2 Unix SMB/CIFS implementation.
3 Copyright (C) Andrew Tridgell 1992-2001
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Rafal Szczesniak 2002
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 /* the Samba secrets database stores any generated, private information
22 such as the local SID and machine trust password */
26 #include "param/param.h"
27 #include "system/filesys.h"
29 #include "lib/ldb-samba/ldb_wrap.h"
31 #include "../lib/util/util_tdb.h"
32 #include "librpc/gen_ndr/ndr_security.h"
33 #include "dsdb/samdb/samdb.h"
36 * Use a TDB to store an incrementing random seed.
38 * Initialised to the current pid, the very first time Samba starts,
39 * and incremented by one each time it is needed.
41 * @note Not called by systems with a working /dev/urandom.
43 static void get_rand_seed(struct tdb_wrap
*secretsdb
, int *new_seed
)
46 if (secretsdb
!= NULL
) {
47 tdb_change_int32_atomic(secretsdb
->tdb
, "INFO/random_seed", new_seed
, 1);
52 * open up the secrets database
54 struct tdb_wrap
*secrets_init(TALLOC_CTX
*mem_ctx
, struct loadparm_context
*lp_ctx
)
60 fname
= lpcfg_private_path(mem_ctx
, lp_ctx
, "secrets.tdb");
62 tdb
= tdb_wrap_open(mem_ctx
, fname
, 0, TDB_DEFAULT
, O_RDWR
|O_CREAT
, 0600);
65 DEBUG(0,("Failed to open %s\n", fname
));
72 * Set a reseed function for the crypto random generator
74 * This avoids a problem where systems without /dev/urandom
75 * could send the same challenge to multiple clients
77 set_rand_reseed_callback((void (*) (void *, int *))get_rand_seed
, tdb
);
79 /* Ensure that the reseed is done now, while we are root, etc */
80 generate_random_buffer(&dummy
, sizeof(dummy
));
86 connect to the secrets ldb
88 struct ldb_context
*secrets_db_connect(TALLOC_CTX
*mem_ctx
,
89 struct loadparm_context
*lp_ctx
)
91 return ldb_wrap_connect(mem_ctx
, NULL
, lp_ctx
, lpcfg_secrets_url(lp_ctx
),
96 * Retrieve the domain SID from the secrets database.
97 * @return pointer to a SID object if the SID could be obtained, NULL otherwise
99 struct dom_sid
*secrets_get_domain_sid(TALLOC_CTX
*mem_ctx
,
100 struct loadparm_context
*lp_ctx
,
102 enum netr_SchannelType
*sec_channel_type
,
105 struct ldb_context
*ldb
;
106 struct ldb_message
*msg
;
108 const char *attrs
[] = { "objectSid", "secureChannelType", NULL
};
109 struct dom_sid
*result
= NULL
;
110 const struct ldb_val
*v
;
111 enum ndr_err_code ndr_err
;
115 ldb
= secrets_db_connect(mem_ctx
, lp_ctx
);
117 DEBUG(5, ("secrets_db_connect failed\n"));
121 ldb_ret
= dsdb_search_one(ldb
, ldb
, &msg
,
122 ldb_dn_new(mem_ctx
, ldb
, SECRETS_PRIMARY_DOMAIN_DN
),
124 attrs
, 0, SECRETS_PRIMARY_DOMAIN_FILTER
, domain
);
126 if (ldb_ret
!= LDB_SUCCESS
) {
127 *errstring
= talloc_asprintf(mem_ctx
, "Failed to find record for %s in %s: %s: %s",
128 domain
, (char *) ldb_get_opaque(ldb
, "ldb_url"),
129 ldb_strerror(ldb_ret
), ldb_errstring(ldb
));
132 v
= ldb_msg_find_ldb_val(msg
, "objectSid");
134 *errstring
= talloc_asprintf(mem_ctx
, "Failed to find a SID on record for %s in %s",
135 domain
, (char *) ldb_get_opaque(ldb
, "ldb_url"));
139 if (sec_channel_type
) {
141 t
= ldb_msg_find_attr_as_int(msg
, "secureChannelType", -1);
143 *errstring
= talloc_asprintf(mem_ctx
, "Failed to find secureChannelType for %s in %s",
144 domain
, (char *) ldb_get_opaque(ldb
, "ldb_url"));
147 *sec_channel_type
= t
;
150 result
= talloc(mem_ctx
, struct dom_sid
);
151 if (result
== NULL
) {
156 ndr_err
= ndr_pull_struct_blob(v
, result
, result
,
157 (ndr_pull_flags_fn_t
)ndr_pull_dom_sid
);
158 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
159 *errstring
= talloc_asprintf(mem_ctx
, "Failed to parse SID on record for %s in %s",
160 domain
, (char *) ldb_get_opaque(ldb
, "ldb_url"));
169 char *keytab_name_from_msg(TALLOC_CTX
*mem_ctx
, struct ldb_context
*ldb
, struct ldb_message
*msg
)
171 const char *krb5keytab
= ldb_msg_find_attr_as_string(msg
, "krb5Keytab", NULL
);
173 return talloc_strdup(mem_ctx
, krb5keytab
);
177 const char *privateKeytab
= ldb_msg_find_attr_as_string(msg
, "privateKeytab", NULL
);
178 if (!privateKeytab
) {
182 relative_path
= ldb_relative_path(ldb
, mem_ctx
, privateKeytab
);
183 if (!relative_path
) {
186 file_keytab
= talloc_asprintf(mem_ctx
, "FILE:%s", relative_path
);
187 talloc_free(relative_path
);