source4/dsdb/samdb/ldb_modules/update_keytab.c

   1 /*
   2    ldb database library
   3
   4    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2007
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 /*
  21  *  Name: ldb
  22  *
  23  *  Component: ldb update_keytabs module
  24  *
  25  *  Description: Update keytabs whenever their matching secret record changes
  26  *
  27  *  Author: Andrew Bartlett
  28  */
  29
  30 #include "includes.h"
  31 #include "ldb/include/ldb_includes.h"
  32 #include "auth/credentials/credentials.h"
  33 #include "auth/credentials/credentials_krb5.h"
  34 #include "system/kerberos.h"
  35 #include "param/param.h"
  36
  37 struct dn_list {
  38         struct cli_credentials *creds;
  39         struct dn_list *prev, *next;
  40 };
  41
  42 struct update_kt_private {
  43         struct dn_list *changed_dns;
  44 };
  45
  46 static int add_modified(struct ldb_module *module, struct ldb_dn *dn, bool delete) {
  47         struct update_kt_private *data = talloc_get_type(module->private_data, struct update_kt_private);
  48         struct dn_list *item;
  49         char *filter;
  50         struct ldb_result *res;
  51         const char *attrs[] = { NULL };
  52         int ret;
  53         NTSTATUS status;
  54
  55         filter = talloc_asprintf(data, "(&(dn=%s)(&(objectClass=kerberosSecret)(privateKeytab=*)))",
  56                                  ldb_dn_get_linearized(dn));
  57         if (!filter) {
  58                 ldb_oom(module->ldb);
  59                 return LDB_ERR_OPERATIONS_ERROR;
  60         }
  61
  62         ret = ldb_search(module->ldb, data, &res,
  63                          dn, LDB_SCOPE_BASE, attrs, "%s", filter);
  64         if (ret != LDB_SUCCESS) {
  65                 talloc_free(filter);
  66                 return ret;
  67         }
  68
  69         if (res->count != 1) {
  70                 /* if it's not a kerberosSecret then we don't have anything to update */
  71                 talloc_free(res);
  72                 talloc_free(filter);
  73                 return LDB_SUCCESS;
  74         }
  75         talloc_free(res);
  76
  77         item = talloc(data->changed_dns? (void *)data->changed_dns: (void *)data, struct dn_list);
  78         if (!item) {
  79                 talloc_free(filter);
  80                 ldb_oom(module->ldb);
  81                 return LDB_ERR_OPERATIONS_ERROR;
  82         }
  83
  84         item->creds = cli_credentials_init(item);
  85         if (!item->creds) {
  86                 DEBUG(1, ("cli_credentials_init failed!"));
  87                 talloc_free(filter);
  88                 ldb_oom(module->ldb);
  89                 return LDB_ERR_OPERATIONS_ERROR;
  90         }
  91
  92         cli_credentials_set_conf(item->creds, ldb_get_opaque(module->ldb, "loadparm"));
  93         status = cli_credentials_set_secrets(item->creds, ldb_get_opaque(module->ldb, "EventContext"), ldb_get_opaque(module->ldb, "loadparm"), module->ldb, NULL, filter);
  94         talloc_free(filter);
  95         if (NT_STATUS_IS_OK(status)) {
  96                 if (delete) {
  97                         /* Ensure we don't helpfully keep an old keytab entry */
  98                         cli_credentials_set_kvno(item->creds, cli_credentials_get_kvno(item->creds)+2);
  99                         /* Wipe passwords */
 100                         cli_credentials_set_nt_hash(item->creds, NULL,
 101                                                     CRED_SPECIFIED);
 102                 }
 103                 DLIST_ADD_END(data->changed_dns, item, struct dn_list *);
 104         }
 105         return LDB_SUCCESS;
 106 }
 107
 108 /* add */
 109 static int update_kt_add(struct ldb_module *module, struct ldb_request *req)
 110 {
 111         int ret;
 112         ret = ldb_next_request(module, req);
 113         if (ret != LDB_SUCCESS) {
 114                 return ret;
 115         }
 116         return add_modified(module, req->op.add.message->dn, false);
 117 }
 118
 119 /* modify */
 120 static int update_kt_modify(struct ldb_module *module, struct ldb_request *req)
 121 {
 122         int ret;
 123         ret = ldb_next_request(module, req);
 124         if (ret != LDB_SUCCESS) {
 125                 return ret;
 126         }
 127         return add_modified(module, req->op.mod.message->dn, false);
 128 }
 129
 130 /* delete */
 131 static int update_kt_delete(struct ldb_module *module, struct ldb_request *req)
 132 {
 133         int ret;
 134         /* Before we delete it, record the details */
 135         ret = add_modified(module, req->op.del.dn, true);
 136         if (ret != LDB_SUCCESS) {
 137                 return ret;
 138         }
 139         return ldb_next_request(module, req);
 140 }
 141
 142 /* rename */
 143 static int update_kt_rename(struct ldb_module *module, struct ldb_request *req)
 144 {
 145         int ret;
 146         ret = ldb_next_request(module, req);
 147         if (ret != LDB_SUCCESS) {
 148                 return ret;
 149         }
 150         return add_modified(module, req->op.rename.newdn, false);
 151 }
 152
 153 /* end a transaction */
 154 static int update_kt_end_trans(struct ldb_module *module)
 155 {
 156         struct update_kt_private *data = talloc_get_type(module->private_data, struct update_kt_private);
 157
 158         struct dn_list *p;
 159         for (p=data->changed_dns; p; p = p->next) {
 160                 int kret;
 161                 kret = cli_credentials_update_keytab(p->creds, ldb_get_opaque(module->ldb, "EventContext"), ldb_get_opaque(module->ldb, "loadparm"));
 162                 if (kret != 0) {
 163                         talloc_free(data->changed_dns);
 164                         data->changed_dns = NULL;
 165                         ldb_asprintf_errstring(module->ldb, "Failed to update keytab: %s", error_message(kret));
 166                         return LDB_ERR_OPERATIONS_ERROR;
 167                 }
 168         }
 169
 170         talloc_free(data->changed_dns);
 171         data->changed_dns = NULL;
 172         return ldb_next_end_trans(module);
 173 }
 174
 175 /* end a transaction */
 176 static int update_kt_del_trans(struct ldb_module *module)
 177 {
 178         struct update_kt_private *data = talloc_get_type(module->private_data, struct update_kt_private);
 179
 180         talloc_free(data->changed_dns);
 181         data->changed_dns = NULL;
 182
 183         return ldb_next_del_trans(module);
 184 }
 185
 186 static int update_kt_init(struct ldb_module *module)
 187 {
 188         struct update_kt_private *data;
 189
 190         data = talloc(module, struct update_kt_private);
 191         if (data == NULL) {
 192                 ldb_oom(module->ldb);
 193                 return LDB_ERR_OPERATIONS_ERROR;
 194         }
 195
 196         module->private_data = data;
 197         data->changed_dns = NULL;
 198
 199         return ldb_next_init(module);
 200 }
 201
 202 _PUBLIC_ const struct ldb_module_ops ldb_update_keytab_module_ops = {
 203         .name              = "update_keytab",
 204         .init_context      = update_kt_init,
 205         .add               = update_kt_add,
 206         .modify            = update_kt_modify,
 207         .rename            = update_kt_rename,
 208         .del               = update_kt_delete,
 209         .end_transaction   = update_kt_end_trans,
 210         .del_transaction   = update_kt_del_trans,
 211 };