#include "system/passwd.h"
#include "passdb.h"
#include "secrets.h"
+#include "messages.h"
+#include "serverid.h"
#include "../librpc/gen_ndr/samr.h"
-#include "memcache.h"
+#include "../librpc/gen_ndr/drsblobs.h"
+#include "../librpc/gen_ndr/ndr_drsblobs.h"
+#include "../librpc/gen_ndr/idmap.h"
+#include "../lib/util/memcache.h"
#include "nsswitch/winbind_client.h"
#include "../libcli/security/security.h"
#include "../lib/util/util_pw.h"
+#include "passdb/pdb_secrets.h"
+#include "lib/util_sid_passdb.h"
+#include "idmap_cache.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
if(initialized) {
return;
}
- static_init_pdb;
+ static_init_pdb(NULL);
initialized = True;
}
-static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
+static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
const char **name,
enum lsa_SidType *psid_name_use,
- union unid_t *unix_id);
+ uid_t *uid, gid_t *gid);
NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
{
return NULL;
}
+const struct pdb_init_function_entry *pdb_get_backends(void)
+{
+ return backends;
+}
+
+
/*
* The event context for the passdb backend. I know this is a bad hack and yet
* another static variable, but our pdb API is a global thing per
* smb_idle_event_list that used to exist in lib/module.c. -- VL
*/
-static struct event_context *pdb_event_ctx;
+static struct tevent_context *pdb_tevent_ctx;
-struct event_context *pdb_get_event_context(void)
+struct tevent_context *pdb_get_tevent_context(void)
{
- return pdb_event_ctx;
+ return pdb_tevent_ctx;
}
/******************************************************************
static struct pdb_methods *pdb = NULL;
if ( pdb && reload ) {
- pdb->free_private_data( &(pdb->private_data) );
+ if (pdb->free_private_data != NULL) {
+ pdb->free_private_data( &(pdb->private_data) );
+ }
if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
- char *msg = NULL;
- if (asprintf(&msg, "pdb_get_methods_reload: "
- "failed to get pdb methods for backend %s\n",
- lp_passdb_backend()) > 0) {
- smb_panic(msg);
- } else {
- smb_panic("pdb_get_methods_reload");
- }
+ return NULL;
}
}
if ( !pdb ) {
if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
- char *msg = NULL;
- if (asprintf(&msg, "pdb_get_methods_reload: "
- "failed to get pdb methods for backend %s\n",
- lp_passdb_backend()) > 0) {
- smb_panic(msg);
- } else {
- smb_panic("pdb_get_methods_reload");
- }
+ return NULL;
}
}
static struct pdb_methods *pdb_get_methods(void)
{
- return pdb_get_methods_reload(False);
+ struct pdb_methods *pdb;
+
+ pdb = pdb_get_methods_reload(false);
+ if (!pdb) {
+ char *msg = NULL;
+ if (asprintf(&msg, "pdb_get_methods: "
+ "failed to get pdb methods for backend %s\n",
+ lp_passdb_backend()) > 0) {
+ smb_panic(msg);
+ } else {
+ smb_panic("pdb_get_methods");
+ }
+ }
+
+ return pdb;
}
struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX *mem_ctx)
{
struct passwd *pwd;
NTSTATUS result;
- const char *guestname = lp_guestaccount();
+ const char *guestname = lp_guest_account();
pwd = Get_Pwnam_alloc(talloc_tos(), guestname);
if (pwd == NULL) {
fstring name2;
if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] != '$') {
- add_script = talloc_strdup(tmp_ctx,
- lp_adduser_script());
+ add_script = lp_add_user_script(tmp_ctx);
} else {
- add_script = talloc_strdup(tmp_ctx,
- lp_addmachine_script());
+ add_script = lp_add_machine_script(tmp_ctx);
}
if (!add_script || add_script[0] == '\0') {
/* lowercase the username before creating the Unix account for
compatibility with previous Samba releases */
fstrcpy( name2, name );
- strlower_m( name2 );
+ if (!strlower_m( name2 )) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
add_script = talloc_all_string_sub(tmp_ctx,
add_script,
"%u",
if (!add_script) {
return NT_STATUS_NO_MEMORY;
}
- add_ret = smbrun(add_script,NULL);
+ add_ret = smbrun(add_script, NULL, NULL);
DEBUG(add_ret ? 0 : 3, ("_samr_create_user: Running the command `%s' gave %d\n",
add_script, add_ret));
if (add_ret == 0) {
/* we have a valid SID coming out of this call */
- status = samu_alloc_rid_unix( sam_pass, pwd );
+ status = samu_alloc_rid_unix(methods, sam_pass, pwd);
TALLOC_FREE( pwd );
pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
- status = pdb_add_sam_account(sam_pass);
+ status = methods->add_sam_account(methods, sam_pass);
TALLOC_FREE(sam_pass);
return -1;
}
- del_script = talloc_strdup(talloc_tos(), lp_deluser_script());
+ del_script = lp_delete_user_script(talloc_tos());
if (!del_script || !*del_script) {
return -1;
}
if (!del_script) {
return -1;
}
- ret = smbrun(del_script,NULL);
+ ret = smbrun(del_script, NULL, NULL);
flush_pwnam_cache();
if (ret == 0) {
smb_nscd_flush_user_cache();
NTSTATUS status;
fstring username;
- status = pdb_delete_sam_account(sam_acct);
+ status = methods->delete_sam_account(methods, sam_acct);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
external scripts */
fstrcpy( username, pdb_get_username(sam_acct) );
- strlower_m( username );
+ if (!strlower_m( username )) {
+ return status;
+ }
smb_delete_user( username );
{
struct pdb_methods *pdb = pdb_get_methods();
uid_t uid = -1;
+ NTSTATUS status;
+ const struct dom_sid *user_sid;
+ char *msg_data;
+
+ user_sid = pdb_get_user_sid(sam_acct);
/* sanity check to make sure we don't delete root */
- if ( !sid_to_uid( pdb_get_user_sid(sam_acct), &uid ) ) {
+ if ( !sid_to_uid(user_sid, &uid ) ) {
return NT_STATUS_NO_SUCH_USER;
}
return NT_STATUS_ACCESS_DENIED;
}
- return pdb->delete_user(pdb, mem_ctx, sam_acct);
+ memcache_delete(NULL,
+ PDB_GETPWSID_CACHE,
+ data_blob_const(user_sid, sizeof(*user_sid)));
+
+ status = pdb->delete_user(pdb, mem_ctx, sam_acct);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ msg_data = talloc_asprintf(mem_ctx, "USER %s",
+ pdb_get_username(sam_acct));
+ if (!msg_data) {
+ /* not fatal, and too late to rollback,
+ * just return */
+ return status;
+ }
+ messaging_send_all(server_messaging_context(),
+ ID_CACHE_DELETE,
+ msg_data,
+ strlen(msg_data) + 1);
+
+ TALLOC_FREE(msg_data);
+ return status;
}
NTSTATUS pdb_add_sam_account(struct samu *sam_acct)
NTSTATUS pdb_delete_sam_account(struct samu *sam_acct)
{
struct pdb_methods *pdb = pdb_get_methods();
+ const struct dom_sid *user_sid = pdb_get_user_sid(sam_acct);
- memcache_flush(NULL, PDB_GETPWSID_CACHE);
+ memcache_delete(NULL,
+ PDB_GETPWSID_CACHE,
+ data_blob_const(user_sid, sizeof(*user_sid)));
return pdb->delete_sam_account(pdb, sam_acct);
}
uint32_t rid)
{
struct dom_sid group_sid;
- GROUP_MAP map;
+ GROUP_MAP *map;
NTSTATUS status;
struct group *grp;
const char *grp_name;
+ map = talloc_zero(mem_ctx, GROUP_MAP);
+ if (!map) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
/* coverity */
- map.gid = (gid_t) -1;
+ map->gid = (gid_t) -1;
sid_compose(&group_sid, get_global_sam_sid(), rid);
- if (!get_domain_group_from_sid(group_sid, &map)) {
+ if (!get_domain_group_from_sid(group_sid, map)) {
DEBUG(10, ("Could not find group for rid %d\n", rid));
return NT_STATUS_NO_SUCH_GROUP;
}
/* We need the group name for the smb_delete_group later on */
- if (map.gid == (gid_t)-1) {
+ if (map->gid == (gid_t)-1) {
return NT_STATUS_NO_SUCH_GROUP;
}
- grp = getgrgid(map.gid);
+ grp = getgrgid(map->gid);
if (grp == NULL) {
return NT_STATUS_NO_SUCH_GROUP;
}
+ TALLOC_FREE(map);
+
/* Copy the name, no idea what pdb_delete_group_mapping_entry does.. */
grp_name = talloc_strdup(mem_ctx, grp->gr_name);
return pdb->delete_group_mapping_entry(pdb, sid);
}
-bool pdb_enum_group_mapping(const struct dom_sid *sid, enum lsa_SidType sid_name_use, GROUP_MAP **pp_rmap,
- size_t *p_num_entries, bool unix_only)
+bool pdb_enum_group_mapping(const struct dom_sid *sid,
+ enum lsa_SidType sid_name_use,
+ GROUP_MAP ***pp_rmap,
+ size_t *p_num_entries,
+ bool unix_only)
{
struct pdb_methods *pdb = pdb_get_methods();
return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
{
struct dom_sid group_sid, member_sid;
struct samu *account = NULL;
- GROUP_MAP map;
+ GROUP_MAP *map;
struct group *grp;
struct passwd *pwd;
const char *group_name;
uid_t uid;
+ map = talloc_zero(mem_ctx, GROUP_MAP);
+ if (!map) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
/* coverity */
- map.gid = (gid_t) -1;
+ map->gid = (gid_t) -1;
sid_compose(&group_sid, get_global_sam_sid(), group_rid);
sid_compose(&member_sid, get_global_sam_sid(), member_rid);
- if (!get_domain_group_from_sid(group_sid, &map) ||
- (map.gid == (gid_t)-1) ||
- ((grp = getgrgid(map.gid)) == NULL)) {
+ if (!get_domain_group_from_sid(group_sid, map) ||
+ (map->gid == (gid_t)-1) ||
+ ((grp = getgrgid(map->gid)) == NULL)) {
return NT_STATUS_NO_SUCH_GROUP;
}
+ TALLOC_FREE(map);
+
group_name = talloc_strdup(mem_ctx, grp->gr_name);
if (group_name == NULL) {
return NT_STATUS_NO_MEMORY;
{
struct dom_sid group_sid, member_sid;
struct samu *account = NULL;
- GROUP_MAP map;
+ GROUP_MAP *map;
struct group *grp;
struct passwd *pwd;
const char *group_name;
uid_t uid;
+ map = talloc_zero(mem_ctx, GROUP_MAP);
+ if (!map) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
sid_compose(&group_sid, get_global_sam_sid(), group_rid);
sid_compose(&member_sid, get_global_sam_sid(), member_rid);
- if (!get_domain_group_from_sid(group_sid, &map) ||
- (map.gid == (gid_t)-1) ||
- ((grp = getgrgid(map.gid)) == NULL)) {
+ if (!get_domain_group_from_sid(group_sid, map) ||
+ (map->gid == (gid_t)-1) ||
+ ((grp = getgrgid(map->gid)) == NULL)) {
return NT_STATUS_NO_SUCH_GROUP;
}
+ TALLOC_FREE(map);
+
group_name = talloc_strdup(mem_ctx, grp->gr_name);
if (group_name == NULL) {
return NT_STATUS_NO_MEMORY;
return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs);
}
-/*
- * NOTE: pdb_lookup_names is currently (2007-01-12) not used anywhere
- * in the samba code.
- * Unlike _lsa_lookup_sids and _samr_lookup_rids, which eventually
- * also ask pdb_lookup_rids, thus looking up a bunch of rids at a time,
- * the pdb_ calls _lsa_lookup_names and _samr_lookup_names come
- * down to are pdb_getsampwnam and pdb_getgrnam instead of
- * pdb_lookup_names.
- * But in principle, it the call belongs to the API and might get
- * used in this context some day.
- */
-#if 0
-NTSTATUS pdb_lookup_names(const struct dom_sid *domain_sid,
- int num_names,
- const char **names,
- uint32_t *rids,
- enum lsa_SidType *attrs)
-{
- struct pdb_methods *pdb = pdb_get_methods();
- return pdb->lookup_names(pdb, domain_sid, num_names, names, rids, attrs);
-}
-#endif
-
bool pdb_get_account_policy(enum pdb_policy_type type, uint32_t *value)
{
struct pdb_methods *pdb = pdb_get_methods();
return NT_STATUS_IS_OK(pdb->get_seq_num(pdb, seq_num));
}
-bool pdb_uid_to_sid(uid_t uid, struct dom_sid *sid)
+/*
+ * Instead of passing down a gid or uid, this function sends down a pointer
+ * to a unixid.
+ *
+ * This acts as an in-out variable so that the idmap functions can correctly
+ * receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing
+ * the cache to store ID_TYPE_UID or ID_TYPE_GID.
+ */
+bool pdb_id_to_sid(struct unixid *id, struct dom_sid *sid)
{
struct pdb_methods *pdb = pdb_get_methods();
- return pdb->uid_to_sid(pdb, uid, sid);
-}
+ bool ret;
-bool pdb_gid_to_sid(gid_t gid, struct dom_sid *sid)
-{
- struct pdb_methods *pdb = pdb_get_methods();
- return pdb->gid_to_sid(pdb, gid, sid);
+ ret = pdb->id_to_sid(pdb, id, sid);
+
+ if (ret) {
+ idmap_cache_set_sid2unixid(sid, id);
+ }
+
+ return ret;
}
-bool pdb_sid_to_id(const struct dom_sid *sid, union unid_t *id,
- enum lsa_SidType *type)
+bool pdb_sid_to_id(const struct dom_sid *sid, struct unixid *id)
{
struct pdb_methods *pdb = pdb_get_methods();
- return pdb->sid_to_id(pdb, sid, id, type);
+ bool ret;
+
+ /* only ask the backend if it is responsible */
+ if (!sid_check_object_is_for_passdb(sid)) {
+ return false;
+ }
+
+ ret = pdb->sid_to_id(pdb, sid, id);
+
+ if (ret == true) {
+ idmap_cache_set_sid2unixid(sid, id);
+ }
+
+ return ret;
}
uint32_t pdb_capabilities(void)
/* validate that the RID is not in use */
- if ( lookup_global_sam_rid( ctx, allocated_rid, &name, &type, NULL ) ) {
+ if (lookup_global_sam_rid(ctx, allocated_rid, &name, &type, NULL, NULL)) {
allocated_rid = 0;
}
}
If uninitialised, context will auto-init on first use.
***************************************************************/
-bool initialize_password_db(bool reload, struct event_context *event_ctx)
+bool initialize_password_db(bool reload, struct tevent_context *tevent_ctx)
{
- pdb_event_ctx = event_ctx;
+ if (tevent_ctx) {
+ pdb_tevent_ctx = tevent_ctx;
+ }
return (pdb_get_methods_reload(reload) != NULL);
}
-
/***************************************************************************
Default implementations of some functions.
****************************************************************************/
struct passwd *unix_pw;
bool ret;
- unix_pw = sys_getpwuid( uid );
+ unix_pw = getpwuid( uid );
if ( !unix_pw ) {
DEBUG(4,("pdb_default_uid_to_sid: host has no idea of uid "
static bool pdb_default_gid_to_sid(struct pdb_methods *methods, gid_t gid,
struct dom_sid *sid)
{
- GROUP_MAP map;
+ GROUP_MAP *map;
- if (!NT_STATUS_IS_OK(methods->getgrgid(methods, &map, gid))) {
- return False;
+ map = talloc_zero(NULL, GROUP_MAP);
+ if (!map) {
+ return false;
}
- sid_copy(sid, &map.sid);
- return True;
+ if (!NT_STATUS_IS_OK(methods->getgrgid(methods, map, gid))) {
+ TALLOC_FREE(map);
+ return false;
+ }
+
+ sid_copy(sid, &map->sid);
+ TALLOC_FREE(map);
+ return true;
+}
+
+static bool pdb_default_id_to_sid(struct pdb_methods *methods, struct unixid *id,
+ struct dom_sid *sid)
+{
+ switch (id->type) {
+ case ID_TYPE_UID:
+ return pdb_default_uid_to_sid(methods, id->id, sid);
+
+ case ID_TYPE_GID:
+ return pdb_default_gid_to_sid(methods, id->id, sid);
+
+ default:
+ return false;
+ }
+}
+/**
+ * The "Unix User" and "Unix Group" domains have a special
+ * id mapping that is a rid-algorithm with range starting at 0.
+ */
+bool pdb_sid_to_id_unix_users_and_groups(const struct dom_sid *sid,
+ struct unixid *id)
+{
+ uint32_t rid;
+
+ id->id = -1;
+
+ if (sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid)) {
+ id->id = rid;
+ id->type = ID_TYPE_UID;
+ return true;
+ }
+
+ if (sid_peek_check_rid(&global_sid_Unix_Groups, sid, &rid)) {
+ id->id = rid;
+ id->type = ID_TYPE_GID;
+ return true;
+ }
+
+ return false;
}
static bool pdb_default_sid_to_id(struct pdb_methods *methods,
const struct dom_sid *sid,
- union unid_t *id, enum lsa_SidType *type)
+ struct unixid *id)
{
TALLOC_CTX *mem_ctx;
bool ret = False;
- const char *name;
uint32_t rid;
+ id->id = -1;
mem_ctx = talloc_new(NULL);
}
if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
+ const char *name;
+ enum lsa_SidType type;
+ uid_t uid = (uid_t)-1;
+ gid_t gid = (gid_t)-1;
/* Here we might have users as well as groups and aliases */
- ret = lookup_global_sam_rid(mem_ctx, rid, &name, type, id);
+ ret = lookup_global_sam_rid(mem_ctx, rid, &name, &type, &uid, &gid);
+ if (ret) {
+ switch (type) {
+ case SID_NAME_DOM_GRP:
+ case SID_NAME_ALIAS:
+ id->type = ID_TYPE_GID;
+ id->id = gid;
+ break;
+ case SID_NAME_USER:
+ id->type = ID_TYPE_UID;
+ id->id = uid;
+ break;
+ default:
+ DEBUG(5, ("SID %s belongs to our domain, and "
+ "an object exists in the database, "
+ "but it is neither a user nor a "
+ "group (got type %d).\n",
+ sid_string_dbg(sid), type));
+ ret = false;
+ }
+ } else {
+ DEBUG(5, ("SID %s belongs to our domain, but there is "
+ "no corresponding object in the database.\n",
+ sid_string_dbg(sid)));
+ }
goto done;
}
- /* check for "Unix User" */
-
- if ( sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid) ) {
- id->uid = rid;
- *type = SID_NAME_USER;
- ret = True;
- goto done;
- }
-
- /* check for "Unix Group" */
-
- if ( sid_peek_check_rid(&global_sid_Unix_Groups, sid, &rid) ) {
- id->gid = rid;
- *type = SID_NAME_ALIAS;
- ret = True;
- goto done;
+ /*
+ * "Unix User" and "Unix Group"
+ */
+ ret = pdb_sid_to_id_unix_users_and_groups(sid, id);
+ if (ret == true) {
+ goto done;
}
/* BUILTIN */
if (sid_check_is_in_builtin(sid) ||
sid_check_is_in_wellknown_domain(sid)) {
/* Here we only have aliases */
- GROUP_MAP map;
- if (!NT_STATUS_IS_OK(methods->getgrsid(methods, &map, *sid))) {
+ GROUP_MAP *map;
+
+ map = talloc_zero(mem_ctx, GROUP_MAP);
+ if (!map) {
+ ret = false;
+ goto done;
+ }
+
+ if (!NT_STATUS_IS_OK(methods->getgrsid(methods, map, *sid))) {
DEBUG(10, ("Could not find map for sid %s\n",
sid_string_dbg(sid)));
goto done;
}
- if ((map.sid_name_use != SID_NAME_ALIAS) &&
- (map.sid_name_use != SID_NAME_WKN_GRP)) {
+ if ((map->sid_name_use != SID_NAME_ALIAS) &&
+ (map->sid_name_use != SID_NAME_WKN_GRP)) {
DEBUG(10, ("Map for sid %s is a %s, expected an "
"alias\n", sid_string_dbg(sid),
- sid_type_lookup(map.sid_name_use)));
+ sid_type_lookup(map->sid_name_use)));
goto done;
}
- id->gid = map.gid;
- *type = SID_NAME_ALIAS;
+ id->id = map->gid;
+ id->type = ID_TYPE_GID;
ret = True;
goto done;
}
if (num_uids == 0)
return NT_STATUS_OK;
- *pp_member_rids = TALLOC_ZERO_ARRAY(mem_ctx, uint32_t, num_uids);
+ *pp_member_rids = talloc_zero_array(mem_ctx, uint32_t, num_uids);
for (i=0; i<num_uids; i++) {
struct dom_sid sid;
uid_to_sid(&sid, uids[i]);
- if (!sid_check_is_in_our_domain(&sid)) {
+ if (!sid_check_is_in_our_sam(&sid)) {
DEBUG(5, ("Inconsistent SAM -- group member uid not "
"in our domain\n"));
continue;
smb_panic("primary group missing");
}
- *pp_sids = TALLOC_ARRAY(mem_ctx, struct dom_sid, *p_num_groups);
+ *pp_sids = talloc_array(mem_ctx, struct dom_sid, *p_num_groups);
if (*pp_sids == NULL) {
TALLOC_FREE(*pp_gids);
static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
const char **name,
enum lsa_SidType *psid_name_use,
- union unid_t *unix_id)
+ uid_t *uid, gid_t *gid)
{
struct samu *sam_account = NULL;
- GROUP_MAP map;
+ GROUP_MAP *map = NULL;
bool ret;
struct dom_sid sid;
return False;
}
+ map = talloc_zero(mem_ctx, GROUP_MAP);
+ if (!map) {
+ return false;
+ }
+
/* BEING ROOT BLOCK */
become_root();
- if (pdb_getsampwsid(sam_account, &sid)) {
+ ret = pdb_getsampwsid(sam_account, &sid);
+ if (!ret) {
+ TALLOC_FREE(sam_account);
+ ret = pdb_getgrsid(map, sid);
+ }
+ unbecome_root();
+ /* END BECOME_ROOT BLOCK */
+
+ if (sam_account || !ret) {
+ TALLOC_FREE(map);
+ }
+
+ if (sam_account) {
struct passwd *pw;
- unbecome_root(); /* -----> EXIT BECOME_ROOT() */
*name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
if (!*name) {
TALLOC_FREE(sam_account);
TALLOC_FREE(sam_account);
- if (unix_id == NULL) {
+ if (uid == NULL) {
return True;
}
if (pw == NULL) {
return False;
}
- unix_id->uid = pw->pw_uid;
+ *uid = pw->pw_uid;
TALLOC_FREE(pw);
return True;
- }
- TALLOC_FREE(sam_account);
- ret = pdb_getgrsid(&map, sid);
- unbecome_root();
- /* END BECOME_ROOT BLOCK */
+ } else if (map && (map->gid != (gid_t)-1)) {
- /* do not resolve SIDs to a name unless there is a valid
- gid associated with it */
+ /* do not resolve SIDs to a name unless there is a valid
+ gid associated with it */
- if ( ret && (map.gid != (gid_t)-1) ) {
- *name = talloc_strdup(mem_ctx, map.nt_name);
- *psid_name_use = map.sid_name_use;
+ *name = talloc_steal(mem_ctx, map->nt_name);
+ *psid_name_use = map->sid_name_use;
- if ( unix_id ) {
- unix_id->gid = map.gid;
+ if (gid) {
+ *gid = map->gid;
}
+ TALLOC_FREE(map);
return True;
}
+ TALLOC_FREE(map);
+
/* Windows will always map RID 513 to something. On a non-domain
controller, this gets mapped to SERVER\None. */
- if ( unix_id ) {
+ if (uid || gid) {
DEBUG(5, ("Can't find a unix id for an unmapped group\n"));
return False;
}
}
/* Should not happen, but better check once too many */
- if (!sid_check_is_domain(domain_sid)) {
+ if (!sid_check_is_our_sam(domain_sid)) {
return NT_STATUS_INVALID_HANDLE;
}
const char *name;
if (lookup_global_sam_rid(names, rids[i], &name, &attrs[i],
- NULL)) {
+ NULL, NULL)) {
if (name == NULL) {
return NT_STATUS_NO_MEMORY;
}
return result;
}
-#if 0
-static NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods,
- const struct dom_sid *domain_sid,
- int num_names,
- const char **names,
- uint32_t *rids,
- enum lsa_SidType *attrs)
-{
- int i;
- NTSTATUS result;
- bool have_mapped = False;
- bool have_unmapped = False;
-
- if (sid_check_is_builtin(domain_sid)) {
-
- for (i=0; i<num_names; i++) {
- uint32_t rid;
-
- if (lookup_builtin_name(names[i], &rid)) {
- attrs[i] = SID_NAME_ALIAS;
- rids[i] = rid;
- DEBUG(5,("lookup_rids: %s:%d\n",
- names[i], attrs[i]));
- have_mapped = True;
- } else {
- have_unmapped = True;
- attrs[i] = SID_NAME_UNKNOWN;
- }
- }
- goto done;
- }
-
- /* Should not happen, but better check once too many */
- if (!sid_check_is_domain(domain_sid)) {
- return NT_STATUS_INVALID_HANDLE;
- }
-
- for (i = 0; i < num_names; i++) {
- if (lookup_global_sam_name(names[i], 0, &rids[i], &attrs[i])) {
- DEBUG(5,("lookup_names: %s-> %d:%d\n", names[i],
- rids[i], attrs[i]));
- have_mapped = True;
- } else {
- have_unmapped = True;
- attrs[i] = SID_NAME_UNKNOWN;
- }
- }
-
- done:
-
- result = NT_STATUS_NONE_MAPPED;
-
- if (have_mapped)
- result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
-
- return result;
-}
-#endif
-
static int pdb_search_destructor(struct pdb_search *search)
{
if ((!search->search_ended) && (search->search_end != NULL)) {
}
struct group_search {
- GROUP_MAP *groups;
+ GROUP_MAP **groups;
size_t num_groups, current_group;
};
{
struct group_search *state = (struct group_search *)s->private_data;
uint32_t rid;
- GROUP_MAP *map = &state->groups[state->current_group];
+ GROUP_MAP *map;
if (state->current_group == state->num_groups)
return False;
+ map = state->groups[state->current_group];
+
sid_peek_rid(&map->sid, &rid);
fill_displayentry(s, rid, 0, map->nt_name, NULL, map->comment, entry);
{
struct group_search *state =
(struct group_search *)search->private_data;
- SAFE_FREE(state->groups);
+ TALLOC_FREE(state->groups);
}
-static bool pdb_search_grouptype(struct pdb_search *search,
+static bool pdb_search_grouptype(struct pdb_methods *methods,
+ struct pdb_search *search,
const struct dom_sid *sid, enum lsa_SidType type)
{
struct group_search *state;
- state = talloc(search, struct group_search);
+ state = talloc_zero(search, struct group_search);
if (state == NULL) {
DEBUG(0, ("talloc failed\n"));
return False;
}
- if (!pdb_enum_group_mapping(sid, type, &state->groups, &state->num_groups,
- True)) {
+ if (!NT_STATUS_IS_OK(methods->enum_group_mapping(methods, sid, type,
+ &state->groups, &state->num_groups,
+ True))) {
DEBUG(0, ("Could not enum groups\n"));
return False;
}
static bool pdb_default_search_groups(struct pdb_methods *methods,
struct pdb_search *search)
{
- return pdb_search_grouptype(search, get_global_sam_sid(), SID_NAME_DOM_GRP);
+ return pdb_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
}
static bool pdb_default_search_aliases(struct pdb_methods *methods,
const struct dom_sid *sid)
{
- return pdb_search_grouptype(search, sid, SID_NAME_ALIAS);
+ return pdb_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
}
static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
pass_last_set_time);
}
+NTSTATUS pdb_get_trusteddom_creds(const char *domain, TALLOC_CTX *mem_ctx,
+ struct cli_credentials **creds)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_trusteddom_creds(pdb, domain, mem_ctx, creds);
+}
+
bool pdb_set_trusteddom_pw(const char* domain, const char* pwd,
const struct dom_sid *sid)
{
}
+static NTSTATUS pdb_default_get_trusteddom_creds(struct pdb_methods *methods,
+ const char *domain,
+ TALLOC_CTX *mem_ctx,
+ struct cli_credentials **creds)
+{
+ *creds = NULL;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
static bool pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
const char* domain,
const char* pwd,
const char *domain,
struct pdb_trusted_domain **td)
{
- return NT_STATUS_NOT_IMPLEMENTED;
+ struct trustAuthInOutBlob taiob;
+ struct AuthenticationInformation aia;
+ struct pdb_trusted_domain *tdom;
+ enum ndr_err_code ndr_err;
+ time_t last_set_time;
+ char *pwd;
+ bool ok;
+
+ tdom = talloc(mem_ctx, struct pdb_trusted_domain);
+ if (!tdom) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ tdom->domain_name = talloc_strdup(tdom, domain);
+ tdom->netbios_name = talloc_strdup(tdom, domain);
+ if (!tdom->domain_name || !tdom->netbios_name) {
+ talloc_free(tdom);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ tdom->trust_auth_incoming = data_blob_null;
+
+ ok = pdb_get_trusteddom_pw(domain, &pwd, &tdom->security_identifier,
+ &last_set_time);
+ if (!ok) {
+ talloc_free(tdom);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ ZERO_STRUCT(taiob);
+ ZERO_STRUCT(aia);
+ taiob.count = 1;
+ taiob.current.count = 1;
+ taiob.current.array = &aia;
+ unix_to_nt_time(&aia.LastUpdateTime, last_set_time);
+
+ aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
+ aia.AuthInfo.clear.size = strlen(pwd);
+ aia.AuthInfo.clear.password = (uint8_t *)talloc_memdup(tdom, pwd,
+ aia.AuthInfo.clear.size);
+ SAFE_FREE(pwd);
+ if (aia.AuthInfo.clear.password == NULL) {
+ talloc_free(tdom);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ taiob.previous.count = 0;
+ taiob.previous.array = NULL;
+
+ ndr_err = ndr_push_struct_blob(&tdom->trust_auth_outgoing,
+ tdom, &taiob,
+ (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ talloc_free(tdom);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ tdom->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
+ tdom->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
+ tdom->trust_attributes = 0;
+ tdom->trust_forest_trust_info = data_blob_null;
+
+ *td = tdom;
+ return NT_STATUS_OK;
}
static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
return NT_STATUS_NOT_IMPLEMENTED;
}
+#define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
+
static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
const char* domain,
const struct pdb_trusted_domain *td)
{
- return NT_STATUS_NOT_IMPLEMENTED;
+ struct trustAuthInOutBlob taiob;
+ struct AuthenticationInformation *aia;
+ enum ndr_err_code ndr_err;
+ char *pwd;
+ bool ok;
+
+ if (td->trust_attributes != 0 ||
+ td->trust_type != LSA_TRUST_TYPE_DOWNLEVEL ||
+ td->trust_direction != LSA_TRUST_DIRECTION_OUTBOUND ||
+ !IS_NULL_DATA_BLOB(td->trust_auth_incoming) ||
+ !IS_NULL_DATA_BLOB(td->trust_forest_trust_info)) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ ZERO_STRUCT(taiob);
+ ndr_err = ndr_pull_struct_blob(&td->trust_auth_outgoing, talloc_tos(),
+ &taiob,
+ (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ aia = (struct AuthenticationInformation *) taiob.current.array;
+
+ if (taiob.count != 1 || taiob.current.count != 1 ||
+ taiob.previous.count != 0 ||
+ aia->AuthType != TRUST_AUTH_TYPE_CLEAR) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ pwd = talloc_strndup(talloc_tos(), (char *) aia->AuthInfo.clear.password,
+ aia->AuthInfo.clear.size);
+ if (!pwd) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ok = pdb_set_trusteddom_pw(domain, pwd, &td->security_identifier);
+ if (!ok) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return NT_STATUS_OK;
}
static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
return NULL;
}
+/*****************************************************************
+ UPN suffixes
+ *****************************************************************/
+static NTSTATUS pdb_default_enum_upn_suffixes(struct pdb_methods *pdb,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_suffixes,
+ char ***suffixes)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS pdb_default_set_upn_suffixes(struct pdb_methods *pdb,
+ uint32_t num_suffixes,
+ const char **suffixes)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+NTSTATUS pdb_enum_upn_suffixes(TALLOC_CTX *mem_ctx,
+ uint32_t *num_suffixes,
+ char ***suffixes)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->enum_upn_suffixes(pdb, mem_ctx, num_suffixes, suffixes);
+}
+
+NTSTATUS pdb_set_upn_suffixes(uint32_t num_suffixes,
+ const char **suffixes)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_upn_suffixes(pdb, num_suffixes, suffixes);
+}
+
+/*******************************************************************
+ idmap control methods
+ *******************************************************************/
+static bool pdb_default_is_responsible_for_our_sam(
+ struct pdb_methods *methods)
+{
+ return true;
+}
+
+static bool pdb_default_is_responsible_for_builtin(
+ struct pdb_methods *methods)
+{
+ return true;
+}
+
+static bool pdb_default_is_responsible_for_wellknown(
+ struct pdb_methods *methods)
+{
+ return false;
+}
+
+static bool pdb_default_is_responsible_for_unix_users(
+ struct pdb_methods *methods)
+{
+ return true;
+}
+
+static bool pdb_default_is_responsible_for_unix_groups(
+ struct pdb_methods *methods)
+{
+ return true;
+}
+
+static bool pdb_default_is_responsible_for_everything_else(
+ struct pdb_methods *methods)
+{
+ return false;
+}
+
+bool pdb_is_responsible_for_our_sam(void)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->is_responsible_for_our_sam(pdb);
+}
+
+bool pdb_is_responsible_for_builtin(void)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->is_responsible_for_builtin(pdb);
+}
+
+bool pdb_is_responsible_for_wellknown(void)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->is_responsible_for_wellknown(pdb);
+}
+
+bool pdb_is_responsible_for_unix_users(void)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->is_responsible_for_unix_users(pdb);
+}
+
+bool pdb_is_responsible_for_unix_groups(void)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->is_responsible_for_unix_groups(pdb);
+}
+
+bool pdb_is_responsible_for_everything_else(void)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->is_responsible_for_everything_else(pdb);
+}
+
+/*******************************************************************
+ secret methods
+ *******************************************************************/
+
+NTSTATUS pdb_get_secret(TALLOC_CTX *mem_ctx,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ NTTIME *secret_current_lastchange,
+ DATA_BLOB *secret_old,
+ NTTIME *secret_old_lastchange,
+ struct security_descriptor **sd)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_secret(pdb, mem_ctx, secret_name,
+ secret_current, secret_current_lastchange,
+ secret_old, secret_old_lastchange,
+ sd);
+}
+
+NTSTATUS pdb_set_secret(const char *secret_name,
+ DATA_BLOB *secret_current,
+ DATA_BLOB *secret_old,
+ struct security_descriptor *sd)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_secret(pdb, secret_name,
+ secret_current,
+ secret_old,
+ sd);
+}
+
+NTSTATUS pdb_delete_secret(const char *secret_name)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->delete_secret(pdb, secret_name);
+}
+
+static NTSTATUS pdb_default_get_secret(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ NTTIME *secret_current_lastchange,
+ DATA_BLOB *secret_old,
+ NTTIME *secret_old_lastchange,
+ struct security_descriptor **sd)
+{
+ return lsa_secret_get(mem_ctx, secret_name,
+ secret_current,
+ secret_current_lastchange,
+ secret_old,
+ secret_old_lastchange,
+ sd);
+}
+
+static NTSTATUS pdb_default_set_secret(struct pdb_methods *methods,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ DATA_BLOB *secret_old,
+ struct security_descriptor *sd)
+{
+ return lsa_secret_set(secret_name,
+ secret_current,
+ secret_old,
+ sd);
+}
+
+static NTSTATUS pdb_default_delete_secret(struct pdb_methods *methods,
+ const char *secret_name)
+{
+ return lsa_secret_delete(secret_name);
+}
+
/*******************************************************************
Create a pdb_methods structure and initialize it with the default
operations. In this way a passdb module can simply implement
(*methods)->get_account_policy = pdb_default_get_account_policy;
(*methods)->set_account_policy = pdb_default_set_account_policy;
(*methods)->get_seq_num = pdb_default_get_seq_num;
- (*methods)->uid_to_sid = pdb_default_uid_to_sid;
- (*methods)->gid_to_sid = pdb_default_gid_to_sid;
+ (*methods)->id_to_sid = pdb_default_id_to_sid;
(*methods)->sid_to_id = pdb_default_sid_to_id;
(*methods)->search_groups = pdb_default_search_groups;
(*methods)->search_aliases = pdb_default_search_aliases;
(*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
+ (*methods)->get_trusteddom_creds = pdb_default_get_trusteddom_creds;
(*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
(*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
(*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
(*methods)->del_trusted_domain = pdb_default_del_trusted_domain;
(*methods)->enum_trusted_domains = pdb_default_enum_trusted_domains;
+ (*methods)->get_secret = pdb_default_get_secret;
+ (*methods)->set_secret = pdb_default_set_secret;
+ (*methods)->delete_secret = pdb_default_delete_secret;
+
+ (*methods)->enum_upn_suffixes = pdb_default_enum_upn_suffixes;
+ (*methods)->set_upn_suffixes = pdb_default_set_upn_suffixes;
+
+ (*methods)->is_responsible_for_our_sam =
+ pdb_default_is_responsible_for_our_sam;
+ (*methods)->is_responsible_for_builtin =
+ pdb_default_is_responsible_for_builtin;
+ (*methods)->is_responsible_for_wellknown =
+ pdb_default_is_responsible_for_wellknown;
+ (*methods)->is_responsible_for_unix_users =
+ pdb_default_is_responsible_for_unix_users;
+ (*methods)->is_responsible_for_unix_groups =
+ pdb_default_is_responsible_for_unix_groups;
+ (*methods)->is_responsible_for_everything_else =
+ pdb_default_is_responsible_for_everything_else;
+
return NT_STATUS_OK;
}