2 Unix SMB/CIFS implementation.
3 pdb glue module for direct access to the dsdb via LDB APIs
4 Copyright (C) Volker Lendecke 2009-2011
5 Copyright (C) Andrew Bartlett 2010-2012
6 Copyright (C) Matthias Dieter Wallnöfer 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* This module, is a port of Volker's pdb_ads to ldb and DSDB APIs */
25 #include "source3/include/passdb.h"
26 #include "source4/dsdb/samdb/samdb.h"
27 #include "ldb_errors.h"
28 #include "libcli/security/dom_sid.h"
29 #include "source4/winbind/idmap.h"
30 #include "librpc/gen_ndr/ndr_security.h"
31 #include "librpc/gen_ndr/ndr_drsblobs.h"
32 #include "librpc/gen_ndr/ndr_lsa.h"
33 #include "libds/common/flag_mapping.h"
34 #include "source4/lib/events/events.h"
35 #include "source4/auth/session.h"
36 #include "source4/auth/system_session_proto.h"
37 #include "lib/param/param.h"
38 #include "source4/dsdb/common/util.h"
39 #include "source3/include/secrets.h"
40 #include "source4/auth/auth_sam.h"
41 #include "auth/credentials/credentials.h"
43 struct pdb_samba_dsdb_state
{
44 struct tevent_context
*ev
;
45 struct ldb_context
*ldb
;
46 struct idmap_context
*idmap_ctx
;
47 struct loadparm_context
*lp_ctx
;
50 static NTSTATUS
pdb_samba_dsdb_getsampwsid(struct pdb_methods
*m
,
51 struct samu
*sam_acct
,
52 const struct dom_sid
*sid
);
53 static NTSTATUS
pdb_samba_dsdb_getsamupriv(struct pdb_samba_dsdb_state
*state
,
56 struct ldb_message
**pmsg
);
57 static bool pdb_samba_dsdb_sid_to_id(struct pdb_methods
*m
, const struct dom_sid
*sid
,
60 static bool pdb_samba_dsdb_pull_time(struct ldb_message
*msg
, const char *attr
,
64 if (! ldb_msg_find_element(msg
, attr
)) {
67 tmp
= ldb_msg_find_attr_as_uint64(msg
, attr
, 0);
68 *ptime
= nt_time_to_unix(tmp
);
72 static struct pdb_domain_info
*pdb_samba_dsdb_get_domain_info(
73 struct pdb_methods
*m
, TALLOC_CTX
*mem_ctx
)
75 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
76 m
->private_data
, struct pdb_samba_dsdb_state
);
77 struct pdb_domain_info
*info
;
78 struct dom_sid
*domain_sid
;
79 struct ldb_dn
*forest_dn
, *domain_dn
;
80 struct ldb_result
*dom_res
= NULL
;
81 const char *dom_attrs
[] = {
90 info
= talloc(mem_ctx
, struct pdb_domain_info
);
95 domain_dn
= ldb_get_default_basedn(state
->ldb
);
97 ret
= ldb_search(state
->ldb
, info
, &dom_res
,
98 domain_dn
, LDB_SCOPE_BASE
, dom_attrs
, NULL
);
99 if (ret
!= LDB_SUCCESS
) {
102 if (dom_res
->count
!= 1) {
106 info
->guid
= samdb_result_guid(dom_res
->msgs
[0], "objectGUID");
108 domain_sid
= samdb_result_dom_sid(state
, dom_res
->msgs
[0], "objectSid");
112 info
->sid
= *domain_sid
;
114 TALLOC_FREE(dom_res
);
116 info
->name
= talloc_strdup(info
, lpcfg_sam_name(state
->lp_ctx
));
117 info
->dns_domain
= ldb_dn_canonical_string(info
, domain_dn
);
119 if (!info
->dns_domain
) {
122 p
= strchr(info
->dns_domain
, '/');
127 forest_dn
= ldb_get_root_basedn(state
->ldb
);
132 info
->dns_forest
= ldb_dn_canonical_string(info
, forest_dn
);
133 if (!info
->dns_forest
) {
136 p
= strchr(info
->dns_forest
, '/');
144 TALLOC_FREE(dom_res
);
149 static struct ldb_message
*pdb_samba_dsdb_get_samu_private(
150 struct pdb_methods
*m
, struct samu
*sam
)
152 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
153 m
->private_data
, struct pdb_samba_dsdb_state
);
154 struct ldb_message
*msg
;
155 char *sidstr
, *filter
;
158 msg
= (struct ldb_message
*)
159 pdb_get_backend_private_data(sam
, m
);
162 return talloc_get_type_abort(msg
, struct ldb_message
);
165 sidstr
= dom_sid_string(talloc_tos(), pdb_get_user_sid(sam
));
166 if (sidstr
== NULL
) {
170 filter
= talloc_asprintf(
171 talloc_tos(), "(&(objectsid=%s)(objectclass=user))", sidstr
);
173 if (filter
== NULL
) {
177 status
= pdb_samba_dsdb_getsamupriv(state
, filter
, sam
, &msg
);
179 if (!NT_STATUS_IS_OK(status
)) {
186 static NTSTATUS
pdb_samba_dsdb_init_sam_from_priv(struct pdb_methods
*m
,
188 struct ldb_message
*msg
)
190 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
191 m
->private_data
, struct pdb_samba_dsdb_state
);
192 TALLOC_CTX
*frame
= talloc_stackframe();
193 NTSTATUS status
= NT_STATUS_INTERNAL_DB_CORRUPTION
;
196 struct dom_sid
*sid
, group_sid
;
198 const DATA_BLOB
*blob
;
200 str
= ldb_msg_find_attr_as_string(msg
, "samAccountName", NULL
);
202 DEBUG(10, ("no samAccountName\n"));
205 pdb_set_username(sam
, str
, PDB_SET
);
207 if (pdb_samba_dsdb_pull_time(msg
, "lastLogon", &tmp_time
)) {
208 pdb_set_logon_time(sam
, tmp_time
, PDB_SET
);
210 if (pdb_samba_dsdb_pull_time(msg
, "lastLogoff", &tmp_time
)) {
211 pdb_set_logoff_time(sam
, tmp_time
, PDB_SET
);
213 if (pdb_samba_dsdb_pull_time(msg
, "pwdLastSet", &tmp_time
)) {
214 pdb_set_pass_last_set_time(sam
, tmp_time
, PDB_SET
);
216 if (pdb_samba_dsdb_pull_time(msg
, "accountExpires", &tmp_time
)) {
217 pdb_set_kickoff_time(sam
, tmp_time
, PDB_SET
);
220 str
= ldb_msg_find_attr_as_string(msg
, "displayName",
223 pdb_set_fullname(sam
, str
, PDB_SET
);
226 str
= ldb_msg_find_attr_as_string(msg
, "homeDirectory",
229 pdb_set_homedir(sam
, str
, PDB_SET
);
232 str
= ldb_msg_find_attr_as_string(msg
, "homeDrive", NULL
);
234 pdb_set_dir_drive(sam
, str
, PDB_SET
);
237 str
= ldb_msg_find_attr_as_string(msg
, "scriptPath", NULL
);
239 pdb_set_logon_script(sam
, str
, PDB_SET
);
242 str
= ldb_msg_find_attr_as_string(msg
, "profilePath",
245 pdb_set_profile_path(sam
, str
, PDB_SET
);
248 str
= ldb_msg_find_attr_as_string(msg
, "comment",
251 pdb_set_comment(sam
, str
, PDB_SET
);
254 str
= ldb_msg_find_attr_as_string(msg
, "description",
257 pdb_set_acct_desc(sam
, str
, PDB_SET
);
260 str
= ldb_msg_find_attr_as_string(msg
, "userWorkstations",
263 pdb_set_workstations(sam
, str
, PDB_SET
);
266 blob
= ldb_msg_find_ldb_val(msg
, "userParameters");
268 str
= base64_encode_data_blob(frame
, *blob
);
270 DEBUG(0, ("base64_encode_data_blob() failed\n"));
273 pdb_set_munged_dial(sam
, str
, PDB_SET
);
276 sid
= samdb_result_dom_sid(talloc_tos(), msg
, "objectSid");
278 DEBUG(10, ("Could not pull SID\n"));
281 pdb_set_user_sid(sam
, sid
, PDB_SET
);
283 n
= samdb_result_acct_flags(msg
, "msDS-User-Account-Control-Computed");
285 DEBUG(10, ("Could not pull userAccountControl\n"));
288 pdb_set_acct_ctrl(sam
, n
, PDB_SET
);
290 blob
= ldb_msg_find_ldb_val(msg
, "unicodePwd");
292 if (blob
->length
!= NT_HASH_LEN
) {
293 DEBUG(0, ("Got NT hash of length %d, expected %d\n",
294 (int)blob
->length
, NT_HASH_LEN
));
297 pdb_set_nt_passwd(sam
, blob
->data
, PDB_SET
);
300 blob
= ldb_msg_find_ldb_val(msg
, "dBCSPwd");
302 if (blob
->length
!= LM_HASH_LEN
) {
303 DEBUG(0, ("Got LM hash of length %d, expected %d\n",
304 (int)blob
->length
, LM_HASH_LEN
));
307 pdb_set_lanman_passwd(sam
, blob
->data
, PDB_SET
);
310 n
= ldb_msg_find_attr_as_uint(msg
, "primaryGroupID", 0);
312 DEBUG(10, ("Could not pull primaryGroupID\n"));
315 sid_compose(&group_sid
, samdb_domain_sid(state
->ldb
), n
);
316 pdb_set_group_sid(sam
, &group_sid
, PDB_SET
);
318 status
= NT_STATUS_OK
;
324 static bool pdb_samba_dsdb_add_time(struct ldb_message
*msg
,
325 const char *attrib
, time_t t
)
329 unix_to_nt_time(&nt_time
, t
);
331 return ldb_msg_add_fmt(msg
, attrib
, "%llu", (unsigned long long) nt_time
);
334 static int pdb_samba_dsdb_replace_by_sam(struct pdb_samba_dsdb_state
*state
,
335 bool (*need_update
)(const struct samu
*,
340 TALLOC_CTX
*frame
= talloc_stackframe();
341 int ret
= LDB_SUCCESS
;
343 struct ldb_message
*msg
;
344 struct ldb_request
*req
;
345 uint32_t dsdb_flags
= 0;
346 /* TODO: All fields :-) */
348 msg
= ldb_msg_new(frame
);
356 /* build modify request */
357 ret
= ldb_build_mod_req(&req
, state
->ldb
, frame
, msg
, NULL
, NULL
,
358 ldb_op_default_callback
,
360 if (ret
!= LDB_SUCCESS
) {
365 /* If we set a plaintext password, the system will
366 * force the pwdLastSet to now() */
367 if (need_update(sam
, PDB_PASSLASTSET
)) {
368 dsdb_flags
= DSDB_PASSWORD_BYPASS_LAST_SET
;
370 ret
|= pdb_samba_dsdb_add_time(msg
, "pwdLastSet",
371 pdb_get_pass_last_set_time(sam
));
374 pw
= pdb_get_plaintext_passwd(sam
);
375 if (need_update(sam
, PDB_PLAINTEXT_PW
)) {
376 struct ldb_val pw_utf16
;
379 return LDB_ERR_OPERATIONS_ERROR
;
382 if (!convert_string_talloc(msg
,
385 (void *)&pw_utf16
.data
,
388 return LDB_ERR_OPERATIONS_ERROR
;
390 ret
|= ldb_msg_add_value(msg
, "clearTextPassword", &pw_utf16
, NULL
);
392 bool changed_lm_pw
= false;
393 bool changed_nt_pw
= false;
394 bool changed_history
= false;
395 if (need_update(sam
, PDB_LMPASSWD
)) {
397 val
.data
= discard_const_p(uint8_t, pdb_get_lanman_passwd(sam
));
399 samdb_msg_add_delete(state
->ldb
, msg
, msg
,
402 val
.length
= LM_HASH_LEN
;
403 ret
|= ldb_msg_add_value(msg
, "dBCSPwd", &val
, NULL
);
405 changed_lm_pw
= true;
407 if (need_update(sam
, PDB_NTPASSWD
)) {
409 val
.data
= discard_const_p(uint8_t, pdb_get_nt_passwd(sam
));
411 samdb_msg_add_delete(state
->ldb
, msg
, msg
,
414 val
.length
= NT_HASH_LEN
;
415 ret
|= ldb_msg_add_value(msg
, "unicodePwd", &val
, NULL
);
417 changed_nt_pw
= true;
420 /* Try to ensure we don't get out of sync */
421 if (changed_lm_pw
&& !changed_nt_pw
) {
422 samdb_msg_add_delete(state
->ldb
, msg
, msg
,
424 } else if (changed_nt_pw
&& !changed_lm_pw
) {
425 samdb_msg_add_delete(state
->ldb
, msg
, msg
,
428 if (changed_lm_pw
|| changed_nt_pw
) {
429 samdb_msg_add_delete(state
->ldb
, msg
, msg
,
430 "supplementalCredentials");
434 if (need_update(sam
, PDB_PWHISTORY
)) {
435 uint32_t current_hist_len
;
436 const uint8_t *history
= pdb_get_pw_history(sam
, ¤t_hist_len
);
438 bool invalid_history
= false;
439 struct samr_Password
*history_hashes
= talloc_array(talloc_tos(), struct samr_Password
,
442 invalid_history
= true;
445 static const uint8_t zeros
[16];
446 /* Parse the history into the correct format */
447 for (i
= 0; i
< current_hist_len
; i
++) {
448 if (memcmp(&history
[i
*PW_HISTORY_ENTRY_LEN
], zeros
, 16) != 0) {
449 /* If the history is in the old format, with a salted hash, then we can't migrate it to AD format */
450 invalid_history
= true;
453 /* Copy out the 2nd 16 bytes of the 32 byte password history, containing the NT hash */
454 memcpy(history_hashes
[i
].hash
,
455 &history
[(i
*PW_HISTORY_ENTRY_LEN
) + PW_HISTORY_SALT_LEN
],
456 sizeof(history_hashes
[i
].hash
));
459 if (invalid_history
) {
460 ret
|= samdb_msg_add_delete(state
->ldb
, msg
, msg
,
463 ret
|= samdb_msg_add_delete(state
->ldb
, msg
, msg
,
466 ret
|= samdb_msg_add_hashes(state
->ldb
, msg
, msg
,
471 changed_history
= true;
473 if (changed_lm_pw
|| changed_nt_pw
|| changed_history
) {
474 /* These attributes can only be modified directly by using a special control */
475 dsdb_flags
= DSDB_BYPASS_PASSWORD_HASH
;
479 /* PDB_USERSID is only allowed on ADD, handled in caller */
480 if (need_update(sam
, PDB_GROUPSID
)) {
481 const struct dom_sid
*sid
= pdb_get_group_sid(sam
);
483 NTSTATUS status
= dom_sid_split_rid(NULL
, sid
, NULL
, &rid
);
484 if (!NT_STATUS_IS_OK(status
)) {
486 return LDB_ERR_OPERATIONS_ERROR
;
488 if (!dom_sid_in_domain(samdb_domain_sid(state
->ldb
), sid
)) {
490 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
492 ret
|= samdb_msg_add_uint(state
->ldb
, msg
, msg
, "primaryGroupID", rid
);
494 if (need_update(sam
, PDB_FULLNAME
)) {
495 ret
|= ldb_msg_add_string(msg
, "displayName", pdb_get_fullname(sam
));
498 if (need_update(sam
, PDB_SMBHOME
)) {
499 ret
|= ldb_msg_add_string(msg
, "homeDirectory",
500 pdb_get_homedir(sam
));
503 if (need_update(sam
, PDB_PROFILE
)) {
504 ret
|= ldb_msg_add_string(msg
, "profilePath",
505 pdb_get_profile_path(sam
));
508 if (need_update(sam
, PDB_DRIVE
)) {
509 ret
|= ldb_msg_add_string(msg
, "homeDrive",
510 pdb_get_dir_drive(sam
));
513 if (need_update(sam
, PDB_LOGONSCRIPT
)) {
514 ret
|= ldb_msg_add_string(msg
, "scriptPath",
515 pdb_get_logon_script(sam
));
518 if (need_update(sam
, PDB_KICKOFFTIME
)) {
519 ret
|= pdb_samba_dsdb_add_time(msg
, "accountExpires",
520 pdb_get_kickoff_time(sam
));
523 if (need_update(sam
, PDB_LOGONTIME
)) {
524 ret
|= pdb_samba_dsdb_add_time(msg
, "lastLogon",
525 pdb_get_logon_time(sam
));
528 if (need_update(sam
, PDB_LOGOFFTIME
)) {
529 ret
|= pdb_samba_dsdb_add_time(msg
, "lastLogoff",
530 pdb_get_logoff_time(sam
));
533 if (need_update(sam
, PDB_USERNAME
)) {
534 ret
|= ldb_msg_add_string(msg
, "samAccountName",
535 pdb_get_username(sam
));
538 if (need_update(sam
, PDB_HOURSLEN
) || need_update(sam
, PDB_HOURS
)) {
539 struct ldb_val hours
= data_blob_const(pdb_get_hours(sam
), pdb_get_hours_len(sam
));
540 ret
|= ldb_msg_add_value(msg
, "logonHours",
544 if (need_update(sam
, PDB_ACCTCTRL
)) {
545 ret
|= samdb_msg_add_acct_flags(state
->ldb
, msg
, msg
,
546 "userAccountControl", pdb_get_acct_ctrl(sam
));
549 if (need_update(sam
, PDB_COMMENT
)) {
550 ret
|= ldb_msg_add_string(msg
, "comment",
551 pdb_get_comment(sam
));
554 if (need_update(sam
, PDB_ACCTDESC
)) {
555 ret
|= ldb_msg_add_string(msg
, "description",
556 pdb_get_acct_desc(sam
));
559 if (need_update(sam
, PDB_WORKSTATIONS
)) {
560 ret
|= ldb_msg_add_string(msg
, "userWorkstations",
561 pdb_get_workstations(sam
));
564 /* This will need work, it is actually a UTF8 'string' with internal NULLs, to handle TS parameters */
565 if (need_update(sam
, PDB_MUNGEDDIAL
)) {
566 const char *base64_munged_dial
= NULL
;
568 base64_munged_dial
= pdb_get_munged_dial(sam
);
569 if (base64_munged_dial
!= NULL
&& strlen(base64_munged_dial
) > 0) {
572 blob
= base64_decode_data_blob_talloc(msg
,
574 if (blob
.data
== NULL
) {
575 DEBUG(0, ("Failed to decode userParameters from "
576 "munged dialback string[%s] for %s\n",
578 ldb_dn_get_linearized(msg
->dn
)));
580 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
582 ret
|= ldb_msg_add_steal_value(msg
, "userParameters",
587 if (need_update(sam
, PDB_COUNTRY_CODE
)) {
588 ret
|= ldb_msg_add_fmt(msg
, "countryCode",
589 "%i", (int)pdb_get_country_code(sam
));
592 if (need_update(sam
, PDB_CODE_PAGE
)) {
593 ret
|= ldb_msg_add_fmt(msg
, "codePage",
594 "%i", (int)pdb_get_code_page(sam
));
597 /* Not yet handled here or not meaningful for modifies on a Samba_Dsdb backend:
598 PDB_BAD_PASSWORD_TIME,
599 PDB_CANCHANGETIME, - these are calculated per policy, not stored
601 PDB_NTUSERNAME, - this makes no sense, and never really did
603 PDB_USERSID, - Handled in pdb_samba_dsdb_add_sam_account()
605 PDB_BAD_PASSWORD_COUNT,
608 PDB_BACKEND_PRIVATE_DATA,
611 if (ret
!= LDB_SUCCESS
) {
613 return LDB_ERR_OPERATIONS_ERROR
;
616 if (msg
->num_elements
== 0) {
618 /* Nothing to do, just return success */
622 ret
= dsdb_replace(state
->ldb
, msg
, dsdb_flags
);
624 if (ret
!= LDB_SUCCESS
) {
625 DEBUG(0,("Failed to modify account record %s to set user attributes: %s\n",
626 ldb_dn_get_linearized(msg
->dn
),
627 ldb_errstring(state
->ldb
)));
634 static NTSTATUS
pdb_samba_dsdb_getsamupriv(struct pdb_samba_dsdb_state
*state
,
637 struct ldb_message
**msg
)
639 const char * attrs
[] = {
640 "lastLogon", "lastLogoff", "pwdLastSet", "accountExpires",
641 "sAMAccountName", "displayName", "homeDirectory",
642 "homeDrive", "scriptPath", "profilePath", "description",
643 "userWorkstations", "comment", "userParameters", "objectSid",
644 "primaryGroupID", "userAccountControl",
645 "msDS-User-Account-Control-Computed", "logonHours",
646 "badPwdCount", "logonCount", "countryCode", "codePage",
647 "unicodePwd", "dBCSPwd", NULL
};
649 int rc
= dsdb_search_one(state
->ldb
, mem_ctx
, msg
, ldb_get_default_basedn(state
->ldb
), LDB_SCOPE_SUBTREE
, attrs
, 0, "%s", filter
);
650 if (rc
!= LDB_SUCCESS
) {
651 DEBUG(10, ("ldap_search failed %s\n",
652 ldb_errstring(state
->ldb
)));
653 return NT_STATUS_LDAP(rc
);
659 static NTSTATUS
pdb_samba_dsdb_getsampwfilter(struct pdb_methods
*m
,
660 struct pdb_samba_dsdb_state
*state
,
661 struct samu
*sam_acct
,
662 const char *exp_fmt
, ...) _PRINTF_ATTRIBUTE(4, 5)
664 struct ldb_message
*priv
;
667 char *expression
= NULL
;
668 TALLOC_CTX
*tmp_ctx
= talloc_new(state
);
669 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
671 va_start(ap
, exp_fmt
);
672 expression
= talloc_vasprintf(tmp_ctx
, exp_fmt
, ap
);
676 talloc_free(tmp_ctx
);
677 return NT_STATUS_NO_MEMORY
;
680 status
= pdb_samba_dsdb_getsamupriv(state
, expression
, sam_acct
, &priv
);
681 talloc_free(tmp_ctx
);
682 if (!NT_STATUS_IS_OK(status
)) {
683 DEBUG(10, ("pdb_samba_dsdb_getsamupriv failed: %s\n",
688 status
= pdb_samba_dsdb_init_sam_from_priv(m
, sam_acct
, priv
);
689 if (!NT_STATUS_IS_OK(status
)) {
690 DEBUG(10, ("pdb_samba_dsdb_init_sam_from_priv failed: %s\n",
696 pdb_set_backend_private_data(sam_acct
, priv
, NULL
, m
, PDB_SET
);
700 static NTSTATUS
pdb_samba_dsdb_getsampwnam(struct pdb_methods
*m
,
701 struct samu
*sam_acct
,
702 const char *username
)
704 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
705 m
->private_data
, struct pdb_samba_dsdb_state
);
707 return pdb_samba_dsdb_getsampwfilter(m
, state
, sam_acct
,
708 "(&(samaccountname=%s)(objectclass=user))",
712 static NTSTATUS
pdb_samba_dsdb_getsampwsid(struct pdb_methods
*m
,
713 struct samu
*sam_acct
,
714 const struct dom_sid
*sid
)
717 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
718 m
->private_data
, struct pdb_samba_dsdb_state
);
721 sidstr
= dom_sid_string(talloc_tos(), sid
);
722 NT_STATUS_HAVE_NO_MEMORY(sidstr
);
724 status
= pdb_samba_dsdb_getsampwfilter(m
, state
, sam_acct
,
725 "(&(objectsid=%s)(objectclass=user))",
731 static NTSTATUS
pdb_samba_dsdb_create_user(struct pdb_methods
*m
,
733 const char *name
, uint32_t acct_flags
,
736 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
737 m
->private_data
, struct pdb_samba_dsdb_state
);
741 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
742 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
744 /* Internally this uses transactions to ensure all the steps
745 * happen or fail as one */
746 status
= dsdb_add_user(state
->ldb
, tmp_ctx
, name
, acct_flags
, NULL
,
748 if (!NT_STATUS_IS_OK(status
)) {
749 talloc_free(tmp_ctx
);
752 sid_peek_rid(sid
, rid
);
753 talloc_free(tmp_ctx
);
757 static NTSTATUS
pdb_samba_dsdb_delete_user(struct pdb_methods
*m
,
761 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
762 m
->private_data
, struct pdb_samba_dsdb_state
);
765 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
766 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
768 dn
= ldb_dn_new_fmt(tmp_ctx
, state
->ldb
, "<SID=%s>", dom_sid_string(tmp_ctx
, pdb_get_user_sid(sam
)));
769 if (!dn
|| !ldb_dn_validate(dn
)) {
770 talloc_free(tmp_ctx
);
771 return NT_STATUS_NO_MEMORY
;
773 rc
= ldb_delete(state
->ldb
, dn
);
775 if (rc
!= LDB_SUCCESS
) {
776 DEBUG(10, ("ldb_delete for %s failed: %s\n", ldb_dn_get_linearized(dn
),
777 ldb_errstring(state
->ldb
)));
778 talloc_free(tmp_ctx
);
779 return NT_STATUS_LDAP(rc
);
781 talloc_free(tmp_ctx
);
785 /* This interface takes a fully populated struct samu and places it in
786 * the database. This is not implemented at this time as we need to
787 * be careful around the creation of arbitary SIDs (ie, we must ensrue
788 * they are not left in a RID pool */
789 static NTSTATUS
pdb_samba_dsdb_add_sam_account(struct pdb_methods
*m
,
790 struct samu
*sampass
)
795 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
796 m
->private_data
, struct pdb_samba_dsdb_state
);
797 uint32_t acb_flags
= pdb_get_acct_ctrl(sampass
);
798 const char *username
= pdb_get_username(sampass
);
799 const struct dom_sid
*user_sid
= pdb_get_user_sid(sampass
);
800 TALLOC_CTX
*tframe
= talloc_stackframe();
802 acb_flags
&= (ACB_NORMAL
|ACB_WSTRUST
|ACB_SVRTRUST
|ACB_DOMTRUST
);
804 ret
= ldb_transaction_start(state
->ldb
);
805 if (ret
!= LDB_SUCCESS
) {
807 return NT_STATUS_LOCK_NOT_GRANTED
;
810 status
= dsdb_add_user(state
->ldb
, talloc_tos(), username
,
811 acb_flags
, user_sid
, NULL
, &dn
);
812 if (!NT_STATUS_IS_OK(status
)) {
813 ldb_transaction_cancel(state
->ldb
);
818 ret
= pdb_samba_dsdb_replace_by_sam(state
, pdb_element_is_set_or_changed
,
820 if (ret
!= LDB_SUCCESS
) {
821 ldb_transaction_cancel(state
->ldb
);
823 return dsdb_ldb_err_to_ntstatus(ret
);
826 ret
= ldb_transaction_commit(state
->ldb
);
827 if (ret
!= LDB_SUCCESS
) {
828 DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n",
829 ldb_dn_get_linearized(dn
),
830 ldb_errstring(state
->ldb
)));
832 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
839 * Update the Samba_Dsdb LDB with the changes from a struct samu.
841 * This takes care not to update elements that have not been changed
844 static NTSTATUS
pdb_samba_dsdb_update_sam_account(struct pdb_methods
*m
,
847 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
848 m
->private_data
, struct pdb_samba_dsdb_state
);
849 struct ldb_message
*msg
= pdb_samba_dsdb_get_samu_private(
853 ret
= pdb_samba_dsdb_replace_by_sam(state
, pdb_element_is_changed
, msg
->dn
,
855 return dsdb_ldb_err_to_ntstatus(ret
);
858 static NTSTATUS
pdb_samba_dsdb_delete_sam_account(struct pdb_methods
*m
,
859 struct samu
*username
)
862 TALLOC_CTX
*tmp_ctx
= talloc_new(NULL
);
863 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
864 status
= pdb_samba_dsdb_delete_user(m
, tmp_ctx
, username
);
865 talloc_free(tmp_ctx
);
869 static NTSTATUS
pdb_samba_dsdb_rename_sam_account(struct pdb_methods
*m
,
870 struct samu
*oldname
,
873 return NT_STATUS_NOT_IMPLEMENTED
;
876 /* This is not implemented, as this module is exptected to be used
877 * with auth_samba_dsdb, and this is responible for login counters etc
880 static NTSTATUS
pdb_samba_dsdb_update_login_attempts(struct pdb_methods
*m
,
881 struct samu
*sam_acct
,
884 return NT_STATUS_NOT_IMPLEMENTED
;
887 static NTSTATUS
pdb_samba_dsdb_getgrfilter(struct pdb_methods
*m
, GROUP_MAP
*map
,
888 const char *exp_fmt
, ...) _PRINTF_ATTRIBUTE(4, 5)
890 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
891 m
->private_data
, struct pdb_samba_dsdb_state
);
892 const char *attrs
[] = { "objectClass", "objectSid", "description", "samAccountName", "groupType",
894 struct ldb_message
*msg
;
896 char *expression
= NULL
;
900 struct id_map id_map
;
901 struct id_map
*id_maps
[2];
902 TALLOC_CTX
*tmp_ctx
= talloc_stackframe();
903 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
905 va_start(ap
, exp_fmt
);
906 expression
= talloc_vasprintf(tmp_ctx
, exp_fmt
, ap
);
910 talloc_free(tmp_ctx
);
911 return NT_STATUS_NO_MEMORY
;
914 rc
= dsdb_search_one(state
->ldb
, tmp_ctx
, &msg
, ldb_get_default_basedn(state
->ldb
), LDB_SCOPE_SUBTREE
, attrs
, 0, "%s", expression
);
915 if (rc
== LDB_ERR_NO_SUCH_OBJECT
) {
916 talloc_free(tmp_ctx
);
917 return NT_STATUS_NO_SUCH_GROUP
;
918 } else if (rc
!= LDB_SUCCESS
) {
919 talloc_free(tmp_ctx
);
920 DEBUG(10, ("dsdb_search_one failed %s\n",
921 ldb_errstring(state
->ldb
)));
922 return NT_STATUS_LDAP(rc
);
925 sid
= samdb_result_dom_sid(tmp_ctx
, msg
, "objectSid");
927 talloc_free(tmp_ctx
);
928 DEBUG(10, ("Could not pull SID\n"));
929 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
934 if (samdb_find_attribute(state
->ldb
, msg
, "objectClass", "group")) {
936 uint32_t grouptype
= ldb_msg_find_attr_as_uint(msg
, "groupType", 0);
938 case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
:
939 case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP
:
940 map
->sid_name_use
= SID_NAME_ALIAS
;
942 case GTYPE_SECURITY_GLOBAL_GROUP
:
943 map
->sid_name_use
= SID_NAME_DOM_GRP
;
946 talloc_free(tmp_ctx
);
947 DEBUG(10, ("Could not pull groupType\n"));
948 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
953 id_maps
[0] = &id_map
;
956 status
= idmap_sids_to_xids(state
->idmap_ctx
, tmp_ctx
, id_maps
);
958 if (!NT_STATUS_IS_OK(status
)) {
959 talloc_free(tmp_ctx
);
962 if (id_map
.xid
.type
== ID_TYPE_GID
|| id_map
.xid
.type
== ID_TYPE_BOTH
) {
963 map
->gid
= id_map
.xid
.id
;
965 DEBUG(1, (__location__
"Did not get GUID when mapping SID for %s", expression
));
966 talloc_free(tmp_ctx
);
967 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
969 } else if (samdb_find_attribute(state
->ldb
, msg
, "objectClass", "user")) {
970 DEBUG(1, (__location__
"Got SID_NAME_USER when searching for a group with %s", expression
));
971 talloc_free(tmp_ctx
);
972 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
975 str
= ldb_msg_find_attr_as_string(msg
, "samAccountName",
978 talloc_free(tmp_ctx
);
979 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
981 map
->nt_name
= talloc_strdup(map
, str
);
983 talloc_free(tmp_ctx
);
984 return NT_STATUS_NO_MEMORY
;
987 str
= ldb_msg_find_attr_as_string(msg
, "description",
990 map
->comment
= talloc_strdup(map
, str
);
992 map
->comment
= talloc_strdup(map
, "");
995 talloc_free(tmp_ctx
);
996 return NT_STATUS_NO_MEMORY
;
999 talloc_free(tmp_ctx
);
1000 return NT_STATUS_OK
;
1003 static NTSTATUS
pdb_samba_dsdb_getgrsid(struct pdb_methods
*m
, GROUP_MAP
*map
,
1009 filter
= talloc_asprintf(talloc_tos(),
1010 "(&(objectsid=%s)(objectclass=group))",
1011 sid_string_talloc(talloc_tos(), &sid
));
1012 if (filter
== NULL
) {
1013 return NT_STATUS_NO_MEMORY
;
1016 status
= pdb_samba_dsdb_getgrfilter(m
, map
, filter
);
1017 TALLOC_FREE(filter
);
1021 static NTSTATUS
pdb_samba_dsdb_getgrgid(struct pdb_methods
*m
, GROUP_MAP
*map
,
1024 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1025 m
->private_data
, struct pdb_samba_dsdb_state
);
1027 struct id_map id_map
;
1028 struct id_map
*id_maps
[2];
1029 TALLOC_CTX
*tmp_ctx
= talloc_stackframe();
1030 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1032 id_map
.xid
.id
= gid
;
1033 id_map
.xid
.type
= ID_TYPE_GID
;
1034 id_maps
[0] = &id_map
;
1037 status
= idmap_xids_to_sids(state
->idmap_ctx
, tmp_ctx
, id_maps
);
1038 if (!NT_STATUS_IS_OK(status
)) {
1039 talloc_free(tmp_ctx
);
1042 status
= pdb_samba_dsdb_getgrsid(m
, map
, *id_map
.sid
);
1043 talloc_free(tmp_ctx
);
1047 static NTSTATUS
pdb_samba_dsdb_getgrnam(struct pdb_methods
*m
, GROUP_MAP
*map
,
1053 filter
= talloc_asprintf(talloc_tos(),
1054 "(&(samaccountname=%s)(objectclass=group))",
1056 if (filter
== NULL
) {
1057 return NT_STATUS_NO_MEMORY
;
1060 status
= pdb_samba_dsdb_getgrfilter(m
, map
, filter
);
1061 TALLOC_FREE(filter
);
1065 static NTSTATUS
pdb_samba_dsdb_create_dom_group(struct pdb_methods
*m
,
1066 TALLOC_CTX
*mem_ctx
, const char *name
,
1069 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1070 m
->private_data
, struct pdb_samba_dsdb_state
);
1072 struct dom_sid
*sid
;
1074 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1075 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1077 status
= dsdb_add_domain_group(state
->ldb
, tmp_ctx
, name
, &sid
, &dn
);
1078 if (!NT_STATUS_IS_OK(status
)) {
1079 talloc_free(tmp_ctx
);
1083 sid_peek_rid(sid
, rid
);
1084 talloc_free(tmp_ctx
);
1085 return NT_STATUS_OK
;
1088 static NTSTATUS
pdb_samba_dsdb_delete_dom_group(struct pdb_methods
*m
,
1089 TALLOC_CTX
*mem_ctx
, uint32_t rid
)
1091 const char *attrs
[] = { NULL
};
1092 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1093 m
->private_data
, struct pdb_samba_dsdb_state
);
1095 struct ldb_message
*msg
;
1098 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1099 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1101 sid_compose(&sid
, samdb_domain_sid(state
->ldb
), rid
);
1103 if (ldb_transaction_start(state
->ldb
) != LDB_SUCCESS
) {
1104 DEBUG(0, ("Unable to start transaction in pdb_samba_dsdb_delete_dom_group()\n"));
1105 return NT_STATUS_INTERNAL_ERROR
;
1108 dn
= ldb_dn_new_fmt(tmp_ctx
, state
->ldb
, "<SID=%s>", dom_sid_string(tmp_ctx
, &sid
));
1109 if (!dn
|| !ldb_dn_validate(dn
)) {
1110 talloc_free(tmp_ctx
);
1111 ldb_transaction_cancel(state
->ldb
);
1112 return NT_STATUS_NO_MEMORY
;
1114 rc
= dsdb_search_one(state
->ldb
, tmp_ctx
, &msg
, dn
, LDB_SCOPE_BASE
, attrs
, 0, "objectclass=group");
1115 if (rc
== LDB_ERR_NO_SUCH_OBJECT
) {
1116 talloc_free(tmp_ctx
);
1117 ldb_transaction_cancel(state
->ldb
);
1118 return NT_STATUS_NO_SUCH_GROUP
;
1120 rc
= ldb_delete(state
->ldb
, dn
);
1121 if (rc
== LDB_ERR_NO_SUCH_OBJECT
) {
1122 talloc_free(tmp_ctx
);
1123 ldb_transaction_cancel(state
->ldb
);
1124 return NT_STATUS_NO_SUCH_GROUP
;
1125 } else if (rc
!= LDB_SUCCESS
) {
1126 DEBUG(10, ("ldb_delete failed %s\n",
1127 ldb_errstring(state
->ldb
)));
1128 ldb_transaction_cancel(state
->ldb
);
1129 return NT_STATUS_LDAP(rc
);
1132 if (ldb_transaction_commit(state
->ldb
) != LDB_SUCCESS
) {
1133 DEBUG(0, ("Unable to commit transaction in pdb_samba_dsdb_delete_dom_group()\n"));
1134 return NT_STATUS_INTERNAL_ERROR
;
1136 return NT_STATUS_OK
;
1139 static NTSTATUS
pdb_samba_dsdb_add_group_mapping_entry(struct pdb_methods
*m
,
1142 return NT_STATUS_NOT_IMPLEMENTED
;
1145 static NTSTATUS
pdb_samba_dsdb_update_group_mapping_entry(struct pdb_methods
*m
,
1148 return NT_STATUS_NOT_IMPLEMENTED
;
1151 static NTSTATUS
pdb_samba_dsdb_delete_group_mapping_entry(struct pdb_methods
*m
,
1154 return NT_STATUS_NOT_IMPLEMENTED
;
1157 static NTSTATUS
pdb_samba_dsdb_enum_group_mapping(struct pdb_methods
*m
,
1158 const struct dom_sid
*sid
,
1159 enum lsa_SidType sid_name_use
,
1160 GROUP_MAP
***pp_rmap
,
1161 size_t *p_num_entries
,
1164 return NT_STATUS_NOT_IMPLEMENTED
;
1167 static NTSTATUS
pdb_samba_dsdb_enum_group_members(struct pdb_methods
*m
,
1168 TALLOC_CTX
*mem_ctx
,
1169 const struct dom_sid
*group
,
1170 uint32_t **pmembers
,
1171 size_t *pnum_members
)
1173 unsigned int i
, num_sids
, num_members
;
1174 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1175 m
->private_data
, struct pdb_samba_dsdb_state
);
1176 struct dom_sid
*members_as_sids
;
1177 struct dom_sid
*dom_sid
;
1182 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1183 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1185 dn
= ldb_dn_new_fmt(tmp_ctx
, state
->ldb
, "<SID=%s>", dom_sid_string(tmp_ctx
, group
));
1186 if (!dn
|| !ldb_dn_validate(dn
)) {
1187 return NT_STATUS_NO_MEMORY
;
1190 status
= dsdb_enum_group_mem(state
->ldb
, tmp_ctx
, dn
, &members_as_sids
, &num_sids
);
1191 if (!NT_STATUS_IS_OK(status
)) {
1192 talloc_free(tmp_ctx
);
1195 status
= dom_sid_split_rid(tmp_ctx
, group
, &dom_sid
, NULL
);
1196 if (!NT_STATUS_IS_OK(status
)) {
1197 talloc_free(tmp_ctx
);
1201 *pmembers
= members
= talloc_array(mem_ctx
, uint32_t, num_sids
);
1202 if (*pmembers
== NULL
) {
1203 TALLOC_FREE(tmp_ctx
);
1204 return NT_STATUS_NO_MEMORY
;
1208 for (i
= 0; i
< num_sids
; i
++) {
1209 if (!dom_sid_in_domain(dom_sid
, &members_as_sids
[i
])) {
1212 status
= dom_sid_split_rid(NULL
, &members_as_sids
[i
],
1213 NULL
, &members
[num_members
]);
1214 if (!NT_STATUS_IS_OK(status
)) {
1215 talloc_free(tmp_ctx
);
1220 *pnum_members
= num_members
;
1221 return NT_STATUS_OK
;
1224 /* Just convert the primary group SID into a group */
1225 static NTSTATUS
fake_enum_group_memberships(struct pdb_samba_dsdb_state
*state
,
1226 TALLOC_CTX
*mem_ctx
,
1228 struct dom_sid
**pp_sids
,
1230 uint32_t *p_num_groups
)
1233 size_t num_groups
= 0;
1234 struct dom_sid
*group_sids
= NULL
;
1236 TALLOC_CTX
*tmp_ctx
;
1238 tmp_ctx
= talloc_new(mem_ctx
);
1239 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1241 if (user
->group_sid
) {
1242 struct id_map
*id_maps
[2];
1243 struct id_map id_map
;
1247 group_sids
= talloc_array(tmp_ctx
, struct dom_sid
, num_groups
);
1248 if (group_sids
== NULL
) {
1249 talloc_free(tmp_ctx
);
1250 return NT_STATUS_NO_MEMORY
;
1252 gids
= talloc_array(tmp_ctx
, gid_t
, num_groups
);
1254 talloc_free(tmp_ctx
);
1255 return NT_STATUS_NO_MEMORY
;
1258 group_sids
[0] = *user
->group_sid
;
1260 ZERO_STRUCT(id_map
);
1261 id_map
.sid
= &group_sids
[0];
1262 id_maps
[0] = &id_map
;
1265 status
= idmap_sids_to_xids(state
->idmap_ctx
, tmp_ctx
, id_maps
);
1266 if (!NT_STATUS_IS_OK(status
)) {
1267 talloc_free(tmp_ctx
);
1270 if (id_map
.xid
.type
== ID_TYPE_GID
|| id_map
.xid
.type
== ID_TYPE_BOTH
) {
1271 gids
[0] = id_map
.xid
.id
;
1273 DEBUG(1, (__location__
1274 "Group %s, of which %s is a member, could not be converted to a GID\n",
1275 dom_sid_string(tmp_ctx
, &group_sids
[0]),
1276 dom_sid_string(tmp_ctx
, &user
->user_sid
)));
1277 talloc_free(tmp_ctx
);
1278 /* We must error out, otherwise a user might
1279 * avoid a DENY acl based on a group they
1281 return NT_STATUS_NO_SUCH_GROUP
;
1285 *pp_sids
= talloc_steal(mem_ctx
, group_sids
);
1286 *pp_gids
= talloc_steal(mem_ctx
, gids
);
1287 *p_num_groups
= num_groups
;
1288 talloc_free(tmp_ctx
);
1289 return NT_STATUS_OK
;
1292 static NTSTATUS
pdb_samba_dsdb_enum_group_memberships(struct pdb_methods
*m
,
1293 TALLOC_CTX
*mem_ctx
,
1295 struct dom_sid
**pp_sids
,
1297 uint32_t *p_num_groups
)
1299 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1300 m
->private_data
, struct pdb_samba_dsdb_state
);
1301 struct ldb_message
*msg
= pdb_samba_dsdb_get_samu_private(
1303 const char *attrs
[] = { "tokenGroups", NULL
};
1304 struct ldb_message
*tokengroups_msg
;
1305 struct ldb_message_element
*tokengroups
;
1308 unsigned int count
= 0;
1310 struct dom_sid
*group_sids
;
1312 TALLOC_CTX
*tmp_ctx
;
1315 /* Fake up some things here */
1316 return fake_enum_group_memberships(state
,
1319 pp_gids
, p_num_groups
);
1322 tmp_ctx
= talloc_new(mem_ctx
);
1323 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1325 rc
= dsdb_search_one(state
->ldb
, tmp_ctx
, &tokengroups_msg
, msg
->dn
, LDB_SCOPE_BASE
, attrs
, 0, NULL
);
1327 if (rc
== LDB_ERR_NO_SUCH_OBJECT
) {
1328 talloc_free(tmp_ctx
);
1329 return NT_STATUS_NO_SUCH_USER
;
1330 } else if (rc
!= LDB_SUCCESS
) {
1331 DEBUG(10, ("dsdb_search_one failed %s\n",
1332 ldb_errstring(state
->ldb
)));
1333 talloc_free(tmp_ctx
);
1334 return NT_STATUS_LDAP(rc
);
1337 tokengroups
= ldb_msg_find_element(tokengroups_msg
, "tokenGroups");
1340 count
= tokengroups
->num_values
;
1343 group_sids
= talloc_array(tmp_ctx
, struct dom_sid
, count
);
1344 if (group_sids
== NULL
) {
1345 talloc_free(tmp_ctx
);
1346 return NT_STATUS_NO_MEMORY
;
1348 gids
= talloc_array(tmp_ctx
, gid_t
, count
);
1350 talloc_free(tmp_ctx
);
1351 return NT_STATUS_NO_MEMORY
;
1355 for (i
=0; i
<count
; i
++) {
1356 struct id_map
*id_maps
[2];
1357 struct id_map id_map
;
1358 struct ldb_val
*v
= &tokengroups
->values
[i
];
1359 enum ndr_err_code ndr_err
1360 = ndr_pull_struct_blob(v
, group_sids
, &group_sids
[num_groups
],
1361 (ndr_pull_flags_fn_t
)ndr_pull_dom_sid
);
1362 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1363 talloc_free(tmp_ctx
);
1364 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
1367 ZERO_STRUCT(id_map
);
1368 id_map
.sid
= &group_sids
[num_groups
];
1369 id_maps
[0] = &id_map
;
1372 status
= idmap_sids_to_xids(state
->idmap_ctx
, tmp_ctx
, id_maps
);
1373 if (!NT_STATUS_IS_OK(status
)) {
1374 talloc_free(tmp_ctx
);
1377 if (id_map
.xid
.type
== ID_TYPE_GID
|| id_map
.xid
.type
== ID_TYPE_BOTH
) {
1378 gids
[num_groups
] = id_map
.xid
.id
;
1380 DEBUG(1, (__location__
1381 "Group %s, of which %s is a member, could not be converted to a GID\n",
1382 dom_sid_string(tmp_ctx
, &group_sids
[num_groups
]),
1383 ldb_dn_get_linearized(msg
->dn
)));
1384 talloc_free(tmp_ctx
);
1385 /* We must error out, otherwise a user might
1386 * avoid a DENY acl based on a group they
1388 return NT_STATUS_NO_SUCH_GROUP
;
1392 if (num_groups
== count
) {
1397 *pp_sids
= talloc_steal(mem_ctx
, group_sids
);
1398 *pp_gids
= talloc_steal(mem_ctx
, gids
);
1399 *p_num_groups
= num_groups
;
1400 talloc_free(tmp_ctx
);
1401 return NT_STATUS_OK
;
1404 static NTSTATUS
pdb_samba_dsdb_set_unix_primary_group(struct pdb_methods
*m
,
1405 TALLOC_CTX
*mem_ctx
,
1408 return NT_STATUS_NOT_IMPLEMENTED
;
1411 static NTSTATUS
pdb_samba_dsdb_mod_groupmem_by_sid(struct pdb_methods
*m
,
1412 TALLOC_CTX
*mem_ctx
,
1413 const struct dom_sid
*groupsid
,
1414 const struct dom_sid
*membersid
,
1417 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1418 m
->private_data
, struct pdb_samba_dsdb_state
);
1419 struct ldb_message
*msg
;
1421 struct ldb_message_element
*el
;
1422 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1423 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1424 msg
= ldb_msg_new(tmp_ctx
);
1426 TALLOC_FREE(tmp_ctx
);
1427 return NT_STATUS_NO_MEMORY
;
1430 msg
->dn
= ldb_dn_new_fmt(msg
, state
->ldb
, "<SID=%s>", dom_sid_string(tmp_ctx
, groupsid
));
1431 if (!msg
->dn
|| !ldb_dn_validate(msg
->dn
)) {
1432 talloc_free(tmp_ctx
);
1433 return NT_STATUS_NO_MEMORY
;
1435 ret
= ldb_msg_add_fmt(msg
, "member", "<SID=%s>", dom_sid_string(tmp_ctx
, membersid
));
1436 if (ret
!= LDB_SUCCESS
) {
1437 talloc_free(tmp_ctx
);
1438 return NT_STATUS_NO_MEMORY
;
1440 el
= ldb_msg_find_element(msg
, "member");
1443 /* No need for transactions here, the ldb auto-transaction
1444 * code will handle things for the single operation */
1445 ret
= ldb_modify(state
->ldb
, msg
);
1446 talloc_free(tmp_ctx
);
1447 if (ret
!= LDB_SUCCESS
) {
1448 DEBUG(10, ("ldb_modify failed: %s\n",
1449 ldb_errstring(state
->ldb
)));
1450 if (ret
== LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS
) {
1451 return NT_STATUS_MEMBER_IN_GROUP
;
1453 if (ret
== LDB_ERR_NO_SUCH_ATTRIBUTE
) {
1454 return NT_STATUS_MEMBER_NOT_IN_GROUP
;
1456 return NT_STATUS_LDAP(ret
);
1459 return NT_STATUS_OK
;
1462 static NTSTATUS
pdb_samba_dsdb_mod_groupmem(struct pdb_methods
*m
,
1463 TALLOC_CTX
*mem_ctx
,
1464 uint32_t grouprid
, uint32_t memberrid
,
1467 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1468 m
->private_data
, struct pdb_samba_dsdb_state
);
1469 const struct dom_sid
*dom_sid
, *groupsid
, *membersid
;
1471 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1472 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1474 dom_sid
= samdb_domain_sid(state
->ldb
);
1476 groupsid
= dom_sid_add_rid(tmp_ctx
, dom_sid
, grouprid
);
1477 if (groupsid
== NULL
) {
1478 TALLOC_FREE(tmp_ctx
);
1479 return NT_STATUS_NO_MEMORY
;
1481 membersid
= dom_sid_add_rid(tmp_ctx
, dom_sid
, memberrid
);
1482 if (membersid
== NULL
) {
1483 TALLOC_FREE(tmp_ctx
);
1484 return NT_STATUS_NO_MEMORY
;
1486 status
= pdb_samba_dsdb_mod_groupmem_by_sid(m
, tmp_ctx
, groupsid
, membersid
, mod_op
);
1487 talloc_free(tmp_ctx
);
1491 static NTSTATUS
pdb_samba_dsdb_add_groupmem(struct pdb_methods
*m
,
1492 TALLOC_CTX
*mem_ctx
,
1493 uint32_t group_rid
, uint32_t member_rid
)
1495 return pdb_samba_dsdb_mod_groupmem(m
, mem_ctx
, group_rid
, member_rid
,
1499 static NTSTATUS
pdb_samba_dsdb_del_groupmem(struct pdb_methods
*m
,
1500 TALLOC_CTX
*mem_ctx
,
1501 uint32_t group_rid
, uint32_t member_rid
)
1503 return pdb_samba_dsdb_mod_groupmem(m
, mem_ctx
, group_rid
, member_rid
,
1504 LDB_FLAG_MOD_DELETE
);
1507 static NTSTATUS
pdb_samba_dsdb_create_alias(struct pdb_methods
*m
,
1508 const char *name
, uint32_t *rid
)
1510 TALLOC_CTX
*frame
= talloc_stackframe();
1511 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1512 m
->private_data
, struct pdb_samba_dsdb_state
);
1513 struct dom_sid
*sid
;
1518 /* Internally this uses transactions to ensure all the steps
1519 * happen or fail as one */
1520 status
= dsdb_add_domain_alias(state
->ldb
, frame
, name
, &sid
, &dn
);
1521 if (!NT_STATUS_IS_OK(status
)) {
1525 sid_peek_rid(sid
, rid
);
1527 return NT_STATUS_OK
;
1530 static NTSTATUS
pdb_samba_dsdb_delete_alias(struct pdb_methods
*m
,
1531 const struct dom_sid
*sid
)
1533 const char *attrs
[] = { NULL
};
1534 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1535 m
->private_data
, struct pdb_samba_dsdb_state
);
1536 struct ldb_message
*msg
;
1539 TALLOC_CTX
*tmp_ctx
= talloc_stackframe();
1540 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1542 dn
= ldb_dn_new_fmt(tmp_ctx
, state
->ldb
, "<SID=%s>", dom_sid_string(tmp_ctx
, sid
));
1543 if (!dn
|| !ldb_dn_validate(dn
)) {
1544 talloc_free(tmp_ctx
);
1545 return NT_STATUS_NO_MEMORY
;
1548 if (ldb_transaction_start(state
->ldb
) != LDB_SUCCESS
) {
1549 DEBUG(0, ("Failed to start transaction in dsdb_add_domain_alias(): %s\n", ldb_errstring(state
->ldb
)));
1550 talloc_free(tmp_ctx
);
1551 return NT_STATUS_INTERNAL_ERROR
;
1554 rc
= dsdb_search_one(state
->ldb
, tmp_ctx
, &msg
, dn
, LDB_SCOPE_BASE
, attrs
, 0, "(objectclass=group)"
1555 "(|(grouptype=%d)(grouptype=%d)))",
1556 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
,
1557 GTYPE_SECURITY_DOMAIN_LOCAL_GROUP
);
1558 if (rc
== LDB_ERR_NO_SUCH_OBJECT
) {
1559 talloc_free(tmp_ctx
);
1560 ldb_transaction_cancel(state
->ldb
);
1561 return NT_STATUS_NO_SUCH_ALIAS
;
1563 rc
= ldb_delete(state
->ldb
, dn
);
1564 if (rc
== LDB_ERR_NO_SUCH_OBJECT
) {
1565 talloc_free(tmp_ctx
);
1566 ldb_transaction_cancel(state
->ldb
);
1567 return NT_STATUS_NO_SUCH_ALIAS
;
1568 } else if (rc
!= LDB_SUCCESS
) {
1569 DEBUG(10, ("ldb_delete failed %s\n",
1570 ldb_errstring(state
->ldb
)));
1571 ldb_transaction_cancel(state
->ldb
);
1572 talloc_free(tmp_ctx
);
1573 return NT_STATUS_LDAP(rc
);
1576 if (ldb_transaction_commit(state
->ldb
) != LDB_SUCCESS
) {
1577 DEBUG(0, ("Failed to commit transaction in pdb_samba_dsdb_delete_alias(): %s\n",
1578 ldb_errstring(state
->ldb
)));
1579 talloc_free(tmp_ctx
);
1580 return NT_STATUS_INTERNAL_ERROR
;
1583 talloc_free(tmp_ctx
);
1584 return NT_STATUS_OK
;
1588 static NTSTATUS
pdb_samba_dsdb_set_aliasinfo(struct pdb_methods
*m
,
1589 const struct dom_sid
*sid
,
1590 struct acct_info
*info
)
1592 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1593 m
->private_data
, struct pdb_samba_dsdb_state
);
1594 struct tldap_context
*ld
;
1595 const char *attrs
[3] = { "objectSid", "description",
1597 struct ldb_message
**msg
;
1600 struct tldap_mod
*mods
;
1604 ld
= pdb_samba_dsdb_ld(state
);
1606 return NT_STATUS_LDAP(TLDAP_SERVER_DOWN
);
1609 sidstr
= sid_binstring(talloc_tos(), sid
);
1610 NT_STATUS_HAVE_NO_MEMORY(sidstr
);
1612 rc
= pdb_samba_dsdb_search_fmt(state
, state
->domaindn
, TLDAP_SCOPE_SUB
,
1613 attrs
, ARRAY_SIZE(attrs
), 0, talloc_tos(),
1614 &msg
, "(&(objectSid=%s)(objectclass=group)"
1615 "(|(grouptype=%d)(grouptype=%d)))",
1616 sidstr
, GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
,
1617 GTYPE_SECURITY_DOMAIN_LOCAL_GROUP
);
1619 if (rc
!= LDB_SUCCESS
) {
1620 DEBUG(10, ("ldap_search failed %s\n",
1621 ldb_errstring(state
->ldb
)));
1622 return NT_STATUS_LDAP(rc
);
1624 switch talloc_array_length(msg
) {
1626 return NT_STATUS_NO_SUCH_ALIAS
;
1630 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
1633 if (!tldap_entry_dn(msg
[0], &dn
)) {
1635 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
1642 ok
&= tldap_make_mod_fmt(
1643 msg
[0], msg
, &num_mods
, &mods
, "description",
1644 "%s", info
->acct_desc
);
1645 ok
&= tldap_make_mod_fmt(
1646 msg
[0], msg
, &num_mods
, &mods
, "samAccountName",
1647 "%s", info
->acct_name
);
1650 return NT_STATUS_NO_MEMORY
;
1652 if (num_mods
== 0) {
1655 return NT_STATUS_OK
;
1658 rc
= tldap_modify(ld
, dn
, num_mods
, mods
, NULL
, 0, NULL
, 0);
1660 if (rc
!= LDB_SUCCESS
) {
1661 DEBUG(10, ("ldap_modify failed: %s\n",
1662 ldb_errstring(state
->ldb
)));
1663 return NT_STATUS_LDAP(rc
);
1665 return NT_STATUS_OK
;
1668 static NTSTATUS
pdb_samba_dsdb_add_aliasmem(struct pdb_methods
*m
,
1669 const struct dom_sid
*alias
,
1670 const struct dom_sid
*member
)
1673 TALLOC_CTX
*frame
= talloc_stackframe();
1674 status
= pdb_samba_dsdb_mod_groupmem_by_sid(m
, frame
, alias
, member
, LDB_FLAG_MOD_ADD
);
1679 static NTSTATUS
pdb_samba_dsdb_del_aliasmem(struct pdb_methods
*m
,
1680 const struct dom_sid
*alias
,
1681 const struct dom_sid
*member
)
1684 TALLOC_CTX
*frame
= talloc_stackframe();
1685 status
= pdb_samba_dsdb_mod_groupmem_by_sid(m
, frame
, alias
, member
, LDB_FLAG_MOD_DELETE
);
1690 static NTSTATUS
pdb_samba_dsdb_enum_aliasmem(struct pdb_methods
*m
,
1691 const struct dom_sid
*alias
,
1692 TALLOC_CTX
*mem_ctx
,
1693 struct dom_sid
**pmembers
,
1694 size_t *pnum_members
)
1696 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1697 m
->private_data
, struct pdb_samba_dsdb_state
);
1699 unsigned int num_members
;
1701 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1702 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1704 dn
= ldb_dn_new_fmt(tmp_ctx
, state
->ldb
, "<SID=%s>", dom_sid_string(tmp_ctx
, alias
));
1705 if (!dn
|| !ldb_dn_validate(dn
)) {
1706 return NT_STATUS_NO_MEMORY
;
1709 status
= dsdb_enum_group_mem(state
->ldb
, mem_ctx
, dn
, pmembers
, &num_members
);
1710 *pnum_members
= num_members
;
1711 if (NT_STATUS_IS_OK(status
)) {
1712 talloc_steal(mem_ctx
, pmembers
);
1714 talloc_free(tmp_ctx
);
1718 static NTSTATUS
pdb_samba_dsdb_enum_alias_memberships(struct pdb_methods
*m
,
1719 TALLOC_CTX
*mem_ctx
,
1720 const struct dom_sid
*domain_sid
,
1721 const struct dom_sid
*members
,
1723 uint32_t **palias_rids
,
1724 size_t *pnum_alias_rids
)
1726 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1727 m
->private_data
, struct pdb_samba_dsdb_state
);
1728 uint32_t *alias_rids
= NULL
;
1729 size_t num_alias_rids
= 0;
1731 struct dom_sid
*groupSIDs
= NULL
;
1732 unsigned int num_groupSIDs
= 0;
1735 const char *sid_string
;
1739 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1740 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1742 * TODO: Get the filter right so that we only get the aliases from
1743 * either the SAM or BUILTIN
1746 filter
= talloc_asprintf(tmp_ctx
, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
1747 GROUP_TYPE_BUILTIN_LOCAL_GROUP
);
1748 if (filter
== NULL
) {
1749 return NT_STATUS_NO_MEMORY
;
1752 for (i
= 0; i
< num_members
; i
++) {
1753 sid_string
= dom_sid_string(tmp_ctx
, &members
[i
]);
1754 if (sid_string
== NULL
) {
1755 TALLOC_FREE(tmp_ctx
);
1756 return NT_STATUS_NO_MEMORY
;
1759 sid_dn
= talloc_asprintf(tmp_ctx
, "<SID=%s>", sid_string
);
1760 if (sid_dn
== NULL
) {
1761 TALLOC_FREE(tmp_ctx
);
1762 return NT_STATUS_NO_MEMORY
;
1765 sid_blob
= data_blob_string_const(sid_dn
);
1767 status
= dsdb_expand_nested_groups(state
->ldb
, &sid_blob
, true, filter
,
1768 tmp_ctx
, &groupSIDs
, &num_groupSIDs
);
1769 if (!NT_STATUS_IS_OK(status
)) {
1770 talloc_free(tmp_ctx
);
1775 alias_rids
= talloc_array(mem_ctx
, uint32_t, num_groupSIDs
);
1776 if (alias_rids
== NULL
) {
1777 talloc_free(tmp_ctx
);
1778 return NT_STATUS_NO_MEMORY
;
1781 for (i
=0; i
<num_groupSIDs
; i
++) {
1782 if (sid_peek_check_rid(domain_sid
, &groupSIDs
[i
],
1783 &alias_rids
[num_alias_rids
])) {
1788 *palias_rids
= alias_rids
;
1789 *pnum_alias_rids
= num_alias_rids
;
1790 return NT_STATUS_OK
;
1793 static NTSTATUS
pdb_samba_dsdb_lookup_rids(struct pdb_methods
*m
,
1794 const struct dom_sid
*domain_sid
,
1798 enum lsa_SidType
*lsa_attrs
)
1800 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1801 m
->private_data
, struct pdb_samba_dsdb_state
);
1804 TALLOC_CTX
*tmp_ctx
;
1806 if (num_rids
== 0) {
1807 return NT_STATUS_NONE_MAPPED
;
1810 tmp_ctx
= talloc_stackframe();
1811 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1813 status
= dsdb_lookup_rids(state
->ldb
, tmp_ctx
, domain_sid
, num_rids
, rids
, names
, lsa_attrs
);
1814 talloc_free(tmp_ctx
);
1818 static NTSTATUS
pdb_samba_dsdb_lookup_names(struct pdb_methods
*m
,
1819 const struct dom_sid
*domain_sid
,
1821 const char **pp_names
,
1823 enum lsa_SidType
*attrs
)
1825 return NT_STATUS_NOT_IMPLEMENTED
;
1828 static NTSTATUS
pdb_samba_dsdb_get_account_policy(struct pdb_methods
*m
,
1829 enum pdb_policy_type type
,
1832 return account_policy_get(type
, value
)
1833 ? NT_STATUS_OK
: NT_STATUS_UNSUCCESSFUL
;
1836 static NTSTATUS
pdb_samba_dsdb_set_account_policy(struct pdb_methods
*m
,
1837 enum pdb_policy_type type
,
1840 return account_policy_set(type
, value
)
1841 ? NT_STATUS_OK
: NT_STATUS_UNSUCCESSFUL
;
1844 static NTSTATUS
pdb_samba_dsdb_get_seq_num(struct pdb_methods
*m
,
1845 time_t *seq_num_out
)
1847 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1848 m
->private_data
, struct pdb_samba_dsdb_state
);
1850 int ret
= ldb_sequence_number(state
->ldb
, LDB_SEQ_HIGHEST_SEQ
, &seq_num
);
1851 if (ret
== LDB_SUCCESS
) {
1852 *seq_num_out
= seq_num
;
1853 return NT_STATUS_OK
;
1855 return NT_STATUS_UNSUCCESSFUL
;
1859 struct pdb_samba_dsdb_search_state
{
1860 uint32_t acct_flags
;
1861 struct samr_displayentry
*entries
;
1862 uint32_t num_entries
;
1867 static bool pdb_samba_dsdb_next_entry(struct pdb_search
*search
,
1868 struct samr_displayentry
*entry
)
1870 struct pdb_samba_dsdb_search_state
*state
= talloc_get_type_abort(
1871 search
->private_data
, struct pdb_samba_dsdb_search_state
);
1873 if (state
->current
== state
->num_entries
) {
1877 entry
->idx
= state
->entries
[state
->current
].idx
;
1878 entry
->rid
= state
->entries
[state
->current
].rid
;
1879 entry
->acct_flags
= state
->entries
[state
->current
].acct_flags
;
1881 entry
->account_name
= talloc_strdup(
1882 search
, state
->entries
[state
->current
].account_name
);
1883 entry
->fullname
= talloc_strdup(
1884 search
, state
->entries
[state
->current
].fullname
);
1885 entry
->description
= talloc_strdup(
1886 search
, state
->entries
[state
->current
].description
);
1888 state
->current
+= 1;
1892 static void pdb_samba_dsdb_search_end(struct pdb_search
*search
)
1894 struct pdb_samba_dsdb_search_state
*state
= talloc_get_type_abort(
1895 search
->private_data
, struct pdb_samba_dsdb_search_state
);
1899 static bool pdb_samba_dsdb_search_filter(struct pdb_methods
*m
,
1900 struct pdb_search
*search
,
1901 struct pdb_samba_dsdb_search_state
**pstate
,
1902 const char *exp_fmt
, ...) _PRINTF_ATTRIBUTE(4, 5)
1904 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
1905 m
->private_data
, struct pdb_samba_dsdb_state
);
1906 struct pdb_samba_dsdb_search_state
*sstate
;
1907 const char * attrs
[] = { "objectSid", "sAMAccountName", "displayName",
1908 "userAccountControl", "description", NULL
};
1909 struct ldb_result
*res
;
1910 int i
, rc
, num_users
;
1913 char *expression
= NULL
;
1915 TALLOC_CTX
*tmp_ctx
= talloc_stackframe();
1920 va_start(ap
, exp_fmt
);
1921 expression
= talloc_vasprintf(tmp_ctx
, exp_fmt
, ap
);
1925 talloc_free(tmp_ctx
);
1926 return LDB_ERR_OPERATIONS_ERROR
;
1929 sstate
= talloc_zero(tmp_ctx
, struct pdb_samba_dsdb_search_state
);
1930 if (sstate
== NULL
) {
1931 talloc_free(tmp_ctx
);
1935 rc
= dsdb_search(state
->ldb
, tmp_ctx
, &res
, ldb_get_default_basedn(state
->ldb
), LDB_SCOPE_SUBTREE
, attrs
, 0, "%s", expression
);
1936 if (rc
!= LDB_SUCCESS
) {
1937 talloc_free(tmp_ctx
);
1938 DEBUG(10, ("dsdb_search failed: %s\n",
1939 ldb_errstring(state
->ldb
)));
1943 num_users
= res
->count
;
1945 sstate
->entries
= talloc_array(sstate
, struct samr_displayentry
,
1947 if (sstate
->entries
== NULL
) {
1948 talloc_free(tmp_ctx
);
1949 DEBUG(10, ("talloc failed\n"));
1953 sstate
->num_entries
= 0;
1955 for (i
=0; i
<num_users
; i
++) {
1956 struct samr_displayentry
*e
;
1957 struct dom_sid
*sid
;
1959 e
= &sstate
->entries
[sstate
->num_entries
];
1961 e
->idx
= sstate
->num_entries
;
1962 sid
= samdb_result_dom_sid(tmp_ctx
, res
->msgs
[i
], "objectSid");
1964 talloc_free(tmp_ctx
);
1965 DEBUG(10, ("Could not pull SID\n"));
1968 sid_peek_rid(sid
, &e
->rid
);
1970 e
->acct_flags
= samdb_result_acct_flags(res
->msgs
[i
], "userAccountControl");
1971 e
->account_name
= ldb_msg_find_attr_as_string(
1972 res
->msgs
[i
], "samAccountName", NULL
);
1973 if (e
->account_name
== NULL
) {
1974 talloc_free(tmp_ctx
);
1977 e
->fullname
= ldb_msg_find_attr_as_string(
1978 res
->msgs
[i
], "displayName", "");
1979 e
->description
= ldb_msg_find_attr_as_string(
1980 res
->msgs
[i
], "description", "");
1982 sstate
->num_entries
+= 1;
1983 if (sstate
->num_entries
>= num_users
) {
1987 talloc_steal(sstate
->entries
, res
->msgs
);
1988 search
->private_data
= talloc_steal(search
, sstate
);
1989 search
->next_entry
= pdb_samba_dsdb_next_entry
;
1990 search
->search_end
= pdb_samba_dsdb_search_end
;
1992 talloc_free(tmp_ctx
);
1996 static bool pdb_samba_dsdb_search_users(struct pdb_methods
*m
,
1997 struct pdb_search
*search
,
1998 uint32_t acct_flags
)
2000 struct pdb_samba_dsdb_search_state
*sstate
;
2003 ret
= pdb_samba_dsdb_search_filter(m
, search
, &sstate
, "(objectclass=user)");
2007 sstate
->acct_flags
= acct_flags
;
2011 static bool pdb_samba_dsdb_search_groups(struct pdb_methods
*m
,
2012 struct pdb_search
*search
)
2014 struct pdb_samba_dsdb_search_state
*sstate
;
2017 ret
= pdb_samba_dsdb_search_filter(m
, search
, &sstate
,
2018 "(&(grouptype=%d)(objectclass=group))",
2019 GTYPE_SECURITY_GLOBAL_GROUP
);
2023 sstate
->acct_flags
= 0;
2027 static bool pdb_samba_dsdb_search_aliases(struct pdb_methods
*m
,
2028 struct pdb_search
*search
,
2029 const struct dom_sid
*sid
)
2031 struct pdb_samba_dsdb_search_state
*sstate
;
2034 ret
= pdb_samba_dsdb_search_filter(m
, search
, &sstate
,
2035 "(&(grouptype=%d)(objectclass=group))",
2036 sid_check_is_builtin(sid
)
2037 ? GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
2038 : GTYPE_SECURITY_DOMAIN_LOCAL_GROUP
);
2042 sstate
->acct_flags
= 0;
2047 * Instead of taking a gid or uid, this function takes a pointer to a
2050 * This acts as an in-out variable so that the idmap functions can correctly
2051 * receive ID_TYPE_BOTH, and this function ensures cache details are filled
2052 * correctly rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID.
2054 static bool pdb_samba_dsdb_id_to_sid(struct pdb_methods
*m
, struct unixid
*id
,
2055 struct dom_sid
*sid
)
2057 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
2058 m
->private_data
, struct pdb_samba_dsdb_state
);
2060 struct id_map id_map
;
2061 struct id_map
*id_maps
[2];
2062 TALLOC_CTX
*tmp_ctx
= talloc_stackframe();
2068 id_maps
[0] = &id_map
;
2071 status
= idmap_xids_to_sids(state
->idmap_ctx
, tmp_ctx
, id_maps
);
2072 if (!NT_STATUS_IS_OK(status
)) {
2073 talloc_free(tmp_ctx
);
2077 if (id_map
.xid
.type
!= ID_TYPE_NOT_SPECIFIED
) {
2078 id
->type
= id_map
.xid
.type
;
2081 talloc_free(tmp_ctx
);
2085 static bool pdb_samba_dsdb_sid_to_id(struct pdb_methods
*m
, const struct dom_sid
*sid
,
2088 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
2089 m
->private_data
, struct pdb_samba_dsdb_state
);
2090 struct id_map id_map
;
2091 struct id_map
*id_maps
[2];
2093 TALLOC_CTX
*tmp_ctx
= talloc_stackframe();
2098 ZERO_STRUCT(id_map
);
2099 id_map
.sid
= discard_const_p(struct dom_sid
, sid
);
2100 id_maps
[0] = &id_map
;
2103 status
= idmap_sids_to_xids(state
->idmap_ctx
, tmp_ctx
, id_maps
);
2104 talloc_free(tmp_ctx
);
2105 if (!NT_STATUS_IS_OK(status
)) {
2108 if (id_map
.xid
.type
!= ID_TYPE_NOT_SPECIFIED
) {
2115 static uint32_t pdb_samba_dsdb_capabilities(struct pdb_methods
*m
)
2117 return PDB_CAP_STORE_RIDS
| PDB_CAP_ADS
;
2120 static bool pdb_samba_dsdb_new_rid(struct pdb_methods
*m
, uint32_t *rid
)
2125 static bool pdb_samba_dsdb_get_trusteddom_pw(struct pdb_methods
*m
,
2126 const char *domain
, char** pwd
,
2127 struct dom_sid
*sid
,
2128 time_t *pass_last_set_time
)
2130 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
2131 m
->private_data
, struct pdb_samba_dsdb_state
);
2132 TALLOC_CTX
*tmp_ctx
= talloc_stackframe();
2133 const char * const attrs
[] = {
2134 "securityIdentifier",
2137 "trustAuthOutgoing",
2139 "msDS-SupportedEncryptionTypes",
2145 struct ldb_message
*msg
;
2146 const struct ldb_val
*password_val
;
2147 int trust_direction_flags
;
2150 DATA_BLOB password_utf16
;
2151 struct trustAuthInOutBlob password_blob
;
2152 struct AuthenticationInformationArray
*auth_array
;
2153 char *password_talloc
;
2154 size_t password_len
;
2155 enum ndr_err_code ndr_err
;
2157 const char *netbios_domain
= NULL
;
2158 const struct dom_sid
*domain_sid
= NULL
;
2160 status
= dsdb_trust_search_tdo(state
->ldb
, domain
, NULL
,
2161 attrs
, tmp_ctx
, &msg
);
2162 if (!NT_STATUS_IS_OK(status
)) {
2164 * This can be called to work out of a domain is
2165 * trusted, rather than just to get the password
2167 DEBUG(2, ("Failed to get trusted domain password for %s - %s. "
2168 "It may not be a trusted domain.\n", domain
,
2169 nt_errstr(status
)));
2170 TALLOC_FREE(tmp_ctx
);
2174 netbios_domain
= ldb_msg_find_attr_as_string(msg
, "flatName", NULL
);
2175 if (netbios_domain
== NULL
) {
2176 DEBUG(2, ("Trusted domain %s has to flatName defined.\n",
2178 TALLOC_FREE(tmp_ctx
);
2182 domain_sid
= samdb_result_dom_sid(tmp_ctx
, msg
, "securityIdentifier");
2183 if (domain_sid
== NULL
) {
2184 DEBUG(2, ("Trusted domain %s has no securityIdentifier defined.\n",
2186 TALLOC_FREE(tmp_ctx
);
2190 trust_direction_flags
= ldb_msg_find_attr_as_int(msg
, "trustDirection", 0);
2191 if (!(trust_direction_flags
& LSA_TRUST_DIRECTION_OUTBOUND
)) {
2192 DEBUG(2, ("Trusted domain %s is is not an outbound trust.\n",
2194 TALLOC_FREE(tmp_ctx
);
2198 trust_type
= ldb_msg_find_attr_as_int(msg
, "trustType", 0);
2199 if (trust_type
== LSA_TRUST_TYPE_MIT
) {
2200 DEBUG(1, ("Trusted domain %s is is not an AD trust "
2201 "(trustType == LSA_TRUST_TYPE_MIT).\n",
2203 TALLOC_FREE(tmp_ctx
);
2207 password_val
= ldb_msg_find_ldb_val(msg
, "trustAuthOutgoing");
2208 if (password_val
== NULL
) {
2209 DEBUG(2, ("Failed to get trusted domain password for %s, "
2210 "attribute trustAuthOutgoing not returned.\n", domain
));
2211 TALLOC_FREE(tmp_ctx
);
2215 ndr_err
= ndr_pull_struct_blob(password_val
, tmp_ctx
, &password_blob
,
2216 (ndr_pull_flags_fn_t
)ndr_pull_trustAuthInOutBlob
);
2217 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
2218 DEBUG(0, ("Failed to get trusted domain password for %s, "
2219 "attribute trustAuthOutgoing coult not be parsed %s.\n",
2221 ndr_map_error2string(ndr_err
)));
2222 TALLOC_FREE(tmp_ctx
);
2226 auth_array
= &password_blob
.current
;
2228 for (i
=0; i
< auth_array
->count
; i
++) {
2229 if (auth_array
->array
[i
].AuthType
== TRUST_AUTH_TYPE_CLEAR
) {
2234 if (i
== auth_array
->count
) {
2235 DEBUG(0, ("Trusted domain %s does not have a "
2236 "clear-text password stored\n",
2238 TALLOC_FREE(tmp_ctx
);
2242 password_utf16
= data_blob_const(auth_array
->array
[i
].AuthInfo
.clear
.password
,
2243 auth_array
->array
[i
].AuthInfo
.clear
.size
);
2246 * In the future, make this function return a
2247 * cli_credentials that can store a MD4 hash with cli_credential_set_nt_hash()
2248 * but for now convert to UTF8 and fail if the string can not be converted.
2250 * We can't safely convert the random strings windows uses into
2253 if (!convert_string_talloc(tmp_ctx
,
2254 CH_UTF16MUNGED
, CH_UTF8
,
2255 password_utf16
.data
, password_utf16
.length
,
2256 (void *)&password_talloc
,
2258 DEBUG(0, ("FIXME: Could not convert password for trusted domain %s"
2259 " to UTF8. This may be a password set from Windows.\n",
2261 TALLOC_FREE(tmp_ctx
);
2264 *pwd
= SMB_STRNDUP(password_talloc
, password_len
);
2265 if (pass_last_set_time
) {
2266 *pass_last_set_time
= nt_time_to_unix(auth_array
->array
[i
].LastUpdateTime
);
2270 sid_copy(sid
, domain_sid
);
2273 TALLOC_FREE(tmp_ctx
);
2277 static NTSTATUS
pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods
*m
,
2279 TALLOC_CTX
*mem_ctx
,
2280 struct cli_credentials
**_creds
)
2282 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
2283 m
->private_data
, struct pdb_samba_dsdb_state
);
2284 TALLOC_CTX
*tmp_ctx
= talloc_stackframe();
2285 const char * const attrs
[] = {
2286 "securityIdentifier",
2289 "trustAuthOutgoing",
2291 "msDS-SupportedEncryptionTypes",
2297 struct ldb_message
*msg
;
2298 const struct ldb_val
*password_val
;
2299 int trust_direction_flags
;
2302 DATA_BLOB password_utf16
= {};
2303 struct samr_Password
*password_nt
= NULL
;
2304 uint32_t password_version
= 0;
2305 DATA_BLOB old_password_utf16
= {};
2306 struct samr_Password
*old_password_nt
= NULL
;
2307 struct trustAuthInOutBlob password_blob
;
2308 enum ndr_err_code ndr_err
;
2310 time_t last_set_time
= 0;
2311 struct cli_credentials
*creds
= NULL
;
2313 const char *my_netbios_name
= NULL
;
2314 const char *my_netbios_domain
= NULL
;
2315 const char *my_dns_domain
= NULL
;
2316 const char *netbios_domain
= NULL
;
2317 char *account_name
= NULL
;
2318 char *principal_name
= NULL
;
2319 const char *dns_domain
= NULL
;
2321 status
= dsdb_trust_search_tdo(state
->ldb
, domain
, NULL
,
2322 attrs
, tmp_ctx
, &msg
);
2323 if (!NT_STATUS_IS_OK(status
)) {
2325 * This can be called to work out of a domain is
2326 * trusted, rather than just to get the password
2328 DEBUG(2, ("Failed to get trusted domain password for %s - %s "
2329 "It may not be a trusted domain.\n", domain
,
2330 nt_errstr(status
)));
2331 TALLOC_FREE(tmp_ctx
);
2332 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2335 netbios_domain
= ldb_msg_find_attr_as_string(msg
, "flatName", NULL
);
2336 if (netbios_domain
== NULL
) {
2337 DEBUG(2, ("Trusted domain %s has to flatName defined.\n",
2339 TALLOC_FREE(tmp_ctx
);
2340 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2343 dns_domain
= ldb_msg_find_attr_as_string(msg
, "trustPartner", NULL
);
2345 trust_direction_flags
= ldb_msg_find_attr_as_int(msg
, "trustDirection", 0);
2346 if (!(trust_direction_flags
& LSA_TRUST_DIRECTION_OUTBOUND
)) {
2347 DEBUG(2, ("Trusted domain %s is is not an outbound trust.\n",
2349 TALLOC_FREE(tmp_ctx
);
2350 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2353 trust_type
= ldb_msg_find_attr_as_int(msg
, "trustType", 0);
2354 if (trust_type
== LSA_TRUST_TYPE_MIT
) {
2355 DEBUG(1, ("Trusted domain %s is is not an AD trust "
2356 "(trustType == LSA_TRUST_TYPE_MIT).\n",
2358 TALLOC_FREE(tmp_ctx
);
2359 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2362 password_val
= ldb_msg_find_ldb_val(msg
, "trustAuthOutgoing");
2363 if (password_val
== NULL
) {
2364 DEBUG(2, ("Failed to get trusted domain password for %s, "
2365 "attribute trustAuthOutgoing not returned.\n", domain
));
2366 TALLOC_FREE(tmp_ctx
);
2367 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2370 ndr_err
= ndr_pull_struct_blob(password_val
, tmp_ctx
, &password_blob
,
2371 (ndr_pull_flags_fn_t
)ndr_pull_trustAuthInOutBlob
);
2372 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
2373 DEBUG(0, ("Failed to get trusted domain password for %s, "
2374 "attribute trustAuthOutgoing coult not be parsed %s.\n",
2376 ndr_map_error2string(ndr_err
)));
2377 TALLOC_FREE(tmp_ctx
);
2378 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2381 for (i
=0; i
< password_blob
.current
.count
; i
++) {
2382 struct AuthenticationInformation
*a
=
2383 &password_blob
.current
.array
[i
];
2385 switch (a
->AuthType
) {
2386 case TRUST_AUTH_TYPE_NONE
:
2389 case TRUST_AUTH_TYPE_VERSION
:
2390 password_version
= a
->AuthInfo
.version
.version
;
2393 case TRUST_AUTH_TYPE_CLEAR
:
2394 last_set_time
= nt_time_to_unix(a
->LastUpdateTime
);
2396 password_utf16
= data_blob_const(a
->AuthInfo
.clear
.password
,
2397 a
->AuthInfo
.clear
.size
);
2401 case TRUST_AUTH_TYPE_NT4OWF
:
2402 if (password_utf16
.length
!= 0) {
2406 last_set_time
= nt_time_to_unix(a
->LastUpdateTime
);
2408 password_nt
= &a
->AuthInfo
.nt4owf
.password
;
2413 for (i
=0; i
< password_blob
.previous
.count
; i
++) {
2414 struct AuthenticationInformation
*a
= &password_blob
.previous
.array
[i
];
2416 switch (a
->AuthType
) {
2417 case TRUST_AUTH_TYPE_NONE
:
2420 case TRUST_AUTH_TYPE_VERSION
:
2423 case TRUST_AUTH_TYPE_CLEAR
:
2424 old_password_utf16
= data_blob_const(a
->AuthInfo
.clear
.password
,
2425 a
->AuthInfo
.clear
.size
);
2426 old_password_nt
= NULL
;
2429 case TRUST_AUTH_TYPE_NT4OWF
:
2430 if (old_password_utf16
.length
!= 0) {
2434 old_password_nt
= &a
->AuthInfo
.nt4owf
.password
;
2439 if (password_utf16
.length
== 0 && password_nt
== NULL
) {
2440 DEBUG(0, ("Trusted domain %s does not have a "
2441 "clear-text nor nt password stored\n",
2443 TALLOC_FREE(tmp_ctx
);
2444 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2447 my_netbios_name
= lpcfg_netbios_name(state
->lp_ctx
);
2448 my_netbios_domain
= lpcfg_workgroup(state
->lp_ctx
);
2449 my_dns_domain
= lpcfg_dnsdomain(state
->lp_ctx
);
2451 creds
= cli_credentials_init(tmp_ctx
);
2452 if (creds
== NULL
) {
2453 TALLOC_FREE(tmp_ctx
);
2454 return NT_STATUS_NO_MEMORY
;
2457 ok
= cli_credentials_set_workstation(creds
, my_netbios_name
, CRED_SPECIFIED
);
2459 TALLOC_FREE(tmp_ctx
);
2460 return NT_STATUS_NO_MEMORY
;
2463 ok
= cli_credentials_set_domain(creds
, netbios_domain
, CRED_SPECIFIED
);
2465 TALLOC_FREE(tmp_ctx
);
2466 return NT_STATUS_NO_MEMORY
;
2468 ok
= cli_credentials_set_realm(creds
, dns_domain
, CRED_SPECIFIED
);
2470 TALLOC_FREE(tmp_ctx
);
2471 return NT_STATUS_NO_MEMORY
;
2474 if (my_dns_domain
!= NULL
&& dns_domain
!= NULL
) {
2475 cli_credentials_set_secure_channel_type(creds
, SEC_CHAN_DNS_DOMAIN
);
2476 account_name
= talloc_asprintf(tmp_ctx
, "%s.", my_dns_domain
);
2477 if (account_name
== NULL
) {
2478 TALLOC_FREE(tmp_ctx
);
2479 return NT_STATUS_NO_MEMORY
;
2481 principal_name
= talloc_asprintf(tmp_ctx
, "%s$@%s", my_netbios_domain
,
2482 cli_credentials_get_realm(creds
));
2483 if (principal_name
== NULL
) {
2484 TALLOC_FREE(tmp_ctx
);
2485 return NT_STATUS_NO_MEMORY
;
2488 cli_credentials_set_secure_channel_type(creds
, SEC_CHAN_DOMAIN
);
2489 account_name
= talloc_asprintf(tmp_ctx
, "%s$", my_netbios_domain
);
2490 if (account_name
== NULL
) {
2491 TALLOC_FREE(tmp_ctx
);
2492 return NT_STATUS_NO_MEMORY
;
2494 principal_name
= NULL
;
2497 ok
= cli_credentials_set_username(creds
, account_name
, CRED_SPECIFIED
);
2499 TALLOC_FREE(tmp_ctx
);
2500 return NT_STATUS_NO_MEMORY
;
2503 if (principal_name
!= NULL
) {
2504 ok
= cli_credentials_set_principal(creds
, principal_name
,
2507 TALLOC_FREE(tmp_ctx
);
2508 return NT_STATUS_NO_MEMORY
;
2512 if (old_password_nt
!= NULL
) {
2513 ok
= cli_credentials_set_old_nt_hash(creds
, old_password_nt
);
2515 TALLOC_FREE(tmp_ctx
);
2516 return NT_STATUS_NO_MEMORY
;
2520 if (old_password_utf16
.length
> 0) {
2521 ok
= cli_credentials_set_old_utf16_password(creds
,
2522 &old_password_utf16
);
2524 TALLOC_FREE(tmp_ctx
);
2525 return NT_STATUS_NO_MEMORY
;
2529 if (password_nt
!= NULL
) {
2530 ok
= cli_credentials_set_nt_hash(creds
, password_nt
,
2533 TALLOC_FREE(tmp_ctx
);
2534 return NT_STATUS_NO_MEMORY
;
2538 if (password_utf16
.length
> 0) {
2539 ok
= cli_credentials_set_utf16_password(creds
,
2543 TALLOC_FREE(tmp_ctx
);
2544 return NT_STATUS_NO_MEMORY
;
2548 cli_credentials_set_password_last_changed_time(creds
, last_set_time
);
2549 cli_credentials_set_kvno(creds
, password_version
);
2551 if (password_utf16
.length
> 0 && dns_domain
!= NULL
) {
2553 * Force kerberos if this is an active directory domain
2555 cli_credentials_set_kerberos_state(creds
,
2556 CRED_MUST_USE_KERBEROS
);
2559 * TODO: we should allow krb5 with the raw nt hash.
2561 cli_credentials_set_kerberos_state(creds
,
2562 CRED_DONT_USE_KERBEROS
);
2565 *_creds
= talloc_move(mem_ctx
, &creds
);
2566 TALLOC_FREE(tmp_ctx
);
2567 return NT_STATUS_OK
;
2570 static bool pdb_samba_dsdb_set_trusteddom_pw(struct pdb_methods
*m
,
2571 const char* domain
, const char* pwd
,
2572 const struct dom_sid
*sid
)
2574 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
2575 m
->private_data
, struct pdb_samba_dsdb_state
);
2576 TALLOC_CTX
*tmp_ctx
= talloc_stackframe();
2577 const char * const attrs
[] = {
2578 "trustAuthOutgoing",
2583 struct ldb_message
*msg
= NULL
;
2584 int trust_direction_flags
;
2587 const struct ldb_val
*old_val
= NULL
;
2588 struct trustAuthInOutBlob old_blob
= {};
2589 uint32_t old_version
= 0;
2590 uint32_t new_version
= 0;
2591 DATA_BLOB new_utf16
= {};
2592 struct trustAuthInOutBlob new_blob
= {};
2593 struct ldb_val new_val
= {};
2594 struct timeval tv
= timeval_current();
2595 NTTIME now
= timeval_to_nttime(&tv
);
2596 enum ndr_err_code ndr_err
;
2601 ret
= ldb_transaction_start(state
->ldb
);
2602 if (ret
!= LDB_SUCCESS
) {
2603 DEBUG(2, ("Failed to start transaction.\n"));
2604 TALLOC_FREE(tmp_ctx
);
2608 ok
= samdb_is_pdc(state
->ldb
);
2610 DEBUG(2, ("Password changes for domain %s are only allowed on a PDC.\n",
2612 TALLOC_FREE(tmp_ctx
);
2613 ldb_transaction_cancel(state
->ldb
);
2617 status
= dsdb_trust_search_tdo(state
->ldb
, domain
, NULL
,
2618 attrs
, tmp_ctx
, &msg
);
2619 if (!NT_STATUS_IS_OK(status
)) {
2621 * This can be called to work out of a domain is
2622 * trusted, rather than just to get the password
2624 DEBUG(2, ("Failed to get trusted domain password for %s - %s. "
2625 "It may not be a trusted domain.\n", domain
,
2626 nt_errstr(status
)));
2627 TALLOC_FREE(tmp_ctx
);
2628 ldb_transaction_cancel(state
->ldb
);
2632 trust_direction_flags
= ldb_msg_find_attr_as_int(msg
, "trustDirection", 0);
2633 if (!(trust_direction_flags
& LSA_TRUST_DIRECTION_OUTBOUND
)) {
2634 DEBUG(2, ("Trusted domain %s is is not an outbound trust, can't set a password.\n",
2636 TALLOC_FREE(tmp_ctx
);
2637 ldb_transaction_cancel(state
->ldb
);
2641 trust_type
= ldb_msg_find_attr_as_int(msg
, "trustType", 0);
2642 switch (trust_type
) {
2643 case LSA_TRUST_TYPE_DOWNLEVEL
:
2644 case LSA_TRUST_TYPE_UPLEVEL
:
2647 DEBUG(0, ("Trusted domain %s is of type 0x%X - "
2648 "password changes are not supported\n",
2649 domain
, (unsigned)trust_type
));
2650 TALLOC_FREE(tmp_ctx
);
2651 ldb_transaction_cancel(state
->ldb
);
2655 old_val
= ldb_msg_find_ldb_val(msg
, "trustAuthOutgoing");
2656 if (old_val
!= NULL
) {
2657 ndr_err
= ndr_pull_struct_blob(old_val
, tmp_ctx
, &old_blob
,
2658 (ndr_pull_flags_fn_t
)ndr_pull_trustAuthInOutBlob
);
2659 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
2660 DEBUG(0, ("Failed to get trusted domain password for %s, "
2661 "attribute trustAuthOutgoing coult not be parsed %s.\n",
2663 ndr_map_error2string(ndr_err
)));
2664 TALLOC_FREE(tmp_ctx
);
2665 ldb_transaction_cancel(state
->ldb
);
2670 for (i
=0; i
< old_blob
.current
.count
; i
++) {
2671 struct AuthenticationInformation
*a
=
2672 &old_blob
.current
.array
[i
];
2674 switch (a
->AuthType
) {
2675 case TRUST_AUTH_TYPE_NONE
:
2678 case TRUST_AUTH_TYPE_VERSION
:
2679 old_version
= a
->AuthInfo
.version
.version
;
2682 case TRUST_AUTH_TYPE_CLEAR
:
2685 case TRUST_AUTH_TYPE_NT4OWF
:
2690 new_version
= old_version
+ 1;
2691 ok
= convert_string_talloc(tmp_ctx
,
2694 (void *)&new_utf16
.data
,
2697 DEBUG(0, ("Failed to generate new_utf16 password for domain %s\n",
2699 TALLOC_FREE(tmp_ctx
);
2700 ldb_transaction_cancel(state
->ldb
);
2704 if (new_utf16
.length
< 28) {
2705 DEBUG(0, ("new_utf16[%zu] version[%u] for domain %s to short.\n",
2707 (unsigned)new_version
,
2709 TALLOC_FREE(tmp_ctx
);
2710 ldb_transaction_cancel(state
->ldb
);
2713 if (new_utf16
.length
> 498) {
2714 DEBUG(0, ("new_utf16[%zu] version[%u] for domain %s to long.\n",
2716 (unsigned)new_version
,
2718 TALLOC_FREE(tmp_ctx
);
2719 ldb_transaction_cancel(state
->ldb
);
2723 new_blob
.count
= MAX(old_blob
.current
.count
, 2);
2724 new_blob
.current
.array
= talloc_zero_array(tmp_ctx
,
2725 struct AuthenticationInformation
,
2727 if (new_blob
.current
.array
== NULL
) {
2728 DEBUG(0, ("talloc_zero_array(%u) failed\n",
2729 (unsigned)new_blob
.count
));
2730 TALLOC_FREE(tmp_ctx
);
2731 ldb_transaction_cancel(state
->ldb
);
2734 new_blob
.previous
.array
= talloc_zero_array(tmp_ctx
,
2735 struct AuthenticationInformation
,
2737 if (new_blob
.current
.array
== NULL
) {
2738 DEBUG(0, ("talloc_zero_array(%u) failed\n",
2739 (unsigned)new_blob
.count
));
2740 TALLOC_FREE(tmp_ctx
);
2741 ldb_transaction_cancel(state
->ldb
);
2745 for (i
= 0; i
< old_blob
.current
.count
; i
++) {
2746 struct AuthenticationInformation
*o
=
2747 &old_blob
.current
.array
[i
];
2748 struct AuthenticationInformation
*p
=
2749 &new_blob
.previous
.array
[i
];
2752 new_blob
.previous
.count
++;
2754 for (; i
< new_blob
.count
; i
++) {
2755 struct AuthenticationInformation
*pi
=
2756 &new_blob
.previous
.array
[i
];
2760 * new_blob.previous is still empty so
2761 * we'll do new_blob.previous = new_blob.current
2767 pi
->LastUpdateTime
= now
;
2768 pi
->AuthType
= TRUST_AUTH_TYPE_NONE
;
2769 new_blob
.previous
.count
++;
2772 for (i
= 0; i
< new_blob
.count
; i
++) {
2773 struct AuthenticationInformation
*ci
=
2774 &new_blob
.current
.array
[i
];
2776 ci
->LastUpdateTime
= now
;
2779 ci
->AuthType
= TRUST_AUTH_TYPE_CLEAR
;
2780 ci
->AuthInfo
.clear
.size
= new_utf16
.length
;
2781 ci
->AuthInfo
.clear
.password
= new_utf16
.data
;
2784 ci
->AuthType
= TRUST_AUTH_TYPE_VERSION
;
2785 ci
->AuthInfo
.version
.version
= new_version
;
2788 ci
->AuthType
= TRUST_AUTH_TYPE_NONE
;
2792 new_blob
.current
.count
++;
2795 if (new_blob
.previous
.count
== 0) {
2796 TALLOC_FREE(new_blob
.previous
.array
);
2797 new_blob
.previous
= new_blob
.current
;
2800 ndr_err
= ndr_push_struct_blob(&new_val
, tmp_ctx
, &new_blob
,
2801 (ndr_push_flags_fn_t
)ndr_push_trustAuthInOutBlob
);
2802 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
2803 DEBUG(0, ("Failed to generate trustAuthOutgoing for "
2804 "trusted domain password for %s: %s.\n",
2805 domain
, ndr_map_error2string(ndr_err
)));
2806 TALLOC_FREE(tmp_ctx
);
2807 ldb_transaction_cancel(state
->ldb
);
2811 msg
->num_elements
= 0;
2812 ret
= ldb_msg_add_empty(msg
, "trustAuthOutgoing",
2813 LDB_FLAG_MOD_REPLACE
, NULL
);
2814 if (ret
!= LDB_SUCCESS
) {
2815 DEBUG(0, ("ldb_msg_add_empty() failed\n"));
2816 TALLOC_FREE(tmp_ctx
);
2817 ldb_transaction_cancel(state
->ldb
);
2820 ret
= ldb_msg_add_value(msg
, "trustAuthOutgoing",
2822 if (ret
!= LDB_SUCCESS
) {
2823 DEBUG(0, ("ldb_msg_add_value() failed\n"));
2824 TALLOC_FREE(tmp_ctx
);
2825 ldb_transaction_cancel(state
->ldb
);
2829 ret
= ldb_modify(state
->ldb
, msg
);
2830 if (ret
!= LDB_SUCCESS
) {
2831 DEBUG(0, ("Failed to replace trustAuthOutgoing for "
2832 "trusted domain password for %s: %s - %s\n",
2833 domain
, ldb_strerror(ret
), ldb_errstring(state
->ldb
)));
2834 TALLOC_FREE(tmp_ctx
);
2835 ldb_transaction_cancel(state
->ldb
);
2839 ret
= ldb_transaction_commit(state
->ldb
);
2840 if (ret
!= LDB_SUCCESS
) {
2841 DEBUG(0, ("Failed to commit trustAuthOutgoing for "
2842 "trusted domain password for %s: %s - %s\n",
2843 domain
, ldb_strerror(ret
), ldb_errstring(state
->ldb
)));
2844 TALLOC_FREE(tmp_ctx
);
2848 DEBUG(1, ("Added new_version[%u] to trustAuthOutgoing for "
2849 "trusted domain password for %s.\n",
2850 (unsigned)new_version
, domain
));
2851 TALLOC_FREE(tmp_ctx
);
2855 static bool pdb_samba_dsdb_del_trusteddom_pw(struct pdb_methods
*m
,
2861 static NTSTATUS
pdb_samba_dsdb_enum_trusteddoms(struct pdb_methods
*m
,
2862 TALLOC_CTX
*mem_ctx
,
2863 uint32_t *num_domains
,
2864 struct trustdom_info
***domains
)
2868 return NT_STATUS_OK
;
2871 static bool pdb_samba_dsdb_is_responsible_for_wellknown(struct pdb_methods
*m
)
2876 static bool pdb_samba_dsdb_is_responsible_for_everything_else(struct pdb_methods
*m
)
2881 static void pdb_samba_dsdb_init_methods(struct pdb_methods
*m
)
2883 m
->name
= "samba_dsdb";
2884 m
->get_domain_info
= pdb_samba_dsdb_get_domain_info
;
2885 m
->getsampwnam
= pdb_samba_dsdb_getsampwnam
;
2886 m
->getsampwsid
= pdb_samba_dsdb_getsampwsid
;
2887 m
->create_user
= pdb_samba_dsdb_create_user
;
2888 m
->delete_user
= pdb_samba_dsdb_delete_user
;
2889 m
->add_sam_account
= pdb_samba_dsdb_add_sam_account
;
2890 m
->update_sam_account
= pdb_samba_dsdb_update_sam_account
;
2891 m
->delete_sam_account
= pdb_samba_dsdb_delete_sam_account
;
2892 m
->rename_sam_account
= pdb_samba_dsdb_rename_sam_account
;
2893 m
->update_login_attempts
= pdb_samba_dsdb_update_login_attempts
;
2894 m
->getgrsid
= pdb_samba_dsdb_getgrsid
;
2895 m
->getgrgid
= pdb_samba_dsdb_getgrgid
;
2896 m
->getgrnam
= pdb_samba_dsdb_getgrnam
;
2897 m
->create_dom_group
= pdb_samba_dsdb_create_dom_group
;
2898 m
->delete_dom_group
= pdb_samba_dsdb_delete_dom_group
;
2899 m
->add_group_mapping_entry
= pdb_samba_dsdb_add_group_mapping_entry
;
2900 m
->update_group_mapping_entry
= pdb_samba_dsdb_update_group_mapping_entry
;
2901 m
->delete_group_mapping_entry
= pdb_samba_dsdb_delete_group_mapping_entry
;
2902 m
->enum_group_mapping
= pdb_samba_dsdb_enum_group_mapping
;
2903 m
->enum_group_members
= pdb_samba_dsdb_enum_group_members
;
2904 m
->enum_group_memberships
= pdb_samba_dsdb_enum_group_memberships
;
2905 m
->set_unix_primary_group
= pdb_samba_dsdb_set_unix_primary_group
;
2906 m
->add_groupmem
= pdb_samba_dsdb_add_groupmem
;
2907 m
->del_groupmem
= pdb_samba_dsdb_del_groupmem
;
2908 m
->create_alias
= pdb_samba_dsdb_create_alias
;
2909 m
->delete_alias
= pdb_samba_dsdb_delete_alias
;
2910 m
->get_aliasinfo
= pdb_default_get_aliasinfo
;
2911 m
->add_aliasmem
= pdb_samba_dsdb_add_aliasmem
;
2912 m
->del_aliasmem
= pdb_samba_dsdb_del_aliasmem
;
2913 m
->enum_aliasmem
= pdb_samba_dsdb_enum_aliasmem
;
2914 m
->enum_alias_memberships
= pdb_samba_dsdb_enum_alias_memberships
;
2915 m
->lookup_rids
= pdb_samba_dsdb_lookup_rids
;
2916 m
->lookup_names
= pdb_samba_dsdb_lookup_names
;
2917 m
->get_account_policy
= pdb_samba_dsdb_get_account_policy
;
2918 m
->set_account_policy
= pdb_samba_dsdb_set_account_policy
;
2919 m
->get_seq_num
= pdb_samba_dsdb_get_seq_num
;
2920 m
->search_users
= pdb_samba_dsdb_search_users
;
2921 m
->search_groups
= pdb_samba_dsdb_search_groups
;
2922 m
->search_aliases
= pdb_samba_dsdb_search_aliases
;
2923 m
->id_to_sid
= pdb_samba_dsdb_id_to_sid
;
2924 m
->sid_to_id
= pdb_samba_dsdb_sid_to_id
;
2925 m
->capabilities
= pdb_samba_dsdb_capabilities
;
2926 m
->new_rid
= pdb_samba_dsdb_new_rid
;
2927 m
->get_trusteddom_pw
= pdb_samba_dsdb_get_trusteddom_pw
;
2928 m
->get_trusteddom_creds
= pdb_samba_dsdb_get_trusteddom_creds
;
2929 m
->set_trusteddom_pw
= pdb_samba_dsdb_set_trusteddom_pw
;
2930 m
->del_trusteddom_pw
= pdb_samba_dsdb_del_trusteddom_pw
;
2931 m
->enum_trusteddoms
= pdb_samba_dsdb_enum_trusteddoms
;
2932 m
->is_responsible_for_wellknown
=
2933 pdb_samba_dsdb_is_responsible_for_wellknown
;
2934 m
->is_responsible_for_everything_else
=
2935 pdb_samba_dsdb_is_responsible_for_everything_else
;
2938 static void free_private_data(void **vp
)
2940 struct pdb_samba_dsdb_state
*state
= talloc_get_type_abort(
2941 *vp
, struct pdb_samba_dsdb_state
);
2942 talloc_unlink(state
, state
->ldb
);
2946 static NTSTATUS
pdb_samba_dsdb_init_secrets(struct pdb_methods
*m
)
2948 struct pdb_domain_info
*dom_info
;
2949 struct dom_sid stored_sid
;
2950 struct GUID stored_guid
;
2951 bool sid_exists_and_matches
= false;
2952 bool guid_exists_and_matches
= false;
2955 dom_info
= pdb_samba_dsdb_get_domain_info(m
, m
);
2957 return NT_STATUS_UNSUCCESSFUL
;
2960 ret
= secrets_fetch_domain_sid(dom_info
->name
, &stored_sid
);
2962 if (dom_sid_equal(&stored_sid
, &dom_info
->sid
)) {
2963 sid_exists_and_matches
= true;
2967 if (sid_exists_and_matches
== false) {
2968 secrets_clear_domain_protection(dom_info
->name
);
2969 ret
= secrets_store_domain_sid(dom_info
->name
,
2971 ret
&= secrets_mark_domain_protected(dom_info
->name
);
2977 ret
= secrets_fetch_domain_guid(dom_info
->name
, &stored_guid
);
2979 if (GUID_equal(&stored_guid
, &dom_info
->guid
)) {
2980 guid_exists_and_matches
= true;
2984 if (guid_exists_and_matches
== false) {
2985 secrets_clear_domain_protection(dom_info
->name
);
2986 ret
= secrets_store_domain_guid(dom_info
->name
,
2988 ret
&= secrets_mark_domain_protected(dom_info
->name
);
2995 TALLOC_FREE(dom_info
);
2997 return NT_STATUS_UNSUCCESSFUL
;
2999 return NT_STATUS_OK
;
3002 static NTSTATUS
pdb_init_samba_dsdb(struct pdb_methods
**pdb_method
,
3003 const char *location
)
3005 struct pdb_methods
*m
;
3006 struct pdb_samba_dsdb_state
*state
;
3009 if ( !NT_STATUS_IS_OK(status
= make_pdb_method( &m
)) ) {
3013 state
= talloc_zero(m
, struct pdb_samba_dsdb_state
);
3014 if (state
== NULL
) {
3017 m
->private_data
= state
;
3018 m
->free_private_data
= free_private_data
;
3019 pdb_samba_dsdb_init_methods(m
);
3021 state
->ev
= s4_event_context_init(state
);
3023 DEBUG(0, ("s4_event_context_init failed\n"));
3027 state
->lp_ctx
= loadparm_init_s3(state
, loadparm_s3_helpers());
3028 if (state
->lp_ctx
== NULL
) {
3029 DEBUG(0, ("loadparm_init_s3 failed\n"));
3034 state
->ldb
= samdb_connect_url(state
,
3037 system_session(state
->lp_ctx
),
3040 state
->ldb
= samdb_connect(state
,
3043 system_session(state
->lp_ctx
), 0);
3047 DEBUG(0, ("samdb_connect failed\n"));
3048 status
= NT_STATUS_INTERNAL_ERROR
;
3052 state
->idmap_ctx
= idmap_init(state
, state
->ev
,
3054 if (!state
->idmap_ctx
) {
3055 DEBUG(0, ("idmap failed\n"));
3056 status
= NT_STATUS_INTERNAL_ERROR
;
3060 status
= pdb_samba_dsdb_init_secrets(m
);
3061 if (!NT_STATUS_IS_OK(status
)) {
3062 DEBUG(10, ("pdb_samba_dsdb_init_secrets failed!\n"));
3067 return NT_STATUS_OK
;
3069 status
= NT_STATUS_NO_MEMORY
;
3075 NTSTATUS
pdb_samba_dsdb_init(void);
3076 NTSTATUS
pdb_samba_dsdb_init(void)
3078 NTSTATUS status
= smb_register_passdb(PASSDB_INTERFACE_VERSION
, "samba_dsdb",
3079 pdb_init_samba_dsdb
);
3080 if (!NT_STATUS_IS_OK(status
)) {
3083 return smb_register_passdb(PASSDB_INTERFACE_VERSION
, "samba4",
3084 pdb_init_samba_dsdb
);