2 Unix SMB/CIFS implementation.
3 Copyright (C) Andrew Tridgell 1992-2001
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Rafal Szczesniak 2002
6 Copyright (C) Tim Potter 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* the Samba secrets database stores any generated, private information
23 such as the local SID and machine trust password */
26 #include "../libcli/auth/libcli_auth.h"
27 #include "librpc/gen_ndr/ndr_secrets.h"
30 #define DBGC_CLASS DBGC_PASSDB
32 static struct db_context *db_ctx;
34 /* Urrrg. global.... */
35 bool global_machine_password_needs_changing;
38 * Use a TDB to store an incrementing random seed.
40 * Initialised to the current pid, the very first time Samba starts,
41 * and incremented by one each time it is needed.
43 * @note Not called by systems with a working /dev/urandom.
45 static void get_rand_seed(void *userdata, int *new_seed)
47 *new_seed = sys_getpid();
49 dbwrap_trans_change_int32_atomic(db_ctx, "INFO/random_seed",
54 /* open up the secrets database */
55 bool secrets_init(void)
63 fname = talloc_asprintf(talloc_tos(), "%s/secrets.tdb",
69 db_ctx = db_open(NULL, fname, 0,
70 TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
73 DEBUG(0,("Failed to open %s\n", fname));
81 * Set a reseed function for the crypto random generator
83 * This avoids a problem where systems without /dev/urandom
84 * could send the same challenge to multiple clients
86 set_rand_reseed_callback(get_rand_seed, NULL);
88 /* Ensure that the reseed is done now, while we are root, etc */
89 generate_random_buffer(&dummy, sizeof(dummy));
94 struct db_context *secrets_db_ctx(void)
96 if (!secrets_init()) {
106 void secrets_shutdown(void)
111 /* read a entry from the secrets database - the caller must free the result
112 if size is non-null then the size of the entry is put in there
114 void *secrets_fetch(const char *key, size_t *size)
119 if (!secrets_init()) {
123 if (db_ctx->fetch(db_ctx, talloc_tos(), string_tdb_data(key),
128 result = memdup(dbuf.dptr, dbuf.dsize);
129 if (result == NULL) {
132 TALLOC_FREE(dbuf.dptr);
141 /* store a secrets entry
143 bool secrets_store(const char *key, const void *data, size_t size)
147 if (!secrets_init()) {
151 status = dbwrap_trans_store(db_ctx, string_tdb_data(key),
152 make_tdb_data((const uint8 *)data, size),
154 return NT_STATUS_IS_OK(status);
158 /* delete a secets database entry
160 bool secrets_delete(const char *key)
163 if (!secrets_init()) {
167 status = dbwrap_trans_delete(db_ctx, string_tdb_data(key));
169 return NT_STATUS_IS_OK(status);
173 * Form a key for fetching the domain sid
175 * @param domain domain name
179 static const char *domain_sid_keystr(const char *domain)
183 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
184 SECRETS_DOMAIN_SID, domain);
185 SMB_ASSERT(keystr != NULL);
189 bool secrets_store_domain_sid(const char *domain, const DOM_SID *sid)
193 ret = secrets_store(domain_sid_keystr(domain), sid, sizeof(DOM_SID));
195 /* Force a re-query, in case we modified our domain */
197 reset_global_sam_sid();
201 bool secrets_fetch_domain_sid(const char *domain, DOM_SID *sid)
206 dyn_sid = (DOM_SID *)secrets_fetch(domain_sid_keystr(domain), &size);
211 if (size != sizeof(DOM_SID)) {
221 bool secrets_store_domain_guid(const char *domain, struct GUID *guid)
225 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
227 return secrets_store(key, guid, sizeof(struct GUID));
230 bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
232 struct GUID *dyn_guid;
235 struct GUID new_guid;
237 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
239 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
242 if (lp_server_role() == ROLE_DOMAIN_PDC) {
243 new_guid = GUID_random();
244 if (!secrets_store_domain_guid(domain, &new_guid))
246 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
248 if (dyn_guid == NULL) {
253 if (size != sizeof(struct GUID)) {
254 DEBUG(1,("UUID size %d is wrong!\n", (int)size));
264 bool secrets_store_local_schannel_key(uint8_t schannel_key[16])
266 return secrets_store(SECRETS_LOCAL_SCHANNEL_KEY, schannel_key, 16);
269 bool secrets_fetch_local_schannel_key(uint8_t schannel_key[16])
274 key = (uint8_t *)secrets_fetch(SECRETS_LOCAL_SCHANNEL_KEY, &size);
284 memcpy(schannel_key, key, 16);
290 * Form a key for fetching the machine trust account sec channel type
292 * @param domain domain name
296 static const char *machine_sec_channel_type_keystr(const char *domain)
300 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
301 SECRETS_MACHINE_SEC_CHANNEL_TYPE,
303 SMB_ASSERT(keystr != NULL);
308 * Form a key for fetching the machine trust account last change time
310 * @param domain domain name
314 static const char *machine_last_change_time_keystr(const char *domain)
318 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
319 SECRETS_MACHINE_LAST_CHANGE_TIME,
321 SMB_ASSERT(keystr != NULL);
327 * Form a key for fetching the machine trust account password
329 * @param domain domain name
333 static const char *machine_password_keystr(const char *domain)
337 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
338 SECRETS_MACHINE_PASSWORD, domain);
339 SMB_ASSERT(keystr != NULL);
344 * Form a key for fetching the machine trust account password
346 * @param domain domain name
348 * @return stored password's key
350 static const char *trust_keystr(const char *domain)
354 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
355 SECRETS_MACHINE_ACCT_PASS, domain);
356 SMB_ASSERT(keystr != NULL);
361 * Form a key for fetching a trusted domain password
363 * @param domain trusted domain name
365 * @return stored password's key
367 static char *trustdom_keystr(const char *domain)
371 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
372 SECRETS_DOMTRUST_ACCT_PASS,
374 SMB_ASSERT(keystr != NULL);
378 /************************************************************************
379 Lock the trust password entry.
380 ************************************************************************/
382 void *secrets_get_trust_account_lock(TALLOC_CTX *mem_ctx, const char *domain)
384 if (!secrets_init()) {
388 return db_ctx->fetch_locked(
389 db_ctx, mem_ctx, string_term_tdb_data(trust_keystr(domain)));
392 /************************************************************************
393 Routine to get the default secure channel type for trust accounts
394 ************************************************************************/
396 enum netr_SchannelType get_default_sec_channel(void)
398 if (lp_server_role() == ROLE_DOMAIN_BDC ||
399 lp_server_role() == ROLE_DOMAIN_PDC) {
402 return SEC_CHAN_WKSTA;
406 /************************************************************************
407 Routine to get the trust account password for a domain.
408 This only tries to get the legacy hashed version of the password.
409 The user of this function must have locked the trust password file using
410 the above secrets_lock_trust_account_password().
411 ************************************************************************/
413 bool secrets_fetch_trust_account_password_legacy(const char *domain,
415 time_t *pass_last_set_time,
416 enum netr_SchannelType *channel)
418 struct machine_acct_pass *pass;
421 if (!(pass = (struct machine_acct_pass *)secrets_fetch(
422 trust_keystr(domain), &size))) {
423 DEBUG(5, ("secrets_fetch failed!\n"));
427 if (size != sizeof(*pass)) {
428 DEBUG(0, ("secrets were of incorrect size!\n"));
433 if (pass_last_set_time) {
434 *pass_last_set_time = pass->mod_time;
436 memcpy(ret_pwd, pass->hash, 16);
439 *channel = get_default_sec_channel();
442 /* Test if machine password has expired and needs to be changed */
443 if (lp_machine_password_timeout()) {
444 if (pass->mod_time > 0 && time(NULL) > (pass->mod_time +
445 (time_t)lp_machine_password_timeout())) {
446 global_machine_password_needs_changing = True;
454 /************************************************************************
455 Routine to get the trust account password for a domain.
456 The user of this function must have locked the trust password file using
457 the above secrets_lock_trust_account_password().
458 ************************************************************************/
460 bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
461 time_t *pass_last_set_time,
462 enum netr_SchannelType *channel)
466 plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
469 DEBUG(4,("Using cleartext machine password\n"));
470 E_md4hash(plaintext, ret_pwd);
471 SAFE_FREE(plaintext);
475 return secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
480 /************************************************************************
481 Routine to get account password to trusted domain
482 ************************************************************************/
484 bool secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
485 DOM_SID *sid, time_t *pass_last_set_time)
487 struct TRUSTED_DOM_PASS pass;
488 enum ndr_err_code ndr_err;
490 /* unpacking structures */
493 /* fetching trusted domain password structure */
494 if (!(blob.data = (uint8_t *)secrets_fetch(trustdom_keystr(domain),
496 DEBUG(5, ("secrets_fetch failed!\n"));
500 /* unpack trusted domain password */
501 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &pass,
502 (ndr_pull_flags_fn_t)ndr_pull_TRUSTED_DOM_PASS);
503 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
507 SAFE_FREE(blob.data);
509 /* the trust's password */
511 *pwd = SMB_STRDUP(pass.pass);
517 /* last change time */
518 if (pass_last_set_time) *pass_last_set_time = pass.mod_time;
521 if (sid != NULL) sid_copy(sid, &pass.domain_sid);
527 * Routine to store the password for trusted domain
529 * @param domain remote domain name
530 * @param pwd plain text password of trust relationship
531 * @param sid remote domain sid
533 * @return true if succeeded
536 bool secrets_store_trusted_domain_password(const char* domain, const char* pwd,
541 /* packing structures */
543 enum ndr_err_code ndr_err;
544 struct TRUSTED_DOM_PASS pass;
547 pass.uni_name = domain;
548 pass.uni_name_len = strlen(domain)+1;
550 /* last change time */
551 pass.mod_time = time(NULL);
553 /* password of the trust */
554 pass.pass_len = strlen(pwd);
558 sid_copy(&pass.domain_sid, sid);
560 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &pass,
561 (ndr_push_flags_fn_t)ndr_push_TRUSTED_DOM_PASS);
562 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
566 ret = secrets_store(trustdom_keystr(domain), blob.data, blob.length);
568 data_blob_free(&blob);
573 /************************************************************************
574 Routine to delete the plaintext machine account password
575 ************************************************************************/
577 bool secrets_delete_machine_password(const char *domain)
579 return secrets_delete(machine_password_keystr(domain));
582 /************************************************************************
583 Routine to delete the plaintext machine account password, sec channel type and
584 last change time from secrets database
585 ************************************************************************/
587 bool secrets_delete_machine_password_ex(const char *domain)
589 if (!secrets_delete(machine_password_keystr(domain))) {
592 if (!secrets_delete(machine_sec_channel_type_keystr(domain))) {
595 return secrets_delete(machine_last_change_time_keystr(domain));
598 /************************************************************************
599 Routine to delete the domain sid
600 ************************************************************************/
602 bool secrets_delete_domain_sid(const char *domain)
604 return secrets_delete(domain_sid_keystr(domain));
607 /************************************************************************
608 Routine to set the plaintext machine account password for a realm
609 the password is assumed to be a null terminated ascii string
610 ************************************************************************/
612 bool secrets_store_machine_password(const char *pass, const char *domain,
613 enum netr_SchannelType sec_channel)
616 uint32 last_change_time;
617 uint32 sec_channel_type;
619 ret = secrets_store(machine_password_keystr(domain), pass, strlen(pass)+1);
623 SIVAL(&last_change_time, 0, time(NULL));
624 ret = secrets_store(machine_last_change_time_keystr(domain), &last_change_time, sizeof(last_change_time));
626 SIVAL(&sec_channel_type, 0, sec_channel);
627 ret = secrets_store(machine_sec_channel_type_keystr(domain), &sec_channel_type, sizeof(sec_channel_type));
632 /************************************************************************
633 Routine to fetch the plaintext machine account password for a realm
634 the password is assumed to be a null terminated ascii string.
635 ************************************************************************/
637 char *secrets_fetch_machine_password(const char *domain,
638 time_t *pass_last_set_time,
639 enum netr_SchannelType *channel)
642 ret = (char *)secrets_fetch(machine_password_keystr(domain), NULL);
644 if (pass_last_set_time) {
646 uint32 *last_set_time;
647 last_set_time = (unsigned int *)secrets_fetch(machine_last_change_time_keystr(domain), &size);
649 *pass_last_set_time = IVAL(last_set_time,0);
650 SAFE_FREE(last_set_time);
652 *pass_last_set_time = 0;
658 uint32 *channel_type;
659 channel_type = (unsigned int *)secrets_fetch(machine_sec_channel_type_keystr(domain), &size);
661 *channel = IVAL(channel_type,0);
662 SAFE_FREE(channel_type);
664 *channel = get_default_sec_channel();
671 /************************************************************************
672 Routine to delete the password for trusted domain
673 ************************************************************************/
675 bool trusted_domain_password_delete(const char *domain)
677 return secrets_delete(trustdom_keystr(domain));
680 bool secrets_store_ldap_pw(const char* dn, char* pw)
685 if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, dn) < 0) {
686 DEBUG(0, ("secrets_store_ldap_pw: asprintf failed!\n"));
690 ret = secrets_store(key, pw, strlen(pw)+1);
696 /*******************************************************************
697 Find the ldap password.
698 ******************************************************************/
700 bool fetch_ldap_pw(char **dn, char** pw)
705 *dn = smb_xstrdup(lp_ldap_admin_dn());
707 if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, *dn) < 0) {
709 DEBUG(0, ("fetch_ldap_pw: asprintf failed!\n"));
713 *pw=(char *)secrets_fetch(key, &size);
717 /* Upgrade 2.2 style entry */
719 char* old_style_key = SMB_STRDUP(*dn);
721 fstring old_style_pw;
723 if (!old_style_key) {
724 DEBUG(0, ("fetch_ldap_pw: strdup failed!\n"));
728 for (p=old_style_key; *p; p++)
729 if (*p == ',') *p = '/';
731 data=(char *)secrets_fetch(old_style_key, &size);
732 if ((data == NULL) || (size < sizeof(old_style_pw))) {
733 DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
734 SAFE_FREE(old_style_key);
740 size = MIN(size, sizeof(fstring)-1);
741 strncpy(old_style_pw, data, size);
742 old_style_pw[size] = 0;
746 if (!secrets_store_ldap_pw(*dn, old_style_pw)) {
747 DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n"));
748 SAFE_FREE(old_style_key);
752 if (!secrets_delete(old_style_key)) {
753 DEBUG(0,("fetch_ldap_pw: old ldap secret could not be deleted!\n"));
756 SAFE_FREE(old_style_key);
758 *pw = smb_xstrdup(old_style_pw);
765 * Get trusted domains info from secrets.tdb.
768 struct list_trusted_domains_state {
770 struct trustdom_info **domains;
773 static int list_trusted_domain(struct db_record *rec, void *private_data)
775 const size_t prefix_len = strlen(SECRETS_DOMTRUST_ACCT_PASS);
776 struct TRUSTED_DOM_PASS pass;
777 enum ndr_err_code ndr_err;
779 struct trustdom_info *dom_info;
781 struct list_trusted_domains_state *state =
782 (struct list_trusted_domains_state *)private_data;
784 if ((rec->key.dsize < prefix_len)
785 || (strncmp((char *)rec->key.dptr, SECRETS_DOMTRUST_ACCT_PASS,
790 blob = data_blob_const(rec->value.dptr, rec->value.dsize);
792 ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &pass,
793 (ndr_pull_flags_fn_t)ndr_pull_TRUSTED_DOM_PASS);
794 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
798 if (pass.domain_sid.num_auths != 4) {
799 DEBUG(0, ("SID %s is not a domain sid, has %d "
800 "auths instead of 4\n",
801 sid_string_dbg(&pass.domain_sid),
802 pass.domain_sid.num_auths));
806 if (!(dom_info = TALLOC_P(state->domains, struct trustdom_info))) {
807 DEBUG(0, ("talloc failed\n"));
811 dom_info->name = talloc_strdup(dom_info, pass.uni_name);
812 if (!dom_info->name) {
813 TALLOC_FREE(dom_info);
817 sid_copy(&dom_info->sid, &pass.domain_sid);
819 ADD_TO_ARRAY(state->domains, struct trustdom_info *, dom_info,
820 &state->domains, &state->num_domains);
822 if (state->domains == NULL) {
823 state->num_domains = 0;
829 NTSTATUS secrets_trusted_domains(TALLOC_CTX *mem_ctx, uint32 *num_domains,
830 struct trustdom_info ***domains)
832 struct list_trusted_domains_state state;
836 if (db_ctx == NULL) {
837 return NT_STATUS_ACCESS_DENIED;
840 state.num_domains = 0;
843 * Make sure that a talloc context for the trustdom_info structs
847 if (!(state.domains = TALLOC_ARRAY(
848 mem_ctx, struct trustdom_info *, 1))) {
849 return NT_STATUS_NO_MEMORY;
852 db_ctx->traverse_read(db_ctx, list_trusted_domain, (void *)&state);
854 *num_domains = state.num_domains;
855 *domains = state.domains;
859 /*******************************************************************************
860 Store a complete AFS keyfile into secrets.tdb.
861 *******************************************************************************/
863 bool secrets_store_afs_keyfile(const char *cell, const struct afs_keyfile *keyfile)
867 if ((cell == NULL) || (keyfile == NULL))
870 if (ntohl(keyfile->nkeys) > SECRETS_AFS_MAXKEYS)
873 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_AFS_KEYFILE, cell);
874 return secrets_store(key, keyfile, sizeof(struct afs_keyfile));
877 /*******************************************************************************
878 Fetch the current (highest) AFS key from secrets.tdb
879 *******************************************************************************/
880 bool secrets_fetch_afs_key(const char *cell, struct afs_key *result)
883 struct afs_keyfile *keyfile;
887 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_AFS_KEYFILE, cell);
889 keyfile = (struct afs_keyfile *)secrets_fetch(key, &size);
894 if (size != sizeof(struct afs_keyfile)) {
899 i = ntohl(keyfile->nkeys);
901 if (i > SECRETS_AFS_MAXKEYS) {
906 *result = keyfile->entry[i-1];
908 result->kvno = ntohl(result->kvno);
915 /******************************************************************************
916 When kerberos is not available, choose between anonymous or
917 authenticated connections.
919 We need to use an authenticated connection if DCs have the
920 RestrictAnonymous registry entry set > 0, or the "Additional
921 restrictions for anonymous connections" set in the win2k Local
924 Caller to free() result in domain, username, password
925 *******************************************************************************/
926 void secrets_fetch_ipc_userpass(char **username, char **domain, char **password)
928 *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
929 *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
930 *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
932 if (*username && **username) {
934 if (!*domain || !**domain)
935 *domain = smb_xstrdup(lp_workgroup());
937 if (!*password || !**password)
938 *password = smb_xstrdup("");
940 DEBUG(3, ("IPC$ connections done by user %s\\%s\n",
941 *domain, *username));
944 DEBUG(3, ("IPC$ connections done anonymously\n"));
945 *username = smb_xstrdup("");
946 *domain = smb_xstrdup("");
947 *password = smb_xstrdup("");
951 bool secrets_store_generic(const char *owner, const char *key, const char *secret)
956 if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) {
957 DEBUG(0, ("asprintf failed!\n"));
961 ret = secrets_store(tdbkey, secret, strlen(secret)+1);
967 bool secrets_delete_generic(const char *owner, const char *key)
972 if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) {
973 DEBUG(0, ("asprintf failed!\n"));
977 ret = secrets_delete(tdbkey);
983 /*******************************************************************
984 Find the ldap password.
985 ******************************************************************/
987 char *secrets_fetch_generic(const char *owner, const char *key)
992 if (( ! owner) || ( ! key)) {
993 DEBUG(1, ("Invalid Paramters"));
997 if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) {
998 DEBUG(0, ("Out of memory!\n"));
1002 secret = (char *)secrets_fetch(tdbkey, NULL);
git.samba.org / amitay / samba.git / blob