s3-passdb: Implement new pdb trust calls for the default backend

Signed-off-by: Simo Sorce <idra@samba.org>

Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Sun Jun 12 06:45:25 CEST 2011 on sn-devel-104

3 files changed, 194 insertions, 8 deletions

diff --git a/source3/Makefile.in b/source3/Makefile.in
index a06c8c7c09..3ef754182b 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -1037,6 +1037,7 @@ PDBEDIT_OBJ = utils/pdbedit.o $(PASSWD_UTIL_OBJ) $(PARAM_OBJ) $(PASSDB_OBJ) \
 		$(LIBSAMBA_OBJ) $(LIBTSOCKET_OBJ) \
 		$(LIB_NONSMBD_OBJ) $(GROUPDB_OBJ) \
 		$(LIBCLI_LDAP_NDR_OBJ) \
+		$(DRSUAPI_OBJ) $(LIBNDR_GEN_OBJ0) \
 		$(POPT_LIB_OBJ) $(SMBLDAP_OBJ) ../lib/util/asn1.o
 
 SMBGET_OBJ = utils/smbget.o $(POPT_LIB_OBJ) $(LIBSMBCLIENT_OBJ1)
@@ -1320,6 +1321,7 @@ PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
 		pam_smbpass/pam_smb_acct.o pam_smbpass/support.o ../lib/util/asn1.o
 PAM_SMBPASS_OBJ = $(PAM_SMBPASS_OBJ_0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
 		$(SMBLDAP_OBJ) $(LIBSAMBA_OBJ) \
+		$(DRSUAPI_OBJ) $(LIBNDR_GEN_OBJ0) \
 		$(LIBTSOCKET_OBJ) $(PAM_ERRORS_OBJ)
 
 IDMAP_RW_OBJ = winbindd/idmap_rw.o
@@ -1502,6 +1504,7 @@ NTLM_AUTH_OBJ = ${NTLM_AUTH_OBJ1} $(LIBSAMBA_OBJ) $(POPT_LIB_OBJ) \
 		$(SMBLDAP_OBJ) $(LIBNMB_OBJ) \
 		$(WBCOMMON_OBJ) \
 		$(LIBCLI_LDAP_NDR_OBJ) \
+		$(DRSUAPI_OBJ) \
 		$(LIBNDR_GEN_OBJ0) $(LIBNDR_NETLOGON_OBJ) @BUILD_INIPARSER@
 
 
@@ -1871,11 +1874,11 @@ bin/smbpasswd@EXEEXT@: $(BINARY_PREREQS) $(SMBPASSWD_OBJ) @BUILD_POPT@ $(LIBTALL
 		$(DYNEXP) $(LIBS) $(POPT_LIBS) $(KRB5LIBS) $(LDAP_LIBS) \
 		$(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) $(ZLIB_LIBS)
 
-bin/pdbedit@EXEEXT@: $(BINARY_PREREQS) $(PDBEDIT_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT)
+bin/pdbedit@EXEEXT@: $(BINARY_PREREQS) $(PDBEDIT_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT) $(ZLIB_LIBS)
 	@echo Linking $@
 	@$(CC) -o $@ $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \
 		$(POPT_LIBS) $(PASSDB_LIBS) $(LDAP_LIBS) $(LIBTALLOC_LIBS) \
-		$(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS)
+		$(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) $(ZLIB_LIBS)
 
 bin/smbget@EXEEXT@: $(BINARY_PREREQS) $(SMBGET_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT)
 	@echo Linking $@
@@ -3115,17 +3118,17 @@ bin/wbinfo@EXEEXT@: $(BINARY_PREREQS) $(WBINFO_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(
 		$(LIBWBCLIENT_LIBS)
 
 bin/ntlm_auth@EXEEXT@: $(BINARY_PREREQS) $(NTLM_AUTH_OBJ) $(PARAM_OBJ) \
-	$(LIB_NONSMBD_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT)
+	$(LIB_NONSMBD_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT) $(ZLIB_LIBS)
 	@echo Linking $@
 	@$(CC) -o $@ $(LDFLAGS) $(DYNEXP) $(NTLM_AUTH_OBJ) \
-		$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBS) \
+		$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBS) $(ZLIB_LIBS) \
 		$(POPT_LIBS) $(KRB5LIBS) $(LDAP_LIBS) $(NSCD_LIBS) \
 		$(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) @INIPARSERLIBS@
 
-bin/pam_smbpass.@SHLIBEXT@: $(BINARY_PREREQS) $(PAM_SMBPASS_OBJ) $(LIBCLI_LDAP_NDR_OBJ) $(LIBTALLOC) $(LIBWBCLIENT) $(LIBTDB)
+bin/pam_smbpass.@SHLIBEXT@: $(BINARY_PREREQS) $(PAM_SMBPASS_OBJ) $(LIBCLI_LDAP_NDR_OBJ) $(LIBTALLOC) $(LIBWBCLIENT) $(LIBTDB) $(ZLIB_LIBS)
 	@echo "Linking shared library $@"
 	@$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_SMBPASS_OBJ) $(LIBCLI_LDAP_NDR_OBJ) -lpam $(DYNEXP) \
-		$(LIBS) $(LDAP_LIBS) $(NSCD_LIBS) \
+		$(LIBS) $(LDAP_LIBS) $(NSCD_LIBS) $(ZLIB_LIBS) \
 		$(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS)
 
 bin/tdbbackup@EXEEXT@: $(BINARY_PREREQS) $(TDBBACKUP_OBJ) $(LIBTALLOC) $(LIBTDB)
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index b3d62bc61c..94ed355e2c 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -25,6 +25,8 @@
 #include "passdb.h"
 #include "secrets.h"
 #include "../librpc/gen_ndr/samr.h"
+#include "../librpc/gen_ndr/drsblobs.h"
+#include "../librpc/gen_ndr/ndr_drsblobs.h"
 #include "memcache.h"
 #include "nsswitch/winbind_client.h"
 #include "../libcli/security/security.h"
@@ -2144,7 +2146,62 @@ static NTSTATUS pdb_default_get_trusted_domain(struct pdb_methods *methods,
 					       const char *domain,
 					       struct pdb_trusted_domain **td)
 {
-	return NT_STATUS_NOT_IMPLEMENTED;
+	struct trustAuthInOutBlob taiob;
+	struct AuthenticationInformation aia;
+	struct pdb_trusted_domain *tdom;
+	enum ndr_err_code ndr_err;
+	time_t last_set_time;
+	char *pwd;
+	bool ok;
+
+	tdom = talloc(mem_ctx, struct pdb_trusted_domain);
+	if (!tdom) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	tdom->domain_name = talloc_strdup(tdom, domain);
+	tdom->netbios_name = talloc_strdup(tdom, domain);
+	if (!tdom->domain_name || !tdom->netbios_name) {
+		talloc_free(tdom);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	tdom->trust_auth_incoming = data_blob_null;
+
+	ok = pdb_get_trusteddom_pw(domain, &pwd, &tdom->security_identifier,
+				   &last_set_time);
+	if (!ok) {
+		talloc_free(tdom);
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	ZERO_STRUCT(taiob);
+	ZERO_STRUCT(aia);
+	taiob.count = 1;
+	taiob.current.count = 1;
+	taiob.current.array = &aia;
+	unix_to_nt_time(&aia.LastUpdateTime, last_set_time);
+	aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
+	aia.AuthInfo.clear.password = (uint8_t *) pwd;
+	aia.AuthInfo.clear.size = strlen(pwd);
+	taiob.previous.count = 0;
+	taiob.previous.array = NULL;
+
+	ndr_err = ndr_push_struct_blob(&tdom->trust_auth_outgoing,
+					tdom, &taiob,
+			(ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		talloc_free(tdom);
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	tdom->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
+	tdom->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
+	tdom->trust_attributes = 0;
+	tdom->trust_forest_trust_info = data_blob_null;
+
+	*td = tdom;
+	return NT_STATUS_OK;
 }
 
 static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *methods,
@@ -2155,11 +2212,54 @@ static NTSTATUS pdb_default_get_trusted_domain_by_sid(struct pdb_methods *method
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
 
+#define IS_NULL_DATA_BLOB(d) ((d).data == NULL && (d).length == 0)
+
 static NTSTATUS pdb_default_set_trusted_domain(struct pdb_methods *methods,
 					       const char* domain,
 					       const struct pdb_trusted_domain *td)
 {
-	return NT_STATUS_NOT_IMPLEMENTED;
+	struct trustAuthInOutBlob taiob;
+	struct AuthenticationInformation *aia;
+	enum ndr_err_code ndr_err;
+	char *pwd;
+	bool ok;
+
+	if (td->trust_attributes != 0 ||
+	    td->trust_type != LSA_TRUST_TYPE_DOWNLEVEL ||
+	    td->trust_direction != LSA_TRUST_DIRECTION_OUTBOUND ||
+	    !IS_NULL_DATA_BLOB(td->trust_auth_incoming) ||
+	    !IS_NULL_DATA_BLOB(td->trust_forest_trust_info)) {
+	    return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	ZERO_STRUCT(taiob);
+	ndr_err = ndr_pull_struct_blob(&td->trust_auth_outgoing, talloc_tos(),
+			      &taiob,
+			      (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	aia = (struct AuthenticationInformation *) taiob.current.array;
+
+	if (taiob.count != 1 || taiob.current.count != 1 ||
+	    taiob.previous.count != 0 ||
+	    aia->AuthType != TRUST_AUTH_TYPE_CLEAR) {
+	    return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	pwd = talloc_strndup(talloc_tos(), (char *) aia->AuthInfo.clear.password,
+			     aia->AuthInfo.clear.size);
+	if (!pwd) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ok = pdb_set_trusteddom_pw(domain, pwd, &td->security_identifier);
+	if (!ok) {
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	return NT_STATUS_OK;
 }
 
 static NTSTATUS pdb_default_del_trusted_domain(struct pdb_methods *methods,
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index 7ab20c7692..33419db275 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -24,6 +24,14 @@
 #include "popt_common.h"
 #include "passdb.h"
 
+#include "../librpc/gen_ndr/drsblobs.h"
+#include "../librpc/gen_ndr/ndr_drsblobs.h"
+#include "../libcli/security/dom_sid.h"
+
+#define TRUST_DOM "trustdom"
+#define TRUST_PWD "trustpwd1232"
+#define TRUST_SID "S-1-5-21-1111111111-2222222222-3333333333"
+
 static bool samu_correct(struct samu *s1, struct samu *s2)
 {
 	bool ret = True;
@@ -366,6 +374,81 @@ int main(int argc, char **argv)
 					get_friendly_nt_error_msg(rv));
 	}
 
+	/* test trustdom calls */
+	struct pdb_trusted_domain *td;
+	struct pdb_trusted_domain *new_td;
+	struct trustAuthInOutBlob taiob;
+	struct AuthenticationInformation aia;
+	enum ndr_err_code ndr_err;
+
+	td = talloc_zero(ctx ,struct pdb_trusted_domain);
+	if (!td) {
+		fprintf(stderr, "talloc failed\n");
+		exit(1);
+	}
+
+	td->domain_name = talloc_strdup(td, TRUST_DOM);
+	td->netbios_name = talloc_strdup(td, TRUST_DOM);
+	if (!td->domain_name || !td->netbios_name) {
+		fprintf(stderr, "talloc failed\n");
+		exit(1);
+	}
+
+	td->trust_auth_incoming = data_blob_null;
+
+	ZERO_STRUCT(taiob);
+	ZERO_STRUCT(aia);
+	taiob.count = 1;
+	taiob.current.count = 1;
+	taiob.current.array = &aia;
+	unix_to_nt_time(&aia.LastUpdateTime, time(NULL));
+	aia.AuthType = TRUST_AUTH_TYPE_CLEAR;
+	aia.AuthInfo.clear.password = (uint8_t *) talloc_strdup(ctx, TRUST_PWD);
+	aia.AuthInfo.clear.size = strlen(TRUST_PWD);
+
+	taiob.previous.count = 0;
+	taiob.previous.array = NULL;
+
+	ndr_err = ndr_push_struct_blob(&td->trust_auth_outgoing,
+					td, &taiob,
+			(ndr_push_flags_fn_t) ndr_push_trustAuthInOutBlob);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		fprintf(stderr, "ndr_push_struct_blob failed.\n");
+		exit(1);
+	}
+
+	td->trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
+	td->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
+	td->trust_attributes = 0;
+	td->trust_forest_trust_info = data_blob_null;
+
+	rv = pdb->set_trusted_domain(pdb, TRUST_DOM, td);
+	if (!NT_STATUS_IS_OK(rv)) {
+		fprintf(stderr, "Error in set_trusted_domain %s\n",
+				get_friendly_nt_error_msg(rv));
+		error = True;
+	}
+
+	rv = pdb->get_trusted_domain(pdb, ctx, TRUST_DOM, &new_td);
+	if (!NT_STATUS_IS_OK(rv)) {
+		fprintf(stderr, "Error in set_trusted_domain %s\n",
+				get_friendly_nt_error_msg(rv));
+		error = True;
+	}
+
+	if (!strequal(td->domain_name, new_td->domain_name) ||
+	    !strequal(td->netbios_name, new_td->netbios_name) ||
+	    !sid_equal(&td->security_identifier, &new_td->security_identifier) ||
+	    td->trust_direction != new_td->trust_direction ||
+	    td->trust_type != new_td->trust_type ||
+	    td->trust_attributes != new_td->trust_attributes ||
+	    td->trust_auth_incoming.length != new_td->trust_auth_incoming.length ||
+	    td->trust_forest_trust_info.length != new_td->trust_forest_trust_info.length ||
+	    data_blob_cmp(&td->trust_auth_outgoing, &new_td->trust_auth_outgoing) != 0) {
+		fprintf(stderr, "Old and new trusdet domain data do not match\n");
+		error = True;
+	}
+
 	TALLOC_FREE(ctx);
 
 	if (error) {