Hi! Recently I have done some work on the passdb interface in order to get it to work with 'net rpc vampire'. The main problem with the two playing together is the question of RIDs. When doing 'net rpc vampire', the PDC dictates our RIDs, but the old 2.2-style algorithmic uid->RID translation is still used everywhere, especially in mapping.c and passdb.c. So I tried to move all the calls to those functions into the smbpasswd and unix backends, where they really have a case.
Some points to look at: * There are no unmapped groups anymore. get_group_from_gid creates mappings on the fly when needed. * pdb_fill_sam_pw does *not* fill group and user SID anymore. * NULL user sid for pdb_add_sam_account means 'allocate a RID'. * local_uid_to_sid has to hand out a SID for each unix user. If the unix user is not in pdb, we now hand out 'S-1-5-33-unixuid'. This works fine on NT and W2k. Current question(s): * The RID allocator is in the wrong place. It's currently storing its stuff in secrets.tdb. smbpasswd should use the old algorithmic mapping, net rpc vampire will not work with smbpasswd. To let this not interfere with group RID allocation, the passdb backend must be asked 'give me a RID for this unix gid'. * The other alternative is to move the (not too big) groupdb API entirely to the passdb backend. This would make it possible to get LDAP replication for group mapping quite easily. We could encapsulate LDAP (with connection caching.... ;-) in one file. * Design of LDAP replication: What about a sambaGroup objectclass as supplementary to posixGroup that contains gid, sid, ntname, grouptype, comment etc? All the stuff that mapping.c stores in the tdb. I'm sure I forgot to tell a lot. Comments? Volker
Index: source/Makefile.in
===================================================================
RCS file: /data/cvs/samba/source/Makefile.in,v
retrieving revision 1.545
diff -u -r1.545 Makefile.in
--- source/Makefile.in 28 Sep 2002 12:27:04 -0000 1.545
+++ source/Makefile.in 30 Sep 2002 07:14:23 -0000
@@ -430,8 +430,9 @@
$(UBIQX_OBJ) $(LIB_OBJ)
SMBCACLS_OBJ = utils/smbcacls.o $(LOCKING_OBJ) $(LIBSMB_OBJ) $(PARAM_OBJ) \
- $(UBIQX_OBJ) $(LIB_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_GET_SET_OBJ) \
- $(LIBMSRPC_OBJ)
+ $(UBIQX_OBJ) $(LIB_OBJ) $(RPC_PARSE_OBJ) $(SECRETS_OBJ) \
+ $(LIBMSRPC_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ)
+
TALLOCTORT_OBJ = lib/talloctort.o $(LIB_OBJ) $(PARAM_OBJ) $(UBIQX_OBJ)
@@ -495,7 +496,7 @@
nsswitch/winbindd_dual.o
WINBINDD_OBJ = \
- $(WINBINDD_OBJ1) $(PASSDB_GET_SET_OBJ) \
+ $(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
$(LIBNMB_OBJ) $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \
$(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \
$(PROFILE_OBJ) $(UNIGRP_OBJ) \
Index: source/auth/auth_util.c
===================================================================
RCS file: /data/cvs/samba/source/auth/auth_util.c,v
retrieving revision 1.54
diff -u -r1.54 auth_util.c
--- source/auth/auth_util.c 25 Sep 2002 09:34:43 -0000 1.54
+++ source/auth/auth_util.c 30 Sep 2002 07:14:24 -0000
@@ -799,8 +799,13 @@
{
NTSTATUS nt_status;
SAM_ACCOUNT *sampass = NULL;
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) {
+
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass)))
return nt_status;
+
+ if (!pdb_getsampwnam(sampass, pwd->pw_name)) {
+ pdb_free_sam(&sampass);
+ return NT_STATUS_NO_SUCH_USER;
}
return make_server_info_sam(server_info, sampass);
}
@@ -893,10 +898,19 @@
domain = domain;
}
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_account))) {
+ return nt_status;
+ }
+
if (winbind_sid_to_uid(&uid, &user_sid)
&& winbind_sid_to_gid(&gid, &group_sid)
- && ((passwd = getpwuid_alloc(uid)))) {
- nt_status = pdb_init_sam_pw(&sam_account, passwd);
+ && (passwd = getpwuid_alloc(uid))) {
+ if (!pdb_getsampwnam(sam_account,
+ passwd->pw_name)) {
+ passwd_free(&passwd);
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_SUCH_USER;
+ }
passwd_free(&passwd);
} else {
char *dom_user;
@@ -907,27 +921,28 @@
if (!dom_user) {
DEBUG(0, ("talloc_asprintf failed!\n"));
+ pdb_free_sam(&sam_account);
return NT_STATUS_NO_MEMORY;
- } else {
+ }
- if (!(passwd = Get_Pwnam(dom_user))
+ if (!(passwd = Get_Pwnam(dom_user))
/* Only lookup local for the local
domain, we don't want this for
trusted domains */
- && strequal(nt_domain, lp_workgroup())) {
- passwd = Get_Pwnam(internal_username);
- }
-
- if (!passwd) {
- return NT_STATUS_NO_SUCH_USER;
- } else {
- nt_status = pdb_init_sam_pw(&sam_account, passwd);
- }
+ && strequal(nt_domain, lp_workgroup())) {
+ passwd = Get_Pwnam(internal_username);
+ }
+
+ nt_status = NT_STATUS_NO_SUCH_USER;
+
+ if (passwd && pdb_getsampwnam(sam_account, passwd->pw_name)) {
+ nt_status = NT_STATUS_OK;
}
}
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("make_server_info_info3: pdb_init_sam failed!\n"));
+ pdb_free_sam(&sam_account);
return nt_status;
}
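Review bot: The error message at `DEBUG(0, ("make_server_info_info3: pdb_init_sam failed!\n"))` is now wrong: pdb_init_sam is checked separately at the top of the function (earlier hunk), so the only way to reach this branch is a failed pdb_getsampwnam, i.e. a missing passdb account for the mapped unix user. It should say so and name the user, e.g. `DEBUG(1, ("make_server_info_info3: no passdb account for %s\\%s\n", nt_domain, internal_username));`, and level 0 looks too loud for something a trusted-domain logon can trigger routinely. Worth a comment too: `pdb_getsampwnam(sam_account, passwd->pw_name)` looks the account up by unix name, so the SAM_ACCOUNT (and thus the SID make_server_info_sam will report) is whatever passdb holds under that name, not necessarily the SID the DC asserted in the info3; that predates the patch, but the explicit name lookup makes it the place to document it. The function continues beyond the hunk.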
Index: source/groupdb/mapping.c
===================================================================
RCS file: /data/cvs/samba/source/groupdb/mapping.c,v
retrieving revision 1.37
diff -u -r1.37 mapping.c
--- source/groupdb/mapping.c 23 Sep 2002 16:21:01 -0000 1.37
+++ source/groupdb/mapping.c 30 Sep 2002 07:14:24 -0000
@@ -962,44 +962,30 @@
}
/* The group is in the mapping table */
- if(get_group_map_from_sid(sid, map, with_priv)) {
- if (map->sid_name_use!=SID_NAME_ALIAS) {
- if (with_priv)
- free_privilege(&map->priv_set);
- return False;
- }
-
- if (map->gid==-1) {
- if (with_priv)
- free_privilege(&map->priv_set);
- return False;
- }
-
- if ( (grp=getgrgid(map->gid)) == NULL) {
- if (with_priv)
- free_privilege(&map->priv_set);
- return False;
- }
- } else {
- /* the group isn't in the mapping table.
- * make one based on the unix information */
- uint32 alias_rid;
-
- sid_peek_rid(&sid, &alias_rid);
- map->gid=pdb_group_rid_to_gid(alias_rid);
-
- if ((grp=getgrgid(map->gid)) == NULL)
- return False;
-
- map->sid_name_use=SID_NAME_ALIAS;
- map->systemaccount=PR_ACCESS_FROM_NETWORK;
+ if(!get_group_map_from_sid(sid, map, with_priv)) {
+ /* The group is not in the mapping table. All places
+ where this is called (mainly srv_samr_nt.c) the SID
+ must have gone through get_group_map_from_gid
+ before. So it's perfectly valid to fail here. */
+ return False;
+ }
- fstrcpy(map->nt_name, grp->gr_name);
- fstrcpy(map->comment, "Local Unix Group");
+ if (map->sid_name_use!=SID_NAME_ALIAS) {
+ if (with_priv)
+ free_privilege(&map->priv_set);
+ return False;
+ }
- init_privilege(&map->priv_set);
+ if (map->gid==-1) {
+ if (with_priv)
+ free_privilege(&map->priv_set);
+ return False;
+ }
- sid_copy(&map->sid, &sid);
+ if ( (grp=getgrgid(map->gid)) == NULL) {
+ if (with_priv)
+ free_privilege(&map->priv_set);
+ return False;
}
return True;
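Review bot: The three back-to-back checks after the early `return False` (`sid_name_use != SID_NAME_ALIAS`, `gid == -1`, `getgrgid(map->gid) == NULL`) each repeat the same `if (with_priv) free_privilege(&map->priv_set); return False;` cleanup, which is the pattern that grows a missed release the next time a condition is added. One combined condition with a single cleanup reads better and keeps the privilege-set release in one place; the new comment explaining that an unmapped SID is a legitimate miss is good and should stay. The function's signature is above the hunk, so I have kept only the lines I would change.
```c
	if (!get_group_map_from_sid(sid, map, with_priv)) {
		/* … unchanged: comment on why an unmapped SID is a legitimate miss … */
		return False;
	}

	/* Only a mapped alias that still has a live unix group is usable;
	   release the privilege set once on every failure path. */
	if (map->sid_name_use != SID_NAME_ALIAS || map->gid == -1 ||
	    (grp = getgrgid(map->gid)) == NULL) {
		if (with_priv)
			free_privilege(&map->priv_set);
		return False;
	}
```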
@@ -1040,42 +1026,49 @@
return True;
}
-
-
/****************************************************************************
Returns a GROUP_MAP struct based on the gid.
****************************************************************************/
BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv)
{
struct group *grp;
+ uint32 rid;
+ fstring name;
if(!init_group_mapping()) {
DEBUG(0,("failed to initialize group mapping"));
return(False);
}
- if ( (grp=getgrgid(gid)) == NULL)
- return False;
-
- /*
- * make a group map from scratch if doesn't exist.
- */
- if (!get_group_map_from_gid(gid, map, with_priv)) {
- map->gid=gid;
- map->sid_name_use=SID_NAME_ALIAS;
- map->systemaccount=PR_ACCESS_FROM_NETWORK;
- init_privilege(&map->priv_set);
+ if (get_group_map_from_gid(gid, map, with_priv))
+ return True;
- /* interim solution until we have a last RID allocated */
+ /* There's no mapping, try to create one on the fly. */
- sid_copy(&map->sid, get_global_sam_sid());
- sid_append_rid(&map->sid, pdb_gid_to_group_rid(gid));
+ if ((grp=getgrgid(gid)) != NULL) {
+ slprintf(name, sizeof(name), "Group %s", grp->gr_name);
+ } else {
+ slprintf(name, sizeof(name), "Group %d", gid);
+ }
- fstrcpy(map->nt_name, grp->gr_name);
- fstrcpy(map->comment, "Local Unix Group");
+ if ((rid = secrets_allocate_rid()) != 0) {
+ DOM_SID sid;
+ fstring string_sid;
+ PRIVILEGE_SET priv_set;
+
+ sid_copy(&sid, get_global_sam_sid());
+ sid_append_rid(&sid, rid);
+ sid_to_string(string_sid, &sid);
+ init_privilege(&priv_set);
+
+ if (!add_initial_entry(gid, string_sid, SID_NAME_ALIAS,
+ name, "Local Unix Group",
+ priv_set, PR_ACCESS_FROM_NETWORK)) {
+ return False;
+ }
}
-
- return True;
+
+ return get_group_map_from_gid(gid, map, with_priv);
}
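Review bot: get_group_from_gid now creates a persistent mapping, and consumes a RID from the domain counter, for a gid that does not exist in the unix group database (the `"Group %d"` branch), whereas the old code returned False when `getgrgid` failed; if any caller can be driven with a gid taken from client-supplied data, that lets a client grow the mapping tdb and burn RIDs at will. Unless mapping gids of deleted groups is wanted, keep the guard, `if ((grp = getgrgid(gid)) == NULL) return False;`, before allocating. There is also no lock between the failed `get_group_map_from_gid` and `add_initial_entry`, so two smbds racing on the same gid can each allocate a RID and store a second entry; if the mapping table is keyed by SID, as the tdb backend appears to be, that leaves two SIDs for one gid, one of which will dangle in ACLs. Minor: `"Group %d", gid` formats a gid_t with `%d`; `"Group %u", (unsigned)gid` matches the casts used elsewhere in this file.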
Index: source/include/secrets.h
===================================================================
RCS file: /data/cvs/samba/source/include/secrets.h,v
retrieving revision 1.12
diff -u -r1.12 secrets.h
--- source/include/secrets.h 30 Jul 2002 17:23:06 -0000 1.12
+++ source/include/secrets.h 30 Sep 2002 07:14:25 -0000
@@ -35,6 +35,9 @@
#define SECRETS_DOMAIN_SID "SECRETS/SID"
#define SECRETS_SAM_SID "SAM/SID"
+/* The next RID for a domain */
+#define SECRETS_NEXTRID "SECRETS/NEXTRID"
+
/* The domain GUID and server GUID (NOT the same) are also not secret */
#define SECRETS_DOMAIN_GUID "SECRETS/DOMGUID"
#define SECRETS_SERVER_GUID "SECRETS/GUID"
Index: source/lib/util_sid.c
===================================================================
RCS file: /data/cvs/samba/source/lib/util_sid.c,v
retrieving revision 1.60
diff -u -r1.60 util_sid.c
--- source/lib/util_sid.c 28 Sep 2002 00:12:49 -0000 1.60
+++ source/lib/util_sid.c 30 Sep 2002 07:14:26 -0000
@@ -34,6 +34,7 @@
DOM_SID global_sid_World; /* Everyone */
DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */
DOM_SID global_sid_NT_Authority; /* NT Authority */
+DOM_SID global_sid_Unix_Authority; /* Unix Authority */
DOM_SID global_sid_NULL; /* NULL sid */
DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */
DOM_SID global_sid_Network; /* Network rids */
@@ -111,6 +112,7 @@
string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
string_to_sid(&global_sid_Creator_Group, "S-1-3-1");
string_to_sid(&global_sid_NT_Authority, "S-1-5");
+ string_to_sid(&global_sid_Unix_Authority, "S-1-5-33");
string_to_sid(&global_sid_NULL, "S-1-0-0");
string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
string_to_sid(&global_sid_Network, "S-1-5-2");
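Review bot: `string_to_sid(&global_sid_Unix_Authority, "S-1-5-33")` carves a Samba-private sub-authority out of the NT Authority (S-1-5) identifier authority, which Microsoft owns and keeps extending, so a future Windows well-known SID under S-1-5-33 would collide with every unix-user SID Samba has by then written into ACLs. A Samba-specific identifier authority (an unused value in the position where S-1-3 and S-1-5 differ, e.g. S-1-22) keeps minted SIDs out of Microsoft's namespace; whichever value is chosen, a comment next to the definition that these SIDs are local-only and must never be handed to a DC would help. The cover note's "works fine on NT and W2k" shows clients accept the value, not that it is reserved.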
Index: source/passdb/passdb.c
===================================================================
RCS file: /data/cvs/samba/source/passdb/passdb.c,v
retrieving revision 1.174
diff -u -r1.174 passdb.c
--- source/passdb/passdb.c 26 Sep 2002 10:25:34 -0000 1.174
+++ source/passdb/passdb.c 30 Sep 2002 07:14:26 -0000
@@ -163,8 +163,6 @@
NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
{
- GROUP_MAP map;
-
const char *guest_account = lp_guestaccount();
if (!(guest_account && *guest_account)) {
DEBUG(1, ("NULL guest account!?!?\n"));
@@ -187,47 +185,7 @@
pdb_set_uid(sam_account, pwd->pw_uid);
pdb_set_gid(sam_account, pwd->pw_gid);
- /* When we get a proper uid -> SID and SID -> uid allocation
- mechinism, we should call it here.
-
- We can't just set this to 0 or allow it only to be filled
- in when added to the backend, becouse the user's SID
- may already be in security descriptors etc.
-
- -- abartlet 11-May-02
- */
-
-
- /* Ensure this *must* be set right */
- if (strcmp(pwd->pw_name, guest_account) == 0) {
- if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
- if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS))
{
- return NT_STATUS_UNSUCCESSFUL;
- }
- } else {
-
- if (!pdb_set_user_sid_from_rid(sam_account,
-
fallback_pdb_uid_to_user_rid(pwd->pw_uid))) {
- DEBUG(0,("Can't set User SID from RID!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* call the mapping code here */
- if(get_group_map_from_gid(pwd->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
- if (!pdb_set_group_sid(sam_account,&map.sid)){
- DEBUG(0,("Can't set Group SID!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
- }
- else {
- if
(!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid))) {
- DEBUG(0,("Can't set Group SID\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
- }
- }
+ /* We explicitly do NOT set the User and Group SIDs here. */
/* check if this is a user account or a machine account */
if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$')
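Review bot: The replacement comment `/* We explicitly do NOT set the User and Group SIDs here. */` states the new rule but not the contract, and this is the one place every backend author will look; it should say who does set them, e.g. `/* User and group SIDs are deliberately left unset: the passdb backend that calls this (smbpasswd/unix algorithmically, tdb/ldap from the stored RID) is responsible for them, and a NULL user SID at pdb_add_sam_account time means "allocate a RID". */`. The deleted block also used to pin the guest account to DOMAIN_USER_RID_GUEST / DOMAIN_GROUP_RID_GUESTS, and nothing in this hunk or in the unix/smbpasswd backend hunks reinstates that, while local_uid_to_sid in this same patch still hands the guest RID 501; that needs either a comment saying guest is now the backend's problem or the special case kept here. If the `strcmp(pwd->pw_name, guest_account)` was the last use of `guest_account`, the NULL check kept at the top of the function is now dead; the rest of the function is outside the hunk so I cannot confirm.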
@@ -648,41 +606,7 @@
*psid_name_use = map.sid_name_use;
return True;
}
-
- if (pdb_rid_is_user(rid)) {
- uid_t uid;
-
- DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid));
-
- uid = fallback_pdb_user_rid_to_uid(rid);
- slprintf(name, sizeof(fstring)-1, "unix_user.%u", (unsigned int)uid);
-
- return False; /* Indicates that this user was 'not mapped' */
- } else {
- gid_t gid;
- struct group *gr;
-
- DEBUG(5, ("assuming RID %u is a group\n", (unsigned)rid));
-
- gid = pdb_group_rid_to_gid(rid);
- gr = getgrgid(gid);
-
- *psid_name_use = SID_NAME_ALIAS;
-
- DEBUG(5,("local_lookup_sid: looking up gid %u %s\n", (unsigned int)gid,
- gr ? "succeeded" : "failed" ));
-
- if(!gr) {
- slprintf(name, sizeof(fstring)-1, "unix_group.%u", (unsigned
int)gid);
- return False; /* Indicates that this group was 'not mapped' */
- }
-
- fstrcpy( name, gr->gr_name);
-
- DEBUG(5,("local_lookup_sid: found group %s for rid %u\n", name,
- (unsigned int)rid ));
- return True;
- }
+ return False;
}
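Review bot: The new bare `return False;` drops every diagnostic the old fallback produced, and it no longer writes anything into `name`, which the deleted code filled even on the not-mapped return; any caller that printed `name` on a False result now reads whatever was in the buffer. A `DEBUG(5, ("local_lookup_sid: rid %u is neither in passdb nor in the group mapping\n", (unsigned)rid));` before the return keeps lookups debuggable, and if callers inspect `name` on failure it should be cleared explicitly. The start of the function, including how `name` is declared, is above the hunk.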
/*******************************************************************
@@ -695,7 +619,6 @@
DOM_SID local_sid;
fstring user;
SAM_ACCOUNT *sam_account = NULL;
- struct group *grp;
GROUP_MAP map;
*psid_name_use = SID_NAME_UNKNOWN;
@@ -749,37 +672,12 @@
/* check if it's a mapped group */
if (get_group_map_from_ntname(user, &map, MAPPING_WITHOUT_PRIV)) {
/* yes it's a mapped group */
- sid_copy(&local_sid, &map.sid);
+ sid_copy(psid, &map.sid);
*psid_name_use = map.sid_name_use;
- } else {
- /* it's not a mapped group */
- grp = getgrnam(user);
- if(!grp)
- return False;
-
- /*
- *check if it's mapped, if it is reply it doesn't exist
- *
- * that's to prevent this case:
- *
- * unix group ug is mapped to nt group ng
- * someone does a lookup on ug
- * we must not reply as it doesn't "exist" anymore
- * for NT. For NT only ng exists.
- * JFM, 30/11/2001
- */
-
- if (get_group_map_from_gid(grp->gr_gid, &map, MAPPING_WITHOUT_PRIV)){
- return False;
- }
-
- sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
- *psid_name_use = SID_NAME_ALIAS;
+ return True;
}
- sid_copy( psid, &local_sid);
-
- return True;
+ return False;
}
/****************************************************************************
@@ -788,6 +686,8 @@
DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
{
+ extern DOM_SID global_sid_Unix_Authority;
+
struct passwd *pass;
SAM_ACCOUNT *sam_user = NULL;
fstring str; /* sid string buffer */
@@ -806,7 +706,8 @@
} else if (strcmp(pass->pw_name, lp_guestaccount()) == 0) {
sid_append_rid(psid, DOMAIN_USER_RID_GUEST);
} else {
- sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
+ sid_copy(psid, &global_sid_Unix_Authority);
+ sid_append_rid(psid, uid);
}
DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (%s).\n",
@@ -817,10 +718,10 @@
pdb_free_sam(&sam_user);
} else {
- sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
-
- DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (unknown user).\n",
- (unsigned)uid, sid_to_string( str, psid)));
+ sid_copy(psid, &global_sid_Unix_Authority);
+ sid_append_rid(psid, uid);
+ DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s).\n",
+ (unsigned)uid, sid_string_static(psid)));
}
return psid;
@@ -848,44 +749,16 @@
}
*puid = pdb_get_uid(sam_user);
+ *name_type = SID_NAME_USER;
DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n",
sid_to_string( str, psid),
(unsigned int)*puid, pdb_get_username(sam_user)));
pdb_free_sam(&sam_user);
- } else {
-
- DOM_SID dom_sid;
- uint32 rid;
- GROUP_MAP map;
-
- pdb_free_sam(&sam_user);
-
- if (get_group_map_from_sid(*psid, &map, MAPPING_WITHOUT_PRIV)) {
- DEBUG(3, ("local_sid_to_uid: SID '%s' is a group, not a
user... \n", sid_to_string(str, psid)));
- /* It's a group, not a user... */
- return False;
- }
-
- sid_copy(&dom_sid, psid);
- if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
- DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our
domain\n", sid_to_string(str, psid)));
- return False;
- }
+ return True;
- if (!pdb_rid_is_user(rid)) {
- DEBUG(3, ("local_sid_to_uid: sid '%s' cannot be mapped to a
uid algorithmicly becouse it is a group\n", sid_to_string(str, psid)));
- return False;
- }
-
- *puid = fallback_pdb_user_rid_to_uid(rid);
-
- DEBUG(5,("local_sid_to_uid: SID %s algorithmicly mapped to %ld mapped
becouse SID was not found in passdb.\n",
- sid_to_string(str, psid), (signed long int)(*puid)));
}
- *name_type = SID_NAME_USER;
-
- return True;
+ return False;
}
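Review bot: The not-found path of local_sid_to_uid now leaks `sam_user`: the deleted else branch called `pdb_free_sam(&sam_user)`, the new code falls straight to `return False;`, and the only remaining free is inside the success branch (assuming, as the success branch implies, that `sam_user` was allocated with pdb_init_sam above the hunk). Add `pdb_free_sam(&sam_user);` before the final `return False;`. Separately, this function can no longer reverse what local_uid_to_sid in this patch hands out: a non-passdb user gets `S-1-5-33-<uid>`, but nothing here recognises that SID, so ACLs containing such owners cannot be mapped back; a check along the lines of `if (sid_peek_check_rid(&global_sid_Unix_Authority, psid, &rid)) { *puid = rid; *name_type = SID_NAME_USER; ... return True; }` (sid_peek_check_rid is already used in this file) would close the round trip.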
/****************************************************************************
@@ -896,15 +769,12 @@
{
GROUP_MAP map;
- sid_copy(psid, get_global_sam_sid());
-
- if (get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
- sid_copy(psid, &map.sid);
+ if (!get_group_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
+ DEBUG(0, ("GID does not exist!\n"));
+ return NULL;
}
- else {
- sid_append_rid(psid, pdb_gid_to_group_rid(gid));
- }
+ sid_copy(psid, &map.sid);
return psid;
}
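Review bot: `DEBUG(0, ("GID does not exist!\n"))` is both too loud and inaccurate: get_group_from_gid in this patch also fails when RID allocation fails (counter not initialised via 'net initrid') or when add_initial_entry fails, and the message does not say which gid was involved. Something like `DEBUG(0, ("local_gid_to_sid: could not map gid %u to a SID\n", (unsigned)gid));` gives an admin something to act on. Worth a comment as well that this lookup now has a side effect, it allocates a RID and persists a mapping for any unmapped gid it is asked about, since callers that only wanted to translate a file's gid may not expect that.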
@@ -937,35 +807,10 @@
DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n",
sid_to_string( str, psid),
map.nt_name, (unsigned int)*pgid));
-
- } else {
- uint32 rid;
- SAM_ACCOUNT *sam_user = NULL;
- if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user)))
- return False;
-
- if (pdb_getsampwsid(sam_user, psid)) {
- return False;
- pdb_free_sam(&sam_user);
- }
-
- pdb_free_sam(&sam_user);
-
- if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
- DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our
domain\n", sid_to_string(str, psid)));
- return False;
- }
-
- if (pdb_rid_is_user(rid))
- return False;
-
- *pgid = pdb_group_rid_to_gid(rid);
- *name_type = SID_NAME_ALIAS;
- DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u).\n", sid_to_string(
str, psid),
- (unsigned int)*pgid));
+ return True;
}
-
- return True;
+
+ return False;
}
/**
Index: source/passdb/pdb_get_set.c
===================================================================
RCS file: /data/cvs/samba/source/passdb/pdb_get_set.c,v
retrieving revision 1.19
diff -u -r1.19 pdb_get_set.c
--- source/passdb/pdb_get_set.c 25 Sep 2002 14:18:11 -0000 1.19
+++ source/passdb/pdb_get_set.c 30 Sep 2002 07:14:26 -0000
@@ -166,11 +166,23 @@
const DOM_SID *pdb_get_group_sid(const SAM_ACCOUNT *sampass)
{
- if (sampass)
- return &sampass->private.group_sid;
- else
+ struct passwd *pwd;
+ static GROUP_MAP map;
+
+ if (!sampass)
return (NULL);
-}
+
+ /* If the user's unix primary group is mapped to a NT SID, use
+ that. Otherwise use the pdb-stored SID. Unix is still boss
+ here :-) */
+
+ if ( ((pwd = getpwuid(sampass->private.uid)) != NULL)
+ && get_group_map_from_gid(pwd->pw_gid, &map, False))
+ return &map.sid;
+
+ DEBUG(5, ("Detected NON-Unix account\n"));
+ return &sampass->private.group_sid;
+}
/**
* Get flags showing what is initalised in the SAM_ACCOUNT
Index: source/passdb/pdb_ldap.c
===================================================================
RCS file: /data/cvs/samba/source/passdb/pdb_ldap.c,v
retrieving revision 1.58
diff -u -r1.58 pdb_ldap.c
--- source/passdb/pdb_ldap.c 27 Sep 2002 01:02:37 -0000 1.58
+++ source/passdb/pdb_ldap.c 30 Sep 2002 07:14:27 -0000
@@ -506,11 +506,6 @@
snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
- if (rc != LDAP_SUCCESS)
- rc = ldapsam_search_one_user_by_uid(ldap_state, ldap_struct,
- fallback_pdb_user_rid_to_uid(rid),
- result);
-
return rc;
}
@@ -639,8 +634,7 @@
munged_dial,
workstations;
struct passwd *pw;
- uint32 user_rid,
- group_rid;
+ uint32 user_rid;
uint8 smblmpwd[16],
smbntpwd[16];
uint16 acct_ctrl,
@@ -685,13 +679,6 @@
pdb_set_user_sid_from_rid(sampass, user_rid);
- if (!get_single_attribute(ldap_struct, entry, "primaryGroupID", temp)) {
- group_rid = 0;
- } else {
- group_rid = (uint32)atol(temp);
- pdb_set_group_sid_from_rid(sampass, group_rid);
- }
-
if ((ldap_state->permit_non_unix_accounts)
&& (user_rid >= ldap_state->low_nua_rid)
&& (user_rid <= ldap_state->high_nua_rid)) {
@@ -716,17 +703,6 @@
pdb_set_uid(sampass, uid);
pdb_set_gid(sampass, gid);
-
- if (group_rid == 0) {
- GROUP_MAP map;
- /* call the mapping code here */
- if(get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
- pdb_set_group_sid(sampass, &map.sid);
- }
- else {
- pdb_set_group_sid_from_rid(sampass,
pdb_gid_to_group_rid(gid));
- }
- }
}
if (!get_single_attribute(ldap_struct, entry, "pwdLastSet", temp)) {
@@ -924,34 +900,17 @@
if ( pdb_get_user_rid(sampass) ) {
rid = pdb_get_user_rid(sampass);
} else if (IS_SAM_SET(sampass, FLAG_SAM_UID)) {
- rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(sampass));
+ rid = secrets_allocate_rid();
} else if (ldap_state->permit_non_unix_accounts) {
- rid = ldapsam_get_next_available_nua_rid(ldap_state);
- if (rid == 0) {
- DEBUG(0, ("NO user RID specified on account %s, and findining
next available NUA RID failed, cannot store!\n", pdb_get_username(sampass)));
- return False;
- }
+ rid = secrets_allocate_rid();
} else {
- DEBUG(0, ("NO user RID specified on account %s, cannot store!\n",
pdb_get_username(sampass)));
+ DEBUG(0, ("NO user RID specified on account %s, cannot store!\n",
+ pdb_get_username(sampass)));
return False;
}
slprintf(temp, sizeof(temp) - 1, "%i", rid);
make_a_mod(mods, ldap_op, "rid", temp);
-
- if ( pdb_get_group_rid(sampass) ) {
- rid = pdb_get_group_rid(sampass);
- } else if (IS_SAM_SET(sampass, FLAG_SAM_GID)) {
- rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
- } else if (ldap_state->permit_non_unix_accounts) {
- rid = DOMAIN_GROUP_RID_USERS;
- } else {
- DEBUG(0, ("NO group RID specified on account %s, cannot store!\n",
pdb_get_username(sampass)));
- return False;
- }
-
- slprintf(temp, sizeof(temp) - 1, "%i", rid);
- make_a_mod(mods, ldap_op, "primaryGroupID", temp);
/* displayName, cn, and gecos should all be the same
* most easily accomplished by giving them the same OID
Index: source/passdb/pdb_nisplus.c
===================================================================
RCS file: /data/cvs/samba/source/passdb/pdb_nisplus.c,v
retrieving revision 1.30
diff -u -r1.30 pdb_nisplus.c
--- source/passdb/pdb_nisplus.c 26 Sep 2002 09:50:53 -0000 1.30
+++ source/passdb/pdb_nisplus.c 30 Sep 2002 07:14:27 -0000
@@ -1078,7 +1078,7 @@
rid = pdb_get_group_rid (sampass);
if (rid == 0) {
- if (get_group_map_from_gid
+ if (get_group_from_gid
(pdb_get_gid (sampass), &map,
MAPPING_WITHOUT_PRIV)) {
if (!sid_peek_check_rid
Index: source/passdb/pdb_smbpasswd.c
===================================================================
RCS file: /data/cvs/samba/source/passdb/pdb_smbpasswd.c,v
retrieving revision 1.56
diff -u -r1.56 pdb_smbpasswd.c
--- source/passdb/pdb_smbpasswd.c 26 Sep 2002 09:50:53 -0000 1.56
+++ source/passdb/pdb_smbpasswd.c 30 Sep 2002 07:14:28 -0000
@@ -1194,6 +1194,7 @@
SAM_ACCOUNT *sam_pass, const struct smb_passwd *pw_buf)
{
struct passwd *pwfile;
+ uint32 group_rid;
if (sam_pass==NULL) {
DEBUG(5,("build_sam_account: SAM_ACCOUNT is NULL\n"));
@@ -1204,14 +1205,14 @@
&& (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid)
&& (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {
- pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid
(pw_buf->smb_userid));
-
/* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here.
This was down the bottom for machines, but it looks pretty good as
a general default for non-unix users. --abartlet 2002-01-08
*/
- pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS);
+
+ group_rid = DOMAIN_GROUP_RID_USERS;
+
pdb_set_username (sam_pass, pw_buf->smb_name);
pdb_set_domain (sam_pass, lp_workgroup());
} else {
@@ -1225,10 +1226,14 @@
if (!NT_STATUS_IS_OK(pdb_fill_sam_pw(sam_pass, pwfile))) {
return False;
}
-
+
+ group_rid = pdb_gid_to_group_rid(pwfile->pw_gid);
passwd_free(&pwfile);
}
+ pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid
+(pw_buf->smb_userid));
+ pdb_set_group_sid_from_rid(sam_pass, group_rid);
+
pdb_set_nt_passwd (sam_pass, pw_buf->smb_nt_passwd);
pdb_set_lanman_passwd (sam_pass, pw_buf->smb_passwd);
pdb_set_acct_ctrl (sam_pass, pw_buf->acct_ctrl);
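Review bot: `group_rid = pdb_gid_to_group_rid(pwfile->pw_gid)` stores the algorithmic RID even when the user's primary gid has an entry in the group mapping table, so the value written into the account disagrees with what pdb_get_group_sid in this same patch returns after consulting the mapping, and anything that reads the stored group SID directly (the "NON-Unix" fallback path) sees the wrong group. The nisplus backend hunk shows the intended order: consult the mapping first and fall back to `pdb_gid_to_group_rid` only when there is none. The same block also hands the guest account `fallback_pdb_uid_to_user_rid(pw_buf->smb_userid)` where pdb_fill_sam_pw used to force DOMAIN_USER_RID_GUEST, so guest now has one SID here and another from local_uid_to_sid; if that is deliberate, a comment saying so would stop the next reader from "fixing" it.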
Index: source/passdb/pdb_tdb.c
===================================================================
RCS file: /data/cvs/samba/source/passdb/pdb_tdb.c,v
retrieving revision 1.70
diff -u -r1.70 pdb_tdb.c
--- source/passdb/pdb_tdb.c 26 Sep 2002 09:50:53 -0000 1.70
+++ source/passdb/pdb_tdb.c 30 Sep 2002 07:14:28 -0000
@@ -54,8 +54,6 @@
BOOL permit_non_unix_accounts;
- BOOL algorithmic_rids;
-
uint32 low_nua_rid;
uint32 high_nua_rid;
};
@@ -94,7 +92,7 @@
fullname_len, homedir_len, logon_script_len,
profile_path_len, acct_desc_len, workstations_len;
- uint32 user_rid, group_rid, unknown_3, hours_len, unknown_5, unknown_6;
+ uint32 user_rid, dummy, unknown_3, hours_len, unknown_5, unknown_6;
uint16 acct_ctrl, logon_divs;
uint8 *hours;
static uint8 *lm_pw_ptr, *nt_pw_ptr;
@@ -131,7 +129,7 @@
&unknown_str_len, &unknown_str,
&munged_dial_len, &munged_dial,
&user_rid,
- &group_rid,
+ &dummy, /* Used to be group rid. Now unused. */
&lm_pw_len, &lm_pw_ptr,
&nt_pw_len, &nt_pw_ptr,
&acct_ctrl,
@@ -247,7 +245,6 @@
}
pdb_set_user_sid_from_rid(sampass, user_rid);
- pdb_set_group_sid_from_rid(sampass, group_rid);
pdb_set_unknown_3(sampass, unknown_3);
pdb_set_hours_len(sampass, hours_len);
pdb_set_unknown_5(sampass, unknown_5);
@@ -291,7 +288,7 @@
pass_can_change_time,
pass_must_change_time;
- uint32 user_rid, group_rid;
+ uint32 user_rid;
const char *username;
const char *domain;
@@ -332,7 +329,6 @@
pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass);
user_rid = pdb_get_user_rid(sampass);
- group_rid = pdb_get_group_rid(sampass);
username = pdb_get_username(sampass);
if (username) username_len = strlen(username) +1;
@@ -417,7 +413,7 @@
unknown_str_len, unknown_str,
munged_dial_len, munged_dial,
user_rid,
- group_rid,
+ -1, /* Used to be group rid. Now unused. */
lm_pw_len, lm_pw,
nt_pw_len, nt_pw,
pdb_get_acct_ctrl(sampass),
@@ -456,7 +452,7 @@
unknown_str_len, unknown_str,
munged_dial_len, munged_dial,
user_rid,
- group_rid,
+ -1, /* Used to be group rid. Now unused. */
lm_pw_len, lm_pw,
nt_pw_len, nt_pw,
pdb_get_acct_ctrl(sampass),
@@ -771,16 +767,7 @@
if (!(user_rid = pdb_get_user_rid(newpwd))) {
if (flag & TDB_INSERT) {
if (IS_SAM_UNIX_USER(newpwd)) {
- if (tdb_state->algorithmic_rids) {
- user_rid =
fallback_pdb_uid_to_user_rid(pdb_get_uid(newpwd));
- } else {
- user_rid = BASE_RID;
- tdb_ret = tdb_change_uint32_atomic(pwd_tdb,
"RID_COUNTER", &user_rid, RID_MULTIPLIER);
- if (!tdb_ret) {
- ret = False;
- goto done;
- }
- }
+ user_rid = secrets_allocate_rid();
pdb_set_user_sid_from_rid(newpwd, user_rid);
} else {
user_rid = tdb_state->low_nua_rid;
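Review bot: `user_rid = secrets_allocate_rid();` replaces a path that failed the store when the counter could not be advanced, but the new call's 0 return is not checked, so an uninitialised or exhausted counter stores an account with RID 0 (which the `if (!(user_rid = pdb_get_user_rid(newpwd)))` test above treats as "no RID"), and every later account does the same, giving them all one SID. Reuse the `ret = False; goto done;` exit the old counter path took; the `done` label is outside the hunk.
```c
			if (IS_SAM_UNIX_USER(newpwd)) {
				user_rid = secrets_allocate_rid();
				if (user_rid == 0) {
					DEBUG(0, ("tdb_update_sam: could not allocate a RID for [%s]\n",
						  pdb_get_username(newpwd)));
					ret = False;
					goto done;
				}
				pdb_set_user_sid_from_rid(newpwd, user_rid);
```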
@@ -803,23 +790,6 @@
}
}
- if (!pdb_get_group_rid(newpwd)) {
- if (flag & TDB_INSERT) {
- if (!tdb_state->permit_non_unix_accounts) {
- DEBUG (0,("tdb_update_sam: Failing to store a
SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
- ret = False;
- goto done;
- } else {
- /* This seems like a good default choice for non-unix
users */
- pdb_set_group_sid_from_rid(newpwd,
DOMAIN_GROUP_RID_USERS);
- }
- } else {
- DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for
[%s] without a primary group RID\n",pdb_get_username(newpwd)));
- ret = False;
- goto done;
- }
- }
-
/* copy the SAM_ACCOUNT struct into a BYTE buffer for storage */
if ((data.dsize=init_buffer_from_sam (tdb_state, &buf, newpwd)) == -1) {
DEBUG(0,("tdb_update_sam: ERROR - Unable to copy SAM_ACCOUNT info BYTE
buffer!\n"));
@@ -950,8 +920,6 @@
pstrcat(tdbfile, PASSDB_FILE_NAME);
tdb_state->tdbsam_location = talloc_strdup(pdb_context->mem_ctx,
tdbfile);
}
-
- tdb_state->algorithmic_rids = True;
(*pdb_method)->private_data = tdb_state;
Index: source/passdb/pdb_unix.c
===================================================================
RCS file: /data/cvs/samba/source/passdb/pdb_unix.c,v
retrieving revision 1.8
diff -u -r1.8 pdb_unix.c
--- source/passdb/pdb_unix.c 26 Sep 2002 09:50:53 -0000 1.8
+++ source/passdb/pdb_unix.c 30 Sep 2002 07:14:28 -0000
@@ -26,6 +26,8 @@
static NTSTATUS unixsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user,
const char *sname)
{
struct passwd *pass;
+ NTSTATUS nt_status;
+
if (!methods) {
DEBUG(0,("invalid methods\n"));
return NT_STATUS_UNSUCCESSFUL;
@@ -36,7 +38,12 @@
}
pass = Get_Pwnam(sname);
- return pdb_fill_sam_pw(user, pass);
+ if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(user, pass)))
+ return nt_status;
+
+ pdb_set_user_sid_from_rid(user, fallback_pdb_uid_to_user_rid (pass->pw_uid));
+ pdb_set_group_sid_from_rid(user, pdb_gid_to_group_rid(pass->pw_gid));
+ return NT_STATUS_OK;
}
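Review bot: The new `pdb_set_user_sid_from_rid(user, fallback_pdb_uid_to_user_rid (pass->pw_uid))` dereferences `pass` after `Get_Pwnam` can have returned NULL, relying on pdb_fill_sam_pw to reject a NULL pwd first; the start of pdb_fill_sam_pw is in this patch but the NULL check is not visible, so an explicit `if (!pass) return NT_STATUS_NO_SUCH_USER;` right after `Get_Pwnam` is cheap insurance and documents the contract. This backend also now gives the guest account an algorithmic RID, while local_uid_to_sid in the same patch still returns DOMAIN_USER_RID_GUEST for it, so the guest has two different SIDs depending on which path asked; either special-case the guest here as pdb_fill_sam_pw used to, or comment why the mismatch is acceptable.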
@@ -73,6 +80,10 @@
}
nt_status = pdb_fill_sam_pw(user, pass);
+
+ pdb_set_user_sid_from_rid(user, rid);
+ pdb_set_group_sid_from_rid(user, pdb_gid_to_group_rid(pass->pw_gid));
+
passwd_free(&pass);
return nt_status;
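Review bot: In unixsam_getsampwrid the two new `pdb_set_*_sid_from_rid` calls run even when `pdb_fill_sam_pw` has just failed, which is inconsistent with the getsampwnam hunk that returns early on the same error and leaves a half-filled SAM_ACCOUNT carrying SIDs. Wrap them as `if (NT_STATUS_IS_OK(nt_status)) { ... }` around the two set calls, before `passwd_free`. The beginning of the function, including the `pass` NULL handling and where `rid` comes from, is above the hunk.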
Index: source/passdb/secrets.c
===================================================================
RCS file: /data/cvs/samba/source/passdb/secrets.c,v
retrieving revision 1.47
diff -u -r1.47 secrets.c
--- source/passdb/secrets.c 28 Sep 2002 12:09:21 -0000 1.47
+++ source/passdb/secrets.c 30 Sep 2002 07:14:29 -0000
@@ -645,3 +645,70 @@
tdb_chainunlock(tdb, key);
DEBUG(10,("secrets_named_mutex: released mutex for %s\n", name ));
}
+
+/*
+ Store an initial 'next rid' to secrets.tdb.
+*/
+BOOL secrets_init_nextrid(uint32 rid)
+{
+ fstring key;
+ fstring new_rid;
+
+ if (!secrets_init())
+ return False;
+
+ slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_NEXTRID, lp_workgroup());
+
+ if (tdb_lock_bystring(tdb, key) != 0)
+ return False;
+
+ slprintf(new_rid, sizeof(new_rid), "%d", rid);
+ secrets_store(key, new_rid, strlen(new_rid)+1);
+ tdb_unlock_bystring(tdb, key);
+
+ return True;
+}
+
+/*
+ Allocate a new RID
+*/
+uint32 secrets_allocate_rid(void)
+{
+ fstring key;
+ char *rid_string;
+ fstring new_rid;
+ uint32 rid;
+
+ if (!secrets_init())
+ return 0;
+
+ slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_NEXTRID, lp_workgroup());
+
+ if (tdb_lock_bystring(tdb, key) != 0)
+ return 0;
+
+ if ((rid_string = secrets_fetch(key, NULL)) == NULL) {
+ tdb_unlock_bystring(tdb, key);
+ DEBUG(0, ("Can't allocate a RID for Domain %s: "
+ "You should run 'net initrid'\n",
+ lp_workgroup()));
+ return 0;
+ }
+
+ rid = atoi(rid_string);
+
+ if (rid == 0) {
+ tdb_unlock_bystring(tdb, key);
+ DEBUG(0, ("Ran out of RIDs for Domain %s -- Boom!\n",
+ lp_workgroup()));
+ return 0;
+ }
+
+ SAFE_FREE(rid_string);
+
+ slprintf(new_rid, sizeof(new_rid), "%d", rid+1);
+ secrets_store(key, new_rid, strlen(new_rid)+1);
+ tdb_unlock_bystring(tdb, key);
+
+ return rid;
+}
Index: source/passdb/util_sam_sid.c
===================================================================
RCS file: /data/cvs/samba/source/passdb/util_sam_sid.c,v
retrieving revision 1.3
diff -u -r1.3 util_sam_sid.c
--- source/passdb/util_sam_sid.c 21 Jul 2002 04:01:04 -0000 1.3
+++ source/passdb/util_sam_sid.c 30 Sep 2002 07:14:29 -0000
@@ -25,7 +25,7 @@
extern pstring global_myname;
extern fstring global_myworkgroup;
-#define MAX_SID_NAMES 7
+#define MAX_SID_NAMES 8
typedef struct _known_sid_users {
uint32 rid;
@@ -44,6 +44,7 @@
extern DOM_SID global_sid_World_Domain; /* Everyone domain */
extern DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */
extern DOM_SID global_sid_NT_Authority; /* NT Authority */
+extern DOM_SID global_sid_Unix_Authority; /* Unknown numeric unix users */
static BOOL sid_name_map_initialized = False;
@@ -74,12 +75,17 @@
{ BUILTIN_ALIAS_RID_ADMINS, SID_NAME_ALIAS, "Administrators" },
{ BUILTIN_ALIAS_RID_USERS, SID_NAME_ALIAS, "Users" },
{ BUILTIN_ALIAS_RID_GUESTS, SID_NAME_ALIAS, "Guests" },
+ { BUILTIN_ALIAS_RID_POWER_USERS, SID_NAME_ALIAS, "Power Users" },
{ BUILTIN_ALIAS_RID_ACCOUNT_OPS, SID_NAME_ALIAS, "Account Operators" },
{ BUILTIN_ALIAS_RID_SYSTEM_OPS, SID_NAME_ALIAS, "Server Operators" },
{ BUILTIN_ALIAS_RID_PRINT_OPS, SID_NAME_ALIAS, "Print Operators" },
{ BUILTIN_ALIAS_RID_BACKUP_OPS, SID_NAME_ALIAS, "Backup Operators" },
+ { BUILTIN_ALIAS_RID_REPLICATOR, SID_NAME_ALIAS, "Replicators" },
{ 0, (enum SID_NAME_USE)0, NULL}};
+static known_sid_users unix_authority_users[] = {
+ { 0, (enum SID_NAME_USE)0, NULL}};
+
/**************************************************************************
@@ -133,7 +139,11 @@
sid_name_map[i].known_users = &nt_authority_users[0];
i++;
-
+ sid_name_map[i].sid = &global_sid_Unix_Authority;
+ sid_name_map[i].name = "Local Unix";
+ sid_name_map[i].known_users = &unix_authority_users[0];
+ i++;
+
/* end of array */
sid_name_map[i].sid = NULL;
sid_name_map[i].name = NULL;
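Review bot: The identifier authority behind global_sid_Unix_Authority is not visible in this patch, and the new "Local Unix" entry is added to sid_name_map without any note on where that SID is allowed to live; if the value is carved out of an authority Microsoft controls (S-1-5, NT Authority), every RID handed out under it risks colliding with a well-known SID that Windows defines now or later, so a Samba-private identifier authority is the safer choice. A comment on the new entry would make the constraint visible to the next maintainer, e.g. `/* Synthetic SIDs for unix users with no passdb entry; the authority must stay outside the NT Authority (S-1-5) namespace */`. The enclosing initialisation function starts before this hunk.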
Index: source/rpc_server/srv_samr_nt.c
===================================================================
RCS file: /data/cvs/samba/source/rpc_server/srv_samr_nt.c,v
retrieving revision 1.120
diff -u -r1.120 srv_samr_nt.c
--- source/rpc_server/srv_samr_nt.c 29 Sep 2002 10:39:03 -0000 1.120
+++ source/rpc_server/srv_samr_nt.c 30 Sep 2002 07:14:31 -0000
@@ -894,7 +894,7 @@
/* well-known aliases */
if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) {
- enum_group_mapping(SID_NAME_ALIAS, &map, (int *)&num_entries,
ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV);
+ enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries,
+ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV);
if (num_entries != 0) {
*d_grp=(DOMAIN_GRP *)talloc_zero(ctx,
num_entries*sizeof(DOMAIN_GRP));
@@ -2294,6 +2294,9 @@
}
}
+ /* There's no User SID set in sam_pass, to indicate to
+ pdb_add_sam_account to allocate one. */
+
pdb_set_acct_ctrl(sam_pass, acb_info);
if (!pdb_add_sam_account(sam_pass)) {
@@ -3899,7 +3902,8 @@
if ((grp=getgrgid(gid)) == NULL)
return NT_STATUS_ACCESS_DENIED;
- r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
+ if ((r_u->rid=secrets_allocate_rid()) == 0)
+ return NT_STATUS_ACCESS_DENIED;
/* add the group to the mapping table */
sid_copy(&info_sid, get_global_sam_sid());
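Review bot: The RID obtained from secrets_allocate_rid() on the new line is appended to the domain SID without any check that no user or group already holds it; the allocator only advances a per-workgroup counter in secrets.tdb and never consults the passdb or the group map, so on a domain where accounts still get RIDs by another scheme (the smbpasswd backend, or RIDs replicated from a PDC after 'net initrid' was run) a new group can end up with the same SID as an existing user, and ACL and token checks would then most likely treat the two as one principal. Before the mapping is added, look the candidate SID up in both the passdb and the group map (something like pdb_getsampwrid() and get_group_map_from_sid(), if those are the current names) and fail or re-allocate when it is taken. An allocator failure is also an administrative error, not a permissions problem, so NT_STATUS_ACCESS_DENIED is a misleading status for it. The enclosing function starts before and ends after this hunk.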
@@ -3964,7 +3968,8 @@
if ((grp=getgrgid(gid)) == NULL)
return NT_STATUS_ACCESS_DENIED;
- r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
+ if ((r_u->rid=secrets_allocate_rid()) == 0)
+ return NT_STATUS_ACCESS_DENIED;
sid_copy(&info_sid, get_global_sam_sid());
sid_append_rid(&info_sid, r_u->rid);
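Review bot: The RID allocated on the new line is consumed from the counter before the mapping for the new entry is stored, so if the mapping step that follows (outside this hunk) fails the RID is lost for good, and the client sees NT_STATUS_ACCESS_DENIED for what is really an allocator failure (counter never initialised with 'net initrid', or exhausted), which will send an administrator looking at permissions instead of secrets.tdb. Log the actual reason and return a status that does not imply a permissions check, e.g. `DEBUG(0, ("could not allocate a RID for the new entry; has 'net initrid' been run?\n")); return NT_STATUS_UNSUCCESSFUL;`, and consider writing the mapping under the same lock the allocator takes so an allocated RID is never dropped. The enclosing function starts before and ends after this hunk.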
Index: source/rpc_server/srv_samr_util.c
===================================================================
RCS file: /data/cvs/samba/source/rpc_server/srv_samr_util.c,v
retrieving revision 1.2
diff -u -r1.2 srv_samr_util.c
--- source/rpc_server/srv_samr_util.c 26 Sep 2002 10:25:34 -0000 1.2
+++ source/rpc_server/srv_samr_util.c 30 Sep 2002 07:14:31 -0000
@@ -175,11 +175,6 @@
/* pdb_set_user_sid_from_rid(to, from->user_rid);*/
}
- if (from->group_rid) {
- DEBUG(10,("INFO_21 GROUP_RID: %u ->
%u\n",pdb_get_group_rid(to),from->group_rid));
- pdb_set_group_sid_from_rid(to, from->group_rid);
- }
-
DEBUG(10,("INFO_21 ACCT_CTRL: %08X ->
%08X\n",pdb_get_acct_ctrl(to),from->acb_info));
pdb_set_acct_ctrl(to, from->acb_info);
@@ -362,11 +357,6 @@
DEBUG(10,("INFO_23 USER_RID: %u -> %u NOT
UPDATED!\n",pdb_get_user_rid(to),from->user_rid));
/* we really allow this ??? metze */
/* pdb_set_user_sid_from_rid(to, from->user_rid);*/
- }
-
- if (from->group_rid) {
- DEBUG(10,("INFO_23 GROUP_RID: %u ->
%u\n",pdb_get_group_rid(to),from->group_rid));
- pdb_set_group_sid_from_rid(to, from->group_rid);
}
DEBUG(10,("INFO_23 ACCT_CTRL: %08X ->
%08X\n",pdb_get_acct_ctrl(to),from->acb_info));
Index: source/rpcclient/samsync.c
===================================================================
RCS file: /data/cvs/samba/source/rpcclient/samsync.c,v
retrieving revision 1.27
diff -u -r1.27 samsync.c
--- source/rpcclient/samsync.c 30 Aug 2002 10:46:59 -0000 1.27
+++ source/rpcclient/samsync.c 30 Sep 2002 07:14:31 -0000
@@ -298,10 +298,6 @@
sid_append_rid(&sid, delta->user_rid);
pdb_set_user_sid(account, &sid);
- sid_copy(&sid, &domain_sid);
- sid_append_rid(&sid, delta->group_rid);
- pdb_set_group_sid(account, &sid);
-
/* Logon and password information */
pdb_set_logon_time(account, nt_time_to_unix(&delta->logon_time), True);
Index: source/utils/net.c
===================================================================
RCS file: /data/cvs/samba/source/utils/net.c,v
retrieving revision 1.60
diff -u -r1.60 net.c
--- source/utils/net.c 27 Sep 2002 04:33:58 -0000 1.60
+++ source/utils/net.c 30 Sep 2002 07:14:33 -0000
@@ -402,6 +402,106 @@
return 0;
}
+static uint32 get_maxrid(void)
+{
+ SAM_ACCOUNT *pwd = NULL;
+ uint32 max_rid = 0;
+ GROUP_MAP *map = NULL;
+ int num_entries = 0;
+ int i;
+
+ if (!pdb_setsampwent(False)) {
+ DEBUG(0, ("load_sampwd_entries: Unable to open passdb.\n"));
+ return 0;
+ }
+
+ for (; (NT_STATUS_IS_OK(pdb_init_sam(&pwd)))
+ && pdb_getsampwent(pwd) == True; pwd=NULL) {
+ uint32 rid;
+
+ if (!sid_peek_rid(pdb_get_user_sid(pwd), &rid)) {
+ DEBUG(0, ("can't get RID for user '%s'\n",
+ pdb_get_username(pwd)));
+ pdb_free_sam(&pwd);
+ continue;
+ }
+
+ if (rid > max_rid)
+ max_rid = rid;
+
+ d_printf("%d is user '%s'\n", rid, pdb_get_username(pwd));
+ pdb_free_sam(&pwd);
+ }
+
+ pdb_endsampwent();
+ pdb_free_sam(&pwd);
+
+ if (!enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries,
+ ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV))
+ return max_rid;
+
+ for (i = 0; i < num_entries; i++) {
+ uint32 rid;
+
+ if (!sid_peek_check_rid(get_global_sam_sid(), &map[i].sid,
+ &rid)) {
+ DEBUG(3, ("skipping map for group '%s', SID %s\n",
+ map[i].nt_name,
+ sid_string_static(&map[i].sid)));
+ continue;
+ }
+ d_printf("%d is group '%s'\n", rid, map[i].nt_name);
+
+ if (rid > max_rid)
+ max_rid = rid;
+ }
+
+ SAFE_FREE(map);
+
+ return max_rid;
+}
+
+static int net_initrid(int argc, const char **argv)
+{
+ uint32 rid;
+
+ if (argc != 0) {
+ DEBUG(0, ("usage: net initrid\n"));
+ return 1;
+ }
+
+ if ((rid = get_maxrid()) == 0) {
+ DEBUG(0, ("can't get current maximum rid\n"));
+ return 1;
+ }
+
+ if (!secrets_init_nextrid(rid+1)) {
+ DEBUG(0, ("can't store new 'next rid' in secrets.tdb\n"));
+ return 1;
+ }
+
+ return 0;
+}
+
+static int net_allocrid(int argc, const char **argv)
+{
+ uint32 rid;
+
+ if (argc != 0) {
+ DEBUG(0, ("usage: net allocrid\n"));
+ return 1;
+ }
+
+ if ((rid = secrets_allocate_rid()) == 0) {
+ DEBUG(0, ("Could not allocate a RID\n"));
+ return 1;
+ }
+
+ d_printf("Next RID to use: %d\n", rid);
+ return 0;
+}
+
+
/* main function table */
static struct functable net_func[] = {
{"RPC", net_rpc},
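Review bot: net_initrid seeds the allocator with get_maxrid()+1 and applies no floor, so on a domain whose highest existing RID is below the well-known range (for example a freshly vampired domain holding only Administrator, Guest and the 512-514 domain groups) secrets_allocate_rid() will start handing out RIDs in the range Windows reserves for well-known accounts and groups, and a later user or group could be created with a RID that a Windows client interprets as a built-in principal. Clamp the seed before storing it, e.g. `if (rid < 1000) rid = 1000;` ahead of the secrets_init_nextrid() call (using the existing BASE_RID constant instead of the literal if it is still defined). get_maxrid() also returns 0 both for "could not open the passdb" and for "no entries at all", so net_initrid refuses to run on an empty domain; with a floor in place the empty case becomes harmless, but the open failure should still be distinguished, for instance with a BOOL out-parameter. The two d_printf() calls print a uint32 with %d, which is a minor format mismatch worth fixing while the lines are new.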
@@ -429,6 +529,8 @@
{"GETLOCALSID", net_getlocalsid},
{"SETLOCALSID", net_setlocalsid},
{"GETDOMAINSID", net_getdomainsid},
+ {"INITRID", net_initrid},
+ {"ALLOCRID", net_allocrid},
{"HELP", net_help},
{NULL, NULL}
Index: source/utils/net_rpc_samsync.c
===================================================================
RCS file: /data/cvs/samba/source/utils/net_rpc_samsync.c,v
retrieving revision 1.9
diff -u -r1.9 net_rpc_samsync.c
--- source/utils/net_rpc_samsync.c 29 Sep 2002 10:53:47 -0000 1.9
+++ source/utils/net_rpc_samsync.c 30 Sep 2002 07:14:33 -0000
@@ -279,27 +279,31 @@
pdb_free_sam(&sam_account);
- /* Create appropriate user */
- if (delta->acb_info & ACB_NORMAL) {
- pstrcpy(add_script, lp_adduser_script());
- } else if ( (delta->acb_info & ACB_WSTRUST) ||
- (delta->acb_info & ACB_SVRTRUST) ) {
- pstrcpy(add_script, lp_addmachine_script());
- } else {
- DEBUG(1, ("Unknown user type: %s\n",
- smbpasswd_encode_acb_info(delta->acb_info)));
- pdb_free_sam(&sam_account);
- return NT_STATUS_NO_SUCH_USER;
+ if ((pw = getpwnam_alloc(account)) == NULL) {
+
+ /* Create appropriate user */
+ if (delta->acb_info & ACB_NORMAL) {
+ pstrcpy(add_script, lp_adduser_script());
+ } else if ( (delta->acb_info & ACB_WSTRUST) ||
+ (delta->acb_info & ACB_SVRTRUST) ) {
+ pstrcpy(add_script, lp_addmachine_script());
+ } else {
+ DEBUG(1, ("Unknown user type: %s\n",
+ smbpasswd_encode_acb_info(delta->acb_info)));
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ if (*add_script) {
+ int add_ret;
+ all_string_sub(add_script, "%u", account,
+ sizeof(account));
+ add_ret = smbrun(add_script,NULL);
+ DEBUG(1,("fetch_account: Running the command `%s' "
+ "gave %d\n", add_script, add_ret));
+ }
+ pw = getpwnam_alloc(account);
}
- if (*add_script) {
- int add_ret;
- all_string_sub(add_script, "%u", account,
- sizeof(account));
- add_ret = smbrun(add_script,NULL);
- DEBUG(1,("fetch_account: Running the command `%s' "
- "gave %d\n", add_script, add_ret));
- }
- pw = getpwnam_alloc(account);
+
if (pw) {
nt_ret = pdb_init_sam_pw(&sam_account, pw);
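Review bot: The account name substituted into add_script with all_string_sub() and then executed through smbrun() comes from the replicated delta (it is assigned earlier in the function, outside this hunk), i.e. from the remote PDC, and nothing in the new code rejects shell metacharacters, so a PDC -- or anyone able to impersonate it during the sync -- that sends a user name containing backquotes, quotes or `$(` gets its text run by the add user / add machine script with Samba's privileges. Validate the name before the substitution against a conservative allowlist (letters, digits, `.`, `_`, `-`, with `$` permitted only as the trailing character of a machine account) and return NT_STATUS_INVALID_PARAMETER when it fails, or quote the substituted value if the scripts are expected to handle arbitrary names. The fourth argument to all_string_sub() is, as far as I recall, the size of the destination buffer, and here it is `sizeof(account)` rather than `sizeof(add_script)`; this predates the patch but the line is being moved, so it is a good moment to correct it. The enclosing function starts before and ends after this hunk.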
Index: source/utils/smbgroupedit.c
===================================================================
RCS file: /data/cvs/samba/source/utils/smbgroupedit.c,v
retrieving revision 1.24
diff -u -r1.24 smbgroupedit.c
--- source/utils/smbgroupedit.c 27 Sep 2002 02:11:54 -0000 1.24
+++ source/utils/smbgroupedit.c 30 Sep 2002 07:14:33 -0000
@@ -395,7 +395,7 @@
}
if (rid == -1) {
- rid = pdb_gid_to_group_rid(gid);
+ rid = secrets_allocate_rid();
}
return addgroup(gid, sid_type, ntgroup?ntgroup:group,
group_desc, privilege, rid);
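Review bot: secrets_allocate_rid() on the new line returns 0 when the counter is uninitialised or exhausted, and the result is passed straight to addgroup(), so the failure case silently creates a mapping for RID 0 of the domain SID instead of reporting an error; `rid` is evidently signed (it is compared with -1 just above), so the uint32 return value is also narrowed. Check the result before using it, e.g. `if ((rid = secrets_allocate_rid()) == 0) { d_printf("Could not allocate a RID\n"); return -1; }`, using whatever failure value the enclosing function returns elsewhere; that function starts and ends outside this hunk.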
