); fstrcpy(name, p+1); } else { + if(!lp_domain_logons()) { + fstrcpy(domain, global_myname()); + fstrcpy(name, full_name); + } else { + fstrcpy(domain, lp_workgroup()); + fstrcpy(name, full_name); + } fstrcpy(domain, global_myname()); fstrcpy(name, full_name); } -- cgit From 8ad3d8c9b065f3a2040beff801bdc9dceac868a8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 13 Apr 2004 14:39:48 +0000 Subject: r196: merging struct uuid from trunk (This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb) --- source3/lib/util_sid.c | 17 ----------------- 1 file changed, 17 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index e317f8f84e..e4043c4e92 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -624,23 +624,6 @@ char *sid_binstring(const DOM_SID *sid) return s; } - -/***************************************************************** - Print a GUID structure for debugging. -*****************************************************************/ - -void print_guid(GUID *guid) -{ - int i; - - d_printf("%08x-%04x-%04x", - IVAL(guid->info, 0), SVAL(guid->info, 4), SVAL(guid->info, 6)); - d_printf("-%02x%02x-", guid->info[8], guid->info[9]); - for (i=10;iinfo[i]); - d_printf("\n"); -} - /******************************************************************* Tallocs a duplicate SID. ********************************************************************/ -- cgit From 0d6acfe19a6bf09305ba9727a4f967199dfa29a1 Mon Sep 17 00:00:00 2001 
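Review bot: The new `if(!lp_domain_logons())` block is immediately overwritten by the two calls left after it, `fstrcpy(domain, global_myname()); fstrcpy(name, full_name);`, so `domain` always ends up as global_myname() and the lp_workgroup() arm has no effect. Delete those two trailing lines; `fstrcpy(name, full_name)` is identical in both arms and can then be hoisted below the conditional. The r316 commit further down this page replaces the block altogether. split_domain_name starts and ends outside the hunk.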
From: Volker Lendecke Date: Wed, 21 Apr 2004 15:04:05 +0000 Subject: r316: Fix split_domain_name. This defaulted to get_myname() instead of get_global_sam_name(). Error case: Adding a domain user to a XP local group did a lsalookupname on the user without domain prefix, and this then failed. Jerry: This is a must-fix before 3.0.3. Volker (This used to be commit f35e353454b6825da1de138a3f0d8106787e938b) --- source3/lib/util_sid.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index e4043c4e92..6b27fc84dd 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -174,6 +174,19 @@ NT_USER_TOKEN *get_system_token(void) return &system_token; } +/****************************************************************** + get the default domain/netbios name to be used when dealing + with our passdb list of accounts +******************************************************************/ + +const char *get_global_sam_name(void) +{ + if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) { + return lp_workgroup(); + } + return global_myname(); +} + /************************************************************************** Splits a name of format \DOMAIN\name or name into its two components. Sets the DOMAIN name to global_myname() if it has not been specified. @@ -201,14 +214,7 @@ void split_domain_name(const char *fullname, char *domain, char *name) fstrcpy(domain, full_name); fstrcpy(name, p+1); } else { - if(!lp_domain_logons()) { - fstrcpy(domain, global_myname()); - fstrcpy(name, full_name); - } else { - fstrcpy(domain, lp_workgroup()); - fstrcpy(name, full_name); - } - fstrcpy(domain, global_myname()); + fstrcpy(domain, get_global_sam_name()); fstrcpy(name, full_name); } -- cgit From acf9d61421faa6c0055d57fdee7db300dc5431aa Mon Sep 17 00:00:00 2001 
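Review bot: The header above split_domain_name, visible as context in the first hunk, still reads `Sets the DOMAIN name to global_myname() if it has not been specified.` while the second hunk now defaults to get_global_sam_name(), which returns lp_workgroup() on a PDC or BDC; change it to `Sets the DOMAIN name to get_global_sam_name() if it has not been specified.` The comment on the new get_global_sam_name could also state that rule explicitly, since callers deciding between workgroup and host name will rely on it. split_domain_name's body is only partly inside the second hunk.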
From: Jeremy Allison Date: Tue, 7 Dec 2004 18:25:53 +0000 Subject: r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a) --- source3/lib/util_sid.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 6b27fc84dd..197157a2f7 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -304,7 +304,7 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) memset((char *)sidout, '\0', sizeof(DOM_SID)); - p = q = strdup(sidstr + 2); + p = q = SMB_STRDUP(sidstr + 2); if (p == NULL) { DEBUG(0, ("string_to_sid: out of memory!\n")); return False; @@ -621,7 +621,7 @@ char *sid_binstring(const DOM_SID *sid) { char *buf, *s; int len = sid_size(sid); - buf = malloc(len); + buf = SMB_MALLOC(len); if (!buf) return NULL; sid_linearize(buf, len, sid); @@ -641,7 +641,7 @@ DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src) if(!src) return NULL; - if((dst = talloc_zero(ctx, sizeof(DOM_SID))) != NULL) { + if((dst = TALLOC_ZERO_P(ctx, DOM_SID)) != NULL) { sid_copy( dst, src); } -- cgit From d94d87472ca2f3875caa146424caa178ce20274f Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Thu, 13 Jan 2005 18:20:37 +0000 Subject: r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c) --- source3/lib/util_sid.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 197157a2f7..0ba774e184 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -647,3 +647,67 @@ DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src) return dst; } + +/******************************************************************** + Add SID to an array SIDs +********************************************************************/ + +void add_sid_to_array(const DOM_SID *sid, DOM_SID **sids, int *num) +{ + *sids = SMB_REALLOC_ARRAY(*sids, DOM_SID, (*num)+1); + + if (*sids == NULL) + return; + + sid_copy(&((*sids)[*num]), sid); + *num += 1; + + return; +} + + +/******************************************************************** + Add SID to an array SIDs ensuring that it is not already there +********************************************************************/ + +void add_sid_to_array_unique(const DOM_SID *sid, DOM_SID **sids, int *num_sids) +{ + int i; + + for (i=0; i<(*num_sids); i++) { + if (sid_compare(sid, &(*sids)[i]) == 0) + return; + } + + add_sid_to_array(sid, sids, num_sids); +} + +/******************************************************************** + Remove SID from an array +********************************************************************/ + +void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, int *num) +{ + DOM_SID *sid_list = *sids; + int i; + + for ( i=0; i<*num; i++ ) { + + /* if we find the SID, then decrement the count + and break out of the loop */ + + if ( sid_equal(sid, &sid_list[i]) ) { + *num -= 1; + break; + } + } + + /* This loop will copy the remainder of the array + if i < num of sids ni the array */ + + for ( ; i<*num; i++ ) + sid_copy( &sid_list[i], &sid_list[i+1] ); + + return; +} + -- cgit From e84ead0cfdc5e45a577387cc54dceb4c3f32948a Mon Sep 17 00:00:00 2001 
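Review bot: add_sid_to_array assigns the SMB_REALLOC_ARRAY result straight back into `*sids`, so on allocation failure the caller's original array pointer is replaced by NULL and the SIDs already in it leak, with no return value to signal it (the function is void and `*num` is silently left unchanged). Reallocate through a temporary, `DOM_SID *tmp = SMB_REALLOC_ARRAY(*sids, DOM_SID, (*num)+1);` `if (tmp == NULL) return;` `*sids = tmp;`, and consider returning BOOL so add_sid_to_array_unique and other callers can stop on failure. The same pattern is carried into the mem_ctx-aware rewrite of add_sid_to_array in the r6080 commit further down. The comment in del_sid_from_array reading `if i < num of sids ni the array` has "in" misspelled.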
From: Volker Lendecke Date: Sun, 27 Mar 2005 16:33:04 +0000 Subject: r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f) --- source3/lib/util_sid.c | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 0ba774e184..00fb40cd73 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -351,6 +351,19 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) return True; } +DOM_SID *string_sid_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) +{ + DOM_SID *result = TALLOC_P(mem_ctx, DOM_SID); + + if (result == NULL) + return NULL; + + if (!string_to_sid(result, sidstr)) + return NULL; + + return result; +} + /***************************************************************** Add a rid to the end of a sid *****************************************************************/ @@ -652,9 +665,14 @@ DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src) Add SID to an array SIDs ********************************************************************/ -void add_sid_to_array(const DOM_SID *sid, DOM_SID **sids, int *num) +void add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, + DOM_SID **sids, int *num) { - *sids = SMB_REALLOC_ARRAY(*sids, DOM_SID, (*num)+1); + if (mem_ctx != NULL) + *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID, + (*num)+1); + else + *sids = SMB_REALLOC_ARRAY(*sids, DOM_SID, (*num)+1); if (*sids == NULL) return; 
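Review bot: string_sid_talloc returns NULL when string_to_sid rejects the string but leaves `result` allocated on mem_ctx, so every malformed input leaks a DOM_SID until the context is destroyed; release it first, `if (!string_to_sid(result, sidstr)) { talloc_free(result); return NULL; }`. A header in the file's `/****` style stating that the result is owned by mem_ctx would match the neighbouring functions. In the second hunk, add_sid_to_array now chooses talloc or malloc reallocation per call from `mem_ctx`, so an array must be grown with the same mem_ctx argument every time; that contract deserves a comment on the function.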
@@ -670,7 +688,8 @@ void add_sid_to_array(const DOM_SID *sid, DOM_SID **sids, int *num) Add SID to an array SIDs ensuring that it is not already there ********************************************************************/ -void add_sid_to_array_unique(const DOM_SID *sid, DOM_SID **sids, int *num_sids) +void add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid, + DOM_SID **sids, int *num_sids) { int i; @@ -679,7 +698,7 @@ void add_sid_to_array_unique(const DOM_SID *sid, DOM_SID **sids, int *num_sids) return; } - add_sid_to_array(sid, sids, num_sids); + add_sid_to_array(mem_ctx, sid, sids, num_sids); } /******************************************************************** -- cgit From 83e11ba86c2401ece3c845fd10c22b84e6be7811 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 9 Apr 2005 11:46:40 +0000 Subject: r6263: Get rid of generate_wellknown_sids, they are const static and initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9) --- source3/lib/util_sid.c | 141 +++++++++++++++++++------------------------------ 1 file changed, 53 insertions(+), 88 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 00fb40cd73..1838da1313 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -28,29 +28,51 @@ * Some useful sids */ -DOM_SID global_sid_World_Domain; /* Everyone domain */ -DOM_SID global_sid_World; /* Everyone */ -DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */ -DOM_SID global_sid_NT_Authority; /* NT Authority */ -DOM_SID global_sid_System; /* System */ -DOM_SID global_sid_NULL; /* NULL sid */ -DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */ -DOM_SID global_sid_Network; /* Network rids */ - -DOM_SID global_sid_Creator_Owner; /* Creator Owner */ -DOM_SID global_sid_Creator_Group; /* Creator Group */ -DOM_SID global_sid_Anonymous; /* Anonymous login */ - -DOM_SID global_sid_Builtin; /* Local well-known domain */ -DOM_SID global_sid_Builtin_Administrators; /* Builtin administrators */ -DOM_SID global_sid_Builtin_Users; /* Builtin users */ -DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ -DOM_SID global_sid_Builtin_Power_Users; /* Builtin power users */ -DOM_SID global_sid_Builtin_Account_Operators; /* Builtin account operators */ -DOM_SID global_sid_Builtin_Server_Operators; /* Builtin server operators */ -DOM_SID global_sid_Builtin_Print_Operators; /* Builtin print operators */ -DOM_SID global_sid_Builtin_Backup_Operators; /* Builtin backup operators */ -DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */ + +const DOM_SID global_sid_World_Domain = /* Everyone domain */ +{ 1, 0, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_World = /* Everyone */ +{ 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Creator_Owner_Domain = /* Creator Owner domain */ +{ 1, 0, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_NT_Authority = /* NT Authority */ +{ 1, 0, {0,0,0,0,0,5}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_System = /* System */ +{ 1, 1, {0,0,0,0,0,5}, {18,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_NULL = /* NULL sid */ +{ 1, 1, {0,0,0,0,0,0}, 
{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Authenticated_Users = /* All authenticated rids */ +{ 1, 1, {0,0,0,0,0,5}, {11,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Network = /* Network rids */ +{ 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; + +const DOM_SID global_sid_Creator_Owner = /* Creator Owner */ +{ 1, 1, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Creator_Group = /* Creator Group */ +{ 1, 1, {0,0,0,0,0,3}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Anonymous = /* Anonymous login */ +{ 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; + +const DOM_SID global_sid_Builtin = /* Local well-known domain */ +{ 1, 1, {0,0,0,0,0,5}, {32,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Builtin_Administrators = /* Builtin administrators */ +{ 1, 2, {0,0,0,0,0,5}, {32,544,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Builtin_Users = /* Builtin users */ +{ 1, 2, {0,0,0,0,0,5}, {32,545,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Builtin_Guests = /* Builtin guest users */ +{ 1, 2, {0,0,0,0,0,5}, {32,546,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Builtin_Power_Users = /* Builtin power users */ +{ 1, 2, {0,0,0,0,0,5}, {32,547,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Builtin_Account_Operators = /* Builtin account operators */ +{ 1, 2, {0,0,0,0,0,5}, {32,548,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Builtin_Server_Operators = /* Builtin server operators */ +{ 1, 2, {0,0,0,0,0,5}, {32,549,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Builtin_Print_Operators = /* Builtin print operators */ +{ 1, 2, {0,0,0,0,0,5}, {32,550,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Builtin_Backup_Operators = /* Builtin backup operators */ +{ 1, 2, {0,0,0,0,0,5}, {32,551,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Builtin_Replicator = /* Builtin replicator */ +{ 1, 2, {0,0,0,0,0,5}, 
{32,552,0,0,0,0,0,0,0,0,0,0,0,0,0}}; #define SECURITY_NULL_SID_AUTHORITY 0 #define SECURITY_WORLD_SID_AUTHORITY 1 @@ -62,18 +84,15 @@ DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */ * An NT compatible anonymous token. */ -static DOM_SID anon_sid_array[3]; - -NT_USER_TOKEN anonymous_token = { - 3, - anon_sid_array -}; +static DOM_SID anon_sid_array[3] = +{ { 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}, + { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}, + { 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}} }; +NT_USER_TOKEN anonymous_token = { 3, anon_sid_array, SE_NONE }; -static DOM_SID system_sid_array[4]; -NT_USER_TOKEN system_token = { - 1, - system_sid_array -}; +static DOM_SID system_sid_array[1] = +{ { 1, 1, {0,0,0,0,0,5}, {18,0,0,0,0,0,0,0,0,0,0,0,0,0,0}} }; +NT_USER_TOKEN system_token = { 1, system_sid_array, SE_ALL_PRIVS }; /**************************************************************************** Lookup string names for SID types. 
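Review bot: The new static initialisers are positional, so each one depends on DOM_SID's members being laid out as sid_rev_num, num_auths, id_auth[6], sub_auths[MAXSUBAUTHS] (which is what the field names used elsewhere in the file suggest) and on MAXSUBAUTHS being 15, since every sub_auths list is written out with 15 entries; nothing checks either assumption, and a later reorder of the struct would change every well-known SID without a compile error. Add a comment above the block such as `/* Positional initialisers: { sid_rev_num, num_auths, id_auth[6], sub_auths[MAXSUBAUTHS] } - keep in step with DOM_SID. */`, or use designated initialisers if the supported compilers allow. The values themselves agree with the strings the removed generate_wellknown_sids() parsed. In the second hunk the shrink of system_sid_array to one element matches the `1` count in system_token.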
@@ -111,66 +130,12 @@ const char *sid_type_lookup(uint32 sid_type) return "SID *TYPE* is INVALID"; } -/**************************************************************************** - Creates some useful well known sids -****************************************************************************/ - -void generate_wellknown_sids(void) -{ - static BOOL initialised = False; - - if (initialised) - return; - - /* SECURITY_NULL_SID_AUTHORITY */ - string_to_sid(&global_sid_NULL, "S-1-0-0"); - - /* SECURITY_WORLD_SID_AUTHORITY */ - string_to_sid(&global_sid_World_Domain, "S-1-1"); - string_to_sid(&global_sid_World, "S-1-1-0"); - - /* SECURITY_CREATOR_SID_AUTHORITY */ - string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3"); - string_to_sid(&global_sid_Creator_Owner, "S-1-3-0"); - string_to_sid(&global_sid_Creator_Group, "S-1-3-1"); - - /* SECURITY_NT_AUTHORITY */ - string_to_sid(&global_sid_NT_Authority, "S-1-5"); - string_to_sid(&global_sid_Network, "S-1-5-2"); - string_to_sid(&global_sid_Anonymous, "S-1-5-7"); - string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11"); - string_to_sid(&global_sid_System, "S-1-5-18"); - - /* SECURITY_BUILTIN_DOMAIN_RID */ - string_to_sid(&global_sid_Builtin, "S-1-5-32"); - string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544"); - string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545"); - string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546"); - string_to_sid(&global_sid_Builtin_Power_Users, "S-1-5-32-547"); - string_to_sid(&global_sid_Builtin_Account_Operators, "S-1-5-32-548"); - string_to_sid(&global_sid_Builtin_Server_Operators, "S-1-5-32-549"); - string_to_sid(&global_sid_Builtin_Print_Operators, "S-1-5-32-550"); - string_to_sid(&global_sid_Builtin_Backup_Operators, "S-1-5-32-551"); - string_to_sid(&global_sid_Builtin_Replicator, "S-1-5-32-552"); - - /* Create the anon token. 
*/ - sid_copy( &anonymous_token.user_sids[0], &global_sid_World); - sid_copy( &anonymous_token.user_sids[1], &global_sid_Network); - sid_copy( &anonymous_token.user_sids[2], &global_sid_Anonymous); - - /* Create the system token. */ - sid_copy( &system_token.user_sids[0], &global_sid_System); - - initialised = True; -} - /************************************************************************** Create the SYSTEM token. ***************************************************************************/ NT_USER_TOKEN *get_system_token(void) { - generate_wellknown_sids(); /* The token is initialised here */ return &system_token; } -- cgit From fed660877c16562265327c6093ea645cf4176b5c Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 8 Jun 2005 22:10:34 +0000 Subject: r7415: * big change -- volker's new async winbindd from trunk (This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8) --- source3/lib/util_sid.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 1838da1313..b9b4aff420 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -342,6 +342,12 @@ BOOL sid_append_rid(DOM_SID *sid, uint32 rid) return False; } +BOOL sid_compose(DOM_SID *dst, const DOM_SID *domain_sid, uint32 rid) +{ + sid_copy(dst, domain_sid); + return sid_append_rid(dst, rid); +} + /***************************************************************** Removes the last rid from the end of a sid *****************************************************************/ @@ -630,7 +636,7 @@ DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src) Add SID to an array SIDs ********************************************************************/ -void add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, +void add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, DOM_SID **sids, int *num) { if (mem_ctx != NULL) -- cgit 
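Review bot: `sid_compose` writes `dst` before it knows the append can succeed, so when `sid_append_rid` returns False the caller is left with `dst` holding a bare copy of `domain_sid`, which is a valid but different SID; any caller that ignores the BOOL gets the domain SID where it expected a member. Either document that contract or check before copying, e.g. `if (domain_sid->num_auths >= MAXSUBAUTHS) return False;` (the limit `sid_append_rid` actually enforces is outside this hunk, so confirm the condition matches). The function also lacks the `/***** … *****/` header every neighbour carries; suggest `/* Build dst = domain_sid + rid. Returns False, with dst holding only the domain SID, when no sub-authority slot is left. */`.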
From 8d7c88667190fe286971ac4fffb64ee5bd9eeeb0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 18 Oct 2005 03:24:00 +0000 Subject: r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208) --- source3/lib/util_sid.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index b9b4aff420..f3f6c938ee 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -637,7 +637,7 @@ DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src) ********************************************************************/ void add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, - DOM_SID **sids, int *num) + DOM_SID **sids, size_t *num) { if (mem_ctx != NULL) *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID, @@ -660,9 +660,9 @@ void add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, ********************************************************************/ void add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid, - DOM_SID **sids, int *num_sids) + DOM_SID **sids, size_t *num_sids) { - int i; + size_t i; for (i=0; i<(*num_sids); i++) { if (sid_compare(sid, &(*sids)[i]) == 0) @@ -676,10 +676,10 @@ void add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid, Remove SID from an array ********************************************************************/ -void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, int *num) +void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, size_t *num) { DOM_SID *sid_list = *sids; - int i; + size_t i; for ( i=0; i<*num; i++ ) { @@ -700,4 +700,3 @@ void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, int *num) return; } - -- cgit From 87d6e590f261ca6137fcaa115fcb5d6b00ed447e Mon Sep 17 00:00:00 2001 
From: Jim McDonough Date: Thu, 20 Oct 2005 15:09:41 +0000 Subject: r11228: Speed up string_to_sid by removing next_token calls, thus eliminating the need for allocating memory to duplicate the string. (This used to be commit e5cc94f13ff2dacb219c8a56fa13853d620ecda6) --- source3/lib/util_sid.c | 61 ++++++++++++++++++++++---------------------------- 1 file changed, 27 insertions(+), 34 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index f3f6c938ee..cc1f55330f 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -6,6 +6,7 @@ Copyright (C) Jeremy Allison 1999 Copyright (C) Stefan (metze) Metzmacher 2002 Copyright (C) Simo Sorce 2002 + Copyright (C) Jim McDonough 2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -256,63 +257,55 @@ const char *sid_string_static(const DOM_SID *sid) BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) { - pstring tok; - char *q; const char *p; + char *q; /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ - uint32 ia; + uint32 conv; if (StrnCaseCmp( sidstr, "S-", 2)) { DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); return False; } - memset((char *)sidout, '\0', sizeof(DOM_SID)); + ZERO_STRUCTP(sidout); - p = q = SMB_STRDUP(sidstr + 2); - if (p == NULL) { - DEBUG(0, ("string_to_sid: out of memory!\n")); - return False; - } - - if (!next_token(&p, tok, "-", sizeof(tok))) { + /* Get the revision number. */ + p = sidstr + 2; + conv = (uint32) strtoul(p, &q, 10); + if (!q || (*q != '-')) { DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); - SAFE_FREE(q); return False; } + sidout->sid_rev_num = (uint8) conv; + q++; - /* Get the revision number. */ - sidout->sid_rev_num = (uint8)strtoul(tok, NULL, 10); - - if (!next_token(&p, tok, "-", sizeof(tok))) { + /* get identauth */ + conv = (uint32) strtoul(q, &q, 10); + if (!q || (*q != '-')) { DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); - SAFE_FREE(q); return False; } - /* identauth in decimal should be < 2^32 */ - ia = (uint32)strtoul(tok, NULL, 10); - - /* NOTE - the ia value is in big-endian format. */ + /* NOTE - the conv value is in big-endian format. 
*/ sidout->id_auth[0] = 0; sidout->id_auth[1] = 0; - sidout->id_auth[2] = (ia & 0xff000000) >> 24; - sidout->id_auth[3] = (ia & 0x00ff0000) >> 16; - sidout->id_auth[4] = (ia & 0x0000ff00) >> 8; - sidout->id_auth[5] = (ia & 0x000000ff); + sidout->id_auth[2] = (conv & 0xff000000) >> 24; + sidout->id_auth[3] = (conv & 0x00ff0000) >> 16; + sidout->id_auth[4] = (conv & 0x0000ff00) >> 8; + sidout->id_auth[5] = (conv & 0x000000ff); + q++; sidout->num_auths = 0; - while(next_token(&p, tok, "-", sizeof(tok)) && - sidout->num_auths < MAXSUBAUTHS) { - /* - * NOTE - the subauths are in native machine-endian format. They - * are converted to little-endian when linearized onto the wire. - */ - sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10)); + for(conv = (uint32) strtoul(q, &q, 10); + q && (*q =='-' || *q =='\0') && (sidout->num_auths < MAXSUBAUTHS); + conv = (uint32) strtoul(q, &q, 10)) { + sid_append_rid(sidout, conv); + if (*q == '\0') + break; + q++; } - - SAFE_FREE(q); + return True; } -- cgit From 46c6d81a4a977c9a83cfd53c2d748876a080dc71 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Thu, 20 Oct 2005 16:05:12 +0000 Subject: r11229: an even bigger speedup spotted by Volker. string_to_sid() is now taking 1/5th the time it used to. Replace strcasecmp with invididual char checks for "S-" sid prefix. (This used to be commit de3d0094b78cb20da7ed958e8d3a428583694309) --- source3/lib/util_sid.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index cc1f55330f..0a9e6fe310 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
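Review bot: The identauth check `if (!q || (*q != '-'))` rejects a SID with no sub-authorities such as `S-1-5`, which the `next_token` loop it replaces accepted (this file itself used to parse `"S-1-5"` into `global_sid_NT_Authority`), so the rewrite changes behaviour for every caller that looks up a bare identifier authority. The new `for` loop is lenient in the other direction: `strtoul` consumes nothing for an empty field and leaves `*q` at `'-'`/`'\0'`, so `S-1-5-` and `S-1-5--21` gain a sub-authority of 0; a non-digit after a field fails the loop condition before the append, so `S-1-5-32-544x` (or a trailing space) returns True with `S-1-5-32`; more than MAXSUBAUTHS fields are silently dropped; and `strtoul` accepts a sign, so `S-1--5-21` yields identauth 0xFFFFFFFB — each turns a malformed string into a different, valid-looking principal. The `!q` tests are dead since `strtoul` always stores the end pointer. The sketch below accepts the bare `S-R-IA` form and rejects empty fields, trailing garbage and overlong SIDs instead of truncating; rejecting a leading sign or whitespace additionally needs `isdigit((unsigned char)*p)` before each `strtoul`.
```c
	/* get identauth; a SID may end here ("S-1-5" has no sub-authorities) */
	p = q;
	conv = (uint32) strtoul(p, &q, 10);
	if (q == p || (*q != '-' && *q != '\0')) {
		DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
		return False;
	}
	/* … unchanged: big-endian fill of sidout->id_auth[] … */
	sidout->num_auths = 0;
	while (*q == '-') {
		if (sidout->num_auths >= MAXSUBAUTHS) {
			return False;	/* too many fields: do not silently truncate */
		}
		p = ++q;
		conv = (uint32) strtoul(p, &q, 10);
		if (q == p || (*q != '-' && *q != '\0')) {
			return False;	/* empty field or trailing garbage */
		}
		sid_append_rid(sidout, conv);
	}
	return True;
```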
@@ -262,12 +262,12 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ uint32 conv; - if (StrnCaseCmp( sidstr, "S-", 2)) { + if ((sidstr[0] != 'S' && sidstr[0] != 's') || sidstr[1] != '-') { DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); return False; } - ZERO_STRUCTP(sidout); +// ZERO_STRUCTP(sidout); /* Get the revision number. */ p = sidstr + 2; -- cgit From fc8292f38151705e520880acbf57a87982e4325c Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Thu, 20 Oct 2005 16:07:36 +0000 Subject: r11230: Remove the '//' i was using to test something...oops (This used to be commit cda5a81bbe52308a81a79eb0354aea63027a9701) --- source3/lib/util_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 0a9e6fe310..4c274b5e01 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -267,7 +267,7 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) return False; } -// ZERO_STRUCTP(sidout); + ZERO_STRUCTP(sidout); /* Get the revision number. */ p = sidstr + 2; -- cgit From 05ac2de0df78d22ad5afb42ea5c72ba17bef8395 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 3 Dec 2005 18:34:13 +0000 Subject: r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7) --- source3/lib/util_sid.c | 45 +++------------------------------------------ 1 file changed, 3 insertions(+), 42 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 4c274b5e01..92bc2fb893 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
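Review bot: The `// ZERO_STRUCTP(sidout);` line disables the only full clear of the output, so with the rest of `string_to_sid` unchanged every `sub_auths[]` slot past `num_auths` keeps whatever the caller's stack or heap held, and a SID parsed into a reused `DOM_SID` will differ byte-wise from a freshly parsed one; whether that reaches `sid_compare` or `sid_linearize` depends on code outside this hunk, but it does expose uninitialised bytes to anything that copies or memcmps the whole struct. Restore `ZERO_STRUCTP(sidout);` (or an explicit `memset`), and note that `//` is the only such comment in a file that otherwise uses `/* */` throughout. The `'S'`/`'s'` byte test itself is fine: an empty string fails on `sidstr[0]` before `sidstr[1]` is read.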
@@ -75,11 +75,14 @@ const DOM_SID global_sid_Builtin_Backup_Operators = /* Builtin backup operators const DOM_SID global_sid_Builtin_Replicator = /* Builtin replicator */ { 1, 2, {0,0,0,0,0,5}, {32,552,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +/* Unused, left here for documentary purposes */ +#if 0 #define SECURITY_NULL_SID_AUTHORITY 0 #define SECURITY_WORLD_SID_AUTHORITY 1 #define SECURITY_LOCAL_SID_AUTHORITY 2 #define SECURITY_CREATOR_SID_AUTHORITY 3 #define SECURITY_NT_AUTHORITY 5 +#endif /* * An NT compatible anonymous token. @@ -188,24 +191,6 @@ void split_domain_name(const char *fullname, char *domain, char *name) fullname, domain, name)); } -/**************************************************************************** - Test if a SID is wellknown and resolvable. -****************************************************************************/ - -BOOL resolvable_wellknown_sid(DOM_SID *sid) -{ - uint32 ia = (sid->id_auth[5]) + - (sid->id_auth[4] << 8 ) + - (sid->id_auth[3] << 16) + - (sid->id_auth[2] << 24); - - if (sid->sid_rev_num != SEC_DESC_REVISION || sid->num_auths < 1) - return False; - - return (ia == SECURITY_WORLD_SID_AUTHORITY || - ia == SECURITY_CREATOR_SID_AUTHORITY); -} - /***************************************************************** Convert a SID to an ascii string. *****************************************************************/ 
@@ -532,30 +517,6 @@ BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2) return sid_compare(sid1, sid2) == 0; } -/***************************************************************** - Check if the SID is the builtin SID (S-1-5-32). -*****************************************************************/ - -BOOL sid_check_is_builtin(const DOM_SID *sid) -{ - return sid_equal(sid, &global_sid_Builtin); -} - -/***************************************************************** - Check if the SID is one of the builtin SIDs (S-1-5-32-a). -*****************************************************************/ - -BOOL sid_check_is_in_builtin(const DOM_SID *sid) -{ - DOM_SID dom_sid; - uint32 rid; - - sid_copy(&dom_sid, sid); - sid_split_rid(&dom_sid, &rid); - - return sid_equal(&dom_sid, &global_sid_Builtin); -} - /***************************************************************** Calculates size of a sid. *****************************************************************/ -- cgit From c911ac23a94909b61a8e7cdcb4a9e2f7e6b31600 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 10 Dec 2005 23:29:39 +0000 Subject: r12169: Remove an unused function (This used to be commit 209e4f8793fe9375fc6af1aedb5bd1fe57193bbc) --- source3/lib/util_sid.c | 35 ----------------------------------- 1 file changed, 35 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 92bc2fb893..b94be474a9 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -156,41 +156,6 @@ const char *get_global_sam_name(void) return global_myname(); } -/************************************************************************** - Splits a name of format \DOMAIN\name or name into its two components. - Sets the DOMAIN name to global_myname() if it has not been specified. -***************************************************************************/ - -void split_domain_name(const char *fullname, char *domain, char *name) -{ - pstring full_name; - const char *sep; - char *p; - - sep = lp_winbind_separator(); - - *domain = *name = '\0'; - - if (fullname[0] == sep[0] || fullname[0] == '\\') - fullname++; - - pstrcpy(full_name, fullname); - p = strchr_m(full_name+1, '\\'); - if (!p) p = strchr_m(full_name+1, sep[0]); - - if (p != NULL) { - *p = 0; - fstrcpy(domain, full_name); - fstrcpy(name, p+1); - } else { - fstrcpy(domain, get_global_sam_name()); - fstrcpy(name, full_name); - } - - DEBUG(10,("split_domain_name:name '%s' split into domain :'%s' and user :'%s'\n", - fullname, domain, name)); -} - /***************************************************************** Convert a SID to an ascii string. *****************************************************************/ -- cgit From 894979c69ba3d90b6361908cde4e29a68989419f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 20 Dec 2005 00:16:18 +0000 Subject: r12387: Make string_to_sid a little more silent. Jeremy. (This used to be commit 7ccff8071abf2bd85f4022abace1f96c7f7f0d29) --- source3/lib/util_sid.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index b94be474a9..f3fc5af9ea 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -213,7 +213,7 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) uint32 conv; if ((sidstr[0] != 'S' && sidstr[0] != 's') || sidstr[1] != '-') { - DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); + DEBUG(3,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); return False; } @@ -223,7 +223,7 @@ BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) p = sidstr + 2; conv = (uint32) strtoul(p, &q, 10); if (!q || (*q != '-')) { - DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); + DEBUG(3,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); return False; } sidout->sid_rev_num = (uint8) conv; -- cgit From 7b575d7cc513b4da8734f6f06694e7c426cfd41c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 19 Jan 2006 00:03:07 +0000 Subject: r13024: Add is_null_sid. GUenther (This used to be commit 3a6e41a0cb2872a656ea79c8d4fc4b8bce436492) --- source3/lib/util_sid.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index f3fc5af9ea..e2b2ebf28c 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -619,3 +619,9 @@ void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, size_t *num) return; } + +BOOL is_null_sid(const DOM_SID *sid) +{ + static const DOM_SID null_sid = {0}; + return sid_equal(sid, &null_sid); +} -- cgit From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/lib/util_sid.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index e2b2ebf28c..c7f9dc2fdb 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
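Review bot: `is_null_sid` tests for an all-zero `DOM_SID` (revision 0, no sub-authorities), which is a different value from the well-known NULL SID `S-1-0-0` this file exposes as `global_sid_NULL`, and the name invites confusing the two. A header in the file's style would prevent that: `/* True if *sid is the zero-filled "unset" value (rev 0, num_auths 0). This is NOT the well-known NULL SID S-1-0-0 — see global_sid_NULL. */`. Whether `sid_equal` tolerates a NULL pointer is not visible here, so the comment should also say `sid` must be non-NULL unless that is confirmed.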
@@ -75,6 +75,11 @@ const DOM_SID global_sid_Builtin_Backup_Operators = /* Builtin backup operators const DOM_SID global_sid_Builtin_Replicator = /* Builtin replicator */ { 1, 2, {0,0,0,0,0,5}, {32,552,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Unix_Users = /* Unmapped Unix users */ +{ 1, 1, {0,0,0,0,0,22}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Unix_Groups = /* Unmapped Unix groups */ +{ 1, 1, {0,0,0,0,0,22}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; + /* Unused, left here for documentary purposes */ #if 0 #define SECURITY_NULL_SID_AUTHORITY 0 -- cgit From 894358a8f3e338b339b6c37233edef794b312087 Mon Sep 17 00:00:00 2001 
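Review bot: `global_sid_Unix_Users` and `global_sid_Unix_Groups` use identifier authority 22, which is not among the Microsoft-assigned authorities (0, 1, 2, 3, 5) listed in the `#if 0` block directly below, and the comments say nothing about where the value comes from or that it is Samba's own allocation. Since these SIDs stand in for Unix ids that have no mapping, a reader needs to know they are locally synthesised and presumably should never be accepted from a remote token as if they named a domain principal (confirm against the callers). Suggest `/* Samba-private identifier authority 22 (not a Microsoft-assigned authority): SIDs synthesised for Unix ids with no Windows mapping; local meaning only. */` above the pair.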
From: Jeremy Allison Date: Tue, 7 Mar 2006 06:31:04 +0000 Subject: r13915: Fixed a very interesting class of realloc() bugs found by Coverity. realloc can return NULL in one of two cases - (1) the realloc failed, (2) realloc succeeded but the new size requested was zero, in which case this is identical to a free() call. The error paths dealing with these two cases should be different, but mostly weren't. Secondly the standard idiom for dealing with realloc when you know the new size is non-zero is the following : tmp = realloc(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } However, there were *many* *many* places in Samba where we were using the old (broken) idiom of : p = realloc(p, size) if (!p) { return error; } which will leak the memory pointed to by p on realloc fail. This commit (hopefully) fixes all these cases by moving to a standard idiom of : p = SMB_REALLOC(p, size) if (!p) { return error; } Where if the realloc returns null due to the realloc failing or size == 0 we *guarentee* that the storage pointed to by p has been freed. This allows me to remove a lot of code that was dealing with the standard (more verbose) method that required a tmp pointer. This is almost always what you want. When a realloc fails you never usually want the old memory, you want to free it and get into your error processing asap. For the 11 remaining cases where we really do need to keep the old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR, which can be used as follows : tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the pointer p, even on size == 0 or realloc fail. All this is done by a hidden extra argument to Realloc(), BOOL free_old_on_error which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR macros (and their array counterparts). 
It remains to be seen what this will do to our Coverity bug count :-). Jeremy. (This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0) --- source3/lib/util_sid.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index c7f9dc2fdb..3be52dd9f7 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -563,14 +563,16 @@ DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src) void add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, DOM_SID **sids, size_t *num) { - if (mem_ctx != NULL) + if (mem_ctx != NULL) { *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID, (*num)+1); - else + } else { *sids = SMB_REALLOC_ARRAY(*sids, DOM_SID, (*num)+1); + } - if (*sids == NULL) + if (*sids == NULL) { return; + } sid_copy(&((*sids)[*num]), sid); *num += 1; -- cgit From 7588769316ecf84c99f94e2f7a5db09b7c12fd7a Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 25 Apr 2006 20:14:46 +0000 Subject: r15251: Adding PreWin2kAccess builtin sid. Guenther (This used to be commit 4330d1b74cba14501c2864105b2fae53ccf9475f) --- source3/lib/util_sid.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 3be52dd9f7..0710337637 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -74,6 +74,8 @@ const DOM_SID global_sid_Builtin_Backup_Operators = /* Builtin backup operators { 1, 2, {0,0,0,0,0,5}, {32,551,0,0,0,0,0,0,0,0,0,0,0,0,0}}; const DOM_SID global_sid_Builtin_Replicator = /* Builtin replicator */ { 1, 2, {0,0,0,0,0,5}, {32,552,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +const DOM_SID global_sid_Builtin_PreWin2kAccess = /* Builtin pre win2k access */ +{ 1, 2, {0,0,0,0,0,5}, {32,554,0,0,0,0,0,0,0,0,0,0,0,0,0}}; const DOM_SID global_sid_Unix_Users = /* Unmapped Unix users */ { 1, 1, {0,0,0,0,0,22}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; -- cgit 
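Review bot: The failure path `if (*sids == NULL) { return; }` in `add_sid_to_array` leaves `*num` untouched while, per this commit's own description, `SMB_REALLOC_ARRAY` has already freed the old array, so the caller now owns a NULL array with a non-zero count and will index it on the next use; the void return gives it no way to notice. Reset the count on the error path, `if (*sids == NULL) { *num = 0; return; }`, and consider returning a BOOL so allocation failures are not silent. Whether `TALLOC_REALLOC_ARRAY` frees the old block on failure is not visible here, but the count reset is correct for that branch either way.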
From 34e810076df8720a145f5a619ed648c384898563 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 28 Apr 2006 14:44:43 +0000 Subject: r15305: Let winbind search by sid directly (or in windows terms: "bind to a sid"); works in all AD versions I tested. Also add "net ads sid" search tool. Guenther (This used to be commit 5557ada6943b817d28a5471c613c7291febe2ad5) --- source3/lib/util_sid.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 0710337637..307f3e3415 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -528,6 +528,24 @@ BOOL non_mappable_sid(DOM_SID *sid) *****************************************************************/ char *sid_binstring(const DOM_SID *sid) +{ + char *buf, *s; + int len = sid_size(sid); + buf = SMB_MALLOC(len); + if (!buf) + return NULL; + sid_linearize(buf, len, sid); + s = binary_string_rfc2254(buf, len); + free(buf); + return s; +} + +/***************************************************************** + Return the binary string representation of a DOM_SID. + Caller must free. +*****************************************************************/ + +char *sid_binstring_hex(const DOM_SID *sid) { char *buf, *s; int len = sid_size(sid); -- cgit From 17cbb65317d72646301194d4659b64fa198c3ae5 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 19 Jun 2006 16:25:19 +0000 Subject: r16350: Fix the build. GUenther (This used to be commit 3203ce3b49e6f21ed690e9d7393e98419de54c27) --- source3/lib/util_sid.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 307f3e3415..09fe30f81b 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
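Review bot: After this change the name `sid_binstring` no longer says what the function returns: the first body now passes the linearised SID through `binary_string_rfc2254`, i.e. the `\xx`-escaped form an LDAP filter needs, while the previous body lives on as `sid_binstring_hex` (presumably hex, from its name — its body is cut off here), yet the new header says only "binary string representation" and the header above the first function, outside the hunk, is unchanged. Suggest documenting each: `/* Return the linearised SID escaped per RFC 2254 (\xx per byte) for use in LDAP filters. Caller must free. */` and `/* Return the linearised SID as a hex string. Caller must free. */`. Both bodies also ignore the return of `sid_linearize` (harmless if `len = sid_size(sid)` is always sufficient) and pair `SMB_MALLOC` with bare `free` rather than the `SAFE_FREE` the rest of this file uses.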
@@ -647,6 +647,25 @@ void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, size_t *num) return; } +void add_rid_to_array_unique(TALLOC_CTX *mem_ctx, + uint32 rid, uint32 **pp_rids, size_t *p_num) +{ + size_t i; + + for (i=0; i<*p_num; i++) { + if ((*pp_rids)[i] == rid) + return; + } + + *pp_rids = TALLOC_REALLOC_ARRAY(mem_ctx, *pp_rids, uint32, *p_num+1); + + if (*pp_rids == NULL) + return; + + (*pp_rids)[*p_num] = rid; + *p_num += 1; +} + BOOL is_null_sid(const DOM_SID *sid) { static const DOM_SID null_sid = {0}; -- cgit From e23781b3b304d1e69ad80af5ae9c0ed8d02cf996 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 30 Jul 2006 16:36:56 +0000 Subject: r17316: More C++ warnings -- 456 left (This used to be commit 1e4ee728df7eeafc1b4d533240acb032f73b4f5c) --- source3/lib/util_sid.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 09fe30f81b..4d31080ec9 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -531,7 +531,7 @@ char *sid_binstring(const DOM_SID *sid) { char *buf, *s; int len = sid_size(sid); - buf = SMB_MALLOC(len); + buf = (char *)SMB_MALLOC(len); if (!buf) return NULL; sid_linearize(buf, len, sid); @@ -549,7 +549,7 @@ char *sid_binstring_hex(const DOM_SID *sid) { char *buf, *s; int len = sid_size(sid); - buf = SMB_MALLOC(len); + buf = (char *)SMB_MALLOC(len); if (!buf) return NULL; sid_linearize(buf, len, sid); -- cgit From 2b27c93a9a8471693d7dcb5fdbe8afe65b22ff66 Mon Sep 17 00:00:00 2001 
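Review bot: On realloc failure `add_rid_to_array_unique` returns with `*pp_rids == NULL` but `*p_num` unchanged, so the caller is left with a non-zero count over a NULL array, and because the result of `TALLOC_REALLOC_ARRAY` is assigned straight back into `*pp_rids` the previous array is no longer reachable from the caller (its fate on failure depends on talloc semantics not visible here). Zero the count and report the failure: `if (*pp_rids == NULL) { *p_num = 0; return False; }` with a BOOL return, since callers building a group list cannot otherwise tell a failed append from a duplicate. A one-line header in the file's style is also missing: `/* Append rid to *pp_rids unless it is already present. */`.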
From: Gerald Carter Date: Fri, 8 Sep 2006 14:28:06 +0000 Subject: r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951) --- source3/lib/util_sid.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 4d31080ec9..b6952fca81 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -110,7 +110,7 @@ NT_USER_TOKEN system_token = { 1, system_sid_array, SE_ALL_PRIVS }; ****************************************************************************/ static const struct { - enum SID_NAME_USE sid_type; + enum lsa_SidType sid_type; const char *string; } sid_name_type[] = { {SID_NAME_USER, "User"}, @@ -123,7 +123,7 @@ static const struct { {SID_NAME_UNKNOWN, "UNKNOWN"}, {SID_NAME_COMPUTER, "Computer"}, - {(enum SID_NAME_USE)0, NULL} + {(enum lsa_SidType)0, NULL} }; const char *sid_type_lookup(uint32 sid_type) -- cgit From 63609fbb04d2ce620338b4b79e7c1abf39f08ef8 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Sat, 9 Dec 2006 02:58:18 +0000 Subject: r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24) --- source3/lib/util_sid.c | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index b6952fca81..032be9aa93 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -580,24 +580,20 @@ DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src) Add SID to an array SIDs ********************************************************************/ -void add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, +BOOL add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, DOM_SID **sids, size_t *num) { - if (mem_ctx != NULL) { - *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID, + *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID, (*num)+1); - } else { - *sids = SMB_REALLOC_ARRAY(*sids, DOM_SID, (*num)+1); - } - if (*sids == NULL) { - return; + *num = 0; + return False; } sid_copy(&((*sids)[*num]), sid); *num += 1; - return; + return True; } 
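Review bot: The rewritten `add_sid_to_array` now always reallocs through `TALLOC_REALLOC_ARRAY`, but its signature still accepts `mem_ctx == NULL` and any pre-existing `*sids`, so a caller that used the removed `SMB_REALLOC_ARRAY` branch with a malloc'd array will now hand that pointer to talloc; nothing in the hunk rejects or documents that. State the contract in a comment, `/* *sids must be NULL or a talloc child of mem_ctx; malloc'd arrays are no longer accepted. */`, or add an assertion on `mem_ctx` if the tree has one. On failure the function sets `*num = 0` and leaves `*sids` NULL, which is consistent, but if talloc_realloc keeps the old block alive on failure it is now orphaned under `mem_ctx` — not visible here, worth a word in the comment.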
@@ -605,17 +601,17 @@ void add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, Add SID to an array SIDs ensuring that it is not already there ********************************************************************/ -void add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid, +BOOL add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid, DOM_SID **sids, size_t *num_sids) { size_t i; for (i=0; i<(*num_sids); i++) { if (sid_compare(sid, &(*sids)[i]) == 0) - return; + return True; } - add_sid_to_array(mem_ctx, sid, sids, num_sids); + return add_sid_to_array(mem_ctx, sid, sids, num_sids); } /******************************************************************** @@ -647,23 +643,26 @@ void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, size_t *num) return; } -void add_rid_to_array_unique(TALLOC_CTX *mem_ctx, +BOOL add_rid_to_array_unique(TALLOC_CTX *mem_ctx, uint32 rid, uint32 **pp_rids, size_t *p_num) { size_t i; for (i=0; i<*p_num; i++) { if ((*pp_rids)[i] == rid) - return; + return True; } *pp_rids = TALLOC_REALLOC_ARRAY(mem_ctx, *pp_rids, uint32, *p_num+1); - if (*pp_rids == NULL) - return; + if (*pp_rids == NULL) { + *p_num = 0; + return False; + } (*pp_rids)[*p_num] = rid; *p_num += 1; + return True; } BOOL is_null_sid(const DOM_SID *sid) -- cgit From 5e7174a2c831883a23ce17b48e3787855b3bb8ff Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Apr 2007 09:19:35 +0000 Subject: r22481: Move check for non-mappable SIDs to after sid_to_uid, sid_to_gid mapping, add LocalSystem to non-mappable list. Jeremy. (This used to be commit 805f01464f3feb30725dbce1f90d4296380dd796) --- source3/lib/util_sid.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 032be9aa93..c89abc916f 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
@@ -510,6 +510,9 @@ BOOL non_mappable_sid(DOM_SID *sid) DOM_SID dom; uint32 rid; + if (sid_equal(sid, &global_sid_System)) + return True; + sid_copy(&dom, sid); sid_split_rid(&dom, &rid); -- cgit From f5d6c8e0d77683af8818a37e7daaa169cc6fd0f9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 30 Apr 2007 16:32:17 +0000 Subject: r22611: Fix from Jens Nissen . Fix bad memory leak I introduced into acl code, also remove redundent extra check for global_sid_System : global_sid_System == S-1-5-18 which is already included in the check for a domain of global_sid_NT_Authority == S-1-5 Jeremy. (This used to be commit 10649540ac11e679997f414d4a6b12d057bd7913) --- source3/lib/util_sid.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index c89abc916f..032be9aa93 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -510,9 +510,6 @@ BOOL non_mappable_sid(DOM_SID *sid) DOM_SID dom; uint32 rid; - if (sid_equal(sid, &global_sid_System)) - return True; - sid_copy(&dom, sid); sid_split_rid(&dom, &rid); -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/lib/util_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 032be9aa93..1473190abd 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
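Review bot: The new early return in `non_mappable_sid` compares against `global_sid_System`, which is `S-1-5-18`; the two lines right after it copy the SID and `sid_split_rid` it into domain `S-1-5` plus rid 18, and the rest of the function (outside this hunk) is where the domain comparison happens, so unless that comparison does not cover `S-1-5` the new test only duplicates an existing one. Confirm against the remainder of the body and either drop the line or add a comment saying which case the NT_Authority domain check misses, e.g. `/* LocalSystem is special-cased because … */`, so the next reader does not have to re-derive it.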
@@ -10,7 +10,7 @@
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
 (at your option) any later version.
 This program is distributed in the hope that it will be useful,
-- cgit
From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Tue, 10 Jul 2007 00:52:41 +0000
Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
---
 source3/lib/util_sid.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'source3/lib/util_sid.c')
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 1473190abd..9915085f5a 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -19,8 +19,7 @@
 GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see .
 */
 #include "includes.h"
-- cgit
From 4b4a3c7df1b894c32473ee559185f6253b895800 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Tue, 17 Jul 2007 11:47:17 +0000
Subject: r23928: Merge all "copy-info3-groups-to-sid-array" blocks to a sid_array_from_info3() function. Guenther
(This used to be commit 1e1e480115e37b3f4c85f979ddd800b8de0b9c57)
---
 source3/lib/util_sid.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
(limited to 'source3/lib/util_sid.c')
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 9915085f5a..7c6fc9b217 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -669,3 +669,68 @@ BOOL is_null_sid(const DOM_SID *sid) static const DOM_SID null_sid = {0}; return sid_equal(sid, &null_sid); } + +NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, + const NET_USER_INFO_3 *info3, + DOM_SID **user_sids, + size_t *num_user_sids, + BOOL include_user_group_rid) +{ + DOM_SID sid; + DOM_SID *sid_array = NULL; + size_t num_sids = 0; + int i; + + if (include_user_group_rid) { + + if (!sid_compose(&sid, &(info3->dom_sid.sid), + info3->user_rid) + || !add_sid_to_array(mem_ctx, &sid, + &sid_array, &num_sids)) { + DEBUG(3,("could not add user SID from rid 0x%x\n", + info3->user_rid)); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!sid_compose(&sid, &(info3->dom_sid.sid), + info3->group_rid) + || !add_sid_to_array(mem_ctx, &sid, + &sid_array, &num_sids)) { + DEBUG(3,("could not append additional group rid 0x%x\n", + info3->group_rid)); + + return NT_STATUS_INVALID_PARAMETER; + } + } + + for (i = 0; i < info3->num_groups2; i++) { + if (!sid_compose(&sid, &(info3->dom_sid.sid), + info3->gids[i].g_rid) + || !add_sid_to_array(mem_ctx, &sid, + &sid_array, &num_sids)) { + DEBUG(3,("could not append additional group rid 0x%x\n", + info3->gids[i].g_rid)); + return NT_STATUS_INVALID_PARAMETER; + } + } + + /* Copy 'other' sids. We need to do sid filtering here to + prevent possible elevation of privileges. See: + + http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp + */ + + for (i = 0; i < info3->num_other_sids; i++) { + if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid, + &sid_array, &num_sids)) { + DEBUG(3, ("could not add SID to array: %s\n", + sid_string_static(&info3->other_sids[i].sid))); + return NT_STATUS_NO_MEMORY; + } + } + + *user_sids = sid_array; + *num_user_sids = num_sids; + + return NT_STATUS_OK; +} -- cgit From 54d3c7f61d612ca041aafc0fba964e0431cbf463 Mon Sep 17 00:00:00 2001 
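Review bot: The comment above the 'other' SIDs loop states that SID filtering is needed here to prevent elevation of privileges, yet the loop copies every `info3->other_sids[i].sid` unfiltered, so the comment documents a requirement the code does not implement. If the filtering is performed by the caller or the trust layer, the comment should say so, e.g. `/* SID filtering of other_sids is expected to have been done by the caller. */`; otherwise this is a gap to track, and the later hunks that rework this loop (the NTSTATUS conversion and the skip_ressource_groups hunk) carry the same mismatch. Separately, `i` is declared `int` while it is compared against `info3->num_groups2` and `info3->num_other_sids`; if those counts are unsigned, the comparison is mixed-sign and `size_t i` would be the safer choice.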
From: Volker Lendecke Date: Sat, 8 Sep 2007 20:30:51 +0000 Subject: r25040: Add "net sam rights" Not strictly in the SAM, but close enough. This command acts directly on the local tdb, no running smbd required This also changes the root-only check to a warning (This used to be commit 0c5657b5eff60e3c52de8fbb4ce9346d0341854c) --- source3/lib/util_sid.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 7c6fc9b217..85cb96bd60 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -207,6 +207,13 @@ const char *sid_string_static(const DOM_SID *sid) return sid_str; } +char *sid_string_tos(const DOM_SID *sid) +{ + fstring sid_str; + sid_to_string(sid_str, sid); + return talloc_strdup(talloc_tos(), sid_str); +} + /***************************************************************** Convert a string to a SID. Returns True on success, False on fail. *****************************************************************/ -- cgit From 52ef68ad4b2cdf07a7b82cc87ffb692741bbda46 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 8 Oct 2007 13:31:08 +0000 Subject: r25575: Document S-1-5-12 (restriced code sid). Guenther (This used to be commit 109b09edef4bcad06c3b850edf7db74419c3ad78) --- source3/lib/util_sid.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 85cb96bd60..498919876c 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -25,7 +25,8 @@ #include "includes.h" /* - * Some useful sids + * Some useful sids, more well known sids can be found at + * http://support.microsoft.com/kb/243330/EN-US/ */ 
@@ -43,6 +44,11 @@ const DOM_SID global_sid_NULL = /* NULL sid */ { 1, 1, {0,0,0,0,0,0}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; const DOM_SID global_sid_Authenticated_Users = /* All authenticated rids */ { 1, 1, {0,0,0,0,0,5}, {11,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +#if 0 +/* for documentation */ +const DOM_SID global_sid_Restriced = /* Restriced Code */ +{ 1, 1, {0,0,0,0,0,5}, {12,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; +#endif const DOM_SID global_sid_Network = /* Network rids */ { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/lib/util_sid.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 498919876c..f46d363895 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -224,7 +224,7 @@ char *sid_string_tos(const DOM_SID *sid) Convert a string to a SID. Returns True on success, False on fail. *****************************************************************/ -BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) +bool string_to_sid(DOM_SID *sidout, const char *sidstr) { const char *p; char *q; @@ -295,7 +295,7 @@ DOM_SID *string_sid_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) Add a rid to the end of a sid *****************************************************************/ -BOOL sid_append_rid(DOM_SID *sid, uint32 rid) +bool sid_append_rid(DOM_SID *sid, uint32 rid) { if (sid->num_auths < MAXSUBAUTHS) { sid->sub_auths[sid->num_auths++] = rid; 
@@ -304,7 +304,7 @@ BOOL sid_append_rid(DOM_SID *sid, uint32 rid) return False; } -BOOL sid_compose(DOM_SID *dst, const DOM_SID *domain_sid, uint32 rid) +bool sid_compose(DOM_SID *dst, const DOM_SID *domain_sid, uint32 rid) { sid_copy(dst, domain_sid); return sid_append_rid(dst, rid); @@ -314,7 +314,7 @@ BOOL sid_compose(DOM_SID *dst, const DOM_SID *domain_sid, uint32 rid) Removes the last rid from the end of a sid *****************************************************************/ -BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) +bool sid_split_rid(DOM_SID *sid, uint32 *rid) { if (sid->num_auths > 0) { sid->num_auths--; @@ -328,7 +328,7 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) Return the last rid from the end of a sid *****************************************************************/ -BOOL sid_peek_rid(const DOM_SID *sid, uint32 *rid) +bool sid_peek_rid(const DOM_SID *sid, uint32 *rid) { if (!sid || !rid) return False; @@ -345,7 +345,7 @@ BOOL sid_peek_rid(const DOM_SID *sid, uint32 *rid) and check the sid against the exp_dom_sid *****************************************************************/ -BOOL sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 *rid) +bool sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 *rid) { if (!exp_dom_sid || !sid || !rid) return False; @@ -385,7 +385,7 @@ void sid_copy(DOM_SID *dst, const DOM_SID *src) Write a sid out into on-the-wire format. *****************************************************************/ -BOOL sid_linearize(char *outbuf, size_t len, const DOM_SID *sid) +bool sid_linearize(char *outbuf, size_t len, const DOM_SID *sid) { size_t i; @@ -405,7 +405,7 @@ BOOL sid_linearize(char *outbuf, size_t len, const DOM_SID *sid) Parse a on-the-wire SID to a DOM_SID. *****************************************************************/ -BOOL sid_parse(const char *inbuf, size_t len, DOM_SID *sid) +bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid) { int i; if (len < 8) 
@@ -496,7 +496,7 @@ int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2) Compare two sids. *****************************************************************/ -BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2) +bool sid_equal(const DOM_SID *sid1, const DOM_SID *sid2) { return sid_compare(sid1, sid2) == 0; } @@ -517,7 +517,7 @@ size_t sid_size(const DOM_SID *sid) Returns true if SID is internal (and non-mappable). *****************************************************************/ -BOOL non_mappable_sid(DOM_SID *sid) +bool non_mappable_sid(DOM_SID *sid) { DOM_SID dom; uint32 rid; @@ -592,7 +592,7 @@ DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src) Add SID to an array SIDs ********************************************************************/ -BOOL add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, +bool add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, DOM_SID **sids, size_t *num) { *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID, @@ -613,7 +613,7 @@ BOOL add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, Add SID to an array SIDs ensuring that it is not already there ********************************************************************/ -BOOL add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid, +bool add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid, DOM_SID **sids, size_t *num_sids) { size_t i; @@ -655,7 +655,7 @@ void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, size_t *num) return; } -BOOL add_rid_to_array_unique(TALLOC_CTX *mem_ctx, +bool add_rid_to_array_unique(TALLOC_CTX *mem_ctx, uint32 rid, uint32 **pp_rids, size_t *p_num) { size_t i; @@ -677,7 +677,7 @@ BOOL add_rid_to_array_unique(TALLOC_CTX *mem_ctx, return True; } -BOOL is_null_sid(const DOM_SID *sid) +bool is_null_sid(const DOM_SID *sid) { static const DOM_SID null_sid = {0}; return sid_equal(sid, &null_sid); 
@@ -687,7 +687,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 const NET_USER_INFO_3 *info3,
 DOM_SID **user_sids,
 size_t *num_user_sids,
- BOOL include_user_group_rid)
+ bool include_user_group_rid)
 {
 DOM_SID sid;
 DOM_SID *sid_array = NULL;
-- cgit
From 2cb7f5f632fc3c30c0afa57d1c99f506885f113a Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sat, 15 Dec 2007 19:00:42 +0100
Subject: add sid_string_talloc
(This used to be commit 9e3ef0923d71cc06b8445be2625ebd8dfed1b42d)
---
 source3/lib/util_sid.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'source3/lib/util_sid.c')
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index f46d363895..fcbbbb44d9 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -213,11 +213,19 @@ const char *sid_string_static(const DOM_SID *sid)
 return sid_str;
 }
-char *sid_string_tos(const DOM_SID *sid)
+char *sid_string_talloc(TALLOC_CTX *mem_ctx, const DOM_SID *sid)
 {
 fstring sid_str;
+ char *result;
 sid_to_string(sid_str, sid);
- return talloc_strdup(talloc_tos(), sid_str);
+ result = talloc_strdup(mem_ctx, sid_str);
+ SMB_ASSERT(result != NULL);
+ return result;
+}
+
+char *sid_string_tos(const DOM_SID *sid)
+{
+ return sid_string_talloc(talloc_tos(), sid);
 }
 /*****************************************************************
-- cgit
From f498f661bcd6f2d97d55aa275dcd1eb2cbcda8a4 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sat, 15 Dec 2007 21:06:20 +0100
Subject: Add sid_string_dbg This makes use of the just added debug_ctx and will kill many sid_string_static() calls
(This used to be commit 3e4148c280efe154c3f8d552731c8b29d6977507)
---
 source3/lib/util_sid.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'source3/lib/util_sid.c')
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index fcbbbb44d9..344784aee2 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
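Review bot: `SMB_ASSERT(result != NULL)` in the new sid_string_talloc turns an allocation failure into a process abort for every SID-to-string conversion, including ones done only to format log output, and sid_string_tos inherits that behaviour without saying so. That may be the intended policy, but nothing in the hunk records it for callers who might otherwise add a NULL check; a one-line header such as `/* Never returns NULL: aborts on allocation failure. */` above sid_string_talloc would make the contract explicit.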
@@ -223,6 +223,11 @@ char *sid_string_talloc(TALLOC_CTX *mem_ctx, const DOM_SID *sid)
 return result;
 }
+char *sid_string_dbg(const DOM_SID *sid)
+{
+ return sid_string_talloc(debug_ctx(), sid);
+}
+
 char *sid_string_tos(const DOM_SID *sid)
 {
 return sid_string_talloc(talloc_tos(), sid);
-- cgit
From 900288a2b86abd247f9eb4cd15dc5617a17cfef1 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sat, 15 Dec 2007 21:11:36 +0100
Subject: Replace sid_string_static by sid_string_dbg in DEBUGs
(This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
---
 source3/lib/util_sid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source3/lib/util_sid.c')
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 344784aee2..e27c72dbc4 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -750,7 +750,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid,
 &sid_array, &num_sids)) {
 DEBUG(3, ("could not add SID to array: %s\n",
- sid_string_static(&info3->other_sids[i].sid)));
+ sid_string_dbg(&info3->other_sids[i].sid)));
 return NT_STATUS_NO_MEMORY;
 }
 }
-- cgit
From 4312ad8b98456a59bd5b020d83010695b4baf209 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sat, 15 Dec 2007 22:08:09 +0100
Subject: sid_string_static is no more :-) We now have four ways to do sid_to_string: sid_to_string: Convert it into an existing fstring, when you have one sid_string_talloc: The obvious thing sid_string_tos: For the lazy, use only with care sid_string_dbg: The one to use in DEBUG statements
(This used to be commit 7b8276aaa48852270c6b70b081c3f28e316a7a2c)
---
 source3/lib/util_sid.c | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)
(limited to 'source3/lib/util_sid.c')
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index e27c72dbc4..b28626cd66 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -202,17 +202,6 @@ char *sid_to_string(fstring sidstr_out, const DOM_SID *sid) return sidstr_out; } -/***************************************************************** - Useful function for debug lines. -*****************************************************************/ - -const char *sid_string_static(const DOM_SID *sid) -{ - static fstring sid_str; - sid_to_string(sid_str, sid); - return sid_str; -} - char *sid_string_talloc(TALLOC_CTX *mem_ctx, const DOM_SID *sid) { fstring sid_str; @@ -223,11 +212,19 @@ char *sid_string_talloc(TALLOC_CTX *mem_ctx, const DOM_SID *sid) return result; } +/***************************************************************** + Useful function for debug lines. +*****************************************************************/ + char *sid_string_dbg(const DOM_SID *sid) { return sid_string_talloc(debug_ctx(), sid); } +/***************************************************************** + Use with care! +*****************************************************************/ + char *sid_string_tos(const DOM_SID *sid) { return sid_string_talloc(talloc_tos(), sid); -- cgit From 79cd97cc3f496f781d809c1ab619afa2cc07293d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 15 Dec 2007 22:33:52 +0100 Subject: Use dom_sid_string for sid_string_talloc Remove some code duplication, but introduce one more dependency on librpc/ndr. Easily turned around so that librpc/ndr depends on lib/util_sid if necessary (This used to be commit 3a0b1b2060facd5f1ac1461b23dd86c75cdd9458) --- source3/lib/util_sid.c | 41 ++++++++++++----------------------------- 1 file changed, 12 insertions(+), 29 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index b28626cd66..868ac36d11 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c 
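Review bot: The `Use with care!` header added above sid_string_tos does not say what the care is about; the visible hazard is that the result is allocated on talloc_tos(), so it is only valid until the enclosing talloc stackframe is released and must not be stored or returned to an outer caller. A header that states this is more useful, e.g. `Result is allocated on talloc_tos(): use it within the current stackframe only, never store it.`. The sid_string_dbg header could likewise note that its result belongs to debug_ctx().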
@@ -174,40 +174,23 @@ const char *get_global_sam_name(void) char *sid_to_string(fstring sidstr_out, const DOM_SID *sid) { - char subauth[16]; - int i; - uint32 ia; - - if (!sid) { - fstrcpy(sidstr_out, "(NULL SID)"); - return sidstr_out; - } - - /* - * BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 - * in a range of 2^48. - */ - ia = (sid->id_auth[5]) + - (sid->id_auth[4] << 8 ) + - (sid->id_auth[3] << 16) + - (sid->id_auth[2] << 24); - - slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia); - - for (i = 0; i < sid->num_auths; i++) { - slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]); - fstrcat(sidstr_out, subauth); - } - + char *str = sid_string_talloc(talloc_tos(), sid); + fstrcpy(sidstr_out, str); + TALLOC_FREE(str); return sidstr_out; } +/***************************************************************** + Essentially a renamed dom_sid_string from librpc/ndr with a + panic if it didn't work + + This introduces a dependency on librpc/ndr/sid.o which can easily + be turned around if necessary +*****************************************************************/ + char *sid_string_talloc(TALLOC_CTX *mem_ctx, const DOM_SID *sid) { - fstring sid_str; - char *result; - sid_to_string(sid_str, sid); - result = talloc_strdup(mem_ctx, sid_str); + char *result = dom_sid_string(mem_ctx, sid); SMB_ASSERT(result != NULL); return result; } -- cgit From 2e07c2ade89f4ff281c61f74cb88e09990cf5f46 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 15 Dec 2007 22:47:30 +0100 Subject: s/sid_to_string/sid_to_fstring/ least surprise for callers (This used to be commit eb523ba77697346a365589101aac379febecd546) --- source3/lib/util_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 868ac36d11..52f65aa77d 100644 --- a/source3/lib/util_sid.c 
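Review bot: The rewritten sid_to_string drops the `if (!sid)` branch that used to write "(NULL SID)" into sidstr_out, so a NULL sid now goes straight into sid_string_talloc and dom_sid_string; if dom_sid_string returns NULL for that input, the SMB_ASSERT in sid_string_talloc aborts the process where the old code returned a placeholder string. Unless every caller has been checked for NULL arguments, keeping the guard is cheap: `if (!sid) { fstrcpy(sidstr_out, "(NULL SID)"); return sidstr_out; }`. The header comment should also mention that the function now allocates and frees on talloc_tos() on every call.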
+++ b/source3/lib/util_sid.c @@ -172,7 +172,7 @@ const char *get_global_sam_name(void) Convert a SID to an ascii string. *****************************************************************/ -char *sid_to_string(fstring sidstr_out, const DOM_SID *sid) +char *sid_to_fstring(fstring sidstr_out, const DOM_SID *sid) { char *str = sid_string_talloc(talloc_tos(), sid); fstrcpy(sidstr_out, str); -- cgit From a59280792cab616f5b269960ab68bc44ccc1fd38 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 29 Dec 2007 22:16:31 +0100 Subject: Remove tiny code duplication sid_size did the same as ndr_size_dom_sid (This used to be commit 8aec5d09ba023413bd8ecbdfbc7d23904df94389) --- source3/lib/util_sid.c | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 52f65aa77d..222b32ed3a 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -382,7 +382,7 @@ bool sid_linearize(char *outbuf, size_t len, const DOM_SID *sid) { size_t i; - if (len < sid_size(sid)) + if (len < ndr_size_dom_sid(sid, 0)) return False; SCVAL(outbuf,0,sid->sid_rev_num); @@ -494,18 +494,6 @@ bool sid_equal(const DOM_SID *sid1, const DOM_SID *sid2) return sid_compare(sid1, sid2) == 0; } -/***************************************************************** - Calculates size of a sid. -*****************************************************************/ - -size_t sid_size(const DOM_SID *sid) -{ - if (sid == NULL) - return 0; - - return sid->num_auths * sizeof(uint32) + 8; -} - /***************************************************************** Returns true if SID is internal (and non-mappable). *****************************************************************/ 
@@ -535,7 +523,7 @@ bool non_mappable_sid(DOM_SID *sid) char *sid_binstring(const DOM_SID *sid) { char *buf, *s; - int len = sid_size(sid); + int len = ndr_size_dom_sid(sid, 0); buf = (char *)SMB_MALLOC(len); if (!buf) return NULL; @@ -553,7 +541,7 @@ char *sid_binstring(const DOM_SID *sid) char *sid_binstring_hex(const DOM_SID *sid) { char *buf, *s; - int len = sid_size(sid); + int len = ndr_size_dom_sid(sid, 0); buf = (char *)SMB_MALLOC(len); if (!buf) return NULL; -- cgit From f3603d5a5ab878d45b67bf0f33e2beca50d0af2d Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Wed, 9 Jan 2008 00:11:31 +0100 Subject: Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS. Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a) --- source3/lib/util_sid.c | 70 ++++++++++++++++++++++++++++++-------------------- 1 file changed, 42 insertions(+), 28 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 222b32ed3a..37865238a5 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -573,20 +573,20 @@ DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src) Add SID to an array SIDs ********************************************************************/ -bool add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, - DOM_SID **sids, size_t *num) +NTSTATUS add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, + DOM_SID **sids, size_t *num) { *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID, (*num)+1); if (*sids == NULL) { *num = 0; - return False; + return NT_STATUS_NO_MEMORY; } sid_copy(&((*sids)[*num]), sid); *num += 1; - return True; + return NT_STATUS_OK; } 
@@ -594,14 +594,14 @@ bool add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, Add SID to an array SIDs ensuring that it is not already there ********************************************************************/ -bool add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid, - DOM_SID **sids, size_t *num_sids) +NTSTATUS add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid, + DOM_SID **sids, size_t *num_sids) { size_t i; for (i=0; i<(*num_sids); i++) { if (sid_compare(sid, &(*sids)[i]) == 0) - return True; + return NT_STATUS_OK; } return add_sid_to_array(mem_ctx, sid, sids, num_sids); @@ -670,6 +670,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, size_t *num_user_sids, bool include_user_group_rid) { + NTSTATUS status; DOM_SID sid; DOM_SID *sid_array = NULL; size_t num_sids = 0; 
@@ -677,35 +678,47 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, if (include_user_group_rid) { - if (!sid_compose(&sid, &(info3->dom_sid.sid), - info3->user_rid) - || !add_sid_to_array(mem_ctx, &sid, - &sid_array, &num_sids)) { - DEBUG(3,("could not add user SID from rid 0x%x\n", - info3->user_rid)); + if (!sid_compose(&sid, &(info3->dom_sid.sid), info3->user_rid)) + { + DEBUG(3, ("could not compose user SID from rid 0x%x\n", + info3->user_rid)); return NT_STATUS_INVALID_PARAMETER; } + status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("could not append user SID from rid 0x%x\n", + info3->user_rid)); + return status; + } - if (!sid_compose(&sid, &(info3->dom_sid.sid), - info3->group_rid) - || !add_sid_to_array(mem_ctx, &sid, - &sid_array, &num_sids)) { - DEBUG(3,("could not append additional group rid 0x%x\n", - info3->group_rid)); - + if (!sid_compose(&sid, &(info3->dom_sid.sid), info3->group_rid)) + { + DEBUG(3, ("could not compose group SID from rid 0x%x\n", + info3->group_rid)); return NT_STATUS_INVALID_PARAMETER; } + status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("could not append group SID from rid 0x%x\n", + info3->group_rid)); + return status; + } } for (i = 0; i < info3->num_groups2; i++) { if (!sid_compose(&sid, &(info3->dom_sid.sid), - info3->gids[i].g_rid) - || !add_sid_to_array(mem_ctx, &sid, - &sid_array, &num_sids)) { - DEBUG(3,("could not append additional group rid 0x%x\n", - info3->gids[i].g_rid)); + info3->gids[i].g_rid)) + { + DEBUG(3, ("could not compose SID from additional group " + "rid 0x%x\n", info3->gids[i].g_rid)); return NT_STATUS_INVALID_PARAMETER; } + status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("could not append SID from additional group " + "rid 0x%x\n", info3->gids[i].g_rid)); + return status; + } } /* Copy 'other' sids. 
We need to do sid filtering here to @@ -715,11 +728,12 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, */ for (i = 0; i < info3->num_other_sids; i++) { - if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid, - &sid_array, &num_sids)) { + status = add_sid_to_array(mem_ctx, &info3->other_sids[i].sid, + &sid_array, &num_sids); + if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("could not add SID to array: %s\n", sid_string_dbg(&info3->other_sids[i].sid))); - return NT_STATUS_NO_MEMORY; + return status; } } -- cgit From b1d09a82f44dfebe3317d96ec69eaf81dfa452be Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 16 Feb 2008 18:51:01 +0100 Subject: Use netr_SamInfo3 in sid_array_from_info3. Guenther (This used to be commit 06095e8c705fc292323fa8d0110ae3aaeccab949) --- source3/lib/util_sid.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 37865238a5..fd2e93a697 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -665,7 +665,7 @@ bool is_null_sid(const DOM_SID *sid) } NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, - const NET_USER_INFO_3 *info3, + const struct netr_SamInfo3 *info3, DOM_SID **user_sids, size_t *num_user_sids, bool include_user_group_rid) 
@@ -678,45 +678,45 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, if (include_user_group_rid) { - if (!sid_compose(&sid, &(info3->dom_sid.sid), info3->user_rid)) + if (!sid_compose(&sid, info3->base.domain_sid, info3->base.rid)) { DEBUG(3, ("could not compose user SID from rid 0x%x\n", - info3->user_rid)); + info3->base.rid)); return NT_STATUS_INVALID_PARAMETER; } status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("could not append user SID from rid 0x%x\n", - info3->user_rid)); + info3->base.rid)); return status; } - if (!sid_compose(&sid, &(info3->dom_sid.sid), info3->group_rid)) + if (!sid_compose(&sid, info3->base.domain_sid, info3->base.primary_gid)) { DEBUG(3, ("could not compose group SID from rid 0x%x\n", - info3->group_rid)); + info3->base.primary_gid)); return NT_STATUS_INVALID_PARAMETER; } status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("could not append group SID from rid 0x%x\n", - info3->group_rid)); + info3->base.rid)); return status; } } - for (i = 0; i < info3->num_groups2; i++) { - if (!sid_compose(&sid, &(info3->dom_sid.sid), - info3->gids[i].g_rid)) + for (i = 0; i < info3->base.groups.count; i++) { + if (!sid_compose(&sid, info3->base.domain_sid, + info3->base.groups.rids[i].rid)) { DEBUG(3, ("could not compose SID from additional group " - "rid 0x%x\n", info3->gids[i].g_rid)); + "rid 0x%x\n", info3->base.groups.rids[i].rid)); return NT_STATUS_INVALID_PARAMETER; } status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("could not append SID from additional group " - "rid 0x%x\n", info3->gids[i].g_rid)); + "rid 0x%x\n", info3->base.groups.rids[i].rid)); return status; } } 
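Review bot: The "could not append group SID from rid 0x%x" DEBUG line prints `info3->base.rid` although the SID that failed to append was composed from `info3->base.primary_gid` two statements earlier, so the log reports the user RID where the group RID is meant; the compose-failure message directly above it already uses primary_gid. Change the argument to `info3->base.primary_gid));`. The same line is carried unchanged into the last hunk on this page, which moves the primary-group block out of the `include_user_group_rid` branch. The loop counter `i` is still `int` while `info3->base.groups.count` and `info3->sidcount` become the bounds; if those are unsigned the comparisons are mixed-sign.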
@@ -727,12 +727,12 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp */ - for (i = 0; i < info3->num_other_sids; i++) { - status = add_sid_to_array(mem_ctx, &info3->other_sids[i].sid, + for (i = 0; i < info3->sidcount; i++) { + status = add_sid_to_array(mem_ctx, info3->sids[i].sid, &sid_array, &num_sids); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("could not add SID to array: %s\n", - sid_string_dbg(&info3->other_sids[i].sid))); + sid_string_dbg(info3->sids[i].sid))); return status; } } -- cgit From bea4541e11f0664aaa8b62d525e0a02b14fc3afa Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 4 Apr 2008 02:53:40 +0200 Subject: Use sid_array_from_info3 in lookup_usergroups_cached(). Guenther (This used to be commit 65b4cb20ea3fb806cfd50281e08f32bea70fafce) --- source3/lib/util_sid.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'source3/lib/util_sid.c') diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index fd2e93a697..6b83f9ce65 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -668,7 +668,8 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, const struct netr_SamInfo3 *info3, DOM_SID **user_sids, size_t *num_user_sids, - bool include_user_group_rid) + bool include_user_group_rid, + bool skip_ressource_groups) { NTSTATUS status; DOM_SID sid; @@ -728,6 +729,12 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, */ for (i = 0; i < info3->sidcount; i++) { + + if (skip_ressource_groups && + (info3->sids[i].attributes & SE_GROUP_RESOURCE)) { + continue; + } + status = add_sid_to_array(mem_ctx, info3->sids[i].sid, &sid_array, &num_sids); if (!NT_STATUS_IS_OK(status)) { -- cgit From 63ff9e008147b105316dcb0ea2df9b4304a8851e Mon Sep 17 00:00:00 2001 
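Review bot: The new `skip_ressource_groups` parameter misspells "resource", and because it is part of the public signature the spelling will be copied into the prototype and every caller, so renaming it now (`bool skip_resource_groups`) is cheaper than later. The parameter is also undocumented: the SE_GROUP_RESOURCE filter applies only to the `info3->sids` loop, not to `base.groups`, which a reader cannot tell from the name; a comment on the declaration such as `/* skip_resource_groups: drop info3->sids entries carrying SE_GROUP_RESOURCE; base.groups are never filtered. */` would state that. The function's signature and start are outside this hunk.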
From: Herb Lewis
Date: Fri, 15 Aug 2008 15:28:23 -0700
Subject: I think the problem with these functions is that lookup_usergroups should never include the user SID. The comment for the function in winbindd/winbindd_ads.c says /* Lookup groups a user is a member of. */ The following patch makes the wbinfo calls return the correct data before and after a login. wbinfo --user-domgroups and --user-sids
(This used to be commit 7849938906a9c859805cbaeca66fae9d3c515aad)
---
 source3/lib/util_sid.c | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)
(limited to 'source3/lib/util_sid.c')
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 6b83f9ce65..53614ed1ac 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -678,9 +678,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 int i;
 if (include_user_group_rid) {
-
- if (!sid_compose(&sid, info3->base.domain_sid, info3->base.rid))
- {
+ if (!sid_compose(&sid, info3->base.domain_sid, info3->base.rid)) {
 DEBUG(3, ("could not compose user SID from rid 0x%x\n",
 info3->base.rid));
 return NT_STATUS_INVALID_PARAMETER;
@@ -691,25 +689,27 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, info3->base.rid)); return status; } + } - if (!sid_compose(&sid, info3->base.domain_sid, info3->base.primary_gid)) - { - DEBUG(3, ("could not compose group SID from rid 0x%x\n", - info3->base.primary_gid)); - return NT_STATUS_INVALID_PARAMETER; - } - status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(3, ("could not append group SID from rid 0x%x\n", - info3->base.rid)); - return status; - } + if (!sid_compose(&sid, info3->base.domain_sid, info3->base.primary_gid)) { + DEBUG(3, ("could not compose group SID from rid 0x%x\n", + info3->base.primary_gid)); + return NT_STATUS_INVALID_PARAMETER; + } + status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("could not append group SID from rid 0x%x\n", + info3->base.rid)); + return status; } for (i = 0; i < info3->base.groups.count; i++) { + /* Don't add the primary group sid twice. */ + if (info3->base.primary_gid == info3->base.groups.rids[i].rid) { + continue; + } if (!sid_compose(&sid, info3->base.domain_sid, - info3->base.groups.rids[i].rid)) - { + info3->base.groups.rids[i].rid)) { DEBUG(3, ("could not compose SID from additional group " "rid 0x%x\n", info3->base.groups.rids[i].rid)); return NT_STATUS_INVALID_PARAMETER; -- cgit
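Review bot: After this hunk the primary-group SID is appended regardless of `include_user_group_rid`, so the flag now gates only the user SID while its name still says "user_group"; callers that passed false to exclude both SIDs now silently receive the group SID. The commit message explains the intent, but the function has no header comment, and this is where one is needed: state that the flag controls the user SID only, that the primary group SID is always included, and that group RIDs equal to primary_gid are skipped to avoid the duplicate the new `/* Don't add the primary group sid twice. */` check guards against. The function's signature and the rest of its body lie outside this hunk.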