author | Jelmer Vernooij <jelmer@samba.org> | 2002-10-21 15:36:51 +0000 |
committer | Jelmer Vernooij <jelmer@samba.org> | 2002-10-21 15:36:51 +0000 |
commit | a3c4b4cef60e5058bcb3b41f8e32616ac0b2317f (patch) | |
tree | 59c92a28469828dc9867b7dde2fc37ec894224a0 | |
parent | e9fd0a2671e5c6df43d0b78c4bae9ecc1841b8cd (diff) | |
Sync with metze's CVS tree
(This used to be commit 2a598d435d3eb46ca28b3591a4f7f9d856ce3c1f)
-rwxr-xr-x | source3/sam/sam_ads.c | 332 |
1 files changed, 253 insertions, 79 deletions
diff --git a/source3/sam/sam_ads.c b/source3/sam/sam_ads.c index e10b476997..6cb205d338 100755 --- a/source3/sam/sam_ads.c +++ b/source3/sam/sam_ads.c @@ -30,6 +30,11 @@ static int sam_ads_debug_level = DBGC_SAM; #undef DBGC_CLASS #define DBGC_CLASS sam_ads_debug_level +#ifndef FIXME +#define FIXME( body ) { DEBUG(0,("FIXME: "));\ + DEBUGADD(0,(body));} +#endif + #define ADS_STATUS_OK ADS_ERROR(0) #define ADS_STATUS_UNSUCCESSFUL ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL) #define ADS_STATUS_NOT_IMPLEMENTED ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED) @@ -42,7 +47,7 @@ static int sam_ads_debug_level = DBGC_SAM; #define ADS_ROOT_TREE "" /* Here are private module structs and functions */ -struct sam_ads_privates { +typedef struct sam_ads_privates { ADS_STRUCT *ads_struct; TALLOC_CTX *mem_ctx; BOOL bind_plaintext; @@ -50,7 +55,7 @@ struct sam_ads_privates { char *ads_bind_pw; char *ldap_uri; /* did we need something more? */ -}; +}SAM_ADS_PRIVATES; /* get only these LDAP attributes, witch we really need for an account */ 
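Review bot: The FIXME macro in the first hunk expands to a bare brace block, so a use such as `if (cond) FIXME("...\n"); else ...` no longer compiles (the `;` after the block terminates the if); the conventional form is `#define FIXME(body) do { DEBUG(0,("FIXME: ")); DEBUGADD(0,(body)); } while (0)`. Because it logs at level 0, every FIXME the commit places on a code path (sam_ads_cached_connection, ads_entry2sam_account_handle, sam_ads_account_policy_get, sam_ads_enum_groups, sam_ads_free_private_data) now prints on each call in a normal log, unlike the comments it replaces; a higher debug level, or a compile-time marker, would keep the notes without the noise. The `#ifndef FIXME` guard also means a FIXME defined by an earlier include silently wins, which looks unintended for a debug helper private to this file.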
@@ -106,30 +111,30 @@ const char *group_attrs[] = {"objectSid", return our ads connection. We keep the connection open to make things faster ****************************************************/ -static ADS_STATUS sam_ads_cached_connection(struct sam_ads_privates *private) +static ADS_STATUS sam_ads_cached_connection(SAM_ADS_PRIVATES *privates) { ADS_STRUCT *ads_struct; ADS_STATUS ads_status; - if (!private->ads_struct) { - private->ads_struct = ads_init_simple(); - ads_struct = private->ads_struct; - ads_struct->server.ldap_uri = smb_xstrdup(private->ldap_uri); - if ((!private->ads_bind_dn) || (!*private->ads_bind_dn)) { + if (!privates->ads_struct) { + privates->ads_struct = ads_init_simple(); + ads_struct = privates->ads_struct; + ads_struct->server.ldap_uri = smb_xstrdup(privates->ldap_uri); + if ((!privates->ads_bind_dn) || (!*privates->ads_bind_dn)) { ads_struct->auth.flags |= ADS_AUTH_ANON_BIND; } else { ads_struct->auth.user_name - = smb_xstrdup(private->ads_bind_dn); - if (private->ads_bind_pw) { + = smb_xstrdup(privates->ads_bind_dn); + if (privates->ads_bind_pw) { ads_struct->auth.password - = smb_xstrdup(private->ads_bind_pw); + = smb_xstrdup(privates->ads_bind_pw); } } - if (private->bind_plaintext) { + if (privates->bind_plaintext) { ads_struct->auth.flags |= ADS_AUTH_SIMPLE_BIND; } } else { - ads_struct = private->ads_struct; + ads_struct = privates->ads_struct; } if (ads_struct->ld != NULL) { 
@@ -155,22 +160,22 @@ static ADS_STATUS sam_ads_cached_connection(struct sam_ads_privates *private) ads_status = ads_server_info(ads_struct); if (!ADS_ERR_OK(ads_status)) { DEBUG(0,("Can't set server info: %s\n",ads_errstr(ads_status))); - /* return ads_status; */ /*for now we only warn! */ + /* return ads_status; */ FIXME("for now we only warn!\n"); } DEBUG(2, ("sam_ads_cached_connection: succesful connection to the LDAP server\n")); return ADS_SUCCESS; } -static ADS_STATUS sam_ads_do_search(struct sam_ads_privates *private, const char *bind_path, int scope, const char *exp, const char **attrs, void **res) +static ADS_STATUS sam_ads_do_search(SAM_ADS_PRIVATES *privates, const char *bind_path, int scope, const char *exp, const char **attrs, void **res) { ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); - ads_status = sam_ads_cached_connection(private); + ads_status = sam_ads_cached_connection(privates); if (!ADS_ERR_OK(ads_status)) return ads_status; - return ads_do_search_retry(private->ads_struct, bind_path, scope, exp, attrs, res); + return ads_do_search_retry(privates->ads_struct, bind_path, scope, exp, attrs, res); } @@ -178,13 +183,13 @@ static ADS_STATUS sam_ads_do_search(struct sam_ads_privates *private, const char here we have to check the update serial number - this is the core of the ldap cache *********************************************/ -static ADS_STATUS sam_ads_usn_is_valid(ADS_STRUCT *ads_struct, uint32 usn_in, uint32 *usn_out) +static ADS_STATUS sam_ads_usn_is_valid(SAM_ADS_PRIVATES *privates, uint32 usn_in, uint32 *usn_out) { ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); - SAM_ASSERT(ads_struct && usn_out); + SAM_ASSERT(privates && privates->ads_struct && usn_out); - ads_status = ads_USN(ads_struct, usn_out); + ads_status = ads_USN(privates->ads_struct, usn_out); if (!ADS_ERR_OK(ads_status)) return ads_status; 
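Review bot: In the -155 hunk a failed ads_server_info() still falls through to `return ADS_SUCCESS`, so the FIXME only changes what is logged and the caller never learns that server information is missing; later code searches with `ads_struct->config.bind_path` (sam_ads_account_policy_get, sam_ads_enum_groups), which, if ads_server_info() is what populates config, will then run against an unset base. If warning-only is intended for now, a comment on the return stating that `ads_struct->config` may be unpopulated would help callers; otherwise restore `return ads_status;`. sam_ads_cached_connection starts outside this hunk.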
@@ -198,13 +203,107 @@ static ADS_STATUS sam_ads_usn_is_valid(ADS_STRUCT *ads_struct, uint32 usn_in, ui Initialize SAM_ACCOUNT_HANDLE from an ADS query ************************************************/ /* not ready :-( */ -static ADS_STATUS ads_entry2sam_account_handle(ADS_STRUCT *ads_struct, SAM_ACCOUNT_HANDLE *account ,const void *entry) +static ADS_STATUS ads_entry2sam_account_handle(SAM_ADS_PRIVATES *privates, SAM_ACCOUNT_HANDLE *account ,void *msg) { - ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; - DEBUG(0,("sam_ads: %s was called!\n",__FUNCTION__)); - SAM_ASSERT(ads_struct && account && entry); + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_NO_SUCH_USER); + NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER; + ADS_STRUCT *ads_struct = privates->ads_struct; + TALLOC_CTX *mem_ctx = account->mem_ctx; + char *tmp_str = NULL; + + SAM_ASSERT(privates && ads_struct && account && mem_ctx && msg); + FIXME("should we really use ads_pull_username()(or ads_pull_string())?\n"); + if ((account->private.account_name = ads_pull_username(ads_struct, mem_ctx, msg))==NULL) { + DEBUG(0,("ads_pull_username failed\n")); + return ADS_ERROR_NT(NT_STATUS_NO_SUCH_USER); + } + + if ((account->private.full_name = ads_pull_string(ads_struct, mem_ctx, msg,"name"))==NULL) { + DEBUG(3,("ads_pull_string for 'name' failed - skip\n")); + } + + if ((account->private.acct_desc = ads_pull_string(ads_struct, mem_ctx, msg,"description"))!=NULL) { + DEBUG(3,("ads_pull_string for 'acct_desc' failed - skip\n")); + } + + if ((account->private.home_dir = ads_pull_string(ads_struct, mem_ctx, msg,"homeDirectory"))!=NULL) { + DEBUG(3,("ads_pull_string for 'homeDirectory' failed - skip\n")); + } + + if ((account->private.dir_drive = ads_pull_string(ads_struct, mem_ctx, msg,"homeDrive"))!=NULL) { + DEBUG(3,("ads_pull_string for 'homeDrive' failed - skip\n")); + } + + if ((account->private.profile_path = ads_pull_string(ads_struct, mem_ctx, msg,"profilePath"))!=NULL) { + DEBUG(3,("ads_pull_string for 
'profilePath' failed - skip\n")); + } + + if ((account->private.logon_script = ads_pull_string(ads_struct, mem_ctx, msg,"scriptPath"))!=NULL) { + DEBUG(3,("ads_pull_string for 'scriptPath' failed - skip\n")); + } + + FIXME("check 'nsNPAllowDialIn' for munged_dial!\n"); + if ((account->private.munged_dial = ads_pull_string(ads_struct, mem_ctx, msg,"userParameters"))!=NULL) { + DEBUG(3,("ads_pull_string for 'userParameters' failed - skip\n")); + } + + if ((account->private.unix_home_dir = ads_pull_string(ads_struct, mem_ctx, msg,"msSFUHomeDrirectory"))!=NULL) { + DEBUG(3,("ads_pull_string for 'msSFUHomeDrirectory' failed - skip\n")); + } +#if 0 + FIXME("use function intern mem_ctx for pwdLastSet\n"); + if ((tmp_str = ads_pull_string(ads_struct, mem_ctx, msg,"pwdLastSet"))!=NULL) { + DEBUG(3,("ads_pull_string for 'pwdLastSet' failed - skip\n")); + } else { + account->private.pass_last_set_time = ads_parse_nttime(tmp_str); + tmp_str = NULL; + + } +#endif + +#if 0 +typedef struct sam_account_handle { + TALLOC_CTX *mem_ctx; + uint32 access_granted; + const struct sam_methods *current_sam_methods; /* sam_methods creating this handle */ + void (*free_fn)(struct sam_account_handle **); + struct sam_account_data { + uint32 init_flag; + NTTIME logon_time; /* logon time */ + NTTIME logoff_time; /* logoff time */ + NTTIME kickoff_time; /* kickoff time */ + NTTIME pass_last_set_time; /* password last set time */ + NTTIME pass_can_change_time; /* password can change time */ + NTTIME pass_must_change_time; /* password must change time */ + char * account_name; /* account_name string */ + SAM_DOMAIN_HANDLE * domain; /* domain of account */ + char *full_name; /* account's full name string */ + char *unix_home_dir; /* UNIX home directory string */ + char *home_dir; /* home directory string */ + char *dir_drive; /* home directory drive string */ + char *logon_script; /* logon script string */ + char *profile_path; /* profile path string */ + char *acct_desc; /* account description 
string */ + char *workstations; /* login from workstations string */ + char *unknown_str; /* don't know what this is, yet. */ + char *munged_dial; /* munged path name and dial-back tel number */ + DOM_SID account_sid; /* Primary Account SID */ + DOM_SID group_sid; /* Primary Group SID */ + DATA_BLOB lm_pw; /* .data is Null if no password */ + DATA_BLOB nt_pw; /* .data is Null if no password */ + char *plaintext_pw; /* if Null not available */ + uint16 acct_ctrl; /* account info (ACB_xxxx bit-mask) */ + uint32 unknown_1; /* 0x00ff ffff */ + uint16 logon_divs; /* 168 - number of hours in a week */ + uint32 hours_len; /* normally 21 bytes */ + uint8 hours[MAX_HOURS_LEN]; + uint32 unknown_2; /* 0x0002 0000 */ + uint32 unknown_3; /* 0x0000 04ec */ + } private; +} SAM_ACCOUNT_HANDLE; +#endif return ads_status; } 
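Review bot: Seven of the new ads_pull_string() calls in ads_entry2sam_account_handle test `!=NULL` and then log "failed - skip" on success (acct_desc, home_dir, dir_drive, profile_path, logon_script, munged_dial, unix_home_dir); only account_name and full_name use `==NULL`, which is the condition the message describes, and the disabled pwdLastSet block has the same inversion (it parses tmp_str in the NULL branch). The function also never updates ads_status from its initial NT_STATUS_NO_SUCH_USER, so a fully populated entry is still reported as a failure at `return ads_status;`, while `nt_status` and `tmp_str` are set but never read. Flip each test to `==NULL` and set `ads_status = ADS_SUCCESS;` once the required attributes are present. The attribute string "msSFUHomeDrirectory" also looks misspelled and is worth checking against the schema before this path is enabled.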
@@ -214,29 +313,30 @@ static ADS_STATUS ads_entry2sam_account_handle(ADS_STRUCT *ads_struct, SAM_ACCOU Initialize SAM_GROUP_ENUM from an ads entry ************************************************/ /* not ready :-( */ -static ADS_STATUS ads_entry2sam_group_enum(ADS_STRUCT *ads_struct, TALLOC_CTX *mem_ctx, SAM_GROUP_ENUM **group_enum,const void *entry) +static ADS_STATUS ads_entry2sam_group_enum(SAM_ADS_PRIVATES *privates, TALLOC_CTX *mem_ctx, SAM_GROUP_ENUM **group_enum,const void *entry) { ADS_STATUS ads_status = ADS_STATUS_UNSUCCESSFUL; + ADS_STRUCT *ads_struct = privates->ads_struct; SAM_GROUP_ENUM __group_enum; SAM_GROUP_ENUM *_group_enum = &__group_enum; - SAM_ASSERT(ads_struct && mem_ctx && group_enum && entry); + SAM_ASSERT(privates && ads_struct && mem_ctx && group_enum && entry); *group_enum = _group_enum; DEBUG(3,("sam_ads: ads_entry2sam_account_handle\n")); - if (!ads_pull_sid((ADS_STRUCT *)ads_struct, &entry, "objectSid", &(_group_enum->sid))) { + if (!ads_pull_sid(ads_struct, &entry, "objectSid", &(_group_enum->sid))) { DEBUG(0,("No sid for!?\n")); return ADS_STATUS_UNSUCCESSFUL; } - if (!(_group_enum->group_name = ads_pull_string((ADS_STRUCT *)ads_struct, mem_ctx, &entry, "sAMAccountName"))) { + if (!(_group_enum->group_name = ads_pull_string(ads_struct, mem_ctx, &entry, "sAMAccountName"))) { DEBUG(0,("No groupname found")); return ADS_STATUS_UNSUCCESSFUL; } - if (!(_group_enum->group_desc = ads_pull_string((ADS_STRUCT *)ads_struct, mem_ctx, &entry, "desciption"))) { + if (!(_group_enum->group_desc = ads_pull_string(ads_struct, mem_ctx, &entry, "desciption"))) { DEBUG(0,("No description found")); return ADS_STATUS_UNSUCCESSFUL; } 
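Review bot: `*group_enum = _group_enum;` hands the caller the address of the stack local `__group_enum`, which is dangling as soon as ads_entry2sam_group_enum returns; the enum should be allocated from mem_ctx, e.g. `*group_enum = talloc_zero(mem_ctx, sizeof(**group_enum));`, or filled into a caller-supplied buffer. The rewritten `ads_pull_sid(ads_struct, &entry, ...)` and `ads_pull_string(ads_struct, mem_ctx, &entry, ...)` calls pass `const void **`, while ads_entry2sam_account_handle in the previous hunk passes its `void *msg` directly to the same helpers; one of the two conventions is wrong and should be checked against the ads_pull_* prototypes. The attribute string "desciption", the debug line naming ads_entry2sam_account_handle, and the reserved identifier `__group_enum` are carried over unchanged. The function ends outside this hunk.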
@@ -250,19 +350,21 @@ static ADS_STATUS ads_entry2sam_group_enum(ADS_STRUCT *ads_struct, TALLOC_CTX *m return ads_status; } -static ADS_STATUS sam_ads_access_check(const SAM_METHODS *sam_method, const SEC_DESC *sd, const NT_USER_TOKEN *access_token, uint32 access_desired) +static ADS_STATUS sam_ads_access_check(SAM_ADS_PRIVATES *privates, const SEC_DESC *sd, const NT_USER_TOKEN *access_token, uint32 access_desired, uint32 *acc_granted) { ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED); NTSTATUS nt_status; - uint32 acc_granted; + uint32 my_acc_granted; - SAM_ASSERT(sam_method && sd && access_token); + SAM_ASSERT(privates && sd && access_token); + /* acc_granted can be set to NULL */ + /* the steps you need are: 1. get_sec_desc for sid 2. se_map_generic(accessdesired, generic_mapping) 3. se_access_check() */ - if (!se_access_check(sd, access_token, access_desired, &acc_granted, &nt_status)) { + if (!se_access_check(sd, access_token, access_desired, (acc_granted)?acc_granted:&my_acc_granted, &nt_status)) { DEBUG(3,("sam_ads_access_check: ACCESS DENIED\n")); ads_status = ADS_ERROR_NT(nt_status); return ads_status; @@ -271,10 +373,9 @@ static ADS_STATUS sam_ads_access_check(const SAM_METHODS *sam_method, const SEC_ return ads_status; } -static ADS_STATUS sam_ads_get_tree_sec_desc(const SAM_METHODS *sam_method, const char *subtree, SEC_DESC **sd) +static ADS_STATUS sam_ads_get_tree_sec_desc(SAM_ADS_PRIVATES *privates, const char *subtree, SEC_DESC **sd) { ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); - struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data; ADS_STRUCT *ads_struct = privates->ads_struct; TALLOC_CTX *mem_ctx = privates->mem_ctx; char *search_path; 
@@ -282,7 +383,7 @@ static ADS_STATUS sam_ads_get_tree_sec_desc(const SAM_METHODS *sam_method, const void *sec_desc_msg; const char *sec_desc_attrs[] = {"nTSecurityDescriptor",NULL}; - SAM_ASSERT(sam_method && ads_struct && sd); + SAM_ASSERT(privates && ads_struct && mem_ctx && sd); *sd = NULL; if (subtree) { 
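Review bot: The updated `SAM_ASSERT(privates && ads_struct && mem_ctx && sd);` runs after `privates->ads_struct` and `privates->mem_ctx` were already read at the declarations in the preceding hunk, so a NULL privates crashes before the assert can report it. Either declare the two locals uninitialised and assign them after the assert, or drop `privates` from the assert. The same ordering appears in sam_ads_create_account and sam_ads_add_account (the `privates` initialiser dereferences sam_method one line before `SAM_ASSERT(sam_method && ...)`) and in both disabled get_account_by_* bodies. sam_ads_get_tree_sec_desc starts and ends outside this hunk.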
@@ -309,25 +410,33 @@ static ADS_STATUS sam_ads_get_tree_sec_desc(const SAM_METHODS *sam_method, const return ads_status; } -static ADS_STATUS sam_ads_account_policy_get(const SAM_METHODS *sam_method, int field, uint32 *value) +static ADS_STATUS sam_ads_account_policy_get(SAM_ADS_PRIVATES *privates, int field, uint32 *value) { ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); - struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data; ADS_STRUCT *ads_struct = privates->ads_struct; void *ap_res; void *ap_msg; - const char *ap_attrs[] = {"minPwdLength","pwdHistoryLength", - /*"mustLogonToChangePass",*/"lockoutDuration" - "maxPwdAge","minPwdAge",NULL}; + const char *ap_attrs[] = {"minPwdLength",/* AP_MIN_PASSWORD_LEN */ + "pwdHistoryLength",/* AP_PASSWORD_HISTORY */ + "AP_USER_MUST_LOGON_TO_CHG_PASS",/* AP_USER_MUST_LOGON_TO_CHG_PASS */ + "maxPwdAge",/* AP_MAX_PASSWORD_AGE */ + "minPwdAge",/* AP_MIN_PASSWORD_AGE */ + "lockoutDuration",/* AP_LOCK_ACCOUNT_DURATION */ + "AP_RESET_COUNT_TIME",/* AP_RESET_COUNT_TIME */ + "AP_BAD_ATTEMPT_LOCKOUT",/* AP_BAD_ATTEMPT_LOCKOUT */ + "AP_TIME_TO_LOGOUT",/* AP_TIME_TO_LOGOUT */ + NULL}; /*lockOutObservationWindow lockoutThreshold $ pwdProperties*/ static uint32 ap[9]; static uint32 ap_usn = 0; uint32 tmp_usn = 0; - SAM_ASSERT(sam_method && value); + SAM_ASSERT(privates && ads_struct && value); + + FIXME("We need to decode all account_policy attributes!\n"); - ads_status = sam_ads_usn_is_valid(ads_struct,ap_usn,&tmp_usn); + ads_status = sam_ads_usn_is_valid(privates,ap_usn,&tmp_usn); if (!ADS_ERR_OK(ads_status)) { ads_status = sam_ads_do_search(privates, ads_struct->config.bind_path, LDAP_SCOPE_BASE, "(objectClass=*)", ap_attrs, &ap_res); if (!ADS_ERR_OK(ads_status)) 
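Review bot: Four entries of the new ap_attrs[] are enum constant names used as string literals ("AP_USER_MUST_LOGON_TO_CHG_PASS", "AP_RESET_COUNT_TIME", "AP_BAD_ATTEMPT_LOCKOUT", "AP_TIME_TO_LOGOUT"), so the base search requests attributes that do not exist in the directory; the real attribute names belong there (the trailing comment already lists lockOutObservationWindow and lockoutThreshold), or the slots should be left out of the list until they are decoded, with a comment explaining the index mapping into `ap[9]`. The commit does fix the missing comma that previously concatenated "lockoutDuration" with "maxPwdAge". Separately, `static uint32 ap[9]` and `static uint32 ap_usn` are shared by every SAM_ADS_PRIVATES instance, so two backends bound to different servers would serve each other's policy values; the cache belongs in the privates struct. sam_ads_account_policy_get continues past this hunk.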
@@ -427,6 +536,7 @@ static ADS_STATUS sam_ads_account_policy_get(const SAM_METHODS *sam_method, int return ads_status; } + /********************************** Now the functions off the SAM API ***********************************/ @@ -436,7 +546,7 @@ static NTSTATUS sam_ads_get_sec_desc(const SAM_METHODS *sam_method, const NT_USE const DOM_SID *sid, SEC_DESC **sd) { ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); - struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data; + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; ADS_STRUCT *ads_struct = privates->ads_struct; TALLOC_CTX *mem_ctx; char *sidstr,*filter; @@ -448,11 +558,11 @@ static NTSTATUS sam_ads_get_sec_desc(const SAM_METHODS *sam_method, const NT_USE SAM_ASSERT(sam_method && access_token && sid && sd); - ads_status = sam_ads_get_tree_sec_desc(sam_method, ADS_ROOT_TREE, &my_sd); + ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &my_sd); if (!ADS_ERR_OK(ads_status)) return ads_ntstatus(ads_status); - ads_status = sam_ads_access_check(sam_method, my_sd, access_token, DOMAIN_READ); + ads_status = sam_ads_access_check(privates, my_sd, access_token, GENERIC_RIGHTS_DOMAIN_READ, NULL); if (!ADS_ERR_OK(ads_status)) return ads_ntstatus(ads_status); 
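Review bot: Style: the new `SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data;` mixes the typedef on the left with the struct tag in the cast; if private_data is `void *` the cast is unnecessary in C, and otherwise `(SAM_ADS_PRIVATES *)` as used in sam_ads_free_private_data keeps the two consistent. The same line appears in sam_ads_lookup_sid, sam_ads_lookup_name, sam_ads_get_domain_handle, sam_ads_create_account, sam_ads_add_account, the disabled get_account_by_* bodies and sam_ads_enum_groups. In this function `privates->ads_struct` is also read before `SAM_ASSERT(sam_method && ...)`, so the assert cannot guard the dereference. sam_ads_get_sec_desc starts and ends outside these hunks.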
@@ -523,17 +633,17 @@ static NTSTATUS sam_ads_lookup_sid(const SAM_METHODS *sam_method, const NT_USER_ enum SID_NAME_USE *type) { ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); - struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data; + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; ADS_STRUCT *ads_struct = privates->ads_struct; SEC_DESC *my_sd; SAM_ASSERT(sam_method && access_token && mem_ctx && sid && name && type); - ads_status = sam_ads_get_tree_sec_desc(sam_method, ADS_ROOT_TREE, &my_sd); + ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &my_sd); if (!ADS_ERR_OK(ads_status)) return ads_ntstatus(ads_status); - ads_status = sam_ads_access_check(sam_method, my_sd, access_token, DOMAIN_READ); + ads_status = sam_ads_access_check(privates, my_sd, access_token, GENERIC_RIGHTS_DOMAIN_READ, NULL); if (!ADS_ERR_OK(ads_status)) return ads_ntstatus(ads_status); @@ -544,17 +654,17 @@ static NTSTATUS sam_ads_lookup_name(const SAM_METHODS *sam_method, const NT_USER const char *name, DOM_SID *sid, enum SID_NAME_USE *type) { ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); - struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data; + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; ADS_STRUCT *ads_struct = privates->ads_struct; SEC_DESC *my_sd; SAM_ASSERT(sam_method && access_token && name && sid && type); - ads_status = sam_ads_get_tree_sec_desc(sam_method, ADS_ROOT_TREE, &my_sd); + ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &my_sd); if (!ADS_ERR_OK(ads_status)) return ads_ntstatus(ads_status); - ads_status = sam_ads_access_check(sam_method, my_sd, access_token, DOMAIN_READ); + ads_status = sam_ads_access_check(privates, my_sd, access_token, GENERIC_RIGHTS_DOMAIN_READ, NULL); if (!ADS_ERR_OK(ads_status)) return ads_ntstatus(ads_status); 
@@ -576,7 +686,7 @@ static NTSTATUS sam_ads_get_domain_handle(const SAM_METHODS *sam_method, const N const uint32 access_desired, SAM_DOMAIN_HANDLE **domain) { ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; - struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data; + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; TALLOC_CTX *mem_ctx = privates->mem_ctx; /*Fix me is this right??? */ SAM_DOMAIN_HANDLE *dom_handle = NULL; SEC_DESC *sd; @@ -603,11 +713,11 @@ static NTSTATUS sam_ads_get_domain_handle(const SAM_METHODS *sam_method, const N /* check if access can be granted as requested */ - ads_status = sam_ads_get_tree_sec_desc(sam_method, ADS_ROOT_TREE, &sd); + ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &sd); if (!ADS_ERR_OK(ads_status)) return ads_ntstatus(ads_status); - ads_status = sam_ads_access_check(sam_method, sd, access_token, access_desired); + ads_status = sam_ads_access_check(privates, sd, access_token, access_desired, &acc_granted); if (!ADS_ERR_OK(ads_status)) return ads_ntstatus(ads_status); 
@@ -619,62 +729,62 @@ static NTSTATUS sam_ads_get_domain_handle(const SAM_METHODS *sam_method, const N dom_handle->private.servername = "WHOKNOWS"; /* what is the servername */ /*Fix me: sam_ads_account_policy_get() return ADS_STATUS! */ - ads_status = sam_ads_account_policy_get(sam_method, AP_MAX_PASSWORD_AGE, &tmp_value); + ads_status = sam_ads_account_policy_get(privates, AP_MAX_PASSWORD_AGE, &tmp_value); if (!ADS_ERR_OK(ads_status)) { DEBUG(4,("sam_ads_account_policy_get failed for max password age. Useing default\n")); tmp_value = MAX_PASSWORD_AGE; } unix_to_nt_time_abs(&dom_handle->private.max_passwordage,tmp_value); - ads_status = sam_ads_account_policy_get(sam_method, AP_MIN_PASSWORD_AGE, &tmp_value); + ads_status = sam_ads_account_policy_get(privates, AP_MIN_PASSWORD_AGE, &tmp_value); if (!ADS_ERR_OK(ads_status)) { DEBUG(4,("sam_ads_account_policy_get failed for min password age. Useing default\n")); tmp_value = 0; } unix_to_nt_time_abs(&dom_handle->private.min_passwordage, tmp_value); - ads_status = sam_ads_account_policy_get(sam_method, AP_LOCK_ACCOUNT_DURATION, &tmp_value); + ads_status = sam_ads_account_policy_get(privates, AP_LOCK_ACCOUNT_DURATION, &tmp_value); if (!ADS_ERR_OK(ads_status)) { DEBUG(4,("sam_ads_account_policy_get failed for lockout duration. Useing default\n")); tmp_value = 0; } unix_to_nt_time_abs(&dom_handle->private.lockout_duration, tmp_value); - ads_status = sam_ads_account_policy_get(sam_method, AP_RESET_COUNT_TIME, &tmp_value); + ads_status = sam_ads_account_policy_get(privates, AP_RESET_COUNT_TIME, &tmp_value); if (!ADS_ERR_OK(ads_status)) { DEBUG(4,("sam_ads_account_policy_get failed for time till locout count is reset. 
Useing default\n")); tmp_value = 0; } unix_to_nt_time_abs(&dom_handle->private.reset_count, tmp_value); - ads_status = sam_ads_account_policy_get(sam_method, AP_MIN_PASSWORD_LEN, &tmp_value); + ads_status = sam_ads_account_policy_get(privates, AP_MIN_PASSWORD_LEN, &tmp_value); if (!ADS_ERR_OK(ads_status)) { DEBUG(4,("sam_ads_account_policy_get failed for min password length. Useing default\n")); tmp_value = 0; } dom_handle->private.min_passwordlength = (uint16)tmp_value; - ads_status = sam_ads_account_policy_get(sam_method, AP_PASSWORD_HISTORY, &tmp_value); + ads_status = sam_ads_account_policy_get(privates, AP_PASSWORD_HISTORY, &tmp_value); if (!ADS_ERR_OK(ads_status)) { DEBUG(4,("sam_ads_account_policy_get failed password history. Useing default\n")); tmp_value = 0; } dom_handle->private.password_history = (uint16)tmp_value; - ads_status = sam_ads_account_policy_get(sam_method, AP_BAD_ATTEMPT_LOCKOUT, &tmp_value); + ads_status = sam_ads_account_policy_get(privates, AP_BAD_ATTEMPT_LOCKOUT, &tmp_value); if (!ADS_ERR_OK(ads_status)) { DEBUG(4,("sam_ads_account_policy_get failed for bad attempts till lockout. Useing default\n")); tmp_value = 0; } dom_handle->private.lockout_count = (uint16)tmp_value; - ads_status = sam_ads_account_policy_get(sam_method, AP_TIME_TO_LOGOUT, &tmp_value); + ads_status = sam_ads_account_policy_get(privates, AP_TIME_TO_LOGOUT, &tmp_value); if (!ADS_ERR_OK(ads_status)) { DEBUG(4,("sam_ads_account_policy_get failed for force logout. Useing default\n")); tmp_value = -1; } - ads_status = sam_ads_account_policy_get(sam_method, AP_USER_MUST_LOGON_TO_CHG_PASS, &tmp_value); + ads_status = sam_ads_account_policy_get(privates, AP_USER_MUST_LOGON_TO_CHG_PASS, &tmp_value); if (!ADS_ERR_OK(ads_status)) { DEBUG(4,("sam_ads_account_policy_get failed for user must login to change password. Useing default\n")); tmp_value = 0; 
@@ -699,15 +809,17 @@ static NTSTATUS sam_ads_create_account(const SAM_METHODS *sam_method, const char *account_name, uint16 acct_ctrl, SAM_ACCOUNT_HANDLE **account) { ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; SEC_DESC *sd = NULL; + uint32 acc_granted; - SAM_ASSERT(sam_method && access_token && account_name && account); + SAM_ASSERT(sam_method && privates && access_token && account_name && account); - ads_status = sam_ads_get_tree_sec_desc(sam_method, ADS_SUBTREE_USERS, &sd); + ads_status = sam_ads_get_tree_sec_desc(privates, ADS_SUBTREE_USERS, &sd); if (!ADS_ERR_OK(ads_status)) return ads_ntstatus(ads_status); - ads_status = sam_ads_access_check(sam_method, sd, access_token, access_desired); + ads_status = sam_ads_access_check(privates, sd, access_token, access_desired, &acc_granted); if (!ADS_ERR_OK(ads_status)) return ads_ntstatus(ads_status); @@ -715,21 +827,25 @@ static NTSTATUS sam_ads_create_account(const SAM_METHODS *sam_method, if (!ADS_ERR_OK(ads_status)) return ads_ntstatus(ads_status); + (*account)->access_granted = acc_granted; + return ads_ntstatus(ads_status); } static NTSTATUS sam_ads_add_account(const SAM_METHODS *sam_method, const SAM_ACCOUNT_HANDLE *account) { ADS_STATUS ads_status = ADS_ERROR(LDAP_NO_MEMORY); - struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data; + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; ADS_STRUCT *ads_struct = privates->ads_struct; TALLOC_CTX *mem_ctx = privates->mem_ctx; ADS_MODLIST mods; uint16 acct_ctrl; char *new_dn; + SEC_DESC *sd; + uint32 acc_granted; SAM_ASSERT(sam_method && account); - + ads_status = ADS_ERROR_NT(sam_get_account_acct_ctrl(account,&acct_ctrl)); if (!ADS_ERR_OK(ads_status)) goto done; 
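Review bot: sam_ads_add_account gains `SEC_DESC *sd;` and `uint32 acc_granted;`, but nothing in the hunk initialises or reads them; unless the rest of the function (outside the hunk) adds the sec-desc lookup and access check, they are unused locals and should be dropped or the check added. In sam_ads_create_account, `(*account)->access_granted = acc_granted;` stores the rights that se_access_check granted, which is the right place for it, but `acc_granted` is only written when sam_ads_access_check succeeds, so the assignment must stay behind the early returns as it does now. Both functions extend past the hunk.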
@@ -892,22 +1008,81 @@ static NTSTATUS sam_ads_enum_accounts(const SAM_METHODS *sam_method, const NT_US return ads_ntstatus(ads_status); } -static NTSTATUS sam_ads_get_account_by_sid(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const DOM_SID *accountsid, SAM_ACCOUNT_HANDLE **account) +#if 0 +static NTSTATUS sam_ads_get_account_by_sid(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const DOM_SID *account_sid, SAM_ACCOUNT_HANDLE **account) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; + ADS_STRUCT *ads_struct = privates->ads_struct; + TALLOC_CTX *mem_ctx = privates->mem_ctx; + SEC_DESC *sd = NULL; + uint32 acc_granted; + + SAM_ASSERT(sam_method && privates && ads_struct && access_token && account_sid && account); + + ads_status = ADS_ERROR_NT(sam_ads_get_sec_desc(sam_method, access_token, account_sid, &my_sd)); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = sam_ads_access_check(privates, sd, access_token, access_desired, &acc_granted); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = ADS_ERROR_NT(sam_init_account(account)); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + (*account)->access_granted = acc_granted; + + return ads_ntstatus(ads_status); +} +#else +static NTSTATUS sam_ads_get_account_by_sid(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const DOM_SID *account_sid, SAM_ACCOUNT_HANDLE **account) { ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; DEBUG(0,("sam_ads: %s was called!\n",__FUNCTION__)); SAM_ASSERT(sam_method); return ads_ntstatus(ads_status); } +#endif -static NTSTATUS sam_ads_get_account_by_name(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const char *name, 
SAM_ACCOUNT_HANDLE **account) +#if 0 +static NTSTATUS sam_ads_get_account_by_name(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const char *account_name, SAM_ACCOUNT_HANDLE **account) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; + ADS_STRUCT *ads_struct = privates->ads_struct; + TALLOC_CTX *mem_ctx = privates->mem_ctx; + SEC_DESC *sd = NULL; + uint32 acc_granted; + + SAM_ASSERT(sam_method && privates && ads_struct && access_token && account_name && account); + + ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &sd); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = sam_ads_access_check(privates, sd, access_token, access_desired, &acc_granted); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = ADS_ERROR_NT(sam_init_account(account)); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + (*account)->access_granted = acc_granted; + + return ads_ntstatus(ads_status); +} +#else +static NTSTATUS sam_ads_get_account_by_name(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const char *account_name, SAM_ACCOUNT_HANDLE **account) { ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; DEBUG(0,("sam_ads: %s was called!\n",__FUNCTION__)); SAM_ASSERT(sam_method); return ads_ntstatus(ads_status); } - +#endif /* Group API */ static NTSTATUS sam_ads_create_group(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, uint32 access_desired, const char *group_name, uint16 group_ctrl, SAM_GROUP_HANDLE **group) 
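Review bot: The disabled (`#if 0`) sam_ads_get_account_by_sid body passes `&my_sd` to sam_ads_get_sec_desc, but no `my_sd` is declared (the local is `sd`), so the block will not compile once enabled; and because `sd` is then still NULL when it reaches sam_ads_access_check, that function's `SAM_ASSERT(privates && sd && access_token)` rejects it. Changing the call to `&sd` fixes both. In both disabled bodies `ads_struct` and `mem_ctx` are unused, and sam_init_account(account) is called without any entry lookup, so the returned handle would be empty; presumably the ads_entry2sam_account_handle step is still to come and would merit a FIXME there rather than silent success.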
@@ -945,7 +1120,7 @@ static NTSTATUS sam_ads_delete_group(const SAM_METHODS *sam_method, const SAM_GR static NTSTATUS sam_ads_enum_groups(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint16 group_ctrl, uint32 *groups_count, SAM_GROUP_ENUM **groups) { ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; - struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data; + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; ADS_STRUCT *ads_struct = privates->ads_struct; TALLOC_CTX *mem_ctx = privates->mem_ctx; void *res = NULL; @@ -965,7 +1140,7 @@ static NTSTATUS sam_ads_enum_groups(const SAM_METHODS *sam_method, const NT_USER DEBUG(3,("ads: enum_dom_groups\n")); - /* Fix Me: get only group from the wanted Type */ + FIXME("get only group from the wanted Type!\n"); asprintf(&filter, "(&(objectClass=group)(groupType=%s))", "*"); ads_status = sam_ads_do_search(privates, ads_struct->config.bind_path, LDAP_SCOPE_SUBTREE, filter, group_enum_attrs, &res); if (!ADS_ERR_OK(ads_status)) { @@ -1071,7 +1246,7 @@ Free our private data ***********************************/ static void sam_ads_free_private_data(void **vp) { - struct sam_ads_privates **sam_ads_state = (struct sam_ads_privates **)vp; + SAM_ADS_PRIVATES **sam_ads_state = (SAM_ADS_PRIVATES **)vp; if ((*sam_ads_state)->ads_struct->ld) { ldap_unbind((*sam_ads_state)->ads_struct->ld); @@ -1080,7 +1255,7 @@ static void sam_ads_free_private_data(void **vp) ads_destroy(&((*sam_ads_state)->ads_struct)); talloc_destroy((*sam_ads_state)->mem_ctx); - /* Fix me: maybe we must free some other stuff here */ + FIXME("maybe we must free some other stuff here\n"); *sam_ads_state = NULL; } 
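Review bot: sam_ads_free_private_data dereferences `(*sam_ads_state)->ads_struct->ld` unguarded, but ads_struct is only assigned on the first sam_ads_cached_connection() call and the state is talloc_zero'd in sam_init_ads, so freeing a backend that never connected crashes on a NULL ads_struct; wrap the unbind and ads_destroy in `if ((*sam_ads_state)->ads_struct) { ... }`. The FIXME that replaces the comment in this hunk also turns a maintainer note into a level-0 log line on every teardown, and the one added to sam_ads_enum_groups logs on every group enumeration. The function starts outside the hunk.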
@@ -1093,7 +1268,7 @@ Init the ADS SAM backend NTSTATUS sam_init_ads(SAM_METHODS *sam_method, const char *module_params) { ADS_STATUS ads_status; - struct sam_ads_privates *sam_ads_state; + SAM_ADS_PRIVATES *sam_ads_state; TALLOC_CTX *mem_ctx; SAM_ASSERT(sam_method && sam_method->parent); @@ -1142,8 +1317,7 @@ NTSTATUS sam_init_ads(SAM_METHODS *sam_method, const char *module_params) sam_method->sam_get_groups_of_sid = sam_ads_get_groups_of_sid; - /*Fix me: use talloc !*/ - sam_ads_state = talloc_zero(mem_ctx, sizeof(struct sam_ads_privates)); + sam_ads_state = talloc_zero(mem_ctx, sizeof(SAM_ADS_PRIVATES)); if (!sam_ads_state) { DEBUG(0, ("talloc() failed for sam_ads private_data!\n")); return NT_STATUS_NO_MEMORY; |
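Review bot: Style: `sam_ads_state = talloc_zero(mem_ctx, sizeof(SAM_ADS_PRIVATES));` would be better as `sam_ads_state = talloc_zero(mem_ctx, sizeof(*sam_ads_state));`, which keeps the allocation size tied to the variable if the type is renamed again. Removing the stale "use talloc" comment next to a call that already uses talloc is correct. sam_init_ads continues past the hunk.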