really secret. */
#define SECRETS_DOMAIN_SID "SECRETS/SID"
#define SECRETS_SAM_SID "SAM/SID"
+#define SECRETS_PROTECT_IDS "SECRETS/PROTECT/IDS"
/* The domain GUID and server GUID (NOT the same) are also not secret */
#define SECRETS_DOMAIN_GUID "SECRETS/DOMGUID"
void *secrets_fetch(const char *key, size_t *size);
bool secrets_store(const char *key, const void *data, size_t size);
bool secrets_delete(const char *key);
+
+/* The following definitions come from passdb/machine_account_secrets.c */
+bool secrets_mark_domain_protected(const char *domain);
+bool secrets_clear_domain_protection(const char *domain);
bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid);
bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid);
bool secrets_store_domain_guid(const char *domain, struct GUID *guid);
return keystr;
}
+static const char *protect_ids_keystr(const char *domain)
+{
+ char *keystr;
+
+ keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
+ SECRETS_PROTECT_IDS, domain);
+ SMB_ASSERT(keystr != NULL);
+ return keystr;
+}
+
+/* N O T E: never use this outside of passdb modules that store the SID on their own */
+bool secrets_mark_domain_protected(const char *domain)
+{
+ bool ret;
+
+ ret = secrets_store(protect_ids_keystr(domain), "TRUE", 5);
+ if (!ret) {
+ DEBUG(0, ("Failed to protect the Domain IDs\n"));
+ }
+ return ret;
+}
+
+bool secrets_clear_domain_protection(const char *domain)
+{
+ bool ret;
+
+ ret = secrets_delete(protect_ids_keystr(domain));
+ if (!ret) {
+ DEBUG(0, ("Failed to remove Domain IDs protection\n"));
+ }
+ return ret;
+}
+
bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid)
{
+ char *protect_ids;
bool ret;
#if _SAMBA_BUILD_ == 4
- if (strequal(domain, get_global_sam_name()) &&
- (pdb_capabilities() & PDB_CAP_ADS)) {
- /* If we have a ADS-capable passdb backend, we
- * must never make up our own SID, it will
- * already be in the directory */
- DEBUG(0, ("Refusing to store a Domain SID, this should be read from the directory not stored here\n"));
- return false;
+ protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL);
+ if (protect_ids) {
+ if (strncmp(protect_ids, "TRUE", 4)) {
+ DEBUG(0, ("Refusing to store a Domain SID, "
+ "it has been marked as protected!\n"));
+ return false;
+ }
}
#endif
struct dom_sid *dyn_sid;
size_t size = 0;
-#if _SAMBA_BUILD_ == 4
- if (strequal(domain, get_global_sam_name()) &&
- (pdb_capabilities() & PDB_CAP_ADS)) {
- struct pdb_domain_info *domain_info;
- domain_info = pdb_get_domain_info(talloc_tos());
- if (!domain_info) {
- /* If we have a ADS-capable passdb backend, we
- * must never make up our own SID, it will
- * already be in the directory */
- DEBUG(0, ("Unable to fetch a Domain SID from the directory!\n"));
- return false;
- }
-
- *sid = domain_info->sid;
- return true;
- }
-#endif
-
dyn_sid = (struct dom_sid *)secrets_fetch(domain_sid_keystr(domain), &size);
if (dyn_sid == NULL)
bool secrets_store_domain_guid(const char *domain, struct GUID *guid)
{
+ char *protect_ids;
fstring key;
#if _SAMBA_BUILD_ == 4
- if (strequal(domain, get_global_sam_name()) &&
- (pdb_capabilities() & PDB_CAP_ADS)) {
- /* If we have a ADS-capable passdb backend, we
- * must never make up our own GUID, it will
- * already be in the directory */
- DEBUG(0, ("Refusing to store a Domain GUID, this should be read from the directory not stored here\n"));
- return false;
+ protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL);
+ if (protect_ids) {
+ if (strncmp(protect_ids, "TRUE", 4)) {
+ DEBUG(0, ("Refusing to store a Domain SID, "
+ "it has been marked as protected!\n"));
+ return false;
+ }
}
#endif
size_t size = 0;
struct GUID new_guid;
-#if _SAMBA_BUILD_ == 4
- if (strequal(domain, get_global_sam_name()) &&
- (pdb_capabilities() & PDB_CAP_ADS)) {
- struct pdb_domain_info *domain_info;
- domain_info = pdb_get_domain_info(talloc_tos());
- if (!domain_info) {
- /* If we have a ADS-capable passdb backend, we
- * must never make up our own SID, it will
- * already be in the directory */
- DEBUG(0, ("Unable to fetch a Domain GUID from the directory!\n"));
- return false;
- }
-
- *guid = domain_info->guid;
- return true;
- }
-#endif
-
slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
strupper_m(key);
dyn_guid = (struct GUID *)secrets_fetch(key, &size);
bld.SAMBA3_LIBRARY('gse',
source='librpc/crypto/gse_krb5.c librpc/crypto/gse.c',
- deps='KRB5_WRAP gensec param KRBCLIENT SECRETS3',
+ deps='KRB5_WRAP gensec param KRBCLIENT secrets3',
private_library=True)
bld.SAMBA3_LIBRARY('msrpc3',
bld.SAMBA3_LIBRARY('pdb',
source=PASSDB_SRC,
- deps='SECRETS3 GROUPDB SERVER_MUTEX wbclient LIBCLI_AUTH flag_mapping',
+ deps='secrets3 GROUPDB SERVER_MUTEX wbclient LIBCLI_AUTH flag_mapping',
private_library=True,
public_headers='''
include/passdb.h
bld.SAMBA3_LIBRARY('util_cmdline',
source='lib/util_cmdline.c',
- deps='SECRETS3 popt',
+ deps='secrets3 popt',
private_library=True)
bld.SAMBA3_SUBSYSTEM('KRBCLIENT',
deps='cli-ldap-common cli_cldap LIBTSOCKET',
vars=locals())
-bld.SAMBA3_SUBSYSTEM('SECRETS3',
+# NOTE: The secrets3 library is a low level library used by several subsystems.
+# PLEASE DO NOT make it depend on high level libraries like PDB, if you are
+# doing that your design is wrong and needs changing. -SSS
+bld.SAMBA3_LIBRARY('secrets3',
source=SECRETS_SRC,
- deps='NDR_SECRETS param samba3util dbwrap pdb',
+ deps='NDR_SECRETS param samba3util dbwrap',
+ private_library=True,
vars=locals())
bld.SAMBA3_LIBRARY('smbldap',
bld.SAMBA3_SUBSYSTEM('LIBNET',
source=LIBNET_SRC,
- deps='NDR_LIBNET_JOIN INIT_SAMR net_keytab',
+ deps='NDR_LIBNET_JOIN INIT_SAMR net_keytab pdb',
vars=locals())
bld.SAMBA3_LIBRARY('net_keytab',
bld.SAMBA3_LIBRARY('trusts_util',
source='libsmb/trusts_util.c',
- deps='libcli_netlogon3 msrpc3',
+ deps='libcli_netlogon3 msrpc3 pdb',
vars=locals(),
private_library=True)
bld.SAMBA3_LIBRARY('cli_spoolss',
source=LIBCLI_SPOOLSS_SRC,
- deps='RPC_NDR_SPOOLSS param SECRETS3',
+ deps='RPC_NDR_SPOOLSS param secrets3',
private_library=True)
bld.SAMBA3_SUBSYSTEM('LIBCLI_WINREG',
source=SMBTA_UTIL_SRC,
deps='''
talloc
- SECRETS3
+ secrets3
param''',
vars=locals())
git.samba.org / amitay / samba.git / commitdiff