2003-08-13 05:53:07 +04:00
/*
Unix SMB / CIFS implementation .
Copyright ( C ) Andrew Tridgell 1992 - 2001
Copyright ( C ) Andrew Bartlett 2002
Copyright ( C ) Rafal Szczesniak 2002
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2003-08-13 05:53:07 +04:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2003-08-13 05:53:07 +04:00
*/
/* the Samba secrets database stores any generated, private information
such as the local SID and machine trust password */
# include "includes.h"
2004-11-02 09:14:15 +03:00
# include "secrets.h"
2006-03-20 03:28:12 +03:00
# include "param/param.h"
2005-02-10 08:09:35 +03:00
# include "system/filesys.h"
2011-05-04 04:28:15 +04:00
# include "lib/util/tdb_wrap.h"
2010-06-23 15:15:43 +04:00
# include "lib/ldb-samba/ldb_wrap.h"
2011-02-10 06:12:51 +03:00
# include <ldb.h>
2008-10-11 23:31:42 +04:00
# include "../lib/util/util_tdb.h"
2007-12-06 23:16:40 +03:00
# include "librpc/gen_ndr/ndr_security.h"
2010-02-18 02:54:53 +03:00
# include "dsdb/samdb/samdb.h"
2003-08-13 05:53:07 +04:00
2004-07-14 16:14:07 +04:00
/**
* Use a TDB to store an incrementing random seed .
*
* Initialised to the current pid , the very first time Samba starts ,
* and incremented by one each time it is needed .
*
* @ note Not called by systems with a working / dev / urandom .
*/
2008-04-01 17:26:00 +04:00
static void get_rand_seed ( struct tdb_wrap * secretsdb , int * new_seed )
2004-07-14 16:14:07 +04:00
{
* new_seed = getpid ( ) ;
2008-04-01 17:26:00 +04:00
if ( secretsdb ! = NULL ) {
tdb_change_int32_atomic ( secretsdb - > tdb , " INFO/random_seed " , new_seed , 1 ) ;
2004-07-14 16:14:07 +04:00
}
}
2007-11-26 04:31:53 +03:00
/**
2011-05-03 07:24:10 +04:00
* open up the randseed database and set the random number generator callback
2007-11-26 04:31:53 +03:00
*/
2011-05-03 07:24:10 +04:00
bool randseed_init ( TALLOC_CTX * mem_ctx , struct loadparm_context * lp_ctx )
2003-08-13 05:53:07 +04:00
{
2005-09-26 20:57:08 +04:00
char * fname ;
2004-11-25 23:01:47 +03:00
uint8_t dummy ;
2008-04-01 17:26:00 +04:00
struct tdb_wrap * tdb ;
2003-08-13 05:53:07 +04:00
2011-05-03 07:24:10 +04:00
fname = lpcfg_private_path ( mem_ctx , lp_ctx , " randseed.tdb " ) ;
2003-08-13 05:53:07 +04:00
2011-10-12 16:01:08 +04:00
tdb = tdb_wrap_open ( mem_ctx , fname , 0 , TDB_DEFAULT , O_RDWR | O_CREAT , 0600 , lp_ctx ) ;
2003-08-13 05:53:07 +04:00
if ( ! tdb ) {
DEBUG ( 0 , ( " Failed to open %s \n " , fname ) ) ;
2007-11-26 04:31:53 +03:00
talloc_free ( fname ) ;
2011-05-03 07:24:10 +04:00
return false ;
2003-08-13 05:53:07 +04:00
}
2007-11-26 04:31:53 +03:00
talloc_free ( fname ) ;
2004-07-14 16:14:07 +04:00
/**
* Set a reseed function for the crypto random generator
*
* This avoids a problem where systems without / dev / urandom
* could send the same challenge to multiple clients
*/
2008-04-01 17:26:00 +04:00
set_rand_reseed_callback ( ( void ( * ) ( void * , int * ) ) get_rand_seed , tdb ) ;
2004-07-14 16:14:07 +04:00
/* Ensure that the reseed is done now, while we are root, etc */
generate_random_buffer ( & dummy , sizeof ( dummy ) ) ;
2011-05-03 07:24:10 +04:00
return true ;
2003-08-13 05:53:07 +04:00
}
2007-11-26 04:31:53 +03:00
/**
connect to the secrets ldb
2005-01-11 17:04:58 +03:00
*/
2008-06-14 19:24:17 +04:00
struct ldb_context * secrets_db_connect ( TALLOC_CTX * mem_ctx ,
struct loadparm_context * lp_ctx )
2005-01-11 17:04:58 +03:00
{
2011-06-02 09:47:44 +04:00
return ldb_wrap_connect ( mem_ctx , NULL , lp_ctx , " secrets.ldb " ,
2010-06-23 15:15:43 +04:00
NULL , NULL , 0 ) ;
2005-01-11 17:04:58 +03:00
}
2007-11-26 04:31:53 +03:00
/**
* Retrieve the domain SID from the secrets database .
* @ return pointer to a SID object if the SID could be obtained , NULL otherwise
*/
2005-09-26 01:01:56 +04:00
struct dom_sid * secrets_get_domain_sid ( TALLOC_CTX * mem_ctx ,
2007-12-03 17:53:17 +03:00
struct loadparm_context * lp_ctx ,
2010-02-18 02:54:53 +03:00
const char * domain ,
2010-09-13 06:15:52 +04:00
enum netr_SchannelType * sec_channel_type ,
2010-02-18 02:54:53 +03:00
char * * errstring )
2005-09-26 01:01:56 +04:00
{
struct ldb_context * ldb ;
2010-02-18 02:54:53 +03:00
struct ldb_message * msg ;
2005-09-26 01:01:56 +04:00
int ldb_ret ;
2010-09-13 06:15:52 +04:00
const char * attrs [ ] = { " objectSid " , " secureChannelType " , NULL } ;
2005-09-26 01:01:56 +04:00
struct dom_sid * result = NULL ;
2007-12-06 23:16:40 +03:00
const struct ldb_val * v ;
enum ndr_err_code ndr_err ;
2010-09-13 06:15:52 +04:00
2010-02-18 02:54:53 +03:00
* errstring = NULL ;
2005-09-26 01:01:56 +04:00
2010-10-11 09:43:07 +04:00
ldb = secrets_db_connect ( mem_ctx , lp_ctx ) ;
2005-09-26 01:01:56 +04:00
if ( ldb = = NULL ) {
DEBUG ( 5 , ( " secrets_db_connect failed \n " ) ) ;
2006-07-07 05:59:43 +04:00
return NULL ;
2005-09-26 01:01:56 +04:00
}
2010-02-18 02:54:53 +03:00
ldb_ret = dsdb_search_one ( ldb , ldb , & msg ,
ldb_dn_new ( mem_ctx , ldb , SECRETS_PRIMARY_DOMAIN_DN ) ,
LDB_SCOPE_ONELEVEL ,
attrs , 0 , SECRETS_PRIMARY_DOMAIN_FILTER , domain ) ;
2005-09-26 01:01:56 +04:00
2010-02-18 02:54:53 +03:00
if ( ldb_ret ! = LDB_SUCCESS ) {
2010-02-19 03:14:15 +03:00
* errstring = talloc_asprintf ( mem_ctx , " Failed to find record for %s in %s: %s: %s " ,
2010-04-06 16:52:38 +04:00
domain , ( char * ) ldb_get_opaque ( ldb , " ldb_url " ) ,
2010-02-19 03:14:15 +03:00
ldb_strerror ( ldb_ret ) , ldb_errstring ( ldb ) ) ;
2006-07-07 05:59:43 +04:00
return NULL ;
2005-09-26 01:01:56 +04:00
}
2010-02-18 02:54:53 +03:00
v = ldb_msg_find_ldb_val ( msg , " objectSid " ) ;
2007-12-06 23:16:40 +03:00
if ( v = = NULL ) {
2010-02-19 03:14:15 +03:00
* errstring = talloc_asprintf ( mem_ctx , " Failed to find a SID on record for %s in %s " ,
2010-04-06 16:52:38 +04:00
domain , ( char * ) ldb_get_opaque ( ldb , " ldb_url " ) ) ;
2007-12-06 23:16:40 +03:00
return NULL ;
}
2010-09-13 06:15:52 +04:00
if ( sec_channel_type ) {
2010-09-14 07:12:00 +04:00
int t ;
t = ldb_msg_find_attr_as_int ( msg , " secureChannelType " , - 1 ) ;
if ( t = = - 1 ) {
2010-09-13 06:15:52 +04:00
* errstring = talloc_asprintf ( mem_ctx , " Failed to find secureChannelType for %s in %s " ,
domain , ( char * ) ldb_get_opaque ( ldb , " ldb_url " ) ) ;
return NULL ;
}
2010-09-14 07:12:00 +04:00
* sec_channel_type = t ;
2010-09-13 06:15:52 +04:00
}
2007-12-06 23:16:40 +03:00
result = talloc ( mem_ctx , struct dom_sid ) ;
if ( result = = NULL ) {
talloc_free ( ldb ) ;
return NULL ;
}
2010-05-09 19:20:01 +04:00
ndr_err = ndr_pull_struct_blob ( v , result , result ,
2007-12-06 23:16:40 +03:00
( ndr_pull_flags_fn_t ) ndr_pull_dom_sid ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
2010-02-19 03:14:15 +03:00
* errstring = talloc_asprintf ( mem_ctx , " Failed to parse SID on record for %s in %s " ,
2010-04-06 16:52:38 +04:00
domain , ( char * ) ldb_get_opaque ( ldb , " ldb_url " ) ) ;
2007-12-06 23:16:40 +03:00
talloc_free ( result ) ;
2006-07-07 05:59:43 +04:00
talloc_free ( ldb ) ;
return NULL ;
2005-09-26 01:01:56 +04:00
}
return result ;
}
2010-09-23 11:01:44 +04:00
char * keytab_name_from_msg ( TALLOC_CTX * mem_ctx , struct ldb_context * ldb , struct ldb_message * msg )
{
const char * krb5keytab = ldb_msg_find_attr_as_string ( msg , " krb5Keytab " , NULL ) ;
if ( krb5keytab ) {
return talloc_strdup ( mem_ctx , krb5keytab ) ;
} else {
char * file_keytab ;
char * relative_path ;
const char * privateKeytab = ldb_msg_find_attr_as_string ( msg , " privateKeytab " , NULL ) ;
if ( ! privateKeytab ) {
return NULL ;
}
2010-10-11 01:45:23 +04:00
relative_path = ldb_relative_path ( ldb , mem_ctx , privateKeytab ) ;
2010-09-23 11:01:44 +04:00
if ( ! relative_path ) {
return NULL ;
}
file_keytab = talloc_asprintf ( mem_ctx , " FILE:%s " , relative_path ) ;
talloc_free ( relative_path ) ;
return file_keytab ;
}
return NULL ;
}