2003-08-13 01:53:07 +00:00
/*
Unix SMB / CIFS implementation .
Copyright ( C ) Andrew Tridgell 1992 - 2001
Copyright ( C ) Andrew Bartlett 2002
Copyright ( C ) Rafal Szczesniak 2002
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 02:07:03 +00:00
the Free Software Foundation ; either version 3 of the License , or
2003-08-13 01:53:07 +00:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 02:07:03 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2003-08-13 01:53:07 +00:00
*/
/* the Samba secrets database stores any generated, private information
such as the local SID and machine trust password */
# include "includes.h"
2004-11-02 06:14:15 +00:00
# include "secrets.h"
2006-03-20 00:28:12 +00:00
# include "param/param.h"
2005-02-10 05:09:35 +00:00
# include "system/filesys.h"
2007-11-16 20:12:00 +01:00
# include "tdb_wrap.h"
2005-09-25 21:01:56 +00:00
# include "lib/ldb/include/ldb.h"
2008-09-16 15:16:31 +02:00
# include "../tdb/include/tdb.h"
2008-10-11 21:31:42 +02:00
# include "../lib/util/util_tdb.h"
# include "../lib/util/util_ldb.h"
2007-12-06 21:16:40 +01:00
# include "librpc/gen_ndr/ndr_security.h"
2003-08-13 01:53:07 +00:00
2004-07-14 12:14:07 +00:00
/**
* Use a TDB to store an incrementing random seed .
*
* Initialised to the current pid , the very first time Samba starts ,
* and incremented by one each time it is needed .
*
* @ note Not called by systems with a working / dev / urandom .
*/
2008-04-01 15:26:00 +02:00
static void get_rand_seed ( struct tdb_wrap * secretsdb , int * new_seed )
2004-07-14 12:14:07 +00:00
{
* new_seed = getpid ( ) ;
2008-04-01 15:26:00 +02:00
if ( secretsdb ! = NULL ) {
tdb_change_int32_atomic ( secretsdb - > tdb , " INFO/random_seed " , new_seed , 1 ) ;
2004-07-14 12:14:07 +00:00
}
}
2007-11-26 02:31:53 +01:00
/**
* open up the secrets database
*/
2008-04-01 15:26:00 +02:00
struct tdb_wrap * secrets_init ( TALLOC_CTX * mem_ctx , struct loadparm_context * lp_ctx )
2003-08-13 01:53:07 +00:00
{
2005-09-26 16:57:08 +00:00
char * fname ;
2004-11-25 20:01:47 +00:00
uint8_t dummy ;
2008-04-01 15:26:00 +02:00
struct tdb_wrap * tdb ;
2003-08-13 01:53:07 +00:00
2008-04-01 15:26:00 +02:00
fname = private_path ( mem_ctx , lp_ctx , " secrets.tdb " ) ;
2003-08-13 01:53:07 +00:00
2008-04-01 15:26:00 +02:00
tdb = tdb_wrap_open ( mem_ctx , fname , 0 , TDB_DEFAULT , O_RDWR | O_CREAT , 0600 ) ;
2003-08-13 01:53:07 +00:00
if ( ! tdb ) {
DEBUG ( 0 , ( " Failed to open %s \n " , fname ) ) ;
2007-11-26 02:31:53 +01:00
talloc_free ( fname ) ;
2008-04-01 15:26:00 +02:00
return NULL ;
2003-08-13 01:53:07 +00:00
}
2007-11-26 02:31:53 +01:00
talloc_free ( fname ) ;
2004-07-14 12:14:07 +00:00
/**
* Set a reseed function for the crypto random generator
*
* This avoids a problem where systems without / dev / urandom
* could send the same challenge to multiple clients
*/
2008-04-01 15:26:00 +02:00
set_rand_reseed_callback ( ( void ( * ) ( void * , int * ) ) get_rand_seed , tdb ) ;
2004-07-14 12:14:07 +00:00
/* Ensure that the reseed is done now, while we are root, etc */
generate_random_buffer ( & dummy , sizeof ( dummy ) ) ;
2008-04-01 15:26:00 +02:00
return tdb ;
2003-08-13 01:53:07 +00:00
}
2007-11-26 02:31:53 +01:00
/**
connect to the secrets ldb
2005-01-11 14:04:58 +00:00
*/
2008-06-14 11:24:17 -04:00
struct ldb_context * secrets_db_connect ( TALLOC_CTX * mem_ctx ,
2008-12-29 20:24:57 +01:00
struct tevent_context * ev_ctx ,
2008-06-14 11:24:17 -04:00
struct loadparm_context * lp_ctx )
2005-01-11 14:04:58 +00:00
{
char * path ;
2007-01-15 14:17:26 +00:00
const char * url ;
2005-02-27 11:35:47 +00:00
struct ldb_context * ldb ;
2005-01-11 14:04:58 +00:00
2007-11-29 16:01:16 +01:00
url = lp_secrets_url ( lp_ctx ) ;
2007-01-15 14:17:26 +00:00
if ( ! url | | ! url [ 0 ] ) {
return NULL ;
}
2007-11-29 16:01:16 +01:00
path = private_path ( mem_ctx , lp_ctx , url ) ;
2005-01-11 14:04:58 +00:00
if ( ! path ) {
return NULL ;
}
2007-01-15 14:17:26 +00:00
2005-12-14 07:22:25 +00:00
/* Secrets.ldb *must* always be local. If we call for a
* system_session ( ) we will recurse */
2008-06-14 11:24:17 -04:00
ldb = ldb_init ( mem_ctx , ev_ctx ) ;
2005-01-11 14:04:58 +00:00
if ( ! ldb ) {
2007-11-29 16:01:08 +01:00
talloc_free ( path ) ;
return NULL ;
}
2007-11-29 16:01:16 +01:00
ldb_set_modules_dir ( ldb ,
talloc_asprintf ( ldb , " %s/ldb " , lp_modulesdir ( lp_ctx ) ) ) ;
2007-11-29 16:01:08 +01:00
if ( ldb_connect ( ldb , path , 0 , NULL ) ! = 0 ) {
talloc_free ( path ) ;
2005-01-11 14:04:58 +00:00
return NULL ;
}
2007-11-29 16:01:08 +01:00
2009-09-07 10:33:02 +10:00
/* the update_keytab module relies on this being setup */
if ( ldb_set_opaque ( ldb , " loadparm " , lp_ctx ) ! = LDB_SUCCESS ) {
talloc_free ( path ) ;
talloc_free ( ldb ) ;
return NULL ;
}
2007-11-29 16:01:08 +01:00
talloc_free ( path ) ;
2005-05-02 14:17:19 +00:00
2005-01-11 14:04:58 +00:00
return ldb ;
}
2007-11-26 02:31:53 +01:00
/**
* Retrieve the domain SID from the secrets database .
* @ return pointer to a SID object if the SID could be obtained , NULL otherwise
*/
2005-09-25 21:01:56 +00:00
struct dom_sid * secrets_get_domain_sid ( TALLOC_CTX * mem_ctx ,
2008-12-29 20:24:57 +01:00
struct tevent_context * ev_ctx ,
2007-12-03 15:53:17 +01:00
struct loadparm_context * lp_ctx ,
2005-09-25 21:01:56 +00:00
const char * domain )
{
struct ldb_context * ldb ;
struct ldb_message * * msgs ;
int ldb_ret ;
const char * attrs [ ] = { " objectSid " , NULL } ;
struct dom_sid * result = NULL ;
2007-12-06 21:16:40 +01:00
const struct ldb_val * v ;
enum ndr_err_code ndr_err ;
2005-09-25 21:01:56 +00:00
2008-06-14 11:24:17 -04:00
ldb = secrets_db_connect ( mem_ctx , ev_ctx , lp_ctx ) ;
2005-09-25 21:01:56 +00:00
if ( ldb = = NULL ) {
DEBUG ( 5 , ( " secrets_db_connect failed \n " ) ) ;
2006-07-07 01:59:43 +00:00
return NULL ;
2005-09-25 21:01:56 +00:00
}
ldb_ret = gendb_search ( ldb , ldb ,
2006-11-22 00:59:34 +00:00
ldb_dn_new ( mem_ctx , ldb , SECRETS_PRIMARY_DOMAIN_DN ) ,
2005-09-25 21:01:56 +00:00
& msgs , attrs ,
SECRETS_PRIMARY_DOMAIN_FILTER , domain ) ;
2006-07-07 01:59:43 +00:00
if ( ldb_ret = = - 1 ) {
DEBUG ( 5 , ( " Error searching for domain SID for %s: %s " ,
domain , ldb_errstring ( ldb ) ) ) ;
talloc_free ( ldb ) ;
return NULL ;
}
2005-09-25 21:01:56 +00:00
if ( ldb_ret = = 0 ) {
DEBUG ( 5 , ( " Did not find domain record for %s \n " , domain ) ) ;
2006-07-07 01:59:43 +00:00
talloc_free ( ldb ) ;
return NULL ;
2005-09-25 21:01:56 +00:00
}
if ( ldb_ret > 1 ) {
DEBUG ( 5 , ( " Found more than one (%d) domain records for %s \n " ,
ldb_ret , domain ) ) ;
2006-07-07 01:59:43 +00:00
talloc_free ( ldb ) ;
return NULL ;
2005-09-25 21:01:56 +00:00
}
2007-12-06 21:16:40 +01:00
v = ldb_msg_find_ldb_val ( msgs [ 0 ] , " objectSid " ) ;
if ( v = = NULL ) {
2005-09-25 21:01:56 +00:00
DEBUG ( 0 , ( " Domain object for %s does not contain a SID! \n " ,
domain ) ) ;
2007-12-06 21:16:40 +01:00
return NULL ;
}
result = talloc ( mem_ctx , struct dom_sid ) ;
if ( result = = NULL ) {
talloc_free ( ldb ) ;
return NULL ;
}
2008-01-01 22:05:13 -06:00
ndr_err = ndr_pull_struct_blob ( v , result , NULL , result ,
2007-12-06 21:16:40 +01:00
( ndr_pull_flags_fn_t ) ndr_pull_dom_sid ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
talloc_free ( result ) ;
2006-07-07 01:59:43 +00:00
talloc_free ( ldb ) ;
return NULL ;
2005-09-25 21:01:56 +00:00
}
return result ;
}
