diff --git a/source3/Makefile.in b/source3/Makefile.in index a06c8c7c098..3ef754182ba 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -1037,6 +1037,7 @@ PDBEDIT_OBJ = utils/pdbedit.o $(PASSWD_UTIL_OBJ) $(PARAM_OBJ) $(PASSDB_OBJ) \ $(LIBSAMBA_OBJ) $(LIBTSOCKET_OBJ) \ $(LIB_NONSMBD_OBJ) $(GROUPDB_OBJ) \ $(LIBCLI_LDAP_NDR_OBJ) \ + $(DRSUAPI_OBJ) $(LIBNDR_GEN_OBJ0) \ $(POPT_LIB_OBJ) $(SMBLDAP_OBJ) ../lib/util/asn1.o SMBGET_OBJ = utils/smbget.o $(POPT_LIB_OBJ) $(LIBSMBCLIENT_OBJ1) @@ -1320,6 +1321,7 @@ PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \ pam_smbpass/pam_smb_acct.o pam_smbpass/support.o ../lib/util/asn1.o PAM_SMBPASS_OBJ = $(PAM_SMBPASS_OBJ_0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \ $(SMBLDAP_OBJ) $(LIBSAMBA_OBJ) \ + $(DRSUAPI_OBJ) $(LIBNDR_GEN_OBJ0) \ $(LIBTSOCKET_OBJ) $(PAM_ERRORS_OBJ) IDMAP_RW_OBJ = winbindd/idmap_rw.o @@ -1502,6 +1504,7 @@ NTLM_AUTH_OBJ = ${NTLM_AUTH_OBJ1} $(LIBSAMBA_OBJ) $(POPT_LIB_OBJ) \ $(SMBLDAP_OBJ) $(LIBNMB_OBJ) \ $(WBCOMMON_OBJ) \ $(LIBCLI_LDAP_NDR_OBJ) \ + $(DRSUAPI_OBJ) \ $(LIBNDR_GEN_OBJ0) $(LIBNDR_NETLOGON_OBJ) @BUILD_INIPARSER@ @@ -1871,11 +1874,11 @@ bin/smbpasswd@EXEEXT@: $(BINARY_PREREQS) $(SMBPASSWD_OBJ) @BUILD_POPT@ $(LIBTALL $(DYNEXP) $(LIBS) $(POPT_LIBS) $(KRB5LIBS) $(LDAP_LIBS) \ $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) $(ZLIB_LIBS) -bin/pdbedit@EXEEXT@: $(BINARY_PREREQS) $(PDBEDIT_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT) +bin/pdbedit@EXEEXT@: $(BINARY_PREREQS) $(PDBEDIT_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT) $(ZLIB_LIBS) @echo Linking $@ @$(CC) -o $@ $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \ $(POPT_LIBS) $(PASSDB_LIBS) $(LDAP_LIBS) $(LIBTALLOC_LIBS) \ - $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) + $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) $(ZLIB_LIBS) bin/smbget@EXEEXT@: $(BINARY_PREREQS) $(SMBGET_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT) @echo Linking $@ 
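Review bot: `$(ZLIB_LIBS)` is appended to the prerequisite list of `bin/pdbedit@EXEEXT@` (and, in the next hunks, of `bin/ntlm_auth@EXEEXT@` and `bin/pam_smbpass.@SHLIBEXT@`), but it is a linker-flag variable rather than a file: with a value like `-lz` GNU make only resolves it through `.LIBPATTERNS` in the standard library directories, and a value carrying `-L<dir>` fails with "No rule to make target". The additions to the link recipes are presumably what the new `$(DRSUAPI_OBJ)`/`$(LIBNDR_GEN_OBJ0)` objects need; unless Makefile.in already lists `$(ZLIB_LIBS)` as a prerequisite elsewhere, keep the rule header as `bin/pdbedit@EXEEXT@: $(BINARY_PREREQS) $(PDBEDIT_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT)` and leave the flag in the recipe only. The `bin/smbpasswd@EXEEXT@` rule shown at the top of this hunk begins above it.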
@@ -3115,17 +3118,17 @@ bin/wbinfo@EXEEXT@: $(BINARY_PREREQS) $(WBINFO_OBJ) @BUILD_POPT@ $(LIBTALLOC) $( $(LIBWBCLIENT_LIBS) bin/ntlm_auth@EXEEXT@: $(BINARY_PREREQS) $(NTLM_AUTH_OBJ) $(PARAM_OBJ) \ - $(LIB_NONSMBD_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT) + $(LIB_NONSMBD_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT) $(ZLIB_LIBS) @echo Linking $@ @$(CC) -o $@ $(LDFLAGS) $(DYNEXP) $(NTLM_AUTH_OBJ) \ - $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBS) \ + $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBS) $(ZLIB_LIBS) \ $(POPT_LIBS) $(KRB5LIBS) $(LDAP_LIBS) $(NSCD_LIBS) \ $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) @INIPARSERLIBS@ -bin/pam_smbpass.@SHLIBEXT@: $(BINARY_PREREQS) $(PAM_SMBPASS_OBJ) $(LIBCLI_LDAP_NDR_OBJ) $(LIBTALLOC) $(LIBWBCLIENT) $(LIBTDB) +bin/pam_smbpass.@SHLIBEXT@: $(BINARY_PREREQS) $(PAM_SMBPASS_OBJ) $(LIBCLI_LDAP_NDR_OBJ) $(LIBTALLOC) $(LIBWBCLIENT) $(LIBTDB) $(ZLIB_LIBS) @echo "Linking shared library $@" @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_SMBPASS_OBJ) $(LIBCLI_LDAP_NDR_OBJ) -lpam $(DYNEXP) \ - $(LIBS) $(LDAP_LIBS) $(NSCD_LIBS) \ + $(LIBS) $(LDAP_LIBS) $(NSCD_LIBS) $(ZLIB_LIBS) \ $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) bin/tdbbackup@EXEEXT@: $(BINARY_PREREQS) $(TDBBACKUP_OBJ) $(LIBTALLOC) $(LIBTDB) diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index b3d62bc61cb..94ed355e2c5 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -25,6 +25,8 @@ #include "passdb.h" #include "secrets.h" #include "../librpc/gen_ndr/samr.h" +#include "../librpc/gen_ndr/drsblobs.h" +#include "../librpc/gen_ndr/ndr_drsblobs.h" #include "memcache.h" #include "nsswitch/winbind_client.h" #include "../libcli/security/security.h" 
@@ -2144,7 +2146,62 @@ static NTSTATUS pdb_default_get_trusted_domain(struct pdb_methods *methods,
 const char *domain,
 struct pdb_trusted_domain **td)
 {
- return NT_STATUS_NOT_IMPLEMENTED;
+ struct trustAuthInOutBlob taiob;
+ struct AuthenticationInformation aia;
+ struct pdb_trusted_domain *tdom;
+ enum ndr_err_code ndr_err;
+ time_t last_set_time;
+ char *pwd;
+ bool ok;
+
+ tdom = talloc(mem_ctx, struct pdb_trusted_domain);
+ if (!tdom) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ tdom->domain_name = talloc_strdup(tdom, domain);
+ tdom->netbios_name = talloc_strdup(tdom, domain);
+ if (!tdom->domain_name || !tdom->netbios_name) {
+ talloc_free(tdom);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ tdom->trust_auth_incoming = data_blob_null;
+
+ ok = pdb_get_trusteddom_pw(domain, &pwd, &tdom->security_identifier,
+ &last_set_time);
+ if (!ok) {
+ talloc_free(tdom);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ ZERO_STRUCT(taiob);
+ ZERO_STRUCT(aia);
+ taiob.count = 1;
+ taiob.current.count = 1;
+ taiob.current.array = &aia;
+ unix_to_nt_time(&aia.LastUpdateTime, last_set_time);
+ aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
+ aia.AuthInfo.clear.password = (uint8_t *) pwd;
+ aia.AuthInfo.clear.size = strlen(pwd);
+ taiob.previous.count = 0;
+ taiob.previous.array = NULL;
+
+ ndr_err = ndr_push_struct_blob(&tdom->trust_auth_outgoing,
+ tdom, &taiob,
+ (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ talloc_free(tdom);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ tdom->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
+ tdom->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
+ tdom->trust_attributes = 0;
+ tdom->trust_forest_trust_info = data_blob_null;
+
+ *td = tdom;
+ return NT_STATUS_OK;
 }
 static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
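Review bot: `pwd`, the cleartext trust password handed back by `pdb_get_trusteddom_pw`, is copied into the NDR blob and then abandoned: it is neither released nor wiped, so if that call returns a heap copy (the secrets-backed default in this tree has used a malloc'd strdup for it) every `get_trusted_domain` call leaves a secret behind in process memory. Release it right after the `ndr_push_struct_blob` call, on both the success and the failure path, e.g. `memset(pwd, 0, strlen(pwd)); SAFE_FREE(pwd);`, adjusted to whatever allocator `pdb_get_trusteddom_pw` actually uses. A short comment above `*td = tdom;` saying that `trust_auth_outgoing` now carries the cleartext password and that callers own `tdom` would make the lifetime expectations explicit. The function's signature starts above this hunk.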
@@ -2155,11 +2212,54 @@ static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *method
 return NT_STATUS_NOT_IMPLEMENTED;
 }
+#define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
+
 static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
 const char* domain,
 const struct pdb_trusted_domain *td)
 {
- return NT_STATUS_NOT_IMPLEMENTED;
+ struct trustAuthInOutBlob taiob;
+ struct AuthenticationInformation *aia;
+ enum ndr_err_code ndr_err;
+ char *pwd;
+ bool ok;
+
+ if (td->trust_attributes != 0 ||
+ td->trust_type != LSA_TRUST_TYPE_DOWNLEVEL ||
+ td->trust_direction != LSA_TRUST_DIRECTION_OUTBOUND ||
+ !IS_NULL_DATA_BLOB(td->trust_auth_incoming) ||
+ !IS_NULL_DATA_BLOB(td->trust_forest_trust_info)) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ ZERO_STRUCT(taiob);
+ ndr_err = ndr_pull_struct_blob(&td->trust_auth_outgoing, talloc_tos(),
+ &taiob,
+ (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ aia = (struct AuthenticationInformation *) taiob.current.array;
+
+ if (taiob.count != 1 || taiob.current.count != 1 ||
+ taiob.previous.count != 0 ||
+ aia->AuthType != TRUST_AUTH_TYPE_CLEAR) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ pwd = talloc_strndup(talloc_tos(), (char *) aia->AuthInfo.clear.password,
+ aia->AuthInfo.clear.size);
+ if (!pwd) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ok = pdb_set_trusteddom_pw(domain, pwd, &td->security_identifier);
+ if (!ok) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return NT_STATUS_OK;
 }
 static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index 7ab20c76926..33419db2753 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
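Review bot: `pwd` and the pulled `taiob` (whose `current.array` holds the same bytes) carry a cleartext trust password on `talloc_tos()` and are never released by pdb_default_set_trusted_domain, so the secret stays in memory until whoever owns the current stackframe frees it; `talloc_free(pwd);` after `pdb_set_trusteddom_pw` on both the failure and the success path, or a local `talloc_stackframe()` released before each return, keeps that lifetime bounded to this call. Separately, `talloc_strndup` stops at the first NUL byte inside `AuthInfo.clear.password`: if a caller ever supplies this blob with a UTF-16LE cleartext (the usual wire form for TRUST_AUTH_TYPE_CLEAR), the stored password would be truncated to a single byte, so a comment above the `talloc_strndup` call stating that the clear password is expected as a NUL-free byte string matching what get_trusted_domain produces would document the assumption the round trip relies on. The `IS_NULL_DATA_BLOB` macro is introduced between two functions; it reads more naturally with the file's other definitions near the includes.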
@@ -24,6 +24,14 @@
 #include "popt_common.h"
 #include "passdb.h"
+#include "../librpc/gen_ndr/drsblobs.h"
+#include "../librpc/gen_ndr/ndr_drsblobs.h"
+#include "../libcli/security/dom_sid.h"
+
+#define TRUST_DOM "trustdom"
+#define TRUST_PWD "trustpwd1232"
+#define TRUST_SID "S-1-5-21-1111111111-2222222222-3333333333"
+
 static bool samu_correct(struct samu *s1, struct samu *s2)
 {
 bool ret = True;
@@ -366,6 +374,81 @@ int main(int argc, char **argv)
 get_friendly_nt_error_msg(rv));
 }
+ /* test trustdom calls */
+ struct pdb_trusted_domain *td;
+ struct pdb_trusted_domain *new_td;
+ struct trustAuthInOutBlob taiob;
+ struct AuthenticationInformation aia;
+ enum ndr_err_code ndr_err;
+
+ td = talloc_zero(ctx ,struct pdb_trusted_domain);
+ if (!td) {
+ fprintf(stderr, "talloc failed\n");
+ exit(1);
+ }
+
+ td->domain_name = talloc_strdup(td, TRUST_DOM);
+ td->netbios_name = talloc_strdup(td, TRUST_DOM);
+ if (!td->domain_name || !td->netbios_name) {
+ fprintf(stderr, "talloc failed\n");
+ exit(1);
+ }
+
+ td->trust_auth_incoming = data_blob_null;
+
+ ZERO_STRUCT(taiob);
+ ZERO_STRUCT(aia);
+ taiob.count = 1;
+ taiob.current.count = 1;
+ taiob.current.array = &aia;
+ unix_to_nt_time(&aia.LastUpdateTime, time(NULL));
+ aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
+ aia.AuthInfo.clear.password = (uint8_t *) talloc_strdup(ctx, TRUST_PWD);
+ aia.AuthInfo.clear.size = strlen(TRUST_PWD);
+
+ taiob.previous.count = 0;
+ taiob.previous.array = NULL;
+
+ ndr_err = ndr_push_struct_blob(&td->trust_auth_outgoing,
+ td, &taiob,
+ (ndr_push_flags_fn_t) ndr_push_trustAuthInOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ fprintf(stderr, "ndr_push_struct_blob failed.\n");
+ exit(1);
+ }
+
+ td->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
+ td->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
+ td->trust_attributes = 0;
+ td->trust_forest_trust_info = data_blob_null;
+
+ rv = pdb->set_trusted_domain(pdb, TRUST_DOM, td);
+ if (!NT_STATUS_IS_OK(rv)) {
+ fprintf(stderr, "Error in set_trusted_domain %s\n",
+ get_friendly_nt_error_msg(rv));
+ error = True;
+ }
+
+ rv = pdb->get_trusted_domain(pdb, ctx, TRUST_DOM, &new_td);
+ if (!NT_STATUS_IS_OK(rv)) {
+ fprintf(stderr, "Error in set_trusted_domain %s\n",
+ get_friendly_nt_error_msg(rv));
+ error = True;
+ }
+
+ if (!strequal(td->domain_name, new_td->domain_name) ||
+ !strequal(td->netbios_name, new_td->netbios_name) ||
+ !sid_equal(&td->security_identifier, &new_td->security_identifier) ||
+ td->trust_direction != new_td->trust_direction ||
+ td->trust_type != new_td->trust_type ||
+ td->trust_attributes != new_td->trust_attributes ||
+ td->trust_auth_incoming.length != new_td->trust_auth_incoming.length ||
+ td->trust_forest_trust_info.length != new_td->trust_forest_trust_info.length ||
+ data_blob_cmp(&td->trust_auth_outgoing, &new_td->trust_auth_outgoing) != 0) {
+ fprintf(stderr, "Old and new trusdet domain data do not match\n");
+ error = True;
+ }
+
 TALLOC_FREE(ctx);
 if (error) {
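Review bot: `new_td` is only assigned when `get_trusted_domain` succeeds, yet the comparison that follows dereferences it unconditionally, so a backend that returns an error makes the test crash instead of reporting `error`; make the comparison `else if (...)` on the `get_trusted_domain` status, or skip it when that call failed. The message printed for the failed `get_trusted_domain` call reads `"Error in set_trusted_domain %s\n"`, a copy of the previous block, and `"trusdet"` in the final message is a typo. `td` comes from `talloc_zero` and its `security_identifier` is never set, so the `sid_equal` check only compares two zero SIDs and `TRUST_SID` from the earlier hunk goes unused; parsing it into `td->security_identifier` before `set_trusted_domain` (e.g. `string_to_sid(&td->security_identifier, TRUST_SID)`) would make that part of the round trip meaningful. All of this sits in `main`, which begins and ends outside the hunk.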