Changeset 124 for branches/samba-3.0/source/utils

Timestamp:

Mar 12, 2008, 9:08:18 AM (17 years ago)

Author:

Paul Smedley

Message:

Update source to 3.0.28a

Location:

branches/samba-3.0/source/utils

Files:

• net.c (modified) (1 diff)
• net_domain.c (modified) (4 diffs)
• net_rpc.c (modified) (5 diffs)
• net_rpc_join.c (modified) (4 diffs)
• net_rpc_samsync.c (modified) (1 diff)
• net_sam.c (modified) (10 diffs)
• smbcacls.c (modified) (1 diff)
• smbpasswd.c (modified) (1 diff)
• status.c (modified) (1 diff)

branches/samba-3.0/source/utils/net.c

@@ -676 +676 @@
                 DEBUG(0, ("WARNING: Could not open passdb - domain sid may not reflect passdb\n"
                           "backend knowlege (such as the sid stored in LDAP)\n"));
+        }
+
+        /* first check to see if we can even access secrets, so we don't
+           panic when we can't. */
+
+        if (!secrets_init()) {
+                d_fprintf(stderr, "Unable to open secrets.tdb.  "
+                                  "Can't fetch domainSID for name: %s\n",
+                                  get_global_sam_name());
+                return 1;
         }
 

branches/samba-3.0/source/utils/net_domain.c

@@ -210 +210 @@
         uint32 flags = 0x3e8;
         uint32 acb_info = ACB_WSTRUST;
-        uchar pwbuf[516];
+        uint32 acct_flags=0;
+        uint32 fields_present;
+        uchar pwbuf[532];
         SAM_USERINFO_CTR ctr;
-        SAM_USER_INFO_24 p24;
-        SAM_USER_INFO_16 p16;
+        SAM_USER_INFO_25 p25;
+        const int infolevel = 25;
+        struct MD5Context md5ctx;
+        uchar md5buffer[16];
+        DATA_BLOB digested_session_key;
         uchar md4_trust_password[16];
 
@@ -243 +248 @@
         /* Don't try to set any acb_info flags other than ACB_WSTRUST */
 
+        acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE |
+                SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC |
+                SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR |
+                SAMR_USER_SETATTR;
+        DEBUG(10, ("Creating account with flags: %d\n",acct_flags));
         status = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol,
-                        acct_name, acb_info, 0xe005000b, &user_pol, &user_rid);
+                        acct_name, acb_info, acct_flags, &user_pol, &user_rid);
 
         if ( !NT_STATUS_IS_OK(status) 
@@ -284 +294 @@
         status = rpccli_samr_open_user(pipe_hnd, mem_ctx, &domain_pol,
                         SEC_RIGHTS_MAXIMUM_ALLOWED, user_rid, &user_pol);
-        
-        /* Create a random machine account password */
-
-        E_md4hash( clear_pw, md4_trust_password);
+        if (!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
+        
+        /* Create a random machine account password and generate the hash */
+
+        E_md4hash(clear_pw, md4_trust_password);
         encode_pw_buffer(pwbuf, clear_pw, STR_UNICODE);
-
-        /* Set password on machine account */
-
-        ZERO_STRUCT(ctr);
-        ZERO_STRUCT(p24);
-
-        init_sam_user_info24(&p24, (char *)pwbuf,24);
-
-        ctr.switch_value = 24;
-        ctr.info.id24 = &p24;
-
-        status = rpccli_samr_set_userinfo(pipe_hnd, mem_ctx, &user_pol, 
-                        24, &cli->user_session_key, &ctr);
-
-        if ( !NT_STATUS_IS_OK(status) ) {
-                d_fprintf( stderr, "Failed to set password for machine account (%s)\n", 
-                        nt_errstr(status));
-                return status;
-        }
-
-
-        /* Why do we have to try to (re-)set the ACB to be the same as what
-           we passed in the samr_create_dom_user() call?  When a NT
-           workstation is joined to a domain by an administrator the
-           acb_info is set to 0x80.  For a normal user with "Add
-           workstations to the domain" rights the acb_info is 0x84.  I'm
-           not sure whether it is supposed to make a difference or not.  NT
-           seems to cope with either value so don't bomb out if the set
-           userinfo2 level 0x10 fails.  -tpot */
-
-        ZERO_STRUCT(ctr);
-        ctr.switch_value = 16;
-        ctr.info.id16 = &p16;
+        
+        generate_random_buffer((uint8*)md5buffer, sizeof(md5buffer));
+        digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
+        
+        MD5Init(&md5ctx);
+        MD5Update(&md5ctx, md5buffer, sizeof(md5buffer));
+        MD5Update(&md5ctx, cli->user_session_key.data, cli->user_session_key.length);
+        MD5Final(digested_session_key.data, &md5ctx);
+        
+        SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
+        memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
 
         /* Fill in the additional account flags now */
@@ -333 +324 @@
         }
 
-        init_sam_user_info16(&p16, acb_info);
-
-        status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16, 
-                                        &cli->user_session_key, &ctr);
+        /* Set password and account flags on machine account */
+
+        ZERO_STRUCT(ctr);
+        ZERO_STRUCT(p25);
+
+        fields_present = ACCT_NT_PWD_SET | ACCT_LM_PWD_SET | ACCT_FLAGS;
+        init_sam_user_info25P(&p25, fields_present, acb_info, (char *)pwbuf);
+
+        ctr.switch_value = infolevel;
+        ctr.info.id25    = &p25;
+
+        status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol,
+                                           infolevel, &cli->user_session_key, &ctr);
+
+        if ( !NT_STATUS_IS_OK(status) ) {
+                d_fprintf( stderr, "Failed to set password for machine account (%s)\n", 
+                        nt_errstr(status));
+                return status;
+        }
 
         rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol);

branches/samba-3.0/source/utils/net_rpc.c

@@ -382 +382 @@
  *              stripped
  *
- * Main 'net_rpc_join()' (where the admain username/password is used) is 
+ * Main 'net_rpc_join()' (where the admin username/password is used) is
  * in net_rpc_join.c
  * Try to just change the password, but if that doesn't work, use/prompt
@@ -582 +582 @@
         const char *acct_name;
         uint32 acb_info;
-        uint32 unknown, user_rid;
+        uint32 acct_flags=0;
+        uint32 user_rid;
 
         if (argc < 1) {
@@ -612 +613 @@
 
         acb_info = ACB_NORMAL;
-        unknown = 0xe005000b; /* No idea what this is - a permission mask? */
+        acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE |
+                SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC |
+                SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR |
+                SAMR_USER_SETATTR;
+        DEBUG(10, ("Creating account with flags: %d\n",acct_flags));
 
         result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol,
-                                          acct_name, acb_info, unknown,
+                                          acct_name, acb_info, acct_flags,
                                           &user_pol, &user_rid);
         if (!NT_STATUS_IS_OK(result)) {
@@ -5336 +5341 @@
         char *acct_name;
         uint32 acb_info;
-        uint32 unknown, user_rid;
+        uint32 user_rid;
+        uint32 acct_flags=0;
 
         if (argc != 2) {
@@ -5370 +5376 @@
         /* Create trusting domain's account */
         acb_info = ACB_NORMAL; 
-        unknown = 0xe00500b0; /* No idea what this is - a permission mask?
-                                 mimir: yes, most probably it is */
+        acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE |
+                SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC |
+                SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR |
+                SAMR_USER_SETATTR;
 
         result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol,
-                                          acct_name, acb_info, unknown,
+                                          acct_name, acb_info, acct_flags,
                                           &user_pol, &user_rid);
         if (!NT_STATUS_IS_OK(result)) {

branches/samba-3.0/source/utils/net_rpc_join.c

@@ -44 +44 @@
 int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
 {
-        uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+        uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
         struct cli_state *cli = NULL;
         struct rpc_pipe_client *pipe_hnd = NULL;
@@ -115 +115 @@
         TALLOC_CTX *mem_ctx;
         uint32 acb_info = ACB_WSTRUST;
-        uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0);
+        uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0);
         uint32 sec_channel_type;
         struct rpc_pipe_client *pipe_hnd = NULL;
@@ -143 +143 @@
         char *acct_name;
         const char *const_acct_name;
+        uint32 acct_flags=0;
 
         /* check what type of join */
@@ -230 +231 @@
         const_acct_name = acct_name;
 
+        acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE |
+                SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC |
+                SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR |
+                SAMR_USER_SETATTR;
+        DEBUG(10, ("Creating account with flags: %d\n",acct_flags));
         result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol,
                                           acct_name, acb_info,
-                                          0xe005000b, &user_pol, 
+                                          acct_flags, &user_pol, 
                                           &user_rid);
 

branches/samba-3.0/source/utils/net_rpc_samsync.c

@@ -239 +239 @@
         NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
         uchar trust_password[16];
-        uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
+        uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS;
         uint32 sec_channel_type = 0;
 

branches/samba-3.0/source/utils/net_sam.c

@@ -43 +43 @@
         }
 
-        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
+        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_LOCAL,
                          &dom, &name, &sid, &type)) {
                 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
@@ -140 +140 @@
         }
 
-        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
+        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_LOCAL,
                          &dom, &name, &sid, &type)) {
                 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
@@ -224 +224 @@
         }
 
-        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
+        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_LOCAL,
                          &dom, &name, &sid, &type)) {
                 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
@@ -285 +285 @@
         }
 
-        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
+        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_LOCAL,
                          &dom, &name, &sid, &type)) {
                 d_fprintf(stderr, "Could not find name %s\n", argv[0]);
@@ -640 +640 @@
         }
 
-        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
+        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_LOCAL,
                          &groupdomain, &groupname, &group, &grouptype)) {
                 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
@@ -648 +648 @@
         /* check to see if the member to be added is a name or a SID */
 
-        if (!lookup_name(tmp_talloc_ctx(), argv[1], LOOKUP_NAME_ISOLATED,
+        if (!lookup_name(tmp_talloc_ctx(), argv[1], LOOKUP_NAME_LOCAL,
                          &memberdomain, &membername, &member, &membertype))
         {
@@ -713 +713 @@
         }
 
-        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
+        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_LOCAL,
                          &groupdomain, &groupname, &group, &grouptype)) {
                 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
@@ -719 +719 @@
         }
 
-        if (!lookup_name(tmp_talloc_ctx(), argv[1], LOOKUP_NAME_ISOLATED,
+        if (!lookup_name(tmp_talloc_ctx(), argv[1], LOOKUP_NAME_LOCAL,
                          &memberdomain, &membername, &member, NULL)) {
                 if (!string_to_sid(&member, argv[1])) {
@@ -771 +771 @@
         }
 
-        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
+        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_LOCAL,
                          &groupdomain, &groupname, &group, &grouptype)) {
                 d_fprintf(stderr, "Could not find group %s\n", argv[0]);
@@ -919 +919 @@
         }
 
-        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_ISOLATED,
+        if (!lookup_name(tmp_talloc_ctx(), argv[0], LOOKUP_NAME_LOCAL,
                          &dom, &name, &sid, &type)) {
                 d_fprintf(stderr, "Could not find name %s\n", argv[0]);

branches/samba-3.0/source/utils/smbcacls.c

@@ -789 +789 @@
                                                             share, "?????",  
                                                             cmdline_auth_info.username, lp_workgroup(),
-                                                            cmdline_auth_info.password, 0,
+                                                            cmdline_auth_info.password,
+                                                            cmdline_auth_info.use_kerberos ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
                                                             cmdline_auth_info.signing_state, NULL))) {
                 return c;

branches/samba-3.0/source/utils/smbpasswd.c

@@ -97 +97 @@
                 switch(ch) {
                 case 'L':
+#if !defined(DEVELOPER)
+                        if (getuid() != 0) {
+                                fprintf(stderr, "smbpasswd -L can only be used by root.\n");
+                                exit(1);
+                        }
+#endif
                         local_flags |= LOCAL_AM_ROOT;
                         break;

branches/samba-3.0/source/utils/status.c

@@ -368 +368 @@
                 int ret;
 
+                tdb = tdb_open_log(lock_path("locking.tdb"), 0, TDB_DEFAULT, O_RDONLY, 0);
+
+                if (!tdb) {
+                        d_printf("%s not initialised\n", lock_path("locking.tdb"));
+                        d_printf("This is normal if an SMB client has never connected to your server.\n");
+                        exit(0);
+                } else {
+                        tdb_close(tdb);
+                }
+
                 if (!locking_init(1)) {
                         d_printf("Can't initialise locking module - exiting\n");