From 25cfa29e29bdbb6c84bd85ea02ec542228ae585f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sun, 8 May 2011 12:52:06 +0200
Subject: s3-passdb Redirect domain GUID and SID queries to the passdb stack

This is done if the passdb module supports PDB_ADS, and ensures that a random SID is never made up locally for these directories.

This is only enabled when in the waf build, due to dependency issues.

Andrew Bartlett
---
 source3/passdb/machine_account_secrets.c | 58 ++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 61894d4ee6..665e2f89a4 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -57,6 +57,17 @@ bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid)
 {
 	bool ret;
 
+#ifdef _SAMBA_WAF_BUILD_
+	if (strequal(domain, get_global_sam_name()) &&
+	    (pdb_capabilities() & PDB_CAP_ADS)) {
+		/* If we have a ADS-capable passdb backend, we
+		 * must never make up our own SID, it will
+		 * already be in the directory */
+		DEBUG(0, ("Refusing to store a Domain SID, this should be read from the directory not stored here\n"));
+		return false;
+	}
+#endif
+
 	ret = secrets_store(domain_sid_keystr(domain), sid, sizeof(struct dom_sid ));
 
 	/* Force a re-query, in case we modified our domain */
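Review bot: The guard `strequal(domain, get_global_sam_name()) && (pdb_capabilities() & PDB_CAP_ADS)` together with its `#ifdef _SAMBA_WAF_BUILD_` wrapper is written out four times, here and in the hunks for secrets_fetch_domain_sid, secrets_store_domain_guid and secrets_fetch_domain_guid, so the rule for when the directory rather than secrets.tdb is authoritative for the domain identity lives in four places that can drift apart. A single file-scope helper carrying the `#ifdef` once would let each function read `if (domain_info_is_in_directory(domain)) {`. Note that only an exact match on get_global_sam_name() is redirected; any other domain name still goes to the secrets store, which is presumably intended for trusted domains but worth a comment on the helper. The body of secrets_store_domain_sid continues outside the hunk.
```c
/* True when an ADS-capable passdb backend owns this domain's SID and GUID,
 * so they must be read from the directory rather than made up locally.
 * Only the global SAM name is redirected; other domains stay in secrets.tdb. */
static bool domain_info_is_in_directory(const char *domain)
{
#ifdef _SAMBA_WAF_BUILD_
	return strequal(domain, get_global_sam_name()) &&
	       (pdb_capabilities() & PDB_CAP_ADS);
#else
	return false;
#endif
}

bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid)
{
	bool ret;

	if (domain_info_is_in_directory(domain)) {
		/* … unchanged: DEBUG(0, ...) and return false … */
	}
	/* … unchanged: secrets_store and re-query … */
```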
@@ -70,6 +81,24 @@ bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid)
 	struct dom_sid *dyn_sid;
 	size_t size = 0;
 
+#ifdef _SAMBA_WAF_BUILD_
+	if (strequal(domain, get_global_sam_name()) &&
+	    (pdb_capabilities() & PDB_CAP_ADS)) {
+		struct pdb_domain_info *domain_info;
+		domain_info = pdb_get_domain_info(talloc_tos());
+		if (!domain_info) {
+			/* If we have a ADS-capable passdb backend, we
+			 * must never make up our own SID, it will
+			 * already be in the directory */
+			DEBUG(0, ("Unable to fetch a Domain SID from the directory!\n"));
+			return false;
+		}
+
+		*sid = domain_info->sid;
+		return true;
+	}
+#endif
+
 	dyn_sid = (struct dom_sid *)secrets_fetch(domain_sid_keystr(domain), &size);
 
 	if (dyn_sid == NULL)
@@ -89,6 +118,17 @@ bool secrets_store_domain_guid(const char *domain, struct GUID *guid)
 {
 	fstring key;
 
+#ifdef _SAMBA_WAF_BUILD_
+	if (strequal(domain, get_global_sam_name()) &&
+	    (pdb_capabilities() & PDB_CAP_ADS)) {
+		/* If we have a ADS-capable passdb backend, we
+		 * must never make up our own GUID, it will
+		 * already be in the directory */
+		DEBUG(0, ("Refusing to store a Domain GUID, this should be read from the directory not stored here\n"));
+		return false;
+	}
+#endif
+
 	slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
 	strupper_m(key);
 	return secrets_store(key, guid, sizeof(struct GUID));
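Review bot: `domain_info` is allocated on `talloc_tos()` and never released after the value is copied out at `*sid = domain_info->sid;`, so it lives until whoever owns the current stackframe frees it; if a caller reaches secrets_fetch_domain_sid without a talloc_stackframe() in place, that is presumably the long-lived top context and the allocation accumulates. Since the SID is copied by value, `TALLOC_FREE(domain_info);` immediately before `return true;` is safe and makes the lifetime explicit. The same applies to the GUID copy in the secrets_fetch_domain_guid hunk. The body of secrets_fetch_domain_sid continues outside the hunk.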
@@ -101,6 +141,24 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
 	size_t size = 0;
 	struct GUID new_guid;
 
+#ifdef _SAMBA_WAF_BUILD_
+	if (strequal(domain, get_global_sam_name()) &&
+	    (pdb_capabilities() & PDB_CAP_ADS)) {
+		struct pdb_domain_info *domain_info;
+		domain_info = pdb_get_domain_info(talloc_tos());
+		if (!domain_info) {
+			/* If we have a ADS-capable passdb backend, we
+			 * must never make up our own SID, it will
+			 * already be in the directory */
+			DEBUG(0, ("Unable to fetch a Domain GUID from the directory!\n"));
+			return false;
+		}
+
+		*guid = domain_info->guid;
+		return true;
+	}
+#endif
+
 	slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
 	strupper_m(key);
 	dyn_guid = (struct GUID *)secrets_fetch(key, &size);
-- cgit
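Review bot: The comment above the `DEBUG(0, ("Unable to fetch a Domain GUID from the directory!\n"));` line was carried over from the SID path and still says `* must never make up our own SID, it will`, while this function copies `domain_info->guid`; it should read `* must never make up our own GUID, it will`. Separately, the only failure checked is a NULL `domain_info`: if pdb_get_domain_info can return a record whose guid member is unset, this path hands that value to the caller instead of falling through to the secrets store or failing, which is worth confirming against pdb_get_domain_info's contract and, if possible, guarding with a `GUID_all_zero`-style check before `return true;`. The body of secrets_fetch_domain_guid continues outside the hunk.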