s4-dsdb: some more attribuutes that we should only give if asked for
[ira/wip.git] / source4 / dsdb / samdb / samdb.c
index a01e4425878a4e134c75b6b6f55f6d9fb5fb8eb7..0ccceddf6baae5294c4ffaab31e314e5da860663 100644 (file)
@@ -25,6 +25,7 @@
 #include "librpc/gen_ndr/ndr_netlogon.h"
 #include "librpc/gen_ndr/ndr_misc.h"
 #include "librpc/gen_ndr/ndr_security.h"
+#include "lib/events/events.h"
 #include "lib/ldb/include/ldb.h"
 #include "lib/ldb/include/ldb_errors.h"
 #include "libcli/security/security.h"
 #include "system/time.h"
 #include "system/filesys.h"
 #include "ldb_wrap.h"
-#include "util/util_ldb.h"
+#include "../lib/util/util_ldb.h"
 #include "dsdb/samdb/samdb.h"
-#include "dsdb/common/flags.h"
+#include "../libds/common/flags.h"
 #include "param/param.h"
+#include "lib/events/events.h"
+#include "auth/credentials/credentials.h"
+#include "param/secrets.h"
 
 char *samdb_relative_path(struct ldb_context *ldb,
                                 TALLOC_CTX *mem_ctx, 
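Review bot: `lib/events/events.h` is included twice on the new side of this hunk, once directly after ndr_security.h and again after param.h; the second `#include "lib/events/events.h"` line should be dropped. Header guards make the duplicate harmless, but it reads like a merge leftover and will confuse anyone later trimming the include list. The samdb_relative_path definition that starts at the end of this hunk continues outside it.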
@@ -48,8 +52,8 @@ char *samdb_relative_path(struct ldb_context *ldb,
        if (name == NULL) {
                return NULL;
        }
-       if (name[0] == 0 || name[0] == '/' || strstr(name, ":/")) {
-               return talloc_strdup(mem_ctx, name);
+       if (strncmp("tdb://", base_url, 6) == 0) {
+               base_url = base_url+6;
        }
        path = talloc_strdup(mem_ctx, base_url);
        if (path == NULL) {
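Review bot: The new prefix test hard-codes the length 6 separately from the `"tdb://"` literal, so the two can drift apart if the prefix is ever changed; `if (strncmp(base_url, "tdb://", strlen("tdb://")) == 0) { base_url += strlen("tdb://"); }` keeps them in step and the compiler folds strlen of a literal. The removed branch returned `name` untouched when it was empty, absolute or a URL, whereas the new side always joins it onto base_url; if callers are now expected to pass only relative names, a one-line comment such as `/* name must be relative; it is resolved against the directory of the sam url */` would record that change of contract. samdb_relative_path starts and ends outside this hunk, so I cannot see whether base_url is checked for NULL before the strncmp.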
@@ -65,125 +69,76 @@ char *samdb_relative_path(struct ldb_context *ldb,
        return full_name;
 }
 
+/*
+  make sure the static credentials are not freed
+ */
+static int samdb_credentials_destructor(struct cli_credentials *creds)
+{
+       return -1;
+}
+
+/*
+  this returns a static set of system credentials. It is static so
+  that we always get the same pointer in ldb_wrap_connect()
+ */
+struct cli_credentials *samdb_credentials(struct tevent_context *event_ctx, 
+                                         struct loadparm_context *lp_ctx) 
+{
+       static struct cli_credentials *static_credentials;
+       struct cli_credentials *cred;
+
+       if (static_credentials) {
+               return static_credentials;
+       }
+
+       cred = cli_credentials_init(talloc_autofree_context());
+       if (!cred) {
+               return NULL;
+       }
+       cli_credentials_set_conf(cred, lp_ctx);
+
+       /* We don't want to use krb5 to talk to our samdb - recursion
+        * here would be bad, and this account isn't in the KDC
+        * anyway */
+       cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+
+       if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, NULL,
+                                                        SECRETS_LDAP_FILTER))) {
+               /* Perfectly OK - if not against an LDAP backend */
+               talloc_free(cred);
+               return NULL;
+       }
+       static_credentials = cred;
+       talloc_set_destructor(cred, samdb_credentials_destructor);
+       return cred;
+}
 
 /*
   connect to the SAM database
   return an opaque context pointer on success, or NULL on failure
  */
 struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx, 
+                                 struct tevent_context *ev_ctx,
                                  struct loadparm_context *lp_ctx,
                                  struct auth_session_info *session_info)
 {
        struct ldb_context *ldb;
-       ldb = ldb_wrap_connect(mem_ctx, lp_ctx, 
+       ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, 
                               lp_sam_url(lp_ctx), session_info,
-                              NULL, 0, NULL);
+                              samdb_credentials(ev_ctx, lp_ctx), 
+                              0);
        if (!ldb) {
                return NULL;
        }
-       dsdb_make_schema_global(ldb);
        return ldb;
 }
 
-/*
-  copy from a template record to a message
-*/
-int samdb_copy_template(struct ldb_context *ldb, 
-                       struct ldb_message *msg, const char *name,
-                       const char **errstring)
-{
-       struct ldb_result *res;
-       struct ldb_message *t;
-       int ret, i, j;
-       struct ldb_context *templates_ldb;
-       char *templates_ldb_path; 
-       struct ldb_dn *basedn;
-
-       templates_ldb = talloc_get_type(ldb_get_opaque(ldb, "templates_ldb"), struct ldb_context);
-
-       if (!templates_ldb) {
-               templates_ldb_path = samdb_relative_path(ldb, 
-                                                        msg, 
-                                                        "templates.ldb");
-               if (!templates_ldb_path) {
-                       *errstring = talloc_asprintf(msg, "samdb_copy_template: ERROR: Failed to contruct path for template db");
-                       return LDB_ERR_OPERATIONS_ERROR;
-               }
-
-               templates_ldb = ldb_wrap_connect(ldb, (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"), 
-                                               templates_ldb_path, NULL,
-                                               NULL, 0, NULL);
-               talloc_free(templates_ldb_path);
-               if (!templates_ldb) {
-                       *errstring = talloc_asprintf(msg, "samdb_copy_template: ERROR: Failed to connect to templates db at: %s",
-                                            templates_ldb_path);
-                       return LDB_ERR_OPERATIONS_ERROR;
-               }
-               
-               ret = ldb_set_opaque(ldb, "templates_ldb", templates_ldb);
-               if (ret != LDB_SUCCESS) {
-                       return ret;
-               }
-       }
-       *errstring = NULL;      
-
-       basedn = ldb_dn_new(templates_ldb, ldb, "cn=Templates");
-       if (!ldb_dn_add_child_fmt(basedn, "CN=Template%s", name)) {
-               talloc_free(basedn);
-               *errstring = talloc_asprintf(msg, "samdb_copy_template: ERROR: Failed to contruct DN for template '%s'", 
-                                            name);
-               return LDB_ERR_OPERATIONS_ERROR;
-       }
-       
-       /* pull the template record */
-       ret = ldb_search(templates_ldb, basedn, LDB_SCOPE_BASE, "distinguishedName=*", NULL, &res);     
-       talloc_free(basedn);
-       if (ret != LDB_SUCCESS) {
-               *errstring = talloc_steal(msg, ldb_errstring(templates_ldb));
-               return ret;
-       }
-       if (res->count != 1) {
-               *errstring = talloc_asprintf(msg, "samdb_copy_template: ERROR: template '%s' matched %d records, expected 1", 
-                                            name, 
-                                            res->count);
-               talloc_free(res);
-               return LDB_ERR_OPERATIONS_ERROR;
-       }
-       t = res->msgs[0];
-
-       for (i = 0; i < t->num_elements; i++) {
-               struct ldb_message_element *el = &t->elements[i];
-               /* some elements should not be copied from the template */
-               if (ldb_attr_cmp(el->name, "cn") == 0 ||
-                   ldb_attr_cmp(el->name, "name") == 0 ||
-                   ldb_attr_cmp(el->name, "objectClass") == 0 ||
-                   ldb_attr_cmp(el->name, "sAMAccountName") == 0 ||
-                   ldb_attr_cmp(el->name, "sAMAccountName") == 0 ||
-                   ldb_attr_cmp(el->name, "distinguishedName") == 0 ||
-                   ldb_attr_cmp(el->name, "objectGUID") == 0) {
-                       continue;
-               }
-               for (j = 0; j < el->num_values; j++) {
-                       ret = samdb_find_or_add_attribute(ldb, msg, el->name, 
-                                                         (char *)el->values[j].data);
-                       if (ret) {
-                               *errstring = talloc_asprintf(msg, "Adding attribute %s failed.", el->name);
-                               talloc_free(res);
-                               return ret;
-                       }
-               }
-       }
-
-       talloc_free(res);
-
-       return LDB_SUCCESS;
-}
-
 
 /****************************************************************************
  Create the SID list for this user.
 ****************************************************************************/
 NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, 
+                              struct tevent_context *ev_ctx, 
                               struct loadparm_context *lp_ctx,
                               struct dom_sid *user_sid,
                               struct dom_sid *group_sid, 
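Review bot: samdb_credentials caches its first successful result in a function-static pointer and samdb_credentials_destructor refuses every talloc_free, so event_ctx and lp_ctx are only honoured on the first call and the credentials object — including whatever cli_credentials_set_secrets loaded from the secrets database — stays in memory until process exit with no way to release or zeroize it. The header comment above samdb_credentials should state that contract so callers do not expect a per-lp_ctx object, e.g. `/* first successful call wins: later event_ctx/lp_ctx arguments are ignored and the object is never freed (destructor returns -1) */`. A failed cli_credentials_set_secrets is not remembered, so on a non-LDAP backend every samdb_connect builds and frees a fresh credentials object and re-reads secrets; if that path is hot, a static "already tried" flag would avoid the repeated work. Separately, the hunk drops `dsdb_make_schema_global(ldb)` from samdb_connect and deletes samdb_copy_template entirely, neither of which the commit title mentions; I cannot tell from this hunk whether remaining callers of samdb_copy_template were updated.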
@@ -242,7 +197,7 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
        }
 
        /* setup the privilege mask for this token */
-       status = samdb_privilege_setup(lp_ctx, ptoken);
+       status = samdb_privilege_setup(ev_ctx, lp_ctx, ptoken);
        if (!NT_STATUS_IS_OK(status)) {
                talloc_free(ptoken);
                return status;