2
Unix SMB/CIFS implementation.
3
Password and authentication handling
4
Copyright (C) Andrew Bartlett 2002
5
Copyright (C) Jelmer Vernooij 2002
6
Copyright (C) Simo Sorce 2003
7
Copyright (C) Volker Lendecke 2006
9
This program is free software; you can redistribute it and/or modify
10
it under the terms of the GNU General Public License as published by
11
the Free Software Foundation; either version 3 of the License, or
12
(at your option) any later version.
14
This program is distributed in the hope that it will be useful,
15
but WITHOUT ANY WARRANTY; without even the implied warranty of
16
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
GNU General Public License for more details.
19
You should have received a copy of the GNU General Public License
20
along with this program. If not, see <http://www.gnu.org/licenses/>.
24
#include "system/passwd.h"
27
#include "../librpc/gen_ndr/samr.h"
29
#include "nsswitch/winbind_client.h"
30
#include "../libcli/security/security.h"
31
#include "../lib/util/util_pw.h"
34
#define DBGC_CLASS DBGC_PASSDB
38
static struct pdb_init_function_entry *backends = NULL;
40
static void lazy_initialize_passdb(void)
42
static bool initialized = False;
50
static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
52
enum lsa_SidType *psid_name_use,
53
union unid_t *unix_id);
55
NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init)
57
struct pdb_init_function_entry *entry = backends;
59
if(version != PASSDB_INTERFACE_VERSION) {
60
DEBUG(0,("Can't register passdb backend!\n"
61
"You tried to register a passdb module with PASSDB_INTERFACE_VERSION %d, "
62
"while this version of samba uses version %d\n",
63
version,PASSDB_INTERFACE_VERSION));
64
return NT_STATUS_OBJECT_TYPE_MISMATCH;
68
return NT_STATUS_INVALID_PARAMETER;
71
DEBUG(5,("Attempting to register passdb backend %s\n", name));
73
/* Check for duplicates */
74
if (pdb_find_backend_entry(name)) {
75
DEBUG(0,("There already is a passdb backend registered with the name %s!\n", name));
76
return NT_STATUS_OBJECT_NAME_COLLISION;
79
entry = SMB_XMALLOC_P(struct pdb_init_function_entry);
80
entry->name = smb_xstrdup(name);
83
DLIST_ADD(backends, entry);
84
DEBUG(5,("Successfully added passdb backend '%s'\n", name));
88
struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
90
struct pdb_init_function_entry *entry = backends;
93
if (strcmp(entry->name, name)==0) return entry;
101
* The event context for the passdb backend. I know this is a bad hack and yet
102
* another static variable, but our pdb API is a global thing per
103
* definition. The first use for this is the LDAP idle function, more might be
106
* I don't feel too bad about this static variable, it replaces the
107
* smb_idle_event_list that used to exist in lib/module.c. -- VL
110
static struct event_context *pdb_event_ctx;
112
struct event_context *pdb_get_event_context(void)
114
return pdb_event_ctx;
117
/******************************************************************
118
Make a pdb_methods from scratch
119
*******************************************************************/
121
NTSTATUS make_pdb_method_name(struct pdb_methods **methods, const char *selected)
123
char *module_name = smb_xstrdup(selected);
124
char *module_location = NULL, *p;
125
struct pdb_init_function_entry *entry;
126
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
128
lazy_initialize_passdb();
130
p = strchr(module_name, ':');
134
module_location = p+1;
135
trim_char(module_location, ' ', ' ');
138
trim_char(module_name, ' ', ' ');
141
DEBUG(5,("Attempting to find a passdb backend to match %s (%s)\n", selected, module_name));
143
entry = pdb_find_backend_entry(module_name);
145
/* Try to find a module that contains this module */
147
DEBUG(2,("No builtin backend found, trying to load plugin\n"));
148
if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) {
149
DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name));
150
SAFE_FREE(module_name);
151
return NT_STATUS_UNSUCCESSFUL;
155
/* No such backend found */
157
DEBUG(0,("No builtin nor plugin backend for %s found\n", module_name));
158
SAFE_FREE(module_name);
159
return NT_STATUS_INVALID_PARAMETER;
162
DEBUG(5,("Found pdb backend %s\n", module_name));
164
if ( !NT_STATUS_IS_OK( nt_status = entry->init(methods, module_location) ) ) {
165
DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n",
166
selected, nt_errstr(nt_status)));
167
SAFE_FREE(module_name);
171
SAFE_FREE(module_name);
173
DEBUG(5,("pdb backend %s has a valid init\n", selected));
178
/******************************************************************
179
Return an already initialized pdb_methods structure
180
*******************************************************************/
182
static struct pdb_methods *pdb_get_methods_reload( bool reload )
184
static struct pdb_methods *pdb = NULL;
186
if ( pdb && reload ) {
187
pdb->free_private_data( &(pdb->private_data) );
188
if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
190
if (asprintf(&msg, "pdb_get_methods_reload: "
191
"failed to get pdb methods for backend %s\n",
192
lp_passdb_backend()) > 0) {
195
smb_panic("pdb_get_methods_reload");
201
if ( !NT_STATUS_IS_OK( make_pdb_method_name( &pdb, lp_passdb_backend() ) ) ) {
203
if (asprintf(&msg, "pdb_get_methods_reload: "
204
"failed to get pdb methods for backend %s\n",
205
lp_passdb_backend()) > 0) {
208
smb_panic("pdb_get_methods_reload");
216
static struct pdb_methods *pdb_get_methods(void)
218
return pdb_get_methods_reload(False);
221
struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX *mem_ctx)
223
struct pdb_methods *pdb = pdb_get_methods();
224
return pdb->get_domain_info(pdb, mem_ctx);
228
* @brief Check if the user account has been locked out and try to unlock it.
230
* If the user has been automatically locked out and a lockout duration is set,
231
* then check if we can unlock the account and reset the bad password values.
233
* @param[in] sampass The sam user to check.
235
* @return True if the function was successfull, false on an error.
237
static bool pdb_try_account_unlock(struct samu *sampass)
239
uint32_t acb_info = pdb_get_acct_ctrl(sampass);
241
if ((acb_info & ACB_NORMAL) && (acb_info & ACB_AUTOLOCK)) {
242
uint32_t lockout_duration;
243
time_t bad_password_time;
244
time_t now = time(NULL);
247
ok = pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION,
250
DEBUG(0, ("pdb_try_account_unlock: "
251
"pdb_get_account_policy failed.\n"));
255
if (lockout_duration == (uint32_t) -1 ||
256
lockout_duration == 0) {
257
DEBUG(9, ("pdb_try_account_unlock: No reset duration, "
258
"can't reset autolock\n"));
261
lockout_duration *= 60;
263
bad_password_time = pdb_get_bad_password_time(sampass);
264
if (bad_password_time == (time_t) 0) {
265
DEBUG(2, ("pdb_try_account_unlock: Account %s "
266
"administratively locked out "
267
"with no bad password "
268
"time. Leaving locked out.\n",
269
pdb_get_username(sampass)));
273
if ((bad_password_time +
274
convert_uint32_t_to_time_t(lockout_duration)) < now) {
277
pdb_set_acct_ctrl(sampass, acb_info & ~ACB_AUTOLOCK,
279
pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
280
pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
283
status = pdb_update_sam_account(sampass);
285
if (!NT_STATUS_IS_OK(status)) {
286
DEBUG(0, ("_samr_OpenUser: Couldn't "
287
"update account %s - %s\n",
288
pdb_get_username(sampass),
299
* @brief Get a sam user structure by the given username.
301
* This functions also checks if the account has been automatically locked out
302
* and unlocks it if a lockout duration time has been defined and the time has
305
* @param[in] sam_acct The sam user structure to fill.
307
* @param[in] username The username to look for.
309
* @return True on success, false on error.
311
bool pdb_getsampwnam(struct samu *sam_acct, const char *username)
313
struct pdb_methods *pdb = pdb_get_methods();
314
struct samu *for_cache;
315
const struct dom_sid *user_sid;
319
status = pdb->getsampwnam(pdb, sam_acct, username);
320
if (!NT_STATUS_IS_OK(status)) {
324
ok = pdb_try_account_unlock(sam_acct);
326
DEBUG(1, ("pdb_getsampwnam: Failed to unlock account %s\n",
330
for_cache = samu_new(NULL);
331
if (for_cache == NULL) {
335
if (!pdb_copy_sam_account(for_cache, sam_acct)) {
336
TALLOC_FREE(for_cache);
340
user_sid = pdb_get_user_sid(for_cache);
342
memcache_add_talloc(NULL, PDB_GETPWSID_CACHE,
343
data_blob_const(user_sid, sizeof(*user_sid)),
349
/**********************************************************************
350
**********************************************************************/
352
static bool guest_user_info( struct samu *user )
356
const char *guestname = lp_guestaccount();
358
pwd = Get_Pwnam_alloc(talloc_tos(), guestname);
360
DEBUG(0,("guest_user_info: Unable to locate guest account [%s]!\n",
365
result = samu_set_unix(user, pwd );
369
return NT_STATUS_IS_OK( result );
373
* @brief Get a sam user structure by the given username.
375
* This functions also checks if the account has been automatically locked out
376
* and unlocks it if a lockout duration time has been defined and the time has
380
* @param[in] sam_acct The sam user structure to fill.
382
* @param[in] sid The user SDI to look up.
384
* @return True on success, false on error.
386
bool pdb_getsampwsid(struct samu *sam_acct, const struct dom_sid *sid)
388
struct pdb_methods *pdb = pdb_get_methods();
393
/* hard code the Guest RID of 501 */
395
if ( !sid_peek_check_rid( get_global_sam_sid(), sid, &rid ) )
398
if ( rid == DOMAIN_RID_GUEST ) {
399
DEBUG(6,("pdb_getsampwsid: Building guest account\n"));
400
return guest_user_info( sam_acct );
403
/* check the cache first */
405
cache_data = memcache_lookup_talloc(
406
NULL, PDB_GETPWSID_CACHE, data_blob_const(sid, sizeof(*sid)));
408
if (cache_data != NULL) {
409
struct samu *cache_copy = talloc_get_type_abort(
410
cache_data, struct samu);
412
ok = pdb_copy_sam_account(sam_acct, cache_copy);
414
ok = NT_STATUS_IS_OK(pdb->getsampwsid(pdb, sam_acct, sid));
421
ok = pdb_try_account_unlock(sam_acct);
423
DEBUG(1, ("pdb_getsampwsid: Failed to unlock account %s\n",
424
sam_acct->username));
430
static NTSTATUS pdb_default_create_user(struct pdb_methods *methods,
431
TALLOC_CTX *tmp_ctx, const char *name,
432
uint32_t acb_info, uint32_t *rid)
434
struct samu *sam_pass;
438
if ((sam_pass = samu_new(tmp_ctx)) == NULL) {
439
return NT_STATUS_NO_MEMORY;
442
if ( !(pwd = Get_Pwnam_alloc(tmp_ctx, name)) ) {
443
char *add_script = NULL;
447
if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] != '$') {
448
add_script = talloc_strdup(tmp_ctx,
449
lp_adduser_script());
451
add_script = talloc_strdup(tmp_ctx,
452
lp_addmachine_script());
455
if (!add_script || add_script[0] == '\0') {
456
DEBUG(3, ("Could not find user %s and no add script "
458
return NT_STATUS_NO_SUCH_USER;
461
/* lowercase the username before creating the Unix account for
462
compatibility with previous Samba releases */
463
fstrcpy( name2, name );
465
add_script = talloc_all_string_sub(tmp_ctx,
470
return NT_STATUS_NO_MEMORY;
472
add_ret = smbrun(add_script,NULL);
473
DEBUG(add_ret ? 0 : 3, ("_samr_create_user: Running the command `%s' gave %d\n",
474
add_script, add_ret));
476
smb_nscd_flush_user_cache();
481
pwd = Get_Pwnam_alloc(tmp_ctx, name);
484
DEBUG(3, ("Could not find user %s, add script did not work\n", name));
485
return NT_STATUS_NO_SUCH_USER;
489
/* we have a valid SID coming out of this call */
491
status = samu_alloc_rid_unix( sam_pass, pwd );
495
if (!NT_STATUS_IS_OK(status)) {
496
DEBUG(3, ("pdb_default_create_user: failed to create a new user structure: %s\n", nt_errstr(status)));
500
if (!sid_peek_check_rid(get_global_sam_sid(),
501
pdb_get_user_sid(sam_pass), rid)) {
502
DEBUG(0, ("Could not get RID of fresh user\n"));
503
return NT_STATUS_INTERNAL_ERROR;
506
/* Use the username case specified in the original request */
508
pdb_set_username( sam_pass, name, PDB_SET );
510
/* Disable the account on creation, it does not have a reasonable password yet. */
512
acb_info |= ACB_DISABLED;
514
pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
516
status = pdb_add_sam_account(sam_pass);
518
TALLOC_FREE(sam_pass);
523
NTSTATUS pdb_create_user(TALLOC_CTX *mem_ctx, const char *name, uint32_t flags,
526
struct pdb_methods *pdb = pdb_get_methods();
527
return pdb->create_user(pdb, mem_ctx, name, flags, rid);
530
/****************************************************************************
531
Delete a UNIX user on demand.
532
****************************************************************************/
534
static int smb_delete_user(const char *unix_user)
536
char *del_script = NULL;
541
if ( strequal( unix_user, "root" ) ) {
542
DEBUG(0,("smb_delete_user: Refusing to delete local system root account!\n"));
546
del_script = talloc_strdup(talloc_tos(), lp_deluser_script());
547
if (!del_script || !*del_script) {
550
del_script = talloc_all_string_sub(talloc_tos(),
557
ret = smbrun(del_script,NULL);
560
smb_nscd_flush_user_cache();
562
DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
567
static NTSTATUS pdb_default_delete_user(struct pdb_methods *methods,
569
struct samu *sam_acct)
574
status = pdb_delete_sam_account(sam_acct);
575
if (!NT_STATUS_IS_OK(status)) {
580
* Now delete the unix side ....
581
* note: we don't check if the delete really happened as the script is
582
* not necessary present and maybe the sysadmin doesn't want to delete
586
/* always lower case the username before handing it off to
589
fstrcpy( username, pdb_get_username(sam_acct) );
590
strlower_m( username );
592
smb_delete_user( username );
597
NTSTATUS pdb_delete_user(TALLOC_CTX *mem_ctx, struct samu *sam_acct)
599
struct pdb_methods *pdb = pdb_get_methods();
602
/* sanity check to make sure we don't delete root */
604
if ( !sid_to_uid( pdb_get_user_sid(sam_acct), &uid ) ) {
605
return NT_STATUS_NO_SUCH_USER;
609
return NT_STATUS_ACCESS_DENIED;
612
return pdb->delete_user(pdb, mem_ctx, sam_acct);
615
NTSTATUS pdb_add_sam_account(struct samu *sam_acct)
617
struct pdb_methods *pdb = pdb_get_methods();
618
return pdb->add_sam_account(pdb, sam_acct);
621
NTSTATUS pdb_update_sam_account(struct samu *sam_acct)
623
struct pdb_methods *pdb = pdb_get_methods();
625
memcache_flush(NULL, PDB_GETPWSID_CACHE);
627
return pdb->update_sam_account(pdb, sam_acct);
630
NTSTATUS pdb_delete_sam_account(struct samu *sam_acct)
632
struct pdb_methods *pdb = pdb_get_methods();
634
memcache_flush(NULL, PDB_GETPWSID_CACHE);
636
return pdb->delete_sam_account(pdb, sam_acct);
639
NTSTATUS pdb_rename_sam_account(struct samu *oldname, const char *newname)
641
struct pdb_methods *pdb = pdb_get_methods();
645
memcache_flush(NULL, PDB_GETPWSID_CACHE);
647
/* sanity check to make sure we don't rename root */
649
if ( !sid_to_uid( pdb_get_user_sid(oldname), &uid ) ) {
650
return NT_STATUS_NO_SUCH_USER;
654
return NT_STATUS_ACCESS_DENIED;
657
status = pdb->rename_sam_account(pdb, oldname, newname);
659
/* always flush the cache here just to be safe */
665
NTSTATUS pdb_update_login_attempts(struct samu *sam_acct, bool success)
667
struct pdb_methods *pdb = pdb_get_methods();
668
return pdb->update_login_attempts(pdb, sam_acct, success);
671
bool pdb_getgrsid(GROUP_MAP *map, struct dom_sid sid)
673
struct pdb_methods *pdb = pdb_get_methods();
674
return NT_STATUS_IS_OK(pdb->getgrsid(pdb, map, sid));
677
bool pdb_getgrgid(GROUP_MAP *map, gid_t gid)
679
struct pdb_methods *pdb = pdb_get_methods();
680
return NT_STATUS_IS_OK(pdb->getgrgid(pdb, map, gid));
683
bool pdb_getgrnam(GROUP_MAP *map, const char *name)
685
struct pdb_methods *pdb = pdb_get_methods();
686
return NT_STATUS_IS_OK(pdb->getgrnam(pdb, map, name));
689
static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods,
694
struct dom_sid group_sid;
698
grp = getgrnam(name);
703
if (smb_create_group(name, &gid) != 0) {
704
return NT_STATUS_ACCESS_DENIED;
711
return NT_STATUS_ACCESS_DENIED;
714
if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
715
if (!pdb_new_rid(rid)) {
716
return NT_STATUS_ACCESS_DENIED;
719
*rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
722
sid_compose(&group_sid, get_global_sam_sid(), *rid);
724
return add_initial_entry(grp->gr_gid, sid_to_fstring(tmp, &group_sid),
725
SID_NAME_DOM_GRP, name, NULL);
728
NTSTATUS pdb_create_dom_group(TALLOC_CTX *mem_ctx, const char *name,
731
struct pdb_methods *pdb = pdb_get_methods();
732
return pdb->create_dom_group(pdb, mem_ctx, name, rid);
735
static NTSTATUS pdb_default_delete_dom_group(struct pdb_methods *methods,
739
struct dom_sid group_sid;
743
const char *grp_name;
746
map.gid = (gid_t) -1;
748
sid_compose(&group_sid, get_global_sam_sid(), rid);
750
if (!get_domain_group_from_sid(group_sid, &map)) {
751
DEBUG(10, ("Could not find group for rid %d\n", rid));
752
return NT_STATUS_NO_SUCH_GROUP;
755
/* We need the group name for the smb_delete_group later on */
757
if (map.gid == (gid_t)-1) {
758
return NT_STATUS_NO_SUCH_GROUP;
761
grp = getgrgid(map.gid);
763
return NT_STATUS_NO_SUCH_GROUP;
766
/* Copy the name, no idea what pdb_delete_group_mapping_entry does.. */
768
grp_name = talloc_strdup(mem_ctx, grp->gr_name);
769
if (grp_name == NULL) {
770
return NT_STATUS_NO_MEMORY;
773
status = pdb_delete_group_mapping_entry(group_sid);
775
if (!NT_STATUS_IS_OK(status)) {
779
/* Don't check the result of smb_delete_group */
781
smb_delete_group(grp_name);
786
NTSTATUS pdb_delete_dom_group(TALLOC_CTX *mem_ctx, uint32_t rid)
788
struct pdb_methods *pdb = pdb_get_methods();
789
return pdb->delete_dom_group(pdb, mem_ctx, rid);
792
NTSTATUS pdb_add_group_mapping_entry(GROUP_MAP *map)
794
struct pdb_methods *pdb = pdb_get_methods();
795
return pdb->add_group_mapping_entry(pdb, map);
798
NTSTATUS pdb_update_group_mapping_entry(GROUP_MAP *map)
800
struct pdb_methods *pdb = pdb_get_methods();
801
return pdb->update_group_mapping_entry(pdb, map);
804
NTSTATUS pdb_delete_group_mapping_entry(struct dom_sid sid)
806
struct pdb_methods *pdb = pdb_get_methods();
807
return pdb->delete_group_mapping_entry(pdb, sid);
810
bool pdb_enum_group_mapping(const struct dom_sid *sid, enum lsa_SidType sid_name_use, GROUP_MAP **pp_rmap,
811
size_t *p_num_entries, bool unix_only)
813
struct pdb_methods *pdb = pdb_get_methods();
814
return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
815
pp_rmap, p_num_entries, unix_only));
818
NTSTATUS pdb_enum_group_members(TALLOC_CTX *mem_ctx,
819
const struct dom_sid *sid,
820
uint32_t **pp_member_rids,
821
size_t *p_num_members)
823
struct pdb_methods *pdb = pdb_get_methods();
826
result = pdb->enum_group_members(pdb, mem_ctx,
827
sid, pp_member_rids, p_num_members);
829
/* special check for rid 513 */
831
if ( !NT_STATUS_IS_OK( result ) ) {
834
sid_peek_rid( sid, &rid );
836
if ( rid == DOMAIN_RID_USERS ) {
838
*pp_member_rids = NULL;
847
NTSTATUS pdb_enum_group_memberships(TALLOC_CTX *mem_ctx, struct samu *user,
848
struct dom_sid **pp_sids, gid_t **pp_gids,
849
uint32_t *p_num_groups)
851
struct pdb_methods *pdb = pdb_get_methods();
852
return pdb->enum_group_memberships(
854
pp_sids, pp_gids, p_num_groups);
857
static NTSTATUS pdb_default_set_unix_primary_group(struct pdb_methods *methods,
859
struct samu *sampass)
864
if (!sid_to_gid(pdb_get_group_sid(sampass), &gid) ||
865
(grp = getgrgid(gid)) == NULL) {
866
return NT_STATUS_INVALID_PRIMARY_GROUP;
869
if (smb_set_primary_group(grp->gr_name,
870
pdb_get_username(sampass)) != 0) {
871
return NT_STATUS_ACCESS_DENIED;
877
NTSTATUS pdb_set_unix_primary_group(TALLOC_CTX *mem_ctx, struct samu *user)
879
struct pdb_methods *pdb = pdb_get_methods();
880
return pdb->set_unix_primary_group(pdb, mem_ctx, user);
884
* Helper function to see whether a user is in a group. We can't use
885
* user_in_group_sid here because this creates dependencies only smbd can
889
static bool pdb_user_in_group(TALLOC_CTX *mem_ctx, struct samu *account,
890
const struct dom_sid *group_sid)
892
struct dom_sid *sids;
894
uint32_t i, num_groups;
896
if (!NT_STATUS_IS_OK(pdb_enum_group_memberships(mem_ctx, account,
902
for (i=0; i<num_groups; i++) {
903
if (dom_sid_equal(group_sid, &sids[i])) {
910
static NTSTATUS pdb_default_add_groupmem(struct pdb_methods *methods,
915
struct dom_sid group_sid, member_sid;
916
struct samu *account = NULL;
920
const char *group_name;
924
map.gid = (gid_t) -1;
926
sid_compose(&group_sid, get_global_sam_sid(), group_rid);
927
sid_compose(&member_sid, get_global_sam_sid(), member_rid);
929
if (!get_domain_group_from_sid(group_sid, &map) ||
930
(map.gid == (gid_t)-1) ||
931
((grp = getgrgid(map.gid)) == NULL)) {
932
return NT_STATUS_NO_SUCH_GROUP;
935
group_name = talloc_strdup(mem_ctx, grp->gr_name);
936
if (group_name == NULL) {
937
return NT_STATUS_NO_MEMORY;
940
if ( !(account = samu_new( NULL )) ) {
941
return NT_STATUS_NO_MEMORY;
944
if (!pdb_getsampwsid(account, &member_sid) ||
945
!sid_to_uid(&member_sid, &uid) ||
946
((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
947
return NT_STATUS_NO_SUCH_USER;
950
if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
951
return NT_STATUS_MEMBER_IN_GROUP;
955
* ok, the group exist, the user exist, the user is not in the group,
956
* we can (finally) add it to the group !
959
smb_add_user_group(group_name, pwd->pw_name);
961
if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
962
return NT_STATUS_ACCESS_DENIED;
968
NTSTATUS pdb_add_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
971
struct pdb_methods *pdb = pdb_get_methods();
972
return pdb->add_groupmem(pdb, mem_ctx, group_rid, member_rid);
975
static NTSTATUS pdb_default_del_groupmem(struct pdb_methods *methods,
980
struct dom_sid group_sid, member_sid;
981
struct samu *account = NULL;
985
const char *group_name;
988
sid_compose(&group_sid, get_global_sam_sid(), group_rid);
989
sid_compose(&member_sid, get_global_sam_sid(), member_rid);
991
if (!get_domain_group_from_sid(group_sid, &map) ||
992
(map.gid == (gid_t)-1) ||
993
((grp = getgrgid(map.gid)) == NULL)) {
994
return NT_STATUS_NO_SUCH_GROUP;
997
group_name = talloc_strdup(mem_ctx, grp->gr_name);
998
if (group_name == NULL) {
999
return NT_STATUS_NO_MEMORY;
1002
if ( !(account = samu_new( NULL )) ) {
1003
return NT_STATUS_NO_MEMORY;
1006
if (!pdb_getsampwsid(account, &member_sid) ||
1007
!sid_to_uid(&member_sid, &uid) ||
1008
((pwd = getpwuid_alloc(mem_ctx, uid)) == NULL)) {
1009
return NT_STATUS_NO_SUCH_USER;
1012
if (!pdb_user_in_group(mem_ctx, account, &group_sid)) {
1013
return NT_STATUS_MEMBER_NOT_IN_GROUP;
1017
* ok, the group exist, the user exist, the user is in the group,
1018
* we can (finally) delete it from the group!
1021
smb_delete_user_group(group_name, pwd->pw_name);
1023
if (pdb_user_in_group(mem_ctx, account, &group_sid)) {
1024
return NT_STATUS_ACCESS_DENIED;
1027
return NT_STATUS_OK;
1030
NTSTATUS pdb_del_groupmem(TALLOC_CTX *mem_ctx, uint32_t group_rid,
1031
uint32_t member_rid)
1033
struct pdb_methods *pdb = pdb_get_methods();
1034
return pdb->del_groupmem(pdb, mem_ctx, group_rid, member_rid);
1037
NTSTATUS pdb_create_alias(const char *name, uint32_t *rid)
1039
struct pdb_methods *pdb = pdb_get_methods();
1040
return pdb->create_alias(pdb, name, rid);
1043
NTSTATUS pdb_delete_alias(const struct dom_sid *sid)
1045
struct pdb_methods *pdb = pdb_get_methods();
1046
return pdb->delete_alias(pdb, sid);
1049
NTSTATUS pdb_get_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1051
struct pdb_methods *pdb = pdb_get_methods();
1052
return pdb->get_aliasinfo(pdb, sid, info);
1055
NTSTATUS pdb_set_aliasinfo(const struct dom_sid *sid, struct acct_info *info)
1057
struct pdb_methods *pdb = pdb_get_methods();
1058
return pdb->set_aliasinfo(pdb, sid, info);
1061
NTSTATUS pdb_add_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1063
struct pdb_methods *pdb = pdb_get_methods();
1064
return pdb->add_aliasmem(pdb, alias, member);
1067
NTSTATUS pdb_del_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
1069
struct pdb_methods *pdb = pdb_get_methods();
1070
return pdb->del_aliasmem(pdb, alias, member);
1073
NTSTATUS pdb_enum_aliasmem(const struct dom_sid *alias, TALLOC_CTX *mem_ctx,
1074
struct dom_sid **pp_members, size_t *p_num_members)
1076
struct pdb_methods *pdb = pdb_get_methods();
1077
return pdb->enum_aliasmem(pdb, alias, mem_ctx, pp_members,
1081
NTSTATUS pdb_enum_alias_memberships(TALLOC_CTX *mem_ctx,
1082
const struct dom_sid *domain_sid,
1083
const struct dom_sid *members, size_t num_members,
1084
uint32_t **pp_alias_rids,
1085
size_t *p_num_alias_rids)
1087
struct pdb_methods *pdb = pdb_get_methods();
1088
return pdb->enum_alias_memberships(pdb, mem_ctx,
1090
members, num_members,
1095
NTSTATUS pdb_lookup_rids(const struct dom_sid *domain_sid,
1099
enum lsa_SidType *attrs)
1101
struct pdb_methods *pdb = pdb_get_methods();
1102
return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs);
1106
* NOTE: pdb_lookup_names is currently (2007-01-12) not used anywhere
1107
* in the samba code.
1108
* Unlike _lsa_lookup_sids and _samr_lookup_rids, which eventually
1109
* also ask pdb_lookup_rids, thus looking up a bunch of rids at a time,
1110
* the pdb_ calls _lsa_lookup_names and _samr_lookup_names come
1111
* down to are pdb_getsampwnam and pdb_getgrnam instead of
1113
* But in principle, it the call belongs to the API and might get
1114
* used in this context some day.
1117
NTSTATUS pdb_lookup_names(const struct dom_sid *domain_sid,
1121
enum lsa_SidType *attrs)
1123
struct pdb_methods *pdb = pdb_get_methods();
1124
return pdb->lookup_names(pdb, domain_sid, num_names, names, rids, attrs);
1128
bool pdb_get_account_policy(enum pdb_policy_type type, uint32_t *value)
1130
struct pdb_methods *pdb = pdb_get_methods();
1134
status = pdb->get_account_policy(pdb, type, value);
1137
return NT_STATUS_IS_OK(status);
1140
bool pdb_set_account_policy(enum pdb_policy_type type, uint32_t value)
1142
struct pdb_methods *pdb = pdb_get_methods();
1146
status = pdb->set_account_policy(pdb, type, value);
1149
return NT_STATUS_IS_OK(status);
1152
bool pdb_get_seq_num(time_t *seq_num)
1154
struct pdb_methods *pdb = pdb_get_methods();
1155
return NT_STATUS_IS_OK(pdb->get_seq_num(pdb, seq_num));
1158
bool pdb_uid_to_sid(uid_t uid, struct dom_sid *sid)
1160
struct pdb_methods *pdb = pdb_get_methods();
1161
return pdb->uid_to_sid(pdb, uid, sid);
1164
bool pdb_gid_to_sid(gid_t gid, struct dom_sid *sid)
1166
struct pdb_methods *pdb = pdb_get_methods();
1167
return pdb->gid_to_sid(pdb, gid, sid);
1170
bool pdb_sid_to_id(const struct dom_sid *sid, union unid_t *id,
1171
enum lsa_SidType *type)
1173
struct pdb_methods *pdb = pdb_get_methods();
1174
return pdb->sid_to_id(pdb, sid, id, type);
1177
uint32_t pdb_capabilities(void)
1179
struct pdb_methods *pdb = pdb_get_methods();
1180
return pdb->capabilities(pdb);
1183
/********************************************************************
1184
Allocate a new RID from the passdb backend. Verify that it is free
1185
by calling lookup_global_sam_rid() to verify that the RID is not
1186
in use. This handles servers that have existing users or groups
1187
with add RIDs (assigned from previous algorithmic mappings)
1188
********************************************************************/
1190
bool pdb_new_rid(uint32_t *rid)
1192
struct pdb_methods *pdb = pdb_get_methods();
1193
const char *name = NULL;
1194
enum lsa_SidType type;
1195
uint32_t allocated_rid = 0;
1199
if ((pdb_capabilities() & PDB_CAP_STORE_RIDS) == 0) {
1200
DEBUG(0, ("Trying to allocate a RID when algorithmic RIDs "
1205
if (algorithmic_rid_base() != BASE_RID) {
1206
DEBUG(0, ("'algorithmic rid base' is set but a passdb backend "
1207
"without algorithmic RIDs is chosen.\n"));
1208
DEBUGADD(0, ("Please map all used groups using 'net groupmap "
1209
"add', set the maximum used RID\n"));
1210
DEBUGADD(0, ("and remove the parameter\n"));
1214
if ( (ctx = talloc_init("pdb_new_rid")) == NULL ) {
1215
DEBUG(0,("pdb_new_rid: Talloc initialization failure\n"));
1219
/* Attempt to get an unused RID (max tires is 250...yes that it is
1220
and arbitrary number I pulkled out of my head). -- jerry */
1222
for ( i=0; allocated_rid==0 && i<250; i++ ) {
1225
if ( !pdb->new_rid(pdb, &allocated_rid) ) {
1229
/* validate that the RID is not in use */
1231
if ( lookup_global_sam_rid( ctx, allocated_rid, &name, &type, NULL ) ) {
1238
if ( allocated_rid == 0 ) {
1239
DEBUG(0,("pdb_new_rid: Failed to find unused RID\n"));
1243
*rid = allocated_rid;
1248
/***************************************************************
1249
Initialize the static context (at smbd startup etc).
1251
If uninitialised, context will auto-init on first use.
1252
***************************************************************/
1254
bool initialize_password_db(bool reload, struct event_context *event_ctx)
1256
pdb_event_ctx = event_ctx;
1257
return (pdb_get_methods_reload(reload) != NULL);
1261
/***************************************************************************
1262
Default implementations of some functions.
1263
****************************************************************************/
1265
static NTSTATUS pdb_default_getsampwnam (struct pdb_methods *methods, struct samu *user, const char *sname)
1267
return NT_STATUS_NO_SUCH_USER;
1270
static NTSTATUS pdb_default_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const struct dom_sid *sid)
1272
return NT_STATUS_NO_SUCH_USER;
1275
static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1277
return NT_STATUS_NOT_IMPLEMENTED;
1280
static NTSTATUS pdb_default_update_sam_account (struct pdb_methods *methods, struct samu *newpwd)
1282
return NT_STATUS_NOT_IMPLEMENTED;
1285
static NTSTATUS pdb_default_delete_sam_account (struct pdb_methods *methods, struct samu *pwd)
1287
return NT_STATUS_NOT_IMPLEMENTED;
1290
static NTSTATUS pdb_default_rename_sam_account (struct pdb_methods *methods, struct samu *pwd, const char *newname)
1292
return NT_STATUS_NOT_IMPLEMENTED;
1295
static NTSTATUS pdb_default_update_login_attempts (struct pdb_methods *methods, struct samu *newpwd, bool success)
1297
/* Only the pdb_nds backend implements this, by
1298
* default just return ok. */
1299
return NT_STATUS_OK;
1302
static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t *value)
1304
return account_policy_get(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1307
static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, enum pdb_policy_type type, uint32_t value)
1309
return account_policy_set(type, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1312
static NTSTATUS pdb_default_get_seq_num(struct pdb_methods *methods, time_t *seq_num)
1314
*seq_num = time(NULL);
1315
return NT_STATUS_OK;
1318
static bool pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid,
1319
struct dom_sid *sid)
1321
struct samu *sampw = NULL;
1322
struct passwd *unix_pw;
1325
unix_pw = sys_getpwuid( uid );
1328
DEBUG(4,("pdb_default_uid_to_sid: host has no idea of uid "
1329
"%lu\n", (unsigned long)uid));
1333
if ( !(sampw = samu_new( NULL )) ) {
1334
DEBUG(0,("pdb_default_uid_to_sid: samu_new() failed!\n"));
1339
ret = NT_STATUS_IS_OK(
1340
methods->getsampwnam(methods, sampw, unix_pw->pw_name ));
1344
DEBUG(5, ("pdb_default_uid_to_sid: Did not find user "
1345
"%s (%u)\n", unix_pw->pw_name, (unsigned int)uid));
1350
sid_copy(sid, pdb_get_user_sid(sampw));
1357
static bool pdb_default_gid_to_sid(struct pdb_methods *methods, gid_t gid,
1358
struct dom_sid *sid)
1362
if (!NT_STATUS_IS_OK(methods->getgrgid(methods, &map, gid))) {
1366
sid_copy(sid, &map.sid);
1370
static bool pdb_default_sid_to_id(struct pdb_methods *methods,
1371
const struct dom_sid *sid,
1372
union unid_t *id, enum lsa_SidType *type)
1374
TALLOC_CTX *mem_ctx;
1379
mem_ctx = talloc_new(NULL);
1381
if (mem_ctx == NULL) {
1382
DEBUG(0, ("talloc_new failed\n"));
1386
if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
1387
/* Here we might have users as well as groups and aliases */
1388
ret = lookup_global_sam_rid(mem_ctx, rid, &name, type, id);
1392
/* check for "Unix User" */
1394
if ( sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid) ) {
1396
*type = SID_NAME_USER;
1401
/* check for "Unix Group" */
1403
if ( sid_peek_check_rid(&global_sid_Unix_Groups, sid, &rid) ) {
1405
*type = SID_NAME_ALIAS;
1412
if (sid_check_is_in_builtin(sid) ||
1413
sid_check_is_in_wellknown_domain(sid)) {
1414
/* Here we only have aliases */
1416
if (!NT_STATUS_IS_OK(methods->getgrsid(methods, &map, *sid))) {
1417
DEBUG(10, ("Could not find map for sid %s\n",
1418
sid_string_dbg(sid)));
1421
if ((map.sid_name_use != SID_NAME_ALIAS) &&
1422
(map.sid_name_use != SID_NAME_WKN_GRP)) {
1423
DEBUG(10, ("Map for sid %s is a %s, expected an "
1424
"alias\n", sid_string_dbg(sid),
1425
sid_type_lookup(map.sid_name_use)));
1430
*type = SID_NAME_ALIAS;
1435
DEBUG(5, ("Sid %s is neither ours, a Unix SID, nor builtin\n",
1436
sid_string_dbg(sid)));
1440
TALLOC_FREE(mem_ctx);
1444
static bool get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, uint32_t *p_num)
1455
/* We only look at our own sam, so don't care about imported stuff */
1456
winbind_env = winbind_env_set();
1457
(void)winbind_off();
1459
if ((grp = getgrgid(gid)) == NULL) {
1460
/* allow winbindd lookups, but only if they weren't already disabled */
1464
/* Primary group members */
1466
while ((pwd = getpwent()) != NULL) {
1467
if (pwd->pw_gid == gid) {
1468
if (!add_uid_to_array_unique(mem_ctx, pwd->pw_uid,
1476
/* Secondary group members */
1477
for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
1478
struct passwd *pw = getpwnam(*gr);
1482
if (!add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num)) {
1491
/* allow winbindd lookups, but only if they weren't already disabled */
1499
static NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
1500
TALLOC_CTX *mem_ctx,
1501
const struct dom_sid *group,
1502
uint32_t **pp_member_rids,
1503
size_t *p_num_members)
1507
uint32_t i, num_uids;
1509
*pp_member_rids = NULL;
1512
if (!sid_to_gid(group, &gid))
1513
return NT_STATUS_NO_SUCH_GROUP;
1515
if(!get_memberuids(mem_ctx, gid, &uids, &num_uids))
1516
return NT_STATUS_NO_SUCH_GROUP;
1519
return NT_STATUS_OK;
1521
*pp_member_rids = TALLOC_ZERO_ARRAY(mem_ctx, uint32_t, num_uids);
1523
for (i=0; i<num_uids; i++) {
1526
uid_to_sid(&sid, uids[i]);
1528
if (!sid_check_is_in_our_domain(&sid)) {
1529
DEBUG(5, ("Inconsistent SAM -- group member uid not "
1530
"in our domain\n"));
1534
sid_peek_rid(&sid, &(*pp_member_rids)[*p_num_members]);
1535
*p_num_members += 1;
1538
return NT_STATUS_OK;
1541
static NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
1542
TALLOC_CTX *mem_ctx,
1544
struct dom_sid **pp_sids,
1546
uint32_t *p_num_groups)
1551
const char *username = pdb_get_username(user);
1554
/* Ignore the primary group SID. Honor the real Unix primary group.
1555
The primary group SID is only of real use to Windows clients */
1557
if ( !(pw = Get_Pwnam_alloc(mem_ctx, username)) ) {
1558
return NT_STATUS_NO_SUCH_USER;
1565
if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) {
1566
return NT_STATUS_NO_SUCH_USER;
1569
if (*p_num_groups == 0) {
1570
smb_panic("primary group missing");
1573
*pp_sids = TALLOC_ARRAY(mem_ctx, struct dom_sid, *p_num_groups);
1575
if (*pp_sids == NULL) {
1576
TALLOC_FREE(*pp_gids);
1577
return NT_STATUS_NO_MEMORY;
1580
for (i=0; i<*p_num_groups; i++) {
1581
gid_to_sid(&(*pp_sids)[i], (*pp_gids)[i]);
1584
return NT_STATUS_OK;
1587
/*******************************************************************
1588
Look up a rid in the SAM we're responsible for (i.e. passdb)
1589
********************************************************************/
1591
static bool lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32_t rid,
1593
enum lsa_SidType *psid_name_use,
1594
union unid_t *unix_id)
1596
struct samu *sam_account = NULL;
1601
*psid_name_use = SID_NAME_UNKNOWN;
1603
DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n",
1604
(unsigned int)rid));
1606
sid_compose(&sid, get_global_sam_sid(), rid);
1608
/* see if the passdb can help us with the name of the user */
1610
if ( !(sam_account = samu_new( NULL )) ) {
1614
/* BEING ROOT BLOCK */
1616
if (pdb_getsampwsid(sam_account, &sid)) {
1619
unbecome_root(); /* -----> EXIT BECOME_ROOT() */
1620
*name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
1622
TALLOC_FREE(sam_account);
1626
*psid_name_use = SID_NAME_USER;
1628
TALLOC_FREE(sam_account);
1630
if (unix_id == NULL) {
1634
pw = Get_Pwnam_alloc(talloc_tos(), *name);
1638
unix_id->uid = pw->pw_uid;
1642
TALLOC_FREE(sam_account);
1644
ret = pdb_getgrsid(&map, sid);
1646
/* END BECOME_ROOT BLOCK */
1648
/* do not resolve SIDs to a name unless there is a valid
1649
gid associated with it */
1651
if ( ret && (map.gid != (gid_t)-1) ) {
1652
*name = talloc_strdup(mem_ctx, map.nt_name);
1653
*psid_name_use = map.sid_name_use;
1656
unix_id->gid = map.gid;
1662
/* Windows will always map RID 513 to something. On a non-domain
1663
controller, this gets mapped to SERVER\None. */
1666
DEBUG(5, ("Can't find a unix id for an unmapped group\n"));
1670
if ( rid == DOMAIN_RID_USERS ) {
1671
*name = talloc_strdup(mem_ctx, "None" );
1672
*psid_name_use = SID_NAME_DOM_GRP;
1680
static NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
1681
const struct dom_sid *domain_sid,
1685
enum lsa_SidType *attrs)
1689
bool have_mapped = False;
1690
bool have_unmapped = False;
1692
if (sid_check_is_builtin(domain_sid)) {
1694
for (i=0; i<num_rids; i++) {
1697
if (lookup_builtin_rid(names, rids[i], &name)) {
1698
attrs[i] = SID_NAME_ALIAS;
1700
DEBUG(5,("lookup_rids: %s:%d\n",
1701
names[i], attrs[i]));
1704
have_unmapped = True;
1705
attrs[i] = SID_NAME_UNKNOWN;
1711
/* Should not happen, but better check once too many */
1712
if (!sid_check_is_domain(domain_sid)) {
1713
return NT_STATUS_INVALID_HANDLE;
1716
for (i = 0; i < num_rids; i++) {
1719
if (lookup_global_sam_rid(names, rids[i], &name, &attrs[i],
1722
return NT_STATUS_NO_MEMORY;
1725
DEBUG(5,("lookup_rids: %s:%d\n", names[i], attrs[i]));
1728
have_unmapped = True;
1729
attrs[i] = SID_NAME_UNKNOWN;
1735
result = NT_STATUS_NONE_MAPPED;
1738
result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
1744
static NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods,
1745
const struct dom_sid *domain_sid,
1749
enum lsa_SidType *attrs)
1753
bool have_mapped = False;
1754
bool have_unmapped = False;
1756
if (sid_check_is_builtin(domain_sid)) {
1758
for (i=0; i<num_names; i++) {
1761
if (lookup_builtin_name(names[i], &rid)) {
1762
attrs[i] = SID_NAME_ALIAS;
1764
DEBUG(5,("lookup_rids: %s:%d\n",
1765
names[i], attrs[i]));
1768
have_unmapped = True;
1769
attrs[i] = SID_NAME_UNKNOWN;
1775
/* Should not happen, but better check once too many */
1776
if (!sid_check_is_domain(domain_sid)) {
1777
return NT_STATUS_INVALID_HANDLE;
1780
for (i = 0; i < num_names; i++) {
1781
if (lookup_global_sam_name(names[i], 0, &rids[i], &attrs[i])) {
1782
DEBUG(5,("lookup_names: %s-> %d:%d\n", names[i],
1783
rids[i], attrs[i]));
1786
have_unmapped = True;
1787
attrs[i] = SID_NAME_UNKNOWN;
1793
result = NT_STATUS_NONE_MAPPED;
1796
result = have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK;
1802
static int pdb_search_destructor(struct pdb_search *search)
1804
if ((!search->search_ended) && (search->search_end != NULL)) {
1805
search->search_end(search);
1810
struct pdb_search *pdb_search_init(TALLOC_CTX *mem_ctx,
1811
enum pdb_search_type type)
1813
struct pdb_search *result;
1815
result = talloc(mem_ctx, struct pdb_search);
1816
if (result == NULL) {
1817
DEBUG(0, ("talloc failed\n"));
1821
result->type = type;
1822
result->cache = NULL;
1823
result->num_entries = 0;
1824
result->cache_size = 0;
1825
result->search_ended = False;
1826
result->search_end = NULL;
1828
/* Segfault appropriately if not initialized */
1829
result->next_entry = NULL;
1830
result->search_end = NULL;
1832
talloc_set_destructor(result, pdb_search_destructor);
1837
static void fill_displayentry(TALLOC_CTX *mem_ctx, uint32_t rid,
1838
uint16_t acct_flags,
1839
const char *account_name,
1840
const char *fullname,
1841
const char *description,
1842
struct samr_displayentry *entry)
1845
entry->acct_flags = acct_flags;
1847
if (account_name != NULL)
1848
entry->account_name = talloc_strdup(mem_ctx, account_name);
1850
entry->account_name = "";
1852
if (fullname != NULL)
1853
entry->fullname = talloc_strdup(mem_ctx, fullname);
1855
entry->fullname = "";
1857
if (description != NULL)
1858
entry->description = talloc_strdup(mem_ctx, description);
1860
entry->description = "";
1863
struct group_search {
1865
size_t num_groups, current_group;
1868
static bool next_entry_groups(struct pdb_search *s,
1869
struct samr_displayentry *entry)
1871
struct group_search *state = (struct group_search *)s->private_data;
1873
GROUP_MAP *map = &state->groups[state->current_group];
1875
if (state->current_group == state->num_groups)
1878
sid_peek_rid(&map->sid, &rid);
1880
fill_displayentry(s, rid, 0, map->nt_name, NULL, map->comment, entry);
1882
state->current_group += 1;
1886
static void search_end_groups(struct pdb_search *search)
1888
struct group_search *state =
1889
(struct group_search *)search->private_data;
1890
SAFE_FREE(state->groups);
1893
static bool pdb_search_grouptype(struct pdb_search *search,
1894
const struct dom_sid *sid, enum lsa_SidType type)
1896
struct group_search *state;
1898
state = talloc(search, struct group_search);
1899
if (state == NULL) {
1900
DEBUG(0, ("talloc failed\n"));
1904
if (!pdb_enum_group_mapping(sid, type, &state->groups, &state->num_groups,
1906
DEBUG(0, ("Could not enum groups\n"));
1910
state->current_group = 0;
1911
search->private_data = state;
1912
search->next_entry = next_entry_groups;
1913
search->search_end = search_end_groups;
1917
static bool pdb_default_search_groups(struct pdb_methods *methods,
1918
struct pdb_search *search)
1920
return pdb_search_grouptype(search, get_global_sam_sid(), SID_NAME_DOM_GRP);
1923
static bool pdb_default_search_aliases(struct pdb_methods *methods,
1924
struct pdb_search *search,
1925
const struct dom_sid *sid)
1928
return pdb_search_grouptype(search, sid, SID_NAME_ALIAS);
1931
static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
1934
if (idx < search->num_entries)
1935
return &search->cache[idx];
1937
if (search->search_ended)
1940
while (idx >= search->num_entries) {
1941
struct samr_displayentry entry;
1943
if (!search->next_entry(search, &entry)) {
1944
search->search_end(search);
1945
search->search_ended = True;
1949
ADD_TO_LARGE_ARRAY(search, struct samr_displayentry,
1950
entry, &search->cache, &search->num_entries,
1951
&search->cache_size);
1954
return (search->num_entries > idx) ? &search->cache[idx] : NULL;
1957
struct pdb_search *pdb_search_users(TALLOC_CTX *mem_ctx, uint32_t acct_flags)
1959
struct pdb_methods *pdb = pdb_get_methods();
1960
struct pdb_search *result;
1962
result = pdb_search_init(mem_ctx, PDB_USER_SEARCH);
1963
if (result == NULL) {
1967
if (!pdb->search_users(pdb, result, acct_flags)) {
1968
TALLOC_FREE(result);
1974
struct pdb_search *pdb_search_groups(TALLOC_CTX *mem_ctx)
1976
struct pdb_methods *pdb = pdb_get_methods();
1977
struct pdb_search *result;
1979
result = pdb_search_init(mem_ctx, PDB_GROUP_SEARCH);
1980
if (result == NULL) {
1984
if (!pdb->search_groups(pdb, result)) {
1985
TALLOC_FREE(result);
1991
struct pdb_search *pdb_search_aliases(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
1993
struct pdb_methods *pdb = pdb_get_methods();
1994
struct pdb_search *result;
1996
if (pdb == NULL) return NULL;
1998
result = pdb_search_init(mem_ctx, PDB_ALIAS_SEARCH);
1999
if (result == NULL) {
2003
if (!pdb->search_aliases(pdb, result, sid)) {
2004
TALLOC_FREE(result);
2010
uint32_t pdb_search_entries(struct pdb_search *search,
2011
uint32_t start_idx, uint32_t max_entries,
2012
struct samr_displayentry **result)
2014
struct samr_displayentry *end_entry;
2015
uint32_t end_idx = start_idx+max_entries-1;
2017
/* The first entry needs to be searched after the last. Otherwise the
2018
* first entry might have moved due to a realloc during the search for
2019
* the last entry. */
2021
end_entry = pdb_search_getentry(search, end_idx);
2022
*result = pdb_search_getentry(search, start_idx);
2024
if (end_entry != NULL)
2027
if (start_idx >= search->num_entries)
2030
return search->num_entries - start_idx;
2033
/*******************************************************************
2035
*******************************************************************/
2037
bool pdb_get_trusteddom_pw(const char *domain, char** pwd, struct dom_sid *sid,
2038
time_t *pass_last_set_time)
2040
struct pdb_methods *pdb = pdb_get_methods();
2041
return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
2042
pass_last_set_time);
2045
bool pdb_set_trusteddom_pw(const char* domain, const char* pwd,
2046
const struct dom_sid *sid)
2048
struct pdb_methods *pdb = pdb_get_methods();
2049
return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
2052
bool pdb_del_trusteddom_pw(const char *domain)
2054
struct pdb_methods *pdb = pdb_get_methods();
2055
return pdb->del_trusteddom_pw(pdb, domain);
2058
NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2059
struct trustdom_info ***domains)
2061
struct pdb_methods *pdb = pdb_get_methods();
2062
return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
2065
/*******************************************************************
2066
the defaults for trustdom methods:
2067
these simply call the original passdb/secrets.c actions,
2068
to be replaced by pdb_ldap.
2069
*******************************************************************/
2071
static bool pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
2074
struct dom_sid *sid,
2075
time_t *pass_last_set_time)
2077
return secrets_fetch_trusted_domain_password(domain, pwd,
2078
sid, pass_last_set_time);
2082
static bool pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
2085
const struct dom_sid *sid)
2087
return secrets_store_trusted_domain_password(domain, pwd, sid);
2090
static bool pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
2093
return trusted_domain_password_delete(domain);
2096
static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
2097
TALLOC_CTX *mem_ctx,
2098
uint32_t *num_domains,
2099
struct trustdom_info ***domains)
2101
return secrets_trusted_domains(mem_ctx, num_domains, domains);
2104
/*******************************************************************
2105
trusted_domain methods
2106
*******************************************************************/
2108
NTSTATUS pdb_get_trusted_domain(TALLOC_CTX *mem_ctx, const char *domain,
2109
struct pdb_trusted_domain **td)
2111
struct pdb_methods *pdb = pdb_get_methods();
2112
return pdb->get_trusted_domain(pdb, mem_ctx, domain, td);
2115
NTSTATUS pdb_get_trusted_domain_by_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid,
2116
struct pdb_trusted_domain **td)
2118
struct pdb_methods *pdb = pdb_get_methods();
2119
return pdb->get_trusted_domain_by_sid(pdb, mem_ctx, sid, td);
2122
NTSTATUS pdb_set_trusted_domain(const char* domain,
2123
const struct pdb_trusted_domain *td)
2125
struct pdb_methods *pdb = pdb_get_methods();
2126
return pdb->set_trusted_domain(pdb, domain, td);
2129
NTSTATUS pdb_del_trusted_domain(const char *domain)
2131
struct pdb_methods *pdb = pdb_get_methods();
2132
return pdb->del_trusted_domain(pdb, domain);
2135
NTSTATUS pdb_enum_trusted_domains(TALLOC_CTX *mem_ctx, uint32_t *num_domains,
2136
struct pdb_trusted_domain ***domains)
2138
struct pdb_methods *pdb = pdb_get_methods();
2139
return pdb->enum_trusted_domains(pdb, mem_ctx, num_domains, domains);
2142
static NTSTATUS pdb_default_get_trusted_domain(struct pdb_methods *methods,
2143
TALLOC_CTX *mem_ctx,
2145
struct pdb_trusted_domain **td)
2147
return NT_STATUS_NOT_IMPLEMENTED;
2150
static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
2151
TALLOC_CTX *mem_ctx,
2152
struct dom_sid *sid,
2153
struct pdb_trusted_domain **td)
2155
return NT_STATUS_NOT_IMPLEMENTED;
2158
static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
2160
const struct pdb_trusted_domain *td)
2162
return NT_STATUS_NOT_IMPLEMENTED;
2165
static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
2168
return NT_STATUS_NOT_IMPLEMENTED;
2171
static NTSTATUS pdb_default_enum_trusted_domains(struct pdb_methods *methods,
2172
TALLOC_CTX *mem_ctx,
2173
uint32_t *num_domains,
2174
struct pdb_trusted_domain ***domains)
2176
return NT_STATUS_NOT_IMPLEMENTED;
2179
static struct pdb_domain_info *pdb_default_get_domain_info(
2180
struct pdb_methods *m, TALLOC_CTX *mem_ctx)
2185
/*******************************************************************
2186
Create a pdb_methods structure and initialize it with the default
2187
operations. In this way a passdb module can simply implement
2188
the functionality it cares about. However, normally this is done
2189
in groups of related functions.
2190
*******************************************************************/
2192
NTSTATUS make_pdb_method( struct pdb_methods **methods )
2194
/* allocate memory for the structure as its own talloc CTX */
2196
*methods = talloc_zero(NULL, struct pdb_methods);
2197
if (*methods == NULL) {
2198
return NT_STATUS_NO_MEMORY;
2201
(*methods)->get_domain_info = pdb_default_get_domain_info;
2202
(*methods)->getsampwnam = pdb_default_getsampwnam;
2203
(*methods)->getsampwsid = pdb_default_getsampwsid;
2204
(*methods)->create_user = pdb_default_create_user;
2205
(*methods)->delete_user = pdb_default_delete_user;
2206
(*methods)->add_sam_account = pdb_default_add_sam_account;
2207
(*methods)->update_sam_account = pdb_default_update_sam_account;
2208
(*methods)->delete_sam_account = pdb_default_delete_sam_account;
2209
(*methods)->rename_sam_account = pdb_default_rename_sam_account;
2210
(*methods)->update_login_attempts = pdb_default_update_login_attempts;
2212
(*methods)->getgrsid = pdb_default_getgrsid;
2213
(*methods)->getgrgid = pdb_default_getgrgid;
2214
(*methods)->getgrnam = pdb_default_getgrnam;
2215
(*methods)->create_dom_group = pdb_default_create_dom_group;
2216
(*methods)->delete_dom_group = pdb_default_delete_dom_group;
2217
(*methods)->add_group_mapping_entry = pdb_default_add_group_mapping_entry;
2218
(*methods)->update_group_mapping_entry = pdb_default_update_group_mapping_entry;
2219
(*methods)->delete_group_mapping_entry = pdb_default_delete_group_mapping_entry;
2220
(*methods)->enum_group_mapping = pdb_default_enum_group_mapping;
2221
(*methods)->enum_group_members = pdb_default_enum_group_members;
2222
(*methods)->enum_group_memberships = pdb_default_enum_group_memberships;
2223
(*methods)->set_unix_primary_group = pdb_default_set_unix_primary_group;
2224
(*methods)->add_groupmem = pdb_default_add_groupmem;
2225
(*methods)->del_groupmem = pdb_default_del_groupmem;
2226
(*methods)->create_alias = pdb_default_create_alias;
2227
(*methods)->delete_alias = pdb_default_delete_alias;
2228
(*methods)->get_aliasinfo = pdb_default_get_aliasinfo;
2229
(*methods)->set_aliasinfo = pdb_default_set_aliasinfo;
2230
(*methods)->add_aliasmem = pdb_default_add_aliasmem;
2231
(*methods)->del_aliasmem = pdb_default_del_aliasmem;
2232
(*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
2233
(*methods)->enum_alias_memberships = pdb_default_alias_memberships;
2234
(*methods)->lookup_rids = pdb_default_lookup_rids;
2235
(*methods)->get_account_policy = pdb_default_get_account_policy;
2236
(*methods)->set_account_policy = pdb_default_set_account_policy;
2237
(*methods)->get_seq_num = pdb_default_get_seq_num;
2238
(*methods)->uid_to_sid = pdb_default_uid_to_sid;
2239
(*methods)->gid_to_sid = pdb_default_gid_to_sid;
2240
(*methods)->sid_to_id = pdb_default_sid_to_id;
2242
(*methods)->search_groups = pdb_default_search_groups;
2243
(*methods)->search_aliases = pdb_default_search_aliases;
2245
(*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
2246
(*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
2247
(*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
2248
(*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
2250
(*methods)->get_trusted_domain = pdb_default_get_trusted_domain;
2251
(*methods)->get_trusted_domain_by_sid = pdb_default_get_trusted_domain_by_sid;
2252
(*methods)->set_trusted_domain = pdb_default_set_trusted_domain;
2253
(*methods)->del_trusted_domain = pdb_default_del_trusted_domain;
2254
(*methods)->enum_trusted_domains = pdb_default_enum_trusted_domains;
2256
return NT_STATUS_OK;