authorGerald Carter <jerry@samba.org>2003-07-01 18:39:20 +0000
committerGerald Carter <jerry@samba.org>2003-07-01 18:39:20 +0000
commit9bf43910a73be1fee7d8ec77afa8ab2a581f6b26 (patch)
tree5d8e70d396fab2640209c34e662e07b952f1ec95
parent4ef35ae91af666801bc5391e45372328cf1d47a1 (diff)
syncing up latest changes
-rw-r--r--WHATSNEW.txt154
-rw-r--r--docs/docbook/smbdotconf/base/adsserver.xml15
-rw-r--r--docs/docbook/smbdotconf/protocol/nameresolveorder.xml16
-rw-r--r--docs/docbook/smbdotconf/security/authmethods.xml14
-rw-r--r--docs/docbook/smbdotconf/security/passwordserver.xml32
-rwxr-xr-xexamples/LDAP/convertSambaAccount2
-rw-r--r--source/Makefile.in5
-rw-r--r--source/auth/auth_util.c45
-rw-r--r--source/configure.in9
-rw-r--r--source/libsmb/trusts_util.c79
-rw-r--r--source/passdb/pdb_nisplus.c1519
11 files changed, 231 insertions, 1659 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 342996a2751..07a650af895 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,9 +1,10 @@
- WHATS NEW IN Samba 3.0.0 beta1
- June 7 2003
+ WHATS NEW IN Samba 3.0.0 beta2
+ July 1 2003
==============================
-This is a beta release of Samba 3.0.0. This is a non-production release
-intended for testing purposes. Use at your own risk.
+This is the second beta release of Samba 3.0.0. This is a
+non-production release intended for testing purposes. Use
+at your own risk.
The purpose of this beta release is to get wider testing of the major
new pieces of code in the current Samba 3.0 development tree. We have
@@ -76,6 +77,105 @@ begin with the Samba-HOWTO-Collection for overviews and specific
tasks (the current book is up to approximately 400 pages) and to
refer to the various man pages for information on individual options.
+######################################################################
+Changes since 3.0beta1
+######################
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details
+
+1) Rework our smb signing code again, this factors out some of
+ the common MAC calcuation code, and now supports multiple
+ outstanding packets (bug #40)
+2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
+ ntlmv2 auth'
+3) Correct timestamp problem on 64-bit machines (bug #140)
+4) Add extra debugging staements to winbindd for tracking down
+ failures
+5) Fix bug when aliased 'winbind uid/gid' parameters
+6) Added an auth flag that indicates if we should be allowed
+ to fallback to NTLMSSP for SASL if krb5 fails
+7) Fixed the bug that forced us not to use the winbindd cache when
+ we have a primary ADS domain and a secondary (trusted) NT4 domain.
+8) Use lp_realm() to find the default realm for 'net ads password'
+9) Removed editreg from standard build until it is portable.
+10) Fix domain membership for servers not running winbindd
+11) Correct race condition in determining the high water make
+ in the idmap backend (bug #181)
+12) Set the user's primary unix group from usrmgr.exe (partial
+ fix for bug #45)
+13) Show comments when doing 'net group -l' (bug #3)
+14) Add trivial extension to 'net' to dump current local idmap
+ and restore mappings as well
+15) Modify 'net rpc vampire' to add new and existing users to
+ both the idmap and the SAM.
+16) Fix crash bug in ADS searches
+17) Build libnss_wins.so as part of nsswitch target (bug #160)
+18) Make net rpc vampire return an error if the sam sync RPC
+ returns an error
+19) Fail to join an NT 4 domain as a BDC if an workstation account
+ using our name exists
+20) Fix various memory leaks in server and client code
+21) Remove the short option to --set-auth-user for wbinfo (-A) to
+ prevent confusion with the -a option (bug #158)
+22) Added new 'map acl inheritence' parameter
+23) Removed unused 'privileges' code from group mapping database
+24) Don't segfault on empty passdb backend list (bug #136)
+25) Fixed acl sorting algorithm forWwindows 2000 clients
+26) Replace universal group cache with netsamlogon_cache
+ from APPLIANCE_HEAD branch
+27) Fix autoconf detection issues surrounding --with-ads=yes
+ but no Krb5 header files installed (bug #152)
+28) Add LDAP lookup for domain sequence number in case we are
+ joined using NT4 protocols to a native mode AD domain
+29) Fix backend method selection for trusted NT 4 (or 2k
+ mixed mode) domains
+30) Fixed bug that caused us to enuemrate dmain local groups
+ from native mode AD domains other than our own
+31) Correct group enumeration for viewing in the Windows
+ security tab (bug #110)
+32) Consolidate the DC location code
+33) Moved 'ads server' functionality into 'password server' for
+ backwards compatibility
+34) Fix winbindd_idmap tdb upgrades from a 2.2 installation
+ ( if you installed beta1, be sure to
+ 'mv idmap.tdb winbindd_idamap.tdb' )
+35) Fix pdb_ldap segfaults, and wrong default values for
+ ldapsam_compat
+36) Enable negative connection cache for winbindd's ADS backend
+ functions
+37) Enable address caching for active directory DC's so we don't
+ have to hit DNS so much
+38) Fix bug in idmap code that caused mapping to randomly be
+ redefined
+39) Add tdb locking code to prevent race condition when adding a
+ new mapping to idmap
+40) Fix 'map to guest = bad user' when acting as a PDC supporting
+ trust relationships
+41) Prevent deadlock issues when running winbindd on a Samba PDC
+ to handle allocating uids & gids for trusted users and groups
+42) added LOCALE patch from Steve Langasek (bug #122)
+43) Add the 'guest' passdb backend automatically to the end of
+ the 'passdb backend' list if 'guest account' has a valid
+ username.
+44) Remove samstrict_dc auth method. Rework 'samstrict' to only
+ handle our local names (or domain name if we are a PDC).
+ Move existing permissive 'sam' method to 'sam_ignoredomain'
+ and make 'samstrict' the new default 'sam' auth method.
+45) Match Windows NT4/2k behavior when authenticating a user with
+ and unknown domain (default to our domain if we are a DC or
+ domain member; default to our local name if we are a
+ standalone server)
+46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
+ 'DOMAIN\user' lookup fails. This matches 2.2. behavior.
+47) Fix the trustdom_cache code to update the list of trusted
+ domains when operating as a domain member and not using
+ winbindd
+48) Remove 'nisplussam' passdb backend since it has suffered for
+ too long without a maintainer
+
+
+
######################################################################
Upgrading from Samba 2.2
@@ -162,7 +262,6 @@ New Parameters (new parameters have been grouped by function):
Authentication
--------------
* auth methods
- * ads server
* realm
Protocol Options
@@ -187,6 +286,7 @@ New Parameters (new parameters have been grouped by function):
* hostname lookups
* kernel change notify
* mangle prefix
+ * map acl inheritence
* msdfs proxy
* set quota command
* use sendfile
@@ -248,25 +348,24 @@ ${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
upgrade databases as they are opened (if necessary), but downgrading
from 3.0 to 2.2 is an unsupported path.
-Name Description Backup?
----- ----------- -------
-account_policy User policy settings yes
-gencache Generic caching db no
-group_mapping Mapping table from Windows yes
- groups/SID to unix groups
-idmap new ID map table from SIDS yes
- to UNIX uids/gids.
-namecache Name resolution cache entries no
-netlogon_unigrp Cache of universal group no
- membership obtained when
- operating as a member of a
- Windows domain
-printing/*.tdb Cached output from 'lpq no
- command' created on a per print
- service basis
-registry Read-only samba registry skeleton no
- that provides support for exporting
- various db tables via the winreg RPCs
+Name Description Backup?
+---- ----------- -------
+account_policy User policy settings yes
+gencache Generic caching db no
+group_mapping Mapping table from Windows yes
+ groups/SID to unix groups
+idmap new ID map table from SIDS yes
+ to UNIX uids/gids.
+namecache Name resolution cache entries no
+netsamlogon_cache Cache of NET_USER_INFO_3 structure no
+ returned as part of a successful
+ net_sam_logon request
+printing/*.tdb Cached output from 'lpq no
+ command' created on a per print
+ service basis
+registry Read-only samba registry skeleton no
+ that provides support for exporting
+ various db tables via the winreg RPCs
Changes in Behavior
@@ -426,13 +525,6 @@ with NFS that were present in Samba 2.2.
Known Issues
############
-* One such limitation that is worth mentioning (and will be corrected
- before the actual stable 3.0.0 release is the dead lock problem with
- running winbindd on a Samba PDC in order to allocate uids and gids for
- users and groups in a trusted domain. When the Samba domain is acting
- as the trusted domain to a Windows NT 4.0 domain, there are no known
- issues.
-
* The smbldap perl scripts for managing user entries in an LDAP
directory have not be updated to function with the Samba 3.0
schema changes. This (or an equivalent solution) work is planned
diff --git a/docs/docbook/smbdotconf/base/adsserver.xml b/docs/docbook/smbdotconf/base/adsserver.xml
deleted file mode 100644
index 4dd2a4b6351..00000000000
--- a/docs/docbook/smbdotconf/base/adsserver.xml
+++ /dev/null
@@ -1,15 +0,0 @@
-<samba:parameter name="ads server"
- context="G"
- basic="1" advanced="1" wizard="1" developer="1"
- xmlns:samba="http://samba.org/common">
-<listitem>
- <para>If this option is specified, samba does not try to figure out what
- ads server to use itself, but uses the specified ads server. Either one
- DNS name or IP address can be used.</para>
-
- <para>Default: <command moreinfo="none">ads server = </command></para>
-
- <para>Example: <command moreinfo="none">ads server = 192.168.1.2</command></para>
-</listitem>
-
-</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml
index c029dcd181d..777fc2268ea 100644
--- a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml
+++ b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml
@@ -5,7 +5,8 @@
<listitem>
<para>This option is used by the programs in the Samba
suite to determine what naming services to use and in what order
- to resolve host names to IP addresses. The option takes a space
+ to resolve host names to IP addresses. Its main purpose to is to
+ control how netbios name resolution is performed. The option takes a space
separated string of name resolution options.</para>
<para>The options are: &quot;lmhosts&quot;, &quot;host&quot;,
@@ -16,7 +17,8 @@
<listitem>
<para><constant>lmhosts</constant> : Lookup an IP
address in the Samba lmhosts file. If the line in lmhosts has
- no name type attached to the NetBIOS name (see the <ulink url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
+ no name type attached to the NetBIOS name (see the <ulink
+ url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
any name type matches for lookup.</para>
</listitem>
@@ -26,9 +28,10 @@
</filename>, NIS, or DNS lookups. This method of name resolution
is operating system depended for instance on IRIX or Solaris this
may be controlled by the <filename moreinfo="none">/etc/nsswitch.conf</filename>
- file. Note that this method is only used if the NetBIOS name
- type being queried is the 0x20 (server) name type, otherwise
- it is ignored.</para>
+ file. Note that this method is used only if the NetBIOS name
+ type being queried is the 0x20 (server) name type or 0x1c (domain controllers).
+ The latter case is only useful for active directory domains and results in a DNS
+ query for the SRV RR entry matching _ldap._tcp.domain.</para>
</listitem>
<listitem>
@@ -59,6 +62,9 @@
it is advised to use following settings for <parameter moreinfo="none">name resolve order</parameter>:</para>
<para><command moreinfo="none">name resolve order = wins bcast</command></para>
+
+ <para>DC lookups will still be done via DNS, but fallbacks to netbios names will
+ not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.</para>
</listitem>
</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/authmethods.xml b/docs/docbook/smbdotconf/security/authmethods.xml
index 0b7965d55bf..7c0f5a71e11 100644
--- a/docs/docbook/smbdotconf/security/authmethods.xml
+++ b/docs/docbook/smbdotconf/security/authmethods.xml
@@ -6,14 +6,24 @@
<para>This option allows the administrator to chose what
authentication methods <command moreinfo="none">smbd</command> will use when authenticating
a user. This option defaults to sensible values based on <link linkend="SECURITY">
- <parameter moreinfo="none">security</parameter></link>.</para>
+ <parameter moreinfo="none">security</parameter></link>. This should be considered
+ a developer option and used only in rare circumstances. In the majority (if not all)
+ of production servers, the default setting should be adequate.</para>
<para>Each entry in the list attempts to authenticate the user in turn, until
the user authenticates. In practice only one method will ever actually
be able to complete the authentication.
</para>
+ <para>Possible options include <constant>guest</constant> (anonymous access),
+ <constant>sam</constant> (lookups in local list of accounts based on netbios
+ name or domain name), <constant>winbind</constant> (relay authentication requests
+ for remote users through winbindd), <constant>ntdomain</constant> (pre-winbindd
+ method of authentication for remote domain users; deprecated in favour of winbind method),
+ <constant>trustdomain</constant> (authenticate trusted users by contacting the
+ remote DC directly from smbd; deprecated in favour of winbind method).</para>
+
<para>Default: <command moreinfo="none">auth methods = &lt;empty string&gt;</command></para>
- <para>Example: <command moreinfo="none">auth methods = guest sam ntdomain</command></para>
+ <para>Example: <command moreinfo="none">auth methods = guest sam winbind</command></para>
</listitem>
</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml
index e40ff32b75f..f8540270415 100644
--- a/docs/docbook/smbdotconf/security/passwordserver.xml
+++ b/docs/docbook/smbdotconf/security/passwordserver.xml
@@ -3,18 +3,22 @@
advanced="1" wizard="1" developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
- <para>By specifying the name of another SMB server (such
- as a WinNT box) with this option, and using <command moreinfo="none">security = domain
- </command> or <command moreinfo="none">security = server</command> you can get Samba
- to do all its username/password validation via a remote server.</para>
+ <para>By specifying the name of another SMB server
+ or Active Directory domain controller with this option,
+ and using <command moreinfo="none">security = [ads|domain|server]</command>
+ it is possible to get Samba to
+ to do all its username/password validation using a specific remote server.</para>
- <para>This option sets the name of the password server to use.
- It must be a NetBIOS name, so if the machine's NetBIOS name is
- different from its Internet name then you may have to add its NetBIOS
- name to the lmhosts file which is stored in the same directory
- as the <filename moreinfo="none">smb.conf</filename> file.</para>
+ <para>This option sets the name or IP address of the password server to use.
+ New syntax has been added to support defining the port to use when connecting
+ to the server the case of an ADS realm. To define a port other than the
+ default LDAP port of 389, add the port number using a colon after the
+ name or IP address (e.g. 192.168.1.100:389). If you do not specify a port,
+ Samba will use the standard LDAP port of tcp/389. Note that port numbers
+ have no effect on password servers for Windows NT 4.0 domains or netbios
+ connections.</para>
- <para>The name of the password server is looked up using the
+ <para>If parameter is a name, it is looked up using the
parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
resolve order</parameter></link> and so may resolved
by any method and order described in that parameter.</para>
@@ -38,14 +42,14 @@
trust your clients, and you had better restrict them with hosts allow!</para>
<para>If the <parameter moreinfo="none">security</parameter> parameter is set to
- <constant>domain</constant>, then the list of machines in this
+ <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this
option must be a list of Primary or Backup Domain controllers for the
Domain or the character '*', as the Samba server is effectively
in that domain, and will use cryptographically authenticated RPC calls
to authenticate the user logging on. The advantage of using <command moreinfo="none">
security = domain</command> is that if you list several hosts in the
<parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
- </command> will try each in turn till it finds one that responds. This
+ </command> will try each in turn till it finds one that responds. This
is useful in case your primary server goes down.</para>
<para>If the <parameter moreinfo="none">password server</parameter> option is set
@@ -55,7 +59,7 @@
and then contacting each server returned in the list of IP
addresses from the name resolution source. </para>
- <para>If the list of servers contains both names and the '*'
+ <para>If the list of servers contains both names/IP's and the '*'
character, the list is treated as a list of preferred
domain controllers, but an auto lookup of all remaining DC's
will be added to the list as well. Samba will not attempt to optimize
@@ -93,6 +97,8 @@
<para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *</command></para>
+ <para>Example: <command moreinfo="none">password server = windc.mydomain.com:389 192.168.1.101 *</command></para>
+
<para>Example: <command moreinfo="none">password server = *</command></para>
</listitem>
</samba:parameter>
diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount
index 5b7febd6a04..223c43eadab 100755
--- a/examples/LDAP/convertSambaAccount
+++ b/examples/LDAP/convertSambaAccount
@@ -105,7 +105,7 @@ while ( !$ldif->eof ) {
} elsif ( defined ( $is_samba_group ) ) {
foreach $key ( keys %group_attr_map ) {
if ( defined($entry->get_value($key)) ) {
- $entry->add( $attr_map{$key} => $entry->get_value($key) );
+ $entry->add( $group_attr_map{$key} => $entry->get_value($key) );
$entry->delete( $key );
}
}
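Review bot: On the corrected line, `$entry->get_value($key)` is evaluated in list context inside the argument list of `add()`, so an attribute carrying more than one value would expand into extra arguments and be read as further attribute/value pairs. Whether any key in `%group_attr_map` is multi-valued is not visible in this hunk, but passing the values as a reference removes the ambiguity: `$entry->add( $group_attr_map{$key} => $entry->get_value($key, asref => 1) );`. The enclosing `while` loop and the user-account branch start outside the hunk, so the same pattern may exist there as well.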
diff --git a/source/Makefile.in b/source/Makefile.in
index 7f85619bc2e..c72fc11ac51 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -1020,11 +1020,6 @@ bin/smbpasswd.@SHLIBEXT@: passdb/pdb_smbpasswd.po
@$(SHLD) $(LDSHFLAGS) -o $@ passdb/pdb_smbpasswd.po \
@SONAMEFLAG@`basename $@`
-bin/nisplussam.@SHLIBEXT@: passdb/pdb_nisplus.po
- @echo "Building plugin $@"
- @$(SHLD) $(LDSHFLAGS) -o $@ passdb/pdb_nisplus.po \
- @SONAMEFLAG@`basename $@`
-
bin/weird.@SHLIBEXT@: $(DEVEL_HELP_OBJ:.o=.po)
@echo "Building plugin $@"
@$(SHLD) $(LDSHFLAGS) -o $@ $(DEVEL_HELP_OBJ:.o=.po) \
diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index ab08a28ff65..4e25d7fd340 100644
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -1,4 +1,4 @@
-/*
+/*
Unix SMB/CIFS implementation.
Authentication utility functions
Copyright (C) Andrew Tridgell 1992-1998
@@ -1258,4 +1258,47 @@ NTSTATUS nt_status_squash(NTSTATUS nt_status)
}
+/**
+ * Verify whether or not given domain is trusted.
+ *
+ * @param domain_name name of the domain to be verified
+ * @return true if domain is one of the trusted once or
+ * false if otherwise
+ **/
+
+BOOL is_trusted_domain(const char* dom_name)
+{
+ DOM_SID trustdom_sid;
+ char *pass = NULL;
+ time_t lct;
+ BOOL ret;
+
+ /* if we are a DC, then check for a direct trust relationships */
+
+ if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) {
+ become_root();
+ ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct);
+ unbecome_root();
+ SAFE_FREE(pass);
+ if (ret)
+ return True;
+ }
+ else {
+ /* if winbindd is not up and we are a domain member) then we need to update the
+ trustdom_cache ourselves */
+
+ if ( !winbind_ping() )
+ update_trustdom_cache();
+ }
+
+ /* now the trustdom cache should be available a DC could still
+ * have a transitive trust so fall back to the cache of trusted
+ * domains (like a domain member would use */
+
+ if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
+ return True;
+ }
+
+ return False;
+}
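Review bot: The cleartext trust password fetched into `pass` in the DC branch is released with `SAFE_FREE(pass)` without being overwritten, so the secret lingers in freed heap memory even though is_trusted_domain() only uses the boolean result. Scrubbing it first, for example `if (pass) memset(pass, 0, strlen(pass));` placed just before `SAFE_FREE(pass);`, would narrow that exposure; a wipe the compiler cannot elide is preferable where the platform offers one. `dom_name` reaches both the secrets lookup and `trustdom_cache_fetch()` unchecked, so a guard at the top that returns False for a NULL or empty name would be cheap. The doc comment also documents `@param domain_name` while the signature uses `dom_name`, and "trusted once" should read "trusted ones".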
diff --git a/source/configure.in b/source/configure.in
index 69d901cdc27..094e8c85e74 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -2442,10 +2442,10 @@ AC_MSG_CHECKING(whether to build experimental passdb libraries)
AC_ARG_WITH(expsam,
[ --with-expsam=<list> Include experimental passdb libraries (default=no)]
[ Valid choices include (comma separated list): ]
-[ xml, mysql, & nisplussam ],
+[ xml & mysql],
[ expsam_pdb_modules=`echo "$withval" | sed 's/,/ /g'`
if test "z$expsam_pdb_modules" = "zyes"; then
- expsam_pdb_modules="xml mysql nisplussam"
+ expsam_pdb_modules="xml mysql"
fi
AC_MSG_RESULT($expsam_pdb_modules)
for i in $expsam_pdb_modules
@@ -2461,10 +2461,6 @@ AC_ARG_WITH(expsam,
AM_PATH_MYSQL([0.11.0],[default_shared_modules="$default_shared_modules pdb_mysql"],[])
CFLAGS="$CFLAGS $MYSQL_CFLAGS"
;;
- nisplussam)
- ## pdb_nisplussam
- default_shared_modules="$default_shared_modules pdb_nisplussam"
- ;;
*)
echo "Unknown module name \"$i\"! Exiting..."
exit 1
@@ -3843,7 +3839,6 @@ SMB_MODULE(pdb_xml, passdb/pdb_xml.o, "bin/xml.$SHLIBEXT", PDB,
[ PASSDBLIBS="$PASSDBLIBS $XML_LIBS" ] )
SMB_MODULE(pdb_mysql, passdb/pdb_mysql.o, "bin/mysql.$SHLIBEXT", PDB,
[ PASSDBLIBS="$PASSDBLIBS $MYSQL_LIBS" ] )
-SMB_MODULE(pdb_nisplussam, passdb/pdb_nisplus.o, "bin/nisplussam.$SHLIBEXT", PDB)
## end of contributed pdb_modules
###########################################################################
diff --git a/source/libsmb/trusts_util.c b/source/libsmb/trusts_util.c
index 464a3324c16..77e63709aac 100644
--- a/source/libsmb/trusts_util.c
+++ b/source/libsmb/trusts_util.c
@@ -1,4 +1,4 @@
-/*
+/*
* Unix SMB/CIFS implementation.
* Routines to operate on various trust relationships
* Copyright (C) Andrew Bartlett 2001
@@ -127,8 +127,8 @@ NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli,
Enumerate the list of trusted domains from a DC
*********************************************************************/
-BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
- char ***domain_names, uint32 *num_domains,
+BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
+ char ***domain_names, uint32 *num_domains,
DOM_SID **sids )
{
POLICY_HND pol;
@@ -138,36 +138,36 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
uint32 enum_ctx = 0;
struct cli_state *cli = NULL;
BOOL retry;
-
+
*domain_names = NULL;
*num_domains = 0;
*sids = NULL;
-
+
/* lookup a DC first */
-
+
if ( !get_dc_name(domain, dc_name, &dc_ip) ) {
DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
domain));
return False;
}
-
+
/* setup the anonymous connection */
-
- result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ip, 0, "IPC$", "IPC",
+
+ result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ip, 0, "IPC$", "IPC",
"", "", "", 0, &retry);
if ( !NT_STATUS_IS_OK(result) )
goto done;
-
+
/* open the LSARPC_PIPE */
-
+
if ( !cli_nt_session_open( cli, PI_LSARPC ) ) {
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
-
+
/* get a handle */
-
- result = cli_lsa_open_policy(cli, mem_ctx, True,
+
+ result = cli_lsa_open_policy(cli, mem_ctx, True,
POLICY_VIEW_LOCAL_INFORMATION, &pol);
if ( !NT_STATUS_IS_OK(result) )
goto done;
@@ -176,56 +176,15 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
result = cli_lsa_enum_trust_dom(cli, mem_ctx, &pol, &enum_ctx,
num_domains, domain_names, sids);
- if ( !NT_STATUS_IS_OK(result) )
+ if ( !NT_STATUS_IS_OK(result) )
goto done;
-
-done:
+
+done:
/* cleanup */
-
+
cli_nt_session_close( cli );
cli_shutdown( cli );
-
- return NT_STATUS_IS_OK(result);
-}
-
-
-/**
- * Verify whether or not given domain is trusted.
- *
- * @param domain_name name of the domain to be verified
- * @return true if domain is one of the trusted once or
- * false if otherwise
- **/
-
-BOOL is_trusted_domain(const char* dom_name)
-{
- DOM_SID trustdom_sid;
- char *pass = NULL;
- time_t lct;
- BOOL ret;
- /* if we are a DC, then check for a direct trust relationships */
-
- if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) {
- ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct);
- SAFE_FREE(pass);
- if (ret)
- return True;
- }
-
- /* if winbindd is not up then we need to update the trustdom_cache ourselves */
-
- if ( !winbind_ping() )
- update_trustdom_cache();
-
- /* now the trustdom cache should be available a DC could still
- * have a transitive trust so fall back to the cache of trusted
- * domains (like a domain member would use */
-
- if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
- return True;
- }
-
- return False;
+ return NT_STATUS_IS_OK(result);
}
diff --git a/source/passdb/pdb_nisplus.c b/source/passdb/pdb_nisplus.c
deleted file mode 100644
index 4e4aaed02b2..00000000000
--- a/source/passdb/pdb_nisplus.c
+++ /dev/null
@@ -1,1519 +0,0 @@
-
-/*
- * NIS+ Passdb Backend
- * Copyright (C) Andrew Tridgell 1992-1998 Modified by Jeremy Allison 1995.
- * Copyright (C) Benny Holmgren 1998 <bigfoot@astrakan.hgs.se>
- * Copyright (C) Luke Kenneth Casson Leighton 1996-1998.
- * Copyright (C) Toomas Soome <tsoome@ut.ee> 2001
- * Copyright (C) Jelmer Vernooij 2002
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 2 of the License, or (at your option)
- * any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 675
- * Mass Ave, Cambridge, MA 02139, USA.
- */
-
-#include "includes.h"
-
-#ifdef BROKEN_NISPLUS_INCLUDE_FILES
-
-/*
- * The following lines are needed due to buggy include files
- * in Solaris 2.6 which define GROUP in both /usr/include/sys/acl.h and
- * also in /usr/include/rpcsvc/nis.h. The definitions conflict. JRA.
- * Also GROUP_OBJ is defined as 0x4 in /usr/include/sys/acl.h and as
- * an enum in /usr/include/rpcsvc/nis.h.
- */
-
-
-#if defined(GROUP)
-#undef GROUP
-#endif
-
-#if defined(GROUP_OBJ)
-#undef GROUP_OBJ
-#endif
-
-#endif
-
-#include <rpcsvc/nis.h>
-
-/***************************************************************
-
- the fields for the NIS+ table, generated from mknissmbpwtbl.sh, are:
-
- name=S,nogw=r
- uid=S,nogw=r
- user_rid=S,nogw=r
- smb_grpid=,nw+r
- group_rid=,nw+r
- acb=,nw+r
-
- lmpwd=C,nw=,g=r,o=rm
- ntpwd=C,nw=,g=r,o=rm
-
- logon_t=,nw+r
- logoff_t=,nw+r
- kick_t=,nw+r
- pwdlset_t=,nw+r
- pwdlchg_t=,nw+r
- pwdmchg_t=,nw+r
-
- full_name=,nw+r
- home_dir=,nw+r
- dir_drive=,nw+r
- logon_script=,nw+r
- profile_path=,nw+r
- acct_desc=,nw+r
- workstations=,nw+r
-
- hours=,nw+r
-
-****************************************************************/
-
-#define NPF_NAME 0
-#define NPF_UID 1
-#define NPF_USER_RID 2
-#define NPF_SMB_GRPID 3
-#define NPF_GROUP_RID 4
-#define NPF_ACB 5
-#define NPF_LMPWD 6
-#define NPF_NTPWD 7
-#define NPF_LOGON_T 8
-#define NPF_LOGOFF_T 9
-#define NPF_KICK_T 10
-#define NPF_PWDLSET_T 11
-#define NPF_PWDCCHG_T 12
-#define NPF_PWDMCHG_T 13
-#define NPF_FULL_NAME 14
-#define NPF_HOME_DIR 15
-#define NPF_DIR_DRIVE 16
-#define NPF_LOGON_SCRIPT 17
-#define NPF_PROFILE_PATH 18
-#define NPF_ACCT_DESC 19
-#define NPF_WORKSTATIONS 20
-#define NPF_HOURS 21
-
-struct nisplus_private_info {
- nis_result *result;
- int enum_entry;
- char *location;
-};
-
-static char *make_nisname_from_user_rid (uint32 rid, char *pfile);
-static char *make_nisname_from_name (const char *user_name, char *pfile);
-static void get_single_attribute (const nis_object * new_obj, int col,
- char *val, int len);;
-static BOOL make_sam_from_nisp_object (SAM_ACCOUNT * pw_buf,
- const nis_object * obj);
-static BOOL make_sam_from_nisresult (SAM_ACCOUNT * pw_buf,
- const nis_result * result);;
-static void set_single_attribute (nis_object * new_obj, int col,
- const char *val, int len, int flags);
-static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass,
- nis_object * old);
-static nis_result *nisp_get_nis_list (const char *nisname,
- unsigned int flags);
-
-/***************************************************************
- Start enumeration of the passwd list.
-****************************************************************/
-
-static NTSTATUS nisplussam_setsampwent (struct pdb_methods *methods, BOOL update)
-{
- struct nisplus_private_info *private =
- (struct nisplus_private_info *) methods->private_data;
-
- char *sp;
- pstring pfiletmp;
-
- if ((sp = strrchr (private->location, '/')))
- safe_strcpy (pfiletmp, sp + 1, sizeof (pfiletmp) - 1);
- else
- safe_strcpy (pfiletmp, p, sizeof (pfiletmp) - 1);
- safe_strcat (pfiletmp, ".org_dir",
- sizeof (pfiletmp) - strlen (pfiletmp) - 1);
-
- pdb_endsampwent (); /* just in case */
- global_nisp_ent->result = nisp_get_nis_list (pfiletmp, 0);
- global_nisp_ent->enum_entry = 0;
- if (global_nisp_ent->result != NULL)
- return NT_STATUS_UNSUCCESSFUL;
- else
- return NT_STATUS_OK;
-}
-
-/***************************************************************
- End enumeration of the passwd list.
-****************************************************************/
-
-static void nisplussam_endsampwent (struct pdb_methods *methods)
-{
- struct nisplus_private_info *global_nisp_ent =
- (struct nisplus_private_info *) methods->private_data;
- if (global_nisp_ent->result)
- nis_freeresult (global_nisp_ent->result);
- global_nisp_ent->result = NULL;
- global_nisp_ent->enum_entry = 0;
-}
-
-/*****************************************************************
- Get one SAM_ACCOUNT from the list (next in line)
-*****************************************************************/
-
-static NTSTATUS nisplussam_getsampwent (struct pdb_methods *methods,
- SAM_ACCOUNT * user)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct nisplus_private_info *global_nisp_ent =
- (struct nisplus_private_info *) methods->private_data;
- int enum_entry = (int) (global_nisp_ent->enum_entry);
- nis_result *result = global_nisp_ent->result;
-
- if (user == NULL) {
- DEBUG (0, ("SAM_ACCOUNT is NULL.\n"));
- return nt_status;
- }
-
- if (result == NULL || enum_entry < 0 || enum_entry >= (NIS_RES_NUMOBJ (result) - 1)) {
- return nt_status;
- }
-
- if (!make_sam_from_nisp_object(user, &NIS_RES_OBJECT (result)[enum_entry])) {
- DEBUG (0, ("Bad SAM_ACCOUNT entry returned from NIS+!\n"));
- return nt_status;
- }
- (int) (global_nisp_ent->enum_entry)++;
-
- return nt_status;
-}
-
-/******************************************************************
- Lookup a name in the SAM database
-******************************************************************/
-
-static NTSTATUS nisplussam_getsampwnam (struct pdb_methods *methods,
- SAM_ACCOUNT * user, const char *sname)
-{
- /* Static buffers we will return. */
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- nis_result *result = NULL;
- pstring nisname;
- BOOL ret;
- struct nisplus_private_info *private =
- (struct nisplus_private_info *) methods->private_data;
-
- if (!private->location || !(*private->location)) {
- DEBUG (0, ("No SMB password file set\n"));
- return nt_status;
- }
- if (strrchr (private->location, '/'))
- private->location = strrchr (private->location, '/') + 1;
-
- slprintf (nisname, sizeof (nisname) - 1, "[name=%s],%s.org_dir",
- sname, private->location);
- DEBUG (10, ("search by nisname: %s\n", nisname));
-
- /* Search the table. */
-
- if (!(result = nisp_get_nis_list (nisname, 0))) {
- return nt_status;
- }
-
- ret = make_sam_from_nisresult (user, result);
- nis_freeresult (result);
-
- if (ret) nt_status = NT_STATUS_OK;
-
- return nt_status;
-}
-
-/***************************************************************************
- Search by sid
- **************************************************************************/
-
-static NTSTATUS nisplussam_getsampwrid (struct pdb_methods *methods,
- SAM_ACCOUNT * user, uint32 rid)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- nis_result *result;
- char *nisname;
- BOOL ret;
- char *sp;
- pstring pfiletmp;
- struct nisplus_private_info *private =
- (struct nisplus_private_info *) methods->private_data;
-
- if (!private->location || !(*private->location)) {
- DEBUG (0, ("no SMB password file set\n"));
- return nt_status;
- }
-
- if ((sp = strrchr (private->location, '/')))
- safe_strcpy (pfiletmp, sp + 1, sizeof (pfiletmp) - 1);
- else
- safe_strcpy (pfiletmp, private->location, sizeof (pfiletmp) - 1);
- safe_strcat (pfiletmp, ".org_dir",
- sizeof (pfiletmp) - strlen (pfiletmp) - 1);
-
- nisname = make_nisname_from_user_rid (rid, pfiletmp);
-
- DEBUG (10, ("search by rid: %s\n", nisname));
-
- /* Search the table. */
-
- if (!(result = nisp_get_nis_list (nisname, 0))) {
- return nt_status;
- }
-
- ret = make_sam_from_nisresult (user, result);
- nis_freeresult (result);
-
- if (ret) nt_status = NT_STATUS_OK;
-
- return nt_status;
-}
-
-static NTSTATUS nisplussam_getsampwsid (struct pdb_methods *methods,
- SAM_ACCOUNT * user, const DOM_SID * sid)
-{
- uint32 rid;
-
- if (!sid_peek_check_rid (get_global_sam_sid (), sid, &rid))
- return NT_STATUS_UNSUCCESSFUL;
- return nisplussam_getsampwrid (methods, user, rid);
-}
-
-
-
-/***************************************************************************
- Delete a SAM_ACCOUNT
-****************************************************************************/
-
-static NTSTATUS nisplussam_delete_sam_account (struct pdb_methods *methods,
- SAM_ACCOUNT * user)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- const char *sname;
- pstring nisname;
- nis_result *result, *delresult;
- nis_object *obj;
- struct nisplus_private_info *private =
- (struct nisplus_private_info *) methods->private_data;
-
- if (!user) {
- DEBUG (0, ("no SAM_ACCOUNT specified!\n"));
- return nt_status;
- }
-
- sname = pdb_get_username (user);
-
- if (!private->location || !(*private->location)) {
- DEBUG (0, ("no SMB password file set\n"));
- return nt_status;
- }
-
- if (strrchr (private->location, '/'))
- private->location = strrchr (private->location, '/') + 1;
-
- slprintf (nisname, sizeof (nisname) - 1, "[name=%s],%s.org_dir",
- sname, private->location);
-
- /* Search the table. */
-
- if (!(result = nisp_get_nis_list (nisname,
- MASTER_ONLY | FOLLOW_LINKS |
- FOLLOW_PATH | EXPAND_NAME |
- HARD_LOOKUP))) {
- return nt_status;
- }
-
- if (result->status != NIS_SUCCESS || NIS_RES_NUMOBJ (result) <= 0) {
- /* User not found. */
- DEBUG (0, ("user not found in NIS+\n"));
- nis_freeresult (result);
- return nt_status;
- }
-
- obj = NIS_RES_OBJECT (result);
- slprintf (nisname, sizeof (nisname) - 1, "[name=%s],%s.%s", sname,
- obj->zo_name, obj->zo_domain);
-
- DEBUG (10, ("removing name: %s\n", nisname));
- delresult = nis_remove_entry (nisname, obj,
- MASTER_ONLY | REM_MULTIPLE | ALL_RESULTS
- | FOLLOW_PATH | EXPAND_NAME |
- HARD_LOOKUP);
-
- nis_freeresult (result);
-
- if (delresult->status != NIS_SUCCESS) {
- DEBUG (0, ("NIS+ table update failed: %s %s\n",
- nisname, nis_sperrno (delresult->status)));
- nis_freeresult (delresult);
- return nt_status;
- }
- nis_freeresult (delresult);
-
- return NT_STATUS_OK;
-}
-
-/***************************************************************************
- Modifies an existing SAM_ACCOUNT
-****************************************************************************/
-
-static NTSTATUS nisplussam_update_sam_account (struct pdb_methods *methods,
- SAM_ACCOUNT * newpwd)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- nis_result *result, *addresult;
- nis_object *obj;
- nis_object new_obj;
- entry_col *ecol;
- int ta_maxcol;
- struct nisplus_private_info *private =
- (struct nisplus_private_info *) methods->private_data;
- pstring nisname;
-
- if (!private->location || !(*private->location)) {
- DEBUG (0, ("no SMB password file set\n"));
- return nt_status;
- }
- if (strrchr (private->location, '/'))
- private->location = strrchr (private->location, '/') + 1;
-
- slprintf (nisname, sizeof (nisname) - 1, "[name=%s],%s.org_dir",
- pdb_get_username (newpwd), private->location);
-
- DEBUG (10, ("search by name: %s\n", nisname));
-
- /* Search the table. */
-
- if (!
- (result =
- nisp_get_nis_list (nisname,
- MASTER_ONLY | FOLLOW_LINKS | FOLLOW_PATH |
- EXPAND_NAME | HARD_LOOKUP))) {
- return ne_status;
- }
-
- if (result->status != NIS_SUCCESS || NIS_RES_NUMOBJ (result) <= 0) {
- /* User not found. */
- DEBUG (0, ("user not found in NIS+\n"));
- nis_freeresult (result);
- return nt_status;
- }
-
- obj = NIS_RES_OBJECT (result);
- DEBUG (6, ("entry found in %s\n", obj->zo_domain));
-
- /* we must create new stub object with EN_MODIFIED flag.
- this is because obj from result is going to be freed and
- we do not want to break it or cause memory leaks or corruption.
- */
-
- memmove ((char *) &new_obj, obj, sizeof (new_obj));
- ta_maxcol = obj->TA_data.ta_maxcol;
-
- if (!(ecol = (entry_col *) malloc (ta_maxcol * sizeof (entry_col)))) {
- DEBUG (0, ("memory allocation failure\n"));
- nis_freeresult (result);
- return nt_status;
- }
-
- memmove ((char *) ecol, obj->EN_data.en_cols.en_cols_val,
- ta_maxcol * sizeof (entry_col));
- new_obj.EN_data.en_cols.en_cols_val = ecol;
- new_obj.EN_data.en_cols.en_cols_len = ta_maxcol;
-
- if (init_nisp_from_sam (&new_obj, newpwd, obj) == True) {
- slprintf (nisname, sizeof (nisname) - 1, "[name=%s],%s.%s",
- pdb_get_username (newpwd), private->location, obj->zo_domain);
-
- DEBUG (10, ("NIS+ table update: %s\n", nisname));
- addresult =
- nis_modify_entry (nisname, &new_obj,
- MOD_SAMEOBJ | FOLLOW_PATH |
- EXPAND_NAME | HARD_LOOKUP);
-
- if (addresult->status != NIS_SUCCESS) {
- DEBUG (0, ("NIS+ table update failed: %s %s\n",
- nisname, nis_sperrno (addresult->status)));
- nis_freeresult (addresult);
- nis_freeresult (result);
- free (ecol);
- return nt_status;
- }
-
- DEBUG (6, ("password changed\n"));
- nis_freeresult (addresult);
- } else {
- DEBUG (6, ("nothing to change!\n"));
- }
-
- free (ecol);
- nis_freeresult (result);
-
- return NT_STATUS_OK;
-}
-
-/***************************************************************************
- Adds an existing SAM_ACCOUNT
-****************************************************************************/
-
-static NTSTATUS nisplussam_add_sam_account (struct pdb_methods *methods,
- SAM_ACCOUNT * newpwd)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- int local_user = 0;
- char *pfile;
- pstring pfiletmp;
- char *nisname;
- nis_result *result = NULL, *tblresult = NULL;
- nis_object new_obj;
- entry_col *ecol;
- int ta_maxcol;
-
- /*
- * 1. find user domain.
- * a. try nis search in passwd.org_dir - if found use domain from result.
- * b. try getpwnam. this may be needed if user is defined
- * in /etc/passwd file (or elsewere) and not in passwd.org_dir.
- * if found, use host default domain.
- * c. exit with False - no such user.
- *
- * 2. add user
- * a. find smbpasswd table
- * search pfile in user domain if not found, try host default
- * domain.
- * b. smbpasswd domain is found, fill data and add entry.
- *
- * pfile should contain ONLY table name, org_dir will be concated.
- * so, at first we will clear path prefix from pfile, and
- * then we will use pfiletmp as playground to put together full
- * nisname string.
- * such approach will make it possible to specify samba private dir
- * AND still use NIS+ table. as all domain related data is normally
- * stored in org_dir.DOMAIN, this should be ok do do.
- */
-
- pfile = private->location;
- if (strrchr (pfile, '/'))
- pfile = strrchr (pfile, '/') + 1;
-
- /*
- * Check if user is already there.
- */
- safe_strcpy (pfiletmp, pfile, sizeof (pfiletmp) - 1);
- safe_strcat (pfiletmp, ".org_dir",
- sizeof (pfiletmp) - strlen (pfiletmp) - 1);
-
- if (pdb_get_username (newpwd) != NULL) {
- nisname = make_nisname_from_name (pdb_get_username (newpwd),
- pfiletmp);
- } else {
- return nt_status;
- }
-
- if (!
- (result =
- nisp_get_nis_list (nisname,
- MASTER_ONLY | FOLLOW_LINKS | FOLLOW_PATH |
- EXPAND_NAME | HARD_LOOKUP))) {
- return nt_status;
- }
- if (result->status != NIS_SUCCESS && result->status != NIS_NOTFOUND) {
- DEBUG (3, ("nis_list failure: %s: %s\n",
- nisname, nis_sperrno (result->status)));
- nis_freeresult (result);
- return nt_status;
- }
-
- if (result->status == NIS_SUCCESS && NIS_RES_NUMOBJ (result) > 0) {
- DEBUG (3, ("User already exists in NIS+ password db: %s\n",
- pfile));
- nis_freeresult (result);
- return nt_status;
- }
-
- nis_freeresult (result); /* no such user, free results */
-
- /*
- * check for user in unix password database. we need this to get
- * domain, where smbpasswd entry should be stored.
- */
-
- nisname = make_nisname_from_name (pdb_get_username (newpwd),
- "passwd.org_dir");
-
- result = nisp_get_nis_list (nisname,
- MASTER_ONLY | FOLLOW_LINKS | FOLLOW_PATH |
- EXPAND_NAME | HARD_LOOKUP);
-
- if (result->status != NIS_SUCCESS || NIS_RES_NUMOBJ (result) <= 0) {
- struct passwd *passwd;
-
- DEBUG (3, ("nis_list failure: %s: %s\n",
- nisname, nis_sperrno (result->status)));
- nis_freeresult (result);
-
- if (!(passwd = getpwnam_alloc (pdb_get_username (newpwd)))) {
- /* no such user in system! */
- return nt_status;
- }
- passwd_free (&passwd);
-
- /*
- * user is defined, but not in passwd.org_dir.
- */
- local_user = 1;
- } else {
- safe_strcpy (pfiletmp, pfile, sizeof (pfiletmp) - 1);
- safe_strcat (pfiletmp, ".",
- sizeof (pfiletmp) - strlen (pfiletmp) - 1);
- safe_strcat (pfiletmp, NIS_RES_OBJECT (result)->zo_domain,
- sizeof (pfiletmp) - strlen (pfiletmp) - 1);
- nis_freeresult (result); /* not needed any more */
-
- tblresult = nisp_get_nis_list (pfiletmp,
- MASTER_ONLY | FOLLOW_LINKS |
- FOLLOW_PATH | EXPAND_NAME |
- HARD_LOOKUP);
- }
-
- if (local_user || tblresult->status != NIS_SUCCESS) {
- /*
- * no user domain or
- * smbpasswd table not found in user domain, fallback to
- * default domain.
- */
- if (!local_user) /* free previous failed search result */
- nis_freeresult (tblresult);
-
- safe_strcpy (pfiletmp, pfile, sizeof (pfiletmp) - 1);
- safe_strcat (pfiletmp, ".org_dir",
- sizeof (pfiletmp) - strlen (pfiletmp) - 1);
- tblresult = nis_lookup (pfiletmp, MASTER_ONLY | FOLLOW_LINKS |
- FOLLOW_PATH | EXPAND_NAME |
- HARD_LOOKUP);
- if (tblresult->status != NIS_SUCCESS) {
- /* still nothing. bail out */
- nis_freeresult (tblresult);
- DEBUG (3, ("nis_lookup failure: %s\n",
- nis_sperrno (tblresult->status)));
- return nt_status;
- }
- /* we need full name for nis_add_entry() */
- safe_strcpy (pfiletmp, pfile, sizeof (pfiletmp) - 1);
- safe_strcat (pfiletmp, ".",
- sizeof (pfiletmp) - strlen (pfiletmp) - 1);
- safe_strcat (pfiletmp, NIS_RES_OBJECT (tblresult)->zo_domain,
- sizeof (pfiletmp) - strlen (pfiletmp) - 1);
- }
-
- memset ((char *) &new_obj, 0, sizeof (new_obj));
- /* fill entry headers */
- /* we do not free these. */
- new_obj.zo_name = NIS_RES_OBJECT (tblresult)->zo_name;
- new_obj.zo_owner = NIS_RES_OBJECT (tblresult)->zo_owner;
- new_obj.zo_group = NIS_RES_OBJECT (tblresult)->zo_group;
- new_obj.zo_domain = NIS_RES_OBJECT (tblresult)->zo_domain;
- /* uints */
- new_obj.zo_access = NIS_RES_OBJECT (tblresult)->zo_access;
- new_obj.zo_ttl = NIS_RES_OBJECT (tblresult)->zo_ttl;
-
- new_obj.zo_data.zo_type = ENTRY_OBJ;
- new_obj.EN_data.en_type = NIS_RES_OBJECT (tblresult)->TA_data.ta_type;
-
- ta_maxcol = NIS_RES_OBJECT (tblresult)->TA_data.ta_maxcol;
-
- if (!(ecol = (entry_col *) malloc (ta_maxcol * sizeof (entry_col)))) {
- DEBUG (0, ("memory allocation failure\n"));
- nis_freeresult (tblresult);
- return nt_status;
- }
-
- memset ((char *) ecol, 0, ta_maxcol * sizeof (entry_col));
- new_obj.EN_data.en_cols.en_cols_val = ecol;
- new_obj.EN_data.en_cols.en_cols_len = ta_maxcol;
-
- init_nisp_from_sam (&new_obj, newpwd, NULL);
-
- DEBUG (10, ("add NIS+ entry: %s\n", nisname));
- result = nis_add_entry (pfiletmp, &new_obj, 0);
-
- free (ecol); /* free allocated entry space */
-
- if (result->status != NIS_SUCCESS) {
- DEBUG (3, ("NIS+ table update failed: %s,%s\n",
- nisname, nis_sperrno (result->status)));
- nis_freeresult (tblresult);
- nis_freeresult (result);
- return nt_status;
- }
-
- nis_freeresult (tblresult);
- nis_freeresult (result);
-
- return NT_STATUS_OK;
-}
-
-/***************************************************************
- make_nisname_from_user_rid
- ****************************************************************/
-static char *make_nisname_from_user_rid (uint32 rid, char *pfile)
-{
- static pstring nisname;
-
- safe_strcpy (nisname, "[user_rid=", sizeof (nisname) - 1);
- slprintf (nisname, sizeof (nisname) - 1, "%s%d", nisname, rid);
- safe_strcat (nisname, "],", sizeof (nisname) - strlen (nisname) - 1);
- safe_strcat (nisname, pfile, sizeof (nisname) - strlen (nisname) - 1);
-
- return nisname;
-}
-
-/***************************************************************
- make_nisname_from_name
- ****************************************************************/
-static char *make_nisname_from_name (const char *user_name, char *pfile)
-{
- static pstring nisname;
-
- safe_strcpy (nisname, "[name=", sizeof (nisname) - 1);
- safe_strcat (nisname, user_name,
- sizeof (nisname) - strlen (nisname) - 1);
- safe_strcat (nisname, "],", sizeof (nisname) - strlen (nisname) - 1);
- safe_strcat (nisname, pfile, sizeof (nisname) - strlen (nisname) - 1);
-
- return nisname;
-}
-
-/*************************************************************************
- gets a NIS+ attribute
- *************************************************************************/
-static void get_single_attribute (const nis_object * new_obj, int col,
- char *val, int len)
-{
- int entry_len;
-
- if (new_obj == NULL || val == NULL)
- return;
-
- entry_len = ENTRY_LEN (new_obj, col);
- if (len > entry_len) {
- len = entry_len;
- }
-
- safe_strcpy (val, ENTRY_VAL (new_obj, col), len - 1);
-}
-
-/************************************************************************
- makes a struct sam_passwd from a NIS+ object.
- ************************************************************************/
-static BOOL make_sam_from_nisp_object (SAM_ACCOUNT * pw_buf,
- const nis_object * obj)
-{
- char *ptr;
- pstring full_name; /* this must be translated to dos code page */
- pstring acct_desc; /* this must be translated to dos code page */
- pstring home_dir; /* set default value from smb.conf for user */
- pstring home_drive; /* set default value from smb.conf for user */
- pstring logon_script; /* set default value from smb.conf for user */
- pstring profile_path; /* set default value from smb.conf for user */
- pstring hours;
- int hours_len;
- unsigned char smbpwd[16];
- unsigned char smbntpwd[16];
-
-
- /*
- * time values. note: this code assumes 32bit time_t!
- */
-
- /* Don't change these timestamp settings without a good reason. They are
- important for NT member server compatibility. */
-
- pdb_set_logon_time (pw_buf, (time_t) 0, PDB_DEFAULT);
- ptr = (uchar *) ENTRY_VAL (obj, NPF_LOGON_T);
- if (ptr && *ptr && (StrnCaseCmp (ptr, "LNT-", 4) == 0)) {
- int i;
-
- ptr += 4;
- for (i = 0; i < 8; i++) {
- if (ptr[i] == '\0' || !isxdigit (ptr[i]))
- break;
- }
- if (i == 8) {
- pdb_set_logon_time (pw_buf,
- (time_t) strtol (ptr, NULL, 16),
- PDB_SET);
- }
- }
-
- pdb_set_logoff_time (pw_buf, get_time_t_max (), PDB_DEFAULT);
- ptr = (uchar *) ENTRY_VAL (obj, NPF_LOGOFF_T);
- if (ptr && *ptr && (StrnCaseCmp (ptr, "LOT-", 4) == 0)) {
- int i;
-
- ptr += 4;
- for (i = 0; i < 8; i++) {
- if (ptr[i] == '\0' || !isxdigit (ptr[i]))
- break;
- }
- if (i == 8) {
- pdb_set_logoff_time (pw_buf,
- (time_t) strtol (ptr, NULL, 16),
- PDB_SET);
- }
- }
-
- pdb_set_kickoff_time (pw_buf, get_time_t_max (), PDB_DEFAULT);
- ptr = (uchar *) ENTRY_VAL (obj, NPF_KICK_T);
- if (ptr && *ptr && (StrnCaseCmp (ptr, "KOT-", 4) == 0)) {
- int i;
-
- ptr += 4;
- for (i = 0; i < 8; i++) {
- if (ptr[i] == '\0' || !isxdigit (ptr[i]))
- break;
- }
- if (i == 8) {
- pdb_set_kickoff_time (pw_buf,
- (time_t) strtol (ptr, NULL, 16),
- PDB_SET);
- }
- }
-
- pdb_set_pass_last_set_time (pw_buf, (time_t) 0, PDB_DEFAULT);
- ptr = (uchar *) ENTRY_VAL (obj, NPF_PWDLSET_T);
- if (ptr && *ptr && (StrnCaseCmp (ptr, "LCT-", 4) == 0)) {
- int i;
-
- ptr += 4;
- for (i = 0; i < 8; i++) {
- if (ptr[i] == '\0' || !isxdigit (ptr[i]))
- break;
- }
- if (i == 8) {
- pdb_set_pass_last_set_time (pw_buf,
- (time_t) strtol (ptr,
- NULL,
- 16),
- PDB_SET);
- }
- }
-
- pdb_set_pass_can_change_time (pw_buf, (time_t) 0, PDB_DEFAULT);
- ptr = (uchar *) ENTRY_VAL (obj, NPF_PWDCCHG_T);
- if (ptr && *ptr && (StrnCaseCmp (ptr, "CCT-", 4) == 0)) {
- int i;
-
- ptr += 4;
- for (i = 0; i < 8; i++) {
- if (ptr[i] == '\0' || !isxdigit (ptr[i]))
- break;
- }
- if (i == 8) {
- pdb_set_pass_can_change_time (pw_buf,
- (time_t) strtol (ptr,
- NULL,
- 16),
- PDB_SET);
- }
- }
-
- pdb_set_pass_must_change_time (pw_buf, get_time_t_max (), PDB_DEFAULT); /* Password never expires. */
- ptr = (uchar *) ENTRY_VAL (obj, NPF_PWDMCHG_T);
- if (ptr && *ptr && (StrnCaseCmp (ptr, "MCT-", 4) == 0)) {
- int i;
-
- ptr += 4;
- for (i = 0; i < 8; i++) {
- if (ptr[i] == '\0' || !isxdigit (ptr[i]))
- break;
- }
- if (i == 8) {
- pdb_set_pass_must_change_time (pw_buf,
- (time_t) strtol (ptr,
- NULL,
- 16),
- PDB_SET);
- }
- }
-
- /* string values */
- pdb_set_username (pw_buf, ENTRY_VAL (obj, NPF_NAME), PDB_SET);
- pdb_set_domain (pw_buf, lp_workgroup (), PDB_DEFAULT);
- /* pdb_set_nt_username() -- cant set it here... */
-
- get_single_attribute (obj, NPF_FULL_NAME, full_name,
- sizeof (pstring));
-#if 0
- unix_to_dos (full_name, True);
-#endif
- pdb_set_fullname (pw_buf, full_name, PDB_SET);
-
- pdb_set_acct_ctrl (pw_buf, pdb_decode_acct_ctrl (ENTRY_VAL (obj,
- NPF_ACB), PDB_SET));
-
- get_single_attribute (obj, NPF_ACCT_DESC, acct_desc,
- sizeof (pstring));
-#if 0
- unix_to_dos (acct_desc, True);
-#endif
- pdb_set_acct_desc (pw_buf, acct_desc, PDB_SET);
-
- pdb_set_workstations (pw_buf, ENTRY_VAL (obj, NPF_WORKSTATIONS), PDB_SET);
- pdb_set_munged_dial (pw_buf, NULL, PDB_DEFAULT);
-
- pdb_set_user_sid_from_rid (pw_buf,
- atoi (ENTRY_VAL (obj, NPF_USER_RID)), PDB_SET);
- pdb_set_group_sid_from_rid (pw_buf,
- atoi (ENTRY_VAL (obj, NPF_GROUP_RID)), PDB_SET);
-
- /* values, must exist for user */
- if (!(pdb_get_acct_ctrl (pw_buf) & ACB_WSTRUST)) {
-
- get_single_attribute (obj, NPF_HOME_DIR, home_dir,
- sizeof (pstring));
- if (!(home_dir && *home_dir)) {
- pstrcpy (home_dir, lp_logon_home ());
- pdb_set_homedir (pw_buf, home_dir, PDB_DEFAULT);
- } else
- pdb_set_homedir (pw_buf, home_dir, PDB_SET);
-
- get_single_attribute (obj, NPF_DIR_DRIVE, home_drive,
- sizeof (pstring));
- if (!(home_drive && *home_drive)) {
- pstrcpy (home_drive, lp_logon_drive ());
- pdb_set_dir_drive (pw_buf, home_drive, PDB_DEFAULT);
- } else
- pdb_set_dir_drive (pw_buf, home_drive, PDB_SET);
-
- get_single_attribute (obj, NPF_LOGON_SCRIPT, logon_script,
- sizeof (pstring));
- if (!(logon_script && *logon_script)) {
- pstrcpy (logon_script, lp_logon_script ());
- pdb_set_logon_script (pw_buf, logon_script, PDB_DEFAULT);
- } else
- pdb_set_logon_script (pw_buf, logon_script, PDB_SET);
-
- get_single_attribute (obj, NPF_PROFILE_PATH, profile_path,
- sizeof (pstring));
- if (!(profile_path && *profile_path)) {
- pstrcpy (profile_path, lp_logon_path ());
- pdb_set_profile_path (pw_buf, profile_path, PDB_DEFAULT);
- } else
- pdb_set_profile_path (pw_buf, profile_path, PDB_SET);
-
- } else {
- /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. */
- pdb_set_group_sid_from_rid (pw_buf, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
- }
-
- /* Check the lanman password column. */
- ptr = (char *) ENTRY_VAL (obj, NPF_LMPWD);
- if (!pdb_set_lanman_passwd (pw_buf, NULL, PDB_DEFAULT))
- return False;
-
- if (!strncasecmp (ptr, "NO PASSWORD", 11)) {
- pdb_set_acct_ctrl (pw_buf,
- pdb_get_acct_ctrl (pw_buf) | ACB_PWNOTREQ, PDB_SET);
- } else {
- if (strlen (ptr) != 32 || !pdb_gethexpwd (ptr, smbpwd)) {
- DEBUG (0, ("malformed LM pwd entry: %s.\n",
- pdb_get_username (pw_buf)));
- return False;
- }
- if (!pdb_set_lanman_passwd (pw_buf, smbpwd, PDB_SET))
- return False;
- }
-
- /* Check the NT password column. */
- ptr = ENTRY_VAL (obj, NPF_NTPWD);
- if (!pdb_set_nt_passwd (pw_buf, NULL, PDB_DEFAULT))
- return False;
-
- if (!(pdb_get_acct_ctrl (pw_buf) & ACB_PWNOTREQ) &&
- strncasecmp (ptr, "NO PASSWORD", 11)) {
- if (strlen (ptr) != 32 || !pdb_gethexpwd (ptr, smbntpwd)) {
- DEBUG (0, ("malformed NT pwd entry:\ %s.\n",
- pdb_get_username (pw_buf)));
- return False;
- }
- if (!pdb_set_nt_passwd (pw_buf, smbntpwd, PDB_SET))
- return False;
- }
-
- pdb_set_unknown_3 (pw_buf, 0xffffff, PDB_DEFAULT); /* don't know */
- pdb_set_logon_divs (pw_buf, 168, PDB_DEFAULT); /* hours per week */
-
- if ((hours_len = ENTRY_LEN (obj, NPF_HOURS)) == 21) {
- memcpy (hours, ENTRY_VAL (obj, NPF_HOURS), hours_len);
- } else {
- hours_len = 21; /* 21 times 8 bits = 168 */
- /* available at all hours */
- memset (hours, 0xff, hours_len);
- }
- pdb_set_hours_len (pw_buf, hours_len, PDB_SET);
- pdb_set_hours (pw_buf, hours, PDB_SET);
-
- pdb_set_unknown_5 (pw_buf, 0x00020000, PDB_DEFAULT); /* don't know */
- pdb_set_unknown_6 (pw_buf, 0x000004ec, PDB_DEFAULT); /* don't know */
-
- return True;
-}
-
-/************************************************************************
- makes a struct sam_passwd from a NIS+ result.
- ************************************************************************/
-static BOOL make_sam_from_nisresult (SAM_ACCOUNT * pw_buf,
- const nis_result * result)
-{
- if (pw_buf == NULL || result == NULL)
- return False;
-
- if (result->status != NIS_SUCCESS && result->status != NIS_NOTFOUND) {
- DEBUG (0, ("NIS+ lookup failure: %s\n",
- nis_sperrno (result->status)));
- return False;
- }
-
- /* User not found. */
- if (NIS_RES_NUMOBJ (result) <= 0) {
- DEBUG (10, ("user not found in NIS+\n"));
- return False;
- }
-
- if (NIS_RES_NUMOBJ (result) > 1) {
- DEBUG (10,
- ("WARNING: Multiple entries for user in NIS+ table!\n"));
- }
-
- /* Grab the first hit. */
- return make_sam_from_nisp_object (pw_buf,
- &NIS_RES_OBJECT (result)[0]);
-}
-
-/*************************************************************************
- sets a NIS+ attribute
- *************************************************************************/
-static void set_single_attribute (nis_object * new_obj, int col,
- const char *val, int len, int flags)
-{
- if (new_obj == NULL)
- return;
-
- ENTRY_VAL (new_obj, col) = val;
- ENTRY_LEN (new_obj, col) = len + 1;
-
- if (flags != 0) {
- new_obj->EN_data.en_cols.en_cols_val[col].ec_flags = flags;
- }
-}
-
-/***************************************************************
- copy or modify nis object. this object is used to add or update
- nisplus table entry.
- ****************************************************************/
-static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass,
- nis_object * old)
-{
- /*
- * Fill nis_object for entry add or update.
- * if we are updateing, we have to find out differences and set
- * EN_MODIFIED flag. also set need_to_modify to trigger
- * nis_modify_entry() call in pdb_update_sam_account().
- *
- * TODO:
- * get data from SAM
- * if (modify) get data from nis_object, compare and store if
- * different + set EN_MODIFIED and need_to_modify
- * else
- * store
- */
- BOOL need_to_modify = False;
- const char *name = pdb_get_username (sampass); /* from SAM */
-
- uint32 u_rid;
- uint32 g_rid;
- /* these must be static or allocate and free entry columns! */
- static fstring uid; /* from SAM */
- static fstring user_rid; /* from SAM */
- static fstring gid; /* from SAM */
- static fstring group_rid; /* from SAM */
- char *acb; /* from SAM */
- static fstring smb_passwd; /* from SAM */
- static fstring smb_nt_passwd; /* from SAM */
- static fstring logon_t; /* from SAM */
- static fstring logoff_t; /* from SAM */
- static fstring kickoff_t; /* from SAM */
- static fstring pwdlset_t; /* from SAM */
- static fstring pwdlchg_t; /* from SAM */
- static fstring pwdmchg_t; /* from SAM */
- static fstring full_name; /* from SAM */
- static fstring acct_desc; /* from SAM */
- static char empty[1]; /* just an empty string */
-
- if (!(u_rid = pdb_get_user_rid (sampass)))
- return False;
- if (!(g_rid = pdb_get_group_rid (sampass)))
- return False;
-
- slprintf (uid, sizeof (uid) - 1, "%u", fallback_pdb_user_rid_to_uid (u_rid));
- slprintf (user_rid, sizeof (user_rid) - 1, "%u", u_rid);
- slprintf (gid, sizeof (gid) - 1, "%u", fallback_pdb_group_rid_to_uid (g_rid));
- slprintf (group_rid, sizeof (group_rid) - 1, "%u", g_rid);
-
- acb = pdb_encode_acct_ctrl (pdb_get_acct_ctrl (sampass),
- NEW_PW_FORMAT_SPACE_PADDED_LEN);
- pdb_sethexpwd (smb_passwd, pdb_get_lanman_passwd (sampass),
- pdb_get_acct_ctrl (sampass));
- pdb_sethexpwd (smb_nt_passwd, pdb_get_nt_passwd (sampass),
- pdb_get_acct_ctrl (sampass));
- slprintf (logon_t, 13, "LNT-%08X",
- (uint32) pdb_get_logon_time (sampass));
- slprintf (logoff_t, 13, "LOT-%08X",
- (uint32) pdb_get_logoff_time (sampass));
- slprintf (kickoff_t, 13, "KOT-%08X",
- (uint32) pdb_get_kickoff_time (sampass));
- slprintf (pwdlset_t, 13, "LCT-%08X",
- (uint32) pdb_get_pass_last_set_time (sampass));
- slprintf (pwdlchg_t, 13, "CCT-%08X",
- (uint32) pdb_get_pass_can_change_time (sampass));
- slprintf (pwdmchg_t, 13, "MCT-%08X",
- (uint32) pdb_get_pass_must_change_time (sampass));
- safe_strcpy (full_name, pdb_get_fullname (sampass),
- sizeof (full_name) - 1);
- safe_strcpy (acct_desc, pdb_get_acct_desc (sampass),
- sizeof (acct_desc) - 1);
-
-#if 0
-
- /* Not sure what to do with these guys. -tpot */
-
- dos_to_unix (full_name, True);
- dos_to_unix (acct_desc, True);
-
-#endif
-
- if (old) {
- /* name */
- if (strcmp (ENTRY_VAL (old, NPF_NAME), name)) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_NAME, name,
- strlen (name), EN_MODIFIED);
- }
-
-
- /* uid */
- if (!ENTRY_VAL (old, NPF_UID) || strcmp (ENTRY_VAL (old, NPF_UID), uid)) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_UID, uid, strlen (uid), EN_MODIFIED);
- }
-
- /* user_rid */
- if (!ENTRY_VAL (old, NPF_USER_RID) || strcmp (ENTRY_VAL (old, NPF_USER_RID), user_rid)) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_USER_RID, user_rid, strlen (user_rid), EN_MODIFIED);
- }
-
- /* smb_grpid */
- if (!ENTRY_VAL (old, NPF_SMB_GRPID) || strcmp (ENTRY_VAL (old, NPF_SMB_GRPID), gid)) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_SMB_GRPID, gid, strlen (gid), EN_MODIFIED);
- }
-
- /* group_rid */
- if (!ENTRY_VAL (old, NPF_GROUP_RID) || strcmp (ENTRY_VAL (old, NPF_GROUP_RID), group_rid)) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_GROUP_RID, group_rid, strlen (group_rid), EN_MODIFIED);
- }
-
- /* acb */
- if (!ENTRY_VAL (old, NPF_ACB) ||
- strcmp (ENTRY_VAL (old, NPF_ACB), acb)) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_ACB, acb, strlen (acb),
- EN_MODIFIED);
- }
-
- /* lmpwd */
- if (!ENTRY_VAL (old, NPF_LMPWD) ||
- strcmp (ENTRY_VAL (old, NPF_LMPWD), smb_passwd)) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_LMPWD, smb_passwd,
- strlen (smb_passwd),
- EN_CRYPT | EN_MODIFIED);
- }
-
- /* ntpwd */
- if (!ENTRY_VAL (old, NPF_NTPWD) ||
- strcmp (ENTRY_VAL (old, NPF_NTPWD), smb_nt_passwd)) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_NTPWD, smb_nt_passwd,
- strlen (smb_nt_passwd),
- EN_CRYPT | EN_MODIFIED);
- }
-
- /* logon_t */
- if (pdb_get_logon_time (sampass) &&
- (!ENTRY_VAL (old, NPF_LOGON_T) ||
- strcmp (ENTRY_VAL (old, NPF_LOGON_T), logon_t))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_LOGON_T, logon_t,
- strlen (logon_t), EN_MODIFIED);
- }
-
- /* logoff_t */
- if (pdb_get_logoff_time (sampass) &&
- (!ENTRY_VAL (old, NPF_LOGOFF_T) ||
- strcmp (ENTRY_VAL (old, NPF_LOGOFF_T), logoff_t))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_LOGOFF_T, logoff_t,
- strlen (logoff_t), EN_MODIFIED);
- }
-
- /* kick_t */
- if (pdb_get_kickoff_time (sampass) &&
- (!ENTRY_VAL (old, NPF_KICK_T) ||
- strcmp (ENTRY_VAL (old, NPF_KICK_T), kickoff_t))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_KICK_T, kickoff_t,
- strlen (kickoff_t),
- EN_MODIFIED);
- }
-
- /* pwdlset_t */
- if (pdb_get_pass_last_set_time (sampass) &&
- (!ENTRY_VAL (old, NPF_PWDLSET_T) ||
- strcmp (ENTRY_VAL (old, NPF_PWDLSET_T), pwdlset_t))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_PWDLSET_T, pwdlset_t,
- strlen (pwdlset_t),
- EN_MODIFIED);
- }
-
- /* pwdlchg_t */
- if (pdb_get_pass_can_change_time (sampass) &&
- (!ENTRY_VAL (old, NPF_PWDCCHG_T) ||
- strcmp (ENTRY_VAL (old, NPF_PWDCCHG_T), pwdlchg_t))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_PWDCCHG_T, pwdlchg_t,
- strlen (pwdlchg_t),
- EN_MODIFIED);
- }
-
- /* pwdmchg_t */
- if (pdb_get_pass_must_change_time (sampass) &&
- (!ENTRY_VAL (old, NPF_PWDMCHG_T) ||
- strcmp (ENTRY_VAL (old, NPF_PWDMCHG_T), pwdmchg_t))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_PWDMCHG_T, pwdmchg_t,
- strlen (pwdmchg_t),
- EN_MODIFIED);
- }
-
- /* full_name */
- /* must support set, unset and change */
- if ((pdb_get_fullname (sampass) &&
- !ENTRY_VAL (old, NPF_FULL_NAME)) ||
- (ENTRY_VAL (old, NPF_FULL_NAME) &&
- !pdb_get_fullname (sampass)) ||
- (ENTRY_VAL (old, NPF_FULL_NAME) &&
- pdb_get_fullname (sampass) &&
- strcmp (ENTRY_VAL (old, NPF_FULL_NAME), full_name))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_FULL_NAME, full_name,
- strlen (full_name),
- EN_MODIFIED);
- }
-
- /* home_dir */
- /* must support set, unset and change */
- if ((pdb_get_homedir (sampass) &&
- !ENTRY_VAL (old, NPF_HOME_DIR)) ||
- (ENTRY_VAL (old, NPF_HOME_DIR) &&
- !pdb_get_homedir (sampass)) ||
- (ENTRY_VAL (old, NPF_HOME_DIR) &&
- pdb_get_homedir (sampass) &&
- strcmp (ENTRY_VAL (old, NPF_HOME_DIR),
- pdb_get_homedir (sampass)))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_HOME_DIR,
- pdb_get_homedir (sampass),
- strlen (pdb_get_homedir
- (sampass)),
- EN_MODIFIED);
- }
-
- /* dir_drive */
- /* must support set, unset and change */
- if ((pdb_get_dir_drive (sampass) &&
- !ENTRY_VAL (old, NPF_DIR_DRIVE)) ||
- (ENTRY_VAL (old, NPF_DIR_DRIVE) &&
- !pdb_get_dir_drive (sampass)) ||
- (ENTRY_VAL (old, NPF_DIR_DRIVE) &&
- pdb_get_dir_drive (sampass) &&
- strcmp (ENTRY_VAL (old, NPF_DIR_DRIVE),
- pdb_get_dir_drive (sampass)))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_DIR_DRIVE,
- pdb_get_dir_drive (sampass),
- strlen (pdb_get_dir_drive
- (sampass)),
- EN_MODIFIED);
- }
-
- /* logon_script */
- /* must support set, unset and change */
- if (((pdb_get_logon_script (sampass) &&
- !ENTRY_VAL (old, NPF_LOGON_SCRIPT)) ||
- ((ENTRY_VAL (old, NPF_LOGON_SCRIPT) &&
- (!pdb_get_logon_script (sampass)))) ||
- ((ENTRY_VAL (old, NPF_LOGON_SCRIPT) &&
- pdb_get_logon_script (sampass) &&
- strcmp (ENTRY_VAL (old, NPF_LOGON_SCRIPT),
- pdb_get_logon_script (sampass)))))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_LOGON_SCRIPT,
- pdb_get_logon_script (sampass),
- strlen (pdb_get_logon_script
- (sampass)),
- EN_MODIFIED);
- }
-
- /* profile_path */
- /* must support set, unset and change */
- if ((pdb_get_profile_path (sampass) &&
- !ENTRY_VAL (old, NPF_PROFILE_PATH)) ||
- (ENTRY_VAL (old, NPF_PROFILE_PATH) &&
- !pdb_get_profile_path (sampass)) ||
- (ENTRY_VAL (old, NPF_PROFILE_PATH) &&
- pdb_get_profile_path (sampass) &&
- strcmp (ENTRY_VAL (old, NPF_PROFILE_PATH),
- pdb_get_profile_path (sampass)))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_PROFILE_PATH,
- pdb_get_profile_path (sampass),
- strlen (pdb_get_profile_path
- (sampass)),
- EN_MODIFIED);
- }
-
- /* acct_desc */
- /* must support set, unset and change */
- if ((pdb_get_acct_desc (sampass) &&
- !ENTRY_VAL (old, NPF_ACCT_DESC)) ||
- (ENTRY_VAL (old, NPF_ACCT_DESC) &&
- !pdb_get_acct_desc (sampass)) ||
- (ENTRY_VAL (old, NPF_ACCT_DESC) &&
- pdb_get_acct_desc (sampass) &&
- strcmp (ENTRY_VAL (old, NPF_ACCT_DESC), acct_desc))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_ACCT_DESC, acct_desc,
- strlen (acct_desc),
- EN_MODIFIED);
- }
-
- /* workstations */
- /* must support set, unset and change */
- if ((pdb_get_workstations (sampass) &&
- !ENTRY_VAL (old, NPF_WORKSTATIONS)) ||
- (ENTRY_VAL (old, NPF_WORKSTATIONS) &&
- !pdb_get_workstations (sampass)) ||
- (ENTRY_VAL (old, NPF_WORKSTATIONS) &&
- (pdb_get_workstations (sampass)) &&
- strcmp (ENTRY_VAL (old, NPF_WORKSTATIONS),
- pdb_get_workstations (sampass)))) {
- need_to_modify = True;
- set_single_attribute (obj, NPF_WORKSTATIONS,
- pdb_get_workstations (sampass),
- strlen (pdb_get_workstations
- (sampass)),
- EN_MODIFIED);
- }
-
- /* hours */
- if ((pdb_get_hours_len (sampass) !=
- ENTRY_LEN (old, NPF_HOURS))
- || memcmp (pdb_get_hours (sampass),
- ENTRY_VAL (old, NPF_HOURS), ENTRY_LEN (old,
- NPF_HOURS)))
- {
- need_to_modify = True;
- /* set_single_attribute will add 1 for len ... */
- set_single_attribute (obj, NPF_HOURS,
- pdb_get_hours (sampass),
- pdb_get_hours_len (sampass) - 1,
- EN_MODIFIED);
- }
- } else {
- const char *homedir, *dirdrive, *logon_script, *profile_path,
- *workstations;
-
- *empty = '\0'; /* empty string */
-
- set_single_attribute (obj, NPF_NAME, name, strlen (name), 0);
- set_single_attribute (obj, NPF_UID, uid, strlen (uid), 0);
- set_single_attribute (obj, NPF_USER_RID, user_rid,
- strlen (user_rid), 0);
- set_single_attribute (obj, NPF_SMB_GRPID, gid, strlen (gid),
- 0);
- set_single_attribute (obj, NPF_GROUP_RID, group_rid,
- strlen (group_rid), 0);
- set_single_attribute (obj, NPF_ACB, acb, strlen (acb), 0);
- set_single_attribute (obj, NPF_LMPWD, smb_passwd,
- strlen (smb_passwd), EN_CRYPT);
- set_single_attribute (obj, NPF_NTPWD, smb_nt_passwd,
- strlen (smb_nt_passwd), EN_CRYPT);
- set_single_attribute (obj, NPF_LOGON_T, logon_t,
- strlen (logon_t), 0);
- set_single_attribute (obj, NPF_LOGOFF_T, logoff_t,
- strlen (logoff_t), 0);
- set_single_attribute (obj, NPF_KICK_T, kickoff_t,
- strlen (kickoff_t), 0);
- set_single_attribute (obj, NPF_PWDLSET_T, pwdlset_t,
- strlen (pwdlset_t), 0);
- set_single_attribute (obj, NPF_PWDCCHG_T, pwdlchg_t,
- strlen (pwdlchg_t), 0);
- set_single_attribute (obj, NPF_PWDMCHG_T, pwdmchg_t,
- strlen (pwdmchg_t), 0);
- set_single_attribute (obj, NPF_FULL_NAME,
- full_name, strlen (full_name), 0);
-
- if (!(homedir = pdb_get_homedir (sampass)))
- homedir = empty;
-
- set_single_attribute (obj, NPF_HOME_DIR,
- homedir, strlen (homedir), 0);
-
- if (!(dirdrive = pdb_get_dir_drive (sampass)))
- dirdrive = empty;
-
- set_single_attribute (obj, NPF_DIR_DRIVE,
- dirdrive, strlen (dirdrive), 0);
-
- if (!(logon_script = pdb_get_logon_script (sampass)))
- logon_script = empty;
-
- set_single_attribute (obj, NPF_LOGON_SCRIPT,
- logon_script, strlen (logon_script), 0);
-
- if (!(profile_path = pdb_get_profile_path (sampass)))
- profile_path = empty;
-
- set_single_attribute (obj, NPF_PROFILE_PATH,
- profile_path, strlen (profile_path), 0);
-
- set_single_attribute (obj, NPF_ACCT_DESC,
- acct_desc, strlen (acct_desc), 0);
-
- if (!(workstations = pdb_get_workstations (sampass)))
- workstations = empty;
-
- set_single_attribute (obj, NPF_WORKSTATIONS,
- workstations, strlen (workstations), 0);
-
- /* set_single_attribute will add 1 for len ... */
- set_single_attribute (obj, NPF_HOURS,
- pdb_get_hours (sampass),
- pdb_get_hours_len (sampass) - 1, 0);
- }
-
- return need_to_modify;
-}
-
-/***************************************************************
- calls nis_list, returns results.
- ****************************************************************/
-static nis_result *nisp_get_nis_list (const char *nisname, unsigned int flags)
-{
- nis_result *result;
- int i;
-
- if (!flags)
- flags = FOLLOW_LINKS | FOLLOW_PATH | EXPAND_NAME |
- HARD_LOOKUP;
-
- for (i = 0; i < 2; i++) {
- alarm (60); /* hopefully ok for long searches */
- result = nis_list (nisname, flags, NULL, NULL);
-
- alarm (0);
- CatchSignal (SIGALRM, SIGNAL_CAST SIG_DFL);
-
- if (!(flags & MASTER_ONLY) && NIS_RES_NUMOBJ (result) <= 0) {
- /* nis replicas are not in sync perhaps?
- * this can happen, if account was just added.
- */
- DEBUG (10, ("will try master only\n"));
- nis_freeresult (result);
- flags |= MASTER_ONLY;
- } else
- break;
- }
- return result;
-}
-
-static void free_private_data(void **vp)
-{
- struct nisplus_private_info **private = (struct nisplus_private_info **)vp;
-
- if ((*private)->result) {
- nis_freeresult ((*private)->result);
- }
-
- free(*private);
-
- /* No need to free any further, as it is talloc()ed */
-}
-
-NTSTATUS pdb_init_nisplussam (PDB_CONTEXT * pdb_context,
- PDB_METHODS ** pdb_method, const char *location)
-{
- NTSTATUS nt_status;
- struct nisplus_private_info *private = malloc (sizeof (struct nisplus_private_info));
-
- ZERO_STRUCT(private);
- p->location = talloc_strdup(pdb_context->mem_ctx, location);
-
- if (!NT_STATUS_IS_OK
- (nt_status =
- make_pdb_methods (pdb_context->mem_ctx, pdb_method))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "nisplussam";
-
- /* Functions your pdb module doesn't provide should be set
- * to NULL */
-
- (*pdb_method)->setsampwent = nisplussam_setsampwent;
- (*pdb_method)->endsampwent = nisplussam_endsampwent;
- (*pdb_method)->getsampwent = nisplussam_getsampwent;
- (*pdb_method)->getsampwnam = nisplussam_getsampwnam;
- (*pdb_method)->getsampwsid = nisplussam_getsampwsid;
- (*pdb_method)->add_sam_account = nisplussam_add_sam_account;
- (*pdb_method)->update_sam_account = nisplussam_update_sam_account;
- (*pdb_method)->delete_sam_account = nisplussam_delete_sam_account;
- (*pdb_method)->free_private_data = free_private_data;
- (*pdb_method)->private_data = private;
-
- return NT_STATUS_OK;
-}
-
-NTSTATUS pdb_nisplus_init(void)
-{
- return smb_register_passdb(PASSDB_INTERFACE_VERSION, "nisplussam", pdb_init_nisplussam);
-}