2 Unix SMB/CIFS implementation.
3 Copyright (C) Andrew Tridgell 1992-2001
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Rafal Szczesniak 2002
6 Copyright (C) Tim Potter 2001
7 Copyright (C) Jelmer Vernooij 2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 /* the Samba secrets database stores any generated, private information
25 such as the local SID and machine trust password */
27 #define SECRETS_DOMAIN_SID "SECRETS/SID"
28 #define SECRETS_DOMAIN_GUID "SECRETS/DOMGUID"
29 #define SECRETS_LDAP_BIND_PW "SECRETS/LDAP_BIND_PW"
30 #define SECRETS_MACHINE_ACCT_PASS "SECRETS/$MACHINE.ACC"
31 #define SECRETS_DOMTRUST_ACCT_PASS "SECRETS/$DOMTRUST.ACC"
32 #define SECRETS_MACHINE_PASSWORD "SECRETS/MACHINE_PASSWORD"
33 #define SECRETS_MACHINE_LAST_CHANGE_TIME "SECRETS/MACHINE_LAST_CHANGE_TIME"
34 #define SECRETS_MACHINE_SEC_CHANNEL_TYPE "SECRETS/MACHINE_SEC_CHANNEL_TYPE"
35 #define SECRETS_AFS_KEYFILE "SECRETS/AFS_KEYFILE"
36 #define SECRETS_AUTH_USER "SECRETS/AUTH_USER"
37 #define SECRETS_AUTH_DOMAIN "SECRETS/AUTH_DOMAIN"
38 #define SECRETS_AUTH_PASSWORD "SECRETS/AUTH_PASSWORD"
43 #include "system/filesys.h"
44 #include "librpc/gen_ndr/ndr_security.h"
46 /* structure for storing machine account password
47 (ie. when samba server is member of a domain */
48 struct machine_acct_pass {
53 #define SECRETS_AFS_MAXKEYS 8
60 static TDB_CONTEXT *secrets_open(const char *fname)
62 TDB_CONTEXT *tdb = tdb_open(fname, 0, TDB_DEFAULT, O_RDONLY, 0600);
65 DEBUG(0,("Failed to open %s\n", fname));
72 /* read a entry from the secrets database - the caller must free the result
73 if size is non-null then the size of the entry is put in there
75 static void *secrets_fetch(TDB_CONTEXT *tdb, const char *key, size_t *size)
79 kbuf.dptr = strdup(key);
80 kbuf.dsize = strlen(key);
81 dbuf = tdb_fetch(tdb, kbuf);
88 static BOOL secrets_fetch_domain_sid(TDB_CONTEXT *tdb, const char *domain, struct dom_sid *sid)
90 struct dom_sid *dyn_sid;
94 asprintf(&key, "%s/%s", SECRETS_DOMAIN_SID, domain);
96 dyn_sid = (struct dom_sid *)secrets_fetch(tdb, key, &size);
102 if (size != sizeof(struct dom_sid))
113 static BOOL secrets_fetch_domain_guid(TDB_CONTEXT *tdb, const char *domain, struct GUID *guid)
115 struct GUID *dyn_guid;
119 asprintf(&key, "%s/%s", SECRETS_DOMAIN_GUID, domain);
121 dyn_guid = (struct GUID *)secrets_fetch(tdb, key, &size);
127 if (size != sizeof(struct GUID))
129 DEBUG(1,("GUID size %d is wrong!\n", (int)size));
140 * Form a key for fetching the machine trust account password
142 * @param domain domain name
144 * @return stored password's key
146 static char *trust_keystr(const char *domain)
150 asprintf(&keystr, "%s/%s", SECRETS_MACHINE_ACCT_PASS, domain);
157 * Form a key for fetching a trusted domain password
159 * @param domain trusted domain name
161 * @return stored password's key
163 static char *trustdom_keystr(const char *domain)
167 asprintf(&keystr, "%s/%s", SECRETS_DOMTRUST_ACCT_PASS, domain);
173 /************************************************************************
174 Routine to get the trust account password for a domain.
175 The user of this function must have locked the trust password file using
176 the above secrets_lock_trust_account_password().
177 ************************************************************************/
179 static BOOL secrets_fetch_trust_account_password(TDB_CONTEXT *tdb,
180 const char *domain, uint8_t ret_pwd[16],
181 time_t *pass_last_set_time,
184 struct machine_acct_pass *pass;
188 plaintext = secrets_fetch_machine_password(tdb, domain, pass_last_set_time,
191 DEBUG(4,("Using cleartext machine password\n"));
192 E_md4hash(plaintext, ret_pwd);
193 SAFE_FREE(plaintext);
197 if (!(pass = secrets_fetch(tdb, trust_keystr(domain), &size))) {
198 DEBUG(5, ("secrets_fetch failed!\n"));
202 if (size != sizeof(*pass)) {
203 DEBUG(0, ("secrets were of incorrect size!\n"));
207 if (pass_last_set_time) *pass_last_set_time = pass->mod_time;
208 memcpy(ret_pwd, pass->hash, 16);
212 *channel = get_default_sec_channel();
217 /************************************************************************
218 Routine to get account password to trusted domain
219 ************************************************************************/
221 static BOOL secrets_fetch_trusted_domain_password(TDB_CONTEXT *tdb, const char *domain, char** pwd, struct dom_sid **sid, time_t *pass_last_set_time)
223 struct trusted_dom_pass pass;
226 /* unpacking structures */
232 /* fetching trusted domain password structure */
233 if (!(pass_buf = secrets_fetch(tdb, trustdom_keystr(domain), &size))) {
234 DEBUG(5, ("secrets_fetch failed!\n"));
238 /* unpack trusted domain password */
239 pass_len = tdb_trusted_dom_pass_unpack(pass_buf, size, &pass);
242 if (pass_len != size) {
243 DEBUG(5, ("Invalid secrets size. Unpacked data doesn't match trusted_dom_pass structure.\n"));
247 /* the trust's password */
249 *pwd = strdup(pass.pass);
255 /* last change time */
256 if (pass_last_set_time) *pass_last_set_time = pass.mod_time;
260 *sid = dom_sid_dup(tdb, &pass.domain_sid);
265 /************************************************************************
266 Routine to fetch the plaintext machine account password for a realm
267 the password is assumed to be a null terminated ascii string
268 ************************************************************************/
269 static char *secrets_fetch_machine_password(TDB_CONTEXT *tdb, const char *domain,
270 time_t *pass_last_set_time,
275 asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, domain);
277 ret = (char *)secrets_fetch(tdb, key, NULL);
280 if (pass_last_set_time) {
282 uint32_t *last_set_time;
283 asprintf(&key, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME, domain);
285 last_set_time = secrets_fetch(tdb, key, &size);
287 *pass_last_set_time = IVAL(last_set_time,0);
288 SAFE_FREE(last_set_time);
290 *pass_last_set_time = 0;
297 uint32_t *channel_type;
298 asprintf(&key, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE, domain);
300 channel_type = secrets_fetch(tdb, key, &size);
302 *channel = IVAL(channel_type,0);
303 SAFE_FREE(channel_type);
305 *channel = get_default_sec_channel();
313 /*******************************************************************
314 find the ldap password
315 ******************************************************************/
316 static BOOL fetch_ldap_pw(TDB_CONTEXT *tdb, const char *dn, char** pw)
321 if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, dn) < 0) {
322 DEBUG(0, ("fetch_ldap_pw: asprintf failed!\n"));
325 *pw=secrets_fetch(tdb, key, &size);
337 * Get trusted domains info from secrets.tdb.
339 * The linked list is allocated on the supplied talloc context, caller gets to destroy
342 * @param ctx Allocation context
343 * @param enum_ctx Starting index, eg. we can start fetching at third
344 * or sixth trusted domain entry. Zero is the first index.
345 * Value it is set to is the enum context for the next enumeration.
346 * @param num_domains Number of domain entries to fetch at one call
347 * @param domains Pointer to array of trusted domain structs to be filled up
349 * @return nt status code of rpc response
352 static NTSTATUS secrets_get_trusted_domains(TDB_CONTEXT *tdb, TALLOC_CTX* ctx, int* enum_ctx, unsigned int max_num_domains,
353 int *num_domains, struct samba3_trustdom ***domains)
355 TDB_LIST_NODE *keys, *k;
356 struct samba3_trustdom *dom = NULL;
358 unsigned int start_idx;
360 size_t size, packed_size = 0;
363 struct trusted_dom_pass *pass = talloc(ctx, struct trusted_dom_pass);
366 if (!secrets_init()) return NT_STATUS_ACCESS_DENIED;
369 DEBUG(0, ("talloc_zero failed!\n"));
370 return NT_STATUS_NO_MEMORY;
374 start_idx = *enum_ctx;
376 /* generate searching pattern */
377 if (!(pattern = talloc_asprintf(ctx, "%s/*", SECRETS_DOMTRUST_ACCT_PASS))) {
378 DEBUG(0, ("secrets_get_trusted_domains: talloc_asprintf() failed!\n"));
379 return NT_STATUS_NO_MEMORY;
382 DEBUG(5, ("secrets_get_trusted_domains: looking for %d domains, starting at index %d\n",
383 max_num_domains, *enum_ctx));
385 *domains = talloc_zero_array(ctx, struct samba3_trustdom *, max_num_domains);
387 /* fetching trusted domains' data and collecting them in a list */
388 keys = tdb_search_keys(tdb, pattern);
391 * if there's no keys returned ie. no trusted domain,
392 * return "no more entries" code
394 status = NT_STATUS_NO_MORE_ENTRIES;
396 /* searching for keys in secrets db -- way to go ... */
397 for (k = keys; k; k = k->next) {
400 /* important: ensure null-termination of the key string */
401 secrets_key = strndup(k->node_key.dptr, k->node_key.dsize);
403 DEBUG(0, ("strndup failed!\n"));
404 return NT_STATUS_NO_MEMORY;
407 packed_pass = secrets_fetch(tdb, secrets_key, &size);
408 packed_size = tdb_trusted_dom_pass_unpack(packed_pass, size, pass);
409 /* packed representation isn't needed anymore */
410 SAFE_FREE(packed_pass);
412 if (size != packed_size) {
413 DEBUG(2, ("Secrets record %s is invalid!\n", secrets_key));
417 pull_ucs2_fstring(dom_name, pass->uni_name);
418 DEBUG(18, ("Fetched secret record num %d.\nDomain name: %s, SID: %s\n",
419 idx, dom_name, sid_string_static(&pass->domain_sid)));
421 SAFE_FREE(secrets_key);
423 if (idx >= start_idx && idx < start_idx + max_num_domains) {
424 dom = talloc(ctx, struct samba3_trustdom);
426 /* free returned tdb record */
427 return NT_STATUS_NO_MEMORY;
430 /* copy domain sid */
431 SMB_ASSERT(sizeof(dom->sid) == sizeof(pass->domain_sid));
432 memcpy(&(dom->sid), &(pass->domain_sid), sizeof(dom->sid));
434 /* copy unicode domain name */
435 dom->name = talloc_memdup(ctx, pass->uni_name,
436 (strlen_w(pass->uni_name) + 1) * sizeof(smb_ucs2_t));
438 (*domains)[idx - start_idx] = dom;
440 DEBUG(18, ("Secret record is in required range.\n \
441 start_idx = %d, max_num_domains = %d. Added to returned array.\n",
442 start_idx, max_num_domains));
447 /* set proper status code to return */
449 /* there are yet some entries to enumerate */
450 status = STATUS_MORE_ENTRIES;
452 /* this is the last entry in the whole enumeration */
453 status = NT_STATUS_OK;
456 DEBUG(18, ("Secret is outside the required range.\n \
457 start_idx = %d, max_num_domains = %d. Not added to returned array\n",
458 start_idx, max_num_domains));
464 DEBUG(5, ("secrets_get_trusted_domains: got %d domains\n", *num_domains));
466 /* free the results of searching the keys */
467 tdb_search_list_free(keys);
472 /*******************************************************************************
473 Fetch the current (highest) AFS key from secrets.tdb
474 *******************************************************************************/
475 static BOOL secrets_fetch_afs_key(TDB_CONTEXT *tdb, const char *cell, struct afs_key *result)
478 struct afs_keyfile *keyfile;
482 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_AFS_KEYFILE, cell);
484 keyfile = (struct afs_keyfile *)secrets_fetch(tdb, key, &size);
489 if (size != sizeof(struct afs_keyfile)) {
494 i = ntohl(keyfile->nkeys);
496 if (i > SECRETS_AFS_MAXKEYS) {
501 *result = keyfile->entry[i-1];
503 result->kvno = ntohl(result->kvno);
508 /******************************************************************************
509 When kerberos is not available, choose between anonymous or
510 authenticated connections.
512 We need to use an authenticated connection if DCs have the
513 RestrictAnonymous registry entry set > 0, or the "Additional
514 restrictions for anonymous connections" set in the win2k Local
517 Caller to free() result in domain, username, password
518 *******************************************************************************/
519 static void secrets_fetch_ipc_userpass(TDB_CONTEXT *tdb, char **username, char **domain, char **password)
521 *username = secrets_fetch(tdb, SECRETS_AUTH_USER, NULL);
522 *domain = secrets_fetch(tdb, SECRETS_AUTH_DOMAIN, NULL);
523 *password = secrets_fetch(tdb, SECRETS_AUTH_PASSWORD, NULL);
525 if (*username && **username) {
527 if (!*domain || !**domain)
528 *domain = smb_xstrdup(lp_workgroup());
530 if (!*password || !**password)
531 *password = smb_xstrdup("");
533 DEBUG(3, ("IPC$ connections done by user %s\\%s\n",
534 *domain, *username));
537 DEBUG(3, ("IPC$ connections done anonymously\n"));
538 *username = smb_xstrdup("");
539 *domain = smb_xstrdup("");
540 *password = smb_xstrdup("");