static int net_getdomainsid(int argc, const char **argv) { DOM_SID domain_sid; fstring sid_str; if(!initialize_password_db(False)) { DEBUG(0, ("WARNING: Could not open passdb - domain sid may not reflect passdb\n" "backend knowlege (such as the sid stored in LDAP)\n")); } /* Generate one, if it doesn't exist */ get_global_sam_sid(); if (!secrets_fetch_domain_sid(global_myname(), &domain_sid)) { d_fprintf(stderr, "Could not fetch local SID\n"); return 1; } sid_to_string(sid_str, &domain_sid); d_printf("SID for domain %s is: %s\n", global_myname(), sid_str); if (!secrets_fetch_domain_sid(opt_workgroup, &domain_sid)) { d_fprintf(stderr, "Could not fetch domain SID\n"); return 1; } sid_to_string(sid_str, &domain_sid); d_printf("SID for domain %s is: %s\n", opt_workgroup, sid_str); return 0; }
static int net_getdomainsid(struct net_context *c, int argc, const char **argv) { struct dom_sid domain_sid; fstring sid_str; if (argc > 0) { d_printf(_("Usage:")); d_printf(" net getdomainsid\n"); return 1; } if(!initialize_password_db(false, NULL)) { DEBUG(0, ("WARNING: Could not open passdb - domain SID may " "not reflect passdb\n" "backend knowledge (such as the SID stored in " "LDAP)\n")); } /* first check to see if we can even access secrets, so we don't panic when we can't. */ if (!secrets_init()) { d_fprintf(stderr, _("Unable to open secrets.tdb. Can't fetch " "domain SID for name: %s\n"), get_global_sam_name()); return 1; } /* Generate one, if it doesn't exist */ get_global_sam_sid(); if (!secrets_fetch_domain_sid(lp_netbios_name(), &domain_sid)) { d_fprintf(stderr, _("Could not fetch local SID\n")); return 1; } sid_to_fstring(sid_str, &domain_sid); d_printf(_("SID for local machine %s is: %s\n"), lp_netbios_name(), sid_str); if (!secrets_fetch_domain_sid(c->opt_workgroup, &domain_sid)) { d_fprintf(stderr, _("Could not fetch domain SID\n")); return 1; } sid_to_fstring(sid_str, &domain_sid); d_printf(_("SID for domain %s is: %s\n"), c->opt_workgroup, sid_str); return 0; }
static int net_getdomainsid(int argc, const char **argv) { DOM_SID domain_sid; fstring sid_str; if(!initialize_password_db(False)) { DEBUG(1, ("WARNING: Could not open passdb - domain sid may not reflect passdb\n" "backend knowlege (such as the sid stored in LDAP)\n")); } /* first check to see if we can even access secrets, so we don't panic when we can't. */ if (!secrets_init()) { d_fprintf(stderr, "Unable to open secrets.tdb. " "Can't fetch domainSID for name: %s\n", get_global_sam_name()); return 1; } /* Generate one, if it doesn't exist */ get_global_sam_sid(); if (!secrets_fetch_domain_sid(global_myname(), &domain_sid)) { d_fprintf(stderr, "Could not fetch local SID\n"); return 1; } sid_to_string(sid_str, &domain_sid); d_printf("SID for domain %s is: %s\n", global_myname(), sid_str); if (!secrets_fetch_domain_sid(opt_workgroup, &domain_sid)) { d_fprintf(stderr, "Could not fetch domain SID\n"); return 1; } sid_to_string(sid_str, &domain_sid); d_printf("SID for domain %s is: %s\n", opt_workgroup, sid_str); return 0; }
static char *longvar_domainsid( void ) { DOM_SID sid; char *sid_string; if ( !secrets_fetch_domain_sid( lp_workgroup(), &sid ) ) { return NULL; } sid_string = SMB_STRDUP( sid_string_static( &sid ) ); if ( !sid_string ) { DEBUG(0,("longvar_domainsid: failed to dup SID string!\n")); } return sid_string; }
/* Retrieve our local SID or the SID for the specified name */ static int net_getlocalsid(struct net_context *c, int argc, const char **argv) { struct dom_sid sid; const char *name; fstring sid_str; if (argc >= 1) { name = argv[0]; } else { name = lp_netbios_name(); } if(!initialize_password_db(false, NULL)) { DEBUG(0, ("WARNING: Could not open passdb - local sid may not reflect passdb\n" "backend knowledge (such as the sid stored in LDAP)\n")); } /* first check to see if we can even access secrets, so we don't panic when we can't. */ if (!secrets_init()) { d_fprintf(stderr, _("Unable to open secrets.tdb. Can't fetch domain " "SID for name: %s\n"), name); return 1; } /* Generate one, if it doesn't exist */ get_global_sam_sid(); if (!secrets_fetch_domain_sid(name, &sid)) { DEBUG(0, ("Can't fetch domain SID for name: %s\n", name)); return 1; } sid_to_fstring(sid_str, &sid); d_printf(_("SID for domain %s is: %s\n"), name, sid_str); return 0; }
bool lookup_name(TALLOC_CTX *mem_ctx, const char *full_name, int flags, const char **ret_domain, const char **ret_name, DOM_SID *ret_sid, enum lsa_SidType *ret_type) { char *p; const char *tmp; const char *domain = NULL; const char *name = NULL; uint32 rid; DOM_SID sid; enum lsa_SidType type; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { DEBUG(0, ("talloc_new failed\n")); return false; } p = strchr_m(full_name, '\\'); if (p != NULL) { domain = talloc_strndup(tmp_ctx, full_name, PTR_DIFF(p, full_name)); name = talloc_strdup(tmp_ctx, p+1); } else { domain = talloc_strdup(tmp_ctx, ""); name = talloc_strdup(tmp_ctx, full_name); } if ((domain == NULL) || (name == NULL)) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(tmp_ctx); return false; } DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n", full_name, domain, name)); DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags)); if ((flags & LOOKUP_NAME_DOMAIN) && strequal(domain, get_global_sam_name())) { /* It's our own domain, lookup the name in passdb */ if (lookup_global_sam_name(name, flags, &rid, &type)) { sid_copy(&sid, get_global_sam_sid()); sid_append_rid(&sid, rid); goto ok; } TALLOC_FREE(tmp_ctx); return false; } if ((flags & LOOKUP_NAME_BUILTIN) && strequal(domain, builtin_domain_name())) { /* Explicit request for a name in BUILTIN */ if (lookup_builtin_name(name, &rid)) { sid_copy(&sid, &global_sid_Builtin); sid_append_rid(&sid, rid); type = SID_NAME_ALIAS; goto ok; } TALLOC_FREE(tmp_ctx); return false; } /* Try the explicit winbind lookup first, don't let it guess the * domain yet at this point yet. This comes later. */ if ((domain[0] != '\0') && (flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) && (winbind_lookup_name(domain, name, &sid, &type))) { goto ok; } if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_users_domain_name())) { if (lookup_unix_user_name(name, &sid)) { type = SID_NAME_USER; goto ok; } TALLOC_FREE(tmp_ctx); return false; } if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_groups_domain_name())) { if (lookup_unix_group_name(name, &sid)) { type = SID_NAME_DOM_GRP; goto ok; } TALLOC_FREE(tmp_ctx); return false; } if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) { TALLOC_FREE(tmp_ctx); return false; } /* Now the guesswork begins, we haven't been given an explicit * domain. Try the sequence as documented on * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp * November 27, 2005 */ /* 1. well-known names */ if ((flags & LOOKUP_NAME_WKN) && lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) { type = SID_NAME_WKN_GRP; goto ok; } /* 2. Builtin domain as such */ if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) && strequal(name, builtin_domain_name())) { /* Swap domain and name */ tmp = name; name = domain; domain = tmp; sid_copy(&sid, &global_sid_Builtin); type = SID_NAME_DOMAIN; goto ok; } /* 3. Account domain */ if ((flags & LOOKUP_NAME_DOMAIN) && strequal(name, get_global_sam_name())) { if (!secrets_fetch_domain_sid(name, &sid)) { DEBUG(3, ("Could not fetch my SID\n")); TALLOC_FREE(tmp_ctx); return false; } /* Swap domain and name */ tmp = name; name = domain; domain = tmp; type = SID_NAME_DOMAIN; goto ok; } /* 4. Primary domain */ if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC && strequal(name, lp_workgroup())) { if (!secrets_fetch_domain_sid(name, &sid)) { DEBUG(3, ("Could not fetch the domain SID\n")); TALLOC_FREE(tmp_ctx); return false; } /* Swap domain and name */ tmp = name; name = domain; domain = tmp; type = SID_NAME_DOMAIN; goto ok; } /* 5. Trusted domains as such, to me it looks as if members don't do this, tested an XP workstation in a NT domain -- vl */ if ((flags & LOOKUP_NAME_REMOTE) && IS_DC && (pdb_get_trusteddom_pw(name, NULL, &sid, NULL))) { /* Swap domain and name */ tmp = name; name = domain; domain = tmp; type = SID_NAME_DOMAIN; goto ok; } /* 6. Builtin aliases */ if ((flags & LOOKUP_NAME_BUILTIN) && lookup_builtin_name(name, &rid)) { domain = talloc_strdup(tmp_ctx, builtin_domain_name()); sid_copy(&sid, &global_sid_Builtin); sid_append_rid(&sid, rid); type = SID_NAME_ALIAS; goto ok; } /* 7. Local systems' SAM (DCs don't have a local SAM) */ /* 8. Primary SAM (On members, this is the domain) */ /* Both cases are done by looking at our passdb */ if ((flags & LOOKUP_NAME_DOMAIN) && lookup_global_sam_name(name, flags, &rid, &type)) { domain = talloc_strdup(tmp_ctx, get_global_sam_name()); sid_copy(&sid, get_global_sam_sid()); sid_append_rid(&sid, rid); goto ok; } /* Now our local possibilities are exhausted. */ if (!(flags & LOOKUP_NAME_REMOTE)) { TALLOC_FREE(tmp_ctx); return false; } /* If we are not a DC, we have to ask in our primary domain. Let * winbind do that. */ if (!IS_DC && (winbind_lookup_name(lp_workgroup(), name, &sid, &type))) { domain = talloc_strdup(tmp_ctx, lp_workgroup()); goto ok; } /* 9. Trusted domains */ /* If we're a DC we have to ask all trusted DC's. Winbind does not do * that (yet), but give it a chance. */ if (IS_DC && winbind_lookup_name("", name, &sid, &type)) { DOM_SID dom_sid; uint32 tmp_rid; enum lsa_SidType domain_type; if (type == SID_NAME_DOMAIN) { /* Swap name and type */ tmp = name; name = domain; domain = tmp; goto ok; } /* Here we have to cope with a little deficiency in the * winbind API: We have to ask it again for the name of the * domain it figured out itself. Maybe fix that later... */ sid_copy(&dom_sid, &sid); sid_split_rid(&dom_sid, &tmp_rid); if (!winbind_lookup_sid(tmp_ctx, &dom_sid, &domain, NULL, &domain_type) || (domain_type != SID_NAME_DOMAIN)) { DEBUG(2, ("winbind could not find the domain's name " "it just looked up for us\n")); TALLOC_FREE(tmp_ctx); return false; } goto ok; } /* 10. Don't translate */ /* 11. Ok, windows would end here. Samba has two more options: Unmapped users and unmapped groups */ if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_user_name(name, &sid)) { domain = talloc_strdup(tmp_ctx, unix_users_domain_name()); type = SID_NAME_USER; goto ok; } if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_group_name(name, &sid)) { domain = talloc_strdup(tmp_ctx, unix_groups_domain_name()); type = SID_NAME_DOM_GRP; goto ok; } /* * Ok, all possibilities tried. Fail. */ TALLOC_FREE(tmp_ctx); return false; ok: if ((domain == NULL) || (name == NULL)) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(tmp_ctx); return false; } /* * Hand over the results to the talloc context we've been given. */ if ((ret_name != NULL) && !(*ret_name = talloc_strdup(mem_ctx, name))) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(tmp_ctx); return false; } if (ret_domain != NULL) { char *tmp_dom; if (!(tmp_dom = talloc_strdup(mem_ctx, domain))) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(tmp_ctx); return false; } strupper_m(tmp_dom); *ret_domain = tmp_dom; } if (ret_sid != NULL) { sid_copy(ret_sid, &sid); } if (ret_type != NULL) { *ret_type = type; } TALLOC_FREE(tmp_ctx); return true; }
static NTSTATUS _idmap_adex_init(struct idmap_domain *dom) { ADS_STRUCT *ads = NULL; ADS_STATUS status; static NTSTATUS init_status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; struct dom_sid domain_sid; fstring dcname; struct sockaddr_storage ip; struct likewise_cell *lwcell; if (NT_STATUS_IS_OK(init_status)) return NT_STATUS_OK; /* Silently fail if we are not a member server in security = ads */ if ((lp_server_role() != ROLE_DOMAIN_MEMBER) || (lp_security() != SEC_ADS)) { init_status = NT_STATUS_INVALID_SERVER_STATE; BAIL_ON_NTSTATUS_ERROR(init_status); } /* fetch our domain SID first */ if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { init_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; BAIL_ON_NTSTATUS_ERROR(init_status); } /* reuse the same ticket cache as winbindd */ setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1); /* Establish a connection to a DC */ if ((ads = ads_init(lp_realm(), lp_workgroup(), NULL)) == NULL) { init_status = NT_STATUS_NO_MEMORY; BAIL_ON_NTSTATUS_ERROR(init_status); } ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); ads->auth.realm = SMB_STRDUP(lp_realm()); /* get the DC name here to setup the server affinity cache and local krb5.conf */ get_dc_name(lp_workgroup(), lp_realm(), dcname, &ip); status = ads_connect(ads); if (!ADS_ERR_OK(status)) { DEBUG(0, ("_idmap_adex_init: ads_connect() failed! (%s)\n", ads_errstr(status))); } init_status = ads_ntstatus(status); BAIL_ON_NTSTATUS_ERROR(init_status); /* Find out cell membership */ init_status = cell_locate_membership(ads); if (!NT_STATUS_IS_OK(init_status)) { DEBUG(0,("LWI: Fail to locate cell membership (%s).", nt_errstr(init_status))); goto done; } /* Fill in the cell information */ lwcell = cell_list_head(); init_status = cell_lookup_settings(lwcell); BAIL_ON_NTSTATUS_ERROR(init_status); /* Miscellaneous setup. E.g. set up the list of GC servers and domain list for our forest (does not actually connect). */ init_status = gc_init_list(); BAIL_ON_NTSTATUS_ERROR(init_status); init_status = domain_init_list(); BAIL_ON_NTSTATUS_ERROR(init_status); done: if (!NT_STATUS_IS_OK(init_status)) { DEBUG(1,("Likewise initialization failed (%s)\n", nt_errstr(init_status))); } /* cleanup */ if (!NT_STATUS_IS_OK(init_status)) { cell_list_destroy(); /* init_status stores the failure reason but we need to return success or else idmap_init() will drop us from the backend list */ return NT_STATUS_OK; } init_status = NT_STATUS_OK; return init_status; }
static struct dom_sid *pdb_generate_sam_sid(void) { struct dom_sid domain_sid; char *fname = NULL; struct dom_sid *sam_sid; if(!(sam_sid=SMB_MALLOC_P(struct dom_sid))) return NULL; if ( IS_DC ) { if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { sid_copy(sam_sid, &domain_sid); return sam_sid; } } if (secrets_fetch_domain_sid(lp_netbios_name(), sam_sid)) { /* We got our sid. If not a pdc/bdc, we're done. */ if ( !IS_DC ) return sam_sid; if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { /* No domain sid and we're a pdc/bdc. Store it */ if (!secrets_store_domain_sid(lp_workgroup(), sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Can't store domain SID as a pdc/bdc.\n")); SAFE_FREE(sam_sid); return NULL; } return sam_sid; } if (!dom_sid_equal(&domain_sid, sam_sid)) { /* Domain name sid doesn't match global sam sid. Re-store domain sid as 'local' sid. */ DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n")); if (!secrets_store_domain_sid(lp_netbios_name(), &domain_sid)) { DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID for local sid as PDC/BDC.\n")); SAFE_FREE(sam_sid); return NULL; } return sam_sid; } return sam_sid; } /* check for an old MACHINE.SID file for backwards compatibility */ if (asprintf(&fname, "%s/MACHINE.SID", lp_private_dir()) == -1) { SAFE_FREE(sam_sid); return NULL; } if (read_sid_from_file(fname, sam_sid)) { /* remember it for future reference and unlink the old MACHINE.SID */ if (!secrets_store_domain_sid(lp_netbios_name(), sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store SID from file.\n")); SAFE_FREE(fname); SAFE_FREE(sam_sid); return NULL; } unlink(fname); if ( !IS_DC ) { if (!secrets_store_domain_sid(lp_workgroup(), sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store domain SID from file.\n")); SAFE_FREE(fname); SAFE_FREE(sam_sid); return NULL; } } /* Stored the old sid from MACHINE.SID successfully.*/ SAFE_FREE(fname); return sam_sid; } SAFE_FREE(fname); /* we don't have the SID in secrets.tdb, we will need to generate one and save it */ generate_random_sid(sam_sid); if (!secrets_store_domain_sid(lp_netbios_name(), sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store generated machine SID.\n")); SAFE_FREE(sam_sid); return NULL; } if ( IS_DC ) { if (!secrets_store_domain_sid(lp_workgroup(), sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store generated domain SID.\n")); SAFE_FREE(sam_sid); return NULL; } } return sam_sid; }
WERROR NetUnjoinDomain_l(struct libnetapi_ctx *mem_ctx, struct NetUnjoinDomain *r) { struct libnet_UnjoinCtx *u = NULL; struct dom_sid domain_sid; const char *domain = NULL; WERROR werr; if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { return WERR_SETUP_NOT_JOINED; } werr = libnet_init_UnjoinCtx(mem_ctx, &u); W_ERROR_NOT_OK_RETURN(werr); if (lp_realm()) { domain = lp_realm(); } else { domain = lp_workgroup(); } if (r->in.server_name) { u->in.dc_name = talloc_strdup(mem_ctx, r->in.server_name); W_ERROR_HAVE_NO_MEMORY(u->in.dc_name); } else { NTSTATUS status; struct netr_DsRGetDCNameInfo *info = NULL; const char *dc = NULL; uint32_t flags = DS_DIRECTORY_SERVICE_REQUIRED | DS_WRITABLE_REQUIRED | DS_RETURN_DNS_NAME; status = dsgetdcname(mem_ctx, NULL, domain, NULL, NULL, flags, &info); if (!NT_STATUS_IS_OK(status)) { libnetapi_set_error_string(mem_ctx, "failed to find DC for domain %s: %s", domain, get_friendly_nt_error_msg(status)); return ntstatus_to_werror(status); } dc = strip_hostname(info->dc_unc); u->in.dc_name = talloc_strdup(mem_ctx, dc); W_ERROR_HAVE_NO_MEMORY(u->in.dc_name); u->in.domain_name = domain; } if (r->in.account) { u->in.admin_account = talloc_strdup(mem_ctx, r->in.account); W_ERROR_HAVE_NO_MEMORY(u->in.admin_account); } if (r->in.password) { u->in.admin_password = talloc_strdup(mem_ctx, r->in.password); W_ERROR_HAVE_NO_MEMORY(u->in.admin_password); } u->in.domain_name = domain; u->in.unjoin_flags = r->in.unjoin_flags; u->in.delete_machine_account = false; u->in.modify_config = true; u->in.debug = true; u->in.domain_sid = &domain_sid; werr = libnet_Unjoin(mem_ctx, u); if (!W_ERROR_IS_OK(werr) && u->out.error_string) { libnetapi_set_error_string(mem_ctx, "%s", u->out.error_string); } TALLOC_FREE(u); return werr; }
static BOOL pdb_generate_sam_sid(void) { DOM_SID domain_sid; char *fname = NULL; BOOL is_dc = False; if(global_sam_sid==NULL) if(!(global_sam_sid=(DOM_SID *)malloc(sizeof(DOM_SID)))) return False; generate_wellknown_sids(); switch (lp_server_role()) { case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: is_dc = True; break; default: is_dc = False; break; } if (is_dc) { if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { sid_copy(global_sam_sid, &domain_sid); return True; } } if (secrets_fetch_domain_sid(global_myname(), global_sam_sid)) { /* We got our sid. If not a pdc/bdc, we're done. */ if (!is_dc) return True; if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { /* No domain sid and we're a pdc/bdc. Store it */ if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Can't store domain SID as a pdc/bdc.\n")); return False; } return True; } if (!sid_equal(&domain_sid, global_sam_sid)) { /* Domain name sid doesn't match global sam sid. Re-store domain sid as 'local' sid. */ DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n")); if (!secrets_store_domain_sid(global_myname(), &domain_sid)) { DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID for local sid as PDC/BDC.\n")); return False; } return True; } return True; } /* check for an old MACHINE.SID file for backwards compatibility */ asprintf(&fname, "%s/MACHINE.SID", lp_private_dir()); if (read_sid_from_file(fname, global_sam_sid)) { /* remember it for future reference and unlink the old MACHINE.SID */ if (!secrets_store_domain_sid(global_myname(), global_sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store SID from file.\n")); SAFE_FREE(fname); return False; } unlink(fname); if (is_dc) { if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store domain SID from file.\n")); SAFE_FREE(fname); return False; } } /* Stored the old sid from MACHINE.SID successfully.*/ SAFE_FREE(fname); return True; } SAFE_FREE(fname); /* we don't have the SID in secrets.tdb, we will need to generate one and save it */ generate_random_sid(global_sam_sid); if (!secrets_store_domain_sid(global_myname(), global_sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store generated machine SID.\n")); return False; } if (is_dc) { if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store generated domain SID.\n")); return False; } } return True; }
BOOL pdb_generate_sam_sid(void) { char *fname = NULL; extern pstring global_myname; extern fstring global_myworkgroup; BOOL is_dc = False; pstring priv_dir; generate_wellknown_sids(); switch (lp_server_role()) { case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: is_dc = True; break; default: is_dc = False; break; } if (secrets_fetch_domain_sid(global_myname, &global_sam_sid)) { DOM_SID domain_sid; /* We got our sid. If not a pdc/bdc, we're done. */ if (!is_dc) return True; if (!secrets_fetch_domain_sid(global_myworkgroup, &domain_sid)) { /* No domain sid and we're a pdc/bdc. Store it */ if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Can't store domain SID as a pdc/bdc.\n")); return False; } return True; } if (!sid_equal(&domain_sid, &global_sam_sid)) { /* Domain name sid doesn't match global sam sid. Re-store global sam sid as domain sid. */ DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n")); if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID as a pdc/bdc.\n")); return False; } return True; } return True; } /* check for an old MACHINE.SID file for backwards compatibility */ get_private_directory(priv_dir); asprintf(&fname, "%s/MACHINE.SID", priv_dir); if (read_sid_from_file(fname, &global_sam_sid)) { /* remember it for future reference and unlink the old MACHINE.SID */ if (!secrets_store_domain_sid(global_myname, &global_sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store SID from file.\n")); SAFE_FREE(fname); return False; } unlink(fname); if (is_dc) { if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store domain SID from file.\n")); SAFE_FREE(fname); return False; } } /* Stored the old sid from MACHINE.SID successfully. Patch from Stefan "metze" Metzmacher <*****@*****.**>*/ SAFE_FREE(fname); return True; } SAFE_FREE(fname); /* we don't have the SID in secrets.tdb, we will need to generate one and save it */ generate_random_sid(&global_sam_sid); DEBUG(10, ("Generated random SID ...\n")); if (!secrets_store_domain_sid(global_myname, &global_sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store generated machine SID.\n")); return False; } if (is_dc) { if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) { DEBUG(0,("pdb_generate_sam_sid: Failed to store generated domain SID.\n")); return False; } } return True; }
/******************************************************************* Process command line options ******************************************************************/ static void process_options(int argc, char **argv, BOOL amroot) { int ch; DOM_SID dom_sid; fstring sid_str; user_name[0] = '\0'; while ((ch = getopt(argc, argv, "c:axdehmnj:t:r:sw:R:D:U:LSW:X:")) != EOF) { switch(ch) { case 'L': local_mode = amroot = True; break; case 'c': pstrcpy(servicesf,optarg); break; case 'a': if (!amroot) goto bad_args; local_flags |= LOCAL_ADD_USER; break; case 'x': if (!amroot) goto bad_args; local_flags |= LOCAL_DELETE_USER; new_passwd = strdup_x("XXXXXX"); break; case 'd': if (!amroot) goto bad_args; local_flags |= LOCAL_DISABLE_USER; new_passwd = strdup_x("XXXXXX"); break; case 'e': if (!amroot) goto bad_args; local_flags |= LOCAL_ENABLE_USER; break; case 'm': if (!amroot) goto bad_args; local_flags |= LOCAL_TRUST_ACCOUNT; break; case 'n': if (!amroot) goto bad_args; local_flags |= LOCAL_SET_NO_PASSWORD; new_passwd = strdup_x("NO PASSWORD"); break; case 'j': if (!amroot) goto bad_args; new_domain = optarg; strupper(new_domain); joining_domain = True; break; case 't': if (!amroot) goto bad_args; new_domain = optarg; strupper(new_domain); changing_trust_pw = True; break; case 'r': remote_machine = optarg; break; case 'S': if (!amroot) goto bad_args; local_flags |= LOCAL_GET_DOM_SID; break; case 's': set_line_buffering(stdin); set_line_buffering(stdout); set_line_buffering(stderr); stdin_passwd_get = True; break; case 'w': if (!amroot) goto bad_args; #ifdef WITH_LDAP_SAM local_flags |= LOCAL_SET_LDAP_ADMIN_PW; fstrcpy(ldap_secret, optarg); break; #else printf("-w not available unless configured --with-ldapsam\n"); goto bad_args; #endif case 'R': if (!amroot) goto bad_args; lp_set_name_resolve_order(optarg); break; case 'D': DEBUGLEVEL = atoi(optarg); break; case 'U': { char *lp; got_username = True; fstrcpy(user_name, optarg); if ((lp = strchr(user_name, '%'))) { *lp = 0; fstrcpy(user_password, lp + 1); got_pass = True; memset(strchr(optarg, '%') + 1, 'X', strlen(user_password)); } } break; case 'W': /* Take the SID on the command line and make it ours */ if (!lp_load(servicesf,True,False,False)) { fprintf(stderr, "Can't load %s - run testparm to debug it\n", servicesf); exit(1); } if (!string_to_sid(&dom_sid, optarg)) { fprintf(stderr, "Invalid SID: %s\n", optarg); exit(1); } if (!secrets_init()) { fprintf(stderr, "Unable to open secrets database!\n"); exit(1); } if (!secrets_store_domain_sid(global_myname, &dom_sid)) { fprintf(stderr, "Unable to write the new SID %s as the server SID for %s\n", optarg, global_myname); exit(1); } /* * Now, write it to the workgroup as well, to make * things consistent. This is a risk however. */ if (!secrets_store_domain_sid(lp_workgroup(), &dom_sid)) { fprintf(stderr, "Unable to write the new SID %s as the domain SID for %s\n", optarg, lp_workgroup()); exit(1); } exit(0); break; case 'X': /* Extract the SID for a domain from secrets */ if (!lp_load(servicesf,True,False,False)) { fprintf(stderr, "Can't load %s - run testparm to debug it\n", servicesf); exit(1); } if (!secrets_init()) { fprintf(stderr, "Unable to open secrets database!\n"); exit(1); } if (secrets_fetch_domain_sid(optarg, &dom_sid)) { sid_to_string(sid_str, &dom_sid); printf("SID for domain %s is: %s\n", optarg, sid_str); exit(0); } else { fprintf(stderr, "Could not retrieve SID for domain: %s\n", optarg); exit(1); } break; case 'h': default: bad_args: usage(); } } argc -= optind; argv += optind; if (joining_domain && (argc != 0)) usage(); switch(argc) { case 0: if (!got_username) fstrcpy(user_name, ""); break; case 1: if (!amroot == 1) { new_passwd = argv[0]; break; } if (got_username) usage(); fstrcpy(user_name, argv[0]); break; case 2: if (!amroot || got_username || got_pass) usage(); fstrcpy(user_name, argv[0]); new_passwd = strdup_x(argv[1]); break; default: usage(); } }
WERROR spoolss_create_default_secdesc(TALLOC_CTX *mem_ctx, struct spoolss_security_descriptor **secdesc) { struct security_ace ace[7]; /* max number of ace entries */ int i = 0; uint32_t sa; struct security_acl *psa = NULL; struct security_descriptor *psd = NULL; struct dom_sid adm_sid; size_t sd_size; /* Create an ACE where Everyone is allowed to print */ sa = PRINTER_ACE_PRINT; init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_CONTAINER_INHERIT); /* Add the domain admins group if we are a DC */ if ( IS_DC ) { struct dom_sid domadmins_sid; sid_compose(&domadmins_sid, get_global_sam_sid(), DOMAIN_RID_ADMINS); sa = PRINTER_ACE_FULL_CONTROL; init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY); init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_CONTAINER_INHERIT); } else if (secrets_fetch_domain_sid(lp_workgroup(), &adm_sid)) { sid_append_rid(&adm_sid, DOMAIN_RID_ADMINISTRATOR); sa = PRINTER_ACE_FULL_CONTROL; init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY); init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_CONTAINER_INHERIT); } /* add BUILTIN\Administrators as FULL CONTROL */ sa = PRINTER_ACE_FULL_CONTROL; init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY); init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_CONTAINER_INHERIT); /* add BUILTIN\Print Operators as FULL CONTROL */ sa = PRINTER_ACE_FULL_CONTROL; init_sec_ace(&ace[i++], &global_sid_Builtin_Print_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY); init_sec_ace(&ace[i++], &global_sid_Builtin_Print_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_CONTAINER_INHERIT); /* Make the security descriptor owned by the BUILTIN\Administrators */ /* The ACL revision number in rpc_secdesc.h differs from the one created by NT when setting ACE entries in printer descriptors. NT4 complains about the property being edited by a NT5 machine. */ if ((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) != NULL) { psd = make_sec_desc(mem_ctx, SD_REVISION, SEC_DESC_SELF_RELATIVE, &global_sid_Builtin_Administrators, &global_sid_Builtin_Administrators, NULL, psa, &sd_size); } if (psd == NULL) { DEBUG(0,("construct_default_printer_sd: Failed to make SEC_DESC.\n")); return WERR_NOMEM; } DEBUG(4,("construct_default_printer_sdb: size = %u.\n", (unsigned int)sd_size)); *secdesc = psd; return WERR_OK; }