Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : Password and authentication handling
4 : Copyright (C) Andrew Bartlett 2002
5 : Copyright (C) Jelmer Vernooij 2002
6 : Copyright (C) Simo Sorce 2003
7 : Copyright (C) Volker Lendecke 2006
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 :
23 : #include "includes.h"
24 : #include "system/passwd.h"
25 : #include "passdb.h"
26 : #include "secrets.h"
27 : #include "messages.h"
28 : #include "serverid.h"
29 : #include "../librpc/gen_ndr/samr.h"
30 : #include "../librpc/gen_ndr/drsblobs.h"
31 : #include "../librpc/gen_ndr/ndr_drsblobs.h"
32 : #include "../librpc/gen_ndr/idmap.h"
33 : #include "../lib/util/memcache.h"
34 : #include "nsswitch/winbind_client.h"
35 : #include "../libcli/security/security.h"
36 : #include "../lib/util/util_pw.h"
37 : #include "passdb/pdb_secrets.h"
38 : #include "lib/util_sid_passdb.h"
39 : #include "idmap_cache.h"
40 : #include "lib/util/string_wrappers.h"
41 : #include "lib/global_contexts.h"
42 :
43 : #undef DBGC_CLASS
44 : #define DBGC_CLASS DBGC_PASSDB
45 :
46 : static_decl_pdb;
47 :
48 : static struct pdb_init_function_entry *backends = NULL;
49 :
50 33710 : static void lazy_initialize_passdb(void)
51 : {
52 877 : static bool initialized = False;
53 33710 : if(initialized) {
54 30934 : return;
55 : }
56 1915 : static_init_pdb(NULL);
57 1915 : initialized = True;
58 : }
59 :
60 : static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
61 : const char **name,
62 : enum lsa_SidType *psid_name_use,
63 : uid_t *uid, gid_t *gid);
64 :
65 9381 : NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
66 : {
67 9381 : struct pdb_init_function_entry *entry = NULL;
68 :
69 9381 : if(version != PASSDB_INTERFACE_VERSION) {
70 0 : DEBUG(0,("Can't register passdb backend!\n"
71 : "You tried to register a passdb module with PASSDB_INTERFACE_VERSION %d, "
72 : "while this version of samba uses version %d\n",
73 : version,PASSDB_INTERFACE_VERSION));
74 0 : return NT_STATUS_OBJECT_TYPE_MISMATCH;
75 : }
76 :
77 9381 : if (!name || !init) {
78 0 : return NT_STATUS_INVALID_PARAMETER;
79 : }
80 :
81 9381 : DEBUG(5,("Attempting to register passdb backend %s\n", name));
82 :
83 : /* Check for duplicates */
84 9381 : if (pdb_find_backend_entry(name)) {
85 0 : DEBUG(0,("There already is a passdb backend registered with the name %s!\n", name));
86 0 : return NT_STATUS_OBJECT_NAME_COLLISION;
87 : }
88 :
89 9381 : entry = SMB_XMALLOC_P(struct pdb_init_function_entry);
90 9381 : entry->name = smb_xstrdup(name);
91 9381 : entry->init = init;
92 :
93 9381 : DLIST_ADD(backends, entry);
94 9381 : DEBUG(5,("Successfully added passdb backend '%s'\n", name));
95 9381 : return NT_STATUS_OK;
96 : }
97 :
98 43091 : struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
99 : {
100 43091 : struct pdb_init_function_entry *entry = backends;
101 :
102 137010 : while(entry) {
103 127629 : if (strcmp(entry->name, name)==0) return entry;
104 93919 : entry = entry->next;
105 : }
106 :
107 9285 : return NULL;
108 : }
109 :
110 0 : const struct pdb_init_function_entry *pdb_get_backends(void)
111 : {
112 0 : return backends;
113 : }
114 :
115 :
116 : /*
117 : * The event context for the passdb backend. I know this is a bad hack and yet
118 : * another static variable, but our pdb API is a global thing per
119 : * definition. The first use for this is the LDAP idle function, more might be
120 : * added later.
121 : *
122 : * I don't feel too bad about this static variable, it replaces the
123 : * smb_idle_event_list that used to exist in lib/module.c. -- VL
124 : */
125 :
126 : static struct tevent_context *pdb_tevent_ctx;
127 :
128 0 : struct tevent_context *pdb_get_tevent_context(void)
129 : {
130 0 : return pdb_tevent_ctx;
131 : }
132 :
133 : /******************************************************************
134 : Make a pdb_methods from scratch
135 : *******************************************************************/
136 :
137 33710 : NTSTATUS make_pdb_method_name(struct pdb_methods **methods, const char *selected)
138 : {
139 33710 : char *module_name = smb_xstrdup(selected);
140 33710 : char *module_location = NULL, *p;
141 877 : struct pdb_init_function_entry *entry;
142 877 : NTSTATUS nt_status;
143 :
144 33710 : lazy_initialize_passdb();
145 :
146 33710 : p = strchr(module_name, ':');
147 :
148 33710 : if (p) {
149 160 : *p = 0;
150 160 : module_location = p+1;
151 160 : trim_char(module_location, ' ', ' ');
152 : }
153 :
154 33710 : trim_char(module_name, ' ', ' ');
155 :
156 :
157 33710 : DEBUG(5,("Attempting to find a passdb backend to match %s (%s)\n", selected, module_name));
158 :
159 33710 : entry = pdb_find_backend_entry(module_name);
160 :
161 : /* Try to find a module that contains this module */
162 33710 : if (!entry) {
163 0 : DEBUG(2,("No builtin backend found, trying to load plugin\n"));
164 0 : if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) {
165 0 : DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name));
166 0 : SAFE_FREE(module_name);
167 0 : return NT_STATUS_UNSUCCESSFUL;
168 : }
169 : }
170 :
171 : /* No such backend found */
172 33710 : if(!entry) {
173 0 : DEBUG(0,("No builtin nor plugin backend for %s found\n", module_name));
174 0 : SAFE_FREE(module_name);
175 0 : return NT_STATUS_INVALID_PARAMETER;
176 : }
177 :
178 33710 : DEBUG(5,("Found pdb backend %s\n", module_name));
179 :
180 33710 : nt_status = entry->init(methods, module_location);
181 33710 : if (!NT_STATUS_IS_OK(nt_status)) {
182 0 : DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n",
183 : selected, nt_errstr(nt_status)));
184 0 : SAFE_FREE(module_name);
185 0 : return nt_status;
186 : }
187 :
188 33710 : SAFE_FREE(module_name);
189 :
190 33710 : DEBUG(5,("pdb backend %s has a valid init\n", selected));
191 :
192 33710 : return nt_status;
193 : }
194 :
195 : /******************************************************************
196 : Return an already initialized pdb_methods structure
197 : *******************************************************************/
198 :
199 1100584 : static struct pdb_methods *pdb_get_methods_reload( bool reload )
200 : {
201 1861 : static struct pdb_methods *pdb = NULL;
202 1100584 : const char *backend = lp_passdb_backend();
203 1100584 : NTSTATUS status = NT_STATUS_OK;
204 :
205 1100584 : if ( pdb && reload ) {
206 31572 : if (pdb->free_private_data != NULL) {
207 9653 : pdb->free_private_data( &(pdb->private_data) );
208 : }
209 31572 : status = make_pdb_method_name(&pdb, backend);
210 : }
211 :
212 1100584 : if ( !pdb ) {
213 1914 : status = make_pdb_method_name(&pdb, backend);
214 : }
215 :
216 1100584 : if (!NT_STATUS_IS_OK(status)) {
217 0 : return NULL;
218 : }
219 :
220 1100584 : return pdb;
221 : }
222 :
223 1068379 : static struct pdb_methods *pdb_get_methods(void)
224 : {
225 1009 : struct pdb_methods *pdb;
226 :
227 1068379 : pdb = pdb_get_methods_reload(false);
228 1068379 : if (!pdb) {
229 0 : char *msg = NULL;
230 0 : if (asprintf(&msg, "pdb_get_methods: "
231 : "failed to get pdb methods for backend %s\n",
232 : lp_passdb_backend()) > 0) {
233 0 : smb_panic(msg);
234 : } else {
235 0 : smb_panic("pdb_get_methods");
236 : }
237 : }
238 :
239 1068379 : return pdb;
240 : }
241 :
242 4038 : struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX *mem_ctx)
243 : {
244 4038 : struct pdb_methods *pdb = pdb_get_methods();
245 4038 : return pdb->get_domain_info(pdb, mem_ctx);
246 : }
247 :
248 : /**
249 : * @brief Check if the user account has been locked out and try to unlock it.
250 : *
251 : * If the user has been automatically locked out and a lockout duration is set,
252 : * then check if we can unlock the account and reset the bad password values.
253 : *
254 : * @param[in] sampass The sam user to check.
255 : *
256 : * @return True if the function was successful, false on an error.
257 : */
258 54227 : static bool pdb_try_account_unlock(struct samu *sampass)
259 : {
260 54227 : uint32_t acb_info = pdb_get_acct_ctrl(sampass);
261 :
262 54227 : if ((acb_info & ACB_NORMAL) && (acb_info & ACB_AUTOLOCK)) {
263 0 : uint32_t lockout_duration;
264 0 : time_t bad_password_time;
265 0 : time_t now = time(NULL);
266 0 : bool ok;
267 :
268 0 : ok = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
269 : &lockout_duration);
270 0 : if (!ok) {
271 0 : DEBUG(0, ("pdb_try_account_unlock: "
272 : "pdb_get_account_policy failed.\n"));
273 0 : return false;
274 : }
275 :
276 0 : if (lockout_duration == (uint32_t) -1 ||
277 0 : lockout_duration == 0) {
278 0 : DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
279 : "can't reset autolock\n"));
280 0 : return false;
281 : }
282 0 : lockout_duration *= 60;
283 :
284 0 : bad_password_time = pdb_get_bad_password_time(sampass);
285 0 : if (bad_password_time == (time_t) 0) {
286 0 : DEBUG(2, ("pdb_try_account_unlock: Account %s "
287 : "administratively locked out "
288 : "with no bad password "
289 : "time. Leaving locked out.\n",
290 : pdb_get_username(sampass)));
291 0 : return true;
292 : }
293 :
294 0 : if ((bad_password_time +
295 0 : convert_uint32_t_to_time_t(lockout_duration)) < now) {
296 0 : NTSTATUS status;
297 :
298 0 : pdb_set_acct_ctrl(sampass, acb_info & ~ACB_AUTOLOCK,
299 : PDB_CHANGED);
300 0 : pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
301 0 : pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
302 :
303 0 : become_root();
304 0 : status = pdb_update_sam_account(sampass);
305 0 : unbecome_root();
306 0 : if (!NT_STATUS_IS_OK(status)) {
307 0 : DEBUG(0, ("_samr_OpenUser: Couldn't "
308 : "update account %s - %s\n",
309 : pdb_get_username(sampass),
310 : nt_errstr(status)));
311 0 : return false;
312 : }
313 : }
314 : }
315 :
316 53951 : return true;
317 : }
318 :
319 : /**
320 : * @brief Get a sam user structure by the given username.
321 : *
322 : * This functions also checks if the account has been automatically locked out
323 : * and unlocks it if a lockout duration time has been defined and the time has
324 : * elapsed.
325 : *
326 : * @param[in] sam_acct The sam user structure to fill.
327 : *
328 : * @param[in] username The username to look for.
329 : *
330 : * @return True on success, false on error.
331 : */
332 47383 : bool pdb_getsampwnam(struct samu *sam_acct, const char *username)
333 : {
334 47383 : struct pdb_methods *pdb = pdb_get_methods();
335 0 : struct samu *for_cache;
336 0 : const struct dom_sid *user_sid;
337 0 : NTSTATUS status;
338 0 : bool ok;
339 :
340 47383 : status = pdb->getsampwnam(pdb, sam_acct, username);
341 47383 : if (!NT_STATUS_IS_OK(status)) {
342 4469 : return false;
343 : }
344 :
345 42914 : ok = pdb_try_account_unlock(sam_acct);
346 42914 : if (!ok) {
347 0 : DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
348 : username));
349 : }
350 :
351 42914 : for_cache = samu_new(NULL);
352 42914 : if (for_cache == NULL) {
353 0 : return False;
354 : }
355 :
356 42914 : if (!pdb_copy_sam_account(for_cache, sam_acct)) {
357 0 : TALLOC_FREE(for_cache);
358 0 : return False;
359 : }
360 :
361 42914 : user_sid = pdb_get_user_sid(for_cache);
362 :
363 42914 : ok = memcache_add_talloc(NULL,
364 : PDB_GETPWSID_CACHE,
365 : data_blob_const(user_sid, sizeof(*user_sid)),
366 : &for_cache);
367 42914 : if (!ok) {
368 1757 : TALLOC_FREE(for_cache);
369 : }
370 :
371 42914 : return True;
372 : }
373 :
374 : /**********************************************************************
375 : **********************************************************************/
376 :
377 96 : static bool guest_user_info( struct samu *user )
378 : {
379 0 : struct passwd *pwd;
380 0 : NTSTATUS result;
381 96 : const char *guestname = lp_guest_account();
382 :
383 96 : pwd = Get_Pwnam_alloc(talloc_tos(), guestname);
384 96 : if (pwd == NULL) {
385 0 : DEBUG(0,("guest_user_info: Unable to locate guest account [%s]!\n",
386 : guestname));
387 0 : return False;
388 : }
389 :
390 96 : result = samu_set_unix(user, pwd );
391 :
392 96 : TALLOC_FREE( pwd );
393 :
394 96 : return NT_STATUS_IS_OK( result );
395 : }
396 :
397 : /**
398 : * @brief Get a sam user structure by the given username.
399 : *
400 : * This functions also checks if the account has been automatically locked out
401 : * and unlocks it if a lockout duration time has been defined and the time has
402 : * elapsed.
403 : *
404 : *
405 : * @param[in] sam_acct The sam user structure to fill.
406 : *
407 : * @param[in] sid The user SDI to look up.
408 : *
409 : * @return True on success, false on error.
410 : */
411 13773 : bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
412 : {
413 13773 : struct pdb_methods *pdb = pdb_get_methods();
414 282 : uint32_t rid;
415 282 : void *cache_data;
416 13773 : bool ok = false;
417 :
418 : /* hard code the Guest RID of 501 */
419 :
420 13773 : if ( !sid_peek_check_rid( get_global_sam_sid(), sid, &rid ) )
421 0 : return False;
422 :
423 13773 : if ( rid == DOMAIN_RID_GUEST ) {
424 96 : DEBUG(6,("pdb_getsampwsid: Building guest account\n"));
425 96 : return guest_user_info( sam_acct );
426 : }
427 :
428 : /* check the cache first */
429 :
430 13677 : cache_data = memcache_lookup_talloc(
431 : NULL, PDB_GETPWSID_CACHE, data_blob_const(sid, sizeof(*sid)));
432 :
433 13677 : if (cache_data != NULL) {
434 144 : struct samu *cache_copy = talloc_get_type_abort(
435 : cache_data, struct samu);
436 :
437 144 : ok = pdb_copy_sam_account(sam_acct, cache_copy);
438 : } else {
439 13533 : ok = NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
440 : }
441 :
442 13677 : if (!ok) {
443 2358 : return false;
444 : }
445 :
446 11313 : ok = pdb_try_account_unlock(sam_acct);
447 11313 : if (!ok) {
448 0 : DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
449 : sam_acct->username));
450 : }
451 :
452 11037 : return true;
453 : }
454 :
455 552 : static NTSTATUS pdb_default_create_user(struct pdb_methods *methods,
456 : TALLOC_CTX *tmp_ctx, const char *name,
457 : uint32_t acb_info, uint32_t *rid)
458 : {
459 0 : const struct loadparm_substitution *lp_sub =
460 552 : loadparm_s3_global_substitution();
461 0 : struct samu *sam_pass;
462 0 : NTSTATUS status;
463 0 : struct passwd *pwd;
464 :
465 552 : if ((sam_pass = samu_new(tmp_ctx)) == NULL) {
466 0 : return NT_STATUS_NO_MEMORY;
467 : }
468 :
469 552 : if ( !(pwd = Get_Pwnam_alloc(tmp_ctx, name)) ) {
470 60 : char *add_script = NULL;
471 0 : int add_ret;
472 0 : fstring name2;
473 :
474 60 : if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] != '$') {
475 18 : add_script = lp_add_user_script(tmp_ctx, lp_sub);
476 : } else {
477 42 : add_script = lp_add_machine_script(tmp_ctx, lp_sub);
478 : }
479 :
480 60 : if (!add_script || add_script[0] == '\0') {
481 0 : DEBUG(3, ("Could not find user %s and no add script "
482 : "defined\n", name));
483 0 : return NT_STATUS_NO_SUCH_USER;
484 : }
485 :
486 : /* lowercase the username before creating the Unix account for
487 : compatibility with previous Samba releases */
488 60 : fstrcpy( name2, name );
489 60 : if (!strlower_m( name2 )) {
490 0 : return NT_STATUS_INVALID_PARAMETER;
491 : }
492 60 : add_script = talloc_all_string_sub(tmp_ctx,
493 : add_script,
494 : "%u",
495 : name2);
496 60 : if (!add_script) {
497 0 : return NT_STATUS_NO_MEMORY;
498 : }
499 60 : add_ret = smbrun(add_script, NULL, NULL);
500 60 : DEBUG(add_ret ? 0 : 3, ("_samr_create_user: Running the command `%s' gave %d\n",
501 : add_script, add_ret));
502 60 : if (add_ret == 0) {
503 60 : smb_nscd_flush_user_cache();
504 : }
505 :
506 60 : flush_pwnam_cache();
507 :
508 60 : pwd = Get_Pwnam_alloc(tmp_ctx, name);
509 :
510 60 : if(pwd == NULL) {
511 0 : DEBUG(3, ("Could not find user %s, add script did not work\n", name));
512 0 : return NT_STATUS_NO_SUCH_USER;
513 : }
514 : }
515 :
516 : /* we have a valid SID coming out of this call */
517 :
518 552 : status = samu_alloc_rid_unix(methods, sam_pass, pwd);
519 :
520 552 : TALLOC_FREE( pwd );
521 :
522 552 : if (!NT_STATUS_IS_OK(status)) {
523 0 : DEBUG(3, ("pdb_default_create_user: failed to create a new user structure: %s\n", nt_errstr(status)));
524 0 : return status;
525 : }
526 :
527 552 : if (!sid_peek_check_rid(get_global_sam_sid(),
528 : pdb_get_user_sid(sam_pass), rid)) {
529 0 : DEBUG(0, ("Could not get RID of fresh user\n"));
530 0 : return NT_STATUS_INTERNAL_ERROR;
531 : }
532 :
533 : /* Use the username case specified in the original request */
534 :
535 552 : pdb_set_username( sam_pass, name, PDB_SET );
536 :
537 : /* Disable the account on creation, it does not have a reasonable password yet. */
538 :
539 552 : acb_info |= ACB_DISABLED;
540 :
541 552 : pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
542 :
543 552 : status = methods->add_sam_account(methods, sam_pass);
544 :
545 552 : TALLOC_FREE(sam_pass);
546 :
547 552 : return status;
548 : }
549 :
550 553 : NTSTATUS pdb_create_user(TALLOC_CTX *mem_ctx, const char *name, uint32_t flags,
551 : uint32_t *rid)
552 : {
553 553 : struct pdb_methods *pdb = pdb_get_methods();
554 553 : return pdb->create_user(pdb, mem_ctx, name, flags, rid);
555 : }
556 :
557 : /****************************************************************************
558 : Delete a UNIX user on demand.
559 : ****************************************************************************/
560 :
561 56 : static int smb_delete_user(const char *unix_user)
562 : {
563 0 : const struct loadparm_substitution *lp_sub =
564 56 : loadparm_s3_global_substitution();
565 56 : char *del_script = NULL;
566 0 : int ret;
567 :
568 : /* safety check */
569 :
570 56 : if ( strequal( unix_user, "root" ) ) {
571 0 : DEBUG(0,("smb_delete_user: Refusing to delete local system root account!\n"));
572 0 : return -1;
573 : }
574 :
575 56 : del_script = lp_delete_user_script(talloc_tos(), lp_sub);
576 56 : if (!del_script || !*del_script) {
577 0 : return -1;
578 : }
579 56 : del_script = talloc_all_string_sub(talloc_tos(),
580 : del_script,
581 : "%u",
582 : unix_user);
583 56 : if (!del_script) {
584 0 : return -1;
585 : }
586 56 : ret = smbrun(del_script, NULL, NULL);
587 56 : flush_pwnam_cache();
588 56 : if (ret == 0) {
589 56 : smb_nscd_flush_user_cache();
590 : }
591 56 : DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
592 :
593 56 : return ret;
594 : }
595 :
596 56 : static NTSTATUS pdb_default_delete_user(struct pdb_methods *methods,
597 : TALLOC_CTX *mem_ctx,
598 : struct samu *sam_acct)
599 : {
600 0 : NTSTATUS status;
601 0 : fstring username;
602 :
603 56 : status = methods->delete_sam_account(methods, sam_acct);
604 56 : if (!NT_STATUS_IS_OK(status)) {
605 0 : return status;
606 : }
607 :
608 : /*
609 : * Now delete the unix side ....
610 : * note: we don't check if the delete really happened as the script is
611 : * not necessary present and maybe the sysadmin doesn't want to delete
612 : * the unix side
613 : */
614 :
615 : /* always lower case the username before handing it off to
616 : external scripts */
617 :
618 56 : fstrcpy( username, pdb_get_username(sam_acct) );
619 56 : if (!strlower_m( username )) {
620 0 : return status;
621 : }
622 :
623 56 : smb_delete_user( username );
624 :
625 56 : return status;
626 : }
627 :
628 56 : NTSTATUS pdb_delete_user(TALLOC_CTX *mem_ctx, struct samu *sam_acct)
629 : {
630 56 : struct pdb_methods *pdb = pdb_get_methods();
631 56 : uid_t uid = -1;
632 0 : NTSTATUS status;
633 0 : const struct dom_sid *user_sid;
634 0 : char *msg_data;
635 :
636 56 : user_sid = pdb_get_user_sid(sam_acct);
637 :
638 : /* sanity check to make sure we don't delete root */
639 :
640 56 : if ( !sid_to_uid(user_sid, &uid ) ) {
641 0 : return NT_STATUS_NO_SUCH_USER;
642 : }
643 :
644 56 : if ( uid == 0 ) {
645 0 : return NT_STATUS_ACCESS_DENIED;
646 : }
647 :
648 56 : memcache_delete(NULL,
649 : PDB_GETPWSID_CACHE,
650 : data_blob_const(user_sid, sizeof(*user_sid)));
651 :
652 56 : status = pdb->delete_user(pdb, mem_ctx, sam_acct);
653 56 : if (!NT_STATUS_IS_OK(status)) {
654 0 : return status;
655 : }
656 :
657 56 : msg_data = talloc_asprintf(mem_ctx, "USER %s",
658 : pdb_get_username(sam_acct));
659 56 : if (!msg_data) {
660 : /* not fatal, and too late to rollback,
661 : * just return */
662 0 : return status;
663 : }
664 56 : messaging_send_all(global_messaging_context(),
665 : ID_CACHE_DELETE,
666 : msg_data,
667 56 : strlen(msg_data) + 1);
668 :
669 56 : TALLOC_FREE(msg_data);
670 56 : return status;
671 : }
672 :
673 0 : NTSTATUS pdb_add_sam_account(struct samu *sam_acct)
674 : {
675 0 : struct pdb_methods *pdb = pdb_get_methods();
676 0 : return pdb->add_sam_account(pdb, sam_acct);
677 : }
678 :
679 811 : NTSTATUS pdb_update_sam_account(struct samu *sam_acct)
680 : {
681 811 : struct pdb_methods *pdb = pdb_get_methods();
682 :
683 811 : memcache_flush(NULL, PDB_GETPWSID_CACHE);
684 :
685 811 : return pdb->update_sam_account(pdb, sam_acct);
686 : }
687 :
688 3 : NTSTATUS pdb_delete_sam_account(struct samu *sam_acct)
689 : {
690 3 : struct pdb_methods *pdb = pdb_get_methods();
691 3 : const struct dom_sid *user_sid = pdb_get_user_sid(sam_acct);
692 :
693 3 : memcache_delete(NULL,
694 : PDB_GETPWSID_CACHE,
695 : data_blob_const(user_sid, sizeof(*user_sid)));
696 :
697 3 : return pdb->delete_sam_account(pdb, sam_acct);
698 : }
699 :
700 0 : NTSTATUS pdb_rename_sam_account(struct samu *oldname, const char *newname)
701 : {
702 0 : struct pdb_methods *pdb = pdb_get_methods();
703 0 : uid_t uid;
704 0 : NTSTATUS status;
705 :
706 0 : memcache_flush(NULL, PDB_GETPWSID_CACHE);
707 :
708 : /* sanity check to make sure we don't rename root */
709 :
710 0 : if ( !sid_to_uid( pdb_get_user_sid(oldname), &uid ) ) {
711 0 : return NT_STATUS_NO_SUCH_USER;
712 : }
713 :
714 0 : if ( uid == 0 ) {
715 0 : return NT_STATUS_ACCESS_DENIED;
716 : }
717 :
718 0 : status = pdb->rename_sam_account(pdb, oldname, newname);
719 :
720 : /* always flush the cache here just to be safe */
721 0 : flush_pwnam_cache();
722 :
723 0 : return status;
724 : }
725 :
726 20721 : NTSTATUS pdb_update_login_attempts(struct samu *sam_acct, bool success)
727 : {
728 20721 : struct pdb_methods *pdb = pdb_get_methods();
729 20721 : return pdb->update_login_attempts(pdb, sam_acct, success);
730 : }
731 :
732 72606 : bool pdb_getgrsid(GROUP_MAP *map, struct dom_sid sid)
733 : {
734 72606 : struct pdb_methods *pdb = pdb_get_methods();
735 72606 : return NT_STATUS_IS_OK(pdb->getgrsid(pdb, map, sid));
736 : }
737 :
738 161 : bool pdb_getgrgid(GROUP_MAP *map, gid_t gid)
739 : {
740 161 : struct pdb_methods *pdb = pdb_get_methods();
741 161 : return NT_STATUS_IS_OK(pdb->getgrgid(pdb, map, gid));
742 : }
743 :
744 2156 : bool pdb_getgrnam(GROUP_MAP *map, const char *name)
745 : {
746 2156 : struct pdb_methods *pdb = pdb_get_methods();
747 2156 : return NT_STATUS_IS_OK(pdb->getgrnam(pdb, map, name));
748 : }
749 :
750 302 : static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods,
751 : TALLOC_CTX *mem_ctx,
752 : const char *name,
753 : uint32_t *rid)
754 : {
755 0 : struct dom_sid group_sid;
756 0 : struct group *grp;
757 0 : struct dom_sid_buf tmp;
758 :
759 302 : grp = getgrnam(name);
760 :
761 302 : if (grp == NULL) {
762 0 : gid_t gid;
763 :
764 302 : if (smb_create_group(name, &gid) != 0) {
765 0 : return NT_STATUS_ACCESS_DENIED;
766 : }
767 :
768 302 : grp = getgrgid(gid);
769 : }
770 :
771 302 : if (grp == NULL) {
772 0 : return NT_STATUS_ACCESS_DENIED;
773 : }
774 :
775 302 : if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
776 302 : if (!pdb_new_rid(rid)) {
777 0 : return NT_STATUS_ACCESS_DENIED;
778 : }
779 : } else {
780 0 : *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
781 : }
782 :
783 302 : sid_compose(&group_sid, get_global_sam_sid(), *rid);
784 :
785 302 : return add_initial_entry(
786 : grp->gr_gid,
787 302 : dom_sid_str_buf(&group_sid, &tmp),
788 : SID_NAME_DOM_GRP,
789 : name,
790 : NULL);
791 : }
792 :
793 302 : NTSTATUS pdb_create_dom_group(TALLOC_CTX *mem_ctx, const char *name,
794 : uint32_t *rid)
795 : {
796 302 : struct pdb_methods *pdb = pdb_get_methods();
797 302 : return pdb->create_dom_group(pdb, mem_ctx, name, rid);
798 : }
799 :
800 2 : static NTSTATUS pdb_default_delete_dom_group(struct pdb_methods *methods,
801 : TALLOC_CTX *mem_ctx,
802 : uint32_t rid)
803 : {
804 0 : struct dom_sid group_sid;
805 0 : GROUP_MAP *map;
806 0 : NTSTATUS status;
807 0 : struct group *grp;
808 0 : const char *grp_name;
809 :
810 2 : map = talloc_zero(mem_ctx, GROUP_MAP);
811 2 : if (!map) {
812 0 : return NT_STATUS_NO_MEMORY;
813 : }
814 :
815 : /* coverity */
816 2 : map->gid = (gid_t) -1;
817 :
818 2 : sid_compose(&group_sid, get_global_sam_sid(), rid);
819 :
820 2 : if (!get_domain_group_from_sid(group_sid, map)) {
821 0 : DEBUG(10, ("Could not find group for rid %d\n", rid));
822 0 : return NT_STATUS_NO_SUCH_GROUP;
823 : }
824 :
825 : /* We need the group name for the smb_delete_group later on */
826 :
827 2 : if (map->gid == (gid_t)-1) {
828 0 : return NT_STATUS_NO_SUCH_GROUP;
829 : }
830 :
831 2 : grp = getgrgid(map->gid);
832 2 : if (grp == NULL) {
833 0 : return NT_STATUS_NO_SUCH_GROUP;
834 : }
835 :
836 2 : TALLOC_FREE(map);
837 :
838 : /* Copy the name, no idea what pdb_delete_group_mapping_entry does.. */
839 :
840 2 : grp_name = talloc_strdup(mem_ctx, grp->gr_name);
841 2 : if (grp_name == NULL) {
842 0 : return NT_STATUS_NO_MEMORY;
843 : }
844 :
845 2 : status = pdb_delete_group_mapping_entry(group_sid);
846 :
847 2 : if (!NT_STATUS_IS_OK(status)) {
848 0 : return status;
849 : }
850 :
851 : /* Don't check the result of smb_delete_group */
852 :
853 2 : smb_delete_group(grp_name);
854 :
855 2 : return NT_STATUS_OK;
856 : }
857 :
858 2 : NTSTATUS pdb_delete_dom_group(TALLOC_CTX *mem_ctx, uint32_t rid)
859 : {
860 2 : struct pdb_methods *pdb = pdb_get_methods();
861 2 : return pdb->delete_dom_group(pdb, mem_ctx, rid);
862 : }
863 :
864 800 : NTSTATUS pdb_add_group_mapping_entry(GROUP_MAP *map)
865 : {
866 800 : struct pdb_methods *pdb = pdb_get_methods();
867 800 : return pdb->add_group_mapping_entry(pdb, map);
868 : }
869 :
870 0 : NTSTATUS pdb_update_group_mapping_entry(GROUP_MAP *map)
871 : {
872 0 : struct pdb_methods *pdb = pdb_get_methods();
873 0 : return pdb->update_group_mapping_entry(pdb, map);
874 : }
875 :
876 18 : NTSTATUS pdb_delete_group_mapping_entry(struct dom_sid sid)
877 : {
878 18 : struct pdb_methods *pdb = pdb_get_methods();
879 18 : return pdb->delete_group_mapping_entry(pdb, sid);
880 : }
881 :
882 0 : bool pdb_enum_group_mapping(const struct dom_sid *sid,
883 : enum lsa_SidType sid_name_use,
884 : GROUP_MAP ***pp_rmap,
885 : size_t *p_num_entries,
886 : bool unix_only)
887 : {
888 0 : struct pdb_methods *pdb = pdb_get_methods();
889 0 : return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
890 : pp_rmap, p_num_entries, unix_only));
891 : }
892 :
893 306 : NTSTATUS pdb_enum_group_members(TALLOC_CTX *mem_ctx,
894 : const struct dom_sid *sid,
895 : uint32_t **pp_member_rids,
896 : size_t *p_num_members)
897 : {
898 306 : struct pdb_methods *pdb = pdb_get_methods();
899 0 : NTSTATUS result;
900 :
901 306 : result = pdb->enum_group_members(pdb, mem_ctx,
902 : sid, pp_member_rids, p_num_members);
903 :
904 : /* special check for rid 513 */
905 :
906 306 : if ( !NT_STATUS_IS_OK( result ) ) {
907 0 : uint32_t rid;
908 :
909 0 : sid_peek_rid( sid, &rid );
910 :
911 0 : if ( rid == DOMAIN_RID_USERS ) {
912 0 : *p_num_members = 0;
913 0 : *pp_member_rids = NULL;
914 :
915 0 : return NT_STATUS_OK;
916 : }
917 : }
918 :
919 306 : return result;
920 : }
921 :
922 27436 : NTSTATUS pdb_enum_group_memberships(TALLOC_CTX *mem_ctx, struct samu *user,
923 : struct dom_sid **pp_sids, gid_t **pp_gids,
924 : uint32_t *p_num_groups)
925 : {
926 27436 : struct pdb_methods *pdb = pdb_get_methods();
927 27436 : return pdb->enum_group_memberships(
928 : pdb, mem_ctx, user,
929 : pp_sids, pp_gids, p_num_groups);
930 : }
931 :
932 0 : static NTSTATUS pdb_default_set_unix_primary_group(struct pdb_methods *methods,
933 : TALLOC_CTX *mem_ctx,
934 : struct samu *sampass)
935 : {
936 0 : struct group *grp;
937 0 : gid_t gid;
938 :
939 0 : if (!sid_to_gid(pdb_get_group_sid(sampass), &gid) ||
940 0 : (grp = getgrgid(gid)) == NULL) {
941 0 : return NT_STATUS_INVALID_PRIMARY_GROUP;
942 : }
943 :
944 0 : if (smb_set_primary_group(grp->gr_name,
945 : pdb_get_username(sampass)) != 0) {
946 0 : return NT_STATUS_ACCESS_DENIED;
947 : }
948 :
949 0 : return NT_STATUS_OK;
950 : }
951 :
952 0 : NTSTATUS pdb_set_unix_primary_group(TALLOC_CTX *mem_ctx, struct samu *user)
953 : {
954 0 : struct pdb_methods *pdb = pdb_get_methods();
955 0 : return pdb->set_unix_primary_group(pdb, mem_ctx, user);
956 : }
957 :
958 : /*
959 : * Helper function to see whether a user is in a group. We can't use
960 : * user_in_group_sid here because this creates dependencies only smbd can
961 : * fulfil.
962 : */
963 :
964 8 : static bool pdb_user_in_group(TALLOC_CTX *mem_ctx, struct samu *account,
965 : const struct dom_sid *group_sid)
966 : {
967 0 : struct dom_sid *sids;
968 0 : gid_t *gids;
969 0 : uint32_t i, num_groups;
970 :
971 8 : if (!NT_STATUS_IS_OK(pdb_enum_group_memberships(mem_ctx, account,
972 : &sids, &gids,
973 : &num_groups))) {
974 0 : return False;
975 : }
976 :
977 16 : for (i=0; i<num_groups; i++) {
978 12 : if (dom_sid_equal(group_sid, &sids[i])) {
979 4 : return True;
980 : }
981 : }
982 4 : return False;
983 : }
984 :
985 2 : static NTSTATUS pdb_default_add_groupmem(struct pdb_methods *methods,
986 : TALLOC_CTX *mem_ctx,
987 : uint32_t group_rid,
988 : uint32_t member_rid)
989 : {
990 0 : struct dom_sid group_sid, member_sid;
991 2 : struct samu *account = NULL;
992 0 : GROUP_MAP *map;
993 0 : struct group *grp;
994 0 : struct passwd *pwd;
995 0 : const char *group_name;
996 0 : uid_t uid;
997 :
998 2 : map = talloc_zero(mem_ctx, GROUP_MAP);
999 2 : if (!map) {
1000 0 : return NT_STATUS_NO_MEMORY;
1001 : }
1002 :
1003 : /* coverity */
1004 2 : map->gid = (gid_t) -1;
1005 :
1006 2 : sid_compose(&group_sid, get_global_sam_sid(), group_rid);
1007 2 : sid_compose(&member_sid, get_global_sam_sid(), member_rid);
1008 :
1009 2 : if (!get_domain_group_from_sid(group_sid, map) ||
1010 4 : (map->gid == (gid_t)-1) ||
1011 2 : ((grp = getgrgid(map->gid)) == NULL)) {
1012 0 : return NT_STATUS_NO_SUCH_GROUP;
1013 : }
1014 :
1015 2 : TALLOC_FREE(map);
1016 :
1017 2 : group_name = talloc_strdup(mem_ctx, grp->gr_name);
1018 2 : if (group_name == NULL) {
1019 0 : return NT_STATUS_NO_MEMORY;
1020 : }
1021 :
1022 2 : if ( !(account = samu_new( NULL )) ) {
1023 0 : return NT_STATUS_NO_MEMORY;
1024 : }
1025 :
1026 2 : if (!pdb_getsampwsid(account, &member_sid) ||
1027 4 : !sid_to_uid(&member_sid, &uid) ||
1028 2 : ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1029 0 : return NT_STATUS_NO_SUCH_USER;
1030 : }
1031 :
1032 2 : if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1033 0 : return NT_STATUS_MEMBER_IN_GROUP;
1034 : }
1035 :
1036 : /*
1037 : * ok, the group exist, the user exist, the user is not in the group,
1038 : * we can (finally) add it to the group !
1039 : */
1040 :
1041 2 : smb_add_user_group(group_name, pwd->pw_name);
1042 :
1043 2 : if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1044 0 : return NT_STATUS_ACCESS_DENIED;
1045 : }
1046 :
1047 2 : return NT_STATUS_OK;
1048 : }
1049 :
1050 2 : NTSTATUS pdb_add_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1051 : uint32_t member_rid)
1052 : {
1053 2 : struct pdb_methods *pdb = pdb_get_methods();
1054 2 : return pdb->add_groupmem(pdb, mem_ctx, group_rid, member_rid);
1055 : }
1056 :
1057 2 : static NTSTATUS pdb_default_del_groupmem(struct pdb_methods *methods,
1058 : TALLOC_CTX *mem_ctx,
1059 : uint32_t group_rid,
1060 : uint32_t member_rid)
1061 : {
1062 0 : struct dom_sid group_sid, member_sid;
1063 2 : struct samu *account = NULL;
1064 0 : GROUP_MAP *map;
1065 0 : struct group *grp;
1066 0 : struct passwd *pwd;
1067 0 : const char *group_name;
1068 0 : uid_t uid;
1069 :
1070 2 : map = talloc_zero(mem_ctx, GROUP_MAP);
1071 2 : if (!map) {
1072 0 : return NT_STATUS_NO_MEMORY;
1073 : }
1074 :
1075 2 : sid_compose(&group_sid, get_global_sam_sid(), group_rid);
1076 2 : sid_compose(&member_sid, get_global_sam_sid(), member_rid);
1077 :
1078 2 : if (!get_domain_group_from_sid(group_sid, map) ||
1079 4 : (map->gid == (gid_t)-1) ||
1080 2 : ((grp = getgrgid(map->gid)) == NULL)) {
1081 0 : return NT_STATUS_NO_SUCH_GROUP;
1082 : }
1083 :
1084 2 : TALLOC_FREE(map);
1085 :
1086 2 : group_name = talloc_strdup(mem_ctx, grp->gr_name);
1087 2 : if (group_name == NULL) {
1088 0 : return NT_STATUS_NO_MEMORY;
1089 : }
1090 :
1091 2 : if ( !(account = samu_new( NULL )) ) {
1092 0 : return NT_STATUS_NO_MEMORY;
1093 : }
1094 :
1095 2 : if (!pdb_getsampwsid(account, &member_sid) ||
1096 4 : !sid_to_uid(&member_sid, &uid) ||
1097 2 : ((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1098 0 : return NT_STATUS_NO_SUCH_USER;
1099 : }
1100 :
1101 2 : if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1102 0 : return NT_STATUS_MEMBER_NOT_IN_GROUP;
1103 : }
1104 :
1105 : /*
1106 : * ok, the group exist, the user exist, the user is in the group,
1107 : * we can (finally) delete it from the group!
1108 : */
1109 :
1110 2 : smb_delete_user_group(group_name, pwd->pw_name);
1111 :
1112 2 : if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1113 0 : return NT_STATUS_ACCESS_DENIED;
1114 : }
1115 :
1116 2 : return NT_STATUS_OK;
1117 : }
1118 :
1119 2 : NTSTATUS pdb_del_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1120 : uint32_t member_rid)
1121 : {
1122 2 : struct pdb_methods *pdb = pdb_get_methods();
1123 2 : return pdb->del_groupmem(pdb, mem_ctx, group_rid, member_rid);
1124 : }
1125 :
1126 302 : NTSTATUS pdb_create_alias(const char *name, uint32_t *rid)
1127 : {
1128 302 : struct pdb_methods *pdb = pdb_get_methods();
1129 302 : return pdb->create_alias(pdb, name, rid);
1130 : }
1131 :
1132 2 : NTSTATUS pdb_delete_alias(const struct dom_sid *sid)
1133 : {
1134 2 : struct pdb_methods *pdb = pdb_get_methods();
1135 2 : return pdb->delete_alias(pdb, sid);
1136 : }
1137 :
1138 69930 : NTSTATUS pdb_get_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1139 : {
1140 69930 : struct pdb_methods *pdb = pdb_get_methods();
1141 69930 : return pdb->get_aliasinfo(pdb, sid, info);
1142 : }
1143 :
1144 0 : NTSTATUS pdb_set_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1145 : {
1146 0 : struct pdb_methods *pdb = pdb_get_methods();
1147 0 : return pdb->set_aliasinfo(pdb, sid, info);
1148 : }
1149 :
1150 74 : NTSTATUS pdb_add_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1151 : {
1152 74 : struct pdb_methods *pdb = pdb_get_methods();
1153 74 : return pdb->add_aliasmem(pdb, alias, member);
1154 : }
1155 :
1156 20 : NTSTATUS pdb_del_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1157 : {
1158 20 : struct pdb_methods *pdb = pdb_get_methods();
1159 20 : return pdb->del_aliasmem(pdb, alias, member);
1160 : }
1161 :
1162 8 : NTSTATUS pdb_enum_aliasmem(const struct dom_sid *alias, TALLOC_CTX *mem_ctx,
1163 : struct dom_sid **pp_members, size_t *p_num_members)
1164 : {
1165 8 : struct pdb_methods *pdb = pdb_get_methods();
1166 8 : return pdb->enum_aliasmem(pdb, alias, mem_ctx, pp_members,
1167 : p_num_members);
1168 : }
1169 :
1170 50418 : NTSTATUS pdb_enum_alias_memberships(TALLOC_CTX *mem_ctx,
1171 : const struct dom_sid *domain_sid,
1172 : const struct dom_sid *members, size_t num_members,
1173 : uint32_t **pp_alias_rids,
1174 : size_t *p_num_alias_rids)
1175 : {
1176 50418 : struct pdb_methods *pdb = pdb_get_methods();
1177 50418 : return pdb->enum_alias_memberships(pdb, mem_ctx,
1178 : domain_sid,
1179 : members, num_members,
1180 : pp_alias_rids,
1181 : p_num_alias_rids);
1182 : }
1183 :
1184 6241 : NTSTATUS pdb_lookup_rids(const struct dom_sid *domain_sid,
1185 : int num_rids,
1186 : uint32_t *rids,
1187 : const char **names,
1188 : enum lsa_SidType *attrs)
1189 : {
1190 6241 : struct pdb_methods *pdb = pdb_get_methods();
1191 6241 : return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs);
1192 : }
1193 :
1194 244558 : bool pdb_get_account_policy(enum pdb_policy_type type, uint32_t *value)
1195 : {
1196 244558 : struct pdb_methods *pdb = pdb_get_methods();
1197 54 : NTSTATUS status;
1198 :
1199 244558 : become_root();
1200 244558 : status = pdb->get_account_policy(pdb, type, value);
1201 244558 : unbecome_root();
1202 :
1203 244558 : return NT_STATUS_IS_OK(status);
1204 : }
1205 :
1206 0 : bool pdb_set_account_policy(enum pdb_policy_type type, uint32_t value)
1207 : {
1208 0 : struct pdb_methods *pdb = pdb_get_methods();
1209 0 : NTSTATUS status;
1210 :
1211 0 : become_root();
1212 0 : status = pdb->set_account_policy(pdb, type, value);
1213 0 : unbecome_root();
1214 :
1215 0 : return NT_STATUS_IS_OK(status);
1216 : }
1217 :
1218 12 : bool pdb_get_seq_num(time_t *seq_num)
1219 : {
1220 12 : struct pdb_methods *pdb = pdb_get_methods();
1221 12 : return NT_STATUS_IS_OK(pdb->get_seq_num(pdb, seq_num));
1222 : }
1223 :
1224 : /*
1225 : * Instead of passing down a gid or uid, this function sends down a pointer
1226 : * to a unixid.
1227 : *
1228 : * This acts as an in-out variable so that the idmap functions can correctly
1229 : * receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing
1230 : * the cache to store ID_TYPE_UID or ID_TYPE_GID.
1231 : */
1232 220318 : bool pdb_id_to_sid(struct unixid *id, struct dom_sid *sid)
1233 : {
1234 220318 : struct pdb_methods *pdb = pdb_get_methods();
1235 13 : bool ret;
1236 :
1237 220318 : ret = pdb->id_to_sid(pdb, id, sid);
1238 :
1239 220318 : if (ret) {
1240 122 : idmap_cache_set_sid2unixid(sid, id);
1241 : }
1242 :
1243 220318 : return ret;
1244 : }
1245 :
1246 95601 : bool pdb_sid_to_id(const struct dom_sid *sid, struct unixid *id)
1247 : {
1248 95601 : struct pdb_methods *pdb = pdb_get_methods();
1249 55 : bool ret;
1250 :
1251 : /* only ask the backend if it is responsible */
1252 95601 : if (!sid_check_object_is_for_passdb(sid)) {
1253 59344 : return false;
1254 : }
1255 :
1256 36241 : ret = pdb->sid_to_id(pdb, sid, id);
1257 :
1258 36241 : if (ret) {
1259 453 : idmap_cache_set_sid2unixid(sid, id);
1260 : }
1261 :
1262 36202 : return ret;
1263 : }
1264 :
1265 1132 : uint32_t pdb_capabilities(void)
1266 : {
1267 1132 : struct pdb_methods *pdb = pdb_get_methods();
1268 1132 : return pdb->capabilities(pdb);
1269 : }
1270 :
1271 : /********************************************************************
1272 : Allocate a new RID from the passdb backend. Verify that it is free
1273 : by calling lookup_global_sam_rid() to verify that the RID is not
1274 : in use. This handles servers that have existing users or groups
1275 : with add RIDs (assigned from previous algorithmic mappings)
1276 : ********************************************************************/
1277 :
1278 604 : bool pdb_new_rid(uint32_t *rid)
1279 : {
1280 604 : struct pdb_methods *pdb = pdb_get_methods();
1281 604 : const char *name = NULL;
1282 0 : enum lsa_SidType type;
1283 604 : uint32_t allocated_rid = 0;
1284 0 : int i;
1285 0 : TALLOC_CTX *ctx;
1286 :
1287 604 : if ((pdb_capabilities() & PDB_CAP_STORE_RIDS) == 0) {
1288 0 : DEBUG(0, ("Trying to allocate a RID when algorithmic RIDs "
1289 : "are active\n"));
1290 0 : return False;
1291 : }
1292 :
1293 604 : if (algorithmic_rid_base() != BASE_RID) {
1294 0 : DEBUG(0, ("'algorithmic rid base' is set but a passdb backend "
1295 : "without algorithmic RIDs is chosen.\n"));
1296 0 : DEBUGADD(0, ("Please map all used groups using 'net groupmap "
1297 : "add', set the maximum used RID\n"));
1298 0 : DEBUGADD(0, ("and remove the parameter\n"));
1299 0 : return False;
1300 : }
1301 :
1302 604 : if ( (ctx = talloc_init("pdb_new_rid")) == NULL ) {
1303 0 : DEBUG(0,("pdb_new_rid: Talloc initialization failure\n"));
1304 0 : return False;
1305 : }
1306 :
1307 : /* Attempt to get an unused RID (max tires is 250...yes that it is
1308 : and arbitrary number I pulkled out of my head). -- jerry */
1309 :
1310 1208 : for ( i=0; allocated_rid==0 && i<250; i++ ) {
1311 : /* get a new RID */
1312 :
1313 604 : if ( !pdb->new_rid(pdb, &allocated_rid) ) {
1314 0 : return False;
1315 : }
1316 :
1317 : /* validate that the RID is not in use */
1318 :
1319 604 : if (lookup_global_sam_rid(ctx, allocated_rid, &name, &type, NULL, NULL)) {
1320 0 : allocated_rid = 0;
1321 : }
1322 : }
1323 :
1324 604 : TALLOC_FREE( ctx );
1325 :
1326 604 : if ( allocated_rid == 0 ) {
1327 0 : DEBUG(0,("pdb_new_rid: Failed to find unused RID\n"));
1328 0 : return False;
1329 : }
1330 :
1331 604 : *rid = allocated_rid;
1332 :
1333 604 : return True;
1334 : }
1335 :
1336 : /***************************************************************
1337 : Initialize the static context (at smbd startup etc).
1338 :
1339 : If uninitialised, context will auto-init on first use.
1340 : ***************************************************************/
1341 :
1342 32205 : bool initialize_password_db(bool reload, struct tevent_context *tevent_ctx)
1343 : {
1344 32205 : if (tevent_ctx) {
1345 31611 : pdb_tevent_ctx = tevent_ctx;
1346 : }
1347 32205 : return (pdb_get_methods_reload(reload) != NULL);
1348 : }
1349 :
1350 : /***************************************************************************
1351 : Default implementations of some functions.
1352 : ****************************************************************************/
1353 :
1354 0 : static NTSTATUS pdb_default_getsampwnam (struct pdb_methods *methods, struct samu *user, const char *sname)
1355 : {
1356 0 : return NT_STATUS_NO_SUCH_USER;
1357 : }
1358 :
1359 0 : static NTSTATUS pdb_default_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const struct dom_sid *sid)
1360 : {
1361 0 : return NT_STATUS_NO_SUCH_USER;
1362 : }
1363 :
1364 0 : static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1365 : {
1366 0 : return NT_STATUS_NOT_IMPLEMENTED;
1367 : }
1368 :
1369 0 : static NTSTATUS pdb_default_update_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1370 : {
1371 0 : return NT_STATUS_NOT_IMPLEMENTED;
1372 : }
1373 :
1374 0 : static NTSTATUS pdb_default_delete_sam_account (struct pdb_methods *methods, struct samu *pwd)
1375 : {
1376 0 : return NT_STATUS_NOT_IMPLEMENTED;
1377 : }
1378 :
1379 0 : static NTSTATUS pdb_default_rename_sam_account (struct pdb_methods *methods, struct samu *pwd, const char *newname)
1380 : {
1381 0 : return NT_STATUS_NOT_IMPLEMENTED;
1382 : }
1383 :
1384 20720 : static NTSTATUS pdb_default_update_login_attempts (struct pdb_methods *methods, struct samu *newpwd, bool success)
1385 : {
1386 : /* Only the pdb_nds backend implements this, by
1387 : * default just return ok. */
1388 20720 : return NT_STATUS_OK;
1389 : }
1390 :
1391 244532 : static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t *value)
1392 : {
1393 244532 : return account_policy_get(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1394 : }
1395 :
1396 0 : static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t value)
1397 : {
1398 0 : return account_policy_set(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1399 : }
1400 :
1401 12 : static NTSTATUS pdb_default_get_seq_num(struct pdb_methods *methods, time_t *seq_num)
1402 : {
1403 12 : *seq_num = time(NULL);
1404 12 : return NT_STATUS_OK;
1405 : }
1406 :
1407 54 : static bool pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid,
1408 : struct dom_sid *sid)
1409 : {
1410 54 : struct samu *sampw = NULL;
1411 0 : struct passwd *unix_pw;
1412 54 : fstring pw_name = { 0 };
1413 0 : bool ret;
1414 :
1415 54 : unix_pw = getpwuid( uid );
1416 :
1417 54 : if ( !unix_pw ) {
1418 12 : DEBUG(4,("pdb_default_uid_to_sid: host has no idea of uid "
1419 : "%lu\n", (unsigned long)uid));
1420 12 : return False;
1421 : }
1422 :
1423 42 : if (unix_pw->pw_name == NULL) {
1424 0 : DBG_DEBUG("No pw_name for uid %d\n", (int)uid);
1425 0 : return false;
1426 : }
1427 :
1428 : /*
1429 : * Make a copy, "unix_pw" might go away soon.
1430 : */
1431 42 : fstrcpy(pw_name, unix_pw->pw_name);
1432 :
1433 42 : if ( !(sampw = samu_new( NULL )) ) {
1434 0 : DEBUG(0,("pdb_default_uid_to_sid: samu_new() failed!\n"));
1435 0 : return False;
1436 : }
1437 :
1438 42 : become_root();
1439 42 : ret = NT_STATUS_IS_OK(methods->getsampwnam(methods, sampw, pw_name));
1440 42 : unbecome_root();
1441 :
1442 42 : if (!ret) {
1443 28 : DEBUG(5, ("pdb_default_uid_to_sid: Did not find user "
1444 : "%s (%u)\n", unix_pw->pw_name, (unsigned int)uid));
1445 28 : TALLOC_FREE(sampw);
1446 28 : return False;
1447 : }
1448 :
1449 14 : sid_copy(sid, pdb_get_user_sid(sampw));
1450 :
1451 14 : TALLOC_FREE(sampw);
1452 :
1453 14 : return True;
1454 : }
1455 :
1456 220170 : static bool pdb_default_gid_to_sid(struct pdb_methods *methods, gid_t gid,
1457 : struct dom_sid *sid)
1458 : {
1459 5 : GROUP_MAP *map;
1460 :
1461 220170 : map = talloc_zero(NULL, GROUP_MAP);
1462 220170 : if (!map) {
1463 0 : return false;
1464 : }
1465 :
1466 220170 : if (!NT_STATUS_IS_OK(methods->getgrgid(methods, map, gid))) {
1467 220156 : TALLOC_FREE(map);
1468 220156 : return false;
1469 : }
1470 :
1471 14 : sid_copy(sid, &map->sid);
1472 14 : TALLOC_FREE(map);
1473 14 : return true;
1474 : }
1475 :
1476 220224 : static bool pdb_default_id_to_sid(struct pdb_methods *methods, struct unixid *id,
1477 : struct dom_sid *sid)
1478 : {
1479 220224 : switch (id->type) {
1480 54 : case ID_TYPE_UID:
1481 54 : return pdb_default_uid_to_sid(methods, id->id, sid);
1482 :
1483 220170 : case ID_TYPE_GID:
1484 220170 : return pdb_default_gid_to_sid(methods, id->id, sid);
1485 :
1486 0 : default:
1487 0 : return false;
1488 : }
1489 : }
1490 : /**
1491 : * The "Unix User" and "Unix Group" domains have a special
1492 : * id mapping that is a rid-algorithm with range starting at 0.
1493 : */
1494 35069 : bool pdb_sid_to_id_unix_users_and_groups(const struct dom_sid *sid,
1495 : struct unixid *id)
1496 : {
1497 0 : uint32_t rid;
1498 :
1499 35069 : id->id = -1;
1500 :
1501 35069 : if (sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid)) {
1502 0 : id->id = rid;
1503 0 : id->type = ID_TYPE_UID;
1504 0 : return true;
1505 : }
1506 :
1507 35069 : if (sid_peek_check_rid(&global_sid_Unix_Groups, sid, &rid)) {
1508 0 : id->id = rid;
1509 0 : id->type = ID_TYPE_GID;
1510 0 : return true;
1511 : }
1512 :
1513 35069 : return false;
1514 : }
1515 :
1516 35951 : static bool pdb_default_sid_to_id(struct pdb_methods *methods,
1517 : const struct dom_sid *sid,
1518 : struct unixid *id)
1519 : {
1520 12 : TALLOC_CTX *mem_ctx;
1521 35951 : bool ret = False;
1522 12 : uint32_t rid;
1523 12 : struct dom_sid_buf buf;
1524 :
1525 35951 : id->id = -1;
1526 :
1527 35951 : mem_ctx = talloc_new(NULL);
1528 :
1529 35951 : if (mem_ctx == NULL) {
1530 0 : DEBUG(0, ("talloc_new failed\n"));
1531 0 : return False;
1532 : }
1533 :
1534 35951 : if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
1535 12 : const char *name;
1536 12 : enum lsa_SidType type;
1537 882 : uid_t uid = (uid_t)-1;
1538 882 : gid_t gid = (gid_t)-1;
1539 : /* Here we might have users as well as groups and aliases */
1540 882 : ret = lookup_global_sam_rid(mem_ctx, rid, &name, &type, &uid, &gid);
1541 882 : if (ret) {
1542 126 : switch (type) {
1543 11 : case SID_NAME_DOM_GRP:
1544 : case SID_NAME_ALIAS:
1545 11 : id->type = ID_TYPE_GID;
1546 11 : id->id = gid;
1547 11 : break;
1548 115 : case SID_NAME_USER:
1549 115 : id->type = ID_TYPE_UID;
1550 115 : id->id = uid;
1551 115 : break;
1552 0 : default:
1553 0 : DEBUG(5, ("SID %s belongs to our domain, and "
1554 : "an object exists in the database, "
1555 : "but it is neither a user nor a "
1556 : "group (got type %d).\n",
1557 : dom_sid_str_buf(sid, &buf),
1558 : type));
1559 0 : ret = false;
1560 : }
1561 : } else {
1562 756 : DEBUG(5, ("SID %s belongs to our domain, but there is "
1563 : "no corresponding object in the database.\n",
1564 : dom_sid_str_buf(sid, &buf)));
1565 : }
1566 882 : goto done;
1567 : }
1568 :
1569 : /*
1570 : * "Unix User" and "Unix Group"
1571 : */
1572 35069 : ret = pdb_sid_to_id_unix_users_and_groups(sid, id);
1573 35069 : if (ret) {
1574 0 : goto done;
1575 : }
1576 :
1577 : /* BUILTIN */
1578 :
1579 35069 : if (sid_check_is_in_builtin(sid) ||
1580 0 : sid_check_is_in_wellknown_domain(sid)) {
1581 : /* Here we only have aliases */
1582 0 : GROUP_MAP *map;
1583 :
1584 35069 : map = talloc_zero(mem_ctx, GROUP_MAP);
1585 35069 : if (!map) {
1586 0 : ret = false;
1587 0 : goto done;
1588 : }
1589 :
1590 35069 : if (!NT_STATUS_IS_OK(methods->getgrsid(methods, map, *sid))) {
1591 35035 : DEBUG(10, ("Could not find map for sid %s\n",
1592 : dom_sid_str_buf(sid, &buf)));
1593 35035 : goto done;
1594 : }
1595 34 : if ((map->sid_name_use != SID_NAME_ALIAS) &&
1596 0 : (map->sid_name_use != SID_NAME_WKN_GRP)) {
1597 0 : DEBUG(10, ("Map for sid %s is a %s, expected an "
1598 : "alias\n",
1599 : dom_sid_str_buf(sid, &buf),
1600 : sid_type_lookup(map->sid_name_use)));
1601 0 : goto done;
1602 : }
1603 :
1604 34 : id->id = map->gid;
1605 34 : id->type = ID_TYPE_GID;
1606 34 : ret = True;
1607 34 : goto done;
1608 : }
1609 :
1610 0 : DEBUG(5, ("Sid %s is neither ours, a Unix SID, nor builtin\n",
1611 : dom_sid_str_buf(sid, &buf)));
1612 :
1613 35951 : done:
1614 :
1615 35951 : TALLOC_FREE(mem_ctx);
1616 35951 : return ret;
1617 : }
1618 :
1619 306 : static bool get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, uint32_t *p_num)
1620 : {
1621 0 : struct group *grp;
1622 0 : char **gr;
1623 0 : struct passwd *pwd;
1624 0 : bool winbind_env;
1625 306 : bool ret = False;
1626 :
1627 306 : *pp_uids = NULL;
1628 306 : *p_num = 0;
1629 :
1630 : /* We only look at our own sam, so don't care about imported stuff */
1631 306 : winbind_env = winbind_env_set();
1632 306 : (void)winbind_off();
1633 :
1634 306 : if ((grp = getgrgid(gid)) == NULL) {
1635 : /* allow winbindd lookups, but only if they weren't already disabled */
1636 0 : goto done;
1637 : }
1638 :
1639 : /* Primary group members */
1640 306 : setpwent();
1641 52023 : while ((pwd = getpwent()) != NULL) {
1642 51716 : if (pwd->pw_gid == gid) {
1643 16 : if (!add_uid_to_array_unique(mem_ctx, pwd->pw_uid,
1644 : pp_uids, p_num)) {
1645 0 : goto done;
1646 : }
1647 : }
1648 : }
1649 306 : endpwent();
1650 :
1651 : /* Secondary group members */
1652 308 : for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
1653 2 : struct passwd *pw = getpwnam(*gr);
1654 :
1655 2 : if (pw == NULL)
1656 0 : continue;
1657 2 : if (!add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num)) {
1658 0 : goto done;
1659 : }
1660 : }
1661 :
1662 306 : ret = True;
1663 :
1664 306 : done:
1665 :
1666 : /* allow winbindd lookups, but only if they weren't already disabled */
1667 306 : if (!winbind_env) {
1668 304 : (void)winbind_on();
1669 : }
1670 :
1671 306 : return ret;
1672 : }
1673 :
1674 315 : static NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
1675 : TALLOC_CTX *mem_ctx,
1676 : const struct dom_sid *group,
1677 : uint32_t **pp_member_rids,
1678 : size_t *p_num_members)
1679 : {
1680 9 : gid_t gid;
1681 9 : uid_t *uids;
1682 9 : uint32_t i, num_uids;
1683 :
1684 315 : *pp_member_rids = NULL;
1685 315 : *p_num_members = 0;
1686 :
1687 315 : if (!sid_to_gid(group, &gid))
1688 9 : return NT_STATUS_NO_SUCH_GROUP;
1689 :
1690 306 : if(!get_memberuids(mem_ctx, gid, &uids, &num_uids))
1691 0 : return NT_STATUS_NO_SUCH_GROUP;
1692 :
1693 306 : if (num_uids == 0)
1694 302 : return NT_STATUS_OK;
1695 :
1696 4 : *pp_member_rids = talloc_zero_array(mem_ctx, uint32_t, num_uids);
1697 :
1698 22 : for (i=0; i<num_uids; i++) {
1699 0 : struct dom_sid sid;
1700 :
1701 18 : uid_to_sid(&sid, uids[i]);
1702 :
1703 18 : if (!sid_check_is_in_our_sam(&sid)) {
1704 4 : DEBUG(5, ("Inconsistent SAM -- group member uid not "
1705 : "in our domain\n"));
1706 4 : continue;
1707 : }
1708 :
1709 14 : sid_peek_rid(&sid, &(*pp_member_rids)[*p_num_members]);
1710 14 : *p_num_members += 1;
1711 : }
1712 :
1713 4 : return NT_STATUS_OK;
1714 : }
1715 :
1716 22769 : static NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
1717 : TALLOC_CTX *mem_ctx,
1718 : struct samu *user,
1719 : struct dom_sid **pp_sids,
1720 : gid_t **pp_gids,
1721 : uint32_t *p_num_groups)
1722 : {
1723 6 : size_t i;
1724 6 : gid_t gid;
1725 6 : struct passwd *pw;
1726 22769 : const char *username = pdb_get_username(user);
1727 :
1728 :
1729 : /* Ignore the primary group SID. Honor the real Unix primary group.
1730 : The primary group SID is only of real use to Windows clients */
1731 :
1732 22769 : if ( !(pw = Get_Pwnam_alloc(mem_ctx, username)) ) {
1733 3 : return NT_STATUS_NO_SUCH_USER;
1734 : }
1735 :
1736 22766 : gid = pw->pw_gid;
1737 :
1738 22766 : TALLOC_FREE( pw );
1739 :
1740 22766 : if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) {
1741 0 : return NT_STATUS_NO_SUCH_USER;
1742 : }
1743 :
1744 22766 : if (*p_num_groups == 0) {
1745 0 : smb_panic("primary group missing");
1746 : }
1747 :
1748 22766 : *pp_sids = talloc_array(mem_ctx, struct dom_sid, *p_num_groups);
1749 :
1750 22766 : if (*pp_sids == NULL) {
1751 0 : TALLOC_FREE(*pp_gids);
1752 0 : return NT_STATUS_NO_MEMORY;
1753 : }
1754 :
1755 66121 : for (i=0; i<*p_num_groups; i++) {
1756 43355 : gid_to_sid(&(*pp_sids)[i], (*pp_gids)[i]);
1757 : }
1758 :
1759 22766 : return NT_STATUS_OK;
1760 : }
1761 :
1762 : /*******************************************************************
1763 : Look up a rid in the SAM we're responsible for (i.e. passdb)
1764 : ********************************************************************/
1765 :
1766 3361 : static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
1767 : const char **name,
1768 : enum lsa_SidType *psid_name_use,
1769 : uid_t *uid, gid_t *gid)
1770 : {
1771 3361 : struct samu *sam_account = NULL;
1772 3361 : GROUP_MAP *map = NULL;
1773 12 : bool ret;
1774 12 : struct dom_sid sid;
1775 :
1776 3361 : *psid_name_use = SID_NAME_UNKNOWN;
1777 :
1778 3361 : DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n",
1779 : (unsigned int)rid));
1780 :
1781 3361 : sid_compose(&sid, get_global_sam_sid(), rid);
1782 :
1783 : /* see if the passdb can help us with the name of the user */
1784 :
1785 3361 : if ( !(sam_account = samu_new( NULL )) ) {
1786 0 : return False;
1787 : }
1788 :
1789 3361 : map = talloc_zero(mem_ctx, GROUP_MAP);
1790 3361 : if (!map) {
1791 0 : return false;
1792 : }
1793 :
1794 : /* BEING ROOT BLOCK */
1795 3361 : become_root();
1796 3361 : ret = pdb_getsampwsid(sam_account, &sid);
1797 3361 : if (!ret) {
1798 2364 : TALLOC_FREE(sam_account);
1799 2364 : ret = pdb_getgrsid(map, sid);
1800 : }
1801 3361 : unbecome_root();
1802 : /* END BECOME_ROOT BLOCK */
1803 :
1804 3361 : if (sam_account || !ret) {
1805 2353 : TALLOC_FREE(map);
1806 : }
1807 :
1808 3361 : if (sam_account) {
1809 6 : struct passwd *pw;
1810 :
1811 997 : *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
1812 997 : if (!*name) {
1813 0 : TALLOC_FREE(sam_account);
1814 0 : return False;
1815 : }
1816 :
1817 997 : *psid_name_use = SID_NAME_USER;
1818 :
1819 997 : TALLOC_FREE(sam_account);
1820 :
1821 997 : if (uid == NULL) {
1822 879 : return True;
1823 : }
1824 :
1825 118 : pw = Get_Pwnam_alloc(talloc_tos(), *name);
1826 118 : if (pw == NULL) {
1827 0 : return False;
1828 : }
1829 115 : *uid = pw->pw_uid;
1830 115 : TALLOC_FREE(pw);
1831 115 : return True;
1832 :
1833 2364 : } else if (map && (map->gid != (gid_t)-1)) {
1834 :
1835 : /* do not resolve SIDs to a name unless there is a valid
1836 : gid associated with it */
1837 :
1838 1007 : *name = talloc_steal(mem_ctx, map->nt_name);
1839 1007 : *psid_name_use = map->sid_name_use;
1840 :
1841 1007 : if (gid) {
1842 11 : *gid = map->gid;
1843 : }
1844 :
1845 1007 : TALLOC_FREE(map);
1846 1007 : return True;
1847 : }
1848 :
1849 1357 : TALLOC_FREE(map);
1850 :
1851 : /* Windows will always map RID 513 to something. On a non-domain
1852 : controller, this gets mapped to SERVER\None. */
1853 :
1854 1357 : if (uid || gid) {
1855 753 : DEBUG(5, ("Can't find a unix id for an unmapped group\n"));
1856 753 : return False;
1857 : }
1858 :
1859 604 : if ( rid == DOMAIN_RID_USERS ) {
1860 0 : *name = talloc_strdup(mem_ctx, "None" );
1861 0 : *psid_name_use = SID_NAME_DOM_GRP;
1862 :
1863 0 : return True;
1864 : }
1865 :
1866 604 : return False;
1867 : }
1868 :
1869 1569 : static NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
1870 : const struct dom_sid *domain_sid,
1871 : int num_rids,
1872 : uint32_t *rids,
1873 : const char **names,
1874 : enum lsa_SidType *attrs)
1875 : {
1876 0 : int i;
1877 0 : NTSTATUS result;
1878 1569 : bool have_mapped = False;
1879 1569 : bool have_unmapped = False;
1880 :
1881 1569 : if (sid_check_is_builtin(domain_sid)) {
1882 :
1883 28 : for (i=0; i<num_rids; i++) {
1884 0 : const char *name;
1885 :
1886 14 : if (lookup_builtin_rid(names, rids[i], &name)) {
1887 14 : attrs[i] = SID_NAME_ALIAS;
1888 14 : names[i] = name;
1889 14 : DEBUG(5,("lookup_rids: %s:%d\n",
1890 : names[i], attrs[i]));
1891 14 : have_mapped = True;
1892 : } else {
1893 0 : have_unmapped = True;
1894 0 : attrs[i] = SID_NAME_UNKNOWN;
1895 : }
1896 : }
1897 14 : goto done;
1898 : }
1899 :
1900 : /* Should not happen, but better check once too many */
1901 1555 : if (!sid_check_is_our_sam(domain_sid)) {
1902 0 : return NT_STATUS_INVALID_HANDLE;
1903 : }
1904 :
1905 3430 : for (i = 0; i < num_rids; i++) {
1906 0 : const char *name;
1907 :
1908 1875 : if (lookup_global_sam_rid(names, rids[i], &name, &attrs[i],
1909 : NULL, NULL)) {
1910 1875 : if (name == NULL) {
1911 0 : return NT_STATUS_NO_MEMORY;
1912 : }
1913 1875 : names[i] = name;
1914 1875 : DEBUG(5,("lookup_rids: %s:%d\n", names[i], attrs[i]));
1915 1875 : have_mapped = True;
1916 : } else {
1917 0 : have_unmapped = True;
1918 0 : attrs[i] = SID_NAME_UNKNOWN;
1919 : }
1920 : }
1921 :
1922 1555 : done:
1923 :
1924 1569 : result = NT_STATUS_NONE_MAPPED;
1925 :
1926 1569 : if (have_mapped)
1927 1569 : result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
1928 :
1929 1569 : return result;
1930 : }
1931 :
1932 30 : static int pdb_search_destructor(struct pdb_search *search)
1933 : {
1934 30 : if ((!search->search_ended) && (search->search_end != NULL)) {
1935 0 : search->search_end(search);
1936 : }
1937 30 : return 0;
1938 : }
1939 :
1940 30 : struct pdb_search *pdb_search_init(TALLOC_CTX *mem_ctx,
1941 : enum pdb_search_type type)
1942 : {
1943 0 : struct pdb_search *result;
1944 :
1945 30 : result = talloc(mem_ctx, struct pdb_search);
1946 30 : if (result == NULL) {
1947 0 : DEBUG(0, ("talloc failed\n"));
1948 0 : return NULL;
1949 : }
1950 :
1951 30 : result->type = type;
1952 30 : result->cache = NULL;
1953 30 : result->num_entries = 0;
1954 30 : result->cache_size = 0;
1955 30 : result->search_ended = False;
1956 30 : result->search_end = NULL;
1957 :
1958 : /* Segfault appropriately if not initialized */
1959 30 : result->next_entry = NULL;
1960 30 : result->search_end = NULL;
1961 :
1962 30 : talloc_set_destructor(result, pdb_search_destructor);
1963 :
1964 30 : return result;
1965 : }
1966 :
1967 1238 : static void fill_displayentry(TALLOC_CTX *mem_ctx, uint32_t rid,
1968 : uint16_t acct_flags,
1969 : const char *account_name,
1970 : const char *fullname,
1971 : const char *description,
1972 : struct samr_displayentry *entry)
1973 : {
1974 1238 : entry->rid = rid;
1975 1238 : entry->acct_flags = acct_flags;
1976 :
1977 1238 : if (account_name != NULL)
1978 1238 : entry->account_name = talloc_strdup(mem_ctx, account_name);
1979 : else
1980 0 : entry->account_name = "";
1981 :
1982 1238 : if (fullname != NULL)
1983 0 : entry->fullname = talloc_strdup(mem_ctx, fullname);
1984 : else
1985 1238 : entry->fullname = "";
1986 :
1987 1238 : if (description != NULL)
1988 1238 : entry->description = talloc_strdup(mem_ctx, description);
1989 : else
1990 0 : entry->description = "";
1991 1238 : }
1992 :
1993 : struct group_search {
1994 : GROUP_MAP **groups;
1995 : size_t num_groups, current_group;
1996 : };
1997 :
1998 1262 : static bool next_entry_groups(struct pdb_search *s,
1999 : struct samr_displayentry *entry)
2000 : {
2001 1262 : struct group_search *state = (struct group_search *)s->private_data;
2002 4 : uint32_t rid;
2003 4 : GROUP_MAP *map;
2004 :
2005 1262 : if (state->current_group == state->num_groups)
2006 22 : return False;
2007 :
2008 1238 : map = state->groups[state->current_group];
2009 :
2010 1238 : sid_peek_rid(&map->sid, &rid);
2011 :
2012 1238 : fill_displayentry(s, rid, 0, map->nt_name, NULL, map->comment, entry);
2013 :
2014 1238 : state->current_group += 1;
2015 1238 : return True;
2016 : }
2017 :
2018 24 : static void search_end_groups(struct pdb_search *search)
2019 : {
2020 24 : struct group_search *state =
2021 : (struct group_search *)search->private_data;
2022 24 : TALLOC_FREE(state->groups);
2023 24 : }
2024 :
2025 24 : static bool pdb_search_grouptype(struct pdb_methods *methods,
2026 : struct pdb_search *search,
2027 : const struct dom_sid *sid, enum lsa_SidType type)
2028 : {
2029 2 : struct group_search *state;
2030 :
2031 24 : state = talloc_zero(search, struct group_search);
2032 24 : if (state == NULL) {
2033 0 : DEBUG(0, ("talloc failed\n"));
2034 0 : return False;
2035 : }
2036 :
2037 24 : if (!NT_STATUS_IS_OK(methods->enum_group_mapping(methods, sid, type,
2038 : &state->groups, &state->num_groups,
2039 : True))) {
2040 0 : DEBUG(0, ("Could not enum groups\n"));
2041 0 : return False;
2042 : }
2043 :
2044 24 : state->current_group = 0;
2045 24 : search->private_data = state;
2046 24 : search->next_entry = next_entry_groups;
2047 24 : search->search_end = search_end_groups;
2048 24 : return True;
2049 : }
2050 :
2051 6 : static bool pdb_default_search_groups(struct pdb_methods *methods,
2052 : struct pdb_search *search)
2053 : {
2054 6 : return pdb_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
2055 : }
2056 :
2057 18 : static bool pdb_default_search_aliases(struct pdb_methods *methods,
2058 : struct pdb_search *search,
2059 : const struct dom_sid *sid)
2060 : {
2061 :
2062 18 : return pdb_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
2063 : }
2064 :
2065 124 : static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
2066 : uint32_t idx)
2067 : {
2068 124 : if (idx < search->num_entries)
2069 40 : return &search->cache[idx];
2070 :
2071 84 : if (search->search_ended)
2072 54 : return NULL;
2073 :
2074 1948 : while (idx >= search->num_entries) {
2075 0 : struct samr_displayentry entry;
2076 :
2077 1948 : if (!search->next_entry(search, &entry)) {
2078 30 : search->search_end(search);
2079 30 : search->search_ended = True;
2080 30 : break;
2081 : }
2082 :
2083 1918 : ADD_TO_LARGE_ARRAY(search, struct samr_displayentry,
2084 : entry, &search->cache, &search->num_entries,
2085 0 : &search->cache_size);
2086 : }
2087 :
2088 30 : return (search->num_entries > idx) ? &search->cache[idx] : NULL;
2089 : }
2090 :
2091 8 : struct pdb_search *pdb_search_users(TALLOC_CTX *mem_ctx, uint32_t acct_flags)
2092 : {
2093 8 : struct pdb_methods *pdb = pdb_get_methods();
2094 0 : struct pdb_search *result;
2095 :
2096 8 : result = pdb_search_init(mem_ctx, PDB_USER_SEARCH);
2097 8 : if (result == NULL) {
2098 0 : return NULL;
2099 : }
2100 :
2101 8 : if (!pdb->search_users(pdb, result, acct_flags)) {
2102 0 : TALLOC_FREE(result);
2103 0 : return NULL;
2104 : }
2105 8 : return result;
2106 : }
2107 :
2108 6 : struct pdb_search *pdb_search_groups(TALLOC_CTX *mem_ctx)
2109 : {
2110 6 : struct pdb_methods *pdb = pdb_get_methods();
2111 0 : struct pdb_search *result;
2112 :
2113 6 : result = pdb_search_init(mem_ctx, PDB_GROUP_SEARCH);
2114 6 : if (result == NULL) {
2115 0 : return NULL;
2116 : }
2117 :
2118 6 : if (!pdb->search_groups(pdb, result)) {
2119 0 : TALLOC_FREE(result);
2120 0 : return NULL;
2121 : }
2122 6 : return result;
2123 : }
2124 :
2125 16 : struct pdb_search *pdb_search_aliases(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
2126 : {
2127 16 : struct pdb_methods *pdb = pdb_get_methods();
2128 0 : struct pdb_search *result;
2129 :
2130 16 : if (pdb == NULL) return NULL;
2131 :
2132 16 : result = pdb_search_init(mem_ctx, PDB_ALIAS_SEARCH);
2133 16 : if (result == NULL) {
2134 0 : return NULL;
2135 : }
2136 :
2137 16 : if (!pdb->search_aliases(pdb, result, sid)) {
2138 0 : TALLOC_FREE(result);
2139 0 : return NULL;
2140 : }
2141 16 : return result;
2142 : }
2143 :
2144 62 : uint32_t pdb_search_entries(struct pdb_search *search,
2145 : uint32_t start_idx, uint32_t max_entries,
2146 : struct samr_displayentry **result)
2147 : {
2148 0 : struct samr_displayentry *end_entry;
2149 62 : uint32_t end_idx = start_idx+max_entries-1;
2150 :
2151 : /* The first entry needs to be searched after the last. Otherwise the
2152 : * first entry might have moved due to a realloc during the search for
2153 : * the last entry. */
2154 :
2155 62 : end_entry = pdb_search_getentry(search, end_idx);
2156 62 : *result = pdb_search_getentry(search, start_idx);
2157 :
2158 62 : if (end_entry != NULL)
2159 0 : return max_entries;
2160 :
2161 62 : if (start_idx >= search->num_entries)
2162 22 : return 0;
2163 :
2164 40 : return search->num_entries - start_idx;
2165 : }
2166 :
2167 : /*******************************************************************
2168 : trustdom methods
2169 : *******************************************************************/
2170 :
2171 800 : bool pdb_get_trusteddom_pw(const char *domain, char** pwd, struct dom_sid *sid,
2172 : time_t *pass_last_set_time)
2173 : {
2174 800 : struct pdb_methods *pdb = pdb_get_methods();
2175 800 : return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
2176 : pass_last_set_time);
2177 : }
2178 :
2179 0 : NTSTATUS pdb_get_trusteddom_creds(const char *domain, TALLOC_CTX *mem_ctx,
2180 : struct cli_credentials **creds)
2181 : {
2182 0 : struct pdb_methods *pdb = pdb_get_methods();
2183 0 : return pdb->get_trusteddom_creds(pdb, domain, mem_ctx, creds);
2184 : }
2185 :
2186 4 : bool pdb_set_trusteddom_pw(const char* domain, const char* pwd,
2187 : const struct dom_sid *sid)
2188 : {
2189 4 : struct pdb_methods *pdb = pdb_get_methods();
2190 4 : return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
2191 : }
2192 :
2193 0 : bool pdb_del_trusteddom_pw(const char *domain)
2194 : {
2195 0 : struct pdb_methods *pdb = pdb_get_methods();
2196 0 : return pdb->del_trusteddom_pw(pdb, domain);
2197 : }
2198 :
2199 100 : NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2200 : struct trustdom_info ***domains)
2201 : {
2202 100 : struct pdb_methods *pdb = pdb_get_methods();
2203 100 : return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
2204 : }
2205 :
2206 : /*******************************************************************
2207 : the defaults for trustdom methods:
2208 : these simply call the original passdb/secrets.c actions,
2209 : to be replaced by pdb_ldap.
2210 : *******************************************************************/
2211 :
2212 800 : static bool pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
2213 : const char *domain,
2214 : char** pwd,
2215 : struct dom_sid *sid,
2216 : time_t *pass_last_set_time)
2217 : {
2218 800 : return secrets_fetch_trusted_domain_password(domain, pwd,
2219 : sid, pass_last_set_time);
2220 :
2221 : }
2222 :
2223 0 : static NTSTATUS pdb_default_get_trusteddom_creds(struct pdb_methods *methods,
2224 : const char *domain,
2225 : TALLOC_CTX *mem_ctx,
2226 : struct cli_credentials **creds)
2227 : {
2228 0 : *creds = NULL;
2229 0 : return NT_STATUS_NOT_IMPLEMENTED;
2230 : }
2231 :
2232 4 : static bool pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
2233 : const char* domain,
2234 : const char* pwd,
2235 : const struct dom_sid *sid)
2236 : {
2237 4 : return secrets_store_trusted_domain_password(domain, pwd, sid);
2238 : }
2239 :
2240 0 : static bool pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
2241 : const char *domain)
2242 : {
2243 0 : return trusted_domain_password_delete(domain);
2244 : }
2245 :
2246 100 : static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
2247 : TALLOC_CTX *mem_ctx,
2248 : uint32_t *num_domains,
2249 : struct trustdom_info ***domains)
2250 : {
2251 100 : return secrets_trusted_domains(mem_ctx, num_domains, domains);
2252 : }
2253 :
2254 : /*******************************************************************
2255 : trusted_domain methods
2256 : *******************************************************************/
2257 :
2258 0 : NTSTATUS pdb_get_trusted_domain(TALLOC_CTX *mem_ctx, const char *domain,
2259 : struct pdb_trusted_domain **td)
2260 : {
2261 0 : struct pdb_methods *pdb = pdb_get_methods();
2262 0 : return pdb->get_trusted_domain(pdb, mem_ctx, domain, td);
2263 : }
2264 :
2265 0 : NTSTATUS pdb_get_trusted_domain_by_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid,
2266 : struct pdb_trusted_domain **td)
2267 : {
2268 0 : struct pdb_methods *pdb = pdb_get_methods();
2269 0 : return pdb->get_trusted_domain_by_sid(pdb, mem_ctx, sid, td);
2270 : }
2271 :
2272 0 : NTSTATUS pdb_set_trusted_domain(const char* domain,
2273 : const struct pdb_trusted_domain *td)
2274 : {
2275 0 : struct pdb_methods *pdb = pdb_get_methods();
2276 0 : return pdb->set_trusted_domain(pdb, domain, td);
2277 : }
2278 :
2279 0 : NTSTATUS pdb_del_trusted_domain(const char *domain)
2280 : {
2281 0 : struct pdb_methods *pdb = pdb_get_methods();
2282 0 : return pdb->del_trusted_domain(pdb, domain);
2283 : }
2284 :
2285 0 : NTSTATUS pdb_enum_trusted_domains(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2286 : struct pdb_trusted_domain ***domains)
2287 : {
2288 0 : struct pdb_methods *pdb = pdb_get_methods();
2289 0 : return pdb->enum_trusted_domains(pdb, mem_ctx, num_domains, domains);
2290 : }
2291 :
2292 0 : static NTSTATUS pdb_default_get_trusted_domain(struct pdb_methods *methods,
2293 : TALLOC_CTX *mem_ctx,
2294 : const char *domain,
2295 : struct pdb_trusted_domain **td)
2296 : {
2297 0 : struct trustAuthInOutBlob taiob;
2298 0 : struct AuthenticationInformation aia;
2299 0 : struct pdb_trusted_domain *tdom;
2300 0 : enum ndr_err_code ndr_err;
2301 0 : time_t last_set_time;
2302 0 : char *pwd;
2303 0 : bool ok;
2304 :
2305 0 : tdom = talloc(mem_ctx, struct pdb_trusted_domain);
2306 0 : if (!tdom) {
2307 0 : return NT_STATUS_NO_MEMORY;
2308 : }
2309 :
2310 0 : tdom->domain_name = talloc_strdup(tdom, domain);
2311 0 : tdom->netbios_name = talloc_strdup(tdom, domain);
2312 0 : if (!tdom->domain_name || !tdom->netbios_name) {
2313 0 : talloc_free(tdom);
2314 0 : return NT_STATUS_NO_MEMORY;
2315 : }
2316 :
2317 0 : tdom->trust_auth_incoming = data_blob_null;
2318 :
2319 0 : ok = pdb_get_trusteddom_pw(domain, &pwd, &tdom->security_identifier,
2320 : &last_set_time);
2321 0 : if (!ok) {
2322 0 : talloc_free(tdom);
2323 0 : return NT_STATUS_UNSUCCESSFUL;
2324 : }
2325 :
2326 0 : ZERO_STRUCT(taiob);
2327 0 : ZERO_STRUCT(aia);
2328 0 : taiob.count = 1;
2329 0 : taiob.current.count = 1;
2330 0 : taiob.current.array = &aia;
2331 0 : unix_to_nt_time(&aia.LastUpdateTime, last_set_time);
2332 :
2333 0 : aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
2334 0 : aia.AuthInfo.clear.size = strlen(pwd);
2335 0 : aia.AuthInfo.clear.password = (uint8_t *)talloc_memdup(tdom, pwd,
2336 : aia.AuthInfo.clear.size);
2337 0 : SAFE_FREE(pwd);
2338 0 : if (aia.AuthInfo.clear.password == NULL) {
2339 0 : talloc_free(tdom);
2340 0 : return NT_STATUS_NO_MEMORY;
2341 : }
2342 :
2343 0 : taiob.previous.count = 0;
2344 0 : taiob.previous.array = NULL;
2345 :
2346 0 : ndr_err = ndr_push_struct_blob(&tdom->trust_auth_outgoing,
2347 : tdom, &taiob,
2348 : (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
2349 0 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2350 0 : talloc_free(tdom);
2351 0 : return NT_STATUS_UNSUCCESSFUL;
2352 : }
2353 :
2354 0 : tdom->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
2355 0 : tdom->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
2356 0 : tdom->trust_attributes = 0;
2357 0 : tdom->trust_forest_trust_info = data_blob_null;
2358 :
2359 0 : *td = tdom;
2360 0 : return NT_STATUS_OK;
2361 : }
2362 :
2363 0 : static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
2364 : TALLOC_CTX *mem_ctx,
2365 : struct dom_sid *sid,
2366 : struct pdb_trusted_domain **td)
2367 : {
2368 0 : return NT_STATUS_NOT_IMPLEMENTED;
2369 : }
2370 :
2371 : #define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
2372 :
2373 0 : static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
2374 : const char* domain,
2375 : const struct pdb_trusted_domain *td)
2376 : {
2377 0 : struct trustAuthInOutBlob taiob;
2378 0 : struct AuthenticationInformation *aia;
2379 0 : enum ndr_err_code ndr_err;
2380 0 : char *pwd;
2381 0 : bool ok;
2382 :
2383 0 : if (td->trust_attributes != 0 ||
2384 0 : td->trust_type != LSA_TRUST_TYPE_DOWNLEVEL ||
2385 0 : td->trust_direction != LSA_TRUST_DIRECTION_OUTBOUND ||
2386 0 : !IS_NULL_DATA_BLOB(td->trust_auth_incoming) ||
2387 0 : !IS_NULL_DATA_BLOB(td->trust_forest_trust_info)) {
2388 0 : return NT_STATUS_NOT_IMPLEMENTED;
2389 : }
2390 :
2391 0 : ZERO_STRUCT(taiob);
2392 0 : ndr_err = ndr_pull_struct_blob(&td->trust_auth_outgoing, talloc_tos(),
2393 : &taiob,
2394 : (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2395 0 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2396 0 : return NT_STATUS_UNSUCCESSFUL;
2397 : }
2398 :
2399 0 : aia = (struct AuthenticationInformation *) taiob.current.array;
2400 :
2401 0 : if (taiob.count != 1 || taiob.current.count != 1 ||
2402 0 : taiob.previous.count != 0 ||
2403 0 : aia->AuthType != TRUST_AUTH_TYPE_CLEAR) {
2404 0 : return NT_STATUS_NOT_IMPLEMENTED;
2405 : }
2406 :
2407 0 : pwd = talloc_strndup(talloc_tos(), (char *) aia->AuthInfo.clear.password,
2408 0 : aia->AuthInfo.clear.size);
2409 0 : if (!pwd) {
2410 0 : return NT_STATUS_NO_MEMORY;
2411 : }
2412 :
2413 0 : ok = pdb_set_trusteddom_pw(domain, pwd, &td->security_identifier);
2414 0 : if (!ok) {
2415 0 : return NT_STATUS_UNSUCCESSFUL;
2416 : }
2417 :
2418 0 : return NT_STATUS_OK;
2419 : }
2420 :
2421 0 : static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
2422 : const char *domain)
2423 : {
2424 0 : return NT_STATUS_NOT_IMPLEMENTED;
2425 : }
2426 :
2427 0 : static NTSTATUS pdb_default_enum_trusted_domains(struct pdb_methods *methods,
2428 : TALLOC_CTX *mem_ctx,
2429 : uint32_t *num_domains,
2430 : struct pdb_trusted_domain ***domains)
2431 : {
2432 0 : return NT_STATUS_NOT_IMPLEMENTED;
2433 : }
2434 :
2435 4032 : static struct pdb_domain_info *pdb_default_get_domain_info(
2436 : struct pdb_methods *m, TALLOC_CTX *mem_ctx)
2437 : {
2438 4032 : return NULL;
2439 : }
2440 :
2441 : /*****************************************************************
2442 : UPN suffixes
2443 : *****************************************************************/
2444 0 : static NTSTATUS pdb_default_enum_upn_suffixes(struct pdb_methods *pdb,
2445 : TALLOC_CTX *mem_ctx,
2446 : uint32_t *num_suffixes,
2447 : char ***suffixes)
2448 : {
2449 0 : return NT_STATUS_NOT_IMPLEMENTED;
2450 : }
2451 :
2452 0 : static NTSTATUS pdb_default_set_upn_suffixes(struct pdb_methods *pdb,
2453 : uint32_t num_suffixes,
2454 : const char **suffixes)
2455 : {
2456 0 : return NT_STATUS_NOT_IMPLEMENTED;
2457 : }
2458 :
2459 0 : NTSTATUS pdb_enum_upn_suffixes(TALLOC_CTX *mem_ctx,
2460 : uint32_t *num_suffixes,
2461 : char ***suffixes)
2462 : {
2463 0 : struct pdb_methods *pdb = pdb_get_methods();
2464 0 : return pdb->enum_upn_suffixes(pdb, mem_ctx, num_suffixes, suffixes);
2465 : }
2466 :
2467 0 : NTSTATUS pdb_set_upn_suffixes(uint32_t num_suffixes,
2468 : const char **suffixes)
2469 : {
2470 0 : struct pdb_methods *pdb = pdb_get_methods();
2471 0 : return pdb->set_upn_suffixes(pdb, num_suffixes, suffixes);
2472 : }
2473 :
2474 : /*******************************************************************
2475 : idmap control methods
2476 : *******************************************************************/
2477 978 : static bool pdb_default_is_responsible_for_our_sam(
2478 : struct pdb_methods *methods)
2479 : {
2480 978 : return true;
2481 : }
2482 :
2483 94 : static bool pdb_default_is_responsible_for_builtin(
2484 : struct pdb_methods *methods)
2485 : {
2486 94 : return true;
2487 : }
2488 :
2489 56780 : static bool pdb_default_is_responsible_for_wellknown(
2490 : struct pdb_methods *methods)
2491 : {
2492 56780 : return false;
2493 : }
2494 :
2495 0 : static bool pdb_default_is_responsible_for_unix_users(
2496 : struct pdb_methods *methods)
2497 : {
2498 0 : return true;
2499 : }
2500 :
2501 0 : static bool pdb_default_is_responsible_for_unix_groups(
2502 : struct pdb_methods *methods)
2503 : {
2504 0 : return true;
2505 : }
2506 :
2507 59360 : static bool pdb_default_is_responsible_for_everything_else(
2508 : struct pdb_methods *methods)
2509 : {
2510 59360 : return false;
2511 : }
2512 :
2513 978 : bool pdb_is_responsible_for_our_sam(void)
2514 : {
2515 978 : struct pdb_methods *pdb = pdb_get_methods();
2516 978 : return pdb->is_responsible_for_our_sam(pdb);
2517 : }
2518 :
2519 69878 : bool pdb_is_responsible_for_builtin(void)
2520 : {
2521 69878 : struct pdb_methods *pdb = pdb_get_methods();
2522 69878 : return pdb->is_responsible_for_builtin(pdb);
2523 : }
2524 :
2525 56880 : bool pdb_is_responsible_for_wellknown(void)
2526 : {
2527 56880 : struct pdb_methods *pdb = pdb_get_methods();
2528 56880 : return pdb->is_responsible_for_wellknown(pdb);
2529 : }
2530 :
2531 0 : bool pdb_is_responsible_for_unix_users(void)
2532 : {
2533 0 : struct pdb_methods *pdb = pdb_get_methods();
2534 0 : return pdb->is_responsible_for_unix_users(pdb);
2535 : }
2536 :
2537 0 : bool pdb_is_responsible_for_unix_groups(void)
2538 : {
2539 0 : struct pdb_methods *pdb = pdb_get_methods();
2540 0 : return pdb->is_responsible_for_unix_groups(pdb);
2541 : }
2542 :
2543 59360 : bool pdb_is_responsible_for_everything_else(void)
2544 : {
2545 59360 : struct pdb_methods *pdb = pdb_get_methods();
2546 59360 : return pdb->is_responsible_for_everything_else(pdb);
2547 : }
2548 :
2549 : /*******************************************************************
2550 : secret methods
2551 : *******************************************************************/
2552 :
2553 0 : NTSTATUS pdb_get_secret(TALLOC_CTX *mem_ctx,
2554 : const char *secret_name,
2555 : DATA_BLOB *secret_current,
2556 : NTTIME *secret_current_lastchange,
2557 : DATA_BLOB *secret_old,
2558 : NTTIME *secret_old_lastchange,
2559 : struct security_descriptor **sd)
2560 : {
2561 0 : struct pdb_methods *pdb = pdb_get_methods();
2562 0 : return pdb->get_secret(pdb, mem_ctx, secret_name,
2563 : secret_current, secret_current_lastchange,
2564 : secret_old, secret_old_lastchange,
2565 : sd);
2566 : }
2567 :
2568 0 : NTSTATUS pdb_set_secret(const char *secret_name,
2569 : DATA_BLOB *secret_current,
2570 : DATA_BLOB *secret_old,
2571 : struct security_descriptor *sd)
2572 : {
2573 0 : struct pdb_methods *pdb = pdb_get_methods();
2574 0 : return pdb->set_secret(pdb, secret_name,
2575 : secret_current,
2576 : secret_old,
2577 : sd);
2578 : }
2579 :
2580 0 : NTSTATUS pdb_delete_secret(const char *secret_name)
2581 : {
2582 0 : struct pdb_methods *pdb = pdb_get_methods();
2583 0 : return pdb->delete_secret(pdb, secret_name);
2584 : }
2585 :
2586 0 : static NTSTATUS pdb_default_get_secret(struct pdb_methods *methods,
2587 : TALLOC_CTX *mem_ctx,
2588 : const char *secret_name,
2589 : DATA_BLOB *secret_current,
2590 : NTTIME *secret_current_lastchange,
2591 : DATA_BLOB *secret_old,
2592 : NTTIME *secret_old_lastchange,
2593 : struct security_descriptor **sd)
2594 : {
2595 0 : return lsa_secret_get(mem_ctx, secret_name,
2596 : secret_current,
2597 : secret_current_lastchange,
2598 : secret_old,
2599 : secret_old_lastchange,
2600 : sd);
2601 : }
2602 :
2603 0 : static NTSTATUS pdb_default_set_secret(struct pdb_methods *methods,
2604 : const char *secret_name,
2605 : DATA_BLOB *secret_current,
2606 : DATA_BLOB *secret_old,
2607 : struct security_descriptor *sd)
2608 : {
2609 0 : return lsa_secret_set(secret_name,
2610 : secret_current,
2611 : secret_old,
2612 : sd);
2613 : }
2614 :
2615 0 : static NTSTATUS pdb_default_delete_secret(struct pdb_methods *methods,
2616 : const char *secret_name)
2617 : {
2618 0 : return lsa_secret_delete(secret_name);
2619 : }
2620 :
2621 : /*******************************************************************
2622 : Create a pdb_methods structure and initialize it with the default
2623 : operations. In this way a passdb module can simply implement
2624 : the functionality it cares about. However, normally this is done
2625 : in groups of related functions.
2626 : *******************************************************************/
2627 :
2628 33710 : NTSTATUS make_pdb_method( struct pdb_methods **methods )
2629 : {
2630 : /* allocate memory for the structure as its own talloc CTX */
2631 :
2632 33710 : *methods = talloc_zero(NULL, struct pdb_methods);
2633 33710 : if (*methods == NULL) {
2634 0 : return NT_STATUS_NO_MEMORY;
2635 : }
2636 :
2637 33710 : (*methods)->get_domain_info = pdb_default_get_domain_info;
2638 33710 : (*methods)->getsampwnam = pdb_default_getsampwnam;
2639 33710 : (*methods)->getsampwsid = pdb_default_getsampwsid;
2640 33710 : (*methods)->create_user = pdb_default_create_user;
2641 33710 : (*methods)->delete_user = pdb_default_delete_user;
2642 33710 : (*methods)->add_sam_account = pdb_default_add_sam_account;
2643 33710 : (*methods)->update_sam_account = pdb_default_update_sam_account;
2644 33710 : (*methods)->delete_sam_account = pdb_default_delete_sam_account;
2645 33710 : (*methods)->rename_sam_account = pdb_default_rename_sam_account;
2646 33710 : (*methods)->update_login_attempts = pdb_default_update_login_attempts;
2647 :
2648 33710 : (*methods)->getgrsid = pdb_default_getgrsid;
2649 33710 : (*methods)->getgrgid = pdb_default_getgrgid;
2650 33710 : (*methods)->getgrnam = pdb_default_getgrnam;
2651 33710 : (*methods)->create_dom_group = pdb_default_create_dom_group;
2652 33710 : (*methods)->delete_dom_group = pdb_default_delete_dom_group;
2653 33710 : (*methods)->add_group_mapping_entry = pdb_default_add_group_mapping_entry;
2654 33710 : (*methods)->update_group_mapping_entry = pdb_default_update_group_mapping_entry;
2655 33710 : (*methods)->delete_group_mapping_entry = pdb_default_delete_group_mapping_entry;
2656 33710 : (*methods)->enum_group_mapping = pdb_default_enum_group_mapping;
2657 33710 : (*methods)->enum_group_members = pdb_default_enum_group_members;
2658 33710 : (*methods)->enum_group_memberships = pdb_default_enum_group_memberships;
2659 33710 : (*methods)->set_unix_primary_group = pdb_default_set_unix_primary_group;
2660 33710 : (*methods)->add_groupmem = pdb_default_add_groupmem;
2661 33710 : (*methods)->del_groupmem = pdb_default_del_groupmem;
2662 33710 : (*methods)->create_alias = pdb_default_create_alias;
2663 33710 : (*methods)->delete_alias = pdb_default_delete_alias;
2664 33710 : (*methods)->get_aliasinfo = pdb_default_get_aliasinfo;
2665 33710 : (*methods)->set_aliasinfo = pdb_default_set_aliasinfo;
2666 33710 : (*methods)->add_aliasmem = pdb_default_add_aliasmem;
2667 33710 : (*methods)->del_aliasmem = pdb_default_del_aliasmem;
2668 33710 : (*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
2669 33710 : (*methods)->enum_alias_memberships = pdb_default_alias_memberships;
2670 33710 : (*methods)->lookup_rids = pdb_default_lookup_rids;
2671 33710 : (*methods)->get_account_policy = pdb_default_get_account_policy;
2672 33710 : (*methods)->set_account_policy = pdb_default_set_account_policy;
2673 33710 : (*methods)->get_seq_num = pdb_default_get_seq_num;
2674 33710 : (*methods)->id_to_sid = pdb_default_id_to_sid;
2675 33710 : (*methods)->sid_to_id = pdb_default_sid_to_id;
2676 :
2677 33710 : (*methods)->search_groups = pdb_default_search_groups;
2678 33710 : (*methods)->search_aliases = pdb_default_search_aliases;
2679 :
2680 33710 : (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
2681 33710 : (*methods)->get_trusteddom_creds = pdb_default_get_trusteddom_creds;
2682 33710 : (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
2683 33710 : (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
2684 33710 : (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
2685 :
2686 33710 : (*methods)->get_trusted_domain = pdb_default_get_trusted_domain;
2687 33710 : (*methods)->get_trusted_domain_by_sid = pdb_default_get_trusted_domain_by_sid;
2688 33710 : (*methods)->set_trusted_domain = pdb_default_set_trusted_domain;
2689 33710 : (*methods)->del_trusted_domain = pdb_default_del_trusted_domain;
2690 33710 : (*methods)->enum_trusted_domains = pdb_default_enum_trusted_domains;
2691 :
2692 33710 : (*methods)->get_secret = pdb_default_get_secret;
2693 33710 : (*methods)->set_secret = pdb_default_set_secret;
2694 33710 : (*methods)->delete_secret = pdb_default_delete_secret;
2695 :
2696 33710 : (*methods)->enum_upn_suffixes = pdb_default_enum_upn_suffixes;
2697 33710 : (*methods)->set_upn_suffixes = pdb_default_set_upn_suffixes;
2698 :
2699 33710 : (*methods)->is_responsible_for_our_sam =
2700 : pdb_default_is_responsible_for_our_sam;
2701 33710 : (*methods)->is_responsible_for_builtin =
2702 : pdb_default_is_responsible_for_builtin;
2703 33710 : (*methods)->is_responsible_for_wellknown =
2704 : pdb_default_is_responsible_for_wellknown;
2705 33710 : (*methods)->is_responsible_for_unix_users =
2706 : pdb_default_is_responsible_for_unix_users;
2707 33710 : (*methods)->is_responsible_for_unix_groups =
2708 : pdb_default_is_responsible_for_unix_groups;
2709 33710 : (*methods)->is_responsible_for_everything_else =
2710 : pdb_default_is_responsible_for_everything_else;
2711 :
2712 33710 : return NT_STATUS_OK;
2713 : }
|
