Changeset 224 for branches/samba-3.3.x/source/rpc_server

Timestamp:

May 24, 2009, 7:55:48 AM (16 years ago)

Author:

Herwig Bauernfeind

Message:

Update Samba 3.3 branch to 3.3.4

Location:

branches/samba-3.3.x/source/rpc_server

Files:

• srv_lsa_nt.c (modified) (1 diff)
• srv_pipe.c (modified) (1 diff)
• srv_samr_nt.c (modified) (14 diffs)
• srv_samr_util.c (modified) (5 diffs)

branches/samba-3.3.x/source/rpc_server/srv_lsa_nt.c

@@ -829 +829 @@
                                            &mapped_count);
 
-        if (NT_STATUS_IS_ERR(status)) {
+        /* Only return here when there is a real error.
+           NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
+           the requested sids could be resolved. Older versions of XP (pre SP3)
+           rely that we return with the string representations of those SIDs in
+           that case. If we don't, XP crashes - Guenther
+           */
+
+        if (NT_STATUS_IS_ERR(status) &&
+            !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
                 return status;
         }

branches/samba-3.3.x/source/rpc_server/srv_pipe.c

@@ -995 +995 @@
         for (i=0; i<rpc_lookup_size; i++) {
                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
-                if (strequal(rpc_lookup[i].pipe.clnt, p->name)
-                    && ndr_syntax_id_equal(
+                if (ndr_syntax_id_equal(
                             abstract, &rpc_lookup[i].rpc_interface)
                     && ndr_syntax_id_equal(

branches/samba-3.3.x/source/rpc_server/srv_samr_nt.c

@@ -621 +621 @@
                 return NT_STATUS_INVALID_HANDLE;
 
-        status = access_check_samr_function(info->acc_granted,
-                                            SAMR_ACCESS_OPEN_DOMAIN,
-                                            "_samr_OpenDomain" );
-
-        if ( !NT_STATUS_IS_OK(status) )
-                return status;
-
         /*check if access can be granted as requested by client. */
         map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
@@ -2898 +2891 @@
 
         status = access_check_samr_function(info->acc_granted,
-                                            SAMR_ACCESS_OPEN_DOMAIN,
+                                            SAMR_ACCESS_LOOKUP_DOMAIN,
                                             "_samr_QueryDomainInfo" );
 
@@ -3323 +3316 @@
 
         se_map_generic( &des_access, &sam_generic_mapping );
-        info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_OPEN_DOMAIN);
+        info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_LOOKUP_DOMAIN);
 
         /* get a (unique) handle.  open a policy on it. */
@@ -3459 +3452 @@
 
         status = access_check_samr_function(info->acc_granted,
-                                            SAMR_ACCESS_OPEN_DOMAIN,
+                                            SAMR_ACCESS_LOOKUP_DOMAIN,
                                             "_samr_LookupDomain");
         if (!NT_STATUS_IS_OK(status)) {
@@ -3744 +3737 @@
         }
 
-        if (id18->password_expired) {
-                pdb_set_pass_last_set_time(pwd, 0, PDB_CHANGED);
-        } else {
-                /* FIXME */
-                pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
-        }
+        copy_id18_to_sam_passwd(pwd, id18);
 
         return pdb_update_sam_account(pwd);
@@ -3956 +3944 @@
  ********************************************************************/
 
-static bool set_user_info_pw(uint8 *pass, struct samu *pwd,
-                             int level)
+static bool set_user_info_pw(uint8 *pass, struct samu *pwd)
 {
         uint32 len = 0;
         char *plaintext_buf = NULL;
         uint32 acct_ctrl;
-        time_t last_set_time;
-        enum pdb_value_state last_set_state;
 
         DEBUG(5, ("Attempting administrator password change for user %s\n",
@@ -3969 +3954 @@
 
         acct_ctrl = pdb_get_acct_ctrl(pwd);
-        /* we need to know if it's expired, because this is an admin change, not a
-           user change, so it's still expired when we're done */
-        last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET);
-        last_set_time = pdb_get_pass_last_set_time(pwd);
 
         if (!decode_pw_buffer(talloc_tos(),
@@ -4015 +3996 @@
         memset(plaintext_buf, '\0', strlen(plaintext_buf));
 
-        /*
-         * A level 25 change does reset the pwdlastset field, a level 24
-         * change does not. I know this is probably not the full story, but
-         * it is needed to make XP join LDAP correctly, without it the later
-         * auth2 check can fail with PWD_MUST_CHANGE.
-         */
-        if (level != 25) {
-                /*
-                 * restore last set time as this is an admin change, not a
-                 * user pw change
-                 */
-                pdb_set_pass_last_set_time (pwd, last_set_time,
-                                            last_set_state);
-        }
-
         DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
 
-        /* update the SAMBA password */
-        if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
-                return False;
+        return True;
+}
+
+/*******************************************************************
+ set_user_info_24
+ ********************************************************************/
+
+static NTSTATUS set_user_info_24(TALLOC_CTX *mem_ctx,
+                                 struct samr_UserInfo24 *id24,
+                                 struct samu *pwd)
+{
+        NTSTATUS status;
+
+        if (id24 == NULL) {
+                DEBUG(5, ("set_user_info_24: NULL id24\n"));
+                return NT_STATUS_INVALID_PARAMETER;
+        }
+
+        if (!set_user_info_pw(id24->password.data, pwd)) {
+                return NT_STATUS_WRONG_PASSWORD;
+        }
+
+        copy_id24_to_sam_passwd(pwd, id24);
+
+        status = pdb_update_sam_account(pwd);
+        if (!NT_STATUS_IS_OK(status)) {
+                return status;
         }
 
-        return True;
+        return NT_STATUS_OK;
 }
 
@@ -4061 +4051 @@
         if (id25->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
                 return NT_STATUS_ACCESS_DENIED;
+        }
+
+        if ((id25->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
+            (id25->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
+
+                if (!set_user_info_pw(id25->password.data, pwd)) {
+                        return NT_STATUS_WRONG_PASSWORD;
+                }
         }
 
@@ -4087 +4085 @@
         return NT_STATUS_OK;
 }
+
+/*******************************************************************
+ set_user_info_26
+ ********************************************************************/
+
+static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx,
+                                 struct samr_UserInfo26 *id26,
+                                 struct samu *pwd)
+{
+        NTSTATUS status;
+
+        if (id26 == NULL) {
+                DEBUG(5, ("set_user_info_26: NULL id26\n"));
+                return NT_STATUS_INVALID_PARAMETER;
+        }
+
+        if (!set_user_info_pw(id26->password.data, pwd)) {
+                return NT_STATUS_WRONG_PASSWORD;
+        }
+
+        copy_id26_to_sam_passwd(pwd, id26);
+
+        status = pdb_update_sam_account(pwd);
+        if (!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
+
+        return NT_STATUS_OK;
+}
+
 
 /*******************************************************************
@@ -4248 +4276 @@
                         dump_data(100, info->info24.password.data, 516);
 
-                        if (!set_user_info_pw(info->info24.password.data, pwd,
-                                              switch_value)) {
-                                status = NT_STATUS_WRONG_PASSWORD;
-                        }
+                        status = set_user_info_24(p->mem_ctx,
+                                                  &info->info24, pwd);
                         break;
 
@@ -4266 +4292 @@
                         status = set_user_info_25(p->mem_ctx,
                                                   &info->info25, pwd);
-                        if (!NT_STATUS_IS_OK(status)) {
-                                goto done;
-                        }
-                        if (!set_user_info_pw(info->info25.password.data, pwd,
-                                              switch_value)) {
-                                status = NT_STATUS_WRONG_PASSWORD;
-                        }
                         break;
 
@@ -4285 +4304 @@
                         dump_data(100, info->info26.password.data, 516);
 
-                        if (!set_user_info_pw(info->info26.password.data, pwd,
-                                              switch_value)) {
-                                status = NT_STATUS_WRONG_PASSWORD;
-                        }
+                        status = set_user_info_26(p->mem_ctx,
+                                                  &info->info26, pwd);
                         break;
 
@@ -4294 +4311 @@
                         status = NT_STATUS_INVALID_INFO_CLASS;
         }
-
- done:
 
         TALLOC_FREE(pwd);

branches/samba-3.3.x/source/rpc_server/srv_samr_util.c

@@ -35 +35 @@
                     (!(s1) && (s2)) ||\
                 ((s1) && (s2) && (strcmp((s1), (s2)) != 0))
+
+/*************************************************************
+ Copies a struct samr_UserInfo18 to a struct samu
+**************************************************************/
+
+void copy_id18_to_sam_passwd(struct samu *to,
+                             struct samr_UserInfo18 *from)
+{
+        struct samr_UserInfo21 i;
+
+        if (from == NULL || to == NULL) {
+                return;
+        }
+
+        ZERO_STRUCT(i);
+
+        i.fields_present        = SAMR_FIELD_EXPIRED_FLAG;
+        i.password_expired      = from->password_expired;
+
+        copy_id21_to_sam_passwd("INFO_18", to, &i);
+}
 
 /*************************************************************
@@ -337 +358 @@
                 DEBUG(10,("%s SAMR_FIELD_EXPIRED_FLAG: %02X\n", l,
                         from->password_expired));
-                if (from->password_expired == PASS_MUST_CHANGE_AT_NEXT_LOGON) {
+                if (from->password_expired != 0) {
                         pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
                 } else {
@@ -346 +367 @@
                            for example, to clear an autolocked acct.
                            We must check to see if it's expired first. jmcd */
+
+                        uint32_t pwd_max_age = 0;
+                        time_t now = time(NULL);
+
+                        pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &pwd_max_age);
+
+                        if (pwd_max_age == (uint32_t)-1 || pwd_max_age == 0) {
+                                pwd_max_age = get_time_t_max();
+                        }
+
                         stored_time = pdb_get_pass_last_set_time(to);
-                        if (stored_time == 0)
-                                pdb_set_pass_last_set_time(to, time(NULL),PDB_CHANGED);
+
+                        /* we will only *set* a pwdlastset date when
+                           a) the last pwdlastset time was 0 (user was forced to
+                              change password).
+                           b) the users password has not expired. gd. */
+
+                        if ((stored_time == 0) ||
+                            ((now - stored_time) > pwd_max_age)) {
+                                pdb_set_pass_last_set_time(to, now, PDB_CHANGED);
+                        }
                 }
         }
@@ -369 +408 @@
 
 /*************************************************************
+ Copies a struct samr_UserInfo24 to a struct samu
+**************************************************************/
+
+void copy_id24_to_sam_passwd(struct samu *to,
+                             struct samr_UserInfo24 *from)
+{
+        struct samr_UserInfo21 i;
+
+        if (from == NULL || to == NULL) {
+                return;
+        }
+
+        ZERO_STRUCT(i);
+
+        i.fields_present        = SAMR_FIELD_EXPIRED_FLAG;
+        i.password_expired      = from->password_expired;
+
+        copy_id21_to_sam_passwd("INFO_24", to, &i);
+}
+
+/*************************************************************
  Copies a struct samr_UserInfo25 to a struct samu
 **************************************************************/
@@ -381 +441 @@
         copy_id21_to_sam_passwd("INFO_25", to, &from->info);
 }
+
+/*************************************************************
+ Copies a struct samr_UserInfo26 to a struct samu
+**************************************************************/
+
+void copy_id26_to_sam_passwd(struct samu *to,
+                             struct samr_UserInfo26 *from)
+{
+        struct samr_UserInfo21 i;
+
+        if (from == NULL || to == NULL) {
+                return;
+        }
+
+        ZERO_STRUCT(i);
+
+        i.fields_present        = SAMR_FIELD_EXPIRED_FLAG;
+        i.password_expired      = from->password_expired;
+
+        copy_id21_to_sam_passwd("INFO_26", to, &i);
+}