[SCM] Samba Shared Repository - branch v4-0-test updated

Karolin Seeger kseeger at samba.org
Tue Mar 11 12:33:30 MDT 2014


The branch, v4-0-test has been updated
       via  58cb450 VERSION: Bump version number up to 4.0.17.
       via  887e04b VERSION: Disable git snapshots for the 4.0.16 release.
       via  a656392 WHATSNEW: Add release notes for Samba 4.0.16.
       via  caad2f0 CVE-2013-6442: s3:smbcacls - ensure we don't lose an existing ACL when setting owner or group owner.
       via  e999b98 CVE-2013-4496:Revert remainder of ce895609b04380bfc41e4f8fddc84bd2f9324340
       via  6b8bca5 CVE-2013-4496:samr: Remove ChangePasswordUser
       via  d8b5c1b CVE-2013-4496:s3:auth: fix memory leak in the ACCOUNT_LOCKED_OUT case.
       via  ac0ef44 CVE-2013-4496:s3-samr: Block attempts to crack passwords via repeated password changes
      from  24fec62 s3-spoolssd: Don't register spoolssd if epmd is not running.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit 58cb450bae8cc1b3d73167422dfdeb4d964f3070
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Mar 11 19:31:59 2014 +0100

    VERSION: Bump version number up to 4.0.17.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 887e04b646952c7b59db00bbf72782b8566173f2
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Mar 11 12:00:52 2014 +0100

    VERSION: Disable git snapshots for the 4.0.16 release.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
    CVE-2013-4496: Enforce password lockout for SAMR password
    changes.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10327
    CVE-2013-6442: ensure we don't lose an existing ACL when
    setting owner or group owner.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit a656392aa2be9c11c0f61766341b56e4ded21af4
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Mar 11 11:42:21 2014 +0100

    WHATSNEW: Add release notes for Samba 4.0.16.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
    CVE-2013-4496: Password lockout not enforced for SAMR password
    changes.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10327
    CVE-2013-6442: smbcacls --chown | --chgrp dacl regression
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit caad2f06991c0c9c245f86935d45d405c177f445
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 18 13:56:18 2013 -0800

    CVE-2013-6442: s3:smbcacls - ensure we don't lose an existing ACL when setting owner or group owner.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10327
    Bug 10327 - CVE-2013-6442: smbcacls --chown | --chgrp dacl regression
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e999b98ccead0794007a14326c894d2a4a6d7bea
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 28 06:50:01 2013 +1300

    CVE-2013-4496:Revert remainder of ce895609b04380bfc41e4f8fddc84bd2f9324340
    
    Part of this was removed when ChangePasswordUser was unimplemented,
    but remove the remainder of this flawed commit.  Fully check the
    password first, as extract_pw_from_buffer() already does a partial
    check of the password because it needs a correct old password to
    correctly decrypt the length.
    
    Andrew Bartlett
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6b8bca5d9345517979342ca12cb9f65857c21ca2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 5 16:16:46 2013 +1300

    CVE-2013-4496:samr: Remove ChangePasswordUser
    
    This old password change mechanism does not provide the plaintext to
    validate against password complexity, and it is not used by modern
    clients.
    
    The missing features in both implementations (by design) were:
    
     - the password complexity checks (no plaintext)
     - the minimum password length (no plaintext)
    
    Additionally, the source3 version did not check:
    
     - the minimum password age
     - pdb_get_pass_can_change() which checks the security
       descriptor for the 'user cannot change password' setting.
     - the password history
     - the output of the 'passwd program' if 'unix passwd sync = yes'.
    
    Finally, the mechanism was almost useless, as it was incorrectly
    only made available to administrative users with permission
    to reset the password.  It is removed here so that it is not
    mistakenly reinstated in the future.
    
    Andrew Bartlett
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d8b5c1bb6577102b8e0dcb43be673b09b5187455
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 5 14:04:20 2013 +0100

    CVE-2013-4496:s3:auth: fix memory leak in the ACCOUNT_LOCKED_OUT case.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ac0ef44bc30352fccbbe5fa2ac58a8d5610b0384
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Nov 1 14:55:44 2013 +1300

    CVE-2013-4496:s3-samr: Block attempts to crack passwords via repeated password changes
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                      |    4 +-
 WHATSNEW.txt                                 |   70 +++++++-
 source3/auth/check_samsec.c                  |    1 +
 source3/rpc_server/samr/srv_samr_chgpasswd.c |   55 ++++++
 source3/rpc_server/samr/srv_samr_nt.c        |  111 +-----------
 source3/smbd/lanman.c                        |  254 --------------------------
 source3/utils/smbcacls.c                     |    2 +-
 source4/rpc_server/samr/samr_password.c      |  214 ++++-----------------
 source4/torture/rpc/samr.c                   |    6 +
 9 files changed, 182 insertions(+), 535 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 6eed1e9..8a57f26 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=16
+SAMBA_VERSION_RELEASE=17
 
 ########################################################
 # If a official release has a serious bug              #
@@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=
 # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes               #
 #  ->  "3.0.0-SVN-build-199"                           #
 ########################################################
-SAMBA_VERSION_IS_GIT_SNAPSHOT=yes
+SAMBA_VERSION_IS_GIT_SNAPSHOT=no
 
 ########################################################
 # This is for specifying a release nickname            #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f602152..654a252 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,70 @@
                    ==============================
+                   Release Notes for Samba 4.0.16
+                           March 11, 2014
+                   ==============================
+
+
+This is a security release in order to address
+CVE-2013-4496 (Password lockout not enforced for SAMR password changes) and
+CVE-2013-6442 (smbcacls can remove a file or directory ACL by mistake).
+
+o  CVE-2013-4496:
+   Samba versions 3.4.0 and above allow the administrator to implement
+   locking out Samba accounts after a number of bad password attempts.
+
+   However, all released versions of Samba did not implement this check for
+   password changes, such as are available over multiple SAMR and RAP
+   interfaces, allowing password guessing attacks.
+
+o  CVE-2013-6442:
+   Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
+   smbcacls is used with the "-C|--chown name" or "-G|--chgrp name"
+   command options it will remove the existing ACL on the object being
+   modified, leaving the file or directory unprotected.
+
+
+Changes since 4.0.15:
+---------------------
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 10327: CVE-2013-6442: ensure we don't lose an existing ACL when
+      setting owner or group owner.
+
+
+o   Andrew Bartlett <abartlet at samba.org>
+    * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
+      changes.
+
+
+o   Stefan Metzmacher <metze at samba.org>
+    * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
+      changes.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.0 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   ==============================
                    Release Notes for Samba 4.0.15
                          February 18, 2014
                    ==============================
@@ -75,8 +141,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 4.0.14
diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index 7ed8cc2..94f30b1 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -408,6 +408,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 	/* Quit if the account was locked out. */
 	if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
 		DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username));
+		TALLOC_FREE(sampass);
 		return NT_STATUS_ACCOUNT_LOCKED_OUT;
 	}
 
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index db1f459..1c9c33a 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -1106,6 +1106,8 @@ NTSTATUS pass_oem_change(char *user, const char *rhost,
 	struct samu *sampass = NULL;
 	NTSTATUS nt_status;
 	bool ret = false;
+	bool updated_badpw = false;
+	NTSTATUS update_login_attempts_status;
 
 	if (!(sampass = samu_new(NULL))) {
 		return NT_STATUS_NO_MEMORY;
@@ -1121,6 +1123,13 @@ NTSTATUS pass_oem_change(char *user, const char *rhost,
 		return NT_STATUS_NO_SUCH_USER;
 	}
 
+	/* Quit if the account was locked out. */
+	if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
+		DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", user));
+		TALLOC_FREE(sampass);
+		return NT_STATUS_ACCOUNT_LOCKED_OUT;
+	}
+
 	nt_status = check_oem_password(user,
 				       password_encrypted_with_lm_hash,
 				       old_lm_hash_encrypted,
@@ -1129,6 +1138,52 @@ NTSTATUS pass_oem_change(char *user, const char *rhost,
 				       sampass,
 				       &new_passwd);
 
+	/*
+	 * Notify passdb backend of login success/failure. If not
+	 * NT_STATUS_OK the backend doesn't like the login
+	 */
+	update_login_attempts_status = pdb_update_login_attempts(sampass,
+						NT_STATUS_IS_OK(nt_status));
+
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		bool increment_bad_pw_count = false;
+
+		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) &&
+		    (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) &&
+		    NT_STATUS_IS_OK(update_login_attempts_status))
+		{
+			increment_bad_pw_count = true;
+		}
+
+		if (increment_bad_pw_count) {
+			pdb_increment_bad_password_count(sampass);
+			updated_badpw = true;
+		} else {
+			pdb_update_bad_password_count(sampass,
+						      &updated_badpw);
+		}
+	} else {
+
+		if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) &&
+		    (pdb_get_bad_password_count(sampass) > 0)){
+			pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
+			pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
+			updated_badpw = true;
+		}
+	}
+
+	if (updated_badpw) {
+		NTSTATUS update_status;
+		become_root();
+		update_status = pdb_update_sam_account(sampass);
+		unbecome_root();
+
+		if (!NT_STATUS_IS_OK(update_status)) {
+			DEBUG(1, ("Failed to modify entry: %s\n",
+				  nt_errstr(update_status)));
+		}
+	}
+
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		TALLOC_FREE(sampass);
 		return nt_status;
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 1065f2a..2c9eff2 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -1713,114 +1713,19 @@ NTSTATUS _samr_LookupNames(struct pipes_struct *p,
 }
 
 /****************************************************************
- _samr_ChangePasswordUser
+ _samr_ChangePasswordUser.  
+ 
+ So old it is just not worth implementing
+ because it does not supply a plaintext and so we can't do password
+ complexity checking and cannot update other services that use a
+ plaintext password via passwd chat/pam password change/ldap password
+ sync.
 ****************************************************************/
 
 NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
 				  struct samr_ChangePasswordUser *r)
 {
-	NTSTATUS status;
-	bool ret = false;
-	struct samr_user_info *uinfo;
-	struct samu *pwd;
-	struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
-	struct samr_Password lm_pwd, nt_pwd;
-
-	uinfo = policy_handle_find(p, r->in.user_handle,
-				   SAMR_USER_ACCESS_SET_PASSWORD, NULL,
-				   struct samr_user_info, &status);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
-		  sid_string_dbg(&uinfo->sid)));
-
-	if (!(pwd = samu_new(NULL))) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	become_root();
-	ret = pdb_getsampwsid(pwd, &uinfo->sid);
-	unbecome_root();
-
-	if (!ret) {
-		TALLOC_FREE(pwd);
-		return NT_STATUS_WRONG_PASSWORD;
-	}
-
-	{
-		const uint8_t *lm_pass, *nt_pass;
-
-		lm_pass = pdb_get_lanman_passwd(pwd);
-		nt_pass = pdb_get_nt_passwd(pwd);
-
-		if (!lm_pass || !nt_pass) {
-			status = NT_STATUS_WRONG_PASSWORD;
-			goto out;
-		}
-
-		memcpy(&lm_pwd.hash, lm_pass, sizeof(lm_pwd.hash));
-		memcpy(&nt_pwd.hash, nt_pass, sizeof(nt_pwd.hash));
-	}
-
-	/* basic sanity checking on parameters.  Do this before any database ops */
-	if (!r->in.lm_present || !r->in.nt_present ||
-	    !r->in.old_lm_crypted || !r->in.new_lm_crypted ||
-	    !r->in.old_nt_crypted || !r->in.new_nt_crypted) {
-		/* we should really handle a change with lm not
-		   present */
-		status = NT_STATUS_INVALID_PARAMETER_MIX;
-		goto out;
-	}
-
-	/* decrypt and check the new lm hash */
-	D_P16(lm_pwd.hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
-	D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
-	if (memcmp(checkHash.hash, lm_pwd.hash, 16) != 0) {
-		status = NT_STATUS_WRONG_PASSWORD;
-		goto out;
-	}
-
-	/* decrypt and check the new nt hash */
-	D_P16(nt_pwd.hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
-	D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
-	if (memcmp(checkHash.hash, nt_pwd.hash, 16) != 0) {
-		status = NT_STATUS_WRONG_PASSWORD;
-		goto out;
-	}
-
-	/* The NT Cross is not required by Win2k3 R2, but if present
-	   check the nt cross hash */
-	if (r->in.cross1_present && r->in.nt_cross) {
-		D_P16(lm_pwd.hash, r->in.nt_cross->hash, checkHash.hash);
-		if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
-			status = NT_STATUS_WRONG_PASSWORD;
-			goto out;
-		}
-	}
-
-	/* The LM Cross is not required by Win2k3 R2, but if present
-	   check the lm cross hash */
-	if (r->in.cross2_present && r->in.lm_cross) {
-		D_P16(nt_pwd.hash, r->in.lm_cross->hash, checkHash.hash);
-		if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
-			status = NT_STATUS_WRONG_PASSWORD;
-			goto out;
-		}
-	}
-
-	if (!pdb_set_nt_passwd(pwd, new_ntPwdHash.hash, PDB_CHANGED) ||
-	    !pdb_set_lanman_passwd(pwd, new_lmPwdHash.hash, PDB_CHANGED)) {
-		status = NT_STATUS_ACCESS_DENIED;
-		goto out;
-	}
-
-	status = pdb_update_sam_account(pwd);
- out:
-	TALLOC_FREE(pwd);
-
-	return status;
+	return NT_STATUS_NOT_IMPLEMENTED;
 }
 
 /*******************************************************************
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index e6b9530..1b734a7 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -2948,259 +2948,6 @@ static bool api_NetRemoteTOD(struct smbd_server_connection *sconn,
 }
 
 /****************************************************************************
- Set the user password.
-*****************************************************************************/
-
-static bool api_SetUserPassword(struct smbd_server_connection *sconn,
-				connection_struct *conn,uint64_t vuid,
-				char *param, int tpscnt,
-				char *data, int tdscnt,
-				int mdrcnt,int mprcnt,
-				char **rdata,char **rparam,
-				int *rdata_len,int *rparam_len)
-{
-	char *np = get_safe_str_ptr(param,tpscnt,param,2);
-	char *p = NULL;
-	fstring user;
-	fstring pass1,pass2;
-	TALLOC_CTX *mem_ctx = talloc_tos();
-	NTSTATUS status, result;
-	struct rpc_pipe_client *cli = NULL;
-	struct policy_handle connect_handle, domain_handle, user_handle;
-	struct lsa_String domain_name;
-	struct dom_sid2 *domain_sid;
-	struct lsa_String names;
-	struct samr_Ids rids;
-	struct samr_Ids types;
-	struct samr_Password old_lm_hash;
-	struct samr_Password new_lm_hash;
-	int errcode = NERR_badpass;
-	uint32_t rid;
-	int encrypted;
-	int min_pwd_length;
-	struct dcerpc_binding_handle *b = NULL;
-
-	/* Skip 2 strings. */
-	p = skip_string(param,tpscnt,np);
-	p = skip_string(param,tpscnt,p);
-
-	if (!np || !p) {
-		return False;
-	}
-
-	/* Do we have a string ? */
-	if (skip_string(param,tpscnt,p) == NULL) {
-		return False;
-	}
-	pull_ascii_fstring(user,p);
-
-	p = skip_string(param,tpscnt,p);
-	if (!p) {
-		return False;
-	}
-
-	memset(pass1,'\0',sizeof(pass1));
-	memset(pass2,'\0',sizeof(pass2));
-	/*
-	 * We use 31 here not 32 as we're checking
-	 * the last byte we want to access is safe.
-	 */
-	if (!is_offset_safe(param,tpscnt,p,31)) {
-		return False;
-	}
-	memcpy(pass1,p,16);
-	memcpy(pass2,p+16,16);
-
-	encrypted = get_safe_SVAL(param,tpscnt,p+32,0,-1);
-	if (encrypted == -1) {
-		errcode = W_ERROR_V(WERR_INVALID_PARAM);
-		goto out;
-	}
-
-	min_pwd_length = get_safe_SVAL(param,tpscnt,p+34,0,-1);
-	if (min_pwd_length == -1) {
-		errcode = W_ERROR_V(WERR_INVALID_PARAM);
-		goto out;
-	}
-
-	*rparam_len = 4;
-	*rparam = smb_realloc_limit(*rparam,*rparam_len);
-	if (!*rparam) {
-		return False;
-	}
-
-	*rdata_len = 0;
-
-	DEBUG(3,("Set password for <%s> (encrypted: %d, min_pwd_length: %d)\n",
-		user, encrypted, min_pwd_length));
-
-	ZERO_STRUCT(connect_handle);
-	ZERO_STRUCT(domain_handle);
-	ZERO_STRUCT(user_handle);
-
-	status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
-					conn->session_info,
-					conn->sconn->remote_address,
-					conn->sconn->msg_ctx,
-					&cli);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("api_SetUserPassword: could not connect to samr: %s\n",
-			  nt_errstr(status)));
-		errcode = W_ERROR_V(ntstatus_to_werror(status));
-		goto out;
-	}
-
-	b = cli->binding_handle;
-
-	status = dcerpc_samr_Connect2(b, mem_ctx,
-				      lp_netbios_name(),
-				      SAMR_ACCESS_CONNECT_TO_SERVER |
-				      SAMR_ACCESS_ENUM_DOMAINS |
-				      SAMR_ACCESS_LOOKUP_DOMAIN,
-				      &connect_handle,
-				      &result);
-	if (!NT_STATUS_IS_OK(status)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(status));
-		goto out;
-	}
-	if (!NT_STATUS_IS_OK(result)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(result));
-		goto out;
-	}
-
-	init_lsa_String(&domain_name, get_global_sam_name());
-
-	status = dcerpc_samr_LookupDomain(b, mem_ctx,
-					  &connect_handle,
-					  &domain_name,
-					  &domain_sid,
-					  &result);
-	if (!NT_STATUS_IS_OK(status)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(status));
-		goto out;
-	}
-	if (!NT_STATUS_IS_OK(result)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(result));
-		goto out;
-	}
-
-	status = dcerpc_samr_OpenDomain(b, mem_ctx,
-					&connect_handle,
-					SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
-					domain_sid,
-					&domain_handle,
-					&result);
-	if (!NT_STATUS_IS_OK(status)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(status));
-		goto out;
-	}
-	if (!NT_STATUS_IS_OK(result)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(result));
-		goto out;
-	}
-
-	init_lsa_String(&names, user);
-
-	status = dcerpc_samr_LookupNames(b, mem_ctx,
-					 &domain_handle,
-					 1,
-					 &names,
-					 &rids,
-					 &types,
-					 &result);
-	if (!NT_STATUS_IS_OK(status)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(status));
-		goto out;
-	}
-	if (!NT_STATUS_IS_OK(result)) {


-- 
Samba Shared Repository


More information about the samba-cvs mailing list