2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Jelmer Vernooij 2002
6 Copyright (C) Simo Sorce 2003
7 Copyright (C) Volker Lendecke 2006
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/passwd.h"
28 #include "../librpc/gen_ndr/samr.h"
29 #include "../librpc/gen_ndr/drsblobs.h"
30 #include "../librpc/gen_ndr/ndr_drsblobs.h"
31 #include "../librpc/gen_ndr/idmap.h"
33 #include "nsswitch/winbind_client.h"
34 #include "../libcli/security/security.h"
35 #include "../lib/util/util_pw.h"
36 #include "passdb/pdb_secrets.h"
39 #define DBGC_CLASS DBGC_PASSDB
43 static struct pdb_init_function_entry *backends = NULL;
45 static void lazy_initialize_passdb(void)
47 static bool initialized = False;
55 static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
57 enum lsa_SidType *psid_name_use,
58 uid_t *uid, gid_t *gid);
60 NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
62 struct pdb_init_function_entry *entry = backends;
64 if(version != PASSDB_INTERFACE_VERSION) {
65 DEBUG(0,("Can't register passdb backend!\n"
66 "You tried to register a passdb module with PASSDB_INTERFACE_VERSION %d, "
67 "while this version of samba uses version %d\n",
68 version,PASSDB_INTERFACE_VERSION));
69 return NT_STATUS_OBJECT_TYPE_MISMATCH;
73 return NT_STATUS_INVALID_PARAMETER;
76 DEBUG(5,("Attempting to register passdb backend %s\n", name));
78 /* Check for duplicates */
79 if (pdb_find_backend_entry(name)) {
80 DEBUG(0,("There already is a passdb backend registered with the name %s!\n", name));
81 return NT_STATUS_OBJECT_NAME_COLLISION;
84 entry = SMB_XMALLOC_P(struct pdb_init_function_entry);
85 entry->name = smb_xstrdup(name);
88 DLIST_ADD(backends, entry);
89 DEBUG(5,("Successfully added passdb backend '%s'\n", name));
93 struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
95 struct pdb_init_function_entry *entry = backends;
98 if (strcmp(entry->name, name)==0) return entry;
105 const struct pdb_init_function_entry *pdb_get_backends(void)
112 * The event context for the passdb backend. I know this is a bad hack and yet
113 * another static variable, but our pdb API is a global thing per
114 * definition. The first use for this is the LDAP idle function, more might be
117 * I don't feel too bad about this static variable, it replaces the
118 * smb_idle_event_list that used to exist in lib/module.c. -- VL
121 static struct tevent_context *pdb_tevent_ctx;
123 struct tevent_context *pdb_get_tevent_context(void)
125 return pdb_tevent_ctx;
128 /******************************************************************
129 Make a pdb_methods from scratch
130 *******************************************************************/
132 NTSTATUS make_pdb_method_name(struct pdb_methods **methods, const char *selected)
134 char *module_name = smb_xstrdup(selected);
135 char *module_location = NULL, *p;
136 struct pdb_init_function_entry *entry;
137 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
139 lazy_initialize_passdb();
141 p = strchr(module_name, ':');
145 module_location = p+1;
146 trim_char(module_location, ' ', ' ');
149 trim_char(module_name, ' ', ' ');
152 DEBUG(5,("Attempting to find a passdb backend to match %s (%s)\n", selected, module_name));
154 entry = pdb_find_backend_entry(module_name);
156 /* Try to find a module that contains this module */
158 DEBUG(2,("No builtin backend found, trying to load plugin\n"));
159 if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) {
160 DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name));
161 SAFE_FREE(module_name);
162 return NT_STATUS_UNSUCCESSFUL;
166 /* No such backend found */
168 DEBUG(0,("No builtin nor plugin backend for %s found\n", module_name));
169 SAFE_FREE(module_name);
170 return NT_STATUS_INVALID_PARAMETER;
173 DEBUG(5,("Found pdb backend %s\n", module_name));
175 if ( !NT_STATUS_IS_OK( nt_status = entry->init(methods, module_location) ) ) {
176 DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n",
177 selected, nt_errstr(nt_status)));
178 SAFE_FREE(module_name);
182 SAFE_FREE(module_name);
184 DEBUG(5,("pdb backend %s has a valid init\n", selected));
189 /******************************************************************
190 Return an already initialized pdb_methods structure
191 *******************************************************************/
193 static struct pdb_methods *pdb_get_methods_reload( bool reload )
195 static struct pdb_methods *pdb = NULL;
197 if ( pdb && reload ) {
198 pdb->free_private_data( &(pdb->private_data) );
199 if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
205 if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
213 static struct pdb_methods *pdb_get_methods(void)
215 struct pdb_methods *pdb;
217 pdb = pdb_get_methods_reload(false);
220 if (asprintf(&msg, "pdb_get_methods: "
221 "failed to get pdb methods for backend %s\n",
222 lp_passdb_backend()) > 0) {
225 smb_panic("pdb_get_methods");
232 struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX *mem_ctx)
234 struct pdb_methods *pdb = pdb_get_methods();
235 return pdb->get_domain_info(pdb, mem_ctx);
239 * @brief Check if the user account has been locked out and try to unlock it.
241 * If the user has been automatically locked out and a lockout duration is set,
242 * then check if we can unlock the account and reset the bad password values.
244 * @param[in] sampass The sam user to check.
246 * @return True if the function was successfull, false on an error.
248 static bool pdb_try_account_unlock(struct samu *sampass)
250 uint32_t acb_info = pdb_get_acct_ctrl(sampass);
252 if ((acb_info & ACB_NORMAL) && (acb_info & ACB_AUTOLOCK)) {
253 uint32_t lockout_duration;
254 time_t bad_password_time;
255 time_t now = time(NULL);
258 ok = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
261 DEBUG(0, ("pdb_try_account_unlock: "
262 "pdb_get_account_policy failed.\n"));
266 if (lockout_duration == (uint32_t) -1 ||
267 lockout_duration == 0) {
268 DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
269 "can't reset autolock\n"));
272 lockout_duration *= 60;
274 bad_password_time = pdb_get_bad_password_time(sampass);
275 if (bad_password_time == (time_t) 0) {
276 DEBUG(2, ("pdb_try_account_unlock: Account %s "
277 "administratively locked out "
278 "with no bad password "
279 "time. Leaving locked out.\n",
280 pdb_get_username(sampass)));
284 if ((bad_password_time +
285 convert_uint32_t_to_time_t(lockout_duration)) < now) {
288 pdb_set_acct_ctrl(sampass, acb_info & ~ACB_AUTOLOCK,
290 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
291 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
294 status = pdb_update_sam_account(sampass);
296 if (!NT_STATUS_IS_OK(status)) {
297 DEBUG(0, ("_samr_OpenUser: Couldn't "
298 "update account %s - %s\n",
299 pdb_get_username(sampass),
310 * @brief Get a sam user structure by the given username.
312 * This functions also checks if the account has been automatically locked out
313 * and unlocks it if a lockout duration time has been defined and the time has
316 * @param[in] sam_acct The sam user structure to fill.
318 * @param[in] username The username to look for.
320 * @return True on success, false on error.
322 bool pdb_getsampwnam(struct samu *sam_acct, const char *username)
324 struct pdb_methods *pdb = pdb_get_methods();
325 struct samu *for_cache;
326 const struct dom_sid *user_sid;
330 status = pdb->getsampwnam(pdb, sam_acct, username);
331 if (!NT_STATUS_IS_OK(status)) {
335 ok = pdb_try_account_unlock(sam_acct);
337 DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
341 for_cache = samu_new(NULL);
342 if (for_cache == NULL) {
346 if (!pdb_copy_sam_account(for_cache, sam_acct)) {
347 TALLOC_FREE(for_cache);
351 user_sid = pdb_get_user_sid(for_cache);
353 memcache_add_talloc(NULL, PDB_GETPWSID_CACHE,
354 data_blob_const(user_sid, sizeof(*user_sid)),
360 /**********************************************************************
361 **********************************************************************/
363 static bool guest_user_info( struct samu *user )
367 const char *guestname = lp_guestaccount();
369 pwd = Get_Pwnam_alloc(talloc_tos(), guestname);
371 DEBUG(0,("guest_user_info: Unable to locate guest account [%s]!\n",
376 result = samu_set_unix(user, pwd );
380 return NT_STATUS_IS_OK( result );
384 * @brief Get a sam user structure by the given username.
386 * This functions also checks if the account has been automatically locked out
387 * and unlocks it if a lockout duration time has been defined and the time has
391 * @param[in] sam_acct The sam user structure to fill.
393 * @param[in] sid The user SDI to look up.
395 * @return True on success, false on error.
397 bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
399 struct pdb_methods *pdb = pdb_get_methods();
404 /* hard code the Guest RID of 501 */
406 if ( !sid_peek_check_rid( get_global_sam_sid(), sid, &rid ) )
409 if ( rid == DOMAIN_RID_GUEST ) {
410 DEBUG(6,("pdb_getsampwsid: Building guest account\n"));
411 return guest_user_info( sam_acct );
414 /* check the cache first */
416 cache_data = memcache_lookup_talloc(
417 NULL, PDB_GETPWSID_CACHE, data_blob_const(sid, sizeof(*sid)));
419 if (cache_data != NULL) {
420 struct samu *cache_copy = talloc_get_type_abort(
421 cache_data, struct samu);
423 ok = pdb_copy_sam_account(sam_acct, cache_copy);
425 ok = NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
432 ok = pdb_try_account_unlock(sam_acct);
434 DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
435 sam_acct->username));
441 static NTSTATUS pdb_default_create_user(struct pdb_methods *methods,
442 TALLOC_CTX *tmp_ctx, const char *name,
443 uint32_t acb_info, uint32_t *rid)
445 struct samu *sam_pass;
449 if ((sam_pass = samu_new(tmp_ctx)) == NULL) {
450 return NT_STATUS_NO_MEMORY;
453 if ( !(pwd = Get_Pwnam_alloc(tmp_ctx, name)) ) {
454 char *add_script = NULL;
458 if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] != '$') {
459 add_script = talloc_strdup(tmp_ctx,
460 lp_adduser_script());
462 add_script = talloc_strdup(tmp_ctx,
463 lp_addmachine_script());
466 if (!add_script || add_script[0] == '\0') {
467 DEBUG(3, ("Could not find user %s and no add script "
469 return NT_STATUS_NO_SUCH_USER;
472 /* lowercase the username before creating the Unix account for
473 compatibility with previous Samba releases */
474 fstrcpy( name2, name );
476 add_script = talloc_all_string_sub(tmp_ctx,
481 return NT_STATUS_NO_MEMORY;
483 add_ret = smbrun(add_script,NULL);
484 DEBUG(add_ret ? 0 : 3, ("_samr_create_user: Running the command `%s' gave %d\n",
485 add_script, add_ret));
487 smb_nscd_flush_user_cache();
492 pwd = Get_Pwnam_alloc(tmp_ctx, name);
495 DEBUG(3, ("Could not find user %s, add script did not work\n", name));
496 return NT_STATUS_NO_SUCH_USER;
500 /* we have a valid SID coming out of this call */
502 status = samu_alloc_rid_unix(methods, sam_pass, pwd);
506 if (!NT_STATUS_IS_OK(status)) {
507 DEBUG(3, ("pdb_default_create_user: failed to create a new user structure: %s\n", nt_errstr(status)));
511 if (!sid_peek_check_rid(get_global_sam_sid(),
512 pdb_get_user_sid(sam_pass), rid)) {
513 DEBUG(0, ("Could not get RID of fresh user\n"));
514 return NT_STATUS_INTERNAL_ERROR;
517 /* Use the username case specified in the original request */
519 pdb_set_username( sam_pass, name, PDB_SET );
521 /* Disable the account on creation, it does not have a reasonable password yet. */
523 acb_info |= ACB_DISABLED;
525 pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
527 status = methods->add_sam_account(methods, sam_pass);
529 TALLOC_FREE(sam_pass);
534 NTSTATUS pdb_create_user(TALLOC_CTX *mem_ctx, const char *name, uint32_t flags,
537 struct pdb_methods *pdb = pdb_get_methods();
538 return pdb->create_user(pdb, mem_ctx, name, flags, rid);
541 /****************************************************************************
542 Delete a UNIX user on demand.
543 ****************************************************************************/
545 static int smb_delete_user(const char *unix_user)
547 char *del_script = NULL;
552 if ( strequal( unix_user, "root" ) ) {
553 DEBUG(0,("smb_delete_user: Refusing to delete local system root account!\n"));
557 del_script = talloc_strdup(talloc_tos(), lp_deluser_script());
558 if (!del_script || !*del_script) {
561 del_script = talloc_all_string_sub(talloc_tos(),
568 ret = smbrun(del_script,NULL);
571 smb_nscd_flush_user_cache();
573 DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
578 static NTSTATUS pdb_default_delete_user(struct pdb_methods *methods,
580 struct samu *sam_acct)
585 status = methods->delete_sam_account(methods, sam_acct);
586 if (!NT_STATUS_IS_OK(status)) {
591 * Now delete the unix side ....
592 * note: we don't check if the delete really happened as the script is
593 * not necessary present and maybe the sysadmin doesn't want to delete
597 /* always lower case the username before handing it off to
600 fstrcpy( username, pdb_get_username(sam_acct) );
601 strlower_m( username );
603 smb_delete_user( username );
608 NTSTATUS pdb_delete_user(TALLOC_CTX *mem_ctx, struct samu *sam_acct)
610 struct pdb_methods *pdb = pdb_get_methods();
613 const struct dom_sid *user_sid;
616 user_sid = pdb_get_user_sid(sam_acct);
618 /* sanity check to make sure we don't delete root */
620 if ( !sid_to_uid(user_sid, &uid ) ) {
621 return NT_STATUS_NO_SUCH_USER;
625 return NT_STATUS_ACCESS_DENIED;
628 memcache_delete(NULL,
630 data_blob_const(user_sid, sizeof(*user_sid)));
632 status = pdb->delete_user(pdb, mem_ctx, sam_acct);
633 if (!NT_STATUS_IS_OK(status)) {
637 msg_data = talloc_asprintf(mem_ctx, "USER %s",
638 pdb_get_username(sam_acct));
640 /* not fatal, and too late to rollback,
644 message_send_all(server_messaging_context(),
647 strlen(msg_data) + 1,
650 TALLOC_FREE(msg_data);
654 NTSTATUS pdb_add_sam_account(struct samu *sam_acct)
656 struct pdb_methods *pdb = pdb_get_methods();
657 return pdb->add_sam_account(pdb, sam_acct);
660 NTSTATUS pdb_update_sam_account(struct samu *sam_acct)
662 struct pdb_methods *pdb = pdb_get_methods();
664 memcache_flush(NULL, PDB_GETPWSID_CACHE);
666 return pdb->update_sam_account(pdb, sam_acct);
669 NTSTATUS pdb_delete_sam_account(struct samu *sam_acct)
671 struct pdb_methods *pdb = pdb_get_methods();
672 const struct dom_sid *user_sid = pdb_get_user_sid(sam_acct);
674 memcache_delete(NULL,
676 data_blob_const(user_sid, sizeof(*user_sid)));
678 return pdb->delete_sam_account(pdb, sam_acct);
681 NTSTATUS pdb_rename_sam_account(struct samu *oldname, const char *newname)
683 struct pdb_methods *pdb = pdb_get_methods();
687 memcache_flush(NULL, PDB_GETPWSID_CACHE);
689 /* sanity check to make sure we don't rename root */
691 if ( !sid_to_uid( pdb_get_user_sid(oldname), &uid ) ) {
692 return NT_STATUS_NO_SUCH_USER;
696 return NT_STATUS_ACCESS_DENIED;
699 status = pdb->rename_sam_account(pdb, oldname, newname);
701 /* always flush the cache here just to be safe */
707 NTSTATUS pdb_update_login_attempts(struct samu *sam_acct, bool success)
709 struct pdb_methods *pdb = pdb_get_methods();
710 return pdb->update_login_attempts(pdb, sam_acct, success);
713 bool pdb_getgrsid(GROUP_MAP *map, struct dom_sid sid)
715 struct pdb_methods *pdb = pdb_get_methods();
716 return NT_STATUS_IS_OK(pdb->getgrsid(pdb, map, sid));
719 bool pdb_getgrgid(GROUP_MAP *map, gid_t gid)
721 struct pdb_methods *pdb = pdb_get_methods();
722 return NT_STATUS_IS_OK(pdb->getgrgid(pdb, map, gid));
725 bool pdb_getgrnam(GROUP_MAP *map, const char *name)
727 struct pdb_methods *pdb = pdb_get_methods();
728 return NT_STATUS_IS_OK(pdb->getgrnam(pdb, map, name));
731 static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods,
736 struct dom_sid group_sid;
740 grp = getgrnam(name);
745 if (smb_create_group(name, &gid) != 0) {
746 return NT_STATUS_ACCESS_DENIED;
753 return NT_STATUS_ACCESS_DENIED;
756 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
757 if (!pdb_new_rid(rid)) {
758 return NT_STATUS_ACCESS_DENIED;
761 *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
764 sid_compose(&group_sid, get_global_sam_sid(), *rid);
766 return add_initial_entry(grp->gr_gid, sid_to_fstring(tmp, &group_sid),
767 SID_NAME_DOM_GRP, name, NULL);
770 NTSTATUS pdb_create_dom_group(TALLOC_CTX *mem_ctx, const char *name,
773 struct pdb_methods *pdb = pdb_get_methods();
774 return pdb->create_dom_group(pdb, mem_ctx, name, rid);
777 static NTSTATUS pdb_default_delete_dom_group(struct pdb_methods *methods,
781 struct dom_sid group_sid;
785 const char *grp_name;
787 map = talloc_zero(mem_ctx, GROUP_MAP);
789 return NT_STATUS_NO_MEMORY;
793 map->gid = (gid_t) -1;
795 sid_compose(&group_sid, get_global_sam_sid(), rid);
797 if (!get_domain_group_from_sid(group_sid, map)) {
798 DEBUG(10, ("Could not find group for rid %d\n", rid));
799 return NT_STATUS_NO_SUCH_GROUP;
802 /* We need the group name for the smb_delete_group later on */
804 if (map->gid == (gid_t)-1) {
805 return NT_STATUS_NO_SUCH_GROUP;
808 grp = getgrgid(map->gid);
810 return NT_STATUS_NO_SUCH_GROUP;
815 /* Copy the name, no idea what pdb_delete_group_mapping_entry does.. */
817 grp_name = talloc_strdup(mem_ctx, grp->gr_name);
818 if (grp_name == NULL) {
819 return NT_STATUS_NO_MEMORY;
822 status = pdb_delete_group_mapping_entry(group_sid);
824 if (!NT_STATUS_IS_OK(status)) {
828 /* Don't check the result of smb_delete_group */
830 smb_delete_group(grp_name);
835 NTSTATUS pdb_delete_dom_group(TALLOC_CTX *mem_ctx, uint32_t rid)
837 struct pdb_methods *pdb = pdb_get_methods();
838 return pdb->delete_dom_group(pdb, mem_ctx, rid);
841 NTSTATUS pdb_add_group_mapping_entry(GROUP_MAP *map)
843 struct pdb_methods *pdb = pdb_get_methods();
844 return pdb->add_group_mapping_entry(pdb, map);
847 NTSTATUS pdb_update_group_mapping_entry(GROUP_MAP *map)
849 struct pdb_methods *pdb = pdb_get_methods();
850 return pdb->update_group_mapping_entry(pdb, map);
853 NTSTATUS pdb_delete_group_mapping_entry(struct dom_sid sid)
855 struct pdb_methods *pdb = pdb_get_methods();
856 return pdb->delete_group_mapping_entry(pdb, sid);
859 bool pdb_enum_group_mapping(const struct dom_sid *sid,
860 enum lsa_SidType sid_name_use,
861 GROUP_MAP ***pp_rmap,
862 size_t *p_num_entries,
865 struct pdb_methods *pdb = pdb_get_methods();
866 return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
867 pp_rmap, p_num_entries, unix_only));
870 NTSTATUS pdb_enum_group_members(TALLOC_CTX *mem_ctx,
871 const struct dom_sid *sid,
872 uint32_t **pp_member_rids,
873 size_t *p_num_members)
875 struct pdb_methods *pdb = pdb_get_methods();
878 result = pdb->enum_group_members(pdb, mem_ctx,
879 sid, pp_member_rids, p_num_members);
881 /* special check for rid 513 */
883 if ( !NT_STATUS_IS_OK( result ) ) {
886 sid_peek_rid( sid, &rid );
888 if ( rid == DOMAIN_RID_USERS ) {
890 *pp_member_rids = NULL;
899 NTSTATUS pdb_enum_group_memberships(TALLOC_CTX *mem_ctx, struct samu *user,
900 struct dom_sid **pp_sids, gid_t **pp_gids,
901 uint32_t *p_num_groups)
903 struct pdb_methods *pdb = pdb_get_methods();
904 return pdb->enum_group_memberships(
906 pp_sids, pp_gids, p_num_groups);
909 static NTSTATUS pdb_default_set_unix_primary_group(struct pdb_methods *methods,
911 struct samu *sampass)
916 if (!sid_to_gid(pdb_get_group_sid(sampass), &gid) ||
917 (grp = getgrgid(gid)) == NULL) {
918 return NT_STATUS_INVALID_PRIMARY_GROUP;
921 if (smb_set_primary_group(grp->gr_name,
922 pdb_get_username(sampass)) != 0) {
923 return NT_STATUS_ACCESS_DENIED;
929 NTSTATUS pdb_set_unix_primary_group(TALLOC_CTX *mem_ctx, struct samu *user)
931 struct pdb_methods *pdb = pdb_get_methods();
932 return pdb->set_unix_primary_group(pdb, mem_ctx, user);
936 * Helper function to see whether a user is in a group. We can't use
937 * user_in_group_sid here because this creates dependencies only smbd can
941 static bool pdb_user_in_group(TALLOC_CTX *mem_ctx, struct samu *account,
942 const struct dom_sid *group_sid)
944 struct dom_sid *sids;
946 uint32_t i, num_groups;
948 if (!NT_STATUS_IS_OK(pdb_enum_group_memberships(mem_ctx, account,
954 for (i=0; i<num_groups; i++) {
955 if (dom_sid_equal(group_sid, &sids[i])) {
962 static NTSTATUS pdb_default_add_groupmem(struct pdb_methods *methods,
967 struct dom_sid group_sid, member_sid;
968 struct samu *account = NULL;
972 const char *group_name;
975 map = talloc_zero(mem_ctx, GROUP_MAP);
977 return NT_STATUS_NO_MEMORY;
981 map->gid = (gid_t) -1;
983 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
984 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
986 if (!get_domain_group_from_sid(group_sid, map) ||
987 (map->gid == (gid_t)-1) ||
988 ((grp = getgrgid(map->gid)) == NULL)) {
989 return NT_STATUS_NO_SUCH_GROUP;
994 group_name = talloc_strdup(mem_ctx, grp->gr_name);
995 if (group_name == NULL) {
996 return NT_STATUS_NO_MEMORY;
999 if ( !(account = samu_new( NULL )) ) {
1000 return NT_STATUS_NO_MEMORY;
1003 if (!pdb_getsampwsid(account, &member_sid) ||
1004 !sid_to_uid(&member_sid, &uid) ||
1005 ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1006 return NT_STATUS_NO_SUCH_USER;
1009 if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1010 return NT_STATUS_MEMBER_IN_GROUP;
1014 * ok, the group exist, the user exist, the user is not in the group,
1015 * we can (finally) add it to the group !
1018 smb_add_user_group(group_name, pwd->pw_name);
1020 if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1021 return NT_STATUS_ACCESS_DENIED;
1024 return NT_STATUS_OK;
1027 NTSTATUS pdb_add_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1028 uint32_t member_rid)
1030 struct pdb_methods *pdb = pdb_get_methods();
1031 return pdb->add_groupmem(pdb, mem_ctx, group_rid, member_rid);
1034 static NTSTATUS pdb_default_del_groupmem(struct pdb_methods *methods,
1035 TALLOC_CTX *mem_ctx,
1037 uint32_t member_rid)
1039 struct dom_sid group_sid, member_sid;
1040 struct samu *account = NULL;
1044 const char *group_name;
1047 map = talloc_zero(mem_ctx, GROUP_MAP);
1049 return NT_STATUS_NO_MEMORY;
1052 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
1053 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
1055 if (!get_domain_group_from_sid(group_sid, map) ||
1056 (map->gid == (gid_t)-1) ||
1057 ((grp = getgrgid(map->gid)) == NULL)) {
1058 return NT_STATUS_NO_SUCH_GROUP;
1063 group_name = talloc_strdup(mem_ctx, grp->gr_name);
1064 if (group_name == NULL) {
1065 return NT_STATUS_NO_MEMORY;
1068 if ( !(account = samu_new( NULL )) ) {
1069 return NT_STATUS_NO_MEMORY;
1072 if (!pdb_getsampwsid(account, &member_sid) ||
1073 !sid_to_uid(&member_sid, &uid) ||
1074 ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1075 return NT_STATUS_NO_SUCH_USER;
1078 if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1079 return NT_STATUS_MEMBER_NOT_IN_GROUP;
1083 * ok, the group exist, the user exist, the user is in the group,
1084 * we can (finally) delete it from the group!
1087 smb_delete_user_group(group_name, pwd->pw_name);
1089 if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1090 return NT_STATUS_ACCESS_DENIED;
1093 return NT_STATUS_OK;
1096 NTSTATUS pdb_del_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1097 uint32_t member_rid)
1099 struct pdb_methods *pdb = pdb_get_methods();
1100 return pdb->del_groupmem(pdb, mem_ctx, group_rid, member_rid);
1103 NTSTATUS pdb_create_alias(const char *name, uint32_t *rid)
1105 struct pdb_methods *pdb = pdb_get_methods();
1106 return pdb->create_alias(pdb, name, rid);
1109 NTSTATUS pdb_delete_alias(const struct dom_sid *sid)
1111 struct pdb_methods *pdb = pdb_get_methods();
1112 return pdb->delete_alias(pdb, sid);
1115 NTSTATUS pdb_get_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1117 struct pdb_methods *pdb = pdb_get_methods();
1118 return pdb->get_aliasinfo(pdb, sid, info);
1121 NTSTATUS pdb_set_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1123 struct pdb_methods *pdb = pdb_get_methods();
1124 return pdb->set_aliasinfo(pdb, sid, info);
1127 NTSTATUS pdb_add_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1129 struct pdb_methods *pdb = pdb_get_methods();
1130 return pdb->add_aliasmem(pdb, alias, member);
1133 NTSTATUS pdb_del_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1135 struct pdb_methods *pdb = pdb_get_methods();
1136 return pdb->del_aliasmem(pdb, alias, member);
1139 NTSTATUS pdb_enum_aliasmem(const struct dom_sid *alias, TALLOC_CTX *mem_ctx,
1140 struct dom_sid **pp_members, size_t *p_num_members)
1142 struct pdb_methods *pdb = pdb_get_methods();
1143 return pdb->enum_aliasmem(pdb, alias, mem_ctx, pp_members,
1147 NTSTATUS pdb_enum_alias_memberships(TALLOC_CTX *mem_ctx,
1148 const struct dom_sid *domain_sid,
1149 const struct dom_sid *members, size_t num_members,
1150 uint32_t **pp_alias_rids,
1151 size_t *p_num_alias_rids)
1153 struct pdb_methods *pdb = pdb_get_methods();
1154 return pdb->enum_alias_memberships(pdb, mem_ctx,
1156 members, num_members,
1161 NTSTATUS pdb_lookup_rids(const struct dom_sid *domain_sid,
1165 enum lsa_SidType *attrs)
1167 struct pdb_methods *pdb = pdb_get_methods();
1168 return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs);
1172 * NOTE: pdb_lookup_names is currently (2007-01-12) not used anywhere
1173 * in the samba code.
1174 * Unlike _lsa_lookup_sids and _samr_lookup_rids, which eventually
1175 * also ask pdb_lookup_rids, thus looking up a bunch of rids at a time,
1176 * the pdb_ calls _lsa_lookup_names and _samr_lookup_names come
1177 * down to are pdb_getsampwnam and pdb_getgrnam instead of
1179 * But in principle, it the call belongs to the API and might get
1180 * used in this context some day.
1183 NTSTATUS pdb_lookup_names(const struct dom_sid *domain_sid,
1187 enum lsa_SidType *attrs)
1189 struct pdb_methods *pdb = pdb_get_methods();
1190 return pdb->lookup_names(pdb, domain_sid, num_names, names, rids, attrs);
1194 bool pdb_get_account_policy(enum pdb_policy_type type, uint32_t *value)
1196 struct pdb_methods *pdb = pdb_get_methods();
1200 status = pdb->get_account_policy(pdb, type, value);
1203 return NT_STATUS_IS_OK(status);
1206 bool pdb_set_account_policy(enum pdb_policy_type type, uint32_t value)
1208 struct pdb_methods *pdb = pdb_get_methods();
1212 status = pdb->set_account_policy(pdb, type, value);
1215 return NT_STATUS_IS_OK(status);
1218 bool pdb_get_seq_num(time_t *seq_num)
1220 struct pdb_methods *pdb = pdb_get_methods();
1221 return NT_STATUS_IS_OK(pdb->get_seq_num(pdb, seq_num));
1224 bool pdb_uid_to_sid(uid_t uid, struct dom_sid *sid)
1226 struct pdb_methods *pdb = pdb_get_methods();
1227 return pdb->uid_to_sid(pdb, uid, sid);
1230 bool pdb_gid_to_sid(gid_t gid, struct dom_sid *sid)
1232 struct pdb_methods *pdb = pdb_get_methods();
1233 return pdb->gid_to_sid(pdb, gid, sid);
1236 bool pdb_sid_to_id(const struct dom_sid *sid, struct unixid *id)
1238 struct pdb_methods *pdb = pdb_get_methods();
1239 return pdb->sid_to_id(pdb, sid, id);
1242 uint32_t pdb_capabilities(void)
1244 struct pdb_methods *pdb = pdb_get_methods();
1245 return pdb->capabilities(pdb);
1248 /********************************************************************
1249 Allocate a new RID from the passdb backend. Verify that it is free
1250 by calling lookup_global_sam_rid() to verify that the RID is not
1251 in use. This handles servers that have existing users or groups
1252 with add RIDs (assigned from previous algorithmic mappings)
1253 ********************************************************************/
1255 bool pdb_new_rid(uint32_t *rid)
1257 struct pdb_methods *pdb = pdb_get_methods();
1258 const char *name = NULL;
1259 enum lsa_SidType type;
1260 uint32_t allocated_rid = 0;
1264 if ((pdb_capabilities() & PDB_CAP_STORE_RIDS) == 0) {
1265 DEBUG(0, ("Trying to allocate a RID when algorithmic RIDs "
1270 if (algorithmic_rid_base() != BASE_RID) {
1271 DEBUG(0, ("'algorithmic rid base' is set but a passdb backend "
1272 "without algorithmic RIDs is chosen.\n"));
1273 DEBUGADD(0, ("Please map all used groups using 'net groupmap "
1274 "add', set the maximum used RID\n"));
1275 DEBUGADD(0, ("and remove the parameter\n"));
1279 if ( (ctx = talloc_init("pdb_new_rid")) == NULL ) {
1280 DEBUG(0,("pdb_new_rid: Talloc initialization failure\n"));
1284 /* Attempt to get an unused RID (max tires is 250...yes that it is
1285 and arbitrary number I pulkled out of my head). -- jerry */
1287 for ( i=0; allocated_rid==0 && i<250; i++ ) {
1290 if ( !pdb->new_rid(pdb, &allocated_rid) ) {
1294 /* validate that the RID is not in use */
1296 if (lookup_global_sam_rid(ctx, allocated_rid, &name, &type, NULL, NULL)) {
1303 if ( allocated_rid == 0 ) {
1304 DEBUG(0,("pdb_new_rid: Failed to find unused RID\n"));
1308 *rid = allocated_rid;
1313 /***************************************************************
1314 Initialize the static context (at smbd startup etc).
1316 If uninitialised, context will auto-init on first use.
1317 ***************************************************************/
1319 bool initialize_password_db(bool reload, struct tevent_context *tevent_ctx)
1321 pdb_tevent_ctx = tevent_ctx;
1322 return (pdb_get_methods_reload(reload) != NULL);
1326 /***************************************************************************
1327 Default implementations of some functions.
1328 ****************************************************************************/
1330 static NTSTATUS pdb_default_getsampwnam (struct pdb_methods *methods, struct samu *user, const char *sname)
1332 return NT_STATUS_NO_SUCH_USER;
1335 static NTSTATUS pdb_default_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const struct dom_sid *sid)
1337 return NT_STATUS_NO_SUCH_USER;
1340 static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1342 return NT_STATUS_NOT_IMPLEMENTED;
1345 static NTSTATUS pdb_default_update_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1347 return NT_STATUS_NOT_IMPLEMENTED;
1350 static NTSTATUS pdb_default_delete_sam_account (struct pdb_methods *methods, struct samu *pwd)
1352 return NT_STATUS_NOT_IMPLEMENTED;
1355 static NTSTATUS pdb_default_rename_sam_account (struct pdb_methods *methods, struct samu *pwd, const char *newname)
1357 return NT_STATUS_NOT_IMPLEMENTED;
1360 static NTSTATUS pdb_default_update_login_attempts (struct pdb_methods *methods, struct samu *newpwd, bool success)
1362 /* Only the pdb_nds backend implements this, by
1363 * default just return ok. */
1364 return NT_STATUS_OK;
1367 static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t *value)
1369 return account_policy_get(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1372 static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t value)
1374 return account_policy_set(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1377 static NTSTATUS pdb_default_get_seq_num(struct pdb_methods *methods, time_t *seq_num)
1379 *seq_num = time(NULL);
1380 return NT_STATUS_OK;
1383 static bool pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid,
1384 struct dom_sid *sid)
1386 struct samu *sampw = NULL;
1387 struct passwd *unix_pw;
1390 unix_pw = getpwuid( uid );
1393 DEBUG(4,("pdb_default_uid_to_sid: host has no idea of uid "
1394 "%lu\n", (unsigned long)uid));
1398 if ( !(sampw = samu_new( NULL )) ) {
1399 DEBUG(0,("pdb_default_uid_to_sid: samu_new() failed!\n"));
1404 ret = NT_STATUS_IS_OK(
1405 methods->getsampwnam(methods, sampw, unix_pw->pw_name ));
1409 DEBUG(5, ("pdb_default_uid_to_sid: Did not find user "
1410 "%s (%u)\n", unix_pw->pw_name, (unsigned int)uid));
1415 sid_copy(sid, pdb_get_user_sid(sampw));
1422 static bool pdb_default_gid_to_sid(struct pdb_methods *methods, gid_t gid,
1423 struct dom_sid *sid)
1427 map = talloc_zero(NULL, GROUP_MAP);
1432 if (!NT_STATUS_IS_OK(methods->getgrgid(methods, map, gid))) {
1437 sid_copy(sid, &map->sid);
1442 static bool pdb_default_sid_to_id(struct pdb_methods *methods,
1443 const struct dom_sid *sid,
1446 TALLOC_CTX *mem_ctx;
1451 mem_ctx = talloc_new(NULL);
1453 if (mem_ctx == NULL) {
1454 DEBUG(0, ("talloc_new failed\n"));
1458 if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
1460 enum lsa_SidType type;
1463 /* Here we might have users as well as groups and aliases */
1464 ret = lookup_global_sam_rid(mem_ctx, rid, &name, &type, &uid, &gid);
1467 case SID_NAME_DOM_GRP:
1468 case SID_NAME_ALIAS:
1469 id->type = ID_TYPE_GID;
1473 id->type = ID_TYPE_UID;
1481 /* check for "Unix User" */
1483 if ( sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid) ) {
1485 id->type = ID_TYPE_UID;
1490 /* check for "Unix Group" */
1492 if ( sid_peek_check_rid(&global_sid_Unix_Groups, sid, &rid) ) {
1494 id->type = ID_TYPE_GID;
1501 if (sid_check_is_in_builtin(sid) ||
1502 sid_check_is_in_wellknown_domain(sid)) {
1503 /* Here we only have aliases */
1506 map = talloc_zero(mem_ctx, GROUP_MAP);
1512 if (!NT_STATUS_IS_OK(methods->getgrsid(methods, map, *sid))) {
1513 DEBUG(10, ("Could not find map for sid %s\n",
1514 sid_string_dbg(sid)));
1517 if ((map->sid_name_use != SID_NAME_ALIAS) &&
1518 (map->sid_name_use != SID_NAME_WKN_GRP)) {
1519 DEBUG(10, ("Map for sid %s is a %s, expected an "
1520 "alias\n", sid_string_dbg(sid),
1521 sid_type_lookup(map->sid_name_use)));
1526 id->type = ID_TYPE_GID;
1531 DEBUG(5, ("Sid %s is neither ours, a Unix SID, nor builtin\n",
1532 sid_string_dbg(sid)));
1536 TALLOC_FREE(mem_ctx);
1540 static bool get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, uint32_t *p_num)
1551 /* We only look at our own sam, so don't care about imported stuff */
1552 winbind_env = winbind_env_set();
1553 (void)winbind_off();
1555 if ((grp = getgrgid(gid)) == NULL) {
1556 /* allow winbindd lookups, but only if they weren't already disabled */
1560 /* Primary group members */
1562 while ((pwd = getpwent()) != NULL) {
1563 if (pwd->pw_gid == gid) {
1564 if (!add_uid_to_array_unique(mem_ctx, pwd->pw_uid,
1572 /* Secondary group members */
1573 for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
1574 struct passwd *pw = getpwnam(*gr);
1578 if (!add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num)) {
1587 /* allow winbindd lookups, but only if they weren't already disabled */
1595 static NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
1596 TALLOC_CTX *mem_ctx,
1597 const struct dom_sid *group,
1598 uint32_t **pp_member_rids,
1599 size_t *p_num_members)
1603 uint32_t i, num_uids;
1605 *pp_member_rids = NULL;
1608 if (!sid_to_gid(group, &gid))
1609 return NT_STATUS_NO_SUCH_GROUP;
1611 if(!get_memberuids(mem_ctx, gid, &uids, &num_uids))
1612 return NT_STATUS_NO_SUCH_GROUP;
1615 return NT_STATUS_OK;
1617 *pp_member_rids = talloc_zero_array(mem_ctx, uint32_t, num_uids);
1619 for (i=0; i<num_uids; i++) {
1622 uid_to_sid(&sid, uids[i]);
1624 if (!sid_check_is_in_our_domain(&sid)) {
1625 DEBUG(5, ("Inconsistent SAM -- group member uid not "
1626 "in our domain\n"));
1630 sid_peek_rid(&sid, &(*pp_member_rids)[*p_num_members]);
1631 *p_num_members += 1;
1634 return NT_STATUS_OK;
1637 static NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
1638 TALLOC_CTX *mem_ctx,
1640 struct dom_sid **pp_sids,
1642 uint32_t *p_num_groups)
1647 const char *username = pdb_get_username(user);
1650 /* Ignore the primary group SID. Honor the real Unix primary group.
1651 The primary group SID is only of real use to Windows clients */
1653 if ( !(pw = Get_Pwnam_alloc(mem_ctx, username)) ) {
1654 return NT_STATUS_NO_SUCH_USER;
1661 if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) {
1662 return NT_STATUS_NO_SUCH_USER;
1665 if (*p_num_groups == 0) {
1666 smb_panic("primary group missing");
1669 *pp_sids = talloc_array(mem_ctx, struct dom_sid, *p_num_groups);
1671 if (*pp_sids == NULL) {
1672 TALLOC_FREE(*pp_gids);
1673 return NT_STATUS_NO_MEMORY;
1676 for (i=0; i<*p_num_groups; i++) {
1677 gid_to_sid(&(*pp_sids)[i], (*pp_gids)[i]);
1680 return NT_STATUS_OK;
1683 /*******************************************************************
1684 Look up a rid in the SAM we're responsible for (i.e. passdb)
1685 ********************************************************************/
1687 static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
1689 enum lsa_SidType *psid_name_use,
1690 uid_t *uid, gid_t *gid)
1692 struct samu *sam_account = NULL;
1693 GROUP_MAP *map = NULL;
1697 *psid_name_use = SID_NAME_UNKNOWN;
1699 DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n",
1700 (unsigned int)rid));
1702 sid_compose(&sid, get_global_sam_sid(), rid);
1704 /* see if the passdb can help us with the name of the user */
1706 if ( !(sam_account = samu_new( NULL )) ) {
1710 map = talloc_zero(mem_ctx, GROUP_MAP);
1715 /* BEING ROOT BLOCK */
1717 ret = pdb_getsampwsid(sam_account, &sid);
1719 TALLOC_FREE(sam_account);
1720 ret = pdb_getgrsid(map, sid);
1723 /* END BECOME_ROOT BLOCK */
1725 if (sam_account || !ret) {
1732 *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
1734 TALLOC_FREE(sam_account);
1738 *psid_name_use = SID_NAME_USER;
1740 TALLOC_FREE(sam_account);
1746 pw = Get_Pwnam_alloc(talloc_tos(), *name);
1754 } else if (map && (map->gid != (gid_t)-1)) {
1756 /* do not resolve SIDs to a name unless there is a valid
1757 gid associated with it */
1759 *name = talloc_steal(mem_ctx, map->nt_name);
1760 *psid_name_use = map->sid_name_use;
1772 /* Windows will always map RID 513 to something. On a non-domain
1773 controller, this gets mapped to SERVER\None. */
1776 DEBUG(5, ("Can't find a unix id for an unmapped group\n"));
1780 if ( rid == DOMAIN_RID_USERS ) {
1781 *name = talloc_strdup(mem_ctx, "None" );
1782 *psid_name_use = SID_NAME_DOM_GRP;
1790 static NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
1791 const struct dom_sid *domain_sid,
1795 enum lsa_SidType *attrs)
1799 bool have_mapped = False;
1800 bool have_unmapped = False;
1802 if (sid_check_is_builtin(domain_sid)) {
1804 for (i=0; i<num_rids; i++) {
1807 if (lookup_builtin_rid(names, rids[i], &name)) {
1808 attrs[i] = SID_NAME_ALIAS;
1810 DEBUG(5,("lookup_rids: %s:%d\n",
1811 names[i], attrs[i]));
1814 have_unmapped = True;
1815 attrs[i] = SID_NAME_UNKNOWN;
1821 /* Should not happen, but better check once too many */
1822 if (!sid_check_is_domain(domain_sid)) {
1823 return NT_STATUS_INVALID_HANDLE;
1826 for (i = 0; i < num_rids; i++) {
1829 if (lookup_global_sam_rid(names, rids[i], &name, &attrs[i],
1832 return NT_STATUS_NO_MEMORY;
1835 DEBUG(5,("lookup_rids: %s:%d\n", names[i], attrs[i]));
1838 have_unmapped = True;
1839 attrs[i] = SID_NAME_UNKNOWN;
1845 result = NT_STATUS_NONE_MAPPED;
1848 result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
1854 static NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods,
1855 const struct dom_sid *domain_sid,
1859 enum lsa_SidType *attrs)
1863 bool have_mapped = False;
1864 bool have_unmapped = False;
1866 if (sid_check_is_builtin(domain_sid)) {
1868 for (i=0; i<num_names; i++) {
1871 if (lookup_builtin_name(names[i], &rid)) {
1872 attrs[i] = SID_NAME_ALIAS;
1874 DEBUG(5,("lookup_rids: %s:%d\n",
1875 names[i], attrs[i]));
1878 have_unmapped = True;
1879 attrs[i] = SID_NAME_UNKNOWN;
1885 /* Should not happen, but better check once too many */
1886 if (!sid_check_is_domain(domain_sid)) {
1887 return NT_STATUS_INVALID_HANDLE;
1890 for (i = 0; i < num_names; i++) {
1891 if (lookup_global_sam_name(names[i], 0, &rids[i], &attrs[i])) {
1892 DEBUG(5,("lookup_names: %s-> %d:%d\n", names[i],
1893 rids[i], attrs[i]));
1896 have_unmapped = True;
1897 attrs[i] = SID_NAME_UNKNOWN;
1903 result = NT_STATUS_NONE_MAPPED;
1906 result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
1912 static int pdb_search_destructor(struct pdb_search *search)
1914 if ((!search->search_ended) && (search->search_end != NULL)) {
1915 search->search_end(search);
1920 struct pdb_search *pdb_search_init(TALLOC_CTX *mem_ctx,
1921 enum pdb_search_type type)
1923 struct pdb_search *result;
1925 result = talloc(mem_ctx, struct pdb_search);
1926 if (result == NULL) {
1927 DEBUG(0, ("talloc failed\n"));
1931 result->type = type;
1932 result->cache = NULL;
1933 result->num_entries = 0;
1934 result->cache_size = 0;
1935 result->search_ended = False;
1936 result->search_end = NULL;
1938 /* Segfault appropriately if not initialized */
1939 result->next_entry = NULL;
1940 result->search_end = NULL;
1942 talloc_set_destructor(result, pdb_search_destructor);
1947 static void fill_displayentry(TALLOC_CTX *mem_ctx, uint32_t rid,
1948 uint16_t acct_flags,
1949 const char *account_name,
1950 const char *fullname,
1951 const char *description,
1952 struct samr_displayentry *entry)
1955 entry->acct_flags = acct_flags;
1957 if (account_name != NULL)
1958 entry->account_name = talloc_strdup(mem_ctx, account_name);
1960 entry->account_name = "";
1962 if (fullname != NULL)
1963 entry->fullname = talloc_strdup(mem_ctx, fullname);
1965 entry->fullname = "";
1967 if (description != NULL)
1968 entry->description = talloc_strdup(mem_ctx, description);
1970 entry->description = "";
1973 struct group_search {
1975 size_t num_groups, current_group;
1978 static bool next_entry_groups(struct pdb_search *s,
1979 struct samr_displayentry *entry)
1981 struct group_search *state = (struct group_search *)s->private_data;
1985 if (state->current_group == state->num_groups)
1988 map = state->groups[state->current_group];
1990 sid_peek_rid(&map->sid, &rid);
1992 fill_displayentry(s, rid, 0, map->nt_name, NULL, map->comment, entry);
1994 state->current_group += 1;
1998 static void search_end_groups(struct pdb_search *search)
2000 struct group_search *state =
2001 (struct group_search *)search->private_data;
2002 TALLOC_FREE(state->groups);
2005 static bool pdb_search_grouptype(struct pdb_methods *methods,
2006 struct pdb_search *search,
2007 const struct dom_sid *sid, enum lsa_SidType type)
2009 struct group_search *state;
2011 state = talloc_zero(search, struct group_search);
2012 if (state == NULL) {
2013 DEBUG(0, ("talloc failed\n"));
2017 if (!NT_STATUS_IS_OK(methods->enum_group_mapping(methods, sid, type,
2018 &state->groups, &state->num_groups,
2020 DEBUG(0, ("Could not enum groups\n"));
2024 state->current_group = 0;
2025 search->private_data = state;
2026 search->next_entry = next_entry_groups;
2027 search->search_end = search_end_groups;
2031 static bool pdb_default_search_groups(struct pdb_methods *methods,
2032 struct pdb_search *search)
2034 return pdb_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
2037 static bool pdb_default_search_aliases(struct pdb_methods *methods,
2038 struct pdb_search *search,
2039 const struct dom_sid *sid)
2042 return pdb_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
2045 static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
2048 if (idx < search->num_entries)
2049 return &search->cache[idx];
2051 if (search->search_ended)
2054 while (idx >= search->num_entries) {
2055 struct samr_displayentry entry;
2057 if (!search->next_entry(search, &entry)) {
2058 search->search_end(search);
2059 search->search_ended = True;
2063 ADD_TO_LARGE_ARRAY(search, struct samr_displayentry,
2064 entry, &search->cache, &search->num_entries,
2065 &search->cache_size);
2068 return (search->num_entries > idx) ? &search->cache[idx] : NULL;
2071 struct pdb_search *pdb_search_users(TALLOC_CTX *mem_ctx, uint32_t acct_flags)
2073 struct pdb_methods *pdb = pdb_get_methods();
2074 struct pdb_search *result;
2076 result = pdb_search_init(mem_ctx, PDB_USER_SEARCH);
2077 if (result == NULL) {
2081 if (!pdb->search_users(pdb, result, acct_flags)) {
2082 TALLOC_FREE(result);
2088 struct pdb_search *pdb_search_groups(TALLOC_CTX *mem_ctx)
2090 struct pdb_methods *pdb = pdb_get_methods();
2091 struct pdb_search *result;
2093 result = pdb_search_init(mem_ctx, PDB_GROUP_SEARCH);
2094 if (result == NULL) {
2098 if (!pdb->search_groups(pdb, result)) {
2099 TALLOC_FREE(result);
2105 struct pdb_search *pdb_search_aliases(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
2107 struct pdb_methods *pdb = pdb_get_methods();
2108 struct pdb_search *result;
2110 if (pdb == NULL) return NULL;
2112 result = pdb_search_init(mem_ctx, PDB_ALIAS_SEARCH);
2113 if (result == NULL) {
2117 if (!pdb->search_aliases(pdb, result, sid)) {
2118 TALLOC_FREE(result);
2124 uint32_t pdb_search_entries(struct pdb_search *search,
2125 uint32_t start_idx, uint32_t max_entries,
2126 struct samr_displayentry **result)
2128 struct samr_displayentry *end_entry;
2129 uint32_t end_idx = start_idx+max_entries-1;
2131 /* The first entry needs to be searched after the last. Otherwise the
2132 * first entry might have moved due to a realloc during the search for
2133 * the last entry. */
2135 end_entry = pdb_search_getentry(search, end_idx);
2136 *result = pdb_search_getentry(search, start_idx);
2138 if (end_entry != NULL)
2141 if (start_idx >= search->num_entries)
2144 return search->num_entries - start_idx;
2147 /*******************************************************************
2149 *******************************************************************/
2151 bool pdb_get_trusteddom_pw(const char *domain, char** pwd, struct dom_sid *sid,
2152 time_t *pass_last_set_time)
2154 struct pdb_methods *pdb = pdb_get_methods();
2155 return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
2156 pass_last_set_time);
2159 bool pdb_set_trusteddom_pw(const char* domain, const char* pwd,
2160 const struct dom_sid *sid)
2162 struct pdb_methods *pdb = pdb_get_methods();
2163 return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
2166 bool pdb_del_trusteddom_pw(const char *domain)
2168 struct pdb_methods *pdb = pdb_get_methods();
2169 return pdb->del_trusteddom_pw(pdb, domain);
2172 NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2173 struct trustdom_info ***domains)
2175 struct pdb_methods *pdb = pdb_get_methods();
2176 return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
2179 /*******************************************************************
2180 the defaults for trustdom methods:
2181 these simply call the original passdb/secrets.c actions,
2182 to be replaced by pdb_ldap.
2183 *******************************************************************/
2185 static bool pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
2188 struct dom_sid *sid,
2189 time_t *pass_last_set_time)
2191 return secrets_fetch_trusted_domain_password(domain, pwd,
2192 sid, pass_last_set_time);
2196 static bool pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
2199 const struct dom_sid *sid)
2201 return secrets_store_trusted_domain_password(domain, pwd, sid);
2204 static bool pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
2207 return trusted_domain_password_delete(domain);
2210 static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
2211 TALLOC_CTX *mem_ctx,
2212 uint32_t *num_domains,
2213 struct trustdom_info ***domains)
2215 return secrets_trusted_domains(mem_ctx, num_domains, domains);
2218 /*******************************************************************
2219 trusted_domain methods
2220 *******************************************************************/
2222 NTSTATUS pdb_get_trusted_domain(TALLOC_CTX *mem_ctx, const char *domain,
2223 struct pdb_trusted_domain **td)
2225 struct pdb_methods *pdb = pdb_get_methods();
2226 return pdb->get_trusted_domain(pdb, mem_ctx, domain, td);
2229 NTSTATUS pdb_get_trusted_domain_by_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid,
2230 struct pdb_trusted_domain **td)
2232 struct pdb_methods *pdb = pdb_get_methods();
2233 return pdb->get_trusted_domain_by_sid(pdb, mem_ctx, sid, td);
2236 NTSTATUS pdb_set_trusted_domain(const char* domain,
2237 const struct pdb_trusted_domain *td)
2239 struct pdb_methods *pdb = pdb_get_methods();
2240 return pdb->set_trusted_domain(pdb, domain, td);
2243 NTSTATUS pdb_del_trusted_domain(const char *domain)
2245 struct pdb_methods *pdb = pdb_get_methods();
2246 return pdb->del_trusted_domain(pdb, domain);
2249 NTSTATUS pdb_enum_trusted_domains(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2250 struct pdb_trusted_domain ***domains)
2252 struct pdb_methods *pdb = pdb_get_methods();
2253 return pdb->enum_trusted_domains(pdb, mem_ctx, num_domains, domains);
2256 static NTSTATUS pdb_default_get_trusted_domain(struct pdb_methods *methods,
2257 TALLOC_CTX *mem_ctx,
2259 struct pdb_trusted_domain **td)
2261 struct trustAuthInOutBlob taiob;
2262 struct AuthenticationInformation aia;
2263 struct pdb_trusted_domain *tdom;
2264 enum ndr_err_code ndr_err;
2265 time_t last_set_time;
2269 tdom = talloc(mem_ctx, struct pdb_trusted_domain);
2271 return NT_STATUS_NO_MEMORY;
2274 tdom->domain_name = talloc_strdup(tdom, domain);
2275 tdom->netbios_name = talloc_strdup(tdom, domain);
2276 if (!tdom->domain_name || !tdom->netbios_name) {
2278 return NT_STATUS_NO_MEMORY;
2281 tdom->trust_auth_incoming = data_blob_null;
2283 ok = pdb_get_trusteddom_pw(domain, &pwd, &tdom->security_identifier,
2287 return NT_STATUS_UNSUCCESSFUL;
2293 taiob.current.count = 1;
2294 taiob.current.array = &aia;
2295 unix_to_nt_time(&aia.LastUpdateTime, last_set_time);
2296 aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
2297 aia.AuthInfo.clear.password = (uint8_t *) pwd;
2298 aia.AuthInfo.clear.size = strlen(pwd);
2299 taiob.previous.count = 0;
2300 taiob.previous.array = NULL;
2302 ndr_err = ndr_push_struct_blob(&tdom->trust_auth_outgoing,
2304 (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
2305 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2307 return NT_STATUS_UNSUCCESSFUL;
2310 tdom->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
2311 tdom->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
2312 tdom->trust_attributes = 0;
2313 tdom->trust_forest_trust_info = data_blob_null;
2316 return NT_STATUS_OK;
2319 static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
2320 TALLOC_CTX *mem_ctx,
2321 struct dom_sid *sid,
2322 struct pdb_trusted_domain **td)
2324 return NT_STATUS_NOT_IMPLEMENTED;
2327 #define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
2329 static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
2331 const struct pdb_trusted_domain *td)
2333 struct trustAuthInOutBlob taiob;
2334 struct AuthenticationInformation *aia;
2335 enum ndr_err_code ndr_err;
2339 if (td->trust_attributes != 0 ||
2340 td->trust_type != LSA_TRUST_TYPE_DOWNLEVEL ||
2341 td->trust_direction != LSA_TRUST_DIRECTION_OUTBOUND ||
2342 !IS_NULL_DATA_BLOB(td->trust_auth_incoming) ||
2343 !IS_NULL_DATA_BLOB(td->trust_forest_trust_info)) {
2344 return NT_STATUS_NOT_IMPLEMENTED;
2348 ndr_err = ndr_pull_struct_blob(&td->trust_auth_outgoing, talloc_tos(),
2350 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2351 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2352 return NT_STATUS_UNSUCCESSFUL;
2355 aia = (struct AuthenticationInformation *) taiob.current.array;
2357 if (taiob.count != 1 || taiob.current.count != 1 ||
2358 taiob.previous.count != 0 ||
2359 aia->AuthType != TRUST_AUTH_TYPE_CLEAR) {
2360 return NT_STATUS_NOT_IMPLEMENTED;
2363 pwd = talloc_strndup(talloc_tos(), (char *) aia->AuthInfo.clear.password,
2364 aia->AuthInfo.clear.size);
2366 return NT_STATUS_NO_MEMORY;
2369 ok = pdb_set_trusteddom_pw(domain, pwd, &td->security_identifier);
2371 return NT_STATUS_UNSUCCESSFUL;
2374 return NT_STATUS_OK;
2377 static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
2380 return NT_STATUS_NOT_IMPLEMENTED;
2383 static NTSTATUS pdb_default_enum_trusted_domains(struct pdb_methods *methods,
2384 TALLOC_CTX *mem_ctx,
2385 uint32_t *num_domains,
2386 struct pdb_trusted_domain ***domains)
2388 return NT_STATUS_NOT_IMPLEMENTED;
2391 static struct pdb_domain_info *pdb_default_get_domain_info(
2392 struct pdb_methods *m, TALLOC_CTX *mem_ctx)
2397 /*******************************************************************
2399 *******************************************************************/
2401 NTSTATUS pdb_get_secret(TALLOC_CTX *mem_ctx,
2402 const char *secret_name,
2403 DATA_BLOB *secret_current,
2404 NTTIME *secret_current_lastchange,
2405 DATA_BLOB *secret_old,
2406 NTTIME *secret_old_lastchange,
2407 struct security_descriptor **sd)
2409 struct pdb_methods *pdb = pdb_get_methods();
2410 return pdb->get_secret(pdb, mem_ctx, secret_name,
2411 secret_current, secret_current_lastchange,
2412 secret_old, secret_old_lastchange,
2416 NTSTATUS pdb_set_secret(const char *secret_name,
2417 DATA_BLOB *secret_current,
2418 DATA_BLOB *secret_old,
2419 struct security_descriptor *sd)
2421 struct pdb_methods *pdb = pdb_get_methods();
2422 return pdb->set_secret(pdb, secret_name,
2428 NTSTATUS pdb_delete_secret(const char *secret_name)
2430 struct pdb_methods *pdb = pdb_get_methods();
2431 return pdb->delete_secret(pdb, secret_name);
2434 static NTSTATUS pdb_default_get_secret(struct pdb_methods *methods,
2435 TALLOC_CTX *mem_ctx,
2436 const char *secret_name,
2437 DATA_BLOB *secret_current,
2438 NTTIME *secret_current_lastchange,
2439 DATA_BLOB *secret_old,
2440 NTTIME *secret_old_lastchange,
2441 struct security_descriptor **sd)
2443 return lsa_secret_get(mem_ctx, secret_name,
2445 secret_current_lastchange,
2447 secret_old_lastchange,
2451 static NTSTATUS pdb_default_set_secret(struct pdb_methods *methods,
2452 const char *secret_name,
2453 DATA_BLOB *secret_current,
2454 DATA_BLOB *secret_old,
2455 struct security_descriptor *sd)
2457 return lsa_secret_set(secret_name,
2463 static NTSTATUS pdb_default_delete_secret(struct pdb_methods *methods,
2464 const char *secret_name)
2466 return lsa_secret_delete(secret_name);
2469 /*******************************************************************
2470 Create a pdb_methods structure and initialize it with the default
2471 operations. In this way a passdb module can simply implement
2472 the functionality it cares about. However, normally this is done
2473 in groups of related functions.
2474 *******************************************************************/
2476 NTSTATUS make_pdb_method( struct pdb_methods **methods )
2478 /* allocate memory for the structure as its own talloc CTX */
2480 *methods = talloc_zero(NULL, struct pdb_methods);
2481 if (*methods == NULL) {
2482 return NT_STATUS_NO_MEMORY;
2485 (*methods)->get_domain_info = pdb_default_get_domain_info;
2486 (*methods)->getsampwnam = pdb_default_getsampwnam;
2487 (*methods)->getsampwsid = pdb_default_getsampwsid;
2488 (*methods)->create_user = pdb_default_create_user;
2489 (*methods)->delete_user = pdb_default_delete_user;
2490 (*methods)->add_sam_account = pdb_default_add_sam_account;
2491 (*methods)->update_sam_account = pdb_default_update_sam_account;
2492 (*methods)->delete_sam_account = pdb_default_delete_sam_account;
2493 (*methods)->rename_sam_account = pdb_default_rename_sam_account;
2494 (*methods)->update_login_attempts = pdb_default_update_login_attempts;
2496 (*methods)->getgrsid = pdb_default_getgrsid;
2497 (*methods)->getgrgid = pdb_default_getgrgid;
2498 (*methods)->getgrnam = pdb_default_getgrnam;
2499 (*methods)->create_dom_group = pdb_default_create_dom_group;
2500 (*methods)->delete_dom_group = pdb_default_delete_dom_group;
2501 (*methods)->add_group_mapping_entry = pdb_default_add_group_mapping_entry;
2502 (*methods)->update_group_mapping_entry = pdb_default_update_group_mapping_entry;
2503 (*methods)->delete_group_mapping_entry = pdb_default_delete_group_mapping_entry;
2504 (*methods)->enum_group_mapping = pdb_default_enum_group_mapping;
2505 (*methods)->enum_group_members = pdb_default_enum_group_members;
2506 (*methods)->enum_group_memberships = pdb_default_enum_group_memberships;
2507 (*methods)->set_unix_primary_group = pdb_default_set_unix_primary_group;
2508 (*methods)->add_groupmem = pdb_default_add_groupmem;
2509 (*methods)->del_groupmem = pdb_default_del_groupmem;
2510 (*methods)->create_alias = pdb_default_create_alias;
2511 (*methods)->delete_alias = pdb_default_delete_alias;
2512 (*methods)->get_aliasinfo = pdb_default_get_aliasinfo;
2513 (*methods)->set_aliasinfo = pdb_default_set_aliasinfo;
2514 (*methods)->add_aliasmem = pdb_default_add_aliasmem;
2515 (*methods)->del_aliasmem = pdb_default_del_aliasmem;
2516 (*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
2517 (*methods)->enum_alias_memberships = pdb_default_alias_memberships;
2518 (*methods)->lookup_rids = pdb_default_lookup_rids;
2519 (*methods)->get_account_policy = pdb_default_get_account_policy;
2520 (*methods)->set_account_policy = pdb_default_set_account_policy;
2521 (*methods)->get_seq_num = pdb_default_get_seq_num;
2522 (*methods)->uid_to_sid = pdb_default_uid_to_sid;
2523 (*methods)->gid_to_sid = pdb_default_gid_to_sid;
2524 (*methods)->sid_to_id = pdb_default_sid_to_id;
2526 (*methods)->search_groups = pdb_default_search_groups;
2527 (*methods)->search_aliases = pdb_default_search_aliases;
2529 (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
2530 (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
2531 (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
2532 (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
2534 (*methods)->get_trusted_domain = pdb_default_get_trusted_domain;
2535 (*methods)->get_trusted_domain_by_sid = pdb_default_get_trusted_domain_by_sid;
2536 (*methods)->set_trusted_domain = pdb_default_set_trusted_domain;
2537 (*methods)->del_trusted_domain = pdb_default_del_trusted_domain;
2538 (*methods)->enum_trusted_domains = pdb_default_enum_trusted_domains;
2540 (*methods)->get_secret = pdb_default_get_secret;
2541 (*methods)->set_secret = pdb_default_set_secret;
2542 (*methods)->delete_secret = pdb_default_delete_secret;
2544 return NT_STATUS_OK;