2003-08-13 05:53:07 +04:00
/*
Unix SMB / CIFS implementation .
Copyright ( C ) Andrew Tridgell 1992 - 2001
Copyright ( C ) Andrew Bartlett 2002
Copyright ( C ) Rafal Szczesniak 2002
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2003-08-13 05:53:07 +04:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2003-08-13 05:53:07 +04:00
*/
/* the Samba secrets database stores any generated, private information
such as the local SID and machine trust password */
# include "includes.h"
2004-11-02 09:14:15 +03:00
# include "secrets.h"
2006-03-20 03:28:12 +03:00
# include "param/param.h"
2005-02-10 08:09:35 +03:00
# include "system/filesys.h"
2005-02-10 10:22:25 +03:00
# include "db_wrap.h"
2005-09-26 01:01:56 +04:00
# include "lib/ldb/include/ldb.h"
2006-10-21 03:32:23 +04:00
# include "lib/tdb/include/tdb.h"
# include "lib/util/util_tdb.h"
2005-12-28 18:38:36 +03:00
# include "dsdb/samdb/samdb.h"
2003-08-13 05:53:07 +04:00
2004-10-16 17:47:00 +04:00
static struct tdb_wrap * tdb ;
2003-08-13 05:53:07 +04:00
2004-07-14 16:14:07 +04:00
/**
* Use a TDB to store an incrementing random seed .
*
* Initialised to the current pid , the very first time Samba starts ,
* and incremented by one each time it is needed .
*
* @ note Not called by systems with a working / dev / urandom .
*/
static void get_rand_seed ( int * new_seed )
{
* new_seed = getpid ( ) ;
if ( tdb ) {
2004-10-16 17:47:00 +04:00
tdb_change_int32_atomic ( tdb - > tdb , " INFO/random_seed " , new_seed , 1 ) ;
2004-07-14 16:14:07 +04:00
}
}
2004-10-25 06:57:20 +04:00
/* close the secrets database */
void secrets_shutdown ( void )
{
2005-10-27 09:31:20 +04:00
talloc_free ( tdb ) ;
2004-10-25 06:57:20 +04:00
}
2003-08-13 05:53:07 +04:00
/* open up the secrets database */
2007-09-28 05:17:46 +04:00
bool secrets_init ( void )
2003-08-13 05:53:07 +04:00
{
2005-09-26 20:57:08 +04:00
char * fname ;
2004-11-25 23:01:47 +03:00
uint8_t dummy ;
2003-08-13 05:53:07 +04:00
if ( tdb )
2007-09-28 05:17:46 +04:00
return true ;
2003-08-13 05:53:07 +04:00
2007-09-28 05:17:46 +04:00
asprintf ( & fname , " %s/secrets.tdb " , lp_private_dir ( global_loadparm ) ) ;
2003-08-13 05:53:07 +04:00
2005-01-30 03:54:57 +03:00
tdb = tdb_wrap_open ( talloc_autofree_context ( ) , fname , 0 , TDB_DEFAULT , O_RDWR | O_CREAT , 0600 ) ;
2003-08-13 05:53:07 +04:00
if ( ! tdb ) {
DEBUG ( 0 , ( " Failed to open %s \n " , fname ) ) ;
2005-09-26 20:57:08 +04:00
SAFE_FREE ( fname ) ;
2007-09-28 05:17:46 +04:00
return false ;
2003-08-13 05:53:07 +04:00
}
2005-09-26 20:57:08 +04:00
SAFE_FREE ( fname ) ;
2004-07-14 16:14:07 +04:00
/**
* Set a reseed function for the crypto random generator
*
* This avoids a problem where systems without / dev / urandom
* could send the same challenge to multiple clients
*/
set_rand_reseed_callback ( get_rand_seed ) ;
/* Ensure that the reseed is done now, while we are root, etc */
generate_random_buffer ( & dummy , sizeof ( dummy ) ) ;
2003-08-13 05:53:07 +04:00
return True ;
}
2005-01-11 17:04:58 +03:00
/*
connect to the schannel ldb
*/
2005-02-27 14:35:47 +03:00
struct ldb_context * secrets_db_connect ( TALLOC_CTX * mem_ctx )
2005-01-11 17:04:58 +03:00
{
char * path ;
2007-01-15 17:17:26 +03:00
const char * url ;
2005-02-27 14:35:47 +03:00
struct ldb_context * ldb ;
2005-05-02 18:17:19 +04:00
BOOL existed ;
const char * init_ldif =
" dn: @ATTRIBUTES \n " \
" computerName: CASE_INSENSITIVE \n " \
" flatname: CASE_INSENSITIVE \n " ;
2005-01-11 17:04:58 +03:00
2007-09-28 05:17:46 +04:00
url = lp_secrets_url ( global_loadparm ) ;
2007-01-15 17:17:26 +03:00
if ( ! url | | ! url [ 0 ] ) {
return NULL ;
}
path = private_path ( mem_ctx , url ) ;
2005-01-11 17:04:58 +03:00
if ( ! path ) {
return NULL ;
}
2007-01-15 17:17:26 +03:00
2006-06-26 15:23:06 +04:00
existed = file_exist ( path ) ;
2005-12-14 10:22:25 +03:00
/* Secrets.ldb *must* always be local. If we call for a
* system_session ( ) we will recurse */
ldb = ldb_wrap_connect ( mem_ctx , path , NULL , NULL , 0 , NULL ) ;
2005-01-11 17:04:58 +03:00
talloc_free ( path ) ;
if ( ! ldb ) {
return NULL ;
}
2005-05-02 18:17:19 +04:00
if ( ! existed ) {
gendb_add_ldif ( ldb , init_ldif ) ;
}
2005-01-11 17:04:58 +03:00
return ldb ;
}
2005-09-26 01:01:56 +04:00
struct dom_sid * secrets_get_domain_sid ( TALLOC_CTX * mem_ctx ,
const char * domain )
{
struct ldb_context * ldb ;
struct ldb_message * * msgs ;
int ldb_ret ;
const char * attrs [ ] = { " objectSid " , NULL } ;
struct dom_sid * result = NULL ;
ldb = secrets_db_connect ( mem_ctx ) ;
if ( ldb = = NULL ) {
DEBUG ( 5 , ( " secrets_db_connect failed \n " ) ) ;
2006-07-07 05:59:43 +04:00
return NULL ;
2005-09-26 01:01:56 +04:00
}
ldb_ret = gendb_search ( ldb , ldb ,
2006-11-22 03:59:34 +03:00
ldb_dn_new ( mem_ctx , ldb , SECRETS_PRIMARY_DOMAIN_DN ) ,
2005-09-26 01:01:56 +04:00
& msgs , attrs ,
SECRETS_PRIMARY_DOMAIN_FILTER , domain ) ;
2006-07-07 05:59:43 +04:00
if ( ldb_ret = = - 1 ) {
DEBUG ( 5 , ( " Error searching for domain SID for %s: %s " ,
domain , ldb_errstring ( ldb ) ) ) ;
talloc_free ( ldb ) ;
return NULL ;
}
2005-09-26 01:01:56 +04:00
if ( ldb_ret = = 0 ) {
DEBUG ( 5 , ( " Did not find domain record for %s \n " , domain ) ) ;
2006-07-07 05:59:43 +04:00
talloc_free ( ldb ) ;
return NULL ;
2005-09-26 01:01:56 +04:00
}
if ( ldb_ret > 1 ) {
DEBUG ( 5 , ( " Found more than one (%d) domain records for %s \n " ,
ldb_ret , domain ) ) ;
2006-07-07 05:59:43 +04:00
talloc_free ( ldb ) ;
return NULL ;
2005-09-26 01:01:56 +04:00
}
result = samdb_result_dom_sid ( mem_ctx , msgs [ 0 ] , " objectSid " ) ;
if ( result = = NULL ) {
DEBUG ( 0 , ( " Domain object for %s does not contain a SID! \n " ,
domain ) ) ;
2006-07-07 05:59:43 +04:00
talloc_free ( ldb ) ;
return NULL ;
2005-09-26 01:01:56 +04:00
}
return result ;
}
