search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:test: add the failure blackbox test as samba3.blackbox.failure
[Samba/gbeck.git] / source3 / passdb / pdb_ipa.c
blob3108c5e1f012e44c07d72ca2554d4cb9ade43429
1 /*
2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18
19 */
20
21 #include "includes.h"
22 #include "libcli/security/dom_sid.h"
23
24 #include "smbldap.h"
25
26 #define LDAP_TRUST_CONTAINER "ou=system"
27 #define LDAP_ATTRIBUTE_CN "cn"
28 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
29 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
30 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
31 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
32 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
33 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
34 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
35 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
36 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
37
38 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
39 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
40 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
41
42 struct ipasam_privates {
43 NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
44 struct samu *sampass);
45 NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
46 struct samu *sampass);
47 };
48
49 static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
50 const char *domain,
51 char** pwd,
52 struct dom_sid *sid,
53 time_t *pass_last_set_time)
54 {
55 return false;
56 }
57
58 static bool ipasam_set_trusteddom_pw(struct pdb_methods *methods,
59 const char* domain,
60 const char* pwd,
61 const struct dom_sid *sid)
62 {
63 return false;
64 }
65
66 static bool ipasam_del_trusteddom_pw(struct pdb_methods *methods,
67 const char *domain)
68 {
69 return false;
70 }
71
72 static char *get_account_dn(const char *name)
73 {
74 char *escape_name;
75 char *dn;
76
77 escape_name = escape_rdn_val_string_alloc(name);
78 if (!escape_name) {
79 return NULL;
80 }
81
82 if (name[strlen(name)-1] == '$') {
83 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
84 lp_ldap_machine_suffix());
85 } else {
86 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
87 lp_ldap_user_suffix());
88 }
89
90 SAFE_FREE(escape_name);
91
92 return dn;
93 }
94
95 static char *trusted_domain_dn(struct ldapsam_privates *ldap_state,
96 const char *domain)
97 {
98 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
99 LDAP_ATTRIBUTE_CN, domain,
100 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
101 }
102
103 static char *trusted_domain_base_dn(struct ldapsam_privates *ldap_state)
104 {
105 return talloc_asprintf(talloc_tos(), "%s,%s",
106 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
107 }
108
109 static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state,
110 TALLOC_CTX *mem_ctx,
111 const char *filter, LDAPMessage **entry)
112 {
113 int rc;
114 char *base_dn = NULL;
115 LDAPMessage *result = NULL;
116 uint32_t num_result;
117
118 base_dn = trusted_domain_base_dn(ldap_state);
119 if (base_dn == NULL) {
120 return false;
121 }
122
123 rc = smbldap_search(ldap_state->smbldap_state, base_dn,
124 LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result);
125 TALLOC_FREE(base_dn);
126
127 if (result != NULL) {
128 talloc_autofree_ldapmsg(mem_ctx, result);
129 }
130
131 if (rc == LDAP_NO_SUCH_OBJECT) {
132 *entry = NULL;
133 return true;
134 }
135
136 if (rc != LDAP_SUCCESS) {
137 return false;
138 }
139
140 num_result = ldap_count_entries(priv2ld(ldap_state), result);
141
142 if (num_result > 1) {
143 DEBUG(1, ("get_trusted_domain_int: more than one "
144 "%s object with filter '%s'?!\n",
145 LDAP_OBJ_TRUSTED_DOMAIN, filter));
146 return false;
147 }
148
149 if (num_result == 0) {
150 DEBUG(1, ("get_trusted_domain_int: no "
151 "%s object with filter '%s'.\n",
152 LDAP_OBJ_TRUSTED_DOMAIN, filter));
153 *entry = NULL;
154 } else {
155 *entry = ldap_first_entry(priv2ld(ldap_state), result);
156 }
157
158 return true;
159 }
160
161 static bool get_trusted_domain_by_name_int(struct ldapsam_privates *ldap_state,
162 TALLOC_CTX *mem_ctx,
163 const char *domain,
164 LDAPMessage **entry)
165 {
166 char *filter = NULL;
167
168 filter = talloc_asprintf(talloc_tos(),
169 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
170 LDAP_OBJ_TRUSTED_DOMAIN,
171 LDAP_ATTRIBUTE_FLAT_NAME, domain,
172 LDAP_ATTRIBUTE_TRUST_PARTNER, domain, domain);
173 if (filter == NULL) {
174 return false;
175 }
176
177 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
178 }
179
180 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates *ldap_state,
181 TALLOC_CTX *mem_ctx,
182 const char *sid, LDAPMessage **entry)
183 {
184 char *filter = NULL;
185
186 filter = talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
187 LDAP_OBJ_TRUSTED_DOMAIN,
188 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER, sid);
189 if (filter == NULL) {
190 return false;
191 }
192
193 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
194 }
195
196 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state,
197 LDAPMessage *entry,
198 const char *attr,
199 uint32_t *val)
200 {
201 char *dummy;
202 long int l;
203 char *endptr;
204
205 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
206 attr, talloc_tos());
207 if (dummy == NULL) {
208 DEBUG(9, ("Attribute %s not present.\n", attr));
209 *val = 0;
210 return true;
211 }
212
213 l = strtoul(dummy, &endptr, 10);
214 TALLOC_FREE(dummy);
215
216 if (l < 0 || l > UINT32_MAX || *endptr != '\0') {
217 return false;
218 }
219
220 *val = l;
221
222 return true;
223 }
224
225 static void get_data_blob_from_ldap_msg(TALLOC_CTX *mem_ctx,
226 struct ldapsam_privates *ldap_state,
227 LDAPMessage *entry, const char *attr,
228 DATA_BLOB *_blob)
229 {
230 char *dummy;
231 DATA_BLOB blob;
232
233 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, attr,
234 talloc_tos());
235 if (dummy == NULL) {
236 DEBUG(9, ("Attribute %s not present.\n", attr));
237 ZERO_STRUCTP(_blob);
238 } else {
239 blob = base64_decode_data_blob(dummy);
240 if (blob.length == 0) {
241 ZERO_STRUCTP(_blob);
242 } else {
243 _blob->length = blob.length;
244 _blob->data = talloc_steal(mem_ctx, blob.data);
245 }
246 }
247 TALLOC_FREE(dummy);
248 }
249
250 static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
251 struct ldapsam_privates *ldap_state,
252 LDAPMessage *entry,
253 struct pdb_trusted_domain **_td)
254 {
255 char *dummy;
256 bool res;
257 struct pdb_trusted_domain *td;
258
259 if (entry == NULL) {
260 return false;
261 }
262
263 td = talloc_zero(mem_ctx, struct pdb_trusted_domain);
264 if (td == NULL) {
265 return false;
266 }
267
268 /* All attributes are MAY */
269
270 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
271 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
272 talloc_tos());
273 if (dummy == NULL) {
274 DEBUG(9, ("Attribute %s not present.\n",
275 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER));
276 ZERO_STRUCT(td->security_identifier);
277 } else {
278 res = string_to_sid(&td->security_identifier, dummy);
279 TALLOC_FREE(dummy);
280 if (!res) {
281 return false;
282 }
283 }
284
285 get_data_blob_from_ldap_msg(td, ldap_state, entry,
286 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
287 &td->trust_auth_incoming);
288
289 get_data_blob_from_ldap_msg(td, ldap_state, entry,
290 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
291 &td->trust_auth_outgoing);
292
293 td->netbios_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
294 entry,
295 LDAP_ATTRIBUTE_FLAT_NAME,
296 td);
297 if (td->netbios_name == NULL) {
298 DEBUG(9, ("Attribute %s not present.\n",
299 LDAP_ATTRIBUTE_FLAT_NAME));
300 }
301
302 td->domain_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
303 entry,
304 LDAP_ATTRIBUTE_TRUST_PARTNER,
305 td);
306 if (td->domain_name == NULL) {
307 DEBUG(9, ("Attribute %s not present.\n",
308 LDAP_ATTRIBUTE_TRUST_PARTNER));
309 }
310
311 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
312 LDAP_ATTRIBUTE_TRUST_DIRECTION,
313 &td->trust_direction);
314 if (!res) {
315 return false;
316 }
317
318 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
319 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
320 &td->trust_attributes);
321 if (!res) {
322 return false;
323 }
324
325 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
326 LDAP_ATTRIBUTE_TRUST_TYPE,
327 &td->trust_type);
328 if (!res) {
329 return false;
330 }
331
332 get_data_blob_from_ldap_msg(td, ldap_state, entry,
333 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
334 &td->trust_forest_trust_info);
335
336 *_td = td;
337
338 return true;
339 }
340
341 static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
342 TALLOC_CTX *mem_ctx,
343 const char *domain,
344 struct pdb_trusted_domain **td)
345 {
346 struct ldapsam_privates *ldap_state =
347 (struct ldapsam_privates *)methods->private_data;
348 LDAPMessage *entry = NULL;
349
350 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain));
351
352 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
353 &entry)) {
354 return NT_STATUS_UNSUCCESSFUL;
355 }
356 if (entry == NULL) {
357 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
358 "%s\n", domain));
359 return NT_STATUS_NO_SUCH_DOMAIN;
360 }
361
362 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
363 return NT_STATUS_UNSUCCESSFUL;
364 }
365
366 return NT_STATUS_OK;
367 }
368
369 static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
370 TALLOC_CTX *mem_ctx,
371 struct dom_sid *sid,
372 struct pdb_trusted_domain **td)
373 {
374 struct ldapsam_privates *ldap_state =
375 (struct ldapsam_privates *)methods->private_data;
376 LDAPMessage *entry = NULL;
377 char *sid_str;
378
379 sid_str = sid_string_tos(sid);
380
381 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
382 sid_str));
383
384 if (!get_trusted_domain_by_sid_int(ldap_state, talloc_tos(), sid_str,
385 &entry)) {
386 return NT_STATUS_UNSUCCESSFUL;
387 }
388 if (entry == NULL) {
389 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
390 "with sid: %s\n", sid_str));
391 return NT_STATUS_NO_SUCH_DOMAIN;
392 }
393
394 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
395 return NT_STATUS_UNSUCCESSFUL;
396 }
397
398 return NT_STATUS_OK;
399 }
400
401 static bool smbldap_make_mod_uint32_t(LDAP *ldap_struct, LDAPMessage *entry,
402 LDAPMod ***mods, const char *attribute,
403 const uint32_t val)
404 {
405 char *dummy;
406
407 dummy = talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val);
408 if (dummy == NULL) {
409 return false;
410 }
411 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
412 TALLOC_FREE(dummy);
413
414 return true;
415 }
416
417 static bool smbldap_make_mod_blob(LDAP *ldap_struct, LDAPMessage *entry,
418 LDAPMod ***mods, const char *attribute,
419 DATA_BLOB blob)
420 {
421 char *dummy;
422
423 dummy = base64_encode_data_blob(talloc_tos(), blob);
424 if (dummy == NULL) {
425 return false;
426 }
427
428 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
429 TALLOC_FREE(dummy);
430
431 return true;
432 }
433
434 static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
435 const char* domain,
436 const struct pdb_trusted_domain *td)
437 {
438 struct ldapsam_privates *ldap_state =
439 (struct ldapsam_privates *)methods->private_data;
440 LDAPMessage *entry = NULL;
441 LDAPMod **mods;
442 bool res;
443 char *trusted_dn = NULL;
444 int ret;
445
446 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
447
448 res = get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
449 &entry);
450 if (!res) {
451 return NT_STATUS_UNSUCCESSFUL;
452 }
453
454 mods = NULL;
455 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
456 LDAP_OBJ_TRUSTED_DOMAIN);
457
458 if (td->netbios_name != NULL) {
459 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
460 LDAP_ATTRIBUTE_FLAT_NAME,
461 td->netbios_name);
462 }
463
464 if (td->domain_name != NULL) {
465 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
466 LDAP_ATTRIBUTE_TRUST_PARTNER,
467 td->domain_name);
468 }
469
470 if (!is_null_sid(&td->security_identifier)) {
471 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
472 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
473 sid_string_tos(&td->security_identifier));
474 }
475
476 if (td->trust_type != 0) {
477 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
478 &mods, LDAP_ATTRIBUTE_TRUST_TYPE,
479 td->trust_type);
480 if (!res) {
481 return NT_STATUS_UNSUCCESSFUL;
482 }
483 }
484
485 if (td->trust_attributes != 0) {
486 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
487 &mods,
488 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
489 td->trust_attributes);
490 if (!res) {
491 return NT_STATUS_UNSUCCESSFUL;
492 }
493 }
494
495 if (td->trust_direction != 0) {
496 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
497 &mods,
498 LDAP_ATTRIBUTE_TRUST_DIRECTION,
499 td->trust_direction);
500 if (!res) {
501 return NT_STATUS_UNSUCCESSFUL;
502 }
503 }
504
505 if (td->trust_auth_outgoing.data != NULL) {
506 res = smbldap_make_mod_blob(priv2ld(ldap_state), entry,
507 &mods,
508 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
509 td->trust_auth_outgoing);
510 if (!res) {
511 return NT_STATUS_UNSUCCESSFUL;
512 }
513 }
514
515 if (td->trust_auth_incoming.data != NULL) {
516 res = smbldap_make_mod_blob(priv2ld(ldap_state), entry,
517 &mods,
518 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
519 td->trust_auth_incoming);
520 if (!res) {
521 return NT_STATUS_UNSUCCESSFUL;
522 }
523 }
524
525 if (td->trust_forest_trust_info.data != NULL) {
526 res = smbldap_make_mod_blob(priv2ld(ldap_state), entry,
527 &mods,
528 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
529 td->trust_forest_trust_info);
530 if (!res) {
531 return NT_STATUS_UNSUCCESSFUL;
532 }
533 }
534
535 talloc_autofree_ldapmod(talloc_tos(), mods);
536
537 trusted_dn = trusted_domain_dn(ldap_state, domain);
538 if (trusted_dn == NULL) {
539 return NT_STATUS_NO_MEMORY;
540 }
541 if (entry == NULL) {
542 ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
543 } else {
544 ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
545 }
546
547 if (ret != LDAP_SUCCESS) {
548 DEBUG(1, ("error writing trusted domain data!\n"));
549 return NT_STATUS_UNSUCCESSFUL;
550 }
551 return NT_STATUS_OK;
552 }
553
554 static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
555 const char *domain)
556 {
557 int ret;
558 struct ldapsam_privates *ldap_state =
559 (struct ldapsam_privates *)methods->private_data;
560 LDAPMessage *entry = NULL;
561 const char *dn;
562
563 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
564 &entry)) {
565 return NT_STATUS_UNSUCCESSFUL;
566 }
567
568 if (entry == NULL) {
569 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
570 "%s\n", domain));
571 return NT_STATUS_NO_SUCH_DOMAIN;
572 }
573
574 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
575 if (dn == NULL) {
576 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
577 return NT_STATUS_NO_MEMORY;
578 }
579
580 ret = smbldap_delete(ldap_state->smbldap_state, dn);
581 if (ret != LDAP_SUCCESS) {
582 return NT_STATUS_UNSUCCESSFUL;
583 }
584
585 return NT_STATUS_OK;
586 }
587
588 static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods,
589 TALLOC_CTX *mem_ctx,
590 uint32_t *num_domains,
591 struct pdb_trusted_domain ***domains)
592 {
593 int rc;
594 struct ldapsam_privates *ldap_state =
595 (struct ldapsam_privates *)methods->private_data;
596 char *base_dn = NULL;
597 char *filter = NULL;
598 int scope = LDAP_SCOPE_SUBTREE;
599 LDAPMessage *result = NULL;
600 LDAPMessage *entry = NULL;
601
602 filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
603 LDAP_OBJ_TRUSTED_DOMAIN);
604 if (filter == NULL) {
605 return NT_STATUS_NO_MEMORY;
606 }
607
608 base_dn = trusted_domain_base_dn(ldap_state);
609 if (base_dn == NULL) {
610 TALLOC_FREE(filter);
611 return NT_STATUS_NO_MEMORY;
612 }
613
614 rc = smbldap_search(ldap_state->smbldap_state, base_dn, scope, filter,
615 NULL, 0, &result);
616 TALLOC_FREE(filter);
617 TALLOC_FREE(base_dn);
618
619 if (result != NULL) {
620 talloc_autofree_ldapmsg(mem_ctx, result);
621 }
622
623 if (rc == LDAP_NO_SUCH_OBJECT) {
624 *num_domains = 0;
625 *domains = NULL;
626 return NT_STATUS_OK;
627 }
628
629 if (rc != LDAP_SUCCESS) {
630 return NT_STATUS_UNSUCCESSFUL;
631 }
632
633 *num_domains = 0;
634 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct pdb_trusted_domain *, 1))) {
635 DEBUG(1, ("talloc failed\n"));
636 return NT_STATUS_NO_MEMORY;
637 }
638
639 for (entry = ldap_first_entry(priv2ld(ldap_state), result);
640 entry != NULL;
641 entry = ldap_next_entry(priv2ld(ldap_state), entry))
642 {
643 struct pdb_trusted_domain *dom_info;
644
645 if (!fill_pdb_trusted_domain(*domains, ldap_state, entry,
646 &dom_info)) {
647 return NT_STATUS_UNSUCCESSFUL;
648 }
649
650 ADD_TO_ARRAY(*domains, struct pdb_trusted_domain *, dom_info,
651 domains, num_domains);
652
653 if (*domains == NULL) {
654 DEBUG(1, ("talloc failed\n"));
655 return NT_STATUS_NO_MEMORY;
656 }
657 }
658
659 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains));
660 return NT_STATUS_OK;
661 }
662
663 static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
664 TALLOC_CTX *mem_ctx,
665 uint32_t *num_domains,
666 struct trustdom_info ***domains)
667 {
668 NTSTATUS status;
669 struct pdb_trusted_domain **td;
670 int i;
671
672 status = ipasam_enum_trusted_domains(methods, talloc_tos(),
673 num_domains, &td);
674 if (!NT_STATUS_IS_OK(status)) {
675 return status;
676 }
677
678 if (*num_domains == 0) {
679 return NT_STATUS_OK;
680 }
681
682 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct trustdom_info *,
683 *num_domains))) {
684 DEBUG(1, ("talloc failed\n"));
685 return NT_STATUS_NO_MEMORY;
686 }
687
688 for (i = 0; i < *num_domains; i++) {
689 struct trustdom_info *dom_info;
690
691 dom_info = TALLOC_P(*domains, struct trustdom_info);
692 if (dom_info == NULL) {
693 DEBUG(1, ("talloc failed\n"));
694 return NT_STATUS_NO_MEMORY;
695 }
696
697 dom_info->name = talloc_steal(mem_ctx, td[i]->netbios_name);
698 sid_copy(&dom_info->sid, &td[i]->security_identifier);
699
700 (*domains)[i] = dom_info;
701 }
702
703 return NT_STATUS_OK;
704 }
705
706 static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
707 {
708 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS;
709 }
710
711 static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pdb_methods,
712 TALLOC_CTX *mem_ctx)
713 {
714 struct pdb_domain_info *info;
715 NTSTATUS status;
716 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)pdb_methods->private_data;
717
718 info = talloc(mem_ctx, struct pdb_domain_info);
719 if (info == NULL) {
720 return NULL;
721 }
722
723 info->name = talloc_strdup(info, ldap_state->domain_name);
724 if (info->name == NULL) {
725 goto fail;
726 }
727
728 /* TODO: read dns_domain, dns_forest and guid from LDAP */
729 info->dns_domain = talloc_strdup(info, lp_realm());
730 if (info->dns_domain == NULL) {
731 goto fail;
732 }
733 strlower_m(info->dns_domain);
734 info->dns_forest = talloc_strdup(info, info->dns_domain);
735
736 sid_copy(&info->sid, &ldap_state->domain_sid);
737
738 status = GUID_from_string("testguid", &info->guid);
739
740 return info;
741
742 fail:
743 TALLOC_FREE(info);
744 return NULL;
745 }
746
747 static NTSTATUS modify_ipa_password_exop(struct ldapsam_privates *ldap_state,
748 struct samu *sampass)
749 {
750 int ret;
751 BerElement *ber = NULL;
752 struct berval *bv = NULL;
753 char *retoid = NULL;
754 struct berval *retdata = NULL;
755 const char *password;
756 char *dn;
757
758 password = pdb_get_plaintext_passwd(sampass);
759 if (password == NULL || *password == '\0') {
760 return NT_STATUS_INVALID_PARAMETER;
761 }
762
763 dn = get_account_dn(pdb_get_username(sampass));
764 if (dn == NULL) {
765 return NT_STATUS_INVALID_PARAMETER;
766 }
767
768 ber = ber_alloc_t( LBER_USE_DER );
769 if (ber == NULL) {
770 DEBUG(7, ("ber_alloc_t failed.\n"));
771 return NT_STATUS_NO_MEMORY;
772 }
773
774 ret = ber_printf(ber, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, dn,
775 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, password);
776 if (ret == -1) {
777 DEBUG(7, ("ber_printf failed.\n"));
778 ber_free(ber, 1);
779 return NT_STATUS_UNSUCCESSFUL;
780 }
781
782 ret = ber_flatten(ber, &bv);
783 ber_free(ber, 1);
784 if (ret == -1) {
785 DEBUG(1, ("ber_flatten failed.\n"));
786 return NT_STATUS_UNSUCCESSFUL;
787 }
788
789 ret = smbldap_extended_operation(ldap_state->smbldap_state,
790 LDAP_EXOP_MODIFY_PASSWD, bv, NULL,
791 NULL, &retoid, &retdata);
792 ber_bvfree(bv);
793 if (retdata) {
794 ber_bvfree(retdata);
795 }
796 if (retoid) {
797 ldap_memfree(retoid);
798 }
799 if (ret != LDAP_SUCCESS) {
800 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
801 return NT_STATUS_UNSUCCESSFUL;
802 }
803
804 return NT_STATUS_OK;
805 }
806
807 static NTSTATUS ipasam_add_objectclasses(struct ldapsam_privates *ldap_state,
808 struct samu *sampass)
809 {
810 char *dn;
811 LDAPMod **mods = NULL;
812 NTSTATUS status;
813 int ret;
814 char *princ;
815 const char *domain;
816 char *domain_with_dot;
817
818 dn = get_account_dn(pdb_get_username(sampass));
819 if (dn == NULL) {
820 return NT_STATUS_INVALID_PARAMETER;
821 }
822
823 princ = talloc_asprintf(talloc_tos(), "%s@%s", pdb_get_username(sampass), lp_realm());
824 if (princ == NULL) {
825 return NT_STATUS_NO_MEMORY;
826 }
827
828 domain = pdb_get_domain(sampass);
829 if (domain == NULL) {
830 return NT_STATUS_INVALID_PARAMETER;
831 }
832
833 domain_with_dot = talloc_asprintf(talloc_tos(), "%s.", domain);
834 if (domain_with_dot == NULL) {
835 return NT_STATUS_NO_MEMORY;
836 }
837
838 smbldap_set_mod(&mods, LDAP_MOD_ADD,
839 "objectclass", LDAP_OBJ_KRB_PRINCIPAL);
840 smbldap_set_mod(&mods, LDAP_MOD_ADD,
841 LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
842 smbldap_set_mod(&mods, LDAP_MOD_ADD,
843 "objectclass", LDAP_OBJ_KRB_PRINCIPAL_AUX);
844 smbldap_set_mod(&mods, LDAP_MOD_ADD,
845 "objectclass", "ipaHost");
846 smbldap_set_mod(&mods, LDAP_MOD_ADD,
847 "fqdn", domain);
848 smbldap_set_mod(&mods, LDAP_MOD_ADD,
849 "objectclass", "posixAccount");
850 smbldap_set_mod(&mods, LDAP_MOD_ADD,
851 "cn", pdb_get_username(sampass));
852 smbldap_set_mod(&mods, LDAP_MOD_ADD,
853 "gidNumber", "12345");
854 smbldap_set_mod(&mods, LDAP_MOD_ADD,
855 "homeDirectory", "/dev/null");
856 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", domain);
857 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", domain_with_dot);
858
859 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
860 ldap_mods_free(mods, true);
861 if (ret != LDAP_SUCCESS) {
862 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
863 pdb_get_username(sampass),dn));
864 return status;
865 }
866
867 return NT_STATUS_OK;
868 }
869
870 static NTSTATUS pdb_ipasam_add_sam_account(struct pdb_methods *pdb_methods,
871 struct samu *sampass)
872 {
873 NTSTATUS status;
874 struct ldapsam_privates *ldap_state;
875
876 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
877
878 status =ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
879 sampass);
880 if (!NT_STATUS_IS_OK(status)) {
881 return status;
882 }
883
884 status = ipasam_add_objectclasses(ldap_state, sampass);
885 if (!NT_STATUS_IS_OK(status)) {
886 return status;
887 }
888
889 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
890 status = modify_ipa_password_exop(ldap_state, sampass);
891 if (!NT_STATUS_IS_OK(status)) {
892 return status;
893 }
894 }
895
896 return NT_STATUS_OK;
897 }
898
899 static NTSTATUS pdb_ipasam_update_sam_account(struct pdb_methods *pdb_methods,
900 struct samu *sampass)
901 {
902 NTSTATUS status;
903 struct ldapsam_privates *ldap_state;
904 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
905
906 status = ldap_state->ipasam_privates->ldapsam_update_sam_account(pdb_methods,
907 sampass);
908 if (!NT_STATUS_IS_OK(status)) {
909 return status;
910 }
911
912 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
913 status = modify_ipa_password_exop(ldap_state, sampass);
914 if (!NT_STATUS_IS_OK(status)) {
915 return status;
916 }
917 }
918
919 return NT_STATUS_OK;
920 }
921
922 static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location)
923 {
924 struct ldapsam_privates *ldap_state;
925 NTSTATUS status;
926
927 status = pdb_init_ldapsam(pdb_method, location);
928 if (!NT_STATUS_IS_OK(status)) {
929 return status;
930 }
931
932 (*pdb_method)->name = "IPA_ldapsam";
933
934 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
935 ldap_state->ipasam_privates = talloc_zero(ldap_state,
936 struct ipasam_privates);
937 if (ldap_state->ipasam_privates == NULL) {
938 return NT_STATUS_NO_MEMORY;
939 }
940 ldap_state->is_ipa_ldap = true;
941 ldap_state->ipasam_privates->ldapsam_add_sam_account = (*pdb_method)->add_sam_account;
942 ldap_state->ipasam_privates->ldapsam_update_sam_account = (*pdb_method)->update_sam_account;
943
944 (*pdb_method)->add_sam_account = pdb_ipasam_add_sam_account;
945 (*pdb_method)->update_sam_account = pdb_ipasam_update_sam_account;
946
947 (*pdb_method)->capabilities = pdb_ipasam_capabilities;
948 (*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
949
950 (*pdb_method)->get_trusteddom_pw = ipasam_get_trusteddom_pw;
951 (*pdb_method)->set_trusteddom_pw = ipasam_set_trusteddom_pw;
952 (*pdb_method)->del_trusteddom_pw = ipasam_del_trusteddom_pw;
953 (*pdb_method)->enum_trusteddoms = ipasam_enum_trusteddoms;
954
955 (*pdb_method)->get_trusted_domain = ipasam_get_trusted_domain;
956 (*pdb_method)->get_trusted_domain_by_sid = ipasam_get_trusted_domain_by_sid;
957 (*pdb_method)->set_trusted_domain = ipasam_set_trusted_domain;
958 (*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain;
959 (*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains;
960
961 return NT_STATUS_OK;
962 }
963
964 NTSTATUS pdb_ipa_init(void)
965 {
966 NTSTATUS nt_status;
967
968 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "IPA_ldapsam", pdb_init_IPA_ldapsam)))
969 return nt_status;
970
971 return NT_STATUS_OK;
972 }
WIP