2 Unix SMB/CIFS implementation.
3 Copyright (C) Andrew Tridgell 1992-2001
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Rafal Szczesniak 2002
6 Copyright (C) Tim Potter 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* the Samba secrets database stores any generated, private information
23 such as the local SID and machine trust password */
28 #define DBGC_CLASS DBGC_PASSDB
30 static TDB_CONTEXT *tdb;
32 /* Urrrg. global.... */
33 bool global_machine_password_needs_changing;
36 * Use a TDB to store an incrementing random seed.
38 * Initialised to the current pid, the very first time Samba starts,
39 * and incremented by one each time it is needed.
41 * @note Not called by systems with a working /dev/urandom.
43 static void get_rand_seed(int *new_seed)
45 *new_seed = sys_getpid();
47 tdb_change_int32_atomic(tdb, "INFO/random_seed", new_seed, 1);
51 /* open up the secrets database */
52 bool secrets_init(void)
61 ctx = talloc_init("secrets_init");
65 fname = talloc_asprintf(ctx,
73 tdb = tdb_open_log(fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
76 DEBUG(0,("Failed to open %s\n", fname));
84 * Set a reseed function for the crypto random generator
86 * This avoids a problem where systems without /dev/urandom
87 * could send the same challenge to multiple clients
89 set_rand_reseed_callback(get_rand_seed);
91 /* Ensure that the reseed is done now, while we are root, etc */
92 generate_random_buffer(&dummy, sizeof(dummy));
100 void secrets_shutdown(void)
110 /* read a entry from the secrets database - the caller must free the result
111 if size is non-null then the size of the entry is put in there
113 void *secrets_fetch(const char *key, size_t *size)
119 dbuf = tdb_fetch(tdb, string_tdb_data(key));
125 /* store a secrets entry
127 bool secrets_store(const char *key, const void *data, size_t size)
132 return tdb_trans_store(tdb, string_tdb_data(key),
133 make_tdb_data((const uint8 *)data, size),
138 /* delete a secets database entry
140 bool secrets_delete(const char *key)
145 return tdb_trans_delete(tdb, string_tdb_data(key)) == 0;
149 * Form a key for fetching the domain sid
151 * @param domain domain name
155 static const char *domain_sid_keystr(const char *domain)
159 keystr = talloc_asprintf(talloc_tos(), "%s/%s",
160 SECRETS_DOMAIN_SID, domain);
161 SMB_ASSERT(keystr != NULL);
168 bool secrets_store_domain_sid(const char *domain, const DOM_SID *sid)
172 ret = secrets_store(domain_sid_keystr(domain), sid, sizeof(DOM_SID));
174 /* Force a re-query, in case we modified our domain */
176 reset_global_sam_sid();
180 bool secrets_fetch_domain_sid(const char *domain, DOM_SID *sid)
185 dyn_sid = (DOM_SID *)secrets_fetch(domain_sid_keystr(domain), &size);
190 if (size != sizeof(DOM_SID)) {
200 bool secrets_store_domain_guid(const char *domain, struct GUID *guid)
204 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
206 return secrets_store(key, guid, sizeof(struct GUID));
209 bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
211 struct GUID *dyn_guid;
214 struct GUID new_guid;
216 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
218 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
221 if (lp_server_role() == ROLE_DOMAIN_PDC) {
222 smb_uuid_generate_random(&new_guid);
223 if (!secrets_store_domain_guid(domain, &new_guid))
225 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
227 if (dyn_guid == NULL) {
232 if (size != sizeof(struct GUID)) {
233 DEBUG(1,("UUID size %d is wrong!\n", (int)size));
244 * Form a key for fetching the machine trust account sec channel type
246 * @param domain domain name
250 static const char *machine_sec_channel_type_keystr(const char *domain)
254 keystr = talloc_asprintf(talloc_tos(), "%s/%s",
255 SECRETS_MACHINE_SEC_CHANNEL_TYPE, domain);
256 SMB_ASSERT(keystr != NULL);
264 * Form a key for fetching the machine trust account last change time
266 * @param domain domain name
270 static const char *machine_last_change_time_keystr(const char *domain)
274 keystr = talloc_asprintf(talloc_tos(), "%s/%s",
275 SECRETS_MACHINE_LAST_CHANGE_TIME, domain);
276 SMB_ASSERT(keystr != NULL);
285 * Form a key for fetching the machine trust account password
287 * @param domain domain name
291 static const char *machine_password_keystr(const char *domain)
295 keystr = talloc_asprintf(talloc_tos(), "%s/%s",
296 SECRETS_MACHINE_PASSWORD, domain);
297 SMB_ASSERT(keystr != NULL);
305 * Form a key for fetching the machine trust account password
307 * @param domain domain name
309 * @return stored password's key
311 static const char *trust_keystr(const char *domain)
315 keystr = talloc_asprintf(talloc_tos(), "%s/%s",
316 SECRETS_MACHINE_ACCT_PASS, domain);
317 SMB_ASSERT(keystr != NULL);
325 * Form a key for fetching a trusted domain password
327 * @param domain trusted domain name
329 * @return stored password's key
331 static char *trustdom_keystr(const char *domain)
335 keystr = talloc_asprintf(talloc_tos(), "%s/%s",
336 SECRETS_DOMTRUST_ACCT_PASS, domain);
337 SMB_ASSERT(keystr != NULL);
343 /************************************************************************
344 Lock the trust password entry.
345 ************************************************************************/
347 bool secrets_lock_trust_account_password(const char *domain, bool dolock)
353 return (tdb_lock_bystring(tdb, trust_keystr(domain)) == 0);
355 tdb_unlock_bystring(tdb, trust_keystr(domain));
359 /************************************************************************
360 Routine to get the default secure channel type for trust accounts
361 ************************************************************************/
363 uint32 get_default_sec_channel(void)
365 if (lp_server_role() == ROLE_DOMAIN_BDC ||
366 lp_server_role() == ROLE_DOMAIN_PDC) {
369 return SEC_CHAN_WKSTA;
373 /************************************************************************
374 Routine to get the trust account password for a domain.
375 This only tries to get the legacy hashed version of the password.
376 The user of this function must have locked the trust password file using
377 the above secrets_lock_trust_account_password().
378 ************************************************************************/
380 bool secrets_fetch_trust_account_password_legacy(const char *domain,
382 time_t *pass_last_set_time,
385 struct machine_acct_pass *pass;
388 if (!(pass = (struct machine_acct_pass *)secrets_fetch(
389 trust_keystr(domain), &size))) {
390 DEBUG(5, ("secrets_fetch failed!\n"));
394 if (size != sizeof(*pass)) {
395 DEBUG(0, ("secrets were of incorrect size!\n"));
399 if (pass_last_set_time) {
400 *pass_last_set_time = pass->mod_time;
402 memcpy(ret_pwd, pass->hash, 16);
405 *channel = get_default_sec_channel();
408 /* Test if machine password has expired and needs to be changed */
409 if (lp_machine_password_timeout()) {
410 if (pass->mod_time > 0 && time(NULL) > (pass->mod_time +
411 (time_t)lp_machine_password_timeout())) {
412 global_machine_password_needs_changing = True;
420 /************************************************************************
421 Routine to get the trust account password for a domain.
422 The user of this function must have locked the trust password file using
423 the above secrets_lock_trust_account_password().
424 ************************************************************************/
426 bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
427 time_t *pass_last_set_time,
432 plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
435 DEBUG(4,("Using cleartext machine password\n"));
436 E_md4hash(plaintext, ret_pwd);
437 SAFE_FREE(plaintext);
441 return secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
447 * Pack SID passed by pointer
449 * @param pack_buf pointer to buffer which is to be filled with packed data
450 * @param bufsize size of packing buffer
451 * @param sid pointer to sid to be packed
453 * @return length of the packed representation of the whole structure
455 static size_t tdb_sid_pack(uint8 *pack_buf, int bufsize, DOM_SID* sid)
460 int remaining_space = pack_buf ? bufsize : 0;
466 len += tdb_pack(p, remaining_space, "bb", sid->sid_rev_num,
470 remaining_space = bufsize - len;
473 for (idx = 0; idx < 6; idx++) {
474 len += tdb_pack(p, remaining_space, "b",
478 remaining_space = bufsize - len;
482 for (idx = 0; idx < MAXSUBAUTHS; idx++) {
483 len += tdb_pack(p, remaining_space, "d",
484 sid->sub_auths[idx]);
487 remaining_space = bufsize - len;
495 * Unpack SID into a pointer
497 * @param pack_buf pointer to buffer with packed representation
498 * @param bufsize size of the buffer
499 * @param sid pointer to sid structure to be filled with unpacked data
501 * @return size of structure unpacked from buffer
503 static size_t tdb_sid_unpack(uint8 *pack_buf, int bufsize, DOM_SID* sid)
507 if (!sid || !pack_buf) return -1;
509 len += tdb_unpack(pack_buf + len, bufsize - len, "bb",
510 &sid->sid_rev_num, &sid->num_auths);
512 for (idx = 0; idx < 6; idx++) {
513 len += tdb_unpack(pack_buf + len, bufsize - len, "b",
517 for (idx = 0; idx < MAXSUBAUTHS; idx++) {
518 len += tdb_unpack(pack_buf + len, bufsize - len, "d",
519 &sid->sub_auths[idx]);
526 * Pack TRUSTED_DOM_PASS passed by pointer
528 * @param pack_buf pointer to buffer which is to be filled with packed data
529 * @param bufsize size of the buffer
530 * @param pass pointer to trusted domain password to be packed
532 * @return length of the packed representation of the whole structure
534 static size_t tdb_trusted_dom_pass_pack(uint8 *pack_buf, int bufsize,
535 TRUSTED_DOM_PASS* pass)
539 int remaining_space = pack_buf ? bufsize : 0;
545 /* packing unicode domain name and password */
546 len += tdb_pack(p, remaining_space, "d",
550 remaining_space = bufsize - len;
553 for (idx = 0; idx < 32; idx++) {
554 len += tdb_pack(p, remaining_space, "w",
555 pass->uni_name[idx]);
558 remaining_space = bufsize - len;
562 len += tdb_pack(p, remaining_space, "dPd", pass->pass_len,
563 pass->pass, pass->mod_time);
566 remaining_space = bufsize - len;
569 /* packing SID structure */
570 len += tdb_sid_pack(p, remaining_space, &pass->domain_sid);
573 remaining_space = bufsize - len;
581 * Unpack TRUSTED_DOM_PASS passed by pointer
583 * @param pack_buf pointer to buffer with packed representation
584 * @param bufsize size of the buffer
585 * @param pass pointer to trusted domain password to be filled with unpacked data
587 * @return size of structure unpacked from buffer
589 static size_t tdb_trusted_dom_pass_unpack(uint8 *pack_buf, int bufsize,
590 TRUSTED_DOM_PASS* pass)
595 if (!pack_buf || !pass) return -1;
597 /* unpack unicode domain name and plaintext password */
598 len += tdb_unpack(pack_buf, bufsize - len, "d", &pass->uni_name_len);
600 for (idx = 0; idx < 32; idx++)
601 len += tdb_unpack(pack_buf + len, bufsize - len, "w",
602 &pass->uni_name[idx]);
604 len += tdb_unpack(pack_buf + len, bufsize - len, "dPd",
605 &pass->pass_len, &passp, &pass->mod_time);
607 fstrcpy(pass->pass, passp);
611 /* unpack domain sid */
612 len += tdb_sid_unpack(pack_buf + len, bufsize - len,
618 /************************************************************************
619 Routine to get account password to trusted domain
620 ************************************************************************/
622 bool secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
623 DOM_SID *sid, time_t *pass_last_set_time)
625 struct trusted_dom_pass pass;
628 /* unpacking structures */
634 /* fetching trusted domain password structure */
635 if (!(pass_buf = (uint8 *)secrets_fetch(trustdom_keystr(domain),
637 DEBUG(5, ("secrets_fetch failed!\n"));
641 /* unpack trusted domain password */
642 pass_len = tdb_trusted_dom_pass_unpack(pass_buf, size, &pass);
645 if (pass_len != size) {
646 DEBUG(5, ("Invalid secrets size. Unpacked data doesn't match trusted_dom_pass structure.\n"));
650 /* the trust's password */
652 *pwd = SMB_STRDUP(pass.pass);
658 /* last change time */
659 if (pass_last_set_time) *pass_last_set_time = pass.mod_time;
662 if (sid != NULL) sid_copy(sid, &pass.domain_sid);
668 * Routine to store the password for trusted domain
670 * @param domain remote domain name
671 * @param pwd plain text password of trust relationship
672 * @param sid remote domain sid
674 * @return true if succeeded
677 bool secrets_store_trusted_domain_password(const char* domain, const char* pwd,
680 smb_ucs2_t *uni_dom_name;
683 /* packing structures */
684 uint8 *pass_buf = NULL;
687 struct trusted_dom_pass pass;
690 if (push_ucs2_allocate(&uni_dom_name, domain) == (size_t)-1) {
691 DEBUG(0, ("Could not convert domain name %s to unicode\n",
696 strncpy_w(pass.uni_name, uni_dom_name, sizeof(pass.uni_name) - 1);
697 pass.uni_name_len = strlen_w(uni_dom_name)+1;
698 SAFE_FREE(uni_dom_name);
700 /* last change time */
701 pass.mod_time = time(NULL);
703 /* password of the trust */
704 pass.pass_len = strlen(pwd);
705 fstrcpy(pass.pass, pwd);
708 sid_copy(&pass.domain_sid, sid);
710 /* Calculate the length. */
711 pass_len = tdb_trusted_dom_pass_pack(NULL, 0, &pass);
712 pass_buf = SMB_MALLOC_ARRAY(uint8, pass_len);
716 pass_len = tdb_trusted_dom_pass_pack(pass_buf, pass_len, &pass);
717 ret = secrets_store(trustdom_keystr(domain), (void *)pass_buf,
723 /************************************************************************
724 Routine to delete the plaintext machine account password
725 ************************************************************************/
727 bool secrets_delete_machine_password(const char *domain)
729 return secrets_delete(machine_password_keystr(domain));
732 /************************************************************************
733 Routine to delete the plaintext machine account password, sec channel type and
734 last change time from secrets database
735 ************************************************************************/
737 bool secrets_delete_machine_password_ex(const char *domain)
739 if (!secrets_delete(machine_password_keystr(domain))) {
742 if (!secrets_delete(machine_sec_channel_type_keystr(domain))) {
745 return secrets_delete(machine_last_change_time_keystr(domain));
748 /************************************************************************
749 Routine to delete the domain sid
750 ************************************************************************/
752 bool secrets_delete_domain_sid(const char *domain)
754 return secrets_delete(domain_sid_keystr(domain));
757 /************************************************************************
758 Routine to set the plaintext machine account password for a realm
759 the password is assumed to be a null terminated ascii string
760 ************************************************************************/
762 bool secrets_store_machine_password(const char *pass, const char *domain, uint32 sec_channel)
765 uint32 last_change_time;
766 uint32 sec_channel_type;
768 ret = secrets_store(machine_password_keystr(domain), pass, strlen(pass)+1);
772 SIVAL(&last_change_time, 0, time(NULL));
773 ret = secrets_store(machine_last_change_time_keystr(domain), &last_change_time, sizeof(last_change_time));
775 SIVAL(&sec_channel_type, 0, sec_channel);
776 ret = secrets_store(machine_sec_channel_type_keystr(domain), &sec_channel_type, sizeof(sec_channel_type));
781 /************************************************************************
782 Routine to fetch the plaintext machine account password for a realm
783 the password is assumed to be a null terminated ascii string.
784 ************************************************************************/
786 char *secrets_fetch_machine_password(const char *domain,
787 time_t *pass_last_set_time,
791 ret = (char *)secrets_fetch(machine_password_keystr(domain), NULL);
793 if (pass_last_set_time) {
795 uint32 *last_set_time;
796 last_set_time = (unsigned int *)secrets_fetch(machine_last_change_time_keystr(domain), &size);
798 *pass_last_set_time = IVAL(last_set_time,0);
799 SAFE_FREE(last_set_time);
801 *pass_last_set_time = 0;
807 uint32 *channel_type;
808 channel_type = (unsigned int *)secrets_fetch(machine_sec_channel_type_keystr(domain), &size);
810 *channel = IVAL(channel_type,0);
811 SAFE_FREE(channel_type);
813 *channel = get_default_sec_channel();
820 /************************************************************************
821 Routine to delete the password for trusted domain
822 ************************************************************************/
824 bool trusted_domain_password_delete(const char *domain)
826 return secrets_delete(trustdom_keystr(domain));
829 bool secrets_store_ldap_pw(const char* dn, char* pw)
834 if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, dn) < 0) {
835 DEBUG(0, ("secrets_store_ldap_pw: asprintf failed!\n"));
839 ret = secrets_store(key, pw, strlen(pw)+1);
845 /*******************************************************************
846 Find the ldap password.
847 ******************************************************************/
849 bool fetch_ldap_pw(char **dn, char** pw)
854 *dn = smb_xstrdup(lp_ldap_admin_dn());
856 if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, *dn) < 0) {
858 DEBUG(0, ("fetch_ldap_pw: asprintf failed!\n"));
861 *pw=(char *)secrets_fetch(key, &size);
865 /* Upgrade 2.2 style entry */
867 char* old_style_key = SMB_STRDUP(*dn);
869 fstring old_style_pw;
871 if (!old_style_key) {
872 DEBUG(0, ("fetch_ldap_pw: strdup failed!\n"));
876 for (p=old_style_key; *p; p++)
877 if (*p == ',') *p = '/';
879 data=(char *)secrets_fetch(old_style_key, &size);
880 if (!size && size < sizeof(old_style_pw)) {
881 DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
882 SAFE_FREE(old_style_key);
887 size = MIN(size, sizeof(fstring)-1);
888 strncpy(old_style_pw, data, size);
889 old_style_pw[size] = 0;
893 if (!secrets_store_ldap_pw(*dn, old_style_pw)) {
894 DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n"));
895 SAFE_FREE(old_style_key);
899 if (!secrets_delete(old_style_key)) {
900 DEBUG(0,("fetch_ldap_pw: old ldap secret could not be deleted!\n"));
903 SAFE_FREE(old_style_key);
905 *pw = smb_xstrdup(old_style_pw);
912 * Get trusted domains info from secrets.tdb.
915 NTSTATUS secrets_trusted_domains(TALLOC_CTX *mem_ctx, uint32 *num_domains,
916 struct trustdom_info ***domains)
918 TDB_LIST_NODE *keys, *k;
922 if (!(tmp_ctx = talloc_new(mem_ctx))) {
923 return NT_STATUS_NO_MEMORY;
926 if (!secrets_init()) return NT_STATUS_ACCESS_DENIED;
928 /* generate searching pattern */
929 pattern = talloc_asprintf(tmp_ctx, "%s/*", SECRETS_DOMTRUST_ACCT_PASS);
930 if (pattern == NULL) {
931 DEBUG(0, ("secrets_trusted_domains: talloc_asprintf() "
933 TALLOC_FREE(tmp_ctx);
934 return NT_STATUS_NO_MEMORY;
940 * Make sure that a talloc context for the trustdom_info structs
944 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct trustdom_info *, 1))) {
945 TALLOC_FREE(tmp_ctx);
946 return NT_STATUS_NO_MEMORY;
949 /* fetching trusted domains' data and collecting them in a list */
950 keys = tdb_search_keys(tdb, pattern);
952 /* searching for keys in secrets db -- way to go ... */
953 for (k = keys; k; k = k->next) {
955 size_t size = 0, packed_size = 0;
956 struct trusted_dom_pass pass;
958 struct trustdom_info *dom_info;
960 /* important: ensure null-termination of the key string */
961 secrets_key = talloc_strndup(tmp_ctx,
962 (const char *)k->node_key.dptr,
965 DEBUG(0, ("strndup failed!\n"));
966 tdb_search_list_free(keys);
967 TALLOC_FREE(tmp_ctx);
968 return NT_STATUS_NO_MEMORY;
971 packed_pass = (uint8 *)secrets_fetch(secrets_key, &size);
972 packed_size = tdb_trusted_dom_pass_unpack(packed_pass, size,
974 /* packed representation isn't needed anymore */
975 SAFE_FREE(packed_pass);
977 if (size != packed_size) {
978 DEBUG(2, ("Secrets record %s is invalid!\n",
983 if (pass.domain_sid.num_auths != 4) {
984 DEBUG(0, ("SID %s is not a domain sid, has %d "
985 "auths instead of 4\n",
986 sid_string_dbg(&pass.domain_sid),
987 pass.domain_sid.num_auths));
991 if (!(dom_info = TALLOC_P(*domains, struct trustdom_info))) {
992 DEBUG(0, ("talloc failed\n"));
993 tdb_search_list_free(keys);
994 TALLOC_FREE(tmp_ctx);
995 return NT_STATUS_NO_MEMORY;
998 if (pull_ucs2_talloc(dom_info, &dom_info->name,
999 pass.uni_name) == (size_t)-1) {
1000 DEBUG(2, ("pull_ucs2_talloc failed\n"));
1001 tdb_search_list_free(keys);
1002 TALLOC_FREE(tmp_ctx);
1003 return NT_STATUS_NO_MEMORY;
1006 sid_copy(&dom_info->sid, &pass.domain_sid);
1008 ADD_TO_ARRAY(*domains, struct trustdom_info *, dom_info,
1009 domains, num_domains);
1011 if (*domains == NULL) {
1012 tdb_search_list_free(keys);
1013 TALLOC_FREE(tmp_ctx);
1014 return NT_STATUS_NO_MEMORY;
1018 DEBUG(5, ("secrets_get_trusted_domains: got %d domains\n",
1021 /* free the results of searching the keys */
1022 tdb_search_list_free(keys);
1023 TALLOC_FREE(tmp_ctx);
1025 return NT_STATUS_OK;
1028 /*******************************************************************************
1029 Lock the secrets tdb based on a string - this is used as a primitive form of mutex
1030 between smbd instances.
1031 *******************************************************************************/
1033 bool secrets_named_mutex(const char *name, unsigned int timeout)
1037 if (!secrets_init())
1040 ret = tdb_lock_bystring_with_timeout(tdb, name, timeout);
1042 DEBUG(10,("secrets_named_mutex: got mutex for %s\n", name ));
1047 /*******************************************************************************
1048 Unlock a named mutex.
1049 *******************************************************************************/
1051 void secrets_named_mutex_release(const char *name)
1053 tdb_unlock_bystring(tdb, name);
1054 DEBUG(10,("secrets_named_mutex: released mutex for %s\n", name ));
1057 /*******************************************************************************
1058 Store a complete AFS keyfile into secrets.tdb.
1059 *******************************************************************************/
1061 bool secrets_store_afs_keyfile(const char *cell, const struct afs_keyfile *keyfile)
1065 if ((cell == NULL) || (keyfile == NULL))
1068 if (ntohl(keyfile->nkeys) > SECRETS_AFS_MAXKEYS)
1071 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_AFS_KEYFILE, cell);
1072 return secrets_store(key, keyfile, sizeof(struct afs_keyfile));
1075 /*******************************************************************************
1076 Fetch the current (highest) AFS key from secrets.tdb
1077 *******************************************************************************/
1078 bool secrets_fetch_afs_key(const char *cell, struct afs_key *result)
1081 struct afs_keyfile *keyfile;
1085 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_AFS_KEYFILE, cell);
1087 keyfile = (struct afs_keyfile *)secrets_fetch(key, &size);
1089 if (keyfile == NULL)
1092 if (size != sizeof(struct afs_keyfile)) {
1097 i = ntohl(keyfile->nkeys);
1099 if (i > SECRETS_AFS_MAXKEYS) {
1104 *result = keyfile->entry[i-1];
1106 result->kvno = ntohl(result->kvno);
1111 /******************************************************************************
1112 When kerberos is not available, choose between anonymous or
1113 authenticated connections.
1115 We need to use an authenticated connection if DCs have the
1116 RestrictAnonymous registry entry set > 0, or the "Additional
1117 restrictions for anonymous connections" set in the win2k Local
1120 Caller to free() result in domain, username, password
1121 *******************************************************************************/
1122 void secrets_fetch_ipc_userpass(char **username, char **domain, char **password)
1124 *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
1125 *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
1126 *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
1128 if (*username && **username) {
1130 if (!*domain || !**domain)
1131 *domain = smb_xstrdup(lp_workgroup());
1133 if (!*password || !**password)
1134 *password = smb_xstrdup("");
1136 DEBUG(3, ("IPC$ connections done by user %s\\%s\n",
1137 *domain, *username));
1140 DEBUG(3, ("IPC$ connections done anonymously\n"));
1141 *username = smb_xstrdup("");
1142 *domain = smb_xstrdup("");
1143 *password = smb_xstrdup("");
1147 /******************************************************************************
1148 Open or create the schannel session store tdb.
1149 *******************************************************************************/
1151 static TDB_CONTEXT *open_schannel_session_store(TALLOC_CTX *mem_ctx)
1155 TDB_CONTEXT *tdb_sc = NULL;
1156 char *fname = talloc_asprintf(mem_ctx, "%s/schannel_store.tdb", lp_private_dir());
1162 tdb_sc = tdb_open_log(fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
1165 DEBUG(0,("open_schannel_session_store: Failed to open %s\n", fname));
1170 vers = tdb_fetch_bystring(tdb_sc, "SCHANNEL_STORE_VERSION");
1171 if (vers.dptr == NULL) {
1172 /* First opener, no version. */
1174 vers.dptr = (uint8 *)&ver;
1176 tdb_store_bystring(tdb_sc, "SCHANNEL_STORE_VERSION", vers, TDB_REPLACE);
1178 } else if (vers.dsize == 4) {
1179 ver = IVAL(vers.dptr,0);
1183 DEBUG(0,("open_schannel_session_store: wrong version number %d in %s\n",
1189 DEBUG(0,("open_schannel_session_store: wrong version number size %d in %s\n",
1190 (int)vers.dsize, fname ));
1193 SAFE_FREE(vers.dptr);
1199 /******************************************************************************
1200 Store the schannel state after an AUTH2 call.
1201 Note we must be root here.
1202 *******************************************************************************/
1204 bool secrets_store_schannel_session_info(TALLOC_CTX *mem_ctx,
1205 const char *remote_machine,
1206 const struct dcinfo *pdc)
1208 TDB_CONTEXT *tdb_sc = NULL;
1211 char *keystr = talloc_asprintf(mem_ctx, "%s/%s", SECRETS_SCHANNEL_STATE,
1219 /* Work out how large the record is. */
1220 value.dsize = tdb_pack(NULL, 0, "dBBBBBfff",
1222 8, pdc->seed_chal.data,
1223 8, pdc->clnt_chal.data,
1224 8, pdc->srv_chal.data,
1228 pdc->remote_machine,
1231 value.dptr = TALLOC_ARRAY(mem_ctx, uint8, value.dsize);
1233 TALLOC_FREE(keystr);
1237 value.dsize = tdb_pack(value.dptr, value.dsize, "dBBBBBfff",
1239 8, pdc->seed_chal.data,
1240 8, pdc->clnt_chal.data,
1241 8, pdc->srv_chal.data,
1245 pdc->remote_machine,
1248 tdb_sc = open_schannel_session_store(mem_ctx);
1250 TALLOC_FREE(keystr);
1251 TALLOC_FREE(value.dptr);
1255 ret = (tdb_store_bystring(tdb_sc, keystr, value, TDB_REPLACE) == 0 ? True : False);
1257 DEBUG(3,("secrets_store_schannel_session_info: stored schannel info with key %s\n",
1261 TALLOC_FREE(keystr);
1262 TALLOC_FREE(value.dptr);
1266 /******************************************************************************
1267 Restore the schannel state on a client reconnect.
1268 Note we must be root here.
1269 *******************************************************************************/
1271 bool secrets_restore_schannel_session_info(TALLOC_CTX *mem_ctx,
1272 const char *remote_machine,
1273 struct dcinfo **ppdc)
1275 TDB_CONTEXT *tdb_sc = NULL;
1277 unsigned char *pseed_chal = NULL;
1278 unsigned char *pclnt_chal = NULL;
1279 unsigned char *psrv_chal = NULL;
1280 unsigned char *psess_key = NULL;
1281 unsigned char *pmach_pw = NULL;
1282 uint32 l1, l2, l3, l4, l5;
1284 struct dcinfo *pdc = NULL;
1285 char *keystr = talloc_asprintf(mem_ctx, "%s/%s", SECRETS_SCHANNEL_STATE,
1296 tdb_sc = open_schannel_session_store(mem_ctx);
1298 TALLOC_FREE(keystr);
1302 value = tdb_fetch_bystring(tdb_sc, keystr);
1304 DEBUG(0,("secrets_restore_schannel_session_info: Failed to find entry with key %s\n",
1310 pdc = TALLOC_ZERO_P(mem_ctx, struct dcinfo);
1312 /* Retrieve the record. */
1313 ret = tdb_unpack(value.dptr, value.dsize, "dBBBBBfff",
1321 &pdc->remote_machine,
1324 if (ret == -1 || l1 != 8 || l2 != 8 || l3 != 8 || l4 != 16 || l5 != 16) {
1325 /* Bad record - delete it. */
1326 tdb_delete_bystring(tdb_sc, keystr);
1328 TALLOC_FREE(keystr);
1330 SAFE_FREE(pseed_chal);
1331 SAFE_FREE(pclnt_chal);
1332 SAFE_FREE(psrv_chal);
1333 SAFE_FREE(psess_key);
1334 SAFE_FREE(pmach_pw);
1335 SAFE_FREE(value.dptr);
1341 memcpy(pdc->seed_chal.data, pseed_chal, 8);
1342 memcpy(pdc->clnt_chal.data, pclnt_chal, 8);
1343 memcpy(pdc->srv_chal.data, psrv_chal, 8);
1344 memcpy(pdc->sess_key, psess_key, 16);
1345 memcpy(pdc->mach_pw, pmach_pw, 16);
1347 /* We know these are true so didn't bother to store them. */
1348 pdc->challenge_sent = True;
1349 pdc->authenticated = True;
1351 DEBUG(3,("secrets_restore_schannel_session_info: restored schannel info key %s\n",
1354 SAFE_FREE(pseed_chal);
1355 SAFE_FREE(pclnt_chal);
1356 SAFE_FREE(psrv_chal);
1357 SAFE_FREE(psess_key);
1358 SAFE_FREE(pmach_pw);
1360 TALLOC_FREE(keystr);
1361 SAFE_FREE(value.dptr);
1368 bool secrets_store_generic(const char *owner, const char *key, const char *secret)
1370 char *tdbkey = NULL;
1373 if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) {
1374 DEBUG(0, ("asprintf failed!\n"));
1378 ret = secrets_store(tdbkey, secret, strlen(secret)+1);
1384 /*******************************************************************
1385 Find the ldap password.
1386 ******************************************************************/
1388 char *secrets_fetch_generic(const char *owner, const char *key)
1390 char *secret = NULL;
1391 char *tdbkey = NULL;
1393 if (( ! owner) || ( ! key)) {
1394 DEBUG(1, ("Invalid Paramters"));
1398 if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) {
1399 DEBUG(0, ("Out of memory!\n"));
1403 secret = (char *)secrets_fetch(tdbkey, NULL);