2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/samr.h"
29 #include "passdb/pdb_ldap.h"
30 #include "passdb/pdb_ipa.h"
31 #include "passdb/pdb_ldap_schema.h"
33 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
34 #define IPA_MAGIC_ID_STR "999"
36 #define LDAP_TRUST_CONTAINER "ou=system"
37 #define LDAP_ATTRIBUTE_CN "cn"
38 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
39 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
40 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
41 #define LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET "sambaTrustPosixOffset"
42 #define LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE "sambaSupportedEncryptionTypes"
43 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
44 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
45 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
46 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
47 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
48 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
49 #define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
51 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
52 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
53 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
55 #define LDAP_OBJ_IPAOBJECT "ipaObject"
56 #define LDAP_OBJ_IPAHOST "ipaHost"
57 #define LDAP_OBJ_POSIXACCOUNT "posixAccount"
59 #define LDAP_OBJ_GROUPOFNAMES "groupOfNames"
60 #define LDAP_OBJ_NESTEDGROUP "nestedGroup"
61 #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
62 #define LDAP_OBJ_POSIXGROUP "posixGroup"
64 #define HAS_KRB_PRINCIPAL (1<<0)
65 #define HAS_KRB_PRINCIPAL_AUX (1<<1)
66 #define HAS_IPAOBJECT (1<<2)
67 #define HAS_IPAHOST (1<<3)
68 #define HAS_POSIXACCOUNT (1<<4)
69 #define HAS_GROUPOFNAMES (1<<5)
70 #define HAS_NESTEDGROUP (1<<6)
71 #define HAS_IPAUSERGROUP (1<<7)
72 #define HAS_POSIXGROUP (1<<8)
74 struct ipasam_privates
{
76 NTSTATUS (*ldapsam_add_sam_account
)(struct pdb_methods
*,
77 struct samu
*sampass
);
78 NTSTATUS (*ldapsam_update_sam_account
)(struct pdb_methods
*,
79 struct samu
*sampass
);
80 NTSTATUS (*ldapsam_create_user
)(struct pdb_methods
*my_methods
,
81 TALLOC_CTX
*tmp_ctx
, const char *name
,
82 uint32_t acb_info
, uint32_t *rid
);
83 NTSTATUS (*ldapsam_create_dom_group
)(struct pdb_methods
*my_methods
,
89 static bool ipasam_get_trusteddom_pw(struct pdb_methods
*methods
,
93 time_t *pass_last_set_time
)
98 static bool ipasam_set_trusteddom_pw(struct pdb_methods
*methods
,
101 const struct dom_sid
*sid
)
106 static bool ipasam_del_trusteddom_pw(struct pdb_methods
*methods
,
112 static char *get_account_dn(const char *name
)
117 escape_name
= escape_rdn_val_string_alloc(name
);
122 if (name
[strlen(name
)-1] == '$') {
123 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
124 lp_ldap_machine_suffix(talloc_tos()));
126 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
127 lp_ldap_user_suffix(talloc_tos()));
130 SAFE_FREE(escape_name
);
135 static char *trusted_domain_dn(struct ldapsam_privates
*ldap_state
,
138 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
139 LDAP_ATTRIBUTE_CN
, domain
,
140 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
143 static char *trusted_domain_base_dn(struct ldapsam_privates
*ldap_state
)
145 return talloc_asprintf(talloc_tos(), "%s,%s",
146 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
149 static bool get_trusted_domain_int(struct ldapsam_privates
*ldap_state
,
151 const char *filter
, LDAPMessage
**entry
)
154 char *base_dn
= NULL
;
155 LDAPMessage
*result
= NULL
;
158 base_dn
= trusted_domain_base_dn(ldap_state
);
159 if (base_dn
== NULL
) {
163 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
,
164 LDAP_SCOPE_SUBTREE
, filter
, NULL
, 0, &result
);
165 TALLOC_FREE(base_dn
);
167 if (result
!= NULL
) {
168 smbldap_talloc_autofree_ldapmsg(mem_ctx
, result
);
171 if (rc
== LDAP_NO_SUCH_OBJECT
) {
176 if (rc
!= LDAP_SUCCESS
) {
180 num_result
= ldap_count_entries(priv2ld(ldap_state
), result
);
182 if (num_result
> 1) {
183 DEBUG(1, ("get_trusted_domain_int: more than one "
184 "%s object with filter '%s'?!\n",
185 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
189 if (num_result
== 0) {
190 DEBUG(1, ("get_trusted_domain_int: no "
191 "%s object with filter '%s'.\n",
192 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
195 *entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
201 static bool get_trusted_domain_by_name_int(struct ldapsam_privates
*ldap_state
,
208 filter
= talloc_asprintf(talloc_tos(),
209 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
210 LDAP_OBJ_TRUSTED_DOMAIN
,
211 LDAP_ATTRIBUTE_FLAT_NAME
, domain
,
212 LDAP_ATTRIBUTE_TRUST_PARTNER
, domain
, domain
);
213 if (filter
== NULL
) {
217 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
220 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates
*ldap_state
,
222 const char *sid
, LDAPMessage
**entry
)
226 filter
= talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
227 LDAP_OBJ_TRUSTED_DOMAIN
,
228 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
, sid
);
229 if (filter
== NULL
) {
233 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
236 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates
*ldap_state
,
245 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
248 DEBUG(9, ("Attribute %s not present.\n", attr
));
253 l
= strtoul(dummy
, &endptr
, 10);
256 if (l
< 0 || l
> UINT32_MAX
|| *endptr
!= '\0') {
265 static void get_data_blob_from_ldap_msg(TALLOC_CTX
*mem_ctx
,
266 struct ldapsam_privates
*ldap_state
,
267 LDAPMessage
*entry
, const char *attr
,
273 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
, attr
,
276 DEBUG(9, ("Attribute %s not present.\n", attr
));
279 blob
= base64_decode_data_blob(dummy
);
280 if (blob
.length
== 0) {
283 _blob
->length
= blob
.length
;
284 _blob
->data
= talloc_steal(mem_ctx
, blob
.data
);
290 static bool fill_pdb_trusted_domain(TALLOC_CTX
*mem_ctx
,
291 struct ldapsam_privates
*ldap_state
,
293 struct pdb_trusted_domain
**_td
)
297 struct pdb_trusted_domain
*td
;
303 td
= talloc_zero(mem_ctx
, struct pdb_trusted_domain
);
308 /* All attributes are MAY */
310 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
311 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
314 DEBUG(9, ("Attribute %s not present.\n",
315 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
));
316 ZERO_STRUCT(td
->security_identifier
);
318 res
= string_to_sid(&td
->security_identifier
, dummy
);
325 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
326 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
327 &td
->trust_auth_incoming
);
329 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
330 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
331 &td
->trust_auth_outgoing
);
333 td
->netbios_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
335 LDAP_ATTRIBUTE_FLAT_NAME
,
337 if (td
->netbios_name
== NULL
) {
338 DEBUG(9, ("Attribute %s not present.\n",
339 LDAP_ATTRIBUTE_FLAT_NAME
));
342 td
->domain_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
344 LDAP_ATTRIBUTE_TRUST_PARTNER
,
346 if (td
->domain_name
== NULL
) {
347 DEBUG(9, ("Attribute %s not present.\n",
348 LDAP_ATTRIBUTE_TRUST_PARTNER
));
351 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
352 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
353 &td
->trust_direction
);
358 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
359 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
360 &td
->trust_attributes
);
365 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
366 LDAP_ATTRIBUTE_TRUST_TYPE
,
372 td
->trust_posix_offset
= talloc(td
, uint32_t);
373 if (td
->trust_posix_offset
== NULL
) {
376 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
377 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET
,
378 td
->trust_posix_offset
);
383 td
->supported_enc_type
= talloc(td
, uint32_t);
384 if (td
->supported_enc_type
== NULL
) {
387 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
388 LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE
,
389 td
->supported_enc_type
);
395 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
396 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
397 &td
->trust_forest_trust_info
);
404 static NTSTATUS
ipasam_get_trusted_domain(struct pdb_methods
*methods
,
407 struct pdb_trusted_domain
**td
)
409 struct ldapsam_privates
*ldap_state
=
410 (struct ldapsam_privates
*)methods
->private_data
;
411 LDAPMessage
*entry
= NULL
;
413 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain
));
415 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
417 return NT_STATUS_UNSUCCESSFUL
;
420 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
422 return NT_STATUS_NO_SUCH_DOMAIN
;
425 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
426 return NT_STATUS_UNSUCCESSFUL
;
432 static NTSTATUS
ipasam_get_trusted_domain_by_sid(struct pdb_methods
*methods
,
435 struct pdb_trusted_domain
**td
)
437 struct ldapsam_privates
*ldap_state
=
438 (struct ldapsam_privates
*)methods
->private_data
;
439 LDAPMessage
*entry
= NULL
;
442 sid_str
= sid_string_tos(sid
);
444 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
447 if (!get_trusted_domain_by_sid_int(ldap_state
, talloc_tos(), sid_str
,
449 return NT_STATUS_UNSUCCESSFUL
;
452 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
453 "with sid: %s\n", sid_str
));
454 return NT_STATUS_NO_SUCH_DOMAIN
;
457 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
458 return NT_STATUS_UNSUCCESSFUL
;
464 static bool smbldap_make_mod_uint32_t(LDAP
*ldap_struct
, LDAPMessage
*entry
,
465 LDAPMod
***mods
, const char *attribute
,
470 dummy
= talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val
);
474 smbldap_make_mod(ldap_struct
, entry
, mods
, attribute
, dummy
);
480 static NTSTATUS
ipasam_set_trusted_domain(struct pdb_methods
*methods
,
482 const struct pdb_trusted_domain
*td
)
484 struct ldapsam_privates
*ldap_state
=
485 (struct ldapsam_privates
*)methods
->private_data
;
486 LDAPMessage
*entry
= NULL
;
489 char *trusted_dn
= NULL
;
492 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain
));
494 res
= get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
497 return NT_STATUS_UNSUCCESSFUL
;
501 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
, "objectClass",
502 LDAP_OBJ_TRUSTED_DOMAIN
);
504 if (td
->netbios_name
!= NULL
) {
505 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
506 LDAP_ATTRIBUTE_FLAT_NAME
,
510 if (td
->domain_name
!= NULL
) {
511 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
512 LDAP_ATTRIBUTE_TRUST_PARTNER
,
516 if (!is_null_sid(&td
->security_identifier
)) {
517 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
518 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
519 sid_string_tos(&td
->security_identifier
));
522 if (td
->trust_type
!= 0) {
523 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
524 &mods
, LDAP_ATTRIBUTE_TRUST_TYPE
,
527 return NT_STATUS_UNSUCCESSFUL
;
531 if (td
->trust_attributes
!= 0) {
532 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
534 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
535 td
->trust_attributes
);
537 return NT_STATUS_UNSUCCESSFUL
;
541 if (td
->trust_direction
!= 0) {
542 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
544 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
545 td
->trust_direction
);
547 return NT_STATUS_UNSUCCESSFUL
;
551 if (td
->trust_posix_offset
!= NULL
) {
552 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
554 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET
,
555 *td
->trust_posix_offset
);
557 return NT_STATUS_UNSUCCESSFUL
;
561 if (td
->supported_enc_type
!= NULL
) {
562 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
564 LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE
,
565 *td
->supported_enc_type
);
567 return NT_STATUS_UNSUCCESSFUL
;
571 if (td
->trust_auth_outgoing
.data
!= NULL
) {
572 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
573 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
574 &td
->trust_auth_outgoing
);
577 if (td
->trust_auth_incoming
.data
!= NULL
) {
578 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
579 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
580 &td
->trust_auth_incoming
);
583 if (td
->trust_forest_trust_info
.data
!= NULL
) {
584 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
585 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
586 &td
->trust_forest_trust_info
);
589 smbldap_talloc_autofree_ldapmod(talloc_tos(), mods
);
591 trusted_dn
= trusted_domain_dn(ldap_state
, domain
);
592 if (trusted_dn
== NULL
) {
593 return NT_STATUS_NO_MEMORY
;
596 ret
= smbldap_add(ldap_state
->smbldap_state
, trusted_dn
, mods
);
598 ret
= smbldap_modify(ldap_state
->smbldap_state
, trusted_dn
, mods
);
601 if (ret
!= LDAP_SUCCESS
) {
602 DEBUG(1, ("error writing trusted domain data!\n"));
603 return NT_STATUS_UNSUCCESSFUL
;
608 static NTSTATUS
ipasam_del_trusted_domain(struct pdb_methods
*methods
,
612 struct ldapsam_privates
*ldap_state
=
613 (struct ldapsam_privates
*)methods
->private_data
;
614 LDAPMessage
*entry
= NULL
;
617 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
619 return NT_STATUS_UNSUCCESSFUL
;
623 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
625 return NT_STATUS_NO_SUCH_DOMAIN
;
628 dn
= smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state
), entry
);
630 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
631 return NT_STATUS_NO_MEMORY
;
634 ret
= smbldap_delete(ldap_state
->smbldap_state
, dn
);
635 if (ret
!= LDAP_SUCCESS
) {
636 return NT_STATUS_UNSUCCESSFUL
;
642 static NTSTATUS
ipasam_enum_trusted_domains(struct pdb_methods
*methods
,
644 uint32_t *num_domains
,
645 struct pdb_trusted_domain
***domains
)
648 struct ldapsam_privates
*ldap_state
=
649 (struct ldapsam_privates
*)methods
->private_data
;
650 char *base_dn
= NULL
;
652 int scope
= LDAP_SCOPE_SUBTREE
;
653 LDAPMessage
*result
= NULL
;
654 LDAPMessage
*entry
= NULL
;
656 filter
= talloc_asprintf(talloc_tos(), "(objectClass=%s)",
657 LDAP_OBJ_TRUSTED_DOMAIN
);
658 if (filter
== NULL
) {
659 return NT_STATUS_NO_MEMORY
;
662 base_dn
= trusted_domain_base_dn(ldap_state
);
663 if (base_dn
== NULL
) {
665 return NT_STATUS_NO_MEMORY
;
668 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
, scope
, filter
,
671 TALLOC_FREE(base_dn
);
673 if (result
!= NULL
) {
674 smbldap_talloc_autofree_ldapmsg(mem_ctx
, result
);
677 if (rc
== LDAP_NO_SUCH_OBJECT
) {
683 if (rc
!= LDAP_SUCCESS
) {
684 return NT_STATUS_UNSUCCESSFUL
;
688 if (!(*domains
= talloc_array(mem_ctx
, struct pdb_trusted_domain
*, 1))) {
689 DEBUG(1, ("talloc failed\n"));
690 return NT_STATUS_NO_MEMORY
;
693 for (entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
695 entry
= ldap_next_entry(priv2ld(ldap_state
), entry
))
697 struct pdb_trusted_domain
*dom_info
;
699 if (!fill_pdb_trusted_domain(*domains
, ldap_state
, entry
,
701 return NT_STATUS_UNSUCCESSFUL
;
704 ADD_TO_ARRAY(*domains
, struct pdb_trusted_domain
*, dom_info
,
705 domains
, num_domains
);
707 if (*domains
== NULL
) {
708 DEBUG(1, ("talloc failed\n"));
709 return NT_STATUS_NO_MEMORY
;
713 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains
));
717 static NTSTATUS
ipasam_enum_trusteddoms(struct pdb_methods
*methods
,
719 uint32_t *num_domains
,
720 struct trustdom_info
***domains
)
723 struct pdb_trusted_domain
**td
;
726 status
= ipasam_enum_trusted_domains(methods
, talloc_tos(),
728 if (!NT_STATUS_IS_OK(status
)) {
732 if (*num_domains
== 0) {
736 if (!(*domains
= talloc_array(mem_ctx
, struct trustdom_info
*,
738 DEBUG(1, ("talloc failed\n"));
739 return NT_STATUS_NO_MEMORY
;
742 for (i
= 0; i
< *num_domains
; i
++) {
743 struct trustdom_info
*dom_info
;
745 dom_info
= talloc(*domains
, struct trustdom_info
);
746 if (dom_info
== NULL
) {
747 DEBUG(1, ("talloc failed\n"));
748 return NT_STATUS_NO_MEMORY
;
751 dom_info
->name
= talloc_steal(mem_ctx
, td
[i
]->netbios_name
);
752 sid_copy(&dom_info
->sid
, &td
[i
]->security_identifier
);
754 (*domains
)[i
] = dom_info
;
760 static uint32_t pdb_ipasam_capabilities(struct pdb_methods
*methods
)
762 return PDB_CAP_STORE_RIDS
| PDB_CAP_ADS
| PDB_CAP_TRUSTED_DOMAINS_EX
;
765 static struct pdb_domain_info
*pdb_ipasam_get_domain_info(struct pdb_methods
*pdb_methods
,
768 struct pdb_domain_info
*info
;
769 struct ldapsam_privates
*ldap_state
=
770 (struct ldapsam_privates
*)pdb_methods
->private_data
;
775 info
= talloc(mem_ctx
, struct pdb_domain_info
);
780 info
->name
= talloc_strdup(info
, ldap_state
->domain_name
);
781 if (info
->name
== NULL
) {
785 /* TODO: read dns_domain, dns_forest and guid from LDAP */
786 info
->dns_domain
= talloc_strdup(info
, lp_realm());
787 if (info
->dns_domain
== NULL
) {
790 if (!strlower_m(info
->dns_domain
)) {
793 info
->dns_forest
= talloc_strdup(info
, info
->dns_domain
);
795 /* we expect a domain SID to have 4 sub IDs */
796 if (ldap_state
->domain_sid
.num_auths
!= 4) {
800 sid_copy(&info
->sid
, &ldap_state
->domain_sid
);
802 if (!sid_linearize(sid_buf
, sizeof(sid_buf
), &info
->sid
)) {
806 /* the first 8 bytes of the linearized SID are not random,
808 sid_blob
.data
= (uint8_t *) sid_buf
+ 8 ;
809 sid_blob
.length
= 16;
811 status
= GUID_from_ndr_blob(&sid_blob
, &info
->guid
);
812 if (!NT_STATUS_IS_OK(status
)) {
823 static NTSTATUS
modify_ipa_password_exop(struct ldapsam_privates
*ldap_state
,
824 struct samu
*sampass
)
827 BerElement
*ber
= NULL
;
828 struct berval
*bv
= NULL
;
830 struct berval
*retdata
= NULL
;
831 const char *password
;
834 password
= pdb_get_plaintext_passwd(sampass
);
835 if (password
== NULL
|| *password
== '\0') {
836 return NT_STATUS_INVALID_PARAMETER
;
839 dn
= get_account_dn(pdb_get_username(sampass
));
841 return NT_STATUS_INVALID_PARAMETER
;
844 ber
= ber_alloc_t( LBER_USE_DER
);
846 DEBUG(7, ("ber_alloc_t failed.\n"));
847 return NT_STATUS_NO_MEMORY
;
850 ret
= ber_printf(ber
, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID
, dn
,
851 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW
, password
);
853 DEBUG(7, ("ber_printf failed.\n"));
855 return NT_STATUS_UNSUCCESSFUL
;
858 ret
= ber_flatten(ber
, &bv
);
861 DEBUG(1, ("ber_flatten failed.\n"));
862 return NT_STATUS_UNSUCCESSFUL
;
865 ret
= smbldap_extended_operation(ldap_state
->smbldap_state
,
866 LDAP_EXOP_MODIFY_PASSWD
, bv
, NULL
,
867 NULL
, &retoid
, &retdata
);
873 ldap_memfree(retoid
);
875 if (ret
!= LDAP_SUCCESS
) {
876 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
877 return NT_STATUS_UNSUCCESSFUL
;
883 static NTSTATUS
ipasam_get_objectclasses(struct ldapsam_privates
*ldap_state
,
884 const char *dn
, LDAPMessage
*entry
,
885 uint32_t *has_objectclass
)
887 char **objectclasses
;
890 objectclasses
= ldap_get_values(priv2ld(ldap_state
), entry
,
891 LDAP_ATTRIBUTE_OBJECTCLASS
);
892 if (objectclasses
== NULL
) {
893 DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn
));
894 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
897 *has_objectclass
= 0;
898 for (c
= 0; objectclasses
[c
] != NULL
; c
++) {
899 if (strequal(objectclasses
[c
], LDAP_OBJ_KRB_PRINCIPAL
)) {
900 *has_objectclass
|= HAS_KRB_PRINCIPAL
;
901 } else if (strequal(objectclasses
[c
],
902 LDAP_OBJ_KRB_PRINCIPAL_AUX
)) {
903 *has_objectclass
|= HAS_KRB_PRINCIPAL_AUX
;
904 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAOBJECT
)) {
905 *has_objectclass
|= HAS_IPAOBJECT
;
906 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAHOST
)) {
907 *has_objectclass
|= HAS_IPAHOST
;
908 } else if (strequal(objectclasses
[c
], LDAP_OBJ_POSIXACCOUNT
)) {
909 *has_objectclass
|= HAS_POSIXACCOUNT
;
910 } else if (strequal(objectclasses
[c
], LDAP_OBJ_GROUPOFNAMES
)) {
911 *has_objectclass
|= HAS_GROUPOFNAMES
;
912 } else if (strequal(objectclasses
[c
], LDAP_OBJ_NESTEDGROUP
)) {
913 *has_objectclass
|= HAS_NESTEDGROUP
;
914 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAUSERGROUP
)) {
915 *has_objectclass
|= HAS_IPAUSERGROUP
;
916 } else if (strequal(objectclasses
[c
], LDAP_OBJ_POSIXGROUP
)) {
917 *has_objectclass
|= HAS_POSIXGROUP
;
920 ldap_value_free(objectclasses
);
931 static NTSTATUS
find_obj(struct ldapsam_privates
*ldap_state
, const char *name
,
932 enum obj_type type
, char **_dn
,
933 uint32_t *_has_objectclass
)
938 LDAPMessage
*result
= NULL
;
939 LDAPMessage
*entry
= NULL
;
942 uint32_t has_objectclass
;
944 const char *obj_class
= NULL
;
948 obj_class
= LDAP_OBJ_POSIXACCOUNT
;
951 obj_class
= LDAP_OBJ_POSIXGROUP
;
954 DEBUG(0, ("Unsupported IPA object.\n"));
955 return NT_STATUS_INVALID_PARAMETER
;
958 username
= escape_ldap_string(talloc_tos(), name
);
959 if (username
== NULL
) {
960 return NT_STATUS_NO_MEMORY
;
962 filter
= talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
963 username
, obj_class
);
964 if (filter
== NULL
) {
965 return NT_STATUS_NO_MEMORY
;
967 TALLOC_FREE(username
);
969 ret
= smbldap_search_suffix(ldap_state
->smbldap_state
, filter
, NULL
,
971 if (ret
!= LDAP_SUCCESS
) {
972 DEBUG(0, ("smbldap_search_suffix failed.\n"));
973 return NT_STATUS_ACCESS_DENIED
;
976 num_result
= ldap_count_entries(priv2ld(ldap_state
), result
);
978 if (num_result
!= 1) {
979 if (num_result
== 0) {
982 status
= NT_STATUS_NO_SUCH_USER
;
985 status
= NT_STATUS_NO_SUCH_GROUP
;
988 status
= NT_STATUS_INVALID_PARAMETER
;
991 DEBUG (0, ("find_user: More than one object with name [%s] ?!\n",
993 status
= NT_STATUS_INTERNAL_DB_CORRUPTION
;
998 entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
1000 DEBUG(0,("find_user: Out of memory!\n"));
1001 status
= NT_STATUS_UNSUCCESSFUL
;
1005 dn
= smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state
), entry
);
1007 DEBUG(0,("find_user: Out of memory!\n"));
1008 status
= NT_STATUS_NO_MEMORY
;
1012 status
= ipasam_get_objectclasses(ldap_state
, dn
, entry
, &has_objectclass
);
1013 if (!NT_STATUS_IS_OK(status
)) {
1018 *_has_objectclass
= has_objectclass
;
1020 status
= NT_STATUS_OK
;
1023 ldap_msgfree(result
);
1028 static NTSTATUS
find_user(struct ldapsam_privates
*ldap_state
, const char *name
,
1029 char **_dn
, uint32_t *_has_objectclass
)
1031 return find_obj(ldap_state
, name
, IPA_USER_OBJ
, _dn
, _has_objectclass
);
1034 static NTSTATUS
find_group(struct ldapsam_privates
*ldap_state
, const char *name
,
1035 char **_dn
, uint32_t *_has_objectclass
)
1037 return find_obj(ldap_state
, name
, IPA_GROUP_OBJ
, _dn
, _has_objectclass
);
1040 static NTSTATUS
ipasam_add_posix_account_objectclass(struct ldapsam_privates
*ldap_state
,
1043 const char *username
)
1046 LDAPMod
**mods
= NULL
;
1048 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1049 "objectclass", "posixAccount");
1050 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1052 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1053 "uidNumber", IPA_MAGIC_ID_STR
);
1054 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1055 "gidNumber", "12345");
1056 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1057 "homeDirectory", "/dev/null");
1059 if (ldap_op
== LDAP_MOD_ADD
) {
1060 ret
= smbldap_add(ldap_state
->smbldap_state
, dn
, mods
);
1062 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1064 ldap_mods_free(mods
, 1);
1065 if (ret
!= LDAP_SUCCESS
) {
1066 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1068 return NT_STATUS_LDAP(ret
);
1071 return NT_STATUS_OK
;
1074 static NTSTATUS
ipasam_add_ipa_group_objectclasses(struct ldapsam_privates
*ldap_state
,
1077 uint32_t has_objectclass
)
1079 LDAPMod
**mods
= NULL
;
1082 if (!(has_objectclass
& HAS_GROUPOFNAMES
)) {
1083 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1084 LDAP_ATTRIBUTE_OBJECTCLASS
,
1085 LDAP_OBJ_GROUPOFNAMES
);
1088 if (!(has_objectclass
& HAS_NESTEDGROUP
)) {
1089 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1090 LDAP_ATTRIBUTE_OBJECTCLASS
,
1091 LDAP_OBJ_NESTEDGROUP
);
1094 if (!(has_objectclass
& HAS_IPAUSERGROUP
)) {
1095 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1096 LDAP_ATTRIBUTE_OBJECTCLASS
,
1097 LDAP_OBJ_IPAUSERGROUP
);
1100 if (!(has_objectclass
& HAS_IPAOBJECT
)) {
1101 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1102 LDAP_ATTRIBUTE_OBJECTCLASS
,
1103 LDAP_OBJ_IPAOBJECT
);
1106 if (!(has_objectclass
& HAS_POSIXGROUP
)) {
1107 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1108 LDAP_ATTRIBUTE_OBJECTCLASS
,
1109 LDAP_OBJ_POSIXGROUP
);
1110 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1113 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1114 LDAP_ATTRIBUTE_GIDNUMBER
,
1118 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1119 ldap_mods_free(mods
, 1);
1120 if (ret
!= LDAP_SUCCESS
) {
1121 DEBUG(1, ("failed to modify/add group %s (dn = %s)\n",
1123 return NT_STATUS_LDAP(ret
);
1126 return NT_STATUS_OK
;
1129 static NTSTATUS
ipasam_add_ipa_objectclasses(struct ldapsam_privates
*ldap_state
,
1130 const char *dn
, const char *name
,
1132 uint32_t acct_flags
,
1133 uint32_t has_objectclass
)
1135 LDAPMod
**mods
= NULL
;
1139 if (!(has_objectclass
& HAS_KRB_PRINCIPAL
)) {
1140 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1141 LDAP_ATTRIBUTE_OBJECTCLASS
,
1142 LDAP_OBJ_KRB_PRINCIPAL
);
1144 princ
= talloc_asprintf(talloc_tos(), "%s@%s", name
, lp_realm());
1145 if (princ
== NULL
) {
1146 return NT_STATUS_NO_MEMORY
;
1149 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, LDAP_ATTRIBUTE_KRB_PRINCIPAL
, princ
);
1152 if (!(has_objectclass
& HAS_KRB_PRINCIPAL_AUX
)) {
1153 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1154 LDAP_ATTRIBUTE_OBJECTCLASS
,
1155 LDAP_OBJ_KRB_PRINCIPAL_AUX
);
1158 if (!(has_objectclass
& HAS_IPAOBJECT
)) {
1159 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1160 LDAP_ATTRIBUTE_OBJECTCLASS
, LDAP_OBJ_IPAOBJECT
);
1163 if ((acct_flags
!= 0) &&
1164 (((acct_flags
& ACB_NORMAL
) && name
[strlen(name
)-1] == '$') ||
1165 ((acct_flags
& (ACB_WSTRUST
|ACB_SVRTRUST
|ACB_DOMTRUST
)) != 0))) {
1167 if (!(has_objectclass
& HAS_IPAHOST
)) {
1168 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1169 LDAP_ATTRIBUTE_OBJECTCLASS
,
1172 if (domain
== NULL
) {
1173 return NT_STATUS_INVALID_PARAMETER
;
1176 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1181 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1182 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1183 "objectclass", "posixAccount");
1184 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "cn", name
);
1185 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1186 "uidNumber", IPA_MAGIC_ID_STR
);
1187 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1188 "gidNumber", "12345");
1189 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1190 "homeDirectory", "/dev/null");
1194 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1195 ldap_mods_free(mods
, 1);
1196 if (ret
!= LDAP_SUCCESS
) {
1197 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1199 return NT_STATUS_LDAP(ret
);
1203 return NT_STATUS_OK
;
1206 static NTSTATUS
pdb_ipasam_add_sam_account(struct pdb_methods
*pdb_methods
,
1207 struct samu
*sampass
)
1210 struct ldapsam_privates
*ldap_state
;
1213 uint32_t has_objectclass
;
1215 struct dom_sid user_sid
;
1217 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1219 if (IS_SAM_SET(sampass
, PDB_USERSID
) ||
1220 IS_SAM_CHANGED(sampass
, PDB_USERSID
)) {
1221 if (!pdb_new_rid(&rid
)) {
1222 return NT_STATUS_DS_NO_MORE_RIDS
;
1224 sid_compose(&user_sid
, get_global_sam_sid(), rid
);
1225 if (!pdb_set_user_sid(sampass
, &user_sid
, PDB_SET
)) {
1226 return NT_STATUS_UNSUCCESSFUL
;
1230 status
= ldap_state
->ipasam_privates
->ldapsam_add_sam_account(pdb_methods
,
1232 if (!NT_STATUS_IS_OK(status
)) {
1236 if (ldap_state
->ipasam_privates
->server_is_ipa
) {
1237 name
= pdb_get_username(sampass
);
1238 if (name
== NULL
|| *name
== '\0') {
1239 return NT_STATUS_INVALID_PARAMETER
;
1242 status
= find_user(ldap_state
, name
, &dn
, &has_objectclass
);
1243 if (!NT_STATUS_IS_OK(status
)) {
1247 status
= ipasam_add_ipa_objectclasses(ldap_state
, dn
, name
,
1248 pdb_get_domain(sampass
),
1249 pdb_get_acct_ctrl(sampass
),
1251 if (!NT_STATUS_IS_OK(status
)) {
1255 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1256 status
= ipasam_add_posix_account_objectclass(ldap_state
,
1259 if (!NT_STATUS_IS_OK(status
)) {
1264 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
1265 status
= modify_ipa_password_exop(ldap_state
, sampass
);
1266 if (!NT_STATUS_IS_OK(status
)) {
1272 return NT_STATUS_OK
;
1275 static NTSTATUS
pdb_ipasam_update_sam_account(struct pdb_methods
*pdb_methods
,
1276 struct samu
*sampass
)
1279 struct ldapsam_privates
*ldap_state
;
1280 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1282 status
= ldap_state
->ipasam_privates
->ldapsam_update_sam_account(pdb_methods
,
1284 if (!NT_STATUS_IS_OK(status
)) {
1288 if (ldap_state
->ipasam_privates
->server_is_ipa
) {
1289 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
1290 status
= modify_ipa_password_exop(ldap_state
, sampass
);
1291 if (!NT_STATUS_IS_OK(status
)) {
1297 return NT_STATUS_OK
;
1300 static NTSTATUS
ipasam_create_dom_group(struct pdb_methods
*pdb_methods
,
1301 TALLOC_CTX
*tmp_ctx
, const char *name
,
1305 struct ldapsam_privates
*ldap_state
;
1307 uint32_t has_objectclass
= 0;
1309 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1311 if (name
== NULL
|| *name
== '\0') {
1312 return NT_STATUS_INVALID_PARAMETER
;
1315 status
= find_group(ldap_state
, name
, &dn
, &has_objectclass
);
1316 if (!NT_STATUS_IS_OK(status
) &&
1317 !NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1321 if (!(has_objectclass
& HAS_POSIXGROUP
)) {
1322 status
= ipasam_add_ipa_group_objectclasses(ldap_state
, dn
,
1325 if (!NT_STATUS_IS_OK(status
)) {
1330 status
= ldap_state
->ipasam_privates
->ldapsam_create_dom_group(pdb_methods
,
1334 if (!NT_STATUS_IS_OK(status
)) {
1338 return NT_STATUS_OK
;
1340 static NTSTATUS
ipasam_create_user(struct pdb_methods
*pdb_methods
,
1341 TALLOC_CTX
*tmp_ctx
, const char *name
,
1342 uint32_t acb_info
, uint32_t *rid
)
1345 struct ldapsam_privates
*ldap_state
;
1346 int ldap_op
= LDAP_MOD_REPLACE
;
1348 uint32_t has_objectclass
= 0;
1350 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1352 if (name
== NULL
|| *name
== '\0') {
1353 return NT_STATUS_INVALID_PARAMETER
;
1356 status
= find_user(ldap_state
, name
, &dn
, &has_objectclass
);
1357 if (NT_STATUS_IS_OK(status
)) {
1358 ldap_op
= LDAP_MOD_REPLACE
;
1359 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1360 char *escape_username
;
1361 ldap_op
= LDAP_MOD_ADD
;
1362 escape_username
= escape_rdn_val_string_alloc(name
);
1363 if (!escape_username
) {
1364 return NT_STATUS_NO_MEMORY
;
1366 if (name
[strlen(name
)-1] == '$') {
1367 dn
= talloc_asprintf(tmp_ctx
, "uid=%s,%s",
1369 lp_ldap_machine_suffix(talloc_tos()));
1371 dn
= talloc_asprintf(tmp_ctx
, "uid=%s,%s",
1373 lp_ldap_user_suffix(talloc_tos()));
1375 SAFE_FREE(escape_username
);
1377 return NT_STATUS_NO_MEMORY
;
1383 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1384 status
= ipasam_add_posix_account_objectclass(ldap_state
, ldap_op
,
1386 if (!NT_STATUS_IS_OK(status
)) {
1389 has_objectclass
|= HAS_POSIXACCOUNT
;
1392 status
= ldap_state
->ipasam_privates
->ldapsam_create_user(pdb_methods
,
1395 if (!NT_STATUS_IS_OK(status
)) {
1399 status
= ipasam_add_ipa_objectclasses(ldap_state
, dn
, name
, lp_realm(),
1400 acb_info
, has_objectclass
);
1401 if (!NT_STATUS_IS_OK(status
)) {
1405 return NT_STATUS_OK
;
1408 static NTSTATUS
pdb_ipa_init_secrets(struct pdb_methods
*m
)
1410 #if _SAMBA_BUILD_ == 4
1411 struct pdb_domain_info
*dom_info
;
1414 dom_info
= pdb_ipasam_get_domain_info(m
, m
);
1416 return NT_STATUS_UNSUCCESSFUL
;
1419 PDB_secrets_clear_domain_protection(dom_info
->name
);
1420 ret
= PDB_secrets_store_domain_sid(dom_info
->name
,
1425 ret
= PDB_secrets_store_domain_guid(dom_info
->name
,
1430 ret
= PDB_secrets_mark_domain_protected(dom_info
->name
);
1436 TALLOC_FREE(dom_info
);
1438 return NT_STATUS_UNSUCCESSFUL
;
1441 return NT_STATUS_OK
;
1444 static NTSTATUS
pdb_init_IPA_ldapsam(struct pdb_methods
**pdb_method
, const char *location
)
1446 struct ldapsam_privates
*ldap_state
;
1449 status
= pdb_init_ldapsam(pdb_method
, location
);
1450 if (!NT_STATUS_IS_OK(status
)) {
1454 (*pdb_method
)->name
= "IPA_ldapsam";
1456 ldap_state
= (struct ldapsam_privates
*)((*pdb_method
)->private_data
);
1457 ldap_state
->ipasam_privates
= talloc_zero(ldap_state
,
1458 struct ipasam_privates
);
1459 if (ldap_state
->ipasam_privates
== NULL
) {
1460 return NT_STATUS_NO_MEMORY
;
1462 ldap_state
->is_ipa_ldap
= True
;
1464 ldap_state
->ipasam_privates
->server_is_ipa
= smbldap_has_extension(
1465 priv2ld(ldap_state
), IPA_KEYTAB_SET_OID
);
1466 ldap_state
->ipasam_privates
->ldapsam_add_sam_account
= (*pdb_method
)->add_sam_account
;
1467 ldap_state
->ipasam_privates
->ldapsam_update_sam_account
= (*pdb_method
)->update_sam_account
;
1468 ldap_state
->ipasam_privates
->ldapsam_create_user
= (*pdb_method
)->create_user
;
1469 ldap_state
->ipasam_privates
->ldapsam_create_dom_group
= (*pdb_method
)->create_dom_group
;
1471 (*pdb_method
)->add_sam_account
= pdb_ipasam_add_sam_account
;
1472 (*pdb_method
)->update_sam_account
= pdb_ipasam_update_sam_account
;
1474 if (lp_parm_bool(-1, "ldapsam", "trusted", False
)) {
1475 if (lp_parm_bool(-1, "ldapsam", "editposix", False
)) {
1476 (*pdb_method
)->create_user
= ipasam_create_user
;
1477 (*pdb_method
)->create_dom_group
= ipasam_create_dom_group
;
1481 (*pdb_method
)->capabilities
= pdb_ipasam_capabilities
;
1482 (*pdb_method
)->get_domain_info
= pdb_ipasam_get_domain_info
;
1484 (*pdb_method
)->get_trusteddom_pw
= ipasam_get_trusteddom_pw
;
1485 (*pdb_method
)->set_trusteddom_pw
= ipasam_set_trusteddom_pw
;
1486 (*pdb_method
)->del_trusteddom_pw
= ipasam_del_trusteddom_pw
;
1487 (*pdb_method
)->enum_trusteddoms
= ipasam_enum_trusteddoms
;
1489 (*pdb_method
)->get_trusted_domain
= ipasam_get_trusted_domain
;
1490 (*pdb_method
)->get_trusted_domain_by_sid
= ipasam_get_trusted_domain_by_sid
;
1491 (*pdb_method
)->set_trusted_domain
= ipasam_set_trusted_domain
;
1492 (*pdb_method
)->del_trusted_domain
= ipasam_del_trusted_domain
;
1493 (*pdb_method
)->enum_trusted_domains
= ipasam_enum_trusted_domains
;
1495 status
= pdb_ipa_init_secrets(*pdb_method
);
1496 if (!NT_STATUS_IS_OK(status
)) {
1497 DEBUG(10, ("pdb_ipa_init_secrets failed!\n"));
1501 return NT_STATUS_OK
;
1504 NTSTATUS
pdb_ipa_init(void)
1508 if (!NT_STATUS_IS_OK(nt_status
= smb_register_passdb(PASSDB_INTERFACE_VERSION
, "IPA_ldapsam", pdb_init_IPA_ldapsam
)))
1511 return NT_STATUS_OK
;