From 1377cca5f4beb43cf67fcc65eed79f14178d6349 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 7 Oct 2005 11:31:45 +0000 Subject: r10810: This adds the hooks required to communicate the current user from the authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71) --- source4/rpc_server/samr/dcesrv_samr.c | 5 +++-- source4/rpc_server/samr/samr_password.c | 29 +++++++++++++++++------------ 2 files changed, 20 insertions(+), 14 deletions(-) (limited to 'source4/rpc_server/samr') diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index 249fb1c8a4..c985187cd9 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c @@ -60,12 +60,13 @@ static NTSTATUS samr_Connect(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem } /* make sure the sam database is accessible */ - c_state->sam_ctx = samdb_connect(c_state); + c_state->sam_ctx = samdb_connect(c_state, dce_call->conn->auth_state.session_info); if (c_state->sam_ctx == NULL) { talloc_free(c_state); return NT_STATUS_INVALID_SYSTEM_SERVICE; } + handle = dcesrv_handle_new(dce_call->context, SAMR_HANDLE_CONNECT); if (!handle) { talloc_free(c_state); @@ -3305,7 +3306,7 @@ static NTSTATUS samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX ZERO_STRUCT(r->out.info); - sam_ctx = samdb_connect(mem_ctx); + sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index ab99b69458..6fab231619 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -38,6 +38,7 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX { struct dcesrv_handle *h; struct samr_account_state *a_state; + struct ldb_context *sam_ctx; struct ldb_message **res, *msg; int ret; struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash; @@ -49,8 +50,14 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX a_state = h->data; + /* To change a password we need to open as system */ + sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx)); + if (sam_ctx == NULL) { + return NT_STATUS_INVALID_SYSTEM_SERVICE; + } + /* fetch the old hashes */ - ret = gendb_search_dn(a_state->sam_ctx, mem_ctx, + ret = gendb_search_dn(sam_ctx, mem_ctx, a_state->account_dn, &res, attrs); if (ret != 1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; @@ -113,7 +120,7 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX return NT_STATUS_NO_MEMORY; } - status = samdb_set_password(a_state->sam_ctx, mem_ctx, + status = samdb_set_password(sam_ctx, mem_ctx, a_state->account_dn, a_state->domain_state->domain_dn, msg, NULL, &new_lmPwdHash, &new_ntPwdHash, True, /* this is a user password change */ @@ -124,7 +131,7 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX } /* modify the samdb record */ - ret = samdb_replace(a_state->sam_ctx, mem_ctx, msg); + ret = samdb_replace(sam_ctx, mem_ctx, msg); if (ret != 0) { return NT_STATUS_UNSUCCESSFUL; } @@ -142,7 +149,7 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_ char new_pass[512]; uint32_t new_pass_len; struct samr_CryptPassword *pwbuf = r->in.password; - void *sam_ctx; + struct ldb_context *sam_ctx; const struct ldb_dn *user_dn, *domain_dn; int ret; struct ldb_message **res, *mod; @@ -157,9 +164,8 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_ return NT_STATUS_WRONG_PASSWORD; } - /* this call doesn't take a policy handle, so we need to open - the sam db from scratch */ - sam_ctx = samdb_connect(mem_ctx); + /* To change a password we need to open as system */ + sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -260,7 +266,7 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, NTSTATUS status; char new_pass[512]; uint32_t new_pass_len; - void *sam_ctx = NULL; + struct ldb_context *sam_ctx; const struct ldb_dn *user_dn, *domain_dn = NULL; int ret; struct ldb_message **res, *mod; @@ -285,11 +291,10 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, goto failed; } - /* this call doesn't take a policy handle, so we need to open - the sam db from scratch */ - sam_ctx = samdb_connect(mem_ctx); + /* To change a password we need to open as system */ + sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx)); if (sam_ctx == NULL) { - status = NT_STATUS_INVALID_SYSTEM_SERVICE; + return NT_STATUS_INVALID_SYSTEM_SERVICE; goto failed; } -- cgit