search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:registry: do not use regdb functions during db upgrade
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / update_keytab.c
blob3658c1b3ce8bbd0f5f9e8d08f37f42a3bacc5161
1 /*
2 ldb database library
3
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2007
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /*
21 * Name: ldb
22 *
23 * Component: ldb update_keytabs module
24 *
25 * Description: Update keytabs whenever their matching secret record changes
26 *
27 * Author: Andrew Bartlett
28 */
29
30 #include "includes.h"
31 #include "ldb_module.h"
32 #include "lib/util/dlinklist.h"
33 #include "auth/credentials/credentials.h"
34 #include "auth/credentials/credentials_krb5.h"
35 #include "system/kerberos.h"
36 #include "auth/kerberos/kerberos.h"
37 #include "dsdb/samdb/ldb_modules/util.h"
38
39 struct dn_list {
40 struct ldb_message *msg;
41 bool do_delete;
42 struct dn_list *prev, *next;
43 };
44
45 struct update_kt_private {
46 struct dn_list *changed_dns;
47 };
48
49 struct update_kt_ctx {
50 struct ldb_module *module;
51 struct ldb_request *req;
52
53 struct ldb_dn *dn;
54 bool do_delete;
55
56 struct ldb_reply *op_reply;
57 bool found;
58 };
59
60 static struct update_kt_ctx *update_kt_ctx_init(struct ldb_module *module,
61 struct ldb_request *req)
62 {
63 struct update_kt_ctx *ac;
64
65 ac = talloc_zero(req, struct update_kt_ctx);
66 if (ac == NULL) {
67 ldb_oom(ldb_module_get_ctx(module));
68 return NULL;
69 }
70
71 ac->module = module;
72 ac->req = req;
73
74 return ac;
75 }
76
77 /* FIXME: too many semi-async searches here for my taste, direct and indirect as
78 * cli_credentials_set_secrets() performs a sync ldb search.
79 * Just hope we are lucky and nothing breaks (using the tdb backend masks a lot
80 * of async issues). -SSS
81 */
82 static int add_modified(struct ldb_module *module, struct ldb_dn *dn, bool do_delete,
83 struct ldb_request *parent)
84 {
85 struct ldb_context *ldb = ldb_module_get_ctx(module);
86 struct update_kt_private *data = talloc_get_type(ldb_module_get_private(module), struct update_kt_private);
87 struct dn_list *item;
88 char *filter;
89 struct ldb_result *res;
90 int ret;
91
92 filter = talloc_asprintf(data,
93 "(&(objectClass=kerberosSecret)(privateKeytab=*))");
94 if (!filter) {
95 return ldb_oom(ldb);
96 }
97
98 ret = dsdb_module_search(module, data, &res,
99 dn, LDB_SCOPE_BASE, NULL,
100 DSDB_FLAG_NEXT_MODULE, parent,
101 "%s", filter);
102 talloc_free(filter);
103 if (ret != LDB_SUCCESS) {
104 return ret;
105 }
106
107 if (res->count != 1) {
108 /* if it's not a kerberosSecret then we don't have anything to update */
109 talloc_free(res);
110 talloc_free(filter);
111 return LDB_SUCCESS;
112 }
113
114 item = talloc(data->changed_dns? (void *)data->changed_dns: (void *)data, struct dn_list);
115 if (!item) {
116 talloc_free(res);
117 talloc_free(filter);
118 return ldb_oom(ldb);
119 }
120
121 item->msg = talloc_steal(item, res->msgs[0]);
122 item->do_delete = do_delete;
123 talloc_free(res);
124
125 DLIST_ADD_END(data->changed_dns, item, struct dn_list *);
126 return LDB_SUCCESS;
127 }
128
129 static int ukt_search_modified(struct update_kt_ctx *ac);
130
131 static int update_kt_op_callback(struct ldb_request *req,
132 struct ldb_reply *ares)
133 {
134 struct ldb_context *ldb;
135 struct update_kt_ctx *ac;
136 int ret;
137
138 ac = talloc_get_type(req->context, struct update_kt_ctx);
139 ldb = ldb_module_get_ctx(ac->module);
140
141 if (!ares) {
142 return ldb_module_done(ac->req, NULL, NULL,
143 LDB_ERR_OPERATIONS_ERROR);
144 }
145 if (ares->error != LDB_SUCCESS) {
146 return ldb_module_done(ac->req, ares->controls,
147 ares->response, ares->error);
148 }
149
150 if (ares->type != LDB_REPLY_DONE) {
151 ldb_set_errstring(ldb, "Invalid request type!\n");
152 return ldb_module_done(ac->req, NULL, NULL,
153 LDB_ERR_OPERATIONS_ERROR);
154 }
155
156 if (ac->do_delete) {
157 return ldb_module_done(ac->req, ares->controls,
158 ares->response, LDB_SUCCESS);
159 }
160
161 ac->op_reply = talloc_steal(ac, ares);
162
163 ret = ukt_search_modified(ac);
164 if (ret != LDB_SUCCESS) {
165 return ldb_module_done(ac->req, NULL, NULL, ret);
166 }
167
168 return LDB_SUCCESS;
169 }
170
171 static int ukt_del_op(struct update_kt_ctx *ac)
172 {
173 struct ldb_context *ldb;
174 struct ldb_request *down_req;
175 int ret;
176
177 ldb = ldb_module_get_ctx(ac->module);
178
179 ret = ldb_build_del_req(&down_req, ldb, ac,
180 ac->dn,
181 ac->req->controls,
182 ac, update_kt_op_callback,
183 ac->req);
184 LDB_REQ_SET_LOCATION(down_req);
185 if (ret != LDB_SUCCESS) {
186 return ret;
187 }
188 return ldb_next_request(ac->module, down_req);
189 }
190
191 static int ukt_search_modified_callback(struct ldb_request *req,
192 struct ldb_reply *ares)
193 {
194 struct update_kt_ctx *ac;
195 int ret;
196
197 ac = talloc_get_type(req->context, struct update_kt_ctx);
198
199 if (!ares) {
200 return ldb_module_done(ac->req, NULL, NULL,
201 LDB_ERR_OPERATIONS_ERROR);
202 }
203 if (ares->error != LDB_SUCCESS) {
204 return ldb_module_done(ac->req, ares->controls,
205 ares->response, ares->error);
206 }
207
208 switch (ares->type) {
209 case LDB_REPLY_ENTRY:
210
211 ac->found = true;
212 break;
213
214 case LDB_REPLY_REFERRAL:
215 /* ignore */
216 break;
217
218 case LDB_REPLY_DONE:
219
220 if (ac->found) {
221 /* do the dirty sync job here :/ */
222 ret = add_modified(ac->module, ac->dn, ac->do_delete, ac->req);
223 }
224
225 if (ac->do_delete) {
226 ret = ukt_del_op(ac);
227 if (ret != LDB_SUCCESS) {
228 return ldb_module_done(ac->req,
229 NULL, NULL, ret);
230 }
231 break;
232 }
233
234 return ldb_module_done(ac->req, ac->op_reply->controls,
235 ac->op_reply->response, LDB_SUCCESS);
236 }
237
238 talloc_free(ares);
239 return LDB_SUCCESS;
240 }
241
242 static int ukt_search_modified(struct update_kt_ctx *ac)
243 {
244 struct ldb_context *ldb;
245 static const char * const no_attrs[] = { NULL };
246 struct ldb_request *search_req;
247 int ret;
248
249 ldb = ldb_module_get_ctx(ac->module);
250
251 ret = ldb_build_search_req(&search_req, ldb, ac,
252 ac->dn, LDB_SCOPE_BASE,
253 "(&(objectClass=kerberosSecret)"
254 "(privateKeytab=*))", no_attrs,
255 NULL,
256 ac, ukt_search_modified_callback,
257 ac->req);
258 LDB_REQ_SET_LOCATION(search_req);
259 if (ret != LDB_SUCCESS) {
260 return ret;
261 }
262 return ldb_next_request(ac->module, search_req);
263 }
264
265
266 /* add */
267 static int update_kt_add(struct ldb_module *module, struct ldb_request *req)
268 {
269 struct ldb_context *ldb;
270 struct update_kt_ctx *ac;
271 struct ldb_request *down_req;
272 int ret;
273
274 ldb = ldb_module_get_ctx(module);
275
276 ac = update_kt_ctx_init(module, req);
277 if (ac == NULL) {
278 return ldb_operr(ldb);
279 }
280
281 ac->dn = req->op.add.message->dn;
282
283 ret = ldb_build_add_req(&down_req, ldb, ac,
284 req->op.add.message,
285 req->controls,
286 ac, update_kt_op_callback,
287 req);
288 LDB_REQ_SET_LOCATION(down_req);
289 if (ret != LDB_SUCCESS) {
290 return ret;
291 }
292
293 return ldb_next_request(module, down_req);
294 }
295
296 /* modify */
297 static int update_kt_modify(struct ldb_module *module, struct ldb_request *req)
298 {
299 struct ldb_context *ldb;
300 struct update_kt_ctx *ac;
301 struct ldb_request *down_req;
302 int ret;
303
304 ldb = ldb_module_get_ctx(module);
305
306 ac = update_kt_ctx_init(module, req);
307 if (ac == NULL) {
308 return ldb_operr(ldb);
309 }
310
311 ac->dn = req->op.mod.message->dn;
312
313 ret = ldb_build_mod_req(&down_req, ldb, ac,
314 req->op.mod.message,
315 req->controls,
316 ac, update_kt_op_callback,
317 req);
318 LDB_REQ_SET_LOCATION(down_req);
319 if (ret != LDB_SUCCESS) {
320 return ret;
321 }
322
323 return ldb_next_request(module, down_req);
324 }
325
326 /* delete */
327 static int update_kt_delete(struct ldb_module *module, struct ldb_request *req)
328 {
329 struct update_kt_ctx *ac;
330
331 ac = update_kt_ctx_init(module, req);
332 if (ac == NULL) {
333 return ldb_operr(ldb_module_get_ctx(module));
334 }
335
336 ac->dn = req->op.del.dn;
337 ac->do_delete = true;
338
339 return ukt_search_modified(ac);
340 }
341
342 /* rename */
343 static int update_kt_rename(struct ldb_module *module, struct ldb_request *req)
344 {
345 struct ldb_context *ldb;
346 struct update_kt_ctx *ac;
347 struct ldb_request *down_req;
348 int ret;
349
350 ldb = ldb_module_get_ctx(module);
351
352 ac = update_kt_ctx_init(module, req);
353 if (ac == NULL) {
354 return ldb_operr(ldb);
355 }
356
357 ac->dn = req->op.rename.newdn;
358
359 ret = ldb_build_rename_req(&down_req, ldb, ac,
360 req->op.rename.olddn,
361 req->op.rename.newdn,
362 req->controls,
363 ac, update_kt_op_callback,
364 req);
365 LDB_REQ_SET_LOCATION(down_req);
366 if (ret != LDB_SUCCESS) {
367 return ret;
368 }
369
370 return ldb_next_request(module, down_req);
371 }
372
373 /* prepare for a commit */
374 static int update_kt_prepare_commit(struct ldb_module *module)
375 {
376 struct ldb_context *ldb = ldb_module_get_ctx(module);
377 struct update_kt_private *data = talloc_get_type(ldb_module_get_private(module), struct update_kt_private);
378 struct dn_list *p;
379 struct smb_krb5_context *smb_krb5_context;
380 int krb5_ret = smb_krb5_init_context(data, ldb_get_event_context(ldb), ldb_get_opaque(ldb, "loadparm"),
381 &smb_krb5_context);
382 if (krb5_ret != 0) {
383 talloc_free(data->changed_dns);
384 data->changed_dns = NULL;
385 ldb_asprintf_errstring(ldb, "Failed to setup krb5_context: %s", error_message(krb5_ret));
386 return LDB_ERR_OPERATIONS_ERROR;
387 }
388
389 ldb = ldb_module_get_ctx(module);
390
391 for (p=data->changed_dns; p; p = p->next) {
392 const char *error_string;
393 krb5_ret = smb_krb5_update_keytab(data, smb_krb5_context, ldb, p->msg, p->do_delete, &error_string);
394 if (krb5_ret != 0) {
395 talloc_free(data->changed_dns);
396 data->changed_dns = NULL;
397 ldb_asprintf_errstring(ldb, "Failed to update keytab from entry %s in %s: %s",
398 ldb_dn_get_linearized(p->msg->dn),
399 (const char *)ldb_get_opaque(ldb, "ldb_url"),
400 error_string);
401 return LDB_ERR_OPERATIONS_ERROR;
402 }
403 }
404
405 talloc_free(data->changed_dns);
406 data->changed_dns = NULL;
407
408 return ldb_next_prepare_commit(module);
409 }
410
411 /* end a transaction */
412 static int update_kt_del_trans(struct ldb_module *module)
413 {
414 struct update_kt_private *data = talloc_get_type(ldb_module_get_private(module), struct update_kt_private);
415
416 talloc_free(data->changed_dns);
417 data->changed_dns = NULL;
418
419 return ldb_next_del_trans(module);
420 }
421
422 static int update_kt_init(struct ldb_module *module)
423 {
424 struct ldb_context *ldb;
425 struct update_kt_private *data;
426
427 ldb = ldb_module_get_ctx(module);
428
429 data = talloc(module, struct update_kt_private);
430 if (data == NULL) {
431 return ldb_oom(ldb);
432 }
433
434 data->changed_dns = NULL;
435
436 ldb_module_set_private(module, data);
437
438 return ldb_next_init(module);
439 }
440
441 static const struct ldb_module_ops ldb_update_keytab_module_ops = {
442 .name = "update_keytab",
443 .init_context = update_kt_init,
444 .add = update_kt_add,
445 .modify = update_kt_modify,
446 .rename = update_kt_rename,
447 .del = update_kt_delete,
448 .prepare_commit = update_kt_prepare_commit,
449 .del_transaction = update_kt_del_trans,
450 };
451
452 int ldb_update_keytab_module_init(const char *version)
453 {
454 LDB_MODULE_CHECK_VERSION(version);
455 return ldb_register_module(&ldb_update_keytab_module_ops);
456 }
reg import