interface functions for the sam database
Copyright (C) Andrew Tridgell 2004
-
+ Copyright (C) Volker Lendecke 2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "librpc/gen_ndr/ndr_misc.h"
+#include "librpc/gen_ndr/ndr_security.h"
#include "lib/ldb/include/ldb.h"
+#include "lib/ldb/include/ldb_errors.h"
+#include "libcli/security/security.h"
+#include "libcli/auth/libcli_auth.h"
+#include "libcli/ldap/ldap_ndr.h"
#include "system/time.h"
#include "system/filesys.h"
-#include "db_wrap.h"
-
-/*
- connect to the SAM database
- return an opaque context pointer on success, or NULL on failure
- */
-struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx)
-{
- return ldb_wrap_connect(mem_ctx, lp_sam_url(), 0, NULL);
-}
-
-/*
- search the sam for the specified attributes in a specific domain, filter on
- objectSid being in domain_sid.
-*/
-int samdb_search_domain(struct ldb_context *sam_ldb,
- TALLOC_CTX *mem_ctx,
- const char *basedn,
- struct ldb_message ***res,
- const char * const *attrs,
- const struct dom_sid *domain_sid,
- const char *format, ...) _PRINTF_ATTRIBUTE(7,8)
-{
- va_list ap;
- int i, count;
-
- va_start(ap, format);
- count = gendb_search_v(sam_ldb, mem_ctx, basedn,
- res, attrs, format, ap);
- va_end(ap);
-
- i=0;
-
- while (i<count) {
- struct dom_sid *entry_sid;
-
- entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i],
- "objectSid");
-
- if ((entry_sid == NULL) ||
- (!dom_sid_in_domain(domain_sid, entry_sid))) {
-
- /* Delete that entry from the result set */
- (*res)[i] = (*res)[count-1];
- count -= 1;
- continue;
- }
- i += 1;
- }
-
- return count;
-}
-
-/*
- search the sam for a single string attribute in exactly 1 record
-*/
-const char *samdb_search_string_v(struct ldb_context *sam_ldb,
- TALLOC_CTX *mem_ctx,
- const char *basedn,
- const char *attr_name,
- const char *format, va_list ap) _PRINTF_ATTRIBUTE(5,0)
-{
- int count;
- const char * const attrs[2] = { attr_name, NULL };
- struct ldb_message **res = NULL;
-
- count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
- if (count > 1) {
- DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
- attr_name, format, count));
- }
- if (count != 1) {
- talloc_free(res);
+#include "ldb_wrap.h"
+#include "util/util_ldb.h"
+#include "dsdb/samdb/samdb.h"
+#include "dsdb/common/flags.h"
+#include "param/param.h"
+
+char *samdb_relative_path(struct ldb_context *ldb,
+ TALLOC_CTX *mem_ctx,
+ const char *name)
+{
+ const char *base_url =
+ (const char *)ldb_get_opaque(ldb, "ldb_url");
+ char *path, *p, *full_name;
+ if (name == NULL) {
return NULL;
}
-
- return samdb_result_string(res[0], attr_name, NULL);
-}
-
-
-/*
- search the sam for a single string attribute in exactly 1 record
-*/
-const char *samdb_search_string(struct ldb_context *sam_ldb,
- TALLOC_CTX *mem_ctx,
- const char *basedn,
- const char *attr_name,
- const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
-{
- va_list ap;
- const char *str;
-
- va_start(ap, format);
- str = samdb_search_string_v(sam_ldb, mem_ctx, basedn, attr_name, format, ap);
- va_end(ap);
-
- return str;
-}
-
-/*
- return the count of the number of records in the sam matching the query
-*/
-int samdb_search_count(struct ldb_context *sam_ldb,
- TALLOC_CTX *mem_ctx,
- const char *basedn,
- const char *format, ...) _PRINTF_ATTRIBUTE(4,5)
-{
- va_list ap;
- struct ldb_message **res;
- const char * const attrs[] = { NULL };
- int ret;
-
- va_start(ap, format);
- ret = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
- va_end(ap);
-
- return ret;
-}
-
-
-/*
- search the sam for a single integer attribute in exactly 1 record
-*/
-uint_t samdb_search_uint(struct ldb_context *sam_ldb,
- TALLOC_CTX *mem_ctx,
- uint_t default_value,
- const char *basedn,
- const char *attr_name,
- const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
-{
- va_list ap;
- int count;
- struct ldb_message **res;
- const char * const attrs[2] = { attr_name, NULL };
-
- va_start(ap, format);
- count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
- va_end(ap);
-
- if (count != 1) {
- return default_value;
- }
-
- return samdb_result_uint(res[0], attr_name, default_value);
-}
-
-/*
- search the sam for a single signed 64 bit integer attribute in exactly 1 record
-*/
-int64_t samdb_search_int64(struct ldb_context *sam_ldb,
- TALLOC_CTX *mem_ctx,
- int64_t default_value,
- const char *basedn,
- const char *attr_name,
- const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
-{
- va_list ap;
- int count;
- struct ldb_message **res;
- const char * const attrs[2] = { attr_name, NULL };
-
- va_start(ap, format);
- count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
- va_end(ap);
-
- if (count != 1) {
- return default_value;
- }
-
- return samdb_result_int64(res[0], attr_name, default_value);
-}
-
-/*
- search the sam for multipe records each giving a single string attribute
- return the number of matches, or -1 on error
-*/
-int samdb_search_string_multiple(struct ldb_context *sam_ldb,
- TALLOC_CTX *mem_ctx,
- const char *basedn,
- const char ***strs,
- const char *attr_name,
- const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
-{
- va_list ap;
- int count, i;
- const char * const attrs[2] = { attr_name, NULL };
- struct ldb_message **res = NULL;
-
- va_start(ap, format);
- count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
- va_end(ap);
-
- if (count <= 0) {
- return count;
- }
-
- /* make sure its single valued */
- for (i=0;i<count;i++) {
- if (res[i]->num_elements != 1) {
- DEBUG(1,("samdb: search for %s %s not single valued\n",
- attr_name, format));
- talloc_free(res);
- return -1;
- }
- }
-
- *strs = talloc_array(mem_ctx, const char *, count+1);
- if (! *strs) {
- talloc_free(res);
- return -1;
- }
-
- for (i=0;i<count;i++) {
- (*strs)[i] = samdb_result_string(res[i], attr_name, NULL);
- }
- (*strs)[count] = NULL;
-
- return count;
-}
-
-/*
- pull a uint from a result set.
-*/
-uint_t samdb_result_uint(struct ldb_message *msg, const char *attr, uint_t default_value)
-{
- return ldb_msg_find_uint(msg, attr, default_value);
-}
-
-/*
- pull a (signed) int64 from a result set.
-*/
-int64_t samdb_result_int64(struct ldb_message *msg, const char *attr, int64_t default_value)
-{
- return ldb_msg_find_int64(msg, attr, default_value);
-}
-
-/*
- pull a string from a result set.
-*/
-const char *samdb_result_string(struct ldb_message *msg, const char *attr,
- const char *default_value)
-{
- return ldb_msg_find_string(msg, attr, default_value);
-}
-
-/*
- pull a rid from a objectSid in a result set.
-*/
-uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr, uint32_t default_value)
-{
- struct dom_sid *sid;
- const char *sidstr = ldb_msg_find_string(msg, attr, NULL);
- if (!sidstr) return default_value;
-
- sid = dom_sid_parse_talloc(mem_ctx, sidstr);
- if (!sid) return default_value;
-
- return sid->sub_auths[sid->num_auths-1];
-}
-
-/*
- pull a dom_sid structure from a objectSid in a result set.
-*/
-struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr)
-{
- const char *sidstr = ldb_msg_find_string(msg, attr, NULL);
- if (!sidstr) return NULL;
-
- return dom_sid_parse_talloc(mem_ctx, sidstr);
-}
-
-/*
- pull a guid structure from a objectGUID in a result set.
-*/
-struct GUID samdb_result_guid(struct ldb_message *msg, const char *attr)
-{
- NTSTATUS status;
- struct GUID guid;
- const char *guidstr = ldb_msg_find_string(msg, attr, NULL);
-
- ZERO_STRUCT(guid);
-
- if (!guidstr) return guid;
-
- status = GUID_from_string(guidstr, &guid);
- if (!NT_STATUS_IS_OK(status)) {
- ZERO_STRUCT(guid);
- return guid;
- }
-
- return guid;
-}
-
-/*
- pull a sid prefix from a objectSid in a result set.
- this is used to find the domain sid for a user
-*/
-const char *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr)
-{
- struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr);
- if (!sid || sid->num_auths < 1) return NULL;
-
- sid->num_auths--;
-
- return dom_sid_string(mem_ctx, sid);
-}
-
-/*
- pull a NTTIME in a result set.
-*/
-NTTIME samdb_result_nttime(struct ldb_message *msg, const char *attr, const char *default_value)
-{
- const char *str = ldb_msg_find_string(msg, attr, default_value);
- return nttime_from_string(str);
-}
-
-/*
- pull a uint64_t from a result set.
-*/
-uint64_t samdb_result_uint64(struct ldb_message *msg, const char *attr, uint64_t default_value)
-{
- return ldb_msg_find_uint64(msg, attr, default_value);
-}
-
-
-/*
- construct the allow_password_change field from the PwdLastSet attribute and the
- domain password settings
-*/
-NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
- TALLOC_CTX *mem_ctx,
- const char *domain_dn,
- struct ldb_message *msg,
- const char *attr)
-{
- uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
- int64_t minPwdAge;
-
- if (attr_time == 0) {
- return 0;
+ if (name[0] == 0 || name[0] == '/' || strstr(name, ":/")) {
+ return talloc_strdup(mem_ctx, name);
}
-
- minPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0,
- domain_dn, "minPwdAge", NULL);
-
- /* yes, this is a -= not a += as minPwdAge is stored as the negative
- of the number of 100-nano-seconds */
- attr_time -= minPwdAge;
-
- return attr_time;
-}
-
-/*
- construct the force_password_change field from the PwdLastSet attribute and the
- domain password settings
-*/
-NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
- TALLOC_CTX *mem_ctx,
- const char *domain_dn,
- struct ldb_message *msg,
- const char *attr)
-{
- uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
- int64_t maxPwdAge;
-
- if (attr_time == 0) {
- return 0;
+ path = talloc_strdup(mem_ctx, base_url);
+ if (path == NULL) {
+ return NULL;
}
-
- maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "maxPwdAge", NULL);
- if (maxPwdAge == 0) {
- return 0;
+ if ( (p = strrchr(path, '/')) != NULL) {
+ p[0] = '\0';
+ full_name = talloc_asprintf(mem_ctx, "%s/%s", path, name);
} else {
- attr_time -= maxPwdAge;
+ full_name = talloc_asprintf(mem_ctx, "./%s", name);
}
-
- return attr_time;
+ talloc_free(path);
+ return full_name;
}
+
/*
- pull a samr_Password structutre from a result set.
-*/
-struct samr_Password samdb_result_hash(struct ldb_message *msg, const char *attr)
-{
- struct samr_Password hash;
- const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
- ZERO_STRUCT(hash);
- if (val) {
- memcpy(hash.hash, val->data, MIN(val->length, sizeof(hash.hash)));
+ connect to the SAM database
+ return an opaque context pointer on success, or NULL on failure
+ */
+struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ struct auth_session_info *session_info)
+{
+ struct ldb_context *ldb;
+ ldb = ldb_wrap_connect(mem_ctx, lp_ctx,
+ lp_sam_url(lp_ctx), session_info,
+ NULL, 0, NULL);
+ if (!ldb) {
+ return NULL;
}
- return hash;
+ dsdb_make_schema_global(ldb);
+ return ldb;
}
/*
- pull an array of samr_Password structutres from a result set.
+ copy from a template record to a message
*/
-uint_t samdb_result_hashes(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr, struct samr_Password **hashes)
-{
- uint_t count = 0;
- const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
- int i;
-
- *hashes = NULL;
- if (!val) {
- return 0;
- }
- count = val->length / 16;
- if (count == 0) {
- return 0;
- }
-
- *hashes = talloc_array(mem_ctx, struct samr_Password, count);
- if (! *hashes) {
- return 0;
- }
-
- for (i=0;i<count;i++) {
- memcpy((*hashes)[i].hash, (i*16)+(char *)val->data, 16);
- }
-
- return count;
-}
-
-NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- struct samr_Password **lm_pwd, struct samr_Password **nt_pwd)
+int samdb_copy_template(struct ldb_context *ldb,
+ struct ldb_message *msg, const char *name,
+ const char **errstring)
{
-
- const char *unicodePwd = samdb_result_string(msg, "unicodePwd", NULL);
-
- struct samr_Password *lmPwdHash, *ntPwdHash;
- if (unicodePwd) {
- if (nt_pwd) {
- ntPwdHash = talloc(mem_ctx, struct samr_Password);
- if (!ntPwdHash) {
- return NT_STATUS_NO_MEMORY;
- }
-
- E_md4hash(unicodePwd, ntPwdHash->hash);
- *nt_pwd = ntPwdHash;
+ struct ldb_result *res;
+ struct ldb_message *t;
+ int ret, i, j;
+ struct ldb_context *templates_ldb;
+ char *templates_ldb_path;
+ struct ldb_dn *basedn;
+
+ templates_ldb = talloc_get_type(ldb_get_opaque(ldb, "templates_ldb"), struct ldb_context);
+
+ if (!templates_ldb) {
+ templates_ldb_path = samdb_relative_path(ldb,
+ msg,
+ "templates.ldb");
+ if (!templates_ldb_path) {
+ *errstring = talloc_asprintf(msg, "samdb_copy_template: ERROR: Failed to contruct path for template db");
+ return LDB_ERR_OPERATIONS_ERROR;
}
- if (lm_pwd) {
- BOOL lm_hash_ok;
-
- lmPwdHash = talloc(mem_ctx, struct samr_Password);
- if (!lmPwdHash) {
- return NT_STATUS_NO_MEMORY;
- }
-
- /* compute the new nt and lm hashes */
- lm_hash_ok = E_deshash(unicodePwd, lmPwdHash->hash);
-
- if (lm_hash_ok) {
- *lm_pwd = lmPwdHash;
- } else {
- *lm_pwd = NULL;
- }
- }
- } else {
- if (nt_pwd) {
- int num_nt;
- num_nt = samdb_result_hashes(mem_ctx, msg, "ntPwdHash", &ntPwdHash);
- if (num_nt == 0) {
- *nt_pwd = NULL;
- } else if (num_nt > 1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- } else {
- *nt_pwd = &ntPwdHash[0];
- }
- }
- if (lm_pwd) {
- int num_lm;
- num_lm = samdb_result_hashes(mem_ctx, msg, "lmPwdHash", &lmPwdHash);
- if (num_lm == 0) {
- *lm_pwd = NULL;
- } else if (num_lm > 1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- } else {
- *lm_pwd = &lmPwdHash[0];
- }
+ templates_ldb = ldb_wrap_connect(ldb, (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"),
+ templates_ldb_path, NULL,
+ NULL, 0, NULL);
+ talloc_free(templates_ldb_path);
+ if (!templates_ldb) {
+ return LDB_ERR_OPERATIONS_ERROR;
}
+ ret = ldb_set_opaque(ldb, "templates_ldb", templates_ldb);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
}
- return NT_STATUS_OK;
-}
+ *errstring = NULL;
-/*
- pull a samr_LogonHours structutre from a result set.
-*/
-struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr)
-{
- struct samr_LogonHours hours;
- const int units_per_week = 168;
- const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
- ZERO_STRUCT(hours);
- hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week);
- if (!hours.bits) {
- return hours;
- }
- hours.units_per_week = units_per_week;
- memset(hours.bits, 0xFF, units_per_week);
- if (val) {
- memcpy(hours.bits, val->data, MIN(val->length, units_per_week));
+ basedn = ldb_dn_new(templates_ldb, ldb, "cn=Templates");
+ if (!ldb_dn_add_child_fmt(basedn, "CN=Template%s", name)) {
+ talloc_free(basedn);
+ *errstring = talloc_asprintf(msg, "samdb_copy_template: ERROR: Failed to contruct DN for template '%s'",
+ name);
+ return LDB_ERR_OPERATIONS_ERROR;
}
- return hours;
-}
-
-/*
- pull a set of account_flags from a result set.
-*/
-uint16_t samdb_result_acct_flags(struct ldb_message *msg, const char *attr)
-{
- uint_t userAccountControl = ldb_msg_find_uint(msg, attr, 0);
- return samdb_uf2acb(userAccountControl);
-}
-
-/*
- copy from a template record to a message
-*/
-int samdb_copy_template(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
- struct ldb_message *msg, const char *expression)
-{
- struct ldb_message **res, *t;
- int ret, i, j;
-
/* pull the template record */
- ret = gendb_search(sam_ldb, mem_ctx, NULL, &res, NULL, "%s", expression);
- if (ret != 1) {
- DEBUG(1,("samdb: ERROR: template '%s' matched %d records\n",
- expression, ret));
- return -1;
+ ret = ldb_search(templates_ldb, basedn, LDB_SCOPE_BASE, "distinguishedName=*", NULL, &res);
+ talloc_free(basedn);
+ if (ret != LDB_SUCCESS) {
+ *errstring = talloc_steal(msg, ldb_errstring(templates_ldb));
+ return ret;
}
- t = res[0];
+ if (res->count != 1) {
+ *errstring = talloc_asprintf(msg, "samdb_copy_template: ERROR: template '%s' matched %d records, expected 1",
+ name,
+ res->count);
+ talloc_free(res);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ t = res->msgs[0];
- for (i=0;i<t->num_elements;i++) {
+ for (i = 0; i < t->num_elements; i++) {
struct ldb_message_element *el = &t->elements[i];
/* some elements should not be copied from the template */
- if (strcasecmp(el->name, "cn") == 0 ||
- strcasecmp(el->name, "name") == 0 ||
- strcasecmp(el->name, "sAMAccountName") == 0) {
+ if (ldb_attr_cmp(el->name, "cn") == 0 ||
+ ldb_attr_cmp(el->name, "name") == 0 ||
+ ldb_attr_cmp(el->name, "objectClass") == 0 ||
+ ldb_attr_cmp(el->name, "sAMAccountName") == 0 ||
+ ldb_attr_cmp(el->name, "sAMAccountName") == 0 ||
+ ldb_attr_cmp(el->name, "distinguishedName") == 0 ||
+ ldb_attr_cmp(el->name, "objectGUID") == 0) {
continue;
}
- for (j=0;j<el->num_values;j++) {
- if (strcasecmp(el->name, "objectClass") == 0 &&
- (strcasecmp((char *)el->values[j].data, "Template") == 0 ||
- strcasecmp((char *)el->values[j].data, "userTemplate") == 0 ||
- strcasecmp((char *)el->values[j].data, "groupTemplate") == 0 ||
- strcasecmp((char *)el->values[j].data, "foreignSecurityTemplate") == 0 ||
- strcasecmp((char *)el->values[j].data, "aliasTemplate") == 0 ||
- strcasecmp((char *)el->values[j].data, "trustedDomainTemplate") == 0 ||
- strcasecmp((char *)el->values[j].data, "secretTemplate") == 0)) {
- continue;
+ for (j = 0; j < el->num_values; j++) {
+ ret = samdb_find_or_add_attribute(ldb, msg, el->name,
+ (char *)el->values[j].data);
+ if (ret) {
+ *errstring = talloc_asprintf(msg, "Adding attribute %s failed.", el->name);
+ talloc_free(res);
+ return ret;
}
- samdb_msg_add_string(sam_ldb, mem_ctx, msg, el->name,
- (char *)el->values[j].data);
}
}
- return 0;
-}
-
-
-/*
- allocate a new id, attempting to do it atomically
- return 0 on failure, the id on success
-*/
-static NTSTATUS _samdb_allocate_next_id(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, const char *dn,
- const char *attr, uint32_t *id)
-{
- struct ldb_message msg;
- int ret;
- const char *str;
- struct ldb_val vals[2];
- struct ldb_message_element els[2];
-
- str = samdb_search_string(sam_ldb, mem_ctx, dn, attr, NULL);
- if (!str) {
- DEBUG(1,("id not found at %s %s\n", dn, attr));
- return NT_STATUS_OBJECT_NAME_INVALID;
- }
-
- *id = strtol(str, NULL, 0);
- if ((*id)+1 == 0) {
- /* out of IDs ! */
- return NT_STATUS_INSUFFICIENT_RESOURCES;
- }
-
- /* we do a delete and add as a single operation. That prevents
- a race */
- ZERO_STRUCT(msg);
- msg.dn = talloc_strdup(mem_ctx, dn);
- if (!msg.dn) {
- return NT_STATUS_NO_MEMORY;
- }
- msg.num_elements = 2;
- msg.elements = els;
-
- els[0].num_values = 1;
- els[0].values = &vals[0];
- els[0].flags = LDB_FLAG_MOD_DELETE;
- els[0].name = talloc_strdup(mem_ctx, attr);
- if (!els[0].name) {
- return NT_STATUS_NO_MEMORY;
- }
-
- els[1].num_values = 1;
- els[1].values = &vals[1];
- els[1].flags = LDB_FLAG_MOD_ADD;
- els[1].name = els[0].name;
+ talloc_free(res);
- vals[0].data = talloc_asprintf(mem_ctx, "%u", *id);
- if (!vals[0].data) {
- return NT_STATUS_NO_MEMORY;
- }
- vals[0].length = strlen(vals[0].data);
-
- vals[1].data = talloc_asprintf(mem_ctx, "%u", (*id)+1);
- if (!vals[1].data) {
- return NT_STATUS_NO_MEMORY;
- }
- vals[1].length = strlen(vals[1].data);
-
- ret = ldb_modify(sam_ldb, &msg);
- if (ret != 0) {
- return NT_STATUS_UNEXPECTED_IO_ERROR;
- }
-
- (*id)++;
-
- return NT_STATUS_OK;
+ return LDB_SUCCESS;
}
-/*
- allocate a new id, attempting to do it atomically
- return 0 on failure, the id on success
-*/
-NTSTATUS samdb_allocate_next_id(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, const char *dn, const char *attr,
- uint32_t *id)
-{
- int tries = 10;
- NTSTATUS status;
- /* we need to try multiple times to cope with two account
- creations at the same time */
- while (tries--) {
- status = _samdb_allocate_next_id(sam_ldb, mem_ctx, dn, attr, id);
- if (!NT_STATUS_EQUAL(NT_STATUS_UNEXPECTED_IO_ERROR, status)) {
- break;
- }
- }
-
- if (NT_STATUS_EQUAL(NT_STATUS_UNEXPECTED_IO_ERROR, status)) {
- DEBUG(1,("Failed to increment id %s at %s\n", attr, dn));
- }
-
- return status;
-}
-
-
-/*
- add a string element to a message
-*/
-int samdb_msg_add_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, const char *str)
+/****************************************************************************
+ Create the SID list for this user.
+****************************************************************************/
+NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ struct dom_sid *user_sid,
+ struct dom_sid *group_sid,
+ int n_groupSIDs,
+ struct dom_sid **groupSIDs,
+ bool is_authenticated,
+ struct security_token **token)
{
- char *s = talloc_strdup(mem_ctx, str);
- char *a = talloc_strdup(mem_ctx, attr_name);
- if (s == NULL || a == NULL) {
- return -1;
- }
- return ldb_msg_add_string(sam_ldb, msg, a, s);
-}
-
-/*
- add a delete element operation to a message
-*/
-int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name)
-{
- char *a = talloc_strdup(mem_ctx, attr_name);
- if (a == NULL) {
- return -1;
- }
- /* we use an empty replace rather than a delete, as it allows for
- samdb_replace() to be used everywhere */
- return ldb_msg_add_empty(sam_ldb, msg, a, LDB_FLAG_MOD_REPLACE);
-}
-
-/*
- add a add attribute value to a message
-*/
-int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, const char *value)
-{
- struct ldb_message_element *el;
- char *a, *v;
- int ret;
- a = talloc_strdup(mem_ctx, attr_name);
- if (a == NULL)
- return -1;
- v = talloc_strdup(mem_ctx, value);
- if (v == NULL)
- return -1;
- ret = ldb_msg_add_string(sam_ldb, msg, a, v);
- if (ret != 0)
- return ret;
- el = ldb_msg_find_element(msg, a);
- if (el == NULL)
- return -1;
- el->flags = LDB_FLAG_MOD_ADD;
- return 0;
-}
-
-/*
- add a delete attribute value to a message
-*/
-int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, const char *value)
-{
- struct ldb_message_element *el;
- char *a, *v;
- int ret;
- a = talloc_strdup(mem_ctx, attr_name);
- if (a == NULL)
- return -1;
- v = talloc_strdup(mem_ctx, value);
- if (v == NULL)
- return -1;
- ret = ldb_msg_add_string(sam_ldb, msg, a, v);
- if (ret != 0)
- return ret;
- el = ldb_msg_find_element(msg, a);
- if (el == NULL)
- return -1;
- el->flags = LDB_FLAG_MOD_DELETE;
- return 0;
-}
-
-/*
- add a uint_t element to a message
-*/
-int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, uint_t v)
-{
- const char *s = talloc_asprintf(mem_ctx, "%u", v);
- return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
-}
-
-/*
- add a (signed) int64_t element to a message
-*/
-int samdb_msg_add_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, int64_t v)
-{
- const char *s = talloc_asprintf(mem_ctx, "%lld", v);
- return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
-}
-
-/*
- add a uint64_t element to a message
-*/
-int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, uint64_t v)
-{
- const char *s = talloc_asprintf(mem_ctx, "%llu", v);
- return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
-}
-
-/*
- add a samr_Password element to a message
-*/
-int samdb_msg_add_hash(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, struct samr_Password *hash)
-{
- struct ldb_val val;
- val.data = talloc_memdup(mem_ctx, hash->hash, 16);
- if (!val.data) {
- return -1;
- }
- val.length = 16;
- return ldb_msg_add_value(sam_ldb, msg, attr_name, &val);
-}
-
-/*
- add a samr_Password array to a message
-*/
-int samdb_msg_add_hashes(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, struct samr_Password *hashes, uint_t count)
-{
- struct ldb_val val;
+ struct security_token *ptoken;
int i;
- val.data = talloc_array_size(mem_ctx, 16, count);
- val.length = count*16;
- if (!val.data) {
- return -1;
- }
- for (i=0;i<count;i++) {
- memcpy(i*16 + (char *)val.data, hashes[i].hash, 16);
- }
- return ldb_msg_add_value(sam_ldb, msg, attr_name, &val);
-}
-
-/*
- add a acct_flags element to a message
-*/
-int samdb_msg_add_acct_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, uint32_t v)
-{
- return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, samdb_acb2uf(v));
-}
-
-/*
- add a logon_hours element to a message
-*/
-int samdb_msg_add_logon_hours(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, struct samr_LogonHours *hours)
-{
- struct ldb_val val;
- val.length = hours->units_per_week / 8;
- val.data = hours->bits;
- return ldb_msg_add_value(sam_ldb, msg, attr_name, &val);
-}
-
-/*
- add a general value element to a message
-*/
-int samdb_msg_add_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, const struct ldb_val *val)
-{
- return ldb_msg_add_value(sam_ldb, msg, attr_name, val);
-}
-
-/*
- sets a general value element to a message
-*/
-int samdb_msg_set_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, const struct ldb_val *val)
-{
- struct ldb_message_element *el;
-
- el = ldb_msg_find_element(msg, attr_name);
- if (el) {
- el->num_values = 0;
- }
- return ldb_msg_add_value(sam_ldb, msg, attr_name, val);
-}
-
-/*
- set a string element in a message
-*/
-int samdb_msg_set_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, const char *str)
-{
- struct ldb_message_element *el;
-
- el = ldb_msg_find_element(msg, attr_name);
- if (el) {
- el->num_values = 0;
- }
- return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, str);
-}
+ NTSTATUS status;
-/*
- set a ldaptime element in a message
-*/
-int samdb_msg_set_ldaptime(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, time_t t)
-{
- char *str = ldap_timestring(mem_ctx, t);
- if (!str) {
- return -1;
- }
- return samdb_msg_set_string(sam_ldb, mem_ctx, msg, attr_name, str);
-}
+ ptoken = security_token_initialise(mem_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken);
+
+ ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 5);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
+ ptoken->user_sid = talloc_reference(ptoken, user_sid);
+ ptoken->group_sid = talloc_reference(ptoken, group_sid);
+ ptoken->privilege_mask = 0;
+
+ ptoken->sids[0] = ptoken->user_sid;
+ ptoken->sids[1] = ptoken->group_sid;
+
+ /*
+ * Finally add the "standard" SIDs.
+ * The only difference between guest and "anonymous"
+ * is the addition of Authenticated_Users.
+ */
+ ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_WORLD);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]);
+ ptoken->sids[3] = dom_sid_parse_talloc(ptoken->sids, SID_NT_NETWORK);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[3]);
+ ptoken->num_sids = 4;
+
+ if (is_authenticated) {
+ ptoken->sids[4] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[4]);
+ ptoken->num_sids++;
+ }
+
+ for (i = 0; i < n_groupSIDs; i++) {
+ size_t check_sid_idx;
+ for (check_sid_idx = 1;
+ check_sid_idx < ptoken->num_sids;
+ check_sid_idx++) {
+ if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) {
+ break;
+ }
+ }
-/*
- add a record
-*/
-int samdb_add(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
-{
- struct GUID guid;
- const char *guidstr;
- time_t now = time(NULL);
- /* a new GUID */
- guid = GUID_random();
- guidstr = GUID_string(mem_ctx, &guid);
- if (!guidstr) {
- return -1;
+ if (check_sid_idx == ptoken->num_sids) {
+ ptoken->sids[ptoken->num_sids++] = talloc_reference(ptoken->sids, groupSIDs[i]);
+ }
}
- samdb_msg_add_string(sam_ldb, mem_ctx, msg, "objectGUID", guidstr);
- samdb_msg_set_ldaptime(sam_ldb, mem_ctx, msg, "whenCreated", now);
- return ldb_add(sam_ldb, msg);
-}
-
-/*
- delete a record
-*/
-int samdb_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, const char *dn)
-{
- return ldb_delete(sam_ldb, dn);
-}
-
-/*
- modify a record
-*/
-int samdb_modify(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
-{
- return ldb_modify(sam_ldb, msg);
-}
-
-/*
- replace elements in a record
-*/
-int samdb_replace(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
-{
- int i;
-
- /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
- for (i=0;i<msg->num_elements;i++) {
- msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
+ /* setup the privilege mask for this token */
+ status = samdb_privilege_setup(lp_ctx, ptoken);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(ptoken);
+ return status;
}
- /* modify the samdb record */
- return samdb_modify(sam_ldb, mem_ctx, msg);
-}
+ security_token_debug(10, ptoken);
-/*
- return a default security descriptor
-*/
-struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ctx)
-{
- struct security_descriptor *sd;
+ *token = ptoken;
- sd = security_descriptor_initialise(mem_ctx);
-
- return sd;
+ return NT_STATUS_OK;
}
git.samba.org / samba.git / blobdiff