bbd3339f2f9a29aed7fa20ede2923d6cd9cb0447
[samba.git] / source3 / passdb / pdb_ipa.c
1 /*
2    Unix SMB/CIFS implementation.
3    IPA helper functions for SAMBA
4    Copyright (C) Sumit Bose <sbose@redhat.com> 2010
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 3 of the License, or
9    (at your option) any later version.
10
11    This program is distributed in the hope that it will be useful,
12    but WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15
16    You should have received a copy of the GNU General Public License
17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
18
19 */
20
21 #include "includes.h"
22 #include "passdb.h"
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/samr.h"
26 #include "secrets.h"
27
28 #include "smbldap.h"
29 #include "passdb/pdb_ldap.h"
30 #include "passdb/pdb_ipa.h"
31 #include "passdb/pdb_ldap_schema.h"
32
33 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
34 #define IPA_MAGIC_ID_STR "999"
35
36 #define LDAP_TRUST_CONTAINER "ou=system"
37 #define LDAP_ATTRIBUTE_CN "cn"
38 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
39 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
40 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
41 #define LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET "sambaTrustPosixOffset"
42 #define LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE "sambaSupportedEncryptionTypes"
43 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
44 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
45 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
46 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
47 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
48 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
49 #define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
50
51 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
52 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
53 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
54
55 #define LDAP_OBJ_IPAOBJECT "ipaObject"
56 #define LDAP_OBJ_IPAHOST "ipaHost"
57 #define LDAP_OBJ_POSIXACCOUNT "posixAccount"
58
59 #define LDAP_OBJ_GROUPOFNAMES "groupOfNames"
60 #define LDAP_OBJ_NESTEDGROUP "nestedGroup"
61 #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
62 #define LDAP_OBJ_POSIXGROUP "posixGroup"
63
64 #define HAS_KRB_PRINCIPAL (1<<0)
65 #define HAS_KRB_PRINCIPAL_AUX (1<<1)
66 #define HAS_IPAOBJECT (1<<2)
67 #define HAS_IPAHOST (1<<3)
68 #define HAS_POSIXACCOUNT (1<<4)
69 #define HAS_GROUPOFNAMES (1<<5)
70 #define HAS_NESTEDGROUP (1<<6)
71 #define HAS_IPAUSERGROUP (1<<7)
72 #define HAS_POSIXGROUP (1<<8)
73
74 struct ipasam_privates {
75         bool server_is_ipa;
76         NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
77                                             struct samu *sampass);
78         NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
79                                                struct samu *sampass);
80         NTSTATUS (*ldapsam_create_user)(struct pdb_methods *my_methods,
81                                         TALLOC_CTX *tmp_ctx, const char *name,
82                                         uint32_t acb_info, uint32_t *rid);
83         NTSTATUS (*ldapsam_create_dom_group)(struct pdb_methods *my_methods,
84                                              TALLOC_CTX *tmp_ctx,
85                                              const char *name,
86                                              uint32_t *rid);
87 };
88
89 static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
90                                       const char *domain,
91                                       char** pwd,
92                                       struct dom_sid *sid,
93                                       time_t *pass_last_set_time)
94 {
95         return false;
96 }
97
98 static bool ipasam_set_trusteddom_pw(struct pdb_methods *methods,
99                                       const char* domain,
100                                       const char* pwd,
101                                       const struct dom_sid *sid)
102 {
103         return false;
104 }
105
106 static bool ipasam_del_trusteddom_pw(struct pdb_methods *methods,
107                                       const char *domain)
108 {
109         return false;
110 }
111
112 static char *get_account_dn(const char *name)
113 {
114         char *escape_name;
115         char *dn;
116
117         escape_name = escape_rdn_val_string_alloc(name);
118         if (!escape_name) {
119                 return NULL;
120         }
121
122         if (name[strlen(name)-1] == '$') {
123                 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
124                                      lp_ldap_machine_suffix(talloc_tos()));
125         } else {
126                 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
127                                      lp_ldap_user_suffix(talloc_tos()));
128         }
129
130         SAFE_FREE(escape_name);
131
132         return dn;
133 }
134
135 static char *trusted_domain_dn(struct ldapsam_privates *ldap_state,
136                                const char *domain)
137 {
138         return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
139                                LDAP_ATTRIBUTE_CN, domain,
140                                LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
141 }
142
143 static char *trusted_domain_base_dn(struct ldapsam_privates *ldap_state)
144 {
145         return talloc_asprintf(talloc_tos(), "%s,%s",
146                                LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
147 }
148
149 static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state,
150                                    TALLOC_CTX *mem_ctx,
151                                    const char *filter, LDAPMessage **entry)
152 {
153         int rc;
154         char *base_dn = NULL;
155         LDAPMessage *result = NULL;
156         uint32_t num_result;
157
158         base_dn = trusted_domain_base_dn(ldap_state);
159         if (base_dn == NULL) {
160                 return false;
161         }
162
163         rc = smbldap_search(ldap_state->smbldap_state, base_dn,
164                             LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result);
165         TALLOC_FREE(base_dn);
166
167         if (result != NULL) {
168                 talloc_autofree_ldapmsg(mem_ctx, result);
169         }
170
171         if (rc == LDAP_NO_SUCH_OBJECT) {
172                 *entry = NULL;
173                 return true;
174         }
175
176         if (rc != LDAP_SUCCESS) {
177                 return false;
178         }
179
180         num_result = ldap_count_entries(priv2ld(ldap_state), result);
181
182         if (num_result > 1) {
183                 DEBUG(1, ("get_trusted_domain_int: more than one "
184                           "%s object with filter '%s'?!\n",
185                           LDAP_OBJ_TRUSTED_DOMAIN, filter));
186                 return false;
187         }
188
189         if (num_result == 0) {
190                 DEBUG(1, ("get_trusted_domain_int: no "
191                           "%s object with filter '%s'.\n",
192                           LDAP_OBJ_TRUSTED_DOMAIN, filter));
193                 *entry = NULL;
194         } else {
195                 *entry = ldap_first_entry(priv2ld(ldap_state), result);
196         }
197
198         return true;
199 }
200
201 static bool get_trusted_domain_by_name_int(struct ldapsam_privates *ldap_state,
202                                           TALLOC_CTX *mem_ctx,
203                                           const char *domain,
204                                           LDAPMessage **entry)
205 {
206         char *filter = NULL;
207
208         filter = talloc_asprintf(talloc_tos(),
209                                  "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
210                                  LDAP_OBJ_TRUSTED_DOMAIN,
211                                  LDAP_ATTRIBUTE_FLAT_NAME, domain,
212                                  LDAP_ATTRIBUTE_TRUST_PARTNER, domain, domain);
213         if (filter == NULL) {
214                 return false;
215         }
216
217         return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
218 }
219
220 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates *ldap_state,
221                                            TALLOC_CTX *mem_ctx,
222                                            const char *sid, LDAPMessage **entry)
223 {
224         char *filter = NULL;
225
226         filter = talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
227                                  LDAP_OBJ_TRUSTED_DOMAIN,
228                                  LDAP_ATTRIBUTE_SECURITY_IDENTIFIER, sid);
229         if (filter == NULL) {
230                 return false;
231         }
232
233         return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
234 }
235
236 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state,
237                                        LDAPMessage *entry,
238                                        const char *attr,
239                                        uint32_t *val)
240 {
241         char *dummy;
242         long int l;
243         char *endptr;
244
245         dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
246                                                 attr, talloc_tos());
247         if (dummy == NULL) {
248                 DEBUG(9, ("Attribute %s not present.\n", attr));
249                 *val = 0;
250                 return true;
251         }
252
253         l = strtoul(dummy, &endptr, 10);
254         TALLOC_FREE(dummy);
255
256         if (l < 0 || l > UINT32_MAX || *endptr != '\0') {
257                 return false;
258         }
259
260         *val = l;
261
262         return true;
263 }
264
265 static void get_data_blob_from_ldap_msg(TALLOC_CTX *mem_ctx,
266                                         struct ldapsam_privates *ldap_state,
267                                         LDAPMessage *entry, const char *attr,
268                                         DATA_BLOB *_blob)
269 {
270         char *dummy;
271         DATA_BLOB blob;
272
273         dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, attr,
274                                                 talloc_tos());
275         if (dummy == NULL) {
276                 DEBUG(9, ("Attribute %s not present.\n", attr));
277                 ZERO_STRUCTP(_blob);
278         } else {
279                 blob = base64_decode_data_blob(dummy);
280                 if (blob.length == 0) {
281                         ZERO_STRUCTP(_blob);
282                 } else {
283                         _blob->length = blob.length;
284                         _blob->data = talloc_steal(mem_ctx, blob.data);
285                 }
286         }
287         TALLOC_FREE(dummy);
288 }
289
290 static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
291                                     struct ldapsam_privates *ldap_state,
292                                     LDAPMessage *entry,
293                                     struct pdb_trusted_domain **_td)
294 {
295         char *dummy;
296         bool res;
297         struct pdb_trusted_domain *td;
298
299         if (entry == NULL) {
300                 return false;
301         }
302
303         td = talloc_zero(mem_ctx, struct pdb_trusted_domain);
304         if (td == NULL) {
305                 return false;
306         }
307
308         /* All attributes are MAY */
309
310         dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
311                                                 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
312                                                 talloc_tos());
313         if (dummy == NULL) {
314                 DEBUG(9, ("Attribute %s not present.\n",
315                           LDAP_ATTRIBUTE_SECURITY_IDENTIFIER));
316                 ZERO_STRUCT(td->security_identifier);
317         } else {
318                 res = string_to_sid(&td->security_identifier, dummy);
319                 TALLOC_FREE(dummy);
320                 if (!res) {
321                         return false;
322                 }
323         }
324
325         get_data_blob_from_ldap_msg(td, ldap_state, entry,
326                                     LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
327                                     &td->trust_auth_incoming);
328
329         get_data_blob_from_ldap_msg(td, ldap_state, entry,
330                                     LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
331                                     &td->trust_auth_outgoing);
332
333         td->netbios_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
334                                                            entry,
335                                                            LDAP_ATTRIBUTE_FLAT_NAME,
336                                                            td);
337         if (td->netbios_name == NULL) {
338                 DEBUG(9, ("Attribute %s not present.\n",
339                           LDAP_ATTRIBUTE_FLAT_NAME));
340         }
341
342         td->domain_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
343                                                           entry,
344                                                           LDAP_ATTRIBUTE_TRUST_PARTNER,
345                                                           td);
346         if (td->domain_name == NULL) {
347                 DEBUG(9, ("Attribute %s not present.\n",
348                           LDAP_ATTRIBUTE_TRUST_PARTNER));
349         }
350
351         res = get_uint32_t_from_ldap_msg(ldap_state, entry,
352                                          LDAP_ATTRIBUTE_TRUST_DIRECTION,
353                                          &td->trust_direction);
354         if (!res) {
355                 return false;
356         }
357
358         res = get_uint32_t_from_ldap_msg(ldap_state, entry,
359                                          LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
360                                          &td->trust_attributes);
361         if (!res) {
362                 return false;
363         }
364
365         res = get_uint32_t_from_ldap_msg(ldap_state, entry,
366                                          LDAP_ATTRIBUTE_TRUST_TYPE,
367                                          &td->trust_type);
368         if (!res) {
369                 return false;
370         }
371
372         td->trust_posix_offset = talloc(td, uint32_t);
373         if (td->trust_posix_offset == NULL) {
374                 return false;
375         }
376         res = get_uint32_t_from_ldap_msg(ldap_state, entry,
377                                          LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
378                                          td->trust_posix_offset);
379         if (!res) {
380                 return false;
381         }
382
383         td->supported_enc_type = talloc(td, uint32_t);
384         if (td->supported_enc_type == NULL) {
385                 return false;
386         }
387         res = get_uint32_t_from_ldap_msg(ldap_state, entry,
388                                          LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
389                                          td->supported_enc_type);
390         if (!res) {
391                 return false;
392         }
393
394
395         get_data_blob_from_ldap_msg(td, ldap_state, entry,
396                                     LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
397                                     &td->trust_forest_trust_info);
398
399         *_td = td;
400
401         return true;
402 }
403
404 static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
405                                           TALLOC_CTX *mem_ctx,
406                                           const char *domain,
407                                           struct pdb_trusted_domain **td)
408 {
409         struct ldapsam_privates *ldap_state =
410                 (struct ldapsam_privates *)methods->private_data;
411         LDAPMessage *entry = NULL;
412
413         DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain));
414
415         if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
416                                             &entry)) {
417                 return NT_STATUS_UNSUCCESSFUL;
418         }
419         if (entry == NULL) {
420                 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
421                           "%s\n", domain));
422                 return NT_STATUS_NO_SUCH_DOMAIN;
423         }
424
425         if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
426                 return NT_STATUS_UNSUCCESSFUL;
427         }
428
429         return NT_STATUS_OK;
430 }
431
432 static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
433                                                  TALLOC_CTX *mem_ctx,
434                                                  struct dom_sid *sid,
435                                                  struct pdb_trusted_domain **td)
436 {
437         struct ldapsam_privates *ldap_state =
438                 (struct ldapsam_privates *)methods->private_data;
439         LDAPMessage *entry = NULL;
440         char *sid_str;
441
442         sid_str = sid_string_tos(sid);
443
444         DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
445                    sid_str));
446
447         if (!get_trusted_domain_by_sid_int(ldap_state, talloc_tos(), sid_str,
448                                            &entry)) {
449                 return NT_STATUS_UNSUCCESSFUL;
450         }
451         if (entry == NULL) {
452                 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
453                           "with sid: %s\n", sid_str));
454                 return NT_STATUS_NO_SUCH_DOMAIN;
455         }
456
457         if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
458                 return NT_STATUS_UNSUCCESSFUL;
459         }
460
461         return NT_STATUS_OK;
462 }
463
464 static bool smbldap_make_mod_uint32_t(LDAP *ldap_struct, LDAPMessage *entry,
465                                       LDAPMod ***mods, const char *attribute,
466                                       const uint32_t val)
467 {
468         char *dummy;
469
470         dummy = talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val);
471         if (dummy == NULL) {
472                 return false;
473         }
474         smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
475         TALLOC_FREE(dummy);
476
477         return true;
478 }
479
480 static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
481                                           const char* domain,
482                                           const struct pdb_trusted_domain *td)
483 {
484         struct ldapsam_privates *ldap_state =
485                 (struct ldapsam_privates *)methods->private_data;
486         LDAPMessage *entry = NULL;
487         LDAPMod **mods;
488         bool res;
489         char *trusted_dn = NULL;
490         int ret;
491
492         DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
493
494         res = get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
495                                              &entry);
496         if (!res) {
497                 return NT_STATUS_UNSUCCESSFUL;
498         }
499
500         mods = NULL;
501         smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
502                          LDAP_OBJ_TRUSTED_DOMAIN);
503
504         if (td->netbios_name != NULL) {
505                 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
506                                  LDAP_ATTRIBUTE_FLAT_NAME,
507                                  td->netbios_name);
508         }
509
510         if (td->domain_name != NULL) {
511                 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
512                                  LDAP_ATTRIBUTE_TRUST_PARTNER,
513                                  td->domain_name);
514         }
515
516         if (!is_null_sid(&td->security_identifier)) {
517                 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
518                                  LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
519                                  sid_string_tos(&td->security_identifier));
520         }
521
522         if (td->trust_type != 0) {
523                 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
524                                                 &mods, LDAP_ATTRIBUTE_TRUST_TYPE,
525                                                 td->trust_type);
526                 if (!res) {
527                         return NT_STATUS_UNSUCCESSFUL;
528                 }
529         }
530
531         if (td->trust_attributes != 0) {
532                 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
533                                                 &mods,
534                                                 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
535                                                 td->trust_attributes);
536                 if (!res) {
537                         return NT_STATUS_UNSUCCESSFUL;
538                 }
539         }
540
541         if (td->trust_direction != 0) {
542                 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
543                                                 &mods,
544                                                 LDAP_ATTRIBUTE_TRUST_DIRECTION,
545                                                 td->trust_direction);
546                 if (!res) {
547                         return NT_STATUS_UNSUCCESSFUL;
548                 }
549         }
550
551         if (td->trust_posix_offset != NULL) {
552                 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
553                                                 &mods,
554                                                 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
555                                                 *td->trust_posix_offset);
556                 if (!res) {
557                         return NT_STATUS_UNSUCCESSFUL;
558                 }
559         }
560
561         if (td->supported_enc_type != NULL) {
562                 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
563                                                 &mods,
564                                                 LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
565                                                 *td->supported_enc_type);
566                 if (!res) {
567                         return NT_STATUS_UNSUCCESSFUL;
568                 }
569         }
570
571         if (td->trust_auth_outgoing.data != NULL) {
572                 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
573                                       LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
574                                       &td->trust_auth_outgoing);
575         }
576
577         if (td->trust_auth_incoming.data != NULL) {
578                 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
579                                       LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
580                                       &td->trust_auth_incoming);
581         }
582
583         if (td->trust_forest_trust_info.data != NULL) {
584                 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
585                                       LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
586                                       &td->trust_forest_trust_info);
587         }
588
589         talloc_autofree_ldapmod(talloc_tos(), mods);
590
591         trusted_dn = trusted_domain_dn(ldap_state, domain);
592         if (trusted_dn == NULL) {
593                 return NT_STATUS_NO_MEMORY;
594         }
595         if (entry == NULL) {
596                 ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
597         } else {
598                 ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
599         }
600
601         if (ret != LDAP_SUCCESS) {
602                 DEBUG(1, ("error writing trusted domain data!\n"));
603                 return NT_STATUS_UNSUCCESSFUL;
604         }
605         return NT_STATUS_OK;
606 }
607
608 static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
609                                            const char *domain)
610 {
611         int ret;
612         struct ldapsam_privates *ldap_state =
613                 (struct ldapsam_privates *)methods->private_data;
614         LDAPMessage *entry = NULL;
615         const char *dn;
616
617         if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
618                                             &entry)) {
619                 return NT_STATUS_UNSUCCESSFUL;
620         }
621
622         if (entry == NULL) {
623                 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
624                           "%s\n", domain));
625                 return NT_STATUS_NO_SUCH_DOMAIN;
626         }
627
628         dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
629         if (dn == NULL) {
630                 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
631                 return NT_STATUS_NO_MEMORY;
632         }
633
634         ret = smbldap_delete(ldap_state->smbldap_state, dn);
635         if (ret != LDAP_SUCCESS) {
636                 return NT_STATUS_UNSUCCESSFUL;
637         }
638
639         return NT_STATUS_OK;
640 }
641
642 static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods,
643                                             TALLOC_CTX *mem_ctx,
644                                             uint32_t *num_domains,
645                                             struct pdb_trusted_domain ***domains)
646 {
647         int rc;
648         struct ldapsam_privates *ldap_state =
649                 (struct ldapsam_privates *)methods->private_data;
650         char *base_dn = NULL;
651         char *filter = NULL;
652         int scope = LDAP_SCOPE_SUBTREE;
653         LDAPMessage *result = NULL;
654         LDAPMessage *entry = NULL;
655
656         filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
657                                  LDAP_OBJ_TRUSTED_DOMAIN);
658         if (filter == NULL) {
659                 return NT_STATUS_NO_MEMORY;
660         }
661
662         base_dn = trusted_domain_base_dn(ldap_state);
663         if (base_dn == NULL) {
664                 TALLOC_FREE(filter);
665                 return NT_STATUS_NO_MEMORY;
666         }
667
668         rc = smbldap_search(ldap_state->smbldap_state, base_dn, scope, filter,
669                             NULL, 0, &result);
670         TALLOC_FREE(filter);
671         TALLOC_FREE(base_dn);
672
673         if (result != NULL) {
674                 talloc_autofree_ldapmsg(mem_ctx, result);
675         }
676
677         if (rc == LDAP_NO_SUCH_OBJECT) {
678                 *num_domains = 0;
679                 *domains = NULL;
680                 return NT_STATUS_OK;
681         }
682
683         if (rc != LDAP_SUCCESS) {
684                 return NT_STATUS_UNSUCCESSFUL;
685         }
686
687         *num_domains = 0;
688         if (!(*domains = talloc_array(mem_ctx, struct pdb_trusted_domain *, 1))) {
689                 DEBUG(1, ("talloc failed\n"));
690                 return NT_STATUS_NO_MEMORY;
691         }
692
693         for (entry = ldap_first_entry(priv2ld(ldap_state), result);
694              entry != NULL;
695              entry = ldap_next_entry(priv2ld(ldap_state), entry))
696         {
697                 struct pdb_trusted_domain *dom_info;
698
699                 if (!fill_pdb_trusted_domain(*domains, ldap_state, entry,
700                                              &dom_info)) {
701                         return NT_STATUS_UNSUCCESSFUL;
702                 }
703
704                 ADD_TO_ARRAY(*domains, struct pdb_trusted_domain *, dom_info,
705                              domains, num_domains);
706
707                 if (*domains == NULL) {
708                         DEBUG(1, ("talloc failed\n"));
709                         return NT_STATUS_NO_MEMORY;
710                 }
711         }
712
713         DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains));
714         return NT_STATUS_OK;
715 }
716
717 static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
718                                          TALLOC_CTX *mem_ctx,
719                                          uint32_t *num_domains,
720                                          struct trustdom_info ***domains)
721 {
722         NTSTATUS status;
723         struct pdb_trusted_domain **td;
724         int i;
725
726         status = ipasam_enum_trusted_domains(methods, talloc_tos(),
727                                              num_domains, &td);
728         if (!NT_STATUS_IS_OK(status)) {
729                 return status;
730         }
731
732         if (*num_domains == 0) {
733                 return NT_STATUS_OK;
734         }
735
736         if (!(*domains = talloc_array(mem_ctx, struct trustdom_info *,
737                                       *num_domains))) {
738                 DEBUG(1, ("talloc failed\n"));
739                 return NT_STATUS_NO_MEMORY;
740         }
741
742         for (i = 0; i < *num_domains; i++) {
743                 struct trustdom_info *dom_info;
744
745                 dom_info = talloc(*domains, struct trustdom_info);
746                 if (dom_info == NULL) {
747                         DEBUG(1, ("talloc failed\n"));
748                         return NT_STATUS_NO_MEMORY;
749                 }
750
751                 dom_info->name = talloc_steal(mem_ctx, td[i]->netbios_name);
752                 sid_copy(&dom_info->sid, &td[i]->security_identifier);
753
754                 (*domains)[i] = dom_info;
755         }
756
757         return NT_STATUS_OK;
758 }
759
760 static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
761 {
762         return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
763 }
764
765 static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pdb_methods,
766                                                           TALLOC_CTX *mem_ctx)
767 {
768         struct pdb_domain_info *info;
769         struct ldapsam_privates *ldap_state =
770                         (struct ldapsam_privates *)pdb_methods->private_data;
771         char sid_buf[24];
772         DATA_BLOB sid_blob;
773         NTSTATUS status;
774
775         info = talloc(mem_ctx, struct pdb_domain_info);
776         if (info == NULL) {
777                 return NULL;
778         }
779
780         info->name = talloc_strdup(info, ldap_state->domain_name);
781         if (info->name == NULL) {
782                 goto fail;
783         }
784
785         /* TODO: read dns_domain, dns_forest and guid from LDAP */
786         info->dns_domain = talloc_strdup(info, lp_realm());
787         if (info->dns_domain == NULL) {
788                 goto fail;
789         }
790         strlower_m(info->dns_domain);
791         info->dns_forest = talloc_strdup(info, info->dns_domain);
792
793         /* we expect a domain SID to have 4 sub IDs */
794         if (ldap_state->domain_sid.num_auths != 4) {
795                 goto fail;
796         }
797
798         sid_copy(&info->sid, &ldap_state->domain_sid);
799
800         if (!sid_linearize(sid_buf, sizeof(sid_buf), &info->sid)) {
801                 goto fail;
802         }
803
804         /* the first 8 bytes of the linearized SID are not random,
805          * so we skip them */
806         sid_blob.data = (uint8_t *) sid_buf + 8 ;
807         sid_blob.length = 16;
808
809         status = GUID_from_ndr_blob(&sid_blob, &info->guid);
810         if (!NT_STATUS_IS_OK(status)) {
811                 goto fail;
812         }
813
814         return info;
815
816 fail:
817         TALLOC_FREE(info);
818         return NULL;
819 }
820
821 static NTSTATUS modify_ipa_password_exop(struct ldapsam_privates *ldap_state,
822                                          struct samu *sampass)
823 {
824         int ret;
825         BerElement *ber = NULL;
826         struct berval *bv = NULL;
827         char *retoid = NULL;
828         struct berval *retdata = NULL;
829         const char *password;
830         char *dn;
831
832         password = pdb_get_plaintext_passwd(sampass);
833         if (password == NULL || *password == '\0') {
834                 return NT_STATUS_INVALID_PARAMETER;
835         }
836
837         dn = get_account_dn(pdb_get_username(sampass));
838         if (dn == NULL) {
839                 return NT_STATUS_INVALID_PARAMETER;
840         }
841
842         ber = ber_alloc_t( LBER_USE_DER );
843         if (ber == NULL) {
844                 DEBUG(7, ("ber_alloc_t failed.\n"));
845                 return NT_STATUS_NO_MEMORY;
846         }
847
848         ret = ber_printf(ber, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, dn,
849                          LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, password);
850         if (ret == -1) {
851                 DEBUG(7, ("ber_printf failed.\n"));
852                 ber_free(ber, 1);
853                 return NT_STATUS_UNSUCCESSFUL;
854         }
855
856         ret = ber_flatten(ber, &bv);
857         ber_free(ber, 1);
858         if (ret == -1) {
859                 DEBUG(1, ("ber_flatten failed.\n"));
860                 return NT_STATUS_UNSUCCESSFUL;
861         }
862
863         ret = smbldap_extended_operation(ldap_state->smbldap_state,
864                                          LDAP_EXOP_MODIFY_PASSWD, bv, NULL,
865                                          NULL, &retoid, &retdata);
866         ber_bvfree(bv);
867         if (retdata) {
868                 ber_bvfree(retdata);
869         }
870         if (retoid) {
871                 ldap_memfree(retoid);
872         }
873         if (ret != LDAP_SUCCESS) {
874                 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
875                 return NT_STATUS_UNSUCCESSFUL;
876         }
877
878         return NT_STATUS_OK;
879 }
880
881 static NTSTATUS ipasam_get_objectclasses(struct ldapsam_privates *ldap_state,
882                                          const char *dn, LDAPMessage *entry,
883                                          uint32_t *has_objectclass)
884 {
885         char **objectclasses;
886         size_t c;
887
888         objectclasses = ldap_get_values(priv2ld(ldap_state), entry,
889                                         LDAP_ATTRIBUTE_OBJECTCLASS);
890         if (objectclasses == NULL) {
891                 DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn));
892                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
893         }
894
895         *has_objectclass = 0;
896         for (c = 0; objectclasses[c] != NULL; c++) {
897                 if (strequal(objectclasses[c], LDAP_OBJ_KRB_PRINCIPAL)) {
898                         *has_objectclass |= HAS_KRB_PRINCIPAL;
899                 } else if (strequal(objectclasses[c],
900                            LDAP_OBJ_KRB_PRINCIPAL_AUX)) {
901                         *has_objectclass |= HAS_KRB_PRINCIPAL_AUX;
902                 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAOBJECT)) {
903                         *has_objectclass |= HAS_IPAOBJECT;
904                 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAHOST)) {
905                         *has_objectclass |= HAS_IPAHOST;
906                 } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXACCOUNT)) {
907                         *has_objectclass |= HAS_POSIXACCOUNT;
908                 } else if (strequal(objectclasses[c], LDAP_OBJ_GROUPOFNAMES)) {
909                         *has_objectclass |= HAS_GROUPOFNAMES;
910                 } else if (strequal(objectclasses[c], LDAP_OBJ_NESTEDGROUP)) {
911                         *has_objectclass |= HAS_NESTEDGROUP;
912                 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAUSERGROUP)) {
913                         *has_objectclass |= HAS_IPAUSERGROUP;
914                 } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXGROUP)) {
915                         *has_objectclass |= HAS_POSIXGROUP;
916                 }
917         }
918         ldap_value_free(objectclasses);
919
920         return NT_STATUS_OK;
921 }
922
923 enum obj_type {
924         IPA_NO_OBJ = 0,
925         IPA_USER_OBJ,
926         IPA_GROUP_OBJ
927 };
928
929 static NTSTATUS find_obj(struct ldapsam_privates *ldap_state, const char *name,
930                          enum obj_type type, char **_dn,
931                          uint32_t *_has_objectclass)
932 {
933         int ret;
934         char *username;
935         char *filter;
936         LDAPMessage *result = NULL;
937         LDAPMessage *entry = NULL;
938         int num_result;
939         char *dn;
940         uint32_t has_objectclass;
941         NTSTATUS status;
942         const char *obj_class = NULL;
943
944         switch (type) {
945                 case IPA_USER_OBJ:
946                         obj_class = LDAP_OBJ_POSIXACCOUNT;
947                         break;
948                 case IPA_GROUP_OBJ:
949                         obj_class = LDAP_OBJ_POSIXGROUP;
950                         break;
951                 default:
952                         DEBUG(0, ("Unsupported IPA object.\n"));
953                         return NT_STATUS_INVALID_PARAMETER;
954         }
955
956         username = escape_ldap_string(talloc_tos(), name);
957         if (username == NULL) {
958                 return NT_STATUS_NO_MEMORY;
959         }
960         filter = talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
961                                  username, obj_class);
962         if (filter == NULL) {
963                 return NT_STATUS_NO_MEMORY;
964         }
965         TALLOC_FREE(username);
966
967         ret = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL,
968                                     &result);
969         if (ret != LDAP_SUCCESS) {
970                 DEBUG(0, ("smbldap_search_suffix failed.\n"));
971                 return NT_STATUS_ACCESS_DENIED;
972         }
973
974         num_result = ldap_count_entries(priv2ld(ldap_state), result);
975
976         if (num_result != 1) {
977                 if (num_result == 0) {
978                         switch (type) {
979                                 case IPA_USER_OBJ:
980                                         status = NT_STATUS_NO_SUCH_USER;
981                                         break;
982                                 case IPA_GROUP_OBJ:
983                                         status = NT_STATUS_NO_SUCH_GROUP;
984                                         break;
985                                 default:
986                                         status = NT_STATUS_INVALID_PARAMETER;
987                         }
988                 } else {
989                         DEBUG (0, ("find_user: More than one object with name [%s] ?!\n",
990                                    name));
991                         status = NT_STATUS_INTERNAL_DB_CORRUPTION;
992                 }
993                 goto done;
994         }
995
996         entry = ldap_first_entry(priv2ld(ldap_state), result);
997         if (!entry) {
998                 DEBUG(0,("find_user: Out of memory!\n"));
999                 status = NT_STATUS_UNSUCCESSFUL;
1000                 goto done;
1001         }
1002
1003         dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
1004         if (!dn) {
1005                 DEBUG(0,("find_user: Out of memory!\n"));
1006                 status = NT_STATUS_NO_MEMORY;
1007                 goto done;
1008         }
1009
1010         status = ipasam_get_objectclasses(ldap_state, dn, entry, &has_objectclass);
1011         if (!NT_STATUS_IS_OK(status)) {
1012                 goto done;
1013         }
1014
1015         *_dn = dn;
1016         *_has_objectclass = has_objectclass;
1017
1018         status = NT_STATUS_OK;
1019
1020 done:
1021         ldap_msgfree(result);
1022
1023         return status;
1024 }
1025
1026 static NTSTATUS find_user(struct ldapsam_privates *ldap_state, const char *name,
1027                           char **_dn, uint32_t *_has_objectclass)
1028 {
1029         return find_obj(ldap_state, name, IPA_USER_OBJ, _dn, _has_objectclass);
1030 }
1031
1032 static NTSTATUS find_group(struct ldapsam_privates *ldap_state, const char *name,
1033                            char **_dn, uint32_t *_has_objectclass)
1034 {
1035         return find_obj(ldap_state, name, IPA_GROUP_OBJ, _dn, _has_objectclass);
1036 }
1037
1038 static NTSTATUS ipasam_add_posix_account_objectclass(struct ldapsam_privates *ldap_state,
1039                                                      int ldap_op,
1040                                                      const char *dn,
1041                                                      const char *username)
1042 {
1043         int ret;
1044         LDAPMod **mods = NULL;
1045
1046         smbldap_set_mod(&mods, LDAP_MOD_ADD,
1047                         "objectclass", "posixAccount");
1048         smbldap_set_mod(&mods, LDAP_MOD_ADD,
1049                         "cn", username);
1050         smbldap_set_mod(&mods, LDAP_MOD_ADD,
1051                         "uidNumber", IPA_MAGIC_ID_STR);
1052         smbldap_set_mod(&mods, LDAP_MOD_ADD,
1053                         "gidNumber", "12345");
1054         smbldap_set_mod(&mods, LDAP_MOD_ADD,
1055                         "homeDirectory", "/dev/null");
1056
1057         if (ldap_op == LDAP_MOD_ADD) {
1058             ret = smbldap_add(ldap_state->smbldap_state, dn, mods);
1059         } else {
1060             ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1061         }
1062         ldap_mods_free(mods, 1);
1063         if (ret != LDAP_SUCCESS) {
1064                 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1065                           username, dn));
1066                 return NT_STATUS_LDAP(ret);
1067         }
1068
1069         return NT_STATUS_OK;
1070 }
1071
1072 static NTSTATUS ipasam_add_ipa_group_objectclasses(struct ldapsam_privates *ldap_state,
1073                                                    const char *dn,
1074                                                    const char *name,
1075                                                    uint32_t has_objectclass)
1076 {
1077         LDAPMod **mods = NULL;
1078         int ret;
1079
1080         if (!(has_objectclass & HAS_GROUPOFNAMES)) {
1081                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1082                                 LDAP_ATTRIBUTE_OBJECTCLASS,
1083                                 LDAP_OBJ_GROUPOFNAMES);
1084         }
1085
1086         if (!(has_objectclass & HAS_NESTEDGROUP)) {
1087                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1088                                 LDAP_ATTRIBUTE_OBJECTCLASS,
1089                                 LDAP_OBJ_NESTEDGROUP);
1090         }
1091
1092         if (!(has_objectclass & HAS_IPAUSERGROUP)) {
1093                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1094                                 LDAP_ATTRIBUTE_OBJECTCLASS,
1095                                 LDAP_OBJ_IPAUSERGROUP);
1096         }
1097
1098         if (!(has_objectclass & HAS_IPAOBJECT)) {
1099                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1100                                 LDAP_ATTRIBUTE_OBJECTCLASS,
1101                                 LDAP_OBJ_IPAOBJECT);
1102         }
1103
1104         if (!(has_objectclass & HAS_POSIXGROUP)) {
1105                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1106                                 LDAP_ATTRIBUTE_OBJECTCLASS,
1107                                 LDAP_OBJ_POSIXGROUP);
1108                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1109                                 LDAP_ATTRIBUTE_CN,
1110                                 name);
1111                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1112                                 LDAP_ATTRIBUTE_GIDNUMBER,
1113                                 IPA_MAGIC_ID_STR);
1114         }
1115
1116         ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1117         ldap_mods_free(mods, 1);
1118         if (ret != LDAP_SUCCESS) {
1119                 DEBUG(1, ("failed to modify/add group %s (dn = %s)\n",
1120                           name, dn));
1121                 return NT_STATUS_LDAP(ret);
1122         }
1123
1124         return NT_STATUS_OK;
1125 }
1126
1127 static NTSTATUS ipasam_add_ipa_objectclasses(struct ldapsam_privates *ldap_state,
1128                                              const char *dn, const char *name,
1129                                              const char *domain,
1130                                              uint32_t acct_flags,
1131                                              uint32_t has_objectclass)
1132 {
1133         LDAPMod **mods = NULL;
1134         int ret;
1135         char *princ;
1136
1137         if (!(has_objectclass & HAS_KRB_PRINCIPAL)) {
1138                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1139                                 LDAP_ATTRIBUTE_OBJECTCLASS,
1140                                 LDAP_OBJ_KRB_PRINCIPAL);
1141
1142                 princ = talloc_asprintf(talloc_tos(), "%s@%s", name, lp_realm());
1143                 if (princ == NULL) {
1144                         return NT_STATUS_NO_MEMORY;
1145                 }
1146
1147                 smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
1148         }
1149
1150         if (!(has_objectclass & HAS_KRB_PRINCIPAL_AUX)) {
1151                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1152                                 LDAP_ATTRIBUTE_OBJECTCLASS,
1153                                 LDAP_OBJ_KRB_PRINCIPAL_AUX);
1154         }
1155
1156         if (!(has_objectclass & HAS_IPAOBJECT)) {
1157                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1158                                 LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_IPAOBJECT);
1159         }
1160
1161         if ((acct_flags != 0) &&
1162             (((acct_flags & ACB_NORMAL) && name[strlen(name)-1] == '$') ||
1163             ((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))) {
1164
1165                 if (!(has_objectclass & HAS_IPAHOST)) {
1166                         smbldap_set_mod(&mods, LDAP_MOD_ADD,
1167                                         LDAP_ATTRIBUTE_OBJECTCLASS,
1168                                         LDAP_OBJ_IPAHOST);
1169
1170                         if (domain == NULL) {
1171                                 return NT_STATUS_INVALID_PARAMETER;
1172                         }
1173
1174                         smbldap_set_mod(&mods, LDAP_MOD_ADD,
1175                                         "fqdn", domain);
1176                 }
1177         }
1178
1179         if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1180                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1181                                 "objectclass", "posixAccount");
1182                 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1183                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1184                                 "uidNumber", IPA_MAGIC_ID_STR);
1185                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1186                                 "gidNumber", "12345");
1187                 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1188                                 "homeDirectory", "/dev/null");
1189         }
1190
1191         if (mods != NULL) {
1192                 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1193                 ldap_mods_free(mods, 1);
1194                 if (ret != LDAP_SUCCESS) {
1195                         DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1196                                   name, dn));
1197                         return NT_STATUS_LDAP(ret);
1198                 }
1199         }
1200
1201         return NT_STATUS_OK;
1202 }
1203
1204 static NTSTATUS pdb_ipasam_add_sam_account(struct pdb_methods *pdb_methods,
1205                                            struct samu *sampass)
1206 {
1207         NTSTATUS status;
1208         struct ldapsam_privates *ldap_state;
1209         const char *name;
1210         char *dn;
1211         uint32_t has_objectclass;
1212         uint32_t rid;
1213         struct dom_sid user_sid;
1214
1215         ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1216
1217         if (IS_SAM_SET(sampass, PDB_USERSID) ||
1218             IS_SAM_CHANGED(sampass, PDB_USERSID)) {
1219                 if (!pdb_new_rid(&rid)) {
1220                         return NT_STATUS_DS_NO_MORE_RIDS;
1221                 }
1222                 sid_compose(&user_sid, get_global_sam_sid(), rid);
1223                 if (!pdb_set_user_sid(sampass, &user_sid, PDB_SET)) {
1224                         return NT_STATUS_UNSUCCESSFUL;
1225                 }
1226         }
1227
1228         status = ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
1229                                                                       sampass);
1230         if (!NT_STATUS_IS_OK(status)) {
1231                 return status;
1232         }
1233
1234         if (ldap_state->ipasam_privates->server_is_ipa) {
1235                 name = pdb_get_username(sampass);
1236                 if (name == NULL || *name == '\0') {
1237                         return NT_STATUS_INVALID_PARAMETER;
1238                 }
1239
1240                 status = find_user(ldap_state, name, &dn, &has_objectclass);
1241                 if (!NT_STATUS_IS_OK(status)) {
1242                         return status;
1243                 }
1244
1245                 status = ipasam_add_ipa_objectclasses(ldap_state, dn, name,
1246                                                       pdb_get_domain(sampass),
1247                                                       pdb_get_acct_ctrl(sampass),
1248                                                       has_objectclass);
1249                 if (!NT_STATUS_IS_OK(status)) {
1250                         return status;
1251                 }
1252
1253                 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1254                         status = ipasam_add_posix_account_objectclass(ldap_state,
1255                                                                       LDAP_MOD_REPLACE,
1256                                                                       dn, name);
1257                         if (!NT_STATUS_IS_OK(status)) {
1258                                 return status;
1259                         }
1260                 }
1261
1262                 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
1263                         status = modify_ipa_password_exop(ldap_state, sampass);
1264                         if (!NT_STATUS_IS_OK(status)) {
1265                                 return status;
1266                         }
1267                 }
1268         }
1269
1270         return NT_STATUS_OK;
1271 }
1272
1273 static NTSTATUS pdb_ipasam_update_sam_account(struct pdb_methods *pdb_methods,
1274                                               struct samu *sampass)
1275 {
1276         NTSTATUS status;
1277         struct ldapsam_privates *ldap_state;
1278         ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1279
1280         status = ldap_state->ipasam_privates->ldapsam_update_sam_account(pdb_methods,
1281                                                                          sampass);
1282         if (!NT_STATUS_IS_OK(status)) {
1283                 return status;
1284         }
1285
1286         if (ldap_state->ipasam_privates->server_is_ipa) {
1287                 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
1288                         status = modify_ipa_password_exop(ldap_state, sampass);
1289                         if (!NT_STATUS_IS_OK(status)) {
1290                                 return status;
1291                         }
1292                 }
1293         }
1294
1295         return NT_STATUS_OK;
1296 }
1297
1298 static NTSTATUS ipasam_create_dom_group(struct pdb_methods *pdb_methods,
1299                                         TALLOC_CTX *tmp_ctx, const char *name,
1300                                         uint32_t *rid)
1301 {
1302         NTSTATUS status;
1303         struct ldapsam_privates *ldap_state;
1304         char *dn;
1305         uint32_t has_objectclass = 0;
1306
1307         ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1308
1309         if (name == NULL || *name == '\0') {
1310                 return NT_STATUS_INVALID_PARAMETER;
1311         }
1312
1313         status = find_group(ldap_state, name, &dn, &has_objectclass);
1314         if (!NT_STATUS_IS_OK(status) &&
1315                         !NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1316                 return status;
1317         }
1318
1319         if (!(has_objectclass & HAS_POSIXGROUP)) {
1320                 status = ipasam_add_ipa_group_objectclasses(ldap_state, dn,
1321                                                             name,
1322                                                             has_objectclass);
1323                 if (!NT_STATUS_IS_OK(status)) {
1324                         return status;
1325                 }
1326         }
1327
1328         status = ldap_state->ipasam_privates->ldapsam_create_dom_group(pdb_methods,
1329                                                                        tmp_ctx,
1330                                                                        name,
1331                                                                        rid);
1332         if (!NT_STATUS_IS_OK(status)) {
1333                 return status;
1334         }
1335
1336         return NT_STATUS_OK;
1337 }
1338 static NTSTATUS ipasam_create_user(struct pdb_methods *pdb_methods,
1339                                    TALLOC_CTX *tmp_ctx, const char *name,
1340                                    uint32_t acb_info, uint32_t *rid)
1341 {
1342         NTSTATUS status;
1343         struct ldapsam_privates *ldap_state;
1344         int ldap_op = LDAP_MOD_REPLACE;
1345         char *dn;
1346         uint32_t has_objectclass = 0;
1347
1348         ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1349
1350         if (name == NULL || *name == '\0') {
1351                 return NT_STATUS_INVALID_PARAMETER;
1352         }
1353
1354         status = find_user(ldap_state, name, &dn, &has_objectclass);
1355         if (NT_STATUS_IS_OK(status)) {
1356                 ldap_op = LDAP_MOD_REPLACE;
1357         } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1358                 char *escape_username;
1359                 ldap_op = LDAP_MOD_ADD;
1360                 escape_username = escape_rdn_val_string_alloc(name);
1361                 if (!escape_username) {
1362                         return NT_STATUS_NO_MEMORY;
1363                 }
1364                 if (name[strlen(name)-1] == '$') {
1365                         dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
1366                                              escape_username,
1367                                              lp_ldap_machine_suffix(talloc_tos()));
1368                 } else {
1369                         dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
1370                                              escape_username,
1371                                              lp_ldap_user_suffix(talloc_tos()));
1372                 }
1373                 SAFE_FREE(escape_username);
1374                 if (!dn) {
1375                         return NT_STATUS_NO_MEMORY;
1376                 }
1377         } else {
1378                 return status;
1379         }
1380
1381         if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1382                 status = ipasam_add_posix_account_objectclass(ldap_state, ldap_op,
1383                                                               dn, name);
1384                 if (!NT_STATUS_IS_OK(status)) {
1385                         return status;
1386                 }
1387                 has_objectclass |= HAS_POSIXACCOUNT;
1388         }
1389
1390         status = ldap_state->ipasam_privates->ldapsam_create_user(pdb_methods,
1391                                                                   tmp_ctx, name,
1392                                                                   acb_info, rid);
1393         if (!NT_STATUS_IS_OK(status)) {
1394                 return status;
1395         }
1396
1397         status = ipasam_add_ipa_objectclasses(ldap_state, dn, name, lp_realm(),
1398                                               acb_info, has_objectclass);
1399         if (!NT_STATUS_IS_OK(status)) {
1400                 return status;
1401         }
1402
1403         return NT_STATUS_OK;
1404 }
1405
1406 static NTSTATUS pdb_ipa_init_secrets(struct pdb_methods *m)
1407 {
1408 #if _SAMBA_BUILD_ == 4
1409         struct pdb_domain_info *dom_info;
1410         bool ret;
1411
1412         dom_info = pdb_ipasam_get_domain_info(m, m);
1413         if (!dom_info) {
1414                 return NT_STATUS_UNSUCCESSFUL;
1415         }
1416
1417         secrets_clear_domain_protection(dom_info->name);
1418         ret = secrets_store_domain_sid(dom_info->name,
1419                                        &dom_info->sid);
1420         if (!ret) {
1421                 goto done;
1422         }
1423         ret = secrets_store_domain_guid(dom_info->name,
1424                                         &dom_info->guid);
1425         if (!ret) {
1426                 goto done;
1427         }
1428         ret = secrets_mark_domain_protected(dom_info->name);
1429         if (!ret) {
1430                 goto done;
1431         }
1432
1433 done:
1434         TALLOC_FREE(dom_info);
1435         if (!ret) {
1436                 return NT_STATUS_UNSUCCESSFUL;
1437         }
1438 #endif
1439         return NT_STATUS_OK;
1440 }
1441
1442 static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location)
1443 {
1444         struct ldapsam_privates *ldap_state;
1445         NTSTATUS status;
1446
1447         status = pdb_init_ldapsam(pdb_method, location);
1448         if (!NT_STATUS_IS_OK(status)) {
1449                 return status;
1450         }
1451
1452         (*pdb_method)->name = "IPA_ldapsam";
1453
1454         ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
1455         ldap_state->ipasam_privates = talloc_zero(ldap_state,
1456                                                   struct ipasam_privates);
1457         if (ldap_state->ipasam_privates == NULL) {
1458                 return NT_STATUS_NO_MEMORY;
1459         }
1460         ldap_state->is_ipa_ldap = True;
1461
1462         ldap_state->ipasam_privates->server_is_ipa = smbldap_has_extension(
1463                                         priv2ld(ldap_state), IPA_KEYTAB_SET_OID);
1464         ldap_state->ipasam_privates->ldapsam_add_sam_account = (*pdb_method)->add_sam_account;
1465         ldap_state->ipasam_privates->ldapsam_update_sam_account = (*pdb_method)->update_sam_account;
1466         ldap_state->ipasam_privates->ldapsam_create_user = (*pdb_method)->create_user;
1467         ldap_state->ipasam_privates->ldapsam_create_dom_group = (*pdb_method)->create_dom_group;
1468
1469         (*pdb_method)->add_sam_account = pdb_ipasam_add_sam_account;
1470         (*pdb_method)->update_sam_account = pdb_ipasam_update_sam_account;
1471
1472         if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
1473                 if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
1474                         (*pdb_method)->create_user = ipasam_create_user;
1475                         (*pdb_method)->create_dom_group = ipasam_create_dom_group;
1476                 }
1477         }
1478
1479         (*pdb_method)->capabilities = pdb_ipasam_capabilities;
1480         (*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
1481
1482         (*pdb_method)->get_trusteddom_pw = ipasam_get_trusteddom_pw;
1483         (*pdb_method)->set_trusteddom_pw = ipasam_set_trusteddom_pw;
1484         (*pdb_method)->del_trusteddom_pw = ipasam_del_trusteddom_pw;
1485         (*pdb_method)->enum_trusteddoms = ipasam_enum_trusteddoms;
1486
1487         (*pdb_method)->get_trusted_domain = ipasam_get_trusted_domain;
1488         (*pdb_method)->get_trusted_domain_by_sid = ipasam_get_trusted_domain_by_sid;
1489         (*pdb_method)->set_trusted_domain = ipasam_set_trusted_domain;
1490         (*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain;
1491         (*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains;
1492
1493         status = pdb_ipa_init_secrets(*pdb_method);
1494         if (!NT_STATUS_IS_OK(status)) {
1495                 DEBUG(10, ("pdb_ipa_init_secrets failed!\n"));
1496                 return status;
1497         }
1498
1499         return NT_STATUS_OK;
1500 }
1501
1502 NTSTATUS pdb_ipa_init(void)
1503 {
1504         NTSTATUS nt_status;
1505
1506         if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "IPA_ldapsam", pdb_init_IPA_ldapsam)))
1507                 return nt_status;
1508
1509         return NT_STATUS_OK;
1510 }