2 Unix SMB/CIFS implementation.
3 pdb glue module for direct access to the dsdb via LDB APIs
4 Copyright (C) Volker Lendecke 2009-2011
5 Copyright (C) Andrew Bartlett 2010-2012
6 Copyright (C) Matthias Dieter Wallnöfer 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* This module, is a port of Volker's pdb_ads to ldb and DSDB APIs */
25 #include "source3/include/passdb.h"
26 #include "source4/dsdb/samdb/samdb.h"
27 #include "ldb_errors.h"
28 #include "libcli/security/dom_sid.h"
29 #include "source4/winbind/idmap.h"
30 #include "librpc/gen_ndr/ndr_security.h"
31 #include "librpc/gen_ndr/ndr_drsblobs.h"
32 #include "librpc/gen_ndr/ndr_lsa.h"
33 #include "libds/common/flag_mapping.h"
34 #include "source4/lib/events/events.h"
35 #include "source4/auth/session.h"
36 #include "source4/auth/system_session_proto.h"
37 #include "lib/param/param.h"
38 #include "source4/dsdb/common/util.h"
39 #include "source3/include/secrets.h"
40 #include "source4/auth/auth_sam.h"
41 #include "auth/credentials/credentials.h"
42 #include "lib/util/base64.h"
43 #include "libcli/ldap/ldap_ndr.h"
45 struct pdb_samba_dsdb_state {
46 struct tevent_context *ev;
47 struct ldb_context *ldb;
48 struct idmap_context *idmap_ctx;
49 struct loadparm_context *lp_ctx;
52 static NTSTATUS pdb_samba_dsdb_getsampwsid(struct pdb_methods *m,
53 struct samu *sam_acct,
54 const struct dom_sid *sid);
55 static NTSTATUS pdb_samba_dsdb_getsamupriv(struct pdb_samba_dsdb_state *state,
58 struct ldb_message **pmsg);
59 static bool pdb_samba_dsdb_sid_to_id(struct pdb_methods *m, const struct dom_sid *sid,
62 static bool pdb_samba_dsdb_pull_time(struct ldb_message *msg, const char *attr,
66 if (! ldb_msg_find_element(msg, attr)) {
69 tmp = ldb_msg_find_attr_as_uint64(msg, attr, 0);
70 *ptime = nt_time_to_unix(tmp);
74 static struct pdb_domain_info *pdb_samba_dsdb_get_domain_info(
75 struct pdb_methods *m, TALLOC_CTX *mem_ctx)
77 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
78 m->private_data, struct pdb_samba_dsdb_state);
79 struct pdb_domain_info *info;
80 struct dom_sid *domain_sid;
81 struct ldb_dn *forest_dn, *domain_dn;
82 struct ldb_result *dom_res = NULL;
83 const char *dom_attrs[] = {
92 info = talloc(mem_ctx, struct pdb_domain_info);
97 domain_dn = ldb_get_default_basedn(state->ldb);
99 ret = ldb_search(state->ldb, info, &dom_res,
100 domain_dn, LDB_SCOPE_BASE, dom_attrs, NULL);
101 if (ret != LDB_SUCCESS) {
104 if (dom_res->count != 1) {
108 info->guid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
110 domain_sid = samdb_result_dom_sid(state, dom_res->msgs[0], "objectSid");
114 info->sid = *domain_sid;
116 TALLOC_FREE(dom_res);
118 info->name = talloc_strdup(info, lpcfg_sam_name(state->lp_ctx));
119 info->dns_domain = ldb_dn_canonical_string(info, domain_dn);
121 if (!info->dns_domain) {
124 p = strchr(info->dns_domain, '/');
129 forest_dn = ldb_get_root_basedn(state->ldb);
134 info->dns_forest = ldb_dn_canonical_string(info, forest_dn);
135 if (!info->dns_forest) {
138 p = strchr(info->dns_forest, '/');
146 TALLOC_FREE(dom_res);
151 static struct ldb_message *pdb_samba_dsdb_get_samu_private(
152 struct pdb_methods *m, struct samu *sam)
154 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
155 m->private_data, struct pdb_samba_dsdb_state);
156 struct ldb_message *msg;
157 char *sidstr, *filter;
160 msg = (struct ldb_message *)
161 pdb_get_backend_private_data(sam, m);
164 return talloc_get_type_abort(msg, struct ldb_message);
167 sidstr = dom_sid_string(talloc_tos(), pdb_get_user_sid(sam));
168 if (sidstr == NULL) {
172 filter = talloc_asprintf(
173 talloc_tos(), "(&(objectsid=%s)(objectclass=user))", sidstr);
175 if (filter == NULL) {
179 status = pdb_samba_dsdb_getsamupriv(state, filter, sam, &msg);
181 if (!NT_STATUS_IS_OK(status)) {
188 static NTSTATUS pdb_samba_dsdb_init_sam_from_priv(struct pdb_methods *m,
190 struct ldb_message *msg)
192 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
193 m->private_data, struct pdb_samba_dsdb_state);
194 TALLOC_CTX *frame = talloc_stackframe();
195 NTSTATUS status = NT_STATUS_INTERNAL_DB_CORRUPTION;
198 struct dom_sid *sid, group_sid;
200 const DATA_BLOB *blob;
202 str = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
204 DEBUG(10, ("no samAccountName\n"));
207 pdb_set_username(sam, str, PDB_SET);
209 if (pdb_samba_dsdb_pull_time(msg, "lastLogon", &tmp_time)) {
210 pdb_set_logon_time(sam, tmp_time, PDB_SET);
212 if (pdb_samba_dsdb_pull_time(msg, "lastLogoff", &tmp_time)) {
213 pdb_set_logoff_time(sam, tmp_time, PDB_SET);
215 if (pdb_samba_dsdb_pull_time(msg, "pwdLastSet", &tmp_time)) {
216 pdb_set_pass_last_set_time(sam, tmp_time, PDB_SET);
218 if (pdb_samba_dsdb_pull_time(msg, "accountExpires", &tmp_time)) {
219 pdb_set_kickoff_time(sam, tmp_time, PDB_SET);
222 str = ldb_msg_find_attr_as_string(msg, "displayName",
225 pdb_set_fullname(sam, str, PDB_SET);
228 str = ldb_msg_find_attr_as_string(msg, "homeDirectory",
231 pdb_set_homedir(sam, str, PDB_SET);
234 str = ldb_msg_find_attr_as_string(msg, "homeDrive", NULL);
236 pdb_set_dir_drive(sam, str, PDB_SET);
239 str = ldb_msg_find_attr_as_string(msg, "scriptPath", NULL);
241 pdb_set_logon_script(sam, str, PDB_SET);
244 str = ldb_msg_find_attr_as_string(msg, "profilePath",
247 pdb_set_profile_path(sam, str, PDB_SET);
250 str = ldb_msg_find_attr_as_string(msg, "comment",
253 pdb_set_comment(sam, str, PDB_SET);
256 str = ldb_msg_find_attr_as_string(msg, "description",
259 pdb_set_acct_desc(sam, str, PDB_SET);
262 str = ldb_msg_find_attr_as_string(msg, "userWorkstations",
265 pdb_set_workstations(sam, str, PDB_SET);
268 blob = ldb_msg_find_ldb_val(msg, "userParameters");
270 str = base64_encode_data_blob(frame, *blob);
272 DEBUG(0, ("base64_encode_data_blob() failed\n"));
275 pdb_set_munged_dial(sam, str, PDB_SET);
278 sid = samdb_result_dom_sid(talloc_tos(), msg, "objectSid");
280 DEBUG(10, ("Could not pull SID\n"));
283 pdb_set_user_sid(sam, sid, PDB_SET);
285 n = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed");
287 DEBUG(10, ("Could not pull userAccountControl\n"));
290 pdb_set_acct_ctrl(sam, n, PDB_SET);
292 blob = ldb_msg_find_ldb_val(msg, "unicodePwd");
294 if (blob->length != NT_HASH_LEN) {
295 DEBUG(0, ("Got NT hash of length %d, expected %d\n",
296 (int)blob->length, NT_HASH_LEN));
299 pdb_set_nt_passwd(sam, blob->data, PDB_SET);
302 blob = ldb_msg_find_ldb_val(msg, "dBCSPwd");
304 if (blob->length != LM_HASH_LEN) {
305 DEBUG(0, ("Got LM hash of length %d, expected %d\n",
306 (int)blob->length, LM_HASH_LEN));
309 pdb_set_lanman_passwd(sam, blob->data, PDB_SET);
312 n = ldb_msg_find_attr_as_uint(msg, "primaryGroupID", 0);
314 DEBUG(10, ("Could not pull primaryGroupID\n"));
317 sid_compose(&group_sid, samdb_domain_sid(state->ldb), n);
318 pdb_set_group_sid(sam, &group_sid, PDB_SET);
320 status = NT_STATUS_OK;
326 static bool pdb_samba_dsdb_add_time(struct ldb_message *msg,
327 const char *attrib, time_t t)
331 unix_to_nt_time(&nt_time, t);
333 return ldb_msg_add_fmt(msg, attrib, "%llu", (unsigned long long) nt_time);
336 static int pdb_samba_dsdb_replace_by_sam(struct pdb_samba_dsdb_state *state,
337 bool (*need_update)(const struct samu *,
342 TALLOC_CTX *frame = talloc_stackframe();
343 int ret = LDB_SUCCESS;
345 struct ldb_message *msg;
346 struct ldb_request *req;
347 uint32_t dsdb_flags = 0;
348 /* TODO: All fields :-) */
350 msg = ldb_msg_new(frame);
358 /* build modify request */
359 ret = ldb_build_mod_req(&req, state->ldb, frame, msg, NULL, NULL,
360 ldb_op_default_callback,
362 if (ret != LDB_SUCCESS) {
367 /* If we set a plaintext password, the system will
368 * force the pwdLastSet to now() */
369 if (need_update(sam, PDB_PASSLASTSET)) {
370 dsdb_flags |= DSDB_PASSWORD_BYPASS_LAST_SET;
372 ret |= pdb_samba_dsdb_add_time(msg, "pwdLastSet",
373 pdb_get_pass_last_set_time(sam));
376 pw = pdb_get_plaintext_passwd(sam);
377 if (need_update(sam, PDB_PLAINTEXT_PW)) {
378 struct ldb_val pw_utf16;
381 return LDB_ERR_OPERATIONS_ERROR;
384 if (!convert_string_talloc(msg,
387 (void *)&pw_utf16.data,
390 return LDB_ERR_OPERATIONS_ERROR;
392 ret |= ldb_msg_add_value(msg, "clearTextPassword", &pw_utf16, NULL);
394 bool changed_lm_pw = false;
395 bool changed_nt_pw = false;
396 bool changed_history = false;
397 if (need_update(sam, PDB_LMPASSWD)) {
399 val.data = discard_const_p(uint8_t, pdb_get_lanman_passwd(sam));
401 samdb_msg_add_delete(state->ldb, msg, msg,
404 val.length = LM_HASH_LEN;
405 ret |= ldb_msg_add_value(msg, "dBCSPwd", &val, NULL);
407 changed_lm_pw = true;
409 if (need_update(sam, PDB_NTPASSWD)) {
411 val.data = discard_const_p(uint8_t, pdb_get_nt_passwd(sam));
413 samdb_msg_add_delete(state->ldb, msg, msg,
416 val.length = NT_HASH_LEN;
417 ret |= ldb_msg_add_value(msg, "unicodePwd", &val, NULL);
419 changed_nt_pw = true;
422 /* Try to ensure we don't get out of sync */
423 if (changed_lm_pw && !changed_nt_pw) {
424 samdb_msg_add_delete(state->ldb, msg, msg,
426 } else if (changed_nt_pw && !changed_lm_pw) {
427 samdb_msg_add_delete(state->ldb, msg, msg,
430 if (changed_lm_pw || changed_nt_pw) {
431 samdb_msg_add_delete(state->ldb, msg, msg,
432 "supplementalCredentials");
436 if (need_update(sam, PDB_PWHISTORY)) {
437 uint32_t current_hist_len;
438 const uint8_t *history = pdb_get_pw_history(sam, ¤t_hist_len);
440 bool invalid_history = false;
441 struct samr_Password *history_hashes = talloc_array(talloc_tos(), struct samr_Password,
444 invalid_history = true;
447 /* Parse the history into the correct format */
448 for (i = 0; i < current_hist_len; i++) {
449 if (!all_zero(&history[i*PW_HISTORY_ENTRY_LEN],
451 /* If the history is in the old format, with a salted hash, then we can't migrate it to AD format */
452 invalid_history = true;
455 /* Copy out the 2nd 16 bytes of the 32 byte password history, containing the NT hash */
456 memcpy(history_hashes[i].hash,
457 &history[(i*PW_HISTORY_ENTRY_LEN) + PW_HISTORY_SALT_LEN],
458 sizeof(history_hashes[i].hash));
461 if (invalid_history) {
462 ret |= samdb_msg_add_delete(state->ldb, msg, msg,
465 ret |= samdb_msg_add_delete(state->ldb, msg, msg,
468 ret |= samdb_msg_add_hashes(state->ldb, msg, msg,
473 changed_history = true;
475 if (changed_lm_pw || changed_nt_pw || changed_history) {
476 /* These attributes can only be modified directly by using a special control */
477 dsdb_flags |= DSDB_BYPASS_PASSWORD_HASH;
481 /* PDB_USERSID is only allowed on ADD, handled in caller */
482 if (need_update(sam, PDB_GROUPSID)) {
483 const struct dom_sid *sid = pdb_get_group_sid(sam);
485 NTSTATUS status = dom_sid_split_rid(NULL, sid, NULL, &rid);
486 if (!NT_STATUS_IS_OK(status)) {
488 return LDB_ERR_OPERATIONS_ERROR;
490 if (!dom_sid_in_domain(samdb_domain_sid(state->ldb), sid)) {
492 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
494 ret |= samdb_msg_add_uint(state->ldb, msg, msg, "primaryGroupID", rid);
496 if (need_update(sam, PDB_FULLNAME)) {
497 ret |= ldb_msg_add_string(msg, "displayName", pdb_get_fullname(sam));
500 if (need_update(sam, PDB_SMBHOME)) {
501 ret |= ldb_msg_add_string(msg, "homeDirectory",
502 pdb_get_homedir(sam));
505 if (need_update(sam, PDB_PROFILE)) {
506 ret |= ldb_msg_add_string(msg, "profilePath",
507 pdb_get_profile_path(sam));
510 if (need_update(sam, PDB_DRIVE)) {
511 ret |= ldb_msg_add_string(msg, "homeDrive",
512 pdb_get_dir_drive(sam));
515 if (need_update(sam, PDB_LOGONSCRIPT)) {
516 ret |= ldb_msg_add_string(msg, "scriptPath",
517 pdb_get_logon_script(sam));
520 if (need_update(sam, PDB_KICKOFFTIME)) {
521 ret |= pdb_samba_dsdb_add_time(msg, "accountExpires",
522 pdb_get_kickoff_time(sam));
525 if (need_update(sam, PDB_LOGONTIME)) {
526 ret |= pdb_samba_dsdb_add_time(msg, "lastLogon",
527 pdb_get_logon_time(sam));
530 if (need_update(sam, PDB_LOGOFFTIME)) {
531 ret |= pdb_samba_dsdb_add_time(msg, "lastLogoff",
532 pdb_get_logoff_time(sam));
535 if (need_update(sam, PDB_USERNAME)) {
536 ret |= ldb_msg_add_string(msg, "samAccountName",
537 pdb_get_username(sam));
540 if (need_update(sam, PDB_HOURSLEN) || need_update(sam, PDB_HOURS)) {
541 struct ldb_val hours = data_blob_const(pdb_get_hours(sam), pdb_get_hours_len(sam));
542 ret |= ldb_msg_add_value(msg, "logonHours",
546 if (need_update(sam, PDB_ACCTCTRL)) {
547 ret |= samdb_msg_add_acct_flags(state->ldb, msg, msg,
548 "userAccountControl", pdb_get_acct_ctrl(sam));
551 if (need_update(sam, PDB_COMMENT)) {
552 ret |= ldb_msg_add_string(msg, "comment",
553 pdb_get_comment(sam));
556 if (need_update(sam, PDB_ACCTDESC)) {
557 ret |= ldb_msg_add_string(msg, "description",
558 pdb_get_acct_desc(sam));
561 if (need_update(sam, PDB_WORKSTATIONS)) {
562 ret |= ldb_msg_add_string(msg, "userWorkstations",
563 pdb_get_workstations(sam));
566 /* This will need work, it is actually a UTF8 'string' with internal NULLs, to handle TS parameters */
567 if (need_update(sam, PDB_MUNGEDDIAL)) {
568 const char *base64_munged_dial = NULL;
570 base64_munged_dial = pdb_get_munged_dial(sam);
571 if (base64_munged_dial != NULL && strlen(base64_munged_dial) > 0) {
574 blob = base64_decode_data_blob_talloc(msg,
576 if (blob.data == NULL) {
577 DEBUG(0, ("Failed to decode userParameters from "
578 "munged dialback string[%s] for %s\n",
580 ldb_dn_get_linearized(msg->dn)));
582 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
584 ret |= ldb_msg_add_steal_value(msg, "userParameters",
589 if (need_update(sam, PDB_COUNTRY_CODE)) {
590 ret |= ldb_msg_add_fmt(msg, "countryCode",
591 "%i", (int)pdb_get_country_code(sam));
594 if (need_update(sam, PDB_CODE_PAGE)) {
595 ret |= ldb_msg_add_fmt(msg, "codePage",
596 "%i", (int)pdb_get_code_page(sam));
599 /* Not yet handled here or not meaningful for modifies on a Samba_Dsdb backend:
600 PDB_BAD_PASSWORD_TIME,
601 PDB_CANCHANGETIME, - these are calculated per policy, not stored
603 PDB_NTUSERNAME, - this makes no sense, and never really did
605 PDB_USERSID, - Handled in pdb_samba_dsdb_add_sam_account()
607 PDB_BAD_PASSWORD_COUNT,
610 PDB_BACKEND_PRIVATE_DATA,
613 if (ret != LDB_SUCCESS) {
615 return LDB_ERR_OPERATIONS_ERROR;
618 if (msg->num_elements == 0) {
620 /* Nothing to do, just return success */
624 ret = dsdb_replace(state->ldb, msg, dsdb_flags);
626 if (ret != LDB_SUCCESS) {
627 DEBUG(0,("Failed to modify account record %s to set user attributes: %s\n",
628 ldb_dn_get_linearized(msg->dn),
629 ldb_errstring(state->ldb)));
636 static NTSTATUS pdb_samba_dsdb_getsamupriv(struct pdb_samba_dsdb_state *state,
639 struct ldb_message **msg)
641 const char * attrs[] = {
642 "lastLogon", "lastLogoff", "pwdLastSet", "accountExpires",
643 "sAMAccountName", "displayName", "homeDirectory",
644 "homeDrive", "scriptPath", "profilePath", "description",
645 "userWorkstations", "comment", "userParameters", "objectSid",
646 "primaryGroupID", "userAccountControl",
647 "msDS-User-Account-Control-Computed", "logonHours",
648 "badPwdCount", "logonCount", "countryCode", "codePage",
649 "unicodePwd", "dBCSPwd", NULL };
651 int rc = dsdb_search_one(state->ldb, mem_ctx, msg, ldb_get_default_basedn(state->ldb), LDB_SCOPE_SUBTREE, attrs, 0, "%s", filter);
652 if (rc != LDB_SUCCESS) {
653 DEBUG(10, ("ldap_search failed %s\n",
654 ldb_errstring(state->ldb)));
655 return NT_STATUS_LDAP(rc);
661 static NTSTATUS pdb_samba_dsdb_getsampwfilter(struct pdb_methods *m,
662 struct pdb_samba_dsdb_state *state,
663 struct samu *sam_acct,
664 const char *exp_fmt, ...)
665 PRINTF_ATTRIBUTE(4,5);
667 static NTSTATUS pdb_samba_dsdb_getsampwfilter(struct pdb_methods *m,
668 struct pdb_samba_dsdb_state *state,
669 struct samu *sam_acct,
670 const char *exp_fmt, ...)
672 struct ldb_message *priv;
675 char *expression = NULL;
676 TALLOC_CTX *tmp_ctx = talloc_new(state);
677 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
679 va_start(ap, exp_fmt);
680 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
684 talloc_free(tmp_ctx);
685 return NT_STATUS_NO_MEMORY;
688 status = pdb_samba_dsdb_getsamupriv(state, expression, sam_acct, &priv);
689 talloc_free(tmp_ctx);
690 if (!NT_STATUS_IS_OK(status)) {
691 DEBUG(10, ("pdb_samba_dsdb_getsamupriv failed: %s\n",
696 status = pdb_samba_dsdb_init_sam_from_priv(m, sam_acct, priv);
697 if (!NT_STATUS_IS_OK(status)) {
698 DEBUG(10, ("pdb_samba_dsdb_init_sam_from_priv failed: %s\n",
704 pdb_set_backend_private_data(sam_acct, priv, NULL, m, PDB_SET);
708 static NTSTATUS pdb_samba_dsdb_getsampwnam(struct pdb_methods *m,
709 struct samu *sam_acct,
710 const char *username)
712 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
713 m->private_data, struct pdb_samba_dsdb_state);
715 return pdb_samba_dsdb_getsampwfilter(m, state, sam_acct,
716 "(&(samaccountname=%s)(objectclass=user))",
720 static NTSTATUS pdb_samba_dsdb_getsampwsid(struct pdb_methods *m,
721 struct samu *sam_acct,
722 const struct dom_sid *sid)
725 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
726 m->private_data, struct pdb_samba_dsdb_state);
729 sidstr = dom_sid_string(talloc_tos(), sid);
730 NT_STATUS_HAVE_NO_MEMORY(sidstr);
732 status = pdb_samba_dsdb_getsampwfilter(m, state, sam_acct,
733 "(&(objectsid=%s)(objectclass=user))",
739 static NTSTATUS pdb_samba_dsdb_create_user(struct pdb_methods *m,
741 const char *name, uint32_t acct_flags,
744 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
745 m->private_data, struct pdb_samba_dsdb_state);
749 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
750 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
752 /* Internally this uses transactions to ensure all the steps
753 * happen or fail as one */
754 status = dsdb_add_user(state->ldb, tmp_ctx, name, acct_flags, NULL,
756 if (!NT_STATUS_IS_OK(status)) {
757 talloc_free(tmp_ctx);
760 sid_peek_rid(sid, rid);
761 talloc_free(tmp_ctx);
765 static NTSTATUS pdb_samba_dsdb_delete_user(struct pdb_methods *m,
769 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
770 m->private_data, struct pdb_samba_dsdb_state);
773 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
774 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
776 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, pdb_get_user_sid(sam)));
777 if (!dn || !ldb_dn_validate(dn)) {
778 talloc_free(tmp_ctx);
779 return NT_STATUS_NO_MEMORY;
781 rc = ldb_delete(state->ldb, dn);
783 if (rc != LDB_SUCCESS) {
784 DEBUG(10, ("ldb_delete for %s failed: %s\n", ldb_dn_get_linearized(dn),
785 ldb_errstring(state->ldb)));
786 talloc_free(tmp_ctx);
787 return NT_STATUS_LDAP(rc);
789 talloc_free(tmp_ctx);
793 /* This interface takes a fully populated struct samu and places it in
794 * the database. This is not implemented at this time as we need to
795 * be careful around the creation of arbitary SIDs (ie, we must ensrue
796 * they are not left in a RID pool */
797 static NTSTATUS pdb_samba_dsdb_add_sam_account(struct pdb_methods *m,
798 struct samu *sampass)
803 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
804 m->private_data, struct pdb_samba_dsdb_state);
805 uint32_t acb_flags = pdb_get_acct_ctrl(sampass);
806 const char *username = pdb_get_username(sampass);
807 const struct dom_sid *user_sid = pdb_get_user_sid(sampass);
808 TALLOC_CTX *tframe = talloc_stackframe();
810 acb_flags &= (ACB_NORMAL|ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST);
812 ret = ldb_transaction_start(state->ldb);
813 if (ret != LDB_SUCCESS) {
815 return NT_STATUS_LOCK_NOT_GRANTED;
818 status = dsdb_add_user(state->ldb, talloc_tos(), username,
819 acb_flags, user_sid, NULL, &dn);
820 if (!NT_STATUS_IS_OK(status)) {
821 ldb_transaction_cancel(state->ldb);
826 ret = pdb_samba_dsdb_replace_by_sam(state, pdb_element_is_set_or_changed,
828 if (ret != LDB_SUCCESS) {
829 ldb_transaction_cancel(state->ldb);
831 return dsdb_ldb_err_to_ntstatus(ret);
834 ret = ldb_transaction_commit(state->ldb);
835 if (ret != LDB_SUCCESS) {
836 DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n",
837 ldb_dn_get_linearized(dn),
838 ldb_errstring(state->ldb)));
840 return NT_STATUS_INTERNAL_DB_CORRUPTION;
847 * Update the Samba_Dsdb LDB with the changes from a struct samu.
849 * This takes care not to update elements that have not been changed
852 static NTSTATUS pdb_samba_dsdb_update_sam_account(struct pdb_methods *m,
855 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
856 m->private_data, struct pdb_samba_dsdb_state);
857 struct ldb_message *msg = pdb_samba_dsdb_get_samu_private(
861 ret = pdb_samba_dsdb_replace_by_sam(state, pdb_element_is_changed, msg->dn,
863 return dsdb_ldb_err_to_ntstatus(ret);
866 static NTSTATUS pdb_samba_dsdb_delete_sam_account(struct pdb_methods *m,
867 struct samu *username)
870 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
871 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
872 status = pdb_samba_dsdb_delete_user(m, tmp_ctx, username);
873 talloc_free(tmp_ctx);
877 static NTSTATUS pdb_samba_dsdb_rename_sam_account(struct pdb_methods *m,
878 struct samu *oldname,
881 return NT_STATUS_NOT_IMPLEMENTED;
884 /* This is not implemented, as this module is exptected to be used
885 * with auth_samba_dsdb, and this is responible for login counters etc
888 static NTSTATUS pdb_samba_dsdb_update_login_attempts(struct pdb_methods *m,
889 struct samu *sam_acct,
892 return NT_STATUS_NOT_IMPLEMENTED;
895 static NTSTATUS pdb_samba_dsdb_getgrfilter(struct pdb_methods *m,
897 const char *exp_fmt, ...)
898 PRINTF_ATTRIBUTE(3,4);
900 static NTSTATUS pdb_samba_dsdb_getgrfilter(struct pdb_methods *m, GROUP_MAP *map,
901 const char *exp_fmt, ...)
903 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
904 m->private_data, struct pdb_samba_dsdb_state);
905 const char *attrs[] = { "objectClass", "objectSid", "description", "samAccountName", "groupType",
907 struct ldb_message *msg;
909 char *expression = NULL;
913 struct id_map id_map;
914 struct id_map *id_maps[2];
915 TALLOC_CTX *tmp_ctx = talloc_stackframe();
916 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
918 va_start(ap, exp_fmt);
919 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
923 talloc_free(tmp_ctx);
924 return NT_STATUS_NO_MEMORY;
927 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, ldb_get_default_basedn(state->ldb), LDB_SCOPE_SUBTREE, attrs, 0, "%s", expression);
928 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
929 talloc_free(tmp_ctx);
930 return NT_STATUS_NO_SUCH_GROUP;
931 } else if (rc != LDB_SUCCESS) {
932 talloc_free(tmp_ctx);
933 DEBUG(10, ("dsdb_search_one failed %s\n",
934 ldb_errstring(state->ldb)));
935 return NT_STATUS_LDAP(rc);
938 sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
940 talloc_free(tmp_ctx);
941 DEBUG(10, ("Could not pull SID\n"));
942 return NT_STATUS_INTERNAL_DB_CORRUPTION;
947 if (samdb_find_attribute(state->ldb, msg, "objectClass", "group")) {
949 uint32_t grouptype = ldb_msg_find_attr_as_uint(msg, "groupType", 0);
951 case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP:
952 case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP:
953 map->sid_name_use = SID_NAME_ALIAS;
955 case GTYPE_SECURITY_GLOBAL_GROUP:
956 map->sid_name_use = SID_NAME_DOM_GRP;
959 talloc_free(tmp_ctx);
960 DEBUG(10, ("Could not pull groupType\n"));
961 return NT_STATUS_INTERNAL_DB_CORRUPTION;
966 id_maps[0] = &id_map;
969 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
971 if (!NT_STATUS_IS_OK(status)) {
972 talloc_free(tmp_ctx);
975 if (id_map.xid.type == ID_TYPE_GID || id_map.xid.type == ID_TYPE_BOTH) {
976 map->gid = id_map.xid.id;
978 DEBUG(1, (__location__ "Did not get GUID when mapping SID for %s", expression));
979 talloc_free(tmp_ctx);
980 return NT_STATUS_INTERNAL_DB_CORRUPTION;
982 } else if (samdb_find_attribute(state->ldb, msg, "objectClass", "user")) {
983 DEBUG(1, (__location__ "Got SID_NAME_USER when searching for a group with %s", expression));
984 talloc_free(tmp_ctx);
985 return NT_STATUS_INTERNAL_DB_CORRUPTION;
988 str = ldb_msg_find_attr_as_string(msg, "samAccountName",
991 talloc_free(tmp_ctx);
992 return NT_STATUS_INTERNAL_DB_CORRUPTION;
994 map->nt_name = talloc_strdup(map, str);
996 talloc_free(tmp_ctx);
997 return NT_STATUS_NO_MEMORY;
1000 str = ldb_msg_find_attr_as_string(msg, "description",
1003 map->comment = talloc_strdup(map, str);
1005 map->comment = talloc_strdup(map, "");
1007 if (!map->comment) {
1008 talloc_free(tmp_ctx);
1009 return NT_STATUS_NO_MEMORY;
1012 talloc_free(tmp_ctx);
1013 return NT_STATUS_OK;
1016 static NTSTATUS pdb_samba_dsdb_getgrsid(struct pdb_methods *m, GROUP_MAP *map,
1022 filter = talloc_asprintf(talloc_tos(),
1023 "(&(objectsid=%s)(objectclass=group))",
1024 sid_string_talloc(talloc_tos(), &sid));
1025 if (filter == NULL) {
1026 return NT_STATUS_NO_MEMORY;
1029 status = pdb_samba_dsdb_getgrfilter(m, map, "%s", filter);
1030 TALLOC_FREE(filter);
1034 static NTSTATUS pdb_samba_dsdb_getgrgid(struct pdb_methods *m, GROUP_MAP *map,
1037 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1038 m->private_data, struct pdb_samba_dsdb_state);
1040 struct id_map id_map;
1041 struct id_map *id_maps[2];
1042 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1043 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1045 id_map.xid.id = gid;
1046 id_map.xid.type = ID_TYPE_GID;
1047 id_maps[0] = &id_map;
1050 status = idmap_xids_to_sids(state->idmap_ctx, tmp_ctx, id_maps);
1051 if (!NT_STATUS_IS_OK(status)) {
1052 talloc_free(tmp_ctx);
1055 status = pdb_samba_dsdb_getgrsid(m, map, *id_map.sid);
1056 talloc_free(tmp_ctx);
1060 static NTSTATUS pdb_samba_dsdb_getgrnam(struct pdb_methods *m, GROUP_MAP *map,
1066 filter = talloc_asprintf(talloc_tos(),
1067 "(&(samaccountname=%s)(objectclass=group))",
1069 if (filter == NULL) {
1070 return NT_STATUS_NO_MEMORY;
1073 status = pdb_samba_dsdb_getgrfilter(m, map, "%s", filter);
1074 TALLOC_FREE(filter);
1078 static NTSTATUS pdb_samba_dsdb_create_dom_group(struct pdb_methods *m,
1079 TALLOC_CTX *mem_ctx, const char *name,
1082 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1083 m->private_data, struct pdb_samba_dsdb_state);
1085 struct dom_sid *sid;
1087 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1088 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1090 status = dsdb_add_domain_group(state->ldb, tmp_ctx, name, &sid, &dn);
1091 if (!NT_STATUS_IS_OK(status)) {
1092 talloc_free(tmp_ctx);
1096 sid_peek_rid(sid, rid);
1097 talloc_free(tmp_ctx);
1098 return NT_STATUS_OK;
1101 static NTSTATUS pdb_samba_dsdb_delete_dom_group(struct pdb_methods *m,
1102 TALLOC_CTX *mem_ctx, uint32_t rid)
1104 const char *attrs[] = { NULL };
1105 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1106 m->private_data, struct pdb_samba_dsdb_state);
1108 struct ldb_message *msg;
1111 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1112 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1114 sid_compose(&sid, samdb_domain_sid(state->ldb), rid);
1116 if (ldb_transaction_start(state->ldb) != LDB_SUCCESS) {
1117 DEBUG(0, ("Unable to start transaction in pdb_samba_dsdb_delete_dom_group()\n"));
1118 return NT_STATUS_INTERNAL_ERROR;
1121 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, &sid));
1122 if (!dn || !ldb_dn_validate(dn)) {
1123 talloc_free(tmp_ctx);
1124 ldb_transaction_cancel(state->ldb);
1125 return NT_STATUS_NO_MEMORY;
1127 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs, 0, "objectclass=group");
1128 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1129 talloc_free(tmp_ctx);
1130 ldb_transaction_cancel(state->ldb);
1131 return NT_STATUS_NO_SUCH_GROUP;
1133 rc = ldb_delete(state->ldb, dn);
1134 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1135 talloc_free(tmp_ctx);
1136 ldb_transaction_cancel(state->ldb);
1137 return NT_STATUS_NO_SUCH_GROUP;
1138 } else if (rc != LDB_SUCCESS) {
1139 DEBUG(10, ("ldb_delete failed %s\n",
1140 ldb_errstring(state->ldb)));
1141 ldb_transaction_cancel(state->ldb);
1142 return NT_STATUS_LDAP(rc);
1145 if (ldb_transaction_commit(state->ldb) != LDB_SUCCESS) {
1146 DEBUG(0, ("Unable to commit transaction in pdb_samba_dsdb_delete_dom_group()\n"));
1147 return NT_STATUS_INTERNAL_ERROR;
1149 return NT_STATUS_OK;
1152 static NTSTATUS pdb_samba_dsdb_add_group_mapping_entry(struct pdb_methods *m,
1155 return NT_STATUS_NOT_IMPLEMENTED;
1158 static NTSTATUS pdb_samba_dsdb_update_group_mapping_entry(struct pdb_methods *m,
1161 return NT_STATUS_NOT_IMPLEMENTED;
1164 static NTSTATUS pdb_samba_dsdb_delete_group_mapping_entry(struct pdb_methods *m,
1167 return NT_STATUS_NOT_IMPLEMENTED;
1170 static NTSTATUS pdb_samba_dsdb_enum_group_mapping(struct pdb_methods *m,
1171 const struct dom_sid *sid,
1172 enum lsa_SidType sid_name_use,
1173 GROUP_MAP ***pp_rmap,
1174 size_t *p_num_entries,
1177 return NT_STATUS_NOT_IMPLEMENTED;
1180 static NTSTATUS pdb_samba_dsdb_enum_group_members(struct pdb_methods *m,
1181 TALLOC_CTX *mem_ctx,
1182 const struct dom_sid *group,
1183 uint32_t **pmembers,
1184 size_t *pnum_members)
1186 unsigned int i, num_sids, num_members;
1187 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1188 m->private_data, struct pdb_samba_dsdb_state);
1189 struct dom_sid *members_as_sids;
1190 struct dom_sid *dom_sid;
1195 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1196 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1198 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, group));
1199 if (!dn || !ldb_dn_validate(dn)) {
1200 return NT_STATUS_NO_MEMORY;
1203 status = dsdb_enum_group_mem(state->ldb, tmp_ctx, dn, &members_as_sids, &num_sids);
1204 if (!NT_STATUS_IS_OK(status)) {
1205 talloc_free(tmp_ctx);
1208 status = dom_sid_split_rid(tmp_ctx, group, &dom_sid, NULL);
1209 if (!NT_STATUS_IS_OK(status)) {
1210 talloc_free(tmp_ctx);
1214 *pmembers = members = talloc_array(mem_ctx, uint32_t, num_sids);
1215 if (*pmembers == NULL) {
1216 TALLOC_FREE(tmp_ctx);
1217 return NT_STATUS_NO_MEMORY;
1221 for (i = 0; i < num_sids; i++) {
1222 if (!dom_sid_in_domain(dom_sid, &members_as_sids[i])) {
1225 status = dom_sid_split_rid(NULL, &members_as_sids[i],
1226 NULL, &members[num_members]);
1227 if (!NT_STATUS_IS_OK(status)) {
1228 talloc_free(tmp_ctx);
1233 *pnum_members = num_members;
1234 return NT_STATUS_OK;
1237 /* Just convert the primary group SID into a group */
1238 static NTSTATUS fake_enum_group_memberships(struct pdb_samba_dsdb_state *state,
1239 TALLOC_CTX *mem_ctx,
1241 struct dom_sid **pp_sids,
1243 uint32_t *p_num_groups)
1246 size_t num_groups = 0;
1247 struct dom_sid *group_sids = NULL;
1249 TALLOC_CTX *tmp_ctx;
1251 tmp_ctx = talloc_new(mem_ctx);
1252 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1254 if (user->group_sid) {
1255 struct id_map *id_maps[2];
1256 struct id_map id_map;
1260 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_groups);
1261 if (group_sids == NULL) {
1262 talloc_free(tmp_ctx);
1263 return NT_STATUS_NO_MEMORY;
1265 gids = talloc_array(tmp_ctx, gid_t, num_groups);
1267 talloc_free(tmp_ctx);
1268 return NT_STATUS_NO_MEMORY;
1271 group_sids[0] = *user->group_sid;
1273 ZERO_STRUCT(id_map);
1274 id_map.sid = &group_sids[0];
1275 id_maps[0] = &id_map;
1278 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
1279 if (!NT_STATUS_IS_OK(status)) {
1280 talloc_free(tmp_ctx);
1283 if (id_map.xid.type == ID_TYPE_GID || id_map.xid.type == ID_TYPE_BOTH) {
1284 gids[0] = id_map.xid.id;
1286 DEBUG(1, (__location__
1287 "Group %s, of which %s is a member, could not be converted to a GID\n",
1288 dom_sid_string(tmp_ctx, &group_sids[0]),
1289 dom_sid_string(tmp_ctx, &user->user_sid)));
1290 talloc_free(tmp_ctx);
1291 /* We must error out, otherwise a user might
1292 * avoid a DENY acl based on a group they
1294 return NT_STATUS_NO_SUCH_GROUP;
1298 *pp_sids = talloc_steal(mem_ctx, group_sids);
1299 *pp_gids = talloc_steal(mem_ctx, gids);
1300 *p_num_groups = num_groups;
1301 talloc_free(tmp_ctx);
1302 return NT_STATUS_OK;
1305 static NTSTATUS pdb_samba_dsdb_enum_group_memberships(struct pdb_methods *m,
1306 TALLOC_CTX *mem_ctx,
1308 struct dom_sid **pp_sids,
1310 uint32_t *p_num_groups)
1312 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1313 m->private_data, struct pdb_samba_dsdb_state);
1314 struct ldb_message *msg = pdb_samba_dsdb_get_samu_private(
1316 const char *attrs[] = { "tokenGroups", NULL};
1317 struct ldb_message *tokengroups_msg;
1318 struct ldb_message_element *tokengroups;
1321 unsigned int count = 0;
1323 struct dom_sid *group_sids;
1325 TALLOC_CTX *tmp_ctx;
1328 /* Fake up some things here */
1329 return fake_enum_group_memberships(state,
1332 pp_gids, p_num_groups);
1335 tmp_ctx = talloc_new(mem_ctx);
1336 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1338 rc = dsdb_search_one(state->ldb, tmp_ctx, &tokengroups_msg, msg->dn, LDB_SCOPE_BASE, attrs, 0, NULL);
1340 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1341 talloc_free(tmp_ctx);
1342 return NT_STATUS_NO_SUCH_USER;
1343 } else if (rc != LDB_SUCCESS) {
1344 DEBUG(10, ("dsdb_search_one failed %s\n",
1345 ldb_errstring(state->ldb)));
1346 talloc_free(tmp_ctx);
1347 return NT_STATUS_LDAP(rc);
1350 tokengroups = ldb_msg_find_element(tokengroups_msg, "tokenGroups");
1353 count = tokengroups->num_values;
1356 group_sids = talloc_array(tmp_ctx, struct dom_sid, count);
1357 if (group_sids == NULL) {
1358 talloc_free(tmp_ctx);
1359 return NT_STATUS_NO_MEMORY;
1361 gids = talloc_array(tmp_ctx, gid_t, count);
1363 talloc_free(tmp_ctx);
1364 return NT_STATUS_NO_MEMORY;
1368 for (i=0; i<count; i++) {
1369 struct id_map *id_maps[2];
1370 struct id_map id_map;
1371 struct ldb_val *v = &tokengroups->values[i];
1372 enum ndr_err_code ndr_err
1373 = ndr_pull_struct_blob(v, group_sids, &group_sids[num_groups],
1374 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
1375 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1376 talloc_free(tmp_ctx);
1377 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1380 ZERO_STRUCT(id_map);
1381 id_map.sid = &group_sids[num_groups];
1382 id_maps[0] = &id_map;
1385 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
1386 if (!NT_STATUS_IS_OK(status)) {
1387 talloc_free(tmp_ctx);
1390 if (id_map.xid.type == ID_TYPE_GID || id_map.xid.type == ID_TYPE_BOTH) {
1391 gids[num_groups] = id_map.xid.id;
1393 DEBUG(1, (__location__
1394 "Group %s, of which %s is a member, could not be converted to a GID\n",
1395 dom_sid_string(tmp_ctx, &group_sids[num_groups]),
1396 ldb_dn_get_linearized(msg->dn)));
1397 talloc_free(tmp_ctx);
1398 /* We must error out, otherwise a user might
1399 * avoid a DENY acl based on a group they
1401 return NT_STATUS_NO_SUCH_GROUP;
1405 if (num_groups == count) {
1410 *pp_sids = talloc_steal(mem_ctx, group_sids);
1411 *pp_gids = talloc_steal(mem_ctx, gids);
1412 *p_num_groups = num_groups;
1413 talloc_free(tmp_ctx);
1414 return NT_STATUS_OK;
1417 static NTSTATUS pdb_samba_dsdb_set_unix_primary_group(struct pdb_methods *m,
1418 TALLOC_CTX *mem_ctx,
1421 return NT_STATUS_NOT_IMPLEMENTED;
1424 static NTSTATUS pdb_samba_dsdb_mod_groupmem_by_sid(struct pdb_methods *m,
1425 TALLOC_CTX *mem_ctx,
1426 const struct dom_sid *groupsid,
1427 const struct dom_sid *membersid,
1430 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1431 m->private_data, struct pdb_samba_dsdb_state);
1432 struct ldb_message *msg;
1434 struct ldb_message_element *el;
1435 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1436 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1437 msg = ldb_msg_new(tmp_ctx);
1439 TALLOC_FREE(tmp_ctx);
1440 return NT_STATUS_NO_MEMORY;
1443 msg->dn = ldb_dn_new_fmt(msg, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, groupsid));
1444 if (!msg->dn || !ldb_dn_validate(msg->dn)) {
1445 talloc_free(tmp_ctx);
1446 return NT_STATUS_NO_MEMORY;
1448 ret = ldb_msg_add_fmt(msg, "member", "<SID=%s>", dom_sid_string(tmp_ctx, membersid));
1449 if (ret != LDB_SUCCESS) {
1450 talloc_free(tmp_ctx);
1451 return NT_STATUS_NO_MEMORY;
1453 el = ldb_msg_find_element(msg, "member");
1456 /* No need for transactions here, the ldb auto-transaction
1457 * code will handle things for the single operation */
1458 ret = ldb_modify(state->ldb, msg);
1459 talloc_free(tmp_ctx);
1460 if (ret != LDB_SUCCESS) {
1461 DEBUG(10, ("ldb_modify failed: %s\n",
1462 ldb_errstring(state->ldb)));
1463 if (ret == LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS) {
1464 return NT_STATUS_MEMBER_IN_GROUP;
1466 if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
1467 return NT_STATUS_MEMBER_NOT_IN_GROUP;
1469 return NT_STATUS_LDAP(ret);
1472 return NT_STATUS_OK;
1475 static NTSTATUS pdb_samba_dsdb_mod_groupmem(struct pdb_methods *m,
1476 TALLOC_CTX *mem_ctx,
1477 uint32_t grouprid, uint32_t memberrid,
1480 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1481 m->private_data, struct pdb_samba_dsdb_state);
1482 const struct dom_sid *dom_sid, *groupsid, *membersid;
1484 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1485 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1487 dom_sid = samdb_domain_sid(state->ldb);
1489 groupsid = dom_sid_add_rid(tmp_ctx, dom_sid, grouprid);
1490 if (groupsid == NULL) {
1491 TALLOC_FREE(tmp_ctx);
1492 return NT_STATUS_NO_MEMORY;
1494 membersid = dom_sid_add_rid(tmp_ctx, dom_sid, memberrid);
1495 if (membersid == NULL) {
1496 TALLOC_FREE(tmp_ctx);
1497 return NT_STATUS_NO_MEMORY;
1499 status = pdb_samba_dsdb_mod_groupmem_by_sid(m, tmp_ctx, groupsid, membersid, mod_op);
1500 talloc_free(tmp_ctx);
1504 static NTSTATUS pdb_samba_dsdb_add_groupmem(struct pdb_methods *m,
1505 TALLOC_CTX *mem_ctx,
1506 uint32_t group_rid, uint32_t member_rid)
1508 return pdb_samba_dsdb_mod_groupmem(m, mem_ctx, group_rid, member_rid,
1512 static NTSTATUS pdb_samba_dsdb_del_groupmem(struct pdb_methods *m,
1513 TALLOC_CTX *mem_ctx,
1514 uint32_t group_rid, uint32_t member_rid)
1516 return pdb_samba_dsdb_mod_groupmem(m, mem_ctx, group_rid, member_rid,
1517 LDB_FLAG_MOD_DELETE);
1520 static NTSTATUS pdb_samba_dsdb_create_alias(struct pdb_methods *m,
1521 const char *name, uint32_t *rid)
1523 TALLOC_CTX *frame = talloc_stackframe();
1524 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1525 m->private_data, struct pdb_samba_dsdb_state);
1526 struct dom_sid *sid;
1531 /* Internally this uses transactions to ensure all the steps
1532 * happen or fail as one */
1533 status = dsdb_add_domain_alias(state->ldb, frame, name, &sid, &dn);
1534 if (!NT_STATUS_IS_OK(status)) {
1538 sid_peek_rid(sid, rid);
1540 return NT_STATUS_OK;
1543 static NTSTATUS pdb_samba_dsdb_delete_alias(struct pdb_methods *m,
1544 const struct dom_sid *sid)
1546 const char *attrs[] = { NULL };
1547 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1548 m->private_data, struct pdb_samba_dsdb_state);
1549 struct ldb_message *msg;
1552 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1553 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1555 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, sid));
1556 if (!dn || !ldb_dn_validate(dn)) {
1557 talloc_free(tmp_ctx);
1558 return NT_STATUS_NO_MEMORY;
1561 if (ldb_transaction_start(state->ldb) != LDB_SUCCESS) {
1562 DEBUG(0, ("Failed to start transaction in dsdb_add_domain_alias(): %s\n", ldb_errstring(state->ldb)));
1563 talloc_free(tmp_ctx);
1564 return NT_STATUS_INTERNAL_ERROR;
1567 rc = dsdb_search_one(state->ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs, 0, "(objectclass=group)"
1568 "(|(grouptype=%d)(grouptype=%d)))",
1569 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
1570 GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
1571 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1572 talloc_free(tmp_ctx);
1573 ldb_transaction_cancel(state->ldb);
1574 return NT_STATUS_NO_SUCH_ALIAS;
1576 rc = ldb_delete(state->ldb, dn);
1577 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
1578 talloc_free(tmp_ctx);
1579 ldb_transaction_cancel(state->ldb);
1580 return NT_STATUS_NO_SUCH_ALIAS;
1581 } else if (rc != LDB_SUCCESS) {
1582 DEBUG(10, ("ldb_delete failed %s\n",
1583 ldb_errstring(state->ldb)));
1584 ldb_transaction_cancel(state->ldb);
1585 talloc_free(tmp_ctx);
1586 return NT_STATUS_LDAP(rc);
1589 if (ldb_transaction_commit(state->ldb) != LDB_SUCCESS) {
1590 DEBUG(0, ("Failed to commit transaction in pdb_samba_dsdb_delete_alias(): %s\n",
1591 ldb_errstring(state->ldb)));
1592 talloc_free(tmp_ctx);
1593 return NT_STATUS_INTERNAL_ERROR;
1596 talloc_free(tmp_ctx);
1597 return NT_STATUS_OK;
1601 static NTSTATUS pdb_samba_dsdb_set_aliasinfo(struct pdb_methods *m,
1602 const struct dom_sid *sid,
1603 struct acct_info *info)
1605 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1606 m->private_data, struct pdb_samba_dsdb_state);
1607 struct tldap_context *ld;
1608 const char *attrs[3] = { "objectSid", "description",
1610 struct ldb_message **msg;
1613 struct tldap_mod *mods;
1617 ld = pdb_samba_dsdb_ld(state);
1619 return NT_STATUS_LDAP(TLDAP_SERVER_DOWN);
1622 sidstr = sid_binstring(talloc_tos(), sid);
1623 NT_STATUS_HAVE_NO_MEMORY(sidstr);
1625 rc = pdb_samba_dsdb_search_fmt(state, state->domaindn, TLDAP_SCOPE_SUB,
1626 attrs, ARRAY_SIZE(attrs), 0, talloc_tos(),
1627 &msg, "(&(objectSid=%s)(objectclass=group)"
1628 "(|(grouptype=%d)(grouptype=%d)))",
1629 sidstr, GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
1630 GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
1632 if (rc != LDB_SUCCESS) {
1633 DEBUG(10, ("ldap_search failed %s\n",
1634 ldb_errstring(state->ldb)));
1635 return NT_STATUS_LDAP(rc);
1637 switch talloc_array_length(msg) {
1639 return NT_STATUS_NO_SUCH_ALIAS;
1643 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1646 if (!tldap_entry_dn(msg[0], &dn)) {
1648 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1655 ok &= tldap_make_mod_fmt(
1656 msg[0], msg, &num_mods, &mods, "description",
1657 "%s", info->acct_desc);
1658 ok &= tldap_make_mod_fmt(
1659 msg[0], msg, &num_mods, &mods, "samAccountName",
1660 "%s", info->acct_name);
1663 return NT_STATUS_NO_MEMORY;
1665 if (num_mods == 0) {
1668 return NT_STATUS_OK;
1671 rc = tldap_modify(ld, dn, num_mods, mods, NULL, 0, NULL, 0);
1673 if (rc != LDB_SUCCESS) {
1674 DEBUG(10, ("ldap_modify failed: %s\n",
1675 ldb_errstring(state->ldb)));
1676 return NT_STATUS_LDAP(rc);
1678 return NT_STATUS_OK;
1681 static NTSTATUS pdb_samba_dsdb_add_aliasmem(struct pdb_methods *m,
1682 const struct dom_sid *alias,
1683 const struct dom_sid *member)
1686 TALLOC_CTX *frame = talloc_stackframe();
1687 status = pdb_samba_dsdb_mod_groupmem_by_sid(m, frame, alias, member, LDB_FLAG_MOD_ADD);
1692 static NTSTATUS pdb_samba_dsdb_del_aliasmem(struct pdb_methods *m,
1693 const struct dom_sid *alias,
1694 const struct dom_sid *member)
1697 TALLOC_CTX *frame = talloc_stackframe();
1698 status = pdb_samba_dsdb_mod_groupmem_by_sid(m, frame, alias, member, LDB_FLAG_MOD_DELETE);
1703 static NTSTATUS pdb_samba_dsdb_enum_aliasmem(struct pdb_methods *m,
1704 const struct dom_sid *alias,
1705 TALLOC_CTX *mem_ctx,
1706 struct dom_sid **pmembers,
1707 size_t *pnum_members)
1709 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1710 m->private_data, struct pdb_samba_dsdb_state);
1712 unsigned int num_members;
1714 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1715 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1717 dn = ldb_dn_new_fmt(tmp_ctx, state->ldb, "<SID=%s>", dom_sid_string(tmp_ctx, alias));
1718 if (!dn || !ldb_dn_validate(dn)) {
1719 return NT_STATUS_NO_MEMORY;
1722 status = dsdb_enum_group_mem(state->ldb, mem_ctx, dn, pmembers, &num_members);
1723 *pnum_members = num_members;
1724 if (NT_STATUS_IS_OK(status)) {
1725 talloc_steal(mem_ctx, pmembers);
1727 talloc_free(tmp_ctx);
1731 static NTSTATUS pdb_samba_dsdb_enum_alias_memberships(struct pdb_methods *m,
1732 TALLOC_CTX *mem_ctx,
1733 const struct dom_sid *domain_sid,
1734 const struct dom_sid *members,
1736 uint32_t **palias_rids,
1737 size_t *pnum_alias_rids)
1739 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1740 m->private_data, struct pdb_samba_dsdb_state);
1741 uint32_t *alias_rids = NULL;
1742 size_t num_alias_rids = 0;
1744 struct dom_sid *groupSIDs = NULL;
1745 unsigned int num_groupSIDs = 0;
1748 const char *sid_string;
1752 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1753 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1755 * TODO: Get the filter right so that we only get the aliases from
1756 * either the SAM or BUILTIN
1759 filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
1760 GROUP_TYPE_BUILTIN_LOCAL_GROUP);
1761 if (filter == NULL) {
1762 return NT_STATUS_NO_MEMORY;
1765 for (i = 0; i < num_members; i++) {
1766 sid_string = dom_sid_string(tmp_ctx, &members[i]);
1767 if (sid_string == NULL) {
1768 TALLOC_FREE(tmp_ctx);
1769 return NT_STATUS_NO_MEMORY;
1772 sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
1773 if (sid_dn == NULL) {
1774 TALLOC_FREE(tmp_ctx);
1775 return NT_STATUS_NO_MEMORY;
1778 sid_blob = data_blob_string_const(sid_dn);
1780 status = dsdb_expand_nested_groups(state->ldb, &sid_blob, true, filter,
1781 tmp_ctx, &groupSIDs, &num_groupSIDs);
1782 if (!NT_STATUS_IS_OK(status)) {
1783 talloc_free(tmp_ctx);
1788 alias_rids = talloc_array(mem_ctx, uint32_t, num_groupSIDs);
1789 if (alias_rids == NULL) {
1790 talloc_free(tmp_ctx);
1791 return NT_STATUS_NO_MEMORY;
1794 for (i=0; i<num_groupSIDs; i++) {
1795 if (sid_peek_check_rid(domain_sid, &groupSIDs[i],
1796 &alias_rids[num_alias_rids])) {
1801 *palias_rids = alias_rids;
1802 *pnum_alias_rids = num_alias_rids;
1803 return NT_STATUS_OK;
1806 static NTSTATUS pdb_samba_dsdb_lookup_rids(struct pdb_methods *m,
1807 const struct dom_sid *domain_sid,
1811 enum lsa_SidType *lsa_attrs)
1813 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1814 m->private_data, struct pdb_samba_dsdb_state);
1817 TALLOC_CTX *tmp_ctx;
1819 if (num_rids == 0) {
1820 return NT_STATUS_NONE_MAPPED;
1823 tmp_ctx = talloc_stackframe();
1824 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1826 status = dsdb_lookup_rids(state->ldb, tmp_ctx, domain_sid, num_rids, rids, names, lsa_attrs);
1827 talloc_free(tmp_ctx);
1831 static NTSTATUS pdb_samba_dsdb_lookup_names(struct pdb_methods *m,
1832 const struct dom_sid *domain_sid,
1834 const char **pp_names,
1836 enum lsa_SidType *attrs)
1838 return NT_STATUS_NOT_IMPLEMENTED;
1841 static NTSTATUS pdb_samba_dsdb_get_account_policy(struct pdb_methods *m,
1842 enum pdb_policy_type type,
1845 return account_policy_get(type, value)
1846 ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1849 static NTSTATUS pdb_samba_dsdb_set_account_policy(struct pdb_methods *m,
1850 enum pdb_policy_type type,
1853 return account_policy_set(type, value)
1854 ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1857 static NTSTATUS pdb_samba_dsdb_get_seq_num(struct pdb_methods *m,
1858 time_t *seq_num_out)
1860 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1861 m->private_data, struct pdb_samba_dsdb_state);
1863 int ret = ldb_sequence_number(state->ldb, LDB_SEQ_HIGHEST_SEQ, &seq_num);
1864 if (ret == LDB_SUCCESS) {
1865 *seq_num_out = seq_num;
1866 return NT_STATUS_OK;
1868 return NT_STATUS_UNSUCCESSFUL;
1872 struct pdb_samba_dsdb_search_state {
1873 uint32_t acct_flags;
1874 struct samr_displayentry *entries;
1875 uint32_t num_entries;
1880 static bool pdb_samba_dsdb_next_entry(struct pdb_search *search,
1881 struct samr_displayentry *entry)
1883 struct pdb_samba_dsdb_search_state *state = talloc_get_type_abort(
1884 search->private_data, struct pdb_samba_dsdb_search_state);
1886 if (state->current == state->num_entries) {
1890 entry->idx = state->entries[state->current].idx;
1891 entry->rid = state->entries[state->current].rid;
1892 entry->acct_flags = state->entries[state->current].acct_flags;
1894 entry->account_name = talloc_strdup(
1895 search, state->entries[state->current].account_name);
1896 entry->fullname = talloc_strdup(
1897 search, state->entries[state->current].fullname);
1898 entry->description = talloc_strdup(
1899 search, state->entries[state->current].description);
1901 state->current += 1;
1905 static void pdb_samba_dsdb_search_end(struct pdb_search *search)
1907 struct pdb_samba_dsdb_search_state *state = talloc_get_type_abort(
1908 search->private_data, struct pdb_samba_dsdb_search_state);
1912 static bool pdb_samba_dsdb_search_filter(struct pdb_methods *m,
1913 struct pdb_search *search,
1914 struct pdb_samba_dsdb_search_state **pstate,
1915 const char *exp_fmt, ...)
1916 PRINTF_ATTRIBUTE(4, 5);
1918 static bool pdb_samba_dsdb_search_filter(struct pdb_methods *m,
1919 struct pdb_search *search,
1920 struct pdb_samba_dsdb_search_state **pstate,
1921 const char *exp_fmt, ...)
1923 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
1924 m->private_data, struct pdb_samba_dsdb_state);
1925 struct pdb_samba_dsdb_search_state *sstate;
1926 const char * attrs[] = { "objectSid", "sAMAccountName", "displayName",
1927 "userAccountControl", "description", NULL };
1928 struct ldb_result *res;
1929 int i, rc, num_users;
1932 char *expression = NULL;
1934 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1939 va_start(ap, exp_fmt);
1940 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
1944 talloc_free(tmp_ctx);
1945 return LDB_ERR_OPERATIONS_ERROR;
1948 sstate = talloc_zero(tmp_ctx, struct pdb_samba_dsdb_search_state);
1949 if (sstate == NULL) {
1950 talloc_free(tmp_ctx);
1954 rc = dsdb_search(state->ldb, tmp_ctx, &res, ldb_get_default_basedn(state->ldb), LDB_SCOPE_SUBTREE, attrs, 0, "%s", expression);
1955 if (rc != LDB_SUCCESS) {
1956 talloc_free(tmp_ctx);
1957 DEBUG(10, ("dsdb_search failed: %s\n",
1958 ldb_errstring(state->ldb)));
1962 num_users = res->count;
1964 sstate->entries = talloc_array(sstate, struct samr_displayentry,
1966 if (sstate->entries == NULL) {
1967 talloc_free(tmp_ctx);
1968 DEBUG(10, ("talloc failed\n"));
1972 sstate->num_entries = 0;
1974 for (i=0; i<num_users; i++) {
1975 struct samr_displayentry *e;
1976 struct dom_sid *sid;
1978 e = &sstate->entries[sstate->num_entries];
1980 e->idx = sstate->num_entries;
1981 sid = samdb_result_dom_sid(tmp_ctx, res->msgs[i], "objectSid");
1983 talloc_free(tmp_ctx);
1984 DEBUG(10, ("Could not pull SID\n"));
1987 sid_peek_rid(sid, &e->rid);
1989 e->acct_flags = samdb_result_acct_flags(res->msgs[i], "userAccountControl");
1990 e->account_name = ldb_msg_find_attr_as_string(
1991 res->msgs[i], "samAccountName", NULL);
1992 if (e->account_name == NULL) {
1993 talloc_free(tmp_ctx);
1996 e->fullname = ldb_msg_find_attr_as_string(
1997 res->msgs[i], "displayName", "");
1998 e->description = ldb_msg_find_attr_as_string(
1999 res->msgs[i], "description", "");
2001 sstate->num_entries += 1;
2002 if (sstate->num_entries >= num_users) {
2006 talloc_steal(sstate->entries, res->msgs);
2007 search->private_data = talloc_steal(search, sstate);
2008 search->next_entry = pdb_samba_dsdb_next_entry;
2009 search->search_end = pdb_samba_dsdb_search_end;
2011 talloc_free(tmp_ctx);
2015 static bool pdb_samba_dsdb_search_users(struct pdb_methods *m,
2016 struct pdb_search *search,
2017 uint32_t acct_flags)
2019 struct pdb_samba_dsdb_search_state *sstate;
2022 ret = pdb_samba_dsdb_search_filter(m, search, &sstate, "(objectclass=user)");
2026 sstate->acct_flags = acct_flags;
2030 static bool pdb_samba_dsdb_search_groups(struct pdb_methods *m,
2031 struct pdb_search *search)
2033 struct pdb_samba_dsdb_search_state *sstate;
2036 ret = pdb_samba_dsdb_search_filter(m, search, &sstate,
2037 "(&(grouptype=%d)(objectclass=group))",
2038 GTYPE_SECURITY_GLOBAL_GROUP);
2042 sstate->acct_flags = 0;
2046 static bool pdb_samba_dsdb_search_aliases(struct pdb_methods *m,
2047 struct pdb_search *search,
2048 const struct dom_sid *sid)
2050 struct pdb_samba_dsdb_search_state *sstate;
2053 ret = pdb_samba_dsdb_search_filter(m, search, &sstate,
2054 "(&(grouptype=%d)(objectclass=group))",
2055 sid_check_is_builtin(sid)
2056 ? GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
2057 : GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
2061 sstate->acct_flags = 0;
2066 * Instead of taking a gid or uid, this function takes a pointer to a
2069 * This acts as an in-out variable so that the idmap functions can correctly
2070 * receive ID_TYPE_BOTH, and this function ensures cache details are filled
2071 * correctly rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID.
2073 static bool pdb_samba_dsdb_id_to_sid(struct pdb_methods *m, struct unixid *id,
2074 struct dom_sid *sid)
2076 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2077 m->private_data, struct pdb_samba_dsdb_state);
2079 struct id_map id_map;
2080 struct id_map *id_maps[2];
2081 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2087 id_maps[0] = &id_map;
2090 status = idmap_xids_to_sids(state->idmap_ctx, tmp_ctx, id_maps);
2091 if (!NT_STATUS_IS_OK(status)) {
2092 talloc_free(tmp_ctx);
2096 if (id_map.xid.type != ID_TYPE_NOT_SPECIFIED) {
2097 id->type = id_map.xid.type;
2100 talloc_free(tmp_ctx);
2104 static bool pdb_samba_dsdb_sid_to_id(struct pdb_methods *m, const struct dom_sid *sid,
2107 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2108 m->private_data, struct pdb_samba_dsdb_state);
2109 struct id_map id_map;
2110 struct id_map *id_maps[2];
2112 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2117 ZERO_STRUCT(id_map);
2118 id_map.sid = discard_const_p(struct dom_sid, sid);
2119 id_maps[0] = &id_map;
2122 status = idmap_sids_to_xids(state->idmap_ctx, tmp_ctx, id_maps);
2123 talloc_free(tmp_ctx);
2124 if (!NT_STATUS_IS_OK(status)) {
2127 if (id_map.xid.type != ID_TYPE_NOT_SPECIFIED) {
2134 static uint32_t pdb_samba_dsdb_capabilities(struct pdb_methods *m)
2136 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS;
2139 static bool pdb_samba_dsdb_new_rid(struct pdb_methods *m, uint32_t *rid)
2144 static bool pdb_samba_dsdb_get_trusteddom_pw(struct pdb_methods *m,
2145 const char *domain, char** pwd,
2146 struct dom_sid *sid,
2147 time_t *pass_last_set_time)
2149 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2150 m->private_data, struct pdb_samba_dsdb_state);
2151 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2152 const char * const attrs[] = {
2153 "securityIdentifier",
2156 "trustAuthOutgoing",
2158 "msDS-SupportedEncryptionTypes",
2164 struct ldb_message *msg;
2165 const struct ldb_val *password_val;
2166 int trust_direction_flags;
2169 DATA_BLOB password_utf16;
2170 struct trustAuthInOutBlob password_blob;
2171 struct AuthenticationInformationArray *auth_array;
2172 char *password_talloc;
2173 size_t password_len;
2174 enum ndr_err_code ndr_err;
2176 const char *netbios_domain = NULL;
2177 const struct dom_sid *domain_sid = NULL;
2179 status = dsdb_trust_search_tdo(state->ldb, domain, NULL,
2180 attrs, tmp_ctx, &msg);
2181 if (!NT_STATUS_IS_OK(status)) {
2183 * This can be called to work out of a domain is
2184 * trusted, rather than just to get the password
2186 DEBUG(2, ("Failed to get trusted domain password for %s - %s. "
2187 "It may not be a trusted domain.\n", domain,
2188 nt_errstr(status)));
2189 TALLOC_FREE(tmp_ctx);
2193 netbios_domain = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
2194 if (netbios_domain == NULL) {
2195 DEBUG(2, ("Trusted domain %s has to flatName defined.\n",
2197 TALLOC_FREE(tmp_ctx);
2201 domain_sid = samdb_result_dom_sid(tmp_ctx, msg, "securityIdentifier");
2202 if (domain_sid == NULL) {
2203 DEBUG(2, ("Trusted domain %s has no securityIdentifier defined.\n",
2205 TALLOC_FREE(tmp_ctx);
2209 trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
2210 if (!(trust_direction_flags & LSA_TRUST_DIRECTION_OUTBOUND)) {
2211 DEBUG(2, ("Trusted domain %s is is not an outbound trust.\n",
2213 TALLOC_FREE(tmp_ctx);
2217 trust_type = ldb_msg_find_attr_as_int(msg, "trustType", 0);
2218 if (trust_type == LSA_TRUST_TYPE_MIT) {
2219 DEBUG(1, ("Trusted domain %s is is not an AD trust "
2220 "(trustType == LSA_TRUST_TYPE_MIT).\n",
2222 TALLOC_FREE(tmp_ctx);
2226 password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
2227 if (password_val == NULL) {
2228 DEBUG(2, ("Failed to get trusted domain password for %s, "
2229 "attribute trustAuthOutgoing not returned.\n", domain));
2230 TALLOC_FREE(tmp_ctx);
2234 ndr_err = ndr_pull_struct_blob(password_val, tmp_ctx, &password_blob,
2235 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2236 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2237 DEBUG(0, ("Failed to get trusted domain password for %s, "
2238 "attribute trustAuthOutgoing coult not be parsed %s.\n",
2240 ndr_map_error2string(ndr_err)));
2241 TALLOC_FREE(tmp_ctx);
2245 auth_array = &password_blob.current;
2247 for (i=0; i < auth_array->count; i++) {
2248 if (auth_array->array[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
2253 if (i == auth_array->count) {
2254 DEBUG(0, ("Trusted domain %s does not have a "
2255 "clear-text password stored\n",
2257 TALLOC_FREE(tmp_ctx);
2261 password_utf16 = data_blob_const(auth_array->array[i].AuthInfo.clear.password,
2262 auth_array->array[i].AuthInfo.clear.size);
2265 * In the future, make this function return a
2266 * cli_credentials that can store a MD4 hash with cli_credential_set_nt_hash()
2267 * but for now convert to UTF8 and fail if the string can not be converted.
2269 * We can't safely convert the random strings windows uses into
2272 if (!convert_string_talloc(tmp_ctx,
2273 CH_UTF16MUNGED, CH_UTF8,
2274 password_utf16.data, password_utf16.length,
2275 (void *)&password_talloc,
2277 DEBUG(0, ("FIXME: Could not convert password for trusted domain %s"
2278 " to UTF8. This may be a password set from Windows.\n",
2280 TALLOC_FREE(tmp_ctx);
2283 *pwd = SMB_STRNDUP(password_talloc, password_len);
2284 if (pass_last_set_time) {
2285 *pass_last_set_time = nt_time_to_unix(auth_array->array[i].LastUpdateTime);
2289 sid_copy(sid, domain_sid);
2292 TALLOC_FREE(tmp_ctx);
2296 static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
2298 TALLOC_CTX *mem_ctx,
2299 struct cli_credentials **_creds)
2301 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2302 m->private_data, struct pdb_samba_dsdb_state);
2303 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2304 const char * const attrs[] = {
2305 "securityIdentifier",
2308 "trustAuthOutgoing",
2310 "msDS-SupportedEncryptionTypes",
2316 struct ldb_message *msg;
2317 const struct ldb_val *password_val;
2318 int trust_direction_flags;
2321 DATA_BLOB password_utf16 = {};
2322 struct samr_Password *password_nt = NULL;
2323 uint32_t password_version = 0;
2324 DATA_BLOB old_password_utf16 = {};
2325 struct samr_Password *old_password_nt = NULL;
2326 struct trustAuthInOutBlob password_blob;
2327 enum ndr_err_code ndr_err;
2329 time_t last_set_time = 0;
2330 struct cli_credentials *creds = NULL;
2332 const char *my_netbios_name = NULL;
2333 const char *my_netbios_domain = NULL;
2334 const char *my_dns_domain = NULL;
2335 const char *netbios_domain = NULL;
2336 char *account_name = NULL;
2337 char *principal_name = NULL;
2338 const char *dns_domain = NULL;
2340 status = dsdb_trust_search_tdo(state->ldb, domain, NULL,
2341 attrs, tmp_ctx, &msg);
2342 if (!NT_STATUS_IS_OK(status)) {
2344 * This can be called to work out of a domain is
2345 * trusted, rather than just to get the password
2347 DEBUG(2, ("Failed to get trusted domain password for %s - %s "
2348 "It may not be a trusted domain.\n", domain,
2349 nt_errstr(status)));
2350 TALLOC_FREE(tmp_ctx);
2351 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2354 netbios_domain = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
2355 if (netbios_domain == NULL) {
2356 DEBUG(2, ("Trusted domain %s has to flatName defined.\n",
2358 TALLOC_FREE(tmp_ctx);
2359 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2362 dns_domain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
2364 trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
2365 if (!(trust_direction_flags & LSA_TRUST_DIRECTION_OUTBOUND)) {
2366 DEBUG(2, ("Trusted domain %s is is not an outbound trust.\n",
2368 TALLOC_FREE(tmp_ctx);
2369 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2372 trust_type = ldb_msg_find_attr_as_int(msg, "trustType", 0);
2373 if (trust_type == LSA_TRUST_TYPE_MIT) {
2374 DEBUG(1, ("Trusted domain %s is is not an AD trust "
2375 "(trustType == LSA_TRUST_TYPE_MIT).\n",
2377 TALLOC_FREE(tmp_ctx);
2378 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2381 password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
2382 if (password_val == NULL) {
2383 DEBUG(2, ("Failed to get trusted domain password for %s, "
2384 "attribute trustAuthOutgoing not returned.\n", domain));
2385 TALLOC_FREE(tmp_ctx);
2386 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2389 ndr_err = ndr_pull_struct_blob(password_val, tmp_ctx, &password_blob,
2390 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2391 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2392 DEBUG(0, ("Failed to get trusted domain password for %s, "
2393 "attribute trustAuthOutgoing coult not be parsed %s.\n",
2395 ndr_map_error2string(ndr_err)));
2396 TALLOC_FREE(tmp_ctx);
2397 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2400 for (i=0; i < password_blob.current.count; i++) {
2401 struct AuthenticationInformation *a =
2402 &password_blob.current.array[i];
2404 switch (a->AuthType) {
2405 case TRUST_AUTH_TYPE_NONE:
2408 case TRUST_AUTH_TYPE_VERSION:
2409 password_version = a->AuthInfo.version.version;
2412 case TRUST_AUTH_TYPE_CLEAR:
2413 last_set_time = nt_time_to_unix(a->LastUpdateTime);
2415 password_utf16 = data_blob_const(a->AuthInfo.clear.password,
2416 a->AuthInfo.clear.size);
2420 case TRUST_AUTH_TYPE_NT4OWF:
2421 if (password_utf16.length != 0) {
2425 last_set_time = nt_time_to_unix(a->LastUpdateTime);
2427 password_nt = &a->AuthInfo.nt4owf.password;
2432 for (i=0; i < password_blob.previous.count; i++) {
2433 struct AuthenticationInformation *a = &password_blob.previous.array[i];
2435 switch (a->AuthType) {
2436 case TRUST_AUTH_TYPE_NONE:
2439 case TRUST_AUTH_TYPE_VERSION:
2442 case TRUST_AUTH_TYPE_CLEAR:
2443 old_password_utf16 = data_blob_const(a->AuthInfo.clear.password,
2444 a->AuthInfo.clear.size);
2445 old_password_nt = NULL;
2448 case TRUST_AUTH_TYPE_NT4OWF:
2449 if (old_password_utf16.length != 0) {
2453 old_password_nt = &a->AuthInfo.nt4owf.password;
2458 if (password_utf16.length == 0 && password_nt == NULL) {
2459 DEBUG(0, ("Trusted domain %s does not have a "
2460 "clear-text nor nt password stored\n",
2462 TALLOC_FREE(tmp_ctx);
2463 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2466 my_netbios_name = lpcfg_netbios_name(state->lp_ctx);
2467 my_netbios_domain = lpcfg_workgroup(state->lp_ctx);
2468 my_dns_domain = lpcfg_dnsdomain(state->lp_ctx);
2470 creds = cli_credentials_init(tmp_ctx);
2471 if (creds == NULL) {
2472 TALLOC_FREE(tmp_ctx);
2473 return NT_STATUS_NO_MEMORY;
2476 ok = cli_credentials_set_workstation(creds, my_netbios_name, CRED_SPECIFIED);
2478 TALLOC_FREE(tmp_ctx);
2479 return NT_STATUS_NO_MEMORY;
2482 ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
2484 TALLOC_FREE(tmp_ctx);
2485 return NT_STATUS_NO_MEMORY;
2487 ok = cli_credentials_set_realm(creds, dns_domain, CRED_SPECIFIED);
2489 TALLOC_FREE(tmp_ctx);
2490 return NT_STATUS_NO_MEMORY;
2493 if (my_dns_domain != NULL && dns_domain != NULL) {
2494 cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DNS_DOMAIN);
2495 account_name = talloc_asprintf(tmp_ctx, "%s.", my_dns_domain);
2496 if (account_name == NULL) {
2497 TALLOC_FREE(tmp_ctx);
2498 return NT_STATUS_NO_MEMORY;
2500 principal_name = talloc_asprintf(tmp_ctx, "%s$@%s", my_netbios_domain,
2501 cli_credentials_get_realm(creds));
2502 if (principal_name == NULL) {
2503 TALLOC_FREE(tmp_ctx);
2504 return NT_STATUS_NO_MEMORY;
2507 cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DOMAIN);
2508 account_name = talloc_asprintf(tmp_ctx, "%s$", my_netbios_domain);
2509 if (account_name == NULL) {
2510 TALLOC_FREE(tmp_ctx);
2511 return NT_STATUS_NO_MEMORY;
2513 principal_name = NULL;
2516 ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
2518 TALLOC_FREE(tmp_ctx);
2519 return NT_STATUS_NO_MEMORY;
2522 if (principal_name != NULL) {
2523 ok = cli_credentials_set_principal(creds, principal_name,
2526 TALLOC_FREE(tmp_ctx);
2527 return NT_STATUS_NO_MEMORY;
2531 if (old_password_nt != NULL) {
2532 ok = cli_credentials_set_old_nt_hash(creds, old_password_nt);
2534 TALLOC_FREE(tmp_ctx);
2535 return NT_STATUS_NO_MEMORY;
2539 if (old_password_utf16.length > 0) {
2540 ok = cli_credentials_set_old_utf16_password(creds,
2541 &old_password_utf16);
2543 TALLOC_FREE(tmp_ctx);
2544 return NT_STATUS_NO_MEMORY;
2548 if (password_nt != NULL) {
2549 ok = cli_credentials_set_nt_hash(creds, password_nt,
2552 TALLOC_FREE(tmp_ctx);
2553 return NT_STATUS_NO_MEMORY;
2557 if (password_utf16.length > 0) {
2558 ok = cli_credentials_set_utf16_password(creds,
2562 TALLOC_FREE(tmp_ctx);
2563 return NT_STATUS_NO_MEMORY;
2567 cli_credentials_set_password_last_changed_time(creds, last_set_time);
2568 cli_credentials_set_kvno(creds, password_version);
2570 if (password_utf16.length > 0 && dns_domain != NULL) {
2572 * Force kerberos if this is an active directory domain
2574 cli_credentials_set_kerberos_state(creds,
2575 CRED_MUST_USE_KERBEROS);
2578 * TODO: we should allow krb5 with the raw nt hash.
2580 cli_credentials_set_kerberos_state(creds,
2581 CRED_DONT_USE_KERBEROS);
2584 *_creds = talloc_move(mem_ctx, &creds);
2585 TALLOC_FREE(tmp_ctx);
2586 return NT_STATUS_OK;
2589 static bool pdb_samba_dsdb_set_trusteddom_pw(struct pdb_methods *m,
2590 const char* domain, const char* pwd,
2591 const struct dom_sid *sid)
2593 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2594 m->private_data, struct pdb_samba_dsdb_state);
2595 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2596 const char * const attrs[] = {
2597 "trustAuthOutgoing",
2602 struct ldb_message *msg = NULL;
2603 int trust_direction_flags;
2606 const struct ldb_val *old_val = NULL;
2607 struct trustAuthInOutBlob old_blob = {};
2608 uint32_t old_version = 0;
2609 uint32_t new_version = 0;
2610 DATA_BLOB new_utf16 = {};
2611 struct trustAuthInOutBlob new_blob = {};
2612 struct ldb_val new_val = {};
2613 struct timeval tv = timeval_current();
2614 NTTIME now = timeval_to_nttime(&tv);
2615 enum ndr_err_code ndr_err;
2620 ret = ldb_transaction_start(state->ldb);
2621 if (ret != LDB_SUCCESS) {
2622 DEBUG(2, ("Failed to start transaction.\n"));
2623 TALLOC_FREE(tmp_ctx);
2627 ok = samdb_is_pdc(state->ldb);
2629 DEBUG(2, ("Password changes for domain %s are only allowed on a PDC.\n",
2631 TALLOC_FREE(tmp_ctx);
2632 ldb_transaction_cancel(state->ldb);
2636 status = dsdb_trust_search_tdo(state->ldb, domain, NULL,
2637 attrs, tmp_ctx, &msg);
2638 if (!NT_STATUS_IS_OK(status)) {
2640 * This can be called to work out of a domain is
2641 * trusted, rather than just to get the password
2643 DEBUG(2, ("Failed to get trusted domain password for %s - %s. "
2644 "It may not be a trusted domain.\n", domain,
2645 nt_errstr(status)));
2646 TALLOC_FREE(tmp_ctx);
2647 ldb_transaction_cancel(state->ldb);
2651 trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
2652 if (!(trust_direction_flags & LSA_TRUST_DIRECTION_OUTBOUND)) {
2653 DEBUG(2, ("Trusted domain %s is is not an outbound trust, can't set a password.\n",
2655 TALLOC_FREE(tmp_ctx);
2656 ldb_transaction_cancel(state->ldb);
2660 trust_type = ldb_msg_find_attr_as_int(msg, "trustType", 0);
2661 switch (trust_type) {
2662 case LSA_TRUST_TYPE_DOWNLEVEL:
2663 case LSA_TRUST_TYPE_UPLEVEL:
2666 DEBUG(0, ("Trusted domain %s is of type 0x%X - "
2667 "password changes are not supported\n",
2668 domain, (unsigned)trust_type));
2669 TALLOC_FREE(tmp_ctx);
2670 ldb_transaction_cancel(state->ldb);
2674 old_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
2675 if (old_val != NULL) {
2676 ndr_err = ndr_pull_struct_blob(old_val, tmp_ctx, &old_blob,
2677 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2678 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2679 DEBUG(0, ("Failed to get trusted domain password for %s, "
2680 "attribute trustAuthOutgoing coult not be parsed %s.\n",
2682 ndr_map_error2string(ndr_err)));
2683 TALLOC_FREE(tmp_ctx);
2684 ldb_transaction_cancel(state->ldb);
2689 for (i=0; i < old_blob.current.count; i++) {
2690 struct AuthenticationInformation *a =
2691 &old_blob.current.array[i];
2693 switch (a->AuthType) {
2694 case TRUST_AUTH_TYPE_NONE:
2697 case TRUST_AUTH_TYPE_VERSION:
2698 old_version = a->AuthInfo.version.version;
2701 case TRUST_AUTH_TYPE_CLEAR:
2704 case TRUST_AUTH_TYPE_NT4OWF:
2709 new_version = old_version + 1;
2710 ok = convert_string_talloc(tmp_ctx,
2713 (void *)&new_utf16.data,
2716 DEBUG(0, ("Failed to generate new_utf16 password for domain %s\n",
2718 TALLOC_FREE(tmp_ctx);
2719 ldb_transaction_cancel(state->ldb);
2723 if (new_utf16.length < 28) {
2724 DEBUG(0, ("new_utf16[%zu] version[%u] for domain %s to short.\n",
2726 (unsigned)new_version,
2728 TALLOC_FREE(tmp_ctx);
2729 ldb_transaction_cancel(state->ldb);
2732 if (new_utf16.length > 498) {
2733 DEBUG(0, ("new_utf16[%zu] version[%u] for domain %s to long.\n",
2735 (unsigned)new_version,
2737 TALLOC_FREE(tmp_ctx);
2738 ldb_transaction_cancel(state->ldb);
2742 new_blob.count = MAX(old_blob.current.count, 2);
2743 new_blob.current.array = talloc_zero_array(tmp_ctx,
2744 struct AuthenticationInformation,
2746 if (new_blob.current.array == NULL) {
2747 DEBUG(0, ("talloc_zero_array(%u) failed\n",
2748 (unsigned)new_blob.count));
2749 TALLOC_FREE(tmp_ctx);
2750 ldb_transaction_cancel(state->ldb);
2753 new_blob.previous.array = talloc_zero_array(tmp_ctx,
2754 struct AuthenticationInformation,
2756 if (new_blob.current.array == NULL) {
2757 DEBUG(0, ("talloc_zero_array(%u) failed\n",
2758 (unsigned)new_blob.count));
2759 TALLOC_FREE(tmp_ctx);
2760 ldb_transaction_cancel(state->ldb);
2764 for (i = 0; i < old_blob.current.count; i++) {
2765 struct AuthenticationInformation *o =
2766 &old_blob.current.array[i];
2767 struct AuthenticationInformation *p =
2768 &new_blob.previous.array[i];
2771 new_blob.previous.count++;
2773 for (; i < new_blob.count; i++) {
2774 struct AuthenticationInformation *pi =
2775 &new_blob.previous.array[i];
2779 * new_blob.previous is still empty so
2780 * we'll do new_blob.previous = new_blob.current
2786 pi->LastUpdateTime = now;
2787 pi->AuthType = TRUST_AUTH_TYPE_NONE;
2788 new_blob.previous.count++;
2791 for (i = 0; i < new_blob.count; i++) {
2792 struct AuthenticationInformation *ci =
2793 &new_blob.current.array[i];
2795 ci->LastUpdateTime = now;
2798 ci->AuthType = TRUST_AUTH_TYPE_CLEAR;
2799 ci->AuthInfo.clear.size = new_utf16.length;
2800 ci->AuthInfo.clear.password = new_utf16.data;
2803 ci->AuthType = TRUST_AUTH_TYPE_VERSION;
2804 ci->AuthInfo.version.version = new_version;
2807 ci->AuthType = TRUST_AUTH_TYPE_NONE;
2811 new_blob.current.count++;
2814 if (new_blob.previous.count == 0) {
2815 TALLOC_FREE(new_blob.previous.array);
2816 new_blob.previous = new_blob.current;
2819 ndr_err = ndr_push_struct_blob(&new_val, tmp_ctx, &new_blob,
2820 (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
2821 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2822 DEBUG(0, ("Failed to generate trustAuthOutgoing for "
2823 "trusted domain password for %s: %s.\n",
2824 domain, ndr_map_error2string(ndr_err)));
2825 TALLOC_FREE(tmp_ctx);
2826 ldb_transaction_cancel(state->ldb);
2830 msg->num_elements = 0;
2831 ret = ldb_msg_add_empty(msg, "trustAuthOutgoing",
2832 LDB_FLAG_MOD_REPLACE, NULL);
2833 if (ret != LDB_SUCCESS) {
2834 DEBUG(0, ("ldb_msg_add_empty() failed\n"));
2835 TALLOC_FREE(tmp_ctx);
2836 ldb_transaction_cancel(state->ldb);
2839 ret = ldb_msg_add_value(msg, "trustAuthOutgoing",
2841 if (ret != LDB_SUCCESS) {
2842 DEBUG(0, ("ldb_msg_add_value() failed\n"));
2843 TALLOC_FREE(tmp_ctx);
2844 ldb_transaction_cancel(state->ldb);
2848 ret = ldb_modify(state->ldb, msg);
2849 if (ret != LDB_SUCCESS) {
2850 DEBUG(0, ("Failed to replace trustAuthOutgoing for "
2851 "trusted domain password for %s: %s - %s\n",
2852 domain, ldb_strerror(ret), ldb_errstring(state->ldb)));
2853 TALLOC_FREE(tmp_ctx);
2854 ldb_transaction_cancel(state->ldb);
2858 ret = ldb_transaction_commit(state->ldb);
2859 if (ret != LDB_SUCCESS) {
2860 DEBUG(0, ("Failed to commit trustAuthOutgoing for "
2861 "trusted domain password for %s: %s - %s\n",
2862 domain, ldb_strerror(ret), ldb_errstring(state->ldb)));
2863 TALLOC_FREE(tmp_ctx);
2867 DEBUG(1, ("Added new_version[%u] to trustAuthOutgoing for "
2868 "trusted domain password for %s.\n",
2869 (unsigned)new_version, domain));
2870 TALLOC_FREE(tmp_ctx);
2874 static bool pdb_samba_dsdb_del_trusteddom_pw(struct pdb_methods *m,
2880 static NTSTATUS pdb_samba_dsdb_enum_trusteddoms(struct pdb_methods *m,
2881 TALLOC_CTX *mem_ctx,
2882 uint32_t *_num_domains,
2883 struct trustdom_info ***_domains)
2885 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
2886 m->private_data, struct pdb_samba_dsdb_state);
2887 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2888 const char * const attrs[] = {
2889 "securityIdentifier",
2894 struct ldb_result *res = NULL;
2896 struct trustdom_info **domains = NULL;
2903 status = dsdb_trust_search_tdos(state->ldb, NULL,
2904 attrs, tmp_ctx, &res);
2905 if (!NT_STATUS_IS_OK(status)) {
2906 DBG_ERR("dsdb_trust_search_tdos() - %s ", nt_errstr(status));
2907 TALLOC_FREE(tmp_ctx);
2911 if (res->count == 0) {
2912 TALLOC_FREE(tmp_ctx);
2913 return NT_STATUS_OK;
2916 domains = talloc_zero_array(tmp_ctx, struct trustdom_info *,
2918 if (domains == NULL) {
2919 TALLOC_FREE(tmp_ctx);
2920 return NT_STATUS_NO_MEMORY;
2923 for (i = 0; i < res->count; i++) {
2924 struct ldb_message *msg = res->msgs[i];
2925 struct trustdom_info *d = NULL;
2926 const char *name = NULL;
2927 struct dom_sid *sid = NULL;
2930 d = talloc_zero(domains, struct trustdom_info);
2932 TALLOC_FREE(tmp_ctx);
2933 return NT_STATUS_NO_MEMORY;
2936 name = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
2938 TALLOC_FREE(tmp_ctx);
2939 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2941 sid = samdb_result_dom_sid(msg, msg, "securityIdentifier");
2946 direction = ldb_msg_find_attr_as_uint(msg, "trustDirection", 0);
2947 if (!(direction & LSA_TRUST_DIRECTION_OUTBOUND)) {
2951 d->name = talloc_strdup(d, name);
2952 if (d->name == NULL) {
2953 TALLOC_FREE(tmp_ctx);
2954 return NT_STATUS_NO_MEMORY;
2961 talloc_realloc(domains, domains, struct trustdom_info *, di);
2962 *_domains = talloc_move(mem_ctx, &domains);
2964 TALLOC_FREE(tmp_ctx);
2965 return NT_STATUS_OK;
2968 static NTSTATUS pdb_samba_dsdb_msg_to_trusted_domain(const struct ldb_message *msg,
2969 TALLOC_CTX *mem_ctx,
2970 struct pdb_trusted_domain **_d)
2972 struct pdb_trusted_domain *d = NULL;
2973 const char *str = NULL;
2974 struct dom_sid *sid = NULL;
2975 const struct ldb_val *val = NULL;
2980 d = talloc_zero(mem_ctx, struct pdb_trusted_domain);
2982 return NT_STATUS_NO_MEMORY;
2985 str = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
2988 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2990 d->netbios_name = talloc_strdup(d, str);
2991 if (d->netbios_name == NULL) {
2993 return NT_STATUS_NO_MEMORY;
2996 str = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
2998 d->domain_name = talloc_strdup(d, str);
2999 if (d->domain_name == NULL) {
3001 return NT_STATUS_NO_MEMORY;
3005 sid = samdb_result_dom_sid(d, msg, "securityIdentifier");
3007 d->security_identifier = *sid;
3011 val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
3013 d->trust_auth_outgoing = data_blob_dup_talloc(d, *val);
3014 if (d->trust_auth_outgoing.data == NULL) {
3016 return NT_STATUS_NO_MEMORY;
3019 val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
3021 d->trust_auth_incoming = data_blob_dup_talloc(d, *val);
3022 if (d->trust_auth_incoming.data == NULL) {
3024 return NT_STATUS_NO_MEMORY;
3028 d->trust_direction = ldb_msg_find_attr_as_uint(msg, "trustDirection", 0);
3029 d->trust_type = ldb_msg_find_attr_as_uint(msg, "trustType", 0);
3030 d->trust_attributes = ldb_msg_find_attr_as_uint(msg, "trustAttributes", 0);
3032 val64 = ldb_msg_find_attr_as_uint64(msg, "trustPosixOffset", UINT64_MAX);
3033 if (val64 != UINT64_MAX) {
3034 d->trust_posix_offset = talloc(d, uint32_t);
3035 if (d->trust_posix_offset == NULL) {
3037 return NT_STATUS_NO_MEMORY;
3039 *d->trust_posix_offset = (uint32_t)val64;
3042 val64 = ldb_msg_find_attr_as_uint64(msg, "msDS-SupportedEncryptionTypes", UINT64_MAX);
3043 if (val64 != UINT64_MAX) {
3044 d->supported_enc_type = talloc(d, uint32_t);
3045 if (d->supported_enc_type == NULL) {
3047 return NT_STATUS_NO_MEMORY;
3049 *d->supported_enc_type = (uint32_t)val64;
3052 val = ldb_msg_find_ldb_val(msg, "msDS-TrustForestTrustInfo");
3054 d->trust_forest_trust_info = data_blob_dup_talloc(d, *val);
3055 if (d->trust_forest_trust_info.data == NULL) {
3057 return NT_STATUS_NO_MEMORY;
3062 return NT_STATUS_OK;
3065 static NTSTATUS pdb_samba_dsdb_get_trusted_domain(struct pdb_methods *m,
3066 TALLOC_CTX *mem_ctx,
3068 struct pdb_trusted_domain **td)
3070 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
3071 m->private_data, struct pdb_samba_dsdb_state);
3072 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3073 const char * const attrs[] = {
3074 "securityIdentifier",
3077 "trustAuthOutgoing",
3078 "trustAuthIncoming",
3083 "msDS-SupportedEncryptionTypes",
3084 "msDS-TrustForestTrustInfo",
3087 struct ldb_message *msg = NULL;
3088 struct pdb_trusted_domain *d = NULL;
3091 status = dsdb_trust_search_tdo(state->ldb, domain, NULL,
3092 attrs, tmp_ctx, &msg);
3093 if (!NT_STATUS_IS_OK(status)) {
3094 DBG_ERR("dsdb_trust_search_tdo(%s) - %s ",
3095 domain, nt_errstr(status));
3096 TALLOC_FREE(tmp_ctx);
3100 status = pdb_samba_dsdb_msg_to_trusted_domain(msg, mem_ctx, &d);
3101 if (!NT_STATUS_IS_OK(status)) {
3102 DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s ",
3103 domain, nt_errstr(status));
3104 TALLOC_FREE(tmp_ctx);
3109 TALLOC_FREE(tmp_ctx);
3110 return NT_STATUS_OK;
3113 static NTSTATUS pdb_samba_dsdb_get_trusted_domain_by_sid(struct pdb_methods *m,
3114 TALLOC_CTX *mem_ctx,
3115 struct dom_sid *sid,
3116 struct pdb_trusted_domain **td)
3118 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
3119 m->private_data, struct pdb_samba_dsdb_state);
3120 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3121 const char * const attrs[] = {
3122 "securityIdentifier",
3125 "trustAuthOutgoing",
3126 "trustAuthIncoming",
3131 "msDS-SupportedEncryptionTypes",
3132 "msDS-TrustForestTrustInfo",
3135 struct ldb_message *msg = NULL;
3136 struct pdb_trusted_domain *d = NULL;
3139 status = dsdb_trust_search_tdo_by_sid(state->ldb, sid,
3140 attrs, tmp_ctx, &msg);
3141 if (!NT_STATUS_IS_OK(status)) {
3142 DBG_ERR("dsdb_trust_search_tdo_by_sid(%s) - %s ",
3143 dom_sid_string(tmp_ctx, sid), nt_errstr(status));
3144 TALLOC_FREE(tmp_ctx);
3148 status = pdb_samba_dsdb_msg_to_trusted_domain(msg, mem_ctx, &d);
3149 if (!NT_STATUS_IS_OK(status)) {
3150 DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s ",
3151 dom_sid_string(tmp_ctx, sid), nt_errstr(status));
3152 TALLOC_FREE(tmp_ctx);
3157 TALLOC_FREE(tmp_ctx);
3158 return NT_STATUS_OK;
3161 static NTSTATUS add_trust_user(TALLOC_CTX *mem_ctx,
3162 struct ldb_context *sam_ldb,
3163 struct ldb_dn *base_dn,
3164 const char *netbios_name,
3165 struct trustAuthInOutBlob *taiob)
3167 struct ldb_request *req = NULL;
3168 struct ldb_message *msg = NULL;
3169 struct ldb_dn *dn = NULL;
3174 dn = ldb_dn_copy(mem_ctx, base_dn);
3176 return NT_STATUS_NO_MEMORY;
3178 ok = ldb_dn_add_child_fmt(dn, "cn=%s$,cn=users", netbios_name);
3180 return NT_STATUS_NO_MEMORY;
3183 msg = ldb_msg_new(mem_ctx);
3185 return NT_STATUS_NO_MEMORY;
3189 ret = ldb_msg_add_string(msg, "objectClass", "user");
3190 if (ret != LDB_SUCCESS) {
3191 return NT_STATUS_NO_MEMORY;
3194 ret = ldb_msg_add_fmt(msg, "samAccountName", "%s$", netbios_name);
3195 if (ret != LDB_SUCCESS) {
3196 return NT_STATUS_NO_MEMORY;
3199 ret = samdb_msg_add_uint(sam_ldb, msg, msg, "userAccountControl",
3200 UF_INTERDOMAIN_TRUST_ACCOUNT);
3201 if (ret != LDB_SUCCESS) {
3202 return NT_STATUS_NO_MEMORY;
3205 for (i = 0; i < taiob->count; i++) {
3206 struct AuthenticationInformation *auth_info =
3207 &taiob->current.array[i];
3208 const char *attribute = NULL;
3211 switch (taiob->current.array[i].AuthType) {
3212 case TRUST_AUTH_TYPE_NT4OWF:
3213 attribute = "unicodePwd";
3214 v.data = (uint8_t *)&auth_info->AuthInfo.nt4owf.password;
3218 case TRUST_AUTH_TYPE_CLEAR:
3219 attribute = "clearTextPassword";
3220 v.data = auth_info->AuthInfo.clear.password;
3221 v.length = auth_info->AuthInfo.clear.size;
3228 ret = ldb_msg_add_value(msg, attribute, &v, NULL);
3229 if (ret != LDB_SUCCESS) {
3230 return NT_STATUS_NO_MEMORY;
3234 /* create the trusted_domain user account */
3235 ret = ldb_build_add_req(&req, sam_ldb, mem_ctx, msg, NULL, NULL,
3236 ldb_op_default_callback, NULL);
3237 if (ret != LDB_SUCCESS) {
3238 return NT_STATUS_NO_MEMORY;
3241 ret = ldb_request_add_control(
3242 req, DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID,
3244 if (ret != LDB_SUCCESS) {
3245 return NT_STATUS_NO_MEMORY;
3248 ret = dsdb_autotransaction_request(sam_ldb, req);
3249 if (ret != LDB_SUCCESS) {
3250 DEBUG(0,("Failed to create user record %s: %s\n",
3251 ldb_dn_get_linearized(msg->dn),
3252 ldb_errstring(sam_ldb)));
3255 case LDB_ERR_ENTRY_ALREADY_EXISTS:
3256 return NT_STATUS_DOMAIN_EXISTS;
3257 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
3258 return NT_STATUS_ACCESS_DENIED;
3260 return NT_STATUS_INTERNAL_DB_CORRUPTION;
3264 return NT_STATUS_OK;
3267 static NTSTATUS pdb_samba_dsdb_set_trusted_domain(struct pdb_methods *methods,
3269 const struct pdb_trusted_domain *td)
3271 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
3272 methods->private_data, struct pdb_samba_dsdb_state);
3273 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3274 bool in_txn = false;
3275 struct ldb_dn *base_dn = NULL;
3276 struct ldb_message *msg = NULL;
3277 const char *attrs[] = {
3280 char *netbios_encoded = NULL;
3281 char *dns_encoded = NULL;
3282 struct dom_sid *tmp_sid1;
3283 struct dom_sid *tmp_sid2;
3285 char *sid_encoded = NULL;
3287 struct trustAuthInOutBlob taiob;
3288 enum ndr_err_code ndr_err;
3292 base_dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->ldb));
3293 if (base_dn == NULL) {
3294 TALLOC_FREE(tmp_ctx);
3295 status = NT_STATUS_NO_MEMORY;
3299 * We expect S-1-5-21-A-B-C, but we don't
3300 * allow S-1-5-21-0-0-0 as this is used
3301 * for claims and compound identities.
3303 * So we call dom_sid_split_rid() 3 times
3304 * and compare the result to S-1-5-21
3306 status = dom_sid_split_rid(tmp_ctx,
3307 &td->security_identifier,
3308 &tmp_sid1, &tmp_rid);
3309 if (!NT_STATUS_IS_OK(status)) {
3312 status = dom_sid_split_rid(tmp_ctx, tmp_sid1, &tmp_sid2, &tmp_rid);
3313 if (!NT_STATUS_IS_OK(status)) {
3316 status = dom_sid_split_rid(tmp_ctx, tmp_sid2, &tmp_sid1, &tmp_rid);
3317 if (!NT_STATUS_IS_OK(status)) {
3320 ok = dom_sid_parse("S-1-5-21", tmp_sid2);
3322 status = NT_STATUS_INTERNAL_ERROR;
3325 ok = dom_sid_equal(tmp_sid1, tmp_sid2);
3327 status = NT_STATUS_INVALID_PARAMETER;
3330 ok = dom_sid_parse("S-1-5-21-0-0-0", tmp_sid2);
3332 return NT_STATUS_INTERNAL_ERROR;
3334 ok = !dom_sid_equal(&td->security_identifier, tmp_sid2);
3336 status = NT_STATUS_INVALID_PARAMETER;
3340 if (strequal(td->netbios_name, "BUILTIN")) {
3341 status = NT_STATUS_INVALID_PARAMETER;
3344 if (strequal(td->domain_name, "BUILTIN")) {
3345 status = NT_STATUS_INVALID_PARAMETER;
3349 dns_encoded = ldb_binary_encode_string(tmp_ctx, td->domain_name);
3350 if (dns_encoded == NULL) {
3351 status = NT_STATUS_NO_MEMORY;
3354 netbios_encoded = ldb_binary_encode_string(tmp_ctx, td->netbios_name);
3355 if (netbios_encoded == NULL) {
3356 status =NT_STATUS_NO_MEMORY;
3359 sid_encoded = ldap_encode_ndr_dom_sid(tmp_ctx, &td->security_identifier);
3360 if (sid_encoded == NULL) {
3361 status = NT_STATUS_NO_MEMORY;
3365 ok = samdb_is_pdc(state->ldb);
3367 DBG_ERR("Adding TDO is only allowed on a PDC.\n");
3368 TALLOC_FREE(tmp_ctx);
3369 status = NT_STATUS_INVALID_DOMAIN_ROLE;
3373 status = dsdb_trust_search_tdo(state->ldb,
3379 if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
3380 DBG_ERR("dsdb_trust_search_tdo returned %s\n",
3382 status = NT_STATUS_INVALID_DOMAIN_STATE;
3386 ret = ldb_transaction_start(state->ldb);
3387 if (ret != LDB_SUCCESS) {
3388 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
3393 msg = ldb_msg_new(tmp_ctx);
3395 status = NT_STATUS_NO_MEMORY;
3399 msg->dn = ldb_dn_copy(tmp_ctx, base_dn);
3401 ok = ldb_dn_add_child_fmt(msg->dn, "cn=%s,cn=System", td->domain_name);
3403 status = NT_STATUS_NO_MEMORY;
3407 ret = ldb_msg_add_string(msg, "objectClass", "trustedDomain");
3408 if (ret != LDB_SUCCESS) {
3409 status = NT_STATUS_NO_MEMORY;
3413 ret = ldb_msg_add_string(msg, "flatname", td->netbios_name);
3414 if (ret != LDB_SUCCESS) {
3415 status = NT_STATUS_NO_MEMORY;
3419 ret = ldb_msg_add_string(msg, "trustPartner", td->domain_name);
3420 if (ret != LDB_SUCCESS) {
3421 status = NT_STATUS_NO_MEMORY;
3425 ret = samdb_msg_add_dom_sid(state->ldb,
3428 "securityIdentifier",
3429 &td->security_identifier);
3430 if (ret != LDB_SUCCESS) {
3431 status = NT_STATUS_NO_MEMORY;
3435 ret = samdb_msg_add_int(state->ldb,
3440 if (ret != LDB_SUCCESS) {
3441 status = NT_STATUS_NO_MEMORY;
3445 ret = samdb_msg_add_int(state->ldb,
3449 td->trust_attributes);
3450 if (ret != LDB_SUCCESS) {
3451 status =NT_STATUS_NO_MEMORY;
3455 ret = samdb_msg_add_int(state->ldb,
3459 td->trust_direction);
3460 if (ret != LDB_SUCCESS) {
3461 status = NT_STATUS_NO_MEMORY;
3465 if (td->trust_auth_incoming.data != NULL) {
3466 ret = ldb_msg_add_value(msg,
3467 "trustAuthIncoming",
3468 &td->trust_auth_incoming,
3470 if (ret != LDB_SUCCESS) {
3471 status = NT_STATUS_NO_MEMORY;
3475 if (td->trust_auth_outgoing.data != NULL) {
3476 ret = ldb_msg_add_value(msg,
3477 "trustAuthOutgoing",
3478 &td->trust_auth_outgoing,
3480 if (ret != LDB_SUCCESS) {
3481 status = NT_STATUS_NO_MEMORY;
3486 /* create the trusted_domain */
3487 ret = ldb_add(state->ldb, msg);
3492 case LDB_ERR_ENTRY_ALREADY_EXISTS:
3493 DBG_ERR("Failed to create trusted domain record %s: %s\n",
3494 ldb_dn_get_linearized(msg->dn),
3495 ldb_errstring(state->ldb));
3496 status = NT_STATUS_DOMAIN_EXISTS;
3499 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
3500 DBG_ERR("Failed to create trusted domain record %s: %s\n",
3501 ldb_dn_get_linearized(msg->dn),
3502 ldb_errstring(state->ldb));
3503 status = NT_STATUS_ACCESS_DENIED;
3507 DBG_ERR("Failed to create trusted domain record %s: %s\n",
3508 ldb_dn_get_linearized(msg->dn),
3509 ldb_errstring(state->ldb));
3510 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
3514 ndr_err = ndr_pull_struct_blob(
3515 &td->trust_auth_outgoing,
3518 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
3519 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3520 status = ndr_map_error2ntstatus(ndr_err);
3524 if (td->trust_direction == LSA_TRUST_DIRECTION_INBOUND) {
3525 status = add_trust_user(tmp_ctx,
3530 if (!NT_STATUS_IS_OK(status)) {
3535 ret = ldb_transaction_commit(state->ldb);
3536 if (ret != LDB_SUCCESS) {
3537 return NT_STATUS_INTERNAL_DB_CORRUPTION;
3542 * TODO: Notify winbindd that we have a new trust
3545 status = NT_STATUS_OK;
3549 ldb_transaction_cancel(state->ldb);
3551 TALLOC_FREE(tmp_ctx);
3555 static NTSTATUS pdb_samba_dsdb_del_trusted_domain(struct pdb_methods *methods,
3558 return NT_STATUS_NOT_IMPLEMENTED;
3561 static NTSTATUS pdb_samba_dsdb_enum_trusted_domains(struct pdb_methods *m,
3562 TALLOC_CTX *mem_ctx,
3563 uint32_t *_num_domains,
3564 struct pdb_trusted_domain ***_domains)
3566 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
3567 m->private_data, struct pdb_samba_dsdb_state);
3568 TALLOC_CTX *tmp_ctx = talloc_stackframe();
3569 const char * const attrs[] = {
3570 "securityIdentifier",
3573 "trustAuthOutgoing",
3574 "trustAuthIncoming",
3579 "msDS-SupportedEncryptionTypes",
3580 "msDS-TrustForestTrustInfo",
3583 struct ldb_result *res = NULL;
3585 struct pdb_trusted_domain **domains = NULL;
3592 status = dsdb_trust_search_tdos(state->ldb, NULL,
3593 attrs, tmp_ctx, &res);
3594 if (!NT_STATUS_IS_OK(status)) {
3595 DBG_ERR("dsdb_trust_search_tdos() - %s ", nt_errstr(status));
3596 TALLOC_FREE(tmp_ctx);
3600 if (res->count == 0) {
3601 TALLOC_FREE(tmp_ctx);
3602 return NT_STATUS_OK;
3605 domains = talloc_zero_array(tmp_ctx, struct pdb_trusted_domain *,
3607 if (domains == NULL) {
3608 TALLOC_FREE(tmp_ctx);
3609 return NT_STATUS_NO_MEMORY;
3612 for (i = 0; i < res->count; i++) {
3613 struct ldb_message *msg = res->msgs[i];
3614 struct pdb_trusted_domain *d = NULL;
3616 status = pdb_samba_dsdb_msg_to_trusted_domain(msg, domains, &d);
3617 if (!NT_STATUS_IS_OK(status)) {
3618 DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain() - %s ",
3620 TALLOC_FREE(tmp_ctx);
3627 talloc_realloc(domains, domains, struct pdb_trusted_domain *, di);
3628 *_domains = talloc_move(mem_ctx, &domains);
3630 TALLOC_FREE(tmp_ctx);
3631 return NT_STATUS_OK;
3634 static bool pdb_samba_dsdb_is_responsible_for_wellknown(struct pdb_methods *m)
3639 static bool pdb_samba_dsdb_is_responsible_for_everything_else(struct pdb_methods *m)
3644 static void pdb_samba_dsdb_init_methods(struct pdb_methods *m)
3646 m->name = "samba_dsdb";
3647 m->get_domain_info = pdb_samba_dsdb_get_domain_info;
3648 m->getsampwnam = pdb_samba_dsdb_getsampwnam;
3649 m->getsampwsid = pdb_samba_dsdb_getsampwsid;
3650 m->create_user = pdb_samba_dsdb_create_user;
3651 m->delete_user = pdb_samba_dsdb_delete_user;
3652 m->add_sam_account = pdb_samba_dsdb_add_sam_account;
3653 m->update_sam_account = pdb_samba_dsdb_update_sam_account;
3654 m->delete_sam_account = pdb_samba_dsdb_delete_sam_account;
3655 m->rename_sam_account = pdb_samba_dsdb_rename_sam_account;
3656 m->update_login_attempts = pdb_samba_dsdb_update_login_attempts;
3657 m->getgrsid = pdb_samba_dsdb_getgrsid;
3658 m->getgrgid = pdb_samba_dsdb_getgrgid;
3659 m->getgrnam = pdb_samba_dsdb_getgrnam;
3660 m->create_dom_group = pdb_samba_dsdb_create_dom_group;
3661 m->delete_dom_group = pdb_samba_dsdb_delete_dom_group;
3662 m->add_group_mapping_entry = pdb_samba_dsdb_add_group_mapping_entry;
3663 m->update_group_mapping_entry = pdb_samba_dsdb_update_group_mapping_entry;
3664 m->delete_group_mapping_entry = pdb_samba_dsdb_delete_group_mapping_entry;
3665 m->enum_group_mapping = pdb_samba_dsdb_enum_group_mapping;
3666 m->enum_group_members = pdb_samba_dsdb_enum_group_members;
3667 m->enum_group_memberships = pdb_samba_dsdb_enum_group_memberships;
3668 m->set_unix_primary_group = pdb_samba_dsdb_set_unix_primary_group;
3669 m->add_groupmem = pdb_samba_dsdb_add_groupmem;
3670 m->del_groupmem = pdb_samba_dsdb_del_groupmem;
3671 m->create_alias = pdb_samba_dsdb_create_alias;
3672 m->delete_alias = pdb_samba_dsdb_delete_alias;
3673 m->get_aliasinfo = pdb_default_get_aliasinfo;
3674 m->add_aliasmem = pdb_samba_dsdb_add_aliasmem;
3675 m->del_aliasmem = pdb_samba_dsdb_del_aliasmem;
3676 m->enum_aliasmem = pdb_samba_dsdb_enum_aliasmem;
3677 m->enum_alias_memberships = pdb_samba_dsdb_enum_alias_memberships;
3678 m->lookup_rids = pdb_samba_dsdb_lookup_rids;
3679 m->lookup_names = pdb_samba_dsdb_lookup_names;
3680 m->get_account_policy = pdb_samba_dsdb_get_account_policy;
3681 m->set_account_policy = pdb_samba_dsdb_set_account_policy;
3682 m->get_seq_num = pdb_samba_dsdb_get_seq_num;
3683 m->search_users = pdb_samba_dsdb_search_users;
3684 m->search_groups = pdb_samba_dsdb_search_groups;
3685 m->search_aliases = pdb_samba_dsdb_search_aliases;
3686 m->id_to_sid = pdb_samba_dsdb_id_to_sid;
3687 m->sid_to_id = pdb_samba_dsdb_sid_to_id;
3688 m->capabilities = pdb_samba_dsdb_capabilities;
3689 m->new_rid = pdb_samba_dsdb_new_rid;
3690 m->get_trusteddom_pw = pdb_samba_dsdb_get_trusteddom_pw;
3691 m->get_trusteddom_creds = pdb_samba_dsdb_get_trusteddom_creds;
3692 m->set_trusteddom_pw = pdb_samba_dsdb_set_trusteddom_pw;
3693 m->del_trusteddom_pw = pdb_samba_dsdb_del_trusteddom_pw;
3694 m->enum_trusteddoms = pdb_samba_dsdb_enum_trusteddoms;
3695 m->get_trusted_domain = pdb_samba_dsdb_get_trusted_domain;
3696 m->get_trusted_domain_by_sid = pdb_samba_dsdb_get_trusted_domain_by_sid;
3697 m->set_trusted_domain = pdb_samba_dsdb_set_trusted_domain;
3698 m->del_trusted_domain = pdb_samba_dsdb_del_trusted_domain;
3699 m->enum_trusted_domains = pdb_samba_dsdb_enum_trusted_domains;
3700 m->is_responsible_for_wellknown =
3701 pdb_samba_dsdb_is_responsible_for_wellknown;
3702 m->is_responsible_for_everything_else =
3703 pdb_samba_dsdb_is_responsible_for_everything_else;
3706 static void free_private_data(void **vp)
3708 struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
3709 *vp, struct pdb_samba_dsdb_state);
3710 talloc_unlink(state, state->ldb);
3714 static NTSTATUS pdb_samba_dsdb_init_secrets(struct pdb_methods *m)
3716 struct pdb_domain_info *dom_info;
3717 struct dom_sid stored_sid;
3718 struct GUID stored_guid;
3719 bool sid_exists_and_matches = false;
3720 bool guid_exists_and_matches = false;
3723 dom_info = pdb_samba_dsdb_get_domain_info(m, m);
3725 return NT_STATUS_UNSUCCESSFUL;
3728 ret = secrets_fetch_domain_sid(dom_info->name, &stored_sid);
3730 if (dom_sid_equal(&stored_sid, &dom_info->sid)) {
3731 sid_exists_and_matches = true;
3735 if (sid_exists_and_matches == false) {
3736 secrets_clear_domain_protection(dom_info->name);
3737 ret = secrets_store_domain_sid(dom_info->name,
3739 ret &= secrets_mark_domain_protected(dom_info->name);
3745 ret = secrets_fetch_domain_guid(dom_info->name, &stored_guid);
3747 if (GUID_equal(&stored_guid, &dom_info->guid)) {
3748 guid_exists_and_matches = true;
3752 if (guid_exists_and_matches == false) {
3753 secrets_clear_domain_protection(dom_info->name);
3754 ret = secrets_store_domain_guid(dom_info->name,
3756 ret &= secrets_mark_domain_protected(dom_info->name);
3763 TALLOC_FREE(dom_info);
3765 return NT_STATUS_UNSUCCESSFUL;
3767 return NT_STATUS_OK;
3770 static NTSTATUS pdb_init_samba_dsdb(struct pdb_methods **pdb_method,
3771 const char *location)
3773 struct pdb_methods *m;
3774 struct pdb_samba_dsdb_state *state;
3776 char *errstring = NULL;
3779 if ( !NT_STATUS_IS_OK(status = make_pdb_method( &m )) ) {
3783 state = talloc_zero(m, struct pdb_samba_dsdb_state);
3784 if (state == NULL) {
3787 m->private_data = state;
3788 m->free_private_data = free_private_data;
3789 pdb_samba_dsdb_init_methods(m);
3791 state->ev = s4_event_context_init(state);
3793 DEBUG(0, ("s4_event_context_init failed\n"));
3797 state->lp_ctx = loadparm_init_s3(state, loadparm_s3_helpers());
3798 if (state->lp_ctx == NULL) {
3799 DEBUG(0, ("loadparm_init_s3 failed\n"));
3803 if (location == NULL) {
3804 location = "sam.ldb";
3807 ret = samdb_connect_url(state,
3810 system_session(state->lp_ctx),
3812 &state->ldb, &errstring);
3815 DEBUG(0, ("samdb_connect failed: %s: %s\n",
3816 errstring, ldb_strerror(ret)));
3817 status = NT_STATUS_INTERNAL_ERROR;
3821 state->idmap_ctx = idmap_init(state, state->ev,
3823 if (!state->idmap_ctx) {
3824 DEBUG(0, ("idmap failed\n"));
3825 status = NT_STATUS_INTERNAL_ERROR;
3829 status = pdb_samba_dsdb_init_secrets(m);
3830 if (!NT_STATUS_IS_OK(status)) {
3831 DEBUG(10, ("pdb_samba_dsdb_init_secrets failed!\n"));
3836 return NT_STATUS_OK;
3838 status = NT_STATUS_NO_MEMORY;
3844 NTSTATUS pdb_samba_dsdb_init(TALLOC_CTX *);
3845 NTSTATUS pdb_samba_dsdb_init(TALLOC_CTX *ctx)
3847 NTSTATUS status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "samba_dsdb",
3848 pdb_init_samba_dsdb);
3849 if (!NT_STATUS_IS_OK(status)) {
3852 return smb_register_passdb(PASSDB_INTERFACE_VERSION, "samba4",
3853 pdb_init_samba_dsdb);