sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-08 04:58:40 +03:00
Code

Merge branch 'master' of /home/tridge/samba/git/combined

Browse Source
This commit is contained in:
Andrew Tridgell 2009-09-18 14:12:02 -07:00
commit 716ddc2a89
38 changed files with 2036 additions and 702 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
libcli/named_pipe_auth/npa_tstream.c
View File

@ -66,8 +66,9 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
const char *client_name_in,
const struct tsocket_address *server,
const char *server_name,
const struct netr_SamInfo3 *info3,
DATA_BLOB session_key)
const struct netr_SamInfo3 *sam_info3,
DATA_BLOB session_key,
DATA_BLOB delegated_creds)
{
struct tevent_req *req;
struct tstream_npa_connect_state *state;
@ -109,45 +110,48 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(state->auth_req);
if (client) {
struct named_pipe_auth_req_info2 *info2;
struct named_pipe_auth_req_info3 *info3;
if (!server) {
tevent_req_error(req, EINVAL);
goto post;
}
state->auth_req.level = 2;
info2 = &state->auth_req.info.info2;
state->auth_req.level = 3;
info3 = &state->auth_req.info.info3;
info2->client_name = client_name_in;
info2->client_addr = tsocket_address_inet_addr_string(client, state);
if (!info2->client_addr) {
info3->client_name = client_name_in;
info3->client_addr = tsocket_address_inet_addr_string(client, state);
if (!info3->client_addr) {
/* errno might be EINVAL */
tevent_req_error(req, errno);
goto post;
}
info2->client_port = tsocket_address_inet_port(client);
if (!info2->client_name) {
info2->client_name = info2->client_addr;
info3->client_port = tsocket_address_inet_port(client);
if (!info3->client_name) {
info3->client_name = info3->client_addr;
}
info2->server_addr = tsocket_address_inet_addr_string(server, state);
if (!info2->server_addr) {
info3->server_addr = tsocket_address_inet_addr_string(server, state);
if (!info3->server_addr) {
/* errno might be EINVAL */
tevent_req_error(req, errno);
goto post;
}
info2->server_port = tsocket_address_inet_port(server);
if (!info2->server_name) {
info2->server_name = info2->server_addr;
info3->server_port = tsocket_address_inet_port(server);
if (!info3->server_name) {
info3->server_name = info3->server_addr;
}
info2->sam_info3 = discard_const_p(struct netr_SamInfo3, info3);
info2->session_key_length = session_key.length;
info2->session_key = session_key.data;
} else if (info3) {
info3->sam_info3 = discard_const_p(struct netr_SamInfo3, sam_info3);
info3->session_key_length = session_key.length;
info3->session_key = session_key.data;
info3->gssapi_delegated_creds_length = delegated_creds.length;
info3->gssapi_delegated_creds = delegated_creds.data;
} else if (sam_info3) {
state->auth_req.level = 1;
state->auth_req.info.info1 = *info3;
state->auth_req.info.info1 = *sam_info3;
} else {
state->auth_req.level = 0;
}
@ -429,6 +433,11 @@ int _tstream_npa_connect_recv(struct tevent_req *req,
device_state = state->auth_rep.info.info2.device_state;
allocation_size = state->auth_rep.info.info2.allocation_size;
break;
case 3:
npas->file_type = state->auth_rep.info.info3.file_type;
device_state = state->auth_rep.info.info3.device_state;
allocation_size = state->auth_rep.info.info3.allocation_size;
break;
}
*_stream = stream;

3
libcli/named_pipe_auth/npa_tstream.h
View File

@ -34,7 +34,8 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
const struct tsocket_address *server,
const char *server_name,
const struct netr_SamInfo3 *info3,
DATA_BLOB session_key);
DATA_BLOB session_key,
DATA_BLOB delegated_creds);
int _tstream_npa_connect_recv(struct tevent_req *req,
int *perrno,
TALLOC_CTX *mem_ctx,

22
librpc/gen_ndr/named_pipe_auth.h
View File

@ -21,9 +21,24 @@ struct named_pipe_auth_req_info2 {
uint8_t *session_key;/* [unique,size_is(session_key_length)] */
};
struct named_pipe_auth_req_info3 {
const char *client_name;/* [unique,charset(UTF8)] */
const char *client_addr;/* [unique,charset(DOS)] */
uint16_t client_port;
const char *server_name;/* [unique,charset(UTF8)] */
const char *server_addr;/* [unique,charset(DOS)] */
uint16_t server_port;
struct netr_SamInfo3 *sam_info3;/* [unique] */
uint32_t session_key_length;
uint8_t *session_key;/* [unique,size_is(session_key_length)] */
uint32_t gssapi_delegated_creds_length;
uint8_t *gssapi_delegated_creds;/* [unique,size_is(gssapi_delegated_creds_length)] */
};
union named_pipe_auth_req_info {
struct netr_SamInfo3 info1;/* [case] */
struct named_pipe_auth_req_info2 info2;/* [case(2)] */
struct named_pipe_auth_req_info3 info3;/* [case(3)] */
}/* [switch_type(uint32)] */;
struct named_pipe_auth_req {
@ -39,8 +54,15 @@ struct named_pipe_auth_rep_info2 {
uint64_t allocation_size;
};
struct named_pipe_auth_rep_info3 {
uint16_t file_type;
uint16_t device_state;
uint64_t allocation_size;
};
union named_pipe_auth_rep_info {
struct named_pipe_auth_rep_info2 info2;/* [case(2)] */
struct named_pipe_auth_rep_info3 info3;/* [case(3)] */
}/* [switch_type(uint32)] */;
struct named_pipe_auth_rep {

329
librpc/gen_ndr/ndr_named_pipe_auth.c
View File

@ -226,6 +226,261 @@ _PUBLIC_ void ndr_print_named_pipe_auth_req_info2(struct ndr_print *ndr, const c
ndr->depth--;
}
static enum ndr_err_code ndr_push_named_pipe_auth_req_info3(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_req_info3 *r)
{
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_push_align(ndr, 5));
NDR_CHECK(ndr_push_unique_ptr(ndr, r->client_name));
NDR_CHECK(ndr_push_unique_ptr(ndr, r->client_addr));
NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->client_port));
NDR_CHECK(ndr_push_unique_ptr(ndr, r->server_name));
NDR_CHECK(ndr_push_unique_ptr(ndr, r->server_addr));
NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->server_port));
NDR_CHECK(ndr_push_unique_ptr(ndr, r->sam_info3));
NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->session_key_length));
NDR_CHECK(ndr_push_unique_ptr(ndr, r->session_key));
NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->gssapi_delegated_creds_length));
NDR_CHECK(ndr_push_unique_ptr(ndr, r->gssapi_delegated_creds));
}
if (ndr_flags & NDR_BUFFERS) {
if (r->client_name) {
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->client_name, CH_UTF8)));
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, 0));
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->client_name, CH_UTF8)));
NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->client_name, ndr_charset_length(r->client_name, CH_UTF8), sizeof(uint8_t), CH_UTF8));
}
if (r->client_addr) {
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->client_addr, CH_DOS)));
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, 0));
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->client_addr, CH_DOS)));
NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->client_addr, ndr_charset_length(r->client_addr, CH_DOS), sizeof(uint8_t), CH_DOS));
}
if (r->server_name) {
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->server_name, CH_UTF8)));
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, 0));
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->server_name, CH_UTF8)));
NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->server_name, ndr_charset_length(r->server_name, CH_UTF8), sizeof(uint8_t), CH_UTF8));
}
if (r->server_addr) {
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->server_addr, CH_DOS)));
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, 0));
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->server_addr, CH_DOS)));
NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->server_addr, ndr_charset_length(r->server_addr, CH_DOS), sizeof(uint8_t), CH_DOS));
}
if (r->sam_info3) {
NDR_CHECK(ndr_push_netr_SamInfo3(ndr, NDR_SCALARS|NDR_BUFFERS, r->sam_info3));
}
if (r->session_key) {
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, r->session_key_length));
NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->session_key, r->session_key_length));
}
if (r->gssapi_delegated_creds) {
NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, r->gssapi_delegated_creds_length));
NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->gssapi_delegated_creds, r->gssapi_delegated_creds_length));
}
}
return NDR_ERR_SUCCESS;
}
static enum ndr_err_code ndr_pull_named_pipe_auth_req_info3(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req_info3 *r)
{
uint32_t _ptr_client_name;
TALLOC_CTX *_mem_save_client_name_0;
uint32_t _ptr_client_addr;
TALLOC_CTX *_mem_save_client_addr_0;
uint32_t _ptr_server_name;
TALLOC_CTX *_mem_save_server_name_0;
uint32_t _ptr_server_addr;
TALLOC_CTX *_mem_save_server_addr_0;
uint32_t _ptr_sam_info3;
TALLOC_CTX *_mem_save_sam_info3_0;
uint32_t _ptr_session_key;
TALLOC_CTX *_mem_save_session_key_0;
uint32_t _ptr_gssapi_delegated_creds;
TALLOC_CTX *_mem_save_gssapi_delegated_creds_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 5));
NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client_name));
if (_ptr_client_name) {
NDR_PULL_ALLOC(ndr, r->client_name);
} else {
r->client_name = NULL;
}
NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client_addr));
if (_ptr_client_addr) {
NDR_PULL_ALLOC(ndr, r->client_addr);
} else {
r->client_addr = NULL;
}
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->client_port));
NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_name));
if (_ptr_server_name) {
NDR_PULL_ALLOC(ndr, r->server_name);
} else {
r->server_name = NULL;
}
NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_addr));
if (_ptr_server_addr) {
NDR_PULL_ALLOC(ndr, r->server_addr);
} else {
r->server_addr = NULL;
}
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->server_port));
NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam_info3));
if (_ptr_sam_info3) {
NDR_PULL_ALLOC(ndr, r->sam_info3);
} else {
r->sam_info3 = NULL;
}
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->session_key_length));
NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_session_key));
if (_ptr_session_key) {
NDR_PULL_ALLOC(ndr, r->session_key);
} else {
r->session_key = NULL;
}
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->gssapi_delegated_creds_length));
NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_gssapi_delegated_creds));
if (_ptr_gssapi_delegated_creds) {
NDR_PULL_ALLOC(ndr, r->gssapi_delegated_creds);
} else {
r->gssapi_delegated_creds = NULL;
}
}
if (ndr_flags & NDR_BUFFERS) {
if (r->client_name) {
_mem_save_client_name_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->client_name, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->client_name));
NDR_CHECK(ndr_pull_array_length(ndr, &r->client_name));
if (ndr_get_array_length(ndr, &r->client_name) > ndr_get_array_size(ndr, &r->client_name)) {
return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_name), ndr_get_array_length(ndr, &r->client_name));
}
NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_name), sizeof(uint8_t)));
NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_name, ndr_get_array_length(ndr, &r->client_name), sizeof(uint8_t), CH_UTF8));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_name_0, 0);
}
if (r->client_addr) {
_mem_save_client_addr_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->client_addr, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->client_addr));
NDR_CHECK(ndr_pull_array_length(ndr, &r->client_addr));
if (ndr_get_array_length(ndr, &r->client_addr) > ndr_get_array_size(ndr, &r->client_addr)) {
return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_addr), ndr_get_array_length(ndr, &r->client_addr));
}
NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_addr), sizeof(uint8_t)));
NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_addr, ndr_get_array_length(ndr, &r->client_addr), sizeof(uint8_t), CH_DOS));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_addr_0, 0);
}
if (r->server_name) {
_mem_save_server_name_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name));
NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name));
if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) {
return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name));
}
NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint8_t)));
NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint8_t), CH_UTF8));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0);
}
if (r->server_addr) {
_mem_save_server_addr_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->server_addr, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->server_addr));
NDR_CHECK(ndr_pull_array_length(ndr, &r->server_addr));
if (ndr_get_array_length(ndr, &r->server_addr) > ndr_get_array_size(ndr, &r->server_addr)) {
return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_addr), ndr_get_array_length(ndr, &r->server_addr));
}
NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_addr), sizeof(uint8_t)));
NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_addr, ndr_get_array_length(ndr, &r->server_addr), sizeof(uint8_t), CH_DOS));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_addr_0, 0);
}
if (r->sam_info3) {
_mem_save_sam_info3_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->sam_info3, 0);
NDR_CHECK(ndr_pull_netr_SamInfo3(ndr, NDR_SCALARS|NDR_BUFFERS, r->sam_info3));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sam_info3_0, 0);
}
if (r->session_key) {
_mem_save_session_key_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->session_key, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->session_key));
NDR_PULL_ALLOC_N(ndr, r->session_key, ndr_get_array_size(ndr, &r->session_key));
NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->session_key, ndr_get_array_size(ndr, &r->session_key)));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_session_key_0, 0);
}
if (r->gssapi_delegated_creds) {
_mem_save_gssapi_delegated_creds_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->gssapi_delegated_creds, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->gssapi_delegated_creds));
NDR_PULL_ALLOC_N(ndr, r->gssapi_delegated_creds, ndr_get_array_size(ndr, &r->gssapi_delegated_creds));
NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->gssapi_delegated_creds, ndr_get_array_size(ndr, &r->gssapi_delegated_creds)));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_gssapi_delegated_creds_0, 0);
}
if (r->session_key) {
NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->session_key, r->session_key_length));
}
if (r->gssapi_delegated_creds) {
NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->gssapi_delegated_creds, r->gssapi_delegated_creds_length));
}
}
return NDR_ERR_SUCCESS;
}
_PUBLIC_ void ndr_print_named_pipe_auth_req_info3(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_req_info3 *r)
{
ndr_print_struct(ndr, name, "named_pipe_auth_req_info3");
ndr->depth++;
ndr_print_ptr(ndr, "client_name", r->client_name);
ndr->depth++;
if (r->client_name) {
ndr_print_string(ndr, "client_name", r->client_name);
}
ndr->depth--;
ndr_print_ptr(ndr, "client_addr", r->client_addr);
ndr->depth++;
if (r->client_addr) {
ndr_print_string(ndr, "client_addr", r->client_addr);
}
ndr->depth--;
ndr_print_uint16(ndr, "client_port", r->client_port);
ndr_print_ptr(ndr, "server_name", r->server_name);
ndr->depth++;
if (r->server_name) {
ndr_print_string(ndr, "server_name", r->server_name);
}
ndr->depth--;
ndr_print_ptr(ndr, "server_addr", r->server_addr);
ndr->depth++;
if (r->server_addr) {
ndr_print_string(ndr, "server_addr", r->server_addr);
}
ndr->depth--;
ndr_print_uint16(ndr, "server_port", r->server_port);
ndr_print_ptr(ndr, "sam_info3", r->sam_info3);
ndr->depth++;
if (r->sam_info3) {
ndr_print_netr_SamInfo3(ndr, "sam_info3", r->sam_info3);
}
ndr->depth--;
ndr_print_uint32(ndr, "session_key_length", r->session_key_length);
ndr_print_ptr(ndr, "session_key", r->session_key);
ndr->depth++;
if (r->session_key) {
ndr_print_array_uint8(ndr, "session_key", r->session_key, r->session_key_length);
}
ndr->depth--;
ndr_print_uint32(ndr, "gssapi_delegated_creds_length", r->gssapi_delegated_creds_length);
ndr_print_ptr(ndr, "gssapi_delegated_creds", r->gssapi_delegated_creds);
ndr->depth++;
if (r->gssapi_delegated_creds) {
ndr_print_array_uint8(ndr, "gssapi_delegated_creds", r->gssapi_delegated_creds, r->gssapi_delegated_creds_length);
}
ndr->depth--;
ndr->depth--;
}
static enum ndr_err_code ndr_push_named_pipe_auth_req_info(struct ndr_push *ndr, int ndr_flags, const union named_pipe_auth_req_info *r)
{
if (ndr_flags & NDR_SCALARS) {
@ -243,6 +498,10 @@ static enum ndr_err_code ndr_push_named_pipe_auth_req_info(struct ndr_push *ndr,
NDR_CHECK(ndr_push_named_pipe_auth_req_info2(ndr, NDR_SCALARS, &r->info2));
break; }
case 3: {
NDR_CHECK(ndr_push_named_pipe_auth_req_info3(ndr, NDR_SCALARS, &r->info3));
break; }
default:
return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@ -261,6 +520,10 @@ static enum ndr_err_code ndr_push_named_pipe_auth_req_info(struct ndr_push *ndr,
NDR_CHECK(ndr_push_named_pipe_auth_req_info2(ndr, NDR_BUFFERS, &r->info2));
break;
case 3:
NDR_CHECK(ndr_push_named_pipe_auth_req_info3(ndr, NDR_BUFFERS, &r->info3));
break;
default:
return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@ -290,6 +553,10 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info(struct ndr_pull *ndr,
NDR_CHECK(ndr_pull_named_pipe_auth_req_info2(ndr, NDR_SCALARS, &r->info2));
break; }
case 3: {
NDR_CHECK(ndr_pull_named_pipe_auth_req_info3(ndr, NDR_SCALARS, &r->info3));
break; }
default:
return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@ -307,6 +574,10 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info(struct ndr_pull *ndr,
NDR_CHECK(ndr_pull_named_pipe_auth_req_info2(ndr, NDR_BUFFERS, &r->info2));
break;
case 3:
NDR_CHECK(ndr_pull_named_pipe_auth_req_info3(ndr, NDR_BUFFERS, &r->info3));
break;
default:
return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@ -331,6 +602,10 @@ _PUBLIC_ void ndr_print_named_pipe_auth_req_info(struct ndr_print *ndr, const ch
ndr_print_named_pipe_auth_req_info2(ndr, "info2", &r->info2);
break;
case 3:
ndr_print_named_pipe_auth_req_info3(ndr, "info3", &r->info3);
break;
default:
ndr_print_bad_level(ndr, name, level);
}
@ -431,6 +706,42 @@ _PUBLIC_ void ndr_print_named_pipe_auth_rep_info2(struct ndr_print *ndr, const c
ndr->depth--;
}
static enum ndr_err_code ndr_push_named_pipe_auth_rep_info3(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_rep_info3 *r)
{
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_push_align(ndr, 8));
NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->file_type));
NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->device_state));
NDR_CHECK(ndr_push_hyper(ndr, NDR_SCALARS, r->allocation_size));
}
if (ndr_flags & NDR_BUFFERS) {
}
return NDR_ERR_SUCCESS;
}
static enum ndr_err_code ndr_pull_named_pipe_auth_rep_info3(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_rep_info3 *r)
{
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 8));
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->file_type));
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->device_state));
NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->allocation_size));
}
if (ndr_flags & NDR_BUFFERS) {
}
return NDR_ERR_SUCCESS;
}
_PUBLIC_ void ndr_print_named_pipe_auth_rep_info3(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_rep_info3 *r)
{
ndr_print_struct(ndr, name, "named_pipe_auth_rep_info3");
ndr->depth++;
ndr_print_uint16(ndr, "file_type", r->file_type);
ndr_print_uint16(ndr, "device_state", r->device_state);
ndr_print_hyper(ndr, "allocation_size", r->allocation_size);
ndr->depth--;
}
static enum ndr_err_code ndr_push_named_pipe_auth_rep_info(struct ndr_push *ndr, int ndr_flags, const union named_pipe_auth_rep_info *r)
{
if (ndr_flags & NDR_SCALARS) {
@ -447,6 +758,10 @@ static enum ndr_err_code ndr_push_named_pipe_auth_rep_info(struct ndr_push *ndr,
NDR_CHECK(ndr_push_named_pipe_auth_rep_info2(ndr, NDR_SCALARS, &r->info2));
break; }
case 3: {
NDR_CHECK(ndr_push_named_pipe_auth_rep_info3(ndr, NDR_SCALARS, &r->info3));
break; }
default:
return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@ -463,6 +778,9 @@ static enum ndr_err_code ndr_push_named_pipe_auth_rep_info(struct ndr_push *ndr,
case 2:
break;
case 3:
break;
default:
return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@ -491,6 +809,10 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_rep_info(struct ndr_pull *ndr,
NDR_CHECK(ndr_pull_named_pipe_auth_rep_info2(ndr, NDR_SCALARS, &r->info2));
break; }
case 3: {
NDR_CHECK(ndr_pull_named_pipe_auth_rep_info3(ndr, NDR_SCALARS, &r->info3));
break; }
default:
return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@ -506,6 +828,9 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_rep_info(struct ndr_pull *ndr,
case 2:
break;
case 3:
break;
default:
return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@ -529,6 +854,10 @@ _PUBLIC_ void ndr_print_named_pipe_auth_rep_info(struct ndr_print *ndr, const ch
ndr_print_named_pipe_auth_rep_info2(ndr, "info2", &r->info2);
break;
case 3:
ndr_print_named_pipe_auth_rep_info3(ndr, "info3", &r->info3);
break;
default:
ndr_print_bad_level(ndr, name, level);
}

2
librpc/gen_ndr/ndr_named_pipe_auth.h
View File

@ -8,12 +8,14 @@
#define NDR_NAMED_PIPE_AUTH_CALL_COUNT (0)
void ndr_print_named_pipe_auth_req_info2(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_req_info2 *r);
void ndr_print_named_pipe_auth_req_info3(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_req_info3 *r);
void ndr_print_named_pipe_auth_req_info(struct ndr_print *ndr, const char *name, const union named_pipe_auth_req_info *r);
enum ndr_err_code ndr_push_named_pipe_auth_req(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_req *r);
enum ndr_err_code ndr_pull_named_pipe_auth_req(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req *r);
void ndr_print_named_pipe_auth_req(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_req *r);
size_t ndr_size_named_pipe_auth_req(const struct named_pipe_auth_req *r, struct smb_iconv_convenience *ic, int flags);
void ndr_print_named_pipe_auth_rep_info2(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_rep_info2 *r);
void ndr_print_named_pipe_auth_rep_info3(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_rep_info3 *r);
void ndr_print_named_pipe_auth_rep_info(struct ndr_print *ndr, const char *name, const union named_pipe_auth_rep_info *r);
enum ndr_err_code ndr_push_named_pipe_auth_rep(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_rep *r);
enum ndr_err_code ndr_pull_named_pipe_auth_rep(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_rep *r);

23
librpc/idl/named_pipe_auth.idl
View File

@ -24,10 +24,26 @@ interface named_pipe_auth
[size_is(session_key_length)] uint8 *session_key;
} named_pipe_auth_req_info2;
typedef struct {
[charset(UTF8),string] uint8 *client_name;
[charset(DOS),string] uint8 *client_addr;
uint16 client_port;
[charset(UTF8),string] uint8 *server_name;
[charset(DOS),string] uint8 *server_addr;
uint16 server_port;
netr_SamInfo3 *sam_info3;
uint32 session_key_length;
[size_is(session_key_length)] uint8 *session_key;
uint32 gssapi_delegated_creds_length;
[size_is(gssapi_delegated_creds_length)]
uint8 *gssapi_delegated_creds;
} named_pipe_auth_req_info3;
typedef [switch_type(uint32)] union {
[case(0)] ;/* anonymous */
[case(1)] netr_SamInfo3 info1;
[case(2)] named_pipe_auth_req_info2 info2;
[case(3)] named_pipe_auth_req_info3 info3;
} named_pipe_auth_req_info;
typedef [public,gensize] struct {
@ -45,10 +61,17 @@ interface named_pipe_auth
hyper allocation_size;
} named_pipe_auth_rep_info2;
typedef struct {
uint16 file_type;
uint16 device_state;
hyper allocation_size;
} named_pipe_auth_rep_info3;
typedef [switch_type(uint32)] union {
[case(0)] ;
[case(1)] ;
[case(2)] named_pipe_auth_rep_info2 info2;
[case(3)] named_pipe_auth_rep_info3 info3;
} named_pipe_auth_rep_info;
typedef [public,gensize] struct {

4
source3/lib/dprintf.c
View File

@ -66,6 +66,10 @@ again:
}
clen = convert_string(CH_UNIX, CH_DISPLAY, p, ret, p2, maxlen, True);
if (clen == -1) {
ret = -1;
goto out;
}
if (clen >= maxlen) {
/* it didn't fit - try a larger buffer */

2
source3/rpc_client/cli_lsarpc.c
View File

@ -152,6 +152,8 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli,
struct lsa_TransNameArray2 lsa_names2;
uint32_t n;
ZERO_STRUCT(lsa_names2);
result = rpccli_lsa_LookupSids3(cli, mem_ctx,
&sid_array,
&ref_domains,

4
source3/smbd/trans2.c
View File

@ -156,7 +156,9 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
ssize_t sizeret = -1;
if (!lp_ea_support(SNUM(conn))) {
*pnames = NULL;
if (pnames) {
*pnames = NULL;
}
*pnum_names = 0;
return NT_STATUS_OK;
}

62
source3/utils/status.c
View File

@ -2,17 +2,17 @@
Unix SMB/CIFS implementation.
status reporting
Copyright (C) Andrew Tridgell 1994-1998
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
@ -61,25 +61,25 @@ static unsigned int Ucrit_checkUid(uid_t uid)
{
if ( !Ucrit_IsActive )
return 1;
if ( uid == Ucrit_uid )
return 1;
return 0;
}
static unsigned int Ucrit_checkPid(struct server_id pid)
{
int i;
if ( !Ucrit_IsActive )
return 1;
for (i=0;i<Ucrit_MaxPid;i++) {
if (cluster_id_equal(&pid, &Ucrit_pid[i]))
return 1;
}
return 0;
}
@ -96,7 +96,7 @@ static bool Ucrit_addPid( struct server_id pid )
}
Ucrit_pid[Ucrit_MaxPid++] = pid;
return True;
}
@ -276,7 +276,7 @@ static int traverse_sessionid(struct db_record *db, void *state)
numeric_only ? uid_str : uidtoname(sessionid.uid),
numeric_only ? gid_str : gidtoname(sessionid.gid),
sessionid.remote_machine, sessionid.hostname);
return 0;
}
@ -312,9 +312,9 @@ static int traverse_sessionid(struct db_record *db, void *state)
load_case_tables();
setup_logging(argv[0],True);
dbf = x_stderr;
if (getuid() != geteuid()) {
d_printf("smbstatus should not be run setuid\n");
ret = 1;
@ -323,7 +323,7 @@ static int traverse_sessionid(struct db_record *db, void *state)
pc = poptGetContext(NULL, argc, (const char **) argv, long_options,
POPT_CONTEXT_KEEP_FIRST);
while ((c = poptGetNextOpt(pc)) != -1) {
switch (c) {
case 'p':
@ -377,18 +377,20 @@ static int traverse_sessionid(struct db_record *db, void *state)
goto done;
}
/*
* This implicitly initializes the global ctdbd connection, usable by
* the db_open() calls further down.
*/
msg_ctx = messaging_init(NULL, procid_self(),
event_context_init(NULL));
if (msg_ctx == NULL) {
fprintf(stderr, "messaging_init failed\n");
ret = -1;
goto done;
if (lp_clustering()) {
/*
* This implicitly initializes the global ctdbd
* connection, usable by the db_open() calls further
* down.
*/
msg_ctx = messaging_init(NULL, procid_self(),
event_context_init(NULL));
if (msg_ctx == NULL) {
fprintf(stderr, "messaging_init failed\n");
ret = -1;
goto done;
}
}
if (!lp_load(get_dyn_CONFIGFILE(),False,False,False,True)) {
@ -432,7 +434,7 @@ static int traverse_sessionid(struct db_record *db, void *state)
goto done;
}
}
if ( show_shares ) {
if (verbose) {
d_printf("Opened %s\n", lock_path("connections.tdb"));
@ -441,10 +443,10 @@ static int traverse_sessionid(struct db_record *db, void *state)
if (brief) {
goto done;
}
d_printf("\nService pid machine Connected at\n");
d_printf("-------------------------------------------------------\n");
connections_forall(traverse_fn1, NULL);
d_printf("\n");
@ -475,7 +477,7 @@ static int traverse_sessionid(struct db_record *db, void *state)
ret = 1;
goto done;
}
result = share_mode_forall(print_share_mode, NULL);
if (result == 0) {
@ -483,13 +485,13 @@ static int traverse_sessionid(struct db_record *db, void *state)
} else if (result == -1) {
d_printf("locked file list truncated\n");
}
d_printf("\n");
if (show_brl) {
brl_forall(print_brl, NULL);
}
locking_end();
}

42
source4/dsdb/samdb/ldb_modules/repl_meta_data.c
View File

@ -2123,7 +2123,9 @@ linked_attributes[0]:
talloc_free(tmp_ctx);
return ret;
}
ret_el->values = talloc_array(msg, struct ldb_val, 1);
/* we allocate two entries here, in case we need a remove/add
pair */
ret_el->values = talloc_array(msg, struct ldb_val, 2);
if (!ret_el->values) {
ldb_oom(ldb);
talloc_free(tmp_ctx);
@ -2168,10 +2170,48 @@ linked_attributes[0]:
ret = ldb_wait(mod_req->handle, LDB_WAIT_ALL);
}
if (ret == LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS) {
/* the link destination exists, we need to update it
* by deleting the old one for the same DN then adding
* the new one */
msg->elements = talloc_realloc(msg, msg->elements,
struct ldb_message_element,
msg->num_elements+1);
if (msg->elements == NULL) {
ldb_oom(ldb);
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
/* this relies on the backend matching the old entry
only by the DN portion of the extended DN */
msg->elements[1] = msg->elements[0];
msg->elements[0].flags = LDB_FLAG_MOD_DELETE;
msg->num_elements++;
ret = ldb_build_mod_req(&mod_req, ldb, tmp_ctx,
msg,
NULL,
NULL,
ldb_op_default_callback,
NULL);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* Run the new request */
ret = ldb_next_request(module, mod_req);
if (ret == LDB_SUCCESS) {
ret = ldb_wait(mod_req->handle, LDB_WAIT_ALL);
}
}
if (ret != LDB_SUCCESS) {
ldb_debug(ldb, LDB_DEBUG_WARNING, "Failed to apply linked attribute change '%s' %s\n",
ldb_errstring(ldb),
ldb_ldif_message_string(ldb, tmp_ctx, LDB_CHANGETYPE_MODIFY, msg));
ret = LDB_SUCCESS;
}
talloc_free(tmp_ctx);

1
source4/heimdal/lib/gssapi/krb5/creds.c
View File

@ -249,5 +249,6 @@ _gsskrb5_import_cred(OM_uint32 * minor_status,
handle->ccache = id;
handle->cred_flags = flags;
*cred_handle = (gss_cred_id_t)handle;
return GSS_S_COMPLETE;
}

17
source4/libcli/security/tests/bindings.py
View File

@ -57,6 +57,16 @@ class SecurityDescriptorTests(unittest.TestCase):
self.assertEquals(desc.sacl, None)
self.assertEquals(desc.type, 0x8004)
def test_from_sddl_invalidsddl(self):
self.assertRaises(TypeError,security.descriptor.from_sddl, "foo",security.dom_sid("S-2-0-0"))
def test_from_sddl_invalidtype1(self):
self.assertRaises(TypeError,security.descriptor.from_sddl, security.dom_sid('S-2-0-0-512'),security.dom_sid("S-2-0-0"))
def test_from_sddl_invalidtype1(self):
sddl = "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
self.assertRaises(TypeError,security.descriptor.from_sddl, sddl,"S-2-0-0")
def test_as_sddl(self):
text = "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
dom = security.dom_sid("S-2-0-0")
@ -67,6 +77,13 @@ class SecurityDescriptorTests(unittest.TestCase):
self.assertEquals(desc1.sacl, desc2.sacl)
self.assertEquals(desc1.type, desc2.type)
def test_as_sddl_invalid(self):
text = "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
dom = security.dom_sid("S-2-0-0")
desc1 = security.descriptor.from_sddl(text, dom)
self.assertRaises(TypeError, desc1.as_sddl,text)
def test_as_sddl_no_domainsid(self):
dom = security.dom_sid("S-2-0-0")
text = "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"

4
source4/librpc/ndr/py_security.c
View File

@ -173,7 +173,7 @@ static PyObject *py_descriptor_from_sddl(PyObject *self, PyObject *args)
PyObject *py_sid;
struct dom_sid *sid;
if (!PyArg_ParseTuple(args, "sO", &sddl, &py_sid))
if (!PyArg_ParseTuple(args, "sO!", &sddl, &dom_sid_Type, &py_sid))
return NULL;
sid = py_talloc_get_ptr(py_sid);
@ -195,7 +195,7 @@ static PyObject *py_descriptor_as_sddl(PyObject *self, PyObject *args)
char *text;
PyObject *ret;
if (!PyArg_ParseTuple(args, "|O", &py_sid))
if (!PyArg_ParseTuple(args, "|O!", &dom_sid_Type, &py_sid))
return NULL;
if (py_sid != Py_None)

4
source4/ntvfs/config.mk
View File

@ -71,7 +71,9 @@ ntvfs_print_OBJ_FILES = $(ntvfssrcdir)/print/vfs_print.o
[MODULE::ntvfs_ipc]
SUBSYSTEM = ntvfs
INIT_FUNCTION = ntvfs_ipc_init
PRIVATE_DEPENDENCIES = dcerpc_server DCERPC_COMMON
PRIVATE_DEPENDENCIES = \
NDR_NAMED_PIPE_AUTH NAMED_PIPE_AUTH_TSTREAM \
HEIMDAL_GSSAPI CREDENTIALS
# End MODULE ntvfs_ipc
################################################

908
source4/ntvfs/ipc/vfs_ipc.c
View File

File diff suppressed because it is too large Load Diff

3
source4/rpc_server/config.mk
View File

@ -230,3 +230,6 @@ SUBSYSTEM = service
PRIVATE_DEPENDENCIES = dcerpc_server
DCESRV_OBJ_FILES = $(rpc_serversrcdir)/service_rpc.o
$(eval $(call proto_header_template,$(rpc_serversrcdir)/service_rpc.h,$(DCESRV_OBJ_FILES:.o=.c)))

184
source4/rpc_server/dcerpc_server.c
View File

@ -339,44 +339,6 @@ _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
return NT_STATUS_OK;
}
/*
search and connect to a dcerpc endpoint
*/
_PUBLIC_ NTSTATUS dcesrv_endpoint_search_connect(struct dcesrv_context *dce_ctx,
TALLOC_CTX *mem_ctx,
const struct dcerpc_binding *ep_description,
struct auth_session_info *session_info,
struct tevent_context *event_ctx,
struct messaging_context *msg_ctx,
struct server_id server_id,
uint32_t state_flags,
struct dcesrv_connection **dce_conn_p)
{
NTSTATUS status;
const struct dcesrv_endpoint *ep;
/* make sure this endpoint exists */
ep = find_endpoint(dce_ctx, ep_description);
if (!ep) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
status = dcesrv_endpoint_connect(dce_ctx, mem_ctx, ep, session_info,
event_ctx, msg_ctx, server_id,
state_flags, dce_conn_p);
NT_STATUS_NOT_OK_RETURN(status);
(*dce_conn_p)->auth_state.session_key = dcesrv_inherited_session_key;
/* TODO: check security descriptor of the endpoint here
* if it's a smb named pipe
* if it's failed free dce_conn_p
*/
return NT_STATUS_OK;
}
static void dcesrv_init_hdr(struct ncacn_packet *pkt, bool bigendian)
{
pkt->rpc_vers = 5;
@ -1255,133 +1217,6 @@ NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
return status;
}
/*
provide some input to a dcerpc endpoint server. This passes data
from a dcerpc client into the server
*/
_PUBLIC_ NTSTATUS dcesrv_input(struct dcesrv_connection *dce_conn, const DATA_BLOB *data)
{
dce_conn->partial_input.data = talloc_realloc(dce_conn,
dce_conn->partial_input.data,
uint8_t,
dce_conn->partial_input.length + data->length);
if (!dce_conn->partial_input.data) {
return NT_STATUS_NO_MEMORY;
}
memcpy(dce_conn->partial_input.data + dce_conn->partial_input.length,
data->data, data->length);
dce_conn->partial_input.length += data->length;
while (dce_full_packet(&dce_conn->partial_input)) {
NTSTATUS status;
struct ndr_pull *ndr;
enum ndr_err_code ndr_err;
DATA_BLOB blob;
struct ncacn_packet *pkt;
blob = dce_conn->partial_input;
blob.length = dcerpc_get_frag_length(&blob);
blob = data_blob_talloc(dce_conn, blob.data, blob.length);
if (!blob.data) {
data_blob_free(&dce_conn->partial_input);
return NT_STATUS_NO_MEMORY;
}
dce_partial_advance(dce_conn, blob.length);
pkt = talloc(dce_conn, struct ncacn_packet);
if (!pkt) {
data_blob_free(&blob);
return NT_STATUS_NO_MEMORY;
}
ndr = ndr_pull_init_blob(&blob, pkt, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx));
if (!ndr) {
data_blob_free(&blob);
talloc_free(pkt);
return NT_STATUS_NO_MEMORY;
}
if (!(CVAL(blob.data, DCERPC_DREP_OFFSET) & DCERPC_DREP_LE)) {
ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
}
if (CVAL(blob.data, DCERPC_PFC_OFFSET) & DCERPC_PFC_FLAG_OBJECT_UUID) {
ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
}
ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
TALLOC_FREE(ndr);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
data_blob_free(&blob);
talloc_free(pkt);
return ndr_map_error2ntstatus(ndr_err);
}
status = dcesrv_process_ncacn_packet(dce_conn, pkt, blob);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
return NT_STATUS_OK;
}
/*
retrieve some output from a dcerpc server
The caller supplies a function that will be called to do the
actual output.
The first argument to write_fn() will be 'private', the second will
be a pointer to a buffer containing the data to be sent and the 3rd
will be a pointer to a size_t variable that will be set to the
number of bytes that are consumed from the output.
from the current fragment
*/
_PUBLIC_ NTSTATUS dcesrv_output(struct dcesrv_connection *dce_conn,
void *private_data,
NTSTATUS (*write_fn)(void *private_data, DATA_BLOB *output, size_t *nwritten))
{
NTSTATUS status;
struct dcesrv_call_state *call;
struct data_blob_list_item *rep;
size_t nwritten;
call = dce_conn->call_list;
if (!call || !call->replies) {
if (dce_conn->pending_call_list) {
/* TODO: we need to say act async here
* as we know we have pending requests
* which will be finished at a time
*/
return NT_STATUS_FOOBAR;
}
return NT_STATUS_FOOBAR;
}
rep = call->replies;
status = write_fn(private_data, &rep->blob, &nwritten);
NT_STATUS_IS_ERR_RETURN(status);
rep->blob.length -= nwritten;
rep->blob.data += nwritten;
if (rep->blob.length == 0) {
/* we're done with this section of the call */
DLIST_REMOVE(call->replies, rep);
}
if (call->replies == NULL) {
/* we're done with the whole call */
dcesrv_call_set_list(call, DCESRV_LIST_NONE);
talloc_free(call);
}
return status;
}
_PUBLIC_ NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const char **endpoint_servers, struct dcesrv_context **_dce_ctx)
@ -1534,22 +1369,3 @@ const struct dcesrv_critical_sizes *dcerpc_module_version(void)
return &critical_sizes;
}
/*
initialise the dcerpc server context for ncacn_np based services
*/
_PUBLIC_ NTSTATUS dcesrv_init_ipc_context(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
struct dcesrv_context **_dce_ctx)
{
NTSTATUS status;
struct dcesrv_context *dce_ctx;
dcerpc_server_init(lp_ctx);
status = dcesrv_init_context(mem_ctx, lp_ctx, lp_dcerpc_endpoint_servers(lp_ctx), &dce_ctx);
NT_STATUS_NOT_OK_RETURN(status);
*_dce_ctx = dce_ctx;
return NT_STATUS_OK;
}

15
source4/rpc_server/dcerpc_server.h
View File

@ -298,21 +298,6 @@ NTSTATUS dcerpc_register_ep_server(const void *_ep_server);
NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const char **endpoint_servers, struct dcesrv_context **_dce_ctx);
NTSTATUS dcesrv_init_ipc_context(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
struct dcesrv_context **_dce_ctx);
NTSTATUS dcesrv_endpoint_search_connect(struct dcesrv_context *dce_ctx,
TALLOC_CTX *mem_ctx,
const struct dcerpc_binding *ep_description,
struct auth_session_info *session_info,
struct tevent_context *event_ctx,
struct messaging_context *msg_ctx,
struct server_id server_id,
uint32_t state_flags,
struct dcesrv_connection **dce_conn_p);
NTSTATUS dcesrv_output(struct dcesrv_connection *dce_conn,
void *private_data,
NTSTATUS (*write_fn)(void *private_data, DATA_BLOB *output, size_t *nwritten));
NTSTATUS dcesrv_input(struct dcesrv_connection *dce_conn, const DATA_BLOB *data);
NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
TALLOC_CTX *mem_ctx,
const struct dcesrv_endpoint *ep,

11
source4/rpc_server/service_rpc.c
View File

@ -28,6 +28,7 @@
#include "../lib/util/dlinklist.h"
#include "rpc_server/dcerpc_server.h"
#include "rpc_server/dcerpc_server_proto.h"
#include "rpc_server/service_rpc.h"
#include "lib/events/events.h"
#include "smbd/service_task.h"
#include "smbd/service_stream.h"
@ -658,11 +659,11 @@ static NTSTATUS dcesrv_add_ep_tcp(struct dcesrv_context *dce_ctx,
return NT_STATUS_OK;
}
static NTSTATUS dcesrv_add_ep(struct dcesrv_context *dce_ctx,
struct loadparm_context *lp_ctx,
struct dcesrv_endpoint *e,
struct tevent_context *event_ctx, const struct model_ops *model_ops)
NTSTATUS dcesrv_add_ep(struct dcesrv_context *dce_ctx,
struct loadparm_context *lp_ctx,
struct dcesrv_endpoint *e,
struct tevent_context *event_ctx,
const struct model_ops *model_ops)
{
switch (e->ep_description->transport) {
case NCACN_UNIX_STREAM:

2
source4/scripting/bin/fullschema
View File

@ -1,6 +1,6 @@
#!/usr/bin/python
#
# work out the minimal schema for a set of objectclasses
# Works out the full schema
#
import base64

2
source4/scripting/bin/minschema
View File

@ -1,6 +1,6 @@
#!/usr/bin/python
#
# work out the minimal schema for a set of objectclasses
# Works out the minimal schema for a set of objectclasses
#
import base64

60
source4/scripting/bin/reorgldb.py Executable file
View File

@ -0,0 +1,60 @@
#!/usr/bin/python
#
# Copyright (C) Matthieu Patou <mat@matws.net> 2009
# This script realize an offline reorganisation of an LDB
# file it helps to reduce (sometime drastically) the
# size of LDB files.
import sys
import optparse
import os
sys.path.insert(0, "bin/python")
import samba
from samba.credentials import DONT_USE_KERBEROS
from samba.auth import system_session
from samba import Ldb, substitute_var, valid_netbios_name, check_all_substituted
from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
import ldb
import samba.getopt as options
from samba.samdb import SamDB
from samba import param
from samba.provision import ProvisionPaths, ProvisionNames,provision_paths_from_lp, Schema
parser = optparse.OptionParser("provision [options]")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
parser.add_option("--database", type="string", metavar="FILE",
help="LDB to reorganize")
opts = parser.parse_args()[0]
lp = sambaopts.get_loadparm()
smbconf = lp.configfile
if not opts.database:
print "Parameter database is mandatory"
sys.exit(1)
creds = credopts.get_credentials(lp)
creds.set_kerberos_state(DONT_USE_KERBEROS)
session = system_session()
empty = ldb.Message()
newname="%s.new"%(opts.database)
if os.path.exists(newname):
os.remove(newname)
old_ldb = Ldb(opts.database, session_info=session, credentials=creds,lp=lp)
new_ldb = Ldb(newname,session_info=session, credentials=creds,lp=lp)
new_ldb.transaction_start()
res = old_ldb.search(expression="(dn=*)",base="", scope=SCOPE_SUBTREE)
for i in range(0,len(res)):
if str(res[i].dn) == "@BASEINFO":
continue
if str(res[i].dn).startswith("@INDEX:"):
continue
delta = new_ldb.msg_diff(empty,res[i])
delta.dn = res[i].dn
delta.remove("distinguishedName")
new_ldb.add(delta)
new_ldb.transaction_commit()

2
source4/scripting/python/samba/idmap.py
View File

@ -34,7 +34,7 @@ class IDmapDB(samba.Ldb):
def __init__(self, url=None, lp=None, modules_dir=None, session_info=None,
credentials=None, flags=0, options=None):
"""Opens the IDmap Database.
"""Opens the IDMap Database
For parameter meanings see the super class (samba.Ldb)
"""

13
source4/scripting/python/samba/provision.py
View File

@ -44,7 +44,7 @@ from credentials import Credentials, DONT_USE_KERBEROS
from auth import system_session, admin_session
from samba import version, Ldb, substitute_var, valid_netbios_name
from samba import check_all_substituted
from samba import DS_DOMAIN_FUNCTION_2008_R2, DS_DC_FUNCTION_2008_R2
from samba import DS_DOMAIN_FUNCTION_2000, DS_DC_FUNCTION_2008_R2
from samba.samdb import SamDB
from samba.idmap import IDmapDB
from samba.dcerpc import security
@ -835,8 +835,8 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
:note: This will wipe the main SAM database file!
"""
domainFunctionality = DS_DOMAIN_FUNCTION_2008_R2
forestFunctionality = DS_DOMAIN_FUNCTION_2008_R2
domainFunctionality = DS_DOMAIN_FUNCTION_2000
forestFunctionality = DS_DOMAIN_FUNCTION_2000
domainControllerFunctionality = DS_DC_FUNCTION_2008_R2
# Also wipes the database
@ -978,6 +978,7 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
"DOMAINDN": names.domaindn})
message("Setting up sam.ldb data")
setup_add_ldif(samdb, setup_path("provision.ldif"), {
"CREATTIME": str(int(time.time()) * 1e7), # seconds -> ticks
"DOMAINDN": names.domaindn,
"NETBIOSNAME": names.netbiosname,
"DEFAULTSITE": names.sitename,
@ -1005,10 +1006,10 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
policyguid_dc=policyguid_dc,
setup_path=setup_path,
domainControllerFunctionality=domainControllerFunctionality)
# add the NTDSGUID based SPNs
ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,%s" % (names.hostname, names.domaindn)
names.ntdsguid = samdb.searchone(basedn=ntds_dn, attribute="objectGUID",
expression="", scope=SCOPE_BASE)
names.ntdsguid = samdb.searchone(basedn=ntds_dn,
attribute="objectGUID", expression="", scope=SCOPE_BASE)
assert isinstance(names.ntdsguid, str)
except:

90
source4/scripting/python/samba/samdb.py
View File

@ -37,7 +37,7 @@ class SamDB(samba.Ldb):
def __init__(self, url=None, lp=None, modules_dir=None, session_info=None,
credentials=None, flags=0, options=None):
"""Opens the Sam Database.
"""Opens the SAM Database
For parameter meanings see the super class (samba.Ldb)
"""
@ -55,13 +55,25 @@ class SamDB(samba.Ldb):
super(SamDB, self).connect(url=self.lp.private_path(url), flags=flags,
options=options)
def enable_account(self, user_dn):
"""Enable an account.
def domain_dn(self):
# find the DNs for the domain
res = self.search(base="",
scope=ldb.SCOPE_BASE,
expression="(defaultNamingContext=*)",
attrs=["defaultNamingContext"])
assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None)
return res[0]["defaultNamingContext"][0]
def enable_account(self, filter):
"""Enables an account
:param user_dn: Dn of the account to enable.
:param filter: LDAP filter to find the user (eg samccountname=name)
"""
res = self.search(user_dn, ldb.SCOPE_BASE, None, ["userAccountControl"])
assert len(res) == 1
res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
expression=filter, attrs=["userAccountControl"])
assert(len(res) == 1)
user_dn = res[0].dn
userAccountControl = int(res[0]["userAccountControl"][0])
if (userAccountControl & 0x2):
userAccountControl = userAccountControl & ~0x2 # remove disabled bit
@ -76,11 +88,16 @@ userAccountControl: %u
""" % (user_dn, userAccountControl)
self.modify_ldif(mod)
def force_password_change_at_next_login(self, user_dn):
"""Force a password change at next login
def force_password_change_at_next_login(self, filter):
"""Forces a password change at next login
:param user_dn: Dn of the account to force password change on
:param filter: LDAP filter to find the user (eg samccountname=name)
"""
res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
expression=filter, attrs=[])
assert(len(res) == 1)
user_dn = res[0].dn
mod = """
dn: %s
changetype: modify
@ -89,17 +106,12 @@ pwdLastSet: 0
""" % (user_dn)
self.modify_ldif(mod)
def domain_dn(self):
# find the DNs for the domain
res = self.search(base="",
scope=ldb.SCOPE_BASE,
expression="(defaultNamingContext=*)",
attrs=["defaultNamingContext"])
assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None)
return res[0]["defaultNamingContext"][0]
def newuser(self, username, unixname, password, force_password_change_at_next_login=False):
"""add a new user record.
"""Adds a new user
Note: This call uses the "userPassword" attribute to set the password.
This works correctly on SAMBA 4 DCs and on Windows DCs with
"2003 Native" or higer domain function level.
:param username: Name of the new user.
:param unixname: Name of the unix user to map to.
@ -110,11 +122,8 @@ pwdLastSet: 0
try:
user_dn = "CN=%s,CN=Users,%s" % (username, self.domain_dn())
#
# the new user record. note the reliance on the samdb module to
# fill in a sid, guid etc
#
# now the real work
# The new user record. Note the reliance on the SAMLDB module which
# fills in the default informations
self.add({"dn": user_dn,
"sAMAccountName": username,
"userPassword": password,
@ -130,30 +139,34 @@ pwdLastSet: 0
idmap = IDmapDB(lp=self.lp)
user = pwd.getpwnam(unixname)
# setup ID mapping for this UID
idmap.setup_name_mapping(user_sid, idmap.TYPE_UID, user[2])
except KeyError:
pass
if force_password_change_at_next_login:
self.force_password_change_at_next_login(user_dn)
self.force_password_change_at_next_login("(dn=" + user_dn + ")")
# modify the userAccountControl to remove the disabled bit
self.enable_account(user_dn)
self.enable_account("(dn=" + user_dn + ")")
except:
self.transaction_cancel()
raise
self.transaction_commit()
def setpassword(self, filter, password, force_password_change_at_next_login=False):
"""Set a password on a user record
"""Sets the password for a user
Note: This call uses the "userPassword" attribute to set the password.
This works correctly on SAMBA 4 DCs and on Windows DCs with
"2003 Native" or higer domain function level.
:param filter: LDAP filter to find the user (eg samccountname=name)
:param password: Password for the user
:param force_password_change_at_next_login: Force password change
"""
# connect to the sam
self.transaction_start()
try:
res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
@ -174,24 +187,27 @@ userPassword:: %s
self.force_password_change_at_next_login(user_dn)
# modify the userAccountControl to remove the disabled bit
self.enable_account(user_dn)
self.enable_account(filter)
except:
self.transaction_cancel()
raise
self.transaction_commit()
def setexpiry(self, user, expiry_seconds, noexpiry):
"""Set the account expiry for a user
def setexpiry(self, filter, expiry_seconds, noexpiry=False):
"""Sets the account expiry for a user
:param filter: LDAP filter to find the user (eg samccountname=name)
:param expiry_seconds: expiry time from now in seconds
:param noexpiry: if set, then don't expire password
"""
self.transaction_start()
try:
res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
expression=("(samAccountName=%s)" % user),
expression=filter,
attrs=["userAccountControl", "accountExpires"])
assert len(res) == 1
user_dn = res[0].dn
userAccountControl = int(res[0]["userAccountControl"][0])
accountExpires = int(res[0]["accountExpires"][0])
if noexpiry:
@ -201,16 +217,16 @@ userPassword:: %s
userAccountControl = userAccountControl & ~0x10000
accountExpires = glue.unix2nttime(expiry_seconds + int(time.time()))
mod = """
setexp = """
dn: %s
changetype: modify
replace: userAccountControl
userAccountControl: %u
replace: accountExpires
accountExpires: %u
""" % (res[0].dn, userAccountControl, accountExpires)
# now change the database
self.modify_ldif(mod)
""" % (user_dn, userAccountControl, accountExpires)
self.modify_ldif(setexp)
except:
self.transaction_cancel()
raise

187
source4/setup/domainlevel Executable file
View File

@ -0,0 +1,187 @@
#!/usr/bin/python
#
# Raises domain and forest function levels
#
# Copyright Matthias Dieter Wallnoefer 2009
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
# Find right directory when running from source tree
sys.path.insert(0, "bin/python")
import samba.getopt as options
import optparse
import ldb
from samba.auth import system_session
from samba.samdb import SamDB
from samba import DS_DOMAIN_FUNCTION_2000, DS_DOMAIN_FUNCTION_2003
from samba import DS_DOMAIN_FUNCTION_2008, DS_DOMAIN_FUNCTION_2008_R2
parser = optparse.OptionParser("domainlevel (show | raise <options>)")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
parser.add_option("--quiet", help="Be quiet", action="store_true")
parser.add_option("--forest",
help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str)
parser.add_option("--domain",
help="The domain function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str)
opts, args = parser.parse_args()
#
# print a message if quiet is not set
#
def message(text):
if not opts.quiet:
print text
if len(args) == 0:
parser.print_usage()
sys.exit(1)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
credentials=creds, lp=lp)
domain_dn = SamDB.domain_dn(samdb)
res_forest = samdb.search("CN=Partitions,CN=Configuration," + domain_dn,
scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"])
assert(len(res_forest) == 1)
res_domain = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
attrs=["msDS-Behavior-Version"])
assert(len(res_domain) == 1)
try:
level_forest = int(res_forest[0]["msDS-Behavior-Version"][0])
level_domain = int(res_domain[0]["msDS-Behavior-Version"][0])
if level_forest < 0 or level_forest == 1 or level_forest > 4 or level_domain < 0 or level_domain == 1 or level_domain > 4:
print "ERROR: Domain and/or forest functional level(s) is/are invalid. Correct them or reprovision!"
sys.exit(1)
if level_forest > level_domain:
print "ERROR: Forest function level is higher than the domain level(s). That can't be. Correct this or reprovision!"
sys.exit(1)
except:
print "ERROR: Could not retrieve the actual domain and forest level!"
if args[0] == "show":
print "So the levels can't be displayed!"
sys.exit(1)
if args[0] == "show":
message("Domain and forest function level for domain '" + domain_dn + "'")
message("")
if level_forest == DS_DOMAIN_FUNCTION_2000:
outstr = "2000"
elif level_forest == DS_DOMAIN_FUNCTION_2003:
outstr = "2003"
elif level_forest == DS_DOMAIN_FUNCTION_2008:
outstr = "2008"
elif level_forest == DS_DOMAIN_FUNCTION_2008_R2:
outstr = "2008 R2"
message("Forest function level: (Windows) " + outstr)
if level_domain == DS_DOMAIN_FUNCTION_2000:
outstr = "2000"
elif level_domain == DS_DOMAIN_FUNCTION_2003:
outstr = "2003"
elif level_domain == DS_DOMAIN_FUNCTION_2008:
outstr = "2008"
elif level_domain == DS_DOMAIN_FUNCTION_2008_R2:
outstr = "2008 R2"
message("Domain function level: (Windows) " + outstr)
elif args[0] == "raise":
msgs = []
if opts.domain is not None:
arg = opts.domain
if arg == "2000":
new_level_domain = DS_DOMAIN_FUNCTION_2000
elif arg == "2003":
new_level_domain = DS_DOMAIN_FUNCTION_2003
elif arg == "2008":
new_level_domain = DS_DOMAIN_FUNCTION_2008
elif arg == "2008_R2":
new_level_domain = DS_DOMAIN_FUNCTION_2008_R2
else:
print "ERROR: Wrong argument '" + arg + "'!"
sys.exit(1)
if new_level_domain <= level_domain:
print "ERROR: Domain function level can't be smaller equal to the actual one!"
sys.exit(1)
m = ldb.Message()
m.dn = ldb.Dn(samdb, domain_dn)
m["msDS-Behavior-Version"]= ldb.MessageElement(
str(new_level_domain), ldb.FLAG_MOD_REPLACE,
"msDS-Behavior-Version")
samdb.modify(m)
level_domain = new_level_domain
msgs.append("Domain function level changed!")
if opts.forest is not None:
arg = opts.forest
if arg == "2000":
new_level_forest = DS_DOMAIN_FUNCTION_2000
elif arg == "2003":
new_level_forest = DS_DOMAIN_FUNCTION_2003
elif arg == "2008":
new_level_forest = DS_DOMAIN_FUNCTION_2008
elif arg == "2008_R2":
new_level_forest = DS_DOMAIN_FUNCTION_2008_R2
else:
print "ERROR: Wrong argument '" + arg + "'!"
sys.exit(1)
if new_level_forest <= level_forest:
print "ERROR: Forest function level can't be smaller equal to the actual one!"
sys.exit(1)
if new_level_forest > level_domain:
print "ERROR: Forest function level can't be higher than the domain function level(s). Please raise it/them first!"
sys.exit(1)
m = ldb.Message()
m.dn = ldb.Dn(samdb, "CN=Partitions,CN=Configuration,"
+ domain_dn)
m["msDS-Behavior-Version"]= ldb.MessageElement(
str(new_level_forest), ldb.FLAG_MOD_REPLACE,
"msDS-Behavior-Version")
samdb.modify(m)
msgs.append("Forest function level changed!")
msgs.append("All changes applied successfully!")
message("\n".join(msgs))
else:
print "ERROR: Wrong argument '" + args[0] + "'!"
sys.exit(1)

72
source4/setup/enableaccount
View File

@ -1,18 +1,31 @@
#!/usr/bin/python
#
# Enables a disabled user account on a Samba4 server
# Copyright Andrew Tridgell 2005
# Copyright Jelmer Vernooij 2008
# Released under the GNU GPL version 3 or later
# Enables an user account on a Samba4 server
# Copyright Jelmer Vernooij 2008
#
# Based on the original in EJS:
# Copyright Andrew Tridgell 2005
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import os, sys
sys.path.insert(0, os.path.join(os.path.dirname(sys.argv[0]), "../bin/python"))
import sys
sys.path.insert(0, "bin/python")
import samba.getopt as options
import optparse
import pwd
import ldb
from samba.auth import system_session
from samba.samdb import SamDB
@ -23,49 +36,24 @@ parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
parser.add_option("-H", help="LDB URL for database or target server", type=str)
parser.add_option("--base", help="Base DN to search for user under", type=str)
parser.add_option("--filter", help="LDAP Filter to set password on", type=str)
opts, args = parser.parse_args()
#
# print a message if quiet is not set
#
def message(text):
if not opts.quiet:
print text
filter = opts.filter
if len(args) == 0:
if (len(args) == 0) and (filter is None):
print "Either the username or '--filter' must be specified!"
parser.print_usage()
sys.exit(1)
username = args[0]
if username is None:
print "username must be specified"
if filter is None:
username = args[0]
filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
if opts.H is not None:
url = opts.H
else:
url = lp.get("sam database")
samdb = SamDB(url=url, session_info=system_session(),
samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
credentials=creds, lp=lp)
domain_dn = opts.base
if domain_dn is None:
domain_dn = SamDB.domain_dn(samdb)
filter = "(&(objectClass=user)(samAccountName=%s))" % username
res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
expression=filter,
attrs=[])
assert(len(res) == 1)
user_dn = res[0].dn
samdb.enable_account(user_dn)
samdb.enable_account(filter)

10
source4/setup/newuser
View File

@ -1,6 +1,6 @@
#!/usr/bin/python
#
# Add a new user to a Samba4 server
# Adds a new user to a Samba4 server
# Copyright Jelmer Vernooij 2008
#
# Based on the original in EJS:
@ -18,6 +18,7 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys
# Find right directory when running from source tree
@ -25,8 +26,10 @@ sys.path.insert(0, "bin/python")
import samba.getopt as options
import optparse
from getpass import getpass
from samba.auth import system_session
from samba.samdb import SamDB
parser = optparse.OptionParser("newuser [options] <username> [<password>]")
sambaopts = options.SambaOptions(parser)
@ -34,7 +37,6 @@ parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
parser.add_option("--quiet", help="Be quiet", action="store_true")
parser.add_option("--unixname", help="Unix Username", type=str)
parser.add_option("--must-change-at-next-login", help="Force password to be changed on next login", action="store_true")
@ -56,6 +58,6 @@ if opts.unixname is None:
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = sambaopts.get_hostconfig().get_samdb(session_info=system_session(),
credentials=creds)
samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
credentials=creds, lp=lp)
samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login=opts.must_change_at_next_login)

15
source4/setup/provision.ldif
View File

@ -5,24 +5,25 @@
dn: CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: builtinDomain
creationTime: ${CREATTIME}
forceLogoff: -9223372036854775808
isCriticalSystemObject: TRUE
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -37108517437440
minPwdAge: 0
minPwdLength: 0
modifiedCount: 1
modifiedCountAtLastProm: 0
nextRid: 1000
pwdProperties: 0
pwdHistoryLength: 0
objectSid: S-1-5-32
pwdHistoryLength: 0
pwdProperties: 0
serverState: 1
uASCompat: 1
modifiedCount: 1
systemFlags: -1946157056
isCriticalSystemObject: TRUE
showInAdvancedViewOnly: FALSE
systemFlags: -1946157056
uASCompat: 1
dn: CN=Deleted Objects,${DOMAINDN}
objectClass: top
@ -366,6 +367,8 @@ objectClass: nTFRSSettings
systemFlags: -1946157056
isCriticalSystemObject: TRUE
# Here are missing the FRS objects since we don't support this technique yet
dn: CN=FileLinks,CN=System,${DOMAINDN}
objectClass: top
objectClass: fileLinkTracking

263
source4/setup/provision_configuration.ldif
View File

@ -15,6 +15,8 @@ isDeleted: TRUE
isCriticalSystemObject: TRUE
systemFlags: -1946157056
# Extended rights
dn: CN=Extended-Rights,${CONFIGDN}
objectClass: top
objectClass: container
@ -637,6 +639,8 @@ appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
localizationDisplayId: 28
validAccesses: 256
# Forest updates
dn: CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
@ -645,6 +649,154 @@ dn: CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=6b800a81-affe-4a15-8e41-6ea0c7aa89e4,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=dd07182c-3174-4c95-902a-d64fee285bbf,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=ffa5ee3c-1405-476d-b344-7ad37d69cc25,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=099f1587-af70-49c6-ab6c-7b3e82be0fe2,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=94fdebc6-8eeb-4640-80de-ec52b9ca17fa,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=1a3f6b15-55f2-4752-ba27-3d38a8232c4d,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=dee21a17-4e8e-4f40-a58c-c0c009b685a7,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=9bd98bb4-4047-4de5-bf4c-7bd1d0f6d21d,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=3fe80fbf-bf39-4773-b5bd-3e5767a30d2d,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=f02915e2-9141-4f73-b8e7-2804662782da,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=39902c52-ef24-4b4b-8033-2c9dfdd173a2,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=20bf09b4-6d0b-4cd1-9c09-4231edf1209b,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=94f238bb-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=94f238bc-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=94f238bd-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=94f238be-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=94f238bf-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=94f238c0-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=eda27b47-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=eda27b48-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=eda27b49-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=eda27b4a-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=26d9c510-e61a-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=26d9c511-e61a-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=3467dae5-dedd-4648-9066-f48ac186b20a,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=33b7ee33-1386-47cf-baa1-b03e06473253,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=e9ee8d55-c2fb-4723-a333-c80ff4dfbf45,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=ccfae63a-7fb5-454c-83ab-0e8e1214974e,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=ad3c7909-b154-4c16-8bf7-2c3a7870bb3d,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=26ad2ebf-f8f5-44a4-b97c-a616c8b9d09a,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=4444c516-f43a-4c12-9c4b-b5c064941d61,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=436a1a4b-f41a-46e6-ac86-427720ef29f3,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=b2b7fb45-f50d-41bc-a73b-8f580f3b636a,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=1bdf6366-c3db-4d0b-b8cb-f99ba9bce20f,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=63c0f51a-067c-4640-8a4f-044fb33f1049,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=dae441c0-366e-482e-98d9-60a99a1898cc,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=7dd09ca6-f0d6-43bf-b7f8-ef348f435617,CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=Windows2003Update,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
@ -662,6 +814,8 @@ description: Quota specifications container
msDS-TombstoneQuotaFactor: 100
systemFlags: -2147483648
# Partitions
dn: CN=Partitions,${CONFIGDN}
objectClass: top
objectClass: crossRefContainer
@ -669,27 +823,30 @@ systemFlags: -2147483648
msDS-Behavior-Version: ${FOREST_FUNCTIONALALITY}
showInAdvancedViewOnly: TRUE
# Partitions for DNS are missing since we don't support AD DNS
dn: CN=Enterprise Configuration,CN=Partitions,${CONFIGDN}
objectClass: top
objectClass: crossRef
systemFlags: 1
nCName: ${CONFIGDN}
dnsRoot: ${DNSDOMAIN}
nCName: ${CONFIGDN}
systemFlags: 1
dn: CN=Enterprise Schema,CN=Partitions,${CONFIGDN}
objectClass: top
objectClass: crossRef
systemFlags: 1
nCName: ${SCHEMADN}
dnsRoot: ${DNSDOMAIN}
nCName: ${SCHEMADN}
systemFlags: 1
dn: CN=${DOMAIN},CN=Partitions,${CONFIGDN}
objectClass: top
objectClass: crossRef
systemFlags: 3
dnsRoot: ${DNSDOMAIN}
nCName: ${DOMAINDN}
nETBIOSName: ${DOMAIN}
dnsRoot: ${DNSDOMAIN}
nTMixedDomain: 0
systemFlags: 3
dn: CN=Physical Locations,${CONFIGDN}
objectClass: top
@ -699,11 +856,91 @@ l: Physical Locations tree root
# Schema located in "ad-schema/*.txt"
# Services
dn: CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
systemFlags: -2147483648
dn: CN=MsmqServices,CN=Services,${CONFIGDN}
objectClass: top
objectClass: mSMQEnterpriseSettings
mSMQVersion: 200
dn: CN=NetServices,CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=Public Key Services,CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=Certificate Templates,CN=Public Key Services,CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=Enrollment Services,CN=Public Key Services,CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=Certification Authorities,CN=Public Key Services,CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=AIA,CN=Public Key Services,CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=CDP,CN=Public Key Services,CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=KRA,CN=Public Key Services,CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=OID,CN=Public Key Services,CN=Services,${CONFIGDN}
objectClass: top
objectClass: msPKI-Enterprise-Oid
dn: CN=RRAS,CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
dn: CN=IdentityDictionary,CN=RRAS,CN=Services,${CONFIGDN}
objectClass: top
objectClass: rRASAdministrationDictionary
msRRASVendorAttributeEntry: 311:6:803:RADIUS Accouting
msRRASVendorAttributeEntry: 311:6:802:RADIUS Authentication
msRRASVendorAttributeEntry: 311:6:801:NT Domain Authentication
msRRASVendorAttributeEntry: 311:6:714:Point to point parallel connection
msRRASVendorAttributeEntry: 311:6:713:Point to point serial connection
msRRASVendorAttributeEntry: 311:6:712:Generic LAN
msRRASVendorAttributeEntry: 311:6:711:Generic WAN
msRRASVendorAttributeEntry: 311:6:710:X.25
msRRASVendorAttributeEntry: 311:6:709:IrDA
msRRASVendorAttributeEntry: 311:6:708:Switched 56
msRRASVendorAttributeEntry: 311:6:707:SONET
msRRASVendorAttributeEntry: 311:6:706:Modem
msRRASVendorAttributeEntry: 311:6:705:ISDN
msRRASVendorAttributeEntry: 311:6:704:ATM
msRRASVendorAttributeEntry: 311:6:703:Frame Relay
msRRASVendorAttributeEntry: 311:6:702:Layer 2 Tunneling Protocol
msRRASVendorAttributeEntry: 311:6:701:Point-to-Point Tunneling Protocol
msRRASVendorAttributeEntry: 311:6:604:Network Address and Port Translation
msRRASVendorAttributeEntry: 311:6:603:Demand Dial Router
msRRASVendorAttributeEntry: 311:6:602:Remote Access Server
msRRASVendorAttributeEntry: 311:6:601:LAN-to- LAN Router
msRRASVendorAttributeEntry: 311:6:503:AppleTalk Forwarding Enabled
msRRASVendorAttributeEntry: 311:6:502:IPX Forwarding Enabled
msRRASVendorAttributeEntry: 311:6:501:IP Forwarding Enabled
msRRASVendorAttributeEntry: 311:5:2:IPX SAP
msRRASVendorAttributeEntry: 311::5:1:IPX RIP
msRRASVendorAttributeEntry: 311:1:10:IGMP Only
msRRASVendorAttributeEntry: 311:0:13:OSPF
msRRASVendorAttributeEntry: 311:0:8:RIP (version 1 or 2)
dn: CN=Windows NT,CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
@ -711,7 +948,12 @@ objectClass: container
dn: CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN}
objectClass: top
objectClass: nTDSService
sPNMappings: host=ldap,dns,cifs,http
msDS-Other-Settings: DisableVLVSupport=0
msDS-Other-Settings: DynamicObjectMinTTL=900
msDS-Other-Settings: DynamicObjectDefaultTTL=86400
# "sPNMappings" needs to be enhanced when we add features
sPNMappings: host=dns,netlogon,rpc,cifs,wins,http
tombstoneLifetime: 180
dn: CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN}
objectClass: top
@ -734,6 +976,8 @@ lDAPAdminLimits: MaxConnIdleTime=900
lDAPAdminLimits: InitRecvTimeout=120
lDAPAdminLimits: MaxConnections=5000
# Sites
dn: CN=Sites,${CONFIGDN}
objectClass: top
objectClass: sitesContainer
@ -759,6 +1003,7 @@ objectClass: top
objectClass: interSiteTransport
transportAddressAttribute: dNSHostName
transportDLLName: ismip.dll
systemFlags: -2147483648
dn: CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,${CONFIGDN}
objectClass: top
@ -785,3 +1030,7 @@ objectClass: top
objectClass: serversContainer
systemFlags: 33554432
dn: CN=Subnets,CN=Sites,${CONFIGDN}
objectClass: top
objectClass: subnetContainer
systemFlags: -1073741824

88
source4/setup/provision_self_join.ldif
View File

@ -1,41 +1,43 @@
# Join the DC to itself
# Accounts for selfjoin (joins DC to itself)
# Object under "Domain Controllers"
dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
userAccountControl: 532480
localPolicyFlags: 0
primaryGroupID: 516
accountExpires: 9223372036854775807
sAMAccountName: ${NETBIOSNAME}$
dNSHostName: ${DNSNAME}
# "frsComputerReferenceBL" doesn't exist since we still miss FRS support
isCriticalSystemObject: TRUE
localPolicyFlags: 0
operatingSystem: Samba
operatingSystemVersion: ${SAMBA_VERSION_STRING}
dNSHostName: ${DNSNAME}
userPassword:: ${MACHINEPASS_B64}
servicePrincipalName: HOST/${DNSNAME}
servicePrincipalName: HOST/${NETBIOSNAME}
servicePrincipalName: HOST/${DNSNAME}/${REALM}
servicePrincipalName: HOST/${NETBIOSNAME}/${REALM}
primaryGroupID: 516
# "rIDSetReferences" doesn't exist since we still miss distributed RIDs
sAMAccountName: ${NETBIOSNAME}$
# "servicePrincipalName" for FRS doesn't exit since we still miss FRS support
# "servicePrincipalName"s for DNS ("ldap/../ForestDnsZones",
# "ldap/../DomainDnsZones", "DNS/..") don't exist since we don't support AD DNS
servicePrincipalName: GC/${DNSNAME}/${REALM}
servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
isCriticalSystemObject: TRUE
servicePrincipalName: HOST/${NETBIOSNAME}
servicePrincipalName: HOST/${DNSNAME}
servicePrincipalName: HOST/${DNSNAME}/${REALM}
# "servicePrincipalName"s with GUIDs are located in
# "provision_self_join_modify.ldif"
servicePrincipalName: ldap/${DNSNAME}/${DOMAIN}
servicePrincipalName: ldap/${NETBIOSNAME}
servicePrincipalName: ldap/${DNSNAME}
servicePrincipalName: ldap/${DNSNAME}/${REALM}
userAccountControl: 532480
userPassword:: ${MACHINEPASS_B64}
#Provide a account for DNS keytab export
dn: CN=dns,CN=Users,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
description: DNS Service Account
userAccountControl: 514
accountExpires: 9223372036854775807
sAMAccountName: dns
servicePrincipalName: DNS/${DNSDOMAIN}
userPassword:: ${DNSPASS_B64}
isCriticalSystemObject: TRUE
# Here are missing the objects for the NTFRS subscription and the RID set since
# we don't support those techniques (FRS, distributed RIDs) yet.
# Objects under "Configuration/Sites/<Default sitename>/Servers"
dn: ${SERVERDN}
objectClass: top
@ -48,14 +50,34 @@ dn: CN=NTDS Settings,${SERVERDN}
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
options: 1
systemFlags: 33554432
dMDLocation: ${SCHEMADN}
invocationId: ${INVOCATIONID}
msDS-Behavior-Version: ${DOMAIN_CONTROLLER_FUNCTIONALITY}
msDS-hasMasterNCs: ${CONFIGDN}
msDS-hasMasterNCs: ${SCHEMADN}
msDS-hasMasterNCs: ${DOMAINDN}
hasMasterNCs: ${CONFIGDN}
hasMasterNCs: ${SCHEMADN}
hasMasterNCs: ${DOMAINDN}
invocationId: ${INVOCATIONID}
msDS-Behavior-Version: ${DOMAIN_CONTROLLER_FUNCTIONALITY}
msDS-HasDomainNCs: ${DOMAINDN}
# "msDS-HasInstantiatedNCs"s for DNS don't exist since we don't support AD DNS
msDS-HasInstantiatedNCs: B:8:0000000D:${CONFIGDN}
msDS-HasInstantiatedNCs: B:8:0000000D:${SCHEMADN}
msDS-HasInstantiatedNCs: B:8:00000005:${DOMAINDN}
# "msDS-hasMasterNCs"s for DNS don't exist since we don't support AD DNS
msDS-hasMasterNCs: ${CONFIGDN}
msDS-hasMasterNCs: ${SCHEMADN}
msDS-hasMasterNCs: ${DOMAINDN}
options: 1
systemFlags: 33554432
# Provides an account for DNS keytab export
dn: CN=dns,CN=Users,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
description: DNS Service Account
userAccountControl: 514
accountExpires: 9223372036854775807
sAMAccountName: dns
servicePrincipalName: DNS/${DNSDOMAIN}
userPassword:: ${DNSPASS_B64}
isCriticalSystemObject: TRUE

47
source4/setup/pwsettings
View File

@ -1,21 +1,32 @@
#!/usr/bin/python
#
# Sets password settings (Password complexity, history length,
# minimum password length, the minimum and maximum password age) on a
# Samba4 server
# Sets password settings (Password complexity, history length, minimum password
# length, the minimum and maximum password age) on a Samba4 server
#
# Copyright Jelmer Vernooij 2008
# Copyright Matthias Dieter Wallnoefer 2009
# Copyright Andrew Kroeger 2009
# Released under the GNU GPL version 3 or later
# Copyright Matthias Dieter Wallnoefer 2009
# Copyright Andrew Kroeger 2009
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import os, sys
sys.path.insert(0, os.path.join(os.path.dirname(sys.argv[0]), "../bin/python"))
import sys
# Find right directory when running from source tree
sys.path.insert(0, "bin/python")
import samba.getopt as options
import optparse
import pwd
import ldb
from samba.auth import system_session
@ -29,7 +40,6 @@ parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
parser.add_option("--quiet", help="Be quiet", action="store_true")
parser.add_option("-H", help="LDB URL for database or target server", type=str)
parser.add_option("--complexity",
help="The password complexity (on | off | default). Default is 'on'", type=str)
parser.add_option("--history-length",
@ -55,15 +65,9 @@ if len(args) == 0:
sys.exit(1)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
if opts.H is not None:
url = opts.H
else:
url = lp.get("sam database")
samdb = SamDB(url=url, session_info=system_session(),
samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
credentials=creds, lp=lp)
domain_dn = SamDB.domain_dn(samdb)
@ -79,13 +83,10 @@ try:
min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
except:
print "ERROR: Could not retrieve password properties!"
if args[0] == "show":
print "ERROR: Password informations missing in your AD domain object!"
print "So no settings can be displayed!"
sys.exit(1)
else:
print "ERROR: Could not retrieve password properties (used for password complexity setting)"
sys.exit(1)
sys.exit(1)
if args[0] == "show":
message("Password informations for domain '" + domain_dn + "'")

52
source4/setup/setexpiry
View File

@ -1,9 +1,23 @@
#!/usr/bin/python
#
# Sets the password expiry for a user on a Samba4 server
# Copyright Andrew Tridgell 2005
# Copyright Jelmer Vernooij 2008
# Released under the GNU GPL version 3 or later
# Sets the user password expiry on a Samba4 server
# Copyright Jelmer Vernooij 2008
#
# Based on the original in EJS:
# Copyright Andrew Tridgell 2005
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
@ -13,32 +27,38 @@ sys.path.insert(0, "bin/python")
import samba.getopt as options
import optparse
from getpass import getpass
from samba.auth import system_session
parser = optparse.OptionParser("setexpiry [options] <username>")
from samba.auth import system_session
from samba.samdb import SamDB
parser = optparse.OptionParser("setexpiry [username] [options]")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
parser.add_option("--filter", help="LDAP Filter to set password on", type=str)
parser.add_option("--days", help="Days to expiry", type=int)
parser.add_option("--noexpiry", help="Never expire", action="store_true")
parser.add_option("--noexpiry", help="Password does never expire", action="store_true")
opts, args = parser.parse_args()
if len(args) == 0:
if (len(args) == 0) and (filter is None):
print "Either the username or '--filter' must be specified!"
parser.print_usage()
sys.exit(1)
username = args[0]
days = opts.days
if days is None:
days = 0
if filter is None:
username = args[0]
filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
samdb = sambaopts.get_hostconfig().get_samdb(session_info=system_session(),
credentials=creds)
days = opts.days
if days is None:
days = 0
samdb.setexpiry(username, days*24*3600, opts.noexpiry)
samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
credentials=creds, lp=lp)
samdb.setexpiry(filter, days*24*3600, noexpiry=opts.noexpiry)

14
source4/setup/setpassword
View File

@ -20,15 +20,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import os, sys
import sys
# Find right directory when running from source tree
sys.path.insert(0, "bin/python")
import samba.getopt as options
import optparse
import pwd
import sys
from getpass import getpass
from samba.auth import system_session
from samba.samdb import SamDB
@ -45,13 +44,6 @@ parser.add_option("--must-change-at-next-login", help="Force password to be chan
opts, args = parser.parse_args()
#
# print a message if quiet is not set
#
def message(text):
if not opts.quiet:
print text
filter = opts.filter
if (len(args) == 0) and (filter is None):
@ -65,7 +57,7 @@ if password is None:
if filter is None:
username = args[0]
filter = "(&(objectclass=user)(samAccountName=%s))" % (username)
filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)

4
source4/smbd/config.mk
View File

@ -2,7 +2,9 @@
[SUBSYSTEM::service]
PRIVATE_DEPENDENCIES = \
LIBTEVENT MESSAGING samba_socket NDR_NAMED_PIPE_AUTH NAMED_PIPE_AUTH_TSTREAM
LIBTEVENT MESSAGING samba_socket \
NDR_NAMED_PIPE_AUTH NAMED_PIPE_AUTH_TSTREAM \
HEIMDAL_GSSAPI CREDENTIALS
service_OBJ_FILES = $(addprefix $(smbdsrcdir)/, \
service.o \

100
source4/smbd/service_named_pipe.c
View File

@ -30,6 +30,9 @@
#include "librpc/gen_ndr/ndr_named_pipe_auth.h"
#include "system/passwd.h"
#include "libcli/raw/smb.h"
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_krb5.h"
#include <gssapi/gssapi.h>
struct named_pipe_socket {
const char *pipe_name;
@ -53,6 +56,11 @@ static void named_pipe_handover_connection(void *private_data)
TEVENT_FD_NOT_WRITEABLE(conn->event.fde);
packet_set_socket(pipe_conn->packet, NULL);
packet_set_event_context(pipe_conn->packet, NULL);
packet_set_fde(pipe_conn->packet, NULL);
TALLOC_FREE(pipe_conn->packet);
if (!NT_STATUS_IS_OK(pipe_conn->status)) {
stream_terminate_connection(conn, nt_errstr(pipe_conn->status));
return;
@ -63,7 +71,7 @@ static void named_pipe_handover_connection(void *private_data)
*/
conn->ops = pipe_conn->pipe_sock->ops;
conn->private_data = pipe_conn->pipe_sock->private_data;
talloc_free(pipe_conn);
talloc_unlink(conn, pipe_conn);
/* we're now ready to start receiving events on this stream */
TEVENT_FD_READABLE(conn->event.fde);
@ -213,6 +221,94 @@ static NTSTATUS named_pipe_recv_auth_request(void *private_data,
req.info.info2.session_key_length);
talloc_steal(conn->session_info, req.info.info2.session_key);
break;
case 3:
rep.level = 3;
rep.info.info3.file_type = FILE_TYPE_MESSAGE_MODE_PIPE;
rep.info.info3.device_state = 0xff | 0x0400 | 0x0100;
rep.info.info3.allocation_size = 4096;
if (!req.info.info3.sam_info3) {
/*
* anon connection, we don't create a session info
* and leave it NULL
*/
rep.status = NT_STATUS_OK;
break;
}
val.sam3 = req.info.info3.sam_info3;
rep.status = make_server_info_netlogon_validation(pipe_conn,
val.sam3->base.account_name.string,
3, &val, &server_info);
if (!NT_STATUS_IS_OK(rep.status)) {
DEBUG(2, ("make_server_info_netlogon_validation returned "
"%s\n", nt_errstr(rep.status)));
goto reply;
}
/* setup the session_info on the connection */
rep.status = auth_generate_session_info(conn,
conn->event.ctx,
conn->lp_ctx,
server_info,
&conn->session_info);
if (!NT_STATUS_IS_OK(rep.status)) {
DEBUG(2, ("auth_generate_session_info failed: %s\n",
nt_errstr(rep.status)));
goto reply;
}
if (req.info.info3.gssapi_delegated_creds_length) {
OM_uint32 minor_status;
gss_buffer_desc cred_token;
gss_cred_id_t cred_handle;
int ret;
DEBUG(10, ("named_pipe_auth: delegated credentials supplied by client\n"));
cred_token.value = req.info.info3.gssapi_delegated_creds;
cred_token.length = req.info.info3.gssapi_delegated_creds_length;
ret = gss_import_cred(&minor_status,
&cred_token,
&cred_handle);
if (ret != GSS_S_COMPLETE) {
rep.status = NT_STATUS_INTERNAL_ERROR;
goto reply;
}
conn->session_info->credentials = cli_credentials_init(conn->session_info);
if (!conn->session_info->credentials) {
rep.status = NT_STATUS_NO_MEMORY;
goto reply;
}
cli_credentials_set_conf(conn->session_info->credentials,
conn->lp_ctx);
/* Just so we don't segfault trying to get at a username */
cli_credentials_set_anonymous(conn->session_info->credentials);
ret = cli_credentials_set_client_gss_creds(conn->session_info->credentials,
conn->event.ctx,
conn->lp_ctx,
cred_handle,
CRED_SPECIFIED);
if (ret) {
rep.status = NT_STATUS_INTERNAL_ERROR;
goto reply;
}
/* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
cli_credentials_set_kerberos_state(conn->session_info->credentials,
CRED_MUST_USE_KERBEROS);
}
conn->session_info->session_key = data_blob_const(req.info.info3.session_key,
req.info.info3.session_key_length);
talloc_steal(conn->session_info, req.info.info3.session_key);
break;
default:
DEBUG(2, ("named_pipe_auth_req: unknown level %u\n",
@ -235,7 +331,7 @@ reply:
return status;
}
DEBUG(10,("named_pipe_auth reply[%u]\n", rep_blob.length));
DEBUG(10,("named_pipe_auth reply[%u]\n", (unsigned)rep_blob.length));
dump_data(11, rep_blob.data, rep_blob.length);
if (DEBUGLVL(10)) {
NDR_PRINT_DEBUG(named_pipe_auth_rep, &rep);

26
source4/torture/rpc/spoolss_notify.c
View File

@ -20,10 +20,12 @@
*/
#include "includes.h"
#include "system/filesys.h"
#include "torture/torture.h"
#include "torture/rpc/rpc.h"
#include "librpc/gen_ndr/ndr_spoolss_c.h"
#include "rpc_server/dcerpc_server.h"
#include "rpc_server/service_rpc.h"
#include "lib/events/events.h"
#include "smbd/process_model.h"
#include "smb_server/smb_server.h"
@ -191,6 +193,7 @@ static bool test_RFFPCNEx(struct torture_context *tctx,
NTSTATUS status;
struct dcesrv_context *dce_ctx;
const char *endpoints[] = { "spoolss", NULL };
struct dcesrv_endpoint *e;
struct spoolss_NotifyOption t1;
struct spoolss_ClosePrinter cp;
@ -244,6 +247,23 @@ static bool test_RFFPCNEx(struct torture_context *tctx,
torture_assert_ntstatus_ok(tctx, status,
"unable to initialize DCE/RPC server");
/* Make sure the directory for NCALRPC exists */
if (!directory_exist(lp_ncalrpc_dir(tctx->lp_ctx))) {
int ret;
ret = mkdir(lp_ncalrpc_dir(tctx->lp_ctx), 0755);
torture_assert(tctx, (ret == 0), talloc_asprintf(tctx,
"failed to mkdir(%s) ret[%d] errno[%d - %s]",
lp_ncalrpc_dir(tctx->lp_ctx), ret,
errno, strerror(errno)));
}
for (e=dce_ctx->endpoint_list;e;e=e->next) {
status = dcesrv_add_ep(dce_ctx, tctx->lp_ctx,
e, tctx->ev, &single_ops);
torture_assert_ntstatus_ok(tctx, status,
"unable listen on dcerpc endpoint server");
}
r.in.flags = 0;
r.in.local_machine = talloc_asprintf(tctx, "\\\\%s", address);
r.in.options = 0;
@ -293,7 +313,7 @@ static bool test_RFFPCNEx(struct torture_context *tctx,
* on Samba 4 will cause an irpc broadcast call.
*/
static bool test_ReplyOpenPrinter(struct torture_context *tctx,
struct dcerpc_pipe *pipe)
struct dcerpc_pipe *p)
{
struct spoolss_ReplyOpenPrinter r;
struct spoolss_ReplyClosePrinter s;
@ -307,7 +327,7 @@ static bool test_ReplyOpenPrinter(struct torture_context *tctx,
r.out.handle = &h;
torture_assert_ntstatus_ok(tctx,
dcerpc_spoolss_ReplyOpenPrinter(pipe, tctx, &r),
dcerpc_spoolss_ReplyOpenPrinter(p, tctx, &r),
"spoolss_ReplyOpenPrinter call failed");
torture_assert_werr_ok(tctx, r.out.result, "error return code");
@ -316,7 +336,7 @@ static bool test_ReplyOpenPrinter(struct torture_context *tctx,
s.out.handle = &h;
torture_assert_ntstatus_ok(tctx,
dcerpc_spoolss_ReplyClosePrinter(pipe, tctx, &s),
dcerpc_spoolss_ReplyClosePrinter(p, tctx, &s),
"spoolss_ReplyClosePrinter call failed");
torture_assert_werr_ok(tctx, r.out.result, "error return code");