2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/samr.h"
29 #include "passdb/pdb_ldap.h"
30 #include "passdb/pdb_ipa.h"
32 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
33 #define IPA_MAGIC_ID_STR "999"
35 #define LDAP_TRUST_CONTAINER "ou=system"
36 #define LDAP_ATTRIBUTE_CN "cn"
37 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
38 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
39 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
40 #define LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET "sambaTrustPosixOffset"
41 #define LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE "sambaSupportedEncryptionTypes"
42 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
43 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
44 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
45 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
46 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
47 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
48 #define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
50 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
51 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
52 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
54 #define LDAP_OBJ_IPAOBJECT "ipaObject"
55 #define LDAP_OBJ_IPAHOST "ipaHost"
56 #define LDAP_OBJ_POSIXACCOUNT "posixAccount"
58 #define LDAP_OBJ_GROUPOFNAMES "groupOfNames"
59 #define LDAP_OBJ_NESTEDGROUP "nestedGroup"
60 #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
61 #define LDAP_OBJ_POSIXGROUP "posixGroup"
63 #define HAS_KRB_PRINCIPAL (1<<0)
64 #define HAS_KRB_PRINCIPAL_AUX (1<<1)
65 #define HAS_IPAOBJECT (1<<2)
66 #define HAS_IPAHOST (1<<3)
67 #define HAS_POSIXACCOUNT (1<<4)
68 #define HAS_GROUPOFNAMES (1<<5)
69 #define HAS_NESTEDGROUP (1<<6)
70 #define HAS_IPAUSERGROUP (1<<7)
71 #define HAS_POSIXGROUP (1<<8)
73 struct ipasam_privates
{
75 NTSTATUS (*ldapsam_add_sam_account
)(struct pdb_methods
*,
76 struct samu
*sampass
);
77 NTSTATUS (*ldapsam_update_sam_account
)(struct pdb_methods
*,
78 struct samu
*sampass
);
79 NTSTATUS (*ldapsam_create_user
)(struct pdb_methods
*my_methods
,
80 TALLOC_CTX
*tmp_ctx
, const char *name
,
81 uint32_t acb_info
, uint32_t *rid
);
82 NTSTATUS (*ldapsam_create_dom_group
)(struct pdb_methods
*my_methods
,
88 static bool ipasam_get_trusteddom_pw(struct pdb_methods
*methods
,
92 time_t *pass_last_set_time
)
97 static bool ipasam_set_trusteddom_pw(struct pdb_methods
*methods
,
100 const struct dom_sid
*sid
)
105 static bool ipasam_del_trusteddom_pw(struct pdb_methods
*methods
,
111 static char *get_account_dn(const char *name
)
116 escape_name
= escape_rdn_val_string_alloc(name
);
121 if (name
[strlen(name
)-1] == '$') {
122 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
123 lp_ldap_machine_suffix());
125 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
126 lp_ldap_user_suffix());
129 SAFE_FREE(escape_name
);
134 static char *trusted_domain_dn(struct ldapsam_privates
*ldap_state
,
137 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
138 LDAP_ATTRIBUTE_CN
, domain
,
139 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
142 static char *trusted_domain_base_dn(struct ldapsam_privates
*ldap_state
)
144 return talloc_asprintf(talloc_tos(), "%s,%s",
145 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
148 static bool get_trusted_domain_int(struct ldapsam_privates
*ldap_state
,
150 const char *filter
, LDAPMessage
**entry
)
153 char *base_dn
= NULL
;
154 LDAPMessage
*result
= NULL
;
157 base_dn
= trusted_domain_base_dn(ldap_state
);
158 if (base_dn
== NULL
) {
162 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
,
163 LDAP_SCOPE_SUBTREE
, filter
, NULL
, 0, &result
);
164 TALLOC_FREE(base_dn
);
166 if (result
!= NULL
) {
167 talloc_autofree_ldapmsg(mem_ctx
, result
);
170 if (rc
== LDAP_NO_SUCH_OBJECT
) {
175 if (rc
!= LDAP_SUCCESS
) {
179 num_result
= ldap_count_entries(priv2ld(ldap_state
), result
);
181 if (num_result
> 1) {
182 DEBUG(1, ("get_trusted_domain_int: more than one "
183 "%s object with filter '%s'?!\n",
184 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
188 if (num_result
== 0) {
189 DEBUG(1, ("get_trusted_domain_int: no "
190 "%s object with filter '%s'.\n",
191 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
194 *entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
200 static bool get_trusted_domain_by_name_int(struct ldapsam_privates
*ldap_state
,
207 filter
= talloc_asprintf(talloc_tos(),
208 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
209 LDAP_OBJ_TRUSTED_DOMAIN
,
210 LDAP_ATTRIBUTE_FLAT_NAME
, domain
,
211 LDAP_ATTRIBUTE_TRUST_PARTNER
, domain
, domain
);
212 if (filter
== NULL
) {
216 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
219 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates
*ldap_state
,
221 const char *sid
, LDAPMessage
**entry
)
225 filter
= talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
226 LDAP_OBJ_TRUSTED_DOMAIN
,
227 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
, sid
);
228 if (filter
== NULL
) {
232 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
235 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates
*ldap_state
,
244 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
247 DEBUG(9, ("Attribute %s not present.\n", attr
));
252 l
= strtoul(dummy
, &endptr
, 10);
255 if (l
< 0 || l
> UINT32_MAX
|| *endptr
!= '\0') {
264 static void get_data_blob_from_ldap_msg(TALLOC_CTX
*mem_ctx
,
265 struct ldapsam_privates
*ldap_state
,
266 LDAPMessage
*entry
, const char *attr
,
272 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
, attr
,
275 DEBUG(9, ("Attribute %s not present.\n", attr
));
278 blob
= base64_decode_data_blob(dummy
);
279 if (blob
.length
== 0) {
282 _blob
->length
= blob
.length
;
283 _blob
->data
= talloc_steal(mem_ctx
, blob
.data
);
289 static bool fill_pdb_trusted_domain(TALLOC_CTX
*mem_ctx
,
290 struct ldapsam_privates
*ldap_state
,
292 struct pdb_trusted_domain
**_td
)
296 struct pdb_trusted_domain
*td
;
302 td
= talloc_zero(mem_ctx
, struct pdb_trusted_domain
);
307 /* All attributes are MAY */
309 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
310 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
313 DEBUG(9, ("Attribute %s not present.\n",
314 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
));
315 ZERO_STRUCT(td
->security_identifier
);
317 res
= string_to_sid(&td
->security_identifier
, dummy
);
324 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
325 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
326 &td
->trust_auth_incoming
);
328 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
329 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
330 &td
->trust_auth_outgoing
);
332 td
->netbios_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
334 LDAP_ATTRIBUTE_FLAT_NAME
,
336 if (td
->netbios_name
== NULL
) {
337 DEBUG(9, ("Attribute %s not present.\n",
338 LDAP_ATTRIBUTE_FLAT_NAME
));
341 td
->domain_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
343 LDAP_ATTRIBUTE_TRUST_PARTNER
,
345 if (td
->domain_name
== NULL
) {
346 DEBUG(9, ("Attribute %s not present.\n",
347 LDAP_ATTRIBUTE_TRUST_PARTNER
));
350 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
351 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
352 &td
->trust_direction
);
357 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
358 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
359 &td
->trust_attributes
);
364 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
365 LDAP_ATTRIBUTE_TRUST_TYPE
,
371 td
->trust_posix_offset
= talloc(td
, uint32_t);
372 if (td
->trust_posix_offset
== NULL
) {
375 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
376 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET
,
377 td
->trust_posix_offset
);
382 td
->supported_enc_type
= talloc(td
, uint32_t);
383 if (td
->supported_enc_type
== NULL
) {
386 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
387 LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE
,
388 td
->supported_enc_type
);
394 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
395 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
396 &td
->trust_forest_trust_info
);
403 static NTSTATUS
ipasam_get_trusted_domain(struct pdb_methods
*methods
,
406 struct pdb_trusted_domain
**td
)
408 struct ldapsam_privates
*ldap_state
=
409 (struct ldapsam_privates
*)methods
->private_data
;
410 LDAPMessage
*entry
= NULL
;
412 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain
));
414 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
416 return NT_STATUS_UNSUCCESSFUL
;
419 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
421 return NT_STATUS_NO_SUCH_DOMAIN
;
424 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
425 return NT_STATUS_UNSUCCESSFUL
;
431 static NTSTATUS
ipasam_get_trusted_domain_by_sid(struct pdb_methods
*methods
,
434 struct pdb_trusted_domain
**td
)
436 struct ldapsam_privates
*ldap_state
=
437 (struct ldapsam_privates
*)methods
->private_data
;
438 LDAPMessage
*entry
= NULL
;
441 sid_str
= sid_string_tos(sid
);
443 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
446 if (!get_trusted_domain_by_sid_int(ldap_state
, talloc_tos(), sid_str
,
448 return NT_STATUS_UNSUCCESSFUL
;
451 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
452 "with sid: %s\n", sid_str
));
453 return NT_STATUS_NO_SUCH_DOMAIN
;
456 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
457 return NT_STATUS_UNSUCCESSFUL
;
463 static bool smbldap_make_mod_uint32_t(LDAP
*ldap_struct
, LDAPMessage
*entry
,
464 LDAPMod
***mods
, const char *attribute
,
469 dummy
= talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val
);
473 smbldap_make_mod(ldap_struct
, entry
, mods
, attribute
, dummy
);
479 static NTSTATUS
ipasam_set_trusted_domain(struct pdb_methods
*methods
,
481 const struct pdb_trusted_domain
*td
)
483 struct ldapsam_privates
*ldap_state
=
484 (struct ldapsam_privates
*)methods
->private_data
;
485 LDAPMessage
*entry
= NULL
;
488 char *trusted_dn
= NULL
;
491 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain
));
493 res
= get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
496 return NT_STATUS_UNSUCCESSFUL
;
500 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
, "objectClass",
501 LDAP_OBJ_TRUSTED_DOMAIN
);
503 if (td
->netbios_name
!= NULL
) {
504 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
505 LDAP_ATTRIBUTE_FLAT_NAME
,
509 if (td
->domain_name
!= NULL
) {
510 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
511 LDAP_ATTRIBUTE_TRUST_PARTNER
,
515 if (!is_null_sid(&td
->security_identifier
)) {
516 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
517 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
518 sid_string_tos(&td
->security_identifier
));
521 if (td
->trust_type
!= 0) {
522 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
523 &mods
, LDAP_ATTRIBUTE_TRUST_TYPE
,
526 return NT_STATUS_UNSUCCESSFUL
;
530 if (td
->trust_attributes
!= 0) {
531 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
533 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
534 td
->trust_attributes
);
536 return NT_STATUS_UNSUCCESSFUL
;
540 if (td
->trust_direction
!= 0) {
541 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
543 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
544 td
->trust_direction
);
546 return NT_STATUS_UNSUCCESSFUL
;
550 if (td
->trust_posix_offset
!= NULL
) {
551 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
553 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET
,
554 *td
->trust_posix_offset
);
556 return NT_STATUS_UNSUCCESSFUL
;
560 if (td
->supported_enc_type
!= NULL
) {
561 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
563 LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE
,
564 *td
->supported_enc_type
);
566 return NT_STATUS_UNSUCCESSFUL
;
570 if (td
->trust_auth_outgoing
.data
!= NULL
) {
571 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
572 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
573 &td
->trust_auth_outgoing
);
576 if (td
->trust_auth_incoming
.data
!= NULL
) {
577 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
578 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
579 &td
->trust_auth_incoming
);
582 if (td
->trust_forest_trust_info
.data
!= NULL
) {
583 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
584 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
585 &td
->trust_forest_trust_info
);
588 talloc_autofree_ldapmod(talloc_tos(), mods
);
590 trusted_dn
= trusted_domain_dn(ldap_state
, domain
);
591 if (trusted_dn
== NULL
) {
592 return NT_STATUS_NO_MEMORY
;
595 ret
= smbldap_add(ldap_state
->smbldap_state
, trusted_dn
, mods
);
597 ret
= smbldap_modify(ldap_state
->smbldap_state
, trusted_dn
, mods
);
600 if (ret
!= LDAP_SUCCESS
) {
601 DEBUG(1, ("error writing trusted domain data!\n"));
602 return NT_STATUS_UNSUCCESSFUL
;
607 static NTSTATUS
ipasam_del_trusted_domain(struct pdb_methods
*methods
,
611 struct ldapsam_privates
*ldap_state
=
612 (struct ldapsam_privates
*)methods
->private_data
;
613 LDAPMessage
*entry
= NULL
;
616 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
618 return NT_STATUS_UNSUCCESSFUL
;
622 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
624 return NT_STATUS_NO_SUCH_DOMAIN
;
627 dn
= smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state
), entry
);
629 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
630 return NT_STATUS_NO_MEMORY
;
633 ret
= smbldap_delete(ldap_state
->smbldap_state
, dn
);
634 if (ret
!= LDAP_SUCCESS
) {
635 return NT_STATUS_UNSUCCESSFUL
;
641 static NTSTATUS
ipasam_enum_trusted_domains(struct pdb_methods
*methods
,
643 uint32_t *num_domains
,
644 struct pdb_trusted_domain
***domains
)
647 struct ldapsam_privates
*ldap_state
=
648 (struct ldapsam_privates
*)methods
->private_data
;
649 char *base_dn
= NULL
;
651 int scope
= LDAP_SCOPE_SUBTREE
;
652 LDAPMessage
*result
= NULL
;
653 LDAPMessage
*entry
= NULL
;
655 filter
= talloc_asprintf(talloc_tos(), "(objectClass=%s)",
656 LDAP_OBJ_TRUSTED_DOMAIN
);
657 if (filter
== NULL
) {
658 return NT_STATUS_NO_MEMORY
;
661 base_dn
= trusted_domain_base_dn(ldap_state
);
662 if (base_dn
== NULL
) {
664 return NT_STATUS_NO_MEMORY
;
667 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
, scope
, filter
,
670 TALLOC_FREE(base_dn
);
672 if (result
!= NULL
) {
673 talloc_autofree_ldapmsg(mem_ctx
, result
);
676 if (rc
== LDAP_NO_SUCH_OBJECT
) {
682 if (rc
!= LDAP_SUCCESS
) {
683 return NT_STATUS_UNSUCCESSFUL
;
687 if (!(*domains
= talloc_array(mem_ctx
, struct pdb_trusted_domain
*, 1))) {
688 DEBUG(1, ("talloc failed\n"));
689 return NT_STATUS_NO_MEMORY
;
692 for (entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
694 entry
= ldap_next_entry(priv2ld(ldap_state
), entry
))
696 struct pdb_trusted_domain
*dom_info
;
698 if (!fill_pdb_trusted_domain(*domains
, ldap_state
, entry
,
700 return NT_STATUS_UNSUCCESSFUL
;
703 ADD_TO_ARRAY(*domains
, struct pdb_trusted_domain
*, dom_info
,
704 domains
, num_domains
);
706 if (*domains
== NULL
) {
707 DEBUG(1, ("talloc failed\n"));
708 return NT_STATUS_NO_MEMORY
;
712 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains
));
716 static NTSTATUS
ipasam_enum_trusteddoms(struct pdb_methods
*methods
,
718 uint32_t *num_domains
,
719 struct trustdom_info
***domains
)
722 struct pdb_trusted_domain
**td
;
725 status
= ipasam_enum_trusted_domains(methods
, talloc_tos(),
727 if (!NT_STATUS_IS_OK(status
)) {
731 if (*num_domains
== 0) {
735 if (!(*domains
= talloc_array(mem_ctx
, struct trustdom_info
*,
737 DEBUG(1, ("talloc failed\n"));
738 return NT_STATUS_NO_MEMORY
;
741 for (i
= 0; i
< *num_domains
; i
++) {
742 struct trustdom_info
*dom_info
;
744 dom_info
= talloc(*domains
, struct trustdom_info
);
745 if (dom_info
== NULL
) {
746 DEBUG(1, ("talloc failed\n"));
747 return NT_STATUS_NO_MEMORY
;
750 dom_info
->name
= talloc_steal(mem_ctx
, td
[i
]->netbios_name
);
751 sid_copy(&dom_info
->sid
, &td
[i
]->security_identifier
);
753 (*domains
)[i
] = dom_info
;
759 static uint32_t pdb_ipasam_capabilities(struct pdb_methods
*methods
)
761 return PDB_CAP_STORE_RIDS
| PDB_CAP_ADS
| PDB_CAP_TRUSTED_DOMAINS_EX
;
764 static struct pdb_domain_info
*pdb_ipasam_get_domain_info(struct pdb_methods
*pdb_methods
,
767 struct pdb_domain_info
*info
;
768 struct ldapsam_privates
*ldap_state
=
769 (struct ldapsam_privates
*)pdb_methods
->private_data
;
774 info
= talloc(mem_ctx
, struct pdb_domain_info
);
779 info
->name
= talloc_strdup(info
, ldap_state
->domain_name
);
780 if (info
->name
== NULL
) {
784 /* TODO: read dns_domain, dns_forest and guid from LDAP */
785 info
->dns_domain
= talloc_strdup(info
, lp_realm());
786 if (info
->dns_domain
== NULL
) {
789 strlower_m(info
->dns_domain
);
790 info
->dns_forest
= talloc_strdup(info
, info
->dns_domain
);
792 /* we expect a domain SID to have 4 sub IDs */
793 if (ldap_state
->domain_sid
.num_auths
!= 4) {
797 sid_copy(&info
->sid
, &ldap_state
->domain_sid
);
799 if (!sid_linearize(sid_buf
, sizeof(sid_buf
), &info
->sid
)) {
803 /* the first 8 bytes of the linearized SID are not random,
805 sid_blob
.data
= (uint8_t *) sid_buf
+ 8 ;
806 sid_blob
.length
= 16;
808 status
= GUID_from_ndr_blob(&sid_blob
, &info
->guid
);
809 if (!NT_STATUS_IS_OK(status
)) {
820 static NTSTATUS
modify_ipa_password_exop(struct ldapsam_privates
*ldap_state
,
821 struct samu
*sampass
)
824 BerElement
*ber
= NULL
;
825 struct berval
*bv
= NULL
;
827 struct berval
*retdata
= NULL
;
828 const char *password
;
831 password
= pdb_get_plaintext_passwd(sampass
);
832 if (password
== NULL
|| *password
== '\0') {
833 return NT_STATUS_INVALID_PARAMETER
;
836 dn
= get_account_dn(pdb_get_username(sampass
));
838 return NT_STATUS_INVALID_PARAMETER
;
841 ber
= ber_alloc_t( LBER_USE_DER
);
843 DEBUG(7, ("ber_alloc_t failed.\n"));
844 return NT_STATUS_NO_MEMORY
;
847 ret
= ber_printf(ber
, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID
, dn
,
848 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW
, password
);
850 DEBUG(7, ("ber_printf failed.\n"));
852 return NT_STATUS_UNSUCCESSFUL
;
855 ret
= ber_flatten(ber
, &bv
);
858 DEBUG(1, ("ber_flatten failed.\n"));
859 return NT_STATUS_UNSUCCESSFUL
;
862 ret
= smbldap_extended_operation(ldap_state
->smbldap_state
,
863 LDAP_EXOP_MODIFY_PASSWD
, bv
, NULL
,
864 NULL
, &retoid
, &retdata
);
870 ldap_memfree(retoid
);
872 if (ret
!= LDAP_SUCCESS
) {
873 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
874 return NT_STATUS_UNSUCCESSFUL
;
880 static NTSTATUS
ipasam_get_objectclasses(struct ldapsam_privates
*ldap_state
,
881 const char *dn
, LDAPMessage
*entry
,
882 uint32_t *has_objectclass
)
884 char **objectclasses
;
887 objectclasses
= ldap_get_values(priv2ld(ldap_state
), entry
,
888 LDAP_ATTRIBUTE_OBJECTCLASS
);
889 if (objectclasses
== NULL
) {
890 DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn
));
891 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
894 *has_objectclass
= 0;
895 for (c
= 0; objectclasses
[c
] != NULL
; c
++) {
896 if (strequal(objectclasses
[c
], LDAP_OBJ_KRB_PRINCIPAL
)) {
897 *has_objectclass
|= HAS_KRB_PRINCIPAL
;
898 } else if (strequal(objectclasses
[c
],
899 LDAP_OBJ_KRB_PRINCIPAL_AUX
)) {
900 *has_objectclass
|= HAS_KRB_PRINCIPAL_AUX
;
901 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAOBJECT
)) {
902 *has_objectclass
|= HAS_IPAOBJECT
;
903 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAHOST
)) {
904 *has_objectclass
|= HAS_IPAHOST
;
905 } else if (strequal(objectclasses
[c
], LDAP_OBJ_POSIXACCOUNT
)) {
906 *has_objectclass
|= HAS_POSIXACCOUNT
;
907 } else if (strequal(objectclasses
[c
], LDAP_OBJ_GROUPOFNAMES
)) {
908 *has_objectclass
|= HAS_GROUPOFNAMES
;
909 } else if (strequal(objectclasses
[c
], LDAP_OBJ_NESTEDGROUP
)) {
910 *has_objectclass
|= HAS_NESTEDGROUP
;
911 } else if (strequal(objectclasses
[c
], LDAP_OBJ_IPAUSERGROUP
)) {
912 *has_objectclass
|= HAS_IPAUSERGROUP
;
913 } else if (strequal(objectclasses
[c
], LDAP_OBJ_POSIXGROUP
)) {
914 *has_objectclass
|= HAS_POSIXGROUP
;
917 ldap_value_free(objectclasses
);
928 static NTSTATUS
find_obj(struct ldapsam_privates
*ldap_state
, const char *name
,
929 enum obj_type type
, char **_dn
,
930 uint32_t *_has_objectclass
)
935 LDAPMessage
*result
= NULL
;
936 LDAPMessage
*entry
= NULL
;
939 uint32_t has_objectclass
;
941 const char *obj_class
= NULL
;
945 obj_class
= LDAP_OBJ_POSIXACCOUNT
;
948 obj_class
= LDAP_OBJ_POSIXGROUP
;
951 DEBUG(0, ("Unsupported IPA object.\n"));
952 return NT_STATUS_INVALID_PARAMETER
;
955 username
= escape_ldap_string(talloc_tos(), name
);
956 if (username
== NULL
) {
957 return NT_STATUS_NO_MEMORY
;
959 filter
= talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
960 username
, obj_class
);
961 if (filter
== NULL
) {
962 return NT_STATUS_NO_MEMORY
;
964 TALLOC_FREE(username
);
966 ret
= smbldap_search_suffix(ldap_state
->smbldap_state
, filter
, NULL
,
968 if (ret
!= LDAP_SUCCESS
) {
969 DEBUG(0, ("smbldap_search_suffix failed.\n"));
970 return NT_STATUS_ACCESS_DENIED
;
973 num_result
= ldap_count_entries(priv2ld(ldap_state
), result
);
975 if (num_result
!= 1) {
976 if (num_result
== 0) {
979 status
= NT_STATUS_NO_SUCH_USER
;
982 status
= NT_STATUS_NO_SUCH_GROUP
;
985 status
= NT_STATUS_INVALID_PARAMETER
;
988 DEBUG (0, ("find_user: More than one object with name [%s] ?!\n",
990 status
= NT_STATUS_INTERNAL_DB_CORRUPTION
;
995 entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
997 DEBUG(0,("find_user: Out of memory!\n"));
998 status
= NT_STATUS_UNSUCCESSFUL
;
1002 dn
= smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state
), entry
);
1004 DEBUG(0,("find_user: Out of memory!\n"));
1005 status
= NT_STATUS_NO_MEMORY
;
1009 status
= ipasam_get_objectclasses(ldap_state
, dn
, entry
, &has_objectclass
);
1010 if (!NT_STATUS_IS_OK(status
)) {
1015 *_has_objectclass
= has_objectclass
;
1017 status
= NT_STATUS_OK
;
1020 ldap_msgfree(result
);
1025 static NTSTATUS
find_user(struct ldapsam_privates
*ldap_state
, const char *name
,
1026 char **_dn
, uint32_t *_has_objectclass
)
1028 return find_obj(ldap_state
, name
, IPA_USER_OBJ
, _dn
, _has_objectclass
);
1031 static NTSTATUS
find_group(struct ldapsam_privates
*ldap_state
, const char *name
,
1032 char **_dn
, uint32_t *_has_objectclass
)
1034 return find_obj(ldap_state
, name
, IPA_GROUP_OBJ
, _dn
, _has_objectclass
);
1037 static NTSTATUS
ipasam_add_posix_account_objectclass(struct ldapsam_privates
*ldap_state
,
1040 const char *username
)
1043 LDAPMod
**mods
= NULL
;
1045 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1046 "objectclass", "posixAccount");
1047 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1049 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1050 "uidNumber", IPA_MAGIC_ID_STR
);
1051 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1052 "gidNumber", "12345");
1053 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1054 "homeDirectory", "/dev/null");
1056 if (ldap_op
== LDAP_MOD_ADD
) {
1057 ret
= smbldap_add(ldap_state
->smbldap_state
, dn
, mods
);
1059 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1061 ldap_mods_free(mods
, 1);
1062 if (ret
!= LDAP_SUCCESS
) {
1063 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1065 return NT_STATUS_LDAP(ret
);
1068 return NT_STATUS_OK
;
1071 static NTSTATUS
ipasam_add_ipa_group_objectclasses(struct ldapsam_privates
*ldap_state
,
1074 uint32_t has_objectclass
)
1076 LDAPMod
**mods
= NULL
;
1079 if (!(has_objectclass
& HAS_GROUPOFNAMES
)) {
1080 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1081 LDAP_ATTRIBUTE_OBJECTCLASS
,
1082 LDAP_OBJ_GROUPOFNAMES
);
1085 if (!(has_objectclass
& HAS_NESTEDGROUP
)) {
1086 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1087 LDAP_ATTRIBUTE_OBJECTCLASS
,
1088 LDAP_OBJ_NESTEDGROUP
);
1091 if (!(has_objectclass
& HAS_IPAUSERGROUP
)) {
1092 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1093 LDAP_ATTRIBUTE_OBJECTCLASS
,
1094 LDAP_OBJ_IPAUSERGROUP
);
1097 if (!(has_objectclass
& HAS_IPAOBJECT
)) {
1098 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1099 LDAP_ATTRIBUTE_OBJECTCLASS
,
1100 LDAP_OBJ_IPAOBJECT
);
1103 if (!(has_objectclass
& HAS_POSIXGROUP
)) {
1104 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1105 LDAP_ATTRIBUTE_OBJECTCLASS
,
1106 LDAP_OBJ_POSIXGROUP
);
1107 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1110 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1111 LDAP_ATTRIBUTE_GIDNUMBER
,
1115 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1116 ldap_mods_free(mods
, 1);
1117 if (ret
!= LDAP_SUCCESS
) {
1118 DEBUG(1, ("failed to modify/add group %s (dn = %s)\n",
1120 return NT_STATUS_LDAP(ret
);
1123 return NT_STATUS_OK
;
1126 static NTSTATUS
ipasam_add_ipa_objectclasses(struct ldapsam_privates
*ldap_state
,
1127 const char *dn
, const char *name
,
1129 uint32_t acct_flags
,
1130 uint32_t has_objectclass
)
1132 LDAPMod
**mods
= NULL
;
1136 if (!(has_objectclass
& HAS_KRB_PRINCIPAL
)) {
1137 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1138 LDAP_ATTRIBUTE_OBJECTCLASS
,
1139 LDAP_OBJ_KRB_PRINCIPAL
);
1141 princ
= talloc_asprintf(talloc_tos(), "%s@%s", name
, lp_realm());
1142 if (princ
== NULL
) {
1143 return NT_STATUS_NO_MEMORY
;
1146 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, LDAP_ATTRIBUTE_KRB_PRINCIPAL
, princ
);
1149 if (!(has_objectclass
& HAS_KRB_PRINCIPAL_AUX
)) {
1150 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1151 LDAP_ATTRIBUTE_OBJECTCLASS
,
1152 LDAP_OBJ_KRB_PRINCIPAL_AUX
);
1155 if (!(has_objectclass
& HAS_IPAOBJECT
)) {
1156 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1157 LDAP_ATTRIBUTE_OBJECTCLASS
, LDAP_OBJ_IPAOBJECT
);
1160 if ((acct_flags
!= 0) &&
1161 (((acct_flags
& ACB_NORMAL
) && name
[strlen(name
)-1] == '$') ||
1162 ((acct_flags
& (ACB_WSTRUST
|ACB_SVRTRUST
|ACB_DOMTRUST
)) != 0))) {
1164 if (!(has_objectclass
& HAS_IPAHOST
)) {
1165 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1166 LDAP_ATTRIBUTE_OBJECTCLASS
,
1169 if (domain
== NULL
) {
1170 return NT_STATUS_INVALID_PARAMETER
;
1173 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1178 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1179 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1180 "objectclass", "posixAccount");
1181 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "cn", name
);
1182 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1183 "uidNumber", IPA_MAGIC_ID_STR
);
1184 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1185 "gidNumber", "12345");
1186 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1187 "homeDirectory", "/dev/null");
1191 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
1192 ldap_mods_free(mods
, 1);
1193 if (ret
!= LDAP_SUCCESS
) {
1194 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1196 return NT_STATUS_LDAP(ret
);
1200 return NT_STATUS_OK
;
1203 static NTSTATUS
pdb_ipasam_add_sam_account(struct pdb_methods
*pdb_methods
,
1204 struct samu
*sampass
)
1207 struct ldapsam_privates
*ldap_state
;
1210 uint32_t has_objectclass
;
1212 struct dom_sid user_sid
;
1214 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1216 if (IS_SAM_SET(sampass
, PDB_USERSID
) ||
1217 IS_SAM_CHANGED(sampass
, PDB_USERSID
)) {
1218 if (!pdb_new_rid(&rid
)) {
1219 return NT_STATUS_DS_NO_MORE_RIDS
;
1221 sid_compose(&user_sid
, get_global_sam_sid(), rid
);
1222 if (!pdb_set_user_sid(sampass
, &user_sid
, PDB_SET
)) {
1223 return NT_STATUS_UNSUCCESSFUL
;
1227 status
= ldap_state
->ipasam_privates
->ldapsam_add_sam_account(pdb_methods
,
1229 if (!NT_STATUS_IS_OK(status
)) {
1233 if (ldap_state
->ipasam_privates
->server_is_ipa
) {
1234 name
= pdb_get_username(sampass
);
1235 if (name
== NULL
|| *name
== '\0') {
1236 return NT_STATUS_INVALID_PARAMETER
;
1239 status
= find_user(ldap_state
, name
, &dn
, &has_objectclass
);
1240 if (!NT_STATUS_IS_OK(status
)) {
1244 status
= ipasam_add_ipa_objectclasses(ldap_state
, dn
, name
,
1245 pdb_get_domain(sampass
),
1246 pdb_get_acct_ctrl(sampass
),
1248 if (!NT_STATUS_IS_OK(status
)) {
1252 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1253 status
= ipasam_add_posix_account_objectclass(ldap_state
,
1256 if (!NT_STATUS_IS_OK(status
)) {
1261 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
1262 status
= modify_ipa_password_exop(ldap_state
, sampass
);
1263 if (!NT_STATUS_IS_OK(status
)) {
1269 return NT_STATUS_OK
;
1272 static NTSTATUS
pdb_ipasam_update_sam_account(struct pdb_methods
*pdb_methods
,
1273 struct samu
*sampass
)
1276 struct ldapsam_privates
*ldap_state
;
1277 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1279 status
= ldap_state
->ipasam_privates
->ldapsam_update_sam_account(pdb_methods
,
1281 if (!NT_STATUS_IS_OK(status
)) {
1285 if (ldap_state
->ipasam_privates
->server_is_ipa
) {
1286 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
1287 status
= modify_ipa_password_exop(ldap_state
, sampass
);
1288 if (!NT_STATUS_IS_OK(status
)) {
1294 return NT_STATUS_OK
;
1297 static NTSTATUS
ipasam_create_dom_group(struct pdb_methods
*pdb_methods
,
1298 TALLOC_CTX
*tmp_ctx
, const char *name
,
1302 struct ldapsam_privates
*ldap_state
;
1303 int ldap_op
= LDAP_MOD_REPLACE
;
1305 uint32_t has_objectclass
= 0;
1307 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1309 if (name
== NULL
|| *name
== '\0') {
1310 return NT_STATUS_INVALID_PARAMETER
;
1313 status
= find_group(ldap_state
, name
, &dn
, &has_objectclass
);
1314 if (NT_STATUS_IS_OK(status
)) {
1315 ldap_op
= LDAP_MOD_REPLACE
;
1316 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1317 ldap_op
= LDAP_MOD_ADD
;
1322 if (!(has_objectclass
& HAS_POSIXGROUP
)) {
1323 status
= ipasam_add_ipa_group_objectclasses(ldap_state
, dn
,
1326 if (!NT_STATUS_IS_OK(status
)) {
1331 status
= ldap_state
->ipasam_privates
->ldapsam_create_dom_group(pdb_methods
,
1335 if (!NT_STATUS_IS_OK(status
)) {
1339 return NT_STATUS_OK
;
1341 static NTSTATUS
ipasam_create_user(struct pdb_methods
*pdb_methods
,
1342 TALLOC_CTX
*tmp_ctx
, const char *name
,
1343 uint32_t acb_info
, uint32_t *rid
)
1346 struct ldapsam_privates
*ldap_state
;
1347 int ldap_op
= LDAP_MOD_REPLACE
;
1349 uint32_t has_objectclass
= 0;
1351 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
1353 if (name
== NULL
|| *name
== '\0') {
1354 return NT_STATUS_INVALID_PARAMETER
;
1357 status
= find_user(ldap_state
, name
, &dn
, &has_objectclass
);
1358 if (NT_STATUS_IS_OK(status
)) {
1359 ldap_op
= LDAP_MOD_REPLACE
;
1360 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1361 char *escape_username
;
1362 ldap_op
= LDAP_MOD_ADD
;
1363 escape_username
= escape_rdn_val_string_alloc(name
);
1364 if (!escape_username
) {
1365 return NT_STATUS_NO_MEMORY
;
1367 if (name
[strlen(name
)-1] == '$') {
1368 dn
= talloc_asprintf(tmp_ctx
, "uid=%s,%s",
1370 lp_ldap_machine_suffix());
1372 dn
= talloc_asprintf(tmp_ctx
, "uid=%s,%s",
1374 lp_ldap_user_suffix());
1376 SAFE_FREE(escape_username
);
1378 return NT_STATUS_NO_MEMORY
;
1384 if (!(has_objectclass
& HAS_POSIXACCOUNT
)) {
1385 status
= ipasam_add_posix_account_objectclass(ldap_state
, ldap_op
,
1387 if (!NT_STATUS_IS_OK(status
)) {
1390 has_objectclass
|= HAS_POSIXACCOUNT
;
1393 status
= ldap_state
->ipasam_privates
->ldapsam_create_user(pdb_methods
,
1396 if (!NT_STATUS_IS_OK(status
)) {
1400 status
= ipasam_add_ipa_objectclasses(ldap_state
, dn
, name
, lp_realm(),
1401 acb_info
, has_objectclass
);
1402 if (!NT_STATUS_IS_OK(status
)) {
1406 return NT_STATUS_OK
;
1409 static NTSTATUS
pdb_init_IPA_ldapsam(struct pdb_methods
**pdb_method
, const char *location
)
1411 struct ldapsam_privates
*ldap_state
;
1414 status
= pdb_init_ldapsam(pdb_method
, location
);
1415 if (!NT_STATUS_IS_OK(status
)) {
1419 (*pdb_method
)->name
= "IPA_ldapsam";
1421 ldap_state
= (struct ldapsam_privates
*)((*pdb_method
)->private_data
);
1422 ldap_state
->ipasam_privates
= talloc_zero(ldap_state
,
1423 struct ipasam_privates
);
1424 if (ldap_state
->ipasam_privates
== NULL
) {
1425 return NT_STATUS_NO_MEMORY
;
1427 ldap_state
->is_ipa_ldap
= True
;
1429 ldap_state
->ipasam_privates
->server_is_ipa
= smbldap_has_extension(
1430 priv2ld(ldap_state
), IPA_KEYTAB_SET_OID
);
1431 ldap_state
->ipasam_privates
->ldapsam_add_sam_account
= (*pdb_method
)->add_sam_account
;
1432 ldap_state
->ipasam_privates
->ldapsam_update_sam_account
= (*pdb_method
)->update_sam_account
;
1433 ldap_state
->ipasam_privates
->ldapsam_create_user
= (*pdb_method
)->create_user
;
1434 ldap_state
->ipasam_privates
->ldapsam_create_dom_group
= (*pdb_method
)->create_dom_group
;
1436 (*pdb_method
)->add_sam_account
= pdb_ipasam_add_sam_account
;
1437 (*pdb_method
)->update_sam_account
= pdb_ipasam_update_sam_account
;
1439 if (lp_parm_bool(-1, "ldapsam", "trusted", False
)) {
1440 if (lp_parm_bool(-1, "ldapsam", "editposix", False
)) {
1441 (*pdb_method
)->create_user
= ipasam_create_user
;
1442 (*pdb_method
)->create_dom_group
= ipasam_create_dom_group
;
1446 (*pdb_method
)->capabilities
= pdb_ipasam_capabilities
;
1447 (*pdb_method
)->get_domain_info
= pdb_ipasam_get_domain_info
;
1449 (*pdb_method
)->get_trusteddom_pw
= ipasam_get_trusteddom_pw
;
1450 (*pdb_method
)->set_trusteddom_pw
= ipasam_set_trusteddom_pw
;
1451 (*pdb_method
)->del_trusteddom_pw
= ipasam_del_trusteddom_pw
;
1452 (*pdb_method
)->enum_trusteddoms
= ipasam_enum_trusteddoms
;
1454 (*pdb_method
)->get_trusted_domain
= ipasam_get_trusted_domain
;
1455 (*pdb_method
)->get_trusted_domain_by_sid
= ipasam_get_trusted_domain_by_sid
;
1456 (*pdb_method
)->set_trusted_domain
= ipasam_set_trusted_domain
;
1457 (*pdb_method
)->del_trusted_domain
= ipasam_del_trusted_domain
;
1458 (*pdb_method
)->enum_trusted_domains
= ipasam_enum_trusted_domains
;
1460 return NT_STATUS_OK
;
1463 NTSTATUS
pdb_ipa_init(void)
1467 if (!NT_STATUS_IS_OK(nt_status
= smb_register_passdb(PASSDB_INTERFACE_VERSION
, "IPA_ldapsam", pdb_init_IPA_ldapsam
)))
1470 return NT_STATUS_OK
;