2003-08-13 05:53:07 +04:00
/*
Unix SMB / CIFS implementation .
Copyright ( C ) Andrew Tridgell 1992 - 2001
Copyright ( C ) Andrew Bartlett 2002
Copyright ( C ) Rafal Szczesniak 2002
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2003-08-13 05:53:07 +04:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2003-08-13 05:53:07 +04:00
*/
/* the Samba secrets database stores any generated, private information
such as the local SID and machine trust password */
# include "includes.h"
2004-11-02 09:14:15 +03:00
# include "secrets.h"
2006-03-20 03:28:12 +03:00
# include "param/param.h"
2005-02-10 08:09:35 +03:00
# include "system/filesys.h"
2007-11-16 22:12:00 +03:00
# include "tdb_wrap.h"
2005-09-26 01:01:56 +04:00
# include "lib/ldb/include/ldb.h"
2006-10-21 03:32:23 +04:00
# include "lib/tdb/include/tdb.h"
# include "lib/util/util_tdb.h"
2007-11-16 22:12:00 +03:00
# include "lib/util/util_ldb.h"
2007-12-06 23:16:40 +03:00
# include "librpc/gen_ndr/ndr_security.h"
2003-08-13 05:53:07 +04:00
2004-10-16 17:47:00 +04:00
static struct tdb_wrap * tdb ;
2003-08-13 05:53:07 +04:00
2004-07-14 16:14:07 +04:00
/**
* Use a TDB to store an incrementing random seed .
*
* Initialised to the current pid , the very first time Samba starts ,
* and incremented by one each time it is needed .
*
* @ note Not called by systems with a working / dev / urandom .
*/
static void get_rand_seed ( int * new_seed )
{
* new_seed = getpid ( ) ;
2007-11-26 04:31:53 +03:00
if ( tdb ! = NULL ) {
2004-10-16 17:47:00 +04:00
tdb_change_int32_atomic ( tdb - > tdb , " INFO/random_seed " , new_seed , 1 ) ;
2004-07-14 16:14:07 +04:00
}
}
2007-11-26 04:31:53 +03:00
/**
* close the secrets database
*/
2004-10-25 06:57:20 +04:00
void secrets_shutdown ( void )
{
2005-10-27 09:31:20 +04:00
talloc_free ( tdb ) ;
2004-10-25 06:57:20 +04:00
}
2007-11-26 04:31:53 +03:00
/**
* open up the secrets database
*/
2007-12-03 17:53:17 +03:00
bool secrets_init ( struct loadparm_context * lp_ctx )
2003-08-13 05:53:07 +04:00
{
2005-09-26 20:57:08 +04:00
char * fname ;
2004-11-25 23:01:47 +03:00
uint8_t dummy ;
2003-08-13 05:53:07 +04:00
2007-11-26 04:31:53 +03:00
if ( tdb ! = NULL )
2007-09-28 05:17:46 +04:00
return true ;
2003-08-13 05:53:07 +04:00
2007-12-03 17:53:17 +03:00
fname = private_path ( NULL , lp_ctx , " secrets.tdb " ) ;
2003-08-13 05:53:07 +04:00
2007-11-26 04:31:53 +03:00
tdb = tdb_wrap_open ( talloc_autofree_context ( ) , fname , 0 , TDB_DEFAULT ,
O_RDWR | O_CREAT , 0600 ) ;
2003-08-13 05:53:07 +04:00
if ( ! tdb ) {
DEBUG ( 0 , ( " Failed to open %s \n " , fname ) ) ;
2007-11-26 04:31:53 +03:00
talloc_free ( fname ) ;
2007-09-28 05:17:46 +04:00
return false ;
2003-08-13 05:53:07 +04:00
}
2007-11-26 04:31:53 +03:00
talloc_free ( fname ) ;
2004-07-14 16:14:07 +04:00
/**
* Set a reseed function for the crypto random generator
*
* This avoids a problem where systems without / dev / urandom
* could send the same challenge to multiple clients
*/
set_rand_reseed_callback ( get_rand_seed ) ;
/* Ensure that the reseed is done now, while we are root, etc */
generate_random_buffer ( & dummy , sizeof ( dummy ) ) ;
2007-10-07 01:39:52 +04:00
return true ;
2003-08-13 05:53:07 +04:00
}
2007-11-26 04:31:53 +03:00
/**
connect to the secrets ldb
2005-01-11 17:04:58 +03:00
*/
2007-11-29 18:01:16 +03:00
struct ldb_context * secrets_db_connect ( TALLOC_CTX * mem_ctx , struct loadparm_context * lp_ctx )
2005-01-11 17:04:58 +03:00
{
char * path ;
2007-01-15 17:17:26 +03:00
const char * url ;
2005-02-27 14:35:47 +03:00
struct ldb_context * ldb ;
2005-01-11 17:04:58 +03:00
2007-11-29 18:01:16 +03:00
url = lp_secrets_url ( lp_ctx ) ;
2007-01-15 17:17:26 +03:00
if ( ! url | | ! url [ 0 ] ) {
return NULL ;
}
2007-11-29 18:01:16 +03:00
path = private_path ( mem_ctx , lp_ctx , url ) ;
2005-01-11 17:04:58 +03:00
if ( ! path ) {
return NULL ;
}
2007-01-15 17:17:26 +03:00
2005-12-14 10:22:25 +03:00
/* Secrets.ldb *must* always be local. If we call for a
* system_session ( ) we will recurse */
2007-11-29 18:01:08 +03:00
ldb = ldb_init ( mem_ctx ) ;
2005-01-11 17:04:58 +03:00
if ( ! ldb ) {
2007-11-29 18:01:08 +03:00
talloc_free ( path ) ;
return NULL ;
}
2007-11-29 18:01:16 +03:00
ldb_set_modules_dir ( ldb ,
talloc_asprintf ( ldb , " %s/ldb " , lp_modulesdir ( lp_ctx ) ) ) ;
2007-11-29 18:01:08 +03:00
if ( ldb_connect ( ldb , path , 0 , NULL ) ! = 0 ) {
talloc_free ( path ) ;
2005-01-11 17:04:58 +03:00
return NULL ;
}
2007-11-29 18:01:08 +03:00
talloc_free ( path ) ;
2005-05-02 18:17:19 +04:00
2005-01-11 17:04:58 +03:00
return ldb ;
}
2007-11-26 04:31:53 +03:00
/**
* Retrieve the domain SID from the secrets database .
* @ return pointer to a SID object if the SID could be obtained , NULL otherwise
*/
2005-09-26 01:01:56 +04:00
struct dom_sid * secrets_get_domain_sid ( TALLOC_CTX * mem_ctx ,
2007-12-03 17:53:17 +03:00
struct loadparm_context * lp_ctx ,
2005-09-26 01:01:56 +04:00
const char * domain )
{
struct ldb_context * ldb ;
struct ldb_message * * msgs ;
int ldb_ret ;
const char * attrs [ ] = { " objectSid " , NULL } ;
struct dom_sid * result = NULL ;
2007-12-06 23:16:40 +03:00
const struct ldb_val * v ;
enum ndr_err_code ndr_err ;
2005-09-26 01:01:56 +04:00
2007-12-03 17:53:17 +03:00
ldb = secrets_db_connect ( mem_ctx , lp_ctx ) ;
2005-09-26 01:01:56 +04:00
if ( ldb = = NULL ) {
DEBUG ( 5 , ( " secrets_db_connect failed \n " ) ) ;
2006-07-07 05:59:43 +04:00
return NULL ;
2005-09-26 01:01:56 +04:00
}
ldb_ret = gendb_search ( ldb , ldb ,
2006-11-22 03:59:34 +03:00
ldb_dn_new ( mem_ctx , ldb , SECRETS_PRIMARY_DOMAIN_DN ) ,
2005-09-26 01:01:56 +04:00
& msgs , attrs ,
SECRETS_PRIMARY_DOMAIN_FILTER , domain ) ;
2006-07-07 05:59:43 +04:00
if ( ldb_ret = = - 1 ) {
DEBUG ( 5 , ( " Error searching for domain SID for %s: %s " ,
domain , ldb_errstring ( ldb ) ) ) ;
talloc_free ( ldb ) ;
return NULL ;
}
2005-09-26 01:01:56 +04:00
if ( ldb_ret = = 0 ) {
DEBUG ( 5 , ( " Did not find domain record for %s \n " , domain ) ) ;
2006-07-07 05:59:43 +04:00
talloc_free ( ldb ) ;
return NULL ;
2005-09-26 01:01:56 +04:00
}
if ( ldb_ret > 1 ) {
DEBUG ( 5 , ( " Found more than one (%d) domain records for %s \n " ,
ldb_ret , domain ) ) ;
2006-07-07 05:59:43 +04:00
talloc_free ( ldb ) ;
return NULL ;
2005-09-26 01:01:56 +04:00
}
2007-12-06 23:16:40 +03:00
v = ldb_msg_find_ldb_val ( msgs [ 0 ] , " objectSid " ) ;
if ( v = = NULL ) {
2005-09-26 01:01:56 +04:00
DEBUG ( 0 , ( " Domain object for %s does not contain a SID! \n " ,
domain ) ) ;
2007-12-06 23:16:40 +03:00
return NULL ;
}
result = talloc ( mem_ctx , struct dom_sid ) ;
if ( result = = NULL ) {
talloc_free ( ldb ) ;
return NULL ;
}
2008-01-02 07:05:13 +03:00
ndr_err = ndr_pull_struct_blob ( v , result , NULL , result ,
2007-12-06 23:16:40 +03:00
( ndr_pull_flags_fn_t ) ndr_pull_dom_sid ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
talloc_free ( result ) ;
2006-07-07 05:59:43 +04:00
talloc_free ( ldb ) ;
return NULL ;
2005-09-26 01:01:56 +04:00
}
return result ;
}
