2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
28 #define LDAP_TRUST_CONTAINER "ou=system"
29 #define LDAP_ATTRIBUTE_CN "cn"
30 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
31 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
32 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
33 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
34 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
35 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
36 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
37 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
38 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
40 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
41 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
42 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
44 struct ipasam_privates
{
45 NTSTATUS (*ldapsam_add_sam_account
)(struct pdb_methods
*,
46 struct samu
*sampass
);
47 NTSTATUS (*ldapsam_update_sam_account
)(struct pdb_methods
*,
48 struct samu
*sampass
);
51 static bool ipasam_get_trusteddom_pw(struct pdb_methods
*methods
,
55 time_t *pass_last_set_time
)
60 static bool ipasam_set_trusteddom_pw(struct pdb_methods
*methods
,
63 const struct dom_sid
*sid
)
68 static bool ipasam_del_trusteddom_pw(struct pdb_methods
*methods
,
74 static char *get_account_dn(const char *name
)
79 escape_name
= escape_rdn_val_string_alloc(name
);
84 if (name
[strlen(name
)-1] == '$') {
85 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
86 lp_ldap_machine_suffix());
88 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
89 lp_ldap_user_suffix());
92 SAFE_FREE(escape_name
);
97 static char *trusted_domain_dn(struct ldapsam_privates
*ldap_state
,
100 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
101 LDAP_ATTRIBUTE_CN
, domain
,
102 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
105 static char *trusted_domain_base_dn(struct ldapsam_privates
*ldap_state
)
107 return talloc_asprintf(talloc_tos(), "%s,%s",
108 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
111 static bool get_trusted_domain_int(struct ldapsam_privates
*ldap_state
,
113 const char *filter
, LDAPMessage
**entry
)
116 char *base_dn
= NULL
;
117 LDAPMessage
*result
= NULL
;
120 base_dn
= trusted_domain_base_dn(ldap_state
);
121 if (base_dn
== NULL
) {
125 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
,
126 LDAP_SCOPE_SUBTREE
, filter
, NULL
, 0, &result
);
127 TALLOC_FREE(base_dn
);
129 if (result
!= NULL
) {
130 talloc_autofree_ldapmsg(mem_ctx
, result
);
133 if (rc
== LDAP_NO_SUCH_OBJECT
) {
138 if (rc
!= LDAP_SUCCESS
) {
142 num_result
= ldap_count_entries(priv2ld(ldap_state
), result
);
144 if (num_result
> 1) {
145 DEBUG(1, ("get_trusted_domain_int: more than one "
146 "%s object with filter '%s'?!\n",
147 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
151 if (num_result
== 0) {
152 DEBUG(1, ("get_trusted_domain_int: no "
153 "%s object with filter '%s'.\n",
154 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
157 *entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
163 static bool get_trusted_domain_by_name_int(struct ldapsam_privates
*ldap_state
,
170 filter
= talloc_asprintf(talloc_tos(),
171 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
172 LDAP_OBJ_TRUSTED_DOMAIN
,
173 LDAP_ATTRIBUTE_FLAT_NAME
, domain
,
174 LDAP_ATTRIBUTE_TRUST_PARTNER
, domain
, domain
);
175 if (filter
== NULL
) {
179 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
182 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates
*ldap_state
,
184 const char *sid
, LDAPMessage
**entry
)
188 filter
= talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
189 LDAP_OBJ_TRUSTED_DOMAIN
,
190 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
, sid
);
191 if (filter
== NULL
) {
195 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
198 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates
*ldap_state
,
207 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
210 DEBUG(9, ("Attribute %s not present.\n", attr
));
215 l
= strtoul(dummy
, &endptr
, 10);
218 if (l
< 0 || l
> UINT32_MAX
|| *endptr
!= '\0') {
227 static void get_data_blob_from_ldap_msg(TALLOC_CTX
*mem_ctx
,
228 struct ldapsam_privates
*ldap_state
,
229 LDAPMessage
*entry
, const char *attr
,
235 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
, attr
,
238 DEBUG(9, ("Attribute %s not present.\n", attr
));
241 blob
= base64_decode_data_blob(dummy
);
242 if (blob
.length
== 0) {
245 _blob
->length
= blob
.length
;
246 _blob
->data
= talloc_steal(mem_ctx
, blob
.data
);
252 static bool fill_pdb_trusted_domain(TALLOC_CTX
*mem_ctx
,
253 struct ldapsam_privates
*ldap_state
,
255 struct pdb_trusted_domain
**_td
)
259 struct pdb_trusted_domain
*td
;
265 td
= talloc_zero(mem_ctx
, struct pdb_trusted_domain
);
270 /* All attributes are MAY */
272 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
273 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
276 DEBUG(9, ("Attribute %s not present.\n",
277 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
));
278 ZERO_STRUCT(td
->security_identifier
);
280 res
= string_to_sid(&td
->security_identifier
, dummy
);
287 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
288 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
289 &td
->trust_auth_incoming
);
291 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
292 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
293 &td
->trust_auth_outgoing
);
295 td
->netbios_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
297 LDAP_ATTRIBUTE_FLAT_NAME
,
299 if (td
->netbios_name
== NULL
) {
300 DEBUG(9, ("Attribute %s not present.\n",
301 LDAP_ATTRIBUTE_FLAT_NAME
));
304 td
->domain_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
306 LDAP_ATTRIBUTE_TRUST_PARTNER
,
308 if (td
->domain_name
== NULL
) {
309 DEBUG(9, ("Attribute %s not present.\n",
310 LDAP_ATTRIBUTE_TRUST_PARTNER
));
313 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
314 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
315 &td
->trust_direction
);
320 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
321 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
322 &td
->trust_attributes
);
327 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
328 LDAP_ATTRIBUTE_TRUST_TYPE
,
334 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
335 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
336 &td
->trust_forest_trust_info
);
343 static NTSTATUS
ipasam_get_trusted_domain(struct pdb_methods
*methods
,
346 struct pdb_trusted_domain
**td
)
348 struct ldapsam_privates
*ldap_state
=
349 (struct ldapsam_privates
*)methods
->private_data
;
350 LDAPMessage
*entry
= NULL
;
352 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain
));
354 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
356 return NT_STATUS_UNSUCCESSFUL
;
359 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
361 return NT_STATUS_NO_SUCH_DOMAIN
;
364 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
365 return NT_STATUS_UNSUCCESSFUL
;
371 static NTSTATUS
ipasam_get_trusted_domain_by_sid(struct pdb_methods
*methods
,
374 struct pdb_trusted_domain
**td
)
376 struct ldapsam_privates
*ldap_state
=
377 (struct ldapsam_privates
*)methods
->private_data
;
378 LDAPMessage
*entry
= NULL
;
381 sid_str
= sid_string_tos(sid
);
383 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
386 if (!get_trusted_domain_by_sid_int(ldap_state
, talloc_tos(), sid_str
,
388 return NT_STATUS_UNSUCCESSFUL
;
391 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
392 "with sid: %s\n", sid_str
));
393 return NT_STATUS_NO_SUCH_DOMAIN
;
396 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
397 return NT_STATUS_UNSUCCESSFUL
;
403 static bool smbldap_make_mod_uint32_t(LDAP
*ldap_struct
, LDAPMessage
*entry
,
404 LDAPMod
***mods
, const char *attribute
,
409 dummy
= talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val
);
413 smbldap_make_mod(ldap_struct
, entry
, mods
, attribute
, dummy
);
419 static bool smbldap_make_mod_blob(LDAP
*ldap_struct
, LDAPMessage
*entry
,
420 LDAPMod
***mods
, const char *attribute
,
425 dummy
= base64_encode_data_blob(talloc_tos(), blob
);
430 smbldap_make_mod(ldap_struct
, entry
, mods
, attribute
, dummy
);
436 static NTSTATUS
ipasam_set_trusted_domain(struct pdb_methods
*methods
,
438 const struct pdb_trusted_domain
*td
)
440 struct ldapsam_privates
*ldap_state
=
441 (struct ldapsam_privates
*)methods
->private_data
;
442 LDAPMessage
*entry
= NULL
;
445 char *trusted_dn
= NULL
;
448 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain
));
450 res
= get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
453 return NT_STATUS_UNSUCCESSFUL
;
457 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
, "objectClass",
458 LDAP_OBJ_TRUSTED_DOMAIN
);
460 if (td
->netbios_name
!= NULL
) {
461 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
462 LDAP_ATTRIBUTE_FLAT_NAME
,
466 if (td
->domain_name
!= NULL
) {
467 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
468 LDAP_ATTRIBUTE_TRUST_PARTNER
,
472 if (!is_null_sid(&td
->security_identifier
)) {
473 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
474 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
475 sid_string_tos(&td
->security_identifier
));
478 if (td
->trust_type
!= 0) {
479 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
480 &mods
, LDAP_ATTRIBUTE_TRUST_TYPE
,
483 return NT_STATUS_UNSUCCESSFUL
;
487 if (td
->trust_attributes
!= 0) {
488 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
490 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
491 td
->trust_attributes
);
493 return NT_STATUS_UNSUCCESSFUL
;
497 if (td
->trust_direction
!= 0) {
498 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
500 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
501 td
->trust_direction
);
503 return NT_STATUS_UNSUCCESSFUL
;
507 if (td
->trust_auth_outgoing
.data
!= NULL
) {
508 res
= smbldap_make_mod_blob(priv2ld(ldap_state
), entry
,
510 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
511 td
->trust_auth_outgoing
);
513 return NT_STATUS_UNSUCCESSFUL
;
517 if (td
->trust_auth_incoming
.data
!= NULL
) {
518 res
= smbldap_make_mod_blob(priv2ld(ldap_state
), entry
,
520 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
521 td
->trust_auth_incoming
);
523 return NT_STATUS_UNSUCCESSFUL
;
527 if (td
->trust_forest_trust_info
.data
!= NULL
) {
528 res
= smbldap_make_mod_blob(priv2ld(ldap_state
), entry
,
530 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
531 td
->trust_forest_trust_info
);
533 return NT_STATUS_UNSUCCESSFUL
;
537 talloc_autofree_ldapmod(talloc_tos(), mods
);
539 trusted_dn
= trusted_domain_dn(ldap_state
, domain
);
540 if (trusted_dn
== NULL
) {
541 return NT_STATUS_NO_MEMORY
;
544 ret
= smbldap_add(ldap_state
->smbldap_state
, trusted_dn
, mods
);
546 ret
= smbldap_modify(ldap_state
->smbldap_state
, trusted_dn
, mods
);
549 if (ret
!= LDAP_SUCCESS
) {
550 DEBUG(1, ("error writing trusted domain data!\n"));
551 return NT_STATUS_UNSUCCESSFUL
;
556 static NTSTATUS
ipasam_del_trusted_domain(struct pdb_methods
*methods
,
560 struct ldapsam_privates
*ldap_state
=
561 (struct ldapsam_privates
*)methods
->private_data
;
562 LDAPMessage
*entry
= NULL
;
565 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
567 return NT_STATUS_UNSUCCESSFUL
;
571 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
573 return NT_STATUS_NO_SUCH_DOMAIN
;
576 dn
= smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state
), entry
);
578 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
579 return NT_STATUS_NO_MEMORY
;
582 ret
= smbldap_delete(ldap_state
->smbldap_state
, dn
);
583 if (ret
!= LDAP_SUCCESS
) {
584 return NT_STATUS_UNSUCCESSFUL
;
590 static NTSTATUS
ipasam_enum_trusted_domains(struct pdb_methods
*methods
,
592 uint32_t *num_domains
,
593 struct pdb_trusted_domain
***domains
)
596 struct ldapsam_privates
*ldap_state
=
597 (struct ldapsam_privates
*)methods
->private_data
;
598 char *base_dn
= NULL
;
600 int scope
= LDAP_SCOPE_SUBTREE
;
601 LDAPMessage
*result
= NULL
;
602 LDAPMessage
*entry
= NULL
;
604 filter
= talloc_asprintf(talloc_tos(), "(objectClass=%s)",
605 LDAP_OBJ_TRUSTED_DOMAIN
);
606 if (filter
== NULL
) {
607 return NT_STATUS_NO_MEMORY
;
610 base_dn
= trusted_domain_base_dn(ldap_state
);
611 if (base_dn
== NULL
) {
613 return NT_STATUS_NO_MEMORY
;
616 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
, scope
, filter
,
619 TALLOC_FREE(base_dn
);
621 if (result
!= NULL
) {
622 talloc_autofree_ldapmsg(mem_ctx
, result
);
625 if (rc
== LDAP_NO_SUCH_OBJECT
) {
631 if (rc
!= LDAP_SUCCESS
) {
632 return NT_STATUS_UNSUCCESSFUL
;
636 if (!(*domains
= TALLOC_ARRAY(mem_ctx
, struct pdb_trusted_domain
*, 1))) {
637 DEBUG(1, ("talloc failed\n"));
638 return NT_STATUS_NO_MEMORY
;
641 for (entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
643 entry
= ldap_next_entry(priv2ld(ldap_state
), entry
))
645 struct pdb_trusted_domain
*dom_info
;
647 if (!fill_pdb_trusted_domain(*domains
, ldap_state
, entry
,
649 return NT_STATUS_UNSUCCESSFUL
;
652 ADD_TO_ARRAY(*domains
, struct pdb_trusted_domain
*, dom_info
,
653 domains
, num_domains
);
655 if (*domains
== NULL
) {
656 DEBUG(1, ("talloc failed\n"));
657 return NT_STATUS_NO_MEMORY
;
661 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains
));
665 static NTSTATUS
ipasam_enum_trusteddoms(struct pdb_methods
*methods
,
667 uint32_t *num_domains
,
668 struct trustdom_info
***domains
)
671 struct pdb_trusted_domain
**td
;
674 status
= ipasam_enum_trusted_domains(methods
, talloc_tos(),
676 if (!NT_STATUS_IS_OK(status
)) {
680 if (*num_domains
== 0) {
684 if (!(*domains
= TALLOC_ARRAY(mem_ctx
, struct trustdom_info
*,
686 DEBUG(1, ("talloc failed\n"));
687 return NT_STATUS_NO_MEMORY
;
690 for (i
= 0; i
< *num_domains
; i
++) {
691 struct trustdom_info
*dom_info
;
693 dom_info
= TALLOC_P(*domains
, struct trustdom_info
);
694 if (dom_info
== NULL
) {
695 DEBUG(1, ("talloc failed\n"));
696 return NT_STATUS_NO_MEMORY
;
699 dom_info
->name
= talloc_steal(mem_ctx
, td
[i
]->netbios_name
);
700 sid_copy(&dom_info
->sid
, &td
[i
]->security_identifier
);
702 (*domains
)[i
] = dom_info
;
708 static uint32_t pdb_ipasam_capabilities(struct pdb_methods
*methods
)
710 return PDB_CAP_STORE_RIDS
| PDB_CAP_ADS
| PDB_CAP_TRUSTED_DOMAINS_EX
;
713 static struct pdb_domain_info
*pdb_ipasam_get_domain_info(struct pdb_methods
*pdb_methods
,
716 struct pdb_domain_info
*info
;
718 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)pdb_methods
->private_data
;
720 info
= talloc(mem_ctx
, struct pdb_domain_info
);
725 info
->name
= talloc_strdup(info
, ldap_state
->domain_name
);
726 if (info
->name
== NULL
) {
730 /* TODO: read dns_domain, dns_forest and guid from LDAP */
731 info
->dns_domain
= talloc_strdup(info
, lp_realm());
732 if (info
->dns_domain
== NULL
) {
735 strlower_m(info
->dns_domain
);
736 info
->dns_forest
= talloc_strdup(info
, info
->dns_domain
);
737 sid_copy(&info
->sid
, &ldap_state
->domain_sid
);
739 status
= GUID_from_string("testguid", &info
->guid
);
748 static NTSTATUS
modify_ipa_password_exop(struct ldapsam_privates
*ldap_state
,
749 struct samu
*sampass
)
752 BerElement
*ber
= NULL
;
753 struct berval
*bv
= NULL
;
755 struct berval
*retdata
= NULL
;
756 const char *password
;
759 password
= pdb_get_plaintext_passwd(sampass
);
760 if (password
== NULL
|| *password
== '\0') {
761 return NT_STATUS_INVALID_PARAMETER
;
764 dn
= get_account_dn(pdb_get_username(sampass
));
766 return NT_STATUS_INVALID_PARAMETER
;
769 ber
= ber_alloc_t( LBER_USE_DER
);
771 DEBUG(7, ("ber_alloc_t failed.\n"));
772 return NT_STATUS_NO_MEMORY
;
775 ret
= ber_printf(ber
, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID
, dn
,
776 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW
, password
);
778 DEBUG(7, ("ber_printf failed.\n"));
780 return NT_STATUS_UNSUCCESSFUL
;
783 ret
= ber_flatten(ber
, &bv
);
786 DEBUG(1, ("ber_flatten failed.\n"));
787 return NT_STATUS_UNSUCCESSFUL
;
790 ret
= smbldap_extended_operation(ldap_state
->smbldap_state
,
791 LDAP_EXOP_MODIFY_PASSWD
, bv
, NULL
,
792 NULL
, &retoid
, &retdata
);
798 ldap_memfree(retoid
);
800 if (ret
!= LDAP_SUCCESS
) {
801 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
802 return NT_STATUS_UNSUCCESSFUL
;
808 static NTSTATUS
ipasam_add_objectclasses(struct ldapsam_privates
*ldap_state
,
809 struct samu
*sampass
)
812 LDAPMod
**mods
= NULL
;
816 char *domain_with_dot
;
818 dn
= get_account_dn(pdb_get_username(sampass
));
820 return NT_STATUS_INVALID_PARAMETER
;
823 princ
= talloc_asprintf(talloc_tos(), "%s@%s", pdb_get_username(sampass
), lp_realm());
825 return NT_STATUS_NO_MEMORY
;
828 domain
= pdb_get_domain(sampass
);
829 if (domain
== NULL
) {
830 return NT_STATUS_INVALID_PARAMETER
;
833 domain_with_dot
= talloc_asprintf(talloc_tos(), "%s.", domain
);
834 if (domain_with_dot
== NULL
) {
835 return NT_STATUS_NO_MEMORY
;
838 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
839 "objectclass", LDAP_OBJ_KRB_PRINCIPAL
);
840 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
841 LDAP_ATTRIBUTE_KRB_PRINCIPAL
, princ
);
842 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
843 "objectclass", LDAP_OBJ_KRB_PRINCIPAL_AUX
);
844 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
845 "objectclass", "ipaHost");
846 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
848 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
849 "objectclass", "posixAccount");
850 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
851 "cn", pdb_get_username(sampass
));
852 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
853 "gidNumber", "12345");
854 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
855 "homeDirectory", "/dev/null");
856 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "uid", domain
);
857 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "uid", domain_with_dot
);
859 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
860 ldap_mods_free(mods
, true);
861 if (ret
!= LDAP_SUCCESS
) {
862 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
863 pdb_get_username(sampass
),dn
));
864 return NT_STATUS_LDAP(ret
);
870 static NTSTATUS
pdb_ipasam_add_sam_account(struct pdb_methods
*pdb_methods
,
871 struct samu
*sampass
)
874 struct ldapsam_privates
*ldap_state
;
876 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
878 status
=ldap_state
->ipasam_privates
->ldapsam_add_sam_account(pdb_methods
,
880 if (!NT_STATUS_IS_OK(status
)) {
884 status
= ipasam_add_objectclasses(ldap_state
, sampass
);
885 if (!NT_STATUS_IS_OK(status
)) {
889 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
890 status
= modify_ipa_password_exop(ldap_state
, sampass
);
891 if (!NT_STATUS_IS_OK(status
)) {
899 static NTSTATUS
pdb_ipasam_update_sam_account(struct pdb_methods
*pdb_methods
,
900 struct samu
*sampass
)
903 struct ldapsam_privates
*ldap_state
;
904 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
906 status
= ldap_state
->ipasam_privates
->ldapsam_update_sam_account(pdb_methods
,
908 if (!NT_STATUS_IS_OK(status
)) {
912 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
913 status
= modify_ipa_password_exop(ldap_state
, sampass
);
914 if (!NT_STATUS_IS_OK(status
)) {
922 static NTSTATUS
pdb_init_IPA_ldapsam(struct pdb_methods
**pdb_method
, const char *location
)
924 struct ldapsam_privates
*ldap_state
;
927 status
= pdb_init_ldapsam(pdb_method
, location
);
928 if (!NT_STATUS_IS_OK(status
)) {
932 (*pdb_method
)->name
= "IPA_ldapsam";
934 ldap_state
= (struct ldapsam_privates
*)((*pdb_method
)->private_data
);
935 ldap_state
->ipasam_privates
= talloc_zero(ldap_state
,
936 struct ipasam_privates
);
937 if (ldap_state
->ipasam_privates
== NULL
) {
938 return NT_STATUS_NO_MEMORY
;
940 ldap_state
->is_ipa_ldap
= true;
941 ldap_state
->ipasam_privates
->ldapsam_add_sam_account
= (*pdb_method
)->add_sam_account
;
942 ldap_state
->ipasam_privates
->ldapsam_update_sam_account
= (*pdb_method
)->update_sam_account
;
944 (*pdb_method
)->add_sam_account
= pdb_ipasam_add_sam_account
;
945 (*pdb_method
)->update_sam_account
= pdb_ipasam_update_sam_account
;
947 (*pdb_method
)->capabilities
= pdb_ipasam_capabilities
;
948 (*pdb_method
)->get_domain_info
= pdb_ipasam_get_domain_info
;
950 (*pdb_method
)->get_trusteddom_pw
= ipasam_get_trusteddom_pw
;
951 (*pdb_method
)->set_trusteddom_pw
= ipasam_set_trusteddom_pw
;
952 (*pdb_method
)->del_trusteddom_pw
= ipasam_del_trusteddom_pw
;
953 (*pdb_method
)->enum_trusteddoms
= ipasam_enum_trusteddoms
;
955 (*pdb_method
)->get_trusted_domain
= ipasam_get_trusted_domain
;
956 (*pdb_method
)->get_trusted_domain_by_sid
= ipasam_get_trusted_domain_by_sid
;
957 (*pdb_method
)->set_trusted_domain
= ipasam_set_trusted_domain
;
958 (*pdb_method
)->del_trusted_domain
= ipasam_del_trusted_domain
;
959 (*pdb_method
)->enum_trusted_domains
= ipasam_enum_trusted_domains
;
964 NTSTATUS
pdb_ipa_init(void)
968 if (!NT_STATUS_IS_OK(nt_status
= smb_register_passdb(PASSDB_INTERFACE_VERSION
, "IPA_ldapsam", pdb_init_IPA_ldapsam
)))