goto fn_exit;
}
- if (!(username = smbldap_talloc_smallest_attribute(priv2ld(ldap_state),
+ if (!(username = smbldap_talloc_first_attribute(priv2ld(ldap_state),
entry,
"uid",
ctx))) {
}
}
- if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
+ if (IS_SAM_DEFAULT(sampass, PDB_USERSID)) {
DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_USER_SID),
pwHistLen = MIN(pwHistLen, MAX_PW_HISTORY_LEN);
- if ((pwhist = TALLOC_ARRAY(ctx, uint8,
- pwHistLen * PW_HISTORY_ENTRY_LEN)) ==
- NULL){
+ pwhist = TALLOC_ARRAY(ctx, uint8,
+ pwHistLen * PW_HISTORY_ENTRY_LEN);
+ if (pwhist == NULL) {
DEBUG(0, ("init_sam_from_ldap: talloc failed!\n"));
goto fn_exit;
}
}
if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
+ struct passwd unix_pw;
+ bool have_uid = false;
+ bool have_gid = false;
+ DOM_SID mapped_gsid;
+ const DOM_SID *primary_gsid;
+
+ ZERO_STRUCT(unix_pw);
+
+ unix_pw.pw_name = username;
+ unix_pw.pw_passwd = discard_const_p(char, "x");
+
temp = smbldap_talloc_single_attribute(
priv2ld(ldap_state),
entry,
ctx);
if (temp) {
/* We've got a uid, feed the cache */
- uid_t uid = strtoul(temp, NULL, 10);
- store_uid_sid_cache(pdb_get_user_sid(sampass), uid);
+ unix_pw.pw_uid = strtoul(temp, NULL, 10);
+ have_uid = true;
+ }
+ temp = smbldap_talloc_single_attribute(
+ priv2ld(ldap_state),
+ entry,
+ "gidNumber",
+ ctx);
+ if (temp) {
+ /* We've got a uid, feed the cache */
+ unix_pw.pw_gid = strtoul(temp, NULL, 10);
+ have_gid = true;
+ }
+ unix_pw.pw_gecos = smbldap_talloc_single_attribute(
+ priv2ld(ldap_state),
+ entry,
+ "gecos",
+ ctx);
+ if (unix_pw.pw_gecos) {
+ unix_pw.pw_gecos = fullname;
+ }
+ unix_pw.pw_dir = smbldap_talloc_single_attribute(
+ priv2ld(ldap_state),
+ entry,
+ "homeDirectory",
+ ctx);
+ if (unix_pw.pw_dir) {
+ unix_pw.pw_dir = discard_const_p(char, "");
+ }
+ unix_pw.pw_shell = smbldap_talloc_single_attribute(
+ priv2ld(ldap_state),
+ entry,
+ "loginShell",
+ ctx);
+ if (unix_pw.pw_shell) {
+ unix_pw.pw_shell = discard_const_p(char, "");
+ }
+
+ if (have_uid && have_gid) {
+ sampass->unix_pw = tcopy_passwd(sampass, &unix_pw);
+ } else {
+ sampass->unix_pw = Get_Pwnam_alloc(sampass, unix_pw.pw_name);
+ }
+
+ if (sampass->unix_pw == NULL) {
+ DEBUG(0,("init_sam_from_ldap: Failed to find Unix account for %s\n",
+ pdb_get_username(sampass)));
+ goto fn_exit;
+ }
+
+ store_uid_sid_cache(pdb_get_user_sid(sampass),
+ sampass->unix_pw->pw_uid);
+ idmap_cache_set_sid2uid(pdb_get_user_sid(sampass),
+ sampass->unix_pw->pw_uid);
+
+ gid_to_sid(&mapped_gsid, sampass->unix_pw->pw_gid);
+ primary_gsid = pdb_get_group_sid(sampass);
+ if (primary_gsid && sid_equal(primary_gsid, &mapped_gsid)) {
+ store_gid_sid_cache(primary_gsid,
+ sampass->unix_pw->pw_gid);
+ idmap_cache_set_sid2uid(primary_gsid,
+ sampass->unix_pw->pw_gid);
}
}
(*attr_list)[i+1] = NULL;
}
+static void ldapsam_add_unix_attributes(TALLOC_CTX *mem_ctx,
+ const char ***attr_list)
+{
+ append_attr(mem_ctx, attr_list, "uidNumber");
+ append_attr(mem_ctx, attr_list, "gidNumber");
+ append_attr(mem_ctx, attr_list, "homeDirectory");
+ append_attr(mem_ctx, attr_list, "loginShell");
+ append_attr(mem_ctx, attr_list, "gecos");
+}
+
/**********************************************************************
Get struct samu entry from LDAP by username.
*********************************************************************/
append_attr(user, &attr_list,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_MOD_TIMESTAMP));
- append_attr(user, &attr_list, "uidNumber");
+ ldapsam_add_unix_attributes(user, &attr_list);
rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result,
attr_list);
TALLOC_FREE( attr_list );
get_userattr_key2string(
ldap_state->schema_ver,
LDAP_ATTR_MOD_TIMESTAMP));
- append_attr(tmp_ctx, &attr_list, "uidNumber");
+ ldapsam_add_unix_attributes(tmp_ctx, &attr_list);
rc = ldapsam_search_suffix_by_sid(ldap_state, sid,
result, attr_list);
TALLOC_FREE(tmp_ctx);
char *utf8_password;
char *utf8_dn;
size_t converted_size;
+ int ret;
if (!ldap_state->is_nds_ldap) {
}
if ((ber_printf (ber, "{") < 0) ||
- (ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn) < 0) ||
- (ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password) < 0) ||
- (ber_printf (ber, "n}") < 0)) {
- DEBUG(0,("ldapsam_modify_entry: ber_printf returns a value <0\n"));
- ber_free(ber,1);
- TALLOC_FREE(utf8_dn);
- TALLOC_FREE(utf8_password);
- return NT_STATUS_UNSUCCESSFUL;
+ (ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID,
+ utf8_dn) < 0)) {
+ DEBUG(0,("ldapsam_modify_entry: ber_printf returns a "
+ "value <0\n"));
+ ber_free(ber,1);
+ TALLOC_FREE(utf8_dn);
+ TALLOC_FREE(utf8_password);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if ((utf8_password != NULL) && (*utf8_password != '\0')) {
+ ret = ber_printf(ber, "ts}",
+ LDAP_TAG_EXOP_MODIFY_PASSWD_NEW,
+ utf8_password);
+ } else {
+ ret = ber_printf(ber, "}");
+ }
+
+ if (ret < 0) {
+ DEBUG(0,("ldapsam_modify_entry: ber_printf returns a "
+ "value <0\n"));
+ ber_free(ber,1);
+ TALLOC_FREE(utf8_dn);
+ TALLOC_FREE(utf8_password);
+ return NT_STATUS_UNSUCCESSFUL;
}
if ((rc = ber_flatten (ber, &bv))<0) {
- The "rename user script" has full responsibility for changing everything
***************************************************************************/
+static NTSTATUS ldapsam_del_groupmem(struct pdb_methods *my_methods,
+ TALLOC_CTX *tmp_ctx,
+ uint32 group_rid,
+ uint32 member_rid);
+
+static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ struct samu *user,
+ DOM_SID **pp_sids,
+ gid_t **pp_gids,
+ size_t *p_num_groups);
+
static NTSTATUS ldapsam_rename_sam_account(struct pdb_methods *my_methods,
struct samu *old_acct,
const char *newname)
if (lp_parm_bool(-1, "ldapsam", "trusted", false)) {
store_gid_sid_cache(&map->sid, map->gid);
+ idmap_cache_set_sid2gid(&map->sid, map->gid);
}
TALLOC_FREE(ctx);
values = ldap_get_values(conn->ldap_struct, entry, "memberUid");
- if (values) {
+ if ((values != NULL) && (values[0] != NULL)) {
filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(|", LDAP_OBJ_SAMBASAMACCOUNT);
if (filter == NULL) {
if (escape_name == NULL)
return NT_STATUS_NO_MEMORY;
- /* retrieve the users primary gid */
- filter = talloc_asprintf(mem_ctx,
- "(&(objectClass=%s)(uid=%s))",
- LDAP_OBJ_SAMBASAMACCOUNT,
- escape_name);
- if (filter == NULL) {
- ret = NT_STATUS_NO_MEMORY;
- goto done;
- }
+ if (user->unix_pw) {
+ primary_gid = user->unix_pw->pw_gid;
+ } else {
+ /* retrieve the users primary gid */
+ filter = talloc_asprintf(mem_ctx,
+ "(&(objectClass=%s)(uid=%s))",
+ LDAP_OBJ_SAMBASAMACCOUNT,
+ escape_name);
+ if (filter == NULL) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
- rc = smbldap_search(conn, lp_ldap_suffix(),
- LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
+ rc = smbldap_search(conn, lp_ldap_suffix(),
+ LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
- if (rc != LDAP_SUCCESS)
- goto done;
+ if (rc != LDAP_SUCCESS)
+ goto done;
- talloc_autofree_ldapmsg(mem_ctx, result);
+ talloc_autofree_ldapmsg(mem_ctx, result);
- count = ldap_count_entries(priv2ld(ldap_state), result);
+ count = ldap_count_entries(priv2ld(ldap_state), result);
- switch (count) {
- case 0:
- DEBUG(1, ("User account [%s] not found!\n", pdb_get_username(user)));
- ret = NT_STATUS_NO_SUCH_USER;
- goto done;
- case 1:
- entry = ldap_first_entry(priv2ld(ldap_state), result);
+ switch (count) {
+ case 0:
+ DEBUG(1, ("User account [%s] not found!\n", pdb_get_username(user)));
+ ret = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ case 1:
+ entry = ldap_first_entry(priv2ld(ldap_state), result);
- gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
- if (!gidstr) {
- DEBUG (1, ("Unable to find the member's gid!\n"));
+ gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
+ if (!gidstr) {
+ DEBUG (1, ("Unable to find the member's gid!\n"));
+ ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
+ goto done;
+ }
+ primary_gid = strtoul(gidstr, NULL, 10);
+ break;
+ default:
+ DEBUG(1, ("found more than one account with the same user name ?!\n"));
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
- primary_gid = strtoul(gidstr, NULL, 10);
- break;
- default:
- DEBUG(1, ("found more than one account with the same user name ?!\n"));
- ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
- goto done;
}
filter = talloc_asprintf(mem_ctx,
int rc;
char *filter;
enum lsa_SidType type = SID_NAME_USE_NONE;
+ bool is_builtin = false;
+ bool sid_added = false;
+
+ *pp_alias_rids = NULL;
+ *p_num_alias_rids = 0;
if (sid_check_is_builtin(domain_sid)) {
+ is_builtin = true;
type = SID_NAME_ALIAS;
}
return NT_STATUS_UNSUCCESSFUL;
}
+ if (num_members == 0) {
+ return NT_STATUS_OK;
+ }
+
filter = talloc_asprintf(mem_ctx,
"(&(|(objectclass=%s)(sambaGroupType=%d))(|",
LDAP_OBJ_GROUPMAP, type);
return NT_STATUS_NO_MEMORY;
}
- rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
- LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
-
- if (rc != LDAP_SUCCESS)
- return NT_STATUS_UNSUCCESSFUL;
+ if (is_builtin &&
+ ldap_state->search_cache.filter &&
+ strcmp(ldap_state->search_cache.filter, filter) == 0) {
+ filter = talloc_move(filter, &ldap_state->search_cache.filter);
+ result = ldap_state->search_cache.result;
+ ldap_state->search_cache.result = NULL;
+ } else {
+ rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
+ LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
+ if (rc != LDAP_SUCCESS) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ talloc_autofree_ldapmsg(filter, result);
+ }
ldap_struct = ldap_state->smbldap_state->ldap_struct;
if (!sid_peek_check_rid(domain_sid, &sid, &rid))
continue;
+ sid_added = true;
+
if (!add_rid_to_array_unique(mem_ctx, rid, pp_alias_rids,
p_num_alias_rids)) {
- ldap_msgfree(result);
return NT_STATUS_NO_MEMORY;
}
}
- ldap_msgfree(result);
+ if (!is_builtin && !sid_added) {
+ TALLOC_FREE(ldap_state->search_cache.filter);
+ /*
+ * Note: result is a talloc child of filter because of the
+ * talloc_autofree_ldapmsg() usage
+ */
+ ldap_state->search_cache.filter = talloc_move(ldap_state, &filter);
+ ldap_state->search_cache.result = result;
+ }
+
return NT_STATUS_OK;
}
int count;
int rc;
char **vals = NULL;
+ char *filter;
const char *policy_attr = NULL;
struct ldapsam_privates *ldap_state =
attrs[0] = policy_attr;
attrs[1] = NULL;
+ filter = talloc_asprintf(NULL, "(objectClass=%s)", LDAP_OBJ_DOMINFO);
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn,
- LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0,
+ LDAP_SCOPE_BASE, filter, attrs, 0,
&result);
if (rc != LDAP_SUCCESS) {
if (state->current_entry == NULL) {
ldap_msgfree(state->entries);
state->entries = NULL;
+ return false;
}
return True;
if (state->current_entry == NULL) {
ldap_msgfree(state->entries);
state->entries = NULL;
+ return false;
}
return True;
id->gid = strtoul(gid_str, NULL, 10);
*type = (enum lsa_SidType)strtoul(value, NULL, 10);
+ store_gid_sid_cache(sid, id->gid);
+ idmap_cache_set_sid2gid(sid, id->gid);
ret = True;
goto done;
}
id->uid = strtoul(value, NULL, 10);
*type = SID_NAME_USER;
+ store_uid_sid_cache(sid, id->uid);
+ idmap_cache_set_sid2uid(sid, id->uid);
ret = True;
done:
return ret;
}
+/**
+ * Find the SID for a uid.
+ * This is shortcut is only used if ldapsam:trusted is set to true.
+ */
+static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
+ DOM_SID *sid)
+{
+ struct ldapsam_privates *priv =
+ (struct ldapsam_privates *)methods->private_data;
+ char *filter;
+ const char *attrs[] = { "sambaSID", NULL };
+ LDAPMessage *result = NULL;
+ LDAPMessage *entry = NULL;
+ bool ret = false;
+ char *user_sid_string;
+ struct dom_sid user_sid;
+ int rc;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+ filter = talloc_asprintf(tmp_ctx,
+ "(&(uidNumber=%u)"
+ "(objectClass=%s)"
+ "(objectClass=%s))",
+ (unsigned int)uid,
+ LDAP_OBJ_POSIXACCOUNT,
+ LDAP_OBJ_SAMBASAMACCOUNT);
+ if (filter == NULL) {
+ DEBUG(3, ("talloc_asprintf failed\n"));
+ goto done;
+ }
+
+ rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result);
+ if (rc != LDAP_SUCCESS) {
+ goto done;
+ }
+ talloc_autofree_ldapmsg(tmp_ctx, result);
+
+ if (ldap_count_entries(priv2ld(priv), result) != 1) {
+ DEBUG(3, ("ERROR: Got %d entries for uid %u, expected one\n",
+ ldap_count_entries(priv2ld(priv), result),
+ (unsigned int)uid));
+ goto done;
+ }
+
+ entry = ldap_first_entry(priv2ld(priv), result);
+
+ user_sid_string = smbldap_talloc_single_attribute(priv2ld(priv), entry,
+ "sambaSID", tmp_ctx);
+ if (user_sid_string == NULL) {
+ DEBUG(1, ("Could not find sambaSID in object '%s'\n",
+ smbldap_talloc_dn(tmp_ctx, priv2ld(priv), entry)));
+ goto done;
+ }
+
+ if (!string_to_sid(&user_sid, user_sid_string)) {
+ DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
+ user_sid_string));
+ goto done;
+ }
+
+ sid_copy(sid, &user_sid);
+
+ store_uid_sid_cache(sid, uid);
+ idmap_cache_set_sid2uid(sid, uid);
+
+ ret = true;
+
+ done:
+ TALLOC_FREE(tmp_ctx);
+ return ret;
+}
+
+/**
+ * Find the SID for a gid.
+ * This is shortcut is only used if ldapsam:trusted is set to true.
+ */
+static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
+ DOM_SID *sid)
+{
+ struct ldapsam_privates *priv =
+ (struct ldapsam_privates *)methods->private_data;
+ char *filter;
+ const char *attrs[] = { "sambaSID", NULL };
+ LDAPMessage *result = NULL;
+ LDAPMessage *entry = NULL;
+ bool ret = false;
+ char *group_sid_string;
+ DOM_SID group_sid;
+ int rc;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+ filter = talloc_asprintf(tmp_ctx,
+ "(&(gidNumber=%u)"
+ "(objectClass=%s))",
+ (unsigned int)gid,
+ LDAP_OBJ_GROUPMAP);
+ if (filter == NULL) {
+ DEBUG(3, ("talloc_asprintf failed\n"));
+ goto done;
+ }
+
+ rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result);
+ if (rc != LDAP_SUCCESS) {
+ goto done;
+ }
+ talloc_autofree_ldapmsg(tmp_ctx, result);
+
+ if (ldap_count_entries(priv2ld(priv), result) != 1) {
+ DEBUG(3, ("ERROR: Got %d entries for gid %u, expected one\n",
+ ldap_count_entries(priv2ld(priv), result),
+ (unsigned int)gid));
+ goto done;
+ }
+
+ entry = ldap_first_entry(priv2ld(priv), result);
+
+ group_sid_string = smbldap_talloc_single_attribute(priv2ld(priv), entry,
+ "sambaSID", tmp_ctx);
+ if (group_sid_string == NULL) {
+ DEBUG(1, ("Could not find sambaSID in object '%s'\n",
+ smbldap_talloc_dn(tmp_ctx, priv2ld(priv), entry)));
+ goto done;
+ }
+
+ if (!string_to_sid(&group_sid, group_sid_string)) {
+ DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
+ group_sid_string));
+ goto done;
+ }
+
+ sid_copy(sid, &group_sid);
+
+ store_gid_sid_cache(sid, gid);
+ idmap_cache_set_sid2gid(sid, gid);
+
+ ret = true;
+
+ done:
+ TALLOC_FREE(tmp_ctx);
+ return ret;
+}
+
+
/*
- * The following functions is called only if
+ * The following functions are called only if
* ldapsam:trusted and ldapsam:editposix are
* set to true
*/
return NT_STATUS_NO_MEMORY;
}
+ /* try to remove memberships first */
+ {
+ NTSTATUS status;
+ struct dom_sid *sids = NULL;
+ gid_t *gids = NULL;
+ size_t num_groups = 0;
+ int i;
+ uint32_t user_rid = pdb_get_user_rid(sam_acct);
+
+ status = ldapsam_enum_group_memberships(my_methods,
+ tmp_ctx,
+ sam_acct,
+ &sids,
+ &gids,
+ &num_groups);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto delete_dn;
+ }
+
+ for (i=0; i < num_groups; i++) {
+
+ uint32_t group_rid;
+
+ sid_peek_rid(&sids[i], &group_rid);
+
+ ldapsam_del_groupmem(my_methods,
+ tmp_ctx,
+ group_rid,
+ user_rid);
+ }
+ }
+
+ delete_dn:
+
rc = smbldap_delete(ldap_state->smbldap_state, dn);
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
/* domain sid */
if (sid != NULL) {
char *sid_str;
- DOM_SID *dom_sid;
+ struct dom_sid dom_sid;
sid_str = smbldap_talloc_single_attribute(priv2ld(ldap_state),
entry, "sambaSID",
talloc_tos());
if (sid_str == NULL) {
return False;
}
- dom_sid = string_sid_talloc(talloc_tos(), sid_str);
- if (dom_sid == NULL) {
+ if (!string_to_sid(&dom_sid, sid_str)) {
return False;
}
- sid_copy(sid, dom_sid);
+ sid_copy(sid, &dom_sid);
}
return True;
smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
"sambaClearTextPassword", pwd);
- talloc_autofree_ldapmod(talloc_tos(), mods);
-
if (entry != NULL) {
prev_pwd = smbldap_talloc_single_attribute(priv2ld(ldap_state),
entry, "sambaClearTextPassword", talloc_tos());
}
}
+ talloc_autofree_ldapmod(talloc_tos(), mods);
+
trusted_dn = trusteddom_dn(ldap_state, domain);
if (trusted_dn == NULL) {
return False;
trim_char( uri, '\"', '\"' );
nt_status = pdb_init_ldapsam_common(pdb_method, uri);
- if (uri) {
- TALLOC_FREE(uri);
- }
+
+ TALLOC_FREE(uri);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
ldapsam_enum_group_memberships;
(*pdb_method)->lookup_rids = ldapsam_lookup_rids;
(*pdb_method)->sid_to_id = ldapsam_sid_to_id;
+ (*pdb_method)->uid_to_sid = ldapsam_uid_to_sid;
+ (*pdb_method)->gid_to_sid = ldapsam_gid_to_sid;
if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
(*pdb_method)->create_user = ldapsam_create_user;
git.samba.org / ira / wip.git / blobdiff