Updates from Samba HEAD:

- Fix segfaults in the 'net ads' commands when no password is provided
 - Readd --with-ldapsam for 2.2 compatability.  This conditionally compiles the
   old options, but the actual code is available on all ldap systems.
 - Fix shadow passwords (as per work with vl)
 - Fix sending plaintext passwords to unicode servers (again vl)
 - Add a bit of const to secrets.c functions
 - Fix some spelling and grammer by vance.
 - Document the -r option in smbgroupedit.

There are more changes in HEAD, I'm only merging the changes I've been involved
with.

Andrew Bartlett
(This used to be commit 83973c3893)

source3/Makefile.in

@@ -70,7 +70,7 @@ SWATDIR = @swatdir@
 # the directory where lock files go
 LOCKDIR = @lockdir@
 
-# the directorty where pid files go
+# the directory where pid files go
 PIDDIR = @piddir@
 # man pages language(s)
 man_langs = "@manlangs@"

source3/acconfig.h

@@ -167,7 +167,7 @@
 #undef HAVE_IMMEDIATE_STRUCTURES
 #undef HAVE_CUPS
 #undef WITH_SAM
-#undef WITH_LDAP_SAM
+#undef WITH_LDAP_SAMCONFIG
 #undef WITH_NISPLUS_SAM
 #undef WITH_TDB_SAM
 #undef LINUX_QUOTAS_1

source3/auth/pass_check.c

@@ -634,6 +634,7 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
 	/* Also the place to keep the 'password' no matter what
 	   crazy struct it started in... */
 	fstrcpy(this_crypted, pass->pw_passwd);
+	fstrcpy(this_salt, pass->pw_passwd);
 
 #ifdef HAVE_GETSPNAM
 	{
@@ -645,8 +646,10 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
 		   perhaps for IPC password changing requests */
 
 		spass = getspnam(pass->pw_name);
-		if (spass && spass->sp_pwdp)
+		if (spass && spass->sp_pwdp) {
 			fstrcpy(this_crypted, spass->sp_pwdp);
+			fstrcpy(this_salt, spass->sp_pwdp);
+		}
 	}
 #elif defined(IA_UINFO)
 	{
@@ -704,9 +707,6 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
 	}
 #endif
 
-	/* extract relevant info */
-	fstrcpy(this_salt, pass->pw_passwd);
-
 #if defined(HAVE_TRUNCATED_SALT)
 	/* crypt on some platforms (HPUX in particular)
 	   won't work with more than 2 salt characters. */

source3/configure.in

@@ -2215,6 +2215,23 @@ AC_ARG_WITH(sam,
 ##
 ########################################################################################
 
+#################################################
+# check for a LDAP password database configuration backwards compatibility
+AC_MSG_CHECKING(whether to use LDAP SAM 2.2 compatible configuration)
+AC_ARG_WITH(ldapsam,
+[  --with-ldapsam           Include LDAP SAM 2.2 compatible configuration (default=no)],
+[ case "$withval" in
+  yes)
+    AC_MSG_RESULT(yes)
+    AC_DEFINE(WITH_LDAP_SAMCONFIG)
+    ;;
+  *)
+    AC_MSG_RESULT(no)
+    ;;
+  esac ],
+  AC_MSG_RESULT(no)
+)
+
 #################################################
 # check for a TDB password database
 AC_MSG_CHECKING(whether to use TDB SAM database)

source3/include/config.h.in

@@ -233,7 +233,7 @@
 #undef HAVE_IMMEDIATE_STRUCTURES
 #undef HAVE_CUPS
 #undef WITH_SAM
-#undef WITH_LDAP_SAM
+#undef WITH_LDAP_SAMCONFIG
 #undef WITH_NISPLUS_SAM
 #undef WITH_TDB_SAM
 #undef LINUX_QUOTAS_1

source3/lib/util_str.c

@@ -643,8 +643,8 @@ void string_free(char **s)
 }
 
 /****************************************************************************
-set a string value, allocing the space for the string, and deallocating any 
-existing space
+set a string value, deallocating any existing space, and allocing the space
+for the string
 ****************************************************************************/
 BOOL string_set(char **dest,const char *src)
 {
@@ -724,7 +724,7 @@ void pstring_sub(char *s,const char *pattern,const char *insert)
 
 /* similar to string_sub, but it will accept only allocated strings
  * and may realloc them so pay attention at what you pass on no
- * pointers inside strings, no pstrings or const must be passed
+ * pointers inside strings, no pstrings or const may be passed
  * as string.
  */
 
@@ -830,7 +830,7 @@ void all_string_sub(char *s,const char *pattern,const char *insert, size_t len)
 
 /****************************************************************************
 similar to all_string_sub but for unicode strings.
-return a new allocate unicode string.
+return a new allocated unicode string.
   similar to string_sub() but allows for any character to be substituted.
   Use with caution!
 ****************************************************************************/
@@ -1203,7 +1203,7 @@ BOOL str_list_copy(char ***dest, char **src)
 			lsize += S_LIST_ABS;
 			rlist = (char **)Realloc(list, ((sizeof(char **)) * (lsize +1)));
 			if (!rlist) {
-				DEBUG(0,("str_list_copy: Unable to allocate memory"));
+				DEBUG(0,("str_list_copy: Unable to re-allocate memory"));
 				str_list_free(&list);
 				return False;
 			}
@@ -1225,7 +1225,7 @@ BOOL str_list_copy(char ***dest, char **src)
 	return True;	
 }
 
-/* return true if all the elemnts of the list matches exactly */
+/* return true if all the elements of the list match exactly */
 
 BOOL str_list_compare(char **list1, char **list2)
 {

source3/libads/kerberos.c

@@ -114,7 +114,14 @@ int ads_kinit_password(ADS_STRUCT *ads)
 	char *s;
 	int ret;
 
-	asprintf(&s, "%s@%s", ads->auth.user_name, ads->auth.realm);
+	if (asprintf(&s, "%s@%s", ads->auth.user_name, ads->auth.realm) == -1) {
+		return KRB5_CC_NOMEM;
+	}
+
+	if (!ads->auth.password) {
+		return KRB5_LIBOS_CANTREADPWD;
+	}
+	
 	ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset);
 
 	if (ret) {

source3/libsmb/cliconnect.c

@@ -184,12 +184,8 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user,
 					char *pass, char *workgroup)
 {
 	uint32 capabilities = cli_session_setup_capabilities(cli);
-	fstring pword;
-	int passlen;
 	char *p;
 
-	passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE|STR_ASCII);
-
 	set_message(cli->outbuf,13,0,True);
 	SCVAL(cli->outbuf,smb_com,SMBsesssetupX);
 	cli_setup_packet(cli);
@@ -202,7 +198,7 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user,
 	SSVAL(cli->outbuf,smb_vwv8,0);
 	SIVAL(cli->outbuf,smb_vwv11,capabilities); 
 	p = smb_buf(cli->outbuf);
-	p += clistr_push(cli, p, pword, -1, STR_TERMINATE); /* password */
+	p += clistr_push(cli, p, pass, -1, STR_TERMINATE); /* password */
 	SSVAL(cli->outbuf,smb_vwv7,PTR_DIFF(p, smb_buf(cli->outbuf)));
 	p += clistr_push(cli, p, user, -1, STR_TERMINATE); /* username */
 	p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE); /* workgroup */

source3/param/loadparm.c

@@ -207,6 +207,10 @@ typedef struct
 	int iLockSpinTime;
 	char *szLdapMachineSuffix;
 	char *szLdapUserSuffix;
+#ifdef WITH_LDAP_SAMCONFIG
+	int ldap_port;
+	char *szLdapServer;
+#endif
 	int ldap_ssl;
 	char *szLdapSuffix;
 	char *szLdapFilter;
@@ -596,7 +600,7 @@ static struct enum_list enum_ldap_ssl[] = {
 	{LDAP_SSL_OFF, "off"},
 	{LDAP_SSL_OFF, "Off"},
 	{LDAP_SSL_START_TLS, "start tls"},
-	{LDAP_SSL_START_TLS, "start_tls"},
+	{LDAP_SSL_START_TLS, "Start_tls"},
 	{-1, NULL}
 };
 
@@ -1003,6 +1007,10 @@ static struct parm_struct parm_table[] = {
 
 	{"Ldap Options", P_SEP, P_SEPARATOR},
 	
+#ifdef WITH_LDAP_SAMCONFIG
+	{"ldap server", P_STRING, P_GLOBAL, &Globals.szLdapServer, NULL, NULL, 0},
+	{"ldap port", P_INTEGER, P_GLOBAL, &Globals.ldap_port, NULL, NULL, 0}, 
+#endif
 	{"ldap suffix", P_STRING, P_GLOBAL, &Globals.szLdapSuffix, handle_ldap_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"ldap machine suffix", P_STRING, P_GLOBAL, &Globals.szLdapMachineSuffix, handle_ldap_machine_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"ldap user suffix", P_STRING, P_GLOBAL, &Globals.szLdapUserSuffix, handle_ldap_user_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
@@ -1177,7 +1185,7 @@ static void init_printer_values(void)
 				   "lp -i %p-%j -H hold");
 			string_set(&sDefault.szLpresumecommand,
 				   "lp -i %p-%j -H resume");
-#endif /* SYSV */
+#endif /* HPUX */
 			break;
 
 		case PRINT_QNX:
@@ -1244,7 +1252,6 @@ static void init_globals(void)
 
 	string_set(&Globals.szSMBPasswdFile, dyn_SMB_PASSWD_FILE);
 	string_set(&Globals.szPrivateDir, dyn_PRIVATE_DIR);
-	Globals.szPassdbBackend = str_list_make("smbpasswd unixsam", NULL);
 
 	/* use the new 'hash2' method by default */
 	string_set(&Globals.szManglingMethod, "hash2");
@@ -1367,6 +1374,14 @@ static void init_globals(void)
 	   a large number of sites (tridge) */
 	Globals.bHostnameLookups = False;
 
+#ifdef WITH_LDAP_SAMCONFIG
+	string_set(&Globals.szLdapServer, "localhost");
+	Globals.ldap_port = 636;
+	Globals.szPassdbBackend = str_list_make("ldapsam unixsam", NULL);
+#else
+	Globals.szPassdbBackend = str_list_make("smbpasswd unixsam", NULL);
+#endif /* WITH_LDAP_SAMCONFIG */
+
 	string_set(&Globals.szLdapSuffix, "");
 	string_set(&Globals.szLdapMachineSuffix, "");
 	string_set(&Globals.szLdapUserSuffix, "");
@@ -1582,6 +1597,11 @@ FN_GLOBAL_STRING(lp_winbind_separator, &Globals.szWinbindSeparator)
 FN_GLOBAL_BOOL(lp_winbind_enum_users, &Globals.bWinbindEnumUsers)
 FN_GLOBAL_BOOL(lp_winbind_enum_groups, &Globals.bWinbindEnumGroups)
 FN_GLOBAL_BOOL(lp_winbind_use_default_domain, &Globals.bWinbindUseDefaultDomain)
+
+#ifdef WITH_LDAP_SAMCONFIG
+FN_GLOBAL_STRING(lp_ldap_server, &Globals.szLdapServer)
+FN_GLOBAL_INTEGER(lp_ldap_port, &Globals.ldap_port)
+#endif
 FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)
 FN_GLOBAL_STRING(lp_ldap_machine_suffix, &Globals.szLdapMachineSuffix)
 FN_GLOBAL_STRING(lp_ldap_user_suffix, &Globals.szLdapUserSuffix)

source3/passdb/pdb_ldap.c

@@ -1730,8 +1730,23 @@ NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, co
 
 	if (location) {
 		ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location);
+#ifdef WITH_LDAP_SAMCONFIG
 	} else {
-		ldap_state->uri = "ldap://localhost";
+		int ldap_port = lp_ldap_port();
+			
+		/* remap default port is no SSL */
+		if ( (lp_ldap_ssl() == LDAP_SSL_OFF) && (ldap_port == 636) ) {
+			ldap_port = 389;
+		}
+
+		ldap_state->uri = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() ? "ldap" : "ldaps", lp_ldap_server(), ldap_port);
+		if (!ldap_state->uri) {
+			return NT_STATUS_NO_MEMORY;
+		}
+#else
+	} else {
+		ldap_state->uri = "ldaps://localhost";
+#endif
 	}
 
 	(*pdb_method)->private_data = ldap_state;

source3/passdb/secrets.c

@@ -95,7 +95,7 @@ BOOL secrets_delete(const char *key)
 	return tdb_delete(tdb, kbuf) == 0;
 }
 
-BOOL secrets_store_domain_sid(char *domain, const DOM_SID *sid)
+BOOL secrets_store_domain_sid(const char *domain, const DOM_SID *sid)
 {
 	fstring key;
 
@@ -104,7 +104,7 @@ BOOL secrets_store_domain_sid(char *domain, const DOM_SID *sid)
 	return secrets_store(key, sid, sizeof(DOM_SID));
 }
 
-BOOL secrets_fetch_domain_sid(char *domain, DOM_SID *sid)
+BOOL secrets_fetch_domain_sid(const char *domain, DOM_SID *sid)
 {
 	DOM_SID *dyn_sid;
 	fstring key;
@@ -128,7 +128,7 @@ BOOL secrets_fetch_domain_sid(char *domain, DOM_SID *sid)
 	return True;
 }
 
-BOOL secrets_store_domain_guid(char *domain, GUID *guid)
+BOOL secrets_store_domain_guid(const char *domain, GUID *guid)
 {
 	fstring key;
 
@@ -137,7 +137,7 @@ BOOL secrets_store_domain_guid(char *domain, GUID *guid)
 	return secrets_store(key, guid, sizeof(GUID));
 }
 
-BOOL secrets_fetch_domain_guid(char *domain, GUID *guid)
+BOOL secrets_fetch_domain_guid(const char *domain, GUID *guid)
 {
 	GUID *dyn_guid;
 	fstring key;
@@ -227,7 +227,7 @@ BOOL secrets_lock_trust_account_password(char *domain, BOOL dolock)
  the above call.
 ************************************************************************/
 
-BOOL secrets_fetch_trust_account_password(char *domain, uint8 ret_pwd[16],
+BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
 					  time_t *pass_last_set_time)
 {
 	struct machine_acct_pass *pass;

source3/utils/net.c

@@ -277,8 +277,13 @@ struct cli_state *net_make_ipc_connection(unsigned flags)
 	} else {
 		nt_status = connect_to_ipc(&cli, &server_ip, server_name);
 	}
+
 	SAFE_FREE(server_name);
+	if (NT_STATUS_IS_OK(nt_status)) {
 		return cli;
+	} else {
+		return NULL;
+	}
 }
 
 static int net_user(int argc, const char **argv)

source3/utils/net_rpc.c

@@ -309,17 +309,26 @@ static int rpc_join_usage(int argc, const char **argv)
  * Main 'net_rpc_join()' (where the admain username/password is used) is 
  * in net_rpc_join.c
  * Assume if a -U is specified, it's the new style, otherwise it's the
- * old style
+ * old style.  If 'oldstyle' is specfied explicity, do it and don't prompt.
  **/
 
 int net_rpc_join(int argc, const char **argv) 
 {
+	struct functable func[] = {
+		{"oldstyle", net_rpc_join_oldstyle},
+		{NULL, NULL}
+	};
+
+	if (argc == 0) {
 		if ((net_rpc_join_oldstyle(argc, argv) == 0))
 			return 0;
 		
 		return net_rpc_join_newstyle(argc, argv);
 	}
 
+	return net_run_function(argc, argv, func, rpc_join_usage);
+}
+
 
 
 /** 

source3/utils/smbgroupedit.c

@@ -52,6 +52,7 @@ static void usage(void)
 	printf("  -c SID               change group\n");
 	printf("     -u unix group\n");
 	printf("     -d description    group description\n");
+	printf("  -r rid               RID of new group\n");
 	printf("  -x group             delete this group\n");
 	printf("\n");
 	printf("    -t[b|d|l]          type: builtin, domain, local \n");