The branch, v4-2-test has been updated
       via  60748d1 s3:passdb: let pdb_get_trust_credentials() try pdb_get_trusteddom_creds() first
       via  26c011d s3:passdb: add optional get_trusteddom_creds() hooks
       via  611e95e pdb: fix build issues with shared modules
       via  ddc2bba s3:idmap_cache: remove unused idmap_cache_set_sid2[u|g]id()
       via  dac59a2 pdb: Increase version number to fix ABI
       via  1a91c09 idmap: return the correct id type to *id_to_sid methods
       via  d655b56 idmap: unify passdb *id_to_sid methods
       via  0c32df4 s3:passdb: avoid invalid pointer type warnings in pdb_wbc_sam.c
       via  f87e9b1 s3:passdb: always copy the history in pdb_set_plaintext_passwd()
       via  f1f0ca3 pdb_tdb: Avoid a nasty error message with ctdb
       via  a681688 pdb_tdb: don't leak state_path onto talloc tos
       via  741ac3b account_pol: don't leak state_path onto talloc tos
       via  b14bed4 passdb: Use common code in cli_credentials_set_machine_account_db_ctx()
       via  d26278a auth/credentials: Ensure that we set the realm when reading secrets.tdb
       via  e3b6d3b credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()
       via  a81b814 credentials: Improve error message on failure to set machine account password
       via  a13c21b credentials: Set secure_channel_type from secrets.tdb in cli_credentials_set_machine_account
       via  f80a108 s3:locking: fix uninitialized variable in brl_get_locks_readonly_parser()
      from  5d3a3c8b ctdb-build: fix build without xsltproc
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test

- Log -----------------------------------------------------------------
commit 60748d1153491cccbcaa354b88cc4d7203c8223b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 15:05:17 2014 +0000

    s3:passdb: let pdb_get_trust_credentials() try pdb_get_trusteddom_creds() first

    NT_STATUS_NOT_IMPLEMENTED lets it fall back to the old get_trust_pw_clear2() code.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Thu Dec 18 06:46:05 CET 2014 on sn-devel-104
    (cherry picked from commit 12aaafd2971ac71823ccbebda7b2afd689239770)

    Autobuild-User(v4-2-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-2-test): Thu Dec 18 13:06:40 CET 2014 on sn-devel-104

commit 26c011d33c561fac1c6c8ab4ac32a706ac535312
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 11 10:52:53 2014 +0000

    s3:passdb: add optional get_trusteddom_creds() hooks

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 8e90b93ddceabd582cb28e40882036e7772608aa)

commit 611e95e02085ff75a7e76c78e38700431a83d000
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Thu Dec 4 10:44:26 2014 +1300

    pdb: fix build issues with shared modules

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10355

    Change-Id: I26e78b56ead0c66afcda6b3fb8b1fd09130b24a5
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 7a9147dab593a495c5ed5e1157ec8eb8a2809586)

commit ddc2bba9e1f0339dceae60189717ae1c6716b7a7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Nov 29 10:52:05 2014 +0100

    s3:idmap_cache: remove unused idmap_cache_set_sid2[u|g]id()

    Change-Id: I40bcfacb812b0dac7917533c9baf82a79f598efd
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>

    Autobuild-User(master): Garming Sam <garm...@samba.org>
    Autobuild-Date(master): Wed Dec 3 06:44:29 CET 2014 on sn-devel-104
    (cherry picked from commit 816751a3a8ed564f2cf880fd1ca3b1e8f9c85471)

commit dac59a2b62bda35c075c61a943fc03dfc0f3c93c
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Tue Nov 25 14:56:45 2014 +1300

    pdb: Increase version number to fix ABI

    In the process, we can also rename pdb to avoid conflicts with libpdb.
    We don't depend directly on pdb to avoid duplicate symbols.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10355

    Change-Id: I4df6ba2f4ce35d3718dc4198b527cca46a139efe
    Pair-programmed-with: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 3b76b705f03b8f639ece2308afdc0962d230c42a)

commit 1a91c09bbd42dddb7f65983aa93b70cd5b93cbf0
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Wed Nov 26 15:33:35 2014 +1300

    idmap: return the correct id type to *id_to_sid methods

    We have a pointer to a unixid which is sent down instead of a uid or gid.
    We can use this as an in-out variable so that pdb_samba_dsdb can be
    returned ID_TYPE_BOTH to cache correctly instead of leaving it as
    ID_TYPE_UID or ID_TYPE_GID.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720

    Change-Id: I0cef2e419cbb337531244b7b41c708cf2ab883e3
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 58b343be4742b3ba1f447701a8254453c21af413)

commit d655b56996e3cba4bd0cc2a2b655ccb06f454310
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Tue Nov 25 14:45:26 2014 +1300

    idmap: unify passdb *id_to_sid methods

    Instead of passing down gid or uid, a pointer to a unixid is now sent
    down. This acts as an in-out variable so that the idmap functions can
    correctly receive ID_TYPE_BOTH, filling in cache details correctly
    rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720

    Change-Id: I11409a0f498e61a3c0a6ae606dd7af1135e6b066
    Pair-programmed-with: Andrew Bartlett <abar...@samba.org>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 7979c6cc50eaa792e5094866878c63df36e715c3)

commit 0c32df451437529b5e551035e9c806eabc0054c8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 26 20:16:26 2014 +0100

    s3:passdb: avoid invalid pointer type warnings in pdb_wbc_sam.c

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 7ec8401f82994070eaaf81ff067c0cd0576d58e3)

commit f87e9b1d69d2f2039e7691dfc404618c16c41c6d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 26 20:16:26 2014 +0100

    s3:passdb: always copy the history in pdb_set_plaintext_passwd()

    We should not write to memory marked as const (returned from pdb_get_pw_history())!

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 966192ee16d6802da5c2b046d2488ddd1a7ec960)

commit f1f0ca3e5c548013f9a9fcff073a07f84a6fdbb6
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Nov 11 10:36:23 2014 +0000

    pdb_tdb: Avoid a nasty error message with ctdb

    ctdb gives us 0-sized records for deleted passdb entries

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>

    Autobuild-User(master): David Disseldorp <dd...@samba.org>
    Autobuild-Date(master): Tue Nov 11 16:19:37 CET 2014 on sn-devel-104
    (cherry picked from commit c2bda5bfae2cac4e473f2ae42775d2e35995c790)

commit a681688f63fe848b1474ebe9dd088d2722d2b3f2
Author: David Disseldorp <dd...@samba.org>
Date:   Sun Nov 2 20:21:28 2014 +0100

    pdb_tdb: don't leak state_path onto talloc tos

    Also check for allocation failures.

    Signed-off-by: David Disseldorp <dd...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 6d5b8dd70e542840a96c45b916b1bd2b9685697f)

commit 741ac3b58ece43981e98e56c599bfd40b50d09bd
Author: David Disseldorp <dd...@samba.org>
Date:   Sun Nov 2 20:21:27 2014 +0100

    account_pol: don't leak state_path onto talloc tos

    Also check for allocation failures.

    Signed-off-by: David Disseldorp <dd...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit f88535e56e23e27492851c0fc6e9a86cfdaab041)

commit b14bed45da261591000e439234ee6120f00a5ccd
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 3 06:35:28 2014 +1300

    passdb: Use common code in cli_credentials_set_machine_account_db_ctx()

    This avoids some duplication in setting the machine account password
    for the domain member and DC case.

    This does not yet remove the duplication; that requires a bigger
    restructure of the various routines used here to obtain the machine
    and domain trust secrets.

    Also no longer used is the timeout/2 code to not set the previous
    password. It is now always passed to the caller.

    Andrew Bartlett

    Change-Id: Idd5bafedf4cbac30b174955d743ec4128a6902ee
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 37f5d822d636d4286bd8ee64c7e9e44ae1a297e1)

commit d26278a01ade800d0cfbdfa71f675efd522d1faf
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Oct 6 13:51:25 2014 +1300

    auth/credentials: Ensure that we set the realm when reading secrets.tdb

    Otherwise, we try and kinit as host$@DOMAIN and that will not work.

    Andrew Bartlett

    Change-Id: Id2fde673423e74dfa1e6ac48f47f49c61ee59779
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit e9dc6423d3f1ab3401314e134ecc574fc5d4c18b)

commit e3b6d3be9fe0b8fbc5d91a8c2e575a2a82bf5e5f
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 3 06:32:39 2014 +1300

    credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()

    This adds a new wrapper, cli_credentials_set_machine_account_db_ctx()

    Andrew Bartlett

    Change-Id: Ia2cceefede4ba9cf7f8de41986daf9372c19d997
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 35b8ed7710f60abcc70e0b070afc16bf3faef263)

commit a81b814b7df43de2106cfdbc9453c6d8e3394403
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 3 05:14:56 2014 +1300

    credentials: Improve error message on failure to set machine account password

    Change-Id: I4136067d6d0e5cfe92770a2e7efa39f4ebcb2aca
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 89daf5dc534ab03724a2622d3b6b4d6783756bae)

commit a13c21bd3ccc631a7b4c8cc0c68e694ec0c71c51
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 3 05:14:21 2014 +1300

    credentials: Set secure_channel_type from secrets.tdb in cli_credentials_set_machine_account

    This should ensure more parts of the source4 code can work with a
    password set in secrets.tdb.

    Andrew Bartlett

    Change-Id: I4a890a719246b073898333d2e04841904c6e1a5d
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit adb3eb79ea828b6e6e1858c3d1b8b5ffe868f8ed)

commit f80a108f22eb87a0817529382a3f6bc46bfdeaa4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 17 10:43:33 2014 +0100

    s3:locking: fix uninitialized variable in brl_get_locks_readonly_parser()

    In a cluster this can be called with an empty record, while
    brl_parse_data() relies on an initialized structure.

    This is a regression in commit 837e29035c911f3509135252c3f423d0f56b606d.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10911
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 6bc41c459f6da7de62d2113590bc7d0c2d04e136) ----------------------------------------------------------------------- Summary of changes: auth/credentials/credentials.h | 16 ++++ auth/credentials/credentials_secrets.c | 87 +++++++++++++++++----- source3/include/passdb.h | 36 +++++++-- source3/lib/idmap_cache.c | 72 ------------------ source3/lib/idmap_cache.h | 2 - source3/locking/brlock.c | 1 + .../{pdb-0.1.2.sigs => samba-passdb-0.2.0.sigs} | 3 +- .../{pdb-0.1.2.sigs => samba-passdb-0.24.1.sigs} | 4 +- source3/passdb/account_pol.c | 12 ++- source3/passdb/lookup_sid.c | 19 ++++- source3/passdb/passdb.c | 59 ++++++++++++++- source3/passdb/pdb_get_set.c | 33 ++++---- source3/passdb/pdb_interface.c | 68 ++++++++++------- source3/passdb/pdb_ldap.c | 24 +++++- source3/passdb/pdb_samba_dsdb.c | 46 ++++-------- source3/passdb/pdb_tdb.c | 16 +++- source3/passdb/pdb_wbc_sam.c | 42 +++++++---- source3/passdb/py_passdb.c | 13 +++- source3/utils/net_sam.c | 6 +- source3/winbindd/idmap_passdb.c | 16 +--- source3/winbindd/wscript_build | 2 +- source3/wscript_build | 31 ++++---- source4/winbind/idmap.c | 20 ++++- 23 files changed, 391 insertions(+), 237 deletions(-) copy source3/passdb/ABI/{pdb-0.1.2.sigs => samba-passdb-0.2.0.sigs} (99%) copy source3/passdb/ABI/{pdb-0.1.2.sigs => samba-passdb-0.24.1.sigs} (99%) Changeset truncated at 500 lines: diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index fdd35bb..2da47d2 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h @@ -36,6 +36,7 @@ struct ccache_container; struct gssapi_creds_container; struct smb_krb5_context; struct keytab_container; +struct db_context; /* In order of priority */ enum credentials_obtained { 
@@ -161,6 +162,21 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, const char *serviceprincipal); NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, struct loadparm_context *lp_ctx); +/** + * Fill in credentials for the machine trust account, from the + * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB). + * + * This version is used in parts of the code that can link in the + * CTDB dbwrap backend, by passing down the already open handle. + * + * @param cred Credentials structure to fill in + * @param db_ctx dbwrap context for secrets.tdb + * @retval NTSTATUS error detailing any failure + */ +NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct db_context *db_ctx); + bool cli_credentials_authentication_requested(struct cli_credentials *cred); void cli_credentials_guess(struct cli_credentials *cred, struct loadparm_context *lp_ctx); diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c index 625ce20..d259a4d 100644 --- a/auth/credentials/credentials_secrets.c +++ b/auth/credentials/credentials_secrets.c 
@@ -231,6 +231,43 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, struct loadparm_context *lp_ctx) { + struct db_context *db_ctx; + char *secrets_tdb_path; + + secrets_tdb_path = lpcfg_private_db_path(cred, lp_ctx, "secrets"); + if (secrets_tdb_path == NULL) { + return NT_STATUS_NO_MEMORY; + } + + db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb_path, 0, + TDB_DEFAULT, O_RDWR, 0600, + DBWRAP_LOCK_ORDER_1, + DBWRAP_FLAG_NONE); + TALLOC_FREE(secrets_tdb_path); + + /* + * We do not check for errors here, we might not have a + * secrets.tdb at all, and so we just need to check the + * secrets.ldb + */ + return cli_credentials_set_machine_account_db_ctx(cred, lp_ctx, db_ctx); +} + +/** + * Fill in credentials for the machine trust account, from the + * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB). + * + * This version is used in parts of the code that can link in the + * CTDB dbwrap backend, by passing down the already open handle. + * + * @param cred Credentials structure to fill in + * @param db_ctx dbwrap context for secrets.tdb + * @retval NTSTATUS error detailing any failure + */ +_PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct db_context *db_ctx) +{ NTSTATUS status; char *filter; char *error_string; 
@@ -239,24 +276,14 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr time_t secrets_tdb_lct = 0; char *secrets_tdb_password = NULL; char *secrets_tdb_old_password = NULL; + uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL; char *keystr; char *keystr_upper = NULL; - char *secrets_tdb; - struct db_context *db_ctx; TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb"); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } - secrets_tdb = lpcfg_private_db_path(cred, lp_ctx, "secrets"); - if (!secrets_tdb) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - - db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb, 0, - TDB_DEFAULT, O_RDWR, 0600, - DBWRAP_LOCK_ORDER_1, - DBWRAP_FLAG_NONE); + /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around * any more */ @@ -287,6 +314,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr if (NT_STATUS_IS_OK(status)) { secrets_tdb_password = (char *)dbuf.dptr; } + keystr = talloc_asprintf(tmp_ctx, "%s/%s", SECRETS_MACHINE_PASSWORD_PREV, domain); @@ -296,6 +324,16 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr if (NT_STATUS_IS_OK(status)) { secrets_tdb_old_password = (char *)dbuf.dptr; } + + keystr = talloc_asprintf(tmp_ctx, "%s/%s", + SECRETS_MACHINE_SEC_CHANNEL_TYPE, + domain); + keystr_upper = strupper_talloc(tmp_ctx, keystr); + status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper), + &dbuf); + if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) { + secrets_tdb_secure_channel_type = IVAL(dbuf.dptr,0); + } } filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, 
@@ -321,20 +359,35 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED); cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED); cli_credentials_set_domain(cred, domain, CRED_SPECIFIED); + if (strequal(domain, lpcfg_workgroup(lp_ctx))) { + cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED); + } cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct); + cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type); status = NT_STATUS_OK; } else if (!NT_STATUS_IS_OK(status)) { if (db_ctx) { - error_string = talloc_asprintf(cred, - "Failed to fetch machine account password from " - "secrets.ldb: %s and failed to fetch %s from %s", - error_string, keystr_upper, secrets_tdb); + error_string + = talloc_asprintf(cred, + "Failed to fetch machine account password for %s from both " + "secrets.ldb (%s) and from %s", + domain, error_string, + dbwrap_name(db_ctx)); } else { + char *secrets_tdb_path; + + secrets_tdb_path = lpcfg_private_db_path(tmp_ctx, + lp_ctx, + "secrets"); + if (secrets_tdb_path == NULL) { + return NT_STATUS_NO_MEMORY; + } + error_string = talloc_asprintf(cred, "Failed to fetch machine account password from " "secrets.ldb: %s and failed to open %s", - error_string, secrets_tdb); + error_string, secrets_tdb_path); } DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n", error_string, nt_errstr(status))); diff --git a/source3/include/passdb.h b/source3/include/passdb.h index 86cb16e..893d0d0 100644 --- a/source3/include/passdb.h +++ b/source3/include/passdb.h @@ -34,6 +34,7 @@ #include "../librpc/gen_ndr/lsa.h" #include <tevent.h> struct unixid; +struct cli_credentials; /* group mapping headers */ 
@@ -415,9 +416,11 @@ enum pdb_policy_type { * Changed to 21, set/enum_upn_suffixes. AB. * Changed to 22, idmap control functions * Changed to 23, new idmap control functions + * Changed to 24, removed uid_to_sid and gid_to_sid, replaced with id_to_sid + * Leave at 24, add optional get_trusteddom_creds() */ -#define PASSDB_INTERFACE_VERSION 23 +#define PASSDB_INTERFACE_VERSION 24 struct pdb_methods { @@ -560,10 +563,16 @@ struct pdb_methods struct pdb_search *search, const struct dom_sid *sid); - bool (*uid_to_sid)(struct pdb_methods *methods, uid_t uid, - struct dom_sid *sid); - bool (*gid_to_sid)(struct pdb_methods *methods, gid_t gid, - struct dom_sid *sid); + /* + * Instead of passing down a gid or uid, this function sends down a pointer + * to a unixid. + * + * This acts as an in-out variable so that the idmap functions can correctly + * receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing + * the cache to store ID_TYPE_UID or ID_TYPE_GID. + */ + bool (*id_to_sid)(struct pdb_methods *methods, struct unixid *id, + struct dom_sid *sid); bool (*sid_to_id)(struct pdb_methods *methods, const struct dom_sid *sid, struct unixid *id); @@ -574,6 +583,10 @@ struct pdb_methods bool (*get_trusteddom_pw)(struct pdb_methods *methods, const char *domain, char** pwd, struct dom_sid *sid, time_t *pass_last_set_time); + NTSTATUS (*get_trusteddom_creds)(struct pdb_methods *methods, + const char *domain, + TALLOC_CTX *mem_ctx, + struct cli_credentials **creds); bool (*set_trusteddom_pw)(struct pdb_methods *methods, const char* domain, const char* pwd, const struct dom_sid *sid); 
@@ -889,8 +902,15 @@ NTSTATUS pdb_lookup_names(const struct dom_sid *domain_sid, bool pdb_get_account_policy(enum pdb_policy_type type, uint32_t *value); bool pdb_set_account_policy(enum pdb_policy_type type, uint32_t value); bool pdb_get_seq_num(time_t *seq_num); -bool pdb_uid_to_sid(uid_t uid, struct dom_sid *sid); -bool pdb_gid_to_sid(gid_t gid, struct dom_sid *sid); +/* + * Instead of passing down a gid or uid, this function sends down a pointer + * to a unixid. + * + * This acts as an in-out variable so that the idmap functions can correctly + * receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing + * the cache to store ID_TYPE_UID or ID_TYPE_GID. + */ +bool pdb_id_to_sid(struct unixid *id, struct dom_sid *sid); bool pdb_sid_to_id(const struct dom_sid *sid, struct unixid *id); uint32_t pdb_capabilities(void); bool pdb_new_rid(uint32_t *rid); @@ -905,6 +925,8 @@ uint32_t pdb_search_entries(struct pdb_search *search, struct samr_displayentry **result); bool pdb_get_trusteddom_pw(const char *domain, char** pwd, struct dom_sid *sid, time_t *pass_last_set_time); +NTSTATUS pdb_get_trusteddom_creds(const char *domain, TALLOC_CTX *mem_ctx, + struct cli_credentials **creds); bool pdb_set_trusteddom_pw(const char* domain, const char* pwd, const struct dom_sid *sid); bool pdb_del_trusteddom_pw(const char *domain); diff --git a/source3/lib/idmap_cache.c b/source3/lib/idmap_cache.c index 8844171..11bda39 100644 --- a/source3/lib/idmap_cache.c +++ b/source3/lib/idmap_cache.c 
@@ -346,78 +346,6 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i } } -/** - * Store a mapping in the idmap cache - * @param[in] sid the sid to map - * @param[in] uid the uid to map - * - * If both parameters are valid values, then a positive mapping in both - * directions is stored. If "is_null_sid(sid)" is true, then this will be a - * negative mapping of uid, we want to cache that for this uid we could not - * find anything. Likewise if "uid==-1", then we want to cache that we did not - * find a mapping for the sid passed here. - */ - -void idmap_cache_set_sid2uid(const struct dom_sid *sid, uid_t uid) -{ - struct unixid id; - id.type = ID_TYPE_UID; - id.id = uid; - - if (uid == -1) { - uid_t tmp_gid; - bool expired; - /* If we were asked to invalidate this SID -> UID - * mapping, it was because we found out that this was - * not a UID at all. Do not overwrite a valid GID or - * BOTH mapping */ - if (idmap_cache_find_sid2gid(sid, &tmp_gid, &expired)) { - if (!expired) { - return; - } - } - } - - idmap_cache_set_sid2unixid(sid, &id); - return; -} - -/** - * Store a mapping in the idmap cache - * @param[in] sid the sid to map - * @param[in] gid the gid to map - * - * If both parameters are valid values, then a positive mapping in both - * directions is stored. If "is_null_sid(sid)" is true, then this will be a - * negative mapping of gid, we want to cache that for this gid we could not - * find anything. Likewise if "gid==-1", then we want to cache that we did not - * find a mapping for the sid passed here. - */ - -void idmap_cache_set_sid2gid(const struct dom_sid *sid, gid_t gid) -{ - struct unixid id; - id.type = ID_TYPE_GID; - id.id = gid; - - if (gid == -1) { - uid_t tmp_uid; - bool expired; - /* If we were asked to invalidate this SID -> GID - * mapping, it was because we found out that this was - * not a GID at all. 
Do not overwrite a valid UID or - * BOTH mapping */ - if (idmap_cache_find_sid2uid(sid, &tmp_uid, &expired)) { - if (!expired) { - return; - } - } - } - - idmap_cache_set_sid2unixid(sid, &id); - return; -} - static char* key_xid2sid_str(TALLOC_CTX* mem_ctx, char t, const char* id) { return talloc_asprintf(mem_ctx, "IDMAP/%cID2SID/%s", t, id); } diff --git a/source3/lib/idmap_cache.h b/source3/lib/idmap_cache.h index 0885266..5b8586f 100644 --- a/source3/lib/idmap_cache.h +++ b/source3/lib/idmap_cache.h @@ -32,8 +32,6 @@ bool idmap_cache_find_sid2gid(const struct dom_sid *sid, gid_t *pgid, bool idmap_cache_find_uid2sid(uid_t uid, struct dom_sid *sid, bool *expired); bool idmap_cache_find_gid2sid(gid_t gid, struct dom_sid *sid, bool *expired); void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); -void idmap_cache_set_sid2uid(const struct dom_sid *sid, uid_t uid); -void idmap_cache_set_sid2gid(const struct dom_sid *sid, gid_t gid); bool idmap_cache_del_uid(uid_t uid); bool idmap_cache_del_gid(gid_t gid); diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c index b7dcb41..7d4d838 100644 --- a/source3/locking/brlock.c +++ b/source3/locking/brlock.c @@ -2005,6 +2005,7 @@ static void brl_get_locks_readonly_parser(TDB_DATA key, TDB_DATA data, *state->br_lock = NULL; return; } + *br_lck = (struct byte_range_lock) {}; if (!brl_parse_data(br_lck, data)) { *state->br_lock = NULL; return; diff --git a/source3/passdb/ABI/pdb-0.1.2.sigs b/source3/passdb/ABI/samba-passdb-0.2.0.sigs similarity index 99% copy from source3/passdb/ABI/pdb-0.1.2.sigs copy to source3/passdb/ABI/samba-passdb-0.2.0.sigs index 8b97bac..e2246f6 100644 --- a/source3/passdb/ABI/pdb-0.1.2.sigs +++ b/source3/passdb/ABI/samba-passdb-0.2.0.sigs 
@@ -173,8 +173,8 @@ pdb_gethexhours: bool (const char *, unsigned char *) pdb_gethexpwd: bool (const char *, unsigned char *) pdb_getsampwnam: bool (struct samu *, const char *) pdb_getsampwsid: bool (struct samu *, const struct dom_sid *) -pdb_gid_to_sid: bool (gid_t, struct dom_sid *) pdb_group_rid_to_gid: gid_t (uint32_t) +pdb_id_to_sid: bool (struct unixid *, struct dom_sid *) pdb_increment_bad_password_count: bool (struct samu *) pdb_is_password_change_time_max: bool (time_t) pdb_is_responsible_for_builtin: bool (void) @@ -249,7 +249,6 @@ pdb_sethexhours: void (char *, const unsigned char *) pdb_sethexpwd: void (char *, const unsigned char *, uint32_t) pdb_sid_to_id: bool (const struct dom_sid *, struct unixid *) pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct unixid *) -pdb_uid_to_sid: bool (uid_t, struct dom_sid *) pdb_update_autolock_flag: bool (struct samu *, bool *) pdb_update_bad_password_count: bool (struct samu *, bool *) pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *) diff --git a/source3/passdb/ABI/pdb-0.1.2.sigs b/source3/passdb/ABI/samba-passdb-0.24.1.sigs similarity index 99% copy from source3/passdb/ABI/pdb-0.1.2.sigs copy to source3/passdb/ABI/samba-passdb-0.24.1.sigs index 8b97bac..e5885d0 100644 --- a/source3/passdb/ABI/pdb-0.1.2.sigs +++ b/source3/passdb/ABI/samba-passdb-0.24.1.sigs 
@@ -160,6 +160,7 @@ pdb_get_tevent_context: struct tevent_context *(void) pdb_get_trust_credentials: NTSTATUS (const char *, const char *, TALLOC_CTX *, struct cli_credentials **) pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct pdb_trusted_domain **) pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *, struct pdb_trusted_domain **) +pdb_get_trusteddom_creds: NTSTATUS (const char *, TALLOC_CTX *, struct cli_credentials **) pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *) pdb_get_unknown_6: uint32_t (const struct samu *) pdb_get_user_rid: uint32_t (const struct samu *) @@ -173,8 +174,8 @@ pdb_gethexhours: bool (const char *, unsigned char *) pdb_gethexpwd: bool (const char *, unsigned char *) pdb_getsampwnam: bool (struct samu *, const char *) pdb_getsampwsid: bool (struct samu *, const struct dom_sid *) -pdb_gid_to_sid: bool (gid_t, struct dom_sid *) pdb_group_rid_to_gid: gid_t (uint32_t) +pdb_id_to_sid: bool (struct unixid *, struct dom_sid *) pdb_increment_bad_password_count: bool (struct samu *) pdb_is_password_change_time_max: bool (time_t) pdb_is_responsible_for_builtin: bool (void) @@ -249,7 +250,6 @@ pdb_sethexhours: void (char *, const unsigned char *) pdb_sethexpwd: void (char *, const unsigned char *, uint32_t) pdb_sid_to_id: bool (const struct dom_sid *, struct unixid *) pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct unixid *) -pdb_uid_to_sid: bool (uid_t, struct dom_sid *) pdb_update_autolock_flag: bool (struct samu *, bool *) pdb_update_bad_password_count: bool (struct samu *, bool *) pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *) diff --git a/source3/passdb/account_pol.c b/source3/passdb/account_pol.c index 5f2c7ab..6b1066e 100644 --- a/source3/passdb/account_pol.c +++ b/source3/passdb/account_pol.c 
@@ -214,24 +214,32 @@ bool init_account_policy(void) uint32_t version = 0; int i; NTSTATUS status; + char *db_path; if (db != NULL) { return True; } - db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT, + db_path = state_path("account_policy.tdb"); + if (db_path == NULL) { + return false; + } + + db = db_open(NULL, db_path, 0, TDB_DEFAULT, O_RDWR, 0600, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE); if (db == NULL) { /* the account policies files does not exist or open * failed, try to create a new one */ - db = db_open(NULL, state_path("account_policy.tdb"), 0, + db = db_open(NULL, db_path, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE); if (db == NULL) { DEBUG(0,("Failed to open account policy database\n")); + TALLOC_FREE(db_path); return False; } } + TALLOC_FREE(db_path); status = dbwrap_fetch_uint32_bystring(db, vstring, &version); if (!NT_STATUS_IS_OK(status)) { diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c index d541719..494a840 100644 --- a/source3/passdb/lookup_sid.c +++ b/source3/passdb/lookup_sid.c @@ -1029,11 +1029,15 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, static void legacy_uid_to_sid(struct dom_sid *psid, uid_t uid) { bool ret; + struct unixid id; ZERO_STRUCTP(psid); + id.id = uid; + id.type = ID_TYPE_UID; + become_root(); - ret = pdb_uid_to_sid(uid, psid); + ret = pdb_id_to_sid(&id, psid); unbecome_root(); if (ret) { @@ -1059,11 +1063,15 @@ static void legacy_uid_to_sid(struct dom_sid *psid, uid_t uid) static void legacy_gid_to_sid(struct dom_sid *psid, gid_t gid) { bool ret; + struct unixid id; ZERO_STRUCTP(psid); + id.id = gid; + id.type = ID_TYPE_GID; + become_root(); - ret = pdb_gid_to_sid(gid, psid); + ret = pdb_id_to_sid(&id, psid); unbecome_root(); -- Samba Shared Repository
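Review bot: the doxygen block for cli_credentials_set_machine_account_db_ctx() in the credentials.h hunk (@@ -161,6 +162,21 @@) documents `cred` and `db_ctx` but not `lp_ctx`; add `@param lp_ctx loadparm context` so all three parameters are described, and apply the same fix to the duplicate of this block in credentials_secrets.c. It is also worth stating that `db_ctx` may be NULL: the wrapper in credentials_secrets.c passes whatever dbwrap_local_open() returned without checking it, and the callee's `if (db_ctx)` branch in its error path depends on that being allowed.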
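Review bot: in the rewritten cli_credentials_set_machine_account() (credentials_secrets.c, @@ -231,6 +231,43 @@) `db_ctx` is opened with `cred` as its talloc parent and nothing in the visible hunks frees it after cli_credentials_set_machine_account_db_ctx() returns, so the secrets.tdb handle and its file descriptor now live as long as the credentials object. Unless the callee is meant to keep the handle, add `TALLOC_FREE(db_ctx);` after the call or open it on a temporary context.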
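Review bot: in the new SECRETS_MACHINE_SEC_CHANNEL_TYPE block (credentials_secrets.c, @@ -296,6 +324,16 @@) `keystr` and `keystr_upper` come from talloc_asprintf()/strupper_talloc() and go straight into string_tdb_data() without a NULL check, so an allocation failure dereferences NULL; the code this changeset removes higher up returns NT_STATUS_NO_MEMORY (after freeing tmp_ctx) in the same situation, and this block should do likewise. The `dbuf.dsize == 4` guard before IVAL() is the right shape, since a short or malformed record would otherwise be read past its end.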
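Review bot: in the `else` branch of the error path (credentials_secrets.c, @@ -321,20 +359,35 @@) the new `if (secrets_tdb_path == NULL) { return NT_STATUS_NO_MEMORY; }` returns without freeing `tmp_ctx`, unlike the early return this same hunk removes (`TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY;`); add the TALLOC_FREE(tmp_ctx) before returning. Separately, the realm is only set when `domain` equals lpcfg_workgroup(), so a secrets.tdb entry for another domain still ends up with no realm; if that is intended, a one-line comment would save the next reader from re-deriving it from the commit message of d26278a.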
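Review bot: the comment above PASSDB_INTERFACE_VERSION (passdb.h, @@ -415,9 +416,11 @@) says "Leave at 24, add optional get_trusteddom_creds()", but the struct pdb_methods hunk further down appends a new function pointer, which changes the struct layout, so two incompatible layouts share version 24. That is only safe if no module was ever built against the intermediate 24; either the comment should say why no bump is needed on this branch, or the version should move to 25.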
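Review bot: the comment on the new `id_to_sid` method (passdb.h, @@ -560,10 +563,16 @@) explains that `id` is in-out but not which fields are inputs and which may change: the lookup_sid.c hunk shows the caller setting both `id->id` and `id->type` before the call, and the commit message for 1a91c09 says only `id->type` is expected to be updated (to ID_TYPE_BOTH). Spell that out, and say whether `id` is left untouched when the method returns false, so backends and callers agree on the contract.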
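Review bot: `get_trusteddom_creds` (passdb.h, @@ -574,6 +583,10 @@) is optional according to the commit message for 60748d1, where NT_STATUS_NOT_IMPLEMENTED makes pdb_get_trust_credentials() fall back to get_trust_pw_clear2(), but nothing in the header says so. Add a comment that a backend may leave the pointer NULL or return NT_STATUS_NOT_IMPLEMENTED, and say what the pdb_get_trusteddom_creds() wrapper returns for a NULL pointer, so a module author does not return some other error and silently lose the fallback.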
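Review bot: the removed idmap_cache_set_sid2uid()/idmap_cache_set_sid2gid() wrappers (idmap_cache.c, @@ -346,78 +346,6 @@) carried one piece of logic beyond forwarding to idmap_cache_set_sid2unixid(): when storing a negative mapping (uid or gid of -1) they first looked for an unexpired mapping of the other type so that a valid GID, UID or BOTH entry was not overwritten. The subject says the wrappers are unused, which is fine, but the commit message should confirm that the remaining callers of idmap_cache_set_sid2unixid() either never store negative entries or perform this check themselves, otherwise the cache can regress to overwriting good entries.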
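Review bot: `*br_lck = (struct byte_range_lock) {};` (brlock.c, @@ -2005,6 +2005,7 @@) uses an empty initializer list, which is a GCC/Clang extension rather than C99 (C99 requires at least one initializer inside the braces); the rest of this changeset uses ZERO_STRUCTP() for the same purpose (see the lookup_sid.c hunk), so `ZERO_STRUCTP(br_lck);` would be both portable and consistent. The fix itself is right: brl_parse_data() is handed the structure even for an empty record, so every field it reads must be defined.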
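Review bot: the changeset adds two signature files copied from pdb-0.1.2.sigs, samba-passdb-0.2.0.sigs and samba-passdb-0.24.1.sigs, and in the visible hunks the only difference between them is the `pdb_get_trusteddom_creds` line. If 0.2.0 is just the intermediate state of the master commits being cherry-picked, shipping both on v4-2-test records an ABI that never existed on this branch; consider dropping the 0.2.0 file, or say in the commit message why both are kept and how the 0.24.1 number relates to PASSDB_INTERFACE_VERSION 24.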
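Review bot: legacy_uid_to_sid() and legacy_gid_to_sid() (lookup_sid.c, @@ -1029,11 +1029,15 @@ and @@ -1059,11 +1063,15 @@) now build a struct unixid and call pdb_id_to_sid(), but since `id` is in-out the backend may upgrade `id.type` to ID_TYPE_BOTH on return and neither function looks at it afterwards; the code after `if (ret) {` is beyond the 500-line truncation, so this cannot be checked here. If what follows caches the result, it should cache with the returned `id` rather than the uid/gid it was called with, otherwise the change in 1a91c09 does not reach the cache for this path.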