
[SCM] Samba Shared Repository - branch master updated - 6a627b440e8b3f42

Subject: [SCM] Samba Shared Repository - branch master updated - 6a627b440e8b3f42db2a8a27047dd3482bad0d28
From: Günther Deschner
Date: Thu, 27 Nov 2008 11:30:09 -0600 CST
The branch, master has been updated
       via  6a627b440e8b3f42db2a8a27047dd3482bad0d28 (commit)
       via  257d99d0cd441697d67b52f3e7c260c17a4a0916 (commit)
       via  e398eed15a7a94d2a53d3bb865927a9db411008c (commit)
       via  d94f3e3db35580af366017e100b2047b96d85a9d (commit)
       via  5f9524a9561ba3b29113ac0d2894617f1c6c40e6 (commit)
       via  9c2ed82d07a4c989896610d91aa2ff1614c579aa (commit)
      from  bed91c0e463ed425288f7b4223739108c1fced45 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6a627b440e8b3f42db2a8a27047dd3482bad0d28
Author: Günther Deschner <gd@xxxxxxxxx>
Date:   Thu Nov 27 17:29:30 2008 +0100

    s3-samr: never allow to alter pwdlastset directly.
    
    Guenther

commit 257d99d0cd441697d67b52f3e7c260c17a4a0916
Author: Günther Deschner <gd@xxxxxxxxx>
Date:   Thu Nov 27 01:25:46 2008 +0100

    s3-samr: fix return code for invalid password sets in SetUserInfo.
    
    Guenther

commit e398eed15a7a94d2a53d3bb865927a9db411008c
Author: Günther Deschner <gd@xxxxxxxxx>
Date:   Thu Nov 27 01:22:39 2008 +0100

    s3-samr: fix return code for invalid name in _samr_LookupDomain.
    
    Guenther

commit d94f3e3db35580af366017e100b2047b96d85a9d
Author: Günther Deschner <gd@xxxxxxxxx>
Date:   Thu Nov 27 01:21:49 2008 +0100

    s3-samr: avoid enumeration and user creation on builtin domain handle.
    
    Guenther

commit 5f9524a9561ba3b29113ac0d2894617f1c6c40e6
Author: Günther Deschner <gd@xxxxxxxxx>
Date:   Tue Nov 25 15:51:35 2008 +0100

    s3-samr: support samr_CreateUser as well.
    
    Guenther

commit 9c2ed82d07a4c989896610d91aa2ff1614c579aa
Author: Günther Deschner <gd@xxxxxxxxx>
Date:   Tue Nov 25 15:50:28 2008 +0100

    s3-samr: support samr_QueryUserInfo2 as well.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/rpc_server/srv_samr_nt.c |   92 ++++++++++++++++++++++++++++----------
 1 files changed, 68 insertions(+), 24 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 0623dfb..c45be02 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -1484,6 +1484,11 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
+       if (info->builtin_domain) {
+               DEBUG(5,("_samr_QueryDisplayInfo: Nothing in BUILTIN\n"));
+               return NT_STATUS_OK;
+       }
+
        status = access_check_samr_function(info->acc_granted,
                                            SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
                                            "_samr_QueryDisplayInfo");
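Review bot: The new BUILTIN early return sits above `access_check_samr_function`, so a BUILTIN domain handle that lacks SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS now gets `NT_STATUS_OK` instead of the access-check result. The success path also leaves every out field of `r` untouched in the lines shown; unless the caller pre-zeroes them (not visible in this hunk), the reply could carry stale values. Moving the `if (info->builtin_domain)` block below the access check and explicitly clearing the outputs before `return NT_STATUS_OK;` would keep the behaviour fail-closed. The body of _samr_QueryDisplayInfo starts and ends outside the hunk.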
@@ -2837,6 +2842,21 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
        return status;
 }
 
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
+                             struct samr_QueryUserInfo2 *r)
+{
+       struct samr_QueryUserInfo u;
+
+       u.in.user_handle        = r->in.user_handle;
+       u.in.level              = r->in.level;
+       u.out.info              = r->out.info;
+
+       return _samr_QueryUserInfo(p, &u);
+}
+
 /*******************************************************************
  _samr_GetGroupsForUser
  ********************************************************************/
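Review bot: `struct samr_QueryUserInfo u;` is handed to _samr_QueryUserInfo with only three members assigned, so any other member of the request struct holds indeterminate stack contents. Adding `ZERO_STRUCT(u);` before the assignments would keep the wrapper safe if the struct gains fields or the callee reads one that is not set here. The same applies to `struct samr_CreateUser2 c;` in the _samr_CreateUser hunk further down. The banner comment above the new function is also empty, unlike the `_samr_GetGroupsForUser` banner right after it; it should carry the function name and say that this is a thin wrapper around _samr_QueryUserInfo.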
@@ -3266,6 +3286,11 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
                                     &disp_info))
                return NT_STATUS_INVALID_HANDLE;
 
+       if (disp_info->builtin_domain) {
+               DEBUG(5,("_samr_CreateUser2: Refusing user create in 
BUILTIN\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        nt_status = access_check_samr_function(acc_granted,
                                               SAMR_DOMAIN_ACCESS_CREATE_USER,
                                               "_samr_CreateUser2");
@@ -3381,6 +3406,26 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
        return NT_STATUS_OK;
 }
 
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_CreateUser(pipes_struct *p,
+                         struct samr_CreateUser *r)
+{
+       struct samr_CreateUser2 c;
+       uint32_t access_granted;
+
+       c.in.domain_handle      = r->in.domain_handle;
+       c.in.account_name       = r->in.account_name;
+       c.in.acct_flags         = ACB_NORMAL;
+       c.in.access_mask        = r->in.access_mask;
+       c.out.user_handle       = r->out.user_handle;
+       c.out.access_granted    = &access_granted;
+       c.out.rid               = r->out.rid;
+
+       return _samr_CreateUser2(p, &c);
+}
+
 /*******************************************************************
  _samr_Connect
  ********************************************************************/
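Review bot: The wrapper hard-codes `c.in.acct_flags = ACB_NORMAL;` and points `c.out.access_granted` at a local that is then discarded, and neither choice is explained. A comment above the assignments such as `/* samr_CreateUser carries no acct_flags or access_granted: create a normal user and drop the granted mask */` would record that both are deliberate. The empty banner above the function should also name `_samr_CreateUser`, matching the `_samr_Connect` banner that follows it.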
@@ -3605,6 +3650,9 @@ NTSTATUS _samr_LookupDomain(pipes_struct *p,
        }
 
        domain_name = r->in.domain_name->string;
+       if (!domain_name) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
 
        sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
        if (!sid) {
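Review bot: The added `if (!domain_name)` guard has no comment saying why the string can be NULL. Since the value comes from the client request, a line such as `/* client-supplied lsa_String may carry a NULL buffer */` above the check would mark it as input validation that must not be removed. `r->in.domain_name` itself is dereferenced on the preceding line without a check, which is safe only if the marshalling layer guarantees a non-NULL pointer there; that is not visible in this hunk. _samr_LookupDomain continues outside the hunk.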
@@ -3911,6 +3959,11 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       if (id21->fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
+               TALLOC_FREE(pwd);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        /* we need to separately check for an account rename first */
 
        if (id21->account_name.string &&
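Review bot: The `SAMR_FIELD_LAST_PWD_CHANGE` rejection is copied verbatim into set_user_info_21, set_user_info_23 and set_user_info_25 with no comment at any of the three sites. A comment such as `/* pwdlastset is maintained by the server on password change; a client must never set it directly */` would stop a later refactor from dropping the check, and a small static helper taking `fields_present` would keep the copies from drifting apart. Whether any other SetUserInfo level can reach the same field is not visible in this diff and is worth confirming, since a client-controlled pwdlastset would affect password-age enforcement. The set_user_info_23 hunk also adds a doubled blank line after its copy of the check.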
@@ -3994,6 +4047,12 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       if (id23->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
+               TALLOC_FREE(pwd);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+
        DEBUG(5, ("Attempting administrator password change (level 23) for user 
%s\n",
                  pdb_get_username(pwd)));
 
@@ -4005,7 +4064,7 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
                                &len,
                                STR_UNICODE)) {
                TALLOC_FREE(pwd);
-               return NT_STATUS_INVALID_PARAMETER;
+               return NT_STATUS_WRONG_PASSWORD;
        }
 
        if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
@@ -4172,6 +4231,11 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       if (id25->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
+               TALLOC_FREE(pwd);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        copy_id25_to_sam_passwd(pwd, id25);
 
        /* write the change out */
@@ -4362,7 +4426,7 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
 
                        if (!set_user_info_pw(info->info24.password.data, pwd,
                                              switch_value)) {
-                               status = NT_STATUS_ACCESS_DENIED;
+                               status = NT_STATUS_WRONG_PASSWORD;
                        }
                        break;
 
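Review bot: `set_user_info_pw` is consumed here as a plain true/false result, so every failure inside it is now reported to the client as `NT_STATUS_WRONG_PASSWORD`. If it can also fail for reasons unrelated to the supplied buffer (its body is not in this diff), such as a backend update error, those would be misreported and harder to triage from logs. Returning an NTSTATUS from the helper would fix that; failing that, a comment like `/* set_user_info_pw fails only on an undecodable password buffer */` would do, if that is actually true. The same substitution is made for the info25 and info26 cases in the next two hunks, and the enclosing switch in _samr_SetUserInfo starts and ends outside the hunk.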
@@ -4383,7 +4447,7 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
                        }
                        if (!set_user_info_pw(info->info25.password.data, pwd,
                                              switch_value)) {
-                               status = NT_STATUS_ACCESS_DENIED;
+                               status = NT_STATUS_WRONG_PASSWORD;
                        }
                        break;
 
@@ -4399,7 +4463,7 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
 
                        if (!set_user_info_pw(info->info26.password.data, pwd,
                                              switch_value)) {
-                               status = NT_STATUS_ACCESS_DENIED;
+                               status = NT_STATUS_WRONG_PASSWORD;
                        }
                        break;
 
@@ -5962,16 +6026,6 @@ NTSTATUS _samr_Shutdown(pipes_struct *p,
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_CreateUser(pipes_struct *p,
-                         struct samr_CreateUser *r)
-{
-       p->rng_fault_state = true;
-       return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-/****************************************************************
-****************************************************************/
-
 NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
                                          struct 
samr_SetMemberAttributesOfGroup *r)
 {
@@ -6012,16 +6066,6 @@ NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
-                             struct samr_QueryUserInfo2 *r)
-{
-       p->rng_fault_state = true;
-       return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-/****************************************************************
-****************************************************************/
-
 NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
                                         struct samr_AddMultipleMembersToAlias 
*r)
 {


-- 
Samba Shared Repository
