LDAP machine accounts

Daniel T. Gynn dan.gynn at essensys.com
Fri Feb 14 16:25:30 GMT 2003


On Fri, 2003-02-14 at 10:37, Illtud Daniel wrote:
> Nope. None again. But looking in the headers:
> 
> X-Content-Filtered-By: Mailman/MimeDel 2.1
> 
> The mailing list stripped the attachments (as it should, IMHO!).
> 
> Can't you send diff patches for the changes you made?

The diff for pdb_ldap.c is:

--- samba-2.2.7a/source/passdb/pdb_ldap.c       2002-12-10
09:58:15.000000000 -0500
+++ ../samba-2.2.7a/source/passdb/pdb_ldap.c    2003-02-13
15:49:18.000000000 -0500
@@ -2,6 +2,7 @@
    Unix SMB/Netbios implementation.
    Version 2.9.
    LDAP protocol helper functions for SAMBA
+   Copyright (C) Daniel T Gynn 2003
    Copyright (C) Gerald Carter 2001
    Copyright (C) Shahms King 2001
    Copyright (C) Jean Fran�is Micouleau 1998
@@ -590,8 +591,12 @@
         */
        sys_user = sys_getpwnam(username);
        if (sys_user == NULL) {
-               DEBUG (2,("init_sam_from_ldap: User [%s] does not ave a
uid!\n", username));
-               return False;
+               DEBUG (2,("init_sam_from_ldap: User [%s] does not have a
uid!\n", username));
+
+               /* If we aren't looking for a machine then return false
+                */
+               if ( username[strlen(username) - 1] != '$' )
+                       return False;
        }


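Review bot: The new test `username[strlen(username) - 1] != '$'` reads one byte before the buffer when `username` is an empty string, because `strlen()` returns 0 and the `size_t` subtraction wraps. Take the length first and reject the empty case: `size_t ulen = strlen(username);` then `if (ulen == 0 || username[ulen - 1] != '$') return False;`. After this change any name ending in `$` continues with `sys_user == NULL`, so every later use of `sys_user` in init_sam_from_ldap needs a guard. The later hunk at line 630 covers the uid/gid setters, but the rest of the function body lies outside these hunks and should be checked. The DEBUG message still says the user "does not have a uid" even for machine accounts that are then accepted, so a separate message for that branch would make the logs easier to read.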
@@ -625,8 +630,10 @@
        pdb_set_hours_len(sampass, hours_len);
        pdb_set_logon_divs(sampass, logon_divs);

-       pdb_set_uid(sampass, sys_user->pw_uid);
-       pdb_set_gid(sampass, sys_user->pw_gid);
+       if (sys_user != NULL) {
+           pdb_set_uid(sampass, sys_user->pw_uid);
+           pdb_set_gid(sampass, sys_user->pw_gid);
+       }
        pdb_set_user_rid(sampass, user_rid);
        pdb_set_group_rid(sampass, group_rid);

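Review bot: When `sys_user` is NULL, the SAM_ACCOUNT's uid and gid are never set, so later consumers see whatever value the account was initialised with. That initial value is not visible in this hunk. If it is 0, a machine account with no Unix entry would appear to map to root, so it should be confirmed and the intent stated next to the guard, for example `/* machine account without a Unix entry: uid/gid stay at their initial values and must not be used for file access */`. If the passdb API has an explicit "no uid" value, setting it in an `else` branch would be safer than relying on the default.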
@@ -641,10 +648,12 @@
        pdb_set_workstations(sampass, workstations);
        pdb_set_munged_dial(sampass, munged_dial);

-       if (!pdb_set_nt_passwd(sampass, smbntpwd))
-               return False;
-       if (!pdb_set_lanman_passwd(sampass, smblmpwd))
-               return False;
+       if (!pdb_set_nt_passwd(sampass, smbntpwd)) {
+               return False;
+       }
+       if (!pdb_set_lanman_passwd(sampass, smblmpwd)) {
+               return False;
+       }

        /* pdb_set_unknown_3(sampass, unknown3); */
        /* pdb_set_unknown_5(sampass, unknown5); */
@@ -839,6 +848,7 @@

        if (!ldap_open_connection(&ldap_struct))
                return False;
+
        if (!ldap_connect_system(ldap_struct))
        {
                ldap_unbind(ldap_struct);
@@ -877,6 +887,16 @@
 }

 /**********************************************************************
+DTG. Get SAM_ACCOUNT entry from LDAP by username
+       Added to make sure get_md4pw in src_netlog_nt.c calls
+       the correct function
+*********************************************************************/
+BOOL pdb_getldapsampwnam(SAM_ACCOUNT * user, char *sname)
+{
+  return pdb_getsampwnam ( user, sname ) ;
+}
+
+/**********************************************************************
 Get SAM_ACCOUNT entry from LDAP by rid
 *********************************************************************/
 BOOL pdb_getsampwrid(SAM_ACCOUNT * user, uint32 rid)
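Review bot: `pdb_getldapsampwnam()` only forwards to `pdb_getsampwnam()` in the same file, so in a build where pdb_ldap.c provides `pdb_getsampwnam()` it returns exactly what the first lookup in get_md4pw already returned. If pdb_ldap.c is compiled only when the LDAP SAM backend is configured (the conditional is not visible here), the unconditional call added in srv_netlog_nt.c would also fail to link in non-LDAP builds. Either drop the wrapper and rely on the init_sam_from_ldap change, or guard the caller with the same build conditional. If the wrapper stays, its header comment should name the real caller file: it says `src_netlog_nt.c`, but the patched file is `srv_netlog_nt.c`.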



The diff for srv_netlog_nt.c:

--- samba-2.2.7a/source/rpc_server/srv_netlog_nt.c      2002-05-18
09:40:44.000000000 -0400
+++ ../samba-2.2.7a/source/rpc_server/srv_netlog_nt.c   2003-02-13
15:45:52.000000000 -0500
@@ -7,6 +7,7 @@
  *  Copyright (C) Paul Ashton                       1997.
  *  Copyright (C) Jeremy Allison               1998-2001.
  *  Copyirht  (C) Andrew Bartlett                   2001.
+ *  Copyright (C) Daniel T Gynn                     2003.
  *
  *  This program is free software; you can redistribute it and/or
modify
  *  it under the terms of the GNU General Public License as published
by
@@ -173,7 +174,7 @@
        unbecome_root();

        if (ret==False) {
-               DEBUG(0,("get_md4pw: Workstation %s: no account in
domain\n", mach_acct));
+               DEBUG(0,("get_md4pw: Workstation %s: no account in
domain via pdb_getsampwnam()\n", mach_acct));
                pdb_free_sam(sampass);
                return False;
        }
@@ -185,8 +186,32 @@
                return True;
        }

-       DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n",
mach_acct));
-       pdb_free_sam(sampass);
+       /* DTG. Added to check if workstation is in LDAP since it
+               isn't in the passwd file
+        */
+       DEBUG(1,("get_md4pw: Checking if workstation %s exists in
LDAP\n", mach_acct));
+       become_root();
+       /* DTG. This just calls the pdb_getsampwnam in pdb_ldap.c
+               instead of the other functions with the same name
+        */
+       ret=pdb_getldapsampwnam(sampass, mach_acct);
+       unbecome_root();
+
+       if (ret==False) {
+               DEBUG(0,("get_md4pw: Workstation %s: no account in
domain via pdb_getsampwnam()\n", mach_acct));
+               pdb_free_sam(sampass);
+               return False;
+       }
+
+       if (!(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) &&
((pass=pdb_get_nt_passwd(sampass)) != NULL)) {
+               memcpy(md4pw, pass, 16);
+               dump_data(5, md4pw, 16);
+               pdb_free_sam(sampass);
+               return True;
+       }
+
+       DEBUG(0,("get_md4pw: Workstation %s does not have an account in
the password file or LDAP\n", mach_acct));
+       pdb_free_sam(sampass) ;
        return False;
 }

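Review bot: The added fallback runs only after the first lookup has already succeeded, since the earlier `ret==False` branch returns. It therefore runs only for an account that is disabled or has no NT hash, and it reuses the already populated `sampass` for a second lookup without re-initialising it. Whether that leaks or mixes fields depends on pdb code outside this hunk, but the block looks redundant once init_sam_from_ldap accepts machine accounts, and removing it would leave a single disabled-account check to audit. If it stays, the failure message should name the function actually called, `pdb_getldapsampwnam()`, not `pdb_getsampwnam()`. Separately, `dump_data(5, md4pw, 16)` writes the machine account's 16-byte NT hash to the debug log at level 5. That value is password-equivalent for the secure channel, so the call should be dropped or the log file protected accordingly.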

-- 
-----------------------
Daniel T. Gynn
RHCE #806200978201621
Essential Systems, Inc.
412-931-5403 ext. 1
fax: 412-931-5425
dan.gynn at essensys.com
GnuPG Key http://www.essensys.com/~dan/gpgring.asc
Fingerprint: 1341 3132 FDAC C415 8F5F 03D7 FD4E 166B FA90 58E1


