search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-pdb_ipa: Add supprted encryption types to struct pdb_trusted_domain
[Samba.git] / source3 / passdb / pdb_ipa.c
blob15e65e0c2249dfa4b9134bd5de69551453cbd1ea
1 /*
2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18
19 */
20
21 #include "includes.h"
22 #include "passdb.h"
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/samr.h"
26 #include "secrets.h"
27
28 #include "smbldap.h"
29
30 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
31 #define IPA_MAGIC_ID_STR "999"
32
33 #define LDAP_TRUST_CONTAINER "ou=system"
34 #define LDAP_ATTRIBUTE_CN "cn"
35 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
36 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
37 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
38 #define LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET "sambaTrustPosixOffset"
39 #define LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE "sambaSupportedEncryptionTypes"
40 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
41 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
42 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
43 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
44 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
45 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
46 #define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
47
48 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
49 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
50 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
51
52 #define LDAP_OBJ_IPAOBJECT "ipaObject"
53 #define LDAP_OBJ_IPAHOST "ipaHost"
54 #define LDAP_OBJ_POSIXACCOUNT "posixAccount"
55
56 #define LDAP_OBJ_GROUPOFNAMES "groupOfNames"
57 #define LDAP_OBJ_NESTEDGROUP "nestedGroup"
58 #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
59 #define LDAP_OBJ_POSIXGROUP "posixGroup"
60
61 #define HAS_KRB_PRINCIPAL (1<<0)
62 #define HAS_KRB_PRINCIPAL_AUX (1<<1)
63 #define HAS_IPAOBJECT (1<<2)
64 #define HAS_IPAHOST (1<<3)
65 #define HAS_POSIXACCOUNT (1<<4)
66 #define HAS_GROUPOFNAMES (1<<5)
67 #define HAS_NESTEDGROUP (1<<6)
68 #define HAS_IPAUSERGROUP (1<<7)
69 #define HAS_POSIXGROUP (1<<8)
70
71 struct ipasam_privates {
72 bool server_is_ipa;
73 NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
74 struct samu *sampass);
75 NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
76 struct samu *sampass);
77 NTSTATUS (*ldapsam_create_user)(struct pdb_methods *my_methods,
78 TALLOC_CTX *tmp_ctx, const char *name,
79 uint32_t acb_info, uint32_t *rid);
80 NTSTATUS (*ldapsam_create_dom_group)(struct pdb_methods *my_methods,
81 TALLOC_CTX *tmp_ctx,
82 const char *name,
83 uint32_t *rid);
84 };
85
86 static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
87 const char *domain,
88 char** pwd,
89 struct dom_sid *sid,
90 time_t *pass_last_set_time)
91 {
92 return false;
93 }
94
95 static bool ipasam_set_trusteddom_pw(struct pdb_methods *methods,
96 const char* domain,
97 const char* pwd,
98 const struct dom_sid *sid)
99 {
100 return false;
101 }
102
103 static bool ipasam_del_trusteddom_pw(struct pdb_methods *methods,
104 const char *domain)
105 {
106 return false;
107 }
108
109 static char *get_account_dn(const char *name)
110 {
111 char *escape_name;
112 char *dn;
113
114 escape_name = escape_rdn_val_string_alloc(name);
115 if (!escape_name) {
116 return NULL;
117 }
118
119 if (name[strlen(name)-1] == '$') {
120 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
121 lp_ldap_machine_suffix());
122 } else {
123 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
124 lp_ldap_user_suffix());
125 }
126
127 SAFE_FREE(escape_name);
128
129 return dn;
130 }
131
132 static char *trusted_domain_dn(struct ldapsam_privates *ldap_state,
133 const char *domain)
134 {
135 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
136 LDAP_ATTRIBUTE_CN, domain,
137 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
138 }
139
140 static char *trusted_domain_base_dn(struct ldapsam_privates *ldap_state)
141 {
142 return talloc_asprintf(talloc_tos(), "%s,%s",
143 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
144 }
145
146 static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state,
147 TALLOC_CTX *mem_ctx,
148 const char *filter, LDAPMessage **entry)
149 {
150 int rc;
151 char *base_dn = NULL;
152 LDAPMessage *result = NULL;
153 uint32_t num_result;
154
155 base_dn = trusted_domain_base_dn(ldap_state);
156 if (base_dn == NULL) {
157 return false;
158 }
159
160 rc = smbldap_search(ldap_state->smbldap_state, base_dn,
161 LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result);
162 TALLOC_FREE(base_dn);
163
164 if (result != NULL) {
165 talloc_autofree_ldapmsg(mem_ctx, result);
166 }
167
168 if (rc == LDAP_NO_SUCH_OBJECT) {
169 *entry = NULL;
170 return true;
171 }
172
173 if (rc != LDAP_SUCCESS) {
174 return false;
175 }
176
177 num_result = ldap_count_entries(priv2ld(ldap_state), result);
178
179 if (num_result > 1) {
180 DEBUG(1, ("get_trusted_domain_int: more than one "
181 "%s object with filter '%s'?!\n",
182 LDAP_OBJ_TRUSTED_DOMAIN, filter));
183 return false;
184 }
185
186 if (num_result == 0) {
187 DEBUG(1, ("get_trusted_domain_int: no "
188 "%s object with filter '%s'.\n",
189 LDAP_OBJ_TRUSTED_DOMAIN, filter));
190 *entry = NULL;
191 } else {
192 *entry = ldap_first_entry(priv2ld(ldap_state), result);
193 }
194
195 return true;
196 }
197
198 static bool get_trusted_domain_by_name_int(struct ldapsam_privates *ldap_state,
199 TALLOC_CTX *mem_ctx,
200 const char *domain,
201 LDAPMessage **entry)
202 {
203 char *filter = NULL;
204
205 filter = talloc_asprintf(talloc_tos(),
206 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
207 LDAP_OBJ_TRUSTED_DOMAIN,
208 LDAP_ATTRIBUTE_FLAT_NAME, domain,
209 LDAP_ATTRIBUTE_TRUST_PARTNER, domain, domain);
210 if (filter == NULL) {
211 return false;
212 }
213
214 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
215 }
216
217 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates *ldap_state,
218 TALLOC_CTX *mem_ctx,
219 const char *sid, LDAPMessage **entry)
220 {
221 char *filter = NULL;
222
223 filter = talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
224 LDAP_OBJ_TRUSTED_DOMAIN,
225 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER, sid);
226 if (filter == NULL) {
227 return false;
228 }
229
230 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
231 }
232
233 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state,
234 LDAPMessage *entry,
235 const char *attr,
236 uint32_t *val)
237 {
238 char *dummy;
239 long int l;
240 char *endptr;
241
242 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
243 attr, talloc_tos());
244 if (dummy == NULL) {
245 DEBUG(9, ("Attribute %s not present.\n", attr));
246 *val = 0;
247 return true;
248 }
249
250 l = strtoul(dummy, &endptr, 10);
251 TALLOC_FREE(dummy);
252
253 if (l < 0 || l > UINT32_MAX || *endptr != '\0') {
254 return false;
255 }
256
257 *val = l;
258
259 return true;
260 }
261
262 static void get_data_blob_from_ldap_msg(TALLOC_CTX *mem_ctx,
263 struct ldapsam_privates *ldap_state,
264 LDAPMessage *entry, const char *attr,
265 DATA_BLOB *_blob)
266 {
267 char *dummy;
268 DATA_BLOB blob;
269
270 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, attr,
271 talloc_tos());
272 if (dummy == NULL) {
273 DEBUG(9, ("Attribute %s not present.\n", attr));
274 ZERO_STRUCTP(_blob);
275 } else {
276 blob = base64_decode_data_blob(dummy);
277 if (blob.length == 0) {
278 ZERO_STRUCTP(_blob);
279 } else {
280 _blob->length = blob.length;
281 _blob->data = talloc_steal(mem_ctx, blob.data);
282 }
283 }
284 TALLOC_FREE(dummy);
285 }
286
287 static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
288 struct ldapsam_privates *ldap_state,
289 LDAPMessage *entry,
290 struct pdb_trusted_domain **_td)
291 {
292 char *dummy;
293 bool res;
294 struct pdb_trusted_domain *td;
295
296 if (entry == NULL) {
297 return false;
298 }
299
300 td = talloc_zero(mem_ctx, struct pdb_trusted_domain);
301 if (td == NULL) {
302 return false;
303 }
304
305 /* All attributes are MAY */
306
307 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
308 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
309 talloc_tos());
310 if (dummy == NULL) {
311 DEBUG(9, ("Attribute %s not present.\n",
312 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER));
313 ZERO_STRUCT(td->security_identifier);
314 } else {
315 res = string_to_sid(&td->security_identifier, dummy);
316 TALLOC_FREE(dummy);
317 if (!res) {
318 return false;
319 }
320 }
321
322 get_data_blob_from_ldap_msg(td, ldap_state, entry,
323 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
324 &td->trust_auth_incoming);
325
326 get_data_blob_from_ldap_msg(td, ldap_state, entry,
327 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
328 &td->trust_auth_outgoing);
329
330 td->netbios_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
331 entry,
332 LDAP_ATTRIBUTE_FLAT_NAME,
333 td);
334 if (td->netbios_name == NULL) {
335 DEBUG(9, ("Attribute %s not present.\n",
336 LDAP_ATTRIBUTE_FLAT_NAME));
337 }
338
339 td->domain_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
340 entry,
341 LDAP_ATTRIBUTE_TRUST_PARTNER,
342 td);
343 if (td->domain_name == NULL) {
344 DEBUG(9, ("Attribute %s not present.\n",
345 LDAP_ATTRIBUTE_TRUST_PARTNER));
346 }
347
348 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
349 LDAP_ATTRIBUTE_TRUST_DIRECTION,
350 &td->trust_direction);
351 if (!res) {
352 return false;
353 }
354
355 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
356 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
357 &td->trust_attributes);
358 if (!res) {
359 return false;
360 }
361
362 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
363 LDAP_ATTRIBUTE_TRUST_TYPE,
364 &td->trust_type);
365 if (!res) {
366 return false;
367 }
368
369 td->trust_posix_offset = talloc(td, uint32_t);
370 if (td->trust_posix_offset == NULL) {
371 return false;
372 }
373 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
374 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
375 td->trust_posix_offset);
376 if (!res) {
377 return false;
378 }
379
380 td->supported_enc_type = talloc(td, uint32_t);
381 if (td->supported_enc_type == NULL) {
382 return false;
383 }
384 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
385 LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
386 td->supported_enc_type);
387 if (!res) {
388 return false;
389 }
390
391
392 get_data_blob_from_ldap_msg(td, ldap_state, entry,
393 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
394 &td->trust_forest_trust_info);
395
396 *_td = td;
397
398 return true;
399 }
400
401 static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
402 TALLOC_CTX *mem_ctx,
403 const char *domain,
404 struct pdb_trusted_domain **td)
405 {
406 struct ldapsam_privates *ldap_state =
407 (struct ldapsam_privates *)methods->private_data;
408 LDAPMessage *entry = NULL;
409
410 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain));
411
412 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
413 &entry)) {
414 return NT_STATUS_UNSUCCESSFUL;
415 }
416 if (entry == NULL) {
417 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
418 "%s\n", domain));
419 return NT_STATUS_NO_SUCH_DOMAIN;
420 }
421
422 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
423 return NT_STATUS_UNSUCCESSFUL;
424 }
425
426 return NT_STATUS_OK;
427 }
428
429 static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
430 TALLOC_CTX *mem_ctx,
431 struct dom_sid *sid,
432 struct pdb_trusted_domain **td)
433 {
434 struct ldapsam_privates *ldap_state =
435 (struct ldapsam_privates *)methods->private_data;
436 LDAPMessage *entry = NULL;
437 char *sid_str;
438
439 sid_str = sid_string_tos(sid);
440
441 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
442 sid_str));
443
444 if (!get_trusted_domain_by_sid_int(ldap_state, talloc_tos(), sid_str,
445 &entry)) {
446 return NT_STATUS_UNSUCCESSFUL;
447 }
448 if (entry == NULL) {
449 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
450 "with sid: %s\n", sid_str));
451 return NT_STATUS_NO_SUCH_DOMAIN;
452 }
453
454 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
455 return NT_STATUS_UNSUCCESSFUL;
456 }
457
458 return NT_STATUS_OK;
459 }
460
461 static bool smbldap_make_mod_uint32_t(LDAP *ldap_struct, LDAPMessage *entry,
462 LDAPMod ***mods, const char *attribute,
463 const uint32_t val)
464 {
465 char *dummy;
466
467 dummy = talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val);
468 if (dummy == NULL) {
469 return false;
470 }
471 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
472 TALLOC_FREE(dummy);
473
474 return true;
475 }
476
477 static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
478 const char* domain,
479 const struct pdb_trusted_domain *td)
480 {
481 struct ldapsam_privates *ldap_state =
482 (struct ldapsam_privates *)methods->private_data;
483 LDAPMessage *entry = NULL;
484 LDAPMod **mods;
485 bool res;
486 char *trusted_dn = NULL;
487 int ret;
488
489 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
490
491 res = get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
492 &entry);
493 if (!res) {
494 return NT_STATUS_UNSUCCESSFUL;
495 }
496
497 mods = NULL;
498 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
499 LDAP_OBJ_TRUSTED_DOMAIN);
500
501 if (td->netbios_name != NULL) {
502 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
503 LDAP_ATTRIBUTE_FLAT_NAME,
504 td->netbios_name);
505 }
506
507 if (td->domain_name != NULL) {
508 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
509 LDAP_ATTRIBUTE_TRUST_PARTNER,
510 td->domain_name);
511 }
512
513 if (!is_null_sid(&td->security_identifier)) {
514 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
515 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
516 sid_string_tos(&td->security_identifier));
517 }
518
519 if (td->trust_type != 0) {
520 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
521 &mods, LDAP_ATTRIBUTE_TRUST_TYPE,
522 td->trust_type);
523 if (!res) {
524 return NT_STATUS_UNSUCCESSFUL;
525 }
526 }
527
528 if (td->trust_attributes != 0) {
529 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
530 &mods,
531 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
532 td->trust_attributes);
533 if (!res) {
534 return NT_STATUS_UNSUCCESSFUL;
535 }
536 }
537
538 if (td->trust_direction != 0) {
539 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
540 &mods,
541 LDAP_ATTRIBUTE_TRUST_DIRECTION,
542 td->trust_direction);
543 if (!res) {
544 return NT_STATUS_UNSUCCESSFUL;
545 }
546 }
547
548 if (td->trust_posix_offset != NULL) {
549 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
550 &mods,
551 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
552 *td->trust_posix_offset);
553 if (!res) {
554 return NT_STATUS_UNSUCCESSFUL;
555 }
556 }
557
558 if (td->supported_enc_type != NULL) {
559 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
560 &mods,
561 LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
562 *td->supported_enc_type);
563 if (!res) {
564 return NT_STATUS_UNSUCCESSFUL;
565 }
566 }
567
568 if (td->trust_auth_outgoing.data != NULL) {
569 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
570 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
571 &td->trust_auth_outgoing);
572 }
573
574 if (td->trust_auth_incoming.data != NULL) {
575 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
576 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
577 &td->trust_auth_incoming);
578 }
579
580 if (td->trust_forest_trust_info.data != NULL) {
581 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
582 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
583 &td->trust_forest_trust_info);
584 }
585
586 talloc_autofree_ldapmod(talloc_tos(), mods);
587
588 trusted_dn = trusted_domain_dn(ldap_state, domain);
589 if (trusted_dn == NULL) {
590 return NT_STATUS_NO_MEMORY;
591 }
592 if (entry == NULL) {
593 ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
594 } else {
595 ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
596 }
597
598 if (ret != LDAP_SUCCESS) {
599 DEBUG(1, ("error writing trusted domain data!\n"));
600 return NT_STATUS_UNSUCCESSFUL;
601 }
602 return NT_STATUS_OK;
603 }
604
605 static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
606 const char *domain)
607 {
608 int ret;
609 struct ldapsam_privates *ldap_state =
610 (struct ldapsam_privates *)methods->private_data;
611 LDAPMessage *entry = NULL;
612 const char *dn;
613
614 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
615 &entry)) {
616 return NT_STATUS_UNSUCCESSFUL;
617 }
618
619 if (entry == NULL) {
620 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
621 "%s\n", domain));
622 return NT_STATUS_NO_SUCH_DOMAIN;
623 }
624
625 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
626 if (dn == NULL) {
627 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
628 return NT_STATUS_NO_MEMORY;
629 }
630
631 ret = smbldap_delete(ldap_state->smbldap_state, dn);
632 if (ret != LDAP_SUCCESS) {
633 return NT_STATUS_UNSUCCESSFUL;
634 }
635
636 return NT_STATUS_OK;
637 }
638
639 static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods,
640 TALLOC_CTX *mem_ctx,
641 uint32_t *num_domains,
642 struct pdb_trusted_domain ***domains)
643 {
644 int rc;
645 struct ldapsam_privates *ldap_state =
646 (struct ldapsam_privates *)methods->private_data;
647 char *base_dn = NULL;
648 char *filter = NULL;
649 int scope = LDAP_SCOPE_SUBTREE;
650 LDAPMessage *result = NULL;
651 LDAPMessage *entry = NULL;
652
653 filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
654 LDAP_OBJ_TRUSTED_DOMAIN);
655 if (filter == NULL) {
656 return NT_STATUS_NO_MEMORY;
657 }
658
659 base_dn = trusted_domain_base_dn(ldap_state);
660 if (base_dn == NULL) {
661 TALLOC_FREE(filter);
662 return NT_STATUS_NO_MEMORY;
663 }
664
665 rc = smbldap_search(ldap_state->smbldap_state, base_dn, scope, filter,
666 NULL, 0, &result);
667 TALLOC_FREE(filter);
668 TALLOC_FREE(base_dn);
669
670 if (result != NULL) {
671 talloc_autofree_ldapmsg(mem_ctx, result);
672 }
673
674 if (rc == LDAP_NO_SUCH_OBJECT) {
675 *num_domains = 0;
676 *domains = NULL;
677 return NT_STATUS_OK;
678 }
679
680 if (rc != LDAP_SUCCESS) {
681 return NT_STATUS_UNSUCCESSFUL;
682 }
683
684 *num_domains = 0;
685 if (!(*domains = talloc_array(mem_ctx, struct pdb_trusted_domain *, 1))) {
686 DEBUG(1, ("talloc failed\n"));
687 return NT_STATUS_NO_MEMORY;
688 }
689
690 for (entry = ldap_first_entry(priv2ld(ldap_state), result);
691 entry != NULL;
692 entry = ldap_next_entry(priv2ld(ldap_state), entry))
693 {
694 struct pdb_trusted_domain *dom_info;
695
696 if (!fill_pdb_trusted_domain(*domains, ldap_state, entry,
697 &dom_info)) {
698 return NT_STATUS_UNSUCCESSFUL;
699 }
700
701 ADD_TO_ARRAY(*domains, struct pdb_trusted_domain *, dom_info,
702 domains, num_domains);
703
704 if (*domains == NULL) {
705 DEBUG(1, ("talloc failed\n"));
706 return NT_STATUS_NO_MEMORY;
707 }
708 }
709
710 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains));
711 return NT_STATUS_OK;
712 }
713
714 static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
715 TALLOC_CTX *mem_ctx,
716 uint32_t *num_domains,
717 struct trustdom_info ***domains)
718 {
719 NTSTATUS status;
720 struct pdb_trusted_domain **td;
721 int i;
722
723 status = ipasam_enum_trusted_domains(methods, talloc_tos(),
724 num_domains, &td);
725 if (!NT_STATUS_IS_OK(status)) {
726 return status;
727 }
728
729 if (*num_domains == 0) {
730 return NT_STATUS_OK;
731 }
732
733 if (!(*domains = talloc_array(mem_ctx, struct trustdom_info *,
734 *num_domains))) {
735 DEBUG(1, ("talloc failed\n"));
736 return NT_STATUS_NO_MEMORY;
737 }
738
739 for (i = 0; i < *num_domains; i++) {
740 struct trustdom_info *dom_info;
741
742 dom_info = talloc(*domains, struct trustdom_info);
743 if (dom_info == NULL) {
744 DEBUG(1, ("talloc failed\n"));
745 return NT_STATUS_NO_MEMORY;
746 }
747
748 dom_info->name = talloc_steal(mem_ctx, td[i]->netbios_name);
749 sid_copy(&dom_info->sid, &td[i]->security_identifier);
750
751 (*domains)[i] = dom_info;
752 }
753
754 return NT_STATUS_OK;
755 }
756
757 static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
758 {
759 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
760 }
761
762 static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pdb_methods,
763 TALLOC_CTX *mem_ctx)
764 {
765 struct pdb_domain_info *info;
766 struct ldapsam_privates *ldap_state =
767 (struct ldapsam_privates *)pdb_methods->private_data;
768 char sid_buf[24];
769 DATA_BLOB sid_blob;
770 NTSTATUS status;
771
772 info = talloc(mem_ctx, struct pdb_domain_info);
773 if (info == NULL) {
774 return NULL;
775 }
776
777 info->name = talloc_strdup(info, ldap_state->domain_name);
778 if (info->name == NULL) {
779 goto fail;
780 }
781
782 /* TODO: read dns_domain, dns_forest and guid from LDAP */
783 info->dns_domain = talloc_strdup(info, lp_realm());
784 if (info->dns_domain == NULL) {
785 goto fail;
786 }
787 strlower_m(info->dns_domain);
788 info->dns_forest = talloc_strdup(info, info->dns_domain);
789
790 /* we expect a domain SID to have 4 sub IDs */
791 if (ldap_state->domain_sid.num_auths != 4) {
792 goto fail;
793 }
794
795 sid_copy(&info->sid, &ldap_state->domain_sid);
796
797 if (!sid_linearize(sid_buf, sizeof(sid_buf), &info->sid)) {
798 goto fail;
799 }
800
801 /* the first 8 bytes of the linearized SID are not random,
802 * so we skip them */
803 sid_blob.data = (uint8_t *) sid_buf + 8 ;
804 sid_blob.length = 16;
805
806 status = GUID_from_ndr_blob(&sid_blob, &info->guid);
807 if (!NT_STATUS_IS_OK(status)) {
808 goto fail;
809 }
810
811 return info;
812
813 fail:
814 TALLOC_FREE(info);
815 return NULL;
816 }
817
818 static NTSTATUS modify_ipa_password_exop(struct ldapsam_privates *ldap_state,
819 struct samu *sampass)
820 {
821 int ret;
822 BerElement *ber = NULL;
823 struct berval *bv = NULL;
824 char *retoid = NULL;
825 struct berval *retdata = NULL;
826 const char *password;
827 char *dn;
828
829 password = pdb_get_plaintext_passwd(sampass);
830 if (password == NULL || *password == '\0') {
831 return NT_STATUS_INVALID_PARAMETER;
832 }
833
834 dn = get_account_dn(pdb_get_username(sampass));
835 if (dn == NULL) {
836 return NT_STATUS_INVALID_PARAMETER;
837 }
838
839 ber = ber_alloc_t( LBER_USE_DER );
840 if (ber == NULL) {
841 DEBUG(7, ("ber_alloc_t failed.\n"));
842 return NT_STATUS_NO_MEMORY;
843 }
844
845 ret = ber_printf(ber, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, dn,
846 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, password);
847 if (ret == -1) {
848 DEBUG(7, ("ber_printf failed.\n"));
849 ber_free(ber, 1);
850 return NT_STATUS_UNSUCCESSFUL;
851 }
852
853 ret = ber_flatten(ber, &bv);
854 ber_free(ber, 1);
855 if (ret == -1) {
856 DEBUG(1, ("ber_flatten failed.\n"));
857 return NT_STATUS_UNSUCCESSFUL;
858 }
859
860 ret = smbldap_extended_operation(ldap_state->smbldap_state,
861 LDAP_EXOP_MODIFY_PASSWD, bv, NULL,
862 NULL, &retoid, &retdata);
863 ber_bvfree(bv);
864 if (retdata) {
865 ber_bvfree(retdata);
866 }
867 if (retoid) {
868 ldap_memfree(retoid);
869 }
870 if (ret != LDAP_SUCCESS) {
871 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
872 return NT_STATUS_UNSUCCESSFUL;
873 }
874
875 return NT_STATUS_OK;
876 }
877
878 static NTSTATUS ipasam_get_objectclasses(struct ldapsam_privates *ldap_state,
879 const char *dn, LDAPMessage *entry,
880 uint32_t *has_objectclass)
881 {
882 char **objectclasses;
883 size_t c;
884
885 objectclasses = ldap_get_values(priv2ld(ldap_state), entry,
886 LDAP_ATTRIBUTE_OBJECTCLASS);
887 if (objectclasses == NULL) {
888 DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn));
889 return NT_STATUS_INTERNAL_DB_CORRUPTION;
890 }
891
892 *has_objectclass = 0;
893 for (c = 0; objectclasses[c] != NULL; c++) {
894 if (strequal(objectclasses[c], LDAP_OBJ_KRB_PRINCIPAL)) {
895 *has_objectclass |= HAS_KRB_PRINCIPAL;
896 } else if (strequal(objectclasses[c],
897 LDAP_OBJ_KRB_PRINCIPAL_AUX)) {
898 *has_objectclass |= HAS_KRB_PRINCIPAL_AUX;
899 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAOBJECT)) {
900 *has_objectclass |= HAS_IPAOBJECT;
901 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAHOST)) {
902 *has_objectclass |= HAS_IPAHOST;
903 } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXACCOUNT)) {
904 *has_objectclass |= HAS_POSIXACCOUNT;
905 } else if (strequal(objectclasses[c], LDAP_OBJ_GROUPOFNAMES)) {
906 *has_objectclass |= HAS_GROUPOFNAMES;
907 } else if (strequal(objectclasses[c], LDAP_OBJ_NESTEDGROUP)) {
908 *has_objectclass |= HAS_NESTEDGROUP;
909 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAUSERGROUP)) {
910 *has_objectclass |= HAS_IPAUSERGROUP;
911 } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXGROUP)) {
912 *has_objectclass |= HAS_POSIXGROUP;
913 }
914 }
915 ldap_value_free(objectclasses);
916
917 return NT_STATUS_OK;
918 }
919
920 enum obj_type {
921 IPA_NO_OBJ = 0,
922 IPA_USER_OBJ,
923 IPA_GROUP_OBJ
924 };
925
926 static NTSTATUS find_obj(struct ldapsam_privates *ldap_state, const char *name,
927 enum obj_type type, char **_dn,
928 uint32_t *_has_objectclass)
929 {
930 int ret;
931 char *username;
932 char *filter;
933 LDAPMessage *result = NULL;
934 LDAPMessage *entry = NULL;
935 int num_result;
936 char *dn;
937 uint32_t has_objectclass;
938 NTSTATUS status;
939 const char *obj_class = NULL;
940
941 switch (type) {
942 case IPA_USER_OBJ:
943 obj_class = LDAP_OBJ_POSIXACCOUNT;
944 break;
945 case IPA_GROUP_OBJ:
946 obj_class = LDAP_OBJ_POSIXGROUP;
947 break;
948 default:
949 DEBUG(0, ("Unsupported IPA object.\n"));
950 return NT_STATUS_INVALID_PARAMETER;
951 }
952
953 username = escape_ldap_string(talloc_tos(), name);
954 if (username == NULL) {
955 return NT_STATUS_NO_MEMORY;
956 }
957 filter = talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
958 username, obj_class);
959 if (filter == NULL) {
960 return NT_STATUS_NO_MEMORY;
961 }
962 TALLOC_FREE(username);
963
964 ret = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL,
965 &result);
966 if (ret != LDAP_SUCCESS) {
967 DEBUG(0, ("smbldap_search_suffix failed.\n"));
968 return NT_STATUS_ACCESS_DENIED;
969 }
970
971 num_result = ldap_count_entries(priv2ld(ldap_state), result);
972
973 if (num_result != 1) {
974 if (num_result == 0) {
975 switch (type) {
976 case IPA_USER_OBJ:
977 status = NT_STATUS_NO_SUCH_USER;
978 break;
979 case IPA_GROUP_OBJ:
980 status = NT_STATUS_NO_SUCH_GROUP;
981 break;
982 default:
983 status = NT_STATUS_INVALID_PARAMETER;
984 }
985 } else {
986 DEBUG (0, ("find_user: More than one object with name [%s] ?!\n",
987 name));
988 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
989 }
990 goto done;
991 }
992
993 entry = ldap_first_entry(priv2ld(ldap_state), result);
994 if (!entry) {
995 DEBUG(0,("find_user: Out of memory!\n"));
996 status = NT_STATUS_UNSUCCESSFUL;
997 goto done;
998 }
999
1000 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
1001 if (!dn) {
1002 DEBUG(0,("find_user: Out of memory!\n"));
1003 status = NT_STATUS_NO_MEMORY;
1004 goto done;
1005 }
1006
1007 status = ipasam_get_objectclasses(ldap_state, dn, entry, &has_objectclass);
1008 if (!NT_STATUS_IS_OK(status)) {
1009 goto done;
1010 }
1011
1012 *_dn = dn;
1013 *_has_objectclass = has_objectclass;
1014
1015 status = NT_STATUS_OK;
1016
1017 done:
1018 ldap_msgfree(result);
1019
1020 return status;
1021 }
1022
1023 static NTSTATUS find_user(struct ldapsam_privates *ldap_state, const char *name,
1024 char **_dn, uint32_t *_has_objectclass)
1025 {
1026 return find_obj(ldap_state, name, IPA_USER_OBJ, _dn, _has_objectclass);
1027 }
1028
1029 static NTSTATUS find_group(struct ldapsam_privates *ldap_state, const char *name,
1030 char **_dn, uint32_t *_has_objectclass)
1031 {
1032 return find_obj(ldap_state, name, IPA_GROUP_OBJ, _dn, _has_objectclass);
1033 }
1034
1035 static NTSTATUS ipasam_add_posix_account_objectclass(struct ldapsam_privates *ldap_state,
1036 int ldap_op,
1037 const char *dn,
1038 const char *username)
1039 {
1040 int ret;
1041 LDAPMod **mods = NULL;
1042
1043 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1044 "objectclass", "posixAccount");
1045 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1046 "cn", username);
1047 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1048 "uidNumber", IPA_MAGIC_ID_STR);
1049 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1050 "gidNumber", "12345");
1051 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1052 "homeDirectory", "/dev/null");
1053
1054 if (ldap_op == LDAP_MOD_ADD) {
1055 ret = smbldap_add(ldap_state->smbldap_state, dn, mods);
1056 } else {
1057 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1058 }
1059 ldap_mods_free(mods, 1);
1060 if (ret != LDAP_SUCCESS) {
1061 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1062 username, dn));
1063 return NT_STATUS_LDAP(ret);
1064 }
1065
1066 return NT_STATUS_OK;
1067 }
1068
1069 static NTSTATUS ipasam_add_ipa_group_objectclasses(struct ldapsam_privates *ldap_state,
1070 const char *dn,
1071 const char *name,
1072 uint32_t has_objectclass)
1073 {
1074 LDAPMod **mods = NULL;
1075 int ret;
1076
1077 if (!(has_objectclass & HAS_GROUPOFNAMES)) {
1078 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1079 LDAP_ATTRIBUTE_OBJECTCLASS,
1080 LDAP_OBJ_GROUPOFNAMES);
1081 }
1082
1083 if (!(has_objectclass & HAS_NESTEDGROUP)) {
1084 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1085 LDAP_ATTRIBUTE_OBJECTCLASS,
1086 LDAP_OBJ_NESTEDGROUP);
1087 }
1088
1089 if (!(has_objectclass & HAS_IPAUSERGROUP)) {
1090 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1091 LDAP_ATTRIBUTE_OBJECTCLASS,
1092 LDAP_OBJ_IPAUSERGROUP);
1093 }
1094
1095 if (!(has_objectclass & HAS_IPAOBJECT)) {
1096 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1097 LDAP_ATTRIBUTE_OBJECTCLASS,
1098 LDAP_OBJ_IPAOBJECT);
1099 }
1100
1101 if (!(has_objectclass & HAS_POSIXGROUP)) {
1102 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1103 LDAP_ATTRIBUTE_OBJECTCLASS,
1104 LDAP_OBJ_POSIXGROUP);
1105 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1106 LDAP_ATTRIBUTE_CN,
1107 name);
1108 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1109 LDAP_ATTRIBUTE_GIDNUMBER,
1110 IPA_MAGIC_ID_STR);
1111 }
1112
1113 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1114 ldap_mods_free(mods, 1);
1115 if (ret != LDAP_SUCCESS) {
1116 DEBUG(1, ("failed to modify/add group %s (dn = %s)\n",
1117 name, dn));
1118 return NT_STATUS_LDAP(ret);
1119 }
1120
1121 return NT_STATUS_OK;
1122 }
1123
1124 static NTSTATUS ipasam_add_ipa_objectclasses(struct ldapsam_privates *ldap_state,
1125 const char *dn, const char *name,
1126 const char *domain,
1127 uint32_t acct_flags,
1128 uint32_t has_objectclass)
1129 {
1130 LDAPMod **mods = NULL;
1131 int ret;
1132 char *princ;
1133
1134 if (!(has_objectclass & HAS_KRB_PRINCIPAL)) {
1135 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1136 LDAP_ATTRIBUTE_OBJECTCLASS,
1137 LDAP_OBJ_KRB_PRINCIPAL);
1138
1139 princ = talloc_asprintf(talloc_tos(), "%s@%s", name, lp_realm());
1140 if (princ == NULL) {
1141 return NT_STATUS_NO_MEMORY;
1142 }
1143
1144 smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
1145 }
1146
1147 if (!(has_objectclass & HAS_KRB_PRINCIPAL_AUX)) {
1148 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1149 LDAP_ATTRIBUTE_OBJECTCLASS,
1150 LDAP_OBJ_KRB_PRINCIPAL_AUX);
1151 }
1152
1153 if (!(has_objectclass & HAS_IPAOBJECT)) {
1154 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1155 LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_IPAOBJECT);
1156 }
1157
1158 if ((acct_flags != 0) &&
1159 (((acct_flags & ACB_NORMAL) && name[strlen(name)-1] == '$') ||
1160 ((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))) {
1161
1162 if (!(has_objectclass & HAS_IPAHOST)) {
1163 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1164 LDAP_ATTRIBUTE_OBJECTCLASS,
1165 LDAP_OBJ_IPAHOST);
1166
1167 if (domain == NULL) {
1168 return NT_STATUS_INVALID_PARAMETER;
1169 }
1170
1171 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1172 "fqdn", domain);
1173 }
1174 }
1175
1176 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1177 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1178 "objectclass", "posixAccount");
1179 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1180 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1181 "uidNumber", IPA_MAGIC_ID_STR);
1182 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1183 "gidNumber", "12345");
1184 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1185 "homeDirectory", "/dev/null");
1186 }
1187
1188 if (mods != NULL) {
1189 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1190 ldap_mods_free(mods, 1);
1191 if (ret != LDAP_SUCCESS) {
1192 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1193 name, dn));
1194 return NT_STATUS_LDAP(ret);
1195 }
1196 }
1197
1198 return NT_STATUS_OK;
1199 }
1200
1201 static NTSTATUS pdb_ipasam_add_sam_account(struct pdb_methods *pdb_methods,
1202 struct samu *sampass)
1203 {
1204 NTSTATUS status;
1205 struct ldapsam_privates *ldap_state;
1206 const char *name;
1207 char *dn;
1208 uint32_t has_objectclass;
1209 uint32_t rid;
1210 struct dom_sid user_sid;
1211
1212 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1213
1214 if (IS_SAM_SET(sampass, PDB_USERSID) ||
1215 IS_SAM_CHANGED(sampass, PDB_USERSID)) {
1216 if (!pdb_new_rid(&rid)) {
1217 return NT_STATUS_DS_NO_MORE_RIDS;
1218 }
1219 sid_compose(&user_sid, get_global_sam_sid(), rid);
1220 if (!pdb_set_user_sid(sampass, &user_sid, PDB_SET)) {
1221 return NT_STATUS_UNSUCCESSFUL;
1222 }
1223 }
1224
1225 status = ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
1226 sampass);
1227 if (!NT_STATUS_IS_OK(status)) {
1228 return status;
1229 }
1230
1231 if (ldap_state->ipasam_privates->server_is_ipa) {
1232 name = pdb_get_username(sampass);
1233 if (name == NULL || *name == '\0') {
1234 return NT_STATUS_INVALID_PARAMETER;
1235 }
1236
1237 status = find_user(ldap_state, name, &dn, &has_objectclass);
1238 if (!NT_STATUS_IS_OK(status)) {
1239 return status;
1240 }
1241
1242 status = ipasam_add_ipa_objectclasses(ldap_state, dn, name,
1243 pdb_get_domain(sampass),
1244 pdb_get_acct_ctrl(sampass),
1245 has_objectclass);
1246 if (!NT_STATUS_IS_OK(status)) {
1247 return status;
1248 }
1249
1250 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1251 status = ipasam_add_posix_account_objectclass(ldap_state,
1252 LDAP_MOD_REPLACE,
1253 dn, name);
1254 if (!NT_STATUS_IS_OK(status)) {
1255 return status;
1256 }
1257 }
1258
1259 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
1260 status = modify_ipa_password_exop(ldap_state, sampass);
1261 if (!NT_STATUS_IS_OK(status)) {
1262 return status;
1263 }
1264 }
1265 }
1266
1267 return NT_STATUS_OK;
1268 }
1269
1270 static NTSTATUS pdb_ipasam_update_sam_account(struct pdb_methods *pdb_methods,
1271 struct samu *sampass)
1272 {
1273 NTSTATUS status;
1274 struct ldapsam_privates *ldap_state;
1275 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1276
1277 status = ldap_state->ipasam_privates->ldapsam_update_sam_account(pdb_methods,
1278 sampass);
1279 if (!NT_STATUS_IS_OK(status)) {
1280 return status;
1281 }
1282
1283 if (ldap_state->ipasam_privates->server_is_ipa) {
1284 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
1285 status = modify_ipa_password_exop(ldap_state, sampass);
1286 if (!NT_STATUS_IS_OK(status)) {
1287 return status;
1288 }
1289 }
1290 }
1291
1292 return NT_STATUS_OK;
1293 }
1294
1295 static NTSTATUS ipasam_create_dom_group(struct pdb_methods *pdb_methods,
1296 TALLOC_CTX *tmp_ctx, const char *name,
1297 uint32_t *rid)
1298 {
1299 NTSTATUS status;
1300 struct ldapsam_privates *ldap_state;
1301 int ldap_op = LDAP_MOD_REPLACE;
1302 char *dn;
1303 uint32_t has_objectclass = 0;
1304
1305 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1306
1307 if (name == NULL || *name == '\0') {
1308 return NT_STATUS_INVALID_PARAMETER;
1309 }
1310
1311 status = find_group(ldap_state, name, &dn, &has_objectclass);
1312 if (NT_STATUS_IS_OK(status)) {
1313 ldap_op = LDAP_MOD_REPLACE;
1314 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1315 ldap_op = LDAP_MOD_ADD;
1316 } else {
1317 return status;
1318 }
1319
1320 if (!(has_objectclass & HAS_POSIXGROUP)) {
1321 status = ipasam_add_ipa_group_objectclasses(ldap_state, dn,
1322 name,
1323 has_objectclass);
1324 if (!NT_STATUS_IS_OK(status)) {
1325 return status;
1326 }
1327 }
1328
1329 status = ldap_state->ipasam_privates->ldapsam_create_dom_group(pdb_methods,
1330 tmp_ctx,
1331 name,
1332 rid);
1333 if (!NT_STATUS_IS_OK(status)) {
1334 return status;
1335 }
1336
1337 return NT_STATUS_OK;
1338 }
1339 static NTSTATUS ipasam_create_user(struct pdb_methods *pdb_methods,
1340 TALLOC_CTX *tmp_ctx, const char *name,
1341 uint32_t acb_info, uint32_t *rid)
1342 {
1343 NTSTATUS status;
1344 struct ldapsam_privates *ldap_state;
1345 int ldap_op = LDAP_MOD_REPLACE;
1346 char *dn;
1347 uint32_t has_objectclass = 0;
1348
1349 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1350
1351 if (name == NULL || *name == '\0') {
1352 return NT_STATUS_INVALID_PARAMETER;
1353 }
1354
1355 status = find_user(ldap_state, name, &dn, &has_objectclass);
1356 if (NT_STATUS_IS_OK(status)) {
1357 ldap_op = LDAP_MOD_REPLACE;
1358 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1359 char *escape_username;
1360 ldap_op = LDAP_MOD_ADD;
1361 escape_username = escape_rdn_val_string_alloc(name);
1362 if (!escape_username) {
1363 return NT_STATUS_NO_MEMORY;
1364 }
1365 if (name[strlen(name)-1] == '$') {
1366 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
1367 escape_username,
1368 lp_ldap_machine_suffix());
1369 } else {
1370 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
1371 escape_username,
1372 lp_ldap_user_suffix());
1373 }
1374 SAFE_FREE(escape_username);
1375 if (!dn) {
1376 return NT_STATUS_NO_MEMORY;
1377 }
1378 } else {
1379 return status;
1380 }
1381
1382 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1383 status = ipasam_add_posix_account_objectclass(ldap_state, ldap_op,
1384 dn, name);
1385 if (!NT_STATUS_IS_OK(status)) {
1386 return status;
1387 }
1388 has_objectclass |= HAS_POSIXACCOUNT;
1389 }
1390
1391 status = ldap_state->ipasam_privates->ldapsam_create_user(pdb_methods,
1392 tmp_ctx, name,
1393 acb_info, rid);
1394 if (!NT_STATUS_IS_OK(status)) {
1395 return status;
1396 }
1397
1398 status = ipasam_add_ipa_objectclasses(ldap_state, dn, name, lp_realm(),
1399 acb_info, has_objectclass);
1400 if (!NT_STATUS_IS_OK(status)) {
1401 return status;
1402 }
1403
1404 return NT_STATUS_OK;
1405 }
1406
1407 static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location)
1408 {
1409 struct ldapsam_privates *ldap_state;
1410 NTSTATUS status;
1411
1412 status = pdb_init_ldapsam(pdb_method, location);
1413 if (!NT_STATUS_IS_OK(status)) {
1414 return status;
1415 }
1416
1417 (*pdb_method)->name = "IPA_ldapsam";
1418
1419 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
1420 ldap_state->ipasam_privates = talloc_zero(ldap_state,
1421 struct ipasam_privates);
1422 if (ldap_state->ipasam_privates == NULL) {
1423 return NT_STATUS_NO_MEMORY;
1424 }
1425 ldap_state->is_ipa_ldap = True;
1426
1427 ldap_state->ipasam_privates->server_is_ipa = smbldap_has_extension(
1428 priv2ld(ldap_state), IPA_KEYTAB_SET_OID);
1429 ldap_state->ipasam_privates->ldapsam_add_sam_account = (*pdb_method)->add_sam_account;
1430 ldap_state->ipasam_privates->ldapsam_update_sam_account = (*pdb_method)->update_sam_account;
1431 ldap_state->ipasam_privates->ldapsam_create_user = (*pdb_method)->create_user;
1432 ldap_state->ipasam_privates->ldapsam_create_dom_group = (*pdb_method)->create_dom_group;
1433
1434 (*pdb_method)->add_sam_account = pdb_ipasam_add_sam_account;
1435 (*pdb_method)->update_sam_account = pdb_ipasam_update_sam_account;
1436
1437 if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
1438 if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
1439 (*pdb_method)->create_user = ipasam_create_user;
1440 (*pdb_method)->create_dom_group = ipasam_create_dom_group;
1441 }
1442 }
1443
1444 (*pdb_method)->capabilities = pdb_ipasam_capabilities;
1445 (*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
1446
1447 (*pdb_method)->get_trusteddom_pw = ipasam_get_trusteddom_pw;
1448 (*pdb_method)->set_trusteddom_pw = ipasam_set_trusteddom_pw;
1449 (*pdb_method)->del_trusteddom_pw = ipasam_del_trusteddom_pw;
1450 (*pdb_method)->enum_trusteddoms = ipasam_enum_trusteddoms;
1451
1452 (*pdb_method)->get_trusted_domain = ipasam_get_trusted_domain;
1453 (*pdb_method)->get_trusted_domain_by_sid = ipasam_get_trusted_domain_by_sid;
1454 (*pdb_method)->set_trusted_domain = ipasam_set_trusted_domain;
1455 (*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain;
1456 (*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains;
1457
1458 return NT_STATUS_OK;
1459 }
1460
1461 NTSTATUS pdb_ipa_init(void)
1462 {
1463 NTSTATUS nt_status;
1464
1465 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "IPA_ldapsam", pdb_init_IPA_ldapsam)))
1466 return nt_status;
1467
1468 return NT_STATUS_OK;
1469 }
Samba GIT mirror