Diffstat (limited to 'source3/sam')
-rwxr-xr-xsource3/sam/sam_ads.c332
1 files changed, 253 insertions, 79 deletions
diff --git a/source3/sam/sam_ads.c b/source3/sam/sam_ads.c
index e10b476997..6cb205d338 100755
--- a/source3/sam/sam_ads.c
+++ b/source3/sam/sam_ads.c
@@ -30,6 +30,11 @@ static int sam_ads_debug_level = DBGC_SAM;
#undef DBGC_CLASS
#define DBGC_CLASS sam_ads_debug_level
+#ifndef FIXME
+#define FIXME( body ) { DEBUG(0,("FIXME: "));\
+ DEBUGADD(0,(body));}
+#endif
+
#define ADS_STATUS_OK ADS_ERROR(0)
#define ADS_STATUS_UNSUCCESSFUL ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL)
#define ADS_STATUS_NOT_IMPLEMENTED ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED)
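Review bot: The new FIXME macro expands to a bare brace block, so `if (c) FIXME("x\n"); else ...` is a syntax error and the trailing semicolon at every call site is a stray empty statement; the conventional form is `#define FIXME(body) do { DEBUG(0,("FIXME: ")); DEBUGADD(0,(body)); } while (0)`. It also logs at level 0 unconditionally, so each call site fires on every invocation — sam_ads_account_policy_get (the FIXME before the usn check) is called once per policy field from sam_ads_get_domain_handle, and sam_ads_enum_groups fires on every enumeration. Unless these are meant to reach production logs, a higher level (the file uses 2-4 for progress messages) or a once-only guard would keep the log usable.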
@@ -42,7 +47,7 @@ static int sam_ads_debug_level = DBGC_SAM;
#define ADS_ROOT_TREE ""
/* Here are private module structs and functions */
-struct sam_ads_privates {
+typedef struct sam_ads_privates {
ADS_STRUCT *ads_struct;
TALLOC_CTX *mem_ctx;
BOOL bind_plaintext;
@@ -50,7 +55,7 @@ struct sam_ads_privates {
char *ads_bind_pw;
char *ldap_uri;
/* did we need something more? */
-};
+}SAM_ADS_PRIVATES;
/* get only these LDAP attributes, witch we really need for an account */
@@ -106,30 +111,30 @@ const char *group_attrs[] = {"objectSid",
return our ads connection. We keep the connection
open to make things faster
****************************************************/
-static ADS_STATUS sam_ads_cached_connection(struct sam_ads_privates *private)
+static ADS_STATUS sam_ads_cached_connection(SAM_ADS_PRIVATES *privates)
{
ADS_STRUCT *ads_struct;
ADS_STATUS ads_status;
- if (!private->ads_struct) {
- private->ads_struct = ads_init_simple();
- ads_struct = private->ads_struct;
- ads_struct->server.ldap_uri = smb_xstrdup(private->ldap_uri);
- if ((!private->ads_bind_dn) || (!*private->ads_bind_dn)) {
+ if (!privates->ads_struct) {
+ privates->ads_struct = ads_init_simple();
+ ads_struct = privates->ads_struct;
+ ads_struct->server.ldap_uri = smb_xstrdup(privates->ldap_uri);
+ if ((!privates->ads_bind_dn) || (!*privates->ads_bind_dn)) {
ads_struct->auth.flags |= ADS_AUTH_ANON_BIND;
} else {
ads_struct->auth.user_name
- = smb_xstrdup(private->ads_bind_dn);
- if (private->ads_bind_pw) {
+ = smb_xstrdup(privates->ads_bind_dn);
+ if (privates->ads_bind_pw) {
ads_struct->auth.password
- = smb_xstrdup(private->ads_bind_pw);
+ = smb_xstrdup(privates->ads_bind_pw);
}
}
- if (private->bind_plaintext) {
+ if (privates->bind_plaintext) {
ads_struct->auth.flags |= ADS_AUTH_SIMPLE_BIND;
}
} else {
- ads_struct = private->ads_struct;
+ ads_struct = privates->ads_struct;
}
if (ads_struct->ld != NULL) {
@@ -155,22 +160,22 @@ static ADS_STATUS sam_ads_cached_connection(struct sam_ads_privates *private)
ads_status = ads_server_info(ads_struct);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(0,("Can't set server info: %s\n",ads_errstr(ads_status)));
- /* return ads_status; */ /*for now we only warn! */
+ /* return ads_status; */ FIXME("for now we only warn!\n");
}
DEBUG(2, ("sam_ads_cached_connection: succesful connection to the LDAP server\n"));
return ADS_SUCCESS;
}
-static ADS_STATUS sam_ads_do_search(struct sam_ads_privates *private, const char *bind_path, int scope, const char *exp, const char **attrs, void **res)
+static ADS_STATUS sam_ads_do_search(SAM_ADS_PRIVATES *privates, const char *bind_path, int scope, const char *exp, const char **attrs, void **res)
{
ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
- ads_status = sam_ads_cached_connection(private);
+ ads_status = sam_ads_cached_connection(privates);
if (!ADS_ERR_OK(ads_status))
return ads_status;
- return ads_do_search_retry(private->ads_struct, bind_path, scope, exp, attrs, res);
+ return ads_do_search_retry(privates->ads_struct, bind_path, scope, exp, attrs, res);
}
@@ -178,13 +183,13 @@ static ADS_STATUS sam_ads_do_search(struct sam_ads_privates *private, const char
here we have to check the update serial number
- this is the core of the ldap cache
*********************************************/
-static ADS_STATUS sam_ads_usn_is_valid(ADS_STRUCT *ads_struct, uint32 usn_in, uint32 *usn_out)
+static ADS_STATUS sam_ads_usn_is_valid(SAM_ADS_PRIVATES *privates, uint32 usn_in, uint32 *usn_out)
{
ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
- SAM_ASSERT(ads_struct && usn_out);
+ SAM_ASSERT(privates && privates->ads_struct && usn_out);
- ads_status = ads_USN(ads_struct, usn_out);
+ ads_status = ads_USN(privates->ads_struct, usn_out);
if (!ADS_ERR_OK(ads_status))
return ads_status;
@@ -198,13 +203,107 @@ static ADS_STATUS sam_ads_usn_is_valid(ADS_STRUCT *ads_struct, uint32 usn_in, ui
Initialize SAM_ACCOUNT_HANDLE from an ADS query
************************************************/
/* not ready :-( */
-static ADS_STATUS ads_entry2sam_account_handle(ADS_STRUCT *ads_struct, SAM_ACCOUNT_HANDLE *account ,const void *entry)
+static ADS_STATUS ads_entry2sam_account_handle(SAM_ADS_PRIVATES *privates, SAM_ACCOUNT_HANDLE *account ,void *msg)
{
- ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED;
- DEBUG(0,("sam_ads: %s was called!\n",__FUNCTION__));
- SAM_ASSERT(ads_struct && account && entry);
+ ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_NO_SUCH_USER);
+ NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
+ ADS_STRUCT *ads_struct = privates->ads_struct;
+ TALLOC_CTX *mem_ctx = account->mem_ctx;
+ char *tmp_str = NULL;
+
+ SAM_ASSERT(privates && ads_struct && account && mem_ctx && msg);
+ FIXME("should we really use ads_pull_username()(or ads_pull_string())?\n");
+ if ((account->private.account_name = ads_pull_username(ads_struct, mem_ctx, msg))==NULL) {
+ DEBUG(0,("ads_pull_username failed\n"));
+ return ADS_ERROR_NT(NT_STATUS_NO_SUCH_USER);
+ }
+
+ if ((account->private.full_name = ads_pull_string(ads_struct, mem_ctx, msg,"name"))==NULL) {
+ DEBUG(3,("ads_pull_string for 'name' failed - skip\n"));
+ }
+
+ if ((account->private.acct_desc = ads_pull_string(ads_struct, mem_ctx, msg,"description"))!=NULL) {
+ DEBUG(3,("ads_pull_string for 'acct_desc' failed - skip\n"));
+ }
+
+ if ((account->private.home_dir = ads_pull_string(ads_struct, mem_ctx, msg,"homeDirectory"))!=NULL) {
+ DEBUG(3,("ads_pull_string for 'homeDirectory' failed - skip\n"));
+ }
+
+ if ((account->private.dir_drive = ads_pull_string(ads_struct, mem_ctx, msg,"homeDrive"))!=NULL) {
+ DEBUG(3,("ads_pull_string for 'homeDrive' failed - skip\n"));
+ }
+
+ if ((account->private.profile_path = ads_pull_string(ads_struct, mem_ctx, msg,"profilePath"))!=NULL) {
+ DEBUG(3,("ads_pull_string for 'profilePath' failed - skip\n"));
+ }
+
+ if ((account->private.logon_script = ads_pull_string(ads_struct, mem_ctx, msg,"scriptPath"))!=NULL) {
+ DEBUG(3,("ads_pull_string for 'scriptPath' failed - skip\n"));
+ }
+
+ FIXME("check 'nsNPAllowDialIn' for munged_dial!\n");
+ if ((account->private.munged_dial = ads_pull_string(ads_struct, mem_ctx, msg,"userParameters"))!=NULL) {
+ DEBUG(3,("ads_pull_string for 'userParameters' failed - skip\n"));
+ }
+
+ if ((account->private.unix_home_dir = ads_pull_string(ads_struct, mem_ctx, msg,"msSFUHomeDrirectory"))!=NULL) {
+ DEBUG(3,("ads_pull_string for 'msSFUHomeDrirectory' failed - skip\n"));
+ }
+#if 0
+ FIXME("use function intern mem_ctx for pwdLastSet\n");
+ if ((tmp_str = ads_pull_string(ads_struct, mem_ctx, msg,"pwdLastSet"))!=NULL) {
+ DEBUG(3,("ads_pull_string for 'pwdLastSet' failed - skip\n"));
+ } else {
+ account->private.pass_last_set_time = ads_parse_nttime(tmp_str);
+ tmp_str = NULL;
+
+ }
+#endif
+
+#if 0
+typedef struct sam_account_handle {
+ TALLOC_CTX *mem_ctx;
+ uint32 access_granted;
+ const struct sam_methods *current_sam_methods; /* sam_methods creating this handle */
+ void (*free_fn)(struct sam_account_handle **);
+ struct sam_account_data {
+ uint32 init_flag;
+ NTTIME logon_time; /* logon time */
+ NTTIME logoff_time; /* logoff time */
+ NTTIME kickoff_time; /* kickoff time */
+ NTTIME pass_last_set_time; /* password last set time */
+ NTTIME pass_can_change_time; /* password can change time */
+ NTTIME pass_must_change_time; /* password must change time */
+ char * account_name; /* account_name string */
+ SAM_DOMAIN_HANDLE * domain; /* domain of account */
+ char *full_name; /* account's full name string */
+ char *unix_home_dir; /* UNIX home directory string */
+ char *home_dir; /* home directory string */
+ char *dir_drive; /* home directory drive string */
+ char *logon_script; /* logon script string */
+ char *profile_path; /* profile path string */
+ char *acct_desc; /* account description string */
+ char *workstations; /* login from workstations string */
+ char *unknown_str; /* don't know what this is, yet. */
+ char *munged_dial; /* munged path name and dial-back tel number */
+ DOM_SID account_sid; /* Primary Account SID */
+ DOM_SID group_sid; /* Primary Group SID */
+ DATA_BLOB lm_pw; /* .data is Null if no password */
+ DATA_BLOB nt_pw; /* .data is Null if no password */
+ char *plaintext_pw; /* if Null not available */
+ uint16 acct_ctrl; /* account info (ACB_xxxx bit-mask) */
+ uint32 unknown_1; /* 0x00ff ffff */
+ uint16 logon_divs; /* 168 - number of hours in a week */
+ uint32 hours_len; /* normally 21 bytes */
+ uint8 hours[MAX_HOURS_LEN];
+ uint32 unknown_2; /* 0x0002 0000 */
+ uint32 unknown_3; /* 0x0000 04ec */
+ } private;
+} SAM_ACCOUNT_HANDLE;
+#endif
return ads_status;
}
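Review bot: ads_entry2sam_account_handle never reports success: ads_status is initialised to NT_STATUS_NO_SUCH_USER and nothing in the new body reassigns it before `return ads_status;`, so a fully populated account is returned as an error; set `ads_status = ADS_SUCCESS;` once the pulls are done (nt_status and tmp_str are also unused). Seven of the ads_pull_string checks test `!=NULL` while logging "failed - skip", so the log reports failure exactly when the attribute was found (description, homeDirectory, homeDrive, profilePath, scriptPath, userParameters, msSFUHomeDrirectory); only the 'name' check uses `==NULL`, and the others should match it, e.g. `if ((account->private.acct_desc = ads_pull_string(ads_struct, mem_ctx, msg,"description"))==NULL) {`. "msSFUHomeDrirectory" looks like a misspelling of the msSFUHomeDirectory attribute — worth confirming against the schema, since a misspelt attribute name silently yields NULL. The initialisers `ADS_STRUCT *ads_struct = privates->ads_struct;` and `TALLOC_CTX *mem_ctx = account->mem_ctx;` dereference both pointers before the SAM_ASSERT that checks them; the same ordering appears in ads_entry2sam_group_enum (`ads_struct = privates->ads_struct` before its assert) and in sam_ads_create_account, where privates is derived from sam_method->private_data before `SAM_ASSERT(sam_method && privates && ...)`.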
@@ -214,29 +313,30 @@ static ADS_STATUS ads_entry2sam_account_handle(ADS_STRUCT *ads_struct, SAM_ACCOU
Initialize SAM_GROUP_ENUM from an ads entry
************************************************/
/* not ready :-( */
-static ADS_STATUS ads_entry2sam_group_enum(ADS_STRUCT *ads_struct, TALLOC_CTX *mem_ctx, SAM_GROUP_ENUM **group_enum,const void *entry)
+static ADS_STATUS ads_entry2sam_group_enum(SAM_ADS_PRIVATES *privates, TALLOC_CTX *mem_ctx, SAM_GROUP_ENUM **group_enum,const void *entry)
{
ADS_STATUS ads_status = ADS_STATUS_UNSUCCESSFUL;
+ ADS_STRUCT *ads_struct = privates->ads_struct;
SAM_GROUP_ENUM __group_enum;
SAM_GROUP_ENUM *_group_enum = &__group_enum;
- SAM_ASSERT(ads_struct && mem_ctx && group_enum && entry);
+ SAM_ASSERT(privates && ads_struct && mem_ctx && group_enum && entry);
*group_enum = _group_enum;
DEBUG(3,("sam_ads: ads_entry2sam_account_handle\n"));
- if (!ads_pull_sid((ADS_STRUCT *)ads_struct, &entry, "objectSid", &(_group_enum->sid))) {
+ if (!ads_pull_sid(ads_struct, &entry, "objectSid", &(_group_enum->sid))) {
DEBUG(0,("No sid for!?\n"));
return ADS_STATUS_UNSUCCESSFUL;
}
- if (!(_group_enum->group_name = ads_pull_string((ADS_STRUCT *)ads_struct, mem_ctx, &entry, "sAMAccountName"))) {
+ if (!(_group_enum->group_name = ads_pull_string(ads_struct, mem_ctx, &entry, "sAMAccountName"))) {
DEBUG(0,("No groupname found"));
return ADS_STATUS_UNSUCCESSFUL;
}
- if (!(_group_enum->group_desc = ads_pull_string((ADS_STRUCT *)ads_struct, mem_ctx, &entry, "desciption"))) {
+ if (!(_group_enum->group_desc = ads_pull_string(ads_struct, mem_ctx, &entry, "desciption"))) {
DEBUG(0,("No description found"));
return ADS_STATUS_UNSUCCESSFUL;
}
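Review bot: ads_entry2sam_group_enum hands the caller the address of a local: `*group_enum = _group_enum;` points at the stack object `__group_enum`, so `*group_enum` dangles as soon as the function returns, and the commit rewires the function to privates while keeping that. Allocating the result from mem_ctx (talloc, as the rest of the file does) would fix it, and `__group_enum` is a reserved identifier (leading double underscore) that should be renamed while here. Whether any caller copies the struct out before the frame is reused is not visible in this hunk.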
@@ -250,19 +350,21 @@ static ADS_STATUS ads_entry2sam_group_enum(ADS_STRUCT *ads_struct, TALLOC_CTX *m
return ads_status;
}
-static ADS_STATUS sam_ads_access_check(const SAM_METHODS *sam_method, const SEC_DESC *sd, const NT_USER_TOKEN *access_token, uint32 access_desired)
+static ADS_STATUS sam_ads_access_check(SAM_ADS_PRIVATES *privates, const SEC_DESC *sd, const NT_USER_TOKEN *access_token, uint32 access_desired, uint32 *acc_granted)
{
ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED);
NTSTATUS nt_status;
- uint32 acc_granted;
+ uint32 my_acc_granted;
- SAM_ASSERT(sam_method && sd && access_token);
+ SAM_ASSERT(privates && sd && access_token);
+ /* acc_granted can be set to NULL */
+
/* the steps you need are:
1. get_sec_desc for sid
2. se_map_generic(accessdesired, generic_mapping)
3. se_access_check() */
- if (!se_access_check(sd, access_token, access_desired, &acc_granted, &nt_status)) {
+ if (!se_access_check(sd, access_token, access_desired, (acc_granted)?acc_granted:&my_acc_granted, &nt_status)) {
DEBUG(3,("sam_ads_access_check: ACCESS DENIED\n"));
ads_status = ADS_ERROR_NT(nt_status);
return ads_status;
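Review bot: sam_ads_access_check skips step 2 of its own recipe: the comment lists se_map_generic() before se_access_check(), but access_desired is passed through unmapped, and the callers in this commit now pass GENERIC_RIGHTS_DOMAIN_READ (sam_ads_get_sec_desc, sam_ads_lookup_sid, sam_ads_lookup_name). If that mask carries GENERIC_* bits they will never match the specific bits in the ACEs and the check fails closed; if it is already a specific-rights mask, the comment should drop step 2 so the next reader does not add the mapping a second time. A one-line comment at the se_access_check call stating which form is expected would settle it, e.g. `/* access_desired must already be in specific-rights form; callers map generic bits */`.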
@@ -271,10 +373,9 @@ static ADS_STATUS sam_ads_access_check(const SAM_METHODS *sam_method, const SEC_
return ads_status;
}
-static ADS_STATUS sam_ads_get_tree_sec_desc(const SAM_METHODS *sam_method, const char *subtree, SEC_DESC **sd)
+static ADS_STATUS sam_ads_get_tree_sec_desc(SAM_ADS_PRIVATES *privates, const char *subtree, SEC_DESC **sd)
{
ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
- struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data;
ADS_STRUCT *ads_struct = privates->ads_struct;
TALLOC_CTX *mem_ctx = privates->mem_ctx;
char *search_path;
@@ -282,7 +383,7 @@ static ADS_STATUS sam_ads_get_tree_sec_desc(const SAM_METHODS *sam_method, const
void *sec_desc_msg;
const char *sec_desc_attrs[] = {"nTSecurityDescriptor",NULL};
- SAM_ASSERT(sam_method && ads_struct && sd);
+ SAM_ASSERT(privates && ads_struct && mem_ctx && sd);
*sd = NULL;
if (subtree) {
@@ -309,25 +410,33 @@ static ADS_STATUS sam_ads_get_tree_sec_desc(const SAM_METHODS *sam_method, const
return ads_status;
}
-static ADS_STATUS sam_ads_account_policy_get(const SAM_METHODS *sam_method, int field, uint32 *value)
+static ADS_STATUS sam_ads_account_policy_get(SAM_ADS_PRIVATES *privates, int field, uint32 *value)
{
ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
- struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data;
ADS_STRUCT *ads_struct = privates->ads_struct;
void *ap_res;
void *ap_msg;
- const char *ap_attrs[] = {"minPwdLength","pwdHistoryLength",
- /*"mustLogonToChangePass",*/"lockoutDuration"
- "maxPwdAge","minPwdAge",NULL};
+ const char *ap_attrs[] = {"minPwdLength",/* AP_MIN_PASSWORD_LEN */
+ "pwdHistoryLength",/* AP_PASSWORD_HISTORY */
+ "AP_USER_MUST_LOGON_TO_CHG_PASS",/* AP_USER_MUST_LOGON_TO_CHG_PASS */
+ "maxPwdAge",/* AP_MAX_PASSWORD_AGE */
+ "minPwdAge",/* AP_MIN_PASSWORD_AGE */
+ "lockoutDuration",/* AP_LOCK_ACCOUNT_DURATION */
+ "AP_RESET_COUNT_TIME",/* AP_RESET_COUNT_TIME */
+ "AP_BAD_ATTEMPT_LOCKOUT",/* AP_BAD_ATTEMPT_LOCKOUT */
+ "AP_TIME_TO_LOGOUT",/* AP_TIME_TO_LOGOUT */
+ NULL};
/*lockOutObservationWindow
lockoutThreshold $ pwdProperties*/
static uint32 ap[9];
static uint32 ap_usn = 0;
uint32 tmp_usn = 0;
- SAM_ASSERT(sam_method && value);
+ SAM_ASSERT(privates && ads_struct && value);
+
+ FIXME("We need to decode all account_policy attributes!\n");
- ads_status = sam_ads_usn_is_valid(ads_struct,ap_usn,&tmp_usn);
+ ads_status = sam_ads_usn_is_valid(privates,ap_usn,&tmp_usn);
if (!ADS_ERR_OK(ads_status)) {
ads_status = sam_ads_do_search(privates, ads_struct->config.bind_path, LDAP_SCOPE_BASE, "(objectClass=*)", ap_attrs, &ap_res);
if (!ADS_ERR_OK(ads_status))
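Review bot: The ap_attrs table now requests the enum names "AP_USER_MUST_LOGON_TO_CHG_PASS", "AP_RESET_COUNT_TIME", "AP_BAD_ATTEMPT_LOCKOUT" and "AP_TIME_TO_LOGOUT" from the server as if they were LDAP attribute names; a server will typically just not return them, so the matching slots of the static ap[] cache keep whatever they held, and the FIXME a few lines down confirms the decoding is unfinished. Marking the unknown entries with a comment such as `/* no AD attribute known yet; decode must leave the default */` instead of a placeholder name would keep the request clean, and the decode (outside this hunk) needs to treat those fields as absent rather than zero. Note also that ap[] and ap_usn are file-static, so the cached policy is shared across every SAM_ADS_PRIVATES instance; if more than one backend instance can exist, that cache belongs in the privates struct this commit introduces.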
@@ -427,6 +536,7 @@ static ADS_STATUS sam_ads_account_policy_get(const SAM_METHODS *sam_method, int
return ads_status;
}
+
/**********************************
Now the functions off the SAM API
***********************************/
@@ -436,7 +546,7 @@ static NTSTATUS sam_ads_get_sec_desc(const SAM_METHODS *sam_method, const NT_USE
const DOM_SID *sid, SEC_DESC **sd)
{
ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
- struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data;
+ SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data;
ADS_STRUCT *ads_struct = privates->ads_struct;
TALLOC_CTX *mem_ctx;
char *sidstr,*filter;
@@ -448,11 +558,11 @@ static NTSTATUS sam_ads_get_sec_desc(const SAM_METHODS *sam_method, const NT_USE
SAM_ASSERT(sam_method && access_token && sid && sd);
- ads_status = sam_ads_get_tree_sec_desc(sam_method, ADS_ROOT_TREE, &my_sd);
+ ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &my_sd);
if (!ADS_ERR_OK(ads_status))
return ads_ntstatus(ads_status);
- ads_status = sam_ads_access_check(sam_method, my_sd, access_token, DOMAIN_READ);
+ ads_status = sam_ads_access_check(privates, my_sd, access_token, GENERIC_RIGHTS_DOMAIN_READ, NULL);
if (!ADS_ERR_OK(ads_status))
return ads_ntstatus(ads_status);
@@ -523,17 +633,17 @@ static NTSTATUS sam_ads_lookup_sid(const SAM_METHODS *sam_method, const NT_USER_
enum SID_NAME_USE *type)
{
ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
- struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data;
+ SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data;
ADS_STRUCT *ads_struct = privates->ads_struct;
SEC_DESC *my_sd;
SAM_ASSERT(sam_method && access_token && mem_ctx && sid && name && type);
- ads_status = sam_ads_get_tree_sec_desc(sam_method, ADS_ROOT_TREE, &my_sd);
+ ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &my_sd);
if (!ADS_ERR_OK(ads_status))
return ads_ntstatus(ads_status);
- ads_status = sam_ads_access_check(sam_method, my_sd, access_token, DOMAIN_READ);
+ ads_status = sam_ads_access_check(privates, my_sd, access_token, GENERIC_RIGHTS_DOMAIN_READ, NULL);
if (!ADS_ERR_OK(ads_status))
return ads_ntstatus(ads_status);
@@ -544,17 +654,17 @@ static NTSTATUS sam_ads_lookup_name(const SAM_METHODS *sam_method, const NT_USER
const char *name, DOM_SID *sid, enum SID_NAME_USE *type)
{
ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
- struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data;
+ SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data;
ADS_STRUCT *ads_struct = privates->ads_struct;
SEC_DESC *my_sd;
SAM_ASSERT(sam_method && access_token && name && sid && type);
- ads_status = sam_ads_get_tree_sec_desc(sam_method, ADS_ROOT_TREE, &my_sd);
+ ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &my_sd);
if (!ADS_ERR_OK(ads_status))
return ads_ntstatus(ads_status);
- ads_status = sam_ads_access_check(sam_method, my_sd, access_token, DOMAIN_READ);
+ ads_status = sam_ads_access_check(privates, my_sd, access_token, GENERIC_RIGHTS_DOMAIN_READ, NULL);
if (!ADS_ERR_OK(ads_status))
return ads_ntstatus(ads_status);
@@ -576,7 +686,7 @@ static NTSTATUS sam_ads_get_domain_handle(const SAM_METHODS *sam_method, const N
const uint32 access_desired, SAM_DOMAIN_HANDLE **domain)
{
ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED;
- struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data;
+ SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data;
TALLOC_CTX *mem_ctx = privates->mem_ctx; /*Fix me is this right??? */
SAM_DOMAIN_HANDLE *dom_handle = NULL;
SEC_DESC *sd;
@@ -603,11 +713,11 @@ static NTSTATUS sam_ads_get_domain_handle(const SAM_METHODS *sam_method, const N
/* check if access can be granted as requested */
- ads_status = sam_ads_get_tree_sec_desc(sam_method, ADS_ROOT_TREE, &sd);
+ ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &sd);
if (!ADS_ERR_OK(ads_status))
return ads_ntstatus(ads_status);
- ads_status = sam_ads_access_check(sam_method, sd, access_token, access_desired);
+ ads_status = sam_ads_access_check(privates, sd, access_token, access_desired, &acc_granted);
if (!ADS_ERR_OK(ads_status))
return ads_ntstatus(ads_status);
@@ -619,62 +729,62 @@ static NTSTATUS sam_ads_get_domain_handle(const SAM_METHODS *sam_method, const N
dom_handle->private.servername = "WHOKNOWS"; /* what is the servername */
/*Fix me: sam_ads_account_policy_get() return ADS_STATUS! */
- ads_status = sam_ads_account_policy_get(sam_method, AP_MAX_PASSWORD_AGE, &tmp_value);
+ ads_status = sam_ads_account_policy_get(privates, AP_MAX_PASSWORD_AGE, &tmp_value);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4,("sam_ads_account_policy_get failed for max password age. Useing default\n"));
tmp_value = MAX_PASSWORD_AGE;
}
unix_to_nt_time_abs(&dom_handle->private.max_passwordage,tmp_value);
- ads_status = sam_ads_account_policy_get(sam_method, AP_MIN_PASSWORD_AGE, &tmp_value);
+ ads_status = sam_ads_account_policy_get(privates, AP_MIN_PASSWORD_AGE, &tmp_value);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4,("sam_ads_account_policy_get failed for min password age. Useing default\n"));
tmp_value = 0;
}
unix_to_nt_time_abs(&dom_handle->private.min_passwordage, tmp_value);
- ads_status = sam_ads_account_policy_get(sam_method, AP_LOCK_ACCOUNT_DURATION, &tmp_value);
+ ads_status = sam_ads_account_policy_get(privates, AP_LOCK_ACCOUNT_DURATION, &tmp_value);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4,("sam_ads_account_policy_get failed for lockout duration. Useing default\n"));
tmp_value = 0;
}
unix_to_nt_time_abs(&dom_handle->private.lockout_duration, tmp_value);
- ads_status = sam_ads_account_policy_get(sam_method, AP_RESET_COUNT_TIME, &tmp_value);
+ ads_status = sam_ads_account_policy_get(privates, AP_RESET_COUNT_TIME, &tmp_value);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4,("sam_ads_account_policy_get failed for time till locout count is reset. Useing default\n"));
tmp_value = 0;
}
unix_to_nt_time_abs(&dom_handle->private.reset_count, tmp_value);
- ads_status = sam_ads_account_policy_get(sam_method, AP_MIN_PASSWORD_LEN, &tmp_value);
+ ads_status = sam_ads_account_policy_get(privates, AP_MIN_PASSWORD_LEN, &tmp_value);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4,("sam_ads_account_policy_get failed for min password length. Useing default\n"));
tmp_value = 0;
}
dom_handle->private.min_passwordlength = (uint16)tmp_value;
- ads_status = sam_ads_account_policy_get(sam_method, AP_PASSWORD_HISTORY, &tmp_value);
+ ads_status = sam_ads_account_policy_get(privates, AP_PASSWORD_HISTORY, &tmp_value);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4,("sam_ads_account_policy_get failed password history. Useing default\n"));
tmp_value = 0;
}
dom_handle->private.password_history = (uint16)tmp_value;
- ads_status = sam_ads_account_policy_get(sam_method, AP_BAD_ATTEMPT_LOCKOUT, &tmp_value);
+ ads_status = sam_ads_account_policy_get(privates, AP_BAD_ATTEMPT_LOCKOUT, &tmp_value);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4,("sam_ads_account_policy_get failed for bad attempts till lockout. Useing default\n"));
tmp_value = 0;
}
dom_handle->private.lockout_count = (uint16)tmp_value;
- ads_status = sam_ads_account_policy_get(sam_method, AP_TIME_TO_LOGOUT, &tmp_value);
+ ads_status = sam_ads_account_policy_get(privates, AP_TIME_TO_LOGOUT, &tmp_value);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4,("sam_ads_account_policy_get failed for force logout. Useing default\n"));
tmp_value = -1;
}
- ads_status = sam_ads_account_policy_get(sam_method, AP_USER_MUST_LOGON_TO_CHG_PASS, &tmp_value);
+ ads_status = sam_ads_account_policy_get(privates, AP_USER_MUST_LOGON_TO_CHG_PASS, &tmp_value);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4,("sam_ads_account_policy_get failed for user must login to change password. Useing default\n"));
tmp_value = 0;
@@ -699,15 +809,17 @@ static NTSTATUS sam_ads_create_account(const SAM_METHODS *sam_method,
const char *account_name, uint16 acct_ctrl, SAM_ACCOUNT_HANDLE **account)
{
ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED;
+ SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data;
SEC_DESC *sd = NULL;
+ uint32 acc_granted;
- SAM_ASSERT(sam_method && access_token && account_name && account);
+ SAM_ASSERT(sam_method && privates && access_token && account_name && account);
- ads_status = sam_ads_get_tree_sec_desc(sam_method, ADS_SUBTREE_USERS, &sd);
+ ads_status = sam_ads_get_tree_sec_desc(privates, ADS_SUBTREE_USERS, &sd);
if (!ADS_ERR_OK(ads_status))
return ads_ntstatus(ads_status);
- ads_status = sam_ads_access_check(sam_method, sd, access_token, access_desired);
+ ads_status = sam_ads_access_check(privates, sd, access_token, access_desired, &acc_granted);
if (!ADS_ERR_OK(ads_status))
return ads_ntstatus(ads_status);
@@ -715,21 +827,25 @@ static NTSTATUS sam_ads_create_account(const SAM_METHODS *sam_method,
if (!ADS_ERR_OK(ads_status))
return ads_ntstatus(ads_status);
+ (*account)->access_granted = acc_granted;
+
return ads_ntstatus(ads_status);
}
static NTSTATUS sam_ads_add_account(const SAM_METHODS *sam_method, const SAM_ACCOUNT_HANDLE *account)
{
ADS_STATUS ads_status = ADS_ERROR(LDAP_NO_MEMORY);
- struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data;
+ SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data;
ADS_STRUCT *ads_struct = privates->ads_struct;
TALLOC_CTX *mem_ctx = privates->mem_ctx;
ADS_MODLIST mods;
uint16 acct_ctrl;
char *new_dn;
+ SEC_DESC *sd;
+ uint32 acc_granted;
SAM_ASSERT(sam_method && account);
-
+
ads_status = ADS_ERROR_NT(sam_get_account_acct_ctrl(account,&acct_ctrl));
if (!ADS_ERR_OK(ads_status))
goto done;
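Review bot: sam_ads_add_account gains `SEC_DESC *sd;` and `uint32 acc_granted;` but nothing in the hunk reads or writes them; the function body continues past the hunk, so if they are consumed further down this is fine, otherwise they only draw unused-variable warnings. Unlike sam_ads_create_account, this function's signature carries no access_token, so any authorization check here can only be made against the `access_granted` that create_account stores into the handle (`(*account)->access_granted = acc_granted;` in the hunk above) — a comment at the declaration saying whether that is the intent would help, e.g. `/* TODO: check account->access_granted before writing; no token is passed here */`. In sam_ads_create_account, `acc_granted` is only assigned on the success path of sam_ads_access_check, which the early returns guarantee; `/* set by sam_ads_access_check on success */` at its declaration would make that dependency explicit.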
@@ -892,22 +1008,81 @@ static NTSTATUS sam_ads_enum_accounts(const SAM_METHODS *sam_method, const NT_US
return ads_ntstatus(ads_status);
}
-static NTSTATUS sam_ads_get_account_by_sid(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const DOM_SID *accountsid, SAM_ACCOUNT_HANDLE **account)
+#if 0
+static NTSTATUS sam_ads_get_account_by_sid(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const DOM_SID *account_sid, SAM_ACCOUNT_HANDLE **account)
+{
+ ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data;
+ ADS_STRUCT *ads_struct = privates->ads_struct;
+ TALLOC_CTX *mem_ctx = privates->mem_ctx;
+ SEC_DESC *sd = NULL;
+ uint32 acc_granted;
+
+ SAM_ASSERT(sam_method && privates && ads_struct && access_token && account_sid && account);
+
+ ads_status = ADS_ERROR_NT(sam_ads_get_sec_desc(sam_method, access_token, account_sid, &my_sd));
+ if (!ADS_ERR_OK(ads_status))
+ return ads_ntstatus(ads_status);
+
+ ads_status = sam_ads_access_check(privates, sd, access_token, access_desired, &acc_granted);
+ if (!ADS_ERR_OK(ads_status))
+ return ads_ntstatus(ads_status);
+
+ ads_status = ADS_ERROR_NT(sam_init_account(account));
+ if (!ADS_ERR_OK(ads_status))
+ return ads_ntstatus(ads_status);
+
+ (*account)->access_granted = acc_granted;
+
+ return ads_ntstatus(ads_status);
+}
+#else
+static NTSTATUS sam_ads_get_account_by_sid(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const DOM_SID *account_sid, SAM_ACCOUNT_HANDLE **account)
{
ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED;
DEBUG(0,("sam_ads: %s was called!\n",__FUNCTION__));
SAM_ASSERT(sam_method);
return ads_ntstatus(ads_status);
}
+#endif
-static NTSTATUS sam_ads_get_account_by_name(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const char *name, SAM_ACCOUNT_HANDLE **account)
+#if 0
+static NTSTATUS sam_ads_get_account_by_name(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const char *account_name, SAM_ACCOUNT_HANDLE **account)
+{
+ ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data;
+ ADS_STRUCT *ads_struct = privates->ads_struct;
+ TALLOC_CTX *mem_ctx = privates->mem_ctx;
+ SEC_DESC *sd = NULL;
+ uint32 acc_granted;
+
+ SAM_ASSERT(sam_method && privates && ads_struct && access_token && account_name && account);
+
+ ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &sd);
+ if (!ADS_ERR_OK(ads_status))
+ return ads_ntstatus(ads_status);
+
+ ads_status = sam_ads_access_check(privates, sd, access_token, access_desired, &acc_granted);
+ if (!ADS_ERR_OK(ads_status))
+ return ads_ntstatus(ads_status);
+
+ ads_status = ADS_ERROR_NT(sam_init_account(account));
+ if (!ADS_ERR_OK(ads_status))
+ return ads_ntstatus(ads_status);
+
+ (*account)->access_granted = acc_granted;
+
+ return ads_ntstatus(ads_status);
+}
+#else
+static NTSTATUS sam_ads_get_account_by_name(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const char *account_name, SAM_ACCOUNT_HANDLE **account)
{
ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED;
DEBUG(0,("sam_ads: %s was called!\n",__FUNCTION__));
SAM_ASSERT(sam_method);
return ads_ntstatus(ads_status);
}
-
+#endif
/* Group API */
static NTSTATUS sam_ads_create_group(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, uint32 access_desired, const char *group_name, uint16 group_ctrl, SAM_GROUP_HANDLE **group)
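Review bot: The `#if 0` draft of sam_ads_get_account_by_sid passes `&my_sd` to sam_ads_get_sec_desc but declares the descriptor as `sd`, so it will not compile once enabled, and `sd` is then handed to sam_ads_access_check still NULL. More importantly neither draft performs the lookup: after the access check both call sam_init_account(account), set access_granted and return success, so an enabled version would report success with an account handle that was never matched against the directory by SID or name — the search and the ads_entry2sam_account_handle call are what is missing. The by_name draft also checks access against the ADS_ROOT_TREE descriptor while the by_sid draft uses sam_ads_get_sec_desc for the object itself; which of the two is intended deserves a comment. Until the lookup exists, a `/* TODO: not implemented - do not enable: no directory search yet */` above each `#if 0` would stop the drafts being switched on as-is.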
@@ -945,7 +1120,7 @@ static NTSTATUS sam_ads_delete_group(const SAM_METHODS *sam_method, const SAM_GR
static NTSTATUS sam_ads_enum_groups(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint16 group_ctrl, uint32 *groups_count, SAM_GROUP_ENUM **groups)
{
ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED;
- struct sam_ads_privates *privates = (struct sam_ads_privates *)sam_method->private_data;
+ SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data;
ADS_STRUCT *ads_struct = privates->ads_struct;
TALLOC_CTX *mem_ctx = privates->mem_ctx;
void *res = NULL;
@@ -965,7 +1140,7 @@ static NTSTATUS sam_ads_enum_groups(const SAM_METHODS *sam_method, const NT_USER
DEBUG(3,("ads: enum_dom_groups\n"));
- /* Fix Me: get only group from the wanted Type */
+ FIXME("get only group from the wanted Type!\n");
asprintf(&filter, "(&(objectClass=group)(groupType=%s))", "*");
ads_status = sam_ads_do_search(privates, ads_struct->config.bind_path, LDAP_SCOPE_SUBTREE, filter, group_enum_attrs, &res);
if (!ADS_ERR_OK(ads_status)) {
@@ -1071,7 +1246,7 @@ Free our private data
***********************************/
static void sam_ads_free_private_data(void **vp)
{
- struct sam_ads_privates **sam_ads_state = (struct sam_ads_privates **)vp;
+ SAM_ADS_PRIVATES **sam_ads_state = (SAM_ADS_PRIVATES **)vp;
if ((*sam_ads_state)->ads_struct->ld) {
ldap_unbind((*sam_ads_state)->ads_struct->ld);
@@ -1080,7 +1255,7 @@ static void sam_ads_free_private_data(void **vp)
ads_destroy(&((*sam_ads_state)->ads_struct));
talloc_destroy((*sam_ads_state)->mem_ctx);
- /* Fix me: maybe we must free some other stuff here */
+ FIXME("maybe we must free some other stuff here\n");
*sam_ads_state = NULL;
}
@@ -1093,7 +1268,7 @@ Init the ADS SAM backend
NTSTATUS sam_init_ads(SAM_METHODS *sam_method, const char *module_params)
{
ADS_STATUS ads_status;
- struct sam_ads_privates *sam_ads_state;
+ SAM_ADS_PRIVATES *sam_ads_state;
TALLOC_CTX *mem_ctx;
SAM_ASSERT(sam_method && sam_method->parent);
@@ -1142,8 +1317,7 @@ NTSTATUS sam_init_ads(SAM_METHODS *sam_method, const char *module_params)
sam_method->sam_get_groups_of_sid = sam_ads_get_groups_of_sid;
- /*Fix me: use talloc !*/
- sam_ads_state = talloc_zero(mem_ctx, sizeof(struct sam_ads_privates));
+ sam_ads_state = talloc_zero(mem_ctx, sizeof(SAM_ADS_PRIVATES));
if (!sam_ads_state) {
DEBUG(0, ("talloc() failed for sam_ads private_data!\n"));
return NT_STATUS_NO_MEMORY;