[Freeipa-devel] [PATCHES] Remove dependencies to private samba libs
Sumit Bose
sbose at redhat.com
Sun Sep 2 17:04:22 UTC 2012
Hi,
Private samba libraries get a new version with every new samba release.
To avoid rebuilding IPA whenever a new samba version is released, the
following series of patches removes the dependencies on private samba
libraries by replacing the related calls with others.
This should fix https://fedorahosted.org/freeipa/ticket/3013
bye,
Sumit
-------------- next part --------------
From 802cbf261c164371d6777ae0f6d7e7f2f305343f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Fri, 24 Aug 2012 13:21:11 +0200
Subject: [PATCH 42/59] ipasam: cleanup explicit dependencies to samba libs
---
daemons/ipa-sam/Makefile.am | 2 --
1 Datei ge?ndert, 2 Zeilen entfernt(-)
diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
index ad7e516f0c94f82cc209ee55ff0b67c6a6bd54f9..ae0de4ecb7e4eb0298c87e6b544c643d7ba7f4ce 100644
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -1,9 +1,7 @@
NULL =
SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH) \
-lsmbldap \
- -lcliauth \
-lpdb \
- -lsamba-security \
-lsmbconf \
$(NULL)
--
1.7.11.4
-------------- next part --------------
From aaa717997f8869f9aa5308dfb97dee1f08b1e99a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Fri, 24 Aug 2012 14:46:05 +0200
Subject: [PATCH 43/59] Make encode_ntlm_keys() public
---
daemons/ipa-sam/Makefile.am | 3 +-
.../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 3 +-
.../ipa-pwd-extop/ipapwd_encoding.c | 207 ++------------------
util/ipa_pwd.c | 2 +
util/ipa_pwd.h | 11 ++
util/ipa_pwd_ntlm.c | 213 +++++++++++++++++++++
6 Dateien ge?ndert, 242 Zeilen hinzugef?gt(+), 197 Zeilen entfernt(-)
create mode 100644 util/ipa_pwd_ntlm.c
diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
index ae0de4ecb7e4eb0298c87e6b544c643d7ba7f4ce..11179276c17f9b0415fc5ad944b88bcbbb0529c3 100644
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -6,7 +6,7 @@ SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH) \
$(NULL)
KRB5_UTIL_DIR=../../util
-KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c
+KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c $(KRB5_UTIL_DIR)/ipa_pwd_ntlm.c
INCLUDES = \
-I. \
@@ -48,6 +48,7 @@ ipasam_la_LIBADD = \
$(LDAP_LIBS) \
$(KRB5_LIBS) \
$(TALLOC_LIBS) \
+ $(SSL_LIBS) \
$(SAMBAUTIL_LIBS) \
$(NDR_LIBS) \
$(SAMBA40EXTRA_LIBS) \
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
index bdc583566409cfd44c4f144469ca4605295f3286..f3bb589611efbd53eb2f0969ee858c2007829892 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
@@ -3,7 +3,8 @@ NULL =
PLUGIN_COMMON_DIR=../common
KRB5_UTIL_DIR= ../../../util
KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c \
- $(KRB5_UTIL_DIR)/ipa_pwd.c
+ $(KRB5_UTIL_DIR)/ipa_pwd.c \
+ $(KRB5_UTIL_DIR)/ipa_pwd_ntlm.c
INCLUDES = \
-I. \
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index 9c1623a3b28932fba48c878dc6084862a2ba7831..a92eaf0da33809e5a4b81c7f10a801e256880743 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -198,201 +198,6 @@ enc_error:
return NULL;
}
-
-#define KTF_DOS_CHARSET "CP850" /* same default as samba */
-#define KTF_UTF8 "UTF-8"
-#define KTF_UCS2 "UCS-2LE"
-
-static const uint8_t parity_table[128] = {
- 1, 2, 4, 7, 8, 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31,
- 32, 35, 37, 38, 41, 42, 44, 47, 49, 50, 52, 55, 56, 59, 61, 62,
- 64, 67, 69, 70, 73, 74, 76, 79, 81, 82, 84, 87, 88, 91, 93, 94,
- 97, 98,100,103,104,107,109,110,112,115,117,118,121,122,124,127,
- 128,131,133,134,137,138,140,143,145,146,148,151,152,155,157,158,
- 161,162,164,167,168,171,173,174,176,179,181,182,185,186,188,191,
- 193,194,196,199,200,203,205,206,208,211,213,214,217,218,220,223,
- 224,227,229,230,233,234,236,239,241,242,244,247,248,251,253,254
-};
-
-static void lm_shuffle(uint8_t *out, uint8_t *in)
-{
- out[0] = parity_table[in[0]>>1];
- out[1] = parity_table[((in[0]<<6)|(in[1]>>2)) & 0x7F];
- out[2] = parity_table[((in[1]<<5)|(in[2]>>3)) & 0x7F];
- out[3] = parity_table[((in[2]<<4)|(in[3]>>4)) & 0x7F];
- out[4] = parity_table[((in[3]<<3)|(in[4]>>5)) & 0x7F];
- out[5] = parity_table[((in[4]<<2)|(in[5]>>6)) & 0x7F];
- out[6] = parity_table[((in[5]<<1)|(in[6]>>7)) & 0x7F];
- out[7] = parity_table[in[6] & 0x7F];
-}
-
-struct ntlm_keys {
- uint8_t lm[16];
- uint8_t nt[16];
-};
-
-/* create the lm and nt hashes
- newPassword: the clear text utf8 password
- do_lm_hash: determine if LM hash is generated
- do_nt_hash: determine if NT hash is generated
- keys[out]: array with generated hashes
-*/
-static int encode_ntlm_keys(char *newPasswd,
- bool do_lm_hash,
- bool do_nt_hash,
- struct ntlm_keys *keys)
-{
- int ret = 0;
-
- /* do lanman first */
- if (do_lm_hash) {
- iconv_t cd;
- size_t cs, il, ol;
- char *inc, *outc;
- char *upperPasswd;
- char *asciiPasswd;
- DES_key_schedule schedule;
- DES_cblock deskey;
- DES_cblock magic = "KGS!@#$%";
-
- /* TODO: must store the dos charset somewhere in the directory */
- cd = iconv_open(KTF_DOS_CHARSET, KTF_UTF8);
- if (cd == (iconv_t)(-1)) {
- ret = -1;
- goto done;
- }
-
- /* the lanman password is upper case */
- upperPasswd = (char *)slapi_utf8StrToUpper((unsigned char *)newPasswd);
- if (!upperPasswd) {
- iconv_close(cd);
- ret = -1;
- goto done;
- }
- il = strlen(upperPasswd);
-
- /* an ascii string can only be smaller than or equal to an utf8 one */
- ol = il;
- if (ol < 14) ol = 14;
- asciiPasswd = calloc(ol+1, 1);
- if (!asciiPasswd) {
- slapi_ch_free_string(&upperPasswd);
- iconv_close(cd);
- ret = -1;
- goto done;
- }
-
- inc = upperPasswd;
- outc = asciiPasswd;
- cs = iconv(cd, &inc, &il, &outc, &ol);
- if (cs == -1) {
- ret = -1;
- slapi_ch_free_string(&upperPasswd);
- free(asciiPasswd);
- iconv_close(cd);
- goto done;
- }
-
- /* done with these */
- slapi_ch_free_string(&upperPasswd);
- iconv_close(cd);
-
- /* we are interested only in the first 14 ASCII chars for lanman */
- if (strlen(asciiPasswd) > 14) {
- asciiPasswd[14] = '\0';
- }
-
- /* first half */
- lm_shuffle(deskey, (uint8_t *)asciiPasswd);
-
- DES_set_key_unchecked(&deskey, &schedule);
- DES_ecb_encrypt(&magic, (DES_cblock *)keys->lm,
- &schedule, DES_ENCRYPT);
-
- /* second half */
- lm_shuffle(deskey, (uint8_t *)&asciiPasswd[7]);
-
- DES_set_key_unchecked(&deskey, &schedule);
- DES_ecb_encrypt(&magic, (DES_cblock *)&(keys->lm[8]),
- &schedule, DES_ENCRYPT);
-
- /* done with it */
- free(asciiPasswd);
-
- } else {
- memset(keys->lm, 0, 16);
- }
-
- if (do_nt_hash) {
- iconv_t cd;
- size_t cs, il, ol, sl;
- char *inc, *outc;
- char *ucs2Passwd;
- MD4_CTX md4ctx;
-
- /* TODO: must store the dos charset somewhere in the directory */
- cd = iconv_open(KTF_UCS2, KTF_UTF8);
- if (cd == (iconv_t)(-1)) {
- ret = -1;
- goto done;
- }
-
- il = strlen(newPasswd);
-
- /* an ucs2 string can be at most double than an utf8 one */
- sl = ol = (il+1)*2;
- ucs2Passwd = calloc(ol, 1);
- if (!ucs2Passwd) {
- ret = -1;
- iconv_close(cd);
- goto done;
- }
-
- inc = newPasswd;
- outc = ucs2Passwd;
- cs = iconv(cd, &inc, &il, &outc, &ol);
- if (cs == -1) {
- ret = -1;
- free(ucs2Passwd);
- iconv_close(cd);
- goto done;
- }
-
- /* done with it */
- iconv_close(cd);
-
- /* get the final ucs2 string length */
- sl -= ol;
-
- ret = MD4_Init(&md4ctx);
- if (ret == 0) {
- ret = -1;
- free(ucs2Passwd);
- goto done;
- }
- ret = MD4_Update(&md4ctx, ucs2Passwd, sl);
- if (ret == 0) {
- ret = -1;
- free(ucs2Passwd);
- goto done;
- }
- ret = MD4_Final(keys->nt, &md4ctx);
- if (ret == 0) {
- ret = -1;
- free(ucs2Passwd);
- goto done;
- }
-
- } else {
- memset(keys->nt, 0, 16);
- }
-
- ret = 0;
-
-done:
- return ret;
-}
-
int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data, char *userpw,
int is_krb, int is_smb, int is_ipant, Slapi_Value ***svals,
@@ -400,6 +205,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
char **errMesg)
{
int rc;
+ char *userpw_uc = NULL;
*svals = NULL;
*nthash = NULL;
@@ -423,10 +229,21 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
struct ntlm_keys ntlm;
int ret;
+ userpw_uc = (char *) slapi_utf8StrToUpper((unsigned char *) userpw);
+ if (!userpw_uc) {
+ *errMesg = "Failed to generate upper case password\n";
+ LOG_FATAL("%s", *errMesg);
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
ret = encode_ntlm_keys(userpw,
+ userpw_uc,
krbcfg->allow_lm_hash,
krbcfg->allow_nt_hash,
&ntlm);
+ memset(userpw_uc, 0, strlen(userpw_uc));
+ slapi_ch_free_string(&userpw_uc);
if (ret) {
*errMesg = "Failed to generate NT/LM hashes\n";
LOG_FATAL("%s", *errMesg);
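Review bot: The upper-cased copy `userpw_uc` is created, wiped and freed on every call even when `krbcfg->allow_lm_hash` is false, although `encode_ntlm_keys` only reads `upperPasswd` on the LM path. Wrapping the `slapi_utf8StrToUpper` block in `if (krbcfg->allow_lm_hash)` (and guarding the later `memset`/`slapi_ch_free_string` pair on `userpw_uc != NULL`) avoids producing a second clear-text copy of the password in the common NT-only configuration and stops an upper-casing failure from aborting a request that never needed it. The wipe-before-free ordering ahead of the `ret` check is right; a short comment, `/* userpw_uc is clear-text password material: wipe before release */`, would keep that intent visible to future edits. ipapwd_gen_hashes starts outside this hunk.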
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index 92fb3b0298418592881d100fb7a9ccfac99fd665..761d1efb8cbcb303d4ec4edd49254b433b048b31 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -20,7 +20,9 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#ifndef _GNU_SOURCE
#define _GNU_SOURCE
+#endif
#include <stdbool.h>
#include <stdio.h>
#include <time.h>
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index 2e537753e4b6b72cab19f3ce62c04f453e237664..00de889ff53cdc113a6c926e35c87e7b08238e4a 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -71,4 +71,15 @@ int ipapwd_generate_new_history(char *password,
char ***new_pwd_history,
int *new_pwd_hlen);
+struct ntlm_keys {
+ uint8_t lm[16];
+ uint8_t nt[16];
+};
+
+int encode_ntlm_keys(char *newPasswd,
+ char *upperPasswd,
+ bool do_lm_hash,
+ bool do_nt_hash,
+ struct ntlm_keys *keys);
+
#endif
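Review bot: The newly public `encode_ntlm_keys` prototype carries no documentation, and its contract has details a caller outside ipa-pwd-extop cannot guess: `upperPasswd` is only consulted when `do_lm_hash` is set (and must then be non-NULL), the disabled half of `keys` is zeroed rather than left untouched, and the return value is 0 on success and -1 on any failure. Add a Doxygen block above the declaration stating those points and that both string arguments are expected in UTF-8. The declaration also relies on `uint8_t` and `bool`; make sure `<stdint.h>` and `<stdbool.h>` are included by ipa_pwd.h itself (not visible in this hunk) so the header stays self-contained for the ipasam build that now compiles against it.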
diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c
new file mode 100644
index 0000000000000000000000000000000000000000..a3399b58e006e340677fa43773e6282249858062
--- /dev/null
+++ b/util/ipa_pwd_ntlm.c
@@ -0,0 +1,213 @@
+/*
+ * Password related utils for FreeIPA
+ *
+ * Authors: Simo Sorce <ssorce at redhat.com>
+ *
+ * Copyright (C) 2011,2012 Simo Sorce, Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdbool.h>
+#include <iconv.h>
+#include <openssl/des.h>
+#include <openssl/md4.h>
+#include <dirsrv/slapi-plugin.h>
+
+#include "ipa_pwd.h"
+
+#define KTF_DOS_CHARSET "CP850" /* same default as samba */
+#define KTF_UTF8 "UTF-8"
+#define KTF_UCS2 "UCS-2LE"
+
+static const uint8_t parity_table[128] = {
+ 1, 2, 4, 7, 8, 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31,
+ 32, 35, 37, 38, 41, 42, 44, 47, 49, 50, 52, 55, 56, 59, 61, 62,
+ 64, 67, 69, 70, 73, 74, 76, 79, 81, 82, 84, 87, 88, 91, 93, 94,
+ 97, 98,100,103,104,107,109,110,112,115,117,118,121,122,124,127,
+ 128,131,133,134,137,138,140,143,145,146,148,151,152,155,157,158,
+ 161,162,164,167,168,171,173,174,176,179,181,182,185,186,188,191,
+ 193,194,196,199,200,203,205,206,208,211,213,214,217,218,220,223,
+ 224,227,229,230,233,234,236,239,241,242,244,247,248,251,253,254
+};
+
+static void lm_shuffle(uint8_t *out, uint8_t *in)
+{
+ out[0] = parity_table[in[0]>>1];
+ out[1] = parity_table[((in[0]<<6)|(in[1]>>2)) & 0x7F];
+ out[2] = parity_table[((in[1]<<5)|(in[2]>>3)) & 0x7F];
+ out[3] = parity_table[((in[2]<<4)|(in[3]>>4)) & 0x7F];
+ out[4] = parity_table[((in[3]<<3)|(in[4]>>5)) & 0x7F];
+ out[5] = parity_table[((in[4]<<2)|(in[5]>>6)) & 0x7F];
+ out[6] = parity_table[((in[5]<<1)|(in[6]>>7)) & 0x7F];
+ out[7] = parity_table[in[6] & 0x7F];
+}
+
+/* create the lm and nt hashes
+ newPassword: the clear text utf8 password
+ upperPasswd: upper case version of clear text utf8 password
+ do_lm_hash: determine if LM hash is generated
+ do_nt_hash: determine if NT hash is generated
+ keys[out]: array with generated hashes
+*/
+int encode_ntlm_keys(char *newPasswd,
+ char *upperPasswd,
+ bool do_lm_hash,
+ bool do_nt_hash,
+ struct ntlm_keys *keys)
+{
+ int ret = 0;
+
+ /* do lanman first */
+ if (do_lm_hash) {
+ iconv_t cd;
+ size_t cs, il, ol;
+ char *inc, *outc;
+ char *asciiPasswd;
+ DES_key_schedule schedule;
+ DES_cblock deskey;
+ DES_cblock magic = "KGS!@#$%";
+
+ if (upperPasswd == NULL) {
+ ret = -1;
+ goto done;
+ }
+ il = strlen(upperPasswd);
+
+ /* TODO: must store the dos charset somewhere in the directory */
+ cd = iconv_open(KTF_DOS_CHARSET, KTF_UTF8);
+ if (cd == (iconv_t)(-1)) {
+ ret = -1;
+ goto done;
+ }
+
+ /* an ascii string can only be smaller than or equal to an utf8 one */
+ ol = il;
+ if (ol < 14) ol = 14;
+ asciiPasswd = calloc(ol+1, 1);
+ if (!asciiPasswd) {
+ iconv_close(cd);
+ ret = -1;
+ goto done;
+ }
+
+ inc = upperPasswd;
+ outc = asciiPasswd;
+ cs = iconv(cd, &inc, &il, &outc, &ol);
+ if (cs == -1) {
+ ret = -1;
+ free(asciiPasswd);
+ iconv_close(cd);
+ goto done;
+ }
+
+ /* done with these */
+ iconv_close(cd);
+
+ /* we are interested only in the first 14 ASCII chars for lanman */
+ if (strlen(asciiPasswd) > 14) {
+ asciiPasswd[14] = '\0';
+ }
+
+ /* first half */
+ lm_shuffle(deskey, (uint8_t *)asciiPasswd);
+
+ DES_set_key_unchecked(&deskey, &schedule);
+ DES_ecb_encrypt(&magic, (DES_cblock *)keys->lm,
+ &schedule, DES_ENCRYPT);
+
+ /* second half */
+ lm_shuffle(deskey, (uint8_t *)&asciiPasswd[7]);
+
+ DES_set_key_unchecked(&deskey, &schedule);
+ DES_ecb_encrypt(&magic, (DES_cblock *)&(keys->lm[8]),
+ &schedule, DES_ENCRYPT);
+
+ /* done with it */
+ free(asciiPasswd);
+
+ } else {
+ memset(keys->lm, 0, 16);
+ }
+
+ if (do_nt_hash) {
+ iconv_t cd;
+ size_t cs, il, ol, sl;
+ char *inc, *outc;
+ char *ucs2Passwd;
+ MD4_CTX md4ctx;
+
+ /* TODO: must store the dos charset somewhere in the directory */
+ cd = iconv_open(KTF_UCS2, KTF_UTF8);
+ if (cd == (iconv_t)(-1)) {
+ ret = -1;
+ goto done;
+ }
+
+ il = strlen(newPasswd);
+
+ /* an ucs2 string can be at most double than an utf8 one */
+ sl = ol = (il+1)*2;
+ ucs2Passwd = calloc(ol, 1);
+ if (!ucs2Passwd) {
+ ret = -1;
+ iconv_close(cd);
+ goto done;
+ }
+
+ inc = newPasswd;
+ outc = ucs2Passwd;
+ cs = iconv(cd, &inc, &il, &outc, &ol);
+ if (cs == -1) {
+ ret = -1;
+ free(ucs2Passwd);
+ iconv_close(cd);
+ goto done;
+ }
+
+ /* done with it */
+ iconv_close(cd);
+
+ /* get the final ucs2 string length */
+ sl -= ol;
+
+ ret = MD4_Init(&md4ctx);
+ if (ret == 0) {
+ ret = -1;
+ free(ucs2Passwd);
+ goto done;
+ }
+ ret = MD4_Update(&md4ctx, ucs2Passwd, sl);
+ if (ret == 0) {
+ ret = -1;
+ free(ucs2Passwd);
+ goto done;
+ }
+ ret = MD4_Final(keys->nt, &md4ctx);
+ if (ret == 0) {
+ ret = -1;
+ free(ucs2Passwd);
+ goto done;
+ }
+
+ } else {
+ memset(keys->nt, 0, 16);
+ }
+
+ ret = 0;
+
+done:
+ return ret;
+}
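Review bot: The UCS-2 copy of the password in the NT branch is never released on the success path — once `MD4_Final` succeeds at the end of the `if (do_nt_hash)` block, control falls through to `ret = 0` with `ucs2Passwd` still allocated, so every successful call leaks a heap buffer holding the clear-text password. The LM branch does free `asciiPasswd`, but unlike the caller in ipapwd_gen_hashes neither buffer is wiped before `free()`, so the clear-text and upper-cased password stay in freed heap memory. Rewrite the tail of the NT branch as below so the buffer is zeroed and freed on every path, and wipe `asciiPasswd` before its two `free()` calls too (a plain `memset` before `free` may be dropped by the optimizer; `OPENSSL_cleanse` from `<openssl/crypto.h>` is the robust choice given the OpenSSL headers already used here). `#include <dirsrv/slapi-plugin.h>` also looks unused now that the `slapi_utf8StrToUpper` call moved to the caller, and it pulls a 389-ds header into the ipasam build this series adds the file to.
```c
        /* … unchanged: iconv conversion of newPasswd to UCS-2 … */
        sl -= ol;

        ret = MD4_Init(&md4ctx);
        if (ret != 0) {
            ret = MD4_Update(&md4ctx, ucs2Passwd, sl);
        }
        if (ret != 0) {
            ret = MD4_Final(keys->nt, &md4ctx);
        }

        /* ucs2Passwd holds the clear-text password: wipe and release it
         * on every path, success included (sl + ol is the allocated size) */
        OPENSSL_cleanse(ucs2Passwd, sl + ol);
        free(ucs2Passwd);
        if (ret == 0) {
            ret = -1;
            goto done;
        }
```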
--
1.7.11.4
-------------- next part --------------
From f7e1cd0d664bd1779e5b40c189da69bc88d7a1b2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Fri, 24 Aug 2012 14:46:29 +0200
Subject: [PATCH 44/59] ipasam: remove nt_lm_owf_gen() and dependency to
libcliauth.so
---
daemons/ipa-sam/ipa_sam.c | 71 +++++++++++++++++++++++++++++++++++++++--------
1 Datei ge?ndert, 59 Zeilen hinzugef?gt(+), 12 Zeilen entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 8a4a08bc7a5951553a463805a8aedb82ee887936..aacae68a4d1c23af3f47ad7f4a7f115c90ea8626 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -30,6 +30,7 @@
#include <sasl/sasl.h>
#include <krb5/krb5.h>
#include "ipa_krb5.h"
+#include "ipa_pwd.h"
/* from drsblobs.h */
struct AuthInfoNone {
@@ -81,7 +82,6 @@ struct trustAuthInOutBlob {
enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flags, struct trustAuthInOutBlob *r); /*available in libndr-samba.so */
bool fetch_ldap_pw(char **dn, char** pw); /* available in libpdb.so */
-void nt_lm_owf_gen(const char *pwd, uint8_t nt_p16[16], uint8_t p16[16]); /* available in libcliauth.so */
bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
/* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
bool sid_check_is_our_sam(const struct dom_sid *sid);
@@ -2348,9 +2348,14 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
NTSTATUS status;
struct dom_sid u_sid;
char *name;
- uint8_t smblmpwd[LM_HASH_LEN];
- uint8_t smbntpwd[NT_HASH_LEN];
- char *trustpw;
+ char *trustpw = NULL;
+ char *trustpw_utf8 = NULL;
+ char *trustpw_utf8_uc = NULL;
+ char *tmp_str = NULL;
+ int ret;
+ struct ntlm_keys ntlm_keys;
+ size_t converted_size;
+ bool res;
if (!pdb_set_acct_ctrl(user, ACB_DOMTRUST | ACB_TRUSTED_FOR_DELEGATION,
PDB_SET)) {
@@ -2387,17 +2392,59 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
if (!NT_STATUS_IS_OK(status)) {
return false;
}
- nt_lm_owf_gen(trustpw, smbntpwd, smblmpwd);
- memset(trustpw, 0, strlen(trustpw));
- talloc_free(trustpw);
- if (!pdb_set_lanman_passwd(user, smblmpwd, PDB_SET)) {
- return false;
+
+ if (!push_utf8_talloc(user, &trustpw_utf8, trustpw, &converted_size)) {
+ res = false;
+ goto done;
+ }
+
+ tmp_str = talloc_strdup_upper(user, trustpw);
+ if (tmp_str == NULL) {
+ res = false;
+ goto done;
+ }
+
+ if (!push_utf8_talloc(user, &trustpw_utf8_uc, tmp_str, &converted_size)) {
+ res = false;
+ goto done;
+ }
+
+ ret = encode_ntlm_keys(trustpw_utf8, trustpw_utf8_uc, true, true,
+ &ntlm_keys);
+ if (ret != 0) {
+ res = false;
+ goto done;
+ }
+
+ if (!pdb_set_lanman_passwd(user, ntlm_keys.lm, PDB_SET)) {
+ res = false;
+ goto done;
+ }
+ if (!pdb_set_nt_passwd(user, ntlm_keys.nt, PDB_SET)) {
+ res = false;
+ goto done;
+ }
+
+ res = true;
+done:
+ if (trustpw != NULL) {
+ memset(trustpw, 0, strlen(trustpw));
+ talloc_free(trustpw);
+ }
+ if (trustpw_utf8 != NULL) {
+ memset(trustpw_utf8, 0, strlen(trustpw_utf8));
+ talloc_free(trustpw_utf8);
+ }
+ if (tmp_str != NULL) {
+ memset(tmp_str, 0, strlen(tmp_str));
+ talloc_free(tmp_str);
}
- if (!pdb_set_nt_passwd(user, smbntpwd, PDB_SET)) {
- return false;
+ if (trustpw_utf8_uc != NULL) {
+ memset(trustpw_utf8_uc, 0, strlen(trustpw_utf8_uc));
+ talloc_free(trustpw_utf8_uc);
}
- return true;
+ return res;
}
static bool ipasam_nthash_retrieve(struct ldapsam_privates *ldap_state,
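Review bot: `ntlm_keys` holds the LM and NT hashes of the trust password, which are password equivalents, yet it is the one secret in this function that is not wiped before returning, while all four talloc'd strings are memset at `done:`. Add `memset(&ntlm_keys, 0, sizeof(ntlm_keys));` after the two `pdb_set_*_passwd` calls have copied the hashes, e.g. directly before `return res;`. A failure of `encode_ntlm_keys` is also mapped to `false` silently; a `DEBUG(10, ...)` line as used elsewhere in this file would help diagnose a trust that cannot be set up. init_sam_from_td begins outside this hunk.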
--
1.7.11.4
-------------- next part --------------
From 002f63ac97a5936e471993b114b41e675539145b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Fri, 24 Aug 2012 15:01:57 +0200
Subject: [PATCH 45/59] ipasam: remove sid_peek_rid()
---
daemons/ipa-sam/ipa_sam.c | 29 ++++++++++++++++++-----------
1 Datei ge?ndert, 18 Zeilen hinzugef?gt(+), 11 Zeilen entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index aacae68a4d1c23af3f47ad7f4a7f115c90ea8626..ce8f623bdc5af9cdedb57e92bdee421326ce68bd 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -91,7 +91,6 @@ void sid_copy(struct dom_sid *dst, const struct dom_sid *src); /* available in l
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
bool string_to_sid(struct dom_sid *sidout, const char *sidstr); /* available in libsecurity.so */
bool sid_compose(struct dom_sid *dst, const struct dom_sid *domain_sid, uint32_t rid); /* available in libsecurity.so */
-bool sid_peek_rid(const struct dom_sid *sid, uint32_t *rid); /* available in libsecurity.so */
int dom_sid_compare_domain(const struct dom_sid *sid1, const struct dom_sid *sid2); /* available in libsecurity.so */
char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
@@ -246,35 +245,43 @@ static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
const struct dom_sid *domain_sid,
uint32_t *rid)
{
- char *str;
+ char *str = NULL;
struct dom_sid sid;
+ bool res = false;
str = get_single_attribute(NULL, ldap_struct, entry,
LDAP_ATTRIBUTE_SID);
if (str == NULL) {
DEBUG(10, ("Could not find SID attribute\n"));
- return false;
+ res = false;
+ goto done;
}
if (!string_to_sid(&sid, str)) {
- talloc_free(str);
DEBUG(10, ("Could not convert string %s to sid\n", str));
- return false;
+ res = false;
+ goto done;
}
- talloc_free(str);
if (dom_sid_compare_domain(&sid, domain_sid) != 0) {
DEBUG(10, ("SID %s is not in expected domain %s\n",
str, sid_string_dbg(domain_sid)));
- return false;
+ res = false;
+ goto done;
}
- if (!sid_peek_rid(&sid, rid)) {
- DEBUG(10, ("Could not peek into RID\n"));
- return false;
+ if (sid.num_auths <= 0) {
+ DEBUG(10, ("Invalid num_auths in SID %s.\n", str));
+ res = false;
+ goto done;
}
- return true;
+ *rid = sid.sub_auths[sid.num_auths - 1];
+
+ res = true;
+done:
+ talloc_free(str);
+ return res;
}
static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
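Review bot: `res` is initialised to `false` at the top of `ldapsam_extract_rid_from_entry`, so the four `res = false;` lines before each `goto done` are redundant and can be dropped, leaving only `res = true;` on the success path. The new RID extraction indexes `sid.sub_auths[sid.num_auths - 1]` and guards only the lower bound; unless `string_to_sid` already caps `num_auths` at the size of `sub_auths` (15), an oversized value in a directory entry would read past the array, so a `sid.num_auths > 15` check next to the `<= 0` one is cheap insurance. The function's signature begins outside this hunk.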
--
1.7.11.4
-------------- next part --------------
From 6546840d06bb1cac9faf260a2065a27a9584015a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Fri, 24 Aug 2012 15:12:21 +0200
Subject: [PATCH 46/59] ipasam: replace strnequal()
---
daemons/ipa-sam/ipa_sam.c | 17 ++++++++++++++++-
1 Datei ge?ndert, 16 Zeilen hinzugef?gt(+), 1 Zeile entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index ce8f623bdc5af9cdedb57e92bdee421326ce68bd..be033476d4cbeff1e91019986aebf9504329ec4f 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -95,7 +95,6 @@ int dom_sid_compare_domain(const struct dom_sid *sid1, const struct dom_sid *sid
char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
bool is_null_sid(const struct dom_sid *sid); /* available in libsecurity.so */
-bool strnequal(const char *s1,const char *s2,size_t n); /* available in libutil_str.so */
bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so */
bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct dom_sid *sid, uint32_t *rid); /* available in libsecurity.so */
char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
@@ -169,6 +168,22 @@ struct ipasam_privates {
char *client_princ;
};
+static bool strnequal(const char *s1, const char *s2, size_t n) {
+ if (s1 == s2) {
+ return true;
+ }
+
+ if (s1 == NULL || s2 == NULL || n == 0) {
+ return false;
+ }
+
+ if (strncasecmp(s1, s2, n) == 0) {
+ return true;
+ }
+
+ return false;
+}
+
static LDAP *priv2ld(struct ldapsam_privates *priv)
{
return priv->smbldap_state->ldap_struct;
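Review bot: The opening brace of the new `strnequal` sits on the signature line, while every other function in this file (for example `priv2ld` directly below) puts it on its own line; the last five lines also reduce to `return strncasecmp(s1, s2, n) == 0;`. A one-line comment should state that the comparison is intentionally case-insensitive, matching (as far as I recall) the samba helper it replaces, and that `strncasecmp` compares bytes under the current locale rather than multibyte-aware as samba's version did, so callers comparing non-ASCII attribute values may see different results.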
--
1.7.11.4
-------------- next part --------------
From b4e4d4c65f56a856e867db62955fb43805ec2963 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Fri, 24 Aug 2012 18:02:02 +0200
Subject: [PATCH 47/59] ipasam: remove strlower_m()
---
daemons/ipa-sam/ipa_sam.c | 4 +---
1 Datei ge?ndert, 1 Zeile hinzugef?gt(+), 3 Zeilen entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index be033476d4cbeff1e91019986aebf9504329ec4f..331df733323b34437cfff423ed72c88845976efc 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -85,7 +85,6 @@ bool fetch_ldap_pw(char **dn, char** pw); /* available in libpdb.so */
bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
/* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
bool sid_check_is_our_sam(const struct dom_sid *sid);
-void strlower_m(char *s); /* available in libutil_str.so */
char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...); /* available in libutil_str.so */
void sid_copy(struct dom_sid *dst, const struct dom_sid *src); /* available in libsecurity.so */
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
@@ -2910,11 +2909,10 @@ static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pd
}
/* TODO: read dns_domain, dns_forest and guid from LDAP */
- info->dns_domain = talloc_strdup(info, ldap_state->ipasam_privates->realm);
+ info->dns_domain = strlower_talloc(info, ldap_state->ipasam_privates->realm);
if (info->dns_domain == NULL) {
goto fail;
}
- strlower_m(info->dns_domain);
info->dns_forest = talloc_strdup(info, info->dns_domain);
/* we expect a domain SID to have 4 sub IDs */
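Review bot: `strlower_talloc` is called without an accompanying prototype, whereas every other samba helper used in this file is declared explicitly with an `/* available in ... */` comment (the removed `strlower_m` line above is an example). If none of the included samba headers declares it, this compiles as an implicit declaration; either add a prototype line `char *strlower_talloc(TALLOC_CTX *ctx, const char *src); /* available in <LIBRARY-PLACEHOLDER> */` next to the others or note in the commit message which public header provides it. pdb_ipasam_get_domain_info begins outside this hunk.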
--
1.7.11.4
-------------- next part --------------
From fb3fc61f3ff6e0c7827dc0b944ec6f3c7c308fc4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Fri, 24 Aug 2012 18:22:34 +0200
Subject: [PATCH 48/59] ipasam: remove talloc_asprintf_strupper_m()
---
daemons/ipa-sam/ipa_sam.c | 11 ++++++++---
1 Datei ge?ndert, 8 Zeilen hinzugef?gt(+), 3 Zeilen entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 331df733323b34437cfff423ed72c88845976efc..c3eff47d3abfdbe40f4f49448a968f9bef4132d1 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -85,7 +85,6 @@ bool fetch_ldap_pw(char **dn, char** pw); /* available in libpdb.so */
bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
/* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
bool sid_check_is_our_sam(const struct dom_sid *sid);
-char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...); /* available in libutil_str.so */
void sid_copy(struct dom_sid *dst, const struct dom_sid *src); /* available in libsecurity.so */
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
bool string_to_sid(struct dom_sid *sidout, const char *sidstr); /* available in libsecurity.so */
@@ -3169,8 +3168,14 @@ static NTSTATUS ipasam_get_realm(struct ldapsam_privates *ldap_state,
#define SECRETS_DOMAIN_SID "SECRETS/SID"
static char *sec_key(TALLOC_CTX *mem_ctx, const char *d)
{
- return talloc_asprintf_strupper_m(mem_ctx, "%s/%s",
- SECRETS_DOMAIN_SID, d);
+ char *tmp;
+ char *res;
+
+ tmp = talloc_asprintf(mem_ctx, "%s/%s", SECRETS_DOMAIN_SID, d);
+ res = talloc_strdup_upper(mem_ctx, tmp);
+ talloc_free(tmp);
+
+ return res;
}
static NTSTATUS save_sid_to_secret(struct ldapsam_privates *ldap_state)
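Review bot: In `sec_key` the result of `talloc_asprintf` is passed straight to `talloc_strdup_upper` without a NULL check, so an allocation failure hands a NULL string to the upper-casing helper. Add `if (tmp == NULL) { return NULL; }` before the second call so the function fails the same way the `talloc_asprintf_strupper_m` it replaces would have.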
--
1.7.11.4
-------------- next part --------------
From 59a37e80c1285f99290bfb28fd05a35d29e3622a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 27 Aug 2012 13:42:26 +0200
Subject: [PATCH 49/59] ipasam: replace sid_copy()
---
daemons/ipa-sam/ipa_sam.c | 16 +++++++++++++++-
1 Datei ge?ndert, 15 Zeilen hinzugef?gt(+), 1 Zeile entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index c3eff47d3abfdbe40f4f49448a968f9bef4132d1..e7774f5b3d14ce6ed4ac87eda5af5dda79813e20 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -85,7 +85,6 @@ bool fetch_ldap_pw(char **dn, char** pw); /* available in libpdb.so */
bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
/* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
bool sid_check_is_our_sam(const struct dom_sid *sid);
-void sid_copy(struct dom_sid *dst, const struct dom_sid *src); /* available in libsecurity.so */
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
bool string_to_sid(struct dom_sid *sidout, const char *sidstr); /* available in libsecurity.so */
bool sid_compose(struct dom_sid *dst, const struct dom_sid *domain_sid, uint32_t rid); /* available in libsecurity.so */
@@ -166,6 +165,21 @@ struct ipasam_privates {
char *client_princ;
};
+static void sid_copy(struct dom_sid *dst, const struct dom_sid *src)
+{
+ size_t c;
+
+ memset(dst, 0, sizeof(*dst));
+
+ dst->sid_rev_num = src->sid_rev_num;
+ dst->num_auths = src->num_auths;
+ memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth));
+
+ for (c = 0; c < src->num_auths; c++) {
+ dst->sub_auths[c] = src->sub_auths[c];
+ }
+}
+
static bool strnequal(const char *s1, const char *s2, size_t n) {
if (s1 == s2) {
return true;
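Review bot: The copy loop in `sid_copy` trusts `src->num_auths` as the bound for `sub_auths`; `num_auths` is a signed 8-bit field in samba's `struct dom_sid` as far as I recall, so a negative or over-large value (e.g. from a SID parsed out of LDAP) would run the `size_t` loop past the 15-element array. Clamp it, `size_t n = src->num_auths > 15 ? 15 : src->num_auths;`, or state in a comment why every caller already guarantees the bound. The literal 15 (and 6 for `id_auth`) recurs in `sid_compose` (patch 50) and `is_null_sid` (patch 51); a single named constant or `sizeof(src->sub_auths) / sizeof(src->sub_auths[0])` would tie the three helpers to the struct definition.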
--
1.7.11.4
-------------- next part --------------
From 0e260f624cda9dc424da7cec6da23a9aff644177 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 27 Aug 2012 13:54:08 +0200
Subject: [PATCH 50/59] ipasam: replace sid_compose()
---
daemons/ipa-sam/ipa_sam.c | 15 ++++++++++++++-
1 Datei ge?ndert, 14 Zeilen hinzugef?gt(+), 1 Zeile entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index e7774f5b3d14ce6ed4ac87eda5af5dda79813e20..3f656246f6f0f5f59a2f92d5ee53b57be78a17dd 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -87,7 +87,6 @@ bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so
bool sid_check_is_our_sam(const struct dom_sid *sid);
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
bool string_to_sid(struct dom_sid *sidout, const char *sidstr); /* available in libsecurity.so */
-bool sid_compose(struct dom_sid *dst, const struct dom_sid *domain_sid, uint32_t rid); /* available in libsecurity.so */
int dom_sid_compare_domain(const struct dom_sid *sid1, const struct dom_sid *sid2); /* available in libsecurity.so */
char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
@@ -180,6 +179,20 @@ static void sid_copy(struct dom_sid *dst, const struct dom_sid *src)
}
}
+static bool sid_compose(struct dom_sid *dst, const struct dom_sid *dom_sid,
+ uint32_t rid)
+{
+ if (dom_sid->num_auths >= 15) {
+ return false;
+ }
+
+ sid_copy(dst, dom_sid);
+
+ dst->sub_auths[dst->num_auths++] = rid;
+
+ return true;
+}
+
static bool strnequal(const char *s1, const char *s2, size_t n) {
if (s1 == s2) {
return true;
--
1.7.11.4
-------------- next part --------------
From 35a1e7d830f3998ee40ec8a5beed5193fcb6097d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 27 Aug 2012 14:03:43 +0200
Subject: [PATCH 51/59] ipasam: Replace is_null_sid()
---
daemons/ipa-sam/ipa_sam.c | 25 ++++++++++++++++++++++++-
1 Datei ge?ndert, 24 Zeilen hinzugef?gt(+), 1 Zeile entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 3f656246f6f0f5f59a2f92d5ee53b57be78a17dd..879e60ba49bc7625efbf39aec45ed19b4becfd29 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -90,7 +90,6 @@ bool string_to_sid(struct dom_sid *sidout, const char *sidstr); /* available in
int dom_sid_compare_domain(const struct dom_sid *sid1, const struct dom_sid *sid2); /* available in libsecurity.so */
char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
-bool is_null_sid(const struct dom_sid *sid); /* available in libsecurity.so */
bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so */
bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct dom_sid *sid, uint32_t *rid); /* available in libsecurity.so */
char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
@@ -193,6 +192,30 @@ static bool sid_compose(struct dom_sid *dst, const struct dom_sid *dom_sid,
return true;
}
+static bool is_null_sid(const struct dom_sid *sid)
+{
+ size_t c;
+
+ if (sid->sid_rev_num != 0 || sid->num_auths != 0) {
+ return false;
+ }
+
+ for (c = 0; c < 6; c++) {
+ if (sid->id_auth[c] != 0) {
+ return false;
+ }
+ }
+
+ for (c = 0; c < 15; c++) {
+ if (sid->sub_auths[c] != 0) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+
static bool strnequal(const char *s1, const char *s2, size_t n) {
if (s1 == s2) {
return true;
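Review bot: This helper returns true only for an all-zero struct, which is not the S-1-0-0 NULL SID (revision 1, one zero sub-authority) that the libsecurity is_null_sid() compared against as far as I recall, so a caller that parses "S-1-0-0" from a string will never get true here; that is fine for structs cleared with ZERO_STRUCT, as fill_pdb_trusted_domain() does later in the series, but it should be stated: `/* True for an all-zero struct (as left by ZERO_STRUCT), not for the S-1-0-0 NULL SID. */`. Since `num_auths == 0` is already required, the loop over all 15 `sub_auths` only adds a dependency on unused slots being zero and could be dropped. The two trailing blank lines before strnequal() are one more than the surrounding code uses.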
--
1.7.11.4
-------------- next part --------------
From d980d03d52138108b30b269daff0a11c82b8499d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 27 Aug 2012 16:21:02 +0200
Subject: [PATCH 52/59] ipasam: Replace dom_sid_compare_domain()
---
daemons/ipa-sam/ipa_sam.c | 28 +++++++++++++++++++++++++++-
1 Datei ge?ndert, 27 Zeilen hinzugef?gt(+), 1 Zeile entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 879e60ba49bc7625efbf39aec45ed19b4becfd29..5ef27dc4d75bcc5eb504cbbc1883fb98374f9c2b 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -87,7 +87,6 @@ bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so
bool sid_check_is_our_sam(const struct dom_sid *sid);
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
bool string_to_sid(struct dom_sid *sidout, const char *sidstr); /* available in libsecurity.so */
-int dom_sid_compare_domain(const struct dom_sid *sid1, const struct dom_sid *sid2); /* available in libsecurity.so */
char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so */
@@ -215,6 +214,33 @@ static bool is_null_sid(const struct dom_sid *sid)
return true;
}
+static int dom_sid_compare_domain(const struct dom_sid *sid1,
+ const struct dom_sid *sid2)
+{
+ size_t c;
+ size_t n_sub_auths;
+
+ if (sid1->sid_rev_num != sid2->sid_rev_num) {
+ return sid1->sid_rev_num - sid2->sid_rev_num;
+ }
+
+ for (c = 0; c < 6; c++) {
+ if (sid1->id_auth[c] != sid2->id_auth[c]) {
+ return sid1->id_auth[c] - sid2->id_auth[c];
+ }
+ }
+
+ n_sub_auths = (sid1->num_auths < sid2->num_auths) ? sid1->num_auths :
+ sid2->num_auths;
+
+ for (c = 0; c < n_sub_auths; c++) {
+ if (sid1->sub_auths[c] != sid2->sub_auths[c]) {
+ return sid1->sub_auths[c] - sid2->sub_auths[c];
+ }
+ }
+
+ return 0;
+}
static bool strnequal(const char *s1, const char *s2, size_t n) {
if (s1 == s2) {
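Review bot: `return sid1->sub_auths[c] - sid2->sub_auths[c];` subtracts two uint32_t values, so the difference is computed unsigned and then converted to int, and its sign does not reflect the ordering (1 versus 0xFFFFFFFF comes out positive). Every caller in this series tests the result only against 0, so ordering is not relied on today, but a comparator that can return the wrong sign is a trap for the next user; `return (sid1->sub_auths[c] < sid2->sub_auths[c]) ? -1 : 1;` is safe. The `sid_rev_num` and `id_auth` subtractions promote to int before subtracting, so those are fine. A header comment noting that only the first min(num_auths) sub-authorities are compared, and that a SID which extends the other therefore compares equal, would save the reader a trip through the loop.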
--
1.7.11.4
-------------- next part --------------
From 658e275ac2480964ac8a5552ea82a88d0b5024a7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 27 Aug 2012 16:28:48 +0200
Subject: [PATCH 53/59] ipasam: Replace sid_check_is_our_sam()
---
daemons/ipa-sam/ipa_sam.c | 3 +--
1 Datei ge?ndert, 1 Zeile hinzugef?gt(+), 2 Zeilen entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 5ef27dc4d75bcc5eb504cbbc1883fb98374f9c2b..d666664a74cc914bce922f1db9a339db939eb88d 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -84,7 +84,6 @@ enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flag
bool fetch_ldap_pw(char **dn, char** pw); /* available in libpdb.so */
bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
/* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
-bool sid_check_is_our_sam(const struct dom_sid *sid);
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
bool string_to_sid(struct dom_sid *sidout, const char *sidstr); /* available in libsecurity.so */
char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
@@ -398,7 +397,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
}
if (!sid_check_is_builtin(domain_sid) &&
- !sid_check_is_our_sam(domain_sid)) {
+ dom_sid_compare_domain(&ldap_state->domain_sid, domain_sid) != 0) {
result = NT_STATUS_INVALID_PARAMETER;
goto done;
}
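Review bot: `dom_sid_compare_domain()` compares only the first min(num_auths) sub-authorities, so a `domain_sid` that extends `ldap_state->domain_sid` with further sub-authorities (a user or group SID inside the domain, for instance) now passes this check, which an equality test such as the removed sid_check_is_our_sam() presumably did not allow. Adding `ldap_state->domain_sid.num_auths != domain_sid->num_auths ||` to the condition restores a strict domain match. ldapsam_lookup_rids() starts and ends outside this hunk.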
--
1.7.11.4
-------------- next part --------------
From 9f696010e4b4b5cdea3a6d45560eabc31e48d6e6 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 27 Aug 2012 17:19:26 +0200
Subject: [PATCH 54/59] ipasam: Replace sid_peek_check_rid()
---
daemons/ipa-sam/ipa_sam.c | 18 +++++++++++++++++-
1 Datei ge?ndert, 17 Zeilen hinzugef?gt(+), 1 Zeile entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index d666664a74cc914bce922f1db9a339db939eb88d..199c306a7e2402b3c2dd1d9ca0154d59ff5ac335 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -89,7 +89,6 @@ bool string_to_sid(struct dom_sid *sidout, const char *sidstr); /* available in
char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so */
-bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct dom_sid *sid, uint32_t *rid); /* available in libsecurity.so */
char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
extern const struct dom_sid global_sid_Builtin; /* available in libsecurity.so */
bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
@@ -241,6 +240,23 @@ static int dom_sid_compare_domain(const struct dom_sid *sid1,
return 0;
}
+static bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid,
+ const struct dom_sid *sid, uint32_t *rid)
+{
+ if((exp_dom_sid->num_auths + 1) != sid->num_auths ||
+ sid->num_auths <= 0) {
+ return false;
+ }
+
+ if (dom_sid_compare_domain(exp_dom_sid, sid) != 0) {
+ return false;
+ }
+
+ *rid = sid->sub_auths[sid->num_auths - 1];
+
+ return true;
+}
+
static bool strnequal(const char *s1, const char *s2, size_t n) {
if (s1 == s2) {
return true;
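Review bot: The guard rejects `sid->num_auths <= 0` but not a value above the 15-element `sub_auths` array, so `sid->sub_auths[sid->num_auths - 1]` reads past the array for a malformed SID with num_auths of 16 or more; the bound sid_compose() uses earlier in the series is the natural limit, `sid->num_auths <= 0 || sid->num_auths > 15`. Later patches pass this function SIDs parsed from LDAP attribute values, so the bound is worth having even if the parser is expected to reject such input. Style nit: `if((` lacks the space the rest of the file puts after `if`.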
--
1.7.11.4
-------------- next part --------------
From 10b5780ebf6d2329a7269e9e7327555f1a01026e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 27 Aug 2012 17:26:57 +0200
Subject: [PATCH 55/59] ipasam: Replace global_sid_Builtin
---
daemons/ipa-sam/ipa_sam.c | 4 +++-
1 Datei ge?ndert, 3 Zeilen hinzugef?gt(+), 1 Zeile entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 199c306a7e2402b3c2dd1d9ca0154d59ff5ac335..b3be5a67921045e5b704b2a20098721aa0c8fa5b 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -90,7 +90,6 @@ char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* avai
char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so */
char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
-extern const struct dom_sid global_sid_Builtin; /* available in libsecurity.so */
bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
#define LDAP_PAGE_SIZE 1024
@@ -150,6 +149,9 @@ bool secrets_store(const char *key, const void *data, size_t size); /* available
#define HAS_POSIXGROUP (1<<8)
#define HAS_KRB_TICKET_POLICY_AUX (1<<9)
+const struct dom_sid global_sid_Builtin = { 1, 1, {0,0,0,0,0,5},
+ {32,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
struct ipasam_privates {
char *realm;
char *base_dn;
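Review bot: `global_sid_Builtin` is defined with external linkage, so the module now exports a symbol with the same name the removed prototype attributed to libsecurity.so; when the module is loaded into a process that also maps that library, which definition a reference resolves to depends on the dynamic linker's symbol resolution and visibility settings. Since this file is the only intended user, `static const struct dom_sid global_sid_Builtin = { 1, 1, {0,0,0,0,0,5},` avoids the clash, and a comment `/* S-1-5-32, the BUILTIN domain */` makes the initializer readable.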
--
1.7.11.4
-------------- next part --------------
From 15921a09d48b01d5234e3d8748dce7e5ed89cbde Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 27 Aug 2012 21:26:30 +0200
Subject: [PATCH 56/59] ipasam: add libsss_idmap context and replace
string_to_sid()
---
daemons/ipa-sam/Makefile.am | 2 +
daemons/ipa-sam/ipa_sam.c | 118 ++++++++++++++++++++++++++++++++------------
2 Dateien ge?ndert, 89 Zeilen hinzugef?gt(+), 31 Zeilen entfernt(-)
diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
index 11179276c17f9b0415fc5ad944b88bcbbb0529c3..53c8f47bbfe927caf785a5529fb5d6e2dcbc7525 100644
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -27,6 +27,7 @@ INCLUDES = \
$(TALLOC_CFLAGS) \
$(SAMBAUTIL_CFLAGS) \
$(NDR_CFLAGS) \
+ $(SSSIDMAP_CFLAGS) \
$(NULL)
plugindir = $(libdir)/samba/pdb
@@ -52,6 +53,7 @@ ipasam_la_LIBADD = \
$(SAMBAUTIL_LIBS) \
$(NDR_LIBS) \
$(SAMBA40EXTRA_LIBS) \
+ $(SSSIDMAP_LIBS) \
$(NULL)
EXTRA_DIST = \
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index b3be5a67921045e5b704b2a20098721aa0c8fa5b..58a598f5aaf88dfeb95a76adef3a79b085638cd0 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -29,6 +29,7 @@
#include <sasl/sasl.h>
#include <krb5/krb5.h>
+#include <sss_idmap.h>
#include "ipa_krb5.h"
#include "ipa_pwd.h"
@@ -85,7 +86,6 @@ bool fetch_ldap_pw(char **dn, char** pw); /* available in libpdb.so */
bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
/* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
-bool string_to_sid(struct dom_sid *sidout, const char *sidstr); /* available in libsecurity.so */
char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so */
@@ -160,8 +160,19 @@ struct ipasam_privates {
char *fallback_primary_group;
char *server_princ;
char *client_princ;
+ struct sss_idmap_ctx *idmap_ctx;
};
+static void *idmap_talloc(size_t size, void *pvt)
+{
+ return talloc_size(pvt, size);
+}
+
+static void idmap_talloc_free(void *ptr, void *pvt)
+{
+ talloc_free(ptr);
+}
+
static void sid_copy(struct dom_sid *dst, const struct dom_sid *src)
{
size_t c;
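Review bot: Nothing says why these two callbacks exist, and they are what make the bare `talloc_free(sid)` calls on the sss_idmap results later in this patch correct; a comment above idmap_talloc() such as `/* Allocator hooks for sss_idmap_init(): every object libsss_idmap hands back is a talloc child of ipasam_privates and is released with talloc_free(). */` ties the two together. That holds only if the library routes all of its allocations through the registered hooks, which is not visible here, so the comment should say it is the assumption being relied on. In idmap_talloc_free() the unused `pvt` parameter could carry `(void)pvt;` to keep -Wunused-parameter quiet.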
@@ -348,12 +359,14 @@ done:
static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
LDAPMessage *entry,
+ struct sss_idmap_ctx *idmap_ctx,
const struct dom_sid *domain_sid,
uint32_t *rid)
{
char *str = NULL;
- struct dom_sid sid;
+ struct dom_sid *sid = NULL;
bool res = false;
+ enum idmap_error_code err;
str = get_single_attribute(NULL, ldap_struct, entry,
LDAP_ATTRIBUTE_SID);
@@ -363,29 +376,31 @@ static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
goto done;
}
- if (!string_to_sid(&sid, str)) {
+ err = sss_idmap_sid_to_smb_sid(idmap_ctx, str, &sid);
+ if (err != IDMAP_SUCCESS) {
DEBUG(10, ("Could not convert string %s to sid\n", str));
res = false;
goto done;
}
- if (dom_sid_compare_domain(&sid, domain_sid) != 0) {
+ if (dom_sid_compare_domain(sid, domain_sid) != 0) {
DEBUG(10, ("SID %s is not in expected domain %s\n",
str, sid_string_dbg(domain_sid)));
res = false;
goto done;
}
- if (sid.num_auths <= 0) {
+ if (sid->num_auths <= 0) {
DEBUG(10, ("Invalid num_auths in SID %s.\n", str));
res = false;
goto done;
}
- *rid = sid.sub_auths[sid.num_auths - 1];
+ *rid = sid->sub_auths[sid->num_auths - 1];
res = true;
done:
+ talloc_free(sid);
talloc_free(str);
return res;
}
@@ -479,7 +494,9 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
int rid_index;
const char *name;
- if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
+ if (!ldapsam_extract_rid_from_entry(ld, entry,
+ ldap_state->ipasam_privates->idmap_ctx,
+ domain_sid,
&rid)) {
DEBUG(2, ("Could not find sid from ldap entry\n"));
continue;
@@ -564,8 +581,9 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn));
}
- if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
- &rid)) {
+ if (!ldapsam_extract_rid_from_entry(ld, entry,
+ ldap_state->ipasam_privates->idmap_ctx,
+ domain_sid, &rid)) {
DEBUG(2, ("Could not find sid from ldap entry %s\n", dn));
continue;
}
@@ -718,8 +736,9 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
LDAPMessage *entry = NULL;
bool ret = false;
char *user_sid_string;
- struct dom_sid user_sid;
+ struct dom_sid *user_sid = NULL;
int rc;
+ enum idmap_error_code err;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
filter = talloc_asprintf(tmp_ctx,
@@ -757,17 +776,20 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
goto done;
}
- if (!string_to_sid(&user_sid, user_sid_string)) {
+ err = sss_idmap_sid_to_smb_sid(priv->ipasam_privates->idmap_ctx,
+ user_sid_string, &user_sid);
+ if (err != IDMAP_SUCCESS) {
DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
user_sid_string));
goto done;
}
- sid_copy(sid, &user_sid);
+ sid_copy(sid, user_sid);
ret = true;
- done:
+done:
+ talloc_free(user_sid);
TALLOC_FREE(tmp_ctx);
return ret;
}
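Review bot: The DEBUG message still reads "Error calling sid_string_talloc for sid" although the call that failed is now `sss_idmap_sid_to_smb_sid()`, so the log points at the wrong function; the error code is also dropped. `DEBUG(3, ("sss_idmap_sid_to_smb_sid failed for sid '%s' (%d)\n", user_sid_string, err));` fixes both, and the same applies to the group variant in the ldapsam_gid_to_sid() hunk below. Both functions start outside their hunks.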
@@ -783,8 +805,9 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
LDAPMessage *entry = NULL;
bool ret = false;
char *group_sid_string;
- struct dom_sid group_sid;
+ struct dom_sid *group_sid = NULL;
int rc;
+ enum idmap_error_code err;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
filter = talloc_asprintf(tmp_ctx,
@@ -820,17 +843,20 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
goto done;
}
- if (!string_to_sid(&group_sid, group_sid_string)) {
+ err = sss_idmap_sid_to_smb_sid(priv->ipasam_privates->idmap_ctx,
+ group_sid_string, &group_sid);
+ if (err != IDMAP_SUCCESS) {
DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
group_sid_string));
goto done;
}
- sid_copy(sid, &group_sid);
+ sid_copy(sid, group_sid);
ret = true;
- done:
+done:
+ talloc_free(group_sid);
TALLOC_FREE(tmp_ctx);
return ret;
}
@@ -897,6 +923,7 @@ struct ldap_search_state {
const char **attrs;
int attrsonly;
void *pagedresults_cookie;
+ struct sss_idmap_ctx *idmap_ctx;
LDAPMessage *entries, *current_entry;
bool (*ldap2displayentry)(struct ldap_search_state *state,
@@ -1066,7 +1093,9 @@ static bool ldapuser2displayentry(struct ldap_search_state *state,
{
char **vals;
size_t converted_size;
- struct dom_sid sid;
+ struct dom_sid *sid = NULL;
+ enum idmap_error_code err;
+ bool res;
/* FIXME: SB try to figure out which flags to set instead of hardcode them */
result->acct_flags = 66048;
@@ -1128,14 +1157,17 @@ static bool ldapuser2displayentry(struct ldap_search_state *state,
return false;
}
- if (!string_to_sid(&sid, vals[0])) {
+ err = sss_idmap_sid_to_smb_sid(state->idmap_ctx, vals[0], &sid);
+ if (err != IDMAP_SUCCESS) {
DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
ldap_value_free(vals);
return false;
}
ldap_value_free(vals);
- if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) {
+ res = sid_peek_check_rid(get_global_sam_sid(), sid, &result->rid);
+ talloc_free(sid);
+ if (!res) {
DEBUG(0, ("sid does not belong to our domain\n"));
return false;
}
@@ -1170,6 +1202,7 @@ static bool ldapsam_search_users(struct pdb_methods *methods,
state->attrsonly = 0;
state->pagedresults_cookie = NULL;
state->entries = NULL;
+ state->idmap_ctx = ldap_state->ipasam_privates->idmap_ctx;
state->ldap2displayentry = ldapuser2displayentry;
if ((state->filter == NULL) || (state->attrs == NULL)) {
@@ -1191,8 +1224,9 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state,
{
char **vals = NULL;
size_t converted_size;
- struct dom_sid sid;
+ struct dom_sid *sid = NULL;
uint16_t group_type;
+ enum idmap_error_code err;
result->account_name = "";
result->fullname = "";
@@ -1268,8 +1302,10 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state,
return false;
}
- if (!string_to_sid(&sid, vals[0])) {
+ err = sss_idmap_sid_to_smb_sid(state->idmap_ctx, vals[0], &sid);
+ if (err != IDMAP_SUCCESS) {
DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
+ ldap_value_free(vals);
return false;
}
@@ -1279,9 +1315,10 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state,
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
- if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
- && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid))
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &result->rid)
+ && !sid_peek_check_rid(&global_sid_Builtin, sid, &result->rid))
{
+ talloc_free(sid);
DEBUG(0, ("SID is not in our domain\n"));
return false;
}
@@ -1289,8 +1326,10 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state,
default:
DEBUG(0,("unknown group type: %d\n", group_type));
+ talloc_free(sid);
return false;
}
+ talloc_free(sid);
result->acct_flags = 0;
@@ -1327,6 +1366,7 @@ static bool ldapsam_search_grouptype(struct pdb_methods *methods,
state->pagedresults_cookie = NULL;
state->entries = NULL;
state->group_type = type;
+ state->idmap_ctx = ldap_state->ipasam_privates->idmap_ctx;
state->ldap2displayentry = ldapgroup2displayentry;
if ((state->filter == NULL) || (state->attrs == NULL)) {
@@ -1848,6 +1888,8 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
char *dummy;
bool res;
struct pdb_trusted_domain *td;
+ struct dom_sid *sid = NULL;
+ enum idmap_error_code err;
if (entry == NULL) {
return false;
@@ -1867,11 +1909,14 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
LDAP_ATTRIBUTE_TRUST_SID));
ZERO_STRUCT(td->security_identifier);
} else {
- res = string_to_sid(&td->security_identifier, dummy);
+ err = sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx,
+ dummy, &sid);
TALLOC_FREE(dummy);
- if (!res) {
+ if (err != IDMAP_SUCCESS) {
return false;
}
+ sid_copy(&td->security_identifier, sid);
+ talloc_free(sid);
}
if (!smbldap_talloc_single_blob(td, priv2ld(ldap_state), entry,
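Review bot: On the `return false` after a failed `sss_idmap_sid_to_smb_sid()` the `sid` output is not released; whether the library leaves `*sid` NULL on failure is not visible here, and talloc_free() on NULL is harmless, so adding `talloc_free(sid);` before that `return false;` makes the path safe either way. With `res = string_to_sid(...)` gone, the `bool res;` declared earlier in this function may now be set-but-unused or entirely unused, depending on code outside the hunk; worth a compile with -Wall. fill_pdb_trusted_domain() starts and ends outside the hunk.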
@@ -3634,12 +3679,13 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
NTSTATUS status;
char *dn = NULL;
char *domain_sid_string = NULL;
- struct dom_sid ldap_domain_sid;
+ struct dom_sid *ldap_domain_sid = NULL;
char *bind_dn = NULL;
char *bind_secret = NULL;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
+ enum idmap_error_code err;
status = make_pdb_method(pdb_method);
if (!NT_STATUS_IS_OK(status)) {
@@ -3776,15 +3822,27 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
entry,
LDAP_ATTRIBUTE_SID);
+ err = sss_idmap_init(idmap_talloc, ldap_state->ipasam_privates,
+ idmap_talloc_free,
+ &ldap_state->ipasam_privates->idmap_ctx);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(1, ("Failed to setup idmap context.\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
if (domain_sid_string) {
- if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) {
+ err = sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx,
+ domain_sid_string,
+ &ldap_domain_sid);
+ if (err != IDMAP_SUCCESS) {
DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be "
"read as a valid SID\n", domain_sid_string));
ldap_msgfree(result);
TALLOC_FREE(domain_sid_string);
return NT_STATUS_INVALID_PARAMETER;
}
- sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
+ sid_copy(&ldap_state->domain_sid, ldap_domain_sid);
+ talloc_free(ldap_domain_sid);
talloc_free(domain_sid_string);
status = save_sid_to_secret(ldap_state);
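Review bot: The new early return after a failed `sss_idmap_init()` skips the `ldap_msgfree(result)` and `TALLOC_FREE(domain_sid_string)` that the sibling error path a few lines below performs, so `result` and `domain_sid_string` leak on that path. Adding `ldap_msgfree(result); TALLOC_FREE(domain_sid_string);` before `return NT_STATUS_UNSUCCESSFUL;` keeps the two paths consistent. Including the error code in the DEBUG message, `("Failed to setup idmap context (%d).\n", err)`, would help diagnose it. pdb_init_ipasam() starts and ends outside the hunk.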
@@ -3793,8 +3851,6 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
}
}
-
-
(*pdb_method)->getsampwnam = ldapsam_getsampwnam;
(*pdb_method)->search_users = ldapsam_search_users;
(*pdb_method)->search_groups = ldapsam_search_groups;
--
1.7.11.4
-------------- next part --------------
From 2a612c1a31c5478d56aa407ae98569c7312e9e6c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 28 Aug 2012 10:53:38 +0200
Subject: [PATCH 57/59] ipasam: replace get_global_sam_sid()
---
daemons/ipa-sam/ipa_sam.c | 16 ++++++++++++----
1 Datei ge?ndert, 12 Zeilen hinzugef?gt(+), 4 Zeilen entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 58a598f5aaf88dfeb95a76adef3a79b085638cd0..65e32c7dd542d3fbaed4e28a14d23a8e901d18c1 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -924,6 +924,7 @@ struct ldap_search_state {
int attrsonly;
void *pagedresults_cookie;
struct sss_idmap_ctx *idmap_ctx;
+ const struct dom_sid *dom_sid;
LDAPMessage *entries, *current_entry;
bool (*ldap2displayentry)(struct ldap_search_state *state,
@@ -1165,7 +1166,7 @@ static bool ldapuser2displayentry(struct ldap_search_state *state,
}
ldap_value_free(vals);
- res = sid_peek_check_rid(get_global_sam_sid(), sid, &result->rid);
+ res = sid_peek_check_rid(state->dom_sid, sid, &result->rid);
talloc_free(sid);
if (!res) {
DEBUG(0, ("sid does not belong to our domain\n"));
@@ -1203,6 +1204,7 @@ static bool ldapsam_search_users(struct pdb_methods *methods,
state->pagedresults_cookie = NULL;
state->entries = NULL;
state->idmap_ctx = ldap_state->ipasam_privates->idmap_ctx;
+ state->dom_sid = &ldap_state->domain_sid;
state->ldap2displayentry = ldapuser2displayentry;
if ((state->filter == NULL) || (state->attrs == NULL)) {
@@ -1315,7 +1317,7 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state,
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
- if (!sid_peek_check_rid(get_global_sam_sid(), sid, &result->rid)
+ if (!sid_peek_check_rid(state->dom_sid, sid, &result->rid)
&& !sid_peek_check_rid(&global_sid_Builtin, sid, &result->rid))
{
talloc_free(sid);
@@ -1338,7 +1340,7 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state,
static bool ldapsam_search_grouptype(struct pdb_methods *methods,
struct pdb_search *search,
- const struct dom_sid *sid,
+ const struct dom_sid *sid,
enum lsa_SidType type)
{
struct ldapsam_privates *ldap_state =
@@ -1367,6 +1369,7 @@ static bool ldapsam_search_grouptype(struct pdb_methods *methods,
state->entries = NULL;
state->group_type = type;
state->idmap_ctx = ldap_state->ipasam_privates->idmap_ctx;
+ state->dom_sid = &ldap_state->domain_sid;
state->ldap2displayentry = ldapgroup2displayentry;
if ((state->filter == NULL) || (state->attrs == NULL)) {
@@ -1384,7 +1387,12 @@ static bool ldapsam_search_grouptype(struct pdb_methods *methods,
static bool ldapsam_search_groups(struct pdb_methods *methods,
struct pdb_search *search)
{
- return ldapsam_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
+ struct ldapsam_privates *ldap_state =
+ (struct ldapsam_privates *)methods->private_data;
+
+ return ldapsam_search_grouptype(methods, search,
+ &ldap_state->domain_sid,
+ SID_NAME_DOM_GRP);
}
static bool ldapsam_search_aliases(struct pdb_methods *methods,
--
1.7.11.4
-------------- next part --------------
From fdf0a4fe9e3bc682a612abfec510cd13682d4436 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 28 Aug 2012 10:56:21 +0200
Subject: [PATCH 58/59] ipasam: remove fetch_ldap_pw()
---
daemons/ipa-sam/ipa_sam.c | 12 ++----------
1 Datei ge?ndert, 2 Zeilen hinzugef?gt(+), 10 Zeilen entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 65e32c7dd542d3fbaed4e28a14d23a8e901d18c1..95add09d15cb42b2603a038a977b817efb63b1d5 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -82,7 +82,6 @@ struct trustAuthInOutBlob {
enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flags, struct trustAuthInOutBlob *r); /*available in libndr-samba.so */
-bool fetch_ldap_pw(char **dn, char** pw); /* available in libpdb.so */
bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
/* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
@@ -3688,8 +3687,6 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
char *dn = NULL;
char *domain_sid_string = NULL;
struct dom_sid *ldap_domain_sid = NULL;
- char *bind_dn = NULL;
- char *bind_secret = NULL;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
@@ -3723,13 +3720,8 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
status = ipasam_generate_principals(ldap_state->ipasam_privates);
if (!NT_STATUS_IS_OK(status)) {
- if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
- DEBUG(0, ("pdb_init_ipasam: Failed to retrieve LDAP password from secrets.tdb\n"));
- return NT_STATUS_NO_MEMORY;
- }
- status = smbldap_init(*pdb_method, pdb_get_tevent_context(),
- uri, false, bind_dn, bind_secret,
- &ldap_state->smbldap_state);
+ DEBUG(0, ("Failed to generate kerberos principal for LDAP authentication.\n"));
+ return status;
} else {
/* We authenticate via GSSAPI and thus will use kerberos principal to bind our access */
status = smbldap_init(*pdb_method, pdb_get_tevent_context(),
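Review bot: The new failure message discards the reason, and `status` is the only thing the caller gets, so the log line is the place to record it: `DEBUG(0, ("Failed to generate kerberos principal for LDAP authentication: %s\n", nt_errstr(status)));`. Whatever was allocated earlier in pdb_init_ipasam() is not released on this return, as it was not on the removed path either; if that is intentional a short comment would stop the next reader from re-checking. The function starts and ends outside the hunk.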
--
1.7.11.4
-------------- next part --------------
From 7312f3d01b2ca420845980bd4dc62cbdeac36108 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 28 Aug 2012 13:03:13 +0200
Subject: [PATCH 59/59] ipasam: replace trim_char() with trim_string()
---
daemons/ipa-sam/ipa_sam.c | 3 +--
1 Datei ge?ndert, 1 Zeile hinzugef?gt(+), 2 Zeilen entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 95add09d15cb42b2603a038a977b817efb63b1d5..b3c336443d28d6850a283a373351043b2460eeaa 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -87,7 +87,6 @@ bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
-bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so */
char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
@@ -3715,7 +3714,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
if (uri == NULL) {
return NT_STATUS_NO_MEMORY;
}
- trim_char( uri, '\"', '\"' );
+ trim_string( uri, "\"", "\"" );
status = ipasam_generate_principals(ldap_state->ipasam_privates);
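Review bot: The prototype hunk above drops the `trim_char()` declaration but nothing in this patch declares `trim_string()`; if no included header provides it, the call becomes an implicit declaration, so confirm the declaring header is already included and, if not, add a prototype with the same "available in ..." comment the file uses for the other Samba symbols. Both trim functions strip repeated occurrences at each end as far as I recall, so the single-character to string change should be behaviour-preserving, but that is worth a sentence in the commit message.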
--
1.7.11.4