2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
28 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
30 #define LDAP_TRUST_CONTAINER "ou=system"
31 #define LDAP_ATTRIBUTE_CN "cn"
32 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
33 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
34 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
35 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
36 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
37 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
38 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
39 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
40 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
42 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
43 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
44 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
46 struct ipasam_privates
{
48 NTSTATUS (*ldapsam_add_sam_account
)(struct pdb_methods
*,
49 struct samu
*sampass
);
50 NTSTATUS (*ldapsam_update_sam_account
)(struct pdb_methods
*,
51 struct samu
*sampass
);
54 static bool ipasam_get_trusteddom_pw(struct pdb_methods
*methods
,
58 time_t *pass_last_set_time
)
63 static bool ipasam_set_trusteddom_pw(struct pdb_methods
*methods
,
66 const struct dom_sid
*sid
)
71 static bool ipasam_del_trusteddom_pw(struct pdb_methods
*methods
,
77 static char *get_account_dn(const char *name
)
82 escape_name
= escape_rdn_val_string_alloc(name
);
87 if (name
[strlen(name
)-1] == '$') {
88 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
89 lp_ldap_machine_suffix());
91 dn
= talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name
,
92 lp_ldap_user_suffix());
95 SAFE_FREE(escape_name
);
100 static char *trusted_domain_dn(struct ldapsam_privates
*ldap_state
,
103 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
104 LDAP_ATTRIBUTE_CN
, domain
,
105 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
108 static char *trusted_domain_base_dn(struct ldapsam_privates
*ldap_state
)
110 return talloc_asprintf(talloc_tos(), "%s,%s",
111 LDAP_TRUST_CONTAINER
, ldap_state
->domain_dn
);
114 static bool get_trusted_domain_int(struct ldapsam_privates
*ldap_state
,
116 const char *filter
, LDAPMessage
**entry
)
119 char *base_dn
= NULL
;
120 LDAPMessage
*result
= NULL
;
123 base_dn
= trusted_domain_base_dn(ldap_state
);
124 if (base_dn
== NULL
) {
128 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
,
129 LDAP_SCOPE_SUBTREE
, filter
, NULL
, 0, &result
);
130 TALLOC_FREE(base_dn
);
132 if (result
!= NULL
) {
133 talloc_autofree_ldapmsg(mem_ctx
, result
);
136 if (rc
== LDAP_NO_SUCH_OBJECT
) {
141 if (rc
!= LDAP_SUCCESS
) {
145 num_result
= ldap_count_entries(priv2ld(ldap_state
), result
);
147 if (num_result
> 1) {
148 DEBUG(1, ("get_trusted_domain_int: more than one "
149 "%s object with filter '%s'?!\n",
150 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
154 if (num_result
== 0) {
155 DEBUG(1, ("get_trusted_domain_int: no "
156 "%s object with filter '%s'.\n",
157 LDAP_OBJ_TRUSTED_DOMAIN
, filter
));
160 *entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
166 static bool get_trusted_domain_by_name_int(struct ldapsam_privates
*ldap_state
,
173 filter
= talloc_asprintf(talloc_tos(),
174 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
175 LDAP_OBJ_TRUSTED_DOMAIN
,
176 LDAP_ATTRIBUTE_FLAT_NAME
, domain
,
177 LDAP_ATTRIBUTE_TRUST_PARTNER
, domain
, domain
);
178 if (filter
== NULL
) {
182 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
185 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates
*ldap_state
,
187 const char *sid
, LDAPMessage
**entry
)
191 filter
= talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
192 LDAP_OBJ_TRUSTED_DOMAIN
,
193 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
, sid
);
194 if (filter
== NULL
) {
198 return get_trusted_domain_int(ldap_state
, mem_ctx
, filter
, entry
);
201 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates
*ldap_state
,
210 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
213 DEBUG(9, ("Attribute %s not present.\n", attr
));
218 l
= strtoul(dummy
, &endptr
, 10);
221 if (l
< 0 || l
> UINT32_MAX
|| *endptr
!= '\0') {
230 static void get_data_blob_from_ldap_msg(TALLOC_CTX
*mem_ctx
,
231 struct ldapsam_privates
*ldap_state
,
232 LDAPMessage
*entry
, const char *attr
,
238 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
, attr
,
241 DEBUG(9, ("Attribute %s not present.\n", attr
));
244 blob
= base64_decode_data_blob(dummy
);
245 if (blob
.length
== 0) {
248 _blob
->length
= blob
.length
;
249 _blob
->data
= talloc_steal(mem_ctx
, blob
.data
);
255 static bool fill_pdb_trusted_domain(TALLOC_CTX
*mem_ctx
,
256 struct ldapsam_privates
*ldap_state
,
258 struct pdb_trusted_domain
**_td
)
262 struct pdb_trusted_domain
*td
;
268 td
= talloc_zero(mem_ctx
, struct pdb_trusted_domain
);
273 /* All attributes are MAY */
275 dummy
= smbldap_talloc_single_attribute(priv2ld(ldap_state
), entry
,
276 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
279 DEBUG(9, ("Attribute %s not present.\n",
280 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
));
281 ZERO_STRUCT(td
->security_identifier
);
283 res
= string_to_sid(&td
->security_identifier
, dummy
);
290 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
291 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
292 &td
->trust_auth_incoming
);
294 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
295 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
296 &td
->trust_auth_outgoing
);
298 td
->netbios_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
300 LDAP_ATTRIBUTE_FLAT_NAME
,
302 if (td
->netbios_name
== NULL
) {
303 DEBUG(9, ("Attribute %s not present.\n",
304 LDAP_ATTRIBUTE_FLAT_NAME
));
307 td
->domain_name
= smbldap_talloc_single_attribute(priv2ld(ldap_state
),
309 LDAP_ATTRIBUTE_TRUST_PARTNER
,
311 if (td
->domain_name
== NULL
) {
312 DEBUG(9, ("Attribute %s not present.\n",
313 LDAP_ATTRIBUTE_TRUST_PARTNER
));
316 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
317 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
318 &td
->trust_direction
);
323 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
324 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
325 &td
->trust_attributes
);
330 res
= get_uint32_t_from_ldap_msg(ldap_state
, entry
,
331 LDAP_ATTRIBUTE_TRUST_TYPE
,
337 get_data_blob_from_ldap_msg(td
, ldap_state
, entry
,
338 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
339 &td
->trust_forest_trust_info
);
346 static NTSTATUS
ipasam_get_trusted_domain(struct pdb_methods
*methods
,
349 struct pdb_trusted_domain
**td
)
351 struct ldapsam_privates
*ldap_state
=
352 (struct ldapsam_privates
*)methods
->private_data
;
353 LDAPMessage
*entry
= NULL
;
355 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain
));
357 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
359 return NT_STATUS_UNSUCCESSFUL
;
362 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
364 return NT_STATUS_NO_SUCH_DOMAIN
;
367 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
368 return NT_STATUS_UNSUCCESSFUL
;
374 static NTSTATUS
ipasam_get_trusted_domain_by_sid(struct pdb_methods
*methods
,
377 struct pdb_trusted_domain
**td
)
379 struct ldapsam_privates
*ldap_state
=
380 (struct ldapsam_privates
*)methods
->private_data
;
381 LDAPMessage
*entry
= NULL
;
384 sid_str
= sid_string_tos(sid
);
386 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
389 if (!get_trusted_domain_by_sid_int(ldap_state
, talloc_tos(), sid_str
,
391 return NT_STATUS_UNSUCCESSFUL
;
394 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
395 "with sid: %s\n", sid_str
));
396 return NT_STATUS_NO_SUCH_DOMAIN
;
399 if (!fill_pdb_trusted_domain(mem_ctx
, ldap_state
, entry
, td
)) {
400 return NT_STATUS_UNSUCCESSFUL
;
406 static bool smbldap_make_mod_uint32_t(LDAP
*ldap_struct
, LDAPMessage
*entry
,
407 LDAPMod
***mods
, const char *attribute
,
412 dummy
= talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val
);
416 smbldap_make_mod(ldap_struct
, entry
, mods
, attribute
, dummy
);
422 static NTSTATUS
ipasam_set_trusted_domain(struct pdb_methods
*methods
,
424 const struct pdb_trusted_domain
*td
)
426 struct ldapsam_privates
*ldap_state
=
427 (struct ldapsam_privates
*)methods
->private_data
;
428 LDAPMessage
*entry
= NULL
;
431 char *trusted_dn
= NULL
;
434 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain
));
436 res
= get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
439 return NT_STATUS_UNSUCCESSFUL
;
443 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
, "objectClass",
444 LDAP_OBJ_TRUSTED_DOMAIN
);
446 if (td
->netbios_name
!= NULL
) {
447 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
448 LDAP_ATTRIBUTE_FLAT_NAME
,
452 if (td
->domain_name
!= NULL
) {
453 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
454 LDAP_ATTRIBUTE_TRUST_PARTNER
,
458 if (!is_null_sid(&td
->security_identifier
)) {
459 smbldap_make_mod(priv2ld(ldap_state
), entry
, &mods
,
460 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER
,
461 sid_string_tos(&td
->security_identifier
));
464 if (td
->trust_type
!= 0) {
465 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
466 &mods
, LDAP_ATTRIBUTE_TRUST_TYPE
,
469 return NT_STATUS_UNSUCCESSFUL
;
473 if (td
->trust_attributes
!= 0) {
474 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
476 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES
,
477 td
->trust_attributes
);
479 return NT_STATUS_UNSUCCESSFUL
;
483 if (td
->trust_direction
!= 0) {
484 res
= smbldap_make_mod_uint32_t(priv2ld(ldap_state
), entry
,
486 LDAP_ATTRIBUTE_TRUST_DIRECTION
,
487 td
->trust_direction
);
489 return NT_STATUS_UNSUCCESSFUL
;
493 if (td
->trust_auth_outgoing
.data
!= NULL
) {
494 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
495 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING
,
496 &td
->trust_auth_outgoing
);
499 if (td
->trust_auth_incoming
.data
!= NULL
) {
500 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
501 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING
,
502 &td
->trust_auth_incoming
);
505 if (td
->trust_forest_trust_info
.data
!= NULL
) {
506 smbldap_make_mod_blob(priv2ld(ldap_state
), entry
, &mods
,
507 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO
,
508 &td
->trust_forest_trust_info
);
511 talloc_autofree_ldapmod(talloc_tos(), mods
);
513 trusted_dn
= trusted_domain_dn(ldap_state
, domain
);
514 if (trusted_dn
== NULL
) {
515 return NT_STATUS_NO_MEMORY
;
518 ret
= smbldap_add(ldap_state
->smbldap_state
, trusted_dn
, mods
);
520 ret
= smbldap_modify(ldap_state
->smbldap_state
, trusted_dn
, mods
);
523 if (ret
!= LDAP_SUCCESS
) {
524 DEBUG(1, ("error writing trusted domain data!\n"));
525 return NT_STATUS_UNSUCCESSFUL
;
530 static NTSTATUS
ipasam_del_trusted_domain(struct pdb_methods
*methods
,
534 struct ldapsam_privates
*ldap_state
=
535 (struct ldapsam_privates
*)methods
->private_data
;
536 LDAPMessage
*entry
= NULL
;
539 if (!get_trusted_domain_by_name_int(ldap_state
, talloc_tos(), domain
,
541 return NT_STATUS_UNSUCCESSFUL
;
545 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
547 return NT_STATUS_NO_SUCH_DOMAIN
;
550 dn
= smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state
), entry
);
552 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
553 return NT_STATUS_NO_MEMORY
;
556 ret
= smbldap_delete(ldap_state
->smbldap_state
, dn
);
557 if (ret
!= LDAP_SUCCESS
) {
558 return NT_STATUS_UNSUCCESSFUL
;
564 static NTSTATUS
ipasam_enum_trusted_domains(struct pdb_methods
*methods
,
566 uint32_t *num_domains
,
567 struct pdb_trusted_domain
***domains
)
570 struct ldapsam_privates
*ldap_state
=
571 (struct ldapsam_privates
*)methods
->private_data
;
572 char *base_dn
= NULL
;
574 int scope
= LDAP_SCOPE_SUBTREE
;
575 LDAPMessage
*result
= NULL
;
576 LDAPMessage
*entry
= NULL
;
578 filter
= talloc_asprintf(talloc_tos(), "(objectClass=%s)",
579 LDAP_OBJ_TRUSTED_DOMAIN
);
580 if (filter
== NULL
) {
581 return NT_STATUS_NO_MEMORY
;
584 base_dn
= trusted_domain_base_dn(ldap_state
);
585 if (base_dn
== NULL
) {
587 return NT_STATUS_NO_MEMORY
;
590 rc
= smbldap_search(ldap_state
->smbldap_state
, base_dn
, scope
, filter
,
593 TALLOC_FREE(base_dn
);
595 if (result
!= NULL
) {
596 talloc_autofree_ldapmsg(mem_ctx
, result
);
599 if (rc
== LDAP_NO_SUCH_OBJECT
) {
605 if (rc
!= LDAP_SUCCESS
) {
606 return NT_STATUS_UNSUCCESSFUL
;
610 if (!(*domains
= TALLOC_ARRAY(mem_ctx
, struct pdb_trusted_domain
*, 1))) {
611 DEBUG(1, ("talloc failed\n"));
612 return NT_STATUS_NO_MEMORY
;
615 for (entry
= ldap_first_entry(priv2ld(ldap_state
), result
);
617 entry
= ldap_next_entry(priv2ld(ldap_state
), entry
))
619 struct pdb_trusted_domain
*dom_info
;
621 if (!fill_pdb_trusted_domain(*domains
, ldap_state
, entry
,
623 return NT_STATUS_UNSUCCESSFUL
;
626 ADD_TO_ARRAY(*domains
, struct pdb_trusted_domain
*, dom_info
,
627 domains
, num_domains
);
629 if (*domains
== NULL
) {
630 DEBUG(1, ("talloc failed\n"));
631 return NT_STATUS_NO_MEMORY
;
635 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains
));
639 static NTSTATUS
ipasam_enum_trusteddoms(struct pdb_methods
*methods
,
641 uint32_t *num_domains
,
642 struct trustdom_info
***domains
)
645 struct pdb_trusted_domain
**td
;
648 status
= ipasam_enum_trusted_domains(methods
, talloc_tos(),
650 if (!NT_STATUS_IS_OK(status
)) {
654 if (*num_domains
== 0) {
658 if (!(*domains
= TALLOC_ARRAY(mem_ctx
, struct trustdom_info
*,
660 DEBUG(1, ("talloc failed\n"));
661 return NT_STATUS_NO_MEMORY
;
664 for (i
= 0; i
< *num_domains
; i
++) {
665 struct trustdom_info
*dom_info
;
667 dom_info
= TALLOC_P(*domains
, struct trustdom_info
);
668 if (dom_info
== NULL
) {
669 DEBUG(1, ("talloc failed\n"));
670 return NT_STATUS_NO_MEMORY
;
673 dom_info
->name
= talloc_steal(mem_ctx
, td
[i
]->netbios_name
);
674 sid_copy(&dom_info
->sid
, &td
[i
]->security_identifier
);
676 (*domains
)[i
] = dom_info
;
682 static uint32_t pdb_ipasam_capabilities(struct pdb_methods
*methods
)
684 return PDB_CAP_STORE_RIDS
| PDB_CAP_ADS
| PDB_CAP_TRUSTED_DOMAINS_EX
;
687 static struct pdb_domain_info
*pdb_ipasam_get_domain_info(struct pdb_methods
*pdb_methods
,
690 struct pdb_domain_info
*info
;
692 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)pdb_methods
->private_data
;
694 info
= talloc(mem_ctx
, struct pdb_domain_info
);
699 info
->name
= talloc_strdup(info
, ldap_state
->domain_name
);
700 if (info
->name
== NULL
) {
704 /* TODO: read dns_domain, dns_forest and guid from LDAP */
705 info
->dns_domain
= talloc_strdup(info
, lp_realm());
706 if (info
->dns_domain
== NULL
) {
709 strlower_m(info
->dns_domain
);
710 info
->dns_forest
= talloc_strdup(info
, info
->dns_domain
);
711 sid_copy(&info
->sid
, &ldap_state
->domain_sid
);
713 status
= GUID_from_string("testguid", &info
->guid
);
722 static NTSTATUS
modify_ipa_password_exop(struct ldapsam_privates
*ldap_state
,
723 struct samu
*sampass
)
726 BerElement
*ber
= NULL
;
727 struct berval
*bv
= NULL
;
729 struct berval
*retdata
= NULL
;
730 const char *password
;
733 password
= pdb_get_plaintext_passwd(sampass
);
734 if (password
== NULL
|| *password
== '\0') {
735 return NT_STATUS_INVALID_PARAMETER
;
738 dn
= get_account_dn(pdb_get_username(sampass
));
740 return NT_STATUS_INVALID_PARAMETER
;
743 ber
= ber_alloc_t( LBER_USE_DER
);
745 DEBUG(7, ("ber_alloc_t failed.\n"));
746 return NT_STATUS_NO_MEMORY
;
749 ret
= ber_printf(ber
, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID
, dn
,
750 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW
, password
);
752 DEBUG(7, ("ber_printf failed.\n"));
754 return NT_STATUS_UNSUCCESSFUL
;
757 ret
= ber_flatten(ber
, &bv
);
760 DEBUG(1, ("ber_flatten failed.\n"));
761 return NT_STATUS_UNSUCCESSFUL
;
764 ret
= smbldap_extended_operation(ldap_state
->smbldap_state
,
765 LDAP_EXOP_MODIFY_PASSWD
, bv
, NULL
,
766 NULL
, &retoid
, &retdata
);
772 ldap_memfree(retoid
);
774 if (ret
!= LDAP_SUCCESS
) {
775 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
776 return NT_STATUS_UNSUCCESSFUL
;
782 static NTSTATUS
ipasam_add_objectclasses(struct ldapsam_privates
*ldap_state
,
783 struct samu
*sampass
)
786 LDAPMod
**mods
= NULL
;
790 char *domain_with_dot
;
792 dn
= get_account_dn(pdb_get_username(sampass
));
794 return NT_STATUS_INVALID_PARAMETER
;
797 princ
= talloc_asprintf(talloc_tos(), "%s@%s", pdb_get_username(sampass
), lp_realm());
799 return NT_STATUS_NO_MEMORY
;
802 domain
= pdb_get_domain(sampass
);
803 if (domain
== NULL
) {
804 return NT_STATUS_INVALID_PARAMETER
;
807 domain_with_dot
= talloc_asprintf(talloc_tos(), "%s.", domain
);
808 if (domain_with_dot
== NULL
) {
809 return NT_STATUS_NO_MEMORY
;
812 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
813 "objectclass", LDAP_OBJ_KRB_PRINCIPAL
);
814 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
815 LDAP_ATTRIBUTE_KRB_PRINCIPAL
, princ
);
816 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
817 "objectclass", LDAP_OBJ_KRB_PRINCIPAL_AUX
);
818 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
819 "objectclass", "ipaHost");
820 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
822 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
823 "objectclass", "posixAccount");
824 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
825 "cn", pdb_get_username(sampass
));
826 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
827 "gidNumber", "12345");
828 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
829 "homeDirectory", "/dev/null");
830 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "uid", domain
);
831 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "uid", domain_with_dot
);
833 ret
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
834 ldap_mods_free(mods
, true);
835 if (ret
!= LDAP_SUCCESS
) {
836 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
837 pdb_get_username(sampass
),dn
));
838 return NT_STATUS_LDAP(ret
);
844 static NTSTATUS
pdb_ipasam_add_sam_account(struct pdb_methods
*pdb_methods
,
845 struct samu
*sampass
)
848 struct ldapsam_privates
*ldap_state
;
850 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
852 status
=ldap_state
->ipasam_privates
->ldapsam_add_sam_account(pdb_methods
,
854 if (!NT_STATUS_IS_OK(status
)) {
858 status
= ipasam_add_objectclasses(ldap_state
, sampass
);
859 if (!NT_STATUS_IS_OK(status
)) {
863 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
864 status
= modify_ipa_password_exop(ldap_state
, sampass
);
865 if (!NT_STATUS_IS_OK(status
)) {
873 static NTSTATUS
pdb_ipasam_update_sam_account(struct pdb_methods
*pdb_methods
,
874 struct samu
*sampass
)
877 struct ldapsam_privates
*ldap_state
;
878 ldap_state
= (struct ldapsam_privates
*)(pdb_methods
->private_data
);
880 status
= ldap_state
->ipasam_privates
->ldapsam_update_sam_account(pdb_methods
,
882 if (!NT_STATUS_IS_OK(status
)) {
886 if (pdb_get_init_flags(sampass
, PDB_PLAINTEXT_PW
) == PDB_CHANGED
) {
887 status
= modify_ipa_password_exop(ldap_state
, sampass
);
888 if (!NT_STATUS_IS_OK(status
)) {
896 static NTSTATUS
pdb_init_IPA_ldapsam(struct pdb_methods
**pdb_method
, const char *location
)
898 struct ldapsam_privates
*ldap_state
;
901 status
= pdb_init_ldapsam(pdb_method
, location
);
902 if (!NT_STATUS_IS_OK(status
)) {
906 (*pdb_method
)->name
= "IPA_ldapsam";
908 ldap_state
= (struct ldapsam_privates
*)((*pdb_method
)->private_data
);
909 ldap_state
->ipasam_privates
= talloc_zero(ldap_state
,
910 struct ipasam_privates
);
911 if (ldap_state
->ipasam_privates
== NULL
) {
912 return NT_STATUS_NO_MEMORY
;
914 ldap_state
->is_ipa_ldap
= True
;
916 ldap_state
->ipasam_privates
->server_is_ipa
= smbldap_has_extension(
917 priv2ld(ldap_state
), IPA_KEYTAB_SET_OID
);
918 ldap_state
->ipasam_privates
->ldapsam_add_sam_account
= (*pdb_method
)->add_sam_account
;
919 ldap_state
->ipasam_privates
->ldapsam_update_sam_account
= (*pdb_method
)->update_sam_account
;
921 (*pdb_method
)->add_sam_account
= pdb_ipasam_add_sam_account
;
922 (*pdb_method
)->update_sam_account
= pdb_ipasam_update_sam_account
;
924 (*pdb_method
)->capabilities
= pdb_ipasam_capabilities
;
925 (*pdb_method
)->get_domain_info
= pdb_ipasam_get_domain_info
;
927 (*pdb_method
)->get_trusteddom_pw
= ipasam_get_trusteddom_pw
;
928 (*pdb_method
)->set_trusteddom_pw
= ipasam_set_trusteddom_pw
;
929 (*pdb_method
)->del_trusteddom_pw
= ipasam_del_trusteddom_pw
;
930 (*pdb_method
)->enum_trusteddoms
= ipasam_enum_trusteddoms
;
932 (*pdb_method
)->get_trusted_domain
= ipasam_get_trusted_domain
;
933 (*pdb_method
)->get_trusted_domain_by_sid
= ipasam_get_trusted_domain_by_sid
;
934 (*pdb_method
)->set_trusted_domain
= ipasam_set_trusted_domain
;
935 (*pdb_method
)->del_trusted_domain
= ipasam_del_trusted_domain
;
936 (*pdb_method
)->enum_trusted_domains
= ipasam_enum_trusted_domains
;
941 NTSTATUS
pdb_ipa_init(void)
945 if (!NT_STATUS_IS_OK(nt_status
= smb_register_passdb(PASSDB_INTERFACE_VERSION
, "IPA_ldapsam", pdb_init_IPA_ldapsam
)))