2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/samr.h"
30 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
31 #define IPA_MAGIC_ID_STR "999"
33 #define LDAP_TRUST_CONTAINER "ou=system"
34 #define LDAP_ATTRIBUTE_CN "cn"
35 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
36 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
37 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
38 #define LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET "sambaTrustPosixOffset"
39 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
40 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
41 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
42 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
43 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
44 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
45 #define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
47 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
48 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
49 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
51 #define LDAP_OBJ_IPAOBJECT "ipaObject"
52 #define LDAP_OBJ_IPAHOST "ipaHost"
53 #define LDAP_OBJ_POSIXACCOUNT "posixAccount"
55 #define LDAP_OBJ_GROUPOFNAMES "groupOfNames"
56 #define LDAP_OBJ_NESTEDGROUP "nestedGroup"
57 #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
58 #define LDAP_OBJ_POSIXGROUP "posixGroup"
60 #define HAS_KRB_PRINCIPAL (1<<0)
61 #define HAS_KRB_PRINCIPAL_AUX (1<<1)
62 #define HAS_IPAOBJECT (1<<2)
63 #define HAS_IPAHOST (1<<3)
64 #define HAS_POSIXACCOUNT (1<<4)
65 #define HAS_GROUPOFNAMES (1<<5)
66 #define HAS_NESTEDGROUP (1<<6)
67 #define HAS_IPAUSERGROUP (1<<7)
68 #define HAS_POSIXGROUP (1<<8)
70 struct ipasam_privates
{
72 NTSTATUS (*ldapsam_add_sam_account
)(struct pdb_methods
*,
73 struct samu
*sampass
);
74 NTSTATUS (*ldapsam_update_sam_account
)(struct pdb_methods
*,
75 struct samu
*sampass
);
76 NTSTATUS (*ldapsam_create_user
)(struct pdb_methods
*my_methods
,
77 TALLOC_CTX
*tmp_ctx
, const char *name
,
78 uint32_t acb_info
, uint32_t *rid
);
79 NTSTATUS (*ldapsam_create_dom_group
)(struct pdb_methods
*my_methods
,
85 static bool ipasam_get_trusteddom_pw(struct pdb_methods
*methods
,
89 time_t *pass_last_set_time
)
94 static bool ipasam_set_trusteddom_pw(struct pdb_methods
*methods
,
97 const struct dom_sid
*sid
)
102 static bool ipasam_del_trusteddom_pw(struct pdb_methods
*methods
,
108 static char *get_account_dn(const char *name
)
113 escape_name
= escape_rdn_val_string_alloc(name
);
118 if (name
[strlen(name
)-1] == '$') {
119 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
120 lp_ldap_machine_suffix());
122 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
123 lp_ldap_user_suffix());
126 SAFE_FREE(escape_name
);
131 static char *trusted_domain_dn(struct ldapsam_privates
*ldap_state
,
134 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
135 LDAP_ATTRIBUTE_CN
, domain
,
136 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
139 static char *trusted_domain_base_dn(struct ldapsam_privates
*ldap_state
)
141 return talloc_asprintf(talloc_tos(), "%s,%s",
142 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
145 static bool get_trusted_domain_int(struct ldapsam_privates
*ldap_state
,
147 const char *filter
, LDAPMessage
**entry
)
150 char *base_dn
= NULL
;
151 LDAPMessage
*result
= NULL
;
154 base_dn
= trusted_domain_base_dn(ldap_state
);
155 if (base_dn
== NULL
) {
159 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
,
160 LDAP_SCOPE_SUBTREE
, filter
, NULL
, 0, &result
);
161 TALLOC_FREE(base_dn
);
163 if (result
!= NULL
) {
164 talloc_autofree_ldapmsg(mem_ctx
, result
);
167 if (rc
== LDAP_NO_SUCH_OBJECT
) {
172 if (rc
!= LDAP_SUCCESS
) {
176 num_result
= ldap_count_entries(priv2ld(ldap_state
), result
);
178 if (num_result
> 1) {
179 DEBUG(1, ("get_trusted_domain_int: more than one "
180 "%s object with filter '%s'?!\n",
181 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
185 if (num_result
== 0) {
186 DEBUG(1, ("get_trusted_domain_int: no "
187 "%s object with filter '%s'.\n",
188 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
191 *entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
197 static bool get_trusted_domain_by_name_int(struct ldapsam_privates
*ldap_state
,
204 filter
= talloc_asprintf(talloc_tos(),
205 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
206 LDAP_OBJ_TRUSTED_DOMAIN
,
207 LDAP_ATTRIBUTE_FLAT_NAME
, domain
,
208 LDAP_ATTRIBUTE_TRUST_PARTNER
, domain
, domain
);
209 if (filter
== NULL
) {
213 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
216 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates
*ldap_state
,
218 const char *sid
, LDAPMessage
**entry
)
222 filter
= talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
223 LDAP_OBJ_TRUSTED_DOMAIN
,
224 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
, sid
);
225 if (filter
== NULL
) {
229 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
232 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates
*ldap_state
,
241 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
244 DEBUG(9, ("Attribute %s not present.\n", attr
));
249 l
= strtoul(dummy
, &endptr
, 10);
252 if (l
< 0 || l
> UINT32_MAX
|| *endptr
!= '\0') {
261 static void get_data_blob_from_ldap_msg(TALLOC_CTX
*mem_ctx
,
262 struct ldapsam_privates
*ldap_state
,
263 LDAPMessage
*entry
, const char *attr
,
269 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
, attr
,
272 DEBUG(9, ("Attribute %s not present.\n", attr
));
275 blob
= base64_decode_data_blob(dummy
);
276 if (blob
.length
== 0) {
279 _blob
->length
= blob
.length
;
280 _blob
->data
= talloc_steal(mem_ctx
, blob
.data
);
286 static bool fill_pdb_trusted_domain(TALLOC_CTX
*mem_ctx
,
287 struct ldapsam_privates
*ldap_state
,
289 struct pdb_trusted_domain
**_td
)
293 struct pdb_trusted_domain
*td
;
299 td
= talloc_zero(mem_ctx
, struct pdb_trusted_domain
);
304 /* All attributes are MAY */
306 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
307 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
310 DEBUG(9, ("Attribute %s not present.\n",
311 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
));
312 ZERO_STRUCT(td
->security_identifier
);
314 res
= string_to_sid(&td
->security_identifier
, dummy
);
321 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
322 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
323 &td
->trust_auth_incoming
);
325 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
326 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
327 &td
->trust_auth_outgoing
);
329 td
->netbios_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
331 LDAP_ATTRIBUTE_FLAT_NAME
,
333 if (td
->netbios_name
== NULL
) {
334 DEBUG(9, ("Attribute %s not present.\n",
335 LDAP_ATTRIBUTE_FLAT_NAME
));
338 td
->domain_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
340 LDAP_ATTRIBUTE_TRUST_PARTNER
,
342 if (td
->domain_name
== NULL
) {
343 DEBUG(9, ("Attribute %s not present.\n",
344 LDAP_ATTRIBUTE_TRUST_PARTNER
));
347 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
348 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
349 &td
->trust_direction
);
354 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
355 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
356 &td
->trust_attributes
);
361 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
362 LDAP_ATTRIBUTE_TRUST_TYPE
,
368 td
->trust_posix_offset
= talloc(td
, uint32_t);
369 if (td
->trust_posix_offset
== NULL
) {
372 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
373 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET
,
374 td
->trust_posix_offset
);
379 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
380 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
381 &td
->trust_forest_trust_info
);
388 static NTSTATUS
ipasam_get_trusted_domain(struct pdb_methods
*methods
,
391 struct pdb_trusted_domain
**td
)
393 struct ldapsam_privates
*ldap_state
=
394 (struct ldapsam_privates
*)methods
->private_data
;
395 LDAPMessage
*entry
= NULL
;
397 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain
));
399 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
401 return NT_STATUS_UNSUCCESSFUL
;
404 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
406 return NT_STATUS_NO_SUCH_DOMAIN
;
409 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
410 return NT_STATUS_UNSUCCESSFUL
;
416 static NTSTATUS
ipasam_get_trusted_domain_by_sid(struct pdb_methods
*methods
,
419 struct pdb_trusted_domain
**td
)
421 struct ldapsam_privates
*ldap_state
=
422 (struct ldapsam_privates
*)methods
->private_data
;
423 LDAPMessage
*entry
= NULL
;
426 sid_str
= sid_string_tos(sid
);
428 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
431 if (!get_trusted_domain_by_sid_int(ldap_state
, talloc_tos(), sid_str
,
433 return NT_STATUS_UNSUCCESSFUL
;
436 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
437 "with sid: %s\n", sid_str
));
438 return NT_STATUS_NO_SUCH_DOMAIN
;
441 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
442 return NT_STATUS_UNSUCCESSFUL
;
448 static bool smbldap_make_mod_uint32_t(LDAP
*ldap_struct
, LDAPMessage
*entry
,
449 LDAPMod
***mods
, const char *attribute
,
454 dummy
= talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val
);
458 smbldap_make_mod(ldap_struct
, entry
, mods
, attribute
, dummy
);
464 static NTSTATUS
ipasam_set_trusted_domain(struct pdb_methods
*methods
,
466 const struct pdb_trusted_domain
*td
)
468 struct ldapsam_privates
*ldap_state
=
469 (struct ldapsam_privates
*)methods
->private_data
;
470 LDAPMessage
*entry
= NULL
;
473 char *trusted_dn
= NULL
;
476 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain
));
478 res
= get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
481 return NT_STATUS_UNSUCCESSFUL
;
485 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
, "objectClass",
486 LDAP_OBJ_TRUSTED_DOMAIN
);
488 if (td
->netbios_name
!= NULL
) {
489 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
490 LDAP_ATTRIBUTE_FLAT_NAME
,
494 if (td
->domain_name
!= NULL
) {
495 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
496 LDAP_ATTRIBUTE_TRUST_PARTNER
,
500 if (!is_null_sid(&td
->security_identifier
)) {
501 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
502 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
503 sid_string_tos(&td
->security_identifier
));
506 if (td
->trust_type
!= 0) {
507 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
508 &mods
, LDAP_ATTRIBUTE_TRUST_TYPE
,
511 return NT_STATUS_UNSUCCESSFUL
;
515 if (td
->trust_attributes
!= 0) {
516 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
518 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
519 td
->trust_attributes
);
521 return NT_STATUS_UNSUCCESSFUL
;
525 if (td
->trust_direction
!= 0) {
526 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
528 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
529 td
->trust_direction
);
531 return NT_STATUS_UNSUCCESSFUL
;
535 if (td
->trust_posix_offset
!= NULL
) {
536 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
538 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET
,
539 *td
->trust_posix_offset
);
541 return NT_STATUS_UNSUCCESSFUL
;
545 if (td
->trust_auth_outgoing
.data
!= NULL
) {
546 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
547 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
548 &td
->trust_auth_outgoing
);
551 if (td
->trust_auth_incoming
.data
!= NULL
) {
552 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
553 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
554 &td
->trust_auth_incoming
);
557 if (td
->trust_forest_trust_info
.data
!= NULL
) {
558 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
559 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
560 &td
->trust_forest_trust_info
);
563 talloc_autofree_ldapmod(talloc_tos(), mods
);
565 trusted_dn
= trusted_domain_dn(ldap_state
, domain
);
566 if (trusted_dn
== NULL
) {
567 return NT_STATUS_NO_MEMORY
;
570 ret
= smbldap_add(ldap_state
->smbldap_state
, trusted_dn
, mods
);
572 ret
= smbldap_modify(ldap_state
->smbldap_state
, trusted_dn
, mods
);
575 if (ret
!= LDAP_SUCCESS
) {
576 DEBUG(1, ("error writing trusted domain data!\n"));
577 return NT_STATUS_UNSUCCESSFUL
;
582 static NTSTATUS
ipasam_del_trusted_domain(struct pdb_methods
*methods
,
586 struct ldapsam_privates
*ldap_state
=
587 (struct ldapsam_privates
*)methods
->private_data
;
588 LDAPMessage
*entry
= NULL
;
591 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
593 return NT_STATUS_UNSUCCESSFUL
;
597 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
599 return NT_STATUS_NO_SUCH_DOMAIN
;
602 dn
= smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state
), entry
);
604 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
605 return NT_STATUS_NO_MEMORY
;
608 ret
= smbldap_delete(ldap_state
->smbldap_state
, dn
);
609 if (ret
!= LDAP_SUCCESS
) {
610 return NT_STATUS_UNSUCCESSFUL
;
616 static NTSTATUS
ipasam_enum_trusted_domains(struct pdb_methods
*methods
,
618 uint32_t *num_domains
,
619 struct pdb_trusted_domain
***domains
)
622 struct ldapsam_privates
*ldap_state
=
623 (struct ldapsam_privates
*)methods
->private_data
;
624 char *base_dn
= NULL
;
626 int scope
= LDAP_SCOPE_SUBTREE
;
627 LDAPMessage
*result
= NULL
;
628 LDAPMessage
*entry
= NULL
;
630 filter
= talloc_asprintf(talloc_tos(), "(objectClass=%s)",
631 LDAP_OBJ_TRUSTED_DOMAIN
);
632 if (filter
== NULL
) {
633 return NT_STATUS_NO_MEMORY
;
636 base_dn
= trusted_domain_base_dn(ldap_state
);
637 if (base_dn
== NULL
) {
639 return NT_STATUS_NO_MEMORY
;
642 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
, scope
, filter
,
645 TALLOC_FREE(base_dn
);
647 if (result
!= NULL
) {
648 talloc_autofree_ldapmsg(mem_ctx
, result
);
651 if (rc
== LDAP_NO_SUCH_OBJECT
) {
657 if (rc
!= LDAP_SUCCESS
) {
658 return NT_STATUS_UNSUCCESSFUL
;
662 if (!(*domains
= talloc_array(mem_ctx
, struct pdb_trusted_domain
*, 1))) {
663 DEBUG(1, ("talloc failed\n"));
664 return NT_STATUS_NO_MEMORY
;
667 for (entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
669 entry
= ldap_next_entry(priv2ld(ldap_state
), entry
))
671 struct pdb_trusted_domain
*dom_info
;
673 if (!fill_pdb_trusted_domain(*domains
, ldap_state
, entry
,
675 return NT_STATUS_UNSUCCESSFUL
;
678 ADD_TO_ARRAY(*domains
, struct pdb_trusted_domain
*, dom_info
,
679 domains
, num_domains
);
681 if (*domains
== NULL
) {
682 DEBUG(1, ("talloc failed\n"));
683 return NT_STATUS_NO_MEMORY
;
687 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains
));
691 static NTSTATUS
ipasam_enum_trusteddoms(struct pdb_methods
*methods
,
693 uint32_t *num_domains
,
694 struct trustdom_info
***domains
)
697 struct pdb_trusted_domain
**td
;
700 status
= ipasam_enum_trusted_domains(methods
, talloc_tos(),
702 if (!NT_STATUS_IS_OK(status
)) {
706 if (*num_domains
== 0) {
710 if (!(*domains
= talloc_array(mem_ctx
, struct trustdom_info
*,
712 DEBUG(1, ("talloc failed\n"));
713 return NT_STATUS_NO_MEMORY
;
716 for (i
= 0; i
< *num_domains
; i
++) {
717 struct trustdom_info
*dom_info
;
719 dom_info
= talloc(*domains
, struct trustdom_info
);
720 if (dom_info
== NULL
) {
721 DEBUG(1, ("talloc failed\n"));
722 return NT_STATUS_NO_MEMORY
;
725 dom_info
->name
= talloc_steal(mem_ctx
, td
[i
]->netbios_name
);
726 sid_copy(&dom_info
->sid
, &td
[i
]->security_identifier
);
728 (*domains
)[i
] = dom_info
;
734 static uint32_t pdb_ipasam_capabilities(struct pdb_methods
*methods
)
736 return PDB_CAP_STORE_RIDS
| PDB_CAP_ADS
| PDB_CAP_TRUSTED_DOMAINS_EX
;
739 static struct pdb_domain_info
*pdb_ipasam_get_domain_info(struct pdb_methods
*pdb_methods
,
742 struct pdb_domain_info
*info
;
743 struct ldapsam_privates
*ldap_state
=
744 (struct ldapsam_privates
*)pdb_methods
->private_data
;
749 info
= talloc(mem_ctx
, struct pdb_domain_info
);
754 info
->name
= talloc_strdup(info
, ldap_state
->domain_name
);
755 if (info
->name
== NULL
) {
759 /* TODO: read dns_domain, dns_forest and guid from LDAP */
760 info
->dns_domain
= talloc_strdup(info
, lp_realm());
761 if (info
->dns_domain
== NULL
) {
764 strlower_m(info
->dns_domain
);
765 info
->dns_forest
= talloc_strdup(info
, info
->dns_domain
);
767 /* we expect a domain SID to have 4 sub IDs */
768 if (ldap_state
->domain_sid
.num_auths
!= 4) {
772 sid_copy(&info
->sid
, &ldap_state
->domain_sid
);
774 if (!sid_linearize(sid_buf
, sizeof(sid_buf
), &info
->sid
)) {
778 /* the first 8 bytes of the linearized SID are not random,
780 sid_blob
.data
= (uint8_t *) sid_buf
+ 8 ;
781 sid_blob
.length
= 16;
783 status
= GUID_from_ndr_blob(&sid_blob
, &info
->guid
);
784 if (!NT_STATUS_IS_OK(status
)) {
795 static NTSTATUS
modify_ipa_password_exop(struct ldapsam_privates
*ldap_state
,
796 struct samu
*sampass
)
799 BerElement
*ber
= NULL
;
800 struct berval
*bv
= NULL
;
802 struct berval
*retdata
= NULL
;
803 const char *password
;
806 password
= pdb_get_plaintext_passwd(sampass
);
807 if (password
== NULL
|| *password
== '\0') {
808 return NT_STATUS_INVALID_PARAMETER
;
811 dn
= get_account_dn(pdb_get_username(sampass
));
813 return NT_STATUS_INVALID_PARAMETER
;
816 ber
= ber_alloc_t( LBER_USE_DER
);
818 DEBUG(7, ("ber_alloc_t failed.\n"));
819 return NT_STATUS_NO_MEMORY
;
822 ret
= ber_printf(ber
, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID
, dn
,
823 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW
, password
);
825 DEBUG(7, ("ber_printf failed.\n"));
827 return NT_STATUS_UNSUCCESSFUL
;
830 ret
= ber_flatten(ber
, &bv
);
833 DEBUG(1, ("ber_flatten failed.\n"));
834 return NT_STATUS_UNSUCCESSFUL
;
837 ret
= smbldap_extended_operation(ldap_state
->smbldap_state
,
838 LDAP_EXOP_MODIFY_PASSWD
, bv
, NULL
,
839 NULL
, &retoid
, &retdata
);
845 ldap_memfree(retoid
);
847 if (ret
!= LDAP_SUCCESS
) {
848 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
849 return NT_STATUS_UNSUCCESSFUL
;
855 static NTSTATUS
ipasam_get_objectclasses(struct ldapsam_privates
*ldap_state
,
856 const char *dn
, LDAPMessage
*entry
,
857 uint32_t *has_objectclass
)
859 char **objectclasses
;
862 objectclasses
= ldap_get_values(priv2ld(ldap_state
), entry
,
863 LDAP_ATTRIBUTE_OBJECTCLASS
);
864 if (objectclasses
== NULL
) {
865 DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn
));
866 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
869 *has_objectclass
= 0;
870 for (c
= 0; objectclasses
[c
] != NULL
; c
++) {
871 if (strequal(objectclasses
[c
], LDAP_OBJ_KRB_PRINCIPAL
)) {
872 *has_objectclass
|= HAS_KRB_PRINCIPAL
;
873 } else if (strequal(objectclasses
[c
],
874 LDAP_OBJ_KRB_PRINCIPAL_AUX
)) {
875 *has_objectclass
|= HAS_KRB_PRINCIPAL_AUX
;
876 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAOBJECT
)) {
877 *has_objectclass
|= HAS_IPAOBJECT
;
878 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAHOST
)) {
879 *has_objectclass
|= HAS_IPAHOST
;
880 } else if (strequal(objectclasses
[c
], LDAP_OBJ_POSIXACCOUNT
)) {
881 *has_objectclass
|= HAS_POSIXACCOUNT
;
882 } else if (strequal(objectclasses
[c
], LDAP_OBJ_GROUPOFNAMES
)) {
883 *has_objectclass
|= HAS_GROUPOFNAMES
;
884 } else if (strequal(objectclasses
[c
], LDAP_OBJ_NESTEDGROUP
)) {
885 *has_objectclass
|= HAS_NESTEDGROUP
;
886 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAUSERGROUP
)) {
887 *has_objectclass
|= HAS_IPAUSERGROUP
;
888 } else if (strequal(objectclasses
[c
], LDAP_OBJ_POSIXGROUP
)) {
889 *has_objectclass
|= HAS_POSIXGROUP
;
892 ldap_value_free(objectclasses
);
903 static NTSTATUS
find_obj(struct ldapsam_privates
*ldap_state
, const char *name
,
904 enum obj_type type
, char **_dn
,
905 uint32_t *_has_objectclass
)
910 LDAPMessage
*result
= NULL
;
911 LDAPMessage
*entry
= NULL
;
914 uint32_t has_objectclass
;
916 const char *obj_class
= NULL
;
920 obj_class
= LDAP_OBJ_POSIXACCOUNT
;
923 obj_class
= LDAP_OBJ_POSIXGROUP
;
926 DEBUG(0, ("Unsupported IPA object.\n"));
927 return NT_STATUS_INVALID_PARAMETER
;
930 username
= escape_ldap_string(talloc_tos(), name
);
931 if (username
== NULL
) {
932 return NT_STATUS_NO_MEMORY
;
934 filter
= talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
935 username
, obj_class
);
936 if (filter
== NULL
) {
937 return NT_STATUS_NO_MEMORY
;
939 TALLOC_FREE(username
);
941 ret
= smbldap_search_suffix(ldap_state
->smbldap_state
, filter
, NULL
,
943 if (ret
!= LDAP_SUCCESS
) {
944 DEBUG(0, ("smbldap_search_suffix failed.\n"));
945 return NT_STATUS_ACCESS_DENIED
;
948 num_result
= ldap_count_entries(priv2ld(ldap_state
), result
);
950 if (num_result
!= 1) {
951 if (num_result
== 0) {
954 status
= NT_STATUS_NO_SUCH_USER
;
957 status
= NT_STATUS_NO_SUCH_GROUP
;
960 status
= NT_STATUS_INVALID_PARAMETER
;
963 DEBUG (0, ("find_user: More than one object with name [%s] ?!\n",
965 status
= NT_STATUS_INTERNAL_DB_CORRUPTION
;
970 entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
972 DEBUG(0,("find_user: Out of memory!\n"));
973 status
= NT_STATUS_UNSUCCESSFUL
;
977 dn
= smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state
), entry
);
979 DEBUG(0,("find_user: Out of memory!\n"));
980 status
= NT_STATUS_NO_MEMORY
;
984 status
= ipasam_get_objectclasses(ldap_state
, dn
, entry
, &has_objectclass
);
985 if (!NT_STATUS_IS_OK(status
)) {
990 *_has_objectclass
= has_objectclass
;
992 status
= NT_STATUS_OK
;
995 ldap_msgfree(result
);
1000 static NTSTATUS
find_user(struct ldapsam_privates
*ldap_state
, const char *name
,
1001 char **_dn
, uint32_t *_has_objectclass
)
1003 return find_obj(ldap_state
, name
, IPA_USER_OBJ
, _dn
, _has_objectclass
);
1006 static NTSTATUS
find_group(struct ldapsam_privates
*ldap_state
, const char *name
,
1007 char **_dn
, uint32_t *_has_objectclass
)
1009 return find_obj(ldap_state
, name
, IPA_GROUP_OBJ
, _dn
, _has_objectclass
);
1012 static NTSTATUS
ipasam_add_posix_account_objectclass(struct ldapsam_privates
*ldap_state
,
1015 const char *username
)
1018 LDAPMod
**mods
= NULL
;
1020 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1021 "objectclass", "posixAccount");
1022 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1024 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1025 "uidNumber", IPA_MAGIC_ID_STR
);
1026 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1027 "gidNumber", "12345");
1028 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1029 "homeDirectory", "/dev/null");
1031 if (ldap_op
== LDAP_MOD_ADD
) {
1032 ret
= smbldap_add(ldap_state
->smbldap_state
, dn
, mods
);
1034 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1036 ldap_mods_free(mods
, 1);
1037 if (ret
!= LDAP_SUCCESS
) {
1038 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1040 return NT_STATUS_LDAP(ret
);
1043 return NT_STATUS_OK
;
1046 static NTSTATUS
ipasam_add_ipa_group_objectclasses(struct ldapsam_privates
*ldap_state
,
1049 uint32_t has_objectclass
)
1051 LDAPMod
**mods
= NULL
;
1054 if (!(has_objectclass
& HAS_GROUPOFNAMES
)) {
1055 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1056 LDAP_ATTRIBUTE_OBJECTCLASS
,
1057 LDAP_OBJ_GROUPOFNAMES
);
1060 if (!(has_objectclass
& HAS_NESTEDGROUP
)) {
1061 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1062 LDAP_ATTRIBUTE_OBJECTCLASS
,
1063 LDAP_OBJ_NESTEDGROUP
);
1066 if (!(has_objectclass
& HAS_IPAUSERGROUP
)) {
1067 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1068 LDAP_ATTRIBUTE_OBJECTCLASS
,
1069 LDAP_OBJ_IPAUSERGROUP
);
1072 if (!(has_objectclass
& HAS_IPAOBJECT
)) {
1073 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1074 LDAP_ATTRIBUTE_OBJECTCLASS
,
1075 LDAP_OBJ_IPAOBJECT
);
1078 if (!(has_objectclass
& HAS_POSIXGROUP
)) {
1079 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1080 LDAP_ATTRIBUTE_OBJECTCLASS
,
1081 LDAP_OBJ_POSIXGROUP
);
1082 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1085 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1086 LDAP_ATTRIBUTE_GIDNUMBER
,
1090 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1091 ldap_mods_free(mods
, 1);
1092 if (ret
!= LDAP_SUCCESS
) {
1093 DEBUG(1, ("failed to modify/add group %s (dn = %s)\n",
1095 return NT_STATUS_LDAP(ret
);
1098 return NT_STATUS_OK
;
1101 static NTSTATUS
ipasam_add_ipa_objectclasses(struct ldapsam_privates
*ldap_state
,
1102 const char *dn
, const char *name
,
1104 uint32_t acct_flags
,
1105 uint32_t has_objectclass
)
1107 LDAPMod
**mods
= NULL
;
1111 if (!(has_objectclass
& HAS_KRB_PRINCIPAL
)) {
1112 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1113 LDAP_ATTRIBUTE_OBJECTCLASS
,
1114 LDAP_OBJ_KRB_PRINCIPAL
);
1116 princ
= talloc_asprintf(talloc_tos(), "%s@%s", name
, lp_realm());
1117 if (princ
== NULL
) {
1118 return NT_STATUS_NO_MEMORY
;
1121 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, LDAP_ATTRIBUTE_KRB_PRINCIPAL
, princ
);
1124 if (!(has_objectclass
& HAS_KRB_PRINCIPAL_AUX
)) {
1125 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1126 LDAP_ATTRIBUTE_OBJECTCLASS
,
1127 LDAP_OBJ_KRB_PRINCIPAL_AUX
);
1130 if (!(has_objectclass
& HAS_IPAOBJECT
)) {
1131 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1132 LDAP_ATTRIBUTE_OBJECTCLASS
, LDAP_OBJ_IPAOBJECT
);
1135 if ((acct_flags
!= 0) &&
1136 (((acct_flags
& ACB_NORMAL
) && name
[strlen(name
)-1] == '$') ||
1137 ((acct_flags
& (ACB_WSTRUST
|ACB_SVRTRUST
|ACB_DOMTRUST
)) != 0))) {
1139 if (!(has_objectclass
& HAS_IPAHOST
)) {
1140 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1141 LDAP_ATTRIBUTE_OBJECTCLASS
,
1144 if (domain
== NULL
) {
1145 return NT_STATUS_INVALID_PARAMETER
;
1148 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1153 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1154 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1155 "objectclass", "posixAccount");
1156 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "cn", name
);
1157 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1158 "uidNumber", IPA_MAGIC_ID_STR
);
1159 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1160 "gidNumber", "12345");
1161 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1162 "homeDirectory", "/dev/null");
1166 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1167 ldap_mods_free(mods
, 1);
1168 if (ret
!= LDAP_SUCCESS
) {
1169 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1171 return NT_STATUS_LDAP(ret
);
1175 return NT_STATUS_OK
;
1178 static NTSTATUS
pdb_ipasam_add_sam_account(struct pdb_methods
*pdb_methods
,
1179 struct samu
*sampass
)
1182 struct ldapsam_privates
*ldap_state
;
1185 uint32_t has_objectclass
;
1187 struct dom_sid user_sid
;
1189 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1191 if (IS_SAM_SET(sampass
, PDB_USERSID
) ||
1192 IS_SAM_CHANGED(sampass
, PDB_USERSID
)) {
1193 if (!pdb_new_rid(&rid
)) {
1194 return NT_STATUS_DS_NO_MORE_RIDS
;
1196 sid_compose(&user_sid
, get_global_sam_sid(), rid
);
1197 if (!pdb_set_user_sid(sampass
, &user_sid
, PDB_SET
)) {
1198 return NT_STATUS_UNSUCCESSFUL
;
1202 status
= ldap_state
->ipasam_privates
->ldapsam_add_sam_account(pdb_methods
,
1204 if (!NT_STATUS_IS_OK(status
)) {
1208 if (ldap_state
->ipasam_privates
->server_is_ipa
) {
1209 name
= pdb_get_username(sampass
);
1210 if (name
== NULL
|| *name
== '\0') {
1211 return NT_STATUS_INVALID_PARAMETER
;
1214 status
= find_user(ldap_state
, name
, &dn
, &has_objectclass
);
1215 if (!NT_STATUS_IS_OK(status
)) {
1219 status
= ipasam_add_ipa_objectclasses(ldap_state
, dn
, name
,
1220 pdb_get_domain(sampass
),
1221 pdb_get_acct_ctrl(sampass
),
1223 if (!NT_STATUS_IS_OK(status
)) {
1227 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1228 status
= ipasam_add_posix_account_objectclass(ldap_state
,
1231 if (!NT_STATUS_IS_OK(status
)) {
1236 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
1237 status
= modify_ipa_password_exop(ldap_state
, sampass
);
1238 if (!NT_STATUS_IS_OK(status
)) {
1244 return NT_STATUS_OK
;
1247 static NTSTATUS
pdb_ipasam_update_sam_account(struct pdb_methods
*pdb_methods
,
1248 struct samu
*sampass
)
1251 struct ldapsam_privates
*ldap_state
;
1252 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1254 status
= ldap_state
->ipasam_privates
->ldapsam_update_sam_account(pdb_methods
,
1256 if (!NT_STATUS_IS_OK(status
)) {
1260 if (ldap_state
->ipasam_privates
->server_is_ipa
) {
1261 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
1262 status
= modify_ipa_password_exop(ldap_state
, sampass
);
1263 if (!NT_STATUS_IS_OK(status
)) {
1269 return NT_STATUS_OK
;
1272 static NTSTATUS
ipasam_create_dom_group(struct pdb_methods
*pdb_methods
,
1273 TALLOC_CTX
*tmp_ctx
, const char *name
,
1277 struct ldapsam_privates
*ldap_state
;
1278 int ldap_op
= LDAP_MOD_REPLACE
;
1280 uint32_t has_objectclass
= 0;
1282 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1284 if (name
== NULL
|| *name
== '\0') {
1285 return NT_STATUS_INVALID_PARAMETER
;
1288 status
= find_group(ldap_state
, name
, &dn
, &has_objectclass
);
1289 if (NT_STATUS_IS_OK(status
)) {
1290 ldap_op
= LDAP_MOD_REPLACE
;
1291 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1292 ldap_op
= LDAP_MOD_ADD
;
1297 if (!(has_objectclass
& HAS_POSIXGROUP
)) {
1298 status
= ipasam_add_ipa_group_objectclasses(ldap_state
, dn
,
1301 if (!NT_STATUS_IS_OK(status
)) {
1306 status
= ldap_state
->ipasam_privates
->ldapsam_create_dom_group(pdb_methods
,
1310 if (!NT_STATUS_IS_OK(status
)) {
1314 return NT_STATUS_OK
;
1316 static NTSTATUS
ipasam_create_user(struct pdb_methods
*pdb_methods
,
1317 TALLOC_CTX
*tmp_ctx
, const char *name
,
1318 uint32_t acb_info
, uint32_t *rid
)
1321 struct ldapsam_privates
*ldap_state
;
1322 int ldap_op
= LDAP_MOD_REPLACE
;
1324 uint32_t has_objectclass
= 0;
1326 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1328 if (name
== NULL
|| *name
== '\0') {
1329 return NT_STATUS_INVALID_PARAMETER
;
1332 status
= find_user(ldap_state
, name
, &dn
, &has_objectclass
);
1333 if (NT_STATUS_IS_OK(status
)) {
1334 ldap_op
= LDAP_MOD_REPLACE
;
1335 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1336 char *escape_username
;
1337 ldap_op
= LDAP_MOD_ADD
;
1338 escape_username
= escape_rdn_val_string_alloc(name
);
1339 if (!escape_username
) {
1340 return NT_STATUS_NO_MEMORY
;
1342 if (name
[strlen(name
)-1] == '$') {
1343 dn
= talloc_asprintf(tmp_ctx
, "uid=%s,%s",
1345 lp_ldap_machine_suffix());
1347 dn
= talloc_asprintf(tmp_ctx
, "uid=%s,%s",
1349 lp_ldap_user_suffix());
1351 SAFE_FREE(escape_username
);
1353 return NT_STATUS_NO_MEMORY
;
1359 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1360 status
= ipasam_add_posix_account_objectclass(ldap_state
, ldap_op
,
1362 if (!NT_STATUS_IS_OK(status
)) {
1365 has_objectclass
|= HAS_POSIXACCOUNT
;
1368 status
= ldap_state
->ipasam_privates
->ldapsam_create_user(pdb_methods
,
1371 if (!NT_STATUS_IS_OK(status
)) {
1375 status
= ipasam_add_ipa_objectclasses(ldap_state
, dn
, name
, lp_realm(),
1376 acb_info
, has_objectclass
);
1377 if (!NT_STATUS_IS_OK(status
)) {
1381 return NT_STATUS_OK
;
1384 static NTSTATUS
pdb_init_IPA_ldapsam(struct pdb_methods
**pdb_method
, const char *location
)
1386 struct ldapsam_privates
*ldap_state
;
1389 status
= pdb_init_ldapsam(pdb_method
, location
);
1390 if (!NT_STATUS_IS_OK(status
)) {
1394 (*pdb_method
)->name
= "IPA_ldapsam";
1396 ldap_state
= (struct ldapsam_privates
*)((*pdb_method
)->private_data
);
1397 ldap_state
->ipasam_privates
= talloc_zero(ldap_state
,
1398 struct ipasam_privates
);
1399 if (ldap_state
->ipasam_privates
== NULL
) {
1400 return NT_STATUS_NO_MEMORY
;
1402 ldap_state
->is_ipa_ldap
= True
;
1404 ldap_state
->ipasam_privates
->server_is_ipa
= smbldap_has_extension(
1405 priv2ld(ldap_state
), IPA_KEYTAB_SET_OID
);
1406 ldap_state
->ipasam_privates
->ldapsam_add_sam_account
= (*pdb_method
)->add_sam_account
;
1407 ldap_state
->ipasam_privates
->ldapsam_update_sam_account
= (*pdb_method
)->update_sam_account
;
1408 ldap_state
->ipasam_privates
->ldapsam_create_user
= (*pdb_method
)->create_user
;
1409 ldap_state
->ipasam_privates
->ldapsam_create_dom_group
= (*pdb_method
)->create_dom_group
;
1411 (*pdb_method
)->add_sam_account
= pdb_ipasam_add_sam_account
;
1412 (*pdb_method
)->update_sam_account
= pdb_ipasam_update_sam_account
;
1414 if (lp_parm_bool(-1, "ldapsam", "trusted", False
)) {
1415 if (lp_parm_bool(-1, "ldapsam", "editposix", False
)) {
1416 (*pdb_method
)->create_user
= ipasam_create_user
;
1417 (*pdb_method
)->create_dom_group
= ipasam_create_dom_group
;
1421 (*pdb_method
)->capabilities
= pdb_ipasam_capabilities
;
1422 (*pdb_method
)->get_domain_info
= pdb_ipasam_get_domain_info
;
1424 (*pdb_method
)->get_trusteddom_pw
= ipasam_get_trusteddom_pw
;
1425 (*pdb_method
)->set_trusteddom_pw
= ipasam_set_trusteddom_pw
;
1426 (*pdb_method
)->del_trusteddom_pw
= ipasam_del_trusteddom_pw
;
1427 (*pdb_method
)->enum_trusteddoms
= ipasam_enum_trusteddoms
;
1429 (*pdb_method
)->get_trusted_domain
= ipasam_get_trusted_domain
;
1430 (*pdb_method
)->get_trusted_domain_by_sid
= ipasam_get_trusted_domain_by_sid
;
1431 (*pdb_method
)->set_trusted_domain
= ipasam_set_trusted_domain
;
1432 (*pdb_method
)->del_trusted_domain
= ipasam_del_trusted_domain
;
1433 (*pdb_method
)->enum_trusted_domains
= ipasam_enum_trusted_domains
;
1435 return NT_STATUS_OK
;
1438 NTSTATUS
pdb_ipa_init(void)
1442 if (!NT_STATUS_IS_OK(nt_status
= smb_register_passdb(PASSDB_INTERFACE_VERSION
, "IPA_ldapsam", pdb_init_IPA_ldapsam
)))
1445 return NT_STATUS_OK
;