2 Unix SMB/CIFS implementation.
4 interface functions for the sam database
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "librpc/gen_ndr/ndr_netlogon.h"
25 #include "librpc/gen_ndr/ndr_misc.h"
26 #include "lib/ldb/include/ldb.h"
27 #include "system/time.h"
28 #include "system/filesys.h"
32 connect to the SAM database
33 return an opaque context pointer on success, or NULL on failure
35 struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx)
37 return ldb_wrap_connect(mem_ctx, lp_sam_url(), 0, NULL);
41 search the sam for the specified attributes in a specific domain, filter on
42 objectSid being in domain_sid.
44 int samdb_search_domain(struct ldb_context *sam_ldb,
47 struct ldb_message ***res,
48 const char * const *attrs,
49 const struct dom_sid *domain_sid,
50 const char *format, ...) _PRINTF_ATTRIBUTE(7,8)
56 count = gendb_search_v(sam_ldb, mem_ctx, basedn,
57 res, attrs, format, ap);
63 struct dom_sid *entry_sid;
65 entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], "objectSid");
67 if ((entry_sid == NULL) ||
68 (!dom_sid_in_domain(domain_sid, entry_sid))) {
69 /* Delete that entry from the result set */
70 (*res)[i] = (*res)[count-1];
72 talloc_free(entry_sid);
75 talloc_free(entry_sid);
83 search the sam for a single string attribute in exactly 1 record
85 const char *samdb_search_string_v(struct ldb_context *sam_ldb,
88 const char *attr_name,
89 const char *format, va_list ap) _PRINTF_ATTRIBUTE(5,0)
92 const char *attrs[2] = { NULL, NULL };
93 struct ldb_message **res = NULL;
97 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
99 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
100 attr_name, format, count));
107 return samdb_result_string(res[0], attr_name, NULL);
112 search the sam for a single string attribute in exactly 1 record
114 const char *samdb_search_string(struct ldb_context *sam_ldb,
117 const char *attr_name,
118 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
123 va_start(ap, format);
124 str = samdb_search_string_v(sam_ldb, mem_ctx, basedn, attr_name, format, ap);
131 search the sam for a dom_sid attribute in exactly 1 record
133 struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb,
136 const char *attr_name,
137 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
141 struct ldb_message **res;
142 const char *attrs[2] = { NULL, NULL };
145 attrs[0] = attr_name;
147 va_start(ap, format);
148 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
151 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
152 attr_name, format, count));
158 sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name);
164 return the count of the number of records in the sam matching the query
166 int samdb_search_count(struct ldb_context *sam_ldb,
169 const char *format, ...) _PRINTF_ATTRIBUTE(4,5)
172 struct ldb_message **res;
173 const char * const attrs[] = { NULL };
176 va_start(ap, format);
177 ret = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
185 search the sam for a single integer attribute in exactly 1 record
187 uint_t samdb_search_uint(struct ldb_context *sam_ldb,
189 uint_t default_value,
191 const char *attr_name,
192 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
196 struct ldb_message **res;
197 const char *attrs[2] = { NULL, NULL };
199 attrs[0] = attr_name;
201 va_start(ap, format);
202 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
206 return default_value;
209 return samdb_result_uint(res[0], attr_name, default_value);
213 search the sam for a single signed 64 bit integer attribute in exactly 1 record
215 int64_t samdb_search_int64(struct ldb_context *sam_ldb,
217 int64_t default_value,
219 const char *attr_name,
220 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
224 struct ldb_message **res;
225 const char *attrs[2] = { NULL, NULL };
227 attrs[0] = attr_name;
229 va_start(ap, format);
230 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
234 return default_value;
237 return samdb_result_int64(res[0], attr_name, default_value);
241 search the sam for multipe records each giving a single string attribute
242 return the number of matches, or -1 on error
244 int samdb_search_string_multiple(struct ldb_context *sam_ldb,
248 const char *attr_name,
249 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
253 const char *attrs[2] = { NULL, NULL };
254 struct ldb_message **res = NULL;
256 attrs[0] = attr_name;
258 va_start(ap, format);
259 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
266 /* make sure its single valued */
267 for (i=0;i<count;i++) {
268 if (res[i]->num_elements != 1) {
269 DEBUG(1,("samdb: search for %s %s not single valued\n",
276 *strs = talloc_array(mem_ctx, const char *, count+1);
282 for (i=0;i<count;i++) {
283 (*strs)[i] = samdb_result_string(res[i], attr_name, NULL);
285 (*strs)[count] = NULL;
291 pull a uint from a result set.
293 uint_t samdb_result_uint(struct ldb_message *msg, const char *attr, uint_t default_value)
295 return ldb_msg_find_uint(msg, attr, default_value);
299 pull a (signed) int64 from a result set.
301 int64_t samdb_result_int64(struct ldb_message *msg, const char *attr, int64_t default_value)
303 return ldb_msg_find_int64(msg, attr, default_value);
307 pull a string from a result set.
309 const char *samdb_result_string(struct ldb_message *msg, const char *attr,
310 const char *default_value)
312 return ldb_msg_find_string(msg, attr, default_value);
316 pull a rid from a objectSid in a result set.
318 uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
319 const char *attr, uint32_t default_value)
324 sid = samdb_result_dom_sid(mem_ctx, msg, attr);
326 return default_value;
328 rid = sid->sub_auths[sid->num_auths-1];
334 pull a dom_sid structure from a objectSid in a result set.
336 struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
339 const struct ldb_val *v;
342 v = ldb_msg_find_ldb_val(msg, attr);
346 sid = talloc(mem_ctx, struct dom_sid);
350 status = ndr_pull_struct_blob(v, sid, sid,
351 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
352 if (!NT_STATUS_IS_OK(status)) {
360 pull a guid structure from a objectGUID in a result set.
362 struct GUID samdb_result_guid(struct ldb_message *msg, const char *attr)
364 const struct ldb_val *v;
371 v = ldb_msg_find_ldb_val(msg, attr);
374 mem_ctx = talloc_named_const(NULL, 0, "samdb_result_guid");
375 if (!mem_ctx) return guid;
376 status = ndr_pull_struct_blob(v, mem_ctx, &guid,
377 (ndr_pull_flags_fn_t)ndr_pull_GUID);
378 talloc_free(mem_ctx);
379 if (!NT_STATUS_IS_OK(status)) {
387 pull a sid prefix from a objectSid in a result set.
388 this is used to find the domain sid for a user
390 struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
393 struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr);
394 if (!sid || sid->num_auths < 1) return NULL;
400 pull a NTTIME in a result set.
402 NTTIME samdb_result_nttime(struct ldb_message *msg, const char *attr, NTTIME default_value)
404 const char *str = ldb_msg_find_string(msg, attr, NULL);
405 if (!str) return default_value;
406 return nttime_from_string(str);
410 pull a uint64_t from a result set.
412 uint64_t samdb_result_uint64(struct ldb_message *msg, const char *attr, uint64_t default_value)
414 return ldb_msg_find_uint64(msg, attr, default_value);
419 construct the allow_password_change field from the PwdLastSet attribute and the
420 domain password settings
422 NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
424 const char *domain_dn,
425 struct ldb_message *msg,
428 uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
431 if (attr_time == 0) {
435 minPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0,
436 domain_dn, "minPwdAge", "dn=%s", domain_dn);
438 /* yes, this is a -= not a += as minPwdAge is stored as the negative
439 of the number of 100-nano-seconds */
440 attr_time -= minPwdAge;
446 construct the force_password_change field from the PwdLastSet attribute and the
447 domain password settings
449 NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
451 const char *domain_dn,
452 struct ldb_message *msg,
455 uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
458 if (attr_time == 0) {
462 maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn,
463 "maxPwdAge", "dn=%s", domain_dn);
464 if (maxPwdAge == 0) {
467 attr_time -= maxPwdAge;
474 pull a samr_Password structutre from a result set.
476 struct samr_Password samdb_result_hash(struct ldb_message *msg, const char *attr)
478 struct samr_Password hash;
479 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
482 memcpy(hash.hash, val->data, MIN(val->length, sizeof(hash.hash)));
488 pull an array of samr_Password structutres from a result set.
490 uint_t samdb_result_hashes(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
491 const char *attr, struct samr_Password **hashes)
494 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
501 count = val->length / 16;
506 *hashes = talloc_array(mem_ctx, struct samr_Password, count);
511 for (i=0;i<count;i++) {
512 memcpy((*hashes)[i].hash, (i*16)+(char *)val->data, 16);
518 NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
519 struct samr_Password **lm_pwd, struct samr_Password **nt_pwd)
522 const char *unicodePwd = samdb_result_string(msg, "unicodePwd", NULL);
524 struct samr_Password *lmPwdHash, *ntPwdHash;
527 ntPwdHash = talloc(mem_ctx, struct samr_Password);
529 return NT_STATUS_NO_MEMORY;
532 E_md4hash(unicodePwd, ntPwdHash->hash);
539 lmPwdHash = talloc(mem_ctx, struct samr_Password);
541 return NT_STATUS_NO_MEMORY;
544 /* compute the new nt and lm hashes */
545 lm_hash_ok = E_deshash(unicodePwd, lmPwdHash->hash);
556 num_nt = samdb_result_hashes(mem_ctx, msg, "ntPwdHash", &ntPwdHash);
559 } else if (num_nt > 1) {
560 return NT_STATUS_INTERNAL_DB_CORRUPTION;
562 *nt_pwd = &ntPwdHash[0];
567 num_lm = samdb_result_hashes(mem_ctx, msg, "lmPwdHash", &lmPwdHash);
570 } else if (num_lm > 1) {
571 return NT_STATUS_INTERNAL_DB_CORRUPTION;
573 *lm_pwd = &lmPwdHash[0];
582 pull a samr_LogonHours structutre from a result set.
584 struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr)
586 struct samr_LogonHours hours;
587 const int units_per_week = 168;
588 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
590 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week);
594 hours.units_per_week = units_per_week;
595 memset(hours.bits, 0xFF, units_per_week);
597 memcpy(hours.bits, val->data, MIN(val->length, units_per_week));
603 pull a set of account_flags from a result set.
605 uint16_t samdb_result_acct_flags(struct ldb_message *msg, const char *attr)
607 uint_t userAccountControl = ldb_msg_find_uint(msg, attr, 0);
608 return samdb_uf2acb(userAccountControl);
612 copy from a template record to a message
614 int samdb_copy_template(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
615 struct ldb_message *msg, const char *expression)
617 struct ldb_message **res, *t;
621 /* pull the template record */
622 ret = gendb_search(sam_ldb, mem_ctx, NULL, &res, NULL, "%s", expression);
624 DEBUG(1,("samdb: ERROR: template '%s' matched %d records\n",
630 for (i=0;i<t->num_elements;i++) {
631 struct ldb_message_element *el = &t->elements[i];
632 /* some elements should not be copied from the template */
633 if (strcasecmp(el->name, "cn") == 0 ||
634 strcasecmp(el->name, "name") == 0 ||
635 strcasecmp(el->name, "sAMAccountName") == 0) {
638 for (j=0;j<el->num_values;j++) {
639 if (strcasecmp(el->name, "objectClass") == 0 &&
640 (strcasecmp((char *)el->values[j].data, "Template") == 0 ||
641 strcasecmp((char *)el->values[j].data, "userTemplate") == 0 ||
642 strcasecmp((char *)el->values[j].data, "groupTemplate") == 0 ||
643 strcasecmp((char *)el->values[j].data, "foreignSecurityTemplate") == 0 ||
644 strcasecmp((char *)el->values[j].data, "aliasTemplate") == 0 ||
645 strcasecmp((char *)el->values[j].data, "trustedDomainTemplate") == 0 ||
646 strcasecmp((char *)el->values[j].data, "secretTemplate") == 0)) {
649 samdb_msg_add_string(sam_ldb, mem_ctx, msg, el->name,
650 (char *)el->values[j].data);
659 add a string element to a message
661 int samdb_msg_add_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
662 const char *attr_name, const char *str)
664 char *s = talloc_strdup(mem_ctx, str);
665 char *a = talloc_strdup(mem_ctx, attr_name);
666 if (s == NULL || a == NULL) {
669 return ldb_msg_add_string(sam_ldb, msg, a, s);
673 add a dom_sid element to a message
675 int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
676 const char *attr_name, struct dom_sid *sid)
680 status = ndr_push_struct_blob(&v, mem_ctx, sid,
681 (ndr_push_flags_fn_t)ndr_push_dom_sid);
682 if (!NT_STATUS_IS_OK(status)) {
685 return ldb_msg_add_value(sam_ldb, msg, attr_name, &v);
690 add a delete element operation to a message
692 int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
693 const char *attr_name)
695 char *a = talloc_strdup(mem_ctx, attr_name);
699 /* we use an empty replace rather than a delete, as it allows for
700 samdb_replace() to be used everywhere */
701 return ldb_msg_add_empty(sam_ldb, msg, a, LDB_FLAG_MOD_REPLACE);
705 add a add attribute value to a message
707 int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
708 const char *attr_name, const char *value)
710 struct ldb_message_element *el;
713 a = talloc_strdup(mem_ctx, attr_name);
716 v = talloc_strdup(mem_ctx, value);
719 ret = ldb_msg_add_string(sam_ldb, msg, a, v);
722 el = ldb_msg_find_element(msg, a);
725 el->flags = LDB_FLAG_MOD_ADD;
730 add a delete attribute value to a message
732 int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
733 const char *attr_name, const char *value)
735 struct ldb_message_element *el;
738 a = talloc_strdup(mem_ctx, attr_name);
741 v = talloc_strdup(mem_ctx, value);
744 ret = ldb_msg_add_string(sam_ldb, msg, a, v);
747 el = ldb_msg_find_element(msg, a);
750 el->flags = LDB_FLAG_MOD_DELETE;
755 add a uint_t element to a message
757 int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
758 const char *attr_name, uint_t v)
760 const char *s = talloc_asprintf(mem_ctx, "%u", v);
761 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
765 add a (signed) int64_t element to a message
767 int samdb_msg_add_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
768 const char *attr_name, int64_t v)
770 const char *s = talloc_asprintf(mem_ctx, "%lld", v);
771 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
775 add a uint64_t element to a message
777 int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
778 const char *attr_name, uint64_t v)
780 const char *s = talloc_asprintf(mem_ctx, "%llu", v);
781 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
785 add a samr_Password element to a message
787 int samdb_msg_add_hash(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
788 const char *attr_name, struct samr_Password *hash)
791 val.data = talloc_memdup(mem_ctx, hash->hash, 16);
796 return ldb_msg_add_value(sam_ldb, msg, attr_name, &val);
800 add a samr_Password array to a message
802 int samdb_msg_add_hashes(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
803 const char *attr_name, struct samr_Password *hashes, uint_t count)
807 val.data = talloc_array_size(mem_ctx, 16, count);
808 val.length = count*16;
812 for (i=0;i<count;i++) {
813 memcpy(i*16 + (char *)val.data, hashes[i].hash, 16);
815 return ldb_msg_add_value(sam_ldb, msg, attr_name, &val);
819 add a acct_flags element to a message
821 int samdb_msg_add_acct_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
822 const char *attr_name, uint32_t v)
824 return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, samdb_acb2uf(v));
828 add a logon_hours element to a message
830 int samdb_msg_add_logon_hours(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
831 const char *attr_name, struct samr_LogonHours *hours)
834 val.length = hours->units_per_week / 8;
835 val.data = hours->bits;
836 return ldb_msg_add_value(sam_ldb, msg, attr_name, &val);
840 add a general value element to a message
842 int samdb_msg_add_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
843 const char *attr_name, const struct ldb_val *val)
845 return ldb_msg_add_value(sam_ldb, msg, attr_name, val);
849 sets a general value element to a message
851 int samdb_msg_set_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
852 const char *attr_name, const struct ldb_val *val)
854 struct ldb_message_element *el;
856 el = ldb_msg_find_element(msg, attr_name);
860 return ldb_msg_add_value(sam_ldb, msg, attr_name, val);
864 set a string element in a message
866 int samdb_msg_set_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
867 const char *attr_name, const char *str)
869 struct ldb_message_element *el;
871 el = ldb_msg_find_element(msg, attr_name);
875 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, str);
879 set a ldaptime element in a message
881 int samdb_msg_set_ldaptime(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
882 const char *attr_name, time_t t)
884 char *str = ldap_timestring(mem_ctx, t);
888 return samdb_msg_set_string(sam_ldb, mem_ctx, msg, attr_name, str);
894 int samdb_add(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
896 return ldb_add(sam_ldb, msg);
902 int samdb_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, const char *dn)
904 return ldb_delete(sam_ldb, dn);
910 int samdb_modify(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
912 return ldb_modify(sam_ldb, msg);
916 replace elements in a record
918 int samdb_replace(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
922 /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
923 for (i=0;i<msg->num_elements;i++) {
924 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
927 /* modify the samdb record */
928 return samdb_modify(sam_ldb, mem_ctx, msg);
932 return a default security descriptor
934 struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ctx)
936 struct security_descriptor *sd;
938 sd = security_descriptor_initialise(mem_ctx);