From 856ee665374071c89f5ecf540dcc3d68ccf2ff16 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 17 Nov 2004 14:35:29 +0000 Subject: r3810: create a LIB_SECURITY subsystem - move dom_sid, security_descriptor, security_* funtions to one place and rename some of them metze (This used to be commit b620bdd672cfdf0e009492e648b0709e6b6d8596) --- source4/libcli/security/dom_sid.c | 242 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 242 insertions(+) create mode 100644 source4/libcli/security/dom_sid.c (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c new file mode 100644 index 0000000000..701fa88017 --- /dev/null +++ b/source4/libcli/security/dom_sid.c 
@@ -0,0 +1,242 @@ +/* + Unix SMB/CIFS implementation. + Samba utility functions + Copyright (C) Andrew Tridgell 1992-2004 + Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 + Copyright (C) Jeremy Allison 1999 + Copyright (C) Stefan (metze) Metzmacher 2002-2004 + Copyright (C) Simo Sorce 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_security.h" + +/***************************************************************** + Compare the auth portion of two sids. +*****************************************************************/ + +static int dom_sid_compare_auth(const struct dom_sid *sid1, const struct dom_sid *sid2) +{ + int i; + + if (sid1 == sid2) + return 0; + if (!sid1) + return -1; + if (!sid2) + return 1; + + if (sid1->sid_rev_num != sid2->sid_rev_num) + return sid1->sid_rev_num - sid2->sid_rev_num; + + for (i = 0; i < 6; i++) + if (sid1->id_auth[i] != sid2->id_auth[i]) + return sid1->id_auth[i] - sid2->id_auth[i]; + + return 0; +} + +/***************************************************************** + Compare two sids. 
+*****************************************************************/ + +static int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2) +{ + int i; + + if (sid1 == sid2) + return 0; + if (!sid1) + return -1; + if (!sid2) + return 1; + + /* Compare most likely different rids, first: i.e start at end */ + if (sid1->num_auths != sid2->num_auths) + return sid1->num_auths - sid2->num_auths; + + for (i = sid1->num_auths-1; i >= 0; --i) + if (sid1->sub_auths[i] != sid2->sub_auths[i]) + return sid1->sub_auths[i] - sid2->sub_auths[i]; + + return dom_sid_compare_auth(sid1, sid2); +} + +/***************************************************************** + Compare two sids. +*****************************************************************/ + +BOOL dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2) +{ + return dom_sid_compare(sid1, sid2) == 0; +} + +/* + convert a dom_sid to a string +*/ +char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid) +{ + int i, ofs, maxlen; + uint32_t ia; + char *ret; + + if (!sid) { + return talloc_strdup(mem_ctx, "(NULL SID)"); + } + + maxlen = sid->num_auths * 11 + 25; + ret = talloc(mem_ctx, maxlen); + if (!ret) return talloc_strdup(mem_ctx, "(SID ERR)"); + + ia = (sid->id_auth[5]) + + (sid->id_auth[4] << 8 ) + + (sid->id_auth[3] << 16) + + (sid->id_auth[2] << 24); + + ofs = snprintf(ret, maxlen, "S-%u-%lu", + (uint_t)sid->sid_rev_num, (unsigned long)ia); + + for (i = 0; i < sid->num_auths; i++) { + ofs += snprintf(ret + ofs, maxlen - ofs, "-%lu", (unsigned long)sid->sub_auths[i]); + } + + return ret; +} + + +/* + convert a string to a dom_sid, returning a talloc'd dom_sid +*/ +struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) +{ + struct dom_sid *ret; + uint_t rev, ia, num_sub_auths, i; + char *p; + + if (strncasecmp(sidstr, "S-", 2)) { + return NULL; + } + + sidstr += 2; + + rev = strtol(sidstr, &p, 10); + if (*p != '-') { + return NULL; + } + sidstr = p+1; + + ia = 
strtol(sidstr, &p, 10); + if (p == sidstr) { + return NULL; + } + sidstr = p; + + num_sub_auths = 0; + for (i=0;sidstr[i];i++) { + if (sidstr[i] == '-') num_sub_auths++; + } + + ret = talloc_p(mem_ctx, struct dom_sid); + if (!ret) { + return NULL; + } + + ret->sub_auths = talloc_array_p(mem_ctx, uint32_t, num_sub_auths); + if (!ret->sub_auths) { + return NULL; + } + + ret->sid_rev_num = rev; + ret->id_auth[0] = 0; + ret->id_auth[1] = 0; + ret->id_auth[2] = ia >> 24; + ret->id_auth[3] = ia >> 16; + ret->id_auth[4] = ia >> 8; + ret->id_auth[5] = ia; + ret->num_auths = num_sub_auths; + + for (i=0;isub_auths[i] = strtoul(sidstr, &p, 10); + if (p == sidstr) { + return NULL; + } + sidstr = p; + } + + return ret; +} + +/* + convert a string to a dom_sid, returning a talloc'd dom_sid +*/ +struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid) +{ + struct dom_sid *ret; + int i; + ret = talloc_p(mem_ctx, struct dom_sid); + if (!ret) { + return NULL; + } + + ret->sub_auths = talloc_array_p(mem_ctx, uint32_t, dom_sid->num_auths); + if (!ret->sub_auths) { + return NULL; + } + + ret->sid_rev_num = dom_sid->sid_rev_num; + ret->id_auth[0] = dom_sid->id_auth[0]; + ret->id_auth[1] = dom_sid->id_auth[1]; + ret->id_auth[2] = dom_sid->id_auth[2]; + ret->id_auth[3] = dom_sid->id_auth[3]; + ret->id_auth[4] = dom_sid->id_auth[4]; + ret->id_auth[5] = dom_sid->id_auth[5]; + ret->num_auths = dom_sid->num_auths; + + for (i=0;inum_auths;i++) { + ret->sub_auths[i] = dom_sid->sub_auths[i]; + } + + return ret; +} + +/* + add a rid to a domain dom_sid to make a full dom_sid +*/ +struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx, + const struct dom_sid *domain_sid, + uint32_t rid) +{ + struct dom_sid *sid; + + sid = talloc_p(mem_ctx, struct dom_sid); + if (!sid) return NULL; + + *sid = *domain_sid; + /*TODO: use realloc! 
*/ + sid->sub_auths = talloc_array_p(mem_ctx, uint32_t, sid->num_auths+1); + if (!sid->sub_auths) { + return NULL; + } + memcpy(sid->sub_auths, domain_sid->sub_auths, sid->num_auths*sizeof(uint32_t)); + sid->sub_auths[sid->num_auths] = rid; + sid->num_auths++; + return sid; +} -- cgit From 6695019d027f19f7ebe97435fdb9826a7868768f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 17 Nov 2004 22:12:46 +0000 Subject: r3827: fixed copyright notices to remove simo and lkcl who have no code left in this file (This used to be commit c75eb859391f747abc3fe513166c9f8d73ca349c) --- source4/libcli/security/dom_sid.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 701fa88017..254b8dbfab 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -1,11 +1,10 @@ /* Unix SMB/CIFS implementation. Samba utility functions + + Copyright (C) Stefan (metze) Metzmacher 2002-2004 Copyright (C) Andrew Tridgell 1992-2004 - Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 Copyright (C) Jeremy Allison 1999 - Copyright (C) Stefan (metze) Metzmacher 2002-2004 - Copyright (C) Simo Sorce 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -- cgit From bbf009b46f75f292a625b853b9331b5d5e0da7c2 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 18 Nov 2004 01:02:27 +0000 Subject: r3829: added a RAW-ACLS test suite that tests query/set of ACLs on a file (This used to be commit 2ff9816ae0ae41e0e63e4276a70d292888346dc7) --- source4/libcli/security/dom_sid.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 254b8dbfab..001618bb07 100644 --- a/source4/libcli/security/dom_sid.c 
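Review bot: dom_sid_parse_talloc() takes num_sub_auths from the number of '-' characters in the caller's string and stores it in num_auths with no upper bound, and the two strtol() results for the revision and identifier authority are used without a range or errno check. A SID carries at most 15 sub-authorities, so a guard such as `if (num_sub_auths > 15) { return NULL; }` before the allocation keeps the stored count and the array length consistent whatever width num_auths has (the struct definition is not part of this diff). The sub-authority loop of that function is garbled on this page, so its per-field checks could not be reviewed. dom_sid_dup() and dom_sid_add_rid() in the same hunk dereference their input SID without a NULL check, unlike the compare helpers above them.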
+++ b/source4/libcli/security/dom_sid.c @@ -184,7 +184,7 @@ struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) } /* - convert a string to a dom_sid, returning a talloc'd dom_sid + copy a dom_sid structure */ struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid) { @@ -195,7 +195,7 @@ struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid) return NULL; } - ret->sub_auths = talloc_array_p(mem_ctx, uint32_t, dom_sid->num_auths); + ret->sub_auths = talloc_array_p(ret, uint32_t, dom_sid->num_auths); if (!ret->sub_auths) { return NULL; } -- cgit From 20c0900edbba66106d602f43262cb97a48c6cbe9 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 26 Nov 2004 12:30:39 +0000 Subject: r3979: added server side code for lsa_LookupSids2() and fixed authority_name return code to include our own domain. editing of ACLs via the w2k3 GUI works nicely (and faster) with these changes (This used to be commit a3f7f34b3965ddbd89b06334e03d2e1bb6aa364b) --- source4/libcli/security/dom_sid.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 001618bb07..dbd03108e4 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -239,3 +239,29 @@ struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx, sid->num_auths++; return sid; } + + +/* + return True if the 2nd sid is in the domain given by the first sid +*/ +BOOL dom_sid_in_domain(const struct dom_sid *domain_sid, + const struct dom_sid *sid) +{ + int i; + + if (!domain_sid || !sid) { + return False; + } + + if (domain_sid->num_auths > sid->num_auths) { + return False; + } + + for (i = domain_sid->num_auths-1; i >= 0; --i) { + if (domain_sid->sub_auths[i] != sid->sub_auths[i]) { + return False; + } + } + + return dom_sid_compare_auth(domain_sid, sid) == 0; +} -- cgit 
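Review bot: With the array now parented to `ret`, the `return NULL;` after a failed talloc_array_p() in dom_sid_dup() still leaves the half-built `ret` attached to mem_ctx until that context is freed. Releasing it on the failure path, `talloc_free(ret); return NULL;`, keeps a long-lived context from accumulating orphaned structs under memory pressure. The same early return appears in dom_sid_add_rid() and in dom_sid_parse_talloc(), where the array at this revision is still allocated on mem_ctx rather than on the struct. The tail of dom_sid_dup() lies outside this hunk.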
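Review bot: dom_sid_in_domain() accepts any SID that has domain_sid as a prefix, because the only length test is `domain_sid->num_auths > sid->num_auths`; the domain SID itself and SIDs with two or more extra sub-authorities therefore also return True. If the intended meaning is "domain SID plus exactly one RID", which the header comment does not settle either way, the length test should be `if (sid->num_auths < 1 || domain_sid->num_auths != sid->num_auths - 1) return False;`. Whichever rule is meant, the comment should state it, since callers may rely on the result to decide which authority a SID belongs to.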
From 3342a53c0f20af2f255152bc9077294e18376b09 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 29 Nov 2004 03:19:28 +0000 Subject: r3988: made dom_sid_add_rid() allocate the new sid with proper parent/child talloc relationship (This used to be commit 5db0eb1fe3abb5150bef27bfed4b7da723e4a287) --- source4/libcli/security/dom_sid.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index dbd03108e4..108e2f5500 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -217,7 +217,8 @@ struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid) } /* - add a rid to a domain dom_sid to make a full dom_sid + add a rid to a domain dom_sid to make a full dom_sid. This function + returns a new sid in the suppplied memory context */ struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx, const struct dom_sid *domain_sid, @@ -229,14 +230,15 @@ struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx, if (!sid) return NULL; *sid = *domain_sid; - /*TODO: use realloc! */ - sid->sub_auths = talloc_array_p(mem_ctx, uint32_t, sid->num_auths+1); + + sid->sub_auths = talloc_array_p(sid, uint32_t, sid->num_auths+1); if (!sid->sub_auths) { return NULL; } memcpy(sid->sub_auths, domain_sid->sub_auths, sid->num_auths*sizeof(uint32_t)); sid->sub_auths[sid->num_auths] = rid; sid->num_auths++; + return sid; } -- cgit From b5b1c52a9850de18e756cdd073cf5f44f26882fe Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 30 Dec 2004 20:34:20 +0000 Subject: r4419: move security_token stuff to the libcli/security/ and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40) --- source4/libcli/security/dom_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/security/dom_sid.c') 
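Review bot: dom_sid_add_rid() grows the sub-authority list by one without checking how many entries domain_sid already has, and it copies `*domain_sid` before any NULL check. A SID holds at most 15 sub-authorities, so an input that is already full produces a SID with more entries than the format allows; `if (!domain_sid || domain_sid->num_auths >= 15) return NULL;` at the top of the function would reject both cases. The new comment could also say that the returned SID owns its sub_auths array, so a single talloc_free() of the result releases both. The two hunks show the function only in part.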
diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 108e2f5500..368278708a 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -22,7 +22,7 @@ */ #include "includes.h" -#include "librpc/gen_ndr/ndr_security.h" +#include "libcli/security/security.h" /***************************************************************** Compare the auth portion of two sids. -- cgit From ddc10d4d37984246a6547e34a32d629c689c40d1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 6 Jan 2005 03:06:58 +0000 Subject: r4549: got rid of a lot more uses of plain talloc(), instead using talloc_size() or talloc_array_p() where appropriate. also fixed a memory leak in pvfs_copy_file() (failed to free a memory context) (This used to be commit 89b74b53546e1570b11b3702f40bee58aed8c503) --- source4/libcli/security/dom_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 368278708a..d76f9fa239 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -98,7 +98,7 @@ char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid) } maxlen = sid->num_auths * 11 + 25; - ret = talloc(mem_ctx, maxlen); + ret = talloc_size(mem_ctx, maxlen); if (!ret) return talloc_strdup(mem_ctx, "(SID ERR)"); ia = (sid->id_auth[5]) + -- cgit From 759da3b915e2006d4c87b5ace47f399accd9ce91 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 27 Jan 2005 07:08:20 +0000 Subject: r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for the large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0) --- source4/libcli/security/dom_sid.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source4/libcli/security/dom_sid.c') 
diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index d76f9fa239..493ecab183 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -149,12 +149,12 @@ struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) if (sidstr[i] == '-') num_sub_auths++; } - ret = talloc_p(mem_ctx, struct dom_sid); + ret = talloc(mem_ctx, struct dom_sid); if (!ret) { return NULL; } - ret->sub_auths = talloc_array_p(mem_ctx, uint32_t, num_sub_auths); + ret->sub_auths = talloc_array(mem_ctx, uint32_t, num_sub_auths); if (!ret->sub_auths) { return NULL; } @@ -190,12 +190,12 @@ struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid) { struct dom_sid *ret; int i; - ret = talloc_p(mem_ctx, struct dom_sid); + ret = talloc(mem_ctx, struct dom_sid); if (!ret) { return NULL; } - ret->sub_auths = talloc_array_p(ret, uint32_t, dom_sid->num_auths); + ret->sub_auths = talloc_array(ret, uint32_t, dom_sid->num_auths); if (!ret->sub_auths) { return NULL; } @@ -226,12 +226,12 @@ struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx, { struct dom_sid *sid; - sid = talloc_p(mem_ctx, struct dom_sid); + sid = talloc(mem_ctx, struct dom_sid); if (!sid) return NULL; *sid = *domain_sid; - sid->sub_auths = talloc_array_p(sid, uint32_t, sid->num_auths+1); + sid->sub_auths = talloc_array(sid, uint32_t, sid->num_auths+1); if (!sid->sub_auths) { return NULL; } -- cgit From e7dd6a12913464fd752ddb94bd2f553f14007c74 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 10 Apr 2005 23:08:04 +0000 Subject: r6287: sorted out a small but surprisingly tricky dependency problem with the ndr code for handling sids and security descriptors now that we have a sid in the nbt IDL (This used to be commit f8e77fcdeac704aed5e501aa9108f3ed0ab26ca4) --- source4/libcli/security/dom_sid.c | 32 -------------------------------- 1 file changed, 32 deletions(-) (limited to 'source4/libcli/security/dom_sid.c') 
diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 493ecab183..80e481c3e4 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -84,38 +84,6 @@ BOOL dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2) return dom_sid_compare(sid1, sid2) == 0; } -/* - convert a dom_sid to a string -*/ -char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid) -{ - int i, ofs, maxlen; - uint32_t ia; - char *ret; - - if (!sid) { - return talloc_strdup(mem_ctx, "(NULL SID)"); - } - - maxlen = sid->num_auths * 11 + 25; - ret = talloc_size(mem_ctx, maxlen); - if (!ret) return talloc_strdup(mem_ctx, "(SID ERR)"); - - ia = (sid->id_auth[5]) + - (sid->id_auth[4] << 8 ) + - (sid->id_auth[3] << 16) + - (sid->id_auth[2] << 24); - - ofs = snprintf(ret, maxlen, "S-%u-%lu", - (uint_t)sid->sid_rev_num, (unsigned long)ia); - - for (i = 0; i < sid->num_auths; i++) { - ofs += snprintf(ret + ofs, maxlen - ofs, "-%lu", (unsigned long)sid->sub_auths[i]); - } - - return ret; -} - /* convert a string to a dom_sid, returning a talloc'd dom_sid -- cgit From 3be75a4c6d4b9d86f1b85c75fb2f41c6c0eeec94 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 11 Aug 2005 13:12:45 +0000 Subject: r9240: - move struct security_token to the idl file, with this we can the ndr_pull/push/print functions for it in the ntacl-lsm module - fix compiler warnings in the ldap_encode_ndr_* code metze (This used to be commit 83d65d0d7ed9c240ad44aa2c881c1f07212bfda4) --- source4/libcli/security/dom_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 80e481c3e4..f457900efc 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c 
@@ -22,7 +22,7 @@ */ #include "includes.h" -#include "libcli/security/security.h" +#include "librpc/gen_ndr/ndr_security.h" /***************************************************************** Compare the auth portion of two sids. -- cgit From aaa0aff2d6cea65b07320790c16fff127c12a65b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 23 Aug 2005 09:29:32 +0000 Subject: r9510: fix the memory tree metze (This used to be commit 6d412cf0a4186ec04cee61dd5387903de051fde7) --- source4/libcli/security/dom_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index f457900efc..c19959f8ae 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -122,7 +122,7 @@ struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) return NULL; } - ret->sub_auths = talloc_array(mem_ctx, uint32_t, num_sub_auths); + ret->sub_auths = talloc_array(ret, uint32_t, num_sub_auths); if (!ret->sub_auths) { return NULL; } -- cgit From d4de4c2d210d2e8c9b5aedf70695594809ad6a0b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 30 Dec 2005 13:16:54 +0000 Subject: r12608: Remove some unused #include lines. (This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981) --- source4/libcli/security/dom_sid.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index c19959f8ae..646a513df5 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -22,7 +22,6 @@ */ #include "includes.h" -#include "librpc/gen_ndr/ndr_security.h" /***************************************************************** Compare the auth portion of two sids. -- cgit From b135f4467f8413f6ac44df54b8430305f6c26c0c Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Thu, 12 Jan 2006 03:02:00 +0000 Subject: r12858: This moves the libnet_LookupPdc code to use a GetDC request to find the remote server's name, or in the absence of a local nbt_server to communicate with (or without root access), a node status request. The result is that we are in a better position to use kerberos, as well as to remove the 'password server' mandatory parameter for the samsync and samdump commands. (I need this to put these into SWAT). The only problem I have is that I must create a messaging context, which requires a server ID. As a client process, I don't expect to get messages, but it is currently required for replies, so I generate a random() number. We probably need the servers to accept connections on streamed sockets too, for client-only tasks that want IRPC. Because I wanted to test this code, I have put the NET-API-* tests into our test scripts, to ensure they pass and keep passing. They are good frontends onto the libnet system, and I see no reason not to test them. In doing so the NET-API-RPCCONNECT test was simplified to take a binding string on the command line, removing duplicate code, and testing the combinations in the scripts instead. (I have done a bit of work on the list shares code in libnet_share.c to make it pass 'make test') In the future, I would like to extend the libcli/findds.c code (based off volker's winbind/wb_async_helpers.c, which is why it shows up a bit odd in the patch) to handle getting multiple name replies, sending a getdc request to each in turn. (posted to samba-technical for review, and I'll happily update with any comments) Andrew Bartlett (This used to be commit 7ccddfd3515fc2c0d6f447c768ccbf7a220c3380) --- source4/libcli/security/dom_sid.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 646a513df5..b5ced9fcc2 100644 
--- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -157,6 +157,11 @@ struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid) { struct dom_sid *ret; int i; + + if (!dom_sid) { + return NULL; + } + ret = talloc(mem_ctx, struct dom_sid); if (!ret) { return NULL; -- cgit From 35349a58df5b69446607fbd742a05f57f3515319 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 18 Mar 2006 15:42:57 +0000 Subject: r14542: Remove librpc, libndr and libnbt from includes.h (This used to be commit 51b4270513752d2eafbe77f9de598de16ef84a1f) --- source4/libcli/security/dom_sid.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index b5ced9fcc2..131d1afa9c 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -22,6 +22,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/security.h" /***************************************************************** Compare the auth portion of two sids. -- cgit From e002300f238dd0937dd9f768e366c006945e8baa Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 29 Apr 2006 17:34:49 +0000 Subject: r15328: Move some functions around, remove dependencies. Remove some autogenerated headers (which had prototypes now autogenerated by pidl) Remove ndr_security.h from a few places - it's no longer necessary (This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8) --- source4/libcli/security/dom_sid.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 131d1afa9c..39841e5a70 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c 
@@ -240,3 +240,35 @@ BOOL dom_sid_in_domain(const struct dom_sid *domain_sid, return dom_sid_compare_auth(domain_sid, sid) == 0; } + +/* + convert a dom_sid to a string +*/ +char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid) +{ + int i, ofs, maxlen; + uint32_t ia; + char *ret; + + if (!sid) { + return talloc_strdup(mem_ctx, "(NULL SID)"); + } + + maxlen = sid->num_auths * 11 + 25; + ret = talloc_size(mem_ctx, maxlen); + if (!ret) return talloc_strdup(mem_ctx, "(SID ERR)"); + + ia = (sid->id_auth[5]) + + (sid->id_auth[4] << 8 ) + + (sid->id_auth[3] << 16) + + (sid->id_auth[2] << 24); + + ofs = snprintf(ret, maxlen, "S-%u-%lu", + (uint_t)sid->sid_rev_num, (unsigned long)ia); + + for (i = 0; i < sid->num_auths; i++) { + ofs += snprintf(ret + ofs, maxlen - ofs, "-%lu", (unsigned long)sid->sub_auths[i]); + } + + return ret; +} -- cgit From b56789c3491d227dd4107a37de701101c780a0f9 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 5 May 2006 13:02:14 +0000 Subject: r15457: Get rid of more usages of uint_t (This used to be commit 849818dcdeb8eaf2eb22fea3896a4f7c777d8c5f) --- source4/libcli/security/dom_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 39841e5a70..951c0f5956 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -264,7 +264,7 @@ char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid) (sid->id_auth[2] << 24); ofs = snprintf(ret, maxlen, "S-%u-%lu", - (uint_t)sid->sid_rev_num, (unsigned long)ia); + (unsigned int)sid->sid_rev_num, (unsigned long)ia); for (i = 0; i < sid->num_auths; i++) { ofs += snprintf(ret + ofs, maxlen - ofs, "-%lu", (unsigned long)sid->sub_auths[i]); -- cgit From 152ea280f1982831c31071eec5c5a17f072073b0 Mon Sep 17 00:00:00 2001 
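Review bot: In dom_sid_string() the loop adds each snprintf() return value to `ofs` and passes `maxlen - ofs` as the next size without checking either; snprintf() returns the length it wanted to write, so if any field formats longer than the 11 bytes budgeted per sub-authority, `ofs` can pass `maxlen` and the negative difference is converted to a very large size. A check after each call, `if (ofs >= maxlen) { talloc_free(ret); return talloc_strdup(mem_ctx, "(SID ERR)"); }`, keeps every write inside the buffer. Separately, `sid->id_auth[2] << 24` shifts a promoted int into the sign bit for byte values of 0x80 and above, and id_auth[0] and id_auth[1] are not included in `ia`; casting each byte to uint32_t before shifting removes the undefined shift, and the header comment should say that only the low four authority bytes are printed.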
From: Volker Lendecke Date: Mon, 17 Jul 2006 08:05:02 +0000 Subject: r17082: Add a test that walks and tests denying tconX access via the share security descriptor. This is something that W2k3 does _not_ pass and probably is not expected to, it seems the don't check access at tconX time. Thanks to metze for the hint how in the srvsvc_NetShareInfo1501 struct the length of the sd can be encoded in idl. As metze says, there's probably more to the share secdesc, this needs more testing. This one is here to walk the samba3 code. Volker (This used to be commit 67185508229a8d7f144c22cb194f573c932d6de5) --- source4/libcli/security/dom_sid.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 951c0f5956..54242eb515 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -215,6 +215,24 @@ struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx, return sid; } +/* + Split up a SID into its domain and RID part +*/ +NTSTATUS dom_sid_split_rid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, + struct dom_sid **domain, uint32_t *rid) +{ + if (sid->num_auths == 0) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (!(*domain = dom_sid_dup(mem_ctx, sid))) { + return NT_STATUS_NO_MEMORY; + } + + (*domain)->num_auths -= 1; + *rid = (*domain)->sub_auths[(*domain)->num_auths]; + return NT_STATUS_OK; +} /* return True if the 2nd sid is in the domain given by the first sid -- cgit From 9ba16109e50ca9e411c62dbdfd7a0ed44591d2be Mon Sep 17 00:00:00 2001 
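Review bot: dom_sid_split_rid() reads `sid->num_auths` before checking `sid`, so a NULL SID crashes instead of returning NT_STATUS_INVALID_PARAMETER; the first test should be `if (!sid || sid->num_auths == 0)`. This also matters for the status mapping, because dom_sid_dup() returns NULL for a NULL input as well as for allocation failure, and NT_STATUS_NO_MEMORY is only accurate once `sid` has been checked. The out-parameters `*domain` and `*rid` are written unconditionally, so they should either be documented as required or guarded. The header comment should also say that `*domain` is allocated on mem_ctx and keeps the original sub_auths array with num_auths reduced by one.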
From: Volker Lendecke Date: Sat, 26 Aug 2006 22:27:29 +0000 Subject: r17846: Ok, this is a patch that needs further discussion. On Solaris, snprintf seems to be broken. The %lu modifies apparently can not cope with the high bit==1. In dom_sid_string I added some printfs and got: auth: 21 auth: 2666793276 auth: 679821296 auth: 2310223117 auth: 1206 sid=S-1-5-21-8446744072081377596-679821296-8446744071724807437-1206 The "auth:" values are direct printfs, the sid= is the resulting code from dom_sid_string. I could not reproduce it with a simple test program, and #ifdef'ing out HAVE_SNPRINTF in config.h manually does not help either, probably because the dynamic linker overwrites the symbol in lib/replace. Checking it in because it fixes the RPC-SAMBA3-SHARESEC test directly on host "sunx", I would like to see whether it also fixes IRIX and AIX. Volker (This used to be commit 1a9401738f652a87d377a32086342f5f98525fc2) --- source4/libcli/security/dom_sid.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 54242eb515..90421104a7 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -285,7 +285,14 @@ char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid) (unsigned int)sid->sid_rev_num, (unsigned long)ia); for (i = 0; i < sid->num_auths; i++) { - ofs += snprintf(ret + ofs, maxlen - ofs, "-%lu", (unsigned long)sid->sub_auths[i]); + char *tmp = talloc_asprintf(mem_ctx, "%lu", + (unsigned long)sid->sub_auths[i]); + if (tmp == NULL) { + talloc_free(ret); + return NULL; + } + ofs += snprintf(ret + ofs, maxlen - ofs, "-%s", tmp); + talloc_free(tmp); } return ret; -- cgit From 7917a26fabb7835017a6c3a2780c8425a4a92ffa Mon Sep 17 00:00:00 2001 
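Review bot: The new allocation-failure branch returns NULL, while the other failure paths of dom_sid_string() return a printable string ("(NULL SID)" and "(SID ERR)"); a caller that passes the result straight to a `%s` format is only safe with the latter. Replacing `return NULL;` with `return talloc_strdup(mem_ctx, "(SID ERR)");` after the `talloc_free(ret)` keeps the contract uniform. The added `ofs += snprintf(ret + ofs, maxlen - ofs, "-%s", tmp);` also still accumulates the return value without comparing `ofs` to `maxlen`, which matters here because the commit message reports sub-authorities formatting to far more digits than the per-entry budget assumes. The start of the function is outside this hunk.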
From: Volker Lendecke Date: Sun, 27 Aug 2006 10:08:18 +0000 Subject: r17848: Ok, this did not do it. Still got the same problem. (This used to be commit bb393603707ada3d4b917f8374b7738f16c78f46) --- source4/libcli/security/dom_sid.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 90421104a7..54242eb515 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -285,14 +285,7 @@ char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid) (unsigned int)sid->sid_rev_num, (unsigned long)ia); for (i = 0; i < sid->num_auths; i++) { - char *tmp = talloc_asprintf(mem_ctx, "%lu", - (unsigned long)sid->sub_auths[i]); - if (tmp == NULL) { - talloc_free(ret); - return NULL; - } - ofs += snprintf(ret + ofs, maxlen - ofs, "-%s", tmp); - talloc_free(tmp); + ofs += snprintf(ret + ofs, maxlen - ofs, "-%lu", (unsigned long)sid->sub_auths[i]); } return ret; -- cgit From 08de05ce5a4da17403fc8feb2a1760ab21a767fa Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 13 Feb 2007 09:27:56 +0000 Subject: r21307: make it possible to pass in NULL for domain or rid, if someone isn't interessted in one of it metze (This used to be commit 1fdc71918a430c35af91fa7788e191d381f76d56) --- source4/libcli/security/dom_sid.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 54242eb515..a72588dee1 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c 
@@ -225,12 +225,18 @@ NTSTATUS dom_sid_split_rid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, return NT_STATUS_INVALID_PARAMETER; } - if (!(*domain = dom_sid_dup(mem_ctx, sid))) { - return NT_STATUS_NO_MEMORY; + if (domain) { + if (!(*domain = dom_sid_dup(mem_ctx, sid))) { + return NT_STATUS_NO_MEMORY; + } + + (*domain)->num_auths -= 1; + } + + if (rid) { + *rid = sid->sub_auths[sid->num_auths - 1]; } - (*domain)->num_auths -= 1; - *rid = (*domain)->sub_auths[(*domain)->num_auths]; return NT_STATUS_OK; } -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/libcli/security/dom_sid.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index a72588dee1..64e418677a 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -8,7 +8,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -17,8 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From cd962355abad90a2161765a7be7d26e63572cab7 Mon Sep 17 00:00:00 2001 
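Review bot: The new `*rid = sid->sub_auths[sid->num_auths - 1];` indexes the caller's SID directly and relies on the guard above the hunk to guarantee that `num_auths` is at least 1. Only that guard's `return NT_STATUS_INVALID_PARAMETER;` is visible here. Nothing in the hunk bounds `num_auths` against the size of `sub_auths`, so the read is only safe if every SID reaching this function was validated when it was built. A comment on that line would record the dependency, e.g. `/* relies on the num_auths check above; num_auths must not exceed the sub_auths[] size */`. The function's header comment, also outside the hunk, should say that `domain` and `rid` may each be NULL.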
From: Jelmer Vernooij Date: Fri, 7 Sep 2007 15:08:14 +0000 Subject: r25000: Fix some more C++ compatibility warnings. (This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4) --- source4/libcli/security/dom_sid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 64e418677a..8d6bb79714 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -278,7 +278,7 @@ char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid) } maxlen = sid->num_auths * 11 + 25; - ret = talloc_size(mem_ctx, maxlen); + ret = talloc_array(mem_ctx, char, maxlen); if (!ret) return talloc_strdup(mem_ctx, "(SID ERR)"); ia = (sid->id_auth[5]) + -- cgit From dccf3f99e45137b6cd18c1de1c79808ad67130d1 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 8 Sep 2007 13:27:14 +0000 Subject: r25027: Fix more warnings. (This used to be commit 5085c53fcfade614e83d21fc2c1a5bc43bb2a729) --- source4/libcli/security/dom_sid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 8d6bb79714..1ba3edd9bf 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -22,6 +22,7 @@ #include "includes.h" #include "librpc/gen_ndr/security.h" +#include "libcli/security/security.h" /***************************************************************** Compare the auth portion of two sids. 
@@ -78,7 +79,7 @@ static int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid Compare two sids. *****************************************************************/ -BOOL dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2) +bool dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2) { return dom_sid_compare(sid1, sid2) == 0; } -- cgit From 2151cde58014ea2e822c13d2f8a369b45dc19ca8 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 6 Oct 2007 22:28:14 +0000 Subject: r25554: Convert last instances of BOOL, True and False to the standard types. (This used to be commit 566aa14139510788548a874e9213d91317f83ca9) --- source4/libcli/security/dom_sid.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 1ba3edd9bf..f5457e7e0e 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -241,24 +241,24 @@ NTSTATUS dom_sid_split_rid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, } /* - return True if the 2nd sid is in the domain given by the first sid + return true if the 2nd sid is in the domain given by the first sid */ -BOOL dom_sid_in_domain(const struct dom_sid *domain_sid, +bool dom_sid_in_domain(const struct dom_sid *domain_sid, const struct dom_sid *sid) { int i; if (!domain_sid || !sid) { - return False; + return false; } if (domain_sid->num_auths > sid->num_auths) { - return False; + return false; } for (i = domain_sid->num_auths-1; i >= 0; --i) { if (domain_sid->sub_auths[i] != sid->sub_auths[i]) { - return False; + return false; } } -- cgit From 4ad97a1d0593b3401a352407009a99ead23f21f2 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Thu, 21 Aug 2008 19:24:58 +1000 Subject: Don't walk past the end of ldb values. This is a partial fix towards bugs due to us walking past the end of what we think are strings in ldb. There is much more work to do in this area. Andrew Bartlett (This used to be commit 5805a9a8f35fd90fa4f718f73534817fa3bbdfd2) --- source4/libcli/security/dom_sid.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'source4/libcli/security/dom_sid.c') diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index f5457e7e0e..1a7519e362 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -151,6 +151,21 @@ struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) return ret; } +/* + convert a string to a dom_sid, returning a talloc'd dom_sid +*/ +struct dom_sid *dom_sid_parse_length(TALLOC_CTX *mem_ctx, const DATA_BLOB *sid) +{ + struct dom_sid *ret; + char *p = talloc_strndup(mem_ctx, sid->data, sid->length); + if (!p) { + return NULL; + } + ret = dom_sid_parse_talloc(mem_ctx, p); + talloc_free(p); + return ret; +} + /* copy a dom_sid structure */ -- cgit
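Review bot: `talloc_strndup` stops at the first NUL byte, so a blob whose `length` is larger than the string it holds (a SID string, a NUL, then more bytes) parses successfully and the trailing bytes are silently ignored. For a value that becomes a security identifier I would reject the mismatch right after the NULL check with `if (strlen(p) != sid->length) { talloc_free(p); return NULL; }`, unless callers legitimately pass a length that includes the terminator. `sid` is dereferenced without a NULL check. `sid->data` is also passed where a `const char *` is expected; DATA_BLOB's definition is not on this page, but if `data` is a byte pointer an explicit `(const char *)` cast is needed. The header comment repeats the string variant's wording and should instead say that the input need not be NUL-terminated and that at most `sid->length` bytes are read.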