summaryrefslogtreecommitdiff
path: root/source3/passdb
diff options
context:
space:
mode:
authorJames Peach <jpeach@samba.org>2007-12-13 20:56:53 -0800
committerJames Peach <jpeach@samba.org>2007-12-13 20:56:53 -0800
commit7b457645fb40d7195d75f8e38883b140abcb1955 (patch)
tree90c3ca21cd40c98ed4c7c1580b75216f689fad97 /source3/passdb
parent12ac4c3119b3b7712e670d95d61413d97ecafaef (diff)
parent138333ed1f571cd6bb76c3be655f70e35cd48a99 (diff)
downloadsamba-7b457645fb40d7195d75f8e38883b140abcb1955.tar.gz
samba-7b457645fb40d7195d75f8e38883b140abcb1955.tar.bz2
samba-7b457645fb40d7195d75f8e38883b140abcb1955.zip
Merge branch 'v3-2-test' of git://git.samba.org/samba into v3-2-test
(This used to be commit 0de2b3eb515f2da21ffd1ce54979bb1f8063024b)
Diffstat (limited to 'source3/passdb')
-rw-r--r--source3/passdb/lookup_sid.c45
-rw-r--r--source3/passdb/passdb.c85
-rw-r--r--source3/passdb/secrets.c67
3 files changed, 132 insertions, 65 deletions
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index bb54959e96..54db14fbfe 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -59,16 +59,19 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
name = talloc_strdup(tmp_ctx, full_name);
}
- DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n",
- full_name, domain, name));
-
if ((domain == NULL) || (name == NULL)) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
- if (strequal(domain, get_global_sam_name())) {
+ DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n",
+ full_name, domain, name));
+ DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
+
+ if ((flags & LOOKUP_NAME_DOMAIN) &&
+ strequal(domain, get_global_sam_name()))
+ {
/* It's our own domain, lookup the name in passdb */
if (lookup_global_sam_name(name, flags, &rid, &type)) {
@@ -80,8 +83,9 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
return false;
}
- if (strequal(domain, builtin_domain_name())) {
-
+ if ((flags & LOOKUP_NAME_BUILTIN) &&
+ strequal(domain, builtin_domain_name()))
+ {
/* Explicit request for a name in BUILTIN */
if (lookup_builtin_name(name, &rid)) {
sid_copy(&sid, &global_sid_Builtin);
@@ -97,6 +101,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
* domain yet at this point yet. This comes later. */
if ((domain[0] != '\0') &&
+ (flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) &&
(winbind_lookup_name(domain, name, &sid, &type))) {
goto ok;
}
@@ -131,14 +136,18 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* 1. well-known names */
- if (lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) {
+ if ((flags & LOOKUP_NAME_WKN) &&
+ lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
+ {
type = SID_NAME_WKN_GRP;
goto ok;
}
/* 2. Builtin domain as such */
- if (strequal(name, builtin_domain_name())) {
+ if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) &&
+ strequal(name, builtin_domain_name()))
+ {
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
sid_copy(&sid, &global_sid_Builtin);
@@ -148,7 +157,9 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* 3. Account domain */
- if (strequal(name, get_global_sam_name())) {
+ if ((flags & LOOKUP_NAME_DOMAIN) &&
+ strequal(name, get_global_sam_name()))
+ {
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(3, ("Could not fetch my SID\n"));
TALLOC_FREE(tmp_ctx);
@@ -162,7 +173,9 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* 4. Primary domain */
- if (!IS_DC && strequal(name, lp_workgroup())) {
+ if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC &&
+ strequal(name, lp_workgroup()))
+ {
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(3, ("Could not fetch the domain SID\n"));
TALLOC_FREE(tmp_ctx);
@@ -177,7 +190,9 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* 5. Trusted domains as such, to me it looks as if members don't do
this, tested an XP workstation in a NT domain -- vl */
- if (IS_DC && (pdb_get_trusteddom_pw(name, NULL, &sid, NULL))) {
+ if ((flags & LOOKUP_NAME_REMOTE) && IS_DC &&
+ (secrets_fetch_trusted_domain_password(name, NULL, &sid, NULL)))
+ {
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
@@ -186,7 +201,9 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* 6. Builtin aliases */
- if (lookup_builtin_name(name, &rid)) {
+ if ((flags & LOOKUP_NAME_BUILTIN) &&
+ lookup_builtin_name(name, &rid))
+ {
domain = talloc_strdup(tmp_ctx, builtin_domain_name());
sid_copy(&sid, &global_sid_Builtin);
sid_append_rid(&sid, rid);
@@ -199,7 +216,9 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
/* Both cases are done by looking at our passdb */
- if (lookup_global_sam_name(name, flags, &rid, &type)) {
+ if ((flags & LOOKUP_NAME_DOMAIN) &&
+ lookup_global_sam_name(name, flags, &rid, &type))
+ {
domain = talloc_strdup(tmp_ctx, get_global_sam_name());
sid_copy(&sid, get_global_sam_sid());
sid_append_rid(&sid, rid);
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 2a4d4c4a0a..c4248bb48e 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -1521,46 +1521,99 @@ bool pdb_increment_bad_password_count(struct samu *sampass)
return True;
}
+bool is_trusted_domain_situation(const char *domain_name)
+{
+ return IS_DC &&
+ lp_allow_trusted_domains() &&
+ !strequal(domain_name, lp_workgroup());
+}
/*******************************************************************
- Wrapper around retrieving the trust account password
+ Wrapper around retrieving the clear text trust account password.
+ appropriate account name is stored in account_name.
+ Caller must free password, but not account_name.
*******************************************************************/
-bool get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
+bool get_trust_pw_clear(const char *domain, char **ret_pwd,
+ const char **account_name, uint32 *channel)
{
- DOM_SID sid;
char *pwd;
time_t last_set_time;
/* if we are a DC and this is not our domain, then lookup an account
- for the domain trust */
+ * for the domain trust */
- if (IS_DC && !strequal(domain, lp_workgroup()) &&
- lp_allow_trusted_domains())
- {
- if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &last_set_time))
+ if (is_trusted_domain_situation(domain)) {
+ if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
+ &last_set_time))
{
DEBUG(0, ("get_trust_pw: could not fetch trust "
"account password for trusted domain %s\n",
domain));
- return False;
+ return false;
}
*channel = SEC_CHAN_DOMAIN;
- E_md4hash(pwd, ret_pwd);
- SAFE_FREE(pwd);
- return True;
+ if (account_name != NULL) {
+ *account_name = lp_workgroup();
+ }
+
+ return true;
}
/* Just get the account for the requested domain. In the future this
* might also cover to be member of more than one domain. */
- if (secrets_fetch_trust_account_password(domain, ret_pwd,
- &last_set_time, channel))
- return True;
+ pwd = secrets_fetch_machine_password(domain, &last_set_time, channel);
+
+ if (pwd != NULL) {
+ *ret_pwd = pwd;
+ if (account_name != NULL) {
+ *account_name = global_myname();
+ }
+
+ return true;
+ }
+
+ DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
+ "account password for domain %s\n", domain));
+ return false;
+}
+
+/*******************************************************************
+ Wrapper around retrieving the trust account password.
+ appropriate account name is stored in account_name.
+*******************************************************************/
+
+bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
+ const char **account_name, uint32 *channel)
+{
+ char *pwd = NULL;
+ time_t last_set_time;
+
+ if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
+ E_md4hash(pwd, ret_pwd);
+ SAFE_FREE(pwd);
+ return true;
+ } else if (is_trusted_domain_situation(domain)) {
+ return false;
+ }
+
+ /* as a fallback, try to get the hashed pwd directly from the tdb... */
+
+ if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
+ &last_set_time,
+ channel))
+ {
+ if (account_name != NULL) {
+ *account_name = global_myname();
+ }
+
+ return true;
+ }
- DEBUG(5, ("get_trust_pw: could not fetch trust account "
+ DEBUG(5, ("get_trust_pw_hash: could not fetch trust account "
"password for domain %s\n", domain));
return False;
}
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index a4cb76602a..fde7fc0968 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -284,27 +284,19 @@ uint32 get_default_sec_channel(void)
/************************************************************************
Routine to get the trust account password for a domain.
+ This only tries to get the legacy hashed version of the password.
The user of this function must have locked the trust password file using
the above secrets_lock_trust_account_password().
************************************************************************/
-bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
- time_t *pass_last_set_time,
- uint32 *channel)
+bool secrets_fetch_trust_account_password_legacy(const char *domain,
+ uint8 ret_pwd[16],
+ time_t *pass_last_set_time,
+ uint32 *channel)
{
struct machine_acct_pass *pass;
- char *plaintext;
size_t size = 0;
- plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
- channel);
- if (plaintext) {
- DEBUG(4,("Using cleartext machine password\n"));
- E_md4hash(plaintext, ret_pwd);
- SAFE_FREE(plaintext);
- return True;
- }
-
if (!(pass = (struct machine_acct_pass *)secrets_fetch(
trust_keystr(domain), &size))) {
DEBUG(5, ("secrets_fetch failed!\n"));
@@ -337,6 +329,32 @@ bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
return True;
}
+/************************************************************************
+ Routine to get the trust account password for a domain.
+ The user of this function must have locked the trust password file using
+ the above secrets_lock_trust_account_password().
+************************************************************************/
+
+bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
+ time_t *pass_last_set_time,
+ uint32 *channel)
+{
+ char *plaintext;
+
+ plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
+ channel);
+ if (plaintext) {
+ DEBUG(4,("Using cleartext machine password\n"));
+ E_md4hash(plaintext, ret_pwd);
+ SAFE_FREE(plaintext);
+ return True;
+ }
+
+ return secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
+ pass_last_set_time,
+ channel);
+}
+
/**
* Pack SID passed by pointer
*
@@ -558,20 +576,6 @@ bool secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
return True;
}
-/************************************************************************
- Routine to set the trust account password for a domain.
-************************************************************************/
-
-bool secrets_store_trust_account_password(const char *domain, uint8 new_pwd[16])
-{
- struct machine_acct_pass pass;
-
- pass.mod_time = time(NULL);
- memcpy(pass.hash, new_pwd, 16);
-
- return secrets_store(trust_keystr(domain), (void *)&pass, sizeof(pass));
-}
-
/**
* Routine to store the password for trusted domain
*
@@ -722,15 +726,6 @@ char *secrets_fetch_machine_password(const char *domain,
}
/************************************************************************
- Routine to delete the machine trust account password file for a domain.
-************************************************************************/
-
-bool trust_password_delete(const char *domain)
-{
- return secrets_delete(trust_keystr(domain));
-}
-
-/************************************************************************
Routine to delete the password for trusted domain
************************************************************************/