2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/samr.h"
29 #include "passdb/pdb_ldap.h"
30 #include "passdb/pdb_ipa.h"
31 #include "passdb/pdb_ldap_schema.h"
33 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
34 #define IPA_MAGIC_ID_STR "999"
36 #define LDAP_TRUST_CONTAINER "ou=system"
37 #define LDAP_ATTRIBUTE_CN "cn"
38 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
39 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
40 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
41 #define LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET "sambaTrustPosixOffset"
42 #define LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE "sambaSupportedEncryptionTypes"
43 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
44 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
45 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
46 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
47 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
48 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
49 #define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
51 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
52 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
53 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
55 #define LDAP_OBJ_IPAOBJECT "ipaObject"
56 #define LDAP_OBJ_IPAHOST "ipaHost"
57 #define LDAP_OBJ_POSIXACCOUNT "posixAccount"
59 #define LDAP_OBJ_GROUPOFNAMES "groupOfNames"
60 #define LDAP_OBJ_NESTEDGROUP "nestedGroup"
61 #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
62 #define LDAP_OBJ_POSIXGROUP "posixGroup"
64 #define HAS_KRB_PRINCIPAL (1<<0)
65 #define HAS_KRB_PRINCIPAL_AUX (1<<1)
66 #define HAS_IPAOBJECT (1<<2)
67 #define HAS_IPAHOST (1<<3)
68 #define HAS_POSIXACCOUNT (1<<4)
69 #define HAS_GROUPOFNAMES (1<<5)
70 #define HAS_NESTEDGROUP (1<<6)
71 #define HAS_IPAUSERGROUP (1<<7)
72 #define HAS_POSIXGROUP (1<<8)
74 struct ipasam_privates
{
76 NTSTATUS (*ldapsam_add_sam_account
)(struct pdb_methods
*,
77 struct samu
*sampass
);
78 NTSTATUS (*ldapsam_update_sam_account
)(struct pdb_methods
*,
79 struct samu
*sampass
);
80 NTSTATUS (*ldapsam_create_user
)(struct pdb_methods
*my_methods
,
81 TALLOC_CTX
*tmp_ctx
, const char *name
,
82 uint32_t acb_info
, uint32_t *rid
);
83 NTSTATUS (*ldapsam_create_dom_group
)(struct pdb_methods
*my_methods
,
89 static bool ipasam_get_trusteddom_pw(struct pdb_methods
*methods
,
93 time_t *pass_last_set_time
)
98 static bool ipasam_set_trusteddom_pw(struct pdb_methods
*methods
,
101 const struct dom_sid
*sid
)
106 static bool ipasam_del_trusteddom_pw(struct pdb_methods
*methods
,
112 static char *get_account_dn(const char *name
)
117 escape_name
= escape_rdn_val_string_alloc(name
);
122 if (name
[strlen(name
)-1] == '$') {
123 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
124 lp_ldap_machine_suffix());
126 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
127 lp_ldap_user_suffix());
130 SAFE_FREE(escape_name
);
135 static char *trusted_domain_dn(struct ldapsam_privates
*ldap_state
,
138 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
139 LDAP_ATTRIBUTE_CN
, domain
,
140 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
143 static char *trusted_domain_base_dn(struct ldapsam_privates
*ldap_state
)
145 return talloc_asprintf(talloc_tos(), "%s,%s",
146 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
149 static bool get_trusted_domain_int(struct ldapsam_privates
*ldap_state
,
151 const char *filter
, LDAPMessage
**entry
)
154 char *base_dn
= NULL
;
155 LDAPMessage
*result
= NULL
;
158 base_dn
= trusted_domain_base_dn(ldap_state
);
159 if (base_dn
== NULL
) {
163 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
,
164 LDAP_SCOPE_SUBTREE
, filter
, NULL
, 0, &result
);
165 TALLOC_FREE(base_dn
);
167 if (result
!= NULL
) {
168 talloc_autofree_ldapmsg(mem_ctx
, result
);
171 if (rc
== LDAP_NO_SUCH_OBJECT
) {
176 if (rc
!= LDAP_SUCCESS
) {
180 num_result
= ldap_count_entries(priv2ld(ldap_state
), result
);
182 if (num_result
> 1) {
183 DEBUG(1, ("get_trusted_domain_int: more than one "
184 "%s object with filter '%s'?!\n",
185 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
189 if (num_result
== 0) {
190 DEBUG(1, ("get_trusted_domain_int: no "
191 "%s object with filter '%s'.\n",
192 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
195 *entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
201 static bool get_trusted_domain_by_name_int(struct ldapsam_privates
*ldap_state
,
208 filter
= talloc_asprintf(talloc_tos(),
209 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
210 LDAP_OBJ_TRUSTED_DOMAIN
,
211 LDAP_ATTRIBUTE_FLAT_NAME
, domain
,
212 LDAP_ATTRIBUTE_TRUST_PARTNER
, domain
, domain
);
213 if (filter
== NULL
) {
217 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
220 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates
*ldap_state
,
222 const char *sid
, LDAPMessage
**entry
)
226 filter
= talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
227 LDAP_OBJ_TRUSTED_DOMAIN
,
228 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
, sid
);
229 if (filter
== NULL
) {
233 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
236 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates
*ldap_state
,
245 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
248 DEBUG(9, ("Attribute %s not present.\n", attr
));
253 l
= strtoul(dummy
, &endptr
, 10);
256 if (l
< 0 || l
> UINT32_MAX
|| *endptr
!= '\0') {
265 static void get_data_blob_from_ldap_msg(TALLOC_CTX
*mem_ctx
,
266 struct ldapsam_privates
*ldap_state
,
267 LDAPMessage
*entry
, const char *attr
,
273 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
, attr
,
276 DEBUG(9, ("Attribute %s not present.\n", attr
));
279 blob
= base64_decode_data_blob(dummy
);
280 if (blob
.length
== 0) {
283 _blob
->length
= blob
.length
;
284 _blob
->data
= talloc_steal(mem_ctx
, blob
.data
);
290 static bool fill_pdb_trusted_domain(TALLOC_CTX
*mem_ctx
,
291 struct ldapsam_privates
*ldap_state
,
293 struct pdb_trusted_domain
**_td
)
297 struct pdb_trusted_domain
*td
;
303 td
= talloc_zero(mem_ctx
, struct pdb_trusted_domain
);
308 /* All attributes are MAY */
310 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
311 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
314 DEBUG(9, ("Attribute %s not present.\n",
315 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
));
316 ZERO_STRUCT(td
->security_identifier
);
318 res
= string_to_sid(&td
->security_identifier
, dummy
);
325 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
326 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
327 &td
->trust_auth_incoming
);
329 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
330 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
331 &td
->trust_auth_outgoing
);
333 td
->netbios_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
335 LDAP_ATTRIBUTE_FLAT_NAME
,
337 if (td
->netbios_name
== NULL
) {
338 DEBUG(9, ("Attribute %s not present.\n",
339 LDAP_ATTRIBUTE_FLAT_NAME
));
342 td
->domain_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
344 LDAP_ATTRIBUTE_TRUST_PARTNER
,
346 if (td
->domain_name
== NULL
) {
347 DEBUG(9, ("Attribute %s not present.\n",
348 LDAP_ATTRIBUTE_TRUST_PARTNER
));
351 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
352 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
353 &td
->trust_direction
);
358 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
359 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
360 &td
->trust_attributes
);
365 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
366 LDAP_ATTRIBUTE_TRUST_TYPE
,
372 td
->trust_posix_offset
= talloc(td
, uint32_t);
373 if (td
->trust_posix_offset
== NULL
) {
376 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
377 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET
,
378 td
->trust_posix_offset
);
383 td
->supported_enc_type
= talloc(td
, uint32_t);
384 if (td
->supported_enc_type
== NULL
) {
387 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
388 LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE
,
389 td
->supported_enc_type
);
395 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
396 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
397 &td
->trust_forest_trust_info
);
404 static NTSTATUS
ipasam_get_trusted_domain(struct pdb_methods
*methods
,
407 struct pdb_trusted_domain
**td
)
409 struct ldapsam_privates
*ldap_state
=
410 (struct ldapsam_privates
*)methods
->private_data
;
411 LDAPMessage
*entry
= NULL
;
413 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain
));
415 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
417 return NT_STATUS_UNSUCCESSFUL
;
420 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
422 return NT_STATUS_NO_SUCH_DOMAIN
;
425 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
426 return NT_STATUS_UNSUCCESSFUL
;
432 static NTSTATUS
ipasam_get_trusted_domain_by_sid(struct pdb_methods
*methods
,
435 struct pdb_trusted_domain
**td
)
437 struct ldapsam_privates
*ldap_state
=
438 (struct ldapsam_privates
*)methods
->private_data
;
439 LDAPMessage
*entry
= NULL
;
442 sid_str
= sid_string_tos(sid
);
444 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
447 if (!get_trusted_domain_by_sid_int(ldap_state
, talloc_tos(), sid_str
,
449 return NT_STATUS_UNSUCCESSFUL
;
452 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
453 "with sid: %s\n", sid_str
));
454 return NT_STATUS_NO_SUCH_DOMAIN
;
457 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
458 return NT_STATUS_UNSUCCESSFUL
;
464 static bool smbldap_make_mod_uint32_t(LDAP
*ldap_struct
, LDAPMessage
*entry
,
465 LDAPMod
***mods
, const char *attribute
,
470 dummy
= talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val
);
474 smbldap_make_mod(ldap_struct
, entry
, mods
, attribute
, dummy
);
480 static NTSTATUS
ipasam_set_trusted_domain(struct pdb_methods
*methods
,
482 const struct pdb_trusted_domain
*td
)
484 struct ldapsam_privates
*ldap_state
=
485 (struct ldapsam_privates
*)methods
->private_data
;
486 LDAPMessage
*entry
= NULL
;
489 char *trusted_dn
= NULL
;
492 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain
));
494 res
= get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
497 return NT_STATUS_UNSUCCESSFUL
;
501 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
, "objectClass",
502 LDAP_OBJ_TRUSTED_DOMAIN
);
504 if (td
->netbios_name
!= NULL
) {
505 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
506 LDAP_ATTRIBUTE_FLAT_NAME
,
510 if (td
->domain_name
!= NULL
) {
511 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
512 LDAP_ATTRIBUTE_TRUST_PARTNER
,
516 if (!is_null_sid(&td
->security_identifier
)) {
517 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
518 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
519 sid_string_tos(&td
->security_identifier
));
522 if (td
->trust_type
!= 0) {
523 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
524 &mods
, LDAP_ATTRIBUTE_TRUST_TYPE
,
527 return NT_STATUS_UNSUCCESSFUL
;
531 if (td
->trust_attributes
!= 0) {
532 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
534 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
535 td
->trust_attributes
);
537 return NT_STATUS_UNSUCCESSFUL
;
541 if (td
->trust_direction
!= 0) {
542 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
544 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
545 td
->trust_direction
);
547 return NT_STATUS_UNSUCCESSFUL
;
551 if (td
->trust_posix_offset
!= NULL
) {
552 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
554 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET
,
555 *td
->trust_posix_offset
);
557 return NT_STATUS_UNSUCCESSFUL
;
561 if (td
->supported_enc_type
!= NULL
) {
562 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
564 LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE
,
565 *td
->supported_enc_type
);
567 return NT_STATUS_UNSUCCESSFUL
;
571 if (td
->trust_auth_outgoing
.data
!= NULL
) {
572 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
573 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
574 &td
->trust_auth_outgoing
);
577 if (td
->trust_auth_incoming
.data
!= NULL
) {
578 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
579 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
580 &td
->trust_auth_incoming
);
583 if (td
->trust_forest_trust_info
.data
!= NULL
) {
584 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
585 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
586 &td
->trust_forest_trust_info
);
589 talloc_autofree_ldapmod(talloc_tos(), mods
);
591 trusted_dn
= trusted_domain_dn(ldap_state
, domain
);
592 if (trusted_dn
== NULL
) {
593 return NT_STATUS_NO_MEMORY
;
596 ret
= smbldap_add(ldap_state
->smbldap_state
, trusted_dn
, mods
);
598 ret
= smbldap_modify(ldap_state
->smbldap_state
, trusted_dn
, mods
);
601 if (ret
!= LDAP_SUCCESS
) {
602 DEBUG(1, ("error writing trusted domain data!\n"));
603 return NT_STATUS_UNSUCCESSFUL
;
608 static NTSTATUS
ipasam_del_trusted_domain(struct pdb_methods
*methods
,
612 struct ldapsam_privates
*ldap_state
=
613 (struct ldapsam_privates
*)methods
->private_data
;
614 LDAPMessage
*entry
= NULL
;
617 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
619 return NT_STATUS_UNSUCCESSFUL
;
623 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
625 return NT_STATUS_NO_SUCH_DOMAIN
;
628 dn
= smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state
), entry
);
630 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
631 return NT_STATUS_NO_MEMORY
;
634 ret
= smbldap_delete(ldap_state
->smbldap_state
, dn
);
635 if (ret
!= LDAP_SUCCESS
) {
636 return NT_STATUS_UNSUCCESSFUL
;
642 static NTSTATUS
ipasam_enum_trusted_domains(struct pdb_methods
*methods
,
644 uint32_t *num_domains
,
645 struct pdb_trusted_domain
***domains
)
648 struct ldapsam_privates
*ldap_state
=
649 (struct ldapsam_privates
*)methods
->private_data
;
650 char *base_dn
= NULL
;
652 int scope
= LDAP_SCOPE_SUBTREE
;
653 LDAPMessage
*result
= NULL
;
654 LDAPMessage
*entry
= NULL
;
656 filter
= talloc_asprintf(talloc_tos(), "(objectClass=%s)",
657 LDAP_OBJ_TRUSTED_DOMAIN
);
658 if (filter
== NULL
) {
659 return NT_STATUS_NO_MEMORY
;
662 base_dn
= trusted_domain_base_dn(ldap_state
);
663 if (base_dn
== NULL
) {
665 return NT_STATUS_NO_MEMORY
;
668 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
, scope
, filter
,
671 TALLOC_FREE(base_dn
);
673 if (result
!= NULL
) {
674 talloc_autofree_ldapmsg(mem_ctx
, result
);
677 if (rc
== LDAP_NO_SUCH_OBJECT
) {
683 if (rc
!= LDAP_SUCCESS
) {
684 return NT_STATUS_UNSUCCESSFUL
;
688 if (!(*domains
= talloc_array(mem_ctx
, struct pdb_trusted_domain
*, 1))) {
689 DEBUG(1, ("talloc failed\n"));
690 return NT_STATUS_NO_MEMORY
;
693 for (entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
695 entry
= ldap_next_entry(priv2ld(ldap_state
), entry
))
697 struct pdb_trusted_domain
*dom_info
;
699 if (!fill_pdb_trusted_domain(*domains
, ldap_state
, entry
,
701 return NT_STATUS_UNSUCCESSFUL
;
704 ADD_TO_ARRAY(*domains
, struct pdb_trusted_domain
*, dom_info
,
705 domains
, num_domains
);
707 if (*domains
== NULL
) {
708 DEBUG(1, ("talloc failed\n"));
709 return NT_STATUS_NO_MEMORY
;
713 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains
));
717 static NTSTATUS
ipasam_enum_trusteddoms(struct pdb_methods
*methods
,
719 uint32_t *num_domains
,
720 struct trustdom_info
***domains
)
723 struct pdb_trusted_domain
**td
;
726 status
= ipasam_enum_trusted_domains(methods
, talloc_tos(),
728 if (!NT_STATUS_IS_OK(status
)) {
732 if (*num_domains
== 0) {
736 if (!(*domains
= talloc_array(mem_ctx
, struct trustdom_info
*,
738 DEBUG(1, ("talloc failed\n"));
739 return NT_STATUS_NO_MEMORY
;
742 for (i
= 0; i
< *num_domains
; i
++) {
743 struct trustdom_info
*dom_info
;
745 dom_info
= talloc(*domains
, struct trustdom_info
);
746 if (dom_info
== NULL
) {
747 DEBUG(1, ("talloc failed\n"));
748 return NT_STATUS_NO_MEMORY
;
751 dom_info
->name
= talloc_steal(mem_ctx
, td
[i
]->netbios_name
);
752 sid_copy(&dom_info
->sid
, &td
[i
]->security_identifier
);
754 (*domains
)[i
] = dom_info
;
760 static uint32_t pdb_ipasam_capabilities(struct pdb_methods
*methods
)
762 return PDB_CAP_STORE_RIDS
| PDB_CAP_ADS
| PDB_CAP_TRUSTED_DOMAINS_EX
;
765 static struct pdb_domain_info
*pdb_ipasam_get_domain_info(struct pdb_methods
*pdb_methods
,
768 struct pdb_domain_info
*info
;
769 struct ldapsam_privates
*ldap_state
=
770 (struct ldapsam_privates
*)pdb_methods
->private_data
;
775 info
= talloc(mem_ctx
, struct pdb_domain_info
);
780 info
->name
= talloc_strdup(info
, ldap_state
->domain_name
);
781 if (info
->name
== NULL
) {
785 /* TODO: read dns_domain, dns_forest and guid from LDAP */
786 info
->dns_domain
= talloc_strdup(info
, lp_realm());
787 if (info
->dns_domain
== NULL
) {
790 strlower_m(info
->dns_domain
);
791 info
->dns_forest
= talloc_strdup(info
, info
->dns_domain
);
793 /* we expect a domain SID to have 4 sub IDs */
794 if (ldap_state
->domain_sid
.num_auths
!= 4) {
798 sid_copy(&info
->sid
, &ldap_state
->domain_sid
);
800 if (!sid_linearize(sid_buf
, sizeof(sid_buf
), &info
->sid
)) {
804 /* the first 8 bytes of the linearized SID are not random,
806 sid_blob
.data
= (uint8_t *) sid_buf
+ 8 ;
807 sid_blob
.length
= 16;
809 status
= GUID_from_ndr_blob(&sid_blob
, &info
->guid
);
810 if (!NT_STATUS_IS_OK(status
)) {
821 static NTSTATUS
modify_ipa_password_exop(struct ldapsam_privates
*ldap_state
,
822 struct samu
*sampass
)
825 BerElement
*ber
= NULL
;
826 struct berval
*bv
= NULL
;
828 struct berval
*retdata
= NULL
;
829 const char *password
;
832 password
= pdb_get_plaintext_passwd(sampass
);
833 if (password
== NULL
|| *password
== '\0') {
834 return NT_STATUS_INVALID_PARAMETER
;
837 dn
= get_account_dn(pdb_get_username(sampass
));
839 return NT_STATUS_INVALID_PARAMETER
;
842 ber
= ber_alloc_t( LBER_USE_DER
);
844 DEBUG(7, ("ber_alloc_t failed.\n"));
845 return NT_STATUS_NO_MEMORY
;
848 ret
= ber_printf(ber
, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID
, dn
,
849 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW
, password
);
851 DEBUG(7, ("ber_printf failed.\n"));
853 return NT_STATUS_UNSUCCESSFUL
;
856 ret
= ber_flatten(ber
, &bv
);
859 DEBUG(1, ("ber_flatten failed.\n"));
860 return NT_STATUS_UNSUCCESSFUL
;
863 ret
= smbldap_extended_operation(ldap_state
->smbldap_state
,
864 LDAP_EXOP_MODIFY_PASSWD
, bv
, NULL
,
865 NULL
, &retoid
, &retdata
);
871 ldap_memfree(retoid
);
873 if (ret
!= LDAP_SUCCESS
) {
874 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
875 return NT_STATUS_UNSUCCESSFUL
;
881 static NTSTATUS
ipasam_get_objectclasses(struct ldapsam_privates
*ldap_state
,
882 const char *dn
, LDAPMessage
*entry
,
883 uint32_t *has_objectclass
)
885 char **objectclasses
;
888 objectclasses
= ldap_get_values(priv2ld(ldap_state
), entry
,
889 LDAP_ATTRIBUTE_OBJECTCLASS
);
890 if (objectclasses
== NULL
) {
891 DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn
));
892 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
895 *has_objectclass
= 0;
896 for (c
= 0; objectclasses
[c
] != NULL
; c
++) {
897 if (strequal(objectclasses
[c
], LDAP_OBJ_KRB_PRINCIPAL
)) {
898 *has_objectclass
|= HAS_KRB_PRINCIPAL
;
899 } else if (strequal(objectclasses
[c
],
900 LDAP_OBJ_KRB_PRINCIPAL_AUX
)) {
901 *has_objectclass
|= HAS_KRB_PRINCIPAL_AUX
;
902 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAOBJECT
)) {
903 *has_objectclass
|= HAS_IPAOBJECT
;
904 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAHOST
)) {
905 *has_objectclass
|= HAS_IPAHOST
;
906 } else if (strequal(objectclasses
[c
], LDAP_OBJ_POSIXACCOUNT
)) {
907 *has_objectclass
|= HAS_POSIXACCOUNT
;
908 } else if (strequal(objectclasses
[c
], LDAP_OBJ_GROUPOFNAMES
)) {
909 *has_objectclass
|= HAS_GROUPOFNAMES
;
910 } else if (strequal(objectclasses
[c
], LDAP_OBJ_NESTEDGROUP
)) {
911 *has_objectclass
|= HAS_NESTEDGROUP
;
912 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAUSERGROUP
)) {
913 *has_objectclass
|= HAS_IPAUSERGROUP
;
914 } else if (strequal(objectclasses
[c
], LDAP_OBJ_POSIXGROUP
)) {
915 *has_objectclass
|= HAS_POSIXGROUP
;
918 ldap_value_free(objectclasses
);
929 static NTSTATUS
find_obj(struct ldapsam_privates
*ldap_state
, const char *name
,
930 enum obj_type type
, char **_dn
,
931 uint32_t *_has_objectclass
)
936 LDAPMessage
*result
= NULL
;
937 LDAPMessage
*entry
= NULL
;
940 uint32_t has_objectclass
;
942 const char *obj_class
= NULL
;
946 obj_class
= LDAP_OBJ_POSIXACCOUNT
;
949 obj_class
= LDAP_OBJ_POSIXGROUP
;
952 DEBUG(0, ("Unsupported IPA object.\n"));
953 return NT_STATUS_INVALID_PARAMETER
;
956 username
= escape_ldap_string(talloc_tos(), name
);
957 if (username
== NULL
) {
958 return NT_STATUS_NO_MEMORY
;
960 filter
= talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
961 username
, obj_class
);
962 if (filter
== NULL
) {
963 return NT_STATUS_NO_MEMORY
;
965 TALLOC_FREE(username
);
967 ret
= smbldap_search_suffix(ldap_state
->smbldap_state
, filter
, NULL
,
969 if (ret
!= LDAP_SUCCESS
) {
970 DEBUG(0, ("smbldap_search_suffix failed.\n"));
971 return NT_STATUS_ACCESS_DENIED
;
974 num_result
= ldap_count_entries(priv2ld(ldap_state
), result
);
976 if (num_result
!= 1) {
977 if (num_result
== 0) {
980 status
= NT_STATUS_NO_SUCH_USER
;
983 status
= NT_STATUS_NO_SUCH_GROUP
;
986 status
= NT_STATUS_INVALID_PARAMETER
;
989 DEBUG (0, ("find_user: More than one object with name [%s] ?!\n",
991 status
= NT_STATUS_INTERNAL_DB_CORRUPTION
;
996 entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
998 DEBUG(0,("find_user: Out of memory!\n"));
999 status
= NT_STATUS_UNSUCCESSFUL
;
1003 dn
= smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state
), entry
);
1005 DEBUG(0,("find_user: Out of memory!\n"));
1006 status
= NT_STATUS_NO_MEMORY
;
1010 status
= ipasam_get_objectclasses(ldap_state
, dn
, entry
, &has_objectclass
);
1011 if (!NT_STATUS_IS_OK(status
)) {
1016 *_has_objectclass
= has_objectclass
;
1018 status
= NT_STATUS_OK
;
1021 ldap_msgfree(result
);
1026 static NTSTATUS
find_user(struct ldapsam_privates
*ldap_state
, const char *name
,
1027 char **_dn
, uint32_t *_has_objectclass
)
1029 return find_obj(ldap_state
, name
, IPA_USER_OBJ
, _dn
, _has_objectclass
);
1032 static NTSTATUS
find_group(struct ldapsam_privates
*ldap_state
, const char *name
,
1033 char **_dn
, uint32_t *_has_objectclass
)
1035 return find_obj(ldap_state
, name
, IPA_GROUP_OBJ
, _dn
, _has_objectclass
);
1038 static NTSTATUS
ipasam_add_posix_account_objectclass(struct ldapsam_privates
*ldap_state
,
1041 const char *username
)
1044 LDAPMod
**mods
= NULL
;
1046 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1047 "objectclass", "posixAccount");
1048 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1050 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1051 "uidNumber", IPA_MAGIC_ID_STR
);
1052 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1053 "gidNumber", "12345");
1054 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1055 "homeDirectory", "/dev/null");
1057 if (ldap_op
== LDAP_MOD_ADD
) {
1058 ret
= smbldap_add(ldap_state
->smbldap_state
, dn
, mods
);
1060 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1062 ldap_mods_free(mods
, 1);
1063 if (ret
!= LDAP_SUCCESS
) {
1064 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1066 return NT_STATUS_LDAP(ret
);
1069 return NT_STATUS_OK
;
1072 static NTSTATUS
ipasam_add_ipa_group_objectclasses(struct ldapsam_privates
*ldap_state
,
1075 uint32_t has_objectclass
)
1077 LDAPMod
**mods
= NULL
;
1080 if (!(has_objectclass
& HAS_GROUPOFNAMES
)) {
1081 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1082 LDAP_ATTRIBUTE_OBJECTCLASS
,
1083 LDAP_OBJ_GROUPOFNAMES
);
1086 if (!(has_objectclass
& HAS_NESTEDGROUP
)) {
1087 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1088 LDAP_ATTRIBUTE_OBJECTCLASS
,
1089 LDAP_OBJ_NESTEDGROUP
);
1092 if (!(has_objectclass
& HAS_IPAUSERGROUP
)) {
1093 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1094 LDAP_ATTRIBUTE_OBJECTCLASS
,
1095 LDAP_OBJ_IPAUSERGROUP
);
1098 if (!(has_objectclass
& HAS_IPAOBJECT
)) {
1099 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1100 LDAP_ATTRIBUTE_OBJECTCLASS
,
1101 LDAP_OBJ_IPAOBJECT
);
1104 if (!(has_objectclass
& HAS_POSIXGROUP
)) {
1105 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1106 LDAP_ATTRIBUTE_OBJECTCLASS
,
1107 LDAP_OBJ_POSIXGROUP
);
1108 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1111 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1112 LDAP_ATTRIBUTE_GIDNUMBER
,
1116 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1117 ldap_mods_free(mods
, 1);
1118 if (ret
!= LDAP_SUCCESS
) {
1119 DEBUG(1, ("failed to modify/add group %s (dn = %s)\n",
1121 return NT_STATUS_LDAP(ret
);
1124 return NT_STATUS_OK
;
1127 static NTSTATUS
ipasam_add_ipa_objectclasses(struct ldapsam_privates
*ldap_state
,
1128 const char *dn
, const char *name
,
1130 uint32_t acct_flags
,
1131 uint32_t has_objectclass
)
1133 LDAPMod
**mods
= NULL
;
1137 if (!(has_objectclass
& HAS_KRB_PRINCIPAL
)) {
1138 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1139 LDAP_ATTRIBUTE_OBJECTCLASS
,
1140 LDAP_OBJ_KRB_PRINCIPAL
);
1142 princ
= talloc_asprintf(talloc_tos(), "%s@%s", name
, lp_realm());
1143 if (princ
== NULL
) {
1144 return NT_STATUS_NO_MEMORY
;
1147 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, LDAP_ATTRIBUTE_KRB_PRINCIPAL
, princ
);
1150 if (!(has_objectclass
& HAS_KRB_PRINCIPAL_AUX
)) {
1151 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1152 LDAP_ATTRIBUTE_OBJECTCLASS
,
1153 LDAP_OBJ_KRB_PRINCIPAL_AUX
);
1156 if (!(has_objectclass
& HAS_IPAOBJECT
)) {
1157 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1158 LDAP_ATTRIBUTE_OBJECTCLASS
, LDAP_OBJ_IPAOBJECT
);
1161 if ((acct_flags
!= 0) &&
1162 (((acct_flags
& ACB_NORMAL
) && name
[strlen(name
)-1] == '$') ||
1163 ((acct_flags
& (ACB_WSTRUST
|ACB_SVRTRUST
|ACB_DOMTRUST
)) != 0))) {
1165 if (!(has_objectclass
& HAS_IPAHOST
)) {
1166 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1167 LDAP_ATTRIBUTE_OBJECTCLASS
,
1170 if (domain
== NULL
) {
1171 return NT_STATUS_INVALID_PARAMETER
;
1174 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1179 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1180 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1181 "objectclass", "posixAccount");
1182 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "cn", name
);
1183 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1184 "uidNumber", IPA_MAGIC_ID_STR
);
1185 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1186 "gidNumber", "12345");
1187 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1188 "homeDirectory", "/dev/null");
1192 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1193 ldap_mods_free(mods
, 1);
1194 if (ret
!= LDAP_SUCCESS
) {
1195 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1197 return NT_STATUS_LDAP(ret
);
1201 return NT_STATUS_OK
;
1204 static NTSTATUS
pdb_ipasam_add_sam_account(struct pdb_methods
*pdb_methods
,
1205 struct samu
*sampass
)
1208 struct ldapsam_privates
*ldap_state
;
1211 uint32_t has_objectclass
;
1213 struct dom_sid user_sid
;
1215 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1217 if (IS_SAM_SET(sampass
, PDB_USERSID
) ||
1218 IS_SAM_CHANGED(sampass
, PDB_USERSID
)) {
1219 if (!pdb_new_rid(&rid
)) {
1220 return NT_STATUS_DS_NO_MORE_RIDS
;
1222 sid_compose(&user_sid
, get_global_sam_sid(), rid
);
1223 if (!pdb_set_user_sid(sampass
, &user_sid
, PDB_SET
)) {
1224 return NT_STATUS_UNSUCCESSFUL
;
1228 status
= ldap_state
->ipasam_privates
->ldapsam_add_sam_account(pdb_methods
,
1230 if (!NT_STATUS_IS_OK(status
)) {
1234 if (ldap_state
->ipasam_privates
->server_is_ipa
) {
1235 name
= pdb_get_username(sampass
);
1236 if (name
== NULL
|| *name
== '\0') {
1237 return NT_STATUS_INVALID_PARAMETER
;
1240 status
= find_user(ldap_state
, name
, &dn
, &has_objectclass
);
1241 if (!NT_STATUS_IS_OK(status
)) {
1245 status
= ipasam_add_ipa_objectclasses(ldap_state
, dn
, name
,
1246 pdb_get_domain(sampass
),
1247 pdb_get_acct_ctrl(sampass
),
1249 if (!NT_STATUS_IS_OK(status
)) {
1253 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1254 status
= ipasam_add_posix_account_objectclass(ldap_state
,
1257 if (!NT_STATUS_IS_OK(status
)) {
1262 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
1263 status
= modify_ipa_password_exop(ldap_state
, sampass
);
1264 if (!NT_STATUS_IS_OK(status
)) {
1270 return NT_STATUS_OK
;
1273 static NTSTATUS
pdb_ipasam_update_sam_account(struct pdb_methods
*pdb_methods
,
1274 struct samu
*sampass
)
1277 struct ldapsam_privates
*ldap_state
;
1278 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1280 status
= ldap_state
->ipasam_privates
->ldapsam_update_sam_account(pdb_methods
,
1282 if (!NT_STATUS_IS_OK(status
)) {
1286 if (ldap_state
->ipasam_privates
->server_is_ipa
) {
1287 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
1288 status
= modify_ipa_password_exop(ldap_state
, sampass
);
1289 if (!NT_STATUS_IS_OK(status
)) {
1295 return NT_STATUS_OK
;
1298 static NTSTATUS
ipasam_create_dom_group(struct pdb_methods
*pdb_methods
,
1299 TALLOC_CTX
*tmp_ctx
, const char *name
,
1303 struct ldapsam_privates
*ldap_state
;
1304 int ldap_op
= LDAP_MOD_REPLACE
;
1306 uint32_t has_objectclass
= 0;
1308 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1310 if (name
== NULL
|| *name
== '\0') {
1311 return NT_STATUS_INVALID_PARAMETER
;
1314 status
= find_group(ldap_state
, name
, &dn
, &has_objectclass
);
1315 if (NT_STATUS_IS_OK(status
)) {
1316 ldap_op
= LDAP_MOD_REPLACE
;
1317 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1318 ldap_op
= LDAP_MOD_ADD
;
1323 if (!(has_objectclass
& HAS_POSIXGROUP
)) {
1324 status
= ipasam_add_ipa_group_objectclasses(ldap_state
, dn
,
1327 if (!NT_STATUS_IS_OK(status
)) {
1332 status
= ldap_state
->ipasam_privates
->ldapsam_create_dom_group(pdb_methods
,
1336 if (!NT_STATUS_IS_OK(status
)) {
1340 return NT_STATUS_OK
;
1342 static NTSTATUS
ipasam_create_user(struct pdb_methods
*pdb_methods
,
1343 TALLOC_CTX
*tmp_ctx
, const char *name
,
1344 uint32_t acb_info
, uint32_t *rid
)
1347 struct ldapsam_privates
*ldap_state
;
1348 int ldap_op
= LDAP_MOD_REPLACE
;
1350 uint32_t has_objectclass
= 0;
1352 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1354 if (name
== NULL
|| *name
== '\0') {
1355 return NT_STATUS_INVALID_PARAMETER
;
1358 status
= find_user(ldap_state
, name
, &dn
, &has_objectclass
);
1359 if (NT_STATUS_IS_OK(status
)) {
1360 ldap_op
= LDAP_MOD_REPLACE
;
1361 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1362 char *escape_username
;
1363 ldap_op
= LDAP_MOD_ADD
;
1364 escape_username
= escape_rdn_val_string_alloc(name
);
1365 if (!escape_username
) {
1366 return NT_STATUS_NO_MEMORY
;
1368 if (name
[strlen(name
)-1] == '$') {
1369 dn
= talloc_asprintf(tmp_ctx
, "uid=%s,%s",
1371 lp_ldap_machine_suffix());
1373 dn
= talloc_asprintf(tmp_ctx
, "uid=%s,%s",
1375 lp_ldap_user_suffix());
1377 SAFE_FREE(escape_username
);
1379 return NT_STATUS_NO_MEMORY
;
1385 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1386 status
= ipasam_add_posix_account_objectclass(ldap_state
, ldap_op
,
1388 if (!NT_STATUS_IS_OK(status
)) {
1391 has_objectclass
|= HAS_POSIXACCOUNT
;
1394 status
= ldap_state
->ipasam_privates
->ldapsam_create_user(pdb_methods
,
1397 if (!NT_STATUS_IS_OK(status
)) {
1401 status
= ipasam_add_ipa_objectclasses(ldap_state
, dn
, name
, lp_realm(),
1402 acb_info
, has_objectclass
);
1403 if (!NT_STATUS_IS_OK(status
)) {
1407 return NT_STATUS_OK
;
1410 static NTSTATUS
pdb_init_IPA_ldapsam(struct pdb_methods
**pdb_method
, const char *location
)
1412 struct ldapsam_privates
*ldap_state
;
1415 status
= pdb_init_ldapsam(pdb_method
, location
);
1416 if (!NT_STATUS_IS_OK(status
)) {
1420 (*pdb_method
)->name
= "IPA_ldapsam";
1422 ldap_state
= (struct ldapsam_privates
*)((*pdb_method
)->private_data
);
1423 ldap_state
->ipasam_privates
= talloc_zero(ldap_state
,
1424 struct ipasam_privates
);
1425 if (ldap_state
->ipasam_privates
== NULL
) {
1426 return NT_STATUS_NO_MEMORY
;
1428 ldap_state
->is_ipa_ldap
= True
;
1430 ldap_state
->ipasam_privates
->server_is_ipa
= smbldap_has_extension(
1431 priv2ld(ldap_state
), IPA_KEYTAB_SET_OID
);
1432 ldap_state
->ipasam_privates
->ldapsam_add_sam_account
= (*pdb_method
)->add_sam_account
;
1433 ldap_state
->ipasam_privates
->ldapsam_update_sam_account
= (*pdb_method
)->update_sam_account
;
1434 ldap_state
->ipasam_privates
->ldapsam_create_user
= (*pdb_method
)->create_user
;
1435 ldap_state
->ipasam_privates
->ldapsam_create_dom_group
= (*pdb_method
)->create_dom_group
;
1437 (*pdb_method
)->add_sam_account
= pdb_ipasam_add_sam_account
;
1438 (*pdb_method
)->update_sam_account
= pdb_ipasam_update_sam_account
;
1440 if (lp_parm_bool(-1, "ldapsam", "trusted", False
)) {
1441 if (lp_parm_bool(-1, "ldapsam", "editposix", False
)) {
1442 (*pdb_method
)->create_user
= ipasam_create_user
;
1443 (*pdb_method
)->create_dom_group
= ipasam_create_dom_group
;
1447 (*pdb_method
)->capabilities
= pdb_ipasam_capabilities
;
1448 (*pdb_method
)->get_domain_info
= pdb_ipasam_get_domain_info
;
1450 (*pdb_method
)->get_trusteddom_pw
= ipasam_get_trusteddom_pw
;
1451 (*pdb_method
)->set_trusteddom_pw
= ipasam_set_trusteddom_pw
;
1452 (*pdb_method
)->del_trusteddom_pw
= ipasam_del_trusteddom_pw
;
1453 (*pdb_method
)->enum_trusteddoms
= ipasam_enum_trusteddoms
;
1455 (*pdb_method
)->get_trusted_domain
= ipasam_get_trusted_domain
;
1456 (*pdb_method
)->get_trusted_domain_by_sid
= ipasam_get_trusted_domain_by_sid
;
1457 (*pdb_method
)->set_trusted_domain
= ipasam_set_trusted_domain
;
1458 (*pdb_method
)->del_trusted_domain
= ipasam_del_trusted_domain
;
1459 (*pdb_method
)->enum_trusted_domains
= ipasam_enum_trusted_domains
;
1461 return NT_STATUS_OK
;
1464 NTSTATUS
pdb_ipa_init(void)
1468 if (!NT_STATUS_IS_OK(nt_status
= smb_register_passdb(PASSDB_INTERFACE_VERSION
, "IPA_ldapsam", pdb_init_IPA_ldapsam
)))
1471 return NT_STATUS_OK
;