2 Unix SMB/CIFS implementation.
3 pdb glue module for samba4
4 Copyright (C) Volker Lendecke 2009-2011
5 Copyright (C) Andrew Bartlett 2010
6 Copyright (C) Matthias Dieter Wallnöfer 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* This module, is a port of Volker's pdb_ads to ldb and DSDB APIs */
25 #include "source3/include/passdb.h"
26 #include "source4/dsdb/samdb/samdb.h"
27 #include "ldb_errors.h"
28 #include "libcli/security/dom_sid.h"
29 #include "source4/winbind/idmap.h"
30 #include "librpc/gen_ndr/ndr_security.h"
31 #include "libds/common/flag_mapping.h"
32 #include "source4/lib/events/events.h"
33 #include "source4/auth/session.h"
34 #include "source4/auth/system_session_proto.h"
35 #include "source4/param/param.h"
37 struct pdb_samba4_state {
38 struct tevent_context *ev;
39 struct ldb_context *ldb;
40 struct idmap_context *idmap_ctx;
41 struct loadparm_context *lp_ctx;
44 static NTSTATUS pdb_samba4_getsampwsid(struct pdb_methods *m,
45 struct samu *sam_acct,
46 const struct dom_sid *sid);
47 static NTSTATUS pdb_samba4_getsamupriv(struct pdb_samba4_state *state,
50 struct ldb_message **pmsg);
51 static bool pdb_samba4_sid_to_id(struct pdb_methods *m, const struct dom_sid *sid,
52 union unid_t *id, enum lsa_SidType *type);
54 static bool pdb_samba4_pull_time(struct ldb_message *msg, const char *attr,
58 if (! ldb_msg_find_element(msg, attr)) {
61 tmp = ldb_msg_find_attr_as_uint64(msg, attr, 0);
62 *ptime = uint64s_nt_time_to_unix_abs(&tmp);
66 static struct pdb_domain_info *pdb_samba4_get_domain_info(
67 struct pdb_methods *m, TALLOC_CTX *mem_ctx)
69 struct pdb_samba4_state *state = talloc_get_type_abort(
70 m->private_data, struct pdb_samba4_state);
71 struct pdb_domain_info *info;
72 struct dom_sid *domain_sid;
73 struct ldb_dn *forest_dn, *domain_dn;
74 struct ldb_result *dom_res = NULL;
75 const char *dom_attrs[] = {
85 info = talloc(mem_ctx, struct pdb_domain_info);
90 domain_dn = ldb_get_default_basedn(state->ldb);
92 ret = ldb_search(state->ldb, info, &dom_res,
93 domain_dn, LDB_SCOPE_BASE, dom_attrs, NULL);
94 if (ret != LDB_SUCCESS) {
97 if (dom_res->count != 1) {
101 info->guid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
103 domain_sid = samdb_result_dom_sid(state, dom_res->msgs[0], "objectSid");
107 info->sid = *domain_sid;
109 TALLOC_FREE(dom_res);
111 info->name = talloc_strdup(info, lpcfg_sam_name(state->lp_ctx));
112 info->dns_domain = ldb_dn_canonical_string(info, domain_dn);
114 if (!info->dns_domain) {
117 p = strchr(info->dns_domain, '/');
122 forest_dn = ldb_get_root_basedn(state->ldb);
127 info->dns_forest = ldb_dn_canonical_string(info, forest_dn);
128 if (!info->dns_forest) {
131 p = strchr(info->dns_forest, '/');
139 TALLOC_FREE(dom_res);
144 static struct ldb_message *pdb_samba4_get_samu_private(
145 struct pdb_methods *m, struct samu *sam)
147 struct pdb_samba4_state *state = talloc_get_type_abort(
148 m->private_data, struct pdb_samba4_state);
149 struct ldb_message *msg;
150 char *sidstr, *filter;
153 msg = (struct ldb_message *)
154 pdb_get_backend_private_data(sam, m);
157 return talloc_get_type_abort(msg, struct ldb_message);
160 sidstr = dom_sid_string(talloc_tos(), pdb_get_user_sid(sam));
161 if (sidstr == NULL) {
165 filter = talloc_asprintf(
166 talloc_tos(), "(&(objectsid=%s)(objectclass=user))", sidstr);
168 if (filter == NULL) {
172 status = pdb_samba4_getsamupriv(state, filter, sam, &msg);
174 if (!NT_STATUS_IS_OK(status)) {
181 static NTSTATUS pdb_samba4_init_sam_from_priv(struct pdb_methods *m,
183 struct ldb_message *msg)
185 struct pdb_samba4_state *state = talloc_get_type_abort(
186 m->private_data, struct pdb_samba4_state);
187 TALLOC_CTX *frame = talloc_stackframe();
188 NTSTATUS status = NT_STATUS_INTERNAL_DB_CORRUPTION;
191 struct dom_sid *sid, group_sid;
193 const DATA_BLOB *blob;
195 str = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
197 DEBUG(10, ("no samAccountName\n"));
200 pdb_set_username(sam, str, PDB_SET);
202 if (pdb_samba4_pull_time(msg, "lastLogon", &tmp_time)) {
203 pdb_set_logon_time(sam, tmp_time, PDB_SET);
205 if (pdb_samba4_pull_time(msg, "lastLogoff", &tmp_time)) {
206 pdb_set_logoff_time(sam, tmp_time, PDB_SET);
208 if (pdb_samba4_pull_time(msg, "pwdLastSet", &tmp_time)) {
209 pdb_set_pass_last_set_time(sam, tmp_time, PDB_SET);
211 if (pdb_samba4_pull_time(msg, "accountExpires", &tmp_time)) {
212 pdb_set_kickoff_time(sam, tmp_time, PDB_SET);
215 str = ldb_msg_find_attr_as_string(msg, "displayName",
218 pdb_set_fullname(sam, str, PDB_SET);
221 str = ldb_msg_find_attr_as_string(msg, "homeDirectory",
224 pdb_set_homedir(sam, str, PDB_SET);
227 str = ldb_msg_find_attr_as_string(msg, "homeDrive", NULL);
229 pdb_set_dir_drive(sam, str, PDB_SET);
232 str = ldb_msg_find_attr_as_string(msg, "scriptPath", NULL);
234 pdb_set_logon_script(sam, str, PDB_SET);
237 str = ldb_msg_find_attr_as_string(msg, "profilePath",
240 pdb_set_profile_path(sam, str, PDB_SET);
243 str = ldb_msg_find_attr_as_string(msg, "profilePath",
246 pdb_set_profile_path(sam, str, PDB_SET);
249 str = ldb_msg_find_attr_as_string(msg, "comment",
252 pdb_set_comment(sam, str, PDB_SET);
255 str = ldb_msg_find_attr_as_string(msg, "description",
258 pdb_set_acct_desc(sam, str, PDB_SET);
261 str = ldb_msg_find_attr_as_string(msg, "userWorkstations",
264 pdb_set_workstations(sam, str, PDB_SET);
267 str = ldb_msg_find_attr_as_string(msg, "userParameters",
270 pdb_set_munged_dial(sam, str, PDB_SET);
273 sid = samdb_result_dom_sid(talloc_tos(), msg, "objectSid");
275 DEBUG(10, ("Could not pull SID\n"));
278 pdb_set_user_sid(sam, sid, PDB_SET);
280 n = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
282 DEBUG(10, ("Could not pull userAccountControl\n"));
285 pdb_set_acct_ctrl(sam, ds_uf2acb(n), PDB_SET);
287 blob = ldb_msg_find_ldb_val(msg, "unicodePwd");
289 if (blob->length != NT_HASH_LEN) {
290 DEBUG(0, ("Got NT hash of length %d, expected %d\n",
291 (int)blob->length, NT_HASH_LEN));
294 pdb_set_nt_passwd(sam, blob->data, PDB_SET);
297 blob = ldb_msg_find_ldb_val(msg, "dBCSPwd");
299 if (blob->length != LM_HASH_LEN) {
300 DEBUG(0, ("Got LM hash of length %d, expected %d\n",
301 (int)blob->length, LM_HASH_LEN));
304 pdb_set_lanman_passwd(sam, blob->data, PDB_SET);
307 n = ldb_msg_find_attr_as_uint(msg, "primaryGroupID", 0);
309 DEBUG(10, ("Could not pull primaryGroupID\n"));
312 sid_compose(&group_sid, samdb_domain_sid(state->ldb), n);
313 pdb_set_group_sid(sam, &group_sid, PDB_SET);
315 status = NT_STATUS_OK;
321 static bool pdb_samba4_add_time(struct ldb_message *msg,
322 const char *attrib, time_t t)
326 unix_to_nt_time(&nt_time, t);
328 return ldb_msg_add_fmt(msg, attrib, "%llu", (unsigned long long) nt_time);
331 /* Like in pdb_ldap(), this will need to be a function pointer when we
332 * start to support 'adds' for migrations from samba3 passdb backends
334 static bool update_required(struct samu *sam, enum pdb_elements element)
336 return (IS_SAM_CHANGED(sam, element));
339 static bool pdb_samba4_init_samba4_from_sam(struct pdb_samba4_state *state,
340 struct ldb_message *existing,
342 struct ldb_message **pmods,
345 int ret = LDB_SUCCESS;
347 struct ldb_message *msg;
349 /* TODO: All fields :-) */
351 msg = ldb_msg_new(mem_ctx);
356 msg->dn = existing->dn;
358 pw = pdb_get_plaintext_passwd(sam);
359 if (update_required(sam, PDB_PLAINTEXT_PW)) {
361 ret = LDB_ERR_OPERATIONS_ERROR;
365 ret |= ldb_msg_add_string(msg, "clearTextPassword", pw);
368 if (update_required(sam, PDB_FULLNAME)) {
369 ret |= ldb_msg_add_string(msg, "displayName", pdb_get_fullname(sam));
372 if (update_required(sam, PDB_SMBHOME)) {
373 ret |= ldb_msg_add_string(msg, "homeDirectory",
374 pdb_get_homedir(sam));
377 if (update_required(sam, PDB_PROFILE)) {
378 ret |= ldb_msg_add_string(msg, "profilePath",
379 pdb_get_profile_path(sam));
382 if (update_required(sam, PDB_DRIVE)) {
383 ret |= ldb_msg_add_string(msg, "homeDrive",
384 pdb_get_dir_drive(sam));
387 if (update_required(sam, PDB_LOGONSCRIPT)) {
388 ret |= ldb_msg_add_string(msg, "scriptPath",
389 pdb_get_logon_script(sam));
392 if (update_required(sam, PDB_KICKOFFTIME)) {
393 ret |= pdb_samba4_add_time(msg, "accountExpires",
394 pdb_get_kickoff_time(sam));
397 if (update_required(sam, PDB_USERNAME)) {
398 ret |= ldb_msg_add_string(msg, "samAccountName",
399 pdb_get_username(sam));
402 if (update_required(sam, PDB_HOURSLEN) || update_required(sam, PDB_HOURS)) {
403 struct ldb_val hours = data_blob_const(pdb_get_hours(sam), pdb_get_hours_len(sam));
404 ret |= ldb_msg_add_value(msg, "logonHours",
408 if (update_required(sam, PDB_ACCTCTRL)) {
409 ret |= ldb_msg_add_fmt(msg, "userAccountControl",
410 "%d", ds_acb2uf(pdb_get_acct_ctrl(sam)));
413 if (update_required(sam, PDB_COMMENT)) {
414 ret |= ldb_msg_add_string(msg, "comment",
415 pdb_get_comment(sam));
418 if (update_required(sam, PDB_ACCTDESC)) {
419 ret |= ldb_msg_add_string(msg, "description",
420 pdb_get_acct_desc(sam));
423 if (update_required(sam, PDB_WORKSTATIONS)) {
424 ret |= ldb_msg_add_string(msg, "userWorkstations",
425 pdb_get_workstations(sam));
428 /* This will need work, it is actually a UTF8 'string' with internal NULLs, to handle TS parameters */
429 if (update_required(sam, PDB_MUNGEDDIAL)) {
430 ret |= ldb_msg_add_string(msg, "userParameters",
431 pdb_get_munged_dial(sam));
434 if (update_required(sam, PDB_COUNTRY_CODE)) {
435 ret |= ldb_msg_add_fmt(msg, "countryCode",
436 "%i", (int)pdb_get_country_code(sam));
439 if (update_required(sam, PDB_CODE_PAGE)) {
440 ret |= ldb_msg_add_fmt(msg, "codePage",
441 "%i", (int)pdb_get_code_page(sam));
444 /* Not yet handled here or not meaningful for modifies on a Samba4 backend:
447 PDB_BAD_PASSWORD_TIME,
457 PDB_BAD_PASSWORD_COUNT,
463 PDB_BACKEND_PRIVATE_DATA,
469 return ret == LDB_SUCCESS;
472 static NTSTATUS pdb_samba4_getsamupriv(struct pdb_samba4_state *state,
475 struct ldb_message **msg)
477 const char * attrs[] = {
478 "lastLogon", "lastLogoff", "pwdLastSet", "accountExpires",
479 "sAMAccountName", "displayName", "homeDirectory",
480 "homeDrive", "scriptPath", "profilePath", "description",
481 "userWorkstations", "comment", "userParameters", "objectSid",
482 "primaryGroupID", "userAccountControl", "logonHours",
483 "badPwdCount", "logonCount", "countryCode", "codePage",
484 "unicodePwd", "dBCSPwd", NULL };
486 int rc = dsdb_search_one(state->ldb, mem_ctx, msg, NULL, LDB_SCOPE_SUBTREE, attrs, 0, "%s", filter);
487 if (rc != LDB_SUCCESS) {
488 DEBUG(10, ("ldap_search failed %s\n",
489 ldb_errstring(state->ldb)));
490 return NT_STATUS_LDAP(rc);
496 static NTSTATUS pdb_samba4_getsampwfilter(struct pdb_methods *m,
497 struct pdb_samba4_state *state,
498 struct samu *sam_acct,
499 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(4, 5)
501 struct ldb_message *priv;
504 char *expression = NULL;
505 TALLOC_CTX *tmp_ctx = talloc_new(state);
506 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
508 va_start(ap, exp_fmt);
509 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
513 talloc_free(tmp_ctx);
514 return NT_STATUS_NO_MEMORY;
517 status = pdb_samba4_getsamupriv(state, expression, sam_acct, &priv);
518 talloc_free(tmp_ctx);
519 if (!NT_STATUS_IS_OK(status)) {
520 DEBUG(10, ("pdb_samba4_getsamupriv failed: %s\n",
525 status = pdb_samba4_init_sam_from_priv(m, sam_acct, priv);
526 if (!NT_STATUS_IS_OK(status)) {
527 DEBUG(10, ("pdb_samba4_init_sam_from_priv failed: %s\n",
533 pdb_set_backend_private_data(sam_acct, priv, NULL, m, PDB_SET);
537 static NTSTATUS pdb_samba4_getsampwnam(struct pdb_methods *m,
538 struct samu *sam_acct,
539 const char *username)
541 struct pdb_samba4_state *state = talloc_get_type_abort(
542 m->private_data, struct pdb_samba4_state);
544 return pdb_samba4_getsampwfilter(m, state, sam_acct,
545 "(&(samaccountname=%s)(objectclass=user))",
549 static NTSTATUS pdb_samba4_getsampwsid(struct pdb_methods *m,
550 struct samu *sam_acct,
551 const struct dom_sid *sid)
554 struct pdb_samba4_state *state = talloc_get_type_abort(
555 m->private_data, struct pdb_samba4_state);
558 sidstr = dom_sid_string(talloc_tos(), sid);
559 NT_STATUS_HAVE_NO_MEMORY(sidstr);
561 status = pdb_samba4_getsampwfilter(m, state, sam_acct,
562 "(&(objectsid=%s)(objectclass=user))",
568 static NTSTATUS pdb_samba4_create_user(struct pdb_methods *m,
570 const char *name, uint32 acct_flags,
573 struct pdb_samba4_state *state = talloc_get_type_abort(
574 m->private_data, struct pdb_samba4_state);
578 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
579 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
581 /* Internally this uses transactions to ensure all the steps
582 * happen or fail as one */
583 status = dsdb_add_user(state->ldb, tmp_ctx, name, acct_flags, NULL,
585 if (!NT_STATUS_IS_OK(status)) {
586 talloc_free(tmp_ctx);
589 sid_peek_rid(sid, rid);
590 talloc_free(tmp_ctx);
594 static NTSTATUS pdb_samba4_delete_user(struct pdb_methods *m,
598 struct pdb_samba4_state *state = talloc_get_type_abort(
599 m->private_data, struct pdb_samba4_state);
602 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
603 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
605 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, pdb_get_user_sid(sam)));
606 if (!dn || !ldb_dn_validate(dn)) {
607 talloc_free(tmp_ctx);
608 return NT_STATUS_NO_MEMORY;
610 rc = ldb_delete(state->ldb, dn);
612 if (rc != LDB_SUCCESS) {
613 DEBUG(10, ("ldb_delete for %s failed: %s\n", ldb_dn_get_linearized(dn),
614 ldb_errstring(state->ldb)));
615 talloc_free(tmp_ctx);
616 return NT_STATUS_LDAP(rc);
618 talloc_free(tmp_ctx);
622 /* This interface takes a fully populated struct samu and places it in
623 * the database. This is not implemented at this time as we need to
624 * be careful around the creation of arbitary SIDs (ie, we must ensrue
625 * they are not left in a RID pool */
626 static NTSTATUS pdb_samba4_add_sam_account(struct pdb_methods *m,
627 struct samu *sampass)
629 return NT_STATUS_NOT_IMPLEMENTED;
633 * Update the Samba4 LDB with the changes from a struct samu.
635 * This takes care not to update elements that have not been changed
638 static NTSTATUS pdb_samba4_update_sam_account(struct pdb_methods *m,
641 struct pdb_samba4_state *state = talloc_get_type_abort(
642 m->private_data, struct pdb_samba4_state);
643 struct ldb_message *msg = pdb_samba4_get_samu_private(
645 struct ldb_message *replace_msg;
648 if (!pdb_samba4_init_samba4_from_sam(state, msg, talloc_tos(),
649 &replace_msg, sam)) {
650 return NT_STATUS_NO_MEMORY;
653 if (replace_msg->num_elements == 0) {
654 /* Nothing to do, just return success */
658 rc = dsdb_replace(state->ldb, replace_msg, 0);
659 TALLOC_FREE(replace_msg);
660 if (rc != LDB_SUCCESS) {
661 DEBUG(10, ("dsdb_replace for %s failed: %s\n", ldb_dn_get_linearized(replace_msg->dn),
662 ldb_errstring(state->ldb)));
663 return NT_STATUS_LDAP(rc);
669 static NTSTATUS pdb_samba4_delete_sam_account(struct pdb_methods *m,
670 struct samu *username)
673 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
674 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
675 status = pdb_samba4_delete_user(m, tmp_ctx, username);
676 talloc_free(tmp_ctx);
680 static NTSTATUS pdb_samba4_rename_sam_account(struct pdb_methods *m,
681 struct samu *oldname,
684 return NT_STATUS_NOT_IMPLEMENTED;
687 /* This is not implemented, as this module is exptected to be used
688 * with auth_samba4, and this is responible for login counters etc
691 static NTSTATUS pdb_samba4_update_login_attempts(struct pdb_methods *m,
692 struct samu *sam_acct,
695 return NT_STATUS_NOT_IMPLEMENTED;
698 static NTSTATUS pdb_samba4_getgrfilter(struct pdb_methods *m, GROUP_MAP *map,
699 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(4, 5)
701 struct pdb_samba4_state *state = talloc_get_type_abort(
702 m->private_data, struct pdb_samba4_state);
703 const char *attrs[] = { "objectSid", "description", "samAccountName",
705 struct ldb_message *msg;
707 char *expression = NULL;
712 TALLOC_CTX *tmp_ctx = talloc_stackframe();
713 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
715 va_start(ap, exp_fmt);
716 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
720 talloc_free(tmp_ctx);
721 return NT_STATUS_NO_MEMORY;
724 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, NULL, LDB_SCOPE_SUBTREE, attrs, 0, "%s", expression);
725 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
726 talloc_free(tmp_ctx);
727 return NT_STATUS_NO_SUCH_GROUP;
728 } else if (rc != LDB_SUCCESS) {
729 talloc_free(tmp_ctx);
730 DEBUG(10, ("dsdb_search_one failed %s\n",
731 ldb_errstring(state->ldb)));
732 return NT_STATUS_LDAP(rc);
735 sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
737 talloc_free(tmp_ctx);
738 DEBUG(10, ("Could not pull SID\n"));
739 return NT_STATUS_INTERNAL_DB_CORRUPTION;
744 if (!pdb_samba4_sid_to_id(m, sid, &id, &map->sid_name_use)) {
745 talloc_free(tmp_ctx);
746 return NT_STATUS_NO_SUCH_GROUP;
748 if (map->sid_name_use == SID_NAME_USER) {
749 DEBUG(1, (__location__ "Got SID_NAME_USER when searching for a group with %s", expression));
750 return NT_STATUS_INTERNAL_DB_CORRUPTION;
754 str = ldb_msg_find_attr_as_string(msg, "samAccountName",
757 talloc_free(tmp_ctx);
758 return NT_STATUS_INTERNAL_DB_CORRUPTION;
760 fstrcpy(map->nt_name, str);
762 str = ldb_msg_find_attr_as_string(msg, "description",
765 fstrcpy(map->comment, str);
767 map->comment[0] = '\0';
770 talloc_free(tmp_ctx);
774 static NTSTATUS pdb_samba4_getgrsid(struct pdb_methods *m, GROUP_MAP *map,
780 filter = talloc_asprintf(talloc_tos(),
781 "(&(objectsid=%s)(objectclass=group))",
782 sid_string_talloc(talloc_tos(), &sid));
783 if (filter == NULL) {
784 return NT_STATUS_NO_MEMORY;
787 status = pdb_samba4_getgrfilter(m, map, filter);
792 static NTSTATUS pdb_samba4_getgrgid(struct pdb_methods *m, GROUP_MAP *map,
795 struct pdb_samba4_state *state = talloc_get_type_abort(
796 m->private_data, struct pdb_samba4_state);
798 struct id_map id_map;
799 struct id_map *id_maps[2];
800 TALLOC_CTX *tmp_ctx = talloc_stackframe();
801 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
804 id_map.xid.type = ID_TYPE_GID;
805 id_maps[0] = &id_map;
808 status = idmap_xids_to_sids(state->idmap_ctx, tmp_ctx, id_maps);
809 if (!NT_STATUS_IS_OK(status)) {
812 status = pdb_samba4_getgrsid(m, map, *id_map.sid);
813 talloc_free(tmp_ctx);
817 static NTSTATUS pdb_samba4_getgrnam(struct pdb_methods *m, GROUP_MAP *map,
823 filter = talloc_asprintf(talloc_tos(),
824 "(&(samaccountname=%s)(objectclass=group))",
826 if (filter == NULL) {
827 return NT_STATUS_NO_MEMORY;
830 status = pdb_samba4_getgrfilter(m, map, filter);
835 static NTSTATUS pdb_samba4_create_dom_group(struct pdb_methods *m,
836 TALLOC_CTX *mem_ctx, const char *name,
839 struct pdb_samba4_state *state = talloc_get_type_abort(
840 m->private_data, struct pdb_samba4_state);
844 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
845 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
847 status = dsdb_add_domain_group(state->ldb, tmp_ctx, name, &sid, &dn);
848 if (!NT_STATUS_IS_OK(status)) {
849 talloc_free(tmp_ctx);
853 sid_peek_rid(sid, rid);
854 talloc_free(tmp_ctx);
858 static NTSTATUS pdb_samba4_delete_dom_group(struct pdb_methods *m,
859 TALLOC_CTX *mem_ctx, uint32 rid)
861 const char *attrs[] = { NULL };
862 struct pdb_samba4_state *state = talloc_get_type_abort(
863 m->private_data, struct pdb_samba4_state);
865 struct ldb_message *msg;
868 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
869 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
871 sid_compose(&sid, samdb_domain_sid(state->ldb), rid);
873 if (ldb_transaction_start(state->ldb) != LDB_SUCCESS) {
874 DEBUG(0, ("Unable to start transaction in pdb_samba4_delete_dom_group()\n"));
875 return NT_STATUS_INTERNAL_ERROR;
878 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, &sid));
879 if (!dn || !ldb_dn_validate(dn)) {
880 talloc_free(tmp_ctx);
881 ldb_transaction_cancel(state->ldb);
882 return NT_STATUS_NO_MEMORY;
884 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs, 0, "objectclass=group");
885 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
886 talloc_free(tmp_ctx);
887 ldb_transaction_cancel(state->ldb);
888 return NT_STATUS_NO_SUCH_GROUP;
890 rc = ldb_delete(state->ldb, dn);
891 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
892 talloc_free(tmp_ctx);
893 ldb_transaction_cancel(state->ldb);
894 return NT_STATUS_NO_SUCH_GROUP;
895 } else if (rc != LDB_SUCCESS) {
896 DEBUG(10, ("ldb_delete failed %s\n",
897 ldb_errstring(state->ldb)));
898 ldb_transaction_cancel(state->ldb);
899 return NT_STATUS_LDAP(rc);
902 if (ldb_transaction_commit(state->ldb) != LDB_SUCCESS) {
903 DEBUG(0, ("Unable to commit transaction in pdb_samba4_delete_dom_group()\n"));
904 return NT_STATUS_INTERNAL_ERROR;
909 static NTSTATUS pdb_samba4_add_group_mapping_entry(struct pdb_methods *m,
912 return NT_STATUS_NOT_IMPLEMENTED;
915 static NTSTATUS pdb_samba4_update_group_mapping_entry(struct pdb_methods *m,
918 return NT_STATUS_NOT_IMPLEMENTED;
921 static NTSTATUS pdb_samba4_delete_group_mapping_entry(struct pdb_methods *m,
924 return NT_STATUS_NOT_IMPLEMENTED;
927 static NTSTATUS pdb_samba4_enum_group_mapping(struct pdb_methods *m,
928 const struct dom_sid *sid,
929 enum lsa_SidType sid_name_use,
931 size_t *p_num_entries,
934 return NT_STATUS_NOT_IMPLEMENTED;
937 static NTSTATUS pdb_samba4_enum_group_members(struct pdb_methods *m,
939 const struct dom_sid *group,
941 size_t *pnum_members)
943 unsigned int i, num_sids, num_members;
944 struct pdb_samba4_state *state = talloc_get_type_abort(
945 m->private_data, struct pdb_samba4_state);
946 struct dom_sid *members_as_sids;
947 struct dom_sid *dom_sid;
952 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
953 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
955 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, group));
956 if (!dn || !ldb_dn_validate(dn)) {
957 return NT_STATUS_NO_MEMORY;
960 status = dsdb_enum_group_mem(state->ldb, tmp_ctx, dn, &members_as_sids, &num_sids);
961 if (!NT_STATUS_IS_OK(status)) {
962 talloc_free(tmp_ctx);
965 status = dom_sid_split_rid(tmp_ctx, group, &dom_sid, NULL);
966 if (!NT_STATUS_IS_OK(status)) {
967 talloc_free(tmp_ctx);
971 *pmembers = members = talloc_array(mem_ctx, uint32_t, num_sids);
972 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(*pmembers, tmp_ctx);
975 for (i = 0; i < num_sids; i++) {
976 if (!dom_sid_in_domain(dom_sid, &members_as_sids[i])) {
979 status = dom_sid_split_rid(NULL, &members_as_sids[i],
980 NULL, &members[num_members]);
981 if (!NT_STATUS_IS_OK(status)) {
982 talloc_free(tmp_ctx);
987 *pnum_members = num_members;
991 /* Just convert the primary group SID into a group */
992 static NTSTATUS fake_enum_group_memberships(struct pdb_samba4_state *state,
995 struct dom_sid **pp_sids,
997 uint32_t *p_num_groups)
1000 size_t num_groups = 0;
1001 struct dom_sid *group_sids;
1003 TALLOC_CTX *tmp_ctx;
1005 tmp_ctx = talloc_new(mem_ctx);
1006 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1008 if (user->group_sid) {
1009 struct id_map *id_maps[2];
1010 struct id_map id_map;
1014 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_groups);
1015 if (group_sids == NULL) {
1016 talloc_free(tmp_ctx);
1017 return NT_STATUS_NO_MEMORY;
1019 gids = talloc_array(tmp_ctx, gid_t, num_groups);
1021 talloc_free(tmp_ctx);
1022 return NT_STATUS_NO_MEMORY;
1025 group_sids[0] = *user->group_sid;
1027 ZERO_STRUCT(id_map);
1028 id_map.sid = &group_sids[0];
1029 id_maps[0] = &id_map;
1032 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
1033 if (!NT_STATUS_IS_OK(status)) {
1034 talloc_free(tmp_ctx);
1037 if (id_map.xid.type == ID_TYPE_GID || id_map.xid.type == ID_TYPE_BOTH) {
1038 gids[0] = id_map.xid.id;
1040 DEBUG(1, (__location__
1041 "Group %s, of which %s is a member, could not be converted to a GID\n",
1042 dom_sid_string(tmp_ctx, &group_sids[0]),
1043 dom_sid_string(tmp_ctx, &user->user_sid)));
1044 talloc_free(tmp_ctx);
1045 /* We must error out, otherwise a user might
1046 * avoid a DENY acl based on a group they
1048 return NT_STATUS_NO_SUCH_GROUP;
1052 *pp_sids = talloc_steal(mem_ctx, group_sids);
1053 *pp_gids = talloc_steal(mem_ctx, gids);
1054 *p_num_groups = num_groups;
1055 talloc_free(tmp_ctx);
1056 return NT_STATUS_OK;
1059 static NTSTATUS pdb_samba4_enum_group_memberships(struct pdb_methods *m,
1060 TALLOC_CTX *mem_ctx,
1062 struct dom_sid **pp_sids,
1064 uint32_t *p_num_groups)
1066 struct pdb_samba4_state *state = talloc_get_type_abort(
1067 m->private_data, struct pdb_samba4_state);
1068 struct ldb_message *msg = pdb_samba4_get_samu_private(
1070 const char *attrs[] = { "tokenGroups", NULL};
1071 struct ldb_message *tokengroups_msg;
1072 struct ldb_message_element *tokengroups;
1075 unsigned int count = 0;
1077 struct dom_sid *group_sids;
1079 TALLOC_CTX *tmp_ctx;
1082 /* Fake up some things here */
1083 return fake_enum_group_memberships(state,
1086 pp_gids, p_num_groups);
1089 tmp_ctx = talloc_new(mem_ctx);
1090 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1092 rc = dsdb_search_one(state->ldb, tmp_ctx, &tokengroups_msg, msg->dn, LDB_SCOPE_BASE, attrs, 0, NULL);
1094 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1095 talloc_free(tmp_ctx);
1096 return NT_STATUS_NO_SUCH_USER;
1097 } else if (rc != LDB_SUCCESS) {
1098 DEBUG(10, ("dsdb_search_one failed %s\n",
1099 ldb_errstring(state->ldb)));
1100 talloc_free(tmp_ctx);
1101 return NT_STATUS_LDAP(rc);
1104 tokengroups = ldb_msg_find_element(tokengroups_msg, "tokenGroups");
1107 count = tokengroups->num_values;
1110 group_sids = talloc_array(tmp_ctx, struct dom_sid, count);
1111 if (group_sids == NULL) {
1112 talloc_free(tmp_ctx);
1113 return NT_STATUS_NO_MEMORY;
1115 gids = talloc_array(tmp_ctx, gid_t, count);
1117 talloc_free(tmp_ctx);
1118 return NT_STATUS_NO_MEMORY;
1122 for (i=0; i<count; i++) {
1123 struct id_map *id_maps[2];
1124 struct id_map id_map;
1125 struct ldb_val *v = &tokengroups->values[i];
1126 enum ndr_err_code ndr_err
1127 = ndr_pull_struct_blob(v, group_sids, &group_sids[num_groups],
1128 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
1129 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1130 talloc_free(tmp_ctx);
1131 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1134 ZERO_STRUCT(id_map);
1135 id_map.sid = &group_sids[num_groups];
1136 id_maps[0] = &id_map;
1139 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
1140 if (!NT_STATUS_IS_OK(status)) {
1141 talloc_free(tmp_ctx);
1144 if (id_map.xid.type == ID_TYPE_GID || id_map.xid.type == ID_TYPE_BOTH) {
1145 gids[num_groups] = id_map.xid.id;
1147 DEBUG(1, (__location__
1148 "Group %s, of which %s is a member, could not be converted to a GID\n",
1149 dom_sid_string(tmp_ctx, &group_sids[num_groups]),
1150 ldb_dn_get_linearized(msg->dn)));
1151 talloc_free(tmp_ctx);
1152 /* We must error out, otherwise a user might
1153 * avoid a DENY acl based on a group they
1155 return NT_STATUS_NO_SUCH_GROUP;
1159 if (num_groups == count) {
1164 *pp_sids = talloc_steal(mem_ctx, group_sids);
1165 *pp_gids = talloc_steal(mem_ctx, gids);
1166 *p_num_groups = num_groups;
1167 talloc_free(tmp_ctx);
1168 return NT_STATUS_OK;
1171 static NTSTATUS pdb_samba4_set_unix_primary_group(struct pdb_methods *m,
1172 TALLOC_CTX *mem_ctx,
1175 return NT_STATUS_NOT_IMPLEMENTED;
1178 static NTSTATUS pdb_samba4_mod_groupmem_by_sid(struct pdb_methods *m,
1179 TALLOC_CTX *mem_ctx,
1180 const struct dom_sid *groupsid,
1181 const struct dom_sid *membersid,
1184 struct pdb_samba4_state *state = talloc_get_type_abort(
1185 m->private_data, struct pdb_samba4_state);
1186 struct ldb_message *msg;
1188 struct ldb_message_element *el;
1189 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1190 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1191 msg = ldb_msg_new(tmp_ctx);
1192 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(msg, tmp_ctx);
1194 msg->dn = ldb_dn_new_fmt(msg, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, groupsid));
1195 if (!msg->dn || !ldb_dn_validate(msg->dn)) {
1196 talloc_free(tmp_ctx);
1197 return NT_STATUS_NO_MEMORY;
1199 ret = ldb_msg_add_fmt(msg, "member", "<SID=%s>", dom_sid_string(tmp_ctx, membersid));
1200 if (ret != LDB_SUCCESS) {
1201 talloc_free(tmp_ctx);
1202 return NT_STATUS_NO_MEMORY;
1204 el = ldb_msg_find_element(msg, "member");
1207 /* No need for transactions here, the ldb auto-transaction
1208 * code will handle things for the single operation */
1209 ret = ldb_modify(state->ldb, msg);
1210 talloc_free(tmp_ctx);
1211 if (ret != LDB_SUCCESS) {
1212 DEBUG(10, ("ldb_modify failed: %s\n",
1213 ldb_errstring(state->ldb)));
1214 if (ret == LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS) {
1215 return NT_STATUS_MEMBER_IN_GROUP;
1217 if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
1218 return NT_STATUS_MEMBER_NOT_IN_GROUP;
1220 return NT_STATUS_LDAP(ret);
1223 return NT_STATUS_OK;
1226 static NTSTATUS pdb_samba4_mod_groupmem(struct pdb_methods *m,
1227 TALLOC_CTX *mem_ctx,
1228 uint32 grouprid, uint32 memberrid,
1231 struct pdb_samba4_state *state = talloc_get_type_abort(
1232 m->private_data, struct pdb_samba4_state);
1233 const struct dom_sid *dom_sid, *groupsid, *membersid;
1235 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1236 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1238 dom_sid = samdb_domain_sid(state->ldb);
1240 groupsid = dom_sid_add_rid(tmp_ctx, dom_sid, grouprid);
1241 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupsid, tmp_ctx);
1242 membersid = dom_sid_add_rid(tmp_ctx, dom_sid, memberrid);
1243 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(membersid, tmp_ctx);
1244 status = pdb_samba4_mod_groupmem_by_sid(m, tmp_ctx, groupsid, membersid, mod_op);
1245 talloc_free(tmp_ctx);
1249 static NTSTATUS pdb_samba4_add_groupmem(struct pdb_methods *m,
1250 TALLOC_CTX *mem_ctx,
1251 uint32 group_rid, uint32 member_rid)
1253 return pdb_samba4_mod_groupmem(m, mem_ctx, group_rid, member_rid,
1257 static NTSTATUS pdb_samba4_del_groupmem(struct pdb_methods *m,
1258 TALLOC_CTX *mem_ctx,
1259 uint32 group_rid, uint32 member_rid)
1261 return pdb_samba4_mod_groupmem(m, mem_ctx, group_rid, member_rid,
1262 LDB_FLAG_MOD_DELETE);
1265 static NTSTATUS pdb_samba4_create_alias(struct pdb_methods *m,
1266 const char *name, uint32 *rid)
1268 TALLOC_CTX *frame = talloc_stackframe();
1269 struct pdb_samba4_state *state = talloc_get_type_abort(
1270 m->private_data, struct pdb_samba4_state);
1271 struct dom_sid *sid;
1276 /* Internally this uses transactions to ensure all the steps
1277 * happen or fail as one */
1278 status = dsdb_add_domain_alias(state->ldb, frame, name, &sid, &dn);
1279 if (!NT_STATUS_IS_OK(status)) {
1283 sid_peek_rid(sid, rid);
1285 return NT_STATUS_OK;
1288 static NTSTATUS pdb_samba4_delete_alias(struct pdb_methods *m,
1289 const struct dom_sid *sid)
1291 const char *attrs[] = { NULL };
1292 struct pdb_samba4_state *state = talloc_get_type_abort(
1293 m->private_data, struct pdb_samba4_state);
1294 struct ldb_message *msg;
1297 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1298 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1300 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, sid));
1301 if (!dn || !ldb_dn_validate(dn)) {
1302 talloc_free(tmp_ctx);
1303 return NT_STATUS_NO_MEMORY;
1306 if (ldb_transaction_start(state->ldb) != LDB_SUCCESS) {
1307 DEBUG(0, ("Failed to start transaction in dsdb_add_domain_alias(): %s\n", ldb_errstring(state->ldb)));
1308 return NT_STATUS_INTERNAL_ERROR;
1311 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs, 0, "(objectclass=group)"
1312 "(|(grouptype=%d)(grouptype=%d)))",
1313 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
1314 GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
1315 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1316 talloc_free(tmp_ctx);
1317 ldb_transaction_cancel(state->ldb);
1318 return NT_STATUS_NO_SUCH_ALIAS;
1320 rc = ldb_delete(state->ldb, dn);
1321 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1322 talloc_free(tmp_ctx);
1323 ldb_transaction_cancel(state->ldb);
1324 return NT_STATUS_NO_SUCH_ALIAS;
1325 } else if (rc != LDB_SUCCESS) {
1326 DEBUG(10, ("ldb_delete failed %s\n",
1327 ldb_errstring(state->ldb)));
1328 ldb_transaction_cancel(state->ldb);
1329 return NT_STATUS_LDAP(rc);
1332 if (ldb_transaction_commit(state->ldb) != LDB_SUCCESS) {
1333 DEBUG(0, ("Failed to commit transaction in pdb_samba4_delete_alias(): %s\n",
1334 ldb_errstring(state->ldb)));
1335 return NT_STATUS_INTERNAL_ERROR;
1338 return NT_STATUS_OK;
1342 static NTSTATUS pdb_samba4_set_aliasinfo(struct pdb_methods *m,
1343 const struct dom_sid *sid,
1344 struct acct_info *info)
1346 struct pdb_samba4_state *state = talloc_get_type_abort(
1347 m->private_data, struct pdb_samba4_state);
1348 struct tldap_context *ld;
1349 const char *attrs[3] = { "objectSid", "description",
1351 struct ldb_message **msg;
1354 struct tldap_mod *mods;
1358 ld = pdb_samba4_ld(state);
1360 return NT_STATUS_LDAP(TLDAP_SERVER_DOWN);
1363 sidstr = sid_binstring(talloc_tos(), sid);
1364 NT_STATUS_HAVE_NO_MEMORY(sidstr);
1366 rc = pdb_samba4_search_fmt(state, state->domaindn, TLDAP_SCOPE_SUB,
1367 attrs, ARRAY_SIZE(attrs), 0, talloc_tos(),
1368 &msg, "(&(objectSid=%s)(objectclass=group)"
1369 "(|(grouptype=%d)(grouptype=%d)))",
1370 sidstr, GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
1371 GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
1373 if (rc != LDB_SUCCESS) {
1374 DEBUG(10, ("ldap_search failed %s\n",
1375 ldb_errstring(state->ldb)));
1376 return NT_STATUS_LDAP(rc);
1378 switch talloc_array_length(msg) {
1380 return NT_STATUS_NO_SUCH_ALIAS;
1384 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1387 if (!tldap_entry_dn(msg[0], &dn)) {
1389 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1396 ok &= tldap_make_mod_fmt(
1397 msg[0], msg, &num_mods, &mods, "description",
1398 "%s", info->acct_desc);
1399 ok &= tldap_make_mod_fmt(
1400 msg[0], msg, &num_mods, &mods, "samAccountName",
1401 "%s", info->acct_name);
1404 return NT_STATUS_NO_MEMORY;
1406 if (num_mods == 0) {
1409 return NT_STATUS_OK;
1412 rc = tldap_modify(ld, dn, num_mods, mods, NULL, 0, NULL, 0);
1414 if (rc != LDB_SUCCESS) {
1415 DEBUG(10, ("ldap_modify failed: %s\n",
1416 ldb_errstring(state->ldb)));
1417 return NT_STATUS_LDAP(rc);
1419 return NT_STATUS_OK;
1422 static NTSTATUS pdb_samba4_add_aliasmem(struct pdb_methods *m,
1423 const struct dom_sid *alias,
1424 const struct dom_sid *member)
1427 TALLOC_CTX *frame = talloc_stackframe();
1428 status = pdb_samba4_mod_groupmem_by_sid(m, frame, alias, member, LDB_FLAG_MOD_ADD);
1433 static NTSTATUS pdb_samba4_del_aliasmem(struct pdb_methods *m,
1434 const struct dom_sid *alias,
1435 const struct dom_sid *member)
1438 TALLOC_CTX *frame = talloc_stackframe();
1439 status = pdb_samba4_mod_groupmem_by_sid(m, frame, alias, member, LDB_FLAG_MOD_DELETE);
1444 static NTSTATUS pdb_samba4_enum_aliasmem(struct pdb_methods *m,
1445 const struct dom_sid *alias,
1446 TALLOC_CTX *mem_ctx,
1447 struct dom_sid **pmembers,
1448 size_t *pnum_members)
1450 struct pdb_samba4_state *state = talloc_get_type_abort(
1451 m->private_data, struct pdb_samba4_state);
1453 unsigned int num_members;
1455 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1456 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1458 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, alias));
1459 if (!dn || !ldb_dn_validate(dn)) {
1460 return NT_STATUS_NO_MEMORY;
1463 status = dsdb_enum_group_mem(state->ldb, mem_ctx, dn, pmembers, &num_members);
1464 *pnum_members = num_members;
1465 if (NT_STATUS_IS_OK(status)) {
1466 talloc_steal(mem_ctx, pmembers);
1468 talloc_free(tmp_ctx);
1472 static NTSTATUS pdb_samba4_enum_alias_memberships(struct pdb_methods *m,
1473 TALLOC_CTX *mem_ctx,
1474 const struct dom_sid *domain_sid,
1475 const struct dom_sid *members,
1477 uint32_t **palias_rids,
1478 size_t *pnum_alias_rids)
1480 struct pdb_samba4_state *state = talloc_get_type_abort(
1481 m->private_data, struct pdb_samba4_state);
1482 uint32_t *alias_rids = NULL;
1483 size_t num_alias_rids = 0;
1485 struct dom_sid *groupSIDs = NULL;
1486 unsigned int num_groupSIDs = 0;
1489 const char *sid_string;
1493 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1494 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1496 * TODO: Get the filter right so that we only get the aliases from
1497 * either the SAM or BUILTIN
1500 filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
1501 GROUP_TYPE_BUILTIN_LOCAL_GROUP);
1502 if (filter == NULL) {
1503 return NT_STATUS_NO_MEMORY;
1506 for (i = 0; i < num_members; i++) {
1507 sid_string = dom_sid_string(tmp_ctx, &members[i]);
1508 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, tmp_ctx);
1510 sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
1511 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, tmp_ctx);
1513 sid_blob = data_blob_string_const(sid_dn);
1515 status = dsdb_expand_nested_groups(state->ldb, &sid_blob, true, filter,
1516 tmp_ctx, &groupSIDs, &num_groupSIDs);
1517 if (!NT_STATUS_IS_OK(status)) {
1518 talloc_free(tmp_ctx);
1523 alias_rids = talloc_array(mem_ctx, uint32_t, num_groupSIDs);
1524 if (alias_rids == NULL) {
1525 talloc_free(tmp_ctx);
1526 return NT_STATUS_NO_MEMORY;
1529 for (i=0; i<num_groupSIDs; i++) {
1530 if (sid_peek_check_rid(domain_sid, &groupSIDs[i],
1531 &alias_rids[num_alias_rids])) {
1536 *palias_rids = alias_rids;
1537 *pnum_alias_rids = num_alias_rids;
1538 return NT_STATUS_OK;
1541 static NTSTATUS pdb_samba4_lookup_rids(struct pdb_methods *m,
1542 const struct dom_sid *domain_sid,
1546 enum lsa_SidType *lsa_attrs)
1548 struct pdb_samba4_state *state = talloc_get_type_abort(
1549 m->private_data, struct pdb_samba4_state);
1552 TALLOC_CTX *tmp_ctx;
1554 if (num_rids == 0) {
1555 return NT_STATUS_NONE_MAPPED;
1558 tmp_ctx = talloc_stackframe();
1559 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1561 status = dsdb_lookup_rids(state->ldb, tmp_ctx, domain_sid, num_rids, rids, names, lsa_attrs);
1562 talloc_free(tmp_ctx);
1566 static NTSTATUS pdb_samba4_lookup_names(struct pdb_methods *m,
1567 const struct dom_sid *domain_sid,
1569 const char **pp_names,
1571 enum lsa_SidType *attrs)
1573 return NT_STATUS_NOT_IMPLEMENTED;
1576 static NTSTATUS pdb_samba4_get_account_policy(struct pdb_methods *m,
1577 enum pdb_policy_type type,
1580 return account_policy_get(type, value)
1581 ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1584 static NTSTATUS pdb_samba4_set_account_policy(struct pdb_methods *m,
1585 enum pdb_policy_type type,
1588 return account_policy_set(type, value)
1589 ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1592 static NTSTATUS pdb_samba4_get_seq_num(struct pdb_methods *m,
1593 time_t *seq_num_out)
1595 struct pdb_samba4_state *state = talloc_get_type_abort(
1596 m->private_data, struct pdb_samba4_state);
1598 int ret = ldb_sequence_number(state->ldb, LDB_SEQ_HIGHEST_SEQ, &seq_num);
1599 if (ret == LDB_SUCCESS) {
1600 *seq_num_out = seq_num;
1601 return NT_STATUS_OK;
1603 return NT_STATUS_UNSUCCESSFUL;
1607 struct pdb_samba4_search_state {
1608 uint32_t acct_flags;
1609 struct samr_displayentry *entries;
1610 uint32_t num_entries;
1615 static bool pdb_samba4_next_entry(struct pdb_search *search,
1616 struct samr_displayentry *entry)
1618 struct pdb_samba4_search_state *state = talloc_get_type_abort(
1619 search->private_data, struct pdb_samba4_search_state);
1621 if (state->current == state->num_entries) {
1625 entry->idx = state->entries[state->current].idx;
1626 entry->rid = state->entries[state->current].rid;
1627 entry->acct_flags = state->entries[state->current].acct_flags;
1629 entry->account_name = talloc_strdup(
1630 search, state->entries[state->current].account_name);
1631 entry->fullname = talloc_strdup(
1632 search, state->entries[state->current].fullname);
1633 entry->description = talloc_strdup(
1634 search, state->entries[state->current].description);
1636 state->current += 1;
1640 static void pdb_samba4_search_end(struct pdb_search *search)
1642 struct pdb_samba4_search_state *state = talloc_get_type_abort(
1643 search->private_data, struct pdb_samba4_search_state);
1647 static bool pdb_samba4_search_filter(struct pdb_methods *m,
1648 struct pdb_search *search,
1649 struct pdb_samba4_search_state **pstate,
1650 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(4, 5)
1652 struct pdb_samba4_state *state = talloc_get_type_abort(
1653 m->private_data, struct pdb_samba4_state);
1654 struct pdb_samba4_search_state *sstate;
1655 const char * attrs[] = { "objectSid", "sAMAccountName", "displayName",
1656 "userAccountControl", "description", NULL };
1657 struct ldb_result *res;
1658 int i, rc, num_users;
1661 char *expression = NULL;
1663 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1668 va_start(ap, exp_fmt);
1669 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
1673 talloc_free(tmp_ctx);
1674 return LDB_ERR_OPERATIONS_ERROR;
1677 sstate = talloc_zero(tmp_ctx, struct pdb_samba4_search_state);
1678 if (sstate == NULL) {
1679 talloc_free(tmp_ctx);
1683 rc = dsdb_search(state->ldb, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs, 0, "%s", expression);
1684 if (rc != LDB_SUCCESS) {
1685 talloc_free(tmp_ctx);
1686 DEBUG(10, ("dsdb_search failed: %s\n",
1687 ldb_errstring(state->ldb)));
1691 num_users = res->count;
1693 sstate->entries = talloc_array(sstate, struct samr_displayentry,
1695 if (sstate->entries == NULL) {
1696 talloc_free(tmp_ctx);
1697 DEBUG(10, ("talloc failed\n"));
1701 sstate->num_entries = 0;
1703 for (i=0; i<num_users; i++) {
1704 struct samr_displayentry *e;
1705 struct dom_sid *sid;
1707 e = &sstate->entries[sstate->num_entries];
1709 e->idx = sstate->num_entries;
1710 sid = samdb_result_dom_sid(tmp_ctx, res->msgs[i], "objectSid");
1712 talloc_free(tmp_ctx);
1713 DEBUG(10, ("Could not pull SID\n"));
1716 sid_peek_rid(sid, &e->rid);
1718 e->acct_flags = samdb_result_acct_flags(state->ldb, tmp_ctx,
1720 ldb_get_default_basedn(state->ldb));
1721 e->account_name = ldb_msg_find_attr_as_string(
1722 res->msgs[i], "samAccountName", NULL);
1723 if (e->account_name == NULL) {
1724 talloc_free(tmp_ctx);
1727 e->fullname = ldb_msg_find_attr_as_string(
1728 res->msgs[i], "displayName", "");
1729 e->description = ldb_msg_find_attr_as_string(
1730 res->msgs[i], "description", "");
1732 sstate->num_entries += 1;
1733 if (sstate->num_entries >= num_users) {
1737 talloc_steal(sstate->entries, res->msgs);
1738 search->private_data = talloc_steal(search, sstate);
1739 search->next_entry = pdb_samba4_next_entry;
1740 search->search_end = pdb_samba4_search_end;
1742 talloc_free(tmp_ctx);
1746 static bool pdb_samba4_search_users(struct pdb_methods *m,
1747 struct pdb_search *search,
1750 struct pdb_samba4_search_state *sstate;
1753 ret = pdb_samba4_search_filter(m, search, &sstate, "(objectclass=user)");
1757 sstate->acct_flags = acct_flags;
1761 static bool pdb_samba4_search_groups(struct pdb_methods *m,
1762 struct pdb_search *search)
1764 struct pdb_samba4_search_state *sstate;
1767 ret = pdb_samba4_search_filter(m, search, &sstate,
1768 "(&(grouptype=%d)(objectclass=group))",
1769 GTYPE_SECURITY_GLOBAL_GROUP);
1773 sstate->acct_flags = 0;
1777 static bool pdb_samba4_search_aliases(struct pdb_methods *m,
1778 struct pdb_search *search,
1779 const struct dom_sid *sid)
1781 struct pdb_samba4_search_state *sstate;
1784 ret = pdb_samba4_search_filter(m, search, &sstate,
1785 "(&(grouptype=%d)(objectclass=group))",
1786 sid_check_is_builtin(sid)
1787 ? GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
1788 : GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
1792 sstate->acct_flags = 0;
1796 static bool pdb_samba4_uid_to_sid(struct pdb_methods *m, uid_t uid,
1797 struct dom_sid *sid)
1799 struct pdb_samba4_state *state = talloc_get_type_abort(
1800 m->private_data, struct pdb_samba4_state);
1802 struct id_map id_map;
1803 struct id_map *id_maps[2];
1804 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1809 id_map.xid.id = uid;
1810 id_map.xid.type = ID_TYPE_UID;
1811 id_maps[0] = &id_map;
1814 status = idmap_xids_to_sids(state->idmap_ctx, tmp_ctx, id_maps);
1815 if (!NT_STATUS_IS_OK(status)) {
1816 talloc_free(tmp_ctx);
1820 talloc_free(tmp_ctx);
1824 static bool pdb_samba4_gid_to_sid(struct pdb_methods *m, gid_t gid,
1825 struct dom_sid *sid)
1827 struct pdb_samba4_state *state = talloc_get_type_abort(
1828 m->private_data, struct pdb_samba4_state);
1830 struct id_map id_map;
1831 struct id_map *id_maps[2];
1832 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1837 id_map.xid.id = gid;
1838 id_map.xid.type = ID_TYPE_GID;
1839 id_maps[0] = &id_map;
1842 status = idmap_xids_to_sids(state->idmap_ctx, tmp_ctx, id_maps);
1843 if (!NT_STATUS_IS_OK(status)) {
1847 talloc_free(tmp_ctx);
1851 static bool pdb_samba4_sid_to_id(struct pdb_methods *m, const struct dom_sid *sid,
1852 union unid_t *id, enum lsa_SidType *type)
1854 struct pdb_samba4_state *state = talloc_get_type_abort(
1855 m->private_data, struct pdb_samba4_state);
1856 struct id_map id_map;
1857 struct id_map *id_maps[2];
1858 const char *attrs[] = { "objectClass", "groupType", NULL };
1859 struct ldb_message *msg;
1863 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1868 ZERO_STRUCT(id_map);
1870 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, sid));
1871 if (!dn || !ldb_dn_validate(dn)) {
1872 talloc_free(tmp_ctx);
1875 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs, 0, NULL);
1876 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1877 DEBUG(5, (__location__ "SID to Unix ID lookup failed because SID %s could not be found in the samdb\n", dom_sid_string(tmp_ctx, sid)));
1878 talloc_free(tmp_ctx);
1881 if (samdb_find_attribute(state->ldb, msg, "objectClass", "group")) {
1882 uint32_t grouptype = ldb_msg_find_attr_as_uint(msg, "groupType", 0);
1883 switch (grouptype) {
1884 case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP:
1885 case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP:
1886 *type = SID_NAME_ALIAS;
1888 case GTYPE_SECURITY_GLOBAL_GROUP:
1889 *type = SID_NAME_DOM_GRP;
1892 talloc_free(tmp_ctx);
1893 DEBUG(10, ("Could not pull groupType\n"));
1897 *type = SID_NAME_DOM_GRP;
1899 ZERO_STRUCT(id_map);
1901 id_maps[0] = &id_map;
1904 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
1905 talloc_free(tmp_ctx);
1906 if (!NT_STATUS_IS_OK(status)) {
1909 if (id_map.xid.type == ID_TYPE_GID || id_map.xid.type == ID_TYPE_BOTH) {
1910 id->gid = id_map.xid.id;
1914 } else if (samdb_find_attribute(state->ldb, msg, "objectClass", "user")) {
1915 *type = SID_NAME_USER;
1916 ZERO_STRUCT(id_map);
1918 id_maps[0] = &id_map;
1921 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
1922 talloc_free(tmp_ctx);
1923 if (!NT_STATUS_IS_OK(status)) {
1926 if (id_map.xid.type == ID_TYPE_UID || id_map.xid.type == ID_TYPE_BOTH) {
1927 id->uid = id_map.xid.id;
1932 DEBUG(5, (__location__ "SID to Unix ID lookup failed because SID %s was found, but was not a user or group\n", dom_sid_string(tmp_ctx, sid)));
1933 talloc_free(tmp_ctx);
1937 static uint32_t pdb_samba4_capabilities(struct pdb_methods *m)
1939 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS;
1942 static bool pdb_samba4_new_rid(struct pdb_methods *m, uint32 *rid)
1947 static bool pdb_samba4_get_trusteddom_pw(struct pdb_methods *m,
1948 const char *domain, char** pwd,
1949 struct dom_sid *sid,
1950 time_t *pass_last_set_time)
1955 static bool pdb_samba4_set_trusteddom_pw(struct pdb_methods *m,
1956 const char* domain, const char* pwd,
1957 const struct dom_sid *sid)
1962 static bool pdb_samba4_del_trusteddom_pw(struct pdb_methods *m,
1968 static NTSTATUS pdb_samba4_enum_trusteddoms(struct pdb_methods *m,
1969 TALLOC_CTX *mem_ctx,
1970 uint32 *num_domains,
1971 struct trustdom_info ***domains)
1975 return NT_STATUS_OK;
1978 static void pdb_samba4_init_methods(struct pdb_methods *m)
1981 m->get_domain_info = pdb_samba4_get_domain_info;
1982 m->getsampwnam = pdb_samba4_getsampwnam;
1983 m->getsampwsid = pdb_samba4_getsampwsid;
1984 m->create_user = pdb_samba4_create_user;
1985 m->delete_user = pdb_samba4_delete_user;
1986 m->add_sam_account = pdb_samba4_add_sam_account;
1987 m->update_sam_account = pdb_samba4_update_sam_account;
1988 m->delete_sam_account = pdb_samba4_delete_sam_account;
1989 m->rename_sam_account = pdb_samba4_rename_sam_account;
1990 m->update_login_attempts = pdb_samba4_update_login_attempts;
1991 m->getgrsid = pdb_samba4_getgrsid;
1992 m->getgrgid = pdb_samba4_getgrgid;
1993 m->getgrnam = pdb_samba4_getgrnam;
1994 m->create_dom_group = pdb_samba4_create_dom_group;
1995 m->delete_dom_group = pdb_samba4_delete_dom_group;
1996 m->add_group_mapping_entry = pdb_samba4_add_group_mapping_entry;
1997 m->update_group_mapping_entry = pdb_samba4_update_group_mapping_entry;
1998 m->delete_group_mapping_entry = pdb_samba4_delete_group_mapping_entry;
1999 m->enum_group_mapping = pdb_samba4_enum_group_mapping;
2000 m->enum_group_members = pdb_samba4_enum_group_members;
2001 m->enum_group_memberships = pdb_samba4_enum_group_memberships;
2002 m->set_unix_primary_group = pdb_samba4_set_unix_primary_group;
2003 m->add_groupmem = pdb_samba4_add_groupmem;
2004 m->del_groupmem = pdb_samba4_del_groupmem;
2005 m->create_alias = pdb_samba4_create_alias;
2006 m->delete_alias = pdb_samba4_delete_alias;
2007 m->get_aliasinfo = pdb_default_get_aliasinfo;
2008 m->add_aliasmem = pdb_samba4_add_aliasmem;
2009 m->del_aliasmem = pdb_samba4_del_aliasmem;
2010 m->enum_aliasmem = pdb_samba4_enum_aliasmem;
2011 m->enum_alias_memberships = pdb_samba4_enum_alias_memberships;
2012 m->lookup_rids = pdb_samba4_lookup_rids;
2013 m->lookup_names = pdb_samba4_lookup_names;
2014 m->get_account_policy = pdb_samba4_get_account_policy;
2015 m->set_account_policy = pdb_samba4_set_account_policy;
2016 m->get_seq_num = pdb_samba4_get_seq_num;
2017 m->search_users = pdb_samba4_search_users;
2018 m->search_groups = pdb_samba4_search_groups;
2019 m->search_aliases = pdb_samba4_search_aliases;
2020 m->uid_to_sid = pdb_samba4_uid_to_sid;
2021 m->gid_to_sid = pdb_samba4_gid_to_sid;
2022 m->sid_to_id = pdb_samba4_sid_to_id;
2023 m->capabilities = pdb_samba4_capabilities;
2024 m->new_rid = pdb_samba4_new_rid;
2025 m->get_trusteddom_pw = pdb_samba4_get_trusteddom_pw;
2026 m->set_trusteddom_pw = pdb_samba4_set_trusteddom_pw;
2027 m->del_trusteddom_pw = pdb_samba4_del_trusteddom_pw;
2028 m->enum_trusteddoms = pdb_samba4_enum_trusteddoms;
2031 static void free_private_data(void **vp)
2033 struct pdb_samba4_state *state = talloc_get_type_abort(
2034 *vp, struct pdb_samba4_state);
2035 talloc_unlink(state, state->ldb);
2039 static NTSTATUS pdb_init_samba4(struct pdb_methods **pdb_method,
2040 const char *location)
2042 struct pdb_methods *m;
2043 struct pdb_samba4_state *state;
2046 if ( !NT_STATUS_IS_OK(status = make_pdb_method( &m )) ) {
2050 state = talloc_zero(m, struct pdb_samba4_state);
2051 if (state == NULL) {
2054 m->private_data = state;
2055 m->free_private_data = free_private_data;
2056 pdb_samba4_init_methods(m);
2058 state->ev = s4_event_context_init(state);
2060 DEBUG(10, ("s4_event_context_init failed\n"));
2064 state->lp_ctx = loadparm_init_s3(state, loadparm_s3_context());
2065 if (state->lp_ctx == NULL) {
2066 DEBUG(10, ("loadparm_init_s3 failed\n"));
2070 state->ldb = samdb_connect(state,
2073 system_session(state->lp_ctx), 0);
2076 DEBUG(10, ("samdb_connect failed\n"));
2080 state->idmap_ctx = idmap_init(state, state->ev,
2082 if (!state->idmap_ctx) {
2083 DEBUG(10, ("samdb_connect failed\n"));
2088 return NT_STATUS_OK;
2090 status = NT_STATUS_NO_MEMORY;
2096 NTSTATUS pdb_samba4_init(void);
2097 NTSTATUS pdb_samba4_init(void)
2099 return smb_register_passdb(PASSDB_INTERFACE_VERSION, "samba4",
git.samba.org / amitay / samba.git / blob