[PATCH] Cleanups

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Nov 23 14:49:56 UTC 2018


Hi!

Review appreciated!

Thanks, Volker

-- 
Besuchen Sie die verinice.XP 2019 in Berlin!
Anwenderkonferenz für Informationssicherheit
26.-28. Februar 2019 - im Hotel Radisson Blu
Info & Anmeldung hier: http://veriniceXP.org

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
From 6da626141af380eef648e451522f0750dc896fc8 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 23 Nov 2018 12:34:50 +0100
Subject: [PATCH 1/9] libads: Give krb5_errs.c its own header

The protos were declared in lib/krb5_wrap but the functions are not
available there.

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 lib/krb5_wrap/krb5_samba.h               |  3 ---
 source3/libads/ads_status.c              |  1 +
 source3/libads/authdata.c                |  1 +
 source3/libads/kerberos.c                |  1 +
 source3/libads/krb5_errs.c               |  2 ++
 source3/libads/krb5_errs.h               | 30 ++++++++++++++++++++++++++++++
 source3/libnet/libnet_dssync.c           |  1 +
 source3/libnet/libnet_dssync_keytab.c    |  1 +
 source3/libsmb/cliconnect.c              |  1 +
 source3/passdb/machine_account_secrets.c |  1 +
 source3/winbindd/winbindd_cred_cache.c   |  1 +
 source3/winbindd/winbindd_pam.c          |  1 +
 12 files changed, 41 insertions(+), 3 deletions(-)
 create mode 100644 source3/libads/krb5_errs.h

diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 8305c1f77af..fb3cb5f2ad8 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -188,9 +188,6 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *cli
 krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr,
 						  const char *netbios_name);
 krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
-NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
-krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
-
 krb5_enctype smb_krb5_kt_get_enctype_from_entry(krb5_keytab_entry *kt_entry);
 
 krb5_error_code smb_krb5_enctype_to_string(krb5_context context,
diff --git a/source3/libads/ads_status.c b/source3/libads/ads_status.c
index 70569949aeb..fb3646386ca 100644
--- a/source3/libads/ads_status.c
+++ b/source3/libads/ads_status.c
@@ -25,6 +25,7 @@
 #include "system/gssapi.h"
 #include "smb_ldap.h"
 #include "libads/ads_status.h"
+#include "krb5_errs.h"
 
 /*
   build a ADS_STATUS structure
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index d8a6487dc27..86a1be71bf9 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -32,6 +32,7 @@
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_internal.h" /* TODO: remove this */
 #include "../libcli/auth/spnego.h"
+#include "krb5_errs.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 58f38cdc55d..418e5a72243 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -31,6 +31,7 @@
 #include "secrets.h"
 #include "../lib/tsocket/tsocket.h"
 #include "lib/util/asn1.h"
+#include "krb5_errs.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c
index 8eb5d8247b1..0c2ada59966 100644
--- a/source3/libads/krb5_errs.c
+++ b/source3/libads/krb5_errs.c
@@ -20,6 +20,8 @@
 #include "includes.h"
 #include "smb_krb5.h"
 
+#include "krb5_errs.h"
+
 #ifdef HAVE_KRB5
 
 static const struct {
diff --git a/source3/libads/krb5_errs.h b/source3/libads/krb5_errs.h
new file mode 100644
index 00000000000..57b6391ff74
--- /dev/null
+++ b/source3/libads/krb5_errs.h
@@ -0,0 +1,30 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Kerberos error mapping functions
+ *  Copyright (C) Guenther Deschner 2005
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __KRB5_ERRS_H__
+#define __KRB5_ERRS_H__
+
+#include "replace.h"
+#include "libcli/util/ntstatus.h"
+#include <krb5.h>
+
+NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
+krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
+
+#endif
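Review bot: The new header includes `<krb5.h>` and declares both prototypes unconditionally, while krb5_errs.c opens an `#ifdef HAVE_KRB5` section right after including it, and authdata.c and kerberos.c add the include above their own `HAVE_KRB5` guard. If any includer is built in a configuration without Kerberos headers, the include would fail, so wrapping `#include <krb5.h>` and the two declarations in `#ifdef HAVE_KRB5` would keep the header consistent with its implementation. The guard name `__KRB5_ERRS_H__` uses a double-underscore identifier, which C reserves for the implementation; `KRB5_ERRS_H` avoids that. A short comment above each prototype, saying which direction it maps and what it returns for a code with no mapping, would help callers that turn Kerberos failures into authentication results.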
diff --git a/source3/libnet/libnet_dssync.c b/source3/libnet/libnet_dssync.c
index e593ae8536c..2b6995bd566 100644
--- a/source3/libnet/libnet_dssync.c
+++ b/source3/libnet/libnet_dssync.c
@@ -25,6 +25,7 @@
 #include "rpc_client/cli_pipe.h"
 #include "../libcli/drsuapi/drsuapi.h"
 #include "../librpc/gen_ndr/ndr_drsuapi_c.h"
+#include "libads/krb5_errs.h"
 
 /****************************************************************
 ****************************************************************/
diff --git a/source3/libnet/libnet_dssync_keytab.c b/source3/libnet/libnet_dssync_keytab.c
index 8999a3535fb..7526cd3294e 100644
--- a/source3/libnet/libnet_dssync_keytab.c
+++ b/source3/libnet/libnet_dssync_keytab.c
@@ -23,6 +23,7 @@
 #include "libnet/libnet_dssync.h"
 #include "libnet/libnet_keytab.h"
 #include "librpc/gen_ndr/ndr_drsblobs.h"
+#include "libads/krb5_errs.h"
 
 #if defined(HAVE_ADS)
 
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 837299d9220..0a54d47227a 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -41,6 +41,7 @@
 #include "../libcli/smb/smb_seal.h"
 #include "lib/param/param.h"
 #include "../libcli/smb/smb2_negotiate_context.h"
+#include "libads/krb5_errs.h"
 
 #define STAR_SMBSERVER "*SMBSERVER"
 
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index d8ffcaa7fb6..b816b3aa7f8 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -37,6 +37,7 @@
 #include "lib/krb5_wrap/krb5_samba.h"
 #include "lib/util/time_basic.h"
 #include "../libds/common/flags.h"
+#include "libads/krb5_errs.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_PASSDB
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index c7332297982..85ad426446a 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -26,6 +26,7 @@
 #include "../libcli/auth/libcli_auth.h"
 #include "smb_krb5.h"
 #include "libads/kerberos_proto.h"
+#include "libads/krb5_errs.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a02926decb2..873c2f6d3e8 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -45,6 +45,7 @@
 #include "lib/afs/afs_funcs.h"
 #include "libsmb/samlogon_cache.h"
 #include "rpc_client/util_netlogon.h"
+#include "libads/krb5_errs.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
-- 
2.11.0


From a86f8d9670258fb7dfcb1a3c67738f99a0dcdaf5 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 23 Nov 2018 08:39:02 +0100
Subject: [PATCH 2/9] libads: Use dom_sid_string_buf

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/libads/disp_sec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/source3/libads/disp_sec.c b/source3/libads/disp_sec.c
index 472741fa1b6..96c29078378 100644
--- a/source3/libads/disp_sec.c
+++ b/source3/libads/disp_sec.c
@@ -22,6 +22,7 @@
 #include "libads/ldap_schema.h"
 #include "../libcli/security/secace.h"
 #include "../librpc/ndr/libndr.h"
+#include "libcli/security/dom_sid.h"
 
 /* for ADS */
 #define SEC_RIGHTS_FULL_CTRL		0xf01ff
@@ -139,6 +140,7 @@ static void ads_disp_sec_ace_object(ADS_STRUCT *ads,
 static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace)
 {
 	const char *access_type = "UNKNOWN";
+	struct dom_sid_buf sidbuf;
 
 	if (!sec_ace_object(sec_ace->type)) {
 		printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n", 
@@ -169,8 +171,9 @@ static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_a
 		access_type = "AUDIT OBJECT";
 	}
 
-	printf("access SID:  %s\naccess type: %s\n", 
-               sid_string_talloc(mem_ctx, &sec_ace->trustee), access_type);
+	printf("access SID:  %s\naccess type: %s\n",
+	       dom_sid_str_buf(&sec_ace->trustee, &sidbuf),
+	       access_type);
 
 	if (sec_ace_object(sec_ace->type)) {
 		ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object);
-- 
2.11.0


From 159b86355004be6dd97a7951bff2fbbe48fe6387 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 23 Nov 2018 08:40:57 +0100
Subject: [PATCH 3/9] libads: Align integer types

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/libads/disp_sec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libads/disp_sec.c b/source3/libads/disp_sec.c
index 96c29078378..8ec4a32bd7e 100644
--- a/source3/libads/disp_sec.c
+++ b/source3/libads/disp_sec.c
@@ -199,7 +199,7 @@ static void ads_disp_acl(struct security_acl *sec_acl, const char *type)
 /* display SD */
 void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
 {
-	int i;
+	uint32_t i;
 	char *tmp_path = NULL;
 
 	if (!sd) {
-- 
2.11.0


From d9ed0aff4ef384fc1f290354d1ff65e082e52fa3 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 23 Nov 2018 08:49:44 +0100
Subject: [PATCH 4/9] libgpo: Use dom_sid_str_buf

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 libgpo/gpo_reg.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/libgpo/gpo_reg.c b/libgpo/gpo_reg.c
index 18d0498c7e9..cb4e5c87c88 100644
--- a/libgpo/gpo_reg.c
+++ b/libgpo/gpo_reg.c
@@ -26,6 +26,7 @@
 #include "registry/reg_api_util.h"
 #include "registry/reg_init_basic.h"
 #include "../libcli/security/security.h"
+#include "libcli/security/dom_sid.h"
 #include "../libcli/registry/util_reg.h"
 
 
@@ -306,12 +307,17 @@ static const char *gp_reg_groupmembership_path(TALLOC_CTX *mem_ctx,
 					       const struct dom_sid *sid,
 					       uint32_t flags)
 {
+	struct dom_sid_buf sidbuf;
+
 	if (flags & GPO_LIST_FLAG_MACHINE) {
 		return "GroupMembership";
 	}
 
-	return talloc_asprintf(mem_ctx, "%s\\%s", sid_string_tos(sid),
-			       "GroupMembership");
+	return talloc_asprintf(
+		mem_ctx,
+		"%s\\%s",
+		dom_sid_str_buf(sid, &sidbuf),
+		"GroupMembership");
 }
 
 /****************************************************************
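Review bot: In the non-machine branch `sid` is passed straight to `dom_sid_str_buf()` and the result becomes the leading component of a registry path, with no check that `sid` is non-NULL. If the formatter substitutes placeholder text for a NULL SID (its implementation is not visible here), the function would return a well-formed path naming the wrong key instead of failing. Callers already have to cope with a NULL return from `talloc_asprintf`, so an early `if (sid == NULL) { return NULL; }` after the `GPO_LIST_FLAG_MACHINE` check would fit, or at least a comment that callers must pass a valid user SID. The same applies to `gp_req_state_path` in the next hunk.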
@@ -435,11 +441,17 @@ static const char *gp_req_state_path(TALLOC_CTX *mem_ctx,
 				     const struct dom_sid *sid,
 				     uint32_t flags)
 {
+	struct dom_sid_buf sidbuf;
+
 	if (flags & GPO_LIST_FLAG_MACHINE) {
 		return GPO_REG_STATE_MACHINE;
 	}
 
-	return talloc_asprintf(mem_ctx, "%s\\%s", "State", sid_string_tos(sid));
+	return talloc_asprintf(
+		mem_ctx,
+		"%s\\%s",
+		"State",
+		dom_sid_str_buf(sid, &sidbuf));
 }
 
 /****************************************************************
-- 
2.11.0


From 85138f1787e513fa35afbad36b888edefb404ced Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 23 Nov 2018 08:50:47 +0100
Subject: [PATCH 5/9] libgpo: Align integer types

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 libgpo/gpo_reg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libgpo/gpo_reg.c b/libgpo/gpo_reg.c
index cb4e5c87c88..644b4d36d62 100644
--- a/libgpo/gpo_reg.c
+++ b/libgpo/gpo_reg.c
@@ -348,7 +348,7 @@ static WERROR gp_reg_store_groupmembership(TALLOC_CTX *mem_ctx,
 {
 	struct registry_key *key = NULL;
 	WERROR werr;
-	int i = 0;
+	uint32_t i = 0;
 	const char *valname = NULL;
 	const char *path = NULL;
 	const char *val = NULL;
-- 
2.11.0


From 7d87bfa0e484840b65860827b71536908207ac3a Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 23 Nov 2018 08:53:45 +0100
Subject: [PATCH 6/9] winbind: Use dom_sid_str_buf

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/winbindd/winbindd_getusersids.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/source3/winbindd/winbindd_getusersids.c b/source3/winbindd/winbindd_getusersids.c
index 024bad2b9e5..9a6a24107b9 100644
--- a/source3/winbindd/winbindd_getusersids.c
+++ b/source3/winbindd/winbindd_getusersids.c
@@ -104,13 +104,11 @@ NTSTATUS winbindd_getusersids_recv(struct tevent_req *req,
 	}
 
 	for (i=0; i<state->num_sids; i++) {
-		char *str = sid_string_tos(&state->sids[i]);
-		if (str == NULL) {
-			TALLOC_FREE(result);
-			return NT_STATUS_NO_MEMORY;
-		}
-		result = talloc_asprintf_append_buffer(result, "%s\n", str);
-		TALLOC_FREE(str);
+		struct dom_sid_buf sidbuf;
+		result = talloc_asprintf_append_buffer(
+			result,
+			"%s\n",
+			dom_sid_str_buf(&state->sids[i], &sidbuf));
 		if (result == NULL) {
 			return NT_STATUS_NO_MEMORY;
 		}
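Review bot: `result` is overwritten with the return value of `talloc_asprintf_append_buffer()`, so when the append fails the only pointer to the partially built string is lost and the function returns without releasing it; the removed branch at least did `TALLOC_FREE(result)` on its own error path. The buffer then stays attached to whatever talloc parent it was created under (not visible in this hunk) until that context is freed. Assigning to a temporary keeps the error path tidy: `tmp = talloc_asprintf_append_buffer(result, ...); if (tmp == NULL) { TALLOC_FREE(result); return NT_STATUS_NO_MEMORY; } result = tmp;`. The loop and the rest of the function continue outside the hunk.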
-- 
2.11.0


From 34976eca58428530b461147620a7bb4304327b57 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 23 Nov 2018 08:55:13 +0100
Subject: [PATCH 7/9] winbind: Use dom_sid_str_buf

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/winbindd/winbindd_getgroups.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c
index 16c06395d70..39a8c3556cf 100644
--- a/source3/winbindd/winbindd_getgroups.c
+++ b/source3/winbindd/winbindd_getgroups.c
@@ -20,6 +20,7 @@
 #include "includes.h"
 #include "winbindd.h"
 #include "passdb/lookup_sid.h" /* only for LOOKUP_NAME_NO_NSS flag */
+#include "libcli/security/dom_sid.h"
 
 struct winbindd_getgroups_state {
 	struct tevent_context *ev;
@@ -204,6 +205,8 @@ static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
 		}
 
 		if (!include_gid) {
+			struct dom_sid_buf sidbuf;
+
 			if (debug_missing == NULL) {
 				continue;
 			}
@@ -214,7 +217,7 @@ static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
 				   "This might be a security problem when ACLs "
 				   "contain DENY ACEs!\n",
 				   (unsigned)xids[i].id,
-				   sid_string_tos(&state->sids[i]),
+				   dom_sid_str_buf(&state->sids[i], &sidbuf),
 				   debug_missing));
 			continue;
 		}
-- 
2.11.0


From bd2f4ae317efb6ae1b2f8bacb55f89248f3d70f3 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 23 Nov 2018 08:58:59 +0100
Subject: [PATCH 8/9] winbind: Use dom_sid_str_buf

Also fix a DBG format string specifier

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/winbindd/wb_lookupsids.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c
index af02a0c9547..5c73d3843ea 100644
--- a/source3/winbindd/wb_lookupsids.c
+++ b/source3/winbindd/wb_lookupsids.c
@@ -251,13 +251,16 @@ static bool wb_lookupsids_next(struct tevent_req *req,
 
 static bool wb_lookupsids_bulk(const struct dom_sid *sid)
 {
+	struct dom_sid_buf sidbuf;
+
 	if (sid->num_auths != 5) {
 		/*
 		 * Only do "S-1-5-21-x-y-z-rid" domains via bulk
 		 * lookup
 		 */
-		DEBUG(10, ("No bulk setup for SID %s with %d subauths\n",
-			   sid_string_dbg(sid), sid->num_auths));
+		DBG_DEBUG("No bulk setup for SID %s with %"PRIi8" subauths\n",
+			  dom_sid_str_buf(sid, &sidbuf),
+			  sid->num_auths);
 		return false;
 	}
 
@@ -265,7 +268,8 @@ static bool wb_lookupsids_bulk(const struct dom_sid *sid)
 		/*
 		 * Passdb lookup via lookuprids
 		 */
-		DEBUG(10, ("%s is in our domain\n", sid_string_tos(sid)));
+		DBG_DEBUG("%s is in our domain\n",
+			  dom_sid_str_buf(sid, &sidbuf));
 		return true;
 	}
 
-- 
2.11.0


From 03efe45b8124b399df9cfed8b2a4196d981f7939 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Fri, 23 Nov 2018 09:03:13 +0100
Subject: [PATCH 9/9] winbind: Fix "wbint_Principals" definition

A signed integer does not make any sense for an IDL array length

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 librpc/idl/winbind.idl                 | 2 +-
 source3/winbindd/wb_query_user_list.c  | 2 +-
 source3/winbindd/winbindd_lookuprids.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index f5e3507bff5..258dd284ad5 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -120,7 +120,7 @@ interface winbind
     } wbint_Principal;
 
     typedef [public] struct {
-	int num_principals;
+	uint32 num_principals;
 	[size_is(num_principals)] wbint_Principal principals[];
     } wbint_Principals;
 
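Review bot: `num_principals` is the `size_is` bound for `principals[]`, and with this change any 32-bit value is a valid element count when the structure is unmarshalled. If the generated pull code does not already cap the count, a `[range(0,MAX)]` attribute on the field (MAX being a limit the project chooses) would bound what a reply can ask the receiver to allocate and iterate over. The two `int i` to `uint32_t i` changes in the following hunks cover wb_query_user_list.c and winbindd_lookuprids.c; other users of `wbint_Principals` that index with a signed counter are not part of this patch and are worth a grep.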
diff --git a/source3/winbindd/wb_query_user_list.c b/source3/winbindd/wb_query_user_list.c
index 6d699875e9b..5e80aae8469 100644
--- a/source3/winbindd/wb_query_user_list.c
+++ b/source3/winbindd/wb_query_user_list.c
@@ -93,7 +93,7 @@ static void wb_query_user_list_done(struct tevent_req *subreq)
 	struct wb_query_user_list_state *state = tevent_req_data(
 		req, struct wb_query_user_list_state);
 	NTSTATUS status, result;
-	int i;
+	uint32_t i;
 
 	status = dcerpc_wbint_LookupRids_recv(subreq, state, &result);
 	TALLOC_FREE(subreq);
diff --git a/source3/winbindd/winbindd_lookuprids.c b/source3/winbindd/winbindd_lookuprids.c
index 6d0c0efd429..ed5d951e7de 100644
--- a/source3/winbindd/winbindd_lookuprids.c
+++ b/source3/winbindd/winbindd_lookuprids.c
@@ -117,7 +117,7 @@ NTSTATUS winbindd_lookuprids_recv(struct tevent_req *req,
 		req, struct winbindd_lookuprids_state);
 	NTSTATUS status;
 	char *result;
-	int i;
+	uint32_t i;
 
 	if (tevent_req_is_nterror(req, &status)) {
 		DEBUG(5, ("Lookuprids failed: %s\n",nt_errstr(status)));
-- 
2.11.0


