r9589: Support reading secrets tdb

(This used to be commit dd15131b5219ecf0d09329c0de37c426b9147f45)
author: Jelmer Vernooij <jelmer@samba.org> 2005-08-24 16:39:28 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:34:32 -0500
commit: cdf218e270bb6e0e3e04419279292c80ed39fb98 (patch)
tree: b68c8122feb58ff86f7167786a1afc330692387a /source4
parent: b873c1789faf4413dcd30e934135ce3517510408 (diff)
download: samba-cdf218e270bb6e0e3e04419279292c80ed39fb98.tar.gz
samba-cdf218e270bb6e0e3e04419279292c80ed39fb98.tar.bz2
samba-cdf218e270bb6e0e3e04419279292c80ed39fb98.zip
5 files changed, 195 insertions, 476 deletions
diff --git a/source4/include/structs.h b/source4/include/structs.h
index 6d060fb22f..cac46c030f 100644
--- a/source4/include/structs.h
+++ b/source4/include/structs.h
@@ -278,4 +278,5 @@ struct samba3_groupdb;
 struct samba3_winsdb_entry;
 struct samba3_policy;
 struct samba3_regdb;
+struct samba3_secrets;
 struct samba3;
diff --git a/source4/lib/samba3/config.mk b/source4/lib/samba3/config.mk
index 23f07106f0..75073048d0 100644
--- a/source4/lib/samba3/config.mk
+++ b/source4/lib/samba3/config.mk
@@ -9,8 +9,8 @@ ADD_OBJ_FILES = \
 		lib/samba3/winsdb.o \
 		lib/samba3/samba3.o \
 		lib/samba3/group.o \
-		lib/samba3/registry.o
-#		lib/samba3/secrets.o
+		lib/samba3/registry.o \
+		lib/samba3/secrets.o
 # End SUBSYSTEM LIBSAMBA3
 ################################################
 
diff --git a/source4/lib/samba3/samba3.c b/source4/lib/samba3/samba3.c
index c74b1b5279..bfd41d6554 100644
--- a/source4/lib/samba3/samba3.c
+++ b/source4/lib/samba3/samba3.c
@@ -51,5 +51,9 @@ struct samba3 *samba3_read(const char *libdir, TALLOC_CTX *ctx)
 	samba3_read_regdb(dbfile, ctx, &ret->registry);
 	SAFE_FREE(dbfile);
 
+	asprintf(&dbfile, "%s/secrets.tdb", libdir);
+	samba3_read_secrets(dbfile, ctx, &ret->secrets);
+	SAFE_FREE(dbfile);
+
 	return ret;
 }
diff --git a/source4/lib/samba3/samba3.h b/source4/lib/samba3/samba3.h
index bebd120704..575ee83825 100644
--- a/source4/lib/samba3/samba3.h
+++ b/source4/lib/samba3/samba3.h
@@ -137,6 +137,53 @@ struct samba3_regdb
 	struct samba3_regkey *keys;
 };
 
+struct samba3_secrets
+{
+	struct cli_credentials *ipc_cred;
+	
+	uint32_t ldappw_count;
+	struct samba3_ldappw 
+	{
+		char *dn;
+		char *password;
+	} *ldappws;
+
+	uint32_t domain_count;
+	struct samba3_domainsecrets 
+	{
+		char *name;
+		struct dom_sid sid;
+		struct GUID guid;
+		char *plaintext_pw;
+		time_t last_change_time;
+		struct {
+			uint8_t hash[16];
+			time_t mod_time;
+		} hash_pw;;
+		int sec_channel_type;
+	} *domains;
+
+	uint32_t trusted_domain_count;
+	struct samba3_trusted_dom_pass {
+		uint32_t uni_name_len;
+		const char *uni_name[32]; /* unicode domain name */
+		const char *pass;		/* trust relationship's password */
+		time_t mod_time;
+		struct dom_sid domain_sid;	/* remote domain's sid */
+	} *trusted_domains;
+
+	uint32_t afs_keyfile_count;
+
+	struct samba3_afs_keyfile {
+		uint32_t nkeys;
+		struct {
+			uint32_t kvno;
+			char key[8];
+		} entry[8];
+		char *cell;
+	} *afs_keyfiles;
+};
+
 struct samba3 
 {
 	uint32_t winsdb_count;
@@ -145,6 +192,7 @@ struct samba3
 	uint32_t samaccount_count;
 	struct samba3_samaccount *samaccounts;
 
+	struct samba3_secrets secrets;
 	struct samba3_groupdb group;
 	struct samba3_idmapdb idmap;
 	struct samba3_policy policy;
diff --git a/source4/lib/samba3/secrets.c b/source4/lib/samba3/secrets.c
index ab19f166ee..4aacffda34 100644
--- a/source4/lib/samba3/secrets.c
+++ b/source4/lib/samba3/secrets.c
@@ -24,52 +24,13 @@
 /* the Samba secrets database stores any generated, private information
    such as the local SID and machine trust password */
 
-#define SECRETS_DOMAIN_SID "SECRETS/SID"
-#define SECRETS_DOMAIN_GUID "SECRETS/DOMGUID"
-#define SECRETS_LDAP_BIND_PW "SECRETS/LDAP_BIND_PW"
-#define SECRETS_MACHINE_ACCT_PASS "SECRETS/$MACHINE.ACC"
-#define SECRETS_DOMTRUST_ACCT_PASS "SECRETS/$DOMTRUST.ACC"
-#define SECRETS_MACHINE_PASSWORD "SECRETS/MACHINE_PASSWORD"
-#define SECRETS_MACHINE_LAST_CHANGE_TIME "SECRETS/MACHINE_LAST_CHANGE_TIME"
-#define SECRETS_MACHINE_SEC_CHANNEL_TYPE "SECRETS/MACHINE_SEC_CHANNEL_TYPE"
-#define SECRETS_AFS_KEYFILE "SECRETS/AFS_KEYFILE"
-#define SECRETS_AUTH_USER      "SECRETS/AUTH_USER"
-#define SECRETS_AUTH_DOMAIN      "SECRETS/AUTH_DOMAIN"
-#define SECRETS_AUTH_PASSWORD  "SECRETS/AUTH_PASSWORD"
-
-
 #include "includes.h"
 #include "tdb.h"
+#include "lib/samba3/samba3.h"
 #include "system/filesys.h"
 #include "librpc/gen_ndr/ndr_security.h"
 #include "lib/tdb/include/tdbutil.h"
 
-/* structure for storing machine account password
-   (ie. when samba server is member of a domain */
-struct machine_acct_pass {
-	uint8_t hash[16];
-	time_t mod_time;
-};
-
-#define SECRETS_AFS_MAXKEYS 8
-
-struct afs_key {
-	uint32_t kvno;
-	char key[8];
-};
-
-/*
- * storage structure for trusted domain
- */
-typedef struct trusted_dom_pass {
-	size_t uni_name_len;
-	const char *uni_name[32]; /* unicode domain name */
-	size_t pass_len;
-	const char *pass;		/* trust relationship's password */
-	time_t mod_time;
-	struct dom_sid domain_sid;	/* remote domain's sid */
-} TRUSTED_DOM_PASS;
-
 /**
  * Unpack SID into a pointer
  *
@@ -99,492 +60,197 @@ static size_t tdb_sid_unpack(TDB_CONTEXT *tdb, char* pack_buf, int bufsize, stru
 	return len;
 }
 
-/**
- * Unpack TRUSTED_DOM_PASS passed by pointer
- *
- * @param pack_buf pointer to buffer with packed representation
- * @param bufsize size of the buffer
- * @param pass pointer to trusted domain password to be filled with unpacked data
- *
- * @return size of structure unpacked from buffer
- **/
-static size_t tdb_trusted_dom_pass_unpack(TDB_CONTEXT *tdb, char* pack_buf, int bufsize, TRUSTED_DOM_PASS* pass)
+static struct samba3_domainsecrets *secrets_find_domain(TALLOC_CTX *ctx, struct samba3_secrets *db, const char *key)
 {
-	int idx, len = 0;
-	
-	if (!pack_buf || !pass) return -1;
+	int i;
 
-	/* unpack unicode domain name and plaintext password */
-	len += tdb_unpack(tdb, pack_buf, bufsize - len, "d", &pass->uni_name_len);
-	
-	for (idx = 0; idx < 32; idx++)
-		len +=  tdb_unpack(tdb, pack_buf + len, bufsize - len, "w", &pass->uni_name[idx]);
+	for (i = 0; i < db->domain_count; i++) 
+	{
+		if (!StrCaseCmp(db->domains[i].name, key)) 
+			return &db->domains[i];
+	}
 
-	len += tdb_unpack(tdb, pack_buf + len, bufsize - len, "dPd", &pass->pass_len, &pass->pass,
-	                  &pass->mod_time);
-	
-	/* unpack domain sid */
-	len += tdb_sid_unpack(tdb, pack_buf + len, bufsize - len, &pass->domain_sid);
+	db->domains = talloc_realloc(ctx, db->domains, struct samba3_domainsecrets, db->domain_count+1);
+	ZERO_STRUCT(db->domains[db->domain_count]);
+	db->domains[db->domain_count].name = talloc_strdup(ctx, key); 
+
+	db->domain_count++;
 	
-	return len;	
+	return &db->domains[db->domain_count-1];
 }
 
-
-static TDB_CONTEXT *secrets_open(const char *fname)
+static NTSTATUS ipc_password (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db) 
 {
-	TDB_CONTEXT *tdb = tdb_open(fname, 0, TDB_DEFAULT, O_RDONLY, 0600);
-
-	if (!tdb) {
-		DEBUG(0,("Failed to open %s\n", fname));
-		return NULL;
-	}
-
-	return tdb;
+	cli_credentials_set_password(db->ipc_cred, vbuf.dptr, CRED_SPECIFIED);
+	return NT_STATUS_OK;
 }
 
-static BOOL secrets_fetch_domain_sid(TDB_CONTEXT *tdb, const char *domain, struct dom_sid *sid)
+static NTSTATUS ipc_username (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db) 
 {
-	struct dom_sid *dyn_sid;
-	TDB_DATA val;
-	char *key;
-	size_t size;
-
-	asprintf(&key, "%s/%s", SECRETS_DOMAIN_SID, domain);
-	strupper_m(key);
+	cli_credentials_set_username(db->ipc_cred, vbuf.dptr, CRED_SPECIFIED);
+	return NT_STATUS_OK;
+}
 	
-	val = tdb_fetch_bystring(tdb, key);
-	/* FIXME: Convert val to dyn_sid */
-	SAFE_FREE(key);
-
-	if (dyn_sid == NULL)
-		return False;
-
-	if (size != sizeof(struct dom_sid))
-	{ 
-		SAFE_FREE(dyn_sid);
-		return False;
-	}
-
-	*sid = *dyn_sid;
-	SAFE_FREE(dyn_sid);
-	return True;
+static NTSTATUS ipc_domain (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db) 
+{
+	cli_credentials_set_domain(db->ipc_cred, vbuf.dptr, CRED_SPECIFIED);
+	return NT_STATUS_OK;
 }
 
-static BOOL secrets_fetch_domain_guid(TDB_CONTEXT *tdb, const char *domain, struct GUID *guid)
+static NTSTATUS domain_sid (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db) 
 {
-	struct GUID *dyn_guid;
-	char *key;
-	TDB_DATA val;
-	size_t size;
-
-	asprintf(&key, "%s/%s", SECRETS_DOMAIN_GUID, domain);
-	strupper_m(key);
-	val = tdb_fetch_bystring(tdb, key);
-
-	dyn_guid = (struct GUID *)val.dptr;
-
-	if (!dyn_guid) {
-		return False;
-	}
-
-	if (val.dsize != sizeof(struct GUID))
-	{ 
-		DEBUG(1,("GUID size %d is wrong!\n", (int)size));
-		SAFE_FREE(dyn_guid);
-		return False;
-	}
-
-	*guid = *dyn_guid;
-	SAFE_FREE(dyn_guid);
-	return True;
+	struct samba3_domainsecrets *domainsec = secrets_find_domain(ctx, db, key);
+	domainsec->sid.sub_auths = talloc_array(ctx, uint32_t, 15);
+	tdb_sid_unpack(tdb, vbuf.dptr, vbuf.dsize, &domainsec->sid);
+	return NT_STATUS_OK;
 }
 
-/**
- * Form a key for fetching the machine trust account password
- *
- * @param domain domain name
- *
- * @return stored password's key
- **/
-static char *trust_keystr(const char *domain)
+static NTSTATUS domain_guid (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db) 
 {
-	char *keystr;
-
-	asprintf(&keystr, "%s/%s", SECRETS_MACHINE_ACCT_PASS, domain);
-	strupper_m(keystr);
-
-	return keystr;
+	struct samba3_domainsecrets *domainsec = secrets_find_domain(ctx, db, key);
+	memcpy(&domainsec->guid, vbuf.dptr, vbuf.dsize);
+	return NT_STATUS_OK;
 }
 
-/**
- * Form a key for fetching a trusted domain password
- *
- * @param domain trusted domain name
- *
- * @return stored password's key
- **/
-static char *trustdom_keystr(const char *domain)
+static NTSTATUS ldap_bind_pw (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db) 
 {
-	char *keystr;
-
-	asprintf(&keystr, "%s/%s", SECRETS_DOMTRUST_ACCT_PASS, domain);
-	strupper_m(keystr);
-		
-	return keystr;
+	struct samba3_ldappw pw;
+	pw.dn = talloc_strdup(ctx, key);
+	pw.password = talloc_strdup(ctx, vbuf.dptr);
+
+	db->ldappws = talloc_realloc(ctx, db->ldappws, struct samba3_ldappw, db->ldappw_count+1);
+	db->ldappws[db->ldappw_count] = pw;
+	db->ldappw_count++;
+	return NT_STATUS_OK;
 }
 
-/************************************************************************
- Routine to get the trust account password for a domain.
- The user of this function must have locked the trust password file using
- the above secrets_lock_trust_account_password().
-************************************************************************/
-
-static BOOL secrets_fetch_trust_account_password(TDB_CONTEXT *tdb, 
-					  const char *domain, uint8_t ret_pwd[16],
-					  time_t *pass_last_set_time,
-					  uint32_t *channel)
+static NTSTATUS afs_keyfile (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db) 
 {
-	struct machine_acct_pass *pass;
-	char *plaintext;
-	TDB_DATA val;
-
-	plaintext = secrets_fetch_machine_password(tdb, domain, pass_last_set_time, 
-						   channel);
-	if (plaintext) {
-		DEBUG(4,("Using cleartext machine password\n"));
-		E_md4hash(plaintext, ret_pwd);
-		SAFE_FREE(plaintext);
-		return True;
-	}
-	
-	val = tdb_fetch_bystring(tdb, trust_keystr(domain));
-	if (!val.dptr) {
-		DEBUG(5, ("tdb_fetch_bystring failed!\n"));
-		return False;
-	}
-	
-	if (val.dsize != sizeof(*pass)) {
-		DEBUG(0, ("secrets were of incorrect size!\n"));
-		return False;
-	}
-
-	pass = (struct machine_acct_pass *)val.dptr;
+	struct samba3_afs_keyfile keyfile;
+	memcpy(&keyfile, vbuf.dptr, vbuf.dsize);
+	keyfile.cell = talloc_strdup(ctx, key);
 
-	if (pass_last_set_time) *pass_last_set_time = pass->mod_time;
-	memcpy(ret_pwd, pass->hash, 16);
-
-	return True;
+	db->afs_keyfiles = talloc_realloc(ctx, db->afs_keyfiles, struct samba3_afs_keyfile, db->afs_keyfile_count+1);
+	db->afs_keyfiles[db->afs_keyfile_count] = keyfile;
+	db->afs_keyfile_count++;
+	
+	return NT_STATUS_OK;
 }
 
-/************************************************************************
- Routine to get account password to trusted domain
-************************************************************************/
-
-static BOOL secrets_fetch_trusted_domain_password(TDB_CONTEXT *tdb, const char *domain, char** pwd, struct dom_sid **sid, time_t *pass_last_set_time)
+static NTSTATUS machine_sec_channel_type (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db) 
 {
-	struct trusted_dom_pass pass;
-	
-	/* unpacking structures */
-	int pass_len = 0;
-	TDB_DATA val;
+	struct samba3_domainsecrets *domainsec = secrets_find_domain(ctx, db, key);
 
-	ZERO_STRUCT(pass);
-
-	/* fetching trusted domain password structure */
-	val = tdb_fetch_bystring(tdb, trustdom_keystr(domain));
-	if (!val.dptr) {
-		DEBUG(5, ("secrets_fetch failed!\n"));
-		return False;
-	}
-
-	/* unpack trusted domain password */
-	pass_len = tdb_trusted_dom_pass_unpack(val.dptr, val.dsize, &pass);
-
-	if (pass_len != val.dsize) {
-		DEBUG(5, ("Invalid secrets size. Unpacked data doesn't match trusted_dom_pass structure.\n"));
-		return False;
-	}
-			
-	/* the trust's password */	
-	if (pwd) {
-		*pwd = strdup(pass.pass);
-		if (!*pwd) {
-			return False;
-		}
-	}
-
-	/* last change time */
-	if (pass_last_set_time) *pass_last_set_time = pass.mod_time;
-
-	/* domain sid */
-	
-	*sid = dom_sid_dup(tdb, &pass.domain_sid);
-		
-	return True;
+	domainsec->sec_channel_type = IVAL(vbuf.dptr, 0);
+	return NT_STATUS_OK;
 }
 
-/************************************************************************
- Routine to fetch the plaintext machine account password for a realm
-the password is assumed to be a null terminated ascii string
-************************************************************************/
-static char *secrets_fetch_machine_password(TDB_CONTEXT *tdb, const char *domain, 
-				     time_t *pass_last_set_time,
-				     uint32_t *channel)
+static NTSTATUS machine_last_change_time (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db) 
 {
-	char *key = NULL;
-	char *ret;
-	TDB_DATA val;
-	asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, domain);
-	strupper_m(key);
-	val = tdb_fetch_bystring(tdb, key);
-	SAFE_FREE(key);
-	
-	if (pass_last_set_time) {
-		asprintf(&key, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME, domain);
-		strupper_m(key);
-		tdb_fetch_uint32(tdb, key, (uint32_t *)pass_last_set_time);
-		SAFE_FREE(key);
-	}
-	
-	if (channel) {
-		asprintf(&key, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE, domain);
-		strupper_m(key);
-		tdb_fetch_uint32(tdb, key, channel);
-		SAFE_FREE(key);
-	}
-	
-	return ret;
+	struct samba3_domainsecrets *domainsec = secrets_find_domain(ctx, db, key);
+	domainsec->last_change_time = IVAL(vbuf.dptr, 0);
+	return NT_STATUS_OK;
 }
 
-/*******************************************************************
- find the ldap password
-******************************************************************/
-static BOOL fetch_ldap_pw(TDB_CONTEXT *tdb, const char *dn, char** pw)
+static NTSTATUS machine_password (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db) 
 {
-	char *key = NULL;
-	size_t size;
-	TDB_DATA val;
-	
-	if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, dn) < 0) {
-		DEBUG(0, ("fetch_ldap_pw: asprintf failed!\n"));
-	}
-	
-	val = tdb_fetch_bystring(tdb, key);
-	*pw = val.dptr;
-	SAFE_FREE(key);
-
-	if (!size) {
-		return False;
-	}
-	
-	return True;
+	struct samba3_domainsecrets *domainsec = secrets_find_domain(ctx, db, key);
+	domainsec->plaintext_pw = talloc_strdup(ctx, vbuf.dptr);
+	return NT_STATUS_OK;
 }
 
+static NTSTATUS machine_acc (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db) 
+{
+	struct samba3_domainsecrets *domainsec = secrets_find_domain(ctx, db, key);
 
-/**
- * Get trusted domains info from secrets.tdb.
- *
- * The linked list is allocated on the supplied talloc context, caller gets to destroy
- * when done.
- *
- * @param ctx Allocation context
- * @param enum_ctx Starting index, eg. we can start fetching at third
- *        or sixth trusted domain entry. Zero is the first index.
- *        Value it is set to is the enum context for the next enumeration.
- * @param num_domains Number of domain entries to fetch at one call
- * @param domains Pointer to array of trusted domain structs to be filled up
- *
- * @return nt status code of rpc response
- **/ 
+	memcpy(&domainsec->hash_pw, vbuf.dptr, vbuf.dsize);
+
+	return NT_STATUS_OK;
+}
 
-static NTSTATUS secrets_get_trusted_domains(TDB_CONTEXT *tdb, TALLOC_CTX* ctx, int* enum_ctx, unsigned int max_num_domains,
-                                     int *num_domains, struct samba3_trustdom ***domains)
+static NTSTATUS domtrust_acc (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db) 
 {
-	TDB_LIST_NODE *keys, *k;
-	struct samba3_trustdom *dom = NULL;
-	char *pattern;
-	unsigned int start_idx;
-	uint32_t idx = 0;
-	size_t size, packed_size = 0;
-	fstring dom_name;
-	char *packed_pass;
-	struct trusted_dom_pass *pass = talloc(ctx, struct trusted_dom_pass);
-	NTSTATUS status;
-
-	if (!pass) {
-		DEBUG(0, ("talloc_zero failed!\n"));
-		return NT_STATUS_NO_MEMORY;
-	}
-				
-	*num_domains = 0;
-	start_idx = *enum_ctx;
-
-	/* generate searching pattern */
-	if (!(pattern = talloc_asprintf(ctx, "%s/*", SECRETS_DOMTRUST_ACCT_PASS))) {
-		DEBUG(0, ("secrets_get_trusted_domains: talloc_asprintf() failed!\n"));
-		return NT_STATUS_NO_MEMORY;
-	}
+	int idx, len = 0;
+	struct samba3_trusted_dom_pass pass;
+	int pass_len;
+	
+	if (!vbuf.dptr) 
+		return NT_STATUS_UNSUCCESSFUL;
 
-	DEBUG(5, ("secrets_get_trusted_domains: looking for %d domains, starting at index %d\n", 
-		  max_num_domains, *enum_ctx));
-
-	*domains = talloc_zero_array(ctx, struct samba3_trustdom *, max_num_domains);
-
-	/* fetching trusted domains' data and collecting them in a list */
-	keys = tdb_search_keys(tdb, pattern);
-
-	/* 
-	 * if there's no keys returned ie. no trusted domain,
-	 * return "no more entries" code
-	 */
-	status = NT_STATUS_NO_MORE_ENTRIES;
-
-	/* searching for keys in secrets db -- way to go ... */
-	for (k = keys; k; k = k->next) {
-		char *secrets_key;
-		
-		/* important: ensure null-termination of the key string */
-		secrets_key = strndup(k->node_key.dptr, k->node_key.dsize);
-		if (!secrets_key) {
-			DEBUG(0, ("strndup failed!\n"));
-			return NT_STATUS_NO_MEMORY;
-		}
+	/* unpack unicode domain name and plaintext password */
+	len += tdb_unpack(tdb, vbuf.dptr, vbuf.dsize - len, "d", &pass.uni_name_len);
+	
+	for (idx = 0; idx < 32; idx++)
+		len +=  tdb_unpack(tdb, vbuf.dptr + len, vbuf.dsize - len, "w", &pass.uni_name[idx]);
 
-		packed_pass = secrets_fetch(tdb, secrets_key, &size);
-		packed_size = tdb_trusted_dom_pass_unpack(packed_pass, size, pass);
-		/* packed representation isn't needed anymore */
-		SAFE_FREE(packed_pass);
-		
-		if (size != packed_size) {
-			DEBUG(2, ("Secrets record %s is invalid!\n", secrets_key));
-			continue;
-		}
-		
-		pull_ucs2_fstring(dom_name, pass->uni_name);
-		DEBUG(18, ("Fetched secret record num %d.\nDomain name: %s, SID: %s\n",
-			   idx, dom_name, sid_string_static(&pass->domain_sid)));
-
-		SAFE_FREE(secrets_key);
-
-		if (idx >= start_idx && idx < start_idx + max_num_domains) {
-			dom = talloc(ctx, struct samba3_trustdom);
-			if (!dom) {
-				/* free returned tdb record */
-				return NT_STATUS_NO_MEMORY;
-			}
-			
-			/* copy domain sid */
-			SMB_ASSERT(sizeof(dom->sid) == sizeof(pass->domain_sid));
-			memcpy(&(dom->sid), &(pass->domain_sid), sizeof(dom->sid));
-			
-			/* copy unicode domain name */
-			dom->name = talloc_memdup(ctx, pass->uni_name,
-						  (strlen_w(pass->uni_name) + 1) * sizeof(smb_ucs2_t));
-			
-			(*domains)[idx - start_idx] = dom;
-			
-			DEBUG(18, ("Secret record is in required range.\n \
-				   start_idx = %d, max_num_domains = %d. Added to returned array.\n",
-				   start_idx, max_num_domains));
-
-			*enum_ctx = idx + 1;
-			(*num_domains)++;
-		
-			/* set proper status code to return */
-			if (k->next) {
-				/* there are yet some entries to enumerate */
-				status = STATUS_MORE_ENTRIES;
-			} else {
-				/* this is the last entry in the whole enumeration */
-				status = NT_STATUS_OK;
-			}
-		} else {
-			DEBUG(18, ("Secret is outside the required range.\n \
-				   start_idx = %d, max_num_domains = %d. Not added to returned array\n",
-				   start_idx, max_num_domains));
-		}
-		
-		idx++;		
-	}
+	len += tdb_unpack(tdb, vbuf.dptr + len, vbuf.dsize - len, "d", &pass_len);
+	pass.pass = talloc_strdup(ctx, vbuf.dptr+len);
+	len += strlen(vbuf.dptr)+1;
+	len += tdb_unpack(tdb, vbuf.dptr + len, vbuf.dsize - len, "d", &pass.mod_time);
 	
-	DEBUG(5, ("secrets_get_trusted_domains: got %d domains\n", *num_domains));
+	pass.domain_sid.sub_auths = talloc_array(ctx, uint32_t, 15);
+	/* unpack domain sid */
+	len += tdb_sid_unpack(tdb, vbuf.dptr + len, vbuf.dsize - len, &pass.domain_sid);
 
-	/* free the results of searching the keys */
-	tdb_search_list_free(keys);
+	/* FIXME: Add to list */
 
-	return status;
+	return NT_STATUS_OK;
 }
 
-/*******************************************************************************
- Fetch the current (highest) AFS key from secrets.tdb
-*******************************************************************************/
-static BOOL secrets_fetch_afs_key(TDB_CONTEXT *tdb, const char *cell, struct afs_key *result)
-{
-	fstring key;
-	struct afs_keyfile *keyfile;
-	size_t size;
-	uint32_t i;
-
-	slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_AFS_KEYFILE, cell);
+static const struct {
+	const char *prefix;
+	NTSTATUS (*handler) (TDB_CONTEXT *tdb, const char *key, TDB_DATA vbuf, TALLOC_CTX *ctx, struct samba3_secrets *db);
+} secrets_handlers[] = {
+	{ "SECRETS/AUTH_PASSWORD", ipc_password },
+	{ "SECRETS/AUTH_DOMAIN", ipc_domain },
+	{ "SECRETS/AUTH_USER", ipc_username },
+	{ "SECRETS/SID/", domain_sid },
+	{ "SECRETS/DOMGUID/", domain_guid },
+	{ "SECRETS/LDAP_BIND_PW/", ldap_bind_pw },
+	{ "SECRETS/AFS_KEYFILE/", afs_keyfile },
+	{ "SECRETS/MACHINE_SEC_CHANNEL_TYPE/", machine_sec_channel_type },
+	{ "SECRETS/MACHINE_LAST_CHANGE_TIME/", machine_last_change_time },
+	{ "SECRETS/MACHINE_PASSWORD/", machine_password },
+	{ "SECRETS/$MACHINE.ACC/", machine_acc },
+	{ "SECRETS/$DOMTRUST.ACC/", domtrust_acc },
+};
 
-	keyfile = (struct afs_keyfile *)secrets_fetch(tdb, key, &size);
 
-	if (keyfile == NULL)
-		return False;
+NTSTATUS samba3_read_secrets(const char *fname, TALLOC_CTX *ctx, struct samba3_secrets *db)
+{
+	TDB_CONTEXT *tdb = tdb_open(fname, 0, TDB_DEFAULT, O_RDONLY, 0600);
+	TDB_DATA kbuf, vbuf;
 
-	if (size != sizeof(struct afs_keyfile)) {
-		SAFE_FREE(keyfile);
-		return False;
+	if (!tdb) {
+		DEBUG(0,("Failed to open %s\n", fname));
+		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	i = ntohl(keyfile->nkeys);
+	ZERO_STRUCTP(db);
+	
+	db->ipc_cred = cli_credentials_init(ctx);
+	
+	for (kbuf = tdb_firstkey(tdb); kbuf.dptr; kbuf = tdb_nextkey(tdb, kbuf))
+	{
+		int i;
+		char *key;
+		vbuf = tdb_fetch(tdb, kbuf);
+
+		for (i = 0; secrets_handlers[i].prefix; i++) {
+			if (!strncmp(kbuf.dptr, secrets_handlers[i].prefix, strlen(secrets_handlers[i].prefix))) {
+				key = talloc_strndup(ctx, kbuf.dptr+strlen(secrets_handlers[i].prefix), kbuf.dsize-strlen(secrets_handlers[i].prefix));
+				secrets_handlers[i].handler(tdb, key, vbuf, ctx, db);
+				talloc_free(key);
+				break;
+			}
+		}
 
-	if (i > SECRETS_AFS_MAXKEYS) {
-		SAFE_FREE(keyfile);
-		return False;
+		if (!secrets_handlers[i].prefix) {
+			DEBUG(0, ("Unable to find handler for string %s", kbuf.dptr));
+		}
 	}
-
-	*result = keyfile->entry[i-1];
-
-	result->kvno = ntohl(result->kvno);
-
-	return True;
-}
-
-/******************************************************************************
-  When kerberos is not available, choose between anonymous or
-  authenticated connections.  
-
-  We need to use an authenticated connection if DCs have the
-  RestrictAnonymous registry entry set > 0, or the "Additional
-  restrictions for anonymous connections" set in the win2k Local
-  Security Policy.
-
-  Caller to free() result in domain, username, password
-*******************************************************************************/
-static void secrets_fetch_ipc_userpass(TDB_CONTEXT *tdb, char **username, char **domain, char **password)
-{
-	*username = secrets_fetch(tdb, SECRETS_AUTH_USER, NULL);
-	*domain = secrets_fetch(tdb, SECRETS_AUTH_DOMAIN, NULL);
-	*password = secrets_fetch(tdb, SECRETS_AUTH_PASSWORD, NULL);
 	
-	if (*username && **username) {
-
-		if (!*domain || !**domain)
-			*domain = smb_xstrdup(lp_workgroup());
-		
-		if (!*password || !**password)
-			*password = smb_xstrdup("");
-
-		DEBUG(3, ("IPC$ connections done by user %s\\%s\n", 
-			  *domain, *username));
-
-	} else {
-		DEBUG(3, ("IPC$ connections done anonymously\n"));
-		*username = smb_xstrdup("");
-		*domain = smb_xstrdup("");
-		*password = smb_xstrdup("");
-	}
-}
-
+	tdb_close(tdb);
 
+	return NT_STATUS_OK;
+}
author	Jelmer Vernooij <jelmer@samba.org>	2005-08-24 16:39:28 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:34:32 -0500
commit	cdf218e270bb6e0e3e04419279292c80ed39fb98 (patch)
tree	b68c8122feb58ff86f7167786a1afc330692387a /source4
parent	b873c1789faf4413dcd30e934135ce3517510408 (diff)
download	samba-cdf218e270bb6e0e3e04419279292c80ed39fb98.tar.gz samba-cdf218e270bb6e0e3e04419279292c80ed39fb98.tar.bz2 samba-cdf218e270bb6e0e3e04419279292c80ed39fb98.zip