2 Unix SMB/CIFS implementation.
3 Copyright (C) Andrew Tridgell 1992-2001
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Rafal Szczesniak 2002
6 Copyright (C) Tim Potter 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 /* the Samba secrets database stores any generated, private information
24 such as the local SID and machine trust password */
29 #define DBGC_CLASS DBGC_PASSDB
31 static TDB_CONTEXT
*tdb
;
33 /* Urrrg. global.... */
34 BOOL global_machine_password_needs_changing
;
37 * Use a TDB to store an incrementing random seed.
39 * Initialised to the current pid, the very first time Samba starts,
40 * and incremented by one each time it is needed.
42 * @note Not called by systems with a working /dev/urandom.
44 static void get_rand_seed(int *new_seed
)
46 *new_seed
= sys_getpid();
48 tdb_change_int32_atomic(tdb
, "INFO/random_seed", new_seed
, 1);
52 /* open up the secrets database */
53 BOOL
secrets_init(void)
61 pstrcpy(fname
, lp_private_dir());
62 pstrcat(fname
,"/secrets.tdb");
64 tdb
= tdb_open_log(fname
, 0, TDB_DEFAULT
, O_RDWR
|O_CREAT
, 0600);
67 DEBUG(0,("Failed to open %s\n", fname
));
72 * Set a reseed function for the crypto random generator
74 * This avoids a problem where systems without /dev/urandom
75 * could send the same challenge to multiple clients
77 set_rand_reseed_callback(get_rand_seed
);
79 /* Ensure that the reseed is done now, while we are root, etc */
80 generate_random_buffer(&dummy
, sizeof(dummy
));
85 /* read a entry from the secrets database - the caller must free the result
86 if size is non-null then the size of the entry is put in there
88 void *secrets_fetch(const char *key
, size_t *size
)
94 dbuf
= tdb_fetch(tdb
, string_tdb_data(key
));
100 /* store a secrets entry
102 BOOL
secrets_store(const char *key
, const void *data
, size_t size
)
107 return tdb_trans_store(tdb
, string_tdb_data(key
),
108 make_tdb_data((const char *)data
, size
),
113 /* delete a secets database entry
115 BOOL
secrets_delete(const char *key
)
120 return tdb_delete(tdb
, string_tdb_data(key
)) == 0;
123 BOOL
secrets_store_domain_sid(const char *domain
, const DOM_SID
*sid
)
128 slprintf(key
, sizeof(key
)-1, "%s/%s", SECRETS_DOMAIN_SID
, domain
);
130 ret
= secrets_store(key
, sid
, sizeof(DOM_SID
));
132 /* Force a re-query, in case we modified our domain */
134 reset_global_sam_sid();
138 BOOL
secrets_fetch_domain_sid(const char *domain
, DOM_SID
*sid
)
144 slprintf(key
, sizeof(key
)-1, "%s/%s", SECRETS_DOMAIN_SID
, domain
);
146 dyn_sid
= (DOM_SID
*)secrets_fetch(key
, &size
);
151 if (size
!= sizeof(DOM_SID
)) {
161 BOOL
secrets_store_domain_guid(const char *domain
, struct GUID
*guid
)
165 slprintf(key
, sizeof(key
)-1, "%s/%s", SECRETS_DOMAIN_GUID
, domain
);
167 return secrets_store(key
, guid
, sizeof(struct GUID
));
170 BOOL
secrets_fetch_domain_guid(const char *domain
, struct GUID
*guid
)
172 struct GUID
*dyn_guid
;
175 struct GUID new_guid
;
177 slprintf(key
, sizeof(key
)-1, "%s/%s", SECRETS_DOMAIN_GUID
, domain
);
179 dyn_guid
= (struct GUID
*)secrets_fetch(key
, &size
);
182 if (lp_server_role() == ROLE_DOMAIN_PDC
) {
183 smb_uuid_generate_random(&new_guid
);
184 if (!secrets_store_domain_guid(domain
, &new_guid
))
186 dyn_guid
= (struct GUID
*)secrets_fetch(key
, &size
);
188 if (dyn_guid
== NULL
) {
193 if (size
!= sizeof(struct GUID
)) {
194 DEBUG(1,("UUID size %d is wrong!\n", (int)size
));
205 * Form a key for fetching the machine trust account password
207 * @param domain domain name
209 * @return stored password's key
211 static const char *trust_keystr(const char *domain
)
213 static fstring keystr
;
215 slprintf(keystr
,sizeof(keystr
)-1,"%s/%s",
216 SECRETS_MACHINE_ACCT_PASS
, domain
);
223 * Form a key for fetching a trusted domain password
225 * @param domain trusted domain name
227 * @return stored password's key
229 static char *trustdom_keystr(const char *domain
)
231 static pstring keystr
;
233 pstr_sprintf(keystr
, "%s/%s", SECRETS_DOMTRUST_ACCT_PASS
, domain
);
239 /************************************************************************
240 Lock the trust password entry.
241 ************************************************************************/
243 BOOL
secrets_lock_trust_account_password(const char *domain
, BOOL dolock
)
249 return (tdb_lock_bystring(tdb
, trust_keystr(domain
)) == 0);
251 tdb_unlock_bystring(tdb
, trust_keystr(domain
));
255 /************************************************************************
256 Routine to get the default secure channel type for trust accounts
257 ************************************************************************/
259 uint32
get_default_sec_channel(void)
261 if (lp_server_role() == ROLE_DOMAIN_BDC
||
262 lp_server_role() == ROLE_DOMAIN_PDC
) {
265 return SEC_CHAN_WKSTA
;
269 /************************************************************************
270 Routine to get the trust account password for a domain.
271 The user of this function must have locked the trust password file using
272 the above secrets_lock_trust_account_password().
273 ************************************************************************/
275 BOOL
secrets_fetch_trust_account_password(const char *domain
, uint8 ret_pwd
[16],
276 time_t *pass_last_set_time
,
279 struct machine_acct_pass
*pass
;
283 plaintext
= secrets_fetch_machine_password(domain
, pass_last_set_time
,
286 DEBUG(4,("Using cleartext machine password\n"));
287 E_md4hash(plaintext
, ret_pwd
);
288 SAFE_FREE(plaintext
);
292 if (!(pass
= (struct machine_acct_pass
*)secrets_fetch(
293 trust_keystr(domain
), &size
))) {
294 DEBUG(5, ("secrets_fetch failed!\n"));
298 if (size
!= sizeof(*pass
)) {
299 DEBUG(0, ("secrets were of incorrect size!\n"));
303 if (pass_last_set_time
) {
304 *pass_last_set_time
= pass
->mod_time
;
306 memcpy(ret_pwd
, pass
->hash
, 16);
309 *channel
= get_default_sec_channel();
312 /* Test if machine password has expired and needs to be changed */
313 if (lp_machine_password_timeout()) {
314 if (pass
->mod_time
> 0 && time(NULL
) > (pass
->mod_time
+
315 (time_t)lp_machine_password_timeout())) {
316 global_machine_password_needs_changing
= True
;
325 * Pack SID passed by pointer
327 * @param pack_buf pointer to buffer which is to be filled with packed data
328 * @param bufsize size of packing buffer
329 * @param sid pointer to sid to be packed
331 * @return length of the packed representation of the whole structure
333 static size_t tdb_sid_pack(char* pack_buf
, int bufsize
, DOM_SID
* sid
)
338 if (!sid
|| !pack_buf
) return -1;
340 len
+= tdb_pack(pack_buf
+ len
, bufsize
- len
, "bb", sid
->sid_rev_num
,
343 for (idx
= 0; idx
< 6; idx
++) {
344 len
+= tdb_pack(pack_buf
+ len
, bufsize
- len
, "b",
348 for (idx
= 0; idx
< MAXSUBAUTHS
; idx
++) {
349 len
+= tdb_pack(pack_buf
+ len
, bufsize
- len
, "d",
350 sid
->sub_auths
[idx
]);
357 * Unpack SID into a pointer
359 * @param pack_buf pointer to buffer with packed representation
360 * @param bufsize size of the buffer
361 * @param sid pointer to sid structure to be filled with unpacked data
363 * @return size of structure unpacked from buffer
365 static size_t tdb_sid_unpack(char* pack_buf
, int bufsize
, DOM_SID
* sid
)
369 if (!sid
|| !pack_buf
) return -1;
371 len
+= tdb_unpack(pack_buf
+ len
, bufsize
- len
, "bb",
372 &sid
->sid_rev_num
, &sid
->num_auths
);
374 for (idx
= 0; idx
< 6; idx
++) {
375 len
+= tdb_unpack(pack_buf
+ len
, bufsize
- len
, "b",
379 for (idx
= 0; idx
< MAXSUBAUTHS
; idx
++) {
380 len
+= tdb_unpack(pack_buf
+ len
, bufsize
- len
, "d",
381 &sid
->sub_auths
[idx
]);
388 * Pack TRUSTED_DOM_PASS passed by pointer
390 * @param pack_buf pointer to buffer which is to be filled with packed data
391 * @param bufsize size of the buffer
392 * @param pass pointer to trusted domain password to be packed
394 * @return length of the packed representation of the whole structure
396 static size_t tdb_trusted_dom_pass_pack(char* pack_buf
, int bufsize
,
397 TRUSTED_DOM_PASS
* pass
)
401 if (!pack_buf
|| !pass
) return -1;
403 /* packing unicode domain name and password */
404 len
+= tdb_pack(pack_buf
+ len
, bufsize
- len
, "d",
407 for (idx
= 0; idx
< 32; idx
++)
408 len
+= tdb_pack(pack_buf
+ len
, bufsize
- len
, "w",
409 pass
->uni_name
[idx
]);
411 len
+= tdb_pack(pack_buf
+ len
, bufsize
- len
, "dPd", pass
->pass_len
,
412 pass
->pass
, pass
->mod_time
);
414 /* packing SID structure */
415 len
+= tdb_sid_pack(pack_buf
+ len
, bufsize
- len
, &pass
->domain_sid
);
422 * Unpack TRUSTED_DOM_PASS passed by pointer
424 * @param pack_buf pointer to buffer with packed representation
425 * @param bufsize size of the buffer
426 * @param pass pointer to trusted domain password to be filled with unpacked data
428 * @return size of structure unpacked from buffer
430 static size_t tdb_trusted_dom_pass_unpack(char* pack_buf
, int bufsize
,
431 TRUSTED_DOM_PASS
* pass
)
435 if (!pack_buf
|| !pass
) return -1;
437 /* unpack unicode domain name and plaintext password */
438 len
+= tdb_unpack(pack_buf
, bufsize
- len
, "d", &pass
->uni_name_len
);
440 for (idx
= 0; idx
< 32; idx
++)
441 len
+= tdb_unpack(pack_buf
+ len
, bufsize
- len
, "w",
442 &pass
->uni_name
[idx
]);
444 len
+= tdb_unpack(pack_buf
+ len
, bufsize
- len
, "dPd",
445 &pass
->pass_len
, &pass
->pass
, &pass
->mod_time
);
447 /* unpack domain sid */
448 len
+= tdb_sid_unpack(pack_buf
+ len
, bufsize
- len
,
454 /************************************************************************
455 Routine to get account password to trusted domain
456 ************************************************************************/
458 BOOL
secrets_fetch_trusted_domain_password(const char *domain
, char** pwd
,
459 DOM_SID
*sid
, time_t *pass_last_set_time
)
461 struct trusted_dom_pass pass
;
464 /* unpacking structures */
470 /* fetching trusted domain password structure */
471 if (!(pass_buf
= (char *)secrets_fetch(trustdom_keystr(domain
),
473 DEBUG(5, ("secrets_fetch failed!\n"));
477 /* unpack trusted domain password */
478 pass_len
= tdb_trusted_dom_pass_unpack(pass_buf
, size
, &pass
);
481 if (pass_len
!= size
) {
482 DEBUG(5, ("Invalid secrets size. Unpacked data doesn't match trusted_dom_pass structure.\n"));
486 /* the trust's password */
488 *pwd
= SMB_STRDUP(pass
.pass
);
494 /* last change time */
495 if (pass_last_set_time
) *pass_last_set_time
= pass
.mod_time
;
498 if (sid
!= NULL
) sid_copy(sid
, &pass
.domain_sid
);
504 * Routine to store the password for trusted domain
506 * @param domain remote domain name
507 * @param pwd plain text password of trust relationship
508 * @param sid remote domain sid
510 * @return true if succeeded
513 BOOL
secrets_store_trusted_domain_password(const char* domain
, const char* pwd
,
516 smb_ucs2_t
*uni_dom_name
;
518 /* packing structures */
521 int pass_buf_len
= sizeof(pass_buf
);
523 struct trusted_dom_pass pass
;
526 if (push_ucs2_allocate(&uni_dom_name
, domain
) == (size_t)-1) {
527 DEBUG(0, ("Could not convert domain name %s to unicode\n",
532 strncpy_w(pass
.uni_name
, uni_dom_name
, sizeof(pass
.uni_name
) - 1);
533 pass
.uni_name_len
= strlen_w(uni_dom_name
)+1;
534 SAFE_FREE(uni_dom_name
);
536 /* last change time */
537 pass
.mod_time
= time(NULL
);
539 /* password of the trust */
540 pass
.pass_len
= strlen(pwd
);
541 fstrcpy(pass
.pass
, pwd
);
544 sid_copy(&pass
.domain_sid
, sid
);
546 pass_len
= tdb_trusted_dom_pass_pack(pass_buf
, pass_buf_len
, &pass
);
548 return secrets_store(trustdom_keystr(domain
), (void *)&pass_buf
, pass_len
);
551 /************************************************************************
552 Routine to set the plaintext machine account password for a realm
553 the password is assumed to be a null terminated ascii string
554 ************************************************************************/
556 BOOL
secrets_store_machine_password(const char *pass
, const char *domain
, uint32 sec_channel
)
560 uint32 last_change_time
;
561 uint32 sec_channel_type
;
563 asprintf(&key
, "%s/%s", SECRETS_MACHINE_PASSWORD
, domain
);
568 ret
= secrets_store(key
, pass
, strlen(pass
)+1);
574 asprintf(&key
, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME
, domain
);
579 SIVAL(&last_change_time
, 0, time(NULL
));
580 ret
= secrets_store(key
, &last_change_time
, sizeof(last_change_time
));
583 asprintf(&key
, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE
, domain
);
588 SIVAL(&sec_channel_type
, 0, sec_channel
);
589 ret
= secrets_store(key
, &sec_channel_type
, sizeof(sec_channel_type
));
595 /************************************************************************
596 Routine to fetch the plaintext machine account password for a realm
597 the password is assumed to be a null terminated ascii string.
598 ************************************************************************/
600 char *secrets_fetch_machine_password(const char *domain
,
601 time_t *pass_last_set_time
,
606 asprintf(&key
, "%s/%s", SECRETS_MACHINE_PASSWORD
, domain
);
608 ret
= (char *)secrets_fetch(key
, NULL
);
611 if (pass_last_set_time
) {
613 uint32
*last_set_time
;
614 asprintf(&key
, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME
, domain
);
616 last_set_time
= (unsigned int *)secrets_fetch(key
, &size
);
618 *pass_last_set_time
= IVAL(last_set_time
,0);
619 SAFE_FREE(last_set_time
);
621 *pass_last_set_time
= 0;
628 uint32
*channel_type
;
629 asprintf(&key
, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE
, domain
);
631 channel_type
= (unsigned int *)secrets_fetch(key
, &size
);
633 *channel
= IVAL(channel_type
,0);
634 SAFE_FREE(channel_type
);
636 *channel
= get_default_sec_channel();
644 /*******************************************************************
645 Wrapper around retrieving the trust account password
646 *******************************************************************/
648 BOOL
get_trust_pw(const char *domain
, uint8 ret_pwd
[16], uint32
*channel
)
652 time_t last_set_time
;
654 /* if we are a DC and this is not our domain, then lookup an account
655 for the domain trust */
657 if ( IS_DC
&& !strequal(domain
, lp_workgroup()) && lp_allow_trusted_domains() ) {
658 if (!secrets_fetch_trusted_domain_password(domain
, &pwd
, &sid
,
660 DEBUG(0, ("get_trust_pw: could not fetch trust "
661 "account password for trusted domain %s\n",
666 *channel
= SEC_CHAN_DOMAIN
;
667 E_md4hash(pwd
, ret_pwd
);
673 /* Just get the account for the requested domain. In the future this
674 * might also cover to be member of more than one domain. */
676 if (secrets_fetch_trust_account_password(domain
, ret_pwd
,
677 &last_set_time
, channel
))
680 DEBUG(5, ("get_trust_pw: could not fetch trust account "
681 "password for domain %s\n", domain
));
685 /************************************************************************
686 Routine to delete the password for trusted domain
687 ************************************************************************/
689 BOOL
trusted_domain_password_delete(const char *domain
)
691 return secrets_delete(trustdom_keystr(domain
));
694 BOOL
secrets_store_ldap_pw(const char* dn
, char* pw
)
699 if (asprintf(&key
, "%s/%s", SECRETS_LDAP_BIND_PW
, dn
) < 0) {
700 DEBUG(0, ("secrets_store_ldap_pw: asprintf failed!\n"));
704 ret
= secrets_store(key
, pw
, strlen(pw
)+1);
710 /*******************************************************************
711 Find the ldap password.
712 ******************************************************************/
714 BOOL
fetch_ldap_pw(char **dn
, char** pw
)
719 *dn
= smb_xstrdup(lp_ldap_admin_dn());
721 if (asprintf(&key
, "%s/%s", SECRETS_LDAP_BIND_PW
, *dn
) < 0) {
723 DEBUG(0, ("fetch_ldap_pw: asprintf failed!\n"));
726 *pw
=(char *)secrets_fetch(key
, &size
);
730 /* Upgrade 2.2 style entry */
732 char* old_style_key
= SMB_STRDUP(*dn
);
734 fstring old_style_pw
;
736 if (!old_style_key
) {
737 DEBUG(0, ("fetch_ldap_pw: strdup failed!\n"));
741 for (p
=old_style_key
; *p
; p
++)
742 if (*p
== ',') *p
= '/';
744 data
=(char *)secrets_fetch(old_style_key
, &size
);
745 if (!size
&& size
< sizeof(old_style_pw
)) {
746 DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
747 SAFE_FREE(old_style_key
);
752 size
= MIN(size
, sizeof(fstring
)-1);
753 strncpy(old_style_pw
, data
, size
);
754 old_style_pw
[size
] = 0;
758 if (!secrets_store_ldap_pw(*dn
, old_style_pw
)) {
759 DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n"));
760 SAFE_FREE(old_style_key
);
764 if (!secrets_delete(old_style_key
)) {
765 DEBUG(0,("fetch_ldap_pw: old ldap secret could not be deleted!\n"));
768 SAFE_FREE(old_style_key
);
770 *pw
= smb_xstrdup(old_style_pw
);
777 * Get trusted domains info from secrets.tdb.
780 NTSTATUS
secrets_trusted_domains(TALLOC_CTX
*mem_ctx
, uint32
*num_domains
,
781 struct trustdom_info
***domains
)
783 TDB_LIST_NODE
*keys
, *k
;
787 if (!(tmp_ctx
= talloc_new(mem_ctx
))) {
788 return NT_STATUS_NO_MEMORY
;
791 if (!secrets_init()) return NT_STATUS_ACCESS_DENIED
;
793 /* generate searching pattern */
794 pattern
= talloc_asprintf(tmp_ctx
, "%s/*", SECRETS_DOMTRUST_ACCT_PASS
);
795 if (pattern
== NULL
) {
796 DEBUG(0, ("secrets_trusted_domains: talloc_asprintf() "
798 TALLOC_FREE(tmp_ctx
);
799 return NT_STATUS_NO_MEMORY
;
805 * Make sure that a talloc context for the trustdom_info structs
809 if (!(*domains
= TALLOC_ARRAY(mem_ctx
, struct trustdom_info
*, 1))) {
810 TALLOC_FREE(tmp_ctx
);
811 return NT_STATUS_NO_MEMORY
;
814 /* fetching trusted domains' data and collecting them in a list */
815 keys
= tdb_search_keys(tdb
, pattern
);
817 /* searching for keys in secrets db -- way to go ... */
818 for (k
= keys
; k
; k
= k
->next
) {
820 size_t size
= 0, packed_size
= 0;
821 struct trusted_dom_pass pass
;
823 struct trustdom_info
*dom_info
;
825 /* important: ensure null-termination of the key string */
826 secrets_key
= talloc_strndup(tmp_ctx
,
830 DEBUG(0, ("strndup failed!\n"));
831 tdb_search_list_free(keys
);
832 TALLOC_FREE(tmp_ctx
);
833 return NT_STATUS_NO_MEMORY
;
836 packed_pass
= (char *)secrets_fetch(secrets_key
, &size
);
837 packed_size
= tdb_trusted_dom_pass_unpack(packed_pass
, size
,
839 /* packed representation isn't needed anymore */
840 SAFE_FREE(packed_pass
);
842 if (size
!= packed_size
) {
843 DEBUG(2, ("Secrets record %s is invalid!\n",
848 if (pass
.domain_sid
.num_auths
!= 4) {
849 DEBUG(0, ("SID %s is not a domain sid, has %d "
850 "auths instead of 4\n",
851 sid_string_static(&pass
.domain_sid
),
852 pass
.domain_sid
.num_auths
));
856 if (!(dom_info
= TALLOC_P(*domains
, struct trustdom_info
))) {
857 DEBUG(0, ("talloc failed\n"));
858 tdb_search_list_free(keys
);
859 TALLOC_FREE(tmp_ctx
);
860 return NT_STATUS_NO_MEMORY
;
863 if (pull_ucs2_talloc(dom_info
, &dom_info
->name
,
864 pass
.uni_name
) == (size_t)-1) {
865 DEBUG(2, ("pull_ucs2_talloc failed\n"));
866 tdb_search_list_free(keys
);
867 TALLOC_FREE(tmp_ctx
);
868 return NT_STATUS_NO_MEMORY
;
871 sid_copy(&dom_info
->sid
, &pass
.domain_sid
);
873 ADD_TO_ARRAY(*domains
, struct trustdom_info
*, dom_info
,
874 domains
, num_domains
);
876 if (*domains
== NULL
) {
877 tdb_search_list_free(keys
);
878 TALLOC_FREE(tmp_ctx
);
879 return NT_STATUS_NO_MEMORY
;
883 DEBUG(5, ("secrets_get_trusted_domains: got %d domains\n",
886 /* free the results of searching the keys */
887 tdb_search_list_free(keys
);
888 TALLOC_FREE(tmp_ctx
);
893 /*******************************************************************************
894 Lock the secrets tdb based on a string - this is used as a primitive form of mutex
895 between smbd instances.
896 *******************************************************************************/
898 BOOL
secrets_named_mutex(const char *name
, unsigned int timeout
)
905 ret
= tdb_lock_bystring_with_timeout(tdb
, name
, timeout
);
907 DEBUG(10,("secrets_named_mutex: got mutex for %s\n", name
));
912 /*******************************************************************************
913 Unlock a named mutex.
914 *******************************************************************************/
916 void secrets_named_mutex_release(const char *name
)
918 tdb_unlock_bystring(tdb
, name
);
919 DEBUG(10,("secrets_named_mutex: released mutex for %s\n", name
));
922 /*******************************************************************************
923 Store a complete AFS keyfile into secrets.tdb.
924 *******************************************************************************/
926 BOOL
secrets_store_afs_keyfile(const char *cell
, const struct afs_keyfile
*keyfile
)
930 if ((cell
== NULL
) || (keyfile
== NULL
))
933 if (ntohl(keyfile
->nkeys
) > SECRETS_AFS_MAXKEYS
)
936 slprintf(key
, sizeof(key
)-1, "%s/%s", SECRETS_AFS_KEYFILE
, cell
);
937 return secrets_store(key
, keyfile
, sizeof(struct afs_keyfile
));
940 /*******************************************************************************
941 Fetch the current (highest) AFS key from secrets.tdb
942 *******************************************************************************/
943 BOOL
secrets_fetch_afs_key(const char *cell
, struct afs_key
*result
)
946 struct afs_keyfile
*keyfile
;
950 slprintf(key
, sizeof(key
)-1, "%s/%s", SECRETS_AFS_KEYFILE
, cell
);
952 keyfile
= (struct afs_keyfile
*)secrets_fetch(key
, &size
);
957 if (size
!= sizeof(struct afs_keyfile
)) {
962 i
= ntohl(keyfile
->nkeys
);
964 if (i
> SECRETS_AFS_MAXKEYS
) {
969 *result
= keyfile
->entry
[i
-1];
971 result
->kvno
= ntohl(result
->kvno
);
976 /******************************************************************************
977 When kerberos is not available, choose between anonymous or
978 authenticated connections.
980 We need to use an authenticated connection if DCs have the
981 RestrictAnonymous registry entry set > 0, or the "Additional
982 restrictions for anonymous connections" set in the win2k Local
985 Caller to free() result in domain, username, password
986 *******************************************************************************/
987 void secrets_fetch_ipc_userpass(char **username
, char **domain
, char **password
)
989 *username
= (char *)secrets_fetch(SECRETS_AUTH_USER
, NULL
);
990 *domain
= (char *)secrets_fetch(SECRETS_AUTH_DOMAIN
, NULL
);
991 *password
= (char *)secrets_fetch(SECRETS_AUTH_PASSWORD
, NULL
);
993 if (*username
&& **username
) {
995 if (!*domain
|| !**domain
)
996 *domain
= smb_xstrdup(lp_workgroup());
998 if (!*password
|| !**password
)
999 *password
= smb_xstrdup("");
1001 DEBUG(3, ("IPC$ connections done by user %s\\%s\n",
1002 *domain
, *username
));
1005 DEBUG(3, ("IPC$ connections done anonymously\n"));
1006 *username
= smb_xstrdup("");
1007 *domain
= smb_xstrdup("");
1008 *password
= smb_xstrdup("");
1012 /******************************************************************************
1013 Open or create the schannel session store tdb.
1014 *******************************************************************************/
1016 static TDB_CONTEXT
*open_schannel_session_store(TALLOC_CTX
*mem_ctx
)
1020 TDB_CONTEXT
*tdb_sc
= NULL
;
1021 char *fname
= talloc_asprintf(mem_ctx
, "%s/schannel_store.tdb", lp_private_dir());
1027 tdb_sc
= tdb_open_log(fname
, 0, TDB_DEFAULT
, O_RDWR
|O_CREAT
, 0600);
1030 DEBUG(0,("open_schannel_session_store: Failed to open %s\n", fname
));
1035 vers
= tdb_fetch_bystring(tdb_sc
, "SCHANNEL_STORE_VERSION");
1036 if (vers
.dptr
== NULL
) {
1037 /* First opener, no version. */
1039 vers
.dptr
= (char *)&ver
;
1041 tdb_store_bystring(tdb_sc
, "SCHANNEL_STORE_VERSION", vers
, TDB_REPLACE
);
1043 } else if (vers
.dsize
== 4) {
1044 ver
= IVAL(vers
.dptr
,0);
1048 DEBUG(0,("open_schannel_session_store: wrong version number %d in %s\n",
1054 DEBUG(0,("open_schannel_session_store: wrong version number size %d in %s\n",
1055 (int)vers
.dsize
, fname
));
1058 SAFE_FREE(vers
.dptr
);
1064 /******************************************************************************
1065 Store the schannel state after an AUTH2 call.
1066 Note we must be root here.
1067 *******************************************************************************/
1069 BOOL
secrets_store_schannel_session_info(TALLOC_CTX
*mem_ctx
,
1070 const char *remote_machine
,
1071 const struct dcinfo
*pdc
)
1073 TDB_CONTEXT
*tdb_sc
= NULL
;
1076 char *keystr
= talloc_asprintf(mem_ctx
, "%s/%s", SECRETS_SCHANNEL_STATE
,
1084 /* Work out how large the record is. */
1085 value
.dsize
= tdb_pack(NULL
, 0, "dBBBBBfff",
1087 8, pdc
->seed_chal
.data
,
1088 8, pdc
->clnt_chal
.data
,
1089 8, pdc
->srv_chal
.data
,
1093 pdc
->remote_machine
,
1096 value
.dptr
= (char *)TALLOC(mem_ctx
, value
.dsize
);
1098 TALLOC_FREE(keystr
);
1102 value
.dsize
= tdb_pack(value
.dptr
, value
.dsize
, "dBBBBBfff",
1104 8, pdc
->seed_chal
.data
,
1105 8, pdc
->clnt_chal
.data
,
1106 8, pdc
->srv_chal
.data
,
1110 pdc
->remote_machine
,
1113 tdb_sc
= open_schannel_session_store(mem_ctx
);
1115 TALLOC_FREE(keystr
);
1116 TALLOC_FREE(value
.dptr
);
1120 ret
= (tdb_store_bystring(tdb_sc
, keystr
, value
, TDB_REPLACE
) == 0 ? True
: False
);
1122 DEBUG(3,("secrets_store_schannel_session_info: stored schannel info with key %s\n",
1126 TALLOC_FREE(keystr
);
1127 TALLOC_FREE(value
.dptr
);
1131 /******************************************************************************
1132 Restore the schannel state on a client reconnect.
1133 Note we must be root here.
1134 *******************************************************************************/
1136 BOOL
secrets_restore_schannel_session_info(TALLOC_CTX
*mem_ctx
,
1137 const char *remote_machine
,
1138 struct dcinfo
**ppdc
)
1140 TDB_CONTEXT
*tdb_sc
= NULL
;
1142 unsigned char *pseed_chal
= NULL
;
1143 unsigned char *pclnt_chal
= NULL
;
1144 unsigned char *psrv_chal
= NULL
;
1145 unsigned char *psess_key
= NULL
;
1146 unsigned char *pmach_pw
= NULL
;
1147 uint32 l1
, l2
, l3
, l4
, l5
;
1149 struct dcinfo
*pdc
= NULL
;
1150 char *keystr
= talloc_asprintf(mem_ctx
, "%s/%s", SECRETS_SCHANNEL_STATE
,
1161 tdb_sc
= open_schannel_session_store(mem_ctx
);
1163 TALLOC_FREE(keystr
);
1167 value
= tdb_fetch_bystring(tdb_sc
, keystr
);
1169 DEBUG(0,("secrets_restore_schannel_session_info: Failed to find entry with key %s\n",
1175 pdc
= TALLOC_ZERO_P(mem_ctx
, struct dcinfo
);
1177 /* Retrieve the record. */
1178 ret
= tdb_unpack(value
.dptr
, value
.dsize
, "dBBBBBfff",
1186 &pdc
->remote_machine
,
1189 if (ret
== -1 || l1
!= 8 || l2
!= 8 || l3
!= 8 || l4
!= 16 || l5
!= 16) {
1190 /* Bad record - delete it. */
1191 tdb_delete_bystring(tdb_sc
, keystr
);
1193 TALLOC_FREE(keystr
);
1195 SAFE_FREE(pseed_chal
);
1196 SAFE_FREE(pclnt_chal
);
1197 SAFE_FREE(psrv_chal
);
1198 SAFE_FREE(psess_key
);
1199 SAFE_FREE(pmach_pw
);
1200 SAFE_FREE(value
.dptr
);
1206 memcpy(pdc
->seed_chal
.data
, pseed_chal
, 8);
1207 memcpy(pdc
->clnt_chal
.data
, pclnt_chal
, 8);
1208 memcpy(pdc
->srv_chal
.data
, psrv_chal
, 8);
1209 memcpy(pdc
->sess_key
, psess_key
, 16);
1210 memcpy(pdc
->mach_pw
, pmach_pw
, 16);
1212 /* We know these are true so didn't bother to store them. */
1213 pdc
->challenge_sent
= True
;
1214 pdc
->authenticated
= True
;
1216 DEBUG(3,("secrets_restore_schannel_session_info: restored schannel info key %s\n",
1219 SAFE_FREE(pseed_chal
);
1220 SAFE_FREE(pclnt_chal
);
1221 SAFE_FREE(psrv_chal
);
1222 SAFE_FREE(psess_key
);
1223 SAFE_FREE(pmach_pw
);
1225 TALLOC_FREE(keystr
);
1226 SAFE_FREE(value
.dptr
);
1233 BOOL
secrets_store_generic(const char *owner
, const char *key
, const char *secret
)
1235 char *tdbkey
= NULL
;
1238 if (asprintf(&tdbkey
, "SECRETS/GENERIC/%s/%s", owner
, key
) < 0) {
1239 DEBUG(0, ("asprintf failed!\n"));
1243 ret
= secrets_store(tdbkey
, secret
, strlen(secret
)+1);
1249 /*******************************************************************
1250 Find the ldap password.
1251 ******************************************************************/
1253 char *secrets_fetch_generic(const char *owner
, const char *key
)
1255 char *secret
= NULL
;
1256 char *tdbkey
= NULL
;
1258 if (( ! owner
) || ( ! key
)) {
1259 DEBUG(1, ("Invalid Paramters"));
1263 if (asprintf(&tdbkey
, "SECRETS/GENERIC/%s/%s", owner
, key
) < 0) {
1264 DEBUG(0, ("Out of memory!\n"));
1268 secret
= (char *)secrets_fetch(tdbkey
, NULL
);