static int net_getdomainsid(int argc, const char **argv)
{
DOM_SID domain_sid;
fstring sid_str;
if(!initialize_password_db(False)) {
DEBUG(0, ("WARNING: Could not open passdb - domain sid may not reflect passdb\n"
"backend knowlege (such as the sid stored in LDAP)\n"));
}
/* Generate one, if it doesn't exist */
get_global_sam_sid();
if (!secrets_fetch_domain_sid(global_myname(), &domain_sid)) {
d_fprintf(stderr, "Could not fetch local SID\n");
return 1;
}
sid_to_string(sid_str, &domain_sid);
d_printf("SID for domain %s is: %s\n", global_myname(), sid_str);
if (!secrets_fetch_domain_sid(opt_workgroup, &domain_sid)) {
d_fprintf(stderr, "Could not fetch domain SID\n");
return 1;
}
sid_to_string(sid_str, &domain_sid);
d_printf("SID for domain %s is: %s\n", opt_workgroup, sid_str);
return 0;
}
static int net_getdomainsid(struct net_context *c, int argc, const char **argv)
{
struct dom_sid domain_sid;
fstring sid_str;
if (argc > 0) {
d_printf(_("Usage:"));
d_printf(" net getdomainsid\n");
return 1;
}
if(!initialize_password_db(false, NULL)) {
DEBUG(0, ("WARNING: Could not open passdb - domain SID may "
"not reflect passdb\n"
"backend knowledge (such as the SID stored in "
"LDAP)\n"));
}
/* first check to see if we can even access secrets, so we don't
panic when we can't. */
if (!secrets_init()) {
d_fprintf(stderr, _("Unable to open secrets.tdb. Can't fetch "
"domain SID for name: %s\n"),
get_global_sam_name());
return 1;
}
/* Generate one, if it doesn't exist */
get_global_sam_sid();
if (!secrets_fetch_domain_sid(lp_netbios_name(), &domain_sid)) {
d_fprintf(stderr, _("Could not fetch local SID\n"));
return 1;
}
sid_to_fstring(sid_str, &domain_sid);
d_printf(_("SID for local machine %s is: %s\n"),
lp_netbios_name(), sid_str);
if (!secrets_fetch_domain_sid(c->opt_workgroup, &domain_sid)) {
d_fprintf(stderr, _("Could not fetch domain SID\n"));
return 1;
}
sid_to_fstring(sid_str, &domain_sid);
d_printf(_("SID for domain %s is: %s\n"), c->opt_workgroup, sid_str);
return 0;
}
static int net_getdomainsid(int argc, const char **argv)
{
DOM_SID domain_sid;
fstring sid_str;
if(!initialize_password_db(False)) {
DEBUG(1, ("WARNING: Could not open passdb - domain sid may not reflect passdb\n"
"backend knowlege (such as the sid stored in LDAP)\n"));
}
/* first check to see if we can even access secrets, so we don't
panic when we can't. */
if (!secrets_init()) {
d_fprintf(stderr, "Unable to open secrets.tdb. "
"Can't fetch domainSID for name: %s\n",
get_global_sam_name());
return 1;
}
/* Generate one, if it doesn't exist */
get_global_sam_sid();
if (!secrets_fetch_domain_sid(global_myname(), &domain_sid)) {
d_fprintf(stderr, "Could not fetch local SID\n");
return 1;
}
sid_to_string(sid_str, &domain_sid);
d_printf("SID for domain %s is: %s\n", global_myname(), sid_str);
if (!secrets_fetch_domain_sid(opt_workgroup, &domain_sid)) {
d_fprintf(stderr, "Could not fetch domain SID\n");
return 1;
}
sid_to_string(sid_str, &domain_sid);
d_printf("SID for domain %s is: %s\n", opt_workgroup, sid_str);
return 0;
}
static char *longvar_domainsid( void )
{
DOM_SID sid;
char *sid_string;
if ( !secrets_fetch_domain_sid( lp_workgroup(), &sid ) ) {
return NULL;
}
sid_string = SMB_STRDUP( sid_string_static( &sid ) );
if ( !sid_string ) {
DEBUG(0,("longvar_domainsid: failed to dup SID string!\n"));
}
return sid_string;
}
/*
Retrieve our local SID or the SID for the specified name
*/
static int net_getlocalsid(struct net_context *c, int argc, const char **argv)
{
struct dom_sid sid;
const char *name;
fstring sid_str;
if (argc >= 1) {
name = argv[0];
}
else {
name = lp_netbios_name();
}
if(!initialize_password_db(false, NULL)) {
DEBUG(0, ("WARNING: Could not open passdb - local sid may not reflect passdb\n"
"backend knowledge (such as the sid stored in LDAP)\n"));
}
/* first check to see if we can even access secrets, so we don't
panic when we can't. */
if (!secrets_init()) {
d_fprintf(stderr,
_("Unable to open secrets.tdb. Can't fetch domain "
"SID for name: %s\n"), name);
return 1;
}
/* Generate one, if it doesn't exist */
get_global_sam_sid();
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(0, ("Can't fetch domain SID for name: %s\n", name));
return 1;
}
sid_to_fstring(sid_str, &sid);
d_printf(_("SID for domain %s is: %s\n"), name, sid_str);
return 0;
}
bool lookup_name(TALLOC_CTX *mem_ctx,
const char *full_name, int flags,
const char **ret_domain, const char **ret_name,
DOM_SID *ret_sid, enum lsa_SidType *ret_type)
{
char *p;
const char *tmp;
const char *domain = NULL;
const char *name = NULL;
uint32 rid;
DOM_SID sid;
enum lsa_SidType type;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return false;
}
p = strchr_m(full_name, '\\');
if (p != NULL) {
domain = talloc_strndup(tmp_ctx, full_name,
PTR_DIFF(p, full_name));
name = talloc_strdup(tmp_ctx, p+1);
} else {
domain = talloc_strdup(tmp_ctx, "");
name = talloc_strdup(tmp_ctx, full_name);
}
if ((domain == NULL) || (name == NULL)) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n",
full_name, domain, name));
DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
if ((flags & LOOKUP_NAME_DOMAIN) &&
strequal(domain, get_global_sam_name()))
{
/* It's our own domain, lookup the name in passdb */
if (lookup_global_sam_name(name, flags, &rid, &type)) {
sid_copy(&sid, get_global_sam_sid());
sid_append_rid(&sid, rid);
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
if ((flags & LOOKUP_NAME_BUILTIN) &&
strequal(domain, builtin_domain_name()))
{
/* Explicit request for a name in BUILTIN */
if (lookup_builtin_name(name, &rid)) {
sid_copy(&sid, &global_sid_Builtin);
sid_append_rid(&sid, rid);
type = SID_NAME_ALIAS;
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
/* Try the explicit winbind lookup first, don't let it guess the
* domain yet at this point yet. This comes later. */
if ((domain[0] != '\0') &&
(flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) &&
(winbind_lookup_name(domain, name, &sid, &type))) {
goto ok;
}
if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_users_domain_name())) {
if (lookup_unix_user_name(name, &sid)) {
type = SID_NAME_USER;
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_groups_domain_name())) {
if (lookup_unix_group_name(name, &sid)) {
type = SID_NAME_DOM_GRP;
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
TALLOC_FREE(tmp_ctx);
return false;
}
/* Now the guesswork begins, we haven't been given an explicit
* domain. Try the sequence as documented on
* http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
* November 27, 2005 */
/* 1. well-known names */
if ((flags & LOOKUP_NAME_WKN) &&
lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
{
type = SID_NAME_WKN_GRP;
goto ok;
}
/* 2. Builtin domain as such */
if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) &&
strequal(name, builtin_domain_name()))
{
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
sid_copy(&sid, &global_sid_Builtin);
type = SID_NAME_DOMAIN;
goto ok;
}
/* 3. Account domain */
if ((flags & LOOKUP_NAME_DOMAIN) &&
strequal(name, get_global_sam_name()))
{
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(3, ("Could not fetch my SID\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
goto ok;
}
/* 4. Primary domain */
if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC &&
strequal(name, lp_workgroup()))
{
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(3, ("Could not fetch the domain SID\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
goto ok;
}
/* 5. Trusted domains as such, to me it looks as if members don't do
this, tested an XP workstation in a NT domain -- vl */
if ((flags & LOOKUP_NAME_REMOTE) && IS_DC &&
(pdb_get_trusteddom_pw(name, NULL, &sid, NULL)))
{
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
goto ok;
}
/* 6. Builtin aliases */
if ((flags & LOOKUP_NAME_BUILTIN) &&
lookup_builtin_name(name, &rid))
{
domain = talloc_strdup(tmp_ctx, builtin_domain_name());
sid_copy(&sid, &global_sid_Builtin);
sid_append_rid(&sid, rid);
type = SID_NAME_ALIAS;
goto ok;
}
/* 7. Local systems' SAM (DCs don't have a local SAM) */
/* 8. Primary SAM (On members, this is the domain) */
/* Both cases are done by looking at our passdb */
if ((flags & LOOKUP_NAME_DOMAIN) &&
lookup_global_sam_name(name, flags, &rid, &type))
{
domain = talloc_strdup(tmp_ctx, get_global_sam_name());
sid_copy(&sid, get_global_sam_sid());
sid_append_rid(&sid, rid);
goto ok;
}
/* Now our local possibilities are exhausted. */
if (!(flags & LOOKUP_NAME_REMOTE)) {
TALLOC_FREE(tmp_ctx);
return false;
}
/* If we are not a DC, we have to ask in our primary domain. Let
* winbind do that. */
if (!IS_DC &&
(winbind_lookup_name(lp_workgroup(), name, &sid, &type))) {
domain = talloc_strdup(tmp_ctx, lp_workgroup());
goto ok;
}
/* 9. Trusted domains */
/* If we're a DC we have to ask all trusted DC's. Winbind does not do
* that (yet), but give it a chance. */
if (IS_DC && winbind_lookup_name("", name, &sid, &type)) {
DOM_SID dom_sid;
uint32 tmp_rid;
enum lsa_SidType domain_type;
if (type == SID_NAME_DOMAIN) {
/* Swap name and type */
tmp = name; name = domain; domain = tmp;
goto ok;
}
/* Here we have to cope with a little deficiency in the
* winbind API: We have to ask it again for the name of the
* domain it figured out itself. Maybe fix that later... */
sid_copy(&dom_sid, &sid);
sid_split_rid(&dom_sid, &tmp_rid);
if (!winbind_lookup_sid(tmp_ctx, &dom_sid, &domain, NULL,
&domain_type) ||
(domain_type != SID_NAME_DOMAIN)) {
DEBUG(2, ("winbind could not find the domain's name "
"it just looked up for us\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
goto ok;
}
/* 10. Don't translate */
/* 11. Ok, windows would end here. Samba has two more options:
Unmapped users and unmapped groups */
if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_user_name(name, &sid)) {
domain = talloc_strdup(tmp_ctx, unix_users_domain_name());
type = SID_NAME_USER;
goto ok;
}
if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_group_name(name, &sid)) {
domain = talloc_strdup(tmp_ctx, unix_groups_domain_name());
type = SID_NAME_DOM_GRP;
goto ok;
}
/*
* Ok, all possibilities tried. Fail.
*/
TALLOC_FREE(tmp_ctx);
return false;
ok:
if ((domain == NULL) || (name == NULL)) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
/*
* Hand over the results to the talloc context we've been given.
*/
if ((ret_name != NULL) &&
!(*ret_name = talloc_strdup(mem_ctx, name))) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
if (ret_domain != NULL) {
char *tmp_dom;
if (!(tmp_dom = talloc_strdup(mem_ctx, domain))) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
strupper_m(tmp_dom);
*ret_domain = tmp_dom;
}
if (ret_sid != NULL) {
sid_copy(ret_sid, &sid);
}
if (ret_type != NULL) {
*ret_type = type;
}
TALLOC_FREE(tmp_ctx);
return true;
}
static NTSTATUS _idmap_adex_init(struct idmap_domain *dom)
{
ADS_STRUCT *ads = NULL;
ADS_STATUS status;
static NTSTATUS init_status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
struct dom_sid domain_sid;
fstring dcname;
struct sockaddr_storage ip;
struct likewise_cell *lwcell;
if (NT_STATUS_IS_OK(init_status))
return NT_STATUS_OK;
/* Silently fail if we are not a member server in security = ads */
if ((lp_server_role() != ROLE_DOMAIN_MEMBER) ||
(lp_security() != SEC_ADS)) {
init_status = NT_STATUS_INVALID_SERVER_STATE;
BAIL_ON_NTSTATUS_ERROR(init_status);
}
/* fetch our domain SID first */
if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
init_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
BAIL_ON_NTSTATUS_ERROR(init_status);
}
/* reuse the same ticket cache as winbindd */
setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
/* Establish a connection to a DC */
if ((ads = ads_init(lp_realm(), lp_workgroup(), NULL)) == NULL) {
init_status = NT_STATUS_NO_MEMORY;
BAIL_ON_NTSTATUS_ERROR(init_status);
}
ads->auth.password =
secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
ads->auth.realm = SMB_STRDUP(lp_realm());
/* get the DC name here to setup the server affinity cache and
local krb5.conf */
get_dc_name(lp_workgroup(), lp_realm(), dcname, &ip);
status = ads_connect(ads);
if (!ADS_ERR_OK(status)) {
DEBUG(0, ("_idmap_adex_init: ads_connect() failed! (%s)\n",
ads_errstr(status)));
}
init_status = ads_ntstatus(status);
BAIL_ON_NTSTATUS_ERROR(init_status);
/* Find out cell membership */
init_status = cell_locate_membership(ads);
if (!NT_STATUS_IS_OK(init_status)) {
DEBUG(0,("LWI: Fail to locate cell membership (%s).",
nt_errstr(init_status)));
goto done;
}
/* Fill in the cell information */
lwcell = cell_list_head();
init_status = cell_lookup_settings(lwcell);
BAIL_ON_NTSTATUS_ERROR(init_status);
/* Miscellaneous setup. E.g. set up the list of GC
servers and domain list for our forest (does not actually
connect). */
init_status = gc_init_list();
BAIL_ON_NTSTATUS_ERROR(init_status);
init_status = domain_init_list();
BAIL_ON_NTSTATUS_ERROR(init_status);
done:
if (!NT_STATUS_IS_OK(init_status)) {
DEBUG(1,("Likewise initialization failed (%s)\n",
nt_errstr(init_status)));
}
/* cleanup */
if (!NT_STATUS_IS_OK(init_status)) {
cell_list_destroy();
/* init_status stores the failure reason but we need to
return success or else idmap_init() will drop us from the
backend list */
return NT_STATUS_OK;
}
init_status = NT_STATUS_OK;
return init_status;
}
static struct dom_sid *pdb_generate_sam_sid(void)
{
struct dom_sid domain_sid;
char *fname = NULL;
struct dom_sid *sam_sid;
if(!(sam_sid=SMB_MALLOC_P(struct dom_sid)))
return NULL;
if ( IS_DC ) {
if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
sid_copy(sam_sid, &domain_sid);
return sam_sid;
}
}
if (secrets_fetch_domain_sid(lp_netbios_name(), sam_sid)) {
/* We got our sid. If not a pdc/bdc, we're done. */
if ( !IS_DC )
return sam_sid;
if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
/* No domain sid and we're a pdc/bdc. Store it */
if (!secrets_store_domain_sid(lp_workgroup(), sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Can't store domain SID as a pdc/bdc.\n"));
SAFE_FREE(sam_sid);
return NULL;
}
return sam_sid;
}
if (!dom_sid_equal(&domain_sid, sam_sid)) {
/* Domain name sid doesn't match global sam sid. Re-store domain sid as 'local' sid. */
DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n"));
if (!secrets_store_domain_sid(lp_netbios_name(), &domain_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID for local sid as PDC/BDC.\n"));
SAFE_FREE(sam_sid);
return NULL;
}
return sam_sid;
}
return sam_sid;
}
/* check for an old MACHINE.SID file for backwards compatibility */
if (asprintf(&fname, "%s/MACHINE.SID", lp_private_dir()) == -1) {
SAFE_FREE(sam_sid);
return NULL;
}
if (read_sid_from_file(fname, sam_sid)) {
/* remember it for future reference and unlink the old MACHINE.SID */
if (!secrets_store_domain_sid(lp_netbios_name(), sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Failed to store SID from file.\n"));
SAFE_FREE(fname);
SAFE_FREE(sam_sid);
return NULL;
}
unlink(fname);
if ( !IS_DC ) {
if (!secrets_store_domain_sid(lp_workgroup(), sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Failed to store domain SID from file.\n"));
SAFE_FREE(fname);
SAFE_FREE(sam_sid);
return NULL;
}
}
/* Stored the old sid from MACHINE.SID successfully.*/
SAFE_FREE(fname);
return sam_sid;
}
SAFE_FREE(fname);
/* we don't have the SID in secrets.tdb, we will need to
generate one and save it */
generate_random_sid(sam_sid);
if (!secrets_store_domain_sid(lp_netbios_name(), sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Failed to store generated machine SID.\n"));
SAFE_FREE(sam_sid);
return NULL;
}
if ( IS_DC ) {
if (!secrets_store_domain_sid(lp_workgroup(), sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Failed to store generated domain SID.\n"));
SAFE_FREE(sam_sid);
return NULL;
}
}
return sam_sid;
}
WERROR NetUnjoinDomain_l(struct libnetapi_ctx *mem_ctx,
struct NetUnjoinDomain *r)
{
struct libnet_UnjoinCtx *u = NULL;
struct dom_sid domain_sid;
const char *domain = NULL;
WERROR werr;
if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
return WERR_SETUP_NOT_JOINED;
}
werr = libnet_init_UnjoinCtx(mem_ctx, &u);
W_ERROR_NOT_OK_RETURN(werr);
if (lp_realm()) {
domain = lp_realm();
} else {
domain = lp_workgroup();
}
if (r->in.server_name) {
u->in.dc_name = talloc_strdup(mem_ctx, r->in.server_name);
W_ERROR_HAVE_NO_MEMORY(u->in.dc_name);
} else {
NTSTATUS status;
struct netr_DsRGetDCNameInfo *info = NULL;
const char *dc = NULL;
uint32_t flags = DS_DIRECTORY_SERVICE_REQUIRED |
DS_WRITABLE_REQUIRED |
DS_RETURN_DNS_NAME;
status = dsgetdcname(mem_ctx, NULL, domain,
NULL, NULL, flags, &info);
if (!NT_STATUS_IS_OK(status)) {
libnetapi_set_error_string(mem_ctx,
"failed to find DC for domain %s: %s",
domain,
get_friendly_nt_error_msg(status));
return ntstatus_to_werror(status);
}
dc = strip_hostname(info->dc_unc);
u->in.dc_name = talloc_strdup(mem_ctx, dc);
W_ERROR_HAVE_NO_MEMORY(u->in.dc_name);
u->in.domain_name = domain;
}
if (r->in.account) {
u->in.admin_account = talloc_strdup(mem_ctx, r->in.account);
W_ERROR_HAVE_NO_MEMORY(u->in.admin_account);
}
if (r->in.password) {
u->in.admin_password = talloc_strdup(mem_ctx, r->in.password);
W_ERROR_HAVE_NO_MEMORY(u->in.admin_password);
}
u->in.domain_name = domain;
u->in.unjoin_flags = r->in.unjoin_flags;
u->in.delete_machine_account = false;
u->in.modify_config = true;
u->in.debug = true;
u->in.domain_sid = &domain_sid;
werr = libnet_Unjoin(mem_ctx, u);
if (!W_ERROR_IS_OK(werr) && u->out.error_string) {
libnetapi_set_error_string(mem_ctx, "%s", u->out.error_string);
}
TALLOC_FREE(u);
return werr;
}
static BOOL pdb_generate_sam_sid(void)
{
DOM_SID domain_sid;
char *fname = NULL;
BOOL is_dc = False;
if(global_sam_sid==NULL)
if(!(global_sam_sid=(DOM_SID *)malloc(sizeof(DOM_SID))))
return False;
generate_wellknown_sids();
switch (lp_server_role()) {
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
is_dc = True;
break;
default:
is_dc = False;
break;
}
if (is_dc) {
if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
sid_copy(global_sam_sid, &domain_sid);
return True;
}
}
if (secrets_fetch_domain_sid(global_myname(), global_sam_sid)) {
/* We got our sid. If not a pdc/bdc, we're done. */
if (!is_dc)
return True;
if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
/* No domain sid and we're a pdc/bdc. Store it */
if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Can't store domain SID as a pdc/bdc.\n"));
return False;
}
return True;
}
if (!sid_equal(&domain_sid, global_sam_sid)) {
/* Domain name sid doesn't match global sam sid. Re-store domain sid as 'local' sid. */
DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n"));
if (!secrets_store_domain_sid(global_myname(), &domain_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID for local sid as PDC/BDC.\n"));
return False;
}
return True;
}
return True;
}
/* check for an old MACHINE.SID file for backwards compatibility */
asprintf(&fname, "%s/MACHINE.SID", lp_private_dir());
if (read_sid_from_file(fname, global_sam_sid)) {
/* remember it for future reference and unlink the old MACHINE.SID */
if (!secrets_store_domain_sid(global_myname(), global_sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Failed to store SID from file.\n"));
SAFE_FREE(fname);
return False;
}
unlink(fname);
if (is_dc) {
if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Failed to store domain SID from file.\n"));
SAFE_FREE(fname);
return False;
}
}
/* Stored the old sid from MACHINE.SID successfully.*/
SAFE_FREE(fname);
return True;
}
SAFE_FREE(fname);
/* we don't have the SID in secrets.tdb, we will need to
generate one and save it */
generate_random_sid(global_sam_sid);
if (!secrets_store_domain_sid(global_myname(), global_sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Failed to store generated machine SID.\n"));
return False;
}
if (is_dc) {
if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Failed to store generated domain SID.\n"));
return False;
}
}
return True;
}
BOOL pdb_generate_sam_sid(void)
{
char *fname = NULL;
extern pstring global_myname;
extern fstring global_myworkgroup;
BOOL is_dc = False;
pstring priv_dir;
generate_wellknown_sids();
switch (lp_server_role()) {
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
is_dc = True;
break;
default:
is_dc = False;
break;
}
if (secrets_fetch_domain_sid(global_myname, &global_sam_sid)) {
DOM_SID domain_sid;
/* We got our sid. If not a pdc/bdc, we're done. */
if (!is_dc)
return True;
if (!secrets_fetch_domain_sid(global_myworkgroup, &domain_sid)) {
/* No domain sid and we're a pdc/bdc. Store it */
if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Can't store domain SID as a pdc/bdc.\n"));
return False;
}
return True;
}
if (!sid_equal(&domain_sid, &global_sam_sid)) {
/* Domain name sid doesn't match global sam sid. Re-store global sam sid as domain sid. */
DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n"));
if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID as a pdc/bdc.\n"));
return False;
}
return True;
}
return True;
}
/* check for an old MACHINE.SID file for backwards compatibility */
get_private_directory(priv_dir);
asprintf(&fname, "%s/MACHINE.SID", priv_dir);
if (read_sid_from_file(fname, &global_sam_sid)) {
/* remember it for future reference and unlink the old MACHINE.SID */
if (!secrets_store_domain_sid(global_myname, &global_sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Failed to store SID from file.\n"));
SAFE_FREE(fname);
return False;
}
unlink(fname);
if (is_dc) {
if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Failed to store domain SID from file.\n"));
SAFE_FREE(fname);
return False;
}
}
/* Stored the old sid from MACHINE.SID successfully.
Patch from Stefan "metze" Metzmacher <*****@*****.**>*/
SAFE_FREE(fname);
return True;
}
SAFE_FREE(fname);
/* we don't have the SID in secrets.tdb, we will need to
generate one and save it */
generate_random_sid(&global_sam_sid);
DEBUG(10, ("Generated random SID ...\n"));
if (!secrets_store_domain_sid(global_myname, &global_sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Failed to store generated machine SID.\n"));
return False;
}
if (is_dc) {
if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) {
DEBUG(0,("pdb_generate_sam_sid: Failed to store generated domain SID.\n"));
return False;
}
}
return True;
}
/*******************************************************************
Process command line options
******************************************************************/
static void process_options(int argc, char **argv, BOOL amroot)
{
int ch;
DOM_SID dom_sid;
fstring sid_str;
user_name[0] = '\0';
while ((ch = getopt(argc, argv, "c:axdehmnj:t:r:sw:R:D:U:LSW:X:")) != EOF) {
switch(ch) {
case 'L':
local_mode = amroot = True;
break;
case 'c':
pstrcpy(servicesf,optarg);
break;
case 'a':
if (!amroot) goto bad_args;
local_flags |= LOCAL_ADD_USER;
break;
case 'x':
if (!amroot) goto bad_args;
local_flags |= LOCAL_DELETE_USER;
new_passwd = strdup_x("XXXXXX");
break;
case 'd':
if (!amroot) goto bad_args;
local_flags |= LOCAL_DISABLE_USER;
new_passwd = strdup_x("XXXXXX");
break;
case 'e':
if (!amroot) goto bad_args;
local_flags |= LOCAL_ENABLE_USER;
break;
case 'm':
if (!amroot) goto bad_args;
local_flags |= LOCAL_TRUST_ACCOUNT;
break;
case 'n':
if (!amroot) goto bad_args;
local_flags |= LOCAL_SET_NO_PASSWORD;
new_passwd = strdup_x("NO PASSWORD");
break;
case 'j':
if (!amroot) goto bad_args;
new_domain = optarg;
strupper(new_domain);
joining_domain = True;
break;
case 't':
if (!amroot) goto bad_args;
new_domain = optarg;
strupper(new_domain);
changing_trust_pw = True;
break;
case 'r':
remote_machine = optarg;
break;
case 'S':
if (!amroot) goto bad_args;
local_flags |= LOCAL_GET_DOM_SID;
break;
case 's':
set_line_buffering(stdin);
set_line_buffering(stdout);
set_line_buffering(stderr);
stdin_passwd_get = True;
break;
case 'w':
if (!amroot) goto bad_args;
#ifdef WITH_LDAP_SAM
local_flags |= LOCAL_SET_LDAP_ADMIN_PW;
fstrcpy(ldap_secret, optarg);
break;
#else
printf("-w not available unless configured --with-ldapsam\n");
goto bad_args;
#endif
case 'R':
if (!amroot) goto bad_args;
lp_set_name_resolve_order(optarg);
break;
case 'D':
DEBUGLEVEL = atoi(optarg);
break;
case 'U': {
char *lp;
got_username = True;
fstrcpy(user_name, optarg);
if ((lp = strchr(user_name, '%'))) {
*lp = 0;
fstrcpy(user_password, lp + 1);
got_pass = True;
memset(strchr(optarg, '%') + 1, 'X',
strlen(user_password));
}
}
break;
case 'W': /* Take the SID on the command line and make it ours */
if (!lp_load(servicesf,True,False,False)) {
fprintf(stderr, "Can't load %s - run testparm to debug it\n",
servicesf);
exit(1);
}
if (!string_to_sid(&dom_sid, optarg)) {
fprintf(stderr, "Invalid SID: %s\n", optarg);
exit(1);
}
if (!secrets_init()) {
fprintf(stderr, "Unable to open secrets database!\n");
exit(1);
}
if (!secrets_store_domain_sid(global_myname, &dom_sid)) {
fprintf(stderr, "Unable to write the new SID %s as the server SID for %s\n", optarg, global_myname);
exit(1);
}
/*
* Now, write it to the workgroup as well, to make
* things consistent. This is a risk however.
*/
if (!secrets_store_domain_sid(lp_workgroup(), &dom_sid)) {
fprintf(stderr, "Unable to write the new SID %s as the domain SID for %s\n", optarg, lp_workgroup());
exit(1);
}
exit(0);
break;
case 'X': /* Extract the SID for a domain from secrets */
if (!lp_load(servicesf,True,False,False)) {
fprintf(stderr, "Can't load %s - run testparm to debug it\n",
servicesf);
exit(1);
}
if (!secrets_init()) {
fprintf(stderr, "Unable to open secrets database!\n");
exit(1);
}
if (secrets_fetch_domain_sid(optarg, &dom_sid)) {
sid_to_string(sid_str, &dom_sid);
printf("SID for domain %s is: %s\n", optarg, sid_str);
exit(0);
}
else {
fprintf(stderr, "Could not retrieve SID for domain: %s\n", optarg);
exit(1);
}
break;
case 'h':
default:
bad_args:
usage();
}
}
argc -= optind;
argv += optind;
if (joining_domain && (argc != 0))
usage();
switch(argc) {
case 0:
if (!got_username)
fstrcpy(user_name, "");
break;
case 1:
if (!amroot == 1) {
new_passwd = argv[0];
break;
}
if (got_username)
usage();
fstrcpy(user_name, argv[0]);
break;
case 2:
if (!amroot || got_username || got_pass)
usage();
fstrcpy(user_name, argv[0]);
new_passwd = strdup_x(argv[1]);
break;
default:
usage();
}
}
WERROR spoolss_create_default_secdesc(TALLOC_CTX *mem_ctx,
struct spoolss_security_descriptor **secdesc)
{
struct security_ace ace[7]; /* max number of ace entries */
int i = 0;
uint32_t sa;
struct security_acl *psa = NULL;
struct security_descriptor *psd = NULL;
struct dom_sid adm_sid;
size_t sd_size;
/* Create an ACE where Everyone is allowed to print */
sa = PRINTER_ACE_PRINT;
init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
/* Add the domain admins group if we are a DC */
if ( IS_DC ) {
struct dom_sid domadmins_sid;
sid_compose(&domadmins_sid, get_global_sam_sid(),
DOMAIN_RID_ADMINS);
sa = PRINTER_ACE_FULL_CONTROL;
init_sec_ace(&ace[i++], &domadmins_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
}
else if (secrets_fetch_domain_sid(lp_workgroup(), &adm_sid)) {
sid_append_rid(&adm_sid, DOMAIN_RID_ADMINISTRATOR);
sa = PRINTER_ACE_FULL_CONTROL;
init_sec_ace(&ace[i++], &adm_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
}
/* add BUILTIN\Administrators as FULL CONTROL */
sa = PRINTER_ACE_FULL_CONTROL;
init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
SEC_ACE_TYPE_ACCESS_ALLOWED,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
/* add BUILTIN\Print Operators as FULL CONTROL */
sa = PRINTER_ACE_FULL_CONTROL;
init_sec_ace(&ace[i++], &global_sid_Builtin_Print_Operators,
SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
init_sec_ace(&ace[i++], &global_sid_Builtin_Print_Operators,
SEC_ACE_TYPE_ACCESS_ALLOWED,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
/* Make the security descriptor owned by the BUILTIN\Administrators */
/* The ACL revision number in rpc_secdesc.h differs from the one
created by NT when setting ACE entries in printer
descriptors. NT4 complains about the property being edited by a
NT5 machine. */
if ((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) != NULL) {
psd = make_sec_desc(mem_ctx,
SD_REVISION,
SEC_DESC_SELF_RELATIVE,
&global_sid_Builtin_Administrators,
&global_sid_Builtin_Administrators,
NULL,
psa,
&sd_size);
}
if (psd == NULL) {
DEBUG(0,("construct_default_printer_sd: Failed to make SEC_DESC.\n"));
return WERR_NOMEM;
}
DEBUG(4,("construct_default_printer_sdb: size = %u.\n",
(unsigned int)sd_size));
*secdesc = psd;
return WERR_OK;
}
