source3/passdb/machine_sid.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Password and authentication handling
   4    Copyright (C) Jeremy Allison                 1996-2002
   5    Copyright (C) Andrew Tridgell                2002
   6    Copyright (C) Gerald (Jerry) Carter          2000
   7    Copyright (C) Stefan (metze) Metzmacher      2002
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "secrets.h"
  25 #include "dbwrap.h"
  26 #include "../libcli/security/security.h"
  27
  28 /* NOTE! the global_sam_sid is the SID of our local SAM. This is only
  29    equal to the domain SID when we are a DC, otherwise its our
  30    workstation SID */
  31 static struct dom_sid *global_sam_sid=NULL;
  32
  33 #undef DBGC_CLASS
  34 #define DBGC_CLASS DBGC_PASSDB
  35
  36 /****************************************************************************
  37  Read a SID from a file. This is for compatibility with the old MACHINE.SID
  38  style of SID storage
  39 ****************************************************************************/
  40
  41 static bool read_sid_from_file(const char *fname, struct dom_sid *sid)
  42 {
  43         char **lines;
  44         int numlines;
  45         bool ret;
  46
  47         lines = file_lines_load(fname, &numlines,0, NULL);
  48
  49         if (!lines || numlines < 1) {
  50                 TALLOC_FREE(lines);
  51                 return False;
  52         }
  53
  54         ret = string_to_sid(sid, lines[0]);
  55         TALLOC_FREE(lines);
  56         return ret;
  57 }
  58
  59 /*
  60   generate a random sid - used to build our own sid if we don't have one
  61 */
  62 static void generate_random_sid(struct dom_sid *sid)
  63 {
  64         int i;
  65         uchar raw_sid_data[12];
  66
  67         ZERO_STRUCTP(sid);
  68
  69         sid->sid_rev_num = 1;
  70         sid->id_auth[5] = 5;
  71         sid->num_auths = 0;
  72         sid->sub_auths[sid->num_auths++] = 21;
  73
  74         generate_random_buffer(raw_sid_data, 12);
  75         for (i = 0; i < 3; i++)
  76                 sid->sub_auths[sid->num_auths++] = IVAL(raw_sid_data, i*4);
  77 }
  78
  79 /****************************************************************************
  80  Generate the global machine sid.
  81 ****************************************************************************/
  82
  83 static struct dom_sid *pdb_generate_sam_sid(void)
  84 {
  85         struct dom_sid domain_sid;
  86         char *fname = NULL;
  87         struct dom_sid *sam_sid;
  88
  89         if(!(sam_sid=SMB_MALLOC_P(struct dom_sid)))
  90                 return NULL;
  91
  92         if ( IS_DC ) {
  93                 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
  94                         sid_copy(sam_sid, &domain_sid);
  95                         return sam_sid;
  96                 }
  97         }
  98
  99         if (secrets_fetch_domain_sid(global_myname(), sam_sid)) {
 100
 101                 /* We got our sid. If not a pdc/bdc, we're done. */
 102                 if ( !IS_DC )
 103                         return sam_sid;
 104
 105                 if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
 106
 107                         /* No domain sid and we're a pdc/bdc. Store it */
 108
 109                         if (!secrets_store_domain_sid(lp_workgroup(), sam_sid)) {
 110                                 DEBUG(0,("pdb_generate_sam_sid: Can't store domain SID as a pdc/bdc.\n"));
 111                                 SAFE_FREE(sam_sid);
 112                                 return NULL;
 113                         }
 114                         return sam_sid;
 115                 }
 116
 117                 if (!dom_sid_equal(&domain_sid, sam_sid)) {
 118
 119                         /* Domain name sid doesn't match global sam sid. Re-store domain sid as 'local' sid. */
 120
 121                         DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n"));
 122                         if (!secrets_store_domain_sid(global_myname(), &domain_sid)) {
 123                                 DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID for local sid as PDC/BDC.\n"));
 124                                 SAFE_FREE(sam_sid);
 125                                 return NULL;
 126                         }
 127                         return sam_sid;
 128                 }
 129
 130                 return sam_sid;
 131         }
 132
 133         /* check for an old MACHINE.SID file for backwards compatibility */
 134         if (asprintf(&fname, "%s/MACHINE.SID", lp_private_dir()) == -1) {
 135                 SAFE_FREE(sam_sid);
 136                 return NULL;
 137         }
 138
 139         if (read_sid_from_file(fname, sam_sid)) {
 140                 /* remember it for future reference and unlink the old MACHINE.SID */
 141                 if (!secrets_store_domain_sid(global_myname(), sam_sid)) {
 142                         DEBUG(0,("pdb_generate_sam_sid: Failed to store SID from file.\n"));
 143                         SAFE_FREE(fname);
 144                         SAFE_FREE(sam_sid);
 145                         return NULL;
 146                 }
 147                 unlink(fname);
 148                 if ( !IS_DC ) {
 149                         if (!secrets_store_domain_sid(lp_workgroup(), sam_sid)) {
 150                                 DEBUG(0,("pdb_generate_sam_sid: Failed to store domain SID from file.\n"));
 151                                 SAFE_FREE(fname);
 152                                 SAFE_FREE(sam_sid);
 153                                 return NULL;
 154                         }
 155                 }
 156
 157                 /* Stored the old sid from MACHINE.SID successfully.*/
 158                 SAFE_FREE(fname);
 159                 return sam_sid;
 160         }
 161
 162         SAFE_FREE(fname);
 163
 164         /* we don't have the SID in secrets.tdb, we will need to
 165            generate one and save it */
 166         generate_random_sid(sam_sid);
 167
 168         if (!secrets_store_domain_sid(global_myname(), sam_sid)) {
 169                 DEBUG(0,("pdb_generate_sam_sid: Failed to store generated machine SID.\n"));
 170                 SAFE_FREE(sam_sid);
 171                 return NULL;
 172         }
 173         if ( IS_DC ) {
 174                 if (!secrets_store_domain_sid(lp_workgroup(), sam_sid)) {
 175                         DEBUG(0,("pdb_generate_sam_sid: Failed to store generated domain SID.\n"));
 176                         SAFE_FREE(sam_sid);
 177                         return NULL;
 178                 }
 179         }
 180
 181         return sam_sid;
 182 }
 183
 184 /* return our global_sam_sid */
 185 struct dom_sid *get_global_sam_sid(void)
 186 {
 187         struct db_context *db;
 188
 189         if (global_sam_sid != NULL)
 190                 return global_sam_sid;
 191
 192         /*
 193          * memory for global_sam_sid is allocated in
 194          * pdb_generate_sam_sid() as needed
 195          *
 196          * Note: this is garded by a transaction
 197          *       to prevent races on startup which
 198          *       can happen with some dbwrap backends
 199          */
 200
 201         db = secrets_db_ctx();
 202         if (!db) {
 203                 smb_panic("could not open secrets db");
 204         }
 205
 206         if (db->transaction_start(db) != 0) {
 207                 smb_panic("could not start transaction on secrets db");
 208         }
 209
 210         if (!(global_sam_sid = pdb_generate_sam_sid())) {
 211                 db->transaction_cancel(db);
 212                 smb_panic("could not generate a machine SID");
 213         }
 214
 215         if (db->transaction_commit(db) != 0) {
 216                 smb_panic("could not start commit secrets db");
 217         }
 218
 219         return global_sam_sid;
 220 }
 221
 222 /**
 223  * Force get_global_sam_sid to requery the backends
 224  */
 225 void reset_global_sam_sid(void)
 226 {
 227         SAFE_FREE(global_sam_sid);
 228 }
 229
 230 /*****************************************************************
 231  Check if the SID is our domain SID (S-1-5-21-x-y-z).
 232 *****************************************************************/
 233
 234 bool sid_check_is_domain(const struct dom_sid *sid)
 235 {
 236         return dom_sid_equal(sid, get_global_sam_sid());
 237 }
 238
 239 /*****************************************************************
 240  Check if the SID is our domain SID (S-1-5-21-x-y-z).
 241 *****************************************************************/
 242
 243 bool sid_check_is_in_our_domain(const struct dom_sid *sid)
 244 {
 245         struct dom_sid dom_sid;
 246
 247         sid_copy(&dom_sid, sid);
 248         sid_split_rid(&dom_sid, NULL);
 249         return sid_check_is_domain(&dom_sid);
 250 }