2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Jelmer Vernooij 2002
6 Copyright (C) Simo Sorce 2003
7 Copyright (C) Volker Lendecke 2006
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/passwd.h"
29 #include "../librpc/gen_ndr/samr.h"
30 #include "../librpc/gen_ndr/drsblobs.h"
31 #include "../librpc/gen_ndr/ndr_drsblobs.h"
32 #include "../librpc/gen_ndr/idmap.h"
33 #include "../lib/util/memcache.h"
34 #include "nsswitch/winbind_client.h"
35 #include "../libcli/security/security.h"
36 #include "../lib/util/util_pw.h"
37 #include "passdb/pdb_secrets.h"
38 #include "lib/util_sid_passdb.h"
39 #include "idmap_cache.h"
42 #define DBGC_CLASS DBGC_PASSDB
46 static struct pdb_init_function_entry
*backends
= NULL
;
48 static void lazy_initialize_passdb(void)
50 static bool initialized
= False
;
54 static_init_pdb(NULL
);
58 static bool lookup_global_sam_rid(TALLOC_CTX
*mem_ctx
, uint32_t rid
,
60 enum lsa_SidType
*psid_name_use
,
61 uid_t
*uid
, gid_t
*gid
);
63 NTSTATUS
smb_register_passdb(int version
, const char *name
, pdb_init_function init
)
65 struct pdb_init_function_entry
*entry
= NULL
;
67 if(version
!= PASSDB_INTERFACE_VERSION
) {
68 DEBUG(0,("Can't register passdb backend!\n"
69 "You tried to register a passdb module with PASSDB_INTERFACE_VERSION %d, "
70 "while this version of samba uses version %d\n",
71 version
,PASSDB_INTERFACE_VERSION
));
72 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
76 return NT_STATUS_INVALID_PARAMETER
;
79 DEBUG(5,("Attempting to register passdb backend %s\n", name
));
81 /* Check for duplicates */
82 if (pdb_find_backend_entry(name
)) {
83 DEBUG(0,("There already is a passdb backend registered with the name %s!\n", name
));
84 return NT_STATUS_OBJECT_NAME_COLLISION
;
87 entry
= SMB_XMALLOC_P(struct pdb_init_function_entry
);
88 entry
->name
= smb_xstrdup(name
);
91 DLIST_ADD(backends
, entry
);
92 DEBUG(5,("Successfully added passdb backend '%s'\n", name
));
96 struct pdb_init_function_entry
*pdb_find_backend_entry(const char *name
)
98 struct pdb_init_function_entry
*entry
= backends
;
101 if (strcmp(entry
->name
, name
)==0) return entry
;
108 const struct pdb_init_function_entry
*pdb_get_backends(void)
115 * The event context for the passdb backend. I know this is a bad hack and yet
116 * another static variable, but our pdb API is a global thing per
117 * definition. The first use for this is the LDAP idle function, more might be
120 * I don't feel too bad about this static variable, it replaces the
121 * smb_idle_event_list that used to exist in lib/module.c. -- VL
124 static struct tevent_context
*pdb_tevent_ctx
;
126 struct tevent_context
*pdb_get_tevent_context(void)
128 return pdb_tevent_ctx
;
131 /******************************************************************
132 Make a pdb_methods from scratch
133 *******************************************************************/
135 NTSTATUS
make_pdb_method_name(struct pdb_methods
**methods
, const char *selected
)
137 char *module_name
= smb_xstrdup(selected
);
138 char *module_location
= NULL
, *p
;
139 struct pdb_init_function_entry
*entry
;
142 lazy_initialize_passdb();
144 p
= strchr(module_name
, ':');
148 module_location
= p
+1;
149 trim_char(module_location
, ' ', ' ');
152 trim_char(module_name
, ' ', ' ');
155 DEBUG(5,("Attempting to find a passdb backend to match %s (%s)\n", selected
, module_name
));
157 entry
= pdb_find_backend_entry(module_name
);
159 /* Try to find a module that contains this module */
161 DEBUG(2,("No builtin backend found, trying to load plugin\n"));
162 if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name
)) && !(entry
= pdb_find_backend_entry(module_name
))) {
163 DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name
));
164 SAFE_FREE(module_name
);
165 return NT_STATUS_UNSUCCESSFUL
;
169 /* No such backend found */
171 DEBUG(0,("No builtin nor plugin backend for %s found\n", module_name
));
172 SAFE_FREE(module_name
);
173 return NT_STATUS_INVALID_PARAMETER
;
176 DEBUG(5,("Found pdb backend %s\n", module_name
));
178 if ( !NT_STATUS_IS_OK( nt_status
= entry
->init(methods
, module_location
) ) ) {
179 DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n",
180 selected
, nt_errstr(nt_status
)));
181 SAFE_FREE(module_name
);
185 SAFE_FREE(module_name
);
187 DEBUG(5,("pdb backend %s has a valid init\n", selected
));
192 /******************************************************************
193 Return an already initialized pdb_methods structure
194 *******************************************************************/
196 static struct pdb_methods
*pdb_get_methods_reload( bool reload
)
198 static struct pdb_methods
*pdb
= NULL
;
200 if ( pdb
&& reload
) {
201 if (pdb
->free_private_data
!= NULL
) {
202 pdb
->free_private_data( &(pdb
->private_data
) );
204 if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb
, lp_passdb_backend() ) ) ) {
210 if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb
, lp_passdb_backend() ) ) ) {
218 static struct pdb_methods
*pdb_get_methods(void)
220 struct pdb_methods
*pdb
;
222 pdb
= pdb_get_methods_reload(false);
225 if (asprintf(&msg
, "pdb_get_methods: "
226 "failed to get pdb methods for backend %s\n",
227 lp_passdb_backend()) > 0) {
230 smb_panic("pdb_get_methods");
237 struct pdb_domain_info
*pdb_get_domain_info(TALLOC_CTX
*mem_ctx
)
239 struct pdb_methods
*pdb
= pdb_get_methods();
240 return pdb
->get_domain_info(pdb
, mem_ctx
);
244 * @brief Check if the user account has been locked out and try to unlock it.
246 * If the user has been automatically locked out and a lockout duration is set,
247 * then check if we can unlock the account and reset the bad password values.
249 * @param[in] sampass The sam user to check.
251 * @return True if the function was successfull, false on an error.
253 static bool pdb_try_account_unlock(struct samu
*sampass
)
255 uint32_t acb_info
= pdb_get_acct_ctrl(sampass
);
257 if ((acb_info
& ACB_NORMAL
) && (acb_info
& ACB_AUTOLOCK
)) {
258 uint32_t lockout_duration
;
259 time_t bad_password_time
;
260 time_t now
= time(NULL
);
263 ok
= pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION
,
266 DEBUG(0, ("pdb_try_account_unlock: "
267 "pdb_get_account_policy failed.\n"));
271 if (lockout_duration
== (uint32_t) -1 ||
272 lockout_duration
== 0) {
273 DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
274 "can't reset autolock\n"));
277 lockout_duration
*= 60;
279 bad_password_time
= pdb_get_bad_password_time(sampass
);
280 if (bad_password_time
== (time_t) 0) {
281 DEBUG(2, ("pdb_try_account_unlock: Account %s "
282 "administratively locked out "
283 "with no bad password "
284 "time. Leaving locked out.\n",
285 pdb_get_username(sampass
)));
289 if ((bad_password_time
+
290 convert_uint32_t_to_time_t(lockout_duration
)) < now
) {
293 pdb_set_acct_ctrl(sampass
, acb_info
& ~ACB_AUTOLOCK
,
295 pdb_set_bad_password_count(sampass
, 0, PDB_CHANGED
);
296 pdb_set_bad_password_time(sampass
, 0, PDB_CHANGED
);
299 status
= pdb_update_sam_account(sampass
);
301 if (!NT_STATUS_IS_OK(status
)) {
302 DEBUG(0, ("_samr_OpenUser: Couldn't "
303 "update account %s - %s\n",
304 pdb_get_username(sampass
),
315 * @brief Get a sam user structure by the given username.
317 * This functions also checks if the account has been automatically locked out
318 * and unlocks it if a lockout duration time has been defined and the time has
321 * @param[in] sam_acct The sam user structure to fill.
323 * @param[in] username The username to look for.
325 * @return True on success, false on error.
327 bool pdb_getsampwnam(struct samu
*sam_acct
, const char *username
)
329 struct pdb_methods
*pdb
= pdb_get_methods();
330 struct samu
*for_cache
;
331 const struct dom_sid
*user_sid
;
335 status
= pdb
->getsampwnam(pdb
, sam_acct
, username
);
336 if (!NT_STATUS_IS_OK(status
)) {
340 ok
= pdb_try_account_unlock(sam_acct
);
342 DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
346 for_cache
= samu_new(NULL
);
347 if (for_cache
== NULL
) {
351 if (!pdb_copy_sam_account(for_cache
, sam_acct
)) {
352 TALLOC_FREE(for_cache
);
356 user_sid
= pdb_get_user_sid(for_cache
);
358 memcache_add_talloc(NULL
, PDB_GETPWSID_CACHE
,
359 data_blob_const(user_sid
, sizeof(*user_sid
)),
365 /**********************************************************************
366 **********************************************************************/
368 static bool guest_user_info( struct samu
*user
)
372 const char *guestname
= lp_guest_account();
374 pwd
= Get_Pwnam_alloc(talloc_tos(), guestname
);
376 DEBUG(0,("guest_user_info: Unable to locate guest account [%s]!\n",
381 result
= samu_set_unix(user
, pwd
);
385 return NT_STATUS_IS_OK( result
);
389 * @brief Get a sam user structure by the given username.
391 * This functions also checks if the account has been automatically locked out
392 * and unlocks it if a lockout duration time has been defined and the time has
396 * @param[in] sam_acct The sam user structure to fill.
398 * @param[in] sid The user SDI to look up.
400 * @return True on success, false on error.
402 bool pdb_getsampwsid(struct samu
*sam_acct
, const struct dom_sid
*sid
)
404 struct pdb_methods
*pdb
= pdb_get_methods();
409 /* hard code the Guest RID of 501 */
411 if ( !sid_peek_check_rid( get_global_sam_sid(), sid
, &rid
) )
414 if ( rid
== DOMAIN_RID_GUEST
) {
415 DEBUG(6,("pdb_getsampwsid: Building guest account\n"));
416 return guest_user_info( sam_acct
);
419 /* check the cache first */
421 cache_data
= memcache_lookup_talloc(
422 NULL
, PDB_GETPWSID_CACHE
, data_blob_const(sid
, sizeof(*sid
)));
424 if (cache_data
!= NULL
) {
425 struct samu
*cache_copy
= talloc_get_type_abort(
426 cache_data
, struct samu
);
428 ok
= pdb_copy_sam_account(sam_acct
, cache_copy
);
430 ok
= NT_STATUS_IS_OK(pdb
->getsampwsid(pdb
, sam_acct
, sid
));
437 ok
= pdb_try_account_unlock(sam_acct
);
439 DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
440 sam_acct
->username
));
446 static NTSTATUS
pdb_default_create_user(struct pdb_methods
*methods
,
447 TALLOC_CTX
*tmp_ctx
, const char *name
,
448 uint32_t acb_info
, uint32_t *rid
)
450 const struct loadparm_substitution
*lp_sub
=
451 loadparm_s3_global_substitution();
452 struct samu
*sam_pass
;
456 if ((sam_pass
= samu_new(tmp_ctx
)) == NULL
) {
457 return NT_STATUS_NO_MEMORY
;
460 if ( !(pwd
= Get_Pwnam_alloc(tmp_ctx
, name
)) ) {
461 char *add_script
= NULL
;
465 if ((acb_info
& ACB_NORMAL
) && name
[strlen(name
)-1] != '$') {
466 add_script
= lp_add_user_script(tmp_ctx
, lp_sub
);
468 add_script
= lp_add_machine_script(tmp_ctx
, lp_sub
);
471 if (!add_script
|| add_script
[0] == '\0') {
472 DEBUG(3, ("Could not find user %s and no add script "
474 return NT_STATUS_NO_SUCH_USER
;
477 /* lowercase the username before creating the Unix account for
478 compatibility with previous Samba releases */
479 fstrcpy( name2
, name
);
480 if (!strlower_m( name2
)) {
481 return NT_STATUS_INVALID_PARAMETER
;
483 add_script
= talloc_all_string_sub(tmp_ctx
,
488 return NT_STATUS_NO_MEMORY
;
490 add_ret
= smbrun(add_script
, NULL
, NULL
);
491 DEBUG(add_ret
? 0 : 3, ("_samr_create_user: Running the command `%s' gave %d\n",
492 add_script
, add_ret
));
494 smb_nscd_flush_user_cache();
499 pwd
= Get_Pwnam_alloc(tmp_ctx
, name
);
502 DEBUG(3, ("Could not find user %s, add script did not work\n", name
));
503 return NT_STATUS_NO_SUCH_USER
;
507 /* we have a valid SID coming out of this call */
509 status
= samu_alloc_rid_unix(methods
, sam_pass
, pwd
);
513 if (!NT_STATUS_IS_OK(status
)) {
514 DEBUG(3, ("pdb_default_create_user: failed to create a new user structure: %s\n", nt_errstr(status
)));
518 if (!sid_peek_check_rid(get_global_sam_sid(),
519 pdb_get_user_sid(sam_pass
), rid
)) {
520 DEBUG(0, ("Could not get RID of fresh user\n"));
521 return NT_STATUS_INTERNAL_ERROR
;
524 /* Use the username case specified in the original request */
526 pdb_set_username( sam_pass
, name
, PDB_SET
);
528 /* Disable the account on creation, it does not have a reasonable password yet. */
530 acb_info
|= ACB_DISABLED
;
532 pdb_set_acct_ctrl(sam_pass
, acb_info
, PDB_CHANGED
);
534 status
= methods
->add_sam_account(methods
, sam_pass
);
536 TALLOC_FREE(sam_pass
);
541 NTSTATUS
pdb_create_user(TALLOC_CTX
*mem_ctx
, const char *name
, uint32_t flags
,
544 struct pdb_methods
*pdb
= pdb_get_methods();
545 return pdb
->create_user(pdb
, mem_ctx
, name
, flags
, rid
);
548 /****************************************************************************
549 Delete a UNIX user on demand.
550 ****************************************************************************/
552 static int smb_delete_user(const char *unix_user
)
554 const struct loadparm_substitution
*lp_sub
=
555 loadparm_s3_global_substitution();
556 char *del_script
= NULL
;
561 if ( strequal( unix_user
, "root" ) ) {
562 DEBUG(0,("smb_delete_user: Refusing to delete local system root account!\n"));
566 del_script
= lp_delete_user_script(talloc_tos(), lp_sub
);
567 if (!del_script
|| !*del_script
) {
570 del_script
= talloc_all_string_sub(talloc_tos(),
577 ret
= smbrun(del_script
, NULL
, NULL
);
580 smb_nscd_flush_user_cache();
582 DEBUG(ret
? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script
,ret
));
587 static NTSTATUS
pdb_default_delete_user(struct pdb_methods
*methods
,
589 struct samu
*sam_acct
)
594 status
= methods
->delete_sam_account(methods
, sam_acct
);
595 if (!NT_STATUS_IS_OK(status
)) {
600 * Now delete the unix side ....
601 * note: we don't check if the delete really happened as the script is
602 * not necessary present and maybe the sysadmin doesn't want to delete
606 /* always lower case the username before handing it off to
609 fstrcpy( username
, pdb_get_username(sam_acct
) );
610 if (!strlower_m( username
)) {
614 smb_delete_user( username
);
619 NTSTATUS
pdb_delete_user(TALLOC_CTX
*mem_ctx
, struct samu
*sam_acct
)
621 struct pdb_methods
*pdb
= pdb_get_methods();
624 const struct dom_sid
*user_sid
;
627 user_sid
= pdb_get_user_sid(sam_acct
);
629 /* sanity check to make sure we don't delete root */
631 if ( !sid_to_uid(user_sid
, &uid
) ) {
632 return NT_STATUS_NO_SUCH_USER
;
636 return NT_STATUS_ACCESS_DENIED
;
639 memcache_delete(NULL
,
641 data_blob_const(user_sid
, sizeof(*user_sid
)));
643 status
= pdb
->delete_user(pdb
, mem_ctx
, sam_acct
);
644 if (!NT_STATUS_IS_OK(status
)) {
648 msg_data
= talloc_asprintf(mem_ctx
, "USER %s",
649 pdb_get_username(sam_acct
));
651 /* not fatal, and too late to rollback,
655 messaging_send_all(global_messaging_context(),
658 strlen(msg_data
) + 1);
660 TALLOC_FREE(msg_data
);
664 NTSTATUS
pdb_add_sam_account(struct samu
*sam_acct
)
666 struct pdb_methods
*pdb
= pdb_get_methods();
667 return pdb
->add_sam_account(pdb
, sam_acct
);
670 NTSTATUS
pdb_update_sam_account(struct samu
*sam_acct
)
672 struct pdb_methods
*pdb
= pdb_get_methods();
674 memcache_flush(NULL
, PDB_GETPWSID_CACHE
);
676 return pdb
->update_sam_account(pdb
, sam_acct
);
679 NTSTATUS
pdb_delete_sam_account(struct samu
*sam_acct
)
681 struct pdb_methods
*pdb
= pdb_get_methods();
682 const struct dom_sid
*user_sid
= pdb_get_user_sid(sam_acct
);
684 memcache_delete(NULL
,
686 data_blob_const(user_sid
, sizeof(*user_sid
)));
688 return pdb
->delete_sam_account(pdb
, sam_acct
);
691 NTSTATUS
pdb_rename_sam_account(struct samu
*oldname
, const char *newname
)
693 struct pdb_methods
*pdb
= pdb_get_methods();
697 memcache_flush(NULL
, PDB_GETPWSID_CACHE
);
699 /* sanity check to make sure we don't rename root */
701 if ( !sid_to_uid( pdb_get_user_sid(oldname
), &uid
) ) {
702 return NT_STATUS_NO_SUCH_USER
;
706 return NT_STATUS_ACCESS_DENIED
;
709 status
= pdb
->rename_sam_account(pdb
, oldname
, newname
);
711 /* always flush the cache here just to be safe */
717 NTSTATUS
pdb_update_login_attempts(struct samu
*sam_acct
, bool success
)
719 struct pdb_methods
*pdb
= pdb_get_methods();
720 return pdb
->update_login_attempts(pdb
, sam_acct
, success
);
723 bool pdb_getgrsid(GROUP_MAP
*map
, struct dom_sid sid
)
725 struct pdb_methods
*pdb
= pdb_get_methods();
726 return NT_STATUS_IS_OK(pdb
->getgrsid(pdb
, map
, sid
));
729 bool pdb_getgrgid(GROUP_MAP
*map
, gid_t gid
)
731 struct pdb_methods
*pdb
= pdb_get_methods();
732 return NT_STATUS_IS_OK(pdb
->getgrgid(pdb
, map
, gid
));
735 bool pdb_getgrnam(GROUP_MAP
*map
, const char *name
)
737 struct pdb_methods
*pdb
= pdb_get_methods();
738 return NT_STATUS_IS_OK(pdb
->getgrnam(pdb
, map
, name
));
741 static NTSTATUS
pdb_default_create_dom_group(struct pdb_methods
*methods
,
746 struct dom_sid group_sid
;
748 struct dom_sid_buf tmp
;
750 grp
= getgrnam(name
);
755 if (smb_create_group(name
, &gid
) != 0) {
756 return NT_STATUS_ACCESS_DENIED
;
763 return NT_STATUS_ACCESS_DENIED
;
766 if (pdb_capabilities() & PDB_CAP_STORE_RIDS
) {
767 if (!pdb_new_rid(rid
)) {
768 return NT_STATUS_ACCESS_DENIED
;
771 *rid
= algorithmic_pdb_gid_to_group_rid( grp
->gr_gid
);
774 sid_compose(&group_sid
, get_global_sam_sid(), *rid
);
776 return add_initial_entry(
778 dom_sid_str_buf(&group_sid
, &tmp
),
784 NTSTATUS
pdb_create_dom_group(TALLOC_CTX
*mem_ctx
, const char *name
,
787 struct pdb_methods
*pdb
= pdb_get_methods();
788 return pdb
->create_dom_group(pdb
, mem_ctx
, name
, rid
);
791 static NTSTATUS
pdb_default_delete_dom_group(struct pdb_methods
*methods
,
795 struct dom_sid group_sid
;
799 const char *grp_name
;
801 map
= talloc_zero(mem_ctx
, GROUP_MAP
);
803 return NT_STATUS_NO_MEMORY
;
807 map
->gid
= (gid_t
) -1;
809 sid_compose(&group_sid
, get_global_sam_sid(), rid
);
811 if (!get_domain_group_from_sid(group_sid
, map
)) {
812 DEBUG(10, ("Could not find group for rid %d\n", rid
));
813 return NT_STATUS_NO_SUCH_GROUP
;
816 /* We need the group name for the smb_delete_group later on */
818 if (map
->gid
== (gid_t
)-1) {
819 return NT_STATUS_NO_SUCH_GROUP
;
822 grp
= getgrgid(map
->gid
);
824 return NT_STATUS_NO_SUCH_GROUP
;
829 /* Copy the name, no idea what pdb_delete_group_mapping_entry does.. */
831 grp_name
= talloc_strdup(mem_ctx
, grp
->gr_name
);
832 if (grp_name
== NULL
) {
833 return NT_STATUS_NO_MEMORY
;
836 status
= pdb_delete_group_mapping_entry(group_sid
);
838 if (!NT_STATUS_IS_OK(status
)) {
842 /* Don't check the result of smb_delete_group */
844 smb_delete_group(grp_name
);
849 NTSTATUS
pdb_delete_dom_group(TALLOC_CTX
*mem_ctx
, uint32_t rid
)
851 struct pdb_methods
*pdb
= pdb_get_methods();
852 return pdb
->delete_dom_group(pdb
, mem_ctx
, rid
);
855 NTSTATUS
pdb_add_group_mapping_entry(GROUP_MAP
*map
)
857 struct pdb_methods
*pdb
= pdb_get_methods();
858 return pdb
->add_group_mapping_entry(pdb
, map
);
861 NTSTATUS
pdb_update_group_mapping_entry(GROUP_MAP
*map
)
863 struct pdb_methods
*pdb
= pdb_get_methods();
864 return pdb
->update_group_mapping_entry(pdb
, map
);
867 NTSTATUS
pdb_delete_group_mapping_entry(struct dom_sid sid
)
869 struct pdb_methods
*pdb
= pdb_get_methods();
870 return pdb
->delete_group_mapping_entry(pdb
, sid
);
873 bool pdb_enum_group_mapping(const struct dom_sid
*sid
,
874 enum lsa_SidType sid_name_use
,
875 GROUP_MAP
***pp_rmap
,
876 size_t *p_num_entries
,
879 struct pdb_methods
*pdb
= pdb_get_methods();
880 return NT_STATUS_IS_OK(pdb
-> enum_group_mapping(pdb
, sid
, sid_name_use
,
881 pp_rmap
, p_num_entries
, unix_only
));
884 NTSTATUS
pdb_enum_group_members(TALLOC_CTX
*mem_ctx
,
885 const struct dom_sid
*sid
,
886 uint32_t **pp_member_rids
,
887 size_t *p_num_members
)
889 struct pdb_methods
*pdb
= pdb_get_methods();
892 result
= pdb
->enum_group_members(pdb
, mem_ctx
,
893 sid
, pp_member_rids
, p_num_members
);
895 /* special check for rid 513 */
897 if ( !NT_STATUS_IS_OK( result
) ) {
900 sid_peek_rid( sid
, &rid
);
902 if ( rid
== DOMAIN_RID_USERS
) {
904 *pp_member_rids
= NULL
;
913 NTSTATUS
pdb_enum_group_memberships(TALLOC_CTX
*mem_ctx
, struct samu
*user
,
914 struct dom_sid
**pp_sids
, gid_t
**pp_gids
,
915 uint32_t *p_num_groups
)
917 struct pdb_methods
*pdb
= pdb_get_methods();
918 return pdb
->enum_group_memberships(
920 pp_sids
, pp_gids
, p_num_groups
);
923 static NTSTATUS
pdb_default_set_unix_primary_group(struct pdb_methods
*methods
,
925 struct samu
*sampass
)
930 if (!sid_to_gid(pdb_get_group_sid(sampass
), &gid
) ||
931 (grp
= getgrgid(gid
)) == NULL
) {
932 return NT_STATUS_INVALID_PRIMARY_GROUP
;
935 if (smb_set_primary_group(grp
->gr_name
,
936 pdb_get_username(sampass
)) != 0) {
937 return NT_STATUS_ACCESS_DENIED
;
943 NTSTATUS
pdb_set_unix_primary_group(TALLOC_CTX
*mem_ctx
, struct samu
*user
)
945 struct pdb_methods
*pdb
= pdb_get_methods();
946 return pdb
->set_unix_primary_group(pdb
, mem_ctx
, user
);
950 * Helper function to see whether a user is in a group. We can't use
951 * user_in_group_sid here because this creates dependencies only smbd can
955 static bool pdb_user_in_group(TALLOC_CTX
*mem_ctx
, struct samu
*account
,
956 const struct dom_sid
*group_sid
)
958 struct dom_sid
*sids
;
960 uint32_t i
, num_groups
;
962 if (!NT_STATUS_IS_OK(pdb_enum_group_memberships(mem_ctx
, account
,
968 for (i
=0; i
<num_groups
; i
++) {
969 if (dom_sid_equal(group_sid
, &sids
[i
])) {
976 static NTSTATUS
pdb_default_add_groupmem(struct pdb_methods
*methods
,
981 struct dom_sid group_sid
, member_sid
;
982 struct samu
*account
= NULL
;
986 const char *group_name
;
989 map
= talloc_zero(mem_ctx
, GROUP_MAP
);
991 return NT_STATUS_NO_MEMORY
;
995 map
->gid
= (gid_t
) -1;
997 sid_compose(&group_sid
, get_global_sam_sid(), group_rid
);
998 sid_compose(&member_sid
, get_global_sam_sid(), member_rid
);
1000 if (!get_domain_group_from_sid(group_sid
, map
) ||
1001 (map
->gid
== (gid_t
)-1) ||
1002 ((grp
= getgrgid(map
->gid
)) == NULL
)) {
1003 return NT_STATUS_NO_SUCH_GROUP
;
1008 group_name
= talloc_strdup(mem_ctx
, grp
->gr_name
);
1009 if (group_name
== NULL
) {
1010 return NT_STATUS_NO_MEMORY
;
1013 if ( !(account
= samu_new( NULL
)) ) {
1014 return NT_STATUS_NO_MEMORY
;
1017 if (!pdb_getsampwsid(account
, &member_sid
) ||
1018 !sid_to_uid(&member_sid
, &uid
) ||
1019 ((pwd
= getpwuid_alloc(mem_ctx
, uid
)) == NULL
)) {
1020 return NT_STATUS_NO_SUCH_USER
;
1023 if (pdb_user_in_group(mem_ctx
, account
, &group_sid
)) {
1024 return NT_STATUS_MEMBER_IN_GROUP
;
1028 * ok, the group exist, the user exist, the user is not in the group,
1029 * we can (finally) add it to the group !
1032 smb_add_user_group(group_name
, pwd
->pw_name
);
1034 if (!pdb_user_in_group(mem_ctx
, account
, &group_sid
)) {
1035 return NT_STATUS_ACCESS_DENIED
;
1038 return NT_STATUS_OK
;
1041 NTSTATUS
pdb_add_groupmem(TALLOC_CTX
*mem_ctx
, uint32_t group_rid
,
1042 uint32_t member_rid
)
1044 struct pdb_methods
*pdb
= pdb_get_methods();
1045 return pdb
->add_groupmem(pdb
, mem_ctx
, group_rid
, member_rid
);
1048 static NTSTATUS
pdb_default_del_groupmem(struct pdb_methods
*methods
,
1049 TALLOC_CTX
*mem_ctx
,
1051 uint32_t member_rid
)
1053 struct dom_sid group_sid
, member_sid
;
1054 struct samu
*account
= NULL
;
1058 const char *group_name
;
1061 map
= talloc_zero(mem_ctx
, GROUP_MAP
);
1063 return NT_STATUS_NO_MEMORY
;
1066 sid_compose(&group_sid
, get_global_sam_sid(), group_rid
);
1067 sid_compose(&member_sid
, get_global_sam_sid(), member_rid
);
1069 if (!get_domain_group_from_sid(group_sid
, map
) ||
1070 (map
->gid
== (gid_t
)-1) ||
1071 ((grp
= getgrgid(map
->gid
)) == NULL
)) {
1072 return NT_STATUS_NO_SUCH_GROUP
;
1077 group_name
= talloc_strdup(mem_ctx
, grp
->gr_name
);
1078 if (group_name
== NULL
) {
1079 return NT_STATUS_NO_MEMORY
;
1082 if ( !(account
= samu_new( NULL
)) ) {
1083 return NT_STATUS_NO_MEMORY
;
1086 if (!pdb_getsampwsid(account
, &member_sid
) ||
1087 !sid_to_uid(&member_sid
, &uid
) ||
1088 ((pwd
= getpwuid_alloc(mem_ctx
, uid
)) == NULL
)) {
1089 return NT_STATUS_NO_SUCH_USER
;
1092 if (!pdb_user_in_group(mem_ctx
, account
, &group_sid
)) {
1093 return NT_STATUS_MEMBER_NOT_IN_GROUP
;
1097 * ok, the group exist, the user exist, the user is in the group,
1098 * we can (finally) delete it from the group!
1101 smb_delete_user_group(group_name
, pwd
->pw_name
);
1103 if (pdb_user_in_group(mem_ctx
, account
, &group_sid
)) {
1104 return NT_STATUS_ACCESS_DENIED
;
1107 return NT_STATUS_OK
;
1110 NTSTATUS
pdb_del_groupmem(TALLOC_CTX
*mem_ctx
, uint32_t group_rid
,
1111 uint32_t member_rid
)
1113 struct pdb_methods
*pdb
= pdb_get_methods();
1114 return pdb
->del_groupmem(pdb
, mem_ctx
, group_rid
, member_rid
);
1117 NTSTATUS
pdb_create_alias(const char *name
, uint32_t *rid
)
1119 struct pdb_methods
*pdb
= pdb_get_methods();
1120 return pdb
->create_alias(pdb
, name
, rid
);
1123 NTSTATUS
pdb_delete_alias(const struct dom_sid
*sid
)
1125 struct pdb_methods
*pdb
= pdb_get_methods();
1126 return pdb
->delete_alias(pdb
, sid
);
1129 NTSTATUS
pdb_get_aliasinfo(const struct dom_sid
*sid
, struct acct_info
*info
)
1131 struct pdb_methods
*pdb
= pdb_get_methods();
1132 return pdb
->get_aliasinfo(pdb
, sid
, info
);
1135 NTSTATUS
pdb_set_aliasinfo(const struct dom_sid
*sid
, struct acct_info
*info
)
1137 struct pdb_methods
*pdb
= pdb_get_methods();
1138 return pdb
->set_aliasinfo(pdb
, sid
, info
);
1141 NTSTATUS
pdb_add_aliasmem(const struct dom_sid
*alias
, const struct dom_sid
*member
)
1143 struct pdb_methods
*pdb
= pdb_get_methods();
1144 return pdb
->add_aliasmem(pdb
, alias
, member
);
1147 NTSTATUS
pdb_del_aliasmem(const struct dom_sid
*alias
, const struct dom_sid
*member
)
1149 struct pdb_methods
*pdb
= pdb_get_methods();
1150 return pdb
->del_aliasmem(pdb
, alias
, member
);
1153 NTSTATUS
pdb_enum_aliasmem(const struct dom_sid
*alias
, TALLOC_CTX
*mem_ctx
,
1154 struct dom_sid
**pp_members
, size_t *p_num_members
)
1156 struct pdb_methods
*pdb
= pdb_get_methods();
1157 return pdb
->enum_aliasmem(pdb
, alias
, mem_ctx
, pp_members
,
1161 NTSTATUS
pdb_enum_alias_memberships(TALLOC_CTX
*mem_ctx
,
1162 const struct dom_sid
*domain_sid
,
1163 const struct dom_sid
*members
, size_t num_members
,
1164 uint32_t **pp_alias_rids
,
1165 size_t *p_num_alias_rids
)
1167 struct pdb_methods
*pdb
= pdb_get_methods();
1168 return pdb
->enum_alias_memberships(pdb
, mem_ctx
,
1170 members
, num_members
,
1175 NTSTATUS
pdb_lookup_rids(const struct dom_sid
*domain_sid
,
1179 enum lsa_SidType
*attrs
)
1181 struct pdb_methods
*pdb
= pdb_get_methods();
1182 return pdb
->lookup_rids(pdb
, domain_sid
, num_rids
, rids
, names
, attrs
);
1185 bool pdb_get_account_policy(enum pdb_policy_type type
, uint32_t *value
)
1187 struct pdb_methods
*pdb
= pdb_get_methods();
1191 status
= pdb
->get_account_policy(pdb
, type
, value
);
1194 return NT_STATUS_IS_OK(status
);
1197 bool pdb_set_account_policy(enum pdb_policy_type type
, uint32_t value
)
1199 struct pdb_methods
*pdb
= pdb_get_methods();
1203 status
= pdb
->set_account_policy(pdb
, type
, value
);
1206 return NT_STATUS_IS_OK(status
);
1209 bool pdb_get_seq_num(time_t *seq_num
)
1211 struct pdb_methods
*pdb
= pdb_get_methods();
1212 return NT_STATUS_IS_OK(pdb
->get_seq_num(pdb
, seq_num
));
1216 * Instead of passing down a gid or uid, this function sends down a pointer
1219 * This acts as an in-out variable so that the idmap functions can correctly
1220 * receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing
1221 * the cache to store ID_TYPE_UID or ID_TYPE_GID.
1223 bool pdb_id_to_sid(struct unixid
*id
, struct dom_sid
*sid
)
1225 struct pdb_methods
*pdb
= pdb_get_methods();
1228 ret
= pdb
->id_to_sid(pdb
, id
, sid
);
1231 idmap_cache_set_sid2unixid(sid
, id
);
1237 bool pdb_sid_to_id(const struct dom_sid
*sid
, struct unixid
*id
)
1239 struct pdb_methods
*pdb
= pdb_get_methods();
1242 /* only ask the backend if it is responsible */
1243 if (!sid_check_object_is_for_passdb(sid
)) {
1247 ret
= pdb
->sid_to_id(pdb
, sid
, id
);
1250 idmap_cache_set_sid2unixid(sid
, id
);
1256 uint32_t pdb_capabilities(void)
1258 struct pdb_methods
*pdb
= pdb_get_methods();
1259 return pdb
->capabilities(pdb
);
1262 /********************************************************************
1263 Allocate a new RID from the passdb backend. Verify that it is free
1264 by calling lookup_global_sam_rid() to verify that the RID is not
1265 in use. This handles servers that have existing users or groups
1266 with add RIDs (assigned from previous algorithmic mappings)
1267 ********************************************************************/
1269 bool pdb_new_rid(uint32_t *rid
)
1271 struct pdb_methods
*pdb
= pdb_get_methods();
1272 const char *name
= NULL
;
1273 enum lsa_SidType type
;
1274 uint32_t allocated_rid
= 0;
1278 if ((pdb_capabilities() & PDB_CAP_STORE_RIDS
) == 0) {
1279 DEBUG(0, ("Trying to allocate a RID when algorithmic RIDs "
1284 if (algorithmic_rid_base() != BASE_RID
) {
1285 DEBUG(0, ("'algorithmic rid base' is set but a passdb backend "
1286 "without algorithmic RIDs is chosen.\n"));
1287 DEBUGADD(0, ("Please map all used groups using 'net groupmap "
1288 "add', set the maximum used RID\n"));
1289 DEBUGADD(0, ("and remove the parameter\n"));
1293 if ( (ctx
= talloc_init("pdb_new_rid")) == NULL
) {
1294 DEBUG(0,("pdb_new_rid: Talloc initialization failure\n"));
1298 /* Attempt to get an unused RID (max tires is 250...yes that it is
1299 and arbitrary number I pulkled out of my head). -- jerry */
1301 for ( i
=0; allocated_rid
==0 && i
<250; i
++ ) {
1304 if ( !pdb
->new_rid(pdb
, &allocated_rid
) ) {
1308 /* validate that the RID is not in use */
1310 if (lookup_global_sam_rid(ctx
, allocated_rid
, &name
, &type
, NULL
, NULL
)) {
1317 if ( allocated_rid
== 0 ) {
1318 DEBUG(0,("pdb_new_rid: Failed to find unused RID\n"));
1322 *rid
= allocated_rid
;
1327 /***************************************************************
1328 Initialize the static context (at smbd startup etc).
1330 If uninitialised, context will auto-init on first use.
1331 ***************************************************************/
1333 bool initialize_password_db(bool reload
, struct tevent_context
*tevent_ctx
)
1336 pdb_tevent_ctx
= tevent_ctx
;
1338 return (pdb_get_methods_reload(reload
) != NULL
);
1341 /***************************************************************************
1342 Default implementations of some functions.
1343 ****************************************************************************/
1345 static NTSTATUS
pdb_default_getsampwnam (struct pdb_methods
*methods
, struct samu
*user
, const char *sname
)
1347 return NT_STATUS_NO_SUCH_USER
;
1350 static NTSTATUS
pdb_default_getsampwsid(struct pdb_methods
*my_methods
, struct samu
* user
, const struct dom_sid
*sid
)
1352 return NT_STATUS_NO_SUCH_USER
;
1355 static NTSTATUS
pdb_default_add_sam_account (struct pdb_methods
*methods
, struct samu
*newpwd
)
1357 return NT_STATUS_NOT_IMPLEMENTED
;
1360 static NTSTATUS
pdb_default_update_sam_account (struct pdb_methods
*methods
, struct samu
*newpwd
)
1362 return NT_STATUS_NOT_IMPLEMENTED
;
1365 static NTSTATUS
pdb_default_delete_sam_account (struct pdb_methods
*methods
, struct samu
*pwd
)
1367 return NT_STATUS_NOT_IMPLEMENTED
;
1370 static NTSTATUS
pdb_default_rename_sam_account (struct pdb_methods
*methods
, struct samu
*pwd
, const char *newname
)
1372 return NT_STATUS_NOT_IMPLEMENTED
;
1375 static NTSTATUS
pdb_default_update_login_attempts (struct pdb_methods
*methods
, struct samu
*newpwd
, bool success
)
1377 /* Only the pdb_nds backend implements this, by
1378 * default just return ok. */
1379 return NT_STATUS_OK
;
1382 static NTSTATUS
pdb_default_get_account_policy(struct pdb_methods
*methods
, enum pdb_policy_type type
, uint32_t *value
)
1384 return account_policy_get(type
, value
) ? NT_STATUS_OK
: NT_STATUS_UNSUCCESSFUL
;
1387 static NTSTATUS
pdb_default_set_account_policy(struct pdb_methods
*methods
, enum pdb_policy_type type
, uint32_t value
)
1389 return account_policy_set(type
, value
) ? NT_STATUS_OK
: NT_STATUS_UNSUCCESSFUL
;
1392 static NTSTATUS
pdb_default_get_seq_num(struct pdb_methods
*methods
, time_t *seq_num
)
1394 *seq_num
= time(NULL
);
1395 return NT_STATUS_OK
;
1398 static bool pdb_default_uid_to_sid(struct pdb_methods
*methods
, uid_t uid
,
1399 struct dom_sid
*sid
)
1401 struct samu
*sampw
= NULL
;
1402 struct passwd
*unix_pw
;
1405 unix_pw
= getpwuid( uid
);
1408 DEBUG(4,("pdb_default_uid_to_sid: host has no idea of uid "
1409 "%lu\n", (unsigned long)uid
));
1413 if ( !(sampw
= samu_new( NULL
)) ) {
1414 DEBUG(0,("pdb_default_uid_to_sid: samu_new() failed!\n"));
1419 ret
= NT_STATUS_IS_OK(
1420 methods
->getsampwnam(methods
, sampw
, unix_pw
->pw_name
));
1424 DEBUG(5, ("pdb_default_uid_to_sid: Did not find user "
1425 "%s (%u)\n", unix_pw
->pw_name
, (unsigned int)uid
));
1430 sid_copy(sid
, pdb_get_user_sid(sampw
));
1437 static bool pdb_default_gid_to_sid(struct pdb_methods
*methods
, gid_t gid
,
1438 struct dom_sid
*sid
)
1442 map
= talloc_zero(NULL
, GROUP_MAP
);
1447 if (!NT_STATUS_IS_OK(methods
->getgrgid(methods
, map
, gid
))) {
1452 sid_copy(sid
, &map
->sid
);
1457 static bool pdb_default_id_to_sid(struct pdb_methods
*methods
, struct unixid
*id
,
1458 struct dom_sid
*sid
)
1462 return pdb_default_uid_to_sid(methods
, id
->id
, sid
);
1465 return pdb_default_gid_to_sid(methods
, id
->id
, sid
);
1472 * The "Unix User" and "Unix Group" domains have a special
1473 * id mapping that is a rid-algorithm with range starting at 0.
1475 bool pdb_sid_to_id_unix_users_and_groups(const struct dom_sid
*sid
,
1482 if (sid_peek_check_rid(&global_sid_Unix_Users
, sid
, &rid
)) {
1484 id
->type
= ID_TYPE_UID
;
1488 if (sid_peek_check_rid(&global_sid_Unix_Groups
, sid
, &rid
)) {
1490 id
->type
= ID_TYPE_GID
;
1497 static bool pdb_default_sid_to_id(struct pdb_methods
*methods
,
1498 const struct dom_sid
*sid
,
1501 TALLOC_CTX
*mem_ctx
;
1504 struct dom_sid_buf buf
;
1508 mem_ctx
= talloc_new(NULL
);
1510 if (mem_ctx
== NULL
) {
1511 DEBUG(0, ("talloc_new failed\n"));
1515 if (sid_peek_check_rid(get_global_sam_sid(), sid
, &rid
)) {
1517 enum lsa_SidType type
;
1518 uid_t uid
= (uid_t
)-1;
1519 gid_t gid
= (gid_t
)-1;
1520 /* Here we might have users as well as groups and aliases */
1521 ret
= lookup_global_sam_rid(mem_ctx
, rid
, &name
, &type
, &uid
, &gid
);
1524 case SID_NAME_DOM_GRP
:
1525 case SID_NAME_ALIAS
:
1526 id
->type
= ID_TYPE_GID
;
1530 id
->type
= ID_TYPE_UID
;
1534 DEBUG(5, ("SID %s belongs to our domain, and "
1535 "an object exists in the database, "
1536 "but it is neither a user nor a "
1537 "group (got type %d).\n",
1538 dom_sid_str_buf(sid
, &buf
),
1543 DEBUG(5, ("SID %s belongs to our domain, but there is "
1544 "no corresponding object in the database.\n",
1545 dom_sid_str_buf(sid
, &buf
)));
1551 * "Unix User" and "Unix Group"
1553 ret
= pdb_sid_to_id_unix_users_and_groups(sid
, id
);
1560 if (sid_check_is_in_builtin(sid
) ||
1561 sid_check_is_in_wellknown_domain(sid
)) {
1562 /* Here we only have aliases */
1565 map
= talloc_zero(mem_ctx
, GROUP_MAP
);
1571 if (!NT_STATUS_IS_OK(methods
->getgrsid(methods
, map
, *sid
))) {
1572 DEBUG(10, ("Could not find map for sid %s\n",
1573 dom_sid_str_buf(sid
, &buf
)));
1576 if ((map
->sid_name_use
!= SID_NAME_ALIAS
) &&
1577 (map
->sid_name_use
!= SID_NAME_WKN_GRP
)) {
1578 DEBUG(10, ("Map for sid %s is a %s, expected an "
1580 dom_sid_str_buf(sid
, &buf
),
1581 sid_type_lookup(map
->sid_name_use
)));
1586 id
->type
= ID_TYPE_GID
;
1591 DEBUG(5, ("Sid %s is neither ours, a Unix SID, nor builtin\n",
1592 dom_sid_str_buf(sid
, &buf
)));
1596 TALLOC_FREE(mem_ctx
);
1600 static bool get_memberuids(TALLOC_CTX
*mem_ctx
, gid_t gid
, uid_t
**pp_uids
, uint32_t *p_num
)
1611 /* We only look at our own sam, so don't care about imported stuff */
1612 winbind_env
= winbind_env_set();
1613 (void)winbind_off();
1615 if ((grp
= getgrgid(gid
)) == NULL
) {
1616 /* allow winbindd lookups, but only if they weren't already disabled */
1620 /* Primary group members */
1622 while ((pwd
= getpwent()) != NULL
) {
1623 if (pwd
->pw_gid
== gid
) {
1624 if (!add_uid_to_array_unique(mem_ctx
, pwd
->pw_uid
,
1632 /* Secondary group members */
1633 for (gr
= grp
->gr_mem
; (*gr
!= NULL
) && ((*gr
)[0] != '\0'); gr
+= 1) {
1634 struct passwd
*pw
= getpwnam(*gr
);
1638 if (!add_uid_to_array_unique(mem_ctx
, pw
->pw_uid
, pp_uids
, p_num
)) {
1647 /* allow winbindd lookups, but only if they weren't already disabled */
1655 static NTSTATUS
pdb_default_enum_group_members(struct pdb_methods
*methods
,
1656 TALLOC_CTX
*mem_ctx
,
1657 const struct dom_sid
*group
,
1658 uint32_t **pp_member_rids
,
1659 size_t *p_num_members
)
1663 uint32_t i
, num_uids
;
1665 *pp_member_rids
= NULL
;
1668 if (!sid_to_gid(group
, &gid
))
1669 return NT_STATUS_NO_SUCH_GROUP
;
1671 if(!get_memberuids(mem_ctx
, gid
, &uids
, &num_uids
))
1672 return NT_STATUS_NO_SUCH_GROUP
;
1675 return NT_STATUS_OK
;
1677 *pp_member_rids
= talloc_zero_array(mem_ctx
, uint32_t, num_uids
);
1679 for (i
=0; i
<num_uids
; i
++) {
1682 uid_to_sid(&sid
, uids
[i
]);
1684 if (!sid_check_is_in_our_sam(&sid
)) {
1685 DEBUG(5, ("Inconsistent SAM -- group member uid not "
1686 "in our domain\n"));
1690 sid_peek_rid(&sid
, &(*pp_member_rids
)[*p_num_members
]);
1691 *p_num_members
+= 1;
1694 return NT_STATUS_OK
;
1697 static NTSTATUS
pdb_default_enum_group_memberships(struct pdb_methods
*methods
,
1698 TALLOC_CTX
*mem_ctx
,
1700 struct dom_sid
**pp_sids
,
1702 uint32_t *p_num_groups
)
1707 const char *username
= pdb_get_username(user
);
1710 /* Ignore the primary group SID. Honor the real Unix primary group.
1711 The primary group SID is only of real use to Windows clients */
1713 if ( !(pw
= Get_Pwnam_alloc(mem_ctx
, username
)) ) {
1714 return NT_STATUS_NO_SUCH_USER
;
1721 if (!getgroups_unix_user(mem_ctx
, username
, gid
, pp_gids
, p_num_groups
)) {
1722 return NT_STATUS_NO_SUCH_USER
;
1725 if (*p_num_groups
== 0) {
1726 smb_panic("primary group missing");
1729 *pp_sids
= talloc_array(mem_ctx
, struct dom_sid
, *p_num_groups
);
1731 if (*pp_sids
== NULL
) {
1732 TALLOC_FREE(*pp_gids
);
1733 return NT_STATUS_NO_MEMORY
;
1736 for (i
=0; i
<*p_num_groups
; i
++) {
1737 gid_to_sid(&(*pp_sids
)[i
], (*pp_gids
)[i
]);
1740 return NT_STATUS_OK
;
1743 /*******************************************************************
1744 Look up a rid in the SAM we're responsible for (i.e. passdb)
1745 ********************************************************************/
1747 static bool lookup_global_sam_rid(TALLOC_CTX
*mem_ctx
, uint32_t rid
,
1749 enum lsa_SidType
*psid_name_use
,
1750 uid_t
*uid
, gid_t
*gid
)
1752 struct samu
*sam_account
= NULL
;
1753 GROUP_MAP
*map
= NULL
;
1757 *psid_name_use
= SID_NAME_UNKNOWN
;
1759 DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n",
1760 (unsigned int)rid
));
1762 sid_compose(&sid
, get_global_sam_sid(), rid
);
1764 /* see if the passdb can help us with the name of the user */
1766 if ( !(sam_account
= samu_new( NULL
)) ) {
1770 map
= talloc_zero(mem_ctx
, GROUP_MAP
);
1775 /* BEING ROOT BLOCK */
1777 ret
= pdb_getsampwsid(sam_account
, &sid
);
1779 TALLOC_FREE(sam_account
);
1780 ret
= pdb_getgrsid(map
, sid
);
1783 /* END BECOME_ROOT BLOCK */
1785 if (sam_account
|| !ret
) {
1792 *name
= talloc_strdup(mem_ctx
, pdb_get_username(sam_account
));
1794 TALLOC_FREE(sam_account
);
1798 *psid_name_use
= SID_NAME_USER
;
1800 TALLOC_FREE(sam_account
);
1806 pw
= Get_Pwnam_alloc(talloc_tos(), *name
);
1814 } else if (map
&& (map
->gid
!= (gid_t
)-1)) {
1816 /* do not resolve SIDs to a name unless there is a valid
1817 gid associated with it */
1819 *name
= talloc_steal(mem_ctx
, map
->nt_name
);
1820 *psid_name_use
= map
->sid_name_use
;
1832 /* Windows will always map RID 513 to something. On a non-domain
1833 controller, this gets mapped to SERVER\None. */
1836 DEBUG(5, ("Can't find a unix id for an unmapped group\n"));
1840 if ( rid
== DOMAIN_RID_USERS
) {
1841 *name
= talloc_strdup(mem_ctx
, "None" );
1842 *psid_name_use
= SID_NAME_DOM_GRP
;
1850 static NTSTATUS
pdb_default_lookup_rids(struct pdb_methods
*methods
,
1851 const struct dom_sid
*domain_sid
,
1855 enum lsa_SidType
*attrs
)
1859 bool have_mapped
= False
;
1860 bool have_unmapped
= False
;
1862 if (sid_check_is_builtin(domain_sid
)) {
1864 for (i
=0; i
<num_rids
; i
++) {
1867 if (lookup_builtin_rid(names
, rids
[i
], &name
)) {
1868 attrs
[i
] = SID_NAME_ALIAS
;
1870 DEBUG(5,("lookup_rids: %s:%d\n",
1871 names
[i
], attrs
[i
]));
1874 have_unmapped
= True
;
1875 attrs
[i
] = SID_NAME_UNKNOWN
;
1881 /* Should not happen, but better check once too many */
1882 if (!sid_check_is_our_sam(domain_sid
)) {
1883 return NT_STATUS_INVALID_HANDLE
;
1886 for (i
= 0; i
< num_rids
; i
++) {
1889 if (lookup_global_sam_rid(names
, rids
[i
], &name
, &attrs
[i
],
1892 return NT_STATUS_NO_MEMORY
;
1895 DEBUG(5,("lookup_rids: %s:%d\n", names
[i
], attrs
[i
]));
1898 have_unmapped
= True
;
1899 attrs
[i
] = SID_NAME_UNKNOWN
;
1905 result
= NT_STATUS_NONE_MAPPED
;
1908 result
= have_unmapped
? STATUS_SOME_UNMAPPED
: NT_STATUS_OK
;
1913 static int pdb_search_destructor(struct pdb_search
*search
)
1915 if ((!search
->search_ended
) && (search
->search_end
!= NULL
)) {
1916 search
->search_end(search
);
1921 struct pdb_search
*pdb_search_init(TALLOC_CTX
*mem_ctx
,
1922 enum pdb_search_type type
)
1924 struct pdb_search
*result
;
1926 result
= talloc(mem_ctx
, struct pdb_search
);
1927 if (result
== NULL
) {
1928 DEBUG(0, ("talloc failed\n"));
1932 result
->type
= type
;
1933 result
->cache
= NULL
;
1934 result
->num_entries
= 0;
1935 result
->cache_size
= 0;
1936 result
->search_ended
= False
;
1937 result
->search_end
= NULL
;
1939 /* Segfault appropriately if not initialized */
1940 result
->next_entry
= NULL
;
1941 result
->search_end
= NULL
;
1943 talloc_set_destructor(result
, pdb_search_destructor
);
1948 static void fill_displayentry(TALLOC_CTX
*mem_ctx
, uint32_t rid
,
1949 uint16_t acct_flags
,
1950 const char *account_name
,
1951 const char *fullname
,
1952 const char *description
,
1953 struct samr_displayentry
*entry
)
1956 entry
->acct_flags
= acct_flags
;
1958 if (account_name
!= NULL
)
1959 entry
->account_name
= talloc_strdup(mem_ctx
, account_name
);
1961 entry
->account_name
= "";
1963 if (fullname
!= NULL
)
1964 entry
->fullname
= talloc_strdup(mem_ctx
, fullname
);
1966 entry
->fullname
= "";
1968 if (description
!= NULL
)
1969 entry
->description
= talloc_strdup(mem_ctx
, description
);
1971 entry
->description
= "";
1974 struct group_search
{
1976 size_t num_groups
, current_group
;
1979 static bool next_entry_groups(struct pdb_search
*s
,
1980 struct samr_displayentry
*entry
)
1982 struct group_search
*state
= (struct group_search
*)s
->private_data
;
1986 if (state
->current_group
== state
->num_groups
)
1989 map
= state
->groups
[state
->current_group
];
1991 sid_peek_rid(&map
->sid
, &rid
);
1993 fill_displayentry(s
, rid
, 0, map
->nt_name
, NULL
, map
->comment
, entry
);
1995 state
->current_group
+= 1;
1999 static void search_end_groups(struct pdb_search
*search
)
2001 struct group_search
*state
=
2002 (struct group_search
*)search
->private_data
;
2003 TALLOC_FREE(state
->groups
);
2006 static bool pdb_search_grouptype(struct pdb_methods
*methods
,
2007 struct pdb_search
*search
,
2008 const struct dom_sid
*sid
, enum lsa_SidType type
)
2010 struct group_search
*state
;
2012 state
= talloc_zero(search
, struct group_search
);
2013 if (state
== NULL
) {
2014 DEBUG(0, ("talloc failed\n"));
2018 if (!NT_STATUS_IS_OK(methods
->enum_group_mapping(methods
, sid
, type
,
2019 &state
->groups
, &state
->num_groups
,
2021 DEBUG(0, ("Could not enum groups\n"));
2025 state
->current_group
= 0;
2026 search
->private_data
= state
;
2027 search
->next_entry
= next_entry_groups
;
2028 search
->search_end
= search_end_groups
;
2032 static bool pdb_default_search_groups(struct pdb_methods
*methods
,
2033 struct pdb_search
*search
)
2035 return pdb_search_grouptype(methods
, search
, get_global_sam_sid(), SID_NAME_DOM_GRP
);
2038 static bool pdb_default_search_aliases(struct pdb_methods
*methods
,
2039 struct pdb_search
*search
,
2040 const struct dom_sid
*sid
)
2043 return pdb_search_grouptype(methods
, search
, sid
, SID_NAME_ALIAS
);
2046 static struct samr_displayentry
*pdb_search_getentry(struct pdb_search
*search
,
2049 if (idx
< search
->num_entries
)
2050 return &search
->cache
[idx
];
2052 if (search
->search_ended
)
2055 while (idx
>= search
->num_entries
) {
2056 struct samr_displayentry entry
;
2058 if (!search
->next_entry(search
, &entry
)) {
2059 search
->search_end(search
);
2060 search
->search_ended
= True
;
2064 ADD_TO_LARGE_ARRAY(search
, struct samr_displayentry
,
2065 entry
, &search
->cache
, &search
->num_entries
,
2066 &search
->cache_size
);
2069 return (search
->num_entries
> idx
) ? &search
->cache
[idx
] : NULL
;
2072 struct pdb_search
*pdb_search_users(TALLOC_CTX
*mem_ctx
, uint32_t acct_flags
)
2074 struct pdb_methods
*pdb
= pdb_get_methods();
2075 struct pdb_search
*result
;
2077 result
= pdb_search_init(mem_ctx
, PDB_USER_SEARCH
);
2078 if (result
== NULL
) {
2082 if (!pdb
->search_users(pdb
, result
, acct_flags
)) {
2083 TALLOC_FREE(result
);
2089 struct pdb_search
*pdb_search_groups(TALLOC_CTX
*mem_ctx
)
2091 struct pdb_methods
*pdb
= pdb_get_methods();
2092 struct pdb_search
*result
;
2094 result
= pdb_search_init(mem_ctx
, PDB_GROUP_SEARCH
);
2095 if (result
== NULL
) {
2099 if (!pdb
->search_groups(pdb
, result
)) {
2100 TALLOC_FREE(result
);
2106 struct pdb_search
*pdb_search_aliases(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*sid
)
2108 struct pdb_methods
*pdb
= pdb_get_methods();
2109 struct pdb_search
*result
;
2111 if (pdb
== NULL
) return NULL
;
2113 result
= pdb_search_init(mem_ctx
, PDB_ALIAS_SEARCH
);
2114 if (result
== NULL
) {
2118 if (!pdb
->search_aliases(pdb
, result
, sid
)) {
2119 TALLOC_FREE(result
);
2125 uint32_t pdb_search_entries(struct pdb_search
*search
,
2126 uint32_t start_idx
, uint32_t max_entries
,
2127 struct samr_displayentry
**result
)
2129 struct samr_displayentry
*end_entry
;
2130 uint32_t end_idx
= start_idx
+max_entries
-1;
2132 /* The first entry needs to be searched after the last. Otherwise the
2133 * first entry might have moved due to a realloc during the search for
2134 * the last entry. */
2136 end_entry
= pdb_search_getentry(search
, end_idx
);
2137 *result
= pdb_search_getentry(search
, start_idx
);
2139 if (end_entry
!= NULL
)
2142 if (start_idx
>= search
->num_entries
)
2145 return search
->num_entries
- start_idx
;
2148 /*******************************************************************
2150 *******************************************************************/
2152 bool pdb_get_trusteddom_pw(const char *domain
, char** pwd
, struct dom_sid
*sid
,
2153 time_t *pass_last_set_time
)
2155 struct pdb_methods
*pdb
= pdb_get_methods();
2156 return pdb
->get_trusteddom_pw(pdb
, domain
, pwd
, sid
,
2157 pass_last_set_time
);
2160 NTSTATUS
pdb_get_trusteddom_creds(const char *domain
, TALLOC_CTX
*mem_ctx
,
2161 struct cli_credentials
**creds
)
2163 struct pdb_methods
*pdb
= pdb_get_methods();
2164 return pdb
->get_trusteddom_creds(pdb
, domain
, mem_ctx
, creds
);
2167 bool pdb_set_trusteddom_pw(const char* domain
, const char* pwd
,
2168 const struct dom_sid
*sid
)
2170 struct pdb_methods
*pdb
= pdb_get_methods();
2171 return pdb
->set_trusteddom_pw(pdb
, domain
, pwd
, sid
);
2174 bool pdb_del_trusteddom_pw(const char *domain
)
2176 struct pdb_methods
*pdb
= pdb_get_methods();
2177 return pdb
->del_trusteddom_pw(pdb
, domain
);
2180 NTSTATUS
pdb_enum_trusteddoms(TALLOC_CTX
*mem_ctx
, uint32_t *num_domains
,
2181 struct trustdom_info
***domains
)
2183 struct pdb_methods
*pdb
= pdb_get_methods();
2184 return pdb
->enum_trusteddoms(pdb
, mem_ctx
, num_domains
, domains
);
2187 /*******************************************************************
2188 the defaults for trustdom methods:
2189 these simply call the original passdb/secrets.c actions,
2190 to be replaced by pdb_ldap.
2191 *******************************************************************/
2193 static bool pdb_default_get_trusteddom_pw(struct pdb_methods
*methods
,
2196 struct dom_sid
*sid
,
2197 time_t *pass_last_set_time
)
2199 return secrets_fetch_trusted_domain_password(domain
, pwd
,
2200 sid
, pass_last_set_time
);
2204 static NTSTATUS
pdb_default_get_trusteddom_creds(struct pdb_methods
*methods
,
2206 TALLOC_CTX
*mem_ctx
,
2207 struct cli_credentials
**creds
)
2210 return NT_STATUS_NOT_IMPLEMENTED
;
2213 static bool pdb_default_set_trusteddom_pw(struct pdb_methods
*methods
,
2216 const struct dom_sid
*sid
)
2218 return secrets_store_trusted_domain_password(domain
, pwd
, sid
);
2221 static bool pdb_default_del_trusteddom_pw(struct pdb_methods
*methods
,
2224 return trusted_domain_password_delete(domain
);
2227 static NTSTATUS
pdb_default_enum_trusteddoms(struct pdb_methods
*methods
,
2228 TALLOC_CTX
*mem_ctx
,
2229 uint32_t *num_domains
,
2230 struct trustdom_info
***domains
)
2232 return secrets_trusted_domains(mem_ctx
, num_domains
, domains
);
2235 /*******************************************************************
2236 trusted_domain methods
2237 *******************************************************************/
2239 NTSTATUS
pdb_get_trusted_domain(TALLOC_CTX
*mem_ctx
, const char *domain
,
2240 struct pdb_trusted_domain
**td
)
2242 struct pdb_methods
*pdb
= pdb_get_methods();
2243 return pdb
->get_trusted_domain(pdb
, mem_ctx
, domain
, td
);
2246 NTSTATUS
pdb_get_trusted_domain_by_sid(TALLOC_CTX
*mem_ctx
, struct dom_sid
*sid
,
2247 struct pdb_trusted_domain
**td
)
2249 struct pdb_methods
*pdb
= pdb_get_methods();
2250 return pdb
->get_trusted_domain_by_sid(pdb
, mem_ctx
, sid
, td
);
2253 NTSTATUS
pdb_set_trusted_domain(const char* domain
,
2254 const struct pdb_trusted_domain
*td
)
2256 struct pdb_methods
*pdb
= pdb_get_methods();
2257 return pdb
->set_trusted_domain(pdb
, domain
, td
);
2260 NTSTATUS
pdb_del_trusted_domain(const char *domain
)
2262 struct pdb_methods
*pdb
= pdb_get_methods();
2263 return pdb
->del_trusted_domain(pdb
, domain
);
2266 NTSTATUS
pdb_enum_trusted_domains(TALLOC_CTX
*mem_ctx
, uint32_t *num_domains
,
2267 struct pdb_trusted_domain
***domains
)
2269 struct pdb_methods
*pdb
= pdb_get_methods();
2270 return pdb
->enum_trusted_domains(pdb
, mem_ctx
, num_domains
, domains
);
2273 static NTSTATUS
pdb_default_get_trusted_domain(struct pdb_methods
*methods
,
2274 TALLOC_CTX
*mem_ctx
,
2276 struct pdb_trusted_domain
**td
)
2278 struct trustAuthInOutBlob taiob
;
2279 struct AuthenticationInformation aia
;
2280 struct pdb_trusted_domain
*tdom
;
2281 enum ndr_err_code ndr_err
;
2282 time_t last_set_time
;
2286 tdom
= talloc(mem_ctx
, struct pdb_trusted_domain
);
2288 return NT_STATUS_NO_MEMORY
;
2291 tdom
->domain_name
= talloc_strdup(tdom
, domain
);
2292 tdom
->netbios_name
= talloc_strdup(tdom
, domain
);
2293 if (!tdom
->domain_name
|| !tdom
->netbios_name
) {
2295 return NT_STATUS_NO_MEMORY
;
2298 tdom
->trust_auth_incoming
= data_blob_null
;
2300 ok
= pdb_get_trusteddom_pw(domain
, &pwd
, &tdom
->security_identifier
,
2304 return NT_STATUS_UNSUCCESSFUL
;
2310 taiob
.current
.count
= 1;
2311 taiob
.current
.array
= &aia
;
2312 unix_to_nt_time(&aia
.LastUpdateTime
, last_set_time
);
2314 aia
.AuthType
= TRUST_AUTH_TYPE_CLEAR
;
2315 aia
.AuthInfo
.clear
.size
= strlen(pwd
);
2316 aia
.AuthInfo
.clear
.password
= (uint8_t *)talloc_memdup(tdom
, pwd
,
2317 aia
.AuthInfo
.clear
.size
);
2319 if (aia
.AuthInfo
.clear
.password
== NULL
) {
2321 return NT_STATUS_NO_MEMORY
;
2324 taiob
.previous
.count
= 0;
2325 taiob
.previous
.array
= NULL
;
2327 ndr_err
= ndr_push_struct_blob(&tdom
->trust_auth_outgoing
,
2329 (ndr_push_flags_fn_t
)ndr_push_trustAuthInOutBlob
);
2330 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
2332 return NT_STATUS_UNSUCCESSFUL
;
2335 tdom
->trust_direction
= LSA_TRUST_DIRECTION_OUTBOUND
;
2336 tdom
->trust_type
= LSA_TRUST_TYPE_DOWNLEVEL
;
2337 tdom
->trust_attributes
= 0;
2338 tdom
->trust_forest_trust_info
= data_blob_null
;
2341 return NT_STATUS_OK
;
2344 static NTSTATUS
pdb_default_get_trusted_domain_by_sid(struct pdb_methods
*methods
,
2345 TALLOC_CTX
*mem_ctx
,
2346 struct dom_sid
*sid
,
2347 struct pdb_trusted_domain
**td
)
2349 return NT_STATUS_NOT_IMPLEMENTED
;
2352 #define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
2354 static NTSTATUS
pdb_default_set_trusted_domain(struct pdb_methods
*methods
,
2356 const struct pdb_trusted_domain
*td
)
2358 struct trustAuthInOutBlob taiob
;
2359 struct AuthenticationInformation
*aia
;
2360 enum ndr_err_code ndr_err
;
2364 if (td
->trust_attributes
!= 0 ||
2365 td
->trust_type
!= LSA_TRUST_TYPE_DOWNLEVEL
||
2366 td
->trust_direction
!= LSA_TRUST_DIRECTION_OUTBOUND
||
2367 !IS_NULL_DATA_BLOB(td
->trust_auth_incoming
) ||
2368 !IS_NULL_DATA_BLOB(td
->trust_forest_trust_info
)) {
2369 return NT_STATUS_NOT_IMPLEMENTED
;
2373 ndr_err
= ndr_pull_struct_blob(&td
->trust_auth_outgoing
, talloc_tos(),
2375 (ndr_pull_flags_fn_t
)ndr_pull_trustAuthInOutBlob
);
2376 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
2377 return NT_STATUS_UNSUCCESSFUL
;
2380 aia
= (struct AuthenticationInformation
*) taiob
.current
.array
;
2382 if (taiob
.count
!= 1 || taiob
.current
.count
!= 1 ||
2383 taiob
.previous
.count
!= 0 ||
2384 aia
->AuthType
!= TRUST_AUTH_TYPE_CLEAR
) {
2385 return NT_STATUS_NOT_IMPLEMENTED
;
2388 pwd
= talloc_strndup(talloc_tos(), (char *) aia
->AuthInfo
.clear
.password
,
2389 aia
->AuthInfo
.clear
.size
);
2391 return NT_STATUS_NO_MEMORY
;
2394 ok
= pdb_set_trusteddom_pw(domain
, pwd
, &td
->security_identifier
);
2396 return NT_STATUS_UNSUCCESSFUL
;
2399 return NT_STATUS_OK
;
2402 static NTSTATUS
pdb_default_del_trusted_domain(struct pdb_methods
*methods
,
2405 return NT_STATUS_NOT_IMPLEMENTED
;
2408 static NTSTATUS
pdb_default_enum_trusted_domains(struct pdb_methods
*methods
,
2409 TALLOC_CTX
*mem_ctx
,
2410 uint32_t *num_domains
,
2411 struct pdb_trusted_domain
***domains
)
2413 return NT_STATUS_NOT_IMPLEMENTED
;
2416 static struct pdb_domain_info
*pdb_default_get_domain_info(
2417 struct pdb_methods
*m
, TALLOC_CTX
*mem_ctx
)
2422 /*****************************************************************
2424 *****************************************************************/
2425 static NTSTATUS
pdb_default_enum_upn_suffixes(struct pdb_methods
*pdb
,
2426 TALLOC_CTX
*mem_ctx
,
2427 uint32_t *num_suffixes
,
2430 return NT_STATUS_NOT_IMPLEMENTED
;
2433 static NTSTATUS
pdb_default_set_upn_suffixes(struct pdb_methods
*pdb
,
2434 uint32_t num_suffixes
,
2435 const char **suffixes
)
2437 return NT_STATUS_NOT_IMPLEMENTED
;
2440 NTSTATUS
pdb_enum_upn_suffixes(TALLOC_CTX
*mem_ctx
,
2441 uint32_t *num_suffixes
,
2444 struct pdb_methods
*pdb
= pdb_get_methods();
2445 return pdb
->enum_upn_suffixes(pdb
, mem_ctx
, num_suffixes
, suffixes
);
2448 NTSTATUS
pdb_set_upn_suffixes(uint32_t num_suffixes
,
2449 const char **suffixes
)
2451 struct pdb_methods
*pdb
= pdb_get_methods();
2452 return pdb
->set_upn_suffixes(pdb
, num_suffixes
, suffixes
);
2455 /*******************************************************************
2456 idmap control methods
2457 *******************************************************************/
2458 static bool pdb_default_is_responsible_for_our_sam(
2459 struct pdb_methods
*methods
)
2464 static bool pdb_default_is_responsible_for_builtin(
2465 struct pdb_methods
*methods
)
2470 static bool pdb_default_is_responsible_for_wellknown(
2471 struct pdb_methods
*methods
)
2476 static bool pdb_default_is_responsible_for_unix_users(
2477 struct pdb_methods
*methods
)
2482 static bool pdb_default_is_responsible_for_unix_groups(
2483 struct pdb_methods
*methods
)
2488 static bool pdb_default_is_responsible_for_everything_else(
2489 struct pdb_methods
*methods
)
2494 bool pdb_is_responsible_for_our_sam(void)
2496 struct pdb_methods
*pdb
= pdb_get_methods();
2497 return pdb
->is_responsible_for_our_sam(pdb
);
2500 bool pdb_is_responsible_for_builtin(void)
2502 struct pdb_methods
*pdb
= pdb_get_methods();
2503 return pdb
->is_responsible_for_builtin(pdb
);
2506 bool pdb_is_responsible_for_wellknown(void)
2508 struct pdb_methods
*pdb
= pdb_get_methods();
2509 return pdb
->is_responsible_for_wellknown(pdb
);
2512 bool pdb_is_responsible_for_unix_users(void)
2514 struct pdb_methods
*pdb
= pdb_get_methods();
2515 return pdb
->is_responsible_for_unix_users(pdb
);
2518 bool pdb_is_responsible_for_unix_groups(void)
2520 struct pdb_methods
*pdb
= pdb_get_methods();
2521 return pdb
->is_responsible_for_unix_groups(pdb
);
2524 bool pdb_is_responsible_for_everything_else(void)
2526 struct pdb_methods
*pdb
= pdb_get_methods();
2527 return pdb
->is_responsible_for_everything_else(pdb
);
2530 /*******************************************************************
2532 *******************************************************************/
2534 NTSTATUS
pdb_get_secret(TALLOC_CTX
*mem_ctx
,
2535 const char *secret_name
,
2536 DATA_BLOB
*secret_current
,
2537 NTTIME
*secret_current_lastchange
,
2538 DATA_BLOB
*secret_old
,
2539 NTTIME
*secret_old_lastchange
,
2540 struct security_descriptor
**sd
)
2542 struct pdb_methods
*pdb
= pdb_get_methods();
2543 return pdb
->get_secret(pdb
, mem_ctx
, secret_name
,
2544 secret_current
, secret_current_lastchange
,
2545 secret_old
, secret_old_lastchange
,
2549 NTSTATUS
pdb_set_secret(const char *secret_name
,
2550 DATA_BLOB
*secret_current
,
2551 DATA_BLOB
*secret_old
,
2552 struct security_descriptor
*sd
)
2554 struct pdb_methods
*pdb
= pdb_get_methods();
2555 return pdb
->set_secret(pdb
, secret_name
,
2561 NTSTATUS
pdb_delete_secret(const char *secret_name
)
2563 struct pdb_methods
*pdb
= pdb_get_methods();
2564 return pdb
->delete_secret(pdb
, secret_name
);
2567 static NTSTATUS
pdb_default_get_secret(struct pdb_methods
*methods
,
2568 TALLOC_CTX
*mem_ctx
,
2569 const char *secret_name
,
2570 DATA_BLOB
*secret_current
,
2571 NTTIME
*secret_current_lastchange
,
2572 DATA_BLOB
*secret_old
,
2573 NTTIME
*secret_old_lastchange
,
2574 struct security_descriptor
**sd
)
2576 return lsa_secret_get(mem_ctx
, secret_name
,
2578 secret_current_lastchange
,
2580 secret_old_lastchange
,
2584 static NTSTATUS
pdb_default_set_secret(struct pdb_methods
*methods
,
2585 const char *secret_name
,
2586 DATA_BLOB
*secret_current
,
2587 DATA_BLOB
*secret_old
,
2588 struct security_descriptor
*sd
)
2590 return lsa_secret_set(secret_name
,
2596 static NTSTATUS
pdb_default_delete_secret(struct pdb_methods
*methods
,
2597 const char *secret_name
)
2599 return lsa_secret_delete(secret_name
);
2602 /*******************************************************************
2603 Create a pdb_methods structure and initialize it with the default
2604 operations. In this way a passdb module can simply implement
2605 the functionality it cares about. However, normally this is done
2606 in groups of related functions.
2607 *******************************************************************/
2609 NTSTATUS
make_pdb_method( struct pdb_methods
**methods
)
2611 /* allocate memory for the structure as its own talloc CTX */
2613 *methods
= talloc_zero(NULL
, struct pdb_methods
);
2614 if (*methods
== NULL
) {
2615 return NT_STATUS_NO_MEMORY
;
2618 (*methods
)->get_domain_info
= pdb_default_get_domain_info
;
2619 (*methods
)->getsampwnam
= pdb_default_getsampwnam
;
2620 (*methods
)->getsampwsid
= pdb_default_getsampwsid
;
2621 (*methods
)->create_user
= pdb_default_create_user
;
2622 (*methods
)->delete_user
= pdb_default_delete_user
;
2623 (*methods
)->add_sam_account
= pdb_default_add_sam_account
;
2624 (*methods
)->update_sam_account
= pdb_default_update_sam_account
;
2625 (*methods
)->delete_sam_account
= pdb_default_delete_sam_account
;
2626 (*methods
)->rename_sam_account
= pdb_default_rename_sam_account
;
2627 (*methods
)->update_login_attempts
= pdb_default_update_login_attempts
;
2629 (*methods
)->getgrsid
= pdb_default_getgrsid
;
2630 (*methods
)->getgrgid
= pdb_default_getgrgid
;
2631 (*methods
)->getgrnam
= pdb_default_getgrnam
;
2632 (*methods
)->create_dom_group
= pdb_default_create_dom_group
;
2633 (*methods
)->delete_dom_group
= pdb_default_delete_dom_group
;
2634 (*methods
)->add_group_mapping_entry
= pdb_default_add_group_mapping_entry
;
2635 (*methods
)->update_group_mapping_entry
= pdb_default_update_group_mapping_entry
;
2636 (*methods
)->delete_group_mapping_entry
= pdb_default_delete_group_mapping_entry
;
2637 (*methods
)->enum_group_mapping
= pdb_default_enum_group_mapping
;
2638 (*methods
)->enum_group_members
= pdb_default_enum_group_members
;
2639 (*methods
)->enum_group_memberships
= pdb_default_enum_group_memberships
;
2640 (*methods
)->set_unix_primary_group
= pdb_default_set_unix_primary_group
;
2641 (*methods
)->add_groupmem
= pdb_default_add_groupmem
;
2642 (*methods
)->del_groupmem
= pdb_default_del_groupmem
;
2643 (*methods
)->create_alias
= pdb_default_create_alias
;
2644 (*methods
)->delete_alias
= pdb_default_delete_alias
;
2645 (*methods
)->get_aliasinfo
= pdb_default_get_aliasinfo
;
2646 (*methods
)->set_aliasinfo
= pdb_default_set_aliasinfo
;
2647 (*methods
)->add_aliasmem
= pdb_default_add_aliasmem
;
2648 (*methods
)->del_aliasmem
= pdb_default_del_aliasmem
;
2649 (*methods
)->enum_aliasmem
= pdb_default_enum_aliasmem
;
2650 (*methods
)->enum_alias_memberships
= pdb_default_alias_memberships
;
2651 (*methods
)->lookup_rids
= pdb_default_lookup_rids
;
2652 (*methods
)->get_account_policy
= pdb_default_get_account_policy
;
2653 (*methods
)->set_account_policy
= pdb_default_set_account_policy
;
2654 (*methods
)->get_seq_num
= pdb_default_get_seq_num
;
2655 (*methods
)->id_to_sid
= pdb_default_id_to_sid
;
2656 (*methods
)->sid_to_id
= pdb_default_sid_to_id
;
2658 (*methods
)->search_groups
= pdb_default_search_groups
;
2659 (*methods
)->search_aliases
= pdb_default_search_aliases
;
2661 (*methods
)->get_trusteddom_pw
= pdb_default_get_trusteddom_pw
;
2662 (*methods
)->get_trusteddom_creds
= pdb_default_get_trusteddom_creds
;
2663 (*methods
)->set_trusteddom_pw
= pdb_default_set_trusteddom_pw
;
2664 (*methods
)->del_trusteddom_pw
= pdb_default_del_trusteddom_pw
;
2665 (*methods
)->enum_trusteddoms
= pdb_default_enum_trusteddoms
;
2667 (*methods
)->get_trusted_domain
= pdb_default_get_trusted_domain
;
2668 (*methods
)->get_trusted_domain_by_sid
= pdb_default_get_trusted_domain_by_sid
;
2669 (*methods
)->set_trusted_domain
= pdb_default_set_trusted_domain
;
2670 (*methods
)->del_trusted_domain
= pdb_default_del_trusted_domain
;
2671 (*methods
)->enum_trusted_domains
= pdb_default_enum_trusted_domains
;
2673 (*methods
)->get_secret
= pdb_default_get_secret
;
2674 (*methods
)->set_secret
= pdb_default_set_secret
;
2675 (*methods
)->delete_secret
= pdb_default_delete_secret
;
2677 (*methods
)->enum_upn_suffixes
= pdb_default_enum_upn_suffixes
;
2678 (*methods
)->set_upn_suffixes
= pdb_default_set_upn_suffixes
;
2680 (*methods
)->is_responsible_for_our_sam
=
2681 pdb_default_is_responsible_for_our_sam
;
2682 (*methods
)->is_responsible_for_builtin
=
2683 pdb_default_is_responsible_for_builtin
;
2684 (*methods
)->is_responsible_for_wellknown
=
2685 pdb_default_is_responsible_for_wellknown
;
2686 (*methods
)->is_responsible_for_unix_users
=
2687 pdb_default_is_responsible_for_unix_users
;
2688 (*methods
)->is_responsible_for_unix_groups
=
2689 pdb_default_is_responsible_for_unix_groups
;
2690 (*methods
)->is_responsible_for_everything_else
=
2691 pdb_default_is_responsible_for_everything_else
;
2693 return NT_STATUS_OK
;