8 files changed, 150 insertions, 34 deletions

diff --git a/source3/include/smb.h b/source3/include/smb.h
index fa4cec4bdb..fafaf36c3e 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -655,6 +655,7 @@ typedef struct sam_passwd
 #define LOCAL_TRUST_ACCOUNT 0x10
 #define LOCAL_SET_NO_PASSWORD 0x20
 #define LOCAL_SET_PASSWORD 0x40
+#define LOCAL_SET_LDAP_ADMIN_PW 0x80
 
 /* key and data in the connections database - used in smbstatus and smbd */
 struct connections_key {
@@ -1316,6 +1317,12 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
 #endif /* DEVELOPER */
 };
 
+/* LDAP schema types */
+enum schema_types {SCHEMA_COMPAT, SCHEMA_AD, SCHEMA_SAMBA};
+
+/* LDAP SSL options */
+enum ldap_ssl_types {LDAP_SSL_ON, LDAP_SSL_OFF, LDAP_SSL_START_TLS};
+
 /* Remote architectures we know about. */
 enum remote_arch_types {RA_UNKNOWN, RA_WFWG, RA_OS2, RA_WIN95, RA_WINNT, RA_WIN2K, RA_SAMBA};
 
diff --git a/source3/libsmb/cli_netlogon.c b/source3/libsmb/cli_netlogon.c
index 896af0d7c9..8840a6264b 100644
--- a/source3/libsmb/cli_netlogon.c
+++ b/source3/libsmb/cli_netlogon.c
@@ -282,7 +282,7 @@ static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred)
 
 /* Sam synchronisation */
 
-NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx,
+NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, DOM_CRED *ret_creds,
                                uint32 database_id, uint32 *num_deltas,
                                SAM_DELTA_HDR **hdr_deltas, 
                                SAM_DELTA_CTR **deltas)
@@ -306,7 +306,7 @@ NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx,
         gen_next_creds(cli, &clnt_creds);
 
 	init_net_q_sam_sync(&q, cli->srv_name_slash, cli->clnt_name_slash + 2,
-                            &clnt_creds, database_id);
+                            &clnt_creds, ret_creds, database_id);
 
 	/* Marshall data and send request */
 
@@ -330,6 +330,8 @@ NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx,
         *hdr_deltas = r.hdr_deltas;
         *deltas = r.deltas;
 
+	memcpy(ret_creds, &r.srv_creds, sizeof(*ret_creds));
+
  done:
 	prs_mem_free(&qbuf);
 	prs_mem_free(&rbuf);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 44aa861940..8a8123ed18 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -131,11 +131,6 @@ typedef struct
 	char **szNetbiosAliases;
 	char *szDomainOtherSIDs;
 	char *szNameResolveOrder;
-	char *szLdapServer;
-	char *szLdapSuffix;
-	char *szLdapFilter;
-	char *szLdapRoot;
-	char *szLdapRootPassword;
 	char *szPanicAction;
 	char *szAddUserScript;
 	char *szDelUserScript;
@@ -200,9 +195,14 @@ typedef struct
 	int min_passwd_length;
 	int oplock_break_wait_time;
 	int winbind_cache_time;
-#ifdef WITH_LDAP
+#ifdef WITH_LDAP_SAM
 	int ldap_port;
-#endif				/* WITH_LDAP */
+	int ldap_ssl;
+	char *szLdapServer;
+	char *szLdapSuffix;
+	char *szLdapFilter;
+	char *szLdapAdminDn;
+#endif				/* WITH_LDAP_SAM */
 #ifdef WITH_SSL
 	int sslVersion;
 	char **sslHostsRequire;
@@ -568,6 +568,21 @@ static struct enum_list enum_printing[] = {
 	{-1, NULL}
 };
 
+#ifdef WITH_LDAP_SAM
+static struct enum_list enum_ldap_ssl[] = {
+	{LDAP_SSL_ON, "Yes"},
+	{LDAP_SSL_ON, "yes"},
+	{LDAP_SSL_ON, "on"},
+	{LDAP_SSL_ON, "On"},
+	{LDAP_SSL_OFF, "no"},
+	{LDAP_SSL_OFF, "No"},
+	{LDAP_SSL_OFF, "off"},
+	{LDAP_SSL_OFF, "Off"},
+	{LDAP_SSL_START_TLS, "start tls"},
+	{-1, NULL}
+};
+#endif /* WITH_LDAP_SAM */
+
 /* Types of machine we can announce as. */
 #define ANNOUNCE_AS_NT_SERVER 1
 #define ANNOUNCE_AS_WIN95 2
@@ -939,16 +954,16 @@ static struct parm_struct parm_table[] = {
 	{"strict locking", P_BOOL, P_LOCAL, &sDefault.bStrictLocking, NULL, NULL, FLAG_SHARE | FLAG_GLOBAL},
 	{"share modes", P_BOOL, P_LOCAL, &sDefault.bShareModes, NULL, NULL, FLAG_SHARE | FLAG_GLOBAL},
 
-#ifdef WITH_LDAP
+#ifdef WITH_LDAP_SAM
 	{"Ldap Options", P_SEP, P_SEPARATOR},
 	
 	{"ldap server", P_STRING, P_GLOBAL, &Globals.szLdapServer, NULL, NULL, 0},
 	{"ldap port", P_INTEGER, P_GLOBAL, &Globals.ldap_port, NULL, NULL, 0}, 
 	{"ldap suffix", P_STRING, P_GLOBAL, &Globals.szLdapSuffix, NULL, NULL, 0},
 	{"ldap filter", P_STRING, P_GLOBAL, &Globals.szLdapFilter, NULL, NULL, 0},
-	{"ldap root", P_STRING, P_GLOBAL, &Globals.szLdapRoot, NULL, NULL, 0},
-	{"ldap root passwd", P_STRING, P_GLOBAL, &Globals.szLdapRootPassword, NULL, NULL, 0},
-#endif /* WITH_LDAP */
+	{"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, 0},
+	{"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, 0},
+#endif /* WITH_LDAP_SAM */
 
 	{"Miscellaneous Options", P_SEP, P_SEPARATOR},
 	{"add share command", P_STRING, P_GLOBAL, &Globals.szAddShareCommand, NULL, NULL, 0},
@@ -1287,11 +1302,14 @@ static void init_globals(void)
 	   a large number of sites (tridge) */
 	Globals.bHostnameLookups = False;
 
-#ifdef WITH_LDAP
-	/* default values for ldap */
+#ifdef WITH_LDAP_SAM
 	string_set(&Globals.szLdapServer, "localhost");
+	string_set(&Globals.szLdapSuffix, "");
+	string_set(&Globals.szLdapFilter, "(&(uid=%u)(objectclass=sambaAccount))");
+	string_set(&Globals.szLdapAdminDn, "");
 	Globals.ldap_port = 389;
-#endif /* WITH_LDAP */
+	Globals.ldap_ssl = LDAP_SSL_OFF;
+#endif /* WITH_LDAP_SAM */
 
 #ifdef WITH_SSL
 	Globals.sslVersion = SMB_SSL_V23;
@@ -1492,13 +1510,14 @@ FN_GLOBAL_STRING(lp_template_shell, &Globals.szTemplateShell)
 FN_GLOBAL_STRING(lp_winbind_separator, &Globals.szWinbindSeparator)
 FN_GLOBAL_BOOL(lp_winbind_enum_users, &Globals.bWinbindEnumUsers)
 FN_GLOBAL_BOOL(lp_winbind_enum_groups, &Globals.bWinbindEnumGroups)
-#ifdef WITH_LDAP
+#ifdef WITH_LDAP_SAM
 FN_GLOBAL_STRING(lp_ldap_server, &Globals.szLdapServer)
 FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)
 FN_GLOBAL_STRING(lp_ldap_filter, &Globals.szLdapFilter)
-FN_GLOBAL_STRING(lp_ldap_root, &Globals.szLdapRoot)
-FN_GLOBAL_STRING(lp_ldap_rootpasswd, &Globals.szLdapRootPassword)
-#endif /* WITH_LDAP */
+FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
+FN_GLOBAL_INTEGER(lp_ldap_port, &Globals.ldap_port)
+FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
+#endif /* WITH_LDAP_SAM */
 FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
 FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
 FN_GLOBAL_STRING(lp_delete_share_cmd, &Globals.szDeleteShareCommand)
@@ -1598,9 +1617,6 @@ FN_GLOBAL_INTEGER(lp_stat_cache_size, &Globals.stat_cache_size)
 FN_GLOBAL_INTEGER(lp_map_to_guest, &Globals.map_to_guest)
 FN_GLOBAL_INTEGER(lp_min_passwd_length, &Globals.min_passwd_length)
 FN_GLOBAL_INTEGER(lp_oplock_break_wait_time, &Globals.oplock_break_wait_time)
-#ifdef WITH_LDAP
-FN_GLOBAL_INTEGER(lp_ldap_port, &Globals.ldap_port)
-#endif				/* WITH_LDAP */
 FN_LOCAL_STRING(lp_preexec, szPreExec)
 FN_LOCAL_STRING(lp_postexec, szPostExec)
 FN_LOCAL_STRING(lp_rootpreexec, szRootPreExec)
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 198f557bd6..fd616c6841 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -245,3 +245,44 @@ void reset_globals_after_fork(void)
 	 */
 	generate_random_buffer( &dummy, 1, True);
 }
+
+BOOL secrets_store_ldap_pw(char* dn, char* pw)
+{
+	fstring key;
+	char *p;
+	
+	pstrcpy(key, dn);
+	for (p=key; *p; p++)
+		if (*p == ',') *p = '/';
+	
+	return secrets_store(key, pw, strlen(pw));
+}
+
+BOOL fetch_ldap_pw(char *dn, char* pw, int len)
+{
+	fstring key;
+	char *p;
+	void *data = NULL;
+	size_t size;
+	
+	pstrcpy(key, dn);
+	for (p=key; *p; p++)
+		if (*p == ',') *p = '/';
+	
+	data=secrets_fetch(key, &size);
+	if (!size) {
+		DEBUG(0,("fetch_ldap_pw: no ldap secret retrieved!\n"));
+		return False;
+	}
+	
+	if (size > len-1)
+	{
+		DEBUG(0,("fetch_ldap_pw: ldap secret is too long (%d > %d)!\n", size, len-1));
+		return False;
+	}
+
+	memcpy(pw, data, size);
+	pw[size] = '\0';
+	
+	return True;
+}
diff --git a/source3/rpc_parse/parse_net.c b/source3/rpc_parse/parse_net.c
index 9890527552..bb123330ee 100644
--- a/source3/rpc_parse/parse_net.c
+++ b/source3/rpc_parse/parse_net.c
@@ -1592,18 +1592,21 @@ BOOL net_io_r_sam_logoff(char *desc, NET_R_SAM_LOGOFF *r_l, prs_struct *ps, int
 makes a NET_Q_SAM_SYNC structure.
 ********************************************************************/
 BOOL init_net_q_sam_sync(NET_Q_SAM_SYNC * q_s, const char *srv_name,
-                         const char *cli_name, DOM_CRED * cli_creds, 
-                         uint32 database_id)
+                         const char *cli_name, DOM_CRED *cli_creds, 
+                         DOM_CRED *ret_creds, uint32 database_id)
 {
 	DEBUG(5, ("init_q_sam_sync\n"));
 
 	init_unistr2(&q_s->uni_srv_name, srv_name, strlen(srv_name) + 1);
 	init_unistr2(&q_s->uni_cli_name, cli_name, strlen(cli_name) + 1);
 
-        if (cli_creds) {
+        if (cli_creds)
                 memcpy(&q_s->cli_creds, cli_creds, sizeof(q_s->cli_creds));
-                memset(&q_s->ret_creds, 0, sizeof(q_s->ret_creds));
-        }
+
+	if (cli_creds)
+                memcpy(&q_s->ret_creds, ret_creds, sizeof(q_s->ret_creds));
+	else
+		memset(&q_s->ret_creds, 0, sizeof(q_s->ret_creds));
 
 	q_s->database_id = database_id;
 	q_s->restart_state = 0;
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 524ff5fb49..e98573da0c 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -152,6 +152,7 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli,
         uint32 database_id = 0, num_deltas;
         SAM_DELTA_HDR *hdr_deltas;
         SAM_DELTA_CTR *deltas;
+	DOM_CRED ret_creds;
 
         if (argc > 2) {
                 fprintf(stderr, "Usage: %s [database_id]\n", argv[0]);
@@ -181,9 +182,12 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli,
                 goto done;
         }
 
+	/* on first call the returnAuthenticator is empty */
+	memset(&ret_creds, 0, sizeof(ret_creds));
+ 
         /* Synchronise sam database */
 
-	result = cli_netlogon_sam_sync(cli, mem_ctx, database_id,
+	result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, database_id,
 				       &num_deltas, &hdr_deltas, &deltas);
 
 	if (!NT_STATUS_IS_OK(result))
diff --git a/source3/rpcclient/samsync.c b/source3/rpcclient/samsync.c
index 1379485f1d..4d3e15550e 100644
--- a/source3/rpcclient/samsync.c
+++ b/source3/rpcclient/samsync.c
@@ -264,6 +264,7 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16],
         uint32 num_deltas_0, num_deltas_1, num_deltas_2;
         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 
+	DOM_CRED ret_creds;
         /* Initialise */
 
 	if (!(mem_ctx = talloc_init())) {
@@ -283,9 +284,12 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16],
                 goto done;
         }
 
+	/* on first call the returnAuthenticator is empty */
+	memset(&ret_creds, 0, sizeof(ret_creds));
+
         /* Do sam synchronisation on the SAM database*/
 
-	result = cli_netlogon_sam_sync(cli, mem_ctx, 0, &num_deltas_0, &hdr_deltas_0, &deltas_0);
+	result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, 0, &num_deltas_0, &hdr_deltas_0, &deltas_0);
         
         if (!NT_STATUS_IS_OK(result))
 		goto done;
@@ -300,11 +304,10 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16],
 	 * we must chain the credentials
 	 */
 
-
-#if 0
+#if 1
         /* Do sam synchronisation on the LSA database */
 
-	result = cli_netlogon_sam_sync(cli, mem_ctx, 2, &num_deltas_2, &hdr_deltas_2, &deltas_2);
+	result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, 2, &num_deltas_2, &hdr_deltas_2, &deltas_2);
         
         if (!NT_STATUS_IS_OK(result))
 		goto done;
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index e076687c4f..7086fbff37 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -56,6 +56,9 @@ static void usage(void)
 	printf("  -e                   enable user\n");
 	printf("  -n                   set no password\n");
 	printf("  -m                   machine trust account\n");
+#ifdef WITH_LDAP_SAM
+	printf("  -w                   ldap admin password\n");
+#endif
 
 	exit(1);
 }
@@ -170,6 +173,21 @@ static BOOL password_change(const char *remote_machine, char *user_name,
 	return ret;
 }
 
+#ifdef WITH_LDAP_SAM
+/*******************************************************************
+ Store the LDAP admin password in secrets.tdb
+ ******************************************************************/
+static BOOL store_ldap_admin_pw (char* pw)
+{	
+	if (!pw) 
+		return False;
+
+	if (!secrets_init())
+		return False;
+	
+	return secrets_store_ldap_pw(lp_ldap_admin_dn(), pw);
+}
+#endif
 
 /*************************************************************
  Handle password changing for root.
@@ -186,13 +204,16 @@ static int process_root(int argc, char *argv[])
 	char *new_passwd = NULL;
 	char *old_passwd = NULL;
 	char *remote_machine = NULL;
+#ifdef WITH_LDAP_SAM
+	fstring ldap_secret;
+#endif
 
 	ZERO_STRUCT(user_name);
 	ZERO_STRUCT(user_password);
 
 	user_name[0] = '\0';
 
-	while ((ch = getopt(argc, argv, "axdehmnjr:sR:D:U:L")) != EOF) {
+	while ((ch = getopt(argc, argv, "axdehmnjr:swR:D:U:L")) != EOF) {
 		switch(ch) {
 		case 'L':
 			local_mode = True;
@@ -228,6 +249,15 @@ static int process_root(int argc, char *argv[])
 			set_line_buffering(stderr);
 			stdin_passwd_get = True;
 			break;
+		case 'w':
+#ifdef WITH_LDAP_SAM
+			local_flags |= LOCAL_SET_LDAP_ADMIN_PW;
+			fstrcpy(ldap_secret, optarg);
+			break;
+#else
+			printf("-w not available unless configured --with-ldap\n");
+			goto done;
+#endif			
 		case 'R':
 			lp_set_name_resolve_order(optarg);
 			break;
@@ -259,6 +289,16 @@ static int process_root(int argc, char *argv[])
 	argc -= optind;
 	argv += optind;
 
+#ifdef WITH_LDAP_SAM
+	if (local_flags & LOCAL_SET_LDAP_ADMIN_PW)
+	{
+		printf("Setting stored password for \"%s\" in secrets.tdb\n", 
+			lp_ldap_admin_dn());
+		if (!store_ldap_admin_pw(ldap_secret))
+			DEBUG(0,("ERROR: Failed to store the ldap admin password!\n"));
+		goto done;
+	}
+#endif
 	/*
 	 * Ensure both add/delete user are not set
 	 * Ensure add/delete user and either remote machine or join domain are