trusted domains patch n+3
Rafal Szczesniak
mimir at diament.ists.pwr.wroc.pl
Mon Sep 2 07:23:00 GMT 2002
This is a patch consisting of various fixes. Short list
includes:
- using user_info.client_domain structure (from user supplied auth info)
instead of user_info.domain
- new (and soon completely rewritten when generic cache comes
up) make_user_info_map function
- return type NTSTATUS instead of BOOL for make_user_info_map,
make_user_info and make_user_info_for_reply_enc
(the rest of these routines should do the same, imho)
- occasional segfault fix in local groups fetching code when
no uid to unix name can be found by winbind
- additional debug lines for soon-to-be-changed namecache
- samr_r_enum_dom_users parsing fix
- a bit more aesthetics for 'net rpc trustdom list'
Some changes are quite radical, so I expect criticism, especially
from some of the Team members ;-)
Part of this patch is a draft rather than completed proposition
and as such, much of the code may yet be changed.
--
cheers,
+------------------------------------------------------------+
|Rafal 'Mimir' Szczesniak <mimir at diament.ists.pwr.wroc.pl> |
|*BSD, GNU/Linux and Samba /
|__________________________________________________________/
-------------- next part --------------
Index: Makefile.in
===================================================================
RCS file: /cvsroot/samba/source/Makefile.in,v
retrieving revision 1.527
diff -u -r1.527 Makefile.in
--- Makefile.in 30 Aug 2002 12:46:54 -0000 1.527
+++ Makefile.in 2 Sep 2002 10:37:24 -0000
@@ -242,7 +242,8 @@
AUTH_OBJ = auth/auth.o auth/auth_sam.o auth/auth_server.o auth/auth_domain.o \
auth/auth_rhosts.o auth/auth_unix.o auth/auth_util.o auth/auth_winbind.o \
- auth/auth_builtin.o auth/auth_compat.o $(PLAINTEXT_AUTH_OBJ) $(UNIGRP_OBJ)
+ auth/auth_builtin.o auth/auth_compat.o \
+ $(PLAINTEXT_AUTH_OBJ) $(UNIGRP_OBJ)
MANGLE_OBJ = smbd/mangle.o smbd/mangle_hash.o smbd/mangle_map.o smbd/mangle_hash2.o
Index: auth/auth.c
===================================================================
RCS file: /cvsroot/samba/source/auth/auth.c,v
retrieving revision 1.41
diff -u -r1.41 auth.c
--- auth/auth.c 31 Jul 2002 12:17:32 -0000 1.41
+++ auth/auth.c 2 Sep 2002 10:37:26 -0000
@@ -211,7 +211,7 @@
if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) {
return NT_STATUS_LOGON_FAILURE;
}
-
+
for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next)
{
mem_ctx = talloc_init_named("%s authentication for user %s\\%s", auth_method->name,
Index: auth/auth_domain.c
===================================================================
RCS file: /cvsroot/samba/source/auth/auth_domain.c,v
retrieving revision 1.57
diff -u -r1.57 auth_domain.c
--- auth/auth_domain.c 30 Aug 2002 10:46:58 -0000 1.57
+++ auth/auth_domain.c 2 Sep 2002 10:37:27 -0000
@@ -164,13 +164,13 @@
* With NT4.x DC's *all* authentication must be serialized to avoid
* ACCESS_DENIED errors if 2 auths are done from the same machine. JRA.
*/
-
+
if (!grab_server_mutex(server))
return NT_STATUS_NO_LOGON_SERVERS;
/* Attempt connection */
result = cli_full_connection(cli, global_myname, remote_machine,
- &dest_ip, 0, "IPC$", "IPC", "", "", "",0);
+ &dest_ip, 0, "IPC$", "IPC", "", "", "",0);
if (!NT_STATUS_IS_OK(result)) {
release_server_mutex();
@@ -251,7 +251,7 @@
}
/***********************************************************************
- We have been asked to dynamcially determine the IP addresses of
+ We have been asked to dynamically determine the IP addresses of
the PDC and BDC's for DOMAIN, and query them in turn.
************************************************************************/
static NTSTATUS find_connect_pdc(struct cli_state **cli,
@@ -388,7 +388,7 @@
*/
nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx,
- user_info->smb_name.str, user_info->domain.str,
+ user_info->smb_name.str, user_info->client_domain.str,
user_info->wksta_name.str, chal,
user_info->lm_resp, user_info->nt_resp,
&info3);
@@ -552,7 +552,7 @@
* If it is, we should use our own local password file.
*/
- if(strequal(lp_workgroup(), (user_info->domain.str))) {
+ if(strequal(lp_workgroup(), (user_info->client_domain.str))) {
DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n"));
return NT_STATUS_LOGON_FAILURE;
}
@@ -562,14 +562,14 @@
* No need to become_root() as secrets_init() is done at startup.
*/
- if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, &sid, &last_change_time))
+ if (!secrets_fetch_trusted_domain_password(user_info->client_domain.str, &trust_password, &sid, &last_change_time))
{
DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
#ifdef DEBUG_PASSWORD
- DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password));
+ DEBUG(100, ("Trust password for domain %s is: %s\n", user_info->client_domain.str, trust_password));
#endif
E_md4hash(trust_password, trust_md4_password);
SAFE_FREE(trust_password);
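Review bot: The `DEBUG(0, ...)` failure message in this hunk still formats `user_info->domain.str`, although the lookup on the line above it now uses `user_info->client_domain.str`. The log therefore names a different domain from the one whose trust secret was not found; the argument should become `user_info->client_domain.str`. That field comes from the client, so it is worth confirming that it is length- and character-checked before it reaches a level-0 log line (not visible here). The `DEBUG_PASSWORD` line still writes the cleartext trust password to the log, and a comment stating that this build option is for lab debugging only would help. The enclosing function starts and ends outside the hunk.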
@@ -582,7 +582,7 @@
}
#endif
- nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str,
+ nt_status = domain_client_validate(mem_ctx, user_info, user_info->client_domain.str,
(uchar *)auth_context->challenge.data,
server_info, "*" /* Do a lookup */,
lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time);
Index: auth/auth_sam.c
===================================================================
RCS file: /cvsroot/samba/source/auth/auth_sam.c,v
retrieving revision 1.44
diff -u -r1.44 auth_sam.c
--- auth/auth_sam.c 26 Aug 2002 03:08:37 -0000 1.44
+++ auth/auth_sam.c 2 Sep 2002 10:37:28 -0000
@@ -368,7 +368,7 @@
NTSTATUS nt_status;
uint8 user_sess_key[16];
const uint8* lm_hash;
-
+
if (!user_info || !auth_context) {
return NT_STATUS_UNSUCCESSFUL;
}
Index: auth/auth_util.c
===================================================================
RCS file: /cvsroot/samba/source/auth/auth_util.c,v
retrieving revision 1.50
diff -u -r1.50 auth_util.c
--- auth/auth_util.c 30 Aug 2002 18:56:46 -0000 1.50
+++ auth/auth_util.c 2 Sep 2002 10:37:30 -0000
@@ -4,6 +4,7 @@
Copyright (C) Andrew Tridgell 1992-1998
Copyright (C) Andrew Bartlett 2001
Copyright (C) Jeremy Allison 2000-2001
+ Copyright (C) Rafal Szczesniak 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -56,7 +57,7 @@
Add and Delete UNIX users on demand, based on NTSTATUS codes.
****************************************************************************/
-void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status)
+void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status)
{
struct passwd *pwd=NULL;
@@ -81,15 +82,15 @@
Create an auth_usersupplied_data structure
****************************************************************************/
-static BOOL make_user_info(auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *internal_username,
- const char *client_domain,
- const char *domain,
- const char *wksta_name,
- DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
- DATA_BLOB plaintext,
- uint32 auth_flags, BOOL encrypted)
+static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
+ const char *smb_name,
+ const char *internal_username,
+ const char *client_domain,
+ const char *domain,
+ const char *wksta_name,
+ DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
+ DATA_BLOB plaintext,
+ uint32 auth_flags, BOOL encrypted)
{
DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
@@ -97,7 +98,7 @@
*user_info = malloc(sizeof(**user_info));
if (!user_info) {
DEBUG(0,("malloc failed for user_info (size %d)\n", sizeof(*user_info)));
- return False;
+ return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCTP(*user_info);
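Review bot: The allocation check tests `user_info` (the caller's pointer-to-pointer) rather than `*user_info`, so a failed malloc() is not caught and `ZERO_STRUCTP(*user_info)` then writes through NULL. The new `NT_STATUS_NO_MEMORY` return is effectively unreachable as written; the test should be `if (!*user_info) {`. The DEBUG line also reports `sizeof(*user_info)`, which is the pointer size, and passes a size_t to `%d`; `(int)sizeof(**user_info)` would match the allocation. make_user_info's body continues outside this hunk.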
@@ -109,7 +110,7 @@
(*user_info)->smb_name.len = strlen(smb_name);
} else {
free_user_info(user_info);
- return False;
+ return NT_STATUS_NO_MEMORY;
}
(*user_info)->internal_username.str = strdup(internal_username);
@@ -117,7 +118,7 @@
(*user_info)->internal_username.len = strlen(internal_username);
} else {
free_user_info(user_info);
- return False;
+ return NT_STATUS_NO_MEMORY;
}
(*user_info)->domain.str = strdup(domain);
@@ -125,7 +126,7 @@
(*user_info)->domain.len = strlen(domain);
} else {
free_user_info(user_info);
- return False;
+ return NT_STATUS_NO_MEMORY;
}
(*user_info)->client_domain.str = strdup(client_domain);
@@ -133,7 +134,7 @@
(*user_info)->client_domain.len = strlen(client_domain);
} else {
free_user_info(user_info);
- return False;
+ return NT_STATUS_NO_MEMORY;
}
(*user_info)->wksta_name.str = strdup(wksta_name);
@@ -141,7 +142,7 @@
(*user_info)->wksta_name.len = strlen(wksta_name);
} else {
free_user_info(user_info);
- return False;
+ return NT_STATUS_NO_MEMORY;
}
DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
@@ -155,81 +156,143 @@
DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
- return True;
+ return NT_STATUS_OK;
}
/****************************************************************************
Create an auth_usersupplied_data structure after appropriate mapping.
****************************************************************************/
-BOOL make_user_info_map(auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
- const char *wksta_name,
- DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
- DATA_BLOB plaintext,
- uint32 ntlmssp_flags, BOOL encrypted)
+NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
+ const char *smb_name,
+ const char *client_domain,
+ const char *wksta_name,
+ DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
+ DATA_BLOB plaintext, uint32 ntlmssp_flags,
+ BOOL encrypted)
{
- const char *domain;
+ const char *domain = NULL;
fstring internal_username;
fstrcpy(internal_username, smb_name);
- map_username(internal_username);
-
+ map_username(internal_username);
+
DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
client_domain, smb_name, wksta_name));
- if (lp_allow_trusted_domains() && *client_domain) {
+ if (*client_domain) {
/* the client could have given us a workstation name
or other crap for the workgroup - we really need a
way of telling if this domain name is one of our
- trusted domain names
-
- Also don't allow "" as a domain, fixes a Win9X bug
- where it doens't supply a domain for logon script
- 'net use' commands.
-
- The way I do it here is by checking if the fully
- qualified username exists. This is rather reliant
- on winbind, but until we have a better method this
- will have to do
+ trusted domain names...
+ ... and here we do such a check (mimir)
*/
-
- domain = client_domain;
-
- if ((smb_name) && (*smb_name)) { /* Don't do this for guests */
- char *user = NULL;
- if (asprintf(&user, "%s%s%s",
- client_domain, lp_winbind_separator(),
- smb_name) < 0) {
- DEBUG(0, ("make_user_info_map: asprintf() failed!\n"));
- return False;
+
+ if (lp_server_role() == ROLE_DOMAIN_PDC || lp_server_role() == ROLE_DOMAIN_BDC) {
+
+ if (strequal(client_domain, lp_workgroup())) {
+ /*
+ * This is the simplest case - our domain's user attempts
+ * to access this server
+ */
+
+ domain = lp_workgroup();
+ return make_user_info(user_info, smb_name, internal_username,
+ client_domain, domain, wksta_name,
+ lm_pwd, nt_pwd, plaintext, ntlmssp_flags,
+ encrypted);
+
+ } else if (lp_allow_trusted_domains()) {
+ /*
+ * Since we're our domain's DC, just make a lookup in secrets.tdb.
+ * If domain name matches to one of a trusted domains, pass
+ * the args to make_user_info(). If not, return false.
+ */
+
+ int enum_ctx, num_domains, max_num_domains = 5;
+ TRUSTDOM **trust_doms;
+ NTSTATUS nt_status = NT_STATUS_NO_MORE_ENTRIES;
+
+ TALLOC_CTX* mem_ctx = talloc_init_named("client's domain trust checking");
+ enum_ctx = 0;
+
+ do {
+ nt_status = secrets_get_trusted_domains(mem_ctx, &enum_ctx, max_num_domains,
+ &num_domains, &trust_doms);
+ while (num_domains--) {
+ fstring trust_domain;
+ pull_string(NULL, trust_domain, trust_doms[num_domains]->name,
+ FSTRING_LEN, 32, STR_UNICODE);
+
+ if (strequal(trust_domain, client_domain)) {
+
+ talloc_destroy(mem_ctx);
+ domain = lp_workgroup();
+
+ return make_user_info(user_info, smb_name, internal_username,
+ client_domain, domain, wksta_name,
+ lm_pwd, nt_pwd, plaintext, ntlmssp_flags,
+ encrypted);
+ }
+ }
+ } while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
+
+ /* no matching trusted domain found */
+ return NT_STATUS_NO_TRUST_LSA_SECRET;
}
+ } else {
+ /*
+ * We're only a domain member server, so lookup in cache shared
+ * together with winbind. If domain name does not match to one of
+ * our trusted domains, return false.
+ *
+ * TODO: implement the cache, of course!
+ * Right now it's done by testing user name against winbind
+ */
+
+ /*
+ Also don't allow "" as a domain, fixes a Win9X bug
+ where it doesn't supply a domain for logon script
+ 'net use' commands.
+
+ The way I do it here is by checking if the fully
+ qualified username exists. This is rather reliant
+ on winbind, but until we have a better method this
+ will have to do
+ */
+
+ if ((smb_name) && (*smb_name)) { /* Don't do this for guests */
+ char *user = NULL;
+ if (asprintf(&user, "%s%s%s", client_domain,
+ lp_winbind_separator(), smb_name) < 0) {
+ DEBUG(0, ("make_user_info_map: asprintf() failed!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
- DEBUG(5, ("make_user_info_map: testing for user %s\n", user));
+ DEBUG(5, ("make_user_info_map: testing for user %s\n", user));
- if (Get_Pwnam(user) == NULL) {
- DEBUG(5, ("make_user_info_map: test for user %s failed\n", user));
- domain = lp_workgroup();
- DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n",
- client_domain, domain));
+ if (Get_Pwnam(user) == NULL) {
+ DEBUG(5, ("make_user_info_map: test for user %s failed\n", user));
+ domain = lp_workgroup();
+ DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n",
+ client_domain, domain));
+ } else {
+ DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain));
+ }
+ SAFE_FREE(user);
} else {
- DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain));
- }
- SAFE_FREE(user);
+ domain = lp_workgroup();
+ };
+
+ return make_user_info(user_info, smb_name, internal_username,
+ client_domain, domain, wksta_name,
+ lm_pwd, nt_pwd, plaintext, ntlmssp_flags,
+ encrypted);
}
- } else {
- domain = lp_workgroup();
}
- return make_user_info(user_info,
- smb_name, internal_username,
- client_domain, domain,
- wksta_name,
- lm_pwd, nt_pwd,
- plaintext,
- ntlmssp_flags, encrypted);
-
+ /* if flow control ends up here, there must be something wrong */
+ return NT_STATUS_UNSUCCESSFUL;
}
/****************************************************************************
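Review bot: In the member-server branch `domain` is still NULL when `Get_Pwnam(user)` succeeds, because the old `domain = client_domain;` assignment was removed and never restored. The `DEBUG(5, ("... using trusted domain %s\n", domain))` line and the following make_user_info() call, which does `strdup(domain)`, then receive a NULL pointer on a path reached before authentication completes; putting `domain = client_domain;` back ahead of the guest check fixes it. On the DC path `mem_ctx` is destroyed only when a trusted domain matches, so the `return NT_STATUS_NO_TRUST_LSA_SECRET;` exit leaks the talloc context for every logon that names an unknown domain and needs `talloc_destroy(mem_ctx);` before it. `num_domains` should also start at 0 in case secrets_get_trusted_domains() fails without setting it (its contract is not visible here). Separately, an empty `client_domain`, or a DC with trusted domains disabled and a non-matching domain, now falls through to `NT_STATUS_UNSUCCESSFUL`, whereas the old code mapped those cases to `lp_workgroup()`; if that is intended it deserves a comment.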
@@ -245,6 +308,7 @@
const uchar *nt_network_pwd, int nt_pwd_len)
{
BOOL ret;
+ NTSTATUS nt_status;
DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
DATA_BLOB plaintext_blob = data_blob(NULL, 0);
@@ -258,12 +322,14 @@
auth_flags |= AUTH_FLAG_NTLMv2_RESP;
}
- ret = make_user_info_map(user_info,
- smb_name, client_domain,
- wksta_name,
- lm_blob, nt_blob,
- plaintext_blob,
- auth_flags, True);
+ nt_status = make_user_info_map(user_info,
+ smb_name, client_domain,
+ wksta_name,
+ lm_blob, nt_blob,
+ plaintext_blob,
+ auth_flags, True);
+
+ ret = NT_STATUS_IS_OK(nt_status) ? True : False;
data_blob_free(&lm_blob);
data_blob_free(&nt_blob);
@@ -329,6 +395,7 @@
{
BOOL ret;
+ NTSTATUS nt_status;
DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response));
DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response));
DATA_BLOB plaintext_blob = data_blob(NULL, 0);
@@ -338,14 +405,15 @@
if (nt_interactive_pwd)
auth_flags |= AUTH_FLAG_NTLM_RESP;
- ret = make_user_info_map(user_info,
- smb_name, client_domain,
- wksta_name,
- local_lm_blob,
- local_nt_blob,
- plaintext_blob,
- auth_flags, True);
+ nt_status = make_user_info_map(user_info,
+ smb_name, client_domain,
+ wksta_name,
+ local_lm_blob,
+ local_nt_blob,
+ plaintext_blob,
+ auth_flags, True);
+ ret = NT_STATUS_IS_OK(nt_status) ? True : False;
data_blob_free(&local_lm_blob);
data_blob_free(&local_nt_blob);
return ret;
@@ -366,7 +434,7 @@
DATA_BLOB local_lm_blob;
DATA_BLOB local_nt_blob;
- BOOL ret = False;
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
uint32 auth_flags = AUTH_FLAG_NONE;
/*
@@ -397,25 +465,25 @@
}
ret = make_user_info_map(user_info, smb_name,
- client_domain,
- get_remote_machine_name(),
- local_lm_blob,
- local_nt_blob,
- plaintext_password,
- auth_flags, False);
+ client_domain,
+ get_remote_machine_name(),
+ local_lm_blob,
+ local_nt_blob,
+ plaintext_password,
+ auth_flags, False);
data_blob_free(&local_lm_blob);
- return ret;
+ return NT_STATUS_IS_OK(ret) ? True : False;
}
/****************************************************************************
Create an auth_usersupplied_data structure
****************************************************************************/
-BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
- DATA_BLOB lm_resp, DATA_BLOB nt_resp)
+NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
+ const char *smb_name,
+ const char *client_domain,
+ DATA_BLOB lm_resp, DATA_BLOB nt_resp)
{
uint32 auth_flags = AUTH_FLAG_NONE;
@@ -450,14 +518,17 @@
DATA_BLOB nt_blob = data_blob(NULL, 0);
DATA_BLOB plaintext_blob = data_blob(NULL, 0);
uint32 auth_flags = AUTH_FLAG_NONE;
+ NTSTATUS nt_status;
- return make_user_info(user_info,
+ nt_status = make_user_info(user_info,
"","",
"","",
"",
nt_blob, lm_blob,
plaintext_blob,
auth_flags, True);
+
+ return NT_STATUS_IS_OK(nt_status) ? True : False;
}
/****************************************************************************
@@ -633,7 +704,14 @@
return NT_STATUS_OK;
}
- usr = getpwuid_alloc(uid);
+ /*
+ * This is _essential_ to prevent occasional segfaults when
+ * winbind can't find uid -> username mapping
+ */
+ if (!(usr = getpwuid_alloc(uid))) {
+ DEBUG(0, ("Couldn't find passdb structure for UID = %d ! Aborting.\n", uid));
+ return NT_STATUS_NO_SUCH_USER;
+ };
n_unix_groups = groups_max();
if ((*unix_groups = malloc( sizeof(gid_t) * groups_max() ) ) == NULL) {
@@ -840,7 +918,7 @@
trusted domains, and verify that the SID
matches.
*/
-
+
sid_copy(&user_sid, &info3->dom_sid.sid);
if (!sid_append_rid(&user_sid, info3->user_rid)) {
return NT_STATUS_INVALID_PARAMETER;
@@ -860,7 +938,7 @@
/* If the server didn't give us one, just use the one we sent them */
domain = domain;
}
-
+
if (winbind_sid_to_uid(&uid, &user_sid)
&& winbind_sid_to_gid(&gid, &group_sid)
&& ((passwd = getpwuid_alloc(uid)))) {
@@ -984,7 +1062,7 @@
if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs], info3->gids[i].g_rid)) {
nt_status = NT_STATUS_INVALID_PARAMETER;
DEBUG(3,("create_nt_token_info3: could not append additional group rid 0x%x\n",
- info3->gids[i].g_rid));
+ info3->gids[i].g_rid));
SAFE_FREE(lgroupSIDs);
return nt_status;
}
Index: libsmb/cliconnect.c
===================================================================
RCS file: /cvsroot/samba/source/libsmb/cliconnect.c,v
retrieving revision 1.97
diff -u -r1.97 cliconnect.c
--- libsmb/cliconnect.c 30 Aug 2002 06:59:52 -0000 1.97
+++ libsmb/cliconnect.c 2 Sep 2002 10:37:36 -0000
@@ -1003,7 +1003,7 @@
* about this and accounts for those four bytes.
* CRH.
*/
- len -= 4;
+ len -= 4;
_smb_setlen(cli->outbuf,len);
SCVAL(cli->outbuf,0,0x81);
Index: libsmb/namequery.c
===================================================================
RCS file: /cvsroot/samba/source/libsmb/namequery.c,v
retrieving revision 1.111
diff -u -r1.111 namequery.c
--- libsmb/namequery.c 16 Aug 2002 00:25:47 -0000 1.111
+++ libsmb/namequery.c 2 Sep 2002 10:37:39 -0000
@@ -839,7 +839,7 @@
} else {
/* Store negative lookup result */
-
+ DEBUG(100, ("Storing INVALID name %s of type %d in namecache\n", name, name_type));
namecache_store(name, name_type, 0, NULL);
}
}
@@ -915,7 +915,10 @@
}
/* Save in name cache */
-
+ for (i = 0; i < *return_count && DEBUGLEVEL == 100; i++)
+ DEBUG(100, ("Storing VALID name %s of type %d (ip: %s)\n", name,
+ name_type, inet_ntoa(*return_iplist[i])));
+
namecache_store(name, name_type, *return_count, *return_iplist);
/* Display some debugging info */
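Review bot: `*return_iplist[i]` in the new debug loop binds as `*(return_iplist[i])`, but the namecache_store() call just below passes `*return_iplist` as the array, so the intended expression appears to be `(*return_iplist)[i]`. For any `i >= 1` the current form reads past the caller's single pointer, an out-of-bounds read that only shows up when debugging is turned all the way up. The loop condition `DEBUGLEVEL == 100` also skips the output at any higher level; testing `DEBUGLEVEL >= 100` once around the loop would be clearer, and the unbraced `for` body should get braces. The enclosing function is outside this hunk.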
Index: rpc_client/cli_lsarpc.c
===================================================================
RCS file: /cvsroot/samba/source/rpc_client/cli_lsarpc.c,v
retrieving revision 1.68
diff -u -r1.68 cli_lsarpc.c
--- rpc_client/cli_lsarpc.c 12 Aug 2002 13:40:59 -0000 1.68
+++ rpc_client/cli_lsarpc.c 2 Sep 2002 10:37:50 -0000
@@ -648,7 +648,7 @@
/* Marshall data and send request */
/* 64k is enough for about 2000 trusted domains */
- init_q_enum_trust_dom(&q, pol, *enum_ctx, 0x10000);
+ init_q_enum_trust_dom(&q, pol, *enum_ctx, 0x10000);
if (!lsa_io_q_enum_trust_dom("", &q, &qbuf, 0) ||
!rpc_api_pipe_req(cli, LSA_ENUMTRUSTDOM, &qbuf, &rbuf)) {
Index: rpc_parse/parse_samr.c
===================================================================
RCS file: /cvsroot/samba/source/rpc_parse/parse_samr.c,v
retrieving revision 1.155
diff -u -r1.155 parse_samr.c
--- rpc_parse/parse_samr.c 15 Aug 2002 19:40:34 -0000 1.155
+++ rpc_parse/parse_samr.c 2 Sep 2002 10:37:56 -0000
@@ -1356,18 +1356,12 @@
r_u->next_idx = next_idx;
- if (num_sam_entries != 0) {
- r_u->ptr_entries1 = 1;
- r_u->ptr_entries2 = 1;
- r_u->num_entries2 = num_sam_entries;
- r_u->num_entries3 = num_sam_entries;
+ r_u->ptr_entries1 = 1;
+ r_u->ptr_entries2 = 2;
+ r_u->num_entries2 = num_sam_entries;
+ r_u->num_entries3 = num_sam_entries;
- r_u->num_entries4 = num_sam_entries;
- } else {
- r_u->ptr_entries1 = 0;
- r_u->num_entries2 = num_sam_entries;
- r_u->ptr_entries2 = 1;
- }
+ r_u->num_entries4 = num_sam_entries;
}
/*******************************************************************
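Review bot: With the `num_sam_entries != 0` guard removed, a reply with zero entries now advertises non-NULL referents (`ptr_entries1 = 1`, `ptr_entries2 = 2`) alongside counts of 0. The marshalling routine that consumes these fields is not visible here, so it should be checked that it neither walks nor dereferences the entry arrays when the count is 0 and the arrays may be unallocated. The change of `ptr_entries2` from 1 to 2 is unexplained; a short comment such as `/* referent ids only need to be non-zero and distinct */` (if that is the reason) would stop the next reader from reverting it. The function's opening is outside the hunk.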
Index: rpc_server/srv_lsa_nt.c
===================================================================
RCS file: /cvsroot/samba/source/rpc_server/srv_lsa_nt.c,v
retrieving revision 1.59
diff -u -r1.59 srv_lsa_nt.c
--- rpc_server/srv_lsa_nt.c 30 Jul 2002 17:23:07 -0000 1.59
+++ rpc_server/srv_lsa_nt.c 2 Sep 2002 10:37:58 -0000
@@ -473,6 +473,8 @@
/*
* preferred length is set to 5 as a "our" preferred length
* nt sets this parameter to 2
+ * update (20.08.2002): it's not preferred length, but preferred size!
+ * it needs further investigation how to optimally choose this value
*/
uint32 max_num_domains = q_u->preferred_len < 5 ? q_u->preferred_len : 10;
TRUSTDOM **trust_doms;
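Review bot: The comment being extended says the preferred length is set to 5, but the expression it documents yields 10 whenever `q_u->preferred_len` is 5 or more, and passes a request value of 0 straight through as `max_num_domains`. Since the added remark says the field is a size rather than a count, the comment should state the intended cap and its units, and the expression should be brought into line with it, for example `q_u->preferred_len < 5 ? q_u->preferred_len : 5` if 5 is really meant. The enclosing function is outside this hunk.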
Index: rpc_server/srv_samr.c
===================================================================
RCS file: /cvsroot/samba/source/rpc_server/srv_samr.c,v
retrieving revision 1.140
diff -u -r1.140 srv_samr.c
--- rpc_server/srv_samr.c 6 Aug 2002 18:02:56 -0000 1.140
+++ rpc_server/srv_samr.c 2 Sep 2002 10:38:00 -0000
@@ -202,7 +202,7 @@
ZERO_STRUCT(q_u);
ZERO_STRUCT(r_u);
-
+
/* grab the samr open */
if(!samr_io_q_enum_dom_users("", &q_u, data, 0)) {
DEBUG(0,("api_samr_enum_dom_users: unable to unmarshall SAMR_Q_ENUM_DOM_USERS.\n"));
Index: smbd/sesssetup.c
===================================================================
RCS file: /cvsroot/samba/source/smbd/sesssetup.c,v
retrieving revision 1.68
diff -u -r1.68 sesssetup.c
--- smbd/sesssetup.c 31 Aug 2002 06:59:00 -0000 1.68
+++ smbd/sesssetup.c 2 Sep 2002 10:38:02 -0000
@@ -439,14 +439,14 @@
auth_flags |= AUTH_FLAG_NTLM_RESP;
} else if (nthash.length > 24) {
auth_flags |= AUTH_FLAG_NTLMv2_RESP;
- }
+ };
+
+ nt_status = make_user_info_map(&user_info, user, workgroup, machine,
+ lmhash, nthash, plaintext_password,
+ auth_flags, True);
- if (!make_user_info_map(&user_info,
- user, workgroup,
- machine,
- lmhash, nthash,
- plaintext_password,
- auth_flags, True)) {
+ /* it looks a bit weird, but this function returns int type... */
+ if (!NT_STATUS_IS_OK(nt_status)) {
return ERROR_NT(NT_STATUS_NO_MEMORY);
}
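Review bot: The failure branch still returns `ERROR_NT(NT_STATUS_NO_MEMORY)` whatever make_user_info_map() reported, so the status code this patch introduces is discarded at its first caller. Elsewhere in this same patch the function can return `NT_STATUS_NO_TRUST_LSA_SECRET` and `NT_STATUS_UNSUCCESSFUL`, and the client and the logs would see those as an out-of-memory condition. `return ERROR_NT(nt_status);` would propagate the real cause. If the trusted-domain lookup result should not be revealed to unauthenticated clients, map it explicitly to `NT_STATUS_LOGON_FAILURE` here and log the original status server-side. The enclosing function starts and ends outside the hunk.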
@@ -621,7 +621,7 @@
NTSTATUS nt_status;
BOOL doencrypt = global_encrypted_passwords_negotiated;
-
+
START_PROFILE(SMBsesssetupX);
ZERO_STRUCT(lm_resp);
@@ -776,11 +776,9 @@
nt_status = check_guest_password(&server_info);
} else if (doencrypt) {
- if (!make_user_info_for_reply_enc(&user_info,
- user, domain,
- lm_resp, nt_resp)) {
- nt_status = NT_STATUS_NO_MEMORY;
- } else {
+ nt_status = make_user_info_for_reply_enc(&user_info, user, domain,
+ lm_resp, nt_resp);
+ if (NT_STATUS_IS_OK(nt_status)) {
nt_status = negprot_global_auth_context->check_ntlm_password(negprot_global_auth_context,
user_info,
&server_info);
Index: utils/net_rpc.c
===================================================================
RCS file: /cvsroot/samba/source/utils/net_rpc.c,v
retrieving revision 1.33
diff -u -r1.33 net_rpc.c
--- utils/net_rpc.c 28 Aug 2002 10:34:28 -0000 1.33
+++ utils/net_rpc.c 2 Sep 2002 10:38:05 -0000
@@ -1972,6 +1972,12 @@
d_printf("%s%s%s\n", trusted_dom_names[i], padding, ascii_sid);
};
+
+ /*
+ * in case of no trusted domains say something rather
+ * than just display blank line
+ */
+ if (!num_domains) d_printf("none\n");
} while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
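Review bot: The `if (!num_domains) d_printf("none\n");` check sits inside the `do { ... } while (STATUS_MORE_ENTRIES)` loop, so it is evaluated per batch rather than for the whole listing. "none" would be printed after real entries if a later batch comes back empty, and also when the enumeration call failed and left the count at 0 (the error handling is not visible in this hunk). Keeping a running total and printing once after the loop, e.g. `if (!total_domains) d_printf("none\n");`, avoids both cases. The same pattern is added in the trusting-domains loop in the last hunk of this file.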
@@ -2025,7 +2031,7 @@
enum_ctx = 0; /* reset enumeration context from last enumeration */
do {
-
+
nt_status = cli_samr_enum_dom_users(cli, mem_ctx, &domain_hnd,
&enum_ctx, ACB_DOMTRUST, 0xffff,
&trusting_dom_names, &trusting_dom_rids,
@@ -2037,7 +2043,7 @@
};
for (i = 0; i < num_domains; i++) {
-
+
/*
* get each single domain's sid (do we _really_ need this ?):
* 1) connect to domain's pdc
@@ -2075,6 +2081,8 @@
d_printf("domain controller is not responding\n");
};
};
+
+ if (!num_domains) d_printf("none\n");
} while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));