The branch, v4-2-test has been updated
       via  60748d1 s3:passdb: let pdb_get_trust_credentials() try pdb_get_trusteddom_creds() first
       via  26c011d s3:passdb: add optional get_trusteddom_creds() hooks
       via  611e95e pdb: fix build issues with shared modules
       via  ddc2bba s3:idmap_cache: remove unused idmap_cache_set_sid2[u|g]id()
       via  dac59a2 pdb: Increase version number to fix ABI
       via  1a91c09 idmap: return the correct id type to *id_to_sid methods
       via  d655b56 idmap: unify passdb *id_to_sid methods
       via  0c32df4 s3:passdb: avoid invalid pointer type warnings in pdb_wbc_sam.c
       via  f87e9b1 s3:passdb: always copy the history in pdb_set_plaintext_passwd()
       via  f1f0ca3 pdb_tdb: Avoid a nasty error message with ctdb
       via  a681688 pdb_tdb: don't leak state_path onto talloc tos
       via  741ac3b account_pol: don't leak state_path onto talloc tos
       via  b14bed4 passdb: Use common code in cli_credentials_set_machine_account_db_ctx()
       via  d26278a auth/credentials: Ensure that we set the realm when reading secrets.tdb
       via  e3b6d3b credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()
       via  a81b814 credentials: Improve error message on failure to set machine account password
       via  a13c21b credentials: Set secure_channel_type from secrets.tdb in cli_credentials_set_machine_account
       via  f80a108 s3:locking: fix uninitialiazed variable in brl_get_locks_readonly_parser()
      from  5d3a3c8b ctdb-build: fix build without xsltproc

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test


- Log -----------------------------------------------------------------
commit 60748d1153491cccbcaa354b88cc4d7203c8223b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 15:05:17 2014 +0000

    s3:passdb: let pdb_get_trust_credentials() try pdb_get_trusteddom_creds() first
    
    NT_STATUS_NOT_IMPLEMENTED lets it fallback to the old get_trust_pw_clear2()
    code.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Thu Dec 18 06:46:05 CET 2014 on sn-devel-104
    
    (cherry picked from commit 12aaafd2971ac71823ccbebda7b2afd689239770)
    
    Autobuild-User(v4-2-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-2-test): Thu Dec 18 13:06:40 CET 2014 on sn-devel-104

commit 26c011d33c561fac1c6c8ab4ac32a706ac535312
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 11 10:52:53 2014 +0000

    s3:passdb: add optional get_trusteddom_creds() hooks
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 8e90b93ddceabd582cb28e40882036e7772608aa)

commit 611e95e02085ff75a7e76c78e38700431a83d000
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Thu Dec 4 10:44:26 2014 +1300

    pdb: fix build issues with shared modules
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10355
    
    Change-Id: I26e78b56ead0c66afcda6b3fb8b1fd09130b24a5
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 7a9147dab593a495c5ed5e1157ec8eb8a2809586)

commit ddc2bba9e1f0339dceae60189717ae1c6716b7a7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 29 10:52:05 2014 +0100

    s3:idmap_cache: remove unused idmap_cache_set_sid2[u|g]id()
    
    Change-Id: I40bcfacb812b0dac7917533c9baf82a79f598efd
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>
    
    Autobuild-User(master): Garming Sam <garm...@samba.org>
    Autobuild-Date(master): Wed Dec  3 06:44:29 CET 2014 on sn-devel-104
    
    (cherry picked from commit 816751a3a8ed564f2cf880fd1ca3b1e8f9c85471)

commit dac59a2b62bda35c075c61a943fc03dfc0f3c93c
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Tue Nov 25 14:56:45 2014 +1300

    pdb: Increase version number to fix ABI
    
    In the process, we can also rename pdb to avoid conflicts with libpdb.
    
    We don't depend directly on pdb to avoid duplicate symbols.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10355
    Change-Id: I4df6ba2f4ce35d3718dc4198b527cca46a139efe
    Pair-programmed-with: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 3b76b705f03b8f639ece2308afdc0962d230c42a)

commit 1a91c09bbd42dddb7f65983aa93b70cd5b93cbf0
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Wed Nov 26 15:33:35 2014 +1300

    idmap: return the correct id type to *id_to_sid methods
    
    We have a pointer to a unixid which is sent down instead of a uid or
    gid. We can use this as an in-out variable so that pdb_samba_dsdb can be
    returned ID_TYPE_BOTH to cache correctly instead of leaving it as
    ID_TYPE_UID or ID_TYPE_GID.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720
    
    Change-Id: I0cef2e419cbb337531244b7b41c708cf2ab883e3
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 58b343be4742b3ba1f447701a8254453c21af413)

commit d655b56996e3cba4bd0cc2a2b655ccb06f454310
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Tue Nov 25 14:45:26 2014 +1300

    idmap: unify passdb *id_to_sid methods
    
    Instead of passing down gid or uid, a pointer to a unixid is now sent
    down. This acts as an in-out variable so that the idmap functions can
    correctly receive ID_TYPE_BOTH, filling in cache details correctly
    rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720
    
    Change-Id: I11409a0f498e61a3c0a6ae606dd7af1135e6b066
    Pair-programmed-with: Andrew Bartlett <abar...@samba.org>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 7979c6cc50eaa792e5094866878c63df36e715c3)

commit 0c32df451437529b5e551035e9c806eabc0054c8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 26 20:16:26 2014 +0100

    s3:passdb: avoid invalid pointer type warnings in pdb_wbc_sam.c
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 7ec8401f82994070eaaf81ff067c0cd0576d58e3)

commit f87e9b1d69d2f2039e7691dfc404618c16c41c6d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 26 20:16:26 2014 +0100

    s3:passdb: always copy the history in pdb_set_plaintext_passwd()
    
    We should not write to memory marked as const
    (returned from pdb_get_pw_history())!
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 966192ee16d6802da5c2b046d2488ddd1a7ec960)

commit f1f0ca3e5c548013f9a9fcff073a07f84a6fdbb6
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Nov 11 10:36:23 2014 +0000

    pdb_tdb: Avoid a nasty error message with ctdb
    
    ctdb gives us 0-sized records for deleted passdb entries
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>
    
    Autobuild-User(master): David Disseldorp <dd...@samba.org>
    Autobuild-Date(master): Tue Nov 11 16:19:37 CET 2014 on sn-devel-104
    
    (cherry picked from commit c2bda5bfae2cac4e473f2ae42775d2e35995c790)

commit a681688f63fe848b1474ebe9dd088d2722d2b3f2
Author: David Disseldorp <dd...@samba.org>
Date:   Sun Nov 2 20:21:28 2014 +0100

    pdb_tdb: don't leak state_path onto talloc tos
    
    Also check for allocation failures.
    
    Signed-off-by: David Disseldorp <dd...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 6d5b8dd70e542840a96c45b916b1bd2b9685697f)

commit 741ac3b58ece43981e98e56c599bfd40b50d09bd
Author: David Disseldorp <dd...@samba.org>
Date:   Sun Nov 2 20:21:27 2014 +0100

    account_pol: don't leak state_path onto talloc tos
    
    Also check for allocation failures.
    
    Signed-off-by: David Disseldorp <dd...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit f88535e56e23e27492851c0fc6e9a86cfdaab041)

commit b14bed45da261591000e439234ee6120f00a5ccd
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 3 06:35:28 2014 +1300

    passdb: Use common code in cli_credentials_set_machine_account_db_ctx()
    
    This avoids some duplication in setting the machine account password
    for the domain member and DC case.
    
    This does not yet remove the duplication, that requires a bigger
    restructure of the various routines used here to obtain the machine
    and domain trust secrets.
    
    Also no longer used is the timeout/2 code to not set the previous
    password.  It is now always passed to the caller.
    
    Andrew Bartlett
    
    Change-Id: Idd5bafedf4cbac30b174955d743ec4128a6902ee
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 37f5d822d636d4286bd8ee64c7e9e44ae1a297e1)

commit d26278a01ade800d0cfbdfa71f675efd522d1faf
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Oct 6 13:51:25 2014 +1300

    auth/credentials: Ensure that we set the realm when reading secrets.tdb
    
    Otherwise, we try and kinit as host$@DOMAIN and that will not work.
    
    Andrew Bartlett
    
    Change-Id: Id2fde673423e74dfa1e6ac48f47f49c61ee59779
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit e9dc6423d3f1ab3401314e134ecc574fc5d4c18b)

commit e3b6d3be9fe0b8fbc5d91a8c2e575a2a82bf5e5f
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 3 06:32:39 2014 +1300

    credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()
    
    This adds a new wrapper, cli_credentials_set_machine_account_db_ctx()
    
    Andrew Bartlett
    
    Change-Id: Ia2cceefede4ba9cf7f8de41986daf9372c19d997
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 35b8ed7710f60abcc70e0b070afc16bf3faef263)

commit a81b814b7df43de2106cfdbc9453c6d8e3394403
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 3 05:14:56 2014 +1300

    credentials: Improve error message on failure to set machine account password
    
    Change-Id: I4136067d6d0e5cfe92770a2e7efa39f4ebcb2aca
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 89daf5dc534ab03724a2622d3b6b4d6783756bae)

commit a13c21bd3ccc631a7b4c8cc0c68e694ec0c71c51
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 3 05:14:21 2014 +1300

    credentials: Set secure_channel_type from secrets.tdb in cli_credentials_set_machine_account
    
    This should ensure more parts of the source4 code can work with a
    password set in secrets.tdb.
    
    Andrew Bartlett
    
    Change-Id: I4a890a719246b073898333d2e04841904c6e1a5d
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit adb3eb79ea828b6e6e1858c3d1b8b5ffe868f8ed)

commit f80a108f22eb87a0817529382a3f6bc46bfdeaa4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 17 10:43:33 2014 +0100

    s3:locking: fix uninitialiazed variable in brl_get_locks_readonly_parser()
    
    In a cluster this can be called with an empty record, while
    brl_parse_data() relies on an initialized structure.
    
    This is a regression in commit 837e29035c911f3509135252c3f423d0f56b606d.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10911
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 6bc41c459f6da7de62d2113590bc7d0c2d04e136)

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials.h                     | 16 ++++
 auth/credentials/credentials_secrets.c             | 87 +++++++++++++++++-----
 source3/include/passdb.h                           | 36 +++++++--
 source3/lib/idmap_cache.c                          | 72 ------------------
 source3/lib/idmap_cache.h                          |  2 -
 source3/locking/brlock.c                           |  1 +
 .../{pdb-0.1.2.sigs => samba-passdb-0.2.0.sigs}    |  3 +-
 .../{pdb-0.1.2.sigs => samba-passdb-0.24.1.sigs}   |  4 +-
 source3/passdb/account_pol.c                       | 12 ++-
 source3/passdb/lookup_sid.c                        | 19 ++++-
 source3/passdb/passdb.c                            | 59 ++++++++++++++-
 source3/passdb/pdb_get_set.c                       | 33 ++++----
 source3/passdb/pdb_interface.c                     | 68 ++++++++++-------
 source3/passdb/pdb_ldap.c                          | 24 +++++-
 source3/passdb/pdb_samba_dsdb.c                    | 46 ++++--------
 source3/passdb/pdb_tdb.c                           | 16 +++-
 source3/passdb/pdb_wbc_sam.c                       | 42 +++++++----
 source3/passdb/py_passdb.c                         | 13 +++-
 source3/utils/net_sam.c                            |  6 +-
 source3/winbindd/idmap_passdb.c                    | 16 +---
 source3/winbindd/wscript_build                     |  2 +-
 source3/wscript_build                              | 31 ++++----
 source4/winbind/idmap.c                            | 20 ++++-
 23 files changed, 391 insertions(+), 237 deletions(-)
 copy source3/passdb/ABI/{pdb-0.1.2.sigs => samba-passdb-0.2.0.sigs} (99%)
 copy source3/passdb/ABI/{pdb-0.1.2.sigs => samba-passdb-0.24.1.sigs} (99%)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index fdd35bb..2da47d2 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -36,6 +36,7 @@ struct ccache_container;
 struct gssapi_creds_container;
 struct smb_krb5_context;
 struct keytab_container;
+struct db_context;
 
 /* In order of priority */
 enum credentials_obtained { 
@@ -161,6 +162,21 @@ NTSTATUS cli_credentials_set_stored_principal(struct 
cli_credentials *cred,
                                              const char *serviceprincipal);
 NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
                                             struct loadparm_context *lp_ctx);
+/**
+ * Fill in credentials for the machine trust account, from the
+ * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
+ *
+ * This version is used in parts of the code that can link in the
+ * CTDB dbwrap backend, by passing down the already open handle.
+ *
+ * @param cred Credentials structure to fill in
+ * @param db_ctx dbwrap context for secrets.tdb
+ * @retval NTSTATUS error detailing any failure
+ */
+NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials 
*cred,
+                                                   struct loadparm_context 
*lp_ctx,
+                                                   struct db_context *db_ctx);
+
 bool cli_credentials_authentication_requested(struct cli_credentials *cred);
 void cli_credentials_guess(struct cli_credentials *cred,
                           struct loadparm_context *lp_ctx);
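Review bot: the doc comment on cli_credentials_set_machine_account_db_ctx() documents cred and db_ctx but has no @param for lp_ctx, which the prototype takes. It should also say that db_ctx may be NULL, since the wrapper in credentials_secrets.c passes the result of dbwrap_local_open() down without checking it and the callee tests "if (db_ctx)".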
diff --git a/auth/credentials/credentials_secrets.c 
b/auth/credentials/credentials_secrets.c
index 625ce20..d259a4d 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -231,6 +231,43 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct 
cli_credentials *cred,
 _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials 
*cred,
                                                      struct loadparm_context 
*lp_ctx)
 {
+       struct db_context *db_ctx;
+       char *secrets_tdb_path;
+
+       secrets_tdb_path = lpcfg_private_db_path(cred, lp_ctx, "secrets");
+       if (secrets_tdb_path == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb_path, 0,
+                                  TDB_DEFAULT, O_RDWR, 0600,
+                                  DBWRAP_LOCK_ORDER_1,
+                                  DBWRAP_FLAG_NONE);
+       TALLOC_FREE(secrets_tdb_path);
+
+       /*
+        * We do not check for errors here, we might not have a
+        * secrets.tdb at all, and so we just need to check the
+        * secrets.ldb
+        */
+       return cli_credentials_set_machine_account_db_ctx(cred, lp_ctx, db_ctx);
+}
+
+/**
+ * Fill in credentials for the machine trust account, from the
+ * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
+ *
+ * This version is used in parts of the code that can link in the
+ * CTDB dbwrap backend, by passing down the already open handle.
+ *
+ * @param cred Credentials structure to fill in
+ * @param db_ctx dbwrap context for secrets.tdb
+ * @retval NTSTATUS error detailing any failure
+ */
+_PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct 
cli_credentials *cred,
+                                                            struct 
loadparm_context *lp_ctx,
+                                                            struct db_context 
*db_ctx)
+{
        NTSTATUS status;
        char *filter;
        char *error_string;
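Review bot: the handle from dbwrap_local_open(cred, ...) in the new cli_credentials_set_machine_account() wrapper is never released, so every call leaves an open secrets.tdb handle parented to cred after the _db_ctx() call returns. Suggest keeping the result in a status variable, doing TALLOC_FREE(db_ctx), and then returning it. The open also asks for O_RDWR, while the accesses shown in this patch are dbwrap_fetch() reads; if nothing on this path writes, a read-only open would be the narrower choice for a file that holds the machine password.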
@@ -239,24 +276,14 @@ _PUBLIC_ NTSTATUS 
cli_credentials_set_machine_account(struct cli_credentials *cr
        time_t secrets_tdb_lct = 0;
        char *secrets_tdb_password = NULL;
        char *secrets_tdb_old_password = NULL;
+       uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL;
        char *keystr;
        char *keystr_upper = NULL;
-       char *secrets_tdb;
-       struct db_context *db_ctx;
        TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, 
"cli_credentials_set_secrets from ldb");
        if (!tmp_ctx) {
                return NT_STATUS_NO_MEMORY;
        }
-       secrets_tdb = lpcfg_private_db_path(cred, lp_ctx, "secrets");
-       if (!secrets_tdb) {
-               TALLOC_FREE(tmp_ctx);
-               return NT_STATUS_NO_MEMORY;
-       }
-               
-       db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb, 0,
-                                  TDB_DEFAULT, O_RDWR, 0600,
-                                  DBWRAP_LOCK_ORDER_1,
-                                  DBWRAP_FLAG_NONE);
+
        /* Bleh, nasty recursion issues: We are setting a machine
         * account here, so we don't want the 'pending' flag around
         * any more */
@@ -287,6 +314,7 @@ _PUBLIC_ NTSTATUS 
cli_credentials_set_machine_account(struct cli_credentials *cr
                if (NT_STATUS_IS_OK(status)) {
                        secrets_tdb_password = (char *)dbuf.dptr;
                }
+
                keystr = talloc_asprintf(tmp_ctx, "%s/%s",
                                         SECRETS_MACHINE_PASSWORD_PREV,
                                         domain);
@@ -296,6 +324,16 @@ _PUBLIC_ NTSTATUS 
cli_credentials_set_machine_account(struct cli_credentials *cr
                if (NT_STATUS_IS_OK(status)) {
                        secrets_tdb_old_password = (char *)dbuf.dptr;
                }
+
+               keystr = talloc_asprintf(tmp_ctx, "%s/%s",
+                                        SECRETS_MACHINE_SEC_CHANNEL_TYPE,
+                                        domain);
+               keystr_upper = strupper_talloc(tmp_ctx, keystr);
+               status = dbwrap_fetch(db_ctx, tmp_ctx, 
string_tdb_data(keystr_upper),
+                                     &dbuf);
+               if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) {
+                       secrets_tdb_secure_channel_type = IVAL(dbuf.dptr,0);
+               }
        }
 
        filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, 
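Review bot: in the added SECRETS_MACHINE_SEC_CHANNEL_TYPE lookup, neither the talloc_asprintf() result in keystr nor the strupper_talloc() result in keystr_upper is checked before it reaches string_tdb_data(), so an allocation failure is carried into the fetch. A NULL check that frees tmp_ctx and returns NT_STATUS_NO_MEMORY would close that. The "dbuf.dsize == 4" guard before IVAL() is the right bound check, but a record of any other size is silently treated as SEC_CHAN_NULL; a DEBUG line for that case would make a corrupt entry visible.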
@@ -321,20 +359,35 @@ _PUBLIC_ NTSTATUS 
cli_credentials_set_machine_account(struct cli_credentials *cr
                cli_credentials_set_password(cred, secrets_tdb_password, 
CRED_SPECIFIED);
                cli_credentials_set_old_password(cred, 
secrets_tdb_old_password, CRED_SPECIFIED);
                cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
+               if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
+                       cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), 
CRED_SPECIFIED);
+               }
                cli_credentials_set_username(cred, machine_account, 
CRED_SPECIFIED);
                cli_credentials_set_password_last_changed_time(cred, 
secrets_tdb_lct);
+               cli_credentials_set_secure_channel_type(cred, 
secrets_tdb_secure_channel_type);
                status = NT_STATUS_OK;
        } else if (!NT_STATUS_IS_OK(status)) {
                if (db_ctx) {
-                       error_string = talloc_asprintf(cred,
-                                                      "Failed to fetch machine 
account password from "
-                                                      "secrets.ldb: %s and 
failed to fetch %s from %s",
-                                                      error_string, 
keystr_upper, secrets_tdb);
+                       error_string
+                               = talloc_asprintf(cred,
+                                                 "Failed to fetch machine 
account password for %s from both "
+                                                 "secrets.ldb (%s) and from 
%s",
+                                                 domain, error_string,
+                                                 dbwrap_name(db_ctx));
                } else {
+                       char *secrets_tdb_path;
+
+                       secrets_tdb_path = lpcfg_private_db_path(tmp_ctx,
+                                                                lp_ctx,
+                                                                "secrets");
+                       if (secrets_tdb_path == NULL) {
+                               return NT_STATUS_NO_MEMORY;
+                       }
+
                        error_string = talloc_asprintf(cred,
                                                       "Failed to fetch machine 
account password from "
                                                       "secrets.ldb: %s and 
failed to open %s",
-                                                      error_string, 
secrets_tdb);
+                                                      error_string, 
secrets_tdb_path);
                }
                DEBUG(1, ("Could not find machine account in secrets database: 
%s: %s\n", 
                          error_string, nt_errstr(status)));
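Review bot: the new "return NT_STATUS_NO_MEMORY;" in the else branch, taken when lpcfg_private_db_path() fails, leaves the function without freeing tmp_ctx, which was created with talloc_named(cred, ...) and therefore stays attached to cred. The code this patch removes did TALLOC_FREE(tmp_ctx) before the same return; the new path should do the same. Separately, cli_credentials_set_secure_channel_type() is now called even when no channel type record was found, so it stores SEC_CHAN_NULL; worth confirming that callers treat that value as "unknown" and not as a valid type.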
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index 86cb16e..893d0d0 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -34,6 +34,7 @@
 #include "../librpc/gen_ndr/lsa.h"
 #include <tevent.h>
 struct unixid;
+struct cli_credentials;
 
 /* group mapping headers */
 
@@ -415,9 +416,11 @@ enum pdb_policy_type {
  * Changed to 21, set/enum_upn_suffixes. AB.
  * Changed to 22, idmap control functions
  * Changed to 23, new idmap control functions
+ * Changed to 24, removed uid_to_sid and gid_to_sid, replaced with id_to_sid
+ * Leave at 24, add optional get_trusteddom_creds()
  */
 
-#define PASSDB_INTERFACE_VERSION 23
+#define PASSDB_INTERFACE_VERSION 24
 
 struct pdb_methods 
 {
@@ -560,10 +563,16 @@ struct pdb_methods
                               struct pdb_search *search,
                               const struct dom_sid *sid);
 
-       bool (*uid_to_sid)(struct pdb_methods *methods, uid_t uid,
-                          struct dom_sid *sid);
-       bool (*gid_to_sid)(struct pdb_methods *methods, gid_t gid,
-                          struct dom_sid *sid);
+       /* 
+        * Instead of passing down a gid or uid, this function sends down a 
pointer
+        * to a unixid. 
+        *
+        * This acts as an in-out variable so that the idmap functions can 
correctly
+        * receive ID_TYPE_BOTH, filling in cache details correctly rather than 
forcing
+        * the cache to store ID_TYPE_UID or ID_TYPE_GID. 
+        */
+       bool (*id_to_sid)(struct pdb_methods *methods, struct unixid *id,
+                         struct dom_sid *sid);
        bool (*sid_to_id)(struct pdb_methods *methods, const struct dom_sid 
*sid,
                          struct unixid *id);
 
@@ -574,6 +583,10 @@ struct pdb_methods
        bool (*get_trusteddom_pw)(struct pdb_methods *methods,
                                  const char *domain, char** pwd, 
                                  struct dom_sid *sid, time_t 
*pass_last_set_time);
+       NTSTATUS (*get_trusteddom_creds)(struct pdb_methods *methods,
+                                        const char *domain,
+                                        TALLOC_CTX *mem_ctx,
+                                        struct cli_credentials **creds);
        bool (*set_trusteddom_pw)(struct pdb_methods *methods, 
                                  const char* domain, const char* pwd,
                                  const struct dom_sid *sid);
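Review bot: get_trusteddom_creds is inserted between get_trusteddom_pw and set_trusteddom_pw, which shifts every later member of struct pdb_methods, while the version comment above says "Leave at 24, add optional get_trusteddom_creds()". A module built against a version 24 header that lacks this hook would still report 24 but use a different struct layout. Either bump PASSDB_INTERFACE_VERSION again, or extend the comment to say that no version 24 header without the hook was ever shipped.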
@@ -889,8 +902,15 @@ NTSTATUS pdb_lookup_names(const struct dom_sid *domain_sid,
 bool pdb_get_account_policy(enum pdb_policy_type type, uint32_t *value);
 bool pdb_set_account_policy(enum pdb_policy_type type, uint32_t value);
 bool pdb_get_seq_num(time_t *seq_num);
-bool pdb_uid_to_sid(uid_t uid, struct dom_sid *sid);
-bool pdb_gid_to_sid(gid_t gid, struct dom_sid *sid);
+/* 
+ * Instead of passing down a gid or uid, this function sends down a pointer
+ * to a unixid. 
+ *
+ * This acts as an in-out variable so that the idmap functions can correctly
+ * receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing
+ * the cache to store ID_TYPE_UID or ID_TYPE_GID. 
+ */
+bool pdb_id_to_sid(struct unixid *id, struct dom_sid *sid);
 bool pdb_sid_to_id(const struct dom_sid *sid, struct unixid *id);
 uint32_t pdb_capabilities(void);
 bool pdb_new_rid(uint32_t *rid);
@@ -905,6 +925,8 @@ uint32_t pdb_search_entries(struct pdb_search *search,
                          struct samr_displayentry **result);
 bool pdb_get_trusteddom_pw(const char *domain, char** pwd, struct dom_sid *sid,
                           time_t *pass_last_set_time);
+NTSTATUS pdb_get_trusteddom_creds(const char *domain, TALLOC_CTX *mem_ctx,
+                                 struct cli_credentials **creds);
 bool pdb_set_trusteddom_pw(const char* domain, const char* pwd,
                           const struct dom_sid *sid);
 bool pdb_del_trusteddom_pw(const char *domain);
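Review bot: the pdb_get_trusteddom_creds() prototype is added with no comment, although the commit message relies on a specific return value: NT_STATUS_NOT_IMPLEMENTED makes pdb_get_trust_credentials() fall back to the old get_trust_pw_clear2() code. That convention, and the ownership of *creds on mem_ctx, should be documented here, because a backend that returns any other error for "not supported" would turn the fallback into a hard failure.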
diff --git a/source3/lib/idmap_cache.c b/source3/lib/idmap_cache.c
index 8844171..11bda39 100644
--- a/source3/lib/idmap_cache.c
+++ b/source3/lib/idmap_cache.c
@@ -346,78 +346,6 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, 
struct unixid *unix_i
        }
 }
 
-/**
- * Store a mapping in the idmap cache
- * @param[in] sid              the sid to map
- * @param[in] uid              the uid to map
- *
- * If both parameters are valid values, then a positive mapping in both
- * directions is stored. If "is_null_sid(sid)" is true, then this will be a
- * negative mapping of uid, we want to cache that for this uid we could not
- * find anything. Likewise if "uid==-1", then we want to cache that we did not
- * find a mapping for the sid passed here.
- */
-
-void idmap_cache_set_sid2uid(const struct dom_sid *sid, uid_t uid)
-{
-       struct unixid id;
-       id.type = ID_TYPE_UID;
-       id.id = uid;
-
-       if (uid == -1) {
-               uid_t tmp_gid;
-               bool expired;
-               /* If we were asked to invalidate this SID -> UID
-                * mapping, it was because we found out that this was
-                * not a UID at all.  Do not overwrite a valid GID or
-                * BOTH mapping */
-               if (idmap_cache_find_sid2gid(sid, &tmp_gid, &expired)) {
-                       if (!expired) {
-                               return;
-                       }
-               }
-       }
-
-       idmap_cache_set_sid2unixid(sid, &id);
-       return;
-}
-
-/**
- * Store a mapping in the idmap cache
- * @param[in] sid              the sid to map
- * @param[in] gid              the gid to map
- *
- * If both parameters are valid values, then a positive mapping in both
- * directions is stored. If "is_null_sid(sid)" is true, then this will be a
- * negative mapping of gid, we want to cache that for this gid we could not
- * find anything. Likewise if "gid==-1", then we want to cache that we did not
- * find a mapping for the sid passed here.
- */
-
-void idmap_cache_set_sid2gid(const struct dom_sid *sid, gid_t gid)
-{
-       struct unixid id;
-       id.type = ID_TYPE_GID;
-       id.id = gid;
-
-       if (gid == -1) {
-               uid_t tmp_uid;
-               bool expired;
-               /* If we were asked to invalidate this SID -> GID
-                * mapping, it was because we found out that this was
-                * not a GID at all.  Do not overwrite a valid UID or
-                * BOTH mapping */
-               if (idmap_cache_find_sid2uid(sid, &tmp_uid, &expired)) {
-                       if (!expired) {
-                               return;
-                       }
-               }
-       }
-
-       idmap_cache_set_sid2unixid(sid, &id);
-       return;
-}
-
 static char* key_xid2sid_str(TALLOC_CTX* mem_ctx, char t, const char* id) {
        return talloc_asprintf(mem_ctx, "IDMAP/%cID2SID/%s", t, id);
 }
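Review bot: the deleted idmap_cache_set_sid2uid() and idmap_cache_set_sid2gid() carried a guard for the -1 case ("Do not overwrite a valid GID or BOTH mapping") before calling idmap_cache_set_sid2unixid(). The commit calls them unused, which is fine, but the commit message should confirm that the remaining direct callers of idmap_cache_set_sid2unixid() never pass a negative mapping that could replace a valid entry of the other type, since that protection is not visible anywhere else in this patch.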
diff --git a/source3/lib/idmap_cache.h b/source3/lib/idmap_cache.h
index 0885266..5b8586f 100644
--- a/source3/lib/idmap_cache.h
+++ b/source3/lib/idmap_cache.h
@@ -32,8 +32,6 @@ bool idmap_cache_find_sid2gid(const struct dom_sid *sid, 
gid_t *pgid,
 bool idmap_cache_find_uid2sid(uid_t uid, struct dom_sid *sid, bool *expired);
 bool idmap_cache_find_gid2sid(gid_t gid, struct dom_sid *sid, bool *expired);
 void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid 
*unix_id);
-void idmap_cache_set_sid2uid(const struct dom_sid *sid, uid_t uid);
-void idmap_cache_set_sid2gid(const struct dom_sid *sid, gid_t gid);
 
 bool idmap_cache_del_uid(uid_t uid);
 bool idmap_cache_del_gid(gid_t gid);
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
index b7dcb41..7d4d838 100644
--- a/source3/locking/brlock.c
+++ b/source3/locking/brlock.c
@@ -2005,6 +2005,7 @@ static void brl_get_locks_readonly_parser(TDB_DATA key, 
TDB_DATA data,
                *state->br_lock = NULL;
                return;
        }
+       *br_lck = (struct byte_range_lock) {};
        if (!brl_parse_data(br_lck, data)) {
                *state->br_lock = NULL;
                return;
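Review bot: "*br_lck = (struct byte_range_lock) {};" uses an empty initializer list, which is a compiler extension and not valid ISO C before C23; ZERO_STRUCTP(br_lck) or an explicit "{ 0 }" would be portable. A one-line comment saying that brl_parse_data() relies on a zeroed structure when the record is empty would also keep this line from being removed as redundant later.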
diff --git a/source3/passdb/ABI/pdb-0.1.2.sigs 
b/source3/passdb/ABI/samba-passdb-0.2.0.sigs
similarity index 99%
copy from source3/passdb/ABI/pdb-0.1.2.sigs
copy to source3/passdb/ABI/samba-passdb-0.2.0.sigs
index 8b97bac..e2246f6 100644
--- a/source3/passdb/ABI/pdb-0.1.2.sigs
+++ b/source3/passdb/ABI/samba-passdb-0.2.0.sigs
@@ -173,8 +173,8 @@ pdb_gethexhours: bool (const char *, unsigned char *)
 pdb_gethexpwd: bool (const char *, unsigned char *)
 pdb_getsampwnam: bool (struct samu *, const char *)
 pdb_getsampwsid: bool (struct samu *, const struct dom_sid *)
-pdb_gid_to_sid: bool (gid_t, struct dom_sid *)
 pdb_group_rid_to_gid: gid_t (uint32_t)
+pdb_id_to_sid: bool (struct unixid *, struct dom_sid *)
 pdb_increment_bad_password_count: bool (struct samu *)
 pdb_is_password_change_time_max: bool (time_t)
 pdb_is_responsible_for_builtin: bool (void)
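Review bot: Dropping pdb_gid_to_sid here (and pdb_uid_to_sid in the next hunk) removes exported symbols instead of keeping them beside the new pdb_id_to_sid, so any passdb module built against pdb-0.1.2 that still calls the old functions will no longer resolve them. The new file name samba-passdb-0.2.0.sigs shows the version was bumped for this. The commit message or release notes should say explicitly that callers must switch to pdb_id_to_sid with a `struct unixid`, and that its first argument is a non-const pointer and may therefore be written to.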
@@ -249,7 +249,6 @@ pdb_sethexhours: void (char *, const unsigned char *)
 pdb_sethexpwd: void (char *, const unsigned char *, uint32_t)
 pdb_sid_to_id: bool (const struct dom_sid *, struct unixid *)
 pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct 
unixid *)
-pdb_uid_to_sid: bool (uid_t, struct dom_sid *)
 pdb_update_autolock_flag: bool (struct samu *, bool *)
 pdb_update_bad_password_count: bool (struct samu *, bool *)
 pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *)
diff --git a/source3/passdb/ABI/pdb-0.1.2.sigs 
b/source3/passdb/ABI/samba-passdb-0.24.1.sigs
similarity index 99%
copy from source3/passdb/ABI/pdb-0.1.2.sigs
copy to source3/passdb/ABI/samba-passdb-0.24.1.sigs
index 8b97bac..e5885d0 100644
--- a/source3/passdb/ABI/pdb-0.1.2.sigs
+++ b/source3/passdb/ABI/samba-passdb-0.24.1.sigs
@@ -160,6 +160,7 @@ pdb_get_tevent_context: struct tevent_context *(void)
 pdb_get_trust_credentials: NTSTATUS (const char *, const char *, TALLOC_CTX *, 
struct cli_credentials **)
 pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct 
pdb_trusted_domain **)
 pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *, 
struct pdb_trusted_domain **)
+pdb_get_trusteddom_creds: NTSTATUS (const char *, TALLOC_CTX *, struct 
cli_credentials **)
 pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *)
 pdb_get_unknown_6: uint32_t (const struct samu *)
 pdb_get_user_rid: uint32_t (const struct samu *)
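Review bot: The new export pdb_get_trusteddom_creds sits between pdb_get_trust_credentials and pdb_get_trusteddom_pw with a near-identical name but a different argument list (one `const char *` instead of two, plus a TALLOC_CTX and a `struct cli_credentials **`). The header should document which of the three a caller is expected to use, which status code means "backend does not implement this", and that the returned credentials are owned by the passed TALLOC_CTX, so that secrets are not kept alive longer than the caller intends.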
@@ -173,8 +174,8 @@ pdb_gethexhours: bool (const char *, unsigned char *)
 pdb_gethexpwd: bool (const char *, unsigned char *)
 pdb_getsampwnam: bool (struct samu *, const char *)
 pdb_getsampwsid: bool (struct samu *, const struct dom_sid *)
-pdb_gid_to_sid: bool (gid_t, struct dom_sid *)
 pdb_group_rid_to_gid: gid_t (uint32_t)
+pdb_id_to_sid: bool (struct unixid *, struct dom_sid *)
 pdb_increment_bad_password_count: bool (struct samu *)
 pdb_is_password_change_time_max: bool (time_t)
 pdb_is_responsible_for_builtin: bool (void)
@@ -249,7 +250,6 @@ pdb_sethexhours: void (char *, const unsigned char *)
 pdb_sethexpwd: void (char *, const unsigned char *, uint32_t)
 pdb_sid_to_id: bool (const struct dom_sid *, struct unixid *)
 pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct 
unixid *)
-pdb_uid_to_sid: bool (uid_t, struct dom_sid *)
 pdb_update_autolock_flag: bool (struct samu *, bool *)
 pdb_update_bad_password_count: bool (struct samu *, bool *)
 pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *)
diff --git a/source3/passdb/account_pol.c b/source3/passdb/account_pol.c
index 5f2c7ab..6b1066e 100644
--- a/source3/passdb/account_pol.c
+++ b/source3/passdb/account_pol.c
@@ -214,24 +214,32 @@ bool init_account_policy(void)
        uint32_t version = 0;
        int i;
        NTSTATUS status;
+       char *db_path;
 
        if (db != NULL) {
                return True;
        }
 
-       db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT,
+       db_path = state_path("account_policy.tdb");
+       if (db_path == NULL) {
+               return false;
+       }
+
+       db = db_open(NULL, db_path, 0, TDB_DEFAULT,
                     O_RDWR, 0600, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 
        if (db == NULL) { /* the account policies files does not exist or open
                           * failed, try to create a new one */
-               db = db_open(NULL, state_path("account_policy.tdb"), 0,
+               db = db_open(NULL, db_path, 0,
                             TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
                             DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
                if (db == NULL) {
                        DEBUG(0,("Failed to open account policy database\n"));
+                       TALLOC_FREE(db_path);
                        return False;
                }
        }
+       TALLOC_FREE(db_path);
 
        status = dbwrap_fetch_uint32_bystring(db, vstring, &version);
        if (!NT_STATUS_IS_OK(status)) {
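Review bot: The early exit added after `db_path = state_path("account_policy.tdb");` returns silently when db_path is NULL, and it returns `false` while every other return in this function uses `True`/`False`. Add a DEBUG(0, ...) before that return so an allocation failure is distinguishable from a missing database, and use one boolean spelling throughout. Since db_path is now a local, the existing "Failed to open account policy database" message could also print it, which helps when state directory permissions are the real cause.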
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index d541719..494a840 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -1029,11 +1029,15 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct 
dom_sid *sid,
 static void legacy_uid_to_sid(struct dom_sid *psid, uid_t uid)
 {
        bool ret;
+       struct unixid id;
 
        ZERO_STRUCTP(psid);
 
+       id.id = uid;
+       id.type = ID_TYPE_UID;
+
        become_root();
-       ret = pdb_uid_to_sid(uid, psid);
+       ret = pdb_id_to_sid(&id, psid);
        unbecome_root();
 
        if (ret) {
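Review bot: `struct unixid id` is declared uninitialized and then filled member by member with `id.id = uid;` and `id.type = ID_TYPE_UID;`, so any member added to struct unixid later would be passed to pdb_id_to_sid() as stack garbage. A designated initializer, `struct unixid id = { .id = uid, .type = ID_TYPE_UID };`, zeroes the rest. Because pdb_id_to_sid takes a non-const `struct unixid *`, it is also worth a comment stating whether id.type can change across the call and whether this function should look at it afterwards. Keeping the setup outside the become_root()/unbecome_root() pair, as done here, is right.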
@@ -1059,11 +1063,15 @@ static void legacy_uid_to_sid(struct dom_sid *psid, 
uid_t uid)
 static void legacy_gid_to_sid(struct dom_sid *psid, gid_t gid)
 {
        bool ret;
+       struct unixid id;
 
        ZERO_STRUCTP(psid);
 
+       id.id = gid;
+       id.type = ID_TYPE_GID;
+
        become_root();
-       ret = pdb_gid_to_sid(gid, psid);
+       ret = pdb_id_to_sid(&id, psid);
        unbecome_root();
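Review bot: The added lines in legacy_gid_to_sid() are now a copy of those in legacy_uid_to_sid(), differing only in `ID_TYPE_GID` versus `ID_TYPE_UID`. Now that both call pdb_id_to_sid(&id, psid), the become_root(), lookup and unbecome_root() sequence could live in one static helper taking a `struct unixid *`, which leaves a single place to audit for the privileged section and prevents the two copies drifting apart.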


-- 
Samba Shared Repository
