2 Unix SMB/CIFS implementation.
4 interface functions for the sam database
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "librpc/gen_ndr/ndr_netlogon.h"
25 #include "librpc/gen_ndr/ndr_misc.h"
26 #include "lib/ldb/include/ldb.h"
27 #include "system/time.h"
28 #include "system/filesys.h"
32 connect to the SAM database
33 return an opaque context pointer on success, or NULL on failure
35 struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx)
37 return ldb_wrap_connect(mem_ctx, lp_sam_url(), 0, NULL);
41 search the sam for the specified attributes in a specific domain, filter on
42 objectSid being in domain_sid.
44 int samdb_search_domain(struct ldb_context *sam_ldb,
46 const struct ldb_dn *basedn,
47 struct ldb_message ***res,
48 const char * const *attrs,
49 const struct dom_sid *domain_sid,
50 const char *format, ...) _PRINTF_ATTRIBUTE(7,8)
56 count = gendb_search_v(sam_ldb, mem_ctx, basedn,
57 res, attrs, format, ap);
63 struct dom_sid *entry_sid;
65 entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], "objectSid");
67 if ((entry_sid == NULL) ||
68 (!dom_sid_in_domain(domain_sid, entry_sid))) {
69 /* Delete that entry from the result set */
70 (*res)[i] = (*res)[count-1];
72 talloc_free(entry_sid);
75 talloc_free(entry_sid);
83 search the sam for a single string attribute in exactly 1 record
85 const char *samdb_search_string_v(struct ldb_context *sam_ldb,
87 const struct ldb_dn *basedn,
88 const char *attr_name,
89 const char *format, va_list ap) _PRINTF_ATTRIBUTE(5,0)
92 const char *attrs[2] = { NULL, NULL };
93 struct ldb_message **res = NULL;
97 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
99 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
100 attr_name, format, count));
107 return samdb_result_string(res[0], attr_name, NULL);
112 search the sam for a single string attribute in exactly 1 record
114 const char *samdb_search_string(struct ldb_context *sam_ldb,
116 const struct ldb_dn *basedn,
117 const char *attr_name,
118 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
123 va_start(ap, format);
124 str = samdb_search_string_v(sam_ldb, mem_ctx, basedn, attr_name, format, ap);
131 search the sam for a dom_sid attribute in exactly 1 record
133 struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb,
135 const struct ldb_dn *basedn,
136 const char *attr_name,
137 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
141 struct ldb_message **res;
142 const char *attrs[2] = { NULL, NULL };
145 attrs[0] = attr_name;
147 va_start(ap, format);
148 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
151 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
152 attr_name, format, count));
158 sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name);
164 return the count of the number of records in the sam matching the query
166 int samdb_search_count(struct ldb_context *sam_ldb,
168 const struct ldb_dn *basedn,
169 const char *format, ...) _PRINTF_ATTRIBUTE(4,5)
172 struct ldb_message **res;
173 const char * const attrs[] = { NULL };
176 va_start(ap, format);
177 ret = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
185 search the sam for a single integer attribute in exactly 1 record
187 uint_t samdb_search_uint(struct ldb_context *sam_ldb,
189 uint_t default_value,
190 const struct ldb_dn *basedn,
191 const char *attr_name,
192 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
196 struct ldb_message **res;
197 const char *attrs[2] = { NULL, NULL };
199 attrs[0] = attr_name;
201 va_start(ap, format);
202 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
206 return default_value;
209 return samdb_result_uint(res[0], attr_name, default_value);
213 search the sam for a single signed 64 bit integer attribute in exactly 1 record
215 int64_t samdb_search_int64(struct ldb_context *sam_ldb,
217 int64_t default_value,
218 const struct ldb_dn *basedn,
219 const char *attr_name,
220 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
224 struct ldb_message **res;
225 const char *attrs[2] = { NULL, NULL };
227 attrs[0] = attr_name;
229 va_start(ap, format);
230 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
234 return default_value;
237 return samdb_result_int64(res[0], attr_name, default_value);
241 search the sam for multipe records each giving a single string attribute
242 return the number of matches, or -1 on error
244 int samdb_search_string_multiple(struct ldb_context *sam_ldb,
246 const struct ldb_dn *basedn,
248 const char *attr_name,
249 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
253 const char *attrs[2] = { NULL, NULL };
254 struct ldb_message **res = NULL;
256 attrs[0] = attr_name;
258 va_start(ap, format);
259 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
266 /* make sure its single valued */
267 for (i=0;i<count;i++) {
268 if (res[i]->num_elements != 1) {
269 DEBUG(1,("samdb: search for %s %s not single valued\n",
276 *strs = talloc_array(mem_ctx, const char *, count+1);
282 for (i=0;i<count;i++) {
283 (*strs)[i] = samdb_result_string(res[i], attr_name, NULL);
285 (*strs)[count] = NULL;
291 pull a uint from a result set.
293 uint_t samdb_result_uint(struct ldb_message *msg, const char *attr, uint_t default_value)
295 return ldb_msg_find_uint(msg, attr, default_value);
299 pull a (signed) int64 from a result set.
301 int64_t samdb_result_int64(struct ldb_message *msg, const char *attr, int64_t default_value)
303 return ldb_msg_find_int64(msg, attr, default_value);
307 pull a string from a result set.
309 const char *samdb_result_string(struct ldb_message *msg, const char *attr,
310 const char *default_value)
312 return ldb_msg_find_string(msg, attr, default_value);
315 struct ldb_dn *samdb_result_dn(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
316 const char *attr, struct ldb_dn *default_value)
318 const char *string = samdb_result_string(msg, attr, NULL);
319 if (string == NULL) return default_value;
320 return ldb_dn_explode(mem_ctx, string);
324 pull a rid from a objectSid in a result set.
326 uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
327 const char *attr, uint32_t default_value)
332 sid = samdb_result_dom_sid(mem_ctx, msg, attr);
334 return default_value;
336 rid = sid->sub_auths[sid->num_auths-1];
342 pull a dom_sid structure from a objectSid in a result set.
344 struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
347 const struct ldb_val *v;
350 v = ldb_msg_find_ldb_val(msg, attr);
354 sid = talloc(mem_ctx, struct dom_sid);
358 status = ndr_pull_struct_blob(v, sid, sid,
359 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
360 if (!NT_STATUS_IS_OK(status)) {
368 pull a guid structure from a objectGUID in a result set.
370 struct GUID samdb_result_guid(struct ldb_message *msg, const char *attr)
372 const struct ldb_val *v;
379 v = ldb_msg_find_ldb_val(msg, attr);
382 mem_ctx = talloc_named_const(NULL, 0, "samdb_result_guid");
383 if (!mem_ctx) return guid;
384 status = ndr_pull_struct_blob(v, mem_ctx, &guid,
385 (ndr_pull_flags_fn_t)ndr_pull_GUID);
386 talloc_free(mem_ctx);
387 if (!NT_STATUS_IS_OK(status)) {
395 pull a sid prefix from a objectSid in a result set.
396 this is used to find the domain sid for a user
398 struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
401 struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr);
402 if (!sid || sid->num_auths < 1) return NULL;
408 pull a NTTIME in a result set.
410 NTTIME samdb_result_nttime(struct ldb_message *msg, const char *attr, NTTIME default_value)
412 const char *str = ldb_msg_find_string(msg, attr, NULL);
413 if (!str) return default_value;
414 return nttime_from_string(str);
418 pull a uint64_t from a result set.
420 uint64_t samdb_result_uint64(struct ldb_message *msg, const char *attr, uint64_t default_value)
422 return ldb_msg_find_uint64(msg, attr, default_value);
427 construct the allow_password_change field from the PwdLastSet attribute and the
428 domain password settings
430 NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
432 const struct ldb_dn *domain_dn,
433 struct ldb_message *msg,
436 uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
439 if (attr_time == 0) {
443 minPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0,
444 domain_dn, "minPwdAge", "dn=%s", ldb_dn_linearize(mem_ctx, domain_dn));
446 /* yes, this is a -= not a += as minPwdAge is stored as the negative
447 of the number of 100-nano-seconds */
448 attr_time -= minPwdAge;
454 construct the force_password_change field from the PwdLastSet attribute and the
455 domain password settings
457 NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
459 const struct ldb_dn *domain_dn,
460 struct ldb_message *msg,
463 uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
466 if (attr_time == 0) {
470 maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn,
471 "maxPwdAge", "dn=%s", ldb_dn_linearize(mem_ctx, domain_dn));
472 if (maxPwdAge == 0) {
475 attr_time -= maxPwdAge;
482 pull a samr_Password structutre from a result set.
484 struct samr_Password samdb_result_hash(struct ldb_message *msg, const char *attr)
486 struct samr_Password hash;
487 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
490 memcpy(hash.hash, val->data, MIN(val->length, sizeof(hash.hash)));
496 pull an array of samr_Password structutres from a result set.
498 uint_t samdb_result_hashes(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
499 const char *attr, struct samr_Password **hashes)
502 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
509 count = val->length / 16;
514 *hashes = talloc_array(mem_ctx, struct samr_Password, count);
519 for (i=0;i<count;i++) {
520 memcpy((*hashes)[i].hash, (i*16)+(char *)val->data, 16);
526 NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
527 struct samr_Password **lm_pwd, struct samr_Password **nt_pwd)
530 const char *unicodePwd = samdb_result_string(msg, "unicodePwd", NULL);
532 struct samr_Password *lmPwdHash, *ntPwdHash;
535 ntPwdHash = talloc(mem_ctx, struct samr_Password);
537 return NT_STATUS_NO_MEMORY;
540 E_md4hash(unicodePwd, ntPwdHash->hash);
547 lmPwdHash = talloc(mem_ctx, struct samr_Password);
549 return NT_STATUS_NO_MEMORY;
552 /* compute the new nt and lm hashes */
553 lm_hash_ok = E_deshash(unicodePwd, lmPwdHash->hash);
564 num_nt = samdb_result_hashes(mem_ctx, msg, "ntPwdHash", &ntPwdHash);
567 } else if (num_nt > 1) {
568 return NT_STATUS_INTERNAL_DB_CORRUPTION;
570 *nt_pwd = &ntPwdHash[0];
575 num_lm = samdb_result_hashes(mem_ctx, msg, "lmPwdHash", &lmPwdHash);
578 } else if (num_lm > 1) {
579 return NT_STATUS_INTERNAL_DB_CORRUPTION;
581 *lm_pwd = &lmPwdHash[0];
590 pull a samr_LogonHours structutre from a result set.
592 struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr)
594 struct samr_LogonHours hours;
595 const int units_per_week = 168;
596 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
598 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week);
602 hours.units_per_week = units_per_week;
603 memset(hours.bits, 0xFF, units_per_week);
605 memcpy(hours.bits, val->data, MIN(val->length, units_per_week));
611 pull a set of account_flags from a result set.
613 uint16_t samdb_result_acct_flags(struct ldb_message *msg, const char *attr)
615 uint_t userAccountControl = ldb_msg_find_uint(msg, attr, 0);
616 return samdb_uf2acb(userAccountControl);
620 copy from a template record to a message
622 int samdb_copy_template(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
623 struct ldb_message *msg, const char *expression)
625 struct ldb_message **res, *t;
629 /* pull the template record */
630 ret = gendb_search(sam_ldb, mem_ctx, NULL, &res, NULL, "%s", expression);
632 DEBUG(1,("samdb: ERROR: template '%s' matched %d records\n",
638 for (i=0;i<t->num_elements;i++) {
639 struct ldb_message_element *el = &t->elements[i];
640 /* some elements should not be copied from the template */
641 if (strcasecmp(el->name, "cn") == 0 ||
642 strcasecmp(el->name, "name") == 0 ||
643 strcasecmp(el->name, "sAMAccountName") == 0) {
646 for (j=0;j<el->num_values;j++) {
647 if (strcasecmp(el->name, "objectClass") == 0 &&
648 (strcasecmp((char *)el->values[j].data, "Template") == 0 ||
649 strcasecmp((char *)el->values[j].data, "userTemplate") == 0 ||
650 strcasecmp((char *)el->values[j].data, "groupTemplate") == 0 ||
651 strcasecmp((char *)el->values[j].data, "foreignSecurityTemplate") == 0 ||
652 strcasecmp((char *)el->values[j].data, "aliasTemplate") == 0 ||
653 strcasecmp((char *)el->values[j].data, "trustedDomainTemplate") == 0 ||
654 strcasecmp((char *)el->values[j].data, "secretTemplate") == 0)) {
657 samdb_msg_add_string(sam_ldb, mem_ctx, msg, el->name,
658 (char *)el->values[j].data);
667 add a string element to a message
669 int samdb_msg_add_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
670 const char *attr_name, const char *str)
672 char *s = talloc_strdup(mem_ctx, str);
673 char *a = talloc_strdup(mem_ctx, attr_name);
674 if (s == NULL || a == NULL) {
677 return ldb_msg_add_string(sam_ldb, msg, a, s);
681 add a dom_sid element to a message
683 int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
684 const char *attr_name, struct dom_sid *sid)
688 status = ndr_push_struct_blob(&v, mem_ctx, sid,
689 (ndr_push_flags_fn_t)ndr_push_dom_sid);
690 if (!NT_STATUS_IS_OK(status)) {
693 return ldb_msg_add_value(sam_ldb, msg, attr_name, &v);
698 add a delete element operation to a message
700 int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
701 const char *attr_name)
703 char *a = talloc_strdup(mem_ctx, attr_name);
707 /* we use an empty replace rather than a delete, as it allows for
708 samdb_replace() to be used everywhere */
709 return ldb_msg_add_empty(sam_ldb, msg, a, LDB_FLAG_MOD_REPLACE);
713 add a add attribute value to a message
715 int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
716 const char *attr_name, const char *value)
718 struct ldb_message_element *el;
721 a = talloc_strdup(mem_ctx, attr_name);
724 v = talloc_strdup(mem_ctx, value);
727 ret = ldb_msg_add_string(sam_ldb, msg, a, v);
730 el = ldb_msg_find_element(msg, a);
733 el->flags = LDB_FLAG_MOD_ADD;
738 add a delete attribute value to a message
740 int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
741 const char *attr_name, const char *value)
743 struct ldb_message_element *el;
746 a = talloc_strdup(mem_ctx, attr_name);
749 v = talloc_strdup(mem_ctx, value);
752 ret = ldb_msg_add_string(sam_ldb, msg, a, v);
755 el = ldb_msg_find_element(msg, a);
758 el->flags = LDB_FLAG_MOD_DELETE;
763 add a uint_t element to a message
765 int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
766 const char *attr_name, uint_t v)
768 const char *s = talloc_asprintf(mem_ctx, "%u", v);
769 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
773 add a (signed) int64_t element to a message
775 int samdb_msg_add_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
776 const char *attr_name, int64_t v)
778 const char *s = talloc_asprintf(mem_ctx, "%lld", v);
779 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
783 add a uint64_t element to a message
785 int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
786 const char *attr_name, uint64_t v)
788 const char *s = talloc_asprintf(mem_ctx, "%llu", v);
789 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
793 add a samr_Password element to a message
795 int samdb_msg_add_hash(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
796 const char *attr_name, struct samr_Password *hash)
799 val.data = talloc_memdup(mem_ctx, hash->hash, 16);
804 return ldb_msg_add_value(sam_ldb, msg, attr_name, &val);
808 add a samr_Password array to a message
810 int samdb_msg_add_hashes(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
811 const char *attr_name, struct samr_Password *hashes, uint_t count)
815 val.data = talloc_array_size(mem_ctx, 16, count);
816 val.length = count*16;
820 for (i=0;i<count;i++) {
821 memcpy(i*16 + (char *)val.data, hashes[i].hash, 16);
823 return ldb_msg_add_value(sam_ldb, msg, attr_name, &val);
827 add a acct_flags element to a message
829 int samdb_msg_add_acct_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
830 const char *attr_name, uint32_t v)
832 return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, samdb_acb2uf(v));
836 add a logon_hours element to a message
838 int samdb_msg_add_logon_hours(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
839 const char *attr_name, struct samr_LogonHours *hours)
842 val.length = hours->units_per_week / 8;
843 val.data = hours->bits;
844 return ldb_msg_add_value(sam_ldb, msg, attr_name, &val);
848 add a general value element to a message
850 int samdb_msg_add_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
851 const char *attr_name, const struct ldb_val *val)
853 return ldb_msg_add_value(sam_ldb, msg, attr_name, val);
857 sets a general value element to a message
859 int samdb_msg_set_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
860 const char *attr_name, const struct ldb_val *val)
862 struct ldb_message_element *el;
864 el = ldb_msg_find_element(msg, attr_name);
868 return ldb_msg_add_value(sam_ldb, msg, attr_name, val);
872 set a string element in a message
874 int samdb_msg_set_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
875 const char *attr_name, const char *str)
877 struct ldb_message_element *el;
879 el = ldb_msg_find_element(msg, attr_name);
883 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, str);
887 set a ldaptime element in a message
889 int samdb_msg_set_ldaptime(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
890 const char *attr_name, time_t t)
892 char *str = ldap_timestring(mem_ctx, t);
896 return samdb_msg_set_string(sam_ldb, mem_ctx, msg, attr_name, str);
902 int samdb_add(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
904 return ldb_add(sam_ldb, msg);
910 int samdb_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, const struct ldb_dn *dn)
912 return ldb_delete(sam_ldb, dn);
918 int samdb_modify(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
920 return ldb_modify(sam_ldb, msg);
924 replace elements in a record
926 int samdb_replace(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
930 /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
931 for (i=0;i<msg->num_elements;i++) {
932 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
935 /* modify the samdb record */
936 return samdb_modify(sam_ldb, mem_ctx, msg);
940 return a default security descriptor
942 struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ctx)
944 struct security_descriptor *sd;
946 sd = security_descriptor_initialise(mem_ctx);