search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-passdb: Respect LOOKUP_NAME_GROUP flag in sid lookup.
[Samba.git] / source3 / passdb / pdb_interface.c
blobd67e04ec9c42f3136e90148bfd6cfb7cd576b1a4
1 /*
2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Jelmer Vernooij 2002
6 Copyright (C) Simo Sorce 2003
7 Copyright (C) Volker Lendecke 2006
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/passwd.h"
25 #include "passdb.h"
26 #include "secrets.h"
27 #include "messages.h"
28 #include "../librpc/gen_ndr/samr.h"
29 #include "../librpc/gen_ndr/drsblobs.h"
30 #include "../librpc/gen_ndr/ndr_drsblobs.h"
31 #include "../librpc/gen_ndr/idmap.h"
32 #include "../lib/util/memcache.h"
33 #include "nsswitch/winbind_client.h"
34 #include "../libcli/security/security.h"
35 #include "../lib/util/util_pw.h"
36 #include "passdb/pdb_secrets.h"
37 #include "lib/util_sid_passdb.h"
38 #include "idmap_cache.h"
39
40 #undef DBGC_CLASS
41 #define DBGC_CLASS DBGC_PASSDB
42
43 static_decl_pdb;
44
45 static struct pdb_init_function_entry *backends = NULL;
46
47 static void lazy_initialize_passdb(void)
48 {
49 static bool initialized = False;
50 if(initialized) {
51 return;
52 }
53 static_init_pdb;
54 initialized = True;
55 }
56
57 static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
58 const char **name,
59 enum lsa_SidType *psid_name_use,
60 uid_t *uid, gid_t *gid);
61
62 NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
63 {
64 struct pdb_init_function_entry *entry = backends;
65
66 if(version != PASSDB_INTERFACE_VERSION) {
67 DEBUG(0,("Can't register passdb backend!\n"
68 "You tried to register a passdb module with PASSDB_INTERFACE_VERSION %d, "
69 "while this version of samba uses version %d\n",
70 version,PASSDB_INTERFACE_VERSION));
71 return NT_STATUS_OBJECT_TYPE_MISMATCH;
72 }
73
74 if (!name || !init) {
75 return NT_STATUS_INVALID_PARAMETER;
76 }
77
78 DEBUG(5,("Attempting to register passdb backend %s\n", name));
79
80 /* Check for duplicates */
81 if (pdb_find_backend_entry(name)) {
82 DEBUG(0,("There already is a passdb backend registered with the name %s!\n", name));
83 return NT_STATUS_OBJECT_NAME_COLLISION;
84 }
85
86 entry = SMB_XMALLOC_P(struct pdb_init_function_entry);
87 entry->name = smb_xstrdup(name);
88 entry->init = init;
89
90 DLIST_ADD(backends, entry);
91 DEBUG(5,("Successfully added passdb backend '%s'\n", name));
92 return NT_STATUS_OK;
93 }
94
95 struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
96 {
97 struct pdb_init_function_entry *entry = backends;
98
99 while(entry) {
100 if (strcmp(entry->name, name)==0) return entry;
101 entry = entry->next;
102 }
103
104 return NULL;
105 }
106
107 const struct pdb_init_function_entry *pdb_get_backends(void)
108 {
109 return backends;
110 }
111
112
113 /*
114 * The event context for the passdb backend. I know this is a bad hack and yet
115 * another static variable, but our pdb API is a global thing per
116 * definition. The first use for this is the LDAP idle function, more might be
117 * added later.
118 *
119 * I don't feel too bad about this static variable, it replaces the
120 * smb_idle_event_list that used to exist in lib/module.c. -- VL
121 */
122
123 static struct tevent_context *pdb_tevent_ctx;
124
125 struct tevent_context *pdb_get_tevent_context(void)
126 {
127 return pdb_tevent_ctx;
128 }
129
130 /******************************************************************
131 Make a pdb_methods from scratch
132 *******************************************************************/
133
134 NTSTATUS make_pdb_method_name(struct pdb_methods **methods, const char *selected)
135 {
136 char *module_name = smb_xstrdup(selected);
137 char *module_location = NULL, *p;
138 struct pdb_init_function_entry *entry;
139 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
140
141 lazy_initialize_passdb();
142
143 p = strchr(module_name, ':');
144
145 if (p) {
146 *p = 0;
147 module_location = p+1;
148 trim_char(module_location, ' ', ' ');
149 }
150
151 trim_char(module_name, ' ', ' ');
152
153
154 DEBUG(5,("Attempting to find a passdb backend to match %s (%s)\n", selected, module_name));
155
156 entry = pdb_find_backend_entry(module_name);
157
158 /* Try to find a module that contains this module */
159 if (!entry) {
160 DEBUG(2,("No builtin backend found, trying to load plugin\n"));
161 if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) {
162 DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name));
163 SAFE_FREE(module_name);
164 return NT_STATUS_UNSUCCESSFUL;
165 }
166 }
167
168 /* No such backend found */
169 if(!entry) {
170 DEBUG(0,("No builtin nor plugin backend for %s found\n", module_name));
171 SAFE_FREE(module_name);
172 return NT_STATUS_INVALID_PARAMETER;
173 }
174
175 DEBUG(5,("Found pdb backend %s\n", module_name));
176
177 if ( !NT_STATUS_IS_OK( nt_status = entry->init(methods, module_location) ) ) {
178 DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n",
179 selected, nt_errstr(nt_status)));
180 SAFE_FREE(module_name);
181 return nt_status;
182 }
183
184 SAFE_FREE(module_name);
185
186 DEBUG(5,("pdb backend %s has a valid init\n", selected));
187
188 return nt_status;
189 }
190
191 /******************************************************************
192 Return an already initialized pdb_methods structure
193 *******************************************************************/
194
195 static struct pdb_methods *pdb_get_methods_reload( bool reload )
196 {
197 static struct pdb_methods *pdb = NULL;
198
199 if ( pdb && reload ) {
200 if (pdb->free_private_data != NULL) {
201 pdb->free_private_data( &(pdb->private_data) );
202 }
203 if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
204 return NULL;
205 }
206 }
207
208 if ( !pdb ) {
209 if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
210 return NULL;
211 }
212 }
213
214 return pdb;
215 }
216
217 static struct pdb_methods *pdb_get_methods(void)
218 {
219 struct pdb_methods *pdb;
220
221 pdb = pdb_get_methods_reload(false);
222 if (!pdb) {
223 char *msg = NULL;
224 if (asprintf(&msg, "pdb_get_methods: "
225 "failed to get pdb methods for backend %s\n",
226 lp_passdb_backend()) > 0) {
227 smb_panic(msg);
228 } else {
229 smb_panic("pdb_get_methods");
230 }
231 }
232
233 return pdb;
234 }
235
236 struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX *mem_ctx)
237 {
238 struct pdb_methods *pdb = pdb_get_methods();
239 return pdb->get_domain_info(pdb, mem_ctx);
240 }
241
242 /**
243 * @brief Check if the user account has been locked out and try to unlock it.
244 *
245 * If the user has been automatically locked out and a lockout duration is set,
246 * then check if we can unlock the account and reset the bad password values.
247 *
248 * @param[in] sampass The sam user to check.
249 *
250 * @return True if the function was successfull, false on an error.
251 */
252 static bool pdb_try_account_unlock(struct samu *sampass)
253 {
254 uint32_t acb_info = pdb_get_acct_ctrl(sampass);
255
256 if ((acb_info & ACB_NORMAL) && (acb_info & ACB_AUTOLOCK)) {
257 uint32_t lockout_duration;
258 time_t bad_password_time;
259 time_t now = time(NULL);
260 bool ok;
261
262 ok = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
263 &lockout_duration);
264 if (!ok) {
265 DEBUG(0, ("pdb_try_account_unlock: "
266 "pdb_get_account_policy failed.\n"));
267 return false;
268 }
269
270 if (lockout_duration == (uint32_t) -1 ||
271 lockout_duration == 0) {
272 DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
273 "can't reset autolock\n"));
274 return false;
275 }
276 lockout_duration *= 60;
277
278 bad_password_time = pdb_get_bad_password_time(sampass);
279 if (bad_password_time == (time_t) 0) {
280 DEBUG(2, ("pdb_try_account_unlock: Account %s "
281 "administratively locked out "
282 "with no bad password "
283 "time. Leaving locked out.\n",
284 pdb_get_username(sampass)));
285 return true;
286 }
287
288 if ((bad_password_time +
289 convert_uint32_t_to_time_t(lockout_duration)) < now) {
290 NTSTATUS status;
291
292 pdb_set_acct_ctrl(sampass, acb_info & ~ACB_AUTOLOCK,
293 PDB_CHANGED);
294 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
295 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
296
297 become_root();
298 status = pdb_update_sam_account(sampass);
299 unbecome_root();
300 if (!NT_STATUS_IS_OK(status)) {
301 DEBUG(0, ("_samr_OpenUser: Couldn't "
302 "update account %s - %s\n",
303 pdb_get_username(sampass),
304 nt_errstr(status)));
305 return false;
306 }
307 }
308 }
309
310 return true;
311 }
312
313 /**
314 * @brief Get a sam user structure by the given username.
315 *
316 * This functions also checks if the account has been automatically locked out
317 * and unlocks it if a lockout duration time has been defined and the time has
318 * elapsed.
319 *
320 * @param[in] sam_acct The sam user structure to fill.
321 *
322 * @param[in] username The username to look for.
323 *
324 * @return True on success, false on error.
325 */
326 bool pdb_getsampwnam(struct samu *sam_acct, const char *username)
327 {
328 struct pdb_methods *pdb = pdb_get_methods();
329 struct samu *for_cache;
330 const struct dom_sid *user_sid;
331 NTSTATUS status;
332 bool ok;
333
334 status = pdb->getsampwnam(pdb, sam_acct, username);
335 if (!NT_STATUS_IS_OK(status)) {
336 return false;
337 }
338
339 ok = pdb_try_account_unlock(sam_acct);
340 if (!ok) {
341 DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
342 username));
343 }
344
345 for_cache = samu_new(NULL);
346 if (for_cache == NULL) {
347 return False;
348 }
349
350 if (!pdb_copy_sam_account(for_cache, sam_acct)) {
351 TALLOC_FREE(for_cache);
352 return False;
353 }
354
355 user_sid = pdb_get_user_sid(for_cache);
356
357 memcache_add_talloc(NULL, PDB_GETPWSID_CACHE,
358 data_blob_const(user_sid, sizeof(*user_sid)),
359 &for_cache);
360
361 return True;
362 }
363
364 /**********************************************************************
365 **********************************************************************/
366
367 static bool guest_user_info( struct samu *user )
368 {
369 struct passwd *pwd;
370 NTSTATUS result;
371 const char *guestname = lp_guest_account();
372
373 pwd = Get_Pwnam_alloc(talloc_tos(), guestname);
374 if (pwd == NULL) {
375 DEBUG(0,("guest_user_info: Unable to locate guest account [%s]!\n",
376 guestname));
377 return False;
378 }
379
380 result = samu_set_unix(user, pwd );
381
382 TALLOC_FREE( pwd );
383
384 return NT_STATUS_IS_OK( result );
385 }
386
387 /**
388 * @brief Get a sam user structure by the given username.
389 *
390 * This functions also checks if the account has been automatically locked out
391 * and unlocks it if a lockout duration time has been defined and the time has
392 * elapsed.
393 *
394 *
395 * @param[in] sam_acct The sam user structure to fill.
396 *
397 * @param[in] sid The user SDI to look up.
398 *
399 * @return True on success, false on error.
400 */
401 bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
402 {
403 struct pdb_methods *pdb = pdb_get_methods();
404 uint32_t rid;
405 void *cache_data;
406 bool ok = false;
407
408 /* hard code the Guest RID of 501 */
409
410 if ( !sid_peek_check_rid( get_global_sam_sid(), sid, &rid ) )
411 return False;
412
413 if ( rid == DOMAIN_RID_GUEST ) {
414 DEBUG(6,("pdb_getsampwsid: Building guest account\n"));
415 return guest_user_info( sam_acct );
416 }
417
418 /* check the cache first */
419
420 cache_data = memcache_lookup_talloc(
421 NULL, PDB_GETPWSID_CACHE, data_blob_const(sid, sizeof(*sid)));
422
423 if (cache_data != NULL) {
424 struct samu *cache_copy = talloc_get_type_abort(
425 cache_data, struct samu);
426
427 ok = pdb_copy_sam_account(sam_acct, cache_copy);
428 } else {
429 ok = NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
430 }
431
432 if (!ok) {
433 return false;
434 }
435
436 ok = pdb_try_account_unlock(sam_acct);
437 if (!ok) {
438 DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
439 sam_acct->username));
440 }
441
442 return true;
443 }
444
445 static NTSTATUS pdb_default_create_user(struct pdb_methods *methods,
446 TALLOC_CTX *tmp_ctx, const char *name,
447 uint32_t acb_info, uint32_t *rid)
448 {
449 struct samu *sam_pass;
450 NTSTATUS status;
451 struct passwd *pwd;
452
453 if ((sam_pass = samu_new(tmp_ctx)) == NULL) {
454 return NT_STATUS_NO_MEMORY;
455 }
456
457 if ( !(pwd = Get_Pwnam_alloc(tmp_ctx, name)) ) {
458 char *add_script = NULL;
459 int add_ret;
460 fstring name2;
461
462 if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] != '$') {
463 add_script = lp_add_user_script(tmp_ctx);
464 } else {
465 add_script = lp_add_machine_script(tmp_ctx);
466 }
467
468 if (!add_script || add_script[0] == '\0') {
469 DEBUG(3, ("Could not find user %s and no add script "
470 "defined\n", name));
471 return NT_STATUS_NO_SUCH_USER;
472 }
473
474 /* lowercase the username before creating the Unix account for
475 compatibility with previous Samba releases */
476 fstrcpy( name2, name );
477 if (!strlower_m( name2 )) {
478 return NT_STATUS_INVALID_PARAMETER;
479 }
480 add_script = talloc_all_string_sub(tmp_ctx,
481 add_script,
482 "%u",
483 name2);
484 if (!add_script) {
485 return NT_STATUS_NO_MEMORY;
486 }
487 add_ret = smbrun(add_script,NULL);
488 DEBUG(add_ret ? 0 : 3, ("_samr_create_user: Running the command `%s' gave %d\n",
489 add_script, add_ret));
490 if (add_ret == 0) {
491 smb_nscd_flush_user_cache();
492 }
493
494 flush_pwnam_cache();
495
496 pwd = Get_Pwnam_alloc(tmp_ctx, name);
497
498 if(pwd == NULL) {
499 DEBUG(3, ("Could not find user %s, add script did not work\n", name));
500 return NT_STATUS_NO_SUCH_USER;
501 }
502 }
503
504 /* we have a valid SID coming out of this call */
505
506 status = samu_alloc_rid_unix(methods, sam_pass, pwd);
507
508 TALLOC_FREE( pwd );
509
510 if (!NT_STATUS_IS_OK(status)) {
511 DEBUG(3, ("pdb_default_create_user: failed to create a new user structure: %s\n", nt_errstr(status)));
512 return status;
513 }
514
515 if (!sid_peek_check_rid(get_global_sam_sid(),
516 pdb_get_user_sid(sam_pass), rid)) {
517 DEBUG(0, ("Could not get RID of fresh user\n"));
518 return NT_STATUS_INTERNAL_ERROR;
519 }
520
521 /* Use the username case specified in the original request */
522
523 pdb_set_username( sam_pass, name, PDB_SET );
524
525 /* Disable the account on creation, it does not have a reasonable password yet. */
526
527 acb_info |= ACB_DISABLED;
528
529 pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
530
531 status = methods->add_sam_account(methods, sam_pass);
532
533 TALLOC_FREE(sam_pass);
534
535 return status;
536 }
537
538 NTSTATUS pdb_create_user(TALLOC_CTX *mem_ctx, const char *name, uint32_t flags,
539 uint32_t *rid)
540 {
541 struct pdb_methods *pdb = pdb_get_methods();
542 return pdb->create_user(pdb, mem_ctx, name, flags, rid);
543 }
544
545 /****************************************************************************
546 Delete a UNIX user on demand.
547 ****************************************************************************/
548
549 static int smb_delete_user(const char *unix_user)
550 {
551 char *del_script = NULL;
552 int ret;
553
554 /* safety check */
555
556 if ( strequal( unix_user, "root" ) ) {
557 DEBUG(0,("smb_delete_user: Refusing to delete local system root account!\n"));
558 return -1;
559 }
560
561 del_script = lp_delete_user_script(talloc_tos());
562 if (!del_script || !*del_script) {
563 return -1;
564 }
565 del_script = talloc_all_string_sub(talloc_tos(),
566 del_script,
567 "%u",
568 unix_user);
569 if (!del_script) {
570 return -1;
571 }
572 ret = smbrun(del_script,NULL);
573 flush_pwnam_cache();
574 if (ret == 0) {
575 smb_nscd_flush_user_cache();
576 }
577 DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
578
579 return ret;
580 }
581
582 static NTSTATUS pdb_default_delete_user(struct pdb_methods *methods,
583 TALLOC_CTX *mem_ctx,
584 struct samu *sam_acct)
585 {
586 NTSTATUS status;
587 fstring username;
588
589 status = methods->delete_sam_account(methods, sam_acct);
590 if (!NT_STATUS_IS_OK(status)) {
591 return status;
592 }
593
594 /*
595 * Now delete the unix side ....
596 * note: we don't check if the delete really happened as the script is
597 * not necessary present and maybe the sysadmin doesn't want to delete
598 * the unix side
599 */
600
601 /* always lower case the username before handing it off to
602 external scripts */
603
604 fstrcpy( username, pdb_get_username(sam_acct) );
605 if (!strlower_m( username )) {
606 return status;
607 }
608
609 smb_delete_user( username );
610
611 return status;
612 }
613
614 NTSTATUS pdb_delete_user(TALLOC_CTX *mem_ctx, struct samu *sam_acct)
615 {
616 struct pdb_methods *pdb = pdb_get_methods();
617 uid_t uid = -1;
618 NTSTATUS status;
619 const struct dom_sid *user_sid;
620 char *msg_data;
621
622 user_sid = pdb_get_user_sid(sam_acct);
623
624 /* sanity check to make sure we don't delete root */
625
626 if ( !sid_to_uid(user_sid, &uid ) ) {
627 return NT_STATUS_NO_SUCH_USER;
628 }
629
630 if ( uid == 0 ) {
631 return NT_STATUS_ACCESS_DENIED;
632 }
633
634 memcache_delete(NULL,
635 PDB_GETPWSID_CACHE,
636 data_blob_const(user_sid, sizeof(*user_sid)));
637
638 status = pdb->delete_user(pdb, mem_ctx, sam_acct);
639 if (!NT_STATUS_IS_OK(status)) {
640 return status;
641 }
642
643 msg_data = talloc_asprintf(mem_ctx, "USER %s",
644 pdb_get_username(sam_acct));
645 if (!msg_data) {
646 /* not fatal, and too late to rollback,
647 * just return */
648 return status;
649 }
650 message_send_all(server_messaging_context(),
651 ID_CACHE_DELETE,
652 msg_data,
653 strlen(msg_data) + 1,
654 NULL);
655
656 TALLOC_FREE(msg_data);
657 return status;
658 }
659
660 NTSTATUS pdb_add_sam_account(struct samu *sam_acct)
661 {
662 struct pdb_methods *pdb = pdb_get_methods();
663 return pdb->add_sam_account(pdb, sam_acct);
664 }
665
666 NTSTATUS pdb_update_sam_account(struct samu *sam_acct)
667 {
668 struct pdb_methods *pdb = pdb_get_methods();
669
670 memcache_flush(NULL, PDB_GETPWSID_CACHE);
671
672 return pdb->update_sam_account(pdb, sam_acct);
673 }
674
675 NTSTATUS pdb_delete_sam_account(struct samu *sam_acct)
676 {
677 struct pdb_methods *pdb = pdb_get_methods();
678 const struct dom_sid *user_sid = pdb_get_user_sid(sam_acct);
679
680 memcache_delete(NULL,
681 PDB_GETPWSID_CACHE,
682 data_blob_const(user_sid, sizeof(*user_sid)));
683
684 return pdb->delete_sam_account(pdb, sam_acct);
685 }
686
687 NTSTATUS pdb_rename_sam_account(struct samu *oldname, const char *newname)
688 {
689 struct pdb_methods *pdb = pdb_get_methods();
690 uid_t uid;
691 NTSTATUS status;
692
693 memcache_flush(NULL, PDB_GETPWSID_CACHE);
694
695 /* sanity check to make sure we don't rename root */
696
697 if ( !sid_to_uid( pdb_get_user_sid(oldname), &uid ) ) {
698 return NT_STATUS_NO_SUCH_USER;
699 }
700
701 if ( uid == 0 ) {
702 return NT_STATUS_ACCESS_DENIED;
703 }
704
705 status = pdb->rename_sam_account(pdb, oldname, newname);
706
707 /* always flush the cache here just to be safe */
708 flush_pwnam_cache();
709
710 return status;
711 }
712
713 NTSTATUS pdb_update_login_attempts(struct samu *sam_acct, bool success)
714 {
715 struct pdb_methods *pdb = pdb_get_methods();
716 return pdb->update_login_attempts(pdb, sam_acct, success);
717 }
718
719 bool pdb_getgrsid(GROUP_MAP *map, struct dom_sid sid)
720 {
721 struct pdb_methods *pdb = pdb_get_methods();
722 return NT_STATUS_IS_OK(pdb->getgrsid(pdb, map, sid));
723 }
724
725 bool pdb_getgrgid(GROUP_MAP *map, gid_t gid)
726 {
727 struct pdb_methods *pdb = pdb_get_methods();
728 return NT_STATUS_IS_OK(pdb->getgrgid(pdb, map, gid));
729 }
730
731 bool pdb_getgrnam(GROUP_MAP *map, const char *name)
732 {
733 struct pdb_methods *pdb = pdb_get_methods();
734 return NT_STATUS_IS_OK(pdb->getgrnam(pdb, map, name));
735 }
736
737 static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods,
738 TALLOC_CTX *mem_ctx,
739 const char *name,
740 uint32_t *rid)
741 {
742 struct dom_sid group_sid;
743 struct group *grp;
744 fstring tmp;
745
746 grp = getgrnam(name);
747
748 if (grp == NULL) {
749 gid_t gid;
750
751 if (smb_create_group(name, &gid) != 0) {
752 return NT_STATUS_ACCESS_DENIED;
753 }
754
755 grp = getgrgid(gid);
756 }
757
758 if (grp == NULL) {
759 return NT_STATUS_ACCESS_DENIED;
760 }
761
762 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
763 if (!pdb_new_rid(rid)) {
764 return NT_STATUS_ACCESS_DENIED;
765 }
766 } else {
767 *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
768 }
769
770 sid_compose(&group_sid, get_global_sam_sid(), *rid);
771
772 return add_initial_entry(grp->gr_gid, sid_to_fstring(tmp, &group_sid),
773 SID_NAME_DOM_GRP, name, NULL);
774 }
775
776 NTSTATUS pdb_create_dom_group(TALLOC_CTX *mem_ctx, const char *name,
777 uint32_t *rid)
778 {
779 struct pdb_methods *pdb = pdb_get_methods();
780 return pdb->create_dom_group(pdb, mem_ctx, name, rid);
781 }
782
783 static NTSTATUS pdb_default_delete_dom_group(struct pdb_methods *methods,
784 TALLOC_CTX *mem_ctx,
785 uint32_t rid)
786 {
787 struct dom_sid group_sid;
788 GROUP_MAP *map;
789 NTSTATUS status;
790 struct group *grp;
791 const char *grp_name;
792
793 map = talloc_zero(mem_ctx, GROUP_MAP);
794 if (!map) {
795 return NT_STATUS_NO_MEMORY;
796 }
797
798 /* coverity */
799 map->gid = (gid_t) -1;
800
801 sid_compose(&group_sid, get_global_sam_sid(), rid);
802
803 if (!get_domain_group_from_sid(group_sid, map)) {
804 DEBUG(10, ("Could not find group for rid %d\n", rid));
805 return NT_STATUS_NO_SUCH_GROUP;
806 }
807
808 /* We need the group name for the smb_delete_group later on */
809
810 if (map->gid == (gid_t)-1) {
811 return NT_STATUS_NO_SUCH_GROUP;
812 }
813
814 grp = getgrgid(map->gid);
815 if (grp == NULL) {
816 return NT_STATUS_NO_SUCH_GROUP;
817 }
818
819 TALLOC_FREE(map);
820
821 /* Copy the name, no idea what pdb_delete_group_mapping_entry does.. */
822
823 grp_name = talloc_strdup(mem_ctx, grp->gr_name);
824 if (grp_name == NULL) {
825 return NT_STATUS_NO_MEMORY;
826 }
827
828 status = pdb_delete_group_mapping_entry(group_sid);
829
830 if (!NT_STATUS_IS_OK(status)) {
831 return status;
832 }
833
834 /* Don't check the result of smb_delete_group */
835
836 smb_delete_group(grp_name);
837
838 return NT_STATUS_OK;
839 }
840
841 NTSTATUS pdb_delete_dom_group(TALLOC_CTX *mem_ctx, uint32_t rid)
842 {
843 struct pdb_methods *pdb = pdb_get_methods();
844 return pdb->delete_dom_group(pdb, mem_ctx, rid);
845 }
846
847 NTSTATUS pdb_add_group_mapping_entry(GROUP_MAP *map)
848 {
849 struct pdb_methods *pdb = pdb_get_methods();
850 return pdb->add_group_mapping_entry(pdb, map);
851 }
852
853 NTSTATUS pdb_update_group_mapping_entry(GROUP_MAP *map)
854 {
855 struct pdb_methods *pdb = pdb_get_methods();
856 return pdb->update_group_mapping_entry(pdb, map);
857 }
858
859 NTSTATUS pdb_delete_group_mapping_entry(struct dom_sid sid)
860 {
861 struct pdb_methods *pdb = pdb_get_methods();
862 return pdb->delete_group_mapping_entry(pdb, sid);
863 }
864
865 bool pdb_enum_group_mapping(const struct dom_sid *sid,
866 enum lsa_SidType sid_name_use,
867 GROUP_MAP ***pp_rmap,
868 size_t *p_num_entries,
869 bool unix_only)
870 {
871 struct pdb_methods *pdb = pdb_get_methods();
872 return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
873 pp_rmap, p_num_entries, unix_only));
874 }
875
876 NTSTATUS pdb_enum_group_members(TALLOC_CTX *mem_ctx,
877 const struct dom_sid *sid,
878 uint32_t **pp_member_rids,
879 size_t *p_num_members)
880 {
881 struct pdb_methods *pdb = pdb_get_methods();
882 NTSTATUS result;
883
884 result = pdb->enum_group_members(pdb, mem_ctx,
885 sid, pp_member_rids, p_num_members);
886
887 /* special check for rid 513 */
888
889 if ( !NT_STATUS_IS_OK( result ) ) {
890 uint32_t rid;
891
892 sid_peek_rid( sid, &rid );
893
894 if ( rid == DOMAIN_RID_USERS ) {
895 *p_num_members = 0;
896 *pp_member_rids = NULL;
897
898 return NT_STATUS_OK;
899 }
900 }
901
902 return result;
903 }
904
905 NTSTATUS pdb_enum_group_memberships(TALLOC_CTX *mem_ctx, struct samu *user,
906 struct dom_sid **pp_sids, gid_t **pp_gids,
907 uint32_t *p_num_groups)
908 {
909 struct pdb_methods *pdb = pdb_get_methods();
910 return pdb->enum_group_memberships(
911 pdb, mem_ctx, user,
912 pp_sids, pp_gids, p_num_groups);
913 }
914
915 static NTSTATUS pdb_default_set_unix_primary_group(struct pdb_methods *methods,
916 TALLOC_CTX *mem_ctx,
917 struct samu *sampass)
918 {
919 struct group *grp;
920 gid_t gid;
921
922 if (!sid_to_gid(pdb_get_group_sid(sampass), &gid) ||
923 (grp = getgrgid(gid)) == NULL) {
924 return NT_STATUS_INVALID_PRIMARY_GROUP;
925 }
926
927 if (smb_set_primary_group(grp->gr_name,
928 pdb_get_username(sampass)) != 0) {
929 return NT_STATUS_ACCESS_DENIED;
930 }
931
932 return NT_STATUS_OK;
933 }
934
935 NTSTATUS pdb_set_unix_primary_group(TALLOC_CTX *mem_ctx, struct samu *user)
936 {
937 struct pdb_methods *pdb = pdb_get_methods();
938 return pdb->set_unix_primary_group(pdb, mem_ctx, user);
939 }
940
941 /*
942 * Helper function to see whether a user is in a group. We can't use
943 * user_in_group_sid here because this creates dependencies only smbd can
944 * fulfil.
945 */
946
947 static bool pdb_user_in_group(TALLOC_CTX *mem_ctx, struct samu *account,
948 const struct dom_sid *group_sid)
949 {
950 struct dom_sid *sids;
951 gid_t *gids;
952 uint32_t i, num_groups;
953
954 if (!NT_STATUS_IS_OK(pdb_enum_group_memberships(mem_ctx, account,
955 &sids, &gids,
956 &num_groups))) {
957 return False;
958 }
959
960 for (i=0; i<num_groups; i++) {
961 if (dom_sid_equal(group_sid, &sids[i])) {
962 return True;
963 }
964 }
965 return False;
966 }
967
968 static NTSTATUS pdb_default_add_groupmem(struct pdb_methods *methods,
969 TALLOC_CTX *mem_ctx,
970 uint32_t group_rid,
971 uint32_t member_rid)
972 {
973 struct dom_sid group_sid, member_sid;
974 struct samu *account = NULL;
975 GROUP_MAP *map;
976 struct group *grp;
977 struct passwd *pwd;
978 const char *group_name;
979 uid_t uid;
980
981 map = talloc_zero(mem_ctx, GROUP_MAP);
982 if (!map) {
983 return NT_STATUS_NO_MEMORY;
984 }
985
986 /* coverity */
987 map->gid = (gid_t) -1;
988
989 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
990 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
991
992 if (!get_domain_group_from_sid(group_sid, map) ||
993 (map->gid == (gid_t)-1) ||
994 ((grp = getgrgid(map->gid)) == NULL)) {
995 return NT_STATUS_NO_SUCH_GROUP;
996 }
997
998 TALLOC_FREE(map);
999
1000 group_name = talloc_strdup(mem_ctx, grp->gr_name);
1001 if (group_name == NULL) {
1002 return NT_STATUS_NO_MEMORY;
1003 }
1004
1005 if ( !(account = samu_new( NULL )) ) {
1006 return NT_STATUS_NO_MEMORY;
1007 }
1008
1009 if (!pdb_getsampwsid(account, &member_sid) ||
1010 !sid_to_uid(&member_sid, &uid) ||
1011 ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1012 return NT_STATUS_NO_SUCH_USER;
1013 }
1014
1015 if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1016 return NT_STATUS_MEMBER_IN_GROUP;
1017 }
1018
1019 /*
1020 * ok, the group exist, the user exist, the user is not in the group,
1021 * we can (finally) add it to the group !
1022 */
1023
1024 smb_add_user_group(group_name, pwd->pw_name);
1025
1026 if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1027 return NT_STATUS_ACCESS_DENIED;
1028 }
1029
1030 return NT_STATUS_OK;
1031 }
1032
1033 NTSTATUS pdb_add_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1034 uint32_t member_rid)
1035 {
1036 struct pdb_methods *pdb = pdb_get_methods();
1037 return pdb->add_groupmem(pdb, mem_ctx, group_rid, member_rid);
1038 }
1039
1040 static NTSTATUS pdb_default_del_groupmem(struct pdb_methods *methods,
1041 TALLOC_CTX *mem_ctx,
1042 uint32_t group_rid,
1043 uint32_t member_rid)
1044 {
1045 struct dom_sid group_sid, member_sid;
1046 struct samu *account = NULL;
1047 GROUP_MAP *map;
1048 struct group *grp;
1049 struct passwd *pwd;
1050 const char *group_name;
1051 uid_t uid;
1052
1053 map = talloc_zero(mem_ctx, GROUP_MAP);
1054 if (!map) {
1055 return NT_STATUS_NO_MEMORY;
1056 }
1057
1058 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
1059 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
1060
1061 if (!get_domain_group_from_sid(group_sid, map) ||
1062 (map->gid == (gid_t)-1) ||
1063 ((grp = getgrgid(map->gid)) == NULL)) {
1064 return NT_STATUS_NO_SUCH_GROUP;
1065 }
1066
1067 TALLOC_FREE(map);
1068
1069 group_name = talloc_strdup(mem_ctx, grp->gr_name);
1070 if (group_name == NULL) {
1071 return NT_STATUS_NO_MEMORY;
1072 }
1073
1074 if ( !(account = samu_new( NULL )) ) {
1075 return NT_STATUS_NO_MEMORY;
1076 }
1077
1078 if (!pdb_getsampwsid(account, &member_sid) ||
1079 !sid_to_uid(&member_sid, &uid) ||
1080 ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1081 return NT_STATUS_NO_SUCH_USER;
1082 }
1083
1084 if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1085 return NT_STATUS_MEMBER_NOT_IN_GROUP;
1086 }
1087
1088 /*
1089 * ok, the group exist, the user exist, the user is in the group,
1090 * we can (finally) delete it from the group!
1091 */
1092
1093 smb_delete_user_group(group_name, pwd->pw_name);
1094
1095 if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1096 return NT_STATUS_ACCESS_DENIED;
1097 }
1098
1099 return NT_STATUS_OK;
1100 }
1101
1102 NTSTATUS pdb_del_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1103 uint32_t member_rid)
1104 {
1105 struct pdb_methods *pdb = pdb_get_methods();
1106 return pdb->del_groupmem(pdb, mem_ctx, group_rid, member_rid);
1107 }
1108
1109 NTSTATUS pdb_create_alias(const char *name, uint32_t *rid)
1110 {
1111 struct pdb_methods *pdb = pdb_get_methods();
1112 return pdb->create_alias(pdb, name, rid);
1113 }
1114
1115 NTSTATUS pdb_delete_alias(const struct dom_sid *sid)
1116 {
1117 struct pdb_methods *pdb = pdb_get_methods();
1118 return pdb->delete_alias(pdb, sid);
1119 }
1120
1121 NTSTATUS pdb_get_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1122 {
1123 struct pdb_methods *pdb = pdb_get_methods();
1124 return pdb->get_aliasinfo(pdb, sid, info);
1125 }
1126
1127 NTSTATUS pdb_set_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1128 {
1129 struct pdb_methods *pdb = pdb_get_methods();
1130 return pdb->set_aliasinfo(pdb, sid, info);
1131 }
1132
1133 NTSTATUS pdb_add_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1134 {
1135 struct pdb_methods *pdb = pdb_get_methods();
1136 return pdb->add_aliasmem(pdb, alias, member);
1137 }
1138
1139 NTSTATUS pdb_del_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1140 {
1141 struct pdb_methods *pdb = pdb_get_methods();
1142 return pdb->del_aliasmem(pdb, alias, member);
1143 }
1144
1145 NTSTATUS pdb_enum_aliasmem(const struct dom_sid *alias, TALLOC_CTX *mem_ctx,
1146 struct dom_sid **pp_members, size_t *p_num_members)
1147 {
1148 struct pdb_methods *pdb = pdb_get_methods();
1149 return pdb->enum_aliasmem(pdb, alias, mem_ctx, pp_members,
1150 p_num_members);
1151 }
1152
1153 NTSTATUS pdb_enum_alias_memberships(TALLOC_CTX *mem_ctx,
1154 const struct dom_sid *domain_sid,
1155 const struct dom_sid *members, size_t num_members,
1156 uint32_t **pp_alias_rids,
1157 size_t *p_num_alias_rids)
1158 {
1159 struct pdb_methods *pdb = pdb_get_methods();
1160 return pdb->enum_alias_memberships(pdb, mem_ctx,
1161 domain_sid,
1162 members, num_members,
1163 pp_alias_rids,
1164 p_num_alias_rids);
1165 }
1166
1167 NTSTATUS pdb_lookup_rids(const struct dom_sid *domain_sid,
1168 int num_rids,
1169 uint32_t *rids,
1170 const char **names,
1171 enum lsa_SidType *attrs)
1172 {
1173 struct pdb_methods *pdb = pdb_get_methods();
1174 return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs);
1175 }
1176
1177 bool pdb_get_account_policy(enum pdb_policy_type type, uint32_t *value)
1178 {
1179 struct pdb_methods *pdb = pdb_get_methods();
1180 NTSTATUS status;
1181
1182 become_root();
1183 status = pdb->get_account_policy(pdb, type, value);
1184 unbecome_root();
1185
1186 return NT_STATUS_IS_OK(status);
1187 }
1188
1189 bool pdb_set_account_policy(enum pdb_policy_type type, uint32_t value)
1190 {
1191 struct pdb_methods *pdb = pdb_get_methods();
1192 NTSTATUS status;
1193
1194 become_root();
1195 status = pdb->set_account_policy(pdb, type, value);
1196 unbecome_root();
1197
1198 return NT_STATUS_IS_OK(status);
1199 }
1200
1201 bool pdb_get_seq_num(time_t *seq_num)
1202 {
1203 struct pdb_methods *pdb = pdb_get_methods();
1204 return NT_STATUS_IS_OK(pdb->get_seq_num(pdb, seq_num));
1205 }
1206
1207 /*
1208 * Instead of passing down a gid or uid, this function sends down a pointer
1209 * to a unixid.
1210 *
1211 * This acts as an in-out variable so that the idmap functions can correctly
1212 * receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing
1213 * the cache to store ID_TYPE_UID or ID_TYPE_GID.
1214 */
1215 bool pdb_id_to_sid(struct unixid *id, struct dom_sid *sid)
1216 {
1217 struct pdb_methods *pdb = pdb_get_methods();
1218 bool ret;
1219
1220 ret = pdb->id_to_sid(pdb, id, sid);
1221
1222 if (ret == true) {
1223 idmap_cache_set_sid2unixid(sid, id);
1224 }
1225
1226 return ret;
1227 }
1228
1229 bool pdb_sid_to_id(const struct dom_sid *sid, struct unixid *id)
1230 {
1231 struct pdb_methods *pdb = pdb_get_methods();
1232 bool ret;
1233
1234 /* only ask the backend if it is responsible */
1235 if (!sid_check_object_is_for_passdb(sid)) {
1236 return false;
1237 }
1238
1239 ret = pdb->sid_to_id(pdb, sid, id);
1240
1241 if (ret == true) {
1242 idmap_cache_set_sid2unixid(sid, id);
1243 }
1244
1245 return ret;
1246 }
1247
1248 uint32_t pdb_capabilities(void)
1249 {
1250 struct pdb_methods *pdb = pdb_get_methods();
1251 return pdb->capabilities(pdb);
1252 }
1253
1254 /********************************************************************
1255 Allocate a new RID from the passdb backend. Verify that it is free
1256 by calling lookup_global_sam_rid() to verify that the RID is not
1257 in use. This handles servers that have existing users or groups
1258 with add RIDs (assigned from previous algorithmic mappings)
1259 ********************************************************************/
1260
1261 bool pdb_new_rid(uint32_t *rid)
1262 {
1263 struct pdb_methods *pdb = pdb_get_methods();
1264 const char *name = NULL;
1265 enum lsa_SidType type;
1266 uint32_t allocated_rid = 0;
1267 int i;
1268 TALLOC_CTX *ctx;
1269
1270 if ((pdb_capabilities() & PDB_CAP_STORE_RIDS) == 0) {
1271 DEBUG(0, ("Trying to allocate a RID when algorithmic RIDs "
1272 "are active\n"));
1273 return False;
1274 }
1275
1276 if (algorithmic_rid_base() != BASE_RID) {
1277 DEBUG(0, ("'algorithmic rid base' is set but a passdb backend "
1278 "without algorithmic RIDs is chosen.\n"));
1279 DEBUGADD(0, ("Please map all used groups using 'net groupmap "
1280 "add', set the maximum used RID\n"));
1281 DEBUGADD(0, ("and remove the parameter\n"));
1282 return False;
1283 }
1284
1285 if ( (ctx = talloc_init("pdb_new_rid")) == NULL ) {
1286 DEBUG(0,("pdb_new_rid: Talloc initialization failure\n"));
1287 return False;
1288 }
1289
1290 /* Attempt to get an unused RID (max tires is 250...yes that it is
1291 and arbitrary number I pulkled out of my head). -- jerry */
1292
1293 for ( i=0; allocated_rid==0 && i<250; i++ ) {
1294 /* get a new RID */
1295
1296 if ( !pdb->new_rid(pdb, &allocated_rid) ) {
1297 return False;
1298 }
1299
1300 /* validate that the RID is not in use */
1301
1302 if (lookup_global_sam_rid(ctx, allocated_rid, &name, &type, NULL, NULL)) {
1303 allocated_rid = 0;
1304 }
1305 }
1306
1307 TALLOC_FREE( ctx );
1308
1309 if ( allocated_rid == 0 ) {
1310 DEBUG(0,("pdb_new_rid: Failed to find unused RID\n"));
1311 return False;
1312 }
1313
1314 *rid = allocated_rid;
1315
1316 return True;
1317 }
1318
1319 /***************************************************************
1320 Initialize the static context (at smbd startup etc).
1321
1322 If uninitialised, context will auto-init on first use.
1323 ***************************************************************/
1324
1325 bool initialize_password_db(bool reload, struct tevent_context *tevent_ctx)
1326 {
1327 if (tevent_ctx) {
1328 pdb_tevent_ctx = tevent_ctx;
1329 }
1330 return (pdb_get_methods_reload(reload) != NULL);
1331 }
1332
1333 /***************************************************************************
1334 Default implementations of some functions.
1335 ****************************************************************************/
1336
1337 static NTSTATUS pdb_default_getsampwnam (struct pdb_methods *methods, struct samu *user, const char *sname)
1338 {
1339 return NT_STATUS_NO_SUCH_USER;
1340 }
1341
1342 static NTSTATUS pdb_default_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const struct dom_sid *sid)
1343 {
1344 return NT_STATUS_NO_SUCH_USER;
1345 }
1346
1347 static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1348 {
1349 return NT_STATUS_NOT_IMPLEMENTED;
1350 }
1351
1352 static NTSTATUS pdb_default_update_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1353 {
1354 return NT_STATUS_NOT_IMPLEMENTED;
1355 }
1356
1357 static NTSTATUS pdb_default_delete_sam_account (struct pdb_methods *methods, struct samu *pwd)
1358 {
1359 return NT_STATUS_NOT_IMPLEMENTED;
1360 }
1361
1362 static NTSTATUS pdb_default_rename_sam_account (struct pdb_methods *methods, struct samu *pwd, const char *newname)
1363 {
1364 return NT_STATUS_NOT_IMPLEMENTED;
1365 }
1366
1367 static NTSTATUS pdb_default_update_login_attempts (struct pdb_methods *methods, struct samu *newpwd, bool success)
1368 {
1369 /* Only the pdb_nds backend implements this, by
1370 * default just return ok. */
1371 return NT_STATUS_OK;
1372 }
1373
1374 static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t *value)
1375 {
1376 return account_policy_get(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1377 }
1378
1379 static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t value)
1380 {
1381 return account_policy_set(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1382 }
1383
1384 static NTSTATUS pdb_default_get_seq_num(struct pdb_methods *methods, time_t *seq_num)
1385 {
1386 *seq_num = time(NULL);
1387 return NT_STATUS_OK;
1388 }
1389
1390 static bool pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid,
1391 struct dom_sid *sid)
1392 {
1393 struct samu *sampw = NULL;
1394 struct passwd *unix_pw;
1395 bool ret;
1396
1397 unix_pw = getpwuid( uid );
1398
1399 if ( !unix_pw ) {
1400 DEBUG(4,("pdb_default_uid_to_sid: host has no idea of uid "
1401 "%lu\n", (unsigned long)uid));
1402 return False;
1403 }
1404
1405 if ( !(sampw = samu_new( NULL )) ) {
1406 DEBUG(0,("pdb_default_uid_to_sid: samu_new() failed!\n"));
1407 return False;
1408 }
1409
1410 become_root();
1411 ret = NT_STATUS_IS_OK(
1412 methods->getsampwnam(methods, sampw, unix_pw->pw_name ));
1413 unbecome_root();
1414
1415 if (!ret) {
1416 DEBUG(5, ("pdb_default_uid_to_sid: Did not find user "
1417 "%s (%u)\n", unix_pw->pw_name, (unsigned int)uid));
1418 TALLOC_FREE(sampw);
1419 return False;
1420 }
1421
1422 sid_copy(sid, pdb_get_user_sid(sampw));
1423
1424 TALLOC_FREE(sampw);
1425
1426 return True;
1427 }
1428
1429 static bool pdb_default_gid_to_sid(struct pdb_methods *methods, gid_t gid,
1430 struct dom_sid *sid)
1431 {
1432 GROUP_MAP *map;
1433
1434 map = talloc_zero(NULL, GROUP_MAP);
1435 if (!map) {
1436 return false;
1437 }
1438
1439 if (!NT_STATUS_IS_OK(methods->getgrgid(methods, map, gid))) {
1440 TALLOC_FREE(map);
1441 return false;
1442 }
1443
1444 sid_copy(sid, &map->sid);
1445 TALLOC_FREE(map);
1446 return true;
1447 }
1448
1449 static bool pdb_default_id_to_sid(struct pdb_methods *methods, struct unixid *id,
1450 struct dom_sid *sid)
1451 {
1452 switch (id->type) {
1453 case ID_TYPE_UID:
1454 return pdb_default_uid_to_sid(methods, id->id, sid);
1455
1456 case ID_TYPE_GID:
1457 return pdb_default_gid_to_sid(methods, id->id, sid);
1458
1459 default:
1460 return false;
1461 }
1462 }
1463 /**
1464 * The "Unix User" and "Unix Group" domains have a special
1465 * id mapping that is a rid-algorithm with range starting at 0.
1466 */
1467 bool pdb_sid_to_id_unix_users_and_groups(const struct dom_sid *sid,
1468 struct unixid *id)
1469 {
1470 uint32_t rid;
1471
1472 id->id = -1;
1473
1474 if (sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid)) {
1475 id->id = rid;
1476 id->type = ID_TYPE_UID;
1477 return true;
1478 }
1479
1480 if (sid_peek_check_rid(&global_sid_Unix_Groups, sid, &rid)) {
1481 id->id = rid;
1482 id->type = ID_TYPE_GID;
1483 return true;
1484 }
1485
1486 return false;
1487 }
1488
1489 static bool pdb_default_sid_to_id(struct pdb_methods *methods,
1490 const struct dom_sid *sid,
1491 struct unixid *id)
1492 {
1493 TALLOC_CTX *mem_ctx;
1494 bool ret = False;
1495 uint32_t rid;
1496 id->id = -1;
1497
1498 mem_ctx = talloc_new(NULL);
1499
1500 if (mem_ctx == NULL) {
1501 DEBUG(0, ("talloc_new failed\n"));
1502 return False;
1503 }
1504
1505 if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
1506 const char *name;
1507 enum lsa_SidType type;
1508 uid_t uid = (uid_t)-1;
1509 gid_t gid = (gid_t)-1;
1510 /* Here we might have users as well as groups and aliases */
1511 ret = lookup_global_sam_rid(mem_ctx, rid, &name, &type, &uid, &gid);
1512 if (ret) {
1513 switch (type) {
1514 case SID_NAME_DOM_GRP:
1515 case SID_NAME_ALIAS:
1516 id->type = ID_TYPE_GID;
1517 id->id = gid;
1518 break;
1519 case SID_NAME_USER:
1520 id->type = ID_TYPE_UID;
1521 id->id = uid;
1522 break;
1523 default:
1524 DEBUG(5, ("SID %s belongs to our domain, and "
1525 "an object exists in the database, "
1526 "but it is neither a user nor a "
1527 "group (got type %d).\n",
1528 sid_string_dbg(sid), type));
1529 ret = false;
1530 }
1531 } else {
1532 DEBUG(5, ("SID %s belongs to our domain, but there is "
1533 "no corresponding object in the database.\n",
1534 sid_string_dbg(sid)));
1535 }
1536 goto done;
1537 }
1538
1539 /*
1540 * "Unix User" and "Unix Group"
1541 */
1542 ret = pdb_sid_to_id_unix_users_and_groups(sid, id);
1543 if (ret == true) {
1544 goto done;
1545 }
1546
1547 /* BUILTIN */
1548
1549 if (sid_check_is_in_builtin(sid) ||
1550 sid_check_is_in_wellknown_domain(sid)) {
1551 /* Here we only have aliases */
1552 GROUP_MAP *map;
1553
1554 map = talloc_zero(mem_ctx, GROUP_MAP);
1555 if (!map) {
1556 ret = false;
1557 goto done;
1558 }
1559
1560 if (!NT_STATUS_IS_OK(methods->getgrsid(methods, map, *sid))) {
1561 DEBUG(10, ("Could not find map for sid %s\n",
1562 sid_string_dbg(sid)));
1563 goto done;
1564 }
1565 if ((map->sid_name_use != SID_NAME_ALIAS) &&
1566 (map->sid_name_use != SID_NAME_WKN_GRP)) {
1567 DEBUG(10, ("Map for sid %s is a %s, expected an "
1568 "alias\n", sid_string_dbg(sid),
1569 sid_type_lookup(map->sid_name_use)));
1570 goto done;
1571 }
1572
1573 id->id = map->gid;
1574 id->type = ID_TYPE_GID;
1575 ret = True;
1576 goto done;
1577 }
1578
1579 DEBUG(5, ("Sid %s is neither ours, a Unix SID, nor builtin\n",
1580 sid_string_dbg(sid)));
1581
1582 done:
1583
1584 TALLOC_FREE(mem_ctx);
1585 return ret;
1586 }
1587
1588 static bool get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, uint32_t *p_num)
1589 {
1590 struct group *grp;
1591 char **gr;
1592 struct passwd *pwd;
1593 bool winbind_env;
1594 bool ret = False;
1595
1596 *pp_uids = NULL;
1597 *p_num = 0;
1598
1599 /* We only look at our own sam, so don't care about imported stuff */
1600 winbind_env = winbind_env_set();
1601 (void)winbind_off();
1602
1603 if ((grp = getgrgid(gid)) == NULL) {
1604 /* allow winbindd lookups, but only if they weren't already disabled */
1605 goto done;
1606 }
1607
1608 /* Primary group members */
1609 setpwent();
1610 while ((pwd = getpwent()) != NULL) {
1611 if (pwd->pw_gid == gid) {
1612 if (!add_uid_to_array_unique(mem_ctx, pwd->pw_uid,
1613 pp_uids, p_num)) {
1614 goto done;
1615 }
1616 }
1617 }
1618 endpwent();
1619
1620 /* Secondary group members */
1621 for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
1622 struct passwd *pw = getpwnam(*gr);
1623
1624 if (pw == NULL)
1625 continue;
1626 if (!add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num)) {
1627 goto done;
1628 }
1629 }
1630
1631 ret = True;
1632
1633 done:
1634
1635 /* allow winbindd lookups, but only if they weren't already disabled */
1636 if (!winbind_env) {
1637 (void)winbind_on();
1638 }
1639
1640 return ret;
1641 }
1642
1643 static NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
1644 TALLOC_CTX *mem_ctx,
1645 const struct dom_sid *group,
1646 uint32_t **pp_member_rids,
1647 size_t *p_num_members)
1648 {
1649 gid_t gid;
1650 uid_t *uids;
1651 uint32_t i, num_uids;
1652
1653 *pp_member_rids = NULL;
1654 *p_num_members = 0;
1655
1656 if (!sid_to_gid(group, &gid))
1657 return NT_STATUS_NO_SUCH_GROUP;
1658
1659 if(!get_memberuids(mem_ctx, gid, &uids, &num_uids))
1660 return NT_STATUS_NO_SUCH_GROUP;
1661
1662 if (num_uids == 0)
1663 return NT_STATUS_OK;
1664
1665 *pp_member_rids = talloc_zero_array(mem_ctx, uint32_t, num_uids);
1666
1667 for (i=0; i<num_uids; i++) {
1668 struct dom_sid sid;
1669
1670 uid_to_sid(&sid, uids[i]);
1671
1672 if (!sid_check_is_in_our_sam(&sid)) {
1673 DEBUG(5, ("Inconsistent SAM -- group member uid not "
1674 "in our domain\n"));
1675 continue;
1676 }
1677
1678 sid_peek_rid(&sid, &(*pp_member_rids)[*p_num_members]);
1679 *p_num_members += 1;
1680 }
1681
1682 return NT_STATUS_OK;
1683 }
1684
1685 static NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
1686 TALLOC_CTX *mem_ctx,
1687 struct samu *user,
1688 struct dom_sid **pp_sids,
1689 gid_t **pp_gids,
1690 uint32_t *p_num_groups)
1691 {
1692 size_t i;
1693 gid_t gid;
1694 struct passwd *pw;
1695 const char *username = pdb_get_username(user);
1696
1697
1698 /* Ignore the primary group SID. Honor the real Unix primary group.
1699 The primary group SID is only of real use to Windows clients */
1700
1701 if ( !(pw = Get_Pwnam_alloc(mem_ctx, username)) ) {
1702 return NT_STATUS_NO_SUCH_USER;
1703 }
1704
1705 gid = pw->pw_gid;
1706
1707 TALLOC_FREE( pw );
1708
1709 if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) {
1710 return NT_STATUS_NO_SUCH_USER;
1711 }
1712
1713 if (*p_num_groups == 0) {
1714 smb_panic("primary group missing");
1715 }
1716
1717 *pp_sids = talloc_array(mem_ctx, struct dom_sid, *p_num_groups);
1718
1719 if (*pp_sids == NULL) {
1720 TALLOC_FREE(*pp_gids);
1721 return NT_STATUS_NO_MEMORY;
1722 }
1723
1724 for (i=0; i<*p_num_groups; i++) {
1725 gid_to_sid(&(*pp_sids)[i], (*pp_gids)[i]);
1726 }
1727
1728 return NT_STATUS_OK;
1729 }
1730
1731 /*******************************************************************
1732 Look up a rid in the SAM we're responsible for (i.e. passdb)
1733 ********************************************************************/
1734
1735 static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
1736 const char **name,
1737 enum lsa_SidType *psid_name_use,
1738 uid_t *uid, gid_t *gid)
1739 {
1740 struct samu *sam_account = NULL;
1741 GROUP_MAP *map = NULL;
1742 bool ret;
1743 struct dom_sid sid;
1744
1745 *psid_name_use = SID_NAME_UNKNOWN;
1746
1747 DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n",
1748 (unsigned int)rid));
1749
1750 sid_compose(&sid, get_global_sam_sid(), rid);
1751
1752 /* see if the passdb can help us with the name of the user */
1753
1754 if ( !(sam_account = samu_new( NULL )) ) {
1755 return False;
1756 }
1757
1758 map = talloc_zero(mem_ctx, GROUP_MAP);
1759 if (!map) {
1760 return false;
1761 }
1762
1763 /* BEING ROOT BLOCK */
1764 become_root();
1765 ret = pdb_getsampwsid(sam_account, &sid);
1766 if (!ret) {
1767 TALLOC_FREE(sam_account);
1768 ret = pdb_getgrsid(map, sid);
1769 }
1770 unbecome_root();
1771 /* END BECOME_ROOT BLOCK */
1772
1773 if (sam_account || !ret) {
1774 TALLOC_FREE(map);
1775 }
1776
1777 if (sam_account) {
1778 struct passwd *pw;
1779
1780 *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
1781 if (!*name) {
1782 TALLOC_FREE(sam_account);
1783 return False;
1784 }
1785
1786 *psid_name_use = SID_NAME_USER;
1787
1788 TALLOC_FREE(sam_account);
1789
1790 if (uid == NULL) {
1791 return True;
1792 }
1793
1794 pw = Get_Pwnam_alloc(talloc_tos(), *name);
1795 if (pw == NULL) {
1796 return False;
1797 }
1798 *uid = pw->pw_uid;
1799 TALLOC_FREE(pw);
1800 return True;
1801
1802 } else if (map && (map->gid != (gid_t)-1)) {
1803
1804 /* do not resolve SIDs to a name unless there is a valid
1805 gid associated with it */
1806
1807 *name = talloc_steal(mem_ctx, map->nt_name);
1808 *psid_name_use = map->sid_name_use;
1809
1810 if (gid) {
1811 *gid = map->gid;
1812 }
1813
1814 TALLOC_FREE(map);
1815 return True;
1816 }
1817
1818 TALLOC_FREE(map);
1819
1820 /* Windows will always map RID 513 to something. On a non-domain
1821 controller, this gets mapped to SERVER\None. */
1822
1823 if (uid || gid) {
1824 DEBUG(5, ("Can't find a unix id for an unmapped group\n"));
1825 return False;
1826 }
1827
1828 if ( rid == DOMAIN_RID_USERS ) {
1829 *name = talloc_strdup(mem_ctx, "None" );
1830 *psid_name_use = SID_NAME_DOM_GRP;
1831
1832 return True;
1833 }
1834
1835 return False;
1836 }
1837
1838 static NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
1839 const struct dom_sid *domain_sid,
1840 int num_rids,
1841 uint32_t *rids,
1842 const char **names,
1843 enum lsa_SidType *attrs)
1844 {
1845 int i;
1846 NTSTATUS result;
1847 bool have_mapped = False;
1848 bool have_unmapped = False;
1849
1850 if (sid_check_is_builtin(domain_sid)) {
1851
1852 for (i=0; i<num_rids; i++) {
1853 const char *name;
1854
1855 if (lookup_builtin_rid(names, rids[i], &name)) {
1856 attrs[i] = SID_NAME_ALIAS;
1857 names[i] = name;
1858 DEBUG(5,("lookup_rids: %s:%d\n",
1859 names[i], attrs[i]));
1860 have_mapped = True;
1861 } else {
1862 have_unmapped = True;
1863 attrs[i] = SID_NAME_UNKNOWN;
1864 }
1865 }
1866 goto done;
1867 }
1868
1869 /* Should not happen, but better check once too many */
1870 if (!sid_check_is_our_sam(domain_sid)) {
1871 return NT_STATUS_INVALID_HANDLE;
1872 }
1873
1874 for (i = 0; i < num_rids; i++) {
1875 const char *name;
1876
1877 if (lookup_global_sam_rid(names, rids[i], &name, &attrs[i],
1878 NULL, NULL)) {
1879 if (name == NULL) {
1880 return NT_STATUS_NO_MEMORY;
1881 }
1882 names[i] = name;
1883 DEBUG(5,("lookup_rids: %s:%d\n", names[i], attrs[i]));
1884 have_mapped = True;
1885 } else {
1886 have_unmapped = True;
1887 attrs[i] = SID_NAME_UNKNOWN;
1888 }
1889 }
1890
1891 done:
1892
1893 result = NT_STATUS_NONE_MAPPED;
1894
1895 if (have_mapped)
1896 result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
1897
1898 return result;
1899 }
1900
1901 static int pdb_search_destructor(struct pdb_search *search)
1902 {
1903 if ((!search->search_ended) && (search->search_end != NULL)) {
1904 search->search_end(search);
1905 }
1906 return 0;
1907 }
1908
1909 struct pdb_search *pdb_search_init(TALLOC_CTX *mem_ctx,
1910 enum pdb_search_type type)
1911 {
1912 struct pdb_search *result;
1913
1914 result = talloc(mem_ctx, struct pdb_search);
1915 if (result == NULL) {
1916 DEBUG(0, ("talloc failed\n"));
1917 return NULL;
1918 }
1919
1920 result->type = type;
1921 result->cache = NULL;
1922 result->num_entries = 0;
1923 result->cache_size = 0;
1924 result->search_ended = False;
1925 result->search_end = NULL;
1926
1927 /* Segfault appropriately if not initialized */
1928 result->next_entry = NULL;
1929 result->search_end = NULL;
1930
1931 talloc_set_destructor(result, pdb_search_destructor);
1932
1933 return result;
1934 }
1935
1936 static void fill_displayentry(TALLOC_CTX *mem_ctx, uint32_t rid,
1937 uint16_t acct_flags,
1938 const char *account_name,
1939 const char *fullname,
1940 const char *description,
1941 struct samr_displayentry *entry)
1942 {
1943 entry->rid = rid;
1944 entry->acct_flags = acct_flags;
1945
1946 if (account_name != NULL)
1947 entry->account_name = talloc_strdup(mem_ctx, account_name);
1948 else
1949 entry->account_name = "";
1950
1951 if (fullname != NULL)
1952 entry->fullname = talloc_strdup(mem_ctx, fullname);
1953 else
1954 entry->fullname = "";
1955
1956 if (description != NULL)
1957 entry->description = talloc_strdup(mem_ctx, description);
1958 else
1959 entry->description = "";
1960 }
1961
1962 struct group_search {
1963 GROUP_MAP **groups;
1964 size_t num_groups, current_group;
1965 };
1966
1967 static bool next_entry_groups(struct pdb_search *s,
1968 struct samr_displayentry *entry)
1969 {
1970 struct group_search *state = (struct group_search *)s->private_data;
1971 uint32_t rid;
1972 GROUP_MAP *map;
1973
1974 if (state->current_group == state->num_groups)
1975 return False;
1976
1977 map = state->groups[state->current_group];
1978
1979 sid_peek_rid(&map->sid, &rid);
1980
1981 fill_displayentry(s, rid, 0, map->nt_name, NULL, map->comment, entry);
1982
1983 state->current_group += 1;
1984 return True;
1985 }
1986
1987 static void search_end_groups(struct pdb_search *search)
1988 {
1989 struct group_search *state =
1990 (struct group_search *)search->private_data;
1991 TALLOC_FREE(state->groups);
1992 }
1993
1994 static bool pdb_search_grouptype(struct pdb_methods *methods,
1995 struct pdb_search *search,
1996 const struct dom_sid *sid, enum lsa_SidType type)
1997 {
1998 struct group_search *state;
1999
2000 state = talloc_zero(search, struct group_search);
2001 if (state == NULL) {
2002 DEBUG(0, ("talloc failed\n"));
2003 return False;
2004 }
2005
2006 if (!NT_STATUS_IS_OK(methods->enum_group_mapping(methods, sid, type,
2007 &state->groups, &state->num_groups,
2008 True))) {
2009 DEBUG(0, ("Could not enum groups\n"));
2010 return False;
2011 }
2012
2013 state->current_group = 0;
2014 search->private_data = state;
2015 search->next_entry = next_entry_groups;
2016 search->search_end = search_end_groups;
2017 return True;
2018 }
2019
2020 static bool pdb_default_search_groups(struct pdb_methods *methods,
2021 struct pdb_search *search)
2022 {
2023 return pdb_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
2024 }
2025
2026 static bool pdb_default_search_aliases(struct pdb_methods *methods,
2027 struct pdb_search *search,
2028 const struct dom_sid *sid)
2029 {
2030
2031 return pdb_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
2032 }
2033
2034 static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
2035 uint32_t idx)
2036 {
2037 if (idx < search->num_entries)
2038 return &search->cache[idx];
2039
2040 if (search->search_ended)
2041 return NULL;
2042
2043 while (idx >= search->num_entries) {
2044 struct samr_displayentry entry;
2045
2046 if (!search->next_entry(search, &entry)) {
2047 search->search_end(search);
2048 search->search_ended = True;
2049 break;
2050 }
2051
2052 ADD_TO_LARGE_ARRAY(search, struct samr_displayentry,
2053 entry, &search->cache, &search->num_entries,
2054 &search->cache_size);
2055 }
2056
2057 return (search->num_entries > idx) ? &search->cache[idx] : NULL;
2058 }
2059
2060 struct pdb_search *pdb_search_users(TALLOC_CTX *mem_ctx, uint32_t acct_flags)
2061 {
2062 struct pdb_methods *pdb = pdb_get_methods();
2063 struct pdb_search *result;
2064
2065 result = pdb_search_init(mem_ctx, PDB_USER_SEARCH);
2066 if (result == NULL) {
2067 return NULL;
2068 }
2069
2070 if (!pdb->search_users(pdb, result, acct_flags)) {
2071 TALLOC_FREE(result);
2072 return NULL;
2073 }
2074 return result;
2075 }
2076
2077 struct pdb_search *pdb_search_groups(TALLOC_CTX *mem_ctx)
2078 {
2079 struct pdb_methods *pdb = pdb_get_methods();
2080 struct pdb_search *result;
2081
2082 result = pdb_search_init(mem_ctx, PDB_GROUP_SEARCH);
2083 if (result == NULL) {
2084 return NULL;
2085 }
2086
2087 if (!pdb->search_groups(pdb, result)) {
2088 TALLOC_FREE(result);
2089 return NULL;
2090 }
2091 return result;
2092 }
2093
2094 struct pdb_search *pdb_search_aliases(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
2095 {
2096 struct pdb_methods *pdb = pdb_get_methods();
2097 struct pdb_search *result;
2098
2099 if (pdb == NULL) return NULL;
2100
2101 result = pdb_search_init(mem_ctx, PDB_ALIAS_SEARCH);
2102 if (result == NULL) {
2103 return NULL;
2104 }
2105
2106 if (!pdb->search_aliases(pdb, result, sid)) {
2107 TALLOC_FREE(result);
2108 return NULL;
2109 }
2110 return result;
2111 }
2112
2113 uint32_t pdb_search_entries(struct pdb_search *search,
2114 uint32_t start_idx, uint32_t max_entries,
2115 struct samr_displayentry **result)
2116 {
2117 struct samr_displayentry *end_entry;
2118 uint32_t end_idx = start_idx+max_entries-1;
2119
2120 /* The first entry needs to be searched after the last. Otherwise the
2121 * first entry might have moved due to a realloc during the search for
2122 * the last entry. */
2123
2124 end_entry = pdb_search_getentry(search, end_idx);
2125 *result = pdb_search_getentry(search, start_idx);
2126
2127 if (end_entry != NULL)
2128 return max_entries;
2129
2130 if (start_idx >= search->num_entries)
2131 return 0;
2132
2133 return search->num_entries - start_idx;
2134 }
2135
2136 /*******************************************************************
2137 trustdom methods
2138 *******************************************************************/
2139
2140 bool pdb_get_trusteddom_pw(const char *domain, char** pwd, struct dom_sid *sid,
2141 time_t *pass_last_set_time)
2142 {
2143 struct pdb_methods *pdb = pdb_get_methods();
2144 return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
2145 pass_last_set_time);
2146 }
2147
2148 NTSTATUS pdb_get_trusteddom_creds(const char *domain, TALLOC_CTX *mem_ctx,
2149 struct cli_credentials **creds)
2150 {
2151 struct pdb_methods *pdb = pdb_get_methods();
2152 return pdb->get_trusteddom_creds(pdb, domain, mem_ctx, creds);
2153 }
2154
2155 bool pdb_set_trusteddom_pw(const char* domain, const char* pwd,
2156 const struct dom_sid *sid)
2157 {
2158 struct pdb_methods *pdb = pdb_get_methods();
2159 return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
2160 }
2161
2162 bool pdb_del_trusteddom_pw(const char *domain)
2163 {
2164 struct pdb_methods *pdb = pdb_get_methods();
2165 return pdb->del_trusteddom_pw(pdb, domain);
2166 }
2167
2168 NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2169 struct trustdom_info ***domains)
2170 {
2171 struct pdb_methods *pdb = pdb_get_methods();
2172 return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
2173 }
2174
2175 /*******************************************************************
2176 the defaults for trustdom methods:
2177 these simply call the original passdb/secrets.c actions,
2178 to be replaced by pdb_ldap.
2179 *******************************************************************/
2180
2181 static bool pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
2182 const char *domain,
2183 char** pwd,
2184 struct dom_sid *sid,
2185 time_t *pass_last_set_time)
2186 {
2187 return secrets_fetch_trusted_domain_password(domain, pwd,
2188 sid, pass_last_set_time);
2189
2190 }
2191
2192 static NTSTATUS pdb_default_get_trusteddom_creds(struct pdb_methods *methods,
2193 const char *domain,
2194 TALLOC_CTX *mem_ctx,
2195 struct cli_credentials **creds)
2196 {
2197 *creds = NULL;
2198 return NT_STATUS_NOT_IMPLEMENTED;
2199 }
2200
2201 static bool pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
2202 const char* domain,
2203 const char* pwd,
2204 const struct dom_sid *sid)
2205 {
2206 return secrets_store_trusted_domain_password(domain, pwd, sid);
2207 }
2208
2209 static bool pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
2210 const char *domain)
2211 {
2212 return trusted_domain_password_delete(domain);
2213 }
2214
2215 static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
2216 TALLOC_CTX *mem_ctx,
2217 uint32_t *num_domains,
2218 struct trustdom_info ***domains)
2219 {
2220 return secrets_trusted_domains(mem_ctx, num_domains, domains);
2221 }
2222
2223 /*******************************************************************
2224 trusted_domain methods
2225 *******************************************************************/
2226
2227 NTSTATUS pdb_get_trusted_domain(TALLOC_CTX *mem_ctx, const char *domain,
2228 struct pdb_trusted_domain **td)
2229 {
2230 struct pdb_methods *pdb = pdb_get_methods();
2231 return pdb->get_trusted_domain(pdb, mem_ctx, domain, td);
2232 }
2233
2234 NTSTATUS pdb_get_trusted_domain_by_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid,
2235 struct pdb_trusted_domain **td)
2236 {
2237 struct pdb_methods *pdb = pdb_get_methods();
2238 return pdb->get_trusted_domain_by_sid(pdb, mem_ctx, sid, td);
2239 }
2240
2241 NTSTATUS pdb_set_trusted_domain(const char* domain,
2242 const struct pdb_trusted_domain *td)
2243 {
2244 struct pdb_methods *pdb = pdb_get_methods();
2245 return pdb->set_trusted_domain(pdb, domain, td);
2246 }
2247
2248 NTSTATUS pdb_del_trusted_domain(const char *domain)
2249 {
2250 struct pdb_methods *pdb = pdb_get_methods();
2251 return pdb->del_trusted_domain(pdb, domain);
2252 }
2253
2254 NTSTATUS pdb_enum_trusted_domains(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2255 struct pdb_trusted_domain ***domains)
2256 {
2257 struct pdb_methods *pdb = pdb_get_methods();
2258 return pdb->enum_trusted_domains(pdb, mem_ctx, num_domains, domains);
2259 }
2260
2261 static NTSTATUS pdb_default_get_trusted_domain(struct pdb_methods *methods,
2262 TALLOC_CTX *mem_ctx,
2263 const char *domain,
2264 struct pdb_trusted_domain **td)
2265 {
2266 struct trustAuthInOutBlob taiob;
2267 struct AuthenticationInformation aia;
2268 struct pdb_trusted_domain *tdom;
2269 enum ndr_err_code ndr_err;
2270 time_t last_set_time;
2271 char *pwd;
2272 bool ok;
2273
2274 tdom = talloc(mem_ctx, struct pdb_trusted_domain);
2275 if (!tdom) {
2276 return NT_STATUS_NO_MEMORY;
2277 }
2278
2279 tdom->domain_name = talloc_strdup(tdom, domain);
2280 tdom->netbios_name = talloc_strdup(tdom, domain);
2281 if (!tdom->domain_name || !tdom->netbios_name) {
2282 talloc_free(tdom);
2283 return NT_STATUS_NO_MEMORY;
2284 }
2285
2286 tdom->trust_auth_incoming = data_blob_null;
2287
2288 ok = pdb_get_trusteddom_pw(domain, &pwd, &tdom->security_identifier,
2289 &last_set_time);
2290 if (!ok) {
2291 talloc_free(tdom);
2292 return NT_STATUS_UNSUCCESSFUL;
2293 }
2294
2295 ZERO_STRUCT(taiob);
2296 ZERO_STRUCT(aia);
2297 taiob.count = 1;
2298 taiob.current.count = 1;
2299 taiob.current.array = &aia;
2300 unix_to_nt_time(&aia.LastUpdateTime, last_set_time);
2301
2302 aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
2303 aia.AuthInfo.clear.size = strlen(pwd);
2304 aia.AuthInfo.clear.password = (uint8_t *)talloc_memdup(tdom, pwd,
2305 aia.AuthInfo.clear.size);
2306 SAFE_FREE(pwd);
2307 if (aia.AuthInfo.clear.password == NULL) {
2308 talloc_free(tdom);
2309 return NT_STATUS_NO_MEMORY;
2310 }
2311
2312 taiob.previous.count = 0;
2313 taiob.previous.array = NULL;
2314
2315 ndr_err = ndr_push_struct_blob(&tdom->trust_auth_outgoing,
2316 tdom, &taiob,
2317 (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
2318 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2319 talloc_free(tdom);
2320 return NT_STATUS_UNSUCCESSFUL;
2321 }
2322
2323 tdom->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
2324 tdom->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
2325 tdom->trust_attributes = 0;
2326 tdom->trust_forest_trust_info = data_blob_null;
2327
2328 *td = tdom;
2329 return NT_STATUS_OK;
2330 }
2331
2332 static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
2333 TALLOC_CTX *mem_ctx,
2334 struct dom_sid *sid,
2335 struct pdb_trusted_domain **td)
2336 {
2337 return NT_STATUS_NOT_IMPLEMENTED;
2338 }
2339
2340 #define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
2341
2342 static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
2343 const char* domain,
2344 const struct pdb_trusted_domain *td)
2345 {
2346 struct trustAuthInOutBlob taiob;
2347 struct AuthenticationInformation *aia;
2348 enum ndr_err_code ndr_err;
2349 char *pwd;
2350 bool ok;
2351
2352 if (td->trust_attributes != 0 ||
2353 td->trust_type != LSA_TRUST_TYPE_DOWNLEVEL ||
2354 td->trust_direction != LSA_TRUST_DIRECTION_OUTBOUND ||
2355 !IS_NULL_DATA_BLOB(td->trust_auth_incoming) ||
2356 !IS_NULL_DATA_BLOB(td->trust_forest_trust_info)) {
2357 return NT_STATUS_NOT_IMPLEMENTED;
2358 }
2359
2360 ZERO_STRUCT(taiob);
2361 ndr_err = ndr_pull_struct_blob(&td->trust_auth_outgoing, talloc_tos(),
2362 &taiob,
2363 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2364 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2365 return NT_STATUS_UNSUCCESSFUL;
2366 }
2367
2368 aia = (struct AuthenticationInformation *) taiob.current.array;
2369
2370 if (taiob.count != 1 || taiob.current.count != 1 ||
2371 taiob.previous.count != 0 ||
2372 aia->AuthType != TRUST_AUTH_TYPE_CLEAR) {
2373 return NT_STATUS_NOT_IMPLEMENTED;
2374 }
2375
2376 pwd = talloc_strndup(talloc_tos(), (char *) aia->AuthInfo.clear.password,
2377 aia->AuthInfo.clear.size);
2378 if (!pwd) {
2379 return NT_STATUS_NO_MEMORY;
2380 }
2381
2382 ok = pdb_set_trusteddom_pw(domain, pwd, &td->security_identifier);
2383 if (!ok) {
2384 return NT_STATUS_UNSUCCESSFUL;
2385 }
2386
2387 return NT_STATUS_OK;
2388 }
2389
2390 static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
2391 const char *domain)
2392 {
2393 return NT_STATUS_NOT_IMPLEMENTED;
2394 }
2395
2396 static NTSTATUS pdb_default_enum_trusted_domains(struct pdb_methods *methods,
2397 TALLOC_CTX *mem_ctx,
2398 uint32_t *num_domains,
2399 struct pdb_trusted_domain ***domains)
2400 {
2401 return NT_STATUS_NOT_IMPLEMENTED;
2402 }
2403
2404 static struct pdb_domain_info *pdb_default_get_domain_info(
2405 struct pdb_methods *m, TALLOC_CTX *mem_ctx)
2406 {
2407 return NULL;
2408 }
2409
2410 /*****************************************************************
2411 UPN suffixes
2412 *****************************************************************/
2413 static NTSTATUS pdb_default_enum_upn_suffixes(struct pdb_methods *pdb,
2414 TALLOC_CTX *mem_ctx,
2415 uint32_t *num_suffixes,
2416 char ***suffixes)
2417 {
2418 return NT_STATUS_NOT_IMPLEMENTED;
2419 }
2420
2421 static NTSTATUS pdb_default_set_upn_suffixes(struct pdb_methods *pdb,
2422 uint32_t num_suffixes,
2423 const char **suffixes)
2424 {
2425 return NT_STATUS_NOT_IMPLEMENTED;
2426 }
2427
2428 NTSTATUS pdb_enum_upn_suffixes(TALLOC_CTX *mem_ctx,
2429 uint32_t *num_suffixes,
2430 char ***suffixes)
2431 {
2432 struct pdb_methods *pdb = pdb_get_methods();
2433 return pdb->enum_upn_suffixes(pdb, mem_ctx, num_suffixes, suffixes);
2434 }
2435
2436 NTSTATUS pdb_set_upn_suffixes(uint32_t num_suffixes,
2437 const char **suffixes)
2438 {
2439 struct pdb_methods *pdb = pdb_get_methods();
2440 return pdb->set_upn_suffixes(pdb, num_suffixes, suffixes);
2441 }
2442
2443 /*******************************************************************
2444 idmap control methods
2445 *******************************************************************/
2446 static bool pdb_default_is_responsible_for_our_sam(
2447 struct pdb_methods *methods)
2448 {
2449 return true;
2450 }
2451
2452 static bool pdb_default_is_responsible_for_builtin(
2453 struct pdb_methods *methods)
2454 {
2455 return true;
2456 }
2457
2458 static bool pdb_default_is_responsible_for_wellknown(
2459 struct pdb_methods *methods)
2460 {
2461 return false;
2462 }
2463
2464 static bool pdb_default_is_responsible_for_unix_users(
2465 struct pdb_methods *methods)
2466 {
2467 return true;
2468 }
2469
2470 static bool pdb_default_is_responsible_for_unix_groups(
2471 struct pdb_methods *methods)
2472 {
2473 return true;
2474 }
2475
2476 static bool pdb_default_is_responsible_for_everything_else(
2477 struct pdb_methods *methods)
2478 {
2479 return false;
2480 }
2481
2482 bool pdb_is_responsible_for_our_sam(void)
2483 {
2484 struct pdb_methods *pdb = pdb_get_methods();
2485 return pdb->is_responsible_for_our_sam(pdb);
2486 }
2487
2488 bool pdb_is_responsible_for_builtin(void)
2489 {
2490 struct pdb_methods *pdb = pdb_get_methods();
2491 return pdb->is_responsible_for_builtin(pdb);
2492 }
2493
2494 bool pdb_is_responsible_for_wellknown(void)
2495 {
2496 struct pdb_methods *pdb = pdb_get_methods();
2497 return pdb->is_responsible_for_wellknown(pdb);
2498 }
2499
2500 bool pdb_is_responsible_for_unix_users(void)
2501 {
2502 struct pdb_methods *pdb = pdb_get_methods();
2503 return pdb->is_responsible_for_unix_users(pdb);
2504 }
2505
2506 bool pdb_is_responsible_for_unix_groups(void)
2507 {
2508 struct pdb_methods *pdb = pdb_get_methods();
2509 return pdb->is_responsible_for_unix_groups(pdb);
2510 }
2511
2512 bool pdb_is_responsible_for_everything_else(void)
2513 {
2514 struct pdb_methods *pdb = pdb_get_methods();
2515 return pdb->is_responsible_for_everything_else(pdb);
2516 }
2517
2518 /*******************************************************************
2519 secret methods
2520 *******************************************************************/
2521
2522 NTSTATUS pdb_get_secret(TALLOC_CTX *mem_ctx,
2523 const char *secret_name,
2524 DATA_BLOB *secret_current,
2525 NTTIME *secret_current_lastchange,
2526 DATA_BLOB *secret_old,
2527 NTTIME *secret_old_lastchange,
2528 struct security_descriptor **sd)
2529 {
2530 struct pdb_methods *pdb = pdb_get_methods();
2531 return pdb->get_secret(pdb, mem_ctx, secret_name,
2532 secret_current, secret_current_lastchange,
2533 secret_old, secret_old_lastchange,
2534 sd);
2535 }
2536
2537 NTSTATUS pdb_set_secret(const char *secret_name,
2538 DATA_BLOB *secret_current,
2539 DATA_BLOB *secret_old,
2540 struct security_descriptor *sd)
2541 {
2542 struct pdb_methods *pdb = pdb_get_methods();
2543 return pdb->set_secret(pdb, secret_name,
2544 secret_current,
2545 secret_old,
2546 sd);
2547 }
2548
2549 NTSTATUS pdb_delete_secret(const char *secret_name)
2550 {
2551 struct pdb_methods *pdb = pdb_get_methods();
2552 return pdb->delete_secret(pdb, secret_name);
2553 }
2554
2555 static NTSTATUS pdb_default_get_secret(struct pdb_methods *methods,
2556 TALLOC_CTX *mem_ctx,
2557 const char *secret_name,
2558 DATA_BLOB *secret_current,
2559 NTTIME *secret_current_lastchange,
2560 DATA_BLOB *secret_old,
2561 NTTIME *secret_old_lastchange,
2562 struct security_descriptor **sd)
2563 {
2564 return lsa_secret_get(mem_ctx, secret_name,
2565 secret_current,
2566 secret_current_lastchange,
2567 secret_old,
2568 secret_old_lastchange,
2569 sd);
2570 }
2571
2572 static NTSTATUS pdb_default_set_secret(struct pdb_methods *methods,
2573 const char *secret_name,
2574 DATA_BLOB *secret_current,
2575 DATA_BLOB *secret_old,
2576 struct security_descriptor *sd)
2577 {
2578 return lsa_secret_set(secret_name,
2579 secret_current,
2580 secret_old,
2581 sd);
2582 }
2583
2584 static NTSTATUS pdb_default_delete_secret(struct pdb_methods *methods,
2585 const char *secret_name)
2586 {
2587 return lsa_secret_delete(secret_name);
2588 }
2589
2590 /*******************************************************************
2591 Create a pdb_methods structure and initialize it with the default
2592 operations. In this way a passdb module can simply implement
2593 the functionality it cares about. However, normally this is done
2594 in groups of related functions.
2595 *******************************************************************/
2596
2597 NTSTATUS make_pdb_method( struct pdb_methods **methods )
2598 {
2599 /* allocate memory for the structure as its own talloc CTX */
2600
2601 *methods = talloc_zero(NULL, struct pdb_methods);
2602 if (*methods == NULL) {
2603 return NT_STATUS_NO_MEMORY;
2604 }
2605
2606 (*methods)->get_domain_info = pdb_default_get_domain_info;
2607 (*methods)->getsampwnam = pdb_default_getsampwnam;
2608 (*methods)->getsampwsid = pdb_default_getsampwsid;
2609 (*methods)->create_user = pdb_default_create_user;
2610 (*methods)->delete_user = pdb_default_delete_user;
2611 (*methods)->add_sam_account = pdb_default_add_sam_account;
2612 (*methods)->update_sam_account = pdb_default_update_sam_account;
2613 (*methods)->delete_sam_account = pdb_default_delete_sam_account;
2614 (*methods)->rename_sam_account = pdb_default_rename_sam_account;
2615 (*methods)->update_login_attempts = pdb_default_update_login_attempts;
2616
2617 (*methods)->getgrsid = pdb_default_getgrsid;
2618 (*methods)->getgrgid = pdb_default_getgrgid;
2619 (*methods)->getgrnam = pdb_default_getgrnam;
2620 (*methods)->create_dom_group = pdb_default_create_dom_group;
2621 (*methods)->delete_dom_group = pdb_default_delete_dom_group;
2622 (*methods)->add_group_mapping_entry = pdb_default_add_group_mapping_entry;
2623 (*methods)->update_group_mapping_entry = pdb_default_update_group_mapping_entry;
2624 (*methods)->delete_group_mapping_entry = pdb_default_delete_group_mapping_entry;
2625 (*methods)->enum_group_mapping = pdb_default_enum_group_mapping;
2626 (*methods)->enum_group_members = pdb_default_enum_group_members;
2627 (*methods)->enum_group_memberships = pdb_default_enum_group_memberships;
2628 (*methods)->set_unix_primary_group = pdb_default_set_unix_primary_group;
2629 (*methods)->add_groupmem = pdb_default_add_groupmem;
2630 (*methods)->del_groupmem = pdb_default_del_groupmem;
2631 (*methods)->create_alias = pdb_default_create_alias;
2632 (*methods)->delete_alias = pdb_default_delete_alias;
2633 (*methods)->get_aliasinfo = pdb_default_get_aliasinfo;
2634 (*methods)->set_aliasinfo = pdb_default_set_aliasinfo;
2635 (*methods)->add_aliasmem = pdb_default_add_aliasmem;
2636 (*methods)->del_aliasmem = pdb_default_del_aliasmem;
2637 (*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
2638 (*methods)->enum_alias_memberships = pdb_default_alias_memberships;
2639 (*methods)->lookup_rids = pdb_default_lookup_rids;
2640 (*methods)->get_account_policy = pdb_default_get_account_policy;
2641 (*methods)->set_account_policy = pdb_default_set_account_policy;
2642 (*methods)->get_seq_num = pdb_default_get_seq_num;
2643 (*methods)->id_to_sid = pdb_default_id_to_sid;
2644 (*methods)->sid_to_id = pdb_default_sid_to_id;
2645
2646 (*methods)->search_groups = pdb_default_search_groups;
2647 (*methods)->search_aliases = pdb_default_search_aliases;
2648
2649 (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
2650 (*methods)->get_trusteddom_creds = pdb_default_get_trusteddom_creds;
2651 (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
2652 (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
2653 (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
2654
2655 (*methods)->get_trusted_domain = pdb_default_get_trusted_domain;
2656 (*methods)->get_trusted_domain_by_sid = pdb_default_get_trusted_domain_by_sid;
2657 (*methods)->set_trusted_domain = pdb_default_set_trusted_domain;
2658 (*methods)->del_trusted_domain = pdb_default_del_trusted_domain;
2659 (*methods)->enum_trusted_domains = pdb_default_enum_trusted_domains;
2660
2661 (*methods)->get_secret = pdb_default_get_secret;
2662 (*methods)->set_secret = pdb_default_set_secret;
2663 (*methods)->delete_secret = pdb_default_delete_secret;
2664
2665 (*methods)->enum_upn_suffixes = pdb_default_enum_upn_suffixes;
2666 (*methods)->set_upn_suffixes = pdb_default_set_upn_suffixes;
2667
2668 (*methods)->is_responsible_for_our_sam =
2669 pdb_default_is_responsible_for_our_sam;
2670 (*methods)->is_responsible_for_builtin =
2671 pdb_default_is_responsible_for_builtin;
2672 (*methods)->is_responsible_for_wellknown =
2673 pdb_default_is_responsible_for_wellknown;
2674 (*methods)->is_responsible_for_unix_users =
2675 pdb_default_is_responsible_for_unix_users;
2676 (*methods)->is_responsible_for_unix_groups =
2677 pdb_default_is_responsible_for_unix_groups;
2678 (*methods)->is_responsible_for_everything_else =
2679 pdb_default_is_responsible_for_everything_else;
2680
2681 return NT_STATUS_OK;
2682 }
Samba GIT mirror