#include "passdb.h"
#include "libcli/security/dom_sid.h"
#include "../librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/samr.h"
+#include "secrets.h"
#include "smbldap.h"
+#include "passdb/pdb_ldap.h"
+#include "passdb/pdb_ipa.h"
+#include "passdb/pdb_ldap_schema.h"
+#include "lib/util/base64.h"
#define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
+#define IPA_MAGIC_ID_STR "999"
#define LDAP_TRUST_CONTAINER "ou=system"
#define LDAP_ATTRIBUTE_CN "cn"
#define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
#define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
#define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
+#define LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET "sambaTrustPosixOffset"
+#define LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE "sambaSupportedEncryptionTypes"
#define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
#define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
#define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
#define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
#define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
#define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
+#define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
#define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
#define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
#define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
+#define LDAP_OBJ_IPAOBJECT "ipaObject"
+#define LDAP_OBJ_IPAHOST "ipaHost"
+#define LDAP_OBJ_POSIXACCOUNT "posixAccount"
+
+#define LDAP_OBJ_GROUPOFNAMES "groupOfNames"
+#define LDAP_OBJ_NESTEDGROUP "nestedGroup"
+#define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
+#define LDAP_OBJ_POSIXGROUP "posixGroup"
+
+#define HAS_KRB_PRINCIPAL (1<<0)
+#define HAS_KRB_PRINCIPAL_AUX (1<<1)
+#define HAS_IPAOBJECT (1<<2)
+#define HAS_IPAHOST (1<<3)
+#define HAS_POSIXACCOUNT (1<<4)
+#define HAS_GROUPOFNAMES (1<<5)
+#define HAS_NESTEDGROUP (1<<6)
+#define HAS_IPAUSERGROUP (1<<7)
+#define HAS_POSIXGROUP (1<<8)
+
struct ipasam_privates {
bool server_is_ipa;
NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
struct samu *sampass);
NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
struct samu *sampass);
+ NTSTATUS (*ldapsam_create_user)(struct pdb_methods *my_methods,
+ TALLOC_CTX *tmp_ctx, const char *name,
+ uint32_t acb_info, uint32_t *rid);
+ NTSTATUS (*ldapsam_create_dom_group)(struct pdb_methods *my_methods,
+ TALLOC_CTX *tmp_ctx,
+ const char *name,
+ uint32_t *rid);
};
static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
if (name[strlen(name)-1] == '$') {
dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
- lp_ldap_machine_suffix());
+ lp_ldap_machine_suffix(talloc_tos()));
} else {
dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
- lp_ldap_user_suffix());
+ lp_ldap_user_suffix(talloc_tos()));
}
SAFE_FREE(escape_name);
TALLOC_FREE(base_dn);
if (result != NULL) {
- talloc_autofree_ldapmsg(mem_ctx, result);
+ smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
}
if (rc == LDAP_NO_SUCH_OBJECT) {
return false;
}
+ td->trust_posix_offset = talloc(td, uint32_t);
+ if (td->trust_posix_offset == NULL) {
+ return false;
+ }
+ res = get_uint32_t_from_ldap_msg(ldap_state, entry,
+ LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
+ td->trust_posix_offset);
+ if (!res) {
+ return false;
+ }
+
+ td->supported_enc_type = talloc(td, uint32_t);
+ if (td->supported_enc_type == NULL) {
+ return false;
+ }
+ res = get_uint32_t_from_ldap_msg(ldap_state, entry,
+ LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
+ td->supported_enc_type);
+ if (!res) {
+ return false;
+ }
+
+
get_data_blob_from_ldap_msg(td, ldap_state, entry,
LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
&td->trust_forest_trust_info);
}
}
+ if (td->trust_posix_offset != NULL) {
+ res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
+ &mods,
+ LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
+ *td->trust_posix_offset);
+ if (!res) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+
+ if (td->supported_enc_type != NULL) {
+ res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
+ &mods,
+ LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
+ *td->supported_enc_type);
+ if (!res) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+
if (td->trust_auth_outgoing.data != NULL) {
smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
&td->trust_forest_trust_info);
}
- talloc_autofree_ldapmod(talloc_tos(), mods);
+ smbldap_talloc_autofree_ldapmod(talloc_tos(), mods);
trusted_dn = trusted_domain_dn(ldap_state, domain);
if (trusted_dn == NULL) {
TALLOC_FREE(base_dn);
if (result != NULL) {
- talloc_autofree_ldapmsg(mem_ctx, result);
+ smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
}
if (rc == LDAP_NO_SUCH_OBJECT) {
}
*num_domains = 0;
- if (!(*domains = TALLOC_ARRAY(mem_ctx, struct pdb_trusted_domain *, 1))) {
+ if (!(*domains = talloc_array(mem_ctx, struct pdb_trusted_domain *, 1))) {
DEBUG(1, ("talloc failed\n"));
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}
- if (!(*domains = TALLOC_ARRAY(mem_ctx, struct trustdom_info *,
+ if (!(*domains = talloc_array(mem_ctx, struct trustdom_info *,
*num_domains))) {
DEBUG(1, ("talloc failed\n"));
return NT_STATUS_NO_MEMORY;
for (i = 0; i < *num_domains; i++) {
struct trustdom_info *dom_info;
- dom_info = TALLOC_P(*domains, struct trustdom_info);
+ dom_info = talloc(*domains, struct trustdom_info);
if (dom_info == NULL) {
DEBUG(1, ("talloc failed\n"));
return NT_STATUS_NO_MEMORY;
TALLOC_CTX *mem_ctx)
{
struct pdb_domain_info *info;
+ struct ldapsam_privates *ldap_state =
+ (struct ldapsam_privates *)pdb_methods->private_data;
+ uint8_t sid_buf[24];
+ DATA_BLOB sid_blob;
NTSTATUS status;
- struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)pdb_methods->private_data;
info = talloc(mem_ctx, struct pdb_domain_info);
if (info == NULL) {
if (info->dns_domain == NULL) {
goto fail;
}
- strlower_m(info->dns_domain);
+ if (!strlower_m(info->dns_domain)) {
+ goto fail;
+ }
info->dns_forest = talloc_strdup(info, info->dns_domain);
+
+ /* we expect a domain SID to have 4 sub IDs */
+ if (ldap_state->domain_sid.num_auths != 4) {
+ goto fail;
+ }
+
sid_copy(&info->sid, &ldap_state->domain_sid);
- status = GUID_from_string("testguid", &info->guid);
+ if (!sid_linearize(sid_buf, sizeof(sid_buf), &info->sid)) {
+ goto fail;
+ }
+
+ /* the first 8 bytes of the linearized SID are not random,
+ * so we skip them */
+ sid_blob.data = (uint8_t *) sid_buf + 8 ;
+ sid_blob.length = 16;
+
+ status = GUID_from_ndr_blob(&sid_blob, &info->guid);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
return info;
return NT_STATUS_OK;
}
-static NTSTATUS ipasam_add_objectclasses(struct ldapsam_privates *ldap_state,
- struct samu *sampass)
+static NTSTATUS ipasam_get_objectclasses(struct ldapsam_privates *ldap_state,
+ const char *dn, LDAPMessage *entry,
+ uint32_t *has_objectclass)
+{
+ char **objectclasses;
+ size_t c;
+
+ objectclasses = ldap_get_values(priv2ld(ldap_state), entry,
+ LDAP_ATTRIBUTE_OBJECTCLASS);
+ if (objectclasses == NULL) {
+ DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ *has_objectclass = 0;
+ for (c = 0; objectclasses[c] != NULL; c++) {
+ if (strequal(objectclasses[c], LDAP_OBJ_KRB_PRINCIPAL)) {
+ *has_objectclass |= HAS_KRB_PRINCIPAL;
+ } else if (strequal(objectclasses[c],
+ LDAP_OBJ_KRB_PRINCIPAL_AUX)) {
+ *has_objectclass |= HAS_KRB_PRINCIPAL_AUX;
+ } else if (strequal(objectclasses[c], LDAP_OBJ_IPAOBJECT)) {
+ *has_objectclass |= HAS_IPAOBJECT;
+ } else if (strequal(objectclasses[c], LDAP_OBJ_IPAHOST)) {
+ *has_objectclass |= HAS_IPAHOST;
+ } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXACCOUNT)) {
+ *has_objectclass |= HAS_POSIXACCOUNT;
+ } else if (strequal(objectclasses[c], LDAP_OBJ_GROUPOFNAMES)) {
+ *has_objectclass |= HAS_GROUPOFNAMES;
+ } else if (strequal(objectclasses[c], LDAP_OBJ_NESTEDGROUP)) {
+ *has_objectclass |= HAS_NESTEDGROUP;
+ } else if (strequal(objectclasses[c], LDAP_OBJ_IPAUSERGROUP)) {
+ *has_objectclass |= HAS_IPAUSERGROUP;
+ } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXGROUP)) {
+ *has_objectclass |= HAS_POSIXGROUP;
+ }
+ }
+ ldap_value_free(objectclasses);
+
+ return NT_STATUS_OK;
+}
+
+enum obj_type {
+ IPA_NO_OBJ = 0,
+ IPA_USER_OBJ,
+ IPA_GROUP_OBJ
+};
+
+static NTSTATUS find_obj(struct ldapsam_privates *ldap_state, const char *name,
+ enum obj_type type, char **_dn,
+ uint32_t *_has_objectclass)
{
- char *dn;
- LDAPMod **mods = NULL;
int ret;
- char *princ;
- const char *domain;
- char *domain_with_dot;
+ char *username;
+ char *filter;
+ LDAPMessage *result = NULL;
+ LDAPMessage *entry = NULL;
+ int num_result;
+ char *dn;
+ uint32_t has_objectclass;
+ NTSTATUS status;
+ const char *obj_class = NULL;
+
+ switch (type) {
+ case IPA_USER_OBJ:
+ obj_class = LDAP_OBJ_POSIXACCOUNT;
+ break;
+ case IPA_GROUP_OBJ:
+ obj_class = LDAP_OBJ_POSIXGROUP;
+ break;
+ default:
+ DEBUG(0, ("Unsupported IPA object.\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ username = escape_ldap_string(talloc_tos(), name);
+ if (username == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ filter = talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
+ username, obj_class);
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ TALLOC_FREE(username);
- dn = get_account_dn(pdb_get_username(sampass));
- if (dn == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
+ ret = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL,
+ &result);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(0, ("smbldap_search_suffix failed.\n"));
+ return NT_STATUS_ACCESS_DENIED;
}
- princ = talloc_asprintf(talloc_tos(), "%s@%s", pdb_get_username(sampass), lp_realm());
- if (princ == NULL) {
- return NT_STATUS_NO_MEMORY;
+ num_result = ldap_count_entries(priv2ld(ldap_state), result);
+
+ if (num_result != 1) {
+ if (num_result == 0) {
+ switch (type) {
+ case IPA_USER_OBJ:
+ status = NT_STATUS_NO_SUCH_USER;
+ break;
+ case IPA_GROUP_OBJ:
+ status = NT_STATUS_NO_SUCH_GROUP;
+ break;
+ default:
+ status = NT_STATUS_INVALID_PARAMETER;
+ }
+ } else {
+ DEBUG (0, ("find_user: More than one object with name [%s] ?!\n",
+ name));
+ status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ goto done;
}
- domain = pdb_get_domain(sampass);
- if (domain == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
+ entry = ldap_first_entry(priv2ld(ldap_state), result);
+ if (!entry) {
+ DEBUG(0,("find_user: Out of memory!\n"));
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
}
- domain_with_dot = talloc_asprintf(talloc_tos(), "%s.", domain);
- if (domain_with_dot == NULL) {
- return NT_STATUS_NO_MEMORY;
+ dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
+ if (!dn) {
+ DEBUG(0,("find_user: Out of memory!\n"));
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
}
- smbldap_set_mod(&mods, LDAP_MOD_ADD,
- "objectclass", LDAP_OBJ_KRB_PRINCIPAL);
- smbldap_set_mod(&mods, LDAP_MOD_ADD,
- LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
- smbldap_set_mod(&mods, LDAP_MOD_ADD,
- "objectclass", LDAP_OBJ_KRB_PRINCIPAL_AUX);
- smbldap_set_mod(&mods, LDAP_MOD_ADD,
- "objectclass", "ipaHost");
- smbldap_set_mod(&mods, LDAP_MOD_ADD,
- "fqdn", domain);
+ status = ipasam_get_objectclasses(ldap_state, dn, entry, &has_objectclass);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ *_dn = dn;
+ *_has_objectclass = has_objectclass;
+
+ status = NT_STATUS_OK;
+
+done:
+ ldap_msgfree(result);
+
+ return status;
+}
+
+static NTSTATUS find_user(struct ldapsam_privates *ldap_state, const char *name,
+ char **_dn, uint32_t *_has_objectclass)
+{
+ return find_obj(ldap_state, name, IPA_USER_OBJ, _dn, _has_objectclass);
+}
+
+static NTSTATUS find_group(struct ldapsam_privates *ldap_state, const char *name,
+ char **_dn, uint32_t *_has_objectclass)
+{
+ return find_obj(ldap_state, name, IPA_GROUP_OBJ, _dn, _has_objectclass);
+}
+
+static NTSTATUS ipasam_add_posix_account_objectclass(struct ldapsam_privates *ldap_state,
+ int ldap_op,
+ const char *dn,
+ const char *username)
+{
+ int ret;
+ LDAPMod **mods = NULL;
+
smbldap_set_mod(&mods, LDAP_MOD_ADD,
"objectclass", "posixAccount");
smbldap_set_mod(&mods, LDAP_MOD_ADD,
- "cn", pdb_get_username(sampass));
+ "cn", username);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ "uidNumber", IPA_MAGIC_ID_STR);
smbldap_set_mod(&mods, LDAP_MOD_ADD,
"gidNumber", "12345");
smbldap_set_mod(&mods, LDAP_MOD_ADD,
"homeDirectory", "/dev/null");
- smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", domain);
- smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", domain_with_dot);
- ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
- ldap_mods_free(mods, true);
+ if (ldap_op == LDAP_MOD_ADD) {
+ ret = smbldap_add(ldap_state->smbldap_state, dn, mods);
+ } else {
+ ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
+ }
+ ldap_mods_free(mods, 1);
if (ret != LDAP_SUCCESS) {
DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
- pdb_get_username(sampass),dn));
+ username, dn));
+ return NT_STATUS_LDAP(ret);
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS ipasam_add_ipa_group_objectclasses(struct ldapsam_privates *ldap_state,
+ const char *dn,
+ const char *name,
+ uint32_t has_objectclass)
+{
+ LDAPMod **mods = NULL;
+ int ret;
+
+ if (!(has_objectclass & HAS_GROUPOFNAMES)) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_OBJECTCLASS,
+ LDAP_OBJ_GROUPOFNAMES);
+ }
+
+ if (!(has_objectclass & HAS_NESTEDGROUP)) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_OBJECTCLASS,
+ LDAP_OBJ_NESTEDGROUP);
+ }
+
+ if (!(has_objectclass & HAS_IPAUSERGROUP)) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_OBJECTCLASS,
+ LDAP_OBJ_IPAUSERGROUP);
+ }
+
+ if (!(has_objectclass & HAS_IPAOBJECT)) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_OBJECTCLASS,
+ LDAP_OBJ_IPAOBJECT);
+ }
+
+ if (!(has_objectclass & HAS_POSIXGROUP)) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_OBJECTCLASS,
+ LDAP_OBJ_POSIXGROUP);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_CN,
+ name);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_GIDNUMBER,
+ IPA_MAGIC_ID_STR);
+ }
+
+ ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
+ ldap_mods_free(mods, 1);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(1, ("failed to modify/add group %s (dn = %s)\n",
+ name, dn));
return NT_STATUS_LDAP(ret);
}
return NT_STATUS_OK;
}
+static NTSTATUS ipasam_add_ipa_objectclasses(struct ldapsam_privates *ldap_state,
+ const char *dn, const char *name,
+ const char *domain,
+ uint32_t acct_flags,
+ uint32_t has_objectclass)
+{
+ LDAPMod **mods = NULL;
+ int ret;
+ char *princ;
+
+ if (!(has_objectclass & HAS_KRB_PRINCIPAL)) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_OBJECTCLASS,
+ LDAP_OBJ_KRB_PRINCIPAL);
+
+ princ = talloc_asprintf(talloc_tos(), "%s@%s", name, lp_realm());
+ if (princ == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
+ }
+
+ if (!(has_objectclass & HAS_KRB_PRINCIPAL_AUX)) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_OBJECTCLASS,
+ LDAP_OBJ_KRB_PRINCIPAL_AUX);
+ }
+
+ if (!(has_objectclass & HAS_IPAOBJECT)) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_IPAOBJECT);
+ }
+
+ if ((acct_flags != 0) &&
+ (((acct_flags & ACB_NORMAL) && name[strlen(name)-1] == '$') ||
+ ((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))) {
+
+ if (!(has_objectclass & HAS_IPAHOST)) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ LDAP_ATTRIBUTE_OBJECTCLASS,
+ LDAP_OBJ_IPAHOST);
+
+ if (domain == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ "fqdn", domain);
+ }
+ }
+
+ if (!(has_objectclass & HAS_POSIXACCOUNT)) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ "objectclass", "posixAccount");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ "uidNumber", IPA_MAGIC_ID_STR);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ "gidNumber", "12345");
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ "homeDirectory", "/dev/null");
+ }
+
+ if (mods != NULL) {
+ ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
+ ldap_mods_free(mods, 1);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
+ name, dn));
+ return NT_STATUS_LDAP(ret);
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
static NTSTATUS pdb_ipasam_add_sam_account(struct pdb_methods *pdb_methods,
struct samu *sampass)
{
NTSTATUS status;
struct ldapsam_privates *ldap_state;
+ const char *name;
+ char *dn;
+ uint32_t has_objectclass;
+ uint32_t rid;
+ struct dom_sid user_sid;
ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
- status =ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
- sampass);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ if (IS_SAM_SET(sampass, PDB_USERSID) ||
+ IS_SAM_CHANGED(sampass, PDB_USERSID)) {
+ if (!pdb_new_rid(&rid)) {
+ return NT_STATUS_DS_NO_MORE_RIDS;
+ }
+ sid_compose(&user_sid, get_global_sam_sid(), rid);
+ if (!pdb_set_user_sid(sampass, &user_sid, PDB_SET)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
}
- status = ipasam_add_objectclasses(ldap_state, sampass);
+ status = ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
+ sampass);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
- status = modify_ipa_password_exop(ldap_state, sampass);
+ if (ldap_state->ipasam_privates->server_is_ipa) {
+ name = pdb_get_username(sampass);
+ if (name == NULL || *name == '\0') {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = find_user(ldap_state, name, &dn, &has_objectclass);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = ipasam_add_ipa_objectclasses(ldap_state, dn, name,
+ pdb_get_domain(sampass),
+ pdb_get_acct_ctrl(sampass),
+ has_objectclass);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
+
+ if (!(has_objectclass & HAS_POSIXACCOUNT)) {
+ status = ipasam_add_posix_account_objectclass(ldap_state,
+ LDAP_MOD_REPLACE,
+ dn, name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
+ status = modify_ipa_password_exop(ldap_state, sampass);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
}
return NT_STATUS_OK;
return status;
}
- if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
- status = modify_ipa_password_exop(ldap_state, sampass);
+ if (ldap_state->ipasam_privates->server_is_ipa) {
+ if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
+ status = modify_ipa_password_exop(ldap_state, sampass);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS ipasam_create_dom_group(struct pdb_methods *pdb_methods,
+ TALLOC_CTX *tmp_ctx, const char *name,
+ uint32_t *rid)
+{
+ NTSTATUS status;
+ struct ldapsam_privates *ldap_state;
+ char *dn = NULL;
+ uint32_t has_objectclass = 0;
+
+ ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
+
+ if (name == NULL || *name == '\0') {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = find_group(ldap_state, name, &dn, &has_objectclass);
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+ return status;
+ }
+
+ if (!(has_objectclass & HAS_POSIXGROUP)) {
+ status = ipasam_add_ipa_group_objectclasses(ldap_state, dn,
+ name,
+ has_objectclass);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ status = ldap_state->ipasam_privates->ldapsam_create_dom_group(pdb_methods,
+ tmp_ctx,
+ name,
+ rid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+static NTSTATUS ipasam_create_user(struct pdb_methods *pdb_methods,
+ TALLOC_CTX *tmp_ctx, const char *name,
+ uint32_t acb_info, uint32_t *rid)
+{
+ NTSTATUS status;
+ struct ldapsam_privates *ldap_state;
+ int ldap_op = LDAP_MOD_REPLACE;
+ char *dn;
+ uint32_t has_objectclass = 0;
+
+ ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
+
+ if (name == NULL || *name == '\0') {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = find_user(ldap_state, name, &dn, &has_objectclass);
+ if (NT_STATUS_IS_OK(status)) {
+ ldap_op = LDAP_MOD_REPLACE;
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+ char *escape_username;
+ ldap_op = LDAP_MOD_ADD;
+ escape_username = escape_rdn_val_string_alloc(name);
+ if (!escape_username) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ if (name[strlen(name)-1] == '$') {
+ dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
+ escape_username,
+ lp_ldap_machine_suffix(talloc_tos()));
+ } else {
+ dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
+ escape_username,
+ lp_ldap_user_suffix(talloc_tos()));
+ }
+ SAFE_FREE(escape_username);
+ if (!dn) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ return status;
+ }
+
+ if (!(has_objectclass & HAS_POSIXACCOUNT)) {
+ status = ipasam_add_posix_account_objectclass(ldap_state, ldap_op,
+ dn, name);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
+ has_objectclass |= HAS_POSIXACCOUNT;
+ }
+
+ status = ldap_state->ipasam_privates->ldapsam_create_user(pdb_methods,
+ tmp_ctx, name,
+ acb_info, rid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = ipasam_add_ipa_objectclasses(ldap_state, dn, name, lp_realm(),
+ acb_info, has_objectclass);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
return NT_STATUS_OK;
}
+static NTSTATUS pdb_ipa_init_secrets(struct pdb_methods *m)
+{
+ struct pdb_domain_info *dom_info;
+ bool ret;
+
+ dom_info = pdb_ipasam_get_domain_info(m, m);
+ if (!dom_info) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ PDB_secrets_clear_domain_protection(dom_info->name);
+ ret = PDB_secrets_store_domain_sid(dom_info->name,
+ &dom_info->sid);
+ if (!ret) {
+ goto done;
+ }
+ ret = PDB_secrets_store_domain_guid(dom_info->name,
+ &dom_info->guid);
+ if (!ret) {
+ goto done;
+ }
+ ret = PDB_secrets_mark_domain_protected(dom_info->name);
+ if (!ret) {
+ goto done;
+ }
+
+done:
+ TALLOC_FREE(dom_info);
+ if (!ret) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ return NT_STATUS_OK;
+}
+
static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location)
{
struct ldapsam_privates *ldap_state;
NTSTATUS status;
- status = pdb_init_ldapsam(pdb_method, location);
+ status = pdb_ldapsam_init_common(pdb_method, location);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
priv2ld(ldap_state), IPA_KEYTAB_SET_OID);
ldap_state->ipasam_privates->ldapsam_add_sam_account = (*pdb_method)->add_sam_account;
ldap_state->ipasam_privates->ldapsam_update_sam_account = (*pdb_method)->update_sam_account;
+ ldap_state->ipasam_privates->ldapsam_create_user = (*pdb_method)->create_user;
+ ldap_state->ipasam_privates->ldapsam_create_dom_group = (*pdb_method)->create_dom_group;
(*pdb_method)->add_sam_account = pdb_ipasam_add_sam_account;
(*pdb_method)->update_sam_account = pdb_ipasam_update_sam_account;
+ if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
+ if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
+ (*pdb_method)->create_user = ipasam_create_user;
+ (*pdb_method)->create_dom_group = ipasam_create_dom_group;
+ }
+ }
+
(*pdb_method)->capabilities = pdb_ipasam_capabilities;
(*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
(*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain;
(*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains;
+ status = pdb_ipa_init_secrets(*pdb_method);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("pdb_ipa_init_secrets failed!\n"));
+ return status;
+ }
+
return NT_STATUS_OK;
}
git.samba.org / samba.git / blobdiff