search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-pdb_ipa: Add posix offset to struct pdb_trusted_domain
[Samba/gebeck_regimport.git] / source3 / passdb / pdb_ipa.c
blob65164e5865705507137fc09797b9211b0979dcec
1 /*
2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18
19 */
20
21 #include "includes.h"
22 #include "passdb.h"
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/samr.h"
26 #include "secrets.h"
27
28 #include "smbldap.h"
29
30 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
31 #define IPA_MAGIC_ID_STR "999"
32
33 #define LDAP_TRUST_CONTAINER "ou=system"
34 #define LDAP_ATTRIBUTE_CN "cn"
35 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
36 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
37 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
38 #define LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET "sambaTrustPosixOffset"
39 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
40 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
41 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
42 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
43 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
44 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
45 #define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
46
47 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
48 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
49 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
50
51 #define LDAP_OBJ_IPAOBJECT "ipaObject"
52 #define LDAP_OBJ_IPAHOST "ipaHost"
53 #define LDAP_OBJ_POSIXACCOUNT "posixAccount"
54
55 #define LDAP_OBJ_GROUPOFNAMES "groupOfNames"
56 #define LDAP_OBJ_NESTEDGROUP "nestedGroup"
57 #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
58 #define LDAP_OBJ_POSIXGROUP "posixGroup"
59
60 #define HAS_KRB_PRINCIPAL (1<<0)
61 #define HAS_KRB_PRINCIPAL_AUX (1<<1)
62 #define HAS_IPAOBJECT (1<<2)
63 #define HAS_IPAHOST (1<<3)
64 #define HAS_POSIXACCOUNT (1<<4)
65 #define HAS_GROUPOFNAMES (1<<5)
66 #define HAS_NESTEDGROUP (1<<6)
67 #define HAS_IPAUSERGROUP (1<<7)
68 #define HAS_POSIXGROUP (1<<8)
69
70 struct ipasam_privates {
71 bool server_is_ipa;
72 NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
73 struct samu *sampass);
74 NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
75 struct samu *sampass);
76 NTSTATUS (*ldapsam_create_user)(struct pdb_methods *my_methods,
77 TALLOC_CTX *tmp_ctx, const char *name,
78 uint32_t acb_info, uint32_t *rid);
79 NTSTATUS (*ldapsam_create_dom_group)(struct pdb_methods *my_methods,
80 TALLOC_CTX *tmp_ctx,
81 const char *name,
82 uint32_t *rid);
83 };
84
85 static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
86 const char *domain,
87 char** pwd,
88 struct dom_sid *sid,
89 time_t *pass_last_set_time)
90 {
91 return false;
92 }
93
94 static bool ipasam_set_trusteddom_pw(struct pdb_methods *methods,
95 const char* domain,
96 const char* pwd,
97 const struct dom_sid *sid)
98 {
99 return false;
100 }
101
102 static bool ipasam_del_trusteddom_pw(struct pdb_methods *methods,
103 const char *domain)
104 {
105 return false;
106 }
107
108 static char *get_account_dn(const char *name)
109 {
110 char *escape_name;
111 char *dn;
112
113 escape_name = escape_rdn_val_string_alloc(name);
114 if (!escape_name) {
115 return NULL;
116 }
117
118 if (name[strlen(name)-1] == '$') {
119 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
120 lp_ldap_machine_suffix());
121 } else {
122 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
123 lp_ldap_user_suffix());
124 }
125
126 SAFE_FREE(escape_name);
127
128 return dn;
129 }
130
131 static char *trusted_domain_dn(struct ldapsam_privates *ldap_state,
132 const char *domain)
133 {
134 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
135 LDAP_ATTRIBUTE_CN, domain,
136 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
137 }
138
139 static char *trusted_domain_base_dn(struct ldapsam_privates *ldap_state)
140 {
141 return talloc_asprintf(talloc_tos(), "%s,%s",
142 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
143 }
144
145 static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state,
146 TALLOC_CTX *mem_ctx,
147 const char *filter, LDAPMessage **entry)
148 {
149 int rc;
150 char *base_dn = NULL;
151 LDAPMessage *result = NULL;
152 uint32_t num_result;
153
154 base_dn = trusted_domain_base_dn(ldap_state);
155 if (base_dn == NULL) {
156 return false;
157 }
158
159 rc = smbldap_search(ldap_state->smbldap_state, base_dn,
160 LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result);
161 TALLOC_FREE(base_dn);
162
163 if (result != NULL) {
164 talloc_autofree_ldapmsg(mem_ctx, result);
165 }
166
167 if (rc == LDAP_NO_SUCH_OBJECT) {
168 *entry = NULL;
169 return true;
170 }
171
172 if (rc != LDAP_SUCCESS) {
173 return false;
174 }
175
176 num_result = ldap_count_entries(priv2ld(ldap_state), result);
177
178 if (num_result > 1) {
179 DEBUG(1, ("get_trusted_domain_int: more than one "
180 "%s object with filter '%s'?!\n",
181 LDAP_OBJ_TRUSTED_DOMAIN, filter));
182 return false;
183 }
184
185 if (num_result == 0) {
186 DEBUG(1, ("get_trusted_domain_int: no "
187 "%s object with filter '%s'.\n",
188 LDAP_OBJ_TRUSTED_DOMAIN, filter));
189 *entry = NULL;
190 } else {
191 *entry = ldap_first_entry(priv2ld(ldap_state), result);
192 }
193
194 return true;
195 }
196
197 static bool get_trusted_domain_by_name_int(struct ldapsam_privates *ldap_state,
198 TALLOC_CTX *mem_ctx,
199 const char *domain,
200 LDAPMessage **entry)
201 {
202 char *filter = NULL;
203
204 filter = talloc_asprintf(talloc_tos(),
205 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
206 LDAP_OBJ_TRUSTED_DOMAIN,
207 LDAP_ATTRIBUTE_FLAT_NAME, domain,
208 LDAP_ATTRIBUTE_TRUST_PARTNER, domain, domain);
209 if (filter == NULL) {
210 return false;
211 }
212
213 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
214 }
215
216 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates *ldap_state,
217 TALLOC_CTX *mem_ctx,
218 const char *sid, LDAPMessage **entry)
219 {
220 char *filter = NULL;
221
222 filter = talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
223 LDAP_OBJ_TRUSTED_DOMAIN,
224 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER, sid);
225 if (filter == NULL) {
226 return false;
227 }
228
229 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
230 }
231
232 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state,
233 LDAPMessage *entry,
234 const char *attr,
235 uint32_t *val)
236 {
237 char *dummy;
238 long int l;
239 char *endptr;
240
241 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
242 attr, talloc_tos());
243 if (dummy == NULL) {
244 DEBUG(9, ("Attribute %s not present.\n", attr));
245 *val = 0;
246 return true;
247 }
248
249 l = strtoul(dummy, &endptr, 10);
250 TALLOC_FREE(dummy);
251
252 if (l < 0 || l > UINT32_MAX || *endptr != '\0') {
253 return false;
254 }
255
256 *val = l;
257
258 return true;
259 }
260
261 static void get_data_blob_from_ldap_msg(TALLOC_CTX *mem_ctx,
262 struct ldapsam_privates *ldap_state,
263 LDAPMessage *entry, const char *attr,
264 DATA_BLOB *_blob)
265 {
266 char *dummy;
267 DATA_BLOB blob;
268
269 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, attr,
270 talloc_tos());
271 if (dummy == NULL) {
272 DEBUG(9, ("Attribute %s not present.\n", attr));
273 ZERO_STRUCTP(_blob);
274 } else {
275 blob = base64_decode_data_blob(dummy);
276 if (blob.length == 0) {
277 ZERO_STRUCTP(_blob);
278 } else {
279 _blob->length = blob.length;
280 _blob->data = talloc_steal(mem_ctx, blob.data);
281 }
282 }
283 TALLOC_FREE(dummy);
284 }
285
286 static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
287 struct ldapsam_privates *ldap_state,
288 LDAPMessage *entry,
289 struct pdb_trusted_domain **_td)
290 {
291 char *dummy;
292 bool res;
293 struct pdb_trusted_domain *td;
294
295 if (entry == NULL) {
296 return false;
297 }
298
299 td = talloc_zero(mem_ctx, struct pdb_trusted_domain);
300 if (td == NULL) {
301 return false;
302 }
303
304 /* All attributes are MAY */
305
306 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
307 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
308 talloc_tos());
309 if (dummy == NULL) {
310 DEBUG(9, ("Attribute %s not present.\n",
311 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER));
312 ZERO_STRUCT(td->security_identifier);
313 } else {
314 res = string_to_sid(&td->security_identifier, dummy);
315 TALLOC_FREE(dummy);
316 if (!res) {
317 return false;
318 }
319 }
320
321 get_data_blob_from_ldap_msg(td, ldap_state, entry,
322 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
323 &td->trust_auth_incoming);
324
325 get_data_blob_from_ldap_msg(td, ldap_state, entry,
326 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
327 &td->trust_auth_outgoing);
328
329 td->netbios_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
330 entry,
331 LDAP_ATTRIBUTE_FLAT_NAME,
332 td);
333 if (td->netbios_name == NULL) {
334 DEBUG(9, ("Attribute %s not present.\n",
335 LDAP_ATTRIBUTE_FLAT_NAME));
336 }
337
338 td->domain_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
339 entry,
340 LDAP_ATTRIBUTE_TRUST_PARTNER,
341 td);
342 if (td->domain_name == NULL) {
343 DEBUG(9, ("Attribute %s not present.\n",
344 LDAP_ATTRIBUTE_TRUST_PARTNER));
345 }
346
347 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
348 LDAP_ATTRIBUTE_TRUST_DIRECTION,
349 &td->trust_direction);
350 if (!res) {
351 return false;
352 }
353
354 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
355 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
356 &td->trust_attributes);
357 if (!res) {
358 return false;
359 }
360
361 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
362 LDAP_ATTRIBUTE_TRUST_TYPE,
363 &td->trust_type);
364 if (!res) {
365 return false;
366 }
367
368 td->trust_posix_offset = talloc(td, uint32_t);
369 if (td->trust_posix_offset == NULL) {
370 return false;
371 }
372 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
373 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
374 td->trust_posix_offset);
375 if (!res) {
376 return false;
377 }
378
379 get_data_blob_from_ldap_msg(td, ldap_state, entry,
380 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
381 &td->trust_forest_trust_info);
382
383 *_td = td;
384
385 return true;
386 }
387
388 static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
389 TALLOC_CTX *mem_ctx,
390 const char *domain,
391 struct pdb_trusted_domain **td)
392 {
393 struct ldapsam_privates *ldap_state =
394 (struct ldapsam_privates *)methods->private_data;
395 LDAPMessage *entry = NULL;
396
397 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain));
398
399 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
400 &entry)) {
401 return NT_STATUS_UNSUCCESSFUL;
402 }
403 if (entry == NULL) {
404 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
405 "%s\n", domain));
406 return NT_STATUS_NO_SUCH_DOMAIN;
407 }
408
409 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
410 return NT_STATUS_UNSUCCESSFUL;
411 }
412
413 return NT_STATUS_OK;
414 }
415
416 static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
417 TALLOC_CTX *mem_ctx,
418 struct dom_sid *sid,
419 struct pdb_trusted_domain **td)
420 {
421 struct ldapsam_privates *ldap_state =
422 (struct ldapsam_privates *)methods->private_data;
423 LDAPMessage *entry = NULL;
424 char *sid_str;
425
426 sid_str = sid_string_tos(sid);
427
428 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
429 sid_str));
430
431 if (!get_trusted_domain_by_sid_int(ldap_state, talloc_tos(), sid_str,
432 &entry)) {
433 return NT_STATUS_UNSUCCESSFUL;
434 }
435 if (entry == NULL) {
436 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
437 "with sid: %s\n", sid_str));
438 return NT_STATUS_NO_SUCH_DOMAIN;
439 }
440
441 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
442 return NT_STATUS_UNSUCCESSFUL;
443 }
444
445 return NT_STATUS_OK;
446 }
447
448 static bool smbldap_make_mod_uint32_t(LDAP *ldap_struct, LDAPMessage *entry,
449 LDAPMod ***mods, const char *attribute,
450 const uint32_t val)
451 {
452 char *dummy;
453
454 dummy = talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val);
455 if (dummy == NULL) {
456 return false;
457 }
458 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
459 TALLOC_FREE(dummy);
460
461 return true;
462 }
463
464 static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
465 const char* domain,
466 const struct pdb_trusted_domain *td)
467 {
468 struct ldapsam_privates *ldap_state =
469 (struct ldapsam_privates *)methods->private_data;
470 LDAPMessage *entry = NULL;
471 LDAPMod **mods;
472 bool res;
473 char *trusted_dn = NULL;
474 int ret;
475
476 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
477
478 res = get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
479 &entry);
480 if (!res) {
481 return NT_STATUS_UNSUCCESSFUL;
482 }
483
484 mods = NULL;
485 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
486 LDAP_OBJ_TRUSTED_DOMAIN);
487
488 if (td->netbios_name != NULL) {
489 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
490 LDAP_ATTRIBUTE_FLAT_NAME,
491 td->netbios_name);
492 }
493
494 if (td->domain_name != NULL) {
495 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
496 LDAP_ATTRIBUTE_TRUST_PARTNER,
497 td->domain_name);
498 }
499
500 if (!is_null_sid(&td->security_identifier)) {
501 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
502 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
503 sid_string_tos(&td->security_identifier));
504 }
505
506 if (td->trust_type != 0) {
507 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
508 &mods, LDAP_ATTRIBUTE_TRUST_TYPE,
509 td->trust_type);
510 if (!res) {
511 return NT_STATUS_UNSUCCESSFUL;
512 }
513 }
514
515 if (td->trust_attributes != 0) {
516 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
517 &mods,
518 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
519 td->trust_attributes);
520 if (!res) {
521 return NT_STATUS_UNSUCCESSFUL;
522 }
523 }
524
525 if (td->trust_direction != 0) {
526 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
527 &mods,
528 LDAP_ATTRIBUTE_TRUST_DIRECTION,
529 td->trust_direction);
530 if (!res) {
531 return NT_STATUS_UNSUCCESSFUL;
532 }
533 }
534
535 if (td->trust_posix_offset != NULL) {
536 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
537 &mods,
538 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
539 *td->trust_posix_offset);
540 if (!res) {
541 return NT_STATUS_UNSUCCESSFUL;
542 }
543 }
544
545 if (td->trust_auth_outgoing.data != NULL) {
546 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
547 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
548 &td->trust_auth_outgoing);
549 }
550
551 if (td->trust_auth_incoming.data != NULL) {
552 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
553 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
554 &td->trust_auth_incoming);
555 }
556
557 if (td->trust_forest_trust_info.data != NULL) {
558 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
559 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
560 &td->trust_forest_trust_info);
561 }
562
563 talloc_autofree_ldapmod(talloc_tos(), mods);
564
565 trusted_dn = trusted_domain_dn(ldap_state, domain);
566 if (trusted_dn == NULL) {
567 return NT_STATUS_NO_MEMORY;
568 }
569 if (entry == NULL) {
570 ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
571 } else {
572 ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
573 }
574
575 if (ret != LDAP_SUCCESS) {
576 DEBUG(1, ("error writing trusted domain data!\n"));
577 return NT_STATUS_UNSUCCESSFUL;
578 }
579 return NT_STATUS_OK;
580 }
581
582 static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
583 const char *domain)
584 {
585 int ret;
586 struct ldapsam_privates *ldap_state =
587 (struct ldapsam_privates *)methods->private_data;
588 LDAPMessage *entry = NULL;
589 const char *dn;
590
591 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
592 &entry)) {
593 return NT_STATUS_UNSUCCESSFUL;
594 }
595
596 if (entry == NULL) {
597 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
598 "%s\n", domain));
599 return NT_STATUS_NO_SUCH_DOMAIN;
600 }
601
602 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
603 if (dn == NULL) {
604 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
605 return NT_STATUS_NO_MEMORY;
606 }
607
608 ret = smbldap_delete(ldap_state->smbldap_state, dn);
609 if (ret != LDAP_SUCCESS) {
610 return NT_STATUS_UNSUCCESSFUL;
611 }
612
613 return NT_STATUS_OK;
614 }
615
616 static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods,
617 TALLOC_CTX *mem_ctx,
618 uint32_t *num_domains,
619 struct pdb_trusted_domain ***domains)
620 {
621 int rc;
622 struct ldapsam_privates *ldap_state =
623 (struct ldapsam_privates *)methods->private_data;
624 char *base_dn = NULL;
625 char *filter = NULL;
626 int scope = LDAP_SCOPE_SUBTREE;
627 LDAPMessage *result = NULL;
628 LDAPMessage *entry = NULL;
629
630 filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
631 LDAP_OBJ_TRUSTED_DOMAIN);
632 if (filter == NULL) {
633 return NT_STATUS_NO_MEMORY;
634 }
635
636 base_dn = trusted_domain_base_dn(ldap_state);
637 if (base_dn == NULL) {
638 TALLOC_FREE(filter);
639 return NT_STATUS_NO_MEMORY;
640 }
641
642 rc = smbldap_search(ldap_state->smbldap_state, base_dn, scope, filter,
643 NULL, 0, &result);
644 TALLOC_FREE(filter);
645 TALLOC_FREE(base_dn);
646
647 if (result != NULL) {
648 talloc_autofree_ldapmsg(mem_ctx, result);
649 }
650
651 if (rc == LDAP_NO_SUCH_OBJECT) {
652 *num_domains = 0;
653 *domains = NULL;
654 return NT_STATUS_OK;
655 }
656
657 if (rc != LDAP_SUCCESS) {
658 return NT_STATUS_UNSUCCESSFUL;
659 }
660
661 *num_domains = 0;
662 if (!(*domains = talloc_array(mem_ctx, struct pdb_trusted_domain *, 1))) {
663 DEBUG(1, ("talloc failed\n"));
664 return NT_STATUS_NO_MEMORY;
665 }
666
667 for (entry = ldap_first_entry(priv2ld(ldap_state), result);
668 entry != NULL;
669 entry = ldap_next_entry(priv2ld(ldap_state), entry))
670 {
671 struct pdb_trusted_domain *dom_info;
672
673 if (!fill_pdb_trusted_domain(*domains, ldap_state, entry,
674 &dom_info)) {
675 return NT_STATUS_UNSUCCESSFUL;
676 }
677
678 ADD_TO_ARRAY(*domains, struct pdb_trusted_domain *, dom_info,
679 domains, num_domains);
680
681 if (*domains == NULL) {
682 DEBUG(1, ("talloc failed\n"));
683 return NT_STATUS_NO_MEMORY;
684 }
685 }
686
687 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains));
688 return NT_STATUS_OK;
689 }
690
691 static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
692 TALLOC_CTX *mem_ctx,
693 uint32_t *num_domains,
694 struct trustdom_info ***domains)
695 {
696 NTSTATUS status;
697 struct pdb_trusted_domain **td;
698 int i;
699
700 status = ipasam_enum_trusted_domains(methods, talloc_tos(),
701 num_domains, &td);
702 if (!NT_STATUS_IS_OK(status)) {
703 return status;
704 }
705
706 if (*num_domains == 0) {
707 return NT_STATUS_OK;
708 }
709
710 if (!(*domains = talloc_array(mem_ctx, struct trustdom_info *,
711 *num_domains))) {
712 DEBUG(1, ("talloc failed\n"));
713 return NT_STATUS_NO_MEMORY;
714 }
715
716 for (i = 0; i < *num_domains; i++) {
717 struct trustdom_info *dom_info;
718
719 dom_info = talloc(*domains, struct trustdom_info);
720 if (dom_info == NULL) {
721 DEBUG(1, ("talloc failed\n"));
722 return NT_STATUS_NO_MEMORY;
723 }
724
725 dom_info->name = talloc_steal(mem_ctx, td[i]->netbios_name);
726 sid_copy(&dom_info->sid, &td[i]->security_identifier);
727
728 (*domains)[i] = dom_info;
729 }
730
731 return NT_STATUS_OK;
732 }
733
734 static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
735 {
736 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
737 }
738
739 static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pdb_methods,
740 TALLOC_CTX *mem_ctx)
741 {
742 struct pdb_domain_info *info;
743 struct ldapsam_privates *ldap_state =
744 (struct ldapsam_privates *)pdb_methods->private_data;
745 char sid_buf[24];
746 DATA_BLOB sid_blob;
747 NTSTATUS status;
748
749 info = talloc(mem_ctx, struct pdb_domain_info);
750 if (info == NULL) {
751 return NULL;
752 }
753
754 info->name = talloc_strdup(info, ldap_state->domain_name);
755 if (info->name == NULL) {
756 goto fail;
757 }
758
759 /* TODO: read dns_domain, dns_forest and guid from LDAP */
760 info->dns_domain = talloc_strdup(info, lp_realm());
761 if (info->dns_domain == NULL) {
762 goto fail;
763 }
764 strlower_m(info->dns_domain);
765 info->dns_forest = talloc_strdup(info, info->dns_domain);
766
767 /* we expect a domain SID to have 4 sub IDs */
768 if (ldap_state->domain_sid.num_auths != 4) {
769 goto fail;
770 }
771
772 sid_copy(&info->sid, &ldap_state->domain_sid);
773
774 if (!sid_linearize(sid_buf, sizeof(sid_buf), &info->sid)) {
775 goto fail;
776 }
777
778 /* the first 8 bytes of the linearized SID are not random,
779 * so we skip them */
780 sid_blob.data = (uint8_t *) sid_buf + 8 ;
781 sid_blob.length = 16;
782
783 status = GUID_from_ndr_blob(&sid_blob, &info->guid);
784 if (!NT_STATUS_IS_OK(status)) {
785 goto fail;
786 }
787
788 return info;
789
790 fail:
791 TALLOC_FREE(info);
792 return NULL;
793 }
794
795 static NTSTATUS modify_ipa_password_exop(struct ldapsam_privates *ldap_state,
796 struct samu *sampass)
797 {
798 int ret;
799 BerElement *ber = NULL;
800 struct berval *bv = NULL;
801 char *retoid = NULL;
802 struct berval *retdata = NULL;
803 const char *password;
804 char *dn;
805
806 password = pdb_get_plaintext_passwd(sampass);
807 if (password == NULL || *password == '\0') {
808 return NT_STATUS_INVALID_PARAMETER;
809 }
810
811 dn = get_account_dn(pdb_get_username(sampass));
812 if (dn == NULL) {
813 return NT_STATUS_INVALID_PARAMETER;
814 }
815
816 ber = ber_alloc_t( LBER_USE_DER );
817 if (ber == NULL) {
818 DEBUG(7, ("ber_alloc_t failed.\n"));
819 return NT_STATUS_NO_MEMORY;
820 }
821
822 ret = ber_printf(ber, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, dn,
823 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, password);
824 if (ret == -1) {
825 DEBUG(7, ("ber_printf failed.\n"));
826 ber_free(ber, 1);
827 return NT_STATUS_UNSUCCESSFUL;
828 }
829
830 ret = ber_flatten(ber, &bv);
831 ber_free(ber, 1);
832 if (ret == -1) {
833 DEBUG(1, ("ber_flatten failed.\n"));
834 return NT_STATUS_UNSUCCESSFUL;
835 }
836
837 ret = smbldap_extended_operation(ldap_state->smbldap_state,
838 LDAP_EXOP_MODIFY_PASSWD, bv, NULL,
839 NULL, &retoid, &retdata);
840 ber_bvfree(bv);
841 if (retdata) {
842 ber_bvfree(retdata);
843 }
844 if (retoid) {
845 ldap_memfree(retoid);
846 }
847 if (ret != LDAP_SUCCESS) {
848 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
849 return NT_STATUS_UNSUCCESSFUL;
850 }
851
852 return NT_STATUS_OK;
853 }
854
855 static NTSTATUS ipasam_get_objectclasses(struct ldapsam_privates *ldap_state,
856 const char *dn, LDAPMessage *entry,
857 uint32_t *has_objectclass)
858 {
859 char **objectclasses;
860 size_t c;
861
862 objectclasses = ldap_get_values(priv2ld(ldap_state), entry,
863 LDAP_ATTRIBUTE_OBJECTCLASS);
864 if (objectclasses == NULL) {
865 DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn));
866 return NT_STATUS_INTERNAL_DB_CORRUPTION;
867 }
868
869 *has_objectclass = 0;
870 for (c = 0; objectclasses[c] != NULL; c++) {
871 if (strequal(objectclasses[c], LDAP_OBJ_KRB_PRINCIPAL)) {
872 *has_objectclass |= HAS_KRB_PRINCIPAL;
873 } else if (strequal(objectclasses[c],
874 LDAP_OBJ_KRB_PRINCIPAL_AUX)) {
875 *has_objectclass |= HAS_KRB_PRINCIPAL_AUX;
876 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAOBJECT)) {
877 *has_objectclass |= HAS_IPAOBJECT;
878 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAHOST)) {
879 *has_objectclass |= HAS_IPAHOST;
880 } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXACCOUNT)) {
881 *has_objectclass |= HAS_POSIXACCOUNT;
882 } else if (strequal(objectclasses[c], LDAP_OBJ_GROUPOFNAMES)) {
883 *has_objectclass |= HAS_GROUPOFNAMES;
884 } else if (strequal(objectclasses[c], LDAP_OBJ_NESTEDGROUP)) {
885 *has_objectclass |= HAS_NESTEDGROUP;
886 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAUSERGROUP)) {
887 *has_objectclass |= HAS_IPAUSERGROUP;
888 } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXGROUP)) {
889 *has_objectclass |= HAS_POSIXGROUP;
890 }
891 }
892 ldap_value_free(objectclasses);
893
894 return NT_STATUS_OK;
895 }
896
897 enum obj_type {
898 IPA_NO_OBJ = 0,
899 IPA_USER_OBJ,
900 IPA_GROUP_OBJ
901 };
902
903 static NTSTATUS find_obj(struct ldapsam_privates *ldap_state, const char *name,
904 enum obj_type type, char **_dn,
905 uint32_t *_has_objectclass)
906 {
907 int ret;
908 char *username;
909 char *filter;
910 LDAPMessage *result = NULL;
911 LDAPMessage *entry = NULL;
912 int num_result;
913 char *dn;
914 uint32_t has_objectclass;
915 NTSTATUS status;
916 const char *obj_class = NULL;
917
918 switch (type) {
919 case IPA_USER_OBJ:
920 obj_class = LDAP_OBJ_POSIXACCOUNT;
921 break;
922 case IPA_GROUP_OBJ:
923 obj_class = LDAP_OBJ_POSIXGROUP;
924 break;
925 default:
926 DEBUG(0, ("Unsupported IPA object.\n"));
927 return NT_STATUS_INVALID_PARAMETER;
928 }
929
930 username = escape_ldap_string(talloc_tos(), name);
931 if (username == NULL) {
932 return NT_STATUS_NO_MEMORY;
933 }
934 filter = talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
935 username, obj_class);
936 if (filter == NULL) {
937 return NT_STATUS_NO_MEMORY;
938 }
939 TALLOC_FREE(username);
940
941 ret = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL,
942 &result);
943 if (ret != LDAP_SUCCESS) {
944 DEBUG(0, ("smbldap_search_suffix failed.\n"));
945 return NT_STATUS_ACCESS_DENIED;
946 }
947
948 num_result = ldap_count_entries(priv2ld(ldap_state), result);
949
950 if (num_result != 1) {
951 if (num_result == 0) {
952 switch (type) {
953 case IPA_USER_OBJ:
954 status = NT_STATUS_NO_SUCH_USER;
955 break;
956 case IPA_GROUP_OBJ:
957 status = NT_STATUS_NO_SUCH_GROUP;
958 break;
959 default:
960 status = NT_STATUS_INVALID_PARAMETER;
961 }
962 } else {
963 DEBUG (0, ("find_user: More than one object with name [%s] ?!\n",
964 name));
965 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
966 }
967 goto done;
968 }
969
970 entry = ldap_first_entry(priv2ld(ldap_state), result);
971 if (!entry) {
972 DEBUG(0,("find_user: Out of memory!\n"));
973 status = NT_STATUS_UNSUCCESSFUL;
974 goto done;
975 }
976
977 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
978 if (!dn) {
979 DEBUG(0,("find_user: Out of memory!\n"));
980 status = NT_STATUS_NO_MEMORY;
981 goto done;
982 }
983
984 status = ipasam_get_objectclasses(ldap_state, dn, entry, &has_objectclass);
985 if (!NT_STATUS_IS_OK(status)) {
986 goto done;
987 }
988
989 *_dn = dn;
990 *_has_objectclass = has_objectclass;
991
992 status = NT_STATUS_OK;
993
994 done:
995 ldap_msgfree(result);
996
997 return status;
998 }
999
1000 static NTSTATUS find_user(struct ldapsam_privates *ldap_state, const char *name,
1001 char **_dn, uint32_t *_has_objectclass)
1002 {
1003 return find_obj(ldap_state, name, IPA_USER_OBJ, _dn, _has_objectclass);
1004 }
1005
1006 static NTSTATUS find_group(struct ldapsam_privates *ldap_state, const char *name,
1007 char **_dn, uint32_t *_has_objectclass)
1008 {
1009 return find_obj(ldap_state, name, IPA_GROUP_OBJ, _dn, _has_objectclass);
1010 }
1011
1012 static NTSTATUS ipasam_add_posix_account_objectclass(struct ldapsam_privates *ldap_state,
1013 int ldap_op,
1014 const char *dn,
1015 const char *username)
1016 {
1017 int ret;
1018 LDAPMod **mods = NULL;
1019
1020 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1021 "objectclass", "posixAccount");
1022 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1023 "cn", username);
1024 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1025 "uidNumber", IPA_MAGIC_ID_STR);
1026 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1027 "gidNumber", "12345");
1028 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1029 "homeDirectory", "/dev/null");
1030
1031 if (ldap_op == LDAP_MOD_ADD) {
1032 ret = smbldap_add(ldap_state->smbldap_state, dn, mods);
1033 } else {
1034 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1035 }
1036 ldap_mods_free(mods, 1);
1037 if (ret != LDAP_SUCCESS) {
1038 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1039 username, dn));
1040 return NT_STATUS_LDAP(ret);
1041 }
1042
1043 return NT_STATUS_OK;
1044 }
1045
1046 static NTSTATUS ipasam_add_ipa_group_objectclasses(struct ldapsam_privates *ldap_state,
1047 const char *dn,
1048 const char *name,
1049 uint32_t has_objectclass)
1050 {
1051 LDAPMod **mods = NULL;
1052 int ret;
1053
1054 if (!(has_objectclass & HAS_GROUPOFNAMES)) {
1055 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1056 LDAP_ATTRIBUTE_OBJECTCLASS,
1057 LDAP_OBJ_GROUPOFNAMES);
1058 }
1059
1060 if (!(has_objectclass & HAS_NESTEDGROUP)) {
1061 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1062 LDAP_ATTRIBUTE_OBJECTCLASS,
1063 LDAP_OBJ_NESTEDGROUP);
1064 }
1065
1066 if (!(has_objectclass & HAS_IPAUSERGROUP)) {
1067 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1068 LDAP_ATTRIBUTE_OBJECTCLASS,
1069 LDAP_OBJ_IPAUSERGROUP);
1070 }
1071
1072 if (!(has_objectclass & HAS_IPAOBJECT)) {
1073 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1074 LDAP_ATTRIBUTE_OBJECTCLASS,
1075 LDAP_OBJ_IPAOBJECT);
1076 }
1077
1078 if (!(has_objectclass & HAS_POSIXGROUP)) {
1079 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1080 LDAP_ATTRIBUTE_OBJECTCLASS,
1081 LDAP_OBJ_POSIXGROUP);
1082 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1083 LDAP_ATTRIBUTE_CN,
1084 name);
1085 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1086 LDAP_ATTRIBUTE_GIDNUMBER,
1087 IPA_MAGIC_ID_STR);
1088 }
1089
1090 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1091 ldap_mods_free(mods, 1);
1092 if (ret != LDAP_SUCCESS) {
1093 DEBUG(1, ("failed to modify/add group %s (dn = %s)\n",
1094 name, dn));
1095 return NT_STATUS_LDAP(ret);
1096 }
1097
1098 return NT_STATUS_OK;
1099 }
1100
1101 static NTSTATUS ipasam_add_ipa_objectclasses(struct ldapsam_privates *ldap_state,
1102 const char *dn, const char *name,
1103 const char *domain,
1104 uint32_t acct_flags,
1105 uint32_t has_objectclass)
1106 {
1107 LDAPMod **mods = NULL;
1108 int ret;
1109 char *princ;
1110
1111 if (!(has_objectclass & HAS_KRB_PRINCIPAL)) {
1112 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1113 LDAP_ATTRIBUTE_OBJECTCLASS,
1114 LDAP_OBJ_KRB_PRINCIPAL);
1115
1116 princ = talloc_asprintf(talloc_tos(), "%s@%s", name, lp_realm());
1117 if (princ == NULL) {
1118 return NT_STATUS_NO_MEMORY;
1119 }
1120
1121 smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
1122 }
1123
1124 if (!(has_objectclass & HAS_KRB_PRINCIPAL_AUX)) {
1125 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1126 LDAP_ATTRIBUTE_OBJECTCLASS,
1127 LDAP_OBJ_KRB_PRINCIPAL_AUX);
1128 }
1129
1130 if (!(has_objectclass & HAS_IPAOBJECT)) {
1131 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1132 LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_IPAOBJECT);
1133 }
1134
1135 if ((acct_flags != 0) &&
1136 (((acct_flags & ACB_NORMAL) && name[strlen(name)-1] == '$') ||
1137 ((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))) {
1138
1139 if (!(has_objectclass & HAS_IPAHOST)) {
1140 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1141 LDAP_ATTRIBUTE_OBJECTCLASS,
1142 LDAP_OBJ_IPAHOST);
1143
1144 if (domain == NULL) {
1145 return NT_STATUS_INVALID_PARAMETER;
1146 }
1147
1148 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1149 "fqdn", domain);
1150 }
1151 }
1152
1153 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1154 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1155 "objectclass", "posixAccount");
1156 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1157 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1158 "uidNumber", IPA_MAGIC_ID_STR);
1159 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1160 "gidNumber", "12345");
1161 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1162 "homeDirectory", "/dev/null");
1163 }
1164
1165 if (mods != NULL) {
1166 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1167 ldap_mods_free(mods, 1);
1168 if (ret != LDAP_SUCCESS) {
1169 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1170 name, dn));
1171 return NT_STATUS_LDAP(ret);
1172 }
1173 }
1174
1175 return NT_STATUS_OK;
1176 }
1177
1178 static NTSTATUS pdb_ipasam_add_sam_account(struct pdb_methods *pdb_methods,
1179 struct samu *sampass)
1180 {
1181 NTSTATUS status;
1182 struct ldapsam_privates *ldap_state;
1183 const char *name;
1184 char *dn;
1185 uint32_t has_objectclass;
1186 uint32_t rid;
1187 struct dom_sid user_sid;
1188
1189 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1190
1191 if (IS_SAM_SET(sampass, PDB_USERSID) ||
1192 IS_SAM_CHANGED(sampass, PDB_USERSID)) {
1193 if (!pdb_new_rid(&rid)) {
1194 return NT_STATUS_DS_NO_MORE_RIDS;
1195 }
1196 sid_compose(&user_sid, get_global_sam_sid(), rid);
1197 if (!pdb_set_user_sid(sampass, &user_sid, PDB_SET)) {
1198 return NT_STATUS_UNSUCCESSFUL;
1199 }
1200 }
1201
1202 status = ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
1203 sampass);
1204 if (!NT_STATUS_IS_OK(status)) {
1205 return status;
1206 }
1207
1208 if (ldap_state->ipasam_privates->server_is_ipa) {
1209 name = pdb_get_username(sampass);
1210 if (name == NULL || *name == '\0') {
1211 return NT_STATUS_INVALID_PARAMETER;
1212 }
1213
1214 status = find_user(ldap_state, name, &dn, &has_objectclass);
1215 if (!NT_STATUS_IS_OK(status)) {
1216 return status;
1217 }
1218
1219 status = ipasam_add_ipa_objectclasses(ldap_state, dn, name,
1220 pdb_get_domain(sampass),
1221 pdb_get_acct_ctrl(sampass),
1222 has_objectclass);
1223 if (!NT_STATUS_IS_OK(status)) {
1224 return status;
1225 }
1226
1227 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1228 status = ipasam_add_posix_account_objectclass(ldap_state,
1229 LDAP_MOD_REPLACE,
1230 dn, name);
1231 if (!NT_STATUS_IS_OK(status)) {
1232 return status;
1233 }
1234 }
1235
1236 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
1237 status = modify_ipa_password_exop(ldap_state, sampass);
1238 if (!NT_STATUS_IS_OK(status)) {
1239 return status;
1240 }
1241 }
1242 }
1243
1244 return NT_STATUS_OK;
1245 }
1246
1247 static NTSTATUS pdb_ipasam_update_sam_account(struct pdb_methods *pdb_methods,
1248 struct samu *sampass)
1249 {
1250 NTSTATUS status;
1251 struct ldapsam_privates *ldap_state;
1252 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1253
1254 status = ldap_state->ipasam_privates->ldapsam_update_sam_account(pdb_methods,
1255 sampass);
1256 if (!NT_STATUS_IS_OK(status)) {
1257 return status;
1258 }
1259
1260 if (ldap_state->ipasam_privates->server_is_ipa) {
1261 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
1262 status = modify_ipa_password_exop(ldap_state, sampass);
1263 if (!NT_STATUS_IS_OK(status)) {
1264 return status;
1265 }
1266 }
1267 }
1268
1269 return NT_STATUS_OK;
1270 }
1271
1272 static NTSTATUS ipasam_create_dom_group(struct pdb_methods *pdb_methods,
1273 TALLOC_CTX *tmp_ctx, const char *name,
1274 uint32_t *rid)
1275 {
1276 NTSTATUS status;
1277 struct ldapsam_privates *ldap_state;
1278 int ldap_op = LDAP_MOD_REPLACE;
1279 char *dn;
1280 uint32_t has_objectclass = 0;
1281
1282 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1283
1284 if (name == NULL || *name == '\0') {
1285 return NT_STATUS_INVALID_PARAMETER;
1286 }
1287
1288 status = find_group(ldap_state, name, &dn, &has_objectclass);
1289 if (NT_STATUS_IS_OK(status)) {
1290 ldap_op = LDAP_MOD_REPLACE;
1291 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1292 ldap_op = LDAP_MOD_ADD;
1293 } else {
1294 return status;
1295 }
1296
1297 if (!(has_objectclass & HAS_POSIXGROUP)) {
1298 status = ipasam_add_ipa_group_objectclasses(ldap_state, dn,
1299 name,
1300 has_objectclass);
1301 if (!NT_STATUS_IS_OK(status)) {
1302 return status;
1303 }
1304 }
1305
1306 status = ldap_state->ipasam_privates->ldapsam_create_dom_group(pdb_methods,
1307 tmp_ctx,
1308 name,
1309 rid);
1310 if (!NT_STATUS_IS_OK(status)) {
1311 return status;
1312 }
1313
1314 return NT_STATUS_OK;
1315 }
1316 static NTSTATUS ipasam_create_user(struct pdb_methods *pdb_methods,
1317 TALLOC_CTX *tmp_ctx, const char *name,
1318 uint32_t acb_info, uint32_t *rid)
1319 {
1320 NTSTATUS status;
1321 struct ldapsam_privates *ldap_state;
1322 int ldap_op = LDAP_MOD_REPLACE;
1323 char *dn;
1324 uint32_t has_objectclass = 0;
1325
1326 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1327
1328 if (name == NULL || *name == '\0') {
1329 return NT_STATUS_INVALID_PARAMETER;
1330 }
1331
1332 status = find_user(ldap_state, name, &dn, &has_objectclass);
1333 if (NT_STATUS_IS_OK(status)) {
1334 ldap_op = LDAP_MOD_REPLACE;
1335 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1336 char *escape_username;
1337 ldap_op = LDAP_MOD_ADD;
1338 escape_username = escape_rdn_val_string_alloc(name);
1339 if (!escape_username) {
1340 return NT_STATUS_NO_MEMORY;
1341 }
1342 if (name[strlen(name)-1] == '$') {
1343 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
1344 escape_username,
1345 lp_ldap_machine_suffix());
1346 } else {
1347 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
1348 escape_username,
1349 lp_ldap_user_suffix());
1350 }
1351 SAFE_FREE(escape_username);
1352 if (!dn) {
1353 return NT_STATUS_NO_MEMORY;
1354 }
1355 } else {
1356 return status;
1357 }
1358
1359 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1360 status = ipasam_add_posix_account_objectclass(ldap_state, ldap_op,
1361 dn, name);
1362 if (!NT_STATUS_IS_OK(status)) {
1363 return status;
1364 }
1365 has_objectclass |= HAS_POSIXACCOUNT;
1366 }
1367
1368 status = ldap_state->ipasam_privates->ldapsam_create_user(pdb_methods,
1369 tmp_ctx, name,
1370 acb_info, rid);
1371 if (!NT_STATUS_IS_OK(status)) {
1372 return status;
1373 }
1374
1375 status = ipasam_add_ipa_objectclasses(ldap_state, dn, name, lp_realm(),
1376 acb_info, has_objectclass);
1377 if (!NT_STATUS_IS_OK(status)) {
1378 return status;
1379 }
1380
1381 return NT_STATUS_OK;
1382 }
1383
1384 static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location)
1385 {
1386 struct ldapsam_privates *ldap_state;
1387 NTSTATUS status;
1388
1389 status = pdb_init_ldapsam(pdb_method, location);
1390 if (!NT_STATUS_IS_OK(status)) {
1391 return status;
1392 }
1393
1394 (*pdb_method)->name = "IPA_ldapsam";
1395
1396 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
1397 ldap_state->ipasam_privates = talloc_zero(ldap_state,
1398 struct ipasam_privates);
1399 if (ldap_state->ipasam_privates == NULL) {
1400 return NT_STATUS_NO_MEMORY;
1401 }
1402 ldap_state->is_ipa_ldap = True;
1403
1404 ldap_state->ipasam_privates->server_is_ipa = smbldap_has_extension(
1405 priv2ld(ldap_state), IPA_KEYTAB_SET_OID);
1406 ldap_state->ipasam_privates->ldapsam_add_sam_account = (*pdb_method)->add_sam_account;
1407 ldap_state->ipasam_privates->ldapsam_update_sam_account = (*pdb_method)->update_sam_account;
1408 ldap_state->ipasam_privates->ldapsam_create_user = (*pdb_method)->create_user;
1409 ldap_state->ipasam_privates->ldapsam_create_dom_group = (*pdb_method)->create_dom_group;
1410
1411 (*pdb_method)->add_sam_account = pdb_ipasam_add_sam_account;
1412 (*pdb_method)->update_sam_account = pdb_ipasam_update_sam_account;
1413
1414 if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
1415 if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
1416 (*pdb_method)->create_user = ipasam_create_user;
1417 (*pdb_method)->create_dom_group = ipasam_create_dom_group;
1418 }
1419 }
1420
1421 (*pdb_method)->capabilities = pdb_ipasam_capabilities;
1422 (*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
1423
1424 (*pdb_method)->get_trusteddom_pw = ipasam_get_trusteddom_pw;
1425 (*pdb_method)->set_trusteddom_pw = ipasam_set_trusteddom_pw;
1426 (*pdb_method)->del_trusteddom_pw = ipasam_del_trusteddom_pw;
1427 (*pdb_method)->enum_trusteddoms = ipasam_enum_trusteddoms;
1428
1429 (*pdb_method)->get_trusted_domain = ipasam_get_trusted_domain;
1430 (*pdb_method)->get_trusted_domain_by_sid = ipasam_get_trusted_domain_by_sid;
1431 (*pdb_method)->set_trusted_domain = ipasam_set_trusted_domain;
1432 (*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain;
1433 (*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains;
1434
1435 return NT_STATUS_OK;
1436 }
1437
1438 NTSTATUS pdb_ipa_init(void)
1439 {
1440 NTSTATUS nt_status;
1441
1442 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "IPA_ldapsam", pdb_init_IPA_ldapsam)))
1443 return nt_status;
1444
1445 return NT_STATUS_OK;
1446 }
reg import