From 5a6e2bc9aeb71c94eeab8c0a5755aded989b039d Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Mon, 6 Nov 2006 16:11:52 +0000
Subject: r19573: Move secrets.o into param/ (subsystems haven't been integrated yet).
(This used to be commit 8143de855c0b65346b2d8e59ecdb78952927de4a)
---
 source4/auth/credentials/credentials_files.c | 2 +-
 source4/libnet/libnet_join.c | 2 +-
 source4/main.mk | 1 -
 source4/param/config.mk | 4 +
 source4/param/secrets.c | 177 +++++++++++++++++++++++++++
 source4/param/secrets.h | 40 ++++++
 source4/passdb/config.mk | 5 -
 source4/passdb/secrets.c | 177 ---------------------------
 source4/passdb/secrets.h | 40 ------
 source4/rpc_server/lsa/dcesrv_lsa.c | 2 +-
 source4/smbd/process_standard.c | 2 +-
 source4/smbd/server.c | 2 +-
 source4/winbind/wb_server.c | 2 +-
 13 files changed, 227 insertions(+), 229 deletions(-)
 create mode 100644 source4/param/secrets.c
 create mode 100644 source4/param/secrets.h
 delete mode 100644 source4/passdb/config.mk
 delete mode 100644 source4/passdb/secrets.c
 delete mode 100644 source4/passdb/secrets.h
(limited to 'source4')
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index c61f8ccb5e..53a6f39cd4 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -25,7 +25,7 @@
 #include "includes.h"
 #include "lib/ldb/include/ldb.h"
 #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
-#include "passdb/secrets.h"
+#include "param/secrets.h"
 #include "system/filesys.h"
 #include "db_wrap.h"
 #include "auth/credentials/credentials.h"
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c
index 96d9e7f0de..b0907c5461 100644
--- a/source4/libnet/libnet_join.c
+++ b/source4/libnet/libnet_join.c
@@ -25,7 +25,7 @@
 #include "librpc/gen_ndr/ndr_drsuapi_c.h"
 #include "lib/ldb/include/ldb.h"
 #include "lib/ldb/include/ldb_errors.h"
-#include "passdb/secrets.h"
+#include "param/secrets.h"
 #include "dsdb/samdb/samdb.h"
 #include "db_wrap.h"
 #include "libcli/security/security.h"
diff --git a/source4/main.mk b/source4/main.mk
index 3eaf35da4e..8b4adac1a2 100644
--- a/source4/main.mk
+++ b/source4/main.mk
@@ -31,7 +31,6 @@ include libcli/config.mk
 include scripting/ejs/config.mk
 include scripting/swig/config.mk
 include kdc/config.mk
-include passdb/config.mk
 DEFAULT_HEADERS = $(srcdir)/include/core.h \
 $(srcdir)/lib/util/dlinklist.h \
diff --git a/source4/param/config.mk b/source4/param/config.mk
index 63609490a3..3406b4f952 100644
--- a/source4/param/config.mk
+++ b/source4/param/config.mk
@@ -44,3 +44,7 @@ PUBLIC_DEPENDENCIES = ldb
 # End MODULE share_ldb
 ################################################
+[SUBSYSTEM::SECRETS]
+PRIVATE_PROTO_HEADER = secrets_proto.h
+OBJ_FILES = secrets.o
+PRIVATE_DEPENDENCIES = DB_WRAP UTIL_TDB
diff --git a/source4/param/secrets.c b/source4/param/secrets.c
new file mode 100644
index 0000000000..876be607f1
--- /dev/null
+++ b/source4/param/secrets.c
@@ -0,0 +1,177 @@
+/*
+ Unix SMB/CIFS implementation.
+ Copyright (C) Andrew Tridgell 1992-2001
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Rafal Szczesniak 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+/* the Samba secrets database stores any generated, private information
+ such as the local SID and machine trust password */
+
+#include "includes.h"
+#include "secrets.h"
+#include "param/param.h"
+#include "system/filesys.h"
+#include "db_wrap.h"
+#include "lib/ldb/include/ldb.h"
+#include "lib/tdb/include/tdb.h"
+#include "lib/util/util_tdb.h"
+#include "dsdb/samdb/samdb.h"
+
+static struct tdb_wrap *tdb;
+
+/**
+ * Use a TDB to store an incrementing random seed.
+ *
+ * Initialised to the current pid, the very first time Samba starts,
+ * and incremented by one each time it is needed.
+ *
+ * @note Not called by systems with a working /dev/urandom.
+ */
+static void get_rand_seed(int *new_seed)
+{
+ *new_seed = getpid();
+ if (tdb) {
+ tdb_change_int32_atomic(tdb->tdb, "INFO/random_seed", new_seed, 1);
+ }
+}
+
+/* close the secrets database */
+void secrets_shutdown(void)
+{
+ talloc_free(tdb);
+}
+
+/* open up the secrets database */
+BOOL secrets_init(void)
+{
+ char *fname;
+ uint8_t dummy;
+
+ if (tdb)
+ return True;
+
+ asprintf(&fname, "%s/secrets.tdb", lp_private_dir());
+
+ tdb = tdb_wrap_open(talloc_autofree_context(), fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
+
+ if (!tdb) {
+ DEBUG(0,("Failed to open %s\n", fname));
+ SAFE_FREE(fname);
+ return False;
+ }
+ SAFE_FREE(fname);
+
+ /**
+ * Set a reseed function for the crypto random generator
+ *
+ * This avoids a problem where systems without /dev/urandom
+ * could send the same challenge to multiple clients
+ */
+ set_rand_reseed_callback(get_rand_seed);
+
+ /* Ensure that the reseed is done now, while we are root, etc */
+ generate_random_buffer(&dummy, sizeof(dummy));
+
+ return True;
+}
+
+/*
+ connect to the schannel ldb
+*/
+struct ldb_context *secrets_db_connect(TALLOC_CTX *mem_ctx)
+{
+ char *path;
+ struct ldb_context *ldb;
+ BOOL existed;
+ const char *init_ldif =
+ "dn: @ATTRIBUTES\n" \
+ "computerName: CASE_INSENSITIVE\n" \
+ "flatname: CASE_INSENSITIVE\n";
+
+ path = private_path(mem_ctx, "secrets.ldb");
+ if (!path) {
+ return NULL;
+ }
+
+ existed = file_exist(path);
+
+ /* Secrets.ldb *must* always be local. If we call for a
+ * system_session() we will recurse */
+ ldb = ldb_wrap_connect(mem_ctx, path, NULL, NULL, 0, NULL);
+ talloc_free(path);
+ if (!ldb) {
+ return NULL;
+ }
+
+ if (!existed) {
+ gendb_add_ldif(ldb, init_ldif);
+ }
+
+ return ldb;
+}
+
+struct dom_sid *secrets_get_domain_sid(TALLOC_CTX *mem_ctx,
+ const char *domain)
+{
+ struct ldb_context *ldb;
+ struct ldb_message **msgs;
+ int ldb_ret;
+ const char *attrs[] = { "objectSid", NULL };
+ struct dom_sid *result = NULL;
+
+ ldb = secrets_db_connect(mem_ctx);
+ if (ldb == NULL) {
+ DEBUG(5, ("secrets_db_connect failed\n"));
+ return NULL;
+ }
+
+ ldb_ret = gendb_search(ldb, ldb,
+ ldb_dn_explode(mem_ctx, SECRETS_PRIMARY_DOMAIN_DN),
+ &msgs, attrs,
+ SECRETS_PRIMARY_DOMAIN_FILTER, domain);
+
+ if (ldb_ret == -1) {
+ DEBUG(5, ("Error searching for domain SID for %s: %s",
+ domain, ldb_errstring(ldb)));
+ talloc_free(ldb);
+ return NULL;
+ }
+
+ if (ldb_ret == 0) {
+ DEBUG(5, ("Did not find domain record for %s\n", domain));
+ talloc_free(ldb);
+ return NULL;
+ }
+
+ if (ldb_ret > 1) {
+ DEBUG(5, ("Found more than one (%d) domain records for %s\n",
+ ldb_ret, domain));
+ talloc_free(ldb);
+ return NULL;
+ }
+
+ result = samdb_result_dom_sid(mem_ctx, msgs[0], "objectSid");
+ if (result == NULL) {
+ DEBUG(0, ("Domain object for %s does not contain a SID!\n",
+ domain));
+ talloc_free(ldb);
+ return NULL;
+ }
+
+ return result;
+}
diff --git a/source4/param/secrets.h b/source4/param/secrets.h
new file mode 100644
index 0000000000..8ef7ec5f78
--- /dev/null
+++ b/source4/param/secrets.h
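Review bot: In `secrets_init` the return value of `asprintf` is never checked, yet `fname` is then handed to `tdb_wrap_open`, printed by `DEBUG` and passed to `SAFE_FREE`; when `asprintf` fails the contents of `fname` are undefined, so every one of those uses is on an indeterminate pointer. Guard the call and bail out without freeing: `if (asprintf(&fname, "%s/secrets.tdb", lp_private_dir()) < 0) { DEBUG(0,("Failed to build secrets.tdb path\n")); return False; }`. In `secrets_db_connect` the `file_exist` test followed by `ldb_wrap_connect` is a check-then-act window between concurrent openers, and the `gendb_add_ldif` result is discarded, so a failure to write the `@ATTRIBUTES` record that makes `flatname` matching case-insensitive goes unreported; at least check its return and log at level 0. In `secrets_get_domain_sid` the `ldb_dn_explode` result is passed straight to `gendb_search` without a NULL check, unlike the other allocations in the function. `get_rand_seed` seeds from `getpid()` plus a counter persisted in secrets.tdb, which is a low-entropy, largely predictable fallback; the `@note` says it only applies without a working /dev/urandom, and that caveat is worth repeating next to `set_rand_reseed_callback(get_rand_seed)` so a later reader does not take it for the primary seed source.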
@@ -0,0 +1,40 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * secrets.tdb file format info
+ * Copyright (C) Andrew Tridgell 2000
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 675
+ * Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#ifndef _SECRETS_H
+#define _SECRETS_H
+
+/* structure for storing machine account password
+ (ie. when samba server is member of a domain */
+struct machine_acct_pass {
+ uint8_t hash[16];
+ time_t mod_time;
+};
+
+#define SECRETS_PRIMARY_DOMAIN_DN "cn=Primary Domains"
+#define SECRETS_PRINCIPALS_DN "cn=Principals"
+#define SECRETS_PRIMARY_DOMAIN_FILTER "(&(flatname=%s)(objectclass=primaryDomain))"
+#define SECRETS_PRIMARY_REALM_FILTER "(&(realm=%s)(objectclass=primaryDomain))"
+#define SECRETS_KRBTGT_SEARCH "(&((|(realm=%s)(flatname=%s))(samAccountName=krbtgt)))"
+#define SECRETS_PRINCIPAL_SEARCH "(&(|(realm=%s)(flatname=%s))(servicePrincipalName=%s))"
+
+#include "param/secrets_proto.h"
+
+#endif /* _SECRETS_H */
diff --git a/source4/passdb/config.mk b/source4/passdb/config.mk
deleted file mode 100644
index 81897323c9..0000000000
--- a/source4/passdb/config.mk
+++ /dev/null
@@ -1,5 +0,0 @@
-[SUBSYSTEM::SECRETS]
-PRIVATE_PROTO_HEADER = proto.h
-OBJ_FILES = secrets.o
-PRIVATE_DEPENDENCIES = DB_WRAP UTIL_TDB
-
diff --git a/source4/passdb/secrets.c b/source4/passdb/secrets.c
deleted file mode 100644
index 876be607f1..0000000000
--- a/source4/passdb/secrets.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- Copyright (C) Andrew Tridgell 1992-2001
- Copyright (C) Andrew Bartlett 2002
- Copyright (C) Rafal Szczesniak 2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-/* the Samba secrets database stores any generated, private information
- such as the local SID and machine trust password */
-
-#include "includes.h"
-#include "secrets.h"
-#include "param/param.h"
-#include "system/filesys.h"
-#include "db_wrap.h"
-#include "lib/ldb/include/ldb.h"
-#include "lib/tdb/include/tdb.h"
-#include "lib/util/util_tdb.h"
-#include "dsdb/samdb/samdb.h"
-
-static struct tdb_wrap *tdb;
-
-/**
- * Use a TDB to store an incrementing random seed.
- *
- * Initialised to the current pid, the very first time Samba starts,
- * and incremented by one each time it is needed.
- *
- * @note Not called by systems with a working /dev/urandom.
- */
-static void get_rand_seed(int *new_seed)
-{
- *new_seed = getpid();
- if (tdb) {
- tdb_change_int32_atomic(tdb->tdb, "INFO/random_seed", new_seed, 1);
- }
-}
-
-/* close the secrets database */
-void secrets_shutdown(void)
-{
- talloc_free(tdb);
-}
-
-/* open up the secrets database */
-BOOL secrets_init(void)
-{
- char *fname;
- uint8_t dummy;
-
- if (tdb)
- return True;
-
- asprintf(&fname, "%s/secrets.tdb", lp_private_dir());
-
- tdb = tdb_wrap_open(talloc_autofree_context(), fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
-
- if (!tdb) {
- DEBUG(0,("Failed to open %s\n", fname));
- SAFE_FREE(fname);
- return False;
- }
- SAFE_FREE(fname);
-
- /**
- * Set a reseed function for the crypto random generator
- *
- * This avoids a problem where systems without /dev/urandom
- * could send the same challenge to multiple clients
- */
- set_rand_reseed_callback(get_rand_seed);
-
- /* Ensure that the reseed is done now, while we are root, etc */
- generate_random_buffer(&dummy, sizeof(dummy));
-
- return True;
-}
-
-/*
- connect to the schannel ldb
-*/
-struct ldb_context *secrets_db_connect(TALLOC_CTX *mem_ctx)
-{
- char *path;
- struct ldb_context *ldb;
- BOOL existed;
- const char *init_ldif =
- "dn: @ATTRIBUTES\n" \
- "computerName: CASE_INSENSITIVE\n" \
- "flatname: CASE_INSENSITIVE\n";
-
- path = private_path(mem_ctx, "secrets.ldb");
- if (!path) {
- return NULL;
- }
-
- existed = file_exist(path);
-
- /* Secrets.ldb *must* always be local. If we call for a
- * system_session() we will recurse */
- ldb = ldb_wrap_connect(mem_ctx, path, NULL, NULL, 0, NULL);
- talloc_free(path);
- if (!ldb) {
- return NULL;
- }
-
- if (!existed) {
- gendb_add_ldif(ldb, init_ldif);
- }
-
- return ldb;
-}
-
-struct dom_sid *secrets_get_domain_sid(TALLOC_CTX *mem_ctx,
- const char *domain)
-{
- struct ldb_context *ldb;
- struct ldb_message **msgs;
- int ldb_ret;
- const char *attrs[] = { "objectSid", NULL };
- struct dom_sid *result = NULL;
-
- ldb = secrets_db_connect(mem_ctx);
- if (ldb == NULL) {
- DEBUG(5, ("secrets_db_connect failed\n"));
- return NULL;
- }
-
- ldb_ret = gendb_search(ldb, ldb,
- ldb_dn_explode(mem_ctx, SECRETS_PRIMARY_DOMAIN_DN),
- &msgs, attrs,
- SECRETS_PRIMARY_DOMAIN_FILTER, domain);
-
- if (ldb_ret == -1) {
- DEBUG(5, ("Error searching for domain SID for %s: %s",
- domain, ldb_errstring(ldb)));
- talloc_free(ldb);
- return NULL;
- }
-
- if (ldb_ret == 0) {
- DEBUG(5, ("Did not find domain record for %s\n", domain));
- talloc_free(ldb);
- return NULL;
- }
-
- if (ldb_ret > 1) {
- DEBUG(5, ("Found more than one (%d) domain records for %s\n",
- ldb_ret, domain));
- talloc_free(ldb);
- return NULL;
- }
-
- result = samdb_result_dom_sid(mem_ctx, msgs[0], "objectSid");
- if (result == NULL) {
- DEBUG(0, ("Domain object for %s does not contain a SID!\n",
- domain));
- talloc_free(ldb);
- return NULL;
- }
-
- return result;
-}
diff --git a/source4/passdb/secrets.h b/source4/passdb/secrets.h
deleted file mode 100644
index adbc9e1586..0000000000
--- a/source4/passdb/secrets.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Unix SMB/CIFS implementation.
- * secrets.tdb file format info
- * Copyright (C) Andrew Tridgell 2000
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 675
- * Mass Ave, Cambridge, MA 02139, USA.
- */
-
-#ifndef _SECRETS_H
-#define _SECRETS_H
-
-/* structure for storing machine account password
- (ie. when samba server is member of a domain */
-struct machine_acct_pass {
- uint8_t hash[16];
- time_t mod_time;
-};
-
-#define SECRETS_PRIMARY_DOMAIN_DN "cn=Primary Domains"
-#define SECRETS_PRINCIPALS_DN "cn=Principals"
-#define SECRETS_PRIMARY_DOMAIN_FILTER "(&(flatname=%s)(objectclass=primaryDomain))"
-#define SECRETS_PRIMARY_REALM_FILTER "(&(realm=%s)(objectclass=primaryDomain))"
-#define SECRETS_KRBTGT_SEARCH "(&((|(realm=%s)(flatname=%s))(samAccountName=krbtgt)))"
-#define SECRETS_PRINCIPAL_SEARCH "(&(|(realm=%s)(flatname=%s))(servicePrincipalName=%s))"
-
-#include "passdb/proto.h"
-
-#endif /* _SECRETS_H */
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index c5c85a35fe..099464042d 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -30,7 +30,7 @@
 #include "lib/ldb/include/ldb_errors.h"
 #include "libcli/security/security.h"
 #include "libcli/auth/libcli_auth.h"
-#include "passdb/secrets.h"
+#include "param/secrets.h"
 #include "db_wrap.h"
 #include "librpc/gen_ndr/ndr_dssetup.h"
diff --git a/source4/smbd/process_standard.c b/source4/smbd/process_standard.c
index a426a2473b..1efdd3d0c4 100644
--- a/source4/smbd/process_standard.c
+++ b/source4/smbd/process_standard.c
@@ -32,7 +32,7 @@
 #include "system/kerberos.h"
 #include "heimdal/lib/gssapi/gssapi_locl.h"
-#include "passdb/secrets.h"
+#include "param/secrets.h"
 #ifdef HAVE_SETPROCTITLE
 #ifdef HAVE_SETPROCTITLE_H
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 2239f33d17..48c8c8ab55 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -37,7 +37,7 @@
 #include "auth/gensec/gensec.h"
 #include "smbd/process_model.h"
 #include "smbd/service.h"
-#include "passdb/secrets.h"
+#include "param/secrets.h"
 #include "smbd/pidfile.h"
 /*
diff --git a/source4/winbind/wb_server.c b/source4/winbind/wb_server.c
index 4c6ff397c1..2e69785261 100644
--- a/source4/winbind/wb_server.c
+++ b/source4/winbind/wb_server.c
@@ -31,7 +31,7 @@
 #include "winbind/wb_server.h"
 #include "lib/stream/packet.h"
 #include "smbd/service.h"
-#include "passdb/secrets.h"
+#include "param/secrets.h"
 void wbsrv_terminate_connection(struct wbsrv_connection *wbconn, const char *reason)
 {
-- 
cgit