Changeset 124 for branches/samba-3.0/source/passdb
- Timestamp:
- Mar 12, 2008, 9:08:18 AM (17 years ago)
- Location:
- branches/samba-3.0/source/passdb
- Files:
-
- 3 edited
-
lookup_sid.c (modified) (11 diffs)
-
pdb_ldap.c (modified) (4 diffs)
-
secrets.c (modified) (5 diffs)
Legend:
- Unmodified
- Added
- Removed
-
branches/samba-3.0/source/passdb/lookup_sid.c
r39 r124 61 61 } 62 62 63 DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n",64 full_name, domain, name));65 66 63 if ((domain == NULL) || (name == NULL)) { 67 64 DEBUG(0, ("talloc failed\n")); … … 70 67 } 71 68 72 if (strequal(domain, get_global_sam_name())) { 69 DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n", 70 full_name, domain, name)); 71 DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags)); 72 73 if ((flags & LOOKUP_NAME_DOMAIN) && 74 strequal(domain, get_global_sam_name())) 75 { 73 76 74 77 /* It's our own domain, lookup the name in passdb */ … … 82 85 } 83 86 84 if (strequal(domain, builtin_domain_name())) { 85 87 if ((flags & LOOKUP_NAME_BUILTIN) && 88 strequal(domain, builtin_domain_name())) 89 { 86 90 /* Explicit request for a name in BUILTIN */ 87 91 if (lookup_builtin_name(name, &rid)) { … … 99 103 100 104 if ((domain[0] != '\0') && 105 (flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) && 101 106 (winbind_lookup_name(domain, name, &sid, &type))) { 102 107 goto ok; … … 133 138 /* 1. well-known names */ 134 139 135 if (lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) { 140 if ((flags & LOOKUP_NAME_WKN) && 141 lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) 142 { 136 143 type = SID_NAME_WKN_GRP; 137 144 goto ok; … … 140 147 /* 2. Builtin domain as such */ 141 148 142 if (strequal(name, builtin_domain_name())) { 149 if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) && 150 strequal(name, builtin_domain_name())) 151 { 143 152 /* Swap domain and name */ 144 153 tmp = name; name = domain; domain = tmp; … … 150 159 /* 3. Account domain */ 151 160 152 if (strequal(name, get_global_sam_name())) { 161 if ((flags & LOOKUP_NAME_DOMAIN) && 162 strequal(name, get_global_sam_name())) 163 { 153 164 if (!secrets_fetch_domain_sid(name, &sid)) { 154 165 DEBUG(3, ("Could not fetch my SID\n")); … … 164 175 /* 4. Primary domain */ 165 176 166 if (!IS_DC && strequal(name, lp_workgroup())) { 177 if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC && 178 strequal(name, lp_workgroup())) 179 { 167 180 if (!secrets_fetch_domain_sid(name, &sid)) { 168 181 DEBUG(3, ("Could not fetch the domain SID\n")); … … 179 192 this, tested an XP workstation in a NT domain -- vl */ 180 193 181 if (IS_DC && (secrets_fetch_trusted_domain_password(name, NULL, 182 &sid, NULL))) { 194 if ((flags & LOOKUP_NAME_REMOTE) && IS_DC && 195 (secrets_fetch_trusted_domain_password(name, NULL, &sid, NULL))) 196 { 183 197 /* Swap domain and name */ 184 198 tmp = name; name = domain; domain = tmp; … … 189 203 /* 6. Builtin aliases */ 190 204 191 if (lookup_builtin_name(name, &rid)) { 205 if ((flags & LOOKUP_NAME_BUILTIN) && 206 lookup_builtin_name(name, &rid)) 207 { 192 208 domain = talloc_strdup(tmp_ctx, builtin_domain_name()); 193 209 sid_copy(&sid, &global_sid_Builtin); … … 202 218 /* Both cases are done by looking at our passdb */ 203 219 204 if (lookup_global_sam_name(name, flags, &rid, &type)) { 220 if ((flags & LOOKUP_NAME_DOMAIN) && 221 lookup_global_sam_name(name, flags, &rid, &type)) 222 { 205 223 domain = talloc_strdup(tmp_ctx, get_global_sam_name()); 206 224 sid_copy(&sid, get_global_sam_sid()); -
branches/samba-3.0/source/passdb/pdb_ldap.c
r62 r124 1652 1652 SAFE_FREE(ld_error); 1653 1653 ber_bvfree(bv); 1654 #if defined(LDAP_CONSTRAINT_VIOLATION) 1655 if (rc == LDAP_CONSTRAINT_VIOLATION) 1656 return NT_STATUS_PASSWORD_RESTRICTION; 1657 #endif 1654 1658 return NT_STATUS_UNSUCCESSFUL; 1655 1659 } else { … … 2455 2459 } 2456 2460 2457 rc = smbldap_search(conn, lp_ldap_ user_suffix(),2461 rc = smbldap_search(conn, lp_ldap_suffix(), 2458 2462 LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0, 2459 2463 &result); … … 2511 2515 gidstr); 2512 2516 2513 rc = smbldap_search(conn, lp_ldap_ user_suffix(),2517 rc = smbldap_search(conn, lp_ldap_suffix(), 2514 2518 LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0, 2515 2519 &result); … … 2595 2599 } 2596 2600 2597 rc = smbldap_search(conn, lp_ldap_ user_suffix(),2601 rc = smbldap_search(conn, lp_ldap_suffix(), 2598 2602 LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result); 2599 2603 -
branches/samba-3.0/source/passdb/secrets.c
r1 r124 269 269 /************************************************************************ 270 270 Routine to get the trust account password for a domain. 271 This only tries to get the legacy hashed version of the password. 271 272 The user of this function must have locked the trust password file using 272 273 the above secrets_lock_trust_account_password(). 273 274 ************************************************************************/ 274 275 276 BOOL secrets_fetch_trust_account_password_legacy(const char *domain, 277 uint8 ret_pwd[16], 278 time_t *pass_last_set_time, 279 uint32 *channel) 280 { 281 struct machine_acct_pass *pass; 282 size_t size = 0; 283 284 if (!(pass = (struct machine_acct_pass *)secrets_fetch( 285 trust_keystr(domain), &size))) { 286 DEBUG(5, ("secrets_fetch failed!\n")); 287 return False; 288 } 289 290 if (size != sizeof(*pass)) { 291 DEBUG(0, ("secrets were of incorrect size!\n")); 292 return False; 293 } 294 295 if (pass_last_set_time) { 296 *pass_last_set_time = pass->mod_time; 297 } 298 memcpy(ret_pwd, pass->hash, 16); 299 300 if (channel) { 301 *channel = get_default_sec_channel(); 302 } 303 304 /* Test if machine password has expired and needs to be changed */ 305 if (lp_machine_password_timeout()) { 306 if (pass->mod_time > 0 && time(NULL) > (pass->mod_time + 307 (time_t)lp_machine_password_timeout())) { 308 global_machine_password_needs_changing = True; 309 } 310 } 311 312 SAFE_FREE(pass); 313 return True; 314 } 315 316 /************************************************************************ 317 Routine to get the trust account password for a domain. 318 The user of this function must have locked the trust password file using 319 the above secrets_lock_trust_account_password(). 320 ************************************************************************/ 321 275 322 BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16], 276 323 time_t *pass_last_set_time, 277 324 uint32 *channel) 278 325 { 279 struct machine_acct_pass *pass;280 326 char *plaintext; 281 size_t size = 0; 282 283 plaintext = secrets_fetch_machine_password(domain, pass_last_set_time, 327 328 plaintext = secrets_fetch_machine_password(domain, pass_last_set_time, 284 329 channel); 285 330 if (plaintext) { … … 290 335 } 291 336 292 if (!(pass = (struct machine_acct_pass *)secrets_fetch( 293 trust_keystr(domain), &size))) { 294 DEBUG(5, ("secrets_fetch failed!\n")); 295 return False; 296 } 297 298 if (size != sizeof(*pass)) { 299 DEBUG(0, ("secrets were of incorrect size!\n")); 300 return False; 301 } 302 303 if (pass_last_set_time) { 304 *pass_last_set_time = pass->mod_time; 305 } 306 memcpy(ret_pwd, pass->hash, 16); 307 308 if (channel) { 309 *channel = get_default_sec_channel(); 310 } 311 312 /* Test if machine password has expired and needs to be changed */ 313 if (lp_machine_password_timeout()) { 314 if (pass->mod_time > 0 && time(NULL) > (pass->mod_time + 315 (time_t)lp_machine_password_timeout())) { 316 global_machine_password_needs_changing = True; 317 } 318 } 319 320 SAFE_FREE(pass); 321 return True; 337 return secrets_fetch_trust_account_password_legacy(domain, ret_pwd, 338 pass_last_set_time, 339 channel); 322 340 } 323 341 … … 499 517 500 518 return True; 501 }502 503 /************************************************************************504 Routine to set the trust account password for a domain.505 ************************************************************************/506 507 BOOL secrets_store_trust_account_password(const char *domain, uint8 new_pwd[16])508 {509 struct machine_acct_pass pass;510 511 pass.mod_time = time(NULL);512 memcpy(pass.hash, new_pwd, 16);513 514 return secrets_store(trust_keystr(domain), (void *)&pass, sizeof(pass));515 519 } 516 520 … … 656 660 } 657 661 662 BOOL is_trusted_domain_situation(const char *domain_name) 663 { 664 return IS_DC && 665 lp_allow_trusted_domains() && 666 !strequal(domain_name, lp_workgroup()); 667 } 668 658 669 /******************************************************************* 659 Wrapper around retrieving the trust account password 670 Wrapper around retrieving the clear text trust account password. 671 appropriate account name is stored in account_name. 672 Caller must free password, but not account_name. 660 673 *******************************************************************/ 661 662 BOOL get_trust_pw (const char *domain, uint8 ret_pwd[16], uint32 *channel)663 { 664 DOM_SID sid; 674 675 BOOL get_trust_pw_clear(const char *domain, char **ret_pwd, 676 const char **account_name, uint32 *channel) 677 { 665 678 char *pwd; 666 679 time_t last_set_time; 667 680 668 681 /* if we are a DC and this is not our domain, then lookup an account 669 for the domain trust */ 670 671 if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) { 672 if (!secrets_fetch_trusted_domain_password(domain, &pwd, &sid, 673 &last_set_time)) { 682 * for the domain trust */ 683 684 if (is_trusted_domain_situation(domain)) { 685 if (!secrets_fetch_trusted_domain_password(domain, ret_pwd, 686 NULL, &last_set_time)) 687 { 674 688 DEBUG(0, ("get_trust_pw: could not fetch trust " 675 689 "account password for trusted domain %s\n", … … 677 691 return False; 678 692 } 679 680 *channel = SEC_CHAN_DOMAIN; 693 694 if (channel != NULL) { 695 *channel = SEC_CHAN_DOMAIN; 696 } 697 698 if (account_name != NULL) { 699 *account_name = lp_workgroup(); 700 } 701 702 return True; 703 } 704 705 /* Just get the account for the requested domain. In the future this 706 * might also cover to be member of more than one domain. */ 707 708 pwd = secrets_fetch_machine_password(domain, &last_set_time, channel); 709 710 if (pwd != NULL) { 711 *ret_pwd = pwd; 712 if (account_name != NULL) { 713 *account_name = global_myname(); 714 } 715 716 return True; 717 } 718 719 DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust " 720 "account password for domain %s\n", domain)); 721 return False; 722 } 723 724 /******************************************************************* 725 Wrapper around retrieving the trust account password. 726 appropriate account name is stored in account_name. 727 *******************************************************************/ 728 729 BOOL get_trust_pw_hash(const char *domain, uint8 ret_pwd[16], 730 const char **account_name, uint32 *channel) 731 { 732 char *pwd = NULL; 733 time_t last_set_time; 734 735 if (get_trust_pw_clear(domain, &pwd, account_name, channel)) { 681 736 E_md4hash(pwd, ret_pwd); 682 737 SAFE_FREE(pwd); 683 684 738 return True; 685 } 686 687 /* Just get the account for the requested domain. In the future this 688 * might also cover to be member of more than one domain. */ 689 690 if (secrets_fetch_trust_account_password(domain, ret_pwd, 691 &last_set_time, channel)) 739 } else if (is_trusted_domain_situation(domain)) { 740 return False; 741 } 742 743 /* as a fallback, try to get the hashed pwd directly from the tdb... */ 744 745 if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd, 746 &last_set_time, 747 channel)) 748 { 749 if (account_name != NULL) { 750 *account_name = global_myname(); 751 } 752 692 753 return True; 693 694 DEBUG(5, ("get_trust_pw: could not fetch trust account " 754 } 755 756 DEBUG(5, ("get_trust_pw_hash: could not fetch trust account " 695 757 "password for domain %s\n", domain)); 696 758 return False; 697 }698 699 /************************************************************************700 Routine to delete the machine trust account password file for a domain.701 ************************************************************************/702 703 BOOL trust_password_delete(const char *domain)704 {705 return secrets_delete(trust_keystr(domain));706 759 } 707 760
Note:
See TracChangeset
for help on using the changeset viewer.
