diff options
Diffstat (limited to 'source3/passdb')
-rw-r--r-- | source3/passdb/passdb.c | 22 | ||||
-rw-r--r-- | source3/passdb/pdb_get_set.c | 35 | ||||
-rw-r--r-- | source3/passdb/pdb_interface.c | 7 | ||||
-rw-r--r-- | source3/passdb/pdb_ldap.c | 869 | ||||
-rw-r--r-- | source3/passdb/pdb_smbpasswd.c | 2 | ||||
-rw-r--r-- | source3/passdb/pdb_tdb.c | 10 | ||||
-rw-r--r-- | source3/passdb/secrets.c | 28 |
7 files changed, 692 insertions, 281 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 5ae1b710f5..191844a454 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -904,12 +904,13 @@ void copy_id23_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_23 *from) if (from == NULL || to == NULL) return; - pdb_set_logon_time(to,nt_time_to_unix(&from->logon_time)); - pdb_set_logoff_time(to,nt_time_to_unix(&from->logoff_time)); - pdb_set_kickoff_time(to, nt_time_to_unix(&from->kickoff_time)); + pdb_set_logon_time(to,nt_time_to_unix(&from->logon_time), True); + pdb_set_logoff_time(to,nt_time_to_unix(&from->logoff_time), True); + pdb_set_kickoff_time(to, nt_time_to_unix(&from->kickoff_time), True); + pdb_set_pass_can_change_time(to, nt_time_to_unix(&from->pass_can_change_time), True); + pdb_set_pass_must_change_time(to, nt_time_to_unix(&from->pass_must_change_time), True); + pdb_set_pass_last_set_time(to, nt_time_to_unix(&from->pass_last_set_time)); - pdb_set_pass_can_change_time(to, nt_time_to_unix(&from->pass_can_change_time)); - pdb_set_pass_must_change_time(to, nt_time_to_unix(&from->pass_must_change_time)); if (from->uni_user_name.buffer) pdb_set_username(to , pdb_convert(&from->uni_user_name )); @@ -958,12 +959,13 @@ void copy_id21_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_21 *from) if (from == NULL || to == NULL) return; - pdb_set_logon_time(to,nt_time_to_unix(&from->logon_time)); - pdb_set_logoff_time(to,nt_time_to_unix(&from->logoff_time)); - pdb_set_kickoff_time(to, nt_time_to_unix(&from->kickoff_time)); + pdb_set_logon_time(to,nt_time_to_unix(&from->logon_time), True); + pdb_set_logoff_time(to,nt_time_to_unix(&from->logoff_time), True); + pdb_set_kickoff_time(to, nt_time_to_unix(&from->kickoff_time), True); + pdb_set_pass_can_change_time(to, nt_time_to_unix(&from->pass_can_change_time), True); + pdb_set_pass_must_change_time(to, nt_time_to_unix(&from->pass_must_change_time), True); + pdb_set_pass_last_set_time(to, nt_time_to_unix(&from->pass_last_set_time)); - pdb_set_pass_can_change_time(to, nt_time_to_unix(&from->pass_can_change_time)); - pdb_set_pass_must_change_time(to, nt_time_to_unix(&from->pass_must_change_time)); if (from->uni_user_name.buffer) pdb_set_username(to , pdb_convert(&from->uni_user_name )); diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c index 5886d29c67..181364ab6b 100644 --- a/source3/passdb/pdb_get_set.c +++ b/source3/passdb/pdb_get_set.c @@ -321,48 +321,68 @@ BOOL pdb_set_acct_ctrl (SAM_ACCOUNT *sampass, uint16 flags) return False; } -BOOL pdb_set_logon_time (SAM_ACCOUNT *sampass, time_t mytime) +BOOL pdb_set_logon_time (SAM_ACCOUNT *sampass, time_t mytime, BOOL store) { if (!sampass) return False; sampass->private.logon_time = mytime; + + if (store) + pdb_set_init_flag(sampass, FLAG_SAM_LOGONTIME); + return True; } -BOOL pdb_set_logoff_time (SAM_ACCOUNT *sampass, time_t mytime) +BOOL pdb_set_logoff_time (SAM_ACCOUNT *sampass, time_t mytime, BOOL store) { if (!sampass) return False; sampass->private.logoff_time = mytime; + + if (store) + pdb_set_init_flag(sampass, FLAG_SAM_LOGOFFTIME); + return True; } -BOOL pdb_set_kickoff_time (SAM_ACCOUNT *sampass, time_t mytime) +BOOL pdb_set_kickoff_time (SAM_ACCOUNT *sampass, time_t mytime, BOOL store) { if (!sampass) return False; sampass->private.kickoff_time = mytime; + + if (store) + pdb_set_init_flag(sampass, FLAG_SAM_KICKOFFTIME); + return True; } -BOOL pdb_set_pass_can_change_time (SAM_ACCOUNT *sampass, time_t mytime) +BOOL pdb_set_pass_can_change_time (SAM_ACCOUNT *sampass, time_t mytime, BOOL store) { if (!sampass) return False; sampass->private.pass_can_change_time = mytime; + + if (store) + pdb_set_init_flag(sampass, FLAG_SAM_CANCHANGETIME); + return True; } -BOOL pdb_set_pass_must_change_time (SAM_ACCOUNT *sampass, time_t mytime) +BOOL pdb_set_pass_must_change_time (SAM_ACCOUNT *sampass, time_t mytime, BOOL store) { if (!sampass) return False; sampass->private.pass_must_change_time = mytime; + + if (store) + pdb_set_init_flag(sampass, FLAG_SAM_MUSTCHANGETIME); + return True; } @@ -372,6 +392,7 @@ BOOL pdb_set_pass_last_set_time (SAM_ACCOUNT *sampass, time_t mytime) return False; sampass->private.pass_last_set_time = mytime; + return True; } @@ -876,12 +897,12 @@ BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass) account_policy_get(AP_MAX_PASSWORD_AGE, &expire); if (expire==(uint32)-1) { - if (!pdb_set_pass_must_change_time (sampass, 0)) + if (!pdb_set_pass_must_change_time (sampass, get_time_t_max(), False)) return False; } else { if (!pdb_set_pass_must_change_time (sampass, pdb_get_pass_last_set_time(sampass) - + expire)) + + expire, True)) return False; } diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index 73532984b6..953b5c4d2f 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -27,8 +27,9 @@ const struct pdb_init_function_entry builtin_pdb_init_functions[] = { { "smbpasswd_nua", pdb_init_smbpasswd_nua }, { "tdbsam", pdb_init_tdbsam }, { "tdbsam_nua", pdb_init_tdbsam_nua }, + { "ldapsam", pdb_init_ldapsam }, + { "ldapsam_nua", pdb_init_ldapsam_nua }, #if 0 - { "ldap", pdb_init_ldap }, { "nisplus", pdb_init_nisplus }, { "unix", pdb_init_unix }, #endif @@ -252,7 +253,7 @@ static struct pdb_context *pdb_get_static_context(BOOL reload) return pdb_context; } -#if !defined(WITH_LDAP_SAM) && !defined(WITH_NISPLUS_SAM) +#if !defined(WITH_NISPLUS_SAM) /****************************************************************** Backward compatability functions for the original passdb interface @@ -346,7 +347,7 @@ BOOL pdb_delete_sam_account(SAM_ACCOUNT *sam_acct) return pdb_context->pdb_delete_sam_account(pdb_context, sam_acct); } -#endif /* !defined(WITH_LDAP_SAM) && !defined(WITH_NISPLUS_SAM) */ +#endif /* !defined(WITH_NISPLUS_SAM) */ /*************************************************************** Initialize the static context (at smbd startup etc). diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index 1e67d86091..7dae485394 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -4,6 +4,7 @@ Copyright (C) Gerald Carter 2001 Copyright (C) Shahms King 2001 Copyright (C) Jean François Micouleau 1998 + Copyright (C) Andrew Bartlett 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -51,87 +52,156 @@ #define SAM_ACCOUNT struct sam_passwd #endif -struct ldap_enum_info { +struct ldapsam_privates { + + /* Former statics */ LDAP *ldap_struct; LDAPMessage *result; LDAPMessage *entry; int index; + + /* retrive-once info */ + const char *uri; + + BOOL permit_non_unix_accounts; + + uint32 low_nua_rid; + uint32 high_nua_rid; }; -static struct ldap_enum_info global_ldap_ent; +static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state); +/******************************************************************* + find the ldap password +******************************************************************/ +static BOOL fetch_ldapsam_pw(char *dn, char* pw, int len) +{ + fstring key; + char *p; + void *data = NULL; + size_t size; + + pstrcpy(key, dn); + for (p=key; *p; p++) + if (*p == ',') *p = '/'; + + data=secrets_fetch(key, &size); + if (!size) { + DEBUG(0,("fetch_ldap_pw: no ldap secret retrieved!\n")); + return False; + } + + if (size > len-1) + { + DEBUG(0,("fetch_ldap_pw: ldap secret is too long (%d > %d)!\n", size, len-1)); + return False; + } + + memcpy(pw, data, size); + pw[size] = '\0'; + + return True; +} /******************************************************************* open a connection to the ldap server. ******************************************************************/ -static BOOL ldap_open_connection (LDAP ** ldap_struct) +static BOOL ldapsam_open_connection (struct ldapsam_privates *ldap_state, LDAP ** ldap_struct) { - int port; - int version, rc; - int tls = LDAP_OPT_X_TLS_HARD; - /* there should be an lp_ldap_ssl_port(), what happen if for some - reason we need to bind an SSLed LDAP on port 389 ?? ---simo */ - if (lp_ldap_ssl() == LDAP_SSL_ON && lp_ldap_port() == 389) { - port = 636; + if (geteuid() != 0) { + DEBUG(0, ("ldap_open_connection: cannot access LDAP when not root..\n")); + return False; } - else { - port = lp_ldap_port(); + +#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000) + DEBUG(10, ("ldapsam_open_connection: %s\n", ldap_state->uri)); + + if (ldap_initialize(ldap_struct, ldap_state->uri) != LDAP_SUCCESS) { + DEBUG(0, ("ldap_initialize: %s\n", strerror(errno))); + return (False); } +#else - if ((*ldap_struct = ldap_init(lp_ldap_server(), port)) == NULL) { - DEBUG(0, ("The LDAP server is not responding !\n")); - return False; - } + /* Parse the string manually */ - /* Connect to older servers using SSL and V2 rather than Start TLS */ - if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS) { - if (version != LDAP_VERSION2) - { - version = LDAP_VERSION2; - ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version); + int rc; + int tls = LDAP_OPT_X_TLS_HARD; + int port = 0; + int version; + fstring protocol; + fstring host; + const char *p = ldap_state->uri; + SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254); + + /* skip leading "URL:" (if any) */ + if ( strncasecmp( p, "URL:", 4 ) == 0 ) { + p += 4; } - } - switch (lp_ldap_ssl()) - { - case LDAP_SSL_START_TLS: - if (ldap_get_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, - &version) == LDAP_OPT_SUCCESS) - { - if (version < LDAP_VERSION3) - { - version = LDAP_VERSION3; - ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, - &version); - } + sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port); + + if (port == 0) { + if (strequal(protocol, "ldap")) { + port = LDAP_PORT; + } else if (strequal(protocol, "ldaps")) { + port = LDAPS_PORT; + } else { + DEBUG(0, ("unrecognised protocol (%s)!\n", protocol)); } - if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS) + } + + if ((*ldap_struct = ldap_init(host, port)) == NULL) { + DEBUG(0, ("ldap_init failed !\n")); + return False; + } + + /* Connect to older servers using SSL and V2 rather than Start TLS */ + if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS) + { + if (version != LDAP_VERSION2) { - DEBUG(0,("Failed to issue the StartTLS instruction: %s\n", - ldap_err2string(rc))); - return False; + version = LDAP_VERSION2; + ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version); } - DEBUG (2, ("StartTLS issued: using a TLS connection\n")); - break; - - case LDAP_SSL_ON: - if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) - { - DEBUG(0, ("Failed to setup a TLS session\n")); + } + + if (strequal(protocol, "ldaps")) { + if (lp_ldap_ssl() == LDAP_SSL_START_TLS) { + if (ldap_get_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, + &version) == LDAP_OPT_SUCCESS) + { + if (version < LDAP_VERSION3) + { + version = LDAP_VERSION3; + ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, + &version); + } + } + if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS) + { + DEBUG(0,("Failed to issue the StartTLS instruction: %s\n", + ldap_err2string(rc))); + return False; + } + DEBUG (2, ("StartTLS issued: using a TLS connection\n")); + } else { + + if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) + { + DEBUG(0, ("Failed to setup a TLS session\n")); + } } - break; - - case LDAP_SSL_OFF: - default: + } else { /* * No special needs to setup options prior to the LDAP * bind (which should be called next via ldap_connect_system() */ - break; + } } +#endif DEBUG(2, ("ldap_open_connection: connection opened\n")); return True; @@ -140,14 +210,14 @@ static BOOL ldap_open_connection (LDAP ** ldap_struct) /******************************************************************* connect to the ldap server under system privilege. ******************************************************************/ -static BOOL ldap_connect_system(LDAP * ldap_struct) +static BOOL ldapsam_connect_system(struct ldapsam_privates *ldap_state, LDAP * ldap_struct) { int rc; static BOOL got_pw = False; static pstring ldap_secret; /* get the password if we don't have it already */ - if (!got_pw && !(got_pw=fetch_ldap_pw(lp_ldap_admin_dn(), ldap_secret, sizeof(pstring)))) + if (!got_pw && !(got_pw=fetch_ldapsam_pw(lp_ldap_admin_dn(), ldap_secret, sizeof(pstring)))) { DEBUG(0, ("ldap_connect_system: Failed to retrieve password for %s from secrets.tdb\n", lp_ldap_admin_dn())); @@ -174,19 +244,19 @@ static BOOL ldap_connect_system(LDAP * ldap_struct) /******************************************************************* run the search by name. ******************************************************************/ -static int ldap_search_one_user (LDAP * ldap_struct, const char *filter, LDAPMessage ** result) +static int ldapsam_search_one_user (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, const char *filter, LDAPMessage ** result) { int scope = LDAP_SCOPE_SUBTREE; int rc; - DEBUG(2, ("ldap_search_one_user: searching for:[%s]\n", filter)); + DEBUG(2, ("ldapsam_search_one_user: searching for:[%s]\n", filter)); rc = ldap_search_s(ldap_struct, lp_ldap_suffix (), scope, filter, NULL, 0, result); if (rc != LDAP_SUCCESS) { - DEBUG(0,("ldap_search_one_user: Problem during the LDAP search: %s\n", + DEBUG(0,("ldapsam_search_one_user: Problem during the LDAP search: %s\n", ldap_err2string (rc))); - DEBUG(3,("ldap_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(), + DEBUG(3,("ldapsam_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(), filter)); } @@ -196,7 +266,7 @@ static int ldap_search_one_user (LDAP * ldap_struct, const char *filter, LDAPMes /******************************************************************* run the search by name. ******************************************************************/ -static int ldap_search_one_user_by_name (LDAP * ldap_struct, const char *user, +static int ldapsam_search_one_user_by_name (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, const char *user, LDAPMessage ** result) { pstring filter; @@ -213,22 +283,23 @@ static int ldap_search_one_user_by_name (LDAP * ldap_struct, const char *user, */ all_string_sub(filter, "%u", user, sizeof(pstring)); - return ldap_search_one_user(ldap_struct, filter, result); + return ldapsam_search_one_user(ldap_state, ldap_struct, filter, result); } /******************************************************************* run the search by uid. ******************************************************************/ -static int ldap_search_one_user_by_uid(LDAP * ldap_struct, int uid, - LDAPMessage ** result) +static int ldapsam_search_one_user_by_uid(struct ldapsam_privates *ldap_state, + LDAP * ldap_struct, int uid, + LDAPMessage ** result) { struct passwd *user; pstring filter; /* Get the username from the system and look that up in the LDAP */ - if ((user = sys_getpwuid(uid)) == NULL) { - DEBUG(3,("ldap_search_one_user_by_uid: Failed to locate uid [%d]\n", uid)); + if ((user = getpwuid_alloc(uid)) == NULL) { + DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid)); return LDAP_NO_SUCH_OBJECT; } @@ -236,14 +307,17 @@ static int ldap_search_one_user_by_uid(LDAP * ldap_struct, int uid, all_string_sub(filter, "%u", user->pw_name, sizeof(pstring)); - return ldap_search_one_user(ldap_struct, filter, result); + passwd_free(&user); + + return ldapsam_search_one_user(ldap_state, ldap_struct, filter, result); } /******************************************************************* run the search by rid. ******************************************************************/ -static int ldap_search_one_user_by_rid (LDAP * ldap_struct, uint32 rid, - LDAPMessage ** result) +static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state, + LDAP * ldap_struct, uint32 rid, + LDAPMessage ** result) { pstring filter; int rc; @@ -251,11 +325,12 @@ static int ldap_search_one_user_by_rid (LDAP * ldap_struct, uint32 rid, /* check if the user rid exsists, if not, try searching on the uid */ snprintf(filter, sizeof(filter) - 1, "rid=%i", rid); - rc = ldap_search_one_user(ldap_struct, filter, result); + rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, result); if (rc != LDAP_SUCCESS) - rc = ldap_search_one_user_by_uid(ldap_struct, - pdb_user_rid_to_uid(rid), result); + rc = ldapsam_search_one_user_by_uid(ldap_state, ldap_struct, + pdb_user_rid_to_uid(rid), + result); return rc; } @@ -264,21 +339,22 @@ static int ldap_search_one_user_by_rid (LDAP * ldap_struct, uint32 rid, search an attribute and return the first value found. ******************************************************************/ static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry, - char *attribute, char *value) + char *attribute, char *value) { char **values; if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) { value = NULL; - DEBUG (2, ("get_single_attribute: [%s] = [<does not exist>]\n", attribute)); + DEBUG (10, ("get_single_attribute: [%s] = [<does not exist>]\n", attribute)); return False; } - + pstrcpy(value, values[0]); ldap_value_free(values); - DEBUG (2, ("get_single_attribute: [%s] = [%s]\n", attribute, value)); - +#ifdef DEBUG_PASSWORDS + DEBUG (100, ("get_single_attribute: [%s] = [%s]\n", attribute, value)); +#endif return True; } @@ -362,8 +438,9 @@ static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, c Initialize SAM_ACCOUNT from an LDAP query (Based on init_sam_from_buffer in pdb_tdb.c) *********************************************************************/ -static BOOL init_sam_from_ldap (SAM_ACCOUNT * sampass, - LDAP * ldap_struct, LDAPMessage * entry) +static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, + SAM_ACCOUNT * sampass, + LDAP * ldap_struct, LDAPMessage * entry) { time_t logon_time, logoff_time, @@ -424,27 +501,80 @@ static BOOL init_sam_from_ldap (SAM_ACCOUNT * sampass, pstrcpy(domain, lp_workgroup()); + get_single_attribute(ldap_struct, entry, "rid", temp); + user_rid = (uint32)atol(temp); + if (!get_single_attribute(ldap_struct, entry, "primaryGroupID", temp)) { + group_rid = 0; + } else { + group_rid = (uint32)atol(temp); + } + + if ((ldap_state->permit_non_unix_accounts) + && (user_rid >= ldap_state->low_nua_rid) + && (user_rid <= ldap_state->high_nua_rid)) { + + } else { + + /* These values MAY be in LDAP, but they can also be retrieved through + * sys_getpw*() which is how we're doing it + */ + + pw = getpwnam_alloc(username); + if (pw == NULL) { + DEBUG (2,("init_sam_from_ldap: User [%s] does not ave a uid!\n", username)); + return False; + } + uid = pw->pw_uid; + gid = pw->pw_gid; + + passwd_free(&pw); + + pdb_set_uid(sampass, uid); + pdb_set_gid(sampass, gid); + + if (group_rid == 0) { + GROUP_MAP map; + /* call the mapping code here */ + if(get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) { + sid_peek_rid(&map.sid, &group_rid); + } + else { + group_rid=pdb_gid_to_group_rid(gid); + } + } + } + get_single_attribute(ldap_struct, entry, "pwdLastSet", temp); - pass_last_set_time = (time_t) strtol(temp, NULL, 16); + pass_last_set_time = (time_t) atol(temp); - get_single_attribute(ldap_struct, entry, "logonTime", temp); - logon_time = (time_t) strtol(temp, NULL, 16); + if (!get_single_attribute(ldap_struct, entry, "logonTime", temp)) { + logon_time = (time_t) atol(temp); + pdb_set_logon_time(sampass, logon_time, True); + } - get_single_attribute(ldap_struct, entry, "logoffTime", temp); - logoff_time = (time_t) strtol(temp, NULL, 16); + if (!get_single_attribute(ldap_struct, entry, "logoffTime", temp)) { + logoff_time = (time_t) atol(temp); + pdb_set_logoff_time(sampass, logoff_time, True); + } - get_single_attribute(ldap_struct, entry, "kickoffTime", temp); - kickoff_time = (time_t) strtol(temp, NULL, 16); + if (!get_single_attribute(ldap_struct, entry, "kickoffTime", temp)) { + kickoff_time = (time_t) atol(temp); + pdb_set_kickoff_time(sampass, kickoff_time, True); + } - get_single_attribute(ldap_struct, entry, "pwdCanChange", temp); - pass_can_change_time = (time_t) strtol(temp, NULL, 16); + if (!get_single_attribute(ldap_struct, entry, "pwdCanChange", temp)) { + pass_can_change_time = (time_t) atol(temp); + pdb_set_pass_can_change_time(sampass, pass_can_change_time, True); + } - get_single_attribute(ldap_struct, entry, "pwdMustChange", temp); - pass_must_change_time = (time_t) strtol(temp, NULL, 16); + if (!get_single_attribute(ldap_struct, entry, "pwdMustChange", temp)) { + pass_must_change_time = (time_t) atol(temp); + pdb_set_pass_must_change_time(sampass, pass_must_change_time, True); + } /* recommend that 'gecos' and 'displayName' should refer to the same - * attribute OID. userFullName depreciated, only used by Samba - * primary rules of LDAP: don't make a new attribute when one is already defined + * attribute OID. userFullName depreciated, only used by Samba + * primary rules of LDAP: don't make a new attribute when one is already defined * that fits your needs; using cn then displayName rather than 'userFullName' */ @@ -491,25 +621,6 @@ static BOOL init_sam_from_ldap (SAM_ACCOUNT * sampass, get_single_attribute(ldap_struct, entry, "description", acct_desc); get_single_attribute(ldap_struct, entry, "userWorkstations", workstations); - get_single_attribute(ldap_struct, entry, "rid", temp); - user_rid = (uint32)strtol(temp, NULL, 10); - get_single_attribute(ldap_struct, entry, "primaryGroupID", temp); - group_rid = (uint32)strtol(temp, NULL, 10); - - - /* These values MAY be in LDAP, but they can also be retrieved through - * sys_getpw*() which is how we're doing it - */ - pw = getpwnam_alloc(username); - if (pw == NULL) { - DEBUG (2,("init_sam_from_ldap: User [%s] does not ave a uid!\n", username)); - return False; - } - uid = pw->pw_uid; - gid = pw->pw_gid; - - passwd_free(&pw); - /* FIXME: hours stuff should be cleaner */ logon_divs = 168; @@ -527,16 +638,8 @@ static BOOL init_sam_from_ldap (SAM_ACCOUNT * sampass, if (acct_ctrl == 0) acct_ctrl |= ACB_NORMAL; - - pdb_set_uid(sampass, uid); - pdb_set_gid(sampass, gid); pdb_set_acct_ctrl(sampass, acct_ctrl); - pdb_set_logon_time(sampass, logon_time); - pdb_set_logoff_time(sampass, logoff_time); - pdb_set_kickoff_time(sampass, kickoff_time); - pdb_set_pass_can_change_time(sampass, pass_can_change_time); - pdb_set_pass_must_change_time(sampass, pass_must_change_time); pdb_set_pass_last_set_time(sampass, pass_last_set_time); pdb_set_hours_len(sampass, hours_len); @@ -574,9 +677,12 @@ static BOOL init_sam_from_ldap (SAM_ACCOUNT * sampass, Initialize SAM_ACCOUNT from an LDAP query (Based on init_buffer_from_sam in pdb_tdb.c) *********************************************************************/ -static BOOL init_ldap_from_sam (LDAPMod *** mods, int ldap_state, const SAM_ACCOUNT * sampass) +static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, + LDAPMod *** mods, int ldap_op, + const SAM_ACCOUNT * sampass) { pstring temp; + uint32 rid; if (mods == NULL || sampass == NULL) { DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n")); @@ -590,27 +696,43 @@ static BOOL init_ldap_from_sam (LDAPMod *** mods, int ldap_state, const SAM_ACCO * do this on a per-mod basis */ - - make_a_mod(mods, ldap_state, "uid", pdb_get_username(sampass)); + make_a_mod(mods, ldap_op, "uid", pdb_get_username(sampass)); DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass))); - slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass)); - make_a_mod(mods, ldap_state, "pwdLastSet", temp); - - slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass)); - make_a_mod(mods, ldap_state, "logonTime", temp); - - slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass)); - make_a_mod(mods, ldap_state, "logoffTime", temp); + if ( pdb_get_user_rid(sampass) ) { + rid = pdb_get_user_rid(sampass); + } else if (IS_SAM_SET(sampass, FLAG_SAM_UID)) { + rid = pdb_uid_to_user_rid(pdb_get_uid(sampass)); + } else if (ldap_state->permit_non_unix_accounts) { + rid = ldapsam_get_next_available_nua_rid(ldap_state); + if (rid == 0) { + DEBUG(0, ("NO user RID specified on account %s, and findining next available NUA RID failed, cannot store!\n", pdb_get_username(sampass))); + return False; + } + } else { + DEBUG(0, ("NO user RID specified on account %s, cannot store!\n", pdb_get_username(sampass))); + return False; + } - slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass)); - make_a_mod(mods, ldap_state, "kickoffTime", temp); + slprintf(temp, sizeof(temp) - 1, "%i", rid); + make_a_mod(mods, ldap_op, "rid", temp); + + if ( pdb_get_group_rid(sampass) ) { + rid = pdb_get_group_rid(sampass); + } else if (IS_SAM_SET(sampass, FLAG_SAM_GID)) { + rid = pdb_gid_to_group_rid(pdb_get_gid(sampass)); + } else if (ldap_state->permit_non_unix_accounts) { + rid = DOMAIN_GROUP_RID_USERS; + } else { + DEBUG(0, ("NO group RID specified on account %s, cannot store!\n", pdb_get_username(sampass))); + return False; + } - slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass)); - make_a_mod(mods, ldap_state, "pwdCanChange", temp); + slprintf(temp, sizeof(temp) - 1, "%i", rid); + make_a_mod(mods, ldap_op, "primaryGroupID", temp); - slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass)); - make_a_mod(mods, ldap_state, "pwdMustChange", temp); + slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass)); + make_a_mod(mods, ldap_op, "pwdLastSet", temp); /* displayName, cn, and gecos should all be the same * most easily accomplished by giving them the same OID @@ -618,96 +740,261 @@ static BOOL init_ldap_from_sam (LDAPMod *** mods, int ldap_state, const SAM_ACCO * add-user script */ - make_a_mod(mods, ldap_state, "displayName", pdb_get_fullname(sampass)); - make_a_mod(mods, ldap_state, "cn", pdb_get_fullname(sampass)); - make_a_mod(mods, ldap_state, "description", pdb_get_acct_desc(sampass)); - make_a_mod(mods, ldap_state, "userWorkstations", pdb_get_workstations(sampass)); + make_a_mod(mods, ldap_op, "displayName", pdb_get_fullname(sampass)); + make_a_mod(mods, ldap_op, "cn", pdb_get_fullname(sampass)); + make_a_mod(mods, ldap_op, "description", pdb_get_acct_desc(sampass)); + make_a_mod(mods, ldap_op, "userWorkstations", pdb_get_workstations(sampass)); /* * Only updates fields which have been set (not defaults from smb.conf) */ if (IS_SAM_SET(sampass, FLAG_SAM_SMBHOME)) - make_a_mod(mods, ldap_state, "smbHome", pdb_get_homedir(sampass)); + make_a_mod(mods, ldap_op, "smbHome", pdb_get_homedir(sampass)); if (IS_SAM_SET(sampass, FLAG_SAM_DRIVE)) - make_a_mod(mods, ldap_state, "homeDrive", pdb_get_dirdrive(sampass)); - + make_a_mod(mods, ldap_op, "homeDrive", pdb_get_dirdrive(sampass)); + if (IS_SAM_SET(sampass, FLAG_SAM_LOGONSCRIPT)) - make_a_mod(mods, ldap_state, "scriptPath", pdb_get_logon_script(sampass)); + make_a_mod(mods, ldap_op, "scriptPath", pdb_get_logon_script(sampass)); if (IS_SAM_SET(sampass, FLAG_SAM_PROFILE)) - make_a_mod(mods, ldap_state, "profilePath", pdb_get_profile_path(sampass)); + make_a_mod(mods, ldap_op, "profilePath", pdb_get_profile_path(sampass)); + if (IS_SAM_SET(sampass, FLAG_SAM_LOGONTIME)) { + slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass)); + make_a_mod(mods, ldap_op, "logonTime", temp); + } - if ( !pdb_get_user_rid(sampass)) - slprintf(temp, sizeof(temp) - 1, "%i", pdb_uid_to_user_rid(pdb_get_uid(sampass))); - else - slprintf(temp, sizeof(temp) - 1, "%i", pdb_get_user_rid(sampass)); - make_a_mod(mods, ldap_state, "rid", temp); + if (IS_SAM_SET(sampass, FLAG_SAM_LOGOFFTIME)) { + slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass)); + make_a_mod(mods, ldap_op, "logoffTime", temp); + } - if ( !pdb_get_group_rid(sampass)) - slprintf(temp, sizeof(temp) - 1, "%i", pdb_gid_to_group_rid(pdb_get_gid(sampass))); - else - slprintf(temp, sizeof(temp) - 1, "%i", pdb_get_group_rid(sampass)); - make_a_mod(mods, ldap_state, "primaryGroupID", temp); + if (IS_SAM_SET(sampass, FLAG_SAM_KICKOFFTIME)) { + slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass)); + make_a_mod(mods, ldap_op, "kickoffTime", temp); + } + + if (IS_SAM_SET(sampass, FLAG_SAM_CANCHANGETIME)) { + slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass)); + make_a_mod(mods, ldap_op, "pwdCanChange", temp); + } + + if (IS_SAM_SET(sampass, FLAG_SAM_MUSTCHANGETIME)) { + slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass)); + make_a_mod(mods, ldap_op, "pwdMustChange", temp); + } /* FIXME: Hours stuff goes in LDAP */ pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass), pdb_get_acct_ctrl(sampass)); - make_a_mod (mods, ldap_state, "lmPassword", temp); + make_a_mod (mods, ldap_op, "lmPassword", temp); pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass), pdb_get_acct_ctrl(sampass)); - make_a_mod (mods, ldap_state, "ntPassword", temp); + make_a_mod (mods, ldap_op, "ntPassword", temp); - make_a_mod (mods, ldap_state, "acctFlags", pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), + make_a_mod (mods, ldap_op, "acctFlags", pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN)); return True; } + +/********************************************************************** +Connect to LDAP server and find the next available RID. +*********************************************************************/ +static uint32 check_nua_rid_is_avail(struct ldapsam_privates *ldap_state, uint32 top_rid, LDAP *ldap_struct) +{ + LDAPMessage *result; + uint32 final_rid = (top_rid & (~USER_RID_TYPE)) + RID_MULTIPLIER; + if (top_rid == 0) { + return 0; + } + + if (final_rid < ldap_state->low_nua_rid || final_rid > ldap_state->high_nua_rid) { + return 0; + } + + if (ldapsam_search_one_user_by_rid(ldap_state, ldap_struct, final_rid, &result) != LDAP_SUCCESS) { + DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the confirmation search failed!\n", final_rid, final_rid)); + final_rid = 0; + ldap_msgfree(result); + } + + if (ldap_count_entries(ldap_struct, result) != 0) + { + DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the RID is already in use!!\n", final_rid, final_rid)); + final_rid = 0; + ldap_msgfree(result); + } + + DEBUG(5, ("NUA RID %d (0x%x), declared valid\n", final_rid, final_rid)); + return final_rid; +} + +/********************************************************************** +Extract the RID from an LDAP entry +*********************************************************************/ +static uint32 entry_to_user_rid(struct ldapsam_privates *ldap_state, LDAPMessage *entry, LDAP *ldap_struct) { + uint32 rid; + SAM_ACCOUNT *user = NULL; + if (!NT_STATUS_IS_OK(pdb_init_sam(&user))) { + return 0; + } + + if (init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) { + rid = pdb_get_user_rid(user); + } else { + rid =0; + } + pdb_free_sam(&user); + if (rid >= ldap_state->low_nua_rid && rid <= ldap_state->high_nua_rid) { + return rid; + } + return 0; +} + + +/********************************************************************** +Connect to LDAP server and find the next available RID. +*********************************************************************/ +static uint32 search_top_nua_rid(struct ldapsam_privates *ldap_state, LDAP *ldap_struct) +{ + int rc; + pstring filter; + LDAPMessage *result; + LDAPMessage *entry; + char *final_filter = NULL; + uint32 top_rid = 0; + uint32 count; + uint32 rid; + + pstrcpy(filter, lp_ldap_filter()); + all_string_sub(filter, "%u", "*", sizeof(pstring)); + +#if 0 + asprintf(&final_filter, "(&(%s)(&(rid>=%d)(rid<=%d)))", filter, ldap_state->low_nua_rid, ldap_state->high_nua_rid); +#else + final_filter = strdup(filter); +#endif + DEBUG(2, ("ldapsam_get_next_available_nua_rid: searching for:[%s]\n", final_filter)); + + rc = ldap_search_s(ldap_struct, lp_ldap_suffix(), + LDAP_SCOPE_SUBTREE, final_filter, NULL, 0, + &result); + + if (rc != LDAP_SUCCESS) + { + + DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc))); + DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter)); + + free(final_filter); + ldap_msgfree(result); + result = NULL; + return 0; + } + + count = ldap_count_entries(ldap_struct, result); + DEBUG(2, ("search_top_nua_rid: %d entries in the base!\n", count)); + + if (count == 0) { + DEBUG(3, ("LDAP search returned no records, assuming no non-unix-accounts present!: %s\n", ldap_err2string(rc))); + DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter)); + free(final_filter); + ldap_msgfree(result); + result = NULL; + return ldap_state->low_nua_rid; + } + + free(final_filter); + entry = ldap_first_entry(ldap_struct,result); + + top_rid = entry_to_user_rid(ldap_state, entry, ldap_struct); + + while ((entry = ldap_next_entry(ldap_struct, entry))) { + + rid = entry_to_user_rid(ldap_state, entry, ldap_struct); + if (rid > top_rid) { + top_rid = rid; + } + } + + ldap_msgfree(result); + return top_rid; +} + +/********************************************************************** +Connect to LDAP server and find the next available RID. +*********************************************************************/ +static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state) { + LDAP *ldap_struct; + uint32 next_nua_rid; + uint32 top_nua_rid; + + if (!ldapsam_open_connection(ldap_state, &ldap_struct)) + { + return 0; + } + if (!ldapsam_connect_system(ldap_state, ldap_struct)) + { + ldap_unbind(ldap_struct); + return 0; + } + + top_nua_rid = search_top_nua_rid(ldap_state, ldap_struct); + + next_nua_rid = check_nua_rid_is_avail(ldap_state, + top_nua_rid, ldap_struct); + + ldap_unbind(ldap_struct); + return next_nua_rid; +} + /********************************************************************** Connect to LDAP server for password enumeration *********************************************************************/ -BOOL pdb_setsampwent(BOOL update) +static BOOL ldapsam_setsampwent(struct pdb_context *context, BOOL update) { + struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; int rc; pstring filter; - if (!ldap_open_connection(&global_ldap_ent.ldap_struct)) + if (!ldapsam_open_connection(ldap_state, &ldap_state->ldap_struct)) { return False; } - if (!ldap_connect_system(global_ldap_ent.ldap_struct)) + if (!ldapsam_connect_system(ldap_state, ldap_state->ldap_struct)) { - ldap_unbind(global_ldap_ent.ldap_struct); + ldap_unbind(ldap_state->ldap_struct); return False; } pstrcpy(filter, lp_ldap_filter()); all_string_sub(filter, "%u", "*", sizeof(pstring)); - rc = ldap_search_s(global_ldap_ent.ldap_struct, lp_ldap_suffix(), + rc = ldap_search_s(ldap_state->ldap_struct, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE, filter, NULL, 0, - &global_ldap_ent.result); + &ldap_state->result); if (rc != LDAP_SUCCESS) { DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc))); DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter)); - ldap_msgfree(global_ldap_ent.result); - ldap_unbind(global_ldap_ent.ldap_struct); - global_ldap_ent.ldap_struct = NULL; - global_ldap_ent.result = NULL; + ldap_msgfree(ldap_state->result); + ldap_unbind(ldap_state->ldap_struct); + ldap_state->ldap_struct = NULL; + ldap_state->result = NULL; return False; } - DEBUG(2, ("pdb_setsampwent: %d entries in the base!\n", - ldap_count_entries(global_ldap_ent.ldap_struct, - global_ldap_ent.result))); + DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n", + ldap_count_entries(ldap_state->ldap_struct, + ldap_state->result))); - global_ldap_ent.entry = ldap_first_entry(global_ldap_ent.ldap_struct, - global_ldap_ent.result); - global_ldap_ent.index = -1; + ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct, + ldap_state->result); + ldap_state->index = 0; return True; } @@ -715,63 +1002,67 @@ BOOL pdb_setsampwent(BOOL update) /********************************************************************** End enumeration of the LDAP password list *********************************************************************/ -void pdb_endsampwent(void) +static void ldapsam_endsampwent(struct pdb_context *context) { - if (global_ldap_ent.ldap_struct && global_ldap_ent.result) + struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; + if (ldap_state->ldap_struct && ldap_state->result) { - ldap_msgfree(global_ldap_ent.result); - ldap_unbind(global_ldap_ent.ldap_struct); - global_ldap_ent.ldap_struct = NULL; - global_ldap_ent.result = NULL; + ldap_msgfree(ldap_state->result); + ldap_unbind(ldap_state->ldap_struct); + ldap_state->ldap_struct = NULL; + ldap_state->result = NULL; } } /********************************************************************** Get the next entry in the LDAP password database *********************************************************************/ -BOOL pdb_getsampwent(SAM_ACCOUNT * user) +static BOOL ldapsam_getsampwent(struct pdb_context *context, SAM_ACCOUNT * user) { - if (!global_ldap_ent.entry) - return False; + struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; + BOOL ret = False; - global_ldap_ent.index++; - if (global_ldap_ent.index > 0) - { - global_ldap_ent.entry = ldap_next_entry(global_ldap_ent.ldap_struct, global_ldap_ent.entry); + while (!ret) { + if (!ldap_state->entry) + return False; + + ldap_state->index++; + ret = init_sam_from_ldap(ldap_state, user, ldap_state->ldap_struct, + ldap_state->entry); + + ldap_state->entry = ldap_next_entry(ldap_state->ldap_struct, + ldap_state->entry); + } - if (global_ldap_ent.entry != NULL) - { - return init_sam_from_ldap(user, global_ldap_ent.ldap_struct, - global_ldap_ent.entry); - } - return False; + return True; } /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username *********************************************************************/ -BOOL pdb_getsampwnam(SAM_ACCOUNT * user, const char *sname) +static BOOL ldapsam_getsampwnam(struct pdb_context *context, SAM_ACCOUNT * user, const char *sname) { + struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; LDAP *ldap_struct; LDAPMessage *result; LDAPMessage *entry; - if (!ldap_open_connection(&ldap_struct)) + if (!ldapsam_open_connection(ldap_state, &ldap_struct)) return False; - if (!ldap_connect_system(ldap_struct)) + if (!ldapsam_connect_system(ldap_state, ldap_struct)) { ldap_unbind(ldap_struct); return False; } - if (ldap_search_one_user_by_name(ldap_struct, sname, &result) != LDAP_SUCCESS) + if (ldapsam_search_one_user_by_name(ldap_state, ldap_struct, sname, &result) != LDAP_SUCCESS) { ldap_unbind(ldap_struct); return False; } if (ldap_count_entries(ldap_struct, result) < 1) { - DEBUG(0, + DEBUG(4, ("We don't find this user [%s] count=%d\n", sname, ldap_count_entries(ldap_struct, result))); ldap_unbind(ldap_struct); @@ -780,7 +1071,12 @@ BOOL pdb_getsampwnam(SAM_ACCOUNT * user, const char *sname) entry = ldap_first_entry(ldap_struct, result); if (entry) { - init_sam_from_ldap(user, ldap_struct, entry); + if (!init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) { + DEBUG(0,("ldapsam_getsampwnam: init_sam_from_ldap failed!\n")); + ldap_msgfree(result); + ldap_unbind(ldap_struct); + return False; + } ldap_msgfree(result); ldap_unbind(ldap_struct); return True; @@ -796,21 +1092,22 @@ BOOL pdb_getsampwnam(SAM_ACCOUNT * user, const char *sname) /********************************************************************** Get SAM_ACCOUNT entry from LDAP by rid *********************************************************************/ -BOOL pdb_getsampwrid(SAM_ACCOUNT * user, uint32 rid) +static BOOL ldapsam_getsampwrid(struct pdb_context *context, SAM_ACCOUNT * user, uint32 rid) { + struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; LDAP *ldap_struct; LDAPMessage *result; LDAPMessage *entry; - if (!ldap_open_connection(&ldap_struct)) + if (!ldapsam_open_connection(ldap_state, &ldap_struct)) return False; - if (!ldap_connect_system(ldap_struct)) + if (!ldapsam_connect_system(ldap_state, ldap_struct)) { ldap_unbind(ldap_struct); return False; } - if (ldap_search_one_user_by_rid(ldap_struct, rid, &result) != + if (ldapsam_search_one_user_by_rid(ldap_state, ldap_struct, rid, &result) != LDAP_SUCCESS) { ldap_unbind(ldap_struct); @@ -829,7 +1126,12 @@ BOOL pdb_getsampwrid(SAM_ACCOUNT * user, uint32 rid) entry = ldap_first_entry(ldap_struct, result); if (entry) { - init_sam_from_ldap(user, ldap_struct, entry); + if (!init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) { + DEBUG(0,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n")); + ldap_msgfree(result); + ldap_unbind(ldap_struct); + return False; + } ldap_msgfree(result); ldap_unbind(ldap_struct); return True; @@ -845,8 +1147,9 @@ BOOL pdb_getsampwrid(SAM_ACCOUNT * user, uint32 rid) /********************************************************************** Delete entry from LDAP for username *********************************************************************/ -BOOL pdb_delete_sam_account(SAM_ACCOUNT * sam_acct) +static BOOL ldapsam_delete_sam_account(struct pdb_context *context, const SAM_ACCOUNT * sam_acct) { + struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; const char *sname; int rc; char *dn; @@ -861,18 +1164,18 @@ BOOL pdb_delete_sam_account(SAM_ACCOUNT * sam_acct) sname = pdb_get_username(sam_acct); - if (!ldap_open_connection (&ldap_struct)) + if (!ldapsam_open_connection(ldap_state, &ldap_struct)) return False; DEBUG (3, ("Deleting user %s from LDAP.\n", sname)); - if (!ldap_connect_system (ldap_struct)) { + if (!ldapsam_connect_system(ldap_state, ldap_struct)) { ldap_unbind (ldap_struct); DEBUG(0, ("Failed to delete user %s from LDAP.\n", sname)); return False; } - rc = ldap_search_one_user_by_name (ldap_struct, sname, &result); + rc = ldapsam_search_one_user_by_name(ldap_state, ldap_struct, sname, &result); if (ldap_count_entries (ldap_struct, result) == 0) { DEBUG (0, ("User doesn't exit!\n")); ldap_msgfree (result); @@ -904,8 +1207,9 @@ BOOL pdb_delete_sam_account(SAM_ACCOUNT * sam_acct) /********************************************************************** Update SAM_ACCOUNT *********************************************************************/ -BOOL pdb_update_sam_account(SAM_ACCOUNT * newpwd) +static BOOL ldapsam_update_sam_account(struct pdb_context *context, const SAM_ACCOUNT * newpwd) { + struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; int rc; char *dn; LDAP *ldap_struct; @@ -913,17 +1217,17 @@ BOOL pdb_update_sam_account(SAM_ACCOUNT * newpwd) LDAPMessage *entry; LDAPMod **mods; - if (!ldap_open_connection(&ldap_struct)) /* open a connection to the server */ + if (!ldapsam_open_connection(ldap_state, &ldap_struct)) /* open a connection to the server */ return False; - if (!ldap_connect_system(ldap_struct)) /* connect as system account */ + if (!ldapsam_connect_system(ldap_state, ldap_struct)) /* connect as system account */ { ldap_unbind(ldap_struct); return False; } - rc = ldap_search_one_user_by_name(ldap_struct, - pdb_get_username(newpwd), &result); + rc = ldapsam_search_one_user_by_name(ldap_state, ldap_struct, + pdb_get_username(newpwd), &result); if (ldap_count_entries(ldap_struct, result) == 0) { @@ -933,7 +1237,12 @@ BOOL pdb_update_sam_account(SAM_ACCOUNT * newpwd) return False; } - init_ldap_from_sam(&mods, LDAP_MOD_REPLACE, newpwd); + if (!init_ldap_from_sam(ldap_state, &mods, LDAP_MOD_REPLACE, newpwd)) { + DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n")); + ldap_msgfree(result); + ldap_unbind(ldap_struct); + return False; + } entry = ldap_first_entry(ldap_struct, result); dn = ldap_get_dn(ldap_struct, entry); @@ -965,29 +1274,30 @@ BOOL pdb_update_sam_account(SAM_ACCOUNT * newpwd) /********************************************************************** Add SAM_ACCOUNT to LDAP *********************************************************************/ -BOOL pdb_add_sam_account(SAM_ACCOUNT * newpwd) +static BOOL ldapsam_add_sam_account(struct pdb_context *context, const SAM_ACCOUNT * newpwd) { + struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; int rc; pstring filter; - LDAP *ldap_struct; - LDAPMessage *result; + LDAP *ldap_struct = NULL; + LDAPMessage *result = NULL; pstring dn; - LDAPMod **mods; + LDAPMod **mods = NULL; int ldap_op; uint32 num_result; - if (!ldap_open_connection(&ldap_struct)) /* open a connection to the server */ + if (!ldapsam_open_connection(ldap_state, &ldap_struct)) /* open a connection to the server */ { return False; } - if (!ldap_connect_system(ldap_struct)) /* connect as system account */ + if (!ldapsam_connect_system(ldap_state, ldap_struct)) /* connect as system account */ { ldap_unbind(ldap_struct); return False; } - rc = ldap_search_one_user_by_name (ldap_struct, pdb_get_username(newpwd), &result); + rc = ldapsam_search_one_user_by_name (ldap_state, ldap_struct, pdb_get_username(newpwd), &result); if (ldap_count_entries(ldap_struct, result) != 0) { @@ -999,7 +1309,7 @@ BOOL pdb_add_sam_account(SAM_ACCOUNT * newpwd) ldap_msgfree(result); slprintf (filter, sizeof (filter) - 1, "uid=%s", pdb_get_username(newpwd)); - rc = ldap_search_one_user(ldap_struct, filter, &result); + rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, &result); num_result = ldap_count_entries(ldap_struct, result); if (num_result > 1) { @@ -1023,12 +1333,22 @@ BOOL pdb_add_sam_account(SAM_ACCOUNT * newpwd) /* Check if we need to add an entry */ DEBUG(3,("Adding new user\n")); ldap_op = LDAP_MOD_ADD; - slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", pdb_get_username(newpwd), lp_ldap_suffix ()); + if ( pdb_get_acct_ctrl( newpwd ) & ACB_WSTRUST ) { + slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", pdb_get_username(newpwd), lp_ldap_machine_suffix ()); + } + else { + slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", pdb_get_username(newpwd), lp_ldap_user_suffix ()); + } } ldap_msgfree(result); - init_ldap_from_sam(&mods, ldap_op, newpwd); + if (!init_ldap_from_sam(ldap_state, &mods, ldap_op, newpwd)) { + DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n")); + ldap_mods_free(mods, 1); + ldap_unbind(ldap_struct); + return False; + } make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount"); if (ldap_op == LDAP_MOD_REPLACE) { @@ -1043,8 +1363,8 @@ BOOL pdb_add_sam_account(SAM_ACCOUNT * newpwd) char *ld_error; ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error); - DEBUG(0,("failed to modify user with uid = %s with: %s\n\t%s\n", - pdb_get_username(newpwd), ldap_err2string (rc), ld_error)); + DEBUG(0,("failed to modify/add user with uid = %s (dn = %s) with: %s\n\t%s\n", + pdb_get_username(newpwd), dn, ldap_err2string (rc), ld_error)); free(ld_error); ldap_mods_free(mods, 1); ldap_unbind(ldap_struct); @@ -1057,10 +1377,105 @@ BOOL pdb_add_sam_account(SAM_ACCOUNT * newpwd) return True; } +static void free_private_data(void **vp) +{ + struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp; + + if ((*ldap_state)->ldap_struct) { + ldap_unbind((*ldap_state)->ldap_struct); + } + + *ldap_state = NULL; + + /* No need to free any further, as it is talloc()ed */ +} + +NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) +{ + NTSTATUS nt_status; + struct ldapsam_privates *ldap_state; + + if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) { + return nt_status; + } + + (*pdb_method)->name = "ldapsam"; + + (*pdb_method)->setsampwent = ldapsam_setsampwent; + (*pdb_method)->endsampwent = ldapsam_endsampwent; + (*pdb_method)->getsampwent = ldapsam_getsampwent; + (*pdb_method)->getsampwnam = ldapsam_getsampwnam; + (*pdb_method)->getsampwrid = ldapsam_getsampwrid; + (*pdb_method)->add_sam_account = ldapsam_add_sam_account; + (*pdb_method)->update_sam_account = ldapsam_update_sam_account; + (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account; + + /* TODO: Setup private data and free */ + + ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct ldapsam_privates)); + + if (!ldap_state) { + DEBUG(0, ("talloc() failed for ldapsam private_data!\n")); + return NT_STATUS_NO_MEMORY; + } + + if (location) { + ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location); + } else { + ldap_state->uri = "ldap://localhost"; + return NT_STATUS_INVALID_PARAMETER; + } + + (*pdb_method)->private_data = ldap_state; + + (*pdb_method)->free_private_data = free_private_data; + + return NT_STATUS_OK; +} + +NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) +{ + NTSTATUS nt_status; + struct ldapsam_privates *ldap_state; + uint32 low_nua_uid, high_nua_uid; + + if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) { + return nt_status; + } + + (*pdb_method)->name = "ldapsam_nua"; + + ldap_state = (*pdb_method)->private_data; + + ldap_state->permit_non_unix_accounts = True; + + if (!lp_non_unix_account_range(&low_nua_uid, &high_nua_uid)) { + DEBUG(0, ("cannot use ldapsam_nua without 'non unix account range' in smb.conf!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + ldap_state->low_nua_rid=pdb_uid_to_user_rid(low_nua_uid); + + ldap_state->high_nua_rid=pdb_uid_to_user_rid(high_nua_uid); + + return NT_STATUS_OK; +} + + #else -void dummy_function(void); -void -dummy_function (void) + +NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) { -} /* stop some compilers complaining */ + DEBUG(0, ("ldapsam not compiled in!\n")); + return NT_STATUS_UNSUCCESSFUL; +} + +NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) +{ + DEBUG(0, ("ldapsam_nua not compiled in!\n")); + return NT_STATUS_UNSUCCESSFUL; +} + + #endif + diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c index d895600e8e..e32af604fd 100644 --- a/source3/passdb/pdb_smbpasswd.c +++ b/source3/passdb/pdb_smbpasswd.c @@ -1302,7 +1302,7 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state, SAM_AC pdb_set_lanman_passwd (sam_pass, pw_buf->smb_passwd); pdb_set_acct_ctrl (sam_pass, pw_buf->acct_ctrl); pdb_set_pass_last_set_time (sam_pass, pw_buf->pass_last_set_time); - pdb_set_pass_can_change_time (sam_pass, pw_buf->pass_last_set_time); + pdb_set_pass_can_change_time (sam_pass, pw_buf->pass_last_set_time, True); pdb_set_domain (sam_pass, lp_workgroup()); pdb_set_dir_drive (sam_pass, lp_logon_drive(), False); diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c index 3c76f8336b..40ba8dd475 100644 --- a/source3/passdb/pdb_tdb.c +++ b/source3/passdb/pdb_tdb.c @@ -157,11 +157,11 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state, pdb_set_gid(sampass, gid); } - pdb_set_logon_time(sampass, logon_time); - pdb_set_logoff_time(sampass, logoff_time); - pdb_set_kickoff_time(sampass, kickoff_time); - pdb_set_pass_can_change_time(sampass, pass_can_change_time); - pdb_set_pass_must_change_time(sampass, pass_must_change_time); + pdb_set_logon_time(sampass, logon_time, True); + pdb_set_logoff_time(sampass, logoff_time, True); + pdb_set_kickoff_time(sampass, kickoff_time, True); + pdb_set_pass_can_change_time(sampass, pass_can_change_time, True); + pdb_set_pass_must_change_time(sampass, pass_must_change_time, True); pdb_set_pass_last_set_time(sampass, pass_last_set_time); pdb_set_username (sampass, username); diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c index dbcd3e5579..5be6bee00e 100644 --- a/source3/passdb/secrets.c +++ b/source3/passdb/secrets.c @@ -353,31 +353,3 @@ BOOL secrets_store_ldap_pw(char* dn, char* pw) return secrets_store(key, pw, strlen(pw)); } -BOOL fetch_ldap_pw(char *dn, char* pw, int len) -{ - fstring key; - char *p; - void *data = NULL; - size_t size; - - pstrcpy(key, dn); - for (p=key; *p; p++) - if (*p == ',') *p = '/'; - - data=secrets_fetch(key, &size); - if (!size) { - DEBUG(0,("fetch_ldap_pw: no ldap secret retrieved!\n")); - return False; - } - - if (size > len-1) - { - DEBUG(0,("fetch_ldap_pw: ldap secret is too long (%d > %d)!\n", size, len-1)); - return False; - } - - memcpy(pw, data, size); - pw[size] = '\0'; - - return True; -} |