Diffstat (limited to 'meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch')
-rw-r--r-- | meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch | 1448 |
1 files changed, 1448 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
new file mode 100644
index 0000000000..6c08cccc6c
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
@@ -0,0 +1,1448 @@
+From 80f3551d4f594438dcc93dd82a7953c4a913badd Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 16 Dec 2013 12:57:20 +0100
+Subject: [PATCH 1/7] s3-lib: Add winbind_lookup_usersids().
+
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+(cherry picked from commit 241e98d8ee099f9cc5feb835085b4abd2b1ee663)
+---
+ source3/lib/winbind_util.c | 34 +++++
+ source3/lib/winbind_util.h | 4 +
+ source3/passdb/ABI/pdb-0.1.0.sigs | 311 ++++++++++++++++++++++++++++++++++++++
+ source3/wscript_build | 2 +-
+ 4 files changed, 350 insertions(+), 1 deletion(-)
+ create mode 100644 source3/passdb/ABI/pdb-0.1.0.sigs
+
+diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c
+index b458ebe..f62682b 100644
+--- a/source3/lib/winbind_util.c
++++ b/source3/lib/winbind_util.c
+@@ -342,6 +342,40 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
+ return true;
+ }
+
++bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
++ const struct dom_sid *user_sid,
++ uint32_t *p_num_sids,
++ struct dom_sid **p_sids)
++{
++ wbcErr ret;
++ struct wbcDomainSid dom_sid;
++ struct wbcDomainSid *sid_list = NULL;
++ uint32_t num_sids;
++
++ memcpy(&dom_sid, user_sid, sizeof(dom_sid));
++
++ ret = wbcLookupUserSids(&dom_sid,
++ false,
++ &num_sids,
++ &sid_list);
++ if (ret != WBC_ERR_SUCCESS) {
++ return false;
++ }
++
++ *p_sids = talloc_array(mem_ctx, struct dom_sid, num_sids);
++ if (*p_sids == NULL) {
++ wbcFreeMemory(sid_list);
++ return false;
++ }
++
++ memcpy(*p_sids, sid_list, sizeof(dom_sid) * num_sids);
++
++ *p_num_sids = num_sids;
++ wbcFreeMemory(sid_list);
++
++ return true;
++}
++
+ #else /* WITH_WINBIND */
+
+ struct passwd * winbind_getpwnam(const char * name)
+diff --git a/source3/lib/winbind_util.h b/source3/lib/winbind_util.h
+index 541bb95..abbc5a9 100644
+---
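Review bot: Both memcpy() calls in the new winbind_lookup_usersids() assume `struct wbcDomainSid` and `struct dom_sid` are layout-identical, and the second one sizes the copy with `sizeof(dom_sid)` (the wbcDomainSid local) while the destination array was allocated in units of `struct dom_sid`, so any divergence between the libwbclient and libcli definitions becomes a heap overflow of the talloc'd buffer rather than a failure. If the two types are meant to be the same on the wire, pin that where the first copy happens, e.g. `SMB_ASSERT(sizeof(struct wbcDomainSid) == sizeof(struct dom_sid));` preceded by `/* wbcDomainSid and dom_sid must stay layout-identical for the memcpy()s below */`, or size the second copy with `sizeof(struct dom_sid)` so it matches the allocation. The function also deserves a header comment saying that `*p_sids` is allocated on mem_ctx and that ordering of the returned SIDs is whatever libwbclient provides, since a later hunk in this series relies on element 0 being the primary group.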
a/source3/lib/winbind_util.h ++++ b/source3/lib/winbind_util.h +@@ -58,5 +58,9 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx, + size_t num_members, + uint32_t **pp_alias_rids, + size_t *p_num_alias_rids); ++bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx, ++ const struct dom_sid *user_sid, ++ uint32_t *p_num_sids, ++ struct dom_sid **p_sids); + + #endif /* __LIB__WINBIND_UTIL_H__ */ +diff --git a/source3/passdb/ABI/pdb-0.1.0.sigs b/source3/passdb/ABI/pdb-0.1.0.sigs +new file mode 100644 +index 0000000..f4de9c4 +--- /dev/null ++++ b/source3/passdb/ABI/pdb-0.1.0.sigs +@@ -0,0 +1,311 @@ ++PDB_secrets_clear_domain_protection: bool (const char *) ++PDB_secrets_fetch_domain_guid: bool (const char *, struct GUID *) ++PDB_secrets_fetch_domain_sid: bool (const char *, struct dom_sid *) ++PDB_secrets_mark_domain_protected: bool (const char *) ++PDB_secrets_store_domain_guid: bool (const char *, struct GUID *) ++PDB_secrets_store_domain_sid: bool (const char *, const struct dom_sid *) ++account_policy_get: bool (enum pdb_policy_type, uint32_t *) ++account_policy_get_default: bool (enum pdb_policy_type, uint32_t *) ++account_policy_get_desc: const char *(enum pdb_policy_type) ++account_policy_name_to_typenum: enum pdb_policy_type (const char *) ++account_policy_names_list: void (TALLOC_CTX *, const char ***, int *) ++account_policy_set: bool (enum pdb_policy_type, uint32_t) ++add_initial_entry: NTSTATUS (gid_t, const char *, enum lsa_SidType, const char *, const char *) ++algorithmic_pdb_gid_to_group_rid: uint32_t (gid_t) ++algorithmic_pdb_rid_is_user: bool (uint32_t) ++algorithmic_pdb_uid_to_user_rid: uint32_t (uid_t) ++algorithmic_pdb_user_rid_to_uid: uid_t (uint32_t) ++algorithmic_rid_base: int (void) ++builtin_domain_name: const char *(void) ++cache_account_policy_get: bool (enum pdb_policy_type, uint32_t *) ++cache_account_policy_set: bool (enum pdb_policy_type, uint32_t) ++create_builtin_administrators: NTSTATUS (const struct dom_sid *) ++create_builtin_users: 
NTSTATUS (const struct dom_sid *) ++decode_account_policy_name: const char *(enum pdb_policy_type) ++get_account_pol_db: struct db_context *(void) ++get_account_policy_attr: const char *(enum pdb_policy_type) ++get_domain_group_from_sid: bool (struct dom_sid, GROUP_MAP *) ++get_primary_group_sid: NTSTATUS (TALLOC_CTX *, const char *, struct passwd **, struct dom_sid **) ++get_privileges_for_sid_as_set: NTSTATUS (TALLOC_CTX *, PRIVILEGE_SET **, struct dom_sid *) ++get_privileges_for_sids: bool (uint64_t *, struct dom_sid *, int) ++get_trust_pw_clear: bool (const char *, char **, const char **, enum netr_SchannelType *) ++get_trust_pw_hash: bool (const char *, uint8_t *, const char **, enum netr_SchannelType *) ++gid_to_sid: void (struct dom_sid *, gid_t) ++gid_to_unix_groups_sid: void (gid_t, struct dom_sid *) ++grab_named_mutex: struct named_mutex *(TALLOC_CTX *, const char *, int) ++grant_all_privileges: bool (const struct dom_sid *) ++grant_privilege_by_name: bool (const struct dom_sid *, const char *) ++grant_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *) ++groupdb_tdb_init: const struct mapping_backend *(void) ++init_account_policy: bool (void) ++init_buffer_from_samu: uint32_t (uint8_t **, struct samu *, bool) ++init_samu_from_buffer: bool (struct samu *, uint32_t, uint8_t *, uint32_t) ++initialize_password_db: bool (bool, struct tevent_context *) ++is_dc_trusted_domain_situation: bool (const char *) ++is_privileged_sid: bool (const struct dom_sid *) ++local_password_change: NTSTATUS (const char *, int, const char *, char **, char **) ++login_cache_delentry: bool (const struct samu *) ++login_cache_init: bool (void) ++login_cache_read: bool (struct samu *, struct login_cache *) ++login_cache_shutdown: bool (void) ++login_cache_write: bool (const struct samu *, const struct login_cache *) ++lookup_builtin_name: bool (const char *, uint32_t *) ++lookup_builtin_rid: bool (TALLOC_CTX *, uint32_t, const char **) ++lookup_global_sam_name: 
bool (const char *, int, uint32_t *, enum lsa_SidType *) ++lookup_name: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *) ++lookup_name_smbconf: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *) ++lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *) ++lookup_sids: NTSTATUS (TALLOC_CTX *, int, const struct dom_sid **, int, struct lsa_dom_info **, struct lsa_name_info **) ++lookup_unix_group_name: bool (const char *, struct dom_sid *) ++lookup_unix_user_name: bool (const char *, struct dom_sid *) ++lookup_wellknown_name: bool (TALLOC_CTX *, const char *, struct dom_sid *, const char **) ++lookup_wellknown_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **) ++make_pdb_method: NTSTATUS (struct pdb_methods **) ++make_pdb_method_name: NTSTATUS (struct pdb_methods **, const char *) ++max_algorithmic_gid: gid_t (void) ++max_algorithmic_uid: uid_t (void) ++my_sam_name: const char *(void) ++pdb_add_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *) ++pdb_add_group_mapping_entry: NTSTATUS (GROUP_MAP *) ++pdb_add_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t) ++pdb_add_sam_account: NTSTATUS (struct samu *) ++pdb_build_fields_present: uint32_t (struct samu *) ++pdb_capabilities: uint32_t (void) ++pdb_copy_sam_account: bool (struct samu *, struct samu *) ++pdb_create_alias: NTSTATUS (const char *, uint32_t *) ++pdb_create_builtin: NTSTATUS (uint32_t) ++pdb_create_builtin_alias: NTSTATUS (uint32_t, gid_t) ++pdb_create_dom_group: NTSTATUS (TALLOC_CTX *, const char *, uint32_t *) ++pdb_create_user: NTSTATUS (TALLOC_CTX *, const char *, uint32_t, uint32_t *) ++pdb_decode_acct_ctrl: uint32_t (const char *) ++pdb_default_add_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *) ++pdb_default_add_group_mapping_entry: NTSTATUS (struct 
pdb_methods *, GROUP_MAP *) ++pdb_default_alias_memberships: NTSTATUS (struct pdb_methods *, TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *) ++pdb_default_create_alias: NTSTATUS (struct pdb_methods *, const char *, uint32_t *) ++pdb_default_del_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *) ++pdb_default_delete_alias: NTSTATUS (struct pdb_methods *, const struct dom_sid *) ++pdb_default_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid) ++pdb_default_enum_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *) ++pdb_default_enum_group_mapping: NTSTATUS (struct pdb_methods *, const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool) ++pdb_default_get_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *) ++pdb_default_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t) ++pdb_default_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *) ++pdb_default_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid) ++pdb_default_set_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *) ++pdb_default_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) ++pdb_del_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *) ++pdb_del_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t) ++pdb_del_trusted_domain: NTSTATUS (const char *) ++pdb_del_trusteddom_pw: bool (const char *) ++pdb_delete_alias: NTSTATUS (const struct dom_sid *) ++pdb_delete_dom_group: NTSTATUS (TALLOC_CTX *, uint32_t) ++pdb_delete_group_mapping_entry: NTSTATUS (struct dom_sid) ++pdb_delete_sam_account: NTSTATUS (struct samu *) ++pdb_delete_secret: NTSTATUS (const char *) ++pdb_delete_user: NTSTATUS (TALLOC_CTX *, struct samu *) ++pdb_element_is_changed: bool (const struct samu *, enum pdb_elements) 
++pdb_element_is_set_or_changed: bool (const struct samu *, enum pdb_elements) ++pdb_encode_acct_ctrl: char *(uint32_t, size_t) ++pdb_enum_alias_memberships: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *) ++pdb_enum_aliasmem: NTSTATUS (const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *) ++pdb_enum_group_mapping: bool (const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool) ++pdb_enum_group_members: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, uint32_t **, size_t *) ++pdb_enum_group_memberships: NTSTATUS (TALLOC_CTX *, struct samu *, struct dom_sid **, gid_t **, uint32_t *) ++pdb_enum_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct pdb_trusted_domain ***) ++pdb_enum_trusteddoms: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***) ++pdb_enum_upn_suffixes: NTSTATUS (TALLOC_CTX *, uint32_t *, char ***) ++pdb_find_backend_entry: struct pdb_init_function_entry *(const char *) ++pdb_get_account_policy: bool (enum pdb_policy_type, uint32_t *) ++pdb_get_acct_ctrl: uint32_t (const struct samu *) ++pdb_get_acct_desc: const char *(const struct samu *) ++pdb_get_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *) ++pdb_get_backend_private_data: void *(const struct samu *, const struct pdb_methods *) ++pdb_get_backends: const struct pdb_init_function_entry *(void) ++pdb_get_bad_password_count: uint16_t (const struct samu *) ++pdb_get_bad_password_time: time_t (const struct samu *) ++pdb_get_code_page: uint16_t (const struct samu *) ++pdb_get_comment: const char *(const struct samu *) ++pdb_get_country_code: uint16_t (const struct samu *) ++pdb_get_dir_drive: const char *(const struct samu *) ++pdb_get_domain: const char *(const struct samu *) ++pdb_get_domain_info: struct pdb_domain_info *(TALLOC_CTX *) ++pdb_get_fullname: const char *(const struct samu *) ++pdb_get_group_rid: uint32_t (struct samu *) ++pdb_get_group_sid: const struct dom_sid *(struct 
samu *) ++pdb_get_homedir: const char *(const struct samu *) ++pdb_get_hours: const uint8_t *(const struct samu *) ++pdb_get_hours_len: uint32_t (const struct samu *) ++pdb_get_init_flags: enum pdb_value_state (const struct samu *, enum pdb_elements) ++pdb_get_kickoff_time: time_t (const struct samu *) ++pdb_get_lanman_passwd: const uint8_t *(const struct samu *) ++pdb_get_logoff_time: time_t (const struct samu *) ++pdb_get_logon_count: uint16_t (const struct samu *) ++pdb_get_logon_divs: uint16_t (const struct samu *) ++pdb_get_logon_script: const char *(const struct samu *) ++pdb_get_logon_time: time_t (const struct samu *) ++pdb_get_munged_dial: const char *(const struct samu *) ++pdb_get_nt_passwd: const uint8_t *(const struct samu *) ++pdb_get_nt_username: const char *(const struct samu *) ++pdb_get_pass_can_change: bool (const struct samu *) ++pdb_get_pass_can_change_time: time_t (const struct samu *) ++pdb_get_pass_can_change_time_noncalc: time_t (const struct samu *) ++pdb_get_pass_last_set_time: time_t (const struct samu *) ++pdb_get_pass_must_change_time: time_t (const struct samu *) ++pdb_get_plaintext_passwd: const char *(const struct samu *) ++pdb_get_profile_path: const char *(const struct samu *) ++pdb_get_pw_history: const uint8_t *(const struct samu *, uint32_t *) ++pdb_get_secret: NTSTATUS (TALLOC_CTX *, const char *, DATA_BLOB *, NTTIME *, DATA_BLOB *, NTTIME *, struct security_descriptor **) ++pdb_get_seq_num: bool (time_t *) ++pdb_get_tevent_context: struct tevent_context *(void) ++pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct pdb_trusted_domain **) ++pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *, struct pdb_trusted_domain **) ++pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *) ++pdb_get_unknown_6: uint32_t (const struct samu *) ++pdb_get_user_rid: uint32_t (const struct samu *) ++pdb_get_user_sid: const struct dom_sid *(const struct samu *) ++pdb_get_username: const 
char *(const struct samu *) ++pdb_get_workstations: const char *(const struct samu *) ++pdb_getgrgid: bool (GROUP_MAP *, gid_t) ++pdb_getgrnam: bool (GROUP_MAP *, const char *) ++pdb_getgrsid: bool (GROUP_MAP *, struct dom_sid) ++pdb_gethexhours: bool (const char *, unsigned char *) ++pdb_gethexpwd: bool (const char *, unsigned char *) ++pdb_getsampwnam: bool (struct samu *, const char *) ++pdb_getsampwsid: bool (struct samu *, const struct dom_sid *) ++pdb_gid_to_sid: bool (gid_t, struct dom_sid *) ++pdb_group_rid_to_gid: gid_t (uint32_t) ++pdb_increment_bad_password_count: bool (struct samu *) ++pdb_is_password_change_time_max: bool (time_t) ++pdb_is_responsible_for_builtin: bool (void) ++pdb_is_responsible_for_our_sam: bool (void) ++pdb_is_responsible_for_unix_groups: bool (void) ++pdb_is_responsible_for_unix_users: bool (void) ++pdb_is_responsible_for_wellknown: bool (void) ++pdb_lookup_rids: NTSTATUS (const struct dom_sid *, int, uint32_t *, const char **, enum lsa_SidType *) ++pdb_new_rid: bool (uint32_t *) ++pdb_nop_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) ++pdb_nop_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid) ++pdb_nop_enum_group_mapping: NTSTATUS (struct pdb_methods *, enum lsa_SidType, GROUP_MAP **, size_t *, bool) ++pdb_nop_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t) ++pdb_nop_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *) ++pdb_nop_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid) ++pdb_nop_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) ++pdb_rename_sam_account: NTSTATUS (struct samu *, const char *) ++pdb_search_aliases: struct pdb_search *(TALLOC_CTX *, const struct dom_sid *) ++pdb_search_entries: uint32_t (struct pdb_search *, uint32_t, uint32_t, struct samr_displayentry **) ++pdb_search_groups: struct pdb_search *(TALLOC_CTX *) ++pdb_search_init: struct pdb_search *(TALLOC_CTX *, enum pdb_search_type) 
++pdb_search_users: struct pdb_search *(TALLOC_CTX *, uint32_t) ++pdb_set_account_policy: bool (enum pdb_policy_type, uint32_t) ++pdb_set_acct_ctrl: bool (struct samu *, uint32_t, enum pdb_value_state) ++pdb_set_acct_desc: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *) ++pdb_set_backend_private_data: bool (struct samu *, void *, void (*)(void **), const struct pdb_methods *, enum pdb_value_state) ++pdb_set_bad_password_count: bool (struct samu *, uint16_t, enum pdb_value_state) ++pdb_set_bad_password_time: bool (struct samu *, time_t, enum pdb_value_state) ++pdb_set_code_page: bool (struct samu *, uint16_t, enum pdb_value_state) ++pdb_set_comment: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_country_code: bool (struct samu *, uint16_t, enum pdb_value_state) ++pdb_set_dir_drive: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_domain: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_fullname: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_group_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state) ++pdb_set_group_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state) ++pdb_set_homedir: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_hours: bool (struct samu *, const uint8_t *, int, enum pdb_value_state) ++pdb_set_hours_len: bool (struct samu *, uint32_t, enum pdb_value_state) ++pdb_set_init_flags: bool (struct samu *, enum pdb_elements, enum pdb_value_state) ++pdb_set_kickoff_time: bool (struct samu *, time_t, enum pdb_value_state) ++pdb_set_lanman_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state) ++pdb_set_logoff_time: bool (struct samu *, time_t, enum pdb_value_state) ++pdb_set_logon_count: bool (struct samu *, uint16_t, enum pdb_value_state) ++pdb_set_logon_divs: bool (struct samu *, uint16_t, enum pdb_value_state) 
++pdb_set_logon_script: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_logon_time: bool (struct samu *, time_t, enum pdb_value_state) ++pdb_set_munged_dial: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_nt_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state) ++pdb_set_nt_username: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_pass_can_change: bool (struct samu *, bool) ++pdb_set_pass_can_change_time: bool (struct samu *, time_t, enum pdb_value_state) ++pdb_set_pass_last_set_time: bool (struct samu *, time_t, enum pdb_value_state) ++pdb_set_plaintext_passwd: bool (struct samu *, const char *) ++pdb_set_plaintext_pw_only: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_profile_path: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_pw_history: bool (struct samu *, const uint8_t *, uint32_t, enum pdb_value_state) ++pdb_set_secret: NTSTATUS (const char *, DATA_BLOB *, DATA_BLOB *, struct security_descriptor *) ++pdb_set_trusted_domain: NTSTATUS (const char *, const struct pdb_trusted_domain *) ++pdb_set_trusteddom_pw: bool (const char *, const char *, const struct dom_sid *) ++pdb_set_unix_primary_group: NTSTATUS (TALLOC_CTX *, struct samu *) ++pdb_set_unknown_6: bool (struct samu *, uint32_t, enum pdb_value_state) ++pdb_set_upn_suffixes: NTSTATUS (uint32_t, const char **) ++pdb_set_user_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state) ++pdb_set_user_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state) ++pdb_set_user_sid_from_string: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_username: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_workstations: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_sethexhours: void (char *, const unsigned char *) ++pdb_sethexpwd: void (char *, const unsigned char *, uint32_t) ++pdb_sid_to_id: bool (const struct dom_sid *, struct unixid 
*) ++pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct unixid *) ++pdb_uid_to_sid: bool (uid_t, struct dom_sid *) ++pdb_update_autolock_flag: bool (struct samu *, bool *) ++pdb_update_bad_password_count: bool (struct samu *, bool *) ++pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *) ++pdb_update_login_attempts: NTSTATUS (struct samu *, bool) ++pdb_update_sam_account: NTSTATUS (struct samu *) ++privilege_create_account: NTSTATUS (const struct dom_sid *) ++privilege_delete_account: NTSTATUS (const struct dom_sid *) ++privilege_enum_sids: NTSTATUS (enum sec_privilege, TALLOC_CTX *, struct dom_sid **, int *) ++privilege_enumerate_accounts: NTSTATUS (struct dom_sid **, int *) ++revoke_all_privileges: bool (const struct dom_sid *) ++revoke_privilege_by_name: bool (const struct dom_sid *, const char *) ++revoke_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *) ++samu_alloc_rid_unix: NTSTATUS (struct pdb_methods *, struct samu *, const struct passwd *) ++samu_new: struct samu *(TALLOC_CTX *) ++samu_set_unix: NTSTATUS (struct samu *, const struct passwd *) ++secrets_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***) ++sid_check_is_builtin: bool (const struct dom_sid *) ++sid_check_is_for_passdb: bool (const struct dom_sid *) ++sid_check_is_in_builtin: bool (const struct dom_sid *) ++sid_check_is_in_unix_groups: bool (const struct dom_sid *) ++sid_check_is_in_unix_users: bool (const struct dom_sid *) ++sid_check_is_in_wellknown_domain: bool (const struct dom_sid *) ++sid_check_is_unix_groups: bool (const struct dom_sid *) ++sid_check_is_unix_users: bool (const struct dom_sid *) ++sid_check_is_wellknown_builtin: bool (const struct dom_sid *) ++sid_check_is_wellknown_domain: bool (const struct dom_sid *, const char **) ++sid_check_object_is_for_passdb: bool (const struct dom_sid *) ++sid_to_gid: bool (const struct dom_sid *, gid_t *) ++sid_to_uid: bool (const struct dom_sid *, uid_t *) 
++sids_to_unixids: bool (const struct dom_sid *, uint32_t, struct unixid *) ++smb_add_user_group: int (const char *, const char *) ++smb_create_group: int (const char *, gid_t *) ++smb_delete_group: int (const char *) ++smb_delete_user_group: int (const char *, const char *) ++smb_nscd_flush_group_cache: void (void) ++smb_nscd_flush_user_cache: void (void) ++smb_register_passdb: NTSTATUS (int, const char *, pdb_init_function) ++smb_set_primary_group: int (const char *, const char *) ++uid_to_sid: void (struct dom_sid *, uid_t) ++uid_to_unix_users_sid: void (uid_t, struct dom_sid *) ++unix_groups_domain_name: const char *(void) ++unix_users_domain_name: const char *(void) ++unixid_from_both: void (struct unixid *, uint32_t) ++unixid_from_gid: void (struct unixid *, uint32_t) ++unixid_from_uid: void (struct unixid *, uint32_t) ++wb_is_trusted_domain: wbcErr (const char *) ++winbind_allocate_gid: bool (gid_t *) ++winbind_allocate_uid: bool (uid_t *) ++winbind_get_groups: bool (TALLOC_CTX *, const char *, uint32_t *, gid_t **) ++winbind_get_sid_aliases: bool (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *) ++winbind_getpwnam: struct passwd *(const char *) ++winbind_getpwsid: struct passwd *(const struct dom_sid *) ++winbind_gid_to_sid: bool (struct dom_sid *, gid_t) ++winbind_lookup_name: bool (const char *, const char *, struct dom_sid *, enum lsa_SidType *) ++winbind_lookup_rids: bool (TALLOC_CTX *, const struct dom_sid *, int, uint32_t *, const char **, const char ***, enum lsa_SidType **) ++winbind_lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *) ++winbind_lookup_usersids: bool (TALLOC_CTX *, const struct dom_sid *, uint32_t *, struct dom_sid **) ++winbind_ping: bool (void) ++winbind_sid_to_gid: bool (gid_t *, const struct dom_sid *) ++winbind_sid_to_uid: bool (uid_t *, const struct dom_sid *) ++winbind_uid_to_sid: bool (struct dom_sid *, uid_t) +diff --git 
a/source3/wscript_build
+index e0432bf..6d6b6aa 100755
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -736,7 +736,7 @@ bld.SAMBA3_LIBRARY('pdb',
+ passdb/lookup_sid.h''',
+ abi_match=private_pdb_match,
+ abi_directory='passdb/ABI',
+- vnum='0',
++ vnum='0.1.0',
+ vars=locals())
+
+ bld.SAMBA3_LIBRARY('smbldaphelper',
+--
+1.8.5.2
+
+
+From 91debcafd196a9e821efddce0a9d75c48f8e168d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 13 Dec 2013 19:08:34 +0100
+Subject: [PATCH 2/7] s3-auth: Add passwd_to_SamInfo3().
+
+First this function tries to contacts winbind if the user is a domain
+user to get valid information about it. If winbind isn't running it will
+try to create everything from the passwd struct. This is not always
+reliable but works in most cases. It improves the current situation
+which doesn't talk to winbind at all.
+
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 1bb11c7744df6928cb8a096373ab920366b38770)
+---
+ source3/auth/proto.h | 4 ++
+ source3/auth/server_info.c | 116 +++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 120 insertions(+)
+
+diff --git a/source3/auth/proto.h b/source3/auth/proto.h
+index 76661fc..8385e66 100644
+--- a/source3/auth/proto.h
++++ b/source3/auth/proto.h
+@@ -286,6 +286,10 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
+ const char *login_server,
+ struct netr_SamInfo3 **_info3,
+ struct extra_auth_info *extra);
++NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
++ const char *unix_username,
++ const struct passwd *pwd,
++ struct netr_SamInfo3 **pinfo3);
+ struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+ struct netr_SamInfo3 *orig);
+ struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+diff --git
a/source3/auth/server_info.c b/source3/auth/server_info.c
+index d2b7d6e..46d8178 100644
+--- a/source3/auth/server_info.c
++++ b/source3/auth/server_info.c
+@@ -24,6 +24,7 @@
+ #include "../libcli/security/security.h"
+ #include "rpc_client/util_netlogon.h"
+ #include "nsswitch/libwbclient/wbclient.h"
++#include "lib/winbind_util.h"
+ #include "passdb.h"
+
+ #undef DBGC_CLASS
+@@ -436,6 +437,121 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_OK;
+ }
+
++NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
++ const char *unix_username,
++ const struct passwd *pwd,
++ struct netr_SamInfo3 **pinfo3)
++{
++ struct netr_SamInfo3 *info3;
++ NTSTATUS status;
++ TALLOC_CTX *tmp_ctx;
++ const char *domain_name = NULL;
++ const char *user_name = NULL;
++ struct dom_sid domain_sid;
++ struct dom_sid user_sid;
++ struct dom_sid group_sid;
++ enum lsa_SidType type;
++ uint32_t num_sids = 0;
++ struct dom_sid *user_sids = NULL;
++ bool ok;
++
++ tmp_ctx = talloc_stackframe();
++
++ ok = lookup_name_smbconf(tmp_ctx,
++ unix_username,
++ LOOKUP_NAME_ALL,
++ &domain_name,
++ &user_name,
++ &user_sid,
++ &type);
++ if (!ok) {
++ status = NT_STATUS_NO_SUCH_USER;
++ goto done;
++ }
++
++ if (type != SID_NAME_USER) {
++ status = NT_STATUS_NO_SUCH_USER;
++ goto done;
++ }
++
++ ok = winbind_lookup_usersids(tmp_ctx,
++ &user_sid,
++ &num_sids,
++ &user_sids);
++ /* Check if winbind is running */
++ if (ok) {
++ /*
++ * Winbind is running and the first element of the user_sids
++ * is the primary group.
++ */
++ if (num_sids > 0) {
++ group_sid = user_sids[0];
++ }
++ } else {
++ /*
++ * Winbind is not running, create the group_sid from the
++ * group id.
++ */
++ gid_to_sid(&group_sid, pwd->pw_gid);
++ }
++
++ /* Make sure we have a valid group sid */
++ ok = !is_null_sid(&group_sid);
++ if (!ok) {
++ status = NT_STATUS_NO_SUCH_USER;
++ goto done;
++ }
++
++ /* Construct a netr_SamInfo3 from the information we have */
++ info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3);
++ if (!info3) {
++ status = NT_STATUS_NO_MEMORY;
++ goto done;
++ }
++
++ info3->base.account_name.string = talloc_strdup(info3, unix_username);
++ if (info3->base.account_name.string == NULL) {
++ status = NT_STATUS_NO_MEMORY;
++ goto done;
++ }
++
++ ZERO_STRUCT(domain_sid);
++
++ sid_copy(&domain_sid, &user_sid);
++ sid_split_rid(&domain_sid, &info3->base.rid);
++ info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
++
++ ok = sid_peek_check_rid(&domain_sid, &group_sid,
++ &info3->base.primary_gid);
++ if (!ok) {
++ DEBUG(1, ("The primary group domain sid(%s) does not "
++ "match the domain sid(%s) for %s(%s)\n",
++ sid_string_dbg(&group_sid),
++ sid_string_dbg(&domain_sid),
++ unix_username,
++ sid_string_dbg(&user_sid)));
++ status = NT_STATUS_INVALID_SID;
++ goto done;
++ }
++
++ info3->base.acct_flags = ACB_NORMAL;
++
++ if (num_sids) {
++ status = group_sids_to_info3(info3, user_sids, num_sids);
++ if (!NT_STATUS_IS_OK(status)) {
++ goto done;
++ }
++ }
++
++ *pinfo3 = talloc_steal(mem_ctx, info3);
++
++ status = NT_STATUS_OK;
++done:
++ talloc_free(tmp_ctx);
++
++ return status;
++}
++
+ #undef RET_NOMEM
+
+ #define RET_NOMEM(ptr) do { \
+--
+1.8.5.2
+
+
+From c7b7670dc5cd8dbf727258666b6417d67afafb33 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 13 Dec 2013 19:11:01 +0100
+Subject: [PATCH 3/7] s3-auth: Pass talloc context to make_server_info_pw().
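Review bot: `group_sid` is declared without an initializer in passwd_to_SamInfo3() and is only assigned when winbind answers with `num_sids > 0` or in the no-winbind branch, so a successful winbind reply carrying zero SIDs reaches `is_null_sid(&group_sid)` with stack garbage; the "valid group sid" check then cannot be relied on, and an arbitrary primary group can pass `sid_peek_check_rid()` into the returned info3 that later becomes the user's token. Initialise it before the lookup, `ZERO_STRUCT(group_sid);` (matching the file's style), so that the existing null-SID check rejects the empty-reply case; alternatively treat `num_sids == 0` from winbind as NT_STATUS_NO_SUCH_USER explicitly. The `ZERO_STRUCT(domain_sid)` right before `sid_copy(&domain_sid, &user_sid)` looks redundant if sid_copy fills the whole struct, which I cannot confirm from this hunk. A short header comment would also help: it should say that the SID list and primary group come from winbind when reachable, are derived from the passwd entry otherwise (which the commit message itself calls "not always reliable"), and that `*pinfo3` is stolen onto mem_ctx on success.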
+
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 1b59c9743cf3fbd66b0b8b52162b2cc8d922e5cf)
+---
+ source3/auth/auth_unix.c | 7 +++++--
+ source3/auth/auth_util.c | 52 +++++++++++++++++++++++++++++-------------------
+ source3/auth/proto.h | 7 ++++---
+ source3/auth/user_krb5.c | 5 +----
+ 4 files changed, 42 insertions(+), 29 deletions(-)
+
+diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
+index c8b5435..7b483a2 100644
+--- a/source3/auth/auth_unix.c
++++ b/source3/auth/auth_unix.c
+@@ -67,8 +67,11 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
+ unbecome_root();
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+- if (pass) {
+- make_server_info_pw(server_info, pass->pw_name, pass);
++ if (pass != NULL) {
++ nt_status = make_server_info_pw(mem_ctx,
++ pass->pw_name,
++ pass,
++ server_info);
+ } else {
+ /* we need to do somthing more useful here */
+ nt_status = NT_STATUS_NO_SUCH_USER;
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index ceaa706..b225b0d 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -639,14 +639,15 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
+ to a struct samu
+ ***************************************************************************/
+
+-NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
+- char *unix_username,
+- struct passwd *pwd)
++NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
++ const char *unix_username,
++ const struct passwd *pwd,
++ struct auth_serversupplied_info **server_info)
+ {
+ NTSTATUS status;
+ struct samu *sampass = NULL;
+ char *qualified_name = NULL;
+- TALLOC_CTX *mem_ctx = NULL;
++ TALLOC_CTX *tmp_ctx;
+ struct dom_sid u_sid;
+ enum lsa_SidType type;
+ struct auth_serversupplied_info *result;
+@@ -664,27 +665,27 @@
NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
+ * plaintext passwords were used with no SAM backend.
+ */
+
+- mem_ctx = talloc_init("make_server_info_pw_tmp");
+- if (!mem_ctx) {
++ tmp_ctx = talloc_stackframe();
++ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
++ qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
+ unix_users_domain_name(),
+ unix_username );
+ if (!qualified_name) {
+- TALLOC_FREE(mem_ctx);
++ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
++ if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
+ NULL, NULL,
+ &u_sid, &type)) {
+- TALLOC_FREE(mem_ctx);
++ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+- TALLOC_FREE(mem_ctx);
++ TALLOC_FREE(tmp_ctx);
+
+ if (type != SID_NAME_USER) {
+ return NT_STATUS_NO_SUCH_USER;
+@@ -707,7 +708,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
+ /* set the user sid to be the calculated u_sid */
+ pdb_set_user_sid(sampass, &u_sid, PDB_SET);
+
+- result = make_server_info(NULL);
++ result = make_server_info(mem_ctx);
+ if (result == NULL) {
+ TALLOC_FREE(sampass);
+ return NT_STATUS_NO_MEMORY;
+@@ -992,25 +993,36 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
+ struct passwd *pwd;
+ NTSTATUS status;
+ struct auth_serversupplied_info *result;
++ TALLOC_CTX *tmp_ctx;
+
+- pwd = Get_Pwnam_alloc(talloc_tos(), username);
+- if (pwd == NULL) {
+- return NT_STATUS_NO_SUCH_USER;
++ tmp_ctx = talloc_stackframe();
++ if (tmp_ctx == NULL) {
++ return NT_STATUS_NO_MEMORY;
+ }
+
+- status = make_server_info_pw(&result, pwd->pw_name, pwd);
++ pwd = Get_Pwnam_alloc(tmp_ctx, username);
++ if (pwd == NULL) {
++ status = NT_STATUS_NO_SUCH_USER;
++ goto done;
++ }
+
++ status = make_server_info_pw(tmp_ctx, pwd->pw_name, pwd, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+- return status;
++ goto
done; + } + + result->nss_token = true; + result->guest = is_guest; + + /* Now turn the server_info into a session_info with the full token etc */ +- status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info); +- TALLOC_FREE(result); +- TALLOC_FREE(pwd); ++ status = create_local_token(mem_ctx, ++ result, ++ NULL, ++ pwd->pw_name, ++ session_info); ++ ++done: ++ talloc_free(tmp_ctx); + + return status; + } +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index 8385e66..7abca07 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -206,9 +206,10 @@ bool user_in_group_sid(const char *username, const struct dom_sid *group_sid); + bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid); + bool user_in_group(const char *username, const char *groupname); + struct passwd; +-NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info, +- char *unix_username, +- struct passwd *pwd); ++NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx, ++ const char *unix_username, ++ const struct passwd *pwd, ++ struct auth_serversupplied_info **server_info); + NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx, + const char *username, + bool is_guest, +diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c +index 974a8aa..7d44285 100644 +--- a/source3/auth/user_krb5.c ++++ b/source3/auth/user_krb5.c +@@ -242,7 +242,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + */ + DEBUG(10, ("didn't find user %s in passdb, calling " + "make_server_info_pw\n", username)); +- status = make_server_info_pw(&tmp, username, pw); ++ status = make_server_info_pw(mem_ctx, username, pw, &tmp); + } + + TALLOC_FREE(sampass); +@@ -253,9 +253,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + return status; + } + +- /* Steal tmp server info into the server_info pointer. */ +- server_info = talloc_move(mem_ctx, &tmp); +- + /* make_server_info_pw does not set the domain. 
Without this + * we end up with the local netbios name in substitutions for + * %D. */ +-- +1.8.5.2 + + +From 4fbd13598e8bdc6acf41329f71de806de4265f36 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@samba.org> +Date: Fri, 13 Dec 2013 19:19:02 +0100 +Subject: [PATCH 4/7] s3-auth: Add passwd_to_SamInfo3(). + +Correctly lookup users which come from smb.conf. passwd_to_SamInfo3() +tries to contact winbind if the user is a domain user to get +valid information about it. If winbind isn't running it will try to +create everything from the passwd struct. This is not always reliable +but works in most cases. It improves the current situation which doesn't +talk to winbind at all. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598 + +Pair-Programmed-With: Guenther Deschner <gd@samba.org> +Signed-off-by: Andreas Schneider <asn@samba.org> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> +Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104 + +(cherry picked from commit 40e6456b5896e934fcd581c2cac2389984256e09) +--- + source3/auth/auth_util.c | 87 +++++++++------------------------------------- + source3/auth/server_info.c | 22 ++++++++++-- + 2 files changed, 36 insertions(+), 73 deletions(-) + +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index b225b0d..24190af 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -645,98 +645,43 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx, + struct auth_serversupplied_info **server_info) + { + NTSTATUS status; +- struct samu *sampass = NULL; +- char *qualified_name = NULL; +- TALLOC_CTX *tmp_ctx; +- struct dom_sid u_sid; +- enum lsa_SidType type; ++ TALLOC_CTX *tmp_ctx = NULL; + struct auth_serversupplied_info *result; + +- /* +- * The SID returned in server_info->sam_account is based +- * on our SAM sid even though for a pure UNIX account this should +- * not be the case as it doesn't really exist in 
the SAM db. +- * This causes lookups on "[in]valid users" to fail as they +- * will lookup this name as a "Unix User" SID to check against +- * the user token. Fix this by adding the "Unix User"\unix_username +- * SID to the sid array. The correct fix should probably be +- * changing the server_info->sam_account user SID to be a +- * S-1-22 Unix SID, but this might break old configs where +- * plaintext passwords were used with no SAM backend. +- */ +- + tmp_ctx = talloc_stackframe(); + if (tmp_ctx == NULL) { + return NT_STATUS_NO_MEMORY; + } + +- qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s", +- unix_users_domain_name(), +- unix_username ); +- if (!qualified_name) { +- TALLOC_FREE(tmp_ctx); +- return NT_STATUS_NO_MEMORY; +- } +- +- if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL, +- NULL, NULL, +- &u_sid, &type)) { +- TALLOC_FREE(tmp_ctx); +- return NT_STATUS_NO_SUCH_USER; +- } +- +- TALLOC_FREE(tmp_ctx); +- +- if (type != SID_NAME_USER) { +- return NT_STATUS_NO_SUCH_USER; +- } +- +- if ( !(sampass = samu_new( NULL )) ) { +- return NT_STATUS_NO_MEMORY; +- } +- +- status = samu_set_unix( sampass, pwd ); +- if (!NT_STATUS_IS_OK(status)) { +- return status; +- } +- +- /* In pathological cases the above call can set the account +- * name to the DOMAIN\username form. 
Reset the account name +- * using unix_username */ +- pdb_set_username(sampass, unix_username, PDB_SET); +- +- /* set the user sid to be the calculated u_sid */ +- pdb_set_user_sid(sampass, &u_sid, PDB_SET); +- +- result = make_server_info(mem_ctx); ++ result = make_server_info(tmp_ctx); + if (result == NULL) { +- TALLOC_FREE(sampass); +- return NT_STATUS_NO_MEMORY; ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + } + +- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(), +- &result->info3, &result->extra); +- TALLOC_FREE(sampass); ++ status = passwd_to_SamInfo3(result, ++ unix_username, ++ pwd, ++ &result->info3); + if (!NT_STATUS_IS_OK(status)) { +- DEBUG(10, ("Failed to convert samu to info3: %s\n", +- nt_errstr(status))); +- TALLOC_FREE(result); +- return status; ++ goto done; + } + + result->unix_name = talloc_strdup(result, unix_username); +- + if (result->unix_name == NULL) { +- TALLOC_FREE(result); +- return NT_STATUS_NO_MEMORY; ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + } + + result->utok.uid = pwd->pw_uid; + result->utok.gid = pwd->pw_gid; + +- *server_info = result; ++ *server_info = talloc_steal(mem_ctx, result); ++ status = NT_STATUS_OK; ++done: ++ talloc_free(tmp_ctx); + +- return NT_STATUS_OK; ++ return status; + } + + static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx, +diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c +index 46d8178..43711d5 100644 +--- a/source3/auth/server_info.c ++++ b/source3/auth/server_info.c +@@ -489,10 +489,28 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, + } + } else { + /* +- * Winbind is not running, create the group_sid from the +- * group id. ++ * Winbind is not running, try to create the group_sid from the ++ * passwd group id. ++ */ ++ ++ /* ++ * This can lead to a primary group of S-1-22-2-XX which ++ * will be rejected by other Samba code. 
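Review bot: The failure branch after the new `passwd_to_SamInfo3()` call in make_server_info_pw jumps to `done` silently, while the samu_to_SamInfo3 path it replaces logged the NTSTATUS at DEBUG level 10; an authentication path that can fail for a configured user should keep that breadcrumb, e.g. `DEBUG(10, ("passwd_to_SamInfo3 failed for %s: %s\n", unix_username, nt_errstr(status)));` before the `goto done;`. The hunk also drops the `type != SID_NAME_USER` guard that the old lookup_name() path enforced; whether passwd_to_SamInfo3() rejects non-user names cannot be seen from this hunk, so a one-line comment stating where that check now lives would help the next reader. The function's signature line precedes the hunk.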
+ */ + gid_to_sid(&group_sid, pwd->pw_gid); ++ ++ ZERO_STRUCT(domain_sid); ++ ++ /* ++ * If we are a unix group, set the group_sid to the ++ * 'Domain Users' RID of 513 which will always resolve to a ++ * name. ++ */ ++ if (sid_check_is_in_unix_groups(&group_sid)) { ++ sid_compose(&group_sid, ++ get_global_sam_sid(), ++ DOMAIN_RID_USERS); ++ } + } + + /* Make sure we have a valid group sid */ +-- +1.8.5.2 + + +From 76bb5e0888f4131ab773d90160051a51c401c90d Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@samba.org> +Date: Tue, 18 Feb 2014 10:02:57 +0100 +Subject: [PATCH 5/7] s3-auth: Pass mem_ctx to make_server_info_sam(). + +Coverity-Id: 1168009 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598 + +Signed-off-by: Andreas Schneider <asn@samba.org> + +Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +(cherry picked from commit 3dc72266005e87a291f5bf9847257e8c54314d39) +--- + source3/auth/check_samsec.c | 2 +- + source3/auth/proto.h | 5 ++-- + source3/auth/server_info_sam.c | 56 +++++++++++++++++++++++++++--------------- + source3/auth/user_krb5.c | 12 +++++---- + 4 files changed, 47 insertions(+), 28 deletions(-) + +diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c +index 7ed8cc2..b6cac60 100644 +--- a/source3/auth/check_samsec.c ++++ b/source3/auth/check_samsec.c +@@ -482,7 +482,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge, + } + + become_root(); +- nt_status = make_server_info_sam(server_info, sampass); ++ nt_status = make_server_info_sam(mem_ctx, sampass, server_info); + unbecome_root(); + + TALLOC_FREE(sampass); +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index 7abca07..eac3e54 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -190,8 +190,9 @@ bool make_user_info_guest(const struct tsocket_address *remote_address, + struct auth_usersupplied_info **user_info); + + struct samu; +-NTSTATUS make_server_info_sam(struct 
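Review bot: The new fallback in passwd_to_SamInfo3 rewrites a passwd-only user's primary group to `DOMAIN_RID_USERS` under `get_global_sam_sid()`, but the surrounding comment justifies it only as "will always resolve to a name"; the primary group SID presumably ends up in the user's token downstream (not visible here), so this is an authorization change, not a display fix, and every ACL granting "Domain Users" would then cover local Unix accounts with no domain relationship. Suggest extending the comment: `/* NOTE: this also makes every passwd-only user a member of Domain Users for access checks, not just for name resolution. */`. `ZERO_STRUCT(domain_sid)` is added without a consumer inside the hunk; if it is read further down the function, a short comment saying so would avoid it looking dead. The enclosing function starts outside the hunk.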
auth_serversupplied_info **server_info, +- struct samu *sampass); ++NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx, ++ struct samu *sampass, ++ struct auth_serversupplied_info **pserver_info); + NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, + const struct auth_serversupplied_info *server_info, + DATA_BLOB *session_key, +diff --git a/source3/auth/server_info_sam.c b/source3/auth/server_info_sam.c +index 5d657f9..47087b1 100644 +--- a/source3/auth/server_info_sam.c ++++ b/source3/auth/server_info_sam.c +@@ -58,39 +58,51 @@ static bool is_our_machine_account(const char *username) + Make (and fill) a user_info struct from a struct samu + ***************************************************************************/ + +-NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info, +- struct samu *sampass) ++NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx, ++ struct samu *sampass, ++ struct auth_serversupplied_info **pserver_info) + { + struct passwd *pwd; +- struct auth_serversupplied_info *result; ++ struct auth_serversupplied_info *server_info; + const char *username = pdb_get_username(sampass); ++ TALLOC_CTX *tmp_ctx; + NTSTATUS status; + +- if ( !(result = make_server_info(NULL)) ) { ++ tmp_ctx = talloc_stackframe(); ++ if (tmp_ctx == NULL) { + return NT_STATUS_NO_MEMORY; + } + +- if ( !(pwd = Get_Pwnam_alloc(result, username)) ) { ++ server_info = make_server_info(tmp_ctx); ++ if (server_info == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ pwd = Get_Pwnam_alloc(tmp_ctx, username); ++ if (pwd == NULL) { + DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", + pdb_get_username(sampass))); +- TALLOC_FREE(result); +- return NT_STATUS_NO_SUCH_USER; ++ status = NT_STATUS_NO_SUCH_USER; ++ goto out; + } + +- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(), +- &result->info3, &result->extra); ++ status = samu_to_SamInfo3(server_info, ++ sampass, ++ lp_netbios_name(), ++ &server_info->info3, ++ &server_info->extra); + if 
(!NT_STATUS_IS_OK(status)) { +- TALLOC_FREE(result); +- return status; ++ goto out; + } + +- result->unix_name = pwd->pw_name; +- /* Ensure that we keep pwd->pw_name, because we will free pwd below */ +- talloc_steal(result, pwd->pw_name); +- result->utok.gid = pwd->pw_gid; +- result->utok.uid = pwd->pw_uid; ++ server_info->unix_name = talloc_strdup(server_info, pwd->pw_name); ++ if (server_info->unix_name == NULL) { ++ status = NT_STATUS_NO_MEMORY; ++ goto out; ++ } + +- TALLOC_FREE(pwd); ++ server_info->utok.gid = pwd->pw_gid; ++ server_info->utok.uid = pwd->pw_uid; + + if (IS_DC && is_our_machine_account(username)) { + /* +@@ -110,9 +122,13 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info, + } + + DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", +- pdb_get_username(sampass), result->unix_name)); ++ pdb_get_username(sampass), server_info->unix_name)); ++ ++ *pserver_info = talloc_steal(mem_ctx, server_info); + +- *server_info = result; ++ status = NT_STATUS_OK; ++out: ++ talloc_free(tmp_ctx); + +- return NT_STATUS_OK; ++ return status; + } +diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c +index 7d44285..e40c8ac 100644 +--- a/source3/auth/user_krb5.c ++++ b/source3/auth/user_krb5.c +@@ -223,9 +223,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + * SID consistency with ntlmssp session setup + */ + struct samu *sampass; +- /* The stupid make_server_info_XX functions here +- don't take a talloc context. 
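Review bot: In make_server_info_sam the `if (server_info == NULL)` branch after `make_server_info(tmp_ctx)` still does a bare `return NT_STATUS_NO_MEMORY;`, so the just-allocated stackframe is not released on that path while every later error goes through `out:` and `talloc_free(tmp_ctx)`. It should follow the same pattern: `status = NT_STATUS_NO_MEMORY;` / `goto out;`. The `out:` label and final return are in the second hunk of this file on the same line.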
*/ +- struct auth_serversupplied_info *tmp = NULL; + + sampass = samu_new(talloc_tos()); + if (sampass == NULL) { +@@ -235,14 +232,19 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + if (pdb_getsampwnam(sampass, username)) { + DEBUG(10, ("found user %s in passdb, calling " + "make_server_info_sam\n", username)); +- status = make_server_info_sam(&tmp, sampass); ++ status = make_server_info_sam(mem_ctx, ++ sampass, ++ &server_info); + } else { + /* + * User not in passdb, make it up artificially + */ + DEBUG(10, ("didn't find user %s in passdb, calling " + "make_server_info_pw\n", username)); +- status = make_server_info_pw(mem_ctx, username, pw, &tmp); ++ status = make_server_info_pw(mem_ctx, ++ username, ++ pw, ++ &server_info); + } + + TALLOC_FREE(sampass); +-- +1.8.5.2 + + +From f9c0adb6237c6e60c33ee6af21f55c0cdefa132c Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@samba.org> +Date: Tue, 18 Feb 2014 10:19:57 +0100 +Subject: [PATCH 6/7] s3-auth: Pass mem_ctx to auth_check_ntlm_password(). 
+ +Coverity-Id: 1168009 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598 + +Signed-off-by: Andreas Schneider <asn@samba.org> + +Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +(cherry picked from commit 4d792db03f18aa164b565c7fdc7b446c174fba28) +--- + source3/auth/auth.c | 50 ++++++++++++++++++----------- + source3/auth/auth_ntlmssp.c | 6 ++-- + source3/auth/proto.h | 8 +++-- + source3/rpc_server/netlogon/srv_netlog_nt.c | 6 ++-- + source3/torture/pdbtest.c | 5 ++- + 5 files changed, 48 insertions(+), 27 deletions(-) + +diff --git a/source3/auth/auth.c b/source3/auth/auth.c +index c3797cf..dc9af02 100644 +--- a/source3/auth/auth.c ++++ b/source3/auth/auth.c +@@ -160,18 +160,19 @@ static bool check_domain_match(const char *user, const char *domain) + * + **/ + +-NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context, +- const struct auth_usersupplied_info *user_info, +- struct auth_serversupplied_info **server_info) ++NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, ++ const struct auth_context *auth_context, ++ const struct auth_usersupplied_info *user_info, ++ struct auth_serversupplied_info **pserver_info) + { + /* if all the modules say 'not for me' this is reasonable */ + NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER; + const char *unix_username; + auth_methods *auth_method; +- TALLOC_CTX *mem_ctx; + +- if (!user_info || !auth_context || !server_info) ++ if (user_info == NULL || auth_context == NULL || pserver_info == NULL) { + return NT_STATUS_LOGON_FAILURE; ++ } + + DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", + user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name)); +@@ -205,17 +206,27 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context, + return NT_STATUS_LOGON_FAILURE; + + for (auth_method = auth_context->auth_method_list;auth_method; 
auth_method = auth_method->next) { ++ struct auth_serversupplied_info *server_info; ++ TALLOC_CTX *tmp_ctx; + NTSTATUS result; + +- mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, +- user_info->mapped.domain_name, user_info->client.account_name); ++ tmp_ctx = talloc_named(mem_ctx, ++ 0, ++ "%s authentication for user %s\\%s", ++ auth_method->name, ++ user_info->mapped.domain_name, ++ user_info->client.account_name); + +- result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); ++ result = auth_method->auth(auth_context, ++ auth_method->private_data, ++ tmp_ctx, ++ user_info, ++ &server_info); + + /* check if the module did anything */ + if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) { + DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name)); +- talloc_destroy(mem_ctx); ++ TALLOC_FREE(tmp_ctx); + continue; + } + +@@ -229,19 +240,20 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context, + auth_method->name, user_info->client.account_name, nt_errstr(nt_status))); + } + +- talloc_destroy(mem_ctx); +- +- if ( NT_STATUS_IS_OK(nt_status)) +- { +- break; ++ if (NT_STATUS_IS_OK(nt_status)) { ++ *pserver_info = talloc_steal(mem_ctx, server_info); ++ TALLOC_FREE(tmp_ctx); ++ break; + } ++ ++ TALLOC_FREE(tmp_ctx); + } + + /* successful authentication */ + + if (NT_STATUS_IS_OK(nt_status)) { +- unix_username = (*server_info)->unix_name; +- if (!(*server_info)->guest) { ++ unix_username = (*pserver_info)->unix_name; ++ if (!(*pserver_info)->guest) { + const char *rhost; + + if (tsocket_address_is_inet(user_info->remote_host, "ip")) { +@@ -270,9 +282,9 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context, + } + + if (NT_STATUS_IS_OK(nt_status)) { +- DEBUG((*server_info)->guest ? 5 : 2, ++ DEBUG((*pserver_info)->guest ? 
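Review bot: The per-method `tmp_ctx = talloc_named(mem_ctx, 0, ...)` in auth_check_ntlm_password is passed straight to `auth_method->auth()` without a NULL check, so an allocation failure hands a NULL context to every auth module; the old talloc_init() code had the same gap, but since this hunk rewrites the line it is the place to add `if (tmp_ctx == NULL) { return NT_STATUS_NO_MEMORY; }`. The loop-local `struct auth_serversupplied_info *server_info;` is also left uninitialized per iteration; `= NULL` is cheap and makes the later `talloc_steal(mem_ctx, server_info)` on the success path easier to reason about. The function spans several hunks on this and the following line.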
5 : 2, + ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n", +- (*server_info)->guest ? "guest " : "", ++ (*pserver_info)->guest ? "guest " : "", + user_info->client.account_name, + user_info->mapped.account_name, + unix_username)); +@@ -286,7 +298,7 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context, + DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", + user_info->client.account_name, user_info->mapped.account_name, + nt_errstr(nt_status))); +- ZERO_STRUCTP(server_info); ++ ZERO_STRUCTP(pserver_info); + + return nt_status; + } +diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c +index f99bd44..cb7726c 100644 +--- a/source3/auth/auth_ntlmssp.c ++++ b/source3/auth/auth_ntlmssp.c +@@ -134,8 +134,10 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context, + + mapped_user_info->flags = user_info->flags; + +- nt_status = auth_check_ntlm_password(auth_context, +- mapped_user_info, &server_info); ++ nt_status = auth_check_ntlm_password(mem_ctx, ++ auth_context, ++ mapped_user_info, ++ &server_info); + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n", +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index eac3e54..15b1ba0 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -65,6 +65,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context, + * struct. When the return is other than NT_STATUS_OK the contents + * of that structure is undefined. + * ++ * @param mem_ctx The memory context to use to allocate server_info ++ * + * @param user_info Contains the user supplied components, including the passwords. + * Must be created with make_user_info() or one of its wrappers. + * +@@ -79,9 +81,9 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context, + * @return An NTSTATUS with NT_STATUS_OK or an appropriate error. 
+ * + **/ +- +-NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context, +- const struct auth_usersupplied_info *user_info, ++NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, ++ const struct auth_context *auth_context, ++ const struct auth_usersupplied_info *user_info, + struct auth_serversupplied_info **server_info); + + /* The following definitions come from auth/auth_builtin.c */ +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index e5ca474..0c8c9a5 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1650,8 +1650,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, + } /* end switch */ + + if ( NT_STATUS_IS_OK(status) ) { +- status = auth_check_ntlm_password(auth_context, +- user_info, &server_info); ++ status = auth_check_ntlm_password(p->mem_ctx, ++ auth_context, ++ user_info, ++ &server_info); + } + + TALLOC_FREE(auth_context); +diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c +index 17da455..14d58b9 100644 +--- a/source3/torture/pdbtest.c ++++ b/source3/torture/pdbtest.c +@@ -304,7 +304,10 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry) + return False; + } + +- status = auth_check_ntlm_password(auth_context, user_info, &server_info); ++ status = auth_check_ntlm_password(mem_ctx, ++ auth_context, ++ user_info, ++ &server_info); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status))); +-- +1.8.5.2 + + +From a48bcd84c59b5b2cb8c3e0f5d68b35065bed81d7 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@samba.org> +Date: Tue, 18 Feb 2014 13:52:49 +0100 +Subject: [PATCH 7/7] s3-auth: Pass mem_ctx to do_map_to_guest_server_info(). 
+ +Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> +Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104 + +(cherry picked from commit 79e2725f339e7c5336b4053348c4266268de6ca3) +--- + source3/auth/auth_ntlmssp.c | 7 ++++--- + source3/auth/auth_util.c | 12 +++++++----- + source3/auth/proto.h | 8 +++++--- + 3 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c +index cb7726c..d4fe901 100644 +--- a/source3/auth/auth_ntlmssp.c ++++ b/source3/auth/auth_ntlmssp.c +@@ -151,10 +151,11 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context, + free_user_info(&mapped_user_info); + + if (!NT_STATUS_IS_OK(nt_status)) { +- nt_status = do_map_to_guest_server_info(nt_status, +- &server_info, ++ nt_status = do_map_to_guest_server_info(mem_ctx, ++ nt_status, + user_info->client.account_name, +- user_info->client.domain_name); ++ user_info->client.domain_name, ++ &server_info); + *server_returned_info = talloc_steal(mem_ctx, server_info); + return nt_status; + } +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index 24190af..8cf5cb7 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -1536,9 +1536,11 @@ bool is_trusted_domain(const char* dom_name) + on a logon error possibly map the error to success if "map to guest" + is set approriately + */ +-NTSTATUS do_map_to_guest_server_info(NTSTATUS status, +- struct auth_serversupplied_info **server_info, +- const char *user, const char *domain) ++NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx, ++ NTSTATUS status, ++ const char *user, ++ const char *domain, ++ struct auth_serversupplied_info **server_info) + { + user = user ? user : ""; + domain = domain ? 
domain : ""; +@@ -1548,13 +1550,13 @@ NTSTATUS do_map_to_guest_server_info(NTSTATUS status, + (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) { + DEBUG(3,("No such user %s [%s] - using guest account\n", + user, domain)); +- return make_server_info_guest(NULL, server_info); ++ return make_server_info_guest(mem_ctx, server_info); + } + } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) { + if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) { + DEBUG(3,("Registered username %s for guest access\n", + user)); +- return make_server_info_guest(NULL, server_info); ++ return make_server_info_guest(mem_ctx, server_info); + } + } + +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index 15b1ba0..7b8959f 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -264,9 +264,11 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info, + enum auth_password_state password_state); + void free_user_info(struct auth_usersupplied_info **user_info); + +-NTSTATUS do_map_to_guest_server_info(NTSTATUS status, +- struct auth_serversupplied_info **server_info, +- const char *user, const char *domain); ++NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx, ++ NTSTATUS status, ++ const char *user, ++ const char *domain, ++ struct auth_serversupplied_info **server_info); + + /* The following definitions come from auth/auth_winbind.c */ + +-- +1.8.5.2 + |