search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:torture: Initialize param arrays
[Samba.git] / source3 / passdb / pdb_interface.c
blobd3648f155edccadf7fd2fb7ea142edcb01f47899
1 /*
2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Jelmer Vernooij 2002
6 Copyright (C) Simo Sorce 2003
7 Copyright (C) Volker Lendecke 2006
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/passwd.h"
25 #include "passdb.h"
26 #include "secrets.h"
27 #include "messages.h"
28 #include "serverid.h"
29 #include "../librpc/gen_ndr/samr.h"
30 #include "../librpc/gen_ndr/drsblobs.h"
31 #include "../librpc/gen_ndr/ndr_drsblobs.h"
32 #include "../librpc/gen_ndr/idmap.h"
33 #include "../lib/util/memcache.h"
34 #include "nsswitch/winbind_client.h"
35 #include "../libcli/security/security.h"
36 #include "../lib/util/util_pw.h"
37 #include "passdb/pdb_secrets.h"
38 #include "lib/util_sid_passdb.h"
39 #include "idmap_cache.h"
40 #include "lib/util/string_wrappers.h"
41 #include "lib/global_contexts.h"
42
43 #undef DBGC_CLASS
44 #define DBGC_CLASS DBGC_PASSDB
45
46 static_decl_pdb;
47
48 static struct pdb_init_function_entry *backends = NULL;
49
50 static void lazy_initialize_passdb(void)
51 {
52 static bool initialized = False;
53 if(initialized) {
54 return;
55 }
56 static_init_pdb(NULL);
57 initialized = True;
58 }
59
60 static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
61 const char **name,
62 enum lsa_SidType *psid_name_use,
63 uid_t *uid, gid_t *gid);
64
65 NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
66 {
67 struct pdb_init_function_entry *entry = NULL;
68
69 if(version != PASSDB_INTERFACE_VERSION) {
70 DEBUG(0,("Can't register passdb backend!\n"
71 "You tried to register a passdb module with PASSDB_INTERFACE_VERSION %d, "
72 "while this version of samba uses version %d\n",
73 version,PASSDB_INTERFACE_VERSION));
74 return NT_STATUS_OBJECT_TYPE_MISMATCH;
75 }
76
77 if (!name || !init) {
78 return NT_STATUS_INVALID_PARAMETER;
79 }
80
81 DEBUG(5,("Attempting to register passdb backend %s\n", name));
82
83 /* Check for duplicates */
84 if (pdb_find_backend_entry(name)) {
85 DEBUG(0,("There already is a passdb backend registered with the name %s!\n", name));
86 return NT_STATUS_OBJECT_NAME_COLLISION;
87 }
88
89 entry = SMB_XMALLOC_P(struct pdb_init_function_entry);
90 entry->name = smb_xstrdup(name);
91 entry->init = init;
92
93 DLIST_ADD(backends, entry);
94 DEBUG(5,("Successfully added passdb backend '%s'\n", name));
95 return NT_STATUS_OK;
96 }
97
98 struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
99 {
100 struct pdb_init_function_entry *entry = backends;
101
102 while(entry) {
103 if (strcmp(entry->name, name)==0) return entry;
104 entry = entry->next;
105 }
106
107 return NULL;
108 }
109
110 const struct pdb_init_function_entry *pdb_get_backends(void)
111 {
112 return backends;
113 }
114
115
116 /*
117 * The event context for the passdb backend. I know this is a bad hack and yet
118 * another static variable, but our pdb API is a global thing per
119 * definition. The first use for this is the LDAP idle function, more might be
120 * added later.
121 *
122 * I don't feel too bad about this static variable, it replaces the
123 * smb_idle_event_list that used to exist in lib/module.c. -- VL
124 */
125
126 static struct tevent_context *pdb_tevent_ctx;
127
128 struct tevent_context *pdb_get_tevent_context(void)
129 {
130 return pdb_tevent_ctx;
131 }
132
133 /******************************************************************
134 Make a pdb_methods from scratch
135 *******************************************************************/
136
137 NTSTATUS make_pdb_method_name(struct pdb_methods **methods, const char *selected)
138 {
139 char *module_name = smb_xstrdup(selected);
140 char *module_location = NULL, *p;
141 struct pdb_init_function_entry *entry;
142 NTSTATUS nt_status;
143
144 lazy_initialize_passdb();
145
146 p = strchr(module_name, ':');
147
148 if (p) {
149 *p = 0;
150 module_location = p+1;
151 trim_char(module_location, ' ', ' ');
152 }
153
154 trim_char(module_name, ' ', ' ');
155
156
157 DEBUG(5,("Attempting to find a passdb backend to match %s (%s)\n", selected, module_name));
158
159 entry = pdb_find_backend_entry(module_name);
160
161 /* Try to find a module that contains this module */
162 if (!entry) {
163 DEBUG(2,("No builtin backend found, trying to load plugin\n"));
164 if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) {
165 DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name));
166 SAFE_FREE(module_name);
167 return NT_STATUS_UNSUCCESSFUL;
168 }
169 }
170
171 /* No such backend found */
172 if(!entry) {
173 DEBUG(0,("No builtin nor plugin backend for %s found\n", module_name));
174 SAFE_FREE(module_name);
175 return NT_STATUS_INVALID_PARAMETER;
176 }
177
178 DEBUG(5,("Found pdb backend %s\n", module_name));
179
180 nt_status = entry->init(methods, module_location);
181 if (!NT_STATUS_IS_OK(nt_status)) {
182 DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n",
183 selected, nt_errstr(nt_status)));
184 SAFE_FREE(module_name);
185 return nt_status;
186 }
187
188 SAFE_FREE(module_name);
189
190 DEBUG(5,("pdb backend %s has a valid init\n", selected));
191
192 return nt_status;
193 }
194
195 /******************************************************************
196 Return an already initialized pdb_methods structure
197 *******************************************************************/
198
199 static struct pdb_methods *pdb_get_methods_reload( bool reload )
200 {
201 static struct pdb_methods *pdb = NULL;
202 const char *backend = lp_passdb_backend();
203 NTSTATUS status = NT_STATUS_OK;
204
205 if ( pdb && reload ) {
206 if (pdb->free_private_data != NULL) {
207 pdb->free_private_data( &(pdb->private_data) );
208 }
209 status = make_pdb_method_name(&pdb, backend);
210 }
211
212 if ( !pdb ) {
213 status = make_pdb_method_name(&pdb, backend);
214 }
215
216 if (!NT_STATUS_IS_OK(status)) {
217 return NULL;
218 }
219
220 return pdb;
221 }
222
223 static struct pdb_methods *pdb_get_methods(void)
224 {
225 struct pdb_methods *pdb;
226
227 pdb = pdb_get_methods_reload(false);
228 if (!pdb) {
229 char *msg = NULL;
230 if (asprintf(&msg, "pdb_get_methods: "
231 "failed to get pdb methods for backend %s\n",
232 lp_passdb_backend()) > 0) {
233 smb_panic(msg);
234 } else {
235 smb_panic("pdb_get_methods");
236 }
237 }
238
239 return pdb;
240 }
241
242 struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX *mem_ctx)
243 {
244 struct pdb_methods *pdb = pdb_get_methods();
245 return pdb->get_domain_info(pdb, mem_ctx);
246 }
247
248 /**
249 * @brief Check if the user account has been locked out and try to unlock it.
250 *
251 * If the user has been automatically locked out and a lockout duration is set,
252 * then check if we can unlock the account and reset the bad password values.
253 *
254 * @param[in] sampass The sam user to check.
255 *
256 * @return True if the function was successful, false on an error.
257 */
258 static bool pdb_try_account_unlock(struct samu *sampass)
259 {
260 uint32_t acb_info = pdb_get_acct_ctrl(sampass);
261
262 if ((acb_info & ACB_NORMAL) && (acb_info & ACB_AUTOLOCK)) {
263 uint32_t lockout_duration;
264 time_t bad_password_time;
265 time_t now = time(NULL);
266 bool ok;
267
268 ok = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
269 &lockout_duration);
270 if (!ok) {
271 DEBUG(0, ("pdb_try_account_unlock: "
272 "pdb_get_account_policy failed.\n"));
273 return false;
274 }
275
276 if (lockout_duration == (uint32_t) -1 ||
277 lockout_duration == 0) {
278 DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
279 "can't reset autolock\n"));
280 return false;
281 }
282 lockout_duration *= 60;
283
284 bad_password_time = pdb_get_bad_password_time(sampass);
285 if (bad_password_time == (time_t) 0) {
286 DEBUG(2, ("pdb_try_account_unlock: Account %s "
287 "administratively locked out "
288 "with no bad password "
289 "time. Leaving locked out.\n",
290 pdb_get_username(sampass)));
291 return true;
292 }
293
294 if ((bad_password_time +
295 convert_uint32_t_to_time_t(lockout_duration)) < now) {
296 NTSTATUS status;
297
298 pdb_set_acct_ctrl(sampass, acb_info & ~ACB_AUTOLOCK,
299 PDB_CHANGED);
300 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
301 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
302
303 become_root();
304 status = pdb_update_sam_account(sampass);
305 unbecome_root();
306 if (!NT_STATUS_IS_OK(status)) {
307 DEBUG(0, ("_samr_OpenUser: Couldn't "
308 "update account %s - %s\n",
309 pdb_get_username(sampass),
310 nt_errstr(status)));
311 return false;
312 }
313 }
314 }
315
316 return true;
317 }
318
319 /**
320 * @brief Get a sam user structure by the given username.
321 *
322 * This functions also checks if the account has been automatically locked out
323 * and unlocks it if a lockout duration time has been defined and the time has
324 * elapsed.
325 *
326 * @param[in] sam_acct The sam user structure to fill.
327 *
328 * @param[in] username The username to look for.
329 *
330 * @return True on success, false on error.
331 */
332 bool pdb_getsampwnam(struct samu *sam_acct, const char *username)
333 {
334 struct pdb_methods *pdb = pdb_get_methods();
335 struct samu *for_cache;
336 const struct dom_sid *user_sid;
337 NTSTATUS status;
338 bool ok;
339
340 status = pdb->getsampwnam(pdb, sam_acct, username);
341 if (!NT_STATUS_IS_OK(status)) {
342 return false;
343 }
344
345 ok = pdb_try_account_unlock(sam_acct);
346 if (!ok) {
347 DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
348 username));
349 }
350
351 for_cache = samu_new(NULL);
352 if (for_cache == NULL) {
353 return False;
354 }
355
356 if (!pdb_copy_sam_account(for_cache, sam_acct)) {
357 TALLOC_FREE(for_cache);
358 return False;
359 }
360
361 user_sid = pdb_get_user_sid(for_cache);
362
363 ok = memcache_add_talloc(NULL,
364 PDB_GETPWSID_CACHE,
365 data_blob_const(user_sid, sizeof(*user_sid)),
366 &for_cache);
367 if (!ok) {
368 TALLOC_FREE(for_cache);
369 }
370
371 return True;
372 }
373
374 /**********************************************************************
375 **********************************************************************/
376
377 static bool guest_user_info( struct samu *user )
378 {
379 struct passwd *pwd;
380 NTSTATUS result;
381 const char *guestname = lp_guest_account();
382
383 pwd = Get_Pwnam_alloc(talloc_tos(), guestname);
384 if (pwd == NULL) {
385 DEBUG(0,("guest_user_info: Unable to locate guest account [%s]!\n",
386 guestname));
387 return False;
388 }
389
390 result = samu_set_unix(user, pwd );
391
392 TALLOC_FREE( pwd );
393
394 return NT_STATUS_IS_OK( result );
395 }
396
397 /**
398 * @brief Get a sam user structure by the given username.
399 *
400 * This functions also checks if the account has been automatically locked out
401 * and unlocks it if a lockout duration time has been defined and the time has
402 * elapsed.
403 *
404 *
405 * @param[in] sam_acct The sam user structure to fill.
406 *
407 * @param[in] sid The user SDI to look up.
408 *
409 * @return True on success, false on error.
410 */
411 bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
412 {
413 struct pdb_methods *pdb = pdb_get_methods();
414 uint32_t rid;
415 void *cache_data;
416 bool ok = false;
417
418 /* hard code the Guest RID of 501 */
419
420 if ( !sid_peek_check_rid( get_global_sam_sid(), sid, &rid ) )
421 return False;
422
423 if ( rid == DOMAIN_RID_GUEST ) {
424 DEBUG(6,("pdb_getsampwsid: Building guest account\n"));
425 return guest_user_info( sam_acct );
426 }
427
428 /* check the cache first */
429
430 cache_data = memcache_lookup_talloc(
431 NULL, PDB_GETPWSID_CACHE, data_blob_const(sid, sizeof(*sid)));
432
433 if (cache_data != NULL) {
434 struct samu *cache_copy = talloc_get_type_abort(
435 cache_data, struct samu);
436
437 ok = pdb_copy_sam_account(sam_acct, cache_copy);
438 } else {
439 ok = NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
440 }
441
442 if (!ok) {
443 return false;
444 }
445
446 ok = pdb_try_account_unlock(sam_acct);
447 if (!ok) {
448 DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
449 sam_acct->username));
450 }
451
452 return true;
453 }
454
455 static NTSTATUS pdb_default_create_user(struct pdb_methods *methods,
456 TALLOC_CTX *tmp_ctx, const char *name,
457 uint32_t acb_info, uint32_t *rid)
458 {
459 const struct loadparm_substitution *lp_sub =
460 loadparm_s3_global_substitution();
461 struct samu *sam_pass;
462 NTSTATUS status;
463 struct passwd *pwd;
464
465 if ((sam_pass = samu_new(tmp_ctx)) == NULL) {
466 return NT_STATUS_NO_MEMORY;
467 }
468
469 if ( !(pwd = Get_Pwnam_alloc(tmp_ctx, name)) ) {
470 char *add_script = NULL;
471 int add_ret;
472 fstring name2;
473
474 if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] != '$') {
475 add_script = lp_add_user_script(tmp_ctx, lp_sub);
476 } else {
477 add_script = lp_add_machine_script(tmp_ctx, lp_sub);
478 }
479
480 if (!add_script || add_script[0] == '\0') {
481 DEBUG(3, ("Could not find user %s and no add script "
482 "defined\n", name));
483 return NT_STATUS_NO_SUCH_USER;
484 }
485
486 /* lowercase the username before creating the Unix account for
487 compatibility with previous Samba releases */
488 fstrcpy( name2, name );
489 if (!strlower_m( name2 )) {
490 return NT_STATUS_INVALID_PARAMETER;
491 }
492 add_script = talloc_all_string_sub(tmp_ctx,
493 add_script,
494 "%u",
495 name2);
496 if (!add_script) {
497 return NT_STATUS_NO_MEMORY;
498 }
499 add_ret = smbrun(add_script, NULL, NULL);
500 DEBUG(add_ret ? 0 : 3, ("_samr_create_user: Running the command `%s' gave %d\n",
501 add_script, add_ret));
502 if (add_ret == 0) {
503 smb_nscd_flush_user_cache();
504 }
505
506 flush_pwnam_cache();
507
508 pwd = Get_Pwnam_alloc(tmp_ctx, name);
509
510 if(pwd == NULL) {
511 DEBUG(3, ("Could not find user %s, add script did not work\n", name));
512 return NT_STATUS_NO_SUCH_USER;
513 }
514 }
515
516 /* we have a valid SID coming out of this call */
517
518 status = samu_alloc_rid_unix(methods, sam_pass, pwd);
519
520 TALLOC_FREE( pwd );
521
522 if (!NT_STATUS_IS_OK(status)) {
523 DEBUG(3, ("pdb_default_create_user: failed to create a new user structure: %s\n", nt_errstr(status)));
524 return status;
525 }
526
527 if (!sid_peek_check_rid(get_global_sam_sid(),
528 pdb_get_user_sid(sam_pass), rid)) {
529 DEBUG(0, ("Could not get RID of fresh user\n"));
530 return NT_STATUS_INTERNAL_ERROR;
531 }
532
533 /* Use the username case specified in the original request */
534
535 pdb_set_username( sam_pass, name, PDB_SET );
536
537 /* Disable the account on creation, it does not have a reasonable password yet. */
538
539 acb_info |= ACB_DISABLED;
540
541 pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
542
543 status = methods->add_sam_account(methods, sam_pass);
544
545 TALLOC_FREE(sam_pass);
546
547 return status;
548 }
549
550 NTSTATUS pdb_create_user(TALLOC_CTX *mem_ctx, const char *name, uint32_t flags,
551 uint32_t *rid)
552 {
553 struct pdb_methods *pdb = pdb_get_methods();
554 return pdb->create_user(pdb, mem_ctx, name, flags, rid);
555 }
556
557 /****************************************************************************
558 Delete a UNIX user on demand.
559 ****************************************************************************/
560
561 static int smb_delete_user(const char *unix_user)
562 {
563 const struct loadparm_substitution *lp_sub =
564 loadparm_s3_global_substitution();
565 char *del_script = NULL;
566 int ret;
567
568 /* safety check */
569
570 if ( strequal( unix_user, "root" ) ) {
571 DEBUG(0,("smb_delete_user: Refusing to delete local system root account!\n"));
572 return -1;
573 }
574
575 del_script = lp_delete_user_script(talloc_tos(), lp_sub);
576 if (!del_script || !*del_script) {
577 return -1;
578 }
579 del_script = talloc_all_string_sub(talloc_tos(),
580 del_script,
581 "%u",
582 unix_user);
583 if (!del_script) {
584 return -1;
585 }
586 ret = smbrun(del_script, NULL, NULL);
587 flush_pwnam_cache();
588 if (ret == 0) {
589 smb_nscd_flush_user_cache();
590 }
591 DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
592
593 return ret;
594 }
595
596 static NTSTATUS pdb_default_delete_user(struct pdb_methods *methods,
597 TALLOC_CTX *mem_ctx,
598 struct samu *sam_acct)
599 {
600 NTSTATUS status;
601 fstring username;
602
603 status = methods->delete_sam_account(methods, sam_acct);
604 if (!NT_STATUS_IS_OK(status)) {
605 return status;
606 }
607
608 /*
609 * Now delete the unix side ....
610 * note: we don't check if the delete really happened as the script is
611 * not necessary present and maybe the sysadmin doesn't want to delete
612 * the unix side
613 */
614
615 /* always lower case the username before handing it off to
616 external scripts */
617
618 fstrcpy( username, pdb_get_username(sam_acct) );
619 if (!strlower_m( username )) {
620 return status;
621 }
622
623 smb_delete_user( username );
624
625 return status;
626 }
627
628 NTSTATUS pdb_delete_user(TALLOC_CTX *mem_ctx, struct samu *sam_acct)
629 {
630 struct pdb_methods *pdb = pdb_get_methods();
631 uid_t uid = -1;
632 NTSTATUS status;
633 const struct dom_sid *user_sid;
634 char *msg_data;
635
636 user_sid = pdb_get_user_sid(sam_acct);
637
638 /* sanity check to make sure we don't delete root */
639
640 if ( !sid_to_uid(user_sid, &uid ) ) {
641 return NT_STATUS_NO_SUCH_USER;
642 }
643
644 if ( uid == 0 ) {
645 return NT_STATUS_ACCESS_DENIED;
646 }
647
648 memcache_delete(NULL,
649 PDB_GETPWSID_CACHE,
650 data_blob_const(user_sid, sizeof(*user_sid)));
651
652 status = pdb->delete_user(pdb, mem_ctx, sam_acct);
653 if (!NT_STATUS_IS_OK(status)) {
654 return status;
655 }
656
657 msg_data = talloc_asprintf(mem_ctx, "USER %s",
658 pdb_get_username(sam_acct));
659 if (!msg_data) {
660 /* not fatal, and too late to rollback,
661 * just return */
662 return status;
663 }
664 messaging_send_all(global_messaging_context(),
665 ID_CACHE_DELETE,
666 msg_data,
667 strlen(msg_data) + 1);
668
669 TALLOC_FREE(msg_data);
670 return status;
671 }
672
673 NTSTATUS pdb_add_sam_account(struct samu *sam_acct)
674 {
675 struct pdb_methods *pdb = pdb_get_methods();
676 return pdb->add_sam_account(pdb, sam_acct);
677 }
678
679 NTSTATUS pdb_update_sam_account(struct samu *sam_acct)
680 {
681 struct pdb_methods *pdb = pdb_get_methods();
682
683 memcache_flush(NULL, PDB_GETPWSID_CACHE);
684
685 return pdb->update_sam_account(pdb, sam_acct);
686 }
687
688 NTSTATUS pdb_delete_sam_account(struct samu *sam_acct)
689 {
690 struct pdb_methods *pdb = pdb_get_methods();
691 const struct dom_sid *user_sid = pdb_get_user_sid(sam_acct);
692
693 memcache_delete(NULL,
694 PDB_GETPWSID_CACHE,
695 data_blob_const(user_sid, sizeof(*user_sid)));
696
697 return pdb->delete_sam_account(pdb, sam_acct);
698 }
699
700 NTSTATUS pdb_rename_sam_account(struct samu *oldname, const char *newname)
701 {
702 struct pdb_methods *pdb = pdb_get_methods();
703 uid_t uid;
704 NTSTATUS status;
705
706 memcache_flush(NULL, PDB_GETPWSID_CACHE);
707
708 /* sanity check to make sure we don't rename root */
709
710 if ( !sid_to_uid( pdb_get_user_sid(oldname), &uid ) ) {
711 return NT_STATUS_NO_SUCH_USER;
712 }
713
714 if ( uid == 0 ) {
715 return NT_STATUS_ACCESS_DENIED;
716 }
717
718 status = pdb->rename_sam_account(pdb, oldname, newname);
719
720 /* always flush the cache here just to be safe */
721 flush_pwnam_cache();
722
723 return status;
724 }
725
726 NTSTATUS pdb_update_login_attempts(struct samu *sam_acct, bool success)
727 {
728 struct pdb_methods *pdb = pdb_get_methods();
729 return pdb->update_login_attempts(pdb, sam_acct, success);
730 }
731
732 bool pdb_getgrsid(GROUP_MAP *map, struct dom_sid sid)
733 {
734 struct pdb_methods *pdb = pdb_get_methods();
735 return NT_STATUS_IS_OK(pdb->getgrsid(pdb, map, sid));
736 }
737
738 bool pdb_getgrgid(GROUP_MAP *map, gid_t gid)
739 {
740 struct pdb_methods *pdb = pdb_get_methods();
741 return NT_STATUS_IS_OK(pdb->getgrgid(pdb, map, gid));
742 }
743
744 bool pdb_getgrnam(GROUP_MAP *map, const char *name)
745 {
746 struct pdb_methods *pdb = pdb_get_methods();
747 return NT_STATUS_IS_OK(pdb->getgrnam(pdb, map, name));
748 }
749
750 static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods,
751 TALLOC_CTX *mem_ctx,
752 const char *name,
753 uint32_t *rid)
754 {
755 struct dom_sid group_sid;
756 struct group *grp;
757 struct dom_sid_buf tmp;
758
759 grp = getgrnam(name);
760
761 if (grp == NULL) {
762 gid_t gid;
763
764 if (smb_create_group(name, &gid) != 0) {
765 return NT_STATUS_ACCESS_DENIED;
766 }
767
768 grp = getgrgid(gid);
769 }
770
771 if (grp == NULL) {
772 return NT_STATUS_ACCESS_DENIED;
773 }
774
775 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
776 if (!pdb_new_rid(rid)) {
777 return NT_STATUS_ACCESS_DENIED;
778 }
779 } else {
780 *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
781 }
782
783 sid_compose(&group_sid, get_global_sam_sid(), *rid);
784
785 return add_initial_entry(
786 grp->gr_gid,
787 dom_sid_str_buf(&group_sid, &tmp),
788 SID_NAME_DOM_GRP,
789 name,
790 NULL);
791 }
792
793 NTSTATUS pdb_create_dom_group(TALLOC_CTX *mem_ctx, const char *name,
794 uint32_t *rid)
795 {
796 struct pdb_methods *pdb = pdb_get_methods();
797 return pdb->create_dom_group(pdb, mem_ctx, name, rid);
798 }
799
800 static NTSTATUS pdb_default_delete_dom_group(struct pdb_methods *methods,
801 TALLOC_CTX *mem_ctx,
802 uint32_t rid)
803 {
804 struct dom_sid group_sid;
805 GROUP_MAP *map;
806 NTSTATUS status;
807 struct group *grp;
808 const char *grp_name;
809
810 map = talloc_zero(mem_ctx, GROUP_MAP);
811 if (!map) {
812 return NT_STATUS_NO_MEMORY;
813 }
814
815 /* coverity */
816 map->gid = (gid_t) -1;
817
818 sid_compose(&group_sid, get_global_sam_sid(), rid);
819
820 if (!get_domain_group_from_sid(group_sid, map)) {
821 DEBUG(10, ("Could not find group for rid %d\n", rid));
822 return NT_STATUS_NO_SUCH_GROUP;
823 }
824
825 /* We need the group name for the smb_delete_group later on */
826
827 if (map->gid == (gid_t)-1) {
828 return NT_STATUS_NO_SUCH_GROUP;
829 }
830
831 grp = getgrgid(map->gid);
832 if (grp == NULL) {
833 return NT_STATUS_NO_SUCH_GROUP;
834 }
835
836 TALLOC_FREE(map);
837
838 /* Copy the name, no idea what pdb_delete_group_mapping_entry does.. */
839
840 grp_name = talloc_strdup(mem_ctx, grp->gr_name);
841 if (grp_name == NULL) {
842 return NT_STATUS_NO_MEMORY;
843 }
844
845 status = pdb_delete_group_mapping_entry(group_sid);
846
847 if (!NT_STATUS_IS_OK(status)) {
848 return status;
849 }
850
851 /* Don't check the result of smb_delete_group */
852
853 smb_delete_group(grp_name);
854
855 return NT_STATUS_OK;
856 }
857
858 NTSTATUS pdb_delete_dom_group(TALLOC_CTX *mem_ctx, uint32_t rid)
859 {
860 struct pdb_methods *pdb = pdb_get_methods();
861 return pdb->delete_dom_group(pdb, mem_ctx, rid);
862 }
863
864 NTSTATUS pdb_add_group_mapping_entry(GROUP_MAP *map)
865 {
866 struct pdb_methods *pdb = pdb_get_methods();
867 return pdb->add_group_mapping_entry(pdb, map);
868 }
869
870 NTSTATUS pdb_update_group_mapping_entry(GROUP_MAP *map)
871 {
872 struct pdb_methods *pdb = pdb_get_methods();
873 return pdb->update_group_mapping_entry(pdb, map);
874 }
875
876 NTSTATUS pdb_delete_group_mapping_entry(struct dom_sid sid)
877 {
878 struct pdb_methods *pdb = pdb_get_methods();
879 return pdb->delete_group_mapping_entry(pdb, sid);
880 }
881
882 bool pdb_enum_group_mapping(const struct dom_sid *sid,
883 enum lsa_SidType sid_name_use,
884 GROUP_MAP ***pp_rmap,
885 size_t *p_num_entries,
886 bool unix_only)
887 {
888 struct pdb_methods *pdb = pdb_get_methods();
889 return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
890 pp_rmap, p_num_entries, unix_only));
891 }
892
893 NTSTATUS pdb_enum_group_members(TALLOC_CTX *mem_ctx,
894 const struct dom_sid *sid,
895 uint32_t **pp_member_rids,
896 size_t *p_num_members)
897 {
898 struct pdb_methods *pdb = pdb_get_methods();
899 NTSTATUS result;
900
901 result = pdb->enum_group_members(pdb, mem_ctx,
902 sid, pp_member_rids, p_num_members);
903
904 /* special check for rid 513 */
905
906 if ( !NT_STATUS_IS_OK( result ) ) {
907 uint32_t rid;
908
909 sid_peek_rid( sid, &rid );
910
911 if ( rid == DOMAIN_RID_USERS ) {
912 *p_num_members = 0;
913 *pp_member_rids = NULL;
914
915 return NT_STATUS_OK;
916 }
917 }
918
919 return result;
920 }
921
922 NTSTATUS pdb_enum_group_memberships(TALLOC_CTX *mem_ctx, struct samu *user,
923 struct dom_sid **pp_sids, gid_t **pp_gids,
924 uint32_t *p_num_groups)
925 {
926 struct pdb_methods *pdb = pdb_get_methods();
927 return pdb->enum_group_memberships(
928 pdb, mem_ctx, user,
929 pp_sids, pp_gids, p_num_groups);
930 }
931
932 static NTSTATUS pdb_default_set_unix_primary_group(struct pdb_methods *methods,
933 TALLOC_CTX *mem_ctx,
934 struct samu *sampass)
935 {
936 struct group *grp;
937 gid_t gid;
938
939 if (!sid_to_gid(pdb_get_group_sid(sampass), &gid) ||
940 (grp = getgrgid(gid)) == NULL) {
941 return NT_STATUS_INVALID_PRIMARY_GROUP;
942 }
943
944 if (smb_set_primary_group(grp->gr_name,
945 pdb_get_username(sampass)) != 0) {
946 return NT_STATUS_ACCESS_DENIED;
947 }
948
949 return NT_STATUS_OK;
950 }
951
952 NTSTATUS pdb_set_unix_primary_group(TALLOC_CTX *mem_ctx, struct samu *user)
953 {
954 struct pdb_methods *pdb = pdb_get_methods();
955 return pdb->set_unix_primary_group(pdb, mem_ctx, user);
956 }
957
958 /*
959 * Helper function to see whether a user is in a group. We can't use
960 * user_in_group_sid here because this creates dependencies only smbd can
961 * fulfil.
962 */
963
964 static bool pdb_user_in_group(TALLOC_CTX *mem_ctx, struct samu *account,
965 const struct dom_sid *group_sid)
966 {
967 struct dom_sid *sids;
968 gid_t *gids;
969 uint32_t i, num_groups;
970
971 if (!NT_STATUS_IS_OK(pdb_enum_group_memberships(mem_ctx, account,
972 &sids, &gids,
973 &num_groups))) {
974 return False;
975 }
976
977 for (i=0; i<num_groups; i++) {
978 if (dom_sid_equal(group_sid, &sids[i])) {
979 return True;
980 }
981 }
982 return False;
983 }
984
985 static NTSTATUS pdb_default_add_groupmem(struct pdb_methods *methods,
986 TALLOC_CTX *mem_ctx,
987 uint32_t group_rid,
988 uint32_t member_rid)
989 {
990 struct dom_sid group_sid, member_sid;
991 struct samu *account = NULL;
992 GROUP_MAP *map;
993 struct group *grp;
994 struct passwd *pwd;
995 const char *group_name;
996 uid_t uid;
997
998 map = talloc_zero(mem_ctx, GROUP_MAP);
999 if (!map) {
1000 return NT_STATUS_NO_MEMORY;
1001 }
1002
1003 /* coverity */
1004 map->gid = (gid_t) -1;
1005
1006 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
1007 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
1008
1009 if (!get_domain_group_from_sid(group_sid, map) ||
1010 (map->gid == (gid_t)-1) ||
1011 ((grp = getgrgid(map->gid)) == NULL)) {
1012 return NT_STATUS_NO_SUCH_GROUP;
1013 }
1014
1015 TALLOC_FREE(map);
1016
1017 group_name = talloc_strdup(mem_ctx, grp->gr_name);
1018 if (group_name == NULL) {
1019 return NT_STATUS_NO_MEMORY;
1020 }
1021
1022 if ( !(account = samu_new( NULL )) ) {
1023 return NT_STATUS_NO_MEMORY;
1024 }
1025
1026 if (!pdb_getsampwsid(account, &member_sid) ||
1027 !sid_to_uid(&member_sid, &uid) ||
1028 ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1029 return NT_STATUS_NO_SUCH_USER;
1030 }
1031
1032 if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1033 return NT_STATUS_MEMBER_IN_GROUP;
1034 }
1035
1036 /*
1037 * ok, the group exist, the user exist, the user is not in the group,
1038 * we can (finally) add it to the group !
1039 */
1040
1041 smb_add_user_group(group_name, pwd->pw_name);
1042
1043 if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1044 return NT_STATUS_ACCESS_DENIED;
1045 }
1046
1047 return NT_STATUS_OK;
1048 }
1049
1050 NTSTATUS pdb_add_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1051 uint32_t member_rid)
1052 {
1053 struct pdb_methods *pdb = pdb_get_methods();
1054 return pdb->add_groupmem(pdb, mem_ctx, group_rid, member_rid);
1055 }
1056
1057 static NTSTATUS pdb_default_del_groupmem(struct pdb_methods *methods,
1058 TALLOC_CTX *mem_ctx,
1059 uint32_t group_rid,
1060 uint32_t member_rid)
1061 {
1062 struct dom_sid group_sid, member_sid;
1063 struct samu *account = NULL;
1064 GROUP_MAP *map;
1065 struct group *grp;
1066 struct passwd *pwd;
1067 const char *group_name;
1068 uid_t uid;
1069
1070 map = talloc_zero(mem_ctx, GROUP_MAP);
1071 if (!map) {
1072 return NT_STATUS_NO_MEMORY;
1073 }
1074
1075 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
1076 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
1077
1078 if (!get_domain_group_from_sid(group_sid, map) ||
1079 (map->gid == (gid_t)-1) ||
1080 ((grp = getgrgid(map->gid)) == NULL)) {
1081 return NT_STATUS_NO_SUCH_GROUP;
1082 }
1083
1084 TALLOC_FREE(map);
1085
1086 group_name = talloc_strdup(mem_ctx, grp->gr_name);
1087 if (group_name == NULL) {
1088 return NT_STATUS_NO_MEMORY;
1089 }
1090
1091 if ( !(account = samu_new( NULL )) ) {
1092 return NT_STATUS_NO_MEMORY;
1093 }
1094
1095 if (!pdb_getsampwsid(account, &member_sid) ||
1096 !sid_to_uid(&member_sid, &uid) ||
1097 ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1098 return NT_STATUS_NO_SUCH_USER;
1099 }
1100
1101 if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1102 return NT_STATUS_MEMBER_NOT_IN_GROUP;
1103 }
1104
1105 /*
1106 * ok, the group exist, the user exist, the user is in the group,
1107 * we can (finally) delete it from the group!
1108 */
1109
1110 smb_delete_user_group(group_name, pwd->pw_name);
1111
1112 if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1113 return NT_STATUS_ACCESS_DENIED;
1114 }
1115
1116 return NT_STATUS_OK;
1117 }
1118
1119 NTSTATUS pdb_del_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1120 uint32_t member_rid)
1121 {
1122 struct pdb_methods *pdb = pdb_get_methods();
1123 return pdb->del_groupmem(pdb, mem_ctx, group_rid, member_rid);
1124 }
1125
1126 NTSTATUS pdb_create_alias(const char *name, uint32_t *rid)
1127 {
1128 struct pdb_methods *pdb = pdb_get_methods();
1129 return pdb->create_alias(pdb, name, rid);
1130 }
1131
1132 NTSTATUS pdb_delete_alias(const struct dom_sid *sid)
1133 {
1134 struct pdb_methods *pdb = pdb_get_methods();
1135 return pdb->delete_alias(pdb, sid);
1136 }
1137
1138 NTSTATUS pdb_get_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1139 {
1140 struct pdb_methods *pdb = pdb_get_methods();
1141 return pdb->get_aliasinfo(pdb, sid, info);
1142 }
1143
1144 NTSTATUS pdb_set_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1145 {
1146 struct pdb_methods *pdb = pdb_get_methods();
1147 return pdb->set_aliasinfo(pdb, sid, info);
1148 }
1149
1150 NTSTATUS pdb_add_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1151 {
1152 struct pdb_methods *pdb = pdb_get_methods();
1153 return pdb->add_aliasmem(pdb, alias, member);
1154 }
1155
1156 NTSTATUS pdb_del_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1157 {
1158 struct pdb_methods *pdb = pdb_get_methods();
1159 return pdb->del_aliasmem(pdb, alias, member);
1160 }
1161
1162 NTSTATUS pdb_enum_aliasmem(const struct dom_sid *alias, TALLOC_CTX *mem_ctx,
1163 struct dom_sid **pp_members, size_t *p_num_members)
1164 {
1165 struct pdb_methods *pdb = pdb_get_methods();
1166 return pdb->enum_aliasmem(pdb, alias, mem_ctx, pp_members,
1167 p_num_members);
1168 }
1169
1170 NTSTATUS pdb_enum_alias_memberships(TALLOC_CTX *mem_ctx,
1171 const struct dom_sid *domain_sid,
1172 const struct dom_sid *members, size_t num_members,
1173 uint32_t **pp_alias_rids,
1174 size_t *p_num_alias_rids)
1175 {
1176 struct pdb_methods *pdb = pdb_get_methods();
1177 return pdb->enum_alias_memberships(pdb, mem_ctx,
1178 domain_sid,
1179 members, num_members,
1180 pp_alias_rids,
1181 p_num_alias_rids);
1182 }
1183
1184 NTSTATUS pdb_lookup_rids(const struct dom_sid *domain_sid,
1185 int num_rids,
1186 uint32_t *rids,
1187 const char **names,
1188 enum lsa_SidType *attrs)
1189 {
1190 struct pdb_methods *pdb = pdb_get_methods();
1191 return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs);
1192 }
1193
1194 bool pdb_get_account_policy(enum pdb_policy_type type, uint32_t *value)
1195 {
1196 struct pdb_methods *pdb = pdb_get_methods();
1197 NTSTATUS status;
1198
1199 become_root();
1200 status = pdb->get_account_policy(pdb, type, value);
1201 unbecome_root();
1202
1203 return NT_STATUS_IS_OK(status);
1204 }
1205
1206 bool pdb_set_account_policy(enum pdb_policy_type type, uint32_t value)
1207 {
1208 struct pdb_methods *pdb = pdb_get_methods();
1209 NTSTATUS status;
1210
1211 become_root();
1212 status = pdb->set_account_policy(pdb, type, value);
1213 unbecome_root();
1214
1215 return NT_STATUS_IS_OK(status);
1216 }
1217
1218 bool pdb_get_seq_num(time_t *seq_num)
1219 {
1220 struct pdb_methods *pdb = pdb_get_methods();
1221 return NT_STATUS_IS_OK(pdb->get_seq_num(pdb, seq_num));
1222 }
1223
1224 /*
1225 * Instead of passing down a gid or uid, this function sends down a pointer
1226 * to a unixid.
1227 *
1228 * This acts as an in-out variable so that the idmap functions can correctly
1229 * receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing
1230 * the cache to store ID_TYPE_UID or ID_TYPE_GID.
1231 */
1232 bool pdb_id_to_sid(struct unixid *id, struct dom_sid *sid)
1233 {
1234 struct pdb_methods *pdb = pdb_get_methods();
1235 bool ret;
1236
1237 ret = pdb->id_to_sid(pdb, id, sid);
1238
1239 if (ret) {
1240 idmap_cache_set_sid2unixid(sid, id);
1241 }
1242
1243 return ret;
1244 }
1245
1246 bool pdb_sid_to_id(const struct dom_sid *sid, struct unixid *id)
1247 {
1248 struct pdb_methods *pdb = pdb_get_methods();
1249 bool ret;
1250
1251 /* only ask the backend if it is responsible */
1252 if (!sid_check_object_is_for_passdb(sid)) {
1253 return false;
1254 }
1255
1256 ret = pdb->sid_to_id(pdb, sid, id);
1257
1258 if (ret) {
1259 idmap_cache_set_sid2unixid(sid, id);
1260 }
1261
1262 return ret;
1263 }
1264
1265 uint32_t pdb_capabilities(void)
1266 {
1267 struct pdb_methods *pdb = pdb_get_methods();
1268 return pdb->capabilities(pdb);
1269 }
1270
1271 /********************************************************************
1272 Allocate a new RID from the passdb backend. Verify that it is free
1273 by calling lookup_global_sam_rid() to verify that the RID is not
1274 in use. This handles servers that have existing users or groups
1275 with add RIDs (assigned from previous algorithmic mappings)
1276 ********************************************************************/
1277
1278 bool pdb_new_rid(uint32_t *rid)
1279 {
1280 struct pdb_methods *pdb = pdb_get_methods();
1281 const char *name = NULL;
1282 enum lsa_SidType type;
1283 uint32_t allocated_rid = 0;
1284 int i;
1285 TALLOC_CTX *ctx;
1286
1287 if ((pdb_capabilities() & PDB_CAP_STORE_RIDS) == 0) {
1288 DEBUG(0, ("Trying to allocate a RID when algorithmic RIDs "
1289 "are active\n"));
1290 return False;
1291 }
1292
1293 if (algorithmic_rid_base() != BASE_RID) {
1294 DEBUG(0, ("'algorithmic rid base' is set but a passdb backend "
1295 "without algorithmic RIDs is chosen.\n"));
1296 DEBUGADD(0, ("Please map all used groups using 'net groupmap "
1297 "add', set the maximum used RID\n"));
1298 DEBUGADD(0, ("and remove the parameter\n"));
1299 return False;
1300 }
1301
1302 if ( (ctx = talloc_init("pdb_new_rid")) == NULL ) {
1303 DEBUG(0,("pdb_new_rid: Talloc initialization failure\n"));
1304 return False;
1305 }
1306
1307 /* Attempt to get an unused RID (max tires is 250...yes that it is
1308 and arbitrary number I pulkled out of my head). -- jerry */
1309
1310 for ( i=0; allocated_rid==0 && i<250; i++ ) {
1311 /* get a new RID */
1312
1313 if ( !pdb->new_rid(pdb, &allocated_rid) ) {
1314 return False;
1315 }
1316
1317 /* validate that the RID is not in use */
1318
1319 if (lookup_global_sam_rid(ctx, allocated_rid, &name, &type, NULL, NULL)) {
1320 allocated_rid = 0;
1321 }
1322 }
1323
1324 TALLOC_FREE( ctx );
1325
1326 if ( allocated_rid == 0 ) {
1327 DEBUG(0,("pdb_new_rid: Failed to find unused RID\n"));
1328 return False;
1329 }
1330
1331 *rid = allocated_rid;
1332
1333 return True;
1334 }
1335
1336 /***************************************************************
1337 Initialize the static context (at smbd startup etc).
1338
1339 If uninitialised, context will auto-init on first use.
1340 ***************************************************************/
1341
1342 bool initialize_password_db(bool reload, struct tevent_context *tevent_ctx)
1343 {
1344 if (tevent_ctx) {
1345 pdb_tevent_ctx = tevent_ctx;
1346 }
1347 return (pdb_get_methods_reload(reload) != NULL);
1348 }
1349
1350 /***************************************************************************
1351 Default implementations of some functions.
1352 ****************************************************************************/
1353
1354 static NTSTATUS pdb_default_getsampwnam (struct pdb_methods *methods, struct samu *user, const char *sname)
1355 {
1356 return NT_STATUS_NO_SUCH_USER;
1357 }
1358
1359 static NTSTATUS pdb_default_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const struct dom_sid *sid)
1360 {
1361 return NT_STATUS_NO_SUCH_USER;
1362 }
1363
1364 static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1365 {
1366 return NT_STATUS_NOT_IMPLEMENTED;
1367 }
1368
1369 static NTSTATUS pdb_default_update_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1370 {
1371 return NT_STATUS_NOT_IMPLEMENTED;
1372 }
1373
1374 static NTSTATUS pdb_default_delete_sam_account (struct pdb_methods *methods, struct samu *pwd)
1375 {
1376 return NT_STATUS_NOT_IMPLEMENTED;
1377 }
1378
1379 static NTSTATUS pdb_default_rename_sam_account (struct pdb_methods *methods, struct samu *pwd, const char *newname)
1380 {
1381 return NT_STATUS_NOT_IMPLEMENTED;
1382 }
1383
1384 static NTSTATUS pdb_default_update_login_attempts (struct pdb_methods *methods, struct samu *newpwd, bool success)
1385 {
1386 /* Only the pdb_nds backend implements this, by
1387 * default just return ok. */
1388 return NT_STATUS_OK;
1389 }
1390
1391 static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t *value)
1392 {
1393 return account_policy_get(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1394 }
1395
1396 static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t value)
1397 {
1398 return account_policy_set(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1399 }
1400
1401 static NTSTATUS pdb_default_get_seq_num(struct pdb_methods *methods, time_t *seq_num)
1402 {
1403 *seq_num = time(NULL);
1404 return NT_STATUS_OK;
1405 }
1406
1407 static bool pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid,
1408 struct dom_sid *sid)
1409 {
1410 struct samu *sampw = NULL;
1411 struct passwd *unix_pw;
1412 fstring pw_name = { 0 };
1413 bool ret;
1414
1415 unix_pw = getpwuid( uid );
1416
1417 if ( !unix_pw ) {
1418 DEBUG(4,("pdb_default_uid_to_sid: host has no idea of uid "
1419 "%lu\n", (unsigned long)uid));
1420 return False;
1421 }
1422
1423 if (unix_pw->pw_name == NULL) {
1424 DBG_DEBUG("No pw_name for uid %d\n", (int)uid);
1425 return false;
1426 }
1427
1428 /*
1429 * Make a copy, "unix_pw" might go away soon.
1430 */
1431 fstrcpy(pw_name, unix_pw->pw_name);
1432
1433 if ( !(sampw = samu_new( NULL )) ) {
1434 DEBUG(0,("pdb_default_uid_to_sid: samu_new() failed!\n"));
1435 return False;
1436 }
1437
1438 become_root();
1439 ret = NT_STATUS_IS_OK(methods->getsampwnam(methods, sampw, pw_name));
1440 unbecome_root();
1441
1442 if (!ret) {
1443 DEBUG(5, ("pdb_default_uid_to_sid: Did not find user "
1444 "%s (%u)\n", unix_pw->pw_name, (unsigned int)uid));
1445 TALLOC_FREE(sampw);
1446 return False;
1447 }
1448
1449 sid_copy(sid, pdb_get_user_sid(sampw));
1450
1451 TALLOC_FREE(sampw);
1452
1453 return True;
1454 }
1455
1456 static bool pdb_default_gid_to_sid(struct pdb_methods *methods, gid_t gid,
1457 struct dom_sid *sid)
1458 {
1459 GROUP_MAP *map;
1460
1461 map = talloc_zero(NULL, GROUP_MAP);
1462 if (!map) {
1463 return false;
1464 }
1465
1466 if (!NT_STATUS_IS_OK(methods->getgrgid(methods, map, gid))) {
1467 TALLOC_FREE(map);
1468 return false;
1469 }
1470
1471 sid_copy(sid, &map->sid);
1472 TALLOC_FREE(map);
1473 return true;
1474 }
1475
1476 static bool pdb_default_id_to_sid(struct pdb_methods *methods, struct unixid *id,
1477 struct dom_sid *sid)
1478 {
1479 switch (id->type) {
1480 case ID_TYPE_UID:
1481 return pdb_default_uid_to_sid(methods, id->id, sid);
1482
1483 case ID_TYPE_GID:
1484 return pdb_default_gid_to_sid(methods, id->id, sid);
1485
1486 default:
1487 return false;
1488 }
1489 }
1490 /**
1491 * The "Unix User" and "Unix Group" domains have a special
1492 * id mapping that is a rid-algorithm with range starting at 0.
1493 */
1494 bool pdb_sid_to_id_unix_users_and_groups(const struct dom_sid *sid,
1495 struct unixid *id)
1496 {
1497 uint32_t rid;
1498
1499 id->id = -1;
1500
1501 if (sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid)) {
1502 id->id = rid;
1503 id->type = ID_TYPE_UID;
1504 return true;
1505 }
1506
1507 if (sid_peek_check_rid(&global_sid_Unix_Groups, sid, &rid)) {
1508 id->id = rid;
1509 id->type = ID_TYPE_GID;
1510 return true;
1511 }
1512
1513 return false;
1514 }
1515
1516 static bool pdb_default_sid_to_id(struct pdb_methods *methods,
1517 const struct dom_sid *sid,
1518 struct unixid *id)
1519 {
1520 TALLOC_CTX *mem_ctx;
1521 bool ret = False;
1522 uint32_t rid;
1523 struct dom_sid_buf buf;
1524
1525 id->id = -1;
1526
1527 mem_ctx = talloc_new(NULL);
1528
1529 if (mem_ctx == NULL) {
1530 DEBUG(0, ("talloc_new failed\n"));
1531 return False;
1532 }
1533
1534 if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
1535 const char *name;
1536 enum lsa_SidType type;
1537 uid_t uid = (uid_t)-1;
1538 gid_t gid = (gid_t)-1;
1539 /* Here we might have users as well as groups and aliases */
1540 ret = lookup_global_sam_rid(mem_ctx, rid, &name, &type, &uid, &gid);
1541 if (ret) {
1542 switch (type) {
1543 case SID_NAME_DOM_GRP:
1544 case SID_NAME_ALIAS:
1545 id->type = ID_TYPE_GID;
1546 id->id = gid;
1547 break;
1548 case SID_NAME_USER:
1549 id->type = ID_TYPE_UID;
1550 id->id = uid;
1551 break;
1552 default:
1553 DEBUG(5, ("SID %s belongs to our domain, and "
1554 "an object exists in the database, "
1555 "but it is neither a user nor a "
1556 "group (got type %d).\n",
1557 dom_sid_str_buf(sid, &buf),
1558 type));
1559 ret = false;
1560 }
1561 } else {
1562 DEBUG(5, ("SID %s belongs to our domain, but there is "
1563 "no corresponding object in the database.\n",
1564 dom_sid_str_buf(sid, &buf)));
1565 }
1566 goto done;
1567 }
1568
1569 /*
1570 * "Unix User" and "Unix Group"
1571 */
1572 ret = pdb_sid_to_id_unix_users_and_groups(sid, id);
1573 if (ret) {
1574 goto done;
1575 }
1576
1577 /* BUILTIN */
1578
1579 if (sid_check_is_in_builtin(sid) ||
1580 sid_check_is_in_wellknown_domain(sid)) {
1581 /* Here we only have aliases */
1582 GROUP_MAP *map;
1583
1584 map = talloc_zero(mem_ctx, GROUP_MAP);
1585 if (!map) {
1586 ret = false;
1587 goto done;
1588 }
1589
1590 if (!NT_STATUS_IS_OK(methods->getgrsid(methods, map, *sid))) {
1591 DEBUG(10, ("Could not find map for sid %s\n",
1592 dom_sid_str_buf(sid, &buf)));
1593 goto done;
1594 }
1595 if ((map->sid_name_use != SID_NAME_ALIAS) &&
1596 (map->sid_name_use != SID_NAME_WKN_GRP)) {
1597 DEBUG(10, ("Map for sid %s is a %s, expected an "
1598 "alias\n",
1599 dom_sid_str_buf(sid, &buf),
1600 sid_type_lookup(map->sid_name_use)));
1601 goto done;
1602 }
1603
1604 id->id = map->gid;
1605 id->type = ID_TYPE_GID;
1606 ret = True;
1607 goto done;
1608 }
1609
1610 DEBUG(5, ("Sid %s is neither ours, a Unix SID, nor builtin\n",
1611 dom_sid_str_buf(sid, &buf)));
1612
1613 done:
1614
1615 TALLOC_FREE(mem_ctx);
1616 return ret;
1617 }
1618
1619 static bool get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, uint32_t *p_num)
1620 {
1621 struct group *grp;
1622 char **gr;
1623 struct passwd *pwd;
1624 bool winbind_env;
1625 bool ret = False;
1626
1627 *pp_uids = NULL;
1628 *p_num = 0;
1629
1630 /* We only look at our own sam, so don't care about imported stuff */
1631 winbind_env = winbind_env_set();
1632 (void)winbind_off();
1633
1634 if ((grp = getgrgid(gid)) == NULL) {
1635 /* allow winbindd lookups, but only if they weren't already disabled */
1636 goto done;
1637 }
1638
1639 /* Primary group members */
1640 setpwent();
1641 while ((pwd = getpwent()) != NULL) {
1642 if (pwd->pw_gid == gid) {
1643 if (!add_uid_to_array_unique(mem_ctx, pwd->pw_uid,
1644 pp_uids, p_num)) {
1645 goto done;
1646 }
1647 }
1648 }
1649 endpwent();
1650
1651 /* Secondary group members */
1652 for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
1653 struct passwd *pw = getpwnam(*gr);
1654
1655 if (pw == NULL)
1656 continue;
1657 if (!add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num)) {
1658 goto done;
1659 }
1660 }
1661
1662 ret = True;
1663
1664 done:
1665
1666 /* allow winbindd lookups, but only if they weren't already disabled */
1667 if (!winbind_env) {
1668 (void)winbind_on();
1669 }
1670
1671 return ret;
1672 }
1673
1674 static NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
1675 TALLOC_CTX *mem_ctx,
1676 const struct dom_sid *group,
1677 uint32_t **pp_member_rids,
1678 size_t *p_num_members)
1679 {
1680 gid_t gid;
1681 uid_t *uids;
1682 uint32_t i, num_uids;
1683
1684 *pp_member_rids = NULL;
1685 *p_num_members = 0;
1686
1687 if (!sid_to_gid(group, &gid))
1688 return NT_STATUS_NO_SUCH_GROUP;
1689
1690 if(!get_memberuids(mem_ctx, gid, &uids, &num_uids))
1691 return NT_STATUS_NO_SUCH_GROUP;
1692
1693 if (num_uids == 0)
1694 return NT_STATUS_OK;
1695
1696 *pp_member_rids = talloc_zero_array(mem_ctx, uint32_t, num_uids);
1697
1698 for (i=0; i<num_uids; i++) {
1699 struct dom_sid sid;
1700
1701 uid_to_sid(&sid, uids[i]);
1702
1703 if (!sid_check_is_in_our_sam(&sid)) {
1704 DEBUG(5, ("Inconsistent SAM -- group member uid not "
1705 "in our domain\n"));
1706 continue;
1707 }
1708
1709 sid_peek_rid(&sid, &(*pp_member_rids)[*p_num_members]);
1710 *p_num_members += 1;
1711 }
1712
1713 return NT_STATUS_OK;
1714 }
1715
1716 static NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
1717 TALLOC_CTX *mem_ctx,
1718 struct samu *user,
1719 struct dom_sid **pp_sids,
1720 gid_t **pp_gids,
1721 uint32_t *p_num_groups)
1722 {
1723 size_t i;
1724 gid_t gid;
1725 struct passwd *pw;
1726 const char *username = pdb_get_username(user);
1727
1728
1729 /* Ignore the primary group SID. Honor the real Unix primary group.
1730 The primary group SID is only of real use to Windows clients */
1731
1732 if ( !(pw = Get_Pwnam_alloc(mem_ctx, username)) ) {
1733 return NT_STATUS_NO_SUCH_USER;
1734 }
1735
1736 gid = pw->pw_gid;
1737
1738 TALLOC_FREE( pw );
1739
1740 if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) {
1741 return NT_STATUS_NO_SUCH_USER;
1742 }
1743
1744 if (*p_num_groups == 0) {
1745 smb_panic("primary group missing");
1746 }
1747
1748 *pp_sids = talloc_array(mem_ctx, struct dom_sid, *p_num_groups);
1749
1750 if (*pp_sids == NULL) {
1751 TALLOC_FREE(*pp_gids);
1752 return NT_STATUS_NO_MEMORY;
1753 }
1754
1755 for (i=0; i<*p_num_groups; i++) {
1756 gid_to_sid(&(*pp_sids)[i], (*pp_gids)[i]);
1757 }
1758
1759 return NT_STATUS_OK;
1760 }
1761
1762 /*******************************************************************
1763 Look up a rid in the SAM we're responsible for (i.e. passdb)
1764 ********************************************************************/
1765
1766 static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
1767 const char **name,
1768 enum lsa_SidType *psid_name_use,
1769 uid_t *uid, gid_t *gid)
1770 {
1771 struct samu *sam_account = NULL;
1772 GROUP_MAP *map = NULL;
1773 bool ret;
1774 struct dom_sid sid;
1775
1776 *psid_name_use = SID_NAME_UNKNOWN;
1777
1778 DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n",
1779 (unsigned int)rid));
1780
1781 sid_compose(&sid, get_global_sam_sid(), rid);
1782
1783 /* see if the passdb can help us with the name of the user */
1784
1785 if ( !(sam_account = samu_new( NULL )) ) {
1786 return False;
1787 }
1788
1789 map = talloc_zero(mem_ctx, GROUP_MAP);
1790 if (!map) {
1791 return false;
1792 }
1793
1794 /* BEING ROOT BLOCK */
1795 become_root();
1796 ret = pdb_getsampwsid(sam_account, &sid);
1797 if (!ret) {
1798 TALLOC_FREE(sam_account);
1799 ret = pdb_getgrsid(map, sid);
1800 }
1801 unbecome_root();
1802 /* END BECOME_ROOT BLOCK */
1803
1804 if (sam_account || !ret) {
1805 TALLOC_FREE(map);
1806 }
1807
1808 if (sam_account) {
1809 struct passwd *pw;
1810
1811 *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
1812 if (!*name) {
1813 TALLOC_FREE(sam_account);
1814 return False;
1815 }
1816
1817 *psid_name_use = SID_NAME_USER;
1818
1819 TALLOC_FREE(sam_account);
1820
1821 if (uid == NULL) {
1822 return True;
1823 }
1824
1825 pw = Get_Pwnam_alloc(talloc_tos(), *name);
1826 if (pw == NULL) {
1827 return False;
1828 }
1829 *uid = pw->pw_uid;
1830 TALLOC_FREE(pw);
1831 return True;
1832
1833 } else if (map && (map->gid != (gid_t)-1)) {
1834
1835 /* do not resolve SIDs to a name unless there is a valid
1836 gid associated with it */
1837
1838 *name = talloc_steal(mem_ctx, map->nt_name);
1839 *psid_name_use = map->sid_name_use;
1840
1841 if (gid) {
1842 *gid = map->gid;
1843 }
1844
1845 TALLOC_FREE(map);
1846 return True;
1847 }
1848
1849 TALLOC_FREE(map);
1850
1851 /* Windows will always map RID 513 to something. On a non-domain
1852 controller, this gets mapped to SERVER\None. */
1853
1854 if (uid || gid) {
1855 DEBUG(5, ("Can't find a unix id for an unmapped group\n"));
1856 return False;
1857 }
1858
1859 if ( rid == DOMAIN_RID_USERS ) {
1860 *name = talloc_strdup(mem_ctx, "None" );
1861 *psid_name_use = SID_NAME_DOM_GRP;
1862
1863 return True;
1864 }
1865
1866 return False;
1867 }
1868
1869 static NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
1870 const struct dom_sid *domain_sid,
1871 int num_rids,
1872 uint32_t *rids,
1873 const char **names,
1874 enum lsa_SidType *attrs)
1875 {
1876 int i;
1877 NTSTATUS result;
1878 bool have_mapped = False;
1879 bool have_unmapped = False;
1880
1881 if (sid_check_is_builtin(domain_sid)) {
1882
1883 for (i=0; i<num_rids; i++) {
1884 const char *name;
1885
1886 if (lookup_builtin_rid(names, rids[i], &name)) {
1887 attrs[i] = SID_NAME_ALIAS;
1888 names[i] = name;
1889 DEBUG(5,("lookup_rids: %s:%d\n",
1890 names[i], attrs[i]));
1891 have_mapped = True;
1892 } else {
1893 have_unmapped = True;
1894 attrs[i] = SID_NAME_UNKNOWN;
1895 }
1896 }
1897 goto done;
1898 }
1899
1900 /* Should not happen, but better check once too many */
1901 if (!sid_check_is_our_sam(domain_sid)) {
1902 return NT_STATUS_INVALID_HANDLE;
1903 }
1904
1905 for (i = 0; i < num_rids; i++) {
1906 const char *name;
1907
1908 if (lookup_global_sam_rid(names, rids[i], &name, &attrs[i],
1909 NULL, NULL)) {
1910 if (name == NULL) {
1911 return NT_STATUS_NO_MEMORY;
1912 }
1913 names[i] = name;
1914 DEBUG(5,("lookup_rids: %s:%d\n", names[i], attrs[i]));
1915 have_mapped = True;
1916 } else {
1917 have_unmapped = True;
1918 attrs[i] = SID_NAME_UNKNOWN;
1919 }
1920 }
1921
1922 done:
1923
1924 result = NT_STATUS_NONE_MAPPED;
1925
1926 if (have_mapped)
1927 result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
1928
1929 return result;
1930 }
1931
1932 static int pdb_search_destructor(struct pdb_search *search)
1933 {
1934 if ((!search->search_ended) && (search->search_end != NULL)) {
1935 search->search_end(search);
1936 }
1937 return 0;
1938 }
1939
1940 struct pdb_search *pdb_search_init(TALLOC_CTX *mem_ctx,
1941 enum pdb_search_type type)
1942 {
1943 struct pdb_search *result;
1944
1945 result = talloc(mem_ctx, struct pdb_search);
1946 if (result == NULL) {
1947 DEBUG(0, ("talloc failed\n"));
1948 return NULL;
1949 }
1950
1951 result->type = type;
1952 result->cache = NULL;
1953 result->num_entries = 0;
1954 result->cache_size = 0;
1955 result->search_ended = False;
1956 result->search_end = NULL;
1957
1958 /* Segfault appropriately if not initialized */
1959 result->next_entry = NULL;
1960 result->search_end = NULL;
1961
1962 talloc_set_destructor(result, pdb_search_destructor);
1963
1964 return result;
1965 }
1966
1967 static void fill_displayentry(TALLOC_CTX *mem_ctx, uint32_t rid,
1968 uint16_t acct_flags,
1969 const char *account_name,
1970 const char *fullname,
1971 const char *description,
1972 struct samr_displayentry *entry)
1973 {
1974 entry->rid = rid;
1975 entry->acct_flags = acct_flags;
1976
1977 if (account_name != NULL)
1978 entry->account_name = talloc_strdup(mem_ctx, account_name);
1979 else
1980 entry->account_name = "";
1981
1982 if (fullname != NULL)
1983 entry->fullname = talloc_strdup(mem_ctx, fullname);
1984 else
1985 entry->fullname = "";
1986
1987 if (description != NULL)
1988 entry->description = talloc_strdup(mem_ctx, description);
1989 else
1990 entry->description = "";
1991 }
1992
1993 struct group_search {
1994 GROUP_MAP **groups;
1995 size_t num_groups, current_group;
1996 };
1997
1998 static bool next_entry_groups(struct pdb_search *s,
1999 struct samr_displayentry *entry)
2000 {
2001 struct group_search *state = (struct group_search *)s->private_data;
2002 uint32_t rid;
2003 GROUP_MAP *map;
2004
2005 if (state->current_group == state->num_groups)
2006 return False;
2007
2008 map = state->groups[state->current_group];
2009
2010 sid_peek_rid(&map->sid, &rid);
2011
2012 fill_displayentry(s, rid, 0, map->nt_name, NULL, map->comment, entry);
2013
2014 state->current_group += 1;
2015 return True;
2016 }
2017
2018 static void search_end_groups(struct pdb_search *search)
2019 {
2020 struct group_search *state =
2021 (struct group_search *)search->private_data;
2022 TALLOC_FREE(state->groups);
2023 }
2024
2025 static bool pdb_search_grouptype(struct pdb_methods *methods,
2026 struct pdb_search *search,
2027 const struct dom_sid *sid, enum lsa_SidType type)
2028 {
2029 struct group_search *state;
2030
2031 state = talloc_zero(search, struct group_search);
2032 if (state == NULL) {
2033 DEBUG(0, ("talloc failed\n"));
2034 return False;
2035 }
2036
2037 if (!NT_STATUS_IS_OK(methods->enum_group_mapping(methods, sid, type,
2038 &state->groups, &state->num_groups,
2039 True))) {
2040 DEBUG(0, ("Could not enum groups\n"));
2041 return False;
2042 }
2043
2044 state->current_group = 0;
2045 search->private_data = state;
2046 search->next_entry = next_entry_groups;
2047 search->search_end = search_end_groups;
2048 return True;
2049 }
2050
2051 static bool pdb_default_search_groups(struct pdb_methods *methods,
2052 struct pdb_search *search)
2053 {
2054 return pdb_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
2055 }
2056
2057 static bool pdb_default_search_aliases(struct pdb_methods *methods,
2058 struct pdb_search *search,
2059 const struct dom_sid *sid)
2060 {
2061
2062 return pdb_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
2063 }
2064
2065 static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
2066 uint32_t idx)
2067 {
2068 if (idx < search->num_entries)
2069 return &search->cache[idx];
2070
2071 if (search->search_ended)
2072 return NULL;
2073
2074 while (idx >= search->num_entries) {
2075 struct samr_displayentry entry;
2076
2077 if (!search->next_entry(search, &entry)) {
2078 search->search_end(search);
2079 search->search_ended = True;
2080 break;
2081 }
2082
2083 ADD_TO_LARGE_ARRAY(search, struct samr_displayentry,
2084 entry, &search->cache, &search->num_entries,
2085 &search->cache_size);
2086 }
2087
2088 return (search->num_entries > idx) ? &search->cache[idx] : NULL;
2089 }
2090
2091 struct pdb_search *pdb_search_users(TALLOC_CTX *mem_ctx, uint32_t acct_flags)
2092 {
2093 struct pdb_methods *pdb = pdb_get_methods();
2094 struct pdb_search *result;
2095
2096 result = pdb_search_init(mem_ctx, PDB_USER_SEARCH);
2097 if (result == NULL) {
2098 return NULL;
2099 }
2100
2101 if (!pdb->search_users(pdb, result, acct_flags)) {
2102 TALLOC_FREE(result);
2103 return NULL;
2104 }
2105 return result;
2106 }
2107
2108 struct pdb_search *pdb_search_groups(TALLOC_CTX *mem_ctx)
2109 {
2110 struct pdb_methods *pdb = pdb_get_methods();
2111 struct pdb_search *result;
2112
2113 result = pdb_search_init(mem_ctx, PDB_GROUP_SEARCH);
2114 if (result == NULL) {
2115 return NULL;
2116 }
2117
2118 if (!pdb->search_groups(pdb, result)) {
2119 TALLOC_FREE(result);
2120 return NULL;
2121 }
2122 return result;
2123 }
2124
2125 struct pdb_search *pdb_search_aliases(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
2126 {
2127 struct pdb_methods *pdb = pdb_get_methods();
2128 struct pdb_search *result;
2129
2130 if (pdb == NULL) return NULL;
2131
2132 result = pdb_search_init(mem_ctx, PDB_ALIAS_SEARCH);
2133 if (result == NULL) {
2134 return NULL;
2135 }
2136
2137 if (!pdb->search_aliases(pdb, result, sid)) {
2138 TALLOC_FREE(result);
2139 return NULL;
2140 }
2141 return result;
2142 }
2143
2144 uint32_t pdb_search_entries(struct pdb_search *search,
2145 uint32_t start_idx, uint32_t max_entries,
2146 struct samr_displayentry **result)
2147 {
2148 struct samr_displayentry *end_entry;
2149 uint32_t end_idx = start_idx+max_entries-1;
2150
2151 /* The first entry needs to be searched after the last. Otherwise the
2152 * first entry might have moved due to a realloc during the search for
2153 * the last entry. */
2154
2155 end_entry = pdb_search_getentry(search, end_idx);
2156 *result = pdb_search_getentry(search, start_idx);
2157
2158 if (end_entry != NULL)
2159 return max_entries;
2160
2161 if (start_idx >= search->num_entries)
2162 return 0;
2163
2164 return search->num_entries - start_idx;
2165 }
2166
2167 /*******************************************************************
2168 trustdom methods
2169 *******************************************************************/
2170
2171 bool pdb_get_trusteddom_pw(const char *domain, char** pwd, struct dom_sid *sid,
2172 time_t *pass_last_set_time)
2173 {
2174 struct pdb_methods *pdb = pdb_get_methods();
2175 return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
2176 pass_last_set_time);
2177 }
2178
2179 NTSTATUS pdb_get_trusteddom_creds(const char *domain, TALLOC_CTX *mem_ctx,
2180 struct cli_credentials **creds)
2181 {
2182 struct pdb_methods *pdb = pdb_get_methods();
2183 return pdb->get_trusteddom_creds(pdb, domain, mem_ctx, creds);
2184 }
2185
2186 bool pdb_set_trusteddom_pw(const char* domain, const char* pwd,
2187 const struct dom_sid *sid)
2188 {
2189 struct pdb_methods *pdb = pdb_get_methods();
2190 return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
2191 }
2192
2193 bool pdb_del_trusteddom_pw(const char *domain)
2194 {
2195 struct pdb_methods *pdb = pdb_get_methods();
2196 return pdb->del_trusteddom_pw(pdb, domain);
2197 }
2198
2199 NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2200 struct trustdom_info ***domains)
2201 {
2202 struct pdb_methods *pdb = pdb_get_methods();
2203 return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
2204 }
2205
2206 /*******************************************************************
2207 the defaults for trustdom methods:
2208 these simply call the original passdb/secrets.c actions,
2209 to be replaced by pdb_ldap.
2210 *******************************************************************/
2211
2212 static bool pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
2213 const char *domain,
2214 char** pwd,
2215 struct dom_sid *sid,
2216 time_t *pass_last_set_time)
2217 {
2218 return secrets_fetch_trusted_domain_password(domain, pwd,
2219 sid, pass_last_set_time);
2220
2221 }
2222
2223 static NTSTATUS pdb_default_get_trusteddom_creds(struct pdb_methods *methods,
2224 const char *domain,
2225 TALLOC_CTX *mem_ctx,
2226 struct cli_credentials **creds)
2227 {
2228 *creds = NULL;
2229 return NT_STATUS_NOT_IMPLEMENTED;
2230 }
2231
2232 static bool pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
2233 const char* domain,
2234 const char* pwd,
2235 const struct dom_sid *sid)
2236 {
2237 return secrets_store_trusted_domain_password(domain, pwd, sid);
2238 }
2239
2240 static bool pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
2241 const char *domain)
2242 {
2243 return trusted_domain_password_delete(domain);
2244 }
2245
2246 static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
2247 TALLOC_CTX *mem_ctx,
2248 uint32_t *num_domains,
2249 struct trustdom_info ***domains)
2250 {
2251 return secrets_trusted_domains(mem_ctx, num_domains, domains);
2252 }
2253
2254 /*******************************************************************
2255 trusted_domain methods
2256 *******************************************************************/
2257
2258 NTSTATUS pdb_get_trusted_domain(TALLOC_CTX *mem_ctx, const char *domain,
2259 struct pdb_trusted_domain **td)
2260 {
2261 struct pdb_methods *pdb = pdb_get_methods();
2262 return pdb->get_trusted_domain(pdb, mem_ctx, domain, td);
2263 }
2264
2265 NTSTATUS pdb_get_trusted_domain_by_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid,
2266 struct pdb_trusted_domain **td)
2267 {
2268 struct pdb_methods *pdb = pdb_get_methods();
2269 return pdb->get_trusted_domain_by_sid(pdb, mem_ctx, sid, td);
2270 }
2271
2272 NTSTATUS pdb_set_trusted_domain(const char* domain,
2273 const struct pdb_trusted_domain *td)
2274 {
2275 struct pdb_methods *pdb = pdb_get_methods();
2276 return pdb->set_trusted_domain(pdb, domain, td);
2277 }
2278
2279 NTSTATUS pdb_del_trusted_domain(const char *domain)
2280 {
2281 struct pdb_methods *pdb = pdb_get_methods();
2282 return pdb->del_trusted_domain(pdb, domain);
2283 }
2284
2285 NTSTATUS pdb_enum_trusted_domains(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2286 struct pdb_trusted_domain ***domains)
2287 {
2288 struct pdb_methods *pdb = pdb_get_methods();
2289 return pdb->enum_trusted_domains(pdb, mem_ctx, num_domains, domains);
2290 }
2291
2292 static NTSTATUS pdb_default_get_trusted_domain(struct pdb_methods *methods,
2293 TALLOC_CTX *mem_ctx,
2294 const char *domain,
2295 struct pdb_trusted_domain **td)
2296 {
2297 struct trustAuthInOutBlob taiob;
2298 struct AuthenticationInformation aia;
2299 struct pdb_trusted_domain *tdom;
2300 enum ndr_err_code ndr_err;
2301 time_t last_set_time;
2302 char *pwd;
2303 bool ok;
2304
2305 tdom = talloc(mem_ctx, struct pdb_trusted_domain);
2306 if (!tdom) {
2307 return NT_STATUS_NO_MEMORY;
2308 }
2309
2310 tdom->domain_name = talloc_strdup(tdom, domain);
2311 tdom->netbios_name = talloc_strdup(tdom, domain);
2312 if (!tdom->domain_name || !tdom->netbios_name) {
2313 talloc_free(tdom);
2314 return NT_STATUS_NO_MEMORY;
2315 }
2316
2317 tdom->trust_auth_incoming = data_blob_null;
2318
2319 ok = pdb_get_trusteddom_pw(domain, &pwd, &tdom->security_identifier,
2320 &last_set_time);
2321 if (!ok) {
2322 talloc_free(tdom);
2323 return NT_STATUS_UNSUCCESSFUL;
2324 }
2325
2326 ZERO_STRUCT(taiob);
2327 ZERO_STRUCT(aia);
2328 taiob.count = 1;
2329 taiob.current.count = 1;
2330 taiob.current.array = &aia;
2331 unix_to_nt_time(&aia.LastUpdateTime, last_set_time);
2332
2333 aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
2334 aia.AuthInfo.clear.size = strlen(pwd);
2335 aia.AuthInfo.clear.password = (uint8_t *)talloc_memdup(tdom, pwd,
2336 aia.AuthInfo.clear.size);
2337 SAFE_FREE(pwd);
2338 if (aia.AuthInfo.clear.password == NULL) {
2339 talloc_free(tdom);
2340 return NT_STATUS_NO_MEMORY;
2341 }
2342
2343 taiob.previous.count = 0;
2344 taiob.previous.array = NULL;
2345
2346 ndr_err = ndr_push_struct_blob(&tdom->trust_auth_outgoing,
2347 tdom, &taiob,
2348 (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
2349 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2350 talloc_free(tdom);
2351 return NT_STATUS_UNSUCCESSFUL;
2352 }
2353
2354 tdom->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
2355 tdom->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
2356 tdom->trust_attributes = 0;
2357 tdom->trust_forest_trust_info = data_blob_null;
2358
2359 *td = tdom;
2360 return NT_STATUS_OK;
2361 }
2362
2363 static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
2364 TALLOC_CTX *mem_ctx,
2365 struct dom_sid *sid,
2366 struct pdb_trusted_domain **td)
2367 {
2368 return NT_STATUS_NOT_IMPLEMENTED;
2369 }
2370
2371 #define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
2372
2373 static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
2374 const char* domain,
2375 const struct pdb_trusted_domain *td)
2376 {
2377 struct trustAuthInOutBlob taiob;
2378 struct AuthenticationInformation *aia;
2379 enum ndr_err_code ndr_err;
2380 char *pwd;
2381 bool ok;
2382
2383 if (td->trust_attributes != 0 ||
2384 td->trust_type != LSA_TRUST_TYPE_DOWNLEVEL ||
2385 td->trust_direction != LSA_TRUST_DIRECTION_OUTBOUND ||
2386 !IS_NULL_DATA_BLOB(td->trust_auth_incoming) ||
2387 !IS_NULL_DATA_BLOB(td->trust_forest_trust_info)) {
2388 return NT_STATUS_NOT_IMPLEMENTED;
2389 }
2390
2391 ZERO_STRUCT(taiob);
2392 ndr_err = ndr_pull_struct_blob(&td->trust_auth_outgoing, talloc_tos(),
2393 &taiob,
2394 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2395 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2396 return NT_STATUS_UNSUCCESSFUL;
2397 }
2398
2399 aia = (struct AuthenticationInformation *) taiob.current.array;
2400
2401 if (taiob.count != 1 || taiob.current.count != 1 ||
2402 taiob.previous.count != 0 ||
2403 aia->AuthType != TRUST_AUTH_TYPE_CLEAR) {
2404 return NT_STATUS_NOT_IMPLEMENTED;
2405 }
2406
2407 pwd = talloc_strndup(talloc_tos(), (char *) aia->AuthInfo.clear.password,
2408 aia->AuthInfo.clear.size);
2409 if (!pwd) {
2410 return NT_STATUS_NO_MEMORY;
2411 }
2412
2413 ok = pdb_set_trusteddom_pw(domain, pwd, &td->security_identifier);
2414 if (!ok) {
2415 return NT_STATUS_UNSUCCESSFUL;
2416 }
2417
2418 return NT_STATUS_OK;
2419 }
2420
2421 static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
2422 const char *domain)
2423 {
2424 return NT_STATUS_NOT_IMPLEMENTED;
2425 }
2426
2427 static NTSTATUS pdb_default_enum_trusted_domains(struct pdb_methods *methods,
2428 TALLOC_CTX *mem_ctx,
2429 uint32_t *num_domains,
2430 struct pdb_trusted_domain ***domains)
2431 {
2432 return NT_STATUS_NOT_IMPLEMENTED;
2433 }
2434
2435 static struct pdb_domain_info *pdb_default_get_domain_info(
2436 struct pdb_methods *m, TALLOC_CTX *mem_ctx)
2437 {
2438 return NULL;
2439 }
2440
2441 /*****************************************************************
2442 UPN suffixes
2443 *****************************************************************/
2444 static NTSTATUS pdb_default_enum_upn_suffixes(struct pdb_methods *pdb,
2445 TALLOC_CTX *mem_ctx,
2446 uint32_t *num_suffixes,
2447 char ***suffixes)
2448 {
2449 return NT_STATUS_NOT_IMPLEMENTED;
2450 }
2451
2452 static NTSTATUS pdb_default_set_upn_suffixes(struct pdb_methods *pdb,
2453 uint32_t num_suffixes,
2454 const char **suffixes)
2455 {
2456 return NT_STATUS_NOT_IMPLEMENTED;
2457 }
2458
2459 NTSTATUS pdb_enum_upn_suffixes(TALLOC_CTX *mem_ctx,
2460 uint32_t *num_suffixes,
2461 char ***suffixes)
2462 {
2463 struct pdb_methods *pdb = pdb_get_methods();
2464 return pdb->enum_upn_suffixes(pdb, mem_ctx, num_suffixes, suffixes);
2465 }
2466
2467 NTSTATUS pdb_set_upn_suffixes(uint32_t num_suffixes,
2468 const char **suffixes)
2469 {
2470 struct pdb_methods *pdb = pdb_get_methods();
2471 return pdb->set_upn_suffixes(pdb, num_suffixes, suffixes);
2472 }
2473
2474 /*******************************************************************
2475 idmap control methods
2476 *******************************************************************/
2477 static bool pdb_default_is_responsible_for_our_sam(
2478 struct pdb_methods *methods)
2479 {
2480 return true;
2481 }
2482
2483 static bool pdb_default_is_responsible_for_builtin(
2484 struct pdb_methods *methods)
2485 {
2486 return true;
2487 }
2488
2489 static bool pdb_default_is_responsible_for_wellknown(
2490 struct pdb_methods *methods)
2491 {
2492 return false;
2493 }
2494
2495 static bool pdb_default_is_responsible_for_unix_users(
2496 struct pdb_methods *methods)
2497 {
2498 return true;
2499 }
2500
2501 static bool pdb_default_is_responsible_for_unix_groups(
2502 struct pdb_methods *methods)
2503 {
2504 return true;
2505 }
2506
2507 static bool pdb_default_is_responsible_for_everything_else(
2508 struct pdb_methods *methods)
2509 {
2510 return false;
2511 }
2512
2513 bool pdb_is_responsible_for_our_sam(void)
2514 {
2515 struct pdb_methods *pdb = pdb_get_methods();
2516 return pdb->is_responsible_for_our_sam(pdb);
2517 }
2518
2519 bool pdb_is_responsible_for_builtin(void)
2520 {
2521 struct pdb_methods *pdb = pdb_get_methods();
2522 return pdb->is_responsible_for_builtin(pdb);
2523 }
2524
2525 bool pdb_is_responsible_for_wellknown(void)
2526 {
2527 struct pdb_methods *pdb = pdb_get_methods();
2528 return pdb->is_responsible_for_wellknown(pdb);
2529 }
2530
2531 bool pdb_is_responsible_for_unix_users(void)
2532 {
2533 struct pdb_methods *pdb = pdb_get_methods();
2534 return pdb->is_responsible_for_unix_users(pdb);
2535 }
2536
2537 bool pdb_is_responsible_for_unix_groups(void)
2538 {
2539 struct pdb_methods *pdb = pdb_get_methods();
2540 return pdb->is_responsible_for_unix_groups(pdb);
2541 }
2542
2543 bool pdb_is_responsible_for_everything_else(void)
2544 {
2545 struct pdb_methods *pdb = pdb_get_methods();
2546 return pdb->is_responsible_for_everything_else(pdb);
2547 }
2548
2549 /*******************************************************************
2550 secret methods
2551 *******************************************************************/
2552
2553 NTSTATUS pdb_get_secret(TALLOC_CTX *mem_ctx,
2554 const char *secret_name,
2555 DATA_BLOB *secret_current,
2556 NTTIME *secret_current_lastchange,
2557 DATA_BLOB *secret_old,
2558 NTTIME *secret_old_lastchange,
2559 struct security_descriptor **sd)
2560 {
2561 struct pdb_methods *pdb = pdb_get_methods();
2562 return pdb->get_secret(pdb, mem_ctx, secret_name,
2563 secret_current, secret_current_lastchange,
2564 secret_old, secret_old_lastchange,
2565 sd);
2566 }
2567
2568 NTSTATUS pdb_set_secret(const char *secret_name,
2569 DATA_BLOB *secret_current,
2570 DATA_BLOB *secret_old,
2571 struct security_descriptor *sd)
2572 {
2573 struct pdb_methods *pdb = pdb_get_methods();
2574 return pdb->set_secret(pdb, secret_name,
2575 secret_current,
2576 secret_old,
2577 sd);
2578 }
2579
2580 NTSTATUS pdb_delete_secret(const char *secret_name)
2581 {
2582 struct pdb_methods *pdb = pdb_get_methods();
2583 return pdb->delete_secret(pdb, secret_name);
2584 }
2585
2586 static NTSTATUS pdb_default_get_secret(struct pdb_methods *methods,
2587 TALLOC_CTX *mem_ctx,
2588 const char *secret_name,
2589 DATA_BLOB *secret_current,
2590 NTTIME *secret_current_lastchange,
2591 DATA_BLOB *secret_old,
2592 NTTIME *secret_old_lastchange,
2593 struct security_descriptor **sd)
2594 {
2595 return lsa_secret_get(mem_ctx, secret_name,
2596 secret_current,
2597 secret_current_lastchange,
2598 secret_old,
2599 secret_old_lastchange,
2600 sd);
2601 }
2602
2603 static NTSTATUS pdb_default_set_secret(struct pdb_methods *methods,
2604 const char *secret_name,
2605 DATA_BLOB *secret_current,
2606 DATA_BLOB *secret_old,
2607 struct security_descriptor *sd)
2608 {
2609 return lsa_secret_set(secret_name,
2610 secret_current,
2611 secret_old,
2612 sd);
2613 }
2614
2615 static NTSTATUS pdb_default_delete_secret(struct pdb_methods *methods,
2616 const char *secret_name)
2617 {
2618 return lsa_secret_delete(secret_name);
2619 }
2620
2621 /*******************************************************************
2622 Create a pdb_methods structure and initialize it with the default
2623 operations. In this way a passdb module can simply implement
2624 the functionality it cares about. However, normally this is done
2625 in groups of related functions.
2626 *******************************************************************/
2627
2628 NTSTATUS make_pdb_method( struct pdb_methods **methods )
2629 {
2630 /* allocate memory for the structure as its own talloc CTX */
2631
2632 *methods = talloc_zero(NULL, struct pdb_methods);
2633 if (*methods == NULL) {
2634 return NT_STATUS_NO_MEMORY;
2635 }
2636
2637 (*methods)->get_domain_info = pdb_default_get_domain_info;
2638 (*methods)->getsampwnam = pdb_default_getsampwnam;
2639 (*methods)->getsampwsid = pdb_default_getsampwsid;
2640 (*methods)->create_user = pdb_default_create_user;
2641 (*methods)->delete_user = pdb_default_delete_user;
2642 (*methods)->add_sam_account = pdb_default_add_sam_account;
2643 (*methods)->update_sam_account = pdb_default_update_sam_account;
2644 (*methods)->delete_sam_account = pdb_default_delete_sam_account;
2645 (*methods)->rename_sam_account = pdb_default_rename_sam_account;
2646 (*methods)->update_login_attempts = pdb_default_update_login_attempts;
2647
2648 (*methods)->getgrsid = pdb_default_getgrsid;
2649 (*methods)->getgrgid = pdb_default_getgrgid;
2650 (*methods)->getgrnam = pdb_default_getgrnam;
2651 (*methods)->create_dom_group = pdb_default_create_dom_group;
2652 (*methods)->delete_dom_group = pdb_default_delete_dom_group;
2653 (*methods)->add_group_mapping_entry = pdb_default_add_group_mapping_entry;
2654 (*methods)->update_group_mapping_entry = pdb_default_update_group_mapping_entry;
2655 (*methods)->delete_group_mapping_entry = pdb_default_delete_group_mapping_entry;
2656 (*methods)->enum_group_mapping = pdb_default_enum_group_mapping;
2657 (*methods)->enum_group_members = pdb_default_enum_group_members;
2658 (*methods)->enum_group_memberships = pdb_default_enum_group_memberships;
2659 (*methods)->set_unix_primary_group = pdb_default_set_unix_primary_group;
2660 (*methods)->add_groupmem = pdb_default_add_groupmem;
2661 (*methods)->del_groupmem = pdb_default_del_groupmem;
2662 (*methods)->create_alias = pdb_default_create_alias;
2663 (*methods)->delete_alias = pdb_default_delete_alias;
2664 (*methods)->get_aliasinfo = pdb_default_get_aliasinfo;
2665 (*methods)->set_aliasinfo = pdb_default_set_aliasinfo;
2666 (*methods)->add_aliasmem = pdb_default_add_aliasmem;
2667 (*methods)->del_aliasmem = pdb_default_del_aliasmem;
2668 (*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
2669 (*methods)->enum_alias_memberships = pdb_default_alias_memberships;
2670 (*methods)->lookup_rids = pdb_default_lookup_rids;
2671 (*methods)->get_account_policy = pdb_default_get_account_policy;
2672 (*methods)->set_account_policy = pdb_default_set_account_policy;
2673 (*methods)->get_seq_num = pdb_default_get_seq_num;
2674 (*methods)->id_to_sid = pdb_default_id_to_sid;
2675 (*methods)->sid_to_id = pdb_default_sid_to_id;
2676
2677 (*methods)->search_groups = pdb_default_search_groups;
2678 (*methods)->search_aliases = pdb_default_search_aliases;
2679
2680 (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
2681 (*methods)->get_trusteddom_creds = pdb_default_get_trusteddom_creds;
2682 (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
2683 (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
2684 (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
2685
2686 (*methods)->get_trusted_domain = pdb_default_get_trusted_domain;
2687 (*methods)->get_trusted_domain_by_sid = pdb_default_get_trusted_domain_by_sid;
2688 (*methods)->set_trusted_domain = pdb_default_set_trusted_domain;
2689 (*methods)->del_trusted_domain = pdb_default_del_trusted_domain;
2690 (*methods)->enum_trusted_domains = pdb_default_enum_trusted_domains;
2691
2692 (*methods)->get_secret = pdb_default_get_secret;
2693 (*methods)->set_secret = pdb_default_set_secret;
2694 (*methods)->delete_secret = pdb_default_delete_secret;
2695
2696 (*methods)->enum_upn_suffixes = pdb_default_enum_upn_suffixes;
2697 (*methods)->set_upn_suffixes = pdb_default_set_upn_suffixes;
2698
2699 (*methods)->is_responsible_for_our_sam =
2700 pdb_default_is_responsible_for_our_sam;
2701 (*methods)->is_responsible_for_builtin =
2702 pdb_default_is_responsible_for_builtin;
2703 (*methods)->is_responsible_for_wellknown =
2704 pdb_default_is_responsible_for_wellknown;
2705 (*methods)->is_responsible_for_unix_users =
2706 pdb_default_is_responsible_for_unix_users;
2707 (*methods)->is_responsible_for_unix_groups =
2708 pdb_default_is_responsible_for_unix_groups;
2709 (*methods)->is_responsible_for_everything_else =
2710 pdb_default_is_responsible_for_everything_else;
2711
2712 return NT_STATUS_OK;
2713 }
Samba GIT mirror