return false;
}
-static NTSTATUS pdb_samba_dsdb_get_trusted_domain_internal(struct pdb_methods *m,
- TALLOC_CTX *mem_ctx,
- const char *domain,
- struct pdb_trusted_domain **td,
- struct ldb_message **_msg)
-{
- struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
- m->private_data, struct pdb_samba_dsdb_state);
- TALLOC_CTX *tmp_ctx = talloc_stackframe();
- const char * const attrs[] = {
- "securityIdentifier",
- "flatName",
- "trustPartner",
- "trustAuthIncoming",
- "trustAuthOutgoing",
- "whenCreated",
- "msDS-SupportedEncryptionTypes",
- "trustAttributes",
- "trustDirection",
- "trustType",
- "trustPosixOffset",
- "msDS-TrustForestTrustInfo",
- NULL
- };
- struct ldb_message *msg;
- const struct ldb_val *val = NULL;
- NTSTATUS status;
- const char *netbios_domain = NULL;
- const char *dns_domain = NULL;
- const struct dom_sid *domain_sid = NULL;
- struct pdb_trusted_domain *tdom;
-
- status = sam_get_results_trust(state->ldb, tmp_ctx, domain,
- NULL, attrs, &msg);
- if (!NT_STATUS_IS_OK(status)) {
- /*
- * This can be called to work out of a domain is
- * trusted, rather than just to get the password
- */
- DEBUG(2, ("Failed to get trusted domain password for %s. "
- "It may not be a trusted domain.\n", domain));
- TALLOC_FREE(tmp_ctx);
- return status;
- }
-
- netbios_domain = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
- if (netbios_domain == NULL) {
- DEBUG(2, ("Trusted domain %s has no flatName defined.\n",
- domain));
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
- dns_domain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
- if (dns_domain == NULL) {
- DEBUG(2, ("Trusted domain %s has no trustPartner defined.\n",
- domain));
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
- domain_sid = samdb_result_dom_sid(tmp_ctx, msg, "securityIdentifier");
- if (domain_sid == NULL) {
- DEBUG(2, ("Trusted domain %s has no securityIdentifier defined.\n",
- domain));
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
- tdom = talloc_zero(tmp_ctx, struct pdb_trusted_domain);
- if (tdom == NULL) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- tdom->domain_name = talloc_strdup(tdom, dns_domain);
- if (tdom->domain_name == NULL) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
- tdom->netbios_name = talloc_strdup(tdom, netbios_domain);
- if (tdom->netbios_name == NULL) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
- tdom->security_identifier = *domain_sid;
-
- tdom->trust_direction = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
- tdom->trust_type = ldb_msg_find_attr_as_int(msg, "trustType", 0);
- tdom->trust_attributes = ldb_msg_find_attr_as_int(msg, "trustAttributes", 0);
-
- val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
- if (val != NULL) {
- tdom->trust_auth_incoming = *val;
- talloc_steal(tdom, val->data);
- }
- val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
- if (val != NULL) {
- tdom->trust_auth_outgoing = *val;
- talloc_steal(tdom, val->data);
- }
- val = ldb_msg_find_ldb_val(msg, "msDS-TrustForestTrustInfo");
- if (val != NULL) {
- tdom->trust_forest_trust_info = *val;
- talloc_steal(tdom, val->data);
- }
- val = ldb_msg_find_ldb_val(msg, "trustPosixOffset");
- if (val != NULL) {
- tdom->trust_posix_offset = talloc(tdom, uint32_t);
- if (tdom->trust_posix_offset == NULL) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
- *tdom->trust_posix_offset = ldb_msg_find_attr_as_int(msg,
- "trustPosixOffset", 0);
- }
- val = ldb_msg_find_ldb_val(msg, "msDS-SupportedEncryptionTypes");
- if (val != NULL) {
- tdom->supported_enc_type = talloc(tdom, uint32_t);
- if (tdom->supported_enc_type == NULL) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
- *tdom->supported_enc_type = ldb_msg_find_attr_as_int(msg,
- "msDS-SupportedEncryptionTypes", 0);
- }
-
- *td = talloc_move(mem_ctx, &tdom);
- if (_msg != NULL) {
- *_msg = talloc_move(mem_ctx, &msg);
- }
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_OK;
-}
-
-static NTSTATUS pdb_samba_dsdb_get_trusted_domain(struct pdb_methods *m,
- TALLOC_CTX *mem_ctx,
- const char *domain,
- struct pdb_trusted_domain **td)
-{
- return pdb_samba_dsdb_get_trusted_domain_internal(m, mem_ctx,
- domain, td, NULL);
-}
-
-static NTSTATUS pdb_samba_dsdb_get_trusted_domain_by_sid(struct pdb_methods *m,
- TALLOC_CTX *mem_ctx,
- struct dom_sid *sid,
- struct pdb_trusted_domain **td)
-{
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static NTSTATUS pdb_samba_dsdb_set_trusted_domain(struct pdb_methods *m,
- const char *domain,
- const struct pdb_trusted_domain *td)
-{
- struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
- m->private_data, struct pdb_samba_dsdb_state);
- TALLOC_CTX *tmp_ctx = talloc_stackframe();
- struct ldb_message *msg = NULL;
- NTSTATUS status;
- struct pdb_trusted_domain *otd = NULL;
- int cmp;
- bool ok;
- int ret;
-
- ret = ldb_transaction_start(state->ldb);
- if (ret != LDB_SUCCESS) {
- return NT_STATUS_INTERNAL_DB_ERROR;
- }
-
- status = pdb_samba_dsdb_get_trusted_domain_internal(m, tmp_ctx, domain,
- &otd, &msg);
- if (!NT_STATUS_IS_OK(status)) {
- /*
- * This can be called to work out of a domain is
- * trusted, rather than just to get the password
- */
- DEBUG(2, ("Failed to get trusted domain password for %s. "
- "It may not be a trusted domain.\n", domain));
- ldb_transaction_cancel(state->ldb);
- TALLOC_FREE(tmp_ctx);
- return status;
- }
-
- TALLOC_FREE(msg->elements);
- msg->num_elements = 0;
-
- /*
- * For now we only support changing
- */
- cmp = strcmp(otd->domain_name, td->domain_name);
- if (cmp != 0) {
- goto not_implemented;
- }
-
- cmp = strcmp(otd->netbios_name, td->netbios_name);
- if (cmp != 0) {
- goto not_implemented;
- }
-
- ok = dom_sid_equal(&otd->security_identifier, &td->security_identifier);
- if (!ok) {
- goto not_implemented;
- }
-
- if (otd->trust_type != td->trust_type) {
- goto not_implemented;
- }
-
- if (otd->trust_direction != td->trust_direction) {
- goto not_implemented;
- }
-
- if (otd->trust_attributes != td->trust_attributes) {
- goto not_implemented;
- }
-
- if (otd->trust_auth_incoming.length != td->trust_auth_incoming.length) {
- goto not_implemented;
- }
- cmp = memcmp(otd->trust_auth_incoming.data,
- td->trust_auth_incoming.data,
- td->trust_auth_incoming.length);
- if (cmp != 0) {
- goto not_implemented;
- }
-
- if (otd->trust_auth_outgoing.length != td->trust_auth_outgoing.length) {
- goto not_implemented;
- }
- cmp = memcmp(otd->trust_auth_outgoing.data,
- td->trust_auth_outgoing.data,
- td->trust_auth_outgoing.length);
- if (cmp != 0) {
- goto not_implemented;
- }
-
- if (otd->trust_posix_offset != NULL &&
- td->trust_posix_offset != NULL)
- {
- if (*otd->trust_posix_offset != *td->trust_posix_offset) {
- goto not_implemented;
- }
- } else if (otd->trust_posix_offset != NULL) {
- goto not_implemented;
- } else if (td->trust_posix_offset != NULL) {
- goto not_implemented;
- }
-
- if (otd->supported_enc_type != NULL &&
- td->supported_enc_type != NULL)
- {
- if (*otd->supported_enc_type != *td->supported_enc_type) {
- goto not_implemented;
- }
- } else if (otd->supported_enc_type != NULL) {
- goto not_implemented;
- } else if (td->supported_enc_type != NULL) {
- goto not_implemented;
- }
-
- if ((otd->trust_forest_trust_info.length > 0) ||
- (td->trust_forest_trust_info.length > 0))
- {
- ret = ldb_msg_add_empty(msg, "msDS-TrustForestTrustInfo",
- LDB_FLAG_MOD_REPLACE, NULL);
- if (ret != LDB_SUCCESS) {
- ldb_transaction_cancel(state->ldb);
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
- if (td->trust_forest_trust_info.length > 0) {
- if (!(td->trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)) {
- goto not_implemented;
- }
-
- ret = ldb_msg_add_value(msg, "msDS-TrustForestTrustInfo",
- &td->trust_forest_trust_info,
- NULL);
- if (ret != LDB_SUCCESS) {
- ldb_transaction_cancel(state->ldb);
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
- }
- }
-
- if (msg->num_elements > 0) {
- ret = ldb_modify(state->ldb, msg);
- if (ret != LDB_SUCCESS) {
- ldb_transaction_cancel(state->ldb);
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_INTERNAL_DB_ERROR;
- }
-
- ret = ldb_transaction_commit(state->ldb);
- if (ret != LDB_SUCCESS) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_INTERNAL_DB_ERROR;
- }
- } else {
- ldb_transaction_cancel(state->ldb);
- }
-
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_OK;
-
-not_implemented:
- ldb_transaction_cancel(state->ldb);
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
static NTSTATUS pdb_samba_dsdb_enum_trusteddoms(struct pdb_methods *m,
TALLOC_CTX *mem_ctx,
uint32_t *_num_domains,
m->get_trusteddom_creds = pdb_samba_dsdb_get_trusteddom_creds;
m->set_trusteddom_pw = pdb_samba_dsdb_set_trusteddom_pw;
m->del_trusteddom_pw = pdb_samba_dsdb_del_trusteddom_pw;
- m->get_trusted_domain = pdb_samba_dsdb_get_trusted_domain;
- m->get_trusted_domain_by_sid = pdb_samba_dsdb_get_trusted_domain_by_sid;
- m->set_trusted_domain = pdb_samba_dsdb_set_trusted_domain;
m->enum_trusteddoms = pdb_samba_dsdb_enum_trusteddoms;
m->get_trusted_domain = pdb_samba_dsdb_get_trusted_domain;
m->get_trusted_domain_by_sid = pdb_samba_dsdb_get_trusted_domain_by_sid;