Copyright (C) Andrew Bartlett 2002
Copyright (C) Jelmer Vernooij 2002
Copyright (C) Simo Sorce 2003
+ Copyright (C) Volker Lendecke 2006
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
+#include "system/passwd.h"
+#include "passdb.h"
+#include "secrets.h"
+#include "messages.h"
+#include "../librpc/gen_ndr/samr.h"
+#include "../librpc/gen_ndr/drsblobs.h"
+#include "../librpc/gen_ndr/ndr_drsblobs.h"
+#include "memcache.h"
+#include "nsswitch/winbind_client.h"
+#include "../libcli/security/security.h"
+#include "../lib/util/util_pw.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
+static_decl_pdb;
+
static struct pdb_init_function_entry *backends = NULL;
static void lazy_initialize_passdb(void)
{
- static BOOL initialized = False;
- if(initialized)return;
+ static bool initialized = False;
+ if(initialized) {
+ return;
+ }
static_init_pdb;
initialized = True;
}
-static struct pdb_init_function_entry *pdb_find_backend_entry(const char *name);
-
-/*******************************************************************
- Clean up uninitialised passwords. The only way to tell
- that these values are not 'real' is that they do not
- have a valid last set time. Instead, the value is fixed at 0.
- Therefore we use that as the key for 'is this a valid password'.
- However, it is perfectly valid to have a 'default' last change
- time, such LDAP with a missing attribute would produce.
-********************************************************************/
-
-static void pdb_force_pw_initialization(SAM_ACCOUNT *pass)
-{
- const char *lm_pwd, *nt_pwd;
-
- /* only reset a password if the last set time has been
- explicitly been set to zero. A default last set time
- is ignored */
-
- if ( (pdb_get_init_flags(pass, PDB_PASSLASTSET) != PDB_DEFAULT)
- && (pdb_get_pass_last_set_time(pass) == 0) )
- {
-
- if (pdb_get_init_flags(pass, PDB_LMPASSWD) != PDB_DEFAULT)
- {
- lm_pwd = pdb_get_lanman_passwd(pass);
- if (lm_pwd)
- pdb_set_lanman_passwd(pass, NULL, PDB_CHANGED);
- }
- if (pdb_get_init_flags(pass, PDB_NTPASSWD) != PDB_DEFAULT)
- {
- nt_pwd = pdb_get_nt_passwd(pass);
- if (nt_pwd)
- pdb_set_nt_passwd(pass, NULL, PDB_CHANGED);
- }
- }
-
- return;
-}
+static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
+ const char **name,
+ enum lsa_SidType *psid_name_use,
+ union unid_t *unix_id);
NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
{
return NT_STATUS_OK;
}
-static struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
+struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
{
struct pdb_init_function_entry *entry = backends;
return NULL;
}
-static NTSTATUS context_setsampwent(struct pdb_context *context, BOOL update, uint16 acb_mask)
+const struct pdb_init_function_entry *pdb_get_backends(void)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ return backends;
+}
- if (!context) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
- }
- context->pwent_methods = context->pdb_methods;
+/*
+ * The event context for the passdb backend. I know this is a bad hack and yet
+ * another static variable, but our pdb API is a global thing per
+ * definition. The first use for this is the LDAP idle function, more might be
+ * added later.
+ *
+ * I don't feel too bad about this static variable, it replaces the
+ * smb_idle_event_list that used to exist in lib/module.c. -- VL
+ */
+
+static struct event_context *pdb_event_ctx;
+
+struct event_context *pdb_get_event_context(void)
+{
+ return pdb_event_ctx;
+}
+
+/******************************************************************
+ Make a pdb_methods from scratch
+ *******************************************************************/
+
+NTSTATUS make_pdb_method_name(struct pdb_methods **methods, const char *selected)
+{
+ char *module_name = smb_xstrdup(selected);
+ char *module_location = NULL, *p;
+ struct pdb_init_function_entry *entry;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+
+ lazy_initialize_passdb();
+
+ p = strchr(module_name, ':');
- if (!context->pwent_methods) {
- /* No passdbs at all */
- return ret;
+ if (p) {
+ *p = 0;
+ module_location = p+1;
+ trim_char(module_location, ' ', ' ');
}
- while (NT_STATUS_IS_ERR(ret = context->pwent_methods->setsampwent(context->pwent_methods, update, acb_mask))) {
- context->pwent_methods = context->pwent_methods->next;
- if (context->pwent_methods == NULL)
+ trim_char(module_name, ' ', ' ');
+
+
+ DEBUG(5,("Attempting to find a passdb backend to match %s (%s)\n", selected, module_name));
+
+ entry = pdb_find_backend_entry(module_name);
+
+ /* Try to find a module that contains this module */
+ if (!entry) {
+ DEBUG(2,("No builtin backend found, trying to load plugin\n"));
+ if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) {
+ DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name));
+ SAFE_FREE(module_name);
return NT_STATUS_UNSUCCESSFUL;
+ }
}
- return ret;
+
+ /* No such backend found */
+ if(!entry) {
+ DEBUG(0,("No builtin nor plugin backend for %s found\n", module_name));
+ SAFE_FREE(module_name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DEBUG(5,("Found pdb backend %s\n", module_name));
+
+ if ( !NT_STATUS_IS_OK( nt_status = entry->init(methods, module_location) ) ) {
+ DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n",
+ selected, nt_errstr(nt_status)));
+ SAFE_FREE(module_name);
+ return nt_status;
+ }
+
+ SAFE_FREE(module_name);
+
+ DEBUG(5,("pdb backend %s has a valid init\n", selected));
+
+ return nt_status;
}
-static void context_endsampwent(struct pdb_context *context)
+/******************************************************************
+ Return an already initialized pdb_methods structure
+*******************************************************************/
+
+static struct pdb_methods *pdb_get_methods_reload( bool reload )
{
- if ((!context)){
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return;
+ static struct pdb_methods *pdb = NULL;
+
+ if ( pdb && reload ) {
+ pdb->free_private_data( &(pdb->private_data) );
+ if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
+ char *msg = NULL;
+ if (asprintf(&msg, "pdb_get_methods_reload: "
+ "failed to get pdb methods for backend %s\n",
+ lp_passdb_backend()) > 0) {
+ smb_panic(msg);
+ } else {
+ smb_panic("pdb_get_methods_reload");
+ }
+ }
+ }
+
+ if ( !pdb ) {
+ if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
+ char *msg = NULL;
+ if (asprintf(&msg, "pdb_get_methods_reload: "
+ "failed to get pdb methods for backend %s\n",
+ lp_passdb_backend()) > 0) {
+ smb_panic(msg);
+ } else {
+ smb_panic("pdb_get_methods_reload");
+ }
+ }
}
- if (context->pwent_methods && context->pwent_methods->endsampwent)
- context->pwent_methods->endsampwent(context->pwent_methods);
+ return pdb;
+}
- /* So we won't get strange data when calling getsampwent now */
- context->pwent_methods = NULL;
+static struct pdb_methods *pdb_get_methods(void)
+{
+ return pdb_get_methods_reload(False);
}
-static NTSTATUS context_getsampwent(struct pdb_context *context, SAM_ACCOUNT *user)
+struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX *mem_ctx)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_domain_info(pdb, mem_ctx);
+}
- if ((!context) || (!context->pwent_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
- }
- /* Loop until we find something useful */
- while (NT_STATUS_IS_ERR(ret = context->pwent_methods->getsampwent(context->pwent_methods, user))) {
+/**
+ * @brief Check if the user account has been locked out and try to unlock it.
+ *
+ * If the user has been automatically locked out and a lockout duration is set,
+ * then check if we can unlock the account and reset the bad password values.
+ *
+ * @param[in] sampass The sam user to check.
+ *
+ * @return True if the function was successfull, false on an error.
+ */
+static bool pdb_try_account_unlock(struct samu *sampass)
+{
+ uint32_t acb_info = pdb_get_acct_ctrl(sampass);
+
+ if ((acb_info & ACB_NORMAL) && (acb_info & ACB_AUTOLOCK)) {
+ uint32_t lockout_duration;
+ time_t bad_password_time;
+ time_t now = time(NULL);
+ bool ok;
- context->pwent_methods->endsampwent(context->pwent_methods);
+ ok = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
+ &lockout_duration);
+ if (!ok) {
+ DEBUG(0, ("pdb_try_account_unlock: "
+ "pdb_get_account_policy failed.\n"));
+ return false;
+ }
- context->pwent_methods = context->pwent_methods->next;
+ if (lockout_duration == (uint32_t) -1 ||
+ lockout_duration == 0) {
+ DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
+ "can't reset autolock\n"));
+ return false;
+ }
+ lockout_duration *= 60;
+
+ bad_password_time = pdb_get_bad_password_time(sampass);
+ if (bad_password_time == (time_t) 0) {
+ DEBUG(2, ("pdb_try_account_unlock: Account %s "
+ "administratively locked out "
+ "with no bad password "
+ "time. Leaving locked out.\n",
+ pdb_get_username(sampass)));
+ return true;
+ }
- /* All methods are checked now. There are no more entries */
- if (context->pwent_methods == NULL)
- return ret;
-
- context->pwent_methods->setsampwent(context->pwent_methods, False, 0);
+ if ((bad_password_time +
+ convert_uint32_t_to_time_t(lockout_duration)) < now) {
+ NTSTATUS status;
+
+ pdb_set_acct_ctrl(sampass, acb_info & ~ACB_AUTOLOCK,
+ PDB_CHANGED);
+ pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
+ pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
+
+ become_root();
+ status = pdb_update_sam_account(sampass);
+ unbecome_root();
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("_samr_OpenUser: Couldn't "
+ "update account %s - %s\n",
+ pdb_get_username(sampass),
+ nt_errstr(status)));
+ return false;
+ }
+ }
}
- user->methods = context->pwent_methods;
- pdb_force_pw_initialization(user);
- return ret;
+
+ return true;
}
-static NTSTATUS context_getsampwnam(struct pdb_context *context, SAM_ACCOUNT *sam_acct, const char *username)
+/**
+ * @brief Get a sam user structure by the given username.
+ *
+ * This functions also checks if the account has been automatically locked out
+ * and unlocks it if a lockout duration time has been defined and the time has
+ * elapsed.
+ *
+ * @param[in] sam_acct The sam user structure to fill.
+ *
+ * @param[in] username The username to look for.
+ *
+ * @return True on success, false on error.
+ */
+bool pdb_getsampwnam(struct samu *sam_acct, const char *username)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct pdb_methods *pdb = pdb_get_methods();
+ struct samu *for_cache;
+ const struct dom_sid *user_sid;
+ NTSTATUS status;
+ bool ok;
- struct pdb_methods *curmethods;
- if ((!context)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ status = pdb->getsampwnam(pdb, sam_acct, username);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
}
- curmethods = context->pdb_methods;
- while (curmethods){
- if (NT_STATUS_IS_OK(ret = curmethods->getsampwnam(curmethods, sam_acct, username))) {
- pdb_force_pw_initialization(sam_acct);
- sam_acct->methods = curmethods;
- return ret;
- }
- curmethods = curmethods->next;
+
+ ok = pdb_try_account_unlock(sam_acct);
+ if (!ok) {
+ DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
+ username));
}
- return ret;
+ for_cache = samu_new(NULL);
+ if (for_cache == NULL) {
+ return False;
+ }
+
+ if (!pdb_copy_sam_account(for_cache, sam_acct)) {
+ TALLOC_FREE(for_cache);
+ return False;
+ }
+
+ user_sid = pdb_get_user_sid(for_cache);
+
+ memcache_add_talloc(NULL, PDB_GETPWSID_CACHE,
+ data_blob_const(user_sid, sizeof(*user_sid)),
+ &for_cache);
+
+ return True;
}
-static NTSTATUS context_getsampwsid(struct pdb_context *context, SAM_ACCOUNT *sam_acct, const DOM_SID *sid)
+/**********************************************************************
+**********************************************************************/
+
+static bool guest_user_info( struct samu *user )
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct passwd *pwd;
+ NTSTATUS result;
+ const char *guestname = lp_guestaccount();
- struct pdb_methods *curmethods;
- if ((!context)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ pwd = Get_Pwnam_alloc(talloc_tos(), guestname);
+ if (pwd == NULL) {
+ DEBUG(0,("guest_user_info: Unable to locate guest account [%s]!\n",
+ guestname));
+ return False;
}
-
- curmethods = context->pdb_methods;
- while (curmethods){
- if (NT_STATUS_IS_OK(ret = curmethods->getsampwsid(curmethods, sam_acct, sid))) {
- pdb_force_pw_initialization(sam_acct);
- sam_acct->methods = curmethods;
- return ret;
- }
- curmethods = curmethods->next;
+ result = samu_set_unix(user, pwd );
+
+ TALLOC_FREE( pwd );
+
+ return NT_STATUS_IS_OK( result );
+}
+
+/**
+ * @brief Get a sam user structure by the given username.
+ *
+ * This functions also checks if the account has been automatically locked out
+ * and unlocks it if a lockout duration time has been defined and the time has
+ * elapsed.
+ *
+ *
+ * @param[in] sam_acct The sam user structure to fill.
+ *
+ * @param[in] sid The user SDI to look up.
+ *
+ * @return True on success, false on error.
+ */
+bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ uint32_t rid;
+ void *cache_data;
+ bool ok = false;
+
+ /* hard code the Guest RID of 501 */
+
+ if ( !sid_peek_check_rid( get_global_sam_sid(), sid, &rid ) )
+ return False;
+
+ if ( rid == DOMAIN_RID_GUEST ) {
+ DEBUG(6,("pdb_getsampwsid: Building guest account\n"));
+ return guest_user_info( sam_acct );
}
- return ret;
+ /* check the cache first */
+
+ cache_data = memcache_lookup_talloc(
+ NULL, PDB_GETPWSID_CACHE, data_blob_const(sid, sizeof(*sid)));
+
+ if (cache_data != NULL) {
+ struct samu *cache_copy = talloc_get_type_abort(
+ cache_data, struct samu);
+
+ ok = pdb_copy_sam_account(sam_acct, cache_copy);
+ } else {
+ ok = NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
+ }
+
+ if (!ok) {
+ return false;
+ }
+
+ ok = pdb_try_account_unlock(sam_acct);
+ if (!ok) {
+ DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
+ sam_acct->username));
+ }
+
+ return true;
}
-static NTSTATUS context_add_sam_account(struct pdb_context *context, SAM_ACCOUNT *sam_acct)
+static NTSTATUS pdb_default_create_user(struct pdb_methods *methods,
+ TALLOC_CTX *tmp_ctx, const char *name,
+ uint32_t acb_info, uint32_t *rid)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- const char *lm_pw, *nt_pw;
- uint16 acb_flags;
+ struct samu *sam_pass;
+ NTSTATUS status;
+ struct passwd *pwd;
+
+ if ((sam_pass = samu_new(tmp_ctx)) == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if ( !(pwd = Get_Pwnam_alloc(tmp_ctx, name)) ) {
+ char *add_script = NULL;
+ int add_ret;
+ fstring name2;
+
+ if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] != '$') {
+ add_script = talloc_strdup(tmp_ctx,
+ lp_adduser_script());
+ } else {
+ add_script = talloc_strdup(tmp_ctx,
+ lp_addmachine_script());
+ }
+
+ if (!add_script || add_script[0] == '\0') {
+ DEBUG(3, ("Could not find user %s and no add script "
+ "defined\n", name));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ /* lowercase the username before creating the Unix account for
+ compatibility with previous Samba releases */
+ fstrcpy( name2, name );
+ strlower_m( name2 );
+ add_script = talloc_all_string_sub(tmp_ctx,
+ add_script,
+ "%u",
+ name2);
+ if (!add_script) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ add_ret = smbrun(add_script,NULL);
+ DEBUG(add_ret ? 0 : 3, ("_samr_create_user: Running the command `%s' gave %d\n",
+ add_script, add_ret));
+ if (add_ret == 0) {
+ smb_nscd_flush_user_cache();
+ }
+
+ flush_pwnam_cache();
+
+ pwd = Get_Pwnam_alloc(tmp_ctx, name);
+
+ if(pwd == NULL) {
+ DEBUG(3, ("Could not find user %s, add script did not work\n", name));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ }
+
+ /* we have a valid SID coming out of this call */
+
+ status = samu_alloc_rid_unix(methods, sam_pass, pwd);
+
+ TALLOC_FREE( pwd );
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("pdb_default_create_user: failed to create a new user structure: %s\n", nt_errstr(status)));
+ return status;
}
- /* disable acccounts with no passwords (that has not
- been allowed by the ACB_PWNOTREQ bit */
-
- lm_pw = pdb_get_lanman_passwd( sam_acct );
- nt_pw = pdb_get_nt_passwd( sam_acct );
- acb_flags = pdb_get_acct_ctrl( sam_acct );
- if ( !lm_pw && !nt_pw && !(acb_flags&ACB_PWNOTREQ) ) {
- acb_flags |= ACB_DISABLED;
- pdb_set_acct_ctrl( sam_acct, acb_flags, PDB_CHANGED );
+ if (!sid_peek_check_rid(get_global_sam_sid(),
+ pdb_get_user_sid(sam_pass), rid)) {
+ DEBUG(0, ("Could not get RID of fresh user\n"));
+ return NT_STATUS_INTERNAL_ERROR;
}
-
- /** @todo This is where a 're-read on add' should be done */
- /* We now add a new account to the first database listed.
- * Should we? */
- return context->pdb_methods->add_sam_account(context->pdb_methods, sam_acct);
+ /* Use the username case specified in the original request */
+
+ pdb_set_username( sam_pass, name, PDB_SET );
+
+ /* Disable the account on creation, it does not have a reasonable password yet. */
+
+ acb_info |= ACB_DISABLED;
+
+ pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
+
+ status = methods->add_sam_account(methods, sam_pass);
+
+ TALLOC_FREE(sam_pass);
+
+ return status;
+}
+
+NTSTATUS pdb_create_user(TALLOC_CTX *mem_ctx, const char *name, uint32_t flags,
+ uint32_t *rid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->create_user(pdb, mem_ctx, name, flags, rid);
}
-static NTSTATUS context_update_sam_account(struct pdb_context *context, SAM_ACCOUNT *sam_acct)
+/****************************************************************************
+ Delete a UNIX user on demand.
+****************************************************************************/
+
+static int smb_delete_user(const char *unix_user)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- const char *lm_pw, *nt_pw;
- uint16 acb_flags;
+ char *del_script = NULL;
+ int ret;
+
+ /* safety check */
- if (!context) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ if ( strequal( unix_user, "root" ) ) {
+ DEBUG(0,("smb_delete_user: Refusing to delete local system root account!\n"));
+ return -1;
}
- if (!sam_acct || !sam_acct->methods){
- DEBUG(0, ("invalid sam_acct specified\n"));
- return ret;
+ del_script = talloc_strdup(talloc_tos(), lp_deluser_script());
+ if (!del_script || !*del_script) {
+ return -1;
}
+ del_script = talloc_all_string_sub(talloc_tos(),
+ del_script,
+ "%u",
+ unix_user);
+ if (!del_script) {
+ return -1;
+ }
+ ret = smbrun(del_script,NULL);
+ flush_pwnam_cache();
+ if (ret == 0) {
+ smb_nscd_flush_user_cache();
+ }
+ DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
+
+ return ret;
+}
+
+static NTSTATUS pdb_default_delete_user(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ struct samu *sam_acct)
+{
+ NTSTATUS status;
+ fstring username;
- /* disable acccounts with no passwords (that has not
- been allowed by the ACB_PWNOTREQ bit */
-
- lm_pw = pdb_get_lanman_passwd( sam_acct );
- nt_pw = pdb_get_nt_passwd( sam_acct );
- acb_flags = pdb_get_acct_ctrl( sam_acct );
- if ( !lm_pw && !nt_pw && !(acb_flags&ACB_PWNOTREQ) ) {
- acb_flags |= ACB_DISABLED;
- pdb_set_acct_ctrl( sam_acct, acb_flags, PDB_CHANGED );
+ status = methods->delete_sam_account(methods, sam_acct);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
-
- /** @todo This is where a 're-read on update' should be done */
- return sam_acct->methods->update_sam_account(sam_acct->methods, sam_acct);
+ /*
+ * Now delete the unix side ....
+ * note: we don't check if the delete really happened as the script is
+ * not necessary present and maybe the sysadmin doesn't want to delete
+ * the unix side
+ */
+
+ /* always lower case the username before handing it off to
+ external scripts */
+
+ fstrcpy( username, pdb_get_username(sam_acct) );
+ strlower_m( username );
+
+ smb_delete_user( username );
+
+ return status;
}
-static NTSTATUS context_delete_sam_account(struct pdb_context *context, SAM_ACCOUNT *sam_acct)
+NTSTATUS pdb_delete_user(TALLOC_CTX *mem_ctx, struct samu *sam_acct)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct pdb_methods *pdb = pdb_get_methods();
+ uid_t uid = -1;
+ NTSTATUS status;
+ const struct dom_sid *user_sid;
+ char *msg_data;
+
+ user_sid = pdb_get_user_sid(sam_acct);
- struct pdb_methods *pdb_selected;
- if (!context) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ /* sanity check to make sure we don't delete root */
+
+ if ( !sid_to_uid(user_sid, &uid ) ) {
+ return NT_STATUS_NO_SUCH_USER;
}
- if (!sam_acct->methods){
- pdb_selected = context->pdb_methods;
- /* There's no passdb backend specified for this account.
- * Try to delete it in every passdb available
- * Needed to delete accounts in smbpasswd that are not
- * in /etc/passwd.
- */
- while (pdb_selected){
- if (NT_STATUS_IS_OK(ret = pdb_selected->delete_sam_account(pdb_selected, sam_acct))) {
- return ret;
- }
- pdb_selected = pdb_selected->next;
- }
- return ret;
+ if ( uid == 0 ) {
+ return NT_STATUS_ACCESS_DENIED;
}
- if (!sam_acct->methods->delete_sam_account){
- DEBUG(0,("invalid sam_acct->methods->delete_sam_account\n"));
- return ret;
+ memcache_delete(NULL,
+ PDB_GETPWSID_CACHE,
+ data_blob_const(user_sid, sizeof(*user_sid)));
+
+ status = pdb->delete_user(pdb, mem_ctx, sam_acct);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
-
- return sam_acct->methods->delete_sam_account(sam_acct->methods, sam_acct);
+
+ msg_data = talloc_asprintf(mem_ctx, "USER %s",
+ pdb_get_username(sam_acct));
+ if (!msg_data) {
+ /* not fatal, and too late to rollback,
+ * just return */
+ return status;
+ }
+ message_send_all(server_messaging_context(),
+ ID_CACHE_DELETE,
+ msg_data,
+ strlen(msg_data) + 1,
+ NULL);
+
+ TALLOC_FREE(msg_data);
+ return status;
+}
+
+NTSTATUS pdb_add_sam_account(struct samu *sam_acct)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->add_sam_account(pdb, sam_acct);
}
-static NTSTATUS context_getgrsid(struct pdb_context *context,
- GROUP_MAP *map, DOM_SID sid)
+NTSTATUS pdb_update_sam_account(struct samu *sam_acct)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct pdb_methods *pdb = pdb_get_methods();
- struct pdb_methods *curmethods;
- if ((!context)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ memcache_flush(NULL, PDB_GETPWSID_CACHE);
+
+ return pdb->update_sam_account(pdb, sam_acct);
+}
+
+NTSTATUS pdb_delete_sam_account(struct samu *sam_acct)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ const struct dom_sid *user_sid = pdb_get_user_sid(sam_acct);
+
+ memcache_delete(NULL,
+ PDB_GETPWSID_CACHE,
+ data_blob_const(user_sid, sizeof(*user_sid)));
+
+ return pdb->delete_sam_account(pdb, sam_acct);
+}
+
+NTSTATUS pdb_rename_sam_account(struct samu *oldname, const char *newname)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ uid_t uid;
+ NTSTATUS status;
+
+ memcache_flush(NULL, PDB_GETPWSID_CACHE);
+
+ /* sanity check to make sure we don't rename root */
+
+ if ( !sid_to_uid( pdb_get_user_sid(oldname), &uid ) ) {
+ return NT_STATUS_NO_SUCH_USER;
}
- curmethods = context->pdb_methods;
- while (curmethods){
- ret = curmethods->getgrsid(curmethods, map, sid);
- if (NT_STATUS_IS_OK(ret)) {
- map->methods = curmethods;
- return ret;
- }
- curmethods = curmethods->next;
+
+ if ( uid == 0 ) {
+ return NT_STATUS_ACCESS_DENIED;
}
- return ret;
+ status = pdb->rename_sam_account(pdb, oldname, newname);
+
+ /* always flush the cache here just to be safe */
+ flush_pwnam_cache();
+
+ return status;
}
-static NTSTATUS context_getgrgid(struct pdb_context *context,
- GROUP_MAP *map, gid_t gid)
+NTSTATUS pdb_update_login_attempts(struct samu *sam_acct, bool success)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->update_login_attempts(pdb, sam_acct, success);
+}
+
+bool pdb_getgrsid(GROUP_MAP *map, struct dom_sid sid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return NT_STATUS_IS_OK(pdb->getgrsid(pdb, map, sid));
+}
- struct pdb_methods *curmethods;
- if ((!context)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+bool pdb_getgrgid(GROUP_MAP *map, gid_t gid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return NT_STATUS_IS_OK(pdb->getgrgid(pdb, map, gid));
+}
+
+bool pdb_getgrnam(GROUP_MAP *map, const char *name)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return NT_STATUS_IS_OK(pdb->getgrnam(pdb, map, name));
+}
+
+static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ const char *name,
+ uint32_t *rid)
+{
+ struct dom_sid group_sid;
+ struct group *grp;
+ fstring tmp;
+
+ grp = getgrnam(name);
+
+ if (grp == NULL) {
+ gid_t gid;
+
+ if (smb_create_group(name, &gid) != 0) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ grp = getgrgid(gid);
}
- curmethods = context->pdb_methods;
- while (curmethods){
- ret = curmethods->getgrgid(curmethods, map, gid);
- if (NT_STATUS_IS_OK(ret)) {
- map->methods = curmethods;
- return ret;
+
+ if (grp == NULL) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
+ if (!pdb_new_rid(rid)) {
+ return NT_STATUS_ACCESS_DENIED;
}
- curmethods = curmethods->next;
+ } else {
+ *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
}
- return ret;
+ sid_compose(&group_sid, get_global_sam_sid(), *rid);
+
+ return add_initial_entry(grp->gr_gid, sid_to_fstring(tmp, &group_sid),
+ SID_NAME_DOM_GRP, name, NULL);
+}
+
+NTSTATUS pdb_create_dom_group(TALLOC_CTX *mem_ctx, const char *name,
+ uint32_t *rid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->create_dom_group(pdb, mem_ctx, name, rid);
}
-static NTSTATUS context_getgrnam(struct pdb_context *context,
- GROUP_MAP *map, const char *name)
+static NTSTATUS pdb_default_delete_dom_group(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ uint32_t rid)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct dom_sid group_sid;
+ GROUP_MAP map;
+ NTSTATUS status;
+ struct group *grp;
+ const char *grp_name;
+
+ /* coverity */
+ map.gid = (gid_t) -1;
+
+ sid_compose(&group_sid, get_global_sam_sid(), rid);
- struct pdb_methods *curmethods;
- if ((!context)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ if (!get_domain_group_from_sid(group_sid, &map)) {
+ DEBUG(10, ("Could not find group for rid %d\n", rid));
+ return NT_STATUS_NO_SUCH_GROUP;
}
- curmethods = context->pdb_methods;
- while (curmethods){
- ret = curmethods->getgrnam(curmethods, map, name);
- if (NT_STATUS_IS_OK(ret)) {
- map->methods = curmethods;
- return ret;
- }
- curmethods = curmethods->next;
+
+ /* We need the group name for the smb_delete_group later on */
+
+ if (map.gid == (gid_t)-1) {
+ return NT_STATUS_NO_SUCH_GROUP;
}
- return ret;
+ grp = getgrgid(map.gid);
+ if (grp == NULL) {
+ return NT_STATUS_NO_SUCH_GROUP;
+ }
+
+ /* Copy the name, no idea what pdb_delete_group_mapping_entry does.. */
+
+ grp_name = talloc_strdup(mem_ctx, grp->gr_name);
+ if (grp_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = pdb_delete_group_mapping_entry(group_sid);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /* Don't check the result of smb_delete_group */
+
+ smb_delete_group(grp_name);
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS pdb_delete_dom_group(TALLOC_CTX *mem_ctx, uint32_t rid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->delete_dom_group(pdb, mem_ctx, rid);
+}
+
+NTSTATUS pdb_add_group_mapping_entry(GROUP_MAP *map)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->add_group_mapping_entry(pdb, map);
+}
+
+NTSTATUS pdb_update_group_mapping_entry(GROUP_MAP *map)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->update_group_mapping_entry(pdb, map);
+}
+
+NTSTATUS pdb_delete_group_mapping_entry(struct dom_sid sid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->delete_group_mapping_entry(pdb, sid);
+}
+
+bool pdb_enum_group_mapping(const struct dom_sid *sid, enum lsa_SidType sid_name_use, GROUP_MAP **pp_rmap,
+ size_t *p_num_entries, bool unix_only)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
+ pp_rmap, p_num_entries, unix_only));
}
-static NTSTATUS context_add_group_mapping_entry(struct pdb_context *context,
- GROUP_MAP *map)
+NTSTATUS pdb_enum_group_members(TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ uint32_t **pp_member_rids,
+ size_t *p_num_members)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct pdb_methods *pdb = pdb_get_methods();
+ NTSTATUS result;
+
+ result = pdb->enum_group_members(pdb, mem_ctx,
+ sid, pp_member_rids, p_num_members);
+
+ /* special check for rid 513 */
+
+ if ( !NT_STATUS_IS_OK( result ) ) {
+ uint32_t rid;
+
+ sid_peek_rid( sid, &rid );
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ if ( rid == DOMAIN_RID_USERS ) {
+ *p_num_members = 0;
+ *pp_member_rids = NULL;
+
+ return NT_STATUS_OK;
+ }
}
- return context->pdb_methods->add_group_mapping_entry(context->pdb_methods,
- map);
+ return result;
+}
+
+NTSTATUS pdb_enum_group_memberships(TALLOC_CTX *mem_ctx, struct samu *user,
+ struct dom_sid **pp_sids, gid_t **pp_gids,
+ uint32_t *p_num_groups)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->enum_group_memberships(
+ pdb, mem_ctx, user,
+ pp_sids, pp_gids, p_num_groups);
}
-static NTSTATUS context_update_group_mapping_entry(struct pdb_context *context,
- GROUP_MAP *map)
+static NTSTATUS pdb_default_set_unix_primary_group(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ struct samu *sampass)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct group *grp;
+ gid_t gid;
+
+ if (!sid_to_gid(pdb_get_group_sid(sampass), &gid) ||
+ (grp = getgrgid(gid)) == NULL) {
+ return NT_STATUS_INVALID_PRIMARY_GROUP;
+ }
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ if (smb_set_primary_group(grp->gr_name,
+ pdb_get_username(sampass)) != 0) {
+ return NT_STATUS_ACCESS_DENIED;
}
- return context->
- pdb_methods->update_group_mapping_entry(context->pdb_methods, map);
+ return NT_STATUS_OK;
+}
+
+NTSTATUS pdb_set_unix_primary_group(TALLOC_CTX *mem_ctx, struct samu *user)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_unix_primary_group(pdb, mem_ctx, user);
}
-static NTSTATUS context_delete_group_mapping_entry(struct pdb_context *context,
- DOM_SID sid)
+/*
+ * Helper function to see whether a user is in a group. We can't use
+ * user_in_group_sid here because this creates dependencies only smbd can
+ * fulfil.
+ */
+
+static bool pdb_user_in_group(TALLOC_CTX *mem_ctx, struct samu *account,
+ const struct dom_sid *group_sid)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct dom_sid *sids;
+ gid_t *gids;
+ uint32_t i, num_groups;
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ if (!NT_STATUS_IS_OK(pdb_enum_group_memberships(mem_ctx, account,
+ &sids, &gids,
+ &num_groups))) {
+ return False;
}
- return context->
- pdb_methods->delete_group_mapping_entry(context->pdb_methods, sid);
+ for (i=0; i<num_groups; i++) {
+ if (dom_sid_equal(group_sid, &sids[i])) {
+ return True;
+ }
+ }
+ return False;
}
-static NTSTATUS context_enum_group_mapping(struct pdb_context *context,
- enum SID_NAME_USE sid_name_use,
- GROUP_MAP **rmap, int *num_entries,
- BOOL unix_only)
+static NTSTATUS pdb_default_add_groupmem(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ uint32_t group_rid,
+ uint32_t member_rid)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct dom_sid group_sid, member_sid;
+ struct samu *account = NULL;
+ GROUP_MAP map;
+ struct group *grp;
+ struct passwd *pwd;
+ const char *group_name;
+ uid_t uid;
+
+ /* coverity */
+ map.gid = (gid_t) -1;
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ sid_compose(&group_sid, get_global_sam_sid(), group_rid);
+ sid_compose(&member_sid, get_global_sam_sid(), member_rid);
+
+ if (!get_domain_group_from_sid(group_sid, &map) ||
+ (map.gid == (gid_t)-1) ||
+ ((grp = getgrgid(map.gid)) == NULL)) {
+ return NT_STATUS_NO_SUCH_GROUP;
+ }
+
+ group_name = talloc_strdup(mem_ctx, grp->gr_name);
+ if (group_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
- return context->pdb_methods->enum_group_mapping(context->pdb_methods,
- sid_name_use, rmap,
- num_entries, unix_only);
+ if ( !(account = samu_new( NULL )) ) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_getsampwsid(account, &member_sid) ||
+ !sid_to_uid(&member_sid, &uid) ||
+ ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
+ return NT_STATUS_MEMBER_IN_GROUP;
+ }
+
+ /*
+ * ok, the group exist, the user exist, the user is not in the group,
+ * we can (finally) add it to the group !
+ */
+
+ smb_add_user_group(group_name, pwd->pw_name);
+
+ if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ return NT_STATUS_OK;
}
-static NTSTATUS context_enum_group_memberships(struct pdb_context *context,
- const char *username,
- gid_t primary_gid,
- DOM_SID **sids, gid_t **gids,
- int *num_groups)
+NTSTATUS pdb_add_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
+ uint32_t member_rid)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->add_groupmem(pdb, mem_ctx, group_rid, member_rid);
+}
+
+static NTSTATUS pdb_default_del_groupmem(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ uint32_t group_rid,
+ uint32_t member_rid)
+{
+ struct dom_sid group_sid, member_sid;
+ struct samu *account = NULL;
+ GROUP_MAP map;
+ struct group *grp;
+ struct passwd *pwd;
+ const char *group_name;
+ uid_t uid;
+
+ sid_compose(&group_sid, get_global_sam_sid(), group_rid);
+ sid_compose(&member_sid, get_global_sam_sid(), member_rid);
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ if (!get_domain_group_from_sid(group_sid, &map) ||
+ (map.gid == (gid_t)-1) ||
+ ((grp = getgrgid(map.gid)) == NULL)) {
+ return NT_STATUS_NO_SUCH_GROUP;
}
- return context->pdb_methods->
- enum_group_memberships(context->pdb_methods, username,
- primary_gid, sids, gids, num_groups);
+ group_name = talloc_strdup(mem_ctx, grp->gr_name);
+ if (group_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if ( !(account = samu_new( NULL )) ) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_getsampwsid(account, &member_sid) ||
+ !sid_to_uid(&member_sid, &uid) ||
+ ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
+ return NT_STATUS_MEMBER_NOT_IN_GROUP;
+ }
+
+ /*
+ * ok, the group exist, the user exist, the user is in the group,
+ * we can (finally) delete it from the group!
+ */
+
+ smb_delete_user_group(group_name, pwd->pw_name);
+
+ if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS pdb_del_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
+ uint32_t member_rid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->del_groupmem(pdb, mem_ctx, group_rid, member_rid);
+}
+
+NTSTATUS pdb_create_alias(const char *name, uint32_t *rid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->create_alias(pdb, name, rid);
+}
+
+NTSTATUS pdb_delete_alias(const struct dom_sid *sid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->delete_alias(pdb, sid);
+}
+
+NTSTATUS pdb_get_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_aliasinfo(pdb, sid, info);
+}
+
+NTSTATUS pdb_set_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_aliasinfo(pdb, sid, info);
+}
+
+NTSTATUS pdb_add_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->add_aliasmem(pdb, alias, member);
+}
+
+NTSTATUS pdb_del_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->del_aliasmem(pdb, alias, member);
+}
+
+NTSTATUS pdb_enum_aliasmem(const struct dom_sid *alias, TALLOC_CTX *mem_ctx,
+ struct dom_sid **pp_members, size_t *p_num_members)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->enum_aliasmem(pdb, alias, mem_ctx, pp_members,
+ p_num_members);
+}
+
+NTSTATUS pdb_enum_alias_memberships(TALLOC_CTX *mem_ctx,
+ const struct dom_sid *domain_sid,
+ const struct dom_sid *members, size_t num_members,
+ uint32_t **pp_alias_rids,
+ size_t *p_num_alias_rids)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->enum_alias_memberships(pdb, mem_ctx,
+ domain_sid,
+ members, num_members,
+ pp_alias_rids,
+ p_num_alias_rids);
+}
+
+NTSTATUS pdb_lookup_rids(const struct dom_sid *domain_sid,
+ int num_rids,
+ uint32_t *rids,
+ const char **names,
+ enum lsa_SidType *attrs)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs);
+}
+
+/*
+ * NOTE: pdb_lookup_names is currently (2007-01-12) not used anywhere
+ * in the samba code.
+ * Unlike _lsa_lookup_sids and _samr_lookup_rids, which eventually
+ * also ask pdb_lookup_rids, thus looking up a bunch of rids at a time,
+ * the pdb_ calls _lsa_lookup_names and _samr_lookup_names come
+ * down to are pdb_getsampwnam and pdb_getgrnam instead of
+ * pdb_lookup_names.
+ * But in principle, it the call belongs to the API and might get
+ * used in this context some day.
+ */
+#if 0
+NTSTATUS pdb_lookup_names(const struct dom_sid *domain_sid,
+ int num_names,
+ const char **names,
+ uint32_t *rids,
+ enum lsa_SidType *attrs)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->lookup_names(pdb, domain_sid, num_names, names, rids, attrs);
}
+#endif
-static NTSTATUS context_find_alias(struct pdb_context *context,
- const char *name, DOM_SID *sid)
+bool pdb_get_account_policy(enum pdb_policy_type type, uint32_t *value)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct pdb_methods *pdb = pdb_get_methods();
+ NTSTATUS status;
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ become_root();
+ status = pdb->get_account_policy(pdb, type, value);
+ unbecome_root();
+
+ return NT_STATUS_IS_OK(status);
+}
+
+bool pdb_set_account_policy(enum pdb_policy_type type, uint32_t value)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ NTSTATUS status;
+
+ become_root();
+ status = pdb->set_account_policy(pdb, type, value);
+ unbecome_root();
+
+ return NT_STATUS_IS_OK(status);
+}
+
+bool pdb_get_seq_num(time_t *seq_num)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return NT_STATUS_IS_OK(pdb->get_seq_num(pdb, seq_num));
+}
+
+bool pdb_uid_to_sid(uid_t uid, struct dom_sid *sid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->uid_to_sid(pdb, uid, sid);
+}
+
+bool pdb_gid_to_sid(gid_t gid, struct dom_sid *sid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->gid_to_sid(pdb, gid, sid);
+}
+
+bool pdb_sid_to_id(const struct dom_sid *sid, union unid_t *id,
+ enum lsa_SidType *type)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->sid_to_id(pdb, sid, id, type);
+}
+
+uint32_t pdb_capabilities(void)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->capabilities(pdb);
+}
+
+/********************************************************************
+ Allocate a new RID from the passdb backend. Verify that it is free
+ by calling lookup_global_sam_rid() to verify that the RID is not
+ in use. This handles servers that have existing users or groups
+ with add RIDs (assigned from previous algorithmic mappings)
+********************************************************************/
+
+bool pdb_new_rid(uint32_t *rid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ const char *name = NULL;
+ enum lsa_SidType type;
+ uint32_t allocated_rid = 0;
+ int i;
+ TALLOC_CTX *ctx;
+
+ if ((pdb_capabilities() & PDB_CAP_STORE_RIDS) == 0) {
+ DEBUG(0, ("Trying to allocate a RID when algorithmic RIDs "
+ "are active\n"));
+ return False;
}
- return context->pdb_methods->find_alias(context->pdb_methods,
- name, sid);
+ if (algorithmic_rid_base() != BASE_RID) {
+ DEBUG(0, ("'algorithmic rid base' is set but a passdb backend "
+ "without algorithmic RIDs is chosen.\n"));
+ DEBUGADD(0, ("Please map all used groups using 'net groupmap "
+ "add', set the maximum used RID\n"));
+ DEBUGADD(0, ("and remove the parameter\n"));
+ return False;
+ }
+
+ if ( (ctx = talloc_init("pdb_new_rid")) == NULL ) {
+ DEBUG(0,("pdb_new_rid: Talloc initialization failure\n"));
+ return False;
+ }
+
+ /* Attempt to get an unused RID (max tires is 250...yes that it is
+ and arbitrary number I pulkled out of my head). -- jerry */
+
+ for ( i=0; allocated_rid==0 && i<250; i++ ) {
+ /* get a new RID */
+
+ if ( !pdb->new_rid(pdb, &allocated_rid) ) {
+ return False;
+ }
+
+ /* validate that the RID is not in use */
+
+ if ( lookup_global_sam_rid( ctx, allocated_rid, &name, &type, NULL ) ) {
+ allocated_rid = 0;
+ }
+ }
+
+ TALLOC_FREE( ctx );
+
+ if ( allocated_rid == 0 ) {
+ DEBUG(0,("pdb_new_rid: Failed to find unused RID\n"));
+ return False;
+ }
+
+ *rid = allocated_rid;
+
+ return True;
+}
+
+/***************************************************************
+ Initialize the static context (at smbd startup etc).
+
+ If uninitialised, context will auto-init on first use.
+ ***************************************************************/
+
+bool initialize_password_db(bool reload, struct event_context *event_ctx)
+{
+ pdb_event_ctx = event_ctx;
+ return (pdb_get_methods_reload(reload) != NULL);
}
-static NTSTATUS context_create_alias(struct pdb_context *context,
- const char *name, uint32 *rid)
+
+/***************************************************************************
+ Default implementations of some functions.
+ ****************************************************************************/
+
+static NTSTATUS pdb_default_getsampwnam (struct pdb_methods *methods, struct samu *user, const char *sname)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ return NT_STATUS_NO_SUCH_USER;
+}
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+static NTSTATUS pdb_default_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const struct dom_sid *sid)
+{
+ return NT_STATUS_NO_SUCH_USER;
+}
+
+static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, struct samu *newpwd)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS pdb_default_update_sam_account (struct pdb_methods *methods, struct samu *newpwd)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS pdb_default_delete_sam_account (struct pdb_methods *methods, struct samu *pwd)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS pdb_default_rename_sam_account (struct pdb_methods *methods, struct samu *pwd, const char *newname)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS pdb_default_update_login_attempts (struct pdb_methods *methods, struct samu *newpwd, bool success)
+{
+ /* Only the pdb_nds backend implements this, by
+ * default just return ok. */
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t *value)
+{
+ return account_policy_get(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+}
+
+static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t value)
+{
+ return account_policy_set(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+}
+
+static NTSTATUS pdb_default_get_seq_num(struct pdb_methods *methods, time_t *seq_num)
+{
+ *seq_num = time(NULL);
+ return NT_STATUS_OK;
+}
+
+static bool pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid,
+ struct dom_sid *sid)
+{
+ struct samu *sampw = NULL;
+ struct passwd *unix_pw;
+ bool ret;
+
+ unix_pw = sys_getpwuid( uid );
+
+ if ( !unix_pw ) {
+ DEBUG(4,("pdb_default_uid_to_sid: host has no idea of uid "
+ "%lu\n", (unsigned long)uid));
+ return False;
+ }
+
+ if ( !(sampw = samu_new( NULL )) ) {
+ DEBUG(0,("pdb_default_uid_to_sid: samu_new() failed!\n"));
+ return False;
+ }
+
+ become_root();
+ ret = NT_STATUS_IS_OK(
+ methods->getsampwnam(methods, sampw, unix_pw->pw_name ));
+ unbecome_root();
+
+ if (!ret) {
+ DEBUG(5, ("pdb_default_uid_to_sid: Did not find user "
+ "%s (%u)\n", unix_pw->pw_name, (unsigned int)uid));
+ TALLOC_FREE(sampw);
+ return False;
}
- return context->pdb_methods->create_alias(context->pdb_methods,
- name, rid);
+ sid_copy(sid, pdb_get_user_sid(sampw));
+
+ TALLOC_FREE(sampw);
+
+ return True;
}
-static NTSTATUS context_delete_alias(struct pdb_context *context,
- const DOM_SID *sid)
+static bool pdb_default_gid_to_sid(struct pdb_methods *methods, gid_t gid,
+ struct dom_sid *sid)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ GROUP_MAP map;
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ if (!NT_STATUS_IS_OK(methods->getgrgid(methods, &map, gid))) {
+ return False;
}
- return context->pdb_methods->delete_alias(context->pdb_methods, sid);
+ sid_copy(sid, &map.sid);
+ return True;
}
-static NTSTATUS context_enum_aliases(struct pdb_context *context,
- const DOM_SID *sid,
- uint32 start_idx, uint32 max_entries,
- uint32 *num_aliases,
- struct acct_info **info)
+static bool pdb_default_sid_to_id(struct pdb_methods *methods,
+ const struct dom_sid *sid,
+ union unid_t *id, enum lsa_SidType *type)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ TALLOC_CTX *mem_ctx;
+ bool ret = False;
+ const char *name;
+ uint32_t rid;
+
+ mem_ctx = talloc_new(NULL);
+
+ if (mem_ctx == NULL) {
+ DEBUG(0, ("talloc_new failed\n"));
+ return False;
+ }
+
+ if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
+ /* Here we might have users as well as groups and aliases */
+ ret = lookup_global_sam_rid(mem_ctx, rid, &name, type, id);
+ goto done;
+ }
+
+ /* check for "Unix User" */
+
+ if ( sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid) ) {
+ id->uid = rid;
+ *type = SID_NAME_USER;
+ ret = True;
+ goto done;
+ }
+
+ /* check for "Unix Group" */
+
+ if ( sid_peek_check_rid(&global_sid_Unix_Groups, sid, &rid) ) {
+ id->gid = rid;
+ *type = SID_NAME_ALIAS;
+ ret = True;
+ goto done;
+ }
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ /* BUILTIN */
+
+ if (sid_check_is_in_builtin(sid) ||
+ sid_check_is_in_wellknown_domain(sid)) {
+ /* Here we only have aliases */
+ GROUP_MAP map;
+ if (!NT_STATUS_IS_OK(methods->getgrsid(methods, &map, *sid))) {
+ DEBUG(10, ("Could not find map for sid %s\n",
+ sid_string_dbg(sid)));
+ goto done;
+ }
+ if ((map.sid_name_use != SID_NAME_ALIAS) &&
+ (map.sid_name_use != SID_NAME_WKN_GRP)) {
+ DEBUG(10, ("Map for sid %s is a %s, expected an "
+ "alias\n", sid_string_dbg(sid),
+ sid_type_lookup(map.sid_name_use)));
+ goto done;
+ }
+
+ id->gid = map.gid;
+ *type = SID_NAME_ALIAS;
+ ret = True;
+ goto done;
}
- return context->pdb_methods->enum_aliases(context->pdb_methods,
- sid, start_idx, max_entries,
- num_aliases, info);
+ DEBUG(5, ("Sid %s is neither ours, a Unix SID, nor builtin\n",
+ sid_string_dbg(sid)));
+
+ done:
+
+ TALLOC_FREE(mem_ctx);
+ return ret;
}
-static NTSTATUS context_get_aliasinfo(struct pdb_context *context,
- const DOM_SID *sid,
- struct acct_info *info)
+static bool get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, uint32_t *p_num)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct group *grp;
+ char **gr;
+ struct passwd *pwd;
+ bool winbind_env;
+ bool ret = False;
+
+ *pp_uids = NULL;
+ *p_num = 0;
+
+ /* We only look at our own sam, so don't care about imported stuff */
+ winbind_env = winbind_env_set();
+ (void)winbind_off();
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ if ((grp = getgrgid(gid)) == NULL) {
+ /* allow winbindd lookups, but only if they weren't already disabled */
+ goto done;
+ }
+
+ /* Primary group members */
+ setpwent();
+ while ((pwd = getpwent()) != NULL) {
+ if (pwd->pw_gid == gid) {
+ if (!add_uid_to_array_unique(mem_ctx, pwd->pw_uid,
+ pp_uids, p_num)) {
+ goto done;
+ }
+ }
+ }
+ endpwent();
+
+ /* Secondary group members */
+ for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
+ struct passwd *pw = getpwnam(*gr);
+
+ if (pw == NULL)
+ continue;
+ if (!add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num)) {
+ goto done;
+ }
}
- return context->pdb_methods->get_aliasinfo(context->pdb_methods,
- sid, info);
+ ret = True;
+
+ done:
+
+ /* allow winbindd lookups, but only if they weren't already disabled */
+ if (!winbind_env) {
+ (void)winbind_on();
+ }
+
+ return ret;
}
-static NTSTATUS context_set_aliasinfo(struct pdb_context *context,
- const DOM_SID *sid,
- struct acct_info *info)
+static NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *group,
+ uint32_t **pp_member_rids,
+ size_t *p_num_members)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ gid_t gid;
+ uid_t *uids;
+ uint32_t i, num_uids;
+
+ *pp_member_rids = NULL;
+ *p_num_members = 0;
+
+ if (!sid_to_gid(group, &gid))
+ return NT_STATUS_NO_SUCH_GROUP;
+
+ if(!get_memberuids(mem_ctx, gid, &uids, &num_uids))
+ return NT_STATUS_NO_SUCH_GROUP;
+
+ if (num_uids == 0)
+ return NT_STATUS_OK;
+
+ *pp_member_rids = talloc_zero_array(mem_ctx, uint32_t, num_uids);
+
+ for (i=0; i<num_uids; i++) {
+ struct dom_sid sid;
+
+ uid_to_sid(&sid, uids[i]);
+
+ if (!sid_check_is_in_our_domain(&sid)) {
+ DEBUG(5, ("Inconsistent SAM -- group member uid not "
+ "in our domain\n"));
+ continue;
+ }
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ sid_peek_rid(&sid, &(*pp_member_rids)[*p_num_members]);
+ *p_num_members += 1;
}
- return context->pdb_methods->set_aliasinfo(context->pdb_methods,
- sid, info);
+ return NT_STATUS_OK;
}
-static NTSTATUS context_add_aliasmem(struct pdb_context *context,
- const DOM_SID *alias,
- const DOM_SID *member)
+static NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ struct samu *user,
+ struct dom_sid **pp_sids,
+ gid_t **pp_gids,
+ uint32_t *p_num_groups)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ size_t i;
+ gid_t gid;
+ struct passwd *pw;
+ const char *username = pdb_get_username(user);
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
- }
- return context->pdb_methods->add_aliasmem(context->pdb_methods,
- alias, member);
-}
-
-static NTSTATUS context_del_aliasmem(struct pdb_context *context,
- const DOM_SID *alias,
- const DOM_SID *member)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ /* Ignore the primary group SID. Honor the real Unix primary group.
+ The primary group SID is only of real use to Windows clients */
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ if ( !(pw = Get_Pwnam_alloc(mem_ctx, username)) ) {
+ return NT_STATUS_NO_SUCH_USER;
}
- return context->pdb_methods->del_aliasmem(context->pdb_methods,
- alias, member);
-}
-
-static NTSTATUS context_enum_aliasmem(struct pdb_context *context,
- const DOM_SID *alias, DOM_SID **members,
- int *num)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ gid = pw->pw_gid;
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
- }
+ TALLOC_FREE( pw );
- return context->pdb_methods->enum_aliasmem(context->pdb_methods,
- alias, members, num);
-}
-
-static NTSTATUS context_enum_alias_memberships(struct pdb_context *context,
- const DOM_SID *members,
- int num_members,
- DOM_SID **aliases, int *num)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ if (*p_num_groups == 0) {
+ smb_panic("primary group missing");
}
- return context->pdb_methods->
- enum_alias_memberships(context->pdb_methods, members,
- num_members, aliases, num);
-}
+ *pp_sids = talloc_array(mem_ctx, struct dom_sid, *p_num_groups);
-static NTSTATUS context_get_account_policy(struct pdb_context *context,
- int policy_index, int *value)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ if (*pp_sids == NULL) {
+ TALLOC_FREE(*pp_gids);
+ return NT_STATUS_NO_MEMORY;
+ }
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
+ for (i=0; i<*p_num_groups; i++) {
+ gid_to_sid(&(*pp_sids)[i], (*pp_gids)[i]);
}
- return context->pdb_methods->get_account_policy(context->pdb_methods,
- policy_index, value);
+ return NT_STATUS_OK;
}
-static NTSTATUS context_set_account_policy(struct pdb_context *context,
- int policy_index, int value)
+/*******************************************************************
+ Look up a rid in the SAM we're responsible for (i.e. passdb)
+ ********************************************************************/
+
+static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
+ const char **name,
+ enum lsa_SidType *psid_name_use,
+ union unid_t *unix_id)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct samu *sam_account = NULL;
+ GROUP_MAP map;
+ bool ret;
+ struct dom_sid sid;
- if ((!context) || (!context->pdb_methods)) {
- DEBUG(0, ("invalid pdb_context specified!\n"));
- return ret;
- }
+ *psid_name_use = SID_NAME_UNKNOWN;
- return context->pdb_methods->set_account_policy(context->pdb_methods,
- policy_index, value);
-}
+ DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n",
+ (unsigned int)rid));
-
-/******************************************************************
- Free and cleanup a pdb context, any associated data and anything
- that the attached modules might have associated.
- *******************************************************************/
+ sid_compose(&sid, get_global_sam_sid(), rid);
-static void free_pdb_context(struct pdb_context **context)
-{
- struct pdb_methods *pdb_selected = (*context)->pdb_methods;
+ /* see if the passdb can help us with the name of the user */
- while (pdb_selected){
- if(pdb_selected->free_private_data)
- pdb_selected->free_private_data(&(pdb_selected->private_data));
- pdb_selected = pdb_selected->next;
+ if ( !(sam_account = samu_new( NULL )) ) {
+ return False;
}
- talloc_destroy((*context)->mem_ctx);
- *context = NULL;
-}
+ /* BEING ROOT BLOCK */
+ become_root();
+ if (pdb_getsampwsid(sam_account, &sid)) {
+ struct passwd *pw;
-/******************************************************************
- Make a pdb_methods from scratch
- *******************************************************************/
+ unbecome_root(); /* -----> EXIT BECOME_ROOT() */
+ *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
+ if (!*name) {
+ TALLOC_FREE(sam_account);
+ return False;
+ }
-static NTSTATUS make_pdb_methods_name(struct pdb_methods **methods, struct pdb_context *context, const char *selected)
-{
- char *module_name = smb_xstrdup(selected);
- char *module_location = NULL, *p;
- struct pdb_init_function_entry *entry;
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ *psid_name_use = SID_NAME_USER;
- lazy_initialize_passdb();
+ TALLOC_FREE(sam_account);
- p = strchr(module_name, ':');
+ if (unix_id == NULL) {
+ return True;
+ }
- if (p) {
- *p = 0;
- module_location = p+1;
- trim_char(module_location, ' ', ' ');
+ pw = Get_Pwnam_alloc(talloc_tos(), *name);
+ if (pw == NULL) {
+ return False;
+ }
+ unix_id->uid = pw->pw_uid;
+ TALLOC_FREE(pw);
+ return True;
}
+ TALLOC_FREE(sam_account);
- trim_char(module_name, ' ', ' ');
+ ret = pdb_getgrsid(&map, sid);
+ unbecome_root();
+ /* END BECOME_ROOT BLOCK */
+ /* do not resolve SIDs to a name unless there is a valid
+ gid associated with it */
- DEBUG(5,("Attempting to find an passdb backend to match %s (%s)\n", selected, module_name));
+ if ( ret && (map.gid != (gid_t)-1) ) {
+ *name = talloc_strdup(mem_ctx, map.nt_name);
+ *psid_name_use = map.sid_name_use;
- entry = pdb_find_backend_entry(module_name);
-
- /* Try to find a module that contains this module */
- if (!entry) {
- DEBUG(2,("No builtin backend found, trying to load plugin\n"));
- if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) {
- DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name));
- SAFE_FREE(module_name);
- return NT_STATUS_UNSUCCESSFUL;
+ if ( unix_id ) {
+ unix_id->gid = map.gid;
}
- }
-
- /* No such backend found */
- if(!entry) {
- DEBUG(0,("No builtin nor plugin backend for %s found\n", module_name));
- SAFE_FREE(module_name);
- return NT_STATUS_INVALID_PARAMETER;
- }
- DEBUG(5,("Found pdb backend %s\n", module_name));
- nt_status = entry->init(context, methods, module_location);
- if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5,("pdb backend %s has a valid init\n", selected));
- } else {
- DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n", selected, nt_errstr(nt_status)));
+ return True;
}
- SAFE_FREE(module_name);
- return nt_status;
-}
-
-/******************************************************************
- Make a pdb_context from scratch.
- *******************************************************************/
-static NTSTATUS make_pdb_context(struct pdb_context **context)
-{
- TALLOC_CTX *mem_ctx;
+ /* Windows will always map RID 513 to something. On a non-domain
+ controller, this gets mapped to SERVER\None. */
- mem_ctx = talloc_init("pdb_context internal allocation context");
+ if ( unix_id ) {
+ DEBUG(5, ("Can't find a unix id for an unmapped group\n"));
+ return False;
+ }
- if (!mem_ctx) {
- DEBUG(0, ("make_pdb_context: talloc init failed!\n"));
- return NT_STATUS_NO_MEMORY;
- }
+ if ( rid == DOMAIN_RID_USERS ) {
+ *name = talloc_strdup(mem_ctx, "None" );
+ *psid_name_use = SID_NAME_DOM_GRP;
- *context = TALLOC_P(mem_ctx, struct pdb_context);
- if (!*context) {
- DEBUG(0, ("make_pdb_context: talloc failed!\n"));
- return NT_STATUS_NO_MEMORY;
+ return True;
}
- ZERO_STRUCTP(*context);
-
- (*context)->mem_ctx = mem_ctx;
-
- (*context)->pdb_setsampwent = context_setsampwent;
- (*context)->pdb_endsampwent = context_endsampwent;
- (*context)->pdb_getsampwent = context_getsampwent;
- (*context)->pdb_getsampwnam = context_getsampwnam;
- (*context)->pdb_getsampwsid = context_getsampwsid;
- (*context)->pdb_add_sam_account = context_add_sam_account;
- (*context)->pdb_update_sam_account = context_update_sam_account;
- (*context)->pdb_delete_sam_account = context_delete_sam_account;
- (*context)->pdb_getgrsid = context_getgrsid;
- (*context)->pdb_getgrgid = context_getgrgid;
- (*context)->pdb_getgrnam = context_getgrnam;
- (*context)->pdb_add_group_mapping_entry = context_add_group_mapping_entry;
- (*context)->pdb_update_group_mapping_entry = context_update_group_mapping_entry;
- (*context)->pdb_delete_group_mapping_entry = context_delete_group_mapping_entry;
- (*context)->pdb_enum_group_mapping = context_enum_group_mapping;
- (*context)->pdb_enum_group_memberships = context_enum_group_memberships;
-
- (*context)->pdb_find_alias = context_find_alias;
- (*context)->pdb_create_alias = context_create_alias;
- (*context)->pdb_delete_alias = context_delete_alias;
- (*context)->pdb_enum_aliases = context_enum_aliases;
- (*context)->pdb_get_aliasinfo = context_get_aliasinfo;
- (*context)->pdb_set_aliasinfo = context_set_aliasinfo;
- (*context)->pdb_add_aliasmem = context_add_aliasmem;
- (*context)->pdb_del_aliasmem = context_del_aliasmem;
- (*context)->pdb_enum_aliasmem = context_enum_aliasmem;
- (*context)->pdb_enum_alias_memberships = context_enum_alias_memberships;
-
- (*context)->pdb_get_account_policy = context_get_account_policy;
- (*context)->pdb_set_account_policy = context_set_account_policy;
-
- (*context)->free_fn = free_pdb_context;
-
- return NT_STATUS_OK;
+ return False;
}
+static NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
+ const struct dom_sid *domain_sid,
+ int num_rids,
+ uint32_t *rids,
+ const char **names,
+ enum lsa_SidType *attrs)
+{
+ int i;
+ NTSTATUS result;
+ bool have_mapped = False;
+ bool have_unmapped = False;
-/******************************************************************
- Make a pdb_context, given an array of strings
- *******************************************************************/
+ if (sid_check_is_builtin(domain_sid)) {
-NTSTATUS make_pdb_context_list(struct pdb_context **context, const char **selected)
-{
- int i = 0;
- struct pdb_methods *curmethods, *tmpmethods;
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- BOOL have_guest = False;
+ for (i=0; i<num_rids; i++) {
+ const char *name;
- if (!NT_STATUS_IS_OK(nt_status = make_pdb_context(context))) {
- return nt_status;
+ if (lookup_builtin_rid(names, rids[i], &name)) {
+ attrs[i] = SID_NAME_ALIAS;
+ names[i] = name;
+ DEBUG(5,("lookup_rids: %s:%d\n",
+ names[i], attrs[i]));
+ have_mapped = True;
+ } else {
+ have_unmapped = True;
+ attrs[i] = SID_NAME_UNKNOWN;
+ }
+ }
+ goto done;
}
- if (!selected) {
- DEBUG(0, ("ERROR: empty passdb backend list!\n"));
- return nt_status;
+ /* Should not happen, but better check once too many */
+ if (!sid_check_is_domain(domain_sid)) {
+ return NT_STATUS_INVALID_HANDLE;
}
- while (selected[i]){
- if (strcmp(selected[i], "guest") == 0) {
- have_guest = True;
- }
- /* Try to initialise pdb */
- DEBUG(5,("Trying to load: %s\n", selected[i]));
- if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods_name(&curmethods, *context, selected[i]))) {
- DEBUG(1, ("Loading %s failed!\n", selected[i]));
- free_pdb_context(context);
- return nt_status;
+ for (i = 0; i < num_rids; i++) {
+ const char *name;
+
+ if (lookup_global_sam_rid(names, rids[i], &name, &attrs[i],
+ NULL)) {
+ if (name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ names[i] = name;
+ DEBUG(5,("lookup_rids: %s:%d\n", names[i], attrs[i]));
+ have_mapped = True;
+ } else {
+ have_unmapped = True;
+ attrs[i] = SID_NAME_UNKNOWN;
}
- curmethods->parent = *context;
- DLIST_ADD_END((*context)->pdb_methods, curmethods, tmpmethods);
- i++;
}
- if (have_guest)
- return NT_STATUS_OK;
+ done:
- if ( (lp_guestaccount() == NULL) ||
- (*lp_guestaccount() == '\0') ) {
- /* We explicitly don't want guest access. No idea what
- else that breaks, but be it that way. */
- return NT_STATUS_OK;
- }
+ result = NT_STATUS_NONE_MAPPED;
- if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods_name(&curmethods,
- *context,
- "guest"))) {
- DEBUG(1, ("Loading guest module failed!\n"));
- free_pdb_context(context);
- return nt_status;
- }
+ if (have_mapped)
+ result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
- curmethods->parent = *context;
- DLIST_ADD_END((*context)->pdb_methods, curmethods, tmpmethods);
-
- return NT_STATUS_OK;
+ return result;
}
-/******************************************************************
- Make a pdb_context, given a text string.
- *******************************************************************/
-
-NTSTATUS make_pdb_context_string(struct pdb_context **context, const char *selected)
+#if 0
+static NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods,
+ const struct dom_sid *domain_sid,
+ int num_names,
+ const char **names,
+ uint32_t *rids,
+ enum lsa_SidType *attrs)
{
- NTSTATUS ret;
- char **newsel = str_list_make(selected, NULL);
- ret = make_pdb_context_list(context, (const char **)newsel);
- str_list_free(&newsel);
- return ret;
-}
+ int i;
+ NTSTATUS result;
+ bool have_mapped = False;
+ bool have_unmapped = False;
-/******************************************************************
- Return an already initialised pdb_context, to facilitate backward
- compatibility (see functions below).
-*******************************************************************/
+ if (sid_check_is_builtin(domain_sid)) {
-static struct pdb_context *pdb_get_static_context(BOOL reload)
-{
- static struct pdb_context *pdb_context = NULL;
+ for (i=0; i<num_names; i++) {
+ uint32_t rid;
- if ((pdb_context) && (reload)) {
- pdb_context->free_fn(&pdb_context);
- if (!NT_STATUS_IS_OK(make_pdb_context_list(&pdb_context, lp_passdb_backend()))) {
- return NULL;
+ if (lookup_builtin_name(names[i], &rid)) {
+ attrs[i] = SID_NAME_ALIAS;
+ rids[i] = rid;
+ DEBUG(5,("lookup_rids: %s:%d\n",
+ names[i], attrs[i]));
+ have_mapped = True;
+ } else {
+ have_unmapped = True;
+ attrs[i] = SID_NAME_UNKNOWN;
+ }
}
+ goto done;
}
- if (!pdb_context) {
- if (!NT_STATUS_IS_OK(make_pdb_context_list(&pdb_context, lp_passdb_backend()))) {
- return NULL;
- }
+ /* Should not happen, but better check once too many */
+ if (!sid_check_is_domain(domain_sid)) {
+ return NT_STATUS_INVALID_HANDLE;
}
- return pdb_context;
-}
-
-/******************************************************************
- Backward compatibility functions for the original passdb interface
-*******************************************************************/
-
-BOOL pdb_setsampwent(BOOL update, uint16 acb_mask)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
+ for (i = 0; i < num_names; i++) {
+ if (lookup_global_sam_name(names[i], 0, &rids[i], &attrs[i])) {
+ DEBUG(5,("lookup_names: %s-> %d:%d\n", names[i],
+ rids[i], attrs[i]));
+ have_mapped = True;
+ } else {
+ have_unmapped = True;
+ attrs[i] = SID_NAME_UNKNOWN;
+ }
}
- return NT_STATUS_IS_OK(pdb_context->pdb_setsampwent(pdb_context, update, acb_mask));
-}
+ done:
-void pdb_endsampwent(void)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ result = NT_STATUS_NONE_MAPPED;
- if (!pdb_context) {
- return;
- }
+ if (have_mapped)
+ result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
- pdb_context->pdb_endsampwent(pdb_context);
+ return result;
}
+#endif
-BOOL pdb_getsampwent(SAM_ACCOUNT *user)
+static int pdb_search_destructor(struct pdb_search *search)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
+ if ((!search->search_ended) && (search->search_end != NULL)) {
+ search->search_end(search);
}
-
- return NT_STATUS_IS_OK(pdb_context->pdb_getsampwent(pdb_context, user));
+ return 0;
}
-static SAM_ACCOUNT *sam_account_cache = NULL;
-
-BOOL pdb_getsampwnam(SAM_ACCOUNT *sam_acct, const char *username)
+struct pdb_search *pdb_search_init(TALLOC_CTX *mem_ctx,
+ enum pdb_search_type type)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ struct pdb_search *result;
- if (!pdb_context) {
- return False;
+ result = talloc(mem_ctx, struct pdb_search);
+ if (result == NULL) {
+ DEBUG(0, ("talloc failed\n"));
+ return NULL;
}
- if (!NT_STATUS_IS_OK(pdb_context->pdb_getsampwnam(pdb_context,
- sam_acct, username)))
- return False;
+ result->type = type;
+ result->cache = NULL;
+ result->num_entries = 0;
+ result->cache_size = 0;
+ result->search_ended = False;
+ result->search_end = NULL;
- if (sam_account_cache != NULL) {
- pdb_free_sam(&sam_account_cache);
- sam_account_cache = NULL;
- }
+ /* Segfault appropriately if not initialized */
+ result->next_entry = NULL;
+ result->search_end = NULL;
- pdb_copy_sam_account(sam_acct, &sam_account_cache);
- return True;
+ talloc_set_destructor(result, pdb_search_destructor);
+
+ return result;
}
-BOOL pdb_getsampwsid(SAM_ACCOUNT *sam_acct, const DOM_SID *sid)
+static void fill_displayentry(TALLOC_CTX *mem_ctx, uint32_t rid,
+ uint16_t acct_flags,
+ const char *account_name,
+ const char *fullname,
+ const char *description,
+ struct samr_displayentry *entry)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ entry->rid = rid;
+ entry->acct_flags = acct_flags;
- if (!pdb_context) {
- return False;
- }
+ if (account_name != NULL)
+ entry->account_name = talloc_strdup(mem_ctx, account_name);
+ else
+ entry->account_name = "";
- if ((sam_account_cache != NULL) &&
- (sid_equal(sid, pdb_get_user_sid(sam_account_cache))))
- return pdb_copy_sam_account(sam_account_cache, &sam_acct);
+ if (fullname != NULL)
+ entry->fullname = talloc_strdup(mem_ctx, fullname);
+ else
+ entry->fullname = "";
- return NT_STATUS_IS_OK(pdb_context->pdb_getsampwsid(pdb_context, sam_acct, sid));
+ if (description != NULL)
+ entry->description = talloc_strdup(mem_ctx, description);
+ else
+ entry->description = "";
}
-BOOL pdb_add_sam_account(SAM_ACCOUNT *sam_acct)
+struct group_search {
+ GROUP_MAP *groups;
+ size_t num_groups, current_group;
+};
+
+static bool next_entry_groups(struct pdb_search *s,
+ struct samr_displayentry *entry)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ struct group_search *state = (struct group_search *)s->private_data;
+ uint32_t rid;
+ GROUP_MAP *map = &state->groups[state->current_group];
- if (!pdb_context) {
+ if (state->current_group == state->num_groups)
return False;
- }
-
- return NT_STATUS_IS_OK(pdb_context->pdb_add_sam_account(pdb_context, sam_acct));
-}
-BOOL pdb_update_sam_account(SAM_ACCOUNT *sam_acct)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ sid_peek_rid(&map->sid, &rid);
- if (!pdb_context) {
- return False;
- }
+ fill_displayentry(s, rid, 0, map->nt_name, NULL, map->comment, entry);
- if (sam_account_cache != NULL) {
- pdb_free_sam(&sam_account_cache);
- sam_account_cache = NULL;
- }
+ state->current_group += 1;
+ return True;
+}
- return NT_STATUS_IS_OK(pdb_context->pdb_update_sam_account(pdb_context, sam_acct));
+static void search_end_groups(struct pdb_search *search)
+{
+ struct group_search *state =
+ (struct group_search *)search->private_data;
+ SAFE_FREE(state->groups);
}
-BOOL pdb_delete_sam_account(SAM_ACCOUNT *sam_acct)
+static bool pdb_search_grouptype(struct pdb_methods *methods,
+ struct pdb_search *search,
+ const struct dom_sid *sid, enum lsa_SidType type)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ struct group_search *state;
- if (!pdb_context) {
+ state = talloc(search, struct group_search);
+ if (state == NULL) {
+ DEBUG(0, ("talloc failed\n"));
return False;
}
- if (sam_account_cache != NULL) {
- pdb_free_sam(&sam_account_cache);
- sam_account_cache = NULL;
+ if (!NT_STATUS_IS_OK(methods->enum_group_mapping(methods, sid, type,
+ &state->groups, &state->num_groups,
+ True))) {
+ DEBUG(0, ("Could not enum groups\n"));
+ return False;
}
- return NT_STATUS_IS_OK(pdb_context->pdb_delete_sam_account(pdb_context, sam_acct));
+ state->current_group = 0;
+ search->private_data = state;
+ search->next_entry = next_entry_groups;
+ search->search_end = search_end_groups;
+ return True;
}
-BOOL pdb_getgrsid(GROUP_MAP *map, DOM_SID sid)
+static bool pdb_default_search_groups(struct pdb_methods *methods,
+ struct pdb_search *search)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb_context->
- pdb_getgrsid(pdb_context, map, sid));
+ return pdb_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
}
-BOOL pdb_getgrgid(GROUP_MAP *map, gid_t gid)
+static bool pdb_default_search_aliases(struct pdb_methods *methods,
+ struct pdb_search *search,
+ const struct dom_sid *sid)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
- }
- return NT_STATUS_IS_OK(pdb_context->
- pdb_getgrgid(pdb_context, map, gid));
+ return pdb_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
}
-BOOL pdb_getgrnam(GROUP_MAP *map, const char *name)
+static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
+ uint32_t idx)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ if (idx < search->num_entries)
+ return &search->cache[idx];
- if (!pdb_context) {
- return False;
- }
+ if (search->search_ended)
+ return NULL;
- return NT_STATUS_IS_OK(pdb_context->
- pdb_getgrnam(pdb_context, map, name));
-}
+ while (idx >= search->num_entries) {
+ struct samr_displayentry entry;
-BOOL pdb_add_group_mapping_entry(GROUP_MAP *map)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ if (!search->next_entry(search, &entry)) {
+ search->search_end(search);
+ search->search_ended = True;
+ break;
+ }
- if (!pdb_context) {
- return False;
+ ADD_TO_LARGE_ARRAY(search, struct samr_displayentry,
+ entry, &search->cache, &search->num_entries,
+ &search->cache_size);
}
- return NT_STATUS_IS_OK(pdb_context->
- pdb_add_group_mapping_entry(pdb_context, map));
+ return (search->num_entries > idx) ? &search->cache[idx] : NULL;
}
-BOOL pdb_update_group_mapping_entry(GROUP_MAP *map)
+struct pdb_search *pdb_search_users(TALLOC_CTX *mem_ctx, uint32_t acct_flags)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ struct pdb_methods *pdb = pdb_get_methods();
+ struct pdb_search *result;
- if (!pdb_context) {
- return False;
+ result = pdb_search_init(mem_ctx, PDB_USER_SEARCH);
+ if (result == NULL) {
+ return NULL;
}
- return NT_STATUS_IS_OK(pdb_context->
- pdb_update_group_mapping_entry(pdb_context, map));
+ if (!pdb->search_users(pdb, result, acct_flags)) {
+ TALLOC_FREE(result);
+ return NULL;
+ }
+ return result;
}
-BOOL pdb_delete_group_mapping_entry(DOM_SID sid)
+struct pdb_search *pdb_search_groups(TALLOC_CTX *mem_ctx)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ struct pdb_methods *pdb = pdb_get_methods();
+ struct pdb_search *result;
- if (!pdb_context) {
- return False;
+ result = pdb_search_init(mem_ctx, PDB_GROUP_SEARCH);
+ if (result == NULL) {
+ return NULL;
}
- return NT_STATUS_IS_OK(pdb_context->
- pdb_delete_group_mapping_entry(pdb_context, sid));
+ if (!pdb->search_groups(pdb, result)) {
+ TALLOC_FREE(result);
+ return NULL;
+ }
+ return result;
}
-BOOL pdb_enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
- int *num_entries, BOOL unix_only)
+struct pdb_search *pdb_search_aliases(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ struct pdb_methods *pdb = pdb_get_methods();
+ struct pdb_search *result;
- if (!pdb_context) {
- return False;
+ if (pdb == NULL) return NULL;
+
+ result = pdb_search_init(mem_ctx, PDB_ALIAS_SEARCH);
+ if (result == NULL) {
+ return NULL;
}
- return NT_STATUS_IS_OK(pdb_context->
- pdb_enum_group_mapping(pdb_context, sid_name_use,
- rmap, num_entries, unix_only));
+ if (!pdb->search_aliases(pdb, result, sid)) {
+ TALLOC_FREE(result);
+ return NULL;
+ }
+ return result;
}
-NTSTATUS pdb_enum_group_memberships(const char *username, gid_t primary_gid,
- DOM_SID **sids, gid_t **gids,
- int *num_groups)
+uint32_t pdb_search_entries(struct pdb_search *search,
+ uint32_t start_idx, uint32_t max_entries,
+ struct samr_displayentry **result)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ struct samr_displayentry *end_entry;
+ uint32_t end_idx = start_idx+max_entries-1;
- if (!pdb_context) {
- return NT_STATUS_UNSUCCESSFUL;
- }
+ /* The first entry needs to be searched after the last. Otherwise the
+ * first entry might have moved due to a realloc during the search for
+ * the last entry. */
- return pdb_context->pdb_enum_group_memberships(pdb_context, username,
- primary_gid, sids, gids,
- num_groups);
-}
+ end_entry = pdb_search_getentry(search, end_idx);
+ *result = pdb_search_getentry(search, start_idx);
-BOOL pdb_find_alias(const char *name, DOM_SID *sid)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ if (end_entry != NULL)
+ return max_entries;
- if (!pdb_context) {
- return False;
- }
+ if (start_idx >= search->num_entries)
+ return 0;
- return NT_STATUS_IS_OK(pdb_context->pdb_find_alias(pdb_context,
- name, sid));
+ return search->num_entries - start_idx;
}
-NTSTATUS pdb_create_alias(const char *name, uint32 *rid)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return NT_STATUS_NOT_IMPLEMENTED;
- }
+/*******************************************************************
+ trustdom methods
+ *******************************************************************/
- return pdb_context->pdb_create_alias(pdb_context, name, rid);
+bool pdb_get_trusteddom_pw(const char *domain, char** pwd, struct dom_sid *sid,
+ time_t *pass_last_set_time)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
+ pass_last_set_time);
}
-BOOL pdb_delete_alias(const DOM_SID *sid)
+bool pdb_set_trusteddom_pw(const char* domain, const char* pwd,
+ const struct dom_sid *sid)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
- }
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
+}
- return NT_STATUS_IS_OK(pdb_context->pdb_delete_alias(pdb_context,
- sid));
-
+bool pdb_del_trusteddom_pw(const char *domain)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->del_trusteddom_pw(pdb, domain);
}
-BOOL pdb_enum_aliases(const DOM_SID *sid, uint32 start_idx, uint32 max_entries,
- uint32 *num_aliases, struct acct_info **info)
+NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
+ struct trustdom_info ***domains)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
+}
- if (!pdb_context) {
- return False;
- }
+/*******************************************************************
+ the defaults for trustdom methods:
+ these simply call the original passdb/secrets.c actions,
+ to be replaced by pdb_ldap.
+ *******************************************************************/
+
+static bool pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
+ const char *domain,
+ char** pwd,
+ struct dom_sid *sid,
+ time_t *pass_last_set_time)
+{
+ return secrets_fetch_trusted_domain_password(domain, pwd,
+ sid, pass_last_set_time);
- return NT_STATUS_IS_OK(pdb_context->pdb_enum_aliases(pdb_context, sid,
- start_idx,
- max_entries,
- num_aliases,
- info));
}
-BOOL pdb_get_aliasinfo(const DOM_SID *sid, struct acct_info *info)
+static bool pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
+ const char* domain,
+ const char* pwd,
+ const struct dom_sid *sid)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
- }
+ return secrets_store_trusted_domain_password(domain, pwd, sid);
+}
- return NT_STATUS_IS_OK(pdb_context->pdb_get_aliasinfo(pdb_context, sid,
- info));
+static bool pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
+ const char *domain)
+{
+ return trusted_domain_password_delete(domain);
}
-BOOL pdb_set_aliasinfo(const DOM_SID *sid, struct acct_info *info)
+static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_domains,
+ struct trustdom_info ***domains)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ return secrets_trusted_domains(mem_ctx, num_domains, domains);
+}
- if (!pdb_context) {
- return False;
- }
+/*******************************************************************
+ trusted_domain methods
+ *******************************************************************/
- return NT_STATUS_IS_OK(pdb_context->pdb_set_aliasinfo(pdb_context, sid,
- info));
+NTSTATUS pdb_get_trusted_domain(TALLOC_CTX *mem_ctx, const char *domain,
+ struct pdb_trusted_domain **td)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_trusted_domain(pdb, mem_ctx, domain, td);
}
-BOOL pdb_add_aliasmem(const DOM_SID *alias, const DOM_SID *member)
+NTSTATUS pdb_get_trusted_domain_by_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid,
+ struct pdb_trusted_domain **td)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
-
- if (!pdb_context) {
- return False;
- }
-
- return NT_STATUS_IS_OK(pdb_context->
- pdb_add_aliasmem(pdb_context, alias, member));
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_trusted_domain_by_sid(pdb, mem_ctx, sid, td);
}
-BOOL pdb_del_aliasmem(const DOM_SID *alias, const DOM_SID *member)
+NTSTATUS pdb_set_trusted_domain(const char* domain,
+ const struct pdb_trusted_domain *td)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_trusted_domain(pdb, domain, td);
+}
- if (!pdb_context) {
- return False;
- }
+NTSTATUS pdb_del_trusted_domain(const char *domain)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->del_trusted_domain(pdb, domain);
+}
- return NT_STATUS_IS_OK(pdb_context->
- pdb_del_aliasmem(pdb_context, alias, member));
+NTSTATUS pdb_enum_trusted_domains(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
+ struct pdb_trusted_domain ***domains)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->enum_trusted_domains(pdb, mem_ctx, num_domains, domains);
}
-BOOL pdb_enum_aliasmem(const DOM_SID *alias,
- DOM_SID **members, int *num_members)
+static NTSTATUS pdb_default_get_trusted_domain(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ const char *domain,
+ struct pdb_trusted_domain **td)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ struct trustAuthInOutBlob taiob;
+ struct AuthenticationInformation aia;
+ struct pdb_trusted_domain *tdom;
+ enum ndr_err_code ndr_err;
+ time_t last_set_time;
+ char *pwd;
+ bool ok;
- if (!pdb_context) {
- return False;
+ tdom = talloc(mem_ctx, struct pdb_trusted_domain);
+ if (!tdom) {
+ return NT_STATUS_NO_MEMORY;
}
- return NT_STATUS_IS_OK(pdb_context->
- pdb_enum_aliasmem(pdb_context, alias,
- members, num_members));
-}
+ tdom->domain_name = talloc_strdup(tdom, domain);
+ tdom->netbios_name = talloc_strdup(tdom, domain);
+ if (!tdom->domain_name || !tdom->netbios_name) {
+ talloc_free(tdom);
+ return NT_STATUS_NO_MEMORY;
+ }
-BOOL pdb_enum_alias_memberships(const DOM_SID *members, int num_members,
- DOM_SID **aliases, int *num)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ tdom->trust_auth_incoming = data_blob_null;
- if (!pdb_context) {
- return False;
+ ok = pdb_get_trusteddom_pw(domain, &pwd, &tdom->security_identifier,
+ &last_set_time);
+ if (!ok) {
+ talloc_free(tdom);
+ return NT_STATUS_UNSUCCESSFUL;
}
- return NT_STATUS_IS_OK(pdb_context->
- pdb_enum_alias_memberships(pdb_context, members,
- num_members,
- aliases, num));
-}
+ ZERO_STRUCT(taiob);
+ ZERO_STRUCT(aia);
+ taiob.count = 1;
+ taiob.current.count = 1;
+ taiob.current.array = &aia;
+ unix_to_nt_time(&aia.LastUpdateTime, last_set_time);
+ aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
+ aia.AuthInfo.clear.password = (uint8_t *) pwd;
+ aia.AuthInfo.clear.size = strlen(pwd);
+ taiob.previous.count = 0;
+ taiob.previous.array = NULL;
+
+ ndr_err = ndr_push_struct_blob(&tdom->trust_auth_outgoing,
+ tdom, &taiob,
+ (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ talloc_free(tdom);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
-BOOL pdb_get_account_policy(int policy_index, int *value)
-{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ tdom->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
+ tdom->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
+ tdom->trust_attributes = 0;
+ tdom->trust_forest_trust_info = data_blob_null;
- if (!pdb_context) {
- return False;
- }
+ *td = tdom;
+ return NT_STATUS_OK;
+}
- return NT_STATUS_IS_OK(pdb_context->
- pdb_get_account_policy(pdb_context, policy_index, value));
+static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ struct dom_sid *sid,
+ struct pdb_trusted_domain **td)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
}
-BOOL pdb_set_account_policy(int policy_index, int value)
+#define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
+
+static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
+ const char* domain,
+ const struct pdb_trusted_domain *td)
{
- struct pdb_context *pdb_context = pdb_get_static_context(False);
+ struct trustAuthInOutBlob taiob;
+ struct AuthenticationInformation *aia;
+ enum ndr_err_code ndr_err;
+ char *pwd;
+ bool ok;
- if (!pdb_context) {
- return False;
+ if (td->trust_attributes != 0 ||
+ td->trust_type != LSA_TRUST_TYPE_DOWNLEVEL ||
+ td->trust_direction != LSA_TRUST_DIRECTION_OUTBOUND ||
+ !IS_NULL_DATA_BLOB(td->trust_auth_incoming) ||
+ !IS_NULL_DATA_BLOB(td->trust_forest_trust_info)) {
+ return NT_STATUS_NOT_IMPLEMENTED;
}
- return NT_STATUS_IS_OK(pdb_context->
- pdb_set_account_policy(pdb_context, policy_index, value));
-}
-
-/***************************************************************
- Initialize the static context (at smbd startup etc).
+ ZERO_STRUCT(taiob);
+ ndr_err = ndr_pull_struct_blob(&td->trust_auth_outgoing, talloc_tos(),
+ &taiob,
+ (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
- If uninitialised, context will auto-init on first use.
- ***************************************************************/
+ aia = (struct AuthenticationInformation *) taiob.current.array;
-BOOL initialize_password_db(BOOL reload)
-{
- return (pdb_get_static_context(reload) != NULL);
-}
+ if (taiob.count != 1 || taiob.current.count != 1 ||
+ taiob.previous.count != 0 ||
+ aia->AuthType != TRUST_AUTH_TYPE_CLEAR) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+ pwd = talloc_strndup(talloc_tos(), (char *) aia->AuthInfo.clear.password,
+ aia->AuthInfo.clear.size);
+ if (!pwd) {
+ return NT_STATUS_NO_MEMORY;
+ }
-/***************************************************************************
- Default implementations of some functions.
- ****************************************************************************/
+ ok = pdb_set_trusteddom_pw(domain, pwd, &td->security_identifier);
+ if (!ok) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
-static NTSTATUS pdb_default_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user, const char *sname)
-{
- return NT_STATUS_NO_SUCH_USER;
+ return NT_STATUS_OK;
}
-static NTSTATUS pdb_default_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
+static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
+ const char *domain)
{
- return NT_STATUS_NO_SUCH_USER;
+ return NT_STATUS_NOT_IMPLEMENTED;
}
-static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, SAM_ACCOUNT *newpwd)
+static NTSTATUS pdb_default_enum_trusted_domains(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_domains,
+ struct pdb_trusted_domain ***domains)
{
- DEBUG(0,("this backend (%s) should not be listed as the first passdb backend! You can't add users to it.\n", methods->name));
return NT_STATUS_NOT_IMPLEMENTED;
}
-static NTSTATUS pdb_default_update_sam_account (struct pdb_methods *methods, SAM_ACCOUNT *newpwd)
+static struct pdb_domain_info *pdb_default_get_domain_info(
+ struct pdb_methods *m, TALLOC_CTX *mem_ctx)
{
- return NT_STATUS_NOT_IMPLEMENTED;
+ return NULL;
}
-static NTSTATUS pdb_default_delete_sam_account (struct pdb_methods *methods, SAM_ACCOUNT *pwd)
+/*******************************************************************
+ secret methods
+ *******************************************************************/
+
+NTSTATUS pdb_get_secret(TALLOC_CTX *mem_ctx,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ NTTIME *secret_current_lastchange,
+ DATA_BLOB *secret_old,
+ NTTIME *secret_old_lastchange,
+ struct security_descriptor **sd)
{
- return NT_STATUS_NOT_IMPLEMENTED;
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_secret(pdb, mem_ctx, secret_name,
+ secret_current, secret_current_lastchange,
+ secret_old, secret_old_lastchange,
+ sd);
}
-static NTSTATUS pdb_default_setsampwent(struct pdb_methods *methods, BOOL update, uint16 acb_mask)
+NTSTATUS pdb_set_secret(const char *secret_name,
+ DATA_BLOB *secret_current,
+ DATA_BLOB *secret_old,
+ struct security_descriptor *sd)
{
- return NT_STATUS_NOT_IMPLEMENTED;
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_secret(pdb, secret_name,
+ secret_current,
+ secret_old,
+ sd);
}
-static NTSTATUS pdb_default_getsampwent(struct pdb_methods *methods, SAM_ACCOUNT *user)
+NTSTATUS pdb_delete_secret(const char *secret_name)
{
- return NT_STATUS_NOT_IMPLEMENTED;
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->delete_secret(pdb, secret_name);
}
-static void pdb_default_endsampwent(struct pdb_methods *methods)
+static NTSTATUS pdb_default_get_secret(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ NTTIME *secret_current_lastchange,
+ DATA_BLOB *secret_old,
+ NTTIME *secret_old_lastchange,
+ struct security_descriptor **sd)
{
- return; /* NT_STATUS_NOT_IMPLEMENTED; */
+ return lsa_secret_get(mem_ctx, secret_name,
+ secret_current,
+ secret_current_lastchange,
+ secret_old,
+ secret_old_lastchange,
+ sd);
}
-static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, int policy_index, int *value)
+static NTSTATUS pdb_default_set_secret(struct pdb_methods *methods,
+ const char *secret_name,
+ DATA_BLOB *secret_current,
+ DATA_BLOB *secret_old,
+ struct security_descriptor *sd)
{
- return account_policy_get(policy_index, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+ return lsa_secret_set(secret_name,
+ secret_current,
+ secret_old,
+ sd);
}
-static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, int policy_index, int value)
+static NTSTATUS pdb_default_delete_secret(struct pdb_methods *methods,
+ const char *secret_name)
{
- return account_policy_set(policy_index, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+ return lsa_secret_delete(secret_name);
}
-NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods)
+/*******************************************************************
+ Create a pdb_methods structure and initialize it with the default
+ operations. In this way a passdb module can simply implement
+ the functionality it cares about. However, normally this is done
+ in groups of related functions.
+*******************************************************************/
+
+NTSTATUS make_pdb_method( struct pdb_methods **methods )
{
- *methods = TALLOC_P(mem_ctx, struct pdb_methods);
+ /* allocate memory for the structure as its own talloc CTX */
- if (!*methods) {
+ *methods = talloc_zero(NULL, struct pdb_methods);
+ if (*methods == NULL) {
return NT_STATUS_NO_MEMORY;
}
- ZERO_STRUCTP(*methods);
-
- (*methods)->setsampwent = pdb_default_setsampwent;
- (*methods)->endsampwent = pdb_default_endsampwent;
- (*methods)->getsampwent = pdb_default_getsampwent;
+ (*methods)->get_domain_info = pdb_default_get_domain_info;
(*methods)->getsampwnam = pdb_default_getsampwnam;
(*methods)->getsampwsid = pdb_default_getsampwsid;
+ (*methods)->create_user = pdb_default_create_user;
+ (*methods)->delete_user = pdb_default_delete_user;
(*methods)->add_sam_account = pdb_default_add_sam_account;
(*methods)->update_sam_account = pdb_default_update_sam_account;
(*methods)->delete_sam_account = pdb_default_delete_sam_account;
+ (*methods)->rename_sam_account = pdb_default_rename_sam_account;
+ (*methods)->update_login_attempts = pdb_default_update_login_attempts;
(*methods)->getgrsid = pdb_default_getgrsid;
(*methods)->getgrgid = pdb_default_getgrgid;
(*methods)->getgrnam = pdb_default_getgrnam;
+ (*methods)->create_dom_group = pdb_default_create_dom_group;
+ (*methods)->delete_dom_group = pdb_default_delete_dom_group;
(*methods)->add_group_mapping_entry = pdb_default_add_group_mapping_entry;
(*methods)->update_group_mapping_entry = pdb_default_update_group_mapping_entry;
(*methods)->delete_group_mapping_entry = pdb_default_delete_group_mapping_entry;
(*methods)->enum_group_mapping = pdb_default_enum_group_mapping;
+ (*methods)->enum_group_members = pdb_default_enum_group_members;
(*methods)->enum_group_memberships = pdb_default_enum_group_memberships;
- (*methods)->find_alias = pdb_default_find_alias;
+ (*methods)->set_unix_primary_group = pdb_default_set_unix_primary_group;
+ (*methods)->add_groupmem = pdb_default_add_groupmem;
+ (*methods)->del_groupmem = pdb_default_del_groupmem;
(*methods)->create_alias = pdb_default_create_alias;
(*methods)->delete_alias = pdb_default_delete_alias;
- (*methods)->enum_aliases = pdb_default_enum_aliases;
(*methods)->get_aliasinfo = pdb_default_get_aliasinfo;
(*methods)->set_aliasinfo = pdb_default_set_aliasinfo;
(*methods)->add_aliasmem = pdb_default_add_aliasmem;
(*methods)->del_aliasmem = pdb_default_del_aliasmem;
(*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
(*methods)->enum_alias_memberships = pdb_default_alias_memberships;
+ (*methods)->lookup_rids = pdb_default_lookup_rids;
(*methods)->get_account_policy = pdb_default_get_account_policy;
(*methods)->set_account_policy = pdb_default_set_account_policy;
+ (*methods)->get_seq_num = pdb_default_get_seq_num;
+ (*methods)->uid_to_sid = pdb_default_uid_to_sid;
+ (*methods)->gid_to_sid = pdb_default_gid_to_sid;
+ (*methods)->sid_to_id = pdb_default_sid_to_id;
+
+ (*methods)->search_groups = pdb_default_search_groups;
+ (*methods)->search_aliases = pdb_default_search_aliases;
+
+ (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
+ (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
+ (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
+ (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
+
+ (*methods)->get_trusted_domain = pdb_default_get_trusted_domain;
+ (*methods)->get_trusted_domain_by_sid = pdb_default_get_trusted_domain_by_sid;
+ (*methods)->set_trusted_domain = pdb_default_set_trusted_domain;
+ (*methods)->del_trusted_domain = pdb_default_del_trusted_domain;
+ (*methods)->enum_trusted_domains = pdb_default_enum_trusted_domains;
+
+ (*methods)->get_secret = pdb_default_get_secret;
+ (*methods)->set_secret = pdb_default_set_secret;
+ (*methods)->delete_secret = pdb_default_delete_secret;
return NT_STATUS_OK;
}
git.samba.org / amitay / samba.git / blobdiff