summaryrefslogtreecommitdiff
path: root/source4/passdb
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2003-08-13 01:53:07 +0000
committerAndrew Tridgell <tridge@samba.org>2003-08-13 01:53:07 +0000
commitef2e26c91b80556af033d3335e55f5dfa6fff31d (patch)
treefaa21bfd7e7b5247250b47c7891dc1a5ebee6be9 /source4/passdb
downloadsamba-ef2e26c91b80556af033d3335e55f5dfa6fff31d.tar.gz
samba-ef2e26c91b80556af033d3335e55f5dfa6fff31d.tar.bz2
samba-ef2e26c91b80556af033d3335e55f5dfa6fff31d.zip
first public release of samba4 code
(This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
Diffstat (limited to 'source4/passdb')
-rw-r--r--source4/passdb/.cvsignore2
-rw-r--r--source4/passdb/machine_sid.c192
-rw-r--r--source4/passdb/passdb.c1167
-rw-r--r--source4/passdb/pdb_compat.c115
-rw-r--r--source4/passdb/pdb_get_set.c1123
-rw-r--r--source4/passdb/pdb_guest.c123
-rw-r--r--source4/passdb/pdb_interface.c855
-rw-r--r--source4/passdb/pdb_ldap.c2089
-rw-r--r--source4/passdb/pdb_nisplus.c1565
-rw-r--r--source4/passdb/pdb_smbpasswd.c1581
-rw-r--r--source4/passdb/pdb_tdb.c1007
-rw-r--r--source4/passdb/pdb_unix.c110
-rw-r--r--source4/passdb/privileges.c349
-rw-r--r--source4/passdb/secrets.c612
-rw-r--r--source4/passdb/util_sam_sid.c303
15 files changed, 11193 insertions, 0 deletions
diff --git a/source4/passdb/.cvsignore b/source4/passdb/.cvsignore
new file mode 100644
index 0000000000..5f2a5c4cf7
--- /dev/null
+++ b/source4/passdb/.cvsignore
@@ -0,0 +1,2 @@
+*.po
+*.po32
diff --git a/source4/passdb/machine_sid.c b/source4/passdb/machine_sid.c
new file mode 100644
index 0000000000..f19b4a0c1d
--- /dev/null
+++ b/source4/passdb/machine_sid.c
@@ -0,0 +1,192 @@
+/*
+ Unix SMB/CIFS implementation.
+ Password and authentication handling
+ Copyright (C) Jeremy Allison 1996-2002
+ Copyright (C) Andrew Tridgell 2002
+ Copyright (C) Gerald (Jerry) Carter 2000
+ Copyright (C) Stefan (metze) Metzmacher 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+/* NOTE! the global_sam_sid is the SID of our local SAM. This is only
+ equal to the domain SID when we are a DC, otherwise its our
+ workstation SID */
+static DOM_SID *global_sam_sid=NULL;
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
+/****************************************************************************
+ Read a SID from a file. This is for compatibility with the old MACHINE.SID
+ style of SID storage
+****************************************************************************/
+static BOOL read_sid_from_file(const char *fname, DOM_SID *sid)
+{
+ char **lines;
+ int numlines;
+ BOOL ret;
+
+ lines = file_lines_load(fname, &numlines);
+
+ if (!lines || numlines < 1) {
+ if (lines) file_lines_free(lines);
+ return False;
+ }
+
+ ret = string_to_sid(sid, lines[0]);
+ file_lines_free(lines);
+ return ret;
+}
+
+/*
+ generate a random sid - used to build our own sid if we don't have one
+*/
+static void generate_random_sid(DOM_SID *sid)
+{
+ int i;
+ uchar raw_sid_data[12];
+
+ memset((char *)sid, '\0', sizeof(*sid));
+ sid->sid_rev_num = 1;
+ sid->id_auth[5] = 5;
+ sid->num_auths = 0;
+ sid->sub_auths[sid->num_auths++] = 21;
+
+ generate_random_buffer(raw_sid_data, 12, True);
+ for (i = 0; i < 3; i++)
+ sid->sub_auths[sid->num_auths++] = IVAL(raw_sid_data, i*4);
+}
+
+/****************************************************************************
+ Generate the global machine sid.
+****************************************************************************/
+
+static BOOL pdb_generate_sam_sid(void)
+{
+ char *fname = NULL;
+ BOOL is_dc = False;
+
+ if(global_sam_sid==NULL)
+ if(!(global_sam_sid=(DOM_SID *)malloc(sizeof(DOM_SID))))
+ return False;
+
+ generate_wellknown_sids();
+
+ switch (lp_server_role()) {
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ is_dc = True;
+ break;
+ default:
+ is_dc = False;
+ break;
+ }
+
+ if (secrets_fetch_domain_sid(lp_netbios_name(), global_sam_sid)) {
+ DOM_SID domain_sid;
+
+ /* We got our sid. If not a pdc/bdc, we're done. */
+ if (!is_dc)
+ return True;
+
+ if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
+
+ /* No domain sid and we're a pdc/bdc. Store it */
+
+ if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
+ DEBUG(0,("pdb_generate_sam_sid: Can't store domain SID as a pdc/bdc.\n"));
+ return False;
+ }
+ return True;
+ }
+
+ if (!sid_equal(&domain_sid, global_sam_sid)) {
+
+ /* Domain name sid doesn't match global sam sid. Re-store global sam sid as domain sid. */
+
+ DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n"));
+ if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
+ DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID as a pdc/bdc.\n"));
+ return False;
+ }
+ return True;
+ }
+
+ return True;
+
+ }
+
+ /* check for an old MACHINE.SID file for backwards compatibility */
+ asprintf(&fname, "%s/MACHINE.SID", lp_private_dir());
+
+ if (read_sid_from_file(fname, global_sam_sid)) {
+ /* remember it for future reference and unlink the old MACHINE.SID */
+ if (!secrets_store_domain_sid(lp_netbios_name(), global_sam_sid)) {
+ DEBUG(0,("pdb_generate_sam_sid: Failed to store SID from file-1.\n"));
+ SAFE_FREE(fname);
+ return False;
+ }
+ unlink(fname);
+ if (is_dc) {
+ if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
+ DEBUG(0,("pdb_generate_sam_sid: Failed to store domain SID from file-2.\n"));
+ SAFE_FREE(fname);
+ return False;
+ }
+ }
+
+ /* Stored the old sid from MACHINE.SID successfully.*/
+ SAFE_FREE(fname);
+ return True;
+ }
+
+ SAFE_FREE(fname);
+
+ /* we don't have the SID in secrets.tdb, we will need to
+ generate one and save it */
+ generate_random_sid(global_sam_sid);
+
+ if (!secrets_store_domain_sid(lp_netbios_name(), global_sam_sid)) {
+ DEBUG(0,("pdb_generate_sam_sid: Failed to store generated machine SID-3, nb name=%s.\n", lp_netbios_name()));
+ return False;
+ }
+ if (is_dc) {
+ if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
+ DEBUG(0,("pdb_generate_sam_sid: Failed to store generated domain SID-4, wg name=%s.\n", lp_workgroup()));
+ return False;
+ }
+ }
+
+ return True;
+}
+
+/* return our global_sam_sid */
+DOM_SID *get_global_sam_sid(void)
+{
+ if (global_sam_sid != NULL)
+ return global_sam_sid;
+
+ /* memory for global_sam_sid is allocated in
+ pdb_generate_sam_sid() as needed */
+
+ if (!pdb_generate_sam_sid())
+ global_sam_sid=NULL;
+
+ return global_sam_sid;
+}
+
diff --git a/source4/passdb/passdb.c b/source4/passdb/passdb.c
new file mode 100644
index 0000000000..39e2d4cb22
--- /dev/null
+++ b/source4/passdb/passdb.c
@@ -0,0 +1,1167 @@
+/*
+ Unix SMB/CIFS implementation.
+ Password and authentication handling
+ Copyright (C) Jeremy Allison 1996-2001
+ Copyright (C) Luke Kenneth Casson Leighton 1996-1998
+ Copyright (C) Gerald (Jerry) Carter 2000-2001
+ Copyright (C) Andrew Bartlett 2001-2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
+/*
+ * This is set on startup - it defines the SID for this
+ * machine, and therefore the SAM database for which it is
+ * responsible.
+ */
+
+/************************************************************
+ Fill the SAM_ACCOUNT with default values.
+ ***********************************************************/
+
+static void pdb_fill_default_sam(SAM_ACCOUNT *user)
+{
+ ZERO_STRUCT(user->private); /* Don't touch the talloc context */
+
+ /* no initial methods */
+ user->methods = NULL;
+
+ /* Don't change these timestamp settings without a good reason.
+ They are important for NT member server compatibility. */
+
+ user->private.uid = user->private.gid = -1;
+
+ user->private.logon_time = (time_t)0;
+ user->private.pass_last_set_time = (time_t)0;
+ user->private.pass_can_change_time = (time_t)0;
+ user->private.logoff_time =
+ user->private.kickoff_time =
+ user->private.pass_must_change_time = get_time_t_max();
+ user->private.unknown_3 = 0x00ffffff; /* don't know */
+ user->private.logon_divs = 168; /* hours per week */
+ user->private.hours_len = 21; /* 21 times 8 bits = 168 */
+ memset(user->private.hours, 0xff, user->private.hours_len); /* available at all hours */
+ user->private.unknown_5 = 0x00000000; /* don't know */
+ user->private.unknown_6 = 0x000004ec; /* don't know */
+
+ /* Some parts of samba strlen their pdb_get...() returns,
+ so this keeps the interface unchanged for now. */
+
+ user->private.username = "";
+ user->private.domain = "";
+ user->private.nt_username = "";
+ user->private.full_name = "";
+ user->private.home_dir = "";
+ user->private.logon_script = "";
+ user->private.profile_path = "";
+ user->private.acct_desc = "";
+ user->private.workstations = "";
+ user->private.unknown_str = "";
+ user->private.munged_dial = "";
+
+ user->private.plaintext_pw = NULL;
+
+}
+
+static void destroy_pdb_talloc(SAM_ACCOUNT **user)
+{
+ if (*user) {
+ data_blob_clear_free(&((*user)->private.lm_pw));
+ data_blob_clear_free(&((*user)->private.nt_pw));
+
+ if((*user)->private.plaintext_pw!=NULL)
+ memset((*user)->private.plaintext_pw,'\0',strlen((*user)->private.plaintext_pw));
+ talloc_destroy((*user)->mem_ctx);
+ *user = NULL;
+ }
+}
+
+
+/**********************************************************************
+ Alloc memory and initialises a struct sam_passwd on supplied mem_ctx.
+***********************************************************************/
+
+NTSTATUS pdb_init_sam_talloc(TALLOC_CTX *mem_ctx, SAM_ACCOUNT **user)
+{
+ if (*user != NULL) {
+ DEBUG(0,("pdb_init_sam_talloc: SAM_ACCOUNT was non NULL\n"));
+#if 0
+ smb_panic("non-NULL pointer passed to pdb_init_sam\n");
+#endif
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (!mem_ctx) {
+ DEBUG(0,("pdb_init_sam_talloc: mem_ctx was NULL!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ *user=(SAM_ACCOUNT *)talloc(mem_ctx, sizeof(SAM_ACCOUNT));
+
+ if (*user==NULL) {
+ DEBUG(0,("pdb_init_sam_talloc: error while allocating memory\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ (*user)->mem_ctx = mem_ctx;
+
+ (*user)->free_fn = NULL;
+
+ pdb_fill_default_sam(*user);
+
+ return NT_STATUS_OK;
+}
+
+
+/*************************************************************
+ Alloc memory and initialises a struct sam_passwd.
+ ************************************************************/
+
+NTSTATUS pdb_init_sam(SAM_ACCOUNT **user)
+{
+ TALLOC_CTX *mem_ctx;
+ NTSTATUS nt_status;
+
+ mem_ctx = talloc_init("passdb internal SAM_ACCOUNT allocation");
+
+ if (!mem_ctx) {
+ DEBUG(0,("pdb_init_sam: error while doing talloc_init()\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_talloc(mem_ctx, user))) {
+ talloc_destroy(mem_ctx);
+ return nt_status;
+ }
+
+ (*user)->free_fn = destroy_pdb_talloc;
+
+ return NT_STATUS_OK;
+}
+
+
+/*************************************************************
+ Initialises a struct sam_passwd with sane values.
+ ************************************************************/
+
+NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
+{
+ GROUP_MAP map;
+
+ const char *guest_account = lp_guestaccount();
+ if (!(guest_account && *guest_account)) {
+ DEBUG(1, ("NULL guest account!?!?\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (!pwd) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ pdb_fill_default_sam(sam_account);
+
+ pdb_set_username(sam_account, pwd->pw_name, PDB_SET);
+ pdb_set_fullname(sam_account, pwd->pw_gecos, PDB_SET);
+
+ pdb_set_unix_homedir(sam_account, pwd->pw_dir, PDB_SET);
+
+ pdb_set_domain (sam_account, lp_workgroup(), PDB_DEFAULT);
+
+ pdb_set_uid(sam_account, pwd->pw_uid, PDB_SET);
+ pdb_set_gid(sam_account, pwd->pw_gid, PDB_SET);
+
+ /* When we get a proper uid -> SID and SID -> uid allocation
+ mechinism, we should call it here.
+
+ We can't just set this to 0 or allow it only to be filled
+ in when added to the backend, becouse the user's SID
+ may already be in security descriptors etc.
+
+ -- abartlet 11-May-02
+ */
+
+
+ /* Ensure this *must* be set right */
+ if (strcmp(pwd->pw_name, guest_account) == 0) {
+ if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ } else {
+
+ if (!pdb_set_user_sid_from_rid(sam_account,
+ fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) {
+ DEBUG(0,("Can't set User SID from RID!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* call the mapping code here */
+ if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) {
+ if (!pdb_set_group_sid(sam_account,&map.sid, PDB_SET)){
+ DEBUG(0,("Can't set Group SID!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+ else {
+ if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) {
+ DEBUG(0,("Can't set Group SID\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+ }
+
+ /* check if this is a user account or a machine account */
+ if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$')
+ {
+ pdb_set_profile_path(sam_account,
+ talloc_sub_specified((sam_account)->mem_ctx,
+ lp_logon_path(),
+ pwd->pw_name, lp_netbios_name(),
+ pwd->pw_uid, pwd->pw_gid),
+ PDB_DEFAULT);
+
+ pdb_set_homedir(sam_account,
+ talloc_sub_specified((sam_account)->mem_ctx,
+ lp_logon_home(),
+ pwd->pw_name, lp_netbios_name(),
+ pwd->pw_uid, pwd->pw_gid),
+ PDB_DEFAULT);
+
+ pdb_set_dir_drive(sam_account,
+ talloc_sub_specified((sam_account)->mem_ctx,
+ lp_logon_drive(),
+ pwd->pw_name, lp_netbios_name(),
+ pwd->pw_uid, pwd->pw_gid),
+ PDB_DEFAULT);
+
+ pdb_set_logon_script(sam_account,
+ talloc_sub_specified((sam_account)->mem_ctx,
+ lp_logon_script(),
+ pwd->pw_name, lp_netbios_name(),
+ pwd->pw_uid, pwd->pw_gid),
+ PDB_DEFAULT);
+ if (!pdb_set_acct_ctrl(sam_account, ACB_NORMAL, PDB_DEFAULT)) {
+ DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n", pwd->pw_name));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ } else {
+ if (!pdb_set_acct_ctrl(sam_account, ACB_WSTRUST, PDB_DEFAULT)) {
+ DEBUG(1, ("Failed to set 'trusted workstation account' flags for user %s.\n", pwd->pw_name));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+ return NT_STATUS_OK;
+}
+
+
+/*************************************************************
+ Initialises a struct sam_passwd with sane values.
+ ************************************************************/
+
+NTSTATUS pdb_init_sam_pw(SAM_ACCOUNT **new_sam_acct, const struct passwd *pwd)
+{
+ NTSTATUS nt_status;
+
+ if (!pwd) {
+ new_sam_acct = NULL;
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(new_sam_acct))) {
+ new_sam_acct = NULL;
+ return nt_status;
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*new_sam_acct, pwd))) {
+ pdb_free_sam(new_sam_acct);
+ new_sam_acct = NULL;
+ return nt_status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+
+/**
+ * Free the contets of the SAM_ACCOUNT, but not the structure.
+ *
+ * Also wipes the LM and NT hashes and plaintext password from
+ * memory.
+ *
+ * @param user SAM_ACCOUNT to free members of.
+ **/
+
+static void pdb_free_sam_contents(SAM_ACCOUNT *user)
+{
+
+ /* Kill off sensitive data. Free()ed by the
+ talloc mechinism */
+
+ data_blob_clear_free(&(user->private.lm_pw));
+ data_blob_clear_free(&(user->private.nt_pw));
+ if (user->private.plaintext_pw!=NULL)
+ memset(user->private.plaintext_pw,'\0',strlen(user->private.plaintext_pw));
+}
+
+
+/************************************************************
+ Reset the SAM_ACCOUNT and free the NT/LM hashes.
+ ***********************************************************/
+
+NTSTATUS pdb_reset_sam(SAM_ACCOUNT *user)
+{
+ if (user == NULL) {
+ DEBUG(0,("pdb_reset_sam: SAM_ACCOUNT was NULL\n"));
+#if 0
+ smb_panic("NULL pointer passed to pdb_free_sam\n");
+#endif
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ pdb_free_sam_contents(user);
+
+ pdb_fill_default_sam(user);
+
+ return NT_STATUS_OK;
+}
+
+
+/************************************************************
+ Free the SAM_ACCOUNT and the member pointers.
+ ***********************************************************/
+
+NTSTATUS pdb_free_sam(SAM_ACCOUNT **user)
+{
+ if (*user == NULL) {
+ DEBUG(0,("pdb_free_sam: SAM_ACCOUNT was NULL\n"));
+#if 0
+ smb_panic("NULL pointer passed to pdb_free_sam\n");
+#endif
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ pdb_free_sam_contents(*user);
+
+ if ((*user)->free_fn) {
+ (*user)->free_fn(user);
+ }
+
+ return NT_STATUS_OK;
+}
+
+
+/**********************************************************
+ Encode the account control bits into a string.
+ length = length of string to encode into (including terminating
+ null). length *MUST BE MORE THAN 2* !
+ **********************************************************/
+
+char *pdb_encode_acct_ctrl(uint16 acct_ctrl, size_t length)
+{
+ static fstring acct_str;
+ size_t i = 0;
+
+ acct_str[i++] = '[';
+
+ if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
+ if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
+ if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
+ if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
+ if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
+ if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
+ if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
+ if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
+ if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
+ if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X';
+ if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';
+
+ for ( ; i < length - 2 ; i++ )
+ acct_str[i] = ' ';
+
+ i = length - 2;
+ acct_str[i++] = ']';
+ acct_str[i++] = '\0';
+
+ return acct_str;
+}
+
+/**********************************************************
+ Decode the account control bits from a string.
+ **********************************************************/
+
+uint16 pdb_decode_acct_ctrl(const char *p)
+{
+ uint16 acct_ctrl = 0;
+ BOOL finished = False;
+
+ /*
+ * Check if the account type bits have been encoded after the
+ * NT password (in the form [NDHTUWSLXI]).
+ */
+
+ if (*p != '[')
+ return 0;
+
+ for (p++; *p && !finished; p++) {
+ switch (*p) {
+ case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
+ case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
+ case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
+ case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
+ case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
+ case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
+ case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
+ case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
+ case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
+ case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
+ case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
+ case ' ': { break; }
+ case ':':
+ case '\n':
+ case '\0':
+ case ']':
+ default: { finished = True; }
+ }
+ }
+
+ return acct_ctrl;
+}
+
+/*************************************************************
+ Routine to set 32 hex password characters from a 16 byte array.
+**************************************************************/
+
+void pdb_sethexpwd(char *p, const unsigned char *pwd, uint16 acct_ctrl)
+{
+ if (pwd != NULL) {
+ int i;
+ for (i = 0; i < 16; i++)
+ slprintf(&p[i*2], 3, "%02X", pwd[i]);
+ } else {
+ if (acct_ctrl & ACB_PWNOTREQ)
+ safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
+ else
+ safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
+ }
+}
+
+/*************************************************************
+ Routine to get the 32 hex characters and turn them
+ into a 16 byte array.
+**************************************************************/
+
+BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
+{
+ int i;
+ unsigned char lonybble, hinybble;
+ const char *hexchars = "0123456789ABCDEF";
+ char *p1, *p2;
+
+ if (!p)
+ return (False);
+
+ for (i = 0; i < 32; i += 2) {
+ hinybble = toupper(p[i]);
+ lonybble = toupper(p[i + 1]);
+
+ p1 = strchr(hexchars, hinybble);
+ p2 = strchr(hexchars, lonybble);
+
+ if (!p1 || !p2)
+ return (False);
+
+ hinybble = PTR_DIFF(p1, hexchars);
+ lonybble = PTR_DIFF(p2, hexchars);
+
+ pwd[i / 2] = (hinybble << 4) | lonybble;
+ }
+ return (True);
+}
+
+/*******************************************************************
+ Converts NT user RID to a UNIX uid.
+ ********************************************************************/
+
+static int algorithmic_rid_base(void)
+{
+ static int rid_offset = 0;
+
+ if (rid_offset != 0)
+ return rid_offset;
+
+ rid_offset = lp_algorithmic_rid_base();
+
+ if (rid_offset < BASE_RID) {
+ /* Try to prevent admin foot-shooting, we can't put algorithmic
+ rids below 1000, that's the 'well known RIDs' on NT */
+ DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
+ rid_offset = BASE_RID;
+ }
+ if (rid_offset & 1) {
+ DEBUG(0, ("algorithmic rid base must be even\n"));
+ rid_offset += 1;
+ }
+ return rid_offset;
+}
+
+
+uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid)
+{
+ int rid_offset = algorithmic_rid_base();
+ return (uid_t)(((user_rid & (~USER_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
+}
+
+
+/*******************************************************************
+ converts UNIX uid to an NT User RID.
+ ********************************************************************/
+
+uint32 fallback_pdb_uid_to_user_rid(uid_t uid)
+{
+ int rid_offset = algorithmic_rid_base();
+ return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
+}
+
+/*******************************************************************
+ Converts NT group RID to a UNIX gid.
+ ********************************************************************/
+
+gid_t pdb_group_rid_to_gid(uint32 group_rid)
+{
+ int rid_offset = algorithmic_rid_base();
+ return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
+}
+
+/*******************************************************************
+ converts NT Group RID to a UNIX uid.
+
+ warning: you must not call that function only
+ you must do a call to the group mapping first.
+ there is not anymore a direct link between the gid and the rid.
+ ********************************************************************/
+
+uint32 pdb_gid_to_group_rid(gid_t gid)
+{
+ int rid_offset = algorithmic_rid_base();
+ return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
+}
+
+/*******************************************************************
+ Decides if a RID is a well known RID.
+ ********************************************************************/
+
+static BOOL pdb_rid_is_well_known(uint32 rid)
+{
+ /* Not using rid_offset here, becouse this is the actual
+ NT fixed value (1000) */
+
+ return (rid < BASE_RID);
+}
+
+/*******************************************************************
+ Decides if a RID is a user or group RID.
+ ********************************************************************/
+
+BOOL pdb_rid_is_user(uint32 rid)
+{
+ /* lkcl i understand that NT attaches an enumeration to a RID
+ * such that it can be identified as either a user, group etc
+ * type. there are 5 such categories, and they are documented.
+ */
+ /* However, they are not in the RID, just somthing you can query
+ seperatly. Sorry luke :-) */
+
+ if(pdb_rid_is_well_known(rid)) {
+ /*
+ * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
+ * and DOMAIN_USER_RID_GUEST.
+ */
+ if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
+ return True;
+ } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
+ return True;
+ }
+ return False;
+}
+
+/*******************************************************************
+ Convert a rid into a name. Used in the lookup SID rpc.
+ ********************************************************************/
+
+BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use)
+{
+ uint32 rid;
+ SAM_ACCOUNT *sam_account = NULL;
+ GROUP_MAP map;
+ TALLOC_CTX *mem_ctx;
+
+ mem_ctx = talloc_init("local_lookup_sid");
+ if (!mem_ctx) {
+ DEBUG(0,("local_sid_to_gid: No memory\n"));
+ return False;
+ }
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)){
+ DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n",
+ sid_string_talloc(mem_ctx, &map.sid)));
+ return False;
+ }
+ talloc_destroy(mem_ctx);
+ *psid_name_use = SID_NAME_UNKNOWN;
+
+ DEBUG(5,("local_lookup_sid: looking up RID %u.\n", (unsigned int)rid));
+
+ if (rid == DOMAIN_USER_RID_ADMIN) {
+ const char **admin_list = lp_admin_users(-1);
+ *psid_name_use = SID_NAME_USER;
+ if (admin_list) {
+ const char *p = *admin_list;
+ if(!next_token(&p, name, NULL, sizeof(fstring)))
+ fstrcpy(name, "Administrator");
+ } else {
+ fstrcpy(name, "Administrator");
+ }
+ return True;
+ }
+
+ /*
+ * Don't try to convert the rid to a name if
+ * running in appliance mode
+ */
+
+ if (lp_hide_local_users())
+ return False;
+
+ if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
+ return False;
+ }
+
+ /* This now does the 'generic' mapping in pdb_unix */
+ /* 'guest' is also handled there */
+ if (pdb_getsampwsid(sam_account, sid)) {
+ fstrcpy(name, pdb_get_username(sam_account));
+ *psid_name_use = SID_NAME_USER;
+
+ pdb_free_sam(&sam_account);
+
+ return True;
+ }
+
+ pdb_free_sam(&sam_account);
+
+ if (pdb_getgrsid(&map, *sid, MAPPING_WITHOUT_PRIV)) {
+ if (map.gid!=(gid_t)-1) {
+ DEBUG(5,("local_lookup_sid: mapped group %s to gid %u\n", map.nt_name, (unsigned int)map.gid));
+ } else {
+ DEBUG(5,("local_lookup_sid: mapped group %s to no unix gid. Returning name.\n", map.nt_name));
+ }
+
+ fstrcpy(name, map.nt_name);
+ *psid_name_use = map.sid_name_use;
+ return True;
+ }
+
+ if (pdb_rid_is_user(rid)) {
+ uid_t uid;
+
+ DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid));
+
+ uid = fallback_pdb_user_rid_to_uid(rid);
+ slprintf(name, sizeof(fstring)-1, "unix_user.%u", (unsigned int)uid);
+
+ return False; /* Indicates that this user was 'not mapped' */
+ } else {
+ gid_t gid;
+ struct group *gr;
+
+ DEBUG(5, ("assuming RID %u is a group\n", (unsigned)rid));
+
+ gid = pdb_group_rid_to_gid(rid);
+ gr = getgrgid(gid);
+
+ *psid_name_use = SID_NAME_ALIAS;
+
+ DEBUG(5,("local_lookup_sid: looking up gid %u %s\n", (unsigned int)gid,
+ gr ? "succeeded" : "failed" ));
+
+ if(!gr) {
+ slprintf(name, sizeof(fstring)-1, "unix_group.%u", (unsigned int)gid);
+ return False; /* Indicates that this group was 'not mapped' */
+ }
+
+ fstrcpy( name, gr->gr_name);
+
+ DEBUG(5,("local_lookup_sid: found group %s for rid %u\n", name,
+ (unsigned int)rid ));
+ return True;
+ }
+}
+
+/*******************************************************************
+ Convert a name into a SID. Used in the lookup name rpc.
+ ********************************************************************/
+
+BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psid_name_use)
+{
+ extern DOM_SID global_sid_World_Domain;
+ DOM_SID local_sid;
+ fstring user;
+ SAM_ACCOUNT *sam_account = NULL;
+ struct group *grp;
+ GROUP_MAP map;
+
+ *psid_name_use = SID_NAME_UNKNOWN;
+
+ /*
+ * user may be quoted a const string, and map_username and
+ * friends can modify it. Make a modifiable copy. JRA.
+ */
+
+ fstrcpy(user, c_user);
+
+ sid_copy(&local_sid, get_global_sam_sid());
+
+ /*
+ * Special case for MACHINE\Everyone. Map to the world_sid.
+ */
+
+ if(strequal(user, "Everyone")) {
+ sid_copy( psid, &global_sid_World_Domain);
+ sid_append_rid(psid, 0);
+ *psid_name_use = SID_NAME_ALIAS;
+ return True;
+ }
+
+ /*
+ * Don't lookup local unix users if running in appliance mode
+ */
+ if (lp_hide_local_users())
+ return False;
+
+ if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
+ return False;
+ }
+
+ if (pdb_getsampwnam(sam_account, user)) {
+ sid_copy(psid, pdb_get_user_sid(sam_account));
+ *psid_name_use = SID_NAME_USER;
+
+ pdb_free_sam(&sam_account);
+ return True;
+ }
+
+ pdb_free_sam(&sam_account);
+
+ /*
+ * Maybe it was a group ?
+ */
+
+ /* check if it's a mapped group */
+ if (pdb_getgrnam(&map, user, MAPPING_WITHOUT_PRIV)) {
+ /* yes it's a mapped group */
+ sid_copy(&local_sid, &map.sid);
+ *psid_name_use = map.sid_name_use;
+ } else {
+ /* it's not a mapped group */
+ grp = getgrnam(user);
+ if(!grp)
+ return False;
+
+ /*
+ *check if it's mapped, if it is reply it doesn't exist
+ *
+ * that's to prevent this case:
+ *
+ * unix group ug is mapped to nt group ng
+ * someone does a lookup on ug
+ * we must not reply as it doesn't "exist" anymore
+ * for NT. For NT only ng exists.
+ * JFM, 30/11/2001
+ */
+
+ if (pdb_getgrgid(&map, grp->gr_gid, MAPPING_WITHOUT_PRIV)){
+ return False;
+ }
+
+ sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
+ *psid_name_use = SID_NAME_ALIAS;
+ }
+
+ sid_copy( psid, &local_sid);
+
+ return True;
+}
+
+/****************************************************************************
+ Convert a uid to SID - locally.
+****************************************************************************/
+
+DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
+{
+ struct passwd *pass;
+ SAM_ACCOUNT *sam_user = NULL;
+ fstring str; /* sid string buffer */
+
+ sid_copy(psid, get_global_sam_sid());
+
+ if((pass = getpwuid_alloc(uid))) {
+
+ if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) {
+ passwd_free(&pass);
+ return NULL;
+ }
+
+ if (pdb_getsampwnam(sam_user, pass->pw_name)) {
+ sid_copy(psid, pdb_get_user_sid(sam_user));
+ } else {
+ sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
+ }
+
+ DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (%s).\n",
+ (unsigned)uid, sid_to_string( str, psid),
+ pass->pw_name ));
+
+ passwd_free(&pass);
+ pdb_free_sam(&sam_user);
+
+ } else {
+ sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
+
+ DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (unknown user).\n",
+ (unsigned)uid, sid_to_string( str, psid)));
+ }
+
+ return psid;
+}
+
+/****************************************************************************
+ Convert a SID to uid - locally.
+****************************************************************************/
+
+BOOL local_sid_to_uid(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
+{
+ fstring str;
+ SAM_ACCOUNT *sam_user = NULL;
+
+ *name_type = SID_NAME_UNKNOWN;
+
+ if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user)))
+ return False;
+
+ if (pdb_getsampwsid(sam_user, psid)) {
+
+ if (!IS_SAM_SET(sam_user,PDB_UID)&&!IS_SAM_CHANGED(sam_user,PDB_UID)) {
+ pdb_free_sam(&sam_user);
+ return False;
+ }
+
+ *puid = pdb_get_uid(sam_user);
+
+ DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_to_string( str, psid),
+ (unsigned int)*puid, pdb_get_username(sam_user)));
+ pdb_free_sam(&sam_user);
+ } else {
+
+ DOM_SID dom_sid;
+ uint32 rid;
+ GROUP_MAP map;
+
+ pdb_free_sam(&sam_user);
+
+ if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) {
+ DEBUG(3, ("local_sid_to_uid: SID '%s' is a group, not a user... \n", sid_to_string(str, psid)));
+ /* It's a group, not a user... */
+ return False;
+ }
+
+ sid_copy(&dom_sid, psid);
+ if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
+ DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid)));
+ return False;
+ }
+
+ if (!pdb_rid_is_user(rid)) {
+ DEBUG(3, ("local_sid_to_uid: sid '%s' cannot be mapped to a uid algorithmicly becouse it is a group\n", sid_to_string(str, psid)));
+ return False;
+ }
+
+ *puid = fallback_pdb_user_rid_to_uid(rid);
+
+ DEBUG(5,("local_sid_to_uid: SID %s algorithmicly mapped to %ld mapped becouse SID was not found in passdb.\n",
+ sid_to_string(str, psid), (signed long int)(*puid)));
+ }
+
+ *name_type = SID_NAME_USER;
+
+ return True;
+}
+
+/****************************************************************************
+ Convert a gid to SID - locally.
+****************************************************************************/
+
+DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
+{
+ GROUP_MAP map;
+
+ sid_copy(psid, get_global_sam_sid());
+
+ if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
+ sid_copy(psid, &map.sid);
+ }
+ else {
+ sid_append_rid(psid, pdb_gid_to_group_rid(gid));
+ }
+
+ return psid;
+}
+
+/****************************************************************************
+ Convert a SID to gid - locally.
+****************************************************************************/
+
+BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
+{
+ fstring str;
+ GROUP_MAP map;
+
+ *name_type = SID_NAME_UNKNOWN;
+
+ /*
+ * We can only convert to a gid if this is our local
+ * Domain SID (ie. we are the controling authority).
+ *
+ * Or in the Builtin SID too. JFM, 11/30/2001
+ */
+
+ if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) {
+
+ /* the SID is in the mapping table but not mapped */
+ if (map.gid==(gid_t)-1)
+ return False;
+
+ *pgid = map.gid;
+ *name_type = map.sid_name_use;
+ DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n",
+ sid_to_string( str, psid),
+ map.nt_name, (unsigned int)*pgid));
+
+ } else {
+ uint32 rid;
+ SAM_ACCOUNT *sam_user = NULL;
+ if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user)))
+ return False;
+
+ if (pdb_getsampwsid(sam_user, psid)) {
+ return False;
+ pdb_free_sam(&sam_user);
+ }
+
+ pdb_free_sam(&sam_user);
+
+ if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
+ DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid)));
+ return False;
+ }
+
+ if (pdb_rid_is_user(rid))
+ return False;
+
+ *pgid = pdb_group_rid_to_gid(rid);
+ *name_type = SID_NAME_ALIAS;
+ DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u).\n", sid_to_string( str, psid),
+ (unsigned int)*pgid));
+ }
+
+ return True;
+}
+
+/*************************************************************
+ Change a password entry in the local smbpasswd file.
+
+It is currently being called by SWAT and by smbpasswd.
+
+ --jerry
+ *************************************************************/
+
+BOOL local_password_change(const char *user_name, int local_flags,
+ const char *new_passwd,
+ char *err_str, size_t err_str_len,
+ char *msg_str, size_t msg_str_len)
+{
+ struct passwd *pwd = NULL;
+ SAM_ACCOUNT *sam_pass=NULL;
+ uint16 other_acb;
+
+ *err_str = '\0';
+ *msg_str = '\0';
+
+ /* Get the smb passwd entry for this user */
+ pdb_init_sam(&sam_pass);
+ if(!pdb_getsampwnam(sam_pass, user_name)) {
+ pdb_free_sam(&sam_pass);
+
+ if (local_flags & LOCAL_ADD_USER) {
+ pwd = getpwnam_alloc(user_name);
+ } else if (local_flags & LOCAL_DELETE_USER) {
+ /* Might not exist in /etc/passwd */
+ } else {
+ slprintf(err_str, err_str_len-1,"Failed to find entry for user %s.\n", user_name);
+ return False;
+ }
+
+ if (pwd) {
+ /* Local user found, so init from this */
+ if (!NT_STATUS_IS_OK(pdb_init_sam_pw(&sam_pass, pwd))){
+ slprintf(err_str, err_str_len-1, "Failed initialise SAM_ACCOUNT for user %s.\n", user_name);
+ passwd_free(&pwd);
+ return False;
+ }
+
+ passwd_free(&pwd);
+ } else {
+ if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_pass))){
+ slprintf(err_str, err_str_len-1, "Failed initialise SAM_ACCOUNT for user %s.\n", user_name);
+ return False;
+ }
+
+ if (!pdb_set_username(sam_pass, user_name, PDB_CHANGED)) {
+ slprintf(err_str, err_str_len - 1, "Failed to set username for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+ }
+ } else {
+ /* the entry already existed */
+ local_flags &= ~LOCAL_ADD_USER;
+ }
+
+ /* the 'other' acb bits not being changed here */
+ other_acb = (pdb_get_acct_ctrl(sam_pass) & (!(ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL)));
+ if (local_flags & LOCAL_TRUST_ACCOUNT) {
+ if (!pdb_set_acct_ctrl(sam_pass, ACB_WSTRUST | other_acb, PDB_CHANGED) ) {
+ slprintf(err_str, err_str_len - 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+ } else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
+ if (!pdb_set_acct_ctrl(sam_pass, ACB_DOMTRUST | other_acb, PDB_CHANGED)) {
+ slprintf(err_str, err_str_len - 1, "Failed to set 'domain trust account' flags for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+ } else {
+ if (!pdb_set_acct_ctrl(sam_pass, ACB_NORMAL | other_acb, PDB_CHANGED)) {
+ slprintf(err_str, err_str_len - 1, "Failed to set 'normal account' flags for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+ }
+
+ /*
+ * We are root - just write the new password
+ * and the valid last change time.
+ */
+
+ if (local_flags & LOCAL_DISABLE_USER) {
+ if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_DISABLED, PDB_CHANGED)) {
+ slprintf(err_str, err_str_len-1, "Failed to set 'disabled' flag for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+ } else if (local_flags & LOCAL_ENABLE_USER) {
+ if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
+ slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+ }
+
+ if (local_flags & LOCAL_SET_NO_PASSWORD) {
+ if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_PWNOTREQ, PDB_CHANGED)) {
+ slprintf(err_str, err_str_len-1, "Failed to set 'no password required' flag for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+ } else if (local_flags & LOCAL_SET_PASSWORD) {
+ /*
+ * If we're dealing with setting a completely empty user account
+ * ie. One with a password of 'XXXX', but not set disabled (like
+ * an account created from scratch) then if the old password was
+ * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
+ * We remove that as we're giving this user their first password
+ * and the decision hasn't really been made to disable them (ie.
+ * don't create them disabled). JRA.
+ */
+ if ((pdb_get_lanman_passwd(sam_pass)==NULL) && (pdb_get_acct_ctrl(sam_pass)&ACB_DISABLED)) {
+ if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
+ slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+ }
+ if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_PWNOTREQ), PDB_CHANGED)) {
+ slprintf(err_str, err_str_len-1, "Failed to unset 'no password required' flag for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+
+ if (!pdb_set_plaintext_passwd (sam_pass, new_passwd)) {
+ slprintf(err_str, err_str_len-1, "Failed to set password for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+ }
+
+ if (local_flags & LOCAL_ADD_USER) {
+ if (pdb_add_sam_account(sam_pass)) {
+ slprintf(msg_str, msg_str_len-1, "Added user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return True;
+ } else {
+ slprintf(err_str, err_str_len-1, "Failed to add entry for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+ } else if (local_flags & LOCAL_DELETE_USER) {
+ if (!pdb_delete_sam_account(sam_pass)) {
+ slprintf(err_str,err_str_len-1, "Failed to delete entry for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+ slprintf(msg_str, msg_str_len-1, "Deleted user %s.\n", user_name);
+ } else {
+ if(!pdb_update_sam_account(sam_pass)) {
+ slprintf(err_str, err_str_len-1, "Failed to modify entry for user %s.\n", user_name);
+ pdb_free_sam(&sam_pass);
+ return False;
+ }
+ if(local_flags & LOCAL_DISABLE_USER)
+ slprintf(msg_str, msg_str_len-1, "Disabled user %s.\n", user_name);
+ else if (local_flags & LOCAL_ENABLE_USER)
+ slprintf(msg_str, msg_str_len-1, "Enabled user %s.\n", user_name);
+ else if (local_flags & LOCAL_SET_NO_PASSWORD)
+ slprintf(msg_str, msg_str_len-1, "User %s password set to none.\n", user_name);
+ }
+
+ pdb_free_sam(&sam_pass);
+ return True;
+}
diff --git a/source4/passdb/pdb_compat.c b/source4/passdb/pdb_compat.c
new file mode 100644
index 0000000000..0bd003f1e9
--- /dev/null
+++ b/source4/passdb/pdb_compat.c
@@ -0,0 +1,115 @@
+/*
+ Unix SMB/CIFS implementation.
+ SAM_ACCOUNT access routines
+ Copyright (C) Jeremy Allison 1996-2001
+ Copyright (C) Luke Kenneth Casson Leighton 1996-1998
+ Copyright (C) Gerald (Jerry) Carter 2000-2001
+ Copyright (C) Andrew Bartlett 2001-2002
+ Copyright (C) Stefan (metze) Metzmacher 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
+uint32 pdb_get_user_rid (const SAM_ACCOUNT *sampass)
+{
+ uint32 u_rid;
+
+ if (sampass)
+ if (sid_peek_check_rid(get_global_sam_sid(), pdb_get_user_sid(sampass),&u_rid))
+ return u_rid;
+
+ return (0);
+}
+
+uint32 pdb_get_group_rid (const SAM_ACCOUNT *sampass)
+{
+ uint32 g_rid;
+
+ if (sampass)
+ if (sid_peek_check_rid(get_global_sam_sid(), pdb_get_group_sid(sampass),&g_rid))
+ return g_rid;
+ return (0);
+}
+
+BOOL pdb_set_user_sid_from_rid (SAM_ACCOUNT *sampass, uint32 rid, enum pdb_value_state flag)
+{
+ DOM_SID u_sid;
+ const DOM_SID *global_sam_sid;
+ TALLOC_CTX *mem_ctx;
+
+ if (!sampass)
+ return False;
+
+ if (!(global_sam_sid = get_global_sam_sid())) {
+ DEBUG(1, ("pdb_set_user_sid_from_rid: Could not read global sam sid!\n"));
+ return False;
+ }
+
+ sid_copy(&u_sid, global_sam_sid);
+
+ if (!sid_append_rid(&u_sid, rid))
+ return False;
+
+ if (!pdb_set_user_sid(sampass, &u_sid, flag))
+ return False;
+ mem_ctx = talloc_init("pdb_set_user_sid_from_rid");
+ if (!mem_ctx) {
+ DEBUG(1, ("pdb_set_user_sid_from_rid: No memory\n"));
+ return False;
+ }
+ DEBUG(10, ("pdb_set_user_sid_from_rid:\n\tsetting user sid %s from rid %d\n",
+ sid_string_talloc(mem_ctx, &u_sid),rid));
+ talloc_destroy(mem_ctx);
+ return True;
+}
+
+BOOL pdb_set_group_sid_from_rid (SAM_ACCOUNT *sampass, uint32 grid, enum pdb_value_state flag)
+{
+ DOM_SID g_sid;
+ const DOM_SID *global_sam_sid;
+ TALLOC_CTX *mem_ctx;
+
+ if (!sampass)
+ return False;
+
+ if (!(global_sam_sid = get_global_sam_sid())) {
+ DEBUG(1, ("pdb_set_user_sid_from_rid: Could not read global sam sid!\n"));
+ return False;
+ }
+
+ sid_copy(&g_sid, global_sam_sid);
+
+ if (!sid_append_rid(&g_sid, grid))
+ return False;
+
+ if (!pdb_set_group_sid(sampass, &g_sid, flag))
+ return False;
+
+ mem_ctx = talloc_init("pdb_set_user_sid_from_rid");
+ if (!mem_ctx) {
+ DEBUG(1, ("pdb_set_user_sid_from_rid: No memory\n"));
+ return False;
+ }
+ DEBUG(10, ("pdb_set_group_sid_from_rid:\n\tsetting group sid %s from rid %d\n",
+ sid_string_talloc(mem_ctx, &g_sid), grid));
+ talloc_destroy(mem_ctx);
+ return True;
+}
+
diff --git a/source4/passdb/pdb_get_set.c b/source4/passdb/pdb_get_set.c
new file mode 100644
index 0000000000..27aa5923e4
--- /dev/null
+++ b/source4/passdb/pdb_get_set.c
@@ -0,0 +1,1123 @@
+/*
+ Unix SMB/CIFS implementation.
+ SAM_ACCOUNT access routines
+ Copyright (C) Jeremy Allison 1996-2001
+ Copyright (C) Luke Kenneth Casson Leighton 1996-1998
+ Copyright (C) Gerald (Jerry) Carter 2000-2001
+ Copyright (C) Andrew Bartlett 2001-2002
+ Copyright (C) Stefan (metze) Metzmacher 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
+/**
+ * @todo Redefine this to NULL, but this changes the API becouse
+ * much of samba assumes that the pdb_get...() funtions
+ * return pstrings. (ie not null-pointers).
+ * See also pdb_fill_default_sam().
+ */
+
+#define PDB_NOT_QUITE_NULL ""
+
+/*********************************************************************
+ Collection of get...() functions for SAM_ACCOUNT.
+ ********************************************************************/
+
+uint16 pdb_get_acct_ctrl (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.acct_ctrl);
+ else
+ return (ACB_DISABLED);
+}
+
+time_t pdb_get_logon_time (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.logon_time);
+ else
+ return (0);
+}
+
+time_t pdb_get_logoff_time (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.logoff_time);
+ else
+ return (-1);
+}
+
+time_t pdb_get_kickoff_time (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.kickoff_time);
+ else
+ return (-1);
+}
+
+time_t pdb_get_pass_last_set_time (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.pass_last_set_time);
+ else
+ return (-1);
+}
+
+time_t pdb_get_pass_can_change_time (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.pass_can_change_time);
+ else
+ return (-1);
+}
+
+time_t pdb_get_pass_must_change_time (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.pass_must_change_time);
+ else
+ return (-1);
+}
+
+uint16 pdb_get_logon_divs (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.logon_divs);
+ else
+ return (-1);
+}
+
+uint32 pdb_get_hours_len (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.hours_len);
+ else
+ return (-1);
+}
+
+const uint8* pdb_get_hours (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.hours);
+ else
+ return (NULL);
+}
+
+const uint8* pdb_get_nt_passwd (const SAM_ACCOUNT *sampass)
+{
+ if (sampass) {
+ SMB_ASSERT((!sampass->private.nt_pw.data)
+ || sampass->private.nt_pw.length == NT_HASH_LEN);
+ return ((uint8*)sampass->private.nt_pw.data);
+ }
+ else
+ return (NULL);
+}
+
+const uint8* pdb_get_lanman_passwd (const SAM_ACCOUNT *sampass)
+{
+ if (sampass) {
+ SMB_ASSERT((!sampass->private.lm_pw.data)
+ || sampass->private.lm_pw.length == LM_HASH_LEN);
+ return ((uint8*)sampass->private.lm_pw.data);
+ }
+ else
+ return (NULL);
+}
+
+/* Return the plaintext password if known. Most of the time
+ it isn't, so don't assume anything magic about this function.
+
+ Used to pass the plaintext to passdb backends that might
+ want to store more than just the NTLM hashes.
+*/
+const char* pdb_get_plaintext_passwd (const SAM_ACCOUNT *sampass)
+{
+ if (sampass) {
+ return (sampass->private.plaintext_pw);
+ }
+ else
+ return (NULL);
+}
+const DOM_SID *pdb_get_user_sid(const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return &sampass->private.user_sid;
+ else
+ return (NULL);
+}
+
+const DOM_SID *pdb_get_group_sid(const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return &sampass->private.group_sid;
+ else
+ return (NULL);
+}
+
+/**
+ * Get flags showing what is initalised in the SAM_ACCOUNT
+ * @param sampass the SAM_ACCOUNT in question
+ * @return the flags indicating the members initialised in the struct.
+ **/
+
+enum pdb_value_state pdb_get_init_flags (const SAM_ACCOUNT *sampass, enum pdb_elements element)
+{
+ enum pdb_value_state ret = PDB_DEFAULT;
+
+ if (!sampass || !sampass->private.change_flags || !sampass->private.set_flags)
+ return ret;
+
+ if (bitmap_query(sampass->private.set_flags, element)) {
+ DEBUG(10, ("element %d: SET\n", element));
+ ret = PDB_SET;
+ }
+
+ if (bitmap_query(sampass->private.change_flags, element)) {
+ DEBUG(10, ("element %d: CHANGED\n", element));
+ ret = PDB_CHANGED;
+ }
+
+ if (ret == PDB_DEFAULT) {
+ DEBUG(10, ("element %d: DEFAULT\n", element));
+ }
+
+ return ret;
+}
+
+uid_t pdb_get_uid (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.uid);
+ else
+ return (-1);
+}
+
+gid_t pdb_get_gid (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.gid);
+ else
+ return (-1);
+}
+
+const char* pdb_get_username (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.username);
+ else
+ return (NULL);
+}
+
+const char* pdb_get_domain (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.domain);
+ else
+ return (NULL);
+}
+
+const char* pdb_get_nt_username (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.nt_username);
+ else
+ return (NULL);
+}
+
+const char* pdb_get_fullname (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.full_name);
+ else
+ return (NULL);
+}
+
+const char* pdb_get_homedir (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.home_dir);
+ else
+ return (NULL);
+}
+
+const char* pdb_get_unix_homedir (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.unix_home_dir);
+ else
+ return (NULL);
+}
+
+const char* pdb_get_dir_drive (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.dir_drive);
+ else
+ return (NULL);
+}
+
+const char* pdb_get_logon_script (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.logon_script);
+ else
+ return (NULL);
+}
+
+const char* pdb_get_profile_path (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.profile_path);
+ else
+ return (NULL);
+}
+
+const char* pdb_get_acct_desc (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.acct_desc);
+ else
+ return (NULL);
+}
+
+const char* pdb_get_workstations (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.workstations);
+ else
+ return (NULL);
+}
+
+const char* pdb_get_unknown_str (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.unknown_str);
+ else
+ return (NULL);
+}
+
+const char* pdb_get_munged_dial (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.munged_dial);
+ else
+ return (NULL);
+}
+
+uint32 pdb_get_unknown_3 (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.unknown_3);
+ else
+ return (-1);
+}
+
+uint32 pdb_get_unknown_5 (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.unknown_5);
+ else
+ return (-1);
+}
+
+uint32 pdb_get_unknown_6 (const SAM_ACCOUNT *sampass)
+{
+ if (sampass)
+ return (sampass->private.unknown_6);
+ else
+ return (-1);
+}
+
+/*********************************************************************
+ Collection of set...() functions for SAM_ACCOUNT.
+ ********************************************************************/
+
+BOOL pdb_set_acct_ctrl (SAM_ACCOUNT *sampass, uint16 acct_ctrl, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ sampass->private.acct_ctrl = acct_ctrl;
+
+ return pdb_set_init_flags(sampass, PDB_ACCTCTRL, flag);
+}
+
+BOOL pdb_set_logon_time (SAM_ACCOUNT *sampass, time_t mytime, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ sampass->private.logon_time = mytime;
+
+ return pdb_set_init_flags(sampass, PDB_LOGONTIME, flag);
+}
+
+BOOL pdb_set_logoff_time (SAM_ACCOUNT *sampass, time_t mytime, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ sampass->private.logoff_time = mytime;
+
+ return pdb_set_init_flags(sampass, PDB_LOGOFFTIME, flag);
+}
+
+BOOL pdb_set_kickoff_time (SAM_ACCOUNT *sampass, time_t mytime, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ sampass->private.kickoff_time = mytime;
+
+ return pdb_set_init_flags(sampass, PDB_KICKOFFTIME, flag);
+}
+
+BOOL pdb_set_pass_can_change_time (SAM_ACCOUNT *sampass, time_t mytime, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ sampass->private.pass_can_change_time = mytime;
+
+ return pdb_set_init_flags(sampass, PDB_CANCHANGETIME, flag);
+}
+
+BOOL pdb_set_pass_must_change_time (SAM_ACCOUNT *sampass, time_t mytime, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ sampass->private.pass_must_change_time = mytime;
+
+ return pdb_set_init_flags(sampass, PDB_MUSTCHANGETIME, flag);
+}
+
+BOOL pdb_set_pass_last_set_time (SAM_ACCOUNT *sampass, time_t mytime, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ sampass->private.pass_last_set_time = mytime;
+
+ return pdb_set_init_flags(sampass, PDB_PASSLASTSET, flag);
+}
+
+BOOL pdb_set_hours_len (SAM_ACCOUNT *sampass, uint32 len, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ sampass->private.hours_len = len;
+
+ return pdb_set_init_flags(sampass, PDB_HOURSLEN, flag);
+}
+
+BOOL pdb_set_logon_divs (SAM_ACCOUNT *sampass, uint16 hours, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ sampass->private.logon_divs = hours;
+
+ return pdb_set_init_flags(sampass, PDB_LOGONDIVS, flag);
+}
+
+/**
+ * Set flags showing what is initalised in the SAM_ACCOUNT
+ * @param sampass the SAM_ACCOUNT in question
+ * @param flag The *new* flag to be set. Old flags preserved
+ * this flag is only added.
+ **/
+
+BOOL pdb_set_init_flags (SAM_ACCOUNT *sampass, enum pdb_elements element, enum pdb_value_state value_flag)
+{
+ if (!sampass || !sampass->mem_ctx)
+ return False;
+
+ if (!sampass->private.set_flags) {
+ if ((sampass->private.set_flags =
+ bitmap_talloc(sampass->mem_ctx,
+ PDB_COUNT))==NULL) {
+ DEBUG(0,("bitmap_talloc failed\n"));
+ return False;
+ }
+ }
+ if (!sampass->private.change_flags) {
+ if ((sampass->private.change_flags =
+ bitmap_talloc(sampass->mem_ctx,
+ PDB_COUNT))==NULL) {
+ DEBUG(0,("bitmap_talloc failed\n"));
+ return False;
+ }
+ }
+
+ switch(value_flag) {
+ case PDB_CHANGED:
+ if (!bitmap_set(sampass->private.change_flags, element)) {
+ DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
+ return False;
+ }
+ if (!bitmap_set(sampass->private.set_flags, element)) {
+ DEBUG(0,("Can't set flag: %d in set_falgs.\n",element));
+ return False;
+ }
+ DEBUG(10, ("element %d -> now CHANGED\n", element));
+ break;
+ case PDB_SET:
+ if (!bitmap_clear(sampass->private.change_flags, element)) {
+ DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
+ return False;
+ }
+ if (!bitmap_set(sampass->private.set_flags, element)) {
+ DEBUG(0,("Can't set flag: %d in set_falgs.\n",element));
+ return False;
+ }
+ DEBUG(10, ("element %d -> now SET\n", element));
+ break;
+ case PDB_DEFAULT:
+ default:
+ if (!bitmap_clear(sampass->private.change_flags, element)) {
+ DEBUG(0,("Can't set flag: %d in change_flags.\n",element));
+ return False;
+ }
+ if (!bitmap_clear(sampass->private.set_flags, element)) {
+ DEBUG(0,("Can't set flag: %d in set_falgs.\n",element));
+ return False;
+ }
+ DEBUG(10, ("element %d -> now DEFAULT\n", element));
+ break;
+ }
+
+ return True;
+}
+
+BOOL pdb_set_uid (SAM_ACCOUNT *sampass, const uid_t uid, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ DEBUG(10, ("pdb_set_uid: setting uid %d, was %d\n",
+ (int)uid, (int)sampass->private.uid));
+
+ sampass->private.uid = uid;
+
+ return pdb_set_init_flags(sampass, PDB_UID, flag);
+}
+
+BOOL pdb_set_gid (SAM_ACCOUNT *sampass, const gid_t gid, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ DEBUG(10, ("pdb_set_gid: setting gid %d, was %d\n",
+ (int)gid, (int)sampass->private.gid));
+
+ sampass->private.gid = gid;
+
+ return pdb_set_init_flags(sampass, PDB_GID, flag);
+}
+
+BOOL pdb_set_user_sid (SAM_ACCOUNT *sampass, DOM_SID *u_sid, enum pdb_value_state flag)
+{
+ TALLOC_CTX *mem_ctx;
+ if (!sampass || !u_sid)
+ return False;
+
+ sid_copy(&sampass->private.user_sid, u_sid);
+
+ mem_ctx = talloc_init("pdb_set_group_sid");
+ if (!mem_ctx) return False;
+ DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n",
+ sid_string_talloc(mem_ctx, &sampass->private.user_sid)));
+
+ talloc_destroy(mem_ctx);
+ return pdb_set_init_flags(sampass, PDB_USERSID, flag);
+}
+
+BOOL pdb_set_user_sid_from_string (SAM_ACCOUNT *sampass, fstring u_sid, enum pdb_value_state flag)
+{
+ DOM_SID new_sid;
+
+ if (!sampass || !u_sid)
+ return False;
+
+ DEBUG(10, ("pdb_set_user_sid_from_string: setting user sid %s\n",
+ u_sid));
+
+ if (!string_to_sid(&new_sid, u_sid)) {
+ DEBUG(1, ("pdb_set_user_sid_from_string: %s isn't a valid SID!\n", u_sid));
+ return False;
+ }
+
+ if (!pdb_set_user_sid(sampass, &new_sid, flag)) {
+ DEBUG(1, ("pdb_set_user_sid_from_string: could not set sid %s on SAM_ACCOUNT!\n", u_sid));
+ return False;
+ }
+
+ return True;
+}
+
+BOOL pdb_set_group_sid (SAM_ACCOUNT *sampass, DOM_SID *g_sid, enum pdb_value_state flag)
+{
+ TALLOC_CTX *mem_ctx;
+ if (!sampass || !g_sid)
+ return False;
+
+ sid_copy(&sampass->private.group_sid, g_sid);
+
+ mem_ctx = talloc_init("pdb_set_group_sid");
+ if (!mem_ctx) return False;
+ DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n",
+ sid_string_talloc(mem_ctx, &sampass->private.group_sid)));
+ talloc_destroy(mem_ctx);
+ return pdb_set_init_flags(sampass, PDB_GROUPSID, flag);
+}
+
+BOOL pdb_set_group_sid_from_string (SAM_ACCOUNT *sampass, fstring g_sid, enum pdb_value_state flag)
+{
+ DOM_SID new_sid;
+ if (!sampass || !g_sid)
+ return False;
+
+ DEBUG(10, ("pdb_set_group_sid_from_string: setting group sid %s\n",
+ g_sid));
+
+ if (!string_to_sid(&new_sid, g_sid)) {
+ DEBUG(1, ("pdb_set_group_sid_from_string: %s isn't a valid SID!\n", g_sid));
+ return False;
+ }
+
+ if (!pdb_set_group_sid(sampass, &new_sid, flag)) {
+ DEBUG(1, ("pdb_set_group_sid_from_string: could not set sid %s on SAM_ACCOUNT!\n", g_sid));
+ return False;
+ }
+ return True;
+}
+
+/*********************************************************************
+ Set the user's UNIX name.
+ ********************************************************************/
+
+BOOL pdb_set_username(SAM_ACCOUNT *sampass, const char *username, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (username) {
+ DEBUG(10, ("pdb_set_username: setting username %s, was %s\n", username,
+ (sampass->private.username)?(sampass->private.username):"NULL"));
+
+ sampass->private.username = talloc_strdup(sampass->mem_ctx, username);
+
+ if (!sampass->private.username) {
+ DEBUG(0, ("pdb_set_username: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.username = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_USERNAME, flag);
+}
+
+/*********************************************************************
+ Set the domain name.
+ ********************************************************************/
+
+BOOL pdb_set_domain(SAM_ACCOUNT *sampass, const char *domain, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (domain) {
+ DEBUG(10, ("pdb_set_domain: setting domain %s, was %s\n", domain,
+ (sampass->private.domain)?(sampass->private.domain):"NULL"));
+
+ sampass->private.domain = talloc_strdup(sampass->mem_ctx, domain);
+
+ if (!sampass->private.domain) {
+ DEBUG(0, ("pdb_set_domain: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.domain = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_DOMAIN, flag);
+}
+
+/*********************************************************************
+ Set the user's NT name.
+ ********************************************************************/
+
+BOOL pdb_set_nt_username(SAM_ACCOUNT *sampass, const char *nt_username, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (nt_username) {
+ DEBUG(10, ("pdb_set_nt_username: setting nt username %s, was %s\n", nt_username,
+ (sampass->private.nt_username)?(sampass->private.nt_username):"NULL"));
+
+ sampass->private.nt_username = talloc_strdup(sampass->mem_ctx, nt_username);
+
+ if (!sampass->private.nt_username) {
+ DEBUG(0, ("pdb_set_nt_username: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.nt_username = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_NTUSERNAME, flag);
+}
+
+/*********************************************************************
+ Set the user's full name.
+ ********************************************************************/
+
+BOOL pdb_set_fullname(SAM_ACCOUNT *sampass, const char *full_name, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (full_name) {
+ DEBUG(10, ("pdb_set_full_name: setting full name %s, was %s\n", full_name,
+ (sampass->private.full_name)?(sampass->private.full_name):"NULL"));
+
+ sampass->private.full_name = talloc_strdup(sampass->mem_ctx, full_name);
+
+ if (!sampass->private.full_name) {
+ DEBUG(0, ("pdb_set_fullname: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.full_name = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_FULLNAME, flag);
+}
+
+/*********************************************************************
+ Set the user's logon script.
+ ********************************************************************/
+
+BOOL pdb_set_logon_script(SAM_ACCOUNT *sampass, const char *logon_script, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (logon_script) {
+ DEBUG(10, ("pdb_set_logon_script: setting logon script %s, was %s\n", logon_script,
+ (sampass->private.logon_script)?(sampass->private.logon_script):"NULL"));
+
+ sampass->private.logon_script = talloc_strdup(sampass->mem_ctx, logon_script);
+
+ if (!sampass->private.logon_script) {
+ DEBUG(0, ("pdb_set_logon_script: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.logon_script = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_LOGONSCRIPT, flag);
+}
+
+/*********************************************************************
+ Set the user's profile path.
+ ********************************************************************/
+
+BOOL pdb_set_profile_path (SAM_ACCOUNT *sampass, const char *profile_path, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (profile_path) {
+ DEBUG(10, ("pdb_set_profile_path: setting profile path %s, was %s\n", profile_path,
+ (sampass->private.profile_path)?(sampass->private.profile_path):"NULL"));
+
+ sampass->private.profile_path = talloc_strdup(sampass->mem_ctx, profile_path);
+
+ if (!sampass->private.profile_path) {
+ DEBUG(0, ("pdb_set_profile_path: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.profile_path = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_PROFILE, flag);
+}
+
+/*********************************************************************
+ Set the user's directory drive.
+ ********************************************************************/
+
+BOOL pdb_set_dir_drive (SAM_ACCOUNT *sampass, const char *dir_drive, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (dir_drive) {
+ DEBUG(10, ("pdb_set_dir_drive: setting dir drive %s, was %s\n", dir_drive,
+ (sampass->private.dir_drive)?(sampass->private.dir_drive):"NULL"));
+
+ sampass->private.dir_drive = talloc_strdup(sampass->mem_ctx, dir_drive);
+
+ if (!sampass->private.dir_drive) {
+ DEBUG(0, ("pdb_set_dir_drive: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.dir_drive = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_DRIVE, flag);
+}
+
+/*********************************************************************
+ Set the user's home directory.
+ ********************************************************************/
+
+BOOL pdb_set_homedir (SAM_ACCOUNT *sampass, const char *home_dir, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (home_dir) {
+ DEBUG(10, ("pdb_set_homedir: setting home dir %s, was %s\n", home_dir,
+ (sampass->private.home_dir)?(sampass->private.home_dir):"NULL"));
+
+ sampass->private.home_dir = talloc_strdup(sampass->mem_ctx, home_dir);
+
+ if (!sampass->private.home_dir) {
+ DEBUG(0, ("pdb_set_home_dir: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.home_dir = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_SMBHOME, flag);
+}
+
+/*********************************************************************
+ Set the user's unix home directory.
+ ********************************************************************/
+
+BOOL pdb_set_unix_homedir (SAM_ACCOUNT *sampass, const char *unix_home_dir, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (unix_home_dir) {
+ DEBUG(10, ("pdb_set_unix_homedir: setting home dir %s, was %s\n", unix_home_dir,
+ (sampass->private.unix_home_dir)?(sampass->private.unix_home_dir):"NULL"));
+
+ sampass->private.unix_home_dir = talloc_strdup(sampass->mem_ctx,
+ unix_home_dir);
+
+ if (!sampass->private.unix_home_dir) {
+ DEBUG(0, ("pdb_set_unix_home_dir: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.unix_home_dir = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_UNIXHOMEDIR, flag);
+}
+
+/*********************************************************************
+ Set the user's account description.
+ ********************************************************************/
+
+BOOL pdb_set_acct_desc (SAM_ACCOUNT *sampass, const char *acct_desc, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (acct_desc) {
+ sampass->private.acct_desc = talloc_strdup(sampass->mem_ctx, acct_desc);
+
+ if (!sampass->private.acct_desc) {
+ DEBUG(0, ("pdb_set_acct_desc: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.acct_desc = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_ACCTDESC, flag);
+}
+
+/*********************************************************************
+ Set the user's workstation allowed list.
+ ********************************************************************/
+
+BOOL pdb_set_workstations (SAM_ACCOUNT *sampass, const char *workstations, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (workstations) {
+ DEBUG(10, ("pdb_set_workstations: setting workstations %s, was %s\n", workstations,
+ (sampass->private.workstations)?(sampass->private.workstations):"NULL"));
+
+ sampass->private.workstations = talloc_strdup(sampass->mem_ctx, workstations);
+
+ if (!sampass->private.workstations) {
+ DEBUG(0, ("pdb_set_workstations: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.workstations = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_WORKSTATIONS, flag);
+}
+
+/*********************************************************************
+ Set the user's 'unknown_str', whatever the heck this actually is...
+ ********************************************************************/
+
+BOOL pdb_set_unknown_str (SAM_ACCOUNT *sampass, const char *unknown_str, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (unknown_str) {
+ sampass->private.unknown_str = talloc_strdup(sampass->mem_ctx, unknown_str);
+
+ if (!sampass->private.unknown_str) {
+ DEBUG(0, ("pdb_set_unknown_str: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.unknown_str = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_UNKNOWNSTR, flag);
+}
+
+/*********************************************************************
+ Set the user's dial string.
+ ********************************************************************/
+
+BOOL pdb_set_munged_dial (SAM_ACCOUNT *sampass, const char *munged_dial, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (munged_dial) {
+ sampass->private.munged_dial = talloc_strdup(sampass->mem_ctx, munged_dial);
+
+ if (!sampass->private.munged_dial) {
+ DEBUG(0, ("pdb_set_munged_dial: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.munged_dial = PDB_NOT_QUITE_NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_MUNGEDDIAL, flag);
+}
+
+/*********************************************************************
+ Set the user's NT hash.
+ ********************************************************************/
+
+BOOL pdb_set_nt_passwd (SAM_ACCOUNT *sampass, const uint8 pwd[NT_HASH_LEN], enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ data_blob_clear_free(&sampass->private.nt_pw);
+
+ sampass->private.nt_pw = data_blob(pwd, NT_HASH_LEN);
+
+ return pdb_set_init_flags(sampass, PDB_NTPASSWD, flag);
+}
+
+/*********************************************************************
+ Set the user's LM hash.
+ ********************************************************************/
+
+BOOL pdb_set_lanman_passwd (SAM_ACCOUNT *sampass, const uint8 pwd[LM_HASH_LEN], enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ data_blob_clear_free(&sampass->private.lm_pw);
+
+ sampass->private.lm_pw = data_blob(pwd, LM_HASH_LEN);
+
+ return pdb_set_init_flags(sampass, PDB_LMPASSWD, flag);
+}
+
+/*********************************************************************
+ Set the user's plaintext password only (base procedure, see helper
+ below)
+ ********************************************************************/
+
+BOOL pdb_set_plaintext_pw_only (SAM_ACCOUNT *sampass, const char *password, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (password) {
+ if (sampass->private.plaintext_pw!=NULL)
+ memset(sampass->private.plaintext_pw,'\0',strlen(sampass->private.plaintext_pw)+1);
+
+ sampass->private.plaintext_pw = talloc_strdup(sampass->mem_ctx, password);
+
+ if (!sampass->private.plaintext_pw) {
+ DEBUG(0, ("pdb_set_unknown_str: talloc_strdup() failed!\n"));
+ return False;
+ }
+
+ } else {
+ sampass->private.plaintext_pw = NULL;
+ }
+
+ return pdb_set_init_flags(sampass, PDB_PLAINTEXT_PW, flag);
+}
+
+BOOL pdb_set_unknown_3 (SAM_ACCOUNT *sampass, uint32 unkn, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ sampass->private.unknown_3 = unkn;
+
+ return pdb_set_init_flags(sampass, PDB_UNKNOWN3, flag);
+}
+
+BOOL pdb_set_unknown_5 (SAM_ACCOUNT *sampass, uint32 unkn, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ sampass->private.unknown_5 = unkn;
+
+ return pdb_set_init_flags(sampass, PDB_UNKNOWN5, flag);
+}
+
+BOOL pdb_set_unknown_6 (SAM_ACCOUNT *sampass, uint32 unkn, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ sampass->private.unknown_6 = unkn;
+
+ return pdb_set_init_flags(sampass, PDB_UNKNOWN6, flag);
+}
+
+BOOL pdb_set_hours (SAM_ACCOUNT *sampass, const uint8 *hours, enum pdb_value_state flag)
+{
+ if (!sampass)
+ return False;
+
+ if (!hours) {
+ memset ((char *)sampass->private.hours, 0, MAX_HOURS_LEN);
+ return True;
+ }
+
+ memcpy (sampass->private.hours, hours, MAX_HOURS_LEN);
+
+ return pdb_set_init_flags(sampass, PDB_HOURS, flag);
+}
+
+
+/* Helpful interfaces to the above */
+
+/*********************************************************************
+ Sets the last changed times and must change times for a normal
+ password change.
+ ********************************************************************/
+
+BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass)
+{
+ uint32 expire;
+
+ if (!sampass)
+ return False;
+
+ if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
+ return False;
+
+ if (!account_policy_get(AP_MAX_PASSWORD_AGE, &expire)
+ || (expire==(uint32)-1)) {
+ if (!pdb_set_pass_must_change_time (sampass, get_time_t_max(), PDB_CHANGED))
+ return False;
+ } else {
+ if (!pdb_set_pass_must_change_time (sampass,
+ pdb_get_pass_last_set_time(sampass)
+ + expire, PDB_CHANGED))
+ return False;
+ }
+
+ return True;
+}
+
+/*********************************************************************
+ Set the user's PLAINTEXT password. Used as an interface to the above.
+ Also sets the last change time to NOW.
+ ********************************************************************/
+
+BOOL pdb_set_plaintext_passwd (SAM_ACCOUNT *sampass, const char *plaintext)
+{
+ uchar new_lanman_p16[16];
+ uchar new_nt_p16[16];
+
+ if (!sampass || !plaintext)
+ return False;
+
+ nt_lm_owf_gen (plaintext, new_nt_p16, new_lanman_p16);
+
+ if (!pdb_set_nt_passwd (sampass, new_nt_p16, PDB_CHANGED))
+ return False;
+
+ if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED))
+ return False;
+
+ if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED))
+ return False;
+
+ if (!pdb_set_pass_changed_now (sampass))
+ return False;
+
+ return True;
+}
diff --git a/source4/passdb/pdb_guest.c b/source4/passdb/pdb_guest.c
new file mode 100644
index 0000000000..3f0f06d18d
--- /dev/null
+++ b/source4/passdb/pdb_guest.c
@@ -0,0 +1,123 @@
+/*
+ * 'Guest' password backend for samba
+ * Copyright (C) Jelmer Vernooij 2002
+ * Copyright (C) Andrew Bartlett 2003
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 675
+ * Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+/******************************************************************
+ Lookup a name in the SAM database
+ ******************************************************************/
+
+static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user, const char *sname)
+{
+ NTSTATUS nt_status;
+ struct passwd *pass;
+ const char *guest_account = lp_guestaccount();
+ if (!(guest_account && *guest_account)) {
+ DEBUG(1, ("NULL guest account!?!?\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (!methods) {
+ DEBUG(0,("invalid methods\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ if (!sname) {
+ DEBUG(0,("invalid name specified"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (!strequal(guest_account, sname)) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ pass = getpwnam_alloc(guest_account);
+
+ nt_status = pdb_fill_sam_pw(user, pass);
+
+ passwd_free(&pass);
+ return nt_status;
+}
+
+
+/***************************************************************************
+ Search by rid
+ **************************************************************************/
+
+static NTSTATUS guestsam_getsampwrid (struct pdb_methods *methods,
+ SAM_ACCOUNT *user, uint32 rid)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct passwd *pass = NULL;
+ const char *guest_account = lp_guestaccount();
+ if (!(guest_account && *guest_account)) {
+ DEBUG(1, ("NULL guest account!?!?\n"));
+ return nt_status;
+ }
+
+ if (!methods) {
+ DEBUG(0,("invalid methods\n"));
+ return nt_status;
+ }
+
+ if (rid == DOMAIN_USER_RID_GUEST) {
+ pass = getpwnam_alloc(guest_account);
+ if (!pass) {
+ DEBUG(1, ("guest account %s does not seem to exist...\n", guest_account));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ } else {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ nt_status = pdb_fill_sam_pw(user, pass);
+ passwd_free(&pass);
+
+ return nt_status;
+}
+
+static NTSTATUS guestsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
+{
+ uint32 rid;
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+ return NT_STATUS_NO_SUCH_USER;
+ return guestsam_getsampwrid(my_methods, user, rid);
+}
+
+NTSTATUS pdb_init_guestsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ NTSTATUS nt_status;
+
+ if (!pdb_context) {
+ DEBUG(0, ("invalid pdb_context specified\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
+ return nt_status;
+ }
+
+ (*pdb_method)->name = "guestsam";
+
+ (*pdb_method)->getsampwnam = guestsam_getsampwnam;
+ (*pdb_method)->getsampwsid = guestsam_getsampwsid;
+
+ /* There's not very much to initialise here */
+ return NT_STATUS_OK;
+}
diff --git a/source4/passdb/pdb_interface.c b/source4/passdb/pdb_interface.c
new file mode 100644
index 0000000000..48a039b3de
--- /dev/null
+++ b/source4/passdb/pdb_interface.c
@@ -0,0 +1,855 @@
+/*
+ Unix SMB/CIFS implementation.
+ Password and authentication handling
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Jelmer Vernooij 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
+/** List of various built-in passdb modules */
+static const struct {
+ const char *name;
+ /* Function to create a member of the pdb_methods list */
+ pdb_init_function init;
+} builtin_pdb_init_functions[] = {
+ { "smbpasswd", pdb_init_smbpasswd },
+ { "smbpasswd_nua", pdb_init_smbpasswd_nua },
+ { "tdbsam", pdb_init_tdbsam },
+ { "tdbsam_nua", pdb_init_tdbsam_nua },
+ { "ldapsam", pdb_init_ldapsam },
+ { "ldapsam_nua", pdb_init_ldapsam_nua },
+ { "unixsam", pdb_init_unixsam },
+ { "guest", pdb_init_guestsam },
+ { "nisplussam", pdb_init_nisplussam },
+ { NULL, NULL}
+};
+
+static struct pdb_init_function_entry *backends;
+static void lazy_initialize_passdb(void);
+
+static void lazy_initialize_passdb()
+{
+ int i;
+ static BOOL initialised = False;
+
+ if(!initialised) {
+ initialised = True;
+
+ for(i = 0; builtin_pdb_init_functions[i].name; i++) {
+ smb_register_passdb(builtin_pdb_init_functions[i].name, builtin_pdb_init_functions[i].init, PASSDB_INTERFACE_VERSION);
+ }
+ }
+}
+
+BOOL smb_register_passdb(const char *name, pdb_init_function init, int version)
+{
+ struct pdb_init_function_entry *entry = backends;
+
+ if(version != PASSDB_INTERFACE_VERSION)
+ return False;
+
+ DEBUG(5,("Attempting to register passdb backend %s\n", name));
+
+ /* Check for duplicates */
+ while(entry) {
+ if(strcasecmp(name, entry->name) == 0) {
+ DEBUG(0,("There already is a passdb backend registered with the name %s!\n", name));
+ return False;
+ }
+ entry = entry->next;
+ }
+
+ entry = smb_xmalloc(sizeof(struct pdb_init_function_entry));
+ entry->name = name;
+ entry->init = init;
+
+ DLIST_ADD(backends, entry);
+ DEBUG(5,("Successfully added passdb backend '%s'\n", name));
+ return True;
+}
+
+struct pdb_init_function_entry *pdb_find_backend_entry(const char *name)
+{
+ struct pdb_init_function_entry *entry = backends;
+
+ while(entry) {
+ if (strequal(entry->name, name)) return entry;
+ entry = entry->next;
+ }
+
+ return NULL;
+}
+
+static NTSTATUS context_setsampwent(struct pdb_context *context, BOOL update)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ if (!context) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+
+ context->pwent_methods = context->pdb_methods;
+
+ if (!context->pwent_methods) {
+ /* No passdbs at all */
+ return ret;
+ }
+
+ while (NT_STATUS_IS_ERR(ret = context->pwent_methods->setsampwent(context->pwent_methods, update))) {
+ context->pwent_methods = context->pwent_methods->next;
+ if (context->pwent_methods == NULL)
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ return ret;
+}
+
+static void context_endsampwent(struct pdb_context *context)
+{
+ if ((!context)){
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return;
+ }
+
+ if (context->pwent_methods && context->pwent_methods->endsampwent)
+ context->pwent_methods->endsampwent(context->pwent_methods);
+
+ /* So we won't get strange data when calling getsampwent now */
+ context->pwent_methods = NULL;
+}
+
+static NTSTATUS context_getsampwent(struct pdb_context *context, SAM_ACCOUNT *user)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ if ((!context) || (!context->pwent_methods)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+ /* Loop until we find something useful */
+ while (NT_STATUS_IS_ERR(ret = context->pwent_methods->getsampwent(context->pwent_methods, user))) {
+
+ context->pwent_methods->endsampwent(context->pwent_methods);
+
+ context->pwent_methods = context->pwent_methods->next;
+
+ /* All methods are checked now. There are no more entries */
+ if (context->pwent_methods == NULL)
+ return ret;
+
+ context->pwent_methods->setsampwent(context->pwent_methods, False);
+ }
+ user->methods = context->pwent_methods;
+ return ret;
+}
+
+static NTSTATUS context_getsampwnam(struct pdb_context *context, SAM_ACCOUNT *sam_acct, const char *username)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ struct pdb_methods *curmethods;
+ if ((!context)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+ curmethods = context->pdb_methods;
+ while (curmethods){
+ if (NT_STATUS_IS_OK(ret = curmethods->getsampwnam(curmethods, sam_acct, username))) {
+ sam_acct->methods = curmethods;
+ return ret;
+ }
+ curmethods = curmethods->next;
+ }
+
+ return ret;
+}
+
+static NTSTATUS context_getsampwsid(struct pdb_context *context, SAM_ACCOUNT *sam_acct, const DOM_SID *sid)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ struct pdb_methods *curmethods;
+ if ((!context)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+
+ curmethods = context->pdb_methods;
+
+ while (curmethods){
+ if (NT_STATUS_IS_OK(ret = curmethods->getsampwsid(curmethods, sam_acct, sid))) {
+ sam_acct->methods = curmethods;
+ return ret;
+ }
+ curmethods = curmethods->next;
+ }
+
+ return ret;
+}
+
+static NTSTATUS context_add_sam_account(struct pdb_context *context, SAM_ACCOUNT *sam_acct)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ if ((!context) || (!context->pdb_methods)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+
+ /** @todo This is where a 're-read on add' should be done */
+ /* We now add a new account to the first database listed.
+ * Should we? */
+
+ return context->pdb_methods->add_sam_account(context->pdb_methods, sam_acct);
+}
+
+static NTSTATUS context_update_sam_account(struct pdb_context *context, SAM_ACCOUNT *sam_acct)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ if (!context) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+
+ if (!sam_acct || !sam_acct->methods){
+ DEBUG(0, ("invalid sam_acct specified\n"));
+ return ret;
+ }
+
+ /** @todo This is where a 're-read on update' should be done */
+
+ return sam_acct->methods->update_sam_account(sam_acct->methods, sam_acct);
+}
+
+static NTSTATUS context_delete_sam_account(struct pdb_context *context, SAM_ACCOUNT *sam_acct)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ struct pdb_methods *pdb_selected;
+ if (!context) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+
+ if (!sam_acct->methods){
+ pdb_selected = context->pdb_methods;
+ /* There's no passdb backend specified for this account.
+ * Try to delete it in every passdb available
+ * Needed to delete accounts in smbpasswd that are not
+ * in /etc/passwd.
+ */
+ while (pdb_selected){
+ if (NT_STATUS_IS_OK(ret = pdb_selected->delete_sam_account(pdb_selected, sam_acct))) {
+ return ret;
+ }
+ pdb_selected = pdb_selected->next;
+ }
+ return ret;
+ }
+
+ if (!sam_acct->methods->delete_sam_account){
+ DEBUG(0,("invalid sam_acct->methods->delete_sam_account\n"));
+ return ret;
+ }
+
+ return sam_acct->methods->delete_sam_account(sam_acct->methods, sam_acct);
+}
+
+static NTSTATUS context_getgrsid(struct pdb_context *context,
+ GROUP_MAP *map, DOM_SID sid, BOOL with_priv)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ struct pdb_methods *curmethods;
+ if ((!context)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+ curmethods = context->pdb_methods;
+ while (curmethods){
+ ret = curmethods->getgrsid(curmethods, map, sid, with_priv);
+ if (NT_STATUS_IS_OK(ret)) {
+ map->methods = curmethods;
+ return ret;
+ }
+ curmethods = curmethods->next;
+ }
+
+ return ret;
+}
+
+static NTSTATUS context_getgrgid(struct pdb_context *context,
+ GROUP_MAP *map, gid_t gid, BOOL with_priv)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ struct pdb_methods *curmethods;
+ if ((!context)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+ curmethods = context->pdb_methods;
+ while (curmethods){
+ ret = curmethods->getgrgid(curmethods, map, gid, with_priv);
+ if (NT_STATUS_IS_OK(ret)) {
+ map->methods = curmethods;
+ return ret;
+ }
+ curmethods = curmethods->next;
+ }
+
+ return ret;
+}
+
+static NTSTATUS context_getgrnam(struct pdb_context *context,
+ GROUP_MAP *map, char *name, BOOL with_priv)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ struct pdb_methods *curmethods;
+ if ((!context)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+ curmethods = context->pdb_methods;
+ while (curmethods){
+ ret = curmethods->getgrnam(curmethods, map, name, with_priv);
+ if (NT_STATUS_IS_OK(ret)) {
+ map->methods = curmethods;
+ return ret;
+ }
+ curmethods = curmethods->next;
+ }
+
+ return ret;
+}
+
+static NTSTATUS context_add_group_mapping_entry(struct pdb_context *context,
+ GROUP_MAP *map)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ if ((!context) || (!context->pdb_methods)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+
+ return context->pdb_methods->add_group_mapping_entry(context->pdb_methods,
+ map);
+}
+
+static NTSTATUS context_update_group_mapping_entry(struct pdb_context *context,
+ GROUP_MAP *map)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ if ((!context) || (!context->pdb_methods)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+
+ return context->
+ pdb_methods->update_group_mapping_entry(context->pdb_methods, map);
+}
+
+static NTSTATUS context_delete_group_mapping_entry(struct pdb_context *context,
+ DOM_SID sid)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ if ((!context) || (!context->pdb_methods)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+
+ return context->
+ pdb_methods->delete_group_mapping_entry(context->pdb_methods, sid);
+}
+
+static NTSTATUS context_enum_group_mapping(struct pdb_context *context,
+ enum SID_NAME_USE sid_name_use,
+ GROUP_MAP **rmap, int *num_entries,
+ BOOL unix_only, BOOL with_priv)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ if ((!context) || (!context->pdb_methods)) {
+ DEBUG(0, ("invalid pdb_context specified!\n"));
+ return ret;
+ }
+
+ return context->pdb_methods->enum_group_mapping(context->pdb_methods,
+ sid_name_use, rmap,
+ num_entries, unix_only,
+ with_priv);
+}
+
+/******************************************************************
+ Free and cleanup a pdb context, any associated data and anything
+ that the attached modules might have associated.
+ *******************************************************************/
+
+static void free_pdb_context(struct pdb_context **context)
+{
+ struct pdb_methods *pdb_selected = (*context)->pdb_methods;
+
+ while (pdb_selected){
+ if(pdb_selected->free_private_data)
+ pdb_selected->free_private_data(&(pdb_selected->private_data));
+ pdb_selected = pdb_selected->next;
+ }
+
+ talloc_destroy((*context)->mem_ctx);
+ *context = NULL;
+}
+
+/******************************************************************
+ Make a pdb_methods from scratch
+ *******************************************************************/
+
+static NTSTATUS make_pdb_methods_name(struct pdb_methods **methods, struct pdb_context *context, const char *selected)
+{
+ char *module_name = smb_xstrdup(selected);
+ char *module_location = NULL, *p;
+ struct pdb_init_function_entry *entry;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+
+ lazy_initialize_passdb();
+
+ p = strchr(module_name, ':');
+
+ if (p) {
+ *p = 0;
+ module_location = p+1;
+ trim_string(module_location, " ", " ");
+ }
+
+ trim_string(module_name, " ", " ");
+
+
+ DEBUG(5,("Attempting to find an passdb backend to match %s (%s)\n", selected, module_name));
+
+ entry = pdb_find_backend_entry(module_name);
+
+ /* Try to find a module that contains this module */
+ if(!entry) {
+ smb_probe_module("passdb", module_name);
+ entry = pdb_find_backend_entry(module_name);
+ }
+
+ /* No such backend found */
+ if(!entry) {
+ SAFE_FREE(module_name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DEBUG(5,("Found pdb backend %s\n", module_name));
+ nt_status = entry->init(context, methods, module_location);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(5,("pdb backend %s has a valid init\n", selected));
+ } else {
+ DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n", selected, nt_errstr(nt_status)));
+ }
+ SAFE_FREE(module_name);
+ return nt_status;
+}
+
+/******************************************************************
+ Make a pdb_context from scratch.
+ *******************************************************************/
+
+static NTSTATUS make_pdb_context(struct pdb_context **context)
+{
+ TALLOC_CTX *mem_ctx;
+
+ mem_ctx = talloc_init("pdb_context internal allocation context");
+
+ if (!mem_ctx) {
+ DEBUG(0, ("make_pdb_context: talloc init failed!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *context = talloc(mem_ctx, sizeof(**context));
+ if (!*context) {
+ DEBUG(0, ("make_pdb_context: talloc failed!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ZERO_STRUCTP(*context);
+
+ (*context)->mem_ctx = mem_ctx;
+
+ (*context)->pdb_setsampwent = context_setsampwent;
+ (*context)->pdb_endsampwent = context_endsampwent;
+ (*context)->pdb_getsampwent = context_getsampwent;
+ (*context)->pdb_getsampwnam = context_getsampwnam;
+ (*context)->pdb_getsampwsid = context_getsampwsid;
+ (*context)->pdb_add_sam_account = context_add_sam_account;
+ (*context)->pdb_update_sam_account = context_update_sam_account;
+ (*context)->pdb_delete_sam_account = context_delete_sam_account;
+ (*context)->pdb_getgrsid = context_getgrsid;
+ (*context)->pdb_getgrgid = context_getgrgid;
+ (*context)->pdb_getgrnam = context_getgrnam;
+ (*context)->pdb_add_group_mapping_entry = context_add_group_mapping_entry;
+ (*context)->pdb_update_group_mapping_entry = context_update_group_mapping_entry;
+ (*context)->pdb_delete_group_mapping_entry = context_delete_group_mapping_entry;
+ (*context)->pdb_enum_group_mapping = context_enum_group_mapping;
+
+ (*context)->free_fn = free_pdb_context;
+
+ return NT_STATUS_OK;
+}
+
+
+/******************************************************************
+ Make a pdb_context, given an array of strings
+ *******************************************************************/
+
+NTSTATUS make_pdb_context_list(struct pdb_context **context, const char **selected)
+{
+ int i = 0;
+ struct pdb_methods *curmethods, *tmpmethods;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+
+ if (!NT_STATUS_IS_OK(nt_status = make_pdb_context(context))) {
+ return nt_status;
+ }
+
+ while (selected[i]){
+ /* Try to initialise pdb */
+ DEBUG(5,("Trying to load: %s\n", selected[i]));
+ if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods_name(&curmethods, *context, selected[i]))) {
+ DEBUG(1, ("Loading %s failed!\n", selected[i]));
+ free_pdb_context(context);
+ return nt_status;
+ }
+ curmethods->parent = *context;
+ DLIST_ADD_END((*context)->pdb_methods, curmethods, tmpmethods);
+ i++;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/******************************************************************
+ Make a pdb_context, given a text string.
+ *******************************************************************/
+
+NTSTATUS make_pdb_context_string(struct pdb_context **context, const char *selected)
+{
+ NTSTATUS ret;
+ char **newsel = str_list_make(selected, NULL);
+ ret = make_pdb_context_list(context, (const char **)newsel);
+ str_list_free(&newsel);
+ return ret;
+}
+
+/******************************************************************
+ Return an already initialised pdb_context, to facilitate backward
+ compatibility (see functions below).
+*******************************************************************/
+
+static struct pdb_context *pdb_get_static_context(BOOL reload)
+{
+ static struct pdb_context *pdb_context = NULL;
+
+ if ((pdb_context) && (reload)) {
+ pdb_context->free_fn(&pdb_context);
+ if (NT_STATUS_IS_ERR(make_pdb_context_list(&pdb_context, lp_passdb_backend()))) {
+ return NULL;
+ }
+ }
+
+ if (!pdb_context) {
+ if (NT_STATUS_IS_ERR(make_pdb_context_list(&pdb_context, lp_passdb_backend()))) {
+ return NULL;
+ }
+ }
+
+ return pdb_context;
+}
+
+/******************************************************************
+ Backward compatibility functions for the original passdb interface
+*******************************************************************/
+
+BOOL pdb_setsampwent(BOOL update)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->pdb_setsampwent(pdb_context, update));
+}
+
+void pdb_endsampwent(void)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return;
+ }
+
+ pdb_context->pdb_endsampwent(pdb_context);
+}
+
+BOOL pdb_getsampwent(SAM_ACCOUNT *user)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->pdb_getsampwent(pdb_context, user));
+}
+
+BOOL pdb_getsampwnam(SAM_ACCOUNT *sam_acct, const char *username)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->pdb_getsampwnam(pdb_context, sam_acct, username));
+}
+
+BOOL pdb_getsampwsid(SAM_ACCOUNT *sam_acct, const DOM_SID *sid)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->pdb_getsampwsid(pdb_context, sam_acct, sid));
+}
+
+BOOL pdb_add_sam_account(SAM_ACCOUNT *sam_acct)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->pdb_add_sam_account(pdb_context, sam_acct));
+}
+
+BOOL pdb_update_sam_account(SAM_ACCOUNT *sam_acct)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->pdb_update_sam_account(pdb_context, sam_acct));
+}
+
+BOOL pdb_delete_sam_account(SAM_ACCOUNT *sam_acct)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->pdb_delete_sam_account(pdb_context, sam_acct));
+}
+
+BOOL pdb_getgrsid(GROUP_MAP *map, DOM_SID sid, BOOL with_priv)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->
+ pdb_getgrsid(pdb_context, map, sid, with_priv));
+}
+
+BOOL pdb_getgrgid(GROUP_MAP *map, gid_t gid, BOOL with_priv)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->
+ pdb_getgrgid(pdb_context, map, gid, with_priv));
+}
+
+BOOL pdb_getgrnam(GROUP_MAP *map, char *name, BOOL with_priv)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->
+ pdb_getgrnam(pdb_context, map, name, with_priv));
+}
+
+BOOL pdb_add_group_mapping_entry(GROUP_MAP *map)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->
+ pdb_add_group_mapping_entry(pdb_context, map));
+}
+
+BOOL pdb_update_group_mapping_entry(GROUP_MAP *map)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->
+ pdb_update_group_mapping_entry(pdb_context, map));
+}
+
+BOOL pdb_delete_group_mapping_entry(DOM_SID sid)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->
+ pdb_delete_group_mapping_entry(pdb_context, sid));
+}
+
+BOOL pdb_enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
+ int *num_entries, BOOL unix_only, BOOL with_priv)
+{
+ struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+ if (!pdb_context) {
+ return False;
+ }
+
+ return NT_STATUS_IS_OK(pdb_context->
+ pdb_enum_group_mapping(pdb_context, sid_name_use,
+ rmap, num_entries, unix_only,
+ with_priv));
+}
+
+/***************************************************************
+ Initialize the static context (at smbd startup etc).
+
+ If uninitialised, context will auto-init on first use.
+ ***************************************************************/
+
+BOOL initialize_password_db(BOOL reload)
+{
+ return (pdb_get_static_context(reload) != NULL);
+}
+
+
+/***************************************************************************
+ Default implementations of some functions.
+ ****************************************************************************/
+
+static NTSTATUS pdb_default_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user, const char *sname)
+{
+ return NT_STATUS_NO_SUCH_USER;
+}
+
+static NTSTATUS pdb_default_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
+{
+ return NT_STATUS_NO_SUCH_USER;
+}
+
+static NTSTATUS pdb_default_add_sam_account (struct pdb_methods *methods, SAM_ACCOUNT *newpwd)
+{
+ DEBUG(0,("this backend (%s) should not be listed as the first passdb backend! You can't add users to it.\n", methods->name));
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS pdb_default_update_sam_account (struct pdb_methods *methods, SAM_ACCOUNT *newpwd)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS pdb_default_delete_sam_account (struct pdb_methods *methods, SAM_ACCOUNT *pwd)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS pdb_default_setsampwent(struct pdb_methods *methods, BOOL update)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS pdb_default_getsampwent(struct pdb_methods *methods, SAM_ACCOUNT *user)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static void pdb_default_endsampwent(struct pdb_methods *methods)
+{
+ return; /* NT_STATUS_NOT_IMPLEMENTED; */
+}
+
+NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods)
+{
+ *methods = talloc(mem_ctx, sizeof(struct pdb_methods));
+
+ if (!*methods) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ZERO_STRUCTP(*methods);
+
+ (*methods)->setsampwent = pdb_default_setsampwent;
+ (*methods)->endsampwent = pdb_default_endsampwent;
+ (*methods)->getsampwent = pdb_default_getsampwent;
+ (*methods)->getsampwnam = pdb_default_getsampwnam;
+ (*methods)->getsampwsid = pdb_default_getsampwsid;
+ (*methods)->add_sam_account = pdb_default_add_sam_account;
+ (*methods)->update_sam_account = pdb_default_update_sam_account;
+ (*methods)->delete_sam_account = pdb_default_delete_sam_account;
+
+ (*methods)->getgrsid = pdb_default_getgrsid;
+ (*methods)->getgrgid = pdb_default_getgrgid;
+ (*methods)->getgrnam = pdb_default_getgrnam;
+ (*methods)->add_group_mapping_entry = pdb_default_add_group_mapping_entry;
+ (*methods)->update_group_mapping_entry = pdb_default_update_group_mapping_entry;
+ (*methods)->delete_group_mapping_entry = pdb_default_delete_group_mapping_entry;
+ (*methods)->enum_group_mapping = pdb_default_enum_group_mapping;
+
+ return NT_STATUS_OK;
+}
diff --git a/source4/passdb/pdb_ldap.c b/source4/passdb/pdb_ldap.c
new file mode 100644
index 0000000000..0136a33871
--- /dev/null
+++ b/source4/passdb/pdb_ldap.c
@@ -0,0 +1,2089 @@
+/*
+ Unix SMB/CIFS implementation.
+ LDAP protocol helper functions for SAMBA
+ Copyright (C) Jean François Micouleau 1998
+ Copyright (C) Gerald Carter 2001
+ Copyright (C) Shahms King 2001
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Stefan (metze) Metzmacher 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
+#ifdef HAVE_LDAP
+/* TODO:
+* persistent connections: if using NSS LDAP, many connections are made
+* however, using only one within Samba would be nice
+*
+* Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
+*
+* Other LDAP based login attributes: accountExpires, etc.
+* (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
+* structures don't have fields for some of these attributes)
+*
+* SSL is done, but can't get the certificate based authentication to work
+* against on my test platform (Linux 2.4, OpenLDAP 2.x)
+*/
+
+/* NOTE: this will NOT work against an Active Directory server
+* due to the fact that the two password fields cannot be retrieved
+* from a server; recommend using security = domain in this situation
+* and/or winbind
+*/
+
+#include <lber.h>
+#include <ldap.h>
+
+#ifndef SAM_ACCOUNT
+#define SAM_ACCOUNT struct sam_passwd
+#endif
+
+struct ldapsam_privates {
+
+ /* Former statics */
+ LDAP *ldap_struct;
+ LDAPMessage *result;
+ LDAPMessage *entry;
+ int index;
+
+ time_t last_ping;
+ /* retrive-once info */
+ const char *uri;
+
+ BOOL permit_non_unix_accounts;
+
+ uint32 low_nua_rid;
+ uint32 high_nua_rid;
+
+ char *bind_dn;
+ char *bind_secret;
+};
+
+#define LDAPSAM_DONT_PING_TIME 10 /* ping only all 10 seconds */
+
+static struct ldapsam_privates *static_ldap_state;
+
+static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state);
+
+/*******************************************************************
+ find the ldap password
+******************************************************************/
+static BOOL fetch_ldapsam_pw(char **dn, char** pw)
+{
+ char *key = NULL;
+ size_t size;
+
+ *dn = smb_xstrdup(lp_ldap_admin_dn());
+
+ if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, *dn) < 0) {
+ SAFE_FREE(*dn);
+ DEBUG(0, ("fetch_ldapsam_pw: asprintf failed!\n"));
+ }
+
+ *pw=secrets_fetch(key, &size);
+ if (!size) {
+ /* Upgrade 2.2 style entry */
+ char *p;
+ char* old_style_key = strdup(*dn);
+ char *data;
+ fstring old_style_pw;
+
+ if (!old_style_key) {
+ DEBUG(0, ("fetch_ldapsam_pw: strdup failed!\n"));
+ return False;
+ }
+
+ for (p=old_style_key; *p; p++)
+ if (*p == ',') *p = '/';
+
+ data=secrets_fetch(old_style_key, &size);
+ if (!size && size < sizeof(old_style_pw)) {
+ DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
+ SAFE_FREE(old_style_key);
+ SAFE_FREE(*dn);
+ return False;
+ }
+
+ strncpy(old_style_pw, data, size);
+ old_style_pw[size] = 0;
+
+ SAFE_FREE(data);
+
+ if (!secrets_store_ldap_pw(*dn, old_style_pw)) {
+ DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n"));
+ SAFE_FREE(old_style_key);
+ SAFE_FREE(*dn);
+ return False;
+ }
+ if (!secrets_delete(old_style_key)) {
+ DEBUG(0,("fetch_ldap_pw: old ldap secret could not be deleted!\n"));
+ }
+
+ SAFE_FREE(old_style_key);
+
+ *pw = smb_xstrdup(old_style_pw);
+ }
+
+ return True;
+}
+
+static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
+ "logoffTime", "kickoffTime", "cn",
+ "pwdCanChange", "pwdMustChange",
+ "displayName", "homeDrive",
+ "smbHome", "scriptPath",
+ "profilePath", "description",
+ "userWorkstations", "rid",
+ "primaryGroupID", "lmPassword",
+ "ntPassword", "acctFlags",
+ "domain", "objectClass",
+ "uidNumber", "gidNumber",
+ "homeDirectory", NULL };
+
+/*******************************************************************
+ open a connection to the ldap server.
+******************************************************************/
+static int ldapsam_open_connection (struct ldapsam_privates *ldap_state, LDAP ** ldap_struct)
+{
+ int rc = LDAP_SUCCESS;
+ int version;
+ BOOL ldap_v3 = False;
+
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+ DEBUG(10, ("ldapsam_open_connection: %s\n", ldap_state->uri));
+
+ if ((rc = ldap_initialize(ldap_struct, ldap_state->uri)) != LDAP_SUCCESS) {
+ DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
+ return rc;
+ }
+
+#else
+
+ /* Parse the string manually */
+
+ {
+ int port = 0;
+ fstring protocol;
+ fstring host;
+ const char *p = ldap_state->uri;
+ SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
+
+ /* skip leading "URL:" (if any) */
+ if ( strncasecmp( p, "URL:", 4 ) == 0 ) {
+ p += 4;
+ }
+
+ sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port);
+
+ if (port == 0) {
+ if (strequal(protocol, "ldap")) {
+ port = LDAP_PORT;
+ } else if (strequal(protocol, "ldaps")) {
+ port = LDAPS_PORT;
+ } else {
+ DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
+ }
+ }
+
+ if ((*ldap_struct = ldap_init(host, port)) == NULL) {
+ DEBUG(0, ("ldap_init failed !\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ if (strequal(protocol, "ldaps")) {
+#ifdef LDAP_OPT_X_TLS
+ int tls = LDAP_OPT_X_TLS_HARD;
+ if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
+ {
+ DEBUG(0, ("Failed to setup a TLS session\n"));
+ }
+
+ DEBUG(3,("LDAPS option set...!\n"));
+#else
+ DEBUG(0,("ldapsam_open_connection: Secure connection not supported by LDAP client libraries!\n"));
+ return LDAP_OPERATIONS_ERROR;
+#endif
+ }
+ }
+#endif
+
+ if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS)
+ {
+ if (version != LDAP_VERSION3)
+ {
+ version = LDAP_VERSION3;
+ if (ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS) {
+ ldap_v3 = True;
+ }
+ } else {
+ ldap_v3 = True;
+ }
+ }
+
+ if (lp_ldap_ssl() == LDAP_SSL_START_TLS) {
+#ifdef LDAP_OPT_X_TLS
+ if (ldap_v3) {
+ if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS)
+ {
+ DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
+ ldap_err2string(rc)));
+ return rc;
+ }
+ DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
+ } else {
+
+ DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+#else
+ DEBUG(0,("ldapsam_open_connection: StartTLS not supported by LDAP client libraries!\n"));
+ return LDAP_OPERATIONS_ERROR;
+#endif
+ }
+
+ DEBUG(2, ("ldapsam_open_connection: connection opened\n"));
+ return rc;
+}
+
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ This version takes a void* that we can shove useful stuff in :-)
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+#else
+static int rebindproc_with_state (LDAP * ld, char **whop, char **credp,
+ int *methodp, int freeit, void *arg)
+{
+ struct ldapsam_privates *ldap_state = arg;
+
+ /** @TODO Should we be doing something to check what servers we rebind to?
+ Could we get a referral to a machine that we don't want to give our
+ username and password to? */
+
+ if (freeit) {
+ SAFE_FREE(*whop);
+ memset(*credp, '\0', strlen(*credp));
+ SAFE_FREE(*credp);
+ } else {
+ DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n",
+ ldap_state->bind_dn));
+
+ *whop = strdup(ldap_state->bind_dn);
+ if (!*whop) {
+ return LDAP_NO_MEMORY;
+ }
+ *credp = strdup(ldap_state->bind_secret);
+ if (!*credp) {
+ SAFE_FREE(*whop);
+ return LDAP_NO_MEMORY;
+ }
+ *methodp = LDAP_AUTH_SIMPLE;
+ }
+ return 0;
+}
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ This version takes a void* that we can shove useful stuff in :-)
+ and actually does the connection.
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+static int rebindproc_connect_with_state (LDAP *ldap_struct,
+ LDAP_CONST char *url,
+ ber_tag_t request,
+ ber_int_t msgid, void *arg)
+{
+ struct ldapsam_privates *ldap_state = arg;
+ int rc;
+ DEBUG(5,("rebindproc_connect_with_state: Rebinding as \"%s\"\n",
+ ldap_state->bind_dn));
+
+ /** @TODO Should we be doing something to check what servers we rebind to?
+ Could we get a referral to a machine that we don't want to give our
+ username and password to? */
+
+ rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+
+ return rc;
+}
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ Add a rebind function for authenticated referrals
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+#else
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+static int rebindproc (LDAP *ldap_struct, char **whop, char **credp,
+ int *method, int freeit )
+{
+ return rebindproc_with_state(ldap_struct, whop, credp,
+ method, freeit, static_ldap_state);
+
+}
+# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ this also does the connection, but no void*.
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
+ ber_int_t msgid)
+{
+ return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid,
+ static_ldap_state);
+}
+# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ connect to the ldap server under system privilege.
+******************************************************************/
+static int ldapsam_connect_system(struct ldapsam_privates *ldap_state, LDAP * ldap_struct)
+{
+ int rc;
+ char *ldap_dn;
+ char *ldap_secret;
+
+ /* The rebind proc needs this *HACK*. We are not multithreaded, so
+ this will work, but it's not nice. */
+ static_ldap_state = ldap_state;
+
+ /* get the password */
+ if (!fetch_ldapsam_pw(&ldap_dn, &ldap_secret))
+ {
+ DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
+ return LDAP_INVALID_CREDENTIALS;
+ }
+
+ ldap_state->bind_dn = ldap_dn;
+ ldap_state->bind_secret = ldap_secret;
+
+ /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
+ (OpenLDAP) doesnt' seem to support it */
+
+ DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
+ ldap_state->uri, ldap_dn));
+
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+ ldap_set_rebind_proc(ldap_struct, &rebindproc_connect);
+# endif
+# if LDAP_SET_REBIND_PROC_ARGS == 3
+ ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);
+# endif
+#else /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+ ldap_set_rebind_proc(ldap_struct, &rebindproc);
+# endif
+# if LDAP_SET_REBIND_PROC_ARGS == 3
+ ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);
+# endif
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+ rc = ldap_simple_bind_s(ldap_struct, ldap_dn, ldap_secret);
+
+ if (rc != LDAP_SUCCESS) {
+ char *ld_error;
+ ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+ &ld_error);
+ DEBUG(0,
+ ("failed to bind to server with dn= %s Error: %s\n\t%s\n",
+ ldap_dn, ldap_err2string(rc),
+ ld_error));
+ free(ld_error);
+ return rc;
+ }
+
+ DEBUG(2, ("ldap_connect_system: succesful connection to the LDAP server\n"));
+ return rc;
+}
+
+/**********************************************************************
+Connect to LDAP server
+*********************************************************************/
+static int ldapsam_open(struct ldapsam_privates *ldap_state)
+{
+ int rc;
+ SMB_ASSERT(ldap_state);
+
+#ifndef NO_LDAP_SECURITY
+ if (geteuid() != 0) {
+ DEBUG(0, ("ldapsam_open: cannot access LDAP when not root..\n"));
+ return LDAP_INSUFFICIENT_ACCESS;
+ }
+#endif
+
+ if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + LDAPSAM_DONT_PING_TIME) < time(NULL))) {
+ struct sockaddr_un addr;
+ socklen_t len;
+ int sd;
+ if (ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd) == 0 &&
+ getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
+ /* the other end has died. reopen. */
+ ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
+ ldap_state->ldap_struct = NULL;
+ ldap_state->last_ping = (time_t)0;
+ } else {
+ ldap_state->last_ping = time(NULL);
+ }
+ }
+
+ if (ldap_state->ldap_struct != NULL) {
+ DEBUG(5,("ldapsam_open: allready connected to the LDAP server\n"));
+ return LDAP_SUCCESS;
+ }
+
+ if ((rc = ldapsam_open_connection(ldap_state, &ldap_state->ldap_struct))) {
+ return rc;
+ }
+
+ if ((rc = ldapsam_connect_system(ldap_state, ldap_state->ldap_struct))) {
+ ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
+ ldap_state->ldap_struct = NULL;
+ return rc;
+ }
+
+
+ ldap_state->last_ping = time(NULL);
+ DEBUG(4,("The LDAP server is succesful connected\n"));
+
+ return LDAP_SUCCESS;
+}
+
+/**********************************************************************
+Disconnect from LDAP server
+*********************************************************************/
+static NTSTATUS ldapsam_close(struct ldapsam_privates *ldap_state)
+{
+ if (!ldap_state)
+ return NT_STATUS_INVALID_PARAMETER;
+
+ if (ldap_state->ldap_struct != NULL) {
+ ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
+ ldap_state->ldap_struct = NULL;
+ }
+
+ DEBUG(5,("The connection to the LDAP server was closed\n"));
+ /* maybe free the results here --metze */
+
+ return NT_STATUS_OK;
+}
+
+static int ldapsam_retry_open(struct ldapsam_privates *ldap_state, int *attempts)
+{
+ int rc;
+
+ SMB_ASSERT(ldap_state && attempts);
+
+ if (*attempts != 0) {
+ /* we retry after 0.5, 2, 4.5, 8, 12.5, 18, 24.5 seconds */
+ msleep((((*attempts)*(*attempts))/2)*1000);
+ }
+ (*attempts)++;
+
+ if ((rc = ldapsam_open(ldap_state))) {
+ DEBUG(0,("Connection to LDAP Server failed for the %d try!\n",*attempts));
+ return rc;
+ }
+
+ return LDAP_SUCCESS;
+}
+
+
+static int ldapsam_search(struct ldapsam_privates *ldap_state,
+ const char *base, int scope, const char *filter,
+ const char *attrs[], int attrsonly,
+ LDAPMessage **res)
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+
+ SMB_ASSERT(ldap_state);
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
+
+ if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_search_s(ldap_state->ldap_struct, base, scope,
+ filter, attrs, attrsonly, res);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("ldapsam_seacrh: LDAP server is down!\n"));
+ ldapsam_close(ldap_state);
+ }
+
+ return rc;
+}
+
+static int ldapsam_modify(struct ldapsam_privates *ldap_state, char *dn, LDAPMod *attrs[])
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+
+ if (!ldap_state)
+ return (-1);
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
+
+ if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_modify_s(ldap_state->ldap_struct, dn, attrs);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("ldapsam_modify: LDAP server is down!\n"));
+ ldapsam_close(ldap_state);
+ }
+
+ return rc;
+}
+
+static int ldapsam_add(struct ldapsam_privates *ldap_state, const char *dn, LDAPMod *attrs[])
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+
+ if (!ldap_state)
+ return (-1);
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
+
+ if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_add_s(ldap_state->ldap_struct, dn, attrs);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("ldapsam_add: LDAP server is down!\n"));
+ ldapsam_close(ldap_state);
+ }
+
+ return rc;
+}
+
+static int ldapsam_delete(struct ldapsam_privates *ldap_state, char *dn)
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+
+ if (!ldap_state)
+ return (-1);
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
+
+ if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_delete_s(ldap_state->ldap_struct, dn);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("ldapsam_delete: LDAP server is down!\n"));
+ ldapsam_close(ldap_state);
+ }
+
+ return rc;
+}
+
+static int ldapsam_extended_operation(struct ldapsam_privates *ldap_state, LDAP_CONST char *reqoid, struct berval *reqdata, LDAPControl **serverctrls, LDAPControl **clientctrls, char **retoidp, struct berval **retdatap)
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+
+ if (!ldap_state)
+ return (-1);
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
+
+ if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid, reqdata, serverctrls, clientctrls, retoidp, retdatap);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("ldapsam_extended_operation: LDAP server is down!\n"));
+ ldapsam_close(ldap_state);
+ }
+
+ return rc;
+}
+
+/*******************************************************************
+ run the search by name.
+******************************************************************/
+static int ldapsam_search_one_user (struct ldapsam_privates *ldap_state, const char *filter, LDAPMessage ** result)
+{
+ int scope = LDAP_SCOPE_SUBTREE;
+ int rc;
+
+ DEBUG(2, ("ldapsam_search_one_user: searching for:[%s]\n", filter));
+
+ rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope, filter, attr, 0, result);
+
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("ldapsam_search_one_user: Problem during the LDAP search: %s\n",
+ ldap_err2string (rc)));
+ DEBUG(3,("ldapsam_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(),
+ filter));
+ }
+
+ return rc;
+}
+
+/*******************************************************************
+ run the search by name.
+******************************************************************/
+static int ldapsam_search_one_user_by_name (struct ldapsam_privates *ldap_state, const char *user,
+ LDAPMessage ** result)
+{
+ pstring filter;
+ char *escape_user = escape_ldap_string_alloc(user);
+
+ if (!escape_user) {
+ return LDAP_NO_MEMORY;
+ }
+
+ /*
+ * in the filter expression, replace %u with the real name
+ * so in ldap filter, %u MUST exist :-)
+ */
+ pstrcpy(filter, lp_ldap_filter());
+
+ /*
+ * have to use this here because $ is filtered out
+ * in pstring_sub
+ */
+
+
+ all_string_sub(filter, "%u", escape_user, sizeof(pstring));
+ SAFE_FREE(escape_user);
+
+ return ldapsam_search_one_user(ldap_state, filter, result);
+}
+
+/*******************************************************************
+ run the search by uid.
+******************************************************************/
+static int ldapsam_search_one_user_by_uid(struct ldapsam_privates *ldap_state,
+ int uid,
+ LDAPMessage ** result)
+{
+ struct passwd *user;
+ pstring filter;
+ char *escape_user;
+
+ /* Get the username from the system and look that up in the LDAP */
+
+ if ((user = getpwuid_alloc(uid)) == NULL) {
+ DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid));
+ return LDAP_NO_SUCH_OBJECT;
+ }
+
+ pstrcpy(filter, lp_ldap_filter());
+
+ escape_user = escape_ldap_string_alloc(user->pw_name);
+ if (!escape_user) {
+ passwd_free(&user);
+ return LDAP_NO_MEMORY;
+ }
+
+ all_string_sub(filter, "%u", escape_user, sizeof(pstring));
+
+ passwd_free(&user);
+ SAFE_FREE(escape_user);
+
+ return ldapsam_search_one_user(ldap_state, filter, result);
+}
+
+/*******************************************************************
+ run the search by rid.
+******************************************************************/
+static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state,
+ uint32 rid,
+ LDAPMessage ** result)
+{
+ pstring filter;
+ int rc;
+
+ /* check if the user rid exsists, if not, try searching on the uid */
+
+ snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
+ rc = ldapsam_search_one_user(ldap_state, filter, result);
+
+ if (rc != LDAP_SUCCESS)
+ rc = ldapsam_search_one_user_by_uid(ldap_state,
+ fallback_pdb_user_rid_to_uid(rid),
+ result);
+
+ return rc;
+}
+
+/*******************************************************************
+search an attribute and return the first value found.
+******************************************************************/
+static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
+ const char *attribute, pstring value)
+{
+ char **values;
+
+ if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
+ value = NULL;
+ DEBUG (10, ("get_single_attribute: [%s] = [<does not exist>]\n", attribute));
+
+ return False;
+ }
+
+ pstrcpy(value, values[0]);
+ ldap_value_free(values);
+#ifdef DEBUG_PASSWORDS
+ DEBUG (100, ("get_single_attribute: [%s] = [%s]\n", attribute, value));
+#endif
+ return True;
+}
+
+/************************************************************************
+Routine to manage the LDAPMod structure array
+manage memory used by the array, by each struct, and values
+
+************************************************************************/
+static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
+{
+ LDAPMod **mods;
+ int i;
+ int j;
+
+ mods = *modlist;
+
+ if (attribute == NULL || *attribute == '\0')
+ return;
+
+ if (value == NULL || *value == '\0')
+ return;
+
+ if (mods == NULL)
+ {
+ mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
+ if (mods == NULL)
+ {
+ DEBUG(0, ("make_a_mod: out of memory!\n"));
+ return;
+ }
+ mods[0] = NULL;
+ }
+
+ for (i = 0; mods[i] != NULL; ++i) {
+ if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
+ break;
+ }
+
+ if (mods[i] == NULL)
+ {
+ mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *));
+ if (mods == NULL)
+ {
+ DEBUG(0, ("make_a_mod: out of memory!\n"));
+ return;
+ }
+ mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
+ if (mods[i] == NULL)
+ {
+ DEBUG(0, ("make_a_mod: out of memory!\n"));
+ return;
+ }
+ mods[i]->mod_op = modop;
+ mods[i]->mod_values = NULL;
+ mods[i]->mod_type = strdup(attribute);
+ mods[i + 1] = NULL;
+ }
+
+ if (value != NULL)
+ {
+ j = 0;
+ if (mods[i]->mod_values != NULL) {
+ for (; mods[i]->mod_values[j] != NULL; j++);
+ }
+ mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
+ (j + 2) * sizeof (char *));
+
+ if (mods[i]->mod_values == NULL) {
+ DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
+ return;
+ }
+ mods[i]->mod_values[j] = strdup(value);
+ mods[i]->mod_values[j + 1] = NULL;
+ }
+ *modlist = mods;
+}
+
+/* New Interface is being implemented here */
+
+/**********************************************************************
+Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
+*********************************************************************/
+static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
+ SAM_ACCOUNT * sampass,
+ LDAPMessage * entry)
+{
+ pstring homedir;
+ pstring temp;
+ uid_t uid;
+ gid_t gid;
+ char **ldap_values;
+ char **values;
+
+ if ((ldap_values = ldap_get_values (ldap_state->ldap_struct, entry, "objectClass")) == NULL) {
+ DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
+ return False;
+ }
+
+ for (values=ldap_values;*values;values++) {
+ if (strcasecmp(*values, "posixAccount") == 0) {
+ break;
+ }
+ }
+
+ if (!*values) { /*end of array, no posixAccount */
+ DEBUG(10, ("user does not have posixAcccount attributes\n"));
+ ldap_value_free(ldap_values);
+ return False;
+ }
+ ldap_value_free(ldap_values);
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir))
+ return False;
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
+ return False;
+
+ uid = (uid_t)atol(temp);
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
+ return False;
+
+ gid = (gid_t)atol(temp);
+
+ pdb_set_unix_homedir(sampass, homedir, PDB_SET);
+ pdb_set_uid(sampass, uid, PDB_SET);
+ pdb_set_gid(sampass, gid, PDB_SET);
+
+ DEBUG(10, ("user has posixAcccount attributes\n"));
+ return True;
+}
+
+
+/**********************************************************************
+Initialize SAM_ACCOUNT from an LDAP query
+(Based on init_sam_from_buffer in pdb_tdb.c)
+*********************************************************************/
+static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
+ SAM_ACCOUNT * sampass,
+ LDAPMessage * entry)
+{
+ time_t logon_time,
+ logoff_time,
+ kickoff_time,
+ pass_last_set_time,
+ pass_can_change_time,
+ pass_must_change_time;
+ pstring username,
+ domain,
+ nt_username,
+ fullname,
+ homedir,
+ dir_drive,
+ logon_script,
+ profile_path,
+ acct_desc,
+ munged_dial,
+ workstations;
+ struct passwd *pw;
+ uint32 user_rid,
+ group_rid;
+ uint8 smblmpwd[LM_HASH_LEN],
+ smbntpwd[NT_HASH_LEN];
+ uint16 acct_ctrl = 0,
+ logon_divs;
+ uint32 hours_len;
+ uint8 hours[MAX_HOURS_LEN];
+ pstring temp;
+ uid_t uid = -1;
+ gid_t gid = getegid();
+
+
+ /*
+ * do a little initialization
+ */
+ username[0] = '\0';
+ domain[0] = '\0';
+ nt_username[0] = '\0';
+ fullname[0] = '\0';
+ homedir[0] = '\0';
+ dir_drive[0] = '\0';
+ logon_script[0] = '\0';
+ profile_path[0] = '\0';
+ acct_desc[0] = '\0';
+ munged_dial[0] = '\0';
+ workstations[0] = '\0';
+
+
+ if (sampass == NULL || ldap_state == NULL || entry == NULL) {
+ DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
+ return False;
+ }
+
+ if (ldap_state->ldap_struct == NULL) {
+ DEBUG(0, ("init_sam_from_ldap: ldap_state->ldap_struct is NULL!\n"));
+ return False;
+ }
+
+ get_single_attribute(ldap_state->ldap_struct, entry, "uid", username);
+ DEBUG(2, ("Entry found for user: %s\n", username));
+
+ pstrcpy(nt_username, username);
+
+ pstrcpy(domain, lp_workgroup());
+
+ pdb_set_username(sampass, username, PDB_SET);
+
+ pdb_set_domain(sampass, domain, PDB_DEFAULT);
+ pdb_set_nt_username(sampass, nt_username, PDB_SET);
+
+ get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp);
+ user_rid = (uint32)atol(temp);
+
+ pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
+ group_rid = 0;
+ } else {
+ group_rid = (uint32)atol(temp);
+ pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
+ }
+
+
+ /*
+ * If so configured, try and get the values from LDAP
+ */
+
+ if (!lp_ldap_trust_ids() || (!get_unix_attributes(ldap_state, sampass, entry))) {
+
+ /*
+ * Otherwise just ask the system getpw() calls.
+ */
+
+ pw = getpwnam_alloc(username);
+ if (pw == NULL) {
+ if (! ldap_state->permit_non_unix_accounts) {
+ DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
+ return False;
+ }
+ } else {
+ uid = pw->pw_uid;
+ pdb_set_uid(sampass, uid, PDB_SET);
+ gid = pw->pw_gid;
+ pdb_set_gid(sampass, gid, PDB_SET);
+
+ pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
+
+ passwd_free(&pw);
+ }
+ }
+
+ if (group_rid == 0 && pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT) {
+ GROUP_MAP map;
+ gid = pdb_get_gid(sampass);
+ /* call the mapping code here */
+ if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
+ pdb_set_group_sid(sampass, &map.sid, PDB_SET);
+ }
+ else {
+ pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
+ }
+ }
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdLastSet", temp)) {
+ /* leave as default */
+ } else {
+ pass_last_set_time = (time_t) atol(temp);
+ pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
+ }
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "logonTime", temp)) {
+ /* leave as default */
+ } else {
+ logon_time = (time_t) atol(temp);
+ pdb_set_logon_time(sampass, logon_time, PDB_SET);
+ }
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "logoffTime", temp)) {
+ /* leave as default */
+ } else {
+ logoff_time = (time_t) atol(temp);
+ pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
+ }
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "kickoffTime", temp)) {
+ /* leave as default */
+ } else {
+ kickoff_time = (time_t) atol(temp);
+ pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
+ }
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdCanChange", temp)) {
+ /* leave as default */
+ } else {
+ pass_can_change_time = (time_t) atol(temp);
+ pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
+ }
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdMustChange", temp)) {
+ /* leave as default */
+ } else {
+ pass_must_change_time = (time_t) atol(temp);
+ pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
+ }
+
+ /* recommend that 'gecos' and 'displayName' should refer to the same
+ * attribute OID. userFullName depreciated, only used by Samba
+ * primary rules of LDAP: don't make a new attribute when one is already defined
+ * that fits your needs; using cn then displayName rather than 'userFullName'
+ */
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "cn", fullname)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "displayName", fullname)) {
+ /* leave as default */
+ } else {
+ pdb_set_fullname(sampass, fullname, PDB_SET);
+ }
+ } else {
+ pdb_set_fullname(sampass, fullname, PDB_SET);
+ }
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDrive", dir_drive)) {
+ pdb_set_dir_drive(sampass, talloc_sub_specified(sampass->mem_ctx,
+ lp_logon_drive(),
+ username, domain,
+ uid, gid),
+ PDB_DEFAULT);
+ } else {
+ pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
+ }
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "smbHome", homedir)) {
+ pdb_set_homedir(sampass, talloc_sub_specified(sampass->mem_ctx,
+ lp_logon_home(),
+ username, domain,
+ uid, gid),
+ PDB_DEFAULT);
+ } else {
+ pdb_set_homedir(sampass, homedir, PDB_SET);
+ }
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "scriptPath", logon_script)) {
+ pdb_set_logon_script(sampass, talloc_sub_specified(sampass->mem_ctx,
+ lp_logon_script(),
+ username, domain,
+ uid, gid),
+ PDB_DEFAULT);
+ } else {
+ pdb_set_logon_script(sampass, logon_script, PDB_SET);
+ }
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "profilePath", profile_path)) {
+ pdb_set_profile_path(sampass, talloc_sub_specified(sampass->mem_ctx,
+ lp_logon_path(),
+ username, domain,
+ uid, gid),
+ PDB_DEFAULT);
+ } else {
+ pdb_set_profile_path(sampass, profile_path, PDB_SET);
+ }
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "description", acct_desc)) {
+ /* leave as default */
+ } else {
+ pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
+ }
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "userWorkstations", workstations)) {
+ /* leave as default */;
+ } else {
+ pdb_set_workstations(sampass, workstations, PDB_SET);
+ }
+
+ /* FIXME: hours stuff should be cleaner */
+
+ logon_divs = 168;
+ hours_len = 21;
+ memset(hours, 0xff, hours_len);
+
+ if (!get_single_attribute (ldap_state->ldap_struct, entry, "lmPassword", temp)) {
+ /* leave as default */
+ } else {
+ pdb_gethexpwd(temp, smblmpwd);
+ memset((char *)temp, '\0', strlen(temp)+1);
+ if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
+ return False;
+ ZERO_STRUCT(smblmpwd);
+ }
+
+ if (!get_single_attribute (ldap_state->ldap_struct, entry, "ntPassword", temp)) {
+ /* leave as default */
+ } else {
+ pdb_gethexpwd(temp, smbntpwd);
+ memset((char *)temp, '\0', strlen(temp)+1);
+ if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
+ return False;
+ ZERO_STRUCT(smbntpwd);
+ }
+
+ if (!get_single_attribute (ldap_state->ldap_struct, entry, "acctFlags", temp)) {
+ acct_ctrl |= ACB_NORMAL;
+ } else {
+ acct_ctrl = pdb_decode_acct_ctrl(temp);
+
+ if (acct_ctrl == 0)
+ acct_ctrl |= ACB_NORMAL;
+
+ pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
+ }
+
+ pdb_set_hours_len(sampass, hours_len, PDB_SET);
+ pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
+
+ pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
+
+ /* pdb_set_unknown_3(sampass, unknown3, PDB_SET); */
+ /* pdb_set_unknown_5(sampass, unknown5, PDB_SET); */
+ /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
+
+ pdb_set_hours(sampass, hours, PDB_SET);
+
+ return True;
+}
+
+static BOOL need_ldap_mod(BOOL pdb_add, const SAM_ACCOUNT * sampass, enum pdb_elements element) {
+ if (pdb_add) {
+ return (!IS_SAM_DEFAULT(sampass, element));
+ } else {
+ return IS_SAM_CHANGED(sampass, element);
+ }
+}
+
+/**********************************************************************
+Initialize SAM_ACCOUNT from an LDAP query
+(Based on init_buffer_from_sam in pdb_tdb.c)
+*********************************************************************/
+static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
+ LDAPMod *** mods, int ldap_op,
+ BOOL pdb_add,
+ const SAM_ACCOUNT * sampass)
+{
+ pstring temp;
+ uint32 rid;
+
+ if (mods == NULL || sampass == NULL) {
+ DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
+ return False;
+ }
+
+ *mods = NULL;
+
+ /*
+ * took out adding "objectclass: sambaAccount"
+ * do this on a per-mod basis
+ */
+ if (need_ldap_mod(pdb_add, sampass, PDB_USERNAME)) {
+ make_a_mod(mods, ldap_op, "uid", pdb_get_username(sampass));
+ DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass)));
+ }
+
+ if ((rid = pdb_get_user_rid(sampass))!=0 ) {
+ if (need_ldap_mod(pdb_add, sampass, PDB_USERSID)) {
+ slprintf(temp, sizeof(temp) - 1, "%i", rid);
+ make_a_mod(mods, ldap_op, "rid", temp);
+ }
+ } else if (!IS_SAM_DEFAULT(sampass, PDB_UID)) {
+ rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(sampass));
+ slprintf(temp, sizeof(temp) - 1, "%i", rid);
+ make_a_mod(mods, ldap_op, "rid", temp);
+ } else if (ldap_state->permit_non_unix_accounts) {
+ rid = ldapsam_get_next_available_nua_rid(ldap_state);
+ if (rid == 0) {
+ DEBUG(0, ("NO user RID specified on account %s, and findining next available NUA RID failed, cannot store!\n", pdb_get_username(sampass)));
+ return False;
+ }
+ slprintf(temp, sizeof(temp) - 1, "%i", rid);
+ make_a_mod(mods, ldap_op, "rid", temp);
+ } else {
+ DEBUG(0, ("NO user RID specified on account %s, cannot store!\n", pdb_get_username(sampass)));
+ return False;
+ }
+
+
+
+ if ((rid = pdb_get_group_rid(sampass))!=0 ) {
+ if (need_ldap_mod(pdb_add, sampass, PDB_GROUPSID)) {
+ slprintf(temp, sizeof(temp) - 1, "%i", rid);
+ make_a_mod(mods, ldap_op, "primaryGroupID", temp);
+ }
+ } else if (!IS_SAM_DEFAULT(sampass, PDB_GID)) {
+ rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
+ slprintf(temp, sizeof(temp) - 1, "%i", rid);
+ make_a_mod(mods, ldap_op, "primaryGroupID", temp);
+ } else if (ldap_state->permit_non_unix_accounts) {
+ rid = DOMAIN_GROUP_RID_USERS;
+ slprintf(temp, sizeof(temp) - 1, "%i", rid);
+ make_a_mod(mods, ldap_op, "primaryGroupID", temp);
+ } else {
+ DEBUG(0, ("NO group RID specified on account %s, cannot store!\n", pdb_get_username(sampass)));
+ return False;
+ }
+
+
+ /* displayName, cn, and gecos should all be the same
+ * most easily accomplished by giving them the same OID
+ * gecos isn't set here b/c it should be handled by the
+ * add-user script
+ */
+ if (need_ldap_mod(pdb_add, sampass, PDB_FULLNAME)) {
+ make_a_mod(mods, ldap_op, "displayName", pdb_get_fullname(sampass));
+ make_a_mod(mods, ldap_op, "cn", pdb_get_fullname(sampass));
+ }
+ if (need_ldap_mod(pdb_add, sampass, PDB_ACCTDESC)) {
+ make_a_mod(mods, ldap_op, "description", pdb_get_acct_desc(sampass));
+ }
+ if (need_ldap_mod(pdb_add, sampass, PDB_WORKSTATIONS)) {
+ make_a_mod(mods, ldap_op, "userWorkstations", pdb_get_workstations(sampass));
+ }
+ /*
+ * Only updates fields which have been set (not defaults from smb.conf)
+ */
+
+ if (need_ldap_mod(pdb_add, sampass, PDB_SMBHOME)) {
+ make_a_mod(mods, ldap_op, "smbHome", pdb_get_homedir(sampass));
+ }
+
+ if (need_ldap_mod(pdb_add, sampass, PDB_DRIVE)) {
+ make_a_mod(mods, ldap_op, "homeDrive", pdb_get_dir_drive(sampass));
+ }
+
+ if (need_ldap_mod(pdb_add, sampass, PDB_LOGONSCRIPT)) {
+ make_a_mod(mods, ldap_op, "scriptPath", pdb_get_logon_script(sampass));
+ }
+
+ if (need_ldap_mod(pdb_add, sampass, PDB_PROFILE))
+ make_a_mod(mods, ldap_op, "profilePath", pdb_get_profile_path(sampass));
+
+ if (need_ldap_mod(pdb_add, sampass, PDB_LOGONTIME)) {
+ slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
+ make_a_mod(mods, ldap_op, "logonTime", temp);
+ }
+
+ if (need_ldap_mod(pdb_add, sampass, PDB_LOGOFFTIME)) {
+ slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
+ make_a_mod(mods, ldap_op, "logoffTime", temp);
+ }
+
+ if (need_ldap_mod(pdb_add, sampass, PDB_KICKOFFTIME)) {
+ slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
+ make_a_mod(mods, ldap_op, "kickoffTime", temp);
+ }
+
+
+ if (need_ldap_mod(pdb_add, sampass, PDB_CANCHANGETIME)) {
+ slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
+ make_a_mod(mods, ldap_op, "pwdCanChange", temp);
+ }
+
+ if (need_ldap_mod(pdb_add, sampass, PDB_MUSTCHANGETIME)) {
+ slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
+ make_a_mod(mods, ldap_op, "pwdMustChange", temp);
+ }
+
+ if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))||
+ (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
+
+ if (need_ldap_mod(pdb_add, sampass, PDB_LMPASSWD)) {
+ pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass), pdb_get_acct_ctrl(sampass));
+ make_a_mod (mods, ldap_op, "lmPassword", temp);
+ }
+
+ if (need_ldap_mod(pdb_add, sampass, PDB_NTPASSWD)) {
+ pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass), pdb_get_acct_ctrl(sampass));
+ make_a_mod (mods, ldap_op, "ntPassword", temp);
+ }
+
+ if (need_ldap_mod(pdb_add, sampass, PDB_PASSLASTSET)) {
+ slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
+ make_a_mod(mods, ldap_op, "pwdLastSet", temp);
+ }
+ }
+
+ /* FIXME: Hours stuff goes in LDAP */
+ if (need_ldap_mod(pdb_add, sampass, PDB_ACCTCTRL)) {
+ make_a_mod (mods, ldap_op, "acctFlags", pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass),
+ NEW_PW_FORMAT_SPACE_PADDED_LEN));
+ }
+
+ return True;
+}
+
+
+/**********************************************************************
+Connect to LDAP server and find the next available RID.
+*********************************************************************/
+static uint32 check_nua_rid_is_avail(struct ldapsam_privates *ldap_state, uint32 top_rid)
+{
+ LDAPMessage *result;
+ uint32 final_rid = (top_rid & (~USER_RID_TYPE)) + RID_MULTIPLIER;
+ if (top_rid == 0) {
+ return 0;
+ }
+
+ if (final_rid < ldap_state->low_nua_rid || final_rid > ldap_state->high_nua_rid) {
+ return 0;
+ }
+
+ if (ldapsam_search_one_user_by_rid(ldap_state, final_rid, &result) != LDAP_SUCCESS) {
+ DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the confirmation search failed!\n", final_rid, final_rid));
+ return 0;
+ }
+
+ if (ldap_count_entries(ldap_state->ldap_struct, result) != 0) {
+ DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the RID is already in use!!\n", final_rid, final_rid));
+ ldap_msgfree(result);
+ return 0;
+ }
+
+ DEBUG(5, ("NUA RID %d (0x%x), declared valid\n", final_rid, final_rid));
+ ldap_msgfree(result);
+ return final_rid;
+}
+
+/**********************************************************************
+Extract the RID from an LDAP entry
+*********************************************************************/
+static uint32 entry_to_user_rid(struct ldapsam_privates *ldap_state, LDAPMessage *entry) {
+ uint32 rid;
+ SAM_ACCOUNT *user = NULL;
+ if (!NT_STATUS_IS_OK(pdb_init_sam(&user))) {
+ return 0;
+ }
+
+ if (init_sam_from_ldap(ldap_state, user, entry)) {
+ rid = pdb_get_user_rid(user);
+ } else {
+ rid =0;
+ }
+ pdb_free_sam(&user);
+ if (rid >= ldap_state->low_nua_rid && rid <= ldap_state->high_nua_rid) {
+ return rid;
+ }
+ return 0;
+}
+
+
+/**********************************************************************
+Connect to LDAP server and find the next available RID.
+*********************************************************************/
+static uint32 search_top_nua_rid(struct ldapsam_privates *ldap_state)
+{
+ int rc;
+ pstring filter;
+ LDAPMessage *result;
+ LDAPMessage *entry;
+ char *final_filter = NULL;
+ uint32 top_rid = 0;
+ uint32 count;
+ uint32 rid;
+
+ pstrcpy(filter, lp_ldap_filter());
+ all_string_sub(filter, "%u", "*", sizeof(pstring));
+
+#if 0
+ asprintf(&final_filter, "(&(%s)(&(rid>=%d)(rid<=%d)))", filter, ldap_state->low_nua_rid, ldap_state->high_nua_rid);
+#else
+ final_filter = strdup(filter);
+#endif
+ DEBUG(2, ("ldapsam_get_next_available_nua_rid: searching for:[%s]\n", final_filter));
+
+ rc = ldapsam_search(ldap_state, lp_ldap_suffix(),
+ LDAP_SCOPE_SUBTREE, final_filter, attr, 0,
+ &result);
+
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc)));
+ DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
+
+ free(final_filter);
+ result = NULL;
+ return 0;
+ }
+
+ count = ldap_count_entries(ldap_state->ldap_struct, result);
+ DEBUG(2, ("search_top_nua_rid: %d entries in the base!\n", count));
+
+ if (count == 0) {
+ DEBUG(3, ("LDAP search returned no records, assuming no non-unix-accounts present!: %s\n", ldap_err2string(rc)));
+ DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
+ free(final_filter);
+ ldap_msgfree(result);
+ result = NULL;
+ return ldap_state->low_nua_rid;
+ }
+
+ free(final_filter);
+ entry = ldap_first_entry(ldap_state->ldap_struct,result);
+
+ top_rid = entry_to_user_rid(ldap_state, entry);
+
+ while ((entry = ldap_next_entry(ldap_state->ldap_struct, entry))) {
+
+ rid = entry_to_user_rid(ldap_state, entry);
+ if (rid > top_rid) {
+ top_rid = rid;
+ }
+ }
+
+ ldap_msgfree(result);
+
+ if (top_rid < ldap_state->low_nua_rid)
+ top_rid = ldap_state->low_nua_rid;
+
+ return top_rid;
+}
+
+/**********************************************************************
+Connect to LDAP server and find the next available RID.
+*********************************************************************/
+static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state) {
+ uint32 next_nua_rid;
+ uint32 top_nua_rid;
+
+ top_nua_rid = search_top_nua_rid(ldap_state);
+
+ next_nua_rid = check_nua_rid_is_avail(ldap_state,
+ top_nua_rid);
+
+ return next_nua_rid;
+}
+
+/**********************************************************************
+Connect to LDAP server for password enumeration
+*********************************************************************/
+static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
+{
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
+ int rc;
+ pstring filter;
+
+ pstrcpy(filter, lp_ldap_filter());
+ all_string_sub(filter, "%u", "*", sizeof(pstring));
+
+ rc = ldapsam_search(ldap_state, lp_ldap_suffix(),
+ LDAP_SCOPE_SUBTREE, filter, attr, 0,
+ &ldap_state->result);
+
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
+ DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
+ ldap_msgfree(ldap_state->result);
+ ldap_state->result = NULL;
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
+ ldap_count_entries(ldap_state->ldap_struct,
+ ldap_state->result)));
+
+ ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct,
+ ldap_state->result);
+ ldap_state->index = 0;
+
+ return NT_STATUS_OK;
+}
+
+/**********************************************************************
+End enumeration of the LDAP password list
+*********************************************************************/
+static void ldapsam_endsampwent(struct pdb_methods *my_methods)
+{
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
+ if (ldap_state->result) {
+ ldap_msgfree(ldap_state->result);
+ ldap_state->result = NULL;
+ }
+}
+
+/**********************************************************************
+Get the next entry in the LDAP password database
+*********************************************************************/
+static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
+ BOOL bret = False;
+
+ /* The rebind proc needs this *HACK*. We are not multithreaded, so
+ this will work, but it's not nice. */
+ static_ldap_state = ldap_state;
+
+ while (!bret) {
+ if (!ldap_state->entry)
+ return ret;
+
+ ldap_state->index++;
+ bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
+
+ ldap_state->entry = ldap_next_entry(ldap_state->ldap_struct,
+ ldap_state->entry);
+ }
+
+ return NT_STATUS_OK;
+}
+
+/**********************************************************************
+Get SAM_ACCOUNT entry from LDAP by username
+*********************************************************************/
+static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
+ LDAPMessage *result;
+ LDAPMessage *entry;
+ int count;
+
+ if (ldapsam_search_one_user_by_name(ldap_state, sname, &result) != LDAP_SUCCESS) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ count = ldap_count_entries(ldap_state->ldap_struct, result);
+
+ if (count < 1) {
+ DEBUG(4,
+ ("We don't find this user [%s] count=%d\n", sname,
+ count));
+ return NT_STATUS_NO_SUCH_USER;
+ } else if (count > 1) {
+ DEBUG(1,
+ ("Duplicate entries for this user [%s] Failing. count=%d\n", sname,
+ count));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ entry = ldap_first_entry(ldap_state->ldap_struct, result);
+ if (entry) {
+ if (!init_sam_from_ldap(ldap_state, user, entry)) {
+ DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
+ ldap_msgfree(result);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ ldap_msgfree(result);
+ ret = NT_STATUS_OK;
+ } else {
+ ldap_msgfree(result);
+ }
+ return ret;
+}
+
+/**********************************************************************
+Get SAM_ACCOUNT entry from LDAP by rid
+*********************************************************************/
+static NTSTATUS ldapsam_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT *user, uint32 rid)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct ldapsam_privates *ldap_state =
+ (struct ldapsam_privates *)my_methods->private_data;
+ LDAPMessage *result;
+ LDAPMessage *entry;
+ int count;
+
+ if (ldapsam_search_one_user_by_rid(ldap_state, rid, &result) != LDAP_SUCCESS) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ count = ldap_count_entries(ldap_state->ldap_struct, result);
+
+ if (count < 1) {
+ DEBUG(4,
+ ("We don't find this rid [%i] count=%d\n", rid,
+ count));
+ return NT_STATUS_NO_SUCH_USER;
+ } else if (count > 1) {
+ DEBUG(1,
+ ("More than one user with rid [%i]. Failing. count=%d\n", rid,
+ count));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ entry = ldap_first_entry(ldap_state->ldap_struct, result);
+ if (entry) {
+ if (!init_sam_from_ldap(ldap_state, user, entry)) {
+ DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
+ ldap_msgfree(result);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ ldap_msgfree(result);
+ ret = NT_STATUS_OK;
+ } else {
+ ldap_msgfree(result);
+ }
+ return ret;
+}
+
+static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
+{
+ uint32 rid;
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+ return NT_STATUS_NO_SUCH_USER;
+ return ldapsam_getsampwrid(my_methods, user, rid);
+}
+
+/********************************************************************
+Do the actual modification - also change a plaittext passord if
+it it set.
+**********************************************************************/
+
+static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
+ SAM_ACCOUNT *newpwd, char *dn,
+ LDAPMod **mods, int ldap_op, BOOL pdb_add)
+{
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
+ int rc;
+
+ if (!my_methods || !newpwd || !dn) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!mods) {
+ DEBUG(5,("mods is empty: nothing to modify\n"));
+ /* may be password change below however */
+ } else {
+ switch(ldap_op)
+ {
+ case LDAP_MOD_ADD:
+ make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "account");
+ rc = ldapsam_add(ldap_state, dn, mods);
+ break;
+ case LDAP_MOD_REPLACE:
+ rc = ldapsam_modify(ldap_state, dn ,mods);
+ break;
+ default:
+ DEBUG(0,("Wrong LDAP operation type: %d!\n", ldap_op));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (rc!=LDAP_SUCCESS) {
+ char *ld_error;
+ ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+ &ld_error);
+ DEBUG(1,
+ ("failed to %s user dn= %s with: %s\n\t%s\n",
+ ldap_op == LDAP_MOD_ADD ? "add" : "modify",
+ dn, ldap_err2string(rc),
+ ld_error));
+ free(ld_error);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+
+#ifdef LDAP_EXOP_X_MODIFY_PASSWD
+ if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))&&
+ (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_OFF)&&
+ need_ldap_mod(pdb_add, newpwd, PDB_PLAINTEXT_PW)&&
+ (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
+ BerElement *ber;
+ struct berval *bv;
+ char *retoid;
+ struct berval *retdata;
+
+ if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
+ DEBUG(0,("ber_alloc_t returns NULL\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ ber_printf (ber, "{");
+ ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID,dn);
+ ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, pdb_get_plaintext_passwd(newpwd));
+ ber_printf (ber, "N}");
+
+ if ((rc = ber_flatten (ber, &bv))<0) {
+ DEBUG(0,("ber_flatten returns a value <0\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ ber_free(ber,1);
+
+ if ((rc = ldapsam_extended_operation(ldap_state, LDAP_EXOP_X_MODIFY_PASSWD,
+ bv, NULL, NULL, &retoid, &retdata))!=LDAP_SUCCESS) {
+ DEBUG(0,("LDAP Password could not be changed for user %s: %s\n",
+ pdb_get_username(newpwd),ldap_err2string(rc)));
+ } else {
+ DEBUG(3,("LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
+
+ ber_bvfree(retdata);
+ ber_memfree(retoid);
+ }
+ ber_bvfree(bv);
+ }
+#else
+ DEBUG(10,("LDAP PASSWORD SYNC is not supported!\n"));
+#endif /* LDAP_EXOP_X_MODIFY_PASSWD */
+ return NT_STATUS_OK;
+}
+
+/**********************************************************************
+Delete entry from LDAP for username
+*********************************************************************/
+static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
+{
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
+ const char *sname;
+ int rc;
+ char *dn;
+ LDAPMessage *entry;
+ LDAPMessage *result;
+
+ if (!sam_acct) {
+ DEBUG(0, ("sam_acct was NULL!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ sname = pdb_get_username(sam_acct);
+
+ DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
+
+ rc = ldapsam_search_one_user_by_name(ldap_state, sname, &result);
+ if (rc != LDAP_SUCCESS) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (ldap_count_entries (ldap_state->ldap_struct, result) == 0) {
+ DEBUG (0, ("User doesn't exit!\n"));
+ ldap_msgfree (result);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ entry = ldap_first_entry (ldap_state->ldap_struct, result);
+ dn = ldap_get_dn (ldap_state->ldap_struct, entry);
+ ldap_msgfree(result);
+
+ rc = ldapsam_delete(ldap_state, dn);
+
+ ldap_memfree (dn);
+ if (rc != LDAP_SUCCESS) {
+ char *ld_error;
+ ldap_get_option (ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
+ DEBUG (0,("failed to delete user with uid = %s with: %s\n\t%s\n",
+ sname, ldap_err2string (rc), ld_error));
+ free (ld_error);
+ return NT_STATUS_CANNOT_DELETE;
+ }
+
+ DEBUG (2,("successfully deleted uid = %s from the LDAP database\n", sname));
+ return NT_STATUS_OK;
+}
+
+/**********************************************************************
+Update SAM_ACCOUNT
+*********************************************************************/
+static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
+ int rc;
+ char *dn;
+ LDAPMessage *result;
+ LDAPMessage *entry;
+ LDAPMod **mods;
+
+ if (!init_ldap_from_sam(ldap_state, &mods, LDAP_MOD_REPLACE, False, newpwd)) {
+ DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (mods == NULL) {
+ DEBUG(4,("mods is empty: nothing to update for user: %s\n",pdb_get_username(newpwd)));
+ return NT_STATUS_OK;
+ }
+
+ rc = ldapsam_search_one_user_by_name(ldap_state, pdb_get_username(newpwd), &result);
+ if (rc != LDAP_SUCCESS) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (ldap_count_entries(ldap_state->ldap_struct, result) == 0) {
+ DEBUG(0, ("No user to modify!\n"));
+ ldap_msgfree(result);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ entry = ldap_first_entry(ldap_state->ldap_struct, result);
+ dn = ldap_get_dn(ldap_state->ldap_struct, entry);
+ ldap_msgfree(result);
+
+ ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, False);
+ if (NT_STATUS_IS_ERR(ret)) {
+ DEBUG(0,("failed to modify user with uid = %s\n",
+ pdb_get_username(newpwd)));
+ ldap_mods_free(mods,1);
+ return ret;
+ }
+
+
+ DEBUG(2,
+ ("successfully modified uid = %s in the LDAP database\n",
+ pdb_get_username(newpwd)));
+ ldap_mods_free(mods, 1);
+ return NT_STATUS_OK;
+}
+
+/**********************************************************************
+Add SAM_ACCOUNT to LDAP
+*********************************************************************/
+static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
+ int rc;
+ pstring filter;
+ LDAPMessage *result = NULL;
+ pstring dn;
+ LDAPMod **mods = NULL;
+ int ldap_op;
+ uint32 num_result;
+
+ const char *username = pdb_get_username(newpwd);
+ if (!username || !*username) {
+ DEBUG(0, ("Cannot add user without a username!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ rc = ldapsam_search_one_user_by_name (ldap_state, username, &result);
+ if (rc != LDAP_SUCCESS) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (ldap_count_entries(ldap_state->ldap_struct, result) != 0) {
+ DEBUG(0,("User '%s' already in the base, with samba properties\n",
+ username));
+ ldap_msgfree(result);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ ldap_msgfree(result);
+
+ slprintf (filter, sizeof (filter) - 1, "uid=%s", username);
+ rc = ldapsam_search_one_user(ldap_state, filter, &result);
+ if (rc != LDAP_SUCCESS) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ num_result = ldap_count_entries(ldap_state->ldap_struct, result);
+
+ if (num_result > 1) {
+ DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
+ ldap_msgfree(result);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* Check if we need to update an existing entry */
+ if (num_result == 1) {
+ char *tmp;
+ LDAPMessage *entry;
+
+ DEBUG(3,("User exists without samba properties: adding them\n"));
+ ldap_op = LDAP_MOD_REPLACE;
+ entry = ldap_first_entry (ldap_state->ldap_struct, result);
+ tmp = ldap_get_dn (ldap_state->ldap_struct, entry);
+ slprintf (dn, sizeof (dn) - 1, "%s", tmp);
+ ldap_memfree (tmp);
+ } else {
+ /* Check if we need to add an entry */
+ DEBUG(3,("Adding new user\n"));
+ ldap_op = LDAP_MOD_ADD;
+ if (username[strlen(username)-1] == '$') {
+ slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
+ } else {
+ slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
+ }
+ }
+
+ ldap_msgfree(result);
+
+ if (!init_ldap_from_sam(ldap_state, &mods, ldap_op, True, newpwd)) {
+ DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
+ ldap_mods_free(mods, 1);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (mods == NULL) {
+ DEBUG(0,("mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
+
+ ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, True);
+ if (NT_STATUS_IS_ERR(ret)) {
+ DEBUG(0,("failed to modify/add user with uid = %s (dn = %s)\n",
+ pdb_get_username(newpwd),dn));
+ ldap_mods_free(mods,1);
+ return ret;
+ }
+
+ DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd)));
+ ldap_mods_free(mods, 1);
+ return NT_STATUS_OK;
+}
+
+static void free_private_data(void **vp)
+{
+ struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
+
+ ldapsam_close(*ldap_state);
+
+ if ((*ldap_state)->bind_secret) {
+ memset((*ldap_state)->bind_secret, '\0', strlen((*ldap_state)->bind_secret));
+ }
+
+ ldapsam_close(*ldap_state);
+
+ SAFE_FREE((*ldap_state)->bind_dn);
+ SAFE_FREE((*ldap_state)->bind_secret);
+
+ *ldap_state = NULL;
+
+ /* No need to free any further, as it is talloc()ed */
+}
+
+NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ NTSTATUS nt_status;
+ struct ldapsam_privates *ldap_state;
+
+ if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
+ return nt_status;
+ }
+
+ (*pdb_method)->name = "ldapsam";
+
+ (*pdb_method)->setsampwent = ldapsam_setsampwent;
+ (*pdb_method)->endsampwent = ldapsam_endsampwent;
+ (*pdb_method)->getsampwent = ldapsam_getsampwent;
+ (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
+ (*pdb_method)->getsampwsid = ldapsam_getsampwsid;
+ (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
+ (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
+ (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
+
+ /* TODO: Setup private data and free */
+
+ ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct ldapsam_privates));
+
+ if (!ldap_state) {
+ DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (location) {
+ ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location);
+#ifdef WITH_LDAP_SAMCONFIG
+ } else {
+ int ldap_port = lp_ldap_port();
+
+ /* remap default port if not using SSL (ie clear or TLS) */
+ if ( (lp_ldap_ssl() != LDAP_SSL_ON) && (ldap_port == 636) ) {
+ ldap_port = 389;
+ }
+
+ ldap_state->uri = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON ? "ldaps" : "ldap", lp_ldap_server(), ldap_port);
+ if (!ldap_state->uri) {
+ return NT_STATUS_NO_MEMORY;
+ }
+#else
+ } else {
+ ldap_state->uri = "ldap://localhost";
+#endif
+ }
+
+ (*pdb_method)->private_data = ldap_state;
+
+ (*pdb_method)->free_private_data = free_private_data;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ NTSTATUS nt_status;
+ struct ldapsam_privates *ldap_state;
+ uint32 low_nua_uid, high_nua_uid;
+
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) {
+ return nt_status;
+ }
+
+ (*pdb_method)->name = "ldapsam_nua";
+
+ ldap_state = (*pdb_method)->private_data;
+
+ ldap_state->permit_non_unix_accounts = True;
+
+ if (!lp_non_unix_account_range(&low_nua_uid, &high_nua_uid)) {
+ DEBUG(0, ("cannot use ldapsam_nua without 'non unix account range' in smb.conf!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ ldap_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid);
+
+ ldap_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid);
+
+ return NT_STATUS_OK;
+}
+
+
+#else
+
+NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ DEBUG(0, ("ldap not detected at configure time, ldapsam not availalble!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+}
+
+NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ DEBUG(0, ("ldap not dectected at configure time, ldapsam_nua not available!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+}
+
+
+#endif
diff --git a/source4/passdb/pdb_nisplus.c b/source4/passdb/pdb_nisplus.c
new file mode 100644
index 0000000000..0a42c36ea0
--- /dev/null
+++ b/source4/passdb/pdb_nisplus.c
@@ -0,0 +1,1565 @@
+
+/*
+ * NIS+ Passdb Backend
+ * Copyright (C) Andrew Tridgell 1992-1998 Modified by Jeremy Allison 1995.
+ * Copyright (C) Benny Holmgren 1998 <bigfoot@astrakan.hgs.se>
+ * Copyright (C) Luke Kenneth Casson Leighton 1996-1998.
+ * Copyright (C) Toomas Soome <tsoome@ut.ee> 2001
+ * Copyright (C) Jelmer Vernooij 2002
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 675
+ * Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+#ifdef WITH_NISPLUS_SAM
+
+#ifdef BROKEN_NISPLUS_INCLUDE_FILES
+
+/*
+ * The following lines are needed due to buggy include files
+ * in Solaris 2.6 which define GROUP in both /usr/include/sys/acl.h and
+ * also in /usr/include/rpcsvc/nis.h. The definitions conflict. JRA.
+ * Also GROUP_OBJ is defined as 0x4 in /usr/include/sys/acl.h and as
+ * an enum in /usr/include/rpcsvc/nis.h.
+ */
+
+
+#if defined(GROUP)
+#undef GROUP
+#endif
+
+#if defined(GROUP_OBJ)
+#undef GROUP_OBJ
+#endif
+
+#endif
+
+#include <rpcsvc/nis.h>
+
+/***************************************************************
+
+ the fields for the NIS+ table, generated from mknissmbpwtbl.sh, are:
+
+ name=S,nogw=r
+ uid=S,nogw=r
+ user_rid=S,nogw=r
+ smb_grpid=,nw+r
+ group_rid=,nw+r
+ acb=,nw+r
+
+ lmpwd=C,nw=,g=r,o=rm
+ ntpwd=C,nw=,g=r,o=rm
+
+ logon_t=,nw+r
+ logoff_t=,nw+r
+ kick_t=,nw+r
+ pwdlset_t=,nw+r
+ pwdlchg_t=,nw+r
+ pwdmchg_t=,nw+r
+
+ full_name=,nw+r
+ home_dir=,nw+r
+ dir_drive=,nw+r
+ logon_script=,nw+r
+ profile_path=,nw+r
+ acct_desc=,nw+r
+ workstations=,nw+r
+
+ hours=,nw+r
+
+****************************************************************/
+
+#define NPF_NAME 0
+#define NPF_UID 1
+#define NPF_USER_RID 2
+#define NPF_SMB_GRPID 3
+#define NPF_GROUP_RID 4
+#define NPF_ACB 5
+#define NPF_LMPWD 6
+#define NPF_NTPWD 7
+#define NPF_LOGON_T 8
+#define NPF_LOGOFF_T 9
+#define NPF_KICK_T 10
+#define NPF_PWDLSET_T 11
+#define NPF_PWDCCHG_T 12
+#define NPF_PWDMCHG_T 13
+#define NPF_FULL_NAME 14
+#define NPF_HOME_DIR 15
+#define NPF_DIR_DRIVE 16
+#define NPF_LOGON_SCRIPT 17
+#define NPF_PROFILE_PATH 18
+#define NPF_ACCT_DESC 19
+#define NPF_WORKSTATIONS 20
+#define NPF_HOURS 21
+
+struct nisplus_private_info {
+ nis_result *result;
+ int enum_entry;
+ char *location;
+};
+
+static char *make_nisname_from_user_rid (uint32 rid, char *pfile);
+static char *make_nisname_from_name (const char *user_name, char *pfile);
+static void get_single_attribute (const nis_object * new_obj, int col,
+ char *val, int len);;
+static BOOL make_sam_from_nisp_object (SAM_ACCOUNT * pw_buf,
+ const nis_object * obj);
+static BOOL make_sam_from_nisresult (SAM_ACCOUNT * pw_buf,
+ const nis_result * result);;
+static void set_single_attribute (nis_object * new_obj, int col,
+ const char *val, int len, int flags);
+static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass,
+ nis_object * old);
+static nis_result *nisp_get_nis_list (const char *nisname,
+ unsigned int flags);
+
+/***************************************************************
+ Start enumeration of the passwd list.
+****************************************************************/
+
+static NTSTATUS nisplussam_setsampwent (struct pdb_methods *methods, BOOL update)
+{
+ struct nisplus_private_info *private =
+ (struct nisplus_private_info *) methods->private_data;
+
+ char *sp;
+ pstring pfiletmp;
+
+ if ((sp = strrchr (private->location, '/')))
+ safe_strcpy (pfiletmp, sp + 1, sizeof (pfiletmp) - 1);
+ else
+ safe_strcpy (pfiletmp, p, sizeof (pfiletmp) - 1);
+ safe_strcat (pfiletmp, ".org_dir",
+ sizeof (pfiletmp) - strlen (pfiletmp) - 1);
+
+ pdb_endsampwent (); /* just in case */
+ global_nisp_ent->result = nisp_get_nis_list (pfiletmp, 0);
+ global_nisp_ent->enum_entry = 0;
+ if (global_nisp_ent->result != NULL)
+ return NT_STATUS_UNSUCCESSFUL;
+ else
+ return NT_STATUS_OK;
+}
+
+/***************************************************************
+ End enumeration of the passwd list.
+****************************************************************/
+
+static void nisplussam_endsampwent (struct pdb_methods *methods)
+{
+ struct nisplus_private_info *global_nisp_ent =
+ (struct nisplus_private_info *) methods->private_data;
+ if (global_nisp_ent->result)
+ nis_freeresult (global_nisp_ent->result);
+ global_nisp_ent->result = NULL;
+ global_nisp_ent->enum_entry = 0;
+}
+
+/*****************************************************************
+ Get one SAM_ACCOUNT from the list (next in line)
+*****************************************************************/
+
+static NTSTATUS nisplussam_getsampwent (struct pdb_methods *methods,
+ SAM_ACCOUNT * user)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct nisplus_private_info *global_nisp_ent =
+ (struct nisplus_private_info *) methods->private_data;
+ int enum_entry = (int) (global_nisp_ent->enum_entry);
+ nis_result *result = global_nisp_ent->result;
+
+ if (user == NULL) {
+ DEBUG (0, ("SAM_ACCOUNT is NULL.\n"));
+ return nt_status;
+ }
+
+ if (result == NULL || enum_entry < 0 || enum_entry >= (NIS_RES_NUMOBJ (result) - 1)) {
+ return nt_status;
+ }
+
+ if (!make_sam_from_nisp_object(user, &NIS_RES_OBJECT (result)[enum_entry])) {
+ DEBUG (0, ("Bad SAM_ACCOUNT entry returned from NIS+!\n"));
+ return nt_status;
+ }
+ (int) (global_nisp_ent->enum_entry)++;
+
+ return nt_status;
+}
+
+/******************************************************************
+ Lookup a name in the SAM database
+******************************************************************/
+
+static NTSTATUS nisplussam_getsampwnam (struct pdb_methods *methods,
+ SAM_ACCOUNT * user, const char *sname)
+{
+ /* Static buffers we will return. */
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ nis_result *result = NULL;
+ pstring nisname;
+ BOOL ret;
+ struct nisplus_private_info *private =
+ (struct nisplus_private_info *) methods->private_data;
+
+ if (!private->location || !(*private->location)) {
+ DEBUG (0, ("No SMB password file set\n"));
+ return nt_status;
+ }
+ if (strrchr (private->location, '/'))
+ private->location = strrchr (private->location, '/') + 1;
+
+ slprintf (nisname, sizeof (nisname) - 1, "[name=%s],%s.org_dir",
+ sname, private->location);
+ DEBUG (10, ("search by nisname: %s\n", nisname));
+
+ /* Search the table. */
+
+ if (!(result = nisp_get_nis_list (nisname, 0))) {
+ return nt_status;
+ }
+
+ ret = make_sam_from_nisresult (user, result);
+ nis_freeresult (result);
+
+ if (ret) nt_status = NT_STATUS_OK;
+
+ return nt_status;
+}
+
+/***************************************************************************
+ Search by sid
+ **************************************************************************/
+
+static NTSTATUS nisplussam_getsampwrid (struct pdb_methods *methods,
+ SAM_ACCOUNT * user, uint32 rid)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ nis_result *result;
+ char *nisname;
+ BOOL ret;
+ char *sp;
+ pstring pfiletmp;
+ struct nisplus_private_info *private =
+ (struct nisplus_private_info *) methods->private_data;
+
+ if (!private->location || !(*private->location)) {
+ DEBUG (0, ("no SMB password file set\n"));
+ return nt_status;
+ }
+
+ if ((sp = strrchr (private->location, '/')))
+ safe_strcpy (pfiletmp, sp + 1, sizeof (pfiletmp) - 1);
+ else
+ safe_strcpy (pfiletmp, private->location, sizeof (pfiletmp) - 1);
+ safe_strcat (pfiletmp, ".org_dir",
+ sizeof (pfiletmp) - strlen (pfiletmp) - 1);
+
+ nisname = make_nisname_from_user_rid (rid, pfiletmp);
+
+ DEBUG (10, ("search by rid: %s\n", nisname));
+
+ /* Search the table. */
+
+ if (!(result = nisp_get_nis_list (nisname, 0))) {
+ return nt_status;
+ }
+
+ ret = make_sam_from_nisresult (user, result);
+ nis_freeresult (result);
+
+ if (ret) nt_status = NT_STATUS_OK;
+
+ return nt_status;
+}
+
+static NTSTATUS nisplussam_getsampwsid (struct pdb_methods *methods,
+ SAM_ACCOUNT * user, const DOM_SID * sid)
+{
+ uint32 rid;
+
+ if (!sid_peek_check_rid (get_global_sam_sid (), sid, &rid))
+ return NT_STATUS_UNSUCCESSFUL;
+ return nisplussam_getsampwrid (methods, user, rid);
+}
+
+
+
+/***************************************************************************
+ Delete a SAM_ACCOUNT
+****************************************************************************/
+
+static NTSTATUS nisplussam_delete_sam_account (struct pdb_methods *methods,
+ SAM_ACCOUNT * user)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ const char *sname;
+ pstring nisname;
+ nis_result *result, *delresult;
+ nis_object *obj;
+ struct nisplus_private_info *private =
+ (struct nisplus_private_info *) methods->private_data;
+
+ if (!user) {
+ DEBUG (0, ("no SAM_ACCOUNT specified!\n"));
+ return nt_status;
+ }
+
+ sname = pdb_get_username (user);
+
+ if (!private->location || !(*private->location)) {
+ DEBUG (0, ("no SMB password file set\n"));
+ return nt_status;
+ }
+
+ if (strrchr (private->location, '/'))
+ private->location = strrchr (private->location, '/') + 1;
+
+ slprintf (nisname, sizeof (nisname) - 1, "[name=%s],%s.org_dir",
+ sname, private->location);
+
+ /* Search the table. */
+
+ if (!(result = nisp_get_nis_list (nisname,
+ MASTER_ONLY | FOLLOW_LINKS |
+ FOLLOW_PATH | EXPAND_NAME |
+ HARD_LOOKUP))) {
+ return nt_status;
+ }
+
+ if (result->status != NIS_SUCCESS || NIS_RES_NUMOBJ (result) <= 0) {
+ /* User not found. */
+ DEBUG (0, ("user not found in NIS+\n"));
+ nis_freeresult (result);
+ return nt_status;
+ }
+
+ obj = NIS_RES_OBJECT (result);
+ slprintf (nisname, sizeof (nisname) - 1, "[name=%s],%s.%s", sname,
+ obj->zo_name, obj->zo_domain);
+
+ DEBUG (10, ("removing name: %s\n", nisname));
+ delresult = nis_remove_entry (nisname, obj,
+ MASTER_ONLY | REM_MULTIPLE | ALL_RESULTS
+ | FOLLOW_PATH | EXPAND_NAME |
+ HARD_LOOKUP);
+
+ nis_freeresult (result);
+
+ if (delresult->status != NIS_SUCCESS) {
+ DEBUG (0, ("NIS+ table update failed: %s %s\n",
+ nisname, nis_sperrno (delresult->status)));
+ nis_freeresult (delresult);
+ return nt_status;
+ }
+ nis_freeresult (delresult);
+
+ return NT_STATUS_OK;
+}
+
+/***************************************************************************
+ Modifies an existing SAM_ACCOUNT
+****************************************************************************/
+
+static NTSTATUS nisplussam_update_sam_account (struct pdb_methods *methods,
+ SAM_ACCOUNT * newpwd)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ nis_result *result, *addresult;
+ nis_object *obj;
+ nis_object new_obj;
+ entry_col *ecol;
+ int ta_maxcol;
+ struct nisplus_private_info *private =
+ (struct nisplus_private_info *) methods->private_data;
+ pstring nisname;
+
+ if (!private->location || !(*private->location)) {
+ DEBUG (0, ("no SMB password file set\n"));
+ return nt_status;
+ }
+ if (strrchr (private->location, '/'))
+ private->location = strrchr (private->location, '/') + 1;
+
+ slprintf (nisname, sizeof (nisname) - 1, "[name=%s],%s.org_dir",
+ pdb_get_username (newpwd), private->location);
+
+ DEBUG (10, ("search by name: %s\n", nisname));
+
+ /* Search the table. */
+
+ if (!
+ (result =
+ nisp_get_nis_list (nisname,
+ MASTER_ONLY | FOLLOW_LINKS | FOLLOW_PATH |
+ EXPAND_NAME | HARD_LOOKUP))) {
+ return ne_status;
+ }
+
+ if (result->status != NIS_SUCCESS || NIS_RES_NUMOBJ (result) <= 0) {
+ /* User not found. */
+ DEBUG (0, ("user not found in NIS+\n"));
+ nis_freeresult (result);
+ return nt_status;
+ }
+
+ obj = NIS_RES_OBJECT (result);
+ DEBUG (6, ("entry found in %s\n", obj->zo_domain));
+
+ /* we must create new stub object with EN_MODIFIED flag.
+ this is because obj from result is going to be freed and
+ we do not want to break it or cause memory leaks or corruption.
+ */
+
+ memmove ((char *) &new_obj, obj, sizeof (new_obj));
+ ta_maxcol = obj->TA_data.ta_maxcol;
+
+ if (!(ecol = (entry_col *) malloc (ta_maxcol * sizeof (entry_col)))) {
+ DEBUG (0, ("memory allocation failure\n"));
+ nis_freeresult (result);
+ return nt_status;
+ }
+
+ memmove ((char *) ecol, obj->EN_data.en_cols.en_cols_val,
+ ta_maxcol * sizeof (entry_col));
+ new_obj.EN_data.en_cols.en_cols_val = ecol;
+ new_obj.EN_data.en_cols.en_cols_len = ta_maxcol;
+
+ if (init_nisp_from_sam (&new_obj, newpwd, obj) == True) {
+ slprintf (nisname, sizeof (nisname) - 1, "[name=%s],%s.%s",
+ pdb_get_username (newpwd), private->location, obj->zo_domain);
+
+ DEBUG (10, ("NIS+ table update: %s\n", nisname));
+ addresult =
+ nis_modify_entry (nisname, &new_obj,
+ MOD_SAMEOBJ | FOLLOW_PATH |
+ EXPAND_NAME | HARD_LOOKUP);
+
+ if (addresult->status != NIS_SUCCESS) {
+ DEBUG (0, ("NIS+ table update failed: %s %s\n",
+ nisname, nis_sperrno (addresult->status)));
+ nis_freeresult (addresult);
+ nis_freeresult (result);
+ free (ecol);
+ return nt_status;
+ }
+
+ DEBUG (6, ("password changed\n"));
+ nis_freeresult (addresult);
+ } else {
+ DEBUG (6, ("nothing to change!\n"));
+ }
+
+ free (ecol);
+ nis_freeresult (result);
+
+ return NT_STATUS_OK;
+}
+
+/***************************************************************************
+ Adds an existing SAM_ACCOUNT
+****************************************************************************/
+
+static NTSTATUS nisplussam_add_sam_account (struct pdb_methods *methods,
+ SAM_ACCOUNT * newpwd)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ int local_user = 0;
+ char *pfile;
+ pstring pfiletmp;
+ char *nisname;
+ nis_result *result = NULL, *tblresult = NULL;
+ nis_object new_obj;
+ entry_col *ecol;
+ int ta_maxcol;
+
+ /*
+ * 1. find user domain.
+ * a. try nis search in passwd.org_dir - if found use domain from result.
+ * b. try getpwnam. this may be needed if user is defined
+ * in /etc/passwd file (or elsewere) and not in passwd.org_dir.
+ * if found, use host default domain.
+ * c. exit with False - no such user.
+ *
+ * 2. add user
+ * a. find smbpasswd table
+ * search pfile in user domain if not found, try host default
+ * domain.
+ * b. smbpasswd domain is found, fill data and add entry.
+ *
+ * pfile should contain ONLY table name, org_dir will be concated.
+ * so, at first we will clear path prefix from pfile, and
+ * then we will use pfiletmp as playground to put together full
+ * nisname string.
+ * such approach will make it possible to specify samba private dir
+ * AND still use NIS+ table. as all domain related data is normally
+ * stored in org_dir.DOMAIN, this should be ok do do.
+ */
+
+ pfile = private->location;
+ if (strrchr (pfile, '/'))
+ pfile = strrchr (pfile, '/') + 1;
+
+ /*
+ * Check if user is already there.
+ */
+ safe_strcpy (pfiletmp, pfile, sizeof (pfiletmp) - 1);
+ safe_strcat (pfiletmp, ".org_dir",
+ sizeof (pfiletmp) - strlen (pfiletmp) - 1);
+
+ if (pdb_get_username (newpwd) != NULL) {
+ nisname = make_nisname_from_name (pdb_get_username (newpwd),
+ pfiletmp);
+ } else {
+ return nt_status;
+ }
+
+ if (!
+ (result =
+ nisp_get_nis_list (nisname,
+ MASTER_ONLY | FOLLOW_LINKS | FOLLOW_PATH |
+ EXPAND_NAME | HARD_LOOKUP))) {
+ return nt_status;
+ }
+ if (result->status != NIS_SUCCESS && result->status != NIS_NOTFOUND) {
+ DEBUG (3, ("nis_list failure: %s: %s\n",
+ nisname, nis_sperrno (result->status)));
+ nis_freeresult (result);
+ return nt_status;
+ }
+
+ if (result->status == NIS_SUCCESS && NIS_RES_NUMOBJ (result) > 0) {
+ DEBUG (3, ("User already exists in NIS+ password db: %s\n",
+ pfile));
+ nis_freeresult (result);
+ return nt_status;
+ }
+
+ nis_freeresult (result); /* no such user, free results */
+
+ /*
+ * check for user in unix password database. we need this to get
+ * domain, where smbpasswd entry should be stored.
+ */
+
+ nisname = make_nisname_from_name (pdb_get_username (newpwd),
+ "passwd.org_dir");
+
+ result = nisp_get_nis_list (nisname,
+ MASTER_ONLY | FOLLOW_LINKS | FOLLOW_PATH |
+ EXPAND_NAME | HARD_LOOKUP);
+
+ if (result->status != NIS_SUCCESS || NIS_RES_NUMOBJ (result) <= 0) {
+ struct passwd *passwd;
+
+ DEBUG (3, ("nis_list failure: %s: %s\n",
+ nisname, nis_sperrno (result->status)));
+ nis_freeresult (result);
+
+ if (!(passwd = getpwnam_alloc (pdb_get_username (newpwd)))) {
+ /* no such user in system! */
+ return nt_status;
+ }
+ passwd_free (&passwd);
+
+ /*
+ * user is defined, but not in passwd.org_dir.
+ */
+ local_user = 1;
+ } else {
+ safe_strcpy (pfiletmp, pfile, sizeof (pfiletmp) - 1);
+ safe_strcat (pfiletmp, ".",
+ sizeof (pfiletmp) - strlen (pfiletmp) - 1);
+ safe_strcat (pfiletmp, NIS_RES_OBJECT (result)->zo_domain,
+ sizeof (pfiletmp) - strlen (pfiletmp) - 1);
+ nis_freeresult (result); /* not needed any more */
+
+ tblresult = nisp_get_nis_list (pfiletmp,
+ MASTER_ONLY | FOLLOW_LINKS |
+ FOLLOW_PATH | EXPAND_NAME |
+ HARD_LOOKUP);
+ }
+
+ if (local_user || tblresult->status != NIS_SUCCESS) {
+ /*
+ * no user domain or
+ * smbpasswd table not found in user domain, fallback to
+ * default domain.
+ */
+ if (!local_user) /* free previous failed search result */
+ nis_freeresult (tblresult);
+
+ safe_strcpy (pfiletmp, pfile, sizeof (pfiletmp) - 1);
+ safe_strcat (pfiletmp, ".org_dir",
+ sizeof (pfiletmp) - strlen (pfiletmp) - 1);
+ tblresult = nis_lookup (pfiletmp, MASTER_ONLY | FOLLOW_LINKS |
+ FOLLOW_PATH | EXPAND_NAME |
+ HARD_LOOKUP);
+ if (tblresult->status != NIS_SUCCESS) {
+ /* still nothing. bail out */
+ nis_freeresult (tblresult);
+ DEBUG (3, ("nis_lookup failure: %s\n",
+ nis_sperrno (tblresult->status)));
+ return nt_status;
+ }
+ /* we need full name for nis_add_entry() */
+ safe_strcpy (pfiletmp, pfile, sizeof (pfiletmp) - 1);
+ safe_strcat (pfiletmp, ".",
+ sizeof (pfiletmp) - strlen (pfiletmp) - 1);
+ safe_strcat (pfiletmp, NIS_RES_OBJECT (tblresult)->zo_domain,
+ sizeof (pfiletmp) - strlen (pfiletmp) - 1);
+ }
+
+ memset ((char *) &new_obj, 0, sizeof (new_obj));
+ /* fill entry headers */
+ /* we do not free these. */
+ new_obj.zo_name = NIS_RES_OBJECT (tblresult)->zo_name;
+ new_obj.zo_owner = NIS_RES_OBJECT (tblresult)->zo_owner;
+ new_obj.zo_group = NIS_RES_OBJECT (tblresult)->zo_group;
+ new_obj.zo_domain = NIS_RES_OBJECT (tblresult)->zo_domain;
+ /* uints */
+ new_obj.zo_access = NIS_RES_OBJECT (tblresult)->zo_access;
+ new_obj.zo_ttl = NIS_RES_OBJECT (tblresult)->zo_ttl;
+
+ new_obj.zo_data.zo_type = ENTRY_OBJ;
+ new_obj.EN_data.en_type = NIS_RES_OBJECT (tblresult)->TA_data.ta_type;
+
+ ta_maxcol = NIS_RES_OBJECT (tblresult)->TA_data.ta_maxcol;
+
+ if (!(ecol = (entry_col *) malloc (ta_maxcol * sizeof (entry_col)))) {
+ DEBUG (0, ("memory allocation failure\n"));
+ nis_freeresult (tblresult);
+ return nt_status;
+ }
+
+ memset ((char *) ecol, 0, ta_maxcol * sizeof (entry_col));
+ new_obj.EN_data.en_cols.en_cols_val = ecol;
+ new_obj.EN_data.en_cols.en_cols_len = ta_maxcol;
+
+ init_nisp_from_sam (&new_obj, newpwd, NULL);
+
+ DEBUG (10, ("add NIS+ entry: %s\n", nisname));
+ result = nis_add_entry (pfiletmp, &new_obj, 0);
+
+ free (ecol); /* free allocated entry space */
+
+ if (result->status != NIS_SUCCESS) {
+ DEBUG (3, ("NIS+ table update failed: %s,%s\n",
+ nisname, nis_sperrno (result->status)));
+ nis_freeresult (tblresult);
+ nis_freeresult (result);
+ return nt_status;
+ }
+
+ nis_freeresult (tblresult);
+ nis_freeresult (result);
+
+ return NT_STATUS_OK;
+}
+
+/***************************************************************
+ make_nisname_from_user_rid
+ ****************************************************************/
+static char *make_nisname_from_user_rid (uint32 rid, char *pfile)
+{
+ static pstring nisname;
+
+ safe_strcpy (nisname, "[user_rid=", sizeof (nisname) - 1);
+ slprintf (nisname, sizeof (nisname) - 1, "%s%d", nisname, rid);
+ safe_strcat (nisname, "],", sizeof (nisname) - strlen (nisname) - 1);
+ safe_strcat (nisname, pfile, sizeof (nisname) - strlen (nisname) - 1);
+
+ return nisname;
+}
+
+/***************************************************************
+ make_nisname_from_name
+ ****************************************************************/
+static char *make_nisname_from_name (const char *user_name, char *pfile)
+{
+ static pstring nisname;
+
+ safe_strcpy (nisname, "[name=", sizeof (nisname) - 1);
+ safe_strcat (nisname, user_name,
+ sizeof (nisname) - strlen (nisname) - 1);
+ safe_strcat (nisname, "],", sizeof (nisname) - strlen (nisname) - 1);
+ safe_strcat (nisname, pfile, sizeof (nisname) - strlen (nisname) - 1);
+
+ return nisname;
+}
+
+/*************************************************************************
+ gets a NIS+ attribute
+ *************************************************************************/
+static void get_single_attribute (const nis_object * new_obj, int col,
+ char *val, int len)
+{
+ int entry_len;
+
+ if (new_obj == NULL || val == NULL)
+ return;
+
+ entry_len = ENTRY_LEN (new_obj, col);
+ if (len > entry_len) {
+ len = entry_len;
+ }
+
+ safe_strcpy (val, ENTRY_VAL (new_obj, col), len - 1);
+}
+
+/************************************************************************
+ makes a struct sam_passwd from a NIS+ object.
+ ************************************************************************/
+static BOOL make_sam_from_nisp_object (SAM_ACCOUNT * pw_buf,
+ const nis_object * obj)
+{
+ char *ptr;
+ pstring full_name; /* this must be translated to dos code page */
+ pstring acct_desc; /* this must be translated to dos code page */
+ pstring home_dir; /* set default value from smb.conf for user */
+ pstring home_drive; /* set default value from smb.conf for user */
+ pstring logon_script; /* set default value from smb.conf for user */
+ pstring profile_path; /* set default value from smb.conf for user */
+ pstring hours;
+ int hours_len;
+ unsigned char smbpwd[16];
+ unsigned char smbntpwd[16];
+
+
+ /*
+ * time values. note: this code assumes 32bit time_t!
+ */
+
+ /* Don't change these timestamp settings without a good reason. They are
+ important for NT member server compatibility. */
+
+ pdb_set_logon_time (pw_buf, (time_t) 0, PDB_DEFAULT);
+ ptr = (uchar *) ENTRY_VAL (obj, NPF_LOGON_T);
+ if (ptr && *ptr && (StrnCaseCmp (ptr, "LNT-", 4) == 0)) {
+ int i;
+
+ ptr += 4;
+ for (i = 0; i < 8; i++) {
+ if (ptr[i] == '\0' || !isxdigit (ptr[i]))
+ break;
+ }
+ if (i == 8) {
+ pdb_set_logon_time (pw_buf,
+ (time_t) strtol (ptr, NULL, 16),
+ PDB_SET);
+ }
+ }
+
+ pdb_set_logoff_time (pw_buf, get_time_t_max (), PDB_DEFAULT);
+ ptr = (uchar *) ENTRY_VAL (obj, NPF_LOGOFF_T);
+ if (ptr && *ptr && (StrnCaseCmp (ptr, "LOT-", 4) == 0)) {
+ int i;
+
+ ptr += 4;
+ for (i = 0; i < 8; i++) {
+ if (ptr[i] == '\0' || !isxdigit (ptr[i]))
+ break;
+ }
+ if (i == 8) {
+ pdb_set_logoff_time (pw_buf,
+ (time_t) strtol (ptr, NULL, 16),
+ PDB_SET);
+ }
+ }
+
+ pdb_set_kickoff_time (pw_buf, get_time_t_max (), PDB_DEFAULT);
+ ptr = (uchar *) ENTRY_VAL (obj, NPF_KICK_T);
+ if (ptr && *ptr && (StrnCaseCmp (ptr, "KOT-", 4) == 0)) {
+ int i;
+
+ ptr += 4;
+ for (i = 0; i < 8; i++) {
+ if (ptr[i] == '\0' || !isxdigit (ptr[i]))
+ break;
+ }
+ if (i == 8) {
+ pdb_set_kickoff_time (pw_buf,
+ (time_t) strtol (ptr, NULL, 16),
+ PDB_SET);
+ }
+ }
+
+ pdb_set_pass_last_set_time (pw_buf, (time_t) 0, PDB_DEFAULT);
+ ptr = (uchar *) ENTRY_VAL (obj, NPF_PWDLSET_T);
+ if (ptr && *ptr && (StrnCaseCmp (ptr, "LCT-", 4) == 0)) {
+ int i;
+
+ ptr += 4;
+ for (i = 0; i < 8; i++) {
+ if (ptr[i] == '\0' || !isxdigit (ptr[i]))
+ break;
+ }
+ if (i == 8) {
+ pdb_set_pass_last_set_time (pw_buf,
+ (time_t) strtol (ptr,
+ NULL,
+ 16),
+ PDB_SET);
+ }
+ }
+
+ pdb_set_pass_can_change_time (pw_buf, (time_t) 0, PDB_DEFAULT);
+ ptr = (uchar *) ENTRY_VAL (obj, NPF_PWDCCHG_T);
+ if (ptr && *ptr && (StrnCaseCmp (ptr, "CCT-", 4) == 0)) {
+ int i;
+
+ ptr += 4;
+ for (i = 0; i < 8; i++) {
+ if (ptr[i] == '\0' || !isxdigit (ptr[i]))
+ break;
+ }
+ if (i == 8) {
+ pdb_set_pass_can_change_time (pw_buf,
+ (time_t) strtol (ptr,
+ NULL,
+ 16),
+ PDB_SET);
+ }
+ }
+
+ pdb_set_pass_must_change_time (pw_buf, get_time_t_max (), PDB_DEFAULT); /* Password never expires. */
+ ptr = (uchar *) ENTRY_VAL (obj, NPF_PWDMCHG_T);
+ if (ptr && *ptr && (StrnCaseCmp (ptr, "MCT-", 4) == 0)) {
+ int i;
+
+ ptr += 4;
+ for (i = 0; i < 8; i++) {
+ if (ptr[i] == '\0' || !isxdigit (ptr[i]))
+ break;
+ }
+ if (i == 8) {
+ pdb_set_pass_must_change_time (pw_buf,
+ (time_t) strtol (ptr,
+ NULL,
+ 16),
+ PDB_SET);
+ }
+ }
+
+ /* string values */
+ pdb_set_username (pw_buf, ENTRY_VAL (obj, NPF_NAME), PDB_SET);
+ pdb_set_domain (pw_buf, lp_workgroup (), PDB_DEFAULT);
+ /* pdb_set_nt_username() -- cant set it here... */
+
+ get_single_attribute (obj, NPF_FULL_NAME, full_name,
+ sizeof (pstring));
+#if 0
+ unix_to_dos (full_name, True);
+#endif
+ pdb_set_fullname (pw_buf, full_name, PDB_SET);
+
+ pdb_set_acct_ctrl (pw_buf, pdb_decode_acct_ctrl (ENTRY_VAL (obj,
+ NPF_ACB), PDB_SET));
+
+ get_single_attribute (obj, NPF_ACCT_DESC, acct_desc,
+ sizeof (pstring));
+#if 0
+ unix_to_dos (acct_desc, True);
+#endif
+ pdb_set_acct_desc (pw_buf, acct_desc, PDB_SET);
+
+ pdb_set_workstations (pw_buf, ENTRY_VAL (obj, NPF_WORKSTATIONS), PDB_SET);
+ pdb_set_munged_dial (pw_buf, NULL, PDB_DEFAULT);
+
+ pdb_set_uid (pw_buf, atoi (ENTRY_VAL (obj, NPF_UID)), PDB_SET);
+ pdb_set_gid (pw_buf, atoi (ENTRY_VAL (obj, NPF_SMB_GRPID)), PDB_SET);
+ pdb_set_user_sid_from_rid (pw_buf,
+ atoi (ENTRY_VAL (obj, NPF_USER_RID)), PDB_SET);
+ pdb_set_group_sid_from_rid (pw_buf,
+ atoi (ENTRY_VAL (obj, NPF_GROUP_RID)), PDB_SET);
+
+ /* values, must exist for user */
+ if (!(pdb_get_acct_ctrl (pw_buf) & ACB_WSTRUST)) {
+
+ get_single_attribute (obj, NPF_HOME_DIR, home_dir,
+ sizeof (pstring));
+ if (!(home_dir && *home_dir)) {
+ pstrcpy (home_dir, lp_logon_home ());
+ pdb_set_homedir (pw_buf, home_dir, PDB_DEFAULT);
+ } else
+ pdb_set_homedir (pw_buf, home_dir, PDB_SET);
+
+ get_single_attribute (obj, NPF_DIR_DRIVE, home_drive,
+ sizeof (pstring));
+ if (!(home_drive && *home_drive)) {
+ pstrcpy (home_drive, lp_logon_drive ());
+ pdb_set_dir_drive (pw_buf, home_drive, PDB_DEFAULT);
+ } else
+ pdb_set_dir_drive (pw_buf, home_drive, PDB_SET);
+
+ get_single_attribute (obj, NPF_LOGON_SCRIPT, logon_script,
+ sizeof (pstring));
+ if (!(logon_script && *logon_script)) {
+ pstrcpy (logon_script, lp_logon_script ());
+ pdb_set_logon_script (pw_buf, logon_script, PDB_DEFAULT);
+ } else
+ pdb_set_logon_script (pw_buf, logon_script, PDB_SET);
+
+ get_single_attribute (obj, NPF_PROFILE_PATH, profile_path,
+ sizeof (pstring));
+ if (!(profile_path && *profile_path)) {
+ pstrcpy (profile_path, lp_logon_path ());
+ pdb_set_profile_path (pw_buf, profile_path, PDB_DEFAULT);
+ } else
+ pdb_set_profile_path (pw_buf, profile_path, PDB_SET);
+
+ } else {
+ /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. */
+ pdb_set_group_sid_from_rid (pw_buf, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+ }
+
+ /* Check the lanman password column. */
+ ptr = (char *) ENTRY_VAL (obj, NPF_LMPWD);
+ if (!pdb_set_lanman_passwd (pw_buf, NULL, PDB_DEFAULT))
+ return False;
+
+ if (!strncasecmp (ptr, "NO PASSWORD", 11)) {
+ pdb_set_acct_ctrl (pw_buf,
+ pdb_get_acct_ctrl (pw_buf) | ACB_PWNOTREQ, PDB_SET);
+ } else {
+ if (strlen (ptr) != 32 || !pdb_gethexpwd (ptr, smbpwd)) {
+ DEBUG (0, ("malformed LM pwd entry: %s.\n",
+ pdb_get_username (pw_buf)));
+ return False;
+ }
+ if (!pdb_set_lanman_passwd (pw_buf, smbpwd, PDB_SET))
+ return False;
+ }
+
+ /* Check the NT password column. */
+ ptr = ENTRY_VAL (obj, NPF_NTPWD);
+ if (!pdb_set_nt_passwd (pw_buf, NULL, PDB_DEFAULT))
+ return False;
+
+ if (!(pdb_get_acct_ctrl (pw_buf) & ACB_PWNOTREQ) &&
+ strncasecmp (ptr, "NO PASSWORD", 11)) {
+ if (strlen (ptr) != 32 || !pdb_gethexpwd (ptr, smbntpwd)) {
+ DEBUG (0, ("malformed NT pwd entry:\
+ uid = %d.\n", pdb_get_uid (pw_buf)));
+ return False;
+ }
+ if (!pdb_set_nt_passwd (pw_buf, smbntpwd, PDB_SET))
+ return False;
+ }
+
+ pdb_set_unknown_3 (pw_buf, 0xffffff, PDB_DEFAULT); /* don't know */
+ pdb_set_logon_divs (pw_buf, 168, PDB_DEFAULT); /* hours per week */
+
+ if ((hours_len = ENTRY_LEN (obj, NPF_HOURS)) == 21) {
+ memcpy (hours, ENTRY_VAL (obj, NPF_HOURS), hours_len);
+ } else {
+ hours_len = 21; /* 21 times 8 bits = 168 */
+ /* available at all hours */
+ memset (hours, 0xff, hours_len);
+ }
+ pdb_set_hours_len (pw_buf, hours_len, PDB_SET);
+ pdb_set_hours (pw_buf, hours, PDB_SET);
+
+ pdb_set_unknown_5 (pw_buf, 0x00020000, PDB_DEFAULT); /* don't know */
+ pdb_set_unknown_6 (pw_buf, 0x000004ec, PDB_DEFAULT); /* don't know */
+
+ return True;
+}
+
+/************************************************************************
+ makes a struct sam_passwd from a NIS+ result.
+ ************************************************************************/
+static BOOL make_sam_from_nisresult (SAM_ACCOUNT * pw_buf,
+ const nis_result * result)
+{
+ if (pw_buf == NULL || result == NULL)
+ return False;
+
+ if (result->status != NIS_SUCCESS && result->status != NIS_NOTFOUND) {
+ DEBUG (0, ("NIS+ lookup failure: %s\n",
+ nis_sperrno (result->status)));
+ return False;
+ }
+
+ /* User not found. */
+ if (NIS_RES_NUMOBJ (result) <= 0) {
+ DEBUG (10, ("user not found in NIS+\n"));
+ return False;
+ }
+
+ if (NIS_RES_NUMOBJ (result) > 1) {
+ DEBUG (10,
+ ("WARNING: Multiple entries for user in NIS+ table!\n"));
+ }
+
+ /* Grab the first hit. */
+ return make_sam_from_nisp_object (pw_buf,
+ &NIS_RES_OBJECT (result)[0]);
+}
+
+/*************************************************************************
+ sets a NIS+ attribute
+ *************************************************************************/
+static void set_single_attribute (nis_object * new_obj, int col,
+ const char *val, int len, int flags)
+{
+ if (new_obj == NULL)
+ return;
+
+ ENTRY_VAL (new_obj, col) = val;
+ ENTRY_LEN (new_obj, col) = len + 1;
+
+ if (flags != 0) {
+ new_obj->EN_data.en_cols.en_cols_val[col].ec_flags = flags;
+ }
+}
+
+/***************************************************************
+ copy or modify nis object. this object is used to add or update
+ nisplus table entry.
+ ****************************************************************/
+static BOOL init_nisp_from_sam (nis_object * obj, const SAM_ACCOUNT * sampass,
+ nis_object * old)
+{
+ /*
+ * Fill nis_object for entry add or update.
+ * if we are updateing, we have to find out differences and set
+ * EN_MODIFIED flag. also set need_to_modify to trigger
+ * nis_modify_entry() call in pdb_update_sam_account().
+ *
+ * TODO:
+ * get data from SAM
+ * if (modify) get data from nis_object, compare and store if
+ * different + set EN_MODIFIED and need_to_modify
+ * else
+ * store
+ */
+ BOOL need_to_modify = False;
+ const char *name = pdb_get_username (sampass); /* from SAM */
+
+ /* these must be static or allocate and free entry columns! */
+ static fstring uid; /* from SAM */
+ static fstring user_rid; /* from SAM */
+ static fstring gid; /* from SAM */
+ static fstring group_rid; /* from SAM */
+ char *acb; /* from SAM */
+ static fstring smb_passwd; /* from SAM */
+ static fstring smb_nt_passwd; /* from SAM */
+ static fstring logon_t; /* from SAM */
+ static fstring logoff_t; /* from SAM */
+ static fstring kickoff_t; /* from SAM */
+ static fstring pwdlset_t; /* from SAM */
+ static fstring pwdlchg_t; /* from SAM */
+ static fstring pwdmchg_t; /* from SAM */
+ static fstring full_name; /* from SAM */
+ static fstring acct_desc; /* from SAM */
+ static char empty[1]; /* just an empty string */
+
+ slprintf (uid, sizeof (uid) - 1, "%u", pdb_get_uid (sampass));
+ slprintf (user_rid, sizeof (user_rid) - 1, "%u",
+ pdb_get_user_rid (sampass) ? pdb_get_user_rid (sampass) :
+ fallback_pdb_uid_to_user_rid (pdb_get_uid (sampass)));
+ slprintf (gid, sizeof (gid) - 1, "%u", pdb_get_gid (sampass));
+
+ {
+ uint32 rid;
+ GROUP_MAP map;
+
+ rid = pdb_get_group_rid (sampass);
+
+ if (rid == 0) {
+ if (pdb_getgrgid(&map, pdb_get_gid (sampass),
+ MAPPING_WITHOUT_PRIV)) {
+ if (!sid_peek_check_rid
+ (get_global_sam_sid (), &map.sid, &rid))
+ return False;
+ } else
+ rid = pdb_gid_to_group_rid (pdb_get_gid
+ (sampass));
+ }
+
+ slprintf (group_rid, sizeof (group_rid) - 1, "%u", rid);
+ }
+
+ acb = pdb_encode_acct_ctrl (pdb_get_acct_ctrl (sampass),
+ NEW_PW_FORMAT_SPACE_PADDED_LEN);
+ pdb_sethexpwd (smb_passwd, pdb_get_lanman_passwd (sampass),
+ pdb_get_acct_ctrl (sampass));
+ pdb_sethexpwd (smb_nt_passwd, pdb_get_nt_passwd (sampass),
+ pdb_get_acct_ctrl (sampass));
+ slprintf (logon_t, 13, "LNT-%08X",
+ (uint32) pdb_get_logon_time (sampass));
+ slprintf (logoff_t, 13, "LOT-%08X",
+ (uint32) pdb_get_logoff_time (sampass));
+ slprintf (kickoff_t, 13, "KOT-%08X",
+ (uint32) pdb_get_kickoff_time (sampass));
+ slprintf (pwdlset_t, 13, "LCT-%08X",
+ (uint32) pdb_get_pass_last_set_time (sampass));
+ slprintf (pwdlchg_t, 13, "CCT-%08X",
+ (uint32) pdb_get_pass_can_change_time (sampass));
+ slprintf (pwdmchg_t, 13, "MCT-%08X",
+ (uint32) pdb_get_pass_must_change_time (sampass));
+ safe_strcpy (full_name, pdb_get_fullname (sampass),
+ sizeof (full_name) - 1);
+ safe_strcpy (acct_desc, pdb_get_acct_desc (sampass),
+ sizeof (acct_desc) - 1);
+
+#if 0
+
+ /* Not sure what to do with these guys. -tpot */
+
+ dos_to_unix (full_name, True);
+ dos_to_unix (acct_desc, True);
+
+#endif
+
+ if (old) {
+ /* name */
+ if (strcmp (ENTRY_VAL (old, NPF_NAME), name)) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_NAME, name,
+ strlen (name), EN_MODIFIED);
+ }
+
+
+ /* uid */
+ if (pdb_get_uid (sampass) != -1) {
+ if (!ENTRY_VAL (old, NPF_UID)
+ || strcmp (ENTRY_VAL (old, NPF_UID), uid)) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_UID, uid,
+ strlen (uid),
+ EN_MODIFIED);
+ }
+ }
+
+ /* user_rid */
+ if (pdb_get_user_rid (sampass)) {
+ if (!ENTRY_VAL (old, NPF_USER_RID) ||
+ strcmp (ENTRY_VAL (old, NPF_USER_RID),
+ user_rid)) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_USER_RID,
+ user_rid,
+ strlen (user_rid),
+ EN_MODIFIED);
+ }
+ }
+
+ /* smb_grpid */
+ if (pdb_get_gid (sampass) != -1) {
+ if (!ENTRY_VAL (old, NPF_SMB_GRPID) ||
+ strcmp (ENTRY_VAL (old, NPF_SMB_GRPID), gid)) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_SMB_GRPID, gid,
+ strlen (gid),
+ EN_MODIFIED);
+ }
+ }
+
+ /* group_rid */
+ if (pdb_get_group_rid (sampass)) {
+ if (!ENTRY_VAL (old, NPF_GROUP_RID) ||
+ strcmp (ENTRY_VAL (old, NPF_GROUP_RID),
+ group_rid)) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_GROUP_RID,
+ group_rid,
+ strlen (group_rid),
+ EN_MODIFIED);
+ }
+ }
+
+ /* acb */
+ if (!ENTRY_VAL (old, NPF_ACB) ||
+ strcmp (ENTRY_VAL (old, NPF_ACB), acb)) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_ACB, acb, strlen (acb),
+ EN_MODIFIED);
+ }
+
+ /* lmpwd */
+ if (!ENTRY_VAL (old, NPF_LMPWD) ||
+ strcmp (ENTRY_VAL (old, NPF_LMPWD), smb_passwd)) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_LMPWD, smb_passwd,
+ strlen (smb_passwd),
+ EN_CRYPT | EN_MODIFIED);
+ }
+
+ /* ntpwd */
+ if (!ENTRY_VAL (old, NPF_NTPWD) ||
+ strcmp (ENTRY_VAL (old, NPF_NTPWD), smb_nt_passwd)) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_NTPWD, smb_nt_passwd,
+ strlen (smb_nt_passwd),
+ EN_CRYPT | EN_MODIFIED);
+ }
+
+ /* logon_t */
+ if (pdb_get_logon_time (sampass) &&
+ (!ENTRY_VAL (old, NPF_LOGON_T) ||
+ strcmp (ENTRY_VAL (old, NPF_LOGON_T), logon_t))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_LOGON_T, logon_t,
+ strlen (logon_t), EN_MODIFIED);
+ }
+
+ /* logoff_t */
+ if (pdb_get_logoff_time (sampass) &&
+ (!ENTRY_VAL (old, NPF_LOGOFF_T) ||
+ strcmp (ENTRY_VAL (old, NPF_LOGOFF_T), logoff_t))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_LOGOFF_T, logoff_t,
+ strlen (logoff_t), EN_MODIFIED);
+ }
+
+ /* kick_t */
+ if (pdb_get_kickoff_time (sampass) &&
+ (!ENTRY_VAL (old, NPF_KICK_T) ||
+ strcmp (ENTRY_VAL (old, NPF_KICK_T), kickoff_t))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_KICK_T, kickoff_t,
+ strlen (kickoff_t),
+ EN_MODIFIED);
+ }
+
+ /* pwdlset_t */
+ if (pdb_get_pass_last_set_time (sampass) &&
+ (!ENTRY_VAL (old, NPF_PWDLSET_T) ||
+ strcmp (ENTRY_VAL (old, NPF_PWDLSET_T), pwdlset_t))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_PWDLSET_T, pwdlset_t,
+ strlen (pwdlset_t),
+ EN_MODIFIED);
+ }
+
+ /* pwdlchg_t */
+ if (pdb_get_pass_can_change_time (sampass) &&
+ (!ENTRY_VAL (old, NPF_PWDCCHG_T) ||
+ strcmp (ENTRY_VAL (old, NPF_PWDCCHG_T), pwdlchg_t))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_PWDCCHG_T, pwdlchg_t,
+ strlen (pwdlchg_t),
+ EN_MODIFIED);
+ }
+
+ /* pwdmchg_t */
+ if (pdb_get_pass_must_change_time (sampass) &&
+ (!ENTRY_VAL (old, NPF_PWDMCHG_T) ||
+ strcmp (ENTRY_VAL (old, NPF_PWDMCHG_T), pwdmchg_t))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_PWDMCHG_T, pwdmchg_t,
+ strlen (pwdmchg_t),
+ EN_MODIFIED);
+ }
+
+ /* full_name */
+ /* must support set, unset and change */
+ if ((pdb_get_fullname (sampass) &&
+ !ENTRY_VAL (old, NPF_FULL_NAME)) ||
+ (ENTRY_VAL (old, NPF_FULL_NAME) &&
+ !pdb_get_fullname (sampass)) ||
+ (ENTRY_VAL (old, NPF_FULL_NAME) &&
+ pdb_get_fullname (sampass) &&
+ strcmp (ENTRY_VAL (old, NPF_FULL_NAME), full_name))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_FULL_NAME, full_name,
+ strlen (full_name),
+ EN_MODIFIED);
+ }
+
+ /* home_dir */
+ /* must support set, unset and change */
+ if ((pdb_get_homedir (sampass) &&
+ !ENTRY_VAL (old, NPF_HOME_DIR)) ||
+ (ENTRY_VAL (old, NPF_HOME_DIR) &&
+ !pdb_get_homedir (sampass)) ||
+ (ENTRY_VAL (old, NPF_HOME_DIR) &&
+ pdb_get_homedir (sampass) &&
+ strcmp (ENTRY_VAL (old, NPF_HOME_DIR),
+ pdb_get_homedir (sampass)))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_HOME_DIR,
+ pdb_get_homedir (sampass),
+ strlen (pdb_get_homedir
+ (sampass)),
+ EN_MODIFIED);
+ }
+
+ /* dir_drive */
+ /* must support set, unset and change */
+ if ((pdb_get_dir_drive (sampass) &&
+ !ENTRY_VAL (old, NPF_DIR_DRIVE)) ||
+ (ENTRY_VAL (old, NPF_DIR_DRIVE) &&
+ !pdb_get_dir_drive (sampass)) ||
+ (ENTRY_VAL (old, NPF_DIR_DRIVE) &&
+ pdb_get_dir_drive (sampass) &&
+ strcmp (ENTRY_VAL (old, NPF_DIR_DRIVE),
+ pdb_get_dir_drive (sampass)))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_DIR_DRIVE,
+ pdb_get_dir_drive (sampass),
+ strlen (pdb_get_dir_drive
+ (sampass)),
+ EN_MODIFIED);
+ }
+
+ /* logon_script */
+ /* must support set, unset and change */
+ if (((pdb_get_logon_script (sampass) &&
+ !ENTRY_VAL (old, NPF_LOGON_SCRIPT)) ||
+ ((ENTRY_VAL (old, NPF_LOGON_SCRIPT) &&
+ (!pdb_get_logon_script (sampass)))) ||
+ ((ENTRY_VAL (old, NPF_LOGON_SCRIPT) &&
+ pdb_get_logon_script (sampass) &&
+ strcmp (ENTRY_VAL (old, NPF_LOGON_SCRIPT),
+ pdb_get_logon_script (sampass)))))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_LOGON_SCRIPT,
+ pdb_get_logon_script (sampass),
+ strlen (pdb_get_logon_script
+ (sampass)),
+ EN_MODIFIED);
+ }
+
+ /* profile_path */
+ /* must support set, unset and change */
+ if ((pdb_get_profile_path (sampass) &&
+ !ENTRY_VAL (old, NPF_PROFILE_PATH)) ||
+ (ENTRY_VAL (old, NPF_PROFILE_PATH) &&
+ !pdb_get_profile_path (sampass)) ||
+ (ENTRY_VAL (old, NPF_PROFILE_PATH) &&
+ pdb_get_profile_path (sampass) &&
+ strcmp (ENTRY_VAL (old, NPF_PROFILE_PATH),
+ pdb_get_profile_path (sampass)))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_PROFILE_PATH,
+ pdb_get_profile_path (sampass),
+ strlen (pdb_get_profile_path
+ (sampass)),
+ EN_MODIFIED);
+ }
+
+ /* acct_desc */
+ /* must support set, unset and change */
+ if ((pdb_get_acct_desc (sampass) &&
+ !ENTRY_VAL (old, NPF_ACCT_DESC)) ||
+ (ENTRY_VAL (old, NPF_ACCT_DESC) &&
+ !pdb_get_acct_desc (sampass)) ||
+ (ENTRY_VAL (old, NPF_ACCT_DESC) &&
+ pdb_get_acct_desc (sampass) &&
+ strcmp (ENTRY_VAL (old, NPF_ACCT_DESC), acct_desc))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_ACCT_DESC, acct_desc,
+ strlen (acct_desc),
+ EN_MODIFIED);
+ }
+
+ /* workstations */
+ /* must support set, unset and change */
+ if ((pdb_get_workstations (sampass) &&
+ !ENTRY_VAL (old, NPF_WORKSTATIONS)) ||
+ (ENTRY_VAL (old, NPF_WORKSTATIONS) &&
+ !pdb_get_workstations (sampass)) ||
+ (ENTRY_VAL (old, NPF_WORKSTATIONS) &&
+ (pdb_get_workstations (sampass)) &&
+ strcmp (ENTRY_VAL (old, NPF_WORKSTATIONS),
+ pdb_get_workstations (sampass)))) {
+ need_to_modify = True;
+ set_single_attribute (obj, NPF_WORKSTATIONS,
+ pdb_get_workstations (sampass),
+ strlen (pdb_get_workstations
+ (sampass)),
+ EN_MODIFIED);
+ }
+
+ /* hours */
+ if ((pdb_get_hours_len (sampass) !=
+ ENTRY_LEN (old, NPF_HOURS))
+ || memcmp (pdb_get_hours (sampass),
+ ENTRY_VAL (old, NPF_HOURS), ENTRY_LEN (old,
+ NPF_HOURS)))
+ {
+ need_to_modify = True;
+ /* set_single_attribute will add 1 for len ... */
+ set_single_attribute (obj, NPF_HOURS,
+ pdb_get_hours (sampass),
+ pdb_get_hours_len (sampass) - 1,
+ EN_MODIFIED);
+ }
+ } else {
+ const char *homedir, *dirdrive, *logon_script, *profile_path,
+ *workstations;
+
+ *empty = '\0'; /* empty string */
+
+ set_single_attribute (obj, NPF_NAME, name, strlen (name), 0);
+ set_single_attribute (obj, NPF_UID, uid, strlen (uid), 0);
+ set_single_attribute (obj, NPF_USER_RID, user_rid,
+ strlen (user_rid), 0);
+ set_single_attribute (obj, NPF_SMB_GRPID, gid, strlen (gid),
+ 0);
+ set_single_attribute (obj, NPF_GROUP_RID, group_rid,
+ strlen (group_rid), 0);
+ set_single_attribute (obj, NPF_ACB, acb, strlen (acb), 0);
+ set_single_attribute (obj, NPF_LMPWD, smb_passwd,
+ strlen (smb_passwd), EN_CRYPT);
+ set_single_attribute (obj, NPF_NTPWD, smb_nt_passwd,
+ strlen (smb_nt_passwd), EN_CRYPT);
+ set_single_attribute (obj, NPF_LOGON_T, logon_t,
+ strlen (logon_t), 0);
+ set_single_attribute (obj, NPF_LOGOFF_T, logoff_t,
+ strlen (logoff_t), 0);
+ set_single_attribute (obj, NPF_KICK_T, kickoff_t,
+ strlen (kickoff_t), 0);
+ set_single_attribute (obj, NPF_PWDLSET_T, pwdlset_t,
+ strlen (pwdlset_t), 0);
+ set_single_attribute (obj, NPF_PWDCCHG_T, pwdlchg_t,
+ strlen (pwdlchg_t), 0);
+ set_single_attribute (obj, NPF_PWDMCHG_T, pwdmchg_t,
+ strlen (pwdmchg_t), 0);
+ set_single_attribute (obj, NPF_FULL_NAME,
+ full_name, strlen (full_name), 0);
+
+ if (!(homedir = pdb_get_homedir (sampass)))
+ homedir = empty;
+
+ set_single_attribute (obj, NPF_HOME_DIR,
+ homedir, strlen (homedir), 0);
+
+ if (!(dirdrive = pdb_get_dir_drive (sampass)))
+ dirdrive = empty;
+
+ set_single_attribute (obj, NPF_DIR_DRIVE,
+ dirdrive, strlen (dirdrive), 0);
+
+ if (!(logon_script = pdb_get_logon_script (sampass)))
+ logon_script = empty;
+
+ set_single_attribute (obj, NPF_LOGON_SCRIPT,
+ logon_script, strlen (logon_script), 0);
+
+ if (!(profile_path = pdb_get_profile_path (sampass)))
+ profile_path = empty;
+
+ set_single_attribute (obj, NPF_PROFILE_PATH,
+ profile_path, strlen (profile_path), 0);
+
+ set_single_attribute (obj, NPF_ACCT_DESC,
+ acct_desc, strlen (acct_desc), 0);
+
+ if (!(workstations = pdb_get_workstations (sampass)))
+ workstations = empty;
+
+ set_single_attribute (obj, NPF_WORKSTATIONS,
+ workstations, strlen (workstations), 0);
+
+ /* set_single_attribute will add 1 for len ... */
+ set_single_attribute (obj, NPF_HOURS,
+ pdb_get_hours (sampass),
+ pdb_get_hours_len (sampass) - 1, 0);
+ }
+
+ return need_to_modify;
+}
+
+/***************************************************************
+ calls nis_list, returns results.
+ ****************************************************************/
+static nis_result *nisp_get_nis_list (const char *nisname, unsigned int flags)
+{
+ nis_result *result;
+ int i;
+
+ if (!flags)
+ flags = FOLLOW_LINKS | FOLLOW_PATH | EXPAND_NAME |
+ HARD_LOOKUP;
+
+ for (i = 0; i < 2; i++) {
+ alarm (60); /* hopefully ok for long searches */
+ result = nis_list (nisname, flags, NULL, NULL);
+
+ alarm (0);
+ CatchSignal (SIGALRM, SIGNAL_CAST SIG_DFL);
+
+ if (!(flags & MASTER_ONLY) && NIS_RES_NUMOBJ (result) <= 0) {
+ /* nis replicas are not in sync perhaps?
+ * this can happen, if account was just added.
+ */
+ DEBUG (10, ("will try master only\n"));
+ nis_freeresult (result);
+ flags |= MASTER_ONLY;
+ } else
+ break;
+ }
+ return result;
+}
+
+static void free_private_data(void **vp)
+{
+ struct nisplus_private_info **private = (struct nisplus_private_info **)vp;
+
+ if ((*private)->result) {
+ nis_freeresult ((*private)->result);
+ }
+
+ free(*private);
+
+ /* No need to free any further, as it is talloc()ed */
+}
+
+NTSTATUS pdb_init_nisplussam (PDB_CONTEXT * pdb_context,
+ PDB_METHODS ** pdb_method, const char *location)
+{
+ NTSTATUS nt_status;
+ struct nisplus_private_info *private = malloc (sizeof (struct nisplus_private_info));
+
+ ZERO_STRUCT(private);
+ p->location = talloc_strdup(pdb_context->mem_ctx, location);
+
+ if (!NT_STATUS_IS_OK
+ (nt_status =
+ make_pdb_methods (pdb_context->mem_ctx, pdb_method))) {
+ return nt_status;
+ }
+
+ (*pdb_method)->name = "nisplussam";
+
+ /* Functions your pdb module doesn't provide should be set
+ * to NULL */
+
+ (*pdb_method)->setsampwent = nisplussam_setsampwent;
+ (*pdb_method)->endsampwent = nisplussam_endsampwent;
+ (*pdb_method)->getsampwent = nisplussam_getsampwent;
+ (*pdb_method)->getsampwnam = nisplussam_getsampwnam;
+ (*pdb_method)->getsampwsid = nisplussam_getsampwsid;
+ (*pdb_method)->add_sam_account = nisplussam_add_sam_account;
+ (*pdb_method)->update_sam_account = nisplussam_update_sam_account;
+ (*pdb_method)->delete_sam_account = nisplussam_delete_sam_account;
+ (*pdb_method)->free_private_data = free_private_data;
+ (*pdb_method)->private_data = private;
+
+ return NT_STATUS_OK;
+}
+
+#else
+NTSTATUS pdb_init_nisplussam (PDB_CONTEXT * c, PDB_METHODS ** m,
+ const char *l)
+{
+ DEBUG (0, ("nisplus sam not compiled in!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+}
+#endif /* WITH_NISPLUS_SAM */
diff --git a/source4/passdb/pdb_smbpasswd.c b/source4/passdb/pdb_smbpasswd.c
new file mode 100644
index 0000000000..6f8c8a6fcc
--- /dev/null
+++ b/source4/passdb/pdb_smbpasswd.c
@@ -0,0 +1,1581 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * SMB parameters and setup
+ * Copyright (C) Andrew Tridgell 1992-1998
+ * Modified by Jeremy Allison 1995.
+ * Modified by Gerald (Jerry) Carter 2000-2001
+ * Modified by Andrew Bartlett 2002.
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 675
+ * Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
+/*
+ smb_passwd is analogous to sam_passwd used everywhere
+ else. However, smb_passwd is limited to the information
+ stored by an smbpasswd entry
+ */
+
+struct smb_passwd
+{
+ BOOL smb_userid_set; /* this is actually the unix uid_t */
+ uint32 smb_userid; /* this is actually the unix uid_t */
+ const char *smb_name; /* username string */
+
+ const unsigned char *smb_passwd; /* Null if no password */
+ const unsigned char *smb_nt_passwd; /* Null if no password */
+
+ uint16 acct_ctrl; /* account info (ACB_xxxx bit-mask) */
+ time_t pass_last_set_time; /* password last set time */
+};
+
+struct smbpasswd_privates
+{
+ /* used for maintain locks on the smbpasswd file */
+ int pw_file_lock_depth;
+
+ /* Global File pointer */
+ FILE *pw_file;
+
+ /* formerly static variables */
+ struct smb_passwd pw_buf;
+ pstring user_name;
+ unsigned char smbpwd[16];
+ unsigned char smbntpwd[16];
+
+ /* retrive-once info */
+ const char *smbpasswd_file;
+
+ BOOL permit_non_unix_accounts;
+
+ uint32 low_nua_userid;
+ uint32 high_nua_userid;
+
+};
+
+enum pwf_access_type { PWF_READ, PWF_UPDATE, PWF_CREATE };
+
+/***************************************************************
+ Lock an fd. Abandon after waitsecs seconds.
+****************************************************************/
+
+static BOOL pw_file_lock(int fd, int type, int secs, int *plock_depth)
+{
+ if (fd < 0)
+ return False;
+
+ if(*plock_depth == 0) {
+ if (!do_file_lock(fd, secs, type)) {
+ DEBUG(10,("pw_file_lock: locking file failed, error = %s.\n",
+ strerror(errno)));
+ return False;
+ }
+ }
+
+ (*plock_depth)++;
+
+ return True;
+}
+
+/***************************************************************
+ Unlock an fd. Abandon after waitsecs seconds.
+****************************************************************/
+
+static BOOL pw_file_unlock(int fd, int *plock_depth)
+{
+ BOOL ret=True;
+
+ if (fd == 0 || *plock_depth == 0) {
+ return True;
+ }
+
+ if(*plock_depth == 1)
+ ret = do_file_lock(fd, 5, F_UNLCK);
+
+ if (*plock_depth > 0)
+ (*plock_depth)--;
+
+ if(!ret)
+ DEBUG(10,("pw_file_unlock: unlocking file failed, error = %s.\n",
+ strerror(errno)));
+ return ret;
+}
+
+
+/**************************************************************
+ Intialize a smb_passwd struct
+ *************************************************************/
+
+static void pdb_init_smb(struct smb_passwd *user)
+{
+ if (user == NULL)
+ return;
+ ZERO_STRUCTP (user);
+
+ user->pass_last_set_time = (time_t)0;
+}
+
+/***************************************************************
+ Internal fn to enumerate the smbpasswd list. Returns a void pointer
+ to ensure no modification outside this module. Checks for atomic
+ rename of smbpasswd file on update or create once the lock has
+ been granted to prevent race conditions. JRA.
+****************************************************************/
+
+static FILE *startsmbfilepwent(const char *pfile, enum pwf_access_type type, int *lock_depth)
+{
+ FILE *fp = NULL;
+ const char *open_mode = NULL;
+ int race_loop = 0;
+ int lock_type = F_RDLCK;
+
+ if (!*pfile) {
+ DEBUG(0, ("startsmbfilepwent: No SMB password file set\n"));
+ return (NULL);
+ }
+
+ switch(type) {
+ case PWF_READ:
+ open_mode = "rb";
+ lock_type = F_RDLCK;
+ break;
+ case PWF_UPDATE:
+ open_mode = "r+b";
+ lock_type = F_WRLCK;
+ break;
+ case PWF_CREATE:
+ /*
+ * Ensure atomic file creation.
+ */
+ {
+ int i, fd = -1;
+
+ for(i = 0; i < 5; i++) {
+ if((fd = sys_open(pfile, O_CREAT|O_TRUNC|O_EXCL|O_RDWR, 0600))!=-1)
+ break;
+ sys_usleep(200); /* Spin, spin... */
+ }
+ if(fd == -1) {
+ DEBUG(0,("startsmbfilepwent_internal: too many race conditions creating file %s\n", pfile));
+ return NULL;
+ }
+ close(fd);
+ open_mode = "r+b";
+ lock_type = F_WRLCK;
+ break;
+ }
+ }
+
+ for(race_loop = 0; race_loop < 5; race_loop++) {
+ DEBUG(10, ("startsmbfilepwent_internal: opening file %s\n", pfile));
+
+ if((fp = sys_fopen(pfile, open_mode)) == NULL) {
+ DEBUG(0, ("startsmbfilepwent_internal: unable to open file %s. Error was %s\n", pfile, strerror(errno) ));
+ return NULL;
+ }
+
+ if (!pw_file_lock(fileno(fp), lock_type, 5, lock_depth)) {
+ DEBUG(0, ("startsmbfilepwent_internal: unable to lock file %s. Error was %s\n", pfile, strerror(errno) ));
+ fclose(fp);
+ return NULL;
+ }
+
+ /*
+ * Only check for replacement races on update or create.
+ * For read we don't mind if the data is one record out of date.
+ */
+
+ if(type == PWF_READ) {
+ break;
+ } else {
+ SMB_STRUCT_STAT sbuf1, sbuf2;
+
+ /*
+ * Avoid the potential race condition between the open and the lock
+ * by doing a stat on the filename and an fstat on the fd. If the
+ * two inodes differ then someone did a rename between the open and
+ * the lock. Back off and try the open again. Only do this 5 times to
+ * prevent infinate loops. JRA.
+ */
+
+ if (sys_stat(pfile,&sbuf1) != 0) {
+ DEBUG(0, ("startsmbfilepwent_internal: unable to stat file %s. Error was %s\n", pfile, strerror(errno)));
+ pw_file_unlock(fileno(fp), lock_depth);
+ fclose(fp);
+ return NULL;
+ }
+
+ if (sys_fstat(fileno(fp),&sbuf2) != 0) {
+ DEBUG(0, ("startsmbfilepwent_internal: unable to fstat file %s. Error was %s\n", pfile, strerror(errno)));
+ pw_file_unlock(fileno(fp), lock_depth);
+ fclose(fp);
+ return NULL;
+ }
+
+ if( sbuf1.st_ino == sbuf2.st_ino) {
+ /* No race. */
+ break;
+ }
+
+ /*
+ * Race occurred - back off and try again...
+ */
+
+ pw_file_unlock(fileno(fp), lock_depth);
+ fclose(fp);
+ }
+ }
+
+ if(race_loop == 5) {
+ DEBUG(0, ("startsmbfilepwent_internal: too many race conditions opening file %s\n", pfile));
+ return NULL;
+ }
+
+ /* Set a buffer to do more efficient reads */
+ setvbuf(fp, (char *)NULL, _IOFBF, 1024);
+
+ /* Make sure it is only rw by the owner */
+ if(fchmod(fileno(fp), S_IRUSR|S_IWUSR) == -1) {
+ DEBUG(0, ("startsmbfilepwent_internal: failed to set 0600 permissions on password file %s. \
+Error was %s\n.", pfile, strerror(errno) ));
+ pw_file_unlock(fileno(fp), lock_depth);
+ fclose(fp);
+ return NULL;
+ }
+
+ /* We have a lock on the file. */
+ return fp;
+}
+
+/***************************************************************
+ End enumeration of the smbpasswd list.
+****************************************************************/
+static void endsmbfilepwent(FILE *fp, int *lock_depth)
+{
+ if (!fp) {
+ return;
+ }
+
+ pw_file_unlock(fileno(fp), lock_depth);
+ fclose(fp);
+ DEBUG(7, ("endsmbfilepwent_internal: closed password file.\n"));
+}
+
+/*************************************************************************
+ Routine to return the next entry in the smbpasswd list.
+ *************************************************************************/
+
+static struct smb_passwd *getsmbfilepwent(struct smbpasswd_privates *smbpasswd_state, FILE *fp)
+{
+ /* Static buffers we will return. */
+ struct smb_passwd *pw_buf = &smbpasswd_state->pw_buf;
+ char *user_name = smbpasswd_state->user_name;
+ unsigned char *smbpwd = smbpasswd_state->smbpwd;
+ unsigned char *smbntpwd = smbpasswd_state->smbntpwd;
+ char linebuf[256];
+ unsigned char c;
+ unsigned char *p;
+ long uidval;
+ size_t linebuf_len;
+
+ if(fp == NULL) {
+ DEBUG(0,("getsmbfilepwent: Bad password file pointer.\n"));
+ return NULL;
+ }
+
+ pdb_init_smb(pw_buf);
+
+ pw_buf->acct_ctrl = ACB_NORMAL;
+
+ /*
+ * Scan the file, a line at a time and check if the name matches.
+ */
+ while (!feof(fp)) {
+ linebuf[0] = '\0';
+
+ fgets(linebuf, 256, fp);
+ if (ferror(fp)) {
+ return NULL;
+ }
+
+ /*
+ * Check if the string is terminated with a newline - if not
+ * then we must keep reading and discard until we get one.
+ */
+ if ((linebuf_len = strlen(linebuf)) == 0)
+ continue;
+
+ if (linebuf[linebuf_len - 1] != '\n') {
+ c = '\0';
+ while (!ferror(fp) && !feof(fp)) {
+ c = fgetc(fp);
+ if (c == '\n')
+ break;
+ }
+ } else
+ linebuf[linebuf_len - 1] = '\0';
+
+#ifdef DEBUG_PASSWORD
+ DEBUG(100, ("getsmbfilepwent: got line |%s|\n", linebuf));
+#endif
+ if ((linebuf[0] == 0) && feof(fp)) {
+ DEBUG(4, ("getsmbfilepwent: end of file reached\n"));
+ break;
+ }
+ /*
+ * The line we have should be of the form :-
+ *
+ * username:uid:32hex bytes:[Account type]:LCT-12345678....other flags presently
+ * ignored....
+ *
+ * or,
+ *
+ * username:uid:32hex bytes:32hex bytes:[Account type]:LCT-12345678....ignored....
+ *
+ * if Windows NT compatible passwords are also present.
+ * [Account type] is an ascii encoding of the type of account.
+ * LCT-(8 hex digits) is the time_t value of the last change time.
+ */
+
+ if (linebuf[0] == '#' || linebuf[0] == '\0') {
+ DEBUG(6, ("getsmbfilepwent: skipping comment or blank line\n"));
+ continue;
+ }
+ p = (unsigned char *) strchr_m(linebuf, ':');
+ if (p == NULL) {
+ DEBUG(0, ("getsmbfilepwent: malformed password entry (no :)\n"));
+ continue;
+ }
+ /*
+ * As 256 is shorter than a pstring we don't need to check
+ * length here - if this ever changes....
+ */
+ SMB_ASSERT(sizeof(pstring) > sizeof(linebuf));
+
+ strncpy(user_name, linebuf, PTR_DIFF(p, linebuf));
+ user_name[PTR_DIFF(p, linebuf)] = '\0';
+
+ /* Get smb uid. */
+
+ p++; /* Go past ':' */
+
+ if(*p == '-') {
+ DEBUG(0, ("getsmbfilepwent: uids in the smbpasswd file must not be negative.\n"));
+ continue;
+ }
+
+ if (!isdigit(*p)) {
+ DEBUG(0, ("getsmbfilepwent: malformed password entry (uid not number)\n"));
+ continue;
+ }
+
+ uidval = atoi((char *) p);
+
+ while (*p && isdigit(*p))
+ p++;
+
+ if (*p != ':') {
+ DEBUG(0, ("getsmbfilepwent: malformed password entry (no : after uid)\n"));
+ continue;
+ }
+
+ pw_buf->smb_name = user_name;
+ pw_buf->smb_userid = uidval;
+
+ /*
+ * Now get the password value - this should be 32 hex digits
+ * which are the ascii representations of a 16 byte string.
+ * Get two at a time and put them into the password.
+ */
+
+ /* Skip the ':' */
+ p++;
+
+ if (linebuf_len < (PTR_DIFF(p, linebuf) + 33)) {
+ DEBUG(0, ("getsmbfilepwent: malformed password entry (passwd too short)\n"));
+ continue;
+ }
+
+ if (p[32] != ':') {
+ DEBUG(0, ("getsmbfilepwent: malformed password entry (no terminating :)\n"));
+ continue;
+ }
+
+ if (!strncasecmp((char *) p, "NO PASSWORD", 11)) {
+ pw_buf->smb_passwd = NULL;
+ pw_buf->acct_ctrl |= ACB_PWNOTREQ;
+ } else {
+ if (*p == '*' || *p == 'X') {
+ /* NULL LM password */
+ pw_buf->smb_passwd = NULL;
+ DEBUG(10, ("getsmbfilepwent: LM password for user %s invalidated\n", user_name));
+ } else if (pdb_gethexpwd((char *)p, smbpwd)) {
+ pw_buf->smb_passwd = smbpwd;
+ } else {
+ pw_buf->smb_passwd = NULL;
+ DEBUG(0, ("getsmbfilepwent: Malformed Lanman password entry (non hex chars)\n"));
+ }
+ }
+
+ /*
+ * Now check if the NT compatible password is
+ * available.
+ */
+ pw_buf->smb_nt_passwd = NULL;
+
+ p += 33; /* Move to the first character of the line after
+ the lanman password. */
+ if ((linebuf_len >= (PTR_DIFF(p, linebuf) + 33)) && (p[32] == ':')) {
+ if (*p != '*' && *p != 'X') {
+ if(pdb_gethexpwd((char *)p,smbntpwd))
+ pw_buf->smb_nt_passwd = smbntpwd;
+ }
+ p += 33; /* Move to the first character of the line after
+ the NT password. */
+ }
+
+ DEBUG(5,("getsmbfilepwent: returning passwd entry for user %s, uid %ld\n",
+ user_name, uidval));
+
+ if (*p == '[')
+ {
+ unsigned char *end_p = (unsigned char *)strchr_m((char *)p, ']');
+ pw_buf->acct_ctrl = pdb_decode_acct_ctrl((char*)p);
+
+ /* Must have some account type set. */
+ if(pw_buf->acct_ctrl == 0)
+ pw_buf->acct_ctrl = ACB_NORMAL;
+
+ /* Now try and get the last change time. */
+ if(end_p)
+ p = end_p + 1;
+ if(*p == ':') {
+ p++;
+ if(*p && (StrnCaseCmp((char *)p, "LCT-", 4)==0)) {
+ int i;
+ p += 4;
+ for(i = 0; i < 8; i++) {
+ if(p[i] == '\0' || !isxdigit(p[i]))
+ break;
+ }
+ if(i == 8) {
+ /*
+ * p points at 8 characters of hex digits -
+ * read into a time_t as the seconds since
+ * 1970 that the password was last changed.
+ */
+ pw_buf->pass_last_set_time = (time_t)strtol((char *)p, NULL, 16);
+ }
+ }
+ }
+ } else {
+ /* 'Old' style file. Fake up based on user name. */
+ /*
+ * Currently trust accounts are kept in the same
+ * password file as 'normal accounts'. If this changes
+ * we will have to fix this code. JRA.
+ */
+ if(pw_buf->smb_name[strlen(pw_buf->smb_name) - 1] == '$') {
+ pw_buf->acct_ctrl &= ~ACB_NORMAL;
+ pw_buf->acct_ctrl |= ACB_WSTRUST;
+ }
+ }
+
+ return pw_buf;
+ }
+
+ DEBUG(5,("getsmbfilepwent: end of file reached.\n"));
+ return NULL;
+}
+
+/************************************************************************
+ Create a new smbpasswd entry - malloced space returned.
+*************************************************************************/
+
+static char *format_new_smbpasswd_entry(const struct smb_passwd *newpwd)
+{
+ int new_entry_length;
+ char *new_entry;
+ char *p;
+
+ new_entry_length = strlen(newpwd->smb_name) + 1 + 15 + 1 + 32 + 1 + 32 + 1 + NEW_PW_FORMAT_SPACE_PADDED_LEN + 1 + 13 + 2;
+
+ if((new_entry = (char *)malloc( new_entry_length )) == NULL) {
+ DEBUG(0, ("format_new_smbpasswd_entry: Malloc failed adding entry for user %s.\n", newpwd->smb_name ));
+ return NULL;
+ }
+
+ slprintf(new_entry, new_entry_length - 1, "%s:%u:", newpwd->smb_name, (unsigned)newpwd->smb_userid);
+
+ p = new_entry+strlen(new_entry);
+
+ pdb_sethexpwd(p, newpwd->smb_passwd, newpwd->acct_ctrl);
+
+ p+=strlen(p); *p = ':'; p++;
+
+ pdb_sethexpwd(p, newpwd->smb_nt_passwd, newpwd->acct_ctrl);
+
+ p+=strlen(p); *p = ':'; p++;
+
+ /* Add the account encoding and the last change time. */
+ slprintf((char *)p, new_entry_length - 1 - (p - new_entry), "%s:LCT-%08X:\n",
+ pdb_encode_acct_ctrl(newpwd->acct_ctrl, NEW_PW_FORMAT_SPACE_PADDED_LEN),
+ (uint32)newpwd->pass_last_set_time);
+
+ return new_entry;
+}
+
+/************************************************************************
+ Routine to add an entry to the smbpasswd file.
+*************************************************************************/
+
+static BOOL add_smbfilepwd_entry(struct smbpasswd_privates *smbpasswd_state, struct smb_passwd *newpwd)
+{
+ const char *pfile = smbpasswd_state->smbpasswd_file;
+ struct smb_passwd *pwd = NULL;
+ FILE *fp = NULL;
+ int wr_len;
+ int fd;
+ size_t new_entry_length;
+ char *new_entry;
+ SMB_OFF_T offpos;
+ uint32 max_found_uid = 0;
+
+ /* Open the smbpassword file - for update. */
+ fp = startsmbfilepwent(pfile, PWF_UPDATE, &(smbpasswd_state->pw_file_lock_depth));
+
+ if (fp == NULL && errno == ENOENT) {
+ /* Try again - create. */
+ fp = startsmbfilepwent(pfile, PWF_CREATE, &(smbpasswd_state->pw_file_lock_depth));
+ }
+
+ if (fp == NULL) {
+ DEBUG(0, ("add_smbfilepwd_entry: unable to open file.\n"));
+ return False;
+ }
+
+ /*
+ * Scan the file, a line at a time and check if the name matches.
+ */
+
+ while ((pwd = getsmbfilepwent(smbpasswd_state, fp)) != NULL)
+ {
+ if (strequal(newpwd->smb_name, pwd->smb_name))
+ {
+ DEBUG(0, ("add_smbfilepwd_entry: entry with name %s already exists\n", pwd->smb_name));
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+ return False;
+ }
+
+ /* Look for a free uid for use in non-unix accounts */
+ if (pwd->smb_userid > max_found_uid) {
+ max_found_uid = pwd->smb_userid;
+ }
+ }
+
+ /* Ok - entry doesn't exist. We can add it */
+
+ /* Account not in /etc/passwd hack!!! */
+ if (!newpwd->smb_userid_set) {
+ if (!smbpasswd_state->permit_non_unix_accounts) {
+ DEBUG(0, ("add_smbfilepwd_entry: cannot add account %s without unix identity\n", newpwd->smb_name));
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+ return False;
+ }
+
+ if (max_found_uid < smbpasswd_state->low_nua_userid) {
+ newpwd->smb_userid = smbpasswd_state->low_nua_userid;
+ newpwd->smb_userid_set = True;
+ } else if (max_found_uid >= smbpasswd_state->high_nua_userid) {
+ DEBUG(0, ("add_smbfilepwd_entry: cannot add machine %s, no uids are free! \n", newpwd->smb_name));
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+ return False;
+ } else {
+ newpwd->smb_userid = max_found_uid + 1;
+ newpwd->smb_userid_set = True;
+ }
+ }
+
+
+ /* Create a new smb passwd entry and set it to the given password. */
+ /*
+ * The add user write needs to be atomic - so get the fd from
+ * the fp and do a raw write() call.
+ */
+ fd = fileno(fp);
+
+ if((offpos = sys_lseek(fd, 0, SEEK_END)) == -1)
+ {
+ DEBUG(0, ("add_smbfilepwd_entry(sys_lseek): Failed to add entry for user %s to file %s. \
+Error was %s\n", newpwd->smb_name, pfile, strerror(errno)));
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+ return False;
+ }
+
+ if((new_entry = format_new_smbpasswd_entry(newpwd)) == NULL)
+ {
+ DEBUG(0, ("add_smbfilepwd_entry(malloc): Failed to add entry for user %s to file %s. \
+Error was %s\n", newpwd->smb_name, pfile, strerror(errno)));
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+ return False;
+ }
+
+ new_entry_length = strlen(new_entry);
+
+#ifdef DEBUG_PASSWORD
+ DEBUG(100, ("add_smbfilepwd_entry(%d): new_entry_len %d made line |%s|",
+ fd, new_entry_length, new_entry));
+#endif
+
+ if ((wr_len = write(fd, new_entry, new_entry_length)) != new_entry_length)
+ {
+ DEBUG(0, ("add_smbfilepwd_entry(write): %d Failed to add entry for user %s to file %s. \
+Error was %s\n", wr_len, newpwd->smb_name, pfile, strerror(errno)));
+
+ /* Remove the entry we just wrote. */
+ if(sys_ftruncate(fd, offpos) == -1)
+ {
+ DEBUG(0, ("add_smbfilepwd_entry: ERROR failed to ftruncate file %s. \
+Error was %s. Password file may be corrupt ! Please examine by hand !\n",
+ newpwd->smb_name, strerror(errno)));
+ }
+
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+ free(new_entry);
+ return False;
+ }
+
+ free(new_entry);
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+ return True;
+}
+
+/************************************************************************
+ Routine to search the smbpasswd file for an entry matching the username.
+ and then modify its password entry. We can't use the startsmbpwent()/
+ getsmbpwent()/endsmbpwent() interfaces here as we depend on looking
+ in the actual file to decide how much room we have to write data.
+ override = False, normal
+ override = True, override XXXXXXXX'd out password or NO PASS
+************************************************************************/
+
+static BOOL mod_smbfilepwd_entry(struct smbpasswd_privates *smbpasswd_state, const struct smb_passwd* pwd)
+{
+ /* Static buffers we will return. */
+ pstring user_name;
+
+ char linebuf[256];
+ char readbuf[1024];
+ unsigned char c;
+ fstring ascii_p16;
+ fstring encode_bits;
+ unsigned char *p = NULL;
+ size_t linebuf_len = 0;
+ FILE *fp;
+ int lockfd;
+ const char *pfile = smbpasswd_state->smbpasswd_file;
+ BOOL found_entry = False;
+ BOOL got_pass_last_set_time = False;
+
+ SMB_OFF_T pwd_seekpos = 0;
+
+ int i;
+ int wr_len;
+ int fd;
+
+ if (!*pfile) {
+ DEBUG(0, ("No SMB password file set\n"));
+ return False;
+ }
+ DEBUG(10, ("mod_smbfilepwd_entry: opening file %s\n", pfile));
+
+ fp = sys_fopen(pfile, "r+");
+
+ if (fp == NULL) {
+ DEBUG(0, ("mod_smbfilepwd_entry: unable to open file %s\n", pfile));
+ return False;
+ }
+ /* Set a buffer to do more efficient reads */
+ setvbuf(fp, readbuf, _IOFBF, sizeof(readbuf));
+
+ lockfd = fileno(fp);
+
+ if (!pw_file_lock(lockfd, F_WRLCK, 5, &(smbpasswd_state->pw_file_lock_depth))) {
+ DEBUG(0, ("mod_smbfilepwd_entry: unable to lock file %s\n", pfile));
+ fclose(fp);
+ return False;
+ }
+
+ /* Make sure it is only rw by the owner */
+ chmod(pfile, 0600);
+
+ /* We have a write lock on the file. */
+ /*
+ * Scan the file, a line at a time and check if the name matches.
+ */
+ while (!feof(fp)) {
+ pwd_seekpos = sys_ftell(fp);
+
+ linebuf[0] = '\0';
+
+ fgets(linebuf, sizeof(linebuf), fp);
+ if (ferror(fp)) {
+ pw_file_unlock(lockfd, &(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return False;
+ }
+
+ /*
+ * Check if the string is terminated with a newline - if not
+ * then we must keep reading and discard until we get one.
+ */
+ linebuf_len = strlen(linebuf);
+ if (linebuf[linebuf_len - 1] != '\n') {
+ c = '\0';
+ while (!ferror(fp) && !feof(fp)) {
+ c = fgetc(fp);
+ if (c == '\n') {
+ break;
+ }
+ }
+ } else {
+ linebuf[linebuf_len - 1] = '\0';
+ }
+
+#ifdef DEBUG_PASSWORD
+ DEBUG(100, ("mod_smbfilepwd_entry: got line |%s|\n", linebuf));
+#endif
+
+ if ((linebuf[0] == 0) && feof(fp)) {
+ DEBUG(4, ("mod_smbfilepwd_entry: end of file reached\n"));
+ break;
+ }
+
+ /*
+ * The line we have should be of the form :-
+ *
+ * username:uid:[32hex bytes]:....other flags presently
+ * ignored....
+ *
+ * or,
+ *
+ * username:uid:[32hex bytes]:[32hex bytes]:[attributes]:LCT-XXXXXXXX:...ignored.
+ *
+ * if Windows NT compatible passwords are also present.
+ */
+
+ if (linebuf[0] == '#' || linebuf[0] == '\0') {
+ DEBUG(6, ("mod_smbfilepwd_entry: skipping comment or blank line\n"));
+ continue;
+ }
+
+ p = (unsigned char *) strchr_m(linebuf, ':');
+
+ if (p == NULL) {
+ DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (no :)\n"));
+ continue;
+ }
+
+ /*
+ * As 256 is shorter than a pstring we don't need to check
+ * length here - if this ever changes....
+ */
+
+ SMB_ASSERT(sizeof(user_name) > sizeof(linebuf));
+
+ strncpy(user_name, linebuf, PTR_DIFF(p, linebuf));
+ user_name[PTR_DIFF(p, linebuf)] = '\0';
+ if (strequal(user_name, pwd->smb_name)) {
+ found_entry = True;
+ break;
+ }
+ }
+
+ if (!found_entry) {
+ pw_file_unlock(lockfd, &(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+
+ DEBUG(2, ("Cannot update entry for user %s, as they don't exist in the smbpasswd file!\n",
+ pwd->smb_name));
+ return False;
+ }
+
+ DEBUG(6, ("mod_smbfilepwd_entry: entry exists\n"));
+
+ /* User name matches - get uid and password */
+ p++; /* Go past ':' */
+
+ if (!isdigit(*p)) {
+ DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (uid not number)\n"));
+ pw_file_unlock(lockfd, &(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return False;
+ }
+
+ while (*p && isdigit(*p))
+ p++;
+ if (*p != ':') {
+ DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (no : after uid)\n"));
+ pw_file_unlock(lockfd, &(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return False;
+ }
+
+ /*
+ * Now get the password value - this should be 32 hex digits
+ * which are the ascii representations of a 16 byte string.
+ * Get two at a time and put them into the password.
+ */
+ p++;
+
+ /* Record exact password position */
+ pwd_seekpos += PTR_DIFF(p, linebuf);
+
+ if (linebuf_len < (PTR_DIFF(p, linebuf) + 33)) {
+ DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (passwd too short)\n"));
+ pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return (False);
+ }
+
+ if (p[32] != ':') {
+ DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (no terminating :)\n"));
+ pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return False;
+ }
+
+ /* Now check if the NT compatible password is
+ available. */
+ p += 33; /* Move to the first character of the line after
+ the lanman password. */
+ if (linebuf_len < (PTR_DIFF(p, linebuf) + 33)) {
+ DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (passwd too short)\n"));
+ pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return (False);
+ }
+
+ if (p[32] != ':') {
+ DEBUG(0, ("mod_smbfilepwd_entry: malformed password entry (no terminating :)\n"));
+ pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return False;
+ }
+
+ /*
+ * Now check if the account info and the password last
+ * change time is available.
+ */
+ p += 33; /* Move to the first character of the line after
+ the NT password. */
+
+ if (*p == '[') {
+
+ i = 0;
+ encode_bits[i++] = *p++;
+ while((linebuf_len > PTR_DIFF(p, linebuf)) && (*p != ']'))
+ encode_bits[i++] = *p++;
+
+ encode_bits[i++] = ']';
+ encode_bits[i++] = '\0';
+
+ if(i == NEW_PW_FORMAT_SPACE_PADDED_LEN) {
+ /*
+ * We are using a new format, space padded
+ * acct ctrl field. Encode the given acct ctrl
+ * bits into it.
+ */
+ fstrcpy(encode_bits, pdb_encode_acct_ctrl(pwd->acct_ctrl, NEW_PW_FORMAT_SPACE_PADDED_LEN));
+ } else {
+ DEBUG(0,("mod_smbfilepwd_entry: Using old smbpasswd format. This is no longer supported.!\n"));
+ DEBUG(0,("mod_smbfilepwd_entry: No changes made, failing.!\n"));
+ return False;
+ }
+
+ /* Go past the ']' */
+ if(linebuf_len > PTR_DIFF(p, linebuf))
+ p++;
+
+ if((linebuf_len > PTR_DIFF(p, linebuf)) && (*p == ':')) {
+ p++;
+
+ /* We should be pointing at the LCT entry. */
+ if((linebuf_len > (PTR_DIFF(p, linebuf) + 13)) && (StrnCaseCmp((char *)p, "LCT-", 4) == 0)) {
+
+ p += 4;
+ for(i = 0; i < 8; i++) {
+ if(p[i] == '\0' || !isxdigit(p[i]))
+ break;
+ }
+ if(i == 8) {
+ /*
+ * p points at 8 characters of hex digits -
+ * read into a time_t as the seconds since
+ * 1970 that the password was last changed.
+ */
+ got_pass_last_set_time = True;
+ } /* i == 8 */
+ } /* *p && StrnCaseCmp() */
+ } /* p == ':' */
+ } /* p == '[' */
+
+ /* Entry is correctly formed. */
+
+ /* Create the 32 byte representation of the new p16 */
+ pdb_sethexpwd(ascii_p16, pwd->smb_passwd, pwd->acct_ctrl);
+
+ /* Add on the NT md4 hash */
+ ascii_p16[32] = ':';
+ wr_len = 66;
+ pdb_sethexpwd(ascii_p16+33, pwd->smb_nt_passwd, pwd->acct_ctrl);
+ ascii_p16[65] = ':';
+ ascii_p16[66] = '\0'; /* null-terminate the string so that strlen works */
+
+ /* Add on the account info bits and the time of last
+ password change. */
+
+ if(got_pass_last_set_time) {
+ slprintf(&ascii_p16[strlen(ascii_p16)],
+ sizeof(ascii_p16)-(strlen(ascii_p16)+1),
+ "%s:LCT-%08X:",
+ encode_bits, (uint32)pwd->pass_last_set_time );
+ wr_len = strlen(ascii_p16);
+ }
+
+#ifdef DEBUG_PASSWORD
+ DEBUG(100,("mod_smbfilepwd_entry: "));
+ dump_data(100, ascii_p16, wr_len);
+#endif
+
+ if(wr_len > sizeof(linebuf)) {
+ DEBUG(0, ("mod_smbfilepwd_entry: line to write (%d) is too long.\n", wr_len+1));
+ pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return (False);
+ }
+
+ /*
+ * Do an atomic write into the file at the position defined by
+ * seekpos.
+ */
+
+ /* The mod user write needs to be atomic - so get the fd from
+ the fp and do a raw write() call.
+ */
+
+ fd = fileno(fp);
+
+ if (sys_lseek(fd, pwd_seekpos - 1, SEEK_SET) != pwd_seekpos - 1) {
+ DEBUG(0, ("mod_smbfilepwd_entry: seek fail on file %s.\n", pfile));
+ pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return False;
+ }
+
+ /* Sanity check - ensure the areas we are writing are framed by ':' */
+ if (read(fd, linebuf, wr_len+1) != wr_len+1) {
+ DEBUG(0, ("mod_smbfilepwd_entry: read fail on file %s.\n", pfile));
+ pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return False;
+ }
+
+ if ((linebuf[0] != ':') || (linebuf[wr_len] != ':')) {
+ DEBUG(0, ("mod_smbfilepwd_entry: check on passwd file %s failed.\n", pfile));
+ pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return False;
+ }
+
+ if (sys_lseek(fd, pwd_seekpos, SEEK_SET) != pwd_seekpos) {
+ DEBUG(0, ("mod_smbfilepwd_entry: seek fail on file %s.\n", pfile));
+ pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return False;
+ }
+
+ if (write(fd, ascii_p16, wr_len) != wr_len) {
+ DEBUG(0, ("mod_smbfilepwd_entry: write failed in passwd file %s\n", pfile));
+ pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return False;
+ }
+
+ pw_file_unlock(lockfd,&(smbpasswd_state->pw_file_lock_depth));
+ fclose(fp);
+ return True;
+}
+
+/************************************************************************
+ Routine to delete an entry in the smbpasswd file by name.
+*************************************************************************/
+
+static BOOL del_smbfilepwd_entry(struct smbpasswd_privates *smbpasswd_state, const char *name)
+{
+ const char *pfile = smbpasswd_state->smbpasswd_file;
+ pstring pfile2;
+ struct smb_passwd *pwd = NULL;
+ FILE *fp = NULL;
+ FILE *fp_write = NULL;
+ int pfile2_lockdepth = 0;
+
+ slprintf(pfile2, sizeof(pfile2)-1, "%s.%u", pfile, (unsigned)getpid() );
+
+ /*
+ * Open the smbpassword file - for update. It needs to be update
+ * as we need any other processes to wait until we have replaced
+ * it.
+ */
+
+ if((fp = startsmbfilepwent(pfile, PWF_UPDATE, &(smbpasswd_state->pw_file_lock_depth))) == NULL) {
+ DEBUG(0, ("del_smbfilepwd_entry: unable to open file %s.\n", pfile));
+ return False;
+ }
+
+ /*
+ * Create the replacement password file.
+ */
+ if((fp_write = startsmbfilepwent(pfile2, PWF_CREATE, &pfile2_lockdepth)) == NULL) {
+ DEBUG(0, ("del_smbfilepwd_entry: unable to open file %s.\n", pfile));
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+ return False;
+ }
+
+ /*
+ * Scan the file, a line at a time and check if the name matches.
+ */
+
+ while ((pwd = getsmbfilepwent(smbpasswd_state, fp)) != NULL) {
+ char *new_entry;
+ size_t new_entry_length;
+
+ if (strequal(name, pwd->smb_name)) {
+ DEBUG(10, ("add_smbfilepwd_entry: found entry with name %s - deleting it.\n", name));
+ continue;
+ }
+
+ /*
+ * We need to copy the entry out into the second file.
+ */
+
+ if((new_entry = format_new_smbpasswd_entry(pwd)) == NULL)
+ {
+ DEBUG(0, ("del_smbfilepwd_entry(malloc): Failed to copy entry for user %s to file %s. \
+Error was %s\n", pwd->smb_name, pfile2, strerror(errno)));
+ unlink(pfile2);
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+ endsmbfilepwent(fp_write, &pfile2_lockdepth);
+ return False;
+ }
+
+ new_entry_length = strlen(new_entry);
+
+ if(fwrite(new_entry, 1, new_entry_length, fp_write) != new_entry_length)
+ {
+ DEBUG(0, ("del_smbfilepwd_entry(write): Failed to copy entry for user %s to file %s. \
+Error was %s\n", pwd->smb_name, pfile2, strerror(errno)));
+ unlink(pfile2);
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+ endsmbfilepwent(fp_write, &pfile2_lockdepth);
+ free(new_entry);
+ return False;
+ }
+
+ free(new_entry);
+ }
+
+ /*
+ * Ensure pfile2 is flushed before rename.
+ */
+
+ if(fflush(fp_write) != 0)
+ {
+ DEBUG(0, ("del_smbfilepwd_entry: Failed to flush file %s. Error was %s\n", pfile2, strerror(errno)));
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+ endsmbfilepwent(fp_write,&pfile2_lockdepth);
+ return False;
+ }
+
+ /*
+ * Do an atomic rename - then release the locks.
+ */
+
+ if(rename(pfile2,pfile) != 0) {
+ unlink(pfile2);
+ }
+
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+ endsmbfilepwent(fp_write,&pfile2_lockdepth);
+ return True;
+}
+
+/*********************************************************************
+ Create a smb_passwd struct from a SAM_ACCOUNT.
+ We will not allocate any new memory. The smb_passwd struct
+ should only stay around as long as the SAM_ACCOUNT does.
+ ********************************************************************/
+static BOOL build_smb_pass (struct smb_passwd *smb_pw, const SAM_ACCOUNT *sampass)
+{
+ uid_t uid;
+
+ if (sampass == NULL)
+ return False;
+
+ ZERO_STRUCTP(smb_pw);
+
+ if (!IS_SAM_UNIX_USER(sampass)) {
+ smb_pw->smb_userid_set = False;
+ DEBUG(5,("build_smb_pass: storing user without a UNIX uid or gid. \n"));
+ } else {
+ uint32 rid = pdb_get_user_rid(sampass);
+ smb_pw->smb_userid_set = True;
+ uid = pdb_get_uid(sampass);
+
+ /* If the user specified a RID, make sure its able to be both stored and retreived */
+ if (rid && rid != DOMAIN_USER_RID_GUEST && uid != fallback_pdb_user_rid_to_uid(rid)) {
+ DEBUG(0,("build_sam_pass: Failing attempt to store user with non-uid based user RID. \n"));
+ return False;
+ }
+
+ smb_pw->smb_userid=uid;
+ }
+
+ smb_pw->smb_name=(const char*)pdb_get_username(sampass);
+
+ smb_pw->smb_passwd=pdb_get_lanman_passwd(sampass);
+ smb_pw->smb_nt_passwd=pdb_get_nt_passwd(sampass);
+
+ smb_pw->acct_ctrl=pdb_get_acct_ctrl(sampass);
+ smb_pw->pass_last_set_time=pdb_get_pass_last_set_time(sampass);
+
+#if 0
+ /*
+ * ifdef'out by JFM on 11/29/2001.
+ * this assertion is no longer valid
+ * and I don't understand the goal
+ * and doing the same thing with the group mapping code
+ * is hairy !
+ *
+ * We just have the RID, in which SID is it valid ?
+ * our domain SID ? well known SID ? local SID ?
+ */
+
+ if (gid != pdb_group_rid_to_gid(pdb_get_group_rid(sampass))) {
+ DEBUG(0,("build_sam_pass: Failing attempt to store user with non-gid based primary group RID. \n"));
+ DEBUG(0,("build_sam_pass: %d %d %d. \n", *gid, pdb_group_rid_to_gid(pdb_get_group_rid(sampass)), pdb_get_group_rid(sampass)));
+ return False;
+ }
+#endif
+
+ return True;
+}
+
+/*********************************************************************
+ Create a SAM_ACCOUNT from a smb_passwd struct
+ ********************************************************************/
+static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state,
+ SAM_ACCOUNT *sam_pass, const struct smb_passwd *pw_buf)
+{
+ struct passwd *pwfile;
+
+ if (sam_pass==NULL) {
+ DEBUG(5,("build_sam_account: SAM_ACCOUNT is NULL\n"));
+ return False;
+ }
+
+ pwfile = getpwnam_alloc(pw_buf->smb_name);
+ if (pwfile == NULL) {
+ if ((smbpasswd_state->permit_non_unix_accounts)
+ && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid)
+ && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {
+
+ pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid), PDB_SET);
+
+ /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here.
+
+ This was down the bottom for machines, but it looks pretty good as
+ a general default for non-unix users. --abartlet 2002-01-08
+ */
+ pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS, PDB_SET);
+ pdb_set_username (sam_pass, pw_buf->smb_name, PDB_SET);
+ pdb_set_domain (sam_pass, lp_workgroup(), PDB_DEFAULT);
+
+ } else {
+ DEBUG(0,("build_sam_account: smbpasswd database is corrupt! username %s with uid %u is not in unix passwd database!\n", pw_buf->smb_name, pw_buf->smb_userid));
+ return False;
+ }
+ } else {
+ if (!NT_STATUS_IS_OK(pdb_fill_sam_pw(sam_pass, pwfile))) {
+ return False;
+ }
+
+ passwd_free(&pwfile);
+ }
+
+ pdb_set_nt_passwd (sam_pass, pw_buf->smb_nt_passwd, PDB_SET);
+ pdb_set_lanman_passwd (sam_pass, pw_buf->smb_passwd, PDB_SET);
+ pdb_set_acct_ctrl (sam_pass, pw_buf->acct_ctrl, PDB_SET);
+ pdb_set_pass_last_set_time (sam_pass, pw_buf->pass_last_set_time, PDB_SET);
+ pdb_set_pass_can_change_time (sam_pass, pw_buf->pass_last_set_time, PDB_SET);
+
+#if 0 /* JERRY */
+ /* the smbpasswd format doesn't have a must change time field, so
+ we can't get this right. The best we can do is to set this to
+ some time in the future. 21 days seems as reasonable as any other value :)
+ */
+ pdb_set_pass_must_change_time (sam_pass, pw_buf->pass_last_set_time + MAX_PASSWORD_AGE, PDB_DEFAULT);
+#endif
+ return True;
+}
+
+/*****************************************************************
+ Functions to be implemented by the new passdb API
+ ****************************************************************/
+static NTSTATUS smbpasswd_setsampwent (struct pdb_methods *my_methods, BOOL update)
+{
+ struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
+
+ smbpasswd_state->pw_file = startsmbfilepwent(smbpasswd_state->smbpasswd_file,
+ update ? PWF_UPDATE : PWF_READ,
+ &(smbpasswd_state->pw_file_lock_depth));
+
+ /* did we fail? Should we try to create it? */
+ if (!smbpasswd_state->pw_file && update && errno == ENOENT)
+ {
+ FILE *fp;
+ /* slprintf(msg_str,msg_str_len-1,
+ "smbpasswd file did not exist - attempting to create it.\n"); */
+ DEBUG(0,("smbpasswd file did not exist - attempting to create it.\n"));
+ fp = sys_fopen(smbpasswd_state->smbpasswd_file, "w");
+ if (fp)
+ {
+ fprintf(fp, "# Samba SMB password file\n");
+ fclose(fp);
+ }
+
+ smbpasswd_state->pw_file = startsmbfilepwent(smbpasswd_state->smbpasswd_file,
+ update ? PWF_UPDATE : PWF_READ,
+ &(smbpasswd_state->pw_file_lock_depth));
+ }
+
+ if (smbpasswd_state->pw_file != NULL)
+ return NT_STATUS_OK;
+ else
+ return NT_STATUS_UNSUCCESSFUL;
+}
+
+static void smbpasswd_endsampwent (struct pdb_methods *my_methods)
+{
+ struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
+ endsmbfilepwent(smbpasswd_state->pw_file, &(smbpasswd_state->pw_file_lock_depth));
+}
+
+/*****************************************************************
+ ****************************************************************/
+static NTSTATUS smbpasswd_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
+ struct smb_passwd *pw_buf=NULL;
+ BOOL done = False;
+ DEBUG(5,("pdb_getsampwent\n"));
+
+ if (user==NULL) {
+ DEBUG(5,("pdb_getsampwent (smbpasswd): user is NULL\n"));
+#if 0
+ smb_panic("NULL pointer passed to getsampwent (smbpasswd)\n");
+#endif
+ return nt_status;
+ }
+
+ while (!done)
+ {
+ /* do we have an entry? */
+ pw_buf = getsmbfilepwent(smbpasswd_state, smbpasswd_state->pw_file);
+ if (pw_buf == NULL)
+ return nt_status;
+
+ /* build the SAM_ACCOUNT entry from the smb_passwd struct.
+ We loop in case the user in the pdb does not exist in
+ the local system password file */
+ if (build_sam_account(smbpasswd_state, user, pw_buf))
+ done = True;
+ }
+
+ DEBUG(5,("getsampwent (smbpasswd): done\n"));
+
+ /* success */
+ return NT_STATUS_OK;
+}
+
+
+/****************************************************************
+ Search smbpasswd file by iterating over the entries. Do not
+ call getpwnam() for unix account information until we have found
+ the correct entry
+ ***************************************************************/
+static NTSTATUS smbpasswd_getsampwnam(struct pdb_methods *my_methods,
+ SAM_ACCOUNT *sam_acct, const char *username)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
+ struct smb_passwd *smb_pw;
+ void *fp = NULL;
+
+ DEBUG(10, ("getsampwnam (smbpasswd): search by name: %s\n", username));
+
+ /* startsmbfilepwent() is used here as we don't want to lookup
+ the UNIX account in the local system password file until
+ we have a match. */
+ fp = startsmbfilepwent(smbpasswd_state->smbpasswd_file, PWF_READ, &(smbpasswd_state->pw_file_lock_depth));
+
+ if (fp == NULL) {
+ DEBUG(0, ("unable to open passdb database.\n"));
+ return nt_status;
+ }
+
+ while ( ((smb_pw=getsmbfilepwent(smbpasswd_state, fp)) != NULL)&& (!strequal(smb_pw->smb_name, username)) )
+ /* do nothing....another loop */ ;
+
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+
+
+ /* did we locate the username in smbpasswd */
+ if (smb_pw == NULL)
+ return nt_status;
+
+ DEBUG(10, ("getsampwnam (smbpasswd): found by name: %s\n", smb_pw->smb_name));
+
+ if (!sam_acct) {
+ DEBUG(10,("getsampwnam (smbpasswd): SAM_ACCOUNT is NULL\n"));
+#if 0
+ smb_panic("NULL pointer passed to pdb_getsampwnam\n");
+#endif
+ return nt_status;
+ }
+
+ /* now build the SAM_ACCOUNT */
+ if (!build_sam_account(smbpasswd_state, sam_acct, smb_pw))
+ return nt_status;
+
+ /* success */
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS smbpasswd_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT *sam_acct, const DOM_SID *sid)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
+ struct smb_passwd *smb_pw;
+ void *fp = NULL;
+ fstring sid_str;
+ uint32 rid;
+
+ DEBUG(10, ("smbpasswd_getsampwrid: search by sid: %s\n", sid_to_string(sid_str, sid)));
+
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+ return NT_STATUS_UNSUCCESSFUL;
+
+ /* More special case 'guest account' hacks... */
+ if (rid == DOMAIN_USER_RID_GUEST) {
+ const char *guest_account = lp_guestaccount();
+ if (!(guest_account && *guest_account)) {
+ DEBUG(1, ("Guest account not specfied!\n"));
+ return nt_status;
+ }
+ return smbpasswd_getsampwnam(my_methods, sam_acct, guest_account);
+ }
+
+ /* Open the sam password file - not for update. */
+ fp = startsmbfilepwent(smbpasswd_state->smbpasswd_file, PWF_READ, &(smbpasswd_state->pw_file_lock_depth));
+
+ if (fp == NULL) {
+ DEBUG(0, ("unable to open passdb database.\n"));
+ return nt_status;
+ }
+
+ while ( ((smb_pw=getsmbfilepwent(smbpasswd_state, fp)) != NULL) && (fallback_pdb_uid_to_user_rid(smb_pw->smb_userid) != rid) )
+ /* do nothing */ ;
+
+ endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth));
+
+
+ /* did we locate the username in smbpasswd */
+ if (smb_pw == NULL)
+ return nt_status;
+
+ DEBUG(10, ("getsampwrid (smbpasswd): found by name: %s\n", smb_pw->smb_name));
+
+ if (!sam_acct) {
+ DEBUG(10,("getsampwrid: (smbpasswd) SAM_ACCOUNT is NULL\n"));
+#if 0
+ smb_panic("NULL pointer passed to pdb_getsampwrid\n");
+#endif
+ return nt_status;
+ }
+
+ /* now build the SAM_ACCOUNT */
+ if (!build_sam_account (smbpasswd_state, sam_acct, smb_pw))
+ return nt_status;
+
+ /* build_sam_account might change the SID on us, if the name was for the guest account */
+ if (NT_STATUS_IS_OK(nt_status) && !sid_equal(pdb_get_user_sid(sam_acct), sid)) {
+ fstring sid_string1, sid_string2;
+ DEBUG(1, ("looking for user with sid %s instead returned %s for account %s!?!\n",
+ sid_to_string(sid_string1, sid), sid_to_string(sid_string2, pdb_get_user_sid(sam_acct)), pdb_get_username(sam_acct)));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ /* success */
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS smbpasswd_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT *sampass)
+{
+ struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
+ struct smb_passwd smb_pw;
+
+ /* convert the SAM_ACCOUNT */
+ if (!build_smb_pass(&smb_pw, sampass)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* add the entry */
+ if(!add_smbfilepwd_entry(smbpasswd_state, &smb_pw)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS smbpasswd_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT *sampass)
+{
+ struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
+ struct smb_passwd smb_pw;
+
+ /* convert the SAM_ACCOUNT */
+ if (!build_smb_pass(&smb_pw, sampass)) {
+ DEBUG(0, ("smbpasswd_update_sam_account: build_smb_pass failed!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* update the entry */
+ if(!mod_smbfilepwd_entry(smbpasswd_state, &smb_pw)) {
+ DEBUG(0, ("smbpasswd_update_sam_account: mod_smbfilepwd_entry failed!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS smbpasswd_delete_sam_account (struct pdb_methods *my_methods, SAM_ACCOUNT *sampass)
+{
+ struct smbpasswd_privates *smbpasswd_state = (struct smbpasswd_privates*)my_methods->private_data;
+
+ const char *username = pdb_get_username(sampass);
+
+ if (del_smbfilepwd_entry(smbpasswd_state, username))
+ return NT_STATUS_OK;
+
+ return NT_STATUS_UNSUCCESSFUL;
+}
+
+static void free_private_data(void **vp)
+{
+ struct smbpasswd_privates **privates = (struct smbpasswd_privates**)vp;
+
+ endsmbfilepwent((*privates)->pw_file, &((*privates)->pw_file_lock_depth));
+
+ *privates = NULL;
+ /* No need to free any further, as it is talloc()ed */
+}
+
+
+NTSTATUS pdb_init_smbpasswd(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ NTSTATUS nt_status;
+ struct smbpasswd_privates *privates;
+
+ if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
+ return nt_status;
+ }
+
+ (*pdb_method)->name = "smbpasswd";
+
+ (*pdb_method)->setsampwent = smbpasswd_setsampwent;
+ (*pdb_method)->endsampwent = smbpasswd_endsampwent;
+ (*pdb_method)->getsampwent = smbpasswd_getsampwent;
+ (*pdb_method)->getsampwnam = smbpasswd_getsampwnam;
+ (*pdb_method)->getsampwsid = smbpasswd_getsampwsid;
+ (*pdb_method)->add_sam_account = smbpasswd_add_sam_account;
+ (*pdb_method)->update_sam_account = smbpasswd_update_sam_account;
+ (*pdb_method)->delete_sam_account = smbpasswd_delete_sam_account;
+
+ /* Setup private data and free function */
+
+ privates = talloc_zero(pdb_context->mem_ctx, sizeof(struct smbpasswd_privates));
+
+ if (!privates) {
+ DEBUG(0, ("talloc() failed for smbpasswd private_data!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Store some config details */
+
+ if (location) {
+ privates->smbpasswd_file = talloc_strdup(pdb_context->mem_ctx, location);
+ } else {
+ privates->smbpasswd_file = talloc_strdup(pdb_context->mem_ctx, lp_smb_passwd_file());
+ }
+
+ if (!privates->smbpasswd_file) {
+ DEBUG(0, ("talloc_strdp() failed for storing smbpasswd location!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ (*pdb_method)->private_data = privates;
+
+ (*pdb_method)->free_private_data = free_private_data;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS pdb_init_smbpasswd_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ NTSTATUS nt_status;
+ struct smbpasswd_privates *privates;
+
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_smbpasswd(pdb_context, pdb_method, location))) {
+ return nt_status;
+ }
+
+ (*pdb_method)->name = "smbpasswd_nua";
+
+ privates = (*pdb_method)->private_data;
+
+ privates->permit_non_unix_accounts = True;
+
+ if (!lp_non_unix_account_range(&privates->low_nua_userid, &privates->high_nua_userid)) {
+ DEBUG(0, ("cannot use smbpasswd_nua without 'non unix account range' in smb.conf!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source4/passdb/pdb_tdb.c b/source4/passdb/pdb_tdb.c
new file mode 100644
index 0000000000..c48c9567b1
--- /dev/null
+++ b/source4/passdb/pdb_tdb.c
@@ -0,0 +1,1007 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * SMB parameters and setup
+ * Copyright (C) Andrew Tridgell 1992-1998
+ * Copyright (C) Simo Sorce 2000-2002
+ * Copyright (C) Gerald Carter 2000
+ * Copyright (C) Jeremy Allison 2001
+ * Copyright (C) Andrew Bartlett 2002
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 675
+ * Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+#if 0 /* when made a module use this */
+
+static int tdbsam_debug_level = DBGC_ALL;
+#undef DBGC_CLASS
+#define DBGC_CLASS tdbsam_debug_level
+
+#else
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
+#endif
+
+#ifdef WITH_TDB_SAM
+
+#define PDB_VERSION "20010830"
+#define PASSDB_FILE_NAME "passdb.tdb"
+#define TDB_FORMAT_STRING "ddddddBBBBBBBBBBBBddBBwdwdBdd"
+#define USERPREFIX "USER_"
+#define RIDPREFIX "RID_"
+
+struct tdbsam_privates {
+ TDB_CONTEXT *passwd_tdb;
+ TDB_DATA key;
+
+ /* retrive-once info */
+ const char *tdbsam_location;
+
+ BOOL permit_non_unix_accounts;
+
+ BOOL algorithmic_rids;
+
+ uint32 low_nua_rid;
+ uint32 high_nua_rid;
+};
+
+/**********************************************************************
+ Intialize a SAM_ACCOUNT struct from a BYTE buffer of size len
+ *********************************************************************/
+
+static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state,
+ SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
+{
+
+ /* times are stored as 32bit integer
+ take care on system with 64bit wide time_t
+ --SSS */
+ uint32 logon_time,
+ logoff_time,
+ kickoff_time,
+ pass_last_set_time,
+ pass_can_change_time,
+ pass_must_change_time;
+ char *username;
+ char *domain;
+ char *nt_username;
+ char *dir_drive;
+ char *unknown_str;
+ char *munged_dial;
+ char *fullname;
+ char *homedir;
+ char *logon_script;
+ char *profile_path;
+ char *acct_desc;
+ char *workstations;
+ uint32 username_len, domain_len, nt_username_len,
+ dir_drive_len, unknown_str_len, munged_dial_len,
+ fullname_len, homedir_len, logon_script_len,
+ profile_path_len, acct_desc_len, workstations_len;
+
+ uint32 user_rid, group_rid, unknown_3, hours_len, unknown_5, unknown_6;
+ uint16 acct_ctrl, logon_divs;
+ uint8 *hours;
+ static uint8 *lm_pw_ptr, *nt_pw_ptr;
+ uint32 len = 0;
+ uint32 lm_pw_len, nt_pw_len, hourslen;
+ BOOL ret = True;
+ struct passwd *pw;
+ uid_t uid = -1;
+ gid_t gid = -1; /* This is what standard sub advanced expects if no gid is known */
+
+ if(sampass == NULL || buf == NULL) {
+ DEBUG(0, ("init_sam_from_buffer: NULL parameters found!\n"));
+ return False;
+ }
+
+ /* unpack the buffer into variables */
+ len = tdb_unpack (buf, buflen, TDB_FORMAT_STRING,
+ &logon_time,
+ &logoff_time,
+ &kickoff_time,
+ &pass_last_set_time,
+ &pass_can_change_time,
+ &pass_must_change_time,
+ &username_len, &username,
+ &domain_len, &domain,
+ &nt_username_len, &nt_username,
+ &fullname_len, &fullname,
+ &homedir_len, &homedir,
+ &dir_drive_len, &dir_drive,
+ &logon_script_len, &logon_script,
+ &profile_path_len, &profile_path,
+ &acct_desc_len, &acct_desc,
+ &workstations_len, &workstations,
+ &unknown_str_len, &unknown_str,
+ &munged_dial_len, &munged_dial,
+ &user_rid,
+ &group_rid,
+ &lm_pw_len, &lm_pw_ptr,
+ &nt_pw_len, &nt_pw_ptr,
+ &acct_ctrl,
+ &unknown_3,
+ &logon_divs,
+ &hours_len,
+ &hourslen, &hours,
+ &unknown_5,
+ &unknown_6);
+
+ if (len == -1) {
+ ret = False;
+ goto done;
+ }
+
+ /* validate the account and fill in UNIX uid and gid. Standard
+ * getpwnam() is used instead of Get_Pwnam() as we do not need
+ * to try case permutations
+ */
+ if (!username || !(pw = getpwnam_alloc(username))) {
+ if (!(tdb_state->permit_non_unix_accounts)) {
+ DEBUG(0,("tdbsam: getpwnam_alloc(%s) return NULL. User does not exist!\n", username));
+ ret = False;
+ goto done;
+ }
+ }
+
+ if (pw) {
+ uid = pw->pw_uid;
+ gid = pw->pw_gid;
+
+ pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
+
+ passwd_free(&pw);
+
+ pdb_set_uid(sampass, uid, PDB_SET);
+ pdb_set_gid(sampass, gid, PDB_SET);
+ }
+
+ pdb_set_logon_time(sampass, logon_time, PDB_SET);
+ pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
+ pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
+ pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
+ pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
+ pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
+
+ pdb_set_username (sampass, username, PDB_SET);
+ pdb_set_domain (sampass, domain, PDB_SET);
+ pdb_set_nt_username (sampass, nt_username, PDB_SET);
+ pdb_set_fullname (sampass, fullname, PDB_SET);
+
+ if (homedir) {
+ pdb_set_homedir(sampass, homedir, PDB_SET);
+ }
+ else {
+ pdb_set_homedir(sampass,
+ talloc_sub_specified(sampass->mem_ctx,
+ lp_logon_home(),
+ username, domain,
+ uid, gid),
+ PDB_DEFAULT);
+ }
+
+ if (dir_drive)
+ pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
+ else {
+ pdb_set_dir_drive(sampass,
+ talloc_sub_specified(sampass->mem_ctx,
+ lp_logon_drive(),
+ username, domain,
+ uid, gid),
+ PDB_DEFAULT);
+ }
+
+ if (logon_script)
+ pdb_set_logon_script(sampass, logon_script, PDB_SET);
+ else {
+ pdb_set_logon_script(sampass,
+ talloc_sub_specified(sampass->mem_ctx,
+ lp_logon_script(),
+ username, domain,
+ uid, gid),
+ PDB_DEFAULT);
+ }
+
+ if (profile_path) {
+ pdb_set_profile_path(sampass, profile_path, PDB_SET);
+ } else {
+ pdb_set_profile_path(sampass,
+ talloc_sub_specified(sampass->mem_ctx,
+ lp_logon_path(),
+ username, domain,
+ uid, gid),
+ PDB_DEFAULT);
+ }
+
+ pdb_set_acct_desc (sampass, acct_desc, PDB_SET);
+ pdb_set_workstations (sampass, workstations, PDB_SET);
+ pdb_set_munged_dial (sampass, munged_dial, PDB_SET);
+
+ if (lm_pw_ptr && lm_pw_len == LM_HASH_LEN) {
+ if (!pdb_set_lanman_passwd(sampass, lm_pw_ptr, PDB_SET)) {
+ ret = False;
+ goto done;
+ }
+ }
+
+ if (nt_pw_ptr && nt_pw_len == NT_HASH_LEN) {
+ if (!pdb_set_nt_passwd(sampass, nt_pw_ptr, PDB_SET)) {
+ ret = False;
+ goto done;
+ }
+ }
+
+ pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
+ pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
+ pdb_set_unknown_3(sampass, unknown_3, PDB_SET);
+ pdb_set_hours_len(sampass, hours_len, PDB_SET);
+ pdb_set_unknown_5(sampass, unknown_5, PDB_SET);
+ pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
+ pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
+ pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
+ pdb_set_hours(sampass, hours, PDB_SET);
+
+done:
+
+ SAFE_FREE(username);
+ SAFE_FREE(domain);
+ SAFE_FREE(nt_username);
+ SAFE_FREE(fullname);
+ SAFE_FREE(homedir);
+ SAFE_FREE(dir_drive);
+ SAFE_FREE(logon_script);
+ SAFE_FREE(profile_path);
+ SAFE_FREE(acct_desc);
+ SAFE_FREE(workstations);
+ SAFE_FREE(munged_dial);
+
+ return ret;
+}
+
+/**********************************************************************
+ Intialize a BYTE buffer from a SAM_ACCOUNT struct
+ *********************************************************************/
+static uint32 init_buffer_from_sam (struct tdbsam_privates *tdb_state,
+ uint8 **buf, const SAM_ACCOUNT *sampass)
+{
+ size_t len, buflen;
+
+ /* times are stored as 32bit integer
+ take care on system with 64bit wide time_t
+ --SSS */
+ uint32 logon_time,
+ logoff_time,
+ kickoff_time,
+ pass_last_set_time,
+ pass_can_change_time,
+ pass_must_change_time;
+
+ uint32 user_rid, group_rid;
+
+ const char *username;
+ const char *domain;
+ const char *nt_username;
+ const char *dir_drive;
+ const char *unknown_str;
+ const char *munged_dial;
+ const char *fullname;
+ const char *homedir;
+ const char *logon_script;
+ const char *profile_path;
+ const char *acct_desc;
+ const char *workstations;
+ uint32 username_len, domain_len, nt_username_len,
+ dir_drive_len, unknown_str_len, munged_dial_len,
+ fullname_len, homedir_len, logon_script_len,
+ profile_path_len, acct_desc_len, workstations_len;
+
+ const uint8 *lm_pw;
+ const uint8 *nt_pw;
+ uint32 lm_pw_len = 16;
+ uint32 nt_pw_len = 16;
+
+ /* do we have a valid SAM_ACCOUNT pointer? */
+ if (sampass == NULL) {
+ DEBUG(0, ("init_buffer_from_sam: SAM_ACCOUNT is NULL!\n"));
+ return -1;
+ }
+
+ *buf = NULL;
+ buflen = 0;
+
+ logon_time = (uint32)pdb_get_logon_time(sampass);
+ logoff_time = (uint32)pdb_get_logoff_time(sampass);
+ kickoff_time = (uint32)pdb_get_kickoff_time(sampass);
+ pass_can_change_time = (uint32)pdb_get_pass_can_change_time(sampass);
+ pass_must_change_time = (uint32)pdb_get_pass_must_change_time(sampass);
+ pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass);
+
+ user_rid = pdb_get_user_rid(sampass);
+ group_rid = pdb_get_group_rid(sampass);
+
+ username = pdb_get_username(sampass);
+ if (username) username_len = strlen(username) +1;
+ else username_len = 0;
+
+ domain = pdb_get_domain(sampass);
+ if (domain) domain_len = strlen(domain) +1;
+ else domain_len = 0;
+
+ nt_username = pdb_get_nt_username(sampass);
+ if (nt_username) nt_username_len = strlen(nt_username) +1;
+ else nt_username_len = 0;
+
+ fullname = pdb_get_fullname(sampass);
+ if (fullname) fullname_len = strlen(fullname) +1;
+ else fullname_len = 0;
+
+ /*
+ * Only updates fields which have been set (not defaults from smb.conf)
+ */
+
+ if (!IS_SAM_DEFAULT(sampass, PDB_DRIVE))
+ dir_drive = pdb_get_dir_drive(sampass);
+ else dir_drive = NULL;
+ if (dir_drive) dir_drive_len = strlen(dir_drive) +1;
+ else dir_drive_len = 0;
+
+ if (!IS_SAM_DEFAULT(sampass, PDB_SMBHOME)) homedir = pdb_get_homedir(sampass);
+ else homedir = NULL;
+ if (homedir) homedir_len = strlen(homedir) +1;
+ else homedir_len = 0;
+
+ if (!IS_SAM_DEFAULT(sampass, PDB_LOGONSCRIPT)) logon_script = pdb_get_logon_script(sampass);
+ else logon_script = NULL;
+ if (logon_script) logon_script_len = strlen(logon_script) +1;
+ else logon_script_len = 0;
+
+ if (!IS_SAM_DEFAULT(sampass, PDB_PROFILE)) profile_path = pdb_get_profile_path(sampass);
+ else profile_path = NULL;
+ if (profile_path) profile_path_len = strlen(profile_path) +1;
+ else profile_path_len = 0;
+
+ lm_pw = pdb_get_lanman_passwd(sampass);
+ if (!lm_pw) lm_pw_len = 0;
+
+ nt_pw = pdb_get_nt_passwd(sampass);
+ if (!nt_pw) nt_pw_len = 0;
+
+ acct_desc = pdb_get_acct_desc(sampass);
+ if (acct_desc) acct_desc_len = strlen(acct_desc) +1;
+ else acct_desc_len = 0;
+
+ workstations = pdb_get_workstations(sampass);
+ if (workstations) workstations_len = strlen(workstations) +1;
+ else workstations_len = 0;
+
+ unknown_str = NULL;
+ unknown_str_len = 0;
+
+ munged_dial = pdb_get_munged_dial(sampass);
+ if (munged_dial) munged_dial_len = strlen(munged_dial) +1;
+ else munged_dial_len = 0;
+
+ /* one time to get the size needed */
+ len = tdb_pack(NULL, 0, TDB_FORMAT_STRING,
+ logon_time,
+ logoff_time,
+ kickoff_time,
+ pass_last_set_time,
+ pass_can_change_time,
+ pass_must_change_time,
+ username_len, username,
+ domain_len, domain,
+ nt_username_len, nt_username,
+ fullname_len, fullname,
+ homedir_len, homedir,
+ dir_drive_len, dir_drive,
+ logon_script_len, logon_script,
+ profile_path_len, profile_path,
+ acct_desc_len, acct_desc,
+ workstations_len, workstations,
+ unknown_str_len, unknown_str,
+ munged_dial_len, munged_dial,
+ user_rid,
+ group_rid,
+ lm_pw_len, lm_pw,
+ nt_pw_len, nt_pw,
+ pdb_get_acct_ctrl(sampass),
+ pdb_get_unknown_3(sampass),
+ pdb_get_logon_divs(sampass),
+ pdb_get_hours_len(sampass),
+ MAX_HOURS_LEN, pdb_get_hours(sampass),
+ pdb_get_unknown_5(sampass),
+ pdb_get_unknown_6(sampass));
+
+
+ /* malloc the space needed */
+ if ( (*buf=(uint8*)malloc(len)) == NULL) {
+ DEBUG(0,("init_buffer_from_sam: Unable to malloc() memory for buffer!\n"));
+ return (-1);
+ }
+
+ /* now for the real call to tdb_pack() */
+ buflen = tdb_pack(*buf, len, TDB_FORMAT_STRING,
+ logon_time,
+ logoff_time,
+ kickoff_time,
+ pass_last_set_time,
+ pass_can_change_time,
+ pass_must_change_time,
+ username_len, username,
+ domain_len, domain,
+ nt_username_len, nt_username,
+ fullname_len, fullname,
+ homedir_len, homedir,
+ dir_drive_len, dir_drive,
+ logon_script_len, logon_script,
+ profile_path_len, profile_path,
+ acct_desc_len, acct_desc,
+ workstations_len, workstations,
+ unknown_str_len, unknown_str,
+ munged_dial_len, munged_dial,
+ user_rid,
+ group_rid,
+ lm_pw_len, lm_pw,
+ nt_pw_len, nt_pw,
+ pdb_get_acct_ctrl(sampass),
+ pdb_get_unknown_3(sampass),
+ pdb_get_logon_divs(sampass),
+ pdb_get_hours_len(sampass),
+ MAX_HOURS_LEN, pdb_get_hours(sampass),
+ pdb_get_unknown_5(sampass),
+ pdb_get_unknown_6(sampass));
+
+
+ /* check to make sure we got it correct */
+ if (buflen != len) {
+ DEBUG(0, ("init_buffer_from_sam: somthing odd is going on here: bufflen (%d) != len (%d) in tdb_pack operations!\n",
+ buflen, len));
+ /* error */
+ SAFE_FREE (*buf);
+ return (-1);
+ }
+
+ return (buflen);
+}
+
+/***************************************************************
+ Open the TDB passwd database for SAM account enumeration.
+****************************************************************/
+
+static NTSTATUS tdbsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
+{
+ struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
+
+ /* Open tdb passwd */
+ if (!(tdb_state->passwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, update?(O_RDWR|O_CREAT):O_RDONLY, 0600)))
+ {
+ DEBUG(0, ("Unable to open/create TDB passwd\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ tdb_state->key = tdb_firstkey(tdb_state->passwd_tdb);
+
+ return NT_STATUS_OK;
+}
+
+static void close_tdb(struct tdbsam_privates *tdb_state)
+{
+ if (tdb_state->passwd_tdb) {
+ tdb_close(tdb_state->passwd_tdb);
+ tdb_state->passwd_tdb = NULL;
+ }
+}
+
+/***************************************************************
+ End enumeration of the TDB passwd list.
+****************************************************************/
+
+static void tdbsam_endsampwent(struct pdb_methods *my_methods)
+{
+ struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
+ close_tdb(tdb_state);
+
+ DEBUG(7, ("endtdbpwent: closed sam database.\n"));
+}
+
+/*****************************************************************
+ Get one SAM_ACCOUNT from the TDB (next in line)
+*****************************************************************/
+
+static NTSTATUS tdbsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
+ TDB_DATA data;
+ const char *prefix = USERPREFIX;
+ int prefixlen = strlen (prefix);
+
+
+ if (user==NULL) {
+ DEBUG(0,("pdb_get_sampwent: SAM_ACCOUNT is NULL.\n"));
+ return nt_status;
+ }
+
+ /* skip all non-USER entries (eg. RIDs) */
+ while ((tdb_state->key.dsize != 0) && (strncmp(tdb_state->key.dptr, prefix, prefixlen)))
+ /* increment to next in line */
+ tdb_state->key = tdb_nextkey(tdb_state->passwd_tdb, tdb_state->key);
+
+ /* do we have an valid iteration pointer? */
+ if(tdb_state->passwd_tdb == NULL) {
+ DEBUG(0,("pdb_get_sampwent: Bad TDB Context pointer.\n"));
+ return nt_status;
+ }
+
+ data = tdb_fetch(tdb_state->passwd_tdb, tdb_state->key);
+ if (!data.dptr) {
+ DEBUG(5,("pdb_getsampwent: database entry not found.\n"));
+ return nt_status;
+ }
+
+ /* unpack the buffer */
+ if (!init_sam_from_buffer(tdb_state, user, data.dptr, data.dsize)) {
+ DEBUG(0,("pdb_getsampwent: Bad SAM_ACCOUNT entry returned from TDB!\n"));
+ SAFE_FREE(data.dptr);
+ return nt_status;
+ }
+ SAFE_FREE(data.dptr);
+
+ /* increment to next in line */
+ tdb_state->key = tdb_nextkey(tdb_state->passwd_tdb, tdb_state->key);
+
+ return NT_STATUS_OK;
+}
+
+/******************************************************************
+ Lookup a name in the SAM TDB
+******************************************************************/
+
+static NTSTATUS tdbsam_getsampwnam (struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
+ TDB_CONTEXT *pwd_tdb;
+ TDB_DATA data, key;
+ fstring keystr;
+ fstring name;
+
+ if (user==NULL) {
+ DEBUG(0,("pdb_getsampwnam: SAM_ACCOUNT is NULL.\n"));
+ return nt_status;
+ }
+
+ /* Data is stored in all lower-case */
+ unix_strlower(sname, -1, name, sizeof(name));
+
+ /* set search key */
+ slprintf(keystr, sizeof(keystr)-1, "%s%s", USERPREFIX, name);
+ key.dptr = keystr;
+ key.dsize = strlen(keystr) + 1;
+
+ /* open the accounts TDB */
+ if (!(pwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, O_RDONLY, 0600))) {
+ DEBUG(0, ("pdb_getsampwnam: Unable to open TDB passwd (%s)!\n", tdb_state->tdbsam_location));
+ return nt_status;
+ }
+
+ /* get the record */
+ data = tdb_fetch(pwd_tdb, key);
+ if (!data.dptr) {
+ DEBUG(5,("pdb_getsampwnam (TDB): error fetching database.\n"));
+ DEBUGADD(5, (" Error: %s\n", tdb_errorstr(pwd_tdb)));
+ DEBUGADD(5, (" Key: %s\n", keystr));
+ tdb_close(pwd_tdb);
+ return nt_status;
+ }
+
+ /* unpack the buffer */
+ if (!init_sam_from_buffer(tdb_state, user, data.dptr, data.dsize)) {
+ DEBUG(0,("pdb_getsampwent: Bad SAM_ACCOUNT entry returned from TDB!\n"));
+ SAFE_FREE(data.dptr);
+ tdb_close(pwd_tdb);
+ return nt_status;
+ }
+ SAFE_FREE(data.dptr);
+
+ /* no further use for database, close it now */
+ tdb_close(pwd_tdb);
+
+ return NT_STATUS_OK;
+}
+
+/***************************************************************************
+ Search by rid
+ **************************************************************************/
+
+static NTSTATUS tdbsam_getsampwrid (struct pdb_methods *my_methods, SAM_ACCOUNT *user, uint32 rid)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
+ TDB_CONTEXT *pwd_tdb;
+ TDB_DATA data, key;
+ fstring keystr;
+ fstring name;
+
+ if (user==NULL) {
+ DEBUG(0,("pdb_getsampwrid: SAM_ACCOUNT is NULL.\n"));
+ return nt_status;
+ }
+
+ /* set search key */
+ slprintf(keystr, sizeof(keystr)-1, "%s%.8x", RIDPREFIX, rid);
+ key.dptr = keystr;
+ key.dsize = strlen (keystr) + 1;
+
+ /* open the accounts TDB */
+ if (!(pwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, O_RDONLY, 0600))) {
+ DEBUG(0, ("pdb_getsampwrid: Unable to open TDB rid database!\n"));
+ return nt_status;
+ }
+
+ /* get the record */
+ data = tdb_fetch (pwd_tdb, key);
+ if (!data.dptr) {
+ DEBUG(5,("pdb_getsampwrid (TDB): error looking up RID %d by key %s.\n", rid, keystr));
+ DEBUGADD(5, (" Error: %s\n", tdb_errorstr(pwd_tdb)));
+ tdb_close (pwd_tdb);
+ return nt_status;
+ }
+
+ fstrcpy (name, data.dptr);
+ SAFE_FREE(data.dptr);
+
+ tdb_close (pwd_tdb);
+
+ return tdbsam_getsampwnam (my_methods, user, name);
+}
+
+static NTSTATUS tdbsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
+{
+ uint32 rid;
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+ return NT_STATUS_UNSUCCESSFUL;
+ return tdbsam_getsampwrid(my_methods, user, rid);
+}
+
+/***************************************************************************
+ Delete a SAM_ACCOUNT
+****************************************************************************/
+
+static NTSTATUS tdbsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT *sam_pass)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
+ TDB_CONTEXT *pwd_tdb;
+ TDB_DATA key;
+ fstring keystr;
+ uint32 rid;
+ fstring name;
+
+ unix_strlower(pdb_get_username(sam_pass), -1, name, sizeof(name));
+
+ /* open the TDB */
+ if (!(pwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, O_RDWR, 0600))) {
+ DEBUG(0, ("Unable to open TDB passwd!"));
+ return nt_status;
+ }
+
+ /* set the search key */
+ slprintf(keystr, sizeof(keystr)-1, "%s%s", USERPREFIX, name);
+ key.dptr = keystr;
+ key.dsize = strlen (keystr) + 1;
+
+ rid = pdb_get_user_rid(sam_pass);
+
+ /* it's outaa here! 8^) */
+ if (tdb_delete(pwd_tdb, key) != TDB_SUCCESS) {
+ DEBUG(5, ("Error deleting entry from tdb passwd database!\n"));
+ DEBUGADD(5, (" Error: %s\n", tdb_errorstr(pwd_tdb)));
+ tdb_close(pwd_tdb);
+ return nt_status;
+ }
+
+ /* delete also the RID key */
+
+ /* set the search key */
+ slprintf(keystr, sizeof(keystr)-1, "%s%.8x", RIDPREFIX, rid);
+ key.dptr = keystr;
+ key.dsize = strlen (keystr) + 1;
+
+ /* it's outaa here! 8^) */
+ if (tdb_delete(pwd_tdb, key) != TDB_SUCCESS) {
+ DEBUG(5, ("Error deleting entry from tdb rid database!\n"));
+ DEBUGADD(5, (" Error: %s\n", tdb_errorstr(pwd_tdb)));
+ tdb_close(pwd_tdb);
+ return nt_status;
+ }
+
+ tdb_close(pwd_tdb);
+
+ return NT_STATUS_OK;
+}
+
+/***************************************************************************
+ Update the TDB SAM
+****************************************************************************/
+
+static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd, int flag)
+{
+ struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data;
+ TDB_CONTEXT *pwd_tdb = NULL;
+ TDB_DATA key, data;
+ uint8 *buf = NULL;
+ fstring keystr;
+ fstring name;
+ BOOL ret = True;
+ uint32 user_rid;
+ BOOL tdb_ret;
+
+ /* invalidate the existing TDB iterator if it is open */
+ if (tdb_state->passwd_tdb) {
+ tdb_close(tdb_state->passwd_tdb);
+ tdb_state->passwd_tdb = NULL;
+ }
+
+ /* open the account TDB passwd*/
+ pwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0600);
+ if (!pwd_tdb)
+ {
+ DEBUG(0, ("tdb_update_sam: Unable to open TDB passwd (%s)!\n", tdb_state->tdbsam_location));
+ return False;
+ }
+
+ /* if flag == TDB_INSERT then make up a new RID else throw an error. */
+ if (!(user_rid = pdb_get_user_rid(newpwd))) {
+ if (flag & TDB_INSERT) {
+ if (IS_SAM_UNIX_USER(newpwd)) {
+ if (tdb_state->algorithmic_rids) {
+ user_rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(newpwd));
+ } else {
+ user_rid = BASE_RID;
+ tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &user_rid, RID_MULTIPLIER);
+ if (!tdb_ret) {
+ ret = False;
+ goto done;
+ }
+ }
+ pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED);
+ } else {
+ user_rid = tdb_state->low_nua_rid;
+ tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, RID_MULTIPLIER);
+ if (!tdb_ret) {
+ ret = False;
+ goto done;
+ }
+ if (user_rid > tdb_state->high_nua_rid) {
+ DEBUG(0, ("tdbsam: no NUA rids available, cannot add user %s!\n", pdb_get_username(newpwd)));
+ ret = False;
+ goto done;
+ }
+ pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED);
+ }
+ } else {
+ DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd)));
+ ret = False;
+ goto done;
+ }
+ }
+
+ if (!pdb_get_group_rid(newpwd)) {
+ if (flag & TDB_INSERT) {
+ if (!tdb_state->permit_non_unix_accounts) {
+ DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
+ ret = False;
+ goto done;
+ } else {
+ /* This seems like a good default choice for non-unix users */
+ pdb_set_group_sid_from_rid(newpwd, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+ }
+ } else {
+ DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
+ ret = False;
+ goto done;
+ }
+ }
+
+ /* copy the SAM_ACCOUNT struct into a BYTE buffer for storage */
+ if ((data.dsize=init_buffer_from_sam (tdb_state, &buf, newpwd)) == -1) {
+ DEBUG(0,("tdb_update_sam: ERROR - Unable to copy SAM_ACCOUNT info BYTE buffer!\n"));
+ ret = False;
+ goto done;
+ }
+ data.dptr = buf;
+
+ unix_strlower(pdb_get_username(newpwd), -1, name, sizeof(name));
+
+ DEBUG(5, ("Storing %saccount %s with RID %d\n", flag == TDB_INSERT ? "(new) " : "", name, user_rid));
+
+ /* setup the USER index key */
+ slprintf(keystr, sizeof(keystr)-1, "%s%s", USERPREFIX, name);
+ key.dptr = keystr;
+ key.dsize = strlen (keystr) + 1;
+
+ /* add the account */
+ if (tdb_store(pwd_tdb, key, data, flag) != TDB_SUCCESS) {
+ DEBUG(0, ("Unable to modify passwd TDB!"));
+ DEBUGADD(0, (" Error: %s", tdb_errorstr(pwd_tdb)));
+ DEBUGADD(0, (" occured while storing the main record (%s)\n", keystr));
+ ret = False;
+ goto done;
+ }
+
+ /* setup RID data */
+ data.dsize = sizeof(fstring);
+ data.dptr = name;
+
+ /* setup the RID index key */
+ slprintf(keystr, sizeof(keystr)-1, "%s%.8x", RIDPREFIX, user_rid);
+ key.dptr = keystr;
+ key.dsize = strlen (keystr) + 1;
+
+ /* add the reference */
+ if (tdb_store(pwd_tdb, key, data, flag) != TDB_SUCCESS) {
+ DEBUG(0, ("Unable to modify TDB passwd !"));
+ DEBUGADD(0, (" Error: %s\n", tdb_errorstr(pwd_tdb)));
+ DEBUGADD(0, (" occured while storing the RID index (%s)\n", keystr));
+ ret = False;
+ goto done;
+ }
+
+done:
+ /* cleanup */
+ tdb_close (pwd_tdb);
+ SAFE_FREE(buf);
+
+ return (ret);
+}
+
+/***************************************************************************
+ Modifies an existing SAM_ACCOUNT
+****************************************************************************/
+
+static NTSTATUS tdbsam_update_sam_account (struct pdb_methods *my_methods, SAM_ACCOUNT *newpwd)
+{
+ if (tdb_update_sam(my_methods, newpwd, TDB_MODIFY))
+ return NT_STATUS_OK;
+ else
+ return NT_STATUS_UNSUCCESSFUL;
+}
+
+/***************************************************************************
+ Adds an existing SAM_ACCOUNT
+****************************************************************************/
+
+static NTSTATUS tdbsam_add_sam_account (struct pdb_methods *my_methods, SAM_ACCOUNT *newpwd)
+{
+ if (tdb_update_sam(my_methods, newpwd, TDB_INSERT))
+ return NT_STATUS_OK;
+ else
+ return NT_STATUS_UNSUCCESSFUL;
+}
+
+static void free_private_data(void **vp)
+{
+ struct tdbsam_privates **tdb_state = (struct tdbsam_privates **)vp;
+ close_tdb(*tdb_state);
+ *tdb_state = NULL;
+
+ /* No need to free any further, as it is talloc()ed */
+}
+
+
+NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ NTSTATUS nt_status;
+ struct tdbsam_privates *tdb_state;
+
+#if 0 /* when made a module use this */
+ tdbsam_debug_level = debug_add_class("tdbsam");
+ if(tdbsam_debug_level == -1) {
+ tdbsam_debug_level = DBGC_ALL;
+ DEBUG(0, ("tdbsam: Couldn't register custom debugging class!\n"));
+ }
+#endif
+
+ if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
+ return nt_status;
+ }
+
+ (*pdb_method)->name = "tdbsam";
+
+ (*pdb_method)->setsampwent = tdbsam_setsampwent;
+ (*pdb_method)->endsampwent = tdbsam_endsampwent;
+ (*pdb_method)->getsampwent = tdbsam_getsampwent;
+ (*pdb_method)->getsampwnam = tdbsam_getsampwnam;
+ (*pdb_method)->getsampwsid = tdbsam_getsampwsid;
+ (*pdb_method)->add_sam_account = tdbsam_add_sam_account;
+ (*pdb_method)->update_sam_account = tdbsam_update_sam_account;
+ (*pdb_method)->delete_sam_account = tdbsam_delete_sam_account;
+
+ tdb_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct tdbsam_privates));
+
+ if (!tdb_state) {
+ DEBUG(0, ("talloc() failed for tdbsam private_data!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (location) {
+ tdb_state->tdbsam_location = talloc_strdup(pdb_context->mem_ctx, location);
+ } else {
+ pstring tdbfile;
+ get_private_directory(tdbfile);
+ pstrcat(tdbfile, "/");
+ pstrcat(tdbfile, PASSDB_FILE_NAME);
+ tdb_state->tdbsam_location = talloc_strdup(pdb_context->mem_ctx, tdbfile);
+ }
+
+ tdb_state->algorithmic_rids = True;
+
+ (*pdb_method)->private_data = tdb_state;
+
+ (*pdb_method)->free_private_data = free_private_data;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS pdb_init_tdbsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ NTSTATUS nt_status;
+ struct tdbsam_privates *tdb_state;
+ uint32 low_nua_uid, high_nua_uid;
+
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_tdbsam(pdb_context, pdb_method, location))) {
+ return nt_status;
+ }
+
+ (*pdb_method)->name = "tdbsam_nua";
+
+ tdb_state = (*pdb_method)->private_data;
+
+ tdb_state->permit_non_unix_accounts = True;
+
+ if (!lp_non_unix_account_range(&low_nua_uid, &high_nua_uid)) {
+ DEBUG(0, ("cannot use tdbsam_nua without 'non unix account range' in smb.conf!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ tdb_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid);
+
+ tdb_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid);
+
+ return NT_STATUS_OK;
+}
+
+
+#else
+
+NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ DEBUG(0, ("tdbsam not compiled in!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+}
+
+NTSTATUS pdb_init_tdbsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ DEBUG(0, ("tdbsam_nua not compiled in!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+}
+
+
+#endif
diff --git a/source4/passdb/pdb_unix.c b/source4/passdb/pdb_unix.c
new file mode 100644
index 0000000000..b42843d802
--- /dev/null
+++ b/source4/passdb/pdb_unix.c
@@ -0,0 +1,110 @@
+/*
+ * Unix password backend for samba
+ * Copyright (C) Jelmer Vernooij 2002
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 675
+ * Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+/******************************************************************
+ Lookup a name in the SAM database
+ ******************************************************************/
+
+static NTSTATUS unixsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user, const char *sname)
+{
+ struct passwd *pass;
+ if (!methods) {
+ DEBUG(0,("invalid methods\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ if (!sname) {
+ DEBUG(0,("invalid name specified"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ pass = Get_Pwnam(sname);
+
+ return pdb_fill_sam_pw(user, pass);
+}
+
+
+/***************************************************************************
+ Search by rid
+ **************************************************************************/
+
+static NTSTATUS unixsam_getsampwrid (struct pdb_methods *methods,
+ SAM_ACCOUNT *user, uint32 rid)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct passwd *pass = NULL;
+ const char *guest_account = lp_guestaccount();
+ if (!(guest_account && *guest_account)) {
+ DEBUG(1, ("NULL guest account!?!?\n"));
+ return nt_status;
+ }
+
+ if (!methods) {
+ DEBUG(0,("invalid methods\n"));
+ return nt_status;
+ }
+
+ if (rid == DOMAIN_USER_RID_GUEST) {
+ pass = getpwnam_alloc(guest_account);
+ if (!pass) {
+ DEBUG(1, ("guest account %s does not seem to exist...\n", guest_account));
+ return nt_status;
+ }
+ } else if (pdb_rid_is_user(rid)) {
+ pass = getpwuid_alloc(fallback_pdb_user_rid_to_uid (rid));
+ }
+
+ if (pass == NULL) {
+ return nt_status;
+ }
+
+ nt_status = pdb_fill_sam_pw(user, pass);
+ passwd_free(&pass);
+
+ return nt_status;
+}
+
+static NTSTATUS unixsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
+{
+ uint32 rid;
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+ return NT_STATUS_UNSUCCESSFUL;
+ return unixsam_getsampwrid(my_methods, user, rid);
+}
+
+NTSTATUS pdb_init_unixsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ NTSTATUS nt_status;
+
+ if (!pdb_context) {
+ DEBUG(0, ("invalid pdb_context specified\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
+ return nt_status;
+ }
+
+ (*pdb_method)->name = "unixsam";
+ (*pdb_method)->getsampwnam = unixsam_getsampwnam;
+ (*pdb_method)->getsampwsid = unixsam_getsampwsid;
+
+ /* There's not very much to initialise here */
+ return NT_STATUS_OK;
+}
diff --git a/source4/passdb/privileges.c b/source4/passdb/privileges.c
new file mode 100644
index 0000000000..c90bc47d31
--- /dev/null
+++ b/source4/passdb/privileges.c
@@ -0,0 +1,349 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * default privileges backend for passdb
+ *
+ * Copyright (C) Andrew Tridgell 2003
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 675
+ * Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+/*
+ this is a local implementation of a privileges backend, with
+ privileges stored in a tdb. Most passdb implementations will
+ probably use this backend, although some (such as pdb_ldap) will
+ store the privileges in another manner.
+
+ The basic principle is that the backend should store a list of SIDs
+ associated with each right, where a right is a string name such as
+ 'SeTakeOwnershipPrivilege'. The SIDs can be of any type, and do not
+ need to belong to the local domain.
+
+ The way this is used is that certain places in the code which
+ require access control will ask the privileges backend 'does this
+ user have the following privilege'. The 'user' will be a NT_TOKEN,
+ which is essentially just a list of SIDs. If any of those SIDs are
+ listed in the list of SIDs for that privilege then the answer will
+ be 'yes'. That will usually mean that the user gets unconditional
+ access to that functionality, regradless of any ACLs. In this way
+ privileges act in a similar fashion to unix setuid bits.
+*/
+
+/*
+ The terms 'right' and 'privilege' are used interchangably in this
+ file. This follows MSDN convention where the LSA calls are calls on
+ 'rights', which really means privileges. My apologies for the
+ confusion.
+*/
+
+
+/* 15 seconds seems like an ample time for timeouts on the privileges db */
+#define LOCK_TIMEOUT 15
+
+
+/* the tdb handle for the privileges database */
+static TDB_CONTEXT *tdb;
+
+
+/* initialise the privilege database */
+BOOL privilege_init(void)
+{
+ TALLOC_CTX *mem_ctx;
+
+ mem_ctx = talloc_init("privilege_init talloc");
+ if (!mem_ctx) {
+ DEBUG(0,("No memory to open privilege database\n"));
+ return False;
+ }
+ tdb = tdb_open_log(lock_path(mem_ctx, "privilege.tdb"), 0, TDB_DEFAULT,
+ O_RDWR|O_CREAT, 0600);
+ talloc_destroy(mem_ctx);
+ if (!tdb) {
+ DEBUG(0,("Failed to open privilege database\n"));
+ return False;
+ }
+
+ return True;
+}
+
+/*
+ lock the record for a particular privilege (write lock)
+*/
+static NTSTATUS privilege_lock_right(const char *right)
+{
+ if (tdb_lock_bystring(tdb, right, LOCK_TIMEOUT) != 0) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ return NT_STATUS_OK;
+}
+
+/*
+ unlock the record for a particular privilege (write lock)
+*/
+static void privilege_unlock_right(const char *right)
+{
+ tdb_unlock_bystring(tdb, right);
+}
+
+
+/*
+ return a list of SIDs that have a particular right
+*/
+NTSTATUS privilege_enum_account_with_right(const char *right,
+ uint32 *count,
+ DOM_SID **sids)
+{
+ TDB_DATA data;
+ char *p;
+ int i;
+
+ if (!tdb) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ data = tdb_fetch_by_string(tdb, right);
+ if (!data.dptr) {
+ *count = 0;
+ *sids = NULL;
+ return NT_STATUS_OK;
+ }
+
+ /* count them */
+ for (i=0, p=data.dptr; p<data.dptr+data.dsize; i++) {
+ p += strlen(p) + 1;
+ }
+ *count = i;
+
+ /* allocate and parse */
+ *sids = malloc(sizeof(DOM_SID) * *count);
+ if (! *sids) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ for (i=0, p=data.dptr; p<data.dptr+data.dsize; i++) {
+ if (!string_to_sid(&(*sids)[i], p)) {
+ free(data.dptr);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ p += strlen(p) + 1;
+ }
+
+ free(data.dptr);
+
+ return NT_STATUS_OK;
+}
+
+/*
+ set what accounts have a given right - this is an internal interface
+*/
+static NTSTATUS privilege_set_accounts_with_right(const char *right,
+ uint32 count,
+ DOM_SID *sids)
+{
+ TDB_DATA data;
+ char *p;
+ int i;
+
+ if (!tdb) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ /* allocate the maximum size that we might use */
+ data.dptr = malloc(count * ((MAXSUBAUTHS*11) + 30));
+ if (!data.dptr) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ p = data.dptr;
+
+ for (i=0;i<count;i++) {
+ sid_to_string(p, &sids[i]);
+ p += strlen(p) + 1;
+ }
+
+ data.dsize = PTR_DIFF(p, data.dptr);
+
+ if (tdb_store_by_string(tdb, right, data, TDB_REPLACE) != 0) {
+ free(data.dptr);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ free(data.dptr);
+ return NT_STATUS_OK;
+}
+
+
+/*
+ add a SID to the list of SIDs for a right
+*/
+NTSTATUS privilege_add_account_right(const char *right,
+ DOM_SID *sid)
+{
+ NTSTATUS status;
+ DOM_SID *current_sids;
+ uint32 current_count;
+ int i;
+
+ status = privilege_lock_right(right);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = privilege_enum_account_with_right(right, &current_count, &current_sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ privilege_unlock_right(right);
+ return status;
+ }
+
+ /* maybe that SID is already listed? this is not an error */
+ for (i=0;i<current_count;i++) {
+ if (sid_equal(&current_sids[i], sid)) {
+ privilege_unlock_right(right);
+ free(current_sids);
+ return NT_STATUS_OK;
+ }
+ }
+
+ /* add it in */
+ current_sids = Realloc(current_sids, sizeof(current_sids[0]) * (current_count+1));
+ if (!current_sids) {
+ privilege_unlock_right(right);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ sid_copy(&current_sids[current_count], sid);
+ current_count++;
+
+ status = privilege_set_accounts_with_right(right, current_count, current_sids);
+
+ free(current_sids);
+ privilege_unlock_right(right);
+
+ return status;
+}
+
+
+/*
+ remove a SID from the list of SIDs for a right
+*/
+NTSTATUS privilege_remove_account_right(const char *right,
+ DOM_SID *sid)
+{
+ NTSTATUS status;
+ DOM_SID *current_sids;
+ uint32 current_count;
+ int i;
+
+ status = privilege_lock_right(right);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = privilege_enum_account_with_right(right, &current_count, &current_sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ privilege_unlock_right(right);
+ return status;
+ }
+
+ for (i=0;i<current_count;i++) {
+ if (sid_equal(&current_sids[i], sid)) {
+ /* found it - so remove it */
+ if (current_count-i > 1) {
+ memmove(&current_sids[i], &current_sids[i+1],
+ sizeof(current_sids[0]) * ((current_count-i)-1));
+ }
+ current_count--;
+ status = privilege_set_accounts_with_right(right,
+ current_count,
+ current_sids);
+ free(current_sids);
+ privilege_unlock_right(right);
+ return status;
+ }
+ }
+
+ /* removing a right that you don't have is not an error */
+
+ safe_free(current_sids);
+ privilege_unlock_right(right);
+ return NT_STATUS_OK;
+}
+
+
+/*
+ an internal function for checking if a SID has a right
+*/
+static BOOL privilege_sid_has_right(DOM_SID *sid, const char *right)
+{
+ NTSTATUS status;
+ uint32 count;
+ DOM_SID *sids;
+ int i;
+
+ status = privilege_enum_account_with_right(right, &count, &sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ return False;
+ }
+ for (i=0;i<count;i++) {
+ if (sid_equal(sid, &sids[i])) {
+ free(sids);
+ return True;
+ }
+ }
+
+ safe_free(sids);
+ return False;
+}
+
+/*
+ list the rights for an account. This involves traversing the database
+*/
+NTSTATUS privilege_enum_account_rights(DOM_SID *sid,
+ uint32 *count,
+ char ***rights)
+{
+ TDB_DATA key, nextkey;
+ char *right;
+
+ if (!tdb) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ *rights = NULL;
+ *count = 0;
+
+ for (key = tdb_firstkey(tdb); key.dptr; key = nextkey) {
+ nextkey = tdb_nextkey(tdb, key);
+
+ right = key.dptr;
+
+ if (privilege_sid_has_right(sid, right)) {
+ (*rights) = (char **)Realloc(*rights,sizeof(char *) * ((*count)+1));
+ if (! *rights) {
+ safe_free(nextkey.dptr);
+ free(key.dptr);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ (*rights)[*count] = strdup(right);
+ (*count)++;
+ }
+
+ free(key.dptr);
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source4/passdb/secrets.c b/source4/passdb/secrets.c
new file mode 100644
index 0000000000..01eb82f414
--- /dev/null
+++ b/source4/passdb/secrets.c
@@ -0,0 +1,612 @@
+/*
+ Unix SMB/CIFS implementation.
+ Copyright (C) Andrew Tridgell 1992-2001
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Rafal Szczesniak 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+/* the Samba secrets database stores any generated, private information
+ such as the local SID and machine trust password */
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
+static TDB_CONTEXT *tdb;
+
+/* open up the secrets database */
+BOOL secrets_init(void)
+{
+ pstring fname;
+
+ if (tdb)
+ return True;
+
+ pstrcpy(fname, lp_private_dir());
+ pstrcat(fname,"/secrets.tdb");
+
+ tdb = tdb_open_log(fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
+
+ if (!tdb) {
+ DEBUG(0,("Failed to open %s\n", fname));
+ return False;
+ }
+ return True;
+}
+
+/* read a entry from the secrets database - the caller must free the result
+ if size is non-null then the size of the entry is put in there
+ */
+void *secrets_fetch(const char *key, size_t *size)
+{
+ TDB_DATA kbuf, dbuf;
+ secrets_init();
+ if (!tdb)
+ return NULL;
+ kbuf.dptr = strdup(key);
+ kbuf.dsize = strlen(key);
+ dbuf = tdb_fetch(tdb, kbuf);
+ if (size)
+ *size = dbuf.dsize;
+ free(kbuf.dptr);
+ return dbuf.dptr;
+}
+
+/* store a secrets entry
+ */
+BOOL secrets_store(const char *key, const void *data, size_t size)
+{
+ TDB_DATA kbuf, dbuf;
+ int ret;
+
+ secrets_init();
+ if (!tdb)
+ return False;
+ kbuf.dptr = strdup(key);
+ kbuf.dsize = strlen(key);
+ dbuf.dptr = memdup(data, size);
+ dbuf.dsize = size;
+
+ ret = tdb_store(tdb, kbuf, dbuf, TDB_REPLACE) == 0;
+
+ free(kbuf.dptr);
+ free(dbuf.dptr);
+
+ return ret == 0;
+}
+
+
+/* delete a secets database entry
+ */
+BOOL secrets_delete(const char *key)
+{
+ TDB_DATA kbuf;
+ int ret;
+
+ secrets_init();
+ if (!tdb)
+ return False;
+ kbuf.dptr = strdup(key);
+ kbuf.dsize = strlen(key);
+ ret = tdb_delete(tdb, kbuf);
+ free(kbuf.dptr);
+ return ret == 0;
+}
+
+BOOL secrets_store_domain_sid(const char *domain, const DOM_SID *sid)
+{
+ fstring key;
+
+ slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_SID, domain);
+ strupper(key);
+ return secrets_store(key, sid, sizeof(DOM_SID));
+}
+
+BOOL secrets_fetch_domain_sid(const char *domain, DOM_SID *sid)
+{
+ DOM_SID *dyn_sid;
+ fstring key;
+ size_t size;
+
+ slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_SID, domain);
+ strupper(key);
+ dyn_sid = (DOM_SID *)secrets_fetch(key, &size);
+
+ if (dyn_sid == NULL)
+ return False;
+
+ if (size != sizeof(DOM_SID))
+ {
+ SAFE_FREE(dyn_sid);
+ return False;
+ }
+
+ *sid = *dyn_sid;
+ SAFE_FREE(dyn_sid);
+ return True;
+}
+
+BOOL secrets_store_domain_guid(const char *domain, GUID *guid)
+{
+ fstring key;
+
+ slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
+ strupper(key);
+ return secrets_store(key, guid, sizeof(GUID));
+}
+
+BOOL secrets_fetch_domain_guid(const char *domain, GUID *guid)
+{
+ GUID *dyn_guid;
+ fstring key;
+ size_t size;
+ GUID new_guid;
+
+ slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
+ strupper(key);
+ dyn_guid = (GUID *)secrets_fetch(key, &size);
+
+ DEBUG(6,("key is %s, size is %d\n", key, (int)size));
+
+ if ((NULL == dyn_guid) && (ROLE_DOMAIN_PDC == lp_server_role())) {
+ uuid_generate_random(&new_guid);
+ if (!secrets_store_domain_guid(domain, &new_guid))
+ return False;
+ dyn_guid = (GUID *)secrets_fetch(key, &size);
+ if (dyn_guid == NULL)
+ return False;
+ }
+
+ if (size != sizeof(GUID))
+ {
+ SAFE_FREE(dyn_guid);
+ return False;
+ }
+
+ *guid = *dyn_guid;
+ SAFE_FREE(dyn_guid);
+ return True;
+}
+
+/**
+ * Form a key for fetching the machine trust account password
+ *
+ * @param domain domain name
+ *
+ * @return stored password's key
+ **/
+const char *trust_keystr(const char *domain)
+{
+ static fstring keystr;
+
+ slprintf(keystr,sizeof(keystr)-1,"%s/%s",
+ SECRETS_MACHINE_ACCT_PASS, domain);
+ strupper(keystr);
+
+ return keystr;
+}
+
+/**
+ * Form a key for fetching a trusted domain password
+ *
+ * @param domain trusted domain name
+ *
+ * @return stored password's key
+ **/
+char *trustdom_keystr(const char *domain)
+{
+ static char* keystr;
+
+ asprintf(&keystr, "%s/%s", SECRETS_DOMTRUST_ACCT_PASS, domain);
+ strupper(keystr);
+
+ return keystr;
+}
+
+/************************************************************************
+ Lock the trust password entry.
+************************************************************************/
+
+BOOL secrets_lock_trust_account_password(const char *domain, BOOL dolock)
+{
+ if (!tdb)
+ return False;
+
+ if (dolock)
+ return (tdb_lock_bystring(tdb, trust_keystr(domain),0) == 0);
+ else
+ tdb_unlock_bystring(tdb, trust_keystr(domain));
+ return True;
+}
+
+/************************************************************************
+ Routine to get the trust account password for a domain.
+ The user of this function must have locked the trust password file using
+ the above call.
+************************************************************************/
+
+BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
+ time_t *pass_last_set_time)
+{
+ struct machine_acct_pass *pass;
+ char *plaintext;
+ size_t size;
+
+ plaintext = secrets_fetch_machine_password();
+ if (plaintext) {
+ /* we have an ADS password - use that */
+ DEBUG(4,("Using ADS machine password\n"));
+ E_md4hash(plaintext, ret_pwd);
+ SAFE_FREE(plaintext);
+ pass_last_set_time = 0;
+ return True;
+ }
+
+ if (!(pass = secrets_fetch(trust_keystr(domain), &size))) {
+ DEBUG(5, ("secrets_fetch failed!\n"));
+ return False;
+ }
+
+ if (size != sizeof(*pass)) {
+ DEBUG(0, ("secrets were of incorrect size!\n"));
+ return False;
+ }
+
+ if (pass_last_set_time) *pass_last_set_time = pass->mod_time;
+ memcpy(ret_pwd, pass->hash, 16);
+ SAFE_FREE(pass);
+ return True;
+}
+
+/************************************************************************
+ Routine to get account password to trusted domain
+************************************************************************/
+
+BOOL secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
+ DOM_SID *sid, time_t *pass_last_set_time)
+{
+ struct trusted_dom_pass *pass;
+ size_t size;
+
+ /* fetching trusted domain password structure */
+ if (!(pass = secrets_fetch(trustdom_keystr(domain), &size))) {
+ DEBUG(5, ("secrets_fetch failed!\n"));
+ return False;
+ }
+
+ if (size != sizeof(*pass)) {
+ DEBUG(0, ("secrets were of incorrect size!\n"));
+ return False;
+ }
+
+ /* the trust's password */
+ if (pwd) {
+ *pwd = strdup(pass->pass);
+ if (!*pwd) {
+ return False;
+ }
+ }
+
+ /* last change time */
+ if (pass_last_set_time) *pass_last_set_time = pass->mod_time;
+
+ /* domain sid */
+ memcpy(&sid, &(pass->domain_sid), sizeof(sid));
+
+ SAFE_FREE(pass);
+
+ return True;
+}
+
+/************************************************************************
+ Routine to set the trust account password for a domain.
+************************************************************************/
+
+BOOL secrets_store_trust_account_password(const char *domain, uint8 new_pwd[16])
+{
+ struct machine_acct_pass pass;
+
+ pass.mod_time = time(NULL);
+ memcpy(pass.hash, new_pwd, 16);
+
+ return secrets_store(trust_keystr(domain), (void *)&pass, sizeof(pass));
+}
+
+/**
+ * Routine to set the password for trusted domain
+ *
+ * @param domain remote domain name
+ * @param pwd plain text password of trust relationship
+ * @param sid remote domain sid
+ *
+ * @return true if succeeded
+ **/
+
+BOOL secrets_store_trusted_domain_password(const char* domain, smb_ucs2_t *uni_dom_name,
+ size_t uni_name_len, const char* pwd,
+ DOM_SID sid)
+{
+ struct trusted_dom_pass pass;
+ ZERO_STRUCT(pass);
+
+ /* unicode domain name and its length */
+ if (!uni_dom_name)
+ return False;
+
+ strncpy_w(pass.uni_name, uni_dom_name, sizeof(pass.uni_name) - 1);
+ pass.uni_name_len = uni_name_len;
+
+ /* last change time */
+ pass.mod_time = time(NULL);
+
+ /* password of the trust */
+ pass.pass_len = strlen(pwd);
+ fstrcpy(pass.pass, pwd);
+
+ /* domain sid */
+ memcpy(&(pass.domain_sid), &sid, sizeof(sid));
+
+ return secrets_store(trustdom_keystr(domain), (void *)&pass, sizeof(pass));
+}
+
+/************************************************************************
+ Routine to set the plaintext machine account password for a realm
+the password is assumed to be a null terminated ascii string
+************************************************************************/
+
+BOOL secrets_store_machine_password(const char *pass)
+{
+ char *key;
+ BOOL ret;
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, lp_workgroup());
+ strupper(key);
+ ret = secrets_store(key, pass, strlen(pass)+1);
+ free(key);
+ return ret;
+}
+
+
+/************************************************************************
+ Routine to fetch the plaintext machine account password for a realm
+the password is assumed to be a null terminated ascii string
+************************************************************************/
+char *secrets_fetch_machine_password(void)
+{
+ char *key;
+ char *ret;
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, lp_workgroup());
+ strupper(key);
+ ret = (char *)secrets_fetch(key, NULL);
+ free(key);
+ return ret;
+}
+
+
+
+/************************************************************************
+ Routine to delete the machine trust account password file for a domain.
+************************************************************************/
+
+BOOL trust_password_delete(const char *domain)
+{
+ return secrets_delete(trust_keystr(domain));
+}
+
+/************************************************************************
+ Routine to delete the password for trusted domain
+************************************************************************/
+
+BOOL trusted_domain_password_delete(const char *domain)
+{
+ return secrets_delete(trustdom_keystr(domain));
+}
+
+
+BOOL secrets_store_ldap_pw(const char* dn, char* pw)
+{
+ char *key = NULL;
+ BOOL ret;
+
+ if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, dn) < 0) {
+ DEBUG(0, ("secrets_store_ldap_pw: asprintf failed!\n"));
+ return False;
+ }
+
+ ret = secrets_store(key, pw, strlen(pw)+1);
+
+ SAFE_FREE(key);
+ return ret;
+}
+
+
+/**
+ * Get trusted domains info from secrets.tdb.
+ *
+ * The linked list is allocated on the supplied talloc context, caller gets to destroy
+ * when done.
+ *
+ * @param ctx Allocation context
+ * @param enum_ctx Starting index, eg. we can start fetching at third
+ * or sixth trusted domain entry. Zero is the first index.
+ * Value it is set to is the enum context for the next enumeration.
+ * @param num_domains Number of domain entries to fetch at one call
+ * @param domains Pointer to array of trusted domain structs to be filled up
+ *
+ * @return nt status code of rpc response
+ **/
+
+NTSTATUS secrets_get_trusted_domains(TALLOC_CTX* ctx, int* enum_ctx, unsigned int max_num_domains, int *num_domains, TRUSTDOM ***domains)
+{
+ TDB_LIST_NODE *keys, *k;
+ TRUSTDOM *dom = NULL;
+ char *pattern;
+ unsigned int start_idx;
+ uint32 idx = 0;
+ size_t size;
+ fstring dom_name;
+ struct trusted_dom_pass *pass;
+ NTSTATUS status;
+
+ if (!secrets_init()) return NT_STATUS_ACCESS_DENIED;
+
+ *num_domains = 0;
+ start_idx = *enum_ctx;
+
+ /* generate searching pattern */
+ if (!(pattern = talloc_asprintf(ctx, "%s/*", SECRETS_DOMTRUST_ACCT_PASS))) {
+ DEBUG(0, ("secrets_get_trusted_domains: talloc_asprintf() failed!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ DEBUG(5, ("secrets_get_trusted_domains: looking for %d domains, starting at index %d\n",
+ max_num_domains, *enum_ctx));
+
+ *domains = talloc_zero(ctx, sizeof(**domains)*max_num_domains);
+
+ /* fetching trusted domains' data and collecting them in a list */
+ keys = tdb_search_keys(tdb, pattern);
+
+ /*
+ * if there's no keys returned ie. no trusted domain,
+ * return "no more entries" code
+ */
+ status = NT_STATUS_NO_MORE_ENTRIES;
+
+ /* searching for keys in sectrets db -- way to go ... */
+ for (k = keys; k; k = k->next) {
+ char *secrets_key;
+
+ /* important: ensure null-termination of the key string */
+ secrets_key = strndup(k->node_key.dptr, k->node_key.dsize);
+ if (!secrets_key) {
+ DEBUG(0, ("strndup failed!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ pass = secrets_fetch(secrets_key, &size);
+
+ if (size != sizeof(*pass)) {
+ DEBUG(2, ("Secrets record %s is invalid!\n", secrets_key));
+ SAFE_FREE(pass);
+ continue;
+ }
+
+ pull_ucs2_fstring(dom_name, pass->uni_name);
+ DEBUG(18, ("Fetched secret record num %d.\nDomain name: %s, SID: %s\n",
+ idx, dom_name, sid_string_talloc(ctx, &pass->domain_sid)));
+
+ SAFE_FREE(secrets_key);
+
+ if (idx >= start_idx && idx < start_idx + max_num_domains) {
+ dom = talloc_zero(ctx, sizeof(*dom));
+ if (!dom) {
+ /* free returned tdb record */
+ SAFE_FREE(pass);
+
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* copy domain sid */
+ SMB_ASSERT(sizeof(dom->sid) == sizeof(pass->domain_sid));
+ memcpy(&(dom->sid), &(pass->domain_sid), sizeof(dom->sid));
+
+ /* copy unicode domain name */
+ dom->name = talloc_strdup_w(ctx, pass->uni_name);
+
+ (*domains)[idx - start_idx] = dom;
+
+ DEBUG(18, ("Secret record is in required range.\n \
+ start_idx = %d, max_num_domains = %d. Added to returned array.\n",
+ start_idx, max_num_domains));
+
+ *enum_ctx = idx + 1;
+ (*num_domains)++;
+
+ /* set proper status code to return */
+ if (k->next) {
+ /* there are yet some entries to enumerate */
+ status = STATUS_MORE_ENTRIES;
+ } else {
+ /* this is the last entry in the whole enumeration */
+ status = NT_STATUS_OK;
+ }
+ } else {
+ DEBUG(18, ("Secret is outside the required range.\n \
+ start_idx = %d, max_num_domains = %d. Not added to returned array\n",
+ start_idx, max_num_domains));
+ }
+
+ idx++;
+
+ /* free returned tdb record */
+ SAFE_FREE(pass);
+ }
+
+ DEBUG(5, ("secrets_get_trusted_domains: got %d domains\n", *num_domains));
+
+ /* free the results of searching the keys */
+ tdb_search_list_free(keys);
+
+ return status;
+}
+
+/*******************************************************************************
+ Lock the secrets tdb based on a string - this is used as a primitive form of mutex
+ between smbd instances.
+*******************************************************************************/
+
+BOOL secrets_named_mutex(const char *name, unsigned int timeout, size_t *p_ref_count)
+{
+ size_t ref_count = *p_ref_count;
+ int ret = 0;
+
+ if (!message_init())
+ return False;
+
+ if (ref_count == 0) {
+ ret = tdb_lock_bystring(tdb, name, timeout);
+ if (ret == 0)
+ DEBUG(10,("secrets_named_mutex: got mutex for %s\n", name ));
+ }
+
+ if (ret == 0) {
+ *p_ref_count = ++ref_count;
+ DEBUG(10,("secrets_named_mutex: ref_count for mutex %s = %u\n", name, (unsigned int)ref_count ));
+ }
+ return (ret == 0);
+}
+
+/*******************************************************************************
+ Unlock a named mutex.
+*******************************************************************************/
+
+void secrets_named_mutex_release(const char *name, size_t *p_ref_count)
+{
+ size_t ref_count = *p_ref_count;
+
+ SMB_ASSERT(ref_count != 0);
+
+ if (ref_count == 1) {
+ tdb_unlock_bystring(tdb, name);
+ DEBUG(10,("secrets_named_mutex: released mutex for %s\n", name ));
+ }
+
+ *p_ref_count = --ref_count;
+ DEBUG(10,("secrets_named_mutex_release: ref_count for mutex %s = %u\n", name, (unsigned int)ref_count ));
+}
+
diff --git a/source4/passdb/util_sam_sid.c b/source4/passdb/util_sam_sid.c
new file mode 100644
index 0000000000..e18386801c
--- /dev/null
+++ b/source4/passdb/util_sam_sid.c
@@ -0,0 +1,303 @@
+/*
+ Unix SMB/CIFS implementation.
+ Samba utility functions
+ Copyright (C) Andrew Tridgell 1992-1998
+ Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
+ Copyright (C) Jeremy Allison 1999
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#define MAX_SID_NAMES 7
+
+typedef struct _known_sid_users {
+ uint32 rid;
+ enum SID_NAME_USE sid_name_use;
+ const char *known_user_name;
+} known_sid_users;
+
+static struct sid_name_map_info
+{
+ DOM_SID *sid;
+ const char *name;
+ const known_sid_users *known_users;
+} sid_name_map[MAX_SID_NAMES];
+
+extern DOM_SID global_sid_Builtin; /* Local well-known domain */
+extern DOM_SID global_sid_World_Domain; /* Everyone domain */
+extern DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */
+extern DOM_SID global_sid_NT_Authority; /* NT Authority */
+
+
+static BOOL sid_name_map_initialized = False;
+/* static known_sid_users no_users[] = {{0, 0, NULL}}; */
+
+static const known_sid_users everyone_users[] = {
+ { 0, SID_NAME_WKN_GRP, "Everyone" },
+ {0, (enum SID_NAME_USE)0, NULL}};
+
+static const known_sid_users creator_owner_users[] = {
+ { 0, SID_NAME_WKN_GRP, "Creator Owner" },
+ { 1, SID_NAME_WKN_GRP, "Creator Group" },
+ {0, (enum SID_NAME_USE)0, NULL}};
+
+static const known_sid_users nt_authority_users[] = {
+ { 1, SID_NAME_ALIAS, "Dialup" },
+ { 2, SID_NAME_ALIAS, "Network"},
+ { 3, SID_NAME_ALIAS, "Batch"},
+ { 4, SID_NAME_ALIAS, "Interactive"},
+ { 6, SID_NAME_ALIAS, "Service"},
+ { 7, SID_NAME_ALIAS, "AnonymousLogon"},
+ { 8, SID_NAME_ALIAS, "Proxy"},
+ { 9, SID_NAME_ALIAS, "ServerLogon"},
+ { 11, SID_NAME_ALIAS, "Authenticated Users"},
+ { 18, SID_NAME_ALIAS, "SYSTEM"},
+ { 0, (enum SID_NAME_USE)0, NULL}};
+
+static const known_sid_users builtin_groups[] = {
+ { BUILTIN_ALIAS_RID_ADMINS, SID_NAME_ALIAS, "Administrators" },
+ { BUILTIN_ALIAS_RID_USERS, SID_NAME_ALIAS, "Users" },
+ { BUILTIN_ALIAS_RID_GUESTS, SID_NAME_ALIAS, "Guests" },
+ { BUILTIN_ALIAS_RID_ACCOUNT_OPS, SID_NAME_ALIAS, "Account Operators" },
+ { BUILTIN_ALIAS_RID_SYSTEM_OPS, SID_NAME_ALIAS, "Server Operators" },
+ { BUILTIN_ALIAS_RID_PRINT_OPS, SID_NAME_ALIAS, "Print Operators" },
+ { BUILTIN_ALIAS_RID_BACKUP_OPS, SID_NAME_ALIAS, "Backup Operators" },
+ { 0, (enum SID_NAME_USE)0, NULL}};
+
+/**************************************************************************
+ Quick init function.
+*************************************************************************/
+
+static void init_sid_name_map (void)
+{
+ int i = 0;
+
+ if (sid_name_map_initialized) return;
+
+ generate_wellknown_sids();
+
+ if ((lp_security() == SEC_USER) && lp_domain_logons()) {
+ sid_name_map[i].sid = get_global_sam_sid();
+ /* This is not lp_workgroup() for good reason:
+ it must stay around longer than the lp_*()
+ strings do */
+ sid_name_map[i].name = strdup(lp_workgroup());
+ sid_name_map[i].known_users = NULL;
+ i++;
+ sid_name_map[i].sid = get_global_sam_sid();
+ sid_name_map[i].name = strdup(lp_netbios_name());
+ sid_name_map[i].known_users = NULL;
+ i++;
+ } else {
+ sid_name_map[i].sid = get_global_sam_sid();
+ sid_name_map[i].name = strdup(lp_netbios_name());
+ sid_name_map[i].known_users = NULL;
+ i++;
+ }
+
+ sid_name_map[i].sid = &global_sid_Builtin;
+ sid_name_map[i].name = "BUILTIN";
+ sid_name_map[i].known_users = &builtin_groups[0];
+ i++;
+
+ sid_name_map[i].sid = &global_sid_World_Domain;
+ sid_name_map[i].name = "";
+ sid_name_map[i].known_users = &everyone_users[0];
+ i++;
+
+ sid_name_map[i].sid = &global_sid_Creator_Owner_Domain;
+ sid_name_map[i].name = "";
+ sid_name_map[i].known_users = &creator_owner_users[0];
+ i++;
+
+ sid_name_map[i].sid = &global_sid_NT_Authority;
+ sid_name_map[i].name = "NT Authority";
+ sid_name_map[i].known_users = &nt_authority_users[0];
+ i++;
+
+ /* End of array. */
+ sid_name_map[i].sid = NULL;
+ sid_name_map[i].name = NULL;
+ sid_name_map[i].known_users = NULL;
+
+ sid_name_map_initialized = True;
+
+ return;
+}
+
+/**************************************************************************
+ Turns a domain SID into a name, returned in the nt_domain argument.
+***************************************************************************/
+
+BOOL map_domain_sid_to_name(DOM_SID *sid, fstring nt_domain)
+{
+ fstring sid_str;
+ int i = 0;
+
+ sid_to_string(sid_str, sid);
+
+ if (!sid_name_map_initialized)
+ init_sid_name_map();
+
+ DEBUG(5,("map_domain_sid_to_name: %s\n", sid_str));
+
+ if (nt_domain == NULL)
+ return False;
+
+ while (sid_name_map[i].sid != NULL) {
+ sid_to_string(sid_str, sid_name_map[i].sid);
+ DEBUG(5,("map_domain_sid_to_name: compare: %s\n", sid_str));
+ if (sid_equal(sid_name_map[i].sid, sid)) {
+ fstrcpy(nt_domain, sid_name_map[i].name);
+ DEBUG(5,("map_domain_sid_to_name: found '%s'\n", nt_domain));
+ return True;
+ }
+ i++;
+ }
+
+ DEBUG(5,("map_domain_sid_to_name: mapping for %s not found\n", sid_str));
+
+ return False;
+}
+
+/**************************************************************************
+ Looks up a known username from one of the known domains.
+***************************************************************************/
+
+BOOL lookup_known_rid(DOM_SID *sid, uint32 rid, char *name, enum SID_NAME_USE *psid_name_use)
+{
+ int i = 0;
+ struct sid_name_map_info *psnm;
+
+ if (!sid_name_map_initialized)
+ init_sid_name_map();
+
+ for(i = 0; sid_name_map[i].sid != NULL; i++) {
+ psnm = &sid_name_map[i];
+ if(sid_equal(psnm->sid, sid)) {
+ int j;
+ for(j = 0; psnm->known_users && psnm->known_users[j].known_user_name != NULL; j++) {
+ if(rid == psnm->known_users[j].rid) {
+ DEBUG(5,("lookup_builtin_rid: rid = %u, domain = '%s', user = '%s'\n",
+ (unsigned int)rid, psnm->name, psnm->known_users[j].known_user_name ));
+ fstrcpy( name, psnm->known_users[j].known_user_name);
+ *psid_name_use = psnm->known_users[j].sid_name_use;
+ return True;
+ }
+ }
+ }
+ }
+
+ return False;
+}
+
+/**************************************************************************
+ Turns a domain name into a SID.
+ *** side-effect: if the domain name is NULL, it is set to our domain ***
+***************************************************************************/
+
+BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain)
+{
+ int i = 0;
+
+ if (nt_domain == NULL) {
+ DEBUG(5,("map_domain_name_to_sid: mapping NULL domain to our SID.\n"));
+ sid_copy(sid, get_global_sam_sid());
+ return True;
+ }
+
+ if (nt_domain[0] == 0) {
+ fstrcpy(nt_domain, lp_netbios_name());
+ DEBUG(5,("map_domain_name_to_sid: overriding blank name to %s\n", nt_domain));
+ sid_copy(sid, get_global_sam_sid());
+ return True;
+ }
+
+ DEBUG(5,("map_domain_name_to_sid: %s\n", nt_domain));
+
+ if (!sid_name_map_initialized)
+ init_sid_name_map();
+
+ while (sid_name_map[i].name != NULL) {
+ DEBUG(5,("map_domain_name_to_sid: compare: %s\n", sid_name_map[i].name));
+ if (strequal(sid_name_map[i].name, nt_domain)) {
+ fstring sid_str;
+ sid_copy(sid, sid_name_map[i].sid);
+ sid_to_string(sid_str, sid_name_map[i].sid);
+ DEBUG(5,("map_domain_name_to_sid: found %s\n", sid_str));
+ return True;
+ }
+ i++;
+ }
+
+ DEBUG(0,("map_domain_name_to_sid: mapping to %s not found.\n", nt_domain));
+ return False;
+}
+
+/*****************************************************************
+ Check if the SID is our domain SID (S-1-5-21-x-y-z).
+*****************************************************************/
+
+BOOL sid_check_is_domain(const DOM_SID *sid)
+{
+ return sid_equal(sid, get_global_sam_sid());
+}
+
+/*****************************************************************
+ Check if the SID is our domain SID (S-1-5-21-x-y-z).
+*****************************************************************/
+
+BOOL sid_check_is_in_our_domain(const DOM_SID *sid)
+{
+ DOM_SID dom_sid;
+ uint32 rid;
+
+ sid_copy(&dom_sid, sid);
+ sid_split_rid(&dom_sid, &rid);
+
+ return sid_equal(&dom_sid, get_global_sam_sid());
+}
+
+/**************************************************************************
+ Try and map a name to one of the well known SIDs.
+***************************************************************************/
+
+BOOL map_name_to_wellknown_sid(DOM_SID *sid, enum SID_NAME_USE *use, const char *name)
+{
+ int i, j;
+
+ if (!sid_name_map_initialized)
+ init_sid_name_map();
+
+ for (i=0; sid_name_map[i].sid != NULL; i++) {
+ const known_sid_users *users = sid_name_map[i].known_users;
+
+ if (users == NULL)
+ continue;
+
+ for (j=0; users[j].known_user_name != NULL; j++) {
+ if (strequal(users[j].known_user_name, name) == 0) {
+ sid_copy(sid, sid_name_map[i].sid);
+ sid_append_rid(sid, users[j].rid);
+ *use = users[j].sid_name_use;
+ return True;
+ }
+ }
+ }
+
+ return False;
+}