2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/samr.h"
29 #include "passdb/pdb_ldap.h"
30 #include "passdb/pdb_ipa.h"
31 #include "passdb/pdb_ldap_schema.h"
33 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
34 #define IPA_MAGIC_ID_STR "999"
36 #define LDAP_TRUST_CONTAINER "ou=system"
37 #define LDAP_ATTRIBUTE_CN "cn"
38 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
39 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
40 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
41 #define LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET "sambaTrustPosixOffset"
42 #define LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE "sambaSupportedEncryptionTypes"
43 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
44 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
45 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
46 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
47 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
48 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
49 #define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
51 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
52 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
53 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
55 #define LDAP_OBJ_IPAOBJECT "ipaObject"
56 #define LDAP_OBJ_IPAHOST "ipaHost"
57 #define LDAP_OBJ_POSIXACCOUNT "posixAccount"
59 #define LDAP_OBJ_GROUPOFNAMES "groupOfNames"
60 #define LDAP_OBJ_NESTEDGROUP "nestedGroup"
61 #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
62 #define LDAP_OBJ_POSIXGROUP "posixGroup"
64 #define HAS_KRB_PRINCIPAL (1<<0)
65 #define HAS_KRB_PRINCIPAL_AUX (1<<1)
66 #define HAS_IPAOBJECT (1<<2)
67 #define HAS_IPAHOST (1<<3)
68 #define HAS_POSIXACCOUNT (1<<4)
69 #define HAS_GROUPOFNAMES (1<<5)
70 #define HAS_NESTEDGROUP (1<<6)
71 #define HAS_IPAUSERGROUP (1<<7)
72 #define HAS_POSIXGROUP (1<<8)
74 struct ipasam_privates {
76 NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
77 struct samu *sampass);
78 NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
79 struct samu *sampass);
80 NTSTATUS (*ldapsam_create_user)(struct pdb_methods *my_methods,
81 TALLOC_CTX *tmp_ctx, const char *name,
82 uint32_t acb_info, uint32_t *rid);
83 NTSTATUS (*ldapsam_create_dom_group)(struct pdb_methods *my_methods,
89 static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
93 time_t *pass_last_set_time)
98 static bool ipasam_set_trusteddom_pw(struct pdb_methods *methods,
101 const struct dom_sid *sid)
106 static bool ipasam_del_trusteddom_pw(struct pdb_methods *methods,
112 static char *get_account_dn(const char *name)
117 escape_name = escape_rdn_val_string_alloc(name);
122 if (name[strlen(name)-1] == '$') {
123 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
124 lp_ldap_machine_suffix());
126 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
127 lp_ldap_user_suffix());
130 SAFE_FREE(escape_name);
135 static char *trusted_domain_dn(struct ldapsam_privates *ldap_state,
138 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
139 LDAP_ATTRIBUTE_CN, domain,
140 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
143 static char *trusted_domain_base_dn(struct ldapsam_privates *ldap_state)
145 return talloc_asprintf(talloc_tos(), "%s,%s",
146 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
149 static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state,
151 const char *filter, LDAPMessage **entry)
154 char *base_dn = NULL;
155 LDAPMessage *result = NULL;
158 base_dn = trusted_domain_base_dn(ldap_state);
159 if (base_dn == NULL) {
163 rc = smbldap_search(ldap_state->smbldap_state, base_dn,
164 LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result);
165 TALLOC_FREE(base_dn);
167 if (result != NULL) {
168 talloc_autofree_ldapmsg(mem_ctx, result);
171 if (rc == LDAP_NO_SUCH_OBJECT) {
176 if (rc != LDAP_SUCCESS) {
180 num_result = ldap_count_entries(priv2ld(ldap_state), result);
182 if (num_result > 1) {
183 DEBUG(1, ("get_trusted_domain_int: more than one "
184 "%s object with filter '%s'?!\n",
185 LDAP_OBJ_TRUSTED_DOMAIN, filter));
189 if (num_result == 0) {
190 DEBUG(1, ("get_trusted_domain_int: no "
191 "%s object with filter '%s'.\n",
192 LDAP_OBJ_TRUSTED_DOMAIN, filter));
195 *entry = ldap_first_entry(priv2ld(ldap_state), result);
201 static bool get_trusted_domain_by_name_int(struct ldapsam_privates *ldap_state,
208 filter = talloc_asprintf(talloc_tos(),
209 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
210 LDAP_OBJ_TRUSTED_DOMAIN,
211 LDAP_ATTRIBUTE_FLAT_NAME, domain,
212 LDAP_ATTRIBUTE_TRUST_PARTNER, domain, domain);
213 if (filter == NULL) {
217 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
220 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates *ldap_state,
222 const char *sid, LDAPMessage **entry)
226 filter = talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
227 LDAP_OBJ_TRUSTED_DOMAIN,
228 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER, sid);
229 if (filter == NULL) {
233 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
236 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state,
245 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
248 DEBUG(9, ("Attribute %s not present.\n", attr));
253 l = strtoul(dummy, &endptr, 10);
256 if (l < 0 || l > UINT32_MAX || *endptr != '\0') {
265 static void get_data_blob_from_ldap_msg(TALLOC_CTX *mem_ctx,
266 struct ldapsam_privates *ldap_state,
267 LDAPMessage *entry, const char *attr,
273 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, attr,
276 DEBUG(9, ("Attribute %s not present.\n", attr));
279 blob = base64_decode_data_blob(dummy);
280 if (blob.length == 0) {
283 _blob->length = blob.length;
284 _blob->data = talloc_steal(mem_ctx, blob.data);
290 static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
291 struct ldapsam_privates *ldap_state,
293 struct pdb_trusted_domain **_td)
297 struct pdb_trusted_domain *td;
303 td = talloc_zero(mem_ctx, struct pdb_trusted_domain);
308 /* All attributes are MAY */
310 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
311 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
314 DEBUG(9, ("Attribute %s not present.\n",
315 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER));
316 ZERO_STRUCT(td->security_identifier);
318 res = string_to_sid(&td->security_identifier, dummy);
325 get_data_blob_from_ldap_msg(td, ldap_state, entry,
326 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
327 &td->trust_auth_incoming);
329 get_data_blob_from_ldap_msg(td, ldap_state, entry,
330 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
331 &td->trust_auth_outgoing);
333 td->netbios_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
335 LDAP_ATTRIBUTE_FLAT_NAME,
337 if (td->netbios_name == NULL) {
338 DEBUG(9, ("Attribute %s not present.\n",
339 LDAP_ATTRIBUTE_FLAT_NAME));
342 td->domain_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
344 LDAP_ATTRIBUTE_TRUST_PARTNER,
346 if (td->domain_name == NULL) {
347 DEBUG(9, ("Attribute %s not present.\n",
348 LDAP_ATTRIBUTE_TRUST_PARTNER));
351 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
352 LDAP_ATTRIBUTE_TRUST_DIRECTION,
353 &td->trust_direction);
358 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
359 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
360 &td->trust_attributes);
365 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
366 LDAP_ATTRIBUTE_TRUST_TYPE,
372 td->trust_posix_offset = talloc(td, uint32_t);
373 if (td->trust_posix_offset == NULL) {
376 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
377 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
378 td->trust_posix_offset);
383 td->supported_enc_type = talloc(td, uint32_t);
384 if (td->supported_enc_type == NULL) {
387 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
388 LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
389 td->supported_enc_type);
395 get_data_blob_from_ldap_msg(td, ldap_state, entry,
396 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
397 &td->trust_forest_trust_info);
404 static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
407 struct pdb_trusted_domain **td)
409 struct ldapsam_privates *ldap_state =
410 (struct ldapsam_privates *)methods->private_data;
411 LDAPMessage *entry = NULL;
413 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain));
415 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
417 return NT_STATUS_UNSUCCESSFUL;
420 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
422 return NT_STATUS_NO_SUCH_DOMAIN;
425 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
426 return NT_STATUS_UNSUCCESSFUL;
432 static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
435 struct pdb_trusted_domain **td)
437 struct ldapsam_privates *ldap_state =
438 (struct ldapsam_privates *)methods->private_data;
439 LDAPMessage *entry = NULL;
442 sid_str = sid_string_tos(sid);
444 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
447 if (!get_trusted_domain_by_sid_int(ldap_state, talloc_tos(), sid_str,
449 return NT_STATUS_UNSUCCESSFUL;
452 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
453 "with sid: %s\n", sid_str));
454 return NT_STATUS_NO_SUCH_DOMAIN;
457 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
458 return NT_STATUS_UNSUCCESSFUL;
464 static bool smbldap_make_mod_uint32_t(LDAP *ldap_struct, LDAPMessage *entry,
465 LDAPMod ***mods, const char *attribute,
470 dummy = talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val);
474 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
480 static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
482 const struct pdb_trusted_domain *td)
484 struct ldapsam_privates *ldap_state =
485 (struct ldapsam_privates *)methods->private_data;
486 LDAPMessage *entry = NULL;
489 char *trusted_dn = NULL;
492 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
494 res = get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
497 return NT_STATUS_UNSUCCESSFUL;
501 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
502 LDAP_OBJ_TRUSTED_DOMAIN);
504 if (td->netbios_name != NULL) {
505 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
506 LDAP_ATTRIBUTE_FLAT_NAME,
510 if (td->domain_name != NULL) {
511 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
512 LDAP_ATTRIBUTE_TRUST_PARTNER,
516 if (!is_null_sid(&td->security_identifier)) {
517 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
518 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
519 sid_string_tos(&td->security_identifier));
522 if (td->trust_type != 0) {
523 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
524 &mods, LDAP_ATTRIBUTE_TRUST_TYPE,
527 return NT_STATUS_UNSUCCESSFUL;
531 if (td->trust_attributes != 0) {
532 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
534 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
535 td->trust_attributes);
537 return NT_STATUS_UNSUCCESSFUL;
541 if (td->trust_direction != 0) {
542 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
544 LDAP_ATTRIBUTE_TRUST_DIRECTION,
545 td->trust_direction);
547 return NT_STATUS_UNSUCCESSFUL;
551 if (td->trust_posix_offset != NULL) {
552 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
554 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
555 *td->trust_posix_offset);
557 return NT_STATUS_UNSUCCESSFUL;
561 if (td->supported_enc_type != NULL) {
562 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
564 LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
565 *td->supported_enc_type);
567 return NT_STATUS_UNSUCCESSFUL;
571 if (td->trust_auth_outgoing.data != NULL) {
572 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
573 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
574 &td->trust_auth_outgoing);
577 if (td->trust_auth_incoming.data != NULL) {
578 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
579 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
580 &td->trust_auth_incoming);
583 if (td->trust_forest_trust_info.data != NULL) {
584 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
585 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
586 &td->trust_forest_trust_info);
589 talloc_autofree_ldapmod(talloc_tos(), mods);
591 trusted_dn = trusted_domain_dn(ldap_state, domain);
592 if (trusted_dn == NULL) {
593 return NT_STATUS_NO_MEMORY;
596 ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
598 ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
601 if (ret != LDAP_SUCCESS) {
602 DEBUG(1, ("error writing trusted domain data!\n"));
603 return NT_STATUS_UNSUCCESSFUL;
608 static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
612 struct ldapsam_privates *ldap_state =
613 (struct ldapsam_privates *)methods->private_data;
614 LDAPMessage *entry = NULL;
617 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
619 return NT_STATUS_UNSUCCESSFUL;
623 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
625 return NT_STATUS_NO_SUCH_DOMAIN;
628 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
630 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
631 return NT_STATUS_NO_MEMORY;
634 ret = smbldap_delete(ldap_state->smbldap_state, dn);
635 if (ret != LDAP_SUCCESS) {
636 return NT_STATUS_UNSUCCESSFUL;
642 static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods,
644 uint32_t *num_domains,
645 struct pdb_trusted_domain ***domains)
648 struct ldapsam_privates *ldap_state =
649 (struct ldapsam_privates *)methods->private_data;
650 char *base_dn = NULL;
652 int scope = LDAP_SCOPE_SUBTREE;
653 LDAPMessage *result = NULL;
654 LDAPMessage *entry = NULL;
656 filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
657 LDAP_OBJ_TRUSTED_DOMAIN);
658 if (filter == NULL) {
659 return NT_STATUS_NO_MEMORY;
662 base_dn = trusted_domain_base_dn(ldap_state);
663 if (base_dn == NULL) {
665 return NT_STATUS_NO_MEMORY;
668 rc = smbldap_search(ldap_state->smbldap_state, base_dn, scope, filter,
671 TALLOC_FREE(base_dn);
673 if (result != NULL) {
674 talloc_autofree_ldapmsg(mem_ctx, result);
677 if (rc == LDAP_NO_SUCH_OBJECT) {
683 if (rc != LDAP_SUCCESS) {
684 return NT_STATUS_UNSUCCESSFUL;
688 if (!(*domains = talloc_array(mem_ctx, struct pdb_trusted_domain *, 1))) {
689 DEBUG(1, ("talloc failed\n"));
690 return NT_STATUS_NO_MEMORY;
693 for (entry = ldap_first_entry(priv2ld(ldap_state), result);
695 entry = ldap_next_entry(priv2ld(ldap_state), entry))
697 struct pdb_trusted_domain *dom_info;
699 if (!fill_pdb_trusted_domain(*domains, ldap_state, entry,
701 return NT_STATUS_UNSUCCESSFUL;
704 ADD_TO_ARRAY(*domains, struct pdb_trusted_domain *, dom_info,
705 domains, num_domains);
707 if (*domains == NULL) {
708 DEBUG(1, ("talloc failed\n"));
709 return NT_STATUS_NO_MEMORY;
713 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains));
717 static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
719 uint32_t *num_domains,
720 struct trustdom_info ***domains)
723 struct pdb_trusted_domain **td;
726 status = ipasam_enum_trusted_domains(methods, talloc_tos(),
728 if (!NT_STATUS_IS_OK(status)) {
732 if (*num_domains == 0) {
736 if (!(*domains = talloc_array(mem_ctx, struct trustdom_info *,
738 DEBUG(1, ("talloc failed\n"));
739 return NT_STATUS_NO_MEMORY;
742 for (i = 0; i < *num_domains; i++) {
743 struct trustdom_info *dom_info;
745 dom_info = talloc(*domains, struct trustdom_info);
746 if (dom_info == NULL) {
747 DEBUG(1, ("talloc failed\n"));
748 return NT_STATUS_NO_MEMORY;
751 dom_info->name = talloc_steal(mem_ctx, td[i]->netbios_name);
752 sid_copy(&dom_info->sid, &td[i]->security_identifier);
754 (*domains)[i] = dom_info;
760 static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
762 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
765 static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pdb_methods,
768 struct pdb_domain_info *info;
769 struct ldapsam_privates *ldap_state =
770 (struct ldapsam_privates *)pdb_methods->private_data;
775 info = talloc(mem_ctx, struct pdb_domain_info);
780 info->name = talloc_strdup(info, ldap_state->domain_name);
781 if (info->name == NULL) {
785 /* TODO: read dns_domain, dns_forest and guid from LDAP */
786 info->dns_domain = talloc_strdup(info, lp_realm());
787 if (info->dns_domain == NULL) {
790 strlower_m(info->dns_domain);
791 info->dns_forest = talloc_strdup(info, info->dns_domain);
793 /* we expect a domain SID to have 4 sub IDs */
794 if (ldap_state->domain_sid.num_auths != 4) {
798 sid_copy(&info->sid, &ldap_state->domain_sid);
800 if (!sid_linearize(sid_buf, sizeof(sid_buf), &info->sid)) {
804 /* the first 8 bytes of the linearized SID are not random,
806 sid_blob.data = (uint8_t *) sid_buf + 8 ;
807 sid_blob.length = 16;
809 status = GUID_from_ndr_blob(&sid_blob, &info->guid);
810 if (!NT_STATUS_IS_OK(status)) {
821 static NTSTATUS modify_ipa_password_exop(struct ldapsam_privates *ldap_state,
822 struct samu *sampass)
825 BerElement *ber = NULL;
826 struct berval *bv = NULL;
828 struct berval *retdata = NULL;
829 const char *password;
832 password = pdb_get_plaintext_passwd(sampass);
833 if (password == NULL || *password == '\0') {
834 return NT_STATUS_INVALID_PARAMETER;
837 dn = get_account_dn(pdb_get_username(sampass));
839 return NT_STATUS_INVALID_PARAMETER;
842 ber = ber_alloc_t( LBER_USE_DER );
844 DEBUG(7, ("ber_alloc_t failed.\n"));
845 return NT_STATUS_NO_MEMORY;
848 ret = ber_printf(ber, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, dn,
849 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, password);
851 DEBUG(7, ("ber_printf failed.\n"));
853 return NT_STATUS_UNSUCCESSFUL;
856 ret = ber_flatten(ber, &bv);
859 DEBUG(1, ("ber_flatten failed.\n"));
860 return NT_STATUS_UNSUCCESSFUL;
863 ret = smbldap_extended_operation(ldap_state->smbldap_state,
864 LDAP_EXOP_MODIFY_PASSWD, bv, NULL,
865 NULL, &retoid, &retdata);
871 ldap_memfree(retoid);
873 if (ret != LDAP_SUCCESS) {
874 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
875 return NT_STATUS_UNSUCCESSFUL;
881 static NTSTATUS ipasam_get_objectclasses(struct ldapsam_privates *ldap_state,
882 const char *dn, LDAPMessage *entry,
883 uint32_t *has_objectclass)
885 char **objectclasses;
888 objectclasses = ldap_get_values(priv2ld(ldap_state), entry,
889 LDAP_ATTRIBUTE_OBJECTCLASS);
890 if (objectclasses == NULL) {
891 DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn));
892 return NT_STATUS_INTERNAL_DB_CORRUPTION;
895 *has_objectclass = 0;
896 for (c = 0; objectclasses[c] != NULL; c++) {
897 if (strequal(objectclasses[c], LDAP_OBJ_KRB_PRINCIPAL)) {
898 *has_objectclass |= HAS_KRB_PRINCIPAL;
899 } else if (strequal(objectclasses[c],
900 LDAP_OBJ_KRB_PRINCIPAL_AUX)) {
901 *has_objectclass |= HAS_KRB_PRINCIPAL_AUX;
902 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAOBJECT)) {
903 *has_objectclass |= HAS_IPAOBJECT;
904 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAHOST)) {
905 *has_objectclass |= HAS_IPAHOST;
906 } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXACCOUNT)) {
907 *has_objectclass |= HAS_POSIXACCOUNT;
908 } else if (strequal(objectclasses[c], LDAP_OBJ_GROUPOFNAMES)) {
909 *has_objectclass |= HAS_GROUPOFNAMES;
910 } else if (strequal(objectclasses[c], LDAP_OBJ_NESTEDGROUP)) {
911 *has_objectclass |= HAS_NESTEDGROUP;
912 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAUSERGROUP)) {
913 *has_objectclass |= HAS_IPAUSERGROUP;
914 } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXGROUP)) {
915 *has_objectclass |= HAS_POSIXGROUP;
918 ldap_value_free(objectclasses);
929 static NTSTATUS find_obj(struct ldapsam_privates *ldap_state, const char *name,
930 enum obj_type type, char **_dn,
931 uint32_t *_has_objectclass)
936 LDAPMessage *result = NULL;
937 LDAPMessage *entry = NULL;
940 uint32_t has_objectclass;
942 const char *obj_class = NULL;
946 obj_class = LDAP_OBJ_POSIXACCOUNT;
949 obj_class = LDAP_OBJ_POSIXGROUP;
952 DEBUG(0, ("Unsupported IPA object.\n"));
953 return NT_STATUS_INVALID_PARAMETER;
956 username = escape_ldap_string(talloc_tos(), name);
957 if (username == NULL) {
958 return NT_STATUS_NO_MEMORY;
960 filter = talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
961 username, obj_class);
962 if (filter == NULL) {
963 return NT_STATUS_NO_MEMORY;
965 TALLOC_FREE(username);
967 ret = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL,
969 if (ret != LDAP_SUCCESS) {
970 DEBUG(0, ("smbldap_search_suffix failed.\n"));
971 return NT_STATUS_ACCESS_DENIED;
974 num_result = ldap_count_entries(priv2ld(ldap_state), result);
976 if (num_result != 1) {
977 if (num_result == 0) {
980 status = NT_STATUS_NO_SUCH_USER;
983 status = NT_STATUS_NO_SUCH_GROUP;
986 status = NT_STATUS_INVALID_PARAMETER;
989 DEBUG (0, ("find_user: More than one object with name [%s] ?!\n",
991 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
996 entry = ldap_first_entry(priv2ld(ldap_state), result);
998 DEBUG(0,("find_user: Out of memory!\n"));
999 status = NT_STATUS_UNSUCCESSFUL;
1003 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
1005 DEBUG(0,("find_user: Out of memory!\n"));
1006 status = NT_STATUS_NO_MEMORY;
1010 status = ipasam_get_objectclasses(ldap_state, dn, entry, &has_objectclass);
1011 if (!NT_STATUS_IS_OK(status)) {
1016 *_has_objectclass = has_objectclass;
1018 status = NT_STATUS_OK;
1021 ldap_msgfree(result);
1026 static NTSTATUS find_user(struct ldapsam_privates *ldap_state, const char *name,
1027 char **_dn, uint32_t *_has_objectclass)
1029 return find_obj(ldap_state, name, IPA_USER_OBJ, _dn, _has_objectclass);
1032 static NTSTATUS find_group(struct ldapsam_privates *ldap_state, const char *name,
1033 char **_dn, uint32_t *_has_objectclass)
1035 return find_obj(ldap_state, name, IPA_GROUP_OBJ, _dn, _has_objectclass);
1038 static NTSTATUS ipasam_add_posix_account_objectclass(struct ldapsam_privates *ldap_state,
1041 const char *username)
1044 LDAPMod **mods = NULL;
1046 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1047 "objectclass", "posixAccount");
1048 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1050 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1051 "uidNumber", IPA_MAGIC_ID_STR);
1052 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1053 "gidNumber", "12345");
1054 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1055 "homeDirectory", "/dev/null");
1057 if (ldap_op == LDAP_MOD_ADD) {
1058 ret = smbldap_add(ldap_state->smbldap_state, dn, mods);
1060 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1062 ldap_mods_free(mods, 1);
1063 if (ret != LDAP_SUCCESS) {
1064 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1066 return NT_STATUS_LDAP(ret);
1069 return NT_STATUS_OK;
1072 static NTSTATUS ipasam_add_ipa_group_objectclasses(struct ldapsam_privates *ldap_state,
1075 uint32_t has_objectclass)
1077 LDAPMod **mods = NULL;
1080 if (!(has_objectclass & HAS_GROUPOFNAMES)) {
1081 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1082 LDAP_ATTRIBUTE_OBJECTCLASS,
1083 LDAP_OBJ_GROUPOFNAMES);
1086 if (!(has_objectclass & HAS_NESTEDGROUP)) {
1087 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1088 LDAP_ATTRIBUTE_OBJECTCLASS,
1089 LDAP_OBJ_NESTEDGROUP);
1092 if (!(has_objectclass & HAS_IPAUSERGROUP)) {
1093 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1094 LDAP_ATTRIBUTE_OBJECTCLASS,
1095 LDAP_OBJ_IPAUSERGROUP);
1098 if (!(has_objectclass & HAS_IPAOBJECT)) {
1099 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1100 LDAP_ATTRIBUTE_OBJECTCLASS,
1101 LDAP_OBJ_IPAOBJECT);
1104 if (!(has_objectclass & HAS_POSIXGROUP)) {
1105 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1106 LDAP_ATTRIBUTE_OBJECTCLASS,
1107 LDAP_OBJ_POSIXGROUP);
1108 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1111 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1112 LDAP_ATTRIBUTE_GIDNUMBER,
1116 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1117 ldap_mods_free(mods, 1);
1118 if (ret != LDAP_SUCCESS) {
1119 DEBUG(1, ("failed to modify/add group %s (dn = %s)\n",
1121 return NT_STATUS_LDAP(ret);
1124 return NT_STATUS_OK;
1127 static NTSTATUS ipasam_add_ipa_objectclasses(struct ldapsam_privates *ldap_state,
1128 const char *dn, const char *name,
1130 uint32_t acct_flags,
1131 uint32_t has_objectclass)
1133 LDAPMod **mods = NULL;
1137 if (!(has_objectclass & HAS_KRB_PRINCIPAL)) {
1138 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1139 LDAP_ATTRIBUTE_OBJECTCLASS,
1140 LDAP_OBJ_KRB_PRINCIPAL);
1142 princ = talloc_asprintf(talloc_tos(), "%s@%s", name, lp_realm());
1143 if (princ == NULL) {
1144 return NT_STATUS_NO_MEMORY;
1147 smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
1150 if (!(has_objectclass & HAS_KRB_PRINCIPAL_AUX)) {
1151 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1152 LDAP_ATTRIBUTE_OBJECTCLASS,
1153 LDAP_OBJ_KRB_PRINCIPAL_AUX);
1156 if (!(has_objectclass & HAS_IPAOBJECT)) {
1157 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1158 LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_IPAOBJECT);
1161 if ((acct_flags != 0) &&
1162 (((acct_flags & ACB_NORMAL) && name[strlen(name)-1] == '$') ||
1163 ((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))) {
1165 if (!(has_objectclass & HAS_IPAHOST)) {
1166 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1167 LDAP_ATTRIBUTE_OBJECTCLASS,
1170 if (domain == NULL) {
1171 return NT_STATUS_INVALID_PARAMETER;
1174 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1179 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1180 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1181 "objectclass", "posixAccount");
1182 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1183 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1184 "uidNumber", IPA_MAGIC_ID_STR);
1185 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1186 "gidNumber", "12345");
1187 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1188 "homeDirectory", "/dev/null");
1192 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1193 ldap_mods_free(mods, 1);
1194 if (ret != LDAP_SUCCESS) {
1195 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1197 return NT_STATUS_LDAP(ret);
1201 return NT_STATUS_OK;
1204 static NTSTATUS pdb_ipasam_add_sam_account(struct pdb_methods *pdb_methods,
1205 struct samu *sampass)
1208 struct ldapsam_privates *ldap_state;
1211 uint32_t has_objectclass;
1213 struct dom_sid user_sid;
1215 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1217 if (IS_SAM_SET(sampass, PDB_USERSID) ||
1218 IS_SAM_CHANGED(sampass, PDB_USERSID)) {
1219 if (!pdb_new_rid(&rid)) {
1220 return NT_STATUS_DS_NO_MORE_RIDS;
1222 sid_compose(&user_sid, get_global_sam_sid(), rid);
1223 if (!pdb_set_user_sid(sampass, &user_sid, PDB_SET)) {
1224 return NT_STATUS_UNSUCCESSFUL;
1228 status = ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
1230 if (!NT_STATUS_IS_OK(status)) {
1234 if (ldap_state->ipasam_privates->server_is_ipa) {
1235 name = pdb_get_username(sampass);
1236 if (name == NULL || *name == '\0') {
1237 return NT_STATUS_INVALID_PARAMETER;
1240 status = find_user(ldap_state, name, &dn, &has_objectclass);
1241 if (!NT_STATUS_IS_OK(status)) {
1245 status = ipasam_add_ipa_objectclasses(ldap_state, dn, name,
1246 pdb_get_domain(sampass),
1247 pdb_get_acct_ctrl(sampass),
1249 if (!NT_STATUS_IS_OK(status)) {
1253 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1254 status = ipasam_add_posix_account_objectclass(ldap_state,
1257 if (!NT_STATUS_IS_OK(status)) {
1262 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
1263 status = modify_ipa_password_exop(ldap_state, sampass);
1264 if (!NT_STATUS_IS_OK(status)) {
1270 return NT_STATUS_OK;
1273 static NTSTATUS pdb_ipasam_update_sam_account(struct pdb_methods *pdb_methods,
1274 struct samu *sampass)
1277 struct ldapsam_privates *ldap_state;
1278 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1280 status = ldap_state->ipasam_privates->ldapsam_update_sam_account(pdb_methods,
1282 if (!NT_STATUS_IS_OK(status)) {
1286 if (ldap_state->ipasam_privates->server_is_ipa) {
1287 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
1288 status = modify_ipa_password_exop(ldap_state, sampass);
1289 if (!NT_STATUS_IS_OK(status)) {
1295 return NT_STATUS_OK;
1298 static NTSTATUS ipasam_create_dom_group(struct pdb_methods *pdb_methods,
1299 TALLOC_CTX *tmp_ctx, const char *name,
1303 struct ldapsam_privates *ldap_state;
1304 int ldap_op = LDAP_MOD_REPLACE;
1306 uint32_t has_objectclass = 0;
1308 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1310 if (name == NULL || *name == '\0') {
1311 return NT_STATUS_INVALID_PARAMETER;
1314 status = find_group(ldap_state, name, &dn, &has_objectclass);
1315 if (NT_STATUS_IS_OK(status)) {
1316 ldap_op = LDAP_MOD_REPLACE;
1317 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1318 ldap_op = LDAP_MOD_ADD;
1323 if (!(has_objectclass & HAS_POSIXGROUP)) {
1324 status = ipasam_add_ipa_group_objectclasses(ldap_state, dn,
1327 if (!NT_STATUS_IS_OK(status)) {
1332 status = ldap_state->ipasam_privates->ldapsam_create_dom_group(pdb_methods,
1336 if (!NT_STATUS_IS_OK(status)) {
1340 return NT_STATUS_OK;
1342 static NTSTATUS ipasam_create_user(struct pdb_methods *pdb_methods,
1343 TALLOC_CTX *tmp_ctx, const char *name,
1344 uint32_t acb_info, uint32_t *rid)
1347 struct ldapsam_privates *ldap_state;
1348 int ldap_op = LDAP_MOD_REPLACE;
1350 uint32_t has_objectclass = 0;
1352 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1354 if (name == NULL || *name == '\0') {
1355 return NT_STATUS_INVALID_PARAMETER;
1358 status = find_user(ldap_state, name, &dn, &has_objectclass);
1359 if (NT_STATUS_IS_OK(status)) {
1360 ldap_op = LDAP_MOD_REPLACE;
1361 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1362 char *escape_username;
1363 ldap_op = LDAP_MOD_ADD;
1364 escape_username = escape_rdn_val_string_alloc(name);
1365 if (!escape_username) {
1366 return NT_STATUS_NO_MEMORY;
1368 if (name[strlen(name)-1] == '$') {
1369 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
1371 lp_ldap_machine_suffix());
1373 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
1375 lp_ldap_user_suffix());
1377 SAFE_FREE(escape_username);
1379 return NT_STATUS_NO_MEMORY;
1385 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1386 status = ipasam_add_posix_account_objectclass(ldap_state, ldap_op,
1388 if (!NT_STATUS_IS_OK(status)) {
1391 has_objectclass |= HAS_POSIXACCOUNT;
1394 status = ldap_state->ipasam_privates->ldapsam_create_user(pdb_methods,
1397 if (!NT_STATUS_IS_OK(status)) {
1401 status = ipasam_add_ipa_objectclasses(ldap_state, dn, name, lp_realm(),
1402 acb_info, has_objectclass);
1403 if (!NT_STATUS_IS_OK(status)) {
1407 return NT_STATUS_OK;
1410 static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location)
1412 struct ldapsam_privates *ldap_state;
1415 status = pdb_init_ldapsam(pdb_method, location);
1416 if (!NT_STATUS_IS_OK(status)) {
1420 (*pdb_method)->name = "IPA_ldapsam";
1422 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
1423 ldap_state->ipasam_privates = talloc_zero(ldap_state,
1424 struct ipasam_privates);
1425 if (ldap_state->ipasam_privates == NULL) {
1426 return NT_STATUS_NO_MEMORY;
1428 ldap_state->is_ipa_ldap = True;
1430 ldap_state->ipasam_privates->server_is_ipa = smbldap_has_extension(
1431 priv2ld(ldap_state), IPA_KEYTAB_SET_OID);
1432 ldap_state->ipasam_privates->ldapsam_add_sam_account = (*pdb_method)->add_sam_account;
1433 ldap_state->ipasam_privates->ldapsam_update_sam_account = (*pdb_method)->update_sam_account;
1434 ldap_state->ipasam_privates->ldapsam_create_user = (*pdb_method)->create_user;
1435 ldap_state->ipasam_privates->ldapsam_create_dom_group = (*pdb_method)->create_dom_group;
1437 (*pdb_method)->add_sam_account = pdb_ipasam_add_sam_account;
1438 (*pdb_method)->update_sam_account = pdb_ipasam_update_sam_account;
1440 if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
1441 if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
1442 (*pdb_method)->create_user = ipasam_create_user;
1443 (*pdb_method)->create_dom_group = ipasam_create_dom_group;
1447 (*pdb_method)->capabilities = pdb_ipasam_capabilities;
1448 (*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
1450 (*pdb_method)->get_trusteddom_pw = ipasam_get_trusteddom_pw;
1451 (*pdb_method)->set_trusteddom_pw = ipasam_set_trusteddom_pw;
1452 (*pdb_method)->del_trusteddom_pw = ipasam_del_trusteddom_pw;
1453 (*pdb_method)->enum_trusteddoms = ipasam_enum_trusteddoms;
1455 (*pdb_method)->get_trusted_domain = ipasam_get_trusted_domain;
1456 (*pdb_method)->get_trusted_domain_by_sid = ipasam_get_trusted_domain_by_sid;
1457 (*pdb_method)->set_trusted_domain = ipasam_set_trusted_domain;
1458 (*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain;
1459 (*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains;
1461 return NT_STATUS_OK;
1464 NTSTATUS pdb_ipa_init(void)
1468 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "IPA_ldapsam", pdb_init_IPA_ldapsam)))
1471 return NT_STATUS_OK;
git.samba.org / garming / samba-autobuild / .git / blob