This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
static struct samu *csamuser = NULL;
+static_decl_pdb;
+
static struct pdb_init_function_entry *backends = NULL;
static void lazy_initialize_passdb(void)
{
static BOOL initialized = False;
- if(initialized)return;
+ if(initialized) {
+ return;
+ }
static_init_pdb;
initialized = True;
}
-static struct pdb_init_function_entry *pdb_find_backend_entry(const char *name);
static BOOL lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
const char **name,
- enum SID_NAME_USE *psid_name_use,
+ enum lsa_SidType *psid_name_use,
union unid_t *unix_id);
-/*******************************************************************
- Clean up uninitialised passwords. The only way to tell
- that these values are not 'real' is that they do not
- have a valid last set time. Instead, the value is fixed at 0.
- Therefore we use that as the key for 'is this a valid password'.
- However, it is perfectly valid to have a 'default' last change
- time, such LDAP with a missing attribute would produce.
-********************************************************************/
-
-static void pdb_force_pw_initialization(struct samu *pass)
-{
- const uint8 *lm_pwd, *nt_pwd;
-
- /* only reset a password if the last set time has been
- explicitly been set to zero. A default last set time
- is ignored */
-
- if ( (pdb_get_init_flags(pass, PDB_PASSLASTSET) != PDB_DEFAULT)
- && (pdb_get_pass_last_set_time(pass) == 0) )
- {
-
- if (pdb_get_init_flags(pass, PDB_LMPASSWD) != PDB_DEFAULT)
- {
- lm_pwd = pdb_get_lanman_passwd(pass);
- if (lm_pwd)
- pdb_set_lanman_passwd(pass, NULL, PDB_CHANGED);
- }
- if (pdb_get_init_flags(pass, PDB_NTPASSWD) != PDB_DEFAULT)
- {
- nt_pwd = pdb_get_nt_passwd(pass);
- if (nt_pwd)
- pdb_set_nt_passwd(pass, NULL, PDB_CHANGED);
- }
- }
-
- return;
-}
NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
{
return NT_STATUS_OK;
}
-static struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
+struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
{
struct pdb_init_function_entry *entry = backends;
return NULL;
}
+/*
+ * The event context for the passdb backend. I know this is a bad hack and yet
+ * another static variable, but our pdb API is a global thing per
+ * definition. The first use for this is the LDAP idle function, more might be
+ * added later.
+ *
+ * I don't feel too bad about this static variable, it replaces the
+ * smb_idle_event_list that used to exist in lib/module.c. -- VL
+ */
+
+static struct event_context *pdb_event_ctx;
+
+struct event_context *pdb_get_event_context(void)
+{
+ return pdb_event_ctx;
+}
+
/******************************************************************
Make a pdb_methods from scratch
*******************************************************************/
if ( pdb && reload ) {
pdb->free_private_data( &(pdb->private_data) );
if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
- return NULL;
+ pstring msg;
+ slprintf(msg, sizeof(msg)-1, "pdb_get_methods_reload: failed to get pdb methods for backend %s\n",
+ lp_passdb_backend() );
+ smb_panic(msg);
}
}
if ( !pdb ) {
if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
- return NULL;
+ pstring msg;
+ slprintf(msg, sizeof(msg)-1, "pdb_get_methods_reload: failed to get pdb methods for backend %s\n",
+ lp_passdb_backend() );
+ smb_panic(msg);
}
}
BOOL pdb_setsampwent(BOOL update, uint16 acb_mask)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
return NT_STATUS_IS_OK(pdb->setsampwent(pdb, update, acb_mask));
}
void pdb_endsampwent(void)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return;
- }
-
pdb->endsampwent(pdb);
}
{
struct pdb_methods *pdb = pdb_get_methods();
- if ( !pdb ) {
- return False;
- }
-
if ( !NT_STATUS_IS_OK(pdb->getsampwent(pdb, user) ) ) {
return False;
}
- pdb_force_pw_initialization( user );
-
return True;
}
{
struct pdb_methods *pdb = pdb_get_methods();
- if ( !pdb ) {
+ if (!NT_STATUS_IS_OK(pdb->getsampwnam(pdb, sam_acct, username))) {
return False;
}
- if (!NT_STATUS_IS_OK(pdb->getsampwnam(pdb, sam_acct, username))) {
+ if ( csamuser ) {
+ TALLOC_FREE(csamuser);
+ }
+
+ csamuser = samu_new( NULL );
+ if (!csamuser) {
return False;
}
- if (csamuser != NULL) {
+ if (!pdb_copy_sam_account(csamuser, sam_acct)) {
TALLOC_FREE(csamuser);
- csamuser = NULL;
+ return False;
}
- pdb_force_pw_initialization( sam_acct );
-
- if ( (csamuser = samu_new( NULL )) != NULL )
- pdb_copy_sam_account(csamuser, sam_acct);
-
return True;
}
BOOL pdb_getsampwsid(struct samu *sam_acct, const DOM_SID *sid)
{
- struct pdb_methods *pdb;
+ struct pdb_methods *pdb = pdb_get_methods();
uint32 rid;
- if ( !(pdb = pdb_get_methods()) ) {
- return False;
- }
-
/* hard code the Guest RID of 501 */
if ( !sid_peek_check_rid( get_global_sam_sid(), sid, &rid ) )
if ( !(pwd = Get_Pwnam_alloc(tmp_ctx, name)) ) {
pstring add_script;
int add_ret;
+ fstring name2;
if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] != '$') {
pstrcpy(add_script, lp_adduser_script());
return NT_STATUS_NO_SUCH_USER;
}
- all_string_sub(add_script, "%u", name, sizeof(add_script));
+ /* lowercase the username before creating the Unix account for
+ compatibility with previous Samba releases */
+ fstrcpy( name2, name );
+ strlower_m( name2 );
+ all_string_sub(add_script, "%u", name2, sizeof(add_script));
add_ret = smbrun(add_script,NULL);
DEBUG(add_ret ? 0 : 3, ("_samr_create_user: Running the command `%s' gave %d\n",
add_script, add_ret));
+ if (add_ret == 0) {
+ smb_nscd_flush_user_cache();
+ }
+
+#ifdef ENABLE_BUILD_FARM_HACKS
+ if (add_ret != 0) {
+ DEBUG(1, ("Creating a faked user %s for build farm "
+ "purposes\n", name));
+ faked_create_user(name);
+ }
+#endif
+
flush_pwnam_cache();
pwd = Get_Pwnam_alloc(tmp_ctx, name);
return NT_STATUS_INTERNAL_ERROR;
}
+ /* Use the username case specified in the original request */
+
+ pdb_set_username( sam_pass, name, PDB_SET );
+
/* Disable the account on creation, it does not have a reasonable password yet. */
acb_info |= ACB_DISABLED;
uint32 *rid)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->create_user(pdb, mem_ctx, name, flags, rid);
}
pstring del_script;
int ret;
+ /* safety check */
+
+ if ( strequal( unix_user, "root" ) ) {
+ DEBUG(0,("smb_delete_user: Refusing to delete local system root account!\n"));
+ return -1;
+ }
+
pstrcpy(del_script, lp_deluser_script());
if (! *del_script)
return -1;
all_string_sub(del_script, "%u", unix_user, sizeof(del_script));
ret = smbrun(del_script,NULL);
flush_pwnam_cache();
+ if (ret == 0) {
+ smb_nscd_flush_user_cache();
+ }
DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
return ret;
struct samu *sam_acct)
{
NTSTATUS status;
+ fstring username;
status = pdb_delete_sam_account(sam_acct);
if (!NT_STATUS_IS_OK(status)) {
* not necessary present and maybe the sysadmin doesn't want to delete
* the unix side
*/
- smb_delete_user( pdb_get_username(sam_acct) );
+
+ /* always lower case the username before handing it off to
+ external scripts */
+
+ fstrcpy( username, pdb_get_username(sam_acct) );
+ strlower_m( username );
+
+ smb_delete_user( username );
return status;
}
NTSTATUS pdb_delete_user(TALLOC_CTX *mem_ctx, struct samu *sam_acct)
{
struct pdb_methods *pdb = pdb_get_methods();
+ uid_t uid = -1;
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
+ /* sanity check to make sure we don't delete root */
+
+ if ( !sid_to_uid( pdb_get_user_sid(sam_acct), &uid ) ) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if ( uid == 0 ) {
+ return NT_STATUS_ACCESS_DENIED;
}
return pdb->delete_user(pdb, mem_ctx, sam_acct);
NTSTATUS pdb_add_sam_account(struct samu *sam_acct)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->add_sam_account(pdb, sam_acct);
}
{
struct pdb_methods *pdb = pdb_get_methods();
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
if (csamuser != NULL) {
TALLOC_FREE(csamuser);
csamuser = NULL;
{
struct pdb_methods *pdb = pdb_get_methods();
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
if (csamuser != NULL) {
TALLOC_FREE(csamuser);
csamuser = NULL;
NTSTATUS pdb_rename_sam_account(struct samu *oldname, const char *newname)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_NOT_IMPLEMENTED;
- }
+ uid_t uid;
+ NTSTATUS status;
if (csamuser != NULL) {
TALLOC_FREE(csamuser);
csamuser = NULL;
}
- return pdb->rename_sam_account(pdb, oldname, newname);
+ /* sanity check to make sure we don't rename root */
+
+ if ( !sid_to_uid( pdb_get_user_sid(oldname), &uid ) ) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if ( uid == 0 ) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ status = pdb->rename_sam_account(pdb, oldname, newname);
+
+ /* always flush the cache here just to be safe */
+ flush_pwnam_cache();
+
+ return status;
}
NTSTATUS pdb_update_login_attempts(struct samu *sam_acct, BOOL success)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
return pdb->update_login_attempts(pdb, sam_acct, success);
}
BOOL pdb_getgrsid(GROUP_MAP *map, DOM_SID sid)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
return NT_STATUS_IS_OK(pdb->getgrsid(pdb, map, sid));
}
BOOL pdb_getgrgid(GROUP_MAP *map, gid_t gid)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
return NT_STATUS_IS_OK(pdb->getgrgid(pdb, map, gid));
}
BOOL pdb_getgrnam(GROUP_MAP *map, const char *name)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
return NT_STATUS_IS_OK(pdb->getgrnam(pdb, map, name));
}
}
if (pdb_rid_algorithm()) {
- *rid = pdb_gid_to_group_rid( grp->gr_gid );
+ *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
} else {
if (!pdb_new_rid(rid)) {
return NT_STATUS_ACCESS_DENIED;
uint32 *rid)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->create_dom_group(pdb, mem_ctx, name, rid);
}
NTSTATUS pdb_delete_dom_group(TALLOC_CTX *mem_ctx, uint32 rid)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->delete_dom_group(pdb, mem_ctx, rid);
}
NTSTATUS pdb_add_group_mapping_entry(GROUP_MAP *map)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->add_group_mapping_entry(pdb, map);
}
NTSTATUS pdb_update_group_mapping_entry(GROUP_MAP *map)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->update_group_mapping_entry(pdb, map);
}
NTSTATUS pdb_delete_group_mapping_entry(DOM_SID sid)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->delete_group_mapping_entry(pdb, sid);
}
-BOOL pdb_enum_group_mapping(const DOM_SID *sid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
+BOOL pdb_enum_group_mapping(const DOM_SID *sid, enum lsa_SidType sid_name_use, GROUP_MAP **pp_rmap,
size_t *p_num_entries, BOOL unix_only)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
pp_rmap, p_num_entries, unix_only));
}
struct pdb_methods *pdb = pdb_get_methods();
NTSTATUS result;
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
result = pdb->enum_group_members(pdb, mem_ctx,
sid, pp_member_rids, p_num_members);
size_t *p_num_groups)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->enum_group_memberships(
pdb, mem_ctx, user,
pp_sids, pp_gids, p_num_groups);
NTSTATUS pdb_set_unix_primary_group(TALLOC_CTX *mem_ctx, struct samu *user)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->set_unix_primary_group(pdb, mem_ctx, user);
}
uint32 member_rid)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->add_groupmem(pdb, mem_ctx, group_rid, member_rid);
}
uint32 member_rid)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->del_groupmem(pdb, mem_ctx, group_rid, member_rid);
}
-BOOL pdb_find_alias(const char *name, DOM_SID *sid)
-{
- struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb->find_alias(pdb,
- name, sid));
-}
-
NTSTATUS pdb_create_alias(const char *name, uint32 *rid)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
return pdb->create_alias(pdb, name, rid);
}
-BOOL pdb_delete_alias(const DOM_SID *sid)
+NTSTATUS pdb_delete_alias(const DOM_SID *sid)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb->delete_alias(pdb,
- sid));
-
+ return pdb->delete_alias(pdb, sid);
}
-BOOL pdb_get_aliasinfo(const DOM_SID *sid, struct acct_info *info)
+NTSTATUS pdb_get_aliasinfo(const DOM_SID *sid, struct acct_info *info)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb->get_aliasinfo(pdb, sid,
- info));
+ return pdb->get_aliasinfo(pdb, sid, info);
}
-BOOL pdb_set_aliasinfo(const DOM_SID *sid, struct acct_info *info)
+NTSTATUS pdb_set_aliasinfo(const DOM_SID *sid, struct acct_info *info)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb->set_aliasinfo(pdb, sid,
- info));
+ return pdb->set_aliasinfo(pdb, sid, info);
}
NTSTATUS pdb_add_aliasmem(const DOM_SID *alias, const DOM_SID *member)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->add_aliasmem(pdb, alias, member);
}
NTSTATUS pdb_del_aliasmem(const DOM_SID *alias, const DOM_SID *member)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
return pdb->del_aliasmem(pdb, alias, member);
}
DOM_SID **pp_members, size_t *p_num_members)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- return pdb->enum_aliasmem(pdb, alias,
- pp_members, p_num_members);
+ return pdb->enum_aliasmem(pdb, alias, pp_members, p_num_members);
}
NTSTATUS pdb_enum_alias_memberships(TALLOC_CTX *mem_ctx,
size_t *p_num_alias_rids)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
return pdb->enum_alias_memberships(pdb, mem_ctx,
domain_sid,
members, num_members,
int num_rids,
uint32 *rids,
const char **names,
- uint32 *attrs)
+ enum lsa_SidType *attrs)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- return pdb->lookup_rids(pdb, domain_sid,
- num_rids, rids, names, attrs);
+ return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs);
}
+/*
+ * NOTE: pdb_lookup_names is currently (2007-01-12) not used anywhere
+ * in the samba code.
+ * Unlike _lsa_lookup_sids and _samr_lookup_rids, which eventually
+ * also ask pdb_lookup_rids, thus looking up a bunch of rids at a time,
+ * the pdb_ calls _lsa_lookup_names and _samr_lookup_names come
+ * down to are pdb_getsampwnam and pdb_getgrnam instead of
+ * pdb_lookup_names.
+ * But in principle, it the call belongs to the API and might get
+ * used in this context some day.
+ */
+#if 0
NTSTATUS pdb_lookup_names(const DOM_SID *domain_sid,
int num_names,
const char **names,
uint32 *rids,
- uint32 *attrs)
+ enum lsa_SidType *attrs)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- return pdb->lookup_names(pdb, domain_sid,
- num_names, names, rids, attrs);
+ return pdb->lookup_names(pdb, domain_sid, num_names, names, rids, attrs);
}
+#endif
BOOL pdb_get_account_policy(int policy_index, uint32 *value)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb->get_account_policy(pdb, policy_index, value));
+ NTSTATUS status;
+
+ become_root();
+ status = pdb->get_account_policy(pdb, policy_index, value);
+ unbecome_root();
+
+ return NT_STATUS_IS_OK(status);
}
BOOL pdb_set_account_policy(int policy_index, uint32 value)
{
struct pdb_methods *pdb = pdb_get_methods();
+ NTSTATUS status;
- if ( !pdb ) {
- return False;
- }
+ become_root();
+ status = pdb->set_account_policy(pdb, policy_index, value);
+ unbecome_root();
- return NT_STATUS_IS_OK(pdb->set_account_policy(pdb, policy_index, value));
+ return NT_STATUS_IS_OK(status);
}
BOOL pdb_get_seq_num(time_t *seq_num)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
return NT_STATUS_IS_OK(pdb->get_seq_num(pdb, seq_num));
}
BOOL pdb_uid_to_rid(uid_t uid, uint32 *rid)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
return pdb->uid_to_rid(pdb, uid, rid);
}
-BOOL pdb_gid_to_sid(gid_t gid, DOM_SID *sid)
+BOOL pdb_uid_to_sid(uid_t uid, DOM_SID *sid)
{
struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->uid_to_sid(pdb, uid, sid);
+}
- if ( !pdb ) {
- return False;
- }
-
+BOOL pdb_gid_to_sid(gid_t gid, DOM_SID *sid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
return pdb->gid_to_sid(pdb, gid, sid);
}
BOOL pdb_sid_to_id(const DOM_SID *sid, union unid_t *id,
- enum SID_NAME_USE *type)
+ enum lsa_SidType *type)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
return pdb->sid_to_id(pdb, sid, id, type);
}
BOOL pdb_rid_algorithm(void)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
-
return pdb->rid_algorithm(pdb);
}
+/********************************************************************
+ Allocate a new RID from the passdb backend. Verify that it is free
+ by calling lookup_global_sam_rid() to verify that the RID is not
+ in use. This handles servers that have existing users or groups
+ with add RIDs (assigned from previous algorithmic mappings)
+********************************************************************/
+
BOOL pdb_new_rid(uint32 *rid)
{
struct pdb_methods *pdb = pdb_get_methods();
-
- if ( !pdb ) {
- return False;
- }
+ const char *name = NULL;
+ enum lsa_SidType type;
+ uint32 allocated_rid = 0;
+ int i;
+ TALLOC_CTX *ctx;
if (pdb_rid_algorithm()) {
DEBUG(0, ("Trying to allocate a RID when algorithmic RIDs "
return False;
}
- return pdb->new_rid(pdb, rid);
+ if ( (ctx = talloc_init("pdb_new_rid")) == NULL ) {
+ DEBUG(0,("pdb_new_rid: Talloc initialization failure\n"));
+ return False;
+ }
+
+ /* Attempt to get an unused RID (max tires is 250...yes that it is
+ and arbitrary number I pulkled out of my head). -- jerry */
+
+ for ( i=0; allocated_rid==0 && i<250; i++ ) {
+ /* get a new RID */
+
+ if ( !pdb->new_rid(pdb, &allocated_rid) ) {
+ return False;
+ }
+
+ /* validate that the RID is not in use */
+
+ if ( lookup_global_sam_rid( ctx, allocated_rid, &name, &type, NULL ) ) {
+ allocated_rid = 0;
+ }
+ }
+
+ TALLOC_FREE( ctx );
+
+ if ( allocated_rid == 0 ) {
+ DEBUG(0,("pdb_new_rid: Failed to find unused RID\n"));
+ return False;
+ }
+
+ *rid = allocated_rid;
+
+ return True;
}
/***************************************************************
If uninitialised, context will auto-init on first use.
***************************************************************/
-BOOL initialize_password_db(BOOL reload)
-{
+BOOL initialize_password_db(BOOL reload, struct event_context *event_ctx)
+{
+ pdb_event_ctx = event_ctx;
return (pdb_get_methods_reload(reload) != NULL);
}
static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, struct samu *newpwd)
{
- DEBUG(0,("this backend (%s) should not be listed as the first passdb backend! You can't add users to it.\n", methods->name));
return NT_STATUS_NOT_IMPLEMENTED;
}
return NT_STATUS_OK;
}
-static BOOL pdb_default_uid_to_rid(struct pdb_methods *methods, uid_t uid,
- uint32 *rid)
+static BOOL pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid,
+ DOM_SID *sid)
{
struct samu *sampw = NULL;
struct passwd *unix_pw;
return False;
}
- ret = sid_peek_check_rid(get_global_sam_sid(),
- pdb_get_user_sid(sampw), rid);
+ sid_copy(sid, pdb_get_user_sid(sampw));
+
+ TALLOC_FREE(sampw);
+
+ return True;
+}
+
+static BOOL pdb_default_uid_to_rid(struct pdb_methods *methods, uid_t uid,
+ uint32 *rid)
+{
+ DOM_SID sid;
+ BOOL ret;
+
+ ret = pdb_default_uid_to_sid(methods, uid, &sid);
+ if (!ret) {
+ return ret;
+ }
+
+ ret = sid_peek_check_rid(get_global_sam_sid(), &sid, rid);
if (!ret) {
DEBUG(1, ("Could not peek rid out of sid %s\n",
- sid_string_static(pdb_get_user_sid(sampw))));
+ sid_string_static(&sid)));
}
- TALLOC_FREE(sampw);
return ret;
}
static BOOL pdb_default_sid_to_id(struct pdb_methods *methods,
const DOM_SID *sid,
- union unid_t *id, enum SID_NAME_USE *type)
+ union unid_t *id, enum lsa_SidType *type)
{
TALLOC_CTX *mem_ctx;
BOOL ret = False;
goto done;
}
- if (sid_peek_check_rid(&global_sid_Builtin, sid, &rid)) {
+ /* check for "Unix User" */
+
+ if ( sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid) ) {
+ id->uid = rid;
+ *type = SID_NAME_USER;
+ ret = True;
+ goto done;
+ }
+
+ /* check for "Unix Group" */
+
+ if ( sid_peek_check_rid(&global_sid_Unix_Groups, sid, &rid) ) {
+ id->gid = rid;
+ *type = SID_NAME_ALIAS;
+ ret = True;
+ goto done;
+ }
+
+ /* BUILTIN */
+
+ if (sid_check_is_in_builtin(sid) ||
+ sid_check_is_in_wellknown_domain(sid)) {
/* Here we only have aliases */
GROUP_MAP map;
if (!NT_STATUS_IS_OK(methods->getgrsid(methods, &map, *sid))) {
goto done;
}
- DEBUG(5, ("Sid %s is neither ours nor builtin, don't know it\n",
+ DEBUG(5, ("Sid %s is neither ours, a Unix SID, nor builtin\n",
sid_string_static(sid)));
done:
return ret;
}
-static void add_uid_to_array_unique(TALLOC_CTX *mem_ctx,
+static BOOL add_uid_to_array_unique(TALLOC_CTX *mem_ctx,
uid_t uid, uid_t **pp_uids, size_t *p_num)
{
size_t i;
for (i=0; i<*p_num; i++) {
if ((*pp_uids)[i] == uid)
- return;
+ return True;
}
*pp_uids = TALLOC_REALLOC_ARRAY(mem_ctx, *pp_uids, uid_t, *p_num+1);
if (*pp_uids == NULL)
- return;
+ return False;
(*pp_uids)[*p_num] = uid;
*p_num += 1;
+ return True;
}
static BOOL get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, size_t *p_num)
struct group *grp;
char **gr;
struct passwd *pwd;
+ BOOL winbind_env;
+ BOOL ret = False;
*pp_uids = NULL;
*p_num = 0;
/* We only look at our own sam, so don't care about imported stuff */
-
+ winbind_env = winbind_env_set();
winbind_off();
if ((grp = getgrgid(gid)) == NULL) {
- winbind_on();
- return False;
+ /* allow winbindd lookups, but only if they weren't already disabled */
+ goto done;
}
/* Primary group members */
-
setpwent();
while ((pwd = getpwent()) != NULL) {
if (pwd->pw_gid == gid) {
- add_uid_to_array_unique(mem_ctx, pwd->pw_uid,
- pp_uids, p_num);
+ if (!add_uid_to_array_unique(mem_ctx, pwd->pw_uid,
+ pp_uids, p_num)) {
+ goto done;
+ }
}
}
endpwent();
/* Secondary group members */
-
for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
struct passwd *pw = getpwnam(*gr);
if (pw == NULL)
continue;
- add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num);
+ if (!add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num)) {
+ goto done;
+ }
}
- winbind_on();
+ ret = True;
- return True;
+ done:
+
+ /* allow winbindd lookups, but only if they weren't already disabled */
+ if (!winbind_env) {
+ winbind_on();
+ }
+
+ return ret;
}
-NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
- TALLOC_CTX *mem_ctx,
- const DOM_SID *group,
- uint32 **pp_member_rids,
- size_t *p_num_members)
+static NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ const DOM_SID *group,
+ uint32 **pp_member_rids,
+ size_t *p_num_members)
{
gid_t gid;
uid_t *uids;
return NT_STATUS_OK;
}
-NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
- TALLOC_CTX *mem_ctx,
- struct samu *user,
- DOM_SID **pp_sids,
- gid_t **pp_gids,
- size_t *p_num_groups)
+static NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ struct samu *user,
+ DOM_SID **pp_sids,
+ gid_t **pp_gids,
+ size_t *p_num_groups)
{
size_t i;
gid_t gid;
const char *username = pdb_get_username(user);
-#if 0
/* Ignore the primary group SID. Honor the real Unix primary group.
The primary group SID is only of real use to Windows clients */
- if (!sid_to_gid(pdb_get_group_sid(user), &gid)) {
- DEBUG(10, ("sid_to_gid failed\n"));
- return NT_STATUS_NO_SUCH_USER;
- }
-#else
if ( !(pw = getpwnam_alloc(mem_ctx, username)) ) {
return NT_STATUS_NO_SUCH_USER;
}
gid = pw->pw_gid;
TALLOC_FREE( pw );
-#endif
if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) {
return NT_STATUS_NO_SUCH_USER;
static BOOL lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
const char **name,
- enum SID_NAME_USE *psid_name_use,
+ enum lsa_SidType *psid_name_use,
union unid_t *unix_id)
{
struct samu *sam_account = NULL;
unbecome_root(); /* -----> EXIT BECOME_ROOT() */
*name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
+ if (!*name) {
+ TALLOC_FREE(sam_account);
+ return False;
+ }
+
*psid_name_use = SID_NAME_USER;
TALLOC_FREE(sam_account);
return False;
}
-NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
- const DOM_SID *domain_sid,
- int num_rids,
- uint32 *rids,
- const char **names,
- uint32 *attrs)
+static NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
+ const DOM_SID *domain_sid,
+ int num_rids,
+ uint32 *rids,
+ const char **names,
+ enum lsa_SidType *attrs)
{
int i;
NTSTATUS result;
if (lookup_global_sam_rid(names, rids[i], &name, &attrs[i],
NULL)) {
+ if (name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
names[i] = name;
DEBUG(5,("lookup_rids: %s:%d\n", names[i], attrs[i]));
have_mapped = True;
return result;
}
-NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods,
- const DOM_SID *domain_sid,
- int num_names,
- const char **names,
- uint32 *rids,
- uint32 *attrs)
+#if 0
+static NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods,
+ const DOM_SID *domain_sid,
+ int num_names,
+ const char **names,
+ uint32 *rids,
+ enum lsa_SidType *attrs)
{
int i;
NTSTATUS result;
return result;
}
+#endif
static struct pdb_search *pdb_search_init(enum pdb_search_type type)
{
static BOOL next_entry_users(struct pdb_search *s,
struct samr_displayentry *entry)
{
- struct user_search *state = s->private_data;
+ struct user_search *state = (struct user_search *)s->private_data;
struct samu *user = NULL;
next:
static BOOL next_entry_groups(struct pdb_search *s,
struct samr_displayentry *entry)
{
- struct group_search *state = s->private_data;
+ struct group_search *state = (struct group_search *)s->private_data;
uint32 rid;
GROUP_MAP *map = &state->groups[state->current_group];
static void search_end_groups(struct pdb_search *search)
{
- struct group_search *state = search->private_data;
+ struct group_search *state =
+ (struct group_search *)search->private_data;
SAFE_FREE(state->groups);
}
static BOOL pdb_search_grouptype(struct pdb_search *search,
- const DOM_SID *sid, enum SID_NAME_USE type)
+ const DOM_SID *sid, enum lsa_SidType type)
{
struct group_search *state;
struct pdb_methods *pdb = pdb_get_methods();
struct pdb_search *result;
- if (pdb == NULL) return NULL;
-
result = pdb_search_init(PDB_USER_SEARCH);
- if (result == NULL) return NULL;
+ if (result == NULL) {
+ return NULL;
+ }
if (!pdb->search_users(pdb, result, acct_flags)) {
talloc_destroy(result->mem_ctx);
struct pdb_methods *pdb = pdb_get_methods();
struct pdb_search *result;
- if (pdb == NULL) return NULL;
-
result = pdb_search_init(PDB_GROUP_SEARCH);
- if (result == NULL) return NULL;
+ if (result == NULL) {
+ return NULL;
+ }
if (!pdb->search_groups(pdb, result)) {
talloc_destroy(result->mem_ctx);
talloc_destroy(search->mem_ctx);
}
+/*******************************************************************
+ trustodm methods
+ *******************************************************************/
+
+BOOL pdb_get_trusteddom_pw(const char *domain, char** pwd, DOM_SID *sid,
+ time_t *pass_last_set_time)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
+ pass_last_set_time);
+}
+
+BOOL pdb_set_trusteddom_pw(const char* domain, const char* pwd,
+ const DOM_SID *sid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
+}
+
+BOOL pdb_del_trusteddom_pw(const char *domain)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->del_trusteddom_pw(pdb, domain);
+}
+
+NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32 *num_domains,
+ struct trustdom_info ***domains)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
+}
+
+/*******************************************************************
+ the defaults for trustdom methods:
+ these simply call the original passdb/secrets.c actions,
+ to be replaced by pdb_ldap.
+ *******************************************************************/
+
+static BOOL pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
+ const char *domain,
+ char** pwd,
+ DOM_SID *sid,
+ time_t *pass_last_set_time)
+{
+ return secrets_fetch_trusted_domain_password(domain, pwd,
+ sid, pass_last_set_time);
+
+}
+
+static BOOL pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
+ const char* domain,
+ const char* pwd,
+ const DOM_SID *sid)
+{
+ return secrets_store_trusted_domain_password(domain, pwd, sid);
+}
+
+static BOOL pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
+ const char *domain)
+{
+ return trusted_domain_password_delete(domain);
+}
+
+static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_domains,
+ struct trustdom_info ***domains)
+{
+ return secrets_trusted_domains(mem_ctx, num_domains, domains);
+}
+
/*******************************************************************
Create a pdb_methods structure and initialize it with the default
operations. In this way a passdb module can simply implement
(*methods)->set_unix_primary_group = pdb_default_set_unix_primary_group;
(*methods)->add_groupmem = pdb_default_add_groupmem;
(*methods)->del_groupmem = pdb_default_del_groupmem;
- (*methods)->find_alias = pdb_default_find_alias;
(*methods)->create_alias = pdb_default_create_alias;
(*methods)->delete_alias = pdb_default_delete_alias;
(*methods)->get_aliasinfo = pdb_default_get_aliasinfo;
(*methods)->set_account_policy = pdb_default_set_account_policy;
(*methods)->get_seq_num = pdb_default_get_seq_num;
(*methods)->uid_to_rid = pdb_default_uid_to_rid;
+ (*methods)->uid_to_sid = pdb_default_uid_to_sid;
(*methods)->gid_to_sid = pdb_default_gid_to_sid;
(*methods)->sid_to_id = pdb_default_sid_to_id;
(*methods)->search_groups = pdb_default_search_groups;
(*methods)->search_aliases = pdb_default_search_aliases;
+ (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
+ (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
+ (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
+ (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
+
return NT_STATUS_OK;
}