diff --git a/source/include/smb.h b/source/include/smb.h index c6045991800..531f270c3da 100644 --- a/source/include/smb.h +++ b/source/include/smb.h @@ -624,8 +624,8 @@ typedef struct sam_passwd uid_t uid; /* this is a unix uid_t */ gid_t gid; /* this is a unix gid_t */ - uint32 user_rid; /* Primary User ID */ - uint32 group_rid; /* Primary Group ID */ + DOM_SID user_sid; /* Primary User SID */ + DOM_SID group_sid; /* Primary Group SID */ DATA_BLOB lm_pw; /* .data is Null if no password */ DATA_BLOB nt_pw; /* .data is Null if no password */ diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c index 21ef9e081b4..3ad9e909d87 100644 --- a/source/lib/util_sid.c +++ b/source/lib/util_sid.c @@ -1,10 +1,11 @@ /* Unix SMB/CIFS implementation. Samba utility functions - Copyright (C) Andrew Tridgell 1992-1998 - Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 - Copyright (C) Jeremy Allison 1999 - + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 + Copyright (C) Jeremy Allison 1999 + Copyright (C) Stefan (metze) Metzmacher 2002 + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or @@ -253,6 +254,9 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid) { + if (!sid || !rid) + return False; + if (sid->num_auths > 0) { *rid = sid->sub_auths[sid->num_auths - 1]; return True; @@ -260,6 +264,25 @@ BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid) return False; } +/***************************************************************** + Return the last rid from the end of a sid + and check the sid against the exp_dom_sid +*****************************************************************/ + +BOOL sid_peek_check_rid(DOM_SID *exp_dom_sid,DOM_SID *sid, uint32 *rid) +{ + if (!exp_dom_sid || !sid || !rid) + return False; + + + if (sid_compare_domain(exp_dom_sid, sid)!=0){ + *rid=(-1); + return False; + } + + return sid_peek_rid(sid,rid); +} + /***************************************************************** Copies a sid *****************************************************************/ diff --git a/source/nsswitch/winbindd_ads.c b/source/nsswitch/winbindd_ads.c index 545ee411a44..28aeb397303 100644 --- a/source/nsswitch/winbindd_ads.c +++ b/source/nsswitch/winbindd_ads.c @@ -273,7 +273,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, continue; } - if (!sid_peek_rid(&sid, &rid)) { + if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) { DEBUG(1,("No rid for %s !?\n", name)); continue; } @@ -356,7 +356,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, continue; } - if (!sid_peek_rid(&sid, &rid)) { + if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) { DEBUG(1,("No rid for %s !?\n", name)); continue; } @@ -584,7 +584,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain, goto done; } - if (!sid_peek_rid(&sid, &info->user_rid)) { + if (!sid_peek_check_rid(&domain->sid,&sid, &info->user_rid)) { DEBUG(1,("No rid for %d !?\n", user_rid)); goto done; } @@ -662,7 +662,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, for (i=1;isid, &sids[i-1], &rid)) continue; (*user_gids)[*num_groups] = rid; (*num_groups)++; } @@ -737,7 +737,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, DEBUG(1,("No sid for %s !?\n", (*names)[*num_names])); continue; } - if (!sid_peek_rid(&sid, &rid)) { + if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) { DEBUG(1,("No rid for %s !?\n", (*names)[*num_names])); continue; } diff --git a/source/nsswitch/winbindd_cache.c b/source/nsswitch/winbindd_cache.c index dcb93fa3b59..d9ed63baf8d 100644 --- a/source/nsswitch/winbindd_cache.c +++ b/source/nsswitch/winbindd_cache.c @@ -658,7 +658,8 @@ static NTSTATUS sid_to_name(struct winbindd_domain *domain, NTSTATUS status; uint32 rid = 0; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(&domain->sid, sid, &rid)) + return NT_STATUS_INVALID_PARAMETER; if (!cache->tdb) goto do_query; diff --git a/source/nsswitch/winbindd_group.c b/source/nsswitch/winbindd_group.c index 4ef57513bb0..ab8e1cfd784 100644 --- a/source/nsswitch/winbindd_group.c +++ b/source/nsswitch/winbindd_group.c @@ -228,7 +228,8 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state) } /* Fill in group structure */ - sid_peek_rid(&group_sid, &group_rid); + if (!sid_peek_check_rid(&domain->sid, &group_sid, &group_rid)) + return WINBINDD_ERROR; if (!winbindd_idmap_get_gid_from_sid(&group_sid, &gid)) { DEBUG(1, ("error converting unix gid to sid\n")); diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c index 154963e2a0a..31bbf14299f 100644 --- a/source/passdb/passdb.c +++ b/source/passdb/passdb.c @@ -156,7 +156,6 @@ NTSTATUS pdb_init_sam(SAM_ACCOUNT **user) NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) { GROUP_MAP map; - uint32 rid; if (!pwd) { return NT_STATUS_UNSUCCESSFUL; @@ -184,18 +183,25 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) -- abartlet 11-May-02 */ - pdb_set_user_rid(sam_account, - fallback_pdb_uid_to_user_rid(pwd->pw_uid)); + if (!pdb_set_user_sid_from_rid(sam_account, + fallback_pdb_uid_to_user_rid(pwd->pw_uid))) { + DEBUG(0,("Can't set User SID from RID!\n")); + return NT_STATUS_INVALID_PARAMETER; + } /* call the mapping code here */ if(get_group_map_from_gid(pwd->pw_gid, &map, MAPPING_WITHOUT_PRIV)) { - sid_peek_rid(&map.sid, &rid); + if (!pdb_set_group_sid(sam_account,&map.sid)){ + DEBUG(0,("Can't set Group SID!\n")); + return NT_STATUS_INVALID_PARAMETER; + } } else { - rid=pdb_gid_to_group_rid(pwd->pw_gid); + if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid))) { + DEBUG(0,("Can't set Group SID\n")); + return NT_STATUS_INVALID_PARAMETER; + } } - - pdb_set_group_rid(sam_account, rid); /* check if this is a user account or a machine account */ if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$') @@ -455,39 +461,6 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd) return (True); } -#if 0 /* seem it is not used by anyone */ -/******************************************************************* - Group and User RID username mapping function - ********************************************************************/ - -BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid) -{ - GROUP_MAP map; - struct passwd *pw = Get_Pwnam(user_name); - - if (u_rid == NULL || g_rid == NULL || user_name == NULL) - return False; - - if (!pw) { - DEBUG(1,("Username %s is invalid on this system\n", user_name)); - return False; - } - - /* turn the unix UID into a Domain RID. this is what the posix - sub-system does (adds 1000 to the uid) */ - *u_rid = fallback_pdb_uid_to_user_rid(pw->pw_uid); - - /* absolutely no idea what to do about the unix GID to Domain RID mapping */ - /* map it ! */ - if (get_group_map_from_gid(pw->pw_gid, &map, MAPPING_WITHOUT_PRIV)) { - sid_peek_rid(&map.sid, g_rid); - } else - *g_rid = pdb_gid_to_group_rid(pw->pw_gid); - - return True; -} -#endif /* seem it is not used by anyone */ - /******************************************************************* Converts NT user RID to a UNIX uid. ********************************************************************/ @@ -578,7 +551,11 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use SAM_ACCOUNT *sam_account = NULL; GROUP_MAP map; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)){ + DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n", + sid_string_static(&map.sid))); + return False; + } *psid_name_use = SID_NAME_UNKNOWN; DEBUG(5,("local_lookup_sid: looking up RID %u.\n", (unsigned int)rid)); @@ -724,10 +701,9 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi } if (pdb_getsampwnam(sam_account, user)) { - sid_append_rid( &local_sid, pdb_get_user_rid(sam_account)); + sid_copy(psid, (DOM_SID *) pdb_get_user_sid(sam_account)); *psid_name_use = SID_NAME_USER; - sid_copy( psid, &local_sid); pdb_free_sam(&sam_account); return True; } @@ -800,7 +776,7 @@ DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid) } if (pdb_getsampwnam(sam_user, pass->pw_name)) { - sid_append_rid(psid, pdb_get_user_rid(sam_user)); + sid_copy(psid, (DOM_SID *) pdb_get_user_sid(sam_user)); } else { sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid)); } @@ -920,7 +896,11 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type) if (map.gid==-1) return False; - sid_peek_rid(&map.sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &rid)){ + DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n", + sid_string_static(&map.sid))); + return False; + } *pgid = map.gid; *name_type = map.sid_name_use; DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", sid_to_string( str, psid), @@ -996,9 +976,9 @@ void copy_id23_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_23 *from) pdb_set_munged_dial(to , pdb_unistr2_convert(&from->uni_munged_dial )); if (from->user_rid) - pdb_set_user_rid(to, from->user_rid); + pdb_set_user_sid_from_rid(to, from->user_rid); if (from->group_rid) - pdb_set_group_rid(to, from->group_rid); + pdb_set_group_sid_from_rid(to, from->group_rid); pdb_set_acct_ctrl(to, from->acb_info); pdb_set_unknown_3(to, from->unknown_3); @@ -1051,9 +1031,9 @@ void copy_id21_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_21 *from) pdb_set_munged_dial(to , pdb_unistr2_convert(&from->uni_munged_dial )); if (from->user_rid) - pdb_set_user_rid(to, from->user_rid); + pdb_set_user_sid_from_rid(to, from->user_rid); if (from->group_rid) - pdb_set_group_rid(to, from->group_rid); + pdb_set_group_sid_from_rid(to, from->group_rid); /* FIXME!! Do we need to copy the passwords here as well? I don't know. Need to figure this out --jerry */ diff --git a/source/passdb/pdb_get_set.c b/source/passdb/pdb_get_set.c index 5ed54a98572..0b5a1053ae5 100644 --- a/source/passdb/pdb_get_set.c +++ b/source/passdb/pdb_get_set.c @@ -5,6 +5,7 @@ Copyright (C) Luke Kenneth Casson Leighton 1996-1998 Copyright (C) Gerald (Jerry) Carter 2000-2001 Copyright (C) Andrew Bartlett 2001-2002 + Copyright (C) Stefan (metze) Metzmacher 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -155,21 +156,41 @@ const char* pdb_get_plaintext_passwd (const SAM_ACCOUNT *sampass) else return (NULL); } +const DOM_SID *pdb_get_user_sid(const SAM_ACCOUNT *sampass) +{ + if (sampass) + return &sampass->private.user_sid; + else + return (NULL); +} + +const DOM_SID *pdb_get_group_sid(const SAM_ACCOUNT *sampass) +{ + if (sampass) + return &sampass->private.group_sid; + else + return (NULL); +} uint32 pdb_get_user_rid (const SAM_ACCOUNT *sampass) { + uint32 u_rid; + if (sampass) - return (sampass->private.user_rid); - else - return (-1); + if (sid_peek_check_rid(get_global_sam_sid(), (DOM_SID *) pdb_get_user_sid(sampass),&u_rid)) + return u_rid; + + return (-1); } uint32 pdb_get_group_rid (const SAM_ACCOUNT *sampass) { + uint32 g_rid; + if (sampass) - return (sampass->private.group_rid); - else - return (-1); + if (sid_peek_check_rid(get_global_sam_sid(), (DOM_SID *) pdb_get_group_sid(sampass),&g_rid)) + return g_rid; + return (-1); } /** @@ -487,27 +508,71 @@ BOOL pdb_set_gid (SAM_ACCOUNT *sampass, const gid_t gid) } -BOOL pdb_set_user_rid (SAM_ACCOUNT *sampass, uint32 rid) +BOOL pdb_set_user_sid (SAM_ACCOUNT *sampass, DOM_SID *u_sid) { - if (!sampass) + if (!sampass || !u_sid) return False; + + sid_copy(&sampass->private.user_sid, u_sid); - DEBUG(10, ("pdb_set_rid: setting user rid %d, was %d\n", - rid, sampass->private.user_rid)); - - sampass->private.user_rid = rid; + DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n", + sid_string_static(&sampass->private.user_sid))); + return True; } -BOOL pdb_set_group_rid (SAM_ACCOUNT *sampass, uint32 grid) +BOOL pdb_set_group_sid(SAM_ACCOUNT *sampass, DOM_SID *g_sid) { + if (!sampass || !g_sid) + return False; + + sid_copy(&sampass->private.group_sid, g_sid); + + DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n", + sid_string_static(&sampass->private.group_sid))); + + return True; +} + +BOOL pdb_set_user_sid_from_rid (SAM_ACCOUNT *sampass, uint32 rid) +{ + DOM_SID u_sid; + if (!sampass) return False; - DEBUG(10, ("pdb_set_group_rid: setting group rid %d, was %d\n", - grid, sampass->private.group_rid)); - - sampass->private.group_rid = grid; + sid_copy(&u_sid, get_global_sam_sid()); + + if (!sid_append_rid(&u_sid, rid)) + return False; + + if (!pdb_set_user_sid(sampass, &u_sid)) + return False; + + DEBUG(10, ("pdb_set_user_sid_from_rid:\n\tsetting user sid %s from rid %d\n", + sid_string_static(&u_sid),rid)); + + return True; +} + +BOOL pdb_set_group_sid_from_rid (SAM_ACCOUNT *sampass, uint32 grid) +{ + DOM_SID g_sid; + + if (!sampass) + return False; + + sid_copy(&g_sid, get_global_sam_sid()); + + if (!sid_append_rid(&g_sid, grid)) + return False; + + if (!pdb_set_group_sid(sampass, &g_sid)) + return False; + + DEBUG(10, ("pdb_set_group_sid_from_rid:\n\tsetting group sid %s from rid %d\n", + sid_string_static(&g_sid), grid)); + return True; } diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c index 28c08e0f631..7ba8d4a8101 100644 --- a/source/passdb/pdb_ldap.c +++ b/source/passdb/pdb_ldap.c @@ -624,7 +624,8 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, GROUP_MAP map; /* call the mapping code here */ if(get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) { - sid_peek_rid(&map.sid, &group_rid); + if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &group_rid)) + return False; } else { group_rid=pdb_gid_to_group_rid(gid); @@ -780,8 +781,8 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, pdb_set_hours_len(sampass, hours_len); pdb_set_logon_divs(sampass, logon_divs); - pdb_set_user_rid(sampass, user_rid); - pdb_set_group_rid(sampass, group_rid); + pdb_set_user_sid_from_rid(sampass, user_rid); + pdb_set_group_sid_from_rid(sampass, group_rid); pdb_set_username(sampass, username); @@ -1273,7 +1274,8 @@ static BOOL ldapsam_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT * us static BOOL ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid) { uint32 rid; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) + return False; return ldapsam_getsampwrid(my_methods, user, rid); } diff --git a/source/passdb/pdb_nisplus.c b/source/passdb/pdb_nisplus.c index 0c4c2c5bb35..80f918d1a6c 100644 --- a/source/passdb/pdb_nisplus.c +++ b/source/passdb/pdb_nisplus.c @@ -339,8 +339,8 @@ static BOOL make_sam_from_nisp_object(SAM_ACCOUNT *pw_buf, const nis_object *obj pdb_set_uid(pw_buf, atoi(ENTRY_VAL(obj, NPF_UID))); pdb_set_gid(pw_buf, atoi(ENTRY_VAL(obj, NPF_SMB_GRPID))); - pdb_set_user_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_USER_RID))); - pdb_set_group_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_GROUP_RID))); + pdb_set_user_sid_from_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_USER_RID))); + pdb_set_group_sid_from_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_GROUP_RID))); /* values, must exist for user */ if( !(pdb_get_acct_ctrl(pw_buf) & ACB_WSTRUST) ) { @@ -381,7 +381,7 @@ static BOOL make_sam_from_nisp_object(SAM_ACCOUNT *pw_buf, const nis_object *obj else { /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. */ - pdb_set_group_rid (pw_buf, DOMAIN_GROUP_RID_USERS); + pdb_set_group_sid_from_rid (pw_buf, DOMAIN_GROUP_RID_USERS); } /* Check the lanman password column. */ @@ -538,7 +538,8 @@ static BOOL init_nisp_from_sam(nis_object *obj, const SAM_ACCOUNT *sampass, if (rid==0) { if (get_group_map_from_gid(pdb_get_gid(sampass), &map, MAPPING_WITHOUT_PRIV)) { - sid_peek_rid(&map.sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &rid)) + return False; } else rid=pdb_gid_to_group_rid(pdb_get_gid(sampass)); } @@ -1034,7 +1035,8 @@ BOOL pdb_getsampwnam(SAM_ACCOUNT * user, const char *sname) BOOL pdb_getsampwsid(SAM_ACCOUNT * user, DOM_SID *sid) { uint32 rid; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) + return False; return pdb_getsampwrid(user, rid); } diff --git a/source/passdb/pdb_smbpasswd.c b/source/passdb/pdb_smbpasswd.c index a6bd66eacee..25957100d87 100644 --- a/source/passdb/pdb_smbpasswd.c +++ b/source/passdb/pdb_smbpasswd.c @@ -1242,14 +1242,14 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state, && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid) && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) { - pdb_set_user_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid)); + pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid)); /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. This was down the bottom for machines, but it looks pretty good as a general default for non-unix users. --abartlet 2002-01-08 */ - pdb_set_group_rid (sam_pass, DOMAIN_GROUP_RID_USERS); + pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS); pdb_set_username (sam_pass, pw_buf->smb_name); pdb_set_domain (sam_pass, lp_workgroup()); } else { @@ -1458,7 +1458,8 @@ static BOOL smbpasswd_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT *s static BOOL smbpasswd_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid) { uint32 rid; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) + return False; return smbpasswd_getsampwrid(my_methods, user, rid); } diff --git a/source/passdb/pdb_tdb.c b/source/passdb/pdb_tdb.c index 2341210e392..b309f675b35 100644 --- a/source/passdb/pdb_tdb.c +++ b/source/passdb/pdb_tdb.c @@ -246,8 +246,8 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state, } } - pdb_set_user_rid(sampass, user_rid); - pdb_set_group_rid(sampass, group_rid); + pdb_set_user_sid_from_rid(sampass, user_rid); + pdb_set_group_sid_from_rid(sampass, group_rid); pdb_set_unknown_3(sampass, unknown_3); pdb_set_hours_len(sampass, hours_len); pdb_set_unknown_5(sampass, unknown_5); @@ -671,7 +671,8 @@ static BOOL tdbsam_getsampwrid (struct pdb_methods *my_methods, SAM_ACCOUNT *use static BOOL tdbsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid) { uint32 rid; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) + return False; return tdbsam_getsampwrid(my_methods, user, rid); } @@ -775,7 +776,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd, goto done; } } - pdb_set_user_rid(newpwd, user_rid); + pdb_set_user_sid_from_rid(newpwd, user_rid); } else { user_rid = tdb_state->low_nua_rid; tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, RID_MULTIPLIER); @@ -788,7 +789,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd, ret = False; goto done; } - pdb_set_user_rid(newpwd, user_rid); + pdb_set_user_sid_from_rid(newpwd, user_rid); } } else { DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd))); @@ -805,7 +806,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd, goto done; } else { /* This seems like a good default choice for non-unix users */ - pdb_set_group_rid(newpwd, DOMAIN_GROUP_RID_USERS); + pdb_set_group_sid_from_rid(newpwd, DOMAIN_GROUP_RID_USERS); } } else { DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd))); diff --git a/source/passdb/pdb_unix.c b/source/passdb/pdb_unix.c index 85ff5bd9338..b4092b88f8a 100644 --- a/source/passdb/pdb_unix.c +++ b/source/passdb/pdb_unix.c @@ -68,7 +68,8 @@ static BOOL unixsam_getsampwrid (struct pdb_methods *methods, static BOOL unixsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid) { uint32 rid; - sid_peek_rid(sid, &rid); + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) + return False; return unixsam_getsampwrid(my_methods, user, rid); } diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c index daa39b215fe..a6f936fecaf 100644 --- a/source/rpc_server/srv_samr_nt.c +++ b/source/rpc_server/srv_samr_nt.c @@ -2019,18 +2019,9 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ return NT_STATUS_ACCESS_DENIED; } - /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { - pdb_free_sam(&sam_pass); - return NT_STATUS_INVALID_HANDLE; - } - - /* append the user's RID to it */ - if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) { - pdb_free_sam(&sam_pass); - return NT_STATUS_NO_SUCH_USER; - } - + /* Get the user's SID */ + sid_copy(&sid, (DOM_SID *) pdb_get_user_sid(sam_pass)); + /* associate the user's SID with the new handle. */ if ((info = get_samr_info_by_sid(&sid)) == NULL) { pdb_free_sam(&sam_pass); diff --git a/source/utils/pdbedit.c b/source/utils/pdbedit.c index 51254667c9b..ed7f648f2dd 100644 --- a/source/utils/pdbedit.c +++ b/source/utils/pdbedit.c @@ -81,10 +81,12 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst if (IS_SAM_UNIX_USER(sam_pwent)) { uid = pdb_get_uid(sam_pwent); gid = pdb_get_gid(sam_pwent); - printf ("user ID/Group: %d/%d\n", uid, gid); + printf ("User ID/Group ID: %d/%d\n", uid, gid); } - printf ("user RID/GRID: %u/%u\n", (unsigned int)pdb_get_user_rid(sam_pwent), - (unsigned int)pdb_get_group_rid(sam_pwent)); + printf ("User SID: %s\n", + sid_string_static((DOM_SID *)pdb_get_user_sid(sam_pwent))); + printf ("Primary Group SID: %s\n", + sid_string_static((DOM_SID *)pdb_get_group_sid(sam_pwent))); printf ("Full Name: %s\n", pdb_get_fullname(sam_pwent)); printf ("Home Directory: %s\n", pdb_get_homedir(sam_pwent)); printf ("HomeDir Drive: %s\n", pdb_get_dirdrive(sam_pwent)); @@ -329,7 +331,7 @@ static int new_machine (struct pdb_context *in, char *machinename) pdb_set_acct_ctrl (sam_pwent, ACB_WSTRUST); - pdb_set_group_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS); + pdb_set_group_sid_from_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS); if (in->pdb_add_sam_account (in, sam_pwent)) { print_user_info (in, name, True, False);