authorAndrew Bartlett <abartlet@samba.org>2011-05-08 12:52:06 +0200
committerAndrew Bartlett <abartlet@samba.org>2011-05-08 17:48:33 +0200
commit25cfa29e29bdbb6c84bd85ea02ec542228ae585f (patch)
treed57bc2ecf0de9d615515fd1b37433accd39af8b6
parent5d2ce400d2324e58861b696a02582d2858d1b25b (diff)
s3-passdb Redirect domain GUID and SID queries to the passdb stack
This is done if the passdb module supports PDB_ADS, and ensures that a random SID is never made up locally for these directories. This is only enabled when in the waf build, due to dependency issues. Andrew Bartlett
-rw-r--r--source3/passdb/machine_account_secrets.c58
1 files changed, 58 insertions, 0 deletions
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 61894d4ee6..665e2f89a4 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -57,6 +57,17 @@ bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid)
{
bool ret;
+#ifdef _SAMBA_WAF_BUILD_
+ if (strequal(domain, get_global_sam_name()) &&
+ (pdb_capabilities() & PDB_CAP_ADS)) {
+ /* If we have a ADS-capable passdb backend, we
+ * must never make up our own SID, it will
+ * already be in the directory */
+ DEBUG(0, ("Refusing to store a Domain SID, this should be read from the directory not stored here\n"));
+ return false;
+ }
+#endif
+
ret = secrets_store(domain_sid_keystr(domain), sid, sizeof(struct dom_sid ));
/* Force a re-query, in case we modified our domain */
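Review bot: The guard `strequal(domain, get_global_sam_name()) && (pdb_capabilities() & PDB_CAP_ADS)` added here is repeated verbatim in the next three hunks (secrets_fetch_domain_sid, secrets_store_domain_guid and secrets_fetch_domain_guid), and the `#ifdef _SAMBA_WAF_BUILD_` wrapper with it; four copies of the same authoritative-backend test are four places that can drift apart. A file-scope helper keeps the decision in one spot, e.g. `static bool domain_info_is_in_directory(const char *domain) { return strequal(domain, get_global_sam_name()) && (pdb_capabilities() & PDB_CAP_ADS); }`, with the `#ifdef` around the helper's body so the callers stay unconditional. The refusal message at DEBUG level 0 would also be more actionable if it named the domain being refused, since callers only see `false`. secrets_store_domain_sid's body continues outside the hunk.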
@@ -70,6 +81,24 @@ bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid)
struct dom_sid *dyn_sid;
size_t size = 0;
+#ifdef _SAMBA_WAF_BUILD_
+ if (strequal(domain, get_global_sam_name()) &&
+ (pdb_capabilities() & PDB_CAP_ADS)) {
+ struct pdb_domain_info *domain_info;
+ domain_info = pdb_get_domain_info(talloc_tos());
+ if (!domain_info) {
+ /* If we have a ADS-capable passdb backend, we
+ * must never make up our own SID, it will
+ * already be in the directory */
+ DEBUG(0, ("Unable to fetch a Domain SID from the directory!\n"));
+ return false;
+ }
+
+ *sid = domain_info->sid;
+ return true;
+ }
+#endif
+
dyn_sid = (struct dom_sid *)secrets_fetch(domain_sid_keystr(domain), &size);
if (dyn_sid == NULL)
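Review bot: The `struct pdb_domain_info` obtained from `pdb_get_domain_info(talloc_tos())` is never released in this path; `*sid = domain_info->sid;` copies the struct by value, so `TALLOC_FREE(domain_info);` before `return true;` is safe and removes the dependence on a caller-provided talloc stackframe to reclaim it (whether every caller of secrets_fetch_domain_sid holds one is not visible here). The comment at the `!domain_info` branch explains why no local SID is invented rather than what failed; `/* Directory lookup failed; the directory is authoritative, so do not fall back to secrets.tdb */` would describe the branch it sits on. The same two points apply to the GUID fetch in the last hunk. secrets_fetch_domain_sid's body continues outside the hunk.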
@@ -89,6 +118,17 @@ bool secrets_store_domain_guid(const char *domain, struct GUID *guid)
{
fstring key;
+#ifdef _SAMBA_WAF_BUILD_
+ if (strequal(domain, get_global_sam_name()) &&
+ (pdb_capabilities() & PDB_CAP_ADS)) {
+ /* If we have a ADS-capable passdb backend, we
+ * must never make up our own GUID, it will
+ * already be in the directory */
+ DEBUG(0, ("Refusing to store a Domain GUID, this should be read from the directory not stored here\n"));
+ return false;
+ }
+#endif
+
slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
strupper_m(key);
return secrets_store(key, guid, sizeof(struct GUID));
@@ -101,6 +141,24 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
size_t size = 0;
struct GUID new_guid;
+#ifdef _SAMBA_WAF_BUILD_
+ if (strequal(domain, get_global_sam_name()) &&
+ (pdb_capabilities() & PDB_CAP_ADS)) {
+ struct pdb_domain_info *domain_info;
+ domain_info = pdb_get_domain_info(talloc_tos());
+ if (!domain_info) {
+ /* If we have a ADS-capable passdb backend, we
+ * must never make up our own SID, it will
+ * already be in the directory */
+ DEBUG(0, ("Unable to fetch a Domain GUID from the directory!\n"));
+ return false;
+ }
+
+ *guid = domain_info->guid;
+ return true;
+ }
+#endif
+
slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
strupper_m(key);
dyn_guid = (struct GUID *)secrets_fetch(key, &size);
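Review bot: The comment in the `!domain_info` branch of secrets_fetch_domain_guid still says "must never make up our own SID", copied from the SID fetch; this path returns the domain GUID, so the line should read `* must never make up our own GUID, it will`. As in the SID fetch, `domain_info` is allocated on `talloc_tos()` and not freed after `*guid = domain_info->guid;` copies the value; `TALLOC_FREE(domain_info);` before `return true;` avoids leaving the struct on the stackframe. The pre-existing `new_guid` fallback below is now unreachable for an ADS-capable backend, which matches the commit's intent but is worth a one-line comment at the guard so a later reader does not re-add generation. secrets_fetch_domain_guid's body continues outside the hunk.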