diff options
| author | Simo Sorce <idra@samba.org> | 2012-01-26 15:27:54 -0500 |
|---|---|---|
| committer | Andreas Schneider <asn@samba.org> | 2012-01-27 18:11:10 +0100 |
| commit | e6c39a292c7aa17792f09222d17733ecc9207849 (patch) | |
| tree | 19eee80a64985d433ff5829fe1fa8e85e996cdcf /source3/passdb/machine_account_secrets.c | |
| parent | c543ce102890532c45ec9b293b705336f0e2c5bf (diff) | |
| download | samba-e6c39a292c7aa17792f09222d17733ecc9207849.tar.gz samba-e6c39a292c7aa17792f09222d17733ecc9207849.tar.bz2 samba-e6c39a292c7aa17792f09222d17733ecc9207849.zip | |
s3-pdb: Break SECRETS3 dependency on PDB.
This is causing circular depdnendcies that bring libpdb in all code and this is
BAD.
This change 'protects' the sid and guid of the domain by adding a special key
that makes them effectively read only.
Limit this temporarily to the samba 4 build, once it gets some good testing the
samba4 ifdefs can be dropped.
fix pdb dependencies
Signed-off-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source3/passdb/machine_account_secrets.c')
| -rw-r--r-- | source3/passdb/machine_account_secrets.c | 99 |
1 files changed, 49 insertions, 50 deletions
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c index 565c7c4c20..a2bd8be493 100644 --- a/source3/passdb/machine_account_secrets.c +++ b/source3/passdb/machine_account_secrets.c @@ -53,18 +53,52 @@ static const char *domain_sid_keystr(const char *domain) return keystr; } +static const char *protect_ids_keystr(const char *domain) +{ + char *keystr; + + keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s", + SECRETS_PROTECT_IDS, domain); + SMB_ASSERT(keystr != NULL); + return keystr; +} + +/* N O T E: never use this outside of passdb modules that store the SID on their own */ +bool secrets_mark_domain_protected(const char *domain) +{ + bool ret; + + ret = secrets_store(protect_ids_keystr(domain), "TRUE", 5); + if (!ret) { + DEBUG(0, ("Failed to protect the Domain IDs\n")); + } + return ret; +} + +bool secrets_clear_domain_protection(const char *domain) +{ + bool ret; + + ret = secrets_delete(protect_ids_keystr(domain)); + if (!ret) { + DEBUG(0, ("Failed to remove Domain IDs protection\n")); + } + return ret; +} + bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid) { + char *protect_ids; bool ret; #if _SAMBA_BUILD_ == 4 - if (strequal(domain, get_global_sam_name()) && - (pdb_capabilities() & PDB_CAP_ADS)) { - /* If we have a ADS-capable passdb backend, we - * must never make up our own SID, it will - * already be in the directory */ - DEBUG(0, ("Refusing to store a Domain SID, this should be read from the directory not stored here\n")); - return false; + protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL); + if (protect_ids) { + if (strncmp(protect_ids, "TRUE", 4)) { + DEBUG(0, ("Refusing to store a Domain SID, " + "it has been marked as protected!\n")); + return false; + } } #endif @@ -81,24 +115,6 @@ bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid) struct dom_sid *dyn_sid; size_t size = 0; -#if _SAMBA_BUILD_ == 4 - if (strequal(domain, get_global_sam_name()) && - (pdb_capabilities() & PDB_CAP_ADS)) { - struct pdb_domain_info *domain_info; - domain_info = pdb_get_domain_info(talloc_tos()); - if (!domain_info) { - /* If we have a ADS-capable passdb backend, we - * must never make up our own SID, it will - * already be in the directory */ - DEBUG(0, ("Unable to fetch a Domain SID from the directory!\n")); - return false; - } - - *sid = domain_info->sid; - return true; - } -#endif - dyn_sid = (struct dom_sid *)secrets_fetch(domain_sid_keystr(domain), &size); if (dyn_sid == NULL) @@ -116,16 +132,17 @@ bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid) bool secrets_store_domain_guid(const char *domain, struct GUID *guid) { + char *protect_ids; fstring key; #if _SAMBA_BUILD_ == 4 - if (strequal(domain, get_global_sam_name()) && - (pdb_capabilities() & PDB_CAP_ADS)) { - /* If we have a ADS-capable passdb backend, we - * must never make up our own GUID, it will - * already be in the directory */ - DEBUG(0, ("Refusing to store a Domain GUID, this should be read from the directory not stored here\n")); - return false; + protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL); + if (protect_ids) { + if (strncmp(protect_ids, "TRUE", 4)) { + DEBUG(0, ("Refusing to store a Domain SID, " + "it has been marked as protected!\n")); + return false; + } } #endif @@ -141,24 +158,6 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid) size_t size = 0; struct GUID new_guid; -#if _SAMBA_BUILD_ == 4 - if (strequal(domain, get_global_sam_name()) && - (pdb_capabilities() & PDB_CAP_ADS)) { - struct pdb_domain_info *domain_info; - domain_info = pdb_get_domain_info(talloc_tos()); - if (!domain_info) { - /* If we have a ADS-capable passdb backend, we - * must never make up our own SID, it will - * already be in the directory */ - DEBUG(0, ("Unable to fetch a Domain GUID from the directory!\n")); - return false; - } - - *guid = domain_info->guid; - return true; - } -#endif - slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain); strupper_m(key); dyn_guid = (struct GUID *)secrets_fetch(key, &size); |