This is a nice rewrite:
authorSimo Sorce <idra@samba.org>
Tue, 29 Apr 2003 22:06:16 +0000 (22:06 +0000)
committerSimo Sorce <idra@samba.org>
Tue, 29 Apr 2003 22:06:16 +0000 (22:06 +0000)
SAM_ACCOUNT no longer has uid and gid fields;
all the code that used them has been fixed to use the proper idmap calls

fix to idmap_tdb for first time idmap.tdb initialization.

auth_serversupplied_info structure has now an uid and gid field

few other fixes to make the system behave correctly with idmap

tested only with tdbsam, but smbpasswd and nisplus should be ok

have not tested ldap !

23 files changed:
source/auth/auth_rhosts.c
source/auth/auth_util.c
source/include/auth.h
source/include/smb.h
source/pam_smbpass/pam_smb_passwd.c
source/pam_smbpass/support.c
source/passdb/passdb.c
source/passdb/pdb_get_set.c
source/passdb/pdb_ldap.c
source/passdb/pdb_nisplus.c
source/passdb/pdb_smbpasswd.c
source/passdb/pdb_tdb.c
source/passdb/pdb_unix.c
source/rpc_server/srv_pipe.c
source/rpc_server/srv_samr_nt.c
source/rpc_server/srv_util.c
source/sam/idmap_tdb.c
source/sam/idmap_util.c
source/smbd/chgpasswd.c
source/smbd/password.c
source/smbd/posix_acls.c
source/smbd/uid.c
source/utils/pdbedit.c

index 0875c482804a324871e13aa80cb81fa0dfba91f2..0861d9747bdb5625b7d138e1c265277bba07ff2c 100644 (file)
@@ -135,17 +135,20 @@ check for a possible hosts equiv or rhosts entry for the user
 
 static BOOL check_hosts_equiv(SAM_ACCOUNT *account)
 {
-  char *fname = NULL;
+       uid_t uid;
+       char *fname = NULL;
 
-  fname = lp_hosts_equiv();
+       fname = lp_hosts_equiv();
+       if (!sid_to_uid(pdb_get_user_sid(account), &uid))
+               return False;
 
-  /* note: don't allow hosts.equiv on root */
-  if (IS_SAM_UNIX_USER(account) && fname && *fname && (pdb_get_uid(account) != 0)) {
-         if (check_user_equiv(pdb_get_username(account),client_name(),fname))
-                 return(True);
-  }
+       /* note: don't allow hosts.equiv on root */
+       if (fname && *fname && uid != 0) {
+               if (check_user_equiv(pdb_get_username(account),client_name(),fname))
+                       return True;
+       }
   
-  return(False);
+       return False;
 }
 
 
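Review bot: The `sid_to_uid()` lookup in `check_hosts_equiv` runs before the `fname && *fname` test, so every call pays for an idmap lookup even when no hosts.equiv file is configured, and a failed mapping returns False without any log line. Moving the lookup into the condition, e.g. `if (fname && *fname && sid_to_uid(pdb_get_user_sid(account), &uid) && uid != 0) {`, keeps the root exclusion and skips the lookup when the feature is off. A `DEBUG` line on mapping failure would also make a refused hosts.equiv login traceable.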
index ddb833a0e56df3597376f0c0ac2308d0e3b3d6c1..56a1e9bb9602cb16f379516e5eb29bbbee715b39 100644 (file)
@@ -661,23 +661,18 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
        gid_t             gid;
        int               n_unix_groups;
        int               i;
-       struct passwd    *usr;  
 
        *n_groups = 0;
        *groups   = NULL;
 
-       if (!IS_SAM_UNIX_USER(sampass)) {
-               DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass)));
-               return NT_STATUS_NO_SUCH_USER;
+       if (!sid_to_uid(pdb_get_user_sid(sampass), &uid) || !sid_to_gid(pdb_get_group_sid(sampass), &gid)) {
+               DEBUG(0, ("get_user_groups_from_local_sam: error fetching uid or gid for user!\n"));
+               return NT_STATUS_UNSUCCESSFUL;
        }
-
-       uid = pdb_get_uid(sampass);
-       gid = pdb_get_gid(sampass);
        
        n_unix_groups = groups_max();
        if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) {
                DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n"));
-               passwd_free(&usr);
                return NT_STATUS_NO_MEMORY;
        }
        
@@ -686,7 +681,6 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
                groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups);
                if (!groups_tmp) {
                        SAFE_FREE(*unix_groups);
-                       passwd_free(&usr);
                        return NT_STATUS_NO_MEMORY;
                }
                *unix_groups = groups_tmp;
@@ -694,7 +688,6 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
                if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
                        DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n"));
                        SAFE_FREE(*unix_groups);
-                       passwd_free(&usr);
                        return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
                }
        }
@@ -739,6 +732,10 @@ static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACC
 
        (*server_info)->sam_fill_level = SAM_FILL_ALL;
        (*server_info)->sam_account    = sampass;
+       if (!sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))
+               return NT_STATUS_UNSUCCESSFUL;
+       if (!sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))
+               return NT_STATUS_UNSUCCESSFUL;
 
        return NT_STATUS_OK;
 }
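Review bot: The two new early returns in `make_server_info` leave `*server_info` allocated with `sam_account` already pointing at `sampass`, so ownership on failure is ambiguous: a caller that treats a non-OK status as "nothing was created" would leak the structure. The allocation happens above this hunk, so please confirm what callers do; mapping the ids before `sam_account` is assigned and releasing the structure on failure would settle it. Neither failure path logs which account could not be mapped; a line such as `DEBUG(1, ("make_server_info: no unix uid for user %s\n", pdb_get_username(sampass)));` would help when a logon is refused for this reason.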
index 626b9f3ba043ac5e6d1b738c182cafa9b63acf35..eb80e3c5b4ae666a7c8164130575525e408bdd34 100644 (file)
@@ -75,6 +75,9 @@ typedef struct auth_usersupplied_info
 typedef struct auth_serversupplied_info 
 {
        BOOL guest;
+
+       uid_t uid;
+       gid_t gid;
        
        /* This groups info is needed for when we become_user() for this uid */
        int n_groups;
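Review bot: The new `uid` and `gid` members of `auth_serversupplied_info` carry no comment saying where they come from or when they are valid. I would add `/* unix ids mapped from the account's user and group SIDs via idmap; filled in by make_server_info() */` above them. There is no sentinel for "not mapped", so the comment should also say that the fields are only meaningful once that mapping has succeeded.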
index 5ee6b971721abce39cc8b43c619a04e8f8c0699f..a4df0e2697175c733423d57ac4325c0e103633fa 100644 (file)
@@ -590,8 +590,6 @@ typedef struct {
  */
 enum pdb_elements {
        PDB_UNINIT,
-       PDB_UID,
-       PDB_GID,
        PDB_SMBHOME,
        PDB_PROFILE,
        PDB_DRIVE,
@@ -634,10 +632,6 @@ enum pdb_value_state {
        PDB_CHANGED
 };
 
-#define IS_SAM_UNIX_USER(x) \
-       (( pdb_get_init_flags(x, PDB_UID) != PDB_DEFAULT ) \
-        && ( pdb_get_init_flags(x,PDB_GID) != PDB_DEFAULT ))
-
 #define IS_SAM_SET(x, flag)    (pdb_get_init_flags(x, flag) == PDB_SET)
 #define IS_SAM_CHANGED(x, flag)        (pdb_get_init_flags(x, flag) == PDB_CHANGED)
 #define IS_SAM_DEFAULT(x, flag)        (pdb_get_init_flags(x, flag) == PDB_DEFAULT)
@@ -676,8 +670,6 @@ typedef struct sam_passwd
                const char * unknown_str ; /* don't know what this is, yet. */
                const char * munged_dial ; /* munged path name and dial-back tel number */
                
-               uid_t uid;          /* this is a unix uid_t */
-               gid_t gid;          /* this is a unix gid_t */
                DOM_SID user_sid;    /* Primary User SID */
                DOM_SID group_sid;   /* Primary Group SID */
                
index 9e75efccf4d6ba4890d6a298e0bcd70c310062c6..8fbef1fbf70ffa8a9b08c6ee82f9e0f61f80fed9 100644 (file)
@@ -295,14 +295,21 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 
         retval = smb_update_db(pamh, ctrl, user, pass_new);
         if (retval == PAM_SUCCESS) {
+           uid_t uid;
+           
             /* password updated */
-            _log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)"
-                      , user, pdb_get_uid(sampass), uidtoname( getuid() )
-                      , getuid() );
-        } else {
-            _log_err( LOG_ERR, "password change failed for user %s"
-                      , user );
-        }
+               if (!sid_to_uid(sampass, &uid)) {
+                       _log_err( LOG_NOTICE "Unable to get uid for user %s",
+                               pdb_get_username(sampass));
+                       _log_err( LOG_NOTICE, "password for (%s) changed by (%s/%d)",
+                               user, uidtoname(getuid()), getuid());
+               } else {
+                       _log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)",
+                               user, uid, uidtoname(getuid()), getuid());
+               }
+       } else {
+               _log_err( LOG_ERR, "password change failed for user %s", user);
+       }
 
         pass_old = pass_new = NULL;
        if (sampass) {
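Review bot: The new failure branch in `pam_sm_chauthtok` will not compile as written: `_log_err( LOG_NOTICE "Unable to get uid for user %s",` is missing the comma after `LOG_NOTICE`. The call `sid_to_uid(sampass, &uid)` also passes the SAM_ACCOUNT itself, whereas the other calls in this commit pass `pdb_get_user_sid(...)`; it should read `if (!sid_to_uid(pdb_get_user_sid(sampass), &uid)) {`. `uid` is printed with `%d`, so an `(int)` cast on the argument would keep format and argument types matched. The function body starts and ends outside this hunk.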
index 11de306d13406eb2dd2b00f04cf00131349dc0ea..61d9c6a8aba97ae2a1033b4fed278723fc502ff1 100644 (file)
@@ -339,11 +339,8 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass,
             const char *service;
 
             pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
-            _log_err( LOG_NOTICE
-                      , "failed auth request by %s for service %s as %s(%d)"
-                      , uidtoname( getuid() )
-                      , service ? service : "**unknown**", name
-                      , pdb_get_uid(sampass) );
+            _log_err( LOG_NOTICE, "failed auth request by %s for service %s as %s",
+                      uidtoname(getuid()), service ? service : "**unknown**", name);
             return PAM_AUTH_ERR;
         }
     }
@@ -378,6 +375,7 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass,
         pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
 
         if (data_name != NULL) {
+           int type;
             struct _pam_failed_auth *new = NULL;
             const struct _pam_failed_auth *old = NULL;
 
@@ -397,32 +395,34 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass,
                         retval = PAM_MAXTRIES;
                     }
                 } else {
-                    _log_err( LOG_NOTICE
-                      , "failed auth request by %s for service %s as %s(%d)"
-                      , uidtoname( getuid() )
-                      , service ? service : "**unknown**", name
-                      , pdb_get_uid(sampass) );
+                    _log_err(LOG_NOTICE,
+                      "failed auth request by %s for service %s as %s",
+                      uidtoname(getuid()),
+                      service ? service : "**unknown**", name);
                     new->count = 1;
                 }
+               if (!sid_to_uid(pdb_get_user_sid(sampass, &(new->id), &type))) {
+                    _log_err(LOG_NOTICE,
+                      "failed auth request by %s for service %s as %s",
+                      uidtoname(getuid()),
+                      service ? service : "**unknown**", name);
+               }               
                 new->user = smbpXstrDup( name );
-                new->id = pdb_get_uid(sampass);
                 new->agent = smbpXstrDup( uidtoname( getuid() ) );
                 pam_set_data( pamh, data_name, new, _cleanup_failures );
 
             } else {
                 _log_err( LOG_CRIT, "no memory for failure recorder" );
-                _log_err( LOG_NOTICE
-                      , "failed auth request by %s for service %s as %s(%d)"
-                      , uidtoname( getuid() )
-                      , service ? service : "**unknown**", name
-                      , pdb_get_uid(sampass) );
+                _log_err(LOG_NOTICE,
+                      "failed auth request by %s for service %s as %s(%d)",
+                      uidtoname(getuid()),
+                      service ? service : "**unknown**", name);
             }
         } else {
-            _log_err( LOG_NOTICE
-                      , "failed auth request by %s for service %s as %s(%d)"
-                      , uidtoname( getuid() )
-                      , service ? service : "**unknown**", name
-                      , pdb_get_uid(sampass) );
+            _log_err(LOG_NOTICE,
+                      "failed auth request by %s for service %s as %s(%d)",
+                      uidtoname(getuid()),
+                      service ? service : "**unknown**", name);
             retval = PAM_AUTH_ERR;
         }
     }
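Review bot: Two of the rewritten `_log_err` calls in `_smb_verify_password` (the "no memory for failure recorder" branch and the final `else`) still use the format `"failed auth request by %s for service %s as %s(%d)"` although the uid argument was removed, so `%d` reads a variadic argument that was never passed; drop `(%d)` from both strings as was done in the other calls. The added `sid_to_uid(pdb_get_user_sid(sampass, &(new->id), &type))` has its closing parenthesis misplaced and passes a third argument, unlike the two-argument calls elsewhere in this commit; `if (!sid_to_uid(pdb_get_user_sid(sampass), &(new->id))) {` looks like what was meant, which also makes the `int type;` added in the previous hunk unnecessary. When the mapping fails, `new->id` is left unset and the same failure message is logged a second time, so a distinct message and an explicit fallback value for `new->id` would be clearer. The function starts and ends outside the hunk.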
index 05979cc3850f05ff4c3557b681c5ccde396e3963..c93577dc0446346e49d117f1be487d98eca8e8d2 100644 (file)
@@ -5,6 +5,7 @@
    Copyright (C) Luke Kenneth Casson Leighton  1996-1998
    Copyright (C) Gerald (Jerry) Carter         2000-2001
    Copyright (C) Andrew Bartlett               2001-2002
+   Copyright (C) Simo Sorce                    2003
       
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -46,8 +47,6 @@ static void pdb_fill_default_sam(SAM_ACCOUNT *user)
         /* Don't change these timestamp settings without a good reason.
            They are important for NT member server compatibility. */
 
-       user->private.uid = user->private.gid       = -1;
-
        user->private.logon_time            = (time_t)0;
        user->private.pass_last_set_time    = (time_t)0;
        user->private.pass_can_change_time  = (time_t)0;
@@ -177,9 +176,6 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
        pdb_set_unix_homedir(sam_account, pwd->pw_dir, PDB_SET);
 
        pdb_set_domain (sam_account, lp_workgroup(), PDB_DEFAULT);
-
-       pdb_set_uid(sam_account, pwd->pw_uid, PDB_SET);
-       pdb_set_gid(sam_account, pwd->pw_gid, PDB_SET);
        
        /* When we get a proper uid -> SID and SID -> uid allocation
           mechinism, we should call it here.  
@@ -697,7 +693,7 @@ static BOOL pdb_rid_is_well_known(uint32 rid)
  Decides if a RID is a user or group RID.
  ********************************************************************/
 
-BOOL pdb_rid_is_user(uint32 rid)
+BOOL fallback_pdb_rid_is_user(uint32 rid)
 {
   /* lkcl i understand that NT attaches an enumeration to a RID
    * such that it can be identified as either a user, group etc
@@ -787,7 +783,7 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
                return True;
        }
 
-       if (pdb_rid_is_user(rid)) {
+       if (fallback_pdb_rid_is_user(rid)) {
                uid_t uid;
 
                DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid));
index a86d9362630b994c84f244dfd5e7f1fc4133613c..4370dc2c36ce8a0066e0e11e3177e011bd0730e5 100644 (file)
@@ -202,22 +202,6 @@ enum pdb_value_state pdb_get_init_flags (const SAM_ACCOUNT *sampass, enum pdb_el
         return ret;
 }
 
-uid_t pdb_get_uid (const SAM_ACCOUNT *sampass)
-{
-       if (sampass)
-               return (sampass->private.uid);
-       else
-               return (-1);
-}
-
-gid_t pdb_get_gid (const SAM_ACCOUNT *sampass)
-{
-       if (sampass)
-               return (sampass->private.gid);
-       else
-               return (-1);
-}
-
 const char* pdb_get_username (const SAM_ACCOUNT *sampass)
 {
        if (sampass)
@@ -509,32 +493,6 @@ BOOL pdb_set_init_flags (SAM_ACCOUNT *sampass, enum pdb_elements element, enum p
         return True;
 }
 
-BOOL pdb_set_uid (SAM_ACCOUNT *sampass, const uid_t uid, enum pdb_value_state flag)
-{      
-       if (!sampass)
-               return False;
-       
-       DEBUG(10, ("pdb_set_uid: setting uid %d, was %d\n", 
-                  (int)uid, (int)sampass->private.uid));
-       sampass->private.uid = uid;
-       
-       return pdb_set_init_flags(sampass, PDB_UID, flag);
-}
-
-BOOL pdb_set_gid (SAM_ACCOUNT *sampass, const gid_t gid, enum pdb_value_state flag)
-{
-       if (!sampass)
-               return False;
-               
-       DEBUG(10, ("pdb_set_gid: setting gid %d, was %d\n", 
-                  (int)gid, (int)sampass->private.gid));
-       sampass->private.gid = gid; 
-
-       return pdb_set_init_flags(sampass, PDB_GID, flag);
-}
-
 BOOL pdb_set_user_sid (SAM_ACCOUNT *sampass, DOM_SID *u_sid, enum pdb_value_state flag)
 {
        if (!sampass || !u_sid)
index 71419448cbaf7194a7504b3198ad0f50b0ee1ced..b23b7286ea658492ef2823af6822b6cf64e14b77 100644 (file)
@@ -1533,12 +1533,11 @@ Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
 *********************************************************************/
 static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state, 
                                SAM_ACCOUNT * sampass,
-                               LDAPMessage * entry)
+                               LDAPMessage * entry,
+                               gid_t *gid)
 {
        pstring  homedir;
        pstring  temp;
-       uid_t uid;
-       gid_t gid;
        char **ldap_values;
        char **values;
 
@@ -1563,19 +1562,12 @@ static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
        if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir)) 
                return False;
        
-       if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
-               return False;
-       
-       uid = (uid_t)atol(temp);
-       
        if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
                return False;
        
        gid = (gid_t)atol(temp);
 
        pdb_set_unix_homedir(sampass, homedir, PDB_SET);
-       pdb_set_uid(sampass, uid, PDB_SET);
-       pdb_set_gid(sampass, gid, PDB_SET);
        
        DEBUG(10, ("user has posixAcccount attributes\n"));
        return True;
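Review bot: `gid` is now a `gid_t *` parameter of `get_unix_attributes`, but the unchanged line `gid = (gid_t)atol(temp);` still assigns to it as if it were the old local, so the pointer itself is overwritten and the caller's variable never receives the LDAP gidNumber. It should become `*gid = (gid_t)atol(temp);`. `atol` also gives no way to reject a non-numeric or out-of-range gidNumber coming from the directory; `strtoul` with an end-pointer and range check would. The function starts in the previous hunk.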
@@ -1617,8 +1609,7 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
        uint8           hours[MAX_HOURS_LEN];
        pstring temp;
        uid_t           uid = -1;
-       gid_t           gid = getegid();
-
+       gid_t           gid = getegid();
 
        /*
         * do a little initialization
@@ -1690,40 +1681,17 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
         * If so configured, try and get the values from LDAP 
         */
 
-       if (!lp_ldap_trust_ids() || (!get_unix_attributes(ldap_state, sampass, entry))) {
+       if (!lp_ldap_trust_ids() && (get_unix_attributes(ldap_state, sampass, entry, &gid))) {
                
-               /* 
-                * Otherwise just ask the system getpw() calls.
-                */
-       
-               pw = getpwnam_alloc(username);
-               if (pw == NULL) {
-                       if (! ldap_state->permit_non_unix_accounts) {
-                               DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
-                               return False;
+               if (pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT) {
+                       GROUP_MAP map;
+                       /* call the mapping code here */
+                       if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
+                               pdb_set_group_sid(sampass, &map.sid, PDB_SET);
+                       } 
+                       else {
+                               pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
                        }
-               } else {
-                       uid = pw->pw_uid;
-                       pdb_set_uid(sampass, uid, PDB_SET);
-                       gid = pw->pw_gid;
-                       pdb_set_gid(sampass, gid, PDB_SET);
-                       
-                       pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
-                       passwd_free(&pw);
-               }
-       }
-
-       if ((pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT) 
-               && (pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT)) {
-               GROUP_MAP map;
-               gid = pdb_get_gid(sampass);
-               /* call the mapping code here */
-               if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
-                       pdb_set_group_sid(sampass, &map.sid, PDB_SET);
-               } 
-               else {
-                       pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
                }
        }
 
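Review bot: The new condition `!lp_ldap_trust_ids() && (get_unix_attributes(...))` reads the posix attributes only when trusting LDAP ids is switched off, which looks inverted against the comment just above it ("If so configured, try and get the values from LDAP"); `if (lp_ldap_trust_ids() && get_unix_attributes(ldap_state, sampass, entry, &gid)) {` seems to be the intent. The removed `getpwnam_alloc` fallback was also where `permit_non_unix_accounts` rejected users with no unix account, and nothing in this hunk replaces that check, so please confirm it is enforced elsewhere. The function body extends beyond the hunk on both sides.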
index cd9288fed03772a3d77c39178098c563f8c09c5c..4e4aaed02b2f9c02187bf64fb8f12bdce3762575 100644 (file)
@@ -876,8 +876,6 @@ static BOOL make_sam_from_nisp_object (SAM_ACCOUNT * pw_buf,
        pdb_set_workstations (pw_buf, ENTRY_VAL (obj, NPF_WORKSTATIONS), PDB_SET);
        pdb_set_munged_dial (pw_buf, NULL, PDB_DEFAULT);
 
-       pdb_set_uid (pw_buf, atoi (ENTRY_VAL (obj, NPF_UID)), PDB_SET);
-       pdb_set_gid (pw_buf, atoi (ENTRY_VAL (obj, NPF_SMB_GRPID)), PDB_SET);
        pdb_set_user_sid_from_rid (pw_buf,
                                   atoi (ENTRY_VAL (obj, NPF_USER_RID)), PDB_SET);
        pdb_set_group_sid_from_rid (pw_buf,
@@ -949,8 +947,8 @@ static BOOL make_sam_from_nisp_object (SAM_ACCOUNT * pw_buf,
        if (!(pdb_get_acct_ctrl (pw_buf) & ACB_PWNOTREQ) &&
            strncasecmp (ptr, "NO PASSWORD", 11)) {
                if (strlen (ptr) != 32 || !pdb_gethexpwd (ptr, smbntpwd)) {
-                       DEBUG (0, ("malformed NT pwd entry:\
uid = %d.\n", pdb_get_uid (pw_buf)));
+                       DEBUG (0, ("malformed NT pwd entry:\ %s.\n",
                                 pdb_get_username (pw_buf)));
                        return False;
                }
                if (!pdb_set_nt_passwd (pw_buf, smbntpwd, PDB_SET))
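Review bot: Joining the two lines of the `DEBUG` message left a stray backslash in the literal: `"malformed NT pwd entry:\ %s.\n"` now contains a backslash followed by a space, which is not a valid escape sequence (it was a line continuation before). It should read `DEBUG (0, ("malformed NT pwd entry: %s.\n",`. The enclosing function starts and ends outside the hunk.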
@@ -1047,6 +1045,8 @@ static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass,
        BOOL need_to_modify = False;
        const char *name = pdb_get_username (sampass);  /* from SAM */
 
+       uint32 u_rid;
+       uint32 g_rid; 
        /* these must be static or allocate and free entry columns! */
        static fstring uid;     /* from SAM */
        static fstring user_rid;        /* from SAM */
@@ -1065,31 +1065,15 @@ static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass,
        static fstring acct_desc;       /* from SAM */
        static char empty[1];   /* just an empty string */
 
-       slprintf (uid, sizeof (uid) - 1, "%u", pdb_get_uid (sampass));
-       slprintf (user_rid, sizeof (user_rid) - 1, "%u",
-                 pdb_get_user_rid (sampass) ? pdb_get_user_rid (sampass) :
-                 fallback_pdb_uid_to_user_rid (pdb_get_uid (sampass)));
-       slprintf (gid, sizeof (gid) - 1, "%u", pdb_get_gid (sampass));
-
-       {
-               uint32 rid;
-               GROUP_MAP map;
-
-               rid = pdb_get_group_rid (sampass);
-
-               if (rid == 0) {
-                       if (pdb_getgrgid(&map, pdb_get_gid (sampass),
-                                        MAPPING_WITHOUT_PRIV)) {
-                               if (!sid_peek_check_rid
-                                   (get_global_sam_sid (), &map.sid, &rid))
-                                       return False;
-                       } else
-                               rid = pdb_gid_to_group_rid (pdb_get_gid
-                                                           (sampass));
-               }
+       if (!(u_rid = pdb_get_user_rid (sampass)))
+               return False;
+       if (!(g_rid = pdb_get_group_rid (sampass)))
+               return False;
 
-               slprintf (group_rid, sizeof (group_rid) - 1, "%u", rid);
-       }
+       slprintf (uid, sizeof (uid) - 1, "%u", fallback_pdb_user_rid_to_uid (u_rid));
+       slprintf (user_rid, sizeof (user_rid) - 1, "%u", u_rid);
+       slprintf (gid, sizeof (gid) - 1, "%u", fallback_pdb_group_rid_to_uid (g_rid));
+       slprintf (group_rid, sizeof (group_rid) - 1, "%u", g_rid);
 
        acb = pdb_encode_acct_ctrl (pdb_get_acct_ctrl (sampass),
                                    NEW_PW_FORMAT_SPACE_PADDED_LEN);
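Review bot: The gid column in `init_nisp_from_sam` is now filled from `fallback_pdb_group_rid_to_uid (g_rid)`, a name that appears nowhere else on this page and, by its spelling, would convert a group RID to a uid; please check that this identifier exists and that a gid conversion is what gets called. Both ids are also derived algorithmically from the RIDs instead of going through `sid_to_uid`/`sid_to_gid` like the rest of the commit, so they will disagree with idmap for any account whose mapping is not algorithmic. The function now returns False for a zero user or group RID where it used to derive one, which deserves a comment such as `/* RIDs must already be set by the caller; no fallback is derived here */`. The function starts and ends outside the hunk.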
@@ -1133,51 +1117,27 @@ static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass,
 
 
                /* uid */
-               if (pdb_get_uid (sampass) != -1) {
-                       if (!ENTRY_VAL (old, NPF_UID)
-                           || strcmp (ENTRY_VAL (old, NPF_UID), uid)) {
+               if (!ENTRY_VAL (old, NPF_UID) || strcmp (ENTRY_VAL (old, NPF_UID), uid)) {
                                need_to_modify = True;
-                               set_single_attribute (obj, NPF_UID, uid,
-                                                     strlen (uid),
-                                                     EN_MODIFIED);
-                       }
+                               set_single_attribute (obj, NPF_UID, uid, strlen (uid), EN_MODIFIED);
                }
 
                /* user_rid */
-               if (pdb_get_user_rid (sampass)) {
-                       if (!ENTRY_VAL (old, NPF_USER_RID) ||
-                           strcmp (ENTRY_VAL (old, NPF_USER_RID),
-                                   user_rid)) {
+               if (!ENTRY_VAL (old, NPF_USER_RID) || strcmp (ENTRY_VAL (old, NPF_USER_RID), user_rid)) {
                                need_to_modify = True;
-                               set_single_attribute (obj, NPF_USER_RID,
-                                                     user_rid,
-                                                     strlen (user_rid),
-                                                     EN_MODIFIED);
-                       }
+                               set_single_attribute (obj, NPF_USER_RID, user_rid, strlen (user_rid), EN_MODIFIED);
                }
 
                /* smb_grpid */
-               if (pdb_get_gid (sampass) != -1) {
-                       if (!ENTRY_VAL (old, NPF_SMB_GRPID) ||
-                           strcmp (ENTRY_VAL (old, NPF_SMB_GRPID), gid)) {
+               if (!ENTRY_VAL (old, NPF_SMB_GRPID) || strcmp (ENTRY_VAL (old, NPF_SMB_GRPID), gid)) {
                                need_to_modify = True;
-                               set_single_attribute (obj, NPF_SMB_GRPID, gid,
-                                                     strlen (gid),
-                                                     EN_MODIFIED);
-                       }
+                               set_single_attribute (obj, NPF_SMB_GRPID, gid, strlen (gid), EN_MODIFIED);
                }
 
                /* group_rid */
-               if (pdb_get_group_rid (sampass)) {
-                       if (!ENTRY_VAL (old, NPF_GROUP_RID) ||
-                           strcmp (ENTRY_VAL (old, NPF_GROUP_RID),
-                                   group_rid)) {
+               if (!ENTRY_VAL (old, NPF_GROUP_RID) || strcmp (ENTRY_VAL (old, NPF_GROUP_RID), group_rid)) {
                                need_to_modify = True;
-                               set_single_attribute (obj, NPF_GROUP_RID,
-                                                     group_rid,
-                                                     strlen (group_rid),
-                                                     EN_MODIFIED);
-                       }
+                               set_single_attribute (obj, NPF_GROUP_RID, group_rid, strlen (group_rid), EN_MODIFIED);
                }
 
                /* acb */
index c1421bcd53e4e0db29b02b032e7417d37b70a52e..91fc7bc8e03bee165dc843456220e5e7176b2f9d 100644 (file)
@@ -1134,28 +1134,23 @@ Error was %s\n", pwd->smb_name, pfile2, strerror(errno)));
 static BOOL build_smb_pass (struct smb_passwd *smb_pw, const SAM_ACCOUNT *sampass)
 {
        uid_t uid;
+       uint32 rid;
 
        if (sampass == NULL) 
                return False;
 
-       ZERO_STRUCTP(smb_pw);
-        if (!IS_SAM_UNIX_USER(sampass)) {
-               smb_pw->smb_userid_set = False;
-               DEBUG(5,("build_smb_pass: storing user without a UNIX uid or gid. \n"));
-       } else {
-               uint32 rid = pdb_get_user_rid(sampass);
-               smb_pw->smb_userid_set = True;
-               uid = pdb_get_uid(sampass);
+       rid = pdb_get_user_rid(sampass);
 
-               /* If the user specified a RID, make sure its able to be both stored and retreived */
-               if (rid && rid != DOMAIN_USER_RID_GUEST && uid != fallback_pdb_user_rid_to_uid(rid)) {
-                       DEBUG(0,("build_sam_pass: Failing attempt to store user with non-uid based user RID. \n"));
-                       return False;
-               }
+       /* If the user specified a RID, make sure its able to be both stored and retreived */
+       if (rid && rid != DOMAIN_USER_RID_GUEST && uid != fallback_pdb_user_rid_to_uid(rid)) {
+               DEBUG(0,("build_sam_pass: Failing attempt to store user with non-uid based user RID. \n"));
+               return False;
+       }
 
-               smb_pw->smb_userid=uid;
-        }
+       ZERO_STRUCTP(smb_pw);
+
+       smb_pw->smb_userid_set = True;
+       smb_pw->smb_userid=uid;
 
        smb_pw->smb_name=(const char*)pdb_get_username(sampass);
 
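Review bot: After this change `uid` in `build_smb_pass` is never assigned: `uid = pdb_get_uid(sampass);` was removed without a replacement, yet `uid` is still compared against `fallback_pdb_user_rid_to_uid(rid)` and stored in `smb_pw->smb_userid`. Reading it is undefined behaviour, and the value written to the smbpasswd entry is arbitrary. A lookup before the RID check, e.g. `if (!sid_to_uid(pdb_get_user_sid(sampass), &uid)) return False;`, would restore it. `smb_userid_set = True` is now unconditional, so accounts without a unix uid need an explicit decision here. The function continues past the end of the hunk.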
index 2363b955e21731d0e556eb9239a3e9f5dfd5cbb4..904f2935ceede2b4694877ce793701ed28330f7a 100644 (file)
@@ -101,7 +101,7 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state,
        BOOL ret = True;
        struct passwd *pw;
        uid_t uid = -1;
-       gid_t gid = -1; /* This is what standard sub advanced expects if no gid is known */
+       gid_t gid = -1;
        
        if(sampass == NULL || buf == NULL) {
                DEBUG(0, ("init_sam_from_buffer: NULL parameters found!\n"));
@@ -148,6 +148,8 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state,
        /* validate the account and fill in UNIX uid and gid. Standard
         * getpwnam() is used instead of Get_Pwnam() as we do not need
         * to try case permutations
+        *
+        * FIXME: are we sure we do not need ?
         */
        if (!username || !(pw = getpwnam_alloc(username))) {
                if (!(tdb_state->permit_non_unix_accounts)) {
@@ -158,15 +160,9 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state,
        }
                
        if (pw) {
-               uid = pw->pw_uid;
-               gid = pw->pw_gid;
-               
                pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
 
                passwd_free(&pw);
-
-               pdb_set_uid(sampass, uid, PDB_SET);
-               pdb_set_gid(sampass, gid, PDB_SET);
        }
 
        pdb_set_logon_time(sampass, logon_time, PDB_SET);
@@ -768,54 +764,35 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
                return False;
        }
 
+       if (!pdb_get_group_rid(newpwd)) {
+               DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
+               ret = False;
+               goto done;
+       }
+
        /* if flag == TDB_INSERT then make up a new RID else throw an error. */
        if (!(user_rid = pdb_get_user_rid(newpwd))) {
-               if (flag & TDB_INSERT) {
-                       if (IS_SAM_UNIX_USER(newpwd)) {
-                               if (tdb_state->algorithmic_rids) {
-                                       user_rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(newpwd));
-                               } else {
-                                       user_rid = BASE_RID;
-                                       tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &user_rid, RID_MULTIPLIER);
-                                       if (!tdb_ret) {
-                                               ret = False;
-                                               goto done;
-                                       }
-                               }
-                               pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED);
-                       } else {
-                               user_rid = tdb_state->low_nua_rid;
-                               tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, RID_MULTIPLIER);
-                               if (!tdb_ret) {
-                                       ret = False;
-                                       goto done;
-                               }
-                               if (user_rid > tdb_state->high_nua_rid) {
-                                       DEBUG(0, ("tdbsam: no NUA rids available, cannot add user %s!\n", pdb_get_username(newpwd)));
-                                       ret = False;
-                                       goto done;
-                               }
-                               pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED);
+               if ((flag & TDB_INSERT) && tdb_state->permit_non_unix_accounts) {
+                       uint32 lowrid, highrid;
+                       if (!pdb_get_free_rid_range(&lowrid, &highrid)) {
+                               /* should never happen */
+                               DEBUG(0, ("tdbsam: something messed up, no high/low rids but nua enabled ?!\n"));
+                               ret = False;
+                               goto done;
                        }
-               } else {
-                       DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd)));
-                       ret = False;
-                       goto done;
-               }
-       }
-
-       if (!pdb_get_group_rid(newpwd)) {
-               if (flag & TDB_INSERT) {
-                       if (!tdb_state->permit_non_unix_accounts) {
-                               DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
+                       user_rid = lowrid;
+                       tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &user_rid, RID_MULTIPLIER);
+                       if (!tdb_ret) {
+                               ret = False;
+                               goto done;
+                       }
+                       if (user_rid > highrid) {
+                               DEBUG(0, ("tdbsam: no NUA rids available, cannot add user %s!\n", pdb_get_username(newpwd)));
                                ret = False;
                                goto done;
-                       } else {
-                               /* This seems like a good default choice for non-unix users */
-                               pdb_set_group_sid_from_rid(newpwd, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
                        }
                } else {
-                       DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
+                       DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd)));
                        ret = False;
                        goto done;
                }
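Review bot: In the new RID-allocation branch of `tdb_update_sam` the freshly allocated `user_rid` is never written back to the account: both `pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED);` calls were removed and nothing in the hunk replaces them, so unless later code does it the record is stored without a user SID. The allocation also moved from the `NUA_RID_COUNTER` key to `RID_COUNTER` while only checking `user_rid > highrid`. If, as the old code suggests, an existing counter value takes precedence over the initial one, an upgraded database could hand out a RID below `lowrid` unnoticed; `if (user_rid < lowrid || user_rid > highrid) {` would catch both ends. The function starts and ends outside the hunk.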
index d0604cb88cfe47f6b506cd56734a905c8c48d89a..395795758f971b22de98d7d275130c36a4a0f5d3 100644 (file)
@@ -66,7 +66,7 @@ static NTSTATUS unixsam_getsampwrid (struct pdb_methods *methods,
                        DEBUG(1, ("guest account %s does not seem to exist...\n", guest_account));
                        return nt_status;
                }
-       } else if (pdb_rid_is_user(rid)) {
+       } else if (fallback_pdb_rid_is_user(rid)) {
                pass = getpwuid_alloc(fallback_pdb_user_rid_to_uid (rid));
        }
 
index 5b9d39ddc79bf5ee45bd29ac8959941a9c12c7f8..6a9e591f6486cc91c61d04d91bb1b4c9821047be 100644 (file)
@@ -472,16 +472,10 @@ failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
         * Store the UNIX credential data (uid/gid pair) in the pipe structure.
         */
 
-       if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
-               DEBUG(0,("Attempted authenticated pipe with invalid user.  No uid/gid in SAM_ACCOUNT\n"));
-               free_server_info(&server_info);
-               return False;
-       }
-       
        memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
 
-       p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
-       p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
+       p->pipe_user.uid = server_info->uid;
+       p->pipe_user.gid = server_info->gid;
        
        p->pipe_user.ngroups = server_info->n_groups;
        if (p->pipe_user.ngroups) {
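Review bot: With the `IS_SAM_UNIX_USER` guard removed, `p->pipe_user.uid` and `p->pipe_user.gid` are copied from `server_info->uid` and `server_info->gid` with no validity check left at this point. How those fields are filled is not visible in this hunk; if any path builds a server_info from zeroed memory without setting them, the pipe would run as uid 0. I would initialise both fields to `(uid_t)-1` / `(gid_t)-1` where the structure is created and keep a cheap guard here, `if (server_info->uid == (uid_t)-1) { free_server_info(&server_info); return False; }`. The register_vuid hunk further down removes the same guard and needs the same treatment (it also has to free `vuser`). The enclosing function starts and ends outside this hunk.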
index 5ab0e80351872594ed776386805f01a509c72c5e..d2e4ff261490160023e3cac8af4b69ef31d25fca 100644 (file)
@@ -2818,8 +2818,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid)
        copy_id23_to_sam_passwd(pwd, id23);
  
        /* if it's a trust account, don't update /etc/passwd */
-       if ( (!IS_SAM_UNIX_USER(pwd)) ||
-               ( (acct_ctrl &  ACB_DOMTRUST) == ACB_DOMTRUST ) ||
+       if (    ( (acct_ctrl &  ACB_DOMTRUST) == ACB_DOMTRUST ) ||
                ( (acct_ctrl &  ACB_WSTRUST) ==  ACB_WSTRUST) ||
                ( (acct_ctrl &  ACB_SVRTRUST) ==  ACB_SVRTRUST) ) {
                DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
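Review bot: The DEBUG text on the last line of this hunk still says "or non-unix-user password", but the condition no longer tests `IS_SAM_UNIX_USER(pwd)`, so the message now describes a case this branch cannot take. Change it to `DEBUG(5, ("Changing trust account password, not updating /etc/passwd\n"));` here and in the set_user_info_pw hunk that follows. Accounts without a Unix entry now fall through to the other branch, which is outside the hunk; if that branch calls chgpasswd() it will fail for them, so it would help to say in the comment above the `if` whether that is intended.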
@@ -2880,8 +2879,7 @@ static BOOL set_user_info_pw(char *pass, DOM_SID *sid)
        }
  
        /* if it's a trust account, don't update /etc/passwd */
-       if ( (!IS_SAM_UNIX_USER(pwd)) ||
-               ( (acct_ctrl &  ACB_DOMTRUST) == ACB_DOMTRUST ) ||
+       if ( ( (acct_ctrl &  ACB_DOMTRUST) == ACB_DOMTRUST ) ||
                ( (acct_ctrl &  ACB_WSTRUST) ==  ACB_WSTRUST) ||
                ( (acct_ctrl &  ACB_SVRTRUST) ==  ACB_SVRTRUST) ) {
                DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
@@ -3396,9 +3394,9 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD
                pdb_free_sam(&sam_user);
                return NT_STATUS_NO_SUCH_USER;
        }
-       
-       uid = pdb_get_uid(sam_user);
-       if (uid == -1) {
+
+       /* check a real user exist before we run the script to add a user to a group */
+       if (!sid_to_uid(pdb_get_user_sid(sam_user), &uid)) {
                pdb_free_sam(&sam_user);
                return NT_STATUS_NO_SUCH_USER;
        }
@@ -3408,7 +3406,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD
        if ((pwd=getpwuid_alloc(uid)) == NULL) {
                return NT_STATUS_NO_SUCH_USER;
        }
-
+       
        if ((grp=getgrgid(map.gid)) == NULL) {
                passwd_free(&pwd);
                return NT_STATUS_NO_SUCH_ALIAS;
@@ -3557,18 +3555,6 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD
                return NT_STATUS_NO_SUCH_USER;
        }
        
-       uid = pdb_get_uid(sam_user);
-       if (uid == -1) {
-               pdb_free_sam(&sam_user);
-               return NT_STATUS_NO_SUCH_USER;
-       }
-
-       pdb_free_sam(&sam_user);
-
-       if ((pwd=getpwuid_alloc(uid)) == NULL) {
-               return NT_STATUS_NO_SUCH_USER;
-       }
-
        if ((grp=getgrgid(map.gid)) == NULL) {
                passwd_free(&pwd);
                return NT_STATUS_NO_SUCH_GROUP;
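Review bot: After this deletion nothing in the visible lines assigns `pwd`, yet the retained error path still calls `passwd_free(&pwd)` when getgrgid() fails. The `pdb_free_sam(&sam_user)` on the success path is removed as well, so `sam_user` appears to leak. Unless both are handled earlier in _samr_add_groupmem, outside this hunk, the lookup should be converted rather than dropped, the same way the _samr_add_aliasmem hunk does it.
```c
	if (!sid_to_uid(pdb_get_user_sid(sam_user), &uid)) {
		pdb_free_sam(&sam_user);
		return NT_STATUS_NO_SUCH_USER;
	}

	pdb_free_sam(&sam_user);

	if ((pwd=getpwuid_alloc(uid)) == NULL) {
		return NT_STATUS_NO_SUCH_USER;
	}
	/* … unchanged: getgrgid(map.gid) lookup and its error path … */
```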
index 4656efb6fae4da5d6554bbe21090d8158eae278a..f948088737d91cc32bff9f3d3fb34eb7af91a2bd 100644 (file)
@@ -129,7 +129,12 @@ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, ui
 
        fstrcpy(user_name, pdb_get_username(sam_pass));
        grid=pdb_get_group_rid(sam_pass);
-       gid=pdb_get_gid(sam_pass);
+       if (!sid_to_gid(pdb_get_group_sid(sam_pass), &gid)) {
+               /* this should never happen */
+               DEBUG(2,("get_alias_user_groups: sid_to_gid failed!\n"));
+               pdb_free_sam(&sam_pass);
+               return NT_STATUS_UNSUCCESSFUL;
+       }
 
        become_root();
        /* on some systems this must run as root */
index 27cf706e7d0b040f96d9ee16d6d8cc1831b94d42..13e3affbd647b4f37bbfaa0a1b24bbf3a3539fb8 100644 (file)
@@ -252,8 +252,9 @@ static NTSTATUS db_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
 static NTSTATUS db_idmap_init(void)
 {
        SMB_STRUCT_STAT stbuf;
-       char *tdbfile;
+       char *tdbfile = NULL;
        int32 version;
+       BOOL tdb_is_new = False;
 
        /* use the old database if present */
        if (!file_exist(lock_path("idmap.tdb"), &stbuf)) {
@@ -264,8 +265,11 @@ static NTSTATUS db_idmap_init(void)
                                DEBUG(0, ("idmap_init: out of memory!\n"));
                                return NT_STATUS_NO_MEMORY;
                        }
+               } else {
+                       tdb_is_new = True;
                }
-       } else {
+       }
+       if (!tdbfile) {
                tdbfile = strdup(lock_path("idmap.tdb"));
                if (!tdbfile) {
                        DEBUG(0, ("idmap_init: out of memory!\n"));
@@ -285,10 +289,15 @@ static NTSTATUS db_idmap_init(void)
        SAFE_FREE(tdbfile);
 
        /* check against earlier versions */
-       version = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION");
-       if (version != IDMAP_VERSION) {
-               DEBUG(0, ("idmap_init: Unable to open idmap database, it's in an old format!\n"));
-               return NT_STATUS_INTERNAL_DB_ERROR;
+       if (tdb_is_new) {
+               /* TODO: delete the file if this fail */
+               tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION);
+       } else {
+               version = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION");
+               if (version != IDMAP_VERSION) {
+                       DEBUG(0, ("idmap_init: Unable to open idmap database, it's in an old format!\n"));
+                       return NT_STATUS_INTERNAL_DB_ERROR;
+               }
        }
 
        /* Create high water marks for group and user id */
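Review bot: The result of `tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION)` is ignored in the `tdb_is_new` branch. If the store fails, initialisation carries on with an unversioned database, and the next start will find the file, take the `else` branch and reject it as "old format". Check the call and fail here instead: `if (tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION) == -1) { DEBUG(0, ("idmap_init: could not store IDMAP_VERSION!\n")); return NT_STATUS_INTERNAL_DB_ERROR; }`. `tdb_is_new` is decided by the `file_exist()` test before the open (previous hunk), so two processes starting together could both treat the file as new. Deciding on whether the `IDMAP_VERSION` key is absent after opening would avoid that; db_idmap_init continues outside this hunk.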
index fd44938989718c9f61d7d153fec17b5721804738..b282d2ef831c64d663d5b5b39c04fc9846d05955 100644 (file)
@@ -97,15 +97,13 @@ DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid)
  was done correctly, False if not. sidtype is set by this function.
 *****************************************************************/  
 
-BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype)
+BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
 {
        unid_t id;
        int type;
 
        DEBUG(10,("sid_to_uid: sid = [%s]\n", sid_string_static(psid)));
 
-       *sidtype = SID_NAME_USER;
-
        type = ID_USERID;
        if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &type, psid))) {
                DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid));
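Review bot: The header comment kept as context at the top of this hunk still ends with "sidtype is set by this function.", but the `sidtype` parameter and the `*sidtype = SID_NAME_USER;` assignment are removed here. Drop that sentence so the comment matches the new `sid_to_uid(const DOM_SID *psid, uid_t *puid)` prototype. While there, the comment could state that `*puid` is only meaningful when the function returns True, since the callers changed in this commit (pdbedit in particular) depend on that. The comment block begins outside the hunk.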
@@ -123,7 +121,7 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype)
                        DEBUG(0, ("sid_to_uid: Error extracting RID from SID\n!"));
                        return False;
                }
-               if (!pdb_rid_is_user(rid)) {
+               if (!fallback_pdb_rid_is_user(rid)) {
                        DEBUG(3, ("sid_to_uid: RID %u is *NOT* a user\n", (unsigned)rid));
                        return False;
                }
@@ -140,15 +138,13 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype)
  was done correctly, False if not.
 *****************************************************************/  
 
-BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype)
+BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
 {
        unid_t id;
        int type;
 
        DEBUG(10,("sid_to_gid: sid = [%s]\n", sid_string_static(psid)));
 
-       *sidtype = SID_NAME_ALIAS;
-
        type = ID_GROUPID;
        if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &type, psid))) {
                DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid));
@@ -166,7 +162,6 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype)
                                return False;
                        
                        *pgid = map.gid;
-                       *sidtype = map.sid_name_use;
                        return True;
                } else {
                        uint32 rid;
@@ -175,12 +170,11 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype)
                                DEBUG(0, ("sid_to_gid: Error extracting RID from SID\n!"));
                                return False;
                        }
-                       if (pdb_rid_is_user(rid)) {
+                       if (fallback_pdb_rid_is_user(rid)) {
                                DEBUG(3, ("sid_to_gid: RID %u is *NOT* a group\n", (unsigned)rid));
                                return False;
                        }
                        *pgid = pdb_group_rid_to_gid(rid);
-                       *sidtype = SID_NAME_ALIAS;      
                }
        }
 
index 31c4fa7cc9bf286a5b8c4fa9185611ed201f4cfc..3d25f33f45defc8584cd0e26b670a2d6ad2301bc 100644 (file)
@@ -478,6 +478,12 @@ BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL
        if (!name) {
                DEBUG(1, ("NULL username specfied to chgpasswd()!\n"));
        }
+       
+       pass = Get_Pwnam(name);
+       if (!pass) {
+               DEBUG(1, ("Username does not exist in system passwd!\n"));
+               return False;
+       }
 
        if (!oldpass) {
                oldpass = "";
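Review bot: `Get_Pwnam(name)` now runs directly after the `if (!name)` block, which in the visible lines only logs and does not return, so a NULL `name` is passed straight into the lookup. Add `return False;` inside that block so the function fails closed before touching the passwd database. The new `if (!pass)` check is a good early exit; its message would be easier to act on with the account in it, e.g. `DEBUG(1, ("chgpasswd: user %s does not exist in system passwd!\n", name));`. chgpasswd's body continues outside this hunk.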
@@ -528,8 +534,6 @@ BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL
                }
        }
        
-       pass = Get_Pwnam(name);
-
 #ifdef WITH_PAM
        if (lp_pam_password_change()) {
                BOOL ret;
@@ -983,9 +987,8 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw
         * to touch the unix db unless we have admin permission.
         */
        
-       if(lp_unix_password_sync() && IS_SAM_UNIX_USER(hnd) 
-          && !chgpasswd(pdb_get_username(hnd),
-                        old_passwd, new_passwd, False)) {
+       if(lp_unix_password_sync() &&
+               !chgpasswd(pdb_get_username(hnd), old_passwd, new_passwd, False)) {
                return NT_STATUS_ACCESS_DENIED;
        }
 
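Review bot: Dropping `IS_SAM_UNIX_USER(hnd)` from this condition sends every account through chgpasswd() whenever unix password sync is enabled. The first chgpasswd hunk in this file makes it return False when Get_Pwnam() finds no passwd entry, so an account with no Unix entry now gets `NT_STATUS_ACCESS_DENIED` here, where the old code skipped the sync for it. If that is the intended policy, record it in the comment above the `if`, e.g. `/* accounts without a system passwd entry are refused while unix password sync is on */`. Otherwise the missing-entry case needs to be told apart from a real chgpasswd failure. The rest of change_oem_password is outside the hunk.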
index 175c1ec3a9fed2c9c2c5b0a49b923076c9373142..c4f813b00ccf00371e154ae90fc65497d3ac4a23 100644 (file)
@@ -141,15 +141,9 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name)
        /* the next functions should be done by a SID mapping system (SMS) as
         * the new real sam db won't have reference to unix uids or gids
         */
-       if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
-               DEBUG(0,("Attempted session setup with invalid user.  No uid/gid in SAM_ACCOUNT\n"));
-               free(vuser);
-               free_server_info(&server_info);
-               return UID_FIELD_INVALID;
-       }
        
-       vuser->uid = pdb_get_uid(server_info->sam_account);
-       vuser->gid = pdb_get_gid(server_info->sam_account);
+       vuser->uid = server_info->uid;
+       vuser->gid = server_info->gid;
        
        vuser->n_groups = server_info->n_groups;
        if (vuser->n_groups) {
index a38acc437d99c9608f2782ede2c9dc81f05864f0..6e1e70ae96d0d1f595c06c985d813f8b7b095dbb 100644 (file)
@@ -443,7 +443,6 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
 {
        DOM_SID owner_sid;
        DOM_SID grp_sid;
-       enum SID_NAME_USE sid_type;
 
        *puser = (uid_t)-1;
        *pgrp = (gid_t)-1;
@@ -469,7 +468,7 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
 
        if (security_info_sent & OWNER_SECURITY_INFORMATION) {
                sid_copy(&owner_sid, psd->owner_sid);
-               if (!sid_to_uid( &owner_sid, puser, &sid_type)) {
+               if (!sid_to_uid( &owner_sid, puser)) {
 #if ACL_FORCE_UNMAPPABLE
                        /* this allows take ownership to work reasonably */
                        extern struct current_user current_user;
@@ -489,7 +488,7 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
 
        if (security_info_sent & GROUP_SECURITY_INFORMATION) {
                sid_copy(&grp_sid, psd->grp_sid);
-               if (!sid_to_gid( &grp_sid, pgrp, &sid_type)) {
+               if (!sid_to_gid( &grp_sid, pgrp)) {
 #if ACL_FORCE_UNMAPPABLE
                        /* this allows take group ownership to work reasonably */
                        extern struct current_user current_user;
@@ -938,7 +937,6 @@ static BOOL create_canon_ace_lists(files_struct *fsp,
        }
 
        for(i = 0; i < dacl->num_aces; i++) {
-               enum SID_NAME_USE sid_type;
                SEC_ACE *psa = &dacl->ace[i];
 
                /*
@@ -1003,10 +1001,10 @@ static BOOL create_canon_ace_lists(files_struct *fsp,
                        if (nt4_compatible_acls())
                                psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
 
-               } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid, &sid_type)) {
+               } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid)) {
                        current_ace->owner_type = GID_ACE;
                        current_ace->type = SMB_ACL_GROUP;
-               } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid, &sid_type)) {
+               } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid)) {
                        current_ace->owner_type = UID_ACE;
                        current_ace->type = SMB_ACL_USER;
                } else {
index f33235cdff4ac7ce0dc29e80703ca16500512d94..7fc49a35e229debdae260f8fde8eb92a29c37c94 100644 (file)
@@ -405,10 +405,9 @@ void add_supplementary_nt_login_groups(int *n_groups, gid_t **pp_groups, NT_USER
  
        memcpy(final_groups, *pp_groups, current_n_groups * sizeof(gid_t));
        for (i = 0; i < ptok->num_sids; i++) {
-               enum SID_NAME_USE sid_type;
                gid_t new_grp;
  
-               if (sid_to_gid(&ptok->user_sids[i], &new_grp, &sid_type)) {
+               if (sid_to_gid(&ptok->user_sids[i], &new_grp)) {
                        /*
                         * Don't add the gid_t if it is already in the current group
                         * list. Some UNIXen don't like the same group more than once.
index 3a3d06a6452478c009d4a042d741761e9cf1a994..170d2a03f17da1cb942c742b7571b170ef824967 100644 (file)
@@ -122,12 +122,6 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst
                printf ("Unix username:        %s\n", pdb_get_username(sam_pwent));
                printf ("NT username:          %s\n", pdb_get_nt_username(sam_pwent));
                printf ("Account Flags:        %s\n", pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent), NEW_PW_FORMAT_SPACE_PADDED_LEN));
-               
-               if (IS_SAM_UNIX_USER(sam_pwent)) {
-                       uid = pdb_get_uid(sam_pwent);
-                       gid = pdb_get_gid(sam_pwent);
-                       printf ("User ID/Group ID:     %d/%d\n", uid, gid);
-               }
                printf ("User SID:             %s\n",
                        sid_string_static(pdb_get_user_sid(sam_pwent)));
                printf ("Primary Group SID:    %s\n",
@@ -161,35 +155,23 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst
                printf ("Password must change: %s\n", tmp ? http_timestring(tmp) : "0");
                
        } else if (smbpwdstyle) {
-               if (IS_SAM_UNIX_USER(sam_pwent)) {
-                       char lm_passwd[33];
-                       char nt_passwd[33];
-
-                       uid = pdb_get_uid(sam_pwent);
-                       pdb_sethexpwd(lm_passwd, 
-                                     pdb_get_lanman_passwd(sam_pwent), 
-                                     pdb_get_acct_ctrl(sam_pwent));
-                       pdb_sethexpwd(nt_passwd, 
-                                     pdb_get_nt_passwd(sam_pwent), 
-                                     pdb_get_acct_ctrl(sam_pwent));
+               char lm_passwd[33];
+               char nt_passwd[33];
+
+               sid_to_uid(pdb_get_user_sid(sam_pwent), &uid);
+               pdb_sethexpwd(lm_passwd, pdb_get_lanman_passwd(sam_pwent), pdb_get_acct_ctrl(sam_pwent));
+               pdb_sethexpwd(nt_passwd, pdb_get_nt_passwd(sam_pwent), pdb_get_acct_ctrl(sam_pwent));
                        
-                       printf("%s:%d:%s:%s:%s:LCT-%08X:\n",
-                              pdb_get_username(sam_pwent),
-                              uid,
-                              lm_passwd,
-                              nt_passwd,
-                              pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent),NEW_PW_FORMAT_SPACE_PADDED_LEN),
-                              (uint32)pdb_get_pass_last_set_time(sam_pwent));
-               } else {
-                       fprintf(stderr, "Can't output in smbpasswd format, no uid on this record.\n");
-               }
+               printf("%s:%d:%s:%s:%s:LCT-%08X:\n",
+                      pdb_get_username(sam_pwent),
+                      uid,
+                      lm_passwd,
+                      nt_passwd,
+                      pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent),NEW_PW_FORMAT_SPACE_PADDED_LEN),
+                      (uint32)pdb_get_pass_last_set_time(sam_pwent));
        } else {
-               if (IS_SAM_UNIX_USER(sam_pwent)) {
-                       printf ("%s:%d:%s\n", pdb_get_username(sam_pwent), pdb_get_uid(sam_pwent), 
-                               pdb_get_fullname(sam_pwent));
-               } else {        
-                       printf ("%s:(null):%s\n", pdb_get_username(sam_pwent), pdb_get_fullname(sam_pwent));
-               }
+               sid_to_uid(pdb_get_user_sid(sam_pwent), &uid);
+               printf ("%s:%d:%s\n", pdb_get_username(sam_pwent), uid, pdb_get_fullname(sam_pwent));
        }
 
        return 0;
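Review bot: Both new `sid_to_uid(pdb_get_user_sid(sam_pwent), &uid);` calls discard the return value, so when the SID cannot be mapped `uid` is printed without having been set by the call. In the smbpwdstyle branch that puts an indeterminate number into a line meant to be read back as an smbpasswd entry; the removed code refused to print such a record. Check the result in both branches and keep the old fallbacks, as sketched below. Whether callers act on a non-zero return from print_sam_info is not visible here, so the `return -1` may need adjusting. `uid` is a `uid_t` printed with `%d`, hence the cast.
```c
	} else if (smbpwdstyle) {
		char lm_passwd[33];
		char nt_passwd[33];

		if (!sid_to_uid(pdb_get_user_sid(sam_pwent), &uid)) {
			fprintf(stderr, "Can't output in smbpasswd format, no uid on this record.\n");
			return -1;
		}
		/* … unchanged: pdb_sethexpwd calls and the smbpasswd-format printf … */
	} else {
		if (sid_to_uid(pdb_get_user_sid(sam_pwent), &uid)) {
			printf ("%s:%d:%s\n", pdb_get_username(sam_pwent), (int)uid, pdb_get_fullname(sam_pwent));
		} else {
			printf ("%s:(null):%s\n", pdb_get_username(sam_pwent), pdb_get_fullname(sam_pwent));
		}
	}
```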