svn commit: samba r8981 - in branches/SAMBA_4_0/source/libnet: .

abartlet at samba.org abartlet at samba.org
Wed Aug 3 05:24:13 GMT 2005


Author: abartlet
Date: 2005-08-03 05:24:13 +0000 (Wed, 03 Aug 2005)
New Revision: 8981

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8981

Log:
Add comments, fix typos (in attribute names) and check for errors in
SamSync and 'net join'.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/libnet/libnet_join.c
   branches/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c


Changeset:
Modified: branches/SAMBA_4_0/source/libnet/libnet_join.c
===================================================================
--- branches/SAMBA_4_0/source/libnet/libnet_join.c	2005-08-03 04:41:10 UTC (rev 8980)
+++ branches/SAMBA_4_0/source/libnet/libnet_join.c	2005-08-03 05:24:13 UTC (rev 8981)
@@ -158,6 +158,8 @@
 		return status;
 	}
 
+	/* Look to see if this is ADS (a fault indicates NT4 or Samba 3.0) */
+
 	lsa_query_info2.in.handle = &lsa_p_handle;
 	lsa_query_info2.in.level = LSA_POLICY_INFO_DNS;
 
@@ -175,6 +177,8 @@
 		realm = lsa_query_info2.out.info->dns.dns_domain.string;
 	}
 
+	/* Grab the domain SID (regardless of the result of the previous call */
+
 	lsa_query_info.in.handle = &lsa_p_handle;
 	lsa_query_info.in.level = LSA_POLICY_INFO_DOMAIN;
 
@@ -196,7 +200,7 @@
 	r->out.realm = talloc_steal(mem_ctx, realm);
 
 	/*
-	  step 1 - establish a SAMR connection, on the same CIFS transport
+	  establish a SAMR connection, on the same CIFS transport
 	*/
 
 	/* Find the original binding string */
@@ -357,13 +361,15 @@
 		}
 	}
 
+	/* Find out what password policy this user has */
 	pwp.in.user_handle = &u_handle;
 
 	status = dcerpc_samr_GetUserPwInfo(samr_pipe, tmp_ctx, &pwp);
 	if (NT_STATUS_IS_OK(status)) {
 		policy_min_pw_len = pwp.out.info.min_password_length;
 	}
-
+	
+	/* Grab a password of that minimum length */
 	r->out.join_password = generate_random_str(mem_ctx, MAX(8, policy_min_pw_len));
 
 	r2.samr_handle.level		= LIBNET_SET_PASSWORD_SAMR_HANDLE;
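Review bot: The line replacing the blank line between the GetUserPwInfo block and the new "Grab a password" comment now carries a lone tab, which introduces trailing whitespace into the file; it should be an empty line. The new comment above `pwp.in.user_handle` could also record that a failing GetUserPwInfo is tolerated on purpose, since `status` is not otherwise reported and the code falls through to `MAX(8, policy_min_pw_len)` with whatever value policy_min_pw_len already held (presumably initialised before this hunk; worth confirming). Suggested wording: `/* Find out what password policy this user has; a failure here is tolerated and the default minimum length is used */`. The enclosing function continues outside the hunk.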
@@ -436,12 +442,21 @@
 	}
 
 	/* Now, if it was AD, then we want to start looking changing a
-	 * few more things */
+	 * few more things.  Otherwise, we are done. */
 	if (!realm) {
+		r->out.realm = NULL;
+		r->out.kvno = 0;
 		talloc_free(tmp_ctx);
 		return NT_STATUS_OK;
 	}
 
+	/* We need to convert between a samAccountName and domain to a
+	 * DN in the directory.  The correct way to do this is with
+	 * DRSUAPI CrackNames */
+
+
+	/* Fiddle with the bindings, so get to DRSUAPI on
+	 * NCACN_IP_TCP, sealed */
 	drsuapi_binding = talloc(tmp_ctx, struct dcerpc_binding);
 	*drsuapi_binding = *samr_binding;
 	drsuapi_binding->transport = NCACN_IP_TCP;
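Review bot: The new `r->out.realm = NULL;` in the non-AD branch looks redundant, since the earlier hunk already assigns `r->out.realm = talloc_steal(mem_ctx, realm)` and realm is NULL on this path; it is harmless but a one-line comment such as `/* realm is already NULL here; set explicitly for clarity */` would stop a reader hunting for a second assignment. Explicitly zeroing `r->out.kvno` is the useful part, because the AD path below is the only place that otherwise fills it in. The two consecutive blank lines between the CrackNames comment and the binding comment could be collapsed to one. The enclosing function continues outside the hunk.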
@@ -464,6 +479,7 @@
 		return status;
 	}
 	
+	/* get a DRSUAPI pipe handle */
 	GUID_from_string(DRSUAPI_DS_BIND_GUID, &drsuapi_bind_guid);
 
 	r_drsuapi_bind.in.bind_guid = &drsuapi_bind_guid;
@@ -497,6 +513,7 @@
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
+	/* Actually 'crack' the names */
 	ZERO_STRUCT(r_crack_names);
 	r_crack_names.in.bind_handle		= &drsuapi_bind_handle;
 	r_crack_names.in.level			= 1;
@@ -534,10 +551,21 @@
 						  "DsCrackNames failed - %s\n", win_errstr(r_crack_names.out.result));
 		talloc_free(tmp_ctx);
 		return NT_STATUS_UNSUCCESSFUL;
+	} else if (r_crack_names.out.level != 1 
+		   || !r_crack_names.out.ctr.ctr1 
+		   || r_crack_names.out.ctr.ctr1->count != 1 
+		   || r_crack_names.out.ctr.ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
+		
+		r->out.error_string = talloc_asprintf(mem_ctx, "DsCrackNames failed\n");
+		talloc_free(tmp_ctx);
+		return NT_STATUS_UNSUCCESSFUL;
 	}
 
 	account_dn = r_crack_names.out.ctr.ctr1->array[0].result_name;
 
+
+	/* Now we know the user's DN, open with LDAP, read and modify a few things */
+
 	remote_ldb_url = talloc_asprintf(tmp_ctx, "ldap://%s", 
 					 drsuapi_binding->host);
 	remote_ldb = ldb_wrap_connect(tmp_ctx, remote_ldb_url, 0, NULL);
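Review bot: The new validation branch collapses four distinct failure modes (wrong level, missing ctr1, unexpected count, per-name status) into the single message `"DsCrackNames failed\n"`, which makes a server that returns a non-OK name status indistinguishable from a malformed reply when diagnosing a failed join. A comment stating that the short-circuit order is deliberate, `/* Check level, ctr1 and count before touching array[0]; only then is the per-name status safe to read */`, would protect the ordering from later reshuffling, and the error string could carry the name status when ctr1 and count are valid. The `else` after an unconditional `return` is also unnecessary and could be a plain `if`. The enclosing function starts and ends outside this hunk.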
@@ -546,7 +574,7 @@
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	/* search for the secret record */
+	/* search for the user's record */
 	ldb_ret = ldb_search(remote_ldb, account_dn, LDB_SCOPE_BASE, 
 			     NULL, attrs, &msgs);
 
@@ -558,8 +586,11 @@
 					  ldb_errstring(remote_ldb));
 		return NT_STATUS_UNSUCCESSFUL;
 	}
+
+	/* If we have a kvno recorded in AD, we need it locally as well */
 	r->out.kvno = ldb_msg_find_uint(msgs[0], "msDS-KeyVersionNumber", 0);
 
+	/* Prepare a new message, for the modify */
 	msg = ldb_msg_new(tmp_ctx);
 	if (!msg) {
 		return NT_STATUS_NO_MEMORY;

Modified: branches/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c
===================================================================
--- branches/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c	2005-08-03 04:41:10 UTC (rev 8980)
+++ branches/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c	2005-08-03 05:24:13 UTC (rev 8981)
@@ -163,8 +163,8 @@
 	samdb_msg_add_string(state->sam_ldb, mem_ctx, 
 			     msg, "oEMInformation", domain->comment.string);
 
-	samdb_msg_add_uint64(state->sam_ldb, mem_ctx, 
-			     msg, "forceLogff", domain->force_logoff_time);
+	samdb_msg_add_int64(state->sam_ldb, mem_ctx, 
+			     msg, "forceLogoff", domain->force_logoff_time);
 
 	samdb_msg_add_uint(state->sam_ldb, mem_ctx, 
 			  msg, "minPwdLen", domain->min_password_length);
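Review bot: Besides the spelling fix in the attribute name, this hunk also switches the helper from samdb_msg_add_uint64 to samdb_msg_add_int64, which changes how force_logoff_time is encoded in the ldb; the commit log only mentions typos, so a short comment such as `/* forceLogoff is a signed interval, hence add_int64 */` (assuming that is the reason) would document the intent. Renaming attributes written by the sync (`forceLogoff` here, `modifiedCount` in the hunk at line 176, `userAccountControl` in the hunk at line 185) means records previously written under the misspelt names keep those stale attributes unless something removes them; if that matters for existing databases it deserves a note. The enclosing function starts and ends outside this hunk.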
@@ -179,7 +179,7 @@
 			  msg, "pwdHistoryLength", domain->password_history_length);
 
 	samdb_msg_add_uint64(state->sam_ldb, mem_ctx, 
-			     msg, "modifiedCountAtLastProm", 
+			     msg, "modifiedCount", 
 			     domain->sequence_num);
 
 	samdb_msg_add_uint64(state->sam_ldb, mem_ctx, 
@@ -283,7 +283,7 @@
 	ADD_OR_DEL(uint64, "accountExpires", acct_expiry);
 	
 	if (samdb_msg_add_acct_flags(state->sam_ldb, mem_ctx, msg, 
-				     "userAccountConrol", user->acct_flags) != 0) { 
+				     "userAccountControl", user->acct_flags) != 0) { 
 		return NT_STATUS_NO_MEMORY; 
 	} 
 	


