summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/include/smb.h7
-rw-r--r--source3/libsmb/cli_netlogon.c6
-rw-r--r--source3/param/loadparm.c58
-rw-r--r--source3/passdb/secrets.c41
-rw-r--r--source3/rpc_parse/parse_net.c13
-rw-r--r--source3/rpcclient/cmd_netlogon.c6
-rw-r--r--source3/rpcclient/samsync.c11
-rw-r--r--source3/utils/smbpasswd.c42
8 files changed, 150 insertions, 34 deletions
diff --git a/source3/include/smb.h b/source3/include/smb.h
index fa4cec4bdb..fafaf36c3e 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -655,6 +655,7 @@ typedef struct sam_passwd
#define LOCAL_TRUST_ACCOUNT 0x10
#define LOCAL_SET_NO_PASSWORD 0x20
#define LOCAL_SET_PASSWORD 0x40
+#define LOCAL_SET_LDAP_ADMIN_PW 0x80
/* key and data in the connections database - used in smbstatus and smbd */
struct connections_key {
@@ -1316,6 +1317,12 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
#endif /* DEVELOPER */
};
+/* LDAP schema types */
+enum schema_types {SCHEMA_COMPAT, SCHEMA_AD, SCHEMA_SAMBA};
+
+/* LDAP SSL options */
+enum ldap_ssl_types {LDAP_SSL_ON, LDAP_SSL_OFF, LDAP_SSL_START_TLS};
+
/* Remote architectures we know about. */
enum remote_arch_types {RA_UNKNOWN, RA_WFWG, RA_OS2, RA_WIN95, RA_WINNT, RA_WIN2K, RA_SAMBA};
diff --git a/source3/libsmb/cli_netlogon.c b/source3/libsmb/cli_netlogon.c
index 896af0d7c9..8840a6264b 100644
--- a/source3/libsmb/cli_netlogon.c
+++ b/source3/libsmb/cli_netlogon.c
@@ -282,7 +282,7 @@ static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred)
/* Sam synchronisation */
-NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx,
+NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, DOM_CRED *ret_creds,
uint32 database_id, uint32 *num_deltas,
SAM_DELTA_HDR **hdr_deltas,
SAM_DELTA_CTR **deltas)
@@ -306,7 +306,7 @@ NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx,
gen_next_creds(cli, &clnt_creds);
init_net_q_sam_sync(&q, cli->srv_name_slash, cli->clnt_name_slash + 2,
- &clnt_creds, database_id);
+ &clnt_creds, ret_creds, database_id);
/* Marshall data and send request */
@@ -330,6 +330,8 @@ NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx,
*hdr_deltas = r.hdr_deltas;
*deltas = r.deltas;
+ memcpy(ret_creds, &r.srv_creds, sizeof(*ret_creds));
+
done:
prs_mem_free(&qbuf);
prs_mem_free(&rbuf);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 44aa861940..8a8123ed18 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -131,11 +131,6 @@ typedef struct
char **szNetbiosAliases;
char *szDomainOtherSIDs;
char *szNameResolveOrder;
- char *szLdapServer;
- char *szLdapSuffix;
- char *szLdapFilter;
- char *szLdapRoot;
- char *szLdapRootPassword;
char *szPanicAction;
char *szAddUserScript;
char *szDelUserScript;
@@ -200,9 +195,14 @@ typedef struct
int min_passwd_length;
int oplock_break_wait_time;
int winbind_cache_time;
-#ifdef WITH_LDAP
+#ifdef WITH_LDAP_SAM
int ldap_port;
-#endif /* WITH_LDAP */
+ int ldap_ssl;
+ char *szLdapServer;
+ char *szLdapSuffix;
+ char *szLdapFilter;
+ char *szLdapAdminDn;
+#endif /* WITH_LDAP_SAM */
#ifdef WITH_SSL
int sslVersion;
char **sslHostsRequire;
@@ -568,6 +568,21 @@ static struct enum_list enum_printing[] = {
{-1, NULL}
};
+#ifdef WITH_LDAP_SAM
+static struct enum_list enum_ldap_ssl[] = {
+ {LDAP_SSL_ON, "Yes"},
+ {LDAP_SSL_ON, "yes"},
+ {LDAP_SSL_ON, "on"},
+ {LDAP_SSL_ON, "On"},
+ {LDAP_SSL_OFF, "no"},
+ {LDAP_SSL_OFF, "No"},
+ {LDAP_SSL_OFF, "off"},
+ {LDAP_SSL_OFF, "Off"},
+ {LDAP_SSL_START_TLS, "start tls"},
+ {-1, NULL}
+};
+#endif /* WITH_LDAP_SAM */
+
/* Types of machine we can announce as. */
#define ANNOUNCE_AS_NT_SERVER 1
#define ANNOUNCE_AS_WIN95 2
@@ -939,16 +954,16 @@ static struct parm_struct parm_table[] = {
{"strict locking", P_BOOL, P_LOCAL, &sDefault.bStrictLocking, NULL, NULL, FLAG_SHARE | FLAG_GLOBAL},
{"share modes", P_BOOL, P_LOCAL, &sDefault.bShareModes, NULL, NULL, FLAG_SHARE | FLAG_GLOBAL},
-#ifdef WITH_LDAP
+#ifdef WITH_LDAP_SAM
{"Ldap Options", P_SEP, P_SEPARATOR},
{"ldap server", P_STRING, P_GLOBAL, &Globals.szLdapServer, NULL, NULL, 0},
{"ldap port", P_INTEGER, P_GLOBAL, &Globals.ldap_port, NULL, NULL, 0},
{"ldap suffix", P_STRING, P_GLOBAL, &Globals.szLdapSuffix, NULL, NULL, 0},
{"ldap filter", P_STRING, P_GLOBAL, &Globals.szLdapFilter, NULL, NULL, 0},
- {"ldap root", P_STRING, P_GLOBAL, &Globals.szLdapRoot, NULL, NULL, 0},
- {"ldap root passwd", P_STRING, P_GLOBAL, &Globals.szLdapRootPassword, NULL, NULL, 0},
-#endif /* WITH_LDAP */
+ {"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, 0},
+ {"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, 0},
+#endif /* WITH_LDAP_SAM */
{"Miscellaneous Options", P_SEP, P_SEPARATOR},
{"add share command", P_STRING, P_GLOBAL, &Globals.szAddShareCommand, NULL, NULL, 0},
@@ -1287,11 +1302,14 @@ static void init_globals(void)
a large number of sites (tridge) */
Globals.bHostnameLookups = False;
-#ifdef WITH_LDAP
- /* default values for ldap */
+#ifdef WITH_LDAP_SAM
string_set(&Globals.szLdapServer, "localhost");
+ string_set(&Globals.szLdapSuffix, "");
+ string_set(&Globals.szLdapFilter, "(&(uid=%u)(objectclass=sambaAccount))");
+ string_set(&Globals.szLdapAdminDn, "");
Globals.ldap_port = 389;
-#endif /* WITH_LDAP */
+ Globals.ldap_ssl = LDAP_SSL_OFF;
+#endif /* WITH_LDAP_SAM */
#ifdef WITH_SSL
Globals.sslVersion = SMB_SSL_V23;
@@ -1492,13 +1510,14 @@ FN_GLOBAL_STRING(lp_template_shell, &Globals.szTemplateShell)
FN_GLOBAL_STRING(lp_winbind_separator, &Globals.szWinbindSeparator)
FN_GLOBAL_BOOL(lp_winbind_enum_users, &Globals.bWinbindEnumUsers)
FN_GLOBAL_BOOL(lp_winbind_enum_groups, &Globals.bWinbindEnumGroups)
-#ifdef WITH_LDAP
+#ifdef WITH_LDAP_SAM
FN_GLOBAL_STRING(lp_ldap_server, &Globals.szLdapServer)
FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)
FN_GLOBAL_STRING(lp_ldap_filter, &Globals.szLdapFilter)
-FN_GLOBAL_STRING(lp_ldap_root, &Globals.szLdapRoot)
-FN_GLOBAL_STRING(lp_ldap_rootpasswd, &Globals.szLdapRootPassword)
-#endif /* WITH_LDAP */
+FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
+FN_GLOBAL_INTEGER(lp_ldap_port, &Globals.ldap_port)
+FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
+#endif /* WITH_LDAP_SAM */
FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
FN_GLOBAL_STRING(lp_delete_share_cmd, &Globals.szDeleteShareCommand)
@@ -1598,9 +1617,6 @@ FN_GLOBAL_INTEGER(lp_stat_cache_size, &Globals.stat_cache_size)
FN_GLOBAL_INTEGER(lp_map_to_guest, &Globals.map_to_guest)
FN_GLOBAL_INTEGER(lp_min_passwd_length, &Globals.min_passwd_length)
FN_GLOBAL_INTEGER(lp_oplock_break_wait_time, &Globals.oplock_break_wait_time)
-#ifdef WITH_LDAP
-FN_GLOBAL_INTEGER(lp_ldap_port, &Globals.ldap_port)
-#endif /* WITH_LDAP */
FN_LOCAL_STRING(lp_preexec, szPreExec)
FN_LOCAL_STRING(lp_postexec, szPostExec)
FN_LOCAL_STRING(lp_rootpreexec, szRootPreExec)
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 198f557bd6..fd616c6841 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -245,3 +245,44 @@ void reset_globals_after_fork(void)
*/
generate_random_buffer( &dummy, 1, True);
}
+
+BOOL secrets_store_ldap_pw(char* dn, char* pw)
+{
+ fstring key;
+ char *p;
+
+ pstrcpy(key, dn);
+ for (p=key; *p; p++)
+ if (*p == ',') *p = '/';
+
+ return secrets_store(key, pw, strlen(pw));
+}
+
+BOOL fetch_ldap_pw(char *dn, char* pw, int len)
+{
+ fstring key;
+ char *p;
+ void *data = NULL;
+ size_t size;
+
+ pstrcpy(key, dn);
+ for (p=key; *p; p++)
+ if (*p == ',') *p = '/';
+
+ data=secrets_fetch(key, &size);
+ if (!size) {
+ DEBUG(0,("fetch_ldap_pw: no ldap secret retrieved!\n"));
+ return False;
+ }
+
+ if (size > len-1)
+ {
+ DEBUG(0,("fetch_ldap_pw: ldap secret is too long (%d > %d)!\n", size, len-1));
+ return False;
+ }
+
+ memcpy(pw, data, size);
+ pw[size] = '\0';
+
+ return True;
+}
diff --git a/source3/rpc_parse/parse_net.c b/source3/rpc_parse/parse_net.c
index 9890527552..bb123330ee 100644
--- a/source3/rpc_parse/parse_net.c
+++ b/source3/rpc_parse/parse_net.c
@@ -1592,18 +1592,21 @@ BOOL net_io_r_sam_logoff(char *desc, NET_R_SAM_LOGOFF *r_l, prs_struct *ps, int
makes a NET_Q_SAM_SYNC structure.
********************************************************************/
BOOL init_net_q_sam_sync(NET_Q_SAM_SYNC * q_s, const char *srv_name,
- const char *cli_name, DOM_CRED * cli_creds,
- uint32 database_id)
+ const char *cli_name, DOM_CRED *cli_creds,
+ DOM_CRED *ret_creds, uint32 database_id)
{
DEBUG(5, ("init_q_sam_sync\n"));
init_unistr2(&q_s->uni_srv_name, srv_name, strlen(srv_name) + 1);
init_unistr2(&q_s->uni_cli_name, cli_name, strlen(cli_name) + 1);
- if (cli_creds) {
+ if (cli_creds)
memcpy(&q_s->cli_creds, cli_creds, sizeof(q_s->cli_creds));
- memset(&q_s->ret_creds, 0, sizeof(q_s->ret_creds));
- }
+
+ if (cli_creds)
+ memcpy(&q_s->ret_creds, ret_creds, sizeof(q_s->ret_creds));
+ else
+ memset(&q_s->ret_creds, 0, sizeof(q_s->ret_creds));
q_s->database_id = database_id;
q_s->restart_state = 0;
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 524ff5fb49..e98573da0c 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -152,6 +152,7 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli,
uint32 database_id = 0, num_deltas;
SAM_DELTA_HDR *hdr_deltas;
SAM_DELTA_CTR *deltas;
+ DOM_CRED ret_creds;
if (argc > 2) {
fprintf(stderr, "Usage: %s [database_id]\n", argv[0]);
@@ -181,9 +182,12 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli,
goto done;
}
+ /* on first call the returnAuthenticator is empty */
+ memset(&ret_creds, 0, sizeof(ret_creds));
+
/* Synchronise sam database */
- result = cli_netlogon_sam_sync(cli, mem_ctx, database_id,
+ result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, database_id,
&num_deltas, &hdr_deltas, &deltas);
if (!NT_STATUS_IS_OK(result))
diff --git a/source3/rpcclient/samsync.c b/source3/rpcclient/samsync.c
index 1379485f1d..4d3e15550e 100644
--- a/source3/rpcclient/samsync.c
+++ b/source3/rpcclient/samsync.c
@@ -264,6 +264,7 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16],
uint32 num_deltas_0, num_deltas_1, num_deltas_2;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ DOM_CRED ret_creds;
/* Initialise */
if (!(mem_ctx = talloc_init())) {
@@ -283,9 +284,12 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16],
goto done;
}
+ /* on first call the returnAuthenticator is empty */
+ memset(&ret_creds, 0, sizeof(ret_creds));
+
/* Do sam synchronisation on the SAM database*/
- result = cli_netlogon_sam_sync(cli, mem_ctx, 0, &num_deltas_0, &hdr_deltas_0, &deltas_0);
+ result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, 0, &num_deltas_0, &hdr_deltas_0, &deltas_0);
if (!NT_STATUS_IS_OK(result))
goto done;
@@ -300,11 +304,10 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16],
* we must chain the credentials
*/
-
-#if 0
+#if 1
/* Do sam synchronisation on the LSA database */
- result = cli_netlogon_sam_sync(cli, mem_ctx, 2, &num_deltas_2, &hdr_deltas_2, &deltas_2);
+ result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, 2, &num_deltas_2, &hdr_deltas_2, &deltas_2);
if (!NT_STATUS_IS_OK(result))
goto done;
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index e076687c4f..7086fbff37 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -56,6 +56,9 @@ static void usage(void)
printf(" -e enable user\n");
printf(" -n set no password\n");
printf(" -m machine trust account\n");
+#ifdef WITH_LDAP_SAM
+ printf(" -w ldap admin password\n");
+#endif
exit(1);
}
@@ -170,6 +173,21 @@ static BOOL password_change(const char *remote_machine, char *user_name,
return ret;
}
+#ifdef WITH_LDAP_SAM
+/*******************************************************************
+ Store the LDAP admin password in secrets.tdb
+ ******************************************************************/
+static BOOL store_ldap_admin_pw (char* pw)
+{
+ if (!pw)
+ return False;
+
+ if (!secrets_init())
+ return False;
+
+ return secrets_store_ldap_pw(lp_ldap_admin_dn(), pw);
+}
+#endif
/*************************************************************
Handle password changing for root.
@@ -186,13 +204,16 @@ static int process_root(int argc, char *argv[])
char *new_passwd = NULL;
char *old_passwd = NULL;
char *remote_machine = NULL;
+#ifdef WITH_LDAP_SAM
+ fstring ldap_secret;
+#endif
ZERO_STRUCT(user_name);
ZERO_STRUCT(user_password);
user_name[0] = '\0';
- while ((ch = getopt(argc, argv, "axdehmnjr:sR:D:U:L")) != EOF) {
+ while ((ch = getopt(argc, argv, "axdehmnjr:swR:D:U:L")) != EOF) {
switch(ch) {
case 'L':
local_mode = True;
@@ -228,6 +249,15 @@ static int process_root(int argc, char *argv[])
set_line_buffering(stderr);
stdin_passwd_get = True;
break;
+ case 'w':
+#ifdef WITH_LDAP_SAM
+ local_flags |= LOCAL_SET_LDAP_ADMIN_PW;
+ fstrcpy(ldap_secret, optarg);
+ break;
+#else
+ printf("-w not available unless configured --with-ldap\n");
+ goto done;
+#endif
case 'R':
lp_set_name_resolve_order(optarg);
break;
@@ -259,6 +289,16 @@ static int process_root(int argc, char *argv[])
argc -= optind;
argv += optind;
+#ifdef WITH_LDAP_SAM
+ if (local_flags & LOCAL_SET_LDAP_ADMIN_PW)
+ {
+ printf("Setting stored password for \"%s\" in secrets.tdb\n",
+ lp_ldap_admin_dn());
+ if (!store_ldap_admin_pw(ldap_secret))
+ DEBUG(0,("ERROR: Failed to store the ldap admin password!\n"));
+ goto done;
+ }
+#endif
/*
* Ensure both add/delete user are not set
* Ensure add/delete user and either remote machine or join domain are