summaryrefslogtreecommitdiff
path: root/source3/passdb/machine_account_secrets.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/passdb/machine_account_secrets.c')
-rw-r--r--source3/passdb/machine_account_secrets.c99
1 files changed, 49 insertions, 50 deletions
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 565c7c4c20..a2bd8be493 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -53,18 +53,52 @@ static const char *domain_sid_keystr(const char *domain)
return keystr;
}
+static const char *protect_ids_keystr(const char *domain)
+{
+ char *keystr;
+
+ keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
+ SECRETS_PROTECT_IDS, domain);
+ SMB_ASSERT(keystr != NULL);
+ return keystr;
+}
+
+/* N O T E: never use this outside of passdb modules that store the SID on their own */
+bool secrets_mark_domain_protected(const char *domain)
+{
+ bool ret;
+
+ ret = secrets_store(protect_ids_keystr(domain), "TRUE", 5);
+ if (!ret) {
+ DEBUG(0, ("Failed to protect the Domain IDs\n"));
+ }
+ return ret;
+}
+
+bool secrets_clear_domain_protection(const char *domain)
+{
+ bool ret;
+
+ ret = secrets_delete(protect_ids_keystr(domain));
+ if (!ret) {
+ DEBUG(0, ("Failed to remove Domain IDs protection\n"));
+ }
+ return ret;
+}
+
bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid)
{
+ char *protect_ids;
bool ret;
#if _SAMBA_BUILD_ == 4
- if (strequal(domain, get_global_sam_name()) &&
- (pdb_capabilities() & PDB_CAP_ADS)) {
- /* If we have a ADS-capable passdb backend, we
- * must never make up our own SID, it will
- * already be in the directory */
- DEBUG(0, ("Refusing to store a Domain SID, this should be read from the directory not stored here\n"));
- return false;
+ protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL);
+ if (protect_ids) {
+ if (strncmp(protect_ids, "TRUE", 4)) {
+ DEBUG(0, ("Refusing to store a Domain SID, "
+ "it has been marked as protected!\n"));
+ return false;
+ }
}
#endif
@@ -81,24 +115,6 @@ bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid)
struct dom_sid *dyn_sid;
size_t size = 0;
-#if _SAMBA_BUILD_ == 4
- if (strequal(domain, get_global_sam_name()) &&
- (pdb_capabilities() & PDB_CAP_ADS)) {
- struct pdb_domain_info *domain_info;
- domain_info = pdb_get_domain_info(talloc_tos());
- if (!domain_info) {
- /* If we have a ADS-capable passdb backend, we
- * must never make up our own SID, it will
- * already be in the directory */
- DEBUG(0, ("Unable to fetch a Domain SID from the directory!\n"));
- return false;
- }
-
- *sid = domain_info->sid;
- return true;
- }
-#endif
-
dyn_sid = (struct dom_sid *)secrets_fetch(domain_sid_keystr(domain), &size);
if (dyn_sid == NULL)
@@ -116,16 +132,17 @@ bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid)
bool secrets_store_domain_guid(const char *domain, struct GUID *guid)
{
+ char *protect_ids;
fstring key;
#if _SAMBA_BUILD_ == 4
- if (strequal(domain, get_global_sam_name()) &&
- (pdb_capabilities() & PDB_CAP_ADS)) {
- /* If we have a ADS-capable passdb backend, we
- * must never make up our own GUID, it will
- * already be in the directory */
- DEBUG(0, ("Refusing to store a Domain GUID, this should be read from the directory not stored here\n"));
- return false;
+ protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL);
+ if (protect_ids) {
+ if (strncmp(protect_ids, "TRUE", 4)) {
+ DEBUG(0, ("Refusing to store a Domain SID, "
+ "it has been marked as protected!\n"));
+ return false;
+ }
}
#endif
@@ -141,24 +158,6 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
size_t size = 0;
struct GUID new_guid;
-#if _SAMBA_BUILD_ == 4
- if (strequal(domain, get_global_sam_name()) &&
- (pdb_capabilities() & PDB_CAP_ADS)) {
- struct pdb_domain_info *domain_info;
- domain_info = pdb_get_domain_info(talloc_tos());
- if (!domain_info) {
- /* If we have a ADS-capable passdb backend, we
- * must never make up our own SID, it will
- * already be in the directory */
- DEBUG(0, ("Unable to fetch a Domain GUID from the directory!\n"));
- return false;
- }
-
- *guid = domain_info->guid;
- return true;
- }
-#endif
-
slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
strupper_m(key);
dyn_guid = (struct GUID *)secrets_fetch(key, &size);
generated by cgit (git 2.34.1) at 2024-07-21 03:39:55 +0000