search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tdb: introduce TDB_SUPPORTED_FEATURE_FLAGS
[Samba.git] / source3 / passdb / pdb_samba_dsdb.c
blob01e747a00fc71ea054681fb69f2c39ac861ce4c3
1 /*
2 Unix SMB/CIFS implementation.
3 pdb glue module for direct access to the dsdb via LDB APIs
4 Copyright (C) Volker Lendecke 2009-2011
5 Copyright (C) Andrew Bartlett 2010-2012
6 Copyright (C) Matthias Dieter Wallnöfer 2009
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /* This module, is a port of Volker's pdb_ads to ldb and DSDB APIs */
23
24 #include "includes.h"
25 #include "source3/include/passdb.h"
26 #include "source4/dsdb/samdb/samdb.h"
27 #include "ldb_errors.h"
28 #include "libcli/security/dom_sid.h"
29 #include "source4/winbind/idmap.h"
30 #include "librpc/gen_ndr/ndr_security.h"
31 #include "libds/common/flag_mapping.h"
32 #include "source4/lib/events/events.h"
33 #include "source4/auth/session.h"
34 #include "source4/auth/system_session_proto.h"
35 #include "lib/param/param.h"
36 #include "source4/dsdb/common/util.h"
37 #include "source3/include/secrets.h"
38
39 struct pdb_samba_dsdb_state {
40 struct tevent_context *ev;
41 struct ldb_context *ldb;
42 struct idmap_context *idmap_ctx;
43 struct loadparm_context *lp_ctx;
44 };
45
46 static NTSTATUS pdb_samba_dsdb_getsampwsid(struct pdb_methods *m,
47 struct samu *sam_acct,
48 const struct dom_sid *sid);
49 static NTSTATUS pdb_samba_dsdb_getsamupriv(struct pdb_samba_dsdb_state *state,
50 const char *filter,
51 TALLOC_CTX *mem_ctx,
52 struct ldb_message **pmsg);
53 static bool pdb_samba_dsdb_sid_to_id(struct pdb_methods *m, const struct dom_sid *sid,
54 struct unixid *id);
55
56 static bool pdb_samba_dsdb_pull_time(struct ldb_message *msg, const char *attr,
57 time_t *ptime)
58 {
59 uint64_t tmp;
60 if (! ldb_msg_find_element(msg, attr)) {
61 return false;
62 }
63 tmp = ldb_msg_find_attr_as_uint64(msg, attr, 0);
64 *ptime = nt_time_to_unix(tmp);
65 return true;
66 }
67
68 static struct pdb_domain_info *pdb_samba_dsdb_get_domain_info(
69 struct pdb_methods *m, TALLOC_CTX *mem_ctx)
70 {
71 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
72 m->private_data, struct pdb_samba_dsdb_state);
73 struct pdb_domain_info *info;
74 struct dom_sid *domain_sid;
75 struct ldb_dn *forest_dn, *domain_dn;
76 struct ldb_result *dom_res = NULL;
77 const char *dom_attrs[] = {
78 "objectSid",
79 "objectGUID",
80 "fSMORoleOwner",
81 NULL
82 };
83 char *p;
84 int ret;
85
86 info = talloc(mem_ctx, struct pdb_domain_info);
87 if (info == NULL) {
88 return NULL;
89 }
90
91 domain_dn = ldb_get_default_basedn(state->ldb);
92
93 ret = ldb_search(state->ldb, info, &dom_res,
94 domain_dn, LDB_SCOPE_BASE, dom_attrs, NULL);
95 if (ret != LDB_SUCCESS) {
96 goto fail;
97 }
98 if (dom_res->count != 1) {
99 goto fail;
100 }
101
102 info->guid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
103
104 domain_sid = samdb_result_dom_sid(state, dom_res->msgs[0], "objectSid");
105 if (!domain_sid) {
106 goto fail;
107 }
108 info->sid = *domain_sid;
109
110 TALLOC_FREE(dom_res);
111
112 info->name = talloc_strdup(info, lpcfg_sam_name(state->lp_ctx));
113 info->dns_domain = ldb_dn_canonical_string(info, domain_dn);
114
115 if (!info->dns_domain) {
116 goto fail;
117 }
118 p = strchr(info->dns_domain, '/');
119 if (p) {
120 *p = '\0';
121 }
122
123 forest_dn = ldb_get_root_basedn(state->ldb);
124 if (!forest_dn) {
125 goto fail;
126 }
127
128 info->dns_forest = ldb_dn_canonical_string(info, forest_dn);
129 if (!info->dns_forest) {
130 goto fail;
131 }
132 p = strchr(info->dns_forest, '/');
133 if (p) {
134 *p = '\0';
135 }
136
137 return info;
138
139 fail:
140 TALLOC_FREE(dom_res);
141 TALLOC_FREE(info);
142 return NULL;
143 }
144
145 static struct ldb_message *pdb_samba_dsdb_get_samu_private(
146 struct pdb_methods *m, struct samu *sam)
147 {
148 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
149 m->private_data, struct pdb_samba_dsdb_state);
150 struct ldb_message *msg;
151 char *sidstr, *filter;
152 NTSTATUS status;
153
154 msg = (struct ldb_message *)
155 pdb_get_backend_private_data(sam, m);
156
157 if (msg != NULL) {
158 return talloc_get_type_abort(msg, struct ldb_message);
159 }
160
161 sidstr = dom_sid_string(talloc_tos(), pdb_get_user_sid(sam));
162 if (sidstr == NULL) {
163 return NULL;
164 }
165
166 filter = talloc_asprintf(
167 talloc_tos(), "(&(objectsid=%s)(objectclass=user))", sidstr);
168 TALLOC_FREE(sidstr);
169 if (filter == NULL) {
170 return NULL;
171 }
172
173 status = pdb_samba_dsdb_getsamupriv(state, filter, sam, &msg);
174 TALLOC_FREE(filter);
175 if (!NT_STATUS_IS_OK(status)) {
176 return NULL;
177 }
178
179 return msg;
180 }
181
182 static NTSTATUS pdb_samba_dsdb_init_sam_from_priv(struct pdb_methods *m,
183 struct samu *sam,
184 struct ldb_message *msg)
185 {
186 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
187 m->private_data, struct pdb_samba_dsdb_state);
188 TALLOC_CTX *frame = talloc_stackframe();
189 NTSTATUS status = NT_STATUS_INTERNAL_DB_CORRUPTION;
190 const char *str;
191 time_t tmp_time;
192 struct dom_sid *sid, group_sid;
193 uint64_t n;
194 const DATA_BLOB *blob;
195
196 str = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
197 if (str == NULL) {
198 DEBUG(10, ("no samAccountName\n"));
199 goto fail;
200 }
201 pdb_set_username(sam, str, PDB_SET);
202
203 if (pdb_samba_dsdb_pull_time(msg, "lastLogon", &tmp_time)) {
204 pdb_set_logon_time(sam, tmp_time, PDB_SET);
205 }
206 if (pdb_samba_dsdb_pull_time(msg, "lastLogoff", &tmp_time)) {
207 pdb_set_logoff_time(sam, tmp_time, PDB_SET);
208 }
209 if (pdb_samba_dsdb_pull_time(msg, "pwdLastSet", &tmp_time)) {
210 pdb_set_pass_last_set_time(sam, tmp_time, PDB_SET);
211 }
212 if (pdb_samba_dsdb_pull_time(msg, "accountExpires", &tmp_time)) {
213 pdb_set_kickoff_time(sam, tmp_time, PDB_SET);
214 }
215
216 str = ldb_msg_find_attr_as_string(msg, "displayName",
217 NULL);
218 if (str != NULL) {
219 pdb_set_fullname(sam, str, PDB_SET);
220 }
221
222 str = ldb_msg_find_attr_as_string(msg, "homeDirectory",
223 NULL);
224 if (str != NULL) {
225 pdb_set_homedir(sam, str, PDB_SET);
226 }
227
228 str = ldb_msg_find_attr_as_string(msg, "homeDrive", NULL);
229 if (str != NULL) {
230 pdb_set_dir_drive(sam, str, PDB_SET);
231 }
232
233 str = ldb_msg_find_attr_as_string(msg, "scriptPath", NULL);
234 if (str != NULL) {
235 pdb_set_logon_script(sam, str, PDB_SET);
236 }
237
238 str = ldb_msg_find_attr_as_string(msg, "profilePath",
239 NULL);
240 if (str != NULL) {
241 pdb_set_profile_path(sam, str, PDB_SET);
242 }
243
244 str = ldb_msg_find_attr_as_string(msg, "comment",
245 NULL);
246 if (str != NULL) {
247 pdb_set_comment(sam, str, PDB_SET);
248 }
249
250 str = ldb_msg_find_attr_as_string(msg, "description",
251 NULL);
252 if (str != NULL) {
253 pdb_set_acct_desc(sam, str, PDB_SET);
254 }
255
256 str = ldb_msg_find_attr_as_string(msg, "userWorkstations",
257 NULL);
258 if (str != NULL) {
259 pdb_set_workstations(sam, str, PDB_SET);
260 }
261
262 str = ldb_msg_find_attr_as_string(msg, "userParameters",
263 NULL);
264 if (str != NULL) {
265 pdb_set_munged_dial(sam, str, PDB_SET);
266 }
267
268 sid = samdb_result_dom_sid(talloc_tos(), msg, "objectSid");
269 if (!sid) {
270 DEBUG(10, ("Could not pull SID\n"));
271 goto fail;
272 }
273 pdb_set_user_sid(sam, sid, PDB_SET);
274
275 n = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed");
276 if (n == 0) {
277 DEBUG(10, ("Could not pull userAccountControl\n"));
278 goto fail;
279 }
280 pdb_set_acct_ctrl(sam, n, PDB_SET);
281
282 blob = ldb_msg_find_ldb_val(msg, "unicodePwd");
283 if (blob) {
284 if (blob->length != NT_HASH_LEN) {
285 DEBUG(0, ("Got NT hash of length %d, expected %d\n",
286 (int)blob->length, NT_HASH_LEN));
287 goto fail;
288 }
289 pdb_set_nt_passwd(sam, blob->data, PDB_SET);
290 }
291
292 blob = ldb_msg_find_ldb_val(msg, "dBCSPwd");
293 if (blob) {
294 if (blob->length != LM_HASH_LEN) {
295 DEBUG(0, ("Got LM hash of length %d, expected %d\n",
296 (int)blob->length, LM_HASH_LEN));
297 goto fail;
298 }
299 pdb_set_lanman_passwd(sam, blob->data, PDB_SET);
300 }
301
302 n = ldb_msg_find_attr_as_uint(msg, "primaryGroupID", 0);
303 if (n == 0) {
304 DEBUG(10, ("Could not pull primaryGroupID\n"));
305 goto fail;
306 }
307 sid_compose(&group_sid, samdb_domain_sid(state->ldb), n);
308 pdb_set_group_sid(sam, &group_sid, PDB_SET);
309
310 status = NT_STATUS_OK;
311 fail:
312 TALLOC_FREE(frame);
313 return status;
314 }
315
316 static bool pdb_samba_dsdb_add_time(struct ldb_message *msg,
317 const char *attrib, time_t t)
318 {
319 uint64_t nt_time;
320
321 unix_to_nt_time(&nt_time, t);
322
323 return ldb_msg_add_fmt(msg, attrib, "%llu", (unsigned long long) nt_time);
324 }
325
326 static int pdb_samba_dsdb_replace_by_sam(struct pdb_samba_dsdb_state *state,
327 bool (*need_update)(const struct samu *,
328 enum pdb_elements),
329 struct ldb_dn *dn,
330 struct samu *sam)
331 {
332 TALLOC_CTX *frame = talloc_stackframe();
333 int ret = LDB_SUCCESS;
334 const char *pw;
335 struct ldb_message *msg;
336 struct ldb_request *req;
337 uint32_t dsdb_flags = 0;
338 /* TODO: All fields :-) */
339
340 msg = ldb_msg_new(frame);
341 if (!msg) {
342 return false;
343 }
344
345 msg->dn = dn;
346
347 /* build modify request */
348 ret = ldb_build_mod_req(&req, state->ldb, frame, msg, NULL, NULL,
349 ldb_op_default_callback,
350 NULL);
351 if (ret != LDB_SUCCESS) {
352 talloc_free(frame);
353 return ret;
354 }
355
356 /* If we set a plaintext password, the system will
357 * force the pwdLastSet to now() */
358 if (need_update(sam, PDB_PASSLASTSET)) {
359 dsdb_flags = DSDB_PASSWORD_BYPASS_LAST_SET;
360
361 ret |= pdb_samba_dsdb_add_time(msg, "pwdLastSet",
362 pdb_get_pass_last_set_time(sam));
363 }
364
365 pw = pdb_get_plaintext_passwd(sam);
366 if (need_update(sam, PDB_PLAINTEXT_PW)) {
367 struct ldb_val pw_utf16;
368 if (pw == NULL) {
369 talloc_free(frame);
370 return LDB_ERR_OPERATIONS_ERROR;
371 }
372
373 if (!convert_string_talloc(msg,
374 CH_UNIX, CH_UTF16,
375 pw, strlen(pw),
376 (void *)&pw_utf16.data,
377 &pw_utf16.length)) {
378 return LDB_ERR_OPERATIONS_ERROR;
379 }
380 ret |= ldb_msg_add_value(msg, "clearTextPassword", &pw_utf16, NULL);
381 } else {
382 bool changed_lm_pw = false;
383 bool changed_nt_pw = false;
384 bool changed_history = false;
385 if (need_update(sam, PDB_LMPASSWD)) {
386 struct ldb_val val;
387 val.data = discard_const_p(uint8_t, pdb_get_lanman_passwd(sam));
388 if (!val.data) {
389 samdb_msg_add_delete(state->ldb, msg, msg,
390 "dBCSPwd");
391 } else {
392 val.length = LM_HASH_LEN;
393 ret |= ldb_msg_add_value(msg, "dBCSPwd", &val, NULL);
394 }
395 changed_lm_pw = true;
396 }
397 if (need_update(sam, PDB_NTPASSWD)) {
398 struct ldb_val val;
399 val.data = discard_const_p(uint8_t, pdb_get_nt_passwd(sam));
400 if (!val.data) {
401 samdb_msg_add_delete(state->ldb, msg, msg,
402 "unicodePwd");
403 } else {
404 val.length = NT_HASH_LEN;
405 ret |= ldb_msg_add_value(msg, "unicodePwd", &val, NULL);
406 }
407 changed_nt_pw = true;
408 }
409
410 /* Try to ensure we don't get out of sync */
411 if (changed_lm_pw && !changed_nt_pw) {
412 samdb_msg_add_delete(state->ldb, msg, msg,
413 "unicodePwd");
414 } else if (changed_nt_pw && !changed_lm_pw) {
415 samdb_msg_add_delete(state->ldb, msg, msg,
416 "dBCSPwd");
417 }
418 if (changed_lm_pw || changed_nt_pw) {
419 samdb_msg_add_delete(state->ldb, msg, msg,
420 "supplementalCredentials");
421
422 }
423
424 if (need_update(sam, PDB_PWHISTORY)) {
425 uint32_t current_hist_len;
426 const uint8_t *history = pdb_get_pw_history(sam, &current_hist_len);
427
428 bool invalid_history = false;
429 struct samr_Password *history_hashes = talloc_array(talloc_tos(), struct samr_Password,
430 current_hist_len);
431 if (!history) {
432 invalid_history = true;
433 } else {
434 unsigned int i;
435 static const uint8_t zeros[16];
436 /* Parse the history into the correct format */
437 for (i = 0; i < current_hist_len; i++) {
438 if (memcmp(&history[i*PW_HISTORY_ENTRY_LEN], zeros, 16) != 0) {
439 /* If the history is in the old format, with a salted hash, then we can't migrate it to AD format */
440 invalid_history = true;
441 break;
442 }
443 /* Copy out the 2nd 16 bytes of the 32 byte password history, containing the NT hash */
444 memcpy(history_hashes[i].hash,
445 &history[(i*PW_HISTORY_ENTRY_LEN) + PW_HISTORY_SALT_LEN],
446 sizeof(history_hashes[i].hash));
447 }
448 }
449 if (invalid_history) {
450 ret |= samdb_msg_add_delete(state->ldb, msg, msg,
451 "ntPwdHistory");
452
453 ret |= samdb_msg_add_delete(state->ldb, msg, msg,
454 "lmPwdHistory");
455 } else {
456 ret |= samdb_msg_add_hashes(state->ldb, msg, msg,
457 "ntPwdHistory",
458 history_hashes,
459 current_hist_len);
460 }
461 changed_history = true;
462 }
463 if (changed_lm_pw || changed_nt_pw || changed_history) {
464 /* These attributes can only be modified directly by using a special control */
465 dsdb_flags = DSDB_BYPASS_PASSWORD_HASH;
466 }
467 }
468
469 /* PDB_USERSID is only allowed on ADD, handled in caller */
470 if (need_update(sam, PDB_GROUPSID)) {
471 const struct dom_sid *sid = pdb_get_group_sid(sam);
472 uint32_t rid;
473 NTSTATUS status = dom_sid_split_rid(NULL, sid, NULL, &rid);
474 if (!NT_STATUS_IS_OK(status)) {
475 talloc_free(frame);
476 return LDB_ERR_OPERATIONS_ERROR;
477 }
478 if (!dom_sid_in_domain(samdb_domain_sid(state->ldb), sid)) {
479 talloc_free(frame);
480 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
481 }
482 ret |= samdb_msg_add_uint(state->ldb, msg, msg, "primaryGroupID", rid);
483 }
484 if (need_update(sam, PDB_FULLNAME)) {
485 ret |= ldb_msg_add_string(msg, "displayName", pdb_get_fullname(sam));
486 }
487
488 if (need_update(sam, PDB_SMBHOME)) {
489 ret |= ldb_msg_add_string(msg, "homeDirectory",
490 pdb_get_homedir(sam));
491 }
492
493 if (need_update(sam, PDB_PROFILE)) {
494 ret |= ldb_msg_add_string(msg, "profilePath",
495 pdb_get_profile_path(sam));
496 }
497
498 if (need_update(sam, PDB_DRIVE)) {
499 ret |= ldb_msg_add_string(msg, "homeDrive",
500 pdb_get_dir_drive(sam));
501 }
502
503 if (need_update(sam, PDB_LOGONSCRIPT)) {
504 ret |= ldb_msg_add_string(msg, "scriptPath",
505 pdb_get_logon_script(sam));
506 }
507
508 if (need_update(sam, PDB_KICKOFFTIME)) {
509 ret |= pdb_samba_dsdb_add_time(msg, "accountExpires",
510 pdb_get_kickoff_time(sam));
511 }
512
513 if (need_update(sam, PDB_LOGONTIME)) {
514 ret |= pdb_samba_dsdb_add_time(msg, "lastLogon",
515 pdb_get_logon_time(sam));
516 }
517
518 if (need_update(sam, PDB_LOGOFFTIME)) {
519 ret |= pdb_samba_dsdb_add_time(msg, "lastLogoff",
520 pdb_get_logoff_time(sam));
521 }
522
523 if (need_update(sam, PDB_USERNAME)) {
524 ret |= ldb_msg_add_string(msg, "samAccountName",
525 pdb_get_username(sam));
526 }
527
528 if (need_update(sam, PDB_HOURSLEN) || need_update(sam, PDB_HOURS)) {
529 struct ldb_val hours = data_blob_const(pdb_get_hours(sam), pdb_get_hours_len(sam));
530 ret |= ldb_msg_add_value(msg, "logonHours",
531 &hours, NULL);
532 }
533
534 if (need_update(sam, PDB_ACCTCTRL)) {
535 ret |= samdb_msg_add_acct_flags(state->ldb, msg, msg,
536 "userAccountControl", pdb_get_acct_ctrl(sam));
537 }
538
539 if (need_update(sam, PDB_COMMENT)) {
540 ret |= ldb_msg_add_string(msg, "comment",
541 pdb_get_comment(sam));
542 }
543
544 if (need_update(sam, PDB_ACCTDESC)) {
545 ret |= ldb_msg_add_string(msg, "description",
546 pdb_get_acct_desc(sam));
547 }
548
549 if (need_update(sam, PDB_WORKSTATIONS)) {
550 ret |= ldb_msg_add_string(msg, "userWorkstations",
551 pdb_get_workstations(sam));
552 }
553
554 /* This will need work, it is actually a UTF8 'string' with internal NULLs, to handle TS parameters */
555 if (need_update(sam, PDB_MUNGEDDIAL)) {
556 ret |= ldb_msg_add_string(msg, "userParameters",
557 pdb_get_munged_dial(sam));
558 }
559
560 if (need_update(sam, PDB_COUNTRY_CODE)) {
561 ret |= ldb_msg_add_fmt(msg, "countryCode",
562 "%i", (int)pdb_get_country_code(sam));
563 }
564
565 if (need_update(sam, PDB_CODE_PAGE)) {
566 ret |= ldb_msg_add_fmt(msg, "codePage",
567 "%i", (int)pdb_get_code_page(sam));
568 }
569
570 /* Not yet handled here or not meaningful for modifies on a Samba_Dsdb backend:
571 PDB_BAD_PASSWORD_TIME,
572 PDB_CANCHANGETIME, - these are calculated per policy, not stored
573 PDB_DOMAIN,
574 PDB_NTUSERNAME, - this makes no sense, and never really did
575 PDB_LOGONDIVS,
576 PDB_USERSID, - Handled in pdb_samba_dsdb_add_sam_account()
577 PDB_FIELDS_PRESENT,
578 PDB_BAD_PASSWORD_COUNT,
579 PDB_LOGON_COUNT,
580 PDB_UNKNOWN6,
581 PDB_BACKEND_PRIVATE_DATA,
582
583 */
584 if (ret != LDB_SUCCESS) {
585 talloc_free(frame);
586 return LDB_ERR_OPERATIONS_ERROR;
587 }
588
589 if (msg->num_elements == 0) {
590 talloc_free(frame);
591 /* Nothing to do, just return success */
592 return LDB_SUCCESS;
593 }
594
595 ret = dsdb_replace(state->ldb, msg, dsdb_flags);
596
597 if (ret != LDB_SUCCESS) {
598 DEBUG(0,("Failed to modify account record %s to set user attributes: %s\n",
599 ldb_dn_get_linearized(msg->dn),
600 ldb_errstring(state->ldb)));
601 }
602
603 talloc_free(frame);
604 return ret;
605 }
606
607 static NTSTATUS pdb_samba_dsdb_getsamupriv(struct pdb_samba_dsdb_state *state,
608 const char *filter,
609 TALLOC_CTX *mem_ctx,
610 struct ldb_message **msg)
611 {
612 const char * attrs[] = {
613 "lastLogon", "lastLogoff", "pwdLastSet", "accountExpires",
614 "sAMAccountName", "displayName", "homeDirectory",
615 "homeDrive", "scriptPath", "profilePath", "description",
616 "userWorkstations", "comment", "userParameters", "objectSid",
617 "primaryGroupID", "userAccountControl",
618 "msDS-User-Account-Control-Computed", "logonHours",
619 "badPwdCount", "logonCount", "countryCode", "codePage",
620 "unicodePwd", "dBCSPwd", NULL };
621
622 int rc = dsdb_search_one(state->ldb, mem_ctx, msg, ldb_get_default_basedn(state->ldb), LDB_SCOPE_SUBTREE, attrs, 0, "%s", filter);
623 if (rc != LDB_SUCCESS) {
624 DEBUG(10, ("ldap_search failed %s\n",
625 ldb_errstring(state->ldb)));
626 return NT_STATUS_LDAP(rc);
627 }
628
629 return NT_STATUS_OK;
630 }
631
632 static NTSTATUS pdb_samba_dsdb_getsampwfilter(struct pdb_methods *m,
633 struct pdb_samba_dsdb_state *state,
634 struct samu *sam_acct,
635 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(4, 5)
636 {
637 struct ldb_message *priv;
638 NTSTATUS status;
639 va_list ap;
640 char *expression = NULL;
641 TALLOC_CTX *tmp_ctx = talloc_new(state);
642 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
643
644 va_start(ap, exp_fmt);
645 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
646 va_end(ap);
647
648 if (!expression) {
649 talloc_free(tmp_ctx);
650 return NT_STATUS_NO_MEMORY;
651 }
652
653 status = pdb_samba_dsdb_getsamupriv(state, expression, sam_acct, &priv);
654 talloc_free(tmp_ctx);
655 if (!NT_STATUS_IS_OK(status)) {
656 DEBUG(10, ("pdb_samba_dsdb_getsamupriv failed: %s\n",
657 nt_errstr(status)));
658 return status;
659 }
660
661 status = pdb_samba_dsdb_init_sam_from_priv(m, sam_acct, priv);
662 if (!NT_STATUS_IS_OK(status)) {
663 DEBUG(10, ("pdb_samba_dsdb_init_sam_from_priv failed: %s\n",
664 nt_errstr(status)));
665 TALLOC_FREE(priv);
666 return status;
667 }
668
669 pdb_set_backend_private_data(sam_acct, priv, NULL, m, PDB_SET);
670 return NT_STATUS_OK;
671 }
672
673 static NTSTATUS pdb_samba_dsdb_getsampwnam(struct pdb_methods *m,
674 struct samu *sam_acct,
675 const char *username)
676 {
677 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
678 m->private_data, struct pdb_samba_dsdb_state);
679
680 return pdb_samba_dsdb_getsampwfilter(m, state, sam_acct,
681 "(&(samaccountname=%s)(objectclass=user))",
682 username);
683 }
684
685 static NTSTATUS pdb_samba_dsdb_getsampwsid(struct pdb_methods *m,
686 struct samu *sam_acct,
687 const struct dom_sid *sid)
688 {
689 NTSTATUS status;
690 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
691 m->private_data, struct pdb_samba_dsdb_state);
692 char *sidstr;
693
694 sidstr = dom_sid_string(talloc_tos(), sid);
695 NT_STATUS_HAVE_NO_MEMORY(sidstr);
696
697 status = pdb_samba_dsdb_getsampwfilter(m, state, sam_acct,
698 "(&(objectsid=%s)(objectclass=user))",
699 sidstr);
700 talloc_free(sidstr);
701 return status;
702 }
703
704 static NTSTATUS pdb_samba_dsdb_create_user(struct pdb_methods *m,
705 TALLOC_CTX *mem_ctx,
706 const char *name, uint32 acct_flags,
707 uint32 *rid)
708 {
709 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
710 m->private_data, struct pdb_samba_dsdb_state);
711 struct dom_sid *sid;
712 struct ldb_dn *dn;
713 NTSTATUS status;
714 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
715 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
716
717 /* Internally this uses transactions to ensure all the steps
718 * happen or fail as one */
719 status = dsdb_add_user(state->ldb, tmp_ctx, name, acct_flags, NULL,
720 &sid, &dn);
721 if (!NT_STATUS_IS_OK(status)) {
722 talloc_free(tmp_ctx);
723 return status;
724 }
725 sid_peek_rid(sid, rid);
726 talloc_free(tmp_ctx);
727 return NT_STATUS_OK;
728 }
729
730 static NTSTATUS pdb_samba_dsdb_delete_user(struct pdb_methods *m,
731 TALLOC_CTX *mem_ctx,
732 struct samu *sam)
733 {
734 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
735 m->private_data, struct pdb_samba_dsdb_state);
736 struct ldb_dn *dn;
737 int rc;
738 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
739 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
740
741 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, pdb_get_user_sid(sam)));
742 if (!dn || !ldb_dn_validate(dn)) {
743 talloc_free(tmp_ctx);
744 return NT_STATUS_NO_MEMORY;
745 }
746 rc = ldb_delete(state->ldb, dn);
747
748 if (rc != LDB_SUCCESS) {
749 DEBUG(10, ("ldb_delete for %s failed: %s\n", ldb_dn_get_linearized(dn),
750 ldb_errstring(state->ldb)));
751 talloc_free(tmp_ctx);
752 return NT_STATUS_LDAP(rc);
753 }
754 talloc_free(tmp_ctx);
755 return NT_STATUS_OK;
756 }
757
758 /* This interface takes a fully populated struct samu and places it in
759 * the database. This is not implemented at this time as we need to
760 * be careful around the creation of arbitary SIDs (ie, we must ensrue
761 * they are not left in a RID pool */
762 static NTSTATUS pdb_samba_dsdb_add_sam_account(struct pdb_methods *m,
763 struct samu *sampass)
764 {
765 int ret;
766 NTSTATUS status;
767 struct ldb_dn *dn;
768 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
769 m->private_data, struct pdb_samba_dsdb_state);
770 uint32_t acb_flags = pdb_get_acct_ctrl(sampass);
771 const char *username = pdb_get_username(sampass);
772 const struct dom_sid *user_sid = pdb_get_user_sid(sampass);
773 TALLOC_CTX *tframe = talloc_stackframe();
774
775 acb_flags &= (ACB_NORMAL|ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST);
776
777 ret = ldb_transaction_start(state->ldb);
778 if (ret != LDB_SUCCESS) {
779 talloc_free(tframe);
780 return NT_STATUS_LOCK_NOT_GRANTED;
781 }
782
783 status = dsdb_add_user(state->ldb, talloc_tos(), username,
784 acb_flags, user_sid, NULL, &dn);
785 if (!NT_STATUS_IS_OK(status)) {
786 ldb_transaction_cancel(state->ldb);
787 talloc_free(tframe);
788 return status;
789 }
790
791 ret = pdb_samba_dsdb_replace_by_sam(state, pdb_element_is_set_or_changed,
792 dn, sampass);
793 if (ret != LDB_SUCCESS) {
794 ldb_transaction_cancel(state->ldb);
795 talloc_free(tframe);
796 return dsdb_ldb_err_to_ntstatus(ret);
797 }
798
799 ret = ldb_transaction_commit(state->ldb);
800 if (ret != LDB_SUCCESS) {
801 DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n",
802 ldb_dn_get_linearized(dn),
803 ldb_errstring(state->ldb)));
804 talloc_free(tframe);
805 return NT_STATUS_INTERNAL_DB_CORRUPTION;
806 }
807 talloc_free(tframe);
808 return NT_STATUS_OK;
809 }
810
811 /*
812 * Update the Samba_Dsdb LDB with the changes from a struct samu.
813 *
814 * This takes care not to update elements that have not been changed
815 * by the caller
816 */
817 static NTSTATUS pdb_samba_dsdb_update_sam_account(struct pdb_methods *m,
818 struct samu *sam)
819 {
820 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
821 m->private_data, struct pdb_samba_dsdb_state);
822 struct ldb_message *msg = pdb_samba_dsdb_get_samu_private(
823 m, sam);
824 int ret;
825
826 ret = pdb_samba_dsdb_replace_by_sam(state, pdb_element_is_changed, msg->dn,
827 sam);
828 return dsdb_ldb_err_to_ntstatus(ret);
829 }
830
831 static NTSTATUS pdb_samba_dsdb_delete_sam_account(struct pdb_methods *m,
832 struct samu *username)
833 {
834 NTSTATUS status;
835 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
836 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
837 status = pdb_samba_dsdb_delete_user(m, tmp_ctx, username);
838 talloc_free(tmp_ctx);
839 return status;
840 }
841
842 static NTSTATUS pdb_samba_dsdb_rename_sam_account(struct pdb_methods *m,
843 struct samu *oldname,
844 const char *newname)
845 {
846 return NT_STATUS_NOT_IMPLEMENTED;
847 }
848
849 /* This is not implemented, as this module is exptected to be used
850 * with auth_samba_dsdb, and this is responible for login counters etc
851 *
852 */
853 static NTSTATUS pdb_samba_dsdb_update_login_attempts(struct pdb_methods *m,
854 struct samu *sam_acct,
855 bool success)
856 {
857 return NT_STATUS_NOT_IMPLEMENTED;
858 }
859
860 static NTSTATUS pdb_samba_dsdb_getgrfilter(struct pdb_methods *m, GROUP_MAP *map,
861 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(4, 5)
862 {
863 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
864 m->private_data, struct pdb_samba_dsdb_state);
865 const char *attrs[] = { "objectSid", "description", "samAccountName", "groupType",
866 NULL };
867 struct ldb_message *msg;
868 va_list ap;
869 char *expression = NULL;
870 struct dom_sid *sid;
871 const char *str;
872 int rc;
873 struct id_map id_map;
874 struct id_map *id_maps[2];
875 TALLOC_CTX *tmp_ctx = talloc_stackframe();
876 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
877
878 va_start(ap, exp_fmt);
879 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
880 va_end(ap);
881
882 if (!expression) {
883 talloc_free(tmp_ctx);
884 return NT_STATUS_NO_MEMORY;
885 }
886
887 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, ldb_get_default_basedn(state->ldb), LDB_SCOPE_SUBTREE, attrs, 0, "%s", expression);
888 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
889 talloc_free(tmp_ctx);
890 return NT_STATUS_NO_SUCH_GROUP;
891 } else if (rc != LDB_SUCCESS) {
892 talloc_free(tmp_ctx);
893 DEBUG(10, ("dsdb_search_one failed %s\n",
894 ldb_errstring(state->ldb)));
895 return NT_STATUS_LDAP(rc);
896 }
897
898 sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
899 if (!sid) {
900 talloc_free(tmp_ctx);
901 DEBUG(10, ("Could not pull SID\n"));
902 return NT_STATUS_INTERNAL_DB_CORRUPTION;
903 }
904
905 map->sid = *sid;
906
907 if (samdb_find_attribute(state->ldb, msg, "objectClass", "group")) {
908 NTSTATUS status;
909 uint32_t grouptype = ldb_msg_find_attr_as_uint(msg, "groupType", 0);
910 switch (grouptype) {
911 case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP:
912 case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP:
913 map->sid_name_use = SID_NAME_ALIAS;
914 break;
915 case GTYPE_SECURITY_GLOBAL_GROUP:
916 map->sid_name_use = SID_NAME_DOM_GRP;
917 break;
918 default:
919 talloc_free(tmp_ctx);
920 DEBUG(10, ("Could not pull groupType\n"));
921 return NT_STATUS_INTERNAL_DB_CORRUPTION;
922 }
923
924 map->sid_name_use = SID_NAME_DOM_GRP;
925
926 ZERO_STRUCT(id_map);
927 id_map.sid = sid;
928 id_maps[0] = &id_map;
929 id_maps[1] = NULL;
930
931 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
932 talloc_free(tmp_ctx);
933 if (!NT_STATUS_IS_OK(status)) {
934 talloc_free(tmp_ctx);
935 return status;
936 }
937 if (id_map.xid.type == ID_TYPE_GID || id_map.xid.type == ID_TYPE_BOTH) {
938 map->gid = id_map.xid.id;
939 } else {
940 DEBUG(1, (__location__ "Did not get GUID when mapping SID for %s", expression));
941 talloc_free(tmp_ctx);
942 return NT_STATUS_INTERNAL_DB_CORRUPTION;
943 }
944 } else if (samdb_find_attribute(state->ldb, msg, "objectClass", "user")) {
945 DEBUG(1, (__location__ "Got SID_NAME_USER when searching for a group with %s", expression));
946 talloc_free(tmp_ctx);
947 return NT_STATUS_INTERNAL_DB_CORRUPTION;
948 }
949
950 str = ldb_msg_find_attr_as_string(msg, "samAccountName",
951 NULL);
952 if (str == NULL) {
953 talloc_free(tmp_ctx);
954 return NT_STATUS_INTERNAL_DB_CORRUPTION;
955 }
956 map->nt_name = talloc_strdup(map, str);
957 if (!map->nt_name) {
958 talloc_free(tmp_ctx);
959 return NT_STATUS_NO_MEMORY;
960 }
961
962 str = ldb_msg_find_attr_as_string(msg, "description",
963 NULL);
964 if (str != NULL) {
965 map->comment = talloc_strdup(map, str);
966 } else {
967 map->comment = talloc_strdup(map, "");
968 }
969 if (!map->comment) {
970 talloc_free(tmp_ctx);
971 return NT_STATUS_NO_MEMORY;
972 }
973
974 talloc_free(tmp_ctx);
975 return NT_STATUS_OK;
976 }
977
978 static NTSTATUS pdb_samba_dsdb_getgrsid(struct pdb_methods *m, GROUP_MAP *map,
979 struct dom_sid sid)
980 {
981 char *filter;
982 NTSTATUS status;
983
984 filter = talloc_asprintf(talloc_tos(),
985 "(&(objectsid=%s)(objectclass=group))",
986 sid_string_talloc(talloc_tos(), &sid));
987 if (filter == NULL) {
988 return NT_STATUS_NO_MEMORY;
989 }
990
991 status = pdb_samba_dsdb_getgrfilter(m, map, filter);
992 TALLOC_FREE(filter);
993 return status;
994 }
995
996 static NTSTATUS pdb_samba_dsdb_getgrgid(struct pdb_methods *m, GROUP_MAP *map,
997 gid_t gid)
998 {
999 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1000 m->private_data, struct pdb_samba_dsdb_state);
1001 NTSTATUS status;
1002 struct id_map id_map;
1003 struct id_map *id_maps[2];
1004 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1005 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1006
1007 id_map.xid.id = gid;
1008 id_map.xid.type = ID_TYPE_GID;
1009 id_maps[0] = &id_map;
1010 id_maps[1] = NULL;
1011
1012 status = idmap_xids_to_sids(state->idmap_ctx, tmp_ctx, id_maps);
1013 if (!NT_STATUS_IS_OK(status)) {
1014 return status;
1015 }
1016 status = pdb_samba_dsdb_getgrsid(m, map, *id_map.sid);
1017 talloc_free(tmp_ctx);
1018 return status;
1019 }
1020
1021 static NTSTATUS pdb_samba_dsdb_getgrnam(struct pdb_methods *m, GROUP_MAP *map,
1022 const char *name)
1023 {
1024 char *filter;
1025 NTSTATUS status;
1026
1027 filter = talloc_asprintf(talloc_tos(),
1028 "(&(samaccountname=%s)(objectclass=group))",
1029 name);
1030 if (filter == NULL) {
1031 return NT_STATUS_NO_MEMORY;
1032 }
1033
1034 status = pdb_samba_dsdb_getgrfilter(m, map, filter);
1035 TALLOC_FREE(filter);
1036 return status;
1037 }
1038
1039 static NTSTATUS pdb_samba_dsdb_create_dom_group(struct pdb_methods *m,
1040 TALLOC_CTX *mem_ctx, const char *name,
1041 uint32 *rid)
1042 {
1043 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1044 m->private_data, struct pdb_samba_dsdb_state);
1045 NTSTATUS status;
1046 struct dom_sid *sid;
1047 struct ldb_dn *dn;
1048 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1049 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1050
1051 status = dsdb_add_domain_group(state->ldb, tmp_ctx, name, &sid, &dn);
1052 if (!NT_STATUS_IS_OK(status)) {
1053 talloc_free(tmp_ctx);
1054 return status;
1055 }
1056
1057 sid_peek_rid(sid, rid);
1058 talloc_free(tmp_ctx);
1059 return NT_STATUS_OK;
1060 }
1061
1062 static NTSTATUS pdb_samba_dsdb_delete_dom_group(struct pdb_methods *m,
1063 TALLOC_CTX *mem_ctx, uint32 rid)
1064 {
1065 const char *attrs[] = { NULL };
1066 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1067 m->private_data, struct pdb_samba_dsdb_state);
1068 struct dom_sid sid;
1069 struct ldb_message *msg;
1070 struct ldb_dn *dn;
1071 int rc;
1072 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1073 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1074
1075 sid_compose(&sid, samdb_domain_sid(state->ldb), rid);
1076
1077 if (ldb_transaction_start(state->ldb) != LDB_SUCCESS) {
1078 DEBUG(0, ("Unable to start transaction in pdb_samba_dsdb_delete_dom_group()\n"));
1079 return NT_STATUS_INTERNAL_ERROR;
1080 }
1081
1082 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, &sid));
1083 if (!dn || !ldb_dn_validate(dn)) {
1084 talloc_free(tmp_ctx);
1085 ldb_transaction_cancel(state->ldb);
1086 return NT_STATUS_NO_MEMORY;
1087 }
1088 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs, 0, "objectclass=group");
1089 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1090 talloc_free(tmp_ctx);
1091 ldb_transaction_cancel(state->ldb);
1092 return NT_STATUS_NO_SUCH_GROUP;
1093 }
1094 rc = ldb_delete(state->ldb, dn);
1095 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1096 talloc_free(tmp_ctx);
1097 ldb_transaction_cancel(state->ldb);
1098 return NT_STATUS_NO_SUCH_GROUP;
1099 } else if (rc != LDB_SUCCESS) {
1100 DEBUG(10, ("ldb_delete failed %s\n",
1101 ldb_errstring(state->ldb)));
1102 ldb_transaction_cancel(state->ldb);
1103 return NT_STATUS_LDAP(rc);
1104 }
1105
1106 if (ldb_transaction_commit(state->ldb) != LDB_SUCCESS) {
1107 DEBUG(0, ("Unable to commit transaction in pdb_samba_dsdb_delete_dom_group()\n"));
1108 return NT_STATUS_INTERNAL_ERROR;
1109 }
1110 return NT_STATUS_OK;
1111 }
1112
1113 static NTSTATUS pdb_samba_dsdb_add_group_mapping_entry(struct pdb_methods *m,
1114 GROUP_MAP *map)
1115 {
1116 return NT_STATUS_NOT_IMPLEMENTED;
1117 }
1118
1119 static NTSTATUS pdb_samba_dsdb_update_group_mapping_entry(struct pdb_methods *m,
1120 GROUP_MAP *map)
1121 {
1122 return NT_STATUS_NOT_IMPLEMENTED;
1123 }
1124
1125 static NTSTATUS pdb_samba_dsdb_delete_group_mapping_entry(struct pdb_methods *m,
1126 struct dom_sid sid)
1127 {
1128 return NT_STATUS_NOT_IMPLEMENTED;
1129 }
1130
1131 static NTSTATUS pdb_samba_dsdb_enum_group_mapping(struct pdb_methods *m,
1132 const struct dom_sid *sid,
1133 enum lsa_SidType sid_name_use,
1134 GROUP_MAP ***pp_rmap,
1135 size_t *p_num_entries,
1136 bool unix_only)
1137 {
1138 return NT_STATUS_NOT_IMPLEMENTED;
1139 }
1140
1141 static NTSTATUS pdb_samba_dsdb_enum_group_members(struct pdb_methods *m,
1142 TALLOC_CTX *mem_ctx,
1143 const struct dom_sid *group,
1144 uint32_t **pmembers,
1145 size_t *pnum_members)
1146 {
1147 unsigned int i, num_sids, num_members;
1148 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1149 m->private_data, struct pdb_samba_dsdb_state);
1150 struct dom_sid *members_as_sids;
1151 struct dom_sid *dom_sid;
1152 uint32_t *members;
1153 struct ldb_dn *dn;
1154 NTSTATUS status;
1155
1156 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1157 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1158
1159 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, group));
1160 if (!dn || !ldb_dn_validate(dn)) {
1161 return NT_STATUS_NO_MEMORY;
1162 }
1163
1164 status = dsdb_enum_group_mem(state->ldb, tmp_ctx, dn, &members_as_sids, &num_sids);
1165 if (!NT_STATUS_IS_OK(status)) {
1166 talloc_free(tmp_ctx);
1167 return status;
1168 }
1169 status = dom_sid_split_rid(tmp_ctx, group, &dom_sid, NULL);
1170 if (!NT_STATUS_IS_OK(status)) {
1171 talloc_free(tmp_ctx);
1172 return status;
1173 }
1174
1175 *pmembers = members = talloc_array(mem_ctx, uint32_t, num_sids);
1176 if (*pmembers == NULL) {
1177 TALLOC_FREE(tmp_ctx);
1178 return NT_STATUS_NO_MEMORY;
1179 }
1180 num_members = 0;
1181
1182 for (i = 0; i < num_sids; i++) {
1183 if (!dom_sid_in_domain(dom_sid, &members_as_sids[i])) {
1184 continue;
1185 }
1186 status = dom_sid_split_rid(NULL, &members_as_sids[i],
1187 NULL, &members[num_members]);
1188 if (!NT_STATUS_IS_OK(status)) {
1189 talloc_free(tmp_ctx);
1190 return status;
1191 }
1192 num_members++;
1193 }
1194 *pnum_members = num_members;
1195 return NT_STATUS_OK;
1196 }
1197
1198 /* Just convert the primary group SID into a group */
1199 static NTSTATUS fake_enum_group_memberships(struct pdb_samba_dsdb_state *state,
1200 TALLOC_CTX *mem_ctx,
1201 struct samu *user,
1202 struct dom_sid **pp_sids,
1203 gid_t **pp_gids,
1204 uint32_t *p_num_groups)
1205 {
1206 NTSTATUS status;
1207 size_t num_groups = 0;
1208 struct dom_sid *group_sids = NULL;
1209 gid_t *gids = NULL;
1210 TALLOC_CTX *tmp_ctx;
1211
1212 tmp_ctx = talloc_new(mem_ctx);
1213 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1214
1215 if (user->group_sid) {
1216 struct id_map *id_maps[2];
1217 struct id_map id_map;
1218
1219 num_groups = 1;
1220
1221 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_groups);
1222 if (group_sids == NULL) {
1223 talloc_free(tmp_ctx);
1224 return NT_STATUS_NO_MEMORY;
1225 }
1226 gids = talloc_array(tmp_ctx, gid_t, num_groups);
1227 if (gids == NULL) {
1228 talloc_free(tmp_ctx);
1229 return NT_STATUS_NO_MEMORY;
1230 }
1231
1232 group_sids[0] = *user->group_sid;
1233
1234 ZERO_STRUCT(id_map);
1235 id_map.sid = &group_sids[0];
1236 id_maps[0] = &id_map;
1237 id_maps[1] = NULL;
1238
1239 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
1240 if (!NT_STATUS_IS_OK(status)) {
1241 talloc_free(tmp_ctx);
1242 return status;
1243 }
1244 if (id_map.xid.type == ID_TYPE_GID || id_map.xid.type == ID_TYPE_BOTH) {
1245 gids[0] = id_map.xid.id;
1246 } else {
1247 DEBUG(1, (__location__
1248 "Group %s, of which %s is a member, could not be converted to a GID\n",
1249 dom_sid_string(tmp_ctx, &group_sids[0]),
1250 dom_sid_string(tmp_ctx, &user->user_sid)));
1251 talloc_free(tmp_ctx);
1252 /* We must error out, otherwise a user might
1253 * avoid a DENY acl based on a group they
1254 * missed out on */
1255 return NT_STATUS_NO_SUCH_GROUP;
1256 }
1257 }
1258
1259 *pp_sids = talloc_steal(mem_ctx, group_sids);
1260 *pp_gids = talloc_steal(mem_ctx, gids);
1261 *p_num_groups = num_groups;
1262 talloc_free(tmp_ctx);
1263 return NT_STATUS_OK;
1264 }
1265
1266 static NTSTATUS pdb_samba_dsdb_enum_group_memberships(struct pdb_methods *m,
1267 TALLOC_CTX *mem_ctx,
1268 struct samu *user,
1269 struct dom_sid **pp_sids,
1270 gid_t **pp_gids,
1271 uint32_t *p_num_groups)
1272 {
1273 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1274 m->private_data, struct pdb_samba_dsdb_state);
1275 struct ldb_message *msg = pdb_samba_dsdb_get_samu_private(
1276 m, user);
1277 const char *attrs[] = { "tokenGroups", NULL};
1278 struct ldb_message *tokengroups_msg;
1279 struct ldb_message_element *tokengroups;
1280 int i, rc;
1281 NTSTATUS status;
1282 unsigned int count = 0;
1283 size_t num_groups;
1284 struct dom_sid *group_sids;
1285 gid_t *gids;
1286 TALLOC_CTX *tmp_ctx;
1287
1288 if (msg == NULL) {
1289 /* Fake up some things here */
1290 return fake_enum_group_memberships(state,
1291 mem_ctx,
1292 user, pp_sids,
1293 pp_gids, p_num_groups);
1294 }
1295
1296 tmp_ctx = talloc_new(mem_ctx);
1297 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1298
1299 rc = dsdb_search_one(state->ldb, tmp_ctx, &tokengroups_msg, msg->dn, LDB_SCOPE_BASE, attrs, 0, NULL);
1300
1301 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1302 talloc_free(tmp_ctx);
1303 return NT_STATUS_NO_SUCH_USER;
1304 } else if (rc != LDB_SUCCESS) {
1305 DEBUG(10, ("dsdb_search_one failed %s\n",
1306 ldb_errstring(state->ldb)));
1307 talloc_free(tmp_ctx);
1308 return NT_STATUS_LDAP(rc);
1309 }
1310
1311 tokengroups = ldb_msg_find_element(tokengroups_msg, "tokenGroups");
1312
1313 if (tokengroups) {
1314 count = tokengroups->num_values;
1315 }
1316
1317 group_sids = talloc_array(tmp_ctx, struct dom_sid, count);
1318 if (group_sids == NULL) {
1319 talloc_free(tmp_ctx);
1320 return NT_STATUS_NO_MEMORY;
1321 }
1322 gids = talloc_array(tmp_ctx, gid_t, count);
1323 if (gids == NULL) {
1324 talloc_free(tmp_ctx);
1325 return NT_STATUS_NO_MEMORY;
1326 }
1327 num_groups = 0;
1328
1329 for (i=0; i<count; i++) {
1330 struct id_map *id_maps[2];
1331 struct id_map id_map;
1332 struct ldb_val *v = &tokengroups->values[i];
1333 enum ndr_err_code ndr_err
1334 = ndr_pull_struct_blob(v, group_sids, &group_sids[num_groups],
1335 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
1336 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1337 talloc_free(tmp_ctx);
1338 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1339 }
1340
1341 ZERO_STRUCT(id_map);
1342 id_map.sid = &group_sids[num_groups];
1343 id_maps[0] = &id_map;
1344 id_maps[1] = NULL;
1345
1346 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
1347 if (!NT_STATUS_IS_OK(status)) {
1348 talloc_free(tmp_ctx);
1349 return status;
1350 }
1351 if (id_map.xid.type == ID_TYPE_GID || id_map.xid.type == ID_TYPE_BOTH) {
1352 gids[num_groups] = id_map.xid.id;
1353 } else {
1354 DEBUG(1, (__location__
1355 "Group %s, of which %s is a member, could not be converted to a GID\n",
1356 dom_sid_string(tmp_ctx, &group_sids[num_groups]),
1357 ldb_dn_get_linearized(msg->dn)));
1358 talloc_free(tmp_ctx);
1359 /* We must error out, otherwise a user might
1360 * avoid a DENY acl based on a group they
1361 * missed out on */
1362 return NT_STATUS_NO_SUCH_GROUP;
1363 }
1364
1365 num_groups += 1;
1366 if (num_groups == count) {
1367 break;
1368 }
1369 }
1370
1371 *pp_sids = talloc_steal(mem_ctx, group_sids);
1372 *pp_gids = talloc_steal(mem_ctx, gids);
1373 *p_num_groups = num_groups;
1374 talloc_free(tmp_ctx);
1375 return NT_STATUS_OK;
1376 }
1377
1378 static NTSTATUS pdb_samba_dsdb_set_unix_primary_group(struct pdb_methods *m,
1379 TALLOC_CTX *mem_ctx,
1380 struct samu *user)
1381 {
1382 return NT_STATUS_NOT_IMPLEMENTED;
1383 }
1384
1385 static NTSTATUS pdb_samba_dsdb_mod_groupmem_by_sid(struct pdb_methods *m,
1386 TALLOC_CTX *mem_ctx,
1387 const struct dom_sid *groupsid,
1388 const struct dom_sid *membersid,
1389 int mod_op)
1390 {
1391 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1392 m->private_data, struct pdb_samba_dsdb_state);
1393 struct ldb_message *msg;
1394 int ret;
1395 struct ldb_message_element *el;
1396 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1397 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1398 msg = ldb_msg_new(tmp_ctx);
1399 if (msg == NULL) {
1400 TALLOC_FREE(tmp_ctx);
1401 return NT_STATUS_NO_MEMORY;
1402 }
1403
1404 msg->dn = ldb_dn_new_fmt(msg, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, groupsid));
1405 if (!msg->dn || !ldb_dn_validate(msg->dn)) {
1406 talloc_free(tmp_ctx);
1407 return NT_STATUS_NO_MEMORY;
1408 }
1409 ret = ldb_msg_add_fmt(msg, "member", "<SID=%s>", dom_sid_string(tmp_ctx, membersid));
1410 if (ret != LDB_SUCCESS) {
1411 talloc_free(tmp_ctx);
1412 return NT_STATUS_NO_MEMORY;
1413 }
1414 el = ldb_msg_find_element(msg, "member");
1415 el->flags = mod_op;
1416
1417 /* No need for transactions here, the ldb auto-transaction
1418 * code will handle things for the single operation */
1419 ret = ldb_modify(state->ldb, msg);
1420 talloc_free(tmp_ctx);
1421 if (ret != LDB_SUCCESS) {
1422 DEBUG(10, ("ldb_modify failed: %s\n",
1423 ldb_errstring(state->ldb)));
1424 if (ret == LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS) {
1425 return NT_STATUS_MEMBER_IN_GROUP;
1426 }
1427 if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
1428 return NT_STATUS_MEMBER_NOT_IN_GROUP;
1429 }
1430 return NT_STATUS_LDAP(ret);
1431 }
1432
1433 return NT_STATUS_OK;
1434 }
1435
1436 static NTSTATUS pdb_samba_dsdb_mod_groupmem(struct pdb_methods *m,
1437 TALLOC_CTX *mem_ctx,
1438 uint32 grouprid, uint32 memberrid,
1439 int mod_op)
1440 {
1441 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1442 m->private_data, struct pdb_samba_dsdb_state);
1443 const struct dom_sid *dom_sid, *groupsid, *membersid;
1444 NTSTATUS status;
1445 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1446 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1447
1448 dom_sid = samdb_domain_sid(state->ldb);
1449
1450 groupsid = dom_sid_add_rid(tmp_ctx, dom_sid, grouprid);
1451 if (groupsid == NULL) {
1452 TALLOC_FREE(tmp_ctx);
1453 return NT_STATUS_NO_MEMORY;
1454 }
1455 membersid = dom_sid_add_rid(tmp_ctx, dom_sid, memberrid);
1456 if (membersid == NULL) {
1457 TALLOC_FREE(tmp_ctx);
1458 return NT_STATUS_NO_MEMORY;
1459 }
1460 status = pdb_samba_dsdb_mod_groupmem_by_sid(m, tmp_ctx, groupsid, membersid, mod_op);
1461 talloc_free(tmp_ctx);
1462 return status;
1463 }
1464
1465 static NTSTATUS pdb_samba_dsdb_add_groupmem(struct pdb_methods *m,
1466 TALLOC_CTX *mem_ctx,
1467 uint32 group_rid, uint32 member_rid)
1468 {
1469 return pdb_samba_dsdb_mod_groupmem(m, mem_ctx, group_rid, member_rid,
1470 LDB_FLAG_MOD_ADD);
1471 }
1472
1473 static NTSTATUS pdb_samba_dsdb_del_groupmem(struct pdb_methods *m,
1474 TALLOC_CTX *mem_ctx,
1475 uint32 group_rid, uint32 member_rid)
1476 {
1477 return pdb_samba_dsdb_mod_groupmem(m, mem_ctx, group_rid, member_rid,
1478 LDB_FLAG_MOD_DELETE);
1479 }
1480
1481 static NTSTATUS pdb_samba_dsdb_create_alias(struct pdb_methods *m,
1482 const char *name, uint32 *rid)
1483 {
1484 TALLOC_CTX *frame = talloc_stackframe();
1485 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1486 m->private_data, struct pdb_samba_dsdb_state);
1487 struct dom_sid *sid;
1488
1489 struct ldb_dn *dn;
1490 NTSTATUS status;
1491
1492 /* Internally this uses transactions to ensure all the steps
1493 * happen or fail as one */
1494 status = dsdb_add_domain_alias(state->ldb, frame, name, &sid, &dn);
1495 if (!NT_STATUS_IS_OK(status)) {
1496 TALLOC_FREE(frame);
1497 }
1498
1499 sid_peek_rid(sid, rid);
1500 TALLOC_FREE(frame);
1501 return NT_STATUS_OK;
1502 }
1503
1504 static NTSTATUS pdb_samba_dsdb_delete_alias(struct pdb_methods *m,
1505 const struct dom_sid *sid)
1506 {
1507 const char *attrs[] = { NULL };
1508 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1509 m->private_data, struct pdb_samba_dsdb_state);
1510 struct ldb_message *msg;
1511 struct ldb_dn *dn;
1512 int rc;
1513 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1514 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1515
1516 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, sid));
1517 if (!dn || !ldb_dn_validate(dn)) {
1518 talloc_free(tmp_ctx);
1519 return NT_STATUS_NO_MEMORY;
1520 }
1521
1522 if (ldb_transaction_start(state->ldb) != LDB_SUCCESS) {
1523 DEBUG(0, ("Failed to start transaction in dsdb_add_domain_alias(): %s\n", ldb_errstring(state->ldb)));
1524 return NT_STATUS_INTERNAL_ERROR;
1525 }
1526
1527 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs, 0, "(objectclass=group)"
1528 "(|(grouptype=%d)(grouptype=%d)))",
1529 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
1530 GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
1531 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1532 talloc_free(tmp_ctx);
1533 ldb_transaction_cancel(state->ldb);
1534 return NT_STATUS_NO_SUCH_ALIAS;
1535 }
1536 rc = ldb_delete(state->ldb, dn);
1537 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1538 talloc_free(tmp_ctx);
1539 ldb_transaction_cancel(state->ldb);
1540 return NT_STATUS_NO_SUCH_ALIAS;
1541 } else if (rc != LDB_SUCCESS) {
1542 DEBUG(10, ("ldb_delete failed %s\n",
1543 ldb_errstring(state->ldb)));
1544 ldb_transaction_cancel(state->ldb);
1545 return NT_STATUS_LDAP(rc);
1546 }
1547
1548 if (ldb_transaction_commit(state->ldb) != LDB_SUCCESS) {
1549 DEBUG(0, ("Failed to commit transaction in pdb_samba_dsdb_delete_alias(): %s\n",
1550 ldb_errstring(state->ldb)));
1551 return NT_STATUS_INTERNAL_ERROR;
1552 }
1553
1554 return NT_STATUS_OK;
1555 }
1556
1557 #if 0
1558 static NTSTATUS pdb_samba_dsdb_set_aliasinfo(struct pdb_methods *m,
1559 const struct dom_sid *sid,
1560 struct acct_info *info)
1561 {
1562 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1563 m->private_data, struct pdb_samba_dsdb_state);
1564 struct tldap_context *ld;
1565 const char *attrs[3] = { "objectSid", "description",
1566 "samAccountName" };
1567 struct ldb_message **msg;
1568 char *sidstr, *dn;
1569 int rc;
1570 struct tldap_mod *mods;
1571 int num_mods;
1572 bool ok;
1573
1574 ld = pdb_samba_dsdb_ld(state);
1575 if (ld == NULL) {
1576 return NT_STATUS_LDAP(TLDAP_SERVER_DOWN);
1577 }
1578
1579 sidstr = sid_binstring(talloc_tos(), sid);
1580 NT_STATUS_HAVE_NO_MEMORY(sidstr);
1581
1582 rc = pdb_samba_dsdb_search_fmt(state, state->domaindn, TLDAP_SCOPE_SUB,
1583 attrs, ARRAY_SIZE(attrs), 0, talloc_tos(),
1584 &msg, "(&(objectSid=%s)(objectclass=group)"
1585 "(|(grouptype=%d)(grouptype=%d)))",
1586 sidstr, GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
1587 GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
1588 TALLOC_FREE(sidstr)
1589 if (rc != LDB_SUCCESS) {
1590 DEBUG(10, ("ldap_search failed %s\n",
1591 ldb_errstring(state->ldb)));
1592 return NT_STATUS_LDAP(rc);
1593 }
1594 switch talloc_array_length(msg) {
1595 case 0:
1596 return NT_STATUS_NO_SUCH_ALIAS;
1597 case 1:
1598 break;
1599 default:
1600 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1601 }
1602
1603 if (!tldap_entry_dn(msg[0], &dn)) {
1604 TALLOC_FREE(msg);
1605 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1606 }
1607
1608 mods = NULL;
1609 num_mods = 0;
1610 ok = true;
1611
1612 ok &= tldap_make_mod_fmt(
1613 msg[0], msg, &num_mods, &mods, "description",
1614 "%s", info->acct_desc);
1615 ok &= tldap_make_mod_fmt(
1616 msg[0], msg, &num_mods, &mods, "samAccountName",
1617 "%s", info->acct_name);
1618 if (!ok) {
1619 TALLOC_FREE(msg);
1620 return NT_STATUS_NO_MEMORY;
1621 }
1622 if (num_mods == 0) {
1623 /* no change */
1624 TALLOC_FREE(msg);
1625 return NT_STATUS_OK;
1626 }
1627
1628 rc = tldap_modify(ld, dn, num_mods, mods, NULL, 0, NULL, 0);
1629 TALLOC_FREE(msg);
1630 if (rc != LDB_SUCCESS) {
1631 DEBUG(10, ("ldap_modify failed: %s\n",
1632 ldb_errstring(state->ldb)));
1633 return NT_STATUS_LDAP(rc);
1634 }
1635 return NT_STATUS_OK;
1636 }
1637 #endif
1638 static NTSTATUS pdb_samba_dsdb_add_aliasmem(struct pdb_methods *m,
1639 const struct dom_sid *alias,
1640 const struct dom_sid *member)
1641 {
1642 NTSTATUS status;
1643 TALLOC_CTX *frame = talloc_stackframe();
1644 status = pdb_samba_dsdb_mod_groupmem_by_sid(m, frame, alias, member, LDB_FLAG_MOD_ADD);
1645 talloc_free(frame);
1646 return status;
1647 }
1648
1649 static NTSTATUS pdb_samba_dsdb_del_aliasmem(struct pdb_methods *m,
1650 const struct dom_sid *alias,
1651 const struct dom_sid *member)
1652 {
1653 NTSTATUS status;
1654 TALLOC_CTX *frame = talloc_stackframe();
1655 status = pdb_samba_dsdb_mod_groupmem_by_sid(m, frame, alias, member, LDB_FLAG_MOD_DELETE);
1656 talloc_free(frame);
1657 return status;
1658 }
1659
1660 static NTSTATUS pdb_samba_dsdb_enum_aliasmem(struct pdb_methods *m,
1661 const struct dom_sid *alias,
1662 TALLOC_CTX *mem_ctx,
1663 struct dom_sid **pmembers,
1664 size_t *pnum_members)
1665 {
1666 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1667 m->private_data, struct pdb_samba_dsdb_state);
1668 struct ldb_dn *dn;
1669 unsigned int num_members;
1670 NTSTATUS status;
1671 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1672 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1673
1674 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, alias));
1675 if (!dn || !ldb_dn_validate(dn)) {
1676 return NT_STATUS_NO_MEMORY;
1677 }
1678
1679 status = dsdb_enum_group_mem(state->ldb, mem_ctx, dn, pmembers, &num_members);
1680 *pnum_members = num_members;
1681 if (NT_STATUS_IS_OK(status)) {
1682 talloc_steal(mem_ctx, pmembers);
1683 }
1684 talloc_free(tmp_ctx);
1685 return status;
1686 }
1687
1688 static NTSTATUS pdb_samba_dsdb_enum_alias_memberships(struct pdb_methods *m,
1689 TALLOC_CTX *mem_ctx,
1690 const struct dom_sid *domain_sid,
1691 const struct dom_sid *members,
1692 size_t num_members,
1693 uint32_t **palias_rids,
1694 size_t *pnum_alias_rids)
1695 {
1696 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1697 m->private_data, struct pdb_samba_dsdb_state);
1698 uint32_t *alias_rids = NULL;
1699 size_t num_alias_rids = 0;
1700 int i;
1701 struct dom_sid *groupSIDs = NULL;
1702 unsigned int num_groupSIDs = 0;
1703 char *filter;
1704 NTSTATUS status;
1705 const char *sid_string;
1706 const char *sid_dn;
1707 DATA_BLOB sid_blob;
1708
1709 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1710 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1711 /*
1712 * TODO: Get the filter right so that we only get the aliases from
1713 * either the SAM or BUILTIN
1714 */
1715
1716 filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
1717 GROUP_TYPE_BUILTIN_LOCAL_GROUP);
1718 if (filter == NULL) {
1719 return NT_STATUS_NO_MEMORY;
1720 }
1721
1722 for (i = 0; i < num_members; i++) {
1723 sid_string = dom_sid_string(tmp_ctx, &members[i]);
1724 if (sid_string == NULL) {
1725 TALLOC_FREE(tmp_ctx);
1726 return NT_STATUS_NO_MEMORY;
1727 }
1728
1729 sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
1730 if (sid_dn == NULL) {
1731 TALLOC_FREE(tmp_ctx);
1732 return NT_STATUS_NO_MEMORY;
1733 }
1734
1735 sid_blob = data_blob_string_const(sid_dn);
1736
1737 status = dsdb_expand_nested_groups(state->ldb, &sid_blob, true, filter,
1738 tmp_ctx, &groupSIDs, &num_groupSIDs);
1739 if (!NT_STATUS_IS_OK(status)) {
1740 talloc_free(tmp_ctx);
1741 return status;
1742 }
1743 }
1744
1745 alias_rids = talloc_array(mem_ctx, uint32_t, num_groupSIDs);
1746 if (alias_rids == NULL) {
1747 talloc_free(tmp_ctx);
1748 return NT_STATUS_NO_MEMORY;
1749 }
1750
1751 for (i=0; i<num_groupSIDs; i++) {
1752 if (sid_peek_check_rid(domain_sid, &groupSIDs[i],
1753 &alias_rids[num_alias_rids])) {
1754 num_alias_rids++;;
1755 }
1756 }
1757
1758 *palias_rids = alias_rids;
1759 *pnum_alias_rids = num_alias_rids;
1760 return NT_STATUS_OK;
1761 }
1762
1763 static NTSTATUS pdb_samba_dsdb_lookup_rids(struct pdb_methods *m,
1764 const struct dom_sid *domain_sid,
1765 int num_rids,
1766 uint32 *rids,
1767 const char **names,
1768 enum lsa_SidType *lsa_attrs)
1769 {
1770 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1771 m->private_data, struct pdb_samba_dsdb_state);
1772 NTSTATUS status;
1773
1774 TALLOC_CTX *tmp_ctx;
1775
1776 if (num_rids == 0) {
1777 return NT_STATUS_NONE_MAPPED;
1778 }
1779
1780 tmp_ctx = talloc_stackframe();
1781 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1782
1783 status = dsdb_lookup_rids(state->ldb, tmp_ctx, domain_sid, num_rids, rids, names, lsa_attrs);
1784 talloc_free(tmp_ctx);
1785 return status;
1786 }
1787
1788 static NTSTATUS pdb_samba_dsdb_lookup_names(struct pdb_methods *m,
1789 const struct dom_sid *domain_sid,
1790 int num_names,
1791 const char **pp_names,
1792 uint32 *rids,
1793 enum lsa_SidType *attrs)
1794 {
1795 return NT_STATUS_NOT_IMPLEMENTED;
1796 }
1797
1798 static NTSTATUS pdb_samba_dsdb_get_account_policy(struct pdb_methods *m,
1799 enum pdb_policy_type type,
1800 uint32_t *value)
1801 {
1802 return account_policy_get(type, value)
1803 ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1804 }
1805
1806 static NTSTATUS pdb_samba_dsdb_set_account_policy(struct pdb_methods *m,
1807 enum pdb_policy_type type,
1808 uint32_t value)
1809 {
1810 return account_policy_set(type, value)
1811 ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1812 }
1813
1814 static NTSTATUS pdb_samba_dsdb_get_seq_num(struct pdb_methods *m,
1815 time_t *seq_num_out)
1816 {
1817 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1818 m->private_data, struct pdb_samba_dsdb_state);
1819 uint64_t seq_num;
1820 int ret = ldb_sequence_number(state->ldb, LDB_SEQ_HIGHEST_SEQ, &seq_num);
1821 if (ret == LDB_SUCCESS) {
1822 *seq_num_out = seq_num;
1823 return NT_STATUS_OK;
1824 } else {
1825 return NT_STATUS_UNSUCCESSFUL;
1826 }
1827 }
1828
1829 struct pdb_samba_dsdb_search_state {
1830 uint32_t acct_flags;
1831 struct samr_displayentry *entries;
1832 uint32_t num_entries;
1833 ssize_t array_size;
1834 uint32_t current;
1835 };
1836
1837 static bool pdb_samba_dsdb_next_entry(struct pdb_search *search,
1838 struct samr_displayentry *entry)
1839 {
1840 struct pdb_samba_dsdb_search_state *state = talloc_get_type_abort(
1841 search->private_data, struct pdb_samba_dsdb_search_state);
1842
1843 if (state->current == state->num_entries) {
1844 return false;
1845 }
1846
1847 entry->idx = state->entries[state->current].idx;
1848 entry->rid = state->entries[state->current].rid;
1849 entry->acct_flags = state->entries[state->current].acct_flags;
1850
1851 entry->account_name = talloc_strdup(
1852 search, state->entries[state->current].account_name);
1853 entry->fullname = talloc_strdup(
1854 search, state->entries[state->current].fullname);
1855 entry->description = talloc_strdup(
1856 search, state->entries[state->current].description);
1857
1858 state->current += 1;
1859 return true;
1860 }
1861
1862 static void pdb_samba_dsdb_search_end(struct pdb_search *search)
1863 {
1864 struct pdb_samba_dsdb_search_state *state = talloc_get_type_abort(
1865 search->private_data, struct pdb_samba_dsdb_search_state);
1866 talloc_free(state);
1867 }
1868
1869 static bool pdb_samba_dsdb_search_filter(struct pdb_methods *m,
1870 struct pdb_search *search,
1871 struct pdb_samba_dsdb_search_state **pstate,
1872 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(4, 5)
1873 {
1874 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1875 m->private_data, struct pdb_samba_dsdb_state);
1876 struct pdb_samba_dsdb_search_state *sstate;
1877 const char * attrs[] = { "objectSid", "sAMAccountName", "displayName",
1878 "userAccountControl", "description", NULL };
1879 struct ldb_result *res;
1880 int i, rc, num_users;
1881
1882 va_list ap;
1883 char *expression = NULL;
1884
1885 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1886 if (!tmp_ctx) {
1887 return false;
1888 }
1889
1890 va_start(ap, exp_fmt);
1891 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
1892 va_end(ap);
1893
1894 if (!expression) {
1895 talloc_free(tmp_ctx);
1896 return LDB_ERR_OPERATIONS_ERROR;
1897 }
1898
1899 sstate = talloc_zero(tmp_ctx, struct pdb_samba_dsdb_search_state);
1900 if (sstate == NULL) {
1901 talloc_free(tmp_ctx);
1902 return false;
1903 }
1904
1905 rc = dsdb_search(state->ldb, tmp_ctx, &res, ldb_get_default_basedn(state->ldb), LDB_SCOPE_SUBTREE, attrs, 0, "%s", expression);
1906 if (rc != LDB_SUCCESS) {
1907 talloc_free(tmp_ctx);
1908 DEBUG(10, ("dsdb_search failed: %s\n",
1909 ldb_errstring(state->ldb)));
1910 return false;
1911 }
1912
1913 num_users = res->count;
1914
1915 sstate->entries = talloc_array(sstate, struct samr_displayentry,
1916 num_users);
1917 if (sstate->entries == NULL) {
1918 talloc_free(tmp_ctx);
1919 DEBUG(10, ("talloc failed\n"));
1920 return false;
1921 }
1922
1923 sstate->num_entries = 0;
1924
1925 for (i=0; i<num_users; i++) {
1926 struct samr_displayentry *e;
1927 struct dom_sid *sid;
1928
1929 e = &sstate->entries[sstate->num_entries];
1930
1931 e->idx = sstate->num_entries;
1932 sid = samdb_result_dom_sid(tmp_ctx, res->msgs[i], "objectSid");
1933 if (!sid) {
1934 talloc_free(tmp_ctx);
1935 DEBUG(10, ("Could not pull SID\n"));
1936 return false;
1937 }
1938 sid_peek_rid(sid, &e->rid);
1939
1940 e->acct_flags = samdb_result_acct_flags(res->msgs[i], "userAccountControl");
1941 e->account_name = ldb_msg_find_attr_as_string(
1942 res->msgs[i], "samAccountName", NULL);
1943 if (e->account_name == NULL) {
1944 talloc_free(tmp_ctx);
1945 return false;
1946 }
1947 e->fullname = ldb_msg_find_attr_as_string(
1948 res->msgs[i], "displayName", "");
1949 e->description = ldb_msg_find_attr_as_string(
1950 res->msgs[i], "description", "");
1951
1952 sstate->num_entries += 1;
1953 if (sstate->num_entries >= num_users) {
1954 break;
1955 }
1956 }
1957 talloc_steal(sstate->entries, res->msgs);
1958 search->private_data = talloc_steal(search, sstate);
1959 search->next_entry = pdb_samba_dsdb_next_entry;
1960 search->search_end = pdb_samba_dsdb_search_end;
1961 *pstate = sstate;
1962 talloc_free(tmp_ctx);
1963 return true;
1964 }
1965
1966 static bool pdb_samba_dsdb_search_users(struct pdb_methods *m,
1967 struct pdb_search *search,
1968 uint32 acct_flags)
1969 {
1970 struct pdb_samba_dsdb_search_state *sstate;
1971 bool ret;
1972
1973 ret = pdb_samba_dsdb_search_filter(m, search, &sstate, "(objectclass=user)");
1974 if (!ret) {
1975 return false;
1976 }
1977 sstate->acct_flags = acct_flags;
1978 return true;
1979 }
1980
1981 static bool pdb_samba_dsdb_search_groups(struct pdb_methods *m,
1982 struct pdb_search *search)
1983 {
1984 struct pdb_samba_dsdb_search_state *sstate;
1985 bool ret;
1986
1987 ret = pdb_samba_dsdb_search_filter(m, search, &sstate,
1988 "(&(grouptype=%d)(objectclass=group))",
1989 GTYPE_SECURITY_GLOBAL_GROUP);
1990 if (!ret) {
1991 return false;
1992 }
1993 sstate->acct_flags = 0;
1994 return true;
1995 }
1996
1997 static bool pdb_samba_dsdb_search_aliases(struct pdb_methods *m,
1998 struct pdb_search *search,
1999 const struct dom_sid *sid)
2000 {
2001 struct pdb_samba_dsdb_search_state *sstate;
2002 bool ret;
2003
2004 ret = pdb_samba_dsdb_search_filter(m, search, &sstate,
2005 "(&(grouptype=%d)(objectclass=group))",
2006 sid_check_is_builtin(sid)
2007 ? GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
2008 : GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
2009 if (!ret) {
2010 return false;
2011 }
2012 sstate->acct_flags = 0;
2013 return true;
2014 }
2015
2016 static bool pdb_samba_dsdb_uid_to_sid(struct pdb_methods *m, uid_t uid,
2017 struct dom_sid *sid)
2018 {
2019 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2020 m->private_data, struct pdb_samba_dsdb_state);
2021 NTSTATUS status;
2022 struct id_map id_map;
2023 struct id_map *id_maps[2];
2024 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2025 if (!tmp_ctx) {
2026 return false;
2027 }
2028
2029 id_map.xid.id = uid;
2030 id_map.xid.type = ID_TYPE_UID;
2031 id_maps[0] = &id_map;
2032 id_maps[1] = NULL;
2033
2034 status = idmap_xids_to_sids(state->idmap_ctx, tmp_ctx, id_maps);
2035 if (!NT_STATUS_IS_OK(status)) {
2036 talloc_free(tmp_ctx);
2037 return false;
2038 }
2039 *sid = *id_map.sid;
2040 talloc_free(tmp_ctx);
2041 return true;
2042 }
2043
2044 static bool pdb_samba_dsdb_gid_to_sid(struct pdb_methods *m, gid_t gid,
2045 struct dom_sid *sid)
2046 {
2047 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2048 m->private_data, struct pdb_samba_dsdb_state);
2049 NTSTATUS status;
2050 struct id_map id_map;
2051 struct id_map *id_maps[2];
2052 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2053 if (!tmp_ctx) {
2054 return false;
2055 }
2056
2057 id_map.xid.id = gid;
2058 id_map.xid.type = ID_TYPE_GID;
2059 id_maps[0] = &id_map;
2060 id_maps[1] = NULL;
2061
2062 status = idmap_xids_to_sids(state->idmap_ctx, tmp_ctx, id_maps);
2063 if (!NT_STATUS_IS_OK(status)) {
2064 return false;
2065 }
2066 *sid = *id_map.sid;
2067 talloc_free(tmp_ctx);
2068 return true;
2069 }
2070
2071 static bool pdb_samba_dsdb_sid_to_id(struct pdb_methods *m, const struct dom_sid *sid,
2072 struct unixid *id)
2073 {
2074 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2075 m->private_data, struct pdb_samba_dsdb_state);
2076 struct id_map id_map;
2077 struct id_map *id_maps[2];
2078 NTSTATUS status;
2079 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2080 if (!tmp_ctx) {
2081 return false;
2082 }
2083
2084 ZERO_STRUCT(id_map);
2085 id_map.sid = discard_const_p(struct dom_sid, sid);
2086 id_maps[0] = &id_map;
2087 id_maps[1] = NULL;
2088
2089 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
2090 talloc_free(tmp_ctx);
2091 if (!NT_STATUS_IS_OK(status)) {
2092 return false;
2093 }
2094 if (id_map.xid.type != ID_TYPE_NOT_SPECIFIED) {
2095 *id = id_map.xid;
2096 return true;
2097 }
2098 return false;
2099 }
2100
2101 static uint32_t pdb_samba_dsdb_capabilities(struct pdb_methods *m)
2102 {
2103 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS;
2104 }
2105
2106 static bool pdb_samba_dsdb_new_rid(struct pdb_methods *m, uint32 *rid)
2107 {
2108 return false;
2109 }
2110
2111 static bool pdb_samba_dsdb_get_trusteddom_pw(struct pdb_methods *m,
2112 const char *domain, char** pwd,
2113 struct dom_sid *sid,
2114 time_t *pass_last_set_time)
2115 {
2116 return false;
2117 }
2118
2119 static bool pdb_samba_dsdb_set_trusteddom_pw(struct pdb_methods *m,
2120 const char* domain, const char* pwd,
2121 const struct dom_sid *sid)
2122 {
2123 return false;
2124 }
2125
2126 static bool pdb_samba_dsdb_del_trusteddom_pw(struct pdb_methods *m,
2127 const char *domain)
2128 {
2129 return false;
2130 }
2131
2132 static NTSTATUS pdb_samba_dsdb_enum_trusteddoms(struct pdb_methods *m,
2133 TALLOC_CTX *mem_ctx,
2134 uint32 *num_domains,
2135 struct trustdom_info ***domains)
2136 {
2137 *num_domains = 0;
2138 *domains = NULL;
2139 return NT_STATUS_OK;
2140 }
2141
2142 static bool pdb_samba_dsdb_is_responsible_for_wellknown(struct pdb_methods *m)
2143 {
2144 return true;
2145 }
2146
2147 static void pdb_samba_dsdb_init_methods(struct pdb_methods *m)
2148 {
2149 m->name = "samba_dsdb";
2150 m->get_domain_info = pdb_samba_dsdb_get_domain_info;
2151 m->getsampwnam = pdb_samba_dsdb_getsampwnam;
2152 m->getsampwsid = pdb_samba_dsdb_getsampwsid;
2153 m->create_user = pdb_samba_dsdb_create_user;
2154 m->delete_user = pdb_samba_dsdb_delete_user;
2155 m->add_sam_account = pdb_samba_dsdb_add_sam_account;
2156 m->update_sam_account = pdb_samba_dsdb_update_sam_account;
2157 m->delete_sam_account = pdb_samba_dsdb_delete_sam_account;
2158 m->rename_sam_account = pdb_samba_dsdb_rename_sam_account;
2159 m->update_login_attempts = pdb_samba_dsdb_update_login_attempts;
2160 m->getgrsid = pdb_samba_dsdb_getgrsid;
2161 m->getgrgid = pdb_samba_dsdb_getgrgid;
2162 m->getgrnam = pdb_samba_dsdb_getgrnam;
2163 m->create_dom_group = pdb_samba_dsdb_create_dom_group;
2164 m->delete_dom_group = pdb_samba_dsdb_delete_dom_group;
2165 m->add_group_mapping_entry = pdb_samba_dsdb_add_group_mapping_entry;
2166 m->update_group_mapping_entry = pdb_samba_dsdb_update_group_mapping_entry;
2167 m->delete_group_mapping_entry = pdb_samba_dsdb_delete_group_mapping_entry;
2168 m->enum_group_mapping = pdb_samba_dsdb_enum_group_mapping;
2169 m->enum_group_members = pdb_samba_dsdb_enum_group_members;
2170 m->enum_group_memberships = pdb_samba_dsdb_enum_group_memberships;
2171 m->set_unix_primary_group = pdb_samba_dsdb_set_unix_primary_group;
2172 m->add_groupmem = pdb_samba_dsdb_add_groupmem;
2173 m->del_groupmem = pdb_samba_dsdb_del_groupmem;
2174 m->create_alias = pdb_samba_dsdb_create_alias;
2175 m->delete_alias = pdb_samba_dsdb_delete_alias;
2176 m->get_aliasinfo = pdb_default_get_aliasinfo;
2177 m->add_aliasmem = pdb_samba_dsdb_add_aliasmem;
2178 m->del_aliasmem = pdb_samba_dsdb_del_aliasmem;
2179 m->enum_aliasmem = pdb_samba_dsdb_enum_aliasmem;
2180 m->enum_alias_memberships = pdb_samba_dsdb_enum_alias_memberships;
2181 m->lookup_rids = pdb_samba_dsdb_lookup_rids;
2182 m->lookup_names = pdb_samba_dsdb_lookup_names;
2183 m->get_account_policy = pdb_samba_dsdb_get_account_policy;
2184 m->set_account_policy = pdb_samba_dsdb_set_account_policy;
2185 m->get_seq_num = pdb_samba_dsdb_get_seq_num;
2186 m->search_users = pdb_samba_dsdb_search_users;
2187 m->search_groups = pdb_samba_dsdb_search_groups;
2188 m->search_aliases = pdb_samba_dsdb_search_aliases;
2189 m->uid_to_sid = pdb_samba_dsdb_uid_to_sid;
2190 m->gid_to_sid = pdb_samba_dsdb_gid_to_sid;
2191 m->sid_to_id = pdb_samba_dsdb_sid_to_id;
2192 m->capabilities = pdb_samba_dsdb_capabilities;
2193 m->new_rid = pdb_samba_dsdb_new_rid;
2194 m->get_trusteddom_pw = pdb_samba_dsdb_get_trusteddom_pw;
2195 m->set_trusteddom_pw = pdb_samba_dsdb_set_trusteddom_pw;
2196 m->del_trusteddom_pw = pdb_samba_dsdb_del_trusteddom_pw;
2197 m->enum_trusteddoms = pdb_samba_dsdb_enum_trusteddoms;
2198 m->is_responsible_for_wellknown =
2199 pdb_samba_dsdb_is_responsible_for_wellknown;
2200 }
2201
2202 static void free_private_data(void **vp)
2203 {
2204 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2205 *vp, struct pdb_samba_dsdb_state);
2206 talloc_unlink(state, state->ldb);
2207 return;
2208 }
2209
2210 static NTSTATUS pdb_samba_dsdb_init_secrets(struct pdb_methods *m)
2211 {
2212 struct pdb_domain_info *dom_info;
2213 bool ret;
2214
2215 dom_info = pdb_samba_dsdb_get_domain_info(m, m);
2216 if (!dom_info) {
2217 return NT_STATUS_UNSUCCESSFUL;
2218 }
2219
2220 secrets_clear_domain_protection(dom_info->name);
2221 ret = secrets_store_domain_sid(dom_info->name,
2222 &dom_info->sid);
2223 if (!ret) {
2224 goto done;
2225 }
2226 ret = secrets_store_domain_guid(dom_info->name,
2227 &dom_info->guid);
2228 if (!ret) {
2229 goto done;
2230 }
2231 ret = secrets_mark_domain_protected(dom_info->name);
2232 if (!ret) {
2233 goto done;
2234 }
2235
2236 done:
2237 TALLOC_FREE(dom_info);
2238 if (!ret) {
2239 return NT_STATUS_UNSUCCESSFUL;
2240 }
2241 return NT_STATUS_OK;
2242 }
2243
2244 static NTSTATUS pdb_init_samba_dsdb(struct pdb_methods **pdb_method,
2245 const char *location)
2246 {
2247 struct pdb_methods *m;
2248 struct pdb_samba_dsdb_state *state;
2249 NTSTATUS status;
2250
2251 if ( !NT_STATUS_IS_OK(status = make_pdb_method( &m )) ) {
2252 return status;
2253 }
2254
2255 state = talloc_zero(m, struct pdb_samba_dsdb_state);
2256 if (state == NULL) {
2257 goto nomem;
2258 }
2259 m->private_data = state;
2260 m->free_private_data = free_private_data;
2261 pdb_samba_dsdb_init_methods(m);
2262
2263 state->ev = s4_event_context_init(state);
2264 if (!state->ev) {
2265 DEBUG(0, ("s4_event_context_init failed\n"));
2266 goto nomem;
2267 }
2268
2269 state->lp_ctx = loadparm_init_s3(state, loadparm_s3_helpers());
2270 if (state->lp_ctx == NULL) {
2271 DEBUG(0, ("loadparm_init_s3 failed\n"));
2272 goto nomem;
2273 }
2274
2275 if (location) {
2276 state->ldb = samdb_connect_url(state,
2277 state->ev,
2278 state->lp_ctx,
2279 system_session(state->lp_ctx),
2280 0, location);
2281 } else {
2282 state->ldb = samdb_connect(state,
2283 state->ev,
2284 state->lp_ctx,
2285 system_session(state->lp_ctx), 0);
2286 }
2287
2288 if (!state->ldb) {
2289 DEBUG(0, ("samdb_connect failed\n"));
2290 status = NT_STATUS_INTERNAL_ERROR;
2291 goto fail;
2292 }
2293
2294 state->idmap_ctx = idmap_init(state, state->ev,
2295 state->lp_ctx);
2296 if (!state->idmap_ctx) {
2297 DEBUG(0, ("idmap failed\n"));
2298 status = NT_STATUS_INTERNAL_ERROR;
2299 goto fail;
2300 }
2301
2302 status = pdb_samba_dsdb_init_secrets(m);
2303 if (!NT_STATUS_IS_OK(status)) {
2304 DEBUG(10, ("pdb_samba_dsdb_init_secrets failed!\n"));
2305 goto fail;
2306 }
2307
2308 *pdb_method = m;
2309 return NT_STATUS_OK;
2310 nomem:
2311 status = NT_STATUS_NO_MEMORY;
2312 fail:
2313 TALLOC_FREE(m);
2314 return status;
2315 }
2316
2317 NTSTATUS pdb_samba_dsdb_init(void);
2318 NTSTATUS pdb_samba_dsdb_init(void)
2319 {
2320 NTSTATUS status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "samba_dsdb",
2321 pdb_init_samba_dsdb);
2322 if (!NT_STATUS_IS_OK(status)) {
2323 return status;
2324 }
2325 return smb_register_passdb(PASSDB_INTERFACE_VERSION, "samba4",
2326 pdb_init_samba_dsdb);
2327 }
Samba GIT mirror