search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mdssvc: move calling mds_es_search_set_pending() to mds_es_next_search_trigger()
[Samba.git] / source3 / passdb / pdb_interface.c
blob118a5d769265bc7934b48eb1e3ed7c51965bcb38
1 /*
2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Jelmer Vernooij 2002
6 Copyright (C) Simo Sorce 2003
7 Copyright (C) Volker Lendecke 2006
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/passwd.h"
25 #include "passdb.h"
26 #include "secrets.h"
27 #include "messages.h"
28 #include "serverid.h"
29 #include "../librpc/gen_ndr/samr.h"
30 #include "../librpc/gen_ndr/drsblobs.h"
31 #include "../librpc/gen_ndr/ndr_drsblobs.h"
32 #include "../librpc/gen_ndr/idmap.h"
33 #include "../lib/util/memcache.h"
34 #include "nsswitch/winbind_client.h"
35 #include "../libcli/security/security.h"
36 #include "../lib/util/util_pw.h"
37 #include "passdb/pdb_secrets.h"
38 #include "lib/util_sid_passdb.h"
39 #include "idmap_cache.h"
40 #include "lib/util/string_wrappers.h"
41 #include "lib/global_contexts.h"
42
43 #undef DBGC_CLASS
44 #define DBGC_CLASS DBGC_PASSDB
45
46 static_decl_pdb;
47
48 static struct pdb_init_function_entry *backends = NULL;
49
50 static void lazy_initialize_passdb(void)
51 {
52 static bool initialized = False;
53 if(initialized) {
54 return;
55 }
56 static_init_pdb(NULL);
57 initialized = True;
58 }
59
60 static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
61 const char **name,
62 enum lsa_SidType *psid_name_use,
63 uid_t *uid, gid_t *gid);
64
65 NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
66 {
67 struct pdb_init_function_entry *entry = NULL;
68
69 if(version != PASSDB_INTERFACE_VERSION) {
70 DEBUG(0,("Can't register passdb backend!\n"
71 "You tried to register a passdb module with PASSDB_INTERFACE_VERSION %d, "
72 "while this version of samba uses version %d\n",
73 version,PASSDB_INTERFACE_VERSION));
74 return NT_STATUS_OBJECT_TYPE_MISMATCH;
75 }
76
77 if (!name || !init) {
78 return NT_STATUS_INVALID_PARAMETER;
79 }
80
81 DEBUG(5,("Attempting to register passdb backend %s\n", name));
82
83 /* Check for duplicates */
84 if (pdb_find_backend_entry(name)) {
85 DEBUG(0,("There already is a passdb backend registered with the name %s!\n", name));
86 return NT_STATUS_OBJECT_NAME_COLLISION;
87 }
88
89 entry = SMB_XMALLOC_P(struct pdb_init_function_entry);
90 entry->name = smb_xstrdup(name);
91 entry->init = init;
92
93 DLIST_ADD(backends, entry);
94 DEBUG(5,("Successfully added passdb backend '%s'\n", name));
95 return NT_STATUS_OK;
96 }
97
98 struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
99 {
100 struct pdb_init_function_entry *entry = backends;
101
102 while(entry) {
103 if (strcmp(entry->name, name)==0) return entry;
104 entry = entry->next;
105 }
106
107 return NULL;
108 }
109
110 const struct pdb_init_function_entry *pdb_get_backends(void)
111 {
112 return backends;
113 }
114
115
116 /*
117 * The event context for the passdb backend. I know this is a bad hack and yet
118 * another static variable, but our pdb API is a global thing per
119 * definition. The first use for this is the LDAP idle function, more might be
120 * added later.
121 *
122 * I don't feel too bad about this static variable, it replaces the
123 * smb_idle_event_list that used to exist in lib/module.c. -- VL
124 */
125
126 static struct tevent_context *pdb_tevent_ctx;
127
128 struct tevent_context *pdb_get_tevent_context(void)
129 {
130 return pdb_tevent_ctx;
131 }
132
133 /******************************************************************
134 Make a pdb_methods from scratch
135 *******************************************************************/
136
137 NTSTATUS make_pdb_method_name(struct pdb_methods **methods, const char *selected)
138 {
139 char *module_name = smb_xstrdup(selected);
140 char *module_location = NULL, *p;
141 struct pdb_init_function_entry *entry;
142 NTSTATUS nt_status;
143
144 lazy_initialize_passdb();
145
146 p = strchr(module_name, ':');
147
148 if (p) {
149 *p = 0;
150 module_location = p+1;
151 trim_char(module_location, ' ', ' ');
152 }
153
154 trim_char(module_name, ' ', ' ');
155
156
157 DEBUG(5,("Attempting to find a passdb backend to match %s (%s)\n", selected, module_name));
158
159 entry = pdb_find_backend_entry(module_name);
160
161 /* Try to find a module that contains this module */
162 if (!entry) {
163 DEBUG(2,("No builtin backend found, trying to load plugin\n"));
164 if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) {
165 DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name));
166 SAFE_FREE(module_name);
167 return NT_STATUS_UNSUCCESSFUL;
168 }
169 }
170
171 /* No such backend found */
172 if(!entry) {
173 DEBUG(0,("No builtin nor plugin backend for %s found\n", module_name));
174 SAFE_FREE(module_name);
175 return NT_STATUS_INVALID_PARAMETER;
176 }
177
178 DEBUG(5,("Found pdb backend %s\n", module_name));
179
180 nt_status = entry->init(methods, module_location);
181 if (!NT_STATUS_IS_OK(nt_status)) {
182 DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n",
183 selected, nt_errstr(nt_status)));
184 SAFE_FREE(module_name);
185 return nt_status;
186 }
187
188 SAFE_FREE(module_name);
189
190 DEBUG(5,("pdb backend %s has a valid init\n", selected));
191
192 return nt_status;
193 }
194
195 /******************************************************************
196 Return an already initialized pdb_methods structure
197 *******************************************************************/
198
199 static struct pdb_methods *pdb_get_methods_reload( bool reload )
200 {
201 static struct pdb_methods *pdb = NULL;
202 const char *backend = lp_passdb_backend();
203 NTSTATUS status = NT_STATUS_OK;
204
205 if ( pdb && reload ) {
206 if (pdb->free_private_data != NULL) {
207 pdb->free_private_data( &(pdb->private_data) );
208 }
209 status = make_pdb_method_name(&pdb, backend);
210 }
211
212 if ( !pdb ) {
213 status = make_pdb_method_name(&pdb, backend);
214 }
215
216 if (!NT_STATUS_IS_OK(status)) {
217 return NULL;
218 }
219
220 return pdb;
221 }
222
223 static struct pdb_methods *pdb_get_methods(void)
224 {
225 struct pdb_methods *pdb;
226
227 pdb = pdb_get_methods_reload(false);
228 if (!pdb) {
229 char *msg = NULL;
230 if (asprintf(&msg, "pdb_get_methods: "
231 "failed to get pdb methods for backend %s\n",
232 lp_passdb_backend()) > 0) {
233 smb_panic(msg);
234 } else {
235 smb_panic("pdb_get_methods");
236 }
237 }
238
239 return pdb;
240 }
241
242 struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX *mem_ctx)
243 {
244 struct pdb_methods *pdb = pdb_get_methods();
245 return pdb->get_domain_info(pdb, mem_ctx);
246 }
247
248 /**
249 * @brief Check if the user account has been locked out and try to unlock it.
250 *
251 * If the user has been automatically locked out and a lockout duration is set,
252 * then check if we can unlock the account and reset the bad password values.
253 *
254 * @param[in] sampass The sam user to check.
255 *
256 * @return True if the function was successfull, false on an error.
257 */
258 static bool pdb_try_account_unlock(struct samu *sampass)
259 {
260 uint32_t acb_info = pdb_get_acct_ctrl(sampass);
261
262 if ((acb_info & ACB_NORMAL) && (acb_info & ACB_AUTOLOCK)) {
263 uint32_t lockout_duration;
264 time_t bad_password_time;
265 time_t now = time(NULL);
266 bool ok;
267
268 ok = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
269 &lockout_duration);
270 if (!ok) {
271 DEBUG(0, ("pdb_try_account_unlock: "
272 "pdb_get_account_policy failed.\n"));
273 return false;
274 }
275
276 if (lockout_duration == (uint32_t) -1 ||
277 lockout_duration == 0) {
278 DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
279 "can't reset autolock\n"));
280 return false;
281 }
282 lockout_duration *= 60;
283
284 bad_password_time = pdb_get_bad_password_time(sampass);
285 if (bad_password_time == (time_t) 0) {
286 DEBUG(2, ("pdb_try_account_unlock: Account %s "
287 "administratively locked out "
288 "with no bad password "
289 "time. Leaving locked out.\n",
290 pdb_get_username(sampass)));
291 return true;
292 }
293
294 if ((bad_password_time +
295 convert_uint32_t_to_time_t(lockout_duration)) < now) {
296 NTSTATUS status;
297
298 pdb_set_acct_ctrl(sampass, acb_info & ~ACB_AUTOLOCK,
299 PDB_CHANGED);
300 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
301 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
302
303 become_root();
304 status = pdb_update_sam_account(sampass);
305 unbecome_root();
306 if (!NT_STATUS_IS_OK(status)) {
307 DEBUG(0, ("_samr_OpenUser: Couldn't "
308 "update account %s - %s\n",
309 pdb_get_username(sampass),
310 nt_errstr(status)));
311 return false;
312 }
313 }
314 }
315
316 return true;
317 }
318
319 /**
320 * @brief Get a sam user structure by the given username.
321 *
322 * This functions also checks if the account has been automatically locked out
323 * and unlocks it if a lockout duration time has been defined and the time has
324 * elapsed.
325 *
326 * @param[in] sam_acct The sam user structure to fill.
327 *
328 * @param[in] username The username to look for.
329 *
330 * @return True on success, false on error.
331 */
332 bool pdb_getsampwnam(struct samu *sam_acct, const char *username)
333 {
334 struct pdb_methods *pdb = pdb_get_methods();
335 struct samu *for_cache;
336 const struct dom_sid *user_sid;
337 NTSTATUS status;
338 bool ok;
339
340 status = pdb->getsampwnam(pdb, sam_acct, username);
341 if (!NT_STATUS_IS_OK(status)) {
342 return false;
343 }
344
345 ok = pdb_try_account_unlock(sam_acct);
346 if (!ok) {
347 DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
348 username));
349 }
350
351 for_cache = samu_new(NULL);
352 if (for_cache == NULL) {
353 return False;
354 }
355
356 if (!pdb_copy_sam_account(for_cache, sam_acct)) {
357 TALLOC_FREE(for_cache);
358 return False;
359 }
360
361 user_sid = pdb_get_user_sid(for_cache);
362
363 memcache_add_talloc(NULL, PDB_GETPWSID_CACHE,
364 data_blob_const(user_sid, sizeof(*user_sid)),
365 &for_cache);
366
367 return True;
368 }
369
370 /**********************************************************************
371 **********************************************************************/
372
373 static bool guest_user_info( struct samu *user )
374 {
375 struct passwd *pwd;
376 NTSTATUS result;
377 const char *guestname = lp_guest_account();
378
379 pwd = Get_Pwnam_alloc(talloc_tos(), guestname);
380 if (pwd == NULL) {
381 DEBUG(0,("guest_user_info: Unable to locate guest account [%s]!\n",
382 guestname));
383 return False;
384 }
385
386 result = samu_set_unix(user, pwd );
387
388 TALLOC_FREE( pwd );
389
390 return NT_STATUS_IS_OK( result );
391 }
392
393 /**
394 * @brief Get a sam user structure by the given username.
395 *
396 * This functions also checks if the account has been automatically locked out
397 * and unlocks it if a lockout duration time has been defined and the time has
398 * elapsed.
399 *
400 *
401 * @param[in] sam_acct The sam user structure to fill.
402 *
403 * @param[in] sid The user SDI to look up.
404 *
405 * @return True on success, false on error.
406 */
407 bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
408 {
409 struct pdb_methods *pdb = pdb_get_methods();
410 uint32_t rid;
411 void *cache_data;
412 bool ok = false;
413
414 /* hard code the Guest RID of 501 */
415
416 if ( !sid_peek_check_rid( get_global_sam_sid(), sid, &rid ) )
417 return False;
418
419 if ( rid == DOMAIN_RID_GUEST ) {
420 DEBUG(6,("pdb_getsampwsid: Building guest account\n"));
421 return guest_user_info( sam_acct );
422 }
423
424 /* check the cache first */
425
426 cache_data = memcache_lookup_talloc(
427 NULL, PDB_GETPWSID_CACHE, data_blob_const(sid, sizeof(*sid)));
428
429 if (cache_data != NULL) {
430 struct samu *cache_copy = talloc_get_type_abort(
431 cache_data, struct samu);
432
433 ok = pdb_copy_sam_account(sam_acct, cache_copy);
434 } else {
435 ok = NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
436 }
437
438 if (!ok) {
439 return false;
440 }
441
442 ok = pdb_try_account_unlock(sam_acct);
443 if (!ok) {
444 DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
445 sam_acct->username));
446 }
447
448 return true;
449 }
450
451 static NTSTATUS pdb_default_create_user(struct pdb_methods *methods,
452 TALLOC_CTX *tmp_ctx, const char *name,
453 uint32_t acb_info, uint32_t *rid)
454 {
455 const struct loadparm_substitution *lp_sub =
456 loadparm_s3_global_substitution();
457 struct samu *sam_pass;
458 NTSTATUS status;
459 struct passwd *pwd;
460
461 if ((sam_pass = samu_new(tmp_ctx)) == NULL) {
462 return NT_STATUS_NO_MEMORY;
463 }
464
465 if ( !(pwd = Get_Pwnam_alloc(tmp_ctx, name)) ) {
466 char *add_script = NULL;
467 int add_ret;
468 fstring name2;
469
470 if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] != '$') {
471 add_script = lp_add_user_script(tmp_ctx, lp_sub);
472 } else {
473 add_script = lp_add_machine_script(tmp_ctx, lp_sub);
474 }
475
476 if (!add_script || add_script[0] == '\0') {
477 DEBUG(3, ("Could not find user %s and no add script "
478 "defined\n", name));
479 return NT_STATUS_NO_SUCH_USER;
480 }
481
482 /* lowercase the username before creating the Unix account for
483 compatibility with previous Samba releases */
484 fstrcpy( name2, name );
485 if (!strlower_m( name2 )) {
486 return NT_STATUS_INVALID_PARAMETER;
487 }
488 add_script = talloc_all_string_sub(tmp_ctx,
489 add_script,
490 "%u",
491 name2);
492 if (!add_script) {
493 return NT_STATUS_NO_MEMORY;
494 }
495 add_ret = smbrun(add_script, NULL, NULL);
496 DEBUG(add_ret ? 0 : 3, ("_samr_create_user: Running the command `%s' gave %d\n",
497 add_script, add_ret));
498 if (add_ret == 0) {
499 smb_nscd_flush_user_cache();
500 }
501
502 flush_pwnam_cache();
503
504 pwd = Get_Pwnam_alloc(tmp_ctx, name);
505
506 if(pwd == NULL) {
507 DEBUG(3, ("Could not find user %s, add script did not work\n", name));
508 return NT_STATUS_NO_SUCH_USER;
509 }
510 }
511
512 /* we have a valid SID coming out of this call */
513
514 status = samu_alloc_rid_unix(methods, sam_pass, pwd);
515
516 TALLOC_FREE( pwd );
517
518 if (!NT_STATUS_IS_OK(status)) {
519 DEBUG(3, ("pdb_default_create_user: failed to create a new user structure: %s\n", nt_errstr(status)));
520 return status;
521 }
522
523 if (!sid_peek_check_rid(get_global_sam_sid(),
524 pdb_get_user_sid(sam_pass), rid)) {
525 DEBUG(0, ("Could not get RID of fresh user\n"));
526 return NT_STATUS_INTERNAL_ERROR;
527 }
528
529 /* Use the username case specified in the original request */
530
531 pdb_set_username( sam_pass, name, PDB_SET );
532
533 /* Disable the account on creation, it does not have a reasonable password yet. */
534
535 acb_info |= ACB_DISABLED;
536
537 pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
538
539 status = methods->add_sam_account(methods, sam_pass);
540
541 TALLOC_FREE(sam_pass);
542
543 return status;
544 }
545
546 NTSTATUS pdb_create_user(TALLOC_CTX *mem_ctx, const char *name, uint32_t flags,
547 uint32_t *rid)
548 {
549 struct pdb_methods *pdb = pdb_get_methods();
550 return pdb->create_user(pdb, mem_ctx, name, flags, rid);
551 }
552
553 /****************************************************************************
554 Delete a UNIX user on demand.
555 ****************************************************************************/
556
557 static int smb_delete_user(const char *unix_user)
558 {
559 const struct loadparm_substitution *lp_sub =
560 loadparm_s3_global_substitution();
561 char *del_script = NULL;
562 int ret;
563
564 /* safety check */
565
566 if ( strequal( unix_user, "root" ) ) {
567 DEBUG(0,("smb_delete_user: Refusing to delete local system root account!\n"));
568 return -1;
569 }
570
571 del_script = lp_delete_user_script(talloc_tos(), lp_sub);
572 if (!del_script || !*del_script) {
573 return -1;
574 }
575 del_script = talloc_all_string_sub(talloc_tos(),
576 del_script,
577 "%u",
578 unix_user);
579 if (!del_script) {
580 return -1;
581 }
582 ret = smbrun(del_script, NULL, NULL);
583 flush_pwnam_cache();
584 if (ret == 0) {
585 smb_nscd_flush_user_cache();
586 }
587 DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
588
589 return ret;
590 }
591
592 static NTSTATUS pdb_default_delete_user(struct pdb_methods *methods,
593 TALLOC_CTX *mem_ctx,
594 struct samu *sam_acct)
595 {
596 NTSTATUS status;
597 fstring username;
598
599 status = methods->delete_sam_account(methods, sam_acct);
600 if (!NT_STATUS_IS_OK(status)) {
601 return status;
602 }
603
604 /*
605 * Now delete the unix side ....
606 * note: we don't check if the delete really happened as the script is
607 * not necessary present and maybe the sysadmin doesn't want to delete
608 * the unix side
609 */
610
611 /* always lower case the username before handing it off to
612 external scripts */
613
614 fstrcpy( username, pdb_get_username(sam_acct) );
615 if (!strlower_m( username )) {
616 return status;
617 }
618
619 smb_delete_user( username );
620
621 return status;
622 }
623
624 NTSTATUS pdb_delete_user(TALLOC_CTX *mem_ctx, struct samu *sam_acct)
625 {
626 struct pdb_methods *pdb = pdb_get_methods();
627 uid_t uid = -1;
628 NTSTATUS status;
629 const struct dom_sid *user_sid;
630 char *msg_data;
631
632 user_sid = pdb_get_user_sid(sam_acct);
633
634 /* sanity check to make sure we don't delete root */
635
636 if ( !sid_to_uid(user_sid, &uid ) ) {
637 return NT_STATUS_NO_SUCH_USER;
638 }
639
640 if ( uid == 0 ) {
641 return NT_STATUS_ACCESS_DENIED;
642 }
643
644 memcache_delete(NULL,
645 PDB_GETPWSID_CACHE,
646 data_blob_const(user_sid, sizeof(*user_sid)));
647
648 status = pdb->delete_user(pdb, mem_ctx, sam_acct);
649 if (!NT_STATUS_IS_OK(status)) {
650 return status;
651 }
652
653 msg_data = talloc_asprintf(mem_ctx, "USER %s",
654 pdb_get_username(sam_acct));
655 if (!msg_data) {
656 /* not fatal, and too late to rollback,
657 * just return */
658 return status;
659 }
660 messaging_send_all(global_messaging_context(),
661 ID_CACHE_DELETE,
662 msg_data,
663 strlen(msg_data) + 1);
664
665 TALLOC_FREE(msg_data);
666 return status;
667 }
668
669 NTSTATUS pdb_add_sam_account(struct samu *sam_acct)
670 {
671 struct pdb_methods *pdb = pdb_get_methods();
672 return pdb->add_sam_account(pdb, sam_acct);
673 }
674
675 NTSTATUS pdb_update_sam_account(struct samu *sam_acct)
676 {
677 struct pdb_methods *pdb = pdb_get_methods();
678
679 memcache_flush(NULL, PDB_GETPWSID_CACHE);
680
681 return pdb->update_sam_account(pdb, sam_acct);
682 }
683
684 NTSTATUS pdb_delete_sam_account(struct samu *sam_acct)
685 {
686 struct pdb_methods *pdb = pdb_get_methods();
687 const struct dom_sid *user_sid = pdb_get_user_sid(sam_acct);
688
689 memcache_delete(NULL,
690 PDB_GETPWSID_CACHE,
691 data_blob_const(user_sid, sizeof(*user_sid)));
692
693 return pdb->delete_sam_account(pdb, sam_acct);
694 }
695
696 NTSTATUS pdb_rename_sam_account(struct samu *oldname, const char *newname)
697 {
698 struct pdb_methods *pdb = pdb_get_methods();
699 uid_t uid;
700 NTSTATUS status;
701
702 memcache_flush(NULL, PDB_GETPWSID_CACHE);
703
704 /* sanity check to make sure we don't rename root */
705
706 if ( !sid_to_uid( pdb_get_user_sid(oldname), &uid ) ) {
707 return NT_STATUS_NO_SUCH_USER;
708 }
709
710 if ( uid == 0 ) {
711 return NT_STATUS_ACCESS_DENIED;
712 }
713
714 status = pdb->rename_sam_account(pdb, oldname, newname);
715
716 /* always flush the cache here just to be safe */
717 flush_pwnam_cache();
718
719 return status;
720 }
721
722 NTSTATUS pdb_update_login_attempts(struct samu *sam_acct, bool success)
723 {
724 struct pdb_methods *pdb = pdb_get_methods();
725 return pdb->update_login_attempts(pdb, sam_acct, success);
726 }
727
728 bool pdb_getgrsid(GROUP_MAP *map, struct dom_sid sid)
729 {
730 struct pdb_methods *pdb = pdb_get_methods();
731 return NT_STATUS_IS_OK(pdb->getgrsid(pdb, map, sid));
732 }
733
734 bool pdb_getgrgid(GROUP_MAP *map, gid_t gid)
735 {
736 struct pdb_methods *pdb = pdb_get_methods();
737 return NT_STATUS_IS_OK(pdb->getgrgid(pdb, map, gid));
738 }
739
740 bool pdb_getgrnam(GROUP_MAP *map, const char *name)
741 {
742 struct pdb_methods *pdb = pdb_get_methods();
743 return NT_STATUS_IS_OK(pdb->getgrnam(pdb, map, name));
744 }
745
746 static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods,
747 TALLOC_CTX *mem_ctx,
748 const char *name,
749 uint32_t *rid)
750 {
751 struct dom_sid group_sid;
752 struct group *grp;
753 struct dom_sid_buf tmp;
754
755 grp = getgrnam(name);
756
757 if (grp == NULL) {
758 gid_t gid;
759
760 if (smb_create_group(name, &gid) != 0) {
761 return NT_STATUS_ACCESS_DENIED;
762 }
763
764 grp = getgrgid(gid);
765 }
766
767 if (grp == NULL) {
768 return NT_STATUS_ACCESS_DENIED;
769 }
770
771 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
772 if (!pdb_new_rid(rid)) {
773 return NT_STATUS_ACCESS_DENIED;
774 }
775 } else {
776 *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
777 }
778
779 sid_compose(&group_sid, get_global_sam_sid(), *rid);
780
781 return add_initial_entry(
782 grp->gr_gid,
783 dom_sid_str_buf(&group_sid, &tmp),
784 SID_NAME_DOM_GRP,
785 name,
786 NULL);
787 }
788
789 NTSTATUS pdb_create_dom_group(TALLOC_CTX *mem_ctx, const char *name,
790 uint32_t *rid)
791 {
792 struct pdb_methods *pdb = pdb_get_methods();
793 return pdb->create_dom_group(pdb, mem_ctx, name, rid);
794 }
795
796 static NTSTATUS pdb_default_delete_dom_group(struct pdb_methods *methods,
797 TALLOC_CTX *mem_ctx,
798 uint32_t rid)
799 {
800 struct dom_sid group_sid;
801 GROUP_MAP *map;
802 NTSTATUS status;
803 struct group *grp;
804 const char *grp_name;
805
806 map = talloc_zero(mem_ctx, GROUP_MAP);
807 if (!map) {
808 return NT_STATUS_NO_MEMORY;
809 }
810
811 /* coverity */
812 map->gid = (gid_t) -1;
813
814 sid_compose(&group_sid, get_global_sam_sid(), rid);
815
816 if (!get_domain_group_from_sid(group_sid, map)) {
817 DEBUG(10, ("Could not find group for rid %d\n", rid));
818 return NT_STATUS_NO_SUCH_GROUP;
819 }
820
821 /* We need the group name for the smb_delete_group later on */
822
823 if (map->gid == (gid_t)-1) {
824 return NT_STATUS_NO_SUCH_GROUP;
825 }
826
827 grp = getgrgid(map->gid);
828 if (grp == NULL) {
829 return NT_STATUS_NO_SUCH_GROUP;
830 }
831
832 TALLOC_FREE(map);
833
834 /* Copy the name, no idea what pdb_delete_group_mapping_entry does.. */
835
836 grp_name = talloc_strdup(mem_ctx, grp->gr_name);
837 if (grp_name == NULL) {
838 return NT_STATUS_NO_MEMORY;
839 }
840
841 status = pdb_delete_group_mapping_entry(group_sid);
842
843 if (!NT_STATUS_IS_OK(status)) {
844 return status;
845 }
846
847 /* Don't check the result of smb_delete_group */
848
849 smb_delete_group(grp_name);
850
851 return NT_STATUS_OK;
852 }
853
854 NTSTATUS pdb_delete_dom_group(TALLOC_CTX *mem_ctx, uint32_t rid)
855 {
856 struct pdb_methods *pdb = pdb_get_methods();
857 return pdb->delete_dom_group(pdb, mem_ctx, rid);
858 }
859
860 NTSTATUS pdb_add_group_mapping_entry(GROUP_MAP *map)
861 {
862 struct pdb_methods *pdb = pdb_get_methods();
863 return pdb->add_group_mapping_entry(pdb, map);
864 }
865
866 NTSTATUS pdb_update_group_mapping_entry(GROUP_MAP *map)
867 {
868 struct pdb_methods *pdb = pdb_get_methods();
869 return pdb->update_group_mapping_entry(pdb, map);
870 }
871
872 NTSTATUS pdb_delete_group_mapping_entry(struct dom_sid sid)
873 {
874 struct pdb_methods *pdb = pdb_get_methods();
875 return pdb->delete_group_mapping_entry(pdb, sid);
876 }
877
878 bool pdb_enum_group_mapping(const struct dom_sid *sid,
879 enum lsa_SidType sid_name_use,
880 GROUP_MAP ***pp_rmap,
881 size_t *p_num_entries,
882 bool unix_only)
883 {
884 struct pdb_methods *pdb = pdb_get_methods();
885 return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
886 pp_rmap, p_num_entries, unix_only));
887 }
888
889 NTSTATUS pdb_enum_group_members(TALLOC_CTX *mem_ctx,
890 const struct dom_sid *sid,
891 uint32_t **pp_member_rids,
892 size_t *p_num_members)
893 {
894 struct pdb_methods *pdb = pdb_get_methods();
895 NTSTATUS result;
896
897 result = pdb->enum_group_members(pdb, mem_ctx,
898 sid, pp_member_rids, p_num_members);
899
900 /* special check for rid 513 */
901
902 if ( !NT_STATUS_IS_OK( result ) ) {
903 uint32_t rid;
904
905 sid_peek_rid( sid, &rid );
906
907 if ( rid == DOMAIN_RID_USERS ) {
908 *p_num_members = 0;
909 *pp_member_rids = NULL;
910
911 return NT_STATUS_OK;
912 }
913 }
914
915 return result;
916 }
917
918 NTSTATUS pdb_enum_group_memberships(TALLOC_CTX *mem_ctx, struct samu *user,
919 struct dom_sid **pp_sids, gid_t **pp_gids,
920 uint32_t *p_num_groups)
921 {
922 struct pdb_methods *pdb = pdb_get_methods();
923 return pdb->enum_group_memberships(
924 pdb, mem_ctx, user,
925 pp_sids, pp_gids, p_num_groups);
926 }
927
928 static NTSTATUS pdb_default_set_unix_primary_group(struct pdb_methods *methods,
929 TALLOC_CTX *mem_ctx,
930 struct samu *sampass)
931 {
932 struct group *grp;
933 gid_t gid;
934
935 if (!sid_to_gid(pdb_get_group_sid(sampass), &gid) ||
936 (grp = getgrgid(gid)) == NULL) {
937 return NT_STATUS_INVALID_PRIMARY_GROUP;
938 }
939
940 if (smb_set_primary_group(grp->gr_name,
941 pdb_get_username(sampass)) != 0) {
942 return NT_STATUS_ACCESS_DENIED;
943 }
944
945 return NT_STATUS_OK;
946 }
947
948 NTSTATUS pdb_set_unix_primary_group(TALLOC_CTX *mem_ctx, struct samu *user)
949 {
950 struct pdb_methods *pdb = pdb_get_methods();
951 return pdb->set_unix_primary_group(pdb, mem_ctx, user);
952 }
953
954 /*
955 * Helper function to see whether a user is in a group. We can't use
956 * user_in_group_sid here because this creates dependencies only smbd can
957 * fulfil.
958 */
959
960 static bool pdb_user_in_group(TALLOC_CTX *mem_ctx, struct samu *account,
961 const struct dom_sid *group_sid)
962 {
963 struct dom_sid *sids;
964 gid_t *gids;
965 uint32_t i, num_groups;
966
967 if (!NT_STATUS_IS_OK(pdb_enum_group_memberships(mem_ctx, account,
968 &sids, &gids,
969 &num_groups))) {
970 return False;
971 }
972
973 for (i=0; i<num_groups; i++) {
974 if (dom_sid_equal(group_sid, &sids[i])) {
975 return True;
976 }
977 }
978 return False;
979 }
980
981 static NTSTATUS pdb_default_add_groupmem(struct pdb_methods *methods,
982 TALLOC_CTX *mem_ctx,
983 uint32_t group_rid,
984 uint32_t member_rid)
985 {
986 struct dom_sid group_sid, member_sid;
987 struct samu *account = NULL;
988 GROUP_MAP *map;
989 struct group *grp;
990 struct passwd *pwd;
991 const char *group_name;
992 uid_t uid;
993
994 map = talloc_zero(mem_ctx, GROUP_MAP);
995 if (!map) {
996 return NT_STATUS_NO_MEMORY;
997 }
998
999 /* coverity */
1000 map->gid = (gid_t) -1;
1001
1002 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
1003 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
1004
1005 if (!get_domain_group_from_sid(group_sid, map) ||
1006 (map->gid == (gid_t)-1) ||
1007 ((grp = getgrgid(map->gid)) == NULL)) {
1008 return NT_STATUS_NO_SUCH_GROUP;
1009 }
1010
1011 TALLOC_FREE(map);
1012
1013 group_name = talloc_strdup(mem_ctx, grp->gr_name);
1014 if (group_name == NULL) {
1015 return NT_STATUS_NO_MEMORY;
1016 }
1017
1018 if ( !(account = samu_new( NULL )) ) {
1019 return NT_STATUS_NO_MEMORY;
1020 }
1021
1022 if (!pdb_getsampwsid(account, &member_sid) ||
1023 !sid_to_uid(&member_sid, &uid) ||
1024 ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1025 return NT_STATUS_NO_SUCH_USER;
1026 }
1027
1028 if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1029 return NT_STATUS_MEMBER_IN_GROUP;
1030 }
1031
1032 /*
1033 * ok, the group exist, the user exist, the user is not in the group,
1034 * we can (finally) add it to the group !
1035 */
1036
1037 smb_add_user_group(group_name, pwd->pw_name);
1038
1039 if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1040 return NT_STATUS_ACCESS_DENIED;
1041 }
1042
1043 return NT_STATUS_OK;
1044 }
1045
1046 NTSTATUS pdb_add_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1047 uint32_t member_rid)
1048 {
1049 struct pdb_methods *pdb = pdb_get_methods();
1050 return pdb->add_groupmem(pdb, mem_ctx, group_rid, member_rid);
1051 }
1052
1053 static NTSTATUS pdb_default_del_groupmem(struct pdb_methods *methods,
1054 TALLOC_CTX *mem_ctx,
1055 uint32_t group_rid,
1056 uint32_t member_rid)
1057 {
1058 struct dom_sid group_sid, member_sid;
1059 struct samu *account = NULL;
1060 GROUP_MAP *map;
1061 struct group *grp;
1062 struct passwd *pwd;
1063 const char *group_name;
1064 uid_t uid;
1065
1066 map = talloc_zero(mem_ctx, GROUP_MAP);
1067 if (!map) {
1068 return NT_STATUS_NO_MEMORY;
1069 }
1070
1071 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
1072 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
1073
1074 if (!get_domain_group_from_sid(group_sid, map) ||
1075 (map->gid == (gid_t)-1) ||
1076 ((grp = getgrgid(map->gid)) == NULL)) {
1077 return NT_STATUS_NO_SUCH_GROUP;
1078 }
1079
1080 TALLOC_FREE(map);
1081
1082 group_name = talloc_strdup(mem_ctx, grp->gr_name);
1083 if (group_name == NULL) {
1084 return NT_STATUS_NO_MEMORY;
1085 }
1086
1087 if ( !(account = samu_new( NULL )) ) {
1088 return NT_STATUS_NO_MEMORY;
1089 }
1090
1091 if (!pdb_getsampwsid(account, &member_sid) ||
1092 !sid_to_uid(&member_sid, &uid) ||
1093 ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1094 return NT_STATUS_NO_SUCH_USER;
1095 }
1096
1097 if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1098 return NT_STATUS_MEMBER_NOT_IN_GROUP;
1099 }
1100
1101 /*
1102 * ok, the group exist, the user exist, the user is in the group,
1103 * we can (finally) delete it from the group!
1104 */
1105
1106 smb_delete_user_group(group_name, pwd->pw_name);
1107
1108 if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1109 return NT_STATUS_ACCESS_DENIED;
1110 }
1111
1112 return NT_STATUS_OK;
1113 }
1114
1115 NTSTATUS pdb_del_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1116 uint32_t member_rid)
1117 {
1118 struct pdb_methods *pdb = pdb_get_methods();
1119 return pdb->del_groupmem(pdb, mem_ctx, group_rid, member_rid);
1120 }
1121
1122 NTSTATUS pdb_create_alias(const char *name, uint32_t *rid)
1123 {
1124 struct pdb_methods *pdb = pdb_get_methods();
1125 return pdb->create_alias(pdb, name, rid);
1126 }
1127
1128 NTSTATUS pdb_delete_alias(const struct dom_sid *sid)
1129 {
1130 struct pdb_methods *pdb = pdb_get_methods();
1131 return pdb->delete_alias(pdb, sid);
1132 }
1133
1134 NTSTATUS pdb_get_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1135 {
1136 struct pdb_methods *pdb = pdb_get_methods();
1137 return pdb->get_aliasinfo(pdb, sid, info);
1138 }
1139
1140 NTSTATUS pdb_set_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1141 {
1142 struct pdb_methods *pdb = pdb_get_methods();
1143 return pdb->set_aliasinfo(pdb, sid, info);
1144 }
1145
1146 NTSTATUS pdb_add_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1147 {
1148 struct pdb_methods *pdb = pdb_get_methods();
1149 return pdb->add_aliasmem(pdb, alias, member);
1150 }
1151
1152 NTSTATUS pdb_del_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1153 {
1154 struct pdb_methods *pdb = pdb_get_methods();
1155 return pdb->del_aliasmem(pdb, alias, member);
1156 }
1157
1158 NTSTATUS pdb_enum_aliasmem(const struct dom_sid *alias, TALLOC_CTX *mem_ctx,
1159 struct dom_sid **pp_members, size_t *p_num_members)
1160 {
1161 struct pdb_methods *pdb = pdb_get_methods();
1162 return pdb->enum_aliasmem(pdb, alias, mem_ctx, pp_members,
1163 p_num_members);
1164 }
1165
1166 NTSTATUS pdb_enum_alias_memberships(TALLOC_CTX *mem_ctx,
1167 const struct dom_sid *domain_sid,
1168 const struct dom_sid *members, size_t num_members,
1169 uint32_t **pp_alias_rids,
1170 size_t *p_num_alias_rids)
1171 {
1172 struct pdb_methods *pdb = pdb_get_methods();
1173 return pdb->enum_alias_memberships(pdb, mem_ctx,
1174 domain_sid,
1175 members, num_members,
1176 pp_alias_rids,
1177 p_num_alias_rids);
1178 }
1179
1180 NTSTATUS pdb_lookup_rids(const struct dom_sid *domain_sid,
1181 int num_rids,
1182 uint32_t *rids,
1183 const char **names,
1184 enum lsa_SidType *attrs)
1185 {
1186 struct pdb_methods *pdb = pdb_get_methods();
1187 return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs);
1188 }
1189
1190 bool pdb_get_account_policy(enum pdb_policy_type type, uint32_t *value)
1191 {
1192 struct pdb_methods *pdb = pdb_get_methods();
1193 NTSTATUS status;
1194
1195 become_root();
1196 status = pdb->get_account_policy(pdb, type, value);
1197 unbecome_root();
1198
1199 return NT_STATUS_IS_OK(status);
1200 }
1201
1202 bool pdb_set_account_policy(enum pdb_policy_type type, uint32_t value)
1203 {
1204 struct pdb_methods *pdb = pdb_get_methods();
1205 NTSTATUS status;
1206
1207 become_root();
1208 status = pdb->set_account_policy(pdb, type, value);
1209 unbecome_root();
1210
1211 return NT_STATUS_IS_OK(status);
1212 }
1213
1214 bool pdb_get_seq_num(time_t *seq_num)
1215 {
1216 struct pdb_methods *pdb = pdb_get_methods();
1217 return NT_STATUS_IS_OK(pdb->get_seq_num(pdb, seq_num));
1218 }
1219
1220 /*
1221 * Instead of passing down a gid or uid, this function sends down a pointer
1222 * to a unixid.
1223 *
1224 * This acts as an in-out variable so that the idmap functions can correctly
1225 * receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing
1226 * the cache to store ID_TYPE_UID or ID_TYPE_GID.
1227 */
1228 bool pdb_id_to_sid(struct unixid *id, struct dom_sid *sid)
1229 {
1230 struct pdb_methods *pdb = pdb_get_methods();
1231 bool ret;
1232
1233 ret = pdb->id_to_sid(pdb, id, sid);
1234
1235 if (ret) {
1236 idmap_cache_set_sid2unixid(sid, id);
1237 }
1238
1239 return ret;
1240 }
1241
1242 bool pdb_sid_to_id(const struct dom_sid *sid, struct unixid *id)
1243 {
1244 struct pdb_methods *pdb = pdb_get_methods();
1245 bool ret;
1246
1247 /* only ask the backend if it is responsible */
1248 if (!sid_check_object_is_for_passdb(sid)) {
1249 return false;
1250 }
1251
1252 ret = pdb->sid_to_id(pdb, sid, id);
1253
1254 if (ret) {
1255 idmap_cache_set_sid2unixid(sid, id);
1256 }
1257
1258 return ret;
1259 }
1260
1261 uint32_t pdb_capabilities(void)
1262 {
1263 struct pdb_methods *pdb = pdb_get_methods();
1264 return pdb->capabilities(pdb);
1265 }
1266
1267 /********************************************************************
1268 Allocate a new RID from the passdb backend. Verify that it is free
1269 by calling lookup_global_sam_rid() to verify that the RID is not
1270 in use. This handles servers that have existing users or groups
1271 with add RIDs (assigned from previous algorithmic mappings)
1272 ********************************************************************/
1273
1274 bool pdb_new_rid(uint32_t *rid)
1275 {
1276 struct pdb_methods *pdb = pdb_get_methods();
1277 const char *name = NULL;
1278 enum lsa_SidType type;
1279 uint32_t allocated_rid = 0;
1280 int i;
1281 TALLOC_CTX *ctx;
1282
1283 if ((pdb_capabilities() & PDB_CAP_STORE_RIDS) == 0) {
1284 DEBUG(0, ("Trying to allocate a RID when algorithmic RIDs "
1285 "are active\n"));
1286 return False;
1287 }
1288
1289 if (algorithmic_rid_base() != BASE_RID) {
1290 DEBUG(0, ("'algorithmic rid base' is set but a passdb backend "
1291 "without algorithmic RIDs is chosen.\n"));
1292 DEBUGADD(0, ("Please map all used groups using 'net groupmap "
1293 "add', set the maximum used RID\n"));
1294 DEBUGADD(0, ("and remove the parameter\n"));
1295 return False;
1296 }
1297
1298 if ( (ctx = talloc_init("pdb_new_rid")) == NULL ) {
1299 DEBUG(0,("pdb_new_rid: Talloc initialization failure\n"));
1300 return False;
1301 }
1302
1303 /* Attempt to get an unused RID (max tires is 250...yes that it is
1304 and arbitrary number I pulkled out of my head). -- jerry */
1305
1306 for ( i=0; allocated_rid==0 && i<250; i++ ) {
1307 /* get a new RID */
1308
1309 if ( !pdb->new_rid(pdb, &allocated_rid) ) {
1310 return False;
1311 }
1312
1313 /* validate that the RID is not in use */
1314
1315 if (lookup_global_sam_rid(ctx, allocated_rid, &name, &type, NULL, NULL)) {
1316 allocated_rid = 0;
1317 }
1318 }
1319
1320 TALLOC_FREE( ctx );
1321
1322 if ( allocated_rid == 0 ) {
1323 DEBUG(0,("pdb_new_rid: Failed to find unused RID\n"));
1324 return False;
1325 }
1326
1327 *rid = allocated_rid;
1328
1329 return True;
1330 }
1331
1332 /***************************************************************
1333 Initialize the static context (at smbd startup etc).
1334
1335 If uninitialised, context will auto-init on first use.
1336 ***************************************************************/
1337
1338 bool initialize_password_db(bool reload, struct tevent_context *tevent_ctx)
1339 {
1340 if (tevent_ctx) {
1341 pdb_tevent_ctx = tevent_ctx;
1342 }
1343 return (pdb_get_methods_reload(reload) != NULL);
1344 }
1345
1346 /***************************************************************************
1347 Default implementations of some functions.
1348 ****************************************************************************/
1349
1350 static NTSTATUS pdb_default_getsampwnam (struct pdb_methods *methods, struct samu *user, const char *sname)
1351 {
1352 return NT_STATUS_NO_SUCH_USER;
1353 }
1354
1355 static NTSTATUS pdb_default_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const struct dom_sid *sid)
1356 {
1357 return NT_STATUS_NO_SUCH_USER;
1358 }
1359
1360 static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1361 {
1362 return NT_STATUS_NOT_IMPLEMENTED;
1363 }
1364
1365 static NTSTATUS pdb_default_update_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1366 {
1367 return NT_STATUS_NOT_IMPLEMENTED;
1368 }
1369
1370 static NTSTATUS pdb_default_delete_sam_account (struct pdb_methods *methods, struct samu *pwd)
1371 {
1372 return NT_STATUS_NOT_IMPLEMENTED;
1373 }
1374
1375 static NTSTATUS pdb_default_rename_sam_account (struct pdb_methods *methods, struct samu *pwd, const char *newname)
1376 {
1377 return NT_STATUS_NOT_IMPLEMENTED;
1378 }
1379
1380 static NTSTATUS pdb_default_update_login_attempts (struct pdb_methods *methods, struct samu *newpwd, bool success)
1381 {
1382 /* Only the pdb_nds backend implements this, by
1383 * default just return ok. */
1384 return NT_STATUS_OK;
1385 }
1386
1387 static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t *value)
1388 {
1389 return account_policy_get(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1390 }
1391
1392 static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t value)
1393 {
1394 return account_policy_set(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1395 }
1396
1397 static NTSTATUS pdb_default_get_seq_num(struct pdb_methods *methods, time_t *seq_num)
1398 {
1399 *seq_num = time(NULL);
1400 return NT_STATUS_OK;
1401 }
1402
1403 static bool pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid,
1404 struct dom_sid *sid)
1405 {
1406 struct samu *sampw = NULL;
1407 struct passwd *unix_pw;
1408 fstring pw_name = { 0 };
1409 bool ret;
1410
1411 unix_pw = getpwuid( uid );
1412
1413 if ( !unix_pw ) {
1414 DEBUG(4,("pdb_default_uid_to_sid: host has no idea of uid "
1415 "%lu\n", (unsigned long)uid));
1416 return False;
1417 }
1418
1419 if (unix_pw->pw_name == NULL) {
1420 DBG_DEBUG("No pw_name for uid %d\n", (int)uid);
1421 return false;
1422 }
1423
1424 /*
1425 * Make a copy, "unix_pw" might go away soon.
1426 */
1427 fstrcpy(pw_name, unix_pw->pw_name);
1428
1429 if ( !(sampw = samu_new( NULL )) ) {
1430 DEBUG(0,("pdb_default_uid_to_sid: samu_new() failed!\n"));
1431 return False;
1432 }
1433
1434 become_root();
1435 ret = NT_STATUS_IS_OK(methods->getsampwnam(methods, sampw, pw_name));
1436 unbecome_root();
1437
1438 if (!ret) {
1439 DEBUG(5, ("pdb_default_uid_to_sid: Did not find user "
1440 "%s (%u)\n", unix_pw->pw_name, (unsigned int)uid));
1441 TALLOC_FREE(sampw);
1442 return False;
1443 }
1444
1445 sid_copy(sid, pdb_get_user_sid(sampw));
1446
1447 TALLOC_FREE(sampw);
1448
1449 return True;
1450 }
1451
1452 static bool pdb_default_gid_to_sid(struct pdb_methods *methods, gid_t gid,
1453 struct dom_sid *sid)
1454 {
1455 GROUP_MAP *map;
1456
1457 map = talloc_zero(NULL, GROUP_MAP);
1458 if (!map) {
1459 return false;
1460 }
1461
1462 if (!NT_STATUS_IS_OK(methods->getgrgid(methods, map, gid))) {
1463 TALLOC_FREE(map);
1464 return false;
1465 }
1466
1467 sid_copy(sid, &map->sid);
1468 TALLOC_FREE(map);
1469 return true;
1470 }
1471
1472 static bool pdb_default_id_to_sid(struct pdb_methods *methods, struct unixid *id,
1473 struct dom_sid *sid)
1474 {
1475 switch (id->type) {
1476 case ID_TYPE_UID:
1477 return pdb_default_uid_to_sid(methods, id->id, sid);
1478
1479 case ID_TYPE_GID:
1480 return pdb_default_gid_to_sid(methods, id->id, sid);
1481
1482 default:
1483 return false;
1484 }
1485 }
1486 /**
1487 * The "Unix User" and "Unix Group" domains have a special
1488 * id mapping that is a rid-algorithm with range starting at 0.
1489 */
1490 bool pdb_sid_to_id_unix_users_and_groups(const struct dom_sid *sid,
1491 struct unixid *id)
1492 {
1493 uint32_t rid;
1494
1495 id->id = -1;
1496
1497 if (sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid)) {
1498 id->id = rid;
1499 id->type = ID_TYPE_UID;
1500 return true;
1501 }
1502
1503 if (sid_peek_check_rid(&global_sid_Unix_Groups, sid, &rid)) {
1504 id->id = rid;
1505 id->type = ID_TYPE_GID;
1506 return true;
1507 }
1508
1509 return false;
1510 }
1511
1512 static bool pdb_default_sid_to_id(struct pdb_methods *methods,
1513 const struct dom_sid *sid,
1514 struct unixid *id)
1515 {
1516 TALLOC_CTX *mem_ctx;
1517 bool ret = False;
1518 uint32_t rid;
1519 struct dom_sid_buf buf;
1520
1521 id->id = -1;
1522
1523 mem_ctx = talloc_new(NULL);
1524
1525 if (mem_ctx == NULL) {
1526 DEBUG(0, ("talloc_new failed\n"));
1527 return False;
1528 }
1529
1530 if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
1531 const char *name;
1532 enum lsa_SidType type;
1533 uid_t uid = (uid_t)-1;
1534 gid_t gid = (gid_t)-1;
1535 /* Here we might have users as well as groups and aliases */
1536 ret = lookup_global_sam_rid(mem_ctx, rid, &name, &type, &uid, &gid);
1537 if (ret) {
1538 switch (type) {
1539 case SID_NAME_DOM_GRP:
1540 case SID_NAME_ALIAS:
1541 id->type = ID_TYPE_GID;
1542 id->id = gid;
1543 break;
1544 case SID_NAME_USER:
1545 id->type = ID_TYPE_UID;
1546 id->id = uid;
1547 break;
1548 default:
1549 DEBUG(5, ("SID %s belongs to our domain, and "
1550 "an object exists in the database, "
1551 "but it is neither a user nor a "
1552 "group (got type %d).\n",
1553 dom_sid_str_buf(sid, &buf),
1554 type));
1555 ret = false;
1556 }
1557 } else {
1558 DEBUG(5, ("SID %s belongs to our domain, but there is "
1559 "no corresponding object in the database.\n",
1560 dom_sid_str_buf(sid, &buf)));
1561 }
1562 goto done;
1563 }
1564
1565 /*
1566 * "Unix User" and "Unix Group"
1567 */
1568 ret = pdb_sid_to_id_unix_users_and_groups(sid, id);
1569 if (ret) {
1570 goto done;
1571 }
1572
1573 /* BUILTIN */
1574
1575 if (sid_check_is_in_builtin(sid) ||
1576 sid_check_is_in_wellknown_domain(sid)) {
1577 /* Here we only have aliases */
1578 GROUP_MAP *map;
1579
1580 map = talloc_zero(mem_ctx, GROUP_MAP);
1581 if (!map) {
1582 ret = false;
1583 goto done;
1584 }
1585
1586 if (!NT_STATUS_IS_OK(methods->getgrsid(methods, map, *sid))) {
1587 DEBUG(10, ("Could not find map for sid %s\n",
1588 dom_sid_str_buf(sid, &buf)));
1589 goto done;
1590 }
1591 if ((map->sid_name_use != SID_NAME_ALIAS) &&
1592 (map->sid_name_use != SID_NAME_WKN_GRP)) {
1593 DEBUG(10, ("Map for sid %s is a %s, expected an "
1594 "alias\n",
1595 dom_sid_str_buf(sid, &buf),
1596 sid_type_lookup(map->sid_name_use)));
1597 goto done;
1598 }
1599
1600 id->id = map->gid;
1601 id->type = ID_TYPE_GID;
1602 ret = True;
1603 goto done;
1604 }
1605
1606 DEBUG(5, ("Sid %s is neither ours, a Unix SID, nor builtin\n",
1607 dom_sid_str_buf(sid, &buf)));
1608
1609 done:
1610
1611 TALLOC_FREE(mem_ctx);
1612 return ret;
1613 }
1614
1615 static bool get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, uint32_t *p_num)
1616 {
1617 struct group *grp;
1618 char **gr;
1619 struct passwd *pwd;
1620 bool winbind_env;
1621 bool ret = False;
1622
1623 *pp_uids = NULL;
1624 *p_num = 0;
1625
1626 /* We only look at our own sam, so don't care about imported stuff */
1627 winbind_env = winbind_env_set();
1628 (void)winbind_off();
1629
1630 if ((grp = getgrgid(gid)) == NULL) {
1631 /* allow winbindd lookups, but only if they weren't already disabled */
1632 goto done;
1633 }
1634
1635 /* Primary group members */
1636 setpwent();
1637 while ((pwd = getpwent()) != NULL) {
1638 if (pwd->pw_gid == gid) {
1639 if (!add_uid_to_array_unique(mem_ctx, pwd->pw_uid,
1640 pp_uids, p_num)) {
1641 goto done;
1642 }
1643 }
1644 }
1645 endpwent();
1646
1647 /* Secondary group members */
1648 for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
1649 struct passwd *pw = getpwnam(*gr);
1650
1651 if (pw == NULL)
1652 continue;
1653 if (!add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num)) {
1654 goto done;
1655 }
1656 }
1657
1658 ret = True;
1659
1660 done:
1661
1662 /* allow winbindd lookups, but only if they weren't already disabled */
1663 if (!winbind_env) {
1664 (void)winbind_on();
1665 }
1666
1667 return ret;
1668 }
1669
1670 static NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
1671 TALLOC_CTX *mem_ctx,
1672 const struct dom_sid *group,
1673 uint32_t **pp_member_rids,
1674 size_t *p_num_members)
1675 {
1676 gid_t gid;
1677 uid_t *uids;
1678 uint32_t i, num_uids;
1679
1680 *pp_member_rids = NULL;
1681 *p_num_members = 0;
1682
1683 if (!sid_to_gid(group, &gid))
1684 return NT_STATUS_NO_SUCH_GROUP;
1685
1686 if(!get_memberuids(mem_ctx, gid, &uids, &num_uids))
1687 return NT_STATUS_NO_SUCH_GROUP;
1688
1689 if (num_uids == 0)
1690 return NT_STATUS_OK;
1691
1692 *pp_member_rids = talloc_zero_array(mem_ctx, uint32_t, num_uids);
1693
1694 for (i=0; i<num_uids; i++) {
1695 struct dom_sid sid;
1696
1697 uid_to_sid(&sid, uids[i]);
1698
1699 if (!sid_check_is_in_our_sam(&sid)) {
1700 DEBUG(5, ("Inconsistent SAM -- group member uid not "
1701 "in our domain\n"));
1702 continue;
1703 }
1704
1705 sid_peek_rid(&sid, &(*pp_member_rids)[*p_num_members]);
1706 *p_num_members += 1;
1707 }
1708
1709 return NT_STATUS_OK;
1710 }
1711
1712 static NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
1713 TALLOC_CTX *mem_ctx,
1714 struct samu *user,
1715 struct dom_sid **pp_sids,
1716 gid_t **pp_gids,
1717 uint32_t *p_num_groups)
1718 {
1719 size_t i;
1720 gid_t gid;
1721 struct passwd *pw;
1722 const char *username = pdb_get_username(user);
1723
1724
1725 /* Ignore the primary group SID. Honor the real Unix primary group.
1726 The primary group SID is only of real use to Windows clients */
1727
1728 if ( !(pw = Get_Pwnam_alloc(mem_ctx, username)) ) {
1729 return NT_STATUS_NO_SUCH_USER;
1730 }
1731
1732 gid = pw->pw_gid;
1733
1734 TALLOC_FREE( pw );
1735
1736 if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) {
1737 return NT_STATUS_NO_SUCH_USER;
1738 }
1739
1740 if (*p_num_groups == 0) {
1741 smb_panic("primary group missing");
1742 }
1743
1744 *pp_sids = talloc_array(mem_ctx, struct dom_sid, *p_num_groups);
1745
1746 if (*pp_sids == NULL) {
1747 TALLOC_FREE(*pp_gids);
1748 return NT_STATUS_NO_MEMORY;
1749 }
1750
1751 for (i=0; i<*p_num_groups; i++) {
1752 gid_to_sid(&(*pp_sids)[i], (*pp_gids)[i]);
1753 }
1754
1755 return NT_STATUS_OK;
1756 }
1757
1758 /*******************************************************************
1759 Look up a rid in the SAM we're responsible for (i.e. passdb)
1760 ********************************************************************/
1761
1762 static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
1763 const char **name,
1764 enum lsa_SidType *psid_name_use,
1765 uid_t *uid, gid_t *gid)
1766 {
1767 struct samu *sam_account = NULL;
1768 GROUP_MAP *map = NULL;
1769 bool ret;
1770 struct dom_sid sid;
1771
1772 *psid_name_use = SID_NAME_UNKNOWN;
1773
1774 DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n",
1775 (unsigned int)rid));
1776
1777 sid_compose(&sid, get_global_sam_sid(), rid);
1778
1779 /* see if the passdb can help us with the name of the user */
1780
1781 if ( !(sam_account = samu_new( NULL )) ) {
1782 return False;
1783 }
1784
1785 map = talloc_zero(mem_ctx, GROUP_MAP);
1786 if (!map) {
1787 return false;
1788 }
1789
1790 /* BEING ROOT BLOCK */
1791 become_root();
1792 ret = pdb_getsampwsid(sam_account, &sid);
1793 if (!ret) {
1794 TALLOC_FREE(sam_account);
1795 ret = pdb_getgrsid(map, sid);
1796 }
1797 unbecome_root();
1798 /* END BECOME_ROOT BLOCK */
1799
1800 if (sam_account || !ret) {
1801 TALLOC_FREE(map);
1802 }
1803
1804 if (sam_account) {
1805 struct passwd *pw;
1806
1807 *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
1808 if (!*name) {
1809 TALLOC_FREE(sam_account);
1810 return False;
1811 }
1812
1813 *psid_name_use = SID_NAME_USER;
1814
1815 TALLOC_FREE(sam_account);
1816
1817 if (uid == NULL) {
1818 return True;
1819 }
1820
1821 pw = Get_Pwnam_alloc(talloc_tos(), *name);
1822 if (pw == NULL) {
1823 return False;
1824 }
1825 *uid = pw->pw_uid;
1826 TALLOC_FREE(pw);
1827 return True;
1828
1829 } else if (map && (map->gid != (gid_t)-1)) {
1830
1831 /* do not resolve SIDs to a name unless there is a valid
1832 gid associated with it */
1833
1834 *name = talloc_steal(mem_ctx, map->nt_name);
1835 *psid_name_use = map->sid_name_use;
1836
1837 if (gid) {
1838 *gid = map->gid;
1839 }
1840
1841 TALLOC_FREE(map);
1842 return True;
1843 }
1844
1845 TALLOC_FREE(map);
1846
1847 /* Windows will always map RID 513 to something. On a non-domain
1848 controller, this gets mapped to SERVER\None. */
1849
1850 if (uid || gid) {
1851 DEBUG(5, ("Can't find a unix id for an unmapped group\n"));
1852 return False;
1853 }
1854
1855 if ( rid == DOMAIN_RID_USERS ) {
1856 *name = talloc_strdup(mem_ctx, "None" );
1857 *psid_name_use = SID_NAME_DOM_GRP;
1858
1859 return True;
1860 }
1861
1862 return False;
1863 }
1864
1865 static NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
1866 const struct dom_sid *domain_sid,
1867 int num_rids,
1868 uint32_t *rids,
1869 const char **names,
1870 enum lsa_SidType *attrs)
1871 {
1872 int i;
1873 NTSTATUS result;
1874 bool have_mapped = False;
1875 bool have_unmapped = False;
1876
1877 if (sid_check_is_builtin(domain_sid)) {
1878
1879 for (i=0; i<num_rids; i++) {
1880 const char *name;
1881
1882 if (lookup_builtin_rid(names, rids[i], &name)) {
1883 attrs[i] = SID_NAME_ALIAS;
1884 names[i] = name;
1885 DEBUG(5,("lookup_rids: %s:%d\n",
1886 names[i], attrs[i]));
1887 have_mapped = True;
1888 } else {
1889 have_unmapped = True;
1890 attrs[i] = SID_NAME_UNKNOWN;
1891 }
1892 }
1893 goto done;
1894 }
1895
1896 /* Should not happen, but better check once too many */
1897 if (!sid_check_is_our_sam(domain_sid)) {
1898 return NT_STATUS_INVALID_HANDLE;
1899 }
1900
1901 for (i = 0; i < num_rids; i++) {
1902 const char *name;
1903
1904 if (lookup_global_sam_rid(names, rids[i], &name, &attrs[i],
1905 NULL, NULL)) {
1906 if (name == NULL) {
1907 return NT_STATUS_NO_MEMORY;
1908 }
1909 names[i] = name;
1910 DEBUG(5,("lookup_rids: %s:%d\n", names[i], attrs[i]));
1911 have_mapped = True;
1912 } else {
1913 have_unmapped = True;
1914 attrs[i] = SID_NAME_UNKNOWN;
1915 }
1916 }
1917
1918 done:
1919
1920 result = NT_STATUS_NONE_MAPPED;
1921
1922 if (have_mapped)
1923 result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
1924
1925 return result;
1926 }
1927
1928 static int pdb_search_destructor(struct pdb_search *search)
1929 {
1930 if ((!search->search_ended) && (search->search_end != NULL)) {
1931 search->search_end(search);
1932 }
1933 return 0;
1934 }
1935
1936 struct pdb_search *pdb_search_init(TALLOC_CTX *mem_ctx,
1937 enum pdb_search_type type)
1938 {
1939 struct pdb_search *result;
1940
1941 result = talloc(mem_ctx, struct pdb_search);
1942 if (result == NULL) {
1943 DEBUG(0, ("talloc failed\n"));
1944 return NULL;
1945 }
1946
1947 result->type = type;
1948 result->cache = NULL;
1949 result->num_entries = 0;
1950 result->cache_size = 0;
1951 result->search_ended = False;
1952 result->search_end = NULL;
1953
1954 /* Segfault appropriately if not initialized */
1955 result->next_entry = NULL;
1956 result->search_end = NULL;
1957
1958 talloc_set_destructor(result, pdb_search_destructor);
1959
1960 return result;
1961 }
1962
1963 static void fill_displayentry(TALLOC_CTX *mem_ctx, uint32_t rid,
1964 uint16_t acct_flags,
1965 const char *account_name,
1966 const char *fullname,
1967 const char *description,
1968 struct samr_displayentry *entry)
1969 {
1970 entry->rid = rid;
1971 entry->acct_flags = acct_flags;
1972
1973 if (account_name != NULL)
1974 entry->account_name = talloc_strdup(mem_ctx, account_name);
1975 else
1976 entry->account_name = "";
1977
1978 if (fullname != NULL)
1979 entry->fullname = talloc_strdup(mem_ctx, fullname);
1980 else
1981 entry->fullname = "";
1982
1983 if (description != NULL)
1984 entry->description = talloc_strdup(mem_ctx, description);
1985 else
1986 entry->description = "";
1987 }
1988
1989 struct group_search {
1990 GROUP_MAP **groups;
1991 size_t num_groups, current_group;
1992 };
1993
1994 static bool next_entry_groups(struct pdb_search *s,
1995 struct samr_displayentry *entry)
1996 {
1997 struct group_search *state = (struct group_search *)s->private_data;
1998 uint32_t rid;
1999 GROUP_MAP *map;
2000
2001 if (state->current_group == state->num_groups)
2002 return False;
2003
2004 map = state->groups[state->current_group];
2005
2006 sid_peek_rid(&map->sid, &rid);
2007
2008 fill_displayentry(s, rid, 0, map->nt_name, NULL, map->comment, entry);
2009
2010 state->current_group += 1;
2011 return True;
2012 }
2013
2014 static void search_end_groups(struct pdb_search *search)
2015 {
2016 struct group_search *state =
2017 (struct group_search *)search->private_data;
2018 TALLOC_FREE(state->groups);
2019 }
2020
2021 static bool pdb_search_grouptype(struct pdb_methods *methods,
2022 struct pdb_search *search,
2023 const struct dom_sid *sid, enum lsa_SidType type)
2024 {
2025 struct group_search *state;
2026
2027 state = talloc_zero(search, struct group_search);
2028 if (state == NULL) {
2029 DEBUG(0, ("talloc failed\n"));
2030 return False;
2031 }
2032
2033 if (!NT_STATUS_IS_OK(methods->enum_group_mapping(methods, sid, type,
2034 &state->groups, &state->num_groups,
2035 True))) {
2036 DEBUG(0, ("Could not enum groups\n"));
2037 return False;
2038 }
2039
2040 state->current_group = 0;
2041 search->private_data = state;
2042 search->next_entry = next_entry_groups;
2043 search->search_end = search_end_groups;
2044 return True;
2045 }
2046
2047 static bool pdb_default_search_groups(struct pdb_methods *methods,
2048 struct pdb_search *search)
2049 {
2050 return pdb_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
2051 }
2052
2053 static bool pdb_default_search_aliases(struct pdb_methods *methods,
2054 struct pdb_search *search,
2055 const struct dom_sid *sid)
2056 {
2057
2058 return pdb_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
2059 }
2060
2061 static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
2062 uint32_t idx)
2063 {
2064 if (idx < search->num_entries)
2065 return &search->cache[idx];
2066
2067 if (search->search_ended)
2068 return NULL;
2069
2070 while (idx >= search->num_entries) {
2071 struct samr_displayentry entry;
2072
2073 if (!search->next_entry(search, &entry)) {
2074 search->search_end(search);
2075 search->search_ended = True;
2076 break;
2077 }
2078
2079 ADD_TO_LARGE_ARRAY(search, struct samr_displayentry,
2080 entry, &search->cache, &search->num_entries,
2081 &search->cache_size);
2082 }
2083
2084 return (search->num_entries > idx) ? &search->cache[idx] : NULL;
2085 }
2086
2087 struct pdb_search *pdb_search_users(TALLOC_CTX *mem_ctx, uint32_t acct_flags)
2088 {
2089 struct pdb_methods *pdb = pdb_get_methods();
2090 struct pdb_search *result;
2091
2092 result = pdb_search_init(mem_ctx, PDB_USER_SEARCH);
2093 if (result == NULL) {
2094 return NULL;
2095 }
2096
2097 if (!pdb->search_users(pdb, result, acct_flags)) {
2098 TALLOC_FREE(result);
2099 return NULL;
2100 }
2101 return result;
2102 }
2103
2104 struct pdb_search *pdb_search_groups(TALLOC_CTX *mem_ctx)
2105 {
2106 struct pdb_methods *pdb = pdb_get_methods();
2107 struct pdb_search *result;
2108
2109 result = pdb_search_init(mem_ctx, PDB_GROUP_SEARCH);
2110 if (result == NULL) {
2111 return NULL;
2112 }
2113
2114 if (!pdb->search_groups(pdb, result)) {
2115 TALLOC_FREE(result);
2116 return NULL;
2117 }
2118 return result;
2119 }
2120
2121 struct pdb_search *pdb_search_aliases(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
2122 {
2123 struct pdb_methods *pdb = pdb_get_methods();
2124 struct pdb_search *result;
2125
2126 if (pdb == NULL) return NULL;
2127
2128 result = pdb_search_init(mem_ctx, PDB_ALIAS_SEARCH);
2129 if (result == NULL) {
2130 return NULL;
2131 }
2132
2133 if (!pdb->search_aliases(pdb, result, sid)) {
2134 TALLOC_FREE(result);
2135 return NULL;
2136 }
2137 return result;
2138 }
2139
2140 uint32_t pdb_search_entries(struct pdb_search *search,
2141 uint32_t start_idx, uint32_t max_entries,
2142 struct samr_displayentry **result)
2143 {
2144 struct samr_displayentry *end_entry;
2145 uint32_t end_idx = start_idx+max_entries-1;
2146
2147 /* The first entry needs to be searched after the last. Otherwise the
2148 * first entry might have moved due to a realloc during the search for
2149 * the last entry. */
2150
2151 end_entry = pdb_search_getentry(search, end_idx);
2152 *result = pdb_search_getentry(search, start_idx);
2153
2154 if (end_entry != NULL)
2155 return max_entries;
2156
2157 if (start_idx >= search->num_entries)
2158 return 0;
2159
2160 return search->num_entries - start_idx;
2161 }
2162
2163 /*******************************************************************
2164 trustdom methods
2165 *******************************************************************/
2166
2167 bool pdb_get_trusteddom_pw(const char *domain, char** pwd, struct dom_sid *sid,
2168 time_t *pass_last_set_time)
2169 {
2170 struct pdb_methods *pdb = pdb_get_methods();
2171 return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
2172 pass_last_set_time);
2173 }
2174
2175 NTSTATUS pdb_get_trusteddom_creds(const char *domain, TALLOC_CTX *mem_ctx,
2176 struct cli_credentials **creds)
2177 {
2178 struct pdb_methods *pdb = pdb_get_methods();
2179 return pdb->get_trusteddom_creds(pdb, domain, mem_ctx, creds);
2180 }
2181
2182 bool pdb_set_trusteddom_pw(const char* domain, const char* pwd,
2183 const struct dom_sid *sid)
2184 {
2185 struct pdb_methods *pdb = pdb_get_methods();
2186 return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
2187 }
2188
2189 bool pdb_del_trusteddom_pw(const char *domain)
2190 {
2191 struct pdb_methods *pdb = pdb_get_methods();
2192 return pdb->del_trusteddom_pw(pdb, domain);
2193 }
2194
2195 NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2196 struct trustdom_info ***domains)
2197 {
2198 struct pdb_methods *pdb = pdb_get_methods();
2199 return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
2200 }
2201
2202 /*******************************************************************
2203 the defaults for trustdom methods:
2204 these simply call the original passdb/secrets.c actions,
2205 to be replaced by pdb_ldap.
2206 *******************************************************************/
2207
2208 static bool pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
2209 const char *domain,
2210 char** pwd,
2211 struct dom_sid *sid,
2212 time_t *pass_last_set_time)
2213 {
2214 return secrets_fetch_trusted_domain_password(domain, pwd,
2215 sid, pass_last_set_time);
2216
2217 }
2218
2219 static NTSTATUS pdb_default_get_trusteddom_creds(struct pdb_methods *methods,
2220 const char *domain,
2221 TALLOC_CTX *mem_ctx,
2222 struct cli_credentials **creds)
2223 {
2224 *creds = NULL;
2225 return NT_STATUS_NOT_IMPLEMENTED;
2226 }
2227
2228 static bool pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
2229 const char* domain,
2230 const char* pwd,
2231 const struct dom_sid *sid)
2232 {
2233 return secrets_store_trusted_domain_password(domain, pwd, sid);
2234 }
2235
2236 static bool pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
2237 const char *domain)
2238 {
2239 return trusted_domain_password_delete(domain);
2240 }
2241
2242 static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
2243 TALLOC_CTX *mem_ctx,
2244 uint32_t *num_domains,
2245 struct trustdom_info ***domains)
2246 {
2247 return secrets_trusted_domains(mem_ctx, num_domains, domains);
2248 }
2249
2250 /*******************************************************************
2251 trusted_domain methods
2252 *******************************************************************/
2253
2254 NTSTATUS pdb_get_trusted_domain(TALLOC_CTX *mem_ctx, const char *domain,
2255 struct pdb_trusted_domain **td)
2256 {
2257 struct pdb_methods *pdb = pdb_get_methods();
2258 return pdb->get_trusted_domain(pdb, mem_ctx, domain, td);
2259 }
2260
2261 NTSTATUS pdb_get_trusted_domain_by_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid,
2262 struct pdb_trusted_domain **td)
2263 {
2264 struct pdb_methods *pdb = pdb_get_methods();
2265 return pdb->get_trusted_domain_by_sid(pdb, mem_ctx, sid, td);
2266 }
2267
2268 NTSTATUS pdb_set_trusted_domain(const char* domain,
2269 const struct pdb_trusted_domain *td)
2270 {
2271 struct pdb_methods *pdb = pdb_get_methods();
2272 return pdb->set_trusted_domain(pdb, domain, td);
2273 }
2274
2275 NTSTATUS pdb_del_trusted_domain(const char *domain)
2276 {
2277 struct pdb_methods *pdb = pdb_get_methods();
2278 return pdb->del_trusted_domain(pdb, domain);
2279 }
2280
2281 NTSTATUS pdb_enum_trusted_domains(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2282 struct pdb_trusted_domain ***domains)
2283 {
2284 struct pdb_methods *pdb = pdb_get_methods();
2285 return pdb->enum_trusted_domains(pdb, mem_ctx, num_domains, domains);
2286 }
2287
2288 static NTSTATUS pdb_default_get_trusted_domain(struct pdb_methods *methods,
2289 TALLOC_CTX *mem_ctx,
2290 const char *domain,
2291 struct pdb_trusted_domain **td)
2292 {
2293 struct trustAuthInOutBlob taiob;
2294 struct AuthenticationInformation aia;
2295 struct pdb_trusted_domain *tdom;
2296 enum ndr_err_code ndr_err;
2297 time_t last_set_time;
2298 char *pwd;
2299 bool ok;
2300
2301 tdom = talloc(mem_ctx, struct pdb_trusted_domain);
2302 if (!tdom) {
2303 return NT_STATUS_NO_MEMORY;
2304 }
2305
2306 tdom->domain_name = talloc_strdup(tdom, domain);
2307 tdom->netbios_name = talloc_strdup(tdom, domain);
2308 if (!tdom->domain_name || !tdom->netbios_name) {
2309 talloc_free(tdom);
2310 return NT_STATUS_NO_MEMORY;
2311 }
2312
2313 tdom->trust_auth_incoming = data_blob_null;
2314
2315 ok = pdb_get_trusteddom_pw(domain, &pwd, &tdom->security_identifier,
2316 &last_set_time);
2317 if (!ok) {
2318 talloc_free(tdom);
2319 return NT_STATUS_UNSUCCESSFUL;
2320 }
2321
2322 ZERO_STRUCT(taiob);
2323 ZERO_STRUCT(aia);
2324 taiob.count = 1;
2325 taiob.current.count = 1;
2326 taiob.current.array = &aia;
2327 unix_to_nt_time(&aia.LastUpdateTime, last_set_time);
2328
2329 aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
2330 aia.AuthInfo.clear.size = strlen(pwd);
2331 aia.AuthInfo.clear.password = (uint8_t *)talloc_memdup(tdom, pwd,
2332 aia.AuthInfo.clear.size);
2333 SAFE_FREE(pwd);
2334 if (aia.AuthInfo.clear.password == NULL) {
2335 talloc_free(tdom);
2336 return NT_STATUS_NO_MEMORY;
2337 }
2338
2339 taiob.previous.count = 0;
2340 taiob.previous.array = NULL;
2341
2342 ndr_err = ndr_push_struct_blob(&tdom->trust_auth_outgoing,
2343 tdom, &taiob,
2344 (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
2345 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2346 talloc_free(tdom);
2347 return NT_STATUS_UNSUCCESSFUL;
2348 }
2349
2350 tdom->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
2351 tdom->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
2352 tdom->trust_attributes = 0;
2353 tdom->trust_forest_trust_info = data_blob_null;
2354
2355 *td = tdom;
2356 return NT_STATUS_OK;
2357 }
2358
2359 static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
2360 TALLOC_CTX *mem_ctx,
2361 struct dom_sid *sid,
2362 struct pdb_trusted_domain **td)
2363 {
2364 return NT_STATUS_NOT_IMPLEMENTED;
2365 }
2366
2367 #define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
2368
2369 static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
2370 const char* domain,
2371 const struct pdb_trusted_domain *td)
2372 {
2373 struct trustAuthInOutBlob taiob;
2374 struct AuthenticationInformation *aia;
2375 enum ndr_err_code ndr_err;
2376 char *pwd;
2377 bool ok;
2378
2379 if (td->trust_attributes != 0 ||
2380 td->trust_type != LSA_TRUST_TYPE_DOWNLEVEL ||
2381 td->trust_direction != LSA_TRUST_DIRECTION_OUTBOUND ||
2382 !IS_NULL_DATA_BLOB(td->trust_auth_incoming) ||
2383 !IS_NULL_DATA_BLOB(td->trust_forest_trust_info)) {
2384 return NT_STATUS_NOT_IMPLEMENTED;
2385 }
2386
2387 ZERO_STRUCT(taiob);
2388 ndr_err = ndr_pull_struct_blob(&td->trust_auth_outgoing, talloc_tos(),
2389 &taiob,
2390 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2391 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2392 return NT_STATUS_UNSUCCESSFUL;
2393 }
2394
2395 aia = (struct AuthenticationInformation *) taiob.current.array;
2396
2397 if (taiob.count != 1 || taiob.current.count != 1 ||
2398 taiob.previous.count != 0 ||
2399 aia->AuthType != TRUST_AUTH_TYPE_CLEAR) {
2400 return NT_STATUS_NOT_IMPLEMENTED;
2401 }
2402
2403 pwd = talloc_strndup(talloc_tos(), (char *) aia->AuthInfo.clear.password,
2404 aia->AuthInfo.clear.size);
2405 if (!pwd) {
2406 return NT_STATUS_NO_MEMORY;
2407 }
2408
2409 ok = pdb_set_trusteddom_pw(domain, pwd, &td->security_identifier);
2410 if (!ok) {
2411 return NT_STATUS_UNSUCCESSFUL;
2412 }
2413
2414 return NT_STATUS_OK;
2415 }
2416
2417 static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
2418 const char *domain)
2419 {
2420 return NT_STATUS_NOT_IMPLEMENTED;
2421 }
2422
2423 static NTSTATUS pdb_default_enum_trusted_domains(struct pdb_methods *methods,
2424 TALLOC_CTX *mem_ctx,
2425 uint32_t *num_domains,
2426 struct pdb_trusted_domain ***domains)
2427 {
2428 return NT_STATUS_NOT_IMPLEMENTED;
2429 }
2430
2431 static struct pdb_domain_info *pdb_default_get_domain_info(
2432 struct pdb_methods *m, TALLOC_CTX *mem_ctx)
2433 {
2434 return NULL;
2435 }
2436
2437 /*****************************************************************
2438 UPN suffixes
2439 *****************************************************************/
2440 static NTSTATUS pdb_default_enum_upn_suffixes(struct pdb_methods *pdb,
2441 TALLOC_CTX *mem_ctx,
2442 uint32_t *num_suffixes,
2443 char ***suffixes)
2444 {
2445 return NT_STATUS_NOT_IMPLEMENTED;
2446 }
2447
2448 static NTSTATUS pdb_default_set_upn_suffixes(struct pdb_methods *pdb,
2449 uint32_t num_suffixes,
2450 const char **suffixes)
2451 {
2452 return NT_STATUS_NOT_IMPLEMENTED;
2453 }
2454
2455 NTSTATUS pdb_enum_upn_suffixes(TALLOC_CTX *mem_ctx,
2456 uint32_t *num_suffixes,
2457 char ***suffixes)
2458 {
2459 struct pdb_methods *pdb = pdb_get_methods();
2460 return pdb->enum_upn_suffixes(pdb, mem_ctx, num_suffixes, suffixes);
2461 }
2462
2463 NTSTATUS pdb_set_upn_suffixes(uint32_t num_suffixes,
2464 const char **suffixes)
2465 {
2466 struct pdb_methods *pdb = pdb_get_methods();
2467 return pdb->set_upn_suffixes(pdb, num_suffixes, suffixes);
2468 }
2469
2470 /*******************************************************************
2471 idmap control methods
2472 *******************************************************************/
2473 static bool pdb_default_is_responsible_for_our_sam(
2474 struct pdb_methods *methods)
2475 {
2476 return true;
2477 }
2478
2479 static bool pdb_default_is_responsible_for_builtin(
2480 struct pdb_methods *methods)
2481 {
2482 return true;
2483 }
2484
2485 static bool pdb_default_is_responsible_for_wellknown(
2486 struct pdb_methods *methods)
2487 {
2488 return false;
2489 }
2490
2491 static bool pdb_default_is_responsible_for_unix_users(
2492 struct pdb_methods *methods)
2493 {
2494 return true;
2495 }
2496
2497 static bool pdb_default_is_responsible_for_unix_groups(
2498 struct pdb_methods *methods)
2499 {
2500 return true;
2501 }
2502
2503 static bool pdb_default_is_responsible_for_everything_else(
2504 struct pdb_methods *methods)
2505 {
2506 return false;
2507 }
2508
2509 bool pdb_is_responsible_for_our_sam(void)
2510 {
2511 struct pdb_methods *pdb = pdb_get_methods();
2512 return pdb->is_responsible_for_our_sam(pdb);
2513 }
2514
2515 bool pdb_is_responsible_for_builtin(void)
2516 {
2517 struct pdb_methods *pdb = pdb_get_methods();
2518 return pdb->is_responsible_for_builtin(pdb);
2519 }
2520
2521 bool pdb_is_responsible_for_wellknown(void)
2522 {
2523 struct pdb_methods *pdb = pdb_get_methods();
2524 return pdb->is_responsible_for_wellknown(pdb);
2525 }
2526
2527 bool pdb_is_responsible_for_unix_users(void)
2528 {
2529 struct pdb_methods *pdb = pdb_get_methods();
2530 return pdb->is_responsible_for_unix_users(pdb);
2531 }
2532
2533 bool pdb_is_responsible_for_unix_groups(void)
2534 {
2535 struct pdb_methods *pdb = pdb_get_methods();
2536 return pdb->is_responsible_for_unix_groups(pdb);
2537 }
2538
2539 bool pdb_is_responsible_for_everything_else(void)
2540 {
2541 struct pdb_methods *pdb = pdb_get_methods();
2542 return pdb->is_responsible_for_everything_else(pdb);
2543 }
2544
2545 /*******************************************************************
2546 secret methods
2547 *******************************************************************/
2548
2549 NTSTATUS pdb_get_secret(TALLOC_CTX *mem_ctx,
2550 const char *secret_name,
2551 DATA_BLOB *secret_current,
2552 NTTIME *secret_current_lastchange,
2553 DATA_BLOB *secret_old,
2554 NTTIME *secret_old_lastchange,
2555 struct security_descriptor **sd)
2556 {
2557 struct pdb_methods *pdb = pdb_get_methods();
2558 return pdb->get_secret(pdb, mem_ctx, secret_name,
2559 secret_current, secret_current_lastchange,
2560 secret_old, secret_old_lastchange,
2561 sd);
2562 }
2563
2564 NTSTATUS pdb_set_secret(const char *secret_name,
2565 DATA_BLOB *secret_current,
2566 DATA_BLOB *secret_old,
2567 struct security_descriptor *sd)
2568 {
2569 struct pdb_methods *pdb = pdb_get_methods();
2570 return pdb->set_secret(pdb, secret_name,
2571 secret_current,
2572 secret_old,
2573 sd);
2574 }
2575
2576 NTSTATUS pdb_delete_secret(const char *secret_name)
2577 {
2578 struct pdb_methods *pdb = pdb_get_methods();
2579 return pdb->delete_secret(pdb, secret_name);
2580 }
2581
2582 static NTSTATUS pdb_default_get_secret(struct pdb_methods *methods,
2583 TALLOC_CTX *mem_ctx,
2584 const char *secret_name,
2585 DATA_BLOB *secret_current,
2586 NTTIME *secret_current_lastchange,
2587 DATA_BLOB *secret_old,
2588 NTTIME *secret_old_lastchange,
2589 struct security_descriptor **sd)
2590 {
2591 return lsa_secret_get(mem_ctx, secret_name,
2592 secret_current,
2593 secret_current_lastchange,
2594 secret_old,
2595 secret_old_lastchange,
2596 sd);
2597 }
2598
2599 static NTSTATUS pdb_default_set_secret(struct pdb_methods *methods,
2600 const char *secret_name,
2601 DATA_BLOB *secret_current,
2602 DATA_BLOB *secret_old,
2603 struct security_descriptor *sd)
2604 {
2605 return lsa_secret_set(secret_name,
2606 secret_current,
2607 secret_old,
2608 sd);
2609 }
2610
2611 static NTSTATUS pdb_default_delete_secret(struct pdb_methods *methods,
2612 const char *secret_name)
2613 {
2614 return lsa_secret_delete(secret_name);
2615 }
2616
2617 /*******************************************************************
2618 Create a pdb_methods structure and initialize it with the default
2619 operations. In this way a passdb module can simply implement
2620 the functionality it cares about. However, normally this is done
2621 in groups of related functions.
2622 *******************************************************************/
2623
2624 NTSTATUS make_pdb_method( struct pdb_methods **methods )
2625 {
2626 /* allocate memory for the structure as its own talloc CTX */
2627
2628 *methods = talloc_zero(NULL, struct pdb_methods);
2629 if (*methods == NULL) {
2630 return NT_STATUS_NO_MEMORY;
2631 }
2632
2633 (*methods)->get_domain_info = pdb_default_get_domain_info;
2634 (*methods)->getsampwnam = pdb_default_getsampwnam;
2635 (*methods)->getsampwsid = pdb_default_getsampwsid;
2636 (*methods)->create_user = pdb_default_create_user;
2637 (*methods)->delete_user = pdb_default_delete_user;
2638 (*methods)->add_sam_account = pdb_default_add_sam_account;
2639 (*methods)->update_sam_account = pdb_default_update_sam_account;
2640 (*methods)->delete_sam_account = pdb_default_delete_sam_account;
2641 (*methods)->rename_sam_account = pdb_default_rename_sam_account;
2642 (*methods)->update_login_attempts = pdb_default_update_login_attempts;
2643
2644 (*methods)->getgrsid = pdb_default_getgrsid;
2645 (*methods)->getgrgid = pdb_default_getgrgid;
2646 (*methods)->getgrnam = pdb_default_getgrnam;
2647 (*methods)->create_dom_group = pdb_default_create_dom_group;
2648 (*methods)->delete_dom_group = pdb_default_delete_dom_group;
2649 (*methods)->add_group_mapping_entry = pdb_default_add_group_mapping_entry;
2650 (*methods)->update_group_mapping_entry = pdb_default_update_group_mapping_entry;
2651 (*methods)->delete_group_mapping_entry = pdb_default_delete_group_mapping_entry;
2652 (*methods)->enum_group_mapping = pdb_default_enum_group_mapping;
2653 (*methods)->enum_group_members = pdb_default_enum_group_members;
2654 (*methods)->enum_group_memberships = pdb_default_enum_group_memberships;
2655 (*methods)->set_unix_primary_group = pdb_default_set_unix_primary_group;
2656 (*methods)->add_groupmem = pdb_default_add_groupmem;
2657 (*methods)->del_groupmem = pdb_default_del_groupmem;
2658 (*methods)->create_alias = pdb_default_create_alias;
2659 (*methods)->delete_alias = pdb_default_delete_alias;
2660 (*methods)->get_aliasinfo = pdb_default_get_aliasinfo;
2661 (*methods)->set_aliasinfo = pdb_default_set_aliasinfo;
2662 (*methods)->add_aliasmem = pdb_default_add_aliasmem;
2663 (*methods)->del_aliasmem = pdb_default_del_aliasmem;
2664 (*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
2665 (*methods)->enum_alias_memberships = pdb_default_alias_memberships;
2666 (*methods)->lookup_rids = pdb_default_lookup_rids;
2667 (*methods)->get_account_policy = pdb_default_get_account_policy;
2668 (*methods)->set_account_policy = pdb_default_set_account_policy;
2669 (*methods)->get_seq_num = pdb_default_get_seq_num;
2670 (*methods)->id_to_sid = pdb_default_id_to_sid;
2671 (*methods)->sid_to_id = pdb_default_sid_to_id;
2672
2673 (*methods)->search_groups = pdb_default_search_groups;
2674 (*methods)->search_aliases = pdb_default_search_aliases;
2675
2676 (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
2677 (*methods)->get_trusteddom_creds = pdb_default_get_trusteddom_creds;
2678 (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
2679 (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
2680 (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
2681
2682 (*methods)->get_trusted_domain = pdb_default_get_trusted_domain;
2683 (*methods)->get_trusted_domain_by_sid = pdb_default_get_trusted_domain_by_sid;
2684 (*methods)->set_trusted_domain = pdb_default_set_trusted_domain;
2685 (*methods)->del_trusted_domain = pdb_default_del_trusted_domain;
2686 (*methods)->enum_trusted_domains = pdb_default_enum_trusted_domains;
2687
2688 (*methods)->get_secret = pdb_default_get_secret;
2689 (*methods)->set_secret = pdb_default_set_secret;
2690 (*methods)->delete_secret = pdb_default_delete_secret;
2691
2692 (*methods)->enum_upn_suffixes = pdb_default_enum_upn_suffixes;
2693 (*methods)->set_upn_suffixes = pdb_default_set_upn_suffixes;
2694
2695 (*methods)->is_responsible_for_our_sam =
2696 pdb_default_is_responsible_for_our_sam;
2697 (*methods)->is_responsible_for_builtin =
2698 pdb_default_is_responsible_for_builtin;
2699 (*methods)->is_responsible_for_wellknown =
2700 pdb_default_is_responsible_for_wellknown;
2701 (*methods)->is_responsible_for_unix_users =
2702 pdb_default_is_responsible_for_unix_users;
2703 (*methods)->is_responsible_for_unix_groups =
2704 pdb_default_is_responsible_for_unix_groups;
2705 (*methods)->is_responsible_for_everything_else =
2706 pdb_default_is_responsible_for_everything_else;
2707
2708 return NT_STATUS_OK;
2709 }
Samba GIT mirror