auth: Split out fetching trusted domain into sam_get_results_trust()
This new helper function will also be used by pdb_samba_dsdb. Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
parent
36085a222c
commit
80be6993c9
@ -560,6 +560,80 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
NTSTATUS sam_get_results_trust(struct ldb_context *sam_ctx,
|
||||
TALLOC_CTX *mem_ctx, const char *domain,
|
||||
const char *realm, const char * const *attrs,
|
||||
struct ldb_message **msg)
|
||||
{
|
||||
TALLOC_CTX *frame = talloc_stackframe();
|
||||
int lret;
|
||||
struct ldb_dn *system_dn;
|
||||
char *filter;
|
||||
struct ldb_result *res = NULL;
|
||||
char *domain_encoded;
|
||||
|
||||
system_dn = ldb_dn_copy(frame, ldb_get_default_basedn(sam_ctx));
|
||||
if (system_dn == NULL) {
|
||||
TALLOC_FREE(frame);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
if (!ldb_dn_add_child_fmt(system_dn, "CN=System")) {
|
||||
TALLOC_FREE(frame);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
domain_encoded = ldb_binary_encode_string(mem_ctx, domain);
|
||||
if (!domain_encoded) {
|
||||
TALLOC_FREE(frame);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
if (realm == NULL) {
|
||||
filter = talloc_asprintf(mem_ctx,
|
||||
"(&(objectClass=trustedDomain)(flatname=%s))",
|
||||
domain_encoded);
|
||||
if (!filter) {
|
||||
TALLOC_FREE(frame);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
} else {
|
||||
char *realm_encoded = ldb_binary_encode_string(mem_ctx, realm);
|
||||
if (!realm_encoded) {
|
||||
TALLOC_FREE(frame);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
filter = talloc_asprintf(mem_ctx,
|
||||
"(&(objectClass=trustedDomain)"
|
||||
"(|(trustPartner=%s)(flatname=%s))"
|
||||
")",
|
||||
realm_encoded, domain_encoded);
|
||||
if (!filter) {
|
||||
TALLOC_FREE(frame);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
}
|
||||
|
||||
lret = dsdb_search(sam_ctx, frame, &res,
|
||||
system_dn,
|
||||
LDB_SCOPE_ONELEVEL, attrs,
|
||||
DSDB_SEARCH_NO_GLOBAL_CATALOG|DSDB_SEARCH_ONE_ONLY,
|
||||
"%s", filter);
|
||||
if (lret == LDB_ERR_NO_SUCH_OBJECT) {
|
||||
DEBUG(3, ("Failed to find result for %s: %s\n", filter, ldb_errstring(sam_ctx)));
|
||||
TALLOC_FREE(frame);
|
||||
return NT_STATUS_NOT_FOUND;
|
||||
} else if (lret != LDB_SUCCESS) {
|
||||
DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(sam_ctx)));
|
||||
TALLOC_FREE(frame);
|
||||
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
||||
}
|
||||
talloc_steal(mem_ctx, res->msgs);
|
||||
*msg = res->msgs[0];
|
||||
TALLOC_FREE(frame);
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack.
|
||||
|
||||
Supply either a principal or a DN
|
||||
|
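Review bot: The escaped strings and the search filter in `sam_get_results_trust()` are allocated on the caller's `mem_ctx` instead of the local `frame`, so `domain_encoded`, `realm_encoded` and `filter` survive every `TALLOC_FREE(frame)` exit and stay attached to the caller's context until the caller frees it. Only `res->msgs` has to outlive the function, so the three temporaries can use the stack frame: `domain_encoded = ldb_binary_encode_string(frame, domain);`, `char *realm_encoded = ldb_binary_encode_string(frame, realm);` and `filter = talloc_asprintf(frame, ...)`. A short comment above the encode calls would also help, stating that `domain` and `realm` are caller-supplied names and are escaped before being placed into the LDAP filter, so that a later refactor does not drop the escaping.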
@ -1079,47 +1079,25 @@ static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_c
|
||||
struct ldb_dn *realm_dn,
|
||||
struct ldb_message **pmsg)
|
||||
{
|
||||
int lret;
|
||||
krb5_error_code ret;
|
||||
char *filter = NULL;
|
||||
NTSTATUS status;
|
||||
const char * const *attrs = trust_attrs;
|
||||
|
||||
struct ldb_result *res = NULL;
|
||||
char *realm_encoded = ldb_binary_encode_string(mem_ctx, realm);
|
||||
if (!realm_encoded) {
|
||||
if (!filter) {
|
||||
ret = ENOMEM;
|
||||
krb5_set_error_message(context, ret, "talloc_asprintf: out of memory");
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(|(flatname=%s)(trustPartner=%s)))",
|
||||
realm_encoded, realm_encoded);
|
||||
|
||||
if (!filter) {
|
||||
talloc_free(realm_encoded);
|
||||
ret = ENOMEM;
|
||||
krb5_set_error_message(context, ret, "talloc_asprintf: out of memory");
|
||||
status = sam_get_results_trust(ldb_ctx,
|
||||
mem_ctx, realm, realm, attrs,
|
||||
pmsg);
|
||||
if (NT_STATUS_IS_OK(status)) {
|
||||
return 0;
|
||||
} else if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
|
||||
return HDB_ERR_NOENTRY;
|
||||
} else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
|
||||
int ret = ENOMEM;
|
||||
krb5_set_error_message(context, ret, "get_sam_result_trust: out of memory");
|
||||
return ret;
|
||||
} else {
|
||||
int ret = EINVAL;
|
||||
krb5_set_error_message(context, ret, "get_sam_result_trust: %s", nt_errstr(status));
|
||||
return ret;
|
||||
}
|
||||
|
||||
lret = dsdb_search(ldb_ctx, mem_ctx, &res,
|
||||
ldb_get_default_basedn(ldb_ctx),
|
||||
LDB_SCOPE_SUBTREE, attrs,
|
||||
DSDB_SEARCH_NO_GLOBAL_CATALOG,
|
||||
"%s", filter);
|
||||
if (lret != LDB_SUCCESS) {
|
||||
DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx)));
|
||||
return HDB_ERR_NOENTRY;
|
||||
} else if (res->count == 0 || res->count > 1) {
|
||||
DEBUG(3, ("Failed find a single entry for %s: got %d\n", filter, res->count));
|
||||
talloc_free(res);
|
||||
return HDB_ERR_NOENTRY;
|
||||
}
|
||||
talloc_steal(mem_ctx, res->msgs);
|
||||
*pmsg = res->msgs[0];
|
||||
talloc_free(res);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static krb5_error_code samba_kdc_lookup_client(krb5_context context,
|
||||
|
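Review bot: The two `krb5_set_error_message()` strings in the new error branches name `get_sam_result_trust`, but the helper actually called is `sam_get_results_trust`, so someone triaging a KDC error by searching for the message prefix will not find the function; the strings should read `"sam_get_results_trust: out of memory"` and `"sam_get_results_trust: %s"`. As far as the rendered page lets old and new lines be told apart, the previous body returned HDB_ERR_NOENTRY for every search failure and for a non-unique match, whereas the final `else` now returns EINVAL for any status other than not-found or no-memory. If that change in what the KDC reports for a failed or ambiguous trust lookup is intended, a one-line comment on the `else` branch saying so would make it explicit. The signature of `samba_kdc_lookup_trust()` begins above the hunk.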