1/* 2 Unix SMB/CIFS implementation. 3 LDAP protocol helper functions for SAMBA 4 Copyright (C) Jean Fran�ois Micouleau 1998 5 Copyright (C) Gerald Carter 2001-2003 6 Copyright (C) Shahms King 2001 7 Copyright (C) Andrew Bartlett 2002-2003 8 Copyright (C) Stefan (metze) Metzmacher 2002-2003 9 Copyright (C) Simo Sorce 2006 10 11 This program is free software; you can redistribute it and/or modify 12 it under the terms of the GNU General Public License as published by 13 the Free Software Foundation; either version 3 of the License, or 14 (at your option) any later version. 15 16 This program is distributed in the hope that it will be useful, 17 but WITHOUT ANY WARRANTY; without even the implied warranty of 18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 GNU General Public License for more details. 20 21 You should have received a copy of the GNU General Public License 22 along with this program. If not, see <http://www.gnu.org/licenses/>. 23 24*/ 25 26/* TODO: 27* persistent connections: if using NSS LDAP, many connections are made 28* however, using only one within Samba would be nice 29* 30* Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK 31* 32* Other LDAP based login attributes: accountExpires, etc. 33* (should be the domain of Samba proper, but the sam_password/struct samu 34* structures don't have fields for some of these attributes) 35* 36* SSL is done, but can't get the certificate based authentication to work 37* against on my test platform (Linux 2.4, OpenLDAP 2.x) 38*/ 39 40/* NOTE: this will NOT work against an Active Directory server 41* due to the fact that the two password fields cannot be retrieved 42* from a server; recommend using security = domain in this situation 43* and/or winbind 44*/ 45 46#include "includes.h" 47#include "../libcli/auth/libcli_auth.h" 48 49#undef DBGC_CLASS 50#define DBGC_CLASS DBGC_PASSDB 51 52#include <lber.h> 53#include <ldap.h> 54 55/* 56 * Work around versions of the LDAP client libs that don't have the OIDs 57 * defined, or have them defined under the old name. 58 * This functionality is really a factor of the server, not the client 59 * 60 */ 61 62#if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD) 63#define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD 64#elif !defined(LDAP_EXOP_MODIFY_PASSWD) 65#define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1" 66#endif 67 68#if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID) 69#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID 70#elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID) 71#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U) 72#endif 73 74#if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW) 75#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW 76#elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW) 77#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U) 78#endif 79 80 81#include "smbldap.h" 82 83/********************************************************************** 84 Simple helper function to make stuff better readable 85 **********************************************************************/ 86 87static LDAP *priv2ld(struct ldapsam_privates *priv) 88{ 89 return priv->smbldap_state->ldap_struct; 90} 91 92/********************************************************************** 93 Get the attribute name given a user schame version. 94 **********************************************************************/ 95 96static const char* get_userattr_key2string( int schema_ver, int key ) 97{ 98 switch ( schema_ver ) { 99 case SCHEMAVER_SAMBAACCOUNT: 100 return get_attr_key2string( attrib_map_v22, key ); 101 102 case SCHEMAVER_SAMBASAMACCOUNT: 103 return get_attr_key2string( attrib_map_v30, key ); 104 105 default: 106 DEBUG(0,("get_userattr_key2string: unknown schema version specified\n")); 107 break; 108 } 109 return NULL; 110} 111 112/********************************************************************** 113 Return the list of attribute names given a user schema version. 114**********************************************************************/ 115 116const char** get_userattr_list( TALLOC_CTX *mem_ctx, int schema_ver ) 117{ 118 switch ( schema_ver ) { 119 case SCHEMAVER_SAMBAACCOUNT: 120 return get_attr_list( mem_ctx, attrib_map_v22 ); 121 122 case SCHEMAVER_SAMBASAMACCOUNT: 123 return get_attr_list( mem_ctx, attrib_map_v30 ); 124 default: 125 DEBUG(0,("get_userattr_list: unknown schema version specified!\n")); 126 break; 127 } 128 129 return NULL; 130} 131 132/************************************************************************** 133 Return the list of attribute names to delete given a user schema version. 134**************************************************************************/ 135 136static const char** get_userattr_delete_list( TALLOC_CTX *mem_ctx, 137 int schema_ver ) 138{ 139 switch ( schema_ver ) { 140 case SCHEMAVER_SAMBAACCOUNT: 141 return get_attr_list( mem_ctx, 142 attrib_map_to_delete_v22 ); 143 144 case SCHEMAVER_SAMBASAMACCOUNT: 145 return get_attr_list( mem_ctx, 146 attrib_map_to_delete_v30 ); 147 default: 148 DEBUG(0,("get_userattr_delete_list: unknown schema version specified!\n")); 149 break; 150 } 151 152 return NULL; 153} 154 155 156/******************************************************************* 157 Generate the LDAP search filter for the objectclass based on the 158 version of the schema we are using. 159******************************************************************/ 160 161static const char* get_objclass_filter( int schema_ver ) 162{ 163 fstring objclass_filter; 164 char *result; 165 166 switch( schema_ver ) { 167 case SCHEMAVER_SAMBAACCOUNT: 168 fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT ); 169 break; 170 case SCHEMAVER_SAMBASAMACCOUNT: 171 fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT ); 172 break; 173 default: 174 DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n")); 175 objclass_filter[0] = '\0'; 176 break; 177 } 178 179 result = talloc_strdup(talloc_tos(), objclass_filter); 180 SMB_ASSERT(result != NULL); 181 return result; 182} 183 184/***************************************************************** 185 Scan a sequence number off OpenLDAP's syncrepl contextCSN 186******************************************************************/ 187 188static NTSTATUS ldapsam_get_seq_num(struct pdb_methods *my_methods, time_t *seq_num) 189{ 190 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 191 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL; 192 LDAPMessage *msg = NULL; 193 LDAPMessage *entry = NULL; 194 TALLOC_CTX *mem_ctx; 195 char **values = NULL; 196 int rc, num_result, num_values, rid; 197 char *suffix = NULL; 198 char *tok; 199 const char *p; 200 const char **attrs; 201 202 /* Unfortunatly there is no proper way to detect syncrepl-support in 203 * smbldap_connect_system(). The syncrepl OIDs are submitted for publication 204 * but do not show up in the root-DSE yet. Neither we can query the 205 * subschema-context for the syncProviderSubentry or syncConsumerSubentry 206 * objectclass. Currently we require lp_ldap_suffix() to show up as 207 * namingContext. - Guenther 208 */ 209 210 if (!lp_parm_bool(-1, "ldapsam", "syncrepl_seqnum", False)) { 211 return ntstatus; 212 } 213 214 if (!seq_num) { 215 DEBUG(3,("ldapsam_get_seq_num: no sequence_number\n")); 216 return ntstatus; 217 } 218 219 if (!smbldap_has_naming_context(ldap_state->smbldap_state->ldap_struct, lp_ldap_suffix())) { 220 DEBUG(3,("ldapsam_get_seq_num: DIT not configured to hold %s " 221 "as top-level namingContext\n", lp_ldap_suffix())); 222 return ntstatus; 223 } 224 225 mem_ctx = talloc_init("ldapsam_get_seq_num"); 226 227 if (mem_ctx == NULL) 228 return NT_STATUS_NO_MEMORY; 229 230 if ((attrs = TALLOC_ARRAY(mem_ctx, const char *, 2)) == NULL) { 231 ntstatus = NT_STATUS_NO_MEMORY; 232 goto done; 233 } 234 235 /* if we got a syncrepl-rid (up to three digits long) we speak with a consumer */ 236 rid = lp_parm_int(-1, "ldapsam", "syncrepl_rid", -1); 237 if (rid > 0) { 238 239 /* consumer syncreplCookie: */ 240 /* csn=20050126161620Z#0000001#00#00000 */ 241 attrs[0] = talloc_strdup(mem_ctx, "syncreplCookie"); 242 attrs[1] = NULL; 243 suffix = talloc_asprintf(mem_ctx, 244 "cn=syncrepl%d,%s", rid, lp_ldap_suffix()); 245 if (!suffix) { 246 ntstatus = NT_STATUS_NO_MEMORY; 247 goto done; 248 } 249 } else { 250 251 /* provider contextCSN */ 252 /* 20050126161620Z#000009#00#000000 */ 253 attrs[0] = talloc_strdup(mem_ctx, "contextCSN"); 254 attrs[1] = NULL; 255 suffix = talloc_asprintf(mem_ctx, 256 "cn=ldapsync,%s", lp_ldap_suffix()); 257 258 if (!suffix) { 259 ntstatus = NT_STATUS_NO_MEMORY; 260 goto done; 261 } 262 } 263 264 rc = smbldap_search(ldap_state->smbldap_state, suffix, 265 LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0, &msg); 266 267 if (rc != LDAP_SUCCESS) { 268 goto done; 269 } 270 271 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg); 272 if (num_result != 1) { 273 DEBUG(3,("ldapsam_get_seq_num: Expected one entry, got %d\n", num_result)); 274 goto done; 275 } 276 277 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg); 278 if (entry == NULL) { 279 DEBUG(3,("ldapsam_get_seq_num: Could not retrieve entry\n")); 280 goto done; 281 } 282 283 values = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, attrs[0]); 284 if (values == NULL) { 285 DEBUG(3,("ldapsam_get_seq_num: no values\n")); 286 goto done; 287 } 288 289 num_values = ldap_count_values(values); 290 if (num_values == 0) { 291 DEBUG(3,("ldapsam_get_seq_num: not a single value\n")); 292 goto done; 293 } 294 295 p = values[0]; 296 if (!next_token_talloc(mem_ctx, &p, &tok, "#")) { 297 DEBUG(0,("ldapsam_get_seq_num: failed to parse sequence number\n")); 298 goto done; 299 } 300 301 p = tok; 302 if (!strncmp(p, "csn=", strlen("csn="))) 303 p += strlen("csn="); 304 305 DEBUG(10,("ldapsam_get_seq_num: got %s: %s\n", attrs[0], p)); 306 307 *seq_num = generalized_to_unix_time(p); 308 309 /* very basic sanity check */ 310 if (*seq_num <= 0) { 311 DEBUG(3,("ldapsam_get_seq_num: invalid sequence number: %d\n", 312 (int)*seq_num)); 313 goto done; 314 } 315 316 ntstatus = NT_STATUS_OK; 317 318 done: 319 if (values != NULL) 320 ldap_value_free(values); 321 if (msg != NULL) 322 ldap_msgfree(msg); 323 if (mem_ctx) 324 talloc_destroy(mem_ctx); 325 326 return ntstatus; 327} 328 329/******************************************************************* 330 Run the search by name. 331******************************************************************/ 332 333int ldapsam_search_suffix_by_name(struct ldapsam_privates *ldap_state, 334 const char *user, 335 LDAPMessage ** result, 336 const char **attr) 337{ 338 char *filter = NULL; 339 char *escape_user = escape_ldap_string(talloc_tos(), user); 340 int ret = -1; 341 342 if (!escape_user) { 343 return LDAP_NO_MEMORY; 344 } 345 346 /* 347 * in the filter expression, replace %u with the real name 348 * so in ldap filter, %u MUST exist :-) 349 */ 350 filter = talloc_asprintf(talloc_tos(), "(&%s%s)", "(uid=%u)", 351 get_objclass_filter(ldap_state->schema_ver)); 352 if (!filter) { 353 TALLOC_FREE(escape_user); 354 return LDAP_NO_MEMORY; 355 } 356 /* 357 * have to use this here because $ is filtered out 358 * in string_sub 359 */ 360 361 filter = talloc_all_string_sub(talloc_tos(), 362 filter, "%u", escape_user); 363 TALLOC_FREE(escape_user); 364 if (!filter) { 365 return LDAP_NO_MEMORY; 366 } 367 368 ret = smbldap_search_suffix(ldap_state->smbldap_state, 369 filter, attr, result); 370 TALLOC_FREE(filter); 371 return ret; 372} 373 374/******************************************************************* 375 Run the search by rid. 376******************************************************************/ 377 378static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state, 379 uint32 rid, LDAPMessage ** result, 380 const char **attr) 381{ 382 char *filter = NULL; 383 int rc; 384 385 filter = talloc_asprintf(talloc_tos(), "(&(rid=%i)%s)", rid, 386 get_objclass_filter(ldap_state->schema_ver)); 387 if (!filter) { 388 return LDAP_NO_MEMORY; 389 } 390 391 rc = smbldap_search_suffix(ldap_state->smbldap_state, 392 filter, attr, result); 393 TALLOC_FREE(filter); 394 return rc; 395} 396 397/******************************************************************* 398 Run the search by SID. 399******************************************************************/ 400 401static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state, 402 const DOM_SID *sid, LDAPMessage ** result, 403 const char **attr) 404{ 405 char *filter = NULL; 406 int rc; 407 fstring sid_string; 408 409 filter = talloc_asprintf(talloc_tos(), "(&(%s=%s)%s)", 410 get_userattr_key2string(ldap_state->schema_ver, 411 LDAP_ATTR_USER_SID), 412 sid_to_fstring(sid_string, sid), 413 get_objclass_filter(ldap_state->schema_ver)); 414 if (!filter) { 415 return LDAP_NO_MEMORY; 416 } 417 418 rc = smbldap_search_suffix(ldap_state->smbldap_state, 419 filter, attr, result); 420 421 TALLOC_FREE(filter); 422 return rc; 423} 424 425/******************************************************************* 426 Delete complete object or objectclass and attrs from 427 object found in search_result depending on lp_ldap_delete_dn 428******************************************************************/ 429 430static int ldapsam_delete_entry(struct ldapsam_privates *priv, 431 TALLOC_CTX *mem_ctx, 432 LDAPMessage *entry, 433 const char *objectclass, 434 const char **attrs) 435{ 436 LDAPMod **mods = NULL; 437 char *name; 438 const char *dn; 439 BerElement *ptr = NULL; 440 441 dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry); 442 if (dn == NULL) { 443 return LDAP_NO_MEMORY; 444 } 445 446 if (lp_ldap_delete_dn()) { 447 return smbldap_delete(priv->smbldap_state, dn); 448 } 449 450 /* Ok, delete only the SAM attributes */ 451 452 for (name = ldap_first_attribute(priv2ld(priv), entry, &ptr); 453 name != NULL; 454 name = ldap_next_attribute(priv2ld(priv), entry, ptr)) { 455 const char **attrib; 456 457 /* We are only allowed to delete the attributes that 458 really exist. */ 459 460 for (attrib = attrs; *attrib != NULL; attrib++) { 461 if (strequal(*attrib, name)) { 462 DEBUG(10, ("ldapsam_delete_entry: deleting " 463 "attribute %s\n", name)); 464 smbldap_set_mod(&mods, LDAP_MOD_DELETE, name, 465 NULL); 466 } 467 } 468 ldap_memfree(name); 469 } 470 471 if (ptr != NULL) { 472 ber_free(ptr, 0); 473 } 474 475 smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass); 476 talloc_autofree_ldapmod(mem_ctx, mods); 477 478 return smbldap_modify(priv->smbldap_state, dn, mods); 479} 480 481static time_t ldapsam_get_entry_timestamp( struct ldapsam_privates *ldap_state, LDAPMessage * entry) 482{ 483 char *temp; 484 struct tm tm; 485 486 temp = smbldap_talloc_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 487 get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP), 488 talloc_tos()); 489 if (!temp) { 490 return (time_t) 0; 491 } 492 493 if ( !strptime(temp, "%Y%m%d%H%M%SZ", &tm)) { 494 DEBUG(2,("ldapsam_get_entry_timestamp: strptime failed on: %s\n", 495 (char*)temp)); 496 TALLOC_FREE(temp); 497 return (time_t) 0; 498 } 499 TALLOC_FREE(temp); 500 tzset(); 501 return timegm(&tm); 502} 503 504/********************************************************************** 505 Initialize struct samu from an LDAP query. 506 (Based on init_sam_from_buffer in pdb_tdb.c) 507*********************************************************************/ 508 509static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state, 510 struct samu * sampass, 511 LDAPMessage * entry) 512{ 513 time_t logon_time, 514 logoff_time, 515 kickoff_time, 516 pass_last_set_time, 517 pass_can_change_time, 518 pass_must_change_time, 519 ldap_entry_time, 520 bad_password_time; 521 char *username = NULL, 522 *domain = NULL, 523 *nt_username = NULL, 524 *fullname = NULL, 525 *homedir = NULL, 526 *dir_drive = NULL, 527 *logon_script = NULL, 528 *profile_path = NULL, 529 *acct_desc = NULL, 530 *workstations = NULL, 531 *munged_dial = NULL; 532 uint32 user_rid; 533 uint8 smblmpwd[LM_HASH_LEN], 534 smbntpwd[NT_HASH_LEN]; 535 bool use_samba_attrs = True; 536 uint32 acct_ctrl = 0; 537 uint16 logon_divs; 538 uint16 bad_password_count = 0, 539 logon_count = 0; 540 uint32 hours_len; 541 uint8 hours[MAX_HOURS_LEN]; 542 char *temp = NULL; 543 LOGIN_CACHE *cache_entry = NULL; 544 uint32 pwHistLen; 545 bool expand_explicit = lp_passdb_expand_explicit(); 546 bool ret = false; 547 TALLOC_CTX *ctx = talloc_init("init_sam_from_ldap"); 548 549 if (!ctx) { 550 return false; 551 } 552 if (sampass == NULL || ldap_state == NULL || entry == NULL) { 553 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n")); 554 goto fn_exit; 555 } 556 557 if (priv2ld(ldap_state) == NULL) { 558 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->" 559 "ldap_struct is NULL!\n")); 560 goto fn_exit; 561 } 562 563 if (!(username = smbldap_talloc_first_attribute(priv2ld(ldap_state), 564 entry, 565 "uid", 566 ctx))) { 567 DEBUG(1, ("init_sam_from_ldap: No uid attribute found for " 568 "this user!\n")); 569 goto fn_exit; 570 } 571 572 DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username)); 573 574 nt_username = talloc_strdup(ctx, username); 575 if (!nt_username) { 576 goto fn_exit; 577 } 578 579 domain = talloc_strdup(ctx, ldap_state->domain_name); 580 if (!domain) { 581 goto fn_exit; 582 } 583 584 pdb_set_username(sampass, username, PDB_SET); 585 586 pdb_set_domain(sampass, domain, PDB_DEFAULT); 587 pdb_set_nt_username(sampass, nt_username, PDB_SET); 588 589 /* deal with different attributes between the schema first */ 590 591 if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) { 592 if ((temp = smbldap_talloc_single_attribute( 593 ldap_state->smbldap_state->ldap_struct, 594 entry, 595 get_userattr_key2string(ldap_state->schema_ver, 596 LDAP_ATTR_USER_SID), 597 ctx))!=NULL) { 598 pdb_set_user_sid_from_string(sampass, temp, PDB_SET); 599 } 600 } else { 601 if ((temp = smbldap_talloc_single_attribute( 602 ldap_state->smbldap_state->ldap_struct, 603 entry, 604 get_userattr_key2string(ldap_state->schema_ver, 605 LDAP_ATTR_USER_RID), 606 ctx))!=NULL) { 607 user_rid = (uint32)atol(temp); 608 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET); 609 } 610 } 611 612 if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) { 613 DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n", 614 get_userattr_key2string(ldap_state->schema_ver, 615 LDAP_ATTR_USER_SID), 616 get_userattr_key2string(ldap_state->schema_ver, 617 LDAP_ATTR_USER_RID), 618 username)); 619 return False; 620 } 621 622 temp = smbldap_talloc_single_attribute( 623 ldap_state->smbldap_state->ldap_struct, 624 entry, 625 get_userattr_key2string(ldap_state->schema_ver, 626 LDAP_ATTR_PWD_LAST_SET), 627 ctx); 628 if (temp) { 629 pass_last_set_time = (time_t) atol(temp); 630 pdb_set_pass_last_set_time(sampass, 631 pass_last_set_time, PDB_SET); 632 } 633 634 temp = smbldap_talloc_single_attribute( 635 ldap_state->smbldap_state->ldap_struct, 636 entry, 637 get_userattr_key2string(ldap_state->schema_ver, 638 LDAP_ATTR_LOGON_TIME), 639 ctx); 640 if (temp) { 641 logon_time = (time_t) atol(temp); 642 pdb_set_logon_time(sampass, logon_time, PDB_SET); 643 } 644 645 temp = smbldap_talloc_single_attribute( 646 ldap_state->smbldap_state->ldap_struct, 647 entry, 648 get_userattr_key2string(ldap_state->schema_ver, 649 LDAP_ATTR_LOGOFF_TIME), 650 ctx); 651 if (temp) { 652 logoff_time = (time_t) atol(temp); 653 pdb_set_logoff_time(sampass, logoff_time, PDB_SET); 654 } 655 656 temp = smbldap_talloc_single_attribute( 657 ldap_state->smbldap_state->ldap_struct, 658 entry, 659 get_userattr_key2string(ldap_state->schema_ver, 660 LDAP_ATTR_KICKOFF_TIME), 661 ctx); 662 if (temp) { 663 kickoff_time = (time_t) atol(temp); 664 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET); 665 } 666 667 temp = smbldap_talloc_single_attribute( 668 ldap_state->smbldap_state->ldap_struct, 669 entry, 670 get_userattr_key2string(ldap_state->schema_ver, 671 LDAP_ATTR_PWD_CAN_CHANGE), 672 ctx); 673 if (temp) { 674 pass_can_change_time = (time_t) atol(temp); 675 pdb_set_pass_can_change_time(sampass, 676 pass_can_change_time, PDB_SET); 677 } 678 679 temp = smbldap_talloc_single_attribute( 680 ldap_state->smbldap_state->ldap_struct, 681 entry, 682 get_userattr_key2string(ldap_state->schema_ver, 683 LDAP_ATTR_PWD_MUST_CHANGE), 684 ctx); 685 if (temp) { 686 pass_must_change_time = (time_t) atol(temp); 687 pdb_set_pass_must_change_time(sampass, 688 pass_must_change_time, PDB_SET); 689 } 690 691 /* recommend that 'gecos' and 'displayName' should refer to the same 692 * attribute OID. userFullName depreciated, only used by Samba 693 * primary rules of LDAP: don't make a new attribute when one is already defined 694 * that fits your needs; using cn then displayName rather than 'userFullName' 695 */ 696 697 fullname = smbldap_talloc_single_attribute( 698 ldap_state->smbldap_state->ldap_struct, 699 entry, 700 get_userattr_key2string(ldap_state->schema_ver, 701 LDAP_ATTR_DISPLAY_NAME), 702 ctx); 703 if (fullname) { 704 pdb_set_fullname(sampass, fullname, PDB_SET); 705 } else { 706 fullname = smbldap_talloc_single_attribute( 707 ldap_state->smbldap_state->ldap_struct, 708 entry, 709 get_userattr_key2string(ldap_state->schema_ver, 710 LDAP_ATTR_CN), 711 ctx); 712 if (fullname) { 713 pdb_set_fullname(sampass, fullname, PDB_SET); 714 } 715 } 716 717 dir_drive = smbldap_talloc_single_attribute( 718 ldap_state->smbldap_state->ldap_struct, 719 entry, 720 get_userattr_key2string(ldap_state->schema_ver, 721 LDAP_ATTR_HOME_DRIVE), 722 ctx); 723 if (dir_drive) { 724 pdb_set_dir_drive(sampass, dir_drive, PDB_SET); 725 } else { 726 pdb_set_dir_drive( sampass, lp_logon_drive(), PDB_DEFAULT ); 727 } 728 729 homedir = smbldap_talloc_single_attribute( 730 ldap_state->smbldap_state->ldap_struct, 731 entry, 732 get_userattr_key2string(ldap_state->schema_ver, 733 LDAP_ATTR_HOME_PATH), 734 ctx); 735 if (homedir) { 736 if (expand_explicit) { 737 homedir = talloc_sub_basic(ctx, 738 username, 739 domain, 740 homedir); 741 if (!homedir) { 742 goto fn_exit; 743 } 744 } 745 pdb_set_homedir(sampass, homedir, PDB_SET); 746 } else { 747 pdb_set_homedir(sampass, 748 talloc_sub_basic(ctx, username, domain, 749 lp_logon_home()), 750 PDB_DEFAULT); 751 } 752 753 logon_script = smbldap_talloc_single_attribute( 754 ldap_state->smbldap_state->ldap_struct, 755 entry, 756 get_userattr_key2string(ldap_state->schema_ver, 757 LDAP_ATTR_LOGON_SCRIPT), 758 ctx); 759 if (logon_script) { 760 if (expand_explicit) { 761 logon_script = talloc_sub_basic(ctx, 762 username, 763 domain, 764 logon_script); 765 if (!logon_script) { 766 goto fn_exit; 767 } 768 } 769 pdb_set_logon_script(sampass, logon_script, PDB_SET); 770 } else { 771 pdb_set_logon_script(sampass, 772 talloc_sub_basic(ctx, username, domain, 773 lp_logon_script()), 774 PDB_DEFAULT ); 775 } 776 777 profile_path = smbldap_talloc_single_attribute( 778 ldap_state->smbldap_state->ldap_struct, 779 entry, 780 get_userattr_key2string(ldap_state->schema_ver, 781 LDAP_ATTR_PROFILE_PATH), 782 ctx); 783 if (profile_path) { 784 if (expand_explicit) { 785 profile_path = talloc_sub_basic(ctx, 786 username, 787 domain, 788 profile_path); 789 if (!profile_path) { 790 goto fn_exit; 791 } 792 } 793 pdb_set_profile_path(sampass, profile_path, PDB_SET); 794 } else { 795 pdb_set_profile_path(sampass, 796 talloc_sub_basic(ctx, username, domain, 797 lp_logon_path()), 798 PDB_DEFAULT ); 799 } 800 801 acct_desc = smbldap_talloc_single_attribute( 802 ldap_state->smbldap_state->ldap_struct, 803 entry, 804 get_userattr_key2string(ldap_state->schema_ver, 805 LDAP_ATTR_DESC), 806 ctx); 807 if (acct_desc) { 808 pdb_set_acct_desc(sampass, acct_desc, PDB_SET); 809 } 810 811 workstations = smbldap_talloc_single_attribute( 812 ldap_state->smbldap_state->ldap_struct, 813 entry, 814 get_userattr_key2string(ldap_state->schema_ver, 815 LDAP_ATTR_USER_WKS), 816 ctx); 817 if (workstations) { 818 pdb_set_workstations(sampass, workstations, PDB_SET); 819 } 820 821 munged_dial = smbldap_talloc_single_attribute( 822 ldap_state->smbldap_state->ldap_struct, 823 entry, 824 get_userattr_key2string(ldap_state->schema_ver, 825 LDAP_ATTR_MUNGED_DIAL), 826 ctx); 827 if (munged_dial) { 828 pdb_set_munged_dial(sampass, munged_dial, PDB_SET); 829 } 830 831 /* FIXME: hours stuff should be cleaner */ 832 833 logon_divs = 168; 834 hours_len = 21; 835 memset(hours, 0xff, hours_len); 836 837 if (ldap_state->is_nds_ldap) { 838 char *user_dn; 839 size_t pwd_len; 840 char clear_text_pw[512]; 841 842 /* Make call to Novell eDirectory ldap extension to get clear text password. 843 NOTE: This will only work if we have an SSL connection to eDirectory. */ 844 user_dn = smbldap_talloc_dn(ctx, ldap_state->smbldap_state->ldap_struct, entry); 845 if (user_dn != NULL) { 846 DEBUG(3, ("init_sam_from_ldap: smbldap_talloc_dn(ctx, %s) returned '%s'\n", username, user_dn)); 847 848 pwd_len = sizeof(clear_text_pw); 849 if (pdb_nds_get_password(ldap_state->smbldap_state, user_dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) { 850 nt_lm_owf_gen(clear_text_pw, smbntpwd, smblmpwd); 851 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) { 852 TALLOC_FREE(user_dn); 853 return False; 854 } 855 ZERO_STRUCT(smblmpwd); 856 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) { 857 TALLOC_FREE(user_dn); 858 return False; 859 } 860 ZERO_STRUCT(smbntpwd); 861 use_samba_attrs = False; 862 } 863 864 TALLOC_FREE(user_dn); 865 866 } else { 867 DEBUG(0, ("init_sam_from_ldap: failed to get user_dn for '%s'\n", username)); 868 } 869 } 870 871 if (use_samba_attrs) { 872 temp = smbldap_talloc_single_attribute( 873 ldap_state->smbldap_state->ldap_struct, 874 entry, 875 get_userattr_key2string(ldap_state->schema_ver, 876 LDAP_ATTR_LMPW), 877 ctx); 878 if (temp) { 879 pdb_gethexpwd(temp, smblmpwd); 880 memset((char *)temp, '\0', strlen(temp)+1); 881 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) { 882 goto fn_exit; 883 } 884 ZERO_STRUCT(smblmpwd); 885 } 886 887 temp = smbldap_talloc_single_attribute( 888 ldap_state->smbldap_state->ldap_struct, 889 entry, 890 get_userattr_key2string(ldap_state->schema_ver, 891 LDAP_ATTR_NTPW), 892 ctx); 893 if (temp) { 894 pdb_gethexpwd(temp, smbntpwd); 895 memset((char *)temp, '\0', strlen(temp)+1); 896 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) { 897 goto fn_exit; 898 } 899 ZERO_STRUCT(smbntpwd); 900 } 901 } 902 903 pwHistLen = 0; 904 905 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen); 906 if (pwHistLen > 0){ 907 uint8 *pwhist = NULL; 908 int i; 909 char *history_string = TALLOC_ARRAY(ctx, char, 910 MAX_PW_HISTORY_LEN*64); 911 912 if (!history_string) { 913 goto fn_exit; 914 } 915 916 pwHistLen = MIN(pwHistLen, MAX_PW_HISTORY_LEN); 917 918 if ((pwhist = TALLOC_ARRAY(ctx, uint8, 919 pwHistLen * PW_HISTORY_ENTRY_LEN)) == 920 NULL){ 921 DEBUG(0, ("init_sam_from_ldap: talloc failed!\n")); 922 goto fn_exit; 923 } 924 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN); 925 926 if (smbldap_get_single_attribute( 927 ldap_state->smbldap_state->ldap_struct, 928 entry, 929 get_userattr_key2string(ldap_state->schema_ver, 930 LDAP_ATTR_PWD_HISTORY), 931 history_string, 932 MAX_PW_HISTORY_LEN*64)) { 933 bool hex_failed = false; 934 for (i = 0; i < pwHistLen; i++){ 935 /* Get the 16 byte salt. */ 936 if (!pdb_gethexpwd(&history_string[i*64], 937 &pwhist[i*PW_HISTORY_ENTRY_LEN])) { 938 hex_failed = true; 939 break; 940 } 941 /* Get the 16 byte MD5 hash of salt+passwd. */ 942 if (!pdb_gethexpwd(&history_string[(i*64)+32], 943 &pwhist[(i*PW_HISTORY_ENTRY_LEN)+ 944 PW_HISTORY_SALT_LEN])) { 945 hex_failed = True; 946 break; 947 } 948 } 949 if (hex_failed) { 950 DEBUG(2,("init_sam_from_ldap: Failed to get password history for user %s\n", 951 username)); 952 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN); 953 } 954 } 955 if (!pdb_set_pw_history(sampass, pwhist, pwHistLen, PDB_SET)){ 956 goto fn_exit; 957 } 958 } 959 960 temp = smbldap_talloc_single_attribute( 961 ldap_state->smbldap_state->ldap_struct, 962 entry, 963 get_userattr_key2string(ldap_state->schema_ver, 964 LDAP_ATTR_ACB_INFO), 965 ctx); 966 if (temp) { 967 acct_ctrl = pdb_decode_acct_ctrl(temp); 968 969 if (acct_ctrl == 0) { 970 acct_ctrl |= ACB_NORMAL; 971 } 972 973 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET); 974 } else { 975 acct_ctrl |= ACB_NORMAL; 976 } 977 978 pdb_set_hours_len(sampass, hours_len, PDB_SET); 979 pdb_set_logon_divs(sampass, logon_divs, PDB_SET); 980 981 temp = smbldap_talloc_single_attribute( 982 ldap_state->smbldap_state->ldap_struct, 983 entry, 984 get_userattr_key2string(ldap_state->schema_ver, 985 LDAP_ATTR_BAD_PASSWORD_COUNT), 986 ctx); 987 if (temp) { 988 bad_password_count = (uint32) atol(temp); 989 pdb_set_bad_password_count(sampass, 990 bad_password_count, PDB_SET); 991 } 992 993 temp = smbldap_talloc_single_attribute( 994 ldap_state->smbldap_state->ldap_struct, 995 entry, 996 get_userattr_key2string(ldap_state->schema_ver, 997 LDAP_ATTR_BAD_PASSWORD_TIME), 998 ctx); 999 if (temp) { 1000 bad_password_time = (time_t) atol(temp); 1001 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET); 1002 } 1003 1004 1005 temp = smbldap_talloc_single_attribute( 1006 ldap_state->smbldap_state->ldap_struct, 1007 entry, 1008 get_userattr_key2string(ldap_state->schema_ver, 1009 LDAP_ATTR_LOGON_COUNT), 1010 ctx); 1011 if (temp) { 1012 logon_count = (uint32) atol(temp); 1013 pdb_set_logon_count(sampass, logon_count, PDB_SET); 1014 } 1015 1016 /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */ 1017 1018 temp = smbldap_talloc_single_attribute( 1019 ldap_state->smbldap_state->ldap_struct, 1020 entry, 1021 get_userattr_key2string(ldap_state->schema_ver, 1022 LDAP_ATTR_LOGON_HOURS), 1023 ctx); 1024 if (temp) { 1025 pdb_gethexhours(temp, hours); 1026 memset((char *)temp, '\0', strlen(temp) +1); 1027 pdb_set_hours(sampass, hours, PDB_SET); 1028 ZERO_STRUCT(hours); 1029 } 1030 1031 if (lp_parm_bool(-1, "ldapsam", "trusted", False)) { 1032 struct passwd unix_pw; 1033 bool have_uid = false; 1034 bool have_gid = false; 1035 DOM_SID mapped_gsid; 1036 const DOM_SID *primary_gsid; 1037 1038 ZERO_STRUCT(unix_pw); 1039 1040 unix_pw.pw_name = username; 1041 unix_pw.pw_passwd = discard_const_p(char, "x"); 1042 1043 temp = smbldap_talloc_single_attribute( 1044 priv2ld(ldap_state), 1045 entry, 1046 "uidNumber", 1047 ctx); 1048 if (temp) { 1049 /* We've got a uid, feed the cache */ 1050 unix_pw.pw_uid = strtoul(temp, NULL, 10); 1051 have_uid = true; 1052 } 1053 temp = smbldap_talloc_single_attribute( 1054 priv2ld(ldap_state), 1055 entry, 1056 "gidNumber", 1057 ctx); 1058 if (temp) { 1059 /* We've got a uid, feed the cache */ 1060 unix_pw.pw_gid = strtoul(temp, NULL, 10); 1061 have_gid = true; 1062 } 1063 unix_pw.pw_gecos = smbldap_talloc_single_attribute( 1064 priv2ld(ldap_state), 1065 entry, 1066 "gecos", 1067 ctx); 1068 if (unix_pw.pw_gecos) { 1069 unix_pw.pw_gecos = fullname; 1070 } 1071 unix_pw.pw_dir = smbldap_talloc_single_attribute( 1072 priv2ld(ldap_state), 1073 entry, 1074 "homeDirectory", 1075 ctx); 1076 if (unix_pw.pw_dir) { 1077 unix_pw.pw_dir = discard_const_p(char, ""); 1078 } 1079 unix_pw.pw_shell = smbldap_talloc_single_attribute( 1080 priv2ld(ldap_state), 1081 entry, 1082 "loginShell", 1083 ctx); 1084 if (unix_pw.pw_shell) { 1085 unix_pw.pw_shell = discard_const_p(char, ""); 1086 } 1087 1088 if (have_uid && have_gid) { 1089 sampass->unix_pw = tcopy_passwd(sampass, &unix_pw); 1090 } else { 1091 sampass->unix_pw = Get_Pwnam_alloc(sampass, unix_pw.pw_name); 1092 } 1093 1094 if (sampass->unix_pw == NULL) { 1095 DEBUG(0,("init_sam_from_ldap: Failed to find Unix account for %s\n", 1096 pdb_get_username(sampass))); 1097 goto fn_exit; 1098 } 1099 1100 store_uid_sid_cache(pdb_get_user_sid(sampass), 1101 sampass->unix_pw->pw_uid); 1102 idmap_cache_set_sid2uid(pdb_get_user_sid(sampass), 1103 sampass->unix_pw->pw_uid); 1104 1105 gid_to_sid(&mapped_gsid, sampass->unix_pw->pw_gid); 1106 primary_gsid = pdb_get_group_sid(sampass); 1107 if (primary_gsid && sid_equal(primary_gsid, &mapped_gsid)) { 1108 store_gid_sid_cache(primary_gsid, 1109 sampass->unix_pw->pw_gid); 1110 idmap_cache_set_sid2gid(primary_gsid, 1111 sampass->unix_pw->pw_gid); 1112 } 1113 } 1114 1115 /* check the timestamp of the cache vs ldap entry */ 1116 if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state, 1117 entry))) { 1118 ret = true; 1119 goto fn_exit; 1120 } 1121 1122 /* see if we have newer updates */ 1123 if (!(cache_entry = login_cache_read(sampass))) { 1124 DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n", 1125 (unsigned int)pdb_get_bad_password_count(sampass), 1126 (unsigned int)pdb_get_bad_password_time(sampass))); 1127 ret = true; 1128 goto fn_exit; 1129 } 1130 1131 DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n", 1132 (unsigned int)ldap_entry_time, 1133 (unsigned int)cache_entry->entry_timestamp, 1134 (unsigned int)cache_entry->bad_password_time)); 1135 1136 if (ldap_entry_time > cache_entry->entry_timestamp) { 1137 /* cache is older than directory , so 1138 we need to delete the entry but allow the 1139 fields to be written out */ 1140 login_cache_delentry(sampass); 1141 } else { 1142 /* read cache in */ 1143 pdb_set_acct_ctrl(sampass, 1144 pdb_get_acct_ctrl(sampass) | 1145 (cache_entry->acct_ctrl & ACB_AUTOLOCK), 1146 PDB_SET); 1147 pdb_set_bad_password_count(sampass, 1148 cache_entry->bad_password_count, 1149 PDB_SET); 1150 pdb_set_bad_password_time(sampass, 1151 cache_entry->bad_password_time, 1152 PDB_SET); 1153 } 1154 1155 ret = true; 1156 1157 fn_exit: 1158 1159 TALLOC_FREE(ctx); 1160 SAFE_FREE(cache_entry); 1161 return ret; 1162} 1163 1164/********************************************************************** 1165 Initialize the ldap db from a struct samu. Called on update. 1166 (Based on init_buffer_from_sam in pdb_tdb.c) 1167*********************************************************************/ 1168 1169static bool init_ldap_from_sam (struct ldapsam_privates *ldap_state, 1170 LDAPMessage *existing, 1171 LDAPMod *** mods, struct samu * sampass, 1172 bool (*need_update)(const struct samu *, 1173 enum pdb_elements)) 1174{ 1175 char *temp = NULL; 1176 uint32 rid; 1177 1178 if (mods == NULL || sampass == NULL) { 1179 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n")); 1180 return False; 1181 } 1182 1183 *mods = NULL; 1184 1185 /* 1186 * took out adding "objectclass: sambaAccount" 1187 * do this on a per-mod basis 1188 */ 1189 if (need_update(sampass, PDB_USERNAME)) { 1190 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1191 "uid", pdb_get_username(sampass)); 1192 if (ldap_state->is_nds_ldap) { 1193 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1194 "cn", pdb_get_username(sampass)); 1195 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1196 "sn", pdb_get_username(sampass)); 1197 } 1198 } 1199 1200 DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass))); 1201 1202 /* only update the RID if we actually need to */ 1203 if (need_update(sampass, PDB_USERSID)) { 1204 fstring sid_string; 1205 const DOM_SID *user_sid = pdb_get_user_sid(sampass); 1206 1207 switch ( ldap_state->schema_ver ) { 1208 case SCHEMAVER_SAMBAACCOUNT: 1209 if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) { 1210 DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", 1211 sid_string_dbg(user_sid), 1212 sid_string_dbg( 1213 &ldap_state->domain_sid))); 1214 return False; 1215 } 1216 if (asprintf(&temp, "%i", rid) < 0) { 1217 return false; 1218 } 1219 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1220 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), 1221 temp); 1222 SAFE_FREE(temp); 1223 break; 1224 1225 case SCHEMAVER_SAMBASAMACCOUNT: 1226 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1227 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), 1228 sid_to_fstring(sid_string, user_sid)); 1229 break; 1230 1231 default: 1232 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n")); 1233 break; 1234 } 1235 } 1236 1237 /* we don't need to store the primary group RID - so leaving it 1238 'free' to hang off the unix primary group makes life easier */ 1239 1240 if (need_update(sampass, PDB_GROUPSID)) { 1241 fstring sid_string; 1242 const DOM_SID *group_sid = pdb_get_group_sid(sampass); 1243 1244 switch ( ldap_state->schema_ver ) { 1245 case SCHEMAVER_SAMBAACCOUNT: 1246 if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) { 1247 DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n", 1248 sid_string_dbg(group_sid), 1249 sid_string_dbg( 1250 &ldap_state->domain_sid))); 1251 return False; 1252 } 1253 1254 if (asprintf(&temp, "%i", rid) < 0) { 1255 return false; 1256 } 1257 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1258 get_userattr_key2string(ldap_state->schema_ver, 1259 LDAP_ATTR_PRIMARY_GROUP_RID), temp); 1260 SAFE_FREE(temp); 1261 break; 1262 1263 case SCHEMAVER_SAMBASAMACCOUNT: 1264 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1265 get_userattr_key2string(ldap_state->schema_ver, 1266 LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_fstring(sid_string, group_sid)); 1267 break; 1268 1269 default: 1270 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n")); 1271 break; 1272 } 1273 1274 } 1275 1276 /* displayName, cn, and gecos should all be the same 1277 * most easily accomplished by giving them the same OID 1278 * gecos isn't set here b/c it should be handled by the 1279 * add-user script 1280 * We change displayName only and fall back to cn if 1281 * it does not exist. 1282 */ 1283 1284 if (need_update(sampass, PDB_FULLNAME)) 1285 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1286 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), 1287 pdb_get_fullname(sampass)); 1288 1289 if (need_update(sampass, PDB_ACCTDESC)) 1290 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1291 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), 1292 pdb_get_acct_desc(sampass)); 1293 1294 if (need_update(sampass, PDB_WORKSTATIONS)) 1295 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1296 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), 1297 pdb_get_workstations(sampass)); 1298 1299 if (need_update(sampass, PDB_MUNGEDDIAL)) 1300 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1301 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), 1302 pdb_get_munged_dial(sampass)); 1303 1304 if (need_update(sampass, PDB_SMBHOME)) 1305 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1306 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), 1307 pdb_get_homedir(sampass)); 1308 1309 if (need_update(sampass, PDB_DRIVE)) 1310 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1311 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), 1312 pdb_get_dir_drive(sampass)); 1313 1314 if (need_update(sampass, PDB_LOGONSCRIPT)) 1315 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1316 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), 1317 pdb_get_logon_script(sampass)); 1318 1319 if (need_update(sampass, PDB_PROFILE)) 1320 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1321 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), 1322 pdb_get_profile_path(sampass)); 1323 1324 if (asprintf(&temp, "%li", (long int)pdb_get_logon_time(sampass)) < 0) { 1325 return false; 1326 } 1327 if (need_update(sampass, PDB_LOGONTIME)) 1328 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1329 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp); 1330 SAFE_FREE(temp); 1331 1332 if (asprintf(&temp, "%li", (long int)pdb_get_logoff_time(sampass)) < 0) { 1333 return false; 1334 } 1335 if (need_update(sampass, PDB_LOGOFFTIME)) 1336 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1337 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp); 1338 SAFE_FREE(temp); 1339 1340 if (asprintf(&temp, "%li", (long int)pdb_get_kickoff_time(sampass)) < 0) { 1341 return false; 1342 } 1343 if (need_update(sampass, PDB_KICKOFFTIME)) 1344 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1345 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp); 1346 SAFE_FREE(temp); 1347 1348 if (asprintf(&temp, "%li", (long int)pdb_get_pass_can_change_time_noncalc(sampass)) < 0) { 1349 return false; 1350 } 1351 if (need_update(sampass, PDB_CANCHANGETIME)) 1352 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1353 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp); 1354 SAFE_FREE(temp); 1355 1356 if (asprintf(&temp, "%li", (long int)pdb_get_pass_must_change_time(sampass)) < 0) { 1357 return false; 1358 } 1359 if (need_update(sampass, PDB_MUSTCHANGETIME)) 1360 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1361 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp); 1362 SAFE_FREE(temp); 1363 1364 if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) 1365 || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) { 1366 1367 if (need_update(sampass, PDB_LMPASSWD)) { 1368 const uchar *lm_pw = pdb_get_lanman_passwd(sampass); 1369 if (lm_pw) { 1370 char pwstr[34]; 1371 pdb_sethexpwd(pwstr, lm_pw, 1372 pdb_get_acct_ctrl(sampass)); 1373 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1374 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), 1375 pwstr); 1376 } else { 1377 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1378 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), 1379 NULL); 1380 } 1381 } 1382 if (need_update(sampass, PDB_NTPASSWD)) { 1383 const uchar *nt_pw = pdb_get_nt_passwd(sampass); 1384 if (nt_pw) { 1385 char pwstr[34]; 1386 pdb_sethexpwd(pwstr, nt_pw, 1387 pdb_get_acct_ctrl(sampass)); 1388 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1389 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), 1390 pwstr); 1391 } else { 1392 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1393 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), 1394 NULL); 1395 } 1396 } 1397 1398 if (need_update(sampass, PDB_PWHISTORY)) { 1399 char *pwstr = NULL; 1400 uint32 pwHistLen = 0; 1401 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen); 1402 1403 pwstr = SMB_MALLOC_ARRAY(char, 1024); 1404 if (!pwstr) { 1405 return false; 1406 } 1407 if (pwHistLen == 0) { 1408 /* Remove any password history from the LDAP store. */ 1409 memset(pwstr, '0', 64); /* NOTE !!!! '0' *NOT '\0' */ 1410 pwstr[64] = '\0'; 1411 } else { 1412 int i; 1413 uint32 currHistLen = 0; 1414 const uint8 *pwhist = pdb_get_pw_history(sampass, &currHistLen); 1415 if (pwhist != NULL) { 1416 /* We can only store (1024-1/64 password history entries. */ 1417 pwHistLen = MIN(pwHistLen, ((1024-1)/64)); 1418 for (i=0; i< pwHistLen && i < currHistLen; i++) { 1419 /* Store the salt. */ 1420 pdb_sethexpwd(&pwstr[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN], 0); 1421 /* Followed by the md5 hash of salt + md4 hash */ 1422 pdb_sethexpwd(&pwstr[(i*64)+32], 1423 &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN], 0); 1424 DEBUG(100, ("pwstr=%s\n", pwstr)); 1425 } 1426 } 1427 } 1428 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1429 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY), 1430 pwstr); 1431 SAFE_FREE(pwstr); 1432 } 1433 1434 if (need_update(sampass, PDB_PASSLASTSET)) { 1435 if (asprintf(&temp, "%li", 1436 (long int)pdb_get_pass_last_set_time(sampass)) < 0) { 1437 return false; 1438 } 1439 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1440 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), 1441 temp); 1442 SAFE_FREE(temp); 1443 } 1444 } 1445 1446 if (need_update(sampass, PDB_HOURS)) { 1447 const uint8 *hours = pdb_get_hours(sampass); 1448 if (hours) { 1449 char hourstr[44]; 1450 pdb_sethexhours(hourstr, hours); 1451 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, 1452 existing, 1453 mods, 1454 get_userattr_key2string(ldap_state->schema_ver, 1455 LDAP_ATTR_LOGON_HOURS), 1456 hourstr); 1457 } 1458 } 1459 1460 if (need_update(sampass, PDB_ACCTCTRL)) 1461 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 1462 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), 1463 pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN)); 1464 1465 /* password lockout cache: 1466 - If we are now autolocking or clearing, we write to ldap 1467 - If we are clearing, we delete the cache entry 1468 - If the count is > 0, we update the cache 1469 1470 This even means when autolocking, we cache, just in case the 1471 update doesn't work, and we have to cache the autolock flag */ 1472 1473 if (need_update(sampass, PDB_BAD_PASSWORD_COUNT)) /* && 1474 need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ { 1475 uint16 badcount = pdb_get_bad_password_count(sampass); 1476 time_t badtime = pdb_get_bad_password_time(sampass); 1477 uint32 pol; 1478 pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &pol); 1479 1480 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n", 1481 (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime)); 1482 1483 if ((badcount >= pol) || (badcount == 0)) { 1484 DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n", 1485 (unsigned int)badcount, (unsigned int)badtime)); 1486 if (asprintf(&temp, "%li", (long)badcount) < 0) { 1487 return false; 1488 } 1489 smbldap_make_mod( 1490 ldap_state->smbldap_state->ldap_struct, 1491 existing, mods, 1492 get_userattr_key2string( 1493 ldap_state->schema_ver, 1494 LDAP_ATTR_BAD_PASSWORD_COUNT), 1495 temp); 1496 SAFE_FREE(temp); 1497 1498 if (asprintf(&temp, "%li", (long int)badtime) < 0) { 1499 return false; 1500 } 1501 smbldap_make_mod( 1502 ldap_state->smbldap_state->ldap_struct, 1503 existing, mods, 1504 get_userattr_key2string( 1505 ldap_state->schema_ver, 1506 LDAP_ATTR_BAD_PASSWORD_TIME), 1507 temp); 1508 SAFE_FREE(temp); 1509 } 1510 if (badcount == 0) { 1511 DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass))); 1512 login_cache_delentry(sampass); 1513 } else { 1514 LOGIN_CACHE cache_entry; 1515 1516 cache_entry.entry_timestamp = time(NULL); 1517 cache_entry.acct_ctrl = pdb_get_acct_ctrl(sampass); 1518 cache_entry.bad_password_count = badcount; 1519 cache_entry.bad_password_time = badtime; 1520 1521 DEBUG(7, ("Updating bad password count and time in login cache\n")); 1522 login_cache_write(sampass, cache_entry); 1523 } 1524 } 1525 1526 return True; 1527} 1528 1529/********************************************************************** 1530 End enumeration of the LDAP password list. 1531*********************************************************************/ 1532 1533static void ldapsam_endsampwent(struct pdb_methods *my_methods) 1534{ 1535 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 1536 if (ldap_state->result) { 1537 ldap_msgfree(ldap_state->result); 1538 ldap_state->result = NULL; 1539 } 1540} 1541 1542static void append_attr(TALLOC_CTX *mem_ctx, const char ***attr_list, 1543 const char *new_attr) 1544{ 1545 int i; 1546 1547 if (new_attr == NULL) { 1548 return; 1549 } 1550 1551 for (i=0; (*attr_list)[i] != NULL; i++) { 1552 ; 1553 } 1554 1555 (*attr_list) = TALLOC_REALLOC_ARRAY(mem_ctx, (*attr_list), 1556 const char *, i+2); 1557 SMB_ASSERT((*attr_list) != NULL); 1558 (*attr_list)[i] = talloc_strdup((*attr_list), new_attr); 1559 (*attr_list)[i+1] = NULL; 1560} 1561 1562static void ldapsam_add_unix_attributes(TALLOC_CTX *mem_ctx, 1563 const char ***attr_list) 1564{ 1565 append_attr(mem_ctx, attr_list, "uidNumber"); 1566 append_attr(mem_ctx, attr_list, "gidNumber"); 1567 append_attr(mem_ctx, attr_list, "homeDirectory"); 1568 append_attr(mem_ctx, attr_list, "loginShell"); 1569 append_attr(mem_ctx, attr_list, "gecos"); 1570} 1571 1572/********************************************************************** 1573Get struct samu entry from LDAP by username. 1574*********************************************************************/ 1575 1576static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, struct samu *user, const char *sname) 1577{ 1578 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; 1579 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 1580 LDAPMessage *result = NULL; 1581 LDAPMessage *entry = NULL; 1582 int count; 1583 const char ** attr_list; 1584 int rc; 1585 1586 attr_list = get_userattr_list( user, ldap_state->schema_ver ); 1587 append_attr(user, &attr_list, 1588 get_userattr_key2string(ldap_state->schema_ver, 1589 LDAP_ATTR_MOD_TIMESTAMP)); 1590 ldapsam_add_unix_attributes(user, &attr_list); 1591 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, 1592 attr_list); 1593 TALLOC_FREE( attr_list ); 1594 1595 if ( rc != LDAP_SUCCESS ) 1596 return NT_STATUS_NO_SUCH_USER; 1597 1598 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result); 1599 1600 if (count < 1) { 1601 DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count)); 1602 ldap_msgfree(result); 1603 return NT_STATUS_NO_SUCH_USER; 1604 } else if (count > 1) { 1605 DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count)); 1606 ldap_msgfree(result); 1607 return NT_STATUS_NO_SUCH_USER; 1608 } 1609 1610 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result); 1611 if (entry) { 1612 if (!init_sam_from_ldap(ldap_state, user, entry)) { 1613 DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname)); 1614 ldap_msgfree(result); 1615 return NT_STATUS_NO_SUCH_USER; 1616 } 1617 pdb_set_backend_private_data(user, result, NULL, 1618 my_methods, PDB_CHANGED); 1619 talloc_autofree_ldapmsg(user, result); 1620 ret = NT_STATUS_OK; 1621 } else { 1622 ldap_msgfree(result); 1623 } 1624 return ret; 1625} 1626 1627static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state, 1628 const DOM_SID *sid, LDAPMessage **result) 1629{ 1630 int rc = -1; 1631 const char ** attr_list; 1632 uint32 rid; 1633 1634 switch ( ldap_state->schema_ver ) { 1635 case SCHEMAVER_SAMBASAMACCOUNT: { 1636 TALLOC_CTX *tmp_ctx = talloc_new(NULL); 1637 if (tmp_ctx == NULL) { 1638 return LDAP_NO_MEMORY; 1639 } 1640 1641 attr_list = get_userattr_list(tmp_ctx, 1642 ldap_state->schema_ver); 1643 append_attr(tmp_ctx, &attr_list, 1644 get_userattr_key2string( 1645 ldap_state->schema_ver, 1646 LDAP_ATTR_MOD_TIMESTAMP)); 1647 ldapsam_add_unix_attributes(tmp_ctx, &attr_list); 1648 rc = ldapsam_search_suffix_by_sid(ldap_state, sid, 1649 result, attr_list); 1650 TALLOC_FREE(tmp_ctx); 1651 1652 if ( rc != LDAP_SUCCESS ) 1653 return rc; 1654 break; 1655 } 1656 1657 case SCHEMAVER_SAMBAACCOUNT: 1658 if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) { 1659 return rc; 1660 } 1661 1662 attr_list = get_userattr_list(NULL, 1663 ldap_state->schema_ver); 1664 rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list ); 1665 TALLOC_FREE( attr_list ); 1666 1667 if ( rc != LDAP_SUCCESS ) 1668 return rc; 1669 break; 1670 } 1671 return rc; 1672} 1673 1674/********************************************************************** 1675 Get struct samu entry from LDAP by SID. 1676*********************************************************************/ 1677 1678static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const DOM_SID *sid) 1679{ 1680 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 1681 LDAPMessage *result = NULL; 1682 LDAPMessage *entry = NULL; 1683 int count; 1684 int rc; 1685 1686 rc = ldapsam_get_ldap_user_by_sid(ldap_state, 1687 sid, &result); 1688 if (rc != LDAP_SUCCESS) 1689 return NT_STATUS_NO_SUCH_USER; 1690 1691 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result); 1692 1693 if (count < 1) { 1694 DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] " 1695 "count=%d\n", sid_string_dbg(sid), count)); 1696 ldap_msgfree(result); 1697 return NT_STATUS_NO_SUCH_USER; 1698 } else if (count > 1) { 1699 DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID " 1700 "[%s]. Failing. count=%d\n", sid_string_dbg(sid), 1701 count)); 1702 ldap_msgfree(result); 1703 return NT_STATUS_NO_SUCH_USER; 1704 } 1705 1706 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result); 1707 if (!entry) { 1708 ldap_msgfree(result); 1709 return NT_STATUS_NO_SUCH_USER; 1710 } 1711 1712 if (!init_sam_from_ldap(ldap_state, user, entry)) { 1713 DEBUG(1,("ldapsam_getsampwsid: init_sam_from_ldap failed!\n")); 1714 ldap_msgfree(result); 1715 return NT_STATUS_NO_SUCH_USER; 1716 } 1717 1718 pdb_set_backend_private_data(user, result, NULL, 1719 my_methods, PDB_CHANGED); 1720 talloc_autofree_ldapmsg(user, result); 1721 return NT_STATUS_OK; 1722} 1723 1724/******************************************************************** 1725 Do the actual modification - also change a plaintext passord if 1726 it it set. 1727**********************************************************************/ 1728 1729static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, 1730 struct samu *newpwd, char *dn, 1731 LDAPMod **mods, int ldap_op, 1732 bool (*need_update)(const struct samu *, enum pdb_elements)) 1733{ 1734 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 1735 int rc; 1736 1737 if (!newpwd || !dn) { 1738 return NT_STATUS_INVALID_PARAMETER; 1739 } 1740 1741 if (!mods) { 1742 DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n")); 1743 /* may be password change below however */ 1744 } else { 1745 switch(ldap_op) { 1746 case LDAP_MOD_ADD: 1747 if (ldap_state->is_nds_ldap) { 1748 smbldap_set_mod(&mods, LDAP_MOD_ADD, 1749 "objectclass", 1750 "inetOrgPerson"); 1751 } else { 1752 smbldap_set_mod(&mods, LDAP_MOD_ADD, 1753 "objectclass", 1754 LDAP_OBJ_ACCOUNT); 1755 } 1756 rc = smbldap_add(ldap_state->smbldap_state, 1757 dn, mods); 1758 break; 1759 case LDAP_MOD_REPLACE: 1760 rc = smbldap_modify(ldap_state->smbldap_state, 1761 dn ,mods); 1762 break; 1763 default: 1764 DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n", 1765 ldap_op)); 1766 return NT_STATUS_INVALID_PARAMETER; 1767 } 1768 1769 if (rc!=LDAP_SUCCESS) { 1770 return NT_STATUS_UNSUCCESSFUL; 1771 } 1772 } 1773 1774 if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) && 1775 (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) && 1776 need_update(newpwd, PDB_PLAINTEXT_PW) && 1777 (pdb_get_plaintext_passwd(newpwd)!=NULL)) { 1778 BerElement *ber; 1779 struct berval *bv; 1780 char *retoid = NULL; 1781 struct berval *retdata = NULL; 1782 char *utf8_password; 1783 char *utf8_dn; 1784 size_t converted_size; 1785 int ret; 1786 1787 if (!ldap_state->is_nds_ldap) { 1788 1789 if (!smbldap_has_extension(ldap_state->smbldap_state->ldap_struct, 1790 LDAP_EXOP_MODIFY_PASSWD)) { 1791 DEBUG(2, ("ldap password change requested, but LDAP " 1792 "server does not support it -- ignoring\n")); 1793 return NT_STATUS_OK; 1794 } 1795 } 1796 1797 if (!push_utf8_talloc(talloc_tos(), &utf8_password, 1798 pdb_get_plaintext_passwd(newpwd), 1799 &converted_size)) 1800 { 1801 return NT_STATUS_NO_MEMORY; 1802 } 1803 1804 if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) { 1805 TALLOC_FREE(utf8_password); 1806 return NT_STATUS_NO_MEMORY; 1807 } 1808 1809 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) { 1810 DEBUG(0,("ber_alloc_t returns NULL\n")); 1811 TALLOC_FREE(utf8_password); 1812 TALLOC_FREE(utf8_dn); 1813 return NT_STATUS_UNSUCCESSFUL; 1814 } 1815 1816 if ((ber_printf (ber, "{") < 0) || 1817 (ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, 1818 utf8_dn) < 0)) { 1819 DEBUG(0,("ldapsam_modify_entry: ber_printf returns a " 1820 "value <0\n")); 1821 ber_free(ber,1); 1822 TALLOC_FREE(utf8_dn); 1823 TALLOC_FREE(utf8_password); 1824 return NT_STATUS_UNSUCCESSFUL; 1825 } 1826 1827 if ((utf8_password != NULL) && (*utf8_password != '\0')) { 1828 ret = ber_printf(ber, "ts}", 1829 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, 1830 utf8_password); 1831 } else { 1832 ret = ber_printf(ber, "}"); 1833 } 1834 1835 if (ret < 0) { 1836 DEBUG(0,("ldapsam_modify_entry: ber_printf returns a " 1837 "value <0\n")); 1838 ber_free(ber,1); 1839 TALLOC_FREE(utf8_dn); 1840 TALLOC_FREE(utf8_password); 1841 return NT_STATUS_UNSUCCESSFUL; 1842 } 1843 1844 if ((rc = ber_flatten (ber, &bv))<0) { 1845 DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n")); 1846 ber_free(ber,1); 1847 TALLOC_FREE(utf8_dn); 1848 TALLOC_FREE(utf8_password); 1849 return NT_STATUS_UNSUCCESSFUL; 1850 } 1851 1852 TALLOC_FREE(utf8_dn); 1853 TALLOC_FREE(utf8_password); 1854 ber_free(ber, 1); 1855 1856 if (!ldap_state->is_nds_ldap) { 1857 rc = smbldap_extended_operation(ldap_state->smbldap_state, 1858 LDAP_EXOP_MODIFY_PASSWD, 1859 bv, NULL, NULL, &retoid, 1860 &retdata); 1861 } else { 1862 rc = pdb_nds_set_password(ldap_state->smbldap_state, dn, 1863 pdb_get_plaintext_passwd(newpwd)); 1864 } 1865 if (rc != LDAP_SUCCESS) { 1866 char *ld_error = NULL; 1867 1868 if (rc == LDAP_OBJECT_CLASS_VIOLATION) { 1869 DEBUG(3, ("Could not set userPassword " 1870 "attribute due to an objectClass " 1871 "violation -- ignoring\n")); 1872 ber_bvfree(bv); 1873 return NT_STATUS_OK; 1874 } 1875 1876 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, 1877 &ld_error); 1878 DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n", 1879 pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown")); 1880 SAFE_FREE(ld_error); 1881 ber_bvfree(bv); 1882#if defined(LDAP_CONSTRAINT_VIOLATION) 1883 if (rc == LDAP_CONSTRAINT_VIOLATION) 1884 return NT_STATUS_PASSWORD_RESTRICTION; 1885#endif 1886 return NT_STATUS_UNSUCCESSFUL; 1887 } else { 1888 DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd))); 1889#ifdef DEBUG_PASSWORD 1890 DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd))); 1891#endif 1892 if (retdata) 1893 ber_bvfree(retdata); 1894 if (retoid) 1895 ldap_memfree(retoid); 1896 } 1897 ber_bvfree(bv); 1898 } 1899 return NT_STATUS_OK; 1900} 1901 1902/********************************************************************** 1903 Delete entry from LDAP for username. 1904*********************************************************************/ 1905 1906static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, 1907 struct samu * sam_acct) 1908{ 1909 struct ldapsam_privates *priv = 1910 (struct ldapsam_privates *)my_methods->private_data; 1911 const char *sname; 1912 int rc; 1913 LDAPMessage *msg, *entry; 1914 NTSTATUS result = NT_STATUS_NO_MEMORY; 1915 const char **attr_list; 1916 TALLOC_CTX *mem_ctx; 1917 1918 if (!sam_acct) { 1919 DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n")); 1920 return NT_STATUS_INVALID_PARAMETER; 1921 } 1922 1923 sname = pdb_get_username(sam_acct); 1924 1925 DEBUG(3, ("ldapsam_delete_sam_account: Deleting user %s from " 1926 "LDAP.\n", sname)); 1927 1928 mem_ctx = talloc_new(NULL); 1929 if (mem_ctx == NULL) { 1930 DEBUG(0, ("talloc_new failed\n")); 1931 goto done; 1932 } 1933 1934 attr_list = get_userattr_delete_list(mem_ctx, priv->schema_ver ); 1935 if (attr_list == NULL) { 1936 goto done; 1937 } 1938 1939 rc = ldapsam_search_suffix_by_name(priv, sname, &msg, attr_list); 1940 1941 if ((rc != LDAP_SUCCESS) || 1942 (ldap_count_entries(priv2ld(priv), msg) != 1) || 1943 ((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) { 1944 DEBUG(5, ("Could not find user %s\n", sname)); 1945 result = NT_STATUS_NO_SUCH_USER; 1946 goto done; 1947 } 1948 1949 rc = ldapsam_delete_entry( 1950 priv, mem_ctx, entry, 1951 priv->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ? 1952 LDAP_OBJ_SAMBASAMACCOUNT : LDAP_OBJ_SAMBAACCOUNT, 1953 attr_list); 1954 1955 result = (rc == LDAP_SUCCESS) ? 1956 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; 1957 1958 done: 1959 TALLOC_FREE(mem_ctx); 1960 return result; 1961} 1962 1963/********************************************************************** 1964 Helper function to determine for update_sam_account whether 1965 we need LDAP modification. 1966*********************************************************************/ 1967 1968static bool element_is_changed(const struct samu *sampass, 1969 enum pdb_elements element) 1970{ 1971 return IS_SAM_CHANGED(sampass, element); 1972} 1973 1974/********************************************************************** 1975 Update struct samu. 1976*********************************************************************/ 1977 1978static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, struct samu * newpwd) 1979{ 1980 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; 1981 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 1982 int rc = 0; 1983 char *dn; 1984 LDAPMessage *result = NULL; 1985 LDAPMessage *entry = NULL; 1986 LDAPMod **mods = NULL; 1987 const char **attr_list; 1988 1989 result = (LDAPMessage *)pdb_get_backend_private_data(newpwd, my_methods); 1990 if (!result) { 1991 attr_list = get_userattr_list(NULL, ldap_state->schema_ver); 1992 if (pdb_get_username(newpwd) == NULL) { 1993 return NT_STATUS_INVALID_PARAMETER; 1994 } 1995 rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list ); 1996 TALLOC_FREE( attr_list ); 1997 if (rc != LDAP_SUCCESS) { 1998 return NT_STATUS_UNSUCCESSFUL; 1999 } 2000 pdb_set_backend_private_data(newpwd, result, NULL, 2001 my_methods, PDB_CHANGED); 2002 talloc_autofree_ldapmsg(newpwd, result); 2003 } 2004 2005 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) { 2006 DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n")); 2007 return NT_STATUS_UNSUCCESSFUL; 2008 } 2009 2010 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result); 2011 dn = smbldap_talloc_dn(talloc_tos(), ldap_state->smbldap_state->ldap_struct, entry); 2012 if (!dn) { 2013 return NT_STATUS_UNSUCCESSFUL; 2014 } 2015 2016 DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn)); 2017 2018 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd, 2019 element_is_changed)) { 2020 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n")); 2021 TALLOC_FREE(dn); 2022 if (mods != NULL) 2023 ldap_mods_free(mods,True); 2024 return NT_STATUS_UNSUCCESSFUL; 2025 } 2026 2027 if ((lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_ONLY) 2028 && (mods == NULL)) { 2029 DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n", 2030 pdb_get_username(newpwd))); 2031 TALLOC_FREE(dn); 2032 return NT_STATUS_OK; 2033 } 2034 2035 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed); 2036 2037 if (mods != NULL) { 2038 ldap_mods_free(mods,True); 2039 } 2040 2041 TALLOC_FREE(dn); 2042 2043 /* 2044 * We need to set the backend private data to NULL here. For example 2045 * setuserinfo level 25 does a pdb_update_sam_account twice on the 2046 * same one, and with the explicit delete / add logic for attribute 2047 * values the second time we would use the wrong "old" value which 2048 * does not exist in LDAP anymore. Thus the LDAP server would refuse 2049 * the update. 2050 * The existing LDAPMessage is still being auto-freed by the 2051 * destructor. 2052 */ 2053 pdb_set_backend_private_data(newpwd, NULL, NULL, my_methods, 2054 PDB_CHANGED); 2055 2056 if (!NT_STATUS_IS_OK(ret)) { 2057 return ret; 2058 } 2059 2060 DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n", 2061 pdb_get_username(newpwd))); 2062 return NT_STATUS_OK; 2063} 2064 2065/*************************************************************************** 2066 Renames a struct samu 2067 - The "rename user script" has full responsibility for changing everything 2068***************************************************************************/ 2069 2070static NTSTATUS ldapsam_del_groupmem(struct pdb_methods *my_methods, 2071 TALLOC_CTX *tmp_ctx, 2072 uint32 group_rid, 2073 uint32 member_rid); 2074 2075static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods, 2076 TALLOC_CTX *mem_ctx, 2077 struct samu *user, 2078 DOM_SID **pp_sids, 2079 gid_t **pp_gids, 2080 size_t *p_num_groups); 2081 2082static NTSTATUS ldapsam_rename_sam_account(struct pdb_methods *my_methods, 2083 struct samu *old_acct, 2084 const char *newname) 2085{ 2086 const char *oldname; 2087 int rc; 2088 char *rename_script = NULL; 2089 fstring oldname_lower, newname_lower; 2090 2091 if (!old_acct) { 2092 DEBUG(0, ("ldapsam_rename_sam_account: old_acct was NULL!\n")); 2093 return NT_STATUS_INVALID_PARAMETER; 2094 } 2095 if (!newname) { 2096 DEBUG(0, ("ldapsam_rename_sam_account: newname was NULL!\n")); 2097 return NT_STATUS_INVALID_PARAMETER; 2098 } 2099 2100 oldname = pdb_get_username(old_acct); 2101 2102 /* rename the posix user */ 2103 rename_script = SMB_STRDUP(lp_renameuser_script()); 2104 if (rename_script == NULL) { 2105 return NT_STATUS_NO_MEMORY; 2106 } 2107 2108 if (!(*rename_script)) { 2109 SAFE_FREE(rename_script); 2110 return NT_STATUS_ACCESS_DENIED; 2111 } 2112 2113 DEBUG (3, ("ldapsam_rename_sam_account: Renaming user %s to %s.\n", 2114 oldname, newname)); 2115 2116 /* We have to allow the account name to end with a '$'. 2117 Also, follow the semantics in _samr_create_user() and lower case the 2118 posix name but preserve the case in passdb */ 2119 2120 fstrcpy( oldname_lower, oldname ); 2121 strlower_m( oldname_lower ); 2122 fstrcpy( newname_lower, newname ); 2123 strlower_m( newname_lower ); 2124 rename_script = realloc_string_sub2(rename_script, 2125 "%unew", 2126 newname_lower, 2127 true, 2128 true); 2129 if (!rename_script) { 2130 return NT_STATUS_NO_MEMORY; 2131 } 2132 rename_script = realloc_string_sub2(rename_script, 2133 "%uold", 2134 oldname_lower, 2135 true, 2136 true); 2137 rc = smbrun(rename_script, NULL); 2138 2139 DEBUG(rc ? 0 : 3,("Running the command `%s' gave %d\n", 2140 rename_script, rc)); 2141 2142 SAFE_FREE(rename_script); 2143 2144 if (rc == 0) { 2145 smb_nscd_flush_user_cache(); 2146 } 2147 2148 if (rc) 2149 return NT_STATUS_UNSUCCESSFUL; 2150 2151 return NT_STATUS_OK; 2152} 2153 2154/********************************************************************** 2155 Helper function to determine for update_sam_account whether 2156 we need LDAP modification. 2157 *********************************************************************/ 2158 2159static bool element_is_set_or_changed(const struct samu *sampass, 2160 enum pdb_elements element) 2161{ 2162 return (IS_SAM_SET(sampass, element) || 2163 IS_SAM_CHANGED(sampass, element)); 2164} 2165 2166/********************************************************************** 2167 Add struct samu to LDAP. 2168*********************************************************************/ 2169 2170static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, struct samu * newpwd) 2171{ 2172 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; 2173 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 2174 int rc; 2175 LDAPMessage *result = NULL; 2176 LDAPMessage *entry = NULL; 2177 LDAPMod **mods = NULL; 2178 int ldap_op = LDAP_MOD_REPLACE; 2179 uint32 num_result; 2180 const char **attr_list; 2181 char *escape_user = NULL; 2182 const char *username = pdb_get_username(newpwd); 2183 const DOM_SID *sid = pdb_get_user_sid(newpwd); 2184 char *filter = NULL; 2185 char *dn = NULL; 2186 NTSTATUS status = NT_STATUS_UNSUCCESSFUL; 2187 TALLOC_CTX *ctx = talloc_init("ldapsam_add_sam_account"); 2188 2189 if (!ctx) { 2190 return NT_STATUS_NO_MEMORY; 2191 } 2192 2193 if (!username || !*username) { 2194 DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n")); 2195 status = NT_STATUS_INVALID_PARAMETER; 2196 goto fn_exit; 2197 } 2198 2199 /* free this list after the second search or in case we exit on failure */ 2200 attr_list = get_userattr_list(ctx, ldap_state->schema_ver); 2201 2202 rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list); 2203 2204 if (rc != LDAP_SUCCESS) { 2205 goto fn_exit; 2206 } 2207 2208 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) { 2209 DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n", 2210 username)); 2211 goto fn_exit; 2212 } 2213 ldap_msgfree(result); 2214 result = NULL; 2215 2216 if (element_is_set_or_changed(newpwd, PDB_USERSID)) { 2217 rc = ldapsam_get_ldap_user_by_sid(ldap_state, 2218 sid, &result); 2219 if (rc == LDAP_SUCCESS) { 2220 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) { 2221 DEBUG(0,("ldapsam_add_sam_account: SID '%s' " 2222 "already in the base, with samba " 2223 "attributes\n", sid_string_dbg(sid))); 2224 goto fn_exit; 2225 } 2226 ldap_msgfree(result); 2227 result = NULL; 2228 } 2229 } 2230 2231 /* does the entry already exist but without a samba attributes? 2232 we need to return the samba attributes here */ 2233 2234 escape_user = escape_ldap_string(talloc_tos(), username); 2235 filter = talloc_strdup(attr_list, "(uid=%u)"); 2236 if (!filter) { 2237 status = NT_STATUS_NO_MEMORY; 2238 goto fn_exit; 2239 } 2240 filter = talloc_all_string_sub(attr_list, filter, "%u", escape_user); 2241 TALLOC_FREE(escape_user); 2242 if (!filter) { 2243 status = NT_STATUS_NO_MEMORY; 2244 goto fn_exit; 2245 } 2246 2247 rc = smbldap_search_suffix(ldap_state->smbldap_state, 2248 filter, attr_list, &result); 2249 if ( rc != LDAP_SUCCESS ) { 2250 goto fn_exit; 2251 } 2252 2253 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result); 2254 2255 if (num_result > 1) { 2256 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n")); 2257 goto fn_exit; 2258 } 2259 2260 /* Check if we need to update an existing entry */ 2261 if (num_result == 1) { 2262 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n")); 2263 ldap_op = LDAP_MOD_REPLACE; 2264 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result); 2265 dn = smbldap_talloc_dn(ctx, ldap_state->smbldap_state->ldap_struct, entry); 2266 if (!dn) { 2267 status = NT_STATUS_NO_MEMORY; 2268 goto fn_exit; 2269 } 2270 2271 } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) { 2272 2273 /* There might be a SID for this account already - say an idmap entry */ 2274 2275 filter = talloc_asprintf(ctx, 2276 "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))", 2277 get_userattr_key2string(ldap_state->schema_ver, 2278 LDAP_ATTR_USER_SID), 2279 sid_string_talloc(ctx, sid), 2280 LDAP_OBJ_IDMAP_ENTRY, 2281 LDAP_OBJ_SID_ENTRY); 2282 if (!filter) { 2283 status = NT_STATUS_NO_MEMORY; 2284 goto fn_exit; 2285 } 2286 2287 /* free old result before doing a new search */ 2288 if (result != NULL) { 2289 ldap_msgfree(result); 2290 result = NULL; 2291 } 2292 rc = smbldap_search_suffix(ldap_state->smbldap_state, 2293 filter, attr_list, &result); 2294 2295 if ( rc != LDAP_SUCCESS ) { 2296 goto fn_exit; 2297 } 2298 2299 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result); 2300 2301 if (num_result > 1) { 2302 DEBUG (0, ("ldapsam_add_sam_account: More than one user with specified Sid exists: bailing out!\n")); 2303 goto fn_exit; 2304 } 2305 2306 /* Check if we need to update an existing entry */ 2307 if (num_result == 1) { 2308 2309 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n")); 2310 ldap_op = LDAP_MOD_REPLACE; 2311 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result); 2312 dn = smbldap_talloc_dn (ctx, ldap_state->smbldap_state->ldap_struct, entry); 2313 if (!dn) { 2314 status = NT_STATUS_NO_MEMORY; 2315 goto fn_exit; 2316 } 2317 } 2318 } 2319 2320 if (num_result == 0) { 2321 char *escape_username; 2322 /* Check if we need to add an entry */ 2323 DEBUG(3,("ldapsam_add_sam_account: Adding new user\n")); 2324 ldap_op = LDAP_MOD_ADD; 2325 2326 escape_username = escape_rdn_val_string_alloc(username); 2327 if (!escape_username) { 2328 status = NT_STATUS_NO_MEMORY; 2329 goto fn_exit; 2330 } 2331 2332 if (username[strlen(username)-1] == '$') { 2333 dn = talloc_asprintf(ctx, 2334 "uid=%s,%s", 2335 escape_username, 2336 lp_ldap_machine_suffix()); 2337 } else { 2338 dn = talloc_asprintf(ctx, 2339 "uid=%s,%s", 2340 escape_username, 2341 lp_ldap_user_suffix()); 2342 } 2343 2344 SAFE_FREE(escape_username); 2345 if (!dn) { 2346 status = NT_STATUS_NO_MEMORY; 2347 goto fn_exit; 2348 } 2349 } 2350 2351 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd, 2352 element_is_set_or_changed)) { 2353 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n")); 2354 if (mods != NULL) { 2355 ldap_mods_free(mods, true); 2356 } 2357 goto fn_exit; 2358 } 2359 2360 if (mods == NULL) { 2361 DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd))); 2362 goto fn_exit; 2363 } 2364 switch ( ldap_state->schema_ver ) { 2365 case SCHEMAVER_SAMBAACCOUNT: 2366 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT); 2367 break; 2368 case SCHEMAVER_SAMBASAMACCOUNT: 2369 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT); 2370 break; 2371 default: 2372 DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n")); 2373 break; 2374 } 2375 2376 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed); 2377 if (!NT_STATUS_IS_OK(ret)) { 2378 DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n", 2379 pdb_get_username(newpwd),dn)); 2380 ldap_mods_free(mods, true); 2381 goto fn_exit; 2382 } 2383 2384 DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd))); 2385 ldap_mods_free(mods, true); 2386 2387 status = NT_STATUS_OK; 2388 2389 fn_exit: 2390 2391 TALLOC_FREE(ctx); 2392 if (result) { 2393 ldap_msgfree(result); 2394 } 2395 return status; 2396} 2397 2398/********************************************************************** 2399 *********************************************************************/ 2400 2401static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state, 2402 const char *filter, 2403 LDAPMessage ** result) 2404{ 2405 int scope = LDAP_SCOPE_SUBTREE; 2406 int rc; 2407 const char **attr_list; 2408 2409 attr_list = get_attr_list(NULL, groupmap_attr_list); 2410 rc = smbldap_search(ldap_state->smbldap_state, 2411 lp_ldap_suffix (), scope, 2412 filter, attr_list, 0, result); 2413 TALLOC_FREE(attr_list); 2414 2415 return rc; 2416} 2417 2418/********************************************************************** 2419 *********************************************************************/ 2420 2421static bool init_group_from_ldap(struct ldapsam_privates *ldap_state, 2422 GROUP_MAP *map, LDAPMessage *entry) 2423{ 2424 char *temp = NULL; 2425 TALLOC_CTX *ctx = talloc_init("init_group_from_ldap"); 2426 2427 if (ldap_state == NULL || map == NULL || entry == NULL || 2428 ldap_state->smbldap_state->ldap_struct == NULL) { 2429 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n")); 2430 TALLOC_FREE(ctx); 2431 return false; 2432 } 2433 2434 temp = smbldap_talloc_single_attribute( 2435 ldap_state->smbldap_state->ldap_struct, 2436 entry, 2437 get_attr_key2string(groupmap_attr_list, 2438 LDAP_ATTR_GIDNUMBER), 2439 ctx); 2440 if (!temp) { 2441 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n", 2442 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER))); 2443 TALLOC_FREE(ctx); 2444 return false; 2445 } 2446 DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp)); 2447 2448 map->gid = (gid_t)atol(temp); 2449 2450 TALLOC_FREE(temp); 2451 temp = smbldap_talloc_single_attribute( 2452 ldap_state->smbldap_state->ldap_struct, 2453 entry, 2454 get_attr_key2string(groupmap_attr_list, 2455 LDAP_ATTR_GROUP_SID), 2456 ctx); 2457 if (!temp) { 2458 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n", 2459 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID))); 2460 TALLOC_FREE(ctx); 2461 return false; 2462 } 2463 2464 if (!string_to_sid(&map->sid, temp)) { 2465 DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp)); 2466 TALLOC_FREE(ctx); 2467 return false; 2468 } 2469 2470 TALLOC_FREE(temp); 2471 temp = smbldap_talloc_single_attribute( 2472 ldap_state->smbldap_state->ldap_struct, 2473 entry, 2474 get_attr_key2string(groupmap_attr_list, 2475 LDAP_ATTR_GROUP_TYPE), 2476 ctx); 2477 if (!temp) { 2478 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n", 2479 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE))); 2480 TALLOC_FREE(ctx); 2481 return false; 2482 } 2483 map->sid_name_use = (enum lsa_SidType)atol(temp); 2484 2485 if ((map->sid_name_use < SID_NAME_USER) || 2486 (map->sid_name_use > SID_NAME_UNKNOWN)) { 2487 DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use)); 2488 TALLOC_FREE(ctx); 2489 return false; 2490 } 2491 2492 TALLOC_FREE(temp); 2493 temp = smbldap_talloc_single_attribute( 2494 ldap_state->smbldap_state->ldap_struct, 2495 entry, 2496 get_attr_key2string(groupmap_attr_list, 2497 LDAP_ATTR_DISPLAY_NAME), 2498 ctx); 2499 if (!temp) { 2500 temp = smbldap_talloc_single_attribute( 2501 ldap_state->smbldap_state->ldap_struct, 2502 entry, 2503 get_attr_key2string(groupmap_attr_list, 2504 LDAP_ATTR_CN), 2505 ctx); 2506 if (!temp) { 2507 DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \ 2508for gidNumber(%lu)\n",(unsigned long)map->gid)); 2509 TALLOC_FREE(ctx); 2510 return false; 2511 } 2512 } 2513 fstrcpy(map->nt_name, temp); 2514 2515 TALLOC_FREE(temp); 2516 temp = smbldap_talloc_single_attribute( 2517 ldap_state->smbldap_state->ldap_struct, 2518 entry, 2519 get_attr_key2string(groupmap_attr_list, 2520 LDAP_ATTR_DESC), 2521 ctx); 2522 if (!temp) { 2523 temp = talloc_strdup(ctx, ""); 2524 if (!temp) { 2525 TALLOC_FREE(ctx); 2526 return false; 2527 } 2528 } 2529 fstrcpy(map->comment, temp); 2530 2531 if (lp_parm_bool(-1, "ldapsam", "trusted", false)) { 2532 store_gid_sid_cache(&map->sid, map->gid); 2533 idmap_cache_set_sid2gid(&map->sid, map->gid); 2534 } 2535 2536 TALLOC_FREE(ctx); 2537 return true; 2538} 2539 2540/********************************************************************** 2541 *********************************************************************/ 2542 2543static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods, 2544 const char *filter, 2545 GROUP_MAP *map) 2546{ 2547 struct ldapsam_privates *ldap_state = 2548 (struct ldapsam_privates *)methods->private_data; 2549 LDAPMessage *result = NULL; 2550 LDAPMessage *entry = NULL; 2551 int count; 2552 2553 if (ldapsam_search_one_group(ldap_state, filter, &result) 2554 != LDAP_SUCCESS) { 2555 return NT_STATUS_NO_SUCH_GROUP; 2556 } 2557 2558 count = ldap_count_entries(priv2ld(ldap_state), result); 2559 2560 if (count < 1) { 2561 DEBUG(4, ("ldapsam_getgroup: Did not find group, filter was " 2562 "%s\n", filter)); 2563 ldap_msgfree(result); 2564 return NT_STATUS_NO_SUCH_GROUP; 2565 } 2566 2567 if (count > 1) { 2568 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: " 2569 "count=%d\n", filter, count)); 2570 ldap_msgfree(result); 2571 return NT_STATUS_NO_SUCH_GROUP; 2572 } 2573 2574 entry = ldap_first_entry(priv2ld(ldap_state), result); 2575 2576 if (!entry) { 2577 ldap_msgfree(result); 2578 return NT_STATUS_UNSUCCESSFUL; 2579 } 2580 2581 if (!init_group_from_ldap(ldap_state, map, entry)) { 2582 DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for " 2583 "group filter %s\n", filter)); 2584 ldap_msgfree(result); 2585 return NT_STATUS_NO_SUCH_GROUP; 2586 } 2587 2588 ldap_msgfree(result); 2589 return NT_STATUS_OK; 2590} 2591 2592/********************************************************************** 2593 *********************************************************************/ 2594 2595static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map, 2596 DOM_SID sid) 2597{ 2598 char *filter = NULL; 2599 NTSTATUS status; 2600 fstring tmp; 2601 2602 if (asprintf(&filter, "(&(objectClass=%s)(%s=%s))", 2603 LDAP_OBJ_GROUPMAP, 2604 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID), 2605 sid_to_fstring(tmp, &sid)) < 0) { 2606 return NT_STATUS_NO_MEMORY; 2607 } 2608 2609 status = ldapsam_getgroup(methods, filter, map); 2610 SAFE_FREE(filter); 2611 return status; 2612} 2613 2614/********************************************************************** 2615 *********************************************************************/ 2616 2617static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map, 2618 gid_t gid) 2619{ 2620 char *filter = NULL; 2621 NTSTATUS status; 2622 2623 if (asprintf(&filter, "(&(objectClass=%s)(%s=%lu))", 2624 LDAP_OBJ_GROUPMAP, 2625 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER), 2626 (unsigned long)gid) < 0) { 2627 return NT_STATUS_NO_MEMORY; 2628 } 2629 2630 status = ldapsam_getgroup(methods, filter, map); 2631 SAFE_FREE(filter); 2632 return status; 2633} 2634 2635/********************************************************************** 2636 *********************************************************************/ 2637 2638static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map, 2639 const char *name) 2640{ 2641 char *filter = NULL; 2642 char *escape_name = escape_ldap_string(talloc_tos(), name); 2643 NTSTATUS status; 2644 2645 if (!escape_name) { 2646 return NT_STATUS_NO_MEMORY; 2647 } 2648 2649 if (asprintf(&filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))", 2650 LDAP_OBJ_GROUPMAP, 2651 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name, 2652 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN), 2653 escape_name) < 0) { 2654 TALLOC_FREE(escape_name); 2655 return NT_STATUS_NO_MEMORY; 2656 } 2657 2658 TALLOC_FREE(escape_name); 2659 status = ldapsam_getgroup(methods, filter, map); 2660 SAFE_FREE(filter); 2661 return status; 2662} 2663 2664static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct, 2665 LDAPMessage *entry, 2666 const DOM_SID *domain_sid, 2667 uint32 *rid) 2668{ 2669 fstring str; 2670 DOM_SID sid; 2671 2672 if (!smbldap_get_single_attribute(ldap_struct, entry, "sambaSID", 2673 str, sizeof(str)-1)) { 2674 DEBUG(10, ("Could not find sambaSID attribute\n")); 2675 return False; 2676 } 2677 2678 if (!string_to_sid(&sid, str)) { 2679 DEBUG(10, ("Could not convert string %s to sid\n", str)); 2680 return False; 2681 } 2682 2683 if (sid_compare_domain(&sid, domain_sid) != 0) { 2684 DEBUG(10, ("SID %s is not in expected domain %s\n", 2685 str, sid_string_dbg(domain_sid))); 2686 return False; 2687 } 2688 2689 if (!sid_peek_rid(&sid, rid)) { 2690 DEBUG(10, ("Could not peek into RID\n")); 2691 return False; 2692 } 2693 2694 return True; 2695} 2696 2697static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods, 2698 TALLOC_CTX *mem_ctx, 2699 const DOM_SID *group, 2700 uint32 **pp_member_rids, 2701 size_t *p_num_members) 2702{ 2703 struct ldapsam_privates *ldap_state = 2704 (struct ldapsam_privates *)methods->private_data; 2705 struct smbldap_state *conn = ldap_state->smbldap_state; 2706 const char *id_attrs[] = { "memberUid", "gidNumber", NULL }; 2707 const char *sid_attrs[] = { "sambaSID", NULL }; 2708 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; 2709 LDAPMessage *result = NULL; 2710 LDAPMessage *entry; 2711 char *filter; 2712 char **values = NULL; 2713 char **memberuid; 2714 char *gidstr; 2715 int rc, count; 2716 2717 *pp_member_rids = NULL; 2718 *p_num_members = 0; 2719 2720 filter = talloc_asprintf(mem_ctx, 2721 "(&(objectClass=%s)" 2722 "(objectClass=%s)" 2723 "(sambaSID=%s))", 2724 LDAP_OBJ_POSIXGROUP, 2725 LDAP_OBJ_GROUPMAP, 2726 sid_string_talloc(mem_ctx, group)); 2727 if (filter == NULL) { 2728 ret = NT_STATUS_NO_MEMORY; 2729 goto done; 2730 } 2731 2732 rc = smbldap_search(conn, lp_ldap_suffix(), 2733 LDAP_SCOPE_SUBTREE, filter, id_attrs, 0, 2734 &result); 2735 2736 if (rc != LDAP_SUCCESS) 2737 goto done; 2738 2739 talloc_autofree_ldapmsg(mem_ctx, result); 2740 2741 count = ldap_count_entries(conn->ldap_struct, result); 2742 2743 if (count > 1) { 2744 DEBUG(1, ("Found more than one groupmap entry for %s\n", 2745 sid_string_dbg(group))); 2746 ret = NT_STATUS_INTERNAL_DB_CORRUPTION; 2747 goto done; 2748 } 2749 2750 if (count == 0) { 2751 ret = NT_STATUS_NO_SUCH_GROUP; 2752 goto done; 2753 } 2754 2755 entry = ldap_first_entry(conn->ldap_struct, result); 2756 if (entry == NULL) 2757 goto done; 2758 2759 gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx); 2760 if (!gidstr) { 2761 DEBUG (0, ("ldapsam_enum_group_members: Unable to find the group's gid!\n")); 2762 ret = NT_STATUS_INTERNAL_DB_CORRUPTION; 2763 goto done; 2764 } 2765 2766 values = ldap_get_values(conn->ldap_struct, entry, "memberUid"); 2767 2768 if ((values != NULL) && (values[0] != NULL)) { 2769 2770 filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(|", LDAP_OBJ_SAMBASAMACCOUNT); 2771 if (filter == NULL) { 2772 ret = NT_STATUS_NO_MEMORY; 2773 goto done; 2774 } 2775 2776 for (memberuid = values; *memberuid != NULL; memberuid += 1) { 2777 char *escape_memberuid; 2778 2779 escape_memberuid = escape_ldap_string(talloc_tos(), 2780 *memberuid); 2781 if (escape_memberuid == NULL) { 2782 ret = NT_STATUS_NO_MEMORY; 2783 goto done; 2784 } 2785 2786 filter = talloc_asprintf_append_buffer(filter, "(uid=%s)", escape_memberuid); 2787 TALLOC_FREE(escape_memberuid); 2788 if (filter == NULL) { 2789 ret = NT_STATUS_NO_MEMORY; 2790 goto done; 2791 } 2792 } 2793 2794 filter = talloc_asprintf_append_buffer(filter, "))"); 2795 if (filter == NULL) { 2796 ret = NT_STATUS_NO_MEMORY; 2797 goto done; 2798 } 2799 2800 rc = smbldap_search(conn, lp_ldap_suffix(), 2801 LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0, 2802 &result); 2803 2804 if (rc != LDAP_SUCCESS) 2805 goto done; 2806 2807 count = ldap_count_entries(conn->ldap_struct, result); 2808 DEBUG(10,("ldapsam_enum_group_members: found %d accounts\n", count)); 2809 2810 talloc_autofree_ldapmsg(mem_ctx, result); 2811 2812 for (entry = ldap_first_entry(conn->ldap_struct, result); 2813 entry != NULL; 2814 entry = ldap_next_entry(conn->ldap_struct, entry)) 2815 { 2816 char *sidstr; 2817 DOM_SID sid; 2818 uint32 rid; 2819 2820 sidstr = smbldap_talloc_single_attribute(conn->ldap_struct, 2821 entry, "sambaSID", 2822 mem_ctx); 2823 if (!sidstr) { 2824 DEBUG(0, ("Severe DB error, %s can't miss the sambaSID" 2825 "attribute\n", LDAP_OBJ_SAMBASAMACCOUNT)); 2826 ret = NT_STATUS_INTERNAL_DB_CORRUPTION; 2827 goto done; 2828 } 2829 2830 if (!string_to_sid(&sid, sidstr)) 2831 goto done; 2832 2833 if (!sid_check_is_in_our_domain(&sid)) { 2834 DEBUG(0, ("Inconsistent SAM -- group member uid not " 2835 "in our domain\n")); 2836 ret = NT_STATUS_INTERNAL_DB_CORRUPTION; 2837 goto done; 2838 } 2839 2840 sid_peek_rid(&sid, &rid); 2841 2842 if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids, 2843 p_num_members)) { 2844 ret = NT_STATUS_NO_MEMORY; 2845 goto done; 2846 } 2847 } 2848 } 2849 2850 filter = talloc_asprintf(mem_ctx, 2851 "(&(objectClass=%s)" 2852 "(gidNumber=%s))", 2853 LDAP_OBJ_SAMBASAMACCOUNT, 2854 gidstr); 2855 2856 rc = smbldap_search(conn, lp_ldap_suffix(), 2857 LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0, 2858 &result); 2859 2860 if (rc != LDAP_SUCCESS) 2861 goto done; 2862 2863 talloc_autofree_ldapmsg(mem_ctx, result); 2864 2865 for (entry = ldap_first_entry(conn->ldap_struct, result); 2866 entry != NULL; 2867 entry = ldap_next_entry(conn->ldap_struct, entry)) 2868 { 2869 uint32 rid; 2870 2871 if (!ldapsam_extract_rid_from_entry(conn->ldap_struct, 2872 entry, 2873 get_global_sam_sid(), 2874 &rid)) { 2875 DEBUG(0, ("Severe DB error, %s can't miss the samba SID" "attribute\n", LDAP_OBJ_SAMBASAMACCOUNT)); 2876 ret = NT_STATUS_INTERNAL_DB_CORRUPTION; 2877 goto done; 2878 } 2879 2880 if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids, 2881 p_num_members)) { 2882 ret = NT_STATUS_NO_MEMORY; 2883 goto done; 2884 } 2885 } 2886 2887 ret = NT_STATUS_OK; 2888 2889 done: 2890 2891 if (values) 2892 ldap_value_free(values); 2893 2894 return ret; 2895} 2896 2897static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods, 2898 TALLOC_CTX *mem_ctx, 2899 struct samu *user, 2900 DOM_SID **pp_sids, 2901 gid_t **pp_gids, 2902 size_t *p_num_groups) 2903{ 2904 struct ldapsam_privates *ldap_state = 2905 (struct ldapsam_privates *)methods->private_data; 2906 struct smbldap_state *conn = ldap_state->smbldap_state; 2907 char *filter; 2908 const char *attrs[] = { "gidNumber", "sambaSID", NULL }; 2909 char *escape_name; 2910 int rc, count; 2911 LDAPMessage *result = NULL; 2912 LDAPMessage *entry; 2913 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; 2914 size_t num_sids, num_gids; 2915 char *gidstr; 2916 gid_t primary_gid = -1; 2917 2918 *pp_sids = NULL; 2919 num_sids = 0; 2920 2921 if (pdb_get_username(user) == NULL) { 2922 return NT_STATUS_INVALID_PARAMETER; 2923 } 2924 2925 escape_name = escape_ldap_string(talloc_tos(), pdb_get_username(user)); 2926 if (escape_name == NULL) 2927 return NT_STATUS_NO_MEMORY; 2928 2929 if (user->unix_pw) { 2930 primary_gid = user->unix_pw->pw_gid; 2931 } else { 2932 /* retrieve the users primary gid */ 2933 filter = talloc_asprintf(mem_ctx, 2934 "(&(objectClass=%s)(uid=%s))", 2935 LDAP_OBJ_SAMBASAMACCOUNT, 2936 escape_name); 2937 if (filter == NULL) { 2938 ret = NT_STATUS_NO_MEMORY; 2939 goto done; 2940 } 2941 2942 rc = smbldap_search(conn, lp_ldap_suffix(), 2943 LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result); 2944 2945 if (rc != LDAP_SUCCESS) 2946 goto done; 2947 2948 talloc_autofree_ldapmsg(mem_ctx, result); 2949 2950 count = ldap_count_entries(priv2ld(ldap_state), result); 2951 2952 switch (count) { 2953 case 0: 2954 DEBUG(1, ("User account [%s] not found!\n", pdb_get_username(user))); 2955 ret = NT_STATUS_NO_SUCH_USER; 2956 goto done; 2957 case 1: 2958 entry = ldap_first_entry(priv2ld(ldap_state), result); 2959 2960 gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx); 2961 if (!gidstr) { 2962 DEBUG (1, ("Unable to find the member's gid!\n")); 2963 ret = NT_STATUS_INTERNAL_DB_CORRUPTION; 2964 goto done; 2965 } 2966 primary_gid = strtoul(gidstr, NULL, 10); 2967 break; 2968 default: 2969 DEBUG(1, ("found more than one account with the same user name ?!\n")); 2970 ret = NT_STATUS_INTERNAL_DB_CORRUPTION; 2971 goto done; 2972 } 2973 } 2974 2975 filter = talloc_asprintf(mem_ctx, 2976 "(&(objectClass=%s)(|(memberUid=%s)(gidNumber=%u)))", 2977 LDAP_OBJ_POSIXGROUP, escape_name, (unsigned int)primary_gid); 2978 if (filter == NULL) { 2979 ret = NT_STATUS_NO_MEMORY; 2980 goto done; 2981 } 2982 2983 rc = smbldap_search(conn, lp_ldap_suffix(), 2984 LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result); 2985 2986 if (rc != LDAP_SUCCESS) 2987 goto done; 2988 2989 talloc_autofree_ldapmsg(mem_ctx, result); 2990 2991 num_gids = 0; 2992 *pp_gids = NULL; 2993 2994 num_sids = 0; 2995 *pp_sids = NULL; 2996 2997 /* We need to add the primary group as the first gid/sid */ 2998 2999 if (!add_gid_to_array_unique(mem_ctx, primary_gid, pp_gids, &num_gids)) { 3000 ret = NT_STATUS_NO_MEMORY; 3001 goto done; 3002 } 3003 3004 /* This sid will be replaced later */ 3005 3006 ret = add_sid_to_array_unique(mem_ctx, &global_sid_NULL, pp_sids, 3007 &num_sids); 3008 if (!NT_STATUS_IS_OK(ret)) { 3009 goto done; 3010 } 3011 3012 for (entry = ldap_first_entry(conn->ldap_struct, result); 3013 entry != NULL; 3014 entry = ldap_next_entry(conn->ldap_struct, entry)) 3015 { 3016 fstring str; 3017 DOM_SID sid; 3018 gid_t gid; 3019 char *end; 3020 3021 if (!smbldap_get_single_attribute(conn->ldap_struct, 3022 entry, "sambaSID", 3023 str, sizeof(str)-1)) 3024 continue; 3025 3026 if (!string_to_sid(&sid, str)) 3027 goto done; 3028 3029 if (!smbldap_get_single_attribute(conn->ldap_struct, 3030 entry, "gidNumber", 3031 str, sizeof(str)-1)) 3032 continue; 3033 3034 gid = strtoul(str, &end, 10); 3035 3036 if (PTR_DIFF(end, str) != strlen(str)) 3037 goto done; 3038 3039 if (gid == primary_gid) { 3040 sid_copy(&(*pp_sids)[0], &sid); 3041 } else { 3042 if (!add_gid_to_array_unique(mem_ctx, gid, pp_gids, 3043 &num_gids)) { 3044 ret = NT_STATUS_NO_MEMORY; 3045 goto done; 3046 } 3047 ret = add_sid_to_array_unique(mem_ctx, &sid, pp_sids, 3048 &num_sids); 3049 if (!NT_STATUS_IS_OK(ret)) { 3050 goto done; 3051 } 3052 } 3053 } 3054 3055 if (sid_compare(&global_sid_NULL, &(*pp_sids)[0]) == 0) { 3056 DEBUG(3, ("primary group of [%s] not found\n", 3057 pdb_get_username(user))); 3058 goto done; 3059 } 3060 3061 *p_num_groups = num_sids; 3062 3063 ret = NT_STATUS_OK; 3064 3065 done: 3066 3067 TALLOC_FREE(escape_name); 3068 return ret; 3069} 3070 3071/********************************************************************** 3072 * Augment a posixGroup object with a sambaGroupMapping domgroup 3073 *********************************************************************/ 3074 3075static NTSTATUS ldapsam_map_posixgroup(TALLOC_CTX *mem_ctx, 3076 struct ldapsam_privates *ldap_state, 3077 GROUP_MAP *map) 3078{ 3079 const char *filter, *dn; 3080 LDAPMessage *msg, *entry; 3081 LDAPMod **mods; 3082 int rc; 3083 3084 filter = talloc_asprintf(mem_ctx, 3085 "(&(objectClass=%s)(gidNumber=%u))", 3086 LDAP_OBJ_POSIXGROUP, (unsigned int)map->gid); 3087 if (filter == NULL) { 3088 return NT_STATUS_NO_MEMORY; 3089 } 3090 3091 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, 3092 get_attr_list(mem_ctx, groupmap_attr_list), 3093 &msg); 3094 talloc_autofree_ldapmsg(mem_ctx, msg); 3095 3096 if ((rc != LDAP_SUCCESS) || 3097 (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) || 3098 ((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) { 3099 return NT_STATUS_NO_SUCH_GROUP; 3100 } 3101 3102 dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry); 3103 if (dn == NULL) { 3104 return NT_STATUS_NO_MEMORY; 3105 } 3106 3107 mods = NULL; 3108 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", 3109 LDAP_OBJ_GROUPMAP); 3110 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaSid", 3111 sid_string_talloc(mem_ctx, &map->sid)); 3112 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaGroupType", 3113 talloc_asprintf(mem_ctx, "%d", map->sid_name_use)); 3114 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName", 3115 map->nt_name); 3116 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description", 3117 map->comment); 3118 talloc_autofree_ldapmod(mem_ctx, mods); 3119 3120 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods); 3121 if (rc != LDAP_SUCCESS) { 3122 return NT_STATUS_ACCESS_DENIED; 3123 } 3124 3125 return NT_STATUS_OK; 3126} 3127 3128static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods, 3129 GROUP_MAP *map) 3130{ 3131 struct ldapsam_privates *ldap_state = 3132 (struct ldapsam_privates *)methods->private_data; 3133 LDAPMessage *msg = NULL; 3134 LDAPMod **mods = NULL; 3135 const char *attrs[] = { NULL }; 3136 char *filter; 3137 3138 char *dn; 3139 TALLOC_CTX *mem_ctx; 3140 NTSTATUS result; 3141 3142 DOM_SID sid; 3143 3144 int rc; 3145 3146 mem_ctx = talloc_new(NULL); 3147 if (mem_ctx == NULL) { 3148 DEBUG(0, ("talloc_new failed\n")); 3149 return NT_STATUS_NO_MEMORY; 3150 } 3151 3152 filter = talloc_asprintf(mem_ctx, "(sambaSid=%s)", 3153 sid_string_talloc(mem_ctx, &map->sid)); 3154 if (filter == NULL) { 3155 result = NT_STATUS_NO_MEMORY; 3156 goto done; 3157 } 3158 3159 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(), 3160 LDAP_SCOPE_SUBTREE, filter, attrs, True, &msg); 3161 talloc_autofree_ldapmsg(mem_ctx, msg); 3162 3163 if ((rc == LDAP_SUCCESS) && 3164 (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) > 0)) { 3165 3166 DEBUG(3, ("SID %s already present in LDAP, refusing to add " 3167 "group mapping entry\n", sid_string_dbg(&map->sid))); 3168 result = NT_STATUS_GROUP_EXISTS; 3169 goto done; 3170 } 3171 3172 switch (map->sid_name_use) { 3173 3174 case SID_NAME_DOM_GRP: 3175 /* To map a domain group we need to have a posix group 3176 to attach to. */ 3177 result = ldapsam_map_posixgroup(mem_ctx, ldap_state, map); 3178 goto done; 3179 break; 3180 3181 case SID_NAME_ALIAS: 3182 if (!sid_check_is_in_our_domain(&map->sid) 3183 && !sid_check_is_in_builtin(&map->sid) ) 3184 { 3185 DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n", 3186 sid_string_dbg(&map->sid))); 3187 result = NT_STATUS_INVALID_PARAMETER; 3188 goto done; 3189 } 3190 break; 3191 3192 default: 3193 DEBUG(3, ("Got invalid use '%s' for mapping\n", 3194 sid_type_lookup(map->sid_name_use))); 3195 result = NT_STATUS_INVALID_PARAMETER; 3196 goto done; 3197 } 3198 3199 /* Domain groups have been mapped in a separate routine, we have to 3200 * create an alias now */ 3201 3202 if (map->gid == -1) { 3203 DEBUG(10, ("Refusing to map gid==-1\n")); 3204 result = NT_STATUS_INVALID_PARAMETER; 3205 goto done; 3206 } 3207 3208 if (pdb_gid_to_sid(map->gid, &sid)) { 3209 DEBUG(3, ("Gid %u is already mapped to SID %s, refusing to " 3210 "add\n", (unsigned int)map->gid, sid_string_dbg(&sid))); 3211 result = NT_STATUS_GROUP_EXISTS; 3212 goto done; 3213 } 3214 3215 /* Ok, enough checks done. It's still racy to go ahead now, but that's 3216 * the best we can get out of LDAP. */ 3217 3218 dn = talloc_asprintf(mem_ctx, "sambaSid=%s,%s", 3219 sid_string_talloc(mem_ctx, &map->sid), 3220 lp_ldap_group_suffix()); 3221 if (dn == NULL) { 3222 result = NT_STATUS_NO_MEMORY; 3223 goto done; 3224 } 3225 3226 mods = NULL; 3227 3228 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass", 3229 LDAP_OBJ_SID_ENTRY); 3230 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass", 3231 LDAP_OBJ_GROUPMAP); 3232 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaSid", 3233 sid_string_talloc(mem_ctx, &map->sid)); 3234 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaGroupType", 3235 talloc_asprintf(mem_ctx, "%d", map->sid_name_use)); 3236 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "displayName", 3237 map->nt_name); 3238 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "description", 3239 map->comment); 3240 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "gidNumber", 3241 talloc_asprintf(mem_ctx, "%u", (unsigned int)map->gid)); 3242 talloc_autofree_ldapmod(mem_ctx, mods); 3243 3244 rc = smbldap_add(ldap_state->smbldap_state, dn, mods); 3245 3246 result = (rc == LDAP_SUCCESS) ? 3247 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; 3248 3249 done: 3250 TALLOC_FREE(mem_ctx); 3251 return result; 3252} 3253 3254/********************************************************************** 3255 * Update a group mapping entry. We're quite strict about what can be changed: 3256 * Only the description and displayname may be changed. It simply does not 3257 * make any sense to change the SID, gid or the type in a mapping. 3258 *********************************************************************/ 3259 3260static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods, 3261 GROUP_MAP *map) 3262{ 3263 struct ldapsam_privates *ldap_state = 3264 (struct ldapsam_privates *)methods->private_data; 3265 int rc; 3266 const char *filter, *dn; 3267 LDAPMessage *msg = NULL; 3268 LDAPMessage *entry = NULL; 3269 LDAPMod **mods = NULL; 3270 TALLOC_CTX *mem_ctx; 3271 NTSTATUS result; 3272 3273 mem_ctx = talloc_new(NULL); 3274 if (mem_ctx == NULL) { 3275 DEBUG(0, ("talloc_new failed\n")); 3276 return NT_STATUS_NO_MEMORY; 3277 } 3278 3279 /* Make 100% sure that sid, gid and type are not changed by looking up 3280 * exactly the values we're given in LDAP. */ 3281 3282 filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)" 3283 "(sambaSid=%s)(gidNumber=%u)" 3284 "(sambaGroupType=%d))", 3285 LDAP_OBJ_GROUPMAP, 3286 sid_string_talloc(mem_ctx, &map->sid), 3287 (unsigned int)map->gid, map->sid_name_use); 3288 if (filter == NULL) { 3289 result = NT_STATUS_NO_MEMORY; 3290 goto done; 3291 } 3292 3293 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, 3294 get_attr_list(mem_ctx, groupmap_attr_list), 3295 &msg); 3296 talloc_autofree_ldapmsg(mem_ctx, msg); 3297 3298 if ((rc != LDAP_SUCCESS) || 3299 (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) || 3300 ((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) { 3301 result = NT_STATUS_NO_SUCH_GROUP; 3302 goto done; 3303 } 3304 3305 dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry); 3306 3307 if (dn == NULL) { 3308 result = NT_STATUS_NO_MEMORY; 3309 goto done; 3310 } 3311 3312 mods = NULL; 3313 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName", 3314 map->nt_name); 3315 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description", 3316 map->comment); 3317 talloc_autofree_ldapmod(mem_ctx, mods); 3318 3319 if (mods == NULL) { 3320 DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: " 3321 "nothing to do\n")); 3322 result = NT_STATUS_OK; 3323 goto done; 3324 } 3325 3326 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods); 3327 3328 if (rc != LDAP_SUCCESS) { 3329 result = NT_STATUS_ACCESS_DENIED; 3330 goto done; 3331 } 3332 3333 DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified " 3334 "group %lu in LDAP\n", (unsigned long)map->gid)); 3335 3336 result = NT_STATUS_OK; 3337 3338 done: 3339 TALLOC_FREE(mem_ctx); 3340 return result; 3341} 3342 3343/********************************************************************** 3344 *********************************************************************/ 3345 3346static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods, 3347 DOM_SID sid) 3348{ 3349 struct ldapsam_privates *priv = 3350 (struct ldapsam_privates *)methods->private_data; 3351 LDAPMessage *msg, *entry; 3352 int rc; 3353 NTSTATUS result; 3354 TALLOC_CTX *mem_ctx; 3355 char *filter; 3356 3357 mem_ctx = talloc_new(NULL); 3358 if (mem_ctx == NULL) { 3359 DEBUG(0, ("talloc_new failed\n")); 3360 return NT_STATUS_NO_MEMORY; 3361 } 3362 3363 filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%s))", 3364 LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, 3365 sid_string_talloc(mem_ctx, &sid)); 3366 if (filter == NULL) { 3367 result = NT_STATUS_NO_MEMORY; 3368 goto done; 3369 } 3370 rc = smbldap_search_suffix(priv->smbldap_state, filter, 3371 get_attr_list(mem_ctx, groupmap_attr_list), 3372 &msg); 3373 talloc_autofree_ldapmsg(mem_ctx, msg); 3374 3375 if ((rc != LDAP_SUCCESS) || 3376 (ldap_count_entries(priv2ld(priv), msg) != 1) || 3377 ((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) { 3378 result = NT_STATUS_NO_SUCH_GROUP; 3379 goto done; 3380 } 3381 3382 rc = ldapsam_delete_entry(priv, mem_ctx, entry, LDAP_OBJ_GROUPMAP, 3383 get_attr_list(mem_ctx, 3384 groupmap_attr_list_to_delete)); 3385 3386 if ((rc == LDAP_NAMING_VIOLATION) || 3387 (rc == LDAP_NOT_ALLOWED_ON_RDN) || 3388 (rc == LDAP_OBJECT_CLASS_VIOLATION)) { 3389 const char *attrs[] = { "sambaGroupType", "description", 3390 "displayName", "sambaSIDList", 3391 NULL }; 3392 3393 /* Second try. Don't delete the sambaSID attribute, this is 3394 for "old" entries that are tacked on a winbind 3395 sambaIdmapEntry. */ 3396 3397 rc = ldapsam_delete_entry(priv, mem_ctx, entry, 3398 LDAP_OBJ_GROUPMAP, attrs); 3399 } 3400 3401 if ((rc == LDAP_NAMING_VIOLATION) || 3402 (rc == LDAP_NOT_ALLOWED_ON_RDN) || 3403 (rc == LDAP_OBJECT_CLASS_VIOLATION)) { 3404 const char *attrs[] = { "sambaGroupType", "description", 3405 "displayName", "sambaSIDList", 3406 "gidNumber", NULL }; 3407 3408 /* Third try. This is a post-3.0.21 alias (containing only 3409 * sambaSidEntry and sambaGroupMapping classes), we also have 3410 * to delete the gidNumber attribute, only the sambaSidEntry 3411 * remains */ 3412 3413 rc = ldapsam_delete_entry(priv, mem_ctx, entry, 3414 LDAP_OBJ_GROUPMAP, attrs); 3415 } 3416 3417 result = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL; 3418 3419 done: 3420 TALLOC_FREE(mem_ctx); 3421 return result; 3422 } 3423 3424/********************************************************************** 3425 *********************************************************************/ 3426 3427static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, 3428 bool update) 3429{ 3430 struct ldapsam_privates *ldap_state = 3431 (struct ldapsam_privates *)my_methods->private_data; 3432 char *filter = NULL; 3433 int rc; 3434 const char **attr_list; 3435 3436 filter = talloc_asprintf(NULL, "(objectclass=%s)", LDAP_OBJ_GROUPMAP); 3437 if (!filter) { 3438 return NT_STATUS_NO_MEMORY; 3439 } 3440 attr_list = get_attr_list( NULL, groupmap_attr_list ); 3441 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(), 3442 LDAP_SCOPE_SUBTREE, filter, 3443 attr_list, 0, &ldap_state->result); 3444 TALLOC_FREE(attr_list); 3445 3446 if (rc != LDAP_SUCCESS) { 3447 DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n", 3448 ldap_err2string(rc))); 3449 DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n", 3450 lp_ldap_suffix(), filter)); 3451 ldap_msgfree(ldap_state->result); 3452 ldap_state->result = NULL; 3453 TALLOC_FREE(filter); 3454 return NT_STATUS_UNSUCCESSFUL; 3455 } 3456 3457 TALLOC_FREE(filter); 3458 3459 DEBUG(2, ("ldapsam_setsamgrent: %d entries in the base!\n", 3460 ldap_count_entries(ldap_state->smbldap_state->ldap_struct, 3461 ldap_state->result))); 3462 3463 ldap_state->entry = 3464 ldap_first_entry(ldap_state->smbldap_state->ldap_struct, 3465 ldap_state->result); 3466 ldap_state->index = 0; 3467 3468 return NT_STATUS_OK; 3469} 3470 3471/********************************************************************** 3472 *********************************************************************/ 3473 3474static void ldapsam_endsamgrent(struct pdb_methods *my_methods) 3475{ 3476 ldapsam_endsampwent(my_methods); 3477} 3478 3479/********************************************************************** 3480 *********************************************************************/ 3481 3482static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods, 3483 GROUP_MAP *map) 3484{ 3485 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; 3486 struct ldapsam_privates *ldap_state = 3487 (struct ldapsam_privates *)my_methods->private_data; 3488 bool bret = False; 3489 3490 while (!bret) { 3491 if (!ldap_state->entry) 3492 return ret; 3493 3494 ldap_state->index++; 3495 bret = init_group_from_ldap(ldap_state, map, 3496 ldap_state->entry); 3497 3498 ldap_state->entry = 3499 ldap_next_entry(ldap_state->smbldap_state->ldap_struct, 3500 ldap_state->entry); 3501 } 3502 3503 return NT_STATUS_OK; 3504} 3505 3506/********************************************************************** 3507 *********************************************************************/ 3508 3509static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods, 3510 const DOM_SID *domsid, enum lsa_SidType sid_name_use, 3511 GROUP_MAP **pp_rmap, 3512 size_t *p_num_entries, 3513 bool unix_only) 3514{ 3515 GROUP_MAP map; 3516 size_t entries = 0; 3517 3518 *p_num_entries = 0; 3519 *pp_rmap = NULL; 3520 3521 if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) { 3522 DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open " 3523 "passdb\n")); 3524 return NT_STATUS_ACCESS_DENIED; 3525 } 3526 3527 while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, &map))) { 3528 if (sid_name_use != SID_NAME_UNKNOWN && 3529 sid_name_use != map.sid_name_use) { 3530 DEBUG(11,("ldapsam_enum_group_mapping: group %s is " 3531 "not of the requested type\n", map.nt_name)); 3532 continue; 3533 } 3534 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) { 3535 DEBUG(11,("ldapsam_enum_group_mapping: group %s is " 3536 "non mapped\n", map.nt_name)); 3537 continue; 3538 } 3539 3540 (*pp_rmap)=SMB_REALLOC_ARRAY((*pp_rmap), GROUP_MAP, entries+1); 3541 if (!(*pp_rmap)) { 3542 DEBUG(0,("ldapsam_enum_group_mapping: Unable to " 3543 "enlarge group map!\n")); 3544 return NT_STATUS_UNSUCCESSFUL; 3545 } 3546 3547 (*pp_rmap)[entries] = map; 3548 3549 entries += 1; 3550 3551 } 3552 ldapsam_endsamgrent(methods); 3553 3554 *p_num_entries = entries; 3555 3556 return NT_STATUS_OK; 3557} 3558 3559static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods, 3560 const DOM_SID *alias, 3561 const DOM_SID *member, 3562 int modop) 3563{ 3564 struct ldapsam_privates *ldap_state = 3565 (struct ldapsam_privates *)methods->private_data; 3566 char *dn = NULL; 3567 LDAPMessage *result = NULL; 3568 LDAPMessage *entry = NULL; 3569 int count; 3570 LDAPMod **mods = NULL; 3571 int rc; 3572 enum lsa_SidType type = SID_NAME_USE_NONE; 3573 fstring tmp; 3574 3575 char *filter = NULL; 3576 3577 if (sid_check_is_in_builtin(alias)) { 3578 type = SID_NAME_ALIAS; 3579 } 3580 3581 if (sid_check_is_in_our_domain(alias)) { 3582 type = SID_NAME_ALIAS; 3583 } 3584 3585 if (type == SID_NAME_USE_NONE) { 3586 DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n", 3587 sid_string_dbg(alias))); 3588 return NT_STATUS_NO_SUCH_ALIAS; 3589 } 3590 3591 if (asprintf(&filter, 3592 "(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))", 3593 LDAP_OBJ_GROUPMAP, sid_to_fstring(tmp, alias), 3594 type) < 0) { 3595 return NT_STATUS_NO_MEMORY; 3596 } 3597 3598 if (ldapsam_search_one_group(ldap_state, filter, 3599 &result) != LDAP_SUCCESS) { 3600 SAFE_FREE(filter); 3601 return NT_STATUS_NO_SUCH_ALIAS; 3602 } 3603 3604 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, 3605 result); 3606 3607 if (count < 1) { 3608 DEBUG(4, ("ldapsam_modify_aliasmem: Did not find alias\n")); 3609 ldap_msgfree(result); 3610 SAFE_FREE(filter); 3611 return NT_STATUS_NO_SUCH_ALIAS; 3612 } 3613 3614 if (count > 1) { 3615 DEBUG(1, ("ldapsam_modify_aliasmem: Duplicate entries for " 3616 "filter %s: count=%d\n", filter, count)); 3617 ldap_msgfree(result); 3618 SAFE_FREE(filter); 3619 return NT_STATUS_NO_SUCH_ALIAS; 3620 } 3621 3622 SAFE_FREE(filter); 3623 3624 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, 3625 result); 3626 3627 if (!entry) { 3628 ldap_msgfree(result); 3629 return NT_STATUS_UNSUCCESSFUL; 3630 } 3631 3632 dn = smbldap_talloc_dn(talloc_tos(), ldap_state->smbldap_state->ldap_struct, entry); 3633 if (!dn) { 3634 ldap_msgfree(result); 3635 return NT_STATUS_UNSUCCESSFUL; 3636 } 3637 3638 smbldap_set_mod(&mods, modop, 3639 get_attr_key2string(groupmap_attr_list, 3640 LDAP_ATTR_SID_LIST), 3641 sid_to_fstring(tmp, member)); 3642 3643 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods); 3644 3645 ldap_mods_free(mods, True); 3646 ldap_msgfree(result); 3647 TALLOC_FREE(dn); 3648 3649 if (rc == LDAP_TYPE_OR_VALUE_EXISTS) { 3650 return NT_STATUS_MEMBER_IN_ALIAS; 3651 } 3652 3653 if (rc == LDAP_NO_SUCH_ATTRIBUTE) { 3654 return NT_STATUS_MEMBER_NOT_IN_ALIAS; 3655 } 3656 3657 if (rc != LDAP_SUCCESS) { 3658 return NT_STATUS_UNSUCCESSFUL; 3659 } 3660 3661 return NT_STATUS_OK; 3662} 3663 3664static NTSTATUS ldapsam_add_aliasmem(struct pdb_methods *methods, 3665 const DOM_SID *alias, 3666 const DOM_SID *member) 3667{ 3668 return ldapsam_modify_aliasmem(methods, alias, member, LDAP_MOD_ADD); 3669} 3670 3671static NTSTATUS ldapsam_del_aliasmem(struct pdb_methods *methods, 3672 const DOM_SID *alias, 3673 const DOM_SID *member) 3674{ 3675 return ldapsam_modify_aliasmem(methods, alias, member, 3676 LDAP_MOD_DELETE); 3677} 3678 3679static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods, 3680 const DOM_SID *alias, 3681 TALLOC_CTX *mem_ctx, 3682 DOM_SID **pp_members, 3683 size_t *p_num_members) 3684{ 3685 struct ldapsam_privates *ldap_state = 3686 (struct ldapsam_privates *)methods->private_data; 3687 LDAPMessage *result = NULL; 3688 LDAPMessage *entry = NULL; 3689 int count; 3690 char **values = NULL; 3691 int i; 3692 char *filter = NULL; 3693 size_t num_members = 0; 3694 enum lsa_SidType type = SID_NAME_USE_NONE; 3695 fstring tmp; 3696 3697 *pp_members = NULL; 3698 *p_num_members = 0; 3699 3700 if (sid_check_is_in_builtin(alias)) { 3701 type = SID_NAME_ALIAS; 3702 } 3703 3704 if (sid_check_is_in_our_domain(alias)) { 3705 type = SID_NAME_ALIAS; 3706 } 3707 3708 if (type == SID_NAME_USE_NONE) { 3709 DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n", 3710 sid_string_dbg(alias))); 3711 return NT_STATUS_NO_SUCH_ALIAS; 3712 } 3713 3714 if (asprintf(&filter, 3715 "(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))", 3716 LDAP_OBJ_GROUPMAP, sid_to_fstring(tmp, alias), 3717 type) < 0) { 3718 return NT_STATUS_NO_MEMORY; 3719 } 3720 3721 if (ldapsam_search_one_group(ldap_state, filter, 3722 &result) != LDAP_SUCCESS) { 3723 SAFE_FREE(filter); 3724 return NT_STATUS_NO_SUCH_ALIAS; 3725 } 3726 3727 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, 3728 result); 3729 3730 if (count < 1) { 3731 DEBUG(4, ("ldapsam_enum_aliasmem: Did not find alias\n")); 3732 ldap_msgfree(result); 3733 SAFE_FREE(filter); 3734 return NT_STATUS_NO_SUCH_ALIAS; 3735 } 3736 3737 if (count > 1) { 3738 DEBUG(1, ("ldapsam_enum_aliasmem: Duplicate entries for " 3739 "filter %s: count=%d\n", filter, count)); 3740 ldap_msgfree(result); 3741 SAFE_FREE(filter); 3742 return NT_STATUS_NO_SUCH_ALIAS; 3743 } 3744 3745 SAFE_FREE(filter); 3746 3747 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, 3748 result); 3749 3750 if (!entry) { 3751 ldap_msgfree(result); 3752 return NT_STATUS_UNSUCCESSFUL; 3753 } 3754 3755 values = ldap_get_values(ldap_state->smbldap_state->ldap_struct, 3756 entry, 3757 get_attr_key2string(groupmap_attr_list, 3758 LDAP_ATTR_SID_LIST)); 3759 3760 if (values == NULL) { 3761 ldap_msgfree(result); 3762 return NT_STATUS_OK; 3763 } 3764 3765 count = ldap_count_values(values); 3766 3767 for (i=0; i<count; i++) { 3768 DOM_SID member; 3769 NTSTATUS status; 3770 3771 if (!string_to_sid(&member, values[i])) 3772 continue; 3773 3774 status = add_sid_to_array(mem_ctx, &member, pp_members, 3775 &num_members); 3776 if (!NT_STATUS_IS_OK(status)) { 3777 ldap_value_free(values); 3778 ldap_msgfree(result); 3779 return status; 3780 } 3781 } 3782 3783 *p_num_members = num_members; 3784 ldap_value_free(values); 3785 ldap_msgfree(result); 3786 3787 return NT_STATUS_OK; 3788} 3789 3790static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods, 3791 TALLOC_CTX *mem_ctx, 3792 const DOM_SID *domain_sid, 3793 const DOM_SID *members, 3794 size_t num_members, 3795 uint32 **pp_alias_rids, 3796 size_t *p_num_alias_rids) 3797{ 3798 struct ldapsam_privates *ldap_state = 3799 (struct ldapsam_privates *)methods->private_data; 3800 LDAP *ldap_struct; 3801 3802 const char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL }; 3803 3804 LDAPMessage *result = NULL; 3805 LDAPMessage *entry = NULL; 3806 int i; 3807 int rc; 3808 char *filter; 3809 enum lsa_SidType type = SID_NAME_USE_NONE; 3810 bool is_builtin = false; 3811 bool sid_added = false; 3812 3813 *pp_alias_rids = NULL; 3814 *p_num_alias_rids = 0; 3815 3816 if (sid_check_is_builtin(domain_sid)) { 3817 is_builtin = true; 3818 type = SID_NAME_ALIAS; 3819 } 3820 3821 if (sid_check_is_domain(domain_sid)) { 3822 type = SID_NAME_ALIAS; 3823 } 3824 3825 if (type == SID_NAME_USE_NONE) { 3826 DEBUG(5, ("SID %s is neither builtin nor domain!\n", 3827 sid_string_dbg(domain_sid))); 3828 return NT_STATUS_UNSUCCESSFUL; 3829 } 3830 3831 if (num_members == 0) { 3832 return NT_STATUS_OK; 3833 } 3834 3835 filter = talloc_asprintf(mem_ctx, 3836 "(&(objectclass=%s)(sambaGroupType=%d)(|", 3837 LDAP_OBJ_GROUPMAP, type); 3838 3839 for (i=0; i<num_members; i++) 3840 filter = talloc_asprintf(mem_ctx, "%s(sambaSIDList=%s)", 3841 filter, 3842 sid_string_talloc(mem_ctx, 3843 &members[i])); 3844 3845 filter = talloc_asprintf(mem_ctx, "%s))", filter); 3846 3847 if (filter == NULL) { 3848 return NT_STATUS_NO_MEMORY; 3849 } 3850 3851 if (is_builtin && 3852 ldap_state->search_cache.filter && 3853 strcmp(ldap_state->search_cache.filter, filter) == 0) { 3854 filter = talloc_move(filter, &ldap_state->search_cache.filter); 3855 result = ldap_state->search_cache.result; 3856 ldap_state->search_cache.result = NULL; 3857 } else { 3858 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(), 3859 LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result); 3860 if (rc != LDAP_SUCCESS) { 3861 return NT_STATUS_UNSUCCESSFUL; 3862 } 3863 talloc_autofree_ldapmsg(filter, result); 3864 } 3865 3866 ldap_struct = ldap_state->smbldap_state->ldap_struct; 3867 3868 for (entry = ldap_first_entry(ldap_struct, result); 3869 entry != NULL; 3870 entry = ldap_next_entry(ldap_struct, entry)) 3871 { 3872 fstring sid_str; 3873 DOM_SID sid; 3874 uint32 rid; 3875 3876 if (!smbldap_get_single_attribute(ldap_struct, entry, 3877 LDAP_ATTRIBUTE_SID, 3878 sid_str, 3879 sizeof(sid_str)-1)) 3880 continue; 3881 3882 if (!string_to_sid(&sid, sid_str)) 3883 continue; 3884 3885 if (!sid_peek_check_rid(domain_sid, &sid, &rid)) 3886 continue; 3887 3888 sid_added = true; 3889 3890 if (!add_rid_to_array_unique(mem_ctx, rid, pp_alias_rids, 3891 p_num_alias_rids)) { 3892 return NT_STATUS_NO_MEMORY; 3893 } 3894 } 3895 3896 if (!is_builtin && !sid_added) { 3897 TALLOC_FREE(ldap_state->search_cache.filter); 3898 /* 3899 * Note: result is a talloc child of filter because of the 3900 * talloc_autofree_ldapmsg() usage 3901 */ 3902 ldap_state->search_cache.filter = talloc_move(ldap_state, &filter); 3903 ldap_state->search_cache.result = result; 3904 } 3905 3906 return NT_STATUS_OK; 3907} 3908 3909static NTSTATUS ldapsam_set_account_policy_in_ldap(struct pdb_methods *methods, 3910 enum pdb_policy_type type, 3911 uint32 value) 3912{ 3913 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL; 3914 int rc; 3915 LDAPMod **mods = NULL; 3916 fstring value_string; 3917 const char *policy_attr = NULL; 3918 3919 struct ldapsam_privates *ldap_state = 3920 (struct ldapsam_privates *)methods->private_data; 3921 3922 DEBUG(10,("ldapsam_set_account_policy_in_ldap\n")); 3923 3924 if (!ldap_state->domain_dn) { 3925 return NT_STATUS_INVALID_PARAMETER; 3926 } 3927 3928 policy_attr = get_account_policy_attr(type); 3929 if (policy_attr == NULL) { 3930 DEBUG(0,("ldapsam_set_account_policy_in_ldap: invalid " 3931 "policy\n")); 3932 return ntstatus; 3933 } 3934 3935 slprintf(value_string, sizeof(value_string) - 1, "%i", value); 3936 3937 smbldap_set_mod(&mods, LDAP_MOD_REPLACE, policy_attr, value_string); 3938 3939 rc = smbldap_modify(ldap_state->smbldap_state, ldap_state->domain_dn, 3940 mods); 3941 3942 ldap_mods_free(mods, True); 3943 3944 if (rc != LDAP_SUCCESS) { 3945 return ntstatus; 3946 } 3947 3948 if (!cache_account_policy_set(type, value)) { 3949 DEBUG(0,("ldapsam_set_account_policy_in_ldap: failed to " 3950 "update local tdb cache\n")); 3951 return ntstatus; 3952 } 3953 3954 return NT_STATUS_OK; 3955} 3956 3957static NTSTATUS ldapsam_set_account_policy(struct pdb_methods *methods, 3958 enum pdb_policy_type type, 3959 uint32_t value) 3960{ 3961 return ldapsam_set_account_policy_in_ldap(methods, type, 3962 value); 3963} 3964 3965static NTSTATUS ldapsam_get_account_policy_from_ldap(struct pdb_methods *methods, 3966 enum pdb_policy_type type, 3967 uint32 *value) 3968{ 3969 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL; 3970 LDAPMessage *result = NULL; 3971 LDAPMessage *entry = NULL; 3972 int count; 3973 int rc; 3974 char **vals = NULL; 3975 char *filter; 3976 const char *policy_attr = NULL; 3977 3978 struct ldapsam_privates *ldap_state = 3979 (struct ldapsam_privates *)methods->private_data; 3980 3981 const char *attrs[2]; 3982 3983 DEBUG(10,("ldapsam_get_account_policy_from_ldap\n")); 3984 3985 if (!ldap_state->domain_dn) { 3986 return NT_STATUS_INVALID_PARAMETER; 3987 } 3988 3989 policy_attr = get_account_policy_attr(type); 3990 if (!policy_attr) { 3991 DEBUG(0,("ldapsam_get_account_policy_from_ldap: invalid " 3992 "policy index: %d\n", type)); 3993 return ntstatus; 3994 } 3995 3996 attrs[0] = policy_attr; 3997 attrs[1] = NULL; 3998 3999 filter = talloc_asprintf(NULL, "(objectClass=%s)", LDAP_OBJ_DOMINFO); 4000 if (filter == NULL) { 4001 return NT_STATUS_NO_MEMORY; 4002 } 4003 rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn, 4004 LDAP_SCOPE_BASE, filter, attrs, 0, 4005 &result); 4006 4007 if (rc != LDAP_SUCCESS) { 4008 return ntstatus; 4009 } 4010 4011 count = ldap_count_entries(priv2ld(ldap_state), result); 4012 if (count < 1) { 4013 goto out; 4014 } 4015 4016 entry = ldap_first_entry(priv2ld(ldap_state), result); 4017 if (entry == NULL) { 4018 goto out; 4019 } 4020 4021 vals = ldap_get_values(priv2ld(ldap_state), entry, policy_attr); 4022 if (vals == NULL) { 4023 goto out; 4024 } 4025 4026 *value = (uint32)atol(vals[0]); 4027 4028 ntstatus = NT_STATUS_OK; 4029 4030out: 4031 if (vals) 4032 ldap_value_free(vals); 4033 ldap_msgfree(result); 4034 4035 return ntstatus; 4036} 4037 4038/* wrapper around ldapsam_get_account_policy_from_ldap(), handles tdb as cache 4039 4040 - if user hasn't decided to use account policies inside LDAP just reuse the 4041 old tdb values 4042 4043 - if there is a valid cache entry, return that 4044 - if there is an LDAP entry, update cache and return 4045 - otherwise set to default, update cache and return 4046 4047 Guenther 4048*/ 4049static NTSTATUS ldapsam_get_account_policy(struct pdb_methods *methods, 4050 enum pdb_policy_type type, 4051 uint32_t *value) 4052{ 4053 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL; 4054 4055 if (cache_account_policy_get(type, value)) { 4056 DEBUG(11,("ldapsam_get_account_policy: got valid value from " 4057 "cache\n")); 4058 return NT_STATUS_OK; 4059 } 4060 4061 ntstatus = ldapsam_get_account_policy_from_ldap(methods, type, 4062 value); 4063 if (NT_STATUS_IS_OK(ntstatus)) { 4064 goto update_cache; 4065 } 4066 4067 DEBUG(10,("ldapsam_get_account_policy: failed to retrieve from " 4068 "ldap\n")); 4069 4070#if 0 4071 /* should we automagically migrate old tdb value here ? */ 4072 if (account_policy_get(type, value)) 4073 goto update_ldap; 4074 4075 DEBUG(10,("ldapsam_get_account_policy: no tdb for %d, trying " 4076 "default\n", type)); 4077#endif 4078 4079 if (!account_policy_get_default(type, value)) { 4080 return ntstatus; 4081 } 4082 4083/* update_ldap: */ 4084 4085 ntstatus = ldapsam_set_account_policy(methods, type, *value); 4086 if (!NT_STATUS_IS_OK(ntstatus)) { 4087 return ntstatus; 4088 } 4089 4090 update_cache: 4091 4092 if (!cache_account_policy_set(type, *value)) { 4093 DEBUG(0,("ldapsam_get_account_policy: failed to update local " 4094 "tdb as a cache\n")); 4095 return NT_STATUS_UNSUCCESSFUL; 4096 } 4097 4098 return NT_STATUS_OK; 4099} 4100 4101static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, 4102 const DOM_SID *domain_sid, 4103 int num_rids, 4104 uint32 *rids, 4105 const char **names, 4106 enum lsa_SidType *attrs) 4107{ 4108 struct ldapsam_privates *ldap_state = 4109 (struct ldapsam_privates *)methods->private_data; 4110 LDAPMessage *msg = NULL; 4111 LDAPMessage *entry; 4112 char *allsids = NULL; 4113 int i, rc, num_mapped; 4114 NTSTATUS result = NT_STATUS_NO_MEMORY; 4115 TALLOC_CTX *mem_ctx; 4116 LDAP *ld; 4117 bool is_builtin; 4118 4119 mem_ctx = talloc_new(NULL); 4120 if (mem_ctx == NULL) { 4121 DEBUG(0, ("talloc_new failed\n")); 4122 goto done; 4123 } 4124 4125 if (!sid_check_is_builtin(domain_sid) && 4126 !sid_check_is_domain(domain_sid)) { 4127 result = NT_STATUS_INVALID_PARAMETER; 4128 goto done; 4129 } 4130 4131 if (num_rids == 0) { 4132 result = NT_STATUS_NONE_MAPPED; 4133 goto done; 4134 } 4135 4136 for (i=0; i<num_rids; i++) 4137 attrs[i] = SID_NAME_UNKNOWN; 4138 4139 allsids = talloc_strdup(mem_ctx, ""); 4140 if (allsids == NULL) { 4141 goto done; 4142 } 4143 4144 for (i=0; i<num_rids; i++) { 4145 DOM_SID sid; 4146 sid_compose(&sid, domain_sid, rids[i]); 4147 allsids = talloc_asprintf_append_buffer( 4148 allsids, "(sambaSid=%s)", 4149 sid_string_talloc(mem_ctx, &sid)); 4150 if (allsids == NULL) { 4151 goto done; 4152 } 4153 } 4154 4155 /* First look for users */ 4156 4157 { 4158 char *filter; 4159 const char *ldap_attrs[] = { "uid", "sambaSid", NULL }; 4160 4161 filter = talloc_asprintf( 4162 mem_ctx, ("(&(objectClass=%s)(|%s))"), 4163 LDAP_OBJ_SAMBASAMACCOUNT, allsids); 4164 4165 if (filter == NULL) { 4166 goto done; 4167 } 4168 4169 rc = smbldap_search(ldap_state->smbldap_state, 4170 lp_ldap_user_suffix(), 4171 LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0, 4172 &msg); 4173 talloc_autofree_ldapmsg(mem_ctx, msg); 4174 } 4175 4176 if (rc != LDAP_SUCCESS) 4177 goto done; 4178 4179 ld = ldap_state->smbldap_state->ldap_struct; 4180 num_mapped = 0; 4181 4182 for (entry = ldap_first_entry(ld, msg); 4183 entry != NULL; 4184 entry = ldap_next_entry(ld, entry)) { 4185 uint32 rid; 4186 int rid_index; 4187 const char *name; 4188 4189 if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid, 4190 &rid)) { 4191 DEBUG(2, ("Could not find sid from ldap entry\n")); 4192 continue; 4193 } 4194 4195 name = smbldap_talloc_single_attribute(ld, entry, "uid", 4196 names); 4197 if (name == NULL) { 4198 DEBUG(2, ("Could not retrieve uid attribute\n")); 4199 continue; 4200 } 4201 4202 for (rid_index = 0; rid_index < num_rids; rid_index++) { 4203 if (rid == rids[rid_index]) 4204 break; 4205 } 4206 4207 if (rid_index == num_rids) { 4208 DEBUG(2, ("Got a RID not asked for: %d\n", rid)); 4209 continue; 4210 } 4211 4212 attrs[rid_index] = SID_NAME_USER; 4213 names[rid_index] = name; 4214 num_mapped += 1; 4215 } 4216 4217 if (num_mapped == num_rids) { 4218 /* No need to look for groups anymore -- we're done */ 4219 result = NT_STATUS_OK; 4220 goto done; 4221 } 4222 4223 /* Same game for groups */ 4224 4225 { 4226 char *filter; 4227 const char *ldap_attrs[] = { "cn", "displayName", "sambaSid", 4228 "sambaGroupType", NULL }; 4229 4230 filter = talloc_asprintf( 4231 mem_ctx, "(&(objectClass=%s)(|%s))", 4232 LDAP_OBJ_GROUPMAP, allsids); 4233 if (filter == NULL) { 4234 goto done; 4235 } 4236 4237 rc = smbldap_search(ldap_state->smbldap_state, 4238 lp_ldap_suffix(), 4239 LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0, 4240 &msg); 4241 talloc_autofree_ldapmsg(mem_ctx, msg); 4242 } 4243 4244 if (rc != LDAP_SUCCESS) 4245 goto done; 4246 4247 /* ldap_struct might have changed due to a reconnect */ 4248 4249 ld = ldap_state->smbldap_state->ldap_struct; 4250 4251 /* For consistency checks, we already checked we're only domain or builtin */ 4252 4253 is_builtin = sid_check_is_builtin(domain_sid); 4254 4255 for (entry = ldap_first_entry(ld, msg); 4256 entry != NULL; 4257 entry = ldap_next_entry(ld, entry)) 4258 { 4259 uint32 rid; 4260 int rid_index; 4261 const char *attr; 4262 enum lsa_SidType type; 4263 const char *dn = smbldap_talloc_dn(mem_ctx, ld, entry); 4264 4265 attr = smbldap_talloc_single_attribute(ld, entry, "sambaGroupType", 4266 mem_ctx); 4267 if (attr == NULL) { 4268 DEBUG(2, ("Could not extract type from ldap entry %s\n", 4269 dn)); 4270 continue; 4271 } 4272 4273 type = (enum lsa_SidType)atol(attr); 4274 4275 /* Consistency checks */ 4276 if ((is_builtin && (type != SID_NAME_ALIAS)) || 4277 (!is_builtin && ((type != SID_NAME_ALIAS) && 4278 (type != SID_NAME_DOM_GRP)))) { 4279 DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn)); 4280 } 4281 4282 if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid, 4283 &rid)) { 4284 DEBUG(2, ("Could not find sid from ldap entry %s\n", dn)); 4285 continue; 4286 } 4287 4288 attr = smbldap_talloc_single_attribute(ld, entry, "displayName", names); 4289 4290 if (attr == NULL) { 4291 DEBUG(10, ("Could not retrieve 'displayName' attribute from %s\n", 4292 dn)); 4293 attr = smbldap_talloc_single_attribute(ld, entry, "cn", names); 4294 } 4295 4296 if (attr == NULL) { 4297 DEBUG(2, ("Could not retrieve naming attribute from %s\n", 4298 dn)); 4299 continue; 4300 } 4301 4302 for (rid_index = 0; rid_index < num_rids; rid_index++) { 4303 if (rid == rids[rid_index]) 4304 break; 4305 } 4306 4307 if (rid_index == num_rids) { 4308 DEBUG(2, ("Got a RID not asked for: %d\n", rid)); 4309 continue; 4310 } 4311 4312 attrs[rid_index] = type; 4313 names[rid_index] = attr; 4314 num_mapped += 1; 4315 } 4316 4317 result = NT_STATUS_NONE_MAPPED; 4318 4319 if (num_mapped > 0) 4320 result = (num_mapped == num_rids) ? 4321 NT_STATUS_OK : STATUS_SOME_UNMAPPED; 4322 done: 4323 TALLOC_FREE(mem_ctx); 4324 return result; 4325} 4326 4327static char *get_ldap_filter(TALLOC_CTX *mem_ctx, const char *username) 4328{ 4329 char *filter = NULL; 4330 char *escaped = NULL; 4331 char *result = NULL; 4332 4333 if (asprintf(&filter, "(&%s(objectclass=%s))", 4334 "(uid=%u)", LDAP_OBJ_SAMBASAMACCOUNT) < 0) { 4335 goto done; 4336 } 4337 4338 escaped = escape_ldap_string(talloc_tos(), username); 4339 if (escaped == NULL) goto done; 4340 4341 result = talloc_string_sub(mem_ctx, filter, "%u", username); 4342 4343 done: 4344 SAFE_FREE(filter); 4345 TALLOC_FREE(escaped); 4346 4347 return result; 4348} 4349 4350const char **talloc_attrs(TALLOC_CTX *mem_ctx, ...) 4351{ 4352 int i, num = 0; 4353 va_list ap; 4354 const char **result; 4355 4356 va_start(ap, mem_ctx); 4357 while (va_arg(ap, const char *) != NULL) 4358 num += 1; 4359 va_end(ap); 4360 4361 if ((result = TALLOC_ARRAY(mem_ctx, const char *, num+1)) == NULL) { 4362 return NULL; 4363 } 4364 4365 va_start(ap, mem_ctx); 4366 for (i=0; i<num; i++) { 4367 result[i] = talloc_strdup(result, va_arg(ap, const char*)); 4368 if (result[i] == NULL) { 4369 talloc_free(result); 4370 va_end(ap); 4371 return NULL; 4372 } 4373 } 4374 va_end(ap); 4375 4376 result[num] = NULL; 4377 return result; 4378} 4379 4380struct ldap_search_state { 4381 struct smbldap_state *connection; 4382 4383 uint32 acct_flags; 4384 uint16 group_type; 4385 4386 const char *base; 4387 int scope; 4388 const char *filter; 4389 const char **attrs; 4390 int attrsonly; 4391 void *pagedresults_cookie; 4392 4393 LDAPMessage *entries, *current_entry; 4394 bool (*ldap2displayentry)(struct ldap_search_state *state, 4395 TALLOC_CTX *mem_ctx, 4396 LDAP *ld, LDAPMessage *entry, 4397 struct samr_displayentry *result); 4398}; 4399 4400static bool ldapsam_search_firstpage(struct pdb_search *search) 4401{ 4402 struct ldap_search_state *state = 4403 (struct ldap_search_state *)search->private_data; 4404 LDAP *ld; 4405 int rc = LDAP_OPERATIONS_ERROR; 4406 4407 state->entries = NULL; 4408 4409 if (state->connection->paged_results) { 4410 rc = smbldap_search_paged(state->connection, state->base, 4411 state->scope, state->filter, 4412 state->attrs, state->attrsonly, 4413 lp_ldap_page_size(), &state->entries, 4414 &state->pagedresults_cookie); 4415 } 4416 4417 if ((rc != LDAP_SUCCESS) || (state->entries == NULL)) { 4418 4419 if (state->entries != NULL) { 4420 /* Left over from unsuccessful paged attempt */ 4421 ldap_msgfree(state->entries); 4422 state->entries = NULL; 4423 } 4424 4425 rc = smbldap_search(state->connection, state->base, 4426 state->scope, state->filter, state->attrs, 4427 state->attrsonly, &state->entries); 4428 4429 if ((rc != LDAP_SUCCESS) || (state->entries == NULL)) 4430 return False; 4431 4432 /* Ok, the server was lying. It told us it could do paged 4433 * searches when it could not. */ 4434 state->connection->paged_results = False; 4435 } 4436 4437 ld = state->connection->ldap_struct; 4438 if ( ld == NULL) { 4439 DEBUG(5, ("Don't have an LDAP connection right after a " 4440 "search\n")); 4441 return False; 4442 } 4443 state->current_entry = ldap_first_entry(ld, state->entries); 4444 4445 return True; 4446} 4447 4448static bool ldapsam_search_nextpage(struct pdb_search *search) 4449{ 4450 struct ldap_search_state *state = 4451 (struct ldap_search_state *)search->private_data; 4452 int rc; 4453 4454 if (!state->connection->paged_results) { 4455 /* There is no next page when there are no paged results */ 4456 return False; 4457 } 4458 4459 rc = smbldap_search_paged(state->connection, state->base, 4460 state->scope, state->filter, state->attrs, 4461 state->attrsonly, lp_ldap_page_size(), 4462 &state->entries, 4463 &state->pagedresults_cookie); 4464 4465 if ((rc != LDAP_SUCCESS) || (state->entries == NULL)) 4466 return False; 4467 4468 state->current_entry = ldap_first_entry(state->connection->ldap_struct, state->entries); 4469 4470 if (state->current_entry == NULL) { 4471 ldap_msgfree(state->entries); 4472 state->entries = NULL; 4473 return false; 4474 } 4475 4476 return True; 4477} 4478 4479static bool ldapsam_search_next_entry(struct pdb_search *search, 4480 struct samr_displayentry *entry) 4481{ 4482 struct ldap_search_state *state = 4483 (struct ldap_search_state *)search->private_data; 4484 bool result; 4485 4486 retry: 4487 if ((state->entries == NULL) && (state->pagedresults_cookie == NULL)) 4488 return False; 4489 4490 if ((state->entries == NULL) && 4491 !ldapsam_search_nextpage(search)) 4492 return False; 4493 4494 if (state->current_entry == NULL) { 4495 return false; 4496 } 4497 4498 result = state->ldap2displayentry(state, search, 4499 state->connection->ldap_struct, 4500 state->current_entry, entry); 4501 4502 if (!result) { 4503 char *dn; 4504 dn = ldap_get_dn(state->connection->ldap_struct, state->current_entry); 4505 DEBUG(5, ("Skipping entry %s\n", dn != NULL ? dn : "<NULL>")); 4506 if (dn != NULL) ldap_memfree(dn); 4507 } 4508 4509 state->current_entry = ldap_next_entry(state->connection->ldap_struct, state->current_entry); 4510 4511 if (state->current_entry == NULL) { 4512 ldap_msgfree(state->entries); 4513 state->entries = NULL; 4514 } 4515 4516 if (!result) goto retry; 4517 4518 return True; 4519} 4520 4521static void ldapsam_search_end(struct pdb_search *search) 4522{ 4523 struct ldap_search_state *state = 4524 (struct ldap_search_state *)search->private_data; 4525 int rc; 4526 4527 if (state->pagedresults_cookie == NULL) 4528 return; 4529 4530 if (state->entries != NULL) 4531 ldap_msgfree(state->entries); 4532 4533 state->entries = NULL; 4534 state->current_entry = NULL; 4535 4536 if (!state->connection->paged_results) 4537 return; 4538 4539 /* Tell the LDAP server we're not interested in the rest anymore. */ 4540 4541 rc = smbldap_search_paged(state->connection, state->base, state->scope, 4542 state->filter, state->attrs, 4543 state->attrsonly, 0, &state->entries, 4544 &state->pagedresults_cookie); 4545 4546 if (rc != LDAP_SUCCESS) 4547 DEBUG(5, ("Could not end search properly\n")); 4548 4549 return; 4550} 4551 4552static bool ldapuser2displayentry(struct ldap_search_state *state, 4553 TALLOC_CTX *mem_ctx, 4554 LDAP *ld, LDAPMessage *entry, 4555 struct samr_displayentry *result) 4556{ 4557 char **vals; 4558 size_t converted_size; 4559 DOM_SID sid; 4560 uint32 acct_flags; 4561 4562 vals = ldap_get_values(ld, entry, "sambaAcctFlags"); 4563 if ((vals == NULL) || (vals[0] == NULL)) { 4564 DEBUG(5, ("\"sambaAcctFlags\" not found\n")); 4565 return False; 4566 } 4567 acct_flags = pdb_decode_acct_ctrl(vals[0]); 4568 ldap_value_free(vals); 4569 4570 if ((state->acct_flags != 0) && 4571 ((state->acct_flags & acct_flags) == 0)) 4572 return False; 4573 4574 result->acct_flags = acct_flags; 4575 result->account_name = ""; 4576 result->fullname = ""; 4577 result->description = ""; 4578 4579 vals = ldap_get_values(ld, entry, "uid"); 4580 if ((vals == NULL) || (vals[0] == NULL)) { 4581 DEBUG(5, ("\"uid\" not found\n")); 4582 return False; 4583 } 4584 if (!pull_utf8_talloc(mem_ctx, 4585 CONST_DISCARD(char **, &result->account_name), 4586 vals[0], &converted_size)) 4587 { 4588 DEBUG(0,("ldapuser2displayentry: pull_utf8_talloc failed: %s", 4589 strerror(errno))); 4590 } 4591 4592 ldap_value_free(vals); 4593 4594 vals = ldap_get_values(ld, entry, "displayName"); 4595 if ((vals == NULL) || (vals[0] == NULL)) 4596 DEBUG(8, ("\"displayName\" not found\n")); 4597 else if (!pull_utf8_talloc(mem_ctx, 4598 CONST_DISCARD(char **, &result->fullname), 4599 vals[0], &converted_size)) 4600 { 4601 DEBUG(0,("ldapuser2displayentry: pull_utf8_talloc failed: %s", 4602 strerror(errno))); 4603 } 4604 4605 ldap_value_free(vals); 4606 4607 vals = ldap_get_values(ld, entry, "description"); 4608 if ((vals == NULL) || (vals[0] == NULL)) 4609 DEBUG(8, ("\"description\" not found\n")); 4610 else if (!pull_utf8_talloc(mem_ctx, 4611 CONST_DISCARD(char **, &result->description), 4612 vals[0], &converted_size)) 4613 { 4614 DEBUG(0,("ldapuser2displayentry: pull_utf8_talloc failed: %s", 4615 strerror(errno))); 4616 } 4617 4618 ldap_value_free(vals); 4619 4620 if ((result->account_name == NULL) || 4621 (result->fullname == NULL) || 4622 (result->description == NULL)) { 4623 DEBUG(0, ("talloc failed\n")); 4624 return False; 4625 } 4626 4627 vals = ldap_get_values(ld, entry, "sambaSid"); 4628 if ((vals == NULL) || (vals[0] == NULL)) { 4629 DEBUG(0, ("\"objectSid\" not found\n")); 4630 return False; 4631 } 4632 4633 if (!string_to_sid(&sid, vals[0])) { 4634 DEBUG(0, ("Could not convert %s to SID\n", vals[0])); 4635 ldap_value_free(vals); 4636 return False; 4637 } 4638 ldap_value_free(vals); 4639 4640 if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) { 4641 DEBUG(0, ("sid %s does not belong to our domain\n", 4642 sid_string_dbg(&sid))); 4643 return False; 4644 } 4645 4646 return True; 4647} 4648 4649 4650static bool ldapsam_search_users(struct pdb_methods *methods, 4651 struct pdb_search *search, 4652 uint32 acct_flags) 4653{ 4654 struct ldapsam_privates *ldap_state = 4655 (struct ldapsam_privates *)methods->private_data; 4656 struct ldap_search_state *state; 4657 4658 state = talloc(search, struct ldap_search_state); 4659 if (state == NULL) { 4660 DEBUG(0, ("talloc failed\n")); 4661 return False; 4662 } 4663 4664 state->connection = ldap_state->smbldap_state; 4665 4666 if ((acct_flags != 0) && ((acct_flags & ACB_NORMAL) != 0)) 4667 state->base = lp_ldap_user_suffix(); 4668 else if ((acct_flags != 0) && 4669 ((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0)) 4670 state->base = lp_ldap_machine_suffix(); 4671 else 4672 state->base = lp_ldap_suffix(); 4673 4674 state->acct_flags = acct_flags; 4675 state->base = talloc_strdup(search, state->base); 4676 state->scope = LDAP_SCOPE_SUBTREE; 4677 state->filter = get_ldap_filter(search, "*"); 4678 state->attrs = talloc_attrs(search, "uid", "sambaSid", 4679 "displayName", "description", 4680 "sambaAcctFlags", NULL); 4681 state->attrsonly = 0; 4682 state->pagedresults_cookie = NULL; 4683 state->entries = NULL; 4684 state->ldap2displayentry = ldapuser2displayentry; 4685 4686 if ((state->filter == NULL) || (state->attrs == NULL)) { 4687 DEBUG(0, ("talloc failed\n")); 4688 return False; 4689 } 4690 4691 search->private_data = state; 4692 search->next_entry = ldapsam_search_next_entry; 4693 search->search_end = ldapsam_search_end; 4694 4695 return ldapsam_search_firstpage(search); 4696} 4697 4698static bool ldapgroup2displayentry(struct ldap_search_state *state, 4699 TALLOC_CTX *mem_ctx, 4700 LDAP *ld, LDAPMessage *entry, 4701 struct samr_displayentry *result) 4702{ 4703 char **vals; 4704 size_t converted_size; 4705 DOM_SID sid; 4706 uint16 group_type; 4707 4708 result->account_name = ""; 4709 result->fullname = ""; 4710 result->description = ""; 4711 4712 4713 vals = ldap_get_values(ld, entry, "sambaGroupType"); 4714 if ((vals == NULL) || (vals[0] == NULL)) { 4715 DEBUG(5, ("\"sambaGroupType\" not found\n")); 4716 if (vals != NULL) { 4717 ldap_value_free(vals); 4718 } 4719 return False; 4720 } 4721 4722 group_type = atoi(vals[0]); 4723 4724 if ((state->group_type != 0) && 4725 ((state->group_type != group_type))) { 4726 ldap_value_free(vals); 4727 return False; 4728 } 4729 4730 ldap_value_free(vals); 4731 4732 /* display name is the NT group name */ 4733 4734 vals = ldap_get_values(ld, entry, "displayName"); 4735 if ((vals == NULL) || (vals[0] == NULL)) { 4736 DEBUG(8, ("\"displayName\" not found\n")); 4737 4738 /* fallback to the 'cn' attribute */ 4739 vals = ldap_get_values(ld, entry, "cn"); 4740 if ((vals == NULL) || (vals[0] == NULL)) { 4741 DEBUG(5, ("\"cn\" not found\n")); 4742 return False; 4743 } 4744 if (!pull_utf8_talloc(mem_ctx, 4745 CONST_DISCARD(char **, 4746 &result->account_name), 4747 vals[0], &converted_size)) 4748 { 4749 DEBUG(0,("ldapgroup2displayentry: pull_utf8_talloc " 4750 "failed: %s", strerror(errno))); 4751 } 4752 } 4753 else if (!pull_utf8_talloc(mem_ctx, 4754 CONST_DISCARD(char **, 4755 &result->account_name), 4756 vals[0], &converted_size)) 4757 { 4758 DEBUG(0,("ldapgroup2displayentry: pull_utf8_talloc failed: %s", 4759 strerror(errno))); 4760 } 4761 4762 ldap_value_free(vals); 4763 4764 vals = ldap_get_values(ld, entry, "description"); 4765 if ((vals == NULL) || (vals[0] == NULL)) 4766 DEBUG(8, ("\"description\" not found\n")); 4767 else if (!pull_utf8_talloc(mem_ctx, 4768 CONST_DISCARD(char **, &result->description), 4769 vals[0], &converted_size)) 4770 { 4771 DEBUG(0,("ldapgroup2displayentry: pull_utf8_talloc failed: %s", 4772 strerror(errno))); 4773 } 4774 ldap_value_free(vals); 4775 4776 if ((result->account_name == NULL) || 4777 (result->fullname == NULL) || 4778 (result->description == NULL)) { 4779 DEBUG(0, ("talloc failed\n")); 4780 return False; 4781 } 4782 4783 vals = ldap_get_values(ld, entry, "sambaSid"); 4784 if ((vals == NULL) || (vals[0] == NULL)) { 4785 DEBUG(0, ("\"objectSid\" not found\n")); 4786 if (vals != NULL) { 4787 ldap_value_free(vals); 4788 } 4789 return False; 4790 } 4791 4792 if (!string_to_sid(&sid, vals[0])) { 4793 DEBUG(0, ("Could not convert %s to SID\n", vals[0])); 4794 return False; 4795 } 4796 4797 ldap_value_free(vals); 4798 4799 switch (group_type) { 4800 case SID_NAME_DOM_GRP: 4801 case SID_NAME_ALIAS: 4802 4803 if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid) 4804 && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid)) 4805 { 4806 DEBUG(0, ("%s is not in our domain\n", 4807 sid_string_dbg(&sid))); 4808 return False; 4809 } 4810 break; 4811 4812 default: 4813 DEBUG(0,("unkown group type: %d\n", group_type)); 4814 return False; 4815 } 4816 4817 result->acct_flags = 0; 4818 4819 return True; 4820} 4821 4822static bool ldapsam_search_grouptype(struct pdb_methods *methods, 4823 struct pdb_search *search, 4824 const DOM_SID *sid, 4825 enum lsa_SidType type) 4826{ 4827 struct ldapsam_privates *ldap_state = 4828 (struct ldapsam_privates *)methods->private_data; 4829 struct ldap_search_state *state; 4830 fstring tmp; 4831 4832 state = talloc(search, struct ldap_search_state); 4833 if (state == NULL) { 4834 DEBUG(0, ("talloc failed\n")); 4835 return False; 4836 } 4837 4838 state->connection = ldap_state->smbldap_state; 4839 4840 state->base = talloc_strdup(search, lp_ldap_suffix()); 4841 state->connection = ldap_state->smbldap_state; 4842 state->scope = LDAP_SCOPE_SUBTREE; 4843 state->filter = talloc_asprintf(search, "(&(objectclass=%s)" 4844 "(sambaGroupType=%d)(sambaSID=%s*))", 4845 LDAP_OBJ_GROUPMAP, 4846 type, sid_to_fstring(tmp, sid)); 4847 state->attrs = talloc_attrs(search, "cn", "sambaSid", 4848 "displayName", "description", 4849 "sambaGroupType", NULL); 4850 state->attrsonly = 0; 4851 state->pagedresults_cookie = NULL; 4852 state->entries = NULL; 4853 state->group_type = type; 4854 state->ldap2displayentry = ldapgroup2displayentry; 4855 4856 if ((state->filter == NULL) || (state->attrs == NULL)) { 4857 DEBUG(0, ("talloc failed\n")); 4858 return False; 4859 } 4860 4861 search->private_data = state; 4862 search->next_entry = ldapsam_search_next_entry; 4863 search->search_end = ldapsam_search_end; 4864 4865 return ldapsam_search_firstpage(search); 4866} 4867 4868static bool ldapsam_search_groups(struct pdb_methods *methods, 4869 struct pdb_search *search) 4870{ 4871 return ldapsam_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP); 4872} 4873 4874static bool ldapsam_search_aliases(struct pdb_methods *methods, 4875 struct pdb_search *search, 4876 const DOM_SID *sid) 4877{ 4878 return ldapsam_search_grouptype(methods, search, sid, SID_NAME_ALIAS); 4879} 4880 4881static uint32_t ldapsam_capabilities(struct pdb_methods *methods) 4882{ 4883 return PDB_CAP_STORE_RIDS; 4884} 4885 4886static NTSTATUS ldapsam_get_new_rid(struct ldapsam_privates *priv, 4887 uint32 *rid) 4888{ 4889 struct smbldap_state *smbldap_state = priv->smbldap_state; 4890 4891 LDAPMessage *result = NULL; 4892 LDAPMessage *entry = NULL; 4893 LDAPMod **mods = NULL; 4894 NTSTATUS status; 4895 char *value; 4896 int rc; 4897 uint32 nextRid = 0; 4898 const char *dn; 4899 4900 TALLOC_CTX *mem_ctx; 4901 4902 mem_ctx = talloc_new(NULL); 4903 if (mem_ctx == NULL) { 4904 DEBUG(0, ("talloc_new failed\n")); 4905 return NT_STATUS_NO_MEMORY; 4906 } 4907 4908 status = smbldap_search_domain_info(smbldap_state, &result, 4909 get_global_sam_name(), False); 4910 if (!NT_STATUS_IS_OK(status)) { 4911 DEBUG(3, ("Could not get domain info: %s\n", 4912 nt_errstr(status))); 4913 goto done; 4914 } 4915 4916 talloc_autofree_ldapmsg(mem_ctx, result); 4917 4918 entry = ldap_first_entry(priv2ld(priv), result); 4919 if (entry == NULL) { 4920 DEBUG(0, ("Could not get domain info entry\n")); 4921 status = NT_STATUS_INTERNAL_DB_CORRUPTION; 4922 goto done; 4923 } 4924 4925 /* Find the largest of the three attributes "sambaNextRid", 4926 "sambaNextGroupRid" and "sambaNextUserRid". I gave up on the 4927 concept of differentiating between user and group rids, and will 4928 use only "sambaNextRid" in the future. But for compatibility 4929 reasons I look if others have chosen different strategies -- VL */ 4930 4931 value = smbldap_talloc_single_attribute(priv2ld(priv), entry, 4932 "sambaNextRid", mem_ctx); 4933 if (value != NULL) { 4934 uint32 tmp = (uint32)strtoul(value, NULL, 10); 4935 nextRid = MAX(nextRid, tmp); 4936 } 4937 4938 value = smbldap_talloc_single_attribute(priv2ld(priv), entry, 4939 "sambaNextUserRid", mem_ctx); 4940 if (value != NULL) { 4941 uint32 tmp = (uint32)strtoul(value, NULL, 10); 4942 nextRid = MAX(nextRid, tmp); 4943 } 4944 4945 value = smbldap_talloc_single_attribute(priv2ld(priv), entry, 4946 "sambaNextGroupRid", mem_ctx); 4947 if (value != NULL) { 4948 uint32 tmp = (uint32)strtoul(value, NULL, 10); 4949 nextRid = MAX(nextRid, tmp); 4950 } 4951 4952 if (nextRid == 0) { 4953 nextRid = BASE_RID-1; 4954 } 4955 4956 nextRid += 1; 4957 4958 smbldap_make_mod(priv2ld(priv), entry, &mods, "sambaNextRid", 4959 talloc_asprintf(mem_ctx, "%d", nextRid)); 4960 talloc_autofree_ldapmod(mem_ctx, mods); 4961 4962 if ((dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry)) == NULL) { 4963 status = NT_STATUS_NO_MEMORY; 4964 goto done; 4965 } 4966 4967 rc = smbldap_modify(smbldap_state, dn, mods); 4968 4969 /* ACCESS_DENIED is used as a placeholder for "the modify failed, 4970 * please retry" */ 4971 4972 status = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; 4973 4974 done: 4975 if (NT_STATUS_IS_OK(status)) { 4976 *rid = nextRid; 4977 } 4978 4979 TALLOC_FREE(mem_ctx); 4980 return status; 4981} 4982 4983static NTSTATUS ldapsam_new_rid_internal(struct pdb_methods *methods, uint32 *rid) 4984{ 4985 int i; 4986 4987 for (i=0; i<10; i++) { 4988 NTSTATUS result = ldapsam_get_new_rid( 4989 (struct ldapsam_privates *)methods->private_data, rid); 4990 if (NT_STATUS_IS_OK(result)) { 4991 return result; 4992 } 4993 4994 if (!NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) { 4995 return result; 4996 } 4997 4998 /* The ldap update failed (maybe a race condition), retry */ 4999 } 5000 5001 /* Tried 10 times, fail. */ 5002 return NT_STATUS_ACCESS_DENIED; 5003} 5004 5005static bool ldapsam_new_rid(struct pdb_methods *methods, uint32 *rid) 5006{ 5007 NTSTATUS result = ldapsam_new_rid_internal(methods, rid); 5008 return NT_STATUS_IS_OK(result) ? True : False; 5009} 5010 5011static bool ldapsam_sid_to_id(struct pdb_methods *methods, 5012 const DOM_SID *sid, 5013 union unid_t *id, enum lsa_SidType *type) 5014{ 5015 struct ldapsam_privates *priv = 5016 (struct ldapsam_privates *)methods->private_data; 5017 char *filter; 5018 const char *attrs[] = { "sambaGroupType", "gidNumber", "uidNumber", 5019 NULL }; 5020 LDAPMessage *result = NULL; 5021 LDAPMessage *entry = NULL; 5022 bool ret = False; 5023 char *value; 5024 int rc; 5025 5026 TALLOC_CTX *mem_ctx; 5027 5028 mem_ctx = talloc_new(NULL); 5029 if (mem_ctx == NULL) { 5030 DEBUG(0, ("talloc_new failed\n")); 5031 return False; 5032 } 5033 5034 filter = talloc_asprintf(mem_ctx, 5035 "(&(sambaSid=%s)" 5036 "(|(objectClass=%s)(objectClass=%s)))", 5037 sid_string_talloc(mem_ctx, sid), 5038 LDAP_OBJ_GROUPMAP, LDAP_OBJ_SAMBASAMACCOUNT); 5039 if (filter == NULL) { 5040 DEBUG(5, ("talloc_asprintf failed\n")); 5041 goto done; 5042 } 5043 5044 rc = smbldap_search_suffix(priv->smbldap_state, filter, 5045 attrs, &result); 5046 if (rc != LDAP_SUCCESS) { 5047 goto done; 5048 } 5049 talloc_autofree_ldapmsg(mem_ctx, result); 5050 5051 if (ldap_count_entries(priv2ld(priv), result) != 1) { 5052 DEBUG(10, ("Got %d entries, expected one\n", 5053 ldap_count_entries(priv2ld(priv), result))); 5054 goto done; 5055 } 5056 5057 entry = ldap_first_entry(priv2ld(priv), result); 5058 5059 value = smbldap_talloc_single_attribute(priv2ld(priv), entry, 5060 "sambaGroupType", mem_ctx); 5061 5062 if (value != NULL) { 5063 const char *gid_str; 5064 /* It's a group */ 5065 5066 gid_str = smbldap_talloc_single_attribute( 5067 priv2ld(priv), entry, "gidNumber", mem_ctx); 5068 if (gid_str == NULL) { 5069 DEBUG(1, ("%s has sambaGroupType but no gidNumber\n", 5070 smbldap_talloc_dn(mem_ctx, priv2ld(priv), 5071 entry))); 5072 goto done; 5073 } 5074 5075 id->gid = strtoul(gid_str, NULL, 10); 5076 *type = (enum lsa_SidType)strtoul(value, NULL, 10); 5077 store_gid_sid_cache(sid, id->gid); 5078 idmap_cache_set_sid2gid(sid, id->gid); 5079 ret = True; 5080 goto done; 5081 } 5082 5083 /* It must be a user */ 5084 5085 value = smbldap_talloc_single_attribute(priv2ld(priv), entry, 5086 "uidNumber", mem_ctx); 5087 if (value == NULL) { 5088 DEBUG(1, ("Could not find uidNumber in %s\n", 5089 smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry))); 5090 goto done; 5091 } 5092 5093 id->uid = strtoul(value, NULL, 10); 5094 *type = SID_NAME_USER; 5095 store_uid_sid_cache(sid, id->uid); 5096 idmap_cache_set_sid2uid(sid, id->uid); 5097 5098 ret = True; 5099 done: 5100 TALLOC_FREE(mem_ctx); 5101 return ret; 5102} 5103 5104/** 5105 * Find the SID for a uid. 5106 * This is shortcut is only used if ldapsam:trusted is set to true. 5107 */ 5108static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid, 5109 DOM_SID *sid) 5110{ 5111 struct ldapsam_privates *priv = 5112 (struct ldapsam_privates *)methods->private_data; 5113 char *filter; 5114 const char *attrs[] = { "sambaSID", NULL }; 5115 LDAPMessage *result = NULL; 5116 LDAPMessage *entry = NULL; 5117 bool ret = false; 5118 char *user_sid_string; 5119 DOM_SID *user_sid; 5120 int rc; 5121 TALLOC_CTX *tmp_ctx = talloc_stackframe(); 5122 5123 filter = talloc_asprintf(tmp_ctx, 5124 "(&(uidNumber=%u)" 5125 "(objectClass=%s)" 5126 "(objectClass=%s))", 5127 (unsigned int)uid, 5128 LDAP_OBJ_POSIXACCOUNT, 5129 LDAP_OBJ_SAMBASAMACCOUNT); 5130 if (filter == NULL) { 5131 DEBUG(3, ("talloc_asprintf failed\n")); 5132 goto done; 5133 } 5134 5135 rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result); 5136 if (rc != LDAP_SUCCESS) { 5137 goto done; 5138 } 5139 talloc_autofree_ldapmsg(tmp_ctx, result); 5140 5141 if (ldap_count_entries(priv2ld(priv), result) != 1) { 5142 DEBUG(3, ("ERROR: Got %d entries for uid %u, expected one\n", 5143 ldap_count_entries(priv2ld(priv), result), 5144 (unsigned int)uid)); 5145 goto done; 5146 } 5147 5148 entry = ldap_first_entry(priv2ld(priv), result); 5149 5150 user_sid_string = smbldap_talloc_single_attribute(priv2ld(priv), entry, 5151 "sambaSID", tmp_ctx); 5152 if (user_sid_string == NULL) { 5153 DEBUG(1, ("Could not find sambaSID in object '%s'\n", 5154 smbldap_talloc_dn(tmp_ctx, priv2ld(priv), entry))); 5155 goto done; 5156 } 5157 5158 user_sid = string_sid_talloc(tmp_ctx, user_sid_string); 5159 if (user_sid == NULL) { 5160 DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n", 5161 user_sid_string)); 5162 goto done; 5163 } 5164 5165 sid_copy(sid, user_sid); 5166 5167 store_uid_sid_cache(sid, uid); 5168 idmap_cache_set_sid2uid(sid, uid); 5169 5170 ret = true; 5171 5172 done: 5173 TALLOC_FREE(tmp_ctx); 5174 return ret; 5175} 5176 5177/** 5178 * Find the SID for a gid. 5179 * This is shortcut is only used if ldapsam:trusted is set to true. 5180 */ 5181static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid, 5182 DOM_SID *sid) 5183{ 5184 struct ldapsam_privates *priv = 5185 (struct ldapsam_privates *)methods->private_data; 5186 char *filter; 5187 const char *attrs[] = { "sambaSID", NULL }; 5188 LDAPMessage *result = NULL; 5189 LDAPMessage *entry = NULL; 5190 bool ret = false; 5191 char *group_sid_string; 5192 DOM_SID group_sid; 5193 int rc; 5194 TALLOC_CTX *tmp_ctx = talloc_stackframe(); 5195 5196 filter = talloc_asprintf(tmp_ctx, 5197 "(&(gidNumber=%u)" 5198 "(objectClass=%s))", 5199 (unsigned int)gid, 5200 LDAP_OBJ_GROUPMAP); 5201 if (filter == NULL) { 5202 DEBUG(3, ("talloc_asprintf failed\n")); 5203 goto done; 5204 } 5205 5206 rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result); 5207 if (rc != LDAP_SUCCESS) { 5208 goto done; 5209 } 5210 talloc_autofree_ldapmsg(tmp_ctx, result); 5211 5212 if (ldap_count_entries(priv2ld(priv), result) != 1) { 5213 DEBUG(3, ("ERROR: Got %d entries for gid %u, expected one\n", 5214 ldap_count_entries(priv2ld(priv), result), 5215 (unsigned int)gid)); 5216 goto done; 5217 } 5218 5219 entry = ldap_first_entry(priv2ld(priv), result); 5220 5221 group_sid_string = smbldap_talloc_single_attribute(priv2ld(priv), entry, 5222 "sambaSID", tmp_ctx); 5223 if (group_sid_string == NULL) { 5224 DEBUG(1, ("Could not find sambaSID in object '%s'\n", 5225 smbldap_talloc_dn(tmp_ctx, priv2ld(priv), entry))); 5226 goto done; 5227 } 5228 5229 if (!string_to_sid(&group_sid, group_sid_string)) { 5230 DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n", 5231 group_sid_string)); 5232 goto done; 5233 } 5234 5235 sid_copy(sid, &group_sid); 5236 5237 store_gid_sid_cache(sid, gid); 5238 idmap_cache_set_sid2gid(sid, gid); 5239 5240 ret = true; 5241 5242 done: 5243 TALLOC_FREE(tmp_ctx); 5244 return ret; 5245} 5246 5247 5248/* 5249 * The following functions are called only if 5250 * ldapsam:trusted and ldapsam:editposix are 5251 * set to true 5252 */ 5253 5254/* 5255 * ldapsam_create_user creates a new 5256 * posixAccount and sambaSamAccount object 5257 * in the ldap users subtree 5258 * 5259 * The uid is allocated by winbindd. 5260 */ 5261 5262static NTSTATUS ldapsam_create_user(struct pdb_methods *my_methods, 5263 TALLOC_CTX *tmp_ctx, const char *name, 5264 uint32 acb_info, uint32 *rid) 5265{ 5266 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 5267 LDAPMessage *entry = NULL; 5268 LDAPMessage *result = NULL; 5269 uint32 num_result; 5270 bool is_machine = False; 5271 bool add_posix = False; 5272 LDAPMod **mods = NULL; 5273 struct samu *user; 5274 char *filter; 5275 char *username; 5276 char *homedir; 5277 char *gidstr; 5278 char *uidstr; 5279 char *shell; 5280 const char *dn = NULL; 5281 DOM_SID group_sid; 5282 DOM_SID user_sid; 5283 gid_t gid = -1; 5284 uid_t uid = -1; 5285 NTSTATUS ret; 5286 int rc; 5287 5288 if (((acb_info & ACB_NORMAL) && name[strlen(name)-1] == '$') || 5289 acb_info & ACB_WSTRUST || 5290 acb_info & ACB_SVRTRUST || 5291 acb_info & ACB_DOMTRUST) { 5292 is_machine = True; 5293 } 5294 5295 username = escape_ldap_string(talloc_tos(), name); 5296 filter = talloc_asprintf(tmp_ctx, "(&(uid=%s)(objectClass=%s))", 5297 username, LDAP_OBJ_POSIXACCOUNT); 5298 TALLOC_FREE(username); 5299 5300 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result); 5301 if (rc != LDAP_SUCCESS) { 5302 DEBUG(0,("ldapsam_create_user: ldap search failed!\n")); 5303 return NT_STATUS_ACCESS_DENIED; 5304 } 5305 talloc_autofree_ldapmsg(tmp_ctx, result); 5306 5307 num_result = ldap_count_entries(priv2ld(ldap_state), result); 5308 5309 if (num_result > 1) { 5310 DEBUG (0, ("ldapsam_create_user: More than one user with name [%s] ?!\n", name)); 5311 return NT_STATUS_INTERNAL_DB_CORRUPTION; 5312 } 5313 5314 if (num_result == 1) { 5315 char *tmp; 5316 /* check if it is just a posix account. 5317 * or if there is a sid attached to this entry 5318 */ 5319 5320 entry = ldap_first_entry(priv2ld(ldap_state), result); 5321 if (!entry) { 5322 return NT_STATUS_UNSUCCESSFUL; 5323 } 5324 5325 tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "sambaSID", tmp_ctx); 5326 if (tmp) { 5327 DEBUG (1, ("ldapsam_create_user: The user [%s] already exist!\n", name)); 5328 return NT_STATUS_USER_EXISTS; 5329 } 5330 5331 /* it is just a posix account, retrieve the dn for later use */ 5332 dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry); 5333 if (!dn) { 5334 DEBUG(0,("ldapsam_create_user: Out of memory!\n")); 5335 return NT_STATUS_NO_MEMORY; 5336 } 5337 } 5338 5339 if (num_result == 0) { 5340 add_posix = True; 5341 } 5342 5343 /* Create the basic samu structure and generate the mods for the ldap commit */ 5344 if (!NT_STATUS_IS_OK((ret = ldapsam_new_rid_internal(my_methods, rid)))) { 5345 DEBUG(1, ("ldapsam_create_user: Could not allocate a new RID\n")); 5346 return ret; 5347 } 5348 5349 sid_compose(&user_sid, get_global_sam_sid(), *rid); 5350 5351 user = samu_new(tmp_ctx); 5352 if (!user) { 5353 DEBUG(1,("ldapsam_create_user: Unable to allocate user struct\n")); 5354 return NT_STATUS_NO_MEMORY; 5355 } 5356 5357 if (!pdb_set_username(user, name, PDB_SET)) { 5358 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n")); 5359 return NT_STATUS_UNSUCCESSFUL; 5360 } 5361 if (!pdb_set_domain(user, get_global_sam_name(), PDB_SET)) { 5362 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n")); 5363 return NT_STATUS_UNSUCCESSFUL; 5364 } 5365 if (is_machine) { 5366 if (acb_info & ACB_NORMAL) { 5367 if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_SET)) { 5368 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n")); 5369 return NT_STATUS_UNSUCCESSFUL; 5370 } 5371 } else { 5372 if (!pdb_set_acct_ctrl(user, acb_info, PDB_SET)) { 5373 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n")); 5374 return NT_STATUS_UNSUCCESSFUL; 5375 } 5376 } 5377 } else { 5378 if (!pdb_set_acct_ctrl(user, ACB_NORMAL | ACB_DISABLED, PDB_SET)) { 5379 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n")); 5380 return NT_STATUS_UNSUCCESSFUL; 5381 } 5382 } 5383 5384 if (!pdb_set_user_sid(user, &user_sid, PDB_SET)) { 5385 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n")); 5386 return NT_STATUS_UNSUCCESSFUL; 5387 } 5388 5389 if (!init_ldap_from_sam(ldap_state, NULL, &mods, user, element_is_set_or_changed)) { 5390 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n")); 5391 return NT_STATUS_UNSUCCESSFUL; 5392 } 5393 5394 if (ldap_state->schema_ver != SCHEMAVER_SAMBASAMACCOUNT) { 5395 DEBUG(1,("ldapsam_create_user: Unsupported schema version\n")); 5396 } 5397 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT); 5398 5399 if (add_posix) { 5400 char *escape_name; 5401 5402 DEBUG(3,("ldapsam_create_user: Creating new posix user\n")); 5403 5404 /* retrieve the Domain Users group gid */ 5405 if (!sid_compose(&group_sid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS) || 5406 !sid_to_gid(&group_sid, &gid)) { 5407 DEBUG (0, ("ldapsam_create_user: Unable to get the Domain Users gid: bailing out!\n")); 5408 return NT_STATUS_INVALID_PRIMARY_GROUP; 5409 } 5410 5411 /* lets allocate a new userid for this user */ 5412 if (!winbind_allocate_uid(&uid)) { 5413 DEBUG (0, ("ldapsam_create_user: Unable to allocate a new user id: bailing out!\n")); 5414 return NT_STATUS_UNSUCCESSFUL; 5415 } 5416 5417 5418 if (is_machine) { 5419 /* TODO: choose a more appropriate default for machines */ 5420 homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), "SMB_workstations_home", ldap_state->domain_name, uid, gid); 5421 shell = talloc_strdup(tmp_ctx, "/bin/false"); 5422 } else { 5423 homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), name, ldap_state->domain_name, uid, gid); 5424 shell = talloc_sub_specified(tmp_ctx, lp_template_shell(), name, ldap_state->domain_name, uid, gid); 5425 } 5426 uidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)uid); 5427 gidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)gid); 5428 5429 escape_name = escape_rdn_val_string_alloc(name); 5430 if (!escape_name) { 5431 DEBUG (0, ("ldapsam_create_user: Out of memory!\n")); 5432 return NT_STATUS_NO_MEMORY; 5433 } 5434 5435 if (is_machine) { 5436 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", escape_name, lp_ldap_machine_suffix ()); 5437 } else { 5438 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", escape_name, lp_ldap_user_suffix ()); 5439 } 5440 5441 SAFE_FREE(escape_name); 5442 5443 if (!homedir || !shell || !uidstr || !gidstr || !dn) { 5444 DEBUG (0, ("ldapsam_create_user: Out of memory!\n")); 5445 return NT_STATUS_NO_MEMORY; 5446 } 5447 5448 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT); 5449 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT); 5450 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name); 5451 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr); 5452 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr); 5453 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", homedir); 5454 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell); 5455 } 5456 5457 talloc_autofree_ldapmod(tmp_ctx, mods); 5458 5459 if (add_posix) { 5460 rc = smbldap_add(ldap_state->smbldap_state, dn, mods); 5461 } else { 5462 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods); 5463 } 5464 5465 if (rc != LDAP_SUCCESS) { 5466 DEBUG(0,("ldapsam_create_user: failed to create a new user [%s] (dn = %s)\n", name ,dn)); 5467 return NT_STATUS_UNSUCCESSFUL; 5468 } 5469 5470 DEBUG(2,("ldapsam_create_user: added account [%s] in the LDAP database\n", name)); 5471 5472 flush_pwnam_cache(); 5473 5474 return NT_STATUS_OK; 5475} 5476 5477static NTSTATUS ldapsam_delete_user(struct pdb_methods *my_methods, TALLOC_CTX *tmp_ctx, struct samu *sam_acct) 5478{ 5479 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 5480 LDAPMessage *result = NULL; 5481 LDAPMessage *entry = NULL; 5482 int num_result; 5483 const char *dn; 5484 char *filter; 5485 int rc; 5486 5487 DEBUG(0,("ldapsam_delete_user: Attempt to delete user [%s]\n", pdb_get_username(sam_acct))); 5488 5489 filter = talloc_asprintf(tmp_ctx, 5490 "(&(uid=%s)" 5491 "(objectClass=%s)" 5492 "(objectClass=%s))", 5493 pdb_get_username(sam_acct), 5494 LDAP_OBJ_POSIXACCOUNT, 5495 LDAP_OBJ_SAMBASAMACCOUNT); 5496 if (filter == NULL) { 5497 return NT_STATUS_NO_MEMORY; 5498 } 5499 5500 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result); 5501 if (rc != LDAP_SUCCESS) { 5502 DEBUG(0,("ldapsam_delete_user: user search failed!\n")); 5503 return NT_STATUS_UNSUCCESSFUL; 5504 } 5505 talloc_autofree_ldapmsg(tmp_ctx, result); 5506 5507 num_result = ldap_count_entries(priv2ld(ldap_state), result); 5508 5509 if (num_result == 0) { 5510 DEBUG(0,("ldapsam_delete_user: user not found!\n")); 5511 return NT_STATUS_NO_SUCH_USER; 5512 } 5513 5514 if (num_result > 1) { 5515 DEBUG (0, ("ldapsam_delete_user: More than one user with name [%s] ?!\n", pdb_get_username(sam_acct))); 5516 return NT_STATUS_INTERNAL_DB_CORRUPTION; 5517 } 5518 5519 entry = ldap_first_entry(priv2ld(ldap_state), result); 5520 if (!entry) { 5521 return NT_STATUS_UNSUCCESSFUL; 5522 } 5523 5524 /* it is just a posix account, retrieve the dn for later use */ 5525 dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry); 5526 if (!dn) { 5527 DEBUG(0,("ldapsam_delete_user: Out of memory!\n")); 5528 return NT_STATUS_NO_MEMORY; 5529 } 5530 5531 /* try to remove memberships first */ 5532 { 5533 NTSTATUS status; 5534 struct dom_sid *sids = NULL; 5535 gid_t *gids = NULL; 5536 size_t num_groups = 0; 5537 int i; 5538 uint32_t user_rid = pdb_get_user_rid(sam_acct); 5539 5540 status = ldapsam_enum_group_memberships(my_methods, 5541 tmp_ctx, 5542 sam_acct, 5543 &sids, 5544 &gids, 5545 &num_groups); 5546 if (!NT_STATUS_IS_OK(status)) { 5547 goto delete_dn; 5548 } 5549 5550 for (i=0; i < num_groups; i++) { 5551 5552 uint32_t group_rid; 5553 5554 sid_peek_rid(&sids[i], &group_rid); 5555 5556 ldapsam_del_groupmem(my_methods, 5557 tmp_ctx, 5558 group_rid, 5559 user_rid); 5560 } 5561 } 5562 5563 delete_dn: 5564 5565 rc = smbldap_delete(ldap_state->smbldap_state, dn); 5566 if (rc != LDAP_SUCCESS) { 5567 return NT_STATUS_UNSUCCESSFUL; 5568 } 5569 5570 flush_pwnam_cache(); 5571 5572 return NT_STATUS_OK; 5573} 5574 5575/* 5576 * ldapsam_create_group creates a new 5577 * posixGroup and sambaGroupMapping object 5578 * in the ldap groups subtree 5579 * 5580 * The gid is allocated by winbindd. 5581 */ 5582 5583static NTSTATUS ldapsam_create_dom_group(struct pdb_methods *my_methods, 5584 TALLOC_CTX *tmp_ctx, 5585 const char *name, 5586 uint32 *rid) 5587{ 5588 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 5589 NTSTATUS ret; 5590 LDAPMessage *entry = NULL; 5591 LDAPMessage *result = NULL; 5592 uint32 num_result; 5593 bool is_new_entry = False; 5594 LDAPMod **mods = NULL; 5595 char *filter; 5596 char *groupsidstr; 5597 char *groupname; 5598 char *grouptype; 5599 char *gidstr; 5600 const char *dn = NULL; 5601 DOM_SID group_sid; 5602 gid_t gid = -1; 5603 int rc; 5604 5605 groupname = escape_ldap_string(talloc_tos(), name); 5606 filter = talloc_asprintf(tmp_ctx, "(&(cn=%s)(objectClass=%s))", 5607 groupname, LDAP_OBJ_POSIXGROUP); 5608 TALLOC_FREE(groupname); 5609 5610 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result); 5611 if (rc != LDAP_SUCCESS) { 5612 DEBUG(0,("ldapsam_create_group: ldap search failed!\n")); 5613 return NT_STATUS_UNSUCCESSFUL; 5614 } 5615 talloc_autofree_ldapmsg(tmp_ctx, result); 5616 5617 num_result = ldap_count_entries(priv2ld(ldap_state), result); 5618 5619 if (num_result > 1) { 5620 DEBUG (0, ("ldapsam_create_group: There exists more than one group with name [%s]: bailing out!\n", name)); 5621 return NT_STATUS_INTERNAL_DB_CORRUPTION; 5622 } 5623 5624 if (num_result == 1) { 5625 char *tmp; 5626 /* check if it is just a posix group. 5627 * or if there is a sid attached to this entry 5628 */ 5629 5630 entry = ldap_first_entry(priv2ld(ldap_state), result); 5631 if (!entry) { 5632 return NT_STATUS_UNSUCCESSFUL; 5633 } 5634 5635 tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "sambaSID", tmp_ctx); 5636 if (tmp) { 5637 DEBUG (1, ("ldapsam_create_group: The group [%s] already exist!\n", name)); 5638 return NT_STATUS_GROUP_EXISTS; 5639 } 5640 5641 /* it is just a posix group, retrieve the gid and the dn for later use */ 5642 tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx); 5643 if (!tmp) { 5644 DEBUG (1, ("ldapsam_create_group: Couldn't retrieve the gidNumber for [%s]?!?!\n", name)); 5645 return NT_STATUS_INTERNAL_DB_CORRUPTION; 5646 } 5647 5648 gid = strtoul(tmp, NULL, 10); 5649 5650 dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry); 5651 if (!dn) { 5652 DEBUG(0,("ldapsam_create_group: Out of memory!\n")); 5653 return NT_STATUS_NO_MEMORY; 5654 } 5655 } 5656 5657 if (num_result == 0) { 5658 char *escape_name; 5659 5660 DEBUG(3,("ldapsam_create_user: Creating new posix group\n")); 5661 5662 is_new_entry = True; 5663 5664 /* lets allocate a new groupid for this group */ 5665 if (!winbind_allocate_gid(&gid)) { 5666 DEBUG (0, ("ldapsam_create_group: Unable to allocate a new group id: bailing out!\n")); 5667 return NT_STATUS_UNSUCCESSFUL; 5668 } 5669 5670 gidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)gid); 5671 5672 escape_name = escape_rdn_val_string_alloc(name); 5673 if (!escape_name) { 5674 DEBUG (0, ("ldapsam_create_group: Out of memory!\n")); 5675 return NT_STATUS_NO_MEMORY; 5676 } 5677 5678 dn = talloc_asprintf(tmp_ctx, "cn=%s,%s", escape_name, lp_ldap_group_suffix()); 5679 5680 SAFE_FREE(escape_name); 5681 5682 if (!gidstr || !dn) { 5683 DEBUG (0, ("ldapsam_create_group: Out of memory!\n")); 5684 return NT_STATUS_NO_MEMORY; 5685 } 5686 5687 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP); 5688 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name); 5689 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr); 5690 } 5691 5692 if (!NT_STATUS_IS_OK((ret = ldapsam_new_rid_internal(my_methods, rid)))) { 5693 DEBUG(1, ("ldapsam_create_group: Could not allocate a new RID\n")); 5694 return ret; 5695 } 5696 5697 sid_compose(&group_sid, get_global_sam_sid(), *rid); 5698 5699 groupsidstr = talloc_strdup(tmp_ctx, sid_string_talloc(tmp_ctx, 5700 &group_sid)); 5701 grouptype = talloc_asprintf(tmp_ctx, "%d", SID_NAME_DOM_GRP); 5702 5703 if (!groupsidstr || !grouptype) { 5704 DEBUG(0,("ldapsam_create_group: Out of memory!\n")); 5705 return NT_STATUS_NO_MEMORY; 5706 } 5707 5708 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP); 5709 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", groupsidstr); 5710 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", grouptype); 5711 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name); 5712 talloc_autofree_ldapmod(tmp_ctx, mods); 5713 5714 if (is_new_entry) { 5715 rc = smbldap_add(ldap_state->smbldap_state, dn, mods); 5716#if 0 5717 if (rc == LDAP_OBJECT_CLASS_VIOLATION) { 5718 /* This call may fail with rfc2307bis schema */ 5719 /* Retry adding a structural class */ 5720 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "????"); 5721 rc = smbldap_add(ldap_state->smbldap_state, dn, mods); 5722 } 5723#endif 5724 } else { 5725 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods); 5726 } 5727 5728 if (rc != LDAP_SUCCESS) { 5729 DEBUG(0,("ldapsam_create_group: failed to create a new group [%s] (dn = %s)\n", name ,dn)); 5730 return NT_STATUS_UNSUCCESSFUL; 5731 } 5732 5733 DEBUG(2,("ldapsam_create_group: added group [%s] in the LDAP database\n", name)); 5734 5735 return NT_STATUS_OK; 5736} 5737 5738static NTSTATUS ldapsam_delete_dom_group(struct pdb_methods *my_methods, TALLOC_CTX *tmp_ctx, uint32 rid) 5739{ 5740 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 5741 LDAPMessage *result = NULL; 5742 LDAPMessage *entry = NULL; 5743 int num_result; 5744 const char *dn; 5745 char *gidstr; 5746 char *filter; 5747 DOM_SID group_sid; 5748 int rc; 5749 5750 /* get the group sid */ 5751 sid_compose(&group_sid, get_global_sam_sid(), rid); 5752 5753 filter = talloc_asprintf(tmp_ctx, 5754 "(&(sambaSID=%s)" 5755 "(objectClass=%s)" 5756 "(objectClass=%s))", 5757 sid_string_talloc(tmp_ctx, &group_sid), 5758 LDAP_OBJ_POSIXGROUP, 5759 LDAP_OBJ_GROUPMAP); 5760 if (filter == NULL) { 5761 return NT_STATUS_NO_MEMORY; 5762 } 5763 5764 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result); 5765 if (rc != LDAP_SUCCESS) { 5766 DEBUG(1,("ldapsam_delete_dom_group: group search failed!\n")); 5767 return NT_STATUS_UNSUCCESSFUL; 5768 } 5769 talloc_autofree_ldapmsg(tmp_ctx, result); 5770 5771 num_result = ldap_count_entries(priv2ld(ldap_state), result); 5772 5773 if (num_result == 0) { 5774 DEBUG(1,("ldapsam_delete_dom_group: group not found!\n")); 5775 return NT_STATUS_NO_SUCH_GROUP; 5776 } 5777 5778 if (num_result > 1) { 5779 DEBUG (0, ("ldapsam_delete_dom_group: More than one group with the same SID ?!\n")); 5780 return NT_STATUS_INTERNAL_DB_CORRUPTION; 5781 } 5782 5783 entry = ldap_first_entry(priv2ld(ldap_state), result); 5784 if (!entry) { 5785 return NT_STATUS_UNSUCCESSFUL; 5786 } 5787 5788 /* here it is, retrieve the dn for later use */ 5789 dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry); 5790 if (!dn) { 5791 DEBUG(0,("ldapsam_delete_dom_group: Out of memory!\n")); 5792 return NT_STATUS_NO_MEMORY; 5793 } 5794 5795 gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx); 5796 if (!gidstr) { 5797 DEBUG (0, ("ldapsam_delete_dom_group: Unable to find the group's gid!\n")); 5798 return NT_STATUS_INTERNAL_DB_CORRUPTION; 5799 } 5800 5801 /* check no user have this group marked as primary group */ 5802 filter = talloc_asprintf(tmp_ctx, 5803 "(&(gidNumber=%s)" 5804 "(objectClass=%s)" 5805 "(objectClass=%s))", 5806 gidstr, 5807 LDAP_OBJ_POSIXACCOUNT, 5808 LDAP_OBJ_SAMBASAMACCOUNT); 5809 5810 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result); 5811 if (rc != LDAP_SUCCESS) { 5812 DEBUG(1,("ldapsam_delete_dom_group: accounts search failed!\n")); 5813 return NT_STATUS_UNSUCCESSFUL; 5814 } 5815 talloc_autofree_ldapmsg(tmp_ctx, result); 5816 5817 num_result = ldap_count_entries(priv2ld(ldap_state), result); 5818 5819 if (num_result != 0) { 5820 DEBUG(3,("ldapsam_delete_dom_group: Can't delete group, it is a primary group for %d users\n", num_result)); 5821 return NT_STATUS_MEMBERS_PRIMARY_GROUP; 5822 } 5823 5824 rc = smbldap_delete(ldap_state->smbldap_state, dn); 5825 if (rc != LDAP_SUCCESS) { 5826 return NT_STATUS_UNSUCCESSFUL; 5827 } 5828 5829 return NT_STATUS_OK; 5830} 5831 5832static NTSTATUS ldapsam_change_groupmem(struct pdb_methods *my_methods, 5833 TALLOC_CTX *tmp_ctx, 5834 uint32 group_rid, 5835 uint32 member_rid, 5836 int modop) 5837{ 5838 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 5839 LDAPMessage *entry = NULL; 5840 LDAPMessage *result = NULL; 5841 uint32 num_result; 5842 LDAPMod **mods = NULL; 5843 char *filter; 5844 char *uidstr; 5845 const char *dn = NULL; 5846 DOM_SID group_sid; 5847 DOM_SID member_sid; 5848 int rc; 5849 5850 switch (modop) { 5851 case LDAP_MOD_ADD: 5852 DEBUG(1,("ldapsam_change_groupmem: add new member(rid=%d) to a domain group(rid=%d)", member_rid, group_rid)); 5853 break; 5854 case LDAP_MOD_DELETE: 5855 DEBUG(1,("ldapsam_change_groupmem: delete member(rid=%d) from a domain group(rid=%d)", member_rid, group_rid)); 5856 break; 5857 default: 5858 return NT_STATUS_UNSUCCESSFUL; 5859 } 5860 5861 /* get member sid */ 5862 sid_compose(&member_sid, get_global_sam_sid(), member_rid); 5863 5864 /* get the group sid */ 5865 sid_compose(&group_sid, get_global_sam_sid(), group_rid); 5866 5867 filter = talloc_asprintf(tmp_ctx, 5868 "(&(sambaSID=%s)" 5869 "(objectClass=%s)" 5870 "(objectClass=%s))", 5871 sid_string_talloc(tmp_ctx, &member_sid), 5872 LDAP_OBJ_POSIXACCOUNT, 5873 LDAP_OBJ_SAMBASAMACCOUNT); 5874 if (filter == NULL) { 5875 return NT_STATUS_NO_MEMORY; 5876 } 5877 5878 /* get the member uid */ 5879 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result); 5880 if (rc != LDAP_SUCCESS) { 5881 DEBUG(1,("ldapsam_change_groupmem: member search failed!\n")); 5882 return NT_STATUS_UNSUCCESSFUL; 5883 } 5884 talloc_autofree_ldapmsg(tmp_ctx, result); 5885 5886 num_result = ldap_count_entries(priv2ld(ldap_state), result); 5887 5888 if (num_result == 0) { 5889 DEBUG(1,("ldapsam_change_groupmem: member not found!\n")); 5890 return NT_STATUS_NO_SUCH_MEMBER; 5891 } 5892 5893 if (num_result > 1) { 5894 DEBUG (0, ("ldapsam_change_groupmem: More than one account with the same SID ?!\n")); 5895 return NT_STATUS_INTERNAL_DB_CORRUPTION; 5896 } 5897 5898 entry = ldap_first_entry(priv2ld(ldap_state), result); 5899 if (!entry) { 5900 return NT_STATUS_UNSUCCESSFUL; 5901 } 5902 5903 if (modop == LDAP_MOD_DELETE) { 5904 /* check if we are trying to remove the member from his primary group */ 5905 char *gidstr; 5906 gid_t user_gid, group_gid; 5907 5908 gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx); 5909 if (!gidstr) { 5910 DEBUG (0, ("ldapsam_change_groupmem: Unable to find the member's gid!\n")); 5911 return NT_STATUS_INTERNAL_DB_CORRUPTION; 5912 } 5913 5914 user_gid = strtoul(gidstr, NULL, 10); 5915 5916 if (!sid_to_gid(&group_sid, &group_gid)) { 5917 DEBUG (0, ("ldapsam_change_groupmem: Unable to get group gid from SID!\n")); 5918 return NT_STATUS_UNSUCCESSFUL; 5919 } 5920 5921 if (user_gid == group_gid) { 5922 DEBUG (3, ("ldapsam_change_groupmem: can't remove user from its own primary group!\n")); 5923 return NT_STATUS_MEMBERS_PRIMARY_GROUP; 5924 } 5925 } 5926 5927 /* here it is, retrieve the uid for later use */ 5928 uidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "uid", tmp_ctx); 5929 if (!uidstr) { 5930 DEBUG (0, ("ldapsam_change_groupmem: Unable to find the member's name!\n")); 5931 return NT_STATUS_INTERNAL_DB_CORRUPTION; 5932 } 5933 5934 filter = talloc_asprintf(tmp_ctx, 5935 "(&(sambaSID=%s)" 5936 "(objectClass=%s)" 5937 "(objectClass=%s))", 5938 sid_string_talloc(tmp_ctx, &group_sid), 5939 LDAP_OBJ_POSIXGROUP, 5940 LDAP_OBJ_GROUPMAP); 5941 5942 /* get the group */ 5943 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result); 5944 if (rc != LDAP_SUCCESS) { 5945 DEBUG(1,("ldapsam_change_groupmem: group search failed!\n")); 5946 return NT_STATUS_UNSUCCESSFUL; 5947 } 5948 talloc_autofree_ldapmsg(tmp_ctx, result); 5949 5950 num_result = ldap_count_entries(priv2ld(ldap_state), result); 5951 5952 if (num_result == 0) { 5953 DEBUG(1,("ldapsam_change_groupmem: group not found!\n")); 5954 return NT_STATUS_NO_SUCH_GROUP; 5955 } 5956 5957 if (num_result > 1) { 5958 DEBUG (0, ("ldapsam_change_groupmem: More than one group with the same SID ?!\n")); 5959 return NT_STATUS_INTERNAL_DB_CORRUPTION; 5960 } 5961 5962 entry = ldap_first_entry(priv2ld(ldap_state), result); 5963 if (!entry) { 5964 return NT_STATUS_UNSUCCESSFUL; 5965 } 5966 5967 /* here it is, retrieve the dn for later use */ 5968 dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry); 5969 if (!dn) { 5970 DEBUG(0,("ldapsam_change_groupmem: Out of memory!\n")); 5971 return NT_STATUS_NO_MEMORY; 5972 } 5973 5974 smbldap_set_mod(&mods, modop, "memberUid", uidstr); 5975 5976 talloc_autofree_ldapmod(tmp_ctx, mods); 5977 5978 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods); 5979 if (rc != LDAP_SUCCESS) { 5980 if (rc == LDAP_TYPE_OR_VALUE_EXISTS && modop == LDAP_MOD_ADD) { 5981 DEBUG(1,("ldapsam_change_groupmem: member is already in group, add failed!\n")); 5982 return NT_STATUS_MEMBER_IN_GROUP; 5983 } 5984 if (rc == LDAP_NO_SUCH_ATTRIBUTE && modop == LDAP_MOD_DELETE) { 5985 DEBUG(1,("ldapsam_change_groupmem: member is not in group, delete failed!\n")); 5986 return NT_STATUS_MEMBER_NOT_IN_GROUP; 5987 } 5988 return NT_STATUS_UNSUCCESSFUL; 5989 } 5990 5991 return NT_STATUS_OK; 5992} 5993 5994static NTSTATUS ldapsam_add_groupmem(struct pdb_methods *my_methods, 5995 TALLOC_CTX *tmp_ctx, 5996 uint32 group_rid, 5997 uint32 member_rid) 5998{ 5999 return ldapsam_change_groupmem(my_methods, tmp_ctx, group_rid, member_rid, LDAP_MOD_ADD); 6000} 6001static NTSTATUS ldapsam_del_groupmem(struct pdb_methods *my_methods, 6002 TALLOC_CTX *tmp_ctx, 6003 uint32 group_rid, 6004 uint32 member_rid) 6005{ 6006 return ldapsam_change_groupmem(my_methods, tmp_ctx, group_rid, member_rid, LDAP_MOD_DELETE); 6007} 6008 6009static NTSTATUS ldapsam_set_primary_group(struct pdb_methods *my_methods, 6010 TALLOC_CTX *mem_ctx, 6011 struct samu *sampass) 6012{ 6013 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; 6014 LDAPMessage *entry = NULL; 6015 LDAPMessage *result = NULL; 6016 uint32 num_result; 6017 LDAPMod **mods = NULL; 6018 char *filter; 6019 char *escape_username; 6020 char *gidstr; 6021 const char *dn = NULL; 6022 gid_t gid; 6023 int rc; 6024 6025 DEBUG(0,("ldapsam_set_primary_group: Attempt to set primary group for user [%s]\n", pdb_get_username(sampass))); 6026 6027 if (!sid_to_gid(pdb_get_group_sid(sampass), &gid)) { 6028 DEBUG(0,("ldapsam_set_primary_group: failed to retrieve gid from user's group SID!\n")); 6029 return NT_STATUS_UNSUCCESSFUL; 6030 } 6031 gidstr = talloc_asprintf(mem_ctx, "%u", (unsigned int)gid); 6032 if (!gidstr) { 6033 DEBUG(0,("ldapsam_set_primary_group: Out of Memory!\n")); 6034 return NT_STATUS_NO_MEMORY; 6035 } 6036 6037 escape_username = escape_ldap_string(talloc_tos(), 6038 pdb_get_username(sampass)); 6039 if (escape_username== NULL) { 6040 return NT_STATUS_NO_MEMORY; 6041 } 6042 6043 filter = talloc_asprintf(mem_ctx, 6044 "(&(uid=%s)" 6045 "(objectClass=%s)" 6046 "(objectClass=%s))", 6047 escape_username, 6048 LDAP_OBJ_POSIXACCOUNT, 6049 LDAP_OBJ_SAMBASAMACCOUNT); 6050 6051 TALLOC_FREE(escape_username); 6052 6053 if (filter == NULL) { 6054 return NT_STATUS_NO_MEMORY; 6055 } 6056 6057 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result); 6058 if (rc != LDAP_SUCCESS) { 6059 DEBUG(0,("ldapsam_set_primary_group: user search failed!\n")); 6060 return NT_STATUS_UNSUCCESSFUL; 6061 } 6062 talloc_autofree_ldapmsg(mem_ctx, result); 6063 6064 num_result = ldap_count_entries(priv2ld(ldap_state), result); 6065 6066 if (num_result == 0) { 6067 DEBUG(0,("ldapsam_set_primary_group: user not found!\n")); 6068 return NT_STATUS_NO_SUCH_USER; 6069 } 6070 6071 if (num_result > 1) { 6072 DEBUG (0, ("ldapsam_set_primary_group: More than one user with name [%s] ?!\n", pdb_get_username(sampass))); 6073 return NT_STATUS_INTERNAL_DB_CORRUPTION; 6074 } 6075 6076 entry = ldap_first_entry(priv2ld(ldap_state), result); 6077 if (!entry) { 6078 return NT_STATUS_UNSUCCESSFUL; 6079 } 6080 6081 /* retrieve the dn for later use */ 6082 dn = smbldap_talloc_dn(mem_ctx, priv2ld(ldap_state), entry); 6083 if (!dn) { 6084 DEBUG(0,("ldapsam_set_primary_group: Out of memory!\n")); 6085 return NT_STATUS_NO_MEMORY; 6086 } 6087 6088 /* remove the old one, and add the new one, this way we do not risk races */ 6089 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "gidNumber", gidstr); 6090 6091 if (mods == NULL) { 6092 return NT_STATUS_OK; 6093 } 6094 6095 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods); 6096 6097 if (rc != LDAP_SUCCESS) { 6098 DEBUG(0,("ldapsam_set_primary_group: failed to modify [%s] primary group to [%s]\n", 6099 pdb_get_username(sampass), gidstr)); 6100 return NT_STATUS_UNSUCCESSFUL; 6101 } 6102 6103 flush_pwnam_cache(); 6104 6105 return NT_STATUS_OK; 6106} 6107 6108 6109/********************************************************************** 6110 trusted domains functions 6111 *********************************************************************/ 6112 6113static char *trusteddom_dn(struct ldapsam_privates *ldap_state, 6114 const char *domain) 6115{ 6116 return talloc_asprintf(talloc_tos(), "sambaDomainName=%s,%s", domain, 6117 ldap_state->domain_dn); 6118} 6119 6120static bool get_trusteddom_pw_int(struct ldapsam_privates *ldap_state, 6121 TALLOC_CTX *mem_ctx, 6122 const char *domain, LDAPMessage **entry) 6123{ 6124 int rc; 6125 char *filter; 6126 int scope = LDAP_SCOPE_SUBTREE; 6127 const char **attrs = NULL; /* NULL: get all attrs */ 6128 int attrsonly = 0; /* 0: return values too */ 6129 LDAPMessage *result = NULL; 6130 char *trusted_dn; 6131 uint32 num_result; 6132 6133 filter = talloc_asprintf(talloc_tos(), 6134 "(&(objectClass=%s)(sambaDomainName=%s))", 6135 LDAP_OBJ_TRUSTDOM_PASSWORD, domain); 6136 6137 trusted_dn = trusteddom_dn(ldap_state, domain); 6138 if (trusted_dn == NULL) { 6139 return False; 6140 } 6141 rc = smbldap_search(ldap_state->smbldap_state, trusted_dn, scope, 6142 filter, attrs, attrsonly, &result); 6143 6144 if (result != NULL) { 6145 talloc_autofree_ldapmsg(mem_ctx, result); 6146 } 6147 6148 if (rc == LDAP_NO_SUCH_OBJECT) { 6149 *entry = NULL; 6150 return True; 6151 } 6152 6153 if (rc != LDAP_SUCCESS) { 6154 return False; 6155 } 6156 6157 num_result = ldap_count_entries(priv2ld(ldap_state), result); 6158 6159 if (num_result > 1) { 6160 DEBUG(1, ("ldapsam_get_trusteddom_pw: more than one " 6161 "%s object for domain '%s'?!\n", 6162 LDAP_OBJ_TRUSTDOM_PASSWORD, domain)); 6163 return False; 6164 } 6165 6166 if (num_result == 0) { 6167 DEBUG(1, ("ldapsam_get_trusteddom_pw: no " 6168 "%s object for domain %s.\n", 6169 LDAP_OBJ_TRUSTDOM_PASSWORD, domain)); 6170 *entry = NULL; 6171 } else { 6172 *entry = ldap_first_entry(priv2ld(ldap_state), result); 6173 } 6174 6175 return True; 6176} 6177 6178static bool ldapsam_get_trusteddom_pw(struct pdb_methods *methods, 6179 const char *domain, 6180 char** pwd, 6181 DOM_SID *sid, 6182 time_t *pass_last_set_time) 6183{ 6184 struct ldapsam_privates *ldap_state = 6185 (struct ldapsam_privates *)methods->private_data; 6186 LDAPMessage *entry = NULL; 6187 6188 DEBUG(10, ("ldapsam_get_trusteddom_pw called for domain %s\n", domain)); 6189 6190 if (!get_trusteddom_pw_int(ldap_state, talloc_tos(), domain, &entry) || 6191 (entry == NULL)) 6192 { 6193 return False; 6194 } 6195 6196 /* password */ 6197 if (pwd != NULL) { 6198 char *pwd_str; 6199 pwd_str = smbldap_talloc_single_attribute(priv2ld(ldap_state), 6200 entry, "sambaClearTextPassword", talloc_tos()); 6201 if (pwd_str == NULL) { 6202 return False; 6203 } 6204 /* trusteddom_pw routines do not use talloc yet... */ 6205 *pwd = SMB_STRDUP(pwd_str); 6206 if (*pwd == NULL) { 6207 return False; 6208 } 6209 } 6210 6211 /* last change time */ 6212 if (pass_last_set_time != NULL) { 6213 char *time_str; 6214 time_str = smbldap_talloc_single_attribute(priv2ld(ldap_state), 6215 entry, "sambaPwdLastSet", talloc_tos()); 6216 if (time_str == NULL) { 6217 return False; 6218 } 6219 *pass_last_set_time = (time_t)atol(time_str); 6220 } 6221 6222 /* domain sid */ 6223 if (sid != NULL) { 6224 char *sid_str; 6225 DOM_SID *dom_sid; 6226 sid_str = smbldap_talloc_single_attribute(priv2ld(ldap_state), 6227 entry, "sambaSID", 6228 talloc_tos()); 6229 if (sid_str == NULL) { 6230 return False; 6231 } 6232 dom_sid = string_sid_talloc(talloc_tos(), sid_str); 6233 if (dom_sid == NULL) { 6234 return False; 6235 } 6236 sid_copy(sid, dom_sid); 6237 } 6238 6239 return True; 6240} 6241 6242static bool ldapsam_set_trusteddom_pw(struct pdb_methods *methods, 6243 const char* domain, 6244 const char* pwd, 6245 const DOM_SID *sid) 6246{ 6247 struct ldapsam_privates *ldap_state = 6248 (struct ldapsam_privates *)methods->private_data; 6249 LDAPMessage *entry = NULL; 6250 LDAPMod **mods = NULL; 6251 char *prev_pwd = NULL; 6252 char *trusted_dn = NULL; 6253 int rc; 6254 6255 DEBUG(10, ("ldapsam_set_trusteddom_pw called for domain %s\n", domain)); 6256 6257 /* 6258 * get the current entry (if there is one) in order to put the 6259 * current password into the previous password attribute 6260 */ 6261 if (!get_trusteddom_pw_int(ldap_state, talloc_tos(), domain, &entry)) { 6262 return False; 6263 } 6264 6265 mods = NULL; 6266 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass", 6267 LDAP_OBJ_TRUSTDOM_PASSWORD); 6268 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaDomainName", 6269 domain); 6270 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaSID", 6271 sid_string_tos(sid)); 6272 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaPwdLastSet", 6273 talloc_asprintf(talloc_tos(), "%li", (long int)time(NULL))); 6274 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, 6275 "sambaClearTextPassword", pwd); 6276 6277 if (entry != NULL) { 6278 prev_pwd = smbldap_talloc_single_attribute(priv2ld(ldap_state), 6279 entry, "sambaClearTextPassword", talloc_tos()); 6280 if (prev_pwd != NULL) { 6281 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, 6282 "sambaPreviousClearTextPassword", 6283 prev_pwd); 6284 } 6285 } 6286 6287 talloc_autofree_ldapmod(talloc_tos(), mods); 6288 6289 trusted_dn = trusteddom_dn(ldap_state, domain); 6290 if (trusted_dn == NULL) { 6291 return False; 6292 } 6293 if (entry == NULL) { 6294 rc = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods); 6295 } else { 6296 rc = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods); 6297 } 6298 6299 if (rc != LDAP_SUCCESS) { 6300 DEBUG(1, ("error writing trusted domain password!\n")); 6301 return False; 6302 } 6303 6304 return True; 6305} 6306 6307static bool ldapsam_del_trusteddom_pw(struct pdb_methods *methods, 6308 const char *domain) 6309{ 6310 int rc; 6311 struct ldapsam_privates *ldap_state = 6312 (struct ldapsam_privates *)methods->private_data; 6313 LDAPMessage *entry = NULL; 6314 const char *trusted_dn; 6315 6316 if (!get_trusteddom_pw_int(ldap_state, talloc_tos(), domain, &entry)) { 6317 return False; 6318 } 6319 6320 if (entry == NULL) { 6321 DEBUG(5, ("ldapsam_del_trusteddom_pw: no such trusted domain: " 6322 "%s\n", domain)); 6323 return True; 6324 } 6325 6326 trusted_dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), 6327 entry); 6328 if (trusted_dn == NULL) { 6329 DEBUG(0,("ldapsam_del_trusteddom_pw: Out of memory!\n")); 6330 return False; 6331 } 6332 6333 rc = smbldap_delete(ldap_state->smbldap_state, trusted_dn); 6334 if (rc != LDAP_SUCCESS) { 6335 return False; 6336 } 6337 6338 return True; 6339} 6340 6341static NTSTATUS ldapsam_enum_trusteddoms(struct pdb_methods *methods, 6342 TALLOC_CTX *mem_ctx, 6343 uint32 *num_domains, 6344 struct trustdom_info ***domains) 6345{ 6346 int rc; 6347 struct ldapsam_privates *ldap_state = 6348 (struct ldapsam_privates *)methods->private_data; 6349 char *filter; 6350 int scope = LDAP_SCOPE_SUBTREE; 6351 const char *attrs[] = { "sambaDomainName", "sambaSID", NULL }; 6352 int attrsonly = 0; /* 0: return values too */ 6353 LDAPMessage *result = NULL; 6354 LDAPMessage *entry = NULL; 6355 6356 filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)", 6357 LDAP_OBJ_TRUSTDOM_PASSWORD); 6358 6359 rc = smbldap_search(ldap_state->smbldap_state, 6360 ldap_state->domain_dn, 6361 scope, 6362 filter, 6363 attrs, 6364 attrsonly, 6365 &result); 6366 6367 if (result != NULL) { 6368 talloc_autofree_ldapmsg(mem_ctx, result); 6369 } 6370 6371 if (rc != LDAP_SUCCESS) { 6372 return NT_STATUS_UNSUCCESSFUL; 6373 } 6374 6375 *num_domains = 0; 6376 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct trustdom_info *, 1))) { 6377 DEBUG(1, ("talloc failed\n")); 6378 return NT_STATUS_NO_MEMORY; 6379 } 6380 6381 for (entry = ldap_first_entry(priv2ld(ldap_state), result); 6382 entry != NULL; 6383 entry = ldap_next_entry(priv2ld(ldap_state), entry)) 6384 { 6385 char *dom_name, *dom_sid_str; 6386 struct trustdom_info *dom_info; 6387 6388 dom_info = TALLOC_P(*domains, struct trustdom_info); 6389 if (dom_info == NULL) { 6390 DEBUG(1, ("talloc failed\n")); 6391 return NT_STATUS_NO_MEMORY; 6392 } 6393 6394 dom_name = smbldap_talloc_single_attribute(priv2ld(ldap_state), 6395 entry, 6396 "sambaDomainName", 6397 talloc_tos()); 6398 if (dom_name == NULL) { 6399 DEBUG(1, ("talloc failed\n")); 6400 return NT_STATUS_NO_MEMORY; 6401 } 6402 dom_info->name = dom_name; 6403 6404 dom_sid_str = smbldap_talloc_single_attribute( 6405 priv2ld(ldap_state), entry, "sambaSID", 6406 talloc_tos()); 6407 if (dom_sid_str == NULL) { 6408 DEBUG(1, ("talloc failed\n")); 6409 return NT_STATUS_NO_MEMORY; 6410 } 6411 if (!string_to_sid(&dom_info->sid, dom_sid_str)) { 6412 DEBUG(1, ("Error calling string_to_sid on SID %s\n", 6413 dom_sid_str)); 6414 return NT_STATUS_UNSUCCESSFUL; 6415 } 6416 6417 ADD_TO_ARRAY(*domains, struct trustdom_info *, dom_info, 6418 domains, num_domains); 6419 6420 if (*domains == NULL) { 6421 DEBUG(1, ("talloc failed\n")); 6422 return NT_STATUS_NO_MEMORY; 6423 } 6424 } 6425 6426 DEBUG(5, ("ldapsam_enum_trusteddoms: got %d domains\n", *num_domains)); 6427 return NT_STATUS_OK; 6428} 6429 6430 6431/********************************************************************** 6432 Housekeeping 6433 *********************************************************************/ 6434 6435static void free_private_data(void **vp) 6436{ 6437 struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp; 6438 6439 smbldap_free_struct(&(*ldap_state)->smbldap_state); 6440 6441 if ((*ldap_state)->result != NULL) { 6442 ldap_msgfree((*ldap_state)->result); 6443 (*ldap_state)->result = NULL; 6444 } 6445 if ((*ldap_state)->domain_dn != NULL) { 6446 SAFE_FREE((*ldap_state)->domain_dn); 6447 } 6448 6449 *ldap_state = NULL; 6450 6451 /* No need to free any further, as it is talloc()ed */ 6452} 6453 6454/********************************************************************* 6455 Intitalise the parts of the pdb_methods structure that are common to 6456 all pdb_ldap modes 6457*********************************************************************/ 6458 6459static NTSTATUS pdb_init_ldapsam_common(struct pdb_methods **pdb_method, const char *location) 6460{ 6461 NTSTATUS nt_status; 6462 struct ldapsam_privates *ldap_state; 6463 6464 if (!NT_STATUS_IS_OK(nt_status = make_pdb_method( pdb_method ))) { 6465 return nt_status; 6466 } 6467 6468 (*pdb_method)->name = "ldapsam"; 6469 6470 (*pdb_method)->getsampwnam = ldapsam_getsampwnam; 6471 (*pdb_method)->getsampwsid = ldapsam_getsampwsid; 6472 (*pdb_method)->add_sam_account = ldapsam_add_sam_account; 6473 (*pdb_method)->update_sam_account = ldapsam_update_sam_account; 6474 (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account; 6475 (*pdb_method)->rename_sam_account = ldapsam_rename_sam_account; 6476 6477 (*pdb_method)->getgrsid = ldapsam_getgrsid; 6478 (*pdb_method)->getgrgid = ldapsam_getgrgid; 6479 (*pdb_method)->getgrnam = ldapsam_getgrnam; 6480 (*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry; 6481 (*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry; 6482 (*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry; 6483 (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping; 6484 6485 (*pdb_method)->get_account_policy = ldapsam_get_account_policy; 6486 (*pdb_method)->set_account_policy = ldapsam_set_account_policy; 6487 6488 (*pdb_method)->get_seq_num = ldapsam_get_seq_num; 6489 6490 (*pdb_method)->capabilities = ldapsam_capabilities; 6491 (*pdb_method)->new_rid = ldapsam_new_rid; 6492 6493 (*pdb_method)->get_trusteddom_pw = ldapsam_get_trusteddom_pw; 6494 (*pdb_method)->set_trusteddom_pw = ldapsam_set_trusteddom_pw; 6495 (*pdb_method)->del_trusteddom_pw = ldapsam_del_trusteddom_pw; 6496 (*pdb_method)->enum_trusteddoms = ldapsam_enum_trusteddoms; 6497 6498 /* TODO: Setup private data and free */ 6499 6500 if ( !(ldap_state = TALLOC_ZERO_P(*pdb_method, struct ldapsam_privates)) ) { 6501 DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n")); 6502 return NT_STATUS_NO_MEMORY; 6503 } 6504 6505 nt_status = smbldap_init(*pdb_method, pdb_get_event_context(), 6506 location, &ldap_state->smbldap_state); 6507 6508 if ( !NT_STATUS_IS_OK(nt_status) ) { 6509 return nt_status; 6510 } 6511 6512 if ( !(ldap_state->domain_name = talloc_strdup(*pdb_method, get_global_sam_name()) ) ) { 6513 return NT_STATUS_NO_MEMORY; 6514 } 6515 6516 (*pdb_method)->private_data = ldap_state; 6517 6518 (*pdb_method)->free_private_data = free_private_data; 6519 6520 return NT_STATUS_OK; 6521} 6522 6523/********************************************************************** 6524 Initialise the 'compat' mode for pdb_ldap 6525 *********************************************************************/ 6526 6527NTSTATUS pdb_init_ldapsam_compat(struct pdb_methods **pdb_method, const char *location) 6528{ 6529 NTSTATUS nt_status; 6530 struct ldapsam_privates *ldap_state; 6531 char *uri = talloc_strdup( NULL, location ); 6532 6533 trim_char( uri, '\"', '\"' ); 6534 nt_status = pdb_init_ldapsam_common( pdb_method, uri ); 6535 if ( uri ) 6536 TALLOC_FREE( uri ); 6537 6538 if ( !NT_STATUS_IS_OK(nt_status) ) { 6539 return nt_status; 6540 } 6541 6542 (*pdb_method)->name = "ldapsam_compat"; 6543 6544 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data); 6545 ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT; 6546 6547 sid_copy(&ldap_state->domain_sid, get_global_sam_sid()); 6548 6549 return NT_STATUS_OK; 6550} 6551 6552/********************************************************************** 6553 Initialise the normal mode for pdb_ldap 6554 *********************************************************************/ 6555 6556NTSTATUS pdb_init_ldapsam(struct pdb_methods **pdb_method, const char *location) 6557{ 6558 NTSTATUS nt_status; 6559 struct ldapsam_privates *ldap_state = NULL; 6560 uint32 alg_rid_base; 6561 char *alg_rid_base_string = NULL; 6562 LDAPMessage *result = NULL; 6563 LDAPMessage *entry = NULL; 6564 DOM_SID ldap_domain_sid; 6565 DOM_SID secrets_domain_sid; 6566 char *domain_sid_string = NULL; 6567 char *dn = NULL; 6568 char *uri = talloc_strdup( NULL, location ); 6569 6570 trim_char( uri, '\"', '\"' ); 6571 nt_status = pdb_init_ldapsam_common(pdb_method, uri); 6572 if (uri) { 6573 TALLOC_FREE(uri); 6574 } 6575 6576 if (!NT_STATUS_IS_OK(nt_status)) { 6577 return nt_status; 6578 } 6579 6580 (*pdb_method)->name = "ldapsam"; 6581 6582 (*pdb_method)->add_aliasmem = ldapsam_add_aliasmem; 6583 (*pdb_method)->del_aliasmem = ldapsam_del_aliasmem; 6584 (*pdb_method)->enum_aliasmem = ldapsam_enum_aliasmem; 6585 (*pdb_method)->enum_alias_memberships = ldapsam_alias_memberships; 6586 (*pdb_method)->search_users = ldapsam_search_users; 6587 (*pdb_method)->search_groups = ldapsam_search_groups; 6588 (*pdb_method)->search_aliases = ldapsam_search_aliases; 6589 6590 if (lp_parm_bool(-1, "ldapsam", "trusted", False)) { 6591 (*pdb_method)->enum_group_members = ldapsam_enum_group_members; 6592 (*pdb_method)->enum_group_memberships = 6593 ldapsam_enum_group_memberships; 6594 (*pdb_method)->lookup_rids = ldapsam_lookup_rids; 6595 (*pdb_method)->sid_to_id = ldapsam_sid_to_id; 6596 (*pdb_method)->uid_to_sid = ldapsam_uid_to_sid; 6597 (*pdb_method)->gid_to_sid = ldapsam_gid_to_sid; 6598 6599 if (lp_parm_bool(-1, "ldapsam", "editposix", False)) { 6600 (*pdb_method)->create_user = ldapsam_create_user; 6601 (*pdb_method)->delete_user = ldapsam_delete_user; 6602 (*pdb_method)->create_dom_group = ldapsam_create_dom_group; 6603 (*pdb_method)->delete_dom_group = ldapsam_delete_dom_group; 6604 (*pdb_method)->add_groupmem = ldapsam_add_groupmem; 6605 (*pdb_method)->del_groupmem = ldapsam_del_groupmem; 6606 (*pdb_method)->set_unix_primary_group = ldapsam_set_primary_group; 6607 } 6608 } 6609 6610 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data); 6611 ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT; 6612 6613 /* Try to setup the Domain Name, Domain SID, algorithmic rid base */ 6614 6615 nt_status = smbldap_search_domain_info(ldap_state->smbldap_state, 6616 &result, 6617 ldap_state->domain_name, True); 6618 6619 if ( !NT_STATUS_IS_OK(nt_status) ) { 6620 DEBUG(2, ("pdb_init_ldapsam: WARNING: Could not get domain " 6621 "info, nor add one to the domain\n")); 6622 DEBUGADD(2, ("pdb_init_ldapsam: Continuing on regardless, " 6623 "will be unable to allocate new users/groups, " 6624 "and will risk BDCs having inconsistant SIDs\n")); 6625 sid_copy(&ldap_state->domain_sid, get_global_sam_sid()); 6626 return NT_STATUS_OK; 6627 } 6628 6629 /* Given that the above might fail, everything below this must be 6630 * optional */ 6631 6632 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, 6633 result); 6634 if (!entry) { 6635 DEBUG(0, ("pdb_init_ldapsam: Could not get domain info " 6636 "entry\n")); 6637 ldap_msgfree(result); 6638 return NT_STATUS_UNSUCCESSFUL; 6639 } 6640 6641 dn = smbldap_talloc_dn(talloc_tos(), ldap_state->smbldap_state->ldap_struct, entry); 6642 if (!dn) { 6643 ldap_msgfree(result); 6644 return NT_STATUS_UNSUCCESSFUL; 6645 } 6646 6647 ldap_state->domain_dn = smb_xstrdup(dn); 6648 TALLOC_FREE(dn); 6649 6650 domain_sid_string = smbldap_talloc_single_attribute( 6651 ldap_state->smbldap_state->ldap_struct, 6652 entry, 6653 get_userattr_key2string(ldap_state->schema_ver, 6654 LDAP_ATTR_USER_SID), 6655 talloc_tos()); 6656 6657 if (domain_sid_string) { 6658 bool found_sid; 6659 if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) { 6660 DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be " 6661 "read as a valid SID\n", domain_sid_string)); 6662 ldap_msgfree(result); 6663 TALLOC_FREE(domain_sid_string); 6664 return NT_STATUS_INVALID_PARAMETER; 6665 } 6666 found_sid = secrets_fetch_domain_sid(ldap_state->domain_name, 6667 &secrets_domain_sid); 6668 if (!found_sid || !sid_equal(&secrets_domain_sid, 6669 &ldap_domain_sid)) { 6670 DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain " 6671 "%s based on pdb_ldap results %s -> %s\n", 6672 ldap_state->domain_name, 6673 sid_string_dbg(&secrets_domain_sid), 6674 sid_string_dbg(&ldap_domain_sid))); 6675 6676 /* reset secrets.tdb sid */ 6677 secrets_store_domain_sid(ldap_state->domain_name, 6678 &ldap_domain_sid); 6679 DEBUG(1, ("New global sam SID: %s\n", 6680 sid_string_dbg(get_global_sam_sid()))); 6681 } 6682 sid_copy(&ldap_state->domain_sid, &ldap_domain_sid); 6683 TALLOC_FREE(domain_sid_string); 6684 } 6685 6686 alg_rid_base_string = smbldap_talloc_single_attribute( 6687 ldap_state->smbldap_state->ldap_struct, 6688 entry, 6689 get_attr_key2string( dominfo_attr_list, 6690 LDAP_ATTR_ALGORITHMIC_RID_BASE ), 6691 talloc_tos()); 6692 if (alg_rid_base_string) { 6693 alg_rid_base = (uint32)atol(alg_rid_base_string); 6694 if (alg_rid_base != algorithmic_rid_base()) { 6695 DEBUG(0, ("The value of 'algorithmic RID base' has " 6696 "changed since the LDAP\n" 6697 "database was initialised. Aborting. \n")); 6698 ldap_msgfree(result); 6699 TALLOC_FREE(alg_rid_base_string); 6700 return NT_STATUS_UNSUCCESSFUL; 6701 } 6702 TALLOC_FREE(alg_rid_base_string); 6703 } 6704 ldap_msgfree(result); 6705 6706 return NT_STATUS_OK; 6707} 6708 6709NTSTATUS pdb_ldap_init(void) 6710{ 6711 NTSTATUS nt_status; 6712 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam))) 6713 return nt_status; 6714 6715 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat))) 6716 return nt_status; 6717 6718 /* Let pdb_nds register backends */ 6719 pdb_nds_init(); 6720 6721 return NT_STATUS_OK; 6722} 6723