-rw-r--r--source3/Makefile.in2
-rw-r--r--source3/auth/auth_domain.c4
-rw-r--r--source3/auth/auth_util.c3
-rw-r--r--source3/include/passdb.h13
-rw-r--r--source3/nsswitch/winbindd_ads.c2
-rw-r--r--source3/nsswitch/winbindd_passdb.c3
-rw-r--r--source3/passdb/lookup_sid.c9
-rw-r--r--source3/passdb/passdb.c43
-rw-r--r--source3/passdb/pdb_interface.c76
-rw-r--r--source3/passdb/secrets.c41
-rw-r--r--source3/rpc_server/srv_lsa_nt.c3
-rw-r--r--source3/utils/net_rpc.c18
12 files changed, 153 insertions, 64 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index bed5d77814..7dbb979c7b 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -536,6 +536,7 @@ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
$(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) \
rpc_client/cli_pipe.o $(RPC_PARSE_OBJ2) \
$(RPC_CLIENT_OBJ1) \
+ $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(LDB_OBJ) $(GROUPDB_OBJ) \
$(LIBMSRPC_GEN_OBJ)
TESTPARM_OBJ = utils/testparm.o \
@@ -607,6 +608,7 @@ CLIENT_OBJ1 = client/client.o client/clitar.o rpc_client/cli_pipe.o \
CLIENT_OBJ = $(CLIENT_OBJ1) $(PARAM_OBJ) $(LIBSMB_OBJ) \
$(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(LIBMSRPC_GEN_OBJ) \
$(READLINE_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) \
+ $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(LDB_OBJ) \
$(DISPLAY_SEC_OBJ)
TOOL_OBJ = client/smbctool.o client/clitar.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 6468c18cb0..6517852093 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -408,8 +408,8 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
* No need to become_root() as secrets_init() is done at startup.
*/
- if (!secrets_fetch_trusted_domain_password(user_info->domain, &trust_password,
- &sid, &last_change_time)) {
+ if (!pdb_get_trusteddom_pw(user_info->domain, &trust_password,
+ &sid, &last_change_time)) {
DEBUG(0, ("check_trustdomain_security: could not fetch trust "
"account password for domain %s\n",
user_info->domain));
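Review bot: The comment just above the call ("No need to become_root() as secrets_init() is done at startup") now justifies a call that no longer necessarily reads secrets.tdb: pdb_get_trusteddom_pw dispatches through the passdb backend, and the sibling hunk in auth_util.c wraps the very same call in become_root()/unbecome_root(). With the default methods behaviour is unchanged, since pdb_default_get_trusteddom_pw still calls secrets_fetch_trusted_domain_password, but a backend with its own credential store (the pdb_ldap replacement the interface comment anticipates) may not be readable from this context. Either wrap the call as is_trusted_domain() does, or replace the stale comment with `/* Default backend still reads secrets.tdb (opened by secrets_init() at startup); a backend that needs privilege must be called under become_root(), as in is_trusted_domain(). */`. check_trustdomain_security() starts and ends outside this hunk.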
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 94551cb8a5..1080ced51b 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -2142,8 +2142,7 @@ BOOL is_trusted_domain(const char* dom_name)
become_root();
DEBUG (5,("is_trusted_domain: Checking for domain trust with "
"[%s]\n", dom_name ));
- ret = secrets_fetch_trusted_domain_password(dom_name, NULL,
- NULL, NULL);
+ ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
unbecome_root();
if (ret)
return True;
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index 092904ab60..d5abb7ad55 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -403,6 +403,19 @@ struct pdb_methods
BOOL (*rid_algorithm)(struct pdb_methods *methods);
BOOL (*new_rid)(struct pdb_methods *methods, uint32 *rid);
+
+ BOOL (*get_trusteddom_pw)(struct pdb_methods *methods,
+ const char *domain, char** pwd,
+ DOM_SID *sid, time_t *pass_last_set_time);
+ BOOL (*set_trusteddom_pw)(struct pdb_methods *methods,
+ const char* domain, const char* pwd,
+ const DOM_SID *sid);
+ BOOL (*del_trusteddom_pw)(struct pdb_methods *methods,
+ const char *domain);
+ NTSTATUS (*enum_trusteddoms)(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx, uint32 *num_domains,
+ struct trustdom_info ***domains);
+
void *private_data; /* Private data of some kind */
void (*free_private_data)(void **);
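Review bot: The four new method slots carry no contract for implementers, yet callers in this commit already rely on two unstated rules: `get_trusteddom_pw` must accept NULL for pwd, sid and pass_last_set_time (auth_util.c and lookup_sid.c pass NULLs), and a non-NULL *pwd it returns is heap-allocated and released by the caller with SAFE_FREE (get_trust_pw in passdb.c). A backend that overrides the default without honouring either will crash on the NULL or leak the cleartext trust password. I would put a comment above the block, e.g. `/* Trusted-domain credentials. pwd/sid/pass_last_set_time may be NULL; on success *pwd is a malloc'd cleartext password the caller must free. Returns False when the domain is unknown or the backend fails. */`. Whether "unknown domain" and "backend error" should be distinguishable is worth deciding here, since is_trusted_domain() treats any False as "not trusted". struct pdb_methods begins outside this hunk.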
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 3505f183f2..8cb60806f8 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -81,7 +81,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
DOM_SID sid;
time_t last_set_time;
- if ( !secrets_fetch_trusted_domain_password( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
+ if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
ads_destroy( &ads );
return NULL;
}
diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c
index 70590579cc..c8a9eea1c9 100644
--- a/source3/nsswitch/winbindd_passdb.c
+++ b/source3/nsswitch/winbindd_passdb.c
@@ -541,8 +541,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
return NT_STATUS_NO_MEMORY;
}
- nt_status = secrets_trusted_domains(tmp_ctx, num_domains,
- &domains);
+ nt_status = pdb_enum_trusteddoms(tmp_ctx, num_domains, &domains);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(tmp_ctx);
return nt_status;
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index c1dca6e433..82db246f04 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -178,8 +178,7 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
/* 5. Trusted domains as such, to me it looks as if members don't do
this, tested an XP workstation in a NT domain -- vl */
- if (IS_DC && (secrets_fetch_trusted_domain_password(name, NULL,
- &sid, NULL))) {
+ if (IS_DC && (pdb_get_trusteddom_pw(name, NULL, &sid, NULL))) {
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
@@ -581,9 +580,9 @@ static BOOL lookup_as_domain(const DOM_SID *sid, TALLOC_CTX *mem_ctx,
* and for SIDs that have 4 sub-authorities and thus look like
* domains */
- if (!NT_STATUS_IS_OK(secrets_trusted_domains(mem_ctx,
- &num_domains,
- &domains))) {
+ if (!NT_STATUS_IS_OK(pdb_enum_trusteddoms(mem_ctx,
+ &num_domains,
+ &domains))) {
return False;
}
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 310ab50d14..266b28fe95 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -1523,3 +1523,46 @@ BOOL pdb_increment_bad_password_count(struct samu *sampass)
return True;
}
+
+
+/*******************************************************************
+ Wrapper around retrieving the trust account password
+*******************************************************************/
+
+BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
+{
+ DOM_SID sid;
+ char *pwd;
+ time_t last_set_time;
+
+ /* if we are a DC and this is not our domain, then lookup an account
+ for the domain trust */
+
+ if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) {
+ if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &last_set_time)) {
+ DEBUG(0, ("get_trust_pw: could not fetch trust "
+ "account password for trusted domain %s\n",
+ domain));
+ return False;
+ }
+
+ *channel = SEC_CHAN_DOMAIN;
+ E_md4hash(pwd, ret_pwd);
+ SAFE_FREE(pwd);
+
+ return True;
+ }
+
+ /* Just get the account for the requested domain. In the future this
+ * might also cover to be member of more than one domain. */
+
+ if (secrets_fetch_trust_account_password(domain, ret_pwd,
+ &last_set_time, channel))
+ return True;
+
+ DEBUG(5, ("get_trust_pw: could not fetch trust account "
+ "password for domain %s\n", domain));
+ return False;
+}
+
+/* END */
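Review bot: In get_trust_pw the cleartext trusted-domain password in `pwd` is released with SAFE_FREE right after E_md4hash without being wiped, so the secret stays in freed heap memory; this is carried over from secrets.c, but moving the function is the moment to fix it: `memset(pwd, 0, strlen(pwd));` before `SAFE_FREE(pwd);` (or the tree's secure-wipe helper if one exists, since a plain memset before free can be optimised out). The return value of E_md4hash is also ignored; if it reports a conversion failure (it returns BOOL in this tree, if I read it right) the function still returns True with whatever ended up in ret_pwd, so `if (!E_md4hash(pwd, ret_pwd)) { /* wipe, free */ return False; }` is worth adding. `sid` and `last_set_time` are fetched from the backend but never used.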
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index f7990f2939..36536e5fea 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -1997,6 +1997,77 @@ void pdb_search_destroy(struct pdb_search *search)
}
/*******************************************************************
+ trustodm methods
+ *******************************************************************/
+
+BOOL pdb_get_trusteddom_pw(const char *domain, char** pwd, DOM_SID *sid,
+ time_t *pass_last_set_time)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
+ pass_last_set_time);
+}
+
+BOOL pdb_set_trusteddom_pw(const char* domain, const char* pwd,
+ const DOM_SID *sid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
+}
+
+BOOL pdb_del_trusteddom_pw(const char *domain)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->del_trusteddom_pw(pdb, domain);
+}
+
+NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32 *num_domains,
+ struct trustdom_info ***domains)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
+}
+
+/*******************************************************************
+ the defaults for trustdom methods:
+ these simply call the original passdb/secrets.c actions,
+ to be replaced by pdb_ldap.
+ *******************************************************************/
+
+static BOOL pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
+ const char *domain,
+ char** pwd,
+ DOM_SID *sid,
+ time_t *pass_last_set_time)
+{
+ return secrets_fetch_trusted_domain_password(domain, pwd,
+ sid, pass_last_set_time);
+
+}
+
+static BOOL pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
+ const char* domain,
+ const char* pwd,
+ const DOM_SID *sid)
+{
+ return secrets_store_trusted_domain_password(domain, pwd, sid);
+}
+
+static BOOL pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
+ const char *domain)
+{
+ return trusted_domain_password_delete(domain);
+}
+
+static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_domains,
+ struct trustdom_info ***domains)
+{
+ return secrets_trusted_domains(mem_ctx, num_domains, domains);
+}
+
+/*******************************************************************
Create a pdb_methods structure and initialize it with the default
operations. In this way a passdb module can simply implement
the functionality it cares about. However, normally this is done
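Review bot: The comment block title reads `trustodm methods` (typo for trustdom), and the public wrappers under it say nothing about ownership even though pdb_get_trusteddom_pw hands back a malloc'd cleartext password: the one caller that frees it is get_trust_pw (SAFE_FREE), while the NULL-pwd callers in auth_util.c and lookup_sid.c rely on the backend tolerating NULL out-parameters. Suggest a one-line comment over pdb_get_trusteddom_pw: `/* Out-params may be NULL; a returned *pwd is cleartext, malloc'd, and must be SAFE_FREE'd (ideally wiped first) by the caller. */`. The wrappers dereference the method pointer without a NULL check, which is safe only because make_pdb_method installs the defaults; if the other pdb_* wrappers in this file follow the same pattern I would keep it consistent rather than add checks here.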
@@ -2060,5 +2131,10 @@ NTSTATUS make_pdb_method( struct pdb_methods **methods )
(*methods)->search_groups = pdb_default_search_groups;
(*methods)->search_aliases = pdb_default_search_aliases;
+ (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
+ (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
+ (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
+ (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
+
return NT_STATUS_OK;
}
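Review bot: Installing the four defaults independently lets a backend override a subset — say get/set_trusteddom_pw in LDAP — while del_trusteddom_pw and enum_trusteddoms still go to secrets.tdb; `net rpc trustdom revoke` would then delete from secrets.tdb while the backend keeps serving the password, so the trust is not actually revoked, and _lsa_enum_trust_dom would not list trusts that still authenticate. Nothing in make_pdb_method prevents that split. A comment next to these assignments would at least warn: `/* Override all four together: a trust stored in one backend but revoked or enumerated from another stays usable. */`. make_pdb_method() starts outside this hunk.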
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 3ac3a93233..262ca4f7ed 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -655,47 +655,6 @@ char *secrets_fetch_machine_password(const char *domain,
return ret;
}
-/*******************************************************************
- Wrapper around retrieving the trust account password
-*******************************************************************/
-
-BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
-{
- DOM_SID sid;
- char *pwd;
- time_t last_set_time;
-
- /* if we are a DC and this is not our domain, then lookup an account
- for the domain trust */
-
- if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) {
- if (!secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
- &last_set_time)) {
- DEBUG(0, ("get_trust_pw: could not fetch trust "
- "account password for trusted domain %s\n",
- domain));
- return False;
- }
-
- *channel = SEC_CHAN_DOMAIN;
- E_md4hash(pwd, ret_pwd);
- SAFE_FREE(pwd);
-
- return True;
- }
-
- /* Just get the account for the requested domain. In the future this
- * might also cover to be member of more than one domain. */
-
- if (secrets_fetch_trust_account_password(domain, ret_pwd,
- &last_set_time, channel))
- return True;
-
- DEBUG(5, ("get_trust_pw: could not fetch trust account "
- "password for domain %s\n", domain));
- return False;
-}
-
/************************************************************************
Routine to delete the machine trust account password file for a domain.
************************************************************************/
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 1a92ec6740..44ec292750 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -648,8 +648,7 @@ NTSTATUS _lsa_enum_trust_dom(pipes_struct *p, LSA_Q_ENUM_TRUST_DOM *q_u,
if (!(info->access & POLICY_VIEW_LOCAL_INFORMATION))
return NT_STATUS_ACCESS_DENIED;
- nt_status = secrets_trusted_domains(p->mem_ctx, &num_domains,
- &domains);
+ nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 366f63dc5b..e29d0495d1 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -5604,9 +5604,7 @@ static int rpc_trustdom_establish(int argc, const char **argv)
* Store the password in secrets db
*/
- if (!secrets_store_trusted_domain_password(domain_name,
- opt_password,
- domain_sid)) {
+ if (!pdb_set_trusteddom_pw(domain_name, opt_password, domain_sid)) {
DEBUG(0, ("Storing password for trusted domain failed.\n"));
cli_shutdown(cli);
return -1;
@@ -5644,6 +5642,7 @@ static int rpc_trustdom_establish(int argc, const char **argv)
static int rpc_trustdom_revoke(int argc, const char **argv)
{
char* domain_name;
+ int rc = -1;
if (argc < 1) return -1;
@@ -5652,13 +5651,16 @@ static int rpc_trustdom_revoke(int argc, const char **argv)
strupper_m(domain_name);
/* delete password of the trust */
- if (!trusted_domain_password_delete(domain_name)) {
+ if (!pdb_del_trusteddom_pw(domain_name)) {
DEBUG(0, ("Failed to revoke relationship to the trusted domain %s\n",
domain_name));
- return -1;
+ goto done;
};
- return 0;
+ rc = 0;
+done:
+ SAFE_FREE(domain_name);
+ return rc;
}
/**
@@ -5744,9 +5746,7 @@ static NTSTATUS vampire_trusted_domain(struct rpc_pipe_client *pipe_hnd,
goto done;
}
- if (!secrets_store_trusted_domain_password(trusted_dom_name,
- cleartextpwd,
- &dom_sid)) {
+ if (!pdb_set_trusteddom_pw(trusted_dom_name, cleartextpwd, &dom_sid)) {
DEBUG(0, ("Storing password for trusted domain failed.\n"));
nt_status = NT_STATUS_UNSUCCESSFUL;
goto done;