[SCM] Samba Shared Repository - branch v3-2-test updated -
initial-v3-2-unstable-692-gf7efc0e
Michael Adam
obnox at samba.org
Mon Dec 17 12:23:01 GMT 2007
The branch, v3-2-test has been updated
via f7efc0eca9426e63b751c07a90265a12bb39cf95 (commit)
via 46bfbf5c8af6c030e67219a29c49fd2d40003b18 (commit)
via 6d0db17a9e255235d40eabc63e91c9f5d4febcde (commit)
via 1d4e0ad1142c61de402c925306f02f5de2c872f6 (commit)
via 280d6cb6c8e834ce0a08769e9187b0f40321716f (commit)
via cd8c0057446a1311a860f6cc3876a113568f6c30 (commit)
from b89f87242b9c949401f3fa9b352211906cb76895 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
- Log -----------------------------------------------------------------
commit f7efc0eca9426e63b751c07a90265a12bb39cf95
Author: Michael Adam <obnox at samba.org>
Date: Wed Dec 12 18:03:20 2007 +0100
Fix for bug #4801: Correctly implement lsa lookup levels for lookupnames.
This patch is still incomplete in that winbindd does not walk
the trusted domains to lookup unqualified names here.
Apart from that this fix should be pretty much complete.
Michael
commit 46bfbf5c8af6c030e67219a29c49fd2d40003b18
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 10:54:05 2007 +0100
Fix flags in caller of lookup_name() in create_builtin_administrators().
Michael
commit 6d0db17a9e255235d40eabc63e91c9f5d4febcde
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 11:55:05 2007 +0100
Fix flags in all callers of lookup_name() in net_sam.c.
Michael
commit 1d4e0ad1142c61de402c925306f02f5de2c872f6
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 11:32:21 2007 +0100
Fix flags in call of lookup_name() in srv_samr_nt.c: can_create().
Use LOOKUP_NAME_LOCAL instead of LOOKUP_NAME_ISOLATED.
Michael
commit 280d6cb6c8e834ce0a08769e9187b0f40321716f
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 10:55:37 2007 +0100
Fix flags in call of lookup_name() in pdb_default_create_alias().
Use new flag LOOKUP_NAME_LOCAL.
Michael
commit cd8c0057446a1311a860f6cc3876a113568f6c30
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 11:28:56 2007 +0100
Add combined flag LOOKUP_NAME_LOCAL.
Presence of LOOKUP_NAME_ISOLATED as the only flag is not the sign
for doing local lookups only but the sign for allowing lookups
of unqualified names. The correct sign is absence of the flag
LOOKUP_NAME_REMOTE.
Michael
-----------------------------------------------------------------------
Summary of changes:
source/auth/token_util.c | 3 +-
source/groupdb/mapping.c | 2 +-
source/include/smb.h | 4 +++
source/passdb/lookup_sid.c | 45 +++++++++++++++++++++++++++-----------
source/rpc_server/srv_lsa_nt.c | 37 ++++++++++++++++++++++++-------
source/rpc_server/srv_samr_nt.c | 4 +-
source/utils/net_sam.c | 32 +++++++++++++-------------
7 files changed, 85 insertions(+), 42 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/auth/token_util.c b/source/auth/token_util.c
index 2415a90..eb8271f 100644
--- a/source/auth/token_util.c
+++ b/source/auth/token_util.c
@@ -249,7 +249,8 @@ static NTSTATUS create_builtin_administrators( void )
return NT_STATUS_NO_MEMORY;
}
fstr_sprintf( root_name, "%s\\root", get_global_sam_name() );
- ret = lookup_name( ctx, root_name, 0, NULL, NULL, &root_sid, &type );
+ ret = lookup_name(ctx, root_name, LOOKUP_NAME_DOMAIN, NULL, NULL,
+ &root_sid, &type);
TALLOC_FREE( ctx );
if ( ret ) {
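Review bot: The flag choice on the `lookup_name(ctx, root_name, LOOKUP_NAME_DOMAIN, ...)` line is correct but unexplained; with lookup_name now gating each step on its flag, a reader has to go to lookup_sid.c to see why DOMAIN alone is enough here. Since root_name is built as `"%s\\root"` from get_global_sam_name() two lines above, the lookup can only ever hit the own-domain passdb step, so a one-line comment would save that trip: `/* root_name is qualified with our own SAM name, so only the passdb step applies */`. create_builtin_administrators starts outside the hunk.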
diff --git a/source/groupdb/mapping.c b/source/groupdb/mapping.c
index 3a3da0a..1ddda58 100644
--- a/source/groupdb/mapping.c
+++ b/source/groupdb/mapping.c
@@ -477,7 +477,7 @@ NTSTATUS pdb_default_create_alias(struct pdb_methods *methods,
return NT_STATUS_NO_MEMORY;
}
- exists = lookup_name(mem_ctx, name, LOOKUP_NAME_ISOLATED,
+ exists = lookup_name(mem_ctx, name, LOOKUP_NAME_LOCAL,
NULL, NULL, &sid, &type);
TALLOC_FREE(mem_ctx);
diff --git a/source/include/smb.h b/source/include/smb.h
index a725ae1..1222c9a 100644
--- a/source/include/smb.h
+++ b/source/include/smb.h
@@ -254,6 +254,10 @@ typedef uint64_t NTTIME;
#define LOOKUP_NAME_BUILTIN 0x00000010 /* builtin names */
#define LOOKUP_NAME_WKN 0x00000020 /* well known names */
#define LOOKUP_NAME_DOMAIN 0x00000040 /* only lookup own domain */
+#define LOOKUP_NAME_LOCAL (LOOKUP_NAME_ISOLATED\
+ |LOOKUP_NAME_BUILTIN\
+ |LOOKUP_NAME_WKN\
+ |LOOKUP_NAME_DOMAIN)
#define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED\
|LOOKUP_NAME_REMOTE\
|LOOKUP_NAME_BUILTIN\
diff --git a/source/passdb/lookup_sid.c b/source/passdb/lookup_sid.c
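Review bot: The new LOOKUP_NAME_LOCAL macro is the only LOOKUP_NAME_* define in this block without a trailing comment, and the rationale given in the commit message (local means "LOOKUP_NAME_REMOTE absent", not "ISOLATED alone") is exactly what a caller choosing between ISOLATED, LOCAL and ALL needs to see in the header. Suggest `#define LOOKUP_NAME_LOCAL (LOOKUP_NAME_ISOLATED\ ... ) /* all local lookups: everything except LOOKUP_NAME_REMOTE */`, matching the style of the neighbouring defines. The macro keeps its value in sync with LOOKUP_NAME_ALL minus REMOTE only by hand, so the comment should also say that the two are expected to differ only in that bit.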
index 3096fde..c7ffe5f 100644
--- a/source/passdb/lookup_sid.c
+++ b/source/passdb/lookup_sid.c
@@ -59,16 +59,19 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
name = talloc_strdup(tmp_ctx, full_name);
}
- DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n",
- full_name, domain, name));
-
if ((domain == NULL) || (name == NULL)) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
- if (strequal(domain, get_global_sam_name())) {
+ DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n",
+ full_name, domain, name));
+ DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
+
+ if ((flags & LOOKUP_NAME_DOMAIN) &&
+ strequal(domain, get_global_sam_name()))
+ {
/* It's our own domain, lookup the name in passdb */
if (lookup_global_sam_name(name, flags, &rid, &type)) {
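Review bot: The added debug line `DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));` has a literal `0` after `0x`, so flags 0x40 is printed as `0x040` and 0x10 as `0x010`, which reads like a different value when someone is tracing why a lookup was gated off. Use `DEBUG(10, ("lookup_name: flags = 0x%x\n", flags));`. Moving the first DEBUG below the NULL check is a good change and needs nothing further. lookup_name continues outside the hunk on both sides.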
@@ -80,8 +83,9 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
return false;
}
- if (strequal(domain, builtin_domain_name())) {
-
+ if ((flags & LOOKUP_NAME_BUILTIN) &&
+ strequal(domain, builtin_domain_name()))
+ {
/* Explicit request for a name in BUILTIN */
if (lookup_builtin_name(name, &rid)) {
sid_copy(&sid, &global_sid_Builtin);
@@ -97,6 +101,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
* domain yet at this point yet. This comes later. */
if ((domain[0] != '\0') &&
+ (flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) &&
(winbind_lookup_name(domain, name, &sid, &type))) {
goto ok;
}
@@ -131,14 +136,18 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* 1. well-known names */
- if (lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) {
+ if ((flags & LOOKUP_NAME_WKN) &&
+ lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
+ {
type = SID_NAME_WKN_GRP;
goto ok;
}
/* 2. Builtin domain as such */
- if (strequal(name, builtin_domain_name())) {
+ if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) &&
+ strequal(name, builtin_domain_name()))
+ {
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
sid_copy(&sid, &global_sid_Builtin);
@@ -148,7 +157,9 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* 3. Account domain */
- if (strequal(name, get_global_sam_name())) {
+ if ((flags & LOOKUP_NAME_DOMAIN) &&
+ strequal(name, get_global_sam_name()))
+ {
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(3, ("Could not fetch my SID\n"));
TALLOC_FREE(tmp_ctx);
@@ -162,7 +173,9 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* 4. Primary domain */
- if (!IS_DC && strequal(name, lp_workgroup())) {
+ if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC &&
+ strequal(name, lp_workgroup()))
+ {
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(3, ("Could not fetch the domain SID\n"));
TALLOC_FREE(tmp_ctx);
@@ -177,7 +190,9 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* 5. Trusted domains as such, to me it looks as if members don't do
this, tested an XP workstation in a NT domain -- vl */
- if (IS_DC && (pdb_get_trusteddom_pw(name, NULL, &sid, NULL))) {
+ if ((flags & LOOKUP_NAME_REMOTE) && IS_DC &&
+ (secrets_fetch_trusted_domain_password(name, NULL, &sid, NULL)))
+ {
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
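Review bot: Besides adding the LOOKUP_NAME_REMOTE gate, the step-5 condition replaces `pdb_get_trusteddom_pw(name, NULL, &sid, NULL)` with `secrets_fetch_trusted_domain_password(name, NULL, &sid, NULL)`, which none of the six commit messages mention. If pdb_get_trusteddom_pw is the passdb-level abstraction over trusted-domain storage, calling the secrets layer directly bypasses whatever the configured passdb backend does for trusted domains, so this looks like a separate behaviour change that should either be justified in the log or split out. I cannot see the two functions' definitions from here, so treat this as a question rather than a confirmed regression.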
@@ -186,7 +201,9 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* 6. Builtin aliases */
- if (lookup_builtin_name(name, &rid)) {
+ if ((flags & LOOKUP_NAME_BUILTIN) &&
+ lookup_builtin_name(name, &rid))
+ {
domain = talloc_strdup(tmp_ctx, builtin_domain_name());
sid_copy(&sid, &global_sid_Builtin);
sid_append_rid(&sid, rid);
@@ -199,7 +216,9 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* Both cases are done by looking at our passdb */
- if (lookup_global_sam_name(name, flags, &rid, &type)) {
+ if ((flags & LOOKUP_NAME_DOMAIN) &&
+ lookup_global_sam_name(name, flags, &rid, &type))
+ {
domain = talloc_strdup(tmp_ctx, get_global_sam_name());
sid_copy(&sid, get_global_sam_sid());
sid_append_rid(&sid, rid);
diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c
index a1ddc8e..a289196 100644
--- a/source/rpc_server/srv_lsa_nt.c
+++ b/source/rpc_server/srv_lsa_nt.c
@@ -1037,6 +1037,31 @@ NTSTATUS _lsa_lookup_sids3(pipes_struct *p,
return r_u->status;
}
+static int lsa_lookup_level_to_flags(uint16 level)
+{
+ int flags;
+
+ switch (level) {
+ case 1:
+ flags = LOOKUP_NAME_ALL;
+ break;
+ case 2:
+ flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
+ break;
+ case 3:
+ flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
+ break;
+ case 4:
+ case 5:
+ case 6:
+ default:
+ flags = LOOKUP_NAME_NONE;
+ break;
+ }
+
+ return flags;
+}
+
/***************************************************************************
lsa_reply_lookup_names
***************************************************************************/
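Review bot: lsa_lookup_level_to_flags has no comment at all, and the numeric cases 1–6 are the one place in this commit where the wire-level meaning is needed: a reader cannot tell from `case 2:` that it is the domains-only level, or why 4, 5 and 6 collapse to LOOKUP_NAME_NONE alongside the default. Suggest a header comment along the lines of `/* Map an LSA LookupNames lookup_level (MS-LSAT LsapLookupLevel) to LOOKUP_NAME_* flags. Levels 1-3 are implemented; trust-only levels 4-6 and unknown values resolve nothing (LOOKUP_NAME_NONE). */`, and a short `/* not implemented: resolve nothing */` on the shared 4/5/6/default arm so the fall-through reads as deliberate. Returning LOOKUP_NAME_NONE for unknown levels is the safe default and needs no change.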
@@ -1056,10 +1081,7 @@ NTSTATUS _lsa_lookup_names(pipes_struct *p,LSA_Q_LOOKUP_NAMES *q_u, LSA_R_LOOKUP
DEBUG(5,("_lsa_lookup_names: truncating name lookup list to %d\n", num_entries));
}
- /* Probably the lookup_level is some sort of bitmask. */
- if (q_u->lookup_level == 1) {
- flags = LOOKUP_NAME_ALL;
- }
+ flags = lsa_lookup_level_to_flags(q_u->lookup_level);
ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
if (!ref) {
@@ -1125,11 +1147,8 @@ NTSTATUS _lsa_lookup_names2(pipes_struct *p, LSA_Q_LOOKUP_NAMES2 *q_u, LSA_R_LOO
num_entries = MAX_LOOKUP_SIDS;
DEBUG(5,("_lsa_lookup_names2: truncating name lookup list to %d\n", num_entries));
}
-
- /* Probably the lookup_level is some sort of bitmask. */
- if (q_u->lookup_level == 1) {
- flags = LOOKUP_NAME_ALL;
- }
+
+ flags = lsa_lookup_level_to_flags(q_u->lookup_level);
ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
if (ref == NULL) {
diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index 1af4122..cc4b4f3 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -2494,9 +2494,9 @@ static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
become_root();
- /* Lookup in our local databases (only LOOKUP_NAME_ISOLATED set)
+ /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
* whether the name already exists */
- result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_ISOLATED,
+ result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
NULL, NULL, NULL, &type);
unbecome_root();
diff --git a/source/utils/net_sam.c b/source/utils/net_sam.c
index c82c89b..139eed6 100644
--- a/source/utils/net_sam.c
+++ b/source/utils/net_sam.c
@@ -41,7 +41,7 @@ static int net_sam_userset(int argc, const char **argv, const char *field,
return -1;
}
- if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
return -1;
@@ -138,7 +138,7 @@ static int net_sam_set_userflag(int argc, const char **argv, const char *field,
return -1;
}
- if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
return -1;
@@ -222,7 +222,7 @@ static int net_sam_set_pwdmustchangenow(int argc, const char **argv)
return -1;
}
- if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
return -1;
@@ -283,7 +283,7 @@ static int net_sam_set_comment(int argc, const char **argv)
return -1;
}
- if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
return -1;
@@ -569,7 +569,7 @@ static int net_sam_rights_grant(int argc, const char **argv)
return -1;
}
- if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
return -1;
@@ -602,7 +602,7 @@ static int net_sam_rights_revoke(int argc, const char **argv)
return -1;
}
- if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
return -1;
@@ -654,7 +654,7 @@ static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap)
map.gid = grp->gr_gid;
grpname = grp->gr_name;
- if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_ISOLATED,
+ if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
&dom, &name, NULL, NULL)) {
const char *tmp = talloc_asprintf(
@@ -665,7 +665,7 @@ static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap)
grpname = tmp;
}
- if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_ISOLATED,
+ if (lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
NULL, NULL, NULL, NULL)) {
DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
return NT_STATUS_GROUP_EXISTS;
@@ -740,7 +740,7 @@ static NTSTATUS unmap_unix_group(const struct group *grp, GROUP_MAP *pmap)
map.gid = grp->gr_gid;
grpname = grp->gr_name;
- if (!lookup_name(talloc_tos(), grpname, LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), grpname, LOOKUP_NAME_LOCAL,
NULL, NULL, NULL, NULL)) {
DEBUG(3, ("\"%s\" does not exist, can't unmap it\n", grp->gr_name));
return NT_STATUS_NO_SUCH_GROUP;
@@ -836,7 +836,7 @@ static int net_sam_deletelocalgroup(int argc, const char **argv)
return -1;
}
- if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find %s.\n", argv[0]);
return -1;
@@ -929,7 +929,7 @@ static int net_sam_addmem(int argc, const char **argv)
return -1;
}
- if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
&groupdomain, &groupname, &group, &grouptype)) {
d_fprintf(stderr, "Could not find group %s\n", argv[0]);
return -1;
@@ -937,7 +937,7 @@ static int net_sam_addmem(int argc, const char **argv)
/* check to see if the member to be added is a name or a SID */
- if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
&memberdomain, &membername, &member, &membertype))
{
/* try it as a SID */
@@ -1002,13 +1002,13 @@ static int net_sam_delmem(int argc, const char **argv)
return -1;
}
- if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
&groupdomain, &groupname, &group, &grouptype)) {
d_fprintf(stderr, "Could not find group %s\n", argv[0]);
return -1;
}
- if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[1], LOOKUP_NAME_LOCAL,
&memberdomain, &membername, &member, NULL)) {
if (!string_to_sid(&member, argv[1])) {
d_fprintf(stderr, "Could not find member %s\n",
@@ -1060,7 +1060,7 @@ static int net_sam_listmem(int argc, const char **argv)
return -1;
}
- if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
&groupdomain, &groupname, &group, &grouptype)) {
d_fprintf(stderr, "Could not find group %s\n", argv[0]);
return -1;
@@ -1209,7 +1209,7 @@ static int net_sam_show(int argc, const char **argv)
return -1;
}
- if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_ISOLATED,
+ if (!lookup_name(talloc_tos(), argv[0], LOOKUP_NAME_LOCAL,
&dom, &name, &sid, &type)) {
d_fprintf(stderr, "Could not find name %s\n", argv[0]);
return -1;
--
Samba Shared Repository