Merge lp:~ssalley/ubuntu/lucid/likewise-open/likewise-open.fix627272 into lp:ubuntu/lucid/likewise-open

Proposed by Scott Salley on 2010-12-01
Reviewer: Dustin Kirkland
Date requested: 2010-12-01
Status: Needs Fixing on 2010-12-08
Review via email: mp+42422@code.launchpad.net

Description of the Change

These changes have been sitting in a PPA and tested by users and our QA team for a long while.

The changelog describes the changes in more detail but here is a short summary of fixed bugs:
lp:534629 AssumeDefaultDomain does not work
lp:575152 RequireMembershipOf Does Not Work
lp:591893 likewise-open depends on psmisc
lp:605326 Likewise open 5 or 6 conflicts with winbind
lp:572271 CacheEntryExpire setting ignored & default value of 4 hours is too low
lp:574443 likewise-open5 upgrade mangles RequireMembershipOf settings

Additionally, many bugs dealing with installation and upgrading were corrected but matching them up to bug reports is difficult due to reproducibility.

Dustin Kirkland  (kirkland) wrote :

Hi there Scott,

Reviewing this merge proposal, a couple of comments...
 1) To note that a bug is fixed in the changelog, please use this syntax: "LP: #575019", rather than "LP BUG 575019"
 2) Usually, SRUs are held to a pretty tight standard, typically fixing one or two issues; this merge fixes 9 bugs
 3) Each of those 9 bugs is going to need an SRU statement in the main body, explaining a) the impact, b) an explanation of how the bug is fixed, c) a pointer to the commit or minimal patch that solves that one issue, d) detailed instructions on how to reproduce the bug, e) a description of the regression potential
   - See: https://wiki.ubuntu.com/StableReleaseUpdates

I'll be happy to sponsor this as soon as (1) is trivially fixed in your branch, and as soon as each bug is updated per (2). Then, the package will go into the -proposed queue, and we'll need you or someone else to go through each of those 9 bugs and work their way through the reproduce instructions, noting if the new package fixes the known bugs and does cause regression.

Thanks!
Dustin

review: Needs Fixing

Unmerged revisions

18. By Scott Salley on 2010-12-01

* patches/ignore_group_update_failure_on_leave.diff: Added upstream patch
  to prevent "domainjoin-XXX leave" from failing if user/admin domain
  groups could not be removed from the builtin user/admin groups
  (LP BUG 575019)
* patches/assume_default_domain.diff: Fix regression in AssumeDefaultDomain
  (LP BUG 534629)
* patches/offline_v2.diff: Additional offline logon fixes (LP BUG 572271)
* patches/lwupgrade_mulit_sz.diff: Make preservation of multi-string values
  more robust (e.g. "RequireMembershipOf" LP BUG 574443)
* patches/reg_import_multi_sz.diff: Fix importing REG_MULTI_SZ strings
  that use the "\" character (LP BUG 575152)
* Added missing dependencies that prevent distribution and package upgrades
  from succeeding:
  - debian/control: Added libpam-runtime (LP BUG 627272, LP BUG 625105)
  - debian/control: Added psmisc (LP BUG 591893)
* Added statements to kill hung daemons that may prevent distribution and
  package upgrades from succeeding (LP BUG 621980):
  - debian/control: Added procps for pkill
  - debian/likewise-open.postinst, debian/likewise-open.preinst: Added
    explicit kill for daemons that may hang
* debian/control: Modified XSBC-Original-Maintainer as Gerald Carter would
  like Scott Salley to handle likewise-open.

17. By Gerald Carter <email address hidden> on 2010-07-27

Fix lsassd crash due to invalid hDirectory handle (LP: #610300).

16. By Scott Salley on 2010-07-21

* SECURITY UPDATE: local access restrictions bypass.
  - Set the Administrator account as disabled when first provisioned.
  - Explicitly mark lsassd local provider accounts as disabled
    if the account exists in its initial provisioned state
  - Force pam password changes, when run under the context of root services,
    to require the existing password for authentication
  - Enforce the "user cannot change password" field on local provider
    account in the provider interface as well as the RPC server interface
  - CVE-2010-0833
* likewise-open.postinst
  - Ensure that lsassd is properly restarted after upgrade

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2010-04-09 12:30:18 +0000
3+++ debian/changelog 2010-12-01 21:33:36 +0000
4@@ -1,3 +1,52 @@
5+likewise-open (5.4.0.42111-2ubuntu2) lucid; urgency=low
6+
7+ * patches/ignore_group_update_failure_on_leave.diff: Added upstream patch
8+ to prevent "domainjoin-XXX leave" from failing if user/admin domain
9+ groups could not be removed from the builtin user/admin groups
10+ (LP BUG 575019)
11+ * patches/assume_default_domain.diff: Fix regression in AssumeDefaultDomain
12+ (LP BUG 534629)
13+ * patches/offline_v2.diff: Additional offline logon fixes (LP BUG 572271)
14+ * patches/lwupgrade_mulit_sz.diff: Make preservation of multi-string values
15+ more robust (e.g. "RequireMembershipOf" LP BUG 574443)
16+ * patches/reg_import_multi_sz.diff: Fix importing REG_MULTI_SZ strings
17+ that use the "\" character (LP BUG 575152)
18+ * Added missing dependencies that prevent distribution and package upgrades
19+ from succeeding:
20+ - debian/control: Added libpam-runtime (LP BUG 627272, LP BUG 625105)
21+ - debian/control: Added psmisc (LP BUG 591893)
22+ * Added statements to kill hung daemons that may prevent distribution and
23+ package upgrades from succeeding (LP BUG 621980):
24+ - debian/control: Added procps for pkill
25+ - debian/likewise-open.postinst, debian/likewise-open.preinst: Added
26+ explict kill for daemons that may hang
27+ * debian/control: Modified XSBC-Original-Maintainer as Gerald Cater would
28+ like Scott Salley to handle likewise-open.
29+
30+ -- Scott Salley <ssalley@likewise.com> Wed, 13 Oct 2010 17:24:08 -0700
31+
32+likewise-open (5.4.0.42111-2ubuntu1.2) lucid-security; urgency=low
33+
34+ * Fix lsassd crash due to invalid hDirectory handle (LP: #610300).
35+
36+ -- Gerald Carter <gcarter@likewise.com> Tue, 27 Jul 2010 17:35:01 -0500
37+
38+likewise-open (5.4.0.42111-2ubuntu1.1) lucid-security; urgency=low
39+
40+ * SECURITY UPDATE: local access restrictions bypass.
41+ - Set the Administrator account as disabled when first provisioned.
42+ - Explicitly mark lsassd local provider accounts accounts as disabled
43+ if the account exists in its initial provisioned state
44+ - Force pam password changes, when run under the context of root services,
45+ to require the existing password for authentication
46+ - Enforce the "user cannot change password" field on local provider
47+ account in the provider interface as well as the RPC server interface
48+ - CVE-2010-0833
49+ * likewise-open.postinst
50+ - Ensure that lsassd is properly restarted after upgrade
51+
52+ -- Scott Salley <ssalley@likewise.com> Wed, 21 Jul 2010 13:54:00 -0700
53+
54 likewise-open (5.4.0.42111-2ubuntu1) lucid; urgency=low
55
56 * Properly fix ARM FTBFS (LP: #517300)
57
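Review bot: The bug references throughout the new 5.4.0.42111-2ubuntu2 entry are written as "LP BUG 575019", a form that does not close the bug on upload; write them as "LP: #575019", the form the 5.4.0.42111-2ubuntu1.2 entry below already uses with "(LP: #610300)". The entry also leaves out debian/patches/disable_dcerpc_auto_start.diff and the debian/likewise-open.prerm change that this proposal carries, and it contains the typos "explict" and "Gerald Cater".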
58=== modified file 'debian/control'
59--- debian/control 2010-04-09 12:30:18 +0000
60+++ debian/control 2010-12-01 21:33:36 +0000
61@@ -2,7 +2,7 @@
62 Section: net
63 Priority: optional
64 Maintainer: Chuck Short <zulcss@ubuntu.com>
65-XSBC-Original-Maintainer: Gerald Carter <gcarter@likewise.com>
66+XSBC-Original-Maintainer: Scott Salley <ssalley@likewise.com>
67 Build-Depends: autoconf (>=2.53), automake, bison, debhelper (>= 7),
68 libglade2-dev, libncurses5-dev, libpam0g-dev, libpam-runtime,
69 libssl-dev, libtool, libsqlite3-dev, uuid-dev, quilt, rsync, libxml2,
70@@ -40,7 +40,7 @@
71 Depends: ${misc:Depends}, likewise-open
72 Architecture: all
73 Description: transitional dummy package
74- This is a dummy package to faciliate clean upgrades. You can savely remove
75+ This is a dummy package to facilitate clean upgrades. You can safely remove
76 this package after the upgrade.
77
78 Package: likewise-open5-eventlog
79@@ -48,7 +48,7 @@
80 Depends: ${misc:Depends}, likewise-open
81 Architecture: all
82 Description: transitional dummy package
83- This is a dummy package to faciliate clean upgrades. You can savely remove
84+ This is a dummy package to facilitate clean upgrades. You can safely remove
85 this package after the upgrade.
86
87 Package: likewise-open5-netlogon
88@@ -56,7 +56,7 @@
89 Depends: ${misc:Depends}, likewise-open
90 Architecture: all
91 Description: transitional dummy package
92- This is a dummy package to faciliate clean upgrades. You can savely remove
93+ This is a dummy package to facilitate clean upgrades. You can safely remove
94 this package after the upgrade.
95
96 Package: likewise-open5-rpc
97@@ -64,12 +64,13 @@
98 Depends: ${misc:Depends}, likewise-open
99 Architecture: all
100 Description: transitional dummy package
101- This is a dummy package to faciliate clean upgrades. You can savely remove
102+ This is a dummy package to facilitate clean upgrades. You can safely remove
103 this package after the upgrade.
104
105 Package: likewise-open
106 Architecture: any
107-Depends: ${shlibs:Depends}, ${misc:Depends}, krb5-user
108+Depends: ${shlibs:Depends}, ${misc:Depends}, krb5-user, psmisc, libpam-runtime,
109+ procps
110 Suggests: likewise-open-gui
111 Provides: likewise-open, likewise-open5
112 Conflicts: likewise-open,
113
114=== modified file 'debian/likewise-open.postinst'
115--- debian/likewise-open.postinst 2010-01-05 16:21:34 +0000
116+++ debian/likewise-open.postinst 2010-12-01 21:33:36 +0000
117@@ -20,7 +20,7 @@
118 rm -rf "${UPGRADEDIR4}"
119
120 if [ -f /etc/likewise-open/lwiauthd.reg ]; then
121- $REGSHELL import /etc/likewise-open/lwiauthd.reg
122+ $REGSHELL upgrade /etc/likewise-open/lwiauthd.reg
123
124 $DOMAINJOIN configure --enable nsswitch > /dev/null 2>&1
125 $DOMAINJOIN configure --enable ssh > /dev/null 2>&1
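Review bot: The switch from "$REGSHELL import" to "$REGSHELL upgrade" on the lwiauthd.reg line changes how values already in the registry are treated on upgrade, yet the changelog entry in this proposal mentions the postinst only for the daemon kill. Add a changelog line stating what "upgrade" preserves that "import" did not, so the regression potential of this step can be assessed for the SRU.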
126@@ -40,7 +40,7 @@
127 if [ -f $SOURCE ]; then
128 $CONVERT $COMMAND $SOURCE $DEST > /dev/null 2>&1 || true
129 if [ -n "$DEST" -a -f "$DEST" ]; then
130- $REGSHELL import $DEST
131+ $REGSHELL upgrade $DEST
132 fi
133 fi
134 }
135@@ -63,8 +63,9 @@
136
137 $DOMAINJOIN configure --enable nsswitch > /dev/null 2>&1
138 $DOMAINJOIN configure --enable ssh > /dev/null 2>&1
139- $DOMAINJOIN configure --long `hostname --long` --short `hostname --short` \
140- --enable krb5 > /dev/null 2>&1
141+ $DOMAINJOIN configure --long `hostname --long` \
142+ --short `hostname --short` \
143+ --enable krb5 > /dev/null 2>&1
144 }
145
146 case "$1" in
147@@ -79,18 +80,27 @@
148 ;;
149
150 configure)
151- $LWSMD start
152-
153- $REGSHELL import /etc/likewise-open/dcerpcd.reg
154- $REGSHELL import /etc/likewise-open/eventlogd.reg
155- $REGSHELL import /etc/likewise-open/lwreg.reg
156- $REGSHELL import /etc/likewise-open/lsassd.reg
157- $REGSHELL import /etc/likewise-open/lwiod.reg
158- $REGSHELL import /etc/likewise-open/netlogond.reg
159- $REGSHELL import /etc/likewise-open/pstore.reg
160- $REGSHELL import /etc/likewise-open/srvsvcd.reg
161-
162- $LWSMD reload
163+ # All daemons should be gone -- but sometimes they hang.
164+ pkill -KILL -x srvsvcd > /dev/null 2>&1 || true
165+ pkill -KILL -x lsassd > /dev/null 2>&1 || true
166+ pkill -KILL -x lwiod > /dev/null 2>&1 || true
167+ pkill -KILL -x netlogond > /dev/null 2>&1 || true
168+ pkill -KILL -x eventlogd > /dev/null 2>&1 || true
169+ pkill -KILL -x dcerpcd > /dev/null 2>&1 || true
170+ pkill -KILL -x netlogond > /dev/null 2>&1 || true
171+ pkill -KILL -x lwsmd > /dev/null 2>&1 || true
172+ pkill -KILL -x lwregd > /dev/null 2>&1 || true
173+
174+ /usr/sbin/lwsmd --start-as-daemon
175+
176+ $REGSHELL upgrade /etc/likewise-open/dcerpcd.reg
177+ $REGSHELL upgrade /etc/likewise-open/eventlogd.reg
178+ $REGSHELL upgrade /etc/likewise-open/lwreg.reg
179+ $REGSHELL upgrade /etc/likewise-open/lsassd.reg
180+ $REGSHELL upgrade /etc/likewise-open/lwiod.reg
181+ $REGSHELL upgrade /etc/likewise-open/netlogond.reg
182+ $REGSHELL upgrade /etc/likewise-open/pstore.reg
183+ $REGSHELL upgrade /etc/likewise-open/srvsvcd.reg
184
185 if [ -n "$2" ]; then
186 if dpkg --compare-versions "$2" le "4.1.2982-0ubuntu3"; then
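Review bot: The pkill block at the top of the configure branch goes straight to SIGKILL with no TERM pass or wait, so a daemon that is merely slow rather than hung gets no chance to exit cleanly right before the "$REGSHELL upgrade" calls run. Send TERM first, wait briefly, and reserve KILL for survivors. netlogond is listed twice in the block, "/usr/sbin/lwsmd --start-as-daemon" hard-codes a path where the removed line used "$LWSMD", and nothing checks that lwsmd is ready before the first "$REGSHELL upgrade".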
187@@ -103,11 +113,16 @@
188 if [ -d "${UPGRADEDIR5}" ]; then
189 import_machine_account_5_0
190 fi
191- fi
192-
193- # This will start all the sevices and hook things up in /etc/rc[0-6].d
194+ fi
195+
196+ /etc/init.d/lwsmd stop
197+
198+ /etc/init.d/lwsmd start
199+
200 $DOMAINJOIN query > /dev/null 2>&1
201
202+ /usr/bin/lwsm start lsass || true
203+
204 pam-auth-update --package
205 ;;
206 esac
207
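Review bot: "/usr/bin/lwsm start lsass || true" near the end of the configure branch discards a failure to start lsass, and "pam-auth-update --package" runs regardless, so the upgrade can report success with no working lsassd behind the PAM configuration. Print a diagnostic when the start fails instead of swallowing it. The stop/start pair calls /etc/init.d/lwsmd directly where Debian policy expects invoke-rc.d in maintainer scripts, and the removed comment about starting the services and hooking up /etc/rc[0-6].d should be replaced with one that describes the new sequence.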
208=== modified file 'debian/likewise-open.preinst'
209--- debian/likewise-open.preinst 2010-01-05 16:21:34 +0000
210+++ debian/likewise-open.preinst 2010-12-01 21:33:36 +0000
211@@ -62,13 +62,15 @@
212
213 # remove obsolete conffiles from previous versions
214 if dpkg --compare-versions "$2" lt-nl "5.4.0"; then
215- # from 4.1
216- rm_conffile /etc/samba/lwiauthd.conf
217- rm_conffile /etc/security/pam_lwidentity.conf
218- rm_conffile /etc/default/likewise-open
219- rm_conffile /etc/init.d/likewise-open
220- # from 5.0
221- rm_conffile /etc/init.d/npcmuxd
222+
223+ # from 4.1
224+ rm_conffile /etc/samba/lwiauthd.conf
225+ rm_conffile /etc/security/pam_lwidentity.conf
226+ rm_conffile /etc/default/likewise-open
227+ rm_conffile /etc/init.d/likewise-open
228+
229+ # from 5.0
230+ rm_conffile /etc/init.d/npcmuxd
231 fi
232 ;;
233
234
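Review bot: No kill statement is added anywhere in this preinst hunk, although the changelog entry lists debian/likewise-open.preinst as gaining an explicit kill for daemons that may hang; the changed lines are whitespace-only re-indentation of the rm_conffile calls. Either add the kill here or correct the changelog to name debian/likewise-open.prerm, and drop the whitespace churn from an SRU. If pkill is added to preinst, note that Depends is not guaranteed to be satisfied when preinst runs, so procps would need to be a Pre-Depends.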
235=== modified file 'debian/likewise-open.prerm'
236--- debian/likewise-open.prerm 2010-01-05 16:21:34 +0000
237+++ debian/likewise-open.prerm 2010-12-01 21:33:36 +0000
238@@ -26,6 +26,15 @@
239 $LWSMD stop
240 fi
241
242+ pkill -KILL -x srvsvcd > /dev/null 2>&1 || true
243+ pkill -KILL -x lsassd > /dev/null 2>&1 || true
244+ pkill -KILL -x lwiod > /dev/null 2>&1 || true
245+ pkill -KILL -x netlogond > /dev/null 2>&1 || true
246+ pkill -KILL -x eventlogd > /dev/null 2>&1 || true
247+ pkill -KILL -x dcerpcd > /dev/null 2>&1 || true
248+ pkill -KILL -x lwsmd > /dev/null 2>&1 || true
249+ pkill -KILL -x lwregd > /dev/null 2>&1 || true
250+
251 ;;
252
253 failed-upgrade)
254
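Review bot: The SIGKILL block follows "$LWSMD stop" with no delay, so unless "$LWSMD stop" is known to block until the daemons have exited, processes that were just asked to stop are killed before they can shut down cleanly. Add a short wait or a TERM pass before the KILL pass. This prerm change is not mentioned in the changelog, which attributes the kill to preinst instead.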
255=== added file 'debian/patches/assume_default_domain.diff'
256--- debian/patches/assume_default_domain.diff 1970-01-01 00:00:00 +0000
257+++ debian/patches/assume_default_domain.diff 2010-12-01 21:33:36 +0000
258@@ -0,0 +1,334 @@
259+commit d1cba75403be0af010b5df5ba22a1d0704f29fc3
260+Author: Brian Koropoff <bkoropoff@likewise.com>
261+Date: Wed May 5 22:21:47 2010 +0000
262+
263+ svn merge -c 43891 /Platform/src/linux/lsass/server/auth-providers/ad-open-provider -> src/linux/lsass/server/auth-providers/ad-provider
264+
265+ (lsass: r43911)
266+
267+Index: likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/ad_marshal_group.c
268+===================================================================
269+--- likewise-open-5.4.0.42111.orig/lsass/server/auth-providers/ad-provider/ad_marshal_group.c 2010-05-07 08:37:00.000000000 +0200
270++++ likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/ad_marshal_group.c 2010-05-07 08:37:03.000000000 +0200
271+@@ -59,12 +59,17 @@
272+ PSTR pszResult = NULL;
273+
274+ if(pObject->type == LSA_OBJECT_TYPE_GROUP &&
275+- !LW_IS_NULL_OR_EMPTY_STR(pObject->groupInfo.pszAliasName))
276++ !LW_IS_NULL_OR_EMPTY_STR(pObject->groupInfo.pszAliasName))
277+ {
278+ dwError = LwAllocateString(
279+ pObject->groupInfo.pszAliasName,
280+ &pszResult);
281+ BAIL_ON_LSA_ERROR(dwError);
282++
283++ LwStrCharReplace(
284++ pszResult,
285++ ' ',
286++ AD_GetSpaceReplacement());
287+ }
288+ else if(pObject->type == LSA_OBJECT_TYPE_USER &&
289+ !LW_IS_NULL_OR_EMPTY_STR(pObject->userInfo.pszAliasName))
290+@@ -73,6 +78,11 @@
291+ pObject->userInfo.pszAliasName,
292+ &pszResult);
293+ BAIL_ON_LSA_ERROR(dwError);
294++
295++ LwStrCharReplace(
296++ pszResult,
297++ ' ',
298++ AD_GetSpaceReplacement());
299+ }
300+ else
301+ {
302+Index: likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/batch_marshal.c
303+===================================================================
304+--- likewise-open-5.4.0.42111.orig/lsass/server/auth-providers/ad-provider/batch_marshal.c 2010-05-07 08:37:00.000000000 +0200
305++++ likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/batch_marshal.c 2010-05-07 08:37:03.000000000 +0200
306+@@ -580,6 +580,28 @@
307+ BAIL_ON_LSA_ERROR(dwError);
308+ }
309+
310++ /* Fix up alias fields when in AssumeDefaultDomain mode */
311++ if (AD_ShouldAssumeDefaultDomain() &&
312++ pObject->enabled &&
313++ ((pObject->type == LSA_OBJECT_TYPE_USER &&
314++ !pObject->userInfo.pszAliasName) ||
315++ (pObject->type == LSA_OBJECT_TYPE_GROUP &&
316++ !pObject->groupInfo.pszAliasName)) &&
317++ !strcmp(pObject->pszNetbiosDomainName, gpADProviderData->szShortDomain))
318++ {
319++ dwError = LwAllocateString(
320++ pObject->pszSamAccountName,
321++ pObject->type == LSA_OBJECT_TYPE_USER ?
322++ &pObject->userInfo.pszAliasName : &pObject->groupInfo.pszAliasName);
323++ BAIL_ON_LSA_ERROR(dwError);
324++
325++ LwStrCharReplace(
326++ pObject->type == LSA_OBJECT_TYPE_USER ?
327++ pObject->userInfo.pszAliasName : pObject->groupInfo.pszAliasName,
328++ ' ',
329++ AD_GetSpaceReplacement());
330++ }
331++
332+ cleanup:
333+ *ppObject = pObject;
334+ return dwError;
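Review bot: The "!strcmp(pObject->pszNetbiosDomainName, gpADProviderData->szShortDomain)" test in the new AssumeDefaultDomain block dereferences pszNetbiosDomainName without a NULL check and compares case-sensitively, although NetBIOS domain names are case-insensitive. Guard the pointer and use a case-insensitive comparison, otherwise an object whose domain name differs only in case silently misses the alias fix-up. A comment on what happens when the synthesized alias (the sAMAccountName with spaces replaced) matches an existing local account name would also help reviewers of an authentication path.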
335+Index: likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/online.c
336+===================================================================
337+--- likewise-open-5.4.0.42111.orig/lsass/server/auth-providers/ad-provider/online.c 2010-05-07 08:37:00.000000000 +0200
338++++ likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/online.c 2010-05-07 08:37:03.000000000 +0200
339+@@ -4087,6 +4087,112 @@
340+
341+ static
342+ DWORD
343++AD_OnlineFindObjectByName(
344++ IN HANDLE hProvider,
345++ IN LSA_FIND_FLAGS FindFlags,
346++ IN OPTIONAL LSA_OBJECT_TYPE ObjectType,
347++ IN LSA_QUERY_TYPE QueryType,
348++ IN PCSTR pszLoginName,
349++ IN PLSA_LOGIN_NAME_INFO pUserNameInfo,
350++ OUT PLSA_SECURITY_OBJECT* ppObject
351++ )
352++{
353++ DWORD dwError = 0;
354++ PLSA_SECURITY_OBJECT pCachedUser = NULL;
355++
356++ switch(ObjectType)
357++ {
358++ case LSA_OBJECT_TYPE_USER:
359++ dwError = ADCacheFindUserByName(
360++ gpLsaAdProviderState->hCacheConnection,
361++ pUserNameInfo,
362++ &pCachedUser);
363++ break;
364++ case LSA_OBJECT_TYPE_GROUP:
365++ dwError = ADCacheFindGroupByName(
366++ gpLsaAdProviderState->hCacheConnection,
367++ pUserNameInfo,
368++ &pCachedUser);
369++ break;
370++ default:
371++ dwError = ADCacheFindUserByName(
372++ gpLsaAdProviderState->hCacheConnection,
373++ pUserNameInfo,
374++ &pCachedUser);
375++ if (dwError == LW_ERROR_NO_SUCH_USER ||
376++ dwError == LW_ERROR_NOT_HANDLED)
377++ {
378++ dwError = ADCacheFindGroupByName(
379++ gpLsaAdProviderState->hCacheConnection,
380++ pUserNameInfo,
381++ &pCachedUser);
382++ }
383++ break;
384++ }
385++
386++ if (dwError == LW_ERROR_SUCCESS)
387++ {
388++ dwError = AD_CheckExpiredObject(&pCachedUser);
389++ }
390++
391++ switch (dwError)
392++ {
393++ case LW_ERROR_SUCCESS:
394++ break;
395++ case LW_ERROR_NOT_HANDLED:
396++ case LW_ERROR_NO_SUCH_USER:
397++ case LW_ERROR_NO_SUCH_GROUP:
398++ case LW_ERROR_NO_SUCH_OBJECT:
399++ dwError = AD_FindObjectByNameTypeNoCache(
400++ hProvider,
401++ pszLoginName,
402++ pUserNameInfo->nameType,
403++ ObjectType,
404++ &pCachedUser);
405++ switch (dwError)
406++ {
407++ case LW_ERROR_SUCCESS:
408++ dwError = ADCacheStoreObjectEntry(
409++ gpLsaAdProviderState->hCacheConnection,
410++ pCachedUser);
411++ BAIL_ON_LSA_ERROR(dwError);
412++
413++ break;
414++ case LW_ERROR_NO_SUCH_USER:
415++ case LW_ERROR_NO_SUCH_GROUP:
416++ case LW_ERROR_NO_SUCH_OBJECT:
417++ case LW_ERROR_DOMAIN_IS_OFFLINE:
418++ dwError = LW_ERROR_SUCCESS;
419++ break;
420++ default:
421++ BAIL_ON_LSA_ERROR(dwError);
422++ break;
423++ }
424++ break;
425++ default:
426++ BAIL_ON_LSA_ERROR(dwError);
427++ }
428++
429++ *ppObject = pCachedUser;
430++
431++cleanup:
432++
433++ return dwError;
434++
435++error:
436++
437++ *ppObject = NULL;
438++
439++ if (pCachedUser)
440++ {
441++ LsaUtilFreeSecurityObject(pCachedUser);
442++ }
443++
444++ goto cleanup;
445++}
446++
447++static
448++DWORD
449+ AD_OnlineFindObjectsByName(
450+ IN HANDLE hProvider,
451+ IN LSA_FIND_FLAGS FindFlags,
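Review bot: FindFlags and QueryType are accepted by the new AD_OnlineFindObjectByName but never read in its body, and the local is still named pCachedUser although it can hold a group. Drop or use the two parameters, and add a header comment stating that the function returns LW_ERROR_SUCCESS with *ppObject set to NULL when the uncached lookup reports LW_ERROR_NO_SUCH_USER, LW_ERROR_NO_SUCH_GROUP, LW_ERROR_NO_SUCH_OBJECT or LW_ERROR_DOMAIN_IS_OFFLINE, because every caller has to test for that.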
452+@@ -4100,7 +4206,6 @@
453+ DWORD dwError = 0;
454+ PLSA_LOGIN_NAME_INFO pUserNameInfo = NULL;
455+ PSTR pszLoginId_copy = NULL;
456+- PLSA_SECURITY_OBJECT pCachedUser = NULL;
457+ DWORD dwIndex = 0;
458+ PLSA_SECURITY_OBJECT* ppObjects = NULL;
459+ LSA_QUERY_TYPE type = LSA_QUERY_TYPE_UNDEFINED;
460+@@ -4145,77 +4250,74 @@
461+ BAIL_ON_LSA_ERROR(dwError);
462+ }
463+
464+- switch(ObjectType)
465+- {
466+- case LSA_OBJECT_TYPE_USER:
467+- dwError = ADCacheFindUserByName(
468+- gpLsaAdProviderState->hCacheConnection,
469+- pUserNameInfo,
470+- &pCachedUser);
471+- break;
472+- case LSA_OBJECT_TYPE_GROUP:
473+- dwError = ADCacheFindGroupByName(
474+- gpLsaAdProviderState->hCacheConnection,
475+- pUserNameInfo,
476+- &pCachedUser);
477+- break;
478+- default:
479+- dwError = ADCacheFindUserByName(
480+- gpLsaAdProviderState->hCacheConnection,
481+- pUserNameInfo,
482+- &pCachedUser);
483+- if (dwError == LW_ERROR_NO_SUCH_USER ||
484+- dwError == LW_ERROR_NOT_HANDLED)
485+- {
486+- dwError = ADCacheFindGroupByName(
487+- gpLsaAdProviderState->hCacheConnection,
488+- pUserNameInfo,
489+- &pCachedUser);
490+- }
491+- break;
492+- }
493+-
494+- if (dwError == LW_ERROR_SUCCESS)
495+- {
496+- dwError = AD_CheckExpiredObject(&pCachedUser);
497+- }
498++ dwError = AD_OnlineFindObjectByName(
499++ hProvider,
500++ FindFlags,
501++ ObjectType,
502++ QueryType,
503++ pszLoginId_copy,
504++ pUserNameInfo,
505++ &ppObjects[dwIndex]);
506+
507+ switch (dwError)
508+ {
509+ case LW_ERROR_SUCCESS:
510+- ppObjects[dwIndex] = pCachedUser;
511+- pCachedUser = NULL;
512+ break;
513+ case LW_ERROR_NOT_HANDLED:
514+ case LW_ERROR_NO_SUCH_USER:
515+ case LW_ERROR_NO_SUCH_GROUP:
516+ case LW_ERROR_NO_SUCH_OBJECT:
517+- dwError = AD_FindObjectByNameTypeNoCache(
518+- hProvider,
519+- pszLoginId_copy,
520+- pUserNameInfo->nameType,
521+- ObjectType,
522+- &pCachedUser);
523+- switch (dwError)
524++ case LW_ERROR_NOT_SUPPORTED:
525++ ppObjects[dwIndex] = NULL;
526++ dwError = LW_ERROR_SUCCESS;
527++
528++ if (QueryType == LSA_QUERY_TYPE_BY_ALIAS &&
529++ AD_ShouldAssumeDefaultDomain())
530+ {
531+- case LW_ERROR_SUCCESS:
532+- dwError = ADCacheStoreObjectEntry(
533+- gpLsaAdProviderState->hCacheConnection,
534+- pCachedUser);
535++ LW_SAFE_FREE_STRING(pszLoginId_copy);
536++ LsaFreeNameInfo(pUserNameInfo);
537++ pUserNameInfo = NULL;
538++
539++ dwError = LwAllocateStringPrintf(
540++ &pszLoginId_copy,
541++ "%s\\%s",
542++ gpADProviderData->szShortDomain,
543++ QueryList.ppszStrings[dwIndex]);
544+ BAIL_ON_LSA_ERROR(dwError);
545+
546+- ppObjects[dwIndex] = pCachedUser;
547+- pCachedUser = NULL;
548+- break;
549+- case LW_ERROR_NO_SUCH_USER:
550+- case LW_ERROR_NO_SUCH_GROUP:
551+- case LW_ERROR_NO_SUCH_OBJECT:
552+- case LW_ERROR_DOMAIN_IS_OFFLINE:
553+- dwError = LW_ERROR_SUCCESS;
554+- break;
555+- default:
556++ LwStrCharReplace(
557++ pszLoginId_copy,
558++ AD_GetSpaceReplacement(),
559++ ' ');
560++
561++ dwError = LsaCrackDomainQualifiedName(
562++ pszLoginId_copy,
563++ gpADProviderData->szDomain,
564++ &pUserNameInfo);
565+ BAIL_ON_LSA_ERROR(dwError);
566+- break;
567++
568++ dwError = AD_OnlineFindObjectByName(
569++ hProvider,
570++ FindFlags,
571++ ObjectType,
572++ LSA_QUERY_TYPE_BY_NT4,
573++ pszLoginId_copy,
574++ pUserNameInfo,
575++ &ppObjects[dwIndex]);
576++ switch (dwError)
577++ {
578++ case LW_ERROR_SUCCESS:
579++ break;
580++ case LW_ERROR_NOT_HANDLED:
581++ case LW_ERROR_NO_SUCH_USER:
582++ case LW_ERROR_NO_SUCH_GROUP:
583++ case LW_ERROR_NO_SUCH_OBJECT:
584++ ppObjects[dwIndex] = NULL;
585++ dwError = LW_ERROR_SUCCESS;
586++ break;
587++ default:
588++ BAIL_ON_LSA_ERROR(dwError);
589++ }
590+ }
591+ break;
592+ default:
593
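Review bot: The LW_ERROR_NO_SUCH_USER, LW_ERROR_NO_SUCH_GROUP and LW_ERROR_NO_SUCH_OBJECT cases that lead into the AssumeDefaultDomain retry look hard to reach, because AD_OnlineFindObjectByName already converts those results from the uncached lookup into LW_ERROR_SUCCESS with a NULL object, which lands in the plain "case LW_ERROR_SUCCESS: break;". If the retry is meant to fire only on LW_ERROR_NOT_HANDLED or LW_ERROR_NOT_SUPPORTED, say so in a comment; if it is meant to fire on any miss, test for a NULL ppObjects[dwIndex] instead. The inner switch after the retry omits LW_ERROR_NOT_SUPPORTED, which the outer one accepts, so the retry can bail out on an error the first attempt tolerates.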
594=== added file 'debian/patches/disable_dcerpc_auto_start.diff'
595--- debian/patches/disable_dcerpc_auto_start.diff 1970-01-01 00:00:00 +0000
596+++ debian/patches/disable_dcerpc_auto_start.diff 2010-12-01 21:33:36 +0000
597@@ -0,0 +1,26 @@
598+Index: likewise-open-5.4.0.42111/domainjoin/domainjoin-cli/src/main.c
599+===================================================================
600+--- likewise-open-5.4.0.42111.orig/domainjoin/domainjoin-cli/src/main.c 2010-04-18 07:54:32.000000000 -0500
601++++ likewise-open-5.4.0.42111/domainjoin/domainjoin-cli/src/main.c 2010-04-18 07:55:33.000000000 -0500
602+@@ -801,7 +801,7 @@
603+ DWORD dwLogLevel;
604+ BOOLEAN showHelp = FALSE;
605+ BOOLEAN showInternalHelp = FALSE;
606+- BOOLEAN bEnableDcerpcd = TRUE;
607++ BOOLEAN bEnableDcerpcd = FALSE;
608+ int remainingArgs = argc;
609+ char **argPos = argv;
610+ int i;
611+Index: likewise-open-5.4.0.42111/domainjoin/domainjoin-gui/gtk/main.c
612+===================================================================
613+--- likewise-open-5.4.0.42111.orig/domainjoin/domainjoin-gui/gtk/main.c 2010-04-18 07:54:32.000000000 -0500
614++++ likewise-open-5.4.0.42111/domainjoin/domainjoin-gui/gtk/main.c 2010-04-18 07:55:42.000000000 -0500
615+@@ -589,7 +589,7 @@
616+
617+ gtk_init(&argc, &argv);
618+
619+- LW_TRY(&exc, DJNetInitialize(TRUE, &LW_EXC));
620++ LW_TRY(&exc, DJNetInitialize(FALSE, &LW_EXC));
621+
622+ do
623+ {
624
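Review bot: The patch flips the bEnableDcerpcd default to FALSE in domainjoin-cli/src/main.c and passes FALSE to DJNetInitialize in the GTK front end, but it carries no description header and the changelog entry in this proposal does not list it. Add a header saying why dcerpcd should no longer be enabled by default and which bug that addresses, and list the patch in debian/changelog so it can be reviewed against the SRU criteria.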
625=== added file 'debian/patches/ignore_group_update_failure_on_leave.diff'
626--- debian/patches/ignore_group_update_failure_on_leave.diff 1970-01-01 00:00:00 +0000
627+++ debian/patches/ignore_group_update_failure_on_leave.diff 2010-12-01 21:33:36 +0000
628@@ -0,0 +1,37 @@
629+commit 69148891011976fa239773af570c123023ac27ab
630+Author: Gerald W. Carter <gcarter@likewiseopen.org>
631+Date: Thu Apr 8 21:05:23 2010 +0000
632+
633+ lsass: Don't fail a "leave" if we cannot remove the domain groups from the builtin groups
634+
635+ Occurs in certain upgrade scenarios where "Domain {Admins,Users}" was not
636+ added into the "Builtin\{Administrators,Users}" group
637+
638+ (lsass: r43096)
639+
640+diff --git a/lsass/join/join.c b/lsass/join/join.c
641+index 0a694dc..ecafa4b 100644
642+--- a/lsass/join/join.c
643++++ b/lsass/join/join.c
644+@@ -725,13 +725,19 @@ LsaChangeDomainGroupMembership(
645+ }
646+ else
647+ {
648++ // This should not cause the join to fail even if we cannot
649++ // remove the group members
650++
651+ ntStatus = SamrDeleteAliasMember(hSamrBinding,
652+ hAlias,
653+ (*ppSid));
654+- if (ntStatus == STATUS_MEMBER_NOT_IN_ALIAS)
655++ if ((ntStatus != STATUS_SUCCESS) &&
656++ (ntStatus != STATUS_NO_SUCH_MEMBER))
657+ {
658+- ntStatus = STATUS_SUCCESS;
659++ // Perhaps log an error here
660++ ;
661+ }
662++ ntStatus = STATUS_SUCCESS;
663+ }
664+ BAIL_ON_NT_STATUS(ntStatus);
665+ }
666
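Review bot: Every failure of SamrDeleteAliasMember is now discarded: the "if" body holds only a comment and an empty statement, and "ntStatus = STATUS_SUCCESS;" follows unconditionally, so the BAIL_ON_NT_STATUS below can no longer fire for this branch. On leave that means the domain groups can remain members of the builtin Administrators and Users groups with nothing recorded; log the status inside the "if" at minimum. The condition tests STATUS_NO_SUCH_MEMBER where the removed line tested STATUS_MEMBER_NOT_IN_ALIAS, and the new comment speaks of the join failing although this is the removal branch.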
667=== added file 'debian/patches/lp-security-CVE-2010-0833.diff'
668--- debian/patches/lp-security-CVE-2010-0833.diff 1970-01-01 00:00:00 +0000
669+++ debian/patches/lp-security-CVE-2010-0833.diff 2010-12-01 21:33:36 +0000
670@@ -0,0 +1,390 @@
671+diff -Nurb likewise-open-5.4.0.42111/lsass/interop/auth/pam/pam-passwd.c likewise-open-5.4.0.42111.patched/lsass/interop/auth/pam/pam-passwd.c
672+--- likewise-open-5.4.0.42111/lsass/interop/auth/pam/pam-passwd.c 2010-03-12 20:33:45.000000000 -0800
673++++ likewise-open-5.4.0.42111.patched/lsass/interop/auth/pam/pam-passwd.c 2010-07-21 13:51:11.000000000 -0700
674+@@ -293,7 +293,6 @@
675+ PSTR pszPassword = NULL;
676+ PSTR pszLoginId = NULL;
677+ HANDLE hLsaConnection = (HANDLE)NULL;
678+- BOOLEAN bCheckOldPassword = FALSE;
679+
680+ LSA_LOG_PAM_DEBUG("LsaPamUpdatePassword::begin");
681+
682+@@ -319,20 +318,11 @@
683+ dwError = LsaOpenServer(&hLsaConnection);
684+ BAIL_ON_LSA_ERROR(dwError);
685+
686+- dwError = LsaPamMustCheckCurrentPassword(
687+- hLsaConnection,
688+- pszLoginId,
689+- &bCheckOldPassword);
690+- BAIL_ON_LSA_ERROR(dwError);
691+-
692+- if (bCheckOldPassword)
693+- {
694+ dwError = LsaPamGetOldPassword(
695+ pamh,
696+ pPamContext,
697+ &pszOldPassword);
698+ BAIL_ON_LSA_ERROR(dwError);
699+- }
700+
701+ dwError = LsaPamGetNewPassword(
702+ pamh,
703+@@ -340,23 +330,12 @@
704+ &pszPassword);
705+ BAIL_ON_LSA_ERROR(dwError);
706+
707+- if (bCheckOldPassword)
708+- {
709+ dwError = LsaChangePassword(
710+ hLsaConnection,
711+ pszLoginId,
712+ pszPassword,
713+ pszOldPassword);
714+ BAIL_ON_LSA_ERROR(dwError);
715+- }
716+- else
717+- {
718+- dwError = LsaSetPassword(
719+- hLsaConnection,
720+- pszLoginId,
721+- pszPassword);
722+- BAIL_ON_LSA_ERROR(dwError);
723+- }
724+
725+ cleanup:
726+
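Review bot: Document in the SRU regression notes that, with both "if (bCheckOldPassword)" blocks and the LsaSetPassword call removed, LsaPamUpdatePassword always calls LsaPamGetOldPassword and LsaChangePassword, so a password can no longer be set through this PAM path without supplying the old one. That is the stated intent of the security fix, but it changes behaviour for administrators who reset passwords as root. LsaPamMustCheckCurrentPassword should be removed in the same patch if it has no remaining caller.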
727+diff -Nurb likewise-open-5.4.0.42111/lsass/server/auth-providers/local-provider/includes.h likewise-open-5.4.0.42111.patched/lsass/server/auth-providers/local-provider/includes.h
728+--- likewise-open-5.4.0.42111/lsass/server/auth-providers/local-provider/includes.h 2010-03-12 20:33:45.000000000 -0800
729++++ likewise-open-5.4.0.42111.patched/lsass/server/auth-providers/local-provider/includes.h 2010-07-21 13:51:11.000000000 -0700
730+@@ -89,6 +89,8 @@
731+ #include <lwrpc/LMcrypt.h>
732+ #include <lwrpc/samr.h>
733+
734++#include <lwmapsecurity/lwmapsecurity.h>
735++
736+ #include <openssl/evp.h>
737+ #include <openssl/md4.h>
738+ #include <openssl/hmac.h>
739+diff -Nurb likewise-open-5.4.0.42111/lsass/server/auth-providers/local-provider/lpdefs.h.in likewise-open-5.4.0.42111.patched/lsass/server/auth-providers/local-provider/lpdefs.h.in
740+--- likewise-open-5.4.0.42111/lsass/server/auth-providers/local-provider/lpdefs.h.in 2010-03-12 20:33:45.000000000 -0800
741++++ likewise-open-5.4.0.42111.patched/lsass/server/auth-providers/local-provider/lpdefs.h.in 2010-07-21 13:51:11.000000000 -0700
742+@@ -109,6 +109,8 @@
743+ {'O','b','j','e','c','t','C','l','a','s','s',0}
744+ #define LOCAL_DIR_ATTR_OBJECT_SID \
745+ {'O','b','j','e','c','t','S','I','D',0}
746++#define LOCAL_DIR_ATTR_SECURITY_DESCRIPTOR \
747++ {'S','e','c','u','r','i','t','y','D','e','s','c','r','i','p','t','o','r',0}
748+ #define LOCAL_DIR_ATTR_DISTINGUISHED_NAME \
749+ {'D','i','s','t','i','n','g','u','i','s','h','e','d','N','a','m','e',0}
750+ #define LOCAL_DIR_ATTR_DOMAIN \
751+diff -Nurb likewise-open-5.4.0.42111/lsass/server/auth-providers/local-provider/lpuser.c likewise-open-5.4.0.42111.patched/lsass/server/auth-providers/local-provider/lpuser.c
752+--- likewise-open-5.4.0.42111/lsass/server/auth-providers/local-provider/lpuser.c 2010-03-12 20:33:45.000000000 -0800
753++++ likewise-open-5.4.0.42111.patched/lsass/server/auth-providers/local-provider/lpuser.c 2010-07-21 13:51:11.000000000 -0700
754+@@ -1136,7 +1136,75 @@
755+ )
756+ {
757+ DWORD dwError = 0;
758++ NTSTATUS ntStatus = STATUS_SUCCESS;
759+ PLOCAL_PROVIDER_CONTEXT pContext = (PLOCAL_PROVIDER_CONTEXT)hProvider;
760++ PLW_MAP_SECURITY_CONTEXT pSecCtx = NULL;
761++ PACCESS_TOKEN pUserToken = NULL;
762++ PWSTR pwszBase = NULL;
763++ DWORD dwScope = 0;
764++ PWSTR pwszFilter = NULL;
765++ WCHAR wszAttrSecurityDescriptor[] = LOCAL_DIR_ATTR_SECURITY_DESCRIPTOR;
766++
767++ PWSTR wszAttributes[] = {
768++ wszAttrSecurityDescriptor,
769++ NULL
770++ };
771++
772++ PDIRECTORY_ENTRY pUserEntry = NULL;
773++ DWORD dwNumEntries = 0;
774++ PSECURITY_DESCRIPTOR_ABSOLUTE pSecDesc = NULL;
775++ GENERIC_MAPPING GenericMapping = {0};
776++ DWORD dwAccessGranted = 0;
777++
778++ /*
779++ * Check if user has right to change the password first
780++ */
781++ ntStatus = LwMapSecurityCreateContext(&pSecCtx);
782++ BAIL_ON_NT_STATUS(ntStatus);
783++
784++ ntStatus = LwMapSecurityCreateAccessTokenFromUidGid(
785++ pSecCtx,
786++ &pUserToken,
787++ pContext->uid,
788++ pContext->gid);
789++ BAIL_ON_NT_STATUS(ntStatus);
790++
791++ dwError = DirectorySearch(
792++ pContext->hDirectory,
793++ pwszBase,
794++ dwScope,
795++ pwszFilter,
796++ wszAttributes,
797++ FALSE,
798++ &pUserEntry,
799++ &dwNumEntries);
800++ BAIL_ON_LSA_ERROR(dwError);
801++
802++ if (dwNumEntries == 0)
803++ {
804++ dwError = LW_ERROR_NO_SUCH_USER;
805++ }
806++ else if (dwNumEntries != 1)
807++ {
808++ dwError = LW_ERROR_DATA_ERROR;
809++ }
810++ BAIL_ON_LSA_ERROR(dwError);
811++
812++ dwError = DirectoryGetEntrySecurityDescriptor(
813++ pUserEntry,
814++ &pSecDesc);
815++ BAIL_ON_LSA_ERROR(dwError);
816++
817++ if (!RtlAccessCheck(pSecDesc,
818++ pUserToken,
819++ USER_ACCESS_CHANGE_PASSWORD,
820++ 0,
821++ &GenericMapping,
822++ &dwAccessGranted,
823++ &ntStatus))
824++ {
825++ BAIL_ON_NT_STATUS(ntStatus);
826++ }
827+
828+ dwError = DirectoryChangePassword(
829+ pContext->hDirectory,
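Review bot: pwszFilter, pwszBase and dwScope are still NULL/0 when they reach DirectorySearch, because nothing in this hunk assigns them after their declarations. If a NULL filter matches every entry, the search is not restricted to the account whose password is being changed: with more than one entry the function returns LW_ERROR_DATA_ERROR, and with exactly one the security descriptor passed to RtlAccessCheck is simply that entry's, not necessarily the target user's. Build the filter for the target account before the search (the LW_SAFE_FREE_MEMORY(pwszFilter) added to cleanup suggests that was the intent). Separately, the only action taken when RtlAccessCheck returns false is BAIL_ON_NT_STATUS(ntStatus); set an explicit access-denied status in that block so a false return that leaves ntStatus at STATUS_SUCCESS cannot fall through to DirectoryChangePassword.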
830+@@ -1145,9 +1213,29 @@
831+ pwszNewPassword);
832+ BAIL_ON_LSA_ERROR(dwError);
833+
834+-error:
835++cleanup:
836++ if (pUserEntry)
837++ {
838++ DirectoryFreeEntries(pUserEntry, dwNumEntries);
839++ }
840++
841++ LW_SAFE_FREE_MEMORY(pwszFilter);
842++
843++ DirectoryFreeEntrySecurityDescriptor(&pSecDesc);
844++
845++ RtlReleaseAccessToken(&pUserToken);
846++ LwMapSecurityFreeContext(&pSecCtx);
847++
848++ if (dwError == ERROR_SUCCESS &&
849++ ntStatus != STATUS_SUCCESS)
850++ {
851++ dwError = LwNtStatusToWin32Error(ntStatus);
852++ }
853+
854+ return dwError;
855++
856++error:
857++ goto cleanup;
858+ }
859+
860+ DWORD
861+diff -Nurb likewise-open-5.4.0.42111/lsass/server/store/samdb/samdbinit.c likewise-open-5.4.0.42111.patched/lsass/server/store/samdb/samdbinit.c
862+--- likewise-open-5.4.0.42111/lsass/server/store/samdb/samdbinit.c 2010-03-12 20:33:45.000000000 -0800
863++++ likewise-open-5.4.0.42111.patched/lsass/server/store/samdb/samdbinit.c 2010-07-21 13:51:47.000000000 -0700
864+@@ -125,6 +125,11 @@
865+ HANDLE hDirectory
866+ );
867+
868++static
869++DWORD
870++SamDbFixLocalAccounts(
871++ HANDLE hDirectory
872++ );
873+
874+ DWORD
875+ DirectoryInitializeProvider(
876+@@ -226,6 +231,7 @@
877+ )
878+ {
879+ DWORD dwError = 0;
880++ HANDLE hDirectory1 = (HANDLE)NULL;
881+ HANDLE hDirectory = (HANDLE)NULL;
882+ PSAM_DIRECTORY_CONTEXT pDirectory = NULL;
883+ PCSTR pszDbDirPath = SAM_DB_DIR;
884+@@ -240,6 +246,12 @@
885+ // TODO: Implement an upgrade scenario
886+ if (bExists)
887+ {
888++ dwError = SamDbOpen(&hDirectory1);
889++ BAIL_ON_SAMDB_ERROR(dwError);
890++
891++ dwError = SamDbFixLocalAccounts(hDirectory1);
892++ BAIL_ON_SAMDB_ERROR(dwError);
893++
894+ goto cleanup;
895+ }
896+
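Review bot: in the if (bExists) branch, a failure from SamDbOpen or SamDbFixLocalAccounts now bails out of initialization for an existing database, so a fix-up meant to harden accounts can instead stop the provider from starting. Decide whether failing closed is intended and say so in a comment, or log the error and continue. The "TODO: Implement an upgrade scenario" comment above is now partly stale, and hDirectory1 deserves a descriptive name next to hDirectory.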
897+@@ -284,6 +296,10 @@
898+ BAIL_ON_SAMDB_ERROR(dwError);
899+
900+ cleanup:
901++ if (hDirectory1)
902++ {
903++ SamDbClose(hDirectory1);
904++ }
905+
906+ if (hDirectory)
907+ {
908+@@ -1193,7 +1209,7 @@
909+ "computer/domain",
910+ .pszShell = SAM_DB_DEFAULT_ADMINISTRATOR_SHELL,
911+ .pszHomedir = SAM_DB_DEFAULT_ADMINISTRATOR_HOMEDIR,
912+- .flags = SAMDB_ACB_NORMAL,
913++ .flags = SAMDB_ACB_NORMAL | SAMDB_ACB_DISABLED,
914+ .objectClass = SAMDB_OBJECT_CLASS_USER
915+ },
916+ {
917+@@ -1786,6 +1802,143 @@
918+ goto cleanup;
919+ }
920+
921++static
922++DWORD
923++SamDbFixLocalAccounts(
924++ HANDLE hDirectory
925++ )
926++{
927++
928++ DWORD dwError = 0;
929++ const wchar_t wszUserObjectFilterFmt[] = L"%ws = %u";
930++ const DWORD dwInt32StrSize = 10;
931++ WCHAR wszAttrObjectClass[] = SAM_DB_DIR_ATTR_OBJECT_CLASS;
932++ WCHAR wszAttrObjectDN[] = SAM_DB_DIR_ATTR_DISTINGUISHED_NAME;
933++ WCHAR wszAttrAccountFlags[] = SAM_DB_DIR_ATTR_ACCOUNT_FLAGS;
934++ WCHAR wszAttrNtHash[] = SAM_DB_DIR_ATTR_NT_HASH;
935++ DWORD dwUserObjectFilterLen = 0;
936++ PWSTR pwszUserObjectFilter = NULL;
937++ ULONG ulScope = 0;
938++ ULONG ulAttributesOnly = 0;
939++ PWSTR pwszBase = NULL;
940++ PWSTR wszAttributes[] = {
941++ &wszAttrObjectDN[0],
942++ &wszAttrAccountFlags[0],
943++ &wszAttrNtHash[0],
944++ NULL
945++ };
946++
947++ PDIRECTORY_ENTRY pUserEntries = NULL;
948++ DWORD dwNumUserEntries = 0;
949++ PDIRECTORY_ENTRY pUserEntry = NULL;
950++ DWORD iEntry = 0;
951++ PWSTR pwszUserObjectDN = NULL;
952++ DWORD dwAccountFlags = 0;
953++ POCTET_STRING pNtHash = NULL;
954++ DWORD iMod = 0;
955++
956++ enum AttrValueIndex {
957++ ATTR_VAL_IDX_ACCOUNT_FLAGS = 0,
958++ ATTR_VAL_IDX_SENTINEL
959++ };
960++
961++ ATTRIBUTE_VALUE AttrValues[] = {
962++ { /* ATTR_VAL_IDX_ACCOUNT_FLAGS */
963++ .Type = DIRECTORY_ATTR_TYPE_LARGE_INTEGER,
964++ .data.ulValue = 0
965++ }
966++ };
967++
968++ DIRECTORY_MOD ModAccountFlags = {
969++ DIR_MOD_FLAGS_REPLACE,
970++ wszAttrAccountFlags,
971++ 1,
972++ &AttrValues[ATTR_VAL_IDX_ACCOUNT_FLAGS]
973++ };
974++
975++ DIRECTORY_MOD Mods[ATTR_VAL_IDX_SENTINEL + 1];
976++ memset(&Mods, 0, sizeof(Mods));
977++
978++ dwUserObjectFilterLen = (sizeof(wszAttrObjectClass)/sizeof(wszAttrObjectClass[0]) +
979++ dwInt32StrSize +
980++ sizeof(wszUserObjectFilterFmt));
981++ dwError = LwAllocateMemory(dwUserObjectFilterLen * sizeof(WCHAR),
982++ OUT_PPVOID(&pwszUserObjectFilter));
983++ BAIL_ON_SAMDB_ERROR(dwError);
984++
985++ if (sw16printfw(pwszUserObjectFilter, dwUserObjectFilterLen,
986++ wszUserObjectFilterFmt,
987++ &wszAttrObjectClass[0], SAMDB_OBJECT_CLASS_USER) < 0)
988++ {
989++ dwError = LwErrnoToWin32Error(errno);
990++ BAIL_ON_SAMDB_ERROR(dwError);
991++ }
992++
993++ dwError = SamDbSearchObject(hDirectory,
994++ pwszBase,
995++ ulScope,
996++ pwszUserObjectFilter,
997++ wszAttributes,
998++ ulAttributesOnly,
999++ &pUserEntries,
1000++ &dwNumUserEntries);
1001++ BAIL_ON_SAMDB_ERROR(dwError);
1002++
1003++ for (iEntry = 0; iEntry < dwNumUserEntries; iEntry++)
1004++ {
1005++ pUserEntry = &(pUserEntries[iEntry]);
1006++
1007++ dwError = DirectoryGetEntryAttrValueByName(
1008++ pUserEntry,
1009++ wszAttrObjectDN,
1010++ DIRECTORY_ATTR_TYPE_UNICODE_STRING,
1011++ &pwszUserObjectDN);
1012++ BAIL_ON_SAMDB_ERROR(dwError);
1013++
1014++ dwError = DirectoryGetEntryAttrValueByName(
1015++ pUserEntry,
1016++ wszAttrAccountFlags,
1017++ DIRECTORY_ATTR_TYPE_INTEGER,
1018++ &dwAccountFlags);
1019++ BAIL_ON_SAMDB_ERROR(dwError);
1020++
1021++ dwError = DirectoryGetEntryAttrValueByName(
1022++ pUserEntry,
1023++ wszAttrNtHash,
1024++ DIRECTORY_ATTR_TYPE_OCTET_STREAM,
1025++ &pNtHash);
1026++ BAIL_ON_SAMDB_ERROR(dwError);
1027++
1028++ if ((pNtHash == NULL || pNtHash->ulNumBytes == 0) &&
1029++ !(dwAccountFlags & SAMDB_ACB_DISABLED))
1030++ {
1031++ dwAccountFlags |= SAMDB_ACB_DISABLED;
1032++
1033++ AttrValues[ATTR_VAL_IDX_ACCOUNT_FLAGS].data.ulValue = dwAccountFlags;
1034++
1035++ Mods[iMod++] = ModAccountFlags;
1036++
1037++ dwError = SamDbModifyObject(hDirectory,
1038++ pwszUserObjectDN,
1039++ Mods);
1040++ BAIL_ON_SAMDB_ERROR(dwError);
1041++ }
1042++ }
1043++
1044++cleanup:
1045++ if (pUserEntries)
1046++ {
1047++ DirectoryFreeEntries(pUserEntries, dwNumUserEntries);
1048++ }
1049++
1050++ LW_SAFE_FREE_MEMORY(pwszUserObjectFilter);
1051++
1052++ return dwError;
1053++
1054++error:
1055++ goto cleanup;
1056++}
1057++
1058+
1059+ /*
1060+ local variables:
1061
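Review bot: iMod is never reset inside the for loop in SamDbFixLocalAccounts, so "Mods[iMod++] = ModAccountFlags;" writes Mods[1] for the second account that needs fixing (overwriting the zeroed entry that presumably terminates the list) and Mods[2] for the third, which is past the end of Mods[ATTR_VAL_IDX_SENTINEL + 1]. Set iMod = 0 at the top of each iteration, or assign Mods[0] directly. Two smaller points: the account flags are read as DIRECTORY_ATTR_TYPE_INTEGER but written back through an ATTRIBUTE_VALUE typed DIRECTORY_ATTR_TYPE_LARGE_INTEGER, and dwUserObjectFilterLen adds sizeof(wszUserObjectFilterFmt) in bytes to counts of elements, which over-allocates; neither is explained in a comment.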
1062=== added file 'debian/patches/lsass_turn_off_ncacn_ip_tcp.diff'
1063--- debian/patches/lsass_turn_off_ncacn_ip_tcp.diff 1970-01-01 00:00:00 +0000
1064+++ debian/patches/lsass_turn_off_ncacn_ip_tcp.diff 2010-12-01 21:33:36 +0000
1065@@ -0,0 +1,39 @@
1066+Index: likewise-open-5.4.0.42111/lsass/server/rpc/dssetup/dssetup_srv.c
1067+===================================================================
1068+--- likewise-open-5.4.0.42111.orig/lsass/server/rpc/dssetup/dssetup_srv.c 2010-04-17 14:55:19.000000000 -0500
1069++++ likewise-open-5.4.0.42111/lsass/server/rpc/dssetup/dssetup_srv.c 2010-04-17 14:56:31.000000000 -0500
1070+@@ -118,7 +118,7 @@
1071+
1072+ ENDPOINT EndPoints[] = {
1073+ { "ncacn_np", "\\\\pipe\\\\lsass" },
1074+- { "ncacn_ip_tcp", NULL },
1075++ // { "ncacn_ip_tcp", NULL },
1076+ { NULL, NULL }
1077+ };
1078+ DWORD dwError = 0;
1079+Index: likewise-open-5.4.0.42111/lsass/server/rpc/lsa/lsa_srv.c
1080+===================================================================
1081+--- likewise-open-5.4.0.42111.orig/lsass/server/rpc/lsa/lsa_srv.c 2010-04-17 14:55:19.000000000 -0500
1082++++ likewise-open-5.4.0.42111/lsass/server/rpc/lsa/lsa_srv.c 2010-04-17 14:56:06.000000000 -0500
1083+@@ -119,7 +119,7 @@
1084+ ENDPOINT EndPoints[] = {
1085+ { "ncacn_np", "\\\\pipe\\\\lsarpc" },
1086+ { "ncacn_np", "\\\\pipe\\\\lsass" },
1087+- { "ncacn_ip_tcp", NULL },
1088++ // { "ncacn_ip_tcp", NULL },
1089+ { "ncalrpc", NULL }, /* endpoint is fetched from config parameter */
1090+ { NULL, NULL }
1091+ };
1092+Index: likewise-open-5.4.0.42111/lsass/server/rpc/samr/samr_srv.c
1093+===================================================================
1094+--- likewise-open-5.4.0.42111.orig/lsass/server/rpc/samr/samr_srv.c 2010-04-17 14:55:19.000000000 -0500
1095++++ likewise-open-5.4.0.42111/lsass/server/rpc/samr/samr_srv.c 2010-04-17 14:55:51.000000000 -0500
1096+@@ -121,7 +121,7 @@
1097+ PCSTR pszDescription = "Security Accounts Manager";
1098+ ENDPOINT EndPoints[] = {
1099+ { "ncacn_np", "\\\\pipe\\\\samr" },
1100+- { "ncacn_ip_tcp", NULL },
1101++ // { "ncacn_ip_tcp", NULL },
1102+ { "ncalrpc", NULL }, /* endpoint is fetched from config parameter */
1103+ { NULL, NULL }
1104+ };
1105
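Review bot: all three hunks disable the TCP endpoint by turning the ncacn_ip_tcp array entry into a // comment, which leaves dead code behind and gives no reason, while the neighbouring entries use /* */ comments. Remove the entry outright and put the rationale in a patch header, which this file lacks (it starts directly at the first Index: line).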
1106=== added file 'debian/patches/lwupgrade_multi_sz.diff'
1107--- debian/patches/lwupgrade_multi_sz.diff 1970-01-01 00:00:00 +0000
1108+++ debian/patches/lwupgrade_multi_sz.diff 2010-12-01 21:33:36 +0000
1109@@ -0,0 +1,77 @@
1110+commit a1812bb292173c1e7265b6ab523a0df78b1010d5
1111+Author: Scott Salley <ssalley@likewise.com>
1112+Date: Mon May 3 23:14:34 2010 +0000
1113+
1114+ Merge: -c 43867 ^/trunk/Platform -> ~/branches/lwidentity-5.4
1115+
1116+ Multistring handling was extremely poor, now it is a bit better.
1117+
1118+ (lwupgrade: r43874)
1119+
1120+diff --git a/lwupgrade/utils/convert.c b/lwupgrade/utils/convert.c
1121+index f399d93..381bb03 100644
1122+--- a/lwupgrade/utils/convert.c
1123++++ b/lwupgrade/utils/convert.c
1124+@@ -47,12 +47,18 @@ UpStringToMultiString(
1125+ DWORD i = 0;
1126+ DWORD j = 0;
1127+ PSTR pszCompactIn = NULL;
1128+- DWORD dwLength = 0;
1129+
1130+- // First, remove all whitespace from the string.
1131+- dwError = LwAllocateString(pszIn, &pszCompactIn);
1132++ // Make a copy of the string, reserving enough space for terminator.
1133++ dwError = LwAllocateMemory(strlen(pszIn) + 2, (PVOID*)&pszCompactIn);
1134+ BAIL_ON_UP_ERROR(dwError);
1135+
1136++ memcpy(pszCompactIn, pszIn, strlen(pszIn) + 1);
1137++
1138++ // First, remove all whitespace from the string.
1139++ //dwError = LwAllocateString(pszIn, &pszCompactIn);
1140++ //BAIL_ON_UP_ERROR(dwError);
1141++
1142++
1143+ i = 0;
1144+ j = 0;
1145+ while (pszCompactIn[i])
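Review bot: the old LwAllocateString call is left behind as commented-out code, under a "First, remove all whitespace from the string." comment that no longer sits above the code it describes. Delete the commented lines, and have the new comment state what the extra byte in strlen(pszIn) + 2 is for (presumably the second NUL that ends the multistring). strlen(pszIn) is also computed twice; store it in a local.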
1146+@@ -79,16 +85,20 @@ UpStringToMultiString(
1147+ bCharacterIsDelimiter = TRUE;
1148+ }
1149+
1150++ // Don't want to delimiters in a row.
1151+ if (!(bPreviousCharacterIsDelimiter && bCharacterIsDelimiter))
1152+ {
1153+ pszCompactIn[j++] = pszCompactIn[i];
1154+- bPreviousCharacterIsDelimiter = bCharacterIsDelimiter;
1155+ }
1156++
1157++ bPreviousCharacterIsDelimiter = bCharacterIsDelimiter;
1158+ i++;
1159+ }
1160++ pszCompactIn[j++] = '\0';
1161+
1162+
1163+ // Finally, replace all delmiters with '\0'.
1164++ i = 0;
1165+ while (pszCompactIn[i])
1166+ {
1167+ if (strchr(pszDelims, pszCompactIn[i]))
1168+@@ -97,17 +107,7 @@ UpStringToMultiString(
1169+ }
1170+ i++;
1171+ }
1172+-
1173+- // Third, remove all 'empty' strings.
1174+- dwLength = i;
1175+- while (i < dwLength - 1)
1176+- {
1177+- if (!pszCompactIn[i] && !pszCompactIn[i + 1])
1178+- {
1179+- pszCompactIn[j++] = pszCompactIn[i];
1180+- }
1181+- i++;
1182+- }
1183++ pszCompactIn[i+1] = '\0';
1184+
1185+ cleanup:
1186+
1187
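Review bot: "pszCompactIn[i+1] = '\0';" stays in bounds only because the first hunk allocates strlen(pszIn) + 2 bytes, and nothing at this line says so. Add a comment here tying the write to that allocation, so a later change to the allocation size does not silently turn this into a one-byte overflow.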
1188=== added file 'debian/patches/offline_v2.diff'
1189--- debian/patches/offline_v2.diff 1970-01-01 00:00:00 +0000
1190+++ debian/patches/offline_v2.diff 2010-12-01 21:33:36 +0000
1191@@ -0,0 +1,201 @@
1192+Index: likewise-open-5.4.0.42111/lsass/common/utils/lsalist.c
1193+===================================================================
1194+--- likewise-open-5.4.0.42111.orig/lsass/common/utils/lsalist.c 2010-06-17 22:17:40.000000000 -0700
1195++++ likewise-open-5.4.0.42111/lsass/common/utils/lsalist.c 2010-06-17 22:20:26.000000000 -0700
1196+@@ -106,6 +106,7 @@
1197+ {
1198+ Element->Prev->Next = Element->Next;
1199+ Element->Next->Prev = Element->Prev;
1200++ LsaListInit(Element);
1201+ }
1202+
1203+ LSA_LIST_LINKS*
1204+Index: likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/offline.c
1205+===================================================================
1206+--- likewise-open-5.4.0.42111.orig/lsass/server/auth-providers/ad-provider/offline.c 2010-06-17 22:17:40.000000000 -0700
1207++++ likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/offline.c 2010-06-17 22:20:50.000000000 -0700
1208+@@ -111,7 +111,7 @@
1209+ &pszNT4UserName,
1210+ "%s\\%s",
1211+ pUserInfo->pszNetbiosDomainName,
1212+- pUserInfo->userInfo.pszUPN);
1213++ pUserInfo->pszSamAccountName);
1214+ BAIL_ON_LSA_ERROR(dwError);
1215+
1216+ dwError = LsaUmAddUser(
1217+@@ -592,11 +592,6 @@
1218+ break;
1219+ }
1220+
1221+- if (dwError == LW_ERROR_SUCCESS)
1222+- {
1223+- dwError = AD_CheckExpiredObject(&pCachedUser);
1224+- }
1225+-
1226+ switch (dwError)
1227+ {
1228+ case LW_ERROR_SUCCESS:
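Review bot: removing the AD_CheckExpiredObject(&pCachedUser) call here, and again in the next hunk, means the offline path no longer runs the expiry check on the cached object at these two points, and neither the code nor the patch file (which has no description) explains why. This is a policy change with security weight, since a cached account keeps resolving for as long as the domain is unreachable. Add a comment at both sites and a changelog line stating that this is deliberate, and whether it relates to the CacheEntryExpire bug listed in the merge description.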
1229+@@ -681,10 +676,6 @@
1230+ dwError = LW_ERROR_INVALID_PARAMETER;
1231+ BAIL_ON_LSA_ERROR(dwError);
1232+ }
1233+- if (dwError == LW_ERROR_SUCCESS)
1234+- {
1235+- dwError = AD_CheckExpiredObject(&pCachedUser);
1236+- }
1237+
1238+ switch (dwError)
1239+ {
1240+@@ -834,10 +825,19 @@
1241+ PLSA_GROUP_MEMBERSHIP* ppMemberships = NULL;
1242+ // Only free top level array, do not free string pointers.
1243+ PSTR pszGroupSid = NULL;
1244+- PLSA_SECURITY_OBJECT pUserInfo = NULL;
1245++ PLSA_SECURITY_OBJECT* ppUserObject = NULL;
1246+ DWORD dwIndex = 0;
1247+
1248+- dwError = AD_FindObjectBySid(hProvider, pszSid, &pUserInfo);
1249++ dwError = AD_OfflineFindObjectsBySidList(
1250++ 1,
1251++ &pszSid,
1252++ &ppUserObject);
1253++ BAIL_ON_LSA_ERROR(dwError);
1254++
1255++ if (!ppUserObject[0])
1256++ {
1257++ dwError = LW_ERROR_NO_SUCH_USER;
1258++ }
1259+ BAIL_ON_LSA_ERROR(dwError);
1260+
1261+ dwError = ADCacheGetGroupsForUser(
1262+@@ -874,7 +874,7 @@
1263+ cleanup:
1264+
1265+ LW_SAFE_FREE_MEMORY(pszGroupSid);
1266+- ADCacheSafeFreeObject(&pUserInfo);
1267++ ADCacheSafeFreeObjectList(1, &ppUserObject);
1268+ ADCacheSafeFreeGroupMembershipList(sMembershipCount, &ppMemberships);
1269+
1270+ return dwError;
1271+Index: likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/online.c
1272+===================================================================
1273+--- likewise-open-5.4.0.42111.orig/lsass/server/auth-providers/ad-provider/online.c 2010-06-17 22:17:40.000000000 -0700
1274++++ likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/online.c 2010-06-17 22:20:50.000000000 -0700
1275+@@ -4161,7 +4161,6 @@
1276+ case LW_ERROR_NO_SUCH_USER:
1277+ case LW_ERROR_NO_SUCH_GROUP:
1278+ case LW_ERROR_NO_SUCH_OBJECT:
1279+- case LW_ERROR_DOMAIN_IS_OFFLINE:
1280+ dwError = LW_ERROR_SUCCESS;
1281+ break;
1282+ default:
1283+@@ -4426,7 +4425,6 @@
1284+ case LW_ERROR_NO_SUCH_USER:
1285+ case LW_ERROR_NO_SUCH_GROUP:
1286+ case LW_ERROR_NO_SUCH_OBJECT:
1287+- case LW_ERROR_DOMAIN_IS_OFFLINE:
1288+ dwError = LW_ERROR_SUCCESS;
1289+ break;
1290+ default:
1291+Index: likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/provider-main.c
1292+===================================================================
1293+--- likewise-open-5.4.0.42111.orig/lsass/server/auth-providers/ad-provider/provider-main.c 2010-06-17 22:17:40.000000000 -0700
1294++++ likewise-open-5.4.0.42111/lsass/server/auth-providers/ad-provider/provider-main.c 2010-06-17 22:20:50.000000000 -0700
1295+@@ -3498,7 +3498,11 @@
1296+
1297+ if (AD_IsOffline())
1298+ {
1299+- dwError = AD_OfflineFindObjects(
1300++ dwError = LW_ERROR_DOMAIN_IS_OFFLINE;
1301++ }
1302++ else
1303++ {
1304++ dwError = AD_OnlineFindObjects(
1305+ hProvider,
1306+ FindFlags,
1307+ ObjectType,
1308+@@ -3506,11 +3510,11 @@
1309+ dwCount,
1310+ QueryList,
1311+ &ppObjects);
1312+- BAIL_ON_LSA_ERROR(dwError);
1313+ }
1314+- else
1315++
1316++ if (LW_ERROR_DOMAIN_IS_OFFLINE == dwError)
1317+ {
1318+- dwError = AD_OnlineFindObjects(
1319++ dwError = AD_OfflineFindObjects(
1320+ hProvider,
1321+ FindFlags,
1322+ ObjectType,
1323+@@ -3518,8 +3522,8 @@
1324+ dwCount,
1325+ QueryList,
1326+ &ppObjects);
1327+- BAIL_ON_LSA_ERROR(dwError);
1328+ }
1329++ BAIL_ON_LSA_ERROR(dwError);
1330+
1331+ if (ppObjects)
1332+ {
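Review bot: &ppObjects is handed to AD_OnlineFindObjects and then, on LW_ERROR_DOMAIN_IS_OFFLINE, to AD_OfflineFindObjects with no cleanup in between. Confirm the online call leaves ppObjects NULL when it fails this way, or free it before the fallback; otherwise a partial result is leaked. The same online-then-offline pattern is repeated in the following hunks with pEnum->ppszSids and pppszGroupSids, so a small helper would keep the three copies from drifting apart.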
1333+@@ -3704,24 +3708,28 @@
1334+
1335+ if (AD_IsOffline())
1336+ {
1337+- dwError = AD_OfflineGetGroupMemberSids(
1338++ dwError = LW_ERROR_DOMAIN_IS_OFFLINE;
1339++ }
1340++ else
1341++ {
1342++ dwError = AD_OnlineGetGroupMemberSids(
1343+ hProvider,
1344+ FindFlags,
1345+ pszSid,
1346+ &pEnum->dwSidCount,
1347+ &pEnum->ppszSids);
1348+- BAIL_ON_LSA_ERROR(dwError);
1349+ }
1350+- else
1351++
1352++ if (LW_ERROR_DOMAIN_IS_OFFLINE == dwError)
1353+ {
1354+- dwError = AD_OnlineGetGroupMemberSids(
1355++ dwError = AD_OfflineGetGroupMemberSids(
1356+ hProvider,
1357+ FindFlags,
1358+ pszSid,
1359+ &pEnum->dwSidCount,
1360+ &pEnum->ppszSids);
1361+- BAIL_ON_LSA_ERROR(dwError);
1362+ }
1363++ BAIL_ON_LSA_ERROR(dwError);
1364+
1365+ *phEnum = pEnum;
1366+
1367+@@ -3817,7 +3825,11 @@
1368+
1369+ if (AD_IsOffline())
1370+ {
1371+- dwError = AD_OfflineQueryMemberOf(
1372++ dwError = LW_ERROR_DOMAIN_IS_OFFLINE;
1373++ }
1374++ else
1375++ {
1376++ dwError = AD_OnlineQueryMemberOf(
1377+ hProvider,
1378+ FindFlags,
1379+ dwSidCount,
1380+@@ -3825,9 +3837,10 @@
1381+ pdwGroupSidCount,
1382+ pppszGroupSids);
1383+ }
1384+- else
1385++
1386++ if (LW_ERROR_DOMAIN_IS_OFFLINE == dwError)
1387+ {
1388+- dwError = AD_OnlineQueryMemberOf(
1389++ dwError = AD_OfflineQueryMemberOf(
1390+ hProvider,
1391+ FindFlags,
1392+ dwSidCount,
1393
1394=== added file 'debian/patches/reg_import_multi_sz.diff'
1395--- debian/patches/reg_import_multi_sz.diff 1970-01-01 00:00:00 +0000
1396+++ debian/patches/reg_import_multi_sz.diff 2010-12-01 21:33:36 +0000
1397@@ -0,0 +1,14 @@
1398+diff --git a/lwreg/parse/reglex.c b/lwreg/parse/reglex.c
1399+index 8d01668..747c9c6 100644
1400+--- a/lwreg/parse/reglex.c
1401++++ b/lwreg/parse/reglex.c
1402+@@ -449,7 +449,8 @@ RegLexParseBackslash(
1403+ dwError = RegIOUnGetChar(ioHandle, NULL);
1404+ }
1405+ }
1406+- else if (lexHandle->state == REGLEX_STATE_IN_QUOTE)
1407++
1408++ if (lexHandle->state == REGLEX_STATE_IN_QUOTE)
1409+ {
1410+ /*
1411+ * Treat sequence '\C' (C=any character) as
1412
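Review bot: changing "else if" to a plain "if" makes the REGLEX_STATE_IN_QUOTE block run after the preceding branch as well, but the dwError returned by RegIOUnGetChar(ioHandle, NULL) in that branch is not checked first. Bail on that error before the new if, and add a comment on why both blocks must now run for the same backslash, since the patch carries no description.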
1413=== modified file 'debian/patches/series'
1414--- debian/patches/series 2010-04-09 12:30:18 +0000
1415+++ debian/patches/series 2010-12-01 21:33:36 +0000
1416@@ -14,3 +14,11 @@
1417 autoreconf_dcerpc.diff
1418 correct_lsass_configure_platform_detection.patch
1419 autoreconf_lsass.conf
1420+ignore_group_update_failure_on_leave.diff
1421+#lsass_turn_off_ncacn_ip_tcp.diff
1422+#disable_dcerpc_auto_start.diff
1423+lwupgrade_multi_sz.diff
1424+assume_default_domain.diff
1425+reg_import_multi_sz.diff
1426+offline_v2.diff
1427+lp-security-CVE-2010-0833.diff
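Review bot: lsass_turn_off_ncacn_ip_tcp.diff and disable_dcerpc_auto_start.diff are added to the series commented out with #, so those patches ship in the source package but are not applied. Either drop the entries (and the unused patch files) or note in the changelog why they are carried disabled.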
