Initial design of some of the functions to operate on trust passwords

from passdb backend level (tdbsam, in this case).
It is written as wrapper for secrets_ calls that use secrets.tdb file
and is not treated as eventual solution. Trust passwords are being
handled uniformly, SAM_TRUST_PASSWD structure, and so they should be
stored as well.

Note, this code is disabled ie. not used anywhere yet. I'm working
on next routines in line.


rafal
(This used to be commit 02ac9332ab1d34f47667b40ce23b2b5d04c4dff1)

1 files changed, 202 insertions, 0 deletions

diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
index 966682563c..1d8fb9b7ec 100644
--- a/source3/passdb/pdb_tdb.c
+++ b/source3/passdb/pdb_tdb.c
@@ -643,6 +643,203 @@ static void free_private_data(void **vp)
 	/* No need to free any further, as it is talloc()ed */
 }
 
+/**
+ * Start enumerating through trust passwords (machine and
+ * interdomain nt/ads)
+ *
+ * @param methods methods belonging in pdb context (module)
+ * @param trust trust password structure
+ *
+ * @return nt status of performed operation
+ **/
+
+static NTSTATUS tdbsam_gettrustpwent(struct pdb_methods *methods, SAM_TRUST_PASSWD *trust)
+{
+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+	struct trust_passwd_data t;
+	TALLOC_CTX *mem_ctx;
+	
+	TRUSTDOM **trustdom;
+	static int enum_ctx;
+	int num_domains = 0;
+	unsigned int max_domains = 1;
+	char *dom_name, *dom_pass;
+	
+	smb_ucs2_t *uni_dom_name;
+	uint8 mach_pass[16];
+	uint32 sec_chan;
+	
+	if (!methods) return NT_STATUS_UNSUCCESSFUL;
+	
+	/*
+	 * NT domain trust passwords
+	 */
+	
+	/* rewind enumeration when passed NULL pointer as a trust */
+	if (!trust) {
+		enum_ctx = 0;
+		return NT_STATUS_OK;
+	}
+	
+	mem_ctx = talloc_init("tdbsam_gettrustpwent: trust password enumeration");
+
+	/* fetch next trusted domain (one at a time) and its full information */
+	nt_status = secrets_get_trusted_domains(mem_ctx, &enum_ctx, max_domains, &num_domains,
+	                                        &trustdom);
+	if (num_domains) {
+		pull_ucs2_talloc(mem_ctx, &dom_name, trustdom[0]->name);
+		if (secrets_fetch_trusted_domain_password(dom_name, &dom_pass, &t.domain_sid,
+		                                          &t.mod_time)) {
+
+			t.uni_name_len = strnlen_w(trustdom[0]->name, 32);
+			strncpy_w(t.uni_name, trustdom[0]->name, t.uni_name_len);
+			safe_strcpy(t.pass, dom_pass, FSTRING_LEN - 1);
+			t.flags = PASS_DOMAIN_TRUST_NT;
+
+			SAFE_FREE(dom_pass);
+			talloc_destroy(mem_ctx);
+			trust->private = t;
+			return nt_status;
+		} else {
+			talloc_destroy(mem_ctx);
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+	}
+	
+	/*
+	 * NT machine trust password
+	 */
+	
+	if (secrets_lock_trust_account_password(lp_workgroup(), True)) {
+		sec_chan = get_default_sec_channel();
+		if (secrets_fetch_trust_account_password(lp_workgroup(), mach_pass, &t.mod_time,
+		                                         &sec_chan)) {
+			
+			t.uni_name_len = strlen(lp_workgroup());
+			push_ucs2_talloc(mem_ctx, &uni_dom_name, lp_workgroup());
+			strncpy_w(t.uni_name, uni_dom_name, t.uni_name_len);
+			safe_strcpy(t.pass, mach_pass, FSTRING_LEN - 1);
+			t.flags = PASS_MACHINE_TRUST_NT;
+			if (!secrets_fetch_domain_sid(lp_workgroup(), &t.domain_sid)) {
+				talloc_destroy(mem_ctx);
+				return NT_STATUS_UNSUCCESSFUL;
+			}
+			
+			talloc_destroy(mem_ctx);
+			trust->private = t;
+			return NT_STATUS_OK;
+		}
+		secrets_lock_trust_account_password(lp_workgroup(), False);
+	} else {
+		talloc_destroy(mem_ctx);
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	/*
+	 * ADS machine trust password (TODO)
+	 */
+
+	talloc_destroy(mem_ctx);
+	return nt_status;
+}
+
+/**
+ * Get trust password by trusted party sid
+ *
+ * @param methods methods belonging to pdb context (module)
+ * @param trust trust password structure
+ * @param sid trusted party sid
+ *
+ * @return nt status of performed operation
+ **/
+ 
+static NTSTATUS tdbsam_gettrustpwsid(struct pdb_methods *methods, SAM_TRUST_PASSWD *trust,
+                                     const DOM_SID *sid)
+{
+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+	return nt_status;
+}
+
+
+/**
+ * Add new trust password.
+ *
+ * @param methods methods belonging in pdb context (module)
+ * @param trust trust password structure
+ *
+ * @return nt status of performed operation
+ **/
+
+static NTSTATUS tdbsam_add_trust_passwd(struct pdb_methods *methods, const SAM_TRUST_PASSWD *trust)
+{
+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+	BOOL status = False;
+	TALLOC_CTX *mem_ctx;
+	
+	char* domain = NULL;
+	struct trust_passwd_data t = trust->private;
+	uint32 sec_chan;
+
+	mem_ctx = talloc_init("tdbsam_add_trust_passwd: storing new trust password");
+		
+	/* convert unicode name to char* (used to form the key) */
+	pull_ucs2_talloc(mem_ctx, &domain, t.uni_name);
+	
+	/* add nt machine trust password */
+	if (t.flags & (PASS_MACHINE_TRUST_NT | PASS_SERVER_TRUST_NT)) {
+		sec_chan = (t.flags & PASS_MACHINE_TRUST_NT) ? SEC_CHAN_WKSTA : SEC_CHAN_BDC;
+		status = secrets_store_machine_password(t.pass, domain, sec_chan);
+		if (status)
+			status = secrets_store_domain_sid(domain, &t.domain_sid);
+		
+		nt_status = status ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+		
+	/* add nt domain trust password */
+	} else if (t.flags & PASS_DOMAIN_TRUST_NT) {
+		status = secrets_store_trusted_domain_password(domain, t.uni_name, t.uni_name_len,
+		                                               t.pass, t.domain_sid);
+		nt_status = status ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+		
+	/* add ads machine trust password (TODO) */
+	} else if (t.flags & PASS_MACHINE_TRUST_ADS) {
+	}
+
+	talloc_destroy(mem_ctx);	
+	return nt_status;
+}
+
+
+/**
+ * Update trust password.
+ *
+ * @param methods methods belonging in pdb context (module)
+ * @param trust trust password structure
+ *
+ * @return nt status of performed operation
+ **/
+
+static NTSTATUS tdbsam_update_trust_passwd(struct pdb_methods *methods, const SAM_TRUST_PASSWD* trust)
+{
+	NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+	return nt_status;
+}
+
+
+/**
+ * Delete trust password.
+ *
+ * @param methods methods belonging in pdb context (module)
+ * @param trust trust password structure
+ *
+ * @return nt status of performed operation
+ **/
+
+static NTSTATUS tdbsam_delete_trust_passwd(struct pdb_methods *methods, const SAM_TRUST_PASSWD* trust)
+{
+	NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+	return nt_status;
+}
+
 
 static NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
 {
@@ -663,6 +860,11 @@ static NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_meth
 	(*pdb_method)->add_sam_account = tdbsam_add_sam_account;
 	(*pdb_method)->update_sam_account = tdbsam_update_sam_account;
 	(*pdb_method)->delete_sam_account = tdbsam_delete_sam_account;
+	(*pdb_method)->gettrustpwent = tdbsam_gettrustpwent;
+	(*pdb_method)->gettrustpwsid = tdbsam_gettrustpwsid;
+	(*pdb_method)->add_trust_passwd = tdbsam_add_trust_passwd;
+	(*pdb_method)->update_trust_passwd = tdbsam_update_trust_passwd;
+	(*pdb_method)->delete_trust_passwd = tdbsam_delete_trust_passwd;
 
 	tdb_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct tdbsam_privates));