[SCM] Samba Shared Repository - branch v3-3-stable updated - release-3-3-0pre2-77-gdf97ffb

Karolin Seeger kseeger at samba.org
Thu Oct 23 07:56:01 GMT 2008


The branch, v3-3-stable has been updated
       via  df97ffbaf376ea322b30465332cbba0f2af5ce42 (commit)
       via  ed04743ba9362402fc1d92b649cc06783c1b8bfd (commit)
       via  f9152d58889aacff4529929883e841ab3dc9d165 (commit)
       via  fa1f4c9a26839fdd7305e40df8decc684263bbc9 (commit)
       via  96f461fb5cbc99cb0952fd4e9e39df8fbe23c6b9 (commit)
       via  d104f6b53f36cd8e534714f1a3d02bfe32e25965 (commit)
       via  cdf23296ce7fe2bc060a4ef92517f8d7b30652aa (commit)
       via  7d39ee10d3ba9674819182f8d1436d1ee031836c (commit)
       via  2c259d04eff457884d030637c35623bfd27c9ba6 (commit)
       via  14d009a9fbd94e7acb08d5b209439d46b5589f77 (commit)
      from  271d77cc9d3543276ab88da140392b1bcbdc855d (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-stable


- Log -----------------------------------------------------------------
commit df97ffbaf376ea322b30465332cbba0f2af5ce42
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Oct 23 09:24:28 2008 +0200

    WHATSNEW: Update changes since 3.3.0pre2.
    
    Karolin
    (cherry picked from commit 4c6a222272d5e0510472247e49edf341d27a6ecb)

commit ed04743ba9362402fc1d92b649cc06783c1b8bfd
Author: Günther Deschner <gd at samba.org>
Date:   Thu Oct 23 01:43:06 2008 +0200

    netapi: NetGroupEnum_r needs to handle servers with no groups.
    
    Guenther
    (cherry picked from commit 9d325aef4ba694c6adfc0b951baafdee9057ed43)

commit f9152d58889aacff4529929883e841ab3dc9d165
Author: Günther Deschner <gd at samba.org>
Date:   Thu Oct 23 01:42:27 2008 +0200

    s3-samr-server: _samr_DeleteUser needs to wipe out the user_handle on success.
    
    Guenther
    (cherry picked from commit 8a0054c6d273049bea235803db25912f6cf03610)

commit fa1f4c9a26839fdd7305e40df8decc684263bbc9
Author: Günther Deschner <gd at samba.org>
Date:   Wed Oct 22 23:16:19 2008 +0200

    s3-samr-server: fix access check in _samr_QuerySecurity().
    
    Guenther
    (cherry picked from commit 7693d853933e1d7ece9261847bab53e2b73dfa50)

commit 96f461fb5cbc99cb0952fd4e9e39df8fbe23c6b9
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Oct 22 13:29:21 2008 -0700

    Janitor for Guenther, "fix _lsa_GetUserName."
    Jeremy.
    (cherry picked from commit 5ee3d6c3b1394e705691247b471c4511244a97af)

commit d104f6b53f36cd8e534714f1a3d02bfe32e25965
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Oct 22 13:21:13 2008 -0700

    Fix net rpc vampire, based on an *amazing* piece of debugging work by "Cooper S. Blake" <the_analogkid at yahoo.com>.
    
    "I believe I have found two bugs in the 3.2 code and one bug that
    carried on to the 3.3 branch.  In the 3.2 code, everything is
    located in the utils/net_rpc_samsync.c file.  What I believe is the
    first problem is that fetch_database() is calling
    samsync_fix_delta_array() with rid_crypt set to true, which means
    the password hashes are unencrypted from the RID encryption.
    However, I believe this call is redundant, and the corresponding
    call for samdump has rid_crypt set to false.  So I think the
    rid_crypt param should be false in fetch_database().
    
    If you follow the code, it makes its way to sam_account_from_delta()
    where the password hashes are decrypted a second time by calling
    sam_pwd_hash().  I believe this is what is scrambling my passwords.
    
    These methods were refactored somewhere in the 3.3 branch.  Now the
    net_rpc_samsync.c class calls rpc_vampire_internals, which calls
    libnet/libnet_samsync.c, which calls samsync_fix_delta_array() with
    rid_crypt always set to false.  I think that's correct.  But the
    second bug has carried through in the sam_account_from_delta()
    function:
    
        if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
                sam_pwd_hash(r->rid, r->ntpassword.hash, lm_passwd, 0);
                pdb_set_lanman_passwd(account, lm_passwd, PDB_CHANGED);
        }
    
        if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
                sam_pwd_hash(r->rid, r->lmpassword.hash, nt_passwd, 0);
                pdb_set_nt_passwd(account, nt_passwd, PDB_CHANGED);
    
    If you look closely you'll see that the nt hash is going into the
    lm_passwd variable and the decrypted value is being set in the lanman
    hash, and the lanman hash is being decrypted and put into the nt hash
    field.  So the LanMan and NT hashes look like they're being put in
    the opposite fields."
    
    Fix this by removing the rid_crypt parameter.
    Jeremy.
    (cherry picked from commit 3690f2d87549840b5408771d2596069ff1732fc5)

commit cdf23296ce7fe2bc060a4ef92517f8d7b30652aa
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Oct 22 14:26:05 2008 +0200

    Fix bug 5840: Segfault in "rpcclient lsaaddacctrights"
    (cherry picked from commit da21102b557d809009d59aa7dff3c55e72a3afea)

commit 7d39ee10d3ba9674819182f8d1436d1ee031836c
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Oct 21 18:06:01 2008 -0700

    Cope with MAXIMUM_ALLOWED_ACCESS requests when opening handles.
    Jeremy.
    (cherry picked from commit 9c0fc1d83ceae0ac78b8ea2408e6c385402b6f86)

commit 2c259d04eff457884d030637c35623bfd27c9ba6
Author: Andreas Schneider <mail at cynapses.org>
Date:   Mon Oct 20 17:35:42 2008 +0200

    Delete the krb5 ccname variable from the PAM environment if set.
    
    If winbind sets the KRB5CCNAME variable it should unset it when
    the cache gets destroyed.
    (cherry picked from commit e61a0cc2cd51c97df316377f74dd6c9430c5f7cc)

commit 14d009a9fbd94e7acb08d5b209439d46b5589f77
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Oct 20 16:52:11 2008 -0700

    Remove the requirement for ldap call made as root. Add in security
    checks for all SAMR calls.
    Jeremy.
    (cherry picked from commit 6873be9cc7a6700a5b32c140738d40112d32c229)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                           |   13 +++
 source/include/proto.h                 |    1 +
 source/lib/netapi/group.c              |    2 +-
 source/lib/smbldap.c                   |    7 --
 source/lib/util_sid.c                  |   11 +++
 source/libnet/libnet_samsync.c         |   53 ++++++++-----
 source/libnet/libnet_samsync_display.c |   11 +--
 source/libnet/libnet_samsync_keytab.c  |    5 +-
 source/libnet/libnet_samsync_ldif.c    |   11 +--
 source/libnet/libnet_samsync_passdb.c  |   15 ++--
 source/nsswitch/pam_winbind.c          |    7 ++
 source/rpc_server/srv_lsa_nt.c         |   27 +++++--
 source/rpc_server/srv_samr_nt.c        |  133 +++++++++++++++++++++++++++++--
 source/rpcclient/cmd_lsarpc.c          |    5 +-
 source/utils/net_rpc.c                 |   11 ---
 15 files changed, 230 insertions(+), 82 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cd64f6d..1925866 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -180,6 +180,10 @@ o   Jeremy Allison <jra at samba.org>
     * Correctly fix smbclient to terminate on eof from server.
     * Fix client timeout when searching for a large number of cups printers.
     * Unify access checks for lsa server functions.
+    * Remove the requirement for ldap call made as root.
+    * Cope with MAXIMUM_ALLOWED_ACCESS requests when opening handles.
+    * Fix net rpc vampire, based on an *amazing* piece of debugging work by
+      "Cooper S. Blake" <the_analogkid at yahoo.com>.
 
 
 o   Gerald (Jerry) Carter <jerry at samba.org>
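Review bot: The new entry "Remove the requirement for ldap call made as root." under Jeremy Allison drops the second half of that commit's subject, "Add in security checks for all SAMR calls", which is the part an administrator reading the release notes most needs to see. Suggest listing it as its own bullet so the removal of the root requirement is visibly paired with the compensating checks.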
@@ -189,6 +193,10 @@ o   Gerald (Jerry) Carter <jerry at samba.org>
 
 o   Günther Deschner <gd at samba.org>
     * Ensure consistency when reporting password complexity.
+    * Fix _lsa_GetUserName.
+    * Fix access check in _samr_QuerySecurity().
+    * _samr_DeleteUser needs to wipe out the user_handle on success.
+    * NetGroupEnum_r needs to handle servers with no groups.
 
 
 o   Jeff Layton <jlayton at redhat.com>
@@ -198,6 +206,7 @@ o   Jeff Layton <jlayton at redhat.com>
 
 o   Volker Lendecke <vl at samba.org>
     * BUG 5691: Fig smbd panic on Solaris.
+    * BUG 5840: Fix segfault in "rpcclient lsaaddacctrights".
     * Fix a potential NULL deref in found by the IBM Checker.
     * Fix an uninitialized variable found by the IBM Checker.
     * Fix an unlikely memleak found by the IBM Checker.
@@ -215,6 +224,10 @@ o   Tim Prouty <tim.prouty at isilon.com>
     * Fix several build warnings.
 
 
+o   Andreas Schneider <mail at cynapses.org>
+    * Delete the krb5 ccname variable from the PAM environment if set.
+
+
 Commit Highlights:
 ------------------
 
diff --git a/source/include/proto.h b/source/include/proto.h
index d69de44..bbe6319 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -1507,6 +1507,7 @@ void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, size_t *num);
 bool add_rid_to_array_unique(TALLOC_CTX *mem_ctx,
 				    uint32 rid, uint32 **pp_rids, size_t *p_num);
 bool is_null_sid(const DOM_SID *sid);
+bool is_sid_in_token(const NT_USER_TOKEN *token, const DOM_SID *sid);
 NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 			      const struct netr_SamInfo3 *info3,
 			      DOM_SID **user_sids,
diff --git a/source/lib/netapi/group.c b/source/lib/netapi/group.c
index c3fccb4..a78c784 100644
--- a/source/lib/netapi/group.c
+++ b/source/lib/netapi/group.c
@@ -1243,7 +1243,7 @@ WERROR NetGroupEnum_r(struct libnetapi_ctx *ctx,
 		goto done;
 	}
 
-	if (r->out.resume_handle) {
+	if (r->out.resume_handle && info.info3.count > 0) {
 		*r->out.resume_handle =
 			info.info3.entries[info.info3.count-1].idx;
 	}
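Review bot: When info.info3.count is 0, the new guard in `if (r->out.resume_handle && info.info3.count > 0)` skips the write entirely, so *r->out.resume_handle keeps whatever value the caller passed in. That avoids the entries[count-1] underflow, but a caller looping on the resume handle cannot tell "no groups" from "handle unchanged". Suggest either writing a defined value in an else branch or adding a comment stating that the handle is intentionally left untouched for an empty result.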
diff --git a/source/lib/smbldap.c b/source/lib/smbldap.c
index 93494d6..9c2ee3a 100644
--- a/source/lib/smbldap.c
+++ b/source/lib/smbldap.c
@@ -1025,13 +1025,6 @@ static int smbldap_open(struct smbldap_state *ldap_state)
 	int rc, opt_rc;
 	bool reopen = False;
 	SMB_ASSERT(ldap_state);
-		
-#ifndef NO_LDAP_SECURITY
-	if (geteuid() != 0) {
-		DEBUG(0, ("smbldap_open: cannot access LDAP when not root\n"));
-		return  LDAP_INSUFFICIENT_ACCESS;
-	}
-#endif
 
 	if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + SMBLDAP_DONT_PING_TIME) < time(NULL))) {
 
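Review bot: Removing the geteuid() != 0 test at the top of smbldap_open() takes away the only privilege guard visible in this function, and nothing is left behind to say where that enforcement now lives. The commit message says the replacement is "security checks for all SAMR calls"; suggest a short comment here stating that callers are responsible for access control before reaching LDAP, and checking whether NO_LDAP_SECURITY is still referenced anywhere once this use is gone.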
diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c
index 53614ed..f656bb1 100644
--- a/source/lib/util_sid.c
+++ b/source/lib/util_sid.c
@@ -664,6 +664,17 @@ bool is_null_sid(const DOM_SID *sid)
 	return sid_equal(sid, &null_sid);
 }
 
+bool is_sid_in_token(const NT_USER_TOKEN *token, const DOM_SID *sid)
+{
+        int i;
+
+        for (i=0; i<token->num_sids; i++) {
+                if (sid_compare(sid, &token->user_sids[i]) == 0)
+                        return true;
+        }
+        return false;
+}
+
 NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 			      const struct netr_SamInfo3 *info3,
 			      DOM_SID **user_sids,
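Review bot: is_sid_in_token() dereferences token with no NULL check and walks the array with a signed `int i` compared against token->num_sids. Since this helper now feeds an access decision, suggest returning false early for a NULL token and declaring the counter with the same type as num_sids. The body is also indented with spaces while the surrounding context lines use tabs.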
diff --git a/source/libnet/libnet_samsync.c b/source/libnet/libnet_samsync.c
index daf27ff..ad1b20a 100644
--- a/source/libnet/libnet_samsync.c
+++ b/source/libnet/libnet_samsync.c
@@ -33,7 +33,6 @@
 
 static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
 			 DATA_BLOB *session_key,
-			 bool rid_crypt,
 			 enum netr_SamDatabaseID database_id,
 			 struct netr_DELTA_ENUM *delta)
 {
@@ -42,17 +41,29 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
 	struct netr_DELTA_USER *user = delta->delta_union.user;
 	struct samr_Password lm_hash;
 	struct samr_Password nt_hash;
+	unsigned char zero_buf[16];
 
-	if (rid_crypt) {
-		if (user->lm_password_present) {
+	memset(zero_buf, '\0', sizeof(zero_buf));
+
+	/* Note that win2000 may send us all zeros
+	 * for the hashes if it doesn't
+	 * think this channel is secure enough. */
+	if (user->lm_password_present) {
+		if (memcmp(user->lmpassword.hash, zero_buf, 16) != 0) {
 			sam_pwd_hash(rid, user->lmpassword.hash, lm_hash.hash, 0);
-			user->lmpassword = lm_hash;
+		} else {
+			memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
 		}
+		user->lmpassword = lm_hash;
+	}
 
-		if (user->nt_password_present) {
+	if (user->nt_password_present) {
+		if (memcmp(user->ntpassword.hash, zero_buf, 16) != 0) {
 			sam_pwd_hash(rid, user->ntpassword.hash, nt_hash.hash, 0);
-			user->ntpassword = nt_hash;
+		} else {
+			memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
 		}
+		user->ntpassword = nt_hash;
 	}
 
 	if (user->user_private_info.SensitiveData) {
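Review bot: With rid_crypt gone, fix_user() now always RID-decrypts non-zero hashes, so its contract has changed from "optionally decrypt" to "hashes leave this function decrypted", but nothing in the function says so. A one-line comment above the lm_password_present block stating that consumers must not call sam_pwd_hash() again would guard against the double-decrypt described in the commit message returning. Minor: the memcmp calls hard-code 16 while the memset calls use sizeof; `sizeof(zero_buf)` in both places would keep them in step.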
@@ -72,26 +83,31 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
 			return ndr_map_error2ntstatus(ndr_err);
 		}
 
+		/* Note that win2000 may send us all zeros
+		 * for the hashes if it doesn't
+		 * think this channel is secure enough. */
 		if (keys.keys.keys2.lmpassword.length == 16) {
-			if (rid_crypt) {
+			if (memcmp(keys.keys.keys2.lmpassword.pwd.hash,
+					zero_buf, 16) != 0) {
 				sam_pwd_hash(rid,
-					     keys.keys.keys2.lmpassword.pwd.hash,
-					     lm_hash.hash, 0);
-				user->lmpassword = lm_hash;
+					keys.keys.keys2.lmpassword.pwd.hash,
+					lm_hash.hash, 0);
 			} else {
-				user->lmpassword = keys.keys.keys2.lmpassword.pwd;
+				memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
 			}
+			user->lmpassword = lm_hash;
 			user->lm_password_present = true;
 		}
 		if (keys.keys.keys2.ntpassword.length == 16) {
-			if (rid_crypt) {
+			if (memcmp(keys.keys.keys2.ntpassword.pwd.hash,
+						zero_buf, 16) != 0) {
 				sam_pwd_hash(rid,
-					     keys.keys.keys2.ntpassword.pwd.hash,
-					     nt_hash.hash, 0);
-				user->ntpassword = nt_hash;
+					keys.keys.keys2.ntpassword.pwd.hash,
+					nt_hash.hash, 0);
 			} else {
-				user->ntpassword = keys.keys.keys2.ntpassword.pwd;
+				memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
 			}
+			user->ntpassword = nt_hash;
 			user->nt_password_present = true;
 		}
 		/* TODO: rid decrypt history fields */
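Review bot: The sequence "compare against zero_buf, sam_pwd_hash() if non-zero, else memset the output" is now written four times in fix_user(): twice here for keys2.lmpassword and keys2.ntpassword, and twice in the previous hunk. Suggest a small static helper taking the rid, the input hash and the output struct samr_Password, so the zero-hash rule is stated once and the LM and NT paths cannot drift apart. The win2000 comment is also duplicated verbatim and could move to that helper.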
@@ -129,7 +145,6 @@ static NTSTATUS fix_secret(TALLOC_CTX *mem_ctx,
 
 static NTSTATUS samsync_fix_delta(TALLOC_CTX *mem_ctx,
 				  DATA_BLOB *session_key,
-				  bool rid_crypt,
 				  enum netr_SamDatabaseID database_id,
 				  struct netr_DELTA_ENUM *delta)
 {
@@ -140,7 +155,6 @@ static NTSTATUS samsync_fix_delta(TALLOC_CTX *mem_ctx,
 
 			status = fix_user(mem_ctx,
 					  session_key,
-					  rid_crypt,
 					  database_id,
 					  delta);
 			break;
@@ -165,7 +179,6 @@ static NTSTATUS samsync_fix_delta(TALLOC_CTX *mem_ctx,
 
 static NTSTATUS samsync_fix_delta_array(TALLOC_CTX *mem_ctx,
 					DATA_BLOB *session_key,
-					bool rid_crypt,
 					enum netr_SamDatabaseID database_id,
 					struct netr_DELTA_ENUM_ARRAY *r)
 {
@@ -176,7 +189,6 @@ static NTSTATUS samsync_fix_delta_array(TALLOC_CTX *mem_ctx,
 
 		status = samsync_fix_delta(mem_ctx,
 					   session_key,
-					   rid_crypt,
 					   database_id,
 					   &r->delta_enum[i]);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -330,7 +342,6 @@ NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id,
 
 		samsync_fix_delta_array(mem_ctx,
 					&session_key,
-					false,
 					database_id,
 					delta_enum_array);
 
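Review bot: The call to samsync_fix_delta_array() in libnet_samsync() still discards its NTSTATUS return. After this change that function performs the hash decryption for every user delta, so a failure inside fix_user() (for example the ndr_map_error2ntstatus() path) would go unnoticed and the deltas would be handed on as-is. Suggest capturing the status and bailing out on !NT_STATUS_IS_OK(status).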
diff --git a/source/libnet/libnet_samsync_display.c b/source/libnet/libnet_samsync_display.c
index 6f7ae4e..47c032a 100644
--- a/source/libnet/libnet_samsync_display.c
+++ b/source/libnet/libnet_samsync_display.c
@@ -59,21 +59,20 @@ static void display_account_info(uint32_t rid,
 				 struct netr_DELTA_USER *r)
 {
 	fstring hex_nt_passwd, hex_lm_passwd;
-	uchar lm_passwd[16], nt_passwd[16];
-	static uchar zero_buf[16];
+	uchar zero_buf[16];
+
+	memset(zero_buf, '\0', sizeof(zero_buf));
 
 	/* Decode hashes from password hash (if they are not NULL) */
 
 	if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
-		sam_pwd_hash(r->rid, r->lmpassword.hash, lm_passwd, 0);
-		pdb_sethexpwd(hex_lm_passwd, lm_passwd, r->acct_flags);
+		pdb_sethexpwd(hex_lm_passwd, r->lmpassword.hash, r->acct_flags);
 	} else {
 		pdb_sethexpwd(hex_lm_passwd, NULL, 0);
 	}
 
 	if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
-		sam_pwd_hash(r->rid, r->ntpassword.hash, nt_passwd, 0);
-		pdb_sethexpwd(hex_nt_passwd, nt_passwd, r->acct_flags);
+		pdb_sethexpwd(hex_nt_passwd, r->ntpassword.hash, r->acct_flags);
 	} else {
 		pdb_sethexpwd(hex_nt_passwd, NULL, 0);
 	}
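Review bot: The comment "Decode hashes from password hash (if they are not NULL)" in display_account_info() is now stale: after this hunk the function no longer calls sam_pwd_hash() and only hex-encodes r->lmpassword.hash and r->ntpassword.hash. Suggest rewording it to say the hashes arrive already decrypted and are only formatted here.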
diff --git a/source/libnet/libnet_samsync_keytab.c b/source/libnet/libnet_samsync_keytab.c
index 9e666ce..4b0cc06 100644
--- a/source/libnet/libnet_samsync_keytab.c
+++ b/source/libnet/libnet_samsync_keytab.c
@@ -78,20 +78,17 @@ static NTSTATUS fetch_sam_entry_keytab(TALLOC_CTX *mem_ctx,
 				       bool last_query,
 				       struct libnet_keytab_context *ctx)
 {
-	uchar nt_passwd[16];
 	struct libnet_keytab_entry entry;
 
 	if (memcmp(r->ntpassword.hash, ctx->zero_buf, 16) == 0) {
 		return NT_STATUS_OK;
 	}
 
-	sam_pwd_hash(rid, r->ntpassword.hash, nt_passwd, 0);
-
 	entry.name = talloc_strdup(mem_ctx, r->account_name.string);
 	entry.principal = talloc_asprintf(mem_ctx, "%s@%s",
 					  r->account_name.string,
 					  ctx->dns_domain_name);
-	entry.password = data_blob_talloc(mem_ctx, nt_passwd, 16);
+	entry.password = data_blob_talloc(mem_ctx, r->ntpassword.hash, 16);
 	entry.kvno = ads_get_kvno(ctx->ads, entry.name);
 	entry.enctype = ENCTYPE_NULL;
 
diff --git a/source/libnet/libnet_samsync_ldif.c b/source/libnet/libnet_samsync_ldif.c
index cbae22a..dd5380b 100644
--- a/source/libnet/libnet_samsync_ldif.c
+++ b/source/libnet/libnet_samsync_ldif.c
@@ -576,15 +576,16 @@ static NTSTATUS fetch_account_info_to_ldif(TALLOC_CTX *mem_ctx,
 	fstring username, logonscript, homedrive, homepath = "", homedir = "";
 	fstring hex_nt_passwd, hex_lm_passwd;
 	fstring description, profilepath, fullname, sambaSID;
-	uchar lm_passwd[16], nt_passwd[16];
 	char *flags, *user_rdn;
 	const char *ou;
 	const char* nopasswd = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
-	static uchar zero_buf[16];
+	uchar zero_buf[16];
 	uint32 rid = 0, group_rid = 0, gidNumber = 0;
 	time_t unix_time;
 	int i;
 
+	memset(zero_buf, '\0', sizeof(zero_buf));
+
 	/* Get the username */
 	fstrcpy(username, r->account_name.string);
 
@@ -630,14 +631,12 @@ static NTSTATUS fetch_account_info_to_ldif(TALLOC_CTX *mem_ctx,
 
 	/* Get lm and nt password data */
 	if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
-		sam_pwd_hash(r->rid, r->lmpassword.hash, lm_passwd, 0);
-		pdb_sethexpwd(hex_lm_passwd, lm_passwd, r->acct_flags);
+		pdb_sethexpwd(hex_lm_passwd, r->lmpassword.hash, r->acct_flags);
 	} else {
 		pdb_sethexpwd(hex_lm_passwd, NULL, 0);
 	}
 	if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
-		sam_pwd_hash(r->rid, r->ntpassword.hash, nt_passwd, 0);
-		pdb_sethexpwd(hex_nt_passwd, nt_passwd, r->acct_flags);
+		pdb_sethexpwd(hex_nt_passwd, r->ntpassword.hash, r->acct_flags);
 	} else {
 		pdb_sethexpwd(hex_nt_passwd, NULL, 0);
 	}
diff --git a/source/libnet/libnet_samsync_passdb.c b/source/libnet/libnet_samsync_passdb.c
index 7d07bcb..1faef7b 100644
--- a/source/libnet/libnet_samsync_passdb.c
+++ b/source/libnet/libnet_samsync_passdb.c
@@ -40,8 +40,9 @@ static NTSTATUS sam_account_from_delta(struct samu *account,
 {
 	const char *old_string, *new_string;
 	time_t unix_time, stored_time;
-	uchar lm_passwd[16], nt_passwd[16];
-	static uchar zero_buf[16];
+	uchar zero_buf[16];
+
+	memset(zero_buf, '\0', sizeof(zero_buf));
 
 	/* Username, fullname, home dir, dir drive, logon script, acct
 	   desc, workstations, profile. */
@@ -205,14 +206,12 @@ static NTSTATUS sam_account_from_delta(struct samu *account,
 	   think this channel is secure enough - don't set the passwords at all
 	   in that case
 	*/
-	if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
-		sam_pwd_hash(r->rid, r->ntpassword.hash, lm_passwd, 0);
-		pdb_set_lanman_passwd(account, lm_passwd, PDB_CHANGED);
+	if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
+		pdb_set_lanman_passwd(account, r->lmpassword.hash, PDB_CHANGED);
 	}
 
-	if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
-		sam_pwd_hash(r->rid, r->lmpassword.hash, nt_passwd, 0);
-		pdb_set_nt_passwd(account, nt_passwd, PDB_CHANGED);
+	if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
+		pdb_set_nt_passwd(account, r->ntpassword.hash, PDB_CHANGED);
 	}
 
 	/* TODO: account expiry time */
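Review bot: The corrected block in sam_account_from_delta() is only right because the hashes in r have already been RID-decrypted upstream, yet the comment above it only covers the all-zero case. Suggest adding a sentence there that r->lmpassword.hash and r->ntpassword.hash are already decrypted, so nobody reintroduces a sam_pwd_hash() call here. Given that the previous code stored each hash in the other field, a test that round-trips one account with distinct LM and NT hashes would be worth having.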
diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index beb0d47..5593114 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -2428,6 +2428,13 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
 	}
 
 out:
+	/*
+	 * Delete the krb5 ccname variable from the PAM environment
+	 * if it was set by winbind.
+	 */
+	if (ctx->ctrl & WINBIND_KRB5_AUTH) {
+		pam_putenv(pamh, "KRB5CCNAME");
+	}
 
 	_PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, retval);
 
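Review bot: The return value of `pam_putenv(pamh, "KRB5CCNAME");` at the out: label is ignored, and the condition does not match the comment. The comment says the variable is removed "if it was set by winbind", but the test is only `ctx->ctrl & WINBIND_KRB5_AUTH`, which is true whenever the option is enabled regardless of who set KRB5CCNAME. Suggest either tracking that winbind set the variable, or rewording the comment, and logging a failure from pam_putenv().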
diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c
index 910b302..77eecaf 100644
--- a/source/rpc_server/srv_lsa_nt.c
+++ b/source/rpc_server/srv_lsa_nt.c
@@ -1462,6 +1462,16 @@ NTSTATUS _lsa_GetUserName(pipes_struct *p,
 	struct lsa_String *account_name = NULL;
 	struct lsa_String *authority_name = NULL;
 
+	if (r->in.account_name &&
+	   *r->in.account_name) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (r->in.authority_name &&
+	   *r->in.authority_name) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	if (p->server_info->guest) {
 		/*
 		 * I'm 99% sure this is not the right place to do this,
@@ -1481,17 +1491,20 @@ NTSTATUS _lsa_GetUserName(pipes_struct *p,
 	if (!account_name) {
 		return NT_STATUS_NO_MEMORY;
 	}
+	init_lsa_String(account_name, username);
 
-	authority_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_String);
-	if (!authority_name) {
-		return NT_STATUS_NO_MEMORY;
+	if (r->out.authority_name) {
+		authority_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_String);
+		if (!authority_name) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		init_lsa_String(authority_name, domname);
 	}
 
-	init_lsa_String(account_name, username);
-	init_lsa_String(authority_name, domname);
-
 	*r->out.account_name = account_name;
-	*r->out.authority_name = authority_name;
+	if (r->out.authority_name) {
+		*r->out.authority_name = authority_name;
+	}
 
 	return NT_STATUS_OK;
 }
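Review bot: `*r->out.account_name = account_name;` is still written unconditionally, while the same hunk now guards every use of r->out.authority_name against NULL. If account_name is a non-optional pointer in the IDL, a short comment saying so would explain the asymmetry; if it can be NULL, it needs the same guard.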
diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index 59728c6..86e5d83 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -5,7 +5,7 @@
  *  Copyright (C) Luke Kenneth Casson Leighton      1996-1997,
  *  Copyright (C) Paul Ashton                       1997,
  *  Copyright (C) Marc Jacobsen			    1999,
- *  Copyright (C) Jeremy Allison                    2001-2005,
+ *  Copyright (C) Jeremy Allison                    2001-2008,
  *  Copyright (C) Jean François Micouleau           1998-2001,
  *  Copyright (C) Jim McDonough <jmcd at us.ibm.com>   2002,
  *  Copyright (C) Gerald (Jerry) Carter             2003-2004,
@@ -248,6 +248,48 @@ static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_requir
 }
 
 /*******************************************************************
+ Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
+********************************************************************/
+
+static void map_max_allowed_access(const NT_USER_TOKEN *token,
+					uint32_t *pacc_requested)
+{
+	if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
+		return;
+	}
+	*pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
+
+	/* At least try for generic read. */
+	*pacc_requested = GENERIC_READ_ACCESS;
+
+	/* root gets anything. */
+	if (geteuid() == sec_initial_uid()) {
+		*pacc_requested |= GENERIC_ALL_ACCESS;
+		return;
+	}
+
+	/* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
+
+	if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
+			is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
+		*pacc_requested |= GENERIC_ALL_ACCESS;
+		return;
+	}
+
+	/* Full access for DOMAIN\Domain Admins. */
+	if ( IS_DC ) {
+		DOM_SID domadmin_sid;
+		sid_copy( &domadmin_sid, get_global_sam_sid() );
+		sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
+		if (is_sid_in_token(token, &domadmin_sid)) {
+			*pacc_requested |= GENERIC_ALL_ACCESS;
+			return;
+		}
+	}
+	/* TODO ! Check privileges. */
+}
+
+/*******************************************************************
  Fetch or create a dispinfo struct.
 ********************************************************************/
 
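Review bot: In map_max_allowed_access(), `*pacc_requested = GENERIC_READ_ACCESS;` assigns rather than ORs, so it overwrites the whole mask. That makes the preceding `*pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;` dead code and silently discards any specific rights the client requested together with MAXIMUM_ALLOWED_ACCESS. If the intent is "at least generic read", use |=; if replacing the mask is intended, drop the masking line and say so in the comment. The comment "Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators" is also missing its closing quote, and the "TODO ! Check privileges." means privilege holders outside these groups get read-only access for now, which deserves a note in the function header.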


-- 
Samba Shared Repository

