search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdbd_conn: add ctdbd_unregister_ips()
[Samba.git] / source3 / passdb / pdb_samba_dsdb.c
blobdee40bf217553c124276b261399b11cc0a04df81
1 /*
2 Unix SMB/CIFS implementation.
3 pdb glue module for direct access to the dsdb via LDB APIs
4 Copyright (C) Volker Lendecke 2009-2011
5 Copyright (C) Andrew Bartlett 2010-2012
6 Copyright (C) Matthias Dieter Wallnöfer 2009
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /* This module, is a port of Volker's pdb_ads to ldb and DSDB APIs */
23
24 #include "includes.h"
25 #include "source3/include/passdb.h"
26 #include "source4/dsdb/samdb/samdb.h"
27 #include "ldb_errors.h"
28 #include "libcli/security/dom_sid.h"
29 #include "source4/winbind/idmap.h"
30 #include "librpc/gen_ndr/ndr_security.h"
31 #include "librpc/gen_ndr/ndr_drsblobs.h"
32 #include "librpc/gen_ndr/ndr_lsa.h"
33 #include "libds/common/flag_mapping.h"
34 #include "source4/lib/events/events.h"
35 #include "source4/auth/session.h"
36 #include "source4/auth/system_session_proto.h"
37 #include "lib/param/param.h"
38 #include "source4/dsdb/common/util.h"
39 #include "source3/include/secrets.h"
40 #include "source4/auth/auth_sam.h"
41 #include "auth/credentials/credentials.h"
42 #include "lib/util/base64.h"
43 #include "libcli/ldap/ldap_ndr.h"
44 #include "lib/util/util_ldb.h"
45
46 struct pdb_samba_dsdb_state {
47 struct tevent_context *ev;
48 struct ldb_context *ldb;
49 struct idmap_context *idmap_ctx;
50 struct loadparm_context *lp_ctx;
51 };
52
53 static NTSTATUS pdb_samba_dsdb_getsampwsid(struct pdb_methods *m,
54 struct samu *sam_acct,
55 const struct dom_sid *sid);
56 static NTSTATUS pdb_samba_dsdb_getsamupriv(struct pdb_samba_dsdb_state *state,
57 const char *filter,
58 TALLOC_CTX *mem_ctx,
59 struct ldb_message **pmsg);
60 static bool pdb_samba_dsdb_sid_to_id(struct pdb_methods *m, const struct dom_sid *sid,
61 struct unixid *id);
62
63 static bool pdb_samba_dsdb_pull_time(struct ldb_message *msg, const char *attr,
64 time_t *ptime)
65 {
66 uint64_t tmp;
67 if (! ldb_msg_find_element(msg, attr)) {
68 return false;
69 }
70 tmp = ldb_msg_find_attr_as_uint64(msg, attr, 0);
71 *ptime = nt_time_to_unix(tmp);
72 return true;
73 }
74
75 static struct pdb_domain_info *pdb_samba_dsdb_get_domain_info(
76 struct pdb_methods *m, TALLOC_CTX *mem_ctx)
77 {
78 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
79 m->private_data, struct pdb_samba_dsdb_state);
80 struct pdb_domain_info *info;
81 struct dom_sid *domain_sid;
82 struct ldb_dn *forest_dn, *domain_dn;
83 struct ldb_result *dom_res = NULL;
84 const char *dom_attrs[] = {
85 "objectSid",
86 "objectGUID",
87 "fSMORoleOwner",
88 NULL
89 };
90 char *p;
91 int ret;
92
93 info = talloc(mem_ctx, struct pdb_domain_info);
94 if (info == NULL) {
95 return NULL;
96 }
97
98 domain_dn = ldb_get_default_basedn(state->ldb);
99
100 ret = ldb_search(state->ldb, info, &dom_res,
101 domain_dn, LDB_SCOPE_BASE, dom_attrs, NULL);
102 if (ret != LDB_SUCCESS) {
103 goto fail;
104 }
105 if (dom_res->count != 1) {
106 goto fail;
107 }
108
109 info->guid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
110
111 domain_sid = samdb_result_dom_sid(state, dom_res->msgs[0], "objectSid");
112 if (!domain_sid) {
113 goto fail;
114 }
115 info->sid = *domain_sid;
116
117 TALLOC_FREE(dom_res);
118
119 info->name = talloc_strdup(info, lpcfg_sam_name(state->lp_ctx));
120 info->dns_domain = ldb_dn_canonical_string(info, domain_dn);
121
122 if (!info->dns_domain) {
123 goto fail;
124 }
125 p = strchr(info->dns_domain, '/');
126 if (p) {
127 *p = '\0';
128 }
129
130 forest_dn = ldb_get_root_basedn(state->ldb);
131 if (!forest_dn) {
132 goto fail;
133 }
134
135 info->dns_forest = ldb_dn_canonical_string(info, forest_dn);
136 if (!info->dns_forest) {
137 goto fail;
138 }
139 p = strchr(info->dns_forest, '/');
140 if (p) {
141 *p = '\0';
142 }
143
144 return info;
145
146 fail:
147 TALLOC_FREE(dom_res);
148 TALLOC_FREE(info);
149 return NULL;
150 }
151
152 static struct ldb_message *pdb_samba_dsdb_get_samu_private(
153 struct pdb_methods *m, struct samu *sam)
154 {
155 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
156 m->private_data, struct pdb_samba_dsdb_state);
157 struct ldb_message *msg;
158 struct dom_sid_buf sidstr;
159 char *filter;
160 NTSTATUS status;
161
162 msg = (struct ldb_message *)
163 pdb_get_backend_private_data(sam, m);
164
165 if (msg != NULL) {
166 return talloc_get_type_abort(msg, struct ldb_message);
167 }
168
169 filter = talloc_asprintf(
170 talloc_tos(),
171 "(&(objectsid=%s)(objectclass=user))",
172 dom_sid_str_buf(pdb_get_user_sid(sam), &sidstr));
173 if (filter == NULL) {
174 return NULL;
175 }
176
177 status = pdb_samba_dsdb_getsamupriv(state, filter, sam, &msg);
178 TALLOC_FREE(filter);
179 if (!NT_STATUS_IS_OK(status)) {
180 return NULL;
181 }
182
183 return msg;
184 }
185
186 static NTSTATUS pdb_samba_dsdb_init_sam_from_priv(struct pdb_methods *m,
187 struct samu *sam,
188 struct ldb_message *msg)
189 {
190 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
191 m->private_data, struct pdb_samba_dsdb_state);
192 TALLOC_CTX *frame = talloc_stackframe();
193 NTSTATUS status = NT_STATUS_INTERNAL_DB_CORRUPTION;
194 const char *str;
195 time_t tmp_time;
196 struct dom_sid *sid, group_sid;
197 uint64_t n;
198 const DATA_BLOB *blob;
199
200 str = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
201 if (str == NULL) {
202 DEBUG(10, ("no samAccountName\n"));
203 goto fail;
204 }
205 pdb_set_username(sam, str, PDB_SET);
206
207 if (pdb_samba_dsdb_pull_time(msg, "lastLogon", &tmp_time)) {
208 pdb_set_logon_time(sam, tmp_time, PDB_SET);
209 }
210 if (pdb_samba_dsdb_pull_time(msg, "lastLogoff", &tmp_time)) {
211 pdb_set_logoff_time(sam, tmp_time, PDB_SET);
212 }
213 if (pdb_samba_dsdb_pull_time(msg, "pwdLastSet", &tmp_time)) {
214 pdb_set_pass_last_set_time(sam, tmp_time, PDB_SET);
215 }
216 if (pdb_samba_dsdb_pull_time(msg, "accountExpires", &tmp_time)) {
217 pdb_set_kickoff_time(sam, tmp_time, PDB_SET);
218 }
219
220 str = ldb_msg_find_attr_as_string(msg, "displayName",
221 NULL);
222 if (str != NULL) {
223 pdb_set_fullname(sam, str, PDB_SET);
224 }
225
226 str = ldb_msg_find_attr_as_string(msg, "homeDirectory",
227 NULL);
228 if (str != NULL) {
229 pdb_set_homedir(sam, str, PDB_SET);
230 }
231
232 str = ldb_msg_find_attr_as_string(msg, "homeDrive", NULL);
233 if (str != NULL) {
234 pdb_set_dir_drive(sam, str, PDB_SET);
235 }
236
237 str = ldb_msg_find_attr_as_string(msg, "scriptPath", NULL);
238 if (str != NULL) {
239 pdb_set_logon_script(sam, str, PDB_SET);
240 }
241
242 str = ldb_msg_find_attr_as_string(msg, "profilePath",
243 NULL);
244 if (str != NULL) {
245 pdb_set_profile_path(sam, str, PDB_SET);
246 }
247
248 str = ldb_msg_find_attr_as_string(msg, "comment",
249 NULL);
250 if (str != NULL) {
251 pdb_set_comment(sam, str, PDB_SET);
252 }
253
254 str = ldb_msg_find_attr_as_string(msg, "description",
255 NULL);
256 if (str != NULL) {
257 pdb_set_acct_desc(sam, str, PDB_SET);
258 }
259
260 str = ldb_msg_find_attr_as_string(msg, "userWorkstations",
261 NULL);
262 if (str != NULL) {
263 pdb_set_workstations(sam, str, PDB_SET);
264 }
265
266 blob = ldb_msg_find_ldb_val(msg, "userParameters");
267 if (blob != NULL) {
268 str = base64_encode_data_blob(frame, *blob);
269 if (str == NULL) {
270 DEBUG(0, ("base64_encode_data_blob() failed\n"));
271 goto fail;
272 }
273 pdb_set_munged_dial(sam, str, PDB_SET);
274 }
275
276 sid = samdb_result_dom_sid(talloc_tos(), msg, "objectSid");
277 if (!sid) {
278 DEBUG(10, ("Could not pull SID\n"));
279 goto fail;
280 }
281 pdb_set_user_sid(sam, sid, PDB_SET);
282
283 n = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed");
284 if (n == 0) {
285 DEBUG(10, ("Could not pull userAccountControl\n"));
286 goto fail;
287 }
288 pdb_set_acct_ctrl(sam, n, PDB_SET);
289
290 blob = ldb_msg_find_ldb_val(msg, "unicodePwd");
291 if (blob) {
292 if (blob->length != NT_HASH_LEN) {
293 DEBUG(0, ("Got NT hash of length %d, expected %d\n",
294 (int)blob->length, NT_HASH_LEN));
295 goto fail;
296 }
297 pdb_set_nt_passwd(sam, blob->data, PDB_SET);
298 }
299
300 blob = ldb_msg_find_ldb_val(msg, "dBCSPwd");
301 if (blob) {
302 if (blob->length != LM_HASH_LEN) {
303 DEBUG(0, ("Got LM hash of length %d, expected %d\n",
304 (int)blob->length, LM_HASH_LEN));
305 goto fail;
306 }
307 pdb_set_lanman_passwd(sam, blob->data, PDB_SET);
308 }
309
310 n = ldb_msg_find_attr_as_uint(msg, "primaryGroupID", 0);
311 if (n == 0) {
312 DEBUG(10, ("Could not pull primaryGroupID\n"));
313 goto fail;
314 }
315 sid_compose(&group_sid, samdb_domain_sid(state->ldb), n);
316 pdb_set_group_sid(sam, &group_sid, PDB_SET);
317
318 status = NT_STATUS_OK;
319 fail:
320 TALLOC_FREE(frame);
321 return status;
322 }
323
324 static bool pdb_samba_dsdb_add_time(struct ldb_message *msg,
325 const char *attrib, time_t t)
326 {
327 uint64_t nt_time;
328
329 unix_to_nt_time(&nt_time, t);
330
331 return ldb_msg_add_fmt(msg, attrib, "%llu", (unsigned long long) nt_time);
332 }
333
334 static int pdb_samba_dsdb_replace_by_sam(struct pdb_samba_dsdb_state *state,
335 bool (*need_update)(const struct samu *,
336 enum pdb_elements),
337 struct ldb_dn *dn,
338 struct samu *sam)
339 {
340 TALLOC_CTX *frame = talloc_stackframe();
341 int ret = LDB_SUCCESS;
342 const char *pw;
343 struct ldb_message *msg;
344 struct ldb_request *req;
345 uint32_t dsdb_flags = 0;
346 /* TODO: All fields :-) */
347
348 msg = ldb_msg_new(frame);
349 if (!msg) {
350 talloc_free(frame);
351 return false;
352 }
353
354 msg->dn = dn;
355
356 /* build modify request */
357 ret = ldb_build_mod_req(&req, state->ldb, frame, msg, NULL, NULL,
358 ldb_op_default_callback,
359 NULL);
360 if (ret != LDB_SUCCESS) {
361 talloc_free(frame);
362 return ret;
363 }
364
365 /* If we set a plaintext password, the system will
366 * force the pwdLastSet to now() */
367 if (need_update(sam, PDB_PASSLASTSET)) {
368 dsdb_flags |= DSDB_PASSWORD_BYPASS_LAST_SET;
369
370 ret |= pdb_samba_dsdb_add_time(msg, "pwdLastSet",
371 pdb_get_pass_last_set_time(sam));
372 }
373
374 pw = pdb_get_plaintext_passwd(sam);
375 if (need_update(sam, PDB_PLAINTEXT_PW)) {
376 struct ldb_val pw_utf16;
377 if (pw == NULL) {
378 talloc_free(frame);
379 return LDB_ERR_OPERATIONS_ERROR;
380 }
381
382 if (!convert_string_talloc(msg,
383 CH_UNIX, CH_UTF16,
384 pw, strlen(pw),
385 (void *)&pw_utf16.data,
386 &pw_utf16.length)) {
387 talloc_free(frame);
388 return LDB_ERR_OPERATIONS_ERROR;
389 }
390 ret |= ldb_msg_add_value(msg, "clearTextPassword", &pw_utf16, NULL);
391 } else {
392 bool changed_lm_pw = false;
393 bool changed_nt_pw = false;
394 bool changed_history = false;
395 if (need_update(sam, PDB_LMPASSWD)) {
396 struct ldb_val val;
397 val.data = discard_const_p(uint8_t, pdb_get_lanman_passwd(sam));
398 if (!val.data) {
399 samdb_msg_add_delete(state->ldb, msg, msg,
400 "dBCSPwd");
401 } else {
402 val.length = LM_HASH_LEN;
403 ret |= ldb_msg_add_value(msg, "dBCSPwd", &val, NULL);
404 }
405 changed_lm_pw = true;
406 }
407 if (need_update(sam, PDB_NTPASSWD)) {
408 struct ldb_val val;
409 val.data = discard_const_p(uint8_t, pdb_get_nt_passwd(sam));
410 if (!val.data) {
411 samdb_msg_add_delete(state->ldb, msg, msg,
412 "unicodePwd");
413 } else {
414 val.length = NT_HASH_LEN;
415 ret |= ldb_msg_add_value(msg, "unicodePwd", &val, NULL);
416 }
417 changed_nt_pw = true;
418 }
419
420 /* Try to ensure we don't get out of sync */
421 if (changed_lm_pw && !changed_nt_pw) {
422 samdb_msg_add_delete(state->ldb, msg, msg,
423 "unicodePwd");
424 } else if (changed_nt_pw && !changed_lm_pw) {
425 samdb_msg_add_delete(state->ldb, msg, msg,
426 "dBCSPwd");
427 }
428 if (changed_lm_pw || changed_nt_pw) {
429 samdb_msg_add_delete(state->ldb, msg, msg,
430 "supplementalCredentials");
431
432 }
433
434 if (need_update(sam, PDB_PWHISTORY)) {
435 uint32_t current_hist_len;
436 const uint8_t *history = pdb_get_pw_history(sam, &current_hist_len);
437
438 bool invalid_history = false;
439 struct samr_Password *history_hashes = talloc_array(talloc_tos(), struct samr_Password,
440 current_hist_len);
441 if (!history) {
442 invalid_history = true;
443 } else {
444 unsigned int i;
445 /* Parse the history into the correct format */
446 for (i = 0; i < current_hist_len; i++) {
447 if (!all_zero(&history[i*PW_HISTORY_ENTRY_LEN],
448 16)) {
449 /* If the history is in the old format, with a salted hash, then we can't migrate it to AD format */
450 invalid_history = true;
451 break;
452 }
453 /* Copy out the 2nd 16 bytes of the 32 byte password history, containing the NT hash */
454 memcpy(history_hashes[i].hash,
455 &history[(i*PW_HISTORY_ENTRY_LEN) + PW_HISTORY_SALT_LEN],
456 sizeof(history_hashes[i].hash));
457 }
458 }
459 if (invalid_history) {
460 ret |= samdb_msg_add_delete(state->ldb, msg, msg,
461 "ntPwdHistory");
462
463 ret |= samdb_msg_add_delete(state->ldb, msg, msg,
464 "lmPwdHistory");
465 } else {
466 ret |= samdb_msg_add_hashes(state->ldb, msg, msg,
467 "ntPwdHistory",
468 history_hashes,
469 current_hist_len);
470 }
471 changed_history = true;
472 }
473 if (changed_lm_pw || changed_nt_pw || changed_history) {
474 /* These attributes can only be modified directly by using a special control */
475 dsdb_flags |= DSDB_BYPASS_PASSWORD_HASH;
476 }
477 }
478
479 /* PDB_USERSID is only allowed on ADD, handled in caller */
480 if (need_update(sam, PDB_GROUPSID)) {
481 const struct dom_sid *sid = pdb_get_group_sid(sam);
482 uint32_t rid;
483 NTSTATUS status = dom_sid_split_rid(NULL, sid, NULL, &rid);
484 if (!NT_STATUS_IS_OK(status)) {
485 talloc_free(frame);
486 return LDB_ERR_OPERATIONS_ERROR;
487 }
488 if (!dom_sid_in_domain(samdb_domain_sid(state->ldb), sid)) {
489 talloc_free(frame);
490 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
491 }
492 ret |= samdb_msg_add_uint(state->ldb, msg, msg, "primaryGroupID", rid);
493 }
494 if (need_update(sam, PDB_FULLNAME)) {
495 ret |= ldb_msg_add_string(msg, "displayName", pdb_get_fullname(sam));
496 }
497
498 if (need_update(sam, PDB_SMBHOME)) {
499 ret |= ldb_msg_add_string(msg, "homeDirectory",
500 pdb_get_homedir(sam));
501 }
502
503 if (need_update(sam, PDB_PROFILE)) {
504 ret |= ldb_msg_add_string(msg, "profilePath",
505 pdb_get_profile_path(sam));
506 }
507
508 if (need_update(sam, PDB_DRIVE)) {
509 ret |= ldb_msg_add_string(msg, "homeDrive",
510 pdb_get_dir_drive(sam));
511 }
512
513 if (need_update(sam, PDB_LOGONSCRIPT)) {
514 ret |= ldb_msg_add_string(msg, "scriptPath",
515 pdb_get_logon_script(sam));
516 }
517
518 if (need_update(sam, PDB_KICKOFFTIME)) {
519 ret |= pdb_samba_dsdb_add_time(msg, "accountExpires",
520 pdb_get_kickoff_time(sam));
521 }
522
523 if (need_update(sam, PDB_LOGONTIME)) {
524 ret |= pdb_samba_dsdb_add_time(msg, "lastLogon",
525 pdb_get_logon_time(sam));
526 }
527
528 if (need_update(sam, PDB_LOGOFFTIME)) {
529 ret |= pdb_samba_dsdb_add_time(msg, "lastLogoff",
530 pdb_get_logoff_time(sam));
531 }
532
533 if (need_update(sam, PDB_USERNAME)) {
534 ret |= ldb_msg_add_string(msg, "samAccountName",
535 pdb_get_username(sam));
536 }
537
538 if (need_update(sam, PDB_HOURSLEN) || need_update(sam, PDB_HOURS)) {
539 struct ldb_val hours = data_blob_const(pdb_get_hours(sam), pdb_get_hours_len(sam));
540 ret |= ldb_msg_add_value(msg, "logonHours",
541 &hours, NULL);
542 }
543
544 if (need_update(sam, PDB_ACCTCTRL)) {
545 ret |= samdb_msg_add_acct_flags(state->ldb, msg, msg,
546 "userAccountControl", pdb_get_acct_ctrl(sam));
547 }
548
549 if (need_update(sam, PDB_COMMENT)) {
550 ret |= ldb_msg_add_string(msg, "comment",
551 pdb_get_comment(sam));
552 }
553
554 if (need_update(sam, PDB_ACCTDESC)) {
555 ret |= ldb_msg_add_string(msg, "description",
556 pdb_get_acct_desc(sam));
557 }
558
559 if (need_update(sam, PDB_WORKSTATIONS)) {
560 ret |= ldb_msg_add_string(msg, "userWorkstations",
561 pdb_get_workstations(sam));
562 }
563
564 /* This will need work, it is actually a UTF8 'string' with internal NULLs, to handle TS parameters */
565 if (need_update(sam, PDB_MUNGEDDIAL)) {
566 const char *base64_munged_dial = NULL;
567
568 base64_munged_dial = pdb_get_munged_dial(sam);
569 if (base64_munged_dial != NULL && strlen(base64_munged_dial) > 0) {
570 struct ldb_val blob;
571
572 blob = base64_decode_data_blob_talloc(msg,
573 base64_munged_dial);
574 if (blob.data == NULL) {
575 DEBUG(0, ("Failed to decode userParameters from "
576 "munged dialback string[%s] for %s\n",
577 base64_munged_dial,
578 ldb_dn_get_linearized(msg->dn)));
579 talloc_free(frame);
580 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
581 }
582 ret |= ldb_msg_add_steal_value(msg, "userParameters",
583 &blob);
584 }
585 }
586
587 if (need_update(sam, PDB_COUNTRY_CODE)) {
588 ret |= ldb_msg_add_fmt(msg, "countryCode",
589 "%i", (int)pdb_get_country_code(sam));
590 }
591
592 if (need_update(sam, PDB_CODE_PAGE)) {
593 ret |= ldb_msg_add_fmt(msg, "codePage",
594 "%i", (int)pdb_get_code_page(sam));
595 }
596
597 /* Not yet handled here or not meaningful for modifies on a Samba_Dsdb backend:
598 PDB_BAD_PASSWORD_TIME,
599 PDB_CANCHANGETIME, - these are calculated per policy, not stored
600 PDB_DOMAIN,
601 PDB_NTUSERNAME, - this makes no sense, and never really did
602 PDB_LOGONDIVS,
603 PDB_USERSID, - Handled in pdb_samba_dsdb_add_sam_account()
604 PDB_FIELDS_PRESENT,
605 PDB_BAD_PASSWORD_COUNT,
606 PDB_LOGON_COUNT,
607 PDB_UNKNOWN6,
608 PDB_BACKEND_PRIVATE_DATA,
609
610 */
611 if (ret != LDB_SUCCESS) {
612 talloc_free(frame);
613 return LDB_ERR_OPERATIONS_ERROR;
614 }
615
616 if (msg->num_elements == 0) {
617 talloc_free(frame);
618 /* Nothing to do, just return success */
619 return LDB_SUCCESS;
620 }
621
622 ret = dsdb_replace(state->ldb, msg, dsdb_flags);
623
624 if (ret != LDB_SUCCESS) {
625 DEBUG(0,("Failed to modify account record %s to set user attributes: %s\n",
626 ldb_dn_get_linearized(msg->dn),
627 ldb_errstring(state->ldb)));
628 }
629
630 talloc_free(frame);
631 return ret;
632 }
633
634 static NTSTATUS pdb_samba_dsdb_getsamupriv(struct pdb_samba_dsdb_state *state,
635 const char *filter,
636 TALLOC_CTX *mem_ctx,
637 struct ldb_message **msg)
638 {
639 const char * attrs[] = {
640 "lastLogon", "lastLogoff", "pwdLastSet", "accountExpires",
641 "sAMAccountName", "displayName", "homeDirectory",
642 "homeDrive", "scriptPath", "profilePath", "description",
643 "userWorkstations", "comment", "userParameters", "objectSid",
644 "primaryGroupID", "userAccountControl",
645 "msDS-User-Account-Control-Computed", "logonHours",
646 "badPwdCount", "logonCount", "countryCode", "codePage",
647 "unicodePwd", "dBCSPwd", NULL };
648
649 int rc = dsdb_search_one(state->ldb, mem_ctx, msg, ldb_get_default_basedn(state->ldb), LDB_SCOPE_SUBTREE, attrs, 0, "%s", filter);
650 if (rc != LDB_SUCCESS) {
651 DEBUG(10, ("ldap_search failed %s\n",
652 ldb_errstring(state->ldb)));
653 return NT_STATUS_LDAP(rc);
654 }
655
656 return NT_STATUS_OK;
657 }
658
659 static NTSTATUS pdb_samba_dsdb_getsampwfilter(struct pdb_methods *m,
660 struct pdb_samba_dsdb_state *state,
661 struct samu *sam_acct,
662 const char *exp_fmt, ...)
663 PRINTF_ATTRIBUTE(4,5);
664
665 static NTSTATUS pdb_samba_dsdb_getsampwfilter(struct pdb_methods *m,
666 struct pdb_samba_dsdb_state *state,
667 struct samu *sam_acct,
668 const char *exp_fmt, ...)
669 {
670 struct ldb_message *priv;
671 NTSTATUS status;
672 va_list ap;
673 char *expression = NULL;
674 TALLOC_CTX *tmp_ctx = talloc_new(state);
675 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
676
677 va_start(ap, exp_fmt);
678 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
679 va_end(ap);
680
681 if (!expression) {
682 talloc_free(tmp_ctx);
683 return NT_STATUS_NO_MEMORY;
684 }
685
686 status = pdb_samba_dsdb_getsamupriv(state, expression, sam_acct, &priv);
687 talloc_free(tmp_ctx);
688 if (!NT_STATUS_IS_OK(status)) {
689 DEBUG(10, ("pdb_samba_dsdb_getsamupriv failed: %s\n",
690 nt_errstr(status)));
691 return status;
692 }
693
694 status = pdb_samba_dsdb_init_sam_from_priv(m, sam_acct, priv);
695 if (!NT_STATUS_IS_OK(status)) {
696 DEBUG(10, ("pdb_samba_dsdb_init_sam_from_priv failed: %s\n",
697 nt_errstr(status)));
698 TALLOC_FREE(priv);
699 return status;
700 }
701
702 pdb_set_backend_private_data(sam_acct, priv, NULL, m, PDB_SET);
703 return NT_STATUS_OK;
704 }
705
706 static NTSTATUS pdb_samba_dsdb_getsampwnam(struct pdb_methods *m,
707 struct samu *sam_acct,
708 const char *username)
709 {
710 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
711 m->private_data, struct pdb_samba_dsdb_state);
712
713 return pdb_samba_dsdb_getsampwfilter(m, state, sam_acct,
714 "(&(samaccountname=%s)(objectclass=user))",
715 username);
716 }
717
718 static NTSTATUS pdb_samba_dsdb_getsampwsid(struct pdb_methods *m,
719 struct samu *sam_acct,
720 const struct dom_sid *sid)
721 {
722 NTSTATUS status;
723 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
724 m->private_data, struct pdb_samba_dsdb_state);
725 struct dom_sid_buf buf;
726
727 status = pdb_samba_dsdb_getsampwfilter(m, state, sam_acct,
728 "(&(objectsid=%s)(objectclass=user))",
729 dom_sid_str_buf(sid, &buf));
730 return status;
731 }
732
733 static NTSTATUS pdb_samba_dsdb_create_user(struct pdb_methods *m,
734 TALLOC_CTX *mem_ctx,
735 const char *name, uint32_t acct_flags,
736 uint32_t *rid)
737 {
738 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
739 m->private_data, struct pdb_samba_dsdb_state);
740 struct dom_sid *sid;
741 struct ldb_dn *dn;
742 NTSTATUS status;
743 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
744 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
745
746 /* Internally this uses transactions to ensure all the steps
747 * happen or fail as one */
748 status = dsdb_add_user(state->ldb, tmp_ctx, name, acct_flags, NULL,
749 &sid, &dn);
750 if (!NT_STATUS_IS_OK(status)) {
751 talloc_free(tmp_ctx);
752 return status;
753 }
754 sid_peek_rid(sid, rid);
755 talloc_free(tmp_ctx);
756 return NT_STATUS_OK;
757 }
758
759 static NTSTATUS pdb_samba_dsdb_delete_user(struct pdb_methods *m,
760 TALLOC_CTX *mem_ctx,
761 struct samu *sam)
762 {
763 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
764 m->private_data, struct pdb_samba_dsdb_state);
765 struct ldb_dn *dn;
766 int rc;
767 struct dom_sid_buf buf;
768 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
769 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
770
771 dn = ldb_dn_new_fmt(
772 tmp_ctx,
773 state->ldb,
774 "<SID=%s>",
775 dom_sid_str_buf(pdb_get_user_sid(sam), &buf));
776 if (!dn || !ldb_dn_validate(dn)) {
777 talloc_free(tmp_ctx);
778 return NT_STATUS_NO_MEMORY;
779 }
780 rc = ldb_delete(state->ldb, dn);
781
782 if (rc != LDB_SUCCESS) {
783 DEBUG(10, ("ldb_delete for %s failed: %s\n", ldb_dn_get_linearized(dn),
784 ldb_errstring(state->ldb)));
785 talloc_free(tmp_ctx);
786 return NT_STATUS_LDAP(rc);
787 }
788 talloc_free(tmp_ctx);
789 return NT_STATUS_OK;
790 }
791
792 /* This interface takes a fully populated struct samu and places it in
793 * the database. This is not implemented at this time as we need to
794 * be careful around the creation of arbitrary SIDs (ie, we must ensure
795 * they are not left in a RID pool */
796 static NTSTATUS pdb_samba_dsdb_add_sam_account(struct pdb_methods *m,
797 struct samu *sampass)
798 {
799 int ret;
800 NTSTATUS status;
801 struct ldb_dn *dn;
802 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
803 m->private_data, struct pdb_samba_dsdb_state);
804 uint32_t acb_flags = pdb_get_acct_ctrl(sampass);
805 const char *username = pdb_get_username(sampass);
806 const struct dom_sid *user_sid = pdb_get_user_sid(sampass);
807 TALLOC_CTX *tframe = talloc_stackframe();
808
809 acb_flags &= (ACB_NORMAL|ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST);
810
811 ret = ldb_transaction_start(state->ldb);
812 if (ret != LDB_SUCCESS) {
813 talloc_free(tframe);
814 return NT_STATUS_LOCK_NOT_GRANTED;
815 }
816
817 status = dsdb_add_user(state->ldb, talloc_tos(), username,
818 acb_flags, user_sid, NULL, &dn);
819 if (!NT_STATUS_IS_OK(status)) {
820 ldb_transaction_cancel(state->ldb);
821 talloc_free(tframe);
822 return status;
823 }
824
825 ret = pdb_samba_dsdb_replace_by_sam(state, pdb_element_is_set_or_changed,
826 dn, sampass);
827 if (ret != LDB_SUCCESS) {
828 ldb_transaction_cancel(state->ldb);
829 talloc_free(tframe);
830 return dsdb_ldb_err_to_ntstatus(ret);
831 }
832
833 ret = ldb_transaction_commit(state->ldb);
834 if (ret != LDB_SUCCESS) {
835 DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n",
836 ldb_dn_get_linearized(dn),
837 ldb_errstring(state->ldb)));
838 talloc_free(tframe);
839 return NT_STATUS_INTERNAL_DB_CORRUPTION;
840 }
841 talloc_free(tframe);
842 return NT_STATUS_OK;
843 }
844
845 /*
846 * Update the Samba_Dsdb LDB with the changes from a struct samu.
847 *
848 * This takes care not to update elements that have not been changed
849 * by the caller
850 */
851 static NTSTATUS pdb_samba_dsdb_update_sam_account(struct pdb_methods *m,
852 struct samu *sam)
853 {
854 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
855 m->private_data, struct pdb_samba_dsdb_state);
856 struct ldb_message *msg = pdb_samba_dsdb_get_samu_private(
857 m, sam);
858 int ret;
859
860 ret = pdb_samba_dsdb_replace_by_sam(state, pdb_element_is_changed, msg->dn,
861 sam);
862 return dsdb_ldb_err_to_ntstatus(ret);
863 }
864
865 static NTSTATUS pdb_samba_dsdb_delete_sam_account(struct pdb_methods *m,
866 struct samu *username)
867 {
868 NTSTATUS status;
869 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
870 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
871 status = pdb_samba_dsdb_delete_user(m, tmp_ctx, username);
872 talloc_free(tmp_ctx);
873 return status;
874 }
875
876 static NTSTATUS pdb_samba_dsdb_rename_sam_account(struct pdb_methods *m,
877 struct samu *oldname,
878 const char *newname)
879 {
880 return NT_STATUS_NOT_IMPLEMENTED;
881 }
882
883 /* This is not implemented, as this module is expected to be used
884 * with auth_samba_dsdb, and this is responsible for login counters etc
885 *
886 */
887 static NTSTATUS pdb_samba_dsdb_update_login_attempts(struct pdb_methods *m,
888 struct samu *sam_acct,
889 bool success)
890 {
891 return NT_STATUS_NOT_IMPLEMENTED;
892 }
893
894 static NTSTATUS pdb_samba_dsdb_getgrfilter(struct pdb_methods *m,
895 GROUP_MAP *map,
896 const char *exp_fmt, ...)
897 PRINTF_ATTRIBUTE(3,4);
898
899 static NTSTATUS pdb_samba_dsdb_getgrfilter(struct pdb_methods *m, GROUP_MAP *map,
900 const char *exp_fmt, ...)
901 {
902 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
903 m->private_data, struct pdb_samba_dsdb_state);
904 const char *attrs[] = { "objectClass", "objectSid", "description", "samAccountName", "groupType",
905 NULL };
906 struct ldb_message *msg;
907 va_list ap;
908 char *expression = NULL;
909 struct dom_sid *sid;
910 const char *str;
911 int rc;
912 struct id_map id_map;
913 struct id_map *id_maps[2];
914 TALLOC_CTX *tmp_ctx = talloc_stackframe();
915 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
916
917 va_start(ap, exp_fmt);
918 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
919 va_end(ap);
920
921 if (!expression) {
922 talloc_free(tmp_ctx);
923 return NT_STATUS_NO_MEMORY;
924 }
925
926 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, ldb_get_default_basedn(state->ldb), LDB_SCOPE_SUBTREE, attrs, 0, "%s", expression);
927 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
928 talloc_free(tmp_ctx);
929 return NT_STATUS_NO_SUCH_GROUP;
930 } else if (rc != LDB_SUCCESS) {
931 talloc_free(tmp_ctx);
932 DEBUG(10, ("dsdb_search_one failed %s\n",
933 ldb_errstring(state->ldb)));
934 return NT_STATUS_LDAP(rc);
935 }
936
937 sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
938 if (!sid) {
939 talloc_free(tmp_ctx);
940 DEBUG(10, ("Could not pull SID\n"));
941 return NT_STATUS_INTERNAL_DB_CORRUPTION;
942 }
943
944 map->sid = *sid;
945
946 if (samdb_find_attribute(state->ldb, msg, "objectClass", "group")) {
947 NTSTATUS status;
948 uint32_t grouptype = ldb_msg_find_attr_as_uint(msg, "groupType", 0);
949 switch (grouptype) {
950 case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP:
951 case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP:
952 map->sid_name_use = SID_NAME_ALIAS;
953 break;
954 case GTYPE_SECURITY_GLOBAL_GROUP:
955 map->sid_name_use = SID_NAME_DOM_GRP;
956 break;
957 default:
958 talloc_free(tmp_ctx);
959 DEBUG(10, ("Could not pull groupType\n"));
960 return NT_STATUS_INTERNAL_DB_CORRUPTION;
961 }
962
963 ZERO_STRUCT(id_map);
964 id_map.sid = sid;
965 id_maps[0] = &id_map;
966 id_maps[1] = NULL;
967
968 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
969
970 if (!NT_STATUS_IS_OK(status)) {
971 talloc_free(tmp_ctx);
972 return status;
973 }
974 if (id_map.xid.type == ID_TYPE_GID || id_map.xid.type == ID_TYPE_BOTH) {
975 map->gid = id_map.xid.id;
976 } else {
977 DEBUG(1, (__location__ "Did not get GUID when mapping SID for %s", expression));
978 talloc_free(tmp_ctx);
979 return NT_STATUS_INTERNAL_DB_CORRUPTION;
980 }
981 } else if (samdb_find_attribute(state->ldb, msg, "objectClass", "user")) {
982 DEBUG(1, (__location__ "Got SID_NAME_USER when searching for a group with %s", expression));
983 talloc_free(tmp_ctx);
984 return NT_STATUS_INTERNAL_DB_CORRUPTION;
985 }
986
987 str = ldb_msg_find_attr_as_string(msg, "samAccountName",
988 NULL);
989 if (str == NULL) {
990 talloc_free(tmp_ctx);
991 return NT_STATUS_INTERNAL_DB_CORRUPTION;
992 }
993 map->nt_name = talloc_strdup(map, str);
994 if (!map->nt_name) {
995 talloc_free(tmp_ctx);
996 return NT_STATUS_NO_MEMORY;
997 }
998
999 str = ldb_msg_find_attr_as_string(msg, "description",
1000 NULL);
1001 if (str != NULL) {
1002 map->comment = talloc_strdup(map, str);
1003 } else {
1004 map->comment = talloc_strdup(map, "");
1005 }
1006 if (!map->comment) {
1007 talloc_free(tmp_ctx);
1008 return NT_STATUS_NO_MEMORY;
1009 }
1010
1011 talloc_free(tmp_ctx);
1012 return NT_STATUS_OK;
1013 }
1014
1015 static NTSTATUS pdb_samba_dsdb_getgrsid(struct pdb_methods *m, GROUP_MAP *map,
1016 struct dom_sid sid)
1017 {
1018 char *filter;
1019 NTSTATUS status;
1020 struct dom_sid_buf buf;
1021
1022 filter = talloc_asprintf(talloc_tos(),
1023 "(&(objectsid=%s)(objectclass=group))",
1024 dom_sid_str_buf(&sid, &buf));
1025 if (filter == NULL) {
1026 return NT_STATUS_NO_MEMORY;
1027 }
1028
1029 status = pdb_samba_dsdb_getgrfilter(m, map, "%s", filter);
1030 TALLOC_FREE(filter);
1031 return status;
1032 }
1033
1034 static NTSTATUS pdb_samba_dsdb_getgrgid(struct pdb_methods *m, GROUP_MAP *map,
1035 gid_t gid)
1036 {
1037 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1038 m->private_data, struct pdb_samba_dsdb_state);
1039 NTSTATUS status;
1040 struct id_map id_map;
1041 struct id_map *id_maps[2];
1042 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1043 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1044
1045 id_map.xid.id = gid;
1046 id_map.xid.type = ID_TYPE_GID;
1047 id_maps[0] = &id_map;
1048 id_maps[1] = NULL;
1049
1050 status = idmap_xids_to_sids(state->idmap_ctx, tmp_ctx, id_maps);
1051 if (!NT_STATUS_IS_OK(status)) {
1052 talloc_free(tmp_ctx);
1053 return status;
1054 }
1055 status = pdb_samba_dsdb_getgrsid(m, map, *id_map.sid);
1056 talloc_free(tmp_ctx);
1057 return status;
1058 }
1059
1060 static NTSTATUS pdb_samba_dsdb_getgrnam(struct pdb_methods *m, GROUP_MAP *map,
1061 const char *name)
1062 {
1063 char *filter;
1064 NTSTATUS status;
1065
1066 filter = talloc_asprintf(talloc_tos(),
1067 "(&(samaccountname=%s)(objectclass=group))",
1068 name);
1069 if (filter == NULL) {
1070 return NT_STATUS_NO_MEMORY;
1071 }
1072
1073 status = pdb_samba_dsdb_getgrfilter(m, map, "%s", filter);
1074 TALLOC_FREE(filter);
1075 return status;
1076 }
1077
1078 static NTSTATUS pdb_samba_dsdb_create_dom_group(struct pdb_methods *m,
1079 TALLOC_CTX *mem_ctx, const char *name,
1080 uint32_t *rid)
1081 {
1082 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1083 m->private_data, struct pdb_samba_dsdb_state);
1084 NTSTATUS status;
1085 struct dom_sid *sid;
1086 struct ldb_dn *dn;
1087 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1088 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1089
1090 status = dsdb_add_domain_group(state->ldb, tmp_ctx, name, &sid, &dn);
1091 if (!NT_STATUS_IS_OK(status)) {
1092 talloc_free(tmp_ctx);
1093 return status;
1094 }
1095
1096 sid_peek_rid(sid, rid);
1097 talloc_free(tmp_ctx);
1098 return NT_STATUS_OK;
1099 }
1100
1101 static NTSTATUS pdb_samba_dsdb_delete_dom_group(struct pdb_methods *m,
1102 TALLOC_CTX *mem_ctx, uint32_t rid)
1103 {
1104 const char *attrs[] = { NULL };
1105 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1106 m->private_data, struct pdb_samba_dsdb_state);
1107 struct dom_sid sid;
1108 struct ldb_message *msg;
1109 struct ldb_dn *dn;
1110 int rc;
1111 struct dom_sid_buf buf;
1112 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1113 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1114
1115 sid_compose(&sid, samdb_domain_sid(state->ldb), rid);
1116
1117 if (ldb_transaction_start(state->ldb) != LDB_SUCCESS) {
1118 DEBUG(0, ("Unable to start transaction in pdb_samba_dsdb_delete_dom_group()\n"));
1119 return NT_STATUS_INTERNAL_ERROR;
1120 }
1121
1122 dn = ldb_dn_new_fmt(
1123 tmp_ctx,
1124 state->ldb,
1125 "<SID=%s>",
1126 dom_sid_str_buf(&sid, &buf));
1127 if (!dn || !ldb_dn_validate(dn)) {
1128 talloc_free(tmp_ctx);
1129 ldb_transaction_cancel(state->ldb);
1130 return NT_STATUS_NO_MEMORY;
1131 }
1132 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs, 0, "objectclass=group");
1133 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1134 talloc_free(tmp_ctx);
1135 ldb_transaction_cancel(state->ldb);
1136 return NT_STATUS_NO_SUCH_GROUP;
1137 } else if (rc != LDB_SUCCESS) {
1138 talloc_free(tmp_ctx);
1139 DEBUG(10, ("dsdb_search_one failed %s\n",
1140 ldb_errstring(state->ldb)));
1141 ldb_transaction_cancel(state->ldb);
1142 return NT_STATUS_LDAP(rc);
1143 }
1144 rc = ldb_delete(state->ldb, dn);
1145 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1146 talloc_free(tmp_ctx);
1147 ldb_transaction_cancel(state->ldb);
1148 return NT_STATUS_NO_SUCH_GROUP;
1149 } else if (rc != LDB_SUCCESS) {
1150 DEBUG(10, ("ldb_delete failed %s\n",
1151 ldb_errstring(state->ldb)));
1152 ldb_transaction_cancel(state->ldb);
1153 return NT_STATUS_LDAP(rc);
1154 }
1155
1156 if (ldb_transaction_commit(state->ldb) != LDB_SUCCESS) {
1157 DEBUG(0, ("Unable to commit transaction in pdb_samba_dsdb_delete_dom_group()\n"));
1158 return NT_STATUS_INTERNAL_ERROR;
1159 }
1160 return NT_STATUS_OK;
1161 }
1162
1163 static NTSTATUS pdb_samba_dsdb_add_group_mapping_entry(struct pdb_methods *m,
1164 GROUP_MAP *map)
1165 {
1166 return NT_STATUS_NOT_IMPLEMENTED;
1167 }
1168
1169 static NTSTATUS pdb_samba_dsdb_update_group_mapping_entry(struct pdb_methods *m,
1170 GROUP_MAP *map)
1171 {
1172 return NT_STATUS_NOT_IMPLEMENTED;
1173 }
1174
1175 static NTSTATUS pdb_samba_dsdb_delete_group_mapping_entry(struct pdb_methods *m,
1176 struct dom_sid sid)
1177 {
1178 return NT_STATUS_NOT_IMPLEMENTED;
1179 }
1180
1181 static NTSTATUS pdb_samba_dsdb_enum_group_mapping(struct pdb_methods *m,
1182 const struct dom_sid *sid,
1183 enum lsa_SidType sid_name_use,
1184 GROUP_MAP ***pp_rmap,
1185 size_t *p_num_entries,
1186 bool unix_only)
1187 {
1188 return NT_STATUS_NOT_IMPLEMENTED;
1189 }
1190
1191 static NTSTATUS pdb_samba_dsdb_enum_group_members(struct pdb_methods *m,
1192 TALLOC_CTX *mem_ctx,
1193 const struct dom_sid *group,
1194 uint32_t **pmembers,
1195 size_t *pnum_members)
1196 {
1197 unsigned int i, num_sids, num_members;
1198 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1199 m->private_data, struct pdb_samba_dsdb_state);
1200 struct dom_sid *members_as_sids;
1201 struct dom_sid *dom_sid;
1202 uint32_t *members;
1203 struct ldb_dn *dn;
1204 NTSTATUS status;
1205 struct dom_sid_buf buf;
1206
1207 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1208 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1209
1210 dn = ldb_dn_new_fmt(
1211 tmp_ctx,
1212 state->ldb,
1213 "<SID=%s>",
1214 dom_sid_str_buf(group, &buf));
1215 if (!dn || !ldb_dn_validate(dn)) {
1216 return NT_STATUS_NO_MEMORY;
1217 }
1218
1219 status = dsdb_enum_group_mem(state->ldb, tmp_ctx, dn, &members_as_sids, &num_sids);
1220 if (!NT_STATUS_IS_OK(status)) {
1221 talloc_free(tmp_ctx);
1222 return status;
1223 }
1224 status = dom_sid_split_rid(tmp_ctx, group, &dom_sid, NULL);
1225 if (!NT_STATUS_IS_OK(status)) {
1226 talloc_free(tmp_ctx);
1227 return status;
1228 }
1229
1230 *pmembers = members = talloc_array(mem_ctx, uint32_t, num_sids);
1231 if (*pmembers == NULL) {
1232 TALLOC_FREE(tmp_ctx);
1233 return NT_STATUS_NO_MEMORY;
1234 }
1235 num_members = 0;
1236
1237 for (i = 0; i < num_sids; i++) {
1238 if (!dom_sid_in_domain(dom_sid, &members_as_sids[i])) {
1239 continue;
1240 }
1241 status = dom_sid_split_rid(NULL, &members_as_sids[i],
1242 NULL, &members[num_members]);
1243 if (!NT_STATUS_IS_OK(status)) {
1244 talloc_free(tmp_ctx);
1245 return status;
1246 }
1247 num_members++;
1248 }
1249 *pnum_members = num_members;
1250 return NT_STATUS_OK;
1251 }
1252
1253 /* Just convert the primary group SID into a group */
1254 static NTSTATUS fake_enum_group_memberships(struct pdb_samba_dsdb_state *state,
1255 TALLOC_CTX *mem_ctx,
1256 struct samu *user,
1257 struct dom_sid **pp_sids,
1258 gid_t **pp_gids,
1259 uint32_t *p_num_groups)
1260 {
1261 NTSTATUS status;
1262 size_t num_groups = 0;
1263 struct dom_sid *group_sids = NULL;
1264 gid_t *gids = NULL;
1265 TALLOC_CTX *tmp_ctx;
1266
1267 tmp_ctx = talloc_new(mem_ctx);
1268 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1269
1270 if (user->group_sid) {
1271 struct id_map *id_maps[2];
1272 struct id_map id_map;
1273
1274 num_groups = 1;
1275
1276 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_groups);
1277 if (group_sids == NULL) {
1278 talloc_free(tmp_ctx);
1279 return NT_STATUS_NO_MEMORY;
1280 }
1281 gids = talloc_array(tmp_ctx, gid_t, num_groups);
1282 if (gids == NULL) {
1283 talloc_free(tmp_ctx);
1284 return NT_STATUS_NO_MEMORY;
1285 }
1286
1287 group_sids[0] = *user->group_sid;
1288
1289 ZERO_STRUCT(id_map);
1290 id_map.sid = &group_sids[0];
1291 id_maps[0] = &id_map;
1292 id_maps[1] = NULL;
1293
1294 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
1295 if (!NT_STATUS_IS_OK(status)) {
1296 talloc_free(tmp_ctx);
1297 return status;
1298 }
1299 if (id_map.xid.type == ID_TYPE_GID || id_map.xid.type == ID_TYPE_BOTH) {
1300 gids[0] = id_map.xid.id;
1301 } else {
1302 struct dom_sid_buf buf1, buf2;
1303 DEBUG(1, (__location__
1304 "Group %s, of which %s is a member, could not be converted to a GID\n",
1305 dom_sid_str_buf(&group_sids[0], &buf1),
1306 dom_sid_str_buf(&user->user_sid, &buf2)));
1307 talloc_free(tmp_ctx);
1308 /* We must error out, otherwise a user might
1309 * avoid a DENY acl based on a group they
1310 * missed out on */
1311 return NT_STATUS_NO_SUCH_GROUP;
1312 }
1313 }
1314
1315 *pp_sids = talloc_steal(mem_ctx, group_sids);
1316 *pp_gids = talloc_steal(mem_ctx, gids);
1317 *p_num_groups = num_groups;
1318 talloc_free(tmp_ctx);
1319 return NT_STATUS_OK;
1320 }
1321
1322 static NTSTATUS pdb_samba_dsdb_enum_group_memberships(struct pdb_methods *m,
1323 TALLOC_CTX *mem_ctx,
1324 struct samu *user,
1325 struct dom_sid **pp_sids,
1326 gid_t **pp_gids,
1327 uint32_t *p_num_groups)
1328 {
1329 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1330 m->private_data, struct pdb_samba_dsdb_state);
1331 struct ldb_message *msg = pdb_samba_dsdb_get_samu_private(
1332 m, user);
1333 const char *attrs[] = { "tokenGroups", NULL};
1334 struct ldb_message *tokengroups_msg;
1335 struct ldb_message_element *tokengroups;
1336 int i, rc;
1337 NTSTATUS status;
1338 unsigned int count = 0;
1339 size_t num_groups;
1340 struct dom_sid *group_sids;
1341 gid_t *gids;
1342 TALLOC_CTX *tmp_ctx;
1343
1344 if (msg == NULL) {
1345 /* Fake up some things here */
1346 return fake_enum_group_memberships(state,
1347 mem_ctx,
1348 user, pp_sids,
1349 pp_gids, p_num_groups);
1350 }
1351
1352 tmp_ctx = talloc_new(mem_ctx);
1353 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1354
1355 rc = dsdb_search_one(state->ldb, tmp_ctx, &tokengroups_msg, msg->dn, LDB_SCOPE_BASE, attrs, 0, NULL);
1356
1357 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1358 talloc_free(tmp_ctx);
1359 return NT_STATUS_NO_SUCH_USER;
1360 } else if (rc != LDB_SUCCESS) {
1361 DEBUG(10, ("dsdb_search_one failed %s\n",
1362 ldb_errstring(state->ldb)));
1363 talloc_free(tmp_ctx);
1364 return NT_STATUS_LDAP(rc);
1365 }
1366
1367 tokengroups = ldb_msg_find_element(tokengroups_msg, "tokenGroups");
1368
1369 if (tokengroups) {
1370 count = tokengroups->num_values;
1371 }
1372
1373 group_sids = talloc_array(tmp_ctx, struct dom_sid, count);
1374 if (group_sids == NULL) {
1375 talloc_free(tmp_ctx);
1376 return NT_STATUS_NO_MEMORY;
1377 }
1378 gids = talloc_array(tmp_ctx, gid_t, count);
1379 if (gids == NULL) {
1380 talloc_free(tmp_ctx);
1381 return NT_STATUS_NO_MEMORY;
1382 }
1383 num_groups = 0;
1384
1385 for (i=0; i<count; i++) {
1386 struct id_map *id_maps[2];
1387 struct id_map id_map;
1388 struct ldb_val *v = &tokengroups->values[i];
1389 enum ndr_err_code ndr_err
1390 = ndr_pull_struct_blob(v, group_sids, &group_sids[num_groups],
1391 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
1392 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1393 talloc_free(tmp_ctx);
1394 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1395 }
1396
1397 ZERO_STRUCT(id_map);
1398 id_map.sid = &group_sids[num_groups];
1399 id_maps[0] = &id_map;
1400 id_maps[1] = NULL;
1401
1402 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
1403 if (!NT_STATUS_IS_OK(status)) {
1404 talloc_free(tmp_ctx);
1405 return status;
1406 }
1407 if (id_map.xid.type == ID_TYPE_GID || id_map.xid.type == ID_TYPE_BOTH) {
1408 gids[num_groups] = id_map.xid.id;
1409 } else {
1410 struct dom_sid_buf buf;
1411 DEBUG(1, (__location__
1412 "Group %s, of which %s is a member, could not be converted to a GID\n",
1413 dom_sid_str_buf(&group_sids[num_groups],
1414 &buf),
1415 ldb_dn_get_linearized(msg->dn)));
1416 talloc_free(tmp_ctx);
1417 /* We must error out, otherwise a user might
1418 * avoid a DENY acl based on a group they
1419 * missed out on */
1420 return NT_STATUS_NO_SUCH_GROUP;
1421 }
1422
1423 num_groups += 1;
1424 if (num_groups == count) {
1425 break;
1426 }
1427 }
1428
1429 *pp_sids = talloc_steal(mem_ctx, group_sids);
1430 *pp_gids = talloc_steal(mem_ctx, gids);
1431 *p_num_groups = num_groups;
1432 talloc_free(tmp_ctx);
1433 return NT_STATUS_OK;
1434 }
1435
1436 static NTSTATUS pdb_samba_dsdb_set_unix_primary_group(struct pdb_methods *m,
1437 TALLOC_CTX *mem_ctx,
1438 struct samu *user)
1439 {
1440 return NT_STATUS_NOT_IMPLEMENTED;
1441 }
1442
1443 static NTSTATUS pdb_samba_dsdb_mod_groupmem_by_sid(struct pdb_methods *m,
1444 TALLOC_CTX *mem_ctx,
1445 const struct dom_sid *groupsid,
1446 const struct dom_sid *membersid,
1447 int mod_op)
1448 {
1449 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1450 m->private_data, struct pdb_samba_dsdb_state);
1451 struct ldb_message *msg;
1452 int ret;
1453 struct ldb_message_element *el;
1454 struct dom_sid_buf buf;
1455 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1456 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1457 msg = ldb_msg_new(tmp_ctx);
1458 if (msg == NULL) {
1459 TALLOC_FREE(tmp_ctx);
1460 return NT_STATUS_NO_MEMORY;
1461 }
1462
1463 msg->dn = ldb_dn_new_fmt(
1464 msg,
1465 state->ldb,
1466 "<SID=%s>",
1467 dom_sid_str_buf(groupsid, &buf));
1468 if (!msg->dn || !ldb_dn_validate(msg->dn)) {
1469 talloc_free(tmp_ctx);
1470 return NT_STATUS_NO_MEMORY;
1471 }
1472 ret = ldb_msg_add_fmt(
1473 msg,
1474 "member",
1475 "<SID=%s>",
1476 dom_sid_str_buf(membersid, &buf));
1477 if (ret != LDB_SUCCESS) {
1478 talloc_free(tmp_ctx);
1479 return NT_STATUS_NO_MEMORY;
1480 }
1481 el = ldb_msg_find_element(msg, "member");
1482 el->flags = mod_op;
1483
1484 /* No need for transactions here, the ldb auto-transaction
1485 * code will handle things for the single operation */
1486 ret = ldb_modify(state->ldb, msg);
1487 talloc_free(tmp_ctx);
1488 if (ret != LDB_SUCCESS) {
1489 DEBUG(10, ("ldb_modify failed: %s\n",
1490 ldb_errstring(state->ldb)));
1491 if (ret == LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS) {
1492 return NT_STATUS_MEMBER_IN_GROUP;
1493 }
1494 if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
1495 return NT_STATUS_MEMBER_NOT_IN_GROUP;
1496 }
1497 return NT_STATUS_LDAP(ret);
1498 }
1499
1500 return NT_STATUS_OK;
1501 }
1502
1503 static NTSTATUS pdb_samba_dsdb_mod_groupmem(struct pdb_methods *m,
1504 TALLOC_CTX *mem_ctx,
1505 uint32_t grouprid, uint32_t memberrid,
1506 int mod_op)
1507 {
1508 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1509 m->private_data, struct pdb_samba_dsdb_state);
1510 const struct dom_sid *dom_sid, *groupsid, *membersid;
1511 NTSTATUS status;
1512 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1513 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1514
1515 dom_sid = samdb_domain_sid(state->ldb);
1516
1517 groupsid = dom_sid_add_rid(tmp_ctx, dom_sid, grouprid);
1518 if (groupsid == NULL) {
1519 TALLOC_FREE(tmp_ctx);
1520 return NT_STATUS_NO_MEMORY;
1521 }
1522 membersid = dom_sid_add_rid(tmp_ctx, dom_sid, memberrid);
1523 if (membersid == NULL) {
1524 TALLOC_FREE(tmp_ctx);
1525 return NT_STATUS_NO_MEMORY;
1526 }
1527 status = pdb_samba_dsdb_mod_groupmem_by_sid(m, tmp_ctx, groupsid, membersid, mod_op);
1528 talloc_free(tmp_ctx);
1529 return status;
1530 }
1531
1532 static NTSTATUS pdb_samba_dsdb_add_groupmem(struct pdb_methods *m,
1533 TALLOC_CTX *mem_ctx,
1534 uint32_t group_rid, uint32_t member_rid)
1535 {
1536 return pdb_samba_dsdb_mod_groupmem(m, mem_ctx, group_rid, member_rid,
1537 LDB_FLAG_MOD_ADD);
1538 }
1539
1540 static NTSTATUS pdb_samba_dsdb_del_groupmem(struct pdb_methods *m,
1541 TALLOC_CTX *mem_ctx,
1542 uint32_t group_rid, uint32_t member_rid)
1543 {
1544 return pdb_samba_dsdb_mod_groupmem(m, mem_ctx, group_rid, member_rid,
1545 LDB_FLAG_MOD_DELETE);
1546 }
1547
1548 static NTSTATUS pdb_samba_dsdb_create_alias(struct pdb_methods *m,
1549 const char *name, uint32_t *rid)
1550 {
1551 TALLOC_CTX *frame = talloc_stackframe();
1552 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1553 m->private_data, struct pdb_samba_dsdb_state);
1554 struct dom_sid *sid;
1555
1556 struct ldb_dn *dn;
1557 NTSTATUS status;
1558
1559 /* Internally this uses transactions to ensure all the steps
1560 * happen or fail as one */
1561 status = dsdb_add_domain_alias(state->ldb, frame, name, &sid, &dn);
1562 if (!NT_STATUS_IS_OK(status)) {
1563 TALLOC_FREE(frame);
1564 }
1565
1566 sid_peek_rid(sid, rid);
1567 TALLOC_FREE(frame);
1568 return NT_STATUS_OK;
1569 }
1570
1571 static NTSTATUS pdb_samba_dsdb_delete_alias(struct pdb_methods *m,
1572 const struct dom_sid *sid)
1573 {
1574 const char *attrs[] = { NULL };
1575 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1576 m->private_data, struct pdb_samba_dsdb_state);
1577 struct ldb_message *msg;
1578 struct ldb_dn *dn;
1579 int rc;
1580 struct dom_sid_buf buf;
1581 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1582 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1583
1584 dn = ldb_dn_new_fmt(
1585 tmp_ctx,
1586 state->ldb,
1587 "<SID=%s>",
1588 dom_sid_str_buf(sid, &buf));
1589 if (!dn || !ldb_dn_validate(dn)) {
1590 talloc_free(tmp_ctx);
1591 return NT_STATUS_NO_MEMORY;
1592 }
1593
1594 if (ldb_transaction_start(state->ldb) != LDB_SUCCESS) {
1595 DEBUG(0, ("Failed to start transaction in dsdb_add_domain_alias(): %s\n", ldb_errstring(state->ldb)));
1596 talloc_free(tmp_ctx);
1597 return NT_STATUS_INTERNAL_ERROR;
1598 }
1599
1600 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs, 0, "(objectclass=group)"
1601 "(|(grouptype=%d)(grouptype=%d)))",
1602 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
1603 GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
1604 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1605 talloc_free(tmp_ctx);
1606 ldb_transaction_cancel(state->ldb);
1607 return NT_STATUS_NO_SUCH_ALIAS;
1608 } else if (rc != LDB_SUCCESS) {
1609 talloc_free(tmp_ctx);
1610 DEBUG(10, ("dsdb_search_one failed %s\n",
1611 ldb_errstring(state->ldb)));
1612 ldb_transaction_cancel(state->ldb);
1613 return NT_STATUS_LDAP(rc);
1614 }
1615 rc = ldb_delete(state->ldb, dn);
1616 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1617 talloc_free(tmp_ctx);
1618 ldb_transaction_cancel(state->ldb);
1619 return NT_STATUS_NO_SUCH_ALIAS;
1620 } else if (rc != LDB_SUCCESS) {
1621 DEBUG(10, ("ldb_delete failed %s\n",
1622 ldb_errstring(state->ldb)));
1623 ldb_transaction_cancel(state->ldb);
1624 talloc_free(tmp_ctx);
1625 return NT_STATUS_LDAP(rc);
1626 }
1627
1628 if (ldb_transaction_commit(state->ldb) != LDB_SUCCESS) {
1629 DEBUG(0, ("Failed to commit transaction in pdb_samba_dsdb_delete_alias(): %s\n",
1630 ldb_errstring(state->ldb)));
1631 talloc_free(tmp_ctx);
1632 return NT_STATUS_INTERNAL_ERROR;
1633 }
1634
1635 talloc_free(tmp_ctx);
1636 return NT_STATUS_OK;
1637 }
1638
1639 static NTSTATUS pdb_samba_dsdb_add_aliasmem(struct pdb_methods *m,
1640 const struct dom_sid *alias,
1641 const struct dom_sid *member)
1642 {
1643 NTSTATUS status;
1644 TALLOC_CTX *frame = talloc_stackframe();
1645 status = pdb_samba_dsdb_mod_groupmem_by_sid(m, frame, alias, member, LDB_FLAG_MOD_ADD);
1646 talloc_free(frame);
1647 return status;
1648 }
1649
1650 static NTSTATUS pdb_samba_dsdb_del_aliasmem(struct pdb_methods *m,
1651 const struct dom_sid *alias,
1652 const struct dom_sid *member)
1653 {
1654 NTSTATUS status;
1655 TALLOC_CTX *frame = talloc_stackframe();
1656 status = pdb_samba_dsdb_mod_groupmem_by_sid(m, frame, alias, member, LDB_FLAG_MOD_DELETE);
1657 talloc_free(frame);
1658 return status;
1659 }
1660
1661 static NTSTATUS pdb_samba_dsdb_enum_aliasmem(struct pdb_methods *m,
1662 const struct dom_sid *alias,
1663 TALLOC_CTX *mem_ctx,
1664 struct dom_sid **pmembers,
1665 size_t *pnum_members)
1666 {
1667 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1668 m->private_data, struct pdb_samba_dsdb_state);
1669 struct ldb_dn *dn;
1670 unsigned int num_members;
1671 NTSTATUS status;
1672 struct dom_sid_buf buf;
1673 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1674 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1675
1676 dn = ldb_dn_new_fmt(
1677 tmp_ctx,
1678 state->ldb,
1679 "<SID=%s>",
1680 dom_sid_str_buf(alias, &buf));
1681 if (!dn || !ldb_dn_validate(dn)) {
1682 return NT_STATUS_NO_MEMORY;
1683 }
1684
1685 status = dsdb_enum_group_mem(state->ldb, mem_ctx, dn, pmembers, &num_members);
1686 if (NT_STATUS_IS_OK(status)) {
1687 *pnum_members = num_members;
1688 }
1689 talloc_free(tmp_ctx);
1690 return status;
1691 }
1692
1693 static NTSTATUS pdb_samba_dsdb_enum_alias_memberships(struct pdb_methods *m,
1694 TALLOC_CTX *mem_ctx,
1695 const struct dom_sid *domain_sid,
1696 const struct dom_sid *members,
1697 size_t num_members,
1698 uint32_t **palias_rids,
1699 size_t *pnum_alias_rids)
1700 {
1701 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1702 m->private_data, struct pdb_samba_dsdb_state);
1703 uint32_t *alias_rids = NULL;
1704 size_t num_alias_rids = 0;
1705 int i;
1706 struct auth_SidAttr *groupSIDs = NULL;
1707 uint32_t num_groupSIDs = 0;
1708 char *filter;
1709 NTSTATUS status;
1710 const char *sid_dn;
1711 DATA_BLOB sid_blob;
1712
1713 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1714 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1715 /*
1716 * TODO: Get the filter right so that we only get the aliases from
1717 * either the SAM or BUILTIN
1718 */
1719
1720 filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:"LDB_OID_COMPARATOR_AND":=%u))",
1721 GROUP_TYPE_BUILTIN_LOCAL_GROUP);
1722 if (filter == NULL) {
1723 return NT_STATUS_NO_MEMORY;
1724 }
1725
1726 for (i = 0; i < num_members; i++) {
1727 struct dom_sid_buf buf;
1728
1729 sid_dn = talloc_asprintf(
1730 tmp_ctx,
1731 "<SID=%s>",
1732 dom_sid_str_buf(&members[i], &buf));
1733 if (sid_dn == NULL) {
1734 TALLOC_FREE(tmp_ctx);
1735 return NT_STATUS_NO_MEMORY;
1736 }
1737
1738 sid_blob = data_blob_string_const(sid_dn);
1739
1740 status = dsdb_expand_nested_groups(state->ldb, &sid_blob, true, filter,
1741 tmp_ctx, &groupSIDs, &num_groupSIDs);
1742 if (!NT_STATUS_IS_OK(status)) {
1743 talloc_free(tmp_ctx);
1744 return status;
1745 }
1746 }
1747
1748 alias_rids = talloc_array(mem_ctx, uint32_t, num_groupSIDs);
1749 if (alias_rids == NULL) {
1750 talloc_free(tmp_ctx);
1751 return NT_STATUS_NO_MEMORY;
1752 }
1753
1754 for (i=0; i<num_groupSIDs; i++) {
1755 if (sid_peek_check_rid(domain_sid, &groupSIDs[i].sid,
1756 &alias_rids[num_alias_rids])) {
1757 num_alias_rids++;;
1758 }
1759 }
1760
1761 *palias_rids = alias_rids;
1762 *pnum_alias_rids = num_alias_rids;
1763 return NT_STATUS_OK;
1764 }
1765
1766 static NTSTATUS pdb_samba_dsdb_lookup_rids(struct pdb_methods *m,
1767 const struct dom_sid *domain_sid,
1768 int num_rids,
1769 uint32_t *rids,
1770 const char **names,
1771 enum lsa_SidType *lsa_attrs)
1772 {
1773 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1774 m->private_data, struct pdb_samba_dsdb_state);
1775 NTSTATUS status;
1776
1777 TALLOC_CTX *tmp_ctx;
1778
1779 if (num_rids == 0) {
1780 return NT_STATUS_NONE_MAPPED;
1781 }
1782
1783 tmp_ctx = talloc_stackframe();
1784 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1785
1786 status = dsdb_lookup_rids(state->ldb, tmp_ctx, domain_sid, num_rids, rids, names, lsa_attrs);
1787 talloc_free(tmp_ctx);
1788 return status;
1789 }
1790
1791 static NTSTATUS pdb_samba_dsdb_lookup_names(struct pdb_methods *m,
1792 const struct dom_sid *domain_sid,
1793 int num_names,
1794 const char **pp_names,
1795 uint32_t *rids,
1796 enum lsa_SidType *attrs)
1797 {
1798 return NT_STATUS_NOT_IMPLEMENTED;
1799 }
1800
1801 static NTSTATUS pdb_samba_dsdb_get_account_policy(struct pdb_methods *m,
1802 enum pdb_policy_type type,
1803 uint32_t *value)
1804 {
1805 return account_policy_get(type, value)
1806 ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1807 }
1808
1809 static NTSTATUS pdb_samba_dsdb_set_account_policy(struct pdb_methods *m,
1810 enum pdb_policy_type type,
1811 uint32_t value)
1812 {
1813 return account_policy_set(type, value)
1814 ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1815 }
1816
1817 static NTSTATUS pdb_samba_dsdb_get_seq_num(struct pdb_methods *m,
1818 time_t *seq_num_out)
1819 {
1820 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1821 m->private_data, struct pdb_samba_dsdb_state);
1822 uint64_t seq_num;
1823 int ret = ldb_sequence_number(state->ldb, LDB_SEQ_HIGHEST_SEQ, &seq_num);
1824 if (ret == LDB_SUCCESS) {
1825 *seq_num_out = seq_num;
1826 return NT_STATUS_OK;
1827 } else {
1828 return NT_STATUS_UNSUCCESSFUL;
1829 }
1830 }
1831
1832 struct pdb_samba_dsdb_search_state {
1833 uint32_t acct_flags;
1834 struct samr_displayentry *entries;
1835 uint32_t num_entries;
1836 ssize_t array_size;
1837 uint32_t current;
1838 };
1839
1840 static bool pdb_samba_dsdb_next_entry(struct pdb_search *search,
1841 struct samr_displayentry *entry)
1842 {
1843 struct pdb_samba_dsdb_search_state *state = talloc_get_type_abort(
1844 search->private_data, struct pdb_samba_dsdb_search_state);
1845
1846 if (state->current == state->num_entries) {
1847 return false;
1848 }
1849
1850 entry->idx = state->entries[state->current].idx;
1851 entry->rid = state->entries[state->current].rid;
1852 entry->acct_flags = state->entries[state->current].acct_flags;
1853
1854 entry->account_name = talloc_strdup(
1855 search, state->entries[state->current].account_name);
1856 entry->fullname = talloc_strdup(
1857 search, state->entries[state->current].fullname);
1858 entry->description = talloc_strdup(
1859 search, state->entries[state->current].description);
1860
1861 state->current += 1;
1862 return true;
1863 }
1864
1865 static void pdb_samba_dsdb_search_end(struct pdb_search *search)
1866 {
1867 struct pdb_samba_dsdb_search_state *state = talloc_get_type_abort(
1868 search->private_data, struct pdb_samba_dsdb_search_state);
1869 talloc_free(state);
1870 }
1871
1872 static bool pdb_samba_dsdb_search_filter(struct pdb_methods *m,
1873 struct pdb_search *search,
1874 struct pdb_samba_dsdb_search_state **pstate,
1875 const char *exp_fmt, ...)
1876 PRINTF_ATTRIBUTE(4, 5);
1877
1878 static bool pdb_samba_dsdb_search_filter(struct pdb_methods *m,
1879 struct pdb_search *search,
1880 struct pdb_samba_dsdb_search_state **pstate,
1881 const char *exp_fmt, ...)
1882 {
1883 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1884 m->private_data, struct pdb_samba_dsdb_state);
1885 struct pdb_samba_dsdb_search_state *sstate;
1886 const char * attrs[] = { "objectSid", "sAMAccountName", "displayName",
1887 "userAccountControl", "description", NULL };
1888 struct ldb_result *res;
1889 int i, rc, num_users;
1890
1891 va_list ap;
1892 char *expression = NULL;
1893
1894 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1895 if (!tmp_ctx) {
1896 return false;
1897 }
1898
1899 va_start(ap, exp_fmt);
1900 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
1901 va_end(ap);
1902
1903 if (!expression) {
1904 talloc_free(tmp_ctx);
1905 return LDB_ERR_OPERATIONS_ERROR;
1906 }
1907
1908 sstate = talloc_zero(tmp_ctx, struct pdb_samba_dsdb_search_state);
1909 if (sstate == NULL) {
1910 talloc_free(tmp_ctx);
1911 return false;
1912 }
1913
1914 rc = dsdb_search(state->ldb, tmp_ctx, &res, ldb_get_default_basedn(state->ldb), LDB_SCOPE_SUBTREE, attrs, 0, "%s", expression);
1915 if (rc != LDB_SUCCESS) {
1916 talloc_free(tmp_ctx);
1917 DEBUG(10, ("dsdb_search failed: %s\n",
1918 ldb_errstring(state->ldb)));
1919 return false;
1920 }
1921
1922 num_users = res->count;
1923
1924 sstate->entries = talloc_array(sstate, struct samr_displayentry,
1925 num_users);
1926 if (sstate->entries == NULL) {
1927 talloc_free(tmp_ctx);
1928 DEBUG(10, ("talloc failed\n"));
1929 return false;
1930 }
1931
1932 sstate->num_entries = 0;
1933
1934 for (i=0; i<num_users; i++) {
1935 struct samr_displayentry *e;
1936 struct dom_sid *sid;
1937
1938 e = &sstate->entries[sstate->num_entries];
1939
1940 e->idx = sstate->num_entries;
1941 sid = samdb_result_dom_sid(tmp_ctx, res->msgs[i], "objectSid");
1942 if (!sid) {
1943 talloc_free(tmp_ctx);
1944 DEBUG(10, ("Could not pull SID\n"));
1945 return false;
1946 }
1947 sid_peek_rid(sid, &e->rid);
1948
1949 e->acct_flags = samdb_result_acct_flags(res->msgs[i], "userAccountControl");
1950 e->account_name = ldb_msg_find_attr_as_string(
1951 res->msgs[i], "samAccountName", NULL);
1952 if (e->account_name == NULL) {
1953 talloc_free(tmp_ctx);
1954 return false;
1955 }
1956 e->fullname = ldb_msg_find_attr_as_string(
1957 res->msgs[i], "displayName", "");
1958 e->description = ldb_msg_find_attr_as_string(
1959 res->msgs[i], "description", "");
1960
1961 sstate->num_entries += 1;
1962 if (sstate->num_entries >= num_users) {
1963 break;
1964 }
1965 }
1966 talloc_steal(sstate->entries, res->msgs);
1967 search->private_data = talloc_steal(search, sstate);
1968 search->next_entry = pdb_samba_dsdb_next_entry;
1969 search->search_end = pdb_samba_dsdb_search_end;
1970 *pstate = sstate;
1971 talloc_free(tmp_ctx);
1972 return true;
1973 }
1974
1975 static bool pdb_samba_dsdb_search_users(struct pdb_methods *m,
1976 struct pdb_search *search,
1977 uint32_t acct_flags)
1978 {
1979 struct pdb_samba_dsdb_search_state *sstate;
1980 bool ret;
1981
1982 ret = pdb_samba_dsdb_search_filter(m, search, &sstate, "(objectclass=user)");
1983 if (!ret) {
1984 return false;
1985 }
1986 sstate->acct_flags = acct_flags;
1987 return true;
1988 }
1989
1990 static bool pdb_samba_dsdb_search_groups(struct pdb_methods *m,
1991 struct pdb_search *search)
1992 {
1993 struct pdb_samba_dsdb_search_state *sstate;
1994 bool ret;
1995
1996 ret = pdb_samba_dsdb_search_filter(m, search, &sstate,
1997 "(&(grouptype=%d)(objectclass=group))",
1998 GTYPE_SECURITY_GLOBAL_GROUP);
1999 if (!ret) {
2000 return false;
2001 }
2002 sstate->acct_flags = 0;
2003 return true;
2004 }
2005
2006 static bool pdb_samba_dsdb_search_aliases(struct pdb_methods *m,
2007 struct pdb_search *search,
2008 const struct dom_sid *sid)
2009 {
2010 struct pdb_samba_dsdb_search_state *sstate;
2011 bool ret;
2012
2013 ret = pdb_samba_dsdb_search_filter(m, search, &sstate,
2014 "(&(grouptype=%d)(objectclass=group))",
2015 sid_check_is_builtin(sid)
2016 ? GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
2017 : GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
2018 if (!ret) {
2019 return false;
2020 }
2021 sstate->acct_flags = 0;
2022 return true;
2023 }
2024
2025 /*
2026 * Instead of taking a gid or uid, this function takes a pointer to a
2027 * unixid.
2028 *
2029 * This acts as an in-out variable so that the idmap functions can correctly
2030 * receive ID_TYPE_BOTH, and this function ensures cache details are filled
2031 * correctly rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID.
2032 */
2033 static bool pdb_samba_dsdb_id_to_sid(struct pdb_methods *m, struct unixid *id,
2034 struct dom_sid *sid)
2035 {
2036 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2037 m->private_data, struct pdb_samba_dsdb_state);
2038 NTSTATUS status;
2039 struct id_map id_map;
2040 struct id_map *id_maps[2];
2041 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2042 if (!tmp_ctx) {
2043 return false;
2044 }
2045
2046 id_map.xid = *id;
2047 id_maps[0] = &id_map;
2048 id_maps[1] = NULL;
2049
2050 status = idmap_xids_to_sids(state->idmap_ctx, tmp_ctx, id_maps);
2051 if (!NT_STATUS_IS_OK(status)) {
2052 talloc_free(tmp_ctx);
2053 return false;
2054 }
2055
2056 if (id_map.xid.type != ID_TYPE_NOT_SPECIFIED) {
2057 id->type = id_map.xid.type;
2058 }
2059 *sid = *id_map.sid;
2060 talloc_free(tmp_ctx);
2061 return true;
2062 }
2063
2064 static bool pdb_samba_dsdb_sid_to_id(struct pdb_methods *m, const struct dom_sid *sid,
2065 struct unixid *id)
2066 {
2067 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2068 m->private_data, struct pdb_samba_dsdb_state);
2069 struct id_map id_map;
2070 struct id_map *id_maps[2];
2071 NTSTATUS status;
2072 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2073 if (!tmp_ctx) {
2074 return false;
2075 }
2076
2077 ZERO_STRUCT(id_map);
2078 id_map.sid = discard_const_p(struct dom_sid, sid);
2079 id_maps[0] = &id_map;
2080 id_maps[1] = NULL;
2081
2082 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
2083 talloc_free(tmp_ctx);
2084 if (!NT_STATUS_IS_OK(status)) {
2085 return false;
2086 }
2087 if (id_map.xid.type != ID_TYPE_NOT_SPECIFIED) {
2088 *id = id_map.xid;
2089 return true;
2090 }
2091 return false;
2092 }
2093
2094 static uint32_t pdb_samba_dsdb_capabilities(struct pdb_methods *m)
2095 {
2096 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
2097 }
2098
2099 static bool pdb_samba_dsdb_new_rid(struct pdb_methods *m, uint32_t *rid)
2100 {
2101 return false;
2102 }
2103
2104 static bool pdb_samba_dsdb_get_trusteddom_pw(struct pdb_methods *m,
2105 const char *domain, char** pwd,
2106 struct dom_sid *sid,
2107 time_t *pass_last_set_time)
2108 {
2109 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2110 m->private_data, struct pdb_samba_dsdb_state);
2111 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2112 const char * const attrs[] = {
2113 "securityIdentifier",
2114 "flatName",
2115 "trustPartner",
2116 "trustAuthOutgoing",
2117 "whenCreated",
2118 "msDS-SupportedEncryptionTypes",
2119 "trustAttributes",
2120 "trustDirection",
2121 "trustType",
2122 NULL
2123 };
2124 struct ldb_message *msg;
2125 const struct ldb_val *password_val;
2126 int trust_direction_flags;
2127 int trust_type;
2128 int i;
2129 DATA_BLOB password_utf16;
2130 struct trustAuthInOutBlob password_blob;
2131 struct AuthenticationInformationArray *auth_array;
2132 char *password_talloc;
2133 size_t password_len;
2134 enum ndr_err_code ndr_err;
2135 NTSTATUS status;
2136 const char *netbios_domain = NULL;
2137 const struct dom_sid *domain_sid = NULL;
2138
2139 status = dsdb_trust_search_tdo(state->ldb, domain, NULL,
2140 attrs, tmp_ctx, &msg);
2141 if (!NT_STATUS_IS_OK(status)) {
2142 /*
2143 * This can be called to work out of a domain is
2144 * trusted, rather than just to get the password
2145 */
2146 DEBUG(2, ("Failed to get trusted domain password for %s - %s. "
2147 "It may not be a trusted domain.\n", domain,
2148 nt_errstr(status)));
2149 TALLOC_FREE(tmp_ctx);
2150 return false;
2151 }
2152
2153 netbios_domain = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
2154 if (netbios_domain == NULL) {
2155 DEBUG(2, ("Trusted domain %s has to flatName defined.\n",
2156 domain));
2157 TALLOC_FREE(tmp_ctx);
2158 return false;
2159 }
2160
2161 domain_sid = samdb_result_dom_sid(tmp_ctx, msg, "securityIdentifier");
2162 if (domain_sid == NULL) {
2163 DEBUG(2, ("Trusted domain %s has no securityIdentifier defined.\n",
2164 domain));
2165 TALLOC_FREE(tmp_ctx);
2166 return false;
2167 }
2168
2169 trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
2170 if (!(trust_direction_flags & LSA_TRUST_DIRECTION_OUTBOUND)) {
2171 DBG_WARNING("Trusted domain %s is not an outbound trust.\n",
2172 domain);
2173 TALLOC_FREE(tmp_ctx);
2174 return false;
2175 }
2176
2177 trust_type = ldb_msg_find_attr_as_int(msg, "trustType", 0);
2178 if (trust_type == LSA_TRUST_TYPE_MIT) {
2179 DBG_WARNING("Trusted domain %s is not an AD trust "
2180 "(trustType == LSA_TRUST_TYPE_MIT).\n", domain);
2181 TALLOC_FREE(tmp_ctx);
2182 return false;
2183 }
2184
2185 password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
2186 if (password_val == NULL) {
2187 DEBUG(2, ("Failed to get trusted domain password for %s, "
2188 "attribute trustAuthOutgoing not returned.\n", domain));
2189 TALLOC_FREE(tmp_ctx);
2190 return false;
2191 }
2192
2193 ndr_err = ndr_pull_struct_blob(password_val, tmp_ctx, &password_blob,
2194 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2195 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2196 DEBUG(0, ("Failed to get trusted domain password for %s, "
2197 "attribute trustAuthOutgoing could not be parsed %s.\n",
2198 domain,
2199 ndr_map_error2string(ndr_err)));
2200 TALLOC_FREE(tmp_ctx);
2201 return false;
2202 }
2203
2204 auth_array = &password_blob.current;
2205
2206 for (i=0; i < auth_array->count; i++) {
2207 if (auth_array->array[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
2208 break;
2209 }
2210 }
2211
2212 if (i == auth_array->count) {
2213 DEBUG(0, ("Trusted domain %s does not have a "
2214 "clear-text password stored\n",
2215 domain));
2216 TALLOC_FREE(tmp_ctx);
2217 return false;
2218 }
2219
2220 password_utf16 = data_blob_const(auth_array->array[i].AuthInfo.clear.password,
2221 auth_array->array[i].AuthInfo.clear.size);
2222
2223 /*
2224 * In the future, make this function return a
2225 * cli_credentials that can store a MD4 hash with cli_credential_set_nt_hash()
2226 * but for now convert to UTF8 and fail if the string can not be converted.
2227 *
2228 * We can't safely convert the random strings windows uses into
2229 * utf8.
2230 */
2231 if (!convert_string_talloc(tmp_ctx,
2232 CH_UTF16MUNGED, CH_UTF8,
2233 password_utf16.data, password_utf16.length,
2234 (void *)&password_talloc,
2235 &password_len)) {
2236 DEBUG(0, ("FIXME: Could not convert password for trusted domain %s"
2237 " to UTF8. This may be a password set from Windows.\n",
2238 domain));
2239 TALLOC_FREE(tmp_ctx);
2240 return false;
2241 }
2242 *pwd = SMB_STRNDUP(password_talloc, password_len);
2243 if (pass_last_set_time) {
2244 *pass_last_set_time = nt_time_to_unix(auth_array->array[i].LastUpdateTime);
2245 }
2246
2247 if (sid != NULL) {
2248 sid_copy(sid, domain_sid);
2249 }
2250
2251 TALLOC_FREE(tmp_ctx);
2252 return true;
2253 }
2254
2255 static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
2256 const char *domain,
2257 TALLOC_CTX *mem_ctx,
2258 struct cli_credentials **_creds)
2259 {
2260 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2261 m->private_data, struct pdb_samba_dsdb_state);
2262 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2263 const char * const attrs[] = {
2264 "securityIdentifier",
2265 "flatName",
2266 "trustPartner",
2267 "trustAuthOutgoing",
2268 "whenCreated",
2269 "msDS-SupportedEncryptionTypes",
2270 "trustAttributes",
2271 "trustDirection",
2272 "trustType",
2273 NULL
2274 };
2275 struct ldb_message *msg;
2276 const struct ldb_val *password_val;
2277 int trust_direction_flags;
2278 int trust_type;
2279 int i;
2280 DATA_BLOB password_utf16 = {};
2281 struct samr_Password *password_nt = NULL;
2282 uint32_t password_version = 0;
2283 DATA_BLOB old_password_utf16 = {};
2284 struct samr_Password *old_password_nt = NULL;
2285 struct trustAuthInOutBlob password_blob;
2286 enum ndr_err_code ndr_err;
2287 NTSTATUS status;
2288 time_t last_set_time = 0;
2289 struct cli_credentials *creds = NULL;
2290 bool ok;
2291 const char *my_netbios_name = NULL;
2292 const char *my_netbios_domain = NULL;
2293 const char *my_dns_domain = NULL;
2294 const char *netbios_domain = NULL;
2295 char *account_name = NULL;
2296 char *principal_name = NULL;
2297 const char *dns_domain = NULL;
2298
2299 status = dsdb_trust_search_tdo(state->ldb, domain, NULL,
2300 attrs, tmp_ctx, &msg);
2301 if (!NT_STATUS_IS_OK(status)) {
2302 /*
2303 * This can be called to work out of a domain is
2304 * trusted, rather than just to get the password
2305 */
2306 DEBUG(2, ("Failed to get trusted domain password for %s - %s "
2307 "It may not be a trusted domain.\n", domain,
2308 nt_errstr(status)));
2309 TALLOC_FREE(tmp_ctx);
2310 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2311 }
2312
2313 netbios_domain = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
2314 if (netbios_domain == NULL) {
2315 DEBUG(2, ("Trusted domain %s has to flatName defined.\n",
2316 domain));
2317 TALLOC_FREE(tmp_ctx);
2318 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2319 }
2320
2321 dns_domain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
2322
2323 trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
2324 if (!(trust_direction_flags & LSA_TRUST_DIRECTION_OUTBOUND)) {
2325 DBG_WARNING("Trusted domain %s is not an outbound trust.\n",
2326 domain);
2327 TALLOC_FREE(tmp_ctx);
2328 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2329 }
2330
2331 trust_type = ldb_msg_find_attr_as_int(msg, "trustType", 0);
2332 if (trust_type == LSA_TRUST_TYPE_MIT) {
2333 DBG_WARNING("Trusted domain %s is not an AD trust "
2334 "(trustType == LSA_TRUST_TYPE_MIT).\n", domain);
2335 TALLOC_FREE(tmp_ctx);
2336 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2337 }
2338
2339 password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
2340 if (password_val == NULL) {
2341 DEBUG(2, ("Failed to get trusted domain password for %s, "
2342 "attribute trustAuthOutgoing not returned.\n", domain));
2343 TALLOC_FREE(tmp_ctx);
2344 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2345 }
2346
2347 ndr_err = ndr_pull_struct_blob(password_val, tmp_ctx, &password_blob,
2348 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2349 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2350 DEBUG(0, ("Failed to get trusted domain password for %s, "
2351 "attribute trustAuthOutgoing could not be parsed %s.\n",
2352 domain,
2353 ndr_map_error2string(ndr_err)));
2354 TALLOC_FREE(tmp_ctx);
2355 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2356 }
2357
2358 for (i=0; i < password_blob.current.count; i++) {
2359 struct AuthenticationInformation *a =
2360 &password_blob.current.array[i];
2361
2362 switch (a->AuthType) {
2363 case TRUST_AUTH_TYPE_NONE:
2364 break;
2365
2366 case TRUST_AUTH_TYPE_VERSION:
2367 password_version = a->AuthInfo.version.version;
2368 break;
2369
2370 case TRUST_AUTH_TYPE_CLEAR:
2371 last_set_time = nt_time_to_unix(a->LastUpdateTime);
2372
2373 password_utf16 = data_blob_const(a->AuthInfo.clear.password,
2374 a->AuthInfo.clear.size);
2375 password_nt = NULL;
2376 break;
2377
2378 case TRUST_AUTH_TYPE_NT4OWF:
2379 if (password_utf16.length != 0) {
2380 break;
2381 }
2382
2383 last_set_time = nt_time_to_unix(a->LastUpdateTime);
2384
2385 password_nt = &a->AuthInfo.nt4owf.password;
2386 break;
2387 }
2388 }
2389
2390 for (i=0; i < password_blob.previous.count; i++) {
2391 struct AuthenticationInformation *a = &password_blob.previous.array[i];
2392
2393 switch (a->AuthType) {
2394 case TRUST_AUTH_TYPE_NONE:
2395 break;
2396
2397 case TRUST_AUTH_TYPE_VERSION:
2398 break;
2399
2400 case TRUST_AUTH_TYPE_CLEAR:
2401 old_password_utf16 = data_blob_const(a->AuthInfo.clear.password,
2402 a->AuthInfo.clear.size);
2403 old_password_nt = NULL;
2404 break;
2405
2406 case TRUST_AUTH_TYPE_NT4OWF:
2407 if (old_password_utf16.length != 0) {
2408 break;
2409 }
2410
2411 old_password_nt = &a->AuthInfo.nt4owf.password;
2412 break;
2413 }
2414 }
2415
2416 if (password_utf16.length == 0 && password_nt == NULL) {
2417 DEBUG(0, ("Trusted domain %s does not have a "
2418 "clear-text nor nt password stored\n",
2419 domain));
2420 TALLOC_FREE(tmp_ctx);
2421 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2422 }
2423
2424 my_netbios_name = lpcfg_netbios_name(state->lp_ctx);
2425 my_netbios_domain = lpcfg_workgroup(state->lp_ctx);
2426 my_dns_domain = lpcfg_dnsdomain(state->lp_ctx);
2427
2428 creds = cli_credentials_init(tmp_ctx);
2429 if (creds == NULL) {
2430 TALLOC_FREE(tmp_ctx);
2431 return NT_STATUS_NO_MEMORY;
2432 }
2433
2434 ok = cli_credentials_set_workstation(creds, my_netbios_name, CRED_SPECIFIED);
2435 if (!ok) {
2436 TALLOC_FREE(tmp_ctx);
2437 return NT_STATUS_NO_MEMORY;
2438 }
2439
2440 ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
2441 if (!ok) {
2442 TALLOC_FREE(tmp_ctx);
2443 return NT_STATUS_NO_MEMORY;
2444 }
2445 ok = cli_credentials_set_realm(creds, dns_domain, CRED_SPECIFIED);
2446 if (!ok) {
2447 TALLOC_FREE(tmp_ctx);
2448 return NT_STATUS_NO_MEMORY;
2449 }
2450
2451 if (my_dns_domain != NULL && dns_domain != NULL) {
2452 cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DNS_DOMAIN);
2453 account_name = talloc_asprintf(tmp_ctx, "%s.", my_dns_domain);
2454 if (account_name == NULL) {
2455 TALLOC_FREE(tmp_ctx);
2456 return NT_STATUS_NO_MEMORY;
2457 }
2458 principal_name = talloc_asprintf(tmp_ctx, "%s$@%s", my_netbios_domain,
2459 cli_credentials_get_realm(creds));
2460 if (principal_name == NULL) {
2461 TALLOC_FREE(tmp_ctx);
2462 return NT_STATUS_NO_MEMORY;
2463 }
2464 } else {
2465 cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DOMAIN);
2466 account_name = talloc_asprintf(tmp_ctx, "%s$", my_netbios_domain);
2467 if (account_name == NULL) {
2468 TALLOC_FREE(tmp_ctx);
2469 return NT_STATUS_NO_MEMORY;
2470 }
2471 principal_name = NULL;
2472 }
2473
2474 ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
2475 if (!ok) {
2476 TALLOC_FREE(tmp_ctx);
2477 return NT_STATUS_NO_MEMORY;
2478 }
2479
2480 if (principal_name != NULL) {
2481 ok = cli_credentials_set_principal(creds, principal_name,
2482 CRED_SPECIFIED);
2483 if (!ok) {
2484 TALLOC_FREE(tmp_ctx);
2485 return NT_STATUS_NO_MEMORY;
2486 }
2487 }
2488
2489 if (old_password_nt != NULL) {
2490 ok = cli_credentials_set_old_nt_hash(creds, old_password_nt);
2491 if (!ok) {
2492 TALLOC_FREE(tmp_ctx);
2493 return NT_STATUS_NO_MEMORY;
2494 }
2495 }
2496
2497 if (old_password_utf16.length > 0) {
2498 ok = cli_credentials_set_old_utf16_password(creds,
2499 &old_password_utf16);
2500 if (!ok) {
2501 TALLOC_FREE(tmp_ctx);
2502 return NT_STATUS_NO_MEMORY;
2503 }
2504 }
2505
2506 if (password_nt != NULL) {
2507 ok = cli_credentials_set_nt_hash(creds, password_nt,
2508 CRED_SPECIFIED);
2509 if (!ok) {
2510 TALLOC_FREE(tmp_ctx);
2511 return NT_STATUS_NO_MEMORY;
2512 }
2513 }
2514
2515 if (password_utf16.length > 0) {
2516 ok = cli_credentials_set_utf16_password(creds,
2517 &password_utf16,
2518 CRED_SPECIFIED);
2519 if (!ok) {
2520 TALLOC_FREE(tmp_ctx);
2521 return NT_STATUS_NO_MEMORY;
2522 }
2523 }
2524
2525 cli_credentials_set_password_last_changed_time(creds, last_set_time);
2526 cli_credentials_set_kvno(creds, password_version);
2527
2528 if (password_utf16.length > 0 && dns_domain != NULL) {
2529 /*
2530 * Force kerberos if this is an active directory domain
2531 */
2532 cli_credentials_set_kerberos_state(creds,
2533 CRED_USE_KERBEROS_REQUIRED,
2534 CRED_SPECIFIED);
2535 } else {
2536 /*
2537 * TODO: we should allow krb5 with the raw nt hash.
2538 */
2539 cli_credentials_set_kerberos_state(creds,
2540 CRED_USE_KERBEROS_DISABLED,
2541 CRED_SPECIFIED);
2542 }
2543
2544 *_creds = talloc_move(mem_ctx, &creds);
2545 TALLOC_FREE(tmp_ctx);
2546 return NT_STATUS_OK;
2547 }
2548
2549 static bool pdb_samba_dsdb_set_trusteddom_pw(struct pdb_methods *m,
2550 const char* domain, const char* pwd,
2551 const struct dom_sid *sid)
2552 {
2553 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2554 m->private_data, struct pdb_samba_dsdb_state);
2555 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2556 const char * const attrs[] = {
2557 "trustAuthOutgoing",
2558 "trustDirection",
2559 "trustType",
2560 NULL
2561 };
2562 struct ldb_message *msg = NULL;
2563 int trust_direction_flags;
2564 int trust_type;
2565 uint32_t i; /* The same type as old_blob.current.count */
2566 const struct ldb_val *old_val = NULL;
2567 struct trustAuthInOutBlob old_blob = {};
2568 uint32_t old_version = 0;
2569 uint32_t new_version = 0;
2570 DATA_BLOB new_utf16 = {};
2571 struct trustAuthInOutBlob new_blob = {};
2572 struct ldb_val new_val = {};
2573 struct timeval tv = timeval_current();
2574 NTTIME now = timeval_to_nttime(&tv);
2575 enum ndr_err_code ndr_err;
2576 NTSTATUS status;
2577 bool ok;
2578 int ret;
2579
2580 ret = ldb_transaction_start(state->ldb);
2581 if (ret != LDB_SUCCESS) {
2582 DEBUG(2, ("Failed to start transaction.\n"));
2583 TALLOC_FREE(tmp_ctx);
2584 return false;
2585 }
2586
2587 ok = samdb_is_pdc(state->ldb);
2588 if (!ok) {
2589 DEBUG(2, ("Password changes for domain %s are only allowed on a PDC.\n",
2590 domain));
2591 TALLOC_FREE(tmp_ctx);
2592 ldb_transaction_cancel(state->ldb);
2593 return false;
2594 }
2595
2596 status = dsdb_trust_search_tdo(state->ldb, domain, NULL,
2597 attrs, tmp_ctx, &msg);
2598 if (!NT_STATUS_IS_OK(status)) {
2599 /*
2600 * This can be called to work out of a domain is
2601 * trusted, rather than just to get the password
2602 */
2603 DEBUG(2, ("Failed to get trusted domain password for %s - %s. "
2604 "It may not be a trusted domain.\n", domain,
2605 nt_errstr(status)));
2606 TALLOC_FREE(tmp_ctx);
2607 ldb_transaction_cancel(state->ldb);
2608 return false;
2609 }
2610
2611 trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
2612 if (!(trust_direction_flags & LSA_TRUST_DIRECTION_OUTBOUND)) {
2613 DBG_WARNING("Trusted domain %s is not an outbound trust, can't set a password.\n",
2614 domain);
2615 TALLOC_FREE(tmp_ctx);
2616 ldb_transaction_cancel(state->ldb);
2617 return false;
2618 }
2619
2620 trust_type = ldb_msg_find_attr_as_int(msg, "trustType", 0);
2621 switch (trust_type) {
2622 case LSA_TRUST_TYPE_DOWNLEVEL:
2623 case LSA_TRUST_TYPE_UPLEVEL:
2624 break;
2625 default:
2626 DEBUG(0, ("Trusted domain %s is of type 0x%X - "
2627 "password changes are not supported\n",
2628 domain, (unsigned)trust_type));
2629 TALLOC_FREE(tmp_ctx);
2630 ldb_transaction_cancel(state->ldb);
2631 return false;
2632 }
2633
2634 old_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
2635 if (old_val != NULL) {
2636 ndr_err = ndr_pull_struct_blob(old_val, tmp_ctx, &old_blob,
2637 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2638 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2639 DEBUG(0, ("Failed to get trusted domain password for %s, "
2640 "attribute trustAuthOutgoing could not be parsed %s.\n",
2641 domain,
2642 ndr_map_error2string(ndr_err)));
2643 TALLOC_FREE(tmp_ctx);
2644 ldb_transaction_cancel(state->ldb);
2645 return false;
2646 }
2647 }
2648
2649 for (i=0; i < old_blob.current.count; i++) {
2650 struct AuthenticationInformation *a =
2651 &old_blob.current.array[i];
2652
2653 switch (a->AuthType) {
2654 case TRUST_AUTH_TYPE_NONE:
2655 break;
2656
2657 case TRUST_AUTH_TYPE_VERSION:
2658 old_version = a->AuthInfo.version.version;
2659 break;
2660
2661 case TRUST_AUTH_TYPE_CLEAR:
2662 break;
2663
2664 case TRUST_AUTH_TYPE_NT4OWF:
2665 break;
2666 }
2667 }
2668
2669 new_version = old_version + 1;
2670 ok = convert_string_talloc(tmp_ctx,
2671 CH_UNIX, CH_UTF16,
2672 pwd, strlen(pwd),
2673 (void *)&new_utf16.data,
2674 &new_utf16.length);
2675 if (!ok) {
2676 DEBUG(0, ("Failed to generate new_utf16 password for domain %s\n",
2677 domain));
2678 TALLOC_FREE(tmp_ctx);
2679 ldb_transaction_cancel(state->ldb);
2680 return false;
2681 }
2682
2683 if (new_utf16.length < 28) {
2684 DEBUG(0, ("new_utf16[%zu] version[%u] for domain %s to short.\n",
2685 new_utf16.length,
2686 (unsigned)new_version,
2687 domain));
2688 TALLOC_FREE(tmp_ctx);
2689 ldb_transaction_cancel(state->ldb);
2690 return false;
2691 }
2692 if (new_utf16.length > 498) {
2693 DEBUG(0, ("new_utf16[%zu] version[%u] for domain %s to long.\n",
2694 new_utf16.length,
2695 (unsigned)new_version,
2696 domain));
2697 TALLOC_FREE(tmp_ctx);
2698 ldb_transaction_cancel(state->ldb);
2699 return false;
2700 }
2701
2702 new_blob.count = MAX(old_blob.current.count, 2);
2703 new_blob.current.array = talloc_zero_array(tmp_ctx,
2704 struct AuthenticationInformation,
2705 new_blob.count);
2706 if (new_blob.current.array == NULL) {
2707 DEBUG(0, ("talloc_zero_array(%u) failed\n",
2708 (unsigned)new_blob.count));
2709 TALLOC_FREE(tmp_ctx);
2710 ldb_transaction_cancel(state->ldb);
2711 return false;
2712 }
2713 new_blob.previous.array = talloc_zero_array(tmp_ctx,
2714 struct AuthenticationInformation,
2715 new_blob.count);
2716 if (new_blob.current.array == NULL) {
2717 DEBUG(0, ("talloc_zero_array(%u) failed\n",
2718 (unsigned)new_blob.count));
2719 TALLOC_FREE(tmp_ctx);
2720 ldb_transaction_cancel(state->ldb);
2721 return false;
2722 }
2723
2724 for (i = 0; i < old_blob.current.count; i++) {
2725 struct AuthenticationInformation *o =
2726 &old_blob.current.array[i];
2727 struct AuthenticationInformation *p =
2728 &new_blob.previous.array[i];
2729
2730 *p = *o;
2731 new_blob.previous.count++;
2732 }
2733 for (; i < new_blob.count; i++) {
2734 struct AuthenticationInformation *pi =
2735 &new_blob.previous.array[i];
2736
2737 if (i == 0) {
2738 /*
2739 * new_blob.previous is still empty so
2740 * we'll do new_blob.previous = new_blob.current
2741 * below.
2742 */
2743 break;
2744 }
2745
2746 pi->LastUpdateTime = now;
2747 pi->AuthType = TRUST_AUTH_TYPE_NONE;
2748 new_blob.previous.count++;
2749 }
2750
2751 for (i = 0; i < new_blob.count; i++) {
2752 struct AuthenticationInformation *ci =
2753 &new_blob.current.array[i];
2754
2755 ci->LastUpdateTime = now;
2756 switch (i) {
2757 case 0:
2758 ci->AuthType = TRUST_AUTH_TYPE_CLEAR;
2759 ci->AuthInfo.clear.size = new_utf16.length;
2760 ci->AuthInfo.clear.password = new_utf16.data;
2761 break;
2762 case 1:
2763 ci->AuthType = TRUST_AUTH_TYPE_VERSION;
2764 ci->AuthInfo.version.version = new_version;
2765 break;
2766 default:
2767 ci->AuthType = TRUST_AUTH_TYPE_NONE;
2768 break;
2769 }
2770
2771 new_blob.current.count++;
2772 }
2773
2774 if (new_blob.previous.count == 0) {
2775 TALLOC_FREE(new_blob.previous.array);
2776 new_blob.previous = new_blob.current;
2777 }
2778
2779 ndr_err = ndr_push_struct_blob(&new_val, tmp_ctx, &new_blob,
2780 (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
2781 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2782 DEBUG(0, ("Failed to generate trustAuthOutgoing for "
2783 "trusted domain password for %s: %s.\n",
2784 domain, ndr_map_error2string(ndr_err)));
2785 TALLOC_FREE(tmp_ctx);
2786 ldb_transaction_cancel(state->ldb);
2787 return false;
2788 }
2789
2790 msg->num_elements = 0;
2791 ret = ldb_msg_append_value(msg, "trustAuthOutgoing",
2792 &new_val, LDB_FLAG_MOD_REPLACE);
2793 if (ret != LDB_SUCCESS) {
2794 DEBUG(0, ("ldb_msg_append_value() failed\n"));
2795 TALLOC_FREE(tmp_ctx);
2796 ldb_transaction_cancel(state->ldb);
2797 return false;
2798 }
2799
2800 ret = ldb_modify(state->ldb, msg);
2801 if (ret != LDB_SUCCESS) {
2802 DEBUG(0, ("Failed to replace trustAuthOutgoing for "
2803 "trusted domain password for %s: %s - %s\n",
2804 domain, ldb_strerror(ret), ldb_errstring(state->ldb)));
2805 TALLOC_FREE(tmp_ctx);
2806 ldb_transaction_cancel(state->ldb);
2807 return false;
2808 }
2809
2810 ret = ldb_transaction_commit(state->ldb);
2811 if (ret != LDB_SUCCESS) {
2812 DEBUG(0, ("Failed to commit trustAuthOutgoing for "
2813 "trusted domain password for %s: %s - %s\n",
2814 domain, ldb_strerror(ret), ldb_errstring(state->ldb)));
2815 TALLOC_FREE(tmp_ctx);
2816 return false;
2817 }
2818
2819 DEBUG(1, ("Added new_version[%u] to trustAuthOutgoing for "
2820 "trusted domain password for %s.\n",
2821 (unsigned)new_version, domain));
2822 TALLOC_FREE(tmp_ctx);
2823 return true;
2824 }
2825
2826 static bool pdb_samba_dsdb_del_trusteddom_pw(struct pdb_methods *m,
2827 const char *domain)
2828 {
2829 return false;
2830 }
2831
2832 static NTSTATUS pdb_samba_dsdb_enum_trusteddoms(struct pdb_methods *m,
2833 TALLOC_CTX *mem_ctx,
2834 uint32_t *_num_domains,
2835 struct trustdom_info ***_domains)
2836 {
2837 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2838 m->private_data, struct pdb_samba_dsdb_state);
2839 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2840 const char * const attrs[] = {
2841 "securityIdentifier",
2842 "flatName",
2843 "trustDirection",
2844 NULL
2845 };
2846 struct ldb_result *res = NULL;
2847 unsigned int i;
2848 struct trustdom_info **domains = NULL;
2849 NTSTATUS status;
2850 uint32_t di = 0;
2851
2852 *_num_domains = 0;
2853 *_domains = NULL;
2854
2855 status = dsdb_trust_search_tdos(state->ldb, NULL,
2856 attrs, tmp_ctx, &res);
2857 if (!NT_STATUS_IS_OK(status)) {
2858 DBG_ERR("dsdb_trust_search_tdos() - %s ", nt_errstr(status));
2859 TALLOC_FREE(tmp_ctx);
2860 return status;
2861 }
2862
2863 if (res->count == 0) {
2864 TALLOC_FREE(tmp_ctx);
2865 return NT_STATUS_OK;
2866 }
2867
2868 domains = talloc_zero_array(tmp_ctx, struct trustdom_info *,
2869 res->count);
2870 if (domains == NULL) {
2871 TALLOC_FREE(tmp_ctx);
2872 return NT_STATUS_NO_MEMORY;
2873 }
2874
2875 for (i = 0; i < res->count; i++) {
2876 struct ldb_message *msg = res->msgs[i];
2877 struct trustdom_info *d = NULL;
2878 const char *name = NULL;
2879 struct dom_sid *sid = NULL;
2880 uint32_t direction;
2881
2882 d = talloc_zero(domains, struct trustdom_info);
2883 if (d == NULL) {
2884 TALLOC_FREE(tmp_ctx);
2885 return NT_STATUS_NO_MEMORY;
2886 }
2887
2888 name = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
2889 if (name == NULL) {
2890 TALLOC_FREE(tmp_ctx);
2891 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2892 }
2893 sid = samdb_result_dom_sid(msg, msg, "securityIdentifier");
2894 if (sid == NULL) {
2895 continue;
2896 }
2897
2898 direction = ldb_msg_find_attr_as_uint(msg, "trustDirection", 0);
2899 if (!(direction & LSA_TRUST_DIRECTION_OUTBOUND)) {
2900 continue;
2901 }
2902
2903 d->name = talloc_strdup(d, name);
2904 if (d->name == NULL) {
2905 TALLOC_FREE(tmp_ctx);
2906 return NT_STATUS_NO_MEMORY;
2907 }
2908 d->sid = *sid;
2909
2910 domains[di++] = d;
2911 }
2912
2913 domains = talloc_realloc(domains, domains, struct trustdom_info *, di);
2914 *_domains = talloc_move(mem_ctx, &domains);
2915 *_num_domains = di;
2916 TALLOC_FREE(tmp_ctx);
2917 return NT_STATUS_OK;
2918 }
2919
2920 static NTSTATUS pdb_samba_dsdb_msg_to_trusted_domain(const struct ldb_message *msg,
2921 TALLOC_CTX *mem_ctx,
2922 struct pdb_trusted_domain **_d)
2923 {
2924 struct pdb_trusted_domain *d = NULL;
2925 const char *str = NULL;
2926 struct dom_sid *sid = NULL;
2927 const struct ldb_val *val = NULL;
2928 uint64_t val64;
2929
2930 *_d = NULL;
2931
2932 d = talloc_zero(mem_ctx, struct pdb_trusted_domain);
2933 if (d == NULL) {
2934 return NT_STATUS_NO_MEMORY;
2935 }
2936
2937 str = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
2938 if (str == NULL) {
2939 TALLOC_FREE(d);
2940 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2941 }
2942 d->netbios_name = talloc_strdup(d, str);
2943 if (d->netbios_name == NULL) {
2944 TALLOC_FREE(d);
2945 return NT_STATUS_NO_MEMORY;
2946 }
2947
2948 str = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
2949 if (str != NULL) {
2950 d->domain_name = talloc_strdup(d, str);
2951 if (d->domain_name == NULL) {
2952 TALLOC_FREE(d);
2953 return NT_STATUS_NO_MEMORY;
2954 }
2955 }
2956
2957 sid = samdb_result_dom_sid(d, msg, "securityIdentifier");
2958 if (sid != NULL) {
2959 d->security_identifier = *sid;
2960 TALLOC_FREE(sid);
2961 }
2962
2963 val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
2964 if (val != NULL) {
2965 d->trust_auth_outgoing = data_blob_dup_talloc(d, *val);
2966 if (d->trust_auth_outgoing.data == NULL) {
2967 TALLOC_FREE(d);
2968 return NT_STATUS_NO_MEMORY;
2969 }
2970 }
2971 val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
2972 if (val != NULL) {
2973 d->trust_auth_incoming = data_blob_dup_talloc(d, *val);
2974 if (d->trust_auth_incoming.data == NULL) {
2975 TALLOC_FREE(d);
2976 return NT_STATUS_NO_MEMORY;
2977 }
2978 }
2979
2980 d->trust_direction = ldb_msg_find_attr_as_uint(msg, "trustDirection", 0);
2981 d->trust_type = ldb_msg_find_attr_as_uint(msg, "trustType", 0);
2982 d->trust_attributes = ldb_msg_find_attr_as_uint(msg, "trustAttributes", 0);
2983
2984 val64 = ldb_msg_find_attr_as_uint64(msg, "trustPosixOffset", UINT64_MAX);
2985 if (val64 != UINT64_MAX) {
2986 d->trust_posix_offset = talloc(d, uint32_t);
2987 if (d->trust_posix_offset == NULL) {
2988 TALLOC_FREE(d);
2989 return NT_STATUS_NO_MEMORY;
2990 }
2991 *d->trust_posix_offset = (uint32_t)val64;
2992 }
2993
2994 val64 = ldb_msg_find_attr_as_uint64(msg, "msDS-SupportedEncryptionTypes", UINT64_MAX);
2995 if (val64 != UINT64_MAX) {
2996 d->supported_enc_type = talloc(d, uint32_t);
2997 if (d->supported_enc_type == NULL) {
2998 TALLOC_FREE(d);
2999 return NT_STATUS_NO_MEMORY;
3000 }
3001 *d->supported_enc_type = (uint32_t)val64;
3002 }
3003
3004 val = ldb_msg_find_ldb_val(msg, "msDS-TrustForestTrustInfo");
3005 if (val != NULL) {
3006 d->trust_forest_trust_info = data_blob_dup_talloc(d, *val);
3007 if (d->trust_forest_trust_info.data == NULL) {
3008 TALLOC_FREE(d);
3009 return NT_STATUS_NO_MEMORY;
3010 }
3011 }
3012
3013 *_d = d;
3014 return NT_STATUS_OK;
3015 }
3016
3017 static NTSTATUS pdb_samba_dsdb_get_trusted_domain(struct pdb_methods *m,
3018 TALLOC_CTX *mem_ctx,
3019 const char *domain,
3020 struct pdb_trusted_domain **td)
3021 {
3022 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
3023 m->private_data, struct pdb_samba_dsdb_state);
3024 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3025 const char * const attrs[] = {
3026 "securityIdentifier",
3027 "flatName",
3028 "trustPartner",
3029 "trustAuthOutgoing",
3030 "trustAuthIncoming",
3031 "trustAttributes",
3032 "trustDirection",
3033 "trustType",
3034 "trustPosixOffset",
3035 "msDS-SupportedEncryptionTypes",
3036 "msDS-TrustForestTrustInfo",
3037 NULL
3038 };
3039 struct ldb_message *msg = NULL;
3040 struct pdb_trusted_domain *d = NULL;
3041 NTSTATUS status;
3042
3043 status = dsdb_trust_search_tdo(state->ldb, domain, NULL,
3044 attrs, tmp_ctx, &msg);
3045 if (!NT_STATUS_IS_OK(status)) {
3046 DBG_ERR("dsdb_trust_search_tdo(%s) - %s ",
3047 domain, nt_errstr(status));
3048 TALLOC_FREE(tmp_ctx);
3049 return status;
3050 }
3051
3052 status = pdb_samba_dsdb_msg_to_trusted_domain(msg, mem_ctx, &d);
3053 if (!NT_STATUS_IS_OK(status)) {
3054 DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s ",
3055 domain, nt_errstr(status));
3056 TALLOC_FREE(tmp_ctx);
3057 return status;
3058 }
3059
3060 *td = d;
3061 TALLOC_FREE(tmp_ctx);
3062 return NT_STATUS_OK;
3063 }
3064
3065 static NTSTATUS pdb_samba_dsdb_get_trusted_domain_by_sid(struct pdb_methods *m,
3066 TALLOC_CTX *mem_ctx,
3067 struct dom_sid *sid,
3068 struct pdb_trusted_domain **td)
3069 {
3070 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
3071 m->private_data, struct pdb_samba_dsdb_state);
3072 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3073 const char * const attrs[] = {
3074 "securityIdentifier",
3075 "flatName",
3076 "trustPartner",
3077 "trustAuthOutgoing",
3078 "trustAuthIncoming",
3079 "trustAttributes",
3080 "trustDirection",
3081 "trustType",
3082 "trustPosixOffset",
3083 "msDS-SupportedEncryptionTypes",
3084 "msDS-TrustForestTrustInfo",
3085 NULL
3086 };
3087 struct ldb_message *msg = NULL;
3088 struct pdb_trusted_domain *d = NULL;
3089 struct dom_sid_buf buf;
3090 NTSTATUS status;
3091
3092 status = dsdb_trust_search_tdo_by_sid(state->ldb, sid,
3093 attrs, tmp_ctx, &msg);
3094 if (!NT_STATUS_IS_OK(status)) {
3095 DBG_ERR("dsdb_trust_search_tdo_by_sid(%s) - %s ",
3096 dom_sid_str_buf(sid, &buf),
3097 nt_errstr(status));
3098 TALLOC_FREE(tmp_ctx);
3099 return status;
3100 }
3101
3102 status = pdb_samba_dsdb_msg_to_trusted_domain(msg, mem_ctx, &d);
3103 if (!NT_STATUS_IS_OK(status)) {
3104 DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s ",
3105 dom_sid_str_buf(sid, &buf),
3106 nt_errstr(status));
3107 TALLOC_FREE(tmp_ctx);
3108 return status;
3109 }
3110
3111 *td = d;
3112 TALLOC_FREE(tmp_ctx);
3113 return NT_STATUS_OK;
3114 }
3115
3116 static NTSTATUS add_trust_user(TALLOC_CTX *mem_ctx,
3117 struct ldb_context *sam_ldb,
3118 struct ldb_dn *base_dn,
3119 const char *netbios_name,
3120 struct trustAuthInOutBlob *taiob)
3121 {
3122 struct ldb_request *req = NULL;
3123 struct ldb_message *msg = NULL;
3124 struct ldb_dn *dn = NULL;
3125 uint32_t i;
3126 int ret;
3127 bool ok;
3128
3129 dn = ldb_dn_copy(mem_ctx, base_dn);
3130 if (dn == NULL) {
3131 return NT_STATUS_NO_MEMORY;
3132 }
3133 ok = ldb_dn_add_child_fmt(dn, "cn=%s$,cn=users", netbios_name);
3134 if (!ok) {
3135 return NT_STATUS_NO_MEMORY;
3136 }
3137
3138 msg = ldb_msg_new(mem_ctx);
3139 if (msg == NULL) {
3140 return NT_STATUS_NO_MEMORY;
3141 }
3142 msg->dn = dn;
3143
3144 ret = ldb_msg_add_string(msg, "objectClass", "user");
3145 if (ret != LDB_SUCCESS) {
3146 return NT_STATUS_NO_MEMORY;
3147 }
3148
3149 ret = ldb_msg_add_fmt(msg, "samAccountName", "%s$", netbios_name);
3150 if (ret != LDB_SUCCESS) {
3151 return NT_STATUS_NO_MEMORY;
3152 }
3153
3154 ret = samdb_msg_add_uint(sam_ldb, msg, msg, "userAccountControl",
3155 UF_INTERDOMAIN_TRUST_ACCOUNT);
3156 if (ret != LDB_SUCCESS) {
3157 return NT_STATUS_NO_MEMORY;
3158 }
3159
3160 for (i = 0; i < taiob->count; i++) {
3161 struct AuthenticationInformation *auth_info =
3162 &taiob->current.array[i];
3163 const char *attribute = NULL;
3164 struct ldb_val v;
3165
3166 switch (taiob->current.array[i].AuthType) {
3167 case TRUST_AUTH_TYPE_NT4OWF:
3168 attribute = "unicodePwd";
3169 v.data = (uint8_t *)&auth_info->AuthInfo.nt4owf.password;
3170 v.length = 16;
3171 break;
3172
3173 case TRUST_AUTH_TYPE_CLEAR:
3174 attribute = "clearTextPassword";
3175 v.data = auth_info->AuthInfo.clear.password;
3176 v.length = auth_info->AuthInfo.clear.size;
3177 break;
3178
3179 default:
3180 continue;
3181 }
3182
3183 ret = ldb_msg_add_value(msg, attribute, &v, NULL);
3184 if (ret != LDB_SUCCESS) {
3185 return NT_STATUS_NO_MEMORY;
3186 }
3187 }
3188
3189 /* create the trusted_domain user account */
3190 ret = ldb_build_add_req(&req, sam_ldb, mem_ctx, msg, NULL, NULL,
3191 ldb_op_default_callback, NULL);
3192 if (ret != LDB_SUCCESS) {
3193 return NT_STATUS_NO_MEMORY;
3194 }
3195
3196 ret = ldb_request_add_control(
3197 req, DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID,
3198 false, NULL);
3199 if (ret != LDB_SUCCESS) {
3200 return NT_STATUS_NO_MEMORY;
3201 }
3202
3203 ret = dsdb_autotransaction_request(sam_ldb, req);
3204 if (ret != LDB_SUCCESS) {
3205 DEBUG(0,("Failed to create user record %s: %s\n",
3206 ldb_dn_get_linearized(msg->dn),
3207 ldb_errstring(sam_ldb)));
3208
3209 switch (ret) {
3210 case LDB_ERR_ENTRY_ALREADY_EXISTS:
3211 return NT_STATUS_DOMAIN_EXISTS;
3212 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
3213 return NT_STATUS_ACCESS_DENIED;
3214 default:
3215 return NT_STATUS_INTERNAL_DB_CORRUPTION;
3216 }
3217 }
3218
3219 return NT_STATUS_OK;
3220 }
3221
3222 static NTSTATUS pdb_samba_dsdb_set_trusted_domain(struct pdb_methods *methods,
3223 const char* domain,
3224 const struct pdb_trusted_domain *td)
3225 {
3226 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
3227 methods->private_data, struct pdb_samba_dsdb_state);
3228 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3229 bool in_txn = false;
3230 struct ldb_dn *base_dn = NULL;
3231 struct ldb_message *msg = NULL;
3232 const char *attrs[] = {
3233 NULL
3234 };
3235 char *netbios_encoded = NULL;
3236 char *dns_encoded = NULL;
3237 char *sid_encoded = NULL;
3238 int ret;
3239 struct trustAuthInOutBlob taiob;
3240 enum ndr_err_code ndr_err;
3241 NTSTATUS status;
3242 bool ok;
3243
3244 base_dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->ldb));
3245 if (base_dn == NULL) {
3246 TALLOC_FREE(tmp_ctx);
3247 status = NT_STATUS_NO_MEMORY;
3248 goto out;
3249 }
3250 /*
3251 * We expect S-1-5-21-A-B-C, but we don't
3252 * allow S-1-5-21-0-0-0 as this is used
3253 * for claims and compound identities.
3254 */
3255 ok = dom_sid_is_valid_account_domain(&td->security_identifier);
3256 if (!ok) {
3257 status = NT_STATUS_INVALID_PARAMETER;
3258 goto out;
3259 }
3260
3261 if (strequal(td->netbios_name, "BUILTIN")) {
3262 status = NT_STATUS_INVALID_PARAMETER;
3263 goto out;
3264 }
3265 if (strequal(td->domain_name, "BUILTIN")) {
3266 status = NT_STATUS_INVALID_PARAMETER;
3267 goto out;
3268 }
3269
3270 dns_encoded = ldb_binary_encode_string(tmp_ctx, td->domain_name);
3271 if (dns_encoded == NULL) {
3272 status = NT_STATUS_NO_MEMORY;
3273 goto out;
3274 }
3275 netbios_encoded = ldb_binary_encode_string(tmp_ctx, td->netbios_name);
3276 if (netbios_encoded == NULL) {
3277 status =NT_STATUS_NO_MEMORY;
3278 goto out;
3279 }
3280 sid_encoded = ldap_encode_ndr_dom_sid(tmp_ctx, &td->security_identifier);
3281 if (sid_encoded == NULL) {
3282 status = NT_STATUS_NO_MEMORY;
3283 goto out;
3284 }
3285
3286 ok = samdb_is_pdc(state->ldb);
3287 if (!ok) {
3288 DBG_ERR("Adding TDO is only allowed on a PDC.\n");
3289 TALLOC_FREE(tmp_ctx);
3290 status = NT_STATUS_INVALID_DOMAIN_ROLE;
3291 goto out;
3292 }
3293
3294 status = dsdb_trust_search_tdo(state->ldb,
3295 td->netbios_name,
3296 td->domain_name,
3297 attrs,
3298 tmp_ctx,
3299 &msg);
3300 if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
3301 DBG_ERR("dsdb_trust_search_tdo returned %s\n",
3302 nt_errstr(status));
3303 status = NT_STATUS_INVALID_DOMAIN_STATE;
3304 goto out;
3305 }
3306
3307 ret = ldb_transaction_start(state->ldb);
3308 if (ret != LDB_SUCCESS) {
3309 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
3310 goto out;
3311 }
3312 in_txn = true;
3313
3314 msg = ldb_msg_new(tmp_ctx);
3315 if (msg == NULL) {
3316 status = NT_STATUS_NO_MEMORY;
3317 goto out;
3318 }
3319
3320 msg->dn = samdb_system_container_dn(state->ldb, tmp_ctx);
3321 if (msg->dn == NULL) {
3322 status = NT_STATUS_NO_MEMORY;
3323 goto out;
3324 }
3325
3326 ok = ldb_dn_add_child_fmt(msg->dn, "cn=%s", td->domain_name);
3327 if (!ok) {
3328 status = NT_STATUS_NO_MEMORY;
3329 goto out;
3330 }
3331
3332 ret = ldb_msg_add_string(msg, "objectClass", "trustedDomain");
3333 if (ret != LDB_SUCCESS) {
3334 status = NT_STATUS_NO_MEMORY;
3335 goto out;
3336 }
3337
3338 ret = ldb_msg_add_string(msg, "flatname", td->netbios_name);
3339 if (ret != LDB_SUCCESS) {
3340 status = NT_STATUS_NO_MEMORY;
3341 goto out;
3342 }
3343
3344 ret = ldb_msg_add_string(msg, "trustPartner", td->domain_name);
3345 if (ret != LDB_SUCCESS) {
3346 status = NT_STATUS_NO_MEMORY;
3347 goto out;
3348 }
3349
3350 ret = samdb_msg_add_dom_sid(state->ldb,
3351 tmp_ctx,
3352 msg,
3353 "securityIdentifier",
3354 &td->security_identifier);
3355 if (ret != LDB_SUCCESS) {
3356 status = NT_STATUS_NO_MEMORY;
3357 goto out;
3358 }
3359
3360 ret = samdb_msg_add_int(state->ldb,
3361 tmp_ctx,
3362 msg,
3363 "trustType",
3364 td->trust_type);
3365 if (ret != LDB_SUCCESS) {
3366 status = NT_STATUS_NO_MEMORY;
3367 goto out;
3368 }
3369
3370 ret = samdb_msg_add_int(state->ldb,
3371 tmp_ctx,
3372 msg,
3373 "trustAttributes",
3374 td->trust_attributes);
3375 if (ret != LDB_SUCCESS) {
3376 status =NT_STATUS_NO_MEMORY;
3377 goto out;
3378 }
3379
3380 ret = samdb_msg_add_int(state->ldb,
3381 tmp_ctx,
3382 msg,
3383 "trustDirection",
3384 td->trust_direction);
3385 if (ret != LDB_SUCCESS) {
3386 status = NT_STATUS_NO_MEMORY;
3387 goto out;
3388 }
3389
3390 if (td->trust_auth_incoming.data != NULL) {
3391 ret = ldb_msg_add_value(msg,
3392 "trustAuthIncoming",
3393 &td->trust_auth_incoming,
3394 NULL);
3395 if (ret != LDB_SUCCESS) {
3396 status = NT_STATUS_NO_MEMORY;
3397 goto out;
3398 }
3399 }
3400 if (td->trust_auth_outgoing.data != NULL) {
3401 ret = ldb_msg_add_value(msg,
3402 "trustAuthOutgoing",
3403 &td->trust_auth_outgoing,
3404 NULL);
3405 if (ret != LDB_SUCCESS) {
3406 status = NT_STATUS_NO_MEMORY;
3407 goto out;
3408 }
3409 }
3410
3411 /* create the trusted_domain */
3412 ret = ldb_add(state->ldb, msg);
3413 switch (ret) {
3414 case LDB_SUCCESS:
3415 break;
3416
3417 case LDB_ERR_ENTRY_ALREADY_EXISTS:
3418 DBG_ERR("Failed to create trusted domain record %s: %s\n",
3419 ldb_dn_get_linearized(msg->dn),
3420 ldb_errstring(state->ldb));
3421 status = NT_STATUS_DOMAIN_EXISTS;
3422 goto out;
3423
3424 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
3425 DBG_ERR("Failed to create trusted domain record %s: %s\n",
3426 ldb_dn_get_linearized(msg->dn),
3427 ldb_errstring(state->ldb));
3428 status = NT_STATUS_ACCESS_DENIED;
3429 goto out;
3430
3431 default:
3432 DBG_ERR("Failed to create trusted domain record %s: %s\n",
3433 ldb_dn_get_linearized(msg->dn),
3434 ldb_errstring(state->ldb));
3435 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
3436 goto out;
3437 }
3438
3439 ndr_err = ndr_pull_struct_blob(
3440 &td->trust_auth_outgoing,
3441 tmp_ctx,
3442 &taiob,
3443 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
3444 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3445 status = ndr_map_error2ntstatus(ndr_err);
3446 goto out;
3447 }
3448
3449 if (td->trust_direction == LSA_TRUST_DIRECTION_INBOUND) {
3450 status = add_trust_user(tmp_ctx,
3451 state->ldb,
3452 base_dn,
3453 td->netbios_name,
3454 &taiob);
3455 if (!NT_STATUS_IS_OK(status)) {
3456 goto out;
3457 }
3458 }
3459
3460 ret = ldb_transaction_commit(state->ldb);
3461 if (ret != LDB_SUCCESS) {
3462 return NT_STATUS_INTERNAL_DB_CORRUPTION;
3463 }
3464 in_txn = false;
3465
3466 /*
3467 * TODO: Notify winbindd that we have a new trust
3468 */
3469
3470 status = NT_STATUS_OK;
3471
3472 out:
3473 if (in_txn) {
3474 ldb_transaction_cancel(state->ldb);
3475 }
3476 TALLOC_FREE(tmp_ctx);
3477 return status;
3478 }
3479
3480 static NTSTATUS delete_trust_user(TALLOC_CTX *mem_ctx,
3481 struct pdb_samba_dsdb_state *state,
3482 const char *trust_user)
3483 {
3484 const char *attrs[] = { "userAccountControl", NULL };
3485 struct ldb_message **msgs;
3486 uint32_t uac;
3487 int ret;
3488
3489 ret = gendb_search(state->ldb,
3490 mem_ctx,
3491 ldb_get_default_basedn(state->ldb),
3492 &msgs,
3493 attrs,
3494 "samAccountName=%s$",
3495 trust_user);
3496 if (ret > 1) {
3497 return NT_STATUS_INTERNAL_DB_CORRUPTION;
3498 }
3499
3500 if (ret == 0) {
3501 return NT_STATUS_OK;
3502 }
3503
3504 uac = ldb_msg_find_attr_as_uint(msgs[0],
3505 "userAccountControl",
3506 0);
3507 if (!(uac & UF_INTERDOMAIN_TRUST_ACCOUNT)) {
3508 return NT_STATUS_OBJECT_NAME_COLLISION;
3509 }
3510
3511 ret = ldb_delete(state->ldb, msgs[0]->dn);
3512 switch (ret) {
3513 case LDB_SUCCESS:
3514 break;
3515 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
3516 return NT_STATUS_ACCESS_DENIED;
3517 default:
3518 return NT_STATUS_INTERNAL_DB_CORRUPTION;
3519 }
3520
3521 return NT_STATUS_OK;
3522 }
3523
3524 static NTSTATUS pdb_samba_dsdb_del_trusted_domain(struct pdb_methods *methods,
3525 const char *domain)
3526 {
3527 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
3528 methods->private_data, struct pdb_samba_dsdb_state);
3529 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3530 struct pdb_trusted_domain *td = NULL;
3531 struct ldb_dn *tdo_dn = NULL;
3532 bool in_txn = false;
3533 NTSTATUS status;
3534 int ret;
3535 bool ok;
3536
3537 status = pdb_samba_dsdb_get_trusted_domain(methods,
3538 tmp_ctx,
3539 domain,
3540 &td);
3541 if (!NT_STATUS_IS_OK(status)) {
3542 if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
3543 DBG_ERR("Searching TDO for %s returned %s\n",
3544 domain, nt_errstr(status));
3545 return status;
3546 }
3547 DBG_NOTICE("No TDO object for %s\n", domain);
3548 return NT_STATUS_OK;
3549 }
3550
3551 tdo_dn = samdb_system_container_dn(state->ldb, tmp_ctx);
3552 if (tdo_dn == NULL) {
3553 status = NT_STATUS_NO_MEMORY;
3554 goto out;
3555 }
3556
3557 ok = ldb_dn_add_child_fmt(tdo_dn, "cn=%s", domain);
3558 if (!ok) {
3559 TALLOC_FREE(tmp_ctx);
3560 status = NT_STATUS_NO_MEMORY;
3561 goto out;
3562 }
3563
3564 ret = ldb_transaction_start(state->ldb);
3565 if (ret != LDB_SUCCESS) {
3566 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
3567 goto out;
3568 }
3569 in_txn = true;
3570
3571 ret = ldb_delete(state->ldb, tdo_dn);
3572 if (ret != LDB_SUCCESS) {
3573 status = NT_STATUS_INVALID_HANDLE;
3574 goto out;
3575 }
3576
3577 if (td->trust_direction == LSA_TRUST_DIRECTION_INBOUND) {
3578 status = delete_trust_user(tmp_ctx, state, domain);
3579 if (!NT_STATUS_IS_OK(status)) {
3580 goto out;
3581 }
3582 }
3583
3584 ret = ldb_transaction_commit(state->ldb);
3585 if (ret != LDB_SUCCESS) {
3586 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
3587 goto out;
3588 }
3589 in_txn = false;
3590
3591 status = NT_STATUS_OK;
3592
3593 out:
3594 if (in_txn) {
3595 ldb_transaction_cancel(state->ldb);
3596 }
3597 TALLOC_FREE(tmp_ctx);
3598
3599 return status;
3600 }
3601
3602 static NTSTATUS pdb_samba_dsdb_enum_trusted_domains(struct pdb_methods *m,
3603 TALLOC_CTX *mem_ctx,
3604 uint32_t *_num_domains,
3605 struct pdb_trusted_domain ***_domains)
3606 {
3607 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
3608 m->private_data, struct pdb_samba_dsdb_state);
3609 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3610 const char * const attrs[] = {
3611 "securityIdentifier",
3612 "flatName",
3613 "trustPartner",
3614 "trustAuthOutgoing",
3615 "trustAuthIncoming",
3616 "trustAttributes",
3617 "trustDirection",
3618 "trustType",
3619 "trustPosixOffset",
3620 "msDS-SupportedEncryptionTypes",
3621 "msDS-TrustForestTrustInfo",
3622 NULL
3623 };
3624 struct ldb_result *res = NULL;
3625 unsigned int i;
3626 struct pdb_trusted_domain **domains = NULL;
3627 NTSTATUS status;
3628 uint32_t di = 0;
3629
3630 *_num_domains = 0;
3631 *_domains = NULL;
3632
3633 status = dsdb_trust_search_tdos(state->ldb, NULL,
3634 attrs, tmp_ctx, &res);
3635 if (!NT_STATUS_IS_OK(status)) {
3636 DBG_ERR("dsdb_trust_search_tdos() - %s ", nt_errstr(status));
3637 TALLOC_FREE(tmp_ctx);
3638 return status;
3639 }
3640
3641 if (res->count == 0) {
3642 TALLOC_FREE(tmp_ctx);
3643 return NT_STATUS_OK;
3644 }
3645
3646 domains = talloc_zero_array(tmp_ctx, struct pdb_trusted_domain *,
3647 res->count);
3648 if (domains == NULL) {
3649 TALLOC_FREE(tmp_ctx);
3650 return NT_STATUS_NO_MEMORY;
3651 }
3652
3653 for (i = 0; i < res->count; i++) {
3654 struct ldb_message *msg = res->msgs[i];
3655 struct pdb_trusted_domain *d = NULL;
3656
3657 status = pdb_samba_dsdb_msg_to_trusted_domain(msg, domains, &d);
3658 if (!NT_STATUS_IS_OK(status)) {
3659 DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain() - %s ",
3660 nt_errstr(status));
3661 TALLOC_FREE(tmp_ctx);
3662 return status;
3663 }
3664
3665 domains[di++] = d;
3666 }
3667
3668 domains = talloc_realloc(domains, domains, struct pdb_trusted_domain *,
3669 di);
3670 *_domains = talloc_move(mem_ctx, &domains);
3671 *_num_domains = di;
3672 TALLOC_FREE(tmp_ctx);
3673 return NT_STATUS_OK;
3674 }
3675
3676 static bool pdb_samba_dsdb_is_responsible_for_wellknown(struct pdb_methods *m)
3677 {
3678 return true;
3679 }
3680
3681 static bool pdb_samba_dsdb_is_responsible_for_everything_else(struct pdb_methods *m)
3682 {
3683 return true;
3684 }
3685
3686 static void pdb_samba_dsdb_init_methods(struct pdb_methods *m)
3687 {
3688 m->name = "samba_dsdb";
3689 m->get_domain_info = pdb_samba_dsdb_get_domain_info;
3690 m->getsampwnam = pdb_samba_dsdb_getsampwnam;
3691 m->getsampwsid = pdb_samba_dsdb_getsampwsid;
3692 m->create_user = pdb_samba_dsdb_create_user;
3693 m->delete_user = pdb_samba_dsdb_delete_user;
3694 m->add_sam_account = pdb_samba_dsdb_add_sam_account;
3695 m->update_sam_account = pdb_samba_dsdb_update_sam_account;
3696 m->delete_sam_account = pdb_samba_dsdb_delete_sam_account;
3697 m->rename_sam_account = pdb_samba_dsdb_rename_sam_account;
3698 m->update_login_attempts = pdb_samba_dsdb_update_login_attempts;
3699 m->getgrsid = pdb_samba_dsdb_getgrsid;
3700 m->getgrgid = pdb_samba_dsdb_getgrgid;
3701 m->getgrnam = pdb_samba_dsdb_getgrnam;
3702 m->create_dom_group = pdb_samba_dsdb_create_dom_group;
3703 m->delete_dom_group = pdb_samba_dsdb_delete_dom_group;
3704 m->add_group_mapping_entry = pdb_samba_dsdb_add_group_mapping_entry;
3705 m->update_group_mapping_entry = pdb_samba_dsdb_update_group_mapping_entry;
3706 m->delete_group_mapping_entry = pdb_samba_dsdb_delete_group_mapping_entry;
3707 m->enum_group_mapping = pdb_samba_dsdb_enum_group_mapping;
3708 m->enum_group_members = pdb_samba_dsdb_enum_group_members;
3709 m->enum_group_memberships = pdb_samba_dsdb_enum_group_memberships;
3710 m->set_unix_primary_group = pdb_samba_dsdb_set_unix_primary_group;
3711 m->add_groupmem = pdb_samba_dsdb_add_groupmem;
3712 m->del_groupmem = pdb_samba_dsdb_del_groupmem;
3713 m->create_alias = pdb_samba_dsdb_create_alias;
3714 m->delete_alias = pdb_samba_dsdb_delete_alias;
3715 m->get_aliasinfo = pdb_default_get_aliasinfo;
3716 m->add_aliasmem = pdb_samba_dsdb_add_aliasmem;
3717 m->del_aliasmem = pdb_samba_dsdb_del_aliasmem;
3718 m->enum_aliasmem = pdb_samba_dsdb_enum_aliasmem;
3719 m->enum_alias_memberships = pdb_samba_dsdb_enum_alias_memberships;
3720 m->lookup_rids = pdb_samba_dsdb_lookup_rids;
3721 m->lookup_names = pdb_samba_dsdb_lookup_names;
3722 m->get_account_policy = pdb_samba_dsdb_get_account_policy;
3723 m->set_account_policy = pdb_samba_dsdb_set_account_policy;
3724 m->get_seq_num = pdb_samba_dsdb_get_seq_num;
3725 m->search_users = pdb_samba_dsdb_search_users;
3726 m->search_groups = pdb_samba_dsdb_search_groups;
3727 m->search_aliases = pdb_samba_dsdb_search_aliases;
3728 m->id_to_sid = pdb_samba_dsdb_id_to_sid;
3729 m->sid_to_id = pdb_samba_dsdb_sid_to_id;
3730 m->capabilities = pdb_samba_dsdb_capabilities;
3731 m->new_rid = pdb_samba_dsdb_new_rid;
3732 m->get_trusteddom_pw = pdb_samba_dsdb_get_trusteddom_pw;
3733 m->get_trusteddom_creds = pdb_samba_dsdb_get_trusteddom_creds;
3734 m->set_trusteddom_pw = pdb_samba_dsdb_set_trusteddom_pw;
3735 m->del_trusteddom_pw = pdb_samba_dsdb_del_trusteddom_pw;
3736 m->enum_trusteddoms = pdb_samba_dsdb_enum_trusteddoms;
3737 m->get_trusted_domain = pdb_samba_dsdb_get_trusted_domain;
3738 m->get_trusted_domain_by_sid = pdb_samba_dsdb_get_trusted_domain_by_sid;
3739 m->set_trusted_domain = pdb_samba_dsdb_set_trusted_domain;
3740 m->del_trusted_domain = pdb_samba_dsdb_del_trusted_domain;
3741 m->enum_trusted_domains = pdb_samba_dsdb_enum_trusted_domains;
3742 m->is_responsible_for_wellknown =
3743 pdb_samba_dsdb_is_responsible_for_wellknown;
3744 m->is_responsible_for_everything_else =
3745 pdb_samba_dsdb_is_responsible_for_everything_else;
3746 }
3747
3748 static void free_private_data(void **vp)
3749 {
3750 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
3751 *vp, struct pdb_samba_dsdb_state);
3752 talloc_unlink(state, state->ldb);
3753 return;
3754 }
3755
3756 static NTSTATUS pdb_samba_dsdb_init_secrets(struct pdb_methods *m)
3757 {
3758 struct pdb_domain_info *dom_info;
3759 struct dom_sid stored_sid;
3760 struct GUID stored_guid;
3761 bool sid_exists_and_matches = false;
3762 bool guid_exists_and_matches = false;
3763 bool ret;
3764
3765 dom_info = pdb_samba_dsdb_get_domain_info(m, m);
3766 if (!dom_info) {
3767 return NT_STATUS_UNSUCCESSFUL;
3768 }
3769
3770 ret = secrets_fetch_domain_sid(dom_info->name, &stored_sid);
3771 if (ret) {
3772 if (dom_sid_equal(&stored_sid, &dom_info->sid)) {
3773 sid_exists_and_matches = true;
3774 }
3775 }
3776
3777 if (sid_exists_and_matches == false) {
3778 secrets_clear_domain_protection(dom_info->name);
3779 ret = secrets_store_domain_sid(dom_info->name,
3780 &dom_info->sid);
3781 ret &= secrets_mark_domain_protected(dom_info->name);
3782 if (!ret) {
3783 goto done;
3784 }
3785 }
3786
3787 ret = secrets_fetch_domain_guid(dom_info->name, &stored_guid);
3788 if (ret) {
3789 if (GUID_equal(&stored_guid, &dom_info->guid)) {
3790 guid_exists_and_matches = true;
3791 }
3792 }
3793
3794 if (guid_exists_and_matches == false) {
3795 secrets_clear_domain_protection(dom_info->name);
3796 ret = secrets_store_domain_guid(dom_info->name,
3797 &dom_info->guid);
3798 ret &= secrets_mark_domain_protected(dom_info->name);
3799 if (!ret) {
3800 goto done;
3801 }
3802 }
3803
3804 done:
3805 TALLOC_FREE(dom_info);
3806 if (!ret) {
3807 return NT_STATUS_UNSUCCESSFUL;
3808 }
3809 return NT_STATUS_OK;
3810 }
3811
3812 static NTSTATUS pdb_init_samba_dsdb(struct pdb_methods **pdb_method,
3813 const char *location)
3814 {
3815 struct pdb_methods *m;
3816 struct pdb_samba_dsdb_state *state;
3817 NTSTATUS status;
3818 char *errstring = NULL;
3819 int ret;
3820
3821 if ( !NT_STATUS_IS_OK(status = make_pdb_method( &m )) ) {
3822 return status;
3823 }
3824
3825 state = talloc_zero(m, struct pdb_samba_dsdb_state);
3826 if (state == NULL) {
3827 goto nomem;
3828 }
3829 m->private_data = state;
3830 m->free_private_data = free_private_data;
3831 pdb_samba_dsdb_init_methods(m);
3832
3833 state->ev = s4_event_context_init(state);
3834 if (!state->ev) {
3835 DEBUG(0, ("s4_event_context_init failed\n"));
3836 goto nomem;
3837 }
3838
3839 state->lp_ctx = loadparm_init_s3(state, loadparm_s3_helpers());
3840 if (state->lp_ctx == NULL) {
3841 DEBUG(0, ("loadparm_init_s3 failed\n"));
3842 goto nomem;
3843 }
3844
3845 if (location == NULL) {
3846 location = "sam.ldb";
3847 }
3848
3849 ret = samdb_connect_url(state,
3850 state->ev,
3851 state->lp_ctx,
3852 system_session(state->lp_ctx),
3853 0,
3854 location,
3855 NULL,
3856 &state->ldb,
3857 &errstring);
3858
3859 if (!state->ldb) {
3860 DEBUG(0, ("samdb_connect failed: %s: %s\n",
3861 errstring, ldb_strerror(ret)));
3862 status = NT_STATUS_INTERNAL_ERROR;
3863 goto fail;
3864 }
3865
3866 state->idmap_ctx = idmap_init(state, state->ev,
3867 state->lp_ctx);
3868 if (!state->idmap_ctx) {
3869 DEBUG(0, ("idmap failed\n"));
3870 status = NT_STATUS_INTERNAL_ERROR;
3871 goto fail;
3872 }
3873
3874 status = pdb_samba_dsdb_init_secrets(m);
3875 if (!NT_STATUS_IS_OK(status)) {
3876 DEBUG(10, ("pdb_samba_dsdb_init_secrets failed!\n"));
3877 goto fail;
3878 }
3879
3880 *pdb_method = m;
3881 return NT_STATUS_OK;
3882 nomem:
3883 status = NT_STATUS_NO_MEMORY;
3884 fail:
3885 TALLOC_FREE(m);
3886 return status;
3887 }
3888
3889 NTSTATUS pdb_samba_dsdb_init(TALLOC_CTX *);
3890 NTSTATUS pdb_samba_dsdb_init(TALLOC_CTX *ctx)
3891 {
3892 NTSTATUS status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "samba_dsdb",
3893 pdb_init_samba_dsdb);
3894 if (!NT_STATUS_IS_OK(status)) {
3895 return status;
3896 }
3897 return smb_register_passdb(PASSDB_INTERFACE_VERSION, "samba4",
3898 pdb_init_samba_dsdb);
3899 }
Samba GIT mirror