-/*
+/*
ldb database library - Samba3 SAM compatibility backend
Copyright (C) Jelmer Vernooij 2005
+ Copyright (C) Martin Kuehl <mkhl@samba.org> 2006
*/
#include "includes.h"
-#include "ldb/modules/ldb_map.h"
#include "ldb/include/ldb.h"
#include "ldb/include/ldb_private.h"
+#include "ldb/include/ldb_errors.h"
+#include "ldb/modules/ldb_map.h"
+#include "system/passwd.h"
-/* FIXME:
+#include "librpc/gen_ndr/ndr_security.h"
+#include "librpc/gen_ndr/ndr_samr.h"
+#include "librpc/ndr/libndr.h"
+#include "libcli/security/security.h"
+#include "libcli/security/proto.h"
+#include "lib/samba3/samba3.h"
+
+/*
* sambaSID -> member (dn!)
- * sambaSIDList -> member (dn!)
- * sambaDomainName -> name
- * sambaTrustPassword
- * sambaUnixIdPool
- * sambaIdmapEntry
- * sambaAccountPolicy
- * sambaSidEntry
+ * sambaSIDList -> member (dn!)
+ * sambaDomainName -> name
+ * sambaTrustPassword
+ * sambaUnixIdPool
+ * sambaIdmapEntry
+ * sambaAccountPolicy
+ * sambaSidEntry
* sambaAcctFlags -> systemFlags ?
* sambaPasswordHistory -> ntPwdHistory*/
/* Not necessary:
* sambaConfig
* sambaShare
- * sambaConfigOption
+ * sambaConfigOption
* sambaNextGroupRid
* sambaNextUserRid
* sambaAlgorithmicRidBase
*/
-/* Not in Samba4:
+/* Not in Samba4:
* sambaKickoffTime
* sambaPwdCanChange
* sambaPwdMustChange
/* In Samba4 but not in Samba3:
*/
-static struct ldb_val convert_sid_rid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
+/* From a sambaPrimaryGroupSID, generate a primaryGroupID (integer) attribute */
+static struct ldb_message_element *generate_primaryGroupID(struct ldb_module *module, TALLOC_CTX *ctx, const char *local_attr, const struct ldb_message *remote)
+{
+ struct ldb_message_element *el;
+ const char *sid = ldb_msg_find_attr_as_string(remote, "sambaPrimaryGroupSID", NULL);
+ const char *p;
+
+ if (!sid)
+ return NULL;
+
+ p = strrchr(sid, '-');
+ if (!p)
+ return NULL;
+
+ el = talloc_zero(ctx, struct ldb_message_element);
+ el->name = talloc_strdup(ctx, "primaryGroupID");
+ el->num_values = 1;
+ el->values = talloc_array(ctx, struct ldb_val, 1);
+ el->values[0].data = (uint8_t *)talloc_strdup(el->values, p+1);
+ el->values[0].length = strlen((char *)el->values[0].data);
+
+ return el;
+}
+
+static void generate_sambaPrimaryGroupSID(struct ldb_module *module, const char *local_attr, const struct ldb_message *local, struct ldb_message *remote_mp, struct ldb_message *remote_fb)
{
- printf("Converting SID TO RID *\n");
+ const struct ldb_val *sidval;
+ char *sidstring;
+ struct dom_sid *sid;
+ NTSTATUS status;
+
+ /* We need the domain, so we get it from the objectSid that we hope is here... */
+ sidval = ldb_msg_find_ldb_val(local, "objectSid");
+
+ if (!sidval)
+ return; /* Sorry, no SID today.. */
+
+ sid = talloc(remote_mp, struct dom_sid);
+ if (sid == NULL) {
+ return;
+ }
+ status = ndr_pull_struct_blob(sidval, sid, sid, (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(sid);
+ return;
+ }
+
+ if (!ldb_msg_find_ldb_val(local, "primaryGroupID"))
+ return; /* Sorry, no SID today.. */
- /* FIXME */
+ sid->num_auths--;
- return ldb_val_dup(ctx, val);
+ sidstring = dom_sid_string(remote_mp, sid);
+ talloc_free(sid);
+ ldb_msg_add_fmt(remote_mp, "sambaPrimaryGroupSID", "%s-%d", sidstring, ldb_msg_find_attr_as_uint(local, "primaryGroupID", 0));
+ talloc_free(sidstring);
}
-static struct ldb_val convert_rid_sid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
+/* Just copy the old value. */
+static struct ldb_val convert_uid_samaccount(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
{
- printf("Converting RID TO SID *\n");
+ struct ldb_val out = data_blob(NULL, 0);
+ ldb_handler_copy(module->ldb, ctx, val, &out);
- /* FIXME */
+ return out;
+}
+
+static struct ldb_val lookup_homedir(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
+{
+ struct passwd *pwd;
+ struct ldb_val retval;
+
+ pwd = getpwnam((char *)val->data);
- return ldb_val_dup(ctx, val);
+ if (!pwd) {
+ ldb_debug(module->ldb, LDB_DEBUG_WARNING, "Unable to lookup '%s' in passwd", (char *)val->data);
+ return *talloc_zero(ctx, struct ldb_val);
+ }
+
+ retval.data = (uint8_t *)talloc_strdup(ctx, pwd->pw_dir);
+ retval.length = strlen((char *)retval.data);
+
+ return retval;
}
-static struct ldb_val convert_unix_id2name(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
+static struct ldb_val lookup_gid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
{
- printf("Converting UNIX ID to name\n");
+ struct passwd *pwd;
+ struct ldb_val retval;
+
+ pwd = getpwnam((char *)val->data);
- /* FIXME */
+ if (!pwd) {
+ return *talloc_zero(ctx, struct ldb_val);
+ }
+
+ retval.data = (uint8_t *)talloc_asprintf(ctx, "%ld", (unsigned long)pwd->pw_gid);
+ retval.length = strlen((char *)retval.data);
- return ldb_val_dup(ctx, val);
+ return retval;
}
-static struct ldb_val convert_unix_name2id(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
+static struct ldb_val lookup_uid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
{
- printf("Converting UNIX name to ID\n");
+ struct passwd *pwd;
+ struct ldb_val retval;
+
+ pwd = getpwnam((char *)val->data);
+
+ if (!pwd) {
+ return *talloc_zero(ctx, struct ldb_val);
+ }
- /* FIXME */
+ retval.data = (uint8_t *)talloc_asprintf(ctx, "%ld", (unsigned long)pwd->pw_uid);
+ retval.length = strlen((char *)retval.data);
- return ldb_val_dup(ctx, val);
+ return retval;
+}
+
+/* Encode a sambaSID to an objectSid. */
+static struct ldb_val encode_sid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
+{
+ struct ldb_val out = data_blob(NULL, 0);
+ struct dom_sid *sid;
+ NTSTATUS status;
+
+ sid = dom_sid_parse_talloc(ctx, (char *)val->data);
+ if (sid == NULL) {
+ return out;
+ }
+
+ status = ndr_push_struct_blob(&out, ctx, sid,
+ (ndr_push_flags_fn_t)ndr_push_dom_sid);
+ talloc_free(sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return out;
+ }
+
+ return out;
+}
+
+/* Decode an objectSid to a sambaSID. */
+static struct ldb_val decode_sid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
+{
+ struct ldb_val out = data_blob(NULL, 0);
+ struct dom_sid *sid;
+ NTSTATUS status;
+
+ sid = talloc(ctx, struct dom_sid);
+ if (sid == NULL) {
+ return out;
+ }
+
+ status = ndr_pull_struct_blob(val, sid, sid,
+ (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ out.data = (uint8_t *)dom_sid_string(ctx, sid);
+ if (out.data == NULL) {
+ goto done;
+ }
+ out.length = strlen((const char *)out.data);
+
+done:
+ talloc_free(sid);
+ return out;
+}
+
+/* Convert 16 bytes to 32 hex digits. */
+static struct ldb_val bin2hex(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
+{
+ struct ldb_val out;
+ struct samr_Password pwd;
+ if (val->length != sizeof(pwd.hash)) {
+ return data_blob(NULL, 0);
+ }
+ memcpy(pwd.hash, val->data, sizeof(pwd.hash));
+ out = data_blob_string_const(smbpasswd_sethexpwd(ctx, &pwd, 0));
+ if (!out.data) {
+ return data_blob(NULL, 0);
+ }
+ return out;
+}
+
+/* Convert 32 hex digits to 16 bytes. */
+static struct ldb_val hex2bin(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
+{
+ struct ldb_val out;
+ struct samr_Password *pwd;
+ pwd = smbpasswd_gethexpwd(ctx, (const char *)val->data);
+ if (!pwd) {
+ return data_blob(NULL, 0);
+ }
+ out = data_blob_talloc(ctx, pwd->hash, sizeof(pwd->hash));
+ return out;
}
const struct ldb_map_objectclass samba3_objectclasses[] = {
- { "group", "sambaGroupMapping" },
- { "user", "sambaSAMAccount" },
- { "domain", "sambaDomain" },
- { NULL, NULL }
+ {
+ .local_name = "user",
+ .remote_name = "posixAccount",
+ .base_classes = { "top", NULL },
+ .musts = { "cn", "uid", "uidNumber", "gidNumber", "homeDirectory", NULL },
+ .mays = { "userPassword", "loginShell", "gecos", "description", NULL },
+ },
+ {
+ .local_name = "group",
+ .remote_name = "posixGroup",
+ .base_classes = { "top", NULL },
+ .musts = { "cn", "gidNumber", NULL },
+ .mays = { "userPassword", "memberUid", "description", NULL },
+ },
+ {
+ .local_name = "group",
+ .remote_name = "sambaGroupMapping",
+ .base_classes = { "top", "posixGroup", NULL },
+ .musts = { "gidNumber", "sambaSID", "sambaGroupType", NULL },
+ .mays = { "displayName", "description", "sambaSIDList", NULL },
+ },
+ {
+ .local_name = "user",
+ .remote_name = "sambaSAMAccount",
+ .base_classes = { "top", "posixAccount", NULL },
+ .musts = { "uid", "sambaSID", NULL },
+ .mays = { "cn", "sambaLMPassword", "sambaNTPassword",
+ "sambaPwdLastSet", "sambaLogonTime", "sambaLogoffTime",
+ "sambaKickoffTime", "sambaPwdCanChange", "sambaPwdMustChange",
+ "sambaAcctFlags", "displayName", "sambaHomePath", "sambaHomeDrive",
+ "sambaLogonScript", "sambaProfilePath", "description", "sambaUserWorkstations",
+ "sambaPrimaryGroupSID", "sambaDomainName", "sambaMungedDial",
+ "sambaBadPasswordCount", "sambaBadPasswordTime",
+ "sambaPasswordHistory", "sambaLogonHours", NULL }
+
+ },
+ {
+ .local_name = "domain",
+ .remote_name = "sambaDomain",
+ .base_classes = { "top", NULL },
+ .musts = { "sambaDomainName", "sambaSID", NULL },
+ .mays = { "sambaNextRid", "sambaNextGroupRid", "sambaNextUserRid", "sambaAlgorithmicRidBase", NULL },
+ },
+ { NULL, NULL }
};
-const struct ldb_map_attribute samba3_attributes[] =
+const struct ldb_map_attribute samba3_attributes[] =
{
/* sambaNextRid -> nextRid */
{
.local_name = "nextRid",
.type = MAP_RENAME,
- .u.rename.remote_name = "sambaNextRid",
+ .u = {
+ .rename = {
+ .remote_name = "sambaNextRid",
+ },
+ },
},
/* sambaBadPasswordTime -> badPasswordtime*/
{
.local_name = "badPasswordTime",
.type = MAP_RENAME,
- .u.rename.remote_name = "sambaBadPasswordTime",
+ .u = {
+ .rename = {
+ .remote_name = "sambaBadPasswordTime",
+ },
+ },
},
/* sambaLMPassword -> lmPwdHash*/
{
- .local_name = "lmPwdHash",
- .type = MAP_RENAME,
- .u.rename.remote_name = "sambaLMPassword",
+ .local_name = "dBCSPwd",
+ .type = MAP_CONVERT,
+ .u = {
+ .convert = {
+ .remote_name = "sambaLMPassword",
+ .convert_local = bin2hex,
+ .convert_remote = hex2bin,
+ },
+ },
},
/* sambaGroupType -> groupType */
{
.local_name = "groupType",
.type = MAP_RENAME,
- .u.rename.remote_name = "sambaGroupType",
+ .u = {
+ .rename = {
+ .remote_name = "sambaGroupType",
+ },
+ },
},
/* sambaNTPassword -> ntPwdHash*/
{
- .local_name = "badPwdCount",
- .type = MAP_RENAME,
- .u.rename.remote_name = "sambaNTPassword",
+ .local_name = "ntpwdhash",
+ .type = MAP_CONVERT,
+ .u = {
+ .convert = {
+ .remote_name = "sambaNTPassword",
+ .convert_local = bin2hex,
+ .convert_remote = hex2bin,
+ },
+ },
},
/* sambaPrimaryGroupSID -> primaryGroupID */
{
.local_name = "primaryGroupID",
- .type = MAP_CONVERT,
- .u.convert.remote_name = "sambaPrimaryGroupSID",
- .u.convert.convert_local = convert_rid_sid,
- .u.convert.convert_remote = convert_sid_rid,
+ .type = MAP_GENERATE,
+ .u = {
+ .generate = {
+ .remote_names = { "sambaPrimaryGroupSID", NULL },
+ .generate_local = generate_primaryGroupID,
+ .generate_remote = generate_sambaPrimaryGroupSID,
+ },
+ },
},
/* sambaBadPasswordCount -> badPwdCount */
{
.local_name = "badPwdCount",
.type = MAP_RENAME,
- .u.rename.remote_name = "sambaBadPasswordCount",
+ .u = {
+ .rename = {
+ .remote_name = "sambaBadPasswordCount",
+ },
+ },
},
/* sambaLogonTime -> lastLogon*/
{
.local_name = "lastLogon",
.type = MAP_RENAME,
- .u.rename.remote_name = "sambaLogonTime",
+ .u = {
+ .rename = {
+ .remote_name = "sambaLogonTime",
+ },
+ },
},
/* sambaLogoffTime -> lastLogoff*/
{
.local_name = "lastLogoff",
.type = MAP_RENAME,
- .u.rename.remote_name = "sambaLogoffTime",
- },
-
- /* gidNumber -> unixName */
- {
- .local_name = "unixName",
- .type = MAP_CONVERT,
- .u.convert.remote_name = "gidNumber",
- .u.convert.convert_local = convert_unix_name2id,
- .u.convert.convert_remote = convert_unix_id2name,
+ .u = {
+ .rename = {
+ .remote_name = "sambaLogoffTime",
+ },
+ },
},
/* uid -> unixName */
{
.local_name = "unixName",
.type = MAP_RENAME,
- .u.convert.remote_name = "uid",
+ .u = {
+ .rename = {
+ .remote_name = "uid",
+ },
+ },
},
/* displayName -> name */
{
.local_name = "name",
.type = MAP_RENAME,
- .u.rename.remote_name = "displayName",
+ .u = {
+ .rename = {
+ .remote_name = "displayName",
+ },
+ },
},
/* cn */
/* sAMAccountName -> cn */
{
.local_name = "sAMAccountName",
- .type = MAP_RENAME,
- .u.rename.remote_name = "uid",
+ .type = MAP_CONVERT,
+ .u = {
+ .convert = {
+ .remote_name = "uid",
+ .convert_remote = convert_uid_samaccount,
+ },
+ },
},
/* objectCategory */
},
/* codePage */
- {
+ {
.local_name = "codePage",
.type = MAP_IGNORE,
},
},
/* nTMixedDomain */
- {
+ {
.local_name = "nTMixedDomain",
.type = MAP_IGNORE,
},
/* operatingSystem */
- {
+ {
.local_name = "operatingSystem",
.type = MAP_IGNORE,
},
/* sambaSID -> objectSid*/
{
.local_name = "objectSid",
- .type = MAP_RENAME,
- .u.rename.remote_name = "sambaSID",
+ .type = MAP_CONVERT,
+ .u = {
+ .convert = {
+ .remote_name = "sambaSID",
+ .convert_local = decode_sid,
+ .convert_remote = encode_sid,
+ },
+ },
},
/* sambaPwdLastSet -> pwdLastSet */
{
.local_name = "pwdLastSet",
.type = MAP_RENAME,
- .u.rename.remote_name = "sambaPwdLastSet",
- },
+ .u = {
+ .rename = {
+ .remote_name = "sambaPwdLastSet",
+ },
+ },
+ },
/* accountExpires */
{
- .local_name = "accountExpires",
+ .local_name = "accountExpires",
.type = MAP_IGNORE,
},
.local_name = "createTimestamp",
.type = MAP_IGNORE,
},
-
+
/* creationTime */
{
.local_name = "creationTime",
.type = MAP_IGNORE,
},
-
+
/* dMDLocation */
{
.local_name = "dMDLocation",
.type = MAP_IGNORE,
},
-
+
/* fSMORoleOwner */
{
.local_name = "fSMORoleOwner",
.type = MAP_IGNORE,
},
-
+
/* forceLogoff */
{
.local_name = "forceLogoff",
.type = MAP_IGNORE,
},
-
+
/* instanceType */
{
.local_name = "instanceType",
.type = MAP_IGNORE,
},
-
+
/* invocationId */
{
.local_name = "invocationId",
.type = MAP_IGNORE,
},
-
+
/* isCriticalSystemObject */
{
.local_name = "isCriticalSystemObject",
.type = MAP_IGNORE,
},
-
+
/* localPolicyFlags */
{
.local_name = "localPolicyFlags",
.type = MAP_IGNORE,
},
-
+
/* lockOutObservationWindow */
{
.local_name = "lockOutObservationWindow",
.type = MAP_IGNORE,
},
- /* unicodePwd */
+ /* sambaPassword */
{
- .local_name = "unicodePwd",
+ .local_name = "sambaPassword",
.type = MAP_IGNORE,
},
.type = MAP_IGNORE,
},
+ /* uidNumber */
+ {
+ .local_name = "unixName",
+ .type = MAP_CONVERT,
+ .u = {
+ .convert = {
+ .remote_name = "uidNumber",
+ .convert_local = lookup_uid,
+ },
+ },
+ },
+
+ /* gidNumber. Perhaps make into generate so we can distinguish between
+ * groups and accounts? */
+ {
+ .local_name = "unixName",
+ .type = MAP_CONVERT,
+ .u = {
+ .convert = {
+ .remote_name = "gidNumber",
+ .convert_local = lookup_gid,
+ },
+ },
+ },
+
+ /* homeDirectory */
+ {
+ .local_name = "unixName",
+ .type = MAP_CONVERT,
+ .u = {
+ .convert = {
+ .remote_name = "homeDirectory",
+ .convert_local = lookup_homedir,
+ },
+ },
+ },
{
.local_name = NULL,
}
};
- /* the init function */
-#ifdef HAVE_DLOPEN_DISABLED
-struct ldb_module *init_module(struct ldb_context *ldb, const char *options[])
-#else
-struct ldb_module *ldb_samba3sam_module_init(struct ldb_context *ldb, const char *options[])
-#endif
+/* the context init function */
+static int samba3sam_init(struct ldb_module *module)
+{
+ int ret;
+
+ ret = ldb_map_init(module, samba3_attributes, samba3_objectclasses, NULL, "samba3sam");
+ if (ret != LDB_SUCCESS)
+ return ret;
+
+ return ldb_next_init(module);
+}
+
+static struct ldb_module_ops samba3sam_ops = {
+ .name = "samba3sam",
+ .init_context = samba3sam_init,
+};
+
+/* the init function */
+int ldb_samba3sam_module_init(void)
{
- return ldb_map_init(ldb, samba3_attributes, samba3_objectclasses, "samba3sam");
+ struct ldb_module_ops ops = ldb_map_get_ops();
+ samba3sam_ops.add = ops.add;
+ samba3sam_ops.modify = ops.modify;
+ samba3sam_ops.del = ops.del;
+ samba3sam_ops.rename = ops.rename;
+ samba3sam_ops.search = ops.search;
+ samba3sam_ops.wait = ops.wait;
+
+ return ldb_register_module(&samba3sam_ops);
}