Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : LDAP protocol helper functions for SAMBA
4 : Copyright (C) Jean François Micouleau 1998
5 : Copyright (C) Gerald Carter 2001-2003
6 : Copyright (C) Shahms King 2001
7 : Copyright (C) Andrew Bartlett 2002-2003
8 : Copyright (C) Stefan (metze) Metzmacher 2002-2003
9 : Copyright (C) Simo Sorce 2006
10 :
11 : This program is free software; you can redistribute it and/or modify
12 : it under the terms of the GNU General Public License as published by
13 : the Free Software Foundation; either version 3 of the License, or
14 : (at your option) any later version.
15 :
16 : This program is distributed in the hope that it will be useful,
17 : but WITHOUT ANY WARRANTY; without even the implied warranty of
18 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 : GNU General Public License for more details.
20 :
21 : You should have received a copy of the GNU General Public License
22 : along with this program. If not, see <http://www.gnu.org/licenses/>.
23 :
24 : */
25 :
26 : /* TODO:
27 : * persistent connections: if using NSS LDAP, many connections are made
28 : * however, using only one within Samba would be nice
29 : *
30 : * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
31 : *
32 : * Other LDAP based login attributes: accountExpires, etc.
33 : * (should be the domain of Samba proper, but the sam_password/struct samu
34 : * structures don't have fields for some of these attributes)
35 : *
36 : * SSL is done, but can't get the certificate based authentication to work
37 : * against on my test platform (Linux 2.4, OpenLDAP 2.x)
38 : */
39 :
40 : /* NOTE: this will NOT work against an Active Directory server
41 : * due to the fact that the two password fields cannot be retrieved
42 : * from a server; recommend using security = domain in this situation
43 : * and/or winbind
44 : */
45 :
46 : #include "includes.h"
47 : #include "passdb.h"
48 : #include "../libcli/auth/libcli_auth.h"
49 : #include "secrets.h"
50 : #include "idmap_cache.h"
51 : #include "../libcli/security/security.h"
52 : #include "../lib/util/util_pw.h"
53 : #include "lib/winbind_util.h"
54 : #include "librpc/gen_ndr/idmap.h"
55 : #include "lib/param/loadparm.h"
56 : #include "lib/util_sid_passdb.h"
57 : #include "lib/util/smb_strtox.h"
58 : #include "lib/util/string_wrappers.h"
59 : #include "source3/lib/substitute.h"
60 :
61 : #undef DBGC_CLASS
62 : #define DBGC_CLASS DBGC_PASSDB
63 :
64 : #include <lber.h>
65 : #include <ldap.h>
66 :
67 :
68 : #include "smbldap.h"
69 : #include "passdb/pdb_ldap.h"
70 : #include "passdb/pdb_nds.h"
71 : #include "passdb/pdb_ldap_util.h"
72 : #include "passdb/pdb_ldap_schema.h"
73 :
74 : /**********************************************************************
75 : Simple helper function to make stuff better readable
76 : **********************************************************************/
77 :
78 0 : LDAP *priv2ld(struct ldapsam_privates *priv)
79 : {
80 0 : return smbldap_get_ldap(priv->smbldap_state);
81 : }
82 :
83 : /**********************************************************************
84 : Get the attribute name given a user schema version.
85 : **********************************************************************/
86 :
87 0 : static const char* get_userattr_key2string( int schema_ver, int key )
88 : {
89 0 : switch ( schema_ver ) {
90 0 : case SCHEMAVER_SAMBASAMACCOUNT:
91 0 : return get_attr_key2string( attrib_map_v30, key );
92 :
93 0 : default:
94 0 : DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
95 0 : break;
96 : }
97 0 : return NULL;
98 : }
99 :
100 : /**********************************************************************
101 : Return the list of attribute names given a user schema version.
102 : **********************************************************************/
103 :
104 0 : const char** get_userattr_list( TALLOC_CTX *mem_ctx, int schema_ver )
105 : {
106 0 : switch ( schema_ver ) {
107 0 : case SCHEMAVER_SAMBASAMACCOUNT:
108 0 : return get_attr_list( mem_ctx, attrib_map_v30 );
109 0 : default:
110 0 : DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
111 0 : break;
112 : }
113 :
114 0 : return NULL;
115 : }
116 :
117 : /**************************************************************************
118 : Return the list of attribute names to delete given a user schema version.
119 : **************************************************************************/
120 :
121 0 : static const char** get_userattr_delete_list( TALLOC_CTX *mem_ctx,
122 : int schema_ver )
123 : {
124 0 : switch ( schema_ver ) {
125 0 : case SCHEMAVER_SAMBASAMACCOUNT:
126 0 : return get_attr_list( mem_ctx,
127 : attrib_map_to_delete_v30 );
128 0 : default:
129 0 : DEBUG(0,("get_userattr_delete_list: unknown schema version specified!\n"));
130 0 : break;
131 : }
132 :
133 0 : return NULL;
134 : }
135 :
136 :
137 : /*******************************************************************
138 : Generate the LDAP search filter for the objectclass based on the
139 : version of the schema we are using.
140 : ******************************************************************/
141 :
142 0 : static const char* get_objclass_filter( int schema_ver )
143 : {
144 0 : fstring objclass_filter;
145 0 : char *result;
146 :
147 0 : switch( schema_ver ) {
148 0 : case SCHEMAVER_SAMBASAMACCOUNT:
149 0 : fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
150 0 : break;
151 0 : default:
152 0 : DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
153 0 : objclass_filter[0] = '\0';
154 0 : break;
155 : }
156 :
157 0 : result = talloc_strdup(talloc_tos(), objclass_filter);
158 0 : SMB_ASSERT(result != NULL);
159 0 : return result;
160 : }
161 :
162 : /*****************************************************************
163 : Scan a sequence number off OpenLDAP's syncrepl contextCSN
164 : ******************************************************************/
165 :
166 0 : static NTSTATUS ldapsam_get_seq_num(struct pdb_methods *my_methods, time_t *seq_num)
167 : {
168 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
169 0 : NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
170 0 : LDAPMessage *msg = NULL;
171 0 : LDAPMessage *entry = NULL;
172 0 : TALLOC_CTX *mem_ctx;
173 0 : char **values = NULL;
174 0 : int rc, num_result, num_values, rid;
175 0 : char *suffix = NULL;
176 0 : char *tok;
177 0 : const char *p;
178 0 : const char **attrs;
179 :
180 : /* Unfortunately there is no proper way to detect syncrepl-support in
181 : * smbldap_connect_system(). The syncrepl OIDs are submitted for publication
182 : * but do not show up in the root-DSE yet. Neither we can query the
183 : * subschema-context for the syncProviderSubentry or syncConsumerSubentry
184 : * objectclass. Currently we require lp_ldap_suffix() to show up as
185 : * namingContext. - Guenther
186 : */
187 :
188 0 : if (!lp_parm_bool(-1, "ldapsam", "syncrepl_seqnum", False)) {
189 0 : return ntstatus;
190 : }
191 :
192 0 : if (!seq_num) {
193 0 : DEBUG(3,("ldapsam_get_seq_num: no sequence_number\n"));
194 0 : return ntstatus;
195 : }
196 :
197 0 : if (!smbldap_has_naming_context(
198 : smbldap_get_ldap(ldap_state->smbldap_state),
199 : lp_ldap_suffix())) {
200 0 : DEBUG(3,("ldapsam_get_seq_num: DIT not configured to hold %s "
201 : "as top-level namingContext\n", lp_ldap_suffix()));
202 0 : return ntstatus;
203 : }
204 :
205 0 : mem_ctx = talloc_init("ldapsam_get_seq_num");
206 :
207 0 : if (mem_ctx == NULL)
208 0 : return NT_STATUS_NO_MEMORY;
209 :
210 0 : if ((attrs = talloc_array(mem_ctx, const char *, 2)) == NULL) {
211 0 : ntstatus = NT_STATUS_NO_MEMORY;
212 0 : goto done;
213 : }
214 :
215 : /* if we got a syncrepl-rid (up to three digits long) we speak with a consumer */
216 0 : rid = lp_parm_int(-1, "ldapsam", "syncrepl_rid", -1);
217 0 : if (rid > 0) {
218 :
219 : /* consumer syncreplCookie: */
220 : /* csn=20050126161620Z#0000001#00#00000 */
221 0 : attrs[0] = talloc_strdup(mem_ctx, "syncreplCookie");
222 0 : attrs[1] = NULL;
223 0 : suffix = talloc_asprintf(mem_ctx,
224 : "cn=syncrepl%d,%s", rid, lp_ldap_suffix());
225 0 : if (!suffix) {
226 0 : ntstatus = NT_STATUS_NO_MEMORY;
227 0 : goto done;
228 : }
229 : } else {
230 :
231 : /* provider contextCSN */
232 : /* 20050126161620Z#000009#00#000000 */
233 0 : attrs[0] = talloc_strdup(mem_ctx, "contextCSN");
234 0 : attrs[1] = NULL;
235 0 : suffix = talloc_asprintf(mem_ctx,
236 : "cn=ldapsync,%s", lp_ldap_suffix());
237 :
238 0 : if (!suffix) {
239 0 : ntstatus = NT_STATUS_NO_MEMORY;
240 0 : goto done;
241 : }
242 : }
243 :
244 0 : rc = smbldap_search(ldap_state->smbldap_state, suffix,
245 : LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0, &msg);
246 :
247 0 : if (rc != LDAP_SUCCESS) {
248 0 : goto done;
249 : }
250 :
251 0 : num_result = ldap_count_entries(
252 : smbldap_get_ldap(ldap_state->smbldap_state), msg);
253 0 : if (num_result != 1) {
254 0 : DEBUG(3,("ldapsam_get_seq_num: Expected one entry, got %d\n", num_result));
255 0 : goto done;
256 : }
257 :
258 0 : entry = ldap_first_entry(
259 : smbldap_get_ldap(ldap_state->smbldap_state), msg);
260 0 : if (entry == NULL) {
261 0 : DEBUG(3,("ldapsam_get_seq_num: Could not retrieve entry\n"));
262 0 : goto done;
263 : }
264 :
265 0 : values = ldap_get_values(
266 : smbldap_get_ldap(ldap_state->smbldap_state), entry, attrs[0]);
267 0 : if (values == NULL) {
268 0 : DEBUG(3,("ldapsam_get_seq_num: no values\n"));
269 0 : goto done;
270 : }
271 :
272 0 : num_values = ldap_count_values(values);
273 0 : if (num_values == 0) {
274 0 : DEBUG(3,("ldapsam_get_seq_num: not a single value\n"));
275 0 : goto done;
276 : }
277 :
278 0 : p = values[0];
279 0 : if (!next_token_talloc(mem_ctx, &p, &tok, "#")) {
280 0 : DEBUG(0,("ldapsam_get_seq_num: failed to parse sequence number\n"));
281 0 : goto done;
282 : }
283 :
284 0 : p = tok;
285 0 : if (!strncmp(p, "csn=", strlen("csn=")))
286 0 : p += strlen("csn=");
287 :
288 0 : DEBUG(10,("ldapsam_get_seq_num: got %s: %s\n", attrs[0], p));
289 :
290 0 : *seq_num = generalized_to_unix_time(p);
291 :
292 : /* very basic sanity check */
293 0 : if (*seq_num <= 0) {
294 0 : DEBUG(3,("ldapsam_get_seq_num: invalid sequence number: %d\n",
295 : (int)*seq_num));
296 0 : goto done;
297 : }
298 :
299 0 : ntstatus = NT_STATUS_OK;
300 :
301 0 : done:
302 0 : if (values != NULL)
303 0 : ldap_value_free(values);
304 0 : if (msg != NULL)
305 0 : ldap_msgfree(msg);
306 0 : if (mem_ctx)
307 0 : talloc_destroy(mem_ctx);
308 :
309 0 : return ntstatus;
310 : }
311 :
312 : /*******************************************************************
313 : Run the search by name.
314 : ******************************************************************/
315 :
316 0 : int ldapsam_search_suffix_by_name(struct ldapsam_privates *ldap_state,
317 : const char *user,
318 : LDAPMessage ** result,
319 : const char **attr)
320 : {
321 0 : char *filter = NULL;
322 0 : char *escape_user = escape_ldap_string(talloc_tos(), user);
323 0 : int ret = -1;
324 :
325 0 : if (!escape_user) {
326 0 : return LDAP_NO_MEMORY;
327 : }
328 :
329 : /*
330 : * in the filter expression, replace %u with the real name
331 : * so in ldap filter, %u MUST exist :-)
332 : */
333 0 : filter = talloc_asprintf(talloc_tos(), "(&%s%s)", "(uid=%u)",
334 : get_objclass_filter(ldap_state->schema_ver));
335 0 : if (!filter) {
336 0 : TALLOC_FREE(escape_user);
337 0 : return LDAP_NO_MEMORY;
338 : }
339 : /*
340 : * have to use this here because $ is filtered out
341 : * in string_sub
342 : */
343 :
344 0 : filter = talloc_all_string_sub(talloc_tos(),
345 : filter, "%u", escape_user);
346 0 : TALLOC_FREE(escape_user);
347 0 : if (!filter) {
348 0 : return LDAP_NO_MEMORY;
349 : }
350 :
351 0 : ret = smbldap_search_suffix(ldap_state->smbldap_state,
352 : filter, attr, result);
353 0 : TALLOC_FREE(filter);
354 0 : return ret;
355 : }
356 :
357 : /*******************************************************************
358 : Run the search by SID.
359 : ******************************************************************/
360 :
361 0 : static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
362 : const struct dom_sid *sid, LDAPMessage ** result,
363 : const char **attr)
364 : {
365 0 : char *filter = NULL;
366 0 : int rc;
367 0 : struct dom_sid_buf sid_string;
368 :
369 0 : filter = talloc_asprintf(talloc_tos(), "(&(%s=%s)%s)",
370 : get_userattr_key2string(ldap_state->schema_ver,
371 : LDAP_ATTR_USER_SID),
372 : dom_sid_str_buf(sid, &sid_string),
373 : get_objclass_filter(ldap_state->schema_ver));
374 0 : if (!filter) {
375 0 : return LDAP_NO_MEMORY;
376 : }
377 :
378 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state,
379 : filter, attr, result);
380 :
381 0 : TALLOC_FREE(filter);
382 0 : return rc;
383 : }
384 :
385 : /*******************************************************************
386 : Delete complete object or objectclass and attrs from
387 : object found in search_result depending on lp_ldap_delete_dn
388 : ******************************************************************/
389 :
390 0 : static int ldapsam_delete_entry(struct ldapsam_privates *priv,
391 : TALLOC_CTX *mem_ctx,
392 : LDAPMessage *entry,
393 : const char *objectclass,
394 : const char **attrs)
395 : {
396 0 : LDAPMod **mods = NULL;
397 0 : char *name;
398 0 : const char *dn;
399 0 : BerElement *ptr = NULL;
400 :
401 0 : dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry);
402 0 : if (dn == NULL) {
403 0 : return LDAP_NO_MEMORY;
404 : }
405 :
406 0 : if (lp_ldap_delete_dn()) {
407 0 : return smbldap_delete(priv->smbldap_state, dn);
408 : }
409 :
410 : /* Ok, delete only the SAM attributes */
411 :
412 0 : for (name = ldap_first_attribute(priv2ld(priv), entry, &ptr);
413 0 : name != NULL;
414 0 : name = ldap_next_attribute(priv2ld(priv), entry, ptr)) {
415 : const char **attrib;
416 :
417 : /* We are only allowed to delete the attributes that
418 : really exist. */
419 :
420 0 : for (attrib = attrs; *attrib != NULL; attrib++) {
421 0 : if (strequal(*attrib, name)) {
422 0 : DEBUG(10, ("ldapsam_delete_entry: deleting "
423 : "attribute %s\n", name));
424 0 : smbldap_set_mod(&mods, LDAP_MOD_DELETE, name,
425 : NULL);
426 : }
427 : }
428 0 : ldap_memfree(name);
429 : }
430 :
431 0 : if (ptr != NULL) {
432 0 : ber_free(ptr, 0);
433 : }
434 :
435 0 : smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
436 0 : smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
437 :
438 0 : return smbldap_modify(priv->smbldap_state, dn, mods);
439 : }
440 :
441 0 : static time_t ldapsam_get_entry_timestamp( struct ldapsam_privates *ldap_state, LDAPMessage * entry)
442 : {
443 0 : char *temp;
444 0 : struct tm tm = {};
445 :
446 0 : temp = smbldap_talloc_single_attribute(
447 : smbldap_get_ldap(ldap_state->smbldap_state), entry,
448 : get_userattr_key2string(ldap_state->schema_ver,
449 : LDAP_ATTR_MOD_TIMESTAMP),
450 : talloc_tos());
451 0 : if (!temp) {
452 0 : return (time_t) 0;
453 : }
454 :
455 0 : if ( !strptime(temp, "%Y%m%d%H%M%SZ", &tm)) {
456 0 : DEBUG(2,("ldapsam_get_entry_timestamp: strptime failed on: %s\n",
457 : (char*)temp));
458 0 : TALLOC_FREE(temp);
459 0 : return (time_t) 0;
460 : }
461 0 : TALLOC_FREE(temp);
462 0 : tzset();
463 0 : return timegm(&tm);
464 : }
465 :
466 : /**********************************************************************
467 : Initialize struct samu from an LDAP query.
468 : (Based on init_sam_from_buffer in pdb_tdb.c)
469 : *********************************************************************/
470 :
471 0 : static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
472 : struct samu * sampass,
473 : LDAPMessage * entry)
474 : {
475 0 : time_t logon_time,
476 : logoff_time,
477 : kickoff_time,
478 : pass_last_set_time,
479 : pass_can_change_time,
480 : ldap_entry_time,
481 : bad_password_time;
482 0 : char *username = NULL,
483 0 : *domain = NULL,
484 0 : *nt_username = NULL,
485 0 : *fullname = NULL,
486 0 : *homedir = NULL,
487 0 : *dir_drive = NULL,
488 0 : *logon_script = NULL,
489 0 : *profile_path = NULL,
490 0 : *acct_desc = NULL,
491 0 : *workstations = NULL,
492 0 : *munged_dial = NULL;
493 0 : uint32_t user_rid;
494 0 : uint8_t smblmpwd[LM_HASH_LEN],
495 : smbntpwd[NT_HASH_LEN];
496 0 : bool use_samba_attrs = True;
497 0 : uint16_t logon_divs;
498 0 : uint16_t bad_password_count = 0,
499 0 : logon_count = 0;
500 0 : uint32_t hours_len;
501 0 : uint8_t hours[MAX_HOURS_LEN];
502 0 : char *temp = NULL;
503 0 : struct login_cache cache_entry;
504 0 : uint32_t pwHistLen;
505 0 : bool expand_explicit = lp_passdb_expand_explicit();
506 0 : bool ret = false;
507 0 : TALLOC_CTX *ctx = talloc_init("init_sam_from_ldap");
508 :
509 0 : if (!ctx) {
510 0 : return false;
511 : }
512 0 : if (sampass == NULL || ldap_state == NULL || entry == NULL) {
513 0 : DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
514 0 : goto fn_exit;
515 : }
516 :
517 0 : if (priv2ld(ldap_state) == NULL) {
518 0 : DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->"
519 : "ldap_struct is NULL!\n"));
520 0 : goto fn_exit;
521 : }
522 :
523 0 : if (!(username = smbldap_talloc_first_attribute(priv2ld(ldap_state),
524 : entry,
525 : "uid",
526 : ctx))) {
527 0 : DEBUG(1, ("init_sam_from_ldap: No uid attribute found for "
528 : "this user!\n"));
529 0 : goto fn_exit;
530 : }
531 :
532 0 : DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
533 :
534 0 : nt_username = talloc_strdup(ctx, username);
535 0 : if (!nt_username) {
536 0 : goto fn_exit;
537 : }
538 :
539 0 : domain = talloc_strdup(ctx, ldap_state->domain_name);
540 0 : if (!domain) {
541 0 : goto fn_exit;
542 : }
543 :
544 0 : pdb_set_username(sampass, username, PDB_SET);
545 :
546 0 : pdb_set_domain(sampass, domain, PDB_DEFAULT);
547 0 : pdb_set_nt_username(sampass, nt_username, PDB_SET);
548 :
549 : /* deal with different attributes between the schema first */
550 :
551 0 : if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
552 0 : if ((temp = smbldap_talloc_single_attribute(
553 : smbldap_get_ldap(ldap_state->smbldap_state),
554 : entry,
555 : get_userattr_key2string(ldap_state->schema_ver,
556 : LDAP_ATTR_USER_SID),
557 : ctx))!=NULL) {
558 0 : pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
559 : }
560 : } else {
561 0 : if ((temp = smbldap_talloc_single_attribute(
562 : smbldap_get_ldap(ldap_state->smbldap_state),
563 : entry,
564 : get_userattr_key2string(ldap_state->schema_ver,
565 : LDAP_ATTR_USER_RID),
566 : ctx))!=NULL) {
567 0 : user_rid = (uint32_t)atol(temp);
568 0 : pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
569 : }
570 : }
571 :
572 0 : if (IS_SAM_DEFAULT(sampass, PDB_USERSID)) {
573 0 : DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
574 : get_userattr_key2string(ldap_state->schema_ver,
575 : LDAP_ATTR_USER_SID),
576 : get_userattr_key2string(ldap_state->schema_ver,
577 : LDAP_ATTR_USER_RID),
578 : username));
579 0 : return False;
580 : }
581 :
582 0 : temp = smbldap_talloc_single_attribute(
583 : smbldap_get_ldap(ldap_state->smbldap_state),
584 : entry,
585 : get_userattr_key2string(ldap_state->schema_ver,
586 : LDAP_ATTR_PWD_LAST_SET),
587 : ctx);
588 0 : if (temp) {
589 0 : pass_last_set_time = (time_t) atol(temp);
590 0 : pdb_set_pass_last_set_time(sampass,
591 : pass_last_set_time, PDB_SET);
592 : }
593 :
594 0 : temp = smbldap_talloc_single_attribute(
595 : smbldap_get_ldap(ldap_state->smbldap_state),
596 : entry,
597 : get_userattr_key2string(ldap_state->schema_ver,
598 : LDAP_ATTR_LOGON_TIME),
599 : ctx);
600 0 : if (temp) {
601 0 : logon_time = (time_t) atol(temp);
602 0 : pdb_set_logon_time(sampass, logon_time, PDB_SET);
603 : }
604 :
605 0 : temp = smbldap_talloc_single_attribute(
606 : smbldap_get_ldap(ldap_state->smbldap_state),
607 : entry,
608 : get_userattr_key2string(ldap_state->schema_ver,
609 : LDAP_ATTR_LOGOFF_TIME),
610 : ctx);
611 0 : if (temp) {
612 0 : logoff_time = (time_t) atol(temp);
613 0 : pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
614 : }
615 :
616 0 : temp = smbldap_talloc_single_attribute(
617 : smbldap_get_ldap(ldap_state->smbldap_state),
618 : entry,
619 : get_userattr_key2string(ldap_state->schema_ver,
620 : LDAP_ATTR_KICKOFF_TIME),
621 : ctx);
622 0 : if (temp) {
623 0 : kickoff_time = (time_t) atol(temp);
624 0 : pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
625 : }
626 :
627 0 : temp = smbldap_talloc_single_attribute(
628 : smbldap_get_ldap(ldap_state->smbldap_state),
629 : entry,
630 : get_userattr_key2string(ldap_state->schema_ver,
631 : LDAP_ATTR_PWD_CAN_CHANGE),
632 : ctx);
633 0 : if (temp) {
634 0 : pass_can_change_time = (time_t) atol(temp);
635 0 : pdb_set_pass_can_change_time(sampass,
636 : pass_can_change_time, PDB_SET);
637 : }
638 :
639 : /* recommend that 'gecos' and 'displayName' should refer to the same
640 : * attribute OID. userFullName depreciated, only used by Samba
641 : * primary rules of LDAP: don't make a new attribute when one is already defined
642 : * that fits your needs; using cn then displayName rather than 'userFullName'
643 : */
644 :
645 0 : fullname = smbldap_talloc_single_attribute(
646 : smbldap_get_ldap(ldap_state->smbldap_state),
647 : entry,
648 : get_userattr_key2string(ldap_state->schema_ver,
649 : LDAP_ATTR_DISPLAY_NAME),
650 : ctx);
651 0 : if (fullname) {
652 0 : pdb_set_fullname(sampass, fullname, PDB_SET);
653 : } else {
654 0 : fullname = smbldap_talloc_single_attribute(
655 : smbldap_get_ldap(ldap_state->smbldap_state),
656 : entry,
657 : get_userattr_key2string(ldap_state->schema_ver,
658 : LDAP_ATTR_CN),
659 : ctx);
660 0 : if (fullname) {
661 0 : pdb_set_fullname(sampass, fullname, PDB_SET);
662 : }
663 : }
664 :
665 0 : dir_drive = smbldap_talloc_single_attribute(
666 : smbldap_get_ldap(ldap_state->smbldap_state),
667 : entry,
668 : get_userattr_key2string(ldap_state->schema_ver,
669 : LDAP_ATTR_HOME_DRIVE),
670 : ctx);
671 0 : if (dir_drive) {
672 0 : pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
673 : } else {
674 0 : pdb_set_dir_drive( sampass, lp_logon_drive(), PDB_DEFAULT );
675 : }
676 :
677 0 : homedir = smbldap_talloc_single_attribute(
678 : smbldap_get_ldap(ldap_state->smbldap_state),
679 : entry,
680 : get_userattr_key2string(ldap_state->schema_ver,
681 : LDAP_ATTR_HOME_PATH),
682 : ctx);
683 0 : if (homedir) {
684 0 : if (expand_explicit) {
685 0 : homedir = talloc_sub_basic(ctx,
686 : username,
687 : domain,
688 : homedir);
689 0 : if (!homedir) {
690 0 : goto fn_exit;
691 : }
692 : }
693 0 : pdb_set_homedir(sampass, homedir, PDB_SET);
694 : } else {
695 0 : pdb_set_homedir(sampass,
696 0 : talloc_sub_basic(ctx, username, domain,
697 : lp_logon_home()),
698 : PDB_DEFAULT);
699 : }
700 :
701 0 : logon_script = smbldap_talloc_single_attribute(
702 : smbldap_get_ldap(ldap_state->smbldap_state),
703 : entry,
704 : get_userattr_key2string(ldap_state->schema_ver,
705 : LDAP_ATTR_LOGON_SCRIPT),
706 : ctx);
707 0 : if (logon_script) {
708 0 : if (expand_explicit) {
709 0 : logon_script = talloc_sub_basic(ctx,
710 : username,
711 : domain,
712 : logon_script);
713 0 : if (!logon_script) {
714 0 : goto fn_exit;
715 : }
716 : }
717 0 : pdb_set_logon_script(sampass, logon_script, PDB_SET);
718 : } else {
719 0 : pdb_set_logon_script(sampass,
720 0 : talloc_sub_basic(ctx, username, domain,
721 : lp_logon_script()),
722 : PDB_DEFAULT );
723 : }
724 :
725 0 : profile_path = smbldap_talloc_single_attribute(
726 : smbldap_get_ldap(ldap_state->smbldap_state),
727 : entry,
728 : get_userattr_key2string(ldap_state->schema_ver,
729 : LDAP_ATTR_PROFILE_PATH),
730 : ctx);
731 0 : if (profile_path) {
732 0 : if (expand_explicit) {
733 0 : profile_path = talloc_sub_basic(ctx,
734 : username,
735 : domain,
736 : profile_path);
737 0 : if (!profile_path) {
738 0 : goto fn_exit;
739 : }
740 : }
741 0 : pdb_set_profile_path(sampass, profile_path, PDB_SET);
742 : } else {
743 0 : pdb_set_profile_path(sampass,
744 0 : talloc_sub_basic(ctx, username, domain,
745 : lp_logon_path()),
746 : PDB_DEFAULT );
747 : }
748 :
749 0 : acct_desc = smbldap_talloc_single_attribute(
750 : smbldap_get_ldap(ldap_state->smbldap_state),
751 : entry,
752 : get_userattr_key2string(ldap_state->schema_ver,
753 : LDAP_ATTR_DESC),
754 : ctx);
755 0 : if (acct_desc) {
756 0 : pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
757 : }
758 :
759 0 : workstations = smbldap_talloc_single_attribute(
760 : smbldap_get_ldap(ldap_state->smbldap_state),
761 : entry,
762 : get_userattr_key2string(ldap_state->schema_ver,
763 : LDAP_ATTR_USER_WKS),
764 : ctx);
765 0 : if (workstations) {
766 0 : pdb_set_workstations(sampass, workstations, PDB_SET);
767 : }
768 :
769 0 : munged_dial = smbldap_talloc_single_attribute(
770 : smbldap_get_ldap(ldap_state->smbldap_state),
771 : entry,
772 : get_userattr_key2string(ldap_state->schema_ver,
773 : LDAP_ATTR_MUNGED_DIAL),
774 : ctx);
775 0 : if (munged_dial) {
776 0 : pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
777 : }
778 :
779 : /* FIXME: hours stuff should be cleaner */
780 :
781 0 : logon_divs = 168;
782 0 : hours_len = 21;
783 0 : memset(hours, 0xff, hours_len);
784 :
785 0 : if (ldap_state->is_nds_ldap) {
786 0 : char *user_dn;
787 0 : size_t pwd_len;
788 0 : char clear_text_pw[512];
789 :
790 : /* Make call to Novell eDirectory ldap extension to get clear text password.
791 : NOTE: This will only work if we have an SSL connection to eDirectory. */
792 0 : user_dn = smbldap_talloc_dn(
793 : ctx, smbldap_get_ldap(ldap_state->smbldap_state),
794 : entry);
795 0 : if (user_dn != NULL) {
796 0 : DEBUG(3, ("init_sam_from_ldap: smbldap_talloc_dn(ctx, %s) returned '%s'\n", username, user_dn));
797 :
798 0 : pwd_len = sizeof(clear_text_pw);
799 0 : if (pdb_nds_get_password(ldap_state->smbldap_state, user_dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) {
800 0 : nt_lm_owf_gen(clear_text_pw, smbntpwd, smblmpwd);
801 0 : if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
802 0 : TALLOC_FREE(user_dn);
803 0 : return False;
804 : }
805 0 : ZERO_STRUCT(smblmpwd);
806 0 : if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
807 0 : TALLOC_FREE(user_dn);
808 0 : return False;
809 : }
810 0 : ZERO_STRUCT(smbntpwd);
811 0 : use_samba_attrs = False;
812 : }
813 :
814 0 : TALLOC_FREE(user_dn);
815 :
816 : } else {
817 0 : DEBUG(0, ("init_sam_from_ldap: failed to get user_dn for '%s'\n", username));
818 : }
819 : }
820 :
821 0 : if (use_samba_attrs) {
822 0 : temp = smbldap_talloc_single_attribute(
823 : smbldap_get_ldap(ldap_state->smbldap_state),
824 : entry,
825 : get_userattr_key2string(ldap_state->schema_ver,
826 : LDAP_ATTR_LMPW),
827 : ctx);
828 0 : if (temp) {
829 0 : pdb_gethexpwd(temp, smblmpwd);
830 0 : memset((char *)temp, '\0', strlen(temp)+1);
831 0 : if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
832 0 : goto fn_exit;
833 : }
834 0 : ZERO_STRUCT(smblmpwd);
835 : }
836 :
837 0 : temp = smbldap_talloc_single_attribute(
838 : smbldap_get_ldap(ldap_state->smbldap_state),
839 : entry,
840 : get_userattr_key2string(ldap_state->schema_ver,
841 : LDAP_ATTR_NTPW),
842 : ctx);
843 0 : if (temp) {
844 0 : pdb_gethexpwd(temp, smbntpwd);
845 0 : memset((char *)temp, '\0', strlen(temp)+1);
846 0 : if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
847 0 : goto fn_exit;
848 : }
849 0 : ZERO_STRUCT(smbntpwd);
850 : }
851 : }
852 :
853 0 : pwHistLen = 0;
854 :
855 0 : pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
856 0 : if (pwHistLen > 0){
857 0 : uint8_t *pwhist = NULL;
858 0 : int i;
859 0 : char *history_string = talloc_array(ctx, char,
860 : MAX_PW_HISTORY_LEN*64);
861 :
862 0 : if (!history_string) {
863 0 : goto fn_exit;
864 : }
865 :
866 0 : pwHistLen = MIN(pwHistLen, MAX_PW_HISTORY_LEN);
867 :
868 0 : pwhist = talloc_zero_array(ctx, uint8_t,
869 : pwHistLen * PW_HISTORY_ENTRY_LEN);
870 0 : if (pwhist == NULL) {
871 0 : DEBUG(0, ("init_sam_from_ldap: talloc failed!\n"));
872 0 : goto fn_exit;
873 : }
874 :
875 0 : if (smbldap_get_single_attribute(
876 : smbldap_get_ldap(ldap_state->smbldap_state),
877 : entry,
878 : get_userattr_key2string(ldap_state->schema_ver,
879 : LDAP_ATTR_PWD_HISTORY),
880 : history_string,
881 : MAX_PW_HISTORY_LEN*64)) {
882 0 : bool hex_failed = false;
883 0 : for (i = 0; i < pwHistLen; i++){
884 : /* Get the 16 byte salt. */
885 0 : if (!pdb_gethexpwd(&history_string[i*64],
886 0 : &pwhist[i*PW_HISTORY_ENTRY_LEN])) {
887 0 : hex_failed = true;
888 0 : break;
889 : }
890 : /* Get the 16 byte MD5 hash of salt+passwd. */
891 0 : if (!pdb_gethexpwd(&history_string[(i*64)+32],
892 0 : &pwhist[(i*PW_HISTORY_ENTRY_LEN)+
893 : PW_HISTORY_SALT_LEN])) {
894 0 : hex_failed = True;
895 0 : break;
896 : }
897 : }
898 0 : if (hex_failed) {
899 0 : DEBUG(2,("init_sam_from_ldap: Failed to get password history for user %s\n",
900 : username));
901 0 : memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
902 : }
903 : }
904 0 : if (!pdb_set_pw_history(sampass, pwhist, pwHistLen, PDB_SET)){
905 0 : goto fn_exit;
906 : }
907 : }
908 :
909 0 : temp = smbldap_talloc_single_attribute(
910 : smbldap_get_ldap(ldap_state->smbldap_state),
911 : entry,
912 : get_userattr_key2string(ldap_state->schema_ver,
913 : LDAP_ATTR_ACB_INFO),
914 : ctx);
915 0 : if (temp) {
916 0 : uint32_t acct_ctrl = 0;
917 0 : acct_ctrl = pdb_decode_acct_ctrl(temp);
918 :
919 0 : if (acct_ctrl == 0) {
920 0 : acct_ctrl |= ACB_NORMAL;
921 : }
922 :
923 0 : pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
924 : }
925 :
926 0 : pdb_set_hours_len(sampass, hours_len, PDB_SET);
927 0 : pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
928 :
929 0 : temp = smbldap_talloc_single_attribute(
930 : smbldap_get_ldap(ldap_state->smbldap_state),
931 : entry,
932 : get_userattr_key2string(ldap_state->schema_ver,
933 : LDAP_ATTR_BAD_PASSWORD_COUNT),
934 : ctx);
935 0 : if (temp) {
936 0 : bad_password_count = (uint32_t) atol(temp);
937 0 : pdb_set_bad_password_count(sampass,
938 : bad_password_count, PDB_SET);
939 : }
940 :
941 0 : temp = smbldap_talloc_single_attribute(
942 : smbldap_get_ldap(ldap_state->smbldap_state),
943 : entry,
944 : get_userattr_key2string(ldap_state->schema_ver,
945 : LDAP_ATTR_BAD_PASSWORD_TIME),
946 : ctx);
947 0 : if (temp) {
948 0 : bad_password_time = (time_t) atol(temp);
949 0 : pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
950 : }
951 :
952 :
953 0 : temp = smbldap_talloc_single_attribute(
954 : smbldap_get_ldap(ldap_state->smbldap_state),
955 : entry,
956 : get_userattr_key2string(ldap_state->schema_ver,
957 : LDAP_ATTR_LOGON_COUNT),
958 : ctx);
959 0 : if (temp) {
960 0 : logon_count = (uint32_t) atol(temp);
961 0 : pdb_set_logon_count(sampass, logon_count, PDB_SET);
962 : }
963 :
964 : /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
965 :
966 0 : temp = smbldap_talloc_single_attribute(
967 : smbldap_get_ldap(ldap_state->smbldap_state),
968 : entry,
969 : get_userattr_key2string(ldap_state->schema_ver,
970 : LDAP_ATTR_LOGON_HOURS),
971 : ctx);
972 0 : if (temp) {
973 0 : pdb_gethexhours(temp, hours);
974 0 : memset((char *)temp, '\0', strlen(temp) +1);
975 0 : pdb_set_hours(sampass, hours, hours_len, PDB_SET);
976 0 : ZERO_STRUCT(hours);
977 : }
978 :
979 0 : if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
980 0 : struct passwd unix_pw;
981 0 : bool have_uid = false;
982 0 : bool have_gid = false;
983 0 : struct dom_sid mapped_gsid;
984 0 : const struct dom_sid *primary_gsid;
985 0 : struct unixid id;
986 0 : int error = 0;
987 :
988 0 : ZERO_STRUCT(unix_pw);
989 :
990 0 : unix_pw.pw_name = username;
991 0 : unix_pw.pw_passwd = discard_const_p(char, "x");
992 :
993 0 : temp = smbldap_talloc_single_attribute(
994 : priv2ld(ldap_state),
995 : entry,
996 : "uidNumber",
997 : ctx);
998 0 : if (temp) {
999 : /* We've got a uid, feed the cache */
1000 0 : unix_pw.pw_uid = smb_strtoul(temp,
1001 : NULL,
1002 : 10,
1003 : &error,
1004 : SMB_STR_STANDARD);
1005 0 : if (error != 0) {
1006 0 : DBG_ERR("Failed to convert UID\n");
1007 0 : goto fn_exit;
1008 : }
1009 0 : have_uid = true;
1010 : }
1011 0 : temp = smbldap_talloc_single_attribute(
1012 : priv2ld(ldap_state),
1013 : entry,
1014 : "gidNumber",
1015 : ctx);
1016 0 : if (temp) {
1017 : /* We've got a uid, feed the cache */
1018 0 : unix_pw.pw_gid = smb_strtoul(temp,
1019 : NULL,
1020 : 10,
1021 : &error,
1022 : SMB_STR_STANDARD);
1023 0 : if (error != 0) {
1024 0 : DBG_ERR("Failed to convert GID\n");
1025 0 : goto fn_exit;
1026 : }
1027 0 : have_gid = true;
1028 : }
1029 0 : unix_pw.pw_gecos = smbldap_talloc_single_attribute(
1030 : priv2ld(ldap_state),
1031 : entry,
1032 : "gecos",
1033 : ctx);
1034 0 : if (unix_pw.pw_gecos == NULL) {
1035 0 : unix_pw.pw_gecos = fullname;
1036 : }
1037 0 : unix_pw.pw_dir = smbldap_talloc_single_attribute(
1038 : priv2ld(ldap_state),
1039 : entry,
1040 : "homeDirectory",
1041 : ctx);
1042 0 : if (unix_pw.pw_dir == NULL) {
1043 0 : unix_pw.pw_dir = discard_const_p(char, "");
1044 : }
1045 0 : unix_pw.pw_shell = smbldap_talloc_single_attribute(
1046 : priv2ld(ldap_state),
1047 : entry,
1048 : "loginShell",
1049 : ctx);
1050 0 : if (unix_pw.pw_shell == NULL) {
1051 0 : unix_pw.pw_shell = discard_const_p(char, "");
1052 : }
1053 :
1054 0 : if (have_uid && have_gid) {
1055 0 : sampass->unix_pw = tcopy_passwd(sampass, &unix_pw);
1056 : } else {
1057 0 : sampass->unix_pw = Get_Pwnam_alloc(sampass, unix_pw.pw_name);
1058 : }
1059 :
1060 0 : if (sampass->unix_pw == NULL) {
1061 0 : DEBUG(0,("init_sam_from_ldap: Failed to find Unix account for %s\n",
1062 : pdb_get_username(sampass)));
1063 0 : goto fn_exit;
1064 : }
1065 :
1066 0 : id.id = sampass->unix_pw->pw_uid;
1067 0 : id.type = ID_TYPE_UID;
1068 :
1069 0 : idmap_cache_set_sid2unixid(pdb_get_user_sid(sampass), &id);
1070 :
1071 0 : gid_to_sid(&mapped_gsid, sampass->unix_pw->pw_gid);
1072 0 : primary_gsid = pdb_get_group_sid(sampass);
1073 0 : if (primary_gsid && dom_sid_equal(primary_gsid, &mapped_gsid)) {
1074 0 : id.id = sampass->unix_pw->pw_gid;
1075 0 : id.type = ID_TYPE_GID;
1076 :
1077 0 : idmap_cache_set_sid2unixid(primary_gsid, &id);
1078 : }
1079 : }
1080 :
1081 : /* check the timestamp of the cache vs ldap entry */
1082 0 : if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
1083 : entry))) {
1084 0 : ret = true;
1085 0 : goto fn_exit;
1086 : }
1087 :
1088 : /* see if we have newer updates */
1089 0 : if (!login_cache_read(sampass, &cache_entry)) {
1090 0 : DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
1091 : (unsigned int)pdb_get_bad_password_count(sampass),
1092 : (unsigned int)pdb_get_bad_password_time(sampass)));
1093 0 : ret = true;
1094 0 : goto fn_exit;
1095 : }
1096 :
1097 0 : DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
1098 : (unsigned int)ldap_entry_time,
1099 : (unsigned int)cache_entry.entry_timestamp,
1100 : (unsigned int)cache_entry.bad_password_time));
1101 :
1102 0 : if (ldap_entry_time > cache_entry.entry_timestamp) {
1103 : /* cache is older than directory , so
1104 : we need to delete the entry but allow the
1105 : fields to be written out */
1106 0 : login_cache_delentry(sampass);
1107 : } else {
1108 : /* read cache in */
1109 0 : pdb_set_acct_ctrl(sampass,
1110 0 : pdb_get_acct_ctrl(sampass) |
1111 0 : (cache_entry.acct_ctrl & ACB_AUTOLOCK),
1112 : PDB_SET);
1113 0 : pdb_set_bad_password_count(sampass,
1114 0 : cache_entry.bad_password_count,
1115 : PDB_SET);
1116 0 : pdb_set_bad_password_time(sampass,
1117 : cache_entry.bad_password_time,
1118 : PDB_SET);
1119 : }
1120 :
1121 0 : ret = true;
1122 :
1123 0 : fn_exit:
1124 :
1125 0 : TALLOC_FREE(ctx);
1126 0 : return ret;
1127 : }
1128 :
1129 : /**********************************************************************
1130 : Initialize the ldap db from a struct samu. Called on update.
1131 : (Based on init_buffer_from_sam in pdb_tdb.c)
1132 : *********************************************************************/
1133 :
1134 0 : static bool init_ldap_from_sam (struct ldapsam_privates *ldap_state,
1135 : LDAPMessage *existing,
1136 : LDAPMod *** mods, struct samu * sampass,
1137 : bool (*need_update)(const struct samu *,
1138 : enum pdb_elements))
1139 : {
1140 0 : char *temp = NULL;
1141 :
1142 0 : if (mods == NULL || sampass == NULL) {
1143 0 : DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
1144 0 : return False;
1145 : }
1146 :
1147 0 : *mods = NULL;
1148 :
1149 : /*
1150 : * took out adding "objectclass: sambaAccount"
1151 : * do this on a per-mod basis
1152 : */
1153 0 : if (need_update(sampass, PDB_USERNAME)) {
1154 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1155 : existing, mods,
1156 : "uid", pdb_get_username(sampass));
1157 0 : if (ldap_state->is_nds_ldap) {
1158 0 : smbldap_make_mod(
1159 : smbldap_get_ldap(ldap_state->smbldap_state),
1160 : existing, mods,
1161 : "cn", pdb_get_username(sampass));
1162 0 : smbldap_make_mod(
1163 : smbldap_get_ldap(ldap_state->smbldap_state),
1164 : existing, mods,
1165 : "sn", pdb_get_username(sampass));
1166 : }
1167 : }
1168 :
1169 0 : DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
1170 :
1171 : /* only update the RID if we actually need to */
1172 0 : if (need_update(sampass, PDB_USERSID)) {
1173 0 : struct dom_sid_buf sid_str;
1174 0 : const struct dom_sid *user_sid = pdb_get_user_sid(sampass);
1175 :
1176 0 : switch ( ldap_state->schema_ver ) {
1177 0 : case SCHEMAVER_SAMBASAMACCOUNT:
1178 0 : smbldap_make_mod(
1179 : smbldap_get_ldap(
1180 : ldap_state->smbldap_state),
1181 : existing, mods,
1182 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
1183 0 : dom_sid_str_buf(user_sid, &sid_str));
1184 0 : break;
1185 :
1186 0 : default:
1187 0 : DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1188 0 : break;
1189 : }
1190 : }
1191 :
1192 : /* we don't need to store the primary group RID - so leaving it
1193 : 'free' to hang off the unix primary group makes life easier */
1194 :
1195 0 : if (need_update(sampass, PDB_GROUPSID)) {
1196 0 : struct dom_sid_buf sid_str;
1197 0 : const struct dom_sid *group_sid = pdb_get_group_sid(sampass);
1198 :
1199 0 : switch ( ldap_state->schema_ver ) {
1200 0 : case SCHEMAVER_SAMBASAMACCOUNT:
1201 0 : smbldap_make_mod(
1202 : smbldap_get_ldap(
1203 : ldap_state->smbldap_state),
1204 : existing, mods,
1205 : get_userattr_key2string(ldap_state->schema_ver,
1206 : LDAP_ATTR_PRIMARY_GROUP_SID),
1207 0 : dom_sid_str_buf(group_sid, &sid_str));
1208 0 : break;
1209 :
1210 0 : default:
1211 0 : DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1212 0 : break;
1213 : }
1214 :
1215 : }
1216 :
1217 : /* displayName, cn, and gecos should all be the same
1218 : * most easily accomplished by giving them the same OID
1219 : * gecos isn't set here b/c it should be handled by the
1220 : * add-user script
1221 : * We change displayName only and fall back to cn if
1222 : * it does not exist.
1223 : */
1224 :
1225 0 : if (need_update(sampass, PDB_FULLNAME))
1226 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1227 : existing, mods,
1228 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
1229 : pdb_get_fullname(sampass));
1230 :
1231 0 : if (need_update(sampass, PDB_ACCTDESC))
1232 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1233 : existing, mods,
1234 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
1235 : pdb_get_acct_desc(sampass));
1236 :
1237 0 : if (need_update(sampass, PDB_WORKSTATIONS))
1238 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1239 : existing, mods,
1240 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
1241 : pdb_get_workstations(sampass));
1242 :
1243 0 : if (need_update(sampass, PDB_MUNGEDDIAL))
1244 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1245 : existing, mods,
1246 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL),
1247 : pdb_get_munged_dial(sampass));
1248 :
1249 0 : if (need_update(sampass, PDB_SMBHOME))
1250 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1251 : existing, mods,
1252 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
1253 : pdb_get_homedir(sampass));
1254 :
1255 0 : if (need_update(sampass, PDB_DRIVE))
1256 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1257 : existing, mods,
1258 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
1259 : pdb_get_dir_drive(sampass));
1260 :
1261 0 : if (need_update(sampass, PDB_LOGONSCRIPT))
1262 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1263 : existing, mods,
1264 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
1265 : pdb_get_logon_script(sampass));
1266 :
1267 0 : if (need_update(sampass, PDB_PROFILE))
1268 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1269 : existing, mods,
1270 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
1271 : pdb_get_profile_path(sampass));
1272 :
1273 0 : if (asprintf(&temp, "%li", (long int)pdb_get_logon_time(sampass)) < 0) {
1274 0 : return false;
1275 : }
1276 0 : if (need_update(sampass, PDB_LOGONTIME))
1277 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1278 : existing, mods,
1279 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
1280 0 : SAFE_FREE(temp);
1281 :
1282 0 : if (asprintf(&temp, "%li", (long int)pdb_get_logoff_time(sampass)) < 0) {
1283 0 : return false;
1284 : }
1285 0 : if (need_update(sampass, PDB_LOGOFFTIME))
1286 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1287 : existing, mods,
1288 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
1289 0 : SAFE_FREE(temp);
1290 :
1291 0 : if (asprintf(&temp, "%li", (long int)pdb_get_kickoff_time(sampass)) < 0) {
1292 0 : return false;
1293 : }
1294 0 : if (need_update(sampass, PDB_KICKOFFTIME))
1295 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1296 : existing, mods,
1297 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
1298 0 : SAFE_FREE(temp);
1299 :
1300 0 : if (asprintf(&temp, "%li", (long int)pdb_get_pass_can_change_time_noncalc(sampass)) < 0) {
1301 0 : return false;
1302 : }
1303 0 : if (need_update(sampass, PDB_CANCHANGETIME))
1304 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
1305 : existing, mods,
1306 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
1307 0 : SAFE_FREE(temp);
1308 :
1309 0 : if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
1310 0 : || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
1311 :
1312 0 : if (need_update(sampass, PDB_LMPASSWD)) {
1313 0 : const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
1314 0 : if (lm_pw) {
1315 0 : char pwstr[34];
1316 0 : pdb_sethexpwd(pwstr, lm_pw,
1317 : pdb_get_acct_ctrl(sampass));
1318 0 : smbldap_make_mod(
1319 : smbldap_get_ldap(
1320 : ldap_state->smbldap_state),
1321 : existing, mods,
1322 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
1323 : pwstr);
1324 : } else {
1325 0 : smbldap_make_mod(
1326 : smbldap_get_ldap(
1327 : ldap_state->smbldap_state),
1328 : existing, mods,
1329 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
1330 : NULL);
1331 : }
1332 : }
1333 0 : if (need_update(sampass, PDB_NTPASSWD)) {
1334 0 : const uchar *nt_pw = pdb_get_nt_passwd(sampass);
1335 0 : if (nt_pw) {
1336 0 : char pwstr[34];
1337 0 : pdb_sethexpwd(pwstr, nt_pw,
1338 : pdb_get_acct_ctrl(sampass));
1339 0 : smbldap_make_mod(
1340 : smbldap_get_ldap(
1341 : ldap_state->smbldap_state),
1342 : existing, mods,
1343 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
1344 : pwstr);
1345 : } else {
1346 0 : smbldap_make_mod(
1347 : smbldap_get_ldap(
1348 : ldap_state->smbldap_state),
1349 : existing, mods,
1350 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
1351 : NULL);
1352 : }
1353 : }
1354 :
1355 0 : if (need_update(sampass, PDB_PWHISTORY)) {
1356 0 : char *pwstr = NULL;
1357 0 : uint32_t pwHistLen = 0;
1358 0 : pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1359 :
1360 0 : pwstr = SMB_MALLOC_ARRAY(char, 1024);
1361 0 : if (!pwstr) {
1362 0 : return false;
1363 : }
1364 0 : if (pwHistLen == 0) {
1365 : /* Remove any password history from the LDAP store. */
1366 0 : memset(pwstr, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
1367 0 : pwstr[64] = '\0';
1368 : } else {
1369 0 : int i;
1370 0 : uint32_t currHistLen = 0;
1371 0 : const uint8_t *pwhist = pdb_get_pw_history(sampass, &currHistLen);
1372 0 : if (pwhist != NULL) {
1373 : /* We can only store (1024-1/64 password history entries. */
1374 0 : pwHistLen = MIN(pwHistLen, ((1024-1)/64));
1375 0 : for (i=0; i< pwHistLen && i < currHistLen; i++) {
1376 : /* Store the salt. */
1377 0 : pdb_sethexpwd(&pwstr[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN], 0);
1378 : /* Followed by the md5 hash of salt + md4 hash */
1379 0 : pdb_sethexpwd(&pwstr[(i*64)+32],
1380 0 : &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN], 0);
1381 0 : DEBUG(100, ("pwstr=%s\n", pwstr));
1382 : }
1383 : }
1384 : }
1385 0 : smbldap_make_mod(
1386 : smbldap_get_ldap(ldap_state->smbldap_state),
1387 : existing, mods,
1388 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY),
1389 : pwstr);
1390 0 : SAFE_FREE(pwstr);
1391 : }
1392 :
1393 0 : if (need_update(sampass, PDB_PASSLASTSET)) {
1394 0 : if (asprintf(&temp, "%li",
1395 0 : (long int)pdb_get_pass_last_set_time(sampass)) < 0) {
1396 0 : return false;
1397 : }
1398 0 : smbldap_make_mod(
1399 : smbldap_get_ldap(ldap_state->smbldap_state),
1400 : existing, mods,
1401 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
1402 : temp);
1403 0 : SAFE_FREE(temp);
1404 : }
1405 : }
1406 :
1407 0 : if (need_update(sampass, PDB_HOURS)) {
1408 0 : const uint8_t *hours = pdb_get_hours(sampass);
1409 0 : if (hours) {
1410 0 : char hourstr[44];
1411 0 : pdb_sethexhours(hourstr, hours);
1412 0 : smbldap_make_mod(
1413 : smbldap_get_ldap(ldap_state->smbldap_state),
1414 : existing,
1415 : mods,
1416 : get_userattr_key2string(ldap_state->schema_ver,
1417 : LDAP_ATTR_LOGON_HOURS),
1418 : hourstr);
1419 : }
1420 : }
1421 :
1422 0 : if (need_update(sampass, PDB_ACCTCTRL))
1423 0 : smbldap_make_mod(
1424 : smbldap_get_ldap(ldap_state->smbldap_state),
1425 : existing, mods,
1426 : get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
1427 0 : pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
1428 :
1429 : /* password lockout cache:
1430 : - If we are now autolocking or clearing, we write to ldap
1431 : - If we are clearing, we delete the cache entry
1432 : - If the count is > 0, we update the cache
1433 :
1434 : This even means when autolocking, we cache, just in case the
1435 : update doesn't work, and we have to cache the autolock flag */
1436 :
1437 0 : if (need_update(sampass, PDB_BAD_PASSWORD_COUNT)) /* &&
1438 : need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1439 0 : uint16_t badcount = pdb_get_bad_password_count(sampass);
1440 0 : time_t badtime = pdb_get_bad_password_time(sampass);
1441 0 : uint32_t pol;
1442 0 : pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &pol);
1443 :
1444 0 : DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1445 : (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
1446 :
1447 0 : if ((badcount >= pol) || (badcount == 0)) {
1448 0 : DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1449 : (unsigned int)badcount, (unsigned int)badtime));
1450 0 : if (asprintf(&temp, "%li", (long)badcount) < 0) {
1451 0 : return false;
1452 : }
1453 0 : smbldap_make_mod(
1454 : smbldap_get_ldap(ldap_state->smbldap_state),
1455 : existing, mods,
1456 : get_userattr_key2string(
1457 : ldap_state->schema_ver,
1458 : LDAP_ATTR_BAD_PASSWORD_COUNT),
1459 : temp);
1460 0 : SAFE_FREE(temp);
1461 :
1462 0 : if (asprintf(&temp, "%li", (long int)badtime) < 0) {
1463 0 : return false;
1464 : }
1465 0 : smbldap_make_mod(
1466 : smbldap_get_ldap(ldap_state->smbldap_state),
1467 : existing, mods,
1468 : get_userattr_key2string(
1469 : ldap_state->schema_ver,
1470 : LDAP_ATTR_BAD_PASSWORD_TIME),
1471 : temp);
1472 0 : SAFE_FREE(temp);
1473 : }
1474 0 : if (badcount == 0) {
1475 0 : DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
1476 0 : login_cache_delentry(sampass);
1477 : } else {
1478 0 : struct login_cache cache_entry;
1479 :
1480 0 : cache_entry.entry_timestamp = time(NULL);
1481 0 : cache_entry.acct_ctrl = pdb_get_acct_ctrl(sampass);
1482 0 : cache_entry.bad_password_count = badcount;
1483 0 : cache_entry.bad_password_time = badtime;
1484 :
1485 0 : DEBUG(7, ("Updating bad password count and time in login cache\n"));
1486 0 : login_cache_write(sampass, &cache_entry);
1487 : }
1488 : }
1489 :
1490 0 : return True;
1491 : }
1492 :
1493 : /**********************************************************************
1494 : End enumeration of the LDAP password list.
1495 : *********************************************************************/
1496 :
1497 0 : static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1498 : {
1499 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1500 0 : if (ldap_state->result) {
1501 0 : ldap_msgfree(ldap_state->result);
1502 0 : ldap_state->result = NULL;
1503 : }
1504 0 : }
1505 :
1506 0 : static void append_attr(TALLOC_CTX *mem_ctx, const char ***attr_list,
1507 : const char *new_attr)
1508 : {
1509 0 : int i;
1510 :
1511 0 : if (new_attr == NULL) {
1512 0 : return;
1513 : }
1514 :
1515 0 : for (i=0; (*attr_list)[i] != NULL; i++) {
1516 0 : ;
1517 : }
1518 :
1519 0 : (*attr_list) = talloc_realloc(mem_ctx, (*attr_list),
1520 : const char *, i+2);
1521 0 : SMB_ASSERT((*attr_list) != NULL);
1522 0 : (*attr_list)[i] = talloc_strdup((*attr_list), new_attr);
1523 0 : (*attr_list)[i+1] = NULL;
1524 : }
1525 :
1526 0 : static void ldapsam_add_unix_attributes(TALLOC_CTX *mem_ctx,
1527 : const char ***attr_list)
1528 : {
1529 0 : append_attr(mem_ctx, attr_list, "uidNumber");
1530 0 : append_attr(mem_ctx, attr_list, "gidNumber");
1531 0 : append_attr(mem_ctx, attr_list, "homeDirectory");
1532 0 : append_attr(mem_ctx, attr_list, "loginShell");
1533 0 : append_attr(mem_ctx, attr_list, "gecos");
1534 0 : }
1535 :
1536 : /**********************************************************************
1537 : Get struct samu entry from LDAP by username.
1538 : *********************************************************************/
1539 :
1540 0 : static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, struct samu *user, const char *sname)
1541 : {
1542 0 : NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1543 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1544 0 : LDAPMessage *result = NULL;
1545 0 : LDAPMessage *entry = NULL;
1546 0 : int count;
1547 0 : const char ** attr_list;
1548 0 : int rc;
1549 :
1550 0 : attr_list = get_userattr_list( user, ldap_state->schema_ver );
1551 0 : append_attr(user, &attr_list,
1552 : get_userattr_key2string(ldap_state->schema_ver,
1553 : LDAP_ATTR_MOD_TIMESTAMP));
1554 0 : ldapsam_add_unix_attributes(user, &attr_list);
1555 0 : rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result,
1556 : attr_list);
1557 0 : TALLOC_FREE( attr_list );
1558 :
1559 0 : if ( rc != LDAP_SUCCESS )
1560 0 : return NT_STATUS_NO_SUCH_USER;
1561 :
1562 0 : count = ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
1563 : result);
1564 :
1565 0 : if (count < 1) {
1566 0 : DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
1567 0 : ldap_msgfree(result);
1568 0 : return NT_STATUS_NO_SUCH_USER;
1569 0 : } else if (count > 1) {
1570 0 : DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
1571 0 : ldap_msgfree(result);
1572 0 : return NT_STATUS_NO_SUCH_USER;
1573 : }
1574 :
1575 0 : entry = ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
1576 : result);
1577 0 : if (entry) {
1578 0 : if (!init_sam_from_ldap(ldap_state, user, entry)) {
1579 0 : DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
1580 0 : ldap_msgfree(result);
1581 0 : return NT_STATUS_NO_SUCH_USER;
1582 : }
1583 0 : pdb_set_backend_private_data(user, result, NULL,
1584 : my_methods, PDB_CHANGED);
1585 0 : smbldap_talloc_autofree_ldapmsg(user, result);
1586 0 : ret = NT_STATUS_OK;
1587 : } else {
1588 0 : ldap_msgfree(result);
1589 : }
1590 0 : return ret;
1591 : }
1592 :
1593 0 : static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
1594 : const struct dom_sid *sid, LDAPMessage **result)
1595 : {
1596 0 : int rc = -1;
1597 0 : const char ** attr_list;
1598 :
1599 0 : switch ( ldap_state->schema_ver ) {
1600 0 : case SCHEMAVER_SAMBASAMACCOUNT: {
1601 0 : TALLOC_CTX *tmp_ctx = talloc_new(NULL);
1602 0 : if (tmp_ctx == NULL) {
1603 0 : return LDAP_NO_MEMORY;
1604 : }
1605 :
1606 0 : attr_list = get_userattr_list(tmp_ctx,
1607 : ldap_state->schema_ver);
1608 0 : append_attr(tmp_ctx, &attr_list,
1609 : get_userattr_key2string(
1610 : ldap_state->schema_ver,
1611 : LDAP_ATTR_MOD_TIMESTAMP));
1612 0 : ldapsam_add_unix_attributes(tmp_ctx, &attr_list);
1613 0 : rc = ldapsam_search_suffix_by_sid(ldap_state, sid,
1614 : result, attr_list);
1615 0 : TALLOC_FREE(tmp_ctx);
1616 :
1617 0 : if ( rc != LDAP_SUCCESS )
1618 0 : return rc;
1619 0 : break;
1620 : }
1621 :
1622 0 : default:
1623 0 : DEBUG(0,("Invalid schema version specified\n"));
1624 0 : break;
1625 : }
1626 0 : return rc;
1627 : }
1628 :
1629 : /**********************************************************************
1630 : Get struct samu entry from LDAP by SID.
1631 : *********************************************************************/
1632 :
1633 0 : static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const struct dom_sid *sid)
1634 : {
1635 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1636 0 : LDAPMessage *result = NULL;
1637 0 : LDAPMessage *entry = NULL;
1638 0 : int count;
1639 0 : int rc;
1640 :
1641 0 : rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1642 : sid, &result);
1643 0 : if (rc != LDAP_SUCCESS)
1644 0 : return NT_STATUS_NO_SUCH_USER;
1645 :
1646 0 : count = ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
1647 : result);
1648 :
1649 0 : if (count < 1) {
1650 0 : struct dom_sid_buf buf;
1651 0 : DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] "
1652 : "count=%d\n",
1653 : dom_sid_str_buf(sid, &buf),
1654 : count));
1655 0 : ldap_msgfree(result);
1656 0 : return NT_STATUS_NO_SUCH_USER;
1657 0 : } else if (count > 1) {
1658 0 : struct dom_sid_buf buf;
1659 0 : DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID "
1660 : "[%s]. Failing. count=%d\n",
1661 : dom_sid_str_buf(sid, &buf),
1662 : count));
1663 0 : ldap_msgfree(result);
1664 0 : return NT_STATUS_NO_SUCH_USER;
1665 : }
1666 :
1667 0 : entry = ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
1668 : result);
1669 0 : if (!entry) {
1670 0 : ldap_msgfree(result);
1671 0 : return NT_STATUS_NO_SUCH_USER;
1672 : }
1673 :
1674 0 : if (!init_sam_from_ldap(ldap_state, user, entry)) {
1675 0 : DEBUG(1,("ldapsam_getsampwsid: init_sam_from_ldap failed!\n"));
1676 0 : ldap_msgfree(result);
1677 0 : return NT_STATUS_NO_SUCH_USER;
1678 : }
1679 :
1680 0 : pdb_set_backend_private_data(user, result, NULL,
1681 : my_methods, PDB_CHANGED);
1682 0 : smbldap_talloc_autofree_ldapmsg(user, result);
1683 0 : return NT_STATUS_OK;
1684 : }
1685 :
1686 : /********************************************************************
1687 : Do the actual modification - also change a plaintext password if
1688 : it it set.
1689 : **********************************************************************/
1690 :
1691 0 : static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
1692 : struct samu *newpwd, char *dn,
1693 : LDAPMod **mods, int ldap_op,
1694 : bool (*need_update)(const struct samu *, enum pdb_elements))
1695 : {
1696 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1697 0 : int rc;
1698 :
1699 0 : if (!newpwd || !dn) {
1700 0 : return NT_STATUS_INVALID_PARAMETER;
1701 : }
1702 :
1703 0 : if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
1704 0 : (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
1705 0 : need_update(newpwd, PDB_PLAINTEXT_PW) &&
1706 0 : (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
1707 0 : BerElement *ber;
1708 0 : struct berval *bv;
1709 0 : char *retoid = NULL;
1710 0 : struct berval *retdata = NULL;
1711 0 : char *utf8_password;
1712 0 : char *utf8_dn;
1713 0 : size_t converted_size;
1714 0 : int ret;
1715 :
1716 0 : if (!ldap_state->is_nds_ldap) {
1717 :
1718 0 : if (!smbldap_has_extension(
1719 : smbldap_get_ldap(
1720 : ldap_state->smbldap_state),
1721 : LDAP_EXOP_MODIFY_PASSWD)) {
1722 0 : DEBUG(2, ("ldap password change requested, but LDAP "
1723 : "server does not support it -- ignoring\n"));
1724 0 : return NT_STATUS_OK;
1725 : }
1726 : }
1727 :
1728 0 : if (!push_utf8_talloc(talloc_tos(), &utf8_password,
1729 : pdb_get_plaintext_passwd(newpwd),
1730 : &converted_size))
1731 : {
1732 0 : return NT_STATUS_NO_MEMORY;
1733 : }
1734 :
1735 0 : if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1736 0 : TALLOC_FREE(utf8_password);
1737 0 : return NT_STATUS_NO_MEMORY;
1738 : }
1739 :
1740 0 : if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
1741 0 : DEBUG(0,("ber_alloc_t returns NULL\n"));
1742 0 : TALLOC_FREE(utf8_password);
1743 0 : TALLOC_FREE(utf8_dn);
1744 0 : return NT_STATUS_UNSUCCESSFUL;
1745 : }
1746 :
1747 0 : if ((ber_printf (ber, "{") < 0) ||
1748 0 : (ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID,
1749 : utf8_dn) < 0)) {
1750 0 : DEBUG(0,("ldapsam_modify_entry: ber_printf returns a "
1751 : "value <0\n"));
1752 0 : ber_free(ber,1);
1753 0 : TALLOC_FREE(utf8_dn);
1754 0 : TALLOC_FREE(utf8_password);
1755 0 : return NT_STATUS_UNSUCCESSFUL;
1756 : }
1757 :
1758 0 : if ((utf8_password != NULL) && (*utf8_password != '\0')) {
1759 0 : ret = ber_printf(ber, "ts}",
1760 : LDAP_TAG_EXOP_MODIFY_PASSWD_NEW,
1761 : utf8_password);
1762 : } else {
1763 0 : ret = ber_printf(ber, "}");
1764 : }
1765 :
1766 0 : if (ret < 0) {
1767 0 : DEBUG(0,("ldapsam_modify_entry: ber_printf returns a "
1768 : "value <0\n"));
1769 0 : ber_free(ber,1);
1770 0 : TALLOC_FREE(utf8_dn);
1771 0 : TALLOC_FREE(utf8_password);
1772 0 : return NT_STATUS_UNSUCCESSFUL;
1773 : }
1774 :
1775 0 : if ((rc = ber_flatten (ber, &bv))<0) {
1776 0 : DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1777 0 : ber_free(ber,1);
1778 0 : TALLOC_FREE(utf8_dn);
1779 0 : TALLOC_FREE(utf8_password);
1780 0 : return NT_STATUS_UNSUCCESSFUL;
1781 : }
1782 :
1783 0 : TALLOC_FREE(utf8_dn);
1784 0 : TALLOC_FREE(utf8_password);
1785 0 : ber_free(ber, 1);
1786 :
1787 0 : if (!ldap_state->is_nds_ldap) {
1788 0 : rc = smbldap_extended_operation(ldap_state->smbldap_state,
1789 : LDAP_EXOP_MODIFY_PASSWD,
1790 : bv, NULL, NULL, &retoid,
1791 : &retdata);
1792 : } else {
1793 0 : rc = pdb_nds_set_password(ldap_state->smbldap_state, dn,
1794 : pdb_get_plaintext_passwd(newpwd));
1795 : }
1796 0 : if (rc != LDAP_SUCCESS) {
1797 0 : char *ld_error = NULL;
1798 :
1799 0 : if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
1800 0 : DEBUG(3, ("Could not set userPassword "
1801 : "attribute due to an objectClass "
1802 : "violation -- ignoring\n"));
1803 0 : ber_bvfree(bv);
1804 0 : return NT_STATUS_OK;
1805 : }
1806 :
1807 0 : ldap_get_option(
1808 : smbldap_get_ldap(ldap_state->smbldap_state),
1809 : LDAP_OPT_ERROR_STRING,
1810 : &ld_error);
1811 0 : DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1812 : pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
1813 0 : SAFE_FREE(ld_error);
1814 0 : ber_bvfree(bv);
1815 : #if defined(LDAP_CONSTRAINT_VIOLATION)
1816 0 : if (rc == LDAP_CONSTRAINT_VIOLATION)
1817 0 : return NT_STATUS_PASSWORD_RESTRICTION;
1818 : #endif
1819 0 : return NT_STATUS_UNSUCCESSFUL;
1820 : } else {
1821 0 : DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
1822 : #ifdef DEBUG_PASSWORD
1823 0 : DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
1824 : #endif
1825 0 : if (retdata)
1826 0 : ber_bvfree(retdata);
1827 0 : if (retoid)
1828 0 : ldap_memfree(retoid);
1829 : }
1830 0 : ber_bvfree(bv);
1831 : }
1832 :
1833 0 : if (!mods) {
1834 0 : DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1835 : /* may be password change below however */
1836 : } else {
1837 0 : switch(ldap_op) {
1838 0 : case LDAP_MOD_ADD:
1839 0 : if (ldap_state->is_nds_ldap) {
1840 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD,
1841 : "objectclass",
1842 : "inetOrgPerson");
1843 : } else {
1844 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD,
1845 : "objectclass",
1846 : LDAP_OBJ_ACCOUNT);
1847 : }
1848 0 : rc = smbldap_add(ldap_state->smbldap_state,
1849 : dn, mods);
1850 0 : break;
1851 0 : case LDAP_MOD_REPLACE:
1852 0 : rc = smbldap_modify(ldap_state->smbldap_state,
1853 : dn ,mods);
1854 0 : break;
1855 0 : default:
1856 0 : DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
1857 : ldap_op));
1858 0 : return NT_STATUS_INVALID_PARAMETER;
1859 : }
1860 :
1861 0 : if (rc!=LDAP_SUCCESS) {
1862 0 : return NT_STATUS_UNSUCCESSFUL;
1863 : }
1864 : }
1865 :
1866 0 : return NT_STATUS_OK;
1867 : }
1868 :
1869 : /**********************************************************************
1870 : Delete entry from LDAP for username.
1871 : *********************************************************************/
1872 :
1873 0 : static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods,
1874 : struct samu * sam_acct)
1875 : {
1876 0 : struct ldapsam_privates *priv =
1877 : (struct ldapsam_privates *)my_methods->private_data;
1878 0 : const char *sname;
1879 0 : int rc;
1880 0 : LDAPMessage *msg, *entry;
1881 0 : NTSTATUS result = NT_STATUS_NO_MEMORY;
1882 0 : const char **attr_list;
1883 0 : TALLOC_CTX *mem_ctx;
1884 :
1885 0 : if (!sam_acct) {
1886 0 : DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1887 0 : return NT_STATUS_INVALID_PARAMETER;
1888 : }
1889 :
1890 0 : sname = pdb_get_username(sam_acct);
1891 :
1892 0 : DEBUG(3, ("ldapsam_delete_sam_account: Deleting user %s from "
1893 : "LDAP.\n", sname));
1894 :
1895 0 : mem_ctx = talloc_new(NULL);
1896 0 : if (mem_ctx == NULL) {
1897 0 : DEBUG(0, ("talloc_new failed\n"));
1898 0 : goto done;
1899 : }
1900 :
1901 0 : attr_list = get_userattr_delete_list(mem_ctx, priv->schema_ver );
1902 0 : if (attr_list == NULL) {
1903 0 : goto done;
1904 : }
1905 :
1906 0 : rc = ldapsam_search_suffix_by_name(priv, sname, &msg, attr_list);
1907 :
1908 0 : if ((rc != LDAP_SUCCESS) ||
1909 0 : (ldap_count_entries(priv2ld(priv), msg) != 1) ||
1910 0 : ((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
1911 0 : DEBUG(5, ("Could not find user %s\n", sname));
1912 0 : result = NT_STATUS_NO_SUCH_USER;
1913 0 : goto done;
1914 : }
1915 :
1916 0 : rc = ldapsam_delete_entry(
1917 : priv, mem_ctx, entry,
1918 0 : priv->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ?
1919 : LDAP_OBJ_SAMBASAMACCOUNT : 0,
1920 : attr_list);
1921 :
1922 0 : result = (rc == LDAP_SUCCESS) ?
1923 0 : NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
1924 :
1925 0 : done:
1926 0 : TALLOC_FREE(mem_ctx);
1927 0 : return result;
1928 : }
1929 :
1930 : /**********************************************************************
1931 : Update struct samu.
1932 : *********************************************************************/
1933 :
1934 0 : static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
1935 : {
1936 0 : NTSTATUS ret;
1937 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1938 0 : int rc = 0;
1939 0 : char *dn;
1940 0 : LDAPMessage *result = NULL;
1941 0 : LDAPMessage *entry = NULL;
1942 0 : LDAPMod **mods = NULL;
1943 0 : const char **attr_list;
1944 :
1945 0 : result = (LDAPMessage *)pdb_get_backend_private_data(newpwd, my_methods);
1946 0 : if (!result) {
1947 0 : attr_list = get_userattr_list(NULL, ldap_state->schema_ver);
1948 0 : if (pdb_get_username(newpwd) == NULL) {
1949 0 : return NT_STATUS_INVALID_PARAMETER;
1950 : }
1951 0 : rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
1952 0 : TALLOC_FREE( attr_list );
1953 0 : if (rc != LDAP_SUCCESS) {
1954 0 : return NT_STATUS_UNSUCCESSFUL;
1955 : }
1956 0 : pdb_set_backend_private_data(newpwd, result, NULL,
1957 : my_methods, PDB_CHANGED);
1958 0 : smbldap_talloc_autofree_ldapmsg(newpwd, result);
1959 : }
1960 :
1961 0 : if (ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
1962 : result) == 0) {
1963 0 : DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1964 0 : return NT_STATUS_UNSUCCESSFUL;
1965 : }
1966 :
1967 0 : entry = ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
1968 : result);
1969 0 : dn = smbldap_talloc_dn(talloc_tos(),
1970 : smbldap_get_ldap(ldap_state->smbldap_state),
1971 : entry);
1972 0 : if (!dn) {
1973 0 : return NT_STATUS_UNSUCCESSFUL;
1974 : }
1975 :
1976 0 : DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
1977 :
1978 0 : if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1979 : pdb_element_is_changed)) {
1980 0 : DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1981 0 : TALLOC_FREE(dn);
1982 0 : if (mods != NULL)
1983 0 : ldap_mods_free(mods,True);
1984 0 : return NT_STATUS_UNSUCCESSFUL;
1985 : }
1986 :
1987 0 : if ((lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_ONLY)
1988 0 : && (mods == NULL)) {
1989 0 : DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1990 : pdb_get_username(newpwd)));
1991 0 : TALLOC_FREE(dn);
1992 0 : return NT_STATUS_OK;
1993 : }
1994 :
1995 0 : ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, pdb_element_is_changed);
1996 :
1997 0 : if (mods != NULL) {
1998 0 : ldap_mods_free(mods,True);
1999 : }
2000 :
2001 0 : TALLOC_FREE(dn);
2002 :
2003 : /*
2004 : * We need to set the backend private data to NULL here. For example
2005 : * setuserinfo level 25 does a pdb_update_sam_account twice on the
2006 : * same one, and with the explicit delete / add logic for attribute
2007 : * values the second time we would use the wrong "old" value which
2008 : * does not exist in LDAP anymore. Thus the LDAP server would refuse
2009 : * the update.
2010 : * The existing LDAPMessage is still being auto-freed by the
2011 : * destructor.
2012 : */
2013 0 : pdb_set_backend_private_data(newpwd, NULL, NULL, my_methods,
2014 : PDB_CHANGED);
2015 :
2016 0 : if (!NT_STATUS_IS_OK(ret)) {
2017 0 : return ret;
2018 : }
2019 :
2020 0 : DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
2021 : pdb_get_username(newpwd)));
2022 0 : return NT_STATUS_OK;
2023 : }
2024 :
2025 : /***************************************************************************
2026 : Renames a struct samu
2027 : - The "rename user script" has full responsibility for changing everything
2028 : ***************************************************************************/
2029 :
2030 : static NTSTATUS ldapsam_del_groupmem(struct pdb_methods *my_methods,
2031 : TALLOC_CTX *tmp_ctx,
2032 : uint32_t group_rid,
2033 : uint32_t member_rid);
2034 :
2035 : static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
2036 : TALLOC_CTX *mem_ctx,
2037 : struct samu *user,
2038 : struct dom_sid **pp_sids,
2039 : gid_t **pp_gids,
2040 : uint32_t *p_num_groups);
2041 :
2042 0 : static NTSTATUS ldapsam_rename_sam_account(struct pdb_methods *my_methods,
2043 : struct samu *old_acct,
2044 : const char *newname)
2045 : {
2046 0 : const struct loadparm_substitution *lp_sub =
2047 0 : loadparm_s3_global_substitution();
2048 0 : const char *oldname;
2049 0 : int rc;
2050 0 : char *rename_script = NULL;
2051 0 : fstring oldname_lower, newname_lower;
2052 :
2053 0 : if (!old_acct) {
2054 0 : DEBUG(0, ("ldapsam_rename_sam_account: old_acct was NULL!\n"));
2055 0 : return NT_STATUS_INVALID_PARAMETER;
2056 : }
2057 0 : if (!newname) {
2058 0 : DEBUG(0, ("ldapsam_rename_sam_account: newname was NULL!\n"));
2059 0 : return NT_STATUS_INVALID_PARAMETER;
2060 : }
2061 :
2062 0 : oldname = pdb_get_username(old_acct);
2063 :
2064 : /* rename the posix user */
2065 0 : rename_script = lp_rename_user_script(talloc_tos(), lp_sub);
2066 0 : if (rename_script == NULL) {
2067 0 : return NT_STATUS_NO_MEMORY;
2068 : }
2069 :
2070 0 : if (!(*rename_script)) {
2071 0 : TALLOC_FREE(rename_script);
2072 0 : return NT_STATUS_ACCESS_DENIED;
2073 : }
2074 :
2075 0 : DEBUG (3, ("ldapsam_rename_sam_account: Renaming user %s to %s.\n",
2076 : oldname, newname));
2077 :
2078 : /* We have to allow the account name to end with a '$'.
2079 : Also, follow the semantics in _samr_create_user() and lower case the
2080 : posix name but preserve the case in passdb */
2081 :
2082 0 : fstrcpy( oldname_lower, oldname );
2083 0 : if (!strlower_m( oldname_lower )) {
2084 0 : return NT_STATUS_INVALID_PARAMETER;
2085 : }
2086 0 : fstrcpy( newname_lower, newname );
2087 0 : if (!strlower_m( newname_lower )) {
2088 0 : return NT_STATUS_INVALID_PARAMETER;
2089 : }
2090 :
2091 0 : rename_script = realloc_string_sub2(rename_script,
2092 : "%unew",
2093 : newname_lower,
2094 : true,
2095 : true);
2096 0 : if (!rename_script) {
2097 0 : return NT_STATUS_NO_MEMORY;
2098 : }
2099 0 : rename_script = realloc_string_sub2(rename_script,
2100 : "%uold",
2101 : oldname_lower,
2102 : true,
2103 : true);
2104 0 : rc = smbrun(rename_script, NULL, NULL);
2105 :
2106 0 : DEBUG(rc ? 0 : 3,("Running the command `%s' gave %d\n",
2107 : rename_script, rc));
2108 :
2109 0 : TALLOC_FREE(rename_script);
2110 :
2111 0 : if (rc == 0) {
2112 0 : smb_nscd_flush_user_cache();
2113 : }
2114 :
2115 0 : if (rc)
2116 0 : return NT_STATUS_UNSUCCESSFUL;
2117 :
2118 0 : return NT_STATUS_OK;
2119 : }
2120 :
2121 : /**********************************************************************
2122 : Add struct samu to LDAP.
2123 : *********************************************************************/
2124 :
2125 0 : static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
2126 : {
2127 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2128 0 : int rc;
2129 0 : LDAPMessage *result = NULL;
2130 0 : LDAPMessage *entry = NULL;
2131 0 : LDAPMod **mods = NULL;
2132 0 : int ldap_op = LDAP_MOD_REPLACE;
2133 0 : uint32_t num_result;
2134 0 : const char **attr_list;
2135 0 : char *escape_user = NULL;
2136 0 : const char *username = pdb_get_username(newpwd);
2137 0 : const struct dom_sid *sid = pdb_get_user_sid(newpwd);
2138 0 : char *filter = NULL;
2139 0 : char *dn = NULL;
2140 0 : NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
2141 0 : TALLOC_CTX *ctx = talloc_init("ldapsam_add_sam_account");
2142 :
2143 0 : if (!ctx) {
2144 0 : return NT_STATUS_NO_MEMORY;
2145 : }
2146 :
2147 0 : if (!username || !*username) {
2148 0 : DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
2149 0 : status = NT_STATUS_INVALID_PARAMETER;
2150 0 : goto fn_exit;
2151 : }
2152 :
2153 : /* free this list after the second search or in case we exit on failure */
2154 0 : attr_list = get_userattr_list(ctx, ldap_state->schema_ver);
2155 :
2156 0 : rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
2157 :
2158 0 : if (rc != LDAP_SUCCESS) {
2159 0 : goto fn_exit;
2160 : }
2161 :
2162 0 : if (ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
2163 : result) != 0) {
2164 0 : DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
2165 : username));
2166 0 : goto fn_exit;
2167 : }
2168 0 : ldap_msgfree(result);
2169 0 : result = NULL;
2170 :
2171 0 : if (pdb_element_is_set_or_changed(newpwd, PDB_USERSID)) {
2172 0 : rc = ldapsam_get_ldap_user_by_sid(ldap_state,
2173 : sid, &result);
2174 0 : if (rc == LDAP_SUCCESS) {
2175 0 : if (ldap_count_entries(
2176 : smbldap_get_ldap(
2177 : ldap_state->smbldap_state),
2178 : result) != 0) {
2179 0 : struct dom_sid_buf buf;
2180 0 : DEBUG(0,("ldapsam_add_sam_account: SID '%s' "
2181 : "already in the base, with samba "
2182 : "attributes\n",
2183 : dom_sid_str_buf(sid, &buf)));
2184 0 : goto fn_exit;
2185 : }
2186 0 : ldap_msgfree(result);
2187 0 : result = NULL;
2188 : }
2189 : }
2190 :
2191 : /* does the entry already exist but without a samba attributes?
2192 : we need to return the samba attributes here */
2193 :
2194 0 : escape_user = escape_ldap_string(talloc_tos(), username);
2195 0 : filter = talloc_strdup(attr_list, "(uid=%u)");
2196 0 : if (!filter) {
2197 0 : status = NT_STATUS_NO_MEMORY;
2198 0 : goto fn_exit;
2199 : }
2200 0 : filter = talloc_all_string_sub(attr_list, filter, "%u", escape_user);
2201 0 : TALLOC_FREE(escape_user);
2202 0 : if (!filter) {
2203 0 : status = NT_STATUS_NO_MEMORY;
2204 0 : goto fn_exit;
2205 : }
2206 :
2207 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state,
2208 : filter, attr_list, &result);
2209 0 : if ( rc != LDAP_SUCCESS ) {
2210 0 : goto fn_exit;
2211 : }
2212 :
2213 0 : num_result = ldap_count_entries(
2214 : smbldap_get_ldap(ldap_state->smbldap_state), result);
2215 :
2216 0 : if (num_result > 1) {
2217 0 : DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
2218 0 : goto fn_exit;
2219 : }
2220 :
2221 : /* Check if we need to update an existing entry */
2222 0 : if (num_result == 1) {
2223 0 : DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2224 0 : ldap_op = LDAP_MOD_REPLACE;
2225 0 : entry = ldap_first_entry(
2226 : smbldap_get_ldap(ldap_state->smbldap_state), result);
2227 0 : dn = smbldap_talloc_dn(
2228 : ctx, smbldap_get_ldap(ldap_state->smbldap_state),
2229 : entry);
2230 0 : if (!dn) {
2231 0 : status = NT_STATUS_NO_MEMORY;
2232 0 : goto fn_exit;
2233 : }
2234 :
2235 0 : } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
2236 :
2237 0 : struct dom_sid_buf buf;
2238 :
2239 : /* There might be a SID for this account already - say an idmap entry */
2240 :
2241 0 : filter = talloc_asprintf(ctx,
2242 : "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
2243 : get_userattr_key2string(ldap_state->schema_ver,
2244 : LDAP_ATTR_USER_SID),
2245 : dom_sid_str_buf(sid, &buf),
2246 : LDAP_OBJ_IDMAP_ENTRY,
2247 : LDAP_OBJ_SID_ENTRY);
2248 0 : if (!filter) {
2249 0 : status = NT_STATUS_NO_MEMORY;
2250 0 : goto fn_exit;
2251 : }
2252 :
2253 : /* free old result before doing a new search */
2254 0 : if (result != NULL) {
2255 0 : ldap_msgfree(result);
2256 0 : result = NULL;
2257 : }
2258 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state,
2259 : filter, attr_list, &result);
2260 :
2261 0 : if ( rc != LDAP_SUCCESS ) {
2262 0 : goto fn_exit;
2263 : }
2264 :
2265 0 : num_result = ldap_count_entries(
2266 : smbldap_get_ldap(ldap_state->smbldap_state), result);
2267 :
2268 0 : if (num_result > 1) {
2269 0 : DEBUG (0, ("ldapsam_add_sam_account: More than one user with specified Sid exists: bailing out!\n"));
2270 0 : goto fn_exit;
2271 : }
2272 :
2273 : /* Check if we need to update an existing entry */
2274 0 : if (num_result == 1) {
2275 :
2276 0 : DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2277 0 : ldap_op = LDAP_MOD_REPLACE;
2278 0 : entry = ldap_first_entry (
2279 : smbldap_get_ldap(ldap_state->smbldap_state),
2280 : result);
2281 0 : dn = smbldap_talloc_dn (
2282 : ctx,
2283 : smbldap_get_ldap(ldap_state->smbldap_state),
2284 : entry);
2285 0 : if (!dn) {
2286 0 : status = NT_STATUS_NO_MEMORY;
2287 0 : goto fn_exit;
2288 : }
2289 : }
2290 : }
2291 :
2292 0 : if (num_result == 0) {
2293 0 : char *escape_username;
2294 : /* Check if we need to add an entry */
2295 0 : DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
2296 0 : ldap_op = LDAP_MOD_ADD;
2297 :
2298 0 : escape_username = escape_rdn_val_string_alloc(username);
2299 0 : if (!escape_username) {
2300 0 : status = NT_STATUS_NO_MEMORY;
2301 0 : goto fn_exit;
2302 : }
2303 :
2304 0 : if (username[strlen(username)-1] == '$') {
2305 0 : dn = talloc_asprintf(ctx,
2306 : "uid=%s,%s",
2307 : escape_username,
2308 : lp_ldap_machine_suffix(talloc_tos()));
2309 : } else {
2310 0 : dn = talloc_asprintf(ctx,
2311 : "uid=%s,%s",
2312 : escape_username,
2313 : lp_ldap_user_suffix(talloc_tos()));
2314 : }
2315 :
2316 0 : SAFE_FREE(escape_username);
2317 0 : if (!dn) {
2318 0 : status = NT_STATUS_NO_MEMORY;
2319 0 : goto fn_exit;
2320 : }
2321 : }
2322 :
2323 0 : if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
2324 : pdb_element_is_set_or_changed)) {
2325 0 : DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
2326 0 : if (mods != NULL) {
2327 0 : ldap_mods_free(mods, true);
2328 : }
2329 0 : goto fn_exit;
2330 : }
2331 :
2332 0 : if (mods == NULL) {
2333 0 : DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
2334 0 : goto fn_exit;
2335 : }
2336 0 : switch ( ldap_state->schema_ver ) {
2337 0 : case SCHEMAVER_SAMBASAMACCOUNT:
2338 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
2339 0 : break;
2340 0 : default:
2341 0 : DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
2342 0 : break;
2343 : }
2344 :
2345 0 : status = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, pdb_element_is_set_or_changed);
2346 0 : if (!NT_STATUS_IS_OK(status)) {
2347 0 : DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
2348 : pdb_get_username(newpwd),dn));
2349 0 : ldap_mods_free(mods, true);
2350 0 : goto fn_exit;
2351 : }
2352 :
2353 0 : DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
2354 0 : ldap_mods_free(mods, true);
2355 :
2356 0 : status = NT_STATUS_OK;
2357 :
2358 0 : fn_exit:
2359 :
2360 0 : TALLOC_FREE(ctx);
2361 0 : if (result) {
2362 0 : ldap_msgfree(result);
2363 : }
2364 0 : return status;
2365 : }
2366 :
2367 : /**********************************************************************
2368 : *********************************************************************/
2369 :
2370 0 : static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
2371 : const char *filter,
2372 : LDAPMessage ** result)
2373 : {
2374 0 : int scope = LDAP_SCOPE_SUBTREE;
2375 0 : int rc;
2376 0 : const char **attr_list;
2377 :
2378 0 : attr_list = get_attr_list(NULL, groupmap_attr_list);
2379 0 : rc = smbldap_search(ldap_state->smbldap_state,
2380 : lp_ldap_suffix(), scope,
2381 : filter, attr_list, 0, result);
2382 0 : TALLOC_FREE(attr_list);
2383 :
2384 0 : return rc;
2385 : }
2386 :
2387 : /**********************************************************************
2388 : *********************************************************************/
2389 :
2390 0 : static bool init_group_from_ldap(struct ldapsam_privates *ldap_state,
2391 : GROUP_MAP *map, LDAPMessage *entry)
2392 : {
2393 0 : char *temp = NULL;
2394 0 : TALLOC_CTX *ctx = talloc_init("init_group_from_ldap");
2395 :
2396 0 : if (ldap_state == NULL || map == NULL || entry == NULL ||
2397 0 : smbldap_get_ldap(ldap_state->smbldap_state) == NULL) {
2398 0 : DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
2399 0 : TALLOC_FREE(ctx);
2400 0 : return false;
2401 : }
2402 :
2403 0 : temp = smbldap_talloc_single_attribute(
2404 : smbldap_get_ldap(ldap_state->smbldap_state),
2405 : entry,
2406 : get_attr_key2string(groupmap_attr_list,
2407 : LDAP_ATTR_GIDNUMBER),
2408 : ctx);
2409 0 : if (!temp) {
2410 0 : DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2411 : get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
2412 0 : TALLOC_FREE(ctx);
2413 0 : return false;
2414 : }
2415 0 : DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
2416 :
2417 0 : map->gid = (gid_t)atol(temp);
2418 :
2419 0 : TALLOC_FREE(temp);
2420 0 : temp = smbldap_talloc_single_attribute(
2421 : smbldap_get_ldap(ldap_state->smbldap_state),
2422 : entry,
2423 : get_attr_key2string(groupmap_attr_list,
2424 : LDAP_ATTR_GROUP_SID),
2425 : ctx);
2426 0 : if (!temp) {
2427 0 : DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2428 : get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
2429 0 : TALLOC_FREE(ctx);
2430 0 : return false;
2431 : }
2432 :
2433 0 : if (!string_to_sid(&map->sid, temp)) {
2434 0 : DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
2435 0 : TALLOC_FREE(ctx);
2436 0 : return false;
2437 : }
2438 :
2439 0 : TALLOC_FREE(temp);
2440 0 : temp = smbldap_talloc_single_attribute(
2441 : smbldap_get_ldap(ldap_state->smbldap_state),
2442 : entry,
2443 : get_attr_key2string(groupmap_attr_list,
2444 : LDAP_ATTR_GROUP_TYPE),
2445 : ctx);
2446 0 : if (!temp) {
2447 0 : DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2448 : get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
2449 0 : TALLOC_FREE(ctx);
2450 0 : return false;
2451 : }
2452 0 : map->sid_name_use = (enum lsa_SidType)atol(temp);
2453 :
2454 0 : if ((map->sid_name_use < SID_NAME_USER) ||
2455 0 : (map->sid_name_use > SID_NAME_UNKNOWN)) {
2456 0 : DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
2457 0 : TALLOC_FREE(ctx);
2458 0 : return false;
2459 : }
2460 :
2461 0 : TALLOC_FREE(temp);
2462 0 : temp = smbldap_talloc_single_attribute(
2463 : smbldap_get_ldap(ldap_state->smbldap_state),
2464 : entry,
2465 : get_attr_key2string(groupmap_attr_list,
2466 : LDAP_ATTR_DISPLAY_NAME),
2467 : ctx);
2468 0 : if (!temp) {
2469 0 : temp = smbldap_talloc_single_attribute(
2470 : smbldap_get_ldap(ldap_state->smbldap_state),
2471 : entry,
2472 : get_attr_key2string(groupmap_attr_list,
2473 : LDAP_ATTR_CN),
2474 : ctx);
2475 0 : if (!temp) {
2476 0 : DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
2477 : for gidNumber(%lu)\n",(unsigned long)map->gid));
2478 0 : TALLOC_FREE(ctx);
2479 0 : return false;
2480 : }
2481 : }
2482 0 : map->nt_name = talloc_strdup(map, temp);
2483 0 : if (!map->nt_name) {
2484 0 : TALLOC_FREE(ctx);
2485 0 : return false;
2486 : }
2487 :
2488 0 : TALLOC_FREE(temp);
2489 0 : temp = smbldap_talloc_single_attribute(
2490 : smbldap_get_ldap(ldap_state->smbldap_state),
2491 : entry,
2492 : get_attr_key2string(groupmap_attr_list,
2493 : LDAP_ATTR_DESC),
2494 : ctx);
2495 0 : if (!temp) {
2496 0 : temp = talloc_strdup(ctx, "");
2497 0 : if (!temp) {
2498 0 : TALLOC_FREE(ctx);
2499 0 : return false;
2500 : }
2501 : }
2502 0 : map->comment = talloc_strdup(map, temp);
2503 0 : if (!map->comment) {
2504 0 : TALLOC_FREE(ctx);
2505 0 : return false;
2506 : }
2507 :
2508 0 : if (lp_parm_bool(-1, "ldapsam", "trusted", false)) {
2509 0 : struct unixid id;
2510 0 : id.id = map->gid;
2511 0 : id.type = ID_TYPE_GID;
2512 :
2513 0 : idmap_cache_set_sid2unixid(&map->sid, &id);
2514 : }
2515 :
2516 0 : TALLOC_FREE(ctx);
2517 0 : return true;
2518 : }
2519 :
2520 : /**********************************************************************
2521 : *********************************************************************/
2522 :
2523 0 : static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
2524 : const char *filter,
2525 : GROUP_MAP *map)
2526 : {
2527 0 : struct ldapsam_privates *ldap_state =
2528 : (struct ldapsam_privates *)methods->private_data;
2529 0 : LDAPMessage *result = NULL;
2530 0 : LDAPMessage *entry = NULL;
2531 0 : int count;
2532 :
2533 0 : if (ldapsam_search_one_group(ldap_state, filter, &result)
2534 : != LDAP_SUCCESS) {
2535 0 : return NT_STATUS_NO_SUCH_GROUP;
2536 : }
2537 :
2538 0 : count = ldap_count_entries(priv2ld(ldap_state), result);
2539 :
2540 0 : if (count < 1) {
2541 0 : DEBUG(4, ("ldapsam_getgroup: Did not find group, filter was "
2542 : "%s\n", filter));
2543 0 : ldap_msgfree(result);
2544 0 : return NT_STATUS_NO_SUCH_GROUP;
2545 : }
2546 :
2547 0 : if (count > 1) {
2548 0 : DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: "
2549 : "count=%d\n", filter, count));
2550 0 : ldap_msgfree(result);
2551 0 : return NT_STATUS_NO_SUCH_GROUP;
2552 : }
2553 :
2554 0 : entry = ldap_first_entry(priv2ld(ldap_state), result);
2555 :
2556 0 : if (!entry) {
2557 0 : ldap_msgfree(result);
2558 0 : return NT_STATUS_UNSUCCESSFUL;
2559 : }
2560 :
2561 0 : if (!init_group_from_ldap(ldap_state, map, entry)) {
2562 0 : DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for "
2563 : "group filter %s\n", filter));
2564 0 : ldap_msgfree(result);
2565 0 : return NT_STATUS_NO_SUCH_GROUP;
2566 : }
2567 :
2568 0 : ldap_msgfree(result);
2569 0 : return NT_STATUS_OK;
2570 : }
2571 :
2572 : /**********************************************************************
2573 : *********************************************************************/
2574 :
2575 0 : static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
2576 : struct dom_sid sid)
2577 : {
2578 0 : char *filter = NULL;
2579 0 : NTSTATUS status;
2580 0 : struct dom_sid_buf tmp;
2581 :
2582 0 : if (asprintf(&filter, "(&(objectClass=%s)(%s=%s))",
2583 : LDAP_OBJ_GROUPMAP,
2584 : get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
2585 : dom_sid_str_buf(&sid, &tmp)) < 0) {
2586 0 : return NT_STATUS_NO_MEMORY;
2587 : }
2588 :
2589 0 : status = ldapsam_getgroup(methods, filter, map);
2590 0 : SAFE_FREE(filter);
2591 0 : return status;
2592 : }
2593 :
2594 : /**********************************************************************
2595 : *********************************************************************/
2596 :
2597 0 : static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
2598 : gid_t gid)
2599 : {
2600 0 : char *filter = NULL;
2601 0 : NTSTATUS status;
2602 :
2603 0 : if (asprintf(&filter, "(&(objectClass=%s)(%s=%lu))",
2604 : LDAP_OBJ_GROUPMAP,
2605 : get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2606 : (unsigned long)gid) < 0) {
2607 0 : return NT_STATUS_NO_MEMORY;
2608 : }
2609 :
2610 0 : status = ldapsam_getgroup(methods, filter, map);
2611 0 : SAFE_FREE(filter);
2612 0 : return status;
2613 : }
2614 :
2615 : /**********************************************************************
2616 : *********************************************************************/
2617 :
2618 0 : static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
2619 : const char *name)
2620 : {
2621 0 : char *filter = NULL;
2622 0 : char *escape_name = escape_ldap_string(talloc_tos(), name);
2623 0 : NTSTATUS status;
2624 :
2625 0 : if (!escape_name) {
2626 0 : return NT_STATUS_NO_MEMORY;
2627 : }
2628 :
2629 0 : if (asprintf(&filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
2630 : LDAP_OBJ_GROUPMAP,
2631 : get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
2632 : get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN),
2633 : escape_name) < 0) {
2634 0 : TALLOC_FREE(escape_name);
2635 0 : return NT_STATUS_NO_MEMORY;
2636 : }
2637 :
2638 0 : TALLOC_FREE(escape_name);
2639 0 : status = ldapsam_getgroup(methods, filter, map);
2640 0 : SAFE_FREE(filter);
2641 0 : return status;
2642 : }
2643 :
2644 0 : static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
2645 : LDAPMessage *entry,
2646 : const struct dom_sid *domain_sid,
2647 : uint32_t *rid)
2648 : {
2649 0 : fstring str;
2650 0 : struct dom_sid sid;
2651 :
2652 0 : if (!smbldap_get_single_attribute(ldap_struct, entry, "sambaSID",
2653 : str, sizeof(str)-1)) {
2654 0 : DEBUG(10, ("Could not find sambaSID attribute\n"));
2655 0 : return False;
2656 : }
2657 :
2658 0 : if (!string_to_sid(&sid, str)) {
2659 0 : DEBUG(10, ("Could not convert string %s to sid\n", str));
2660 0 : return False;
2661 : }
2662 :
2663 0 : if (dom_sid_compare_domain(&sid, domain_sid) != 0) {
2664 0 : struct dom_sid_buf buf;
2665 0 : DEBUG(10, ("SID %s is not in expected domain %s\n",
2666 : str,
2667 : dom_sid_str_buf(domain_sid, &buf)));
2668 0 : return False;
2669 : }
2670 :
2671 0 : if (!sid_peek_rid(&sid, rid)) {
2672 0 : DEBUG(10, ("Could not peek into RID\n"));
2673 0 : return False;
2674 : }
2675 :
2676 0 : return True;
2677 : }
2678 :
2679 0 : static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods,
2680 : TALLOC_CTX *mem_ctx,
2681 : const struct dom_sid *group,
2682 : uint32_t **pp_member_rids,
2683 : size_t *p_num_members)
2684 : {
2685 0 : struct ldapsam_privates *ldap_state =
2686 : (struct ldapsam_privates *)methods->private_data;
2687 0 : struct smbldap_state *conn = ldap_state->smbldap_state;
2688 0 : const char *id_attrs[] = { "memberUid", "gidNumber", NULL };
2689 0 : const char *sid_attrs[] = { "sambaSID", NULL };
2690 0 : NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2691 0 : LDAPMessage *result = NULL;
2692 0 : LDAPMessage *entry;
2693 0 : char *filter;
2694 0 : char **values = NULL;
2695 0 : char **memberuid;
2696 0 : char *gidstr;
2697 0 : int rc, count;
2698 0 : struct dom_sid_buf buf;
2699 :
2700 0 : *pp_member_rids = NULL;
2701 0 : *p_num_members = 0;
2702 :
2703 0 : filter = talloc_asprintf(mem_ctx,
2704 : "(&(objectClass="LDAP_OBJ_POSIXGROUP")"
2705 : "(objectClass="LDAP_OBJ_GROUPMAP")"
2706 : "(sambaSID=%s))",
2707 : dom_sid_str_buf(group, &buf));
2708 0 : if (filter == NULL) {
2709 0 : ret = NT_STATUS_NO_MEMORY;
2710 0 : goto done;
2711 : }
2712 :
2713 0 : rc = smbldap_search(conn, lp_ldap_suffix(),
2714 : LDAP_SCOPE_SUBTREE, filter, id_attrs, 0,
2715 : &result);
2716 :
2717 0 : if (rc != LDAP_SUCCESS)
2718 0 : goto done;
2719 :
2720 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
2721 :
2722 0 : count = ldap_count_entries(smbldap_get_ldap(conn), result);
2723 :
2724 0 : if (count > 1) {
2725 0 : DEBUG(1, ("Found more than one groupmap entry for %s\n",
2726 : dom_sid_str_buf(group, &buf)));
2727 0 : ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2728 0 : goto done;
2729 : }
2730 :
2731 0 : if (count == 0) {
2732 0 : ret = NT_STATUS_NO_SUCH_GROUP;
2733 0 : goto done;
2734 : }
2735 :
2736 0 : entry = ldap_first_entry(smbldap_get_ldap(conn), result);
2737 0 : if (entry == NULL)
2738 0 : goto done;
2739 :
2740 0 : gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
2741 0 : if (!gidstr) {
2742 0 : DEBUG (0, ("ldapsam_enum_group_members: Unable to find the group's gid!\n"));
2743 0 : ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2744 0 : goto done;
2745 : }
2746 :
2747 0 : values = ldap_get_values(smbldap_get_ldap(conn), entry, "memberUid");
2748 :
2749 0 : if ((values != NULL) && (values[0] != NULL)) {
2750 :
2751 0 : filter = talloc_strdup(mem_ctx, "(&(objectClass="LDAP_OBJ_SAMBASAMACCOUNT")(|");
2752 :
2753 0 : for (memberuid = values; *memberuid != NULL; memberuid += 1) {
2754 0 : char *escape_memberuid;
2755 :
2756 0 : escape_memberuid = escape_ldap_string(talloc_tos(),
2757 : *memberuid);
2758 0 : if (escape_memberuid == NULL) {
2759 0 : ret = NT_STATUS_NO_MEMORY;
2760 0 : goto done;
2761 : }
2762 :
2763 0 : filter = talloc_asprintf_append_buffer(filter, "(uid=%s)", escape_memberuid);
2764 0 : TALLOC_FREE(escape_memberuid);
2765 0 : if (filter == NULL) {
2766 0 : ret = NT_STATUS_NO_MEMORY;
2767 0 : goto done;
2768 : }
2769 : }
2770 :
2771 0 : filter = talloc_asprintf_append_buffer(filter, "))");
2772 0 : if (filter == NULL) {
2773 0 : ret = NT_STATUS_NO_MEMORY;
2774 0 : goto done;
2775 : }
2776 :
2777 0 : rc = smbldap_search(conn, lp_ldap_suffix(),
2778 : LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
2779 : &result);
2780 :
2781 0 : if (rc != LDAP_SUCCESS)
2782 0 : goto done;
2783 :
2784 0 : count = ldap_count_entries(smbldap_get_ldap(conn), result);
2785 0 : DEBUG(10,("ldapsam_enum_group_members: found %d accounts\n", count));
2786 :
2787 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
2788 :
2789 0 : for (entry = ldap_first_entry(smbldap_get_ldap(conn), result);
2790 0 : entry != NULL;
2791 0 : entry = ldap_next_entry(smbldap_get_ldap(conn), entry))
2792 : {
2793 0 : char *sidstr;
2794 0 : struct dom_sid sid;
2795 0 : uint32_t rid;
2796 :
2797 0 : sidstr = smbldap_talloc_single_attribute(
2798 : smbldap_get_ldap(conn), entry, "sambaSID",
2799 : mem_ctx);
2800 0 : if (!sidstr) {
2801 0 : DEBUG(0, ("Severe DB error, %s can't miss the sambaSID"
2802 : "attribute\n", LDAP_OBJ_SAMBASAMACCOUNT));
2803 0 : ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2804 0 : goto done;
2805 : }
2806 :
2807 0 : if (!string_to_sid(&sid, sidstr))
2808 0 : goto done;
2809 :
2810 0 : if (!sid_check_is_in_our_sam(&sid)) {
2811 0 : DEBUG(0, ("Inconsistent SAM -- group member uid not "
2812 : "in our domain\n"));
2813 0 : ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2814 0 : goto done;
2815 : }
2816 :
2817 0 : sid_peek_rid(&sid, &rid);
2818 :
2819 0 : if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2820 : p_num_members)) {
2821 0 : ret = NT_STATUS_NO_MEMORY;
2822 0 : goto done;
2823 : }
2824 : }
2825 : }
2826 :
2827 0 : filter = talloc_asprintf(mem_ctx,
2828 : "(&(objectClass=%s)"
2829 : "(gidNumber=%s))",
2830 : LDAP_OBJ_SAMBASAMACCOUNT,
2831 : gidstr);
2832 :
2833 0 : rc = smbldap_search(conn, lp_ldap_suffix(),
2834 : LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
2835 : &result);
2836 :
2837 0 : if (rc != LDAP_SUCCESS)
2838 0 : goto done;
2839 :
2840 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
2841 :
2842 0 : for (entry = ldap_first_entry(smbldap_get_ldap(conn), result);
2843 0 : entry != NULL;
2844 0 : entry = ldap_next_entry(smbldap_get_ldap(conn), entry))
2845 : {
2846 0 : uint32_t rid;
2847 :
2848 0 : if (!ldapsam_extract_rid_from_entry(smbldap_get_ldap(conn),
2849 : entry,
2850 0 : get_global_sam_sid(),
2851 : &rid)) {
2852 0 : DEBUG(0, ("Severe DB error, %s can't miss the samba SID"
2853 : "attribute\n", LDAP_OBJ_SAMBASAMACCOUNT));
2854 0 : ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2855 0 : goto done;
2856 : }
2857 :
2858 0 : if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2859 : p_num_members)) {
2860 0 : ret = NT_STATUS_NO_MEMORY;
2861 0 : goto done;
2862 : }
2863 : }
2864 :
2865 0 : ret = NT_STATUS_OK;
2866 :
2867 0 : done:
2868 :
2869 0 : if (values)
2870 0 : ldap_value_free(values);
2871 :
2872 0 : return ret;
2873 : }
2874 :
2875 0 : static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
2876 : TALLOC_CTX *mem_ctx,
2877 : struct samu *user,
2878 : struct dom_sid **pp_sids,
2879 : gid_t **pp_gids,
2880 : uint32_t *p_num_groups)
2881 : {
2882 0 : struct ldapsam_privates *ldap_state =
2883 : (struct ldapsam_privates *)methods->private_data;
2884 0 : struct smbldap_state *conn = ldap_state->smbldap_state;
2885 0 : char *filter;
2886 0 : const char *attrs[] = { "gidNumber", "sambaSID", NULL };
2887 0 : char *escape_name;
2888 0 : int rc, count;
2889 0 : LDAPMessage *result = NULL;
2890 0 : LDAPMessage *entry;
2891 0 : NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2892 0 : uint32_t num_sids;
2893 0 : uint32_t num_gids;
2894 0 : char *gidstr;
2895 0 : gid_t primary_gid = -1;
2896 0 : int error = 0;
2897 :
2898 0 : *pp_sids = NULL;
2899 0 : num_sids = 0;
2900 :
2901 0 : if (pdb_get_username(user) == NULL) {
2902 0 : return NT_STATUS_INVALID_PARAMETER;
2903 : }
2904 :
2905 0 : escape_name = escape_ldap_string(talloc_tos(), pdb_get_username(user));
2906 0 : if (escape_name == NULL)
2907 0 : return NT_STATUS_NO_MEMORY;
2908 :
2909 0 : if (user->unix_pw) {
2910 0 : primary_gid = user->unix_pw->pw_gid;
2911 : } else {
2912 : /* retrieve the users primary gid */
2913 0 : filter = talloc_asprintf(mem_ctx,
2914 : "(&(objectClass="LDAP_OBJ_SAMBASAMACCOUNT")(uid=%s))",
2915 : escape_name);
2916 0 : if (filter == NULL) {
2917 0 : ret = NT_STATUS_NO_MEMORY;
2918 0 : goto done;
2919 : }
2920 :
2921 0 : rc = smbldap_search(conn, lp_ldap_suffix(),
2922 : LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2923 :
2924 0 : if (rc != LDAP_SUCCESS)
2925 0 : goto done;
2926 :
2927 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
2928 :
2929 0 : count = ldap_count_entries(priv2ld(ldap_state), result);
2930 :
2931 0 : switch (count) {
2932 0 : case 0:
2933 0 : DEBUG(1, ("User account [%s] not found!\n", pdb_get_username(user)));
2934 0 : ret = NT_STATUS_NO_SUCH_USER;
2935 0 : goto done;
2936 0 : case 1:
2937 0 : entry = ldap_first_entry(priv2ld(ldap_state), result);
2938 :
2939 0 : gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
2940 0 : if (!gidstr) {
2941 0 : DEBUG (1, ("Unable to find the member's gid!\n"));
2942 0 : ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2943 0 : goto done;
2944 : }
2945 0 : primary_gid = smb_strtoul(gidstr,
2946 : NULL,
2947 : 10,
2948 : &error,
2949 : SMB_STR_STANDARD);
2950 0 : if (error != 0) {
2951 0 : DBG_ERR("Failed to convert GID\n");
2952 0 : goto done;
2953 : }
2954 0 : break;
2955 0 : default:
2956 0 : DEBUG(1, ("found more than one account with the same user name ?!\n"));
2957 0 : ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2958 0 : goto done;
2959 : }
2960 : }
2961 :
2962 0 : filter = talloc_asprintf(mem_ctx,
2963 : "(&(objectClass="LDAP_OBJ_POSIXGROUP")(|(memberUid=%s)(gidNumber=%u)))",
2964 : escape_name, (unsigned int)primary_gid);
2965 0 : if (filter == NULL) {
2966 0 : ret = NT_STATUS_NO_MEMORY;
2967 0 : goto done;
2968 : }
2969 :
2970 0 : rc = smbldap_search(conn, lp_ldap_suffix(),
2971 : LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2972 :
2973 0 : if (rc != LDAP_SUCCESS)
2974 0 : goto done;
2975 :
2976 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
2977 :
2978 0 : num_gids = 0;
2979 0 : *pp_gids = NULL;
2980 :
2981 0 : num_sids = 0;
2982 0 : *pp_sids = NULL;
2983 :
2984 : /* We need to add the primary group as the first gid/sid */
2985 :
2986 0 : if (!add_gid_to_array_unique(mem_ctx, primary_gid, pp_gids, &num_gids)) {
2987 0 : ret = NT_STATUS_NO_MEMORY;
2988 0 : goto done;
2989 : }
2990 :
2991 : /* This sid will be replaced later */
2992 :
2993 0 : ret = add_sid_to_array_unique(mem_ctx, &global_sid_NULL, pp_sids,
2994 : &num_sids);
2995 0 : if (!NT_STATUS_IS_OK(ret)) {
2996 0 : goto done;
2997 : }
2998 :
2999 0 : for (entry = ldap_first_entry(smbldap_get_ldap(conn), result);
3000 0 : entry != NULL;
3001 0 : entry = ldap_next_entry(smbldap_get_ldap(conn), entry))
3002 : {
3003 0 : fstring str;
3004 0 : struct dom_sid sid;
3005 0 : gid_t gid;
3006 :
3007 0 : if (!smbldap_get_single_attribute(smbldap_get_ldap(conn),
3008 : entry, "sambaSID",
3009 : str, sizeof(str)-1))
3010 0 : continue;
3011 :
3012 0 : if (!string_to_sid(&sid, str))
3013 0 : goto done;
3014 :
3015 0 : if (!smbldap_get_single_attribute(smbldap_get_ldap(conn),
3016 : entry, "gidNumber",
3017 : str, sizeof(str)-1))
3018 0 : continue;
3019 :
3020 0 : gid = smb_strtoul(str, NULL, 10, &error, SMB_STR_FULL_STR_CONV);
3021 :
3022 0 : if (error != 0) {
3023 0 : goto done;
3024 : }
3025 :
3026 0 : if (gid == primary_gid) {
3027 0 : sid_copy(&(*pp_sids)[0], &sid);
3028 : } else {
3029 0 : if (!add_gid_to_array_unique(mem_ctx, gid, pp_gids,
3030 : &num_gids)) {
3031 0 : ret = NT_STATUS_NO_MEMORY;
3032 0 : goto done;
3033 : }
3034 0 : ret = add_sid_to_array_unique(mem_ctx, &sid, pp_sids,
3035 : &num_sids);
3036 0 : if (!NT_STATUS_IS_OK(ret)) {
3037 0 : goto done;
3038 : }
3039 : }
3040 : }
3041 :
3042 0 : if (dom_sid_compare(&global_sid_NULL, &(*pp_sids)[0]) == 0) {
3043 0 : DEBUG(3, ("primary group of [%s] not found\n",
3044 : pdb_get_username(user)));
3045 0 : ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
3046 0 : goto done;
3047 : }
3048 :
3049 0 : *p_num_groups = num_sids;
3050 :
3051 0 : ret = NT_STATUS_OK;
3052 :
3053 0 : done:
3054 :
3055 0 : TALLOC_FREE(escape_name);
3056 0 : return ret;
3057 : }
3058 :
3059 : /**********************************************************************
3060 : * Augment a posixGroup object with a sambaGroupMapping domgroup
3061 : *********************************************************************/
3062 :
3063 0 : static NTSTATUS ldapsam_map_posixgroup(TALLOC_CTX *mem_ctx,
3064 : struct ldapsam_privates *ldap_state,
3065 : GROUP_MAP *map)
3066 : {
3067 0 : const char *filter, *dn;
3068 0 : LDAPMessage *msg, *entry;
3069 0 : LDAPMod **mods;
3070 0 : struct dom_sid_buf buf;
3071 0 : int rc;
3072 :
3073 0 : filter = talloc_asprintf(mem_ctx,
3074 : "(&(objectClass="LDAP_OBJ_POSIXGROUP")(gidNumber=%u))",
3075 0 : (unsigned int)map->gid);
3076 0 : if (filter == NULL) {
3077 0 : return NT_STATUS_NO_MEMORY;
3078 : }
3079 :
3080 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
3081 : get_attr_list(mem_ctx, groupmap_attr_list),
3082 : &msg);
3083 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
3084 :
3085 0 : if ((rc != LDAP_SUCCESS) ||
3086 0 : (ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
3087 0 : msg) != 1) ||
3088 0 : ((entry = ldap_first_entry(
3089 : smbldap_get_ldap(ldap_state->smbldap_state),
3090 : msg)) == NULL)) {
3091 0 : return NT_STATUS_NO_SUCH_GROUP;
3092 : }
3093 :
3094 0 : dn = smbldap_talloc_dn(mem_ctx,
3095 : smbldap_get_ldap(ldap_state->smbldap_state),
3096 : entry);
3097 0 : if (dn == NULL) {
3098 0 : return NT_STATUS_NO_MEMORY;
3099 : }
3100 :
3101 0 : mods = NULL;
3102 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass",
3103 : LDAP_OBJ_GROUPMAP);
3104 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), entry,
3105 : &mods, "sambaSid",
3106 0 : dom_sid_str_buf(&map->sid, &buf));
3107 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), entry,
3108 : &mods, "sambaGroupType",
3109 0 : talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
3110 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), entry,
3111 : &mods, "displayName",
3112 0 : map->nt_name);
3113 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), entry,
3114 : &mods, "description",
3115 0 : map->comment);
3116 0 : smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
3117 :
3118 0 : rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3119 0 : if (rc != LDAP_SUCCESS) {
3120 0 : return NT_STATUS_ACCESS_DENIED;
3121 : }
3122 :
3123 0 : return NT_STATUS_OK;
3124 : }
3125 :
3126 0 : static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
3127 : GROUP_MAP *map)
3128 : {
3129 0 : struct ldapsam_privates *ldap_state =
3130 : (struct ldapsam_privates *)methods->private_data;
3131 0 : LDAPMessage *msg = NULL;
3132 0 : LDAPMod **mods = NULL;
3133 0 : const char *attrs[] = { NULL };
3134 0 : char *filter;
3135 :
3136 0 : char *dn;
3137 0 : TALLOC_CTX *mem_ctx;
3138 0 : NTSTATUS result;
3139 :
3140 0 : struct dom_sid sid;
3141 0 : struct dom_sid_buf buf;
3142 0 : struct unixid id;
3143 :
3144 0 : int rc;
3145 :
3146 0 : mem_ctx = talloc_new(NULL);
3147 0 : if (mem_ctx == NULL) {
3148 0 : DEBUG(0, ("talloc_new failed\n"));
3149 0 : return NT_STATUS_NO_MEMORY;
3150 : }
3151 :
3152 0 : filter = talloc_asprintf(mem_ctx, "(sambaSid=%s)",
3153 0 : dom_sid_str_buf(&map->sid, &buf));
3154 0 : if (filter == NULL) {
3155 0 : result = NT_STATUS_NO_MEMORY;
3156 0 : goto done;
3157 : }
3158 :
3159 0 : rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
3160 : LDAP_SCOPE_SUBTREE, filter, attrs, True, &msg);
3161 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
3162 :
3163 0 : if ((rc == LDAP_SUCCESS) &&
3164 0 : (ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
3165 : msg) > 0)) {
3166 :
3167 0 : DEBUG(3, ("SID %s already present in LDAP, refusing to add "
3168 : "group mapping entry\n",
3169 : dom_sid_str_buf(&map->sid, &buf)));
3170 0 : result = NT_STATUS_GROUP_EXISTS;
3171 0 : goto done;
3172 : }
3173 :
3174 0 : switch (map->sid_name_use) {
3175 :
3176 0 : case SID_NAME_DOM_GRP:
3177 : /* To map a domain group we need to have a posix group
3178 : to attach to. */
3179 0 : result = ldapsam_map_posixgroup(mem_ctx, ldap_state, map);
3180 0 : goto done;
3181 0 : break;
3182 :
3183 0 : case SID_NAME_ALIAS:
3184 0 : if (!sid_check_is_in_our_sam(&map->sid)
3185 0 : && !sid_check_is_in_builtin(&map->sid) )
3186 : {
3187 0 : DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n",
3188 : dom_sid_str_buf(&map->sid, &buf)));
3189 0 : result = NT_STATUS_INVALID_PARAMETER;
3190 0 : goto done;
3191 : }
3192 0 : break;
3193 :
3194 0 : default:
3195 0 : DEBUG(3, ("Got invalid use '%s' for mapping\n",
3196 : sid_type_lookup(map->sid_name_use)));
3197 0 : result = NT_STATUS_INVALID_PARAMETER;
3198 0 : goto done;
3199 : }
3200 :
3201 : /* Domain groups have been mapped in a separate routine, we have to
3202 : * create an alias now */
3203 :
3204 0 : if (map->gid == -1) {
3205 0 : DEBUG(10, ("Refusing to map gid==-1\n"));
3206 0 : result = NT_STATUS_INVALID_PARAMETER;
3207 0 : goto done;
3208 : }
3209 :
3210 0 : id.id = map->gid;
3211 0 : id.type = ID_TYPE_GID;
3212 :
3213 0 : if (pdb_id_to_sid(&id, &sid)) {
3214 0 : DEBUG(3, ("Gid %u is already mapped to SID %s, refusing to "
3215 : "add\n",
3216 : (unsigned int)map->gid,
3217 : dom_sid_str_buf(&sid, &buf)));
3218 0 : result = NT_STATUS_GROUP_EXISTS;
3219 0 : goto done;
3220 : }
3221 :
3222 : /* Ok, enough checks done. It's still racy to go ahead now, but that's
3223 : * the best we can get out of LDAP. */
3224 :
3225 0 : dn = talloc_asprintf(mem_ctx, "sambaSid=%s,%s",
3226 0 : dom_sid_str_buf(&map->sid, &buf),
3227 : lp_ldap_group_suffix(talloc_tos()));
3228 0 : if (dn == NULL) {
3229 0 : result = NT_STATUS_NO_MEMORY;
3230 0 : goto done;
3231 : }
3232 :
3233 0 : mods = NULL;
3234 :
3235 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
3236 : &mods, "objectClass", LDAP_OBJ_SID_ENTRY);
3237 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
3238 : &mods, "objectClass", LDAP_OBJ_GROUPMAP);
3239 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
3240 : &mods, "sambaSid",
3241 0 : dom_sid_str_buf(&map->sid, &buf));
3242 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
3243 : &mods, "sambaGroupType",
3244 0 : talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
3245 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
3246 : &mods, "displayName",
3247 0 : map->nt_name);
3248 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
3249 : &mods, "description",
3250 0 : map->comment);
3251 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
3252 : &mods, "gidNumber",
3253 0 : talloc_asprintf(mem_ctx, "%u",
3254 0 : (unsigned int)map->gid));
3255 0 : smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
3256 :
3257 0 : rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
3258 :
3259 0 : result = (rc == LDAP_SUCCESS) ?
3260 0 : NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
3261 :
3262 0 : done:
3263 0 : TALLOC_FREE(mem_ctx);
3264 0 : return result;
3265 : }
3266 :
3267 : /**********************************************************************
3268 : * Update a group mapping entry. We're quite strict about what can be changed:
3269 : * Only the description and displayname may be changed. It simply does not
3270 : * make any sense to change the SID, gid or the type in a mapping.
3271 : *********************************************************************/
3272 :
3273 0 : static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
3274 : GROUP_MAP *map)
3275 : {
3276 0 : struct ldapsam_privates *ldap_state =
3277 : (struct ldapsam_privates *)methods->private_data;
3278 0 : int rc;
3279 0 : const char *filter, *dn;
3280 0 : LDAPMessage *msg = NULL;
3281 0 : LDAPMessage *entry = NULL;
3282 0 : LDAPMod **mods = NULL;
3283 0 : TALLOC_CTX *mem_ctx;
3284 0 : NTSTATUS result;
3285 0 : struct dom_sid_buf buf;
3286 :
3287 0 : mem_ctx = talloc_new(NULL);
3288 0 : if (mem_ctx == NULL) {
3289 0 : DEBUG(0, ("talloc_new failed\n"));
3290 0 : return NT_STATUS_NO_MEMORY;
3291 : }
3292 :
3293 : /* Make 100% sure that sid, gid and type are not changed by looking up
3294 : * exactly the values we're given in LDAP. */
3295 :
3296 0 : filter = talloc_asprintf(mem_ctx, "(&(objectClass="LDAP_OBJ_GROUPMAP")"
3297 : "(sambaSid=%s)(gidNumber=%u)"
3298 : "(sambaGroupType=%d))",
3299 0 : dom_sid_str_buf(&map->sid, &buf),
3300 0 : (unsigned int)map->gid, map->sid_name_use);
3301 0 : if (filter == NULL) {
3302 0 : result = NT_STATUS_NO_MEMORY;
3303 0 : goto done;
3304 : }
3305 :
3306 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
3307 : get_attr_list(mem_ctx, groupmap_attr_list),
3308 : &msg);
3309 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
3310 :
3311 0 : if ((rc != LDAP_SUCCESS) ||
3312 0 : (ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
3313 0 : msg) != 1) ||
3314 0 : ((entry = ldap_first_entry(
3315 : smbldap_get_ldap(ldap_state->smbldap_state),
3316 : msg)) == NULL)) {
3317 0 : result = NT_STATUS_NO_SUCH_GROUP;
3318 0 : goto done;
3319 : }
3320 :
3321 0 : dn = smbldap_talloc_dn(
3322 : mem_ctx, smbldap_get_ldap(ldap_state->smbldap_state), entry);
3323 :
3324 0 : if (dn == NULL) {
3325 0 : result = NT_STATUS_NO_MEMORY;
3326 0 : goto done;
3327 : }
3328 :
3329 0 : mods = NULL;
3330 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), entry,
3331 0 : &mods, "displayName", map->nt_name);
3332 0 : smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), entry,
3333 0 : &mods, "description", map->comment);
3334 0 : smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
3335 :
3336 0 : if (mods == NULL) {
3337 0 : DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: "
3338 : "nothing to do\n"));
3339 0 : result = NT_STATUS_OK;
3340 0 : goto done;
3341 : }
3342 :
3343 0 : rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3344 :
3345 0 : if (rc != LDAP_SUCCESS) {
3346 0 : result = NT_STATUS_ACCESS_DENIED;
3347 0 : goto done;
3348 : }
3349 :
3350 0 : DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified "
3351 : "group %lu in LDAP\n", (unsigned long)map->gid));
3352 :
3353 0 : result = NT_STATUS_OK;
3354 :
3355 0 : done:
3356 0 : TALLOC_FREE(mem_ctx);
3357 0 : return result;
3358 : }
3359 :
3360 : /**********************************************************************
3361 : *********************************************************************/
3362 :
3363 0 : static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
3364 : struct dom_sid sid)
3365 : {
3366 0 : struct ldapsam_privates *priv =
3367 : (struct ldapsam_privates *)methods->private_data;
3368 0 : LDAPMessage *msg, *entry;
3369 0 : int rc;
3370 0 : NTSTATUS result;
3371 0 : TALLOC_CTX *mem_ctx;
3372 0 : char *filter;
3373 0 : struct dom_sid_buf buf;
3374 :
3375 0 : mem_ctx = talloc_new(NULL);
3376 0 : if (mem_ctx == NULL) {
3377 0 : DEBUG(0, ("talloc_new failed\n"));
3378 0 : return NT_STATUS_NO_MEMORY;
3379 : }
3380 :
3381 0 : filter = talloc_asprintf(mem_ctx, "(&(objectClass="LDAP_OBJ_GROUPMAP")("LDAP_ATTRIBUTE_SID"=%s))",
3382 : dom_sid_str_buf(&sid, &buf));
3383 0 : if (filter == NULL) {
3384 0 : result = NT_STATUS_NO_MEMORY;
3385 0 : goto done;
3386 : }
3387 0 : rc = smbldap_search_suffix(priv->smbldap_state, filter,
3388 : get_attr_list(mem_ctx, groupmap_attr_list),
3389 : &msg);
3390 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
3391 :
3392 0 : if ((rc != LDAP_SUCCESS) ||
3393 0 : (ldap_count_entries(priv2ld(priv), msg) != 1) ||
3394 0 : ((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
3395 0 : result = NT_STATUS_NO_SUCH_GROUP;
3396 0 : goto done;
3397 : }
3398 :
3399 0 : rc = ldapsam_delete_entry(priv, mem_ctx, entry, LDAP_OBJ_GROUPMAP,
3400 : get_attr_list(mem_ctx,
3401 : groupmap_attr_list_to_delete));
3402 :
3403 0 : if ((rc == LDAP_NAMING_VIOLATION) ||
3404 0 : (rc == LDAP_NOT_ALLOWED_ON_RDN) ||
3405 : (rc == LDAP_OBJECT_CLASS_VIOLATION)) {
3406 0 : const char *attrs[] = { "sambaGroupType", "description",
3407 : "displayName", "sambaSIDList",
3408 : NULL };
3409 :
3410 : /* Second try. Don't delete the sambaSID attribute, this is
3411 : for "old" entries that are tacked on a winbind
3412 : sambaIdmapEntry. */
3413 :
3414 0 : rc = ldapsam_delete_entry(priv, mem_ctx, entry,
3415 : LDAP_OBJ_GROUPMAP, attrs);
3416 : }
3417 :
3418 0 : if ((rc == LDAP_NAMING_VIOLATION) ||
3419 0 : (rc == LDAP_NOT_ALLOWED_ON_RDN) ||
3420 : (rc == LDAP_OBJECT_CLASS_VIOLATION)) {
3421 0 : const char *attrs[] = { "sambaGroupType", "description",
3422 : "displayName", "sambaSIDList",
3423 : "gidNumber", NULL };
3424 :
3425 : /* Third try. This is a post-3.0.21 alias (containing only
3426 : * sambaSidEntry and sambaGroupMapping classes), we also have
3427 : * to delete the gidNumber attribute, only the sambaSidEntry
3428 : * remains */
3429 :
3430 0 : rc = ldapsam_delete_entry(priv, mem_ctx, entry,
3431 : LDAP_OBJ_GROUPMAP, attrs);
3432 : }
3433 :
3434 0 : result = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
3435 :
3436 0 : done:
3437 0 : TALLOC_FREE(mem_ctx);
3438 0 : return result;
3439 : }
3440 :
3441 : /**********************************************************************
3442 : *********************************************************************/
3443 :
3444 0 : static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods,
3445 : bool update)
3446 : {
3447 0 : struct ldapsam_privates *ldap_state =
3448 : (struct ldapsam_privates *)my_methods->private_data;
3449 0 : const char *filter = NULL;
3450 0 : int rc;
3451 0 : const char **attr_list;
3452 :
3453 0 : filter = "(objectclass="LDAP_OBJ_GROUPMAP")";
3454 0 : attr_list = get_attr_list( NULL, groupmap_attr_list );
3455 0 : rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
3456 : LDAP_SCOPE_SUBTREE, filter,
3457 : attr_list, 0, &ldap_state->result);
3458 0 : TALLOC_FREE(attr_list);
3459 :
3460 0 : if (rc != LDAP_SUCCESS) {
3461 0 : DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n",
3462 : ldap_err2string(rc)));
3463 0 : DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n",
3464 : lp_ldap_suffix(), filter));
3465 0 : ldap_msgfree(ldap_state->result);
3466 0 : ldap_state->result = NULL;
3467 0 : return NT_STATUS_UNSUCCESSFUL;
3468 : }
3469 :
3470 0 : DEBUG(2, ("ldapsam_setsamgrent: %d entries in the base!\n",
3471 : ldap_count_entries(
3472 : smbldap_get_ldap(ldap_state->smbldap_state),
3473 : ldap_state->result)));
3474 :
3475 0 : ldap_state->entry =
3476 0 : ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
3477 : ldap_state->result);
3478 0 : ldap_state->index = 0;
3479 :
3480 0 : return NT_STATUS_OK;
3481 : }
3482 :
3483 : /**********************************************************************
3484 : *********************************************************************/
3485 :
3486 0 : static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
3487 : {
3488 0 : ldapsam_endsampwent(my_methods);
3489 0 : }
3490 :
3491 : /**********************************************************************
3492 : *********************************************************************/
3493 :
3494 0 : static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
3495 : GROUP_MAP *map)
3496 : {
3497 0 : NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
3498 0 : struct ldapsam_privates *ldap_state =
3499 : (struct ldapsam_privates *)my_methods->private_data;
3500 0 : bool bret = False;
3501 :
3502 0 : while (!bret) {
3503 0 : if (!ldap_state->entry)
3504 0 : return ret;
3505 :
3506 0 : ldap_state->index++;
3507 0 : bret = init_group_from_ldap(ldap_state, map,
3508 : ldap_state->entry);
3509 :
3510 0 : ldap_state->entry = ldap_next_entry(
3511 : smbldap_get_ldap(ldap_state->smbldap_state),
3512 : ldap_state->entry);
3513 : }
3514 :
3515 0 : return NT_STATUS_OK;
3516 : }
3517 :
3518 : /**********************************************************************
3519 : *********************************************************************/
3520 :
3521 0 : static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
3522 : const struct dom_sid *domsid, enum lsa_SidType sid_name_use,
3523 : GROUP_MAP ***pp_rmap,
3524 : size_t *p_num_entries,
3525 : bool unix_only)
3526 : {
3527 0 : GROUP_MAP *map = NULL;
3528 0 : size_t entries = 0;
3529 :
3530 0 : *p_num_entries = 0;
3531 0 : *pp_rmap = NULL;
3532 :
3533 0 : if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
3534 0 : DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open "
3535 : "passdb\n"));
3536 0 : return NT_STATUS_ACCESS_DENIED;
3537 : }
3538 :
3539 0 : while (true) {
3540 :
3541 0 : map = talloc_zero(NULL, GROUP_MAP);
3542 0 : if (!map) {
3543 0 : return NT_STATUS_NO_MEMORY;
3544 : }
3545 :
3546 0 : if (!NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, map))) {
3547 0 : TALLOC_FREE(map);
3548 0 : break;
3549 : }
3550 :
3551 0 : if (sid_name_use != SID_NAME_UNKNOWN &&
3552 0 : sid_name_use != map->sid_name_use) {
3553 0 : DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
3554 : "not of the requested type\n",
3555 : map->nt_name));
3556 0 : continue;
3557 : }
3558 0 : if (unix_only == ENUM_ONLY_MAPPED && map->gid == -1) {
3559 0 : DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
3560 : "non mapped\n", map->nt_name));
3561 0 : continue;
3562 : }
3563 :
3564 0 : *pp_rmap = talloc_realloc(NULL, *pp_rmap,
3565 : GROUP_MAP *, entries + 1);
3566 0 : if (!(*pp_rmap)) {
3567 0 : DEBUG(0,("ldapsam_enum_group_mapping: Unable to "
3568 : "enlarge group map!\n"));
3569 0 : return NT_STATUS_UNSUCCESSFUL;
3570 : }
3571 :
3572 0 : (*pp_rmap)[entries] = talloc_move((*pp_rmap), &map);
3573 :
3574 0 : entries += 1;
3575 : }
3576 :
3577 0 : ldapsam_endsamgrent(methods);
3578 :
3579 0 : *p_num_entries = entries;
3580 :
3581 0 : return NT_STATUS_OK;
3582 : }
3583 :
3584 0 : static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods,
3585 : const struct dom_sid *alias,
3586 : const struct dom_sid *member,
3587 : int modop)
3588 : {
3589 0 : struct ldapsam_privates *ldap_state =
3590 : (struct ldapsam_privates *)methods->private_data;
3591 0 : char *dn = NULL;
3592 0 : LDAPMessage *result = NULL;
3593 0 : LDAPMessage *entry = NULL;
3594 0 : int count;
3595 0 : LDAPMod **mods = NULL;
3596 0 : int rc;
3597 0 : enum lsa_SidType type = SID_NAME_USE_NONE;
3598 0 : struct dom_sid_buf tmp;
3599 :
3600 0 : char *filter = NULL;
3601 :
3602 0 : if (sid_check_is_in_builtin(alias)) {
3603 0 : type = SID_NAME_ALIAS;
3604 : }
3605 :
3606 0 : if (sid_check_is_in_our_sam(alias)) {
3607 0 : type = SID_NAME_ALIAS;
3608 : }
3609 :
3610 0 : if (type == SID_NAME_USE_NONE) {
3611 0 : struct dom_sid_buf buf;
3612 0 : DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
3613 : dom_sid_str_buf(alias, &buf)));
3614 0 : return NT_STATUS_NO_SUCH_ALIAS;
3615 : }
3616 :
3617 0 : if (asprintf(&filter,
3618 : "(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
3619 : LDAP_OBJ_GROUPMAP,
3620 : dom_sid_str_buf(alias, &tmp),
3621 : type) < 0) {
3622 0 : return NT_STATUS_NO_MEMORY;
3623 : }
3624 :
3625 0 : if (ldapsam_search_one_group(ldap_state, filter,
3626 : &result) != LDAP_SUCCESS) {
3627 0 : SAFE_FREE(filter);
3628 0 : return NT_STATUS_NO_SUCH_ALIAS;
3629 : }
3630 :
3631 0 : count = ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
3632 : result);
3633 :
3634 0 : if (count < 1) {
3635 0 : DEBUG(4, ("ldapsam_modify_aliasmem: Did not find alias\n"));
3636 0 : ldap_msgfree(result);
3637 0 : SAFE_FREE(filter);
3638 0 : return NT_STATUS_NO_SUCH_ALIAS;
3639 : }
3640 :
3641 0 : if (count > 1) {
3642 0 : DEBUG(1, ("ldapsam_modify_aliasmem: Duplicate entries for "
3643 : "filter %s: count=%d\n", filter, count));
3644 0 : ldap_msgfree(result);
3645 0 : SAFE_FREE(filter);
3646 0 : return NT_STATUS_NO_SUCH_ALIAS;
3647 : }
3648 :
3649 0 : SAFE_FREE(filter);
3650 :
3651 0 : entry = ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
3652 : result);
3653 :
3654 0 : if (!entry) {
3655 0 : ldap_msgfree(result);
3656 0 : return NT_STATUS_UNSUCCESSFUL;
3657 : }
3658 :
3659 0 : dn = smbldap_talloc_dn(talloc_tos(),
3660 : smbldap_get_ldap(ldap_state->smbldap_state),
3661 : entry);
3662 0 : if (!dn) {
3663 0 : ldap_msgfree(result);
3664 0 : return NT_STATUS_UNSUCCESSFUL;
3665 : }
3666 :
3667 0 : smbldap_set_mod(&mods, modop,
3668 : get_attr_key2string(groupmap_attr_list,
3669 : LDAP_ATTR_SID_LIST),
3670 0 : dom_sid_str_buf(member, &tmp));
3671 :
3672 0 : rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3673 :
3674 0 : ldap_mods_free(mods, True);
3675 0 : ldap_msgfree(result);
3676 0 : TALLOC_FREE(dn);
3677 :
3678 0 : if (rc == LDAP_TYPE_OR_VALUE_EXISTS) {
3679 0 : return NT_STATUS_MEMBER_IN_ALIAS;
3680 : }
3681 :
3682 0 : if (rc == LDAP_NO_SUCH_ATTRIBUTE) {
3683 0 : return NT_STATUS_MEMBER_NOT_IN_ALIAS;
3684 : }
3685 :
3686 0 : if (rc != LDAP_SUCCESS) {
3687 0 : return NT_STATUS_UNSUCCESSFUL;
3688 : }
3689 :
3690 0 : return NT_STATUS_OK;
3691 : }
3692 :
3693 0 : static NTSTATUS ldapsam_add_aliasmem(struct pdb_methods *methods,
3694 : const struct dom_sid *alias,
3695 : const struct dom_sid *member)
3696 : {
3697 0 : return ldapsam_modify_aliasmem(methods, alias, member, LDAP_MOD_ADD);
3698 : }
3699 :
3700 0 : static NTSTATUS ldapsam_del_aliasmem(struct pdb_methods *methods,
3701 : const struct dom_sid *alias,
3702 : const struct dom_sid *member)
3703 : {
3704 0 : return ldapsam_modify_aliasmem(methods, alias, member,
3705 : LDAP_MOD_DELETE);
3706 : }
3707 :
3708 0 : static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
3709 : const struct dom_sid *alias,
3710 : TALLOC_CTX *mem_ctx,
3711 : struct dom_sid **pp_members,
3712 : size_t *p_num_members)
3713 : {
3714 0 : struct ldapsam_privates *ldap_state =
3715 : (struct ldapsam_privates *)methods->private_data;
3716 0 : LDAPMessage *result = NULL;
3717 0 : LDAPMessage *entry = NULL;
3718 0 : int count;
3719 0 : char **values = NULL;
3720 0 : int i;
3721 0 : char *filter = NULL;
3722 0 : uint32_t num_members = 0;
3723 0 : enum lsa_SidType type = SID_NAME_USE_NONE;
3724 0 : struct dom_sid_buf tmp;
3725 :
3726 0 : *pp_members = NULL;
3727 0 : *p_num_members = 0;
3728 :
3729 0 : if (sid_check_is_in_builtin(alias)) {
3730 0 : type = SID_NAME_ALIAS;
3731 : }
3732 :
3733 0 : if (sid_check_is_in_our_sam(alias)) {
3734 0 : type = SID_NAME_ALIAS;
3735 : }
3736 :
3737 0 : if (type == SID_NAME_USE_NONE) {
3738 0 : DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
3739 : dom_sid_str_buf(alias, &tmp)));
3740 0 : return NT_STATUS_NO_SUCH_ALIAS;
3741 : }
3742 :
3743 0 : if (asprintf(&filter,
3744 : "(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
3745 : LDAP_OBJ_GROUPMAP,
3746 : dom_sid_str_buf(alias, &tmp),
3747 : type) < 0) {
3748 0 : return NT_STATUS_NO_MEMORY;
3749 : }
3750 :
3751 0 : if (ldapsam_search_one_group(ldap_state, filter,
3752 : &result) != LDAP_SUCCESS) {
3753 0 : SAFE_FREE(filter);
3754 0 : return NT_STATUS_NO_SUCH_ALIAS;
3755 : }
3756 :
3757 0 : count = ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
3758 : result);
3759 :
3760 0 : if (count < 1) {
3761 0 : DEBUG(4, ("ldapsam_enum_aliasmem: Did not find alias\n"));
3762 0 : ldap_msgfree(result);
3763 0 : SAFE_FREE(filter);
3764 0 : return NT_STATUS_NO_SUCH_ALIAS;
3765 : }
3766 :
3767 0 : if (count > 1) {
3768 0 : DEBUG(1, ("ldapsam_enum_aliasmem: Duplicate entries for "
3769 : "filter %s: count=%d\n", filter, count));
3770 0 : ldap_msgfree(result);
3771 0 : SAFE_FREE(filter);
3772 0 : return NT_STATUS_NO_SUCH_ALIAS;
3773 : }
3774 :
3775 0 : SAFE_FREE(filter);
3776 :
3777 0 : entry = ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
3778 : result);
3779 :
3780 0 : if (!entry) {
3781 0 : ldap_msgfree(result);
3782 0 : return NT_STATUS_UNSUCCESSFUL;
3783 : }
3784 :
3785 0 : values = ldap_get_values(smbldap_get_ldap(ldap_state->smbldap_state),
3786 : entry,
3787 : get_attr_key2string(groupmap_attr_list,
3788 : LDAP_ATTR_SID_LIST));
3789 :
3790 0 : if (values == NULL) {
3791 0 : ldap_msgfree(result);
3792 0 : return NT_STATUS_OK;
3793 : }
3794 :
3795 0 : count = ldap_count_values(values);
3796 :
3797 0 : for (i=0; i<count; i++) {
3798 0 : struct dom_sid member;
3799 0 : NTSTATUS status;
3800 :
3801 0 : if (!string_to_sid(&member, values[i]))
3802 0 : continue;
3803 :
3804 0 : status = add_sid_to_array(mem_ctx, &member, pp_members,
3805 : &num_members);
3806 0 : if (!NT_STATUS_IS_OK(status)) {
3807 0 : ldap_value_free(values);
3808 0 : ldap_msgfree(result);
3809 0 : return status;
3810 : }
3811 : }
3812 :
3813 0 : *p_num_members = num_members;
3814 0 : ldap_value_free(values);
3815 0 : ldap_msgfree(result);
3816 :
3817 0 : return NT_STATUS_OK;
3818 : }
3819 :
3820 0 : static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
3821 : TALLOC_CTX *mem_ctx,
3822 : const struct dom_sid *domain_sid,
3823 : const struct dom_sid *members,
3824 : size_t num_members,
3825 : uint32_t **pp_alias_rids,
3826 : size_t *p_num_alias_rids)
3827 : {
3828 0 : struct ldapsam_privates *ldap_state =
3829 : (struct ldapsam_privates *)methods->private_data;
3830 0 : LDAP *ldap_struct;
3831 :
3832 0 : const char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL };
3833 :
3834 0 : LDAPMessage *result = NULL;
3835 0 : LDAPMessage *entry = NULL;
3836 0 : int i;
3837 0 : int rc;
3838 0 : char *filter;
3839 0 : enum lsa_SidType type = SID_NAME_USE_NONE;
3840 0 : bool is_builtin = false;
3841 0 : bool sid_added = false;
3842 :
3843 0 : *pp_alias_rids = NULL;
3844 0 : *p_num_alias_rids = 0;
3845 :
3846 0 : if (sid_check_is_builtin(domain_sid)) {
3847 0 : is_builtin = true;
3848 0 : type = SID_NAME_ALIAS;
3849 : }
3850 :
3851 0 : if (sid_check_is_our_sam(domain_sid)) {
3852 0 : type = SID_NAME_ALIAS;
3853 : }
3854 :
3855 0 : if (type == SID_NAME_USE_NONE) {
3856 0 : struct dom_sid_buf buf;
3857 0 : DEBUG(5, ("SID %s is neither builtin nor domain!\n",
3858 : dom_sid_str_buf(domain_sid, &buf)));
3859 0 : return NT_STATUS_UNSUCCESSFUL;
3860 : }
3861 :
3862 0 : if (num_members == 0) {
3863 0 : return NT_STATUS_OK;
3864 : }
3865 :
3866 0 : filter = talloc_asprintf(mem_ctx,
3867 : "(&(objectclass="LDAP_OBJ_GROUPMAP")(sambaGroupType=%d)(|",
3868 : type);
3869 :
3870 0 : for (i=0; i<num_members; i++) {
3871 0 : struct dom_sid_buf buf;
3872 0 : filter = talloc_asprintf(mem_ctx, "%s(sambaSIDList=%s)",
3873 : filter,
3874 0 : dom_sid_str_buf(&members[i], &buf));
3875 : }
3876 :
3877 0 : filter = talloc_asprintf(mem_ctx, "%s))", filter);
3878 :
3879 0 : if (filter == NULL) {
3880 0 : return NT_STATUS_NO_MEMORY;
3881 : }
3882 :
3883 0 : if (is_builtin &&
3884 0 : ldap_state->search_cache.filter &&
3885 0 : strcmp(ldap_state->search_cache.filter, filter) == 0) {
3886 0 : filter = talloc_move(filter, &ldap_state->search_cache.filter);
3887 0 : result = ldap_state->search_cache.result;
3888 0 : ldap_state->search_cache.result = NULL;
3889 : } else {
3890 0 : rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
3891 : LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
3892 0 : if (rc != LDAP_SUCCESS) {
3893 0 : return NT_STATUS_UNSUCCESSFUL;
3894 : }
3895 0 : smbldap_talloc_autofree_ldapmsg(filter, result);
3896 : }
3897 :
3898 0 : ldap_struct = smbldap_get_ldap(ldap_state->smbldap_state);
3899 :
3900 0 : for (entry = ldap_first_entry(ldap_struct, result);
3901 0 : entry != NULL;
3902 0 : entry = ldap_next_entry(ldap_struct, entry))
3903 : {
3904 0 : fstring sid_str;
3905 0 : struct dom_sid sid;
3906 0 : uint32_t rid;
3907 :
3908 0 : if (!smbldap_get_single_attribute(ldap_struct, entry,
3909 : LDAP_ATTRIBUTE_SID,
3910 : sid_str,
3911 : sizeof(sid_str)-1))
3912 0 : continue;
3913 :
3914 0 : if (!string_to_sid(&sid, sid_str))
3915 0 : continue;
3916 :
3917 0 : if (!sid_peek_check_rid(domain_sid, &sid, &rid))
3918 0 : continue;
3919 :
3920 0 : sid_added = true;
3921 :
3922 0 : if (!add_rid_to_array_unique(mem_ctx, rid, pp_alias_rids,
3923 : p_num_alias_rids)) {
3924 0 : return NT_STATUS_NO_MEMORY;
3925 : }
3926 : }
3927 :
3928 0 : if (!is_builtin && !sid_added) {
3929 0 : TALLOC_FREE(ldap_state->search_cache.filter);
3930 : /*
3931 : * Note: result is a talloc child of filter because of the
3932 : * smbldap_talloc_autofree_ldapmsg() usage
3933 : */
3934 0 : ldap_state->search_cache.filter = talloc_move(ldap_state, &filter);
3935 0 : ldap_state->search_cache.result = result;
3936 : }
3937 :
3938 0 : return NT_STATUS_OK;
3939 : }
3940 :
3941 0 : static NTSTATUS ldapsam_set_account_policy_in_ldap(struct pdb_methods *methods,
3942 : enum pdb_policy_type type,
3943 : uint32_t value)
3944 : {
3945 0 : NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
3946 0 : int rc;
3947 0 : LDAPMod **mods = NULL;
3948 0 : fstring value_string;
3949 0 : const char *policy_attr = NULL;
3950 :
3951 0 : struct ldapsam_privates *ldap_state =
3952 : (struct ldapsam_privates *)methods->private_data;
3953 :
3954 0 : DEBUG(10,("ldapsam_set_account_policy_in_ldap\n"));
3955 :
3956 0 : if (!ldap_state->domain_dn) {
3957 0 : return NT_STATUS_INVALID_PARAMETER;
3958 : }
3959 :
3960 0 : policy_attr = get_account_policy_attr(type);
3961 0 : if (policy_attr == NULL) {
3962 0 : DEBUG(0,("ldapsam_set_account_policy_in_ldap: invalid "
3963 : "policy\n"));
3964 0 : return ntstatus;
3965 : }
3966 :
3967 0 : slprintf(value_string, sizeof(value_string) - 1, "%i", value);
3968 :
3969 0 : smbldap_set_mod(&mods, LDAP_MOD_REPLACE, policy_attr, value_string);
3970 :
3971 0 : rc = smbldap_modify(ldap_state->smbldap_state, ldap_state->domain_dn,
3972 : mods);
3973 :
3974 0 : ldap_mods_free(mods, True);
3975 :
3976 0 : if (rc != LDAP_SUCCESS) {
3977 0 : return ntstatus;
3978 : }
3979 :
3980 0 : if (!cache_account_policy_set(type, value)) {
3981 0 : DEBUG(0,("ldapsam_set_account_policy_in_ldap: failed to "
3982 : "update local tdb cache\n"));
3983 0 : return ntstatus;
3984 : }
3985 :
3986 0 : return NT_STATUS_OK;
3987 : }
3988 :
3989 0 : static NTSTATUS ldapsam_set_account_policy(struct pdb_methods *methods,
3990 : enum pdb_policy_type type,
3991 : uint32_t value)
3992 : {
3993 0 : return ldapsam_set_account_policy_in_ldap(methods, type,
3994 : value);
3995 : }
3996 :
3997 0 : static NTSTATUS ldapsam_get_account_policy_from_ldap(struct pdb_methods *methods,
3998 : enum pdb_policy_type type,
3999 : uint32_t *value)
4000 : {
4001 0 : NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
4002 0 : LDAPMessage *result = NULL;
4003 0 : LDAPMessage *entry = NULL;
4004 0 : int count;
4005 0 : int rc;
4006 0 : char **vals = NULL;
4007 0 : const char *filter;
4008 0 : const char *policy_attr = NULL;
4009 :
4010 0 : struct ldapsam_privates *ldap_state =
4011 : (struct ldapsam_privates *)methods->private_data;
4012 :
4013 0 : const char *attrs[2];
4014 :
4015 0 : DEBUG(10,("ldapsam_get_account_policy_from_ldap\n"));
4016 :
4017 0 : if (!ldap_state->domain_dn) {
4018 0 : return NT_STATUS_INVALID_PARAMETER;
4019 : }
4020 :
4021 0 : policy_attr = get_account_policy_attr(type);
4022 0 : if (!policy_attr) {
4023 0 : DEBUG(0,("ldapsam_get_account_policy_from_ldap: invalid "
4024 : "policy index: %d\n", type));
4025 0 : return ntstatus;
4026 : }
4027 :
4028 0 : attrs[0] = policy_attr;
4029 0 : attrs[1] = NULL;
4030 :
4031 0 : filter = "(objectClass="LDAP_OBJ_DOMINFO")";
4032 0 : rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn,
4033 : LDAP_SCOPE_BASE, filter, attrs, 0,
4034 : &result);
4035 0 : if (rc != LDAP_SUCCESS) {
4036 0 : return ntstatus;
4037 : }
4038 :
4039 0 : count = ldap_count_entries(priv2ld(ldap_state), result);
4040 0 : if (count < 1) {
4041 0 : goto out;
4042 : }
4043 :
4044 0 : entry = ldap_first_entry(priv2ld(ldap_state), result);
4045 0 : if (entry == NULL) {
4046 0 : goto out;
4047 : }
4048 :
4049 0 : vals = ldap_get_values(priv2ld(ldap_state), entry, policy_attr);
4050 0 : if (vals == NULL) {
4051 0 : goto out;
4052 : }
4053 :
4054 0 : *value = (uint32_t)atol(vals[0]);
4055 :
4056 0 : ntstatus = NT_STATUS_OK;
4057 :
4058 0 : out:
4059 0 : if (vals)
4060 0 : ldap_value_free(vals);
4061 0 : ldap_msgfree(result);
4062 :
4063 0 : return ntstatus;
4064 : }
4065 :
4066 : /* wrapper around ldapsam_get_account_policy_from_ldap(), handles tdb as cache
4067 :
4068 : - if user hasn't decided to use account policies inside LDAP just reuse the
4069 : old tdb values
4070 :
4071 : - if there is a valid cache entry, return that
4072 : - if there is an LDAP entry, update cache and return
4073 : - otherwise set to default, update cache and return
4074 :
4075 : Guenther
4076 : */
4077 0 : static NTSTATUS ldapsam_get_account_policy(struct pdb_methods *methods,
4078 : enum pdb_policy_type type,
4079 : uint32_t *value)
4080 : {
4081 0 : NTSTATUS ntstatus;
4082 :
4083 0 : if (cache_account_policy_get(type, value)) {
4084 0 : DEBUG(11,("ldapsam_get_account_policy: got valid value from "
4085 : "cache\n"));
4086 0 : return NT_STATUS_OK;
4087 : }
4088 :
4089 0 : ntstatus = ldapsam_get_account_policy_from_ldap(methods, type,
4090 : value);
4091 0 : if (NT_STATUS_IS_OK(ntstatus)) {
4092 0 : goto update_cache;
4093 : }
4094 :
4095 0 : DEBUG(10,("ldapsam_get_account_policy: failed to retrieve from "
4096 : "ldap\n"));
4097 :
4098 : #if 0
4099 : /* should we automagically migrate old tdb value here ? */
4100 : if (account_policy_get(type, value))
4101 : goto update_ldap;
4102 :
4103 : DEBUG(10,("ldapsam_get_account_policy: no tdb for %d, trying "
4104 : "default\n", type));
4105 : #endif
4106 :
4107 0 : if (!account_policy_get_default(type, value)) {
4108 0 : return ntstatus;
4109 : }
4110 :
4111 : /* update_ldap: */
4112 :
4113 0 : ntstatus = ldapsam_set_account_policy(methods, type, *value);
4114 0 : if (!NT_STATUS_IS_OK(ntstatus)) {
4115 0 : return ntstatus;
4116 : }
4117 :
4118 0 : update_cache:
4119 :
4120 0 : if (!cache_account_policy_set(type, *value)) {
4121 0 : DEBUG(0,("ldapsam_get_account_policy: failed to update local "
4122 : "tdb as a cache\n"));
4123 0 : return NT_STATUS_UNSUCCESSFUL;
4124 : }
4125 :
4126 0 : return NT_STATUS_OK;
4127 : }
4128 :
4129 0 : static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
4130 : const struct dom_sid *domain_sid,
4131 : int num_rids,
4132 : uint32_t *rids,
4133 : const char **names,
4134 : enum lsa_SidType *attrs)
4135 : {
4136 0 : struct ldapsam_privates *ldap_state =
4137 : (struct ldapsam_privates *)methods->private_data;
4138 0 : LDAPMessage *msg = NULL;
4139 0 : LDAPMessage *entry;
4140 0 : char *allsids = NULL;
4141 0 : size_t i, num_mapped;
4142 0 : int rc;
4143 0 : NTSTATUS result = NT_STATUS_NO_MEMORY;
4144 0 : TALLOC_CTX *mem_ctx;
4145 0 : LDAP *ld;
4146 0 : bool is_builtin;
4147 :
4148 0 : mem_ctx = talloc_new(NULL);
4149 0 : if (mem_ctx == NULL) {
4150 0 : DEBUG(0, ("talloc_new failed\n"));
4151 0 : goto done;
4152 : }
4153 :
4154 0 : if (!sid_check_is_builtin(domain_sid) &&
4155 0 : !sid_check_is_our_sam(domain_sid)) {
4156 0 : result = NT_STATUS_INVALID_PARAMETER;
4157 0 : goto done;
4158 : }
4159 :
4160 0 : if (num_rids == 0) {
4161 0 : result = NT_STATUS_NONE_MAPPED;
4162 0 : goto done;
4163 : }
4164 :
4165 0 : for (i=0; i<num_rids; i++)
4166 0 : attrs[i] = SID_NAME_UNKNOWN;
4167 :
4168 0 : allsids = talloc_strdup(mem_ctx, "");
4169 0 : if (allsids == NULL) {
4170 0 : goto done;
4171 : }
4172 :
4173 0 : for (i=0; i<num_rids; i++) {
4174 0 : struct dom_sid sid;
4175 0 : struct dom_sid_buf buf;
4176 0 : sid_compose(&sid, domain_sid, rids[i]);
4177 0 : allsids = talloc_asprintf_append_buffer(
4178 : allsids,
4179 : "(sambaSid=%s)",
4180 : dom_sid_str_buf(&sid, &buf));
4181 0 : if (allsids == NULL) {
4182 0 : goto done;
4183 : }
4184 : }
4185 :
4186 : /* First look for users */
4187 :
4188 : {
4189 0 : char *filter;
4190 0 : const char *ldap_attrs[] = { "uid", "sambaSid", NULL };
4191 :
4192 0 : filter = talloc_asprintf(
4193 : mem_ctx, ("(&(objectClass="LDAP_OBJ_SAMBASAMACCOUNT")(|%s))"),
4194 : allsids);
4195 :
4196 0 : if (filter == NULL) {
4197 0 : goto done;
4198 : }
4199 :
4200 0 : rc = smbldap_search(ldap_state->smbldap_state,
4201 : lp_ldap_user_suffix(talloc_tos()),
4202 : LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
4203 : &msg);
4204 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
4205 : }
4206 :
4207 0 : if (rc != LDAP_SUCCESS)
4208 0 : goto done;
4209 :
4210 0 : ld = smbldap_get_ldap(ldap_state->smbldap_state);
4211 0 : num_mapped = 0;
4212 :
4213 0 : for (entry = ldap_first_entry(ld, msg);
4214 0 : entry != NULL;
4215 0 : entry = ldap_next_entry(ld, entry)) {
4216 0 : uint32_t rid;
4217 0 : int rid_index;
4218 0 : const char *name;
4219 :
4220 0 : if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
4221 : &rid)) {
4222 0 : DEBUG(2, ("Could not find sid from ldap entry\n"));
4223 0 : continue;
4224 : }
4225 :
4226 0 : name = smbldap_talloc_single_attribute(ld, entry, "uid",
4227 : names);
4228 0 : if (name == NULL) {
4229 0 : DEBUG(2, ("Could not retrieve uid attribute\n"));
4230 0 : continue;
4231 : }
4232 :
4233 0 : for (rid_index = 0; rid_index < num_rids; rid_index++) {
4234 0 : if (rid == rids[rid_index])
4235 0 : break;
4236 : }
4237 :
4238 0 : if (rid_index == num_rids) {
4239 0 : DEBUG(2, ("Got a RID not asked for: %d\n", rid));
4240 0 : continue;
4241 : }
4242 :
4243 0 : attrs[rid_index] = SID_NAME_USER;
4244 0 : names[rid_index] = name;
4245 0 : num_mapped += 1;
4246 : }
4247 :
4248 0 : if (num_mapped == num_rids) {
4249 : /* No need to look for groups anymore -- we're done */
4250 0 : result = NT_STATUS_OK;
4251 0 : goto done;
4252 : }
4253 :
4254 : /* Same game for groups */
4255 :
4256 : {
4257 0 : char *filter;
4258 0 : const char *ldap_attrs[] = { "cn", "displayName", "sambaSid",
4259 : "sambaGroupType", NULL };
4260 :
4261 0 : filter = talloc_asprintf(
4262 : mem_ctx, "(&(objectClass="LDAP_OBJ_GROUPMAP")(|%s))",
4263 : allsids);
4264 0 : if (filter == NULL) {
4265 0 : goto done;
4266 : }
4267 :
4268 0 : rc = smbldap_search(ldap_state->smbldap_state,
4269 : lp_ldap_suffix(),
4270 : LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
4271 : &msg);
4272 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
4273 : }
4274 :
4275 0 : if (rc != LDAP_SUCCESS)
4276 0 : goto done;
4277 :
4278 : /* ldap_struct might have changed due to a reconnect */
4279 :
4280 0 : ld = smbldap_get_ldap(ldap_state->smbldap_state);
4281 :
4282 : /* For consistency checks, we already checked we're only domain or builtin */
4283 :
4284 0 : is_builtin = sid_check_is_builtin(domain_sid);
4285 :
4286 0 : for (entry = ldap_first_entry(ld, msg);
4287 0 : entry != NULL;
4288 0 : entry = ldap_next_entry(ld, entry))
4289 : {
4290 0 : uint32_t rid;
4291 0 : int rid_index;
4292 0 : const char *attr;
4293 0 : enum lsa_SidType type;
4294 0 : const char *dn = smbldap_talloc_dn(mem_ctx, ld, entry);
4295 :
4296 0 : attr = smbldap_talloc_single_attribute(ld, entry, "sambaGroupType",
4297 : mem_ctx);
4298 0 : if (attr == NULL) {
4299 0 : DEBUG(2, ("Could not extract type from ldap entry %s\n",
4300 : dn));
4301 0 : continue;
4302 : }
4303 :
4304 0 : type = (enum lsa_SidType)atol(attr);
4305 :
4306 : /* Consistency checks */
4307 0 : if ((is_builtin && (type != SID_NAME_ALIAS)) ||
4308 0 : (!is_builtin && ((type != SID_NAME_ALIAS) &&
4309 0 : (type != SID_NAME_DOM_GRP)))) {
4310 0 : DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn));
4311 : }
4312 :
4313 0 : if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
4314 : &rid)) {
4315 0 : DEBUG(2, ("Could not find sid from ldap entry %s\n", dn));
4316 0 : continue;
4317 : }
4318 :
4319 0 : attr = smbldap_talloc_single_attribute(ld, entry, "displayName", names);
4320 :
4321 0 : if (attr == NULL) {
4322 0 : DEBUG(10, ("Could not retrieve 'displayName' attribute from %s\n",
4323 : dn));
4324 0 : attr = smbldap_talloc_single_attribute(ld, entry, "cn", names);
4325 : }
4326 :
4327 0 : if (attr == NULL) {
4328 0 : DEBUG(2, ("Could not retrieve naming attribute from %s\n",
4329 : dn));
4330 0 : continue;
4331 : }
4332 :
4333 0 : for (rid_index = 0; rid_index < num_rids; rid_index++) {
4334 0 : if (rid == rids[rid_index])
4335 0 : break;
4336 : }
4337 :
4338 0 : if (rid_index == num_rids) {
4339 0 : DEBUG(2, ("Got a RID not asked for: %d\n", rid));
4340 0 : continue;
4341 : }
4342 :
4343 0 : attrs[rid_index] = type;
4344 0 : names[rid_index] = attr;
4345 0 : num_mapped += 1;
4346 : }
4347 :
4348 0 : result = NT_STATUS_NONE_MAPPED;
4349 :
4350 0 : if (num_mapped > 0)
4351 0 : result = (num_mapped == num_rids) ?
4352 0 : NT_STATUS_OK : STATUS_SOME_UNMAPPED;
4353 0 : done:
4354 0 : TALLOC_FREE(mem_ctx);
4355 0 : return result;
4356 : }
4357 :
4358 0 : static char *get_ldap_filter(TALLOC_CTX *mem_ctx, const char *username)
4359 : {
4360 0 : char *filter = NULL;
4361 0 : char *escaped = NULL;
4362 0 : char *result = NULL;
4363 :
4364 0 : if (asprintf(&filter, "(&%s(objectclass=%s))",
4365 : "(uid=%u)", LDAP_OBJ_SAMBASAMACCOUNT) < 0) {
4366 0 : goto done;
4367 : }
4368 :
4369 0 : escaped = escape_ldap_string(talloc_tos(), username);
4370 0 : if (escaped == NULL) goto done;
4371 :
4372 0 : result = talloc_string_sub(mem_ctx, filter, "%u", username);
4373 :
4374 0 : done:
4375 0 : SAFE_FREE(filter);
4376 0 : TALLOC_FREE(escaped);
4377 :
4378 0 : return result;
4379 : }
4380 :
4381 0 : static const char **talloc_attrs(TALLOC_CTX *mem_ctx, ...)
4382 : {
4383 0 : int i, num = 0;
4384 0 : va_list ap;
4385 0 : const char **result;
4386 :
4387 0 : va_start(ap, mem_ctx);
4388 0 : while (va_arg(ap, const char *) != NULL)
4389 0 : num += 1;
4390 0 : va_end(ap);
4391 :
4392 0 : if ((result = talloc_array(mem_ctx, const char *, num+1)) == NULL) {
4393 0 : return NULL;
4394 : }
4395 :
4396 0 : va_start(ap, mem_ctx);
4397 0 : for (i=0; i<num; i++) {
4398 0 : result[i] = talloc_strdup(result, va_arg(ap, const char*));
4399 0 : if (result[i] == NULL) {
4400 0 : talloc_free(result);
4401 0 : va_end(ap);
4402 0 : return NULL;
4403 : }
4404 : }
4405 0 : va_end(ap);
4406 :
4407 0 : result[num] = NULL;
4408 0 : return result;
4409 : }
4410 :
4411 : struct ldap_search_state {
4412 : struct smbldap_state *connection;
4413 :
4414 : uint32_t acct_flags;
4415 : uint16_t group_type;
4416 :
4417 : const char *base;
4418 : int scope;
4419 : const char *filter;
4420 : const char **attrs;
4421 : int attrsonly;
4422 : void *pagedresults_cookie;
4423 :
4424 : LDAPMessage *entries, *current_entry;
4425 : bool (*ldap2displayentry)(struct ldap_search_state *state,
4426 : TALLOC_CTX *mem_ctx,
4427 : LDAP *ld, LDAPMessage *entry,
4428 : struct samr_displayentry *result);
4429 : };
4430 :
4431 0 : static bool ldapsam_search_firstpage(struct pdb_search *search)
4432 : {
4433 0 : struct ldap_search_state *state =
4434 : (struct ldap_search_state *)search->private_data;
4435 0 : LDAP *ld;
4436 0 : int rc = LDAP_OPERATIONS_ERROR;
4437 :
4438 0 : state->entries = NULL;
4439 :
4440 0 : if (smbldap_get_paged_results(state->connection)) {
4441 0 : rc = smbldap_search_paged(state->connection, state->base,
4442 : state->scope, state->filter,
4443 : state->attrs, state->attrsonly,
4444 : lp_ldap_page_size(), &state->entries,
4445 : &state->pagedresults_cookie);
4446 : }
4447 :
4448 0 : if ((rc != LDAP_SUCCESS) || (state->entries == NULL)) {
4449 :
4450 0 : if (state->entries != NULL) {
4451 : /* Left over from unsuccessful paged attempt */
4452 0 : ldap_msgfree(state->entries);
4453 0 : state->entries = NULL;
4454 : }
4455 :
4456 0 : rc = smbldap_search(state->connection, state->base,
4457 : state->scope, state->filter, state->attrs,
4458 : state->attrsonly, &state->entries);
4459 :
4460 0 : if ((rc != LDAP_SUCCESS) || (state->entries == NULL))
4461 0 : return False;
4462 :
4463 : /* Ok, the server was lying. It told us it could do paged
4464 : * searches when it could not. */
4465 0 : smbldap_set_paged_results(state->connection, false);
4466 : }
4467 :
4468 0 : ld = smbldap_get_ldap(state->connection);
4469 0 : if ( ld == NULL) {
4470 0 : DEBUG(5, ("Don't have an LDAP connection right after a "
4471 : "search\n"));
4472 0 : return False;
4473 : }
4474 0 : state->current_entry = ldap_first_entry(ld, state->entries);
4475 :
4476 0 : return True;
4477 : }
4478 :
4479 0 : static bool ldapsam_search_nextpage(struct pdb_search *search)
4480 : {
4481 0 : struct ldap_search_state *state =
4482 : (struct ldap_search_state *)search->private_data;
4483 0 : int rc;
4484 :
4485 0 : if (!smbldap_get_paged_results(state->connection)) {
4486 : /* There is no next page when there are no paged results */
4487 0 : return False;
4488 : }
4489 :
4490 0 : rc = smbldap_search_paged(state->connection, state->base,
4491 : state->scope, state->filter, state->attrs,
4492 : state->attrsonly, lp_ldap_page_size(),
4493 : &state->entries,
4494 : &state->pagedresults_cookie);
4495 :
4496 0 : if ((rc != LDAP_SUCCESS) || (state->entries == NULL))
4497 0 : return False;
4498 :
4499 0 : state->current_entry = ldap_first_entry(
4500 : smbldap_get_ldap(state->connection), state->entries);
4501 :
4502 0 : if (state->current_entry == NULL) {
4503 0 : ldap_msgfree(state->entries);
4504 0 : state->entries = NULL;
4505 0 : return false;
4506 : }
4507 :
4508 0 : return True;
4509 : }
4510 :
4511 0 : static bool ldapsam_search_next_entry(struct pdb_search *search,
4512 : struct samr_displayentry *entry)
4513 : {
4514 0 : struct ldap_search_state *state =
4515 : (struct ldap_search_state *)search->private_data;
4516 0 : bool result;
4517 :
4518 0 : retry:
4519 0 : if ((state->entries == NULL) && (state->pagedresults_cookie == NULL))
4520 0 : return False;
4521 :
4522 0 : if ((state->entries == NULL) &&
4523 0 : !ldapsam_search_nextpage(search))
4524 0 : return False;
4525 :
4526 0 : if (state->current_entry == NULL) {
4527 0 : return false;
4528 : }
4529 :
4530 0 : result = state->ldap2displayentry(state, search,
4531 : smbldap_get_ldap(state->connection),
4532 : state->current_entry, entry);
4533 :
4534 0 : if (!result) {
4535 0 : char *dn;
4536 0 : dn = ldap_get_dn(smbldap_get_ldap(state->connection),
4537 : state->current_entry);
4538 0 : DEBUG(5, ("Skipping entry %s\n", dn != NULL ? dn : "<NULL>"));
4539 0 : if (dn != NULL) ldap_memfree(dn);
4540 : }
4541 :
4542 0 : state->current_entry = ldap_next_entry(
4543 : smbldap_get_ldap(state->connection), state->current_entry);
4544 :
4545 0 : if (state->current_entry == NULL) {
4546 0 : ldap_msgfree(state->entries);
4547 0 : state->entries = NULL;
4548 : }
4549 :
4550 0 : if (!result) goto retry;
4551 :
4552 0 : return True;
4553 : }
4554 :
4555 0 : static void ldapsam_search_end(struct pdb_search *search)
4556 : {
4557 0 : struct ldap_search_state *state =
4558 : (struct ldap_search_state *)search->private_data;
4559 0 : int rc;
4560 :
4561 0 : if (state->pagedresults_cookie == NULL)
4562 0 : return;
4563 :
4564 0 : if (state->entries != NULL)
4565 0 : ldap_msgfree(state->entries);
4566 :
4567 0 : state->entries = NULL;
4568 0 : state->current_entry = NULL;
4569 :
4570 0 : if (!smbldap_get_paged_results(state->connection)) {
4571 0 : return;
4572 : }
4573 :
4574 : /* Tell the LDAP server we're not interested in the rest anymore. */
4575 :
4576 0 : rc = smbldap_search_paged(state->connection, state->base, state->scope,
4577 : state->filter, state->attrs,
4578 : state->attrsonly, 0, &state->entries,
4579 : &state->pagedresults_cookie);
4580 :
4581 0 : if (rc != LDAP_SUCCESS)
4582 0 : DEBUG(5, ("Could not end search properly\n"));
4583 :
4584 0 : return;
4585 : }
4586 :
4587 0 : static bool ldapuser2displayentry(struct ldap_search_state *state,
4588 : TALLOC_CTX *mem_ctx,
4589 : LDAP *ld, LDAPMessage *entry,
4590 : struct samr_displayentry *result)
4591 : {
4592 0 : char **vals;
4593 0 : size_t converted_size;
4594 0 : struct dom_sid sid;
4595 0 : uint32_t acct_flags;
4596 :
4597 0 : vals = ldap_get_values(ld, entry, "sambaAcctFlags");
4598 0 : if ((vals == NULL) || (vals[0] == NULL)) {
4599 0 : acct_flags = ACB_NORMAL;
4600 : } else {
4601 0 : acct_flags = pdb_decode_acct_ctrl(vals[0]);
4602 0 : ldap_value_free(vals);
4603 : }
4604 :
4605 0 : if ((state->acct_flags != 0) &&
4606 0 : ((state->acct_flags & acct_flags) == 0))
4607 0 : return False;
4608 :
4609 0 : result->acct_flags = acct_flags;
4610 0 : result->account_name = "";
4611 0 : result->fullname = "";
4612 0 : result->description = "";
4613 :
4614 0 : vals = ldap_get_values(ld, entry, "uid");
4615 0 : if ((vals == NULL) || (vals[0] == NULL)) {
4616 0 : DEBUG(5, ("\"uid\" not found\n"));
4617 0 : return False;
4618 : }
4619 0 : if (!pull_utf8_talloc(mem_ctx,
4620 0 : discard_const_p(char *, &result->account_name),
4621 : vals[0], &converted_size))
4622 : {
4623 0 : DEBUG(0,("ldapuser2displayentry: pull_utf8_talloc failed: %s\n",
4624 : strerror(errno)));
4625 : }
4626 :
4627 0 : ldap_value_free(vals);
4628 :
4629 0 : vals = ldap_get_values(ld, entry, "displayName");
4630 0 : if ((vals == NULL) || (vals[0] == NULL))
4631 0 : DEBUG(8, ("\"displayName\" not found\n"));
4632 0 : else if (!pull_utf8_talloc(mem_ctx,
4633 0 : discard_const_p(char *, &result->fullname),
4634 : vals[0], &converted_size))
4635 : {
4636 0 : DEBUG(0,("ldapuser2displayentry: pull_utf8_talloc failed: %s\n",
4637 : strerror(errno)));
4638 : }
4639 :
4640 0 : ldap_value_free(vals);
4641 :
4642 0 : vals = ldap_get_values(ld, entry, "description");
4643 0 : if ((vals == NULL) || (vals[0] == NULL))
4644 0 : DEBUG(8, ("\"description\" not found\n"));
4645 0 : else if (!pull_utf8_talloc(mem_ctx,
4646 0 : discard_const_p(char *, &result->description),
4647 : vals[0], &converted_size))
4648 : {
4649 0 : DEBUG(0,("ldapuser2displayentry: pull_utf8_talloc failed: %s\n",
4650 : strerror(errno)));
4651 : }
4652 :
4653 0 : ldap_value_free(vals);
4654 :
4655 0 : if ((result->account_name == NULL) ||
4656 0 : (result->fullname == NULL) ||
4657 0 : (result->description == NULL)) {
4658 0 : DEBUG(0, ("talloc failed\n"));
4659 0 : return False;
4660 : }
4661 :
4662 0 : vals = ldap_get_values(ld, entry, "sambaSid");
4663 0 : if ((vals == NULL) || (vals[0] == NULL)) {
4664 0 : DEBUG(0, ("\"objectSid\" not found\n"));
4665 0 : return False;
4666 : }
4667 :
4668 0 : if (!string_to_sid(&sid, vals[0])) {
4669 0 : DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
4670 0 : ldap_value_free(vals);
4671 0 : return False;
4672 : }
4673 0 : ldap_value_free(vals);
4674 :
4675 0 : if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) {
4676 0 : struct dom_sid_buf buf;
4677 0 : DEBUG(0, ("sid %s does not belong to our domain\n",
4678 : dom_sid_str_buf(&sid, &buf)));
4679 0 : return False;
4680 : }
4681 :
4682 0 : return True;
4683 : }
4684 :
4685 :
4686 0 : static bool ldapsam_search_users(struct pdb_methods *methods,
4687 : struct pdb_search *search,
4688 : uint32_t acct_flags)
4689 : {
4690 0 : struct ldapsam_privates *ldap_state =
4691 : (struct ldapsam_privates *)methods->private_data;
4692 0 : struct ldap_search_state *state;
4693 :
4694 0 : state = talloc(search, struct ldap_search_state);
4695 0 : if (state == NULL) {
4696 0 : DEBUG(0, ("talloc failed\n"));
4697 0 : return False;
4698 : }
4699 :
4700 0 : state->connection = ldap_state->smbldap_state;
4701 :
4702 0 : if ((acct_flags != 0) && ((acct_flags & ACB_NORMAL) != 0))
4703 0 : state->base = lp_ldap_user_suffix(talloc_tos());
4704 0 : else if ((acct_flags != 0) &&
4705 0 : ((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))
4706 0 : state->base = lp_ldap_machine_suffix(talloc_tos());
4707 : else
4708 0 : state->base = lp_ldap_suffix();
4709 :
4710 0 : state->acct_flags = acct_flags;
4711 0 : state->base = talloc_strdup(search, state->base);
4712 0 : state->scope = LDAP_SCOPE_SUBTREE;
4713 0 : state->filter = get_ldap_filter(search, "*");
4714 0 : state->attrs = talloc_attrs(search, "uid", "sambaSid",
4715 : "displayName", "description",
4716 : "sambaAcctFlags", NULL);
4717 0 : state->attrsonly = 0;
4718 0 : state->pagedresults_cookie = NULL;
4719 0 : state->entries = NULL;
4720 0 : state->ldap2displayentry = ldapuser2displayentry;
4721 :
4722 0 : if ((state->filter == NULL) || (state->attrs == NULL)) {
4723 0 : DEBUG(0, ("talloc failed\n"));
4724 0 : return False;
4725 : }
4726 :
4727 0 : search->private_data = state;
4728 0 : search->next_entry = ldapsam_search_next_entry;
4729 0 : search->search_end = ldapsam_search_end;
4730 :
4731 0 : return ldapsam_search_firstpage(search);
4732 : }
4733 :
4734 0 : static bool ldapgroup2displayentry(struct ldap_search_state *state,
4735 : TALLOC_CTX *mem_ctx,
4736 : LDAP *ld, LDAPMessage *entry,
4737 : struct samr_displayentry *result)
4738 : {
4739 0 : char **vals;
4740 0 : size_t converted_size;
4741 0 : struct dom_sid sid;
4742 0 : uint16_t group_type;
4743 :
4744 0 : result->account_name = "";
4745 0 : result->fullname = "";
4746 0 : result->description = "";
4747 :
4748 :
4749 0 : vals = ldap_get_values(ld, entry, "sambaGroupType");
4750 0 : if ((vals == NULL) || (vals[0] == NULL)) {
4751 0 : DEBUG(5, ("\"sambaGroupType\" not found\n"));
4752 0 : if (vals != NULL) {
4753 0 : ldap_value_free(vals);
4754 : }
4755 0 : return False;
4756 : }
4757 :
4758 0 : group_type = atoi(vals[0]);
4759 :
4760 0 : if ((state->group_type != 0) &&
4761 0 : ((state->group_type != group_type))) {
4762 0 : ldap_value_free(vals);
4763 0 : return False;
4764 : }
4765 :
4766 0 : ldap_value_free(vals);
4767 :
4768 : /* display name is the NT group name */
4769 :
4770 0 : vals = ldap_get_values(ld, entry, "displayName");
4771 0 : if ((vals == NULL) || (vals[0] == NULL)) {
4772 0 : DEBUG(8, ("\"displayName\" not found\n"));
4773 :
4774 : /* fallback to the 'cn' attribute */
4775 0 : vals = ldap_get_values(ld, entry, "cn");
4776 0 : if ((vals == NULL) || (vals[0] == NULL)) {
4777 0 : DEBUG(5, ("\"cn\" not found\n"));
4778 0 : return False;
4779 : }
4780 0 : if (!pull_utf8_talloc(mem_ctx,
4781 0 : discard_const_p(char *,
4782 : &result->account_name),
4783 : vals[0], &converted_size))
4784 : {
4785 0 : DEBUG(0,("ldapgroup2displayentry: pull_utf8_talloc "
4786 : "failed: %s\n", strerror(errno)));
4787 : }
4788 : }
4789 0 : else if (!pull_utf8_talloc(mem_ctx,
4790 0 : discard_const_p(char *,
4791 : &result->account_name),
4792 : vals[0], &converted_size))
4793 : {
4794 0 : DEBUG(0,("ldapgroup2displayentry: pull_utf8_talloc failed: %s\n",
4795 : strerror(errno)));
4796 : }
4797 :
4798 0 : ldap_value_free(vals);
4799 :
4800 0 : vals = ldap_get_values(ld, entry, "description");
4801 0 : if ((vals == NULL) || (vals[0] == NULL))
4802 0 : DEBUG(8, ("\"description\" not found\n"));
4803 0 : else if (!pull_utf8_talloc(mem_ctx,
4804 0 : discard_const_p(char *, &result->description),
4805 : vals[0], &converted_size))
4806 : {
4807 0 : DEBUG(0,("ldapgroup2displayentry: pull_utf8_talloc failed: %s\n",
4808 : strerror(errno)));
4809 : }
4810 0 : ldap_value_free(vals);
4811 :
4812 0 : if ((result->account_name == NULL) ||
4813 0 : (result->fullname == NULL) ||
4814 0 : (result->description == NULL)) {
4815 0 : DEBUG(0, ("talloc failed\n"));
4816 0 : return False;
4817 : }
4818 :
4819 0 : vals = ldap_get_values(ld, entry, "sambaSid");
4820 0 : if ((vals == NULL) || (vals[0] == NULL)) {
4821 0 : DEBUG(0, ("\"objectSid\" not found\n"));
4822 0 : if (vals != NULL) {
4823 0 : ldap_value_free(vals);
4824 : }
4825 0 : return False;
4826 : }
4827 :
4828 0 : if (!string_to_sid(&sid, vals[0])) {
4829 0 : DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
4830 0 : return False;
4831 : }
4832 :
4833 0 : ldap_value_free(vals);
4834 :
4835 0 : switch (group_type) {
4836 0 : case SID_NAME_DOM_GRP:
4837 : case SID_NAME_ALIAS:
4838 :
4839 0 : if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
4840 0 : && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid))
4841 : {
4842 0 : struct dom_sid_buf buf;
4843 0 : DEBUG(0, ("%s is not in our domain\n",
4844 : dom_sid_str_buf(&sid, &buf)));
4845 0 : return False;
4846 : }
4847 0 : break;
4848 :
4849 0 : default:
4850 0 : DEBUG(0,("unknown group type: %d\n", group_type));
4851 0 : return False;
4852 : }
4853 :
4854 0 : result->acct_flags = 0;
4855 :
4856 0 : return True;
4857 : }
4858 :
4859 0 : static bool ldapsam_search_grouptype(struct pdb_methods *methods,
4860 : struct pdb_search *search,
4861 : const struct dom_sid *sid,
4862 : enum lsa_SidType type)
4863 : {
4864 0 : struct ldapsam_privates *ldap_state =
4865 : (struct ldapsam_privates *)methods->private_data;
4866 0 : struct ldap_search_state *state;
4867 0 : struct dom_sid_buf tmp;
4868 :
4869 0 : state = talloc(search, struct ldap_search_state);
4870 0 : if (state == NULL) {
4871 0 : DEBUG(0, ("talloc failed\n"));
4872 0 : return False;
4873 : }
4874 :
4875 0 : state->connection = ldap_state->smbldap_state;
4876 :
4877 0 : state->base = lp_ldap_suffix();
4878 0 : state->connection = ldap_state->smbldap_state;
4879 0 : state->scope = LDAP_SCOPE_SUBTREE;
4880 0 : state->filter = talloc_asprintf(search, "(&(objectclass="LDAP_OBJ_GROUPMAP")"
4881 : "(sambaGroupType=%d)(sambaSID=%s*))",
4882 : type,
4883 : dom_sid_str_buf(sid, &tmp));
4884 0 : state->attrs = talloc_attrs(search, "cn", "sambaSid",
4885 : "displayName", "description",
4886 : "sambaGroupType", NULL);
4887 0 : state->attrsonly = 0;
4888 0 : state->pagedresults_cookie = NULL;
4889 0 : state->entries = NULL;
4890 0 : state->group_type = type;
4891 0 : state->ldap2displayentry = ldapgroup2displayentry;
4892 :
4893 0 : if ((state->filter == NULL) || (state->attrs == NULL)) {
4894 0 : DEBUG(0, ("talloc failed\n"));
4895 0 : return False;
4896 : }
4897 :
4898 0 : search->private_data = state;
4899 0 : search->next_entry = ldapsam_search_next_entry;
4900 0 : search->search_end = ldapsam_search_end;
4901 :
4902 0 : return ldapsam_search_firstpage(search);
4903 : }
4904 :
4905 0 : static bool ldapsam_search_groups(struct pdb_methods *methods,
4906 : struct pdb_search *search)
4907 : {
4908 0 : return ldapsam_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
4909 : }
4910 :
4911 0 : static bool ldapsam_search_aliases(struct pdb_methods *methods,
4912 : struct pdb_search *search,
4913 : const struct dom_sid *sid)
4914 : {
4915 0 : return ldapsam_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
4916 : }
4917 :
4918 0 : static uint32_t ldapsam_capabilities(struct pdb_methods *methods)
4919 : {
4920 0 : return PDB_CAP_STORE_RIDS;
4921 : }
4922 :
4923 0 : static NTSTATUS ldapsam_get_new_rid(struct ldapsam_privates *priv,
4924 : uint32_t *rid)
4925 : {
4926 0 : struct smbldap_state *smbldap_state = priv->smbldap_state;
4927 :
4928 0 : LDAPMessage *result = NULL;
4929 0 : LDAPMessage *entry = NULL;
4930 0 : LDAPMod **mods = NULL;
4931 0 : NTSTATUS status;
4932 0 : char *value;
4933 0 : int rc;
4934 0 : uint32_t nextRid = 0;
4935 0 : const char *dn;
4936 0 : uint32_t tmp;
4937 0 : int error = 0;
4938 :
4939 0 : TALLOC_CTX *mem_ctx;
4940 :
4941 0 : mem_ctx = talloc_new(NULL);
4942 0 : if (mem_ctx == NULL) {
4943 0 : DEBUG(0, ("talloc_new failed\n"));
4944 0 : return NT_STATUS_NO_MEMORY;
4945 : }
4946 :
4947 0 : status = smbldap_search_domain_info(smbldap_state, &result,
4948 : get_global_sam_name(), False);
4949 0 : if (!NT_STATUS_IS_OK(status)) {
4950 0 : DEBUG(3, ("Could not get domain info: %s\n",
4951 : nt_errstr(status)));
4952 0 : goto done;
4953 : }
4954 :
4955 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
4956 :
4957 0 : entry = ldap_first_entry(priv2ld(priv), result);
4958 0 : if (entry == NULL) {
4959 0 : DEBUG(0, ("Could not get domain info entry\n"));
4960 0 : status = NT_STATUS_INTERNAL_DB_CORRUPTION;
4961 0 : goto done;
4962 : }
4963 :
4964 : /* Find the largest of the three attributes "sambaNextRid",
4965 : "sambaNextGroupRid" and "sambaNextUserRid". I gave up on the
4966 : concept of differentiating between user and group rids, and will
4967 : use only "sambaNextRid" in the future. But for compatibility
4968 : reasons I look if others have chosen different strategies -- VL */
4969 :
4970 0 : value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
4971 : "sambaNextRid", mem_ctx);
4972 0 : if (value != NULL) {
4973 0 : tmp = (uint32_t)smb_strtoul(value,
4974 : NULL,
4975 : 10,
4976 : &error,
4977 : SMB_STR_STANDARD);
4978 0 : if (error != 0) {
4979 0 : goto done;
4980 : }
4981 :
4982 0 : nextRid = MAX(nextRid, tmp);
4983 : }
4984 :
4985 0 : value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
4986 : "sambaNextUserRid", mem_ctx);
4987 0 : if (value != NULL) {
4988 0 : tmp = (uint32_t)smb_strtoul(value,
4989 : NULL,
4990 : 10,
4991 : &error,
4992 : SMB_STR_STANDARD);
4993 0 : if (error != 0) {
4994 0 : goto done;
4995 : }
4996 :
4997 0 : nextRid = MAX(nextRid, tmp);
4998 : }
4999 :
5000 0 : value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
5001 : "sambaNextGroupRid", mem_ctx);
5002 0 : if (value != NULL) {
5003 0 : tmp = (uint32_t)smb_strtoul(value,
5004 : NULL,
5005 : 10,
5006 : &error,
5007 : SMB_STR_STANDARD);
5008 0 : if (error != 0) {
5009 0 : goto done;
5010 : }
5011 :
5012 0 : nextRid = MAX(nextRid, tmp);
5013 : }
5014 :
5015 0 : if (nextRid == 0) {
5016 0 : nextRid = BASE_RID-1;
5017 : }
5018 :
5019 0 : nextRid += 1;
5020 :
5021 0 : smbldap_make_mod(priv2ld(priv), entry, &mods, "sambaNextRid",
5022 0 : talloc_asprintf(mem_ctx, "%d", nextRid));
5023 0 : smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
5024 :
5025 0 : if ((dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry)) == NULL) {
5026 0 : status = NT_STATUS_NO_MEMORY;
5027 0 : goto done;
5028 : }
5029 :
5030 0 : rc = smbldap_modify(smbldap_state, dn, mods);
5031 :
5032 : /* ACCESS_DENIED is used as a placeholder for "the modify failed,
5033 : * please retry" */
5034 :
5035 0 : status = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
5036 :
5037 0 : done:
5038 0 : if (NT_STATUS_IS_OK(status)) {
5039 0 : *rid = nextRid;
5040 : }
5041 :
5042 0 : TALLOC_FREE(mem_ctx);
5043 0 : return status;
5044 : }
5045 :
5046 0 : static NTSTATUS ldapsam_new_rid_internal(struct pdb_methods *methods, uint32_t *rid)
5047 : {
5048 0 : int i;
5049 :
5050 0 : for (i=0; i<10; i++) {
5051 0 : NTSTATUS result = ldapsam_get_new_rid(
5052 0 : (struct ldapsam_privates *)methods->private_data, rid);
5053 0 : if (NT_STATUS_IS_OK(result)) {
5054 0 : return result;
5055 : }
5056 :
5057 0 : if (!NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
5058 0 : return result;
5059 : }
5060 :
5061 : /* The ldap update failed (maybe a race condition), retry */
5062 : }
5063 :
5064 : /* Tried 10 times, fail. */
5065 0 : return NT_STATUS_ACCESS_DENIED;
5066 : }
5067 :
5068 0 : static bool ldapsam_new_rid(struct pdb_methods *methods, uint32_t *rid)
5069 : {
5070 0 : NTSTATUS result = ldapsam_new_rid_internal(methods, rid);
5071 0 : return NT_STATUS_IS_OK(result) ? True : False;
5072 : }
5073 :
5074 0 : static bool ldapsam_sid_to_id(struct pdb_methods *methods,
5075 : const struct dom_sid *sid,
5076 : struct unixid *id)
5077 : {
5078 0 : struct ldapsam_privates *priv =
5079 : (struct ldapsam_privates *)methods->private_data;
5080 0 : char *filter;
5081 0 : int error = 0;
5082 0 : struct dom_sid_buf buf;
5083 0 : const char *attrs[] = { "sambaGroupType", "gidNumber", "uidNumber",
5084 : NULL };
5085 0 : LDAPMessage *result = NULL;
5086 0 : LDAPMessage *entry = NULL;
5087 0 : bool ret = False;
5088 0 : char *value;
5089 0 : int rc;
5090 :
5091 0 : TALLOC_CTX *mem_ctx;
5092 :
5093 0 : ret = pdb_sid_to_id_unix_users_and_groups(sid, id);
5094 0 : if (ret == true) {
5095 0 : return true;
5096 : }
5097 :
5098 0 : mem_ctx = talloc_new(NULL);
5099 0 : if (mem_ctx == NULL) {
5100 0 : DEBUG(0, ("talloc_new failed\n"));
5101 0 : return False;
5102 : }
5103 :
5104 0 : filter = talloc_asprintf(mem_ctx,
5105 : "(&(sambaSid=%s)"
5106 : "(|(objectClass="LDAP_OBJ_GROUPMAP")(objectClass="LDAP_OBJ_SAMBASAMACCOUNT")))",
5107 : dom_sid_str_buf(sid, &buf));
5108 0 : if (filter == NULL) {
5109 0 : DEBUG(5, ("talloc_asprintf failed\n"));
5110 0 : goto done;
5111 : }
5112 :
5113 0 : rc = smbldap_search_suffix(priv->smbldap_state, filter,
5114 : attrs, &result);
5115 0 : if (rc != LDAP_SUCCESS) {
5116 0 : goto done;
5117 : }
5118 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
5119 :
5120 0 : if (ldap_count_entries(priv2ld(priv), result) != 1) {
5121 0 : DEBUG(10, ("Got %d entries, expected one\n",
5122 : ldap_count_entries(priv2ld(priv), result)));
5123 0 : goto done;
5124 : }
5125 :
5126 0 : entry = ldap_first_entry(priv2ld(priv), result);
5127 :
5128 0 : value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
5129 : "sambaGroupType", mem_ctx);
5130 :
5131 0 : if (value != NULL) {
5132 0 : const char *gid_str;
5133 : /* It's a group */
5134 :
5135 0 : gid_str = smbldap_talloc_single_attribute(
5136 : priv2ld(priv), entry, "gidNumber", mem_ctx);
5137 0 : if (gid_str == NULL) {
5138 0 : DEBUG(1, ("%s has sambaGroupType but no gidNumber\n",
5139 : smbldap_talloc_dn(mem_ctx, priv2ld(priv),
5140 : entry)));
5141 0 : goto done;
5142 : }
5143 :
5144 0 : id->id = smb_strtoul(gid_str,
5145 : NULL,
5146 : 10,
5147 : &error,
5148 : SMB_STR_STANDARD);
5149 0 : if (error != 0) {
5150 0 : goto done;
5151 : }
5152 :
5153 0 : id->type = ID_TYPE_GID;
5154 0 : ret = True;
5155 0 : goto done;
5156 : }
5157 :
5158 : /* It must be a user */
5159 :
5160 0 : value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
5161 : "uidNumber", mem_ctx);
5162 0 : if (value == NULL) {
5163 0 : DEBUG(1, ("Could not find uidNumber in %s\n",
5164 : smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry)));
5165 0 : goto done;
5166 : }
5167 :
5168 0 : id->id = smb_strtoul(value, NULL, 10, &error, SMB_STR_STANDARD);
5169 0 : if (error != 0) {
5170 0 : goto done;
5171 : }
5172 :
5173 0 : id->type = ID_TYPE_UID;
5174 0 : ret = True;
5175 0 : done:
5176 0 : TALLOC_FREE(mem_ctx);
5177 0 : return ret;
5178 : }
5179 :
5180 : /**
5181 : * Find the SID for a uid.
5182 : * This is shortcut is only used if ldapsam:trusted is set to true.
5183 : */
5184 0 : static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
5185 : struct dom_sid *sid)
5186 : {
5187 0 : struct ldapsam_privates *priv =
5188 : (struct ldapsam_privates *)methods->private_data;
5189 0 : char *filter;
5190 0 : const char *attrs[] = { "sambaSID", NULL };
5191 0 : LDAPMessage *result = NULL;
5192 0 : LDAPMessage *entry = NULL;
5193 0 : bool ret = false;
5194 0 : char *user_sid_string;
5195 0 : struct dom_sid user_sid;
5196 0 : int rc;
5197 0 : TALLOC_CTX *tmp_ctx = talloc_stackframe();
5198 :
5199 0 : filter = talloc_asprintf(tmp_ctx,
5200 : "(&(uidNumber=%u)"
5201 : "(objectClass="LDAP_OBJ_POSIXACCOUNT")"
5202 : "(objectClass="LDAP_OBJ_SAMBASAMACCOUNT"))",
5203 : (unsigned int)uid);
5204 0 : if (filter == NULL) {
5205 0 : DEBUG(3, ("talloc_asprintf failed\n"));
5206 0 : goto done;
5207 : }
5208 :
5209 0 : rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result);
5210 0 : if (rc != LDAP_SUCCESS) {
5211 0 : goto done;
5212 : }
5213 0 : smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
5214 :
5215 0 : if (ldap_count_entries(priv2ld(priv), result) != 1) {
5216 0 : DEBUG(3, ("ERROR: Got %d entries for uid %u, expected one\n",
5217 : ldap_count_entries(priv2ld(priv), result),
5218 : (unsigned int)uid));
5219 0 : goto done;
5220 : }
5221 :
5222 0 : entry = ldap_first_entry(priv2ld(priv), result);
5223 :
5224 0 : user_sid_string = smbldap_talloc_single_attribute(priv2ld(priv), entry,
5225 : "sambaSID", tmp_ctx);
5226 0 : if (user_sid_string == NULL) {
5227 0 : DEBUG(1, ("Could not find sambaSID in object '%s'\n",
5228 : smbldap_talloc_dn(tmp_ctx, priv2ld(priv), entry)));
5229 0 : goto done;
5230 : }
5231 :
5232 0 : if (!string_to_sid(&user_sid, user_sid_string)) {
5233 0 : DEBUG(3, ("Error calling string_to_sid for sid '%s'\n",
5234 : user_sid_string));
5235 0 : goto done;
5236 : }
5237 :
5238 0 : sid_copy(sid, &user_sid);
5239 :
5240 0 : ret = true;
5241 :
5242 0 : done:
5243 0 : TALLOC_FREE(tmp_ctx);
5244 0 : return ret;
5245 : }
5246 :
5247 : /**
5248 : * Find the SID for a gid.
5249 : * This is shortcut is only used if ldapsam:trusted is set to true.
5250 : */
5251 0 : static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
5252 : struct dom_sid *sid)
5253 : {
5254 0 : struct ldapsam_privates *priv =
5255 : (struct ldapsam_privates *)methods->private_data;
5256 0 : char *filter;
5257 0 : const char *attrs[] = { "sambaSID", NULL };
5258 0 : LDAPMessage *result = NULL;
5259 0 : LDAPMessage *entry = NULL;
5260 0 : bool ret = false;
5261 0 : char *group_sid_string;
5262 0 : struct dom_sid group_sid;
5263 0 : int rc;
5264 0 : TALLOC_CTX *tmp_ctx = talloc_stackframe();
5265 :
5266 0 : filter = talloc_asprintf(tmp_ctx,
5267 : "(&(gidNumber=%u)"
5268 : "(objectClass="LDAP_OBJ_GROUPMAP"))",
5269 : (unsigned int)gid);
5270 0 : if (filter == NULL) {
5271 0 : DEBUG(3, ("talloc_asprintf failed\n"));
5272 0 : goto done;
5273 : }
5274 :
5275 0 : rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result);
5276 0 : if (rc != LDAP_SUCCESS) {
5277 0 : goto done;
5278 : }
5279 0 : smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
5280 :
5281 0 : if (ldap_count_entries(priv2ld(priv), result) != 1) {
5282 0 : DEBUG(3, ("ERROR: Got %d entries for gid %u, expected one\n",
5283 : ldap_count_entries(priv2ld(priv), result),
5284 : (unsigned int)gid));
5285 0 : goto done;
5286 : }
5287 :
5288 0 : entry = ldap_first_entry(priv2ld(priv), result);
5289 :
5290 0 : group_sid_string = smbldap_talloc_single_attribute(priv2ld(priv), entry,
5291 : "sambaSID", tmp_ctx);
5292 0 : if (group_sid_string == NULL) {
5293 0 : DEBUG(1, ("Could not find sambaSID in object '%s'\n",
5294 : smbldap_talloc_dn(tmp_ctx, priv2ld(priv), entry)));
5295 0 : goto done;
5296 : }
5297 :
5298 0 : if (!string_to_sid(&group_sid, group_sid_string)) {
5299 0 : DEBUG(3, ("Error calling string_to_sid for sid '%s'\n",
5300 : group_sid_string));
5301 0 : goto done;
5302 : }
5303 :
5304 0 : sid_copy(sid, &group_sid);
5305 :
5306 0 : ret = true;
5307 :
5308 0 : done:
5309 0 : TALLOC_FREE(tmp_ctx);
5310 0 : return ret;
5311 : }
5312 :
5313 0 : static bool ldapsam_id_to_sid(struct pdb_methods *methods, struct unixid *id,
5314 : struct dom_sid *sid)
5315 : {
5316 0 : switch (id->type) {
5317 0 : case ID_TYPE_UID:
5318 0 : return ldapsam_uid_to_sid(methods, id->id, sid);
5319 :
5320 0 : case ID_TYPE_GID:
5321 0 : return ldapsam_gid_to_sid(methods, id->id, sid);
5322 :
5323 0 : default:
5324 0 : return false;
5325 : }
5326 : }
5327 :
5328 :
5329 : /*
5330 : * The following functions are called only if
5331 : * ldapsam:trusted and ldapsam:editposix are
5332 : * set to true
5333 : */
5334 :
5335 : /*
5336 : * ldapsam_create_user creates a new
5337 : * posixAccount and sambaSamAccount object
5338 : * in the ldap users subtree
5339 : *
5340 : * The uid is allocated by winbindd.
5341 : */
5342 :
5343 0 : static NTSTATUS ldapsam_create_user(struct pdb_methods *my_methods,
5344 : TALLOC_CTX *tmp_ctx, const char *name,
5345 : uint32_t acb_info, uint32_t *rid)
5346 : {
5347 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
5348 0 : LDAPMessage *entry = NULL;
5349 0 : LDAPMessage *result = NULL;
5350 0 : uint32_t num_result;
5351 0 : bool is_machine = False;
5352 0 : bool add_posix = False;
5353 0 : bool init_okay = False;
5354 0 : LDAPMod **mods = NULL;
5355 0 : struct samu *user;
5356 0 : char *filter;
5357 0 : char *username;
5358 0 : char *homedir;
5359 0 : char *gidstr;
5360 0 : char *uidstr;
5361 0 : char *shell;
5362 0 : const char *dn = NULL;
5363 0 : struct dom_sid group_sid;
5364 0 : struct dom_sid user_sid;
5365 0 : gid_t gid = -1;
5366 0 : uid_t uid = -1;
5367 0 : NTSTATUS ret;
5368 0 : int rc;
5369 :
5370 0 : if (((acb_info & ACB_NORMAL) && name[strlen(name)-1] == '$') ||
5371 0 : acb_info & ACB_WSTRUST ||
5372 0 : acb_info & ACB_SVRTRUST ||
5373 0 : acb_info & ACB_DOMTRUST) {
5374 0 : is_machine = True;
5375 : }
5376 :
5377 0 : username = escape_ldap_string(talloc_tos(), name);
5378 0 : filter = talloc_asprintf(tmp_ctx, "(&(uid=%s)(objectClass="LDAP_OBJ_POSIXACCOUNT"))",
5379 : username);
5380 0 : TALLOC_FREE(username);
5381 :
5382 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5383 0 : if (rc != LDAP_SUCCESS) {
5384 0 : DEBUG(0,("ldapsam_create_user: ldap search failed!\n"));
5385 0 : return NT_STATUS_ACCESS_DENIED;
5386 : }
5387 0 : smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
5388 :
5389 0 : num_result = ldap_count_entries(priv2ld(ldap_state), result);
5390 :
5391 0 : if (num_result > 1) {
5392 0 : DEBUG (0, ("ldapsam_create_user: More than one user with name [%s] ?!\n", name));
5393 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
5394 : }
5395 :
5396 0 : if (num_result == 1) {
5397 0 : char *tmp;
5398 : /* check if it is just a posix account.
5399 : * or if there is a sid attached to this entry
5400 : */
5401 :
5402 0 : entry = ldap_first_entry(priv2ld(ldap_state), result);
5403 0 : if (!entry) {
5404 0 : return NT_STATUS_UNSUCCESSFUL;
5405 : }
5406 :
5407 0 : tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "sambaSID", tmp_ctx);
5408 0 : if (tmp) {
5409 0 : DEBUG (1, ("ldapsam_create_user: The user [%s] already exist!\n", name));
5410 0 : return NT_STATUS_USER_EXISTS;
5411 : }
5412 :
5413 : /* it is just a posix account, retrieve the dn for later use */
5414 0 : dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
5415 0 : if (!dn) {
5416 0 : DEBUG(0,("ldapsam_create_user: Out of memory!\n"));
5417 0 : return NT_STATUS_NO_MEMORY;
5418 : }
5419 : }
5420 :
5421 0 : if (num_result == 0) {
5422 0 : add_posix = True;
5423 : }
5424 :
5425 : /* Create the basic samu structure and generate the mods for the ldap commit */
5426 0 : if (!NT_STATUS_IS_OK((ret = ldapsam_new_rid_internal(my_methods, rid)))) {
5427 0 : DEBUG(1, ("ldapsam_create_user: Could not allocate a new RID\n"));
5428 0 : return ret;
5429 : }
5430 :
5431 0 : sid_compose(&user_sid, get_global_sam_sid(), *rid);
5432 :
5433 0 : user = samu_new(tmp_ctx);
5434 0 : if (!user) {
5435 0 : DEBUG(1,("ldapsam_create_user: Unable to allocate user struct\n"));
5436 0 : return NT_STATUS_NO_MEMORY;
5437 : }
5438 :
5439 0 : if (!pdb_set_username(user, name, PDB_SET)) {
5440 0 : DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5441 0 : return NT_STATUS_UNSUCCESSFUL;
5442 : }
5443 0 : if (!pdb_set_domain(user, get_global_sam_name(), PDB_SET)) {
5444 0 : DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5445 0 : return NT_STATUS_UNSUCCESSFUL;
5446 : }
5447 0 : if (is_machine) {
5448 0 : if (acb_info & ACB_NORMAL) {
5449 0 : if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_SET)) {
5450 0 : DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5451 0 : return NT_STATUS_UNSUCCESSFUL;
5452 : }
5453 : } else {
5454 0 : if (!pdb_set_acct_ctrl(user, acb_info, PDB_SET)) {
5455 0 : DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5456 0 : return NT_STATUS_UNSUCCESSFUL;
5457 : }
5458 : }
5459 : } else {
5460 0 : if (!pdb_set_acct_ctrl(user, ACB_NORMAL | ACB_DISABLED, PDB_SET)) {
5461 0 : DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5462 0 : return NT_STATUS_UNSUCCESSFUL;
5463 : }
5464 : }
5465 :
5466 0 : if (!pdb_set_user_sid(user, &user_sid, PDB_SET)) {
5467 0 : DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5468 0 : return NT_STATUS_UNSUCCESSFUL;
5469 : }
5470 :
5471 0 : init_okay = init_ldap_from_sam(ldap_state, entry, &mods, user, pdb_element_is_set_or_changed);
5472 :
5473 0 : if (!init_okay) {
5474 0 : DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5475 0 : ldap_mods_free(mods, true);
5476 0 : return NT_STATUS_UNSUCCESSFUL;
5477 : }
5478 :
5479 0 : if (ldap_state->schema_ver != SCHEMAVER_SAMBASAMACCOUNT) {
5480 0 : DEBUG(1,("ldapsam_create_user: Unsupported schema version\n"));
5481 : }
5482 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
5483 :
5484 0 : if (add_posix) {
5485 0 : char *escape_name;
5486 :
5487 0 : DEBUG(3,("ldapsam_create_user: Creating new posix user\n"));
5488 :
5489 : /* retrieve the Domain Users group gid */
5490 0 : if (!sid_compose(&group_sid, get_global_sam_sid(), DOMAIN_RID_USERS) ||
5491 0 : !sid_to_gid(&group_sid, &gid)) {
5492 0 : DEBUG (0, ("ldapsam_create_user: Unable to get the Domain Users gid: bailing out!\n"));
5493 0 : ldap_mods_free(mods, true);
5494 0 : return NT_STATUS_INVALID_PRIMARY_GROUP;
5495 : }
5496 :
5497 : /* lets allocate a new userid for this user */
5498 0 : if (!winbind_allocate_uid(&uid)) {
5499 0 : DEBUG (0, ("ldapsam_create_user: Unable to allocate a new user id: bailing out!\n"));
5500 0 : ldap_mods_free(mods, true);
5501 0 : return NT_STATUS_UNSUCCESSFUL;
5502 : }
5503 :
5504 :
5505 0 : if (is_machine) {
5506 : /* TODO: choose a more appropriate default for machines */
5507 0 : homedir = talloc_sub_specified(tmp_ctx,
5508 : lp_template_homedir(),
5509 : "SMB_workstations_home",
5510 : NULL,
5511 : ldap_state->domain_name,
5512 : uid,
5513 : gid);
5514 0 : shell = talloc_strdup(tmp_ctx, "/bin/false");
5515 : } else {
5516 0 : homedir = talloc_sub_specified(tmp_ctx,
5517 : lp_template_homedir(),
5518 : name,
5519 : NULL,
5520 : ldap_state->domain_name,
5521 : uid,
5522 : gid);
5523 0 : shell = talloc_sub_specified(tmp_ctx,
5524 : lp_template_shell(),
5525 : name,
5526 : NULL,
5527 : ldap_state->domain_name,
5528 : uid,
5529 : gid);
5530 : }
5531 0 : uidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)uid);
5532 0 : gidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)gid);
5533 :
5534 0 : escape_name = escape_rdn_val_string_alloc(name);
5535 0 : if (!escape_name) {
5536 0 : DEBUG (0, ("ldapsam_create_user: Out of memory!\n"));
5537 0 : ldap_mods_free(mods, true);
5538 0 : return NT_STATUS_NO_MEMORY;
5539 : }
5540 :
5541 0 : if (is_machine) {
5542 0 : dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", escape_name, lp_ldap_machine_suffix (talloc_tos()));
5543 : } else {
5544 0 : dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", escape_name, lp_ldap_user_suffix (talloc_tos()));
5545 : }
5546 :
5547 0 : SAFE_FREE(escape_name);
5548 :
5549 0 : if (!homedir || !shell || !uidstr || !gidstr || !dn) {
5550 0 : DEBUG (0, ("ldapsam_create_user: Out of memory!\n"));
5551 0 : ldap_mods_free(mods, true);
5552 0 : return NT_STATUS_NO_MEMORY;
5553 : }
5554 :
5555 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
5556 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
5557 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
5558 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
5559 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
5560 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", homedir);
5561 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
5562 : }
5563 :
5564 0 : if (add_posix) {
5565 0 : rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
5566 : } else {
5567 0 : rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
5568 : }
5569 :
5570 0 : ldap_mods_free(mods, true);
5571 :
5572 0 : if (rc != LDAP_SUCCESS) {
5573 0 : DEBUG(0,("ldapsam_create_user: failed to create a new user [%s] (dn = %s)\n", name ,dn));
5574 0 : return NT_STATUS_UNSUCCESSFUL;
5575 : }
5576 :
5577 0 : DEBUG(2,("ldapsam_create_user: added account [%s] in the LDAP database\n", name));
5578 :
5579 0 : flush_pwnam_cache();
5580 :
5581 0 : return NT_STATUS_OK;
5582 : }
5583 :
5584 0 : static NTSTATUS ldapsam_delete_user(struct pdb_methods *my_methods, TALLOC_CTX *tmp_ctx, struct samu *sam_acct)
5585 : {
5586 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
5587 0 : LDAPMessage *result = NULL;
5588 0 : LDAPMessage *entry = NULL;
5589 0 : int num_result;
5590 0 : const char *dn;
5591 0 : char *filter;
5592 0 : int rc;
5593 :
5594 0 : DEBUG(0,("ldapsam_delete_user: Attempt to delete user [%s]\n", pdb_get_username(sam_acct)));
5595 :
5596 0 : filter = talloc_asprintf(tmp_ctx,
5597 : "(&(uid=%s)"
5598 : "(objectClass="LDAP_OBJ_POSIXACCOUNT")"
5599 : "(objectClass="LDAP_OBJ_SAMBASAMACCOUNT"))",
5600 : pdb_get_username(sam_acct));
5601 0 : if (filter == NULL) {
5602 0 : return NT_STATUS_NO_MEMORY;
5603 : }
5604 :
5605 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5606 0 : if (rc != LDAP_SUCCESS) {
5607 0 : DEBUG(0,("ldapsam_delete_user: user search failed!\n"));
5608 0 : return NT_STATUS_UNSUCCESSFUL;
5609 : }
5610 0 : smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
5611 :
5612 0 : num_result = ldap_count_entries(priv2ld(ldap_state), result);
5613 :
5614 0 : if (num_result == 0) {
5615 0 : DEBUG(0,("ldapsam_delete_user: user not found!\n"));
5616 0 : return NT_STATUS_NO_SUCH_USER;
5617 : }
5618 :
5619 0 : if (num_result > 1) {
5620 0 : DEBUG (0, ("ldapsam_delete_user: More than one user with name [%s] ?!\n", pdb_get_username(sam_acct)));
5621 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
5622 : }
5623 :
5624 0 : entry = ldap_first_entry(priv2ld(ldap_state), result);
5625 0 : if (!entry) {
5626 0 : return NT_STATUS_UNSUCCESSFUL;
5627 : }
5628 :
5629 : /* it is just a posix account, retrieve the dn for later use */
5630 0 : dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
5631 0 : if (!dn) {
5632 0 : DEBUG(0,("ldapsam_delete_user: Out of memory!\n"));
5633 0 : return NT_STATUS_NO_MEMORY;
5634 : }
5635 :
5636 : /* try to remove memberships first */
5637 : {
5638 0 : NTSTATUS status;
5639 0 : struct dom_sid *sids = NULL;
5640 0 : gid_t *gids = NULL;
5641 0 : uint32_t num_groups = 0;
5642 0 : int i;
5643 0 : uint32_t user_rid = pdb_get_user_rid(sam_acct);
5644 :
5645 0 : status = ldapsam_enum_group_memberships(my_methods,
5646 : tmp_ctx,
5647 : sam_acct,
5648 : &sids,
5649 : &gids,
5650 : &num_groups);
5651 0 : if (!NT_STATUS_IS_OK(status)) {
5652 0 : goto delete_dn;
5653 : }
5654 :
5655 0 : for (i=0; i < num_groups; i++) {
5656 :
5657 0 : uint32_t group_rid;
5658 :
5659 0 : sid_peek_rid(&sids[i], &group_rid);
5660 :
5661 0 : ldapsam_del_groupmem(my_methods,
5662 : tmp_ctx,
5663 : group_rid,
5664 : user_rid);
5665 : }
5666 : }
5667 :
5668 0 : delete_dn:
5669 :
5670 0 : rc = smbldap_delete(ldap_state->smbldap_state, dn);
5671 0 : if (rc != LDAP_SUCCESS) {
5672 0 : return NT_STATUS_UNSUCCESSFUL;
5673 : }
5674 :
5675 0 : flush_pwnam_cache();
5676 :
5677 0 : return NT_STATUS_OK;
5678 : }
5679 :
5680 : /*
5681 : * ldapsam_create_group creates a new
5682 : * posixGroup and sambaGroupMapping object
5683 : * in the ldap groups subtree
5684 : *
5685 : * The gid is allocated by winbindd.
5686 : */
5687 :
5688 0 : static NTSTATUS ldapsam_create_dom_group(struct pdb_methods *my_methods,
5689 : TALLOC_CTX *tmp_ctx,
5690 : const char *name,
5691 : uint32_t *rid)
5692 : {
5693 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
5694 0 : NTSTATUS ret;
5695 0 : LDAPMessage *entry = NULL;
5696 0 : LDAPMessage *result = NULL;
5697 0 : uint32_t num_result;
5698 0 : bool is_new_entry = False;
5699 0 : LDAPMod **mods = NULL;
5700 0 : char *filter;
5701 0 : char *groupname;
5702 0 : const char *grouptype;
5703 0 : char *gidstr;
5704 0 : const char *dn = NULL;
5705 0 : struct dom_sid group_sid;
5706 0 : struct dom_sid_buf buf;
5707 0 : gid_t gid = -1;
5708 0 : int rc;
5709 0 : int error = 0;
5710 :
5711 0 : groupname = escape_ldap_string(talloc_tos(), name);
5712 0 : filter = talloc_asprintf(tmp_ctx, "(&(cn=%s)(objectClass="LDAP_OBJ_POSIXGROUP"))",
5713 : groupname);
5714 0 : TALLOC_FREE(groupname);
5715 :
5716 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5717 0 : if (rc != LDAP_SUCCESS) {
5718 0 : DEBUG(0,("ldapsam_create_group: ldap search failed!\n"));
5719 0 : return NT_STATUS_UNSUCCESSFUL;
5720 : }
5721 0 : smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
5722 :
5723 0 : num_result = ldap_count_entries(priv2ld(ldap_state), result);
5724 :
5725 0 : if (num_result > 1) {
5726 0 : DEBUG (0, ("ldapsam_create_group: There exists more than one group with name [%s]: bailing out!\n", name));
5727 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
5728 : }
5729 :
5730 0 : if (num_result == 1) {
5731 0 : char *tmp;
5732 : /* check if it is just a posix group.
5733 : * or if there is a sid attached to this entry
5734 : */
5735 :
5736 0 : entry = ldap_first_entry(priv2ld(ldap_state), result);
5737 0 : if (!entry) {
5738 0 : return NT_STATUS_UNSUCCESSFUL;
5739 : }
5740 :
5741 0 : tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "sambaSID", tmp_ctx);
5742 0 : if (tmp) {
5743 0 : DEBUG (1, ("ldapsam_create_group: The group [%s] already exist!\n", name));
5744 0 : return NT_STATUS_GROUP_EXISTS;
5745 : }
5746 :
5747 : /* it is just a posix group, retrieve the gid and the dn for later use */
5748 0 : tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
5749 0 : if (!tmp) {
5750 0 : DEBUG (1, ("ldapsam_create_group: Couldn't retrieve the gidNumber for [%s]?!?!\n", name));
5751 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
5752 : }
5753 :
5754 0 : gid = smb_strtoul(tmp, NULL, 10, &error, SMB_STR_STANDARD);
5755 0 : if (error != 0) {
5756 0 : DBG_ERR("Failed to convert gidNumber\n");
5757 0 : return NT_STATUS_UNSUCCESSFUL;
5758 : }
5759 :
5760 0 : dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
5761 0 : if (!dn) {
5762 0 : DEBUG(0,("ldapsam_create_group: Out of memory!\n"));
5763 0 : return NT_STATUS_NO_MEMORY;
5764 : }
5765 : }
5766 :
5767 0 : if (num_result == 0) {
5768 0 : is_new_entry = true;
5769 : }
5770 :
5771 0 : if (!NT_STATUS_IS_OK((ret = ldapsam_new_rid_internal(my_methods, rid)))) {
5772 0 : DEBUG(1, ("ldapsam_create_group: Could not allocate a new RID\n"));
5773 0 : return ret;
5774 : }
5775 :
5776 0 : sid_compose(&group_sid, get_global_sam_sid(), *rid);
5777 :
5778 0 : grouptype = talloc_asprintf(tmp_ctx, "%d", SID_NAME_DOM_GRP);
5779 :
5780 0 : if (!grouptype) {
5781 0 : DEBUG(0,("ldapsam_create_group: Out of memory!\n"));
5782 0 : return NT_STATUS_NO_MEMORY;
5783 : }
5784 :
5785 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
5786 0 : smbldap_set_mod(&mods,
5787 : LDAP_MOD_ADD,
5788 : "sambaSid",
5789 0 : dom_sid_str_buf(&group_sid, &buf));
5790 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", grouptype);
5791 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
5792 :
5793 0 : if (is_new_entry) {
5794 0 : char *escape_name;
5795 :
5796 0 : DEBUG(3,("ldapsam_create_user: Creating new posix group\n"));
5797 :
5798 : /* lets allocate a new groupid for this group */
5799 0 : if (!winbind_allocate_gid(&gid)) {
5800 0 : DEBUG (0, ("ldapsam_create_group: Unable to allocate a new group id: bailing out!\n"));
5801 0 : return NT_STATUS_UNSUCCESSFUL;
5802 : }
5803 :
5804 0 : gidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)gid);
5805 :
5806 0 : escape_name = escape_rdn_val_string_alloc(name);
5807 0 : if (!escape_name) {
5808 0 : DEBUG (0, ("ldapsam_create_group: Out of memory!\n"));
5809 0 : return NT_STATUS_NO_MEMORY;
5810 : }
5811 :
5812 0 : dn = talloc_asprintf(tmp_ctx, "cn=%s,%s", escape_name, lp_ldap_group_suffix(talloc_tos()));
5813 :
5814 0 : SAFE_FREE(escape_name);
5815 :
5816 0 : if (!gidstr || !dn) {
5817 0 : DEBUG (0, ("ldapsam_create_group: Out of memory!\n"));
5818 0 : return NT_STATUS_NO_MEMORY;
5819 : }
5820 :
5821 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
5822 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
5823 0 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
5824 : }
5825 :
5826 0 : smbldap_talloc_autofree_ldapmod(tmp_ctx, mods);
5827 :
5828 0 : if (is_new_entry) {
5829 0 : rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
5830 : #if 0
5831 : if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
5832 : /* This call may fail with rfc2307bis schema */
5833 : /* Retry adding a structural class */
5834 : smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "????");
5835 : rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
5836 : }
5837 : #endif
5838 : } else {
5839 0 : rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
5840 : }
5841 :
5842 0 : if (rc != LDAP_SUCCESS) {
5843 0 : DEBUG(0,("ldapsam_create_group: failed to create a new group [%s] (dn = %s)\n", name ,dn));
5844 0 : return NT_STATUS_UNSUCCESSFUL;
5845 : }
5846 :
5847 0 : DEBUG(2,("ldapsam_create_group: added group [%s] in the LDAP database\n", name));
5848 :
5849 0 : return NT_STATUS_OK;
5850 : }
5851 :
5852 0 : static NTSTATUS ldapsam_delete_dom_group(struct pdb_methods *my_methods, TALLOC_CTX *tmp_ctx, uint32_t rid)
5853 : {
5854 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
5855 0 : LDAPMessage *result = NULL;
5856 0 : LDAPMessage *entry = NULL;
5857 0 : int num_result;
5858 0 : const char *dn;
5859 0 : char *gidstr;
5860 0 : char *filter;
5861 0 : struct dom_sid group_sid;
5862 0 : struct dom_sid_buf buf;
5863 0 : int rc;
5864 :
5865 : /* get the group sid */
5866 0 : sid_compose(&group_sid, get_global_sam_sid(), rid);
5867 :
5868 0 : filter = talloc_asprintf(tmp_ctx,
5869 : "(&(sambaSID=%s)"
5870 : "(objectClass="LDAP_OBJ_POSIXGROUP")"
5871 : "(objectClass="LDAP_OBJ_GROUPMAP"))",
5872 : dom_sid_str_buf(&group_sid, &buf));
5873 0 : if (filter == NULL) {
5874 0 : return NT_STATUS_NO_MEMORY;
5875 : }
5876 :
5877 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5878 0 : if (rc != LDAP_SUCCESS) {
5879 0 : DEBUG(1,("ldapsam_delete_dom_group: group search failed!\n"));
5880 0 : return NT_STATUS_UNSUCCESSFUL;
5881 : }
5882 0 : smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
5883 :
5884 0 : num_result = ldap_count_entries(priv2ld(ldap_state), result);
5885 :
5886 0 : if (num_result == 0) {
5887 0 : DEBUG(1,("ldapsam_delete_dom_group: group not found!\n"));
5888 0 : return NT_STATUS_NO_SUCH_GROUP;
5889 : }
5890 :
5891 0 : if (num_result > 1) {
5892 0 : DEBUG (0, ("ldapsam_delete_dom_group: More than one group with the same SID ?!\n"));
5893 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
5894 : }
5895 :
5896 0 : entry = ldap_first_entry(priv2ld(ldap_state), result);
5897 0 : if (!entry) {
5898 0 : return NT_STATUS_UNSUCCESSFUL;
5899 : }
5900 :
5901 : /* here it is, retrieve the dn for later use */
5902 0 : dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
5903 0 : if (!dn) {
5904 0 : DEBUG(0,("ldapsam_delete_dom_group: Out of memory!\n"));
5905 0 : return NT_STATUS_NO_MEMORY;
5906 : }
5907 :
5908 0 : gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
5909 0 : if (!gidstr) {
5910 0 : DEBUG (0, ("ldapsam_delete_dom_group: Unable to find the group's gid!\n"));
5911 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
5912 : }
5913 :
5914 : /* check no user have this group marked as primary group */
5915 0 : filter = talloc_asprintf(tmp_ctx,
5916 : "(&(gidNumber=%s)"
5917 : "(objectClass="LDAP_OBJ_POSIXACCOUNT")"
5918 : "(objectClass="LDAP_OBJ_SAMBASAMACCOUNT"))",
5919 : gidstr);
5920 :
5921 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5922 0 : if (rc != LDAP_SUCCESS) {
5923 0 : DEBUG(1,("ldapsam_delete_dom_group: accounts search failed!\n"));
5924 0 : return NT_STATUS_UNSUCCESSFUL;
5925 : }
5926 0 : smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
5927 :
5928 0 : num_result = ldap_count_entries(priv2ld(ldap_state), result);
5929 :
5930 0 : if (num_result != 0) {
5931 0 : DEBUG(3,("ldapsam_delete_dom_group: Can't delete group, it is a primary group for %d users\n", num_result));
5932 0 : return NT_STATUS_MEMBERS_PRIMARY_GROUP;
5933 : }
5934 :
5935 0 : rc = smbldap_delete(ldap_state->smbldap_state, dn);
5936 0 : if (rc != LDAP_SUCCESS) {
5937 0 : return NT_STATUS_UNSUCCESSFUL;
5938 : }
5939 :
5940 0 : return NT_STATUS_OK;
5941 : }
5942 :
5943 0 : static NTSTATUS ldapsam_change_groupmem(struct pdb_methods *my_methods,
5944 : TALLOC_CTX *tmp_ctx,
5945 : uint32_t group_rid,
5946 : uint32_t member_rid,
5947 : int modop)
5948 : {
5949 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
5950 0 : LDAPMessage *entry = NULL;
5951 0 : LDAPMessage *result = NULL;
5952 0 : uint32_t num_result;
5953 0 : LDAPMod **mods = NULL;
5954 0 : char *filter;
5955 0 : char *uidstr;
5956 0 : const char *dn = NULL;
5957 0 : struct dom_sid group_sid;
5958 0 : struct dom_sid member_sid;
5959 0 : struct dom_sid_buf buf;
5960 0 : int rc;
5961 0 : int error = 0;
5962 :
5963 0 : switch (modop) {
5964 0 : case LDAP_MOD_ADD:
5965 0 : DEBUG(1,("ldapsam_change_groupmem: add new member(rid=%d) to a domain group(rid=%d)\n", member_rid, group_rid));
5966 0 : break;
5967 0 : case LDAP_MOD_DELETE:
5968 0 : DEBUG(1,("ldapsam_change_groupmem: delete member(rid=%d) from a domain group(rid=%d)\n", member_rid, group_rid));
5969 0 : break;
5970 0 : default:
5971 0 : return NT_STATUS_UNSUCCESSFUL;
5972 : }
5973 :
5974 : /* get member sid */
5975 0 : sid_compose(&member_sid, get_global_sam_sid(), member_rid);
5976 :
5977 : /* get the group sid */
5978 0 : sid_compose(&group_sid, get_global_sam_sid(), group_rid);
5979 :
5980 0 : filter = talloc_asprintf(tmp_ctx,
5981 : "(&(sambaSID=%s)"
5982 : "(objectClass="LDAP_OBJ_POSIXACCOUNT")"
5983 : "(objectClass="LDAP_OBJ_SAMBASAMACCOUNT"))",
5984 : dom_sid_str_buf(&member_sid, &buf));
5985 0 : if (filter == NULL) {
5986 0 : return NT_STATUS_NO_MEMORY;
5987 : }
5988 :
5989 : /* get the member uid */
5990 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5991 0 : if (rc != LDAP_SUCCESS) {
5992 0 : DEBUG(1,("ldapsam_change_groupmem: member search failed!\n"));
5993 0 : return NT_STATUS_UNSUCCESSFUL;
5994 : }
5995 0 : smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
5996 :
5997 0 : num_result = ldap_count_entries(priv2ld(ldap_state), result);
5998 :
5999 0 : if (num_result == 0) {
6000 0 : DEBUG(1,("ldapsam_change_groupmem: member not found!\n"));
6001 0 : return NT_STATUS_NO_SUCH_MEMBER;
6002 : }
6003 :
6004 0 : if (num_result > 1) {
6005 0 : DEBUG (0, ("ldapsam_change_groupmem: More than one account with the same SID ?!\n"));
6006 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
6007 : }
6008 :
6009 0 : entry = ldap_first_entry(priv2ld(ldap_state), result);
6010 0 : if (!entry) {
6011 0 : return NT_STATUS_UNSUCCESSFUL;
6012 : }
6013 :
6014 0 : if (modop == LDAP_MOD_DELETE) {
6015 : /* check if we are trying to remove the member from his primary group */
6016 0 : char *gidstr;
6017 0 : gid_t user_gid, group_gid;
6018 :
6019 0 : gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
6020 0 : if (!gidstr) {
6021 0 : DEBUG (0, ("ldapsam_change_groupmem: Unable to find the member's gid!\n"));
6022 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
6023 : }
6024 :
6025 0 : user_gid = smb_strtoul(gidstr, NULL, 10, &error, SMB_STR_STANDARD);
6026 0 : if (error != 0) {
6027 0 : DBG_ERR("Failed to convert user gid\n");
6028 0 : return NT_STATUS_UNSUCCESSFUL;
6029 : }
6030 :
6031 0 : if (!sid_to_gid(&group_sid, &group_gid)) {
6032 0 : DEBUG (0, ("ldapsam_change_groupmem: Unable to get group gid from SID!\n"));
6033 0 : return NT_STATUS_UNSUCCESSFUL;
6034 : }
6035 :
6036 0 : if (user_gid == group_gid) {
6037 0 : DEBUG (3, ("ldapsam_change_groupmem: can't remove user from its own primary group!\n"));
6038 0 : return NT_STATUS_MEMBERS_PRIMARY_GROUP;
6039 : }
6040 : }
6041 :
6042 : /* here it is, retrieve the uid for later use */
6043 0 : uidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "uid", tmp_ctx);
6044 0 : if (!uidstr) {
6045 0 : DEBUG (0, ("ldapsam_change_groupmem: Unable to find the member's name!\n"));
6046 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
6047 : }
6048 :
6049 0 : filter = talloc_asprintf(tmp_ctx,
6050 : "(&(sambaSID=%s)"
6051 : "(objectClass="LDAP_OBJ_POSIXGROUP")"
6052 : "(objectClass="LDAP_OBJ_GROUPMAP"))",
6053 : dom_sid_str_buf(&group_sid, &buf));
6054 :
6055 : /* get the group */
6056 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
6057 0 : if (rc != LDAP_SUCCESS) {
6058 0 : DEBUG(1,("ldapsam_change_groupmem: group search failed!\n"));
6059 0 : return NT_STATUS_UNSUCCESSFUL;
6060 : }
6061 0 : smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
6062 :
6063 0 : num_result = ldap_count_entries(priv2ld(ldap_state), result);
6064 :
6065 0 : if (num_result == 0) {
6066 0 : DEBUG(1,("ldapsam_change_groupmem: group not found!\n"));
6067 0 : return NT_STATUS_NO_SUCH_GROUP;
6068 : }
6069 :
6070 0 : if (num_result > 1) {
6071 0 : DEBUG (0, ("ldapsam_change_groupmem: More than one group with the same SID ?!\n"));
6072 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
6073 : }
6074 :
6075 0 : entry = ldap_first_entry(priv2ld(ldap_state), result);
6076 0 : if (!entry) {
6077 0 : return NT_STATUS_UNSUCCESSFUL;
6078 : }
6079 :
6080 : /* here it is, retrieve the dn for later use */
6081 0 : dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
6082 0 : if (!dn) {
6083 0 : DEBUG(0,("ldapsam_change_groupmem: Out of memory!\n"));
6084 0 : return NT_STATUS_NO_MEMORY;
6085 : }
6086 :
6087 0 : smbldap_set_mod(&mods, modop, "memberUid", uidstr);
6088 :
6089 0 : smbldap_talloc_autofree_ldapmod(tmp_ctx, mods);
6090 :
6091 0 : rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
6092 0 : if (rc != LDAP_SUCCESS) {
6093 0 : if (rc == LDAP_TYPE_OR_VALUE_EXISTS && modop == LDAP_MOD_ADD) {
6094 0 : DEBUG(1,("ldapsam_change_groupmem: member is already in group, add failed!\n"));
6095 0 : return NT_STATUS_MEMBER_IN_GROUP;
6096 : }
6097 0 : if (rc == LDAP_NO_SUCH_ATTRIBUTE && modop == LDAP_MOD_DELETE) {
6098 0 : DEBUG(1,("ldapsam_change_groupmem: member is not in group, delete failed!\n"));
6099 0 : return NT_STATUS_MEMBER_NOT_IN_GROUP;
6100 : }
6101 0 : return NT_STATUS_UNSUCCESSFUL;
6102 : }
6103 :
6104 0 : return NT_STATUS_OK;
6105 : }
6106 :
6107 0 : static NTSTATUS ldapsam_add_groupmem(struct pdb_methods *my_methods,
6108 : TALLOC_CTX *tmp_ctx,
6109 : uint32_t group_rid,
6110 : uint32_t member_rid)
6111 : {
6112 0 : return ldapsam_change_groupmem(my_methods, tmp_ctx, group_rid, member_rid, LDAP_MOD_ADD);
6113 : }
6114 0 : static NTSTATUS ldapsam_del_groupmem(struct pdb_methods *my_methods,
6115 : TALLOC_CTX *tmp_ctx,
6116 : uint32_t group_rid,
6117 : uint32_t member_rid)
6118 : {
6119 0 : return ldapsam_change_groupmem(my_methods, tmp_ctx, group_rid, member_rid, LDAP_MOD_DELETE);
6120 : }
6121 :
6122 0 : static NTSTATUS ldapsam_set_primary_group(struct pdb_methods *my_methods,
6123 : TALLOC_CTX *mem_ctx,
6124 : struct samu *sampass)
6125 : {
6126 0 : struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
6127 0 : LDAPMessage *entry = NULL;
6128 0 : LDAPMessage *result = NULL;
6129 0 : uint32_t num_result;
6130 0 : LDAPMod **mods = NULL;
6131 0 : char *filter;
6132 0 : char *escape_username;
6133 0 : char *gidstr;
6134 0 : char *dn = NULL;
6135 0 : gid_t gid;
6136 0 : int rc;
6137 :
6138 0 : DEBUG(0,("ldapsam_set_primary_group: Attempt to set primary group for user [%s]\n", pdb_get_username(sampass)));
6139 :
6140 0 : if (!sid_to_gid(pdb_get_group_sid(sampass), &gid)) {
6141 0 : DEBUG(0,("ldapsam_set_primary_group: failed to retrieve gid from user's group SID!\n"));
6142 0 : return NT_STATUS_UNSUCCESSFUL;
6143 : }
6144 0 : gidstr = talloc_asprintf(mem_ctx, "%u", (unsigned int)gid);
6145 0 : if (!gidstr) {
6146 0 : DEBUG(0,("ldapsam_set_primary_group: Out of Memory!\n"));
6147 0 : return NT_STATUS_NO_MEMORY;
6148 : }
6149 :
6150 0 : escape_username = escape_ldap_string(talloc_tos(),
6151 : pdb_get_username(sampass));
6152 0 : if (escape_username== NULL) {
6153 0 : return NT_STATUS_NO_MEMORY;
6154 : }
6155 :
6156 0 : filter = talloc_asprintf(mem_ctx,
6157 : "(&(uid=%s)"
6158 : "(objectClass="LDAP_OBJ_POSIXACCOUNT")"
6159 : "(objectClass="LDAP_OBJ_SAMBASAMACCOUNT"))",
6160 : escape_username);
6161 :
6162 0 : TALLOC_FREE(escape_username);
6163 :
6164 0 : if (filter == NULL) {
6165 0 : return NT_STATUS_NO_MEMORY;
6166 : }
6167 :
6168 0 : rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
6169 0 : if (rc != LDAP_SUCCESS) {
6170 0 : DEBUG(0,("ldapsam_set_primary_group: user search failed!\n"));
6171 0 : return NT_STATUS_UNSUCCESSFUL;
6172 : }
6173 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
6174 :
6175 0 : num_result = ldap_count_entries(priv2ld(ldap_state), result);
6176 :
6177 0 : if (num_result == 0) {
6178 0 : DEBUG(0,("ldapsam_set_primary_group: user not found!\n"));
6179 0 : return NT_STATUS_NO_SUCH_USER;
6180 : }
6181 :
6182 0 : if (num_result > 1) {
6183 0 : DEBUG (0, ("ldapsam_set_primary_group: More than one user with name [%s] ?!\n", pdb_get_username(sampass)));
6184 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
6185 : }
6186 :
6187 0 : entry = ldap_first_entry(priv2ld(ldap_state), result);
6188 0 : if (!entry) {
6189 0 : return NT_STATUS_UNSUCCESSFUL;
6190 : }
6191 :
6192 : /* retrieve the dn for later use */
6193 0 : dn = smbldap_talloc_dn(mem_ctx, priv2ld(ldap_state), entry);
6194 0 : if (!dn) {
6195 0 : DEBUG(0,("ldapsam_set_primary_group: Out of memory!\n"));
6196 0 : return NT_STATUS_NO_MEMORY;
6197 : }
6198 :
6199 : /* remove the old one, and add the new one, this way we do not risk races */
6200 0 : smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "gidNumber", gidstr);
6201 :
6202 0 : if (mods == NULL) {
6203 0 : TALLOC_FREE(dn);
6204 0 : return NT_STATUS_OK;
6205 : }
6206 :
6207 0 : rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
6208 0 : TALLOC_FREE(dn);
6209 0 : if (rc != LDAP_SUCCESS) {
6210 0 : DEBUG(0,("ldapsam_set_primary_group: failed to modify [%s] primary group to [%s]\n",
6211 : pdb_get_username(sampass), gidstr));
6212 0 : return NT_STATUS_UNSUCCESSFUL;
6213 : }
6214 :
6215 0 : flush_pwnam_cache();
6216 :
6217 0 : return NT_STATUS_OK;
6218 : }
6219 :
6220 :
6221 : /**********************************************************************
6222 : trusted domains functions
6223 : *********************************************************************/
6224 :
6225 0 : static char *trusteddom_dn(struct ldapsam_privates *ldap_state,
6226 : const char *domain)
6227 : {
6228 0 : return talloc_asprintf(talloc_tos(), "sambaDomainName=%s,%s", domain,
6229 : ldap_state->domain_dn);
6230 : }
6231 :
6232 0 : static bool get_trusteddom_pw_int(struct ldapsam_privates *ldap_state,
6233 : TALLOC_CTX *mem_ctx,
6234 : const char *domain, LDAPMessage **entry)
6235 : {
6236 0 : int rc;
6237 0 : char *filter;
6238 0 : int scope = LDAP_SCOPE_SUBTREE;
6239 0 : const char **attrs = NULL; /* NULL: get all attrs */
6240 0 : int attrsonly = 0; /* 0: return values too */
6241 0 : LDAPMessage *result = NULL;
6242 0 : char *trusted_dn;
6243 0 : uint32_t num_result;
6244 :
6245 0 : filter = talloc_asprintf(talloc_tos(),
6246 : "(&(objectClass="LDAP_OBJ_TRUSTDOM_PASSWORD")(sambaDomainName=%s))",
6247 : domain);
6248 :
6249 0 : trusted_dn = trusteddom_dn(ldap_state, domain);
6250 0 : if (trusted_dn == NULL) {
6251 0 : return False;
6252 : }
6253 0 : rc = smbldap_search(ldap_state->smbldap_state, trusted_dn, scope,
6254 : filter, attrs, attrsonly, &result);
6255 :
6256 0 : if (result != NULL) {
6257 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
6258 : }
6259 :
6260 0 : if (rc == LDAP_NO_SUCH_OBJECT) {
6261 0 : *entry = NULL;
6262 0 : return True;
6263 : }
6264 :
6265 0 : if (rc != LDAP_SUCCESS) {
6266 0 : return False;
6267 : }
6268 :
6269 0 : num_result = ldap_count_entries(priv2ld(ldap_state), result);
6270 :
6271 0 : if (num_result > 1) {
6272 0 : DEBUG(1, ("ldapsam_get_trusteddom_pw: more than one "
6273 : "%s object for domain '%s'?!\n",
6274 : LDAP_OBJ_TRUSTDOM_PASSWORD, domain));
6275 0 : return False;
6276 : }
6277 :
6278 0 : if (num_result == 0) {
6279 0 : DEBUG(1, ("ldapsam_get_trusteddom_pw: no "
6280 : "%s object for domain %s.\n",
6281 : LDAP_OBJ_TRUSTDOM_PASSWORD, domain));
6282 0 : *entry = NULL;
6283 : } else {
6284 0 : *entry = ldap_first_entry(priv2ld(ldap_state), result);
6285 : }
6286 :
6287 0 : return True;
6288 : }
6289 :
6290 0 : static bool ldapsam_get_trusteddom_pw(struct pdb_methods *methods,
6291 : const char *domain,
6292 : char** pwd,
6293 : struct dom_sid *sid,
6294 : time_t *pass_last_set_time)
6295 : {
6296 0 : struct ldapsam_privates *ldap_state =
6297 : (struct ldapsam_privates *)methods->private_data;
6298 0 : LDAPMessage *entry = NULL;
6299 :
6300 0 : DEBUG(10, ("ldapsam_get_trusteddom_pw called for domain %s\n", domain));
6301 :
6302 0 : if (!get_trusteddom_pw_int(ldap_state, talloc_tos(), domain, &entry) ||
6303 0 : (entry == NULL))
6304 : {
6305 0 : return False;
6306 : }
6307 :
6308 : /* password */
6309 0 : if (pwd != NULL) {
6310 0 : char *pwd_str;
6311 0 : pwd_str = smbldap_talloc_single_attribute(priv2ld(ldap_state),
6312 : entry, "sambaClearTextPassword", talloc_tos());
6313 0 : if (pwd_str == NULL) {
6314 0 : return False;
6315 : }
6316 : /* trusteddom_pw routines do not use talloc yet... */
6317 0 : *pwd = SMB_STRDUP(pwd_str);
6318 0 : if (*pwd == NULL) {
6319 0 : return False;
6320 : }
6321 : }
6322 :
6323 : /* last change time */
6324 0 : if (pass_last_set_time != NULL) {
6325 0 : char *time_str;
6326 0 : time_str = smbldap_talloc_single_attribute(priv2ld(ldap_state),
6327 : entry, "sambaPwdLastSet", talloc_tos());
6328 0 : if (time_str == NULL) {
6329 0 : return False;
6330 : }
6331 0 : *pass_last_set_time = (time_t)atol(time_str);
6332 : }
6333 :
6334 : /* domain sid */
6335 0 : if (sid != NULL) {
6336 0 : char *sid_str;
6337 0 : struct dom_sid dom_sid;
6338 0 : sid_str = smbldap_talloc_single_attribute(priv2ld(ldap_state),
6339 : entry, "sambaSID",
6340 : talloc_tos());
6341 0 : if (sid_str == NULL) {
6342 0 : return False;
6343 : }
6344 0 : if (!string_to_sid(&dom_sid, sid_str)) {
6345 0 : return False;
6346 : }
6347 0 : sid_copy(sid, &dom_sid);
6348 : }
6349 :
6350 0 : return True;
6351 : }
6352 :
6353 0 : static bool ldapsam_set_trusteddom_pw(struct pdb_methods *methods,
6354 : const char* domain,
6355 : const char* pwd,
6356 : const struct dom_sid *sid)
6357 : {
6358 0 : struct ldapsam_privates *ldap_state =
6359 : (struct ldapsam_privates *)methods->private_data;
6360 0 : LDAPMessage *entry = NULL;
6361 0 : LDAPMod **mods = NULL;
6362 0 : char *prev_pwd = NULL;
6363 0 : char *trusted_dn = NULL;
6364 0 : struct dom_sid_buf buf;
6365 0 : int rc;
6366 :
6367 0 : DEBUG(10, ("ldapsam_set_trusteddom_pw called for domain %s\n", domain));
6368 :
6369 : /*
6370 : * get the current entry (if there is one) in order to put the
6371 : * current password into the previous password attribute
6372 : */
6373 0 : if (!get_trusteddom_pw_int(ldap_state, talloc_tos(), domain, &entry)) {
6374 0 : return False;
6375 : }
6376 :
6377 0 : mods = NULL;
6378 0 : smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
6379 : LDAP_OBJ_TRUSTDOM_PASSWORD);
6380 0 : smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaDomainName",
6381 : domain);
6382 0 : smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaSID",
6383 0 : dom_sid_str_buf(sid, &buf));
6384 0 : smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaPwdLastSet",
6385 0 : talloc_asprintf(talloc_tos(), "%li", (long int)time(NULL)));
6386 0 : smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
6387 : "sambaClearTextPassword", pwd);
6388 :
6389 0 : if (entry != NULL) {
6390 0 : prev_pwd = smbldap_talloc_single_attribute(priv2ld(ldap_state),
6391 : entry, "sambaClearTextPassword", talloc_tos());
6392 0 : if (prev_pwd != NULL) {
6393 0 : smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
6394 : "sambaPreviousClearTextPassword",
6395 : prev_pwd);
6396 : }
6397 : }
6398 :
6399 0 : smbldap_talloc_autofree_ldapmod(talloc_tos(), mods);
6400 :
6401 0 : trusted_dn = trusteddom_dn(ldap_state, domain);
6402 0 : if (trusted_dn == NULL) {
6403 0 : return False;
6404 : }
6405 0 : if (entry == NULL) {
6406 0 : rc = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
6407 : } else {
6408 0 : rc = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
6409 : }
6410 :
6411 0 : if (rc != LDAP_SUCCESS) {
6412 0 : DEBUG(1, ("error writing trusted domain password!\n"));
6413 0 : return False;
6414 : }
6415 :
6416 0 : return True;
6417 : }
6418 :
6419 0 : static bool ldapsam_del_trusteddom_pw(struct pdb_methods *methods,
6420 : const char *domain)
6421 : {
6422 0 : int rc;
6423 0 : struct ldapsam_privates *ldap_state =
6424 : (struct ldapsam_privates *)methods->private_data;
6425 0 : LDAPMessage *entry = NULL;
6426 0 : const char *trusted_dn;
6427 :
6428 0 : if (!get_trusteddom_pw_int(ldap_state, talloc_tos(), domain, &entry)) {
6429 0 : return False;
6430 : }
6431 :
6432 0 : if (entry == NULL) {
6433 0 : DEBUG(5, ("ldapsam_del_trusteddom_pw: no such trusted domain: "
6434 : "%s\n", domain));
6435 0 : return True;
6436 : }
6437 :
6438 0 : trusted_dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state),
6439 : entry);
6440 0 : if (trusted_dn == NULL) {
6441 0 : DEBUG(0,("ldapsam_del_trusteddom_pw: Out of memory!\n"));
6442 0 : return False;
6443 : }
6444 :
6445 0 : rc = smbldap_delete(ldap_state->smbldap_state, trusted_dn);
6446 0 : if (rc != LDAP_SUCCESS) {
6447 0 : return False;
6448 : }
6449 :
6450 0 : return True;
6451 : }
6452 :
6453 0 : static NTSTATUS ldapsam_enum_trusteddoms(struct pdb_methods *methods,
6454 : TALLOC_CTX *mem_ctx,
6455 : uint32_t *num_domains,
6456 : struct trustdom_info ***domains)
6457 : {
6458 0 : int rc;
6459 0 : struct ldapsam_privates *ldap_state =
6460 : (struct ldapsam_privates *)methods->private_data;
6461 0 : const char *filter;
6462 0 : int scope = LDAP_SCOPE_SUBTREE;
6463 0 : const char *attrs[] = { "sambaDomainName", "sambaSID", NULL };
6464 0 : int attrsonly = 0; /* 0: return values too */
6465 0 : LDAPMessage *result = NULL;
6466 0 : LDAPMessage *entry = NULL;
6467 :
6468 0 : filter = "(objectClass="LDAP_OBJ_TRUSTDOM_PASSWORD")";
6469 :
6470 0 : rc = smbldap_search(ldap_state->smbldap_state,
6471 0 : ldap_state->domain_dn,
6472 : scope,
6473 : filter,
6474 : attrs,
6475 : attrsonly,
6476 : &result);
6477 :
6478 0 : if (result != NULL) {
6479 0 : smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
6480 : }
6481 :
6482 0 : if (rc != LDAP_SUCCESS) {
6483 0 : return NT_STATUS_UNSUCCESSFUL;
6484 : }
6485 :
6486 0 : *num_domains = 0;
6487 0 : if (!(*domains = talloc_array(mem_ctx, struct trustdom_info *, 1))) {
6488 0 : DEBUG(1, ("talloc failed\n"));
6489 0 : return NT_STATUS_NO_MEMORY;
6490 : }
6491 :
6492 0 : for (entry = ldap_first_entry(priv2ld(ldap_state), result);
6493 0 : entry != NULL;
6494 0 : entry = ldap_next_entry(priv2ld(ldap_state), entry))
6495 : {
6496 0 : char *dom_name, *dom_sid_str;
6497 0 : struct trustdom_info *dom_info;
6498 :
6499 0 : dom_info = talloc(*domains, struct trustdom_info);
6500 0 : if (dom_info == NULL) {
6501 0 : DEBUG(1, ("talloc failed\n"));
6502 0 : return NT_STATUS_NO_MEMORY;
6503 : }
6504 :
6505 0 : dom_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
6506 : entry,
6507 : "sambaDomainName",
6508 : talloc_tos());
6509 0 : if (dom_name == NULL) {
6510 0 : DEBUG(1, ("talloc failed\n"));
6511 0 : return NT_STATUS_NO_MEMORY;
6512 : }
6513 0 : dom_info->name = dom_name;
6514 :
6515 0 : dom_sid_str = smbldap_talloc_single_attribute(
6516 : priv2ld(ldap_state), entry, "sambaSID",
6517 : talloc_tos());
6518 0 : if (dom_sid_str == NULL) {
6519 0 : DEBUG(1, ("talloc failed\n"));
6520 0 : return NT_STATUS_NO_MEMORY;
6521 : }
6522 0 : if (!string_to_sid(&dom_info->sid, dom_sid_str)) {
6523 0 : DEBUG(1, ("Error calling string_to_sid on SID %s\n",
6524 : dom_sid_str));
6525 0 : return NT_STATUS_UNSUCCESSFUL;
6526 : }
6527 :
6528 0 : ADD_TO_ARRAY(*domains, struct trustdom_info *, dom_info,
6529 : domains, num_domains);
6530 :
6531 0 : if (*domains == NULL) {
6532 0 : DEBUG(1, ("talloc failed\n"));
6533 0 : return NT_STATUS_NO_MEMORY;
6534 : }
6535 : }
6536 :
6537 0 : DEBUG(5, ("ldapsam_enum_trusteddoms: got %d domains\n", *num_domains));
6538 0 : return NT_STATUS_OK;
6539 : }
6540 :
6541 :
6542 : /**********************************************************************
6543 : Housekeeping
6544 : *********************************************************************/
6545 :
6546 0 : static void free_private_data(void **vp)
6547 : {
6548 0 : struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
6549 :
6550 0 : smbldap_free_struct(&(*ldap_state)->smbldap_state);
6551 :
6552 0 : if ((*ldap_state)->result != NULL) {
6553 0 : ldap_msgfree((*ldap_state)->result);
6554 0 : (*ldap_state)->result = NULL;
6555 : }
6556 0 : if ((*ldap_state)->domain_dn != NULL) {
6557 0 : SAFE_FREE((*ldap_state)->domain_dn);
6558 : }
6559 :
6560 0 : *ldap_state = NULL;
6561 :
6562 : /* No need to free any further, as it is talloc()ed */
6563 0 : }
6564 :
6565 : /*********************************************************************
6566 : Initialise the parts of the pdb_methods structure that are common to
6567 : all pdb_ldap modes
6568 : *********************************************************************/
6569 :
6570 0 : static NTSTATUS pdb_init_ldapsam_common(struct pdb_methods **pdb_method, const char *location)
6571 : {
6572 0 : NTSTATUS nt_status;
6573 0 : struct ldapsam_privates *ldap_state;
6574 0 : char *bind_dn = NULL;
6575 0 : char *bind_secret = NULL;
6576 :
6577 0 : if (!NT_STATUS_IS_OK(nt_status = make_pdb_method( pdb_method ))) {
6578 0 : return nt_status;
6579 : }
6580 :
6581 0 : (*pdb_method)->name = "ldapsam";
6582 :
6583 0 : (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
6584 0 : (*pdb_method)->getsampwsid = ldapsam_getsampwsid;
6585 0 : (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
6586 0 : (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
6587 0 : (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
6588 0 : (*pdb_method)->rename_sam_account = ldapsam_rename_sam_account;
6589 :
6590 0 : (*pdb_method)->getgrsid = ldapsam_getgrsid;
6591 0 : (*pdb_method)->getgrgid = ldapsam_getgrgid;
6592 0 : (*pdb_method)->getgrnam = ldapsam_getgrnam;
6593 0 : (*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
6594 0 : (*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
6595 0 : (*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
6596 0 : (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
6597 :
6598 0 : (*pdb_method)->get_account_policy = ldapsam_get_account_policy;
6599 0 : (*pdb_method)->set_account_policy = ldapsam_set_account_policy;
6600 :
6601 0 : (*pdb_method)->get_seq_num = ldapsam_get_seq_num;
6602 :
6603 0 : (*pdb_method)->capabilities = ldapsam_capabilities;
6604 0 : (*pdb_method)->new_rid = ldapsam_new_rid;
6605 :
6606 0 : (*pdb_method)->get_trusteddom_pw = ldapsam_get_trusteddom_pw;
6607 0 : (*pdb_method)->set_trusteddom_pw = ldapsam_set_trusteddom_pw;
6608 0 : (*pdb_method)->del_trusteddom_pw = ldapsam_del_trusteddom_pw;
6609 0 : (*pdb_method)->enum_trusteddoms = ldapsam_enum_trusteddoms;
6610 :
6611 : /* TODO: Setup private data and free */
6612 :
6613 0 : if ( !(ldap_state = talloc_zero(*pdb_method, struct ldapsam_privates)) ) {
6614 0 : DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
6615 0 : return NT_STATUS_NO_MEMORY;
6616 : }
6617 :
6618 0 : if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
6619 0 : DEBUG(0, ("pdb_init_ldapsam_common: Failed to retrieve LDAP password from secrets.tdb\n"));
6620 0 : return NT_STATUS_NO_MEMORY;
6621 : }
6622 :
6623 0 : nt_status = smbldap_init(*pdb_method, pdb_get_tevent_context(),
6624 : location, false, bind_dn, bind_secret,
6625 : &ldap_state->smbldap_state);
6626 0 : BURN_FREE_STR(bind_secret);
6627 0 : SAFE_FREE(bind_dn);
6628 0 : if ( !NT_STATUS_IS_OK(nt_status) ) {
6629 0 : return nt_status;
6630 : }
6631 :
6632 0 : if ( !(ldap_state->domain_name = talloc_strdup(*pdb_method, get_global_sam_name()) ) ) {
6633 0 : return NT_STATUS_NO_MEMORY;
6634 : }
6635 :
6636 0 : (*pdb_method)->private_data = ldap_state;
6637 :
6638 0 : (*pdb_method)->free_private_data = free_private_data;
6639 :
6640 0 : return NT_STATUS_OK;
6641 : }
6642 :
6643 0 : static bool ldapsam_is_responsible_for_wellknown(struct pdb_methods *m)
6644 : {
6645 0 : return true;
6646 : }
6647 :
6648 : /**********************************************************************
6649 : Initialise the normal mode for pdb_ldap
6650 : *********************************************************************/
6651 :
6652 0 : NTSTATUS pdb_ldapsam_init_common(struct pdb_methods **pdb_method,
6653 : const char *location)
6654 : {
6655 0 : NTSTATUS nt_status;
6656 0 : struct ldapsam_privates *ldap_state = NULL;
6657 0 : uint32_t alg_rid_base;
6658 0 : char *alg_rid_base_string = NULL;
6659 0 : LDAPMessage *result = NULL;
6660 0 : LDAPMessage *entry = NULL;
6661 0 : struct dom_sid ldap_domain_sid;
6662 0 : struct dom_sid secrets_domain_sid;
6663 0 : char *domain_sid_string = NULL;
6664 0 : char *dn = NULL;
6665 0 : char *uri = talloc_strdup( NULL, location );
6666 :
6667 0 : trim_char( uri, '\"', '\"' );
6668 0 : nt_status = pdb_init_ldapsam_common(pdb_method, uri);
6669 :
6670 0 : TALLOC_FREE(uri);
6671 :
6672 0 : if (!NT_STATUS_IS_OK(nt_status)) {
6673 0 : return nt_status;
6674 : }
6675 :
6676 0 : (*pdb_method)->name = "ldapsam";
6677 :
6678 0 : (*pdb_method)->add_aliasmem = ldapsam_add_aliasmem;
6679 0 : (*pdb_method)->del_aliasmem = ldapsam_del_aliasmem;
6680 0 : (*pdb_method)->enum_aliasmem = ldapsam_enum_aliasmem;
6681 0 : (*pdb_method)->enum_alias_memberships = ldapsam_alias_memberships;
6682 0 : (*pdb_method)->search_users = ldapsam_search_users;
6683 0 : (*pdb_method)->search_groups = ldapsam_search_groups;
6684 0 : (*pdb_method)->search_aliases = ldapsam_search_aliases;
6685 0 : (*pdb_method)->is_responsible_for_wellknown =
6686 : ldapsam_is_responsible_for_wellknown;
6687 :
6688 0 : if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
6689 0 : (*pdb_method)->enum_group_members = ldapsam_enum_group_members;
6690 0 : (*pdb_method)->enum_group_memberships =
6691 : ldapsam_enum_group_memberships;
6692 0 : (*pdb_method)->lookup_rids = ldapsam_lookup_rids;
6693 0 : (*pdb_method)->sid_to_id = ldapsam_sid_to_id;
6694 0 : (*pdb_method)->id_to_sid = ldapsam_id_to_sid;
6695 :
6696 0 : if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
6697 0 : (*pdb_method)->create_user = ldapsam_create_user;
6698 0 : (*pdb_method)->delete_user = ldapsam_delete_user;
6699 0 : (*pdb_method)->create_dom_group = ldapsam_create_dom_group;
6700 0 : (*pdb_method)->delete_dom_group = ldapsam_delete_dom_group;
6701 0 : (*pdb_method)->add_groupmem = ldapsam_add_groupmem;
6702 0 : (*pdb_method)->del_groupmem = ldapsam_del_groupmem;
6703 0 : (*pdb_method)->set_unix_primary_group = ldapsam_set_primary_group;
6704 : }
6705 : }
6706 :
6707 0 : ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
6708 0 : ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
6709 :
6710 : /* Try to setup the Domain Name, Domain SID, algorithmic rid base */
6711 :
6712 0 : nt_status = smbldap_search_domain_info(ldap_state->smbldap_state,
6713 : &result,
6714 : ldap_state->domain_name, True);
6715 :
6716 0 : if ( !NT_STATUS_IS_OK(nt_status) ) {
6717 0 : DEBUG(0, ("pdb_init_ldapsam: WARNING: Could not get domain "
6718 : "info, nor add one to the domain. "
6719 : "We cannot work reliably without it.\n"));
6720 0 : return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
6721 : }
6722 :
6723 : /* Given that the above might fail, everything below this must be
6724 : * optional */
6725 :
6726 0 : entry = ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
6727 : result);
6728 0 : if (!entry) {
6729 0 : DEBUG(0, ("pdb_init_ldapsam: Could not get domain info "
6730 : "entry\n"));
6731 0 : ldap_msgfree(result);
6732 0 : return NT_STATUS_UNSUCCESSFUL;
6733 : }
6734 :
6735 0 : dn = smbldap_talloc_dn(talloc_tos(),
6736 : smbldap_get_ldap(ldap_state->smbldap_state),
6737 : entry);
6738 0 : if (!dn) {
6739 0 : ldap_msgfree(result);
6740 0 : return NT_STATUS_UNSUCCESSFUL;
6741 : }
6742 :
6743 0 : ldap_state->domain_dn = smb_xstrdup(dn);
6744 0 : TALLOC_FREE(dn);
6745 :
6746 0 : domain_sid_string = smbldap_talloc_single_attribute(
6747 : smbldap_get_ldap(ldap_state->smbldap_state),
6748 : entry,
6749 : get_userattr_key2string(ldap_state->schema_ver,
6750 : LDAP_ATTR_USER_SID),
6751 : talloc_tos());
6752 :
6753 0 : if (domain_sid_string) {
6754 0 : bool found_sid;
6755 0 : if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) {
6756 0 : DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be "
6757 : "read as a valid SID\n", domain_sid_string));
6758 0 : ldap_msgfree(result);
6759 0 : TALLOC_FREE(domain_sid_string);
6760 0 : return NT_STATUS_INVALID_PARAMETER;
6761 : }
6762 0 : found_sid = PDB_secrets_fetch_domain_sid(ldap_state->domain_name,
6763 : &secrets_domain_sid);
6764 0 : if (!found_sid || !dom_sid_equal(&secrets_domain_sid,
6765 : &ldap_domain_sid)) {
6766 0 : struct dom_sid_buf buf1, buf2;
6767 0 : DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain "
6768 : "%s based on pdb_ldap results %s -> %s\n",
6769 : ldap_state->domain_name,
6770 : dom_sid_str_buf(&secrets_domain_sid, &buf1),
6771 : dom_sid_str_buf(&ldap_domain_sid, &buf2)));
6772 :
6773 : /* reset secrets.tdb sid */
6774 0 : PDB_secrets_store_domain_sid(ldap_state->domain_name,
6775 : &ldap_domain_sid);
6776 0 : DEBUG(1, ("New global sam SID: %s\n",
6777 : dom_sid_str_buf(get_global_sam_sid(),
6778 : &buf1)));
6779 : }
6780 0 : sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
6781 0 : TALLOC_FREE(domain_sid_string);
6782 : }
6783 :
6784 0 : alg_rid_base_string = smbldap_talloc_single_attribute(
6785 : smbldap_get_ldap(ldap_state->smbldap_state),
6786 : entry,
6787 : get_attr_key2string( dominfo_attr_list,
6788 : LDAP_ATTR_ALGORITHMIC_RID_BASE ),
6789 : talloc_tos());
6790 0 : if (alg_rid_base_string) {
6791 0 : alg_rid_base = (uint32_t)atol(alg_rid_base_string);
6792 0 : if (alg_rid_base != algorithmic_rid_base()) {
6793 0 : DEBUG(0, ("The value of 'algorithmic RID base' has "
6794 : "changed since the LDAP\n"
6795 : "database was initialised. Aborting. \n"));
6796 0 : ldap_msgfree(result);
6797 0 : TALLOC_FREE(alg_rid_base_string);
6798 0 : return NT_STATUS_UNSUCCESSFUL;
6799 : }
6800 0 : TALLOC_FREE(alg_rid_base_string);
6801 : }
6802 0 : ldap_msgfree(result);
6803 :
6804 0 : return NT_STATUS_OK;
6805 : }
6806 :
6807 1674 : NTSTATUS pdb_ldapsam_init(TALLOC_CTX *ctx)
6808 : {
6809 16 : NTSTATUS nt_status;
6810 :
6811 1674 : nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION,
6812 : "ldapsam",
6813 : pdb_ldapsam_init_common);
6814 1674 : if (!NT_STATUS_IS_OK(nt_status)) {
6815 0 : return nt_status;
6816 : }
6817 :
6818 : /* Let pdb_nds register backends */
6819 1674 : pdb_nds_init(ctx);
6820 :
6821 1674 : return NT_STATUS_OK;
6822 : }
|
