2011-10-17 18:00:01 +02:00
/*
2020-08-09 16:14:02 +02:00
Unix SMB / CIFS Implementation .
2005-05-31 13:46:45 +00:00
LDAP protocol helper functions for SAMBA
2018-05-07 08:04:17 -04:00
Copyright ( C ) Jean François Micouleau 1998
2005-05-31 13:46:45 +00:00
Copyright ( C ) Gerald Carter 2001 - 2003
Copyright ( C ) Shahms King 2001
Copyright ( C ) Andrew Bartlett 2002 - 2003
Copyright ( C ) Stefan ( metze ) Metzmacher 2002 - 2003
2011-10-17 18:00:01 +02:00
2005-05-31 13:46:45 +00:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
the Free Software Foundation ; either version 3 of the License , or
2005-05-31 13:46:45 +00:00
( at your option ) any later version .
2011-10-17 18:00:01 +02:00
2005-05-31 13:46:45 +00:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2011-10-17 18:00:01 +02:00
2005-05-31 13:46:45 +00:00
You should have received a copy of the GNU General Public License
2007-07-10 00:52:41 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2011-10-17 18:00:01 +02:00
2005-05-31 13:46:45 +00:00
*/
# include "includes.h"
# include "smbldap.h"
2011-03-22 16:50:02 +01:00
# include "passdb.h"
2011-11-16 18:54:02 +01:00
# include "passdb/pdb_ldap_util.h"
2011-10-17 18:03:31 +02:00
# include "passdb/pdb_ldap_schema.h"
2018-10-26 15:43:30 +02:00
# include "libcli/security/dom_sid.h"
2005-05-31 13:46:45 +00:00
2005-09-30 17:13:37 +00:00
/**********************************************************************
2011-10-17 18:00:01 +02:00
Add the account - policies below the sambaDomain object to LDAP ,
2005-09-30 17:13:37 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-24 22:04:07 +00:00
2005-09-30 17:13:37 +00:00
static NTSTATUS add_new_domain_account_policies ( struct smbldap_state * ldap_state ,
2011-10-17 18:00:01 +02:00
const char * domain_name )
2005-09-30 17:13:37 +00:00
{
NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL ;
int i , rc ;
2015-05-09 13:34:31 -07:00
uint32_t policy_default ;
2005-09-30 17:13:37 +00:00
const char * policy_attr = NULL ;
2007-11-15 14:19:52 -08:00
char * dn = NULL ;
2005-09-30 17:13:37 +00:00
LDAPMod * * mods = NULL ;
2007-03-01 00:49:28 +00:00
char * escape_domain_name ;
2005-09-30 17:13:37 +00:00
2006-02-24 22:04:07 +00:00
DEBUG ( 3 , ( " add_new_domain_account_policies: Adding new account policies for domain \n " ) ) ;
2007-03-01 00:49:28 +00:00
escape_domain_name = escape_rdn_val_string_alloc ( domain_name ) ;
if ( ! escape_domain_name ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
2007-11-15 14:19:52 -08:00
if ( asprintf ( & dn , " %s=%s,%s " ,
2005-09-30 17:13:37 +00:00
get_attr_key2string ( dominfo_attr_list , LDAP_ATTR_DOMAIN ) ,
2019-11-05 09:46:21 +01:00
escape_domain_name , lp_ldap_suffix ( ) ) < 0 ) {
2007-11-15 14:19:52 -08:00
SAFE_FREE ( escape_domain_name ) ;
return NT_STATUS_NO_MEMORY ;
}
2007-03-01 00:49:28 +00:00
SAFE_FREE ( escape_domain_name ) ;
2005-09-30 17:13:37 +00:00
for ( i = 1 ; decode_account_policy_name ( i ) ! = NULL ; i + + ) {
2007-11-15 14:19:52 -08:00
char * val = NULL ;
2005-09-30 17:13:37 +00:00
policy_attr = get_account_policy_attr ( i ) ;
if ( ! policy_attr ) {
DEBUG ( 0 , ( " add_new_domain_account_policies: ops. no policy! \n " ) ) ;
continue ;
}
if ( ! account_policy_get_default ( i , & policy_default ) ) {
DEBUG ( 0 , ( " add_new_domain_account_policies: failed to get default account policy \n " ) ) ;
2007-11-15 14:19:52 -08:00
SAFE_FREE ( dn ) ;
2005-09-30 17:13:37 +00:00
return ntstatus ;
}
DEBUG ( 10 , ( " add_new_domain_account_policies: adding \" %s \" with value: %d \n " , policy_attr , policy_default ) ) ;
2007-11-15 14:19:52 -08:00
if ( asprintf ( & val , " %d " , policy_default ) < 0 ) {
SAFE_FREE ( dn ) ;
return NT_STATUS_NO_MEMORY ;
}
2005-09-30 17:13:37 +00:00
smbldap_set_mod ( & mods , LDAP_MOD_REPLACE , policy_attr , val ) ;
rc = smbldap_modify ( ldap_state , dn , mods ) ;
2007-11-15 14:19:52 -08:00
SAFE_FREE ( val ) ;
2005-09-30 17:13:37 +00:00
if ( rc ! = LDAP_SUCCESS ) {
char * ld_error = NULL ;
2017-04-19 13:29:31 +02:00
ldap_get_option ( smbldap_get_ldap ( ldap_state ) ,
LDAP_OPT_ERROR_STRING , & ld_error ) ;
2006-02-24 22:04:07 +00:00
DEBUG ( 1 , ( " add_new_domain_account_policies: failed to add account policies to dn= %s with: %s \n \t %s \n " ,
2005-09-30 17:13:37 +00:00
dn , ldap_err2string ( rc ) ,
ld_error ? ld_error : " unknown " ) ) ;
SAFE_FREE ( ld_error ) ;
2007-11-15 14:19:52 -08:00
SAFE_FREE ( dn ) ;
2005-09-30 17:13:37 +00:00
ldap_mods_free ( mods , True ) ;
return ntstatus ;
}
}
2007-11-15 14:19:52 -08:00
SAFE_FREE ( dn ) ;
2005-09-30 17:13:37 +00:00
ldap_mods_free ( mods , True ) ;
return NT_STATUS_OK ;
}
2005-05-31 13:46:45 +00:00
/**********************************************************************
Add the sambaDomain to LDAP , so we don ' t have to search for this stuff
again . This is a once - add operation for now .
TODO : Add other attributes , and allow modification .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-24 22:04:07 +00:00
2007-11-15 14:19:52 -08:00
static NTSTATUS add_new_domain_info ( struct smbldap_state * ldap_state ,
const char * domain_name )
2005-05-31 13:46:45 +00:00
{
2018-10-26 15:43:30 +02:00
struct dom_sid_buf sid_string ;
2005-05-31 13:46:45 +00:00
fstring algorithmic_rid_base_string ;
2007-11-15 14:19:52 -08:00
char * filter = NULL ;
char * dn = NULL ;
2005-05-31 13:46:45 +00:00
LDAPMod * * mods = NULL ;
int rc ;
LDAPMessage * result = NULL ;
int num_result ;
const char * * attr_list ;
2007-03-01 00:49:28 +00:00
char * escape_domain_name ;
/* escape for filter */
2009-07-09 22:03:52 +02:00
escape_domain_name = escape_ldap_string ( talloc_tos ( ) , domain_name ) ;
2007-03-01 00:49:28 +00:00
if ( ! escape_domain_name ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
2005-05-31 13:46:45 +00:00
2007-11-15 14:19:52 -08:00
if ( asprintf ( & filter , " (&(%s=%s)(objectclass=%s)) " ,
get_attr_key2string ( dominfo_attr_list , LDAP_ATTR_DOMAIN ) ,
escape_domain_name , LDAP_OBJ_DOMINFO ) < 0 ) {
2009-07-09 22:03:52 +02:00
TALLOC_FREE ( escape_domain_name ) ;
2007-11-15 14:19:52 -08:00
return NT_STATUS_NO_MEMORY ;
}
2007-03-01 00:49:28 +00:00
2009-07-09 22:03:52 +02:00
TALLOC_FREE ( escape_domain_name ) ;
2005-05-31 13:46:45 +00:00
2007-11-15 14:19:52 -08:00
attr_list = get_attr_list ( NULL , dominfo_attr_list ) ;
2005-05-31 13:46:45 +00:00
rc = smbldap_search_suffix ( ldap_state , filter , attr_list , & result ) ;
2006-02-20 17:59:58 +00:00
TALLOC_FREE ( attr_list ) ;
2007-11-15 14:19:52 -08:00
SAFE_FREE ( filter ) ;
2005-05-31 13:46:45 +00:00
if ( rc ! = LDAP_SUCCESS ) {
return NT_STATUS_UNSUCCESSFUL ;
}
2017-04-19 13:29:31 +02:00
num_result = ldap_count_entries ( smbldap_get_ldap ( ldap_state ) , result ) ;
2007-11-15 14:19:52 -08:00
2005-05-31 13:46:45 +00:00
if ( num_result > 1 ) {
2006-02-24 22:04:07 +00:00
DEBUG ( 0 , ( " add_new_domain_info: More than domain with that name exists: bailing "
2006-02-03 22:19:41 +00:00
" out! \n " ) ) ;
2005-05-31 13:46:45 +00:00
ldap_msgfree ( result ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
2007-11-15 14:19:52 -08:00
2005-05-31 13:46:45 +00:00
/* Check if we need to add an entry */
2006-02-24 22:04:07 +00:00
DEBUG ( 3 , ( " add_new_domain_info: Adding new domain \n " ) ) ;
2005-05-31 13:46:45 +00:00
2007-03-01 00:49:28 +00:00
/* this time escape for DN */
escape_domain_name = escape_rdn_val_string_alloc ( domain_name ) ;
if ( ! escape_domain_name ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
2007-11-15 14:19:52 -08:00
if ( asprintf ( & dn , " %s=%s,%s " ,
2006-02-03 22:19:41 +00:00
get_attr_key2string ( dominfo_attr_list , LDAP_ATTR_DOMAIN ) ,
2019-11-05 09:46:21 +01:00
escape_domain_name , lp_ldap_suffix ( ) ) < 0 ) {
2007-11-15 14:19:52 -08:00
SAFE_FREE ( escape_domain_name ) ;
return NT_STATUS_NO_MEMORY ;
}
2007-03-01 00:49:28 +00:00
SAFE_FREE ( escape_domain_name ) ;
2005-05-31 13:46:45 +00:00
/* Free original search */
ldap_msgfree ( result ) ;
2006-02-03 22:19:41 +00:00
/* make the changes - the entry *must* not already have samba
* attributes */
smbldap_set_mod ( & mods , LDAP_MOD_ADD ,
get_attr_key2string ( dominfo_attr_list ,
2007-11-15 14:19:52 -08:00
LDAP_ATTR_DOMAIN ) ,
2006-02-03 22:19:41 +00:00
domain_name ) ;
2005-05-31 13:46:45 +00:00
2006-02-03 22:19:41 +00:00
/* If we don't have an entry, then ask secrets.tdb for what it thinks.
2005-05-31 13:46:45 +00:00
It may choose to make it up */
2006-02-03 22:19:41 +00:00
smbldap_set_mod ( & mods , LDAP_MOD_ADD ,
get_attr_key2string ( dominfo_attr_list ,
LDAP_ATTR_DOM_SID ) ,
2018-10-26 15:43:30 +02:00
dom_sid_str_buf ( get_global_sam_sid ( ) , & sid_string ) ) ;
2006-02-03 22:19:41 +00:00
slprintf ( algorithmic_rid_base_string ,
sizeof ( algorithmic_rid_base_string ) - 1 , " %i " ,
algorithmic_rid_base ( ) ) ;
smbldap_set_mod ( & mods , LDAP_MOD_ADD ,
get_attr_key2string ( dominfo_attr_list ,
2007-11-15 14:19:52 -08:00
LDAP_ATTR_ALGORITHMIC_RID_BASE ) ,
2005-05-31 13:46:45 +00:00
algorithmic_rid_base_string ) ;
smbldap_set_mod ( & mods , LDAP_MOD_ADD , " objectclass " , LDAP_OBJ_DOMINFO ) ;
2007-11-15 14:19:52 -08:00
2006-02-03 22:19:41 +00:00
/* add the sambaNextUserRid attributes. */
2007-11-15 14:19:52 -08:00
2005-05-31 13:46:45 +00:00
{
2015-05-09 13:34:31 -07:00
uint32_t rid = BASE_RID ;
2005-05-31 13:46:45 +00:00
fstring rid_str ;
2007-11-15 14:19:52 -08:00
2006-02-03 22:19:41 +00:00
fstr_sprintf ( rid_str , " %i " , rid ) ;
2006-02-24 22:04:07 +00:00
DEBUG ( 10 , ( " add_new_domain_info: setting next available user rid [%s] \n " , rid_str ) ) ;
2007-11-15 14:19:52 -08:00
smbldap_set_mod ( & mods , LDAP_MOD_ADD ,
2006-02-03 22:19:41 +00:00
get_attr_key2string ( dominfo_attr_list ,
2007-11-15 14:19:52 -08:00
LDAP_ATTR_NEXT_USERRID ) ,
2005-05-31 13:46:45 +00:00
rid_str ) ;
}
2006-02-03 22:19:41 +00:00
rc = smbldap_add ( ldap_state , dn , mods ) ;
2005-05-31 13:46:45 +00:00
if ( rc ! = LDAP_SUCCESS ) {
char * ld_error = NULL ;
2017-04-19 13:29:31 +02:00
ldap_get_option ( smbldap_get_ldap ( ldap_state ) ,
2006-02-03 22:19:41 +00:00
LDAP_OPT_ERROR_STRING , & ld_error ) ;
2006-02-24 22:04:07 +00:00
DEBUG ( 1 , ( " add_new_domain_info: failed to add domain dn= %s with: %s \n \t %s \n " ,
2006-02-03 22:19:41 +00:00
dn , ldap_err2string ( rc ) ,
ld_error ? ld_error : " unknown " ) ) ;
2005-05-31 13:46:45 +00:00
SAFE_FREE ( ld_error ) ;
2007-11-15 14:19:52 -08:00
SAFE_FREE ( dn ) ;
2005-05-31 13:46:45 +00:00
ldap_mods_free ( mods , True ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
2006-02-24 22:04:07 +00:00
DEBUG ( 2 , ( " add_new_domain_info: added: domain = %s in the LDAP database \n " , domain_name ) ) ;
2005-05-31 13:46:45 +00:00
ldap_mods_free ( mods , True ) ;
2007-11-15 14:19:52 -08:00
SAFE_FREE ( dn ) ;
2005-05-31 13:46:45 +00:00
return NT_STATUS_OK ;
}
/**********************************************************************
Search for the domain info entry
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-24 22:04:07 +00:00
2005-05-31 13:46:45 +00:00
NTSTATUS smbldap_search_domain_info ( struct smbldap_state * ldap_state ,
LDAPMessage * * result , const char * domain_name ,
2007-10-18 17:40:25 -07:00
bool try_add )
2005-05-31 13:46:45 +00:00
{
2005-07-07 13:42:09 +00:00
NTSTATUS status = NT_STATUS_UNSUCCESSFUL ;
2007-11-15 14:19:52 -08:00
char * filter = NULL ;
2005-05-31 13:46:45 +00:00
int rc ;
const char * * attr_list ;
int count ;
2007-03-01 00:49:28 +00:00
char * escape_domain_name ;
2007-11-15 14:19:52 -08:00
2009-07-09 22:03:52 +02:00
escape_domain_name = escape_ldap_string ( talloc_tos ( ) , domain_name ) ;
2007-03-01 00:49:28 +00:00
if ( ! escape_domain_name ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
2005-05-31 13:46:45 +00:00
2007-11-15 14:19:52 -08:00
if ( asprintf ( & filter , " (&(objectClass=%s)(%s=%s)) " ,
2005-05-31 13:46:45 +00:00
LDAP_OBJ_DOMINFO ,
2007-11-15 14:19:52 -08:00
get_attr_key2string ( dominfo_attr_list , LDAP_ATTR_DOMAIN ) ,
escape_domain_name ) < 0 ) {
2009-07-09 22:03:52 +02:00
TALLOC_FREE ( escape_domain_name ) ;
2007-11-15 14:19:52 -08:00
return NT_STATUS_NO_MEMORY ;
}
2007-03-01 00:49:28 +00:00
2009-07-09 22:03:52 +02:00
TALLOC_FREE ( escape_domain_name ) ;
2005-05-31 13:46:45 +00:00
2006-02-24 22:04:07 +00:00
DEBUG ( 2 , ( " smbldap_search_domain_info: Searching for:[%s] \n " , filter ) ) ;
2005-05-31 13:46:45 +00:00
2006-02-03 22:19:41 +00:00
attr_list = get_attr_list ( NULL , dominfo_attr_list ) ;
2005-05-31 13:46:45 +00:00
rc = smbldap_search_suffix ( ldap_state , filter , attr_list , result ) ;
2006-02-20 17:59:58 +00:00
TALLOC_FREE ( attr_list ) ;
2005-05-31 13:46:45 +00:00
if ( rc ! = LDAP_SUCCESS ) {
2006-02-24 22:04:07 +00:00
DEBUG ( 2 , ( " smbldap_search_domain_info: Problem during LDAPsearch: %s \n " , ldap_err2string ( rc ) ) ) ;
2019-11-05 09:46:21 +01:00
DEBUG ( 2 , ( " smbldap_search_domain_info: Query was: %s, %s \n " , lp_ldap_suffix ( ) , filter ) ) ;
2005-07-07 13:42:09 +00:00
goto failed ;
}
2007-11-15 14:19:52 -08:00
SAFE_FREE ( filter ) ;
2017-04-19 13:29:31 +02:00
count = ldap_count_entries ( smbldap_get_ldap ( ldap_state ) , * result ) ;
2005-07-07 13:42:09 +00:00
2007-11-15 14:19:52 -08:00
if ( count = = 1 ) {
2005-07-07 13:42:09 +00:00
return NT_STATUS_OK ;
2007-11-15 14:19:52 -08:00
}
2005-07-07 13:42:09 +00:00
ldap_msgfree ( * result ) ;
* result = NULL ;
2007-11-15 14:19:52 -08:00
2005-07-07 13:42:09 +00:00
if ( count < 1 ) {
2006-02-24 22:04:07 +00:00
DEBUG ( 3 , ( " smbldap_search_domain_info: Got no domain info entries for domain \n " ) ) ;
2005-07-07 13:42:09 +00:00
if ( ! try_add )
goto failed ;
status = add_new_domain_info ( ldap_state , domain_name ) ;
2005-07-07 14:19:51 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2011-10-17 18:00:01 +02:00
DEBUG ( 0 , ( " smbldap_search_domain_info: Adding domain info for %s failed with %s \n " ,
2005-07-07 13:42:09 +00:00
domain_name , nt_errstr ( status ) ) ) ;
goto failed ;
2005-05-31 13:46:45 +00:00
}
2007-11-15 14:19:52 -08:00
2005-09-30 17:13:37 +00:00
status = add_new_domain_account_policies ( ldap_state , domain_name ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2011-10-17 18:00:01 +02:00
DEBUG ( 0 , ( " smbldap_search_domain_info: Adding domain account policies for %s failed with %s \n " ,
2005-09-30 17:13:37 +00:00
domain_name , nt_errstr ( status ) ) ) ;
goto failed ;
}
2005-07-07 13:42:09 +00:00
return smbldap_search_domain_info ( ldap_state , result , domain_name , False ) ;
2007-11-15 14:19:52 -08:00
2011-10-17 18:00:01 +02:00
}
2005-07-07 13:42:09 +00:00
if ( count > 1 ) {
2011-10-17 18:00:01 +02:00
2006-02-24 22:04:07 +00:00
DEBUG ( 0 , ( " smbldap_search_domain_info: Got too many (%d) domain info entries for domain %s \n " ,
2005-05-31 13:46:45 +00:00
count , domain_name ) ) ;
2005-07-07 13:42:09 +00:00
goto failed ;
2005-05-31 13:46:45 +00:00
}
2005-07-07 13:42:09 +00:00
failed :
return status ;
2005-05-31 13:46:45 +00:00
}