From 0027cd2409492a250fb825927596a2dd9b08d75d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 26 Jan 2012 15:33:02 -0500 Subject: s3-pdb: Make ADS-type backends updates secrets.tdb. Make the backends that have ADS capability the only ones that can change the SID and GUID in secrets.tdb at initialization time. Signed-off-by: Andreas Schneider Autobuild-User: Andreas Schneider Autobuild-Date: Fri Jan 27 19:42:17 CET 2012 on sn-devel-104 --- source3/passdb/pdb_ads.c | 42 ++++++++++++++++++++++++++++++++++++++++++ source3/passdb/pdb_ipa.c | 42 ++++++++++++++++++++++++++++++++++++++++++ source3/passdb/pdb_samba4.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 127 insertions(+) (limited to 'source3/passdb') diff --git a/source3/passdb/pdb_ads.c b/source3/passdb/pdb_ads.c index 8dc9585b40..cd7781a1af 100644 --- a/source3/passdb/pdb_ads.c +++ b/source3/passdb/pdb_ads.c @@ -2594,6 +2594,42 @@ done: return status; } +static NTSTATUS pdb_ads_init_secrets(struct pdb_methods *m) +{ +#if _SAMBA_BUILD_ == 4 + struct pdb_domain_info *dom_info; + bool ret; + + dom_info = pdb_ads_get_domain_info(m, m); + if (!dom_info) { + return NT_STATUS_UNSUCCESSFUL; + } + + secrets_clear_domain_protection(dom_info->name); + ret = secrets_store_domain_sid(dom_info->name, + &dom_info->sid); + if (!ret) { + goto done; + } + ret = secrets_store_domain_guid(dom_info->name, + &dom_info->guid); + if (!ret) { + goto done; + } + ret = secrets_mark_domain_protected(dom_info->name); + if (!ret) { + goto done; + } + +done: + TALLOC_FREE(dom_info); + if (!ret) { + return NT_STATUS_UNSUCCESSFUL; + } +#endif + return NT_STATUS_OK; +} + static NTSTATUS pdb_init_ads(struct pdb_methods **pdb_method, const char *location) { 
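Review bot: In `pdb_ads_init_secrets` (pdb_ads.c), a failure in either store call jumps to `done` after `secrets_clear_domain_protection()` has already run, so the function returns NT_STATUS_UNSUCCESSFUL with the protection marker cleared and never set again. The result of the clear call is not used either, so a failed clear cannot be told from a successful one. The marker is presumably what enforces the commit message's rule about who may change the SID and GUID, so the error path should at least name the failed step and say the IDs are left unprotected, e.g. `DEBUG(0, ("storing domain SID for %s failed, domain IDs left unprotected\n", dom_info->name));` before the first `goto done;`. The identical functions added in pdb_ipa.c (`pdb_ipa_init_secrets`) and pdb_samba4.c (`pdb_samba4_init_secrets`) have the same path.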
@@ -2629,6 +2665,12 @@ static NTSTATUS pdb_init_ads(struct pdb_methods **pdb_method, goto fail; } + status = pdb_ads_init_secrets(m); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("pdb_ads_init_secrets failed!\n")); + goto fail; + } + *pdb_method = m; return NT_STATUS_OK; nomem: diff --git a/source3/passdb/pdb_ipa.c b/source3/passdb/pdb_ipa.c index 00185d4961..74ac6774a4 100644 --- a/source3/passdb/pdb_ipa.c +++ b/source3/passdb/pdb_ipa.c @@ -1407,6 +1407,42 @@ static NTSTATUS ipasam_create_user(struct pdb_methods *pdb_methods, return NT_STATUS_OK; } +static NTSTATUS pdb_ipa_init_secrets(struct pdb_methods *m) +{ +#if _SAMBA_BUILD_ == 4 + struct pdb_domain_info *dom_info; + bool ret; + + dom_info = pdb_ipasam_get_domain_info(m, m); + if (!dom_info) { + return NT_STATUS_UNSUCCESSFUL; + } + + secrets_clear_domain_protection(dom_info->name); + ret = secrets_store_domain_sid(dom_info->name, + &dom_info->sid); + if (!ret) { + goto done; + } + ret = secrets_store_domain_guid(dom_info->name, + &dom_info->guid); + if (!ret) { + goto done; + } + ret = secrets_mark_domain_protected(dom_info->name); + if (!ret) { + goto done; + } + +done: + TALLOC_FREE(dom_info); + if (!ret) { + return NT_STATUS_UNSUCCESSFUL; + } +#endif + return NT_STATUS_OK; +} + static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location) { struct ldapsam_privates *ldap_state; @@ -1458,6 +1494,12 @@ static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char (*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain; (*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains; + status = pdb_ipa_init_secrets(*pdb_method); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("pdb_ipa_init_secrets failed!\n")); + return status; + } + return NT_STATUS_OK; } diff --git a/source3/passdb/pdb_samba4.c b/source3/passdb/pdb_samba4.c index bc3b1238c1..9db9a9bb1d 100644 --- a/source3/passdb/pdb_samba4.c +++ b/source3/passdb/pdb_samba4.c 
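Review bot: The failure message added to `pdb_init_ads` is logged at `DEBUG(10, ...)`, which will not appear at normal log levels even though this branch aborts backend initialisation through `goto fail`. It also drops the status code. Something like `DEBUG(1, ("pdb_ads_init_secrets failed: %s\n", nt_errstr(status)));` would leave an operator a trace of why the passdb backend did not load. The same applies to the matching calls added in `pdb_init_IPA_ldapsam` and `pdb_init_samba4`; the body of `pdb_init_ads` extends outside the hunk.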
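Review bot: `pdb_ipa_init_secrets` in pdb_ipa.c is a line-for-line copy of `pdb_ads_init_secrets` and `pdb_samba4_init_secrets`, differing only in which `*_get_domain_info()` function it calls. Three copies of the clear/store/mark sequence will drift as soon as one of them is fixed. A single shared helper that takes the `struct pdb_domain_info *` and performs the sequence would reduce each backend to `dom_info = pdb_ipasam_get_domain_info(m, m);` followed by one call. Where such a helper would best live is not visible from this diff.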
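Review bot: When `pdb_ipa_init_secrets` fails, `pdb_init_IPA_ldapsam` does `return status;` with `*pdb_method` still pointing at the methods structure populated just above, whereas the ADS and samba4 init functions in this commit `goto fail` before `*pdb_method` is ever assigned. Whether the caller discards `*pdb_method` on error, and whether state set up earlier in this function needs releasing, cannot be seen in the hunk, so it is worth confirming. If the structure is talloc-allocated and owned here, `TALLOC_FREE(*pdb_method);` before `return status;` would keep a half-initialised backend from being reachable after a failed init.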
@@ -34,6 +34,7 @@ #include "source4/auth/system_session_proto.h" #include "lib/param/param.h" #include "source4/dsdb/common/util.h" +#include "source3/include/secrets.h" struct pdb_samba4_state { struct tevent_context *ev; @@ -2195,6 +2196,42 @@ static void free_private_data(void **vp) return; } +static NTSTATUS pdb_samba4_init_secrets(struct pdb_methods *m) +{ +#if _SAMBA_BUILD_ == 4 + struct pdb_domain_info *dom_info; + bool ret; + + dom_info = pdb_samba4_get_domain_info(m, m); + if (!dom_info) { + return NT_STATUS_UNSUCCESSFUL; + } + + secrets_clear_domain_protection(dom_info->name); + ret = secrets_store_domain_sid(dom_info->name, + &dom_info->sid); + if (!ret) { + goto done; + } + ret = secrets_store_domain_guid(dom_info->name, + &dom_info->guid); + if (!ret) { + goto done; + } + ret = secrets_mark_domain_protected(dom_info->name); + if (!ret) { + goto done; + } + +done: + TALLOC_FREE(dom_info); + if (!ret) { + return NT_STATUS_UNSUCCESSFUL; + } +#endif + return NT_STATUS_OK; +} + static NTSTATUS pdb_init_samba4(struct pdb_methods **pdb_method, const char *location) { @@ -2253,6 +2290,12 @@ static NTSTATUS pdb_init_samba4(struct pdb_methods **pdb_method, goto fail; } + status = pdb_samba4_init_secrets(m); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("pdb_samba4_init_secrets failed!\n")); + goto fail; + } + *pdb_method = m; return NT_STATUS_OK; nomem: -- cgit
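Review bot: `pdb_samba4_init_secrets` has no comment explaining why protection is cleared before the stores and set again afterwards. Nor does it say that the whole body is compiled out unless `_SAMBA_BUILD_ == 4`, in which case the function returns NT_STATUS_OK without touching secrets.tdb. A header comment such as `/* Store this backend's domain SID and GUID in secrets.tdb: lift the protection marker, write both, then mark the domain protected again. No-op unless _SAMBA_BUILD_ == 4. */` would state both. The same comment fits the copies in pdb_ads.c and pdb_ipa.c.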