2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/samr.h"
29 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
30 #define IPA_MAGIC_ID_STR "999"
32 #define LDAP_TRUST_CONTAINER "ou=system"
33 #define LDAP_ATTRIBUTE_CN "cn"
34 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
35 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
36 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
37 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
38 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
39 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
40 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
41 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
42 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
43 #define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
45 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
46 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
47 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
49 #define LDAP_OBJ_IPAOBJECT "ipaObject"
50 #define LDAP_OBJ_IPAHOST "ipaHost"
51 #define LDAP_OBJ_POSIXACCOUNT "posixAccount"
53 #define LDAP_OBJ_GROUPOFNAMES "groupOfNames"
54 #define LDAP_OBJ_NESTEDGROUP "nestedGroup"
55 #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
56 #define LDAP_OBJ_POSIXGROUP "posixGroup"
58 #define HAS_KRB_PRINCIPAL (1<<0)
59 #define HAS_KRB_PRINCIPAL_AUX (1<<1)
60 #define HAS_IPAOBJECT (1<<2)
61 #define HAS_IPAHOST (1<<3)
62 #define HAS_POSIXACCOUNT (1<<4)
63 #define HAS_GROUPOFNAMES (1<<5)
64 #define HAS_NESTEDGROUP (1<<6)
65 #define HAS_IPAUSERGROUP (1<<7)
66 #define HAS_POSIXGROUP (1<<8)
68 struct ipasam_privates
{
70 NTSTATUS (*ldapsam_add_sam_account
)(struct pdb_methods
*,
71 struct samu
*sampass
);
72 NTSTATUS (*ldapsam_update_sam_account
)(struct pdb_methods
*,
73 struct samu
*sampass
);
74 NTSTATUS (*ldapsam_create_user
)(struct pdb_methods
*my_methods
,
75 TALLOC_CTX
*tmp_ctx
, const char *name
,
76 uint32_t acb_info
, uint32_t *rid
);
77 NTSTATUS (*ldapsam_create_dom_group
)(struct pdb_methods
*my_methods
,
83 static bool ipasam_get_trusteddom_pw(struct pdb_methods
*methods
,
87 time_t *pass_last_set_time
)
92 static bool ipasam_set_trusteddom_pw(struct pdb_methods
*methods
,
95 const struct dom_sid
*sid
)
100 static bool ipasam_del_trusteddom_pw(struct pdb_methods
*methods
,
106 static char *get_account_dn(const char *name
)
111 escape_name
= escape_rdn_val_string_alloc(name
);
116 if (name
[strlen(name
)-1] == '$') {
117 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
118 lp_ldap_machine_suffix());
120 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
121 lp_ldap_user_suffix());
124 SAFE_FREE(escape_name
);
129 static char *trusted_domain_dn(struct ldapsam_privates
*ldap_state
,
132 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
133 LDAP_ATTRIBUTE_CN
, domain
,
134 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
137 static char *trusted_domain_base_dn(struct ldapsam_privates
*ldap_state
)
139 return talloc_asprintf(talloc_tos(), "%s,%s",
140 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
143 static bool get_trusted_domain_int(struct ldapsam_privates
*ldap_state
,
145 const char *filter
, LDAPMessage
**entry
)
148 char *base_dn
= NULL
;
149 LDAPMessage
*result
= NULL
;
152 base_dn
= trusted_domain_base_dn(ldap_state
);
153 if (base_dn
== NULL
) {
157 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
,
158 LDAP_SCOPE_SUBTREE
, filter
, NULL
, 0, &result
);
159 TALLOC_FREE(base_dn
);
161 if (result
!= NULL
) {
162 talloc_autofree_ldapmsg(mem_ctx
, result
);
165 if (rc
== LDAP_NO_SUCH_OBJECT
) {
170 if (rc
!= LDAP_SUCCESS
) {
174 num_result
= ldap_count_entries(priv2ld(ldap_state
), result
);
176 if (num_result
> 1) {
177 DEBUG(1, ("get_trusted_domain_int: more than one "
178 "%s object with filter '%s'?!\n",
179 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
183 if (num_result
== 0) {
184 DEBUG(1, ("get_trusted_domain_int: no "
185 "%s object with filter '%s'.\n",
186 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
189 *entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
195 static bool get_trusted_domain_by_name_int(struct ldapsam_privates
*ldap_state
,
202 filter
= talloc_asprintf(talloc_tos(),
203 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
204 LDAP_OBJ_TRUSTED_DOMAIN
,
205 LDAP_ATTRIBUTE_FLAT_NAME
, domain
,
206 LDAP_ATTRIBUTE_TRUST_PARTNER
, domain
, domain
);
207 if (filter
== NULL
) {
211 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
214 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates
*ldap_state
,
216 const char *sid
, LDAPMessage
**entry
)
220 filter
= talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
221 LDAP_OBJ_TRUSTED_DOMAIN
,
222 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
, sid
);
223 if (filter
== NULL
) {
227 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
230 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates
*ldap_state
,
239 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
242 DEBUG(9, ("Attribute %s not present.\n", attr
));
247 l
= strtoul(dummy
, &endptr
, 10);
250 if (l
< 0 || l
> UINT32_MAX
|| *endptr
!= '\0') {
259 static void get_data_blob_from_ldap_msg(TALLOC_CTX
*mem_ctx
,
260 struct ldapsam_privates
*ldap_state
,
261 LDAPMessage
*entry
, const char *attr
,
267 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
, attr
,
270 DEBUG(9, ("Attribute %s not present.\n", attr
));
273 blob
= base64_decode_data_blob(dummy
);
274 if (blob
.length
== 0) {
277 _blob
->length
= blob
.length
;
278 _blob
->data
= talloc_steal(mem_ctx
, blob
.data
);
284 static bool fill_pdb_trusted_domain(TALLOC_CTX
*mem_ctx
,
285 struct ldapsam_privates
*ldap_state
,
287 struct pdb_trusted_domain
**_td
)
291 struct pdb_trusted_domain
*td
;
297 td
= talloc_zero(mem_ctx
, struct pdb_trusted_domain
);
302 /* All attributes are MAY */
304 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
305 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
308 DEBUG(9, ("Attribute %s not present.\n",
309 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
));
310 ZERO_STRUCT(td
->security_identifier
);
312 res
= string_to_sid(&td
->security_identifier
, dummy
);
319 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
320 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
321 &td
->trust_auth_incoming
);
323 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
324 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
325 &td
->trust_auth_outgoing
);
327 td
->netbios_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
329 LDAP_ATTRIBUTE_FLAT_NAME
,
331 if (td
->netbios_name
== NULL
) {
332 DEBUG(9, ("Attribute %s not present.\n",
333 LDAP_ATTRIBUTE_FLAT_NAME
));
336 td
->domain_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
338 LDAP_ATTRIBUTE_TRUST_PARTNER
,
340 if (td
->domain_name
== NULL
) {
341 DEBUG(9, ("Attribute %s not present.\n",
342 LDAP_ATTRIBUTE_TRUST_PARTNER
));
345 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
346 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
347 &td
->trust_direction
);
352 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
353 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
354 &td
->trust_attributes
);
359 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
360 LDAP_ATTRIBUTE_TRUST_TYPE
,
366 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
367 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
368 &td
->trust_forest_trust_info
);
375 static NTSTATUS
ipasam_get_trusted_domain(struct pdb_methods
*methods
,
378 struct pdb_trusted_domain
**td
)
380 struct ldapsam_privates
*ldap_state
=
381 (struct ldapsam_privates
*)methods
->private_data
;
382 LDAPMessage
*entry
= NULL
;
384 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain
));
386 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
388 return NT_STATUS_UNSUCCESSFUL
;
391 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
393 return NT_STATUS_NO_SUCH_DOMAIN
;
396 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
397 return NT_STATUS_UNSUCCESSFUL
;
403 static NTSTATUS
ipasam_get_trusted_domain_by_sid(struct pdb_methods
*methods
,
406 struct pdb_trusted_domain
**td
)
408 struct ldapsam_privates
*ldap_state
=
409 (struct ldapsam_privates
*)methods
->private_data
;
410 LDAPMessage
*entry
= NULL
;
413 sid_str
= sid_string_tos(sid
);
415 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
418 if (!get_trusted_domain_by_sid_int(ldap_state
, talloc_tos(), sid_str
,
420 return NT_STATUS_UNSUCCESSFUL
;
423 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
424 "with sid: %s\n", sid_str
));
425 return NT_STATUS_NO_SUCH_DOMAIN
;
428 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
429 return NT_STATUS_UNSUCCESSFUL
;
435 static bool smbldap_make_mod_uint32_t(LDAP
*ldap_struct
, LDAPMessage
*entry
,
436 LDAPMod
***mods
, const char *attribute
,
441 dummy
= talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val
);
445 smbldap_make_mod(ldap_struct
, entry
, mods
, attribute
, dummy
);
451 static NTSTATUS
ipasam_set_trusted_domain(struct pdb_methods
*methods
,
453 const struct pdb_trusted_domain
*td
)
455 struct ldapsam_privates
*ldap_state
=
456 (struct ldapsam_privates
*)methods
->private_data
;
457 LDAPMessage
*entry
= NULL
;
460 char *trusted_dn
= NULL
;
463 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain
));
465 res
= get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
468 return NT_STATUS_UNSUCCESSFUL
;
472 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
, "objectClass",
473 LDAP_OBJ_TRUSTED_DOMAIN
);
475 if (td
->netbios_name
!= NULL
) {
476 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
477 LDAP_ATTRIBUTE_FLAT_NAME
,
481 if (td
->domain_name
!= NULL
) {
482 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
483 LDAP_ATTRIBUTE_TRUST_PARTNER
,
487 if (!is_null_sid(&td
->security_identifier
)) {
488 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
489 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
490 sid_string_tos(&td
->security_identifier
));
493 if (td
->trust_type
!= 0) {
494 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
495 &mods
, LDAP_ATTRIBUTE_TRUST_TYPE
,
498 return NT_STATUS_UNSUCCESSFUL
;
502 if (td
->trust_attributes
!= 0) {
503 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
505 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
506 td
->trust_attributes
);
508 return NT_STATUS_UNSUCCESSFUL
;
512 if (td
->trust_direction
!= 0) {
513 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
515 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
516 td
->trust_direction
);
518 return NT_STATUS_UNSUCCESSFUL
;
522 if (td
->trust_auth_outgoing
.data
!= NULL
) {
523 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
524 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
525 &td
->trust_auth_outgoing
);
528 if (td
->trust_auth_incoming
.data
!= NULL
) {
529 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
530 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
531 &td
->trust_auth_incoming
);
534 if (td
->trust_forest_trust_info
.data
!= NULL
) {
535 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
536 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
537 &td
->trust_forest_trust_info
);
540 talloc_autofree_ldapmod(talloc_tos(), mods
);
542 trusted_dn
= trusted_domain_dn(ldap_state
, domain
);
543 if (trusted_dn
== NULL
) {
544 return NT_STATUS_NO_MEMORY
;
547 ret
= smbldap_add(ldap_state
->smbldap_state
, trusted_dn
, mods
);
549 ret
= smbldap_modify(ldap_state
->smbldap_state
, trusted_dn
, mods
);
552 if (ret
!= LDAP_SUCCESS
) {
553 DEBUG(1, ("error writing trusted domain data!\n"));
554 return NT_STATUS_UNSUCCESSFUL
;
559 static NTSTATUS
ipasam_del_trusted_domain(struct pdb_methods
*methods
,
563 struct ldapsam_privates
*ldap_state
=
564 (struct ldapsam_privates
*)methods
->private_data
;
565 LDAPMessage
*entry
= NULL
;
568 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
570 return NT_STATUS_UNSUCCESSFUL
;
574 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
576 return NT_STATUS_NO_SUCH_DOMAIN
;
579 dn
= smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state
), entry
);
581 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
582 return NT_STATUS_NO_MEMORY
;
585 ret
= smbldap_delete(ldap_state
->smbldap_state
, dn
);
586 if (ret
!= LDAP_SUCCESS
) {
587 return NT_STATUS_UNSUCCESSFUL
;
593 static NTSTATUS
ipasam_enum_trusted_domains(struct pdb_methods
*methods
,
595 uint32_t *num_domains
,
596 struct pdb_trusted_domain
***domains
)
599 struct ldapsam_privates
*ldap_state
=
600 (struct ldapsam_privates
*)methods
->private_data
;
601 char *base_dn
= NULL
;
603 int scope
= LDAP_SCOPE_SUBTREE
;
604 LDAPMessage
*result
= NULL
;
605 LDAPMessage
*entry
= NULL
;
607 filter
= talloc_asprintf(talloc_tos(), "(objectClass=%s)",
608 LDAP_OBJ_TRUSTED_DOMAIN
);
609 if (filter
== NULL
) {
610 return NT_STATUS_NO_MEMORY
;
613 base_dn
= trusted_domain_base_dn(ldap_state
);
614 if (base_dn
== NULL
) {
616 return NT_STATUS_NO_MEMORY
;
619 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
, scope
, filter
,
622 TALLOC_FREE(base_dn
);
624 if (result
!= NULL
) {
625 talloc_autofree_ldapmsg(mem_ctx
, result
);
628 if (rc
== LDAP_NO_SUCH_OBJECT
) {
634 if (rc
!= LDAP_SUCCESS
) {
635 return NT_STATUS_UNSUCCESSFUL
;
639 if (!(*domains
= TALLOC_ARRAY(mem_ctx
, struct pdb_trusted_domain
*, 1))) {
640 DEBUG(1, ("talloc failed\n"));
641 return NT_STATUS_NO_MEMORY
;
644 for (entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
646 entry
= ldap_next_entry(priv2ld(ldap_state
), entry
))
648 struct pdb_trusted_domain
*dom_info
;
650 if (!fill_pdb_trusted_domain(*domains
, ldap_state
, entry
,
652 return NT_STATUS_UNSUCCESSFUL
;
655 ADD_TO_ARRAY(*domains
, struct pdb_trusted_domain
*, dom_info
,
656 domains
, num_domains
);
658 if (*domains
== NULL
) {
659 DEBUG(1, ("talloc failed\n"));
660 return NT_STATUS_NO_MEMORY
;
664 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains
));
668 static NTSTATUS
ipasam_enum_trusteddoms(struct pdb_methods
*methods
,
670 uint32_t *num_domains
,
671 struct trustdom_info
***domains
)
674 struct pdb_trusted_domain
**td
;
677 status
= ipasam_enum_trusted_domains(methods
, talloc_tos(),
679 if (!NT_STATUS_IS_OK(status
)) {
683 if (*num_domains
== 0) {
687 if (!(*domains
= TALLOC_ARRAY(mem_ctx
, struct trustdom_info
*,
689 DEBUG(1, ("talloc failed\n"));
690 return NT_STATUS_NO_MEMORY
;
693 for (i
= 0; i
< *num_domains
; i
++) {
694 struct trustdom_info
*dom_info
;
696 dom_info
= TALLOC_P(*domains
, struct trustdom_info
);
697 if (dom_info
== NULL
) {
698 DEBUG(1, ("talloc failed\n"));
699 return NT_STATUS_NO_MEMORY
;
702 dom_info
->name
= talloc_steal(mem_ctx
, td
[i
]->netbios_name
);
703 sid_copy(&dom_info
->sid
, &td
[i
]->security_identifier
);
705 (*domains
)[i
] = dom_info
;
711 static uint32_t pdb_ipasam_capabilities(struct pdb_methods
*methods
)
713 return PDB_CAP_STORE_RIDS
| PDB_CAP_ADS
| PDB_CAP_TRUSTED_DOMAINS_EX
;
716 static struct pdb_domain_info
*pdb_ipasam_get_domain_info(struct pdb_methods
*pdb_methods
,
719 struct pdb_domain_info
*info
;
721 struct ldapsam_privates
*ldap_state
= pdb_methods
->private_data
;
723 info
= talloc(mem_ctx
, struct pdb_domain_info
);
728 info
->name
= talloc_strdup(info
, ldap_state
->domain_name
);
729 if (info
->name
== NULL
) {
733 /* TODO: read dns_domain, dns_forest and guid from LDAP */
734 info
->dns_domain
= talloc_strdup(info
, lp_realm());
735 if (info
->dns_domain
== NULL
) {
738 strlower_m(info
->dns_domain
);
739 info
->dns_forest
= talloc_strdup(info
, info
->dns_domain
);
740 sid_copy(&info
->sid
, &ldap_state
->domain_sid
);
742 status
= GUID_from_string("testguid", &info
->guid
);
751 static NTSTATUS
modify_ipa_password_exop(struct ldapsam_privates
*ldap_state
,
752 struct samu
*sampass
)
755 BerElement
*ber
= NULL
;
756 struct berval
*bv
= NULL
;
758 struct berval
*retdata
= NULL
;
759 const char *password
;
762 password
= pdb_get_plaintext_passwd(sampass
);
763 if (password
== NULL
|| *password
== '\0') {
764 return NT_STATUS_INVALID_PARAMETER
;
767 dn
= get_account_dn(pdb_get_username(sampass
));
769 return NT_STATUS_INVALID_PARAMETER
;
772 ber
= ber_alloc_t( LBER_USE_DER
);
774 DEBUG(7, ("ber_alloc_t failed.\n"));
775 return NT_STATUS_NO_MEMORY
;
778 ret
= ber_printf(ber
, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID
, dn
,
779 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW
, password
);
781 DEBUG(7, ("ber_printf failed.\n"));
783 return NT_STATUS_UNSUCCESSFUL
;
786 ret
= ber_flatten(ber
, &bv
);
789 DEBUG(1, ("ber_flatten failed.\n"));
790 return NT_STATUS_UNSUCCESSFUL
;
793 ret
= smbldap_extended_operation(ldap_state
->smbldap_state
,
794 LDAP_EXOP_MODIFY_PASSWD
, bv
, NULL
,
795 NULL
, &retoid
, &retdata
);
801 ldap_memfree(retoid
);
803 if (ret
!= LDAP_SUCCESS
) {
804 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
805 return NT_STATUS_UNSUCCESSFUL
;
811 static NTSTATUS
ipasam_get_objectclasses(struct ldapsam_privates
*ldap_state
,
812 const char *dn
, LDAPMessage
*entry
,
813 uint32_t *has_objectclass
)
815 char **objectclasses
;
818 objectclasses
= ldap_get_values(priv2ld(ldap_state
), entry
,
819 LDAP_ATTRIBUTE_OBJECTCLASS
);
820 if (objectclasses
== NULL
) {
821 DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn
));
822 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
825 *has_objectclass
= 0;
826 for (c
= 0; objectclasses
[c
] != NULL
; c
++) {
827 if (strequal(objectclasses
[c
], LDAP_OBJ_KRB_PRINCIPAL
)) {
828 *has_objectclass
|= HAS_KRB_PRINCIPAL
;
829 } else if (strequal(objectclasses
[c
],
830 LDAP_OBJ_KRB_PRINCIPAL_AUX
)) {
831 *has_objectclass
|= HAS_KRB_PRINCIPAL_AUX
;
832 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAOBJECT
)) {
833 *has_objectclass
|= HAS_IPAOBJECT
;
834 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAHOST
)) {
835 *has_objectclass
|= HAS_IPAHOST
;
836 } else if (strequal(objectclasses
[c
], LDAP_OBJ_POSIXACCOUNT
)) {
837 *has_objectclass
|= HAS_POSIXACCOUNT
;
838 } else if (strequal(objectclasses
[c
], LDAP_OBJ_GROUPOFNAMES
)) {
839 *has_objectclass
|= HAS_GROUPOFNAMES
;
840 } else if (strequal(objectclasses
[c
], LDAP_OBJ_NESTEDGROUP
)) {
841 *has_objectclass
|= HAS_NESTEDGROUP
;
842 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAUSERGROUP
)) {
843 *has_objectclass
|= HAS_IPAUSERGROUP
;
844 } else if (strequal(objectclasses
[c
], LDAP_OBJ_POSIXGROUP
)) {
845 *has_objectclass
|= HAS_POSIXGROUP
;
848 ldap_value_free(objectclasses
);
859 static NTSTATUS
find_obj(struct ldapsam_privates
*ldap_state
, const char *name
,
860 enum obj_type type
, char **_dn
,
861 uint32_t *_has_objectclass
)
866 LDAPMessage
*result
= NULL
;
867 LDAPMessage
*entry
= NULL
;
870 uint32_t has_objectclass
;
872 const char *obj_class
= NULL
;
876 obj_class
= LDAP_OBJ_POSIXACCOUNT
;
879 obj_class
= LDAP_OBJ_POSIXGROUP
;
882 DEBUG(0, ("Unsupported IPA object.\n"));
883 return NT_STATUS_INVALID_PARAMETER
;
886 username
= escape_ldap_string(talloc_tos(), name
);
887 if (username
== NULL
) {
888 return NT_STATUS_NO_MEMORY
;
890 filter
= talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
891 username
, obj_class
);
892 if (filter
== NULL
) {
893 return NT_STATUS_NO_MEMORY
;
895 TALLOC_FREE(username
);
897 ret
= smbldap_search_suffix(ldap_state
->smbldap_state
, filter
, NULL
,
899 if (ret
!= LDAP_SUCCESS
) {
900 DEBUG(0, ("smbldap_search_suffix failed.\n"));
901 return NT_STATUS_ACCESS_DENIED
;
904 num_result
= ldap_count_entries(priv2ld(ldap_state
), result
);
906 if (num_result
!= 1) {
907 if (num_result
== 0) {
910 status
= NT_STATUS_NO_SUCH_USER
;
913 status
= NT_STATUS_NO_SUCH_GROUP
;
916 status
= NT_STATUS_INVALID_PARAMETER
;
919 DEBUG (0, ("find_user: More than one object with name [%s] ?!\n",
921 status
= NT_STATUS_INTERNAL_DB_CORRUPTION
;
926 entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
928 DEBUG(0,("find_user: Out of memory!\n"));
929 status
= NT_STATUS_UNSUCCESSFUL
;
933 dn
= smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state
), entry
);
935 DEBUG(0,("find_user: Out of memory!\n"));
936 status
= NT_STATUS_NO_MEMORY
;
940 status
= ipasam_get_objectclasses(ldap_state
, dn
, entry
, &has_objectclass
);
941 if (!NT_STATUS_IS_OK(status
)) {
946 *_has_objectclass
= has_objectclass
;
948 status
= NT_STATUS_OK
;
951 ldap_msgfree(result
);
956 static NTSTATUS
find_user(struct ldapsam_privates
*ldap_state
, const char *name
,
957 char **_dn
, uint32_t *_has_objectclass
)
959 return find_obj(ldap_state
, name
, IPA_USER_OBJ
, _dn
, _has_objectclass
);
962 static NTSTATUS
find_group(struct ldapsam_privates
*ldap_state
, const char *name
,
963 char **_dn
, uint32_t *_has_objectclass
)
965 return find_obj(ldap_state
, name
, IPA_GROUP_OBJ
, _dn
, _has_objectclass
);
968 static NTSTATUS
ipasam_add_posix_account_objectclass(struct ldapsam_privates
*ldap_state
,
971 const char *username
)
974 LDAPMod
**mods
= NULL
;
977 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
978 "objectclass", "posixAccount");
979 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
981 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
982 "uidNumber", IPA_MAGIC_ID_STR
);
983 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
984 "gidNumber", "12345");
985 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
986 "homeDirectory", "/dev/null");
988 if (ldap_op
== LDAP_MOD_ADD
) {
989 ret
= smbldap_add(ldap_state
->smbldap_state
, dn
, mods
);
991 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
993 ldap_mods_free(mods
, 1);
994 if (ret
!= LDAP_SUCCESS
) {
995 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1000 return NT_STATUS_OK
;
1003 static NTSTATUS
ipasam_add_ipa_group_objectclasses(struct ldapsam_privates
*ldap_state
,
1006 uint32_t has_objectclass
)
1008 LDAPMod
**mods
= NULL
;
1012 if (!(has_objectclass
& HAS_GROUPOFNAMES
)) {
1013 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1014 LDAP_ATTRIBUTE_OBJECTCLASS
,
1015 LDAP_OBJ_GROUPOFNAMES
);
1018 if (!(has_objectclass
& HAS_NESTEDGROUP
)) {
1019 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1020 LDAP_ATTRIBUTE_OBJECTCLASS
,
1021 LDAP_OBJ_NESTEDGROUP
);
1024 if (!(has_objectclass
& HAS_IPAUSERGROUP
)) {
1025 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1026 LDAP_ATTRIBUTE_OBJECTCLASS
,
1027 LDAP_OBJ_IPAUSERGROUP
);
1030 if (!(has_objectclass
& HAS_IPAOBJECT
)) {
1031 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1032 LDAP_ATTRIBUTE_OBJECTCLASS
,
1033 LDAP_OBJ_IPAOBJECT
);
1036 if (!(has_objectclass
& HAS_POSIXGROUP
)) {
1037 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1038 LDAP_ATTRIBUTE_OBJECTCLASS
,
1039 LDAP_OBJ_POSIXGROUP
);
1040 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1043 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1044 LDAP_ATTRIBUTE_GIDNUMBER
,
1048 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1049 ldap_mods_free(mods
, 1);
1050 if (ret
!= LDAP_SUCCESS
) {
1051 DEBUG(1, ("failed to modify/add group %s (dn = %s)\n",
1056 return NT_STATUS_OK
;
1059 static NTSTATUS
ipasam_add_ipa_objectclasses(struct ldapsam_privates
*ldap_state
,
1060 const char *dn
, const char *name
,
1062 uint32_t acct_flags
,
1063 uint32_t has_objectclass
)
1065 LDAPMod
**mods
= NULL
;
1070 if (!(has_objectclass
& HAS_KRB_PRINCIPAL
)) {
1071 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1072 LDAP_ATTRIBUTE_OBJECTCLASS
,
1073 LDAP_OBJ_KRB_PRINCIPAL
);
1075 princ
= talloc_asprintf(talloc_tos(), "%s@%s", name
, lp_realm());
1076 if (princ
== NULL
) {
1077 return NT_STATUS_NO_MEMORY
;
1080 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, LDAP_ATTRIBUTE_KRB_PRINCIPAL
, princ
);
1083 if (!(has_objectclass
& HAS_KRB_PRINCIPAL_AUX
)); {
1084 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1085 LDAP_ATTRIBUTE_OBJECTCLASS
,
1086 LDAP_OBJ_KRB_PRINCIPAL_AUX
);
1089 if (!(has_objectclass
& HAS_IPAOBJECT
)) {
1090 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1091 LDAP_ATTRIBUTE_OBJECTCLASS
, LDAP_OBJ_IPAOBJECT
);
1094 if ((acct_flags
!= 0) &&
1095 (((acct_flags
& ACB_NORMAL
) && name
[strlen(name
)-1] == '$') ||
1096 ((acct_flags
& (ACB_WSTRUST
|ACB_SVRTRUST
|ACB_DOMTRUST
)) != 0))) {
1098 if (!(has_objectclass
& HAS_IPAHOST
)) {
1099 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1100 LDAP_ATTRIBUTE_OBJECTCLASS
,
1103 if (domain
== NULL
) {
1104 return NT_STATUS_INVALID_PARAMETER
;
1107 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1112 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1113 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1114 "objectclass", "posixAccount");
1115 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "cn", name
);
1116 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1117 "uidNumber", IPA_MAGIC_ID_STR
);
1118 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1119 "gidNumber", "12345");
1120 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1121 "homeDirectory", "/dev/null");
1125 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1126 ldap_mods_free(mods
, 1);
1127 if (ret
!= LDAP_SUCCESS
) {
1128 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1134 return NT_STATUS_OK
;
1137 static NTSTATUS
pdb_ipasam_add_sam_account(struct pdb_methods
*pdb_methods
,
1138 struct samu
*sampass
)
1141 struct ldapsam_privates
*ldap_state
;
1144 uint32_t has_objectclass
;
1146 struct dom_sid user_sid
;
1148 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1150 if (IS_SAM_SET(sampass
, PDB_USERSID
) ||
1151 IS_SAM_CHANGED(sampass
, PDB_USERSID
)) {
1152 if (!pdb_new_rid(&rid
)) {
1153 return NT_STATUS_DS_NO_MORE_RIDS
;
1155 sid_compose(&user_sid
, get_global_sam_sid(), rid
);
1156 if (!pdb_set_user_sid(sampass
, &user_sid
, PDB_SET
)) {
1157 return NT_STATUS_UNSUCCESSFUL
;
1161 status
= ldap_state
->ipasam_privates
->ldapsam_add_sam_account(pdb_methods
,
1163 if (!NT_STATUS_IS_OK(status
)) {
1167 if (ldap_state
->ipasam_privates
->server_is_ipa
) {
1168 name
= pdb_get_username(sampass
);
1169 if (name
== NULL
|| *name
== '\0') {
1170 return NT_STATUS_INVALID_PARAMETER
;
1173 status
= find_user(ldap_state
, name
, &dn
, &has_objectclass
);
1174 if (!NT_STATUS_IS_OK(status
)) {
1178 status
= ipasam_add_ipa_objectclasses(ldap_state
, dn
, name
,
1179 pdb_get_domain(sampass
),
1180 pdb_get_acct_ctrl(sampass
),
1182 if (!NT_STATUS_IS_OK(status
)) {
1186 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1187 status
= ipasam_add_posix_account_objectclass(ldap_state
,
1190 if (!NT_STATUS_IS_OK(status
)) {
1195 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
1196 status
= modify_ipa_password_exop(ldap_state
, sampass
);
1197 if (!NT_STATUS_IS_OK(status
)) {
1203 return NT_STATUS_OK
;
1206 static NTSTATUS
pdb_ipasam_update_sam_account(struct pdb_methods
*pdb_methods
,
1207 struct samu
*sampass
)
1210 struct ldapsam_privates
*ldap_state
;
1211 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1213 status
= ldap_state
->ipasam_privates
->ldapsam_update_sam_account(pdb_methods
,
1215 if (!NT_STATUS_IS_OK(status
)) {
1219 if (ldap_state
->ipasam_privates
->server_is_ipa
) {
1220 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
1221 status
= modify_ipa_password_exop(ldap_state
, sampass
);
1222 if (!NT_STATUS_IS_OK(status
)) {
1228 return NT_STATUS_OK
;
1231 static NTSTATUS
ipasam_create_dom_group(struct pdb_methods
*pdb_methods
,
1232 TALLOC_CTX
*tmp_ctx
, const char *name
,
1236 struct ldapsam_privates
*ldap_state
;
1237 int ldap_op
= LDAP_MOD_REPLACE
;
1239 uint32_t has_objectclass
= 0;
1241 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1243 if (name
== NULL
|| *name
== '\0') {
1244 return NT_STATUS_INVALID_PARAMETER
;
1247 status
= find_group(ldap_state
, name
, &dn
, &has_objectclass
);
1248 if (NT_STATUS_IS_OK(status
)) {
1249 ldap_op
= LDAP_MOD_REPLACE
;
1250 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1251 ldap_op
= LDAP_MOD_ADD
;
1256 if (!(has_objectclass
& HAS_POSIXGROUP
)) {
1257 status
= ipasam_add_ipa_group_objectclasses(ldap_state
, dn
,
1260 if (!NT_STATUS_IS_OK(status
)) {
1265 status
= ldap_state
->ipasam_privates
->ldapsam_create_dom_group(pdb_methods
,
1269 if (!NT_STATUS_IS_OK(status
)) {
1273 return NT_STATUS_OK
;
1275 static NTSTATUS
ipasam_create_user(struct pdb_methods
*pdb_methods
,
1276 TALLOC_CTX
*tmp_ctx
, const char *name
,
1277 uint32_t acb_info
, uint32_t *rid
)
1280 struct ldapsam_privates
*ldap_state
;
1281 int ldap_op
= LDAP_MOD_REPLACE
;
1283 uint32_t has_objectclass
= 0;
1285 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1287 if (name
== NULL
|| *name
== '\0') {
1288 return NT_STATUS_INVALID_PARAMETER
;
1291 status
= find_user(ldap_state
, name
, &dn
, &has_objectclass
);
1292 if (NT_STATUS_IS_OK(status
)) {
1293 ldap_op
= LDAP_MOD_REPLACE
;
1294 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1295 char *escape_username
;
1296 ldap_op
= LDAP_MOD_ADD
;
1297 escape_username
= escape_rdn_val_string_alloc(name
);
1298 if (!escape_username
) {
1299 return NT_STATUS_NO_MEMORY
;
1301 if (name
[strlen(name
)-1] == '$') {
1302 dn
= talloc_asprintf(tmp_ctx
, "uid=%s,%s",
1304 lp_ldap_machine_suffix());
1306 dn
= talloc_asprintf(tmp_ctx
, "uid=%s,%s",
1308 lp_ldap_user_suffix());
1310 SAFE_FREE(escape_username
);
1312 return NT_STATUS_NO_MEMORY
;
1318 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1319 status
= ipasam_add_posix_account_objectclass(ldap_state
, ldap_op
,
1321 if (!NT_STATUS_IS_OK(status
)) {
1324 has_objectclass
|= HAS_POSIXACCOUNT
;
1327 status
= ldap_state
->ipasam_privates
->ldapsam_create_user(pdb_methods
,
1330 if (!NT_STATUS_IS_OK(status
)) {
1334 status
= ipasam_add_ipa_objectclasses(ldap_state
, dn
, name
, lp_realm(),
1335 acb_info
, has_objectclass
);
1336 if (!NT_STATUS_IS_OK(status
)) {
1340 return NT_STATUS_OK
;
1343 static NTSTATUS
pdb_init_IPA_ldapsam(struct pdb_methods
**pdb_method
, const char *location
)
1345 struct ldapsam_privates
*ldap_state
;
1348 status
= pdb_init_ldapsam(pdb_method
, location
);
1349 if (!NT_STATUS_IS_OK(status
)) {
1353 (*pdb_method
)->name
= "IPA_ldapsam";
1355 ldap_state
= (struct ldapsam_privates
*)((*pdb_method
)->private_data
);
1356 ldap_state
->ipasam_privates
= talloc_zero(ldap_state
,
1357 struct ipasam_privates
);
1358 if (ldap_state
->ipasam_privates
== NULL
) {
1359 return NT_STATUS_NO_MEMORY
;
1361 ldap_state
->is_ipa_ldap
= True
;
1363 ldap_state
->ipasam_privates
->server_is_ipa
= smbldap_has_extension(
1364 priv2ld(ldap_state
), IPA_KEYTAB_SET_OID
);
1365 ldap_state
->ipasam_privates
->ldapsam_add_sam_account
= (*pdb_method
)->add_sam_account
;
1366 ldap_state
->ipasam_privates
->ldapsam_update_sam_account
= (*pdb_method
)->update_sam_account
;
1367 ldap_state
->ipasam_privates
->ldapsam_create_user
= (*pdb_method
)->create_user
;
1368 ldap_state
->ipasam_privates
->ldapsam_create_dom_group
= (*pdb_method
)->create_dom_group
;
1370 (*pdb_method
)->add_sam_account
= pdb_ipasam_add_sam_account
;
1371 (*pdb_method
)->update_sam_account
= pdb_ipasam_update_sam_account
;
1373 if (lp_parm_bool(-1, "ldapsam", "trusted", False
)) {
1374 if (lp_parm_bool(-1, "ldapsam", "editposix", False
)) {
1375 (*pdb_method
)->create_user
= ipasam_create_user
;
1376 (*pdb_method
)->create_dom_group
= ipasam_create_dom_group
;
1380 (*pdb_method
)->capabilities
= pdb_ipasam_capabilities
;
1381 (*pdb_method
)->get_domain_info
= pdb_ipasam_get_domain_info
;
1383 (*pdb_method
)->get_trusteddom_pw
= ipasam_get_trusteddom_pw
;
1384 (*pdb_method
)->set_trusteddom_pw
= ipasam_set_trusteddom_pw
;
1385 (*pdb_method
)->del_trusteddom_pw
= ipasam_del_trusteddom_pw
;
1386 (*pdb_method
)->enum_trusteddoms
= ipasam_enum_trusteddoms
;
1388 (*pdb_method
)->get_trusted_domain
= ipasam_get_trusted_domain
;
1389 (*pdb_method
)->get_trusted_domain_by_sid
= ipasam_get_trusted_domain_by_sid
;
1390 (*pdb_method
)->set_trusted_domain
= ipasam_set_trusted_domain
;
1391 (*pdb_method
)->del_trusted_domain
= ipasam_del_trusted_domain
;
1392 (*pdb_method
)->enum_trusted_domains
= ipasam_enum_trusted_domains
;
1394 return NT_STATUS_OK
;
1397 NTSTATUS
pdb_ipa_init(void)
1401 if (!NT_STATUS_IS_OK(nt_status
= smb_register_passdb(PASSDB_INTERFACE_VERSION
, "IPA_ldapsam", pdb_init_IPA_ldapsam
)))
1404 return NT_STATUS_OK
;