search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-dsdb: Change talloc parent
[Samba.git] / source4 / dsdb / samdb / ldb_modules / update_keytab.c
blobf07d9b2aadf280bce36d37632798d2daa65153bf
1 /*
2 ldb database library
3
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2007
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /*
21 * Name: ldb
22 *
23 * Component: ldb update_keytabs module
24 *
25 * Description: Update keytabs whenever their matching secret record changes
26 *
27 * Author: Andrew Bartlett
28 */
29
30 #include "includes.h"
31 #include "ldb_module.h"
32 #include "lib/util/dlinklist.h"
33 #include "auth/credentials/credentials.h"
34 #include "auth/credentials/credentials_krb5.h"
35 #include "system/kerberos.h"
36 #include "auth/kerberos/kerberos.h"
37 #include "auth/kerberos/kerberos_srv_keytab.h"
38 #include "dsdb/samdb/ldb_modules/util.h"
39 #include "param/secrets.h"
40
41 struct dn_list {
42 struct ldb_message *msg;
43 bool do_delete;
44 struct dn_list *prev, *next;
45 };
46
47 struct update_kt_private {
48 struct dn_list *changed_dns;
49 };
50
51 struct update_kt_ctx {
52 struct ldb_module *module;
53 struct ldb_request *req;
54
55 struct ldb_dn *dn;
56 bool do_delete;
57
58 struct ldb_reply *op_reply;
59 bool found;
60 };
61
62 static struct update_kt_ctx *update_kt_ctx_init(struct ldb_module *module,
63 struct ldb_request *req)
64 {
65 struct update_kt_ctx *ac;
66
67 ac = talloc_zero(req, struct update_kt_ctx);
68 if (ac == NULL) {
69 ldb_oom(ldb_module_get_ctx(module));
70 return NULL;
71 }
72
73 ac->module = module;
74 ac->req = req;
75
76 return ac;
77 }
78
79 /* FIXME: too many semi-async searches here for my taste, direct and indirect as
80 * cli_credentials_set_secrets() performs a sync ldb search.
81 * Just hope we are lucky and nothing breaks (using the tdb backend masks a lot
82 * of async issues). -SSS
83 */
84 static int add_modified(struct ldb_module *module, struct ldb_dn *dn, bool do_delete,
85 struct ldb_request *parent)
86 {
87 struct ldb_context *ldb = ldb_module_get_ctx(module);
88 struct update_kt_private *data = talloc_get_type(ldb_module_get_private(module), struct update_kt_private);
89 struct dn_list *item;
90 char *filter;
91 struct ldb_result *res;
92 int ret;
93
94 filter = talloc_asprintf(data,
95 "(&(objectClass=kerberosSecret)(privateKeytab=*))");
96 if (!filter) {
97 return ldb_oom(ldb);
98 }
99
100 ret = dsdb_module_search(module, data, &res,
101 dn, LDB_SCOPE_BASE, NULL,
102 DSDB_FLAG_NEXT_MODULE, parent,
103 "%s", filter);
104 talloc_free(filter);
105 if (ret != LDB_SUCCESS) {
106 return ret;
107 }
108
109 if (res->count != 1) {
110 /* if it's not a kerberosSecret then we don't have anything to update */
111 talloc_free(res);
112 talloc_free(filter);
113 return LDB_SUCCESS;
114 }
115
116 item = talloc(data->changed_dns? (void *)data->changed_dns: (void *)data, struct dn_list);
117 if (!item) {
118 talloc_free(res);
119 talloc_free(filter);
120 return ldb_oom(ldb);
121 }
122
123 item->msg = talloc_steal(item, res->msgs[0]);
124 item->do_delete = do_delete;
125 talloc_free(res);
126
127 DLIST_ADD_END(data->changed_dns, item, struct dn_list *);
128 return LDB_SUCCESS;
129 }
130
131 static int ukt_search_modified(struct update_kt_ctx *ac);
132
133 static int update_kt_op_callback(struct ldb_request *req,
134 struct ldb_reply *ares)
135 {
136 struct ldb_context *ldb;
137 struct update_kt_ctx *ac;
138 int ret;
139
140 ac = talloc_get_type(req->context, struct update_kt_ctx);
141 ldb = ldb_module_get_ctx(ac->module);
142
143 if (!ares) {
144 return ldb_module_done(ac->req, NULL, NULL,
145 LDB_ERR_OPERATIONS_ERROR);
146 }
147 if (ares->error != LDB_SUCCESS) {
148 return ldb_module_done(ac->req, ares->controls,
149 ares->response, ares->error);
150 }
151
152 if (ares->type != LDB_REPLY_DONE) {
153 ldb_set_errstring(ldb, "Invalid request type!\n");
154 return ldb_module_done(ac->req, NULL, NULL,
155 LDB_ERR_OPERATIONS_ERROR);
156 }
157
158 if (ac->do_delete) {
159 return ldb_module_done(ac->req, ares->controls,
160 ares->response, LDB_SUCCESS);
161 }
162
163 ac->op_reply = talloc_steal(ac, ares);
164
165 ret = ukt_search_modified(ac);
166 if (ret != LDB_SUCCESS) {
167 return ldb_module_done(ac->req, NULL, NULL, ret);
168 }
169
170 return LDB_SUCCESS;
171 }
172
173 static int ukt_del_op(struct update_kt_ctx *ac)
174 {
175 struct ldb_context *ldb;
176 struct ldb_request *down_req;
177 int ret;
178
179 ldb = ldb_module_get_ctx(ac->module);
180
181 ret = ldb_build_del_req(&down_req, ldb, ac,
182 ac->dn,
183 ac->req->controls,
184 ac, update_kt_op_callback,
185 ac->req);
186 LDB_REQ_SET_LOCATION(down_req);
187 if (ret != LDB_SUCCESS) {
188 return ret;
189 }
190 return ldb_next_request(ac->module, down_req);
191 }
192
193 static int ukt_search_modified_callback(struct ldb_request *req,
194 struct ldb_reply *ares)
195 {
196 struct update_kt_ctx *ac;
197 int ret;
198
199 ac = talloc_get_type(req->context, struct update_kt_ctx);
200
201 if (!ares) {
202 return ldb_module_done(ac->req, NULL, NULL,
203 LDB_ERR_OPERATIONS_ERROR);
204 }
205 if (ares->error != LDB_SUCCESS) {
206 return ldb_module_done(ac->req, ares->controls,
207 ares->response, ares->error);
208 }
209
210 switch (ares->type) {
211 case LDB_REPLY_ENTRY:
212
213 ac->found = true;
214 break;
215
216 case LDB_REPLY_REFERRAL:
217 /* ignore */
218 break;
219
220 case LDB_REPLY_DONE:
221
222 if (ac->found) {
223 /* do the dirty sync job here :/ */
224 ret = add_modified(ac->module, ac->dn, ac->do_delete, ac->req);
225 }
226
227 if (ac->do_delete) {
228 ret = ukt_del_op(ac);
229 if (ret != LDB_SUCCESS) {
230 return ldb_module_done(ac->req,
231 NULL, NULL, ret);
232 }
233 break;
234 }
235
236 return ldb_module_done(ac->req, ac->op_reply->controls,
237 ac->op_reply->response, LDB_SUCCESS);
238 }
239
240 talloc_free(ares);
241 return LDB_SUCCESS;
242 }
243
244 static int ukt_search_modified(struct update_kt_ctx *ac)
245 {
246 struct ldb_context *ldb;
247 static const char * const no_attrs[] = { NULL };
248 struct ldb_request *search_req;
249 int ret;
250
251 ldb = ldb_module_get_ctx(ac->module);
252
253 ret = ldb_build_search_req(&search_req, ldb, ac,
254 ac->dn, LDB_SCOPE_BASE,
255 "(&(objectClass=kerberosSecret)"
256 "(privateKeytab=*))", no_attrs,
257 NULL,
258 ac, ukt_search_modified_callback,
259 ac->req);
260 LDB_REQ_SET_LOCATION(search_req);
261 if (ret != LDB_SUCCESS) {
262 return ret;
263 }
264 return ldb_next_request(ac->module, search_req);
265 }
266
267
268 /* add */
269 static int update_kt_add(struct ldb_module *module, struct ldb_request *req)
270 {
271 struct ldb_context *ldb;
272 struct update_kt_ctx *ac;
273 struct ldb_request *down_req;
274 int ret;
275
276 ldb = ldb_module_get_ctx(module);
277
278 ac = update_kt_ctx_init(module, req);
279 if (ac == NULL) {
280 return ldb_operr(ldb);
281 }
282
283 ac->dn = req->op.add.message->dn;
284
285 ret = ldb_build_add_req(&down_req, ldb, ac,
286 req->op.add.message,
287 req->controls,
288 ac, update_kt_op_callback,
289 req);
290 LDB_REQ_SET_LOCATION(down_req);
291 if (ret != LDB_SUCCESS) {
292 return ret;
293 }
294
295 return ldb_next_request(module, down_req);
296 }
297
298 /* modify */
299 static int update_kt_modify(struct ldb_module *module, struct ldb_request *req)
300 {
301 struct ldb_context *ldb;
302 struct update_kt_ctx *ac;
303 struct ldb_request *down_req;
304 int ret;
305
306 ldb = ldb_module_get_ctx(module);
307
308 ac = update_kt_ctx_init(module, req);
309 if (ac == NULL) {
310 return ldb_operr(ldb);
311 }
312
313 ac->dn = req->op.mod.message->dn;
314
315 ret = ldb_build_mod_req(&down_req, ldb, ac,
316 req->op.mod.message,
317 req->controls,
318 ac, update_kt_op_callback,
319 req);
320 LDB_REQ_SET_LOCATION(down_req);
321 if (ret != LDB_SUCCESS) {
322 return ret;
323 }
324
325 return ldb_next_request(module, down_req);
326 }
327
328 /* delete */
329 static int update_kt_delete(struct ldb_module *module, struct ldb_request *req)
330 {
331 struct update_kt_ctx *ac;
332
333 ac = update_kt_ctx_init(module, req);
334 if (ac == NULL) {
335 return ldb_operr(ldb_module_get_ctx(module));
336 }
337
338 ac->dn = req->op.del.dn;
339 ac->do_delete = true;
340
341 return ukt_search_modified(ac);
342 }
343
344 /* rename */
345 static int update_kt_rename(struct ldb_module *module, struct ldb_request *req)
346 {
347 struct ldb_context *ldb;
348 struct update_kt_ctx *ac;
349 struct ldb_request *down_req;
350 int ret;
351
352 ldb = ldb_module_get_ctx(module);
353
354 ac = update_kt_ctx_init(module, req);
355 if (ac == NULL) {
356 return ldb_operr(ldb);
357 }
358
359 ac->dn = req->op.rename.newdn;
360
361 ret = ldb_build_rename_req(&down_req, ldb, ac,
362 req->op.rename.olddn,
363 req->op.rename.newdn,
364 req->controls,
365 ac, update_kt_op_callback,
366 req);
367 LDB_REQ_SET_LOCATION(down_req);
368 if (ret != LDB_SUCCESS) {
369 return ret;
370 }
371
372 return ldb_next_request(module, down_req);
373 }
374
375 /* prepare for a commit */
376 static int update_kt_prepare_commit(struct ldb_module *module)
377 {
378 struct ldb_context *ldb = ldb_module_get_ctx(module);
379 struct update_kt_private *data = talloc_get_type(ldb_module_get_private(module), struct update_kt_private);
380 struct dn_list *p;
381 struct smb_krb5_context *smb_krb5_context;
382 int krb5_ret = smb_krb5_init_context(data, ldb_get_event_context(ldb), ldb_get_opaque(ldb, "loadparm"),
383 &smb_krb5_context);
384 TALLOC_CTX *tmp_ctx;
385
386 if (krb5_ret != 0) {
387 ldb_asprintf_errstring(ldb, "Failed to setup krb5_context: %s", error_message(krb5_ret));
388 goto fail;
389 }
390
391 tmp_ctx = talloc_new(data);
392 if (!tmp_ctx) {
393 ldb_oom(ldb);
394 goto fail;
395 }
396
397 for (p=data->changed_dns; p; p = p->next) {
398 const char *error_string;
399 const char *realm;
400 char *upper_realm;
401 struct ldb_message_element *spn_el = ldb_msg_find_element(p->msg, "servicePrincipalName");
402 char **SPNs = NULL;
403 int num_SPNs = 0;
404 int i;
405
406 realm = ldb_msg_find_attr_as_string(p->msg, "realm", NULL);
407
408 if (spn_el) {
409 upper_realm = strupper_talloc(tmp_ctx, realm);
410 if (!upper_realm) {
411 ldb_oom(ldb);
412 goto fail;
413 }
414
415 num_SPNs = spn_el->num_values;
416 SPNs = talloc_array(tmp_ctx, char *, num_SPNs);
417 if (!SPNs) {
418 ldb_oom(ldb);
419 goto fail;
420 }
421 for (i = 0; i < num_SPNs; i++) {
422 SPNs[i] = talloc_asprintf(tmp_ctx, "%*.*s@%s",
423 (int)spn_el->values[i].length,
424 (int)spn_el->values[i].length,
425 (const char *)spn_el->values[i].data,
426 upper_realm);
427 if (!SPNs[i]) {
428 ldb_oom(ldb);
429 goto fail;
430 }
431 }
432 }
433
434 krb5_ret = smb_krb5_update_keytab(tmp_ctx, smb_krb5_context->krb5_context,
435 keytab_name_from_msg(tmp_ctx, ldb, p->msg),
436 ldb_msg_find_attr_as_string(p->msg, "samAccountName", NULL),
437 realm, (const char **)SPNs, num_SPNs,
438 ldb_msg_find_attr_as_string(p->msg, "saltPrincipal", NULL),
439 ldb_msg_find_attr_as_string(p->msg, "secret", NULL),
440 ldb_msg_find_attr_as_string(p->msg, "priorSecret", NULL),
441 ldb_msg_find_attr_as_int(p->msg, "msDS-KeyVersionNumber", 0),
442 (uint32_t)ldb_msg_find_attr_as_int(p->msg, "msDS-SupportedEncryptionTypes", ENC_ALL_TYPES),
443 p->do_delete, NULL, &error_string);
444 if (krb5_ret != 0) {
445 ldb_asprintf_errstring(ldb, "Failed to update keytab from entry %s in %s: %s",
446 ldb_dn_get_linearized(p->msg->dn),
447 (const char *)ldb_get_opaque(ldb, "ldb_url"),
448 error_string);
449 goto fail;
450 }
451 }
452
453 talloc_free(data->changed_dns);
454 data->changed_dns = NULL;
455 talloc_free(tmp_ctx);
456
457 return ldb_next_prepare_commit(module);
458
459 fail:
460 talloc_free(data->changed_dns);
461 data->changed_dns = NULL;
462 talloc_free(tmp_ctx);
463 return LDB_ERR_OPERATIONS_ERROR;
464 }
465
466 /* end a transaction */
467 static int update_kt_del_trans(struct ldb_module *module)
468 {
469 struct update_kt_private *data = talloc_get_type(ldb_module_get_private(module), struct update_kt_private);
470
471 talloc_free(data->changed_dns);
472 data->changed_dns = NULL;
473
474 return ldb_next_del_trans(module);
475 }
476
477 static int update_kt_init(struct ldb_module *module)
478 {
479 struct ldb_context *ldb;
480 struct update_kt_private *data;
481
482 ldb = ldb_module_get_ctx(module);
483
484 data = talloc(module, struct update_kt_private);
485 if (data == NULL) {
486 return ldb_oom(ldb);
487 }
488
489 data->changed_dns = NULL;
490
491 ldb_module_set_private(module, data);
492
493 return ldb_next_init(module);
494 }
495
496 static const struct ldb_module_ops ldb_update_keytab_module_ops = {
497 .name = "update_keytab",
498 .init_context = update_kt_init,
499 .add = update_kt_add,
500 .modify = update_kt_modify,
501 .rename = update_kt_rename,
502 .del = update_kt_delete,
503 .prepare_commit = update_kt_prepare_commit,
504 .del_transaction = update_kt_del_trans,
505 };
506
507 int ldb_update_keytab_module_init(const char *version)
508 {
509 LDB_MODULE_CHECK_VERSION(version);
510 return ldb_register_module(&ldb_update_keytab_module_ops);
511 }
Samba GIT mirror