#include "includes.h"
+#include "system/passwd.h"
#include "utils/net.h"
+#include "../librpc/gen_ndr/samr.h"
+#include "smbldap.h"
+#include "../libcli/security/security.h"
+#include "lib/winbind_util.h"
+#include "passdb.h"
+#include "lib/privileges.h"
/*
* Set a user's data
enum pdb_value_state))
{
struct samu *sam_acct = NULL;
- DOM_SID sid;
+ struct dom_sid sid;
enum lsa_SidType type;
const char *dom, *name;
NTSTATUS status;
uint16 flag)
{
struct samu *sam_acct = NULL;
- DOM_SID sid;
+ struct dom_sid sid;
enum lsa_SidType type;
const char *dom, *name;
NTSTATUS status;
const char **argv)
{
struct samu *sam_acct = NULL;
- DOM_SID sid;
+ struct dom_sid sid;
enum lsa_SidType type;
const char *dom, *name;
NTSTATUS status;
const char **argv)
{
GROUP_MAP map;
- DOM_SID sid;
+ struct dom_sid sid;
enum lsa_SidType type;
const char *dom, *name;
NTSTATUS status;
const char **names;
int i, count;
- account_policy_names_list(&names, &count);
+ account_policy_names_list(talloc_tos(), &names, &count);
d_fprintf(stderr, _("No account policy \"%s\"!\n\n"), argv[0]);
d_fprintf(stderr, _("Valid account policies are:\n"));
d_fprintf(stderr, "%s\n", names[i]);
}
- SAFE_FREE(names);
+ TALLOC_FREE(names);
+
return -1;
}
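Review bot: `names` is declared without an initializer on line 44 and the result of `account_policy_names_list(talloc_tos(), &names, &count)` on line 47 is discarded, so if that call can fail without assigning `names` (not visible here), the print loop dereferences and `TALLOC_FREE(names)` frees an indeterminate pointer; the old `SAFE_FREE` had the same exposure, but the switch to talloc is the right moment to close it. Initialize the declaration, `const char **names = NULL;`, and either check the return, `if (!account_policy_names_list(talloc_tos(), &names, &count)) { count = 0; }`, or report the failure. The same pattern is repeated in the two following hunks (lines 57–71 and 74–85). The enclosing function and the loop header are outside the visible hunk.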
const char **names;
int count;
int i;
- account_policy_names_list(&names, &count);
+ account_policy_names_list(talloc_tos(), &names, &count);
d_fprintf(stderr, _("No account policy by that name!\n"));
if (count != 0) {
d_fprintf(stderr, _("Valid account policies "
d_fprintf(stderr, "%s\n", names[i]);
}
}
- SAFE_FREE(names);
+ TALLOC_FREE(names);
return -1;
}
return 0;
}
- account_policy_names_list(&names, &count);
+ account_policy_names_list(talloc_tos(), &names, &count);
if (count != 0) {
d_fprintf(stderr, _("Valid account policies "
"are:\n"));
d_fprintf(stderr, "%s\n", names[i]);
}
}
- SAFE_FREE(names);
+ TALLOC_FREE(names);
return -1;
}
return net_run_function(c, argc, argv, "net sam policy", func);
}
-extern PRIVS privs[];
-
static int net_sam_rights_list(struct net_context *c, int argc,
const char **argv)
{
- SE_PRIV mask;
+ enum sec_privilege privilege;
if (argc > 1 || c->display_usage) {
d_fprintf(stderr, "%s\n%s",
if (argc == 0) {
int i;
- int num = count_all_privileges();
+ int num = num_privileges_in_short_list();
for (i=0; i<num; i++) {
- d_printf("%s\n", privs[i].name);
+ d_printf("%s\n", sec_privilege_name_from_index(i));
}
return 0;
}
- if (se_priv_from_name(argv[0], &mask)) {
- DOM_SID *sids;
+ privilege = sec_privilege_id(argv[0]);
+
+ if (privilege != SEC_PRIV_INVALID) {
+ struct dom_sid *sids;
int i, num_sids;
NTSTATUS status;
- status = privilege_enum_sids(&mask, talloc_tos(),
+ status = privilege_enum_sids(privilege, talloc_tos(),
&sids, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, _("Could not list rights: %s\n"),
static int net_sam_rights_grant(struct net_context *c, int argc,
const char **argv)
{
- DOM_SID sid;
+ struct dom_sid sid;
enum lsa_SidType type;
const char *dom, *name;
- SE_PRIV mask;
int i;
if (argc < 2 || c->display_usage) {
}
for (i=1; i < argc; i++) {
- if (!se_priv_from_name(argv[i], &mask)) {
+ enum sec_privilege privilege = sec_privilege_id(argv[i]);
+ if (privilege == SEC_PRIV_INVALID) {
d_fprintf(stderr, _("%s unknown\n"), argv[i]);
return -1;
}
- if (!grant_privilege(&sid, &mask)) {
+ if (!grant_privilege_by_name(&sid, argv[i])) {
d_fprintf(stderr, _("Could not grant privilege\n"));
return -1;
}
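Review bot: Inside the loop `privilege` (line 133) is used only to reject unknown names, and `grant_privilege_by_name(&sid, argv[i])` on line 139 then resolves the same string a second time, whereas `net_sam_rights_list` above passes the enum straight to `privilege_enum_sids`. If lib/privileges.h provides an enum-taking grant (I cannot see it from here) it would be cleaner to call that with `privilege`; otherwise a short comment on line 133, `/* resolved only to validate the name; grant_privilege_by_name re-resolves it */`, explains the apparently unused value. The same applies to the revoke loop on lines 154–166. The function's argument parsing and tail are outside the hunk.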
static int net_sam_rights_revoke(struct net_context *c, int argc,
const char **argv)
{
- DOM_SID sid;
+ struct dom_sid sid;
enum lsa_SidType type;
const char *dom, *name;
- SE_PRIV mask;
int i;
if (argc < 2 || c->display_usage) {
}
for (i=1; i < argc; i++) {
-
- if (!se_priv_from_name(argv[i], &mask)) {
+ enum sec_privilege privilege = sec_privilege_id(argv[i]);
+ if (privilege == SEC_PRIV_INVALID) {
d_fprintf(stderr, _("%s unknown\n"), argv[i]);
return -1;
}
- if (!revoke_privilege(&sid, &mask)) {
+ if (!revoke_privilege_by_name(&sid, argv[i])) {
d_fprintf(stderr, _("Could not revoke privilege\n"));
return -1;
}
static NTSTATUS unmap_unix_group(const struct group *grp, GROUP_MAP *pmap)
{
- NTSTATUS status;
GROUP_MAP map;
const char *grpname;
- DOM_SID dom_sid;
+ struct dom_sid dom_sid;
map.gid = grp->gr_gid;
grpname = grp->gr_name;
return NT_STATUS_UNSUCCESSFUL;
}
- status = pdb_delete_group_mapping_entry(dom_sid);
-
- return status;
+ return pdb_delete_group_mapping_entry(dom_sid);
}
static int net_sam_unmapunixgroup(struct net_context *c, int argc, const char **argv)
static int net_sam_deletedomaingroup(struct net_context *c, int argc,
const char **argv)
{
- DOM_SID sid;
+ struct dom_sid sid;
uint32_t rid;
enum lsa_SidType type;
const char *dom, *name;
static int net_sam_deletelocalgroup(struct net_context *c, int argc, const char **argv)
{
- DOM_SID sid;
+ struct dom_sid sid;
enum lsa_SidType type;
const char *dom, *name;
NTSTATUS status;
uint32 rid;
enum lsa_SidType type;
fstring groupname;
- DOM_SID sid;
+ struct dom_sid sid;
if (argc != 1 || c->display_usage) {
d_fprintf(stderr, "%s\n%s",
static int net_sam_addmem(struct net_context *c, int argc, const char **argv)
{
const char *groupdomain, *groupname, *memberdomain, *membername;
- DOM_SID group, member;
+ struct dom_sid group, member;
enum lsa_SidType grouptype, membertype;
NTSTATUS status;
const char *groupdomain, *groupname;
const char *memberdomain = NULL;
const char *membername = NULL;
- DOM_SID group, member;
+ struct dom_sid group, member;
enum lsa_SidType grouptype;
NTSTATUS status;
static int net_sam_listmem(struct net_context *c, int argc, const char **argv)
{
const char *groupdomain, *groupname;
- DOM_SID group;
- DOM_SID *members = NULL;
+ struct dom_sid group;
+ struct dom_sid *members = NULL;
size_t i, num_members = 0;
enum lsa_SidType grouptype;
NTSTATUS status;
static int net_sam_show(struct net_context *c, int argc, const char **argv)
{
- DOM_SID sid;
+ struct dom_sid sid;
enum lsa_SidType type;
const char *dom, *name;
char *p;
struct smbldap_state *ls;
GROUP_MAP gmap;
- DOM_SID gsid;
+ struct dom_sid gsid;
gid_t domusers_gid = -1;
gid_t domadmins_gid = -1;
struct samu *samuser;
struct passwd *pwd;
+ bool is_ipa = false;
if (c->display_usage) {
d_printf( "%s\n"
trim_char(ldap_bk, ' ', ' ');
- if (strcmp(ldap_bk, "ldapsam") != 0) {
+ if (strcmp(ldap_bk, "IPA_ldapsam") == 0 ) {
+ is_ipa = true;
+ }
+
+ if (strcmp(ldap_bk, "ldapsam") != 0 && !is_ipa ) {
d_fprintf(stderr,
_("Provisioning works only with ldapsam backend\n"));
goto failed;
goto failed;
}
- if (!winbind_ping()) {
+ if (!is_ipa && !winbind_ping()) {
d_fprintf(stderr, _("winbind seems not to run. Provisioning "
"LDAP only works when winbind runs.\n"));
goto failed;
d_printf(_("Checking for Domain Users group.\n"));
- sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
+ sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_USERS);
if (!pdb_getgrsid(&gmap, gsid)) {
LDAPMod **mods = NULL;
d_printf(_("Adding the Domain Users group.\n"));
/* lets allocate a new groupid for this group */
- if (!winbind_allocate_gid(&domusers_gid)) {
- d_fprintf(stderr, _("Unable to allocate a new gid to "
- "create Domain Users group!\n"));
- goto domu_done;
+ if (is_ipa) {
+ domusers_gid = 999;
+ } else {
+ if (!winbind_allocate_gid(&domusers_gid)) {
+ d_fprintf(stderr, _("Unable to allocate a new gid to "
+ "create Domain Users group!\n"));
+ goto domu_done;
+ }
}
uname = talloc_strdup(tc, "domusers");
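Review bot: `domusers_gid = 999;` on line 277 is a bare magic number that is later formatted into the `gidNumber` written to the directory, and the same literal is repeated for Domain Admins (line 324), Administrator (line 382) and Guest (line 458) without a word of explanation; the only hint of its meaning is that each entry is re-read afterwards to pick up the real id. Name it once at file scope with a comment, e.g. `#define IPA_PLACEHOLDER_ID 999 /* sentinel id; the IPA server is expected to replace it on add — confirm */` — that the server rewrites it is inferred from the re-read, not visible here. If the sentinel were ever left in place, Administrator and Guest would end up sharing uid 999, so the re-read that follows the add should also reject `gmap.gid == 999` rather than accept whatever came back. The enclosing provisioning function starts well before this hunk.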
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
+ if (is_ipa) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
+ }
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
d_fprintf(stderr, _("Failed to add Domain Users group "
"to ldap directory\n"));
}
+
+ if (is_ipa) {
+ if (!pdb_getgrsid(&gmap, gsid)) {
+ d_fprintf(stderr, _("Failed to read just "
+ "created domain group.\n"));
+ goto failed;
+ } else {
+ domusers_gid = gmap.gid;
+ }
+ }
} else {
domusers_gid = gmap.gid;
d_printf(_("found!\n"));
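Review bot: The IPA re-read on lines 300–308 runs even when the add just above it failed: the failure branch on lines 296–298 only prints and falls through, so a failed `smbldap_add` is reported as "Failed to read just created domain group" and aborts, while the non-IPA path carries on with a gid that exists nowhere in the directory. Either make the add failure itself fatal in both paths, or guard the re-read on the add result, `if (is_ipa && rc == LDAP_SUCCESS) {` — the add's result variable is outside the hunk, so its name is inferred. The same shape recurs for Domain Admins (lines 347–355), Administrator (424–430) and Guest (495–501).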
d_printf(_("Checking for Domain Admins group.\n"));
- sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_ADMINS);
+ sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
if (!pdb_getgrsid(&gmap, gsid)) {
LDAPMod **mods = NULL;
d_printf(_("Adding the Domain Admins group.\n"));
/* lets allocate a new groupid for this group */
- if (!winbind_allocate_gid(&domadmins_gid)) {
- d_fprintf(stderr, _("Unable to allocate a new gid to "
- "create Domain Admins group!\n"));
- goto doma_done;
+ if (is_ipa) {
+ domadmins_gid = 999;
+ } else {
+ if (!winbind_allocate_gid(&domadmins_gid)) {
+ d_fprintf(stderr, _("Unable to allocate a new gid to "
+ "create Domain Admins group!\n"));
+ goto doma_done;
+ }
}
uname = talloc_strdup(tc, "domadmins");
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
+ if (is_ipa) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
+ }
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
d_fprintf(stderr, _("Failed to add Domain Admins group "
"to ldap directory\n"));
}
+
+ if (is_ipa) {
+ if (!pdb_getgrsid(&gmap, gsid)) {
+ d_fprintf(stderr, _("Failed to read just "
+ "created domain group.\n"));
+ goto failed;
+ } else {
+ domadmins_gid = gmap.gid;
+ }
+ }
} else {
domadmins_gid = gmap.gid;
d_printf(_("found!\n"));
if (!pdb_getsampwnam(samuser, "Administrator")) {
LDAPMod **mods = NULL;
- DOM_SID sid;
+ struct dom_sid sid;
char *dn;
char *name;
char *uidstr;
char *gidstr;
char *shell;
char *dir;
+ char *princ;
uid_t uid;
int rc;
"Admins group not available!\n"));
goto done;
}
- if (!winbind_allocate_uid(&uid)) {
- d_fprintf(stderr,
- _("Unable to allocate a new uid to create "
- "the Administrator user!\n"));
- goto done;
+
+ if (is_ipa) {
+ uid = 999;
+ } else {
+ if (!winbind_allocate_uid(&uid)) {
+ d_fprintf(stderr,
+ _("Unable to allocate a new uid to create "
+ "the Administrator user!\n"));
+ goto done;
+ }
}
+
name = talloc_strdup(tc, "Administrator");
dn = talloc_asprintf(tc, "uid=Administrator,%s", lp_ldap_user_suffix());
uidstr = talloc_asprintf(tc, "%u", (unsigned int)uid);
goto failed;
}
- sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_ADMIN);
+ sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_ADMINISTRATOR);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
+ if (is_ipa) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "person");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "organizationalperson");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetorgperson");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetuser");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbprincipalaux");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbticketpolicyaux");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "sn", name);
+ princ = talloc_asprintf(tc, "%s@%s", name, lp_realm());
+ if (!princ) {
+ d_fprintf(stderr, _("Out of Memory!\n"));
+ goto failed;
+ }
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "krbPrincipalName", princ);
+ }
smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
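Review bot: `princ = talloc_asprintf(tc, "%s@%s", name, lp_realm())` on line 410 only checks for allocation failure; if `realm` is unset in smb.conf the entry receives `krbPrincipalName: Administrator@` (an empty realm, or NULL depending on the loadparm accessor), which a Kerberos-aware directory will either reject or accept as a malformed principal for the most privileged account being created. Add a guard before building it, e.g. `if (lp_realm() == NULL || *lp_realm() == '\0') { d_fprintf(stderr, _("realm must be set for IPA provisioning\n")); goto failed; }`, or check it once next to the `is_ipa` detection. The Guest entry further down gets `krbprincipalaux` without any `krbPrincipalName`; if that asymmetry is deliberate, a one-line comment there would save the next reader a question. The surrounding Administrator block begins before this hunk.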
d_fprintf(stderr, _("Failed to add Administrator user "
"to ldap directory\n"));
}
+
+ if (is_ipa) {
+ if (!pdb_getsampwnam(samuser, "Administrator")) {
+ d_fprintf(stderr, _("Failed to read just "
+ "created user.\n"));
+ goto failed;
+ }
+ }
} else {
d_printf(_("found!\n"));
}
if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
LDAPMod **mods = NULL;
- DOM_SID sid;
+ struct dom_sid sid;
char *dn;
char *uidstr;
char *gidstr;
d_printf(_("Adding the Guest user.\n"));
- pwd = getpwnam_alloc(tc, lp_guestaccount());
+ sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
+
+ pwd = Get_Pwnam_alloc(tc, lp_guestaccount());
if (!pwd) {
if (domusers_gid == -1) {
goto done;
}
pwd->pw_name = talloc_strdup(pwd, lp_guestaccount());
- if (!winbind_allocate_uid(&(pwd->pw_uid))) {
- d_fprintf(stderr,
- _("Unable to allocate a new uid to "
- "create the Guest user!\n"));
- goto done;
+
+ if (is_ipa) {
+ pwd->pw_uid = 999;
+ } else {
+ if (!winbind_allocate_uid(&(pwd->pw_uid))) {
+ d_fprintf(stderr,
+ _("Unable to allocate a new uid to "
+ "create the Guest user!\n"));
+ goto done;
+ }
}
pwd->pw_gid = domusers_gid;
pwd->pw_dir = talloc_strdup(tc, "/");
}
}
- sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST);
-
dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name, lp_ldap_user_suffix ());
uidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_uid);
gidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_gid);
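Review bot: Replacing `getpwnam_alloc` with `Get_Pwnam_alloc` on line 445 may change the lookup from an exact match to Samba's username-level/case-variant search (inferred from that helper's usual semantics, not visible here), so for an existing system account `pwd->pw_name` can differ in case from `lp_guestaccount()`. The DN on line 473 and the `uid`/`cn` attributes below are built from `pwd->pw_name`, while both `pdb_getsampwnam` lookups (lines 434 and 496) use `lp_guestaccount()`, so on a case-variant hit the IPA post-add check would look up a different name than was written. If an exact name is intended, either keep `getpwnam_alloc` or apply `pwd->pw_name = talloc_strdup(pwd, lp_guestaccount());` outside the `!pwd` branch as well, as line 450 already does inside it. The Guest block starts and ends outside this hunk.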
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
+ if (is_ipa) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "person");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "organizationalperson");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetorgperson");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetuser");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbprincipalaux");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbticketpolicyaux");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "sn", pwd->pw_name);
+ }
smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
d_fprintf(stderr, _("Failed to add Guest user to "
"ldap directory\n"));
}
+
+ if (is_ipa) {
+ if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
+ d_fprintf(stderr, _("Failed to read just "
+ "created user.\n"));
+ goto failed;
+ }
+ }
} else {
d_printf(_("found!\n"));
}
d_printf(_("Checking Guest's group.\n"));
- pwd = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
+ pwd = Get_Pwnam_alloc(tc, lp_guestaccount());
if (!pwd) {
d_fprintf(stderr,
_("Failed to find just created Guest account!\n"
goto failed;
}
- sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_GUESTS);
+ sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_GUESTS);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
+ if (is_ipa) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
+ }
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);