author | Andrew Bartlett <abartlet@samba.org> | 2011-05-08 12:52:06 +0200 |
committer | Andrew Bartlett <abartlet@samba.org> | 2011-05-08 17:48:33 +0200 |
commit | 25cfa29e29bdbb6c84bd85ea02ec542228ae585f (patch) | |
tree | d57bc2ecf0de9d615515fd1b37433accd39af8b6 | |
parent | 5d2ce400d2324e58861b696a02582d2858d1b25b (diff) | |
s3-passdb Redirect domain GUID and SID queries to the passdb stack
This is done when the passdb backend advertises the PDB_CAP_ADS capability, and ensures that a random domain SID or GUID is never made up locally for these directories.
This is only enabled when in the waf build, due to dependency issues.
Andrew Bartlett
-rw-r--r-- | source3/passdb/machine_account_secrets.c | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 61894d4ee6..665e2f89a4 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -57,6 +57,17 @@ bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid)
 {
 bool ret;
+#ifdef _SAMBA_WAF_BUILD_
+ if (strequal(domain, get_global_sam_name()) &&
+ (pdb_capabilities() & PDB_CAP_ADS)) {
+ /* If we have a ADS-capable passdb backend, we
+ * must never make up our own SID, it will
+ * already be in the directory */
+ DEBUG(0, ("Refusing to store a Domain SID, this should be read from the directory not stored here\n"));
+ return false;
+ }
+#endif
+
 ret = secrets_store(domain_sid_keystr(domain), sid, sizeof(struct dom_sid ));
 /* Force a re-query, in case we modified our domain */
@@ -70,6 +81,24 @@ bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid)
 struct dom_sid *dyn_sid;
 size_t size = 0;
+#ifdef _SAMBA_WAF_BUILD_
+ if (strequal(domain, get_global_sam_name()) &&
+ (pdb_capabilities() & PDB_CAP_ADS)) {
+ struct pdb_domain_info *domain_info;
+ domain_info = pdb_get_domain_info(talloc_tos());
+ if (!domain_info) {
+ /* If we have a ADS-capable passdb backend, we
+ * must never make up our own SID, it will
+ * already be in the directory */
+ DEBUG(0, ("Unable to fetch a Domain SID from the directory!\n"));
+ return false;
+ }
+
+ *sid = domain_info->sid;
+ return true;
+ }
+#endif
+
 dyn_sid = (struct dom_sid *)secrets_fetch(domain_sid_keystr(domain), &size);
 if (dyn_sid == NULL)
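Review bot: The guard `strequal(domain, get_global_sam_name()) && (pdb_capabilities() & PDB_CAP_ADS)` is written out by hand in secrets_store_domain_sid and is repeated verbatim in the three sibling hunks of this commit, so the policy "our own domain lives in the directory" has four places to drift apart the next time someone touches one of them. A small file-scope helper would make the intent readable at each call site and keep the `#ifdef _SAMBA_WAF_BUILD_` fence in one spot, with the guard becoming `if (domain_is_in_directory(domain)) {`. Note that with the store refused under the waf build but compiled out otherwise, the two build systems behave differently for the same configuration, which is worth a comment on the helper rather than something a reader has to infer from the commit message. secrets_store_domain_sid's body continues past the end of this hunk.
```c
/* True when the domain's SID and GUID are owned by an ADS-capable passdb
 * backend and must be read from the directory, never stored in secrets.tdb.
 * Only compiled in for the waf build; the autoconf build still stores locally. */
static bool domain_is_in_directory(const char *domain)
{
#ifdef _SAMBA_WAF_BUILD_
	return strequal(domain, get_global_sam_name()) &&
		(pdb_capabilities() & PDB_CAP_ADS);
#else
	return false;
#endif
}
```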
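Review bot: In secrets_fetch_domain_sid the `struct pdb_domain_info` returned by `pdb_get_domain_info(talloc_tos())` is left on the talloc stackframe after the SID has been copied out with `*sid = domain_info->sid;`, so every call of this lookup accumulates an allocation until the enclosing frame is popped. Since only the by-value copy is needed, releasing it right after the copy, `TALLOC_FREE(domain_info);`, keeps the function's footprint independent of how often callers query the SID. This also presumes a talloc stackframe is active whenever secrets_fetch_domain_sid is reached; I cannot confirm that from the hunk, so it may be worth a one-line comment. The function's body continues outside this hunk.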
@@ -89,6 +118,17 @@ bool secrets_store_domain_guid(const char *domain, struct GUID *guid)
 {
 fstring key;
+#ifdef _SAMBA_WAF_BUILD_
+ if (strequal(domain, get_global_sam_name()) &&
+ (pdb_capabilities() & PDB_CAP_ADS)) {
+ /* If we have a ADS-capable passdb backend, we
+ * must never make up our own GUID, it will
+ * already be in the directory */
+ DEBUG(0, ("Refusing to store a Domain GUID, this should be read from the directory not stored here\n"));
+ return false;
+ }
+#endif
+
 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
 strupper_m(key);
 return secrets_store(key, guid, sizeof(struct GUID));
@@ -101,6 +141,24 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
 size_t size = 0;
 struct GUID new_guid;
+#ifdef _SAMBA_WAF_BUILD_
+ if (strequal(domain, get_global_sam_name()) &&
+ (pdb_capabilities() & PDB_CAP_ADS)) {
+ struct pdb_domain_info *domain_info;
+ domain_info = pdb_get_domain_info(talloc_tos());
+ if (!domain_info) {
+ /* If we have a ADS-capable passdb backend, we
+ * must never make up our own SID, it will
+ * already be in the directory */
+ DEBUG(0, ("Unable to fetch a Domain GUID from the directory!\n"));
+ return false;
+ }
+
+ *guid = domain_info->guid;
+ return true;
+ }
+#endif
+
 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
 strupper_m(key);
 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
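Review bot: The refusal in secrets_store_domain_guid is logged at DEBUG level 0, so it lands in the log unconditionally, yet the message names neither the domain being refused nor anything a caller could be correlated with, which makes the resulting `false` return hard to triage when an operator sees it. Including the domain costs nothing: `DEBUG(0, ("Refusing to store a Domain GUID for %s, this should be read from the directory not stored here\n", domain));`. The same applies to the SID variant of this message earlier in the commit. The closing brace of secrets_store_domain_guid is outside this hunk.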
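Review bot: The comment inside the `if (!domain_info)` branch of secrets_fetch_domain_guid was copied from the SID variant and still reads `* must never make up our own SID, it will`, while the DEBUG line right below it correctly talks about the GUID; the comment should say `* must never make up our own GUID, it will`. Small as it is, a comment that contradicts the adjacent log message is exactly what misleads the next reader of this fallback path. The body of secrets_fetch_domain_guid continues past the end of this hunk.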