From 9f59fc64b8c1772b6a73d1649013d2187c298868 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Thu, 13 Dec 2001 18:09:29 +0000 Subject: update the ldap support code. it compiles. Ignacio you can update your howto ;-) samsync: a small patch to try chaning challenges. J.F. (This used to be commit c99bc305599698f2291efbfe20024355cb2bcde0) --- source3/include/smb.h | 7 +++++ source3/libsmb/cli_netlogon.c | 6 +++-- source3/param/loadparm.c | 58 +++++++++++++++++++++++++--------------- source3/passdb/secrets.c | 41 ++++++++++++++++++++++++++++ source3/rpc_parse/parse_net.c | 13 +++++---- source3/rpcclient/cmd_netlogon.c | 6 ++++- source3/rpcclient/samsync.c | 11 +++++--- source3/utils/smbpasswd.c | 42 ++++++++++++++++++++++++++++- 8 files changed, 150 insertions(+), 34 deletions(-) (limited to 'source3') diff --git a/source3/include/smb.h b/source3/include/smb.h index fa4cec4bdb..fafaf36c3e 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -655,6 +655,7 @@ typedef struct sam_passwd #define LOCAL_TRUST_ACCOUNT 0x10 #define LOCAL_SET_NO_PASSWORD 0x20 #define LOCAL_SET_PASSWORD 0x40 +#define LOCAL_SET_LDAP_ADMIN_PW 0x80 /* key and data in the connections database - used in smbstatus and smbd */ struct connections_key { @@ -1316,6 +1317,12 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX, #endif /* DEVELOPER */ }; +/* LDAP schema types */ +enum schema_types {SCHEMA_COMPAT, SCHEMA_AD, SCHEMA_SAMBA}; + +/* LDAP SSL options */ +enum ldap_ssl_types {LDAP_SSL_ON, LDAP_SSL_OFF, LDAP_SSL_START_TLS}; + /* Remote architectures we know about. */ enum remote_arch_types {RA_UNKNOWN, RA_WFWG, RA_OS2, RA_WIN95, RA_WINNT, RA_WIN2K, RA_SAMBA}; diff --git a/source3/libsmb/cli_netlogon.c b/source3/libsmb/cli_netlogon.c index 896af0d7c9..8840a6264b 100644 --- a/source3/libsmb/cli_netlogon.c +++ b/source3/libsmb/cli_netlogon.c 
@@ -282,7 +282,7 @@ static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) /* Sam synchronisation */ -NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, +NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, DOM_CRED *ret_creds, uint32 database_id, uint32 *num_deltas, SAM_DELTA_HDR **hdr_deltas, SAM_DELTA_CTR **deltas) @@ -306,7 +306,7 @@ NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, gen_next_creds(cli, &clnt_creds); init_net_q_sam_sync(&q, cli->srv_name_slash, cli->clnt_name_slash + 2, - &clnt_creds, database_id); + &clnt_creds, ret_creds, database_id); /* Marshall data and send request */ @@ -330,6 +330,8 @@ NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, *hdr_deltas = r.hdr_deltas; *deltas = r.deltas; + memcpy(ret_creds, &r.srv_creds, sizeof(*ret_creds)); + done: prs_mem_free(&qbuf); prs_mem_free(&rbuf); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 44aa861940..8a8123ed18 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -131,11 +131,6 @@ typedef struct char **szNetbiosAliases; char *szDomainOtherSIDs; char *szNameResolveOrder; - char *szLdapServer; - char *szLdapSuffix; - char *szLdapFilter; - char *szLdapRoot; - char *szLdapRootPassword; char *szPanicAction; char *szAddUserScript; char *szDelUserScript; @@ -200,9 +195,14 @@ typedef struct int min_passwd_length; int oplock_break_wait_time; int winbind_cache_time; -#ifdef WITH_LDAP +#ifdef WITH_LDAP_SAM int ldap_port; -#endif /* WITH_LDAP */ + int ldap_ssl; + char *szLdapServer; + char *szLdapSuffix; + char *szLdapFilter; + char *szLdapAdminDn; +#endif /* WITH_LDAP_SAM */ #ifdef WITH_SSL int sslVersion; char **sslHostsRequire; 
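Review bot: The new `memcpy(ret_creds, &r.srv_creds, sizeof(*ret_creds));` hands the server's returned authenticator straight back to the caller for chaining, and nothing in this hunk checks it against the credential the client expects for this round, so a reply from a host that does not hold the trust password would still advance the chain; if that verification happens in a helper outside the hunk, a one-line comment at the copy saying so would spare the next reader the same question. `ret_creds` is also dereferenced unconditionally here, while the request builder in parse_net.c is written to tolerate a NULL credential pointer, so either document the contract (`/* ret_creds: in/out, must not be NULL */`) or guard the copy with `if (ret_creds)`. The remainder of cli_netlogon_sam_sync, including the failure path that skips this copy, is outside the hunk.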
@@ -568,6 +568,21 @@ static struct enum_list enum_printing[] = { {-1, NULL} }; +#ifdef WITH_LDAP_SAM +static struct enum_list enum_ldap_ssl[] = { + {LDAP_SSL_ON, "Yes"}, + {LDAP_SSL_ON, "yes"}, + {LDAP_SSL_ON, "on"}, + {LDAP_SSL_ON, "On"}, + {LDAP_SSL_OFF, "no"}, + {LDAP_SSL_OFF, "No"}, + {LDAP_SSL_OFF, "off"}, + {LDAP_SSL_OFF, "Off"}, + {LDAP_SSL_START_TLS, "start tls"}, + {-1, NULL} +}; +#endif /* WITH_LDAP_SAM */ + /* Types of machine we can announce as. */ #define ANNOUNCE_AS_NT_SERVER 1 #define ANNOUNCE_AS_WIN95 2 @@ -939,16 +954,16 @@ static struct parm_struct parm_table[] = { {"strict locking", P_BOOL, P_LOCAL, &sDefault.bStrictLocking, NULL, NULL, FLAG_SHARE | FLAG_GLOBAL}, {"share modes", P_BOOL, P_LOCAL, &sDefault.bShareModes, NULL, NULL, FLAG_SHARE | FLAG_GLOBAL}, -#ifdef WITH_LDAP +#ifdef WITH_LDAP_SAM {"Ldap Options", P_SEP, P_SEPARATOR}, {"ldap server", P_STRING, P_GLOBAL, &Globals.szLdapServer, NULL, NULL, 0}, {"ldap port", P_INTEGER, P_GLOBAL, &Globals.ldap_port, NULL, NULL, 0}, {"ldap suffix", P_STRING, P_GLOBAL, &Globals.szLdapSuffix, NULL, NULL, 0}, {"ldap filter", P_STRING, P_GLOBAL, &Globals.szLdapFilter, NULL, NULL, 0}, - {"ldap root", P_STRING, P_GLOBAL, &Globals.szLdapRoot, NULL, NULL, 0}, - {"ldap root passwd", P_STRING, P_GLOBAL, &Globals.szLdapRootPassword, NULL, NULL, 0}, -#endif /* WITH_LDAP */ + {"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, 0}, + {"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, 0}, +#endif /* WITH_LDAP_SAM */ {"Miscellaneous Options", P_SEP, P_SEPARATOR}, {"add share command", P_STRING, P_GLOBAL, &Globals.szAddShareCommand, NULL, NULL, 0}, 
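Review bot: `enum_ldap_ssl` spells "yes"/"no" in four capitalisations each but lists "start tls" exactly once, so the table is inconsistent with itself: if the enum lookup compares case-insensitively the duplicate rows are dead weight, and if it compares case-sensitively then `ldap ssl = Start TLS` is silently rejected while `ldap ssl = On` is accepted. Pick one convention for the table, and add a comment above it such as `/* values for the "ldap ssl" parameter; LDAP_SSL_START_TLS upgrades a plain connection */` so the parameter's meaning is documented next to its definition. The parser that consumes this table is not in the hunk, so which behaviour applies cannot be confirmed here.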
@@ -1287,11 +1302,14 @@ static void init_globals(void) a large number of sites (tridge) */ Globals.bHostnameLookups = False; -#ifdef WITH_LDAP - /* default values for ldap */ +#ifdef WITH_LDAP_SAM string_set(&Globals.szLdapServer, "localhost"); + string_set(&Globals.szLdapSuffix, ""); + string_set(&Globals.szLdapFilter, "(&(uid=%u)(objectclass=sambaAccount))"); + string_set(&Globals.szLdapAdminDn, ""); Globals.ldap_port = 389; -#endif /* WITH_LDAP */ + Globals.ldap_ssl = LDAP_SSL_OFF; +#endif /* WITH_LDAP_SAM */ #ifdef WITH_SSL Globals.sslVersion = SMB_SSL_V23; @@ -1492,13 +1510,14 @@ FN_GLOBAL_STRING(lp_template_shell, &Globals.szTemplateShell) FN_GLOBAL_STRING(lp_winbind_separator, &Globals.szWinbindSeparator) FN_GLOBAL_BOOL(lp_winbind_enum_users, &Globals.bWinbindEnumUsers) FN_GLOBAL_BOOL(lp_winbind_enum_groups, &Globals.bWinbindEnumGroups) -#ifdef WITH_LDAP +#ifdef WITH_LDAP_SAM FN_GLOBAL_STRING(lp_ldap_server, &Globals.szLdapServer) FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix) FN_GLOBAL_STRING(lp_ldap_filter, &Globals.szLdapFilter) -FN_GLOBAL_STRING(lp_ldap_root, &Globals.szLdapRoot) -FN_GLOBAL_STRING(lp_ldap_rootpasswd, &Globals.szLdapRootPassword) -#endif /* WITH_LDAP */ +FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn) +FN_GLOBAL_INTEGER(lp_ldap_port, &Globals.ldap_port) +FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl) +#endif /* WITH_LDAP_SAM */ FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand) FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand) FN_GLOBAL_STRING(lp_delete_share_cmd, &Globals.szDeleteShareCommand) 
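Review bot: The default `Globals.ldap_ssl = LDAP_SSL_OFF`, combined with the admin bind password now kept in secrets.tdb, means the admin DN's password is sent over plain LDAP unless the administrator explicitly sets `ldap ssl`; a comment at that assignment should say so, e.g. `/* LDAP_SSL_OFF: the admin bind goes over plain LDAP; set "ldap ssl" for any non-local server */`. The default filter `(&(uid=%u)(objectclass=sambaAccount))` embeds the user name via `%u`, and if the substitution that expands it does not escape LDAP filter metacharacters (`*`, `(`, `)`, `\`), a crafted user name can change the filter's meaning; that expansion is not in this hunk, so this is a point to confirm in the backend that consumes `lp_ldap_filter()`.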
@@ -1598,9 +1617,6 @@ FN_GLOBAL_INTEGER(lp_stat_cache_size, &Globals.stat_cache_size) FN_GLOBAL_INTEGER(lp_map_to_guest, &Globals.map_to_guest) FN_GLOBAL_INTEGER(lp_min_passwd_length, &Globals.min_passwd_length) FN_GLOBAL_INTEGER(lp_oplock_break_wait_time, &Globals.oplock_break_wait_time) -#ifdef WITH_LDAP -FN_GLOBAL_INTEGER(lp_ldap_port, &Globals.ldap_port) -#endif /* WITH_LDAP */ FN_LOCAL_STRING(lp_preexec, szPreExec) FN_LOCAL_STRING(lp_postexec, szPostExec) FN_LOCAL_STRING(lp_rootpreexec, szRootPreExec) diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c index 198f557bd6..fd616c6841 100644 --- a/source3/passdb/secrets.c +++ b/source3/passdb/secrets.c @@ -245,3 +245,44 @@ void reset_globals_after_fork(void) */ generate_random_buffer( &dummy, 1, True); } + +BOOL secrets_store_ldap_pw(char* dn, char* pw) +{ + fstring key; + char *p; + + pstrcpy(key, dn); + for (p=key; *p; p++) + if (*p == ',') *p = '/'; + + return secrets_store(key, pw, strlen(pw)); +} + +BOOL fetch_ldap_pw(char *dn, char* pw, int len) +{ + fstring key; + char *p; + void *data = NULL; + size_t size; + + pstrcpy(key, dn); + for (p=key; *p; p++) + if (*p == ',') *p = '/'; + + data=secrets_fetch(key, &size); + if (!size) { + DEBUG(0,("fetch_ldap_pw: no ldap secret retrieved!\n")); + return False; + } + + if (size > len-1) + { + DEBUG(0,("fetch_ldap_pw: ldap secret is too long (%d > %d)!\n", size, len-1)); + return False; + } + + memcpy(pw, data, size); + pw[size] = '\0'; + + return True; +} diff --git a/source3/rpc_parse/parse_net.c b/source3/rpc_parse/parse_net.c index 9890527552..bb123330ee 100644 --- a/source3/rpc_parse/parse_net.c +++ b/source3/rpc_parse/parse_net.c 
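Review bot: Both new functions copy the DN with `pstrcpy(key, dn)` into `fstring key`; if pstrcpy is bounded by the pstring length as its name indicates, a DN longer than an fstring overruns `key` on the stack, so the copy should be `fstrcpy(key, dn);` in `secrets_store_ldap_pw` and `fetch_ldap_pw` alike. `fetch_ldap_pw` also never releases `data` (if `secrets_fetch` returns a heap copy, as tdb-backed fetches usually do, every call leaks the secret in memory), tests only `size` before dereferencing `data`, prints a `size_t` with `%d`, and the `size > len-1` check is defeated when `len` is 0 because the comparison is done as unsigned. The rewrite below keeps the interface and the key mapping and fixes those; it assumes the project's `SAFE_FREE` macro is available to this file.
```c
BOOL fetch_ldap_pw(char *dn, char *pw, int len)
{
	fstring key;
	char *p;
	void *data = NULL;
	size_t size = 0;

	/* key is an fstring: bound the copy by the fstring length, not the pstring length */
	fstrcpy(key, dn);
	for (p = key; *p; p++)
		if (*p == ',') *p = '/';

	data = secrets_fetch(key, &size);
	if (!data || !size) {
		DEBUG(0,("fetch_ldap_pw: no ldap secret retrieved!\n"));
		SAFE_FREE(data);
		return False;
	}

	/* len <= 0 would make len-1 wrap when compared as size_t */
	if (len <= 0 || size > (size_t)(len - 1)) {
		DEBUG(0,("fetch_ldap_pw: ldap secret is too long (%lu > %d)!\n",
			 (unsigned long)size, len - 1));
		SAFE_FREE(data);
		return False;
	}

	memcpy(pw, data, size);
	pw[size] = '\0';
	SAFE_FREE(data);

	return True;
}
```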
@@ -1592,18 +1592,21 @@ BOOL net_io_r_sam_logoff(char *desc, NET_R_SAM_LOGOFF *r_l, prs_struct *ps, int makes a NET_Q_SAM_SYNC structure. ********************************************************************/ BOOL init_net_q_sam_sync(NET_Q_SAM_SYNC * q_s, const char *srv_name, - const char *cli_name, DOM_CRED * cli_creds, - uint32 database_id) + const char *cli_name, DOM_CRED *cli_creds, + DOM_CRED *ret_creds, uint32 database_id) { DEBUG(5, ("init_q_sam_sync\n")); init_unistr2(&q_s->uni_srv_name, srv_name, strlen(srv_name) + 1); init_unistr2(&q_s->uni_cli_name, cli_name, strlen(cli_name) + 1); - if (cli_creds) { + if (cli_creds) memcpy(&q_s->cli_creds, cli_creds, sizeof(q_s->cli_creds)); - memset(&q_s->ret_creds, 0, sizeof(q_s->ret_creds)); - } + + if (cli_creds) + memcpy(&q_s->ret_creds, ret_creds, sizeof(q_s->ret_creds)); + else + memset(&q_s->ret_creds, 0, sizeof(q_s->ret_creds)); q_s->database_id = database_id; q_s->restart_state = 0; diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c index 524ff5fb49..e98573da0c 100644 --- a/source3/rpcclient/cmd_netlogon.c +++ b/source3/rpcclient/cmd_netlogon.c @@ -152,6 +152,7 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli, uint32 database_id = 0, num_deltas; SAM_DELTA_HDR *hdr_deltas; SAM_DELTA_CTR *deltas; + DOM_CRED ret_creds; if (argc > 2) { fprintf(stderr, "Usage: %s [database_id]\n", argv[0]); @@ -181,9 +182,12 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli, goto done; } + /* on first call the returnAuthenticator is empty */ + memset(&ret_creds, 0, sizeof(ret_creds)); + /* Synchronise sam database */ - result = cli_netlogon_sam_sync(cli, mem_ctx, database_id, + result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, database_id, &num_deltas, &hdr_deltas, &deltas); if (!NT_STATUS_IS_OK(result)) diff --git a/source3/rpcclient/samsync.c b/source3/rpcclient/samsync.c index 1379485f1d..4d3e15550e 100644 --- a/source3/rpcclient/samsync.c 
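Review bot: The second guard tests the wrong pointer: `if (cli_creds) memcpy(&q_s->ret_creds, ret_creds, sizeof(q_s->ret_creds));` reads from `ret_creds` but only checks `cli_creds`, so a caller passing valid client credentials with a NULL `ret_creds` (exactly the case the `else memset` branch appears to exist for) dereferences NULL. Change it to `if (ret_creds)`. The function's header comment, which starts above the hunk, should also state that `ret_creds` may be NULL to request a zeroed return authenticator, since that is now part of the contract.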
+++ b/source3/rpcclient/samsync.c @@ -264,6 +264,7 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16], uint32 num_deltas_0, num_deltas_1, num_deltas_2; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + DOM_CRED ret_creds; /* Initialise */ if (!(mem_ctx = talloc_init())) { @@ -283,9 +284,12 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16], goto done; } + /* on first call the returnAuthenticator is empty */ + memset(&ret_creds, 0, sizeof(ret_creds)); + /* Do sam synchronisation on the SAM database*/ - result = cli_netlogon_sam_sync(cli, mem_ctx, 0, &num_deltas_0, &hdr_deltas_0, &deltas_0); + result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, 0, &num_deltas_0, &hdr_deltas_0, &deltas_0); if (!NT_STATUS_IS_OK(result)) goto done; @@ -300,11 +304,10 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16], * we must chain the credentials */ - -#if 0 +#if 1 /* Do sam synchronisation on the LSA database */ - result = cli_netlogon_sam_sync(cli, mem_ctx, 2, &num_deltas_2, &hdr_deltas_2, &deltas_2); + result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, 2, &num_deltas_2, &hdr_deltas_2, &deltas_2); if (!NT_STATUS_IS_OK(result)) goto done; diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index e076687c4f..7086fbff37 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -56,6 +56,9 @@ static void usage(void) printf(" -e enable user\n"); printf(" -n set no password\n"); printf(" -m machine trust account\n"); +#ifdef WITH_LDAP_SAM + printf(" -w ldap admin password\n"); +#endif exit(1); } 
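Review bot: Turning `#if 0` into `#if 1` leaves a dead preprocessor conditional around live code; remove the `#if 1` and its matching `#endif` (the `#endif` is outside the hunk) so the LSA database sync is unconditional and nobody later mistakes it for disabled code. The comment above it, ending in `we must chain the credentials`, now describes what the code actually does, so it is worth rewording to say that `ret_creds` carries the authenticator returned by the previous call into this one. The end of sam_sync, including cleanup and the `#endif`, is not visible in this hunk.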
@@ -170,6 +173,21 @@ static BOOL password_change(const char *remote_machine, char *user_name, return ret; } +#ifdef WITH_LDAP_SAM +/******************************************************************* + Store the LDAP admin password in secrets.tdb + ******************************************************************/ +static BOOL store_ldap_admin_pw (char* pw) +{ + if (!pw) + return False; + + if (!secrets_init()) + return False; + + return secrets_store_ldap_pw(lp_ldap_admin_dn(), pw); +} +#endif /************************************************************* Handle password changing for root. @@ -186,13 +204,16 @@ static int process_root(int argc, char *argv[]) char *new_passwd = NULL; char *old_passwd = NULL; char *remote_machine = NULL; +#ifdef WITH_LDAP_SAM + fstring ldap_secret; +#endif ZERO_STRUCT(user_name); ZERO_STRUCT(user_password); user_name[0] = '\0'; - while ((ch = getopt(argc, argv, "axdehmnjr:sR:D:U:L")) != EOF) { + while ((ch = getopt(argc, argv, "axdehmnjr:swR:D:U:L")) != EOF) { switch(ch) { case 'L': local_mode = True; @@ -228,6 +249,15 @@ static int process_root(int argc, char *argv[]) set_line_buffering(stderr); stdin_passwd_get = True; break; + case 'w': +#ifdef WITH_LDAP_SAM + local_flags |= LOCAL_SET_LDAP_ADMIN_PW; + fstrcpy(ldap_secret, optarg); + break; +#else + printf("-w not available unless configured --with-ldap\n"); + goto done; +#endif case 'R': lp_set_name_resolve_order(optarg); break; @@ -259,6 +289,16 @@ static int process_root(int argc, char *argv[]) argc -= optind; argv += optind; +#ifdef WITH_LDAP_SAM + if (local_flags & LOCAL_SET_LDAP_ADMIN_PW) + { + printf("Setting stored password for \"%s\" in secrets.tdb\n", + lp_ldap_admin_dn()); + if (!store_ldap_admin_pw(ldap_secret)) + DEBUG(0,("ERROR: Failed to store the ldap admin password!\n")); + goto done; + } +#endif /* * Ensure both add/delete user are not set * Ensure add/delete user and either remote machine or join domain are -- cgit
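Review bot: `store_ldap_admin_pw` keys the secret on whatever `lp_ldap_admin_dn()` returns, and loadparm now defaults `ldap admin dn` to an empty string, so running `smbpasswd -w` on a host without that parameter set silently stores the password under an empty key that no later bind will look up. Reject that case before touching secrets.tdb, `if (!pw || !*lp_ldap_admin_dn()) return False;`, and have the caller's error message mention the unset parameter. A one-line header comment noting that the key is derived from the configured admin DN would also help whoever later changes the DN and wonders why the stored secret is no longer found.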
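Review bot: The getopt string was changed to `"axdehmnjr:swR:D:U:L"`, which declares `w` without a trailing colon, yet the `-w` case in a later hunk reads `optarg`; for an option declared without an argument, getopt leaves `optarg` NULL (or stale from an earlier option on some libcs), so the password copied into `ldap_secret` is empty or garbage rather than what the user typed. If the password is to stay on the command line the string must read `"axdehmnjr:sw:R:D:U:L"`; the note on the `-w` case argues it should not be a command-line argument at all, in which case this line is correct and the `optarg` use is what has to go.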
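Review bot: `case 'w'` copies the LDAP admin password out of `optarg`, so it is visible to every local user through the process list and is recorded in the invoking shell's history; `-w` should take no argument and obtain the password the way the tool's other password paths do (a prompt, or stdin when `-s` is given). `ldap_secret` is never cleared after use, so the store path should wipe it once `store_ldap_admin_pw` returns, `memset(ldap_secret, 0, sizeof(ldap_secret));`. The `#else` message says `configured --with-ldap` while the guard is `WITH_LDAP_SAM`, so it should name whichever configure switch actually defines that macro (presumably a separate `--with-ldapsam`, but that is not visible here).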