2011-05-07 00:50:04 +10:00
/*
Unix SMB / CIFS implementation .
2012-09-04 10:27:50 +10:00
pdb glue module for direct access to the dsdb via LDB APIs
2011-05-07 00:50:04 +10:00
Copyright ( C ) Volker Lendecke 2009 - 2011
2012-09-04 10:27:50 +10:00
Copyright ( C ) Andrew Bartlett 2010 - 2012
2011-05-07 00:50:04 +10:00
Copyright ( C ) Matthias Dieter Wallnöfer 2009
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
/* This module, is a port of Volker's pdb_ads to ldb and DSDB APIs */
# include "includes.h"
# include "source3/include/passdb.h"
# include "source4/dsdb/samdb/samdb.h"
# include "ldb_errors.h"
# include "libcli/security/dom_sid.h"
# include "source4/winbind/idmap.h"
# include "librpc/gen_ndr/ndr_security.h"
2014-08-15 15:01:31 +12:00
# include "librpc/gen_ndr/ndr_drsblobs.h"
# include "librpc/gen_ndr/ndr_lsa.h"
2011-05-07 00:50:04 +10:00
# include "libds/common/flag_mapping.h"
# include "source4/lib/events/events.h"
# include "source4/auth/session.h"
# include "source4/auth/system_session_proto.h"
2011-10-06 19:34:50 +11:00
# include "lib/param/param.h"
2011-08-11 16:19:24 +10:00
# include "source4/dsdb/common/util.h"
2012-01-26 15:33:02 -05:00
# include "source3/include/secrets.h"
2014-08-15 15:01:31 +12:00
# include "source4/auth/auth_sam.h"
2014-12-16 15:06:56 +00:00
# include "auth/credentials/credentials.h"
2016-05-03 16:12:10 +02:00
# include "lib/util/base64.h"
2017-12-10 20:03:37 +01:00
# include "libcli/ldap/ldap_ndr.h"
2017-12-11 07:57:27 +01:00
# include "lib/util/util_ldb.h"
2011-05-07 00:50:04 +10:00
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state {
2011-05-07 00:50:04 +10:00
struct tevent_context * ev ;
struct ldb_context * ldb ;
struct idmap_context * idmap_ctx ;
struct loadparm_context * lp_ctx ;
} ;
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_getsampwsid ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct samu * sam_acct ,
const struct dom_sid * sid ) ;
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_getsamupriv ( struct pdb_samba_dsdb_state * state ,
2011-05-07 00:50:04 +10:00
const char * filter ,
TALLOC_CTX * mem_ctx ,
struct ldb_message * * pmsg ) ;
2012-09-04 10:27:50 +10:00
static bool pdb_samba_dsdb_sid_to_id ( struct pdb_methods * m , const struct dom_sid * sid ,
2012-03-16 09:16:23 +11:00
struct unixid * id ) ;
2011-05-07 00:50:04 +10:00
2012-09-04 10:27:50 +10:00
static bool pdb_samba_dsdb_pull_time ( struct ldb_message * msg , const char * attr ,
2011-05-07 00:50:04 +10:00
time_t * ptime )
{
uint64_t tmp ;
if ( ! ldb_msg_find_element ( msg , attr ) ) {
return false ;
}
tmp = ldb_msg_find_attr_as_uint64 ( msg , attr , 0 ) ;
2012-06-27 14:56:04 +10:00
* ptime = nt_time_to_unix ( tmp ) ;
2011-05-07 00:50:04 +10:00
return true ;
}
2012-09-04 10:27:50 +10:00
static struct pdb_domain_info * pdb_samba_dsdb_get_domain_info (
2011-05-07 00:50:04 +10:00
struct pdb_methods * m , TALLOC_CTX * mem_ctx )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
struct pdb_domain_info * info ;
struct dom_sid * domain_sid ;
struct ldb_dn * forest_dn , * domain_dn ;
struct ldb_result * dom_res = NULL ;
const char * dom_attrs [ ] = {
2012-09-04 10:27:50 +10:00
" objectSid " ,
" objectGUID " ,
2011-05-07 00:50:04 +10:00
" fSMORoleOwner " ,
NULL
} ;
char * p ;
int ret ;
info = talloc ( mem_ctx , struct pdb_domain_info ) ;
if ( info = = NULL ) {
return NULL ;
}
2012-09-04 10:27:50 +10:00
domain_dn = ldb_get_default_basedn ( state - > ldb ) ;
2011-05-07 00:50:04 +10:00
ret = ldb_search ( state - > ldb , info , & dom_res ,
domain_dn , LDB_SCOPE_BASE , dom_attrs , NULL ) ;
if ( ret ! = LDB_SUCCESS ) {
goto fail ;
}
if ( dom_res - > count ! = 1 ) {
goto fail ;
}
info - > guid = samdb_result_guid ( dom_res - > msgs [ 0 ] , " objectGUID " ) ;
domain_sid = samdb_result_dom_sid ( state , dom_res - > msgs [ 0 ] , " objectSid " ) ;
if ( ! domain_sid ) {
goto fail ;
}
info - > sid = * domain_sid ;
TALLOC_FREE ( dom_res ) ;
info - > name = talloc_strdup ( info , lpcfg_sam_name ( state - > lp_ctx ) ) ;
info - > dns_domain = ldb_dn_canonical_string ( info , domain_dn ) ;
if ( ! info - > dns_domain ) {
goto fail ;
}
p = strchr ( info - > dns_domain , ' / ' ) ;
if ( p ) {
* p = ' \0 ' ;
}
forest_dn = ldb_get_root_basedn ( state - > ldb ) ;
if ( ! forest_dn ) {
goto fail ;
}
info - > dns_forest = ldb_dn_canonical_string ( info , forest_dn ) ;
if ( ! info - > dns_forest ) {
goto fail ;
}
p = strchr ( info - > dns_forest , ' / ' ) ;
if ( p ) {
* p = ' \0 ' ;
}
return info ;
fail :
TALLOC_FREE ( dom_res ) ;
TALLOC_FREE ( info ) ;
return NULL ;
}
2012-09-04 10:27:50 +10:00
static struct ldb_message * pdb_samba_dsdb_get_samu_private (
2011-05-07 00:50:04 +10:00
struct pdb_methods * m , struct samu * sam )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
struct ldb_message * msg ;
2018-12-16 16:59:32 +01:00
struct dom_sid_buf sidstr ;
char * filter ;
2011-05-07 00:50:04 +10:00
NTSTATUS status ;
msg = ( struct ldb_message * )
pdb_get_backend_private_data ( sam , m ) ;
if ( msg ! = NULL ) {
return talloc_get_type_abort ( msg , struct ldb_message ) ;
}
filter = talloc_asprintf (
2018-12-16 16:59:32 +01:00
talloc_tos ( ) ,
" (&(objectsid=%s)(objectclass=user)) " ,
dom_sid_str_buf ( pdb_get_user_sid ( sam ) , & sidstr ) ) ;
2011-05-07 00:50:04 +10:00
if ( filter = = NULL ) {
return NULL ;
}
2012-09-04 10:27:50 +10:00
status = pdb_samba_dsdb_getsamupriv ( state , filter , sam , & msg ) ;
2011-05-07 00:50:04 +10:00
TALLOC_FREE ( filter ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return NULL ;
}
return msg ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_init_sam_from_priv ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct samu * sam ,
struct ldb_message * msg )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
TALLOC_CTX * frame = talloc_stackframe ( ) ;
NTSTATUS status = NT_STATUS_INTERNAL_DB_CORRUPTION ;
const char * str ;
time_t tmp_time ;
struct dom_sid * sid , group_sid ;
uint64_t n ;
const DATA_BLOB * blob ;
str = ldb_msg_find_attr_as_string ( msg , " samAccountName " , NULL ) ;
if ( str = = NULL ) {
DEBUG ( 10 , ( " no samAccountName \n " ) ) ;
goto fail ;
}
pdb_set_username ( sam , str , PDB_SET ) ;
2012-09-04 10:27:50 +10:00
if ( pdb_samba_dsdb_pull_time ( msg , " lastLogon " , & tmp_time ) ) {
2011-05-07 00:50:04 +10:00
pdb_set_logon_time ( sam , tmp_time , PDB_SET ) ;
}
2012-09-04 10:27:50 +10:00
if ( pdb_samba_dsdb_pull_time ( msg , " lastLogoff " , & tmp_time ) ) {
2011-05-07 00:50:04 +10:00
pdb_set_logoff_time ( sam , tmp_time , PDB_SET ) ;
}
2012-09-04 10:27:50 +10:00
if ( pdb_samba_dsdb_pull_time ( msg , " pwdLastSet " , & tmp_time ) ) {
2011-05-07 00:50:04 +10:00
pdb_set_pass_last_set_time ( sam , tmp_time , PDB_SET ) ;
}
2012-09-04 10:27:50 +10:00
if ( pdb_samba_dsdb_pull_time ( msg , " accountExpires " , & tmp_time ) ) {
2011-05-07 00:50:04 +10:00
pdb_set_kickoff_time ( sam , tmp_time , PDB_SET ) ;
}
str = ldb_msg_find_attr_as_string ( msg , " displayName " ,
NULL ) ;
if ( str ! = NULL ) {
pdb_set_fullname ( sam , str , PDB_SET ) ;
}
str = ldb_msg_find_attr_as_string ( msg , " homeDirectory " ,
NULL ) ;
if ( str ! = NULL ) {
pdb_set_homedir ( sam , str , PDB_SET ) ;
}
str = ldb_msg_find_attr_as_string ( msg , " homeDrive " , NULL ) ;
if ( str ! = NULL ) {
pdb_set_dir_drive ( sam , str , PDB_SET ) ;
}
str = ldb_msg_find_attr_as_string ( msg , " scriptPath " , NULL ) ;
if ( str ! = NULL ) {
pdb_set_logon_script ( sam , str , PDB_SET ) ;
}
str = ldb_msg_find_attr_as_string ( msg , " profilePath " ,
NULL ) ;
if ( str ! = NULL ) {
pdb_set_profile_path ( sam , str , PDB_SET ) ;
}
str = ldb_msg_find_attr_as_string ( msg , " comment " ,
NULL ) ;
if ( str ! = NULL ) {
pdb_set_comment ( sam , str , PDB_SET ) ;
}
str = ldb_msg_find_attr_as_string ( msg , " description " ,
NULL ) ;
if ( str ! = NULL ) {
pdb_set_acct_desc ( sam , str , PDB_SET ) ;
}
str = ldb_msg_find_attr_as_string ( msg , " userWorkstations " ,
NULL ) ;
if ( str ! = NULL ) {
pdb_set_workstations ( sam , str , PDB_SET ) ;
}
2014-06-17 16:03:22 +12:00
blob = ldb_msg_find_ldb_val ( msg , " userParameters " ) ;
if ( blob ! = NULL ) {
str = base64_encode_data_blob ( frame , * blob ) ;
if ( str = = NULL ) {
DEBUG ( 0 , ( " base64_encode_data_blob() failed \n " ) ) ;
goto fail ;
}
2011-05-07 00:50:04 +10:00
pdb_set_munged_dial ( sam , str , PDB_SET ) ;
}
sid = samdb_result_dom_sid ( talloc_tos ( ) , msg , " objectSid " ) ;
if ( ! sid ) {
DEBUG ( 10 , ( " Could not pull SID \n " ) ) ;
goto fail ;
}
pdb_set_user_sid ( sam , sid , PDB_SET ) ;
2013-10-29 17:30:18 +13:00
n = samdb_result_acct_flags ( msg , " msDS-User-Account-Control-Computed " ) ;
2011-05-07 00:50:04 +10:00
if ( n = = 0 ) {
DEBUG ( 10 , ( " Could not pull userAccountControl \n " ) ) ;
goto fail ;
}
2013-10-29 17:30:18 +13:00
pdb_set_acct_ctrl ( sam , n , PDB_SET ) ;
2011-05-07 00:50:04 +10:00
blob = ldb_msg_find_ldb_val ( msg , " unicodePwd " ) ;
if ( blob ) {
if ( blob - > length ! = NT_HASH_LEN ) {
DEBUG ( 0 , ( " Got NT hash of length %d, expected %d \n " ,
( int ) blob - > length , NT_HASH_LEN ) ) ;
goto fail ;
}
pdb_set_nt_passwd ( sam , blob - > data , PDB_SET ) ;
}
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
blob = ldb_msg_find_ldb_val ( msg , " dBCSPwd " ) ;
if ( blob ) {
if ( blob - > length ! = LM_HASH_LEN ) {
DEBUG ( 0 , ( " Got LM hash of length %d, expected %d \n " ,
( int ) blob - > length , LM_HASH_LEN ) ) ;
goto fail ;
}
pdb_set_lanman_passwd ( sam , blob - > data , PDB_SET ) ;
}
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
n = ldb_msg_find_attr_as_uint ( msg , " primaryGroupID " , 0 ) ;
if ( n = = 0 ) {
DEBUG ( 10 , ( " Could not pull primaryGroupID \n " ) ) ;
goto fail ;
}
sid_compose ( & group_sid , samdb_domain_sid ( state - > ldb ) , n ) ;
pdb_set_group_sid ( sam , & group_sid , PDB_SET ) ;
status = NT_STATUS_OK ;
fail :
TALLOC_FREE ( frame ) ;
return status ;
}
2012-09-04 10:27:50 +10:00
static bool pdb_samba_dsdb_add_time ( struct ldb_message * msg ,
2011-05-07 00:50:04 +10:00
const char * attrib , time_t t )
{
uint64_t nt_time ;
unix_to_nt_time ( & nt_time , t ) ;
2011-06-06 22:34:00 +02:00
return ldb_msg_add_fmt ( msg , attrib , " %llu " , ( unsigned long long ) nt_time ) ;
2011-05-07 00:50:04 +10:00
}
2012-09-04 10:27:50 +10:00
static int pdb_samba_dsdb_replace_by_sam ( struct pdb_samba_dsdb_state * state ,
2011-08-11 15:47:01 +10:00
bool ( * need_update ) ( const struct samu * ,
enum pdb_elements ) ,
struct ldb_dn * dn ,
struct samu * sam )
2011-05-07 00:50:04 +10:00
{
2012-06-26 20:51:17 +10:00
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2011-05-07 00:50:04 +10:00
int ret = LDB_SUCCESS ;
const char * pw ;
struct ldb_message * msg ;
2011-08-11 15:47:01 +10:00
struct ldb_request * req ;
2011-08-11 16:19:24 +10:00
uint32_t dsdb_flags = 0 ;
2011-05-07 00:50:04 +10:00
/* TODO: All fields :-) */
2012-06-26 20:51:17 +10:00
msg = ldb_msg_new ( frame ) ;
2011-05-07 00:50:04 +10:00
if ( ! msg ) {
2014-05-28 17:57:31 +02:00
talloc_free ( frame ) ;
2011-05-07 00:50:04 +10:00
return false ;
}
2011-08-11 15:47:01 +10:00
msg - > dn = dn ;
/* build modify request */
2012-06-26 20:51:17 +10:00
ret = ldb_build_mod_req ( & req , state - > ldb , frame , msg , NULL , NULL ,
2011-08-11 16:19:24 +10:00
ldb_op_default_callback ,
NULL ) ;
2011-08-11 15:47:01 +10:00
if ( ret ! = LDB_SUCCESS ) {
2012-06-26 20:51:17 +10:00
talloc_free ( frame ) ;
2011-08-11 15:47:01 +10:00
return ret ;
}
2011-05-07 00:50:04 +10:00
2012-01-24 18:37:24 +11:00
/* If we set a plaintext password, the system will
* force the pwdLastSet to now ( ) */
if ( need_update ( sam , PDB_PASSLASTSET ) ) {
2016-02-11 08:59:09 +01:00
dsdb_flags | = DSDB_PASSWORD_BYPASS_LAST_SET ;
2012-09-04 10:27:50 +10:00
ret | = pdb_samba_dsdb_add_time ( msg , " pwdLastSet " ,
2012-01-24 18:37:24 +11:00
pdb_get_pass_last_set_time ( sam ) ) ;
}
2011-05-07 00:50:04 +10:00
pw = pdb_get_plaintext_passwd ( sam ) ;
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_PLAINTEXT_PW ) ) {
2012-01-24 18:38:09 +11:00
struct ldb_val pw_utf16 ;
2011-05-07 00:50:04 +10:00
if ( pw = = NULL ) {
2012-06-26 20:51:17 +10:00
talloc_free ( frame ) ;
2011-08-11 15:47:01 +10:00
return LDB_ERR_OPERATIONS_ERROR ;
2011-05-07 00:50:04 +10:00
}
2012-09-04 10:27:50 +10:00
2012-01-24 18:38:09 +11:00
if ( ! convert_string_talloc ( msg ,
CH_UNIX , CH_UTF16 ,
pw , strlen ( pw ) ,
( void * ) & pw_utf16 . data ,
& pw_utf16 . length ) ) {
2014-05-28 17:57:31 +02:00
talloc_free ( frame ) ;
2012-01-24 18:38:09 +11:00
return LDB_ERR_OPERATIONS_ERROR ;
}
ret | = ldb_msg_add_value ( msg , " clearTextPassword " , & pw_utf16 , NULL ) ;
2011-08-11 15:47:01 +10:00
} else {
bool changed_lm_pw = false ;
bool changed_nt_pw = false ;
bool changed_history = false ;
if ( need_update ( sam , PDB_LMPASSWD ) ) {
struct ldb_val val ;
2012-12-13 10:33:04 +11:00
val . data = discard_const_p ( uint8_t , pdb_get_lanman_passwd ( sam ) ) ;
2011-08-11 15:47:01 +10:00
if ( ! val . data ) {
samdb_msg_add_delete ( state - > ldb , msg , msg ,
" dBCSPwd " ) ;
} else {
val . length = LM_HASH_LEN ;
ret | = ldb_msg_add_value ( msg , " dBCSPwd " , & val , NULL ) ;
}
changed_lm_pw = true ;
}
if ( need_update ( sam , PDB_NTPASSWD ) ) {
struct ldb_val val ;
2012-12-13 10:33:04 +11:00
val . data = discard_const_p ( uint8_t , pdb_get_nt_passwd ( sam ) ) ;
2011-08-11 15:47:01 +10:00
if ( ! val . data ) {
samdb_msg_add_delete ( state - > ldb , msg , msg ,
" unicodePwd " ) ;
} else {
val . length = NT_HASH_LEN ;
ret | = ldb_msg_add_value ( msg , " unicodePwd " , & val , NULL ) ;
}
changed_nt_pw = true ;
}
/* Try to ensure we don't get out of sync */
if ( changed_lm_pw & & ! changed_nt_pw ) {
samdb_msg_add_delete ( state - > ldb , msg , msg ,
" unicodePwd " ) ;
} else if ( changed_nt_pw & & ! changed_lm_pw ) {
samdb_msg_add_delete ( state - > ldb , msg , msg ,
" dBCSPwd " ) ;
}
if ( changed_lm_pw | | changed_nt_pw ) {
samdb_msg_add_delete ( state - > ldb , msg , msg ,
" supplementalCredentials " ) ;
}
if ( need_update ( sam , PDB_PWHISTORY ) ) {
uint32_t current_hist_len ;
const uint8_t * history = pdb_get_pw_history ( sam , & current_hist_len ) ;
bool invalid_history = false ;
struct samr_Password * history_hashes = talloc_array ( talloc_tos ( ) , struct samr_Password ,
current_hist_len ) ;
if ( ! history ) {
invalid_history = true ;
} else {
unsigned int i ;
/* Parse the history into the correct format */
for ( i = 0 ; i < current_hist_len ; i + + ) {
2016-12-31 12:45:51 +00:00
if ( ! all_zero ( & history [ i * PW_HISTORY_ENTRY_LEN ] ,
16 ) ) {
2011-08-11 15:47:01 +10:00
/* If the history is in the old format, with a salted hash, then we can't migrate it to AD format */
invalid_history = true ;
break ;
}
/* Copy out the 2nd 16 bytes of the 32 byte password history, containing the NT hash */
memcpy ( history_hashes [ i ] . hash ,
& history [ ( i * PW_HISTORY_ENTRY_LEN ) + PW_HISTORY_SALT_LEN ] ,
sizeof ( history_hashes [ i ] . hash ) ) ;
}
}
if ( invalid_history ) {
ret | = samdb_msg_add_delete ( state - > ldb , msg , msg ,
" ntPwdHistory " ) ;
ret | = samdb_msg_add_delete ( state - > ldb , msg , msg ,
" lmPwdHistory " ) ;
} else {
ret | = samdb_msg_add_hashes ( state - > ldb , msg , msg ,
" ntPwdHistory " ,
history_hashes ,
current_hist_len ) ;
}
changed_history = true ;
}
if ( changed_lm_pw | | changed_nt_pw | | changed_history ) {
2011-08-11 16:19:24 +10:00
/* These attributes can only be modified directly by using a special control */
2016-02-11 08:59:09 +01:00
dsdb_flags | = DSDB_BYPASS_PASSWORD_HASH ;
2011-08-11 15:47:01 +10:00
}
2011-05-07 00:50:04 +10:00
}
2011-08-11 15:47:01 +10:00
/* PDB_USERSID is only allowed on ADD, handled in caller */
if ( need_update ( sam , PDB_GROUPSID ) ) {
const struct dom_sid * sid = pdb_get_group_sid ( sam ) ;
uint32_t rid ;
NTSTATUS status = dom_sid_split_rid ( NULL , sid , NULL , & rid ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2012-06-26 20:51:17 +10:00
talloc_free ( frame ) ;
2011-08-11 15:47:01 +10:00
return LDB_ERR_OPERATIONS_ERROR ;
}
if ( ! dom_sid_in_domain ( samdb_domain_sid ( state - > ldb ) , sid ) ) {
2012-06-26 20:51:17 +10:00
talloc_free ( frame ) ;
2011-08-11 15:47:01 +10:00
return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX ;
}
ret | = samdb_msg_add_uint ( state - > ldb , msg , msg , " primaryGroupID " , rid ) ;
}
if ( need_update ( sam , PDB_FULLNAME ) ) {
2011-05-07 00:50:04 +10:00
ret | = ldb_msg_add_string ( msg , " displayName " , pdb_get_fullname ( sam ) ) ;
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_SMBHOME ) ) {
2011-05-07 00:50:04 +10:00
ret | = ldb_msg_add_string ( msg , " homeDirectory " ,
pdb_get_homedir ( sam ) ) ;
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_PROFILE ) ) {
2011-05-07 00:50:04 +10:00
ret | = ldb_msg_add_string ( msg , " profilePath " ,
pdb_get_profile_path ( sam ) ) ;
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_DRIVE ) ) {
2011-05-07 00:50:04 +10:00
ret | = ldb_msg_add_string ( msg , " homeDrive " ,
pdb_get_dir_drive ( sam ) ) ;
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_LOGONSCRIPT ) ) {
2011-05-07 00:50:04 +10:00
ret | = ldb_msg_add_string ( msg , " scriptPath " ,
pdb_get_logon_script ( sam ) ) ;
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_KICKOFFTIME ) ) {
2012-09-04 10:27:50 +10:00
ret | = pdb_samba_dsdb_add_time ( msg , " accountExpires " ,
2011-05-07 00:50:04 +10:00
pdb_get_kickoff_time ( sam ) ) ;
}
2012-06-27 14:34:47 +10:00
if ( need_update ( sam , PDB_LOGONTIME ) ) {
2012-09-04 10:27:50 +10:00
ret | = pdb_samba_dsdb_add_time ( msg , " lastLogon " ,
2012-06-27 14:34:47 +10:00
pdb_get_logon_time ( sam ) ) ;
}
if ( need_update ( sam , PDB_LOGOFFTIME ) ) {
2012-09-04 10:27:50 +10:00
ret | = pdb_samba_dsdb_add_time ( msg , " lastLogoff " ,
2012-06-27 14:34:47 +10:00
pdb_get_logoff_time ( sam ) ) ;
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_USERNAME ) ) {
2011-05-07 00:50:04 +10:00
ret | = ldb_msg_add_string ( msg , " samAccountName " ,
pdb_get_username ( sam ) ) ;
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_HOURSLEN ) | | need_update ( sam , PDB_HOURS ) ) {
2011-05-07 00:50:04 +10:00
struct ldb_val hours = data_blob_const ( pdb_get_hours ( sam ) , pdb_get_hours_len ( sam ) ) ;
ret | = ldb_msg_add_value ( msg , " logonHours " ,
& hours , NULL ) ;
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_ACCTCTRL ) ) {
ret | = samdb_msg_add_acct_flags ( state - > ldb , msg , msg ,
" userAccountControl " , pdb_get_acct_ctrl ( sam ) ) ;
2011-05-07 00:50:04 +10:00
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_COMMENT ) ) {
2011-05-07 00:50:04 +10:00
ret | = ldb_msg_add_string ( msg , " comment " ,
pdb_get_comment ( sam ) ) ;
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_ACCTDESC ) ) {
2011-05-07 00:50:04 +10:00
ret | = ldb_msg_add_string ( msg , " description " ,
pdb_get_acct_desc ( sam ) ) ;
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_WORKSTATIONS ) ) {
2011-05-07 00:50:04 +10:00
ret | = ldb_msg_add_string ( msg , " userWorkstations " ,
pdb_get_workstations ( sam ) ) ;
}
/* This will need work, it is actually a UTF8 'string' with internal NULLs, to handle TS parameters */
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_MUNGEDDIAL ) ) {
2014-06-17 16:03:22 +12:00
const char * base64_munged_dial = NULL ;
base64_munged_dial = pdb_get_munged_dial ( sam ) ;
if ( base64_munged_dial ! = NULL & & strlen ( base64_munged_dial ) > 0 ) {
struct ldb_val blob ;
blob = base64_decode_data_blob_talloc ( msg ,
base64_munged_dial ) ;
if ( blob . data = = NULL ) {
DEBUG ( 0 , ( " Failed to decode userParameters from "
" munged dialback string[%s] for %s \n " ,
base64_munged_dial ,
ldb_dn_get_linearized ( msg - > dn ) ) ) ;
talloc_free ( frame ) ;
return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX ;
}
ret | = ldb_msg_add_steal_value ( msg , " userParameters " ,
& blob ) ;
}
2011-05-07 00:50:04 +10:00
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_COUNTRY_CODE ) ) {
2011-05-07 00:50:04 +10:00
ret | = ldb_msg_add_fmt ( msg , " countryCode " ,
" %i " , ( int ) pdb_get_country_code ( sam ) ) ;
}
2011-08-11 15:47:01 +10:00
if ( need_update ( sam , PDB_CODE_PAGE ) ) {
2011-05-07 00:50:04 +10:00
ret | = ldb_msg_add_fmt ( msg , " codePage " ,
" %i " , ( int ) pdb_get_code_page ( sam ) ) ;
}
2012-09-04 10:27:50 +10:00
/* Not yet handled here or not meaningful for modifies on a Samba_Dsdb backend:
2011-05-07 00:50:04 +10:00
PDB_BAD_PASSWORD_TIME ,
2011-08-11 15:47:01 +10:00
PDB_CANCHANGETIME , - these are calculated per policy , not stored
2011-05-07 00:50:04 +10:00
PDB_DOMAIN ,
2011-08-11 15:47:01 +10:00
PDB_NTUSERNAME , - this makes no sense , and never really did
2011-05-07 00:50:04 +10:00
PDB_LOGONDIVS ,
2012-09-04 10:27:50 +10:00
PDB_USERSID , - Handled in pdb_samba_dsdb_add_sam_account ( )
2011-05-07 00:50:04 +10:00
PDB_FIELDS_PRESENT ,
PDB_BAD_PASSWORD_COUNT ,
PDB_LOGON_COUNT ,
PDB_UNKNOWN6 ,
PDB_BACKEND_PRIVATE_DATA ,
*/
2011-08-11 15:47:01 +10:00
if ( ret ! = LDB_SUCCESS ) {
2012-06-26 20:51:17 +10:00
talloc_free ( frame ) ;
2011-08-11 15:47:01 +10:00
return LDB_ERR_OPERATIONS_ERROR ;
}
2011-05-07 00:50:04 +10:00
2011-08-11 15:47:01 +10:00
if ( msg - > num_elements = = 0 ) {
2012-06-26 20:51:17 +10:00
talloc_free ( frame ) ;
2011-08-11 15:47:01 +10:00
/* Nothing to do, just return success */
return LDB_SUCCESS ;
}
2011-08-11 16:19:24 +10:00
ret = dsdb_replace ( state - > ldb , msg , dsdb_flags ) ;
2011-08-11 15:47:01 +10:00
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( " Failed to modify account record %s to set user attributes: %s \n " ,
ldb_dn_get_linearized ( msg - > dn ) ,
ldb_errstring ( state - > ldb ) ) ) ;
}
2012-06-26 20:51:17 +10:00
talloc_free ( frame ) ;
2011-08-11 15:47:01 +10:00
return ret ;
2011-05-07 00:50:04 +10:00
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_getsamupriv ( struct pdb_samba_dsdb_state * state ,
2011-05-07 00:50:04 +10:00
const char * filter ,
TALLOC_CTX * mem_ctx ,
struct ldb_message * * msg )
{
const char * attrs [ ] = {
" lastLogon " , " lastLogoff " , " pwdLastSet " , " accountExpires " ,
" sAMAccountName " , " displayName " , " homeDirectory " ,
" homeDrive " , " scriptPath " , " profilePath " , " description " ,
" userWorkstations " , " comment " , " userParameters " , " objectSid " ,
2013-10-29 17:30:18 +13:00
" primaryGroupID " , " userAccountControl " ,
" msDS-User-Account-Control-Computed " , " logonHours " ,
2011-05-07 00:50:04 +10:00
" badPwdCount " , " logonCount " , " countryCode " , " codePage " ,
" unicodePwd " , " dBCSPwd " , NULL } ;
2011-08-19 17:27:14 +10:00
int rc = dsdb_search_one ( state - > ldb , mem_ctx , msg , ldb_get_default_basedn ( state - > ldb ) , LDB_SCOPE_SUBTREE , attrs , 0 , " %s " , filter ) ;
2011-05-07 00:50:04 +10:00
if ( rc ! = LDB_SUCCESS ) {
DEBUG ( 10 , ( " ldap_search failed %s \n " ,
ldb_errstring ( state - > ldb ) ) ) ;
return NT_STATUS_LDAP ( rc ) ;
}
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_getsampwfilter ( struct pdb_methods * m ,
struct pdb_samba_dsdb_state * state ,
2011-05-07 00:50:04 +10:00
struct samu * sam_acct ,
2016-08-08 17:40:51 +10:00
const char * exp_fmt , . . . )
PRINTF_ATTRIBUTE ( 4 , 5 ) ;
static NTSTATUS pdb_samba_dsdb_getsampwfilter ( struct pdb_methods * m ,
struct pdb_samba_dsdb_state * state ,
struct samu * sam_acct ,
const char * exp_fmt , . . . )
2011-05-07 00:50:04 +10:00
{
struct ldb_message * priv ;
NTSTATUS status ;
va_list ap ;
char * expression = NULL ;
TALLOC_CTX * tmp_ctx = talloc_new ( state ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
va_start ( ap , exp_fmt ) ;
expression = talloc_vasprintf ( tmp_ctx , exp_fmt , ap ) ;
va_end ( ap ) ;
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
if ( ! expression ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2012-09-04 10:27:50 +10:00
status = pdb_samba_dsdb_getsamupriv ( state , expression , sam_acct , & priv ) ;
2011-05-07 00:50:04 +10:00
talloc_free ( tmp_ctx ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2012-09-04 10:27:50 +10:00
DEBUG ( 10 , ( " pdb_samba_dsdb_getsamupriv failed: %s \n " ,
2011-05-07 00:50:04 +10:00
nt_errstr ( status ) ) ) ;
return status ;
}
2012-09-04 10:27:50 +10:00
status = pdb_samba_dsdb_init_sam_from_priv ( m , sam_acct , priv ) ;
2011-05-07 00:50:04 +10:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2012-09-04 10:27:50 +10:00
DEBUG ( 10 , ( " pdb_samba_dsdb_init_sam_from_priv failed: %s \n " ,
2011-05-07 00:50:04 +10:00
nt_errstr ( status ) ) ) ;
TALLOC_FREE ( priv ) ;
return status ;
}
pdb_set_backend_private_data ( sam_acct , priv , NULL , m , PDB_SET ) ;
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_getsampwnam ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct samu * sam_acct ,
const char * username )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
2012-09-04 10:27:50 +10:00
return pdb_samba_dsdb_getsampwfilter ( m , state , sam_acct ,
2011-05-07 00:50:04 +10:00
" (&(samaccountname=%s)(objectclass=user)) " ,
username ) ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_getsampwsid ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct samu * sam_acct ,
const struct dom_sid * sid )
{
NTSTATUS status ;
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2018-12-16 16:59:32 +01:00
struct dom_sid_buf buf ;
2011-05-07 00:50:04 +10:00
2012-09-04 10:27:50 +10:00
status = pdb_samba_dsdb_getsampwfilter ( m , state , sam_acct ,
" (&(objectsid=%s)(objectclass=user)) " ,
2018-12-16 16:59:32 +01:00
dom_sid_str_buf ( sid , & buf ) ) ;
2011-05-07 00:50:04 +10:00
return status ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_create_user ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx ,
2015-05-09 13:34:31 -07:00
const char * name , uint32_t acct_flags ,
uint32_t * rid )
2011-05-07 00:50:04 +10:00
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
struct dom_sid * sid ;
struct ldb_dn * dn ;
NTSTATUS status ;
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
/* Internally this uses transactions to ensure all the steps
* happen or fail as one */
2011-08-11 15:46:26 +10:00
status = dsdb_add_user ( state - > ldb , tmp_ctx , name , acct_flags , NULL ,
& sid , & dn ) ;
2011-05-07 00:50:04 +10:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
talloc_free ( tmp_ctx ) ;
return status ;
}
sid_peek_rid ( sid , rid ) ;
talloc_free ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_delete_user ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx ,
struct samu * sam )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
struct ldb_dn * dn ;
int rc ;
2018-12-16 16:59:32 +01:00
struct dom_sid_buf buf ;
2011-05-07 00:50:04 +10:00
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
2018-12-16 16:59:32 +01:00
dn = ldb_dn_new_fmt (
tmp_ctx ,
state - > ldb ,
" <SID=%s> " ,
dom_sid_str_buf ( pdb_get_user_sid ( sam ) , & buf ) ) ;
2011-05-07 00:50:04 +10:00
if ( ! dn | | ! ldb_dn_validate ( dn ) ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
rc = ldb_delete ( state - > ldb , dn ) ;
if ( rc ! = LDB_SUCCESS ) {
DEBUG ( 10 , ( " ldb_delete for %s failed: %s \n " , ldb_dn_get_linearized ( dn ) ,
ldb_errstring ( state - > ldb ) ) ) ;
talloc_free ( tmp_ctx ) ;
return NT_STATUS_LDAP ( rc ) ;
}
talloc_free ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
/* This interface takes a fully populated struct samu and places it in
* the database . This is not implemented at this time as we need to
2020-06-25 15:59:48 +02:00
* be careful around the creation of arbitrary SIDs ( ie , we must ensure
2011-05-07 00:50:04 +10:00
* they are not left in a RID pool */
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_add_sam_account ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct samu * sampass )
{
2011-08-11 15:47:01 +10:00
int ret ;
NTSTATUS status ;
struct ldb_dn * dn ;
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-08-11 15:47:01 +10:00
uint32_t acb_flags = pdb_get_acct_ctrl ( sampass ) ;
const char * username = pdb_get_username ( sampass ) ;
const struct dom_sid * user_sid = pdb_get_user_sid ( sampass ) ;
TALLOC_CTX * tframe = talloc_stackframe ( ) ;
acb_flags & = ( ACB_NORMAL | ACB_WSTRUST | ACB_SVRTRUST | ACB_DOMTRUST ) ;
ret = ldb_transaction_start ( state - > ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
talloc_free ( tframe ) ;
return NT_STATUS_LOCK_NOT_GRANTED ;
}
status = dsdb_add_user ( state - > ldb , talloc_tos ( ) , username ,
acb_flags , user_sid , NULL , & dn ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
ldb_transaction_cancel ( state - > ldb ) ;
talloc_free ( tframe ) ;
return status ;
}
2012-09-04 10:27:50 +10:00
ret = pdb_samba_dsdb_replace_by_sam ( state , pdb_element_is_set_or_changed ,
2011-08-11 15:47:01 +10:00
dn , sampass ) ;
if ( ret ! = LDB_SUCCESS ) {
ldb_transaction_cancel ( state - > ldb ) ;
talloc_free ( tframe ) ;
return dsdb_ldb_err_to_ntstatus ( ret ) ;
}
ret = ldb_transaction_commit ( state - > ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( " Failed to commit transaction to add and modify account record %s: %s \n " ,
ldb_dn_get_linearized ( dn ) ,
ldb_errstring ( state - > ldb ) ) ) ;
talloc_free ( tframe ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
talloc_free ( tframe ) ;
return NT_STATUS_OK ;
2011-05-07 00:50:04 +10:00
}
/*
2012-09-04 10:27:50 +10:00
* Update the Samba_Dsdb LDB with the changes from a struct samu .
2011-05-07 00:50:04 +10:00
*
* This takes care not to update elements that have not been changed
* by the caller
*/
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_update_sam_account ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct samu * sam )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
struct ldb_message * msg = pdb_samba_dsdb_get_samu_private (
2011-05-07 00:50:04 +10:00
m , sam ) ;
2011-08-11 15:47:01 +10:00
int ret ;
2011-05-07 00:50:04 +10:00
2012-09-04 10:27:50 +10:00
ret = pdb_samba_dsdb_replace_by_sam ( state , pdb_element_is_changed , msg - > dn ,
2011-08-11 15:47:01 +10:00
sam ) ;
return dsdb_ldb_err_to_ntstatus ( ret ) ;
2011-05-07 00:50:04 +10:00
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_delete_sam_account ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct samu * username )
{
NTSTATUS status ;
TALLOC_CTX * tmp_ctx = talloc_new ( NULL ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
2012-09-04 10:27:50 +10:00
status = pdb_samba_dsdb_delete_user ( m , tmp_ctx , username ) ;
2011-05-07 00:50:04 +10:00
talloc_free ( tmp_ctx ) ;
return status ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_rename_sam_account ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct samu * oldname ,
const char * newname )
{
return NT_STATUS_NOT_IMPLEMENTED ;
}
2020-06-25 15:59:48 +02:00
/* This is not implemented, as this module is expected to be used
* with auth_samba_dsdb , and this is responsible for login counters etc
2011-05-07 00:50:04 +10:00
*
*/
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_update_login_attempts ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct samu * sam_acct ,
bool success )
{
return NT_STATUS_NOT_IMPLEMENTED ;
}
2016-08-08 17:40:51 +10:00
static NTSTATUS pdb_samba_dsdb_getgrfilter ( struct pdb_methods * m ,
GROUP_MAP * map ,
const char * exp_fmt , . . . )
PRINTF_ATTRIBUTE ( 3 , 4 ) ;
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_getgrfilter ( struct pdb_methods * m , GROUP_MAP * map ,
2016-08-08 17:40:51 +10:00
const char * exp_fmt , . . . )
2011-05-07 00:50:04 +10:00
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2013-01-17 16:44:28 +01:00
const char * attrs [ ] = { " objectClass " , " objectSid " , " description " , " samAccountName " , " groupType " ,
2011-05-07 00:50:04 +10:00
NULL } ;
struct ldb_message * msg ;
va_list ap ;
char * expression = NULL ;
struct dom_sid * sid ;
const char * str ;
int rc ;
2012-03-16 09:16:23 +11:00
struct id_map id_map ;
struct id_map * id_maps [ 2 ] ;
2011-05-07 00:50:04 +10:00
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
va_start ( ap , exp_fmt ) ;
expression = talloc_vasprintf ( tmp_ctx , exp_fmt , ap ) ;
va_end ( ap ) ;
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
if ( ! expression ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2011-08-19 17:27:14 +10:00
rc = dsdb_search_one ( state - > ldb , tmp_ctx , & msg , ldb_get_default_basedn ( state - > ldb ) , LDB_SCOPE_SUBTREE , attrs , 0 , " %s " , expression ) ;
2011-05-07 00:50:04 +10:00
if ( rc = = LDB_ERR_NO_SUCH_OBJECT ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_SUCH_GROUP ;
} else if ( rc ! = LDB_SUCCESS ) {
talloc_free ( tmp_ctx ) ;
DEBUG ( 10 , ( " dsdb_search_one failed %s \n " ,
ldb_errstring ( state - > ldb ) ) ) ;
return NT_STATUS_LDAP ( rc ) ;
}
sid = samdb_result_dom_sid ( tmp_ctx , msg , " objectSid " ) ;
if ( ! sid ) {
talloc_free ( tmp_ctx ) ;
DEBUG ( 10 , ( " Could not pull SID \n " ) ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
map - > sid = * sid ;
2012-09-04 10:27:50 +10:00
2012-03-16 09:16:23 +11:00
if ( samdb_find_attribute ( state - > ldb , msg , " objectClass " , " group " ) ) {
NTSTATUS status ;
uint32_t grouptype = ldb_msg_find_attr_as_uint ( msg , " groupType " , 0 ) ;
switch ( grouptype ) {
case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP :
case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP :
map - > sid_name_use = SID_NAME_ALIAS ;
break ;
case GTYPE_SECURITY_GLOBAL_GROUP :
map - > sid_name_use = SID_NAME_DOM_GRP ;
break ;
default :
talloc_free ( tmp_ctx ) ;
DEBUG ( 10 , ( " Could not pull groupType \n " ) ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
ZERO_STRUCT ( id_map ) ;
id_map . sid = sid ;
id_maps [ 0 ] = & id_map ;
id_maps [ 1 ] = NULL ;
status = idmap_sids_to_xids ( state - > idmap_ctx , tmp_ctx , id_maps ) ;
2013-01-17 16:44:28 +01:00
2012-03-16 09:16:23 +11:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
talloc_free ( tmp_ctx ) ;
return status ;
}
if ( id_map . xid . type = = ID_TYPE_GID | | id_map . xid . type = = ID_TYPE_BOTH ) {
map - > gid = id_map . xid . id ;
} else {
DEBUG ( 1 , ( __location__ " Did not get GUID when mapping SID for %s " , expression ) ) ;
talloc_free ( tmp_ctx ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
} else if ( samdb_find_attribute ( state - > ldb , msg , " objectClass " , " user " ) ) {
2011-05-07 00:50:04 +10:00
DEBUG ( 1 , ( __location__ " Got SID_NAME_USER when searching for a group with %s " , expression ) ) ;
2012-03-16 09:16:23 +11:00
talloc_free ( tmp_ctx ) ;
2011-05-07 00:50:04 +10:00
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
str = ldb_msg_find_attr_as_string ( msg , " samAccountName " ,
NULL ) ;
if ( str = = NULL ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2011-09-26 17:55:47 -04:00
map - > nt_name = talloc_strdup ( map , str ) ;
if ( ! map - > nt_name ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2011-05-07 00:50:04 +10:00
str = ldb_msg_find_attr_as_string ( msg , " description " ,
NULL ) ;
if ( str ! = NULL ) {
2011-09-26 17:55:47 -04:00
map - > comment = talloc_strdup ( map , str ) ;
2011-05-07 00:50:04 +10:00
} else {
2011-09-26 17:55:47 -04:00
map - > comment = talloc_strdup ( map , " " ) ;
}
if ( ! map - > comment ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
2011-05-07 00:50:04 +10:00
}
talloc_free ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_getgrsid ( struct pdb_methods * m , GROUP_MAP * map ,
2011-05-07 00:50:04 +10:00
struct dom_sid sid )
{
char * filter ;
NTSTATUS status ;
2018-12-08 15:52:31 +01:00
struct dom_sid_buf buf ;
2011-05-07 00:50:04 +10:00
filter = talloc_asprintf ( talloc_tos ( ) ,
" (&(objectsid=%s)(objectclass=group)) " ,
2018-12-08 15:52:31 +01:00
dom_sid_str_buf ( & sid , & buf ) ) ;
2011-05-07 00:50:04 +10:00
if ( filter = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
2016-08-08 17:40:51 +10:00
status = pdb_samba_dsdb_getgrfilter ( m , map , " %s " , filter ) ;
2011-05-07 00:50:04 +10:00
TALLOC_FREE ( filter ) ;
return status ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_getgrgid ( struct pdb_methods * m , GROUP_MAP * map ,
2011-05-07 00:50:04 +10:00
gid_t gid )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
NTSTATUS status ;
struct id_map id_map ;
struct id_map * id_maps [ 2 ] ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
id_map . xid . id = gid ;
id_map . xid . type = ID_TYPE_GID ;
id_maps [ 0 ] = & id_map ;
id_maps [ 1 ] = NULL ;
status = idmap_xids_to_sids ( state - > idmap_ctx , tmp_ctx , id_maps ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2014-05-28 17:57:31 +02:00
talloc_free ( tmp_ctx ) ;
2011-05-07 00:50:04 +10:00
return status ;
}
2012-09-04 10:27:50 +10:00
status = pdb_samba_dsdb_getgrsid ( m , map , * id_map . sid ) ;
2011-05-07 00:50:04 +10:00
talloc_free ( tmp_ctx ) ;
return status ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_getgrnam ( struct pdb_methods * m , GROUP_MAP * map ,
2011-05-07 00:50:04 +10:00
const char * name )
{
char * filter ;
NTSTATUS status ;
filter = talloc_asprintf ( talloc_tos ( ) ,
" (&(samaccountname=%s)(objectclass=group)) " ,
name ) ;
if ( filter = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
2016-08-08 17:40:51 +10:00
status = pdb_samba_dsdb_getgrfilter ( m , map , " %s " , filter ) ;
2011-05-07 00:50:04 +10:00
TALLOC_FREE ( filter ) ;
return status ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_create_dom_group ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx , const char * name ,
2015-05-09 13:34:31 -07:00
uint32_t * rid )
2011-05-07 00:50:04 +10:00
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
NTSTATUS status ;
struct dom_sid * sid ;
struct ldb_dn * dn ;
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
status = dsdb_add_domain_group ( state - > ldb , tmp_ctx , name , & sid , & dn ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
talloc_free ( tmp_ctx ) ;
return status ;
}
sid_peek_rid ( sid , rid ) ;
talloc_free ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_delete_dom_group ( struct pdb_methods * m ,
2015-05-09 13:34:31 -07:00
TALLOC_CTX * mem_ctx , uint32_t rid )
2011-05-07 00:50:04 +10:00
{
const char * attrs [ ] = { NULL } ;
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
struct dom_sid sid ;
struct ldb_message * msg ;
struct ldb_dn * dn ;
int rc ;
2018-12-16 16:59:32 +01:00
struct dom_sid_buf buf ;
2011-05-07 00:50:04 +10:00
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
sid_compose ( & sid , samdb_domain_sid ( state - > ldb ) , rid ) ;
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
if ( ldb_transaction_start ( state - > ldb ) ! = LDB_SUCCESS ) {
2012-09-04 10:27:50 +10:00
DEBUG ( 0 , ( " Unable to start transaction in pdb_samba_dsdb_delete_dom_group() \n " ) ) ;
2011-05-07 00:50:04 +10:00
return NT_STATUS_INTERNAL_ERROR ;
}
2018-12-16 16:59:32 +01:00
dn = ldb_dn_new_fmt (
tmp_ctx ,
state - > ldb ,
" <SID=%s> " ,
dom_sid_str_buf ( & sid , & buf ) ) ;
2011-05-07 00:50:04 +10:00
if ( ! dn | | ! ldb_dn_validate ( dn ) ) {
talloc_free ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return NT_STATUS_NO_MEMORY ;
}
rc = dsdb_search_one ( state - > ldb , tmp_ctx , & msg , dn , LDB_SCOPE_BASE , attrs , 0 , " objectclass=group " ) ;
if ( rc = = LDB_ERR_NO_SUCH_OBJECT ) {
talloc_free ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return NT_STATUS_NO_SUCH_GROUP ;
}
rc = ldb_delete ( state - > ldb , dn ) ;
if ( rc = = LDB_ERR_NO_SUCH_OBJECT ) {
talloc_free ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return NT_STATUS_NO_SUCH_GROUP ;
} else if ( rc ! = LDB_SUCCESS ) {
DEBUG ( 10 , ( " ldb_delete failed %s \n " ,
ldb_errstring ( state - > ldb ) ) ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return NT_STATUS_LDAP ( rc ) ;
}
if ( ldb_transaction_commit ( state - > ldb ) ! = LDB_SUCCESS ) {
2012-09-04 10:27:50 +10:00
DEBUG ( 0 , ( " Unable to commit transaction in pdb_samba_dsdb_delete_dom_group() \n " ) ) ;
2011-05-07 00:50:04 +10:00
return NT_STATUS_INTERNAL_ERROR ;
}
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_add_group_mapping_entry ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
GROUP_MAP * map )
{
return NT_STATUS_NOT_IMPLEMENTED ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_update_group_mapping_entry ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
GROUP_MAP * map )
{
return NT_STATUS_NOT_IMPLEMENTED ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_delete_group_mapping_entry ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct dom_sid sid )
{
return NT_STATUS_NOT_IMPLEMENTED ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_enum_group_mapping ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
const struct dom_sid * sid ,
enum lsa_SidType sid_name_use ,
2011-09-26 17:55:47 -04:00
GROUP_MAP * * * pp_rmap ,
2011-05-07 00:50:04 +10:00
size_t * p_num_entries ,
bool unix_only )
{
return NT_STATUS_NOT_IMPLEMENTED ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_enum_group_members ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx ,
const struct dom_sid * group ,
uint32_t * * pmembers ,
size_t * pnum_members )
{
unsigned int i , num_sids , num_members ;
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
struct dom_sid * members_as_sids ;
struct dom_sid * dom_sid ;
uint32_t * members ;
struct ldb_dn * dn ;
NTSTATUS status ;
2018-12-16 16:59:32 +01:00
struct dom_sid_buf buf ;
2011-05-07 00:50:04 +10:00
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
2018-12-16 16:59:32 +01:00
dn = ldb_dn_new_fmt (
tmp_ctx ,
state - > ldb ,
" <SID=%s> " ,
dom_sid_str_buf ( group , & buf ) ) ;
2011-05-07 00:50:04 +10:00
if ( ! dn | | ! ldb_dn_validate ( dn ) ) {
return NT_STATUS_NO_MEMORY ;
}
status = dsdb_enum_group_mem ( state - > ldb , tmp_ctx , dn , & members_as_sids , & num_sids ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
talloc_free ( tmp_ctx ) ;
return status ;
}
status = dom_sid_split_rid ( tmp_ctx , group , & dom_sid , NULL ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
talloc_free ( tmp_ctx ) ;
return status ;
}
* pmembers = members = talloc_array ( mem_ctx , uint32_t , num_sids ) ;
2014-02-13 17:51:11 +13:00
if ( * pmembers = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2011-05-07 00:50:04 +10:00
num_members = 0 ;
for ( i = 0 ; i < num_sids ; i + + ) {
if ( ! dom_sid_in_domain ( dom_sid , & members_as_sids [ i ] ) ) {
continue ;
}
2012-09-04 10:27:50 +10:00
status = dom_sid_split_rid ( NULL , & members_as_sids [ i ] ,
2011-05-07 00:50:04 +10:00
NULL , & members [ num_members ] ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
talloc_free ( tmp_ctx ) ;
return status ;
}
num_members + + ;
}
* pnum_members = num_members ;
return NT_STATUS_OK ;
}
/* Just convert the primary group SID into a group */
2012-09-04 10:27:50 +10:00
static NTSTATUS fake_enum_group_memberships ( struct pdb_samba_dsdb_state * state ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx ,
struct samu * user ,
struct dom_sid * * pp_sids ,
gid_t * * pp_gids ,
uint32_t * p_num_groups )
{
NTSTATUS status ;
size_t num_groups = 0 ;
2013-05-27 13:28:47 +02:00
struct dom_sid * group_sids = NULL ;
gid_t * gids = NULL ;
2011-05-07 00:50:04 +10:00
TALLOC_CTX * tmp_ctx ;
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
if ( user - > group_sid ) {
struct id_map * id_maps [ 2 ] ;
struct id_map id_map ;
num_groups = 1 ;
group_sids = talloc_array ( tmp_ctx , struct dom_sid , num_groups ) ;
if ( group_sids = = NULL ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
gids = talloc_array ( tmp_ctx , gid_t , num_groups ) ;
if ( gids = = NULL ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
group_sids [ 0 ] = * user - > group_sid ;
ZERO_STRUCT ( id_map ) ;
id_map . sid = & group_sids [ 0 ] ;
id_maps [ 0 ] = & id_map ;
id_maps [ 1 ] = NULL ;
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
status = idmap_sids_to_xids ( state - > idmap_ctx , tmp_ctx , id_maps ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
talloc_free ( tmp_ctx ) ;
return status ;
}
if ( id_map . xid . type = = ID_TYPE_GID | | id_map . xid . type = = ID_TYPE_BOTH ) {
gids [ 0 ] = id_map . xid . id ;
} else {
2018-12-16 16:59:32 +01:00
struct dom_sid_buf buf1 , buf2 ;
2012-09-04 10:27:50 +10:00
DEBUG ( 1 , ( __location__
2011-05-07 00:50:04 +10:00
" Group %s, of which %s is a member, could not be converted to a GID \n " ,
2018-12-16 16:59:32 +01:00
dom_sid_str_buf ( & group_sids [ 0 ] , & buf1 ) ,
dom_sid_str_buf ( & user - > user_sid , & buf2 ) ) ) ;
2011-05-07 00:50:04 +10:00
talloc_free ( tmp_ctx ) ;
/* We must error out, otherwise a user might
* avoid a DENY acl based on a group they
* missed out on */
return NT_STATUS_NO_SUCH_GROUP ;
}
}
* pp_sids = talloc_steal ( mem_ctx , group_sids ) ;
* pp_gids = talloc_steal ( mem_ctx , gids ) ;
* p_num_groups = num_groups ;
talloc_free ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_enum_group_memberships ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx ,
struct samu * user ,
struct dom_sid * * pp_sids ,
gid_t * * pp_gids ,
uint32_t * p_num_groups )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
struct ldb_message * msg = pdb_samba_dsdb_get_samu_private (
2011-05-07 00:50:04 +10:00
m , user ) ;
const char * attrs [ ] = { " tokenGroups " , NULL } ;
struct ldb_message * tokengroups_msg ;
struct ldb_message_element * tokengroups ;
int i , rc ;
NTSTATUS status ;
unsigned int count = 0 ;
size_t num_groups ;
struct dom_sid * group_sids ;
gid_t * gids ;
TALLOC_CTX * tmp_ctx ;
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
if ( msg = = NULL ) {
/* Fake up some things here */
2012-09-04 10:27:50 +10:00
return fake_enum_group_memberships ( state ,
mem_ctx ,
2011-05-07 00:50:04 +10:00
user , pp_sids ,
pp_gids , p_num_groups ) ;
}
tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
rc = dsdb_search_one ( state - > ldb , tmp_ctx , & tokengroups_msg , msg - > dn , LDB_SCOPE_BASE , attrs , 0 , NULL ) ;
if ( rc = = LDB_ERR_NO_SUCH_OBJECT ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_SUCH_USER ;
} else if ( rc ! = LDB_SUCCESS ) {
DEBUG ( 10 , ( " dsdb_search_one failed %s \n " ,
ldb_errstring ( state - > ldb ) ) ) ;
talloc_free ( tmp_ctx ) ;
return NT_STATUS_LDAP ( rc ) ;
}
tokengroups = ldb_msg_find_element ( tokengroups_msg , " tokenGroups " ) ;
if ( tokengroups ) {
count = tokengroups - > num_values ;
}
group_sids = talloc_array ( tmp_ctx , struct dom_sid , count ) ;
if ( group_sids = = NULL ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
gids = talloc_array ( tmp_ctx , gid_t , count ) ;
if ( gids = = NULL ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
num_groups = 0 ;
for ( i = 0 ; i < count ; i + + ) {
struct id_map * id_maps [ 2 ] ;
struct id_map id_map ;
struct ldb_val * v = & tokengroups - > values [ i ] ;
enum ndr_err_code ndr_err
= ndr_pull_struct_blob ( v , group_sids , & group_sids [ num_groups ] ,
( ndr_pull_flags_fn_t ) ndr_pull_dom_sid ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
ZERO_STRUCT ( id_map ) ;
id_map . sid = & group_sids [ num_groups ] ;
id_maps [ 0 ] = & id_map ;
id_maps [ 1 ] = NULL ;
status = idmap_sids_to_xids ( state - > idmap_ctx , tmp_ctx , id_maps ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
talloc_free ( tmp_ctx ) ;
return status ;
}
if ( id_map . xid . type = = ID_TYPE_GID | | id_map . xid . type = = ID_TYPE_BOTH ) {
gids [ num_groups ] = id_map . xid . id ;
} else {
2018-12-16 16:59:32 +01:00
struct dom_sid_buf buf ;
2012-09-04 10:27:50 +10:00
DEBUG ( 1 , ( __location__
2011-05-07 00:50:04 +10:00
" Group %s, of which %s is a member, could not be converted to a GID \n " ,
2018-12-16 16:59:32 +01:00
dom_sid_str_buf ( & group_sids [ num_groups ] ,
& buf ) ,
2011-05-07 00:50:04 +10:00
ldb_dn_get_linearized ( msg - > dn ) ) ) ;
talloc_free ( tmp_ctx ) ;
/* We must error out, otherwise a user might
* avoid a DENY acl based on a group they
* missed out on */
return NT_STATUS_NO_SUCH_GROUP ;
}
num_groups + = 1 ;
if ( num_groups = = count ) {
break ;
}
}
* pp_sids = talloc_steal ( mem_ctx , group_sids ) ;
* pp_gids = talloc_steal ( mem_ctx , gids ) ;
* p_num_groups = num_groups ;
talloc_free ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_set_unix_primary_group ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx ,
struct samu * user )
{
return NT_STATUS_NOT_IMPLEMENTED ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_mod_groupmem_by_sid ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx ,
2012-09-04 10:27:50 +10:00
const struct dom_sid * groupsid ,
2011-05-07 00:50:04 +10:00
const struct dom_sid * membersid ,
int mod_op )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
struct ldb_message * msg ;
int ret ;
struct ldb_message_element * el ;
2018-12-16 16:59:32 +01:00
struct dom_sid_buf buf ;
2011-05-07 00:50:04 +10:00
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
msg = ldb_msg_new ( tmp_ctx ) ;
2014-02-13 17:51:11 +13:00
if ( msg = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2011-05-07 00:50:04 +10:00
2018-12-16 16:59:32 +01:00
msg - > dn = ldb_dn_new_fmt (
msg ,
state - > ldb ,
" <SID=%s> " ,
dom_sid_str_buf ( groupsid , & buf ) ) ;
2011-05-07 00:50:04 +10:00
if ( ! msg - > dn | | ! ldb_dn_validate ( msg - > dn ) ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2018-12-16 16:59:32 +01:00
ret = ldb_msg_add_fmt (
msg ,
" member " ,
" <SID=%s> " ,
dom_sid_str_buf ( membersid , & buf ) ) ;
2011-05-07 00:50:04 +10:00
if ( ret ! = LDB_SUCCESS ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
el = ldb_msg_find_element ( msg , " member " ) ;
el - > flags = mod_op ;
/* No need for transactions here, the ldb auto-transaction
* code will handle things for the single operation */
ret = ldb_modify ( state - > ldb , msg ) ;
talloc_free ( tmp_ctx ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 10 , ( " ldb_modify failed: %s \n " ,
ldb_errstring ( state - > ldb ) ) ) ;
if ( ret = = LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS ) {
return NT_STATUS_MEMBER_IN_GROUP ;
}
if ( ret = = LDB_ERR_NO_SUCH_ATTRIBUTE ) {
return NT_STATUS_MEMBER_NOT_IN_GROUP ;
}
return NT_STATUS_LDAP ( ret ) ;
}
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_mod_groupmem ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx ,
2015-05-09 13:34:31 -07:00
uint32_t grouprid , uint32_t memberrid ,
2011-05-07 00:50:04 +10:00
int mod_op )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
const struct dom_sid * dom_sid , * groupsid , * membersid ;
NTSTATUS status ;
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
dom_sid = samdb_domain_sid ( state - > ldb ) ;
groupsid = dom_sid_add_rid ( tmp_ctx , dom_sid , grouprid ) ;
2014-02-13 17:51:11 +13:00
if ( groupsid = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2011-05-07 00:50:04 +10:00
membersid = dom_sid_add_rid ( tmp_ctx , dom_sid , memberrid ) ;
2014-02-13 17:51:11 +13:00
if ( membersid = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2012-09-04 10:27:50 +10:00
status = pdb_samba_dsdb_mod_groupmem_by_sid ( m , tmp_ctx , groupsid , membersid , mod_op ) ;
2011-05-07 00:50:04 +10:00
talloc_free ( tmp_ctx ) ;
return status ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_add_groupmem ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx ,
2015-05-09 13:34:31 -07:00
uint32_t group_rid , uint32_t member_rid )
2011-05-07 00:50:04 +10:00
{
2012-09-04 10:27:50 +10:00
return pdb_samba_dsdb_mod_groupmem ( m , mem_ctx , group_rid , member_rid ,
2011-05-07 00:50:04 +10:00
LDB_FLAG_MOD_ADD ) ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_del_groupmem ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx ,
2015-05-09 13:34:31 -07:00
uint32_t group_rid , uint32_t member_rid )
2011-05-07 00:50:04 +10:00
{
2012-09-04 10:27:50 +10:00
return pdb_samba_dsdb_mod_groupmem ( m , mem_ctx , group_rid , member_rid ,
2011-05-07 00:50:04 +10:00
LDB_FLAG_MOD_DELETE ) ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_create_alias ( struct pdb_methods * m ,
2015-05-09 13:34:31 -07:00
const char * name , uint32_t * rid )
2011-05-07 00:50:04 +10:00
{
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
struct dom_sid * sid ;
struct ldb_dn * dn ;
NTSTATUS status ;
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
/* Internally this uses transactions to ensure all the steps
* happen or fail as one */
status = dsdb_add_domain_alias ( state - > ldb , frame , name , & sid , & dn ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
TALLOC_FREE ( frame ) ;
}
sid_peek_rid ( sid , rid ) ;
TALLOC_FREE ( frame ) ;
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_delete_alias ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
const struct dom_sid * sid )
{
const char * attrs [ ] = { NULL } ;
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
struct ldb_message * msg ;
struct ldb_dn * dn ;
int rc ;
2018-12-16 16:59:32 +01:00
struct dom_sid_buf buf ;
2011-05-07 00:50:04 +10:00
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
2018-12-16 16:59:32 +01:00
dn = ldb_dn_new_fmt (
tmp_ctx ,
state - > ldb ,
" <SID=%s> " ,
dom_sid_str_buf ( sid , & buf ) ) ;
2011-05-07 00:50:04 +10:00
if ( ! dn | | ! ldb_dn_validate ( dn ) ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
if ( ldb_transaction_start ( state - > ldb ) ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( " Failed to start transaction in dsdb_add_domain_alias(): %s \n " , ldb_errstring ( state - > ldb ) ) ) ;
2014-05-28 17:57:31 +02:00
talloc_free ( tmp_ctx ) ;
2011-05-07 00:50:04 +10:00
return NT_STATUS_INTERNAL_ERROR ;
}
rc = dsdb_search_one ( state - > ldb , tmp_ctx , & msg , dn , LDB_SCOPE_BASE , attrs , 0 , " (objectclass=group) "
" (|(grouptype=%d)(grouptype=%d))) " ,
GTYPE_SECURITY_BUILTIN_LOCAL_GROUP ,
GTYPE_SECURITY_DOMAIN_LOCAL_GROUP ) ;
if ( rc = = LDB_ERR_NO_SUCH_OBJECT ) {
talloc_free ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return NT_STATUS_NO_SUCH_ALIAS ;
}
rc = ldb_delete ( state - > ldb , dn ) ;
if ( rc = = LDB_ERR_NO_SUCH_OBJECT ) {
talloc_free ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return NT_STATUS_NO_SUCH_ALIAS ;
} else if ( rc ! = LDB_SUCCESS ) {
DEBUG ( 10 , ( " ldb_delete failed %s \n " ,
ldb_errstring ( state - > ldb ) ) ) ;
ldb_transaction_cancel ( state - > ldb ) ;
2014-05-28 17:57:31 +02:00
talloc_free ( tmp_ctx ) ;
2011-05-07 00:50:04 +10:00
return NT_STATUS_LDAP ( rc ) ;
}
if ( ldb_transaction_commit ( state - > ldb ) ! = LDB_SUCCESS ) {
2012-09-04 10:27:50 +10:00
DEBUG ( 0 , ( " Failed to commit transaction in pdb_samba_dsdb_delete_alias(): %s \n " ,
2011-05-07 00:50:04 +10:00
ldb_errstring ( state - > ldb ) ) ) ;
2014-05-28 17:57:31 +02:00
talloc_free ( tmp_ctx ) ;
2011-05-07 00:50:04 +10:00
return NT_STATUS_INTERNAL_ERROR ;
}
2014-05-28 17:57:31 +02:00
talloc_free ( tmp_ctx ) ;
2011-05-07 00:50:04 +10:00
return NT_STATUS_OK ;
}
#if 0
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_set_aliasinfo ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
const struct dom_sid * sid ,
struct acct_info * info )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
struct tldap_context * ld ;
const char * attrs [ 3 ] = { " objectSid " , " description " ,
" samAccountName " } ;
struct ldb_message * * msg ;
char * sidstr , * dn ;
int rc ;
struct tldap_mod * mods ;
int num_mods ;
bool ok ;
2012-09-04 10:27:50 +10:00
ld = pdb_samba_dsdb_ld ( state ) ;
2011-05-07 00:50:04 +10:00
if ( ld = = NULL ) {
return NT_STATUS_LDAP ( TLDAP_SERVER_DOWN ) ;
}
sidstr = sid_binstring ( talloc_tos ( ) , sid ) ;
NT_STATUS_HAVE_NO_MEMORY ( sidstr ) ;
2012-09-04 10:27:50 +10:00
rc = pdb_samba_dsdb_search_fmt ( state , state - > domaindn , TLDAP_SCOPE_SUB ,
2011-05-07 00:50:04 +10:00
attrs , ARRAY_SIZE ( attrs ) , 0 , talloc_tos ( ) ,
& msg , " (&(objectSid=%s)(objectclass=group) "
" (|(grouptype=%d)(grouptype=%d))) " ,
sidstr , GTYPE_SECURITY_BUILTIN_LOCAL_GROUP ,
GTYPE_SECURITY_DOMAIN_LOCAL_GROUP ) ;
TALLOC_FREE ( sidstr )
if ( rc ! = LDB_SUCCESS ) {
DEBUG ( 10 , ( " ldap_search failed %s \n " ,
ldb_errstring ( state - > ldb ) ) ) ;
return NT_STATUS_LDAP ( rc ) ;
}
switch talloc_array_length ( msg ) {
case 0 :
return NT_STATUS_NO_SUCH_ALIAS ;
case 1 :
break ;
default :
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
if ( ! tldap_entry_dn ( msg [ 0 ] , & dn ) ) {
TALLOC_FREE ( msg ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
mods = NULL ;
num_mods = 0 ;
ok = true ;
ok & = tldap_make_mod_fmt (
msg [ 0 ] , msg , & num_mods , & mods , " description " ,
" %s " , info - > acct_desc ) ;
ok & = tldap_make_mod_fmt (
msg [ 0 ] , msg , & num_mods , & mods , " samAccountName " ,
" %s " , info - > acct_name ) ;
if ( ! ok ) {
TALLOC_FREE ( msg ) ;
return NT_STATUS_NO_MEMORY ;
}
if ( num_mods = = 0 ) {
/* no change */
TALLOC_FREE ( msg ) ;
return NT_STATUS_OK ;
}
rc = tldap_modify ( ld , dn , num_mods , mods , NULL , 0 , NULL , 0 ) ;
TALLOC_FREE ( msg ) ;
if ( rc ! = LDB_SUCCESS ) {
DEBUG ( 10 , ( " ldap_modify failed: %s \n " ,
ldb_errstring ( state - > ldb ) ) ) ;
return NT_STATUS_LDAP ( rc ) ;
}
return NT_STATUS_OK ;
}
# endif
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_add_aliasmem ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
const struct dom_sid * alias ,
const struct dom_sid * member )
{
NTSTATUS status ;
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2012-09-04 10:27:50 +10:00
status = pdb_samba_dsdb_mod_groupmem_by_sid ( m , frame , alias , member , LDB_FLAG_MOD_ADD ) ;
2011-05-07 00:50:04 +10:00
talloc_free ( frame ) ;
return status ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_del_aliasmem ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
const struct dom_sid * alias ,
const struct dom_sid * member )
{
NTSTATUS status ;
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2012-09-04 10:27:50 +10:00
status = pdb_samba_dsdb_mod_groupmem_by_sid ( m , frame , alias , member , LDB_FLAG_MOD_DELETE ) ;
2011-05-07 00:50:04 +10:00
talloc_free ( frame ) ;
return status ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_enum_aliasmem ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
const struct dom_sid * alias ,
TALLOC_CTX * mem_ctx ,
struct dom_sid * * pmembers ,
size_t * pnum_members )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
struct ldb_dn * dn ;
unsigned int num_members ;
NTSTATUS status ;
2018-12-16 16:59:32 +01:00
struct dom_sid_buf buf ;
2011-05-07 00:50:04 +10:00
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
2018-12-16 16:59:32 +01:00
dn = ldb_dn_new_fmt (
tmp_ctx ,
state - > ldb ,
" <SID=%s> " ,
dom_sid_str_buf ( alias , & buf ) ) ;
2011-05-07 00:50:04 +10:00
if ( ! dn | | ! ldb_dn_validate ( dn ) ) {
return NT_STATUS_NO_MEMORY ;
}
status = dsdb_enum_group_mem ( state - > ldb , mem_ctx , dn , pmembers , & num_members ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
2020-02-05 00:25:36 -05:00
* pnum_members = num_members ;
2011-05-07 00:50:04 +10:00
}
talloc_free ( tmp_ctx ) ;
return status ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_enum_alias_memberships ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx ,
const struct dom_sid * domain_sid ,
const struct dom_sid * members ,
size_t num_members ,
uint32_t * * palias_rids ,
size_t * pnum_alias_rids )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
uint32_t * alias_rids = NULL ;
size_t num_alias_rids = 0 ;
int i ;
struct dom_sid * groupSIDs = NULL ;
unsigned int num_groupSIDs = 0 ;
char * filter ;
NTSTATUS status ;
const char * sid_dn ;
DATA_BLOB sid_blob ;
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
/*
* TODO : Get the filter right so that we only get the aliases from
* either the SAM or BUILTIN
*/
filter = talloc_asprintf ( tmp_ctx , " (&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u)) " ,
GROUP_TYPE_BUILTIN_LOCAL_GROUP ) ;
if ( filter = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < num_members ; i + + ) {
2018-12-16 16:59:32 +01:00
struct dom_sid_buf buf ;
2011-05-07 00:50:04 +10:00
2018-12-16 16:59:32 +01:00
sid_dn = talloc_asprintf (
tmp_ctx ,
" <SID=%s> " ,
dom_sid_str_buf ( & members [ i ] , & buf ) ) ;
2014-02-13 17:51:11 +13:00
if ( sid_dn = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
sid_blob = data_blob_string_const ( sid_dn ) ;
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
status = dsdb_expand_nested_groups ( state - > ldb , & sid_blob , true , filter ,
tmp_ctx , & groupSIDs , & num_groupSIDs ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
talloc_free ( tmp_ctx ) ;
return status ;
}
}
alias_rids = talloc_array ( mem_ctx , uint32_t , num_groupSIDs ) ;
if ( alias_rids = = NULL ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < num_groupSIDs ; i + + ) {
if ( sid_peek_check_rid ( domain_sid , & groupSIDs [ i ] ,
& alias_rids [ num_alias_rids ] ) ) {
num_alias_rids + + ; ;
}
}
* palias_rids = alias_rids ;
* pnum_alias_rids = num_alias_rids ;
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_lookup_rids ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
const struct dom_sid * domain_sid ,
int num_rids ,
2015-05-09 13:34:31 -07:00
uint32_t * rids ,
2011-05-07 00:50:04 +10:00
const char * * names ,
enum lsa_SidType * lsa_attrs )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
NTSTATUS status ;
TALLOC_CTX * tmp_ctx ;
if ( num_rids = = 0 ) {
return NT_STATUS_NONE_MAPPED ;
}
tmp_ctx = talloc_stackframe ( ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
status = dsdb_lookup_rids ( state - > ldb , tmp_ctx , domain_sid , num_rids , rids , names , lsa_attrs ) ;
talloc_free ( tmp_ctx ) ;
return status ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_lookup_names ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
const struct dom_sid * domain_sid ,
int num_names ,
const char * * pp_names ,
2015-05-09 13:34:31 -07:00
uint32_t * rids ,
2011-05-07 00:50:04 +10:00
enum lsa_SidType * attrs )
{
return NT_STATUS_NOT_IMPLEMENTED ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_get_account_policy ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
enum pdb_policy_type type ,
uint32_t * value )
{
return account_policy_get ( type , value )
? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_set_account_policy ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
enum pdb_policy_type type ,
uint32_t value )
{
return account_policy_set ( type , value )
? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_get_seq_num ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
time_t * seq_num_out )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
uint64_t seq_num ;
int ret = ldb_sequence_number ( state - > ldb , LDB_SEQ_HIGHEST_SEQ , & seq_num ) ;
if ( ret = = LDB_SUCCESS ) {
* seq_num_out = seq_num ;
return NT_STATUS_OK ;
} else {
return NT_STATUS_UNSUCCESSFUL ;
}
}
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_search_state {
2011-05-07 00:50:04 +10:00
uint32_t acct_flags ;
struct samr_displayentry * entries ;
uint32_t num_entries ;
ssize_t array_size ;
uint32_t current ;
} ;
2012-09-04 10:27:50 +10:00
static bool pdb_samba_dsdb_next_entry ( struct pdb_search * search ,
2011-05-07 00:50:04 +10:00
struct samr_displayentry * entry )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_search_state * state = talloc_get_type_abort (
search - > private_data , struct pdb_samba_dsdb_search_state ) ;
2011-05-07 00:50:04 +10:00
if ( state - > current = = state - > num_entries ) {
return false ;
}
entry - > idx = state - > entries [ state - > current ] . idx ;
entry - > rid = state - > entries [ state - > current ] . rid ;
entry - > acct_flags = state - > entries [ state - > current ] . acct_flags ;
entry - > account_name = talloc_strdup (
search , state - > entries [ state - > current ] . account_name ) ;
entry - > fullname = talloc_strdup (
search , state - > entries [ state - > current ] . fullname ) ;
entry - > description = talloc_strdup (
search , state - > entries [ state - > current ] . description ) ;
state - > current + = 1 ;
return true ;
}
2012-09-04 10:27:50 +10:00
static void pdb_samba_dsdb_search_end ( struct pdb_search * search )
2011-05-07 00:50:04 +10:00
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_search_state * state = talloc_get_type_abort (
search - > private_data , struct pdb_samba_dsdb_search_state ) ;
2011-05-07 00:50:04 +10:00
talloc_free ( state ) ;
}
2016-08-08 17:40:51 +10:00
static bool pdb_samba_dsdb_search_filter ( struct pdb_methods * m ,
struct pdb_search * search ,
struct pdb_samba_dsdb_search_state * * pstate ,
const char * exp_fmt , . . . )
PRINTF_ATTRIBUTE ( 4 , 5 ) ;
2012-09-04 10:27:50 +10:00
static bool pdb_samba_dsdb_search_filter ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct pdb_search * search ,
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_search_state * * pstate ,
2016-08-08 17:40:51 +10:00
const char * exp_fmt , . . . )
2011-05-07 00:50:04 +10:00
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
struct pdb_samba_dsdb_search_state * sstate ;
2011-05-07 00:50:04 +10:00
const char * attrs [ ] = { " objectSid " , " sAMAccountName " , " displayName " ,
" userAccountControl " , " description " , NULL } ;
struct ldb_result * res ;
int i , rc , num_users ;
va_list ap ;
char * expression = NULL ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
if ( ! tmp_ctx ) {
return false ;
}
va_start ( ap , exp_fmt ) ;
expression = talloc_vasprintf ( tmp_ctx , exp_fmt , ap ) ;
va_end ( ap ) ;
2012-09-04 10:27:50 +10:00
2011-05-07 00:50:04 +10:00
if ( ! expression ) {
talloc_free ( tmp_ctx ) ;
return LDB_ERR_OPERATIONS_ERROR ;
}
2012-09-04 10:27:50 +10:00
sstate = talloc_zero ( tmp_ctx , struct pdb_samba_dsdb_search_state ) ;
2011-05-07 00:50:04 +10:00
if ( sstate = = NULL ) {
talloc_free ( tmp_ctx ) ;
return false ;
}
2011-08-19 17:27:14 +10:00
rc = dsdb_search ( state - > ldb , tmp_ctx , & res , ldb_get_default_basedn ( state - > ldb ) , LDB_SCOPE_SUBTREE , attrs , 0 , " %s " , expression ) ;
2011-05-07 00:50:04 +10:00
if ( rc ! = LDB_SUCCESS ) {
talloc_free ( tmp_ctx ) ;
DEBUG ( 10 , ( " dsdb_search failed: %s \n " ,
ldb_errstring ( state - > ldb ) ) ) ;
return false ;
}
num_users = res - > count ;
sstate - > entries = talloc_array ( sstate , struct samr_displayentry ,
num_users ) ;
if ( sstate - > entries = = NULL ) {
talloc_free ( tmp_ctx ) ;
DEBUG ( 10 , ( " talloc failed \n " ) ) ;
return false ;
}
sstate - > num_entries = 0 ;
for ( i = 0 ; i < num_users ; i + + ) {
struct samr_displayentry * e ;
struct dom_sid * sid ;
e = & sstate - > entries [ sstate - > num_entries ] ;
e - > idx = sstate - > num_entries ;
sid = samdb_result_dom_sid ( tmp_ctx , res - > msgs [ i ] , " objectSid " ) ;
if ( ! sid ) {
talloc_free ( tmp_ctx ) ;
DEBUG ( 10 , ( " Could not pull SID \n " ) ) ;
return false ;
}
sid_peek_rid ( sid , & e - > rid ) ;
2012-09-04 10:27:50 +10:00
2013-10-29 17:30:18 +13:00
e - > acct_flags = samdb_result_acct_flags ( res - > msgs [ i ] , " userAccountControl " ) ;
2011-05-07 00:50:04 +10:00
e - > account_name = ldb_msg_find_attr_as_string (
res - > msgs [ i ] , " samAccountName " , NULL ) ;
if ( e - > account_name = = NULL ) {
talloc_free ( tmp_ctx ) ;
return false ;
}
e - > fullname = ldb_msg_find_attr_as_string (
res - > msgs [ i ] , " displayName " , " " ) ;
e - > description = ldb_msg_find_attr_as_string (
res - > msgs [ i ] , " description " , " " ) ;
sstate - > num_entries + = 1 ;
if ( sstate - > num_entries > = num_users ) {
break ;
}
}
talloc_steal ( sstate - > entries , res - > msgs ) ;
search - > private_data = talloc_steal ( search , sstate ) ;
2012-09-04 10:27:50 +10:00
search - > next_entry = pdb_samba_dsdb_next_entry ;
search - > search_end = pdb_samba_dsdb_search_end ;
2011-05-07 00:50:04 +10:00
* pstate = sstate ;
talloc_free ( tmp_ctx ) ;
return true ;
}
2012-09-04 10:27:50 +10:00
static bool pdb_samba_dsdb_search_users ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct pdb_search * search ,
2015-05-09 13:34:31 -07:00
uint32_t acct_flags )
2011-05-07 00:50:04 +10:00
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_search_state * sstate ;
2011-05-07 00:50:04 +10:00
bool ret ;
2012-09-04 10:27:50 +10:00
ret = pdb_samba_dsdb_search_filter ( m , search , & sstate , " (objectclass=user) " ) ;
2011-05-07 00:50:04 +10:00
if ( ! ret ) {
return false ;
}
sstate - > acct_flags = acct_flags ;
return true ;
}
2012-09-04 10:27:50 +10:00
static bool pdb_samba_dsdb_search_groups ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct pdb_search * search )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_search_state * sstate ;
2011-05-07 00:50:04 +10:00
bool ret ;
2012-09-04 10:27:50 +10:00
ret = pdb_samba_dsdb_search_filter ( m , search , & sstate ,
2011-05-07 00:50:04 +10:00
" (&(grouptype=%d)(objectclass=group)) " ,
GTYPE_SECURITY_GLOBAL_GROUP ) ;
if ( ! ret ) {
return false ;
}
sstate - > acct_flags = 0 ;
return true ;
}
2012-09-04 10:27:50 +10:00
static bool pdb_samba_dsdb_search_aliases ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
struct pdb_search * search ,
const struct dom_sid * sid )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_search_state * sstate ;
2011-05-07 00:50:04 +10:00
bool ret ;
2012-09-04 10:27:50 +10:00
ret = pdb_samba_dsdb_search_filter ( m , search , & sstate ,
2011-05-07 00:50:04 +10:00
" (&(grouptype=%d)(objectclass=group)) " ,
sid_check_is_builtin ( sid )
? GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
: GTYPE_SECURITY_DOMAIN_LOCAL_GROUP ) ;
if ( ! ret ) {
return false ;
}
sstate - > acct_flags = 0 ;
return true ;
}
2014-11-25 14:45:26 +13:00
/*
* Instead of taking a gid or uid , this function takes a pointer to a
* unixid .
*
* This acts as an in - out variable so that the idmap functions can correctly
* receive ID_TYPE_BOTH , and this function ensures cache details are filled
* correctly rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID .
*/
static bool pdb_samba_dsdb_id_to_sid ( struct pdb_methods * m , struct unixid * id ,
struct dom_sid * sid )
2011-05-07 00:50:04 +10:00
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
NTSTATUS status ;
struct id_map id_map ;
struct id_map * id_maps [ 2 ] ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
if ( ! tmp_ctx ) {
return false ;
}
2014-11-25 14:45:26 +13:00
id_map . xid = * id ;
2011-05-07 00:50:04 +10:00
id_maps [ 0 ] = & id_map ;
id_maps [ 1 ] = NULL ;
status = idmap_xids_to_sids ( state - > idmap_ctx , tmp_ctx , id_maps ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
talloc_free ( tmp_ctx ) ;
return false ;
}
2014-11-25 14:45:26 +13:00
if ( id_map . xid . type ! = ID_TYPE_NOT_SPECIFIED ) {
id - > type = id_map . xid . type ;
2011-05-07 00:50:04 +10:00
}
* sid = * id_map . sid ;
talloc_free ( tmp_ctx ) ;
return true ;
}
2012-09-04 10:27:50 +10:00
static bool pdb_samba_dsdb_sid_to_id ( struct pdb_methods * m , const struct dom_sid * sid ,
2012-03-16 09:16:23 +11:00
struct unixid * id )
2011-05-07 00:50:04 +10:00
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
struct id_map id_map ;
struct id_map * id_maps [ 2 ] ;
NTSTATUS status ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
if ( ! tmp_ctx ) {
return false ;
}
ZERO_STRUCT ( id_map ) ;
2013-05-27 13:33:24 +02:00
id_map . sid = discard_const_p ( struct dom_sid , sid ) ;
2012-08-07 14:17:09 +10:00
id_maps [ 0 ] = & id_map ;
id_maps [ 1 ] = NULL ;
2011-05-07 00:50:04 +10:00
2012-08-07 14:17:09 +10:00
status = idmap_sids_to_xids ( state - > idmap_ctx , tmp_ctx , id_maps ) ;
talloc_free ( tmp_ctx ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2011-05-07 00:50:04 +10:00
return false ;
}
2012-08-07 14:17:09 +10:00
if ( id_map . xid . type ! = ID_TYPE_NOT_SPECIFIED ) {
* id = id_map . xid ;
return true ;
2011-05-07 00:50:04 +10:00
}
return false ;
}
2012-09-04 10:27:50 +10:00
static uint32_t pdb_samba_dsdb_capabilities ( struct pdb_methods * m )
2011-05-07 00:50:04 +10:00
{
2017-12-19 23:44:00 +01:00
return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX ;
2011-05-07 00:50:04 +10:00
}
2015-05-09 13:34:31 -07:00
static bool pdb_samba_dsdb_new_rid ( struct pdb_methods * m , uint32_t * rid )
2011-05-07 00:50:04 +10:00
{
return false ;
}
2012-09-04 10:27:50 +10:00
static bool pdb_samba_dsdb_get_trusteddom_pw ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
const char * domain , char * * pwd ,
struct dom_sid * sid ,
time_t * pass_last_set_time )
{
2014-08-15 15:01:31 +12:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
const char * const attrs [ ] = {
" securityIdentifier " ,
2014-12-16 15:06:56 +00:00
" flatName " ,
2014-08-15 15:01:31 +12:00
" trustPartner " ,
" trustAuthOutgoing " ,
" whenCreated " ,
" msDS-SupportedEncryptionTypes " ,
" trustAttributes " ,
" trustDirection " ,
" trustType " ,
NULL
} ;
struct ldb_message * msg ;
const struct ldb_val * password_val ;
int trust_direction_flags ;
int trust_type ;
int i ;
DATA_BLOB password_utf16 ;
struct trustAuthInOutBlob password_blob ;
struct AuthenticationInformationArray * auth_array ;
char * password_talloc ;
size_t password_len ;
enum ndr_err_code ndr_err ;
NTSTATUS status ;
2014-12-16 15:06:56 +00:00
const char * netbios_domain = NULL ;
2015-02-05 10:07:46 +00:00
const struct dom_sid * domain_sid = NULL ;
2014-08-15 15:01:31 +12:00
2015-03-30 10:17:51 +02:00
status = dsdb_trust_search_tdo ( state - > ldb , domain , NULL ,
attrs , tmp_ctx , & msg ) ;
2014-08-15 15:01:31 +12:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
/*
* This can be called to work out of a domain is
* trusted , rather than just to get the password
*/
2015-03-30 10:17:51 +02:00
DEBUG ( 2 , ( " Failed to get trusted domain password for %s - %s. "
" It may not be a trusted domain. \n " , domain ,
nt_errstr ( status ) ) ) ;
2014-08-15 15:01:31 +12:00
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
2014-12-16 15:06:56 +00:00
netbios_domain = ldb_msg_find_attr_as_string ( msg , " flatName " , NULL ) ;
if ( netbios_domain = = NULL ) {
DEBUG ( 2 , ( " Trusted domain %s has to flatName defined. \n " ,
domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
2015-02-05 10:07:46 +00:00
domain_sid = samdb_result_dom_sid ( tmp_ctx , msg , " securityIdentifier " ) ;
if ( domain_sid = = NULL ) {
DEBUG ( 2 , ( " Trusted domain %s has no securityIdentifier defined. \n " ,
domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
2014-08-15 15:01:31 +12:00
trust_direction_flags = ldb_msg_find_attr_as_int ( msg , " trustDirection " , 0 ) ;
if ( ! ( trust_direction_flags & LSA_TRUST_DIRECTION_OUTBOUND ) ) {
2019-08-12 14:35:37 +02:00
DBG_WARNING ( " Trusted domain %s is not an outbound trust. \n " ,
domain ) ;
2014-08-15 15:01:31 +12:00
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
trust_type = ldb_msg_find_attr_as_int ( msg , " trustType " , 0 ) ;
if ( trust_type = = LSA_TRUST_TYPE_MIT ) {
2019-08-12 14:35:37 +02:00
DBG_WARNING ( " Trusted domain %s is not an AD trust "
" (trustType == LSA_TRUST_TYPE_MIT). \n " , domain ) ;
2014-08-15 15:01:31 +12:00
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
password_val = ldb_msg_find_ldb_val ( msg , " trustAuthOutgoing " ) ;
if ( password_val = = NULL ) {
DEBUG ( 2 , ( " Failed to get trusted domain password for %s, "
" attribute trustAuthOutgoing not returned. \n " , domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
ndr_err = ndr_pull_struct_blob ( password_val , tmp_ctx , & password_blob ,
( ndr_pull_flags_fn_t ) ndr_pull_trustAuthInOutBlob ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
DEBUG ( 0 , ( " Failed to get trusted domain password for %s, "
2018-05-04 22:18:47 +02:00
" attribute trustAuthOutgoing could not be parsed %s. \n " ,
2014-08-15 15:01:31 +12:00
domain ,
ndr_map_error2string ( ndr_err ) ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
auth_array = & password_blob . current ;
for ( i = 0 ; i < auth_array - > count ; i + + ) {
if ( auth_array - > array [ i ] . AuthType = = TRUST_AUTH_TYPE_CLEAR ) {
break ;
}
}
if ( i = = auth_array - > count ) {
DEBUG ( 0 , ( " Trusted domain %s does not have a "
" clear-text password stored \n " ,
domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
password_utf16 = data_blob_const ( auth_array - > array [ i ] . AuthInfo . clear . password ,
auth_array - > array [ i ] . AuthInfo . clear . size ) ;
/*
* In the future , make this function return a
* cli_credentials that can store a MD4 hash with cli_credential_set_nt_hash ( )
* but for now convert to UTF8 and fail if the string can not be converted .
*
* We can ' t safely convert the random strings windows uses into
* utf8 .
*/
if ( ! convert_string_talloc ( tmp_ctx ,
2014-12-16 15:06:56 +00:00
CH_UTF16MUNGED , CH_UTF8 ,
2014-08-15 15:01:31 +12:00
password_utf16 . data , password_utf16 . length ,
( void * ) & password_talloc ,
& password_len ) ) {
DEBUG ( 0 , ( " FIXME: Could not convert password for trusted domain %s "
" to UTF8. This may be a password set from Windows. \n " ,
domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
* pwd = SMB_STRNDUP ( password_talloc , password_len ) ;
if ( pass_last_set_time ) {
* pass_last_set_time = nt_time_to_unix ( auth_array - > array [ i ] . LastUpdateTime ) ;
}
2015-02-05 10:07:46 +00:00
if ( sid ! = NULL ) {
sid_copy ( sid , domain_sid ) ;
}
2014-08-15 15:01:31 +12:00
TALLOC_FREE ( tmp_ctx ) ;
return true ;
2011-05-07 00:50:04 +10:00
}
2014-12-16 15:06:56 +00:00
static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds ( struct pdb_methods * m ,
const char * domain ,
TALLOC_CTX * mem_ctx ,
struct cli_credentials * * _creds )
{
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
const char * const attrs [ ] = {
" securityIdentifier " ,
" flatName " ,
" trustPartner " ,
" trustAuthOutgoing " ,
" whenCreated " ,
" msDS-SupportedEncryptionTypes " ,
" trustAttributes " ,
" trustDirection " ,
" trustType " ,
NULL
} ;
struct ldb_message * msg ;
const struct ldb_val * password_val ;
int trust_direction_flags ;
int trust_type ;
int i ;
DATA_BLOB password_utf16 = { } ;
2015-01-30 16:53:40 +00:00
struct samr_Password * password_nt = NULL ;
uint32_t password_version = 0 ;
DATA_BLOB old_password_utf16 = { } ;
struct samr_Password * old_password_nt = NULL ;
2014-12-16 15:06:56 +00:00
struct trustAuthInOutBlob password_blob ;
enum ndr_err_code ndr_err ;
NTSTATUS status ;
time_t last_set_time = 0 ;
struct cli_credentials * creds = NULL ;
bool ok ;
const char * my_netbios_name = NULL ;
const char * my_netbios_domain = NULL ;
2014-12-16 15:57:49 +00:00
const char * my_dns_domain = NULL ;
2014-12-16 15:06:56 +00:00
const char * netbios_domain = NULL ;
char * account_name = NULL ;
2014-12-16 15:57:49 +00:00
char * principal_name = NULL ;
2014-12-16 15:06:56 +00:00
const char * dns_domain = NULL ;
2015-03-30 10:17:51 +02:00
status = dsdb_trust_search_tdo ( state - > ldb , domain , NULL ,
attrs , tmp_ctx , & msg ) ;
2014-12-16 15:06:56 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
/*
* This can be called to work out of a domain is
* trusted , rather than just to get the password
*/
2015-03-30 10:17:51 +02:00
DEBUG ( 2 , ( " Failed to get trusted domain password for %s - %s "
" It may not be a trusted domain. \n " , domain ,
nt_errstr ( status ) ) ) ;
2014-12-16 15:06:56 +00:00
TALLOC_FREE ( tmp_ctx ) ;
2015-03-30 10:17:51 +02:00
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
2014-12-16 15:06:56 +00:00
}
netbios_domain = ldb_msg_find_attr_as_string ( msg , " flatName " , NULL ) ;
if ( netbios_domain = = NULL ) {
DEBUG ( 2 , ( " Trusted domain %s has to flatName defined. \n " ,
domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
}
dns_domain = ldb_msg_find_attr_as_string ( msg , " trustPartner " , NULL ) ;
trust_direction_flags = ldb_msg_find_attr_as_int ( msg , " trustDirection " , 0 ) ;
if ( ! ( trust_direction_flags & LSA_TRUST_DIRECTION_OUTBOUND ) ) {
2019-08-12 14:35:37 +02:00
DBG_WARNING ( " Trusted domain %s is not an outbound trust. \n " ,
domain ) ;
2014-12-16 15:06:56 +00:00
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
}
trust_type = ldb_msg_find_attr_as_int ( msg , " trustType " , 0 ) ;
if ( trust_type = = LSA_TRUST_TYPE_MIT ) {
2019-08-12 14:35:37 +02:00
DBG_WARNING ( " Trusted domain %s is not an AD trust "
" (trustType == LSA_TRUST_TYPE_MIT). \n " , domain ) ;
2014-12-16 15:06:56 +00:00
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
}
password_val = ldb_msg_find_ldb_val ( msg , " trustAuthOutgoing " ) ;
if ( password_val = = NULL ) {
DEBUG ( 2 , ( " Failed to get trusted domain password for %s, "
" attribute trustAuthOutgoing not returned. \n " , domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
}
ndr_err = ndr_pull_struct_blob ( password_val , tmp_ctx , & password_blob ,
( ndr_pull_flags_fn_t ) ndr_pull_trustAuthInOutBlob ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
DEBUG ( 0 , ( " Failed to get trusted domain password for %s, "
2018-05-04 22:18:47 +02:00
" attribute trustAuthOutgoing could not be parsed %s. \n " ,
2014-12-16 15:06:56 +00:00
domain ,
ndr_map_error2string ( ndr_err ) ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
}
2015-01-30 16:53:40 +00:00
for ( i = 0 ; i < password_blob . current . count ; i + + ) {
struct AuthenticationInformation * a =
& password_blob . current . array [ i ] ;
2014-12-16 15:06:56 +00:00
2015-01-30 16:53:40 +00:00
switch ( a - > AuthType ) {
case TRUST_AUTH_TYPE_NONE :
break ;
case TRUST_AUTH_TYPE_VERSION :
password_version = a - > AuthInfo . version . version ;
break ;
case TRUST_AUTH_TYPE_CLEAR :
last_set_time = nt_time_to_unix ( a - > LastUpdateTime ) ;
password_utf16 = data_blob_const ( a - > AuthInfo . clear . password ,
a - > AuthInfo . clear . size ) ;
password_nt = NULL ;
break ;
case TRUST_AUTH_TYPE_NT4OWF :
if ( password_utf16 . length ! = 0 ) {
break ;
}
last_set_time = nt_time_to_unix ( a - > LastUpdateTime ) ;
2014-12-16 15:06:56 +00:00
2015-01-30 16:53:40 +00:00
password_nt = & a - > AuthInfo . nt4owf . password ;
2014-12-16 15:06:56 +00:00
break ;
}
2015-01-30 16:53:40 +00:00
}
for ( i = 0 ; i < password_blob . previous . count ; i + + ) {
struct AuthenticationInformation * a = & password_blob . previous . array [ i ] ;
switch ( a - > AuthType ) {
case TRUST_AUTH_TYPE_NONE :
break ;
2014-12-16 15:06:56 +00:00
2015-01-30 16:53:40 +00:00
case TRUST_AUTH_TYPE_VERSION :
break ;
case TRUST_AUTH_TYPE_CLEAR :
old_password_utf16 = data_blob_const ( a - > AuthInfo . clear . password ,
a - > AuthInfo . clear . size ) ;
old_password_nt = NULL ;
break ;
case TRUST_AUTH_TYPE_NT4OWF :
if ( old_password_utf16 . length ! = 0 ) {
break ;
}
2014-12-16 15:06:56 +00:00
2015-01-30 16:53:40 +00:00
old_password_nt = & a - > AuthInfo . nt4owf . password ;
break ;
2014-12-16 15:06:56 +00:00
}
}
2015-01-30 16:53:40 +00:00
if ( password_utf16 . length = = 0 & & password_nt = = NULL ) {
2014-12-16 15:06:56 +00:00
DEBUG ( 0 , ( " Trusted domain %s does not have a "
" clear-text nor nt password stored \n " ,
domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
}
my_netbios_name = lpcfg_netbios_name ( state - > lp_ctx ) ;
my_netbios_domain = lpcfg_workgroup ( state - > lp_ctx ) ;
2014-12-16 15:57:49 +00:00
my_dns_domain = lpcfg_dnsdomain ( state - > lp_ctx ) ;
2014-12-16 15:06:56 +00:00
creds = cli_credentials_init ( tmp_ctx ) ;
if ( creds = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
ok = cli_credentials_set_workstation ( creds , my_netbios_name , CRED_SPECIFIED ) ;
if ( ! ok ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
ok = cli_credentials_set_domain ( creds , netbios_domain , CRED_SPECIFIED ) ;
if ( ! ok ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
ok = cli_credentials_set_realm ( creds , dns_domain , CRED_SPECIFIED ) ;
if ( ! ok ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2014-12-16 15:57:49 +00:00
if ( my_dns_domain ! = NULL & & dns_domain ! = NULL ) {
cli_credentials_set_secure_channel_type ( creds , SEC_CHAN_DNS_DOMAIN ) ;
account_name = talloc_asprintf ( tmp_ctx , " %s. " , my_dns_domain ) ;
if ( account_name = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
principal_name = talloc_asprintf ( tmp_ctx , " %s$@%s " , my_netbios_domain ,
cli_credentials_get_realm ( creds ) ) ;
if ( principal_name = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
} else {
cli_credentials_set_secure_channel_type ( creds , SEC_CHAN_DOMAIN ) ;
account_name = talloc_asprintf ( tmp_ctx , " %s$ " , my_netbios_domain ) ;
if ( account_name = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
principal_name = NULL ;
2014-12-16 15:06:56 +00:00
}
ok = cli_credentials_set_username ( creds , account_name , CRED_SPECIFIED ) ;
if ( ! ok ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2014-12-16 15:57:49 +00:00
if ( principal_name ! = NULL ) {
ok = cli_credentials_set_principal ( creds , principal_name ,
CRED_SPECIFIED ) ;
if ( ! ok ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
}
2015-01-30 16:53:40 +00:00
if ( old_password_nt ! = NULL ) {
ok = cli_credentials_set_old_nt_hash ( creds , old_password_nt ) ;
if ( ! ok ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
}
2014-12-16 15:06:56 +00:00
2015-01-30 16:53:40 +00:00
if ( old_password_utf16 . length > 0 ) {
ok = cli_credentials_set_old_utf16_password ( creds ,
& old_password_utf16 ) ;
if ( ! ok ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
}
2014-12-16 15:06:56 +00:00
2015-01-30 16:53:40 +00:00
if ( password_nt ! = NULL ) {
ok = cli_credentials_set_nt_hash ( creds , password_nt ,
2014-12-16 15:06:56 +00:00
CRED_SPECIFIED ) ;
if ( ! ok ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
}
if ( password_utf16 . length > 0 ) {
ok = cli_credentials_set_utf16_password ( creds ,
& password_utf16 ,
CRED_SPECIFIED ) ;
if ( ! ok ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
}
cli_credentials_set_password_last_changed_time ( creds , last_set_time ) ;
2015-01-30 16:53:40 +00:00
cli_credentials_set_kvno ( creds , password_version ) ;
2014-12-16 15:06:56 +00:00
if ( password_utf16 . length > 0 & & dns_domain ! = NULL ) {
/*
* Force kerberos if this is an active directory domain
*/
cli_credentials_set_kerberos_state ( creds ,
CRED_MUST_USE_KERBEROS ) ;
} else {
/*
* TODO : we should allow krb5 with the raw nt hash .
*/
cli_credentials_set_kerberos_state ( creds ,
CRED_DONT_USE_KERBEROS ) ;
}
* _creds = talloc_move ( mem_ctx , & creds ) ;
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static bool pdb_samba_dsdb_set_trusteddom_pw ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
const char * domain , const char * pwd ,
const struct dom_sid * sid )
{
2015-02-05 09:26:23 +00:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
const char * const attrs [ ] = {
" trustAuthOutgoing " ,
" trustDirection " ,
" trustType " ,
NULL
} ;
struct ldb_message * msg = NULL ;
int trust_direction_flags ;
int trust_type ;
2018-09-17 15:34:33 -07:00
uint32_t i ; /* The same type as old_blob.current.count */
2015-02-05 09:26:23 +00:00
const struct ldb_val * old_val = NULL ;
struct trustAuthInOutBlob old_blob = { } ;
uint32_t old_version = 0 ;
uint32_t new_version = 0 ;
DATA_BLOB new_utf16 = { } ;
struct trustAuthInOutBlob new_blob = { } ;
struct ldb_val new_val = { } ;
struct timeval tv = timeval_current ( ) ;
NTTIME now = timeval_to_nttime ( & tv ) ;
enum ndr_err_code ndr_err ;
NTSTATUS status ;
bool ok ;
int ret ;
ret = ldb_transaction_start ( state - > ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 2 , ( " Failed to start transaction. \n " ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
ok = samdb_is_pdc ( state - > ldb ) ;
if ( ! ok ) {
DEBUG ( 2 , ( " Password changes for domain %s are only allowed on a PDC. \n " ,
domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
2015-03-30 10:17:51 +02:00
status = dsdb_trust_search_tdo ( state - > ldb , domain , NULL ,
attrs , tmp_ctx , & msg ) ;
2015-02-05 09:26:23 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
/*
* This can be called to work out of a domain is
* trusted , rather than just to get the password
*/
2015-03-30 10:17:51 +02:00
DEBUG ( 2 , ( " Failed to get trusted domain password for %s - %s. "
" It may not be a trusted domain. \n " , domain ,
nt_errstr ( status ) ) ) ;
2015-02-05 09:26:23 +00:00
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
trust_direction_flags = ldb_msg_find_attr_as_int ( msg , " trustDirection " , 0 ) ;
if ( ! ( trust_direction_flags & LSA_TRUST_DIRECTION_OUTBOUND ) ) {
2019-08-12 14:35:37 +02:00
DBG_WARNING ( " Trusted domain %s is not an outbound trust, can't set a password. \n " ,
domain ) ;
2015-02-05 09:26:23 +00:00
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
trust_type = ldb_msg_find_attr_as_int ( msg , " trustType " , 0 ) ;
switch ( trust_type ) {
case LSA_TRUST_TYPE_DOWNLEVEL :
case LSA_TRUST_TYPE_UPLEVEL :
break ;
default :
DEBUG ( 0 , ( " Trusted domain %s is of type 0x%X - "
" password changes are not supported \n " ,
domain , ( unsigned ) trust_type ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
old_val = ldb_msg_find_ldb_val ( msg , " trustAuthOutgoing " ) ;
if ( old_val ! = NULL ) {
ndr_err = ndr_pull_struct_blob ( old_val , tmp_ctx , & old_blob ,
( ndr_pull_flags_fn_t ) ndr_pull_trustAuthInOutBlob ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
DEBUG ( 0 , ( " Failed to get trusted domain password for %s, "
2018-05-04 22:18:47 +02:00
" attribute trustAuthOutgoing could not be parsed %s. \n " ,
2015-02-05 09:26:23 +00:00
domain ,
ndr_map_error2string ( ndr_err ) ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
}
for ( i = 0 ; i < old_blob . current . count ; i + + ) {
struct AuthenticationInformation * a =
& old_blob . current . array [ i ] ;
switch ( a - > AuthType ) {
case TRUST_AUTH_TYPE_NONE :
break ;
case TRUST_AUTH_TYPE_VERSION :
old_version = a - > AuthInfo . version . version ;
break ;
case TRUST_AUTH_TYPE_CLEAR :
break ;
case TRUST_AUTH_TYPE_NT4OWF :
break ;
}
}
new_version = old_version + 1 ;
ok = convert_string_talloc ( tmp_ctx ,
CH_UNIX , CH_UTF16 ,
pwd , strlen ( pwd ) ,
( void * ) & new_utf16 . data ,
& new_utf16 . length ) ;
if ( ! ok ) {
DEBUG ( 0 , ( " Failed to generate new_utf16 password for domain %s \n " ,
domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
if ( new_utf16 . length < 28 ) {
DEBUG ( 0 , ( " new_utf16[%zu] version[%u] for domain %s to short. \n " ,
new_utf16 . length ,
( unsigned ) new_version ,
domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
if ( new_utf16 . length > 498 ) {
DEBUG ( 0 , ( " new_utf16[%zu] version[%u] for domain %s to long. \n " ,
new_utf16 . length ,
( unsigned ) new_version ,
domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
new_blob . count = MAX ( old_blob . current . count , 2 ) ;
new_blob . current . array = talloc_zero_array ( tmp_ctx ,
struct AuthenticationInformation ,
new_blob . count ) ;
if ( new_blob . current . array = = NULL ) {
DEBUG ( 0 , ( " talloc_zero_array(%u) failed \n " ,
( unsigned ) new_blob . count ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
new_blob . previous . array = talloc_zero_array ( tmp_ctx ,
struct AuthenticationInformation ,
new_blob . count ) ;
if ( new_blob . current . array = = NULL ) {
DEBUG ( 0 , ( " talloc_zero_array(%u) failed \n " ,
( unsigned ) new_blob . count ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
for ( i = 0 ; i < old_blob . current . count ; i + + ) {
struct AuthenticationInformation * o =
& old_blob . current . array [ i ] ;
struct AuthenticationInformation * p =
& new_blob . previous . array [ i ] ;
* p = * o ;
new_blob . previous . count + + ;
}
for ( ; i < new_blob . count ; i + + ) {
struct AuthenticationInformation * pi =
& new_blob . previous . array [ i ] ;
if ( i = = 0 ) {
/*
* new_blob . previous is still empty so
* we ' ll do new_blob . previous = new_blob . current
* below .
*/
break ;
}
pi - > LastUpdateTime = now ;
pi - > AuthType = TRUST_AUTH_TYPE_NONE ;
new_blob . previous . count + + ;
}
for ( i = 0 ; i < new_blob . count ; i + + ) {
struct AuthenticationInformation * ci =
& new_blob . current . array [ i ] ;
ci - > LastUpdateTime = now ;
switch ( i ) {
case 0 :
ci - > AuthType = TRUST_AUTH_TYPE_CLEAR ;
ci - > AuthInfo . clear . size = new_utf16 . length ;
ci - > AuthInfo . clear . password = new_utf16 . data ;
break ;
case 1 :
ci - > AuthType = TRUST_AUTH_TYPE_VERSION ;
ci - > AuthInfo . version . version = new_version ;
break ;
default :
ci - > AuthType = TRUST_AUTH_TYPE_NONE ;
break ;
}
new_blob . current . count + + ;
}
if ( new_blob . previous . count = = 0 ) {
TALLOC_FREE ( new_blob . previous . array ) ;
new_blob . previous = new_blob . current ;
}
ndr_err = ndr_push_struct_blob ( & new_val , tmp_ctx , & new_blob ,
( ndr_push_flags_fn_t ) ndr_push_trustAuthInOutBlob ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
DEBUG ( 0 , ( " Failed to generate trustAuthOutgoing for "
" trusted domain password for %s: %s. \n " ,
domain , ndr_map_error2string ( ndr_err ) ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
msg - > num_elements = 0 ;
ret = ldb_msg_add_empty ( msg , " trustAuthOutgoing " ,
LDB_FLAG_MOD_REPLACE , NULL ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( " ldb_msg_add_empty() failed \n " ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
ret = ldb_msg_add_value ( msg , " trustAuthOutgoing " ,
& new_val , NULL ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( " ldb_msg_add_value() failed \n " ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
ret = ldb_modify ( state - > ldb , msg ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( " Failed to replace trustAuthOutgoing for "
" trusted domain password for %s: %s - %s \n " ,
domain , ldb_strerror ( ret ) , ldb_errstring ( state - > ldb ) ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
ldb_transaction_cancel ( state - > ldb ) ;
return false ;
}
ret = ldb_transaction_commit ( state - > ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( " Failed to commit trustAuthOutgoing for "
" trusted domain password for %s: %s - %s \n " ,
domain , ldb_strerror ( ret ) , ldb_errstring ( state - > ldb ) ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
DEBUG ( 1 , ( " Added new_version[%u] to trustAuthOutgoing for "
" trusted domain password for %s. \n " ,
( unsigned ) new_version , domain ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return true ;
2011-05-07 00:50:04 +10:00
}
2012-09-04 10:27:50 +10:00
static bool pdb_samba_dsdb_del_trusteddom_pw ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
const char * domain )
{
return false ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_enum_trusteddoms ( struct pdb_methods * m ,
2011-05-07 00:50:04 +10:00
TALLOC_CTX * mem_ctx ,
2017-12-01 07:59:59 +01:00
uint32_t * _num_domains ,
struct trustdom_info * * * _domains )
2011-05-07 00:50:04 +10:00
{
2017-12-01 07:59:59 +01:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
const char * const attrs [ ] = {
" securityIdentifier " ,
" flatName " ,
" trustDirection " ,
NULL
} ;
struct ldb_result * res = NULL ;
unsigned int i ;
struct trustdom_info * * domains = NULL ;
NTSTATUS status ;
uint32_t di = 0 ;
* _num_domains = 0 ;
* _domains = NULL ;
status = dsdb_trust_search_tdos ( state - > ldb , NULL ,
attrs , tmp_ctx , & res ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DBG_ERR ( " dsdb_trust_search_tdos() - %s " , nt_errstr ( status ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return status ;
}
if ( res - > count = = 0 ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
domains = talloc_zero_array ( tmp_ctx , struct trustdom_info * ,
res - > count ) ;
if ( domains = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < res - > count ; i + + ) {
struct ldb_message * msg = res - > msgs [ i ] ;
struct trustdom_info * d = NULL ;
const char * name = NULL ;
struct dom_sid * sid = NULL ;
uint32_t direction ;
d = talloc_zero ( domains , struct trustdom_info ) ;
if ( d = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
name = ldb_msg_find_attr_as_string ( msg , " flatName " , NULL ) ;
if ( name = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
sid = samdb_result_dom_sid ( msg , msg , " securityIdentifier " ) ;
if ( sid = = NULL ) {
continue ;
}
direction = ldb_msg_find_attr_as_uint ( msg , " trustDirection " , 0 ) ;
if ( ! ( direction & LSA_TRUST_DIRECTION_OUTBOUND ) ) {
continue ;
}
d - > name = talloc_strdup ( d , name ) ;
if ( d - > name = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
d - > sid = * sid ;
domains [ di + + ] = d ;
}
2018-01-17 14:38:41 +01:00
domains = talloc_realloc ( domains , domains , struct trustdom_info * , di ) ;
2017-12-01 07:59:59 +01:00
* _domains = talloc_move ( mem_ctx , & domains ) ;
* _num_domains = di ;
TALLOC_FREE ( tmp_ctx ) ;
2011-05-07 00:50:04 +10:00
return NT_STATUS_OK ;
}
2017-12-01 08:41:29 +01:00
static NTSTATUS pdb_samba_dsdb_msg_to_trusted_domain ( const struct ldb_message * msg ,
TALLOC_CTX * mem_ctx ,
struct pdb_trusted_domain * * _d )
{
struct pdb_trusted_domain * d = NULL ;
const char * str = NULL ;
struct dom_sid * sid = NULL ;
const struct ldb_val * val = NULL ;
uint64_t val64 ;
* _d = NULL ;
d = talloc_zero ( mem_ctx , struct pdb_trusted_domain ) ;
if ( d = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
str = ldb_msg_find_attr_as_string ( msg , " flatName " , NULL ) ;
if ( str = = NULL ) {
TALLOC_FREE ( d ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
d - > netbios_name = talloc_strdup ( d , str ) ;
if ( d - > netbios_name = = NULL ) {
TALLOC_FREE ( d ) ;
return NT_STATUS_NO_MEMORY ;
}
str = ldb_msg_find_attr_as_string ( msg , " trustPartner " , NULL ) ;
if ( str ! = NULL ) {
d - > domain_name = talloc_strdup ( d , str ) ;
if ( d - > domain_name = = NULL ) {
TALLOC_FREE ( d ) ;
return NT_STATUS_NO_MEMORY ;
}
}
sid = samdb_result_dom_sid ( d , msg , " securityIdentifier " ) ;
if ( sid ! = NULL ) {
d - > security_identifier = * sid ;
TALLOC_FREE ( sid ) ;
}
val = ldb_msg_find_ldb_val ( msg , " trustAuthOutgoing " ) ;
if ( val ! = NULL ) {
d - > trust_auth_outgoing = data_blob_dup_talloc ( d , * val ) ;
if ( d - > trust_auth_outgoing . data = = NULL ) {
TALLOC_FREE ( d ) ;
return NT_STATUS_NO_MEMORY ;
}
}
val = ldb_msg_find_ldb_val ( msg , " trustAuthIncoming " ) ;
if ( val ! = NULL ) {
d - > trust_auth_incoming = data_blob_dup_talloc ( d , * val ) ;
if ( d - > trust_auth_incoming . data = = NULL ) {
TALLOC_FREE ( d ) ;
return NT_STATUS_NO_MEMORY ;
}
}
d - > trust_direction = ldb_msg_find_attr_as_uint ( msg , " trustDirection " , 0 ) ;
d - > trust_type = ldb_msg_find_attr_as_uint ( msg , " trustType " , 0 ) ;
d - > trust_attributes = ldb_msg_find_attr_as_uint ( msg , " trustAttributes " , 0 ) ;
val64 = ldb_msg_find_attr_as_uint64 ( msg , " trustPosixOffset " , UINT64_MAX ) ;
if ( val64 ! = UINT64_MAX ) {
d - > trust_posix_offset = talloc ( d , uint32_t ) ;
if ( d - > trust_posix_offset = = NULL ) {
TALLOC_FREE ( d ) ;
return NT_STATUS_NO_MEMORY ;
}
* d - > trust_posix_offset = ( uint32_t ) val64 ;
}
val64 = ldb_msg_find_attr_as_uint64 ( msg , " msDS-SupportedEncryptionTypes " , UINT64_MAX ) ;
if ( val64 ! = UINT64_MAX ) {
d - > supported_enc_type = talloc ( d , uint32_t ) ;
if ( d - > supported_enc_type = = NULL ) {
TALLOC_FREE ( d ) ;
return NT_STATUS_NO_MEMORY ;
}
* d - > supported_enc_type = ( uint32_t ) val64 ;
}
val = ldb_msg_find_ldb_val ( msg , " msDS-TrustForestTrustInfo " ) ;
if ( val ! = NULL ) {
d - > trust_forest_trust_info = data_blob_dup_talloc ( d , * val ) ;
if ( d - > trust_forest_trust_info . data = = NULL ) {
TALLOC_FREE ( d ) ;
return NT_STATUS_NO_MEMORY ;
}
}
* _d = d ;
return NT_STATUS_OK ;
}
static NTSTATUS pdb_samba_dsdb_get_trusted_domain ( struct pdb_methods * m ,
TALLOC_CTX * mem_ctx ,
const char * domain ,
struct pdb_trusted_domain * * td )
{
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
const char * const attrs [ ] = {
" securityIdentifier " ,
" flatName " ,
" trustPartner " ,
" trustAuthOutgoing " ,
" trustAuthIncoming " ,
" trustAttributes " ,
" trustDirection " ,
" trustType " ,
" trustPosixOffset " ,
" msDS-SupportedEncryptionTypes " ,
" msDS-TrustForestTrustInfo " ,
NULL
} ;
struct ldb_message * msg = NULL ;
struct pdb_trusted_domain * d = NULL ;
NTSTATUS status ;
status = dsdb_trust_search_tdo ( state - > ldb , domain , NULL ,
attrs , tmp_ctx , & msg ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DBG_ERR ( " dsdb_trust_search_tdo(%s) - %s " ,
domain , nt_errstr ( status ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return status ;
}
status = pdb_samba_dsdb_msg_to_trusted_domain ( msg , mem_ctx , & d ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DBG_ERR ( " pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s " ,
domain , nt_errstr ( status ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return status ;
}
* td = d ;
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
static NTSTATUS pdb_samba_dsdb_get_trusted_domain_by_sid ( struct pdb_methods * m ,
TALLOC_CTX * mem_ctx ,
struct dom_sid * sid ,
struct pdb_trusted_domain * * td )
{
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
const char * const attrs [ ] = {
" securityIdentifier " ,
" flatName " ,
" trustPartner " ,
" trustAuthOutgoing " ,
" trustAuthIncoming " ,
" trustAttributes " ,
" trustDirection " ,
" trustType " ,
" trustPosixOffset " ,
" msDS-SupportedEncryptionTypes " ,
" msDS-TrustForestTrustInfo " ,
NULL
} ;
struct ldb_message * msg = NULL ;
struct pdb_trusted_domain * d = NULL ;
2018-12-16 16:59:32 +01:00
struct dom_sid_buf buf ;
2017-12-01 08:41:29 +01:00
NTSTATUS status ;
status = dsdb_trust_search_tdo_by_sid ( state - > ldb , sid ,
attrs , tmp_ctx , & msg ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DBG_ERR ( " dsdb_trust_search_tdo_by_sid(%s) - %s " ,
2018-12-16 16:59:32 +01:00
dom_sid_str_buf ( sid , & buf ) ,
nt_errstr ( status ) ) ;
2017-12-01 08:41:29 +01:00
TALLOC_FREE ( tmp_ctx ) ;
return status ;
}
status = pdb_samba_dsdb_msg_to_trusted_domain ( msg , mem_ctx , & d ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DBG_ERR ( " pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s " ,
2018-12-16 16:59:32 +01:00
dom_sid_str_buf ( sid , & buf ) ,
nt_errstr ( status ) ) ;
2017-12-01 08:41:29 +01:00
TALLOC_FREE ( tmp_ctx ) ;
return status ;
}
* td = d ;
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
2017-12-10 20:03:37 +01:00
static NTSTATUS add_trust_user ( TALLOC_CTX * mem_ctx ,
struct ldb_context * sam_ldb ,
struct ldb_dn * base_dn ,
const char * netbios_name ,
struct trustAuthInOutBlob * taiob )
{
struct ldb_request * req = NULL ;
struct ldb_message * msg = NULL ;
struct ldb_dn * dn = NULL ;
uint32_t i ;
int ret ;
bool ok ;
dn = ldb_dn_copy ( mem_ctx , base_dn ) ;
if ( dn = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
ok = ldb_dn_add_child_fmt ( dn , " cn=%s$,cn=users " , netbios_name ) ;
if ( ! ok ) {
return NT_STATUS_NO_MEMORY ;
}
msg = ldb_msg_new ( mem_ctx ) ;
if ( msg = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
msg - > dn = dn ;
ret = ldb_msg_add_string ( msg , " objectClass " , " user " ) ;
if ( ret ! = LDB_SUCCESS ) {
return NT_STATUS_NO_MEMORY ;
}
ret = ldb_msg_add_fmt ( msg , " samAccountName " , " %s$ " , netbios_name ) ;
if ( ret ! = LDB_SUCCESS ) {
return NT_STATUS_NO_MEMORY ;
}
ret = samdb_msg_add_uint ( sam_ldb , msg , msg , " userAccountControl " ,
UF_INTERDOMAIN_TRUST_ACCOUNT ) ;
if ( ret ! = LDB_SUCCESS ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < taiob - > count ; i + + ) {
struct AuthenticationInformation * auth_info =
& taiob - > current . array [ i ] ;
const char * attribute = NULL ;
struct ldb_val v ;
switch ( taiob - > current . array [ i ] . AuthType ) {
case TRUST_AUTH_TYPE_NT4OWF :
attribute = " unicodePwd " ;
v . data = ( uint8_t * ) & auth_info - > AuthInfo . nt4owf . password ;
v . length = 16 ;
break ;
case TRUST_AUTH_TYPE_CLEAR :
attribute = " clearTextPassword " ;
v . data = auth_info - > AuthInfo . clear . password ;
v . length = auth_info - > AuthInfo . clear . size ;
break ;
default :
continue ;
}
ret = ldb_msg_add_value ( msg , attribute , & v , NULL ) ;
if ( ret ! = LDB_SUCCESS ) {
return NT_STATUS_NO_MEMORY ;
}
}
/* create the trusted_domain user account */
ret = ldb_build_add_req ( & req , sam_ldb , mem_ctx , msg , NULL , NULL ,
ldb_op_default_callback , NULL ) ;
if ( ret ! = LDB_SUCCESS ) {
return NT_STATUS_NO_MEMORY ;
}
ret = ldb_request_add_control (
req , DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID ,
false , NULL ) ;
if ( ret ! = LDB_SUCCESS ) {
return NT_STATUS_NO_MEMORY ;
}
ret = dsdb_autotransaction_request ( sam_ldb , req ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( " Failed to create user record %s: %s \n " ,
ldb_dn_get_linearized ( msg - > dn ) ,
ldb_errstring ( sam_ldb ) ) ) ;
switch ( ret ) {
case LDB_ERR_ENTRY_ALREADY_EXISTS :
return NT_STATUS_DOMAIN_EXISTS ;
case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS :
return NT_STATUS_ACCESS_DENIED ;
default :
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
}
return NT_STATUS_OK ;
}
2017-12-01 08:41:29 +01:00
static NTSTATUS pdb_samba_dsdb_set_trusted_domain ( struct pdb_methods * methods ,
const char * domain ,
const struct pdb_trusted_domain * td )
{
2017-12-10 20:03:37 +01:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
methods - > private_data , struct pdb_samba_dsdb_state ) ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
bool in_txn = false ;
struct ldb_dn * base_dn = NULL ;
struct ldb_message * msg = NULL ;
const char * attrs [ ] = {
NULL
} ;
char * netbios_encoded = NULL ;
char * dns_encoded = NULL ;
char * sid_encoded = NULL ;
int ret ;
struct trustAuthInOutBlob taiob ;
enum ndr_err_code ndr_err ;
NTSTATUS status ;
bool ok ;
base_dn = ldb_dn_copy ( tmp_ctx , ldb_get_default_basedn ( state - > ldb ) ) ;
if ( base_dn = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
/*
* We expect S - 1 - 5 - 21 - A - B - C , but we don ' t
* allow S - 1 - 5 - 21 - 0 - 0 - 0 as this is used
* for claims and compound identities .
*/
2018-01-25 11:23:12 +01:00
ok = dom_sid_is_valid_account_domain ( & td - > security_identifier ) ;
2017-12-10 20:03:37 +01:00
if ( ! ok ) {
status = NT_STATUS_INVALID_PARAMETER ;
goto out ;
}
if ( strequal ( td - > netbios_name , " BUILTIN " ) ) {
status = NT_STATUS_INVALID_PARAMETER ;
goto out ;
}
if ( strequal ( td - > domain_name , " BUILTIN " ) ) {
status = NT_STATUS_INVALID_PARAMETER ;
goto out ;
}
dns_encoded = ldb_binary_encode_string ( tmp_ctx , td - > domain_name ) ;
if ( dns_encoded = = NULL ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
netbios_encoded = ldb_binary_encode_string ( tmp_ctx , td - > netbios_name ) ;
if ( netbios_encoded = = NULL ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
sid_encoded = ldap_encode_ndr_dom_sid ( tmp_ctx , & td - > security_identifier ) ;
if ( sid_encoded = = NULL ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
ok = samdb_is_pdc ( state - > ldb ) ;
if ( ! ok ) {
DBG_ERR ( " Adding TDO is only allowed on a PDC. \n " ) ;
TALLOC_FREE ( tmp_ctx ) ;
status = NT_STATUS_INVALID_DOMAIN_ROLE ;
goto out ;
}
status = dsdb_trust_search_tdo ( state - > ldb ,
td - > netbios_name ,
td - > domain_name ,
attrs ,
tmp_ctx ,
& msg ) ;
if ( ! NT_STATUS_EQUAL ( status , NT_STATUS_OBJECT_NAME_NOT_FOUND ) ) {
DBG_ERR ( " dsdb_trust_search_tdo returned %s \n " ,
nt_errstr ( status ) ) ;
status = NT_STATUS_INVALID_DOMAIN_STATE ;
goto out ;
}
ret = ldb_transaction_start ( state - > ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_INTERNAL_DB_CORRUPTION ;
goto out ;
}
in_txn = true ;
msg = ldb_msg_new ( tmp_ctx ) ;
if ( msg = = NULL ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
msg - > dn = ldb_dn_copy ( tmp_ctx , base_dn ) ;
ok = ldb_dn_add_child_fmt ( msg - > dn , " cn=%s,cn=System " , td - > domain_name ) ;
if ( ! ok ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
ret = ldb_msg_add_string ( msg , " objectClass " , " trustedDomain " ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
ret = ldb_msg_add_string ( msg , " flatname " , td - > netbios_name ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
ret = ldb_msg_add_string ( msg , " trustPartner " , td - > domain_name ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
ret = samdb_msg_add_dom_sid ( state - > ldb ,
tmp_ctx ,
msg ,
" securityIdentifier " ,
& td - > security_identifier ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
ret = samdb_msg_add_int ( state - > ldb ,
tmp_ctx ,
msg ,
" trustType " ,
td - > trust_type ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
ret = samdb_msg_add_int ( state - > ldb ,
tmp_ctx ,
msg ,
" trustAttributes " ,
td - > trust_attributes ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
ret = samdb_msg_add_int ( state - > ldb ,
tmp_ctx ,
msg ,
" trustDirection " ,
td - > trust_direction ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
if ( td - > trust_auth_incoming . data ! = NULL ) {
ret = ldb_msg_add_value ( msg ,
" trustAuthIncoming " ,
& td - > trust_auth_incoming ,
NULL ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
}
if ( td - > trust_auth_outgoing . data ! = NULL ) {
ret = ldb_msg_add_value ( msg ,
" trustAuthOutgoing " ,
& td - > trust_auth_outgoing ,
NULL ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
}
/* create the trusted_domain */
ret = ldb_add ( state - > ldb , msg ) ;
switch ( ret ) {
case LDB_SUCCESS :
break ;
case LDB_ERR_ENTRY_ALREADY_EXISTS :
DBG_ERR ( " Failed to create trusted domain record %s: %s \n " ,
ldb_dn_get_linearized ( msg - > dn ) ,
ldb_errstring ( state - > ldb ) ) ;
status = NT_STATUS_DOMAIN_EXISTS ;
goto out ;
case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS :
DBG_ERR ( " Failed to create trusted domain record %s: %s \n " ,
ldb_dn_get_linearized ( msg - > dn ) ,
ldb_errstring ( state - > ldb ) ) ;
status = NT_STATUS_ACCESS_DENIED ;
goto out ;
default :
DBG_ERR ( " Failed to create trusted domain record %s: %s \n " ,
ldb_dn_get_linearized ( msg - > dn ) ,
ldb_errstring ( state - > ldb ) ) ;
status = NT_STATUS_INTERNAL_DB_CORRUPTION ;
goto out ;
}
ndr_err = ndr_pull_struct_blob (
& td - > trust_auth_outgoing ,
tmp_ctx ,
& taiob ,
( ndr_pull_flags_fn_t ) ndr_pull_trustAuthInOutBlob ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
status = ndr_map_error2ntstatus ( ndr_err ) ;
goto out ;
}
if ( td - > trust_direction = = LSA_TRUST_DIRECTION_INBOUND ) {
status = add_trust_user ( tmp_ctx ,
state - > ldb ,
base_dn ,
td - > netbios_name ,
& taiob ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto out ;
}
}
ret = ldb_transaction_commit ( state - > ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
in_txn = false ;
/*
* TODO : Notify winbindd that we have a new trust
*/
status = NT_STATUS_OK ;
out :
if ( in_txn ) {
ldb_transaction_cancel ( state - > ldb ) ;
}
TALLOC_FREE ( tmp_ctx ) ;
return status ;
2017-12-01 08:41:29 +01:00
}
2017-12-11 07:57:27 +01:00
static NTSTATUS delete_trust_user ( TALLOC_CTX * mem_ctx ,
struct pdb_samba_dsdb_state * state ,
const char * trust_user )
{
const char * attrs [ ] = { " userAccountControl " , NULL } ;
struct ldb_message * * msgs ;
uint32_t uac ;
int ret ;
ret = gendb_search ( state - > ldb ,
mem_ctx ,
ldb_get_default_basedn ( state - > ldb ) ,
& msgs ,
attrs ,
" samAccountName=%s$ " ,
trust_user ) ;
if ( ret > 1 ) {
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
if ( ret = = 0 ) {
return NT_STATUS_OK ;
}
uac = ldb_msg_find_attr_as_uint ( msgs [ 0 ] ,
" userAccountControl " ,
0 ) ;
if ( ! ( uac & UF_INTERDOMAIN_TRUST_ACCOUNT ) ) {
return NT_STATUS_OBJECT_NAME_COLLISION ;
}
ret = ldb_delete ( state - > ldb , msgs [ 0 ] - > dn ) ;
switch ( ret ) {
case LDB_SUCCESS :
break ;
case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS :
return NT_STATUS_ACCESS_DENIED ;
default :
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
return NT_STATUS_OK ;
}
2017-12-01 08:41:29 +01:00
static NTSTATUS pdb_samba_dsdb_del_trusted_domain ( struct pdb_methods * methods ,
const char * domain )
{
2017-12-11 07:57:27 +01:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
methods - > private_data , struct pdb_samba_dsdb_state ) ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
struct pdb_trusted_domain * td = NULL ;
struct ldb_dn * tdo_dn = NULL ;
bool in_txn = false ;
NTSTATUS status ;
int ret ;
bool ok ;
status = pdb_samba_dsdb_get_trusted_domain ( methods ,
tmp_ctx ,
domain ,
& td ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
if ( ! NT_STATUS_EQUAL ( status , NT_STATUS_OBJECT_NAME_NOT_FOUND ) ) {
DBG_ERR ( " Searching TDO for %s returned %s \n " ,
domain , nt_errstr ( status ) ) ;
return status ;
}
DBG_NOTICE ( " No TDO object for %s \n " , domain ) ;
return NT_STATUS_OK ;
}
tdo_dn = ldb_dn_copy ( tmp_ctx , ldb_get_default_basedn ( state - > ldb ) ) ;
if ( tdo_dn = = NULL ) {
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
ok = ldb_dn_add_child_fmt ( tdo_dn , " cn=%s,cn=System " , domain ) ;
if ( ! ok ) {
TALLOC_FREE ( tmp_ctx ) ;
status = NT_STATUS_NO_MEMORY ;
goto out ;
}
ret = ldb_transaction_start ( state - > ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_INTERNAL_DB_CORRUPTION ;
goto out ;
}
in_txn = true ;
ret = ldb_delete ( state - > ldb , tdo_dn ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_INVALID_HANDLE ;
goto out ;
}
if ( td - > trust_direction = = LSA_TRUST_DIRECTION_INBOUND ) {
status = delete_trust_user ( tmp_ctx , state , domain ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto out ;
}
}
ret = ldb_transaction_commit ( state - > ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
status = NT_STATUS_INTERNAL_DB_CORRUPTION ;
goto out ;
}
in_txn = false ;
status = NT_STATUS_OK ;
out :
if ( in_txn ) {
ldb_transaction_cancel ( state - > ldb ) ;
}
TALLOC_FREE ( tmp_ctx ) ;
return status ;
2017-12-01 08:41:29 +01:00
}
static NTSTATUS pdb_samba_dsdb_enum_trusted_domains ( struct pdb_methods * m ,
TALLOC_CTX * mem_ctx ,
uint32_t * _num_domains ,
struct pdb_trusted_domain * * * _domains )
{
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
m - > private_data , struct pdb_samba_dsdb_state ) ;
TALLOC_CTX * tmp_ctx = talloc_stackframe ( ) ;
const char * const attrs [ ] = {
" securityIdentifier " ,
" flatName " ,
" trustPartner " ,
" trustAuthOutgoing " ,
" trustAuthIncoming " ,
" trustAttributes " ,
" trustDirection " ,
" trustType " ,
" trustPosixOffset " ,
" msDS-SupportedEncryptionTypes " ,
" msDS-TrustForestTrustInfo " ,
NULL
} ;
struct ldb_result * res = NULL ;
unsigned int i ;
struct pdb_trusted_domain * * domains = NULL ;
NTSTATUS status ;
uint32_t di = 0 ;
* _num_domains = 0 ;
* _domains = NULL ;
status = dsdb_trust_search_tdos ( state - > ldb , NULL ,
attrs , tmp_ctx , & res ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DBG_ERR ( " dsdb_trust_search_tdos() - %s " , nt_errstr ( status ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return status ;
}
if ( res - > count = = 0 ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
domains = talloc_zero_array ( tmp_ctx , struct pdb_trusted_domain * ,
res - > count ) ;
if ( domains = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < res - > count ; i + + ) {
struct ldb_message * msg = res - > msgs [ i ] ;
struct pdb_trusted_domain * d = NULL ;
status = pdb_samba_dsdb_msg_to_trusted_domain ( msg , domains , & d ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DBG_ERR ( " pdb_samba_dsdb_msg_to_trusted_domain() - %s " ,
nt_errstr ( status ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return status ;
}
domains [ di + + ] = d ;
}
2018-01-17 14:38:41 +01:00
domains = talloc_realloc ( domains , domains , struct pdb_trusted_domain * ,
di ) ;
2017-12-01 08:41:29 +01:00
* _domains = talloc_move ( mem_ctx , & domains ) ;
* _num_domains = di ;
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
2013-06-18 10:43:38 +02:00
static bool pdb_samba_dsdb_is_responsible_for_wellknown ( struct pdb_methods * m )
{
return true ;
}
2014-03-28 15:36:22 +13:00
static bool pdb_samba_dsdb_is_responsible_for_everything_else ( struct pdb_methods * m )
{
return true ;
}
2012-09-04 10:27:50 +10:00
static void pdb_samba_dsdb_init_methods ( struct pdb_methods * m )
{
m - > name = " samba_dsdb " ;
m - > get_domain_info = pdb_samba_dsdb_get_domain_info ;
m - > getsampwnam = pdb_samba_dsdb_getsampwnam ;
m - > getsampwsid = pdb_samba_dsdb_getsampwsid ;
m - > create_user = pdb_samba_dsdb_create_user ;
m - > delete_user = pdb_samba_dsdb_delete_user ;
m - > add_sam_account = pdb_samba_dsdb_add_sam_account ;
m - > update_sam_account = pdb_samba_dsdb_update_sam_account ;
m - > delete_sam_account = pdb_samba_dsdb_delete_sam_account ;
m - > rename_sam_account = pdb_samba_dsdb_rename_sam_account ;
m - > update_login_attempts = pdb_samba_dsdb_update_login_attempts ;
m - > getgrsid = pdb_samba_dsdb_getgrsid ;
m - > getgrgid = pdb_samba_dsdb_getgrgid ;
m - > getgrnam = pdb_samba_dsdb_getgrnam ;
m - > create_dom_group = pdb_samba_dsdb_create_dom_group ;
m - > delete_dom_group = pdb_samba_dsdb_delete_dom_group ;
m - > add_group_mapping_entry = pdb_samba_dsdb_add_group_mapping_entry ;
m - > update_group_mapping_entry = pdb_samba_dsdb_update_group_mapping_entry ;
m - > delete_group_mapping_entry = pdb_samba_dsdb_delete_group_mapping_entry ;
m - > enum_group_mapping = pdb_samba_dsdb_enum_group_mapping ;
m - > enum_group_members = pdb_samba_dsdb_enum_group_members ;
m - > enum_group_memberships = pdb_samba_dsdb_enum_group_memberships ;
m - > set_unix_primary_group = pdb_samba_dsdb_set_unix_primary_group ;
m - > add_groupmem = pdb_samba_dsdb_add_groupmem ;
m - > del_groupmem = pdb_samba_dsdb_del_groupmem ;
m - > create_alias = pdb_samba_dsdb_create_alias ;
m - > delete_alias = pdb_samba_dsdb_delete_alias ;
2011-05-07 00:50:04 +10:00
m - > get_aliasinfo = pdb_default_get_aliasinfo ;
2012-09-04 10:27:50 +10:00
m - > add_aliasmem = pdb_samba_dsdb_add_aliasmem ;
m - > del_aliasmem = pdb_samba_dsdb_del_aliasmem ;
m - > enum_aliasmem = pdb_samba_dsdb_enum_aliasmem ;
m - > enum_alias_memberships = pdb_samba_dsdb_enum_alias_memberships ;
m - > lookup_rids = pdb_samba_dsdb_lookup_rids ;
m - > lookup_names = pdb_samba_dsdb_lookup_names ;
m - > get_account_policy = pdb_samba_dsdb_get_account_policy ;
m - > set_account_policy = pdb_samba_dsdb_set_account_policy ;
m - > get_seq_num = pdb_samba_dsdb_get_seq_num ;
m - > search_users = pdb_samba_dsdb_search_users ;
m - > search_groups = pdb_samba_dsdb_search_groups ;
m - > search_aliases = pdb_samba_dsdb_search_aliases ;
2014-11-25 14:45:26 +13:00
m - > id_to_sid = pdb_samba_dsdb_id_to_sid ;
2012-09-04 10:27:50 +10:00
m - > sid_to_id = pdb_samba_dsdb_sid_to_id ;
m - > capabilities = pdb_samba_dsdb_capabilities ;
m - > new_rid = pdb_samba_dsdb_new_rid ;
m - > get_trusteddom_pw = pdb_samba_dsdb_get_trusteddom_pw ;
2014-12-16 15:06:56 +00:00
m - > get_trusteddom_creds = pdb_samba_dsdb_get_trusteddom_creds ;
2012-09-04 10:27:50 +10:00
m - > set_trusteddom_pw = pdb_samba_dsdb_set_trusteddom_pw ;
m - > del_trusteddom_pw = pdb_samba_dsdb_del_trusteddom_pw ;
m - > enum_trusteddoms = pdb_samba_dsdb_enum_trusteddoms ;
2017-12-01 08:41:29 +01:00
m - > get_trusted_domain = pdb_samba_dsdb_get_trusted_domain ;
m - > get_trusted_domain_by_sid = pdb_samba_dsdb_get_trusted_domain_by_sid ;
m - > set_trusted_domain = pdb_samba_dsdb_set_trusted_domain ;
m - > del_trusted_domain = pdb_samba_dsdb_del_trusted_domain ;
m - > enum_trusted_domains = pdb_samba_dsdb_enum_trusted_domains ;
2013-06-18 10:43:38 +02:00
m - > is_responsible_for_wellknown =
pdb_samba_dsdb_is_responsible_for_wellknown ;
2014-03-28 15:36:22 +13:00
m - > is_responsible_for_everything_else =
pdb_samba_dsdb_is_responsible_for_everything_else ;
2011-05-07 00:50:04 +10:00
}
static void free_private_data ( void * * vp )
{
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state = talloc_get_type_abort (
* vp , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
talloc_unlink ( state , state - > ldb ) ;
return ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_samba_dsdb_init_secrets ( struct pdb_methods * m )
2012-01-26 15:33:02 -05:00
{
struct pdb_domain_info * dom_info ;
2014-05-13 17:47:03 +12:00
struct dom_sid stored_sid ;
struct GUID stored_guid ;
bool sid_exists_and_matches = false ;
bool guid_exists_and_matches = false ;
2012-01-26 15:33:02 -05:00
bool ret ;
2012-09-04 10:27:50 +10:00
dom_info = pdb_samba_dsdb_get_domain_info ( m , m ) ;
2012-01-26 15:33:02 -05:00
if ( ! dom_info ) {
return NT_STATUS_UNSUCCESSFUL ;
}
2014-05-13 17:47:03 +12:00
ret = secrets_fetch_domain_sid ( dom_info - > name , & stored_sid ) ;
if ( ret ) {
if ( dom_sid_equal ( & stored_sid , & dom_info - > sid ) ) {
sid_exists_and_matches = true ;
}
2012-01-26 15:33:02 -05:00
}
2014-05-13 17:47:03 +12:00
if ( sid_exists_and_matches = = false ) {
secrets_clear_domain_protection ( dom_info - > name ) ;
ret = secrets_store_domain_sid ( dom_info - > name ,
& dom_info - > sid ) ;
ret & = secrets_mark_domain_protected ( dom_info - > name ) ;
if ( ! ret ) {
goto done ;
}
2012-01-26 15:33:02 -05:00
}
2014-05-13 17:47:03 +12:00
ret = secrets_fetch_domain_guid ( dom_info - > name , & stored_guid ) ;
if ( ret ) {
if ( GUID_equal ( & stored_guid , & dom_info - > guid ) ) {
guid_exists_and_matches = true ;
}
}
if ( guid_exists_and_matches = = false ) {
secrets_clear_domain_protection ( dom_info - > name ) ;
ret = secrets_store_domain_guid ( dom_info - > name ,
& dom_info - > guid ) ;
ret & = secrets_mark_domain_protected ( dom_info - > name ) ;
if ( ! ret ) {
goto done ;
}
2012-01-26 15:33:02 -05:00
}
done :
TALLOC_FREE ( dom_info ) ;
if ( ! ret ) {
return NT_STATUS_UNSUCCESSFUL ;
}
return NT_STATUS_OK ;
}
2012-09-04 10:27:50 +10:00
static NTSTATUS pdb_init_samba_dsdb ( struct pdb_methods * * pdb_method ,
2011-05-07 00:50:04 +10:00
const char * location )
{
struct pdb_methods * m ;
2012-09-04 10:27:50 +10:00
struct pdb_samba_dsdb_state * state ;
2011-05-07 00:50:04 +10:00
NTSTATUS status ;
2017-09-14 15:02:36 +12:00
char * errstring = NULL ;
int ret ;
2011-05-07 00:50:04 +10:00
if ( ! NT_STATUS_IS_OK ( status = make_pdb_method ( & m ) ) ) {
return status ;
}
2012-09-04 10:27:50 +10:00
state = talloc_zero ( m , struct pdb_samba_dsdb_state ) ;
2011-05-07 00:50:04 +10:00
if ( state = = NULL ) {
goto nomem ;
}
m - > private_data = state ;
m - > free_private_data = free_private_data ;
2012-09-04 10:27:50 +10:00
pdb_samba_dsdb_init_methods ( m ) ;
2011-05-07 00:50:04 +10:00
state - > ev = s4_event_context_init ( state ) ;
if ( ! state - > ev ) {
2011-08-12 15:44:39 +10:00
DEBUG ( 0 , ( " s4_event_context_init failed \n " ) ) ;
goto nomem ;
2011-05-07 00:50:04 +10:00
}
2012-06-27 23:24:39 +10:00
state - > lp_ctx = loadparm_init_s3 ( state , loadparm_s3_helpers ( ) ) ;
2011-05-07 00:50:04 +10:00
if ( state - > lp_ctx = = NULL ) {
2011-08-12 15:44:39 +10:00
DEBUG ( 0 , ( " loadparm_init_s3 failed \n " ) ) ;
goto nomem ;
2011-05-07 00:50:04 +10:00
}
2017-09-14 15:02:36 +12:00
if ( location = = NULL ) {
location = " sam.ldb " ;
2011-08-12 15:45:43 +10:00
}
2011-05-07 00:50:04 +10:00
2017-09-14 15:02:36 +12:00
ret = samdb_connect_url ( state ,
state - > ev ,
state - > lp_ctx ,
system_session ( state - > lp_ctx ) ,
2018-04-12 06:41:30 +12:00
0 ,
location ,
NULL ,
& state - > ldb ,
& errstring ) ;
2017-09-14 15:02:36 +12:00
2011-05-07 00:50:04 +10:00
if ( ! state - > ldb ) {
2017-09-14 15:02:36 +12:00
DEBUG ( 0 , ( " samdb_connect failed: %s: %s \n " ,
errstring , ldb_strerror ( ret ) ) ) ;
2011-08-12 15:44:39 +10:00
status = NT_STATUS_INTERNAL_ERROR ;
2011-05-07 00:50:04 +10:00
goto fail ;
}
state - > idmap_ctx = idmap_init ( state , state - > ev ,
state - > lp_ctx ) ;
if ( ! state - > idmap_ctx ) {
2011-08-12 15:44:39 +10:00
DEBUG ( 0 , ( " idmap failed \n " ) ) ;
status = NT_STATUS_INTERNAL_ERROR ;
2011-05-07 00:50:04 +10:00
goto fail ;
}
2012-09-04 10:27:50 +10:00
status = pdb_samba_dsdb_init_secrets ( m ) ;
2012-01-26 15:33:02 -05:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2012-09-04 10:27:50 +10:00
DEBUG ( 10 , ( " pdb_samba_dsdb_init_secrets failed! \n " ) ) ;
2012-01-26 15:33:02 -05:00
goto fail ;
}
2011-05-07 00:50:04 +10:00
* pdb_method = m ;
return NT_STATUS_OK ;
nomem :
status = NT_STATUS_NO_MEMORY ;
fail :
TALLOC_FREE ( m ) ;
return status ;
}
2017-04-20 12:24:43 -07:00
NTSTATUS pdb_samba_dsdb_init ( TALLOC_CTX * ) ;
NTSTATUS pdb_samba_dsdb_init ( TALLOC_CTX * ctx )
2011-05-07 00:50:04 +10:00
{
2012-09-04 10:27:50 +10:00
NTSTATUS status = smb_register_passdb ( PASSDB_INTERFACE_VERSION , " samba_dsdb " ,
pdb_init_samba_dsdb ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2011-05-07 00:50:04 +10:00
return smb_register_passdb ( PASSDB_INTERFACE_VERSION , " samba4 " ,
2012-09-04 10:27:50 +10:00
pdb_init_samba_dsdb ) ;
2011-05-07 00:50:04 +10:00
}