2003-08-13 05:53:07 +04:00
/*
Unix SMB / CIFS implementation .
Copyright ( C ) Andrew Tridgell 1992 - 2001
Copyright ( C ) Andrew Bartlett 2002
Copyright ( C ) Rafal Szczesniak 2002
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2003-08-13 05:53:07 +04:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2003-08-13 05:53:07 +04:00
*/
/* the Samba secrets database stores any generated, private information
such as the local SID and machine trust password */
# include "includes.h"
2004-11-02 09:14:15 +03:00
# include "secrets.h"
2006-03-20 03:28:12 +03:00
# include "param/param.h"
2005-02-10 08:09:35 +03:00
# include "system/filesys.h"
2007-11-16 22:12:00 +03:00
# include "tdb_wrap.h"
2005-09-26 01:01:56 +04:00
# include "lib/ldb/include/ldb.h"
2008-09-16 17:16:31 +04:00
# include "../tdb/include/tdb.h"
2008-10-11 23:31:42 +04:00
# include "../lib/util/util_tdb.h"
# include "../lib/util/util_ldb.h"
2007-12-06 23:16:40 +03:00
# include "librpc/gen_ndr/ndr_security.h"
2010-02-18 02:54:53 +03:00
# include "dsdb/samdb/samdb.h"
# include "dsdb/common/util.h"
# include "dsdb/common/proto.h"
2003-08-13 05:53:07 +04:00
2004-07-14 16:14:07 +04:00
/**
* Use a TDB to store an incrementing random seed .
*
* Initialised to the current pid , the very first time Samba starts ,
* and incremented by one each time it is needed .
*
* @ note Not called by systems with a working / dev / urandom .
*/
2008-04-01 17:26:00 +04:00
static void get_rand_seed ( struct tdb_wrap * secretsdb , int * new_seed )
2004-07-14 16:14:07 +04:00
{
* new_seed = getpid ( ) ;
2008-04-01 17:26:00 +04:00
if ( secretsdb ! = NULL ) {
tdb_change_int32_atomic ( secretsdb - > tdb , " INFO/random_seed " , new_seed , 1 ) ;
2004-07-14 16:14:07 +04:00
}
}
2007-11-26 04:31:53 +03:00
/**
* open up the secrets database
*/
2008-04-01 17:26:00 +04:00
struct tdb_wrap * secrets_init ( TALLOC_CTX * mem_ctx , struct loadparm_context * lp_ctx )
2003-08-13 05:53:07 +04:00
{
2005-09-26 20:57:08 +04:00
char * fname ;
2004-11-25 23:01:47 +03:00
uint8_t dummy ;
2008-04-01 17:26:00 +04:00
struct tdb_wrap * tdb ;
2003-08-13 05:53:07 +04:00
2008-04-01 17:26:00 +04:00
fname = private_path ( mem_ctx , lp_ctx , " secrets.tdb " ) ;
2003-08-13 05:53:07 +04:00
2008-04-01 17:26:00 +04:00
tdb = tdb_wrap_open ( mem_ctx , fname , 0 , TDB_DEFAULT , O_RDWR | O_CREAT , 0600 ) ;
2003-08-13 05:53:07 +04:00
if ( ! tdb ) {
DEBUG ( 0 , ( " Failed to open %s \n " , fname ) ) ;
2007-11-26 04:31:53 +03:00
talloc_free ( fname ) ;
2008-04-01 17:26:00 +04:00
return NULL ;
2003-08-13 05:53:07 +04:00
}
2007-11-26 04:31:53 +03:00
talloc_free ( fname ) ;
2004-07-14 16:14:07 +04:00
/**
* Set a reseed function for the crypto random generator
*
* This avoids a problem where systems without / dev / urandom
* could send the same challenge to multiple clients
*/
2008-04-01 17:26:00 +04:00
set_rand_reseed_callback ( ( void ( * ) ( void * , int * ) ) get_rand_seed , tdb ) ;
2004-07-14 16:14:07 +04:00
/* Ensure that the reseed is done now, while we are root, etc */
generate_random_buffer ( & dummy , sizeof ( dummy ) ) ;
2008-04-01 17:26:00 +04:00
return tdb ;
2003-08-13 05:53:07 +04:00
}
2007-11-26 04:31:53 +03:00
/**
connect to the secrets ldb
2005-01-11 17:04:58 +03:00
*/
2008-06-14 19:24:17 +04:00
struct ldb_context * secrets_db_connect ( TALLOC_CTX * mem_ctx ,
2008-12-29 22:24:57 +03:00
struct tevent_context * ev_ctx ,
2008-06-14 19:24:17 +04:00
struct loadparm_context * lp_ctx )
2005-01-11 17:04:58 +03:00
{
char * path ;
2007-01-15 17:17:26 +03:00
const char * url ;
2005-02-27 14:35:47 +03:00
struct ldb_context * ldb ;
2005-01-11 17:04:58 +03:00
2007-11-29 18:01:16 +03:00
url = lp_secrets_url ( lp_ctx ) ;
2007-01-15 17:17:26 +03:00
if ( ! url | | ! url [ 0 ] ) {
return NULL ;
}
2007-11-29 18:01:16 +03:00
path = private_path ( mem_ctx , lp_ctx , url ) ;
2005-01-11 17:04:58 +03:00
if ( ! path ) {
return NULL ;
}
2007-01-15 17:17:26 +03:00
2005-12-14 10:22:25 +03:00
/* Secrets.ldb *must* always be local. If we call for a
* system_session ( ) we will recurse */
2008-06-14 19:24:17 +04:00
ldb = ldb_init ( mem_ctx , ev_ctx ) ;
2005-01-11 17:04:58 +03:00
if ( ! ldb ) {
2007-11-29 18:01:08 +03:00
talloc_free ( path ) ;
return NULL ;
}
2007-11-29 18:01:16 +03:00
ldb_set_modules_dir ( ldb ,
talloc_asprintf ( ldb , " %s/ldb " , lp_modulesdir ( lp_ctx ) ) ) ;
2007-11-29 18:01:08 +03:00
if ( ldb_connect ( ldb , path , 0 , NULL ) ! = 0 ) {
talloc_free ( path ) ;
2005-01-11 17:04:58 +03:00
return NULL ;
}
2007-11-29 18:01:08 +03:00
2009-09-07 04:33:02 +04:00
/* the update_keytab module relies on this being setup */
if ( ldb_set_opaque ( ldb , " loadparm " , lp_ctx ) ! = LDB_SUCCESS ) {
talloc_free ( path ) ;
talloc_free ( ldb ) ;
return NULL ;
}
2007-11-29 18:01:08 +03:00
talloc_free ( path ) ;
2005-05-02 18:17:19 +04:00
2005-01-11 17:04:58 +03:00
return ldb ;
}
2007-11-26 04:31:53 +03:00
/**
* Retrieve the domain SID from the secrets database .
* @ return pointer to a SID object if the SID could be obtained , NULL otherwise
*/
2005-09-26 01:01:56 +04:00
struct dom_sid * secrets_get_domain_sid ( TALLOC_CTX * mem_ctx ,
2008-12-29 22:24:57 +03:00
struct tevent_context * ev_ctx ,
2007-12-03 17:53:17 +03:00
struct loadparm_context * lp_ctx ,
2010-02-18 02:54:53 +03:00
const char * domain ,
char * * errstring )
2005-09-26 01:01:56 +04:00
{
struct ldb_context * ldb ;
2010-02-18 02:54:53 +03:00
struct ldb_message * msg ;
2005-09-26 01:01:56 +04:00
int ldb_ret ;
const char * attrs [ ] = { " objectSid " , NULL } ;
struct dom_sid * result = NULL ;
2007-12-06 23:16:40 +03:00
const struct ldb_val * v ;
enum ndr_err_code ndr_err ;
2010-02-18 02:54:53 +03:00
* errstring = NULL ;
2005-09-26 01:01:56 +04:00
2008-06-14 19:24:17 +04:00
ldb = secrets_db_connect ( mem_ctx , ev_ctx , lp_ctx ) ;
2005-09-26 01:01:56 +04:00
if ( ldb = = NULL ) {
DEBUG ( 5 , ( " secrets_db_connect failed \n " ) ) ;
2006-07-07 05:59:43 +04:00
return NULL ;
2005-09-26 01:01:56 +04:00
}
2010-02-18 02:54:53 +03:00
ldb_ret = dsdb_search_one ( ldb , ldb , & msg ,
ldb_dn_new ( mem_ctx , ldb , SECRETS_PRIMARY_DOMAIN_DN ) ,
LDB_SCOPE_ONELEVEL ,
attrs , 0 , SECRETS_PRIMARY_DOMAIN_FILTER , domain ) ;
2005-09-26 01:01:56 +04:00
2010-02-18 02:54:53 +03:00
if ( ldb_ret ! = LDB_SUCCESS ) {
2010-02-19 03:14:15 +03:00
* errstring = talloc_asprintf ( mem_ctx , " Failed to find record for %s in %s: %s: %s " ,
2010-04-06 16:52:38 +04:00
domain , ( char * ) ldb_get_opaque ( ldb , " ldb_url " ) ,
2010-02-19 03:14:15 +03:00
ldb_strerror ( ldb_ret ) , ldb_errstring ( ldb ) ) ;
2006-07-07 05:59:43 +04:00
return NULL ;
2005-09-26 01:01:56 +04:00
}
2010-02-18 02:54:53 +03:00
v = ldb_msg_find_ldb_val ( msg , " objectSid " ) ;
2007-12-06 23:16:40 +03:00
if ( v = = NULL ) {
2010-02-19 03:14:15 +03:00
* errstring = talloc_asprintf ( mem_ctx , " Failed to find a SID on record for %s in %s " ,
2010-04-06 16:52:38 +04:00
domain , ( char * ) ldb_get_opaque ( ldb , " ldb_url " ) ) ;
2007-12-06 23:16:40 +03:00
return NULL ;
}
result = talloc ( mem_ctx , struct dom_sid ) ;
if ( result = = NULL ) {
talloc_free ( ldb ) ;
return NULL ;
}
2010-05-09 19:20:01 +04:00
ndr_err = ndr_pull_struct_blob ( v , result , result ,
2007-12-06 23:16:40 +03:00
( ndr_pull_flags_fn_t ) ndr_pull_dom_sid ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
2010-02-19 03:14:15 +03:00
* errstring = talloc_asprintf ( mem_ctx , " Failed to parse SID on record for %s in %s " ,
2010-04-06 16:52:38 +04:00
domain , ( char * ) ldb_get_opaque ( ldb , " ldb_url " ) ) ;
2007-12-06 23:16:40 +03:00
talloc_free ( result ) ;
2006-07-07 05:59:43 +04:00
talloc_free ( ldb ) ;
return NULL ;
2005-09-26 01:01:56 +04:00
}
return result ;
}