summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/Makefile.in2
-rw-r--r--source3/auth/auth_domain.c4
-rw-r--r--source3/auth/auth_util.c3
-rw-r--r--source3/include/passdb.h13
-rw-r--r--source3/nsswitch/winbindd_ads.c2
-rw-r--r--source3/nsswitch/winbindd_passdb.c3
-rw-r--r--source3/passdb/lookup_sid.c9
-rw-r--r--source3/passdb/passdb.c43
-rw-r--r--source3/passdb/pdb_interface.c76
-rw-r--r--source3/passdb/secrets.c41
-rw-r--r--source3/rpc_server/srv_lsa_nt.c3
-rw-r--r--source3/utils/net_rpc.c18
12 files changed, 153 insertions, 64 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index bed5d77814..7dbb979c7b 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -536,6 +536,7 @@ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
$(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) \
rpc_client/cli_pipe.o $(RPC_PARSE_OBJ2) \
$(RPC_CLIENT_OBJ1) \
+ $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(LDB_OBJ) $(GROUPDB_OBJ) \
$(LIBMSRPC_GEN_OBJ)
TESTPARM_OBJ = utils/testparm.o \
@@ -607,6 +608,7 @@ CLIENT_OBJ1 = client/client.o client/clitar.o rpc_client/cli_pipe.o \
CLIENT_OBJ = $(CLIENT_OBJ1) $(PARAM_OBJ) $(LIBSMB_OBJ) \
$(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(LIBMSRPC_GEN_OBJ) \
$(READLINE_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) \
+ $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(LDB_OBJ) \
$(DISPLAY_SEC_OBJ)
TOOL_OBJ = client/smbctool.o client/clitar.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 6468c18cb0..6517852093 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -408,8 +408,8 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
* No need to become_root() as secrets_init() is done at startup.
*/
- if (!secrets_fetch_trusted_domain_password(user_info->domain, &trust_password,
- &sid, &last_change_time)) {
+ if (!pdb_get_trusteddom_pw(user_info->domain, &trust_password,
+ &sid, &last_change_time)) {
DEBUG(0, ("check_trustdomain_security: could not fetch trust "
"account password for domain %s\n",
user_info->domain));
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 94551cb8a5..1080ced51b 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -2142,8 +2142,7 @@ BOOL is_trusted_domain(const char* dom_name)
become_root();
DEBUG (5,("is_trusted_domain: Checking for domain trust with "
"[%s]\n", dom_name ));
- ret = secrets_fetch_trusted_domain_password(dom_name, NULL,
- NULL, NULL);
+ ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
unbecome_root();
if (ret)
return True;
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index 092904ab60..d5abb7ad55 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -403,6 +403,19 @@ struct pdb_methods
BOOL (*rid_algorithm)(struct pdb_methods *methods);
BOOL (*new_rid)(struct pdb_methods *methods, uint32 *rid);
+
+ BOOL (*get_trusteddom_pw)(struct pdb_methods *methods,
+ const char *domain, char** pwd,
+ DOM_SID *sid, time_t *pass_last_set_time);
+ BOOL (*set_trusteddom_pw)(struct pdb_methods *methods,
+ const char* domain, const char* pwd,
+ const DOM_SID *sid);
+ BOOL (*del_trusteddom_pw)(struct pdb_methods *methods,
+ const char *domain);
+ NTSTATUS (*enum_trusteddoms)(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx, uint32 *num_domains,
+ struct trustdom_info ***domains);
+
void *private_data; /* Private data of some kind */
void (*free_private_data)(void **);
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 3505f183f2..8cb60806f8 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -81,7 +81,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
DOM_SID sid;
time_t last_set_time;
- if ( !secrets_fetch_trusted_domain_password( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
+ if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
ads_destroy( &ads );
return NULL;
}
diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c
index 70590579cc..c8a9eea1c9 100644
--- a/source3/nsswitch/winbindd_passdb.c
+++ b/source3/nsswitch/winbindd_passdb.c
@@ -541,8 +541,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
return NT_STATUS_NO_MEMORY;
}
- nt_status = secrets_trusted_domains(tmp_ctx, num_domains,
- &domains);
+ nt_status = pdb_enum_trusteddoms(tmp_ctx, num_domains, &domains);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(tmp_ctx);
return nt_status;
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index c1dca6e433..82db246f04 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -178,8 +178,7 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
/* 5. Trusted domains as such, to me it looks as if members don't do
this, tested an XP workstation in a NT domain -- vl */
- if (IS_DC && (secrets_fetch_trusted_domain_password(name, NULL,
- &sid, NULL))) {
+ if (IS_DC && (pdb_get_trusteddom_pw(name, NULL, &sid, NULL))) {
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
@@ -581,9 +580,9 @@ static BOOL lookup_as_domain(const DOM_SID *sid, TALLOC_CTX *mem_ctx,
* and for SIDs that have 4 sub-authorities and thus look like
* domains */
- if (!NT_STATUS_IS_OK(secrets_trusted_domains(mem_ctx,
- &num_domains,
- &domains))) {
+ if (!NT_STATUS_IS_OK(pdb_enum_trusteddoms(mem_ctx,
+ &num_domains,
+ &domains))) {
return False;
}
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 310ab50d14..266b28fe95 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -1523,3 +1523,46 @@ BOOL pdb_increment_bad_password_count(struct samu *sampass)
return True;
}
+
+
+/*******************************************************************
+ Wrapper around retrieving the trust account password
+*******************************************************************/
+
+BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
+{
+ DOM_SID sid;
+ char *pwd;
+ time_t last_set_time;
+
+ /* if we are a DC and this is not our domain, then lookup an account
+ for the domain trust */
+
+ if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) {
+ if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &last_set_time)) {
+ DEBUG(0, ("get_trust_pw: could not fetch trust "
+ "account password for trusted domain %s\n",
+ domain));
+ return False;
+ }
+
+ *channel = SEC_CHAN_DOMAIN;
+ E_md4hash(pwd, ret_pwd);
+ SAFE_FREE(pwd);
+
+ return True;
+ }
+
+ /* Just get the account for the requested domain. In the future this
+ * might also cover to be member of more than one domain. */
+
+ if (secrets_fetch_trust_account_password(domain, ret_pwd,
+ &last_set_time, channel))
+ return True;
+
+ DEBUG(5, ("get_trust_pw: could not fetch trust account "
+ "password for domain %s\n", domain));
+ return False;
+}
+
+/* END */
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index f7990f2939..36536e5fea 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -1997,6 +1997,77 @@ void pdb_search_destroy(struct pdb_search *search)
}
/*******************************************************************
+ trustodm methods
+ *******************************************************************/
+
+BOOL pdb_get_trusteddom_pw(const char *domain, char** pwd, DOM_SID *sid,
+ time_t *pass_last_set_time)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
+ pass_last_set_time);
+}
+
+BOOL pdb_set_trusteddom_pw(const char* domain, const char* pwd,
+ const DOM_SID *sid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
+}
+
+BOOL pdb_del_trusteddom_pw(const char *domain)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->del_trusteddom_pw(pdb, domain);
+}
+
+NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32 *num_domains,
+ struct trustdom_info ***domains)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
+}
+
+/*******************************************************************
+ the defaults for trustdom methods:
+ these simply call the original passdb/secrets.c actions,
+ to be replaced by pdb_ldap.
+ *******************************************************************/
+
+static BOOL pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
+ const char *domain,
+ char** pwd,
+ DOM_SID *sid,
+ time_t *pass_last_set_time)
+{
+ return secrets_fetch_trusted_domain_password(domain, pwd,
+ sid, pass_last_set_time);
+
+}
+
+static BOOL pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
+ const char* domain,
+ const char* pwd,
+ const DOM_SID *sid)
+{
+ return secrets_store_trusted_domain_password(domain, pwd, sid);
+}
+
+static BOOL pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
+ const char *domain)
+{
+ return trusted_domain_password_delete(domain);
+}
+
+static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_domains,
+ struct trustdom_info ***domains)
+{
+ return secrets_trusted_domains(mem_ctx, num_domains, domains);
+}
+
+/*******************************************************************
Create a pdb_methods structure and initialize it with the default
operations. In this way a passdb module can simply implement
the functionality it cares about. However, normally this is done
@@ -2060,5 +2131,10 @@ NTSTATUS make_pdb_method( struct pdb_methods **methods )
(*methods)->search_groups = pdb_default_search_groups;
(*methods)->search_aliases = pdb_default_search_aliases;
+ (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
+ (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
+ (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
+ (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
+
return NT_STATUS_OK;
}
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 3ac3a93233..262ca4f7ed 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -655,47 +655,6 @@ char *secrets_fetch_machine_password(const char *domain,
return ret;
}
-/*******************************************************************
- Wrapper around retrieving the trust account password
-*******************************************************************/
-
-BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
-{
- DOM_SID sid;
- char *pwd;
- time_t last_set_time;
-
- /* if we are a DC and this is not our domain, then lookup an account
- for the domain trust */
-
- if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) {
- if (!secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
- &last_set_time)) {
- DEBUG(0, ("get_trust_pw: could not fetch trust "
- "account password for trusted domain %s\n",
- domain));
- return False;
- }
-
- *channel = SEC_CHAN_DOMAIN;
- E_md4hash(pwd, ret_pwd);
- SAFE_FREE(pwd);
-
- return True;
- }
-
- /* Just get the account for the requested domain. In the future this
- * might also cover to be member of more than one domain. */
-
- if (secrets_fetch_trust_account_password(domain, ret_pwd,
- &last_set_time, channel))
- return True;
-
- DEBUG(5, ("get_trust_pw: could not fetch trust account "
- "password for domain %s\n", domain));
- return False;
-}
-
/************************************************************************
Routine to delete the machine trust account password file for a domain.
************************************************************************/
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 1a92ec6740..44ec292750 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -648,8 +648,7 @@ NTSTATUS _lsa_enum_trust_dom(pipes_struct *p, LSA_Q_ENUM_TRUST_DOM *q_u,
if (!(info->access & POLICY_VIEW_LOCAL_INFORMATION))
return NT_STATUS_ACCESS_DENIED;
- nt_status = secrets_trusted_domains(p->mem_ctx, &num_domains,
- &domains);
+ nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 366f63dc5b..e29d0495d1 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -5604,9 +5604,7 @@ static int rpc_trustdom_establish(int argc, const char **argv)
* Store the password in secrets db
*/
- if (!secrets_store_trusted_domain_password(domain_name,
- opt_password,
- domain_sid)) {
+ if (!pdb_set_trusteddom_pw(domain_name, opt_password, domain_sid)) {
DEBUG(0, ("Storing password for trusted domain failed.\n"));
cli_shutdown(cli);
return -1;
@@ -5644,6 +5642,7 @@ static int rpc_trustdom_establish(int argc, const char **argv)
static int rpc_trustdom_revoke(int argc, const char **argv)
{
char* domain_name;
+ int rc = -1;
if (argc < 1) return -1;
@@ -5652,13 +5651,16 @@ static int rpc_trustdom_revoke(int argc, const char **argv)
strupper_m(domain_name);
/* delete password of the trust */
- if (!trusted_domain_password_delete(domain_name)) {
+ if (!pdb_del_trusteddom_pw(domain_name)) {
DEBUG(0, ("Failed to revoke relationship to the trusted domain %s\n",
domain_name));
- return -1;
+ goto done;
};
- return 0;
+ rc = 0;
+done:
+ SAFE_FREE(domain_name);
+ return rc;
}
/**
@@ -5744,9 +5746,7 @@ static NTSTATUS vampire_trusted_domain(struct rpc_pipe_client *pipe_hnd,
goto done;
}
- if (!secrets_store_trusted_domain_password(trusted_dom_name,
- cleartextpwd,
- &dom_sid)) {
+ if (!pdb_set_trusteddom_pw(trusted_dom_name, cleartextpwd, &dom_sid)) {
DEBUG(0, ("Storing password for trusted domain failed.\n"));
nt_status = NT_STATUS_UNSUCCESSFUL;
goto done;