2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/samr.h"
29 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
30 #define IPA_MAGIC_ID_STR "999"
32 #define LDAP_TRUST_CONTAINER "ou=system"
33 #define LDAP_ATTRIBUTE_CN "cn"
34 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
35 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
36 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
37 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
38 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
39 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
40 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
41 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
42 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
43 #define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
45 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
46 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
47 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
49 #define LDAP_OBJ_IPAOBJECT "ipaObject"
50 #define LDAP_OBJ_IPAHOST "ipaHost"
51 #define LDAP_OBJ_POSIXACCOUNT "posixAccount"
53 #define LDAP_OBJ_GROUPOFNAMES "groupOfNames"
54 #define LDAP_OBJ_NESTEDGROUP "nestedGroup"
55 #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
56 #define LDAP_OBJ_POSIXGROUP "posixGroup"
58 #define HAS_KRB_PRINCIPAL (1<<0)
59 #define HAS_KRB_PRINCIPAL_AUX (1<<1)
60 #define HAS_IPAOBJECT (1<<2)
61 #define HAS_IPAHOST (1<<3)
62 #define HAS_POSIXACCOUNT (1<<4)
63 #define HAS_GROUPOFNAMES (1<<5)
64 #define HAS_NESTEDGROUP (1<<6)
65 #define HAS_IPAUSERGROUP (1<<7)
66 #define HAS_POSIXGROUP (1<<8)
68 struct ipasam_privates {
70 NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
71 struct samu *sampass);
72 NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
73 struct samu *sampass);
74 NTSTATUS (*ldapsam_create_user)(struct pdb_methods *my_methods,
75 TALLOC_CTX *tmp_ctx, const char *name,
76 uint32_t acb_info, uint32_t *rid);
77 NTSTATUS (*ldapsam_create_dom_group)(struct pdb_methods *my_methods,
83 static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
87 time_t *pass_last_set_time)
92 static bool ipasam_set_trusteddom_pw(struct pdb_methods *methods,
95 const struct dom_sid *sid)
100 static bool ipasam_del_trusteddom_pw(struct pdb_methods *methods,
106 static char *get_account_dn(const char *name)
111 escape_name = escape_rdn_val_string_alloc(name);
116 if (name[strlen(name)-1] == '$') {
117 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
118 lp_ldap_machine_suffix());
120 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
121 lp_ldap_user_suffix());
124 SAFE_FREE(escape_name);
129 static char *trusted_domain_dn(struct ldapsam_privates *ldap_state,
132 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
133 LDAP_ATTRIBUTE_CN, domain,
134 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
137 static char *trusted_domain_base_dn(struct ldapsam_privates *ldap_state)
139 return talloc_asprintf(talloc_tos(), "%s,%s",
140 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
143 static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state,
145 const char *filter, LDAPMessage **entry)
148 char *base_dn = NULL;
149 LDAPMessage *result = NULL;
152 base_dn = trusted_domain_base_dn(ldap_state);
153 if (base_dn == NULL) {
157 rc = smbldap_search(ldap_state->smbldap_state, base_dn,
158 LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result);
159 TALLOC_FREE(base_dn);
161 if (result != NULL) {
162 talloc_autofree_ldapmsg(mem_ctx, result);
165 if (rc == LDAP_NO_SUCH_OBJECT) {
170 if (rc != LDAP_SUCCESS) {
174 num_result = ldap_count_entries(priv2ld(ldap_state), result);
176 if (num_result > 1) {
177 DEBUG(1, ("get_trusted_domain_int: more than one "
178 "%s object with filter '%s'?!\n",
179 LDAP_OBJ_TRUSTED_DOMAIN, filter));
183 if (num_result == 0) {
184 DEBUG(1, ("get_trusted_domain_int: no "
185 "%s object with filter '%s'.\n",
186 LDAP_OBJ_TRUSTED_DOMAIN, filter));
189 *entry = ldap_first_entry(priv2ld(ldap_state), result);
195 static bool get_trusted_domain_by_name_int(struct ldapsam_privates *ldap_state,
202 filter = talloc_asprintf(talloc_tos(),
203 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
204 LDAP_OBJ_TRUSTED_DOMAIN,
205 LDAP_ATTRIBUTE_FLAT_NAME, domain,
206 LDAP_ATTRIBUTE_TRUST_PARTNER, domain, domain);
207 if (filter == NULL) {
211 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
214 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates *ldap_state,
216 const char *sid, LDAPMessage **entry)
220 filter = talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
221 LDAP_OBJ_TRUSTED_DOMAIN,
222 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER, sid);
223 if (filter == NULL) {
227 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
230 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state,
239 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
242 DEBUG(9, ("Attribute %s not present.\n", attr));
247 l = strtoul(dummy, &endptr, 10);
250 if (l < 0 || l > UINT32_MAX || *endptr != '\0') {
259 static void get_data_blob_from_ldap_msg(TALLOC_CTX *mem_ctx,
260 struct ldapsam_privates *ldap_state,
261 LDAPMessage *entry, const char *attr,
267 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, attr,
270 DEBUG(9, ("Attribute %s not present.\n", attr));
273 blob = base64_decode_data_blob(dummy);
274 if (blob.length == 0) {
277 _blob->length = blob.length;
278 _blob->data = talloc_steal(mem_ctx, blob.data);
284 static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
285 struct ldapsam_privates *ldap_state,
287 struct pdb_trusted_domain **_td)
291 struct pdb_trusted_domain *td;
297 td = talloc_zero(mem_ctx, struct pdb_trusted_domain);
302 /* All attributes are MAY */
304 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
305 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
308 DEBUG(9, ("Attribute %s not present.\n",
309 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER));
310 ZERO_STRUCT(td->security_identifier);
312 res = string_to_sid(&td->security_identifier, dummy);
319 get_data_blob_from_ldap_msg(td, ldap_state, entry,
320 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
321 &td->trust_auth_incoming);
323 get_data_blob_from_ldap_msg(td, ldap_state, entry,
324 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
325 &td->trust_auth_outgoing);
327 td->netbios_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
329 LDAP_ATTRIBUTE_FLAT_NAME,
331 if (td->netbios_name == NULL) {
332 DEBUG(9, ("Attribute %s not present.\n",
333 LDAP_ATTRIBUTE_FLAT_NAME));
336 td->domain_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
338 LDAP_ATTRIBUTE_TRUST_PARTNER,
340 if (td->domain_name == NULL) {
341 DEBUG(9, ("Attribute %s not present.\n",
342 LDAP_ATTRIBUTE_TRUST_PARTNER));
345 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
346 LDAP_ATTRIBUTE_TRUST_DIRECTION,
347 &td->trust_direction);
352 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
353 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
354 &td->trust_attributes);
359 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
360 LDAP_ATTRIBUTE_TRUST_TYPE,
366 get_data_blob_from_ldap_msg(td, ldap_state, entry,
367 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
368 &td->trust_forest_trust_info);
375 static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
378 struct pdb_trusted_domain **td)
380 struct ldapsam_privates *ldap_state =
381 (struct ldapsam_privates *)methods->private_data;
382 LDAPMessage *entry = NULL;
384 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain));
386 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
388 return NT_STATUS_UNSUCCESSFUL;
391 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
393 return NT_STATUS_NO_SUCH_DOMAIN;
396 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
397 return NT_STATUS_UNSUCCESSFUL;
403 static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
406 struct pdb_trusted_domain **td)
408 struct ldapsam_privates *ldap_state =
409 (struct ldapsam_privates *)methods->private_data;
410 LDAPMessage *entry = NULL;
413 sid_str = sid_string_tos(sid);
415 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
418 if (!get_trusted_domain_by_sid_int(ldap_state, talloc_tos(), sid_str,
420 return NT_STATUS_UNSUCCESSFUL;
423 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
424 "with sid: %s\n", sid_str));
425 return NT_STATUS_NO_SUCH_DOMAIN;
428 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
429 return NT_STATUS_UNSUCCESSFUL;
435 static bool smbldap_make_mod_uint32_t(LDAP *ldap_struct, LDAPMessage *entry,
436 LDAPMod ***mods, const char *attribute,
441 dummy = talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val);
445 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
451 static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
453 const struct pdb_trusted_domain *td)
455 struct ldapsam_privates *ldap_state =
456 (struct ldapsam_privates *)methods->private_data;
457 LDAPMessage *entry = NULL;
460 char *trusted_dn = NULL;
463 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
465 res = get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
468 return NT_STATUS_UNSUCCESSFUL;
472 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
473 LDAP_OBJ_TRUSTED_DOMAIN);
475 if (td->netbios_name != NULL) {
476 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
477 LDAP_ATTRIBUTE_FLAT_NAME,
481 if (td->domain_name != NULL) {
482 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
483 LDAP_ATTRIBUTE_TRUST_PARTNER,
487 if (!is_null_sid(&td->security_identifier)) {
488 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
489 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
490 sid_string_tos(&td->security_identifier));
493 if (td->trust_type != 0) {
494 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
495 &mods, LDAP_ATTRIBUTE_TRUST_TYPE,
498 return NT_STATUS_UNSUCCESSFUL;
502 if (td->trust_attributes != 0) {
503 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
505 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
506 td->trust_attributes);
508 return NT_STATUS_UNSUCCESSFUL;
512 if (td->trust_direction != 0) {
513 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
515 LDAP_ATTRIBUTE_TRUST_DIRECTION,
516 td->trust_direction);
518 return NT_STATUS_UNSUCCESSFUL;
522 if (td->trust_auth_outgoing.data != NULL) {
523 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
524 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
525 &td->trust_auth_outgoing);
528 if (td->trust_auth_incoming.data != NULL) {
529 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
530 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
531 &td->trust_auth_incoming);
534 if (td->trust_forest_trust_info.data != NULL) {
535 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
536 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
537 &td->trust_forest_trust_info);
540 talloc_autofree_ldapmod(talloc_tos(), mods);
542 trusted_dn = trusted_domain_dn(ldap_state, domain);
543 if (trusted_dn == NULL) {
544 return NT_STATUS_NO_MEMORY;
547 ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
549 ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
552 if (ret != LDAP_SUCCESS) {
553 DEBUG(1, ("error writing trusted domain data!\n"));
554 return NT_STATUS_UNSUCCESSFUL;
559 static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
563 struct ldapsam_privates *ldap_state =
564 (struct ldapsam_privates *)methods->private_data;
565 LDAPMessage *entry = NULL;
568 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
570 return NT_STATUS_UNSUCCESSFUL;
574 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
576 return NT_STATUS_NO_SUCH_DOMAIN;
579 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
581 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
582 return NT_STATUS_NO_MEMORY;
585 ret = smbldap_delete(ldap_state->smbldap_state, dn);
586 if (ret != LDAP_SUCCESS) {
587 return NT_STATUS_UNSUCCESSFUL;
593 static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods,
595 uint32_t *num_domains,
596 struct pdb_trusted_domain ***domains)
599 struct ldapsam_privates *ldap_state =
600 (struct ldapsam_privates *)methods->private_data;
601 char *base_dn = NULL;
603 int scope = LDAP_SCOPE_SUBTREE;
604 LDAPMessage *result = NULL;
605 LDAPMessage *entry = NULL;
607 filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
608 LDAP_OBJ_TRUSTED_DOMAIN);
609 if (filter == NULL) {
610 return NT_STATUS_NO_MEMORY;
613 base_dn = trusted_domain_base_dn(ldap_state);
614 if (base_dn == NULL) {
616 return NT_STATUS_NO_MEMORY;
619 rc = smbldap_search(ldap_state->smbldap_state, base_dn, scope, filter,
622 TALLOC_FREE(base_dn);
624 if (result != NULL) {
625 talloc_autofree_ldapmsg(mem_ctx, result);
628 if (rc == LDAP_NO_SUCH_OBJECT) {
634 if (rc != LDAP_SUCCESS) {
635 return NT_STATUS_UNSUCCESSFUL;
639 if (!(*domains = talloc_array(mem_ctx, struct pdb_trusted_domain *, 1))) {
640 DEBUG(1, ("talloc failed\n"));
641 return NT_STATUS_NO_MEMORY;
644 for (entry = ldap_first_entry(priv2ld(ldap_state), result);
646 entry = ldap_next_entry(priv2ld(ldap_state), entry))
648 struct pdb_trusted_domain *dom_info;
650 if (!fill_pdb_trusted_domain(*domains, ldap_state, entry,
652 return NT_STATUS_UNSUCCESSFUL;
655 ADD_TO_ARRAY(*domains, struct pdb_trusted_domain *, dom_info,
656 domains, num_domains);
658 if (*domains == NULL) {
659 DEBUG(1, ("talloc failed\n"));
660 return NT_STATUS_NO_MEMORY;
664 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains));
668 static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
670 uint32_t *num_domains,
671 struct trustdom_info ***domains)
674 struct pdb_trusted_domain **td;
677 status = ipasam_enum_trusted_domains(methods, talloc_tos(),
679 if (!NT_STATUS_IS_OK(status)) {
683 if (*num_domains == 0) {
687 if (!(*domains = talloc_array(mem_ctx, struct trustdom_info *,
689 DEBUG(1, ("talloc failed\n"));
690 return NT_STATUS_NO_MEMORY;
693 for (i = 0; i < *num_domains; i++) {
694 struct trustdom_info *dom_info;
696 dom_info = talloc(*domains, struct trustdom_info);
697 if (dom_info == NULL) {
698 DEBUG(1, ("talloc failed\n"));
699 return NT_STATUS_NO_MEMORY;
702 dom_info->name = talloc_steal(mem_ctx, td[i]->netbios_name);
703 sid_copy(&dom_info->sid, &td[i]->security_identifier);
705 (*domains)[i] = dom_info;
711 static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
713 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
716 static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pdb_methods,
719 struct pdb_domain_info *info;
721 struct ldapsam_privates *ldap_state =
722 (struct ldapsam_privates *)pdb_methods->private_data;
724 info = talloc(mem_ctx, struct pdb_domain_info);
729 info->name = talloc_strdup(info, ldap_state->domain_name);
730 if (info->name == NULL) {
734 /* TODO: read dns_domain, dns_forest and guid from LDAP */
735 info->dns_domain = talloc_strdup(info, lp_realm());
736 if (info->dns_domain == NULL) {
739 strlower_m(info->dns_domain);
740 info->dns_forest = talloc_strdup(info, info->dns_domain);
741 sid_copy(&info->sid, &ldap_state->domain_sid);
743 status = GUID_from_string("testguid", &info->guid);
752 static NTSTATUS modify_ipa_password_exop(struct ldapsam_privates *ldap_state,
753 struct samu *sampass)
756 BerElement *ber = NULL;
757 struct berval *bv = NULL;
759 struct berval *retdata = NULL;
760 const char *password;
763 password = pdb_get_plaintext_passwd(sampass);
764 if (password == NULL || *password == '\0') {
765 return NT_STATUS_INVALID_PARAMETER;
768 dn = get_account_dn(pdb_get_username(sampass));
770 return NT_STATUS_INVALID_PARAMETER;
773 ber = ber_alloc_t( LBER_USE_DER );
775 DEBUG(7, ("ber_alloc_t failed.\n"));
776 return NT_STATUS_NO_MEMORY;
779 ret = ber_printf(ber, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, dn,
780 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, password);
782 DEBUG(7, ("ber_printf failed.\n"));
784 return NT_STATUS_UNSUCCESSFUL;
787 ret = ber_flatten(ber, &bv);
790 DEBUG(1, ("ber_flatten failed.\n"));
791 return NT_STATUS_UNSUCCESSFUL;
794 ret = smbldap_extended_operation(ldap_state->smbldap_state,
795 LDAP_EXOP_MODIFY_PASSWD, bv, NULL,
796 NULL, &retoid, &retdata);
802 ldap_memfree(retoid);
804 if (ret != LDAP_SUCCESS) {
805 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
806 return NT_STATUS_UNSUCCESSFUL;
812 static NTSTATUS ipasam_get_objectclasses(struct ldapsam_privates *ldap_state,
813 const char *dn, LDAPMessage *entry,
814 uint32_t *has_objectclass)
816 char **objectclasses;
819 objectclasses = ldap_get_values(priv2ld(ldap_state), entry,
820 LDAP_ATTRIBUTE_OBJECTCLASS);
821 if (objectclasses == NULL) {
822 DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn));
823 return NT_STATUS_INTERNAL_DB_CORRUPTION;
826 *has_objectclass = 0;
827 for (c = 0; objectclasses[c] != NULL; c++) {
828 if (strequal(objectclasses[c], LDAP_OBJ_KRB_PRINCIPAL)) {
829 *has_objectclass |= HAS_KRB_PRINCIPAL;
830 } else if (strequal(objectclasses[c],
831 LDAP_OBJ_KRB_PRINCIPAL_AUX)) {
832 *has_objectclass |= HAS_KRB_PRINCIPAL_AUX;
833 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAOBJECT)) {
834 *has_objectclass |= HAS_IPAOBJECT;
835 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAHOST)) {
836 *has_objectclass |= HAS_IPAHOST;
837 } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXACCOUNT)) {
838 *has_objectclass |= HAS_POSIXACCOUNT;
839 } else if (strequal(objectclasses[c], LDAP_OBJ_GROUPOFNAMES)) {
840 *has_objectclass |= HAS_GROUPOFNAMES;
841 } else if (strequal(objectclasses[c], LDAP_OBJ_NESTEDGROUP)) {
842 *has_objectclass |= HAS_NESTEDGROUP;
843 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAUSERGROUP)) {
844 *has_objectclass |= HAS_IPAUSERGROUP;
845 } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXGROUP)) {
846 *has_objectclass |= HAS_POSIXGROUP;
849 ldap_value_free(objectclasses);
860 static NTSTATUS find_obj(struct ldapsam_privates *ldap_state, const char *name,
861 enum obj_type type, char **_dn,
862 uint32_t *_has_objectclass)
867 LDAPMessage *result = NULL;
868 LDAPMessage *entry = NULL;
871 uint32_t has_objectclass;
873 const char *obj_class = NULL;
877 obj_class = LDAP_OBJ_POSIXACCOUNT;
880 obj_class = LDAP_OBJ_POSIXGROUP;
883 DEBUG(0, ("Unsupported IPA object.\n"));
884 return NT_STATUS_INVALID_PARAMETER;
887 username = escape_ldap_string(talloc_tos(), name);
888 if (username == NULL) {
889 return NT_STATUS_NO_MEMORY;
891 filter = talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
892 username, obj_class);
893 if (filter == NULL) {
894 return NT_STATUS_NO_MEMORY;
896 TALLOC_FREE(username);
898 ret = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL,
900 if (ret != LDAP_SUCCESS) {
901 DEBUG(0, ("smbldap_search_suffix failed.\n"));
902 return NT_STATUS_ACCESS_DENIED;
905 num_result = ldap_count_entries(priv2ld(ldap_state), result);
907 if (num_result != 1) {
908 if (num_result == 0) {
911 status = NT_STATUS_NO_SUCH_USER;
914 status = NT_STATUS_NO_SUCH_GROUP;
917 status = NT_STATUS_INVALID_PARAMETER;
920 DEBUG (0, ("find_user: More than one object with name [%s] ?!\n",
922 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
927 entry = ldap_first_entry(priv2ld(ldap_state), result);
929 DEBUG(0,("find_user: Out of memory!\n"));
930 status = NT_STATUS_UNSUCCESSFUL;
934 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
936 DEBUG(0,("find_user: Out of memory!\n"));
937 status = NT_STATUS_NO_MEMORY;
941 status = ipasam_get_objectclasses(ldap_state, dn, entry, &has_objectclass);
942 if (!NT_STATUS_IS_OK(status)) {
947 *_has_objectclass = has_objectclass;
949 status = NT_STATUS_OK;
952 ldap_msgfree(result);
957 static NTSTATUS find_user(struct ldapsam_privates *ldap_state, const char *name,
958 char **_dn, uint32_t *_has_objectclass)
960 return find_obj(ldap_state, name, IPA_USER_OBJ, _dn, _has_objectclass);
963 static NTSTATUS find_group(struct ldapsam_privates *ldap_state, const char *name,
964 char **_dn, uint32_t *_has_objectclass)
966 return find_obj(ldap_state, name, IPA_GROUP_OBJ, _dn, _has_objectclass);
969 static NTSTATUS ipasam_add_posix_account_objectclass(struct ldapsam_privates *ldap_state,
972 const char *username)
975 LDAPMod **mods = NULL;
977 smbldap_set_mod(&mods, LDAP_MOD_ADD,
978 "objectclass", "posixAccount");
979 smbldap_set_mod(&mods, LDAP_MOD_ADD,
981 smbldap_set_mod(&mods, LDAP_MOD_ADD,
982 "uidNumber", IPA_MAGIC_ID_STR);
983 smbldap_set_mod(&mods, LDAP_MOD_ADD,
984 "gidNumber", "12345");
985 smbldap_set_mod(&mods, LDAP_MOD_ADD,
986 "homeDirectory", "/dev/null");
988 if (ldap_op == LDAP_MOD_ADD) {
989 ret = smbldap_add(ldap_state->smbldap_state, dn, mods);
991 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
993 ldap_mods_free(mods, 1);
994 if (ret != LDAP_SUCCESS) {
995 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
997 return NT_STATUS_LDAP(ret);
1000 return NT_STATUS_OK;
1003 static NTSTATUS ipasam_add_ipa_group_objectclasses(struct ldapsam_privates *ldap_state,
1006 uint32_t has_objectclass)
1008 LDAPMod **mods = NULL;
1011 if (!(has_objectclass & HAS_GROUPOFNAMES)) {
1012 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1013 LDAP_ATTRIBUTE_OBJECTCLASS,
1014 LDAP_OBJ_GROUPOFNAMES);
1017 if (!(has_objectclass & HAS_NESTEDGROUP)) {
1018 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1019 LDAP_ATTRIBUTE_OBJECTCLASS,
1020 LDAP_OBJ_NESTEDGROUP);
1023 if (!(has_objectclass & HAS_IPAUSERGROUP)) {
1024 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1025 LDAP_ATTRIBUTE_OBJECTCLASS,
1026 LDAP_OBJ_IPAUSERGROUP);
1029 if (!(has_objectclass & HAS_IPAOBJECT)) {
1030 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1031 LDAP_ATTRIBUTE_OBJECTCLASS,
1032 LDAP_OBJ_IPAOBJECT);
1035 if (!(has_objectclass & HAS_POSIXGROUP)) {
1036 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1037 LDAP_ATTRIBUTE_OBJECTCLASS,
1038 LDAP_OBJ_POSIXGROUP);
1039 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1042 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1043 LDAP_ATTRIBUTE_GIDNUMBER,
1047 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1048 ldap_mods_free(mods, 1);
1049 if (ret != LDAP_SUCCESS) {
1050 DEBUG(1, ("failed to modify/add group %s (dn = %s)\n",
1052 return NT_STATUS_LDAP(ret);
1055 return NT_STATUS_OK;
1058 static NTSTATUS ipasam_add_ipa_objectclasses(struct ldapsam_privates *ldap_state,
1059 const char *dn, const char *name,
1061 uint32_t acct_flags,
1062 uint32_t has_objectclass)
1064 LDAPMod **mods = NULL;
1068 if (!(has_objectclass & HAS_KRB_PRINCIPAL)) {
1069 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1070 LDAP_ATTRIBUTE_OBJECTCLASS,
1071 LDAP_OBJ_KRB_PRINCIPAL);
1073 princ = talloc_asprintf(talloc_tos(), "%s@%s", name, lp_realm());
1074 if (princ == NULL) {
1075 return NT_STATUS_NO_MEMORY;
1078 smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
1081 if (!(has_objectclass & HAS_KRB_PRINCIPAL_AUX)) {
1082 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1083 LDAP_ATTRIBUTE_OBJECTCLASS,
1084 LDAP_OBJ_KRB_PRINCIPAL_AUX);
1087 if (!(has_objectclass & HAS_IPAOBJECT)) {
1088 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1089 LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_IPAOBJECT);
1092 if ((acct_flags != 0) &&
1093 (((acct_flags & ACB_NORMAL) && name[strlen(name)-1] == '$') ||
1094 ((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))) {
1096 if (!(has_objectclass & HAS_IPAHOST)) {
1097 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1098 LDAP_ATTRIBUTE_OBJECTCLASS,
1101 if (domain == NULL) {
1102 return NT_STATUS_INVALID_PARAMETER;
1105 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1110 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1111 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1112 "objectclass", "posixAccount");
1113 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1114 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1115 "uidNumber", IPA_MAGIC_ID_STR);
1116 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1117 "gidNumber", "12345");
1118 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1119 "homeDirectory", "/dev/null");
1123 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1124 ldap_mods_free(mods, 1);
1125 if (ret != LDAP_SUCCESS) {
1126 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1128 return NT_STATUS_LDAP(ret);
1132 return NT_STATUS_OK;
1135 static NTSTATUS pdb_ipasam_add_sam_account(struct pdb_methods *pdb_methods,
1136 struct samu *sampass)
1139 struct ldapsam_privates *ldap_state;
1142 uint32_t has_objectclass;
1144 struct dom_sid user_sid;
1146 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1148 if (IS_SAM_SET(sampass, PDB_USERSID) ||
1149 IS_SAM_CHANGED(sampass, PDB_USERSID)) {
1150 if (!pdb_new_rid(&rid)) {
1151 return NT_STATUS_DS_NO_MORE_RIDS;
1153 sid_compose(&user_sid, get_global_sam_sid(), rid);
1154 if (!pdb_set_user_sid(sampass, &user_sid, PDB_SET)) {
1155 return NT_STATUS_UNSUCCESSFUL;
1159 status = ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
1161 if (!NT_STATUS_IS_OK(status)) {
1165 if (ldap_state->ipasam_privates->server_is_ipa) {
1166 name = pdb_get_username(sampass);
1167 if (name == NULL || *name == '\0') {
1168 return NT_STATUS_INVALID_PARAMETER;
1171 status = find_user(ldap_state, name, &dn, &has_objectclass);
1172 if (!NT_STATUS_IS_OK(status)) {
1176 status = ipasam_add_ipa_objectclasses(ldap_state, dn, name,
1177 pdb_get_domain(sampass),
1178 pdb_get_acct_ctrl(sampass),
1180 if (!NT_STATUS_IS_OK(status)) {
1184 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1185 status = ipasam_add_posix_account_objectclass(ldap_state,
1188 if (!NT_STATUS_IS_OK(status)) {
1193 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
1194 status = modify_ipa_password_exop(ldap_state, sampass);
1195 if (!NT_STATUS_IS_OK(status)) {
1201 return NT_STATUS_OK;
1204 static NTSTATUS pdb_ipasam_update_sam_account(struct pdb_methods *pdb_methods,
1205 struct samu *sampass)
1208 struct ldapsam_privates *ldap_state;
1209 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1211 status = ldap_state->ipasam_privates->ldapsam_update_sam_account(pdb_methods,
1213 if (!NT_STATUS_IS_OK(status)) {
1217 if (ldap_state->ipasam_privates->server_is_ipa) {
1218 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
1219 status = modify_ipa_password_exop(ldap_state, sampass);
1220 if (!NT_STATUS_IS_OK(status)) {
1226 return NT_STATUS_OK;
1229 static NTSTATUS ipasam_create_dom_group(struct pdb_methods *pdb_methods,
1230 TALLOC_CTX *tmp_ctx, const char *name,
1234 struct ldapsam_privates *ldap_state;
1235 int ldap_op = LDAP_MOD_REPLACE;
1237 uint32_t has_objectclass = 0;
1239 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1241 if (name == NULL || *name == '\0') {
1242 return NT_STATUS_INVALID_PARAMETER;
1245 status = find_group(ldap_state, name, &dn, &has_objectclass);
1246 if (NT_STATUS_IS_OK(status)) {
1247 ldap_op = LDAP_MOD_REPLACE;
1248 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1249 ldap_op = LDAP_MOD_ADD;
1254 if (!(has_objectclass & HAS_POSIXGROUP)) {
1255 status = ipasam_add_ipa_group_objectclasses(ldap_state, dn,
1258 if (!NT_STATUS_IS_OK(status)) {
1263 status = ldap_state->ipasam_privates->ldapsam_create_dom_group(pdb_methods,
1267 if (!NT_STATUS_IS_OK(status)) {
1271 return NT_STATUS_OK;
1273 static NTSTATUS ipasam_create_user(struct pdb_methods *pdb_methods,
1274 TALLOC_CTX *tmp_ctx, const char *name,
1275 uint32_t acb_info, uint32_t *rid)
1278 struct ldapsam_privates *ldap_state;
1279 int ldap_op = LDAP_MOD_REPLACE;
1281 uint32_t has_objectclass = 0;
1283 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1285 if (name == NULL || *name == '\0') {
1286 return NT_STATUS_INVALID_PARAMETER;
1289 status = find_user(ldap_state, name, &dn, &has_objectclass);
1290 if (NT_STATUS_IS_OK(status)) {
1291 ldap_op = LDAP_MOD_REPLACE;
1292 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1293 char *escape_username;
1294 ldap_op = LDAP_MOD_ADD;
1295 escape_username = escape_rdn_val_string_alloc(name);
1296 if (!escape_username) {
1297 return NT_STATUS_NO_MEMORY;
1299 if (name[strlen(name)-1] == '$') {
1300 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
1302 lp_ldap_machine_suffix());
1304 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
1306 lp_ldap_user_suffix());
1308 SAFE_FREE(escape_username);
1310 return NT_STATUS_NO_MEMORY;
1316 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1317 status = ipasam_add_posix_account_objectclass(ldap_state, ldap_op,
1319 if (!NT_STATUS_IS_OK(status)) {
1322 has_objectclass |= HAS_POSIXACCOUNT;
1325 status = ldap_state->ipasam_privates->ldapsam_create_user(pdb_methods,
1328 if (!NT_STATUS_IS_OK(status)) {
1332 status = ipasam_add_ipa_objectclasses(ldap_state, dn, name, lp_realm(),
1333 acb_info, has_objectclass);
1334 if (!NT_STATUS_IS_OK(status)) {
1338 return NT_STATUS_OK;
1341 static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location)
1343 struct ldapsam_privates *ldap_state;
1346 status = pdb_init_ldapsam(pdb_method, location);
1347 if (!NT_STATUS_IS_OK(status)) {
1351 (*pdb_method)->name = "IPA_ldapsam";
1353 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
1354 ldap_state->ipasam_privates = talloc_zero(ldap_state,
1355 struct ipasam_privates);
1356 if (ldap_state->ipasam_privates == NULL) {
1357 return NT_STATUS_NO_MEMORY;
1359 ldap_state->is_ipa_ldap = True;
1361 ldap_state->ipasam_privates->server_is_ipa = smbldap_has_extension(
1362 priv2ld(ldap_state), IPA_KEYTAB_SET_OID);
1363 ldap_state->ipasam_privates->ldapsam_add_sam_account = (*pdb_method)->add_sam_account;
1364 ldap_state->ipasam_privates->ldapsam_update_sam_account = (*pdb_method)->update_sam_account;
1365 ldap_state->ipasam_privates->ldapsam_create_user = (*pdb_method)->create_user;
1366 ldap_state->ipasam_privates->ldapsam_create_dom_group = (*pdb_method)->create_dom_group;
1368 (*pdb_method)->add_sam_account = pdb_ipasam_add_sam_account;
1369 (*pdb_method)->update_sam_account = pdb_ipasam_update_sam_account;
1371 if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
1372 if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
1373 (*pdb_method)->create_user = ipasam_create_user;
1374 (*pdb_method)->create_dom_group = ipasam_create_dom_group;
1378 (*pdb_method)->capabilities = pdb_ipasam_capabilities;
1379 (*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
1381 (*pdb_method)->get_trusteddom_pw = ipasam_get_trusteddom_pw;
1382 (*pdb_method)->set_trusteddom_pw = ipasam_set_trusteddom_pw;
1383 (*pdb_method)->del_trusteddom_pw = ipasam_del_trusteddom_pw;
1384 (*pdb_method)->enum_trusteddoms = ipasam_enum_trusteddoms;
1386 (*pdb_method)->get_trusted_domain = ipasam_get_trusted_domain;
1387 (*pdb_method)->get_trusted_domain_by_sid = ipasam_get_trusted_domain_by_sid;
1388 (*pdb_method)->set_trusted_domain = ipasam_set_trusted_domain;
1389 (*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain;
1390 (*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains;
1392 return NT_STATUS_OK;
1395 NTSTATUS pdb_ipa_init(void)
1399 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "IPA_ldapsam", pdb_init_IPA_ldapsam)))
1402 return NT_STATUS_OK;