2 Unix SMB/CIFS implementation.
4 interface functions for the sam database
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "librpc/gen_ndr/ndr_netlogon.h"
26 #include "librpc/gen_ndr/ndr_misc.h"
27 #include "librpc/gen_ndr/ndr_security.h"
28 #include "lib/events/events.h"
29 #include "lib/ldb/include/ldb.h"
30 #include "lib/ldb/include/ldb_errors.h"
31 #include "libcli/security/security.h"
32 #include "libcli/auth/libcli_auth.h"
33 #include "libcli/ldap/ldap_ndr.h"
34 #include "system/time.h"
35 #include "system/filesys.h"
37 #include "../lib/util/util_ldb.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "../libds/common/flags.h"
40 #include "param/param.h"
41 #include "lib/events/events.h"
42 #include "auth/credentials/credentials.h"
43 #include "param/secrets.h"
44 #include "auth/auth.h"
46 char *samdb_relative_path(struct ldb_context
*ldb
,
50 const char *base_url
=
51 (const char *)ldb_get_opaque(ldb
, "ldb_url");
52 char *path
, *p
, *full_name
;
56 if (strncmp("tdb://", base_url
, 6) == 0) {
57 base_url
= base_url
+6;
59 path
= talloc_strdup(mem_ctx
, base_url
);
63 if ( (p
= strrchr(path
, '/')) != NULL
) {
65 full_name
= talloc_asprintf(mem_ctx
, "%s/%s", path
, name
);
67 full_name
= talloc_asprintf(mem_ctx
, "./%s", name
);
74 make sure the static credentials are not freed
76 static int samdb_credentials_destructor(struct cli_credentials
*creds
)
82 this returns a static set of system credentials. It is static so
83 that we always get the same pointer in ldb_wrap_connect()
85 struct cli_credentials
*samdb_credentials(struct tevent_context
*event_ctx
,
86 struct loadparm_context
*lp_ctx
)
88 static struct cli_credentials
*static_credentials
;
89 struct cli_credentials
*cred
;
92 if (static_credentials
) {
93 return static_credentials
;
96 cred
= cli_credentials_init(talloc_autofree_context());
100 cli_credentials_set_conf(cred
, lp_ctx
);
102 /* We don't want to use krb5 to talk to our samdb - recursion
103 * here would be bad, and this account isn't in the KDC
105 cli_credentials_set_kerberos_state(cred
, CRED_DONT_USE_KERBEROS
);
107 if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred
, event_ctx
, lp_ctx
, NULL
, NULL
,
108 SECRETS_LDAP_FILTER
, &error_string
))) {
109 DEBUG(5, ("(normal if no LDAP backend) %s", error_string
));
110 /* Perfectly OK - if not against an LDAP backend */
114 static_credentials
= cred
;
115 talloc_set_destructor(cred
, samdb_credentials_destructor
);
120 connect to the SAM database
121 return an opaque context pointer on success, or NULL on failure
123 struct ldb_context
*samdb_connect(TALLOC_CTX
*mem_ctx
,
124 struct tevent_context
*ev_ctx
,
125 struct loadparm_context
*lp_ctx
,
126 struct auth_session_info
*session_info
)
128 struct ldb_context
*ldb
;
129 ldb
= ldb_wrap_connect(mem_ctx
, ev_ctx
, lp_ctx
,
130 lp_sam_url(lp_ctx
), session_info
,
131 samdb_credentials(ev_ctx
, lp_ctx
),
140 /****************************************************************************
141 Create the SID list for this user.
142 ****************************************************************************/
143 NTSTATUS
security_token_create(TALLOC_CTX
*mem_ctx
,
144 struct tevent_context
*ev_ctx
,
145 struct loadparm_context
*lp_ctx
,
146 struct dom_sid
*user_sid
,
147 struct dom_sid
*group_sid
,
148 unsigned int n_groupSIDs
,
149 struct dom_sid
**groupSIDs
,
150 uint32_t session_info_flags
,
151 struct security_token
**token
)
153 struct security_token
*ptoken
;
157 ptoken
= security_token_initialise(mem_ctx
);
158 NT_STATUS_HAVE_NO_MEMORY(ptoken
);
160 ptoken
->user_sid
= talloc_reference(ptoken
, user_sid
);
161 ptoken
->group_sid
= talloc_reference(ptoken
, group_sid
);
162 ptoken
->privilege_mask
= 0;
164 ptoken
->sids
= talloc_array(ptoken
, struct dom_sid
*, n_groupSIDs
+ 6 /* over-allocate */);
165 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
);
167 ptoken
->num_sids
= 1;
169 ptoken
->sids
= talloc_realloc(ptoken
, ptoken
->sids
, struct dom_sid
*, ptoken
->num_sids
+ 1);
170 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
);
172 ptoken
->sids
[0] = ptoken
->user_sid
;
173 ptoken
->sids
[1] = ptoken
->group_sid
;
177 * Finally add the "standard" SIDs.
178 * The only difference between guest and "anonymous"
179 * is the addition of Authenticated_Users.
182 if (session_info_flags
& AUTH_SESSION_INFO_DEFAULT_GROUPS
) {
183 ptoken
->sids
= talloc_realloc(ptoken
, ptoken
->sids
, struct dom_sid
*, ptoken
->num_sids
+ 1);
184 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
);
186 ptoken
->sids
[ptoken
->num_sids
] = dom_sid_parse_talloc(ptoken
->sids
, SID_WORLD
);
187 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
[ptoken
->num_sids
]);
190 ptoken
->sids
= talloc_realloc(ptoken
, ptoken
->sids
, struct dom_sid
*, ptoken
->num_sids
+ 1);
191 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
);
193 ptoken
->sids
[ptoken
->num_sids
] = dom_sid_parse_talloc(ptoken
->sids
, SID_NT_NETWORK
);
194 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
[ptoken
->num_sids
]);
200 if (session_info_flags
& AUTH_SESSION_INFO_AUTHENTICATED
) {
201 ptoken
->sids
= talloc_realloc(ptoken
, ptoken
->sids
, struct dom_sid
*, ptoken
->num_sids
+ 1);
202 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
);
204 ptoken
->sids
[ptoken
->num_sids
] = dom_sid_parse_talloc(ptoken
->sids
, SID_NT_AUTHENTICATED_USERS
);
205 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
[ptoken
->num_sids
]);
209 if (session_info_flags
& AUTH_SESSION_INFO_ENTERPRISE_DC
) {
210 ptoken
->sids
= talloc_realloc(ptoken
, ptoken
->sids
, struct dom_sid
*, ptoken
->num_sids
+ 1);
211 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
);
213 ptoken
->sids
[ptoken
->num_sids
] = dom_sid_parse_talloc(ptoken
->sids
, SID_NT_ENTERPRISE_DCS
);
214 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
[ptoken
->num_sids
]);
218 for (i
= 0; i
< n_groupSIDs
; i
++) {
219 size_t check_sid_idx
;
220 for (check_sid_idx
= 1;
221 check_sid_idx
< ptoken
->num_sids
;
223 if (dom_sid_equal(ptoken
->sids
[check_sid_idx
], groupSIDs
[i
])) {
228 if (check_sid_idx
== ptoken
->num_sids
) {
229 ptoken
->sids
= talloc_realloc(ptoken
, ptoken
->sids
, struct dom_sid
*, ptoken
->num_sids
+ 1);
230 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
);
232 ptoken
->sids
[ptoken
->num_sids
] = talloc_reference(ptoken
->sids
, groupSIDs
[i
]);
233 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
[ptoken
->num_sids
]);
239 /* setup the privilege mask for this token */
240 status
= samdb_privilege_setup(ev_ctx
, lp_ctx
, ptoken
);
241 if (!NT_STATUS_IS_OK(status
)) {
246 security_token_debug(10, ptoken
);