2 Unix SMB/CIFS implementation.
3 Copyright (C) Andrew Tridgell 1992-2001
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Rafal Szczesniak 2002
6 Copyright (C) Tim Potter 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* the Samba secrets database stores any generated, private information
23 such as the local SID and machine trust password */
28 #define DBGC_CLASS DBGC_PASSDB
30 static struct db_context *db_ctx;
32 /* Urrrg. global.... */
33 bool global_machine_password_needs_changing;
36 * Use a TDB to store an incrementing random seed.
38 * Initialised to the current pid, the very first time Samba starts,
39 * and incremented by one each time it is needed.
41 * @note Not called by systems with a working /dev/urandom.
43 static void get_rand_seed(int *new_seed)
45 *new_seed = sys_getpid();
47 dbwrap_change_int32_atomic(db_ctx, "INFO/random_seed",
52 /* open up the secrets database */
53 bool secrets_init(void)
61 fname = talloc_asprintf(talloc_tos(), "%s/secrets.tdb",
67 db_ctx = db_open(NULL, fname, 0,
68 TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
71 DEBUG(0,("Failed to open %s\n", fname));
79 * Set a reseed function for the crypto random generator
81 * This avoids a problem where systems without /dev/urandom
82 * could send the same challenge to multiple clients
84 set_rand_reseed_callback(get_rand_seed);
86 /* Ensure that the reseed is done now, while we are root, etc */
87 generate_random_buffer(&dummy, sizeof(dummy));
92 struct db_context *secrets_db_ctx(void)
94 if (!secrets_init()) {
104 void secrets_shutdown(void)
109 /* read a entry from the secrets database - the caller must free the result
110 if size is non-null then the size of the entry is put in there
112 void *secrets_fetch(const char *key, size_t *size)
117 if (!secrets_init()) {
121 if (db_ctx->fetch(db_ctx, talloc_tos(), string_tdb_data(key),
126 result = memdup(dbuf.dptr, dbuf.dsize);
127 if (result == NULL) {
130 TALLOC_FREE(dbuf.dptr);
139 /* store a secrets entry
141 bool secrets_store(const char *key, const void *data, size_t size)
145 if (!secrets_init()) {
149 status = dbwrap_trans_store(db_ctx, string_tdb_data(key),
150 make_tdb_data((const uint8 *)data, size),
152 return NT_STATUS_IS_OK(status);
156 /* delete a secets database entry
158 bool secrets_delete(const char *key)
161 if (!secrets_init()) {
165 status = dbwrap_trans_delete(db_ctx, string_tdb_data(key));
167 return NT_STATUS_IS_OK(status);
171 * Form a key for fetching the domain sid
173 * @param domain domain name
177 static const char *domain_sid_keystr(const char *domain)
181 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
182 SECRETS_DOMAIN_SID, domain);
183 SMB_ASSERT(keystr != NULL);
187 bool secrets_store_domain_sid(const char *domain, const DOM_SID *sid)
191 ret = secrets_store(domain_sid_keystr(domain), sid, sizeof(DOM_SID));
193 /* Force a re-query, in case we modified our domain */
195 reset_global_sam_sid();
199 bool secrets_fetch_domain_sid(const char *domain, DOM_SID *sid)
204 dyn_sid = (DOM_SID *)secrets_fetch(domain_sid_keystr(domain), &size);
209 if (size != sizeof(DOM_SID)) {
219 bool secrets_store_domain_guid(const char *domain, struct GUID *guid)
223 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
225 return secrets_store(key, guid, sizeof(struct GUID));
228 bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
230 struct GUID *dyn_guid;
233 struct GUID new_guid;
235 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
237 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
240 if (lp_server_role() == ROLE_DOMAIN_PDC) {
241 smb_uuid_generate_random(&new_guid);
242 if (!secrets_store_domain_guid(domain, &new_guid))
244 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
246 if (dyn_guid == NULL) {
251 if (size != sizeof(struct GUID)) {
252 DEBUG(1,("UUID size %d is wrong!\n", (int)size));
263 * Form a key for fetching the machine trust account sec channel type
265 * @param domain domain name
269 static const char *machine_sec_channel_type_keystr(const char *domain)
273 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
274 SECRETS_MACHINE_SEC_CHANNEL_TYPE,
276 SMB_ASSERT(keystr != NULL);
281 * Form a key for fetching the machine trust account last change time
283 * @param domain domain name
287 static const char *machine_last_change_time_keystr(const char *domain)
291 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
292 SECRETS_MACHINE_LAST_CHANGE_TIME,
294 SMB_ASSERT(keystr != NULL);
300 * Form a key for fetching the machine trust account password
302 * @param domain domain name
306 static const char *machine_password_keystr(const char *domain)
310 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
311 SECRETS_MACHINE_PASSWORD, domain);
312 SMB_ASSERT(keystr != NULL);
317 * Form a key for fetching the machine trust account password
319 * @param domain domain name
321 * @return stored password's key
323 static const char *trust_keystr(const char *domain)
327 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
328 SECRETS_MACHINE_ACCT_PASS, domain);
329 SMB_ASSERT(keystr != NULL);
334 * Form a key for fetching a trusted domain password
336 * @param domain trusted domain name
338 * @return stored password's key
340 static char *trustdom_keystr(const char *domain)
344 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
345 SECRETS_DOMTRUST_ACCT_PASS,
347 SMB_ASSERT(keystr != NULL);
351 /************************************************************************
352 Lock the trust password entry.
353 ************************************************************************/
355 void *secrets_get_trust_account_lock(TALLOC_CTX *mem_ctx, const char *domain)
357 if (!secrets_init()) {
361 return db_ctx->fetch_locked(
362 db_ctx, mem_ctx, string_term_tdb_data(trust_keystr(domain)));
365 /************************************************************************
366 Routine to get the default secure channel type for trust accounts
367 ************************************************************************/
369 uint32 get_default_sec_channel(void)
371 if (lp_server_role() == ROLE_DOMAIN_BDC ||
372 lp_server_role() == ROLE_DOMAIN_PDC) {
375 return SEC_CHAN_WKSTA;
379 /************************************************************************
380 Routine to get the trust account password for a domain.
381 This only tries to get the legacy hashed version of the password.
382 The user of this function must have locked the trust password file using
383 the above secrets_lock_trust_account_password().
384 ************************************************************************/
386 bool secrets_fetch_trust_account_password_legacy(const char *domain,
388 time_t *pass_last_set_time,
391 struct machine_acct_pass *pass;
394 if (!(pass = (struct machine_acct_pass *)secrets_fetch(
395 trust_keystr(domain), &size))) {
396 DEBUG(5, ("secrets_fetch failed!\n"));
400 if (size != sizeof(*pass)) {
401 DEBUG(0, ("secrets were of incorrect size!\n"));
406 if (pass_last_set_time) {
407 *pass_last_set_time = pass->mod_time;
409 memcpy(ret_pwd, pass->hash, 16);
412 *channel = get_default_sec_channel();
415 /* Test if machine password has expired and needs to be changed */
416 if (lp_machine_password_timeout()) {
417 if (pass->mod_time > 0 && time(NULL) > (pass->mod_time +
418 (time_t)lp_machine_password_timeout())) {
419 global_machine_password_needs_changing = True;
427 /************************************************************************
428 Routine to get the trust account password for a domain.
429 The user of this function must have locked the trust password file using
430 the above secrets_lock_trust_account_password().
431 ************************************************************************/
433 bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
434 time_t *pass_last_set_time,
439 plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
442 DEBUG(4,("Using cleartext machine password\n"));
443 E_md4hash(plaintext, ret_pwd);
444 SAFE_FREE(plaintext);
448 return secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
454 * Pack SID passed by pointer
456 * @param pack_buf pointer to buffer which is to be filled with packed data
457 * @param bufsize size of packing buffer
458 * @param sid pointer to sid to be packed
460 * @return length of the packed representation of the whole structure
462 static size_t tdb_sid_pack(uint8 *pack_buf, int bufsize, DOM_SID* sid)
467 int remaining_space = pack_buf ? bufsize : 0;
473 len += tdb_pack(p, remaining_space, "bb", sid->sid_rev_num,
477 remaining_space = bufsize - len;
480 for (idx = 0; idx < 6; idx++) {
481 len += tdb_pack(p, remaining_space, "b",
485 remaining_space = bufsize - len;
489 for (idx = 0; idx < MAXSUBAUTHS; idx++) {
490 len += tdb_pack(p, remaining_space, "d",
491 sid->sub_auths[idx]);
494 remaining_space = bufsize - len;
502 * Unpack SID into a pointer
504 * @param pack_buf pointer to buffer with packed representation
505 * @param bufsize size of the buffer
506 * @param sid pointer to sid structure to be filled with unpacked data
508 * @return size of structure unpacked from buffer
510 static size_t tdb_sid_unpack(uint8 *pack_buf, int bufsize, DOM_SID* sid)
514 if (!sid || !pack_buf) return -1;
516 len += tdb_unpack(pack_buf + len, bufsize - len, "bb",
517 &sid->sid_rev_num, &sid->num_auths);
519 for (idx = 0; idx < 6; idx++) {
520 len += tdb_unpack(pack_buf + len, bufsize - len, "b",
524 for (idx = 0; idx < MAXSUBAUTHS; idx++) {
525 len += tdb_unpack(pack_buf + len, bufsize - len, "d",
526 &sid->sub_auths[idx]);
533 * Pack TRUSTED_DOM_PASS passed by pointer
535 * @param pack_buf pointer to buffer which is to be filled with packed data
536 * @param bufsize size of the buffer
537 * @param pass pointer to trusted domain password to be packed
539 * @return length of the packed representation of the whole structure
541 static size_t tdb_trusted_dom_pass_pack(uint8 *pack_buf, int bufsize,
542 TRUSTED_DOM_PASS* pass)
546 int remaining_space = pack_buf ? bufsize : 0;
552 /* packing unicode domain name and password */
553 len += tdb_pack(p, remaining_space, "d",
557 remaining_space = bufsize - len;
560 for (idx = 0; idx < 32; idx++) {
561 len += tdb_pack(p, remaining_space, "w",
562 pass->uni_name[idx]);
565 remaining_space = bufsize - len;
569 len += tdb_pack(p, remaining_space, "dPd", pass->pass_len,
570 pass->pass, pass->mod_time);
573 remaining_space = bufsize - len;
576 /* packing SID structure */
577 len += tdb_sid_pack(p, remaining_space, &pass->domain_sid);
580 remaining_space = bufsize - len;
588 * Unpack TRUSTED_DOM_PASS passed by pointer
590 * @param pack_buf pointer to buffer with packed representation
591 * @param bufsize size of the buffer
592 * @param pass pointer to trusted domain password to be filled with unpacked data
594 * @return size of structure unpacked from buffer
596 static size_t tdb_trusted_dom_pass_unpack(uint8 *pack_buf, int bufsize,
597 TRUSTED_DOM_PASS* pass)
602 if (!pack_buf || !pass) return -1;
604 /* unpack unicode domain name and plaintext password */
605 len += tdb_unpack(pack_buf, bufsize - len, "d", &pass->uni_name_len);
607 for (idx = 0; idx < 32; idx++)
608 len += tdb_unpack(pack_buf + len, bufsize - len, "w",
609 &pass->uni_name[idx]);
611 len += tdb_unpack(pack_buf + len, bufsize - len, "dPd",
612 &pass->pass_len, &passp, &pass->mod_time);
614 fstrcpy(pass->pass, passp);
618 /* unpack domain sid */
619 len += tdb_sid_unpack(pack_buf + len, bufsize - len,
625 /************************************************************************
626 Routine to get account password to trusted domain
627 ************************************************************************/
629 bool secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
630 DOM_SID *sid, time_t *pass_last_set_time)
632 struct trusted_dom_pass pass;
635 /* unpacking structures */
641 /* fetching trusted domain password structure */
642 if (!(pass_buf = (uint8 *)secrets_fetch(trustdom_keystr(domain),
644 DEBUG(5, ("secrets_fetch failed!\n"));
648 /* unpack trusted domain password */
649 pass_len = tdb_trusted_dom_pass_unpack(pass_buf, size, &pass);
652 if (pass_len != size) {
653 DEBUG(5, ("Invalid secrets size. Unpacked data doesn't match trusted_dom_pass structure.\n"));
657 /* the trust's password */
659 *pwd = SMB_STRDUP(pass.pass);
665 /* last change time */
666 if (pass_last_set_time) *pass_last_set_time = pass.mod_time;
669 if (sid != NULL) sid_copy(sid, &pass.domain_sid);
675 * Routine to store the password for trusted domain
677 * @param domain remote domain name
678 * @param pwd plain text password of trust relationship
679 * @param sid remote domain sid
681 * @return true if succeeded
684 bool secrets_store_trusted_domain_password(const char* domain, const char* pwd,
687 smb_ucs2_t *uni_dom_name;
689 size_t converted_size;
691 /* packing structures */
692 uint8 *pass_buf = NULL;
695 struct trusted_dom_pass pass;
698 if (!push_ucs2_allocate(&uni_dom_name, domain, &converted_size)) {
699 DEBUG(0, ("Could not convert domain name %s to unicode\n",
704 strncpy_w(pass.uni_name, uni_dom_name, sizeof(pass.uni_name) - 1);
705 pass.uni_name_len = strlen_w(uni_dom_name)+1;
706 SAFE_FREE(uni_dom_name);
708 /* last change time */
709 pass.mod_time = time(NULL);
711 /* password of the trust */
712 pass.pass_len = strlen(pwd);
713 fstrcpy(pass.pass, pwd);
716 sid_copy(&pass.domain_sid, sid);
718 /* Calculate the length. */
719 pass_len = tdb_trusted_dom_pass_pack(NULL, 0, &pass);
720 pass_buf = SMB_MALLOC_ARRAY(uint8, pass_len);
724 pass_len = tdb_trusted_dom_pass_pack(pass_buf, pass_len, &pass);
725 ret = secrets_store(trustdom_keystr(domain), (void *)pass_buf,
731 /************************************************************************
732 Routine to delete the plaintext machine account password
733 ************************************************************************/
735 bool secrets_delete_machine_password(const char *domain)
737 return secrets_delete(machine_password_keystr(domain));
740 /************************************************************************
741 Routine to delete the plaintext machine account password, sec channel type and
742 last change time from secrets database
743 ************************************************************************/
745 bool secrets_delete_machine_password_ex(const char *domain)
747 if (!secrets_delete(machine_password_keystr(domain))) {
750 if (!secrets_delete(machine_sec_channel_type_keystr(domain))) {
753 return secrets_delete(machine_last_change_time_keystr(domain));
756 /************************************************************************
757 Routine to delete the domain sid
758 ************************************************************************/
760 bool secrets_delete_domain_sid(const char *domain)
762 return secrets_delete(domain_sid_keystr(domain));
765 /************************************************************************
766 Routine to set the plaintext machine account password for a realm
767 the password is assumed to be a null terminated ascii string
768 ************************************************************************/
770 bool secrets_store_machine_password(const char *pass, const char *domain, uint32 sec_channel)
773 uint32 last_change_time;
774 uint32 sec_channel_type;
776 ret = secrets_store(machine_password_keystr(domain), pass, strlen(pass)+1);
780 SIVAL(&last_change_time, 0, time(NULL));
781 ret = secrets_store(machine_last_change_time_keystr(domain), &last_change_time, sizeof(last_change_time));
783 SIVAL(&sec_channel_type, 0, sec_channel);
784 ret = secrets_store(machine_sec_channel_type_keystr(domain), &sec_channel_type, sizeof(sec_channel_type));
789 /************************************************************************
790 Routine to fetch the plaintext machine account password for a realm
791 the password is assumed to be a null terminated ascii string.
792 ************************************************************************/
794 char *secrets_fetch_machine_password(const char *domain,
795 time_t *pass_last_set_time,
799 ret = (char *)secrets_fetch(machine_password_keystr(domain), NULL);
801 if (pass_last_set_time) {
803 uint32 *last_set_time;
804 last_set_time = (unsigned int *)secrets_fetch(machine_last_change_time_keystr(domain), &size);
806 *pass_last_set_time = IVAL(last_set_time,0);
807 SAFE_FREE(last_set_time);
809 *pass_last_set_time = 0;
815 uint32 *channel_type;
816 channel_type = (unsigned int *)secrets_fetch(machine_sec_channel_type_keystr(domain), &size);
818 *channel = IVAL(channel_type,0);
819 SAFE_FREE(channel_type);
821 *channel = get_default_sec_channel();
828 /************************************************************************
829 Routine to delete the password for trusted domain
830 ************************************************************************/
832 bool trusted_domain_password_delete(const char *domain)
834 return secrets_delete(trustdom_keystr(domain));
837 bool secrets_store_ldap_pw(const char* dn, char* pw)
842 if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, dn) < 0) {
843 DEBUG(0, ("secrets_store_ldap_pw: asprintf failed!\n"));
847 ret = secrets_store(key, pw, strlen(pw)+1);
853 /*******************************************************************
854 Find the ldap password.
855 ******************************************************************/
857 bool fetch_ldap_pw(char **dn, char** pw)
862 *dn = smb_xstrdup(lp_ldap_admin_dn());
864 if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, *dn) < 0) {
866 DEBUG(0, ("fetch_ldap_pw: asprintf failed!\n"));
869 *pw=(char *)secrets_fetch(key, &size);
873 /* Upgrade 2.2 style entry */
875 char* old_style_key = SMB_STRDUP(*dn);
877 fstring old_style_pw;
879 if (!old_style_key) {
880 DEBUG(0, ("fetch_ldap_pw: strdup failed!\n"));
884 for (p=old_style_key; *p; p++)
885 if (*p == ',') *p = '/';
887 data=(char *)secrets_fetch(old_style_key, &size);
888 if ((data == NULL) || (size < sizeof(old_style_pw))) {
889 DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
890 SAFE_FREE(old_style_key);
896 size = MIN(size, sizeof(fstring)-1);
897 strncpy(old_style_pw, data, size);
898 old_style_pw[size] = 0;
902 if (!secrets_store_ldap_pw(*dn, old_style_pw)) {
903 DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n"));
904 SAFE_FREE(old_style_key);
908 if (!secrets_delete(old_style_key)) {
909 DEBUG(0,("fetch_ldap_pw: old ldap secret could not be deleted!\n"));
912 SAFE_FREE(old_style_key);
914 *pw = smb_xstrdup(old_style_pw);
921 * Get trusted domains info from secrets.tdb.
924 struct list_trusted_domains_state {
926 struct trustdom_info **domains;
929 static int list_trusted_domain(struct db_record *rec, void *private_data)
931 const size_t prefix_len = strlen(SECRETS_DOMTRUST_ACCT_PASS);
932 size_t converted_size, packed_size = 0;
933 struct trusted_dom_pass pass;
934 struct trustdom_info *dom_info;
936 struct list_trusted_domains_state *state =
937 (struct list_trusted_domains_state *)private_data;
939 if ((rec->key.dsize < prefix_len)
940 || (strncmp((char *)rec->key.dptr, SECRETS_DOMTRUST_ACCT_PASS,
945 packed_size = tdb_trusted_dom_pass_unpack(
946 rec->value.dptr, rec->value.dsize, &pass);
948 if (rec->value.dsize != packed_size) {
949 DEBUG(2, ("Secrets record is invalid!\n"));
953 if (pass.domain_sid.num_auths != 4) {
954 DEBUG(0, ("SID %s is not a domain sid, has %d "
955 "auths instead of 4\n",
956 sid_string_dbg(&pass.domain_sid),
957 pass.domain_sid.num_auths));
961 if (!(dom_info = TALLOC_P(state->domains, struct trustdom_info))) {
962 DEBUG(0, ("talloc failed\n"));
966 if (!pull_ucs2_talloc(dom_info, &dom_info->name, pass.uni_name,
968 DEBUG(2, ("pull_ucs2_talloc failed\n"));
969 TALLOC_FREE(dom_info);
973 sid_copy(&dom_info->sid, &pass.domain_sid);
975 ADD_TO_ARRAY(state->domains, struct trustdom_info *, dom_info,
976 &state->domains, &state->num_domains);
978 if (state->domains == NULL) {
979 state->num_domains = 0;
985 NTSTATUS secrets_trusted_domains(TALLOC_CTX *mem_ctx, uint32 *num_domains,
986 struct trustdom_info ***domains)
988 struct list_trusted_domains_state state;
992 if (db_ctx == NULL) {
993 return NT_STATUS_ACCESS_DENIED;
996 state.num_domains = 0;
999 * Make sure that a talloc context for the trustdom_info structs
1003 if (!(state.domains = TALLOC_ARRAY(
1004 mem_ctx, struct trustdom_info *, 1))) {
1005 return NT_STATUS_NO_MEMORY;
1008 db_ctx->traverse_read(db_ctx, list_trusted_domain, (void *)&state);
1010 *num_domains = state.num_domains;
1011 *domains = state.domains;
1012 return NT_STATUS_OK;
1015 /*******************************************************************************
1016 Store a complete AFS keyfile into secrets.tdb.
1017 *******************************************************************************/
1019 bool secrets_store_afs_keyfile(const char *cell, const struct afs_keyfile *keyfile)
1023 if ((cell == NULL) || (keyfile == NULL))
1026 if (ntohl(keyfile->nkeys) > SECRETS_AFS_MAXKEYS)
1029 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_AFS_KEYFILE, cell);
1030 return secrets_store(key, keyfile, sizeof(struct afs_keyfile));
1033 /*******************************************************************************
1034 Fetch the current (highest) AFS key from secrets.tdb
1035 *******************************************************************************/
1036 bool secrets_fetch_afs_key(const char *cell, struct afs_key *result)
1039 struct afs_keyfile *keyfile;
1043 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_AFS_KEYFILE, cell);
1045 keyfile = (struct afs_keyfile *)secrets_fetch(key, &size);
1047 if (keyfile == NULL)
1050 if (size != sizeof(struct afs_keyfile)) {
1055 i = ntohl(keyfile->nkeys);
1057 if (i > SECRETS_AFS_MAXKEYS) {
1062 *result = keyfile->entry[i-1];
1064 result->kvno = ntohl(result->kvno);
1071 /******************************************************************************
1072 When kerberos is not available, choose between anonymous or
1073 authenticated connections.
1075 We need to use an authenticated connection if DCs have the
1076 RestrictAnonymous registry entry set > 0, or the "Additional
1077 restrictions for anonymous connections" set in the win2k Local
1080 Caller to free() result in domain, username, password
1081 *******************************************************************************/
1082 void secrets_fetch_ipc_userpass(char **username, char **domain, char **password)
1084 *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
1085 *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
1086 *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
1088 if (*username && **username) {
1090 if (!*domain || !**domain)
1091 *domain = smb_xstrdup(lp_workgroup());
1093 if (!*password || !**password)
1094 *password = smb_xstrdup("");
1096 DEBUG(3, ("IPC$ connections done by user %s\\%s\n",
1097 *domain, *username));
1100 DEBUG(3, ("IPC$ connections done anonymously\n"));
1101 *username = smb_xstrdup("");
1102 *domain = smb_xstrdup("");
1103 *password = smb_xstrdup("");
1107 /******************************************************************************
1108 Open or create the schannel session store tdb.
1109 *******************************************************************************/
1111 static TDB_CONTEXT *open_schannel_session_store(TALLOC_CTX *mem_ctx)
1115 TDB_CONTEXT *tdb_sc = NULL;
1116 char *fname = talloc_asprintf(mem_ctx, "%s/schannel_store.tdb", lp_private_dir());
1122 tdb_sc = tdb_open_log(fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
1125 DEBUG(0,("open_schannel_session_store: Failed to open %s\n", fname));
1130 vers = tdb_fetch_bystring(tdb_sc, "SCHANNEL_STORE_VERSION");
1131 if (vers.dptr == NULL) {
1132 /* First opener, no version. */
1134 vers.dptr = (uint8 *)&ver;
1136 tdb_store_bystring(tdb_sc, "SCHANNEL_STORE_VERSION", vers, TDB_REPLACE);
1138 } else if (vers.dsize == 4) {
1139 ver = IVAL(vers.dptr,0);
1143 DEBUG(0,("open_schannel_session_store: wrong version number %d in %s\n",
1149 DEBUG(0,("open_schannel_session_store: wrong version number size %d in %s\n",
1150 (int)vers.dsize, fname ));
1153 SAFE_FREE(vers.dptr);
1159 /******************************************************************************
1160 Store the schannel state after an AUTH2 call.
1161 Note we must be root here.
1162 *******************************************************************************/
1164 bool secrets_store_schannel_session_info(TALLOC_CTX *mem_ctx,
1165 const char *remote_machine,
1166 const struct dcinfo *pdc)
1168 TDB_CONTEXT *tdb_sc = NULL;
1171 char *keystr = talloc_asprintf_strupper_m(mem_ctx, "%s/%s",
1172 SECRETS_SCHANNEL_STATE,
1178 /* Work out how large the record is. */
1179 value.dsize = tdb_pack(NULL, 0, "dBBBBBfff",
1181 8, pdc->seed_chal.data,
1182 8, pdc->clnt_chal.data,
1183 8, pdc->srv_chal.data,
1187 pdc->remote_machine,
1190 value.dptr = TALLOC_ARRAY(mem_ctx, uint8, value.dsize);
1192 TALLOC_FREE(keystr);
1196 value.dsize = tdb_pack(value.dptr, value.dsize, "dBBBBBfff",
1198 8, pdc->seed_chal.data,
1199 8, pdc->clnt_chal.data,
1200 8, pdc->srv_chal.data,
1204 pdc->remote_machine,
1207 tdb_sc = open_schannel_session_store(mem_ctx);
1209 TALLOC_FREE(keystr);
1210 TALLOC_FREE(value.dptr);
1214 ret = (tdb_store_bystring(tdb_sc, keystr, value, TDB_REPLACE) == 0 ? True : False);
1216 DEBUG(3,("secrets_store_schannel_session_info: stored schannel info with key %s\n",
1220 TALLOC_FREE(keystr);
1221 TALLOC_FREE(value.dptr);
1225 /******************************************************************************
1226 Restore the schannel state on a client reconnect.
1227 Note we must be root here.
1228 *******************************************************************************/
1230 bool secrets_restore_schannel_session_info(TALLOC_CTX *mem_ctx,
1231 const char *remote_machine,
1232 struct dcinfo **ppdc)
1234 TDB_CONTEXT *tdb_sc = NULL;
1236 unsigned char *pseed_chal = NULL;
1237 unsigned char *pclnt_chal = NULL;
1238 unsigned char *psrv_chal = NULL;
1239 unsigned char *psess_key = NULL;
1240 unsigned char *pmach_pw = NULL;
1241 uint32 l1, l2, l3, l4, l5;
1243 struct dcinfo *pdc = NULL;
1244 char *keystr = talloc_asprintf_strupper_m(mem_ctx, "%s/%s",
1245 SECRETS_SCHANNEL_STATE,
1254 tdb_sc = open_schannel_session_store(mem_ctx);
1256 TALLOC_FREE(keystr);
1260 value = tdb_fetch_bystring(tdb_sc, keystr);
1262 DEBUG(0,("secrets_restore_schannel_session_info: Failed to find entry with key %s\n",
1268 pdc = TALLOC_ZERO_P(mem_ctx, struct dcinfo);
1270 /* Retrieve the record. */
1271 ret = tdb_unpack(value.dptr, value.dsize, "dBBBBBfff",
1279 &pdc->remote_machine,
1282 if (ret == -1 || l1 != 8 || l2 != 8 || l3 != 8 || l4 != 16 || l5 != 16) {
1283 /* Bad record - delete it. */
1284 tdb_delete_bystring(tdb_sc, keystr);
1286 TALLOC_FREE(keystr);
1288 SAFE_FREE(pseed_chal);
1289 SAFE_FREE(pclnt_chal);
1290 SAFE_FREE(psrv_chal);
1291 SAFE_FREE(psess_key);
1292 SAFE_FREE(pmach_pw);
1293 SAFE_FREE(value.dptr);
1299 memcpy(pdc->seed_chal.data, pseed_chal, 8);
1300 memcpy(pdc->clnt_chal.data, pclnt_chal, 8);
1301 memcpy(pdc->srv_chal.data, psrv_chal, 8);
1302 memcpy(pdc->sess_key, psess_key, 16);
1303 memcpy(pdc->mach_pw, pmach_pw, 16);
1305 /* We know these are true so didn't bother to store them. */
1306 pdc->challenge_sent = True;
1307 pdc->authenticated = True;
1309 DEBUG(3,("secrets_restore_schannel_session_info: restored schannel info key %s\n",
1312 SAFE_FREE(pseed_chal);
1313 SAFE_FREE(pclnt_chal);
1314 SAFE_FREE(psrv_chal);
1315 SAFE_FREE(psess_key);
1316 SAFE_FREE(pmach_pw);
1318 TALLOC_FREE(keystr);
1319 SAFE_FREE(value.dptr);
1326 bool secrets_store_generic(const char *owner, const char *key, const char *secret)
1328 char *tdbkey = NULL;
1331 if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) {
1332 DEBUG(0, ("asprintf failed!\n"));
1336 ret = secrets_store(tdbkey, secret, strlen(secret)+1);
1342 /*******************************************************************
1343 Find the ldap password.
1344 ******************************************************************/
1346 char *secrets_fetch_generic(const char *owner, const char *key)
1348 char *secret = NULL;
1349 char *tdbkey = NULL;
1351 if (( ! owner) || ( ! key)) {
1352 DEBUG(1, ("Invalid Paramters"));
1356 if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) {
1357 DEBUG(0, ("Out of memory!\n"));
1361 secret = (char *)secrets_fetch(tdbkey, NULL);
git.samba.org / samba.git / blob