Diffstat (limited to 'source3/passdb/pdb_tdb.c')
-rw-r--r-- | source3/passdb/pdb_tdb.c | 627 |
1 files changed, 1 insertions, 626 deletions
diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
index 8f2fe7651f..9bfb10c400 100644
--- a/source3/passdb/pdb_tdb.c
+++ b/source3/passdb/pdb_tdb.c
@@ -42,7 +42,6 @@ static int tdbsam_debug_level = DBGC_ALL;
 #define PASSDB_FILE_NAME "passdb.tdb"
 #define USERPREFIX "USER_"
 #define RIDPREFIX "RID_"
-#define PRIVPREFIX "PRIV_"
 #define tdbsamver_t int32
 
 struct tdbsam_privates {
@@ -698,620 +697,6 @@ static void free_private_data(void **vp) /* No need to free any further, as it is talloc()ed */ } -/** - * Start trust passwords enumeration. This function is a simple - * wrapper for calling gettrustpwent with null pointer passed. - * - * @param methods methods belonging in pdb context (module) - * @return nt status of performed operation - **/ - -static NTSTATUS tdbsam_settrustpwent(struct pdb_methods *methods) -{ - /* rewind enumeration from beginning */ - return methods->gettrustpwent(methods, NULL); -} - - -/** - * Enumerate across trust passwords (machine and interdomain nt/ads) - * - * @param methods methods belonging in pdb context (module) - * @param trust trust password structure - * - * @return nt status of performed operation - **/ - -static NTSTATUS tdbsam_gettrustpwent(struct pdb_methods *methods, SAM_TRUST_PASSWD *trust) -{ - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; - struct trust_passwd_data t; - TALLOC_CTX *mem_ctx; - - TRUSTDOM **trustdom; - static int enum_ctx; - int num_domains = 0; - unsigned int max_domains = 1; - char *dom_name, *dom_pass; - - smb_ucs2_t *uni_dom_name; - uint8 mach_pass[16]; - uint32 sec_chan; - - if (!methods) return NT_STATUS_UNSUCCESSFUL; - - /* - * NT domain trust passwords - */ - - /* rewind enumeration when passed NULL pointer as a trust */ - if (!trust) { - enum_ctx = 0; - return NT_STATUS_OK; - } - - mem_ctx = talloc_init("tdbsam_gettrustpwent: trust password enumeration"); - - /* fetch next trusted domain (one at a time) and its full information */ - nt_status = secrets_get_trusted_domains(mem_ctx, &enum_ctx, max_domains, &num_domains, - &trustdom); - if (num_domains) { - pull_ucs2_talloc(mem_ctx, &dom_name, trustdom[0]->name); - if (secrets_fetch_trusted_domain_password(dom_name, &dom_pass, &t.domain_sid, - &t.mod_time)) { - - t.uni_name_len = strnlen_w(trustdom[0]->name, 32); - strncpy_w(t.uni_name, trustdom[0]->name, t.uni_name_len); - safe_strcpy(t.pass, dom_pass, FSTRING_LEN - 1); - 
t.flags = PASS_DOMAIN_TRUST_NT; - - SAFE_FREE(dom_pass); - talloc_destroy(mem_ctx); - trust->private = t; - return nt_status; - } else { - talloc_destroy(mem_ctx); - return NT_STATUS_UNSUCCESSFUL; - } - } - - /* - * NT machine trust password - */ - - if (secrets_lock_trust_account_password(lp_workgroup(), True)) { - sec_chan = get_default_sec_channel(); - if (secrets_fetch_trust_account_password(lp_workgroup(), mach_pass, &t.mod_time, - &sec_chan)) { - - t.uni_name_len = strlen(lp_workgroup()); - push_ucs2_talloc(mem_ctx, &uni_dom_name, lp_workgroup()); - strncpy_w(t.uni_name, uni_dom_name, t.uni_name_len); - safe_strcpy(t.pass, mach_pass, FSTRING_LEN - 1); - t.flags = PASS_MACHINE_TRUST_NT; - if (!secrets_fetch_domain_sid(lp_workgroup(), &t.domain_sid)) { - talloc_destroy(mem_ctx); - return NT_STATUS_UNSUCCESSFUL; - } - - talloc_destroy(mem_ctx); - trust->private = t; - return NT_STATUS_NO_MORE_ENTRIES; - } - secrets_lock_trust_account_password(lp_workgroup(), False); - } else { - talloc_destroy(mem_ctx); - return NT_STATUS_UNSUCCESSFUL; - } - - /* - * ADS machine trust password (TODO) - */ - - - /* - * if nothing is to be returned then reset domain name - * and return "no more entries" - */ - nt_status = NT_STATUS_NO_MORE_ENTRIES; - trust->private.uni_name_len = 0; - trust->private.uni_name[t.uni_name_len] = 0; - - talloc_destroy(mem_ctx); - return nt_status; -} - - -/** - * Get trust password by trusted party name - * - * @param methods methods belonging to pdb context (module) - * @param trust trust password structure - * @param sid trusted party name - * - * @return nt status of performed operation - **/ - -static NTSTATUS tdbsam_gettrustpwnam(struct pdb_methods *methods, SAM_TRUST_PASSWD *trust, - const char *name) -{ - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; - char domain_name[32]; - - if (!methods || !trust || !name) return nt_status; - - do { - /* get trust password (next in turn) */ - nt_status = tdbsam_gettrustpwent(methods, trust); - - /* convert 
unicode name and do case insensitive compare */ - pull_ucs2(NULL, domain_name, trust->private.uni_name, sizeof(domain_name), - trust->private.uni_name_len, STR_TERMINATE); - if (!StrnCaseCmp(domain_name, name, sizeof(domain_name))) - return NT_STATUS_OK; - - } while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES)); - - return nt_status; -} - - -/** - * Get trust password by trusted party sid - * - * @param methods methods belonging to pdb context (module) - * @param trust trust password structure - * @param sid trusted party sid - * - * @return nt status of performed operation - **/ - -static NTSTATUS tdbsam_gettrustpwsid(struct pdb_methods *methods, SAM_TRUST_PASSWD *trust, - const DOM_SID *sid) -{ - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; - - if (!methods || !trust || !sid) return nt_status; - - do { - nt_status = tdbsam_gettrustpwent(methods, trust); - - if (sid_equal(&trust->private.domain_sid, sid)) - return NT_STATUS_OK; - - } while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES)); - - return nt_status; -} - - -/** - * Add new trust password. - * - * @param methods methods belonging in pdb context (module) - * @param trust trust password structure - * - * @return nt status of performed operation - **/ - -static NTSTATUS tdbsam_add_trust_passwd(struct pdb_methods *methods, const SAM_TRUST_PASSWD *trust) -{ - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; - BOOL status = False; - TALLOC_CTX *mem_ctx; - - char* domain = NULL; - struct trust_passwd_data t = trust->private; - uint32 sec_chan; - - mem_ctx = talloc_init("tdbsam_add_trust_passwd: storing new trust password"); - - /* convert unicode name to char* (used to form the key) */ - pull_ucs2_talloc(mem_ctx, &domain, t.uni_name); - - /* add nt machine trust password */ - if (t.flags & (PASS_MACHINE_TRUST_NT | PASS_SERVER_TRUST_NT)) { - sec_chan = (t.flags & PASS_MACHINE_TRUST_NT) ? 
SEC_CHAN_WKSTA : SEC_CHAN_BDC; - status = secrets_store_machine_password(t.pass, domain, sec_chan); - if (status) - status = secrets_store_domain_sid(domain, &t.domain_sid); - - nt_status = status ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL; - - /* add nt domain trust password */ - } else if (t.flags & PASS_DOMAIN_TRUST_NT) { - status = secrets_store_trusted_domain_password(domain, t.uni_name, t.uni_name_len, - t.pass, t.domain_sid); - nt_status = status ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL; - - /* add ads machine trust password (TODO) */ - } else if (t.flags & PASS_MACHINE_TRUST_ADS) { - } - - talloc_destroy(mem_ctx); - return nt_status; -} - - -/** - * Update trust password. - * - * @param methods methods belonging in pdb context (module) - * @param trust trust password structure - * - * @return nt status of performed operation - **/ - -static NTSTATUS tdbsam_update_trust_passwd(struct pdb_methods *methods, const SAM_TRUST_PASSWD* trust) -{ - NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; - return nt_status; -} - - -/** - * Delete trust password. 
- * - * @param methods methods belonging in pdb context (module) - * @param trust trust password structure - * - * @return nt status of performed operation - **/ - -static NTSTATUS tdbsam_delete_trust_passwd(struct pdb_methods *methods, const SAM_TRUST_PASSWD* trust) -{ - NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; - return nt_status; -} - - -/*************************************************************************** - Add sid to privilege -****************************************************************************/ - -static NTSTATUS tdbsam_add_sid_to_privilege(struct pdb_methods *my_methods, const char *priv_name, const DOM_SID *sid) -{ - struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data; - TDB_CONTEXT *pwd_tdb = NULL; - TDB_DATA key, data; - fstring keystr; - fstring name; - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - fstring sid_str; - char *sid_list = NULL, *s = NULL; - size_t str_size; - int flag; - - /* invalidate the existing TDB iterator if it is open */ - - if (tdb_state->passwd_tdb) { - tdb_close(tdb_state->passwd_tdb); - tdb_state->passwd_tdb = NULL; - } - - /* open the account TDB passwd*/ - - pwd_tdb = tdbsam_tdbopen(tdb_state->tdbsam_location, O_RDWR | O_CREAT); - - if (!pwd_tdb) { - DEBUG(0, ("tdb_add_sid_to_privilege: Unable to open TDB passwd (%s)!\n", - tdb_state->tdbsam_location)); - return NT_STATUS_UNSUCCESSFUL; - } - - /* setup the PRIV index key */ - fstrcpy(name, priv_name); - strlower_m(name); - - slprintf(keystr, sizeof(keystr)-1, "%s%s", PRIVPREFIX, name); - key.dptr = keystr; - key.dsize = strlen(keystr) + 1; - - /* check if the privilege already exist in the database */ - - /* get the record */ - data = tdb_fetch (pwd_tdb, key); - - if (data.dptr) { - /* check the list is not empty */ - if (*(data.dptr)) { - sid_list = strdup(data.dptr); - if (!sid_list) { - DEBUG(0, ("tdbsam_add_sid_to_privilege: Out of Memory!\n")); - goto done; - } - } - SAFE_FREE(data.dptr); - - flag = TDB_MODIFY; - } else { 
- /* if privilege does not exist create one */ - flag = TDB_INSERT; - } - - /* add the given sid */ - sid_to_string(sid_str, sid); - - if (sid_list) { - str_size = strlen(sid_list) + strlen(sid_str) + 2; - s = realloc(sid_list, str_size); - if (!s) { - DEBUG(0, ("tdbsam_add_sid_to_privilege: Out of Memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - sid_list = s; - s = &sid_list[strlen(sid_list)]; - snprintf(s, strlen(sid_str) + 2, ",%s", sid_str); - - } else { - sid_list = strdup(sid_str); - if (!sid_list) { - DEBUG(0, ("tdbsam_add_sid_to_privilege: Out of Memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - } - - /* copy the PRIVILEGE struct into a BYTE buffer for storage */ - data.dsize = strlen(sid_list) + 1; - data.dptr = sid_list; - - /* add the account */ - if (tdb_store(pwd_tdb, key, data, flag) != TDB_SUCCESS) { - DEBUG(0, ("Unable to modify passwd TDB!")); - DEBUGADD(0, (" Error: %s", tdb_errorstr(pwd_tdb))); - DEBUGADD(0, (" occured while storing the main record (%s)\n", keystr)); - goto done; - } - - ret = NT_STATUS_OK; - -done: - /* cleanup */ - tdb_close (pwd_tdb); - SAFE_FREE(sid_list); - - return (ret); -} - -/*************************************************************************** - Reomve sid to privilege -****************************************************************************/ - -static NTSTATUS tdbsam_remove_sid_from_privilege(struct pdb_methods *my_methods, const char *priv_name, const DOM_SID *sid) -{ - struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data; - TDB_CONTEXT *pwd_tdb = NULL; - TDB_DATA key, data; - fstring keystr; - fstring name; - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - fstring sid_str; - char *sid_list = NULL, *s = NULL; - - /* invalidate the existing TDB iterator if it is open */ - - if (tdb_state->passwd_tdb) { - tdb_close(tdb_state->passwd_tdb); - tdb_state->passwd_tdb = NULL; - } - - /* open the account TDB passwd*/ - - pwd_tdb = 
tdbsam_tdbopen(tdb_state->tdbsam_location, O_RDWR | O_CREAT); - - if (!pwd_tdb) { - DEBUG(0, ("tdbsam_remove_sid_from_privilege: Unable to open TDB passwd (%s)!\n", - tdb_state->tdbsam_location)); - return NT_STATUS_UNSUCCESSFUL; - } - - /* setup the PRIV index key */ - fstrcpy(name, priv_name); - strlower_m(name); - - slprintf(keystr, sizeof(keystr)-1, "%s%s", PRIVPREFIX, name); - key.dptr = keystr; - key.dsize = strlen(keystr) + 1; - - /* check if the privilege already exist in the database */ - - /* get the record */ - data = tdb_fetch (pwd_tdb, key); - - /* if privilege does not exist, just leave */ - if (!data.dptr) { - ret = NT_STATUS_OK; - goto done; - } - - if (data.dptr) { - sid_list = strdup(data.dptr); - if (!sid_list) { - DEBUG(0, ("tdbsam_remove_sid_from_privilege: Out of Memory!\n")); - goto done; - } - SAFE_FREE(data.dptr); - } - - /* remove the given sid */ - sid_to_string(sid_str, sid); - - s = strstr(sid_list, sid_str); - if (s) { - char *p; - p = strstr(s, ","); - if (p) { - size_t l = strlen(sid_list) + 1 - (s - sid_list); - memmove(s, ++p, l); - } else { - if (s != sid_list) - s--; - *s = '\0'; - } - } else { - /* sid not found */ - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - /* copy the PRIVILEGE struct into a BYTE buffer for storage */ - data.dsize = strlen(sid_list) + 1; - data.dptr = sid_list; - - /* add the account */ - if (tdb_store(pwd_tdb, key, data, TDB_MODIFY) != TDB_SUCCESS) { - DEBUG(0, ("Unable to modify passwd TDB!")); - DEBUGADD(0, (" Error: %s", tdb_errorstr(pwd_tdb))); - DEBUGADD(0, (" occured while storing the main record (%s)\n", keystr)); - goto done; - } - - ret = NT_STATUS_OK; - -done: - /* cleanup */ - tdb_close (pwd_tdb); - SAFE_FREE(sid_list); - - return (ret); -} - -/*************************************************************************** - get the privilege list for the given token -****************************************************************************/ - -struct priv_traverse { - char **sid_list; - 
PRIVILEGE_SET *privset; -}; - -static int tdbsam_traverse_privilege(TDB_CONTEXT *t, TDB_DATA key, TDB_DATA data, void *state) -{ - struct priv_traverse *pt = (struct priv_traverse *)state; - int prefixlen = strlen(PRIVPREFIX); - - if (strncmp(key.dptr, PRIVPREFIX, prefixlen) == 0) { - - /* add to privilege_set if any of the sid in the token - * is contained in the privilege */ - int i; - - for(i=0; pt->sid_list[i] != NULL; i++) { - char *c, *s; - int len; - - s = data.dptr; - while ((c=strchr(s, ',')) !=NULL) { - len = MAX((c - s), strlen(pt->sid_list[i])); - if (strncmp(s, pt->sid_list[i], len) == 0) { - DEBUG(10, ("sid [%s] found in users sid list\n", pt->sid_list[i])); - DEBUG(10, ("adding privilege [%s] to the users privilege list\n", &(key.dptr[prefixlen]))); - add_privilege_by_name(pt->privset, &(key.dptr[prefixlen])); - return 0; - } - s = c + 1; - } - len = MAX(strlen(s), strlen(pt->sid_list[i])); - if (strncmp(s, pt->sid_list[i], len) == 0) { - DEBUG(10, ("sid [%s] found in users sid list\n", pt->sid_list[i])); - DEBUG(10, ("adding privilege [%s] to the users privilege list\n", &(key.dptr[prefixlen]))); - add_privilege_by_name(pt->privset, &(key.dptr[prefixlen])); - return 0; - } - } - } - - return 0; -} - -static NTSTATUS tdbsam_get_privilege_set(struct pdb_methods *my_methods, NT_USER_TOKEN *token, PRIVILEGE_SET *privset) -{ - struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data; - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - TDB_CONTEXT *pwd_tdb = NULL; - struct priv_traverse pt; - fstring sid_str; - char **sid_list; - int i; - - if (!(pwd_tdb = tdbsam_tdbopen(tdb_state->tdbsam_location, O_RDONLY ))) - return NT_STATUS_UNSUCCESSFUL; - - sid_list = (char **)malloc(sizeof(char *) * (token->num_sids + 1)); - for (i = 0; i < token->num_sids; i++) { - sid_to_string(sid_str, &token->user_sids[i]); - sid_list[i] = strdup(sid_str); - if ( ! 
sid_list[i]) { - ret = NT_STATUS_NO_MEMORY; - goto done; - } - } - sid_list[i] = NULL; - - pt.sid_list = sid_list; - pt.privset = privset; - tdb_traverse(pwd_tdb, tdbsam_traverse_privilege, &pt); - - ret = NT_STATUS_OK; - -done: - i = 0; - while (sid_list[i]) { - free(sid_list[i]); - i++; - } - free(sid_list); - - tdb_close(pwd_tdb); - - return ret; -} - -static NTSTATUS tdbsam_get_privilege_entry(struct pdb_methods *my_methods, const char *privname, char **sid_list) -{ - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - TDB_CONTEXT *pwd_tdb = NULL; - TDB_DATA key, data; - fstring name; - fstring keystr; - - struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data; - - if (!(pwd_tdb = tdbsam_tdbopen(tdb_state->tdbsam_location, O_RDONLY))) - return ret; - - /* setup the PRIV index key */ - fstrcpy(name, privname); - strlower_m(name); - - slprintf(keystr, sizeof(keystr)-1, "%s%s", PRIVPREFIX, name); - key.dptr = keystr; - key.dsize = strlen(keystr) + 1; - - data = tdb_fetch(pwd_tdb, key); - if (!data.dptr) - goto done; - - *sid_list = strdup(data.dptr); - SAFE_FREE(data.dptr); - - if (!*sid_list) - goto done; - - ret = NT_STATUS_OK; -done: - tdb_close(pwd_tdb); - return ret; -} - - - - - - static NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) { 
@@ -1332,17 +717,6 @@ static NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_meth
  (*pdb_method)->add_sam_account = tdbsam_add_sam_account;
  (*pdb_method)->update_sam_account = tdbsam_update_sam_account;
  (*pdb_method)->delete_sam_account = tdbsam_delete_sam_account;
- (*pdb_method)->settrustpwent = tdbsam_settrustpwent;
- (*pdb_method)->gettrustpwent = tdbsam_gettrustpwent;
- (*pdb_method)->gettrustpwnam = tdbsam_gettrustpwnam;
- (*pdb_method)->gettrustpwsid = tdbsam_gettrustpwsid;
- (*pdb_method)->add_trust_passwd = tdbsam_add_trust_passwd;
- (*pdb_method)->update_trust_passwd = tdbsam_update_trust_passwd;
- (*pdb_method)->delete_trust_passwd = tdbsam_delete_trust_passwd;
- (*pdb_method)->add_sid_to_privilege = tdbsam_add_sid_to_privilege;
- (*pdb_method)->remove_sid_from_privilege = tdbsam_remove_sid_from_privilege;
- (*pdb_method)->get_privilege_set = tdbsam_get_privilege_set;
- (*pdb_method)->get_privilege_entry = tdbsam_get_privilege_entry;
  tdb_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct tdbsam_privates));
@@ -1372,3 +746,4 @@ NTSTATUS pdb_tdbsam_init(void)
 {
  return smb_register_passdb(PASSDB_INTERFACE_VERSION, "tdbsam", pdb_init_tdbsam);
 }
+