2 ldb database library - Samba3 SAM compatibility backend
4 Copyright (C) Jelmer Vernooij 2005
5 Copyright (C) Martin Kuehl <mkhl@samba.org> 2006
9 #include "ldb/include/ldb.h"
10 #include "ldb/include/ldb_private.h"
11 #include "ldb/include/ldb_errors.h"
12 #include "ldb/ldb_map/ldb_map.h"
13 #include "system/passwd.h"
15 #include "librpc/gen_ndr/ndr_security.h"
16 #include "librpc/gen_ndr/ndr_samr.h"
17 #include "librpc/ndr/libndr.h"
18 #include "libcli/security/security.h"
19 #include "libcli/security/proto.h"
20 #include "lib/samba3/samba3.h"
23 * sambaSID -> member (dn!)
24 * sambaSIDList -> member (dn!)
25 * sambaDomainName -> name
31 * sambaAcctFlags -> systemFlags ?
32 * sambaPasswordHistory -> ntPwdHistory*/
40 * sambaAlgorithmicRidBase
51 * sambaUserWorkstations
55 /* In Samba4 but not in Samba3:
58 /* From a sambaPrimaryGroupSID, generate a primaryGroupID (integer) attribute */
59 static struct ldb_message_element *generate_primaryGroupID(struct ldb_module *module, TALLOC_CTX *ctx, const char *local_attr, const struct ldb_message *remote)
61 struct ldb_message_element *el;
62 const char *sid = ldb_msg_find_attr_as_string(remote, "sambaPrimaryGroupSID", NULL);
68 p = strrchr(sid, '-');
72 el = talloc_zero(ctx, struct ldb_message_element);
73 el->name = talloc_strdup(ctx, "primaryGroupID");
75 el->values = talloc_array(ctx, struct ldb_val, 1);
76 el->values[0].data = (uint8_t *)talloc_strdup(el->values, p+1);
77 el->values[0].length = strlen((char *)el->values[0].data);
82 static void generate_sambaPrimaryGroupSID(struct ldb_module *module, const char *local_attr, const struct ldb_message *local, struct ldb_message *remote_mp, struct ldb_message *remote_fb)
84 const struct ldb_val *sidval;
87 enum ndr_err_code ndr_err;
89 /* We need the domain, so we get it from the objectSid that we hope is here... */
90 sidval = ldb_msg_find_ldb_val(local, "objectSid");
93 return; /* Sorry, no SID today.. */
95 sid = talloc(remote_mp, struct dom_sid);
100 ndr_err = ndr_pull_struct_blob(sidval, sid, sid, (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
101 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
106 if (!ldb_msg_find_ldb_val(local, "primaryGroupID"))
107 return; /* Sorry, no SID today.. */
111 sidstring = dom_sid_string(remote_mp, sid);
113 ldb_msg_add_fmt(remote_mp, "sambaPrimaryGroupSID", "%s-%d", sidstring, ldb_msg_find_attr_as_uint(local, "primaryGroupID", 0));
114 talloc_free(sidstring);
117 /* Just copy the old value. */
118 static struct ldb_val convert_uid_samaccount(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
120 struct ldb_val out = data_blob(NULL, 0);
121 ldb_handler_copy(module->ldb, ctx, val, &out);
126 static struct ldb_val lookup_homedir(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
129 struct ldb_val retval;
131 pwd = getpwnam((char *)val->data);
134 ldb_debug(module->ldb, LDB_DEBUG_WARNING, "Unable to lookup '%s' in passwd", (char *)val->data);
135 return *talloc_zero(ctx, struct ldb_val);
138 retval.data = (uint8_t *)talloc_strdup(ctx, pwd->pw_dir);
139 retval.length = strlen((char *)retval.data);
144 static struct ldb_val lookup_gid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
147 struct ldb_val retval;
149 pwd = getpwnam((char *)val->data);
152 return *talloc_zero(ctx, struct ldb_val);
155 retval.data = (uint8_t *)talloc_asprintf(ctx, "%ld", (unsigned long)pwd->pw_gid);
156 retval.length = strlen((char *)retval.data);
161 static struct ldb_val lookup_uid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
164 struct ldb_val retval;
166 pwd = getpwnam((char *)val->data);
169 return *talloc_zero(ctx, struct ldb_val);
172 retval.data = (uint8_t *)talloc_asprintf(ctx, "%ld", (unsigned long)pwd->pw_uid);
173 retval.length = strlen((char *)retval.data);
178 /* Encode a sambaSID to an objectSid. */
179 static struct ldb_val encode_sid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
181 struct ldb_val out = data_blob(NULL, 0);
183 enum ndr_err_code ndr_err;
185 sid = dom_sid_parse_talloc(ctx, (char *)val->data);
190 ndr_err = ndr_push_struct_blob(&out, ctx, sid,
191 (ndr_push_flags_fn_t)ndr_push_dom_sid);
193 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
200 /* Decode an objectSid to a sambaSID. */
201 static struct ldb_val decode_sid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
203 struct ldb_val out = data_blob(NULL, 0);
205 enum ndr_err_code ndr_err;
207 sid = talloc(ctx, struct dom_sid);
212 ndr_err = ndr_pull_struct_blob(val, sid, sid,
213 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
214 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
218 out.data = (uint8_t *)dom_sid_string(ctx, sid);
219 if (out.data == NULL) {
222 out.length = strlen((const char *)out.data);
229 /* Convert 16 bytes to 32 hex digits. */
230 static struct ldb_val bin2hex(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
233 struct samr_Password pwd;
234 if (val->length != sizeof(pwd.hash)) {
235 return data_blob(NULL, 0);
237 memcpy(pwd.hash, val->data, sizeof(pwd.hash));
238 out = data_blob_string_const(smbpasswd_sethexpwd(ctx, &pwd, 0));
240 return data_blob(NULL, 0);
245 /* Convert 32 hex digits to 16 bytes. */
246 static struct ldb_val hex2bin(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
249 struct samr_Password *pwd;
250 pwd = smbpasswd_gethexpwd(ctx, (const char *)val->data);
252 return data_blob(NULL, 0);
254 out = data_blob_talloc(ctx, pwd->hash, sizeof(pwd->hash));
258 const struct ldb_map_objectclass samba3_objectclasses[] = {
260 .local_name = "user",
261 .remote_name = "posixAccount",
262 .base_classes = { "top", NULL },
263 .musts = { "cn", "uid", "uidNumber", "gidNumber", "homeDirectory", NULL },
264 .mays = { "userPassword", "loginShell", "gecos", "description", NULL },
267 .local_name = "group",
268 .remote_name = "posixGroup",
269 .base_classes = { "top", NULL },
270 .musts = { "cn", "gidNumber", NULL },
271 .mays = { "userPassword", "memberUid", "description", NULL },
274 .local_name = "group",
275 .remote_name = "sambaGroupMapping",
276 .base_classes = { "top", "posixGroup", NULL },
277 .musts = { "gidNumber", "sambaSID", "sambaGroupType", NULL },
278 .mays = { "displayName", "description", "sambaSIDList", NULL },
281 .local_name = "user",
282 .remote_name = "sambaSAMAccount",
283 .base_classes = { "top", "posixAccount", NULL },
284 .musts = { "uid", "sambaSID", NULL },
285 .mays = { "cn", "sambaLMPassword", "sambaNTPassword",
286 "sambaPwdLastSet", "sambaLogonTime", "sambaLogoffTime",
287 "sambaKickoffTime", "sambaPwdCanChange", "sambaPwdMustChange",
288 "sambaAcctFlags", "displayName", "sambaHomePath", "sambaHomeDrive",
289 "sambaLogonScript", "sambaProfilePath", "description", "sambaUserWorkstations",
290 "sambaPrimaryGroupSID", "sambaDomainName", "sambaMungedDial",
291 "sambaBadPasswordCount", "sambaBadPasswordTime",
292 "sambaPasswordHistory", "sambaLogonHours", NULL }
296 .local_name = "domain",
297 .remote_name = "sambaDomain",
298 .base_classes = { "top", NULL },
299 .musts = { "sambaDomainName", "sambaSID", NULL },
300 .mays = { "sambaNextRid", "sambaNextGroupRid", "sambaNextUserRid", "sambaAlgorithmicRidBase", NULL },
305 const struct ldb_map_attribute samba3_attributes[] =
307 /* sambaNextRid -> nextRid */
309 .local_name = "nextRid",
313 .remote_name = "sambaNextRid",
318 /* sambaBadPasswordTime -> badPasswordtime*/
320 .local_name = "badPasswordTime",
324 .remote_name = "sambaBadPasswordTime",
329 /* sambaLMPassword -> lmPwdHash*/
331 .local_name = "dBCSPwd",
335 .remote_name = "sambaLMPassword",
336 .convert_local = bin2hex,
337 .convert_remote = hex2bin,
342 /* sambaGroupType -> groupType */
344 .local_name = "groupType",
348 .remote_name = "sambaGroupType",
353 /* sambaNTPassword -> ntPwdHash*/
355 .local_name = "ntpwdhash",
359 .remote_name = "sambaNTPassword",
360 .convert_local = bin2hex,
361 .convert_remote = hex2bin,
366 /* sambaPrimaryGroupSID -> primaryGroupID */
368 .local_name = "primaryGroupID",
369 .type = MAP_GENERATE,
372 .remote_names = { "sambaPrimaryGroupSID", NULL },
373 .generate_local = generate_primaryGroupID,
374 .generate_remote = generate_sambaPrimaryGroupSID,
379 /* sambaBadPasswordCount -> badPwdCount */
381 .local_name = "badPwdCount",
385 .remote_name = "sambaBadPasswordCount",
390 /* sambaLogonTime -> lastLogon*/
392 .local_name = "lastLogon",
396 .remote_name = "sambaLogonTime",
401 /* sambaLogoffTime -> lastLogoff*/
403 .local_name = "lastLogoff",
407 .remote_name = "sambaLogoffTime",
412 /* uid -> unixName */
414 .local_name = "unixName",
418 .remote_name = "uid",
423 /* displayName -> name */
425 .local_name = "name",
429 .remote_name = "displayName",
440 /* sAMAccountName -> cn */
442 .local_name = "sAMAccountName",
446 .remote_name = "uid",
447 .convert_remote = convert_uid_samaccount,
454 .local_name = "objectCategory",
460 .local_name = "objectGUID",
466 .local_name = "objectVersion",
472 .local_name = "codePage",
478 .local_name = "dNSHostName",
485 .local_name = "dnsDomain",
491 .local_name = "dnsRoot",
497 .local_name = "countryCode",
503 .local_name = "nTMixedDomain",
507 /* operatingSystem */
509 .local_name = "operatingSystem",
513 /* operatingSystemVersion */
515 .local_name = "operatingSystemVersion",
520 /* servicePrincipalName */
522 .local_name = "servicePrincipalName",
526 /* msDS-Behavior-Version */
528 .local_name = "msDS-Behavior-Version",
532 /* msDS-KeyVersionNumber */
534 .local_name = "msDS-KeyVersionNumber",
538 /* msDs-masteredBy */
540 .local_name = "msDs-masteredBy",
558 .local_name = "description",
562 /* sambaSID -> objectSid*/
564 .local_name = "objectSid",
568 .remote_name = "sambaSID",
569 .convert_local = decode_sid,
570 .convert_remote = encode_sid,
575 /* sambaPwdLastSet -> pwdLastSet */
577 .local_name = "pwdLastSet",
581 .remote_name = "sambaPwdLastSet",
588 .local_name = "accountExpires",
594 .local_name = "adminCount",
600 .local_name = "canonicalName",
604 /* createTimestamp */
606 .local_name = "createTimestamp",
612 .local_name = "creationTime",
618 .local_name = "dMDLocation",
624 .local_name = "fSMORoleOwner",
630 .local_name = "forceLogoff",
636 .local_name = "instanceType",
642 .local_name = "invocationId",
646 /* isCriticalSystemObject */
648 .local_name = "isCriticalSystemObject",
652 /* localPolicyFlags */
654 .local_name = "localPolicyFlags",
658 /* lockOutObservationWindow */
660 .local_name = "lockOutObservationWindow",
664 /* lockoutDuration */
666 .local_name = "lockoutDuration",
670 /* lockoutThreshold */
672 .local_name = "lockoutThreshold",
678 .local_name = "logonCount",
684 .local_name = "masteredBy",
690 .local_name = "maxPwdAge",
696 .local_name = "member",
702 .local_name = "memberOf",
708 .local_name = "minPwdAge",
714 .local_name = "minPwdLength",
720 .local_name = "modifiedCount",
724 /* modifiedCountAtLastProm */
726 .local_name = "modifiedCountAtLastProm",
730 /* modifyTimestamp */
732 .local_name = "modifyTimestamp",
738 .local_name = "nCName",
744 .local_name = "nETBIOSName",
750 .local_name = "oEMInformation",
756 .local_name = "privilege",
760 /* pwdHistoryLength */
762 .local_name = "pwdHistoryLength",
768 .local_name = "pwdProperties",
772 /* rIDAvailablePool */
774 .local_name = "rIDAvailablePool",
780 .local_name = "revision",
784 /* ridManagerReference */
786 .local_name = "ridManagerReference",
792 .local_name = "sAMAccountType",
798 .local_name = "sPNMappings",
802 /* serverReference */
804 .local_name = "serverReference",
810 .local_name = "serverState",
814 /* showInAdvancedViewOnly */
816 .local_name = "showInAdvancedViewOnly",
822 .local_name = "subRefs",
828 .local_name = "systemFlags",
834 .local_name = "uASCompat",
840 .local_name = "uSNChanged",
846 .local_name = "uSNCreated",
852 .local_name = "sambaPassword",
856 /* userAccountControl */
858 .local_name = "userAccountControl",
864 .local_name = "whenChanged",
870 .local_name = "whenCreated",
876 .local_name = "unixName",
880 .remote_name = "uidNumber",
881 .convert_local = lookup_uid,
886 /* gidNumber. Perhaps make into generate so we can distinguish between
887 * groups and accounts? */
889 .local_name = "unixName",
893 .remote_name = "gidNumber",
894 .convert_local = lookup_gid,
901 .local_name = "unixName",
905 .remote_name = "homeDirectory",
906 .convert_local = lookup_homedir,
915 /* the context init function */
916 static int samba3sam_init(struct ldb_module *module)
920 ret = ldb_map_init(module, samba3_attributes, samba3_objectclasses, NULL, "samba3sam");
921 if (ret != LDB_SUCCESS)
924 return ldb_next_init(module);
927 static struct ldb_module_ops samba3sam_ops = {
929 .init_context = samba3sam_init,
932 /* the init function */
933 int ldb_samba3sam_module_init(void)
935 struct ldb_module_ops ops = ldb_map_get_ops();
936 samba3sam_ops.add = ops.add;
937 samba3sam_ops.modify = ops.modify;
938 samba3sam_ops.del = ops.del;
939 samba3sam_ops.rename = ops.rename;
940 samba3sam_ops.search = ops.search;
941 samba3sam_ops.wait = ops.wait;
943 return ldb_register_module(&samba3sam_ops);