search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
KCC: docstring for kcc.graph.InternalEdge
[Samba.git] / source3 / libnet / libnet_dssync_passdb.c
blob561777688ed87d98bbb7b7ce161988989388c06a
1 /*
2 Unix SMB/CIFS implementation.
3
4 Copyright (C) Guenther Deschner <gd@samba.org> 2008
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "system/passwd.h"
22 #include "libnet/libnet_dssync.h"
23 #include "../libcli/security/security.h"
24 #include "../libds/common/flags.h"
25 #include "../librpc/gen_ndr/ndr_drsuapi.h"
26 #include "util_tdb.h"
27 #include "dbwrap/dbwrap.h"
28 #include "dbwrap/dbwrap_rbt.h"
29 #include "../libds/common/flag_mapping.h"
30 #include "passdb.h"
31
32 /****************************************************************
33 ****************************************************************/
34
35 struct dssync_passdb {
36 struct pdb_methods *methods;
37 struct db_context *all;
38 struct db_context *aliases;
39 struct db_context *groups;
40 };
41
42 struct dssync_passdb_obj {
43 struct dssync_passdb_obj *self;
44 uint32_t type;
45 struct drsuapi_DsReplicaObjectListItemEx *cur;
46 TDB_DATA key;
47 TDB_DATA data;
48 struct db_context *members;
49 };
50
51 struct dssync_passdb_mem {
52 struct dssync_passdb_mem *self;
53 bool active;
54 struct drsuapi_DsReplicaObjectIdentifier3 *cur;
55 struct dssync_passdb_obj *obj;
56 TDB_DATA key;
57 TDB_DATA data;
58 };
59
60 static NTSTATUS dssync_insert_obj(struct dssync_passdb *pctx,
61 struct db_context *db,
62 struct dssync_passdb_obj *obj)
63 {
64 NTSTATUS status;
65 struct db_record *rec;
66 TDB_DATA value;
67
68 rec = dbwrap_fetch_locked(db, talloc_tos(), obj->key);
69 if (rec == NULL) {
70 return NT_STATUS_NO_MEMORY;
71 }
72
73 value = dbwrap_record_get_value(rec);
74 if (value.dsize != 0) {
75 abort();
76 }
77
78 status = dbwrap_record_store(rec, obj->data, TDB_INSERT);
79 if (!NT_STATUS_IS_OK(status)) {
80 TALLOC_FREE(rec);
81 return status;
82 }
83 TALLOC_FREE(rec);
84 return NT_STATUS_OK;
85 }
86
87 static struct dssync_passdb_obj *dssync_parse_obj(const TDB_DATA data)
88 {
89 struct dssync_passdb_obj *obj;
90
91 if (data.dsize != sizeof(obj)) {
92 return NULL;
93 }
94
95 /*
96 * we need to copy the pointer to avoid alignment problems
97 * on some systems.
98 */
99 memcpy(&obj, data.dptr, sizeof(obj));
100
101 return talloc_get_type_abort(obj, struct dssync_passdb_obj);
102 }
103
104 static struct dssync_passdb_obj *dssync_search_obj_by_guid(struct dssync_passdb *pctx,
105 struct db_context *db,
106 const struct GUID *guid)
107 {
108 struct dssync_passdb_obj *obj;
109 TDB_DATA key;
110 TDB_DATA data;
111 NTSTATUS status;
112
113 key = make_tdb_data((const uint8_t *)(const void *)guid,
114 sizeof(*guid));
115
116 status = dbwrap_fetch(db, talloc_tos(), key, &data);
117 if (!NT_STATUS_IS_OK(status)) {
118 return NULL;
119 }
120
121 obj = dssync_parse_obj(data);
122 return obj;
123 }
124
125 static NTSTATUS dssync_create_obj(struct dssync_passdb *pctx,
126 struct db_context *db,
127 uint32_t type,
128 struct drsuapi_DsReplicaObjectListItemEx *cur,
129 struct dssync_passdb_obj **_obj)
130 {
131 NTSTATUS status;
132 struct dssync_passdb_obj *obj;
133
134 obj = talloc_zero(pctx, struct dssync_passdb_obj);
135 if (obj == NULL) {
136 return NT_STATUS_NO_MEMORY;
137 }
138 obj->self = obj;
139 obj->cur = cur;
140 obj->type = type;
141 obj->key = make_tdb_data((const uint8_t *)(void *)&cur->object.identifier->guid,
142 sizeof(cur->object.identifier->guid));
143 obj->data = make_tdb_data((const uint8_t *)(void *)&obj->self,
144 sizeof(obj->self));
145
146 obj->members = db_open_rbt(obj);
147 if (obj->members == NULL) {
148 return NT_STATUS_NO_MEMORY;
149 }
150
151 status = dssync_insert_obj(pctx, db, obj);
152 if (!NT_STATUS_IS_OK(status)) {
153 TALLOC_FREE(obj);
154 return status;
155 }
156 *_obj = obj;
157 return NT_STATUS_OK;
158 }
159
160 static NTSTATUS dssync_insert_mem(struct dssync_passdb *pctx,
161 struct dssync_passdb_obj *obj,
162 struct dssync_passdb_mem *mem)
163 {
164 NTSTATUS status;
165 struct db_record *rec;
166 TDB_DATA value;
167
168 rec = dbwrap_fetch_locked(obj->members, talloc_tos(), mem->key);
169 if (rec == NULL) {
170 return NT_STATUS_NO_MEMORY;
171 }
172
173 value = dbwrap_record_get_value(rec);
174 if (value.dsize != 0) {
175 abort();
176 }
177
178 status = dbwrap_record_store(rec, mem->data, TDB_INSERT);
179 if (!NT_STATUS_IS_OK(status)) {
180 TALLOC_FREE(rec);
181 return status;
182 }
183 TALLOC_FREE(rec);
184 return NT_STATUS_OK;
185 }
186
187 static NTSTATUS dssync_create_mem(struct dssync_passdb *pctx,
188 struct dssync_passdb_obj *obj,
189 bool active,
190 struct drsuapi_DsReplicaObjectIdentifier3 *cur,
191 struct dssync_passdb_mem **_mem)
192 {
193 NTSTATUS status;
194 struct dssync_passdb_mem *mem;
195
196 mem = talloc_zero(pctx, struct dssync_passdb_mem);
197 if (mem == NULL) {
198 return NT_STATUS_NO_MEMORY;
199 }
200 mem->self = mem;
201 mem->cur = cur;
202 mem->active = active;
203 mem->obj = NULL;
204 mem->key = make_tdb_data((const uint8_t *)(void *)&cur->guid,
205 sizeof(cur->guid));
206 mem->data = make_tdb_data((const uint8_t *)(void *)&mem->self,
207 sizeof(mem->self));
208
209 status = dssync_insert_mem(pctx, obj, mem);
210 if (!NT_STATUS_IS_OK(status)) {
211 TALLOC_FREE(obj);
212 return status;
213 }
214 *_mem = mem;
215 return NT_STATUS_OK;
216 }
217
218 static struct dssync_passdb_mem *dssync_parse_mem(const TDB_DATA data)
219 {
220 struct dssync_passdb_mem *mem;
221
222 if (data.dsize != sizeof(mem)) {
223 return NULL;
224 }
225
226 /*
227 * we need to copy the pointer to avoid alignment problems
228 * on some systems.
229 */
230 memcpy(&mem, data.dptr, sizeof(mem));
231
232 return talloc_get_type_abort(mem, struct dssync_passdb_mem);
233 }
234
235 static NTSTATUS passdb_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
236 struct replUpToDateVectorBlob **pold_utdv)
237 {
238 NTSTATUS status;
239 struct dssync_passdb *pctx;
240
241 pctx = talloc_zero(mem_ctx, struct dssync_passdb);
242 if (pctx == NULL) {
243 return NT_STATUS_NO_MEMORY;
244 }
245
246 if (ctx->output_filename) {
247 status = make_pdb_method_name(&pctx->methods, ctx->output_filename);
248 } else {
249 status = make_pdb_method_name(&pctx->methods, lp_passdb_backend());
250 }
251
252 if (!NT_STATUS_IS_OK(status)) {
253 return status;
254 }
255
256 pctx->all = db_open_rbt(pctx);
257 if (pctx->all == NULL) {
258 return NT_STATUS_NO_MEMORY;
259 }
260 pctx->aliases = db_open_rbt(pctx);
261 if (pctx->aliases == NULL) {
262 return NT_STATUS_NO_MEMORY;
263 }
264 pctx->groups = db_open_rbt(pctx);
265 if (pctx->groups == NULL) {
266 return NT_STATUS_NO_MEMORY;
267 }
268
269 ctx->private_data = pctx;
270
271 return status;
272 }
273
274 /****************************************************************
275 ****************************************************************/
276
277 struct dssync_passdb_traverse_amembers {
278 struct dssync_context *ctx;
279 struct dssync_passdb_obj *obj;
280 const char *name;
281 uint32_t idx;
282 };
283
284 struct dssync_passdb_traverse_aliases {
285 struct dssync_context *ctx;
286 const char *name;
287 uint32_t idx;
288 };
289
290 static int dssync_passdb_traverse_amembers(struct db_record *rec,
291 void *private_data)
292 {
293 struct dssync_passdb_traverse_amembers *state =
294 (struct dssync_passdb_traverse_amembers *)private_data;
295 struct dssync_passdb *pctx =
296 talloc_get_type_abort(state->ctx->private_data,
297 struct dssync_passdb);
298 struct dssync_passdb_mem *mem;
299 NTSTATUS status;
300 struct dom_sid alias_sid;
301 struct dom_sid member_sid;
302 const char *member_dn;
303 size_t num_members;
304 size_t i;
305 struct dom_sid *members;
306 bool is_member = false;
307 const char *action;
308 TDB_DATA value;
309
310 state->idx++;
311
312 alias_sid = state->obj->cur->object.identifier->sid;
313
314 value = dbwrap_record_get_value(rec);
315 mem = dssync_parse_mem(value);
316 if (mem == NULL) {
317 return -1;
318 }
319
320 member_sid = mem->cur->sid;
321 member_dn = mem->cur->dn;
322
323 mem->obj = dssync_search_obj_by_guid(pctx, pctx->all, &mem->cur->guid);
324 if (mem->obj == NULL) {
325 DEBUG(0,("alias[%s] member[%s] can't resolve member - ignoring\n",
326 sid_string_dbg(&alias_sid),
327 is_null_sid(&member_sid)?
328 sid_string_dbg(&member_sid):
329 member_dn));
330 return 0;
331 }
332
333 switch (mem->obj->type) {
334 case ATYPE_DISTRIBUTION_LOCAL_GROUP:
335 case ATYPE_DISTRIBUTION_GLOBAL_GROUP:
336 DEBUG(0, ("alias[%s] ignore distribution group [%s]\n",
337 sid_string_dbg(&alias_sid),
338 member_dn));
339 return 0;
340 default:
341 break;
342 }
343
344 DEBUG(0,("alias[%s] member[%s]\n",
345 sid_string_dbg(&alias_sid),
346 sid_string_dbg(&member_sid)));
347
348 status = pdb_enum_aliasmem(&alias_sid, talloc_tos(),
349 &members, &num_members);
350 if (!NT_STATUS_IS_OK(status)) {
351 DEBUG(0, ("Could not find current alias members %s - %s\n",
352 sid_string_dbg(&alias_sid),
353 nt_errstr(status)));
354 return -1;
355 }
356
357 for (i=0; i < num_members; i++) {
358 bool match;
359
360 match = dom_sid_equal(&members[i], &member_sid);
361 if (match) {
362 is_member = true;
363 break;
364 }
365 }
366
367 status = NT_STATUS_OK;
368 action = "none";
369 if (!is_member && mem->active) {
370 action = "add";
371 pdb_add_aliasmem(&alias_sid, &member_sid);
372 } else if (is_member && !mem->active) {
373 action = "delete";
374 pdb_del_aliasmem(&alias_sid, &member_sid);
375 }
376 if (!NT_STATUS_IS_OK(status)) {
377 DEBUG(0, ("Could not %s %s as alias members of %s - %s\n",
378 action,
379 sid_string_dbg(&member_sid),
380 sid_string_dbg(&alias_sid),
381 nt_errstr(status)));
382 return -1;
383 }
384
385 return 0;
386 }
387
388 static int dssync_passdb_traverse_aliases(struct db_record *rec,
389 void *private_data)
390 {
391 struct dssync_passdb_traverse_aliases *state =
392 (struct dssync_passdb_traverse_aliases *)private_data;
393 struct dssync_passdb *pctx =
394 talloc_get_type_abort(state->ctx->private_data,
395 struct dssync_passdb);
396 struct dssync_passdb_traverse_amembers mstate;
397 struct dssync_passdb_obj *obj;
398 TDB_DATA value;
399 NTSTATUS status;
400
401 state->idx++;
402 if (pctx->methods == NULL) {
403 return -1;
404 }
405
406 value = dbwrap_record_get_value(rec);
407 obj = dssync_parse_obj(value);
408 if (obj == NULL) {
409 return -1;
410 }
411
412 ZERO_STRUCT(mstate);
413 mstate.ctx = state->ctx;
414 mstate.name = "members";
415 mstate.obj = obj;
416 status = dbwrap_traverse_read(obj->members,
417 dssync_passdb_traverse_amembers,
418 &mstate, NULL);
419 if (!NT_STATUS_IS_OK(status)) {
420 return -1;
421 }
422
423 return 0;
424 }
425
426 struct dssync_passdb_traverse_gmembers {
427 struct dssync_context *ctx;
428 struct dssync_passdb_obj *obj;
429 const char *name;
430 uint32_t idx;
431 };
432
433 struct dssync_passdb_traverse_groups {
434 struct dssync_context *ctx;
435 const char *name;
436 uint32_t idx;
437 };
438
439 static int dssync_passdb_traverse_gmembers(struct db_record *rec,
440 void *private_data)
441 {
442 struct dssync_passdb_traverse_gmembers *state =
443 (struct dssync_passdb_traverse_gmembers *)private_data;
444 struct dssync_passdb *pctx =
445 talloc_get_type_abort(state->ctx->private_data,
446 struct dssync_passdb);
447 struct dssync_passdb_mem *mem;
448 NTSTATUS status;
449 char *nt_member = NULL;
450 char **unix_members;
451 struct dom_sid group_sid;
452 struct dom_sid member_sid;
453 struct samu *member = NULL;
454 const char *member_dn = NULL;
455 GROUP_MAP *map;
456 struct group *grp;
457 uint32_t rid;
458 bool is_unix_member = false;
459 TDB_DATA value;
460
461 state->idx++;
462
463 group_sid = state->obj->cur->object.identifier->sid;
464
465 status = dom_sid_split_rid(talloc_tos(), &group_sid, NULL, &rid);
466 if (!NT_STATUS_IS_OK(status)) {
467 return -1;
468 }
469
470 value = dbwrap_record_get_value(rec);
471
472 mem = dssync_parse_mem(value);
473 if (mem == NULL) {
474 return -1;
475 }
476
477 member_sid = mem->cur->sid;
478 member_dn = mem->cur->dn;
479
480 mem->obj = dssync_search_obj_by_guid(pctx, pctx->all, &mem->cur->guid);
481 if (mem->obj == NULL) {
482 DEBUG(0,("group[%s] member[%s] can't resolve member - ignoring\n",
483 sid_string_dbg(&group_sid),
484 is_null_sid(&member_sid)?
485 sid_string_dbg(&member_sid):
486 member_dn));
487 return 0;
488 }
489
490 member_sid = mem->obj->cur->object.identifier->sid;
491 member_dn = mem->obj->cur->object.identifier->dn;
492
493 switch (mem->obj->type) {
494 case ATYPE_SECURITY_LOCAL_GROUP:
495 case ATYPE_SECURITY_GLOBAL_GROUP:
496 DEBUG(0, ("Group[%s] ignore member group [%s]\n",
497 sid_string_dbg(&group_sid),
498 sid_string_dbg(&member_sid)));
499 return 0;
500
501 case ATYPE_DISTRIBUTION_LOCAL_GROUP:
502 case ATYPE_DISTRIBUTION_GLOBAL_GROUP:
503 DEBUG(0, ("Group[%s] ignore distribution group [%s]\n",
504 sid_string_dbg(&group_sid),
505 member_dn));
506 return 0;
507 default:
508 break;
509 }
510
511 map = talloc_zero(NULL, GROUP_MAP);
512 if (!map) {
513 return -1;
514 }
515
516 if (!get_domain_group_from_sid(group_sid, map)) {
517 DEBUG(0, ("Could not find global group %s\n",
518 sid_string_dbg(&group_sid)));
519 //return NT_STATUS_NO_SUCH_GROUP;
520 TALLOC_FREE(map);
521 return -1;
522 }
523
524 if (!(grp = getgrgid(map->gid))) {
525 DEBUG(0, ("Could not find unix group %lu\n",
526 (unsigned long)map->gid));
527 //return NT_STATUS_NO_SUCH_GROUP;
528 TALLOC_FREE(map);
529 return -1;
530 }
531
532 TALLOC_FREE(map);
533
534 DEBUG(0,("Group members of %s: ", grp->gr_name));
535
536 if ( !(member = samu_new(talloc_tos())) ) {
537 //return NT_STATUS_NO_MEMORY;
538 return -1;
539 }
540
541 if (!pdb_getsampwsid(member, &member_sid)) {
542 DEBUG(1, ("Found bogus group member: (member_sid=%s group=%s)\n",
543 sid_string_tos(&member_sid), grp->gr_name));
544 TALLOC_FREE(member);
545 return -1;
546 }
547
548 if (pdb_get_group_rid(member) == rid) {
549 DEBUGADD(0,("%s(primary),", pdb_get_username(member)));
550 TALLOC_FREE(member);
551 return -1;
552 }
553
554 DEBUGADD(0,("%s,", pdb_get_username(member)));
555 nt_member = talloc_strdup(talloc_tos(), pdb_get_username(member));
556 TALLOC_FREE(member);
557
558 DEBUGADD(0,("\n"));
559
560 unix_members = grp->gr_mem;
561
562 while (*unix_members) {
563 if (strcmp(*unix_members, nt_member) == 0) {
564 is_unix_member = true;
565 break;
566 }
567 unix_members += 1;
568 }
569
570 if (!is_unix_member && mem->active) {
571 smb_add_user_group(grp->gr_name, nt_member);
572 } else if (is_unix_member && !mem->active) {
573 smb_delete_user_group(grp->gr_name, nt_member);
574 }
575
576 return 0;
577 }
578
579 static int dssync_passdb_traverse_groups(struct db_record *rec,
580 void *private_data)
581 {
582 struct dssync_passdb_traverse_groups *state =
583 (struct dssync_passdb_traverse_groups *)private_data;
584 struct dssync_passdb *pctx =
585 talloc_get_type_abort(state->ctx->private_data,
586 struct dssync_passdb);
587 struct dssync_passdb_traverse_gmembers mstate;
588 struct dssync_passdb_obj *obj;
589 TDB_DATA value;
590 NTSTATUS status;
591
592 state->idx++;
593 if (pctx->methods == NULL) {
594 return -1;
595 }
596
597 value = dbwrap_record_get_value(rec);
598
599 obj = dssync_parse_obj(value);
600 if (obj == NULL) {
601 return -1;
602 }
603
604 ZERO_STRUCT(mstate);
605 mstate.ctx = state->ctx;
606 mstate.name = "members";
607 mstate.obj = obj;
608 status = dbwrap_traverse_read(obj->members,
609 dssync_passdb_traverse_gmembers,
610 &mstate, NULL);
611 if (!NT_STATUS_IS_OK(status)) {
612 return -1;
613 }
614
615 return 0;
616 }
617
618 static NTSTATUS passdb_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
619 struct replUpToDateVectorBlob *new_utdv)
620 {
621 struct dssync_passdb *pctx =
622 talloc_get_type_abort(ctx->private_data,
623 struct dssync_passdb);
624 struct dssync_passdb_traverse_aliases astate;
625 struct dssync_passdb_traverse_groups gstate;
626 NTSTATUS status;
627
628 ZERO_STRUCT(astate);
629 astate.ctx = ctx;
630 astate.name = "aliases";
631 status = dbwrap_traverse_read(pctx->aliases,
632 dssync_passdb_traverse_aliases,
633 &astate, NULL);
634 if (!NT_STATUS_IS_OK(status)) {
635 return NT_STATUS_INTERNAL_ERROR;
636 }
637
638 ZERO_STRUCT(gstate);
639 gstate.ctx = ctx;
640 gstate.name = "groups";
641 status = dbwrap_traverse_read(pctx->groups,
642 dssync_passdb_traverse_groups,
643 &gstate, NULL);
644 if (!NT_STATUS_IS_OK(status)) {
645 return NT_STATUS_INTERNAL_ERROR;
646 }
647
648 TALLOC_FREE(pctx->methods);
649 TALLOC_FREE(pctx);
650
651 return NT_STATUS_OK;
652 }
653
654 /****************************************************************
655 ****************************************************************/
656
657 static NTSTATUS smb_create_user(TALLOC_CTX *mem_ctx,
658 uint32_t acct_flags,
659 const char *account,
660 struct passwd **passwd_p)
661 {
662 struct passwd *passwd;
663 char *add_script = NULL;
664
665 passwd = Get_Pwnam_alloc(mem_ctx, account);
666 if (passwd) {
667 *passwd_p = passwd;
668 return NT_STATUS_OK;
669 }
670
671 /* Create appropriate user */
672 if (acct_flags & ACB_NORMAL) {
673 add_script = lp_add_user_script(mem_ctx);
674 } else if ( (acct_flags & ACB_WSTRUST) ||
675 (acct_flags & ACB_SVRTRUST) ||
676 (acct_flags & ACB_DOMTRUST) ) {
677 add_script = lp_add_machine_script(mem_ctx);
678 } else {
679 DEBUG(1, ("Unknown user type: %s\n",
680 pdb_encode_acct_ctrl(acct_flags, NEW_PW_FORMAT_SPACE_PADDED_LEN)));
681 return NT_STATUS_UNSUCCESSFUL;
682 }
683
684 if (!add_script) {
685 return NT_STATUS_NO_MEMORY;
686 }
687
688 if (*add_script) {
689 int add_ret;
690 add_script = talloc_all_string_sub(mem_ctx, add_script,
691 "%u", account);
692 if (!add_script) {
693 return NT_STATUS_NO_MEMORY;
694 }
695 add_ret = smbrun(add_script, NULL);
696 DEBUG(add_ret ? 0 : 1,("fetch_account: Running the command `%s' "
697 "gave %d\n", add_script, add_ret));
698 if (add_ret == 0) {
699 smb_nscd_flush_user_cache();
700 }
701 }
702
703 /* try and find the possible unix account again */
704 passwd = Get_Pwnam_alloc(mem_ctx, account);
705 if (!passwd) {
706 return NT_STATUS_NO_SUCH_USER;
707 }
708
709 *passwd_p = passwd;
710
711 return NT_STATUS_OK;
712 }
713
714 static struct drsuapi_DsReplicaAttribute *find_drsuapi_attr(
715 const struct drsuapi_DsReplicaObjectListItemEx *cur,
716 uint32_t attid)
717 {
718 int i = 0;
719
720 for (i = 0; i < cur->object.attribute_ctr.num_attributes; i++) {
721 struct drsuapi_DsReplicaAttribute *attr;
722
723 attr = &cur->object.attribute_ctr.attributes[i];
724
725 if (attr->attid == attid) {
726 return attr;
727 }
728 }
729
730 return NULL;
731 }
732
733 static NTSTATUS find_drsuapi_attr_string(TALLOC_CTX *mem_ctx,
734 const struct drsuapi_DsReplicaObjectListItemEx *cur,
735 uint32_t attid,
736 uint32_t *_count,
737 char ***_array)
738 {
739 struct drsuapi_DsReplicaAttribute *attr;
740 char **array;
741 uint32_t a;
742
743 attr = find_drsuapi_attr(cur, attid);
744 if (attr == NULL) {
745 return NT_STATUS_PROPSET_NOT_FOUND;
746 }
747
748 array = talloc_array(mem_ctx, char *, attr->value_ctr.num_values);
749 if (array == NULL) {
750 return NT_STATUS_NO_MEMORY;
751 }
752
753 for (a = 0; a < attr->value_ctr.num_values; a++) {
754 const DATA_BLOB *blob;
755 ssize_t ret;
756
757 blob = attr->value_ctr.values[a].blob;
758
759 if (blob == NULL) {
760 return NT_STATUS_INTERNAL_DB_CORRUPTION;
761 }
762
763 ret = pull_string_talloc(array, NULL, 0, &array[a],
764 blob->data, blob->length,
765 STR_UNICODE);
766 if (ret == -1) {
767 //TODO
768 return NT_STATUS_INTERNAL_ERROR;
769 }
770 }
771
772 *_count = attr->value_ctr.num_values;
773 *_array = array;
774 return NT_STATUS_OK;
775 }
776
777 static NTSTATUS find_drsuapi_attr_int32(TALLOC_CTX *mem_ctx,
778 const struct drsuapi_DsReplicaObjectListItemEx *cur,
779 uint32_t attid,
780 uint32_t *_count,
781 int32_t **_array)
782 {
783 struct drsuapi_DsReplicaAttribute *attr;
784 int32_t *array;
785 uint32_t a;
786
787 attr = find_drsuapi_attr(cur, attid);
788 if (attr == NULL) {
789 return NT_STATUS_PROPSET_NOT_FOUND;
790 }
791
792 array = talloc_array(mem_ctx, int32_t, attr->value_ctr.num_values);
793 if (array == NULL) {
794 return NT_STATUS_NO_MEMORY;
795 }
796
797 for (a = 0; a < attr->value_ctr.num_values; a++) {
798 const DATA_BLOB *blob;
799
800 blob = attr->value_ctr.values[a].blob;
801
802 if (blob == NULL) {
803 return NT_STATUS_INTERNAL_DB_CORRUPTION;
804 }
805
806 if (blob->length != 4) {
807 return NT_STATUS_INTERNAL_DB_CORRUPTION;
808 }
809
810 array[a] = IVAL(blob->data, 0);
811 }
812
813 *_count = attr->value_ctr.num_values;
814 *_array = array;
815 return NT_STATUS_OK;
816 }
817
818 static NTSTATUS find_drsuapi_attr_blob(TALLOC_CTX *mem_ctx,
819 const struct drsuapi_DsReplicaObjectListItemEx *cur,
820 uint32_t attid,
821 uint32_t *_count,
822 DATA_BLOB **_array)
823 {
824 struct drsuapi_DsReplicaAttribute *attr;
825 DATA_BLOB *array;
826 uint32_t a;
827
828 attr = find_drsuapi_attr(cur, attid);
829 if (attr == NULL) {
830 return NT_STATUS_PROPSET_NOT_FOUND;
831 }
832
833 array = talloc_array(mem_ctx, DATA_BLOB, attr->value_ctr.num_values);
834 if (array == NULL) {
835 return NT_STATUS_NO_MEMORY;
836 }
837
838 for (a = 0; a < attr->value_ctr.num_values; a++) {
839 const DATA_BLOB *blob;
840
841 blob = attr->value_ctr.values[a].blob;
842
843 if (blob == NULL) {
844 return NT_STATUS_INTERNAL_DB_CORRUPTION;
845 }
846
847 array[a] = data_blob_talloc(array, blob->data, blob->length);
848 if (array[a].length != blob->length) {
849 return NT_STATUS_NO_MEMORY;
850 }
851 }
852 *_count = attr->value_ctr.num_values;
853 *_array = array;
854 return NT_STATUS_OK;
855 }
856
857 static NTSTATUS find_drsuapi_attr_int64(TALLOC_CTX *mem_ctx,
858 const struct drsuapi_DsReplicaObjectListItemEx *cur,
859 uint32_t attid,
860 uint32_t *_count,
861 int64_t **_array)
862 {
863 struct drsuapi_DsReplicaAttribute *attr;
864 int64_t *array;
865 uint32_t a;
866
867 attr = find_drsuapi_attr(cur, attid);
868 if (attr == NULL) {
869 return NT_STATUS_PROPSET_NOT_FOUND;
870 }
871
872 array = talloc_array(mem_ctx, int64_t, attr->value_ctr.num_values);
873 if (array == NULL) {
874 return NT_STATUS_NO_MEMORY;
875 }
876
877 for (a = 0; a < attr->value_ctr.num_values; a++) {
878 const DATA_BLOB *blob;
879
880 blob = attr->value_ctr.values[a].blob;
881
882 if (blob == NULL) {
883 return NT_STATUS_INTERNAL_DB_CORRUPTION;
884 }
885
886 if (blob->length != 8) {
887 return NT_STATUS_INTERNAL_DB_CORRUPTION;
888 }
889
890 array[a] = BVAL(blob->data, 0);
891 }
892 *_count = attr->value_ctr.num_values;
893 *_array = array;
894 return NT_STATUS_OK;
895 }
896
897 static NTSTATUS find_drsuapi_attr_dn(TALLOC_CTX *mem_ctx,
898 const struct drsuapi_DsReplicaObjectListItemEx *cur,
899 uint32_t attid,
900 uint32_t *_count,
901 struct drsuapi_DsReplicaObjectIdentifier3 **_array)
902 {
903 struct drsuapi_DsReplicaAttribute *attr;
904 struct drsuapi_DsReplicaObjectIdentifier3 *array;
905 uint32_t a;
906
907 attr = find_drsuapi_attr(cur, attid);
908 if (attr == NULL) {
909 return NT_STATUS_PROPSET_NOT_FOUND;
910 }
911
912 array = talloc_array(mem_ctx,
913 struct drsuapi_DsReplicaObjectIdentifier3,
914 attr->value_ctr.num_values);
915 if (array == NULL) {
916 return NT_STATUS_NO_MEMORY;
917 }
918
919 for (a = 0; a < attr->value_ctr.num_values; a++) {
920 const DATA_BLOB *blob;
921 enum ndr_err_code ndr_err;
922 NTSTATUS status;
923
924 blob = attr->value_ctr.values[a].blob;
925
926 if (blob == NULL) {
927 return NT_STATUS_INTERNAL_DB_CORRUPTION;
928 }
929
930 /* windows sometimes sends an extra two pad bytes here */
931 ndr_err = ndr_pull_struct_blob(blob, array, &array[a],
932 (ndr_pull_flags_fn_t)ndr_pull_drsuapi_DsReplicaObjectIdentifier3);
933 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
934 status = ndr_map_error2ntstatus(ndr_err);
935 return status;
936 }
937 }
938 *_count = attr->value_ctr.num_values;
939 *_array = array;
940 return NT_STATUS_OK;
941 }
942
943 #define GET_BLOB_EX(attr, needed) do { \
944 NTSTATUS _status; \
945 uint32_t _cnt; \
946 DATA_BLOB *_vals = NULL; \
947 attr = data_blob_null; \
948 _status = find_drsuapi_attr_blob(mem_ctx, cur, \
949 DRSUAPI_ATTID_ ## attr, \
950 &_cnt, &_vals); \
951 if (NT_STATUS_EQUAL(_status, NT_STATUS_PROPSET_NOT_FOUND)) { \
952 if (!needed) { \
953 _status = NT_STATUS_OK; \
954 _cnt = 0; \
955 } \
956 } \
957 if (!NT_STATUS_IS_OK(_status)) { \
958 DEBUG(0,(__location__ "attr[%s] %s\n", \
959 #attr, nt_errstr(_status))); \
960 return _status; \
961 } \
962 if (_cnt == 0) { \
963 if (needed) { \
964 talloc_free(_vals); \
965 DEBUG(0,(__location__ "attr[%s] count[%u]\n", #attr, _cnt)); \
966 return NT_STATUS_OBJECT_NAME_NOT_FOUND; \
967 } \
968 } else if (_cnt > 1) { \
969 talloc_free(_vals); \
970 DEBUG(0,(__location__ "attr[%s] count[%u]\n", #attr, _cnt)); \
971 return NT_STATUS_INTERNAL_DB_CORRUPTION; \
972 } else { \
973 attr = _vals[0]; \
974 (void)talloc_steal(mem_ctx, _vals[0].data); \
975 } \
976 talloc_free(_vals); \
977 } while(0)
978
979 #define GET_STRING_EX(attr, needed) do { \
980 NTSTATUS _status; \
981 uint32_t _cnt; \
982 char **_vals = NULL; \
983 attr = NULL; \
984 _status = find_drsuapi_attr_string(mem_ctx, cur, \
985 DRSUAPI_ATTID_ ## attr, \
986 &_cnt, &_vals); \
987 if (NT_STATUS_EQUAL(_status, NT_STATUS_PROPSET_NOT_FOUND)) { \
988 if (!needed) { \
989 _status = NT_STATUS_OK; \
990 _cnt = 0; \
991 } \
992 } \
993 if (!NT_STATUS_IS_OK(_status)) { \
994 DEBUG(0,(__location__ "attr[%s] %s\n", \
995 #attr, nt_errstr(_status))); \
996 return _status; \
997 } \
998 if (_cnt == 0) { \
999 if (needed) { \
1000 talloc_free(_vals); \
1001 DEBUG(0,(__location__ "attr[%s] count[%u]\n", #attr, _cnt)); \
1002 return NT_STATUS_OBJECT_NAME_NOT_FOUND; \
1003 } \
1004 } else if (_cnt > 1) { \
1005 talloc_free(_vals); \
1006 DEBUG(0,(__location__ "attr[%s] count[%u]\n", #attr, _cnt)); \
1007 return NT_STATUS_INTERNAL_DB_CORRUPTION; \
1008 } else { \
1009 attr = talloc_move(mem_ctx, &_vals[0]); \
1010 } \
1011 talloc_free(_vals); \
1012 } while(0)
1013
1014 #define GET_UINT32_EX(attr, needed) do { \
1015 NTSTATUS _status; \
1016 uint32_t _cnt; \
1017 int32_t*_vals = NULL; \
1018 attr = 0; \
1019 _status = find_drsuapi_attr_int32(mem_ctx, cur, \
1020 DRSUAPI_ATTID_ ## attr, \
1021 &_cnt, &_vals); \
1022 if (NT_STATUS_EQUAL(_status, NT_STATUS_PROPSET_NOT_FOUND)) { \
1023 if (!needed) { \
1024 _status = NT_STATUS_OK; \
1025 _cnt = 0; \
1026 } \
1027 } \
1028 if (!NT_STATUS_IS_OK(_status)) { \
1029 DEBUG(0,(__location__ "attr[%s] %s\n", \
1030 #attr, nt_errstr(_status))); \
1031 return _status; \
1032 } \
1033 if (_cnt == 0) { \
1034 if (needed) { \
1035 talloc_free(_vals); \
1036 DEBUG(0,(__location__ "attr[%s] count[%u]\n", #attr, _cnt)); \
1037 return NT_STATUS_OBJECT_NAME_NOT_FOUND; \
1038 } \
1039 } else if (_cnt > 1) { \
1040 talloc_free(_vals); \
1041 DEBUG(0,(__location__ "attr[%s] count[%u]\n", #attr, _cnt)); \
1042 return NT_STATUS_INTERNAL_DB_CORRUPTION; \
1043 } else { \
1044 attr = (uint32_t)_vals[0]; \
1045 } \
1046 talloc_free(_vals); \
1047 } while(0)
1048
1049 #define GET_UINT64_EX(attr, needed) do { \
1050 NTSTATUS _status; \
1051 uint32_t _cnt; \
1052 int64_t *_vals = NULL; \
1053 attr = 0; \
1054 _status = find_drsuapi_attr_int64(mem_ctx, cur, \
1055 DRSUAPI_ATTID_ ## attr, \
1056 &_cnt, &_vals); \
1057 if (NT_STATUS_EQUAL(_status, NT_STATUS_PROPSET_NOT_FOUND)) { \
1058 if (!needed) { \
1059 _status = NT_STATUS_OK; \
1060 _cnt = 0; \
1061 } \
1062 } \
1063 if (!NT_STATUS_IS_OK(_status)) { \
1064 DEBUG(0,(__location__ "attr[%s] %s\n", \
1065 #attr, nt_errstr(_status))); \
1066 return _status; \
1067 } \
1068 if (_cnt == 0) { \
1069 if (needed) { \
1070 talloc_free(_vals); \
1071 DEBUG(0,(__location__ "attr[%s] count[%u]\n", #attr, _cnt)); \
1072 return NT_STATUS_OBJECT_NAME_NOT_FOUND; \
1073 } \
1074 } else if (_cnt > 1) { \
1075 talloc_free(_vals); \
1076 DEBUG(0,(__location__ "attr[%s] count[%u]\n", #attr, _cnt)); \
1077 return NT_STATUS_INTERNAL_DB_CORRUPTION; \
1078 } else { \
1079 attr = (uint64_t)_vals[0]; \
1080 } \
1081 talloc_free(_vals); \
1082 } while(0)
1083
1084 #define GET_BLOB(attr) GET_BLOB_EX(attr, false)
1085 #define GET_STRING(attr) GET_STRING_EX(attr, false)
1086 #define GET_UINT32(attr) GET_UINT32_EX(attr, false)
1087 #define GET_UINT64(attr) GET_UINT64_EX(attr, false)
1088
1089 /* Convert a struct samu_DELTA to a struct samu. */
1090 #define STRING_CHANGED (old_string && !new_string) ||\
1091 (!old_string && new_string) ||\
1092 (old_string && new_string && (strcmp(old_string, new_string) != 0))
1093
1094 #define STRING_CHANGED_NC(s1,s2) ((s1) && !(s2)) ||\
1095 (!(s1) && (s2)) ||\
1096 ((s1) && (s2) && (strcmp((s1), (s2)) != 0))
1097
1098 /****************************************************************
1099 ****************************************************************/
1100
1101 static NTSTATUS sam_account_from_object(struct samu *account,
1102 struct drsuapi_DsReplicaObjectListItemEx *cur)
1103 {
1104 TALLOC_CTX *mem_ctx = account;
1105 const char *old_string, *new_string;
1106 time_t unix_time, stored_time;
1107 uchar zero_buf[16];
1108 NTSTATUS status;
1109
1110 NTTIME lastLogon;
1111 NTTIME lastLogoff;
1112 NTTIME pwdLastSet;
1113 NTTIME accountExpires;
1114 const char *sAMAccountName;
1115 const char *displayName;
1116 const char *homeDirectory;
1117 const char *homeDrive;
1118 const char *scriptPath;
1119 const char *profilePath;
1120 const char *description;
1121 const char *userWorkstations;
1122 DATA_BLOB userParameters;
1123 struct dom_sid objectSid;
1124 uint32_t primaryGroupID;
1125 uint32_t userAccountControl;
1126 DATA_BLOB logonHours;
1127 uint32_t badPwdCount;
1128 uint32_t logonCount;
1129 DATA_BLOB unicodePwd;
1130 DATA_BLOB dBCSPwd;
1131
1132 uint32_t rid = 0;
1133 uint32_t acct_flags;
1134 uint32_t units_per_week;
1135
1136 memset(zero_buf, '\0', sizeof(zero_buf));
1137
1138 objectSid = cur->object.identifier->sid;
1139 GET_STRING_EX(sAMAccountName, true);
1140 DEBUG(0,("sam_account_from_object(%s, %s) start\n",
1141 sAMAccountName, sid_string_dbg(&objectSid)));
1142 GET_UINT64(lastLogon);
1143 GET_UINT64(lastLogoff);
1144 GET_UINT64(pwdLastSet);
1145 GET_UINT64(accountExpires);
1146 GET_STRING(displayName);
1147 GET_STRING(homeDirectory);
1148 GET_STRING(homeDrive);
1149 GET_STRING(scriptPath);
1150 GET_STRING(profilePath);
1151 GET_STRING(description);
1152 GET_STRING(userWorkstations);
1153 GET_BLOB(userParameters);
1154 GET_UINT32(primaryGroupID);
1155 GET_UINT32(userAccountControl);
1156 GET_BLOB(logonHours);
1157 GET_UINT32(badPwdCount);
1158 GET_UINT32(logonCount);
1159 GET_BLOB(unicodePwd);
1160 GET_BLOB(dBCSPwd);
1161
1162 status = dom_sid_split_rid(mem_ctx, &objectSid, NULL, &rid);
1163 if (!NT_STATUS_IS_OK(status)) {
1164 return status;
1165 }
1166 acct_flags = ds_uf2acb(userAccountControl);
1167
1168 /* Username, fullname, home dir, dir drive, logon script, acct
1169 desc, workstations, profile. */
1170
1171 if (sAMAccountName) {
1172 old_string = pdb_get_nt_username(account);
1173 new_string = sAMAccountName;
1174
1175 if (STRING_CHANGED) {
1176 pdb_set_nt_username(account, new_string, PDB_CHANGED);
1177 }
1178
1179 /* Unix username is the same - for sanity */
1180 old_string = pdb_get_username( account );
1181 if (STRING_CHANGED) {
1182 pdb_set_username(account, new_string, PDB_CHANGED);
1183 }
1184 }
1185
1186 if (displayName) {
1187 old_string = pdb_get_fullname(account);
1188 new_string = displayName;
1189
1190 if (STRING_CHANGED)
1191 pdb_set_fullname(account, new_string, PDB_CHANGED);
1192 }
1193
1194 if (homeDirectory) {
1195 old_string = pdb_get_homedir(account);
1196 new_string = homeDirectory;
1197
1198 if (STRING_CHANGED)
1199 pdb_set_homedir(account, new_string, PDB_CHANGED);
1200 }
1201
1202 if (homeDrive) {
1203 old_string = pdb_get_dir_drive(account);
1204 new_string = homeDrive;
1205
1206 if (STRING_CHANGED)
1207 pdb_set_dir_drive(account, new_string, PDB_CHANGED);
1208 }
1209
1210 if (scriptPath) {
1211 old_string = pdb_get_logon_script(account);
1212 new_string = scriptPath;
1213
1214 if (STRING_CHANGED)
1215 pdb_set_logon_script(account, new_string, PDB_CHANGED);
1216 }
1217
1218 if (description) {
1219 old_string = pdb_get_acct_desc(account);
1220 new_string = description;
1221
1222 if (STRING_CHANGED)
1223 pdb_set_acct_desc(account, new_string, PDB_CHANGED);
1224 }
1225
1226 if (userWorkstations) {
1227 old_string = pdb_get_workstations(account);
1228 new_string = userWorkstations;
1229
1230 if (STRING_CHANGED)
1231 pdb_set_workstations(account, new_string, PDB_CHANGED);
1232 }
1233
1234 if (profilePath) {
1235 old_string = pdb_get_profile_path(account);
1236 new_string = profilePath;
1237
1238 if (STRING_CHANGED)
1239 pdb_set_profile_path(account, new_string, PDB_CHANGED);
1240 }
1241
1242 if (userParameters.data) {
1243 char *newstr;
1244 old_string = pdb_get_munged_dial(account);
1245 newstr = (userParameters.length == 0) ? NULL :
1246 base64_encode_data_blob(talloc_tos(), userParameters);
1247
1248 if (STRING_CHANGED_NC(old_string, newstr))
1249 pdb_set_munged_dial(account, newstr, PDB_CHANGED);
1250 TALLOC_FREE(newstr);
1251 }
1252
1253 /* User and group sid */
1254 if (rid != 0 && pdb_get_user_rid(account) != rid) {
1255 pdb_set_user_sid_from_rid(account, rid, PDB_CHANGED);
1256 }
1257 if (primaryGroupID != 0 && pdb_get_group_rid(account) != primaryGroupID) {
1258 pdb_set_group_sid_from_rid(account, primaryGroupID, PDB_CHANGED);
1259 }
1260
1261 /* Logon and password information */
1262 if (!nt_time_is_zero(&lastLogon)) {
1263 unix_time = nt_time_to_unix(lastLogon);
1264 stored_time = pdb_get_logon_time(account);
1265 if (stored_time != unix_time)
1266 pdb_set_logon_time(account, unix_time, PDB_CHANGED);
1267 }
1268
1269 if (!nt_time_is_zero(&lastLogoff)) {
1270 unix_time = nt_time_to_unix(lastLogoff);
1271 stored_time = pdb_get_logoff_time(account);
1272 if (stored_time != unix_time)
1273 pdb_set_logoff_time(account, unix_time,PDB_CHANGED);
1274 }
1275
1276 /* Logon Divs */
1277 units_per_week = logonHours.length * 8;
1278
1279 if (pdb_get_logon_divs(account) != units_per_week) {
1280 pdb_set_logon_divs(account, units_per_week, PDB_CHANGED);
1281 }
1282
1283 /* Logon Hours Len */
1284 if (units_per_week/8 != pdb_get_hours_len(account)) {
1285 pdb_set_hours_len(account, units_per_week/8, PDB_CHANGED);
1286 }
1287
1288 /* Logon Hours */
1289 if (logonHours.data) {
1290 char oldstr[44], newstr[44];
1291 pdb_sethexhours(oldstr, pdb_get_hours(account));
1292 pdb_sethexhours(newstr, logonHours.data);
1293 if (!strequal(oldstr, newstr)) {
1294 pdb_set_hours(account, logonHours.data,
1295 logonHours.length, PDB_CHANGED);
1296 }
1297 }
1298
1299 if (pdb_get_bad_password_count(account) != badPwdCount)
1300 pdb_set_bad_password_count(account, badPwdCount, PDB_CHANGED);
1301
1302 if (pdb_get_logon_count(account) != logonCount)
1303 pdb_set_logon_count(account, logonCount, PDB_CHANGED);
1304
1305 if (!nt_time_is_zero(&pwdLastSet)) {
1306 unix_time = nt_time_to_unix(pwdLastSet);
1307 stored_time = pdb_get_pass_last_set_time(account);
1308 if (stored_time != unix_time)
1309 pdb_set_pass_last_set_time(account, unix_time, PDB_CHANGED);
1310 } else {
1311 /* no last set time, make it now */
1312 pdb_set_pass_last_set_time(account, time(NULL), PDB_CHANGED);
1313 }
1314
1315 if (!nt_time_is_zero(&accountExpires)) {
1316 unix_time = nt_time_to_unix(accountExpires);
1317 stored_time = pdb_get_kickoff_time(account);
1318 if (stored_time != unix_time)
1319 pdb_set_kickoff_time(account, unix_time, PDB_CHANGED);
1320 }
1321
1322 /* Decode hashes from password hash
1323 Note that win2000 may send us all zeros for the hashes if it doesn't
1324 think this channel is secure enough - don't set the passwords at all
1325 in that case
1326 */
1327 if (dBCSPwd.length == 16 && memcmp(dBCSPwd.data, zero_buf, 16) != 0) {
1328 pdb_set_lanman_passwd(account, dBCSPwd.data, PDB_CHANGED);
1329 }
1330
1331 if (unicodePwd.length == 16 && memcmp(unicodePwd.data, zero_buf, 16) != 0) {
1332 pdb_set_nt_passwd(account, unicodePwd.data, PDB_CHANGED);
1333 }
1334
1335 /* TODO: history */
1336
1337 /* TODO: account expiry time */
1338
1339 pdb_set_acct_ctrl(account, acct_flags, PDB_CHANGED);
1340
1341 pdb_set_domain(account, lp_workgroup(), PDB_CHANGED);
1342
1343 DEBUG(0,("sam_account_from_object(%s, %s) done\n",
1344 sAMAccountName, sid_string_dbg(&objectSid)));
1345 return NT_STATUS_OK;
1346 }
1347
1348 /****************************************************************
1349 ****************************************************************/
1350
1351 static NTSTATUS handle_account_object(struct dssync_passdb *pctx,
1352 TALLOC_CTX *mem_ctx,
1353 struct dssync_passdb_obj *obj)
1354 {
1355 struct drsuapi_DsReplicaObjectListItemEx *cur = obj->cur;
1356 NTSTATUS status;
1357 fstring account;
1358 struct samu *sam_account=NULL;
1359 GROUP_MAP *map;
1360 struct group *grp;
1361 struct dom_sid user_sid;
1362 struct dom_sid group_sid;
1363 struct passwd *passwd = NULL;
1364 uint32_t acct_flags;
1365 uint32_t rid;
1366
1367 const char *sAMAccountName;
1368 uint32_t userAccountControl;
1369
1370 user_sid = cur->object.identifier->sid;
1371 GET_STRING_EX(sAMAccountName, true);
1372 GET_UINT32_EX(userAccountControl, true);
1373
1374 status = dom_sid_split_rid(mem_ctx, &user_sid, NULL, &rid);
1375 if (!NT_STATUS_IS_OK(status)) {
1376 return status;
1377 }
1378
1379 fstrcpy(account, sAMAccountName);
1380 if (rid == DOMAIN_RID_GUEST) {
1381 /*
1382 * pdb_getsampwsid() has special handling for DOMAIN_RID_GUEST
1383 * that's why we need to ignore it here.
1384 *
1385 * pdb_smbpasswd.c also has some DOMAIN_RID_GUEST related
1386 * code...
1387 */
1388 DEBUG(0,("Ignore %s - %s\n", account, sid_string_dbg(&user_sid)));
1389 return NT_STATUS_OK;
1390 }
1391 DEBUG(0,("Creating account: %s\n", account));
1392
1393 if ( !(sam_account = samu_new(mem_ctx)) ) {
1394 return NT_STATUS_NO_MEMORY;
1395 }
1396
1397 acct_flags = ds_uf2acb(userAccountControl);
1398 status = smb_create_user(sam_account, acct_flags, account, &passwd);
1399 if (!NT_STATUS_IS_OK(status)) {
1400 DEBUG(0,("Could not create posix account info for '%s'- %s\n",
1401 account, nt_errstr(status)));
1402 TALLOC_FREE(sam_account);
1403 return status;
1404 }
1405
1406 DEBUG(3, ("Attempting to find SID %s for user %s in the passdb\n",
1407 sid_string_dbg(&user_sid), account));
1408 if (!pdb_getsampwsid(sam_account, &user_sid)) {
1409 sam_account_from_object(sam_account, cur);
1410 DEBUG(3, ("Attempting to add user SID %s for user %s in the passdb\n",
1411 sid_string_dbg(&user_sid),
1412 pdb_get_username(sam_account)));
1413 if (!NT_STATUS_IS_OK(pdb_add_sam_account(sam_account))) {
1414 DEBUG(1, ("SAM Account for %s failed to be added to the passdb!\n",
1415 account));
1416 TALLOC_FREE(sam_account);
1417 return NT_STATUS_ACCESS_DENIED;
1418 }
1419 } else {
1420 sam_account_from_object(sam_account, cur);
1421 DEBUG(3, ("Attempting to update user SID %s for user %s in the passdb\n",
1422 sid_string_dbg(&user_sid),
1423 pdb_get_username(sam_account)));
1424 if (!NT_STATUS_IS_OK(pdb_update_sam_account(sam_account))) {
1425 DEBUG(1, ("SAM Account for %s failed to be updated in the passdb!\n",
1426 account));
1427 TALLOC_FREE(sam_account);
1428 return NT_STATUS_ACCESS_DENIED;
1429 }
1430 }
1431
1432 if (pdb_get_group_sid(sam_account) == NULL) {
1433 TALLOC_FREE(sam_account);
1434 return NT_STATUS_UNSUCCESSFUL;
1435 }
1436
1437 group_sid = *pdb_get_group_sid(sam_account);
1438
1439 map = talloc_zero(NULL, GROUP_MAP);
1440 if (!map) {
1441 return NT_STATUS_NO_MEMORY;
1442 }
1443
1444 if (!pdb_getgrsid(map, group_sid)) {
1445 DEBUG(0, ("Primary group of %s has no mapping!\n",
1446 pdb_get_username(sam_account)));
1447 } else {
1448 if (map->gid != passwd->pw_gid) {
1449 if (!(grp = getgrgid(map->gid))) {
1450 DEBUG(0, ("Could not find unix group %lu for user %s (group SID=%s)\n",
1451 (unsigned long)map->gid, pdb_get_username(sam_account),
1452 sid_string_dbg(&group_sid)));
1453 } else {
1454 smb_set_primary_group(grp->gr_name, pdb_get_username(sam_account));
1455 }
1456 }
1457 }
1458
1459 TALLOC_FREE(map);
1460
1461 if ( !passwd ) {
1462 DEBUG(1, ("No unix user for this account (%s), cannot adjust mappings\n",
1463 pdb_get_username(sam_account)));
1464 }
1465
1466 TALLOC_FREE(sam_account);
1467 return NT_STATUS_OK;
1468 }
1469
1470 /****************************************************************
1471 ****************************************************************/
1472
1473 static NTSTATUS handle_alias_object(struct dssync_passdb *pctx,
1474 TALLOC_CTX *mem_ctx,
1475 struct dssync_passdb_obj *obj)
1476 {
1477 struct drsuapi_DsReplicaObjectListItemEx *cur = obj->cur;
1478 NTSTATUS status;
1479 struct group *grp = NULL;
1480 struct dom_sid group_sid;
1481 uint32_t rid = 0;
1482 struct dom_sid *dom_sid = NULL;
1483 fstring sid_string;
1484 GROUP_MAP *map;
1485 bool insert = true;
1486
1487 const char *sAMAccountName;
1488 const char *description;
1489 uint32_t i;
1490 uint32_t num_members = 0;
1491 struct drsuapi_DsReplicaObjectIdentifier3 *members = NULL;
1492
1493 group_sid = cur->object.identifier->sid;
1494 GET_STRING_EX(sAMAccountName, true);
1495 GET_STRING(description);
1496
1497 status = find_drsuapi_attr_dn(obj, cur, DRSUAPI_ATTID_member,
1498 &num_members, &members);
1499 if (NT_STATUS_EQUAL(status, NT_STATUS_PROPSET_NOT_FOUND)) {
1500 status = NT_STATUS_OK;
1501 }
1502 if (!NT_STATUS_IS_OK(status)) {
1503 return status;
1504 }
1505
1506 dom_sid_split_rid(mem_ctx, &group_sid, &dom_sid, &rid);
1507
1508 map = talloc_zero(mem_ctx, GROUP_MAP);
1509 if (map == NULL) {
1510 status = NT_STATUS_NO_MEMORY;
1511 goto done;
1512 }
1513
1514 map->nt_name = talloc_strdup(map, sAMAccountName);
1515 if (map->nt_name == NULL) {
1516 status = NT_STATUS_NO_MEMORY;
1517 goto done;
1518 }
1519
1520 if (description) {
1521 map->comment = talloc_strdup(map, description);
1522 } else {
1523 map->comment = talloc_strdup(map, "");
1524 }
1525 if (map->comment == NULL) {
1526 status = NT_STATUS_NO_MEMORY;
1527 goto done;
1528 }
1529
1530 sid_to_fstring(sid_string, &group_sid);
1531 DEBUG(0,("Creating alias[%s] - %s members[%u]\n",
1532 map->nt_name, sid_string, num_members));
1533
1534 status = dssync_insert_obj(pctx, pctx->aliases, obj);
1535 if (!NT_STATUS_IS_OK(status)) {
1536 goto done;
1537 }
1538
1539 if (pdb_getgrsid(map, group_sid)) {
1540 if (map->gid != -1) {
1541 grp = getgrgid(map->gid);
1542 }
1543 insert = false;
1544 }
1545
1546 if (grp == NULL) {
1547 gid_t gid;
1548
1549 /* No group found from mapping, find it from its name. */
1550 if ((grp = getgrnam(map->nt_name)) == NULL) {
1551
1552 /* No appropriate group found, create one */
1553
1554 DEBUG(0, ("Creating unix group: '%s'\n",
1555 map->nt_name));
1556
1557 if (smb_create_group(map->nt_name, &gid) != 0) {
1558 status = NT_STATUS_ACCESS_DENIED;
1559 goto done;
1560 }
1561
1562 if ((grp = getgrgid(gid)) == NULL) {
1563 status = NT_STATUS_ACCESS_DENIED;
1564 goto done;
1565 }
1566 }
1567 }
1568
1569 map->gid = grp->gr_gid;
1570 map->sid = group_sid;
1571
1572 if (dom_sid_equal(dom_sid, &global_sid_Builtin)) {
1573 /*
1574 * pdb_ldap does not like SID_NAME_WKN_GRP...
1575 *
1576 * map.sid_name_use = SID_NAME_WKN_GRP;
1577 */
1578 map->sid_name_use = SID_NAME_ALIAS;
1579 } else {
1580 map->sid_name_use = SID_NAME_ALIAS;
1581 }
1582
1583 if (insert) {
1584 pdb_add_group_mapping_entry(map);
1585 } else {
1586 pdb_update_group_mapping_entry(map);
1587 }
1588
1589 for (i=0; i < num_members; i++) {
1590 struct dssync_passdb_mem *mem;
1591
1592 status = dssync_create_mem(pctx, obj,
1593 true /* active */,
1594 &members[i], &mem);
1595 if (!NT_STATUS_IS_OK(status)) {
1596 goto done;
1597 }
1598 }
1599
1600 status = NT_STATUS_OK;
1601
1602 done:
1603 TALLOC_FREE(map);
1604 return status;
1605 }
1606
1607 /****************************************************************
1608 ****************************************************************/
1609
1610 static NTSTATUS handle_group_object(struct dssync_passdb *pctx,
1611 TALLOC_CTX *mem_ctx,
1612 struct dssync_passdb_obj *obj)
1613 {
1614 struct drsuapi_DsReplicaObjectListItemEx *cur = obj->cur;
1615 NTSTATUS status;
1616 struct group *grp = NULL;
1617 struct dom_sid group_sid;
1618 fstring sid_string;
1619 GROUP_MAP *map;
1620 bool insert = true;
1621
1622 const char *sAMAccountName;
1623 const char *description;
1624 uint32_t i;
1625 uint32_t num_members = 0;
1626 struct drsuapi_DsReplicaObjectIdentifier3 *members = NULL;
1627
1628 group_sid = cur->object.identifier->sid;
1629 GET_STRING_EX(sAMAccountName, true);
1630 GET_STRING(description);
1631
1632 status = find_drsuapi_attr_dn(obj, cur, DRSUAPI_ATTID_member,
1633 &num_members, &members);
1634 if (NT_STATUS_EQUAL(status, NT_STATUS_PROPSET_NOT_FOUND)) {
1635 status = NT_STATUS_OK;
1636 }
1637 if (!NT_STATUS_IS_OK(status)) {
1638 return status;
1639 }
1640
1641 map = talloc_zero(NULL, GROUP_MAP);
1642 if (!map) {
1643 return NT_STATUS_NO_MEMORY;
1644 }
1645
1646 map->nt_name = talloc_strdup(map, sAMAccountName);
1647 if (!map->nt_name) {
1648 status = NT_STATUS_NO_MEMORY;
1649 goto done;
1650 }
1651 if (description) {
1652 map->comment = talloc_strdup(map, description);
1653 } else {
1654 map->comment = talloc_strdup(map, "");
1655 }
1656 if (!map->comment) {
1657 status = NT_STATUS_NO_MEMORY;
1658 goto done;
1659 }
1660
1661 sid_to_fstring(sid_string, &group_sid);
1662 DEBUG(0,("Creating group[%s] - %s members [%u]\n",
1663 map->nt_name, sid_string, num_members));
1664
1665 status = dssync_insert_obj(pctx, pctx->groups, obj);
1666 if (!NT_STATUS_IS_OK(status)) {
1667 goto done;
1668 }
1669
1670 if (pdb_getgrsid(map, group_sid)) {
1671 if (map->gid != -1) {
1672 grp = getgrgid(map->gid);
1673 }
1674 insert = false;
1675 }
1676
1677 if (grp == NULL) {
1678 gid_t gid;
1679
1680 /* No group found from mapping, find it from its name. */
1681 if ((grp = getgrnam(map->nt_name)) == NULL) {
1682
1683 /* No appropriate group found, create one */
1684
1685 DEBUG(0, ("Creating unix group: '%s'\n",
1686 map->nt_name));
1687
1688 if (smb_create_group(map->nt_name, &gid) != 0) {
1689 status = NT_STATUS_ACCESS_DENIED;
1690 goto done;
1691 }
1692
1693 if ((grp = getgrnam(map->nt_name)) == NULL) {
1694 status = NT_STATUS_ACCESS_DENIED;
1695 goto done;
1696 }
1697 }
1698 }
1699
1700 map->gid = grp->gr_gid;
1701 map->sid = group_sid;
1702 map->sid_name_use = SID_NAME_DOM_GRP;
1703
1704 if (insert) {
1705 pdb_add_group_mapping_entry(map);
1706 } else {
1707 pdb_update_group_mapping_entry(map);
1708 }
1709
1710 for (i=0; i < num_members; i++) {
1711 struct dssync_passdb_mem *mem;
1712
1713 status = dssync_create_mem(pctx, obj,
1714 true /* active */,
1715 &members[i], &mem);
1716 if (!NT_STATUS_IS_OK(status)) {
1717 goto done;
1718 }
1719 }
1720
1721 status = NT_STATUS_OK;
1722
1723 done:
1724 TALLOC_FREE(map);
1725 return status;
1726 }
1727
1728 /****************************************************************
1729 ****************************************************************/
1730
1731 static NTSTATUS handle_interdomain_trust_object(struct dssync_passdb *pctx,
1732 TALLOC_CTX *mem_ctx,
1733 struct dssync_passdb_obj *obj)
1734 {
1735 struct drsuapi_DsReplicaObjectListItemEx *cur = obj->cur;
1736 DEBUG(0,("trust: %s\n", cur->object.identifier->dn));
1737 return NT_STATUS_NOT_IMPLEMENTED;
1738 }
1739
1740 /****************************************************************
1741 ****************************************************************/
1742
1743 struct dssync_object_table_t {
1744 uint32_t type;
1745 NTSTATUS (*fn) (struct dssync_passdb *pctx,
1746 TALLOC_CTX *mem_ctx,
1747 struct dssync_passdb_obj *obj);
1748 };
1749
1750 static const struct dssync_object_table_t dssync_object_table[] = {
1751 { ATYPE_NORMAL_ACCOUNT, handle_account_object },
1752 { ATYPE_WORKSTATION_TRUST, handle_account_object },
1753 { ATYPE_SECURITY_LOCAL_GROUP, handle_alias_object },
1754 { ATYPE_SECURITY_GLOBAL_GROUP, handle_group_object },
1755 { ATYPE_INTERDOMAIN_TRUST, handle_interdomain_trust_object },
1756 };
1757
1758 /****************************************************************
1759 ****************************************************************/
1760
1761 static NTSTATUS parse_object(struct dssync_passdb *pctx,
1762 TALLOC_CTX *mem_ctx,
1763 struct drsuapi_DsReplicaObjectListItemEx *cur)
1764 {
1765 NTSTATUS status = NT_STATUS_OK;
1766 DATA_BLOB *blob;
1767 int i = 0;
1768 int a = 0;
1769 struct drsuapi_DsReplicaAttribute *attr;
1770
1771 char *name = NULL;
1772 uint32_t sam_type = 0;
1773
1774 DEBUG(3, ("parsing object '%s'\n", cur->object.identifier->dn));
1775
1776 for (i=0; i < cur->object.attribute_ctr.num_attributes; i++) {
1777
1778 attr = &cur->object.attribute_ctr.attributes[i];
1779
1780 if (attr->value_ctr.num_values != 1) {
1781 continue;
1782 }
1783
1784 if (!attr->value_ctr.values[0].blob) {
1785 continue;
1786 }
1787
1788 blob = attr->value_ctr.values[0].blob;
1789
1790 switch (attr->attid) {
1791 case DRSUAPI_ATTID_sAMAccountName:
1792 pull_string_talloc(mem_ctx, NULL, 0, &name,
1793 blob->data, blob->length,
1794 STR_UNICODE);
1795 break;
1796 case DRSUAPI_ATTID_sAMAccountType:
1797 sam_type = IVAL(blob->data, 0);
1798 break;
1799 default:
1800 break;
1801 }
1802 }
1803
1804 for (a=0; a < ARRAY_SIZE(dssync_object_table); a++) {
1805 if (sam_type == dssync_object_table[a].type) {
1806 if (dssync_object_table[a].fn) {
1807 struct dssync_passdb_obj *obj;
1808 status = dssync_create_obj(pctx, pctx->all,
1809 sam_type, cur, &obj);
1810 if (!NT_STATUS_IS_OK(status)) {
1811 break;
1812 }
1813 status = dssync_object_table[a].fn(pctx,
1814 mem_ctx,
1815 obj);
1816 break;
1817 }
1818 }
1819 }
1820
1821 return status;
1822 }
1823
1824 static NTSTATUS parse_link(struct dssync_passdb *pctx,
1825 TALLOC_CTX *mem_ctx,
1826 struct drsuapi_DsReplicaLinkedAttribute *cur)
1827 {
1828 struct drsuapi_DsReplicaObjectIdentifier3 *id3;
1829 const DATA_BLOB *blob;
1830 enum ndr_err_code ndr_err;
1831 NTSTATUS status;
1832 bool active = false;
1833 struct dssync_passdb_mem *mem;
1834 struct dssync_passdb_obj *obj;
1835
1836 if (cur->attid != DRSUAPI_ATTID_member) {
1837 return NT_STATUS_OK;
1838 }
1839
1840 if (cur->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE) {
1841 active = true;
1842 }
1843
1844 DEBUG(3, ("parsing link '%s' - %s\n",
1845 cur->identifier->dn, active?"adding":"deleting"));
1846
1847 blob = cur->value.blob;
1848
1849 if (blob == NULL) {
1850 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1851 }
1852
1853 obj = dssync_search_obj_by_guid(pctx, pctx->all, &cur->identifier->guid);
1854 if (obj == NULL) {
1855 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1856 }
1857
1858 id3 = talloc_zero(obj, struct drsuapi_DsReplicaObjectIdentifier3);
1859 if (id3 == NULL) {
1860 return NT_STATUS_NO_MEMORY;
1861 }
1862
1863 /* windows sometimes sends an extra two pad bytes here */
1864 ndr_err = ndr_pull_struct_blob(blob, id3, id3,
1865 (ndr_pull_flags_fn_t)ndr_pull_drsuapi_DsReplicaObjectIdentifier3);
1866 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1867 status = ndr_map_error2ntstatus(ndr_err);
1868 return status;
1869 }
1870
1871 status = dssync_create_mem(pctx, obj,
1872 active,
1873 id3, &mem);
1874 if (!NT_STATUS_IS_OK(status)) {
1875 return status;
1876 }
1877
1878 return NT_STATUS_OK;
1879 }
1880
1881 /****************************************************************
1882 ****************************************************************/
1883
1884 static NTSTATUS passdb_process_objects(struct dssync_context *ctx,
1885 TALLOC_CTX *mem_ctx,
1886 struct drsuapi_DsReplicaObjectListItemEx *cur,
1887 struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
1888 {
1889 NTSTATUS status = NT_STATUS_OK;
1890 struct dssync_passdb *pctx =
1891 talloc_get_type_abort(ctx->private_data,
1892 struct dssync_passdb);
1893
1894 for (; cur; cur = cur->next_object) {
1895 status = parse_object(pctx, mem_ctx, cur);
1896 if (!NT_STATUS_IS_OK(status)) {
1897 goto out;
1898 }
1899 }
1900
1901 out:
1902 return status;
1903 }
1904
1905 /****************************************************************
1906 ****************************************************************/
1907
1908 static NTSTATUS passdb_process_links(struct dssync_context *ctx,
1909 TALLOC_CTX *mem_ctx,
1910 uint32_t count,
1911 struct drsuapi_DsReplicaLinkedAttribute *links,
1912 struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
1913 {
1914 NTSTATUS status = NT_STATUS_OK;
1915 struct dssync_passdb *pctx =
1916 talloc_get_type_abort(ctx->private_data,
1917 struct dssync_passdb);
1918 uint32_t i;
1919
1920 for (i = 0; i < count; i++) {
1921 status = parse_link(pctx, mem_ctx, &links[i]);
1922 if (!NT_STATUS_IS_OK(status)) {
1923 goto out;
1924 }
1925 }
1926
1927 out:
1928 return status;
1929 }
1930
1931 /****************************************************************
1932 ****************************************************************/
1933
1934 const struct dssync_ops libnet_dssync_passdb_ops = {
1935 .startup = passdb_startup,
1936 .process_objects = passdb_process_objects,
1937 .process_links = passdb_process_links,
1938 .finish = passdb_finish,
1939 };
Samba GIT mirror