search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libcli/smb: pass smbXcli_tcon to smb2cli_write*()
[Samba/gebeck_regimport.git] / source3 / passdb / pdb_interface.c
blob7a73fbfacf0225933a299fb052d6c6410c291cc8
1 /*
2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Jelmer Vernooij 2002
6 Copyright (C) Simo Sorce 2003
7 Copyright (C) Volker Lendecke 2006
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/passwd.h"
25 #include "passdb.h"
26 #include "secrets.h"
27 #include "messages.h"
28 #include "../librpc/gen_ndr/samr.h"
29 #include "../librpc/gen_ndr/drsblobs.h"
30 #include "../librpc/gen_ndr/ndr_drsblobs.h"
31 #include "../librpc/gen_ndr/idmap.h"
32 #include "memcache.h"
33 #include "nsswitch/winbind_client.h"
34 #include "../libcli/security/security.h"
35 #include "../lib/util/util_pw.h"
36 #include "passdb/pdb_secrets.h"
37
38 #undef DBGC_CLASS
39 #define DBGC_CLASS DBGC_PASSDB
40
41 static_decl_pdb;
42
43 static struct pdb_init_function_entry *backends = NULL;
44
45 static void lazy_initialize_passdb(void)
46 {
47 static bool initialized = False;
48 if(initialized) {
49 return;
50 }
51 static_init_pdb;
52 initialized = True;
53 }
54
55 static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
56 const char **name,
57 enum lsa_SidType *psid_name_use,
58 uid_t *uid, gid_t *gid);
59
60 NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
61 {
62 struct pdb_init_function_entry *entry = backends;
63
64 if(version != PASSDB_INTERFACE_VERSION) {
65 DEBUG(0,("Can't register passdb backend!\n"
66 "You tried to register a passdb module with PASSDB_INTERFACE_VERSION %d, "
67 "while this version of samba uses version %d\n",
68 version,PASSDB_INTERFACE_VERSION));
69 return NT_STATUS_OBJECT_TYPE_MISMATCH;
70 }
71
72 if (!name || !init) {
73 return NT_STATUS_INVALID_PARAMETER;
74 }
75
76 DEBUG(5,("Attempting to register passdb backend %s\n", name));
77
78 /* Check for duplicates */
79 if (pdb_find_backend_entry(name)) {
80 DEBUG(0,("There already is a passdb backend registered with the name %s!\n", name));
81 return NT_STATUS_OBJECT_NAME_COLLISION;
82 }
83
84 entry = SMB_XMALLOC_P(struct pdb_init_function_entry);
85 entry->name = smb_xstrdup(name);
86 entry->init = init;
87
88 DLIST_ADD(backends, entry);
89 DEBUG(5,("Successfully added passdb backend '%s'\n", name));
90 return NT_STATUS_OK;
91 }
92
93 struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
94 {
95 struct pdb_init_function_entry *entry = backends;
96
97 while(entry) {
98 if (strcmp(entry->name, name)==0) return entry;
99 entry = entry->next;
100 }
101
102 return NULL;
103 }
104
105 const struct pdb_init_function_entry *pdb_get_backends(void)
106 {
107 return backends;
108 }
109
110
111 /*
112 * The event context for the passdb backend. I know this is a bad hack and yet
113 * another static variable, but our pdb API is a global thing per
114 * definition. The first use for this is the LDAP idle function, more might be
115 * added later.
116 *
117 * I don't feel too bad about this static variable, it replaces the
118 * smb_idle_event_list that used to exist in lib/module.c. -- VL
119 */
120
121 static struct tevent_context *pdb_tevent_ctx;
122
123 struct tevent_context *pdb_get_tevent_context(void)
124 {
125 return pdb_tevent_ctx;
126 }
127
128 /******************************************************************
129 Make a pdb_methods from scratch
130 *******************************************************************/
131
132 NTSTATUS make_pdb_method_name(struct pdb_methods **methods, const char *selected)
133 {
134 char *module_name = smb_xstrdup(selected);
135 char *module_location = NULL, *p;
136 struct pdb_init_function_entry *entry;
137 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
138
139 lazy_initialize_passdb();
140
141 p = strchr(module_name, ':');
142
143 if (p) {
144 *p = 0;
145 module_location = p+1;
146 trim_char(module_location, ' ', ' ');
147 }
148
149 trim_char(module_name, ' ', ' ');
150
151
152 DEBUG(5,("Attempting to find a passdb backend to match %s (%s)\n", selected, module_name));
153
154 entry = pdb_find_backend_entry(module_name);
155
156 /* Try to find a module that contains this module */
157 if (!entry) {
158 DEBUG(2,("No builtin backend found, trying to load plugin\n"));
159 if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) {
160 DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name));
161 SAFE_FREE(module_name);
162 return NT_STATUS_UNSUCCESSFUL;
163 }
164 }
165
166 /* No such backend found */
167 if(!entry) {
168 DEBUG(0,("No builtin nor plugin backend for %s found\n", module_name));
169 SAFE_FREE(module_name);
170 return NT_STATUS_INVALID_PARAMETER;
171 }
172
173 DEBUG(5,("Found pdb backend %s\n", module_name));
174
175 if ( !NT_STATUS_IS_OK( nt_status = entry->init(methods, module_location) ) ) {
176 DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n",
177 selected, nt_errstr(nt_status)));
178 SAFE_FREE(module_name);
179 return nt_status;
180 }
181
182 SAFE_FREE(module_name);
183
184 DEBUG(5,("pdb backend %s has a valid init\n", selected));
185
186 return nt_status;
187 }
188
189 /******************************************************************
190 Return an already initialized pdb_methods structure
191 *******************************************************************/
192
193 static struct pdb_methods *pdb_get_methods_reload( bool reload )
194 {
195 static struct pdb_methods *pdb = NULL;
196
197 if ( pdb && reload ) {
198 if (pdb->free_private_data != NULL) {
199 pdb->free_private_data( &(pdb->private_data) );
200 }
201 if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
202 return NULL;
203 }
204 }
205
206 if ( !pdb ) {
207 if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
208 return NULL;
209 }
210 }
211
212 return pdb;
213 }
214
215 static struct pdb_methods *pdb_get_methods(void)
216 {
217 struct pdb_methods *pdb;
218
219 pdb = pdb_get_methods_reload(false);
220 if (!pdb) {
221 char *msg = NULL;
222 if (asprintf(&msg, "pdb_get_methods: "
223 "failed to get pdb methods for backend %s\n",
224 lp_passdb_backend()) > 0) {
225 smb_panic(msg);
226 } else {
227 smb_panic("pdb_get_methods");
228 }
229 }
230
231 return pdb;
232 }
233
234 struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX *mem_ctx)
235 {
236 struct pdb_methods *pdb = pdb_get_methods();
237 return pdb->get_domain_info(pdb, mem_ctx);
238 }
239
240 /**
241 * @brief Check if the user account has been locked out and try to unlock it.
242 *
243 * If the user has been automatically locked out and a lockout duration is set,
244 * then check if we can unlock the account and reset the bad password values.
245 *
246 * @param[in] sampass The sam user to check.
247 *
248 * @return True if the function was successfull, false on an error.
249 */
250 static bool pdb_try_account_unlock(struct samu *sampass)
251 {
252 uint32_t acb_info = pdb_get_acct_ctrl(sampass);
253
254 if ((acb_info & ACB_NORMAL) && (acb_info & ACB_AUTOLOCK)) {
255 uint32_t lockout_duration;
256 time_t bad_password_time;
257 time_t now = time(NULL);
258 bool ok;
259
260 ok = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
261 &lockout_duration);
262 if (!ok) {
263 DEBUG(0, ("pdb_try_account_unlock: "
264 "pdb_get_account_policy failed.\n"));
265 return false;
266 }
267
268 if (lockout_duration == (uint32_t) -1 ||
269 lockout_duration == 0) {
270 DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
271 "can't reset autolock\n"));
272 return false;
273 }
274 lockout_duration *= 60;
275
276 bad_password_time = pdb_get_bad_password_time(sampass);
277 if (bad_password_time == (time_t) 0) {
278 DEBUG(2, ("pdb_try_account_unlock: Account %s "
279 "administratively locked out "
280 "with no bad password "
281 "time. Leaving locked out.\n",
282 pdb_get_username(sampass)));
283 return true;
284 }
285
286 if ((bad_password_time +
287 convert_uint32_t_to_time_t(lockout_duration)) < now) {
288 NTSTATUS status;
289
290 pdb_set_acct_ctrl(sampass, acb_info & ~ACB_AUTOLOCK,
291 PDB_CHANGED);
292 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
293 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
294
295 become_root();
296 status = pdb_update_sam_account(sampass);
297 unbecome_root();
298 if (!NT_STATUS_IS_OK(status)) {
299 DEBUG(0, ("_samr_OpenUser: Couldn't "
300 "update account %s - %s\n",
301 pdb_get_username(sampass),
302 nt_errstr(status)));
303 return false;
304 }
305 }
306 }
307
308 return true;
309 }
310
311 /**
312 * @brief Get a sam user structure by the given username.
313 *
314 * This functions also checks if the account has been automatically locked out
315 * and unlocks it if a lockout duration time has been defined and the time has
316 * elapsed.
317 *
318 * @param[in] sam_acct The sam user structure to fill.
319 *
320 * @param[in] username The username to look for.
321 *
322 * @return True on success, false on error.
323 */
324 bool pdb_getsampwnam(struct samu *sam_acct, const char *username)
325 {
326 struct pdb_methods *pdb = pdb_get_methods();
327 struct samu *for_cache;
328 const struct dom_sid *user_sid;
329 NTSTATUS status;
330 bool ok;
331
332 status = pdb->getsampwnam(pdb, sam_acct, username);
333 if (!NT_STATUS_IS_OK(status)) {
334 return false;
335 }
336
337 ok = pdb_try_account_unlock(sam_acct);
338 if (!ok) {
339 DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
340 username));
341 }
342
343 for_cache = samu_new(NULL);
344 if (for_cache == NULL) {
345 return False;
346 }
347
348 if (!pdb_copy_sam_account(for_cache, sam_acct)) {
349 TALLOC_FREE(for_cache);
350 return False;
351 }
352
353 user_sid = pdb_get_user_sid(for_cache);
354
355 memcache_add_talloc(NULL, PDB_GETPWSID_CACHE,
356 data_blob_const(user_sid, sizeof(*user_sid)),
357 &for_cache);
358
359 return True;
360 }
361
362 /**********************************************************************
363 **********************************************************************/
364
365 static bool guest_user_info( struct samu *user )
366 {
367 struct passwd *pwd;
368 NTSTATUS result;
369 const char *guestname = lp_guestaccount();
370
371 pwd = Get_Pwnam_alloc(talloc_tos(), guestname);
372 if (pwd == NULL) {
373 DEBUG(0,("guest_user_info: Unable to locate guest account [%s]!\n",
374 guestname));
375 return False;
376 }
377
378 result = samu_set_unix(user, pwd );
379
380 TALLOC_FREE( pwd );
381
382 return NT_STATUS_IS_OK( result );
383 }
384
385 /**
386 * @brief Get a sam user structure by the given username.
387 *
388 * This functions also checks if the account has been automatically locked out
389 * and unlocks it if a lockout duration time has been defined and the time has
390 * elapsed.
391 *
392 *
393 * @param[in] sam_acct The sam user structure to fill.
394 *
395 * @param[in] sid The user SDI to look up.
396 *
397 * @return True on success, false on error.
398 */
399 bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
400 {
401 struct pdb_methods *pdb = pdb_get_methods();
402 uint32_t rid;
403 void *cache_data;
404 bool ok = false;
405
406 /* hard code the Guest RID of 501 */
407
408 if ( !sid_peek_check_rid( get_global_sam_sid(), sid, &rid ) )
409 return False;
410
411 if ( rid == DOMAIN_RID_GUEST ) {
412 DEBUG(6,("pdb_getsampwsid: Building guest account\n"));
413 return guest_user_info( sam_acct );
414 }
415
416 /* check the cache first */
417
418 cache_data = memcache_lookup_talloc(
419 NULL, PDB_GETPWSID_CACHE, data_blob_const(sid, sizeof(*sid)));
420
421 if (cache_data != NULL) {
422 struct samu *cache_copy = talloc_get_type_abort(
423 cache_data, struct samu);
424
425 ok = pdb_copy_sam_account(sam_acct, cache_copy);
426 } else {
427 ok = NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
428 }
429
430 if (!ok) {
431 return false;
432 }
433
434 ok = pdb_try_account_unlock(sam_acct);
435 if (!ok) {
436 DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
437 sam_acct->username));
438 }
439
440 return true;
441 }
442
443 static NTSTATUS pdb_default_create_user(struct pdb_methods *methods,
444 TALLOC_CTX *tmp_ctx, const char *name,
445 uint32_t acb_info, uint32_t *rid)
446 {
447 struct samu *sam_pass;
448 NTSTATUS status;
449 struct passwd *pwd;
450
451 if ((sam_pass = samu_new(tmp_ctx)) == NULL) {
452 return NT_STATUS_NO_MEMORY;
453 }
454
455 if ( !(pwd = Get_Pwnam_alloc(tmp_ctx, name)) ) {
456 char *add_script = NULL;
457 int add_ret;
458 fstring name2;
459
460 if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] != '$') {
461 add_script = lp_adduser_script(tmp_ctx);
462 } else {
463 add_script = lp_addmachine_script(tmp_ctx);
464 }
465
466 if (!add_script || add_script[0] == '\0') {
467 DEBUG(3, ("Could not find user %s and no add script "
468 "defined\n", name));
469 return NT_STATUS_NO_SUCH_USER;
470 }
471
472 /* lowercase the username before creating the Unix account for
473 compatibility with previous Samba releases */
474 fstrcpy( name2, name );
475 strlower_m( name2 );
476 add_script = talloc_all_string_sub(tmp_ctx,
477 add_script,
478 "%u",
479 name2);
480 if (!add_script) {
481 return NT_STATUS_NO_MEMORY;
482 }
483 add_ret = smbrun(add_script,NULL);
484 DEBUG(add_ret ? 0 : 3, ("_samr_create_user: Running the command `%s' gave %d\n",
485 add_script, add_ret));
486 if (add_ret == 0) {
487 smb_nscd_flush_user_cache();
488 }
489
490 flush_pwnam_cache();
491
492 pwd = Get_Pwnam_alloc(tmp_ctx, name);
493
494 if(pwd == NULL) {
495 DEBUG(3, ("Could not find user %s, add script did not work\n", name));
496 return NT_STATUS_NO_SUCH_USER;
497 }
498 }
499
500 /* we have a valid SID coming out of this call */
501
502 status = samu_alloc_rid_unix(methods, sam_pass, pwd);
503
504 TALLOC_FREE( pwd );
505
506 if (!NT_STATUS_IS_OK(status)) {
507 DEBUG(3, ("pdb_default_create_user: failed to create a new user structure: %s\n", nt_errstr(status)));
508 return status;
509 }
510
511 if (!sid_peek_check_rid(get_global_sam_sid(),
512 pdb_get_user_sid(sam_pass), rid)) {
513 DEBUG(0, ("Could not get RID of fresh user\n"));
514 return NT_STATUS_INTERNAL_ERROR;
515 }
516
517 /* Use the username case specified in the original request */
518
519 pdb_set_username( sam_pass, name, PDB_SET );
520
521 /* Disable the account on creation, it does not have a reasonable password yet. */
522
523 acb_info |= ACB_DISABLED;
524
525 pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
526
527 status = methods->add_sam_account(methods, sam_pass);
528
529 TALLOC_FREE(sam_pass);
530
531 return status;
532 }
533
534 NTSTATUS pdb_create_user(TALLOC_CTX *mem_ctx, const char *name, uint32_t flags,
535 uint32_t *rid)
536 {
537 struct pdb_methods *pdb = pdb_get_methods();
538 return pdb->create_user(pdb, mem_ctx, name, flags, rid);
539 }
540
541 /****************************************************************************
542 Delete a UNIX user on demand.
543 ****************************************************************************/
544
545 static int smb_delete_user(const char *unix_user)
546 {
547 char *del_script = NULL;
548 int ret;
549
550 /* safety check */
551
552 if ( strequal( unix_user, "root" ) ) {
553 DEBUG(0,("smb_delete_user: Refusing to delete local system root account!\n"));
554 return -1;
555 }
556
557 del_script = lp_deluser_script(talloc_tos());
558 if (!del_script || !*del_script) {
559 return -1;
560 }
561 del_script = talloc_all_string_sub(talloc_tos(),
562 del_script,
563 "%u",
564 unix_user);
565 if (!del_script) {
566 return -1;
567 }
568 ret = smbrun(del_script,NULL);
569 flush_pwnam_cache();
570 if (ret == 0) {
571 smb_nscd_flush_user_cache();
572 }
573 DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
574
575 return ret;
576 }
577
578 static NTSTATUS pdb_default_delete_user(struct pdb_methods *methods,
579 TALLOC_CTX *mem_ctx,
580 struct samu *sam_acct)
581 {
582 NTSTATUS status;
583 fstring username;
584
585 status = methods->delete_sam_account(methods, sam_acct);
586 if (!NT_STATUS_IS_OK(status)) {
587 return status;
588 }
589
590 /*
591 * Now delete the unix side ....
592 * note: we don't check if the delete really happened as the script is
593 * not necessary present and maybe the sysadmin doesn't want to delete
594 * the unix side
595 */
596
597 /* always lower case the username before handing it off to
598 external scripts */
599
600 fstrcpy( username, pdb_get_username(sam_acct) );
601 strlower_m( username );
602
603 smb_delete_user( username );
604
605 return status;
606 }
607
608 NTSTATUS pdb_delete_user(TALLOC_CTX *mem_ctx, struct samu *sam_acct)
609 {
610 struct pdb_methods *pdb = pdb_get_methods();
611 uid_t uid = -1;
612 NTSTATUS status;
613 const struct dom_sid *user_sid;
614 char *msg_data;
615
616 user_sid = pdb_get_user_sid(sam_acct);
617
618 /* sanity check to make sure we don't delete root */
619
620 if ( !sid_to_uid(user_sid, &uid ) ) {
621 return NT_STATUS_NO_SUCH_USER;
622 }
623
624 if ( uid == 0 ) {
625 return NT_STATUS_ACCESS_DENIED;
626 }
627
628 memcache_delete(NULL,
629 PDB_GETPWSID_CACHE,
630 data_blob_const(user_sid, sizeof(*user_sid)));
631
632 status = pdb->delete_user(pdb, mem_ctx, sam_acct);
633 if (!NT_STATUS_IS_OK(status)) {
634 return status;
635 }
636
637 msg_data = talloc_asprintf(mem_ctx, "USER %s",
638 pdb_get_username(sam_acct));
639 if (!msg_data) {
640 /* not fatal, and too late to rollback,
641 * just return */
642 return status;
643 }
644 message_send_all(server_messaging_context(),
645 ID_CACHE_DELETE,
646 msg_data,
647 strlen(msg_data) + 1,
648 NULL);
649
650 TALLOC_FREE(msg_data);
651 return status;
652 }
653
654 NTSTATUS pdb_add_sam_account(struct samu *sam_acct)
655 {
656 struct pdb_methods *pdb = pdb_get_methods();
657 return pdb->add_sam_account(pdb, sam_acct);
658 }
659
660 NTSTATUS pdb_update_sam_account(struct samu *sam_acct)
661 {
662 struct pdb_methods *pdb = pdb_get_methods();
663
664 memcache_flush(NULL, PDB_GETPWSID_CACHE);
665
666 return pdb->update_sam_account(pdb, sam_acct);
667 }
668
669 NTSTATUS pdb_delete_sam_account(struct samu *sam_acct)
670 {
671 struct pdb_methods *pdb = pdb_get_methods();
672 const struct dom_sid *user_sid = pdb_get_user_sid(sam_acct);
673
674 memcache_delete(NULL,
675 PDB_GETPWSID_CACHE,
676 data_blob_const(user_sid, sizeof(*user_sid)));
677
678 return pdb->delete_sam_account(pdb, sam_acct);
679 }
680
681 NTSTATUS pdb_rename_sam_account(struct samu *oldname, const char *newname)
682 {
683 struct pdb_methods *pdb = pdb_get_methods();
684 uid_t uid;
685 NTSTATUS status;
686
687 memcache_flush(NULL, PDB_GETPWSID_CACHE);
688
689 /* sanity check to make sure we don't rename root */
690
691 if ( !sid_to_uid( pdb_get_user_sid(oldname), &uid ) ) {
692 return NT_STATUS_NO_SUCH_USER;
693 }
694
695 if ( uid == 0 ) {
696 return NT_STATUS_ACCESS_DENIED;
697 }
698
699 status = pdb->rename_sam_account(pdb, oldname, newname);
700
701 /* always flush the cache here just to be safe */
702 flush_pwnam_cache();
703
704 return status;
705 }
706
707 NTSTATUS pdb_update_login_attempts(struct samu *sam_acct, bool success)
708 {
709 struct pdb_methods *pdb = pdb_get_methods();
710 return pdb->update_login_attempts(pdb, sam_acct, success);
711 }
712
713 bool pdb_getgrsid(GROUP_MAP *map, struct dom_sid sid)
714 {
715 struct pdb_methods *pdb = pdb_get_methods();
716 return NT_STATUS_IS_OK(pdb->getgrsid(pdb, map, sid));
717 }
718
719 bool pdb_getgrgid(GROUP_MAP *map, gid_t gid)
720 {
721 struct pdb_methods *pdb = pdb_get_methods();
722 return NT_STATUS_IS_OK(pdb->getgrgid(pdb, map, gid));
723 }
724
725 bool pdb_getgrnam(GROUP_MAP *map, const char *name)
726 {
727 struct pdb_methods *pdb = pdb_get_methods();
728 return NT_STATUS_IS_OK(pdb->getgrnam(pdb, map, name));
729 }
730
731 static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods,
732 TALLOC_CTX *mem_ctx,
733 const char *name,
734 uint32_t *rid)
735 {
736 struct dom_sid group_sid;
737 struct group *grp;
738 fstring tmp;
739
740 grp = getgrnam(name);
741
742 if (grp == NULL) {
743 gid_t gid;
744
745 if (smb_create_group(name, &gid) != 0) {
746 return NT_STATUS_ACCESS_DENIED;
747 }
748
749 grp = getgrgid(gid);
750 }
751
752 if (grp == NULL) {
753 return NT_STATUS_ACCESS_DENIED;
754 }
755
756 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
757 if (!pdb_new_rid(rid)) {
758 return NT_STATUS_ACCESS_DENIED;
759 }
760 } else {
761 *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
762 }
763
764 sid_compose(&group_sid, get_global_sam_sid(), *rid);
765
766 return add_initial_entry(grp->gr_gid, sid_to_fstring(tmp, &group_sid),
767 SID_NAME_DOM_GRP, name, NULL);
768 }
769
770 NTSTATUS pdb_create_dom_group(TALLOC_CTX *mem_ctx, const char *name,
771 uint32_t *rid)
772 {
773 struct pdb_methods *pdb = pdb_get_methods();
774 return pdb->create_dom_group(pdb, mem_ctx, name, rid);
775 }
776
777 static NTSTATUS pdb_default_delete_dom_group(struct pdb_methods *methods,
778 TALLOC_CTX *mem_ctx,
779 uint32_t rid)
780 {
781 struct dom_sid group_sid;
782 GROUP_MAP *map;
783 NTSTATUS status;
784 struct group *grp;
785 const char *grp_name;
786
787 map = talloc_zero(mem_ctx, GROUP_MAP);
788 if (!map) {
789 return NT_STATUS_NO_MEMORY;
790 }
791
792 /* coverity */
793 map->gid = (gid_t) -1;
794
795 sid_compose(&group_sid, get_global_sam_sid(), rid);
796
797 if (!get_domain_group_from_sid(group_sid, map)) {
798 DEBUG(10, ("Could not find group for rid %d\n", rid));
799 return NT_STATUS_NO_SUCH_GROUP;
800 }
801
802 /* We need the group name for the smb_delete_group later on */
803
804 if (map->gid == (gid_t)-1) {
805 return NT_STATUS_NO_SUCH_GROUP;
806 }
807
808 grp = getgrgid(map->gid);
809 if (grp == NULL) {
810 return NT_STATUS_NO_SUCH_GROUP;
811 }
812
813 TALLOC_FREE(map);
814
815 /* Copy the name, no idea what pdb_delete_group_mapping_entry does.. */
816
817 grp_name = talloc_strdup(mem_ctx, grp->gr_name);
818 if (grp_name == NULL) {
819 return NT_STATUS_NO_MEMORY;
820 }
821
822 status = pdb_delete_group_mapping_entry(group_sid);
823
824 if (!NT_STATUS_IS_OK(status)) {
825 return status;
826 }
827
828 /* Don't check the result of smb_delete_group */
829
830 smb_delete_group(grp_name);
831
832 return NT_STATUS_OK;
833 }
834
835 NTSTATUS pdb_delete_dom_group(TALLOC_CTX *mem_ctx, uint32_t rid)
836 {
837 struct pdb_methods *pdb = pdb_get_methods();
838 return pdb->delete_dom_group(pdb, mem_ctx, rid);
839 }
840
841 NTSTATUS pdb_add_group_mapping_entry(GROUP_MAP *map)
842 {
843 struct pdb_methods *pdb = pdb_get_methods();
844 return pdb->add_group_mapping_entry(pdb, map);
845 }
846
847 NTSTATUS pdb_update_group_mapping_entry(GROUP_MAP *map)
848 {
849 struct pdb_methods *pdb = pdb_get_methods();
850 return pdb->update_group_mapping_entry(pdb, map);
851 }
852
853 NTSTATUS pdb_delete_group_mapping_entry(struct dom_sid sid)
854 {
855 struct pdb_methods *pdb = pdb_get_methods();
856 return pdb->delete_group_mapping_entry(pdb, sid);
857 }
858
859 bool pdb_enum_group_mapping(const struct dom_sid *sid,
860 enum lsa_SidType sid_name_use,
861 GROUP_MAP ***pp_rmap,
862 size_t *p_num_entries,
863 bool unix_only)
864 {
865 struct pdb_methods *pdb = pdb_get_methods();
866 return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
867 pp_rmap, p_num_entries, unix_only));
868 }
869
870 NTSTATUS pdb_enum_group_members(TALLOC_CTX *mem_ctx,
871 const struct dom_sid *sid,
872 uint32_t **pp_member_rids,
873 size_t *p_num_members)
874 {
875 struct pdb_methods *pdb = pdb_get_methods();
876 NTSTATUS result;
877
878 result = pdb->enum_group_members(pdb, mem_ctx,
879 sid, pp_member_rids, p_num_members);
880
881 /* special check for rid 513 */
882
883 if ( !NT_STATUS_IS_OK( result ) ) {
884 uint32_t rid;
885
886 sid_peek_rid( sid, &rid );
887
888 if ( rid == DOMAIN_RID_USERS ) {
889 *p_num_members = 0;
890 *pp_member_rids = NULL;
891
892 return NT_STATUS_OK;
893 }
894 }
895
896 return result;
897 }
898
899 NTSTATUS pdb_enum_group_memberships(TALLOC_CTX *mem_ctx, struct samu *user,
900 struct dom_sid **pp_sids, gid_t **pp_gids,
901 uint32_t *p_num_groups)
902 {
903 struct pdb_methods *pdb = pdb_get_methods();
904 return pdb->enum_group_memberships(
905 pdb, mem_ctx, user,
906 pp_sids, pp_gids, p_num_groups);
907 }
908
909 static NTSTATUS pdb_default_set_unix_primary_group(struct pdb_methods *methods,
910 TALLOC_CTX *mem_ctx,
911 struct samu *sampass)
912 {
913 struct group *grp;
914 gid_t gid;
915
916 if (!sid_to_gid(pdb_get_group_sid(sampass), &gid) ||
917 (grp = getgrgid(gid)) == NULL) {
918 return NT_STATUS_INVALID_PRIMARY_GROUP;
919 }
920
921 if (smb_set_primary_group(grp->gr_name,
922 pdb_get_username(sampass)) != 0) {
923 return NT_STATUS_ACCESS_DENIED;
924 }
925
926 return NT_STATUS_OK;
927 }
928
929 NTSTATUS pdb_set_unix_primary_group(TALLOC_CTX *mem_ctx, struct samu *user)
930 {
931 struct pdb_methods *pdb = pdb_get_methods();
932 return pdb->set_unix_primary_group(pdb, mem_ctx, user);
933 }
934
935 /*
936 * Helper function to see whether a user is in a group. We can't use
937 * user_in_group_sid here because this creates dependencies only smbd can
938 * fulfil.
939 */
940
941 static bool pdb_user_in_group(TALLOC_CTX *mem_ctx, struct samu *account,
942 const struct dom_sid *group_sid)
943 {
944 struct dom_sid *sids;
945 gid_t *gids;
946 uint32_t i, num_groups;
947
948 if (!NT_STATUS_IS_OK(pdb_enum_group_memberships(mem_ctx, account,
949 &sids, &gids,
950 &num_groups))) {
951 return False;
952 }
953
954 for (i=0; i<num_groups; i++) {
955 if (dom_sid_equal(group_sid, &sids[i])) {
956 return True;
957 }
958 }
959 return False;
960 }
961
962 static NTSTATUS pdb_default_add_groupmem(struct pdb_methods *methods,
963 TALLOC_CTX *mem_ctx,
964 uint32_t group_rid,
965 uint32_t member_rid)
966 {
967 struct dom_sid group_sid, member_sid;
968 struct samu *account = NULL;
969 GROUP_MAP *map;
970 struct group *grp;
971 struct passwd *pwd;
972 const char *group_name;
973 uid_t uid;
974
975 map = talloc_zero(mem_ctx, GROUP_MAP);
976 if (!map) {
977 return NT_STATUS_NO_MEMORY;
978 }
979
980 /* coverity */
981 map->gid = (gid_t) -1;
982
983 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
984 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
985
986 if (!get_domain_group_from_sid(group_sid, map) ||
987 (map->gid == (gid_t)-1) ||
988 ((grp = getgrgid(map->gid)) == NULL)) {
989 return NT_STATUS_NO_SUCH_GROUP;
990 }
991
992 TALLOC_FREE(map);
993
994 group_name = talloc_strdup(mem_ctx, grp->gr_name);
995 if (group_name == NULL) {
996 return NT_STATUS_NO_MEMORY;
997 }
998
999 if ( !(account = samu_new( NULL )) ) {
1000 return NT_STATUS_NO_MEMORY;
1001 }
1002
1003 if (!pdb_getsampwsid(account, &member_sid) ||
1004 !sid_to_uid(&member_sid, &uid) ||
1005 ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1006 return NT_STATUS_NO_SUCH_USER;
1007 }
1008
1009 if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1010 return NT_STATUS_MEMBER_IN_GROUP;
1011 }
1012
1013 /*
1014 * ok, the group exist, the user exist, the user is not in the group,
1015 * we can (finally) add it to the group !
1016 */
1017
1018 smb_add_user_group(group_name, pwd->pw_name);
1019
1020 if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1021 return NT_STATUS_ACCESS_DENIED;
1022 }
1023
1024 return NT_STATUS_OK;
1025 }
1026
1027 NTSTATUS pdb_add_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1028 uint32_t member_rid)
1029 {
1030 struct pdb_methods *pdb = pdb_get_methods();
1031 return pdb->add_groupmem(pdb, mem_ctx, group_rid, member_rid);
1032 }
1033
1034 static NTSTATUS pdb_default_del_groupmem(struct pdb_methods *methods,
1035 TALLOC_CTX *mem_ctx,
1036 uint32_t group_rid,
1037 uint32_t member_rid)
1038 {
1039 struct dom_sid group_sid, member_sid;
1040 struct samu *account = NULL;
1041 GROUP_MAP *map;
1042 struct group *grp;
1043 struct passwd *pwd;
1044 const char *group_name;
1045 uid_t uid;
1046
1047 map = talloc_zero(mem_ctx, GROUP_MAP);
1048 if (!map) {
1049 return NT_STATUS_NO_MEMORY;
1050 }
1051
1052 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
1053 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
1054
1055 if (!get_domain_group_from_sid(group_sid, map) ||
1056 (map->gid == (gid_t)-1) ||
1057 ((grp = getgrgid(map->gid)) == NULL)) {
1058 return NT_STATUS_NO_SUCH_GROUP;
1059 }
1060
1061 TALLOC_FREE(map);
1062
1063 group_name = talloc_strdup(mem_ctx, grp->gr_name);
1064 if (group_name == NULL) {
1065 return NT_STATUS_NO_MEMORY;
1066 }
1067
1068 if ( !(account = samu_new( NULL )) ) {
1069 return NT_STATUS_NO_MEMORY;
1070 }
1071
1072 if (!pdb_getsampwsid(account, &member_sid) ||
1073 !sid_to_uid(&member_sid, &uid) ||
1074 ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1075 return NT_STATUS_NO_SUCH_USER;
1076 }
1077
1078 if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1079 return NT_STATUS_MEMBER_NOT_IN_GROUP;
1080 }
1081
1082 /*
1083 * ok, the group exist, the user exist, the user is in the group,
1084 * we can (finally) delete it from the group!
1085 */
1086
1087 smb_delete_user_group(group_name, pwd->pw_name);
1088
1089 if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1090 return NT_STATUS_ACCESS_DENIED;
1091 }
1092
1093 return NT_STATUS_OK;
1094 }
1095
1096 NTSTATUS pdb_del_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1097 uint32_t member_rid)
1098 {
1099 struct pdb_methods *pdb = pdb_get_methods();
1100 return pdb->del_groupmem(pdb, mem_ctx, group_rid, member_rid);
1101 }
1102
1103 NTSTATUS pdb_create_alias(const char *name, uint32_t *rid)
1104 {
1105 struct pdb_methods *pdb = pdb_get_methods();
1106 return pdb->create_alias(pdb, name, rid);
1107 }
1108
1109 NTSTATUS pdb_delete_alias(const struct dom_sid *sid)
1110 {
1111 struct pdb_methods *pdb = pdb_get_methods();
1112 return pdb->delete_alias(pdb, sid);
1113 }
1114
1115 NTSTATUS pdb_get_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1116 {
1117 struct pdb_methods *pdb = pdb_get_methods();
1118 return pdb->get_aliasinfo(pdb, sid, info);
1119 }
1120
1121 NTSTATUS pdb_set_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1122 {
1123 struct pdb_methods *pdb = pdb_get_methods();
1124 return pdb->set_aliasinfo(pdb, sid, info);
1125 }
1126
1127 NTSTATUS pdb_add_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1128 {
1129 struct pdb_methods *pdb = pdb_get_methods();
1130 return pdb->add_aliasmem(pdb, alias, member);
1131 }
1132
1133 NTSTATUS pdb_del_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1134 {
1135 struct pdb_methods *pdb = pdb_get_methods();
1136 return pdb->del_aliasmem(pdb, alias, member);
1137 }
1138
1139 NTSTATUS pdb_enum_aliasmem(const struct dom_sid *alias, TALLOC_CTX *mem_ctx,
1140 struct dom_sid **pp_members, size_t *p_num_members)
1141 {
1142 struct pdb_methods *pdb = pdb_get_methods();
1143 return pdb->enum_aliasmem(pdb, alias, mem_ctx, pp_members,
1144 p_num_members);
1145 }
1146
1147 NTSTATUS pdb_enum_alias_memberships(TALLOC_CTX *mem_ctx,
1148 const struct dom_sid *domain_sid,
1149 const struct dom_sid *members, size_t num_members,
1150 uint32_t **pp_alias_rids,
1151 size_t *p_num_alias_rids)
1152 {
1153 struct pdb_methods *pdb = pdb_get_methods();
1154 return pdb->enum_alias_memberships(pdb, mem_ctx,
1155 domain_sid,
1156 members, num_members,
1157 pp_alias_rids,
1158 p_num_alias_rids);
1159 }
1160
1161 NTSTATUS pdb_lookup_rids(const struct dom_sid *domain_sid,
1162 int num_rids,
1163 uint32_t *rids,
1164 const char **names,
1165 enum lsa_SidType *attrs)
1166 {
1167 struct pdb_methods *pdb = pdb_get_methods();
1168 return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs);
1169 }
1170
1171 bool pdb_get_account_policy(enum pdb_policy_type type, uint32_t *value)
1172 {
1173 struct pdb_methods *pdb = pdb_get_methods();
1174 NTSTATUS status;
1175
1176 become_root();
1177 status = pdb->get_account_policy(pdb, type, value);
1178 unbecome_root();
1179
1180 return NT_STATUS_IS_OK(status);
1181 }
1182
1183 bool pdb_set_account_policy(enum pdb_policy_type type, uint32_t value)
1184 {
1185 struct pdb_methods *pdb = pdb_get_methods();
1186 NTSTATUS status;
1187
1188 become_root();
1189 status = pdb->set_account_policy(pdb, type, value);
1190 unbecome_root();
1191
1192 return NT_STATUS_IS_OK(status);
1193 }
1194
1195 bool pdb_get_seq_num(time_t *seq_num)
1196 {
1197 struct pdb_methods *pdb = pdb_get_methods();
1198 return NT_STATUS_IS_OK(pdb->get_seq_num(pdb, seq_num));
1199 }
1200
1201 bool pdb_uid_to_sid(uid_t uid, struct dom_sid *sid)
1202 {
1203 struct pdb_methods *pdb = pdb_get_methods();
1204 return pdb->uid_to_sid(pdb, uid, sid);
1205 }
1206
1207 bool pdb_gid_to_sid(gid_t gid, struct dom_sid *sid)
1208 {
1209 struct pdb_methods *pdb = pdb_get_methods();
1210 return pdb->gid_to_sid(pdb, gid, sid);
1211 }
1212
1213 bool pdb_sid_to_id(const struct dom_sid *sid, struct unixid *id)
1214 {
1215 struct pdb_methods *pdb = pdb_get_methods();
1216 return pdb->sid_to_id(pdb, sid, id);
1217 }
1218
1219 uint32_t pdb_capabilities(void)
1220 {
1221 struct pdb_methods *pdb = pdb_get_methods();
1222 return pdb->capabilities(pdb);
1223 }
1224
1225 /********************************************************************
1226 Allocate a new RID from the passdb backend. Verify that it is free
1227 by calling lookup_global_sam_rid() to verify that the RID is not
1228 in use. This handles servers that have existing users or groups
1229 with add RIDs (assigned from previous algorithmic mappings)
1230 ********************************************************************/
1231
1232 bool pdb_new_rid(uint32_t *rid)
1233 {
1234 struct pdb_methods *pdb = pdb_get_methods();
1235 const char *name = NULL;
1236 enum lsa_SidType type;
1237 uint32_t allocated_rid = 0;
1238 int i;
1239 TALLOC_CTX *ctx;
1240
1241 if ((pdb_capabilities() & PDB_CAP_STORE_RIDS) == 0) {
1242 DEBUG(0, ("Trying to allocate a RID when algorithmic RIDs "
1243 "are active\n"));
1244 return False;
1245 }
1246
1247 if (algorithmic_rid_base() != BASE_RID) {
1248 DEBUG(0, ("'algorithmic rid base' is set but a passdb backend "
1249 "without algorithmic RIDs is chosen.\n"));
1250 DEBUGADD(0, ("Please map all used groups using 'net groupmap "
1251 "add', set the maximum used RID\n"));
1252 DEBUGADD(0, ("and remove the parameter\n"));
1253 return False;
1254 }
1255
1256 if ( (ctx = talloc_init("pdb_new_rid")) == NULL ) {
1257 DEBUG(0,("pdb_new_rid: Talloc initialization failure\n"));
1258 return False;
1259 }
1260
1261 /* Attempt to get an unused RID (max tires is 250...yes that it is
1262 and arbitrary number I pulkled out of my head). -- jerry */
1263
1264 for ( i=0; allocated_rid==0 && i<250; i++ ) {
1265 /* get a new RID */
1266
1267 if ( !pdb->new_rid(pdb, &allocated_rid) ) {
1268 return False;
1269 }
1270
1271 /* validate that the RID is not in use */
1272
1273 if (lookup_global_sam_rid(ctx, allocated_rid, &name, &type, NULL, NULL)) {
1274 allocated_rid = 0;
1275 }
1276 }
1277
1278 TALLOC_FREE( ctx );
1279
1280 if ( allocated_rid == 0 ) {
1281 DEBUG(0,("pdb_new_rid: Failed to find unused RID\n"));
1282 return False;
1283 }
1284
1285 *rid = allocated_rid;
1286
1287 return True;
1288 }
1289
1290 /***************************************************************
1291 Initialize the static context (at smbd startup etc).
1292
1293 If uninitialised, context will auto-init on first use.
1294 ***************************************************************/
1295
1296 bool initialize_password_db(bool reload, struct tevent_context *tevent_ctx)
1297 {
1298 pdb_tevent_ctx = tevent_ctx;
1299 return (pdb_get_methods_reload(reload) != NULL);
1300 }
1301
1302
1303 /***************************************************************************
1304 Default implementations of some functions.
1305 ****************************************************************************/
1306
1307 static NTSTATUS pdb_default_getsampwnam (struct pdb_methods *methods, struct samu *user, const char *sname)
1308 {
1309 return NT_STATUS_NO_SUCH_USER;
1310 }
1311
1312 static NTSTATUS pdb_default_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const struct dom_sid *sid)
1313 {
1314 return NT_STATUS_NO_SUCH_USER;
1315 }
1316
1317 static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1318 {
1319 return NT_STATUS_NOT_IMPLEMENTED;
1320 }
1321
1322 static NTSTATUS pdb_default_update_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1323 {
1324 return NT_STATUS_NOT_IMPLEMENTED;
1325 }
1326
1327 static NTSTATUS pdb_default_delete_sam_account (struct pdb_methods *methods, struct samu *pwd)
1328 {
1329 return NT_STATUS_NOT_IMPLEMENTED;
1330 }
1331
1332 static NTSTATUS pdb_default_rename_sam_account (struct pdb_methods *methods, struct samu *pwd, const char *newname)
1333 {
1334 return NT_STATUS_NOT_IMPLEMENTED;
1335 }
1336
1337 static NTSTATUS pdb_default_update_login_attempts (struct pdb_methods *methods, struct samu *newpwd, bool success)
1338 {
1339 /* Only the pdb_nds backend implements this, by
1340 * default just return ok. */
1341 return NT_STATUS_OK;
1342 }
1343
1344 static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t *value)
1345 {
1346 return account_policy_get(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1347 }
1348
1349 static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t value)
1350 {
1351 return account_policy_set(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1352 }
1353
1354 static NTSTATUS pdb_default_get_seq_num(struct pdb_methods *methods, time_t *seq_num)
1355 {
1356 *seq_num = time(NULL);
1357 return NT_STATUS_OK;
1358 }
1359
1360 static bool pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid,
1361 struct dom_sid *sid)
1362 {
1363 struct samu *sampw = NULL;
1364 struct passwd *unix_pw;
1365 bool ret;
1366
1367 unix_pw = getpwuid( uid );
1368
1369 if ( !unix_pw ) {
1370 DEBUG(4,("pdb_default_uid_to_sid: host has no idea of uid "
1371 "%lu\n", (unsigned long)uid));
1372 return False;
1373 }
1374
1375 if ( !(sampw = samu_new( NULL )) ) {
1376 DEBUG(0,("pdb_default_uid_to_sid: samu_new() failed!\n"));
1377 return False;
1378 }
1379
1380 become_root();
1381 ret = NT_STATUS_IS_OK(
1382 methods->getsampwnam(methods, sampw, unix_pw->pw_name ));
1383 unbecome_root();
1384
1385 if (!ret) {
1386 DEBUG(5, ("pdb_default_uid_to_sid: Did not find user "
1387 "%s (%u)\n", unix_pw->pw_name, (unsigned int)uid));
1388 TALLOC_FREE(sampw);
1389 return False;
1390 }
1391
1392 sid_copy(sid, pdb_get_user_sid(sampw));
1393
1394 TALLOC_FREE(sampw);
1395
1396 return True;
1397 }
1398
1399 static bool pdb_default_gid_to_sid(struct pdb_methods *methods, gid_t gid,
1400 struct dom_sid *sid)
1401 {
1402 GROUP_MAP *map;
1403
1404 map = talloc_zero(NULL, GROUP_MAP);
1405 if (!map) {
1406 return false;
1407 }
1408
1409 if (!NT_STATUS_IS_OK(methods->getgrgid(methods, map, gid))) {
1410 TALLOC_FREE(map);
1411 return false;
1412 }
1413
1414 sid_copy(sid, &map->sid);
1415 TALLOC_FREE(map);
1416 return true;
1417 }
1418
1419 static bool pdb_default_sid_to_id(struct pdb_methods *methods,
1420 const struct dom_sid *sid,
1421 struct unixid *id)
1422 {
1423 TALLOC_CTX *mem_ctx;
1424 bool ret = False;
1425 uint32_t rid;
1426 id->id = -1;
1427
1428 mem_ctx = talloc_new(NULL);
1429
1430 if (mem_ctx == NULL) {
1431 DEBUG(0, ("talloc_new failed\n"));
1432 return False;
1433 }
1434
1435 if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
1436 const char *name;
1437 enum lsa_SidType type;
1438 uid_t uid;
1439 gid_t gid;
1440 /* Here we might have users as well as groups and aliases */
1441 ret = lookup_global_sam_rid(mem_ctx, rid, &name, &type, &uid, &gid);
1442 if (ret) {
1443 switch (type) {
1444 case SID_NAME_DOM_GRP:
1445 case SID_NAME_ALIAS:
1446 id->type = ID_TYPE_GID;
1447 id->id = gid;
1448 break;
1449 case SID_NAME_USER:
1450 id->type = ID_TYPE_UID;
1451 id->id = uid;
1452 break;
1453 default:
1454 DEBUG(5, ("SID %s is our domain, but is not mapped to a user or group (got %d)\n",
1455 sid_string_dbg(sid), type));
1456 ret = false;
1457 }
1458 } else {
1459 DEBUG(5, ("SID %s is or domain, but is unmapped\n",
1460 sid_string_dbg(sid)));
1461 }
1462 goto done;
1463 }
1464
1465 /* check for "Unix User" */
1466
1467 if ( sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid) ) {
1468 id->id = rid;
1469 id->type = ID_TYPE_UID;
1470 ret = True;
1471 goto done;
1472 }
1473
1474 /* check for "Unix Group" */
1475
1476 if ( sid_peek_check_rid(&global_sid_Unix_Groups, sid, &rid) ) {
1477 id->id = rid;
1478 id->type = ID_TYPE_GID;
1479 ret = True;
1480 goto done;
1481 }
1482
1483 /* BUILTIN */
1484
1485 if (sid_check_is_in_builtin(sid) ||
1486 sid_check_is_in_wellknown_domain(sid)) {
1487 /* Here we only have aliases */
1488 GROUP_MAP *map;
1489
1490 map = talloc_zero(mem_ctx, GROUP_MAP);
1491 if (!map) {
1492 ret = false;
1493 goto done;
1494 }
1495
1496 if (!NT_STATUS_IS_OK(methods->getgrsid(methods, map, *sid))) {
1497 DEBUG(10, ("Could not find map for sid %s\n",
1498 sid_string_dbg(sid)));
1499 goto done;
1500 }
1501 if ((map->sid_name_use != SID_NAME_ALIAS) &&
1502 (map->sid_name_use != SID_NAME_WKN_GRP)) {
1503 DEBUG(10, ("Map for sid %s is a %s, expected an "
1504 "alias\n", sid_string_dbg(sid),
1505 sid_type_lookup(map->sid_name_use)));
1506 goto done;
1507 }
1508
1509 id->id = map->gid;
1510 id->type = ID_TYPE_GID;
1511 ret = True;
1512 goto done;
1513 }
1514
1515 DEBUG(5, ("Sid %s is neither ours, a Unix SID, nor builtin\n",
1516 sid_string_dbg(sid)));
1517
1518 done:
1519
1520 TALLOC_FREE(mem_ctx);
1521 return ret;
1522 }
1523
1524 static bool get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, uint32_t *p_num)
1525 {
1526 struct group *grp;
1527 char **gr;
1528 struct passwd *pwd;
1529 bool winbind_env;
1530 bool ret = False;
1531
1532 *pp_uids = NULL;
1533 *p_num = 0;
1534
1535 /* We only look at our own sam, so don't care about imported stuff */
1536 winbind_env = winbind_env_set();
1537 (void)winbind_off();
1538
1539 if ((grp = getgrgid(gid)) == NULL) {
1540 /* allow winbindd lookups, but only if they weren't already disabled */
1541 goto done;
1542 }
1543
1544 /* Primary group members */
1545 setpwent();
1546 while ((pwd = getpwent()) != NULL) {
1547 if (pwd->pw_gid == gid) {
1548 if (!add_uid_to_array_unique(mem_ctx, pwd->pw_uid,
1549 pp_uids, p_num)) {
1550 goto done;
1551 }
1552 }
1553 }
1554 endpwent();
1555
1556 /* Secondary group members */
1557 for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
1558 struct passwd *pw = getpwnam(*gr);
1559
1560 if (pw == NULL)
1561 continue;
1562 if (!add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num)) {
1563 goto done;
1564 }
1565 }
1566
1567 ret = True;
1568
1569 done:
1570
1571 /* allow winbindd lookups, but only if they weren't already disabled */
1572 if (!winbind_env) {
1573 (void)winbind_on();
1574 }
1575
1576 return ret;
1577 }
1578
1579 static NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
1580 TALLOC_CTX *mem_ctx,
1581 const struct dom_sid *group,
1582 uint32_t **pp_member_rids,
1583 size_t *p_num_members)
1584 {
1585 gid_t gid;
1586 uid_t *uids;
1587 uint32_t i, num_uids;
1588
1589 *pp_member_rids = NULL;
1590 *p_num_members = 0;
1591
1592 if (!sid_to_gid(group, &gid))
1593 return NT_STATUS_NO_SUCH_GROUP;
1594
1595 if(!get_memberuids(mem_ctx, gid, &uids, &num_uids))
1596 return NT_STATUS_NO_SUCH_GROUP;
1597
1598 if (num_uids == 0)
1599 return NT_STATUS_OK;
1600
1601 *pp_member_rids = talloc_zero_array(mem_ctx, uint32_t, num_uids);
1602
1603 for (i=0; i<num_uids; i++) {
1604 struct dom_sid sid;
1605
1606 uid_to_sid(&sid, uids[i]);
1607
1608 if (!sid_check_is_in_our_sam(&sid)) {
1609 DEBUG(5, ("Inconsistent SAM -- group member uid not "
1610 "in our domain\n"));
1611 continue;
1612 }
1613
1614 sid_peek_rid(&sid, &(*pp_member_rids)[*p_num_members]);
1615 *p_num_members += 1;
1616 }
1617
1618 return NT_STATUS_OK;
1619 }
1620
1621 static NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
1622 TALLOC_CTX *mem_ctx,
1623 struct samu *user,
1624 struct dom_sid **pp_sids,
1625 gid_t **pp_gids,
1626 uint32_t *p_num_groups)
1627 {
1628 size_t i;
1629 gid_t gid;
1630 struct passwd *pw;
1631 const char *username = pdb_get_username(user);
1632
1633
1634 /* Ignore the primary group SID. Honor the real Unix primary group.
1635 The primary group SID is only of real use to Windows clients */
1636
1637 if ( !(pw = Get_Pwnam_alloc(mem_ctx, username)) ) {
1638 return NT_STATUS_NO_SUCH_USER;
1639 }
1640
1641 gid = pw->pw_gid;
1642
1643 TALLOC_FREE( pw );
1644
1645 if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) {
1646 return NT_STATUS_NO_SUCH_USER;
1647 }
1648
1649 if (*p_num_groups == 0) {
1650 smb_panic("primary group missing");
1651 }
1652
1653 *pp_sids = talloc_array(mem_ctx, struct dom_sid, *p_num_groups);
1654
1655 if (*pp_sids == NULL) {
1656 TALLOC_FREE(*pp_gids);
1657 return NT_STATUS_NO_MEMORY;
1658 }
1659
1660 for (i=0; i<*p_num_groups; i++) {
1661 gid_to_sid(&(*pp_sids)[i], (*pp_gids)[i]);
1662 }
1663
1664 return NT_STATUS_OK;
1665 }
1666
1667 /*******************************************************************
1668 Look up a rid in the SAM we're responsible for (i.e. passdb)
1669 ********************************************************************/
1670
1671 static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
1672 const char **name,
1673 enum lsa_SidType *psid_name_use,
1674 uid_t *uid, gid_t *gid)
1675 {
1676 struct samu *sam_account = NULL;
1677 GROUP_MAP *map = NULL;
1678 bool ret;
1679 struct dom_sid sid;
1680
1681 *psid_name_use = SID_NAME_UNKNOWN;
1682
1683 DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n",
1684 (unsigned int)rid));
1685
1686 sid_compose(&sid, get_global_sam_sid(), rid);
1687
1688 /* see if the passdb can help us with the name of the user */
1689
1690 if ( !(sam_account = samu_new( NULL )) ) {
1691 return False;
1692 }
1693
1694 map = talloc_zero(mem_ctx, GROUP_MAP);
1695 if (!map) {
1696 return false;
1697 }
1698
1699 /* BEING ROOT BLOCK */
1700 become_root();
1701 ret = pdb_getsampwsid(sam_account, &sid);
1702 if (!ret) {
1703 TALLOC_FREE(sam_account);
1704 ret = pdb_getgrsid(map, sid);
1705 }
1706 unbecome_root();
1707 /* END BECOME_ROOT BLOCK */
1708
1709 if (sam_account || !ret) {
1710 TALLOC_FREE(map);
1711 }
1712
1713 if (sam_account) {
1714 struct passwd *pw;
1715
1716 *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
1717 if (!*name) {
1718 TALLOC_FREE(sam_account);
1719 return False;
1720 }
1721
1722 *psid_name_use = SID_NAME_USER;
1723
1724 TALLOC_FREE(sam_account);
1725
1726 if (uid == NULL) {
1727 return True;
1728 }
1729
1730 pw = Get_Pwnam_alloc(talloc_tos(), *name);
1731 if (pw == NULL) {
1732 return False;
1733 }
1734 *uid = pw->pw_uid;
1735 TALLOC_FREE(pw);
1736 return True;
1737
1738 } else if (map && (map->gid != (gid_t)-1)) {
1739
1740 /* do not resolve SIDs to a name unless there is a valid
1741 gid associated with it */
1742
1743 *name = talloc_steal(mem_ctx, map->nt_name);
1744 *psid_name_use = map->sid_name_use;
1745
1746 if (gid) {
1747 *gid = map->gid;
1748 }
1749
1750 TALLOC_FREE(map);
1751 return True;
1752 }
1753
1754 TALLOC_FREE(map);
1755
1756 /* Windows will always map RID 513 to something. On a non-domain
1757 controller, this gets mapped to SERVER\None. */
1758
1759 if (uid || gid) {
1760 DEBUG(5, ("Can't find a unix id for an unmapped group\n"));
1761 return False;
1762 }
1763
1764 if ( rid == DOMAIN_RID_USERS ) {
1765 *name = talloc_strdup(mem_ctx, "None" );
1766 *psid_name_use = SID_NAME_DOM_GRP;
1767
1768 return True;
1769 }
1770
1771 return False;
1772 }
1773
1774 static NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
1775 const struct dom_sid *domain_sid,
1776 int num_rids,
1777 uint32_t *rids,
1778 const char **names,
1779 enum lsa_SidType *attrs)
1780 {
1781 int i;
1782 NTSTATUS result;
1783 bool have_mapped = False;
1784 bool have_unmapped = False;
1785
1786 if (sid_check_is_builtin(domain_sid)) {
1787
1788 for (i=0; i<num_rids; i++) {
1789 const char *name;
1790
1791 if (lookup_builtin_rid(names, rids[i], &name)) {
1792 attrs[i] = SID_NAME_ALIAS;
1793 names[i] = name;
1794 DEBUG(5,("lookup_rids: %s:%d\n",
1795 names[i], attrs[i]));
1796 have_mapped = True;
1797 } else {
1798 have_unmapped = True;
1799 attrs[i] = SID_NAME_UNKNOWN;
1800 }
1801 }
1802 goto done;
1803 }
1804
1805 /* Should not happen, but better check once too many */
1806 if (!sid_check_is_our_sam(domain_sid)) {
1807 return NT_STATUS_INVALID_HANDLE;
1808 }
1809
1810 for (i = 0; i < num_rids; i++) {
1811 const char *name;
1812
1813 if (lookup_global_sam_rid(names, rids[i], &name, &attrs[i],
1814 NULL, NULL)) {
1815 if (name == NULL) {
1816 return NT_STATUS_NO_MEMORY;
1817 }
1818 names[i] = name;
1819 DEBUG(5,("lookup_rids: %s:%d\n", names[i], attrs[i]));
1820 have_mapped = True;
1821 } else {
1822 have_unmapped = True;
1823 attrs[i] = SID_NAME_UNKNOWN;
1824 }
1825 }
1826
1827 done:
1828
1829 result = NT_STATUS_NONE_MAPPED;
1830
1831 if (have_mapped)
1832 result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
1833
1834 return result;
1835 }
1836
1837 static int pdb_search_destructor(struct pdb_search *search)
1838 {
1839 if ((!search->search_ended) && (search->search_end != NULL)) {
1840 search->search_end(search);
1841 }
1842 return 0;
1843 }
1844
1845 struct pdb_search *pdb_search_init(TALLOC_CTX *mem_ctx,
1846 enum pdb_search_type type)
1847 {
1848 struct pdb_search *result;
1849
1850 result = talloc(mem_ctx, struct pdb_search);
1851 if (result == NULL) {
1852 DEBUG(0, ("talloc failed\n"));
1853 return NULL;
1854 }
1855
1856 result->type = type;
1857 result->cache = NULL;
1858 result->num_entries = 0;
1859 result->cache_size = 0;
1860 result->search_ended = False;
1861 result->search_end = NULL;
1862
1863 /* Segfault appropriately if not initialized */
1864 result->next_entry = NULL;
1865 result->search_end = NULL;
1866
1867 talloc_set_destructor(result, pdb_search_destructor);
1868
1869 return result;
1870 }
1871
1872 static void fill_displayentry(TALLOC_CTX *mem_ctx, uint32_t rid,
1873 uint16_t acct_flags,
1874 const char *account_name,
1875 const char *fullname,
1876 const char *description,
1877 struct samr_displayentry *entry)
1878 {
1879 entry->rid = rid;
1880 entry->acct_flags = acct_flags;
1881
1882 if (account_name != NULL)
1883 entry->account_name = talloc_strdup(mem_ctx, account_name);
1884 else
1885 entry->account_name = "";
1886
1887 if (fullname != NULL)
1888 entry->fullname = talloc_strdup(mem_ctx, fullname);
1889 else
1890 entry->fullname = "";
1891
1892 if (description != NULL)
1893 entry->description = talloc_strdup(mem_ctx, description);
1894 else
1895 entry->description = "";
1896 }
1897
1898 struct group_search {
1899 GROUP_MAP **groups;
1900 size_t num_groups, current_group;
1901 };
1902
1903 static bool next_entry_groups(struct pdb_search *s,
1904 struct samr_displayentry *entry)
1905 {
1906 struct group_search *state = (struct group_search *)s->private_data;
1907 uint32_t rid;
1908 GROUP_MAP *map;
1909
1910 if (state->current_group == state->num_groups)
1911 return False;
1912
1913 map = state->groups[state->current_group];
1914
1915 sid_peek_rid(&map->sid, &rid);
1916
1917 fill_displayentry(s, rid, 0, map->nt_name, NULL, map->comment, entry);
1918
1919 state->current_group += 1;
1920 return True;
1921 }
1922
1923 static void search_end_groups(struct pdb_search *search)
1924 {
1925 struct group_search *state =
1926 (struct group_search *)search->private_data;
1927 TALLOC_FREE(state->groups);
1928 }
1929
1930 static bool pdb_search_grouptype(struct pdb_methods *methods,
1931 struct pdb_search *search,
1932 const struct dom_sid *sid, enum lsa_SidType type)
1933 {
1934 struct group_search *state;
1935
1936 state = talloc_zero(search, struct group_search);
1937 if (state == NULL) {
1938 DEBUG(0, ("talloc failed\n"));
1939 return False;
1940 }
1941
1942 if (!NT_STATUS_IS_OK(methods->enum_group_mapping(methods, sid, type,
1943 &state->groups, &state->num_groups,
1944 True))) {
1945 DEBUG(0, ("Could not enum groups\n"));
1946 return False;
1947 }
1948
1949 state->current_group = 0;
1950 search->private_data = state;
1951 search->next_entry = next_entry_groups;
1952 search->search_end = search_end_groups;
1953 return True;
1954 }
1955
1956 static bool pdb_default_search_groups(struct pdb_methods *methods,
1957 struct pdb_search *search)
1958 {
1959 return pdb_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
1960 }
1961
1962 static bool pdb_default_search_aliases(struct pdb_methods *methods,
1963 struct pdb_search *search,
1964 const struct dom_sid *sid)
1965 {
1966
1967 return pdb_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
1968 }
1969
1970 static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
1971 uint32_t idx)
1972 {
1973 if (idx < search->num_entries)
1974 return &search->cache[idx];
1975
1976 if (search->search_ended)
1977 return NULL;
1978
1979 while (idx >= search->num_entries) {
1980 struct samr_displayentry entry;
1981
1982 if (!search->next_entry(search, &entry)) {
1983 search->search_end(search);
1984 search->search_ended = True;
1985 break;
1986 }
1987
1988 ADD_TO_LARGE_ARRAY(search, struct samr_displayentry,
1989 entry, &search->cache, &search->num_entries,
1990 &search->cache_size);
1991 }
1992
1993 return (search->num_entries > idx) ? &search->cache[idx] : NULL;
1994 }
1995
1996 struct pdb_search *pdb_search_users(TALLOC_CTX *mem_ctx, uint32_t acct_flags)
1997 {
1998 struct pdb_methods *pdb = pdb_get_methods();
1999 struct pdb_search *result;
2000
2001 result = pdb_search_init(mem_ctx, PDB_USER_SEARCH);
2002 if (result == NULL) {
2003 return NULL;
2004 }
2005
2006 if (!pdb->search_users(pdb, result, acct_flags)) {
2007 TALLOC_FREE(result);
2008 return NULL;
2009 }
2010 return result;
2011 }
2012
2013 struct pdb_search *pdb_search_groups(TALLOC_CTX *mem_ctx)
2014 {
2015 struct pdb_methods *pdb = pdb_get_methods();
2016 struct pdb_search *result;
2017
2018 result = pdb_search_init(mem_ctx, PDB_GROUP_SEARCH);
2019 if (result == NULL) {
2020 return NULL;
2021 }
2022
2023 if (!pdb->search_groups(pdb, result)) {
2024 TALLOC_FREE(result);
2025 return NULL;
2026 }
2027 return result;
2028 }
2029
2030 struct pdb_search *pdb_search_aliases(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
2031 {
2032 struct pdb_methods *pdb = pdb_get_methods();
2033 struct pdb_search *result;
2034
2035 if (pdb == NULL) return NULL;
2036
2037 result = pdb_search_init(mem_ctx, PDB_ALIAS_SEARCH);
2038 if (result == NULL) {
2039 return NULL;
2040 }
2041
2042 if (!pdb->search_aliases(pdb, result, sid)) {
2043 TALLOC_FREE(result);
2044 return NULL;
2045 }
2046 return result;
2047 }
2048
2049 uint32_t pdb_search_entries(struct pdb_search *search,
2050 uint32_t start_idx, uint32_t max_entries,
2051 struct samr_displayentry **result)
2052 {
2053 struct samr_displayentry *end_entry;
2054 uint32_t end_idx = start_idx+max_entries-1;
2055
2056 /* The first entry needs to be searched after the last. Otherwise the
2057 * first entry might have moved due to a realloc during the search for
2058 * the last entry. */
2059
2060 end_entry = pdb_search_getentry(search, end_idx);
2061 *result = pdb_search_getentry(search, start_idx);
2062
2063 if (end_entry != NULL)
2064 return max_entries;
2065
2066 if (start_idx >= search->num_entries)
2067 return 0;
2068
2069 return search->num_entries - start_idx;
2070 }
2071
2072 /*******************************************************************
2073 trustdom methods
2074 *******************************************************************/
2075
2076 bool pdb_get_trusteddom_pw(const char *domain, char** pwd, struct dom_sid *sid,
2077 time_t *pass_last_set_time)
2078 {
2079 struct pdb_methods *pdb = pdb_get_methods();
2080 return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
2081 pass_last_set_time);
2082 }
2083
2084 bool pdb_set_trusteddom_pw(const char* domain, const char* pwd,
2085 const struct dom_sid *sid)
2086 {
2087 struct pdb_methods *pdb = pdb_get_methods();
2088 return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
2089 }
2090
2091 bool pdb_del_trusteddom_pw(const char *domain)
2092 {
2093 struct pdb_methods *pdb = pdb_get_methods();
2094 return pdb->del_trusteddom_pw(pdb, domain);
2095 }
2096
2097 NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2098 struct trustdom_info ***domains)
2099 {
2100 struct pdb_methods *pdb = pdb_get_methods();
2101 return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
2102 }
2103
2104 /*******************************************************************
2105 the defaults for trustdom methods:
2106 these simply call the original passdb/secrets.c actions,
2107 to be replaced by pdb_ldap.
2108 *******************************************************************/
2109
2110 static bool pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
2111 const char *domain,
2112 char** pwd,
2113 struct dom_sid *sid,
2114 time_t *pass_last_set_time)
2115 {
2116 return secrets_fetch_trusted_domain_password(domain, pwd,
2117 sid, pass_last_set_time);
2118
2119 }
2120
2121 static bool pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
2122 const char* domain,
2123 const char* pwd,
2124 const struct dom_sid *sid)
2125 {
2126 return secrets_store_trusted_domain_password(domain, pwd, sid);
2127 }
2128
2129 static bool pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
2130 const char *domain)
2131 {
2132 return trusted_domain_password_delete(domain);
2133 }
2134
2135 static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
2136 TALLOC_CTX *mem_ctx,
2137 uint32_t *num_domains,
2138 struct trustdom_info ***domains)
2139 {
2140 return secrets_trusted_domains(mem_ctx, num_domains, domains);
2141 }
2142
2143 /*******************************************************************
2144 trusted_domain methods
2145 *******************************************************************/
2146
2147 NTSTATUS pdb_get_trusted_domain(TALLOC_CTX *mem_ctx, const char *domain,
2148 struct pdb_trusted_domain **td)
2149 {
2150 struct pdb_methods *pdb = pdb_get_methods();
2151 return pdb->get_trusted_domain(pdb, mem_ctx, domain, td);
2152 }
2153
2154 NTSTATUS pdb_get_trusted_domain_by_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid,
2155 struct pdb_trusted_domain **td)
2156 {
2157 struct pdb_methods *pdb = pdb_get_methods();
2158 return pdb->get_trusted_domain_by_sid(pdb, mem_ctx, sid, td);
2159 }
2160
2161 NTSTATUS pdb_set_trusted_domain(const char* domain,
2162 const struct pdb_trusted_domain *td)
2163 {
2164 struct pdb_methods *pdb = pdb_get_methods();
2165 return pdb->set_trusted_domain(pdb, domain, td);
2166 }
2167
2168 NTSTATUS pdb_del_trusted_domain(const char *domain)
2169 {
2170 struct pdb_methods *pdb = pdb_get_methods();
2171 return pdb->del_trusted_domain(pdb, domain);
2172 }
2173
2174 NTSTATUS pdb_enum_trusted_domains(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2175 struct pdb_trusted_domain ***domains)
2176 {
2177 struct pdb_methods *pdb = pdb_get_methods();
2178 return pdb->enum_trusted_domains(pdb, mem_ctx, num_domains, domains);
2179 }
2180
2181 static NTSTATUS pdb_default_get_trusted_domain(struct pdb_methods *methods,
2182 TALLOC_CTX *mem_ctx,
2183 const char *domain,
2184 struct pdb_trusted_domain **td)
2185 {
2186 struct trustAuthInOutBlob taiob;
2187 struct AuthenticationInformation aia;
2188 struct pdb_trusted_domain *tdom;
2189 enum ndr_err_code ndr_err;
2190 time_t last_set_time;
2191 char *pwd;
2192 bool ok;
2193
2194 tdom = talloc(mem_ctx, struct pdb_trusted_domain);
2195 if (!tdom) {
2196 return NT_STATUS_NO_MEMORY;
2197 }
2198
2199 tdom->domain_name = talloc_strdup(tdom, domain);
2200 tdom->netbios_name = talloc_strdup(tdom, domain);
2201 if (!tdom->domain_name || !tdom->netbios_name) {
2202 talloc_free(tdom);
2203 return NT_STATUS_NO_MEMORY;
2204 }
2205
2206 tdom->trust_auth_incoming = data_blob_null;
2207
2208 ok = pdb_get_trusteddom_pw(domain, &pwd, &tdom->security_identifier,
2209 &last_set_time);
2210 if (!ok) {
2211 talloc_free(tdom);
2212 return NT_STATUS_UNSUCCESSFUL;
2213 }
2214
2215 ZERO_STRUCT(taiob);
2216 ZERO_STRUCT(aia);
2217 taiob.count = 1;
2218 taiob.current.count = 1;
2219 taiob.current.array = &aia;
2220 unix_to_nt_time(&aia.LastUpdateTime, last_set_time);
2221 aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
2222 aia.AuthInfo.clear.password = (uint8_t *) pwd;
2223 aia.AuthInfo.clear.size = strlen(pwd);
2224 taiob.previous.count = 0;
2225 taiob.previous.array = NULL;
2226
2227 ndr_err = ndr_push_struct_blob(&tdom->trust_auth_outgoing,
2228 tdom, &taiob,
2229 (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
2230 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2231 talloc_free(tdom);
2232 return NT_STATUS_UNSUCCESSFUL;
2233 }
2234
2235 tdom->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
2236 tdom->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
2237 tdom->trust_attributes = 0;
2238 tdom->trust_forest_trust_info = data_blob_null;
2239
2240 *td = tdom;
2241 return NT_STATUS_OK;
2242 }
2243
2244 static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
2245 TALLOC_CTX *mem_ctx,
2246 struct dom_sid *sid,
2247 struct pdb_trusted_domain **td)
2248 {
2249 return NT_STATUS_NOT_IMPLEMENTED;
2250 }
2251
2252 #define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
2253
2254 static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
2255 const char* domain,
2256 const struct pdb_trusted_domain *td)
2257 {
2258 struct trustAuthInOutBlob taiob;
2259 struct AuthenticationInformation *aia;
2260 enum ndr_err_code ndr_err;
2261 char *pwd;
2262 bool ok;
2263
2264 if (td->trust_attributes != 0 ||
2265 td->trust_type != LSA_TRUST_TYPE_DOWNLEVEL ||
2266 td->trust_direction != LSA_TRUST_DIRECTION_OUTBOUND ||
2267 !IS_NULL_DATA_BLOB(td->trust_auth_incoming) ||
2268 !IS_NULL_DATA_BLOB(td->trust_forest_trust_info)) {
2269 return NT_STATUS_NOT_IMPLEMENTED;
2270 }
2271
2272 ZERO_STRUCT(taiob);
2273 ndr_err = ndr_pull_struct_blob(&td->trust_auth_outgoing, talloc_tos(),
2274 &taiob,
2275 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2276 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2277 return NT_STATUS_UNSUCCESSFUL;
2278 }
2279
2280 aia = (struct AuthenticationInformation *) taiob.current.array;
2281
2282 if (taiob.count != 1 || taiob.current.count != 1 ||
2283 taiob.previous.count != 0 ||
2284 aia->AuthType != TRUST_AUTH_TYPE_CLEAR) {
2285 return NT_STATUS_NOT_IMPLEMENTED;
2286 }
2287
2288 pwd = talloc_strndup(talloc_tos(), (char *) aia->AuthInfo.clear.password,
2289 aia->AuthInfo.clear.size);
2290 if (!pwd) {
2291 return NT_STATUS_NO_MEMORY;
2292 }
2293
2294 ok = pdb_set_trusteddom_pw(domain, pwd, &td->security_identifier);
2295 if (!ok) {
2296 return NT_STATUS_UNSUCCESSFUL;
2297 }
2298
2299 return NT_STATUS_OK;
2300 }
2301
2302 static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
2303 const char *domain)
2304 {
2305 return NT_STATUS_NOT_IMPLEMENTED;
2306 }
2307
2308 static NTSTATUS pdb_default_enum_trusted_domains(struct pdb_methods *methods,
2309 TALLOC_CTX *mem_ctx,
2310 uint32_t *num_domains,
2311 struct pdb_trusted_domain ***domains)
2312 {
2313 return NT_STATUS_NOT_IMPLEMENTED;
2314 }
2315
2316 static struct pdb_domain_info *pdb_default_get_domain_info(
2317 struct pdb_methods *m, TALLOC_CTX *mem_ctx)
2318 {
2319 return NULL;
2320 }
2321
2322 /*******************************************************************
2323 secret methods
2324 *******************************************************************/
2325
2326 NTSTATUS pdb_get_secret(TALLOC_CTX *mem_ctx,
2327 const char *secret_name,
2328 DATA_BLOB *secret_current,
2329 NTTIME *secret_current_lastchange,
2330 DATA_BLOB *secret_old,
2331 NTTIME *secret_old_lastchange,
2332 struct security_descriptor **sd)
2333 {
2334 struct pdb_methods *pdb = pdb_get_methods();
2335 return pdb->get_secret(pdb, mem_ctx, secret_name,
2336 secret_current, secret_current_lastchange,
2337 secret_old, secret_old_lastchange,
2338 sd);
2339 }
2340
2341 NTSTATUS pdb_set_secret(const char *secret_name,
2342 DATA_BLOB *secret_current,
2343 DATA_BLOB *secret_old,
2344 struct security_descriptor *sd)
2345 {
2346 struct pdb_methods *pdb = pdb_get_methods();
2347 return pdb->set_secret(pdb, secret_name,
2348 secret_current,
2349 secret_old,
2350 sd);
2351 }
2352
2353 NTSTATUS pdb_delete_secret(const char *secret_name)
2354 {
2355 struct pdb_methods *pdb = pdb_get_methods();
2356 return pdb->delete_secret(pdb, secret_name);
2357 }
2358
2359 static NTSTATUS pdb_default_get_secret(struct pdb_methods *methods,
2360 TALLOC_CTX *mem_ctx,
2361 const char *secret_name,
2362 DATA_BLOB *secret_current,
2363 NTTIME *secret_current_lastchange,
2364 DATA_BLOB *secret_old,
2365 NTTIME *secret_old_lastchange,
2366 struct security_descriptor **sd)
2367 {
2368 return lsa_secret_get(mem_ctx, secret_name,
2369 secret_current,
2370 secret_current_lastchange,
2371 secret_old,
2372 secret_old_lastchange,
2373 sd);
2374 }
2375
2376 static NTSTATUS pdb_default_set_secret(struct pdb_methods *methods,
2377 const char *secret_name,
2378 DATA_BLOB *secret_current,
2379 DATA_BLOB *secret_old,
2380 struct security_descriptor *sd)
2381 {
2382 return lsa_secret_set(secret_name,
2383 secret_current,
2384 secret_old,
2385 sd);
2386 }
2387
2388 static NTSTATUS pdb_default_delete_secret(struct pdb_methods *methods,
2389 const char *secret_name)
2390 {
2391 return lsa_secret_delete(secret_name);
2392 }
2393
2394 /*******************************************************************
2395 Create a pdb_methods structure and initialize it with the default
2396 operations. In this way a passdb module can simply implement
2397 the functionality it cares about. However, normally this is done
2398 in groups of related functions.
2399 *******************************************************************/
2400
2401 NTSTATUS make_pdb_method( struct pdb_methods **methods )
2402 {
2403 /* allocate memory for the structure as its own talloc CTX */
2404
2405 *methods = talloc_zero(NULL, struct pdb_methods);
2406 if (*methods == NULL) {
2407 return NT_STATUS_NO_MEMORY;
2408 }
2409
2410 (*methods)->get_domain_info = pdb_default_get_domain_info;
2411 (*methods)->getsampwnam = pdb_default_getsampwnam;
2412 (*methods)->getsampwsid = pdb_default_getsampwsid;
2413 (*methods)->create_user = pdb_default_create_user;
2414 (*methods)->delete_user = pdb_default_delete_user;
2415 (*methods)->add_sam_account = pdb_default_add_sam_account;
2416 (*methods)->update_sam_account = pdb_default_update_sam_account;
2417 (*methods)->delete_sam_account = pdb_default_delete_sam_account;
2418 (*methods)->rename_sam_account = pdb_default_rename_sam_account;
2419 (*methods)->update_login_attempts = pdb_default_update_login_attempts;
2420
2421 (*methods)->getgrsid = pdb_default_getgrsid;
2422 (*methods)->getgrgid = pdb_default_getgrgid;
2423 (*methods)->getgrnam = pdb_default_getgrnam;
2424 (*methods)->create_dom_group = pdb_default_create_dom_group;
2425 (*methods)->delete_dom_group = pdb_default_delete_dom_group;
2426 (*methods)->add_group_mapping_entry = pdb_default_add_group_mapping_entry;
2427 (*methods)->update_group_mapping_entry = pdb_default_update_group_mapping_entry;
2428 (*methods)->delete_group_mapping_entry = pdb_default_delete_group_mapping_entry;
2429 (*methods)->enum_group_mapping = pdb_default_enum_group_mapping;
2430 (*methods)->enum_group_members = pdb_default_enum_group_members;
2431 (*methods)->enum_group_memberships = pdb_default_enum_group_memberships;
2432 (*methods)->set_unix_primary_group = pdb_default_set_unix_primary_group;
2433 (*methods)->add_groupmem = pdb_default_add_groupmem;
2434 (*methods)->del_groupmem = pdb_default_del_groupmem;
2435 (*methods)->create_alias = pdb_default_create_alias;
2436 (*methods)->delete_alias = pdb_default_delete_alias;
2437 (*methods)->get_aliasinfo = pdb_default_get_aliasinfo;
2438 (*methods)->set_aliasinfo = pdb_default_set_aliasinfo;
2439 (*methods)->add_aliasmem = pdb_default_add_aliasmem;
2440 (*methods)->del_aliasmem = pdb_default_del_aliasmem;
2441 (*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
2442 (*methods)->enum_alias_memberships = pdb_default_alias_memberships;
2443 (*methods)->lookup_rids = pdb_default_lookup_rids;
2444 (*methods)->get_account_policy = pdb_default_get_account_policy;
2445 (*methods)->set_account_policy = pdb_default_set_account_policy;
2446 (*methods)->get_seq_num = pdb_default_get_seq_num;
2447 (*methods)->uid_to_sid = pdb_default_uid_to_sid;
2448 (*methods)->gid_to_sid = pdb_default_gid_to_sid;
2449 (*methods)->sid_to_id = pdb_default_sid_to_id;
2450
2451 (*methods)->search_groups = pdb_default_search_groups;
2452 (*methods)->search_aliases = pdb_default_search_aliases;
2453
2454 (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
2455 (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
2456 (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
2457 (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
2458
2459 (*methods)->get_trusted_domain = pdb_default_get_trusted_domain;
2460 (*methods)->get_trusted_domain_by_sid = pdb_default_get_trusted_domain_by_sid;
2461 (*methods)->set_trusted_domain = pdb_default_set_trusted_domain;
2462 (*methods)->del_trusted_domain = pdb_default_del_trusted_domain;
2463 (*methods)->enum_trusted_domains = pdb_default_enum_trusted_domains;
2464
2465 (*methods)->get_secret = pdb_default_get_secret;
2466 (*methods)->set_secret = pdb_default_set_secret;
2467 (*methods)->delete_secret = pdb_default_delete_secret;
2468
2469 return NT_STATUS_OK;
2470 }
reg import