Merge lp:~ssalley/ubuntu/lucid/likewise-open/likewise-open.fix627272 into lp:ubuntu/lucid/likewise-open

Proposed by Scott Salley
Status: Needs review
Proposed branch: lp:~ssalley/ubuntu/lucid/likewise-open/likewise-open.fix627272
Merge into: lp:ubuntu/lucid/likewise-open
Diff against target: 1427 lines (+1234/-32)
14 files modified
debian/changelog (+49/-0)
debian/control (+7/-6)
debian/likewise-open.postinst (+34/-19)
debian/likewise-open.preinst (+9/-7)
debian/likewise-open.prerm (+9/-0)
debian/patches/assume_default_domain.diff (+334/-0)
debian/patches/disable_dcerpc_auto_start.diff (+26/-0)
debian/patches/ignore_group_update_failure_on_leave.diff (+37/-0)
debian/patches/lp-security-CVE-2010-0833.diff (+390/-0)
debian/patches/lsass_turn_off_ncacn_ip_tcp.diff (+39/-0)
debian/patches/lwupgrade_multi_sz.diff (+77/-0)
debian/patches/offline_v2.diff (+201/-0)
debian/patches/reg_import_multi_sz.diff (+14/-0)
debian/patches/series (+8/-0)
To merge this branch: bzr merge lp:~ssalley/ubuntu/lucid/likewise-open/likewise-open.fix627272
Reviewer: Dustin Kirkland, Status: Needs Fixing
Review via email: mp+42422@code.launchpad.net

Description of the change

These changes have been sitting in a PPA and tested by users and our QA team for a long while.

The changelog describes the changes in more detail but here is a short summary of fixed bugs:
lp:534629 AssumeDefaultDomain does not work
lp:575152 RequireMembershipOf Does Not Work
lp:591893 likewise-open depends on psmisc
lp:605326 Likewise open 5 or 6 conflicts with winbind
lp:572271 CacheEntryExpire setting ignored & default value of 4 hours is too low
lp:574443 likewise-open5 upgrade mangles RequireMembershipOf settings

Additionally, many bugs dealing with installation and upgrading were corrected, but matching them up to bug reports is difficult to do reproducibly.

Dustin Kirkland  (kirkland) wrote :

Hi there Scott,

Reviewing this merge proposal, a couple of comments...
 1) To note that a bug is fixed in the changelog, please use this syntax: "LP: #575019", rather than "LP BUG 575019"
 2) Usually, SRUs are held to a pretty tight standard, typically fixing one or two issues; this merge fixes 9 bugs
 3) Each of those 9 bugs is going to need an SRU statement in the main body, explaining a) the impact, b) an explanation of how the bug is fixed, c) a pointer to the commit or minimal patch that solves that one issue, d) detailed instructions on how to reproduce the bug, e) a description of the regression potential
   - See: https://wiki.ubuntu.com/StableReleaseUpdates

I'll be happy to sponsor this as soon as (1) is trivially fixed in your branch, and as soon as each bug is updated per (2). Then, the package will go into the -proposed queue, and we'll need you or someone else to go through each of those 9 bugs and work their way through the reproduce instructions, noting if the new package fixes the known bugs and does cause regression.

Thanks!
Dustin

review: Needs Fixing

Unmerged revisions

18. By Scott Salley

* patches/ignore_group_update_failure_on_leave.diff: Added upstream patch
  to prevent "domainjoin-XXX leave" from failing if user/admin domain
  groups could not be removed from the builtin user/admin groups
  (LP BUG 575019)
* patches/assume_default_domain.diff: Fix regression in AssumeDefaultDomain
  (LP BUG 534629)
* patches/offline_v2.diff: Additional offline logon fixes (LP BUG 572271)
* patches/lwupgrade_multi_sz.diff: Make preservation of multi-string values
  more robust (e.g. "RequireMembershipOf" LP BUG 574443)
* patches/reg_import_multi_sz.diff: Fix importing REG_MULTI_SZ strings
  that use the "\" character (LP BUG 575152)
* Added missing dependencies that prevent distribution and package upgrades
  from succeeding:
  - debian/control: Added libpam-runtime (LP BUG 627272, LP BUG 625105)
  - debian/control: Added psmisc (LP BUG 591893)
* Added statements to kill hung daemons that may prevent distribution and
  package upgrades from succeeding (LP BUG 621980):
  - debian/control: Added procps for pkill
  - debian/likewise-open.postinst, debian/likewise-open.preinst: Added
    explicit kill for daemons that may hang
* debian/control: Modified XSBC-Original-Maintainer as Gerald Carter would
  like Scott Salley to handle likewise-open.

17. By Gerald Carter <email address hidden>

Fix lsassd crash due to invalid hDirectory handle (LP: #610300).

16. By Scott Salley

* SECURITY UPDATE: local access restrictions bypass.
  - Set the Administrator account as disabled when first provisioned.
  - Explicitly mark lsassd local provider accounts as disabled
    if the account exists in its initial provisioned state
  - Force pam password changes, when run under the context of root services,
    to require the existing password for authentication
  - Enforce the "user cannot change password" field on local provider
    account in the provider interface as well as the RPC server interface
  - CVE-2010-0833
* likewise-open.postinst
  - Ensure that lsassd is properly restarted after upgrade

Preview Diff

=== modified file 'debian/changelog'
--- debian/changelog 2010-04-09 12:30:18 +0000
+++ debian/changelog 2010-12-01 21:33:36 +0000
@@ -1,3 +1,52 @@
1likewise-open (5.4.0.42111-2ubuntu2) lucid; urgency=low
2
3 * patches/ignore_group_update_failure_on_leave.diff: Added upstream patch
4 to prevent "domainjoin-XXX leave" from failing if user/admin domain
5 groups could not be removed from the builtin user/admin groups
6 (LP BUG 575019)
7 * patches/assume_default_domain.diff: Fix regression in AssumeDefaultDomain
8 (LP BUG 534629)
9 * patches/offline_v2.diff: Additional offline logon fixes (LP BUG 572271)
10 * patches/lwupgrade_mulit_sz.diff: Make preservation of multi-string values
11 more robust (e.g. "RequireMembershipOf" LP BUG 574443)
12 * patches/reg_import_multi_sz.diff: Fix importing REG_MULTI_SZ strings
13 that use the "\" character (LP BUG 575152)
14 * Added missing dependencies that prevent distribution and package upgrades
15 from succeeding:
16 - debian/control: Added libpam-runtime (LP BUG 627272, LP BUG 625105)
17 - debian/control: Added psmisc (LP BUG 591893)
18 * Added statements to kill hung daemons that may prevent distribution and
19 package upgrades from succeeding (LP BUG 621980):
20 - debian/control: Added procps for pkill
21 - debian/likewise-open.postinst, debian/likewise-open.preinst: Added
22 explict kill for daemons that may hang
23 * debian/control: Modified XSBC-Original-Maintainer as Gerald Cater would
24 like Scott Salley to handle likewise-open.
25
26 -- Scott Salley <ssalley@likewise.com> Wed, 13 Oct 2010 17:24:08 -0700
27
28likewise-open (5.4.0.42111-2ubuntu1.2) lucid-security; urgency=low
29
30 * Fix lsassd crash due to invalid hDirectory handle (LP: #610300).
31
32 -- Gerald Carter <gcarter@likewise.com> Tue, 27 Jul 2010 17:35:01 -0500
33
34likewise-open (5.4.0.42111-2ubuntu1.1) lucid-security; urgency=low
35
36 * SECURITY UPDATE: local access restrictions bypass.
37 - Set the Administrator account as disabled when first provisioned.
38 - Explicitly mark lsassd local provider accounts accounts as disabled
39 if the account exists in its initial provisioned state
40 - Force pam password changes, when run under the context of root services,
41 to require the existing password for authentication
42 - Enforce the "user cannot change password" field on local provider
43 account in the provider interface as well as the RPC server interface
44 - CVE-2010-0833
45 * likewise-open.postinst
46 - Ensure that lsassd is properly restarted after upgrade
47
48 -- Scott Salley <ssalley@likewise.com> Wed, 21 Jul 2010 13:54:00 -0700
49
1likewise-open (5.4.0.42111-2ubuntu1) lucid; urgency=low50likewise-open (5.4.0.42111-2ubuntu1) lucid; urgency=low
251
3 * Properly fix ARM FTBFS (LP: #517300)52 * Properly fix ARM FTBFS (LP: #517300)
453
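Review bot: the new 2ubuntu2 entry references bugs as "LP BUG 575019" etc., which the Launchpad changelog parser does not recognise; the closing syntax is "LP: #575019" (the 2ubuntu1.2 entry just below shows the right form). The entry also carries typos that the control-file fixes in this same branch are careful about: "lwupgrade_mulit_sz.diff" (the file added is debian/patches/lwupgrade_multi_sz.diff), "explict", "accounts accounts", and "Gerald Cater" for Gerald Carter. Two patches added by this branch, debian/patches/disable_dcerpc_auto_start.diff and debian/patches/lsass_turn_off_ncacn_ip_tcp.diff, are not mentioned in any changelog entry, so their behaviour change is undocumented for the SRU reviewer. Finally, the distribution field is "lucid" with version 2ubuntu2; a stable update is normally uploaded to lucid-proposed with a version that sorts above the lucid-security 2ubuntu1.2 but below any later development upload (e.g. 2ubuntu1.3), so please check the target and version against the SRU wiki page linked in the review.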
=== modified file 'debian/control'
--- debian/control 2010-04-09 12:30:18 +0000
+++ debian/control 2010-12-01 21:33:36 +0000
@@ -2,7 +2,7 @@
2Section: net2Section: net
3Priority: optional3Priority: optional
4Maintainer: Chuck Short <zulcss@ubuntu.com>4Maintainer: Chuck Short <zulcss@ubuntu.com>
5XSBC-Original-Maintainer: Gerald Carter <gcarter@likewise.com>5XSBC-Original-Maintainer: Scott Salley <ssalley@likewise.com>
6Build-Depends: autoconf (>=2.53), automake, bison, debhelper (>= 7),6Build-Depends: autoconf (>=2.53), automake, bison, debhelper (>= 7),
7 libglade2-dev, libncurses5-dev, libpam0g-dev, libpam-runtime,7 libglade2-dev, libncurses5-dev, libpam0g-dev, libpam-runtime,
8 libssl-dev, libtool, libsqlite3-dev, uuid-dev, quilt, rsync, libxml2,8 libssl-dev, libtool, libsqlite3-dev, uuid-dev, quilt, rsync, libxml2,
@@ -40,7 +40,7 @@
40Depends: ${misc:Depends}, likewise-open40Depends: ${misc:Depends}, likewise-open
41Architecture: all41Architecture: all
42Description: transitional dummy package42Description: transitional dummy package
43 This is a dummy package to faciliate clean upgrades. You can savely remove43 This is a dummy package to facilitate clean upgrades. You can safely remove
44 this package after the upgrade.44 this package after the upgrade.
4545
46Package: likewise-open5-eventlog46Package: likewise-open5-eventlog
@@ -48,7 +48,7 @@
48Depends: ${misc:Depends}, likewise-open48Depends: ${misc:Depends}, likewise-open
49Architecture: all49Architecture: all
50Description: transitional dummy package50Description: transitional dummy package
51 This is a dummy package to faciliate clean upgrades. You can savely remove51 This is a dummy package to facilitate clean upgrades. You can safely remove
52 this package after the upgrade.52 this package after the upgrade.
5353
54Package: likewise-open5-netlogon54Package: likewise-open5-netlogon
@@ -56,7 +56,7 @@
56Depends: ${misc:Depends}, likewise-open56Depends: ${misc:Depends}, likewise-open
57Architecture: all57Architecture: all
58Description: transitional dummy package58Description: transitional dummy package
59 This is a dummy package to faciliate clean upgrades. You can savely remove59 This is a dummy package to facilitate clean upgrades. You can safely remove
60 this package after the upgrade.60 this package after the upgrade.
6161
62Package: likewise-open5-rpc62Package: likewise-open5-rpc
@@ -64,12 +64,13 @@
64Depends: ${misc:Depends}, likewise-open64Depends: ${misc:Depends}, likewise-open
65Architecture: all65Architecture: all
66Description: transitional dummy package66Description: transitional dummy package
67 This is a dummy package to faciliate clean upgrades. You can savely remove67 This is a dummy package to facilitate clean upgrades. You can safely remove
68 this package after the upgrade.68 this package after the upgrade.
6969
70Package: likewise-open70Package: likewise-open
71Architecture: any71Architecture: any
72Depends: ${shlibs:Depends}, ${misc:Depends}, krb5-user72Depends: ${shlibs:Depends}, ${misc:Depends}, krb5-user, psmisc, libpam-runtime,
73 procps
73Suggests: likewise-open-gui74Suggests: likewise-open-gui
74Provides: likewise-open, likewise-open575Provides: likewise-open, likewise-open5
75Conflicts: likewise-open,76Conflicts: likewise-open,
7677
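Review bot: procps is added to Depends for pkill, which covers the postinst and prerm, but the changelog entry in this same diff states that the preinst also gained explicit kills; Depends are not guaranteed to be unpacked or configured when preinst runs, so a pkill call there needs procps in Pre-Depends (or the preinst must tolerate pkill being absent, e.g. by guarding with a `command -v pkill` test). libpam-runtime in Depends is correct for the `pam-auth-update --package` call in postinst.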
=== modified file 'debian/likewise-open.postinst'
--- debian/likewise-open.postinst 2010-01-05 16:21:34 +0000
+++ debian/likewise-open.postinst 2010-12-01 21:33:36 +0000
@@ -20,7 +20,7 @@
20 rm -rf "${UPGRADEDIR4}"20 rm -rf "${UPGRADEDIR4}"
2121
22 if [ -f /etc/likewise-open/lwiauthd.reg ]; then22 if [ -f /etc/likewise-open/lwiauthd.reg ]; then
23 $REGSHELL import /etc/likewise-open/lwiauthd.reg23 $REGSHELL upgrade /etc/likewise-open/lwiauthd.reg
2424
25 $DOMAINJOIN configure --enable nsswitch > /dev/null 2>&125 $DOMAINJOIN configure --enable nsswitch > /dev/null 2>&1
26 $DOMAINJOIN configure --enable ssh > /dev/null 2>&126 $DOMAINJOIN configure --enable ssh > /dev/null 2>&1
@@ -40,7 +40,7 @@
40 if [ -f $SOURCE ]; then40 if [ -f $SOURCE ]; then
41 $CONVERT $COMMAND $SOURCE $DEST > /dev/null 2>&1 || true41 $CONVERT $COMMAND $SOURCE $DEST > /dev/null 2>&1 || true
42 if [ -n "$DEST" -a -f "$DEST" ]; then42 if [ -n "$DEST" -a -f "$DEST" ]; then
43 $REGSHELL import $DEST43 $REGSHELL upgrade $DEST
44 fi44 fi
45 fi45 fi
46}46}
@@ -63,8 +63,9 @@
6363
64 $DOMAINJOIN configure --enable nsswitch > /dev/null 2>&164 $DOMAINJOIN configure --enable nsswitch > /dev/null 2>&1
65 $DOMAINJOIN configure --enable ssh > /dev/null 2>&165 $DOMAINJOIN configure --enable ssh > /dev/null 2>&1
66 $DOMAINJOIN configure --long `hostname --long` --short `hostname --short` \66 $DOMAINJOIN configure --long `hostname --long` \
67 --enable krb5 > /dev/null 2>&167 --short `hostname --short` \
68 --enable krb5 > /dev/null 2>&1
68}69}
6970
70case "$1" in71case "$1" in
@@ -79,18 +80,27 @@
79 ;;80 ;;
8081
81 configure)82 configure)
82 $LWSMD start83 # All daemons should be gone -- but sometimes they hang.
8384 pkill -KILL -x srvsvcd > /dev/null 2>&1 || true
84 $REGSHELL import /etc/likewise-open/dcerpcd.reg85 pkill -KILL -x lsassd > /dev/null 2>&1 || true
85 $REGSHELL import /etc/likewise-open/eventlogd.reg86 pkill -KILL -x lwiod > /dev/null 2>&1 || true
86 $REGSHELL import /etc/likewise-open/lwreg.reg87 pkill -KILL -x netlogond > /dev/null 2>&1 || true
87 $REGSHELL import /etc/likewise-open/lsassd.reg88 pkill -KILL -x eventlogd > /dev/null 2>&1 || true
88 $REGSHELL import /etc/likewise-open/lwiod.reg89 pkill -KILL -x dcerpcd > /dev/null 2>&1 || true
89 $REGSHELL import /etc/likewise-open/netlogond.reg90 pkill -KILL -x netlogond > /dev/null 2>&1 || true
90 $REGSHELL import /etc/likewise-open/pstore.reg91 pkill -KILL -x lwsmd > /dev/null 2>&1 || true
91 $REGSHELL import /etc/likewise-open/srvsvcd.reg92 pkill -KILL -x lwregd > /dev/null 2>&1 || true
9293
93 $LWSMD reload94 /usr/sbin/lwsmd --start-as-daemon
95
96 $REGSHELL upgrade /etc/likewise-open/dcerpcd.reg
97 $REGSHELL upgrade /etc/likewise-open/eventlogd.reg
98 $REGSHELL upgrade /etc/likewise-open/lwreg.reg
99 $REGSHELL upgrade /etc/likewise-open/lsassd.reg
100 $REGSHELL upgrade /etc/likewise-open/lwiod.reg
101 $REGSHELL upgrade /etc/likewise-open/netlogond.reg
102 $REGSHELL upgrade /etc/likewise-open/pstore.reg
103 $REGSHELL upgrade /etc/likewise-open/srvsvcd.reg
94104
95 if [ -n "$2" ]; then105 if [ -n "$2" ]; then
96 if dpkg --compare-versions "$2" le "4.1.2982-0ubuntu3"; then106 if dpkg --compare-versions "$2" le "4.1.2982-0ubuntu3"; then
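Review bot: `pkill -KILL -x netlogond > /dev/null 2>&1 || true` appears twice in this hunk (new lines 87 and 90); drop one. All kills are sent as SIGKILL with no preceding SIGTERM, at the very start of `configure`, so a registry or cache daemon from the previous version that is still flushing state is terminated mid-write; a TERM, short wait, then KILL only for survivors is the safer sequence. `/usr/sbin/lwsmd --start-as-daemon` hard-codes a path while the script already defines `$LWSMD` (the removed line was `$LWSMD start`), and the lwsmd started here is stopped and started again via /etc/init.d/lwsmd later in the same branch, so a comment explaining why the registry `upgrade` calls need lwsmd running before the restart would help the SRU reviewer.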
@@ -103,11 +113,16 @@
103 if [ -d "${UPGRADEDIR5}" ]; then113 if [ -d "${UPGRADEDIR5}" ]; then
104 import_machine_account_5_0114 import_machine_account_5_0
105 fi115 fi
106 fi116 fi
107117
108 # This will start all the sevices and hook things up in /etc/rc[0-6].d118 /etc/init.d/lwsmd stop
119
120 /etc/init.d/lwsmd start
121
109 $DOMAINJOIN query > /dev/null 2>&1122 $DOMAINJOIN query > /dev/null 2>&1
110123
124 /usr/bin/lwsm start lsass || true
125
111 pam-auth-update --package126 pam-auth-update --package
112 ;;127 ;;
113esac128esac
114129
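Review bot: `/usr/bin/lwsm start lsass || true` swallows a failure to start the authentication daemon, so a broken upgrade exits 0 and leaves a host with no lsassd; drop the `|| true` or at least print a warning when it fails. `/etc/init.d/lwsmd stop` and `start` are invoked directly; Debian policy asks maintainer scripts to go through `invoke-rc.d lwsmd stop` / `invoke-rc.d lwsmd start` so that policy-rc.d and runlevel configuration are honoured. The removed comment said this step also hooked things up in /etc/rc[0-6].d; confirm that rc-link registration still happens now that the start is done through the init script.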
=== modified file 'debian/likewise-open.preinst'
--- debian/likewise-open.preinst 2010-01-05 16:21:34 +0000
+++ debian/likewise-open.preinst 2010-12-01 21:33:36 +0000
@@ -62,13 +62,15 @@
6262
63 # remove obsolete conffiles from previous versions63 # remove obsolete conffiles from previous versions
64 if dpkg --compare-versions "$2" lt-nl "5.4.0"; then64 if dpkg --compare-versions "$2" lt-nl "5.4.0"; then
65 # from 4.165
66 rm_conffile /etc/samba/lwiauthd.conf66 # from 4.1
67 rm_conffile /etc/security/pam_lwidentity.conf67 rm_conffile /etc/samba/lwiauthd.conf
68 rm_conffile /etc/default/likewise-open68 rm_conffile /etc/security/pam_lwidentity.conf
69 rm_conffile /etc/init.d/likewise-open69 rm_conffile /etc/default/likewise-open
70 # from 5.070 rm_conffile /etc/init.d/likewise-open
71 rm_conffile /etc/init.d/npcmuxd71
72 # from 5.0
73 rm_conffile /etc/init.d/npcmuxd
72 fi74 fi
73 ;;75 ;;
7476
7577
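Review bot: the only change visible in this hunk is moving blank lines and the "# from 4.1" / "# from 5.0" comments around; whitespace-only churn makes an SRU diff harder to review and should be dropped. The changelog entry claims explicit daemon kills were added to the preinst, but no pkill call appears in this hunk, so please confirm the preview is complete or correct the changelog.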
=== modified file 'debian/likewise-open.prerm'
--- debian/likewise-open.prerm 2010-01-05 16:21:34 +0000
+++ debian/likewise-open.prerm 2010-12-01 21:33:36 +0000
@@ -26,6 +26,15 @@
26 $LWSMD stop26 $LWSMD stop
27 fi27 fi
2828
29 pkill -KILL -x srvsvcd > /dev/null 2>&1 || true
30 pkill -KILL -x lsassd > /dev/null 2>&1 || true
31 pkill -KILL -x lwiod > /dev/null 2>&1 || true
32 pkill -KILL -x netlogond > /dev/null 2>&1 || true
33 pkill -KILL -x eventlogd > /dev/null 2>&1 || true
34 pkill -KILL -x dcerpcd > /dev/null 2>&1 || true
35 pkill -KILL -x lwsmd > /dev/null 2>&1 || true
36 pkill -KILL -x lwregd > /dev/null 2>&1 || true
37
29 ;;38 ;;
3039
31 failed-upgrade)40 failed-upgrade)
3241
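Review bot: the SIGKILL list runs unconditionally right after `$LWSMD stop`, with no check whether any daemon is still alive and no TERM-then-wait step; if `$LWSMD stop` returns before its services have exited, lwregd and lsassd can be killed in the middle of writing their state. A `pkill -TERM`, a short wait, then `pkill -KILL` only for survivors would be gentler. This list duplicates the one in postinst (which lists netlogond twice); keep the two in sync.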
=== added file 'debian/patches/assume_default_domain.diff'
--- debian/patches/assume_default_domain.diff 1970-01-01 00:00:00 +0000
+++ debian/patches/assume_default_domain.diff 2010-12-01 21:33:36 +0000
@@ -0,0 +1,334 @@
1commit d1cba75403be0af010b5df5ba22a1d0704f29fc3
2Author: Brian Koropoff <bkoropoff@likewise.com>
3Date: Wed May 5 22:21:47 2010 +0000
4
5 svn merge -c 43891 /Platform/src/linux/lsass/server/auth-providers/ad-open-provider -> src/linux/lsass/server/auth-providers/ad-provider
6
7 (lsass: r43911)
8
9Index: likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/ad_marshal_group.c
10===================================================================
11--- likewise-open-5.4.0.42111.orig/lsass/server/auth-providers/ad-provider/ad_marshal_group.c 2010-05-07 08:37:00.000000000 +0200
12+++ likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/ad_marshal_group.c 2010-05-07 08:37:03.000000000 +0200
13@@ -59,12 +59,17 @@
14 PSTR pszResult = NULL;
15
16 if(pObject->type == LSA_OBJECT_TYPE_GROUP &&
17- !LW_IS_NULL_OR_EMPTY_STR(pObject->groupInfo.pszAliasName))
18+ !LW_IS_NULL_OR_EMPTY_STR(pObject->groupInfo.pszAliasName))
19 {
20 dwError = LwAllocateString(
21 pObject->groupInfo.pszAliasName,
22 &pszResult);
23 BAIL_ON_LSA_ERROR(dwError);
24+
25+ LwStrCharReplace(
26+ pszResult,
27+ ' ',
28+ AD_GetSpaceReplacement());
29 }
30 else if(pObject->type == LSA_OBJECT_TYPE_USER &&
31 !LW_IS_NULL_OR_EMPTY_STR(pObject->userInfo.pszAliasName))
32@@ -73,6 +78,11 @@
33 pObject->userInfo.pszAliasName,
34 &pszResult);
35 BAIL_ON_LSA_ERROR(dwError);
36+
37+ LwStrCharReplace(
38+ pszResult,
39+ ' ',
40+ AD_GetSpaceReplacement());
41 }
42 else
43 {
44Index: likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/batch_marshal.c
45===================================================================
46--- likewise-open-5.4.0.42111.orig/lsass/server/auth-providers/ad-provider/batch_marshal.c 2010-05-07 08:37:00.000000000 +0200
47+++ likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/batch_marshal.c 2010-05-07 08:37:03.000000000 +0200
48@@ -580,6 +580,28 @@
49 BAIL_ON_LSA_ERROR(dwError);
50 }
51
52+ /* Fix up alias fields when in AssumeDefaultDomain mode */
53+ if (AD_ShouldAssumeDefaultDomain() &&
54+ pObject->enabled &&
55+ ((pObject->type == LSA_OBJECT_TYPE_USER &&
56+ !pObject->userInfo.pszAliasName) ||
57+ (pObject->type == LSA_OBJECT_TYPE_GROUP &&
58+ !pObject->groupInfo.pszAliasName)) &&
59+ !strcmp(pObject->pszNetbiosDomainName, gpADProviderData->szShortDomain))
60+ {
61+ dwError = LwAllocateString(
62+ pObject->pszSamAccountName,
63+ pObject->type == LSA_OBJECT_TYPE_USER ?
64+ &pObject->userInfo.pszAliasName : &pObject->groupInfo.pszAliasName);
65+ BAIL_ON_LSA_ERROR(dwError);
66+
67+ LwStrCharReplace(
68+ pObject->type == LSA_OBJECT_TYPE_USER ?
69+ pObject->userInfo.pszAliasName : pObject->groupInfo.pszAliasName,
70+ ' ',
71+ AD_GetSpaceReplacement());
72+ }
73+
74 cleanup:
75 *ppObject = pObject;
76 return dwError;
77Index: likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/online.c
78===================================================================
79--- likewise-open-5.4.0.42111.orig/lsass/server/auth-providers/ad-provider/online.c 2010-05-07 08:37:00.000000000 +0200
80+++ likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/online.c 2010-05-07 08:37:03.000000000 +0200
81@@ -4087,6 +4087,112 @@
82
83 static
84 DWORD
85+AD_OnlineFindObjectByName(
86+ IN HANDLE hProvider,
87+ IN LSA_FIND_FLAGS FindFlags,
88+ IN OPTIONAL LSA_OBJECT_TYPE ObjectType,
89+ IN LSA_QUERY_TYPE QueryType,
90+ IN PCSTR pszLoginName,
91+ IN PLSA_LOGIN_NAME_INFO pUserNameInfo,
92+ OUT PLSA_SECURITY_OBJECT* ppObject
93+ )
94+{
95+ DWORD dwError = 0;
96+ PLSA_SECURITY_OBJECT pCachedUser = NULL;
97+
98+ switch(ObjectType)
99+ {
100+ case LSA_OBJECT_TYPE_USER:
101+ dwError = ADCacheFindUserByName(
102+ gpLsaAdProviderState->hCacheConnection,
103+ pUserNameInfo,
104+ &pCachedUser);
105+ break;
106+ case LSA_OBJECT_TYPE_GROUP:
107+ dwError = ADCacheFindGroupByName(
108+ gpLsaAdProviderState->hCacheConnection,
109+ pUserNameInfo,
110+ &pCachedUser);
111+ break;
112+ default:
113+ dwError = ADCacheFindUserByName(
114+ gpLsaAdProviderState->hCacheConnection,
115+ pUserNameInfo,
116+ &pCachedUser);
117+ if (dwError == LW_ERROR_NO_SUCH_USER ||
118+ dwError == LW_ERROR_NOT_HANDLED)
119+ {
120+ dwError = ADCacheFindGroupByName(
121+ gpLsaAdProviderState->hCacheConnection,
122+ pUserNameInfo,
123+ &pCachedUser);
124+ }
125+ break;
126+ }
127+
128+ if (dwError == LW_ERROR_SUCCESS)
129+ {
130+ dwError = AD_CheckExpiredObject(&pCachedUser);
131+ }
132+
133+ switch (dwError)
134+ {
135+ case LW_ERROR_SUCCESS:
136+ break;
137+ case LW_ERROR_NOT_HANDLED:
138+ case LW_ERROR_NO_SUCH_USER:
139+ case LW_ERROR_NO_SUCH_GROUP:
140+ case LW_ERROR_NO_SUCH_OBJECT:
141+ dwError = AD_FindObjectByNameTypeNoCache(
142+ hProvider,
143+ pszLoginName,
144+ pUserNameInfo->nameType,
145+ ObjectType,
146+ &pCachedUser);
147+ switch (dwError)
148+ {
149+ case LW_ERROR_SUCCESS:
150+ dwError = ADCacheStoreObjectEntry(
151+ gpLsaAdProviderState->hCacheConnection,
152+ pCachedUser);
153+ BAIL_ON_LSA_ERROR(dwError);
154+
155+ break;
156+ case LW_ERROR_NO_SUCH_USER:
157+ case LW_ERROR_NO_SUCH_GROUP:
158+ case LW_ERROR_NO_SUCH_OBJECT:
159+ case LW_ERROR_DOMAIN_IS_OFFLINE:
160+ dwError = LW_ERROR_SUCCESS;
161+ break;
162+ default:
163+ BAIL_ON_LSA_ERROR(dwError);
164+ break;
165+ }
166+ break;
167+ default:
168+ BAIL_ON_LSA_ERROR(dwError);
169+ }
170+
171+ *ppObject = pCachedUser;
172+
173+cleanup:
174+
175+ return dwError;
176+
177+error:
178+
179+ *ppObject = NULL;
180+
181+ if (pCachedUser)
182+ {
183+ LsaUtilFreeSecurityObject(pCachedUser);
184+ }
185+
186+ goto cleanup;
187+}
188+
189+static
190+DWORD
191 AD_OnlineFindObjectsByName(
192 IN HANDLE hProvider,
193 IN LSA_FIND_FLAGS FindFlags,
194@@ -4100,7 +4206,6 @@
195 DWORD dwError = 0;
196 PLSA_LOGIN_NAME_INFO pUserNameInfo = NULL;
197 PSTR pszLoginId_copy = NULL;
198- PLSA_SECURITY_OBJECT pCachedUser = NULL;
199 DWORD dwIndex = 0;
200 PLSA_SECURITY_OBJECT* ppObjects = NULL;
201 LSA_QUERY_TYPE type = LSA_QUERY_TYPE_UNDEFINED;
202@@ -4145,77 +4250,74 @@
203 BAIL_ON_LSA_ERROR(dwError);
204 }
205
206- switch(ObjectType)
207- {
208- case LSA_OBJECT_TYPE_USER:
209- dwError = ADCacheFindUserByName(
210- gpLsaAdProviderState->hCacheConnection,
211- pUserNameInfo,
212- &pCachedUser);
213- break;
214- case LSA_OBJECT_TYPE_GROUP:
215- dwError = ADCacheFindGroupByName(
216- gpLsaAdProviderState->hCacheConnection,
217- pUserNameInfo,
218- &pCachedUser);
219- break;
220- default:
221- dwError = ADCacheFindUserByName(
222- gpLsaAdProviderState->hCacheConnection,
223- pUserNameInfo,
224- &pCachedUser);
225- if (dwError == LW_ERROR_NO_SUCH_USER ||
226- dwError == LW_ERROR_NOT_HANDLED)
227- {
228- dwError = ADCacheFindGroupByName(
229- gpLsaAdProviderState->hCacheConnection,
230- pUserNameInfo,
231- &pCachedUser);
232- }
233- break;
234- }
235-
236- if (dwError == LW_ERROR_SUCCESS)
237- {
238- dwError = AD_CheckExpiredObject(&pCachedUser);
239- }
240+ dwError = AD_OnlineFindObjectByName(
241+ hProvider,
242+ FindFlags,
243+ ObjectType,
244+ QueryType,
245+ pszLoginId_copy,
246+ pUserNameInfo,
247+ &ppObjects[dwIndex]);
248
249 switch (dwError)
250 {
251 case LW_ERROR_SUCCESS:
252- ppObjects[dwIndex] = pCachedUser;
253- pCachedUser = NULL;
254 break;
255 case LW_ERROR_NOT_HANDLED:
256 case LW_ERROR_NO_SUCH_USER:
257 case LW_ERROR_NO_SUCH_GROUP:
258 case LW_ERROR_NO_SUCH_OBJECT:
259- dwError = AD_FindObjectByNameTypeNoCache(
260- hProvider,
261- pszLoginId_copy,
262- pUserNameInfo->nameType,
263- ObjectType,
264- &pCachedUser);
265- switch (dwError)
266+ case LW_ERROR_NOT_SUPPORTED:
267+ ppObjects[dwIndex] = NULL;
268+ dwError = LW_ERROR_SUCCESS;
269+
270+ if (QueryType == LSA_QUERY_TYPE_BY_ALIAS &&
271+ AD_ShouldAssumeDefaultDomain())
272 {
273- case LW_ERROR_SUCCESS:
274- dwError = ADCacheStoreObjectEntry(
275- gpLsaAdProviderState->hCacheConnection,
276- pCachedUser);
277+ LW_SAFE_FREE_STRING(pszLoginId_copy);
278+ LsaFreeNameInfo(pUserNameInfo);
279+ pUserNameInfo = NULL;
280+
281+ dwError = LwAllocateStringPrintf(
282+ &pszLoginId_copy,
283+ "%s\\%s",
284+ gpADProviderData->szShortDomain,
285+ QueryList.ppszStrings[dwIndex]);
286 BAIL_ON_LSA_ERROR(dwError);
287
288- ppObjects[dwIndex] = pCachedUser;
289- pCachedUser = NULL;
290- break;
291- case LW_ERROR_NO_SUCH_USER:
292- case LW_ERROR_NO_SUCH_GROUP:
293- case LW_ERROR_NO_SUCH_OBJECT:
294- case LW_ERROR_DOMAIN_IS_OFFLINE:
295- dwError = LW_ERROR_SUCCESS;
296- break;
297- default:
298+ LwStrCharReplace(
299+ pszLoginId_copy,
300+ AD_GetSpaceReplacement(),
301+ ' ');
302+
303+ dwError = LsaCrackDomainQualifiedName(
304+ pszLoginId_copy,
305+ gpADProviderData->szDomain,
306+ &pUserNameInfo);
307 BAIL_ON_LSA_ERROR(dwError);
308- break;
309+
310+ dwError = AD_OnlineFindObjectByName(
311+ hProvider,
312+ FindFlags,
313+ ObjectType,
314+ LSA_QUERY_TYPE_BY_NT4,
315+ pszLoginId_copy,
316+ pUserNameInfo,
317+ &ppObjects[dwIndex]);
318+ switch (dwError)
319+ {
320+ case LW_ERROR_SUCCESS:
321+ break;
322+ case LW_ERROR_NOT_HANDLED:
323+ case LW_ERROR_NO_SUCH_USER:
324+ case LW_ERROR_NO_SUCH_GROUP:
325+ case LW_ERROR_NO_SUCH_OBJECT:
326+ ppObjects[dwIndex] = NULL;
327+ dwError = LW_ERROR_SUCCESS;
328+ break;
329+ default:
330+ BAIL_ON_LSA_ERROR(dwError);
331+ }
332 }
333 break;
334 default:
0335
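Review bot: in the batch_marshal.c part, the alias fix-up is gated on `!strcmp(pObject->pszNetbiosDomainName, gpADProviderData->szShortDomain)`, a case-sensitive compare; NetBIOS domain names are case-insensitive, so a cached object whose domain is stored in a different case than szShortDomain silently gets no alias and the AssumeDefaultDomain lookup for it still fails, which is the LP 534629 symptom this patch is meant to fix. A case-insensitive compare would be safer. In the online.c retry path, `LwStrCharReplace(pszLoginId_copy, AD_GetSpaceReplacement(), ' ')` is applied to the whole "DOMAIN\\name" string, so the domain half is rewritten too if the short domain happens to contain the replacement character. The patch header is a raw git commit message; an SRU patch should carry a DEP-3 header (Description, Origin, Bug-Ubuntu) so the reviewer can trace it to upstream r43911 and the bug.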
=== added file 'debian/patches/disable_dcerpc_auto_start.diff'
--- debian/patches/disable_dcerpc_auto_start.diff 1970-01-01 00:00:00 +0000
+++ debian/patches/disable_dcerpc_auto_start.diff 2010-12-01 21:33:36 +0000
@@ -0,0 +1,26 @@
1Index: likewise-open-5.4.0.42111/domainjoin/domainjoin-cli/src/main.c
2===================================================================
3--- likewise-open-5.4.0.42111.orig/domainjoin/domainjoin-cli/src/main.c 2010-04-18 07:54:32.000000000 -0500
4+++ likewise-open-5.4.0.42111/domainjoin/domainjoin-cli/src/main.c 2010-04-18 07:55:33.000000000 -0500
5@@ -801,7 +801,7 @@
6 DWORD dwLogLevel;
7 BOOLEAN showHelp = FALSE;
8 BOOLEAN showInternalHelp = FALSE;
9- BOOLEAN bEnableDcerpcd = TRUE;
10+ BOOLEAN bEnableDcerpcd = FALSE;
11 int remainingArgs = argc;
12 char **argPos = argv;
13 int i;
14Index: likewise-open-5.4.0.42111/domainjoin/domainjoin-gui/gtk/main.c
15===================================================================
16--- likewise-open-5.4.0.42111.orig/domainjoin/domainjoin-gui/gtk/main.c 2010-04-18 07:54:32.000000000 -0500
17+++ likewise-open-5.4.0.42111/domainjoin/domainjoin-gui/gtk/main.c 2010-04-18 07:55:42.000000000 -0500
18@@ -589,7 +589,7 @@
19
20 gtk_init(&argc, &argv);
21
22- LW_TRY(&exc, DJNetInitialize(TRUE, &LW_EXC));
23+ LW_TRY(&exc, DJNetInitialize(FALSE, &LW_EXC));
24
25 do
26 {
027
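Review bot: this flips the default from starting dcerpcd on join (`bEnableDcerpcd = TRUE`, `DJNetInitialize(TRUE, ...)`) to not starting it, in both the CLI and the GTK tool, but the patch has no DEP-3 header and no changelog entry ties it to a bug or explains the regression potential for users who relied on dcerpcd being enabled after a join. Given Dustin's review, this is exactly the kind of change that needs its own SRU statement.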
=== added file 'debian/patches/ignore_group_update_failure_on_leave.diff'
--- debian/patches/ignore_group_update_failure_on_leave.diff 1970-01-01 00:00:00 +0000
+++ debian/patches/ignore_group_update_failure_on_leave.diff 2010-12-01 21:33:36 +0000
@@ -0,0 +1,37 @@
1commit 69148891011976fa239773af570c123023ac27ab
2Author: Gerald W. Carter <gcarter@likewiseopen.org>
3Date: Thu Apr 8 21:05:23 2010 +0000
4
5 lsass: Don't fail a "leave" if we cannot remove the domain groups from the builtin groups
6
7 Occurs in certain upgrade scenarios where "Domain {Admins,Users}" was not
8 added into the "Builtin\{Administrators,Users}" group
9
10 (lsass: r43096)
11
12diff --git a/lsass/join/join.c b/lsass/join/join.c
13index 0a694dc..ecafa4b 100644
14--- a/lsass/join/join.c
15+++ b/lsass/join/join.c
16@@ -725,13 +725,19 @@ LsaChangeDomainGroupMembership(
17 }
18 else
19 {
20+ // This should not cause the join to fail even if we cannot
21+ // remove the group members
22+
23 ntStatus = SamrDeleteAliasMember(hSamrBinding,
24 hAlias,
25 (*ppSid));
26- if (ntStatus == STATUS_MEMBER_NOT_IN_ALIAS)
27+ if ((ntStatus != STATUS_SUCCESS) &&
28+ (ntStatus != STATUS_NO_SUCH_MEMBER))
29 {
30- ntStatus = STATUS_SUCCESS;
31+ // Perhaps log an error here
32+ ;
33 }
34+ ntStatus = STATUS_SUCCESS;
35 }
36 BAIL_ON_NT_STATUS(ntStatus);
37 }
038
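Review bot: after this change `ntStatus = STATUS_SUCCESS;` (new line 34) runs unconditionally, so the `if ((ntStatus != STATUS_SUCCESS) && (ntStatus != STATUS_NO_SUCH_MEMBER))` block above it is an empty statement under a "Perhaps log an error here" comment; either log the failed status there (it would be the only record an administrator gets that the leave left the domain groups in the builtin aliases) or drop the dead check. The new comment at line 20 says "join" although, per the commit message, this is the leave path. The old code special-cased STATUS_MEMBER_NOT_IN_ALIAS while the new check names STATUS_NO_SUCH_MEMBER; moot now that the result is ignored, but worth tidying so the intent is clear.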
=== added file 'debian/patches/lp-security-CVE-2010-0833.diff'
--- debian/patches/lp-security-CVE-2010-0833.diff 1970-01-01 00:00:00 +0000
+++ debian/patches/lp-security-CVE-2010-0833.diff 2010-12-01 21:33:36 +0000
@@ -0,0 +1,390 @@
1diff -Nurb likewise-open-5.4.0.42111/lsass/interop/auth/pam/pam-passwd.c likewise-open-5.4.0.42111.patched/lsass/interop/auth/pam/pam-passwd.c
2--- likewise-open-5.4.0.42111/lsass/interop/auth/pam/pam-passwd.c 2010-03-12 20:33:45.000000000 -0800
3+++ likewise-open-5.4.0.42111.patched/lsass/interop/auth/pam/pam-passwd.c 2010-07-21 13:51:11.000000000 -0700
4@@ -293,7 +293,6 @@
5 PSTR pszPassword = NULL;
6 PSTR pszLoginId = NULL;
7 HANDLE hLsaConnection = (HANDLE)NULL;
8- BOOLEAN bCheckOldPassword = FALSE;
9
10 LSA_LOG_PAM_DEBUG("LsaPamUpdatePassword::begin");
11
12@@ -319,20 +318,11 @@
13 dwError = LsaOpenServer(&hLsaConnection);
14 BAIL_ON_LSA_ERROR(dwError);
15
16- dwError = LsaPamMustCheckCurrentPassword(
17- hLsaConnection,
18- pszLoginId,
19- &bCheckOldPassword);
20- BAIL_ON_LSA_ERROR(dwError);
21-
22- if (bCheckOldPassword)
23- {
24 dwError = LsaPamGetOldPassword(
25 pamh,
26 pPamContext,
27 &pszOldPassword);
28 BAIL_ON_LSA_ERROR(dwError);
29- }
30
31 dwError = LsaPamGetNewPassword(
32 pamh,
33@@ -340,23 +330,12 @@
34 &pszPassword);
35 BAIL_ON_LSA_ERROR(dwError);
36
37- if (bCheckOldPassword)
38- {
39 dwError = LsaChangePassword(
40 hLsaConnection,
41 pszLoginId,
42 pszPassword,
43 pszOldPassword);
44 BAIL_ON_LSA_ERROR(dwError);
45- }
46- else
47- {
48- dwError = LsaSetPassword(
49- hLsaConnection,
50- pszLoginId,
51- pszPassword);
52- BAIL_ON_LSA_ERROR(dwError);
53- }
54
55 cleanup:
56
57diff -Nurb likewise-open-5.4.0.42111/lsass/server/auth-providers/local-provider/includes.h likewise-open-5.4.0.42111.patched/lsass/server/auth-providers/local-provider/includes.h
58--- likewise-open-5.4.0.42111/lsass/server/auth-providers/local-provider/includes.h 2010-03-12 20:33:45.000000000 -0800
59+++ likewise-open-5.4.0.42111.patched/lsass/server/auth-providers/local-provider/includes.h 2010-07-21 13:51:11.000000000 -0700
60@@ -89,6 +89,8 @@
61 #include <lwrpc/LMcrypt.h>
62 #include <lwrpc/samr.h>
63
64+#include <lwmapsecurity/lwmapsecurity.h>
65+
66 #include <openssl/evp.h>
67 #include <openssl/md4.h>
68 #include <openssl/hmac.h>
69diff -Nurb likewise-open-5.4.0.42111/lsass/server/auth-providers/local-provider/lpdefs.h.in likewise-open-5.4.0.42111.patched/lsass/server/auth-providers/local-provider/lpdefs.h.in
70--- likewise-open-5.4.0.42111/lsass/server/auth-providers/local-provider/lpdefs.h.in 2010-03-12 20:33:45.000000000 -0800
71+++ likewise-open-5.4.0.42111.patched/lsass/server/auth-providers/local-provider/lpdefs.h.in 2010-07-21 13:51:11.000000000 -0700
72@@ -109,6 +109,8 @@
73 {'O','b','j','e','c','t','C','l','a','s','s',0}
74 #define LOCAL_DIR_ATTR_OBJECT_SID \
75 {'O','b','j','e','c','t','S','I','D',0}
76+#define LOCAL_DIR_ATTR_SECURITY_DESCRIPTOR \
77+ {'S','e','c','u','r','i','t','y','D','e','s','c','r','i','p','t','o','r',0}
78 #define LOCAL_DIR_ATTR_DISTINGUISHED_NAME \
79 {'D','i','s','t','i','n','g','u','i','s','h','e','d','N','a','m','e',0}
80 #define LOCAL_DIR_ATTR_DOMAIN \
81diff -Nurb likewise-open-5.4.0.42111/lsass/server/auth-providers/local-provider/lpuser.c likewise-open-5.4.0.42111.patched/lsass/server/auth-providers/local-provider/lpuser.c
82--- likewise-open-5.4.0.42111/lsass/server/auth-providers/local-provider/lpuser.c 2010-03-12 20:33:45.000000000 -0800
83+++ likewise-open-5.4.0.42111.patched/lsass/server/auth-providers/local-provider/lpuser.c 2010-07-21 13:51:11.000000000 -0700
84@@ -1136,7 +1136,75 @@
85 )
86 {
87 DWORD dwError = 0;
88+ NTSTATUS ntStatus = STATUS_SUCCESS;
89 PLOCAL_PROVIDER_CONTEXT pContext = (PLOCAL_PROVIDER_CONTEXT)hProvider;
90+ PLW_MAP_SECURITY_CONTEXT pSecCtx = NULL;
91+ PACCESS_TOKEN pUserToken = NULL;
92+ PWSTR pwszBase = NULL;
93+ DWORD dwScope = 0;
94+ PWSTR pwszFilter = NULL;
95+ WCHAR wszAttrSecurityDescriptor[] = LOCAL_DIR_ATTR_SECURITY_DESCRIPTOR;
96+
97+ PWSTR wszAttributes[] = {
98+ wszAttrSecurityDescriptor,
99+ NULL
100+ };
101+
102+ PDIRECTORY_ENTRY pUserEntry = NULL;
103+ DWORD dwNumEntries = 0;
104+ PSECURITY_DESCRIPTOR_ABSOLUTE pSecDesc = NULL;
105+ GENERIC_MAPPING GenericMapping = {0};
106+ DWORD dwAccessGranted = 0;
107+
108+ /*
109+ * Check if user has right to change the password first
110+ */
111+ ntStatus = LwMapSecurityCreateContext(&pSecCtx);
112+ BAIL_ON_NT_STATUS(ntStatus);
113+
114+ ntStatus = LwMapSecurityCreateAccessTokenFromUidGid(
115+ pSecCtx,
116+ &pUserToken,
117+ pContext->uid,
118+ pContext->gid);
119+ BAIL_ON_NT_STATUS(ntStatus);
120+
121+ dwError = DirectorySearch(
122+ pContext->hDirectory,
123+ pwszBase,
124+ dwScope,
125+ pwszFilter,
126+ wszAttributes,
127+ FALSE,
128+ &pUserEntry,
129+ &dwNumEntries);
130+ BAIL_ON_LSA_ERROR(dwError);
131+
132+ if (dwNumEntries == 0)
133+ {
134+ dwError = LW_ERROR_NO_SUCH_USER;
135+ }
136+ else if (dwNumEntries != 1)
137+ {
138+ dwError = LW_ERROR_DATA_ERROR;
139+ }
140+ BAIL_ON_LSA_ERROR(dwError);
141+
142+ dwError = DirectoryGetEntrySecurityDescriptor(
143+ pUserEntry,
144+ &pSecDesc);
145+ BAIL_ON_LSA_ERROR(dwError);
146+
147+ if (!RtlAccessCheck(pSecDesc,
148+ pUserToken,
149+ USER_ACCESS_CHANGE_PASSWORD,
150+ 0,
151+ &GenericMapping,
152+ &dwAccessGranted,
153+ &ntStatus))
154+ {
155+ BAIL_ON_NT_STATUS(ntStatus);
156+ }
157
158 dwError = DirectoryChangePassword(
159 pContext->hDirectory,
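Review bot: pwszFilter (line 94) and pwszBase (line 92) stay NULL, so the DirectorySearch at lines 121-129 is not restricted to the user whose password is being changed; the result is then judged only by count at lines 132-140, so the security descriptor fetched at lines 142-145 and checked at lines 147-156 may not be that user's at all. Build a filter from the caller's identity before the search (the LW_SAFE_FREE_MEMORY(pwszFilter) in the cleanup hunk suggests that was intended). Separately, if RtlAccessCheck returns FALSE while ntStatus is still STATUS_SUCCESS, the BAIL_ON_NT_STATUS at line 155 does nothing and execution falls through to DirectoryChangePassword; set an explicit access-denied status in that branch.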
160@@ -1145,9 +1213,29 @@
161 pwszNewPassword);
162 BAIL_ON_LSA_ERROR(dwError);
163
164-error:
165+cleanup:
166+ if (pUserEntry)
167+ {
168+ DirectoryFreeEntries(pUserEntry, dwNumEntries);
169+ }
170+
171+ LW_SAFE_FREE_MEMORY(pwszFilter);
172+
173+ DirectoryFreeEntrySecurityDescriptor(&pSecDesc);
174+
175+ RtlReleaseAccessToken(&pUserToken);
176+ LwMapSecurityFreeContext(&pSecCtx);
177+
178+ if (dwError == ERROR_SUCCESS &&
179+ ntStatus != STATUS_SUCCESS)
180+ {
181+ dwError = LwNtStatusToWin32Error(ntStatus);
182+ }
183
184 return dwError;
185+
186+error:
187+ goto cleanup;
188 }
189
190 DWORD
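Review bot: DirectoryFreeEntrySecurityDescriptor(&pSecDesc) and RtlReleaseAccessToken(&pUserToken) at lines 173-175 run unconditionally, including when the function bails before either object was created; pUserEntry gets an explicit guard at line 166 but these two do not, so confirm both accept a NULL pointer. The ntStatus-to-dwError mapping at lines 178-182 is correct and is what makes the access-check failure visible to the caller.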
191diff -Nurb likewise-open-5.4.0.42111/lsass/server/store/samdb/samdbinit.c likewise-open-5.4.0.42111.patched/lsass/server/store/samdb/samdbinit.c
192--- likewise-open-5.4.0.42111/lsass/server/store/samdb/samdbinit.c 2010-03-12 20:33:45.000000000 -0800
193+++ likewise-open-5.4.0.42111.patched/lsass/server/store/samdb/samdbinit.c 2010-07-21 13:51:47.000000000 -0700
194@@ -125,6 +125,11 @@
195 HANDLE hDirectory
196 );
197
198+static
199+DWORD
200+SamDbFixLocalAccounts(
201+ HANDLE hDirectory
202+ );
203
204 DWORD
205 DirectoryInitializeProvider(
206@@ -226,6 +231,7 @@
207 )
208 {
209 DWORD dwError = 0;
210+ HANDLE hDirectory1 = (HANDLE)NULL;
211 HANDLE hDirectory = (HANDLE)NULL;
212 PSAM_DIRECTORY_CONTEXT pDirectory = NULL;
213 PCSTR pszDbDirPath = SAM_DB_DIR;
214@@ -240,6 +246,12 @@
215 // TODO: Implement an upgrade scenario
216 if (bExists)
217 {
218+ dwError = SamDbOpen(&hDirectory1);
219+ BAIL_ON_SAMDB_ERROR(dwError);
220+
221+ dwError = SamDbFixLocalAccounts(hDirectory1);
222+ BAIL_ON_SAMDB_ERROR(dwError);
223+
224 goto cleanup;
225 }
226
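Review bot: SamDbFixLocalAccounts now runs every time DirectoryInitializeProvider finds an existing database, and a failure at line 221 makes provider initialisation fail. Failing closed is the right choice for an account that would otherwise stay enabled without a password, but log the error at the bail so an administrator can tell why the local provider refused to start, and update the "TODO: Implement an upgrade scenario" comment above, which this hunk partly resolves.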
227@@ -284,6 +296,10 @@
228 BAIL_ON_SAMDB_ERROR(dwError);
229
230 cleanup:
231+ if (hDirectory1)
232+ {
233+ SamDbClose(hDirectory1);
234+ }
235
236 if (hDirectory)
237 {
238@@ -1193,7 +1209,7 @@
239 "computer/domain",
240 .pszShell = SAM_DB_DEFAULT_ADMINISTRATOR_SHELL,
241 .pszHomedir = SAM_DB_DEFAULT_ADMINISTRATOR_HOMEDIR,
242- .flags = SAMDB_ACB_NORMAL,
243+ .flags = SAMDB_ACB_NORMAL | SAMDB_ACB_DISABLED,
244 .objectClass = SAMDB_OBJECT_CLASS_USER
245 },
246 {
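Review bot: adding SAMDB_ACB_DISABLED at line 243 only affects the default Administrator record written into a freshly created database; existing databases rely on SamDbFixLocalAccounts, which disables an account only when its NT hash is empty, so an existing enabled Administrator that does have a hash keeps its state. State that in the patch header so the two halves of the fix are read together.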
247@@ -1786,6 +1802,143 @@
248 goto cleanup;
249 }
250
251+static
252+DWORD
253+SamDbFixLocalAccounts(
254+ HANDLE hDirectory
255+ )
256+{
257+
258+ DWORD dwError = 0;
259+ const wchar_t wszUserObjectFilterFmt[] = L"%ws = %u";
260+ const DWORD dwInt32StrSize = 10;
261+ WCHAR wszAttrObjectClass[] = SAM_DB_DIR_ATTR_OBJECT_CLASS;
262+ WCHAR wszAttrObjectDN[] = SAM_DB_DIR_ATTR_DISTINGUISHED_NAME;
263+ WCHAR wszAttrAccountFlags[] = SAM_DB_DIR_ATTR_ACCOUNT_FLAGS;
264+ WCHAR wszAttrNtHash[] = SAM_DB_DIR_ATTR_NT_HASH;
265+ DWORD dwUserObjectFilterLen = 0;
266+ PWSTR pwszUserObjectFilter = NULL;
267+ ULONG ulScope = 0;
268+ ULONG ulAttributesOnly = 0;
269+ PWSTR pwszBase = NULL;
270+ PWSTR wszAttributes[] = {
271+ &wszAttrObjectDN[0],
272+ &wszAttrAccountFlags[0],
273+ &wszAttrNtHash[0],
274+ NULL
275+ };
276+
277+ PDIRECTORY_ENTRY pUserEntries = NULL;
278+ DWORD dwNumUserEntries = 0;
279+ PDIRECTORY_ENTRY pUserEntry = NULL;
280+ DWORD iEntry = 0;
281+ PWSTR pwszUserObjectDN = NULL;
282+ DWORD dwAccountFlags = 0;
283+ POCTET_STRING pNtHash = NULL;
284+ DWORD iMod = 0;
285+
286+ enum AttrValueIndex {
287+ ATTR_VAL_IDX_ACCOUNT_FLAGS = 0,
288+ ATTR_VAL_IDX_SENTINEL
289+ };
290+
291+ ATTRIBUTE_VALUE AttrValues[] = {
292+ { /* ATTR_VAL_IDX_ACCOUNT_FLAGS */
293+ .Type = DIRECTORY_ATTR_TYPE_LARGE_INTEGER,
294+ .data.ulValue = 0
295+ }
296+ };
297+
298+ DIRECTORY_MOD ModAccountFlags = {
299+ DIR_MOD_FLAGS_REPLACE,
300+ wszAttrAccountFlags,
301+ 1,
302+ &AttrValues[ATTR_VAL_IDX_ACCOUNT_FLAGS]
303+ };
304+
305+ DIRECTORY_MOD Mods[ATTR_VAL_IDX_SENTINEL + 1];
306+ memset(&Mods, 0, sizeof(Mods));
307+
308+ dwUserObjectFilterLen = (sizeof(wszAttrObjectClass)/sizeof(wszAttrObjectClass[0]) +
309+ dwInt32StrSize +
310+ sizeof(wszUserObjectFilterFmt));
311+ dwError = LwAllocateMemory(dwUserObjectFilterLen * sizeof(WCHAR),
312+ OUT_PPVOID(&pwszUserObjectFilter));
313+ BAIL_ON_SAMDB_ERROR(dwError);
314+
315+ if (sw16printfw(pwszUserObjectFilter, dwUserObjectFilterLen,
316+ wszUserObjectFilterFmt,
317+ &wszAttrObjectClass[0], SAMDB_OBJECT_CLASS_USER) < 0)
318+ {
319+ dwError = LwErrnoToWin32Error(errno);
320+ BAIL_ON_SAMDB_ERROR(dwError);
321+ }
322+
323+ dwError = SamDbSearchObject(hDirectory,
324+ pwszBase,
325+ ulScope,
326+ pwszUserObjectFilter,
327+ wszAttributes,
328+ ulAttributesOnly,
329+ &pUserEntries,
330+ &dwNumUserEntries);
331+ BAIL_ON_SAMDB_ERROR(dwError);
332+
333+ for (iEntry = 0; iEntry < dwNumUserEntries; iEntry++)
334+ {
335+ pUserEntry = &(pUserEntries[iEntry]);
336+
337+ dwError = DirectoryGetEntryAttrValueByName(
338+ pUserEntry,
339+ wszAttrObjectDN,
340+ DIRECTORY_ATTR_TYPE_UNICODE_STRING,
341+ &pwszUserObjectDN);
342+ BAIL_ON_SAMDB_ERROR(dwError);
343+
344+ dwError = DirectoryGetEntryAttrValueByName(
345+ pUserEntry,
346+ wszAttrAccountFlags,
347+ DIRECTORY_ATTR_TYPE_INTEGER,
348+ &dwAccountFlags);
349+ BAIL_ON_SAMDB_ERROR(dwError);
350+
351+ dwError = DirectoryGetEntryAttrValueByName(
352+ pUserEntry,
353+ wszAttrNtHash,
354+ DIRECTORY_ATTR_TYPE_OCTET_STREAM,
355+ &pNtHash);
356+ BAIL_ON_SAMDB_ERROR(dwError);
357+
358+ if ((pNtHash == NULL || pNtHash->ulNumBytes == 0) &&
359+ !(dwAccountFlags & SAMDB_ACB_DISABLED))
360+ {
361+ dwAccountFlags |= SAMDB_ACB_DISABLED;
362+
363+ AttrValues[ATTR_VAL_IDX_ACCOUNT_FLAGS].data.ulValue = dwAccountFlags;
364+
365+ Mods[iMod++] = ModAccountFlags;
366+
367+ dwError = SamDbModifyObject(hDirectory,
368+ pwszUserObjectDN,
369+ Mods);
370+ BAIL_ON_SAMDB_ERROR(dwError);
371+ }
372+ }
373+
374+cleanup:
375+ if (pUserEntries)
376+ {
377+ DirectoryFreeEntries(pUserEntries, dwNumUserEntries);
378+ }
379+
380+ LW_SAFE_FREE_MEMORY(pwszUserObjectFilter);
381+
382+ return dwError;
383+
384+error:
385+ goto cleanup;
386+}
387+
388
389 /*
390 local variables:
0391
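Review bot: iMod is never reset inside the loop at lines 333-372, so the first matching user fills Mods[0], the second fills Mods[1] (leaving no zeroed terminator in the two-element array declared at line 305 and cleared at line 306), and a third matching user writes Mods[2], past the end of the array on the stack. Set `iMod = 0;` at the top of each iteration, or drop the counter and assign `Mods[0] = ModAccountFlags;` with Mods[1] left as the terminator. Two smaller points: the account flags are read as DIRECTORY_ATTR_TYPE_INTEGER (line 347) but written back as DIRECTORY_ATTR_TYPE_LARGE_INTEGER (line 293), so confirm the store treats the two the same; and dwUserObjectFilterLen at lines 308-310 adds sizeof(wszUserObjectFilterFmt), a byte count, to a WCHAR count, which only over-allocates but reads as a unit mix-up.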
=== added file 'debian/patches/lsass_turn_off_ncacn_ip_tcp.diff'
--- debian/patches/lsass_turn_off_ncacn_ip_tcp.diff 1970-01-01 00:00:00 +0000
+++ debian/patches/lsass_turn_off_ncacn_ip_tcp.diff 2010-12-01 21:33:36 +0000
@@ -0,0 +1,39 @@
1Index: likewise-open-5.4.0.42111/lsass/server/rpc/dssetup/dssetup_srv.c
2===================================================================
3--- likewise-open-5.4.0.42111.orig/lsass/server/rpc/dssetup/dssetup_srv.c 2010-04-17 14:55:19.000000000 -0500
4+++ likewise-open-5.4.0.42111/lsass/server/rpc/dssetup/dssetup_srv.c 2010-04-17 14:56:31.000000000 -0500
5@@ -118,7 +118,7 @@
6
7 ENDPOINT EndPoints[] = {
8 { "ncacn_np", "\\\\pipe\\\\lsass" },
9- { "ncacn_ip_tcp", NULL },
10+ // { "ncacn_ip_tcp", NULL },
11 { NULL, NULL }
12 };
13 DWORD dwError = 0;
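Review bot: commenting out the ncacn_ip_tcp endpoint in the dssetup server here, and in the lsa and samr servers in the two hunks below, leaves only the named-pipe and local transports registered, which is the intended reduction of what lsass exposes over the network; delete the lines rather than leaving them commented out, and note that debian/patches/series lists this patch with a leading '#', so as submitted it is shipped but never applied.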
14Index: likewise-open-5.4.0.42111/lsass/server/rpc/lsa/lsa_srv.c
15===================================================================
16--- likewise-open-5.4.0.42111.orig/lsass/server/rpc/lsa/lsa_srv.c 2010-04-17 14:55:19.000000000 -0500
17+++ likewise-open-5.4.0.42111/lsass/server/rpc/lsa/lsa_srv.c 2010-04-17 14:56:06.000000000 -0500
18@@ -119,7 +119,7 @@
19 ENDPOINT EndPoints[] = {
20 { "ncacn_np", "\\\\pipe\\\\lsarpc" },
21 { "ncacn_np", "\\\\pipe\\\\lsass" },
22- { "ncacn_ip_tcp", NULL },
23+ // { "ncacn_ip_tcp", NULL },
24 { "ncalrpc", NULL }, /* endpoint is fetched from config parameter */
25 { NULL, NULL }
26 };
27Index: likewise-open-5.4.0.42111/lsass/server/rpc/samr/samr_srv.c
28===================================================================
29--- likewise-open-5.4.0.42111.orig/lsass/server/rpc/samr/samr_srv.c 2010-04-17 14:55:19.000000000 -0500
30+++ likewise-open-5.4.0.42111/lsass/server/rpc/samr/samr_srv.c 2010-04-17 14:55:51.000000000 -0500
31@@ -121,7 +121,7 @@
32 PCSTR pszDescription = "Security Accounts Manager";
33 ENDPOINT EndPoints[] = {
34 { "ncacn_np", "\\\\pipe\\\\samr" },
35- { "ncacn_ip_tcp", NULL },
36+ // { "ncacn_ip_tcp", NULL },
37 { "ncalrpc", NULL }, /* endpoint is fetched from config parameter */
38 { NULL, NULL }
39 };
040
=== added file 'debian/patches/lwupgrade_multi_sz.diff'
--- debian/patches/lwupgrade_multi_sz.diff 1970-01-01 00:00:00 +0000
+++ debian/patches/lwupgrade_multi_sz.diff 2010-12-01 21:33:36 +0000
@@ -0,0 +1,77 @@
1commit a1812bb292173c1e7265b6ab523a0df78b1010d5
2Author: Scott Salley <ssalley@likewise.com>
3Date: Mon May 3 23:14:34 2010 +0000
4
5 Merge: -c 43867 ^/trunk/Platform -> ~/branches/lwidentity-5.4
6
7 Multistring handling was extremely poor, now it is a bit better.
8
9 (lwupgrade: r43874)
10
11diff --git a/lwupgrade/utils/convert.c b/lwupgrade/utils/convert.c
12index f399d93..381bb03 100644
13--- a/lwupgrade/utils/convert.c
14+++ b/lwupgrade/utils/convert.c
15@@ -47,12 +47,18 @@ UpStringToMultiString(
16 DWORD i = 0;
17 DWORD j = 0;
18 PSTR pszCompactIn = NULL;
19- DWORD dwLength = 0;
20
21- // First, remove all whitespace from the string.
22- dwError = LwAllocateString(pszIn, &pszCompactIn);
23+ // Make a copy of the string, reserving enough space for terminator.
24+ dwError = LwAllocateMemory(strlen(pszIn) + 2, (PVOID*)&pszCompactIn);
25 BAIL_ON_UP_ERROR(dwError);
26
27+ memcpy(pszCompactIn, pszIn, strlen(pszIn) + 1);
28+
29+ // First, remove all whitespace from the string.
30+ //dwError = LwAllocateString(pszIn, &pszCompactIn);
31+ //BAIL_ON_UP_ERROR(dwError);
32+
33+
34 i = 0;
35 j = 0;
36 while (pszCompactIn[i])
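Review bot: lines 29-31 keep the old LwAllocateString call as commented-out code under a "First, remove all whitespace" comment that now describes nothing; delete them, and extend the comment at line 23 to say why the copy is strlen(pszIn) + 2 bytes, namely to leave room for the second NUL that terminates a multi-string.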
37@@ -79,16 +85,20 @@ UpStringToMultiString(
38 bCharacterIsDelimiter = TRUE;
39 }
40
41+ // Don't want to delimiters in a row.
42 if (!(bPreviousCharacterIsDelimiter && bCharacterIsDelimiter))
43 {
44 pszCompactIn[j++] = pszCompactIn[i];
45- bPreviousCharacterIsDelimiter = bCharacterIsDelimiter;
46 }
47+
48+ bPreviousCharacterIsDelimiter = bCharacterIsDelimiter;
49 i++;
50 }
51+ pszCompactIn[j++] = '\0';
52
53
54 // Finally, replace all delmiters with '\0'.
55+ i = 0;
56 while (pszCompactIn[i])
57 {
58 if (strchr(pszDelims, pszCompactIn[i]))
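Review bot: typo in the new comment at line 41, "Don't want to delimiters in a row" should read "Don't want two delimiters in a row". The logic change is right: bPreviousCharacterIsDelimiter is now updated for every character (line 48) rather than only for characters that were kept, so runs of delimiters collapse to one, and the '\0' written at line 51 terminates the compacted string. One edge case remains: if bPreviousCharacterIsDelimiter starts out FALSE, a leading delimiter in pszIn is kept, becomes an empty first element once delimiters are replaced by '\0', and so terminates the resulting multi-string immediately; initialise the flag to TRUE or skip leading delimiters.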
59@@ -97,17 +107,7 @@ UpStringToMultiString(
60 }
61 i++;
62 }
63-
64- // Third, remove all 'empty' strings.
65- dwLength = i;
66- while (i < dwLength - 1)
67- {
68- if (!pszCompactIn[i] && !pszCompactIn[i + 1])
69- {
70- pszCompactIn[j++] = pszCompactIn[i];
71- }
72- i++;
73- }
74+ pszCompactIn[i+1] = '\0';
75
76 cleanup:
77
078
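Review bot: `pszCompactIn[i+1] = '\0'` at line 74 writes the multi-string's second terminator one byte past the string's own NUL, which is only in bounds because the first hunk allocates strlen(pszIn) + 2; add a comment at line 74 that ties the two together. Dropping the "remove all 'empty' strings" pass is fine now that duplicate delimiters are collapsed during compaction.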
=== added file 'debian/patches/offline_v2.diff'
--- debian/patches/offline_v2.diff 1970-01-01 00:00:00 +0000
+++ debian/patches/offline_v2.diff 2010-12-01 21:33:36 +0000
@@ -0,0 +1,201 @@
1Index: likewise-open-5.4.0.42111/lsass/common/utils/lsalist.c
2===================================================================
3--- likewise-open-5.4.0.42111.orig/lsass/common/utils/lsalist.c 2010-06-17 22:17:40.000000000 -0700
4+++ likewise-open-5.4.0.42111/lsass/common/utils/lsalist.c 2010-06-17 22:20:26.000000000 -0700
5@@ -106,6 +106,7 @@
6 {
7 Element->Prev->Next = Element->Next;
8 Element->Next->Prev = Element->Prev;
9+ LsaListInit(Element);
10 }
11
12 LSA_LIST_LINKS*
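Review bot: re-initialising the removed element at line 9 is a sound defensive change, since a later LsaListRemove on the same element then only touches the element itself instead of rewriting its former neighbours' links; a one-line comment stating that intent would help the next reader.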
13Index: likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/offline.c
14===================================================================
15--- likewise-open-5.4.0.42111.orig/lsass/server/auth-providers/ad-provider/offline.c 2010-06-17 22:17:40.000000000 -0700
16+++ likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/offline.c 2010-06-17 22:20:50.000000000 -0700
17@@ -111,7 +111,7 @@
18 &pszNT4UserName,
19 "%s\\%s",
20 pUserInfo->pszNetbiosDomainName,
21- pUserInfo->userInfo.pszUPN);
22+ pUserInfo->pszSamAccountName);
23 BAIL_ON_LSA_ERROR(dwError);
24
25 dwError = LsaUmAddUser(
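Review bot: the NT4 name built at lines 19-22 previously combined the NetBIOS domain with the UPN, giving DOMAIN\user@realm; pszSamAccountName is the correct second half. Since this name is what LsaUmAddUser receives, say in the changelog whether offline entries recorded by earlier builds under the old form need any migration.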
26@@ -592,11 +592,6 @@
27 break;
28 }
29
30- if (dwError == LW_ERROR_SUCCESS)
31- {
32- dwError = AD_CheckExpiredObject(&pCachedUser);
33- }
34-
35 switch (dwError)
36 {
37 case LW_ERROR_SUCCESS:
38@@ -681,10 +676,6 @@
39 dwError = LW_ERROR_INVALID_PARAMETER;
40 BAIL_ON_LSA_ERROR(dwError);
41 }
42- if (dwError == LW_ERROR_SUCCESS)
43- {
44- dwError = AD_CheckExpiredObject(&pCachedUser);
45- }
46
47 switch (dwError)
48 {
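Review bot: removing AD_CheckExpiredObject from both offline lookup paths (this hunk and the one above) means a cached user is returned regardless of its age while the domain is unreachable, rather than being reported as missing; that is what an offline mode needs, but record in the patch header that the cache expiry setting no longer applies while offline.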
49@@ -834,10 +825,19 @@
50 PLSA_GROUP_MEMBERSHIP* ppMemberships = NULL;
51 // Only free top level array, do not free string pointers.
52 PSTR pszGroupSid = NULL;
53- PLSA_SECURITY_OBJECT pUserInfo = NULL;
54+ PLSA_SECURITY_OBJECT* ppUserObject = NULL;
55 DWORD dwIndex = 0;
56
57- dwError = AD_FindObjectBySid(hProvider, pszSid, &pUserInfo);
58+ dwError = AD_OfflineFindObjectsBySidList(
59+ 1,
60+ &pszSid,
61+ &ppUserObject);
62+ BAIL_ON_LSA_ERROR(dwError);
63+
64+ if (!ppUserObject[0])
65+ {
66+ dwError = LW_ERROR_NO_SUCH_USER;
67+ }
68 BAIL_ON_LSA_ERROR(dwError);
69
70 dwError = ADCacheGetGroupsForUser(
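Review bot: the NULL check on ppUserObject[0] at lines 64-67 is necessary because the list call can succeed without finding the SID, and it is matched by ADCacheSafeFreeObjectList(1, &ppUserObject) in the cleanup hunk below, so the pair is consistent. Note in the header that the lookup no longer uses hProvider, which is what keeps this function on the offline cache path.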
71@@ -874,7 +874,7 @@
72 cleanup:
73
74 LW_SAFE_FREE_MEMORY(pszGroupSid);
75- ADCacheSafeFreeObject(&pUserInfo);
76+ ADCacheSafeFreeObjectList(1, &ppUserObject);
77 ADCacheSafeFreeGroupMembershipList(sMembershipCount, &ppMemberships);
78
79 return dwError;
80Index: likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/online.c
81===================================================================
82--- likewise-open-5.4.0.42111.orig/lsass/server/auth-providers/ad-provider/online.c 2010-06-17 22:17:40.000000000 -0700
83+++ likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/online.c 2010-06-17 22:20:50.000000000 -0700
84@@ -4161,7 +4161,6 @@
85 case LW_ERROR_NO_SUCH_USER:
86 case LW_ERROR_NO_SUCH_GROUP:
87 case LW_ERROR_NO_SUCH_OBJECT:
88- case LW_ERROR_DOMAIN_IS_OFFLINE:
89 dwError = LW_ERROR_SUCCESS;
90 break;
91 default:
92@@ -4426,7 +4425,6 @@
93 case LW_ERROR_NO_SUCH_USER:
94 case LW_ERROR_NO_SUCH_GROUP:
95 case LW_ERROR_NO_SUCH_OBJECT:
96- case LW_ERROR_DOMAIN_IS_OFFLINE:
97 dwError = LW_ERROR_SUCCESS;
98 break;
99 default:
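Review bot: dropping LW_ERROR_DOMAIN_IS_OFFLINE from the two "treat as success" switch lists means the online finders now report going offline to their callers instead of returning an empty result; the provider-main hunks below depend on that to fall back to the cache, so these two hunks and those must ship together.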
100Index: likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/provider-main.c
101===================================================================
102--- likewise-open-5.4.0.42111.orig/lsass/server/auth-providers/ad-provider/provider-main.c 2010-06-17 22:17:40.000000000 -0700
103+++ likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/provider-main.c 2010-06-17 22:20:50.000000000 -0700
104@@ -3498,7 +3498,11 @@
105
106 if (AD_IsOffline())
107 {
108- dwError = AD_OfflineFindObjects(
109+ dwError = LW_ERROR_DOMAIN_IS_OFFLINE;
110+ }
111+ else
112+ {
113+ dwError = AD_OnlineFindObjects(
114 hProvider,
115 FindFlags,
116 ObjectType,
117@@ -3506,11 +3510,11 @@
118 dwCount,
119 QueryList,
120 &ppObjects);
121- BAIL_ON_LSA_ERROR(dwError);
122 }
123- else
124+
125+ if (LW_ERROR_DOMAIN_IS_OFFLINE == dwError)
126 {
127- dwError = AD_OnlineFindObjects(
128+ dwError = AD_OfflineFindObjects(
129 hProvider,
130 FindFlags,
131 ObjectType,
132@@ -3518,8 +3522,8 @@
133 dwCount,
134 QueryList,
135 &ppObjects);
136- BAIL_ON_LSA_ERROR(dwError);
137 }
138+ BAIL_ON_LSA_ERROR(dwError);
139
140 if (ppObjects)
141 {
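Review bot: the restructured flow (offline → LW_ERROR_DOMAIN_IS_OFFLINE, otherwise try online, then fall back to offline when the online call reports DOMAIN_IS_OFFLINE, with a single BAIL at line 138) is a sound pattern, but both calls write through &ppObjects; if AD_OnlineFindObjects allocated anything before returning DOMAIN_IS_OFFLINE, the offline call overwrites the pointer and the allocation leaks. Either confirm the online path leaves *ppObjects NULL on that error or free it before the fallback. The same question applies to &pEnum->ppszSids and pppszGroupSids in the two hunks that follow.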
142@@ -3704,24 +3708,28 @@
143
144 if (AD_IsOffline())
145 {
146- dwError = AD_OfflineGetGroupMemberSids(
147+ dwError = LW_ERROR_DOMAIN_IS_OFFLINE;
148+ }
149+ else
150+ {
151+ dwError = AD_OnlineGetGroupMemberSids(
152 hProvider,
153 FindFlags,
154 pszSid,
155 &pEnum->dwSidCount,
156 &pEnum->ppszSids);
157- BAIL_ON_LSA_ERROR(dwError);
158 }
159- else
160+
161+ if (LW_ERROR_DOMAIN_IS_OFFLINE == dwError)
162 {
163- dwError = AD_OnlineGetGroupMemberSids(
164+ dwError = AD_OfflineGetGroupMemberSids(
165 hProvider,
166 FindFlags,
167 pszSid,
168 &pEnum->dwSidCount,
169 &pEnum->ppszSids);
170- BAIL_ON_LSA_ERROR(dwError);
171 }
172+ BAIL_ON_LSA_ERROR(dwError);
173
174 *phEnum = pEnum;
175
176@@ -3817,7 +3825,11 @@
177
178 if (AD_IsOffline())
179 {
180- dwError = AD_OfflineQueryMemberOf(
181+ dwError = LW_ERROR_DOMAIN_IS_OFFLINE;
182+ }
183+ else
184+ {
185+ dwError = AD_OnlineQueryMemberOf(
186 hProvider,
187 FindFlags,
188 dwSidCount,
189@@ -3825,9 +3837,10 @@
190 pdwGroupSidCount,
191 pppszGroupSids);
192 }
193- else
194+
195+ if (LW_ERROR_DOMAIN_IS_OFFLINE == dwError)
196 {
197- dwError = AD_OnlineQueryMemberOf(
198+ dwError = AD_OfflineQueryMemberOf(
199 hProvider,
200 FindFlags,
201 dwSidCount,
0202
=== added file 'debian/patches/reg_import_multi_sz.diff'
--- debian/patches/reg_import_multi_sz.diff 1970-01-01 00:00:00 +0000
+++ debian/patches/reg_import_multi_sz.diff 2010-12-01 21:33:36 +0000
@@ -0,0 +1,14 @@
1diff --git a/lwreg/parse/reglex.c b/lwreg/parse/reglex.c
2index 8d01668..747c9c6 100644
3--- a/lwreg/parse/reglex.c
4+++ b/lwreg/parse/reglex.c
5@@ -449,7 +449,8 @@ RegLexParseBackslash(
6 dwError = RegIOUnGetChar(ioHandle, NULL);
7 }
8 }
9- else if (lexHandle->state == REGLEX_STATE_IN_QUOTE)
10+
11+ if (lexHandle->state == REGLEX_STATE_IN_QUOTE)
12 {
13 /*
14 * Treat sequence '\C' (C=any character) as
015
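Review bot: changing `else if` to a bare `if` at line 11 makes the in-quote escape handling run even after the preceding branch (the one that un-gets a character at line 6) has executed; that is presumably the fix for backslashes inside quoted multi-string values, but the patch has no header, so add one describing the failing .reg input, and confirm the first branch cannot itself be reached with lexHandle->state == REGLEX_STATE_IN_QUOTE, which would now process the pushed-back character twice.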
=== modified file 'debian/patches/series'
--- debian/patches/series 2010-04-09 12:30:18 +0000
+++ debian/patches/series 2010-12-01 21:33:36 +0000
@@ -14,3 +14,11 @@
14autoreconf_dcerpc.diff14autoreconf_dcerpc.diff
15correct_lsass_configure_platform_detection.patch15correct_lsass_configure_platform_detection.patch
16autoreconf_lsass.conf16autoreconf_lsass.conf
17ignore_group_update_failure_on_leave.diff
18#lsass_turn_off_ncacn_ip_tcp.diff
19#disable_dcerpc_auto_start.diff
20lwupgrade_multi_sz.diff
21assume_default_domain.diff
22reg_import_multi_sz.diff
23offline_v2.diff
24lp-security-CVE-2010-0833.diff
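Review bot: lsass_turn_off_ncacn_ip_tcp.diff and disable_dcerpc_auto_start.diff are added to the package but listed here commented out, so they never apply; either enable them or drop the files, and say in the changelog which was decided and why.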
