2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Jelmer Vernooij 2002
6 Copyright (C) Simo Sorce 2003
7 Copyright (C) Volker Lendecke 2006
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/passwd.h"
27 #include "../librpc/gen_ndr/samr.h"
28 #include "../librpc/gen_ndr/drsblobs.h"
29 #include "../librpc/gen_ndr/ndr_drsblobs.h"
31 #include "nsswitch/winbind_client.h"
32 #include "../libcli/security/security.h"
33 #include "../lib/util/util_pw.h"
36 #define DBGC_CLASS DBGC_PASSDB
40 static struct pdb_init_function_entry *backends = NULL;
42 static void lazy_initialize_passdb(void)
44 static bool initialized = False;
52 static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
54 enum lsa_SidType *psid_name_use,
55 union unid_t *unix_id);
57 NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
59 struct pdb_init_function_entry *entry = backends;
61 if(version != PASSDB_INTERFACE_VERSION) {
62 DEBUG(0,("Can't register passdb backend!\n"
63 "You tried to register a passdb module with PASSDB_INTERFACE_VERSION %d, "
64 "while this version of samba uses version %d\n",
65 version,PASSDB_INTERFACE_VERSION));
66 return NT_STATUS_OBJECT_TYPE_MISMATCH;
70 return NT_STATUS_INVALID_PARAMETER;
73 DEBUG(5,("Attempting to register passdb backend %s\n", name));
75 /* Check for duplicates */
76 if (pdb_find_backend_entry(name)) {
77 DEBUG(0,("There already is a passdb backend registered with the name %s!\n", name));
78 return NT_STATUS_OBJECT_NAME_COLLISION;
81 entry = SMB_XMALLOC_P(struct pdb_init_function_entry);
82 entry->name = smb_xstrdup(name);
85 DLIST_ADD(backends, entry);
86 DEBUG(5,("Successfully added passdb backend '%s'\n", name));
90 struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
92 struct pdb_init_function_entry *entry = backends;
95 if (strcmp(entry->name, name)==0) return entry;
102 const struct pdb_init_function_entry *pdb_get_backends(void)
109 * The event context for the passdb backend. I know this is a bad hack and yet
110 * another static variable, but our pdb API is a global thing per
111 * definition. The first use for this is the LDAP idle function, more might be
114 * I don't feel too bad about this static variable, it replaces the
115 * smb_idle_event_list that used to exist in lib/module.c. -- VL
118 static struct event_context *pdb_event_ctx;
120 struct event_context *pdb_get_event_context(void)
122 return pdb_event_ctx;
125 /******************************************************************
126 Make a pdb_methods from scratch
127 *******************************************************************/
129 NTSTATUS make_pdb_method_name(struct pdb_methods **methods, const char *selected)
131 char *module_name = smb_xstrdup(selected);
132 char *module_location = NULL, *p;
133 struct pdb_init_function_entry *entry;
134 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
136 lazy_initialize_passdb();
138 p = strchr(module_name, ':');
142 module_location = p+1;
143 trim_char(module_location, ' ', ' ');
146 trim_char(module_name, ' ', ' ');
149 DEBUG(5,("Attempting to find a passdb backend to match %s (%s)\n", selected, module_name));
151 entry = pdb_find_backend_entry(module_name);
153 /* Try to find a module that contains this module */
155 DEBUG(2,("No builtin backend found, trying to load plugin\n"));
156 if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) {
157 DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name));
158 SAFE_FREE(module_name);
159 return NT_STATUS_UNSUCCESSFUL;
163 /* No such backend found */
165 DEBUG(0,("No builtin nor plugin backend for %s found\n", module_name));
166 SAFE_FREE(module_name);
167 return NT_STATUS_INVALID_PARAMETER;
170 DEBUG(5,("Found pdb backend %s\n", module_name));
172 if ( !NT_STATUS_IS_OK( nt_status = entry->init(methods, module_location) ) ) {
173 DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n",
174 selected, nt_errstr(nt_status)));
175 SAFE_FREE(module_name);
179 SAFE_FREE(module_name);
181 DEBUG(5,("pdb backend %s has a valid init\n", selected));
186 /******************************************************************
187 Return an already initialized pdb_methods structure
188 *******************************************************************/
190 static struct pdb_methods *pdb_get_methods_reload( bool reload )
192 static struct pdb_methods *pdb = NULL;
194 if ( pdb && reload ) {
195 pdb->free_private_data( &(pdb->private_data) );
196 if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
198 if (asprintf(&msg, "pdb_get_methods_reload: "
199 "failed to get pdb methods for backend %s\n",
200 lp_passdb_backend()) > 0) {
203 smb_panic("pdb_get_methods_reload");
209 if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
211 if (asprintf(&msg, "pdb_get_methods_reload: "
212 "failed to get pdb methods for backend %s\n",
213 lp_passdb_backend()) > 0) {
216 smb_panic("pdb_get_methods_reload");
224 static struct pdb_methods *pdb_get_methods(void)
226 return pdb_get_methods_reload(False);
229 struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX *mem_ctx)
231 struct pdb_methods *pdb = pdb_get_methods();
232 return pdb->get_domain_info(pdb, mem_ctx);
236 * @brief Check if the user account has been locked out and try to unlock it.
238 * If the user has been automatically locked out and a lockout duration is set,
239 * then check if we can unlock the account and reset the bad password values.
241 * @param[in] sampass The sam user to check.
243 * @return True if the function was successfull, false on an error.
245 static bool pdb_try_account_unlock(struct samu *sampass)
247 uint32_t acb_info = pdb_get_acct_ctrl(sampass);
249 if ((acb_info & ACB_NORMAL) && (acb_info & ACB_AUTOLOCK)) {
250 uint32_t lockout_duration;
251 time_t bad_password_time;
252 time_t now = time(NULL);
255 ok = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
258 DEBUG(0, ("pdb_try_account_unlock: "
259 "pdb_get_account_policy failed.\n"));
263 if (lockout_duration == (uint32_t) -1 ||
264 lockout_duration == 0) {
265 DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
266 "can't reset autolock\n"));
269 lockout_duration *= 60;
271 bad_password_time = pdb_get_bad_password_time(sampass);
272 if (bad_password_time == (time_t) 0) {
273 DEBUG(2, ("pdb_try_account_unlock: Account %s "
274 "administratively locked out "
275 "with no bad password "
276 "time. Leaving locked out.\n",
277 pdb_get_username(sampass)));
281 if ((bad_password_time +
282 convert_uint32_t_to_time_t(lockout_duration)) < now) {
285 pdb_set_acct_ctrl(sampass, acb_info & ~ACB_AUTOLOCK,
287 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
288 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
291 status = pdb_update_sam_account(sampass);
293 if (!NT_STATUS_IS_OK(status)) {
294 DEBUG(0, ("_samr_OpenUser: Couldn't "
295 "update account %s - %s\n",
296 pdb_get_username(sampass),
307 * @brief Get a sam user structure by the given username.
309 * This functions also checks if the account has been automatically locked out
310 * and unlocks it if a lockout duration time has been defined and the time has
313 * @param[in] sam_acct The sam user structure to fill.
315 * @param[in] username The username to look for.
317 * @return True on success, false on error.
319 bool pdb_getsampwnam(struct samu *sam_acct, const char *username)
321 struct pdb_methods *pdb = pdb_get_methods();
322 struct samu *for_cache;
323 const struct dom_sid *user_sid;
327 status = pdb->getsampwnam(pdb, sam_acct, username);
328 if (!NT_STATUS_IS_OK(status)) {
332 ok = pdb_try_account_unlock(sam_acct);
334 DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
338 for_cache = samu_new(NULL);
339 if (for_cache == NULL) {
343 if (!pdb_copy_sam_account(for_cache, sam_acct)) {
344 TALLOC_FREE(for_cache);
348 user_sid = pdb_get_user_sid(for_cache);
350 memcache_add_talloc(NULL, PDB_GETPWSID_CACHE,
351 data_blob_const(user_sid, sizeof(*user_sid)),
357 /**********************************************************************
358 **********************************************************************/
360 static bool guest_user_info( struct samu *user )
364 const char *guestname = lp_guestaccount();
366 pwd = Get_Pwnam_alloc(talloc_tos(), guestname);
368 DEBUG(0,("guest_user_info: Unable to locate guest account [%s]!\n",
373 result = samu_set_unix(user, pwd );
377 return NT_STATUS_IS_OK( result );
381 * @brief Get a sam user structure by the given username.
383 * This functions also checks if the account has been automatically locked out
384 * and unlocks it if a lockout duration time has been defined and the time has
388 * @param[in] sam_acct The sam user structure to fill.
390 * @param[in] sid The user SDI to look up.
392 * @return True on success, false on error.
394 bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
396 struct pdb_methods *pdb = pdb_get_methods();
401 /* hard code the Guest RID of 501 */
403 if ( !sid_peek_check_rid( get_global_sam_sid(), sid, &rid ) )
406 if ( rid == DOMAIN_RID_GUEST ) {
407 DEBUG(6,("pdb_getsampwsid: Building guest account\n"));
408 return guest_user_info( sam_acct );
411 /* check the cache first */
413 cache_data = memcache_lookup_talloc(
414 NULL, PDB_GETPWSID_CACHE, data_blob_const(sid, sizeof(*sid)));
416 if (cache_data != NULL) {
417 struct samu *cache_copy = talloc_get_type_abort(
418 cache_data, struct samu);
420 ok = pdb_copy_sam_account(sam_acct, cache_copy);
422 ok = NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
429 ok = pdb_try_account_unlock(sam_acct);
431 DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
432 sam_acct->username));
438 static NTSTATUS pdb_default_create_user(struct pdb_methods *methods,
439 TALLOC_CTX *tmp_ctx, const char *name,
440 uint32_t acb_info, uint32_t *rid)
442 struct samu *sam_pass;
446 if ((sam_pass = samu_new(tmp_ctx)) == NULL) {
447 return NT_STATUS_NO_MEMORY;
450 if ( !(pwd = Get_Pwnam_alloc(tmp_ctx, name)) ) {
451 char *add_script = NULL;
455 if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] != '$') {
456 add_script = talloc_strdup(tmp_ctx,
457 lp_adduser_script());
459 add_script = talloc_strdup(tmp_ctx,
460 lp_addmachine_script());
463 if (!add_script || add_script[0] == '\0') {
464 DEBUG(3, ("Could not find user %s and no add script "
466 return NT_STATUS_NO_SUCH_USER;
469 /* lowercase the username before creating the Unix account for
470 compatibility with previous Samba releases */
471 fstrcpy( name2, name );
473 add_script = talloc_all_string_sub(tmp_ctx,
478 return NT_STATUS_NO_MEMORY;
480 add_ret = smbrun(add_script,NULL);
481 DEBUG(add_ret ? 0 : 3, ("_samr_create_user: Running the command `%s' gave %d\n",
482 add_script, add_ret));
484 smb_nscd_flush_user_cache();
489 pwd = Get_Pwnam_alloc(tmp_ctx, name);
492 DEBUG(3, ("Could not find user %s, add script did not work\n", name));
493 return NT_STATUS_NO_SUCH_USER;
497 /* we have a valid SID coming out of this call */
499 status = samu_alloc_rid_unix( sam_pass, pwd );
503 if (!NT_STATUS_IS_OK(status)) {
504 DEBUG(3, ("pdb_default_create_user: failed to create a new user structure: %s\n", nt_errstr(status)));
508 if (!sid_peek_check_rid(get_global_sam_sid(),
509 pdb_get_user_sid(sam_pass), rid)) {
510 DEBUG(0, ("Could not get RID of fresh user\n"));
511 return NT_STATUS_INTERNAL_ERROR;
514 /* Use the username case specified in the original request */
516 pdb_set_username( sam_pass, name, PDB_SET );
518 /* Disable the account on creation, it does not have a reasonable password yet. */
520 acb_info |= ACB_DISABLED;
522 pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
524 status = pdb_add_sam_account(sam_pass);
526 TALLOC_FREE(sam_pass);
531 NTSTATUS pdb_create_user(TALLOC_CTX *mem_ctx, const char *name, uint32_t flags,
534 struct pdb_methods *pdb = pdb_get_methods();
535 return pdb->create_user(pdb, mem_ctx, name, flags, rid);
538 /****************************************************************************
539 Delete a UNIX user on demand.
540 ****************************************************************************/
542 static int smb_delete_user(const char *unix_user)
544 char *del_script = NULL;
549 if ( strequal( unix_user, "root" ) ) {
550 DEBUG(0,("smb_delete_user: Refusing to delete local system root account!\n"));
554 del_script = talloc_strdup(talloc_tos(), lp_deluser_script());
555 if (!del_script || !*del_script) {
558 del_script = talloc_all_string_sub(talloc_tos(),
565 ret = smbrun(del_script,NULL);
568 smb_nscd_flush_user_cache();
570 DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
575 static NTSTATUS pdb_default_delete_user(struct pdb_methods *methods,
577 struct samu *sam_acct)
582 status = pdb_delete_sam_account(sam_acct);
583 if (!NT_STATUS_IS_OK(status)) {
588 * Now delete the unix side ....
589 * note: we don't check if the delete really happened as the script is
590 * not necessary present and maybe the sysadmin doesn't want to delete
594 /* always lower case the username before handing it off to
597 fstrcpy( username, pdb_get_username(sam_acct) );
598 strlower_m( username );
600 smb_delete_user( username );
605 NTSTATUS pdb_delete_user(TALLOC_CTX *mem_ctx, struct samu *sam_acct)
607 struct pdb_methods *pdb = pdb_get_methods();
610 /* sanity check to make sure we don't delete root */
612 if ( !sid_to_uid( pdb_get_user_sid(sam_acct), &uid ) ) {
613 return NT_STATUS_NO_SUCH_USER;
617 return NT_STATUS_ACCESS_DENIED;
620 return pdb->delete_user(pdb, mem_ctx, sam_acct);
623 NTSTATUS pdb_add_sam_account(struct samu *sam_acct)
625 struct pdb_methods *pdb = pdb_get_methods();
626 return pdb->add_sam_account(pdb, sam_acct);
629 NTSTATUS pdb_update_sam_account(struct samu *sam_acct)
631 struct pdb_methods *pdb = pdb_get_methods();
633 memcache_flush(NULL, PDB_GETPWSID_CACHE);
635 return pdb->update_sam_account(pdb, sam_acct);
638 NTSTATUS pdb_delete_sam_account(struct samu *sam_acct)
640 struct pdb_methods *pdb = pdb_get_methods();
642 memcache_flush(NULL, PDB_GETPWSID_CACHE);
644 return pdb->delete_sam_account(pdb, sam_acct);
647 NTSTATUS pdb_rename_sam_account(struct samu *oldname, const char *newname)
649 struct pdb_methods *pdb = pdb_get_methods();
653 memcache_flush(NULL, PDB_GETPWSID_CACHE);
655 /* sanity check to make sure we don't rename root */
657 if ( !sid_to_uid( pdb_get_user_sid(oldname), &uid ) ) {
658 return NT_STATUS_NO_SUCH_USER;
662 return NT_STATUS_ACCESS_DENIED;
665 status = pdb->rename_sam_account(pdb, oldname, newname);
667 /* always flush the cache here just to be safe */
673 NTSTATUS pdb_update_login_attempts(struct samu *sam_acct, bool success)
675 struct pdb_methods *pdb = pdb_get_methods();
676 return pdb->update_login_attempts(pdb, sam_acct, success);
679 bool pdb_getgrsid(GROUP_MAP *map, struct dom_sid sid)
681 struct pdb_methods *pdb = pdb_get_methods();
682 return NT_STATUS_IS_OK(pdb->getgrsid(pdb, map, sid));
685 bool pdb_getgrgid(GROUP_MAP *map, gid_t gid)
687 struct pdb_methods *pdb = pdb_get_methods();
688 return NT_STATUS_IS_OK(pdb->getgrgid(pdb, map, gid));
691 bool pdb_getgrnam(GROUP_MAP *map, const char *name)
693 struct pdb_methods *pdb = pdb_get_methods();
694 return NT_STATUS_IS_OK(pdb->getgrnam(pdb, map, name));
697 static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods,
702 struct dom_sid group_sid;
706 grp = getgrnam(name);
711 if (smb_create_group(name, &gid) != 0) {
712 return NT_STATUS_ACCESS_DENIED;
719 return NT_STATUS_ACCESS_DENIED;
722 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
723 if (!pdb_new_rid(rid)) {
724 return NT_STATUS_ACCESS_DENIED;
727 *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
730 sid_compose(&group_sid, get_global_sam_sid(), *rid);
732 return add_initial_entry(grp->gr_gid, sid_to_fstring(tmp, &group_sid),
733 SID_NAME_DOM_GRP, name, NULL);
736 NTSTATUS pdb_create_dom_group(TALLOC_CTX *mem_ctx, const char *name,
739 struct pdb_methods *pdb = pdb_get_methods();
740 return pdb->create_dom_group(pdb, mem_ctx, name, rid);
743 static NTSTATUS pdb_default_delete_dom_group(struct pdb_methods *methods,
747 struct dom_sid group_sid;
751 const char *grp_name;
754 map.gid = (gid_t) -1;
756 sid_compose(&group_sid, get_global_sam_sid(), rid);
758 if (!get_domain_group_from_sid(group_sid, &map)) {
759 DEBUG(10, ("Could not find group for rid %d\n", rid));
760 return NT_STATUS_NO_SUCH_GROUP;
763 /* We need the group name for the smb_delete_group later on */
765 if (map.gid == (gid_t)-1) {
766 return NT_STATUS_NO_SUCH_GROUP;
769 grp = getgrgid(map.gid);
771 return NT_STATUS_NO_SUCH_GROUP;
774 /* Copy the name, no idea what pdb_delete_group_mapping_entry does.. */
776 grp_name = talloc_strdup(mem_ctx, grp->gr_name);
777 if (grp_name == NULL) {
778 return NT_STATUS_NO_MEMORY;
781 status = pdb_delete_group_mapping_entry(group_sid);
783 if (!NT_STATUS_IS_OK(status)) {
787 /* Don't check the result of smb_delete_group */
789 smb_delete_group(grp_name);
794 NTSTATUS pdb_delete_dom_group(TALLOC_CTX *mem_ctx, uint32_t rid)
796 struct pdb_methods *pdb = pdb_get_methods();
797 return pdb->delete_dom_group(pdb, mem_ctx, rid);
800 NTSTATUS pdb_add_group_mapping_entry(GROUP_MAP *map)
802 struct pdb_methods *pdb = pdb_get_methods();
803 return pdb->add_group_mapping_entry(pdb, map);
806 NTSTATUS pdb_update_group_mapping_entry(GROUP_MAP *map)
808 struct pdb_methods *pdb = pdb_get_methods();
809 return pdb->update_group_mapping_entry(pdb, map);
812 NTSTATUS pdb_delete_group_mapping_entry(struct dom_sid sid)
814 struct pdb_methods *pdb = pdb_get_methods();
815 return pdb->delete_group_mapping_entry(pdb, sid);
818 bool pdb_enum_group_mapping(const struct dom_sid *sid, enum lsa_SidType sid_name_use, GROUP_MAP **pp_rmap,
819 size_t *p_num_entries, bool unix_only)
821 struct pdb_methods *pdb = pdb_get_methods();
822 return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
823 pp_rmap, p_num_entries, unix_only));
826 NTSTATUS pdb_enum_group_members(TALLOC_CTX *mem_ctx,
827 const struct dom_sid *sid,
828 uint32_t **pp_member_rids,
829 size_t *p_num_members)
831 struct pdb_methods *pdb = pdb_get_methods();
834 result = pdb->enum_group_members(pdb, mem_ctx,
835 sid, pp_member_rids, p_num_members);
837 /* special check for rid 513 */
839 if ( !NT_STATUS_IS_OK( result ) ) {
842 sid_peek_rid( sid, &rid );
844 if ( rid == DOMAIN_RID_USERS ) {
846 *pp_member_rids = NULL;
855 NTSTATUS pdb_enum_group_memberships(TALLOC_CTX *mem_ctx, struct samu *user,
856 struct dom_sid **pp_sids, gid_t **pp_gids,
857 uint32_t *p_num_groups)
859 struct pdb_methods *pdb = pdb_get_methods();
860 return pdb->enum_group_memberships(
862 pp_sids, pp_gids, p_num_groups);
865 static NTSTATUS pdb_default_set_unix_primary_group(struct pdb_methods *methods,
867 struct samu *sampass)
872 if (!sid_to_gid(pdb_get_group_sid(sampass), &gid) ||
873 (grp = getgrgid(gid)) == NULL) {
874 return NT_STATUS_INVALID_PRIMARY_GROUP;
877 if (smb_set_primary_group(grp->gr_name,
878 pdb_get_username(sampass)) != 0) {
879 return NT_STATUS_ACCESS_DENIED;
885 NTSTATUS pdb_set_unix_primary_group(TALLOC_CTX *mem_ctx, struct samu *user)
887 struct pdb_methods *pdb = pdb_get_methods();
888 return pdb->set_unix_primary_group(pdb, mem_ctx, user);
892 * Helper function to see whether a user is in a group. We can't use
893 * user_in_group_sid here because this creates dependencies only smbd can
897 static bool pdb_user_in_group(TALLOC_CTX *mem_ctx, struct samu *account,
898 const struct dom_sid *group_sid)
900 struct dom_sid *sids;
902 uint32_t i, num_groups;
904 if (!NT_STATUS_IS_OK(pdb_enum_group_memberships(mem_ctx, account,
910 for (i=0; i<num_groups; i++) {
911 if (dom_sid_equal(group_sid, &sids[i])) {
918 static NTSTATUS pdb_default_add_groupmem(struct pdb_methods *methods,
923 struct dom_sid group_sid, member_sid;
924 struct samu *account = NULL;
928 const char *group_name;
932 map.gid = (gid_t) -1;
934 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
935 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
937 if (!get_domain_group_from_sid(group_sid, &map) ||
938 (map.gid == (gid_t)-1) ||
939 ((grp = getgrgid(map.gid)) == NULL)) {
940 return NT_STATUS_NO_SUCH_GROUP;
943 group_name = talloc_strdup(mem_ctx, grp->gr_name);
944 if (group_name == NULL) {
945 return NT_STATUS_NO_MEMORY;
948 if ( !(account = samu_new( NULL )) ) {
949 return NT_STATUS_NO_MEMORY;
952 if (!pdb_getsampwsid(account, &member_sid) ||
953 !sid_to_uid(&member_sid, &uid) ||
954 ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
955 return NT_STATUS_NO_SUCH_USER;
958 if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
959 return NT_STATUS_MEMBER_IN_GROUP;
963 * ok, the group exist, the user exist, the user is not in the group,
964 * we can (finally) add it to the group !
967 smb_add_user_group(group_name, pwd->pw_name);
969 if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
970 return NT_STATUS_ACCESS_DENIED;
976 NTSTATUS pdb_add_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
979 struct pdb_methods *pdb = pdb_get_methods();
980 return pdb->add_groupmem(pdb, mem_ctx, group_rid, member_rid);
983 static NTSTATUS pdb_default_del_groupmem(struct pdb_methods *methods,
988 struct dom_sid group_sid, member_sid;
989 struct samu *account = NULL;
993 const char *group_name;
996 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
997 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
999 if (!get_domain_group_from_sid(group_sid, &map) ||
1000 (map.gid == (gid_t)-1) ||
1001 ((grp = getgrgid(map.gid)) == NULL)) {
1002 return NT_STATUS_NO_SUCH_GROUP;
1005 group_name = talloc_strdup(mem_ctx, grp->gr_name);
1006 if (group_name == NULL) {
1007 return NT_STATUS_NO_MEMORY;
1010 if ( !(account = samu_new( NULL )) ) {
1011 return NT_STATUS_NO_MEMORY;
1014 if (!pdb_getsampwsid(account, &member_sid) ||
1015 !sid_to_uid(&member_sid, &uid) ||
1016 ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1017 return NT_STATUS_NO_SUCH_USER;
1020 if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1021 return NT_STATUS_MEMBER_NOT_IN_GROUP;
1025 * ok, the group exist, the user exist, the user is in the group,
1026 * we can (finally) delete it from the group!
1029 smb_delete_user_group(group_name, pwd->pw_name);
1031 if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1032 return NT_STATUS_ACCESS_DENIED;
1035 return NT_STATUS_OK;
1038 NTSTATUS pdb_del_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1039 uint32_t member_rid)
1041 struct pdb_methods *pdb = pdb_get_methods();
1042 return pdb->del_groupmem(pdb, mem_ctx, group_rid, member_rid);
1045 NTSTATUS pdb_create_alias(const char *name, uint32_t *rid)
1047 struct pdb_methods *pdb = pdb_get_methods();
1048 return pdb->create_alias(pdb, name, rid);
1051 NTSTATUS pdb_delete_alias(const struct dom_sid *sid)
1053 struct pdb_methods *pdb = pdb_get_methods();
1054 return pdb->delete_alias(pdb, sid);
1057 NTSTATUS pdb_get_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1059 struct pdb_methods *pdb = pdb_get_methods();
1060 return pdb->get_aliasinfo(pdb, sid, info);
1063 NTSTATUS pdb_set_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1065 struct pdb_methods *pdb = pdb_get_methods();
1066 return pdb->set_aliasinfo(pdb, sid, info);
1069 NTSTATUS pdb_add_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1071 struct pdb_methods *pdb = pdb_get_methods();
1072 return pdb->add_aliasmem(pdb, alias, member);
1075 NTSTATUS pdb_del_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1077 struct pdb_methods *pdb = pdb_get_methods();
1078 return pdb->del_aliasmem(pdb, alias, member);
1081 NTSTATUS pdb_enum_aliasmem(const struct dom_sid *alias, TALLOC_CTX *mem_ctx,
1082 struct dom_sid **pp_members, size_t *p_num_members)
1084 struct pdb_methods *pdb = pdb_get_methods();
1085 return pdb->enum_aliasmem(pdb, alias, mem_ctx, pp_members,
1089 NTSTATUS pdb_enum_alias_memberships(TALLOC_CTX *mem_ctx,
1090 const struct dom_sid *domain_sid,
1091 const struct dom_sid *members, size_t num_members,
1092 uint32_t **pp_alias_rids,
1093 size_t *p_num_alias_rids)
1095 struct pdb_methods *pdb = pdb_get_methods();
1096 return pdb->enum_alias_memberships(pdb, mem_ctx,
1098 members, num_members,
1103 NTSTATUS pdb_lookup_rids(const struct dom_sid *domain_sid,
1107 enum lsa_SidType *attrs)
1109 struct pdb_methods *pdb = pdb_get_methods();
1110 return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs);
1114 * NOTE: pdb_lookup_names is currently (2007-01-12) not used anywhere
1115 * in the samba code.
1116 * Unlike _lsa_lookup_sids and _samr_lookup_rids, which eventually
1117 * also ask pdb_lookup_rids, thus looking up a bunch of rids at a time,
1118 * the pdb_ calls _lsa_lookup_names and _samr_lookup_names come
1119 * down to are pdb_getsampwnam and pdb_getgrnam instead of
1121 * But in principle, it the call belongs to the API and might get
1122 * used in this context some day.
1125 NTSTATUS pdb_lookup_names(const struct dom_sid *domain_sid,
1129 enum lsa_SidType *attrs)
1131 struct pdb_methods *pdb = pdb_get_methods();
1132 return pdb->lookup_names(pdb, domain_sid, num_names, names, rids, attrs);
1136 bool pdb_get_account_policy(enum pdb_policy_type type, uint32_t *value)
1138 struct pdb_methods *pdb = pdb_get_methods();
1142 status = pdb->get_account_policy(pdb, type, value);
1145 return NT_STATUS_IS_OK(status);
1148 bool pdb_set_account_policy(enum pdb_policy_type type, uint32_t value)
1150 struct pdb_methods *pdb = pdb_get_methods();
1154 status = pdb->set_account_policy(pdb, type, value);
1157 return NT_STATUS_IS_OK(status);
1160 bool pdb_get_seq_num(time_t *seq_num)
1162 struct pdb_methods *pdb = pdb_get_methods();
1163 return NT_STATUS_IS_OK(pdb->get_seq_num(pdb, seq_num));
1166 bool pdb_uid_to_sid(uid_t uid, struct dom_sid *sid)
1168 struct pdb_methods *pdb = pdb_get_methods();
1169 return pdb->uid_to_sid(pdb, uid, sid);
1172 bool pdb_gid_to_sid(gid_t gid, struct dom_sid *sid)
1174 struct pdb_methods *pdb = pdb_get_methods();
1175 return pdb->gid_to_sid(pdb, gid, sid);
1178 bool pdb_sid_to_id(const struct dom_sid *sid, union unid_t *id,
1179 enum lsa_SidType *type)
1181 struct pdb_methods *pdb = pdb_get_methods();
1182 return pdb->sid_to_id(pdb, sid, id, type);
1185 uint32_t pdb_capabilities(void)
1187 struct pdb_methods *pdb = pdb_get_methods();
1188 return pdb->capabilities(pdb);
1191 /********************************************************************
1192 Allocate a new RID from the passdb backend. Verify that it is free
1193 by calling lookup_global_sam_rid() to verify that the RID is not
1194 in use. This handles servers that have existing users or groups
1195 with add RIDs (assigned from previous algorithmic mappings)
1196 ********************************************************************/
1198 bool pdb_new_rid(uint32_t *rid)
1200 struct pdb_methods *pdb = pdb_get_methods();
1201 const char *name = NULL;
1202 enum lsa_SidType type;
1203 uint32_t allocated_rid = 0;
1207 if ((pdb_capabilities() & PDB_CAP_STORE_RIDS) == 0) {
1208 DEBUG(0, ("Trying to allocate a RID when algorithmic RIDs "
1213 if (algorithmic_rid_base() != BASE_RID) {
1214 DEBUG(0, ("'algorithmic rid base' is set but a passdb backend "
1215 "without algorithmic RIDs is chosen.\n"));
1216 DEBUGADD(0, ("Please map all used groups using 'net groupmap "
1217 "add', set the maximum used RID\n"));
1218 DEBUGADD(0, ("and remove the parameter\n"));
1222 if ( (ctx = talloc_init("pdb_new_rid")) == NULL ) {
1223 DEBUG(0,("pdb_new_rid: Talloc initialization failure\n"));
1227 /* Attempt to get an unused RID (max tires is 250...yes that it is
1228 and arbitrary number I pulkled out of my head). -- jerry */
1230 for ( i=0; allocated_rid==0 && i<250; i++ ) {
1233 if ( !pdb->new_rid(pdb, &allocated_rid) ) {
1237 /* validate that the RID is not in use */
1239 if ( lookup_global_sam_rid( ctx, allocated_rid, &name, &type, NULL ) ) {
1246 if ( allocated_rid == 0 ) {
1247 DEBUG(0,("pdb_new_rid: Failed to find unused RID\n"));
1251 *rid = allocated_rid;
1256 /***************************************************************
1257 Initialize the static context (at smbd startup etc).
1259 If uninitialised, context will auto-init on first use.
1260 ***************************************************************/
1262 bool initialize_password_db(bool reload, struct event_context *event_ctx)
1264 pdb_event_ctx = event_ctx;
1265 return (pdb_get_methods_reload(reload) != NULL);
1269 /***************************************************************************
1270 Default implementations of some functions.
1271 ****************************************************************************/
1273 static NTSTATUS pdb_default_getsampwnam (struct pdb_methods *methods, struct samu *user, const char *sname)
1275 return NT_STATUS_NO_SUCH_USER;
1278 static NTSTATUS pdb_default_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const struct dom_sid *sid)
1280 return NT_STATUS_NO_SUCH_USER;
1283 static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1285 return NT_STATUS_NOT_IMPLEMENTED;
1288 static NTSTATUS pdb_default_update_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1290 return NT_STATUS_NOT_IMPLEMENTED;
1293 static NTSTATUS pdb_default_delete_sam_account (struct pdb_methods *methods, struct samu *pwd)
1295 return NT_STATUS_NOT_IMPLEMENTED;
1298 static NTSTATUS pdb_default_rename_sam_account (struct pdb_methods *methods, struct samu *pwd, const char *newname)
1300 return NT_STATUS_NOT_IMPLEMENTED;
1303 static NTSTATUS pdb_default_update_login_attempts (struct pdb_methods *methods, struct samu *newpwd, bool success)
1305 /* Only the pdb_nds backend implements this, by
1306 * default just return ok. */
1307 return NT_STATUS_OK;
1310 static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t *value)
1312 return account_policy_get(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1315 static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t value)
1317 return account_policy_set(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1320 static NTSTATUS pdb_default_get_seq_num(struct pdb_methods *methods, time_t *seq_num)
1322 *seq_num = time(NULL);
1323 return NT_STATUS_OK;
1326 static bool pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid,
1327 struct dom_sid *sid)
1329 struct samu *sampw = NULL;
1330 struct passwd *unix_pw;
1333 unix_pw = sys_getpwuid( uid );
1336 DEBUG(4,("pdb_default_uid_to_sid: host has no idea of uid "
1337 "%lu\n", (unsigned long)uid));
1341 if ( !(sampw = samu_new( NULL )) ) {
1342 DEBUG(0,("pdb_default_uid_to_sid: samu_new() failed!\n"));
1347 ret = NT_STATUS_IS_OK(
1348 methods->getsampwnam(methods, sampw, unix_pw->pw_name ));
1352 DEBUG(5, ("pdb_default_uid_to_sid: Did not find user "
1353 "%s (%u)\n", unix_pw->pw_name, (unsigned int)uid));
1358 sid_copy(sid, pdb_get_user_sid(sampw));
1365 static bool pdb_default_gid_to_sid(struct pdb_methods *methods, gid_t gid,
1366 struct dom_sid *sid)
1370 if (!NT_STATUS_IS_OK(methods->getgrgid(methods, &map, gid))) {
1374 sid_copy(sid, &map.sid);
1378 static bool pdb_default_sid_to_id(struct pdb_methods *methods,
1379 const struct dom_sid *sid,
1380 union unid_t *id, enum lsa_SidType *type)
1382 TALLOC_CTX *mem_ctx;
1387 mem_ctx = talloc_new(NULL);
1389 if (mem_ctx == NULL) {
1390 DEBUG(0, ("talloc_new failed\n"));
1394 if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
1395 /* Here we might have users as well as groups and aliases */
1396 ret = lookup_global_sam_rid(mem_ctx, rid, &name, type, id);
1400 /* check for "Unix User" */
1402 if ( sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid) ) {
1404 *type = SID_NAME_USER;
1409 /* check for "Unix Group" */
1411 if ( sid_peek_check_rid(&global_sid_Unix_Groups, sid, &rid) ) {
1413 *type = SID_NAME_ALIAS;
1420 if (sid_check_is_in_builtin(sid) ||
1421 sid_check_is_in_wellknown_domain(sid)) {
1422 /* Here we only have aliases */
1424 if (!NT_STATUS_IS_OK(methods->getgrsid(methods, &map, *sid))) {
1425 DEBUG(10, ("Could not find map for sid %s\n",
1426 sid_string_dbg(sid)));
1429 if ((map.sid_name_use != SID_NAME_ALIAS) &&
1430 (map.sid_name_use != SID_NAME_WKN_GRP)) {
1431 DEBUG(10, ("Map for sid %s is a %s, expected an "
1432 "alias\n", sid_string_dbg(sid),
1433 sid_type_lookup(map.sid_name_use)));
1438 *type = SID_NAME_ALIAS;
1443 DEBUG(5, ("Sid %s is neither ours, a Unix SID, nor builtin\n",
1444 sid_string_dbg(sid)));
1448 TALLOC_FREE(mem_ctx);
1452 static bool get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, uint32_t *p_num)
1463 /* We only look at our own sam, so don't care about imported stuff */
1464 winbind_env = winbind_env_set();
1465 (void)winbind_off();
1467 if ((grp = getgrgid(gid)) == NULL) {
1468 /* allow winbindd lookups, but only if they weren't already disabled */
1472 /* Primary group members */
1474 while ((pwd = getpwent()) != NULL) {
1475 if (pwd->pw_gid == gid) {
1476 if (!add_uid_to_array_unique(mem_ctx, pwd->pw_uid,
1484 /* Secondary group members */
1485 for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
1486 struct passwd *pw = getpwnam(*gr);
1490 if (!add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num)) {
1499 /* allow winbindd lookups, but only if they weren't already disabled */
1507 static NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
1508 TALLOC_CTX *mem_ctx,
1509 const struct dom_sid *group,
1510 uint32_t **pp_member_rids,
1511 size_t *p_num_members)
1515 uint32_t i, num_uids;
1517 *pp_member_rids = NULL;
1520 if (!sid_to_gid(group, &gid))
1521 return NT_STATUS_NO_SUCH_GROUP;
1523 if(!get_memberuids(mem_ctx, gid, &uids, &num_uids))
1524 return NT_STATUS_NO_SUCH_GROUP;
1527 return NT_STATUS_OK;
1529 *pp_member_rids = talloc_zero_array(mem_ctx, uint32_t, num_uids);
1531 for (i=0; i<num_uids; i++) {
1534 uid_to_sid(&sid, uids[i]);
1536 if (!sid_check_is_in_our_domain(&sid)) {
1537 DEBUG(5, ("Inconsistent SAM -- group member uid not "
1538 "in our domain\n"));
1542 sid_peek_rid(&sid, &(*pp_member_rids)[*p_num_members]);
1543 *p_num_members += 1;
1546 return NT_STATUS_OK;
1549 static NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
1550 TALLOC_CTX *mem_ctx,
1552 struct dom_sid **pp_sids,
1554 uint32_t *p_num_groups)
1559 const char *username = pdb_get_username(user);
1562 /* Ignore the primary group SID. Honor the real Unix primary group.
1563 The primary group SID is only of real use to Windows clients */
1565 if ( !(pw = Get_Pwnam_alloc(mem_ctx, username)) ) {
1566 return NT_STATUS_NO_SUCH_USER;
1573 if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) {
1574 return NT_STATUS_NO_SUCH_USER;
1577 if (*p_num_groups == 0) {
1578 smb_panic("primary group missing");
1581 *pp_sids = talloc_array(mem_ctx, struct dom_sid, *p_num_groups);
1583 if (*pp_sids == NULL) {
1584 TALLOC_FREE(*pp_gids);
1585 return NT_STATUS_NO_MEMORY;
1588 for (i=0; i<*p_num_groups; i++) {
1589 gid_to_sid(&(*pp_sids)[i], (*pp_gids)[i]);
1592 return NT_STATUS_OK;
1595 /*******************************************************************
1596 Look up a rid in the SAM we're responsible for (i.e. passdb)
1597 ********************************************************************/
1599 static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
1601 enum lsa_SidType *psid_name_use,
1602 union unid_t *unix_id)
1604 struct samu *sam_account = NULL;
1609 *psid_name_use = SID_NAME_UNKNOWN;
1611 DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n",
1612 (unsigned int)rid));
1614 sid_compose(&sid, get_global_sam_sid(), rid);
1616 /* see if the passdb can help us with the name of the user */
1618 if ( !(sam_account = samu_new( NULL )) ) {
1622 /* BEING ROOT BLOCK */
1624 if (pdb_getsampwsid(sam_account, &sid)) {
1627 unbecome_root(); /* -----> EXIT BECOME_ROOT() */
1628 *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
1630 TALLOC_FREE(sam_account);
1634 *psid_name_use = SID_NAME_USER;
1636 TALLOC_FREE(sam_account);
1638 if (unix_id == NULL) {
1642 pw = Get_Pwnam_alloc(talloc_tos(), *name);
1646 unix_id->uid = pw->pw_uid;
1650 TALLOC_FREE(sam_account);
1652 ret = pdb_getgrsid(&map, sid);
1654 /* END BECOME_ROOT BLOCK */
1656 /* do not resolve SIDs to a name unless there is a valid
1657 gid associated with it */
1659 if ( ret && (map.gid != (gid_t)-1) ) {
1660 *name = talloc_strdup(mem_ctx, map.nt_name);
1661 *psid_name_use = map.sid_name_use;
1664 unix_id->gid = map.gid;
1670 /* Windows will always map RID 513 to something. On a non-domain
1671 controller, this gets mapped to SERVER\None. */
1674 DEBUG(5, ("Can't find a unix id for an unmapped group\n"));
1678 if ( rid == DOMAIN_RID_USERS ) {
1679 *name = talloc_strdup(mem_ctx, "None" );
1680 *psid_name_use = SID_NAME_DOM_GRP;
1688 static NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
1689 const struct dom_sid *domain_sid,
1693 enum lsa_SidType *attrs)
1697 bool have_mapped = False;
1698 bool have_unmapped = False;
1700 if (sid_check_is_builtin(domain_sid)) {
1702 for (i=0; i<num_rids; i++) {
1705 if (lookup_builtin_rid(names, rids[i], &name)) {
1706 attrs[i] = SID_NAME_ALIAS;
1708 DEBUG(5,("lookup_rids: %s:%d\n",
1709 names[i], attrs[i]));
1712 have_unmapped = True;
1713 attrs[i] = SID_NAME_UNKNOWN;
1719 /* Should not happen, but better check once too many */
1720 if (!sid_check_is_domain(domain_sid)) {
1721 return NT_STATUS_INVALID_HANDLE;
1724 for (i = 0; i < num_rids; i++) {
1727 if (lookup_global_sam_rid(names, rids[i], &name, &attrs[i],
1730 return NT_STATUS_NO_MEMORY;
1733 DEBUG(5,("lookup_rids: %s:%d\n", names[i], attrs[i]));
1736 have_unmapped = True;
1737 attrs[i] = SID_NAME_UNKNOWN;
1743 result = NT_STATUS_NONE_MAPPED;
1746 result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
1752 static NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods,
1753 const struct dom_sid *domain_sid,
1757 enum lsa_SidType *attrs)
1761 bool have_mapped = False;
1762 bool have_unmapped = False;
1764 if (sid_check_is_builtin(domain_sid)) {
1766 for (i=0; i<num_names; i++) {
1769 if (lookup_builtin_name(names[i], &rid)) {
1770 attrs[i] = SID_NAME_ALIAS;
1772 DEBUG(5,("lookup_rids: %s:%d\n",
1773 names[i], attrs[i]));
1776 have_unmapped = True;
1777 attrs[i] = SID_NAME_UNKNOWN;
1783 /* Should not happen, but better check once too many */
1784 if (!sid_check_is_domain(domain_sid)) {
1785 return NT_STATUS_INVALID_HANDLE;
1788 for (i = 0; i < num_names; i++) {
1789 if (lookup_global_sam_name(names[i], 0, &rids[i], &attrs[i])) {
1790 DEBUG(5,("lookup_names: %s-> %d:%d\n", names[i],
1791 rids[i], attrs[i]));
1794 have_unmapped = True;
1795 attrs[i] = SID_NAME_UNKNOWN;
1801 result = NT_STATUS_NONE_MAPPED;
1804 result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
1810 static int pdb_search_destructor(struct pdb_search *search)
1812 if ((!search->search_ended) && (search->search_end != NULL)) {
1813 search->search_end(search);
1818 struct pdb_search *pdb_search_init(TALLOC_CTX *mem_ctx,
1819 enum pdb_search_type type)
1821 struct pdb_search *result;
1823 result = talloc(mem_ctx, struct pdb_search);
1824 if (result == NULL) {
1825 DEBUG(0, ("talloc failed\n"));
1829 result->type = type;
1830 result->cache = NULL;
1831 result->num_entries = 0;
1832 result->cache_size = 0;
1833 result->search_ended = False;
1834 result->search_end = NULL;
1836 /* Segfault appropriately if not initialized */
1837 result->next_entry = NULL;
1838 result->search_end = NULL;
1840 talloc_set_destructor(result, pdb_search_destructor);
1845 static void fill_displayentry(TALLOC_CTX *mem_ctx, uint32_t rid,
1846 uint16_t acct_flags,
1847 const char *account_name,
1848 const char *fullname,
1849 const char *description,
1850 struct samr_displayentry *entry)
1853 entry->acct_flags = acct_flags;
1855 if (account_name != NULL)
1856 entry->account_name = talloc_strdup(mem_ctx, account_name);
1858 entry->account_name = "";
1860 if (fullname != NULL)
1861 entry->fullname = talloc_strdup(mem_ctx, fullname);
1863 entry->fullname = "";
1865 if (description != NULL)
1866 entry->description = talloc_strdup(mem_ctx, description);
1868 entry->description = "";
1871 struct group_search {
1873 size_t num_groups, current_group;
1876 static bool next_entry_groups(struct pdb_search *s,
1877 struct samr_displayentry *entry)
1879 struct group_search *state = (struct group_search *)s->private_data;
1881 GROUP_MAP *map = &state->groups[state->current_group];
1883 if (state->current_group == state->num_groups)
1886 sid_peek_rid(&map->sid, &rid);
1888 fill_displayentry(s, rid, 0, map->nt_name, NULL, map->comment, entry);
1890 state->current_group += 1;
1894 static void search_end_groups(struct pdb_search *search)
1896 struct group_search *state =
1897 (struct group_search *)search->private_data;
1898 SAFE_FREE(state->groups);
1901 static bool pdb_search_grouptype(struct pdb_search *search,
1902 const struct dom_sid *sid, enum lsa_SidType type)
1904 struct group_search *state;
1906 state = talloc(search, struct group_search);
1907 if (state == NULL) {
1908 DEBUG(0, ("talloc failed\n"));
1912 if (!pdb_enum_group_mapping(sid, type, &state->groups, &state->num_groups,
1914 DEBUG(0, ("Could not enum groups\n"));
1918 state->current_group = 0;
1919 search->private_data = state;
1920 search->next_entry = next_entry_groups;
1921 search->search_end = search_end_groups;
1925 static bool pdb_default_search_groups(struct pdb_methods *methods,
1926 struct pdb_search *search)
1928 return pdb_search_grouptype(search, get_global_sam_sid(), SID_NAME_DOM_GRP);
1931 static bool pdb_default_search_aliases(struct pdb_methods *methods,
1932 struct pdb_search *search,
1933 const struct dom_sid *sid)
1936 return pdb_search_grouptype(search, sid, SID_NAME_ALIAS);
1939 static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
1942 if (idx < search->num_entries)
1943 return &search->cache[idx];
1945 if (search->search_ended)
1948 while (idx >= search->num_entries) {
1949 struct samr_displayentry entry;
1951 if (!search->next_entry(search, &entry)) {
1952 search->search_end(search);
1953 search->search_ended = True;
1957 ADD_TO_LARGE_ARRAY(search, struct samr_displayentry,
1958 entry, &search->cache, &search->num_entries,
1959 &search->cache_size);
1962 return (search->num_entries > idx) ? &search->cache[idx] : NULL;
1965 struct pdb_search *pdb_search_users(TALLOC_CTX *mem_ctx, uint32_t acct_flags)
1967 struct pdb_methods *pdb = pdb_get_methods();
1968 struct pdb_search *result;
1970 result = pdb_search_init(mem_ctx, PDB_USER_SEARCH);
1971 if (result == NULL) {
1975 if (!pdb->search_users(pdb, result, acct_flags)) {
1976 TALLOC_FREE(result);
1982 struct pdb_search *pdb_search_groups(TALLOC_CTX *mem_ctx)
1984 struct pdb_methods *pdb = pdb_get_methods();
1985 struct pdb_search *result;
1987 result = pdb_search_init(mem_ctx, PDB_GROUP_SEARCH);
1988 if (result == NULL) {
1992 if (!pdb->search_groups(pdb, result)) {
1993 TALLOC_FREE(result);
1999 struct pdb_search *pdb_search_aliases(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
2001 struct pdb_methods *pdb = pdb_get_methods();
2002 struct pdb_search *result;
2004 if (pdb == NULL) return NULL;
2006 result = pdb_search_init(mem_ctx, PDB_ALIAS_SEARCH);
2007 if (result == NULL) {
2011 if (!pdb->search_aliases(pdb, result, sid)) {
2012 TALLOC_FREE(result);
2018 uint32_t pdb_search_entries(struct pdb_search *search,
2019 uint32_t start_idx, uint32_t max_entries,
2020 struct samr_displayentry **result)
2022 struct samr_displayentry *end_entry;
2023 uint32_t end_idx = start_idx+max_entries-1;
2025 /* The first entry needs to be searched after the last. Otherwise the
2026 * first entry might have moved due to a realloc during the search for
2027 * the last entry. */
2029 end_entry = pdb_search_getentry(search, end_idx);
2030 *result = pdb_search_getentry(search, start_idx);
2032 if (end_entry != NULL)
2035 if (start_idx >= search->num_entries)
2038 return search->num_entries - start_idx;
2041 /*******************************************************************
2043 *******************************************************************/
2045 bool pdb_get_trusteddom_pw(const char *domain, char** pwd, struct dom_sid *sid,
2046 time_t *pass_last_set_time)
2048 struct pdb_methods *pdb = pdb_get_methods();
2049 return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
2050 pass_last_set_time);
2053 bool pdb_set_trusteddom_pw(const char* domain, const char* pwd,
2054 const struct dom_sid *sid)
2056 struct pdb_methods *pdb = pdb_get_methods();
2057 return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
2060 bool pdb_del_trusteddom_pw(const char *domain)
2062 struct pdb_methods *pdb = pdb_get_methods();
2063 return pdb->del_trusteddom_pw(pdb, domain);
2066 NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2067 struct trustdom_info ***domains)
2069 struct pdb_methods *pdb = pdb_get_methods();
2070 return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
2073 /*******************************************************************
2074 the defaults for trustdom methods:
2075 these simply call the original passdb/secrets.c actions,
2076 to be replaced by pdb_ldap.
2077 *******************************************************************/
2079 static bool pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
2082 struct dom_sid *sid,
2083 time_t *pass_last_set_time)
2085 return secrets_fetch_trusted_domain_password(domain, pwd,
2086 sid, pass_last_set_time);
2090 static bool pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
2093 const struct dom_sid *sid)
2095 return secrets_store_trusted_domain_password(domain, pwd, sid);
2098 static bool pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
2101 return trusted_domain_password_delete(domain);
2104 static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
2105 TALLOC_CTX *mem_ctx,
2106 uint32_t *num_domains,
2107 struct trustdom_info ***domains)
2109 return secrets_trusted_domains(mem_ctx, num_domains, domains);
2112 /*******************************************************************
2113 trusted_domain methods
2114 *******************************************************************/
2116 NTSTATUS pdb_get_trusted_domain(TALLOC_CTX *mem_ctx, const char *domain,
2117 struct pdb_trusted_domain **td)
2119 struct pdb_methods *pdb = pdb_get_methods();
2120 return pdb->get_trusted_domain(pdb, mem_ctx, domain, td);
2123 NTSTATUS pdb_get_trusted_domain_by_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid,
2124 struct pdb_trusted_domain **td)
2126 struct pdb_methods *pdb = pdb_get_methods();
2127 return pdb->get_trusted_domain_by_sid(pdb, mem_ctx, sid, td);
2130 NTSTATUS pdb_set_trusted_domain(const char* domain,
2131 const struct pdb_trusted_domain *td)
2133 struct pdb_methods *pdb = pdb_get_methods();
2134 return pdb->set_trusted_domain(pdb, domain, td);
2137 NTSTATUS pdb_del_trusted_domain(const char *domain)
2139 struct pdb_methods *pdb = pdb_get_methods();
2140 return pdb->del_trusted_domain(pdb, domain);
2143 NTSTATUS pdb_enum_trusted_domains(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2144 struct pdb_trusted_domain ***domains)
2146 struct pdb_methods *pdb = pdb_get_methods();
2147 return pdb->enum_trusted_domains(pdb, mem_ctx, num_domains, domains);
2150 static NTSTATUS pdb_default_get_trusted_domain(struct pdb_methods *methods,
2151 TALLOC_CTX *mem_ctx,
2153 struct pdb_trusted_domain **td)
2155 struct trustAuthInOutBlob taiob;
2156 struct AuthenticationInformation aia;
2157 struct pdb_trusted_domain *tdom;
2158 enum ndr_err_code ndr_err;
2159 time_t last_set_time;
2163 tdom = talloc(mem_ctx, struct pdb_trusted_domain);
2165 return NT_STATUS_NO_MEMORY;
2168 tdom->domain_name = talloc_strdup(tdom, domain);
2169 tdom->netbios_name = talloc_strdup(tdom, domain);
2170 if (!tdom->domain_name || !tdom->netbios_name) {
2172 return NT_STATUS_NO_MEMORY;
2175 tdom->trust_auth_incoming = data_blob_null;
2177 ok = pdb_get_trusteddom_pw(domain, &pwd, &tdom->security_identifier,
2181 return NT_STATUS_UNSUCCESSFUL;
2187 taiob.current.count = 1;
2188 taiob.current.array = &aia;
2189 unix_to_nt_time(&aia.LastUpdateTime, last_set_time);
2190 aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
2191 aia.AuthInfo.clear.password = (uint8_t *) pwd;
2192 aia.AuthInfo.clear.size = strlen(pwd);
2193 taiob.previous.count = 0;
2194 taiob.previous.array = NULL;
2196 ndr_err = ndr_push_struct_blob(&tdom->trust_auth_outgoing,
2198 (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
2199 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2201 return NT_STATUS_UNSUCCESSFUL;
2204 tdom->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
2205 tdom->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
2206 tdom->trust_attributes = 0;
2207 tdom->trust_forest_trust_info = data_blob_null;
2210 return NT_STATUS_OK;
2213 static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
2214 TALLOC_CTX *mem_ctx,
2215 struct dom_sid *sid,
2216 struct pdb_trusted_domain **td)
2218 return NT_STATUS_NOT_IMPLEMENTED;
2221 #define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
2223 static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
2225 const struct pdb_trusted_domain *td)
2227 struct trustAuthInOutBlob taiob;
2228 struct AuthenticationInformation *aia;
2229 enum ndr_err_code ndr_err;
2233 if (td->trust_attributes != 0 ||
2234 td->trust_type != LSA_TRUST_TYPE_DOWNLEVEL ||
2235 td->trust_direction != LSA_TRUST_DIRECTION_OUTBOUND ||
2236 !IS_NULL_DATA_BLOB(td->trust_auth_incoming) ||
2237 !IS_NULL_DATA_BLOB(td->trust_forest_trust_info)) {
2238 return NT_STATUS_NOT_IMPLEMENTED;
2242 ndr_err = ndr_pull_struct_blob(&td->trust_auth_outgoing, talloc_tos(),
2244 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2245 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2246 return NT_STATUS_UNSUCCESSFUL;
2249 aia = (struct AuthenticationInformation *) taiob.current.array;
2251 if (taiob.count != 1 || taiob.current.count != 1 ||
2252 taiob.previous.count != 0 ||
2253 aia->AuthType != TRUST_AUTH_TYPE_CLEAR) {
2254 return NT_STATUS_NOT_IMPLEMENTED;
2257 pwd = talloc_strndup(talloc_tos(), (char *) aia->AuthInfo.clear.password,
2258 aia->AuthInfo.clear.size);
2260 return NT_STATUS_NO_MEMORY;
2263 ok = pdb_set_trusteddom_pw(domain, pwd, &td->security_identifier);
2265 return NT_STATUS_UNSUCCESSFUL;
2268 return NT_STATUS_OK;
2271 static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
2274 return NT_STATUS_NOT_IMPLEMENTED;
2277 static NTSTATUS pdb_default_enum_trusted_domains(struct pdb_methods *methods,
2278 TALLOC_CTX *mem_ctx,
2279 uint32_t *num_domains,
2280 struct pdb_trusted_domain ***domains)
2282 return NT_STATUS_NOT_IMPLEMENTED;
2285 static struct pdb_domain_info *pdb_default_get_domain_info(
2286 struct pdb_methods *m, TALLOC_CTX *mem_ctx)
2291 /*******************************************************************
2293 *******************************************************************/
2295 NTSTATUS pdb_get_secret(TALLOC_CTX *mem_ctx,
2296 const char *secret_name,
2297 DATA_BLOB *secret_current,
2298 NTTIME *secret_current_lastchange,
2299 DATA_BLOB *secret_old,
2300 NTTIME *secret_old_lastchange,
2301 struct security_descriptor **sd)
2303 struct pdb_methods *pdb = pdb_get_methods();
2304 return pdb->get_secret(pdb, mem_ctx, secret_name,
2305 secret_current, secret_current_lastchange,
2306 secret_old, secret_old_lastchange,
2310 NTSTATUS pdb_set_secret(const char *secret_name,
2311 DATA_BLOB *secret_current,
2312 DATA_BLOB *secret_old,
2313 struct security_descriptor *sd)
2315 struct pdb_methods *pdb = pdb_get_methods();
2316 return pdb->set_secret(pdb, secret_name,
2322 NTSTATUS pdb_delete_secret(const char *secret_name)
2324 struct pdb_methods *pdb = pdb_get_methods();
2325 return pdb->delete_secret(pdb, secret_name);
2328 static NTSTATUS pdb_default_get_secret(struct pdb_methods *methods,
2329 TALLOC_CTX *mem_ctx,
2330 const char *secret_name,
2331 DATA_BLOB *secret_current,
2332 NTTIME *secret_current_lastchange,
2333 DATA_BLOB *secret_old,
2334 NTTIME *secret_old_lastchange,
2335 struct security_descriptor **sd)
2337 return lsa_secret_get(mem_ctx, secret_name,
2339 secret_current_lastchange,
2341 secret_old_lastchange,
2345 static NTSTATUS pdb_default_set_secret(struct pdb_methods *methods,
2346 const char *secret_name,
2347 DATA_BLOB *secret_current,
2348 DATA_BLOB *secret_old,
2349 struct security_descriptor *sd)
2351 return lsa_secret_set(secret_name,
2357 static NTSTATUS pdb_default_delete_secret(struct pdb_methods *methods,
2358 const char *secret_name)
2360 return lsa_secret_delete(secret_name);
2363 /*******************************************************************
2364 Create a pdb_methods structure and initialize it with the default
2365 operations. In this way a passdb module can simply implement
2366 the functionality it cares about. However, normally this is done
2367 in groups of related functions.
2368 *******************************************************************/
2370 NTSTATUS make_pdb_method( struct pdb_methods **methods )
2372 /* allocate memory for the structure as its own talloc CTX */
2374 *methods = talloc_zero(NULL, struct pdb_methods);
2375 if (*methods == NULL) {
2376 return NT_STATUS_NO_MEMORY;
2379 (*methods)->get_domain_info = pdb_default_get_domain_info;
2380 (*methods)->getsampwnam = pdb_default_getsampwnam;
2381 (*methods)->getsampwsid = pdb_default_getsampwsid;
2382 (*methods)->create_user = pdb_default_create_user;
2383 (*methods)->delete_user = pdb_default_delete_user;
2384 (*methods)->add_sam_account = pdb_default_add_sam_account;
2385 (*methods)->update_sam_account = pdb_default_update_sam_account;
2386 (*methods)->delete_sam_account = pdb_default_delete_sam_account;
2387 (*methods)->rename_sam_account = pdb_default_rename_sam_account;
2388 (*methods)->update_login_attempts = pdb_default_update_login_attempts;
2390 (*methods)->getgrsid = pdb_default_getgrsid;
2391 (*methods)->getgrgid = pdb_default_getgrgid;
2392 (*methods)->getgrnam = pdb_default_getgrnam;
2393 (*methods)->create_dom_group = pdb_default_create_dom_group;
2394 (*methods)->delete_dom_group = pdb_default_delete_dom_group;
2395 (*methods)->add_group_mapping_entry = pdb_default_add_group_mapping_entry;
2396 (*methods)->update_group_mapping_entry = pdb_default_update_group_mapping_entry;
2397 (*methods)->delete_group_mapping_entry = pdb_default_delete_group_mapping_entry;
2398 (*methods)->enum_group_mapping = pdb_default_enum_group_mapping;
2399 (*methods)->enum_group_members = pdb_default_enum_group_members;
2400 (*methods)->enum_group_memberships = pdb_default_enum_group_memberships;
2401 (*methods)->set_unix_primary_group = pdb_default_set_unix_primary_group;
2402 (*methods)->add_groupmem = pdb_default_add_groupmem;
2403 (*methods)->del_groupmem = pdb_default_del_groupmem;
2404 (*methods)->create_alias = pdb_default_create_alias;
2405 (*methods)->delete_alias = pdb_default_delete_alias;
2406 (*methods)->get_aliasinfo = pdb_default_get_aliasinfo;
2407 (*methods)->set_aliasinfo = pdb_default_set_aliasinfo;
2408 (*methods)->add_aliasmem = pdb_default_add_aliasmem;
2409 (*methods)->del_aliasmem = pdb_default_del_aliasmem;
2410 (*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
2411 (*methods)->enum_alias_memberships = pdb_default_alias_memberships;
2412 (*methods)->lookup_rids = pdb_default_lookup_rids;
2413 (*methods)->get_account_policy = pdb_default_get_account_policy;
2414 (*methods)->set_account_policy = pdb_default_set_account_policy;
2415 (*methods)->get_seq_num = pdb_default_get_seq_num;
2416 (*methods)->uid_to_sid = pdb_default_uid_to_sid;
2417 (*methods)->gid_to_sid = pdb_default_gid_to_sid;
2418 (*methods)->sid_to_id = pdb_default_sid_to_id;
2420 (*methods)->search_groups = pdb_default_search_groups;
2421 (*methods)->search_aliases = pdb_default_search_aliases;
2423 (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
2424 (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
2425 (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
2426 (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
2428 (*methods)->get_trusted_domain = pdb_default_get_trusted_domain;
2429 (*methods)->get_trusted_domain_by_sid = pdb_default_get_trusted_domain_by_sid;
2430 (*methods)->set_trusted_domain = pdb_default_set_trusted_domain;
2431 (*methods)->del_trusted_domain = pdb_default_del_trusted_domain;
2432 (*methods)->enum_trusted_domains = pdb_default_enum_trusted_domains;
2434 (*methods)->get_secret = pdb_default_get_secret;
2435 (*methods)->set_secret = pdb_default_set_secret;
2436 (*methods)->delete_secret = pdb_default_delete_secret;
2438 return NT_STATUS_OK;