The Samba-Bugzilla – Attachment 9699 Details for
Bug 8598
force user fails for active directory users
[patch]
v4-1-test patch
look (text/plain), 57.02 KB, created by
Andreas Schneider
on 2014-02-20 10:17:18 UTC
Description:
v4-1-test patch
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2014-02-20 10:17:18 UTC
Size:
57.02 KB
patch
obsolete
>From 80f3551d4f594438dcc93dd82a7953c4a913badd Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Mon, 16 Dec 2013 12:57:20 +0100
>Subject: [PATCH 1/7] s3-lib: Add winbind_lookup_usersids().
>
>Pair-Programmed-With: Guenther Deschner <gd@samba.org>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>
>(cherry picked from commit 241e98d8ee099f9cc5feb835085b4abd2b1ee663)
>---
> source3/lib/winbind_util.c | 34 +++++
> source3/lib/winbind_util.h | 4 +
> source3/passdb/ABI/pdb-0.1.0.sigs | 311 ++++++++++++++++++++++++++++++++++++++
> source3/wscript_build | 2 +-
> 4 files changed, 350 insertions(+), 1 deletion(-)
> create mode 100644 source3/passdb/ABI/pdb-0.1.0.sigs
>
>diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c
>index b458ebe..f62682b 100644
>--- a/source3/lib/winbind_util.c
>+++ b/source3/lib/winbind_util.c
>@@ -342,6 +342,40 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
> return true;
> }
>
>+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
>+ const struct dom_sid *user_sid,
>+ uint32_t *p_num_sids,
>+ struct dom_sid **p_sids)
>+{
>+ wbcErr ret;
>+ struct wbcDomainSid dom_sid;
>+ struct wbcDomainSid *sid_list = NULL;
>+ uint32_t num_sids;
>+
>+ memcpy(&dom_sid, user_sid, sizeof(dom_sid));
>+
>+ ret = wbcLookupUserSids(&dom_sid,
>+ false,
>+ &num_sids,
>+ &sid_list);
>+ if (ret != WBC_ERR_SUCCESS) {
>+ return false;
>+ }
>+
>+ *p_sids = talloc_array(mem_ctx, struct dom_sid, num_sids);
>+ if (*p_sids == NULL) {
>+ wbcFreeMemory(sid_list);
>+ return false;
>+ }
>+
>+ memcpy(*p_sids, sid_list, sizeof(dom_sid) * num_sids);
>+
>+ *p_num_sids = num_sids;
>+ wbcFreeMemory(sid_list);
>+
>+ return true;
>+}
>+
> #else /* WITH_WINBIND */
>
> struct passwd * winbind_getpwnam(const char * name)
>diff --git a/source3/lib/winbind_util.h b/source3/lib/winbind_util.h
>index 541bb95..abbc5a9 100644
>--- a/source3/lib/winbind_util.h
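Review bot: `memcpy(*p_sids, sid_list, sizeof(dom_sid) * num_sids);` copies `struct wbcDomainSid` elements into an array talloc'd as `struct dom_sid`, so the write stays inside the array only if the two structs have the same size, and the earlier `memcpy(&dom_sid, user_sid, sizeof(dom_sid));` relies on the same layout compatibility in the other direction. Nothing in the hunk checks that, and the element size used is the source type's rather than the destination's, so a future change to either struct would silently turn this into an overrun of the talloc array. I would size the copy by the destination, `memcpy(*p_sids, sid_list, sizeof(struct dom_sid) * num_sids);`, and place a compile-time size-equality check (or at least a comment naming the layout assumption) next to the two memcpy calls. The `false` argument to `wbcLookupUserSids()` would also read better with `/* domain_groups_only */` beside it.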
>+++ b/source3/lib/winbind_util.h
>@@ -58,5 +58,9 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
> size_t num_members,
> uint32_t **pp_alias_rids,
> size_t *p_num_alias_rids);
>+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
>+ const struct dom_sid *user_sid,
>+ uint32_t *p_num_sids,
>+ struct dom_sid **p_sids);
>
> #endif /* __LIB__WINBIND_UTIL_H__ */
>diff --git a/source3/passdb/ABI/pdb-0.1.0.sigs b/source3/passdb/ABI/pdb-0.1.0.sigs
>new file mode 100644
>index 0000000..f4de9c4
>--- /dev/null
>+++ b/source3/passdb/ABI/pdb-0.1.0.sigs
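Review bot: The new `winbind_lookup_usersids` prototype has no comment stating its ownership and failure contract, which a caller needs to free the result correctly. From the implementation, `*p_sids` is allocated on `mem_ctx` and `*p_num_sids` is written only on success; I would record that above the prototype, e.g. `/* Look up the SIDs winbind reports for user_sid. On success *p_sids is talloc'd on mem_ctx and *p_num_sids is set; neither is touched on failure. */`.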
>@@ -0,0 +1,311 @@ >+PDB_secrets_clear_domain_protection: bool (const char *) >+PDB_secrets_fetch_domain_guid: bool (const char *, struct GUID *) >+PDB_secrets_fetch_domain_sid: bool (const char *, struct dom_sid *) >+PDB_secrets_mark_domain_protected: bool (const char *) >+PDB_secrets_store_domain_guid: bool (const char *, struct GUID *) >+PDB_secrets_store_domain_sid: bool (const char *, const struct dom_sid *) >+account_policy_get: bool (enum pdb_policy_type, uint32_t *) >+account_policy_get_default: bool (enum pdb_policy_type, uint32_t *) >+account_policy_get_desc: const char *(enum pdb_policy_type) >+account_policy_name_to_typenum: enum pdb_policy_type (const char *) >+account_policy_names_list: void (TALLOC_CTX *, const char ***, int *) >+account_policy_set: bool (enum pdb_policy_type, uint32_t) >+add_initial_entry: NTSTATUS (gid_t, const char *, enum lsa_SidType, const char *, const char *) >+algorithmic_pdb_gid_to_group_rid: uint32_t (gid_t) >+algorithmic_pdb_rid_is_user: bool (uint32_t) >+algorithmic_pdb_uid_to_user_rid: uint32_t (uid_t) >+algorithmic_pdb_user_rid_to_uid: uid_t (uint32_t) >+algorithmic_rid_base: int (void) >+builtin_domain_name: const char *(void) >+cache_account_policy_get: bool (enum pdb_policy_type, uint32_t *) >+cache_account_policy_set: bool (enum pdb_policy_type, uint32_t) >+create_builtin_administrators: NTSTATUS (const struct dom_sid *) >+create_builtin_users: NTSTATUS (const struct dom_sid *) >+decode_account_policy_name: const char *(enum pdb_policy_type) >+get_account_pol_db: struct db_context *(void) >+get_account_policy_attr: const char *(enum pdb_policy_type) >+get_domain_group_from_sid: bool (struct dom_sid, GROUP_MAP *) >+get_primary_group_sid: NTSTATUS (TALLOC_CTX *, const char *, struct passwd **, struct dom_sid **) >+get_privileges_for_sid_as_set: NTSTATUS (TALLOC_CTX *, PRIVILEGE_SET **, struct dom_sid *) >+get_privileges_for_sids: bool (uint64_t *, struct dom_sid *, int) >+get_trust_pw_clear: bool (const char *, char 
**, const char **, enum netr_SchannelType *) >+get_trust_pw_hash: bool (const char *, uint8_t *, const char **, enum netr_SchannelType *) >+gid_to_sid: void (struct dom_sid *, gid_t) >+gid_to_unix_groups_sid: void (gid_t, struct dom_sid *) >+grab_named_mutex: struct named_mutex *(TALLOC_CTX *, const char *, int) >+grant_all_privileges: bool (const struct dom_sid *) >+grant_privilege_by_name: bool (const struct dom_sid *, const char *) >+grant_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *) >+groupdb_tdb_init: const struct mapping_backend *(void) >+init_account_policy: bool (void) >+init_buffer_from_samu: uint32_t (uint8_t **, struct samu *, bool) >+init_samu_from_buffer: bool (struct samu *, uint32_t, uint8_t *, uint32_t) >+initialize_password_db: bool (bool, struct tevent_context *) >+is_dc_trusted_domain_situation: bool (const char *) >+is_privileged_sid: bool (const struct dom_sid *) >+local_password_change: NTSTATUS (const char *, int, const char *, char **, char **) >+login_cache_delentry: bool (const struct samu *) >+login_cache_init: bool (void) >+login_cache_read: bool (struct samu *, struct login_cache *) >+login_cache_shutdown: bool (void) >+login_cache_write: bool (const struct samu *, const struct login_cache *) >+lookup_builtin_name: bool (const char *, uint32_t *) >+lookup_builtin_rid: bool (TALLOC_CTX *, uint32_t, const char **) >+lookup_global_sam_name: bool (const char *, int, uint32_t *, enum lsa_SidType *) >+lookup_name: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *) >+lookup_name_smbconf: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *) >+lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *) >+lookup_sids: NTSTATUS (TALLOC_CTX *, int, const struct dom_sid **, int, struct lsa_dom_info **, struct lsa_name_info **) >+lookup_unix_group_name: bool (const char 
*, struct dom_sid *) >+lookup_unix_user_name: bool (const char *, struct dom_sid *) >+lookup_wellknown_name: bool (TALLOC_CTX *, const char *, struct dom_sid *, const char **) >+lookup_wellknown_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **) >+make_pdb_method: NTSTATUS (struct pdb_methods **) >+make_pdb_method_name: NTSTATUS (struct pdb_methods **, const char *) >+max_algorithmic_gid: gid_t (void) >+max_algorithmic_uid: uid_t (void) >+my_sam_name: const char *(void) >+pdb_add_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *) >+pdb_add_group_mapping_entry: NTSTATUS (GROUP_MAP *) >+pdb_add_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t) >+pdb_add_sam_account: NTSTATUS (struct samu *) >+pdb_build_fields_present: uint32_t (struct samu *) >+pdb_capabilities: uint32_t (void) >+pdb_copy_sam_account: bool (struct samu *, struct samu *) >+pdb_create_alias: NTSTATUS (const char *, uint32_t *) >+pdb_create_builtin: NTSTATUS (uint32_t) >+pdb_create_builtin_alias: NTSTATUS (uint32_t, gid_t) >+pdb_create_dom_group: NTSTATUS (TALLOC_CTX *, const char *, uint32_t *) >+pdb_create_user: NTSTATUS (TALLOC_CTX *, const char *, uint32_t, uint32_t *) >+pdb_decode_acct_ctrl: uint32_t (const char *) >+pdb_default_add_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *) >+pdb_default_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) >+pdb_default_alias_memberships: NTSTATUS (struct pdb_methods *, TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *) >+pdb_default_create_alias: NTSTATUS (struct pdb_methods *, const char *, uint32_t *) >+pdb_default_del_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *) >+pdb_default_delete_alias: NTSTATUS (struct pdb_methods *, const struct dom_sid *) >+pdb_default_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid) >+pdb_default_enum_aliasmem: 
NTSTATUS (struct pdb_methods *, const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *) >+pdb_default_enum_group_mapping: NTSTATUS (struct pdb_methods *, const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool) >+pdb_default_get_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *) >+pdb_default_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t) >+pdb_default_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *) >+pdb_default_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid) >+pdb_default_set_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *) >+pdb_default_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) >+pdb_del_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *) >+pdb_del_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t) >+pdb_del_trusted_domain: NTSTATUS (const char *) >+pdb_del_trusteddom_pw: bool (const char *) >+pdb_delete_alias: NTSTATUS (const struct dom_sid *) >+pdb_delete_dom_group: NTSTATUS (TALLOC_CTX *, uint32_t) >+pdb_delete_group_mapping_entry: NTSTATUS (struct dom_sid) >+pdb_delete_sam_account: NTSTATUS (struct samu *) >+pdb_delete_secret: NTSTATUS (const char *) >+pdb_delete_user: NTSTATUS (TALLOC_CTX *, struct samu *) >+pdb_element_is_changed: bool (const struct samu *, enum pdb_elements) >+pdb_element_is_set_or_changed: bool (const struct samu *, enum pdb_elements) >+pdb_encode_acct_ctrl: char *(uint32_t, size_t) >+pdb_enum_alias_memberships: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *) >+pdb_enum_aliasmem: NTSTATUS (const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *) >+pdb_enum_group_mapping: bool (const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool) >+pdb_enum_group_members: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, uint32_t **, size_t *) 
>+pdb_enum_group_memberships: NTSTATUS (TALLOC_CTX *, struct samu *, struct dom_sid **, gid_t **, uint32_t *) >+pdb_enum_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct pdb_trusted_domain ***) >+pdb_enum_trusteddoms: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***) >+pdb_enum_upn_suffixes: NTSTATUS (TALLOC_CTX *, uint32_t *, char ***) >+pdb_find_backend_entry: struct pdb_init_function_entry *(const char *) >+pdb_get_account_policy: bool (enum pdb_policy_type, uint32_t *) >+pdb_get_acct_ctrl: uint32_t (const struct samu *) >+pdb_get_acct_desc: const char *(const struct samu *) >+pdb_get_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *) >+pdb_get_backend_private_data: void *(const struct samu *, const struct pdb_methods *) >+pdb_get_backends: const struct pdb_init_function_entry *(void) >+pdb_get_bad_password_count: uint16_t (const struct samu *) >+pdb_get_bad_password_time: time_t (const struct samu *) >+pdb_get_code_page: uint16_t (const struct samu *) >+pdb_get_comment: const char *(const struct samu *) >+pdb_get_country_code: uint16_t (const struct samu *) >+pdb_get_dir_drive: const char *(const struct samu *) >+pdb_get_domain: const char *(const struct samu *) >+pdb_get_domain_info: struct pdb_domain_info *(TALLOC_CTX *) >+pdb_get_fullname: const char *(const struct samu *) >+pdb_get_group_rid: uint32_t (struct samu *) >+pdb_get_group_sid: const struct dom_sid *(struct samu *) >+pdb_get_homedir: const char *(const struct samu *) >+pdb_get_hours: const uint8_t *(const struct samu *) >+pdb_get_hours_len: uint32_t (const struct samu *) >+pdb_get_init_flags: enum pdb_value_state (const struct samu *, enum pdb_elements) >+pdb_get_kickoff_time: time_t (const struct samu *) >+pdb_get_lanman_passwd: const uint8_t *(const struct samu *) >+pdb_get_logoff_time: time_t (const struct samu *) >+pdb_get_logon_count: uint16_t (const struct samu *) >+pdb_get_logon_divs: uint16_t (const struct samu *) >+pdb_get_logon_script: const char 
*(const struct samu *) >+pdb_get_logon_time: time_t (const struct samu *) >+pdb_get_munged_dial: const char *(const struct samu *) >+pdb_get_nt_passwd: const uint8_t *(const struct samu *) >+pdb_get_nt_username: const char *(const struct samu *) >+pdb_get_pass_can_change: bool (const struct samu *) >+pdb_get_pass_can_change_time: time_t (const struct samu *) >+pdb_get_pass_can_change_time_noncalc: time_t (const struct samu *) >+pdb_get_pass_last_set_time: time_t (const struct samu *) >+pdb_get_pass_must_change_time: time_t (const struct samu *) >+pdb_get_plaintext_passwd: const char *(const struct samu *) >+pdb_get_profile_path: const char *(const struct samu *) >+pdb_get_pw_history: const uint8_t *(const struct samu *, uint32_t *) >+pdb_get_secret: NTSTATUS (TALLOC_CTX *, const char *, DATA_BLOB *, NTTIME *, DATA_BLOB *, NTTIME *, struct security_descriptor **) >+pdb_get_seq_num: bool (time_t *) >+pdb_get_tevent_context: struct tevent_context *(void) >+pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct pdb_trusted_domain **) >+pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *, struct pdb_trusted_domain **) >+pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *) >+pdb_get_unknown_6: uint32_t (const struct samu *) >+pdb_get_user_rid: uint32_t (const struct samu *) >+pdb_get_user_sid: const struct dom_sid *(const struct samu *) >+pdb_get_username: const char *(const struct samu *) >+pdb_get_workstations: const char *(const struct samu *) >+pdb_getgrgid: bool (GROUP_MAP *, gid_t) >+pdb_getgrnam: bool (GROUP_MAP *, const char *) >+pdb_getgrsid: bool (GROUP_MAP *, struct dom_sid) >+pdb_gethexhours: bool (const char *, unsigned char *) >+pdb_gethexpwd: bool (const char *, unsigned char *) >+pdb_getsampwnam: bool (struct samu *, const char *) >+pdb_getsampwsid: bool (struct samu *, const struct dom_sid *) >+pdb_gid_to_sid: bool (gid_t, struct dom_sid *) >+pdb_group_rid_to_gid: gid_t (uint32_t) 
>+pdb_increment_bad_password_count: bool (struct samu *) >+pdb_is_password_change_time_max: bool (time_t) >+pdb_is_responsible_for_builtin: bool (void) >+pdb_is_responsible_for_our_sam: bool (void) >+pdb_is_responsible_for_unix_groups: bool (void) >+pdb_is_responsible_for_unix_users: bool (void) >+pdb_is_responsible_for_wellknown: bool (void) >+pdb_lookup_rids: NTSTATUS (const struct dom_sid *, int, uint32_t *, const char **, enum lsa_SidType *) >+pdb_new_rid: bool (uint32_t *) >+pdb_nop_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) >+pdb_nop_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid) >+pdb_nop_enum_group_mapping: NTSTATUS (struct pdb_methods *, enum lsa_SidType, GROUP_MAP **, size_t *, bool) >+pdb_nop_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t) >+pdb_nop_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *) >+pdb_nop_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid) >+pdb_nop_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) >+pdb_rename_sam_account: NTSTATUS (struct samu *, const char *) >+pdb_search_aliases: struct pdb_search *(TALLOC_CTX *, const struct dom_sid *) >+pdb_search_entries: uint32_t (struct pdb_search *, uint32_t, uint32_t, struct samr_displayentry **) >+pdb_search_groups: struct pdb_search *(TALLOC_CTX *) >+pdb_search_init: struct pdb_search *(TALLOC_CTX *, enum pdb_search_type) >+pdb_search_users: struct pdb_search *(TALLOC_CTX *, uint32_t) >+pdb_set_account_policy: bool (enum pdb_policy_type, uint32_t) >+pdb_set_acct_ctrl: bool (struct samu *, uint32_t, enum pdb_value_state) >+pdb_set_acct_desc: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *) >+pdb_set_backend_private_data: bool (struct samu *, void *, void (*)(void **), const struct pdb_methods *, enum pdb_value_state) >+pdb_set_bad_password_count: bool (struct samu *, uint16_t, 
enum pdb_value_state) >+pdb_set_bad_password_time: bool (struct samu *, time_t, enum pdb_value_state) >+pdb_set_code_page: bool (struct samu *, uint16_t, enum pdb_value_state) >+pdb_set_comment: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_country_code: bool (struct samu *, uint16_t, enum pdb_value_state) >+pdb_set_dir_drive: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_domain: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_fullname: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_group_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state) >+pdb_set_group_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state) >+pdb_set_homedir: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_hours: bool (struct samu *, const uint8_t *, int, enum pdb_value_state) >+pdb_set_hours_len: bool (struct samu *, uint32_t, enum pdb_value_state) >+pdb_set_init_flags: bool (struct samu *, enum pdb_elements, enum pdb_value_state) >+pdb_set_kickoff_time: bool (struct samu *, time_t, enum pdb_value_state) >+pdb_set_lanman_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state) >+pdb_set_logoff_time: bool (struct samu *, time_t, enum pdb_value_state) >+pdb_set_logon_count: bool (struct samu *, uint16_t, enum pdb_value_state) >+pdb_set_logon_divs: bool (struct samu *, uint16_t, enum pdb_value_state) >+pdb_set_logon_script: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_logon_time: bool (struct samu *, time_t, enum pdb_value_state) >+pdb_set_munged_dial: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_nt_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state) >+pdb_set_nt_username: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_pass_can_change: bool (struct samu *, bool) >+pdb_set_pass_can_change_time: bool (struct samu *, time_t, enum pdb_value_state) >+pdb_set_pass_last_set_time: bool 
(struct samu *, time_t, enum pdb_value_state) >+pdb_set_plaintext_passwd: bool (struct samu *, const char *) >+pdb_set_plaintext_pw_only: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_profile_path: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_pw_history: bool (struct samu *, const uint8_t *, uint32_t, enum pdb_value_state) >+pdb_set_secret: NTSTATUS (const char *, DATA_BLOB *, DATA_BLOB *, struct security_descriptor *) >+pdb_set_trusted_domain: NTSTATUS (const char *, const struct pdb_trusted_domain *) >+pdb_set_trusteddom_pw: bool (const char *, const char *, const struct dom_sid *) >+pdb_set_unix_primary_group: NTSTATUS (TALLOC_CTX *, struct samu *) >+pdb_set_unknown_6: bool (struct samu *, uint32_t, enum pdb_value_state) >+pdb_set_upn_suffixes: NTSTATUS (uint32_t, const char **) >+pdb_set_user_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state) >+pdb_set_user_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state) >+pdb_set_user_sid_from_string: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_username: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_workstations: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_sethexhours: void (char *, const unsigned char *) >+pdb_sethexpwd: void (char *, const unsigned char *, uint32_t) >+pdb_sid_to_id: bool (const struct dom_sid *, struct unixid *) >+pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct unixid *) >+pdb_uid_to_sid: bool (uid_t, struct dom_sid *) >+pdb_update_autolock_flag: bool (struct samu *, bool *) >+pdb_update_bad_password_count: bool (struct samu *, bool *) >+pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *) >+pdb_update_login_attempts: NTSTATUS (struct samu *, bool) >+pdb_update_sam_account: NTSTATUS (struct samu *) >+privilege_create_account: NTSTATUS (const struct dom_sid *) >+privilege_delete_account: NTSTATUS (const struct dom_sid *) 
>+privilege_enum_sids: NTSTATUS (enum sec_privilege, TALLOC_CTX *, struct dom_sid **, int *) >+privilege_enumerate_accounts: NTSTATUS (struct dom_sid **, int *) >+revoke_all_privileges: bool (const struct dom_sid *) >+revoke_privilege_by_name: bool (const struct dom_sid *, const char *) >+revoke_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *) >+samu_alloc_rid_unix: NTSTATUS (struct pdb_methods *, struct samu *, const struct passwd *) >+samu_new: struct samu *(TALLOC_CTX *) >+samu_set_unix: NTSTATUS (struct samu *, const struct passwd *) >+secrets_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***) >+sid_check_is_builtin: bool (const struct dom_sid *) >+sid_check_is_for_passdb: bool (const struct dom_sid *) >+sid_check_is_in_builtin: bool (const struct dom_sid *) >+sid_check_is_in_unix_groups: bool (const struct dom_sid *) >+sid_check_is_in_unix_users: bool (const struct dom_sid *) >+sid_check_is_in_wellknown_domain: bool (const struct dom_sid *) >+sid_check_is_unix_groups: bool (const struct dom_sid *) >+sid_check_is_unix_users: bool (const struct dom_sid *) >+sid_check_is_wellknown_builtin: bool (const struct dom_sid *) >+sid_check_is_wellknown_domain: bool (const struct dom_sid *, const char **) >+sid_check_object_is_for_passdb: bool (const struct dom_sid *) >+sid_to_gid: bool (const struct dom_sid *, gid_t *) >+sid_to_uid: bool (const struct dom_sid *, uid_t *) >+sids_to_unixids: bool (const struct dom_sid *, uint32_t, struct unixid *) >+smb_add_user_group: int (const char *, const char *) >+smb_create_group: int (const char *, gid_t *) >+smb_delete_group: int (const char *) >+smb_delete_user_group: int (const char *, const char *) >+smb_nscd_flush_group_cache: void (void) >+smb_nscd_flush_user_cache: void (void) >+smb_register_passdb: NTSTATUS (int, const char *, pdb_init_function) >+smb_set_primary_group: int (const char *, const char *) >+uid_to_sid: void (struct dom_sid *, uid_t) >+uid_to_unix_users_sid: 
void (uid_t, struct dom_sid *)
>+unix_groups_domain_name: const char *(void)
>+unix_users_domain_name: const char *(void)
>+unixid_from_both: void (struct unixid *, uint32_t)
>+unixid_from_gid: void (struct unixid *, uint32_t)
>+unixid_from_uid: void (struct unixid *, uint32_t)
>+wb_is_trusted_domain: wbcErr (const char *)
>+winbind_allocate_gid: bool (gid_t *)
>+winbind_allocate_uid: bool (uid_t *)
>+winbind_get_groups: bool (TALLOC_CTX *, const char *, uint32_t *, gid_t **)
>+winbind_get_sid_aliases: bool (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
>+winbind_getpwnam: struct passwd *(const char *)
>+winbind_getpwsid: struct passwd *(const struct dom_sid *)
>+winbind_gid_to_sid: bool (struct dom_sid *, gid_t)
>+winbind_lookup_name: bool (const char *, const char *, struct dom_sid *, enum lsa_SidType *)
>+winbind_lookup_rids: bool (TALLOC_CTX *, const struct dom_sid *, int, uint32_t *, const char **, const char ***, enum lsa_SidType **)
>+winbind_lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *)
>+winbind_lookup_usersids: bool (TALLOC_CTX *, const struct dom_sid *, uint32_t *, struct dom_sid **)
>+winbind_ping: bool (void)
>+winbind_sid_to_gid: bool (gid_t *, const struct dom_sid *)
>+winbind_sid_to_uid: bool (uid_t *, const struct dom_sid *)
>+winbind_uid_to_sid: bool (struct dom_sid *, uid_t)
>diff --git a/source3/wscript_build b/source3/wscript_build
>index e0432bf..6d6b6aa 100755
>--- a/source3/wscript_build
>+++ b/source3/wscript_build
>@@ -736,7 +736,7 @@ bld.SAMBA3_LIBRARY('pdb',
> passdb/lookup_sid.h''',
> abi_match=private_pdb_match,
> abi_directory='passdb/ABI',
>- vnum='0',
>+ vnum='0.1.0',
> vars=locals())
>
> bld.SAMBA3_LIBRARY('smbldaphelper',
>--
>1.8.5.2
>
>
>From 91debcafd196a9e821efddce0a9d75c48f8e168d Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Fri, 13 Dec 2013 19:08:34 +0100
>Subject: [PATCH 2/7] s3-auth: Add passwd_to_SamInfo3().
>
>First this function tries to contacts winbind if the user is a domain
>user to get valid information about it. If winbind isn't running it will
>try to create everything from the passwd struct. This is not always
>reliable but works in most cases. It improves the current situation
>which doesn't talk to winbind at all.
>
>Pair-Programmed-With: Guenther Deschner <gd@samba.org>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 1bb11c7744df6928cb8a096373ab920366b38770)
>---
> source3/auth/proto.h | 4 ++
> source3/auth/server_info.c | 116 +++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 120 insertions(+)
>
>diff --git a/source3/auth/proto.h b/source3/auth/proto.h
>index 76661fc..8385e66 100644
>--- a/source3/auth/proto.h
>+++ b/source3/auth/proto.h
>@@ -286,6 +286,10 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> const char *login_server,
> struct netr_SamInfo3 **_info3,
> struct extra_auth_info *extra);
>+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
>+ const char *unix_username,
>+ const struct passwd *pwd,
>+ struct netr_SamInfo3 **pinfo3);
> struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
> struct netr_SamInfo3 *orig);
> struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
>diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
>index d2b7d6e..46d8178 100644
>--- a/source3/auth/server_info.c
>+++ b/source3/auth/server_info.c
>@@ -24,6 +24,7 @@
> #include "../libcli/security/security.h"
> #include "rpc_client/util_netlogon.h"
> #include "nsswitch/libwbclient/wbclient.h"
>+#include "lib/winbind_util.h"
> #include "passdb.h"
>
> #undef DBGC_CLASS
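Review bot: The new `passwd_to_SamInfo3()` prototype carries none of the contract its commit message describes (winbind is consulted first, the passwd entry is the fallback, the result lives on mem_ctx), while `auth_check_ntlm_password()` later in this same header has a full doxygen block. A comment above the declaration such as `/* Build a netr_SamInfo3 for a passwd entry: asks winbind for the user's SIDs when it is running, otherwise derives the primary group from pwd->pw_gid; *pinfo3 is allocated on mem_ctx. */` would tell callers that the resulting token can differ depending on whether winbind is reachable.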
>@@ -436,6 +437,121 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
> return NT_STATUS_OK;
> }
>
>+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
>+ const char *unix_username,
>+ const struct passwd *pwd,
>+ struct netr_SamInfo3 **pinfo3)
>+{
>+ struct netr_SamInfo3 *info3;
>+ NTSTATUS status;
>+ TALLOC_CTX *tmp_ctx;
>+ const char *domain_name = NULL;
>+ const char *user_name = NULL;
>+ struct dom_sid domain_sid;
>+ struct dom_sid user_sid;
>+ struct dom_sid group_sid;
>+ enum lsa_SidType type;
>+ uint32_t num_sids = 0;
>+ struct dom_sid *user_sids = NULL;
>+ bool ok;
>+
>+ tmp_ctx = talloc_stackframe();
>+
>+ ok = lookup_name_smbconf(tmp_ctx,
>+ unix_username,
>+ LOOKUP_NAME_ALL,
>+ &domain_name,
>+ &user_name,
>+ &user_sid,
>+ &type);
>+ if (!ok) {
>+ status = NT_STATUS_NO_SUCH_USER;
>+ goto done;
>+ }
>+
>+ if (type != SID_NAME_USER) {
>+ status = NT_STATUS_NO_SUCH_USER;
>+ goto done;
>+ }
>+
>+ ok = winbind_lookup_usersids(tmp_ctx,
>+ &user_sid,
>+ &num_sids,
>+ &user_sids);
>+ /* Check if winbind is running */
>+ if (ok) {
>+ /*
>+ * Winbind is running and the first element of the user_sids
>+ * is the primary group.
>+ */
>+ if (num_sids > 0) {
>+ group_sid = user_sids[0];
>+ }
>+ } else {
>+ /*
>+ * Winbind is not running, create the group_sid from the
>+ * group id.
>+ */
>+ gid_to_sid(&group_sid, pwd->pw_gid);
>+ }
>+
>+ /* Make sure we have a valid group sid */
>+ ok = !is_null_sid(&group_sid);
>+ if (!ok) {
>+ status = NT_STATUS_NO_SUCH_USER;
>+ goto done;
>+ }
>+
>+ /* Construct a netr_SamInfo3 from the information we have */
>+ info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3);
>+ if (!info3) {
>+ status = NT_STATUS_NO_MEMORY;
>+ goto done;
>+ }
>+
>+ info3->base.account_name.string = talloc_strdup(info3, unix_username);
>+ if (info3->base.account_name.string == NULL) {
>+ status = NT_STATUS_NO_MEMORY;
>+ goto done;
>+ }
>+
>+ ZERO_STRUCT(domain_sid);
>+
>+ sid_copy(&domain_sid, &user_sid);
>+ sid_split_rid(&domain_sid, &info3->base.rid);
>+ info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
>+
>+ ok = sid_peek_check_rid(&domain_sid, &group_sid,
>+ &info3->base.primary_gid);
>+ if (!ok) {
>+ DEBUG(1, ("The primary group domain sid(%s) does not "
>+ "match the domain sid(%s) for %s(%s)\n",
>+ sid_string_dbg(&group_sid),
>+ sid_string_dbg(&domain_sid),
>+ unix_username,
>+ sid_string_dbg(&user_sid)));
>+ status = NT_STATUS_INVALID_SID;
>+ goto done;
>+ }
>+
>+ info3->base.acct_flags = ACB_NORMAL;
>+
>+ if (num_sids) {
>+ status = group_sids_to_info3(info3, user_sids, num_sids);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ goto done;
>+ }
>+ }
>+
>+ *pinfo3 = talloc_steal(mem_ctx, info3);
>+
>+ status = NT_STATUS_OK;
>+done:
>+ talloc_free(tmp_ctx);
>+
>+ return status;
>+}
>+
> #undef RET_NOMEM
>
> #define RET_NOMEM(ptr) do { \
>--
>1.8.5.2
>
>
>From c7b7670dc5cd8dbf727258666b6417d67afafb33 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Fri, 13 Dec 2013 19:11:01 +0100
>Subject: [PATCH 3/7] s3-auth: Pass talloc context to make_server_info_pw().
>
>Pair-Programmed-With: Guenther Deschner <gd@samba.org>
>Signed-off-by: Guenther Deschner <gd@samba.org>
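Review bot: `group_sid` is read uninitialised when `winbind_lookup_usersids()` succeeds but hands back `num_sids == 0`: only the `num_sids > 0` branch assigns it, yet `is_null_sid(&group_sid)` and later `sid_peek_check_rid()` consume it unconditionally, so whatever the stack held becomes the primary group RID in the token instead of the intended NT_STATUS_NO_SUCH_USER. Adding `ZERO_STRUCT(group_sid);` before the `winbind_lookup_usersids()` call makes the existing null-SID check cover that case (whether libwbclient can return an empty list is not visible here, but the code should not depend on it); the patch-4 hunk on this same function does not touch that path either. Separately, `info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);` is not checked for NULL, unlike the `talloc_strdup()` a few lines above, so an allocation failure there produces an info3 with no domain SID rather than NT_STATUS_NO_MEMORY.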
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 1b59c9743cf3fbd66b0b8b52162b2cc8d922e5cf)
>---
> source3/auth/auth_unix.c | 7 +++++--
> source3/auth/auth_util.c | 52 +++++++++++++++++++++++++++------------------
> source3/auth/proto.h | 7 ++++---
> source3/auth/user_krb5.c | 5 +----
> 4 files changed, 42 insertions(+), 29 deletions(-)
>
>diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
>index c8b5435..7b483a2 100644
>--- a/source3/auth/auth_unix.c
>+++ b/source3/auth/auth_unix.c
>@@ -67,8 +67,11 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
> unbecome_root();
>
> if (NT_STATUS_IS_OK(nt_status)) {
>- if (pass) {
>- make_server_info_pw(server_info, pass->pw_name, pass);
>+ if (pass != NULL) {
>+ nt_status = make_server_info_pw(mem_ctx,
>+ pass->pw_name,
>+ pass,
>+ server_info);
> } else {
> /* we need to do somthing more useful here */
> nt_status = NT_STATUS_NO_SUCH_USER;
>diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
>index ceaa706..b225b0d 100644
>--- a/source3/auth/auth_util.c
>+++ b/source3/auth/auth_util.c
>@@ -639,14 +639,15 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
> to a struct samu
> ***************************************************************************/
>
>-NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
>- char *unix_username,
>- struct passwd *pwd)
>+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
>+ const char *unix_username,
>+ const struct passwd *pwd,
>+ struct auth_serversupplied_info **server_info)
> {
> NTSTATUS status;
> struct samu *sampass = NULL;
> char *qualified_name = NULL;
>- TALLOC_CTX *mem_ctx = NULL;
>+ TALLOC_CTX *tmp_ctx;
> struct dom_sid u_sid;
> enum lsa_SidType type;
> struct auth_serversupplied_info *result;
>@@ -664,27 +665,27 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> * plaintext passwords were used with no SAM backend.
> */
>
>- mem_ctx = talloc_init("make_server_info_pw_tmp");
>- if (!mem_ctx) {
>+ tmp_ctx = talloc_stackframe();
>+ if (tmp_ctx == NULL) {
> return NT_STATUS_NO_MEMORY;
> }
>
>- qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
>+ qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
> unix_users_domain_name(),
> unix_username );
> if (!qualified_name) {
>- TALLOC_FREE(mem_ctx);
>+ TALLOC_FREE(tmp_ctx);
> return NT_STATUS_NO_MEMORY;
> }
>
>- if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
>+ if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
> NULL, NULL,
> &u_sid, &type)) {
>- TALLOC_FREE(mem_ctx);
>+ TALLOC_FREE(tmp_ctx);
> return NT_STATUS_NO_SUCH_USER;
> }
>
>- TALLOC_FREE(mem_ctx);
>+ TALLOC_FREE(tmp_ctx);
>
> if (type != SID_NAME_USER) {
> return NT_STATUS_NO_SUCH_USER;
>@@ -707,7 +708,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
> /* set the user sid to be the calculated u_sid */
> pdb_set_user_sid(sampass, &u_sid, PDB_SET);
>
>- result = make_server_info(NULL);
>+ result = make_server_info(mem_ctx);
> if (result == NULL) {
> TALLOC_FREE(sampass);
> return NT_STATUS_NO_MEMORY;
>@@ -992,25 +993,36 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
> struct passwd *pwd;
> NTSTATUS status;
> struct auth_serversupplied_info *result;
>+ TALLOC_CTX *tmp_ctx;
>
>- pwd = Get_Pwnam_alloc(talloc_tos(), username);
>- if (pwd == NULL) {
>- return NT_STATUS_NO_SUCH_USER;
>+ tmp_ctx = talloc_stackframe();
>+ if (tmp_ctx == NULL) {
>+ return NT_STATUS_NO_MEMORY;
> }
>
>- status = make_server_info_pw(&result, pwd->pw_name, pwd);
>+ pwd = Get_Pwnam_alloc(tmp_ctx, username);
>+ if (pwd == NULL) {
>+ status = NT_STATUS_NO_SUCH_USER;
>+ goto done;
>+ }
>
>+ status = make_server_info_pw(tmp_ctx, pwd->pw_name, pwd, &result);
> if (!NT_STATUS_IS_OK(status)) {
>- return status;
>+ goto done;
> }
>
> result->nss_token = true;
> result->guest = is_guest;
>
> /* Now turn the server_info into a session_info with the full token etc */
>- status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info);
>- TALLOC_FREE(result);
>- TALLOC_FREE(pwd);
>+ status = create_local_token(mem_ctx,
>+ result,
>+ NULL,
>+ pwd->pw_name,
>+ session_info);
>+
>+done:
>+ talloc_free(tmp_ctx);
>
> return status;
> }
>diff --git a/source3/auth/proto.h b/source3/auth/proto.h
>index 8385e66..7abca07 100644
>--- a/source3/auth/proto.h
>+++ b/source3/auth/proto.h
>@@ -206,9 +206,10 @@ bool user_in_group_sid(const char *username, const struct dom_sid *group_sid);
> bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid);
> bool user_in_group(const char *username, const char *groupname);
> struct passwd;
>-NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
>- char *unix_username,
>- struct passwd *pwd);
>+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
>+ const char *unix_username,
>+ const struct passwd *pwd,
>+ struct auth_serversupplied_info **server_info);
> NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
> const char *username,
> bool is_guest,
>diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
>index 974a8aa..7d44285 100644
>--- a/source3/auth/user_krb5.c
>+++ b/source3/auth/user_krb5.c
>@@ -242,7 +242,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> */
> DEBUG(10, ("didn't find user %s in passdb, calling "
> "make_server_info_pw\n", username));
>- status = make_server_info_pw(&tmp, username, pw);
>+ status = make_server_info_pw(mem_ctx, username, pw, &tmp);
> }
>
> TALLOC_FREE(sampass);
>@@ -253,9 +253,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> return status;
> }
>
>- /* Steal tmp server info into the server_info pointer. */
>- server_info = talloc_move(mem_ctx, &tmp);
>-
> /* make_server_info_pw does not set the domain. Without this
> * we end up with the local netbios name in substitutions for
> * %D. */
>--
>1.8.5.2
>
>
>From 4fbd13598e8bdc6acf41329f71de806de4265f36 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Fri, 13 Dec 2013 19:19:02 +0100
>Subject: [PATCH 4/7] s3-auth: Add passwd_to_SamInfo3().
>
>Correctly lookup users which come from smb.conf. passwd_to_SamInfo3()
>tries to contact winbind if the user is a domain user to get
>valid information about it. If winbind isn't running it will try to
>create everything from the passwd struct. This is not always reliable
>but works in most cases. It improves the current situation which doesn't
>talk to winbind at all.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
>
>Pair-Programmed-With: Guenther Deschner <gd@samba.org>
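Review bot: With the `server_info = talloc_move(mem_ctx, &tmp);` line deleted, nothing in these two hunks assigns `server_info` from `tmp` any more, while both the `make_server_info_sam(&tmp, sampass)` context line and the rewritten `make_server_info_pw(mem_ctx, username, pw, &tmp)` still write into `tmp`; as far as the visible hunks show, `make_session_info_krb5()` continues with an unset server_info at this point in the series. Patch 5/7 later replaces `&tmp` with `&server_info` in both calls, so the final state is fine, but this commit on its own is not bisectable; either keep the talloc_move until that patch or fold the `&server_info` change in here. The enclosing function starts and ends outside the hunks.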
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>
>Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
>Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104
>
>(cherry picked from commit 40e6456b5896e934fcd581c2cac2389984256e09)
>---
> source3/auth/auth_util.c | 87 +++++++++------------------------------------
> source3/auth/server_info.c | 22 ++++++++++--
> 2 files changed, 36 insertions(+), 73 deletions(-)
>
>diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
>index b225b0d..24190af 100644
>--- a/source3/auth/auth_util.c
>+++ b/source3/auth/auth_util.c
>@@ -645,98 +645,43 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
> struct auth_serversupplied_info **server_info)
> {
> NTSTATUS status;
>- struct samu *sampass = NULL;
>- char *qualified_name = NULL;
>- TALLOC_CTX *tmp_ctx;
>- struct dom_sid u_sid;
>- enum lsa_SidType type;
>+ TALLOC_CTX *tmp_ctx = NULL;
> struct auth_serversupplied_info *result;
>
>- /*
>- * The SID returned in server_info->sam_account is based
>- * on our SAM sid even though for a pure UNIX account this should
>- * not be the case as it doesn't really exist in the SAM db.
>- * This causes lookups on "[in]valid users" to fail as they
>- * will lookup this name as a "Unix User" SID to check against
>- * the user token. Fix this by adding the "Unix User"\unix_username
>- * SID to the sid array. The correct fix should probably be
>- * changing the server_info->sam_account user SID to be a
>- * S-1-22 Unix SID, but this might break old configs where
>- * plaintext passwords were used with no SAM backend.
>- */
>-
> tmp_ctx = talloc_stackframe();
> if (tmp_ctx == NULL) {
> return NT_STATUS_NO_MEMORY;
> }
>
>- qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
>- unix_users_domain_name(),
>- unix_username );
>- if (!qualified_name) {
>- TALLOC_FREE(tmp_ctx);
>- return NT_STATUS_NO_MEMORY;
>- }
>-
>- if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
>- NULL, NULL,
>- &u_sid, &type)) {
>- TALLOC_FREE(tmp_ctx);
>- return NT_STATUS_NO_SUCH_USER;
>- }
>-
>- TALLOC_FREE(tmp_ctx);
>-
>- if (type != SID_NAME_USER) {
>- return NT_STATUS_NO_SUCH_USER;
>- }
>-
>- if ( !(sampass = samu_new( NULL )) ) {
>- return NT_STATUS_NO_MEMORY;
>- }
>-
>- status = samu_set_unix( sampass, pwd );
>- if (!NT_STATUS_IS_OK(status)) {
>- return status;
>- }
>-
>- /* In pathological cases the above call can set the account
>- * name to the DOMAIN\username form.
Reset the account name
>- * using unix_username */
>- pdb_set_username(sampass, unix_username, PDB_SET);
>-
>- /* set the user sid to be the calculated u_sid */
>- pdb_set_user_sid(sampass, &u_sid, PDB_SET);
>-
>- result = make_server_info(mem_ctx);
>+ result = make_server_info(tmp_ctx);
> if (result == NULL) {
>- TALLOC_FREE(sampass);
>- return NT_STATUS_NO_MEMORY;
>+ status = NT_STATUS_NO_MEMORY;
>+ goto done;
> }
>
>- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
>- &result->info3, &result->extra);
>- TALLOC_FREE(sampass);
>+ status = passwd_to_SamInfo3(result,
>+ unix_username,
>+ pwd,
>+ &result->info3);
> if (!NT_STATUS_IS_OK(status)) {
>- DEBUG(10, ("Failed to convert samu to info3: %s\n",
>- nt_errstr(status)));
>- TALLOC_FREE(result);
>- return status;
>+ goto done;
> }
>
> result->unix_name = talloc_strdup(result, unix_username);
>-
> if (result->unix_name == NULL) {
>- TALLOC_FREE(result);
>- return NT_STATUS_NO_MEMORY;
>+ status = NT_STATUS_NO_MEMORY;
>+ goto done;
> }
>
> result->utok.uid = pwd->pw_uid;
> result->utok.gid = pwd->pw_gid;
>
>- *server_info = result;
>+ *server_info = talloc_steal(mem_ctx, result);
>+ status = NT_STATUS_OK;
>+done:
>+ talloc_free(tmp_ctx);
>
>- return NT_STATUS_OK;
>+ return status;
> }
>
> static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
>diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
>index 46d8178..43711d5 100644
>--- a/source3/auth/server_info.c
>+++ b/source3/auth/server_info.c
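Review bot: The comment header above `make_server_info_pw()` still ends with `to a struct samu` (visible as context in the patch-3 hunk of this file), but the rewritten body never creates a samu; it hands the passwd entry to `passwd_to_SamInfo3()`, so that header and the deleted S-1-22 rationale should be replaced by a comment stating the new contract, e.g. `/* Build a server_info for a passwd entry via passwd_to_SamInfo3(). The name is resolved with lookup_name_smbconf(), so an entry that winbind knows yields a domain SID rather than a Unix Users SID. */`. That is the behavioural change worth spelling out: the old code only ever accepted `Unix Users\\<name>`, whereas the new path resolves the bare name through every configured lookup, which is the intended fix for force user but widens which SIDs a passwd entry can map to. `result->utok.gid` also keeps `pwd->pw_gid` while info3's primary group may now come from winbind, so the two can disagree; presumably that is accepted, but a one-line comment would save the next reader the question.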
>@@ -489,10 +489,28 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
> }
> } else {
> /*
>- * Winbind is not running, create the group_sid from the
>- * group id.
>+ * Winbind is not running, try to create the group_sid from the
>+ * passwd group id.
>+ */
>+
>+ /*
>+ * This can lead to a primary group of S-1-22-2-XX which
>+ * will be rejected by other Samba code.
> */
> gid_to_sid(&group_sid, pwd->pw_gid);
>+
>+ ZERO_STRUCT(domain_sid);
>+
>+ /*
>+ * If we are a unix group, set the group_sid to the
>+ * 'Domain Users' RID of 513 which will always resolve to a
>+ * name.
>+ */
>+ if (sid_check_is_in_unix_groups(&group_sid)) {
>+ sid_compose(&group_sid,
>+ get_global_sam_sid(),
>+ DOMAIN_RID_USERS);
>+ }
> }
>
> /* Make sure we have a valid group sid */
>--
>1.8.5.2
>
>
>From 76bb5e0888f4131ab773d90160051a51c401c90d Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Tue, 18 Feb 2014 10:02:57 +0100
>Subject: [PATCH 5/7] s3-auth: Pass mem_ctx to make_server_info_sam().
>
>Coverity-Id: 1168009
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>
>Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 3dc72266005e87a291f5bf9847257e8c54314d39)
>---
> source3/auth/check_samsec.c | 2 +-
> source3/auth/proto.h | 5 ++--
> source3/auth/server_info_sam.c | 56 +++++++++++++++++++++++++++---------------
> source3/auth/user_krb5.c | 12 +++++----
> 4 files changed, 47 insertions(+), 28 deletions(-)
>
>diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
>index 7ed8cc2..b6cac60 100644
>--- a/source3/auth/check_samsec.c
>+++ b/source3/auth/check_samsec.c
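Review bot: The added `ZERO_STRUCT(domain_sid);` in the else branch is dead code: `domain_sid` is not read anywhere in this branch and the function zeroes it again right before `sid_copy(&domain_sid, &user_sid)` further down (see the patch-2 hunk), so the line should be dropped. The `DOMAIN_RID_USERS` fallback does more than the comment claims: every passwd user whose gid has no SID mapping now carries the local SAM's Domain Users (RID 513) as primary group in the resulting token, which is a membership granted by this code rather than by any backend, so the comment should state that, e.g. `/* Unmapped unix group: fall back to the local SAM's Domain Users (RID 513). This grants the token that membership, not merely a resolvable name. */`. It is worth adding that for a user whose SID lies outside the local SAM domain the fallback is still rejected by the `sid_peek_check_rid()` comparison below, since that is what keeps the grant local. The enclosing function continues outside the hunk.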
>@@ -482,7 +482,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
> }
>
> become_root();
>- nt_status = make_server_info_sam(server_info, sampass);
>+ nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
> unbecome_root();
>
> TALLOC_FREE(sampass);
>diff --git a/source3/auth/proto.h b/source3/auth/proto.h
>index 7abca07..eac3e54 100644
>--- a/source3/auth/proto.h
>+++ b/source3/auth/proto.h
>@@ -190,8 +190,9 @@ bool make_user_info_guest(const struct tsocket_address *remote_address,
> struct auth_usersupplied_info **user_info);
>
> struct samu;
>-NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
>- struct samu *sampass);
>+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
>+ struct samu *sampass,
>+ struct auth_serversupplied_info **pserver_info);
> NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
> const struct auth_serversupplied_info *server_info,
> DATA_BLOB *session_key,
>diff --git a/source3/auth/server_info_sam.c b/source3/auth/server_info_sam.c
>index 5d657f9..47087b1 100644
>--- a/source3/auth/server_info_sam.c
>+++ b/source3/auth/server_info_sam.c
>@@ -58,39 +58,51 @@ static bool is_our_machine_account(const char *username)
> Make (and fill) a user_info struct from a struct samu
> ***************************************************************************/
>
>-NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
>- struct samu *sampass)
>+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
>+ struct samu *sampass,
>+ struct auth_serversupplied_info **pserver_info)
> {
> struct passwd *pwd;
>- struct auth_serversupplied_info *result;
>+ struct auth_serversupplied_info *server_info;
> const char *username = pdb_get_username(sampass);
>+ TALLOC_CTX *tmp_ctx;
> NTSTATUS status;
>
>- if ( !(result = make_server_info(NULL)) ) {
>+ tmp_ctx = talloc_stackframe();
>+ if (tmp_ctx == NULL) {
> return NT_STATUS_NO_MEMORY;
> }
>
>- if ( !(pwd = Get_Pwnam_alloc(result, username)) ) {
>+ server_info = make_server_info(tmp_ctx);
>+ if (server_info == NULL) {
>+ return NT_STATUS_NO_MEMORY;
>+ }
>+
>+ pwd = Get_Pwnam_alloc(tmp_ctx, username);
>+ if (pwd == NULL) {
> DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
> pdb_get_username(sampass)));
>- TALLOC_FREE(result);
>- return NT_STATUS_NO_SUCH_USER;
>+ status = NT_STATUS_NO_SUCH_USER;
>+ goto out;
> }
>
>- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
>- &result->info3, &result->extra);
>+ status = samu_to_SamInfo3(server_info,
>+ sampass,
>+ lp_netbios_name(),
>+ &server_info->info3,
>+ &server_info->extra);
> if (!NT_STATUS_IS_OK(status)) {
>- TALLOC_FREE(result);
>- return status;
>+ goto out;
> }
>
>- result->unix_name = pwd->pw_name;
>- /* Ensure that we keep pwd->pw_name, because we will free pwd below */
>- talloc_steal(result, pwd->pw_name);
>- result->utok.gid = pwd->pw_gid;
>- result->utok.uid = pwd->pw_uid;
>+ server_info->unix_name = talloc_strdup(server_info, pwd->pw_name);
>+ if (server_info->unix_name == NULL) {
>+ status = NT_STATUS_NO_MEMORY;
>+ goto out;
>+ }
>
>- TALLOC_FREE(pwd);
>+ server_info->utok.gid =
pwd->pw_gid;
>+ server_info->utok.uid = pwd->pw_uid;
>
> if (IS_DC && is_our_machine_account(username)) {
> /*
>@@ -110,9 +122,13 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
> }
>
> DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
>- pdb_get_username(sampass), result->unix_name));
>+ pdb_get_username(sampass), server_info->unix_name));
>+
>+ *pserver_info = talloc_steal(mem_ctx, server_info);
>
>- *server_info = result;
>+ status = NT_STATUS_OK;
>+out:
>+ talloc_free(tmp_ctx);
>
>- return NT_STATUS_OK;
>+ return status;
> }
>diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
>index 7d44285..e40c8ac 100644
>--- a/source3/auth/user_krb5.c
>+++ b/source3/auth/user_krb5.c
>@@ -223,9 +223,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> * SID consistency with ntlmssp session setup
> */
> struct samu *sampass;
>- /* The stupid make_server_info_XX functions here
>- don't take a talloc context. */
>- struct auth_serversupplied_info *tmp = NULL;
>
> sampass = samu_new(talloc_tos());
> if (sampass == NULL) {
>@@ -235,14 +232,19 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
> if (pdb_getsampwnam(sampass, username)) {
> DEBUG(10, ("found user %s in passdb, calling "
> "make_server_info_sam\n", username));
>- status = make_server_info_sam(&tmp, sampass);
>+ status = make_server_info_sam(mem_ctx,
>+ sampass,
>+ &server_info);
> } else {
> /*
> * User not in passdb, make it up artificially
> */
> DEBUG(10, ("didn't find user %s in passdb, calling "
> "make_server_info_pw\n", username));
>- status = make_server_info_pw(mem_ctx, username, pw, &tmp);
>+ status = make_server_info_pw(mem_ctx,
>+ username,
>+ pw,
>+ &server_info);
> }
>
> TALLOC_FREE(sampass);
>--
>1.8.5.2
>
>
>From f9c0adb6237c6e60c33ee6af21f55c0cdefa132c Mon Sep 17 00:00:00 2001
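Review bot: In `make_server_info_sam()`, the new `if (server_info == NULL) { return NT_STATUS_NO_MEMORY; }` right after `make_server_info(tmp_ctx)` returns without releasing the `talloc_stackframe()` acquired a few lines earlier, unlike every later failure path in the function, which jumps to `out` and frees it; it should read `status = NT_STATUS_NO_MEMORY; goto out;`. The first hunk of this file ends in the IS_DC block and its remainder is not shown, so I cannot see whether that block has early returns with the same problem.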
>From: Andreas Schneider <asn@samba.org>
>Date: Tue, 18 Feb 2014 10:19:57 +0100
>Subject: [PATCH 6/7] s3-auth: Pass mem_ctx to auth_check_ntlm_password().
>
>Coverity-Id: 1168009
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>
>Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 4d792db03f18aa164b565c7fdc7b446c174fba28)
>---
> source3/auth/auth.c | 50 ++++++++++++++++++-----------
> source3/auth/auth_ntlmssp.c | 6 ++--
> source3/auth/proto.h | 8 +++--
> source3/rpc_server/netlogon/srv_netlog_nt.c | 6 ++--
> source3/torture/pdbtest.c | 5 ++-
> 5 files changed, 48 insertions(+), 27 deletions(-)
>
>diff --git a/source3/auth/auth.c b/source3/auth/auth.c
>index c3797cf..dc9af02 100644
>--- a/source3/auth/auth.c
>+++ b/source3/auth/auth.c
>@@ -160,18 +160,19 @@ static bool check_domain_match(const char *user, const char *domain)
> *
> **/
>
>-NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
>- const struct auth_usersupplied_info *user_info,
>- struct auth_serversupplied_info **server_info)
>+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
>+ const struct auth_context *auth_context,
>+ const struct auth_usersupplied_info *user_info,
>+ struct auth_serversupplied_info **pserver_info)
> {
> /* if all the modules say 'not for me' this is reasonable */
> NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
> const char *unix_username;
> auth_methods *auth_method;
>- TALLOC_CTX *mem_ctx;
>
>- if (!user_info || !auth_context || !server_info)
>+ if (user_info == NULL || auth_context == NULL || pserver_info == NULL) {
> return NT_STATUS_LOGON_FAILURE;
>+ }
>
> DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
> user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
>@@ -205,17 +206,27 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> return NT_STATUS_LOGON_FAILURE;
>
> for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
>+ struct auth_serversupplied_info *server_info;
>+ TALLOC_CTX *tmp_ctx;
> NTSTATUS result;
>
>- mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
>- user_info->mapped.domain_name, user_info->client.account_name);
>+ tmp_ctx = talloc_named(mem_ctx,
>+ 0,
>+ "%s authentication for user %s\\%s",
>+ auth_method->name,
>+ user_info->mapped.domain_name,
>+ user_info->client.account_name);
>
>- result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
>+ result = auth_method->auth(auth_context,
>+ auth_method->private_data,
>+ tmp_ctx,
>+ user_info,
>+ &server_info);
>
> /* check if the module did anything */
> if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
> DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
>- talloc_destroy(mem_ctx);
>+ TALLOC_FREE(tmp_ctx);
> continue;
> }
>
>@@ -229,19 +240,20 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
> }
>
>- talloc_destroy(mem_ctx);
>-
>- if ( NT_STATUS_IS_OK(nt_status))
>- {
>- break;
>+ if (NT_STATUS_IS_OK(nt_status)) {
>+ *pserver_info = talloc_steal(mem_ctx, server_info);
>+ TALLOC_FREE(tmp_ctx);
>+ break;
> }
>+
>+ TALLOC_FREE(tmp_ctx);
> }
>
> /* successful authentication */
>
> if (NT_STATUS_IS_OK(nt_status)) {
>- unix_username = (*server_info)->unix_name;
>- if (!(*server_info)->guest) {
>+ unix_username = (*pserver_info)->unix_name;
>+ if (!(*pserver_info)->guest) {
> const char *rhost;
>
> if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
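Review bot: The result of `tmp_ctx = talloc_named(mem_ctx, ...)` is never checked, so on allocation failure a NULL context is handed to `auth_method->auth()` and later to `TALLOC_FREE()`; the old `talloc_init()` call was equally unchecked, but since the loop is being rewritten anyway, `if (tmp_ctx == NULL) { return NT_STATUS_NO_MEMORY; }` after the call costs one line. The per-iteration `server_info` is also declared without an initialiser and is consumed only when `nt_status` is OK, so correctness depends on every module that reports success having set its out parameter; presumably they all do, but `struct auth_serversupplied_info *server_info = NULL;` would turn a module that does not into a NULL `*pserver_info` rather than an indeterminate pointer. The following `@@ -229` hunk shares this anchor; the function continues past both hunks.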
>@@ -270,9 +282,9 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> }
>
> if (NT_STATUS_IS_OK(nt_status)) {
>- DEBUG((*server_info)->guest ? 5 : 2,
>+ DEBUG((*pserver_info)->guest ? 5 : 2,
> ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
>- (*server_info)->guest ? "guest " : "",
>+ (*pserver_info)->guest ? "guest " : "",
> user_info->client.account_name,
> user_info->mapped.account_name,
> unix_username));
>@@ -286,7 +298,7 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
> DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
> user_info->client.account_name, user_info->mapped.account_name,
> nt_errstr(nt_status)));
>- ZERO_STRUCTP(server_info);
>+ ZERO_STRUCTP(pserver_info);
>
> return nt_status;
> }
>diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
>index f99bd44..cb7726c 100644
>--- a/source3/auth/auth_ntlmssp.c
>+++ b/source3/auth/auth_ntlmssp.c
>@@ -134,8 +134,10 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
>
> mapped_user_info->flags = user_info->flags;
>
>- nt_status = auth_check_ntlm_password(auth_context,
>- mapped_user_info, &server_info);
>+ nt_status = auth_check_ntlm_password(mem_ctx,
>+ auth_context,
>+ mapped_user_info,
>+ &server_info);
>
> if (!NT_STATUS_IS_OK(nt_status)) {
> DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
>diff --git a/source3/auth/proto.h b/source3/auth/proto.h
>index eac3e54..15b1ba0 100644
>--- a/source3/auth/proto.h
>+++ b/source3/auth/proto.h
>@@ -65,6 +65,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
> * struct. When the return is other than NT_STATUS_OK the contents
> * of that structure is undefined.
> *
>+ * @param mem_ctx The memory context to use to allocate server_info
>+ *
> * @param user_info Contains the user supplied components, including the passwords.
> * Must be created with make_user_info() or one of its wrappers.
> *
>@@ -79,9 +81,9 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
> * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
> *
> **/
>-
>-NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
>- const struct auth_usersupplied_info *user_info,
>+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
>+ const struct auth_context *auth_context,
>+ const struct auth_usersupplied_info *user_info,
> struct auth_serversupplied_info **server_info);
>
> /* The following definitions come from auth/auth_builtin.c */
>diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
>index e5ca474..0c8c9a5 100644
>--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
>+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
>@@ -1650,8 +1650,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> } /* end switch */
>
> if ( NT_STATUS_IS_OK(status) ) {
>- status = auth_check_ntlm_password(auth_context,
>- user_info, &server_info);
>+ status = auth_check_ntlm_password(p->mem_ctx,
>+ auth_context,
>+ user_info,
>+ &server_info);
> }
>
> TALLOC_FREE(auth_context);
>diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
>index 17da455..14d58b9 100644
>--- a/source3/torture/pdbtest.c
>+++ b/source3/torture/pdbtest.c
>@@ -304,7 +304,10 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
> return False;
> }
>
>- status = auth_check_ntlm_password(auth_context, user_info, &server_info);
>+ status = auth_check_ntlm_password(mem_ctx,
>+ auth_context,
>+ user_info,
>+ &server_info);
>
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
>--
>1.8.5.2
>
>
>From a48bcd84c59b5b2cb8c3e0f5d68b35065bed81d7 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Tue, 18 Feb 2014 13:52:49 +0100
>Subject: [PATCH 7/7] s3-auth: Pass mem_ctx to do_map_to_guest_server_info().
>
>Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>
>Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
>Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104
>
>(cherry picked from commit 79e2725f339e7c5336b4053348c4266268de6ca3)
>---
> source3/auth/auth_ntlmssp.c | 7 ++++---
> source3/auth/auth_util.c | 12 +++++++-----
> source3/auth/proto.h | 8 +++++---
> 3 files changed, 16 insertions(+), 11 deletions(-)
>
>diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
>index cb7726c..d4fe901 100644
>--- a/source3/auth/auth_ntlmssp.c
>+++ b/source3/auth/auth_ntlmssp.c
>@@ -151,10 +151,11 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
> free_user_info(&mapped_user_info);
>
> if (!NT_STATUS_IS_OK(nt_status)) {
>- nt_status = do_map_to_guest_server_info(nt_status,
>- &server_info,
>+ nt_status = do_map_to_guest_server_info(mem_ctx,
>+ nt_status,
> user_info->client.account_name,
>- user_info->client.domain_name);
>+ user_info->client.domain_name,
>+ &server_info);
> *server_returned_info = talloc_steal(mem_ctx, server_info);
> return nt_status;
> }
>diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
>index 24190af..8cf5cb7 100644
>--- a/source3/auth/auth_util.c
>+++ b/source3/auth/auth_util.c
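Review bot: Now that `do_map_to_guest_server_info()` receives `mem_ctx`, the context line `*server_returned_info = talloc_steal(mem_ctx, server_info);` steals an object that is presumably already allocated on `mem_ctx` (the auth_util.c hunk of this patch passes that context on to `make_server_info_guest()`), so the steal is a no-op and a plain `*server_returned_info = server_info;` states the ownership more honestly. This holds only if `make_server_info_guest()` allocates on the context it is given, which is not visible in this patch; if it does not, the steal is still needed and a comment saying why would help. The enclosing function continues outside the hunk.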
>@@ -1536,9 +1536,11 @@ bool is_trusted_domain(const char* dom_name)
> on a logon error possibly map the error to success if "map to guest"
> is set approriately
> */
>-NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
>- struct auth_serversupplied_info **server_info,
>- const char *user, const char *domain)
>+NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx,
>+ NTSTATUS status,
>+ const char *user,
>+ const char *domain,
>+ struct auth_serversupplied_info **server_info)
> {
> user = user ? user : "";
> domain = domain ? domain : "";
>@@ -1548,13 +1550,13 @@ NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
> (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
> DEBUG(3,("No such user %s [%s] - using guest account\n",
> user, domain));
>- return make_server_info_guest(NULL, server_info);
>+ return make_server_info_guest(mem_ctx, server_info);
> }
> } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
> if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
> DEBUG(3,("Registered username %s for guest access\n",
> user));
>- return make_server_info_guest(NULL, server_info);
>+ return make_server_info_guest(mem_ctx, server_info);
> }
> }
> 
>diff --git a/source3/auth/proto.h b/source3/auth/proto.h
>index 15b1ba0..7b8959f 100644
>--- a/source3/auth/proto.h
>+++ b/source3/auth/proto.h
>@@ -264,9 +264,11 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
> enum auth_password_state password_state);
> void free_user_info(struct auth_usersupplied_info **user_info);
> 
>-NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
>- struct auth_serversupplied_info **server_info,
>- const char *user, const char *domain);
>+NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx,
>+ NTSTATUS status,
>+ const char *user,
>+ const char *domain,
>+ struct auth_serversupplied_info **server_info);
> 
> /* The following definitions come from auth/auth_winbind.c */
> 
>--
>1.8.5.2
>
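Review bot: The comment above `do_map_to_guest_server_info` in the first auth_util.c hunk still describes only the mapping rule and says nothing about the new `mem_ctx` parameter or the re-ordered argument list, while the second hunk makes `mem_ctx` the owner of the guest server_info that `make_server_info_guest` previously hung off NULL. A line such as `mem_ctx owns *server_info when the error is mapped to guest; otherwise status is returned unchanged` would record the ownership contract callers now depend on, assuming the non-mapped paths (the body continues past the second hunk) leave *server_info untouched. The parameter re-order is safe in the sense that any caller missed by this patch fails to compile rather than silently passing arguments in the wrong slots; the matching proto.h hunk keeps the declaration in step.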
Flags:
asn
:
review?
(
gd
)
asn
:
review?
(
ddiss
)
jra
:
review+